def from_buffer(buff): t = NTLMChallenge() t.Signature = buff.read(8) t.MessageType = int.from_bytes(buff.read(4), byteorder='little', signed=False) t.TargetNameFields = Fields.from_buffer(buff) t.NegotiateFlags = NegotiateFlags( int.from_bytes(buff.read(4), byteorder='little', signed=False)) t.ServerChallenge = buff.read(8) t.Reserved = buff.read(8) t.TargetInfoFields = Fields.from_buffer(buff) if t.NegotiateFlags & NegotiateFlags.NEGOTIATE_VERSION: t.Version = Version.from_buffer(buff) currPos = buff.tell() t.Payload = buff.read() if t.TargetNameFields.length != 0: buff.seek(t.TargetNameFields.offset, io.SEEK_SET) raw_data = buff.read(t.TargetNameFields.length) try: t.TargetName = raw_data.decode('utf-16le') except UnicodeDecodeError: # yet another cool bug. t.TargetName = raw_data.decode('utf-8') if t.TargetInfoFields.length != 0: buff.seek(t.TargetInfoFields.offset, io.SEEK_SET) raw_data = buff.read(t.TargetInfoFields.length) t.TargetInfo = AVPairs.from_bytes(raw_data) return t
def from_buffer(buff): t = NTLMNegotiate() t.Signature = buff.read(8) t.MessageType = int.from_bytes(buff.read(4), byteorder='little', signed=False) t.NegotiateFlags = NegotiateFlags( int.from_bytes(buff.read(4), byteorder='little', signed=False)) t.DomainNameFields = Fields.from_buffer(buff) t.WorkstationFields = Fields.from_buffer(buff) if t.NegotiateFlags & NegotiateFlags.NEGOTIATE_VERSION: t.Version = Version.from_buffer(buff) currPos = buff.tell() t.Payload = buff.read() #currPos = buff.tell() if t.DomainNameFields.length != 0: buff.seek(t.DomainNameFields.offset, io.SEEK_SET) raw_data = buff.read(t.WorkstationFields.length) #print(raw_data) #print(t.DomainNameFields.length) try: t.Domain = raw_data.decode('utf-16le') except UnicodeDecodeError: # yet another cool bug. t.Domain = raw_data.decode('utf-8') if t.WorkstationFields.length != 0: buff.seek(t.WorkstationFields.offset, io.SEEK_SET) raw_data = buff.read(t.WorkstationFields.length) try: t.Workstation = raw_data.decode('utf-16le') except UnicodeDecodeError: # yet another cool bug. t.Workstation = raw_data.decode('utf-8') #buff.seek(currPos, io.SEEK_SET) return t
def from_buffer(buff, _use_NTLMv2=True): auth = NTLMAuthenticate(_use_NTLMv2) auth.Signature = buff.read(8) auth.MessageType = int.from_bytes(buff.read(4), byteorder='little', signed=False) auth.LmChallengeResponseFields = Fields.from_buffer(buff) auth.NtChallengeResponseFields = Fields.from_buffer(buff) auth.DomainNameFields = Fields.from_buffer(buff) auth.UserNameFields = Fields.from_buffer(buff) auth.WorkstationFields = Fields.from_buffer(buff) auth.EncryptedRandomSessionKeyFields = Fields.from_buffer(buff) auth.NegotiateFlags = NegotiateFlags( int.from_bytes(buff.read(4), byteorder='little', signed=False)) if auth.NegotiateFlags & NegotiateFlags.NEGOTIATE_VERSION: auth.Version = Version.from_buffer(buff) # TODO: I'm not sure about this condition!!! Need to test this! if auth.NegotiateFlags & NegotiateFlags.NEGOTIATE_ALWAYS_SIGN: auth.MIC = buff.read(16) currPos = buff.tell() auth.Payload = buff.read() if auth._use_NTLMv2 and auth.NtChallengeResponseFields.length > 24: buff.seek(auth.LmChallengeResponseFields.offset, io.SEEK_SET) auth.LMChallenge = LMv2Response.from_buffer(buff) buff.seek(auth.NtChallengeResponseFields.offset, io.SEEK_SET) auth.NTChallenge = NTLMv2Response.from_buffer(buff) else: buff.seek(auth.LmChallengeResponseFields.offset, io.SEEK_SET) auth.LMChallenge = LMResponse.from_buffer(buff) buff.seek(auth.NtChallengeResponseFields.offset, io.SEEK_SET) auth.NTChallenge = NTLMv1Response.from_buffer(buff) buff.seek(auth.DomainNameFields.offset, io.SEEK_SET) auth.DomainName = buff.read( auth.DomainNameFields.length).decode('utf-16le') buff.seek(auth.UserNameFields.offset, io.SEEK_SET) auth.UserName = buff.read( auth.UserNameFields.length).decode('utf-16le') buff.seek(auth.WorkstationFields.offset, io.SEEK_SET) auth.Workstation = buff.read( auth.WorkstationFields.length).decode('utf-16le') buff.seek(auth.EncryptedRandomSessionKeyFields.offset, io.SEEK_SET) auth.EncryptedRandomSession = buff.read( auth.EncryptedRandomSessionKeyFields.length) buff.seek(currPos, io.SEEK_SET) return auth