def __init__(self, data=None, alignment=0): Structure.__init__(self, data, alignment) if data is not None: # Process the MAP entries self.mapEntries = list() data = self['AttributeMaps'] for i in range(self['AttributesMapsSize'] // len(VAULT_ATTRIBUTE_MAP_ENTRY())): entry = VAULT_ATTRIBUTE_MAP_ENTRY(data) self.mapEntries.append(entry) data = data[len(VAULT_ATTRIBUTE_MAP_ENTRY()):] self.attributesLen = list() for i in range(len(self.mapEntries)): if i > 0: self.attributesLen.append(self.mapEntries[i]['Offset'] - self.mapEntries[i - 1]['Offset']) self.attributesLen.append( len(self.rawData) - self.mapEntries[i]['Offset']) self.attributes = list() for i, entry in enumerate(self.mapEntries): attribute = VAULT_ATTRIBUTE( self.rawData[entry['Offset']:][:self.attributesLen[i]]) self.attributes.append(attribute) # Do we have remaining data? self['Data'] = self.rawData[self.mapEntries[-1]['Offset'] + len(self.attributes[-1].getData()):]
def fromString(self, data): Structure.fromString(self, data) # [MS-NLMP] page 27 # Payload data can be present in any order within the Payload field, # with variable-length padding before or after the data domain_offset = self['domain_offset'] domain_end = self['domain_len'] + domain_offset self['domain_name'] = data[domain_offset:domain_end] host_offset = self['host_offset'] host_end = self['host_len'] + host_offset self['host_name'] = data[host_offset:host_end] user_offset = self['user_offset'] user_end = self['user_len'] + user_offset self['user_name'] = data[user_offset:user_end] ntlm_offset = self['ntlm_offset'] ntlm_end = self['ntlm_len'] + ntlm_offset self['ntlm'] = data[ntlm_offset:ntlm_end] lanman_offset = self['lanman_offset'] lanman_end = self['lanman_len'] + lanman_offset self['lanman'] = data[lanman_offset:lanman_end]
def __init__(self, data=None, alignment=0): if len(data) >= 16: if data[0:1] == b'\x24' or data[0:1] == b'\x34': self.structure = self.structureKDBM else: self.structure = self.structureKSSM Structure.__init__(self, data, alignment)
def __init__(self, data=None, alignment=0): if len(data) > 20: if data[16:][:6] == b'\x00' * 6: self.structure += self.padding if unpack('<L', data[:4])[0] >= 100: self.structure += self.id100 if len(data[16:]) >= 9: self.structure += self.extended Structure.__init__(self, data, alignment)
def __init__(self, data=None, alignment=0): Structure.__init__(self, data, alignment) self.attributes = 0 if data is not None: # Unpack the attributes remaining = self['Remaining'] self.attributes = list() for i in range(self['AttrCount']): attr = CREDENTIAL_ATTRIBUTE(remaining) self.attributes.append(attr) remaining = remaining[len(attr):]
def fromString(self, data): self.aces = [] Structure.fromString(self, data) for i in range(self['AceCount']): # If we don't have any data left, return if len(self['Data']) == 0: raise Exception, "ACL header indicated there are more ACLs to unpack, but there is no more data" ace = ACE(data=self['Data']) self.aces.append(ace) self['Data'] = self['Data'][ace['AceSize']:] self['Data'] = self.aces
def __init__(self, version, revision, pageSize=8192, data=None): if (version < 0x620) or (version == 0x620 and revision < 0x0b): # For sure the old format self.structure = self.structure_2003_SP0 + self.common elif version == 0x620 and revision < 0x11: # Exchange 2003 SP1 and Windows Vista and later self.structure = self.structure_0x620_0x0b + self.common else: # Windows 7 and later self.structure = self.structure_win7 + self.common if pageSize > 8192: self.structure += self.extended_win7 Structure.__init__(self, data)
def __init__(self): Structure.__init__(self) self['flags'] = ( NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_KEY_EXCH | # NTLMSSP_LM_KEY | NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_UNICODE | # NTLMSSP_ALWAYS_SIGN | NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_SEAL | # NTLMSSP_TARGET | 0) self['host_name'] = '' self['domain_name'] = '' self['os_version'] = '' self._workstation = ''
def getData(self): # Set the correct flags if self['ObjectType'] != '': self['Flags'] |= self.ACE_OBJECT_TYPE_PRESENT if self['InheritedObjectType'] != '': self['Flags'] |= self.ACE_INHERITED_OBJECT_TYPE_PRESENT return Structure.getData(self)
def fromString(self, data): Structure.fromString(self, data) domain_offset = self['domain_offset'] domain_end = self['domain_len'] + domain_offset self['domain_name'] = data[domain_offset:domain_end] host_offset = self['host_offset'] host_end = self['host_len'] + host_offset self['host_name'] = data[host_offset:host_end] hasOsInfo = self['flags'] & NTLMSSP_NEGOTIATE_VERSION if len(data) >= 36 and hasOsInfo: self['os_version'] = data[32:40] else: self['os_version'] = ''
def getData(self): headerlen = 20 # Reconstruct the security descriptor # flags are currently not set automatically # TODO: do this? datalen = 0 if self['Sacl'] != '': self['OffsetSacl'] = headerlen + datalen datalen += len(self['Sacl'].getData()) else: self['OffsetSacl'] = 0 if self['Dacl'] != '': self['OffsetDacl'] = headerlen + datalen datalen += len(self['Dacl'].getData()) else: self['OffsetDacl'] = 0 if self['OwnerSid'] != '': self['OffsetOwner'] = headerlen + datalen datalen += len(self['OwnerSid'].getData()) else: self['OffsetOwner'] = 0 if self['GroupSid'] != '': self['OffsetGroup'] = headerlen + datalen datalen += len(self['GroupSid'].getData()) else: self['OffsetGroup'] = 0 return Structure.getData(self)
def getData(self): self['AceCount'] = len(self.aces) # We modify the data field to be able to use the # parent class parsing self['Data'] = ''.join([ace.getData() for ace in self.aces]) self['AclSize'] = len( self['Data']) + 8 # Header size (8 bytes) is included data = Structure.getData(self) # Put the ACEs back in data self['Data'] = self.aces return data
def getData(self): self['domain_offset'] = 64 + self.checkMIC( self["flags"]) + self.checkVersion(self["flags"]) self['user_offset'] = 64 + self.checkMIC( self["flags"]) + self.checkVersion(self["flags"]) + len( self['domain_name']) self['host_offset'] = self['user_offset'] + len(self['user_name']) self['lanman_offset'] = self['host_offset'] + len(self['host_name']) self['ntlm_offset'] = self['lanman_offset'] + len(self['lanman']) self['session_key_offset'] = self['ntlm_offset'] + len(self['ntlm']) return Structure.getData(self)
def __init__(self, username='', password='', challenge='', lmhash='', nthash='', flags=0): Structure.__init__(self) self['session_key'] = '' self['user_name'] = username.encode('utf-16le') self['domain_name'] = '' #"CLON".encode('utf-16le') self['host_name'] = '' #"BETS".encode('utf-16le') self['flags'] = ( #authResp['flags'] # we think (beto & gera) that his flags force a memory conten leakage when a windows 2000 answers using # uninitializaed verifiers NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_KEY_EXCH | # NTLMSSP_LM_KEY | NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_UNICODE | # NTLMSSP_ALWAYS_SIGN | NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_SEAL | # NTLMSSP_TARGET | 0) # Here we do the stuff if username and (lmhash != '' or nthash != ''): self['lanman'] = get_ntlmv1_response(lmhash, challenge) self['ntlm'] = get_ntlmv1_response(nthash, challenge) elif username and password: lmhash = compute_lmhash(password) nthash = compute_nthash(password) self['lanman'] = get_ntlmv1_response(lmhash, challenge) self['ntlm'] = get_ntlmv1_response( nthash, challenge) # This is not used for LM_KEY nor NTLM_KEY else: self['lanman'] = '' self['ntlm'] = '' if not self['host_name']: self['host_name'] = 'NULL'.encode( 'utf-16le') # for NULL session there must be a hostname
def getData(self): if RECALC_ACE_SIZE or 'AceSize' not in self.fields: self['AceSize'] = len( self['Ace'].getData()) + 4 # Header size (4 bytes) is included if self['AceSize'] % 4 != 0: # Make sure the alignment is correct self['AceSize'] += self['AceSize'] % 4 data = Structure.getData(self) # For some reason ACEs are sometimes longer than they need to be # we fill this space up with null bytes to make sure the object # we create is identical to the original object if len(data) < self['AceSize']: data += '\x00' * (self['AceSize'] - len(data)) return data
def __init__(self, data): # Depending on the type of data we'll end up building a different struct dataType = unpack('<H', data[4:][:2])[0] self.structure = self.fixed if dataType == CATALOG_TYPE_TABLE: self.structure += self.other + self.table_stuff elif dataType == CATALOG_TYPE_COLUMN: self.structure += self.column_stuff elif dataType == CATALOG_TYPE_INDEX: self.structure += self.other + self.index_stuff elif dataType == CATALOG_TYPE_LONG_VALUE: self.structure += self.other + self.lv_stuff elif dataType == CATALOG_TYPE_CALLBACK: raise Exception('CallBack types not supported!') else: LOG.error('Unknown catalog type 0x%x' % dataType) self.structure = () Structure.__init__(self, data) self.structure += self.common Structure.__init__(self, data)
def fromString(self, data): Structure.fromString(self, data) # All these fields are optional, if the offset is 0 they are empty # there are also flags indicating if they are present # TODO: parse those if it adds value if self['OffsetOwner'] != 0: self['OwnerSid'] = LDAP_SID(data=data[self['OffsetOwner']:]) else: self['OwnerSid'] = '' if self['OffsetGroup'] != 0: self['GroupSid'] = LDAP_SID(data=data[self['OffsetGroup']:]) else: self['GroupSid'] = '' if self['OffsetSacl'] != 0: self['Sacl'] = ACL(data=data[self['OffsetSacl']:]) else: self['Sacl'] = '' if self['OffsetDacl'] != 0: self['Dacl'] = ACL(data=data[self['OffsetDacl']:]) else: self['Sacl'] = ''
def getData(self): if len(self.fields['host_name']) > 0: self['flags'] |= NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED if len(self.fields['domain_name']) > 0: self['flags'] |= NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED if len(self.fields['os_version']) > 0: self['flags'] |= NTLMSSP_NEGOTIATE_VERSION if (self['flags'] & NTLMSSP_NEGOTIATE_VERSION) == NTLMSSP_NEGOTIATE_VERSION: version_len = 8 else: version_len = 0 if (self['flags'] & NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED ) == NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED: self['host_offset'] = 32 + version_len if (self['flags'] & NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED ) == NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED: self['domain_offset'] = 32 + len(self['host_name']) + version_len return Structure.getData(self)
def fromString(self, data): # This will parse the header Structure.fromString(self, data) # Now we parse the ACE body according to its type self['TypeName'] = ACE_TYPE_MAP[self['AceType']].__name__ self['Ace'] = ACE_TYPE_MAP[self['AceType']](data=self['Ace'])
def __init__(self, data=None, alignment=0): Structure.__init__(self, data, alignment) self.decryptedKey = None
def __init__(self, flags=0, **kargs): if flags & NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY: self.structure = self.extendedMessageSignature else: self.structure = self.MessageSignature return Structure.__init__(self, **kargs)
def __init__(self, data=None, alignment=0): Structure.__init__(self, data, alignment) self['magic'] = 0x31484400 self['bitlen'] = 1024
def fromString(self, data): Structure.fromString(self, data)
def __init__(self, flags, data=None): if flags & TAG_COMMON > 0: # Include the common header self.structure = self.common + self.structure Structure.__init__(self, data)
def fromString(self, data): Structure.fromString(self, data) if data is not None: bioKey = BCRYPT_KEY_DATA_BLOB_HEADER( unhexlify(self['BioKey'].decode('utf-16le')[:-1])) self['BioKey'] = bioKey
def getData(self): if self['TargetInfoFields'] is not None and type( self['TargetInfoFields']) is not str: raw_av_fields = self['TargetInfoFields'].getData() self['TargetInfoFields'] = raw_av_fields return Structure.getData(self)
def __init__(self, data=None, alignment=0): Structure.__init__(self, data, alignment) self['bType'] = TPUBLICKEYBLOB self['bVersion'] = CUR_BLOB_VERSION self['aiKeyAlg'] = CALG_DH_EPHEM
def fromString(self, data): Structure.fromString(self, data) self['domain_name'] = data[self['domain_offset']:][:self['domain_len']] self['TargetInfoFields'] = data[ self['TargetInfoFields_offset']:][:self['TargetInfoFields_len']] return self
def __init__(self, data=None, alignment=0): Structure.__init__(self, data, alignment) self['publickeystruc'] = str(PUBLICKEYSTRUC()) self['dhpubkey'] = str(DHPUBKEY())
def __init__(self, data = None): Structure.__init__(self,data) if data is None: self['AlignPad'] = ''