def test_construct():
flags = NegotiateFlags.NEGOTIATE_56|NegotiateFlags.NEGOTIATE_KEY_EXCH|NegotiateFlags.NEGOTIATE_128|\
NegotiateFlags.NEGOTIATE_VERSION|\
NegotiateFlags.NEGOTIATE_EXTENDED_SESSIONSECURITY|\
NegotiateFlags.NEGOTIATE_ALWAYS_SIGN|NegotiateFlags.NEGOTIATE_NTLM|NegotiateFlags.NEGOTIATE_LM_KEY|\
NegotiateFlags.NEGOTIATE_SIGN|NegotiateFlags.REQUEST_TARGET|NegotiateFlags.NTLM_NEGOTIATE_OEM|NegotiateFlags.NEGOTIATE_UNICODE|\
NegotiateFlags.NEGOTIATE_OEM_WORKSTATION_SUPPLIED|NegotiateFlags.NEGOTIATE_OEM_DOMAIN_SUPPLIED
nego = NTLMNegotiate.construct(flags,
domainname="alma.com",
workstationname="testjoe",
version=Version.construct())
nego.to_bytes()
print(repr(nego))
test_reconstrut(nego.to_bytes())
flags = NegotiateFlags.NEGOTIATE_56|NegotiateFlags.NEGOTIATE_KEY_EXCH|NegotiateFlags.NEGOTIATE_128|\
NegotiateFlags.NEGOTIATE_EXTENDED_SESSIONSECURITY|\
NegotiateFlags.NEGOTIATE_ALWAYS_SIGN|NegotiateFlags.NEGOTIATE_NTLM|NegotiateFlags.NEGOTIATE_LM_KEY|\
NegotiateFlags.NEGOTIATE_SIGN|NegotiateFlags.REQUEST_TARGET|NegotiateFlags.NTLM_NEGOTIATE_OEM|NegotiateFlags.NEGOTIATE_UNICODE|\
NegotiateFlags.NEGOTIATE_OEM_WORKSTATION_SUPPLIED|NegotiateFlags.NEGOTIATE_OEM_DOMAIN_SUPPLIED
nego = NTLMNegotiate.construct(flags,
domainname="alma.com",
workstationname="testjoe2")
print(nego.to_bytes())
print(repr(nego))
test_reconstrut(nego.to_bytes())
def from_buffer(buff):
t = NTLMChallenge()
t.Signature = buff.read(8)
t.MessageType = int.from_bytes(buff.read(4),
byteorder='little',
signed=False)
t.TargetNameFields = Fields.from_buffer(buff)
t.NegotiateFlags = NegotiateFlags(
int.from_bytes(buff.read(4), byteorder='little', signed=False))
t.ServerChallenge = buff.read(8)
t.Reserved = buff.read(8)
t.TargetInfoFields = Fields.from_buffer(buff)
if t.NegotiateFlags & NegotiateFlags.NEGOTIATE_VERSION:
t.Version = Version.from_buffer(buff)
currPos = buff.tell()
t.Payload = buff.read()
if t.TargetNameFields.length != 0:
buff.seek(t.TargetNameFields.offset, io.SEEK_SET)
raw_data = buff.read(t.TargetNameFields.length)
try:
t.TargetName = raw_data.decode('utf-16le')
except UnicodeDecodeError:
# yet another cool bug.
t.TargetName = raw_data.decode('utf-8')
if t.TargetInfoFields.length != 0:
buff.seek(t.TargetInfoFields.offset, io.SEEK_SET)
raw_data = buff.read(t.TargetInfoFields.length)
t.TargetInfo = AVPairs.from_bytes(raw_data)
return t
def from_buffer(buff, _use_NTLMv2=True):
auth = NTLMAuthenticate(_use_NTLMv2)
auth.Signature = buff.read(8)
auth.MessageType = int.from_bytes(buff.read(4),
byteorder='little',
signed=False)
auth.LmChallengeResponseFields = Fields.from_buffer(buff)
auth.NtChallengeResponseFields = Fields.from_buffer(buff)
auth.DomainNameFields = Fields.from_buffer(buff)
auth.UserNameFields = Fields.from_buffer(buff)
auth.WorkstationFields = Fields.from_buffer(buff)
auth.EncryptedRandomSessionKeyFields = Fields.from_buffer(buff)
auth.NegotiateFlags = NegotiateFlags(
int.from_bytes(buff.read(4), byteorder='little', signed=False))
if auth.NegotiateFlags & NegotiateFlags.NEGOTIATE_VERSION:
auth.Version = Version.from_buffer(buff)
# TODO: I'm not sure about this condition!!! Need to test this!
if auth.NegotiateFlags & NegotiateFlags.NEGOTIATE_ALWAYS_SIGN:
auth.MIC = buff.read(16)
currPos = buff.tell()
auth.Payload = buff.read()
if auth._use_NTLMv2 and auth.NtChallengeResponseFields.length > 24:
buff.seek(auth.LmChallengeResponseFields.offset, io.SEEK_SET)
auth.LMChallenge = LMv2Response.from_buffer(buff)
buff.seek(auth.NtChallengeResponseFields.offset, io.SEEK_SET)
auth.NTChallenge = NTLMv2Response.from_buffer(buff)
else:
buff.seek(auth.LmChallengeResponseFields.offset, io.SEEK_SET)
auth.LMChallenge = LMResponse.from_buffer(buff)
buff.seek(auth.NtChallengeResponseFields.offset, io.SEEK_SET)
auth.NTChallenge = NTLMv1Response.from_buffer(buff)
buff.seek(auth.DomainNameFields.offset, io.SEEK_SET)
auth.DomainName = buff.read(
auth.DomainNameFields.length).decode('utf-16le')
buff.seek(auth.UserNameFields.offset, io.SEEK_SET)
auth.UserName = buff.read(
auth.UserNameFields.length).decode('utf-16le')
buff.seek(auth.WorkstationFields.offset, io.SEEK_SET)
auth.Workstation = buff.read(
auth.WorkstationFields.length).decode('utf-16le')
buff.seek(auth.EncryptedRandomSessionKeyFields.offset, io.SEEK_SET)
auth.EncryptedRandomSession = buff.read(
auth.EncryptedRandomSessionKeyFields.length)
buff.seek(currPos, io.SEEK_SET)
return auth
def from_buffer(buff):
t = NTLMNegotiate()
t.Signature = buff.read(8)
t.MessageType = int.from_bytes(buff.read(4),
byteorder='little',
signed=False)
t.NegotiateFlags = NegotiateFlags(
int.from_bytes(buff.read(4), byteorder='little', signed=False))
t.DomainNameFields = Fields.from_buffer(buff)
t.WorkstationFields = Fields.from_buffer(buff)
if t.NegotiateFlags & NegotiateFlags.NEGOTIATE_VERSION:
t.Version = Version.from_buffer(buff)
currPos = buff.tell()
t.Payload = buff.read()
#currPos = buff.tell()
if t.DomainNameFields.length != 0:
buff.seek(t.DomainNameFields.offset, io.SEEK_SET)
raw_data = buff.read(t.WorkstationFields.length)
#print(raw_data)
#print(t.DomainNameFields.length)
try:
t.Domain = raw_data.decode('utf-16le')
except UnicodeDecodeError:
# yet another cool bug.
t.Domain = raw_data.decode('utf-8')
if t.WorkstationFields.length != 0:
buff.seek(t.WorkstationFields.offset, io.SEEK_SET)
raw_data = buff.read(t.WorkstationFields.length)
try:
t.Workstation = raw_data.decode('utf-16le')
except UnicodeDecodeError:
# yet another cool bug.
t.Workstation = raw_data.decode('utf-8')
#buff.seek(currPos, io.SEEK_SET)
return t
from msldap.authentication.ntlm.structures.fields import Fields
from msldap.authentication.ntlm.structures.negotiate_flags import NegotiateFlags
from msldap.authentication.ntlm.structures.version import Version
from msldap.authentication.ntlm.structures.avpair import AVPairs, AVPAIRType
NTLMServerTemplates = {
"Windows2003": {
'flags':
NegotiateFlags.NEGOTIATE_56 | NegotiateFlags.NEGOTIATE_128
| NegotiateFlags.NEGOTIATE_VERSION
| NegotiateFlags.NEGOTIATE_TARGET_INFO
| NegotiateFlags.NEGOTIATE_EXTENDED_SESSIONSECURITY
| NegotiateFlags.TARGET_TYPE_DOMAIN | NegotiateFlags.NEGOTIATE_NTLM
| NegotiateFlags.REQUEST_TARGET | NegotiateFlags.NEGOTIATE_UNICODE,
'version':
Version.from_bytes(b"\x05\x02\xce\x0e\x00\x00\x00\x0f"),
'targetinfo':
AVPairs({
AVPAIRType.MsvAvNbDomainName: 'SMB',
AVPAIRType.MsvAvNbComputerName: 'SMB-TOOLKIT',
AVPAIRType.MsvAvDnsDomainName: 'smb.local',
AVPAIRType.MsvAvDnsComputerName: 'server2003.smb.local',
AVPAIRType.MsvAvDnsTreeName: 'smb.local',
}),
'targetname':
'SMB',
},
}
from msldap.authentication.ntlm.structures.fields import Fields
from msldap.authentication.ntlm.structures.negotiate_flags import NegotiateFlags
from msldap.authentication.ntlm.structures.version import Version, WindowsMajorVersion, WindowsMinorVersion
# LDAP doesnt seem to support sign-only. either no seal nor sign nor always_sign OR include seal.
NTLMClientTemplates = {
"Windows10_15063": {
'flags':
NegotiateFlags.NEGOTIATE_KEY_EXCH | NegotiateFlags.NEGOTIATE_128
| NegotiateFlags.NEGOTIATE_VERSION
| NegotiateFlags.NEGOTIATE_EXTENDED_SESSIONSECURITY
| NegotiateFlags.NEGOTIATE_NTLM | NegotiateFlags.REQUEST_TARGET
| NegotiateFlags.NEGOTIATE_UNICODE,
'version':
Version.construct(WindowsMajorVersion.WINDOWS_MAJOR_VERSION_10,
minor=WindowsMinorVersion.WINDOWS_MINOR_VERSION_0,
build=15063),
'domain_name':
None,
'workstation_name':
None,
'ntlm_downgrade':
False,
},
"Windows10_15063_channel": {
'flags':
NegotiateFlags.NEGOTIATE_KEY_EXCH | NegotiateFlags.NEGOTIATE_128
| NegotiateFlags.NEGOTIATE_VERSION
| NegotiateFlags.NEGOTIATE_EXTENDED_SESSIONSECURITY
| NegotiateFlags.NEGOTIATE_ALWAYS_SIGN | NegotiateFlags.NEGOTIATE_NTLM
| NegotiateFlags.NEGOTIATE_SIGN | NegotiateFlags.NEGOTIATE_SEAL