def __init__(self, data = None, alignment = 0):
Structure.__init__(self, data, alignment)
if data is not None:
# Process the MAP entries
self.mapEntries = list()
data = self['AttributeMaps']
for i in range(self['AttributesMapsSize']//len(VAULT_ATTRIBUTE_MAP_ENTRY())):
entry = VAULT_ATTRIBUTE_MAP_ENTRY(data)
self.mapEntries.append(entry)
data = data[len(VAULT_ATTRIBUTE_MAP_ENTRY()):]
self.attributesLen = list()
for i in range(len(self.mapEntries)):
if i > 0:
self.attributesLen.append(self.mapEntries[i]['Offset']-self.mapEntries[i-1]['Offset'])
self.attributesLen.append(len(self.rawData) - self.mapEntries[i]['Offset'] )
self.attributes = list()
for i, entry in enumerate(self.mapEntries):
attribute = VAULT_ATTRIBUTE(self.rawData[entry['Offset']:][:self.attributesLen[i]])
self.attributes.append(attribute)
# Do we have remaining data?
self['Data'] = self.rawData[self.mapEntries[-1]['Offset']+len(self.attributes[-1].getData()):]
def __init__(self, data=None, alignment=0):
Structure.__init__(self, data, alignment)
if data is not None:
# Process the MAP entries
self.mapEntries = list()
data = self['AttributeMaps']
for i in range(self['AttributesMapsSize'] //
len(VAULT_ATTRIBUTE_MAP_ENTRY())):
entry = VAULT_ATTRIBUTE_MAP_ENTRY(data)
self.mapEntries.append(entry)
data = data[len(VAULT_ATTRIBUTE_MAP_ENTRY()):]
self.attributesLen = list()
for i in range(len(self.mapEntries)):
if i > 0:
self.attributesLen.append(self.mapEntries[i]['Offset'] -
self.mapEntries[i - 1]['Offset'])
self.attributesLen.append(
len(self.rawData) - self.mapEntries[i]['Offset'])
self.attributes = list()
for i, entry in enumerate(self.mapEntries):
attribute = VAULT_ATTRIBUTE(
self.rawData[entry['Offset']:][:self.attributesLen[i]])
self.attributes.append(attribute)
# Do we have remaining data?
self['Data'] = self.rawData[self.mapEntries[-1]['Offset'] +
len(self.attributes[-1].getData()):]
def __init__(self,data=None):
Structure.__init__(self,data)
if data is None:
self['UserName'] = ''
self['Password'] = ''
self['Database'] = ''
self['AtchDBFile'] = ''
def __init__(self, username = '', password = '', challenge = '', lmhash = '', nthash = '', flags = 0):
Structure.__init__(self)
self['session_key']=''
self['user_name']=username.encode('utf-16le')
self['domain_name']='' #"CLON".encode('utf-16le')
self['host_name']='' #"BETS".encode('utf-16le')
self['flags'] = ( #authResp['flags']
# we think (beto & gera) that his flags force a memory conten leakage when a windows 2000 answers using uninitializaed verifiers
NTLMSSP_KEY_128 |
NTLMSSP_KEY_EXCHANGE|
# NTLMSSP_LM_KEY |
NTLMSSP_NTLM_KEY |
NTLMSSP_UNICODE |
# NTLMSSP_ALWAYS_SIGN |
NTLMSSP_SIGN |
NTLMSSP_SEAL |
# NTLMSSP_TARGET |
0)
# Here we do the stuff
if username and ( lmhash != '' or nthash != ''):
self['lanman'] = get_ntlmv1_response(lmhash, challenge)
self['ntlm'] = get_ntlmv1_response(nthash, challenge)
elif (username and password):
lmhash = compute_lmhash(password)
nthash = compute_nthash(password)
self['lanman']=get_ntlmv1_response(lmhash, challenge)
self['ntlm']=get_ntlmv1_response(nthash, challenge) # This is not used for LM_KEY nor NTLM_KEY
else:
self['lanman'] = ''
self['ntlm'] = ''
if not self['host_name']:
self['host_name'] = 'NULL'.encode('utf-16le') # for NULL session there must be a hostname
def __init__(self, data = None, alignment = 0):
if len(data) >=16:
if data[0:1] == b'\x24' or data[0:1] == b'\x34':
self.structure = self.structureKDBM
else:
self.structure = self.structureKSSM
Structure.__init__(self, data, alignment)
def __init__(self, data=None, alignment=0):
Structure.__init__(self, data, alignment)
if data:
self.__array = ndrutils.NDRArray(data=self["Buffer"], itemClass=SHARE_INFO_1)
self["Buffer"] = self.__array
return
def __init__(self, data=None, alignment=0):
Structure.__init__(self, data, alignment)
if data:
self.__array = ndrutils.NDRArray(data=self['Buffer'],
itemClass=SESSION_INFO_502)
self['Buffer'] = self.__array
return
def __init__(self, data=None):
Structure.__init__(self, data)
if data is None:
self['UserName'] = ''
self['Password'] = ''
self['Database'] = ''
self['AtchDBFile'] = ''
def __init__(self, data=None, alignment=0):
if len(data) >= 16:
if data[0:1] == b'\x24' or data[0:1] == b'\x34':
self.structure = self.structureKDBM
else:
self.structure = self.structureKSSM
Structure.__init__(self, data, alignment)
def __init__(self):
Structure.__init__(self)
self['header'] = "NTLMSSP\x00"
self['message_type'] = 0x00000002
self['targetNameSecLen'] = 0x0000
self['targetNameSecAll'] = 0x0000
self['targetNameSecOff'] = 0x0000000030
self['flags'] = 0xe2898235
self['targetInfoSecLen'] = 0x0000
self['targetInfoSecAll'] = 0x0000
self['targetInfoSecOff'] = 0x0000000050
self['challenge'] = 'AAAAAAAA'
self['context'] = 8 * "\x00"
self['targetInfoSec'] = ''
self['targetName'] = ''
self['targetInfoType2'] = 0x0002
self['targetInfoDomainNameLen'] = 0x0000
self['targetInfoDomainName'] = ''
self['targetInfoType1'] = 0x0001
self['targetInfoServerNameLen'] = 0x0000
self['targetInfoServerName'] = ''
self['targetInfoType4'] = 0x0004
self['targetInfoDNSDomainNameLen'] = 0x0000
self['targetInfoDNSDomainName'] = ''
self['targetInfoType3'] = 0x0003
self['targetInfoDNSServerNameLen'] = 0x000
self['targetInfoDNSServerName'] = ''
self['terminatorBlock'] = 0x00000000
def __init__(self, data=None, alignment=0):
Structure.__init__(self, data, alignment)
if data is None:
self["cname"] = ""
self["username"] = ""
self["cltype_name"] = ""
self["transport"] = ""
return
def __init__(self, data=None, alignment=0):
Structure.__init__(self, data, alignment)
if data is None:
self['cname'] = ''
self['username'] = ''
self['cltype_name'] = ''
self['transport'] = ''
return
def __init__(self, data = None, alignment = 0):
Structure.__init__(self, data, alignment)
if data is None:
self['cname'] = ''
self['username'] = ''
self['cltype_name'] = ''
self['transport'] = ''
return
def __init__(self, data = None, alignment = 0):
self.__ctx_items = []
Structure.__init__(self,data,alignment)
if data is None:
self['Pad'] = ''
self['ctx_items'] = ''
self['sec_trailer'] = ''
self['auth_data'] = ''
def __init__(self, data=None, pcReturned=None):
Structure.__init__(self, data=data)
self['drivers'] = list()
remaining = data
if data is not None:
for i in range(pcReturned):
attr = DRIVER_INFO_2_BLOB(remaining)
self['drivers'].append(attr)
remaining = remaining[len(attr):]
def __init__(self, data=None, alignment=0):
if len(data) > 20:
if data[16:][:6] == b'\x00' * 6:
self.structure += self.padding
if unpack('<L', data[:4])[0] >= 100:
self.structure += self.id100
if len(data[16:]) >= 9:
self.structure += self.extended
Structure.__init__(self, data, alignment)
def __init__(self, data=None, alignment=0):
Structure.__init__(self, data, alignment)
if data is None:
self['max_tfrag'] = 4280
self['max_rfrag'] = 4280
self['assoc_group'] = 0
self['ctx_num'] = 1
self['ctx_items'] = ''
self.__ctx_items = []
def __init__(self, data = None, alignment = 0):
Structure.__init__(self, data, alignment)
if data is None:
self['max_tfrag'] = 4280
self['max_rfrag'] = 4280
self['assoc_group'] = 0
self['ctx_num'] = 1
self['ctx_items'] = ''
self.__ctx_items = []
def __init__(self, data = None, alignment = 0):
if len(data) > 20:
if data[16:][:6] == b'\x00'*6:
self.structure += self.padding
if unpack('<L',data[:4])[0] >= 100:
self.structure += self.id100
if len(data[16:]) >= 9:
self.structure += self.extended
Structure.__init__(self, data, alignment)
def __init__(self, data=None, alignment=0):
Structure.__init__(self, data, alignment)
self.attributes = 0
if data is not None:
# Unpack the attributes
remaining = self['Remaining']
self.attributes = list()
for i in range(self['AttrCount']):
attr = CREDENTIAL_ATTRIBUTE(remaining)
self.attributes.append(attr)
remaining = remaining[len(attr):]
def __init__(self, data = None, alignment = 0):
Structure.__init__(self, data, alignment)
self.attributes = 0
if data is not None:
# Unpack the attributes
remaining = self['Remaining']
self.attributes = list()
for i in range(self['AttrCount']):
attr = CREDENTIAL_ATTRIBUTE(remaining)
self.attributes.append(attr)
remaining = remaining[len(attr):]
def __init__(self, data=None, alignment=0):
Structure.__init__(self, data, alignment)
if data is None:
self['ver_major'] = 5
self['ver_minor'] = 0
self['flags'] = MSRPC_FIRSTFRAG | MSRPC_LASTFRAG
self['type'] = MSRPC_REQUEST
self.__frag_len_set = 0
self['auth_len'] = 0
self['pduData'] = ''
self['auth_data'] = ''
def __init__(self, data = None, alignment = 0):
Structure.__init__(self,data, alignment)
if data is None:
self['ver_major'] = 5
self['ver_minor'] = 0
self['flags'] = MSRPC_FIRSTFRAG | MSRPC_LASTFRAG
self['type'] = MSRPC_REQUEST
self.__frag_len_set = 0
self['auth_len'] = 0
self['pduData'] = ''
self['auth_data'] = ''
def __init__(self):
Structure.__init__(self)
self['flags'] = (
NTLMSSP_KEY_128 | NTLMSSP_KEY_EXCHANGE |
# NTLMSSP_LM_KEY |
NTLMSSP_NTLM_KEY | NTLMSSP_UNICODE |
# NTLMSSP_ALWAYS_SIGN |
NTLMSSP_SIGN | NTLMSSP_SEAL |
# NTLMSSP_TARGET |
0)
self['host_name'] = ''
self['domain_name'] = ''
def __init__(self):
Structure.__init__(self)
self['flags'] = (
NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_KEY_EXCH |
# NTLMSSP_LM_KEY |
NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_UNICODE |
# NTLMSSP_ALWAYS_SIGN |
NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_SEAL |
# NTLMSSP_TARGET |
0)
self['host_name'] = ''
self['domain_name'] = ''
self['os_version'] = ''
def __init__(self, version, revision, pageSize=8192, data=None):
if (version < 0x620) or (version == 0x620 and revision < 0x0b):
# For sure the old format
self.structure = self.structure_2003_SP0 + self.common
elif version == 0x620 and revision < 0x11:
# Exchange 2003 SP1 and Windows Vista and later
self.structure = self.structure_0x620_0x0b + self.common
else:
# Windows 7 and later
self.structure = self.structure_win7 + self.common
if pageSize > 8192:
self.structure += self.extended_win7
Structure.__init__(self,data)
def __init__(self, version, revision, pageSize=8192, data=None):
if (version < 0x620) or (version == 0x620 and revision < 0x0b):
# For sure the old format
self.structure = self.structure_2003_SP0 + self.common
elif version == 0x620 and revision < 0x11:
# Exchange 2003 SP1 and Windows Vista and later
self.structure = self.structure_0x620_0x0b + self.common
else:
# Windows 7 and later
self.structure = self.structure_win7 + self.common
if pageSize > 8192:
self.structure += self.extended_win7
Structure.__init__(self, data)
def __init__(self):
Structure.__init__(self)
self['flags']= (
NTLMSSP_KEY_128 |
NTLMSSP_KEY_EXCHANGE|
# NTLMSSP_LM_KEY |
NTLMSSP_NTLM_KEY |
NTLMSSP_UNICODE |
# NTLMSSP_ALWAYS_SIGN |
NTLMSSP_SIGN |
NTLMSSP_SEAL |
# NTLMSSP_TARGET |
0)
self['host_name']=''
self['domain_name']=''
def __init__(self):
Structure.__init__(self)
self['flags']= (
NTLMSSP_NEGOTIATE_128 |
NTLMSSP_NEGOTIATE_KEY_EXCH|
# NTLMSSP_LM_KEY |
NTLMSSP_NEGOTIATE_NTLM |
NTLMSSP_NEGOTIATE_UNICODE |
# NTLMSSP_ALWAYS_SIGN |
NTLMSSP_NEGOTIATE_SIGN |
NTLMSSP_NEGOTIATE_SEAL |
# NTLMSSP_TARGET |
0)
self['host_name']=''
self['domain_name']=''
self['os_version']=''
def __init__(self,data):
# Depending on the type of data we'll end up building a different struct
dataType = unpack('<H', data[4:][:2])[0]
self.structure = self.fixed
if dataType == CATALOG_TYPE_TABLE:
self.structure += self.other + self.table_stuff
elif dataType == CATALOG_TYPE_COLUMN:
self.structure += self.column_stuff
elif dataType == CATALOG_TYPE_INDEX:
self.structure += self.other + self.index_stuff
elif dataType == CATALOG_TYPE_LONG_VALUE:
self.structure += self.other + self.lv_stuff
elif dataType == CATALOG_TYPE_CALLBACK:
raise Exception('CallBack types not supported!')
else:
LOG.error('Unknown catalog type 0x%x' % dataType)
self.structure = ()
Structure.__init__(self,data)
self.structure += self.common
Structure.__init__(self,data)
def __init__(self, data):
# Depending on the type of data we'll end up building a different struct
dataType = unpack('<H', data[4:][:2])[0]
self.structure = self.fixed
if dataType == CATALOG_TYPE_TABLE:
self.structure += self.other + self.table_stuff
elif dataType == CATALOG_TYPE_COLUMN:
self.structure += self.column_stuff
elif dataType == CATALOG_TYPE_INDEX:
self.structure += self.other + self.index_stuff
elif dataType == CATALOG_TYPE_LONG_VALUE:
self.structure += self.other + self.lv_stuff
elif dataType == CATALOG_TYPE_CALLBACK:
raise Exception('CallBack types not supported!')
else:
LOG.error('Unknown catalog type 0x%x' % dataType)
self.structure = ()
Structure.__init__(self, data)
self.structure += self.common
Structure.__init__(self, data)
def __init__(self, data = None):
Structure.__init__(self,data)
if data is None:
self['AlignPad'] = ''
def __init__(self, data=None, alignment=0):
self.__ctx_items = []
Structure.__init__(self, data, alignment)
def __init__(self, data = None, alignment = 0):
Structure.__init__(self,data,alignment)
self['bType'] = TPUBLICKEYBLOB
self['bVersion'] = CUR_BLOB_VERSION
self['aiKeyAlg'] = CALG_DH_EPHEM
def __init__(self, data=None, alignment=0):
Structure.__init__(self, data, alignment)
if data is None:
self["netname"] = ""
self["remark"] = ""
return
def __init__(self, data = None, alignment = 0):
Structure.__init__(self,data,alignment)
self['magic'] = 0x31484400
self['bitlen'] = 1024
def __init__(self, flags = 0, **kargs):
if flags & NTLMSSP_NTLM2_KEY:
self.structure = self.extendedMessageSignature
else:
self.structure = self.MessageSignature
return Structure.__init__(self, **kargs)
def __init__(self, data = None):
Structure.__init__(self,data)
self['VariablePart']=''
def __init__(self, flags = 0, **kargs):
if flags & NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY:
self.structure = self.extendedMessageSignature
else:
self.structure = self.MessageSignature
return Structure.__init__(self, **kargs)
def __init__(self, flags, data=None):
if flags & TAG_COMMON > 0:
# Include the common header
self.structure = self.common + self.structure
return Structure.__init__(self, data)
def __init__(self, data=None):
Structure.__init__(self, data)
if data is None:
self['AlignPad'] = ''
def __init__(self, data = None):
Structure.__init__(self,data)
self['VariablePart']=''
def __init__(self, data=None, alignment=0):
Structure.__init__(self, data, alignment)
self.decryptedKey = None
def __init__(self, data = None):
Structure.__init__(self,data)
if data is None:
self['TreeID'] = 0
def __init__(self, data=None, alignment=0):
Structure.__init__(self, data, alignment)
self['magic'] = 0x31484400
self['bitlen'] = 1024
def __init__(self, data=None, alignment=0):
Structure.__init__(self, data, alignment)
self['publickeystruc'] = PUBLICKEYSTRUC().getData()
self['dhpubkey'] = DHPUBKEY().getData()
def __init__(self, data = None):
Structure.__init__(self,data)
self['UserData'] =''
def __init__(self, data = None, alignment = 0):
Structure.__init__(self, data, alignment)
self.decryptedKey = None
def __init__(self, data=None):
Structure.__init__(self, data)
if data is None:
self['TreeID'] = 0
def __init__(self, data = None, alignment = 0):
self.__ctx_items = []
Structure.__init__(self,data,alignment)
def __init__(self, data=None):
Structure.__init__(self, data=data)
def __init__(self, data = None, alignment = 0):
Structure.__init__(self,data,alignment)
self['publickeystruc'] = PUBLICKEYSTRUC().getData()
self['dhpubkey'] = DHPUBKEY().getData()
def __init__(self, data = None):
Structure.__init__(self,data)
self['UserData'] =''
def __init__(self, flags, data=None):
if flags & TAG_COMMON > 0:
# Include the common header
self.structure = self.common + self.structure
return Structure.__init__(self,data)
def __init__(self, flags=0, **kargs):
if flags & NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY:
self.structure = self.extendedMessageSignature
else:
self.structure = self.MessageSignature
return Structure.__init__(self, **kargs)
def __init__(self, data = None, alignment = 0):
Structure.__init__(self,data,alignment)
if data is None:
self['SupportedVersions'] = ''
