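def from_buffer(buff):
    """Parse an NTLM CHALLENGE_MESSAGE from a readable, seekable buffer.

    The fixed-size header is read in order; TargetName and TargetInfo are
    then located through their (length, offset) descriptors, which are
    absolute offsets from the message start. Those descriptors come off
    the wire from the peer, so every indirect read is checked for a short
    read before the bytes are decoded.

    Args:
        buff: binary file-like object positioned at the message start.

    Returns:
        Populated NTLMChallenge. The buffer is left at the start of the
        payload (just after the fixed header), as the other message
        parsers do, instead of wherever the last indirect read stopped.

    Raises:
        ValueError: if a field descriptor points outside the message.
    """
    t = NTLMChallenge()
    t.Signature = buff.read(8)
    t.MessageType = int.from_bytes(buff.read(4), byteorder='little', signed=False)
    t.TargetNameFields = Fields.from_buffer(buff)
    t.NegotiateFlags = NegotiateFlags(
        int.from_bytes(buff.read(4), byteorder='little', signed=False))
    t.ServerChallenge = buff.read(8)
    t.Reserved = buff.read(8)
    t.TargetInfoFields = Fields.from_buffer(buff)
    if t.NegotiateFlags & NegotiateFlags.NEGOTIATE_VERSION:
        t.Version = Version.from_buffer(buff)
    payload_start = buff.tell()
    t.Payload = buff.read()

    def _field_bytes(fields, name):
        # Follow a (length, offset) descriptor. A short read means the
        # offset/length from the wire does not fit inside the message;
        # fail loudly rather than hand truncated bytes to the decoders.
        buff.seek(fields.offset, io.SEEK_SET)
        raw = buff.read(fields.length)
        if len(raw) != fields.length:
            raise ValueError('{}: offset {} length {} exceeds message'.format(
                name, fields.offset, fields.length))
        return raw

    if t.TargetNameFields.length != 0:
        raw_data = _field_bytes(t.TargetNameFields, 'TargetName')
        try:
            t.TargetName = raw_data.decode('utf-16le')
        except UnicodeDecodeError:
            # Best-effort fallback kept from the original ("yet another cool
            # bug"): presumably some peers send a non-UTF-16 target name.
            t.TargetName = raw_data.decode('utf-8')
    if t.TargetInfoFields.length != 0:
        raw_data = _field_bytes(t.TargetInfoFields, 'TargetInfo')
        t.TargetInfo = AVPairs.from_bytes(raw_data)
    # Restore a deterministic position (start of payload), matching the
    # AUTHENTICATE parser, instead of leaving it after the last field read.
    buff.seek(payload_start, io.SEEK_SET)
    return t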
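def from_buffer(buff, _use_NTLMv2 = True):
    """Parse an NTLM AUTHENTICATE_MESSAGE from a readable, seekable buffer.

    The fixed-size header is read in order; the six variable-length fields
    are then located through their (length, offset) descriptors, which are
    absolute offsets from the message start. On a server those descriptors
    arrive from an unauthenticated peer, so each one is checked against
    the end of the message before it is followed.

    Args:
        buff: binary file-like object positioned at the message start.
        _use_NTLMv2: parse the challenge responses as LMv2/NTLMv2 when the
            NT response is longer than an NTLMv1 response (24 bytes);
            otherwise they are parsed as LM/NTLMv1.

    Returns:
        Populated NTLMAuthenticate. The buffer is left at the start of
        the payload (just after the fixed header).

    Raises:
        ValueError: if a field descriptor points outside the message.
        UnicodeDecodeError: if a name field is not valid UTF-16LE.
    """
    auth = NTLMAuthenticate(_use_NTLMv2)
    auth.Signature = buff.read(8)
    auth.MessageType = int.from_bytes(buff.read(4), byteorder = 'little', signed = False)
    auth.LmChallengeResponseFields = Fields.from_buffer(buff)
    auth.NtChallengeResponseFields = Fields.from_buffer(buff)
    auth.DomainNameFields = Fields.from_buffer(buff)
    auth.UserNameFields = Fields.from_buffer(buff)
    auth.WorkstationFields = Fields.from_buffer(buff)
    auth.EncryptedRandomSessionKeyFields = Fields.from_buffer(buff)
    auth.NegotiateFlags = NegotiateFlags(int.from_bytes(buff.read(4), byteorder = 'little', signed = False))
    if auth.NegotiateFlags & NegotiateFlags.NEGOTIATE_VERSION:
        auth.Version = Version.from_buffer(buff)
    # NOTE(review): the original author flagged this condition as untested.
    # MS-NLMP does not tie the presence of the 16-byte MIC field to
    # NEGOTIATE_ALWAYS_SIGN, so this is a heuristic: a peer that sets the
    # flag but sends no MIC yields 16 bytes of payload here. The absolute
    # field offsets below keep the rest of the parse correct either way,
    # but auth.MIC must not be treated as trustworthy until it is verified.
    if auth.NegotiateFlags & NegotiateFlags.NEGOTIATE_ALWAYS_SIGN:
        auth.MIC = buff.read(16)
    payload_start = buff.tell()
    auth.Payload = buff.read()
    message_end = buff.tell()

    def _locate(fields, name):
        # Reject a descriptor that reaches past the end of the message
        # before seeking, so bad offsets/lengths fail loudly instead of
        # silently short-reading into the decoders below.
        if fields.offset + fields.length > message_end:
            raise ValueError('{}: offset {} length {} exceeds message size {}'.format(
                name, fields.offset, fields.length, message_end))
        buff.seek(fields.offset, io.SEEK_SET)

    def _field_bytes(fields, name):
        _locate(fields, name)
        return buff.read(fields.length)

    if auth._use_NTLMv2 and auth.NtChallengeResponseFields.length > 24:
        _locate(auth.LmChallengeResponseFields, 'LmChallengeResponse')
        auth.LMChallenge = LMv2Response.from_buffer(buff)
        _locate(auth.NtChallengeResponseFields, 'NtChallengeResponse')
        auth.NTChallenge = NTLMv2Response.from_buffer(buff)
    else:
        _locate(auth.LmChallengeResponseFields, 'LmChallengeResponse')
        auth.LMChallenge = LMResponse.from_buffer(buff)
        _locate(auth.NtChallengeResponseFields, 'NtChallengeResponse')
        auth.NTChallenge = NTLMv1Response.from_buffer(buff)

    auth.DomainName = _field_bytes(auth.DomainNameFields, 'DomainName').decode('utf-16le')
    auth.UserName = _field_bytes(auth.UserNameFields, 'UserName').decode('utf-16le')
    auth.Workstation = _field_bytes(auth.WorkstationFields, 'Workstation').decode('utf-16le')
    auth.EncryptedRandomSession = _field_bytes(
        auth.EncryptedRandomSessionKeyFields, 'EncryptedRandomSessionKey')

    buff.seek(payload_start, io.SEEK_SET)
    return auth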
def test_msdn():
    """Drive a client NTLM handler through the MS-NLMP style exchange.

    Builds a client from a custom template (downgraded, no extended
    session security), produces the NEGOTIATE message, then feeds it a
    CHALLENGE carrying a hand-built target-info block and prints the
    resulting AUTHENTICATE message together with the LM/NT responses.
    Results are printed, not asserted.
    """
    credential = Credential()
    credential.username = '******'
    credential.domain = 'Domain'
    credential.password = '******'

    client_flags = (
        NegotiateFlags.NEGOTIATE_56
        | NegotiateFlags.REQUEST_NON_NT_SESSION_KEY
        | NegotiateFlags.NEGOTIATE_KEY_EXCH
        | NegotiateFlags.NEGOTIATE_128
        | NegotiateFlags.NEGOTIATE_VERSION
        | NegotiateFlags.TARGET_TYPE_SERVER
        | NegotiateFlags.NEGOTIATE_ALWAYS_SIGN
        | NegotiateFlags.NEGOTIATE_NTLM
        | NegotiateFlags.NEGOTIATE_SIGN
        | NegotiateFlags.NEGOTIATE_SEAL
        | NegotiateFlags.NTLM_NEGOTIATE_OEM
        | NegotiateFlags.NEGOTIATE_UNICODE
    )
    client_version = Version.construct(
        WindowsMajorVersion.WINDOWS_MAJOR_VERSION_10,
        minor = WindowsMinorVersion.WINDOWS_MINOR_VERSION_0,
        build = 15063,
    )
    template = dict(
        flags = client_flags,
        version = client_version,
        domain_name = 'Domain',
        workstation_name = 'COMPUTER',
        ntlm_downgrade = True,
        extended_security = False,
    )
    settings = NTLMHandlerSettings(
        credential,
        mode = 'CLIENT',
        template_name = None,
        ntlm_downgrade = True,
        extended_security = False,
        custom_template = template,
    )
    handler = NTLMAUTHHandler(settings)
    # Not asserted: the expected negotiated flags for this template are the
    # little-endian bytes b'\x33\x82\x02\xe2'.

    # Step 1: NEGOTIATE message.
    data, is_res = handler.authenticate(None)
    print(data)
    print(is_res)

    # Step 2: hand-built CHALLENGE with a fixed server challenge and AV pairs.
    target_info = AVPairs({
        AVPAIRType.MsvAvNbDomainName: 'TEST',
        AVPAIRType.MsvAvNbComputerName: 'WIN2019AD',
        AVPAIRType.MsvAvDnsDomainName: 'test.corp',
        AVPAIRType.MsvAvDnsComputerName: 'WIN2019AD.test.corp',
        AVPAIRType.MsvAvTimestamp: b'\xae\xc6\x00\xbf\xc5\xfd\xd4\x01',
        AVPAIRType.MsvAvFlags: b'\x02\x00\x00\x00',
        AVPAIRType.MsvAvSingleHost: b"0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 \x00\x00R}'\xf24\xdet7`\x96c\x84\xd3oa\xae*\xa4\xfc*8\x06\x99\xf8\xca\xa6\x00\x01\x1bHm\x89",
        AVPAIRType.MsvChannelBindings: b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00',
        AVPAIRType.MsvAvTargetName: 'cifs/10.10.10.2',
    })
    challenge = NTLMChallenge.construct(
        challenge = b'\x01\x23\x45\x67\x89\xab\xcd\xef',
        targetName = 'Domain',
        targetInfo = target_info,
        version = handler.ntlmNegotiate.Version,
        flags = handler.flags,
    )

    # Step 3: AUTHENTICATE message and the two challenge responses.
    data, is_res = handler.authenticate(challenge.to_bytes())
    print(data)
    print(is_res)
    print(handler.ntlmAuthenticate.LMChallenge.to_bytes().hex())
    print(handler.ntlmAuthenticate.NTChallenge.to_bytes().hex())
from aiosmb.authentication.ntlm.structures.fields import Fields
from aiosmb.authentication.ntlm.structures.negotiate_flags import NegotiateFlags
from aiosmb.authentication.ntlm.structures.version import Version
from aiosmb.authentication.ntlm.structures.avpair import AVPairs, AVPAIRType

# Negotiate flags the "Windows2003" server template advertises in its
# CHALLENGE_MESSAGE.
_WINDOWS2003_FLAGS = (
    NegotiateFlags.NEGOTIATE_56
    | NegotiateFlags.NEGOTIATE_128
    | NegotiateFlags.NEGOTIATE_VERSION
    | NegotiateFlags.NEGOTIATE_TARGET_INFO
    | NegotiateFlags.NEGOTIATE_EXTENDED_SESSIONSECURITY
    | NegotiateFlags.TARGET_TYPE_DOMAIN
    | NegotiateFlags.NEGOTIATE_NTLM
    | NegotiateFlags.REQUEST_TARGET
    | NegotiateFlags.NEGOTIATE_UNICODE
)

# Server-side CHALLENGE templates keyed by the emulated server name. Each
# entry supplies the negotiate flags, the raw Version blob, the AV-pair
# target info and the target name the server presents to clients.
NTLMServerTemplates = {
    "Windows2003": {
        'flags': _WINDOWS2003_FLAGS,
        'version': Version.from_bytes(b"\x05\x02\xce\x0e\x00\x00\x00\x0f"),
        'targetinfo': AVPairs({
            AVPAIRType.MsvAvNbDomainName: 'SMB',
            AVPAIRType.MsvAvNbComputerName: 'SMB-TOOLKIT',
            AVPAIRType.MsvAvDnsDomainName: 'smb.local',
            AVPAIRType.MsvAvDnsComputerName: 'server2003.smb.local',
            AVPAIRType.MsvAvDnsTreeName: 'smb.local',
        }),
        'targetname': 'SMB',
    },
}
from aiosmb.authentication.ntlm.structures.negotiate_flags import NegotiateFlags from aiosmb.authentication.ntlm.structures.version import Version, WindowsMajorVersion, WindowsMinorVersion NTLMClientTemplates = { "Windows10_15063": { 'flags': NegotiateFlags.NEGOTIATE_56 | NegotiateFlags.NEGOTIATE_KEY_EXCH | NegotiateFlags.NEGOTIATE_128 | NegotiateFlags.NEGOTIATE_VERSION | NegotiateFlags.NEGOTIATE_EXTENDED_SESSIONSECURITY | NegotiateFlags.NEGOTIATE_ALWAYS_SIGN | NegotiateFlags.NEGOTIATE_NTLM | NegotiateFlags.NEGOTIATE_LM_KEY | NegotiateFlags.NEGOTIATE_SIGN | NegotiateFlags.REQUEST_TARGET | NegotiateFlags.NTLM_NEGOTIATE_OEM | NegotiateFlags.NEGOTIATE_UNICODE, 'version': Version.construct(WindowsMajorVersion.WINDOWS_MAJOR_VERSION_10, minor=WindowsMinorVersion.WINDOWS_MINOR_VERSION_0, build=15063), 'domain_name': None, 'workstation_name': None, 'ntlm_downgrade': False, }, "Windows10_15063_knowkey": { 'flags': NegotiateFlags.NEGOTIATE_56 | NegotiateFlags.NEGOTIATE_KEY_EXCH | NegotiateFlags.NEGOTIATE_128 | NegotiateFlags.NEGOTIATE_VERSION | NegotiateFlags.NEGOTIATE_EXTENDED_SESSIONSECURITY | NegotiateFlags.NEGOTIATE_ALWAYS_SIGN | NegotiateFlags.NEGOTIATE_NTLM | NegotiateFlags.NEGOTIATE_LM_KEY | NegotiateFlags.NEGOTIATE_SIGN