h1k dZddlZddlZddlZddlZddlmZmZddlm Z m Z ddl m Z m Z mZmZddlmZmZmZmZddlmZmZmZmZddlmZmZmZdd lmZm Z m!Z!m"Z"m#Z#m$Z$m%Z%ej&rdd l'm(Z(m)Z)dd l*m+Z+m,Z,m-Z-dd l.m/Z/n dxZ(xZ)xZ+xZ,xZ-Z/dd l0m1Z1iddddddddddddddddddd d!d"d#d$d%d&d'd(d)d*d+d,d-d.d/d0d1d2d3d4d5d6d7d8d9 Z2e d:dd;e2j3Z2ed<Z4ed=Z5ed>Z6d?Z7ed@Z8dAZ9dBZ:edNdCZ;edNdDZedGZ?GdHdIeZ@GdJdKejAZBGdLdMeZCdS)Oz [MS-NRPC] Netlogon Remote Protocol https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/ff8f970f-3e37-40f7-bd4b-af7336e4792f N)confcrypto_validator) FlagValue FlagsField)find_dcerpc_interfaceDCE_C_AUTHN_LEVELNL_AUTH_MESSAGENL_AUTH_SIGNATURE) GSS_C_FLAGSGSS_S_COMPLETEGSS_S_CONTINUE_NEEDED GSS_S_FAILURE)RC4RC4KRC4InitSSP) DCERPC_ClientDCERPC_Transport STATUS_ERREF)NetrServerAuthenticate3_Request NetrServerAuthenticate3_ResponseNetrServerReqChallenge_RequestNetrServerReqChallenge_ResponseNETLOGON_SECURE_CHANNEL_TYPEPNETLOGON_AUTHENTICATORPNETLOGON_CREDENTIAL)hasheshmac)Cipher algorithmsmodes)DES)OptionalABDCContinuousUpdaterD BDCChangelog RestartingDCSync@NoValidationLevel2 DatabaseRedoRefusalPasswordChangei SendToSamizGeneric-passthroughi ConcurrentRPCiAvoidRepliAccountDBi AvoidRepliAuthorityDBi@ StrongKeysiTransitiveTrustiQServerPasswordSet2 GetDomainInfoCrossForestTrust NoNT4EmulzRODC-passthroughAESKerberos SecureRPCZ) iiiii ii i@ic|}tj|tj}|||||ddS)Nr+rHMACrSHA256updatefinalize)HashNtClientChallengeServerChallengeM4SShs ^/mounts/lovelace/software/anaconda3/lib/python3.11/site-packages/scapy/layers/msrpce/msnrpc.pyComputeSessionKeyAESrR~sY D $ ((AHH_HH_ ::<< c|}tjtj}|d||||t j|tj}|||SNrHashMD5rJrrHrK)rLrMrNrOdigestrPs rQComputeSessionKeyStrongKeyr[s D [ & &F MM%&&& MM/""" MM/""" $ %%AHHV__   ::<<rScttj|tjd}|}||S)Nsmode)rr r@r!CFB8 encryptorrJ)InputSkcipherr`s rQComputeNetlogonCredentialAESrdsM JN2&&UZ -E-E F F FF  ""I   E " ""rSctd}|ddz |d<|ddzdz|ddz z|d<|ddzdz|ddz z|d<|ddzd z|dd z z|d<|dd zdz|d dz z|d <|d d zdz|ddz z|d<|dd zdz|ddz z|d<|dd z|d<tdD]}||dzdz||<|S)Nsrr$r&r(?r)) bytearrayrange)KeyInKeyOutis rQ InitLMKeyrts6 { # #FaD F1I(T/a'E!HM:F1I(T/a'E!HM:F1I(T/a'E!HM:F1I(T/a'E!HM:F1I(T/a'E!HM:F1I(T/a'E!HM:F1Ia4F1I 1XX,,AY!^t+q MrSct|dd}t|dd}tt|tj|}tt|tj|S)Nrri)rtrr"r!ECBr`rJ)rarbk3k4output1s rQComputeNetlogonCredentialDESr{s 2ac7  B 2ad8  BSWWeikk**4466==eDDG #b''59;; ' ' 1 1 3 3 : :7 C CCrSc tjd|tjd|dddzdz|ddzS)NzLr}r-rDr)r~r)ClientSequenceNumberclientlowhighs rQComputeCopySeqNumberrsU +d0:= > >C ; " $ 2V7RzzQRS  D :rSctj|tj}||dd|r|||||S)Nr)rG) nl_auth_sigmessage SessionKey ConfounderrPs rQComputeNetlogonChecksumAESrsm *fmoo..AHH[!_ HHW ::<<rSctjtj}|d||dd|r||||t j|tj}|||S)NrVr)rW)rrrrrZrPs rQComputeNetlogonChecksumMD5rs [ & &F MM%&&& MM+bqb/"""" j!!! MM' *fjll++AHHV__   ::<<rSchttdt|DS)Nc3 K|] }|dz V dSN.0xs rQ z/ComputeNetlogonSealingKeyAES..s&EE!AHEEEEEErS)bytesro)rs rQComputeNetlogonSealingKeyAESrs/ EEy/D/DEEEEE F FFrScttdt|D}tj|t j}|dtj|t j}|||S)Nc3 K|] }|dz V dSrrrs rQrz/ComputeNetlogonSealingKeyRC4..s&GGAa$hGGGGGGrSrV)rrorrHrrYrJrK)r CopySeqNumberXorKeyrPs rQComputeNetlogonSealingKeyRC4rs 9GG:1F1FGGGGG H HF &&*,,''AHH !!! !**,, --AHH] ::<<rSc:tj|tj}|dtj|tj}|||SrU)rrHrrYrJrK)rChecksumrPs rQ#ComputeNetlogonSequenceNumberKeyMD5rsk *fjll++AHH !!! !**,, --AHHX ::<<rSceZdZdZGddejZGddejZdfd ZdZd Z dd Z dd Z d Z dZ ddeefdZddZdefdZxZS) NetlogonSSPDceZdZdZdZdZdS)NetlogonSSP.STATEr$r&rgN)__name__ __module__ __qualname__INIT CLI_SENT_NL SRV_SENT_NLrrSrQSTATErs  rSrc(eZdZgdZdfd ZxZS)NetlogonSSP.CONTEXT)rIsClientr@NTctjj|_||_d|_||_ttj| |dS)Nr) req_flags) rrrstaterrr@superCONTEXT__init__)selfrrr@ __class__s rQrzNetlogonSSP.CONTEXT.__init__ sP$*/DJ$DM()D %DH +%t , , 5 5 5 J J J J JrSNT)rrr __slots__r __classcell__rs@rQrrsX    K K K K K K K K K KrSrTc ||_||_||_||_t t |jdi|dS)Nr)rr@ computername domainnamerrr)rrrrr@kwargsrs rQrzNetlogonSSP.__init__sI$($)k4  )33F33333rScdd|D}d}|rtjd}|jrt d|rdnd}nt d |rd nd}t |j|j}|xjd z c_|jr2tt|||j |dd|_ n1tt|||j |dd|_ |r#|jrt|j }nt|j |}|jr|d z} tt!j|t#j|  } | ||_|D](} | jr| | j| _)nYt1|} t3| ||_t1|} |D]#} | jrt3| | j| _$|jru|j }|j d z} tt!j|t#j|  } | } | ||_n/t7|j |j }t9|||_||fS)zd Internal function used by GSS_WrapEx and GSS_GetMICEx [MS-NRPC] 3.3.4.2.1 rSc32K|]}|j |jVdSNsigndatars rQrz&NetlogonSSP._secure..!+99Q!&9!&999999rSNr)i)SignatureAlgorithm SealAlgorithmwzr$r&r])joinosurandomr@r rrrrrrrrrrrr r!r_r`rJr conf_req_flagrrrSequenceNumberrr)rContextmsgsSealToSignr signaturer EncryptionKeyIVr`msghandlercs rQ_securezNetlogonSSP._secures99$99999  'AJ ; )#)(,8ff&II *#)(,8ff&I.  ('*:   $$)$$ ; !;i  &$/:""qb"I  "<i  &$/:""qb"I  ! 9{  >C(>#,#3#3CH#=#=>!//'*6:'>'> $!//99C(9#&vsx#8#8 ; K OM#a'BJN=99 2OOOF((**I'0'7'7'G'GI $ $?!3M(,M>'J'JI $    rSct|tsJ|jr |jdks|js|jdkrt d|jru|j}|jdz}ttj|tj |}| }| |j } n/t|j|j}t||j } t!|j|j } | | krt d|xjdz c_d} |r)|jrt'|j}nt)|j| }|jr| dz}ttj|tj | }| |j} |D](} | jr| | j| _)n_t)|j| }t||j} t1|} |D]#} | jrt3| | j| _$d d |D}|jr-t7t9|||j| dd }n,t;t9|||j| dd }|j|krt d |S) zi Internal function used by GSS_UnwrapEx and GSS_VerifyMICEx [MS-NRPC] 3.3.4.2.2 rrzInvalid SignatureAlgorithm !r&r]z!ERROR: SequenceNumber don't matchr$NrSc32K|]}|j |jVdSrrrs rQrz(NetlogonSSP._unsecure..rrSr)zERROR: Checksum don't match) isinstancer r@r ValueErrorrrrr r!r_ decryptorrJrrrrrrrrrrrrrrrrr)rrrrrrrrcrrrrrrrrs rQ _unsecurezNetlogonSSP._unsecurezs9 )%677777 K =I8FBB C ) < F F;<< < ; K OM#a'BJN=99 2OOOF((**I&--i.FGGNN?!3M"-1IJJN,  (g.>*>   ] * *@AA A$$)$$  9{  >C(>#,#3#3CH#=#=> !=O^!! "-1EFF  //99C(9#&vsx#8#899$99999 ; 1i  &$/:qbHH2i  &$/:qbH   ) ):;; ; rSrc0|||dSrrrrrqop_reqs rQ GSS_WrapExzNetlogonSSP.GSS_WrapExs||GT4000rSc<|||ddS)NFr$rrs rQ GSS_GetMICExzNetlogonSSP.GSS_GetMICExs||GT511!44rSc2||||dSrrrrrrs rQ GSS_UnwrapExzNetlogonSSP.GSS_UnwrapExs~~gtY===rSc6||||ddS)NFrrs rQGSS_VerifyMICExzNetlogonSSP.GSS_VerifyMICExs  wi77777rSNrc||d||j}|j|jjkr6|jj|_|t dd|j|jtfS|dtfS)NTrr@rrg) MessageTypeFlagsNetbiosDomainNameNetbiosComputerName) rr@rrrrr rrr r )rrvalrs rQGSS_Init_sec_contextz NetlogonSSP.GSS_Init_sec_contexts ?ll49$(lKKG =DJO + + J2GM !&*o(,(9  &  D.0 0rSc||dd|j}|j|jjkr*|jj|_|t ddtfS|dtfS)NFrrr$)rr) rr@rrrrr r r)rrrs rQGSS_Accept_sec_contextz"NetlogonSSP.GSS_Accept_sec_contextsv ?ll5A48lDDG =DJO + + J2GM !  D-/ /rSrcV|jtjzr |jrdSdS|jrdSdS)z Returns the Maximum Signature length. This will be used in auth_len in DceRpc5, and is necessary for PFC_SUPPORT_HEADER_SIGN to work properly. 8r-0)flagsr GSS_C_CONF_FLAGr@)rrs rQMaximumSignatureLengthz"NetlogonSSP.MaximumSignatureLengths> =;6 6 { rr{ rrrS)T)r)NNr)rrr auth_typerrrrrrrrrrr#r rrrrrs@rQrrsjI  K K K K K#+ K K K444444^ ^ ^ @SSSj11115555>>>888EI11,4[,A1111*0000$grSrceZdZdZdZdS)NETLOGON_SECURE_CHANNEL_METHODr$r&N)rrrNetrServerAuthenticate3NetrServerAuthenticateKerberosrrSrQrrs%&"""rSrceZdZdZejddffd ZfdZfdZdZ dZ e j e jfded ed efd ZxZS) NetlogonClienta A subclass of DCERPC_Client that supports establishing a Netlogon secure channel using the Netlogon SSP, and handling Netlogon authenticators. This class therefore only supports the 'logon' rpc. :param auth_level: one of DCE_C_AUTHN_LEVEL :param verb: verbosity control. :param supportAES: advertise AES support in the Netlogon session. Example:: >>> cli = NetlogonClient() >>> cli.connect_and_bind("192.168.0.100") >>> cli.establishSecureChannel( ... domainname="DOMAIN", computername="WIN10", ... HashNT=bytes.fromhex("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"), ... ) Tc td|_d|_d|_d|_||_t t|jtj f||j|d|dS)NlogonF) auth_levelndr64verb) r interfacer rClientStoredCredential supportAESrr rr NCACN_IP_TCP)rr rrrrs rQrzNetlogonClient.__init__4s/w77 &*#$,nd##,  ) !*         rScdtt|||jdS)z\ This calls DCERPC_Client's connect_and_bind to bind the 'logon' interface. N)rr connect_and_bindr)rremoteIPrs rQrzNetlogonClient.connect_and_bindHs- nd##44Xt~NNNNNrSc^tt||jSr)rr  alter_contextr)rrs rQrzNetlogonClient.alter_contextNs#^T**88HHHrSc&ttj}t|j||_t t |jrt|j|jnt|j|j|S)z1 Create a NETLOGON_AUTHENTICATOR r) Credential Timestamp) inttimerrrrrrdrr{)rtss rQcreate_authenticatorz#NetlogonClient.create_authenticatorQs   &9  '' ' #'+  03 63       rSct|jd|_|jrt|j|j}nt |j|j}||jjkrtddS)zk Validate a NETLOGON_AUTHENTICATOR :param auth: the NETLOGON_AUTHENTICATOR object r$z(Server netlogon authenticator is wrong !N) rrrrdrr{rrr)rauthtempcreds rQvalidate_authenticatorz%NetlogonClient.validate_authenticatorks':  '' ' # ? 3+T_HH4+T_H t+ + +GHH H , +rSrrrLc Ztjd}|td|t ||j|j}t|vs |jdkrbttj dtj|jdz|t t#dt$ }|jr|d z }|t(jkr~|jj} |jr't1||| } t3|| |_n&t7||| } t9|| |_|t;d|d z||t |jt=||j|j } t>| vs | jdkrd} t>| vrSt#| j t$ } || kr2ttj d | |z zttj dtj| jdz| jtvr| t |jrR| j!jt3| | kr3ttj dt nQ| j!jt9| | kr3ttj dt | |_"tG|j"|j||x|_$|j%j&_$n|t(j'kr |dz }tP|)dS)a Function to establish the Netlogon Secure Channel. This uses NetrServerAuthenticate3 to negotiate the session key, then creates a NetlogonSSP that uses that session key and alters the DCE/RPC session to use it. :param mode: one of NETLOGON_SECURE_CHANNEL_METHOD. This defines which method to use to establish the secure channel. :param computername: the netbios computer account name that is used to establish the secure channel. (e.g. WIN10) :param domainname: the netbios domain name to connect to (e.g. DOMAIN) :param HashNt: the HashNT of the computer account. r)Nr) PrimaryName ComputerNamerMr  ndrendianrz! %sFailurei/`)namesr@$)r% AccountNameSecureChannelTyper&ClientCredentialNegotiateFlagsr r'z! Unsupported server flags: %sz! Invalid ServerCredential.)rr@rrrA)*rrsr1_reqrrr r'rstatusprintr color_themefailrgetshowrr_negotiateFlagsrrrrNrrRrdrr[r{rrrr.ServerCredentialrrsspsocksessionrNotImplementedErrorr) rrrrLr^secureChannelType clientChallnetr_server_req_chall_responser. serverChallrnetr_server_auth3_responseNegotiatedFlagss rQestablishSecureChannelz%NetlogonClient.establishSecureChannels.jmm )- * ) 4$!!!j.    * * & ,3Q Q Q-499  %%"&'E'LiXXY    + / / 1 1 1 " !    ? $ e #N 1I I I9HMK 1&+{SS .J//++8K /K//+*./ $ ,s 2&7!-%9!8&&&$'~#6#6*"n    * * &18RRR-499"&37QQQ&/2A-'''O&88 ,11 @#2^#C!E $))&*+E+LiXXY .4LHH.33555   %.?D3KLLMM$*//0MNNOOO$$ M/?D3KLLMM$*//0MNNOOO$$(DO/:?O%) 000 DHty(,, 3R R R j (N% % rS)rrr__doc__rNONErrrrr#rrrWorkstationSecureChannelstrrrBrrs@rQr r s.%)        (OOOOO IIIII   4III4, C6O MMMM MMMMMMMMrSr r)DrCenumrr~r scapy.configrr scapy.fieldsrrscapy.layers.dcerpcrrr r scapy.layers.gssapir r r rscapy.layers.ntlmrrrrscapy.layers.msrpce.rpcclientrrrscapy.layers.msrpce.raw.ms_nrpcrrrrrrr crypto_validcryptography.hazmat.primitivesrr&cryptography.hazmat.primitives.ciphersrr r!scapy.libs.rfc3961r"typingr#r6r)rRr[rdrtr{rrrrrrrrEnumrr rrSrQrUs!   ////////........  655555555555 =;;;;;;;;PPPPPPPPPP&&&&&&&8<