Esempio n. 1
 def __init__(self, username = '', password = '', challenge = '', lmhash = '', nthash = '', flags = 0):
     """Build an authenticate message carrying NTLMv1 LM and NT responses.

     Pre-computed hashes are used when either lmhash or nthash is given;
     otherwise both are derived from password. Without a username, or with
     neither hashes nor password, both responses are left empty and a
     placeholder host name is set. Only get_ntlmv1_response is called here,
     and the flags argument is accepted but never read.
     """
     Structure.__init__(self)
     self['session_key'] = ''
     self['user_name'] = username.encode('utf-16le')
     self['domain_name'] = ''
     self['host_name'] = ''
     # Original author note (beto & gera): this flag combination is believed
     # to make a Windows 2000 peer leak memory contents when it answers with
     # uninitialized verifiers.
     # NTLMSSP_LM_KEY, NTLMSSP_ALWAYS_SIGN and NTLMSSP_TARGET are commented
     # out of the original list and stay unset.
     self['flags'] = (
         NTLMSSP_KEY_128 | NTLMSSP_KEY_EXCHANGE | NTLMSSP_NTLM_KEY |
         NTLMSSP_UNICODE | NTLMSSP_SIGN | NTLMSSP_SEAL | 0)
     hashes_supplied = lmhash != '' or nthash != ''
     if username and (hashes_supplied or password):
         if not hashes_supplied:
             lmhash = compute_lmhash(password)
             nthash = compute_nthash(password)
         self['lanman'] = get_ntlmv1_response(lmhash, challenge)
         # Original note: this is not used for LM_KEY nor NTLM_KEY.
         self['ntlm'] = get_ntlmv1_response(nthash, challenge)
     else:
         self['lanman'] = ''
         self['ntlm'] = ''
         if not self['host_name']:
             # A NULL session still has to carry a host name.
             self['host_name'] = 'NULL'.encode('utf-16le')
Esempio n. 2
    def fromString(self,data):
        """Parse an authenticate message and slice out its payload fields.

        Each payload field is located by its own offset/length pair from the
        parsed header. [MS-NLMP] page 27: payload data can be present in any
        order, with variable-length padding before or after it.
        """
        Structure.fromString(self,data)
        # (header prefix, destination field). Offsets and lengths are used
        # exactly as parsed; a slice that runs past the end of data comes
        # back short or empty instead of raising.
        payload_fields = (
            ('domain', 'domain_name'),
            ('host', 'host_name'),
            ('user', 'user_name'),
            ('ntlm', 'ntlm'),
            ('lanman', 'lanman'),
        )
        for prefix, target in payload_fields:
            start = self[prefix + '_offset']
            stop = self[prefix + '_len'] + start
            self[target] = data[start:stop]
Esempio n. 3
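 def __init__(self, data = None, alignment = 0):
     """Select the layout from the first byte of the blob, then parse it.

     Input of at least 16 bytes whose first byte is 0x24 or 0x34 uses
     structureKDBM; any other input of that size uses structureKSSM.
     Shorter or missing input keeps whatever self.structure already holds.
     """
     # data defaults to None and len(None) raises TypeError, so rule that
     # out before measuring the input.
     if data is not None and len(data) >= 16:
         if data[0:1] in (b'\x24', b'\x34'):
             self.structure = self.structureKDBM
         else:
             self.structure = self.structureKSSM
     Structure.__init__(self, data, alignment)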
Esempio n. 4
 def __init__(self,data=None):
     """Parse data when given; otherwise start with empty string fields."""
     Structure.__init__(self,data)
     if data is not None:
         return
     # A freshly built structure gets every variable-length string emptied.
     for field in ('UserName', 'Password', 'Database', 'AtchDBFile'):
         self[field] = ''
Esempio n. 5
    def __init__(self, data = None, alignment = 0):
        """Parse the structure, then split the raw blob into attribute records.

        When data is given, three lists are built on the instance: mapEntries
        (one VAULT_ATTRIBUTE_MAP_ENTRY per slot in AttributeMaps),
        attributesLen (the byte length of each attribute, taken from the gap
        between consecutive map offsets) and attributes (one VAULT_ATTRIBUTE
        per map entry). Whatever follows the last attribute is stored in
        the Data field.
        """
        Structure.__init__(self, data, alignment)
        if data is not None:
            # Process the MAP entries
            self.mapEntries = list()
            data = self['AttributeMaps']
            # Entry count = declared map size divided by the size of one
            # default-constructed map entry.
            for i in range(self['AttributesMapsSize']//len(VAULT_ATTRIBUTE_MAP_ENTRY())):
                entry = VAULT_ATTRIBUTE_MAP_ENTRY(data)
                self.mapEntries.append(entry)
                data = data[len(VAULT_ATTRIBUTE_MAP_ENTRY()):]

            self.attributesLen = list()

            # Length of attribute i-1 is the distance to the next map offset.
            # NOTE(review): offsets are used as parsed; if they are not
            # increasing the difference is negative, and the [:negative]
            # slice below trims from the end instead of failing.
            for i in range(len(self.mapEntries)):
                if i > 0:
                    self.attributesLen.append(self.mapEntries[i]['Offset']-self.mapEntries[i-1]['Offset'])

            # The last attribute runs to the end of the raw data. This relies
            # on i still holding the final loop index; NOTE(review): with
            # zero map entries i is never bound and this line fails.
            self.attributesLen.append(len(self.rawData) - self.mapEntries[i]['Offset'] )

            self.attributes = list()
            for i, entry in enumerate(self.mapEntries):
                attribute = VAULT_ATTRIBUTE(self.rawData[entry['Offset']:][:self.attributesLen[i]])
                self.attributes.append(attribute)

            # Do we have remaining data?
            # Keeps the bytes after the last attribute's own serialized length.
            self['Data'] = self.rawData[self.mapEntries[-1]['Offset']+len(self.attributes[-1].getData()):]
Esempio n. 6
    def __init__(self, data=None, alignment=0):
        """Parse data and, when it is non-empty, decode Buffer as an NDR array.

        The decoded array of SHARE_INFO_1 items replaces the raw Buffer field
        and is also kept on the instance.
        """
        Structure.__init__(self, data, alignment)
        if not data:
            return
        share_array = ndrutils.NDRArray(data=self["Buffer"], itemClass=SHARE_INFO_1)
        self.__array = share_array
        self["Buffer"] = share_array
Esempio n. 7
 def __init__(self, data=None, alignment=0):
     """Parse data when given; otherwise start with empty string fields."""
     Structure.__init__(self, data, alignment)
     if data is not None:
         return
     for field in ("cname", "username", "cltype_name", "transport"):
         self[field] = ""
Esempio n. 8
 def __init__(self, data = None, alignment = 0):
     """Initialise the context-item list, parse data, and default the variable fields."""
     # Created before the parent constructor runs; presumably parsing may
     # already append to it -- confirm against fromString.
     self.__ctx_items = []
     Structure.__init__(self,data,alignment)
     if data is not None:
         return
     for field in ('Pad', 'ctx_items', 'sec_trailer', 'auth_data'):
         self[field] = ''
Esempio n. 9
 def fromString(self, data):
     """Parse the structure, then decode ctx_num CtxItemResult records from ctx_items."""
     Structure.fromString(self,data)
     remaining = self['ctx_items']
     # ctx_num is taken from the parsed message. NOTE(review): nothing here
     # checks it against the bytes actually left in ctx_items.
     for _ in range(self['ctx_num']):
         result = CtxItemResult(remaining)
         self.__ctx_items.append(result)
         # Step past the record just decoded.
         remaining = remaining[len(result):]
Esempio n. 10
 def __init__(self, data = None, alignment = 0):
     """Parse data when given; otherwise start with empty string fields."""
     Structure.__init__(self, data, alignment)
     if data is not None:
         return
     for field in ('cname', 'username', 'cltype_name', 'transport'):
         self[field] = ''
Esempio n. 11
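 def __init__(self, data = None, alignment = 0):
     """Extend the layout according to the blob contents, then parse it.

     For input longer than 20 bytes: six zero bytes at offset 16 append the
     padding fields, a little-endian 32-bit value of 100 or more in the
     first four bytes appends id100, and nine or more bytes after offset 16
     append the extended fields.
     """
     # data defaults to None; len(None) would raise TypeError before the
     # parent constructor ever ran.
     if data is not None and len(data) > 20:
         if data[16:][:6] == b'\x00'*6:
             self.structure += self.padding
         if unpack('<L',data[:4])[0] >= 100:
             self.structure += self.id100
         if len(data[16:]) >= 9:
             self.structure += self.extended
     Structure.__init__(self, data, alignment)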
Esempio n. 12
 def __init__(self, data = None, alignment = 0):
     """Parse data when given; otherwise fill in the default field values.

     The private context-item list is reset in both cases.
     """
     Structure.__init__(self, data, alignment)
     if data is None:
         defaults = (
             ('max_tfrag', 4280),
             ('max_rfrag', 4280),
             ('assoc_group', 0),
             ('ctx_num', 1),
             ('ctx_items', ''),
         )
         for field, value in defaults:
             self[field] = value
     self.__ctx_items = []
Esempio n. 13
    def fromString(self,data):
        """Parse the message and trim TargetInfoFields to its declared length.

        Returns:
            self, so the call can be chained.
        """
        Structure.fromString(self,data)
        # There may be more data after the TargetInfoFields; keep only the
        # declared number of bytes. The field stays raw here -- decoding it
        # into AV pairs is disabled in the original code.
        raw_target_info = self['TargetInfoFields']
        self['TargetInfoFields'] = raw_target_info[:self['TargetInfoFields_len']]
        return self
Esempio n. 14
 def __init__(self, data = None, alignment = 0):
     """Parse data and unpack AttrCount CREDENTIAL_ATTRIBUTE records from Remaining.

     Without data, self.attributes is left as 0 rather than a list.
     """
     Structure.__init__(self, data, alignment)
     self.attributes = 0
     if data is None:
         return
     blob = self['Remaining']
     self.attributes = []
     # AttrCount comes from the parsed header. NOTE(review): it is not
     # checked against the bytes left in Remaining.
     for _ in range(self['AttrCount']):
         parsed = CREDENTIAL_ATTRIBUTE(blob)
         self.attributes.append(parsed)
         blob = blob[len(parsed):]
Esempio n. 15
 def __init__(self, data = None, alignment = 0):
     """Parse data when given; otherwise fill in the default header values."""
     Structure.__init__(self,data, alignment)
     if data is not None:
         return
     header_defaults = (
         ('ver_major', 5),
         ('ver_minor', 0),
         ('flags', MSRPC_FIRSTFRAG | MSRPC_LASTFRAG),
         ('type', MSRPC_REQUEST),
     )
     for field, value in header_defaults:
         self[field] = value
     # Marks that no fragment length has been set yet.
     self.__frag_len_set = 0
     self['auth_len'] = 0
     for field in ('pduData', 'auth_data'):
         self[field] = ''
Esempio n. 16
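 def fromString(self, data):
     """Parse the ACL header, then unpack AceCount ACE records from Data.

     Raises:
         Exception: the header announces more ACEs than the remaining
             data can hold.
     """
     self.aces = []
     Structure.fromString(self, data)
     for i in range(self['AceCount']):
         # Fail when the header promises more entries than the buffer holds.
         if len(self['Data']) == 0:
             # Call form of raise: the "raise Exception, msg" statement is
             # Python 2-only syntax and does not compile on Python 3.
             raise Exception("ACL header indicated there are more ACLs to unpack, but there is no more data")
         ace = ACE(data=self['Data'])
         self.aces.append(ace)
         # Advance by the size the ACE declares for itself.
         # NOTE(review): an AceSize of 0 leaves Data unchanged, so the same
         # bytes are parsed again on the next iteration.
         self['Data'] = self['Data'][ace['AceSize']:]
     # Expose the parsed ACE objects in place of the raw bytes.
     self['Data'] = self.aces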
 def fromString(self, data):
     """Parse the ACL header, then unpack AceCount ACE records from Data.

     Raises:
         Exception: the header announces more ACEs than the remaining
             data can hold.
     """
     self.aces = []
     Structure.fromString(self, data)
     for _ in range(self['AceCount']):
         if not len(self['Data']):
             # The declared count outruns the buffer.
             raise Exception(
                 "ACL header indicated there are more ACLs to unpack, but there is no more data"
             )
         entry = ACE(data=self['Data'])
         self.aces.append(entry)
         # Advance by the size the ACE declares for itself.
         # NOTE(review): an AceSize of 0 leaves Data unchanged, so the same
         # bytes are parsed again on the next iteration.
         self['Data'] = self['Data'][entry['AceSize']:]
     # Expose the parsed ACE objects in place of the raw bytes.
     self['Data'] = self.aces
Esempio n. 18
 def __init__(self, data=None, alignment=0):
     """Parse data when given; otherwise fill in the default header values."""
     Structure.__init__(self, data, alignment)
     if data is not None:
         return
     header_defaults = (
         ('ver_major', 5),
         ('ver_minor', 0),
         ('flags', MSRPC_FIRSTFRAG | MSRPC_LASTFRAG),
         ('type', MSRPC_REQUEST),
     )
     for field, value in header_defaults:
         self[field] = value
     # Marks that no fragment length has been set yet.
     self.__frag_len_set = 0
     self['auth_len'] = 0
     for field in ('pduData', 'auth_data', 'sec_trailer', 'pad'):
         self[field] = ''
Esempio n. 19
 def __init__(self):
     """Create a negotiate message with the default flag set and empty names."""
     Structure.__init__(self)
     # NTLMSSP_LM_KEY, NTLMSSP_ALWAYS_SIGN and NTLMSSP_TARGET are commented
     # out of the original list and stay unset.
     requested = 0
     for bit in (
             NTLMSSP_NEGOTIATE_128,
             NTLMSSP_NEGOTIATE_KEY_EXCH,
             NTLMSSP_NEGOTIATE_NTLM,
             NTLMSSP_NEGOTIATE_UNICODE,
             NTLMSSP_NEGOTIATE_SIGN,
             NTLMSSP_NEGOTIATE_SEAL):
         requested |= bit
     self['flags'] = requested
     for field in ('host_name', 'domain_name', 'os_version'):
         self[field] = ''
Esempio n. 20
    def __init__(self, version, revision, pageSize=8192, data=None):
        """Pick the header layout for this version/revision pair, then parse.

        Args:
            version: format version, compared against 0x620.
            revision: format revision, compared against 0x0b and 0x11.
            pageSize: page size; values above 8192 add the extended fields
                to the newest layout.
            data: raw bytes to parse, or None.
        """
        # Tuple comparison orders by version first, then revision.
        fmt = (version, revision)
        if fmt < (0x620, 0x0b):
            # For sure the old format
            layout = self.structure_2003_SP0 + self.common
        elif fmt < (0x620, 0x11):
            # Exchange 2003 SP1 and Windows Vista and later
            layout = self.structure_0x620_0x0b + self.common
        else:
            # Windows 7 and later
            layout = self.structure_win7 + self.common
            if pageSize > 8192:
                layout += self.extended_win7
        self.structure = layout

        Structure.__init__(self, data)
Esempio n. 21
    def fromString(self, data):
        """Parse the header, then cut the four variable parts out of rawData.

        CurrentPassword ends where PreviousPassword starts, or where
        QueryPasswordInterval starts when there is no previous password
        (offset 0). PreviousPassword is only set when its offset is non-zero.
        """
        Structure.fromString(self,data)

        raw = self.rawData
        current_off = self['CurrentPasswordOffset']
        previous_off = self['PreviousPasswordOffset']
        query_off = self['QueryPasswordIntervalOffset']
        unchanged_off = self['UnchangedPasswordIntervalOffset']

        # Offsets are used exactly as parsed. NOTE(review): nothing checks
        # that they are increasing or fall inside rawData.
        current_end = query_off if previous_off == 0 else previous_off
        self['CurrentPassword'] = raw[current_off:][:current_end - current_off]
        if previous_off != 0:
            self['PreviousPassword'] = raw[previous_off:][:query_off - previous_off]

        self['QueryPasswordInterval'] = raw[query_off:][:unchanged_off - query_off]
        self['UnchangedPasswordInterval'] = raw[unchanged_off:]
Esempio n. 22
    def __init__(self, version, revision, pageSize=8192, data=None):
        """Pick the header layout for this version/revision pair, then parse.

        Args:
            version: format version, compared against 0x620.
            revision: format revision, compared against 0x0b and 0x11.
            pageSize: page size; values above 8192 add the extended fields
                to the newest layout.
            data: raw bytes to parse, or None.
        """
        is_oldest = version < 0x620 or (version == 0x620 and revision < 0x0b)
        is_middle = not is_oldest and version == 0x620 and revision < 0x11

        if is_oldest:
            # For sure the old format
            self.structure = self.structure_2003_SP0 + self.common
        elif is_middle:
            # Exchange 2003 SP1 and Windows Vista and later
            self.structure = self.structure_0x620_0x0b + self.common
        else:
            # Windows 7 and later
            self.structure = self.structure_win7 + self.common
            if pageSize > 8192:
                self.structure += self.extended_win7

        Structure.__init__(self,data)
Esempio n. 23
 def fromString(self, data, offset=0):
     """Parse the header, then decode four UTF-16LE strings out of rawData.

     Each string spans from its own offset to the offset of the next field;
     offset is added to both ends of every span.
     """
     Structure.fromString(self, data)
     # (destination field, start-offset field, end-offset field)
     spans = (
         ('ConfigFileArray', 'ConfigFileOffset', 'DataFileOffset'),
         ('DataFileArray', 'DataFileOffset', 'DriverPathOffset'),
         ('DriverPathArray', 'DriverPathOffset', 'EnvironmentOffset'),
         ('EnvironmentArray', 'EnvironmentOffset', 'NameOffset'),
     )
     for target, start_field, stop_field in spans:
         start = self[start_field] + offset
         stop = self[stop_field] + offset
         self[target] = self.rawData[start:stop].decode('utf-16-le')
Esempio n. 24
 def __init__(self):
     """Create a negotiate message with the default flag set and empty names."""
     Structure.__init__(self)
     # NTLMSSP_LM_KEY, NTLMSSP_ALWAYS_SIGN and NTLMSSP_TARGET are commented
     # out of the original list and stay unset.
     requested = 0
     for bit in (
             NTLMSSP_KEY_128,
             NTLMSSP_KEY_EXCHANGE,
             NTLMSSP_NTLM_KEY,
             NTLMSSP_UNICODE,
             NTLMSSP_SIGN,
             NTLMSSP_SEAL):
         requested |= bit
     self['flags'] = requested
     for field in ('host_name', 'domain_name'):
         self[field] = ''
Esempio n. 25
    def fromString(self,data):
        """Parse a negotiate message: domain name, host name and optional version.

        os_version becomes a VERSION built from byte 32 onwards when data
        is at least 36 bytes long and the version check on the instance
        succeeds; otherwise it is ''.
        """
        Structure.fromString(self,data)

        # Offsets and lengths are used as parsed; out-of-range slices come
        # back short or empty.
        for prefix in ('domain', 'host'):
            start = self[prefix + '_offset']
            stop = self[prefix + '_len'] + start
            self[prefix + '_name'] = data[start:stop]

        version_present = len(data) >= 36 and self.__hasNegotiateVersion()
        self['os_version'] = VERSION(data[32:]) if version_present else ''
Esempio n. 26
    def fromString(self,data):
        """Parse a negotiate message: domain name, host name and optional version.

        os_version is bytes 32..39 of data when data is at least 36 bytes
        long and the NTLMSSP_VERSION flag is set; otherwise it is ''.
        """
        Structure.fromString(self,data)

        # Offsets and lengths are used as parsed; out-of-range slices come
        # back short or empty.
        for prefix in ('domain', 'host'):
            start = self[prefix + '_offset']
            stop = self[prefix + '_len'] + start
            self[prefix + '_name'] = data[start:stop]

        version_flag = self['flags'] & NTLMSSP_VERSION
        self['os_version'] = data[32:40] if (len(data) >= 36 and version_flag) else ''
Esempio n. 27
    def __str__(self):
        """Recompute every string offset from the field lengths, then serialize.

        Variable-length fields are laid out back to back starting at byte 86
        (36+50). UserName and Password get offset 0 when empty. Language
        contributes no length, so Database starts at the Language offset.
        """
        cursor = 36+50
        self['HostNameOffset'] = cursor
        cursor += len(self['HostName'])

        # An empty credential field is flagged with offset 0.
        for field in ('UserName', 'Password'):
            self[field + 'Offset'] = cursor if self[field] != '' else 0
            cursor += len(self[field])

        self['AppNameOffset'] = cursor
        cursor += len(self['AppName'])
        self['ServerNameOffset'] = cursor
        cursor += len(self['ServerName'])
        self['CltIntNameOffset'] = cursor
        cursor += len(self['CltIntName'])
        self['LanguageOffset'] = cursor
        self['DatabaseOffset'] = cursor
        cursor += len(self['Database'])
        self['SSPIOffset'] = cursor
        cursor += len(self['SSPI'])
        self['AtchDBFileOffset'] = cursor
        return Structure.__str__(self)
Esempio n. 28
    def fromString(self, data):
        """Parse a negotiate message: domain name, host name and optional version.

        os_version is bytes 32..39 of data when data is at least 36 bytes
        long and the NTLMSSP_NEGOTIATE_VERSION flag is set; otherwise ''.
        """
        Structure.fromString(self, data)

        # Offsets and lengths are used as parsed; out-of-range slices come
        # back short or empty.
        for prefix in ('domain', 'host'):
            start = self[prefix + '_offset']
            stop = self[prefix + '_len'] + start
            self[prefix + '_name'] = data[start:stop]

        version_flag = self['flags'] & NTLMSSP_NEGOTIATE_VERSION
        self['os_version'] = data[32:40] if (len(data) >= 36 and version_flag) else ''
 def getData(self):
     """Set the presence bits for the optional object types, then serialize.

     Bits are only ever added here; a bit already set in Flags is not
     cleared when the matching field is empty.
     """
     presence_bits = (
         ('ObjectType', self.ACE_OBJECT_TYPE_PRESENT),
         ('InheritedObjectType', self.ACE_INHERITED_OBJECT_TYPE_PRESENT),
     )
     for field, bit in presence_bits:
         if self[field] != '':
             self['Flags'] |= bit
     return Structure.getData(self)
Esempio n. 30
 def getData(self):
     """Set the presence bits for the optional object types, then serialize.

     Bits are only ever added here; a bit already set in Flags is not
     cleared when the matching field is empty.
     """
     has_object_type = self['ObjectType'] != ''
     if has_object_type:
         self['Flags'] = self['Flags'] | self.ACE_OBJECT_TYPE_PRESENT
     has_inherited_type = self['InheritedObjectType'] != ''
     if has_inherited_type:
         self['Flags'] = self['Flags'] | self.ACE_INHERITED_OBJECT_TYPE_PRESENT
     return Structure.getData(self)
Esempio n. 31
File: ntlm.py Progetto: curl/curl
 def __init__(self):
     """Create a negotiate message with the default flag set and empty names."""
     Structure.__init__(self)
     # NTLMSSP_LM_KEY, NTLMSSP_ALWAYS_SIGN and NTLMSSP_TARGET are commented
     # out of the original list and stay unset.
     requested = 0
     for bit in (
             NTLMSSP_NEGOTIATE_128,
             NTLMSSP_NEGOTIATE_KEY_EXCH,
             NTLMSSP_NEGOTIATE_NTLM,
             NTLMSSP_NEGOTIATE_UNICODE,
             NTLMSSP_NEGOTIATE_SIGN,
             NTLMSSP_NEGOTIATE_SEAL):
         requested |= bit
     self['flags'] = requested
     for field in ('host_name', 'domain_name', 'os_version'):
         self[field] = ''
    def getData(self):
        """Recompute the four part offsets, then serialize the descriptor.

        Present parts are laid out after the 20-byte header in the order
        Sacl, Dacl, OwnerSid, GroupSid; an absent part ('') gets offset 0.
        The control flags are not updated here (open TODO in the original).
        """
        headerlen = 20
        written = 0
        layout = (
            ('Sacl', 'OffsetSacl'),
            ('Dacl', 'OffsetDacl'),
            ('OwnerSid', 'OffsetOwner'),
            ('GroupSid', 'OffsetGroup'),
        )
        for part, offset_field in layout:
            if self[part] == '':
                self[offset_field] = 0
                continue
            self[offset_field] = headerlen + written
            written += len(self[part].getData())
        return Structure.getData(self)
Esempio n. 33
    def __str__(self):
        """Recompute every string offset from the field lengths, then serialize.

        Variable-length fields are laid out back to back starting at byte 86
        (36 + 50). UserName and Password get offset 0 when empty. Language
        contributes no length, so Database starts at the Language offset.
        """
        position = 36 + 50
        self['HostNameOffset'] = position
        position += len(self['HostName'])

        # An empty credential field is flagged with offset 0.
        self['UserNameOffset'] = position if self['UserName'] != '' else 0
        position += len(self['UserName'])

        self['PasswordOffset'] = position if self['Password'] != '' else 0
        position += len(self['Password'])

        # The remaining offsets simply chain on the previous field's length.
        for offset_field, payload_field in (
                ('AppNameOffset', 'AppName'),
                ('ServerNameOffset', 'ServerName'),
                ('CltIntNameOffset', 'CltIntName')):
            self[offset_field] = position
            position += len(self[payload_field])

        self['LanguageOffset'] = position
        self['DatabaseOffset'] = position
        position += len(self['Database'])
        self['SSPIOffset'] = position
        position += len(self['SSPI'])
        self['AtchDBFileOffset'] = position
        return Structure.__str__(self)
Esempio n. 34
    def getData(self):
        """Recompute the four part offsets, then serialize the descriptor.

        Present parts are laid out after the 20-byte header in the order
        Sacl, Dacl, OwnerSid, GroupSid; an absent part ('') gets offset 0.
        The control flags are not updated here (open TODO in the original).
        """
        next_offset = 20  # first byte after the fixed header
        for part, offset_field in (
                ('Sacl', 'OffsetSacl'),
                ('Dacl', 'OffsetDacl'),
                ('OwnerSid', 'OffsetOwner'),
                ('GroupSid', 'OffsetGroup')):
            if self[part] != '':
                self[offset_field] = next_offset
                next_offset += len(self[part].getData())
            else:
                self[offset_field] = 0
        return Structure.getData(self)
Esempio n. 35
 def getData(self):
     """Recompute the payload offsets from the field lengths, then serialize.

     The payload starts after 64 bytes plus whatever checkMIC and
     checkVersion return for the current flags; fields follow in the order
     domain, user, host, lanman, ntlm, session key.
     """
     def payload_start():
         return 64+self.checkMIC(self["flags"])+self.checkVersion(self["flags"])

     self['domain_offset'] = payload_start()
     cursor = payload_start() + len(self['domain_name'])
     self['user_offset'] = cursor
     cursor += len(self['user_name'])
     self['host_offset'] = cursor
     cursor += len(self['host_name'])
     self['lanman_offset'] = cursor
     cursor += len(self['lanman'])
     self['ntlm_offset'] = cursor
     cursor += len(self['ntlm'])
     self['session_key_offset'] = cursor
     return Structure.getData(self)
Esempio n. 36
 def getData(self):
     """Recompute the payload offsets from the field lengths, then serialize.

     The payload starts at byte 64; fields follow back to back in the order
     domain, user, host, lanman, ntlm, session key.
     """
     cursor = 64
     layout = (
         ('domain_offset', 'domain_name'),
         ('user_offset', 'user_name'),
         ('host_offset', 'host_name'),
         ('lanman_offset', 'lanman'),
         ('ntlm_offset', 'ntlm'),
     )
     for offset_field, payload_field in layout:
         self[offset_field] = cursor
         cursor += len(self[payload_field])
     self['session_key_offset'] = cursor
     return Structure.getData(self)
Esempio n. 37
 def getData(self):
     """Recompute the payload offsets from the field lengths, then serialize.

     The payload starts at byte 64; fields follow back to back in the order
     domain, user, host, lanman, ntlm, session key.
     """
     position = 64
     self['domain_offset'] = position
     position += len(self['domain_name'])
     self['user_offset'] = position
     position += len(self['user_name'])
     self['host_offset'] = position
     position += len(self['host_name'])
     self['lanman_offset'] = position
     position += len(self['lanman'])
     self['ntlm_offset'] = position
     position += len(self['ntlm'])
     self['session_key_offset'] = position
     return Structure.getData(self)
Esempio n. 38
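    def getData(self):
        """Serialize the packet behind a variable-length body size prefix.

        The body is packed once without the common header to measure it.
        Its length is then encoded seven bits per byte, least-significant
        group first, with the high bit set on every byte except the last,
        and the packet is packed again with PacketType and MessageLength
        in front. An empty body is encoded as a single zero byte.
        """
        packetType = self['PacketType']
        # Drop the common header for a moment so only the body is measured.
        self.commonHdr = ()
        packetLen = len(Structure.getData(self))
        output = ''
        while packetLen > 0:
            encodedByte = packetLen % 128
            # Floor division keeps packetLen an int. With "/=" it becomes a
            # float on Python 3, the loop keeps running on the fraction and
            # the "|=" below fails on a float remainder.
            packetLen //= 128
            if packetLen > 0:
                # More length bytes follow: set the continuation bit.
                encodedByte |= 128
            output += chr(encodedByte)
        # NOTE(review): output is built as str via chr(); whether Structure
        # accepts that for a ':' field on Python 3 is not visible here.
        self.commonHdr = ( ('PacketType','B=0'), ('MessageLength',':'), )
        self['PacketType'] = packetType
        self['MessageLength'] = output
        if output == '':
            self['MessageLength'] = chr(00)

        return Structure.getData(self)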
Esempio n. 39
 def getData(self):
     """Pack the component list and trailing fields, then serialize.

     The components field is overwritten with the concatenated bytes of
     every component so the parent class can pack it as a plain blob.
     """
     self['num_components'] = len(self.components)
     packed_parts = [part.getData() for part in self.components]
     self['components'] = b''.join(packed_parts)
     self['restdata'] = self.restfields.getData()
     return Structure.getData(self)
Esempio n. 40
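    def getData(self):
        """Serialize the packet behind a variable-length body size prefix.

        The body is packed once without the common header to measure it.
        Its length is then encoded seven bits per byte, least-significant
        group first, with the high bit set on every byte except the last,
        and the packet is packed again with PacketType and MessageLength
        in front. An empty body is encoded as a single zero byte.
        """
        packetType = self['PacketType']
        # Drop the common header for a moment so only the body is measured.
        self.commonHdr = ()
        packetLen = len(Structure.getData(self))
        output = ''
        while packetLen > 0:
            encodedByte = packetLen % 128
            # Floor division keeps packetLen an int. With "/=" it becomes a
            # float on Python 3, the loop keeps running on the fraction and
            # the "|=" below fails on a float remainder.
            packetLen //= 128
            if packetLen > 0:
                # More length bytes follow: set the continuation bit.
                encodedByte |= 128
            output += chr(encodedByte)
        # NOTE(review): output is built as str via chr(); whether Structure
        # accepts that for a ':' field on Python 3 is not visible here.
        self.commonHdr = ( ('PacketType','B=0'), ('MessageLength',':'), )
        self['PacketType'] = packetType
        self['MessageLength'] = output
        if output == '':
            self['MessageLength'] = chr(00)

        return Structure.getData(self)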
Esempio n. 41
 def getData(self):
     """Serialize the ACL, recomputing AceCount and AclSize from self.aces.

     Data is swapped for the concatenated ACE bytes while the parent class
     packs the structure, then restored to the list of ACE objects.
     """
     self['AceCount'] = len(self.aces)
     packed_aces = b''.join([entry.getData() for entry in self.aces])
     self['Data'] = packed_aces
     # The 8-byte ACL header counts towards AclSize.
     self['AclSize'] = len(self['Data']) + 8
     serialized = Structure.getData(self)
     self['Data'] = self.aces
     return serialized
Esempio n. 42
 def getData(self):
     """Serialize the ACL, recomputing AceCount and AclSize from self.aces.

     Data is swapped for the concatenated ACE data while the parent class
     packs the structure, then restored to the list of ACE objects.
     """
     self['AceCount'] = len(self.aces)
     packed_aces = ''.join([entry.getData() for entry in self.aces])
     self['Data'] = packed_aces
     # The 8-byte ACL header counts towards AclSize.
     self['AclSize'] = len(self['Data']) + 8
     serialized = Structure.getData(self)
     self['Data'] = self.aces
     return serialized
Esempio n. 43
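 def getData(self):
     """Serialize the ACE, with AceSize rounded up to a multiple of four.

     AceSize is recomputed from the packed Ace body plus the 4-byte header
     when RECALC_ACE_SIZE is set or no size is stored yet. Output shorter
     than AceSize is padded with null bytes.
     """
     if RECALC_ACE_SIZE or 'AceSize' not in self.fields:
         self['AceSize'] = len(self['Ace'].getData())+4 # Header size (4 bytes) is included
     remainder = self['AceSize'] % 4
     if remainder != 0:
         # Round up to the next multiple of 4. Adding the remainder itself,
         # as the code did before, only lands on a boundary when the
         # remainder is 2; remainders of 1 and 3 stayed misaligned.
         self['AceSize'] += 4 - remainder
     data = Structure.getData(self)
     # For some reason ACEs are sometimes longer than they need to be
     # we fill this space up with null bytes to make sure the object
     # we create is identical to the original object
     if len(data) < self['AceSize']:
         data += '\x00' * (self['AceSize'] - len(data))
     return data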
Esempio n. 44
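 def getData(self):
     """Serialize the ACE, with AceSize rounded up to a multiple of four.

     AceSize is recomputed from the packed Ace body plus the 4-byte header
     when RECALC_ACE_SIZE is set or no size is stored yet. Output shorter
     than AceSize is padded with null bytes.
     """
     if RECALC_ACE_SIZE or 'AceSize' not in self.fields:
         self['AceSize'] = len(self['Ace'].getData())+4 # Header size (4 bytes) is included
     remainder = self['AceSize'] % 4
     if remainder != 0:
         # Round up to the next multiple of 4. Adding the remainder itself,
         # as the code did before, only lands on a boundary when the
         # remainder is 2; remainders of 1 and 3 stayed misaligned.
         self['AceSize'] += 4 - remainder
     data = Structure.getData(self)
     # For some reason ACEs are sometimes longer than they need to be
     # we fill this space up with null bytes to make sure the object
     # we create is identical to the original object
     if len(data) < self['AceSize']:
         data += '\x00' * (self['AceSize'] - len(data))
     return data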
Esempio n. 45
 def __init__(self, username='', password='', challenge='', lmhash='',
              nthash='', flags=0):
     """Build an authenticate message carrying NTLMv1 LM and NT responses.

     Pre-computed hashes are used when either lmhash or nthash is given;
     otherwise both are derived from password. Without a username, or with
     neither hashes nor password, both responses are left empty and a
     placeholder host name is set. Only get_ntlmv1_response is called here,
     and the flags argument is accepted but never read.
     """
     Structure.__init__(self)
     self['session_key'] = ''
     self['user_name'] = username.encode('utf-16le')
     self['domain_name'] = ''
     self['host_name'] = ''
     # Original author note (beto & gera): this flag combination is believed
     # to make a Windows 2000 peer leak memory contents when it answers with
     # uninitialized verifiers.
     # NTLMSSP_LM_KEY, NTLMSSP_ALWAYS_SIGN and NTLMSSP_TARGET are commented
     # out of the original list and stay unset.
     self['flags'] = (
         NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_KEY_EXCH |
         NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_UNICODE |
         NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_SEAL | 0)

     no_hashes = lmhash == '' and nthash == ''
     if not username or (no_hashes and not password):
         self['lanman'] = ''
         self['ntlm'] = ''
         if not self['host_name']:
             # A NULL session still has to carry a host name.
             self['host_name'] = 'NULL'.encode('utf-16le')
     else:
         if no_hashes:
             lmhash = compute_lmhash(password)
             nthash = compute_nthash(password)
         self['lanman'] = get_ntlmv1_response(lmhash, challenge)
         # Original note: this is not used for LM_KEY nor NTLM_KEY.
         self['ntlm'] = get_ntlmv1_response(nthash, challenge)
Esempio n. 46
    def __init__(self, data):
        """Assemble the layout for this catalog entry type, then parse data.

        The type is the little-endian 16-bit value at bytes 4..5. An unknown
        type is logged and parsed once with an empty layout before the
        common fields are applied and the data is parsed again.

        Raises:
            Exception: the entry is a callback type.
            struct.error: fewer than two bytes are available at offset 4.
        """
        catalog_type = unpack('<H', data[4:][:2])[0]
        self.structure = self.fixed

        if catalog_type == CATALOG_TYPE_CALLBACK:
            raise Exception('CallBack types not supported!')

        type_fields = None
        if catalog_type == CATALOG_TYPE_TABLE:
            type_fields = self.other + self.table_stuff
        elif catalog_type == CATALOG_TYPE_COLUMN:
            type_fields = self.column_stuff
        elif catalog_type == CATALOG_TYPE_INDEX:
            type_fields = self.other + self.index_stuff
        elif catalog_type == CATALOG_TYPE_LONG_VALUE:
            type_fields = self.other + self.lv_stuff
        else:
            LOG.error('Unknown catalog type 0x%x' % catalog_type)
            self.structure = ()
            Structure.__init__(self, data)

        if type_fields is not None:
            self.structure += type_fields
        self.structure += self.common

        Structure.__init__(self, data)
Esempio n. 47
    def __init__(self,data):
        """Assemble the layout for this catalog entry type, then parse data.

        The type is the little-endian 16-bit value at bytes 4..5. An unknown
        type is logged and parsed once with an empty layout before the
        common fields are applied and the data is parsed again.

        Raises:
            Exception: the entry is a callback type.
            struct.error: fewer than two bytes are available at offset 4.
        """
        (entry_type,) = unpack('<H', data[4:][:2])
        self.structure = self.fixed

        is_known = True
        if entry_type == CATALOG_TYPE_TABLE:
            self.structure += self.other + self.table_stuff
        elif entry_type == CATALOG_TYPE_COLUMN:
            self.structure += self.column_stuff
        elif entry_type == CATALOG_TYPE_INDEX:
            self.structure += self.other + self.index_stuff
        elif entry_type == CATALOG_TYPE_LONG_VALUE:
            self.structure += self.other + self.lv_stuff
        elif entry_type == CATALOG_TYPE_CALLBACK:
            raise Exception('CallBack types not supported!')
        else:
            is_known = False

        if not is_known:
            LOG.error('Unknown catalog type 0x%x' % entry_type)
            self.structure = ()
            Structure.__init__(self,data)

        self.structure += self.common

        Structure.__init__(self,data)
Esempio n. 48
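    def fromString(self, data):
        """Parse a security descriptor and its optional owner, group, SACL and DACL.

        Each part is located by an offset from the start of data. An offset
        of 0 means the part is absent and its field is set to ''.
        """
        Structure.fromString(self, data)
        # All these fields are optional, if the offset is 0 they are empty
        # there are also flags indicating if they are present
        # TODO: parse those if it adds value
        # NOTE(review): the offsets are used as parsed; nothing here checks
        # that they fall inside data.
        if self['OffsetOwner'] != 0:
            self['OwnerSid'] = LDAP_SID(data=data[self['OffsetOwner']:])
        else:
            self['OwnerSid'] = ''

        if self['OffsetGroup'] != 0:
            self['GroupSid'] = LDAP_SID(data=data[self['OffsetGroup']:])
        else:
            self['GroupSid'] = ''

        if self['OffsetSacl'] != 0:
            self['Sacl'] = ACL(data=data[self['OffsetSacl']:])
        else:
            self['Sacl'] = ''

        if self['OffsetDacl'] != 0:
            self['Dacl'] = ACL(data=data[self['OffsetDacl']:])
        else:
            # Clear Dacl, not Sacl: writing '' to Sacl here threw away a
            # SACL parsed just above and never reset Dacl when the
            # descriptor carried no DACL.
            self['Dacl'] = ''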
Esempio n. 49
 def getData(self):
     """Derive the supplied-field flags and payload offsets, then serialize.

     Non-empty host_name, domain_name and os_version each set their flag.
     The host name follows the 32-byte header plus the version block, and
     the domain name follows the host name.

     Raises:
         Exception: the version flag is set but os_version is empty.
     """
     supplied = (
         ('host_name', NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED),
         ('domain_name', NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED),
     )
     for field, bit in supplied:
         if len(self.fields[field]) > 0:
             self['flags'] |= bit

     version_len = len(self.fields['os_version'])
     if version_len > 0:
         self['flags'] |= NTLMSSP_NEGOTIATE_VERSION
     elif self.__hasNegotiateVersion():
         raise Exception('Must provide the os_version field if the NTLMSSP_NEGOTIATE_VERSION flag is set')

     # Offsets are only written for fields whose flag ended up set.
     flags = self['flags']
     payload_start = 32 + version_len
     if (flags & NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED) == NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED:
         self['host_offset'] = payload_start
     if (flags & NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED) == NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED:
         self['domain_offset'] = 32 + len(self['host_name']) + version_len
     return Structure.getData(self)
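    def fromString(self, data):
        """Parse a security descriptor and its optional owner, group, SACL and DACL.

        Each part is located by an offset from the start of data. An offset
        of 0 means the part is absent and its field is set to ''.
        """
        Structure.fromString(self, data)
        # All these fields are optional, if the offset is 0 they are empty
        # there are also flags indicating if they are present
        # TODO: parse those if it adds value
        # NOTE(review): the offsets are used as parsed; nothing here checks
        # that they fall inside data.
        if self['OffsetOwner'] != 0:
            self['OwnerSid'] = LDAP_SID(data=data[self['OffsetOwner']:])
        else:
            self['OwnerSid'] = ''

        if self['OffsetGroup'] != 0:
            self['GroupSid'] = LDAP_SID(data=data[self['OffsetGroup']:])
        else:
            self['GroupSid'] = ''

        if self['OffsetSacl'] != 0:
            self['Sacl'] = ACL(data=data[self['OffsetSacl']:])
        else:
            self['Sacl'] = ''

        if self['OffsetDacl'] != 0:
            self['Dacl'] = ACL(data=data[self['OffsetDacl']:])
        else:
            # Clear Dacl, not Sacl: writing '' to Sacl here threw away a
            # SACL parsed just above and never reset Dacl when the
            # descriptor carried no DACL.
            self['Dacl'] = ''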
Esempio n. 51
 def getData(self):
     """Derive the supplied-field flags and payload offsets, then serialize.

     Non-empty host_name, domain_name and os_version each set their flag.
     With the version flag set, 8 bytes are reserved after the 32-byte
     header; the host name comes next and the domain name after it.
     """
     supplied = (
         ('host_name', NTLMSSP_WORKSTATION),
         ('domain_name', NTLMSSP_DOMAIN),
         ('os_version', NTLMSSP_VERSION),
     )
     for field, bit in supplied:
         if len(self.fields[field]) > 0:
             self['flags'] |= bit

     flags = self['flags']
     version_len = 8 if (flags & NTLMSSP_VERSION) == NTLMSSP_VERSION else 0
     # Offsets are only written for fields whose flag ended up set.
     if (flags & NTLMSSP_WORKSTATION) == NTLMSSP_WORKSTATION:
         self['host_offset'] = 32 + version_len
     if (flags & NTLMSSP_DOMAIN) == NTLMSSP_DOMAIN:
         self['domain_offset'] = 32 + len(self['host_name']) + version_len
     return Structure.getData(self)
Esempio n. 52
 def fromString(self, data):
     """Decode the variable-length size prefix, then parse the packet.

     The size after the first byte is read seven bits per byte, least-
     significant group first, until a byte without the high bit. The input
     is then rebuilt as type byte + 32-bit little-endian size + that many
     body bytes and handed to Structure.fromString.

     Raises:
         Exception: 'Malformed Remaining Length' once a fourth length byte
             has been read (the limit is checked after the multiply);
             'Dont know' when data is None or at most two bytes long.
     """
     if data is None or len(data) <= 2:
         raise Exception('Dont know')

     packetType = data[0]
     value = 0
     multiplier = 1
     index = 1
     # NOTE(review): a truncated prefix whose last byte still has the
     # continuation bit set runs index past the end of data.
     while True:
         encodedByte = ord(data[index])
         value += (encodedByte & 127) * multiplier
         multiplier *= 128
         index += 1
         if multiplier > 128 * 128 * 128:
             raise Exception('Malformed Remaining Length')
         if (encodedByte & 128) == 0:
             break
     # The body slice is bounded by the decoded size; a size larger than
     # the bytes available just yields a shorter body.
     data = packetType + struct.pack('<L', value) + data[index:value+index]
     return Structure.fromString(self, data)
Esempio n. 53
 def __init__(self, flags=0, **kargs):
     """Choose the signature layout from the negotiated flags, then initialise.

     The extended layout is used when flags carries
     NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY; all other keyword
     arguments are forwarded to Structure.__init__.
     """
     extended = flags & NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
     self.structure = self.extendedMessageSignature if extended else self.MessageSignature
     return Structure.__init__(self, **kargs)
Esempio n. 54
 def getData(self):
     """Flatten a structured TargetInfoFields to raw data, then serialize."""
     target_info = self['TargetInfoFields']
     # Anything that is neither None nor exactly str is asked for its packed
     # form. NOTE(review): bytes is not str, so on Python 3 a raw bytes
     # value would take this branch too.
     if target_info is not None and type(target_info) is not str:
         self['TargetInfoFields'] = target_info.getData()
     return Structure.getData(self)
Esempio n. 55
 def __init__(self, data=None):
     """Initialise the structure, forwarding data to Structure.__init__ by keyword."""
     Structure.__init__(self, data=data)
Esempio n. 56
 def __init__(self, data=None):
     """Parse data when given; otherwise start with an empty AlignPad."""
     Structure.__init__(self, data)
     if data is not None:
         return
     self['AlignPad'] = ''
Esempio n. 57
 def getData(self):
     """Serialize through Structure.getData without touching any field.

     The commented-out lines are a disabled computation of AlignPad,
     SecurityBufferOffset and SecurityBufferLength.
     """
     #self['AlignPad'] = '\x00' * ((8 - ((24 + SMB2_PACKET_SIZE) & 7)) & 7)
     #self['SecurityBufferOffset'] = 24 + SMB2_PACKET_SIZE +len(self['AlignPad'])
     #self['SecurityBufferLength'] += len(self['AlignPad'])
     return Structure.getData(self)
Esempio n. 58
 def __init__(self, data=None):
     """Parse data when given; otherwise start with TreeID set to 0."""
     Structure.__init__(self, data)
     if data is not None:
         return
     self['TreeID'] = 0