h xdZddlZddlZddlZddlZddlmZddlmZddl m Z ddl m Z m Z mZmZddlmZddlmZdd lmZdd lmZmZmZmZmZmZmZmZmZm Z m!Z!m"Z"m#Z#m$Z$m%Z%m&Z&m'Z'm(Z(m)Z)m*Z*m+Z+m,Z,m-Z-dd l.m/Z/dd l0m1Z1dd l2m3Z3m4Z4m5Z5m6Z6m7Z7m8Z8m9Z9m:Z:ddl;mZ>m?Z?m@Z@mAZAddlBmCZCmDZDddlEmFZFGdde-e>e@eGeZdd?Zed@ZfGdAdBe/ZgePe9dC<ege:dC<dNdDZhdEZidFZjdGZkdHZldIZmdJZndKZoGdLdMe8ZpdS)Oz NTLM This is documented in [MS-NLMP] .. note:: You will find more complete documentation for this layer over at `GSSAPI `_ N)IntEnum) ASN1_Codecs)conf) ASN1F_OIDASN1F_PRINTABLE_STRINGASN1F_SEQUENCEASN1F_SEQUENCE_OF) ASN1_Packet) bytes_base64) log_runtime) ByteEnumField ByteFieldConditionalFieldField FieldLenField FlagsFieldLEIntEnumField LEIntFieldLEShortEnumField LEShortFieldLEThreeBytesFieldMultipleTypeField PacketFieldPacketListFieldStrField StrFieldUtf16StrFixedLenFieldStrLenFieldUtf16 UTCTimeField XStrFieldXStrFixedLenField XStrLenField _StrField)Packet) StringBuffer) GSS_C_FLAGSGSS_S_COMPLETEGSS_S_CONTINUE_NEEDEDGSS_S_DEFECTIVE_CREDENTIALGSS_S_DEFECTIVE_TOKENSSP _GSSAPI_OIDS_GSSAPI_SIGNATURE_OIDS)AnyCallableListOptionalTupleUnion)Hash_MD4Hash_MD5)Hmac_MD5c`eZdZdZgdZdZ dfd ZdZdZd Z d Z d Z d Z d Z xZS)_NTLMPayloadFieldzeSpecial field used to dissect NTLM payloads. This isn't trivial because the offsets are variable.)fields fields_mapoffset length_from force_order offset_nameTN BufferOffsetc||_||_d|D|_||_||_||_t t||d|DdS)Nci|] }|j| Sname.0fields U/mounts/lovelace/software/anaconda3/lib/python3.11/site-packages/scapy/layers/ntlm.py z._NTLMPayloadField.__init__..wsAAA5:uAAAc8g|]}|j |j|jfSN)defaultrDrEs rH z._NTLMPayloadField.__init__..}s3   =,U]+,,,rJ) r;r9r:r<r=r>superr8__init__)selfrDr;r9r<r=r> __class__s rHrPz_NTLMPayloadField.__init__ks  AA&AAA&&& &&//   #        rJc|r|sgSg}|D]\}}||jvrt|j|ts:t|ts%t |j||||}|||f|SrL)r: isinstancerr$getattrappend)rQpktxfuncresults field_namevalues rH _on_payloadz_NTLMPayloadField._on_payloads ! I!" 0 0 J00 +_ O // OC ;TBB3NN NNJ. / / / /rJc0|||dS)Ni2hr]rQrWrXs rHr_z_NTLMPayloadField.i2hQ...rJc0|||dS)Nh2ir`ras rHrdz_NTLMPayloadField.h2irbrJcJt|||dS)Ni2repr)reprr]ras rHrfz_NTLMPayloadField.i2reprs"D$$S!X66777rJcbt|jr||S|jSrL)callabler;)rQrWs rH_o_pktz_NTLMPayloadField._o_pkts. DK  $;;s## #{rJc t}||d|t|z }jr|fd|D]\}}|jvrj|}||jz} | t|} nF| |z} | dzt|z } | dkr&|| dzt||| |t||t|d| dzt|S)NcDj|dSNr)r=index)rXrQs rHz,_NTLMPayloadField.addfield..s4#3#9#9!A$#?#?rJkeyr) r%rVrjlenr=sortr: getfieldvalr>addfieldbytes) rQrWsvalbufr_offr[r\rGr;pads ` rHrwz_NTLMPayloadField.addfieldsXnn 1a C  3q66)   A HH????H @ @ @!$ W W J00OJ/E__Z$2B%BCCF~S%qj3s88+77JJsW}c#hh777 JJu~~c5::u==c#hhjjI6TU: V V V VSzzrJc R jd|}}n)}||d|d|}}r|s|gfSg}d} fdjD}tjD]\} } ||  | jdz} n]#t $rPt| z } t| t fd|D} n#t$rYnwxYwYnwxYw dkrt | z|}| | zrB| | j| | | zdf|||dz }| d|d |DfS) NrJrcZg|]'}|jjzz (SrB)rvrDr>)rFrXo_pktrWrQs rHrNz._NTLMPayloadField.getfield..sA   CDCOOAFT%55 6 6 >   rJLenc3.K|]}|k|z VdSrLrB)rFrXr;s rH z-_NTLMPayloadField.getfield..s,,W,WAAPVJJQZJJJJ,W,WrJrlc|dSrnrBrXs rHrpz,_NTLMPayloadField.getfield..s 1Q4rJrqc"g|] }|dd S)rlNrBrFrXs rHrNz._NTLMPayloadField.getfield..s ,,,qQqrrU,,,rJ)r<rjr9 enumeratervrDAttributeErrorrtmin ValueErrormaxrVgetfieldru)rQrWryretremainlen_pktrZ max_offsetoffsetsirGlengthrr;s`` @@rHrz_NTLMPayloadField.getfields8   #qCC&&s++GGHH+q'{C & b5L  C        HL    "$+..  HAuQZF e);<<!   Vv- ,W,W,W,W,W,W,W)W)WXXFF!D  zzVf_j99Jfv./  sF6FVO3K,LMMaP vjkk""  (((,,G,,,,,s6B00D  )C76D 7 DD DD  D )NNr?)__name__ __module__ __qualname____doc__ __slots__islistrPr]r_rdrfrjrwr __classcell__rRs@rHr8r8]s<<IF"      2   //////888 6'-'-'-'-'-'-'-rJr8cLeZdZdZ d fd ZfdZfdZfdZxZS) _NTLMPayloadPacketPayloadrJNrc r fdtD}ttjd|||||dt fdjD fd|D}|D]\} } | | dS)Nc~i|]8tfdjD"9S)c3.K|]}|jkVdSrLrC)rFfks rHrz9_NTLMPayloadPacket.__init__...s)==qqAF{======rJ)any fields_descpop)rFrr9rQs @rHrIz/_NTLMPayloadPacket.__init__..s\   ====D,<===== vzz!}}   rJ)_pktpost_transform _internal _underlayer_parentc3ZK|]%}|jjkd|jDV&dS)cg|] }|j SrBrC)rFys rHrNz9_NTLMPayloadPacket.__init__...s & & &QV & & &rJN)rD_NTLM_PAYLOAD_FIELD_NAMEr9)rFrXrQs rHrz._NTLMPayloadPacket.__init__..sO  v666 ' &QX & & &6666  rJc$i|] \}}|v || SrBrB)rFrv local_fieldss rHrIz/_NTLMPayloadPacket.__init__.. s)QQQDAqqL?P?P1a?P?P?PrJrB)listrOrrPnextritems setfieldval) rQrrrrrr9unknownimplicit_fieldsrr\rrRs ` ` @rHrPz_NTLMPayloadPacket.__init__s      &\\    1 $''0 )#           %     RQQQGMMOOQQQ'--// ' 'HAu   Q & & & & ' 'rJc@ tt|S#t$rg t fdtt||jDcYS#t $rtwxYwwxYw)Nc3@K|]}|dk|dVdSrrlNrBrFrXattrs rHrz1_NTLMPayloadPacket.getfieldval..sAtt|| aD$||| rJ)rOrrvrrr StopIteration)rQrrRs `rHrvz_NTLMPayloadPacket.getfieldvals ++T22>>tDD D + + + +"#5t<<HH5! + + +$T*** + +s!', BAA?<B?BBc  tt|S#t$r||jj} |||tfdtt| |jDfcYS#ttf$rtwxYwwxYw)Nc3@K|]}|dk|dVdSrrBrs rHrz6_NTLMPayloadPacket.getfield_and_val..)sA ! !tt|| aD ,||| rJ) rOrgetfield_and_valr get_fieldrr:rdr __getattr__rKeyError)rQr PayFieldsrRs ` rHrz#_NTLMPayloadPacket.getfield_and_vals '+T22CCDII I ' ' 't'DEEPI 'dOdO''%*+=t%D%D%P%P $ =&&      "8, ' ' ' &&& '! 's"',)C%A'C=C%!C!!C%c  tt||S#t$rtt||j}||jjvrt |tfdttt||jDn#t$rYnwxYw| |gtt||j|YdSwxYw)Nc3:K|]\}}|dk|VdSrNrB)rFrrXrs rHrz1_NTLMPayloadPacket.setfieldval..AsA Aq Q44<<  (<<<rJ) rOrrrrrrr:rrrrrV)rQrrzrrRs ` rHrz_NTLMPayloadPacket.setfieldval5s +T22>>tSII I   .55AA-G4>>$*GHHSSS$T***  $-!"4d;;GG $ =%%    !     NND#; ' ' ' $d + + 7 7-w      + s6(-A(EA&C=<E= D E D  AEE)rJNrNN) rrrrrPrvrrrrs@rHrrs( ''''''B+++++ '''''.rJrc"eZdZdZdZdZdZdZdS) _NTLM_ENUMrliN)rrrLENMAXLENOFFSETCOUNTPAD8rBrJrHrrSs' C F F E DDDrJrrMaxLenr?c |j|jD]q\}}||jj|}|||}|||} ||} d} d} |D]\} }t |tr||}|tj zr|}n=|tj zr|}n+|tj zr|}n|tj zr| }nt|tjzr || dzz }||| zj}||| z@|d| | zt#jd| |z|z|| | z|zdz}| |z } ||z }s|S)z:Util function to build the offset and populate the lengthsrcdddd|S)NHIQ)rrrrB)rs rHrpz"_NTLM_post_build..js###..q1rJrNz<%s)r9rrr:i2leni2countrTdictrrrrrrrszrvstructpack)rQp pay_offsetr9configr[r\fldrcountr;rrfnameftypefvalrs rH_NTLM_post_buildrbs![)FG EnnT:;;FzR4'' D%(( #  1 1"  LE5%&& *j)z~% !** !!** !)) !  z& $$! # U 2336B U 233;l lOk%!!B%%-667 R))*+ GAAf HrJc heZdZdZedddedddd d d gZedd Zd S) NTLM_Headerz NTLM Header SignaturesNTLMSSPrr MessageTypeNEGOTIATE_MESSAGECHALLENGE_MESSAGEAUTHENTICATE_MESSAGE)rlrrNc|r]t|dkrJtjd|ddd}|dkrtS|dkrtS|dkrt S|S)N .s C.@rJ)rrr)rDrMs rH _NTLMStrFieldr#sB dG,,@@  w  rJc eZdZeddeddeddeddeddddigZd S) _NTLM_VersionProductMajorVersionrProductMinorVersion ProductBuildres_verNTLMRevisionCurrentv15N)rrrrrrr rrBrJrHr%r%sj '++ '++ ^Q'')Q'' +TD%=AA KKKrJr%c 4eZdZdZdZdZeedddee dde d de d de d de d de d dgde j Dze deeddeddggzZ dZdS)rzNTLM Negotiaterlc$|jpddkrdpdS)N( DomainNameBufferOffsetr"s rHrpzNTLM_NEGOTIATE.C6<"BJPbrJr!r DomainNameLenNDomainNameMaxLenr2WorkstationNameLenWorkstationNameMaxLenWorkstationNameBufferOffsetc6g|]tfdS)c|jdn|jpt|jpddkp|jjdS)Nr/rJr0)r2rtoriginalr9getrDrWrXs rHrpz"NTLM_NEGOTIATE..sX5= 7S3s|?Rs;S;S /:>>!&#..rJrrs @rHrNzNTLM_NEGOTIATE.sL    ////     rJr DomainNamerJWorkstationNamecVt|||ddd|zS)N)r@rArrrQrWpays rH post_buildzNTLM_NEGOTIATE.post_buildsA  "$')     rJ)rrrrDrrrr_negotiateFlagsrrr%rr8r#rHrBrJrHrrs$ DK Q QF  J'C A A L$ / / L+T 2 2 J/ 6 6 L-t 4 4 L0$ 7 7 J4d ; ;   #.    >  !M,44!M"3S99   ;' V      rJrcxeZdZeddeddeddded dd gZd Zd S) Single_Host_DataSize0Z4r CustomDatarJrr MachineIDr0ctjSrLr padding_layerrQpayloads rHdefault_payload_classz&Single_Host_Data.default_payload_class1 !!rJNrrrrr!rrVrBrJrHrKrK)sr 62 4,A666+s2666 K"""""rJrKc6eZdZdZedddddddd d d d d dd eddddeedddddddfeddgddddfe de e d fe dd!d"#d$fge dd!d%#gZ d&ZdS)'AV_PAIRz NTLM AV PairAvIdrMsvAvEOLMsvAvNbComputerNameMsvAvNbDomainNameMsvAvDnsComputerNameMsvAvDnsDomainNameMsvAvDnsTreeName MsvAvFlagsMsvAvTimestampMsvAvSingleHostMsvAvTargetNameMsvAvChannelBindings) rrlrrrr rAvLenNValuer) length_offmtrl constrained MIC integrityzSPN from untrusted source)rlrrc|jdkS)Nrhr[r"s rHrpzAV_PAIR.V F 2rJiArlrlrrrcA`rsrJc|jdkS)Nrrrr"s rHrpzAV_PAIR.drsrJrJc|jSrLrkr"s rHrpzAV_PAIR.gssyrJ)r<c|jdkS)Nrrrr"s rHrpzAV_PAIR.hrsrJc|jSrLr|r"s rHrpzAV_PAIR.ks39rJctjSrLrRrTs rHrVzAV_PAIR.default_payload_classorWrJ)rrrrDrrrrrrrKr"rrrVrBrJrHrZrZ5sx D  "-+.,*$()).    "  gtwDAAA#N$1$3$?32 !L333'* 32  K)9)9););=MNN22 !L#;P;PQQQ227 @  Wc7L7L M M MC" " '6Kp"""""rJrZc eZdZdZdZdZeeddeddedde dd d e e d dd e ddd eddeddeddg de j DzedeeddedegeggzZ dZdZdS)rzNTLM Challengerc$|jpddkrdpdS)N8rM)TargetInfoBufferOffsetr"s rHrpzNTLM_CHALLENGE.vr3rJ TargetNameLenNTargetNameMaxLenTargetNameBufferOffsetr!rr4ServerChallengerrReserved TargetInfoLenTargetInfoMaxLenrc6g|]tfdS)c^|jpddkp|jjdS)Nrr/rJ)rr9r=rDr>s rHrpz"NTLM_CHALLENGE..1c8>B"D/:>>!&#..rJr?rs @rHrNzNTLM_CHALLENGE.sL  ////   rJr TargetNamerJ TargetInfoc~ tfd|jDS#ttf$rtwxYw)Nc32K|]}|jk |VdSrLrrrFrXr[s rHrz'NTLM_CHALLENGE.getAv..s)EEaafnnnnnnEErJ)rrrr IndexErrorrQr[s `rHgetAvzNTLM_CHALLENGE.getAvsS EEEE4?EEEEE E~.     s#<cVt|||ddd|zS)N r/)rrrErFs rHrHzNTLM_CHALLENGE.post_buildsA  "$"$     rJ)rrrrDrrrrrrrIr!r%rr8r#rrZrrHrBrJrHrrssf DK Q QF  L$ / / L+T 2 2 J/ 6 6 J'C A A  /a @ @ @  j$q 9 9 9 L$ / / L+T 2 2 J/ 6 6  #.  6  !M,44#OL7799+wGG   3# N      rJrc,eZdZedddgZdS) LM_RESPONSEResponserJrDrNrrrrrrBrJrHrr*S444KKKrJrcFeZdZedddedddgZdS) LMv2_RESPONSErrJrCrChallengeFromClientrNrrBrJrHrrs@S444.A>>>KKKrJrc,eZdZedddgZdS) NTLM_RESPONSErrJrDrNrrBrJrHrrrrJrc eZdZeddeddeddeddeddd gd d ed ddeddede ge gZ dZ dS)NTLMv2_CLIENT_CHALLENGERespTyperl HiRespType Reserved1r Reserved2 TimeStampNrvrtru)rnrwrxrs12345678rr Reserved3AvPairscp tfd|jDS#t$rtwxYw)Nc32K|]}|jk |VdSrLrrrs rHrz0NTLMv2_CLIENT_CHALLENGE.getAv..s)BBa16T>>>>>>BBrJ)rrrrrs `rHrzNTLMv2_CLIENT_CHALLENGE.getAvsN BBBB4<BBBBB B     s#5) rrrrrrrrrrZrrrBrJrHrrs *a   ,"" [!$$ ;"" 4/D/D/DUX    . AFFF ;"" GGII;88 KrJrc4eZdZedddegZdZdS)NTLMv2_RESPONSE NTProofStrrJrCrc d}d}dd|jD}d||dtjd|j|jd|g}t |||zS)a2 Set temp to ConcatenationOf(Responserversion, HiResponserversion, Z(6), Time, ClientChallenge, Z(4), ServerName, Z(4)) Set NTProofStr to HMAC_MD5(ResponseKeyNT, ConcatenationOf(CHALLENGE_MESSAGE.ServerChallenge,temp)) Remember ServerName = AvPairs rJc34K|]}t|VdSrL)rxrs rHrz4NTLMv2_RESPONSE.computeNTProofStr..s(==1eAhh======rJsrvs)joinrrrrrHMAC_MD5)rQ ResponseKeyNTrResponserversionHiResponserversion ServerNametemps rHcomputeNTProofStrz!NTLMv2_RESPONSE.computeNTProofStrs#$XX== ===== xx " D$.11(     '=>>>rJN)rrrr!rrrrBrJrHrrsB,B777K ?????rJrcveZdZdZdZdZdZeeddedde dded ded de d ded ded de ddeddedde ddeddedde ddeddedde dde ddde gde j Dzeedddd ed!eeed"eed#fged"eeeed$eed%fged$eeed&ded'ded(ded)dggzZ d*Zd+ZdS),NTLM_AUTHENTICATEzNTLM AuthenticaterrlcB|jpddkrdp|jpddkrdpdS)NX@Hr1r"s rHrpzNTLM_AUTHENTICATE.s? $ *r 1   D(.B" 4 <" BrJLmChallengeResponseLenNLmChallengeResponseMaxLenLmChallengeResponseBufferOffsetNtChallengeResponseLenNtChallengeResponseMaxLenNtChallengeResponseBufferOffsetr5r6r2 UserNameLenUserNameMaxLenUserNameBufferOffsetWorkstationLenWorkstationMaxLenWorkstationBufferOffsetEncryptedRandomSessionKeyLenEncryptedRandomSessionKeyMaxLen%EncryptedRandomSessionKeyBufferOffsetr!rr4c6g|]tfdS)c^|jpddkp|jjdS)NrrrJ)r2r9r=rDr>s rHrpz%NTLM_AUTHENTICATE..-rrJr?rs @rHrNzNTLM_AUTHENTICATE.)sL    ////     rJMICrJrCrcR|jpddkp|jddS)NrrrrJ)r2r9r=r"s rHrpzNTLM_AUTHENTICATE.7s.c8>B"D.:>>%--rJrLmChallengeResponsec|jdkSNr NTLM_VERSIONr"s rHrpzNTLM_AUTHENTICATE.GC,<,ArJNtChallengeResponsec|jdkSrrr"s rHrpzNTLM_AUTHENTICATE.TrrJr@UserName WorkstationEncryptedRandomSessionKeyc ^t|||ddddddd|zS)Nr$,4)rrr@rrrrErFs rHrHzNTLM_AUTHENTICATE.post_builddsM  +-+-"$ "#%13     rJcd|_t|t|t|zt|z|_dS)N)rrrx)rQExportedSessionKey negotiate challenges rH compute_miczNTLM_AUTHENTICATE.compute_micwsC i 0 053C3C CeDkk Q  rJ)rrrrDrrrrrrrrIr%rrr!r8rrrrrrr#r rHrrBrJrHrrs DKLF  L14 8 8 L4d ; ; J8$ ? ? L14 8 8 L4d ; ; J8$ ? ? L$ / / L+T 2 2 J/ 6 6 L - - L)4 0 0 J-t 4 4 L)4 0 0 L,d 3 3 J0$ 7 7 L7 > > L:D A A J> E E J'C A A7 <  #.   =& R  !!%R888..    %%!, $9$1MOO$1!"!" !B A  $ $9;;==+VV  &%!, $9$3O$5$5$3!"!" !B A  $ 1==??M"M,44!M*c22!M-55I93??A!% % / OV t   &     rJrceZdZdZdS)rrN)rrrrrBrJrHrr~sLLLrJrc t|tsJddlm}m}||dt t |zz S)zCCreate an HTTP NTLM negotiate packet from an NTLM_NEGOTIATE messager)HTTP HTTPRequestsNTLM ) Authorization)rTrscapy.layers.httprrr rx)ntlm_negotiaterrs rHHTTP_ntlm_negotiatersn nn 5 555533333333 466KKeN.C.C!D!DD rJc eZdZejZeeeeddeddddZ dS)NEGOEX_EXCHANGE_NTLM_ITEMoidtoken1) explicit_tagN) rrrrBER ASN1_codecrrr ASN1_rootrBrJrHrrsuJ N %$$&&w33!          IIIrJrc beZdZdZejZeeedge dZ dS)NEGOEX_EXCHANGE_NTLMz[ GSSAPI NegoEX Exchange metadata blob This was reversed and may be meaningless r) implicit_tagN) rrrrrrrrr rrrBrJrHrrs\ J  gr+D E ETX   IIIrJrcHt||S)Nrq)r6digest)rrdatas rHrrs!     # #D ) ))rJcjt|dS)z/ MD4 over a string encoded as utf-16le utf-16le)r4rencoders rHMD4lers( ::  QXXj11 2 22rJcddlm}m} ddlm}n#t$r|}YnwxYw||}||d}|}|S)z Alleged RC4rCipher algorithmsr Nmode)&cryptography.hazmat.primitives.ciphersr r $cryptography.hazmat.decrepit.ciphers ImportErrorARC4 encryptor)rrr r decrepit_algorithms algorithmcipherrs rHRC4InitrsIIIIIIII)        )))()$((--I VID ) ) )F  ""I    c,||S)zThe RC4 Encryption Algorithm)update)handlers rHRC4rs ==  rJcddlm}m} ddlm}n#t$r|}YnwxYw||}||d}|}|||zS)zXIndicates the encryption of data item D with the key K using the RC4 algorithm. rr r Nr) rr r rrrrrfinalize)rrrr r rrrrs rHRC4Kr sJIIIIIII)        )))()$((--I VID ) ) )F  ""I   D ! !I$6$6$8$8 88rc^eZdZeddedddeddgZd Zd S) NTLMSSP_MESSAGE_SIGNATUREVersionrlChecksumrJrrSeqNumrctjSrLrRrTs rHrVz/NTLMSSP_MESSAGE_SIGNATURE.default_payload_classrWrJNrXrBrJrHr"r"s_  9j))*c!444 8Z((K """""rJr"1.3.6.1.4.1.311.2.2.10c|t|}t|||zdS)a Computes the ResponseKeyNT (per [MS-NLMP] sect 3.3.2) :param Passwd: the plain password :param User: the username :param UserDom: the domain name :param HashNt: (out of spec) if you have the HashNt, use this and set Passwd to None Nr)rrupperr)PasswdUserUserDomHashNts rHNTOWFv2r.s?~v FTZZ\\G3;;JGG H HHrJc"t||SrL)r)rrs rHNTLMv2_ComputeSessionBaseKeyr0 s M: . ..rJct|tjd||zdd}|rt||}t d||S)Nz.local) :param COMPUTER_NB_NAME: the server Netbios name (default: SRV) :param COMPUTER_FQDN: the server FQDN (default: .) :param IDENTITIES: a dict {"username": } Setting this value enables signature computation and authenticates inbound users. r'rceZdZdZdZdZdZdS) NTLMSSP.STATErlrrrN)rrrINIT CLI_SENT_NEGO CLI_SENT_AUTH SRV_SENT_CHALrBrJrHSTATErOs"   rJrTc4eZdZgdZdfd ZdZdZxZS)NTLMSSP.CONTEXT) SessionKeyr IsAcceptor SendSignKey SendSealKey RecvSignKey RecvSealKeySendSealHandleRecvSealHandle SendSeqNum RecvSeqNumneg_tok chall_tokServerHostnameNcTtjj|_d|_d|_d|_d|_d|_d|_ d|_ d|_ d|_ d|_ d|_d|_d|_||_t%tj||dS)Nr req_flags)rMrTrPstaterWrrYrZr]r[r\r^r_r`rarbrcrXrOCONTEXTrP)rQrXrfrRs rHrPzNTLMSSP.CONTEXT.__init__s +DJ"DO&*D ##D #D "&D #D #D "&D DODODL!DN"&D (DO '/4 ( ( 1 1I 1 F F F F FrJcH||j|jdS)Nre)rPrXflagsrQs rH clifailurezNTLMSSP.CONTEXT.clifailures" MM$/TZM @ @ @ @ @rJcdS)NrMrBrks rH__repr__zNTLMSSP.CONTEXT.__repr__s9rJrL)rrrrrPrlrnrrs@rHrhrVsu   " G G G G G G$ A A A       rJrhNTDOMAINSRVFc  ||_||t|}||_||_||_||_|p|jdz|_||_| p#|jdz|jz|_ | |_ | |_ | |_ tt|jdi| dS)Nz.local.rB)UPNrHASHNTUSE_MIC NTLM_VALUESDOMAIN_NB_NAMElower DOMAIN_FQDNCOMPUTER_NB_NAME COMPUTER_FQDN IDENTITIESDO_NOT_CHECK_LOGINSERVER_CHALLENGErOrMrP)rQrsrtPASSWORDrurvrwryrzr{r|r}r~kwargsrRs rHrPzNTLMSSP.__init__s  >h28__F  &,&R4+>+D+D+F+F+Q 0*  ! ' ' ) )C /$2B B %"4 0%gt%///////rJContextcdS)NrrBrQrs rH LegsAmountzNTLMSSP.LegsAmountsqrJrcdd|D}t|j|j|j|}|xjdz c_|S)z& [MS-NLMP] sect 3.4.8 rJc32K|]}|j |jVdSrLsignrrs rHrz'NTLMSSP.GSS_GetMICEx..+99Q!&9!&999999rJrl)rr6r]rYr_)rQrmsgsqop_reqToSignsigs rH GSS_GetMICExzNTLMSSP.GSS_GetMICExsc 99$99999  "         a rJc|j|_dd|D}t|j|j|j|}|j|jkrtddS)z& [MS-NLMP] sect 3.4.9 rJc32K|]}|j |jVdSrLrrs rHrz*NTLMSSP.GSS_VerifyMICEx..rrJzERROR: Checksums don't matchN)r%r`rr6r^r[r$r)rQrrr<rrs rHGSS_VerifyMICExzNTLMSSP.GSS_VerifyMICEx s|'-99$99999  "         <9- - -;<< < . -rJctj|}|D](}|jrt|j|j|_)||||}||fS)z& [MS-NLMP] sect 3.4.6 )r)copydeepcopy conf_req_flagrr]rr)rQrrrmsgs_cpymsgrs rH GSS_WrapExzNTLMSSP.GSS_WrapExsq=&& A AC  Aw5sx@@7CC    rJc|D](}|jrt|j|j|_)|||||S)z& [MS-NLMP] sect 3.4.7 )rrr^rr)rQrrr<rs rH GSS_UnwrapExzNTLMSSP.GSS_UnwrapEx+sU  A AC  Aw5sx@@ WdI666 rJc.|jsdS|r|jsdSdS)NFT)rurWrs rHcanMechListMICzNTLMSSP.canMechListMIC7s/| 5 g0 5trJc|j}t|j|_ tt|||||_S#||_wxYwrL)r]rrZrOrMgetMechListMIC)rQrinputOriginalHandlerRs rHrzNTLMSSP.getMechListMICBsa !/!()t|j| d'|_@t|j@|_Bt{|j| d(|_Ct|j| d(|_Dt|jD|_E|jjF|_||tfS|j|jjFkr|rt}nt}|d|fSt%d)t|jz)*NFre+) rrrrrrrrrrrrrrriaJ)r!r&r'r(zNMust provide a 'UPN' and a 'HASHNT' or 'PASSWORD' when running in standalone !z2NTLMSSP: Unexpected token. Expected NTLM Challenge) _parse_upnrz1No realm specified in UPN, nor provided by serverrlWINr)rri!l rurbrpr[rlrdr0)rPrfrrezhost/r\rrr-rCrBrCNTLMSSP: unexpected state %s)JrhrgrTrPrrrjr&GSS_C_INTEG_FLAGGSS_C_CONF_FLAGrvsetattrrarWrQr(rsrtrrr debugr*rr!rrscapy.layers.kerberosrrrrlr@rwarningrwrrrcrosurandomrrinttimerrurZrKrr.rrrr0rr rrrrGrYrKrZrr]r[r\r^rRr'r)rg)rQrrzrftokrrrbrrealmcrrSessionBaseKeyKeyExchangeKeyrstatuss rHGSS_Init_sec_contextzNTLMSSP.GSS_Init_sec_contextZs ?ll5Il>>G =DJO + +!"xx    #=&7+:UUW 0  %0#=;+GG , 3>#=;+FF , A!# # H%'$%"O(((CR AAAC d...S$*:3*?@@@!GO!%G  J4GMC!66 6 ]dj6 6 6Ix4;#6 . <i ? ?!"VWWW&;;;&(7$&$%" C '4ooC # 8 8 8 8 8 8 5&0j&:&:# ee 5 5 5&*h# eee 5}B%.__V%<%<%BCNN!BBB'K&*%8%?%?%A%ACNNN B "' (;D??<<'"8"8 ( ( ("' (+:$&JqMM,,, B( F(v66<  F F F"DIKK+$=#DEE  F$SbS) |\III ..BHHH!7|LLL!2'CO:STTT,,, J& AAAC d...S$*:3*?@@@# { M00)BM :-WWN+N': 4%'Z^^"04"&11-- &4"| P 2GOYOOO);G &!(!;G ")"$6##G #*"$6##G &-W-@%A%AG "")"$6##G #*"$6##G &-W-@%A%AG " J4GMC/ / ]dj6 6 6 (3'D&( (;d7=>Q>QQRR RsHF55GGG77.jsCCCq1617CCCrJc g|]]\}}|jvs|vrKj|d-t|j||^S)TNr)rvr=rZ)rFrrXavpairsrQs rHrNz2NTLMSSP.GSS_Accept_sec_context..ks"""Ad...ALL(,,Q55A$*:*>*>q'!**M*MNNNBAArJ))rNetbiosDomainName)rlNetbiosComputerName)r DnsDomainName)rDnsComputerName)rg DnsTreeName)rhFlags)ri Timestamprz8NTLMSSP: Unexpected token. Expected NTLM Authenticate v2rrCrBr)7rhrgrTrPrr rr*rrr~rrrr!rrrZrzrwr{ryrvrrrbrSr(rr}r'_getSessionBaseKeyrrrr rrWrGrYrKrZrr]r[r\r^ _checkLoginrjr&rrr)rrg) rQrrznego_tok currentTimerrrauth_tokrrrrrs ` @rHGSS_Accept_sec_contextzNTLMSSP.GSS_Accept_sec_contexts ?lldal@@G =DJO + +H <~X==!"VWWW&;;;9;;4;K $ 5 FA"xx   $2A )**!($2A )**+  2%'$%&$$$2GHHH#$2EFFF#$2DEEE#$2BCCC#$2BCCC#+>>>#OOO;333Ch AACd...S$*:3*?@@@CCCNCCC""""" #"""!$G  J4GMC!66 6 ]dj6 6 6H <38CC!N&;;;& 5n44!44WhGGN @!/*= 8#@W5A114<4V1)-&(A**&&*8&-?*%,%?"! 9&-+-?''#'.+-?''#*11D)E)E&&-+-?''#'.+-?''#*11D)E)E&##GX669.=F )EE .=E )DD "D.88!%G  JOGMD"<< <;d7=>Q>QQRR RrJcdS)z Returns the Maximum Signature length. This will be used in auth_len in DceRpc5, and is necessary for PFC_SUPPORT_HEADER_SIGN to work properly. rCrBrs rHMaximumSignatureLengthzNTLMSSP.MaximumSignatureLengths rrJc||d}d|_|j|jjkrI|r t |vrt jddtfS||_ |jj |_|tfS|j|jj krI|r t|vrt jddtfS||_ |jj|_|tfS|j|jjkrv|r t|vrt jddtfS|||\}}}|t"krt jd|jj|_||fSt'dt)|jz)NTz NTLMSSP: Expected NTLM Negotiatez NTLMSSP: Expected NTLM Challengez#NTLMSSP: Expected NTLM AuthenticatezNTLMSSP: auth failed.r)rhpassivergrTrPrr rr*rarQr(rrbrSrrr'inforrg)rQrrz_rs rH GSS_PassivezNTLMSSP.GSS_Passives ?ll4((G"GO =DJO + + 3.33#$FGGG222!GO J4GM11 1 ]dj6 6 6 3.33#$FGGG222 #G  J4GM11 1 ]dj6 6 6 3.c99#$IJJJ222!%!Q>QQRR RrJc|j|urdS|j|jc|_|_|j|jc|_|_|j|jc|_|_|j|jc|_|_|j |_dSrL) rXr[rYr\rZr^r]r`r_)rQrrXs rHGSS_Passive_set_Directionz!NTLMSSP.GSS_Passive_set_Directions  Z / / F     1W0     1W0  "  " 7 6291CWEW.G.!(!33rJc|jr|j}nd}|jr|j}nd}|jrA||jvr8t d|||j|}t ||jjSdS)zV Function that returns the SessionBaseKey from the ntlm Authenticate. Nrr) rrr5r@r|r.r0rr)rQrrusernamedomainrs rHrzNTLMSSP._getSessionBaseKeys   (HHH  ! (FFF ? x4?::#htx/HM0x;F trJc|jr|j}nd}|jr|j}nd}||jvrUt d|||j|}|j||jj }||jj krdSdS)zw Function that checks the validity of an authentication. Overwrite and return True to bypass. NrrTF) rrr5r@r|r.rrrbrr)rQrrrrrrs rHrzNTLMSSP._checkLogin s   (HHH  ! (FFF t & &#htx/HM"5GG!1JX9DDDturJ)r)NNrL)F)rrrrr auth_typer+rTrhrPrrrrrrrrr1r&rrrrrrrrrs@rHrMrMvsg,,\ #CI  (((((#+(((X  000000B'    ===           4 4 4 4 4 4 4 4 4 4NRCSCSCS5=k5JCSCSCSCSJYSYSgYSYSYSYSvg S S7 S S S SD444444&*rJrMrL)qrrrrrenumrscapy.asn1.asn1rscapy.asn1.mibrscapy.asn1fieldsrrrr scapy.asn1packetr scapy.compatr scapy.errorr scapy.fieldsr rrrrrrrrrrrrrrrrrrr r!r"r# scapy.packetr$scapy.sessionsr%scapy.layers.gssapir&r'r(r)r*r+r,r-typingr.r/r0r1r2r3scapy.layers.tls.crypto.hashr4r5scapy.layers.tls.crypto.h_macr6strr8rrrrr _NTLM_CONFIGrrrIr#r%rrKrZrrrrrrrrrrrrrrrr r"r.r0r6r8r=r@rGrKrMrBrJrHrs  '''''' )(((((%%%%%%######2 ''''''                    <;;;;;;;222222J-J-J-J-J- $uS#X"78J-J-J-ZffffffffR JN z !Z&' :F! ! ! ! X&2!!!H   F< < < < < '< < < D " " " " "v " " ";";";";";"f;";";"|> > > > > '> > > H& FF f*?????-???Dz z z z z *z z z z,"             ;   "***333$ 999. " " " " " " " "*5 %&3L/0 I I I I///>>>%%%'''*"""@p p p p p cp p p p p rJ