def __init__(self, negotiate_flags, exported_session_key, source="client"): """ Initialises a security session context that can be used by libraries that call ntlm-auth to sign and seal messages send to the server as well as verify and unseal messages that have been received from the server. This is similar to the GSS_Wrap functions specified in the MS-NLMP document which does the same task. :param negotiate_flags: The negotiate flag structure that has been negotiated with the server :param exported_session_key: A 128-bit session key used to derive signing and sealing keys :param source: The source of the message, only used in test scenarios when testing out a server sealing and unsealing """ self.negotiate_flags = negotiate_flags self.exported_session_key = exported_session_key self.outgoing_seq_num = 0 self.incoming_seq_num = 0 client_sealing_key = \ compkeys.get_seal_key(self.negotiate_flags, exported_session_key, SignSealConstants.CLIENT_SEALING) server_sealing_key = \ compkeys.get_seal_key(self.negotiate_flags, exported_session_key, SignSealConstants.SERVER_SEALING) if source == "client": self.outgoing_signing_key = \ compkeys.get_sign_key(exported_session_key, SignSealConstants.CLIENT_SIGNING) self.incoming_signing_key = \ compkeys.get_sign_key(exported_session_key, SignSealConstants.SERVER_SIGNING) self.outgoing_handle = ARC4(client_sealing_key) self.incoming_handle = ARC4(server_sealing_key) elif source == "server": self.outgoing_signing_key = \ compkeys.get_sign_key(exported_session_key, SignSealConstants.SERVER_SIGNING) self.incoming_signing_key = \ compkeys.get_sign_key(exported_session_key, SignSealConstants.CLIENT_SIGNING) self.outgoing_handle = ARC4(server_sealing_key) self.incoming_handle = ARC4(client_sealing_key) else: raise ValueError("Invalid source parameter %s, must be client " "or server" % source)
def test_get_seal_key_ntlm2_128(self): test_flags = 3800728115 expected = b"\x59\xf6\x00\x97\x3c\xc4\x96\x0a" \ b"\x25\x48\x0a\x7c\x19\x6e\x4c\x58" exported_session_key = b"\x55" * 16 actual = compute_keys.get_seal_key(test_flags, exported_session_key, SignSealConstants.CLIENT_SEALING) assert actual == expected
def test_get_seal_key_no_flag(self): test_flags = NegotiateFlags.NTLMSSP_NEGOTIATE_SIGN | \ NegotiateFlags.NTLMSSP_NEGOTIATE_SEAL expected = b"\x55" * 16 exported_session_key = expected actual = compute_keys.get_seal_key(test_flags, exported_session_key, SignSealConstants.CLIENT_SEALING) assert actual == expected
def test_get_seal_key_ntlm2_128(self): test_flags = ntlmv2_negotiate_flags test_exported_session_key = session_base_key expected = ntlmv2_seal_key actual = compkeys.get_seal_key(test_flags, test_exported_session_key, SignSealConstants.CLIENT_SEALING) assert actual == expected
def __init__(self, negotiate_flags, exported_session_key, source="client"): self.negotiate_flags = negotiate_flags self.outgoing_seq_num = 0 self.incoming_seq_num = 0 client_sealing_key = compkeys.get_seal_key(self.negotiate_flags, exported_session_key, SignSealConstants.CLIENT_SEALING) server_sealing_key = compkeys.get_seal_key(self.negotiate_flags, exported_session_key, SignSealConstants.SERVER_SEALING) if source == "client": self.outgoing_signing_key = compkeys.get_sign_key(exported_session_key, SignSealConstants.CLIENT_SIGNING) self.incoming_signing_key = compkeys.get_sign_key(exported_session_key, SignSealConstants.SERVER_SIGNING) self.outgoing_handle = ARC4(client_sealing_key) self.incoming_handle = ARC4(server_sealing_key) elif source == "server": self.outgoing_signing_key = compkeys.get_sign_key(exported_session_key, SignSealConstants.SERVER_SIGNING) self.incoming_signing_key = compkeys.get_sign_key(exported_session_key, SignSealConstants.CLIENT_SIGNING) self.outgoing_handle = ARC4(server_sealing_key) self.incoming_handle = ARC4(client_sealing_key) else: raise Exception("Invalid source parameter %s, must be client or server" % source)
def test_get_seal_key_ntlm1_40(self): test_flags = NegotiateFlags.NTLMSSP_NEGOTIATE_SIGN | \ NegotiateFlags.NTLMSSP_NEGOTIATE_SEAL | \ NegotiateFlags.NTLMSSP_NEGOTIATE_LM_KEY # Not in document, custom test expected = b"\x55\x55\x55\x55\x55\xe5\x38\xb0" exported_session_key = b"\x55" * 16 actual = compute_keys.get_seal_key(test_flags, exported_session_key, SignSealConstants.CLIENT_SEALING) assert actual == expected
def test_get_seal_key_no_flag(self): test_flags = NegotiateFlags.NTLMSSP_NEGOTIATE_SIGN | \ NegotiateFlags.NTLMSSP_NEGOTIATE_SEAL test_exported_session_key = session_base_key expected = session_base_key actual = compkeys.get_seal_key(test_flags, test_exported_session_key, SignSealConstants.CLIENT_SEALING) assert actual == expected
def test_get_seal_key_ntlm2_56(self): test_flags = ntlmv1_with_ess_negotiate_flags test_session_base_key = ntlmv1_with_ess_session_base_key test_exported_session_key = compkeys._get_exchange_key_ntlm_v1( test_flags, test_session_base_key, server_challenge, ntlmv1_with_ess_lmv1_response, ntlmv1_with_ess_lmowfv1) expected = ntlmv1_with_ess_seal_key actual = compkeys.get_seal_key(test_flags, test_exported_session_key, SignSealConstants.CLIENT_SEALING) assert actual == expected
def test_get_seal_key_ntlm1_40(self): test_flags = NegotiateFlags.NTLMSSP_NEGOTIATE_SIGN | \ NegotiateFlags.NTLMSSP_NEGOTIATE_SEAL | \ NegotiateFlags.NTLMSSP_NEGOTIATE_LM_KEY test_exported_session_key = session_base_key # Not in document, custom test expected = HexToByte('55 55 55 55 55 e5 38 b0') actual = compkeys.get_seal_key(test_flags, test_exported_session_key, SignSealConstants.CLIENT_SEALING) assert actual == expected
def test_get_seal_key_ntlm2_40(self): test_flags = NegotiateFlags.NTLMSSP_NEGOTIATE_SIGN | \ NegotiateFlags.NTLMSSP_NEGOTIATE_SEAL | \ NegotiateFlags.NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY test_session_base_key = ntlmv1_with_ess_session_base_key test_exported_session_key = compkeys._get_exchange_key_ntlm_v1( test_flags, test_session_base_key, server_challenge, ntlmv1_with_ess_lmv1_response, ntlmv1_with_ess_lmowfv1) # Not in document, custom test expected = HexToByte('26 b2 c1 e7 7b e4 53 3d 55 5a 22 0a 0f de b9 6c') actual = compkeys.get_seal_key(test_flags, test_exported_session_key, SignSealConstants.CLIENT_SEALING) assert actual == expected
def test_get_seal_key_ntlm2_56(self): test_flags = 2181726771 expected = b"\x04\xdd\x7f\x01\x4d\x85\x04\xd2" \ b"\x65\xa2\x5c\xc8\x6a\x3a\x7c\x06" session_base_key = b"\xd8\x72\x62\xb0\xcd\xe4\xb1\xcb" \ b"\x74\x99\xbe\xcc\xcd\xf1\x07\x84" server_challenge = b"\x01\x23\x45\x67\x89\xab\xcd\xef" lm_challenge_response = b"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" \ b"\x00\x00\x00\x00\x00\x00\x00\x00" \ b"\x00\x00\x00\x00\x00\x00\x00\x00" lm_hash = b"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" \ b"\x00\x00\x00\x00\x00\x00\x00\x00" exported_session_key = compute_keys._get_exchange_key_ntlm_v1( test_flags, session_base_key, server_challenge, lm_challenge_response, lm_hash) actual = compute_keys.get_seal_key(test_flags, exported_session_key, SignSealConstants.CLIENT_SEALING) assert actual == expected
def test_get_seal_key_ntlm2_40(self): test_flags = NegotiateFlags.NTLMSSP_NEGOTIATE_SIGN | \ NegotiateFlags.NTLMSSP_NEGOTIATE_SEAL | \ NegotiateFlags.NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY # Not in document, custom test expected = b"\x26\xb2\xc1\xe7\x7b\xe4\x53\x3d" \ b"\x55\x5a\x22\x0a\x0f\xde\xb9\x6c" session_base_key = b"\xd8\x72\x62\xb0\xcd\xe4\xb1\xcb" \ b"\x74\x99\xbe\xcc\xcd\xf1\x07\x84" server_challenge = b"\x01\x23\x45\x67\x89\xab\xcd\xef" lm_challenge_response = b"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" \ b"\x00\x00\x00\x00\x00\x00\x00\x00" \ b"\x00\x00\x00\x00\x00\x00\x00\x00" lm_hash = b"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" \ b"\x00\x00\x00\x00\x00\x00\x00\x00" exported_session_key = compute_keys._get_exchange_key_ntlm_v1( test_flags, session_base_key, server_challenge, lm_challenge_response, lm_hash) actual = compute_keys.get_seal_key(test_flags, exported_session_key, SignSealConstants.CLIENT_SEALING) assert actual == expected