hedZddlZddlmZddlmZddlmZmZm Z m Z m Z m Z m Z mZmZmZmZmZmZmZmZmZmZmZddlmZddlmZmZddlmZm Z m!Z!m"Z"m#Z#m$Z$m%Z%m&Z&m'Z'm(Z(m)Z)m*Z*m+Z+m,Z,m-Z-m.Z.m/Z/m0Z0m1Z1m2Z2m3Z3m4Z4dd l5m6Z6m7Z7dd l8m9Z9Gd d eZ:iZ;Gd de+Z<Gdde+Z=Gdde+Z>Gdde+Z?Gdde+Z@Gdde+ZAGdde+ZBGdde+ZCGdde+ZDeDe;d<Gd d!eZEeEe;d"<Gd#d$eZFeFe;d%<Gd&d'eZGeGe;d(<eGe;d)<eGe;d*<eGe;d+<Gd,d-e+ZHd.ZIGd/d0e7ZJeJe;d1< dd2lKmLZLn #eM$reNZLYnwxYwGd3d4eLZOGd5d6eLZPGd7d8eLZQGd9d:e+ZRGd;de+ZTGd?d@e+ZUGdAdBe+ZVGdCdDe+ZWGdEdFe+ZXGdGdHe2e.ZYGdIdJe+ZZGdKdLe+Z[eLeNkre[e;dM<GdNdOe+Z\GdPdQe+Z]e]e;dR<GdSdTeZ^e^e;dU<GdVdWeZ_e_e;dX<GdYdZeZ`Gd[d\eZaGd]d^eZbebed_<dS)`z [MS-PAC] https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-pac/166d8064-c863-41e1-9c23-edaaa5f36962 Up to date with version: 23.0 N)conf) log_runtime)ConditionalField FieldLenFieldFieldListField FlagsFieldLEIntEnumField LELongField LEIntField LEShortFieldMultipleTypeField PacketFieldPacketListFieldStrField StrFieldUtf16StrFixedLenFieldStrLenFieldUtf16 UTCTimeField XStrField XStrLenField)Packet)_AUTHORIZATIONDATA_VALUES _KRB_S_TYPES) NDRByteFieldNDRConfFieldListFieldNDRConfPacketListFieldNDRConfStrLenFieldNDRConfVarStrLenFieldUtf16NDRConfVarStrNullFieldUtf16NDRConformantStringNDRFieldListFieldNDRFullPointerFieldNDRInt3264EnumField NDRIntField NDRLongField NDRPacketNDRPacketFieldNDRSerialization1HeaderNDRSerializeType1PacketLenField NDRShortFieldNDRSignedLongField NDRUnionField _NDRConfFieldndr_deserialize1ndr_serialize1)_NTLMPayloadField_NTLMPayloadPacket) WINNT_SIDczeZdZeddddddddd d d d d ddddeddeddgZdZdS)PAC_INFO_BUFFERulTypezLogon informationzCredentials informationzServer Signaturez KDC Signaturez"Client name and ticket informationz"Constrained delegation informationzUPN and DNS informationzClient claims informationzDevice informationzDevice claims informationzTicket SignaturezPAC Attributesz PAC RequestorzExtended KDC Signature)r6  cbBufferSizeNOffsetctjSN)r padding_layer)selfpayloads ]/mounts/lovelace/software/anaconda3/lib/python3.11/site-packages/scapy/layers/msrpce/mspac.pydefault_payload_classz%PAC_INFO_BUFFER.default_payload_classes !!)__name__ __module__ __qualname__r r r fields_descrLrMrKr4r4Ks  /5.+@@5707.,+4    (  >4(( Hd##-K2"""""rMr4c eZdZdZeddddeddddeedd d d d gZdS)RPC_UNICODE_STRINGLengthNBufferc |dzSNr7rR_xs rKzRPC_UNICODE_STRING.rs QQRUrM)size_ofadjust MaximumLengthc |dzSr[rRr\s rKr_zRPC_UNICODE_STRING.ts !a%rMc|jdzSr[)rbpkts rKr_zRPC_UNICODE_STRING.zsS%6!%;rMc|jdzSr[)rXrfs rKr_zRPC_UNICODE_STRING.{s szQrM)size_is length_isTdeferred)rNrOrP ALIGNMENTr*r"rrQrRrMrKrTrTosI hh?S?STTT T8sRSrM count_fromN)rNrOrPrryrQrRrMrKrrs+"?62| TTTUKKKrMrc,eZdZedddgZdS)RPC_SID_IDENTIFIER_AUTHORITYValuerdr8r{Nr}rRrMrKrrs(##GR:::;KKKrMrc eZdZdZdgZeddedddedeeedge d dd d gZ d Z dS)SIDrU SubAuthorityRevisionrSubAuthorityCountNr`IdentifierAuthorityrdc|jSrG)rrfs rKr_z SID.s  5rMT)riconformant_in_structc*tj|SrG)r2summary)rIs rKrz SID.summarys &&&rM) rNrOrPrmDEPORTED_CONFORMANTSrr'rrr$rQrrRrMrKrrsI*+ Z## ($GGG ! ( ( * * (     KA  55!%    K"'''''rMrcjeZdZdZeedeededdgZdS)KERB_SID_AND_ATTRIBUTESrUSidTrkrwrN) rNrOrPrmr"r'rr$rQrRrMrKrrsPINN5##%%==MMM L!$$KKKrMrc 0eZdZdZgedeeedeeedeeedeeedeeedeeedeeed eeed eeed eeed eeed eeeddeddeddeddeddde e de ge ddeddede e edeeedeee ede e ded ged!dd"#ed$ded%ged!dd&#ed'dd(e e d(eged)de ed*e e ded+dd,e e d,e ge d-dZdS).KERB_VALIDATION_INFOrU LogonTime LogoffTime KickOffTimePasswordLastSetPasswordCanChangePasswordMustChange EffectiveNameFullName LogonScript ProfilePath HomeDirectoryHomeDirectoryDrive LogonCountrBadPasswordCountUserIdPrimaryGroupId GroupCountNGroupIdsrc|jSrGrrfs rKr_zKERB_VALIDATION_INFO.CNrMriTrk UserFlagsUserSessionKey LogonServerLogonDomainName LogonDomainId Reserved1rdcdSr[rRrs rKr_zKERB_VALIDATION_INFO.STrM)rjUserAccountControl Reserved3cdS)Nr9rRrs rKr_zKERB_VALIDATION_INFO.rrMSidCount ExtraSidsc|jSrGrrfs rKr_zKERB_VALIDATION_INFO.CLrMResourceGroupDomainSidResourceGroupCountResourceGroupIdsc|jSrG)rrfs rKr_zKERB_VALIDATION_INFO. C$:rM)rNrOrPrmr'rorTr*r$r"rrurrr!rrQrRrMrKrrsI:{HHJJ99:|XXZZ::: }hhjj(;;: (((**h?? : *HHJJAA : +XXZZBB : (:(:(<(<>PQQ: z#5#5#7#79KLL: }&8&8&:&:PQQ: +-?-?-A-ACUVV:  lA&&:  (!,,:  Ha  :  $a((!:"  L$ ;;;#:$  " "!!##$ 22        %:6  K##7:8 ')9)9););=MNN9:: }&8&8&:&:*>@RSS=:> NN?CCEE3GGRVWWW?:@ +r;;r1+=+=UUUA:B  (!,,C:D +r;;r1+=+=UUUE:F  Jk:::G:H  " "((**+'00        I:Z  N3SSUUC @ @4   [:`  ($8JKKKa:b  " ""!!##$ ::        c:KKKrMrr6c beZdZeddeddddddd d ed d gZd S)PAC_CREDENTIAL_INFOVersionrEncryptionTyper6z DES-CBC-CRCz DES-CBC-MD5AES128_CTS_HMAC_SHA1_96AES256_CTS_HMAC_SHA1_96zRC4-HMAC)r6rArBSerializedDatarMN)rNrOrPr r rrQrRrMrKrrsd 9a    ))55&      "C((KKKrMrr7cleZdZedddgddedddd edd d gZdS)PAC_CLIENT_INFOClientIdNscnrM length_from)rNrOrPrrrrQrRrMrKrrsm $.C.C.CTW     lDFEEE2L2LMMM KKKrMrr:c\eZdZeddeedddeddgZdS)PAC_SIGNATURE_DATA SignatureTypeN SignaturerMcBddddd|jdS)NrVr@r<)r6lvr?r@r)getrrfs rKr_zPAC_SIGNATURE_DATA.,s1 %% c##Q'' rMrRODCIdentifier)rNrOrPr rrrrQrRrMrKrr"se       ((  !3''!KKKrMrr8r9r@rCc eZdZdZedeeedddeedegedd gZ dS) S4U_DELEGATION_INFOrUS4U2proxyTargetTransitedListSizeNS4UTransitedServicesrc|jSrG)rrfs rKr_zS4U_DELEGATION_INFO.I C$9rMrTrk) rNrOrPrmr'rTr$r"rrQrRrMrKrr?sI(*<*<*>*>@RSS '7MNNN " "&##%%&"99         KKKrMrc|jdD]\}}|dj|||}||}||dz.|d|t jd|z||dzdz}||dz1|d|dzt jd|z||dzdz}||z }|S)z:Util function to build the offset and populate the lengthsPayloadLenNrr7 BufferOffsetrV)fields get_field fields_mapi2len getfieldvalstructpack)rIp pay_offsetr field_namevaluer|offsets rK_pac_post_buildrSs![3   E **5jAGGeTT #   J. / / 7'6' V[v6666A:<<HA   J7 8 8 @,FQJ,&+dJ"?"??!FQJLL/QAf HrMceZdZeddeddeddeddedddd d geed dd eed ddeedddeedddeeddeddeddedde de e gdfgeddeddeddgg Z dZ dS) UPN_DNS_INFOUpnLenNUpnBufferOffsetDnsDomainNameLenDnsDomainNameBufferOffsetFlagsrUS SamNameLenc|jjSrGrrrfs rKr_zUPN_DNS_INFO.t  rMSamNameBufferOffsetc|jjSrGrrfs rKr_zUPN_DNS_INFO.yrrMSidLenc|jjSrGrrfs rKr_zUPN_DNS_INFO.~rrMSidBufferOffsetc|jjSrGrrfs rKr_zUPN_DNS_INFO.rrMrUpnrM DnsDomainNameSamNamerc|jjSrGrrfs rKr_zUPN_DNS_INFO.s  rMr<cjd}ddd}|jjr d}d|d<d|d<t|||||zS) Nr<rrV)rrr rr@r)rrr)rIrgpayrrs rK post_buildzUPN_DNS_INFO.post_buildsg   :< F "F9 F5M        rM) rNrOrPr rrr r0rrr2rQrrRrMrKrrbs Xt$$ &-- '.. 0$77        Lt , , # #   L. 5 5 # #   L4 ( ( # #   L*D 1 1 # #  &%!)M%55)M/3??)M)S99'Kyy{{IFF   ,+  "  !M%--!M/377  %  E=K~     rMrr<)IntEnumceZdZdZdZdZdZdS) CLAIM_TYPEr6r7rr8N)rNrOrPCLAIM_TYPE_INT64CLAIM_TYPE_UINT64CLAIM_TYPE_STRINGCLAIM_TYPE_BOOLEANrRrMrKrrs(rMrceZdZdZdZdS)CLAIMS_SOURCE_TYPEr6r7N)rNrOrPCLAIMS_SOURCE_TYPE_ADCLAIMS_SOURCE_TYPE_CERTIFICATErRrMrKrrs%&"""rMrceZdZdZdZdZdZdS)CLAIMS_COMPRESSION_FORMATrr7rrVN)rNrOrPCOMPRESSION_FORMAT_NONECOMPRESSION_FORMAT_LZNT1COMPRESSION_FORMAT_XPRESSCOMPRESSION_FORMAT_XPRESS_HUFFrRrMrKr!r!s(  !%&"""rMr!c deZdZdZedddeedgedd gZdS) CLAIM_ENTRY_sub0rU ValueCountN Int64Valuesrc|jSrGr(rfs rKr_zCLAIM_ENTRY_sub0.rrMrTrk) rNrOrPrmr$r"rr+rQrRrMrKr'r'slI L$ >>> ! !"22         KKKrMr'c deZdZdZedddeedgedd gZdS) CLAIM_ENTRY_sub1rUr(N Uint64Valuesrc|jSrGr+rfs rKr_zCLAIM_ENTRY_sub1.scnrMrTrk rNrOrPrmr$r"rr%rQrRrMrKr-r-sjI L$??? ! !L:T:T       KKKrMr-c eZdZdZedddeedgeeddd d d gZdS) CLAIM_ENTRY_sub2rUr(N StringValuesr StringValrdTrkc|jSrGr+rfs rKr_zCLAIM_ENTRY_sub2.rrMr) rNrOrPrmr$r"rrrQrRrMrKr2r2sI L$??? ! !##// R@@!32    KKKrMr2c deZdZdZedddeedgedd gZdS) CLAIM_ENTRY_sub3rUr(N BooleanValuesrc|jSrGr+rfs rKr_zCLAIM_ENTRY_sub3. ss~rMrTrkr0rRrMrKr7r7sjI L$@@@ ! !\;U;U       KKKrMr7c ^eZdZdZeedddeddeee de e d d ffe de e d d ffe de e d dffe de e ddffgedddddgZdS) CLAIM_ENTRYrUIdrdTrkTyperValuesc@t|ddtjkSNr=)getattrrrrfs rKr_zCLAIM_ENTRY.sVT(B(B):);rMc,|jtjkSrG)tagrrr]vals rKr_zCLAIM_ENTRY. s:3N(NrMc@t|ddtjkSr@)rArrrfs rKr_zCLAIM_ENTRY.'VT(B(B);)<rMc,|jtjkSrG)rCrrrDs rKr_zCLAIM_ENTRY.*:3O(OrMc@t|ddtjkSr@)rArrrfs rKr_zCLAIM_ENTRY.1rGrMc,|jtjkSrG)rCrrrDs rKr_zCLAIM_ENTRY.4rIrMc@t|ddtjkSr@)rArrrfs rKr_zCLAIM_ENTRY.;sVT(B(B)<)=rMc,|jtjkSrG)rCrrrDs rKr_zCLAIM_ENTRY.>s:3P(PrMr{)r7rW)HI)align switch_fmtN)rNrOrPrmr"rr#rr,r'r'r-r2r7rrQrRrMrKr;r;sqI77bAADQQQFAz22 #N8-=-=-?-?AQRR;;ON  #N8-=-=-?-?AQRR<<PO  #N8-=-=-?-?AQRR<<PO  #N8-=-=-?-?AQRR==QP  ?) T  Xr! 4 4 4![. . . 2KKKrMr;c eZdZdZeddeedddeede ge d d gZ dS) CLAIMS_ARRAYrUusClaimsSourceTyper ulClaimsCountN ClaimEntriesrc|jSrG)rUrfs rKr_zCLAIMS_ARRAY.Ss C$5rMrTrk) rNrOrPrmr#rr$r"rr;rQrRrMrKrSrSIsI0!5GHH OT>BBB " "55         KKKrMrSc eZdZdZedddeedegedd ed d ed dd ee d ddd gZ dS) CLAIMS_SETrUulClaimsArrayCountN ClaimsArraysrc|jSrG)rZrfs rKr_zCLAIMS_SET.crrMrTrkusReservedTyperulReservedFieldSize ReservedFieldrdc|jSrGr^rfs rKr_zCLAIMS_SET.k 9PrM) rNrOrPrmr$r"rrSr*rrQrRrMrKrYrYZsI ($GGG " " ::          &** )4III  -P-P       KKKrMrYc(eZdZdZdZdZdZdZdS)_CLAIMSClaimSetTcz|jtjkrt|tdSt |S)NFndr64)r)usCompressionFormatr!r"r.rYr )rIrgss rKm2iz_CLAIMSClaimSet.m2ivs<  "&?&W W W#Az??? ?'Q/// /rMcx|d}|jtjkrt|St |SNr)rhr!r"r/bytes)rIrgrEs rKi2mz_CLAIMSClaimSet.i2m}s9!f  "&?&W W W!#&& &:: rMcf|jtjkr||dS|Srl)rhr!r"_subval)rIrgr^s rKvalueofz_CLAIMSClaimSet.valueofs.  "&?&W W W<<??1% %HrMN)rNrOrPCONFORMANT_STRING LENGTH_FROMrjrnrqrRrMrKrdrdrsLK000rMrdc eZdZdZedddeeddddd ed d eed dde d d edddee dddd gZ dS)CLAIMS_SET_METADATArUulClaimsSetSizeN ClaimsSetrc|jSrG)rvrfs rKr_zCLAIMS_SET_METADATA.s S=PrMrTrkrhrulUncompressedClaimsSetSizer]r^r_rdc|jSrGrarfs rKr_zCLAIMS_SET_METADATA.rbrM) rNrOrPrmr$r"rdr#r!r*rrQrRrMrKrurusI %t[AAA OT41P1P        ! %   14MMM &** )4III  -P-P       #KKKrMruc:eZdZedeegZdS)PAC_CLIENT_CLAIMS_INFOClaimsN)rNrOrPr'rurQrRrMrKr|r|s/!>(,?,?,A,ACVWWXKKKrMr|r=c eZdZdZeedeededdeede ge d dgZ d S) DOMAIN_GROUP_MEMBERSHIPrUDomainIdTrkrrrc|jSrGrrfs rKr_z DOMAIN_GROUP_MEMBERSHIP.rrMrN) rNrOrPrmr"r'rr$rrurQrRrMrKrrsINN:ssuucBBTRRR L!$$ " "!!##$ 22         KKKrMrceZdZdZeddeddeedeededdeed e ge d ded deed e ge d deddeede ge d dg Z dS)PAC_DEVICE_INFOrUrrrAccountDomainIdTrkAccountGroupCountAccountGroupIdsc|jSrG)rrfs rKr_zPAC_DEVICE_INFO.rrMrrrc|jSrGrrfs rKr_zPAC_DEVICE_INFO.rrMDomainGroupCount DomainGroupc|jSrG)rrfs rKr_zPAC_DEVICE_INFO.s C$8rMN) rNrOrPrmr$r"r'rrrurrrQrRrMrKrrs{I Ha   $a(( N,cceeS 9 9D     '++ " "!!!##$ 99          J"" " "((**+'00          &** " "((**+'88        7$KKKrMrr>c feZdZeddeddgedddddd d gZd S) PAC_ATTRIBUTES_INFO FlagsLengthr7rPAC_WAS_REQUESTEDrdrrPAC_WAS_GIVEN_IMPLICITLY)r6r7c|jdzdzS)Nr9rW)rrfs rKr_zPAC_ATTRIBUTES_INFO.sCOa$7A#=rMrN)rNrOrPr rrrQrRrMrKrrsq =!$$  ! J 3 :   >= KKKrMrrAc:eZdZedeegZdS) PAC_REQUESTORrN)rNrOrPrr2rQrRrMrKrr s, E99;; 22KKKrMrrBceZdZfdZxZS)_PACTYPEBufferscd}t|t|jkr>tjdt t ||||Sdt|jzdz}t|D]\}}|||}|j|} t| tst| trtt| } nt| } |j +|ddtjd| z|ddz}|j+|ddtjd|z|ddz}|| z }|| dzz }||z }||zS)NrMz5Size of 'Buffers' does not match size of 'Payloads' !r@rWrV#..//3xx~%bqbEFKd333ae;xbqbEFKf555"##> dNF w!m #F 1HCC3wrM)rNrOrPr __classcell__)rs@rKrrs8rMrceZdZdZdZdS)_PACTYPEPayloadsct|tst|trt|}nt |}|dt | dzzzS)NrW)rr&r(r/rmr)rIrgrEris rKrnz_PACTYPEPayloads.i2m1s\ c9 % % C9P)Q)Q s##AAc A7Aw!m,,,rMc|r|s|gfSg}tt|jD]}|j|}|jdt|jzz dz } t|j}|jdkrtt|tr#t||||jz|d}n|||||jz}tj |vrtj |tj j} |tj j} | s#|t#d| | | n4#t$r'tj ||||jz}YnwxYw||d|fS) Nr@rWrFrf)loadzDissection failedrM)rangerBuffersrE _PACTYPESr5rDKeyError issubclassr&r.r raw_layerrHr underlayershow ValueErrorremove_payload add_payloadappend) rIrgriresultrbufrclsrEpadlays rKgetfieldz_PACTYPEPayloads.getfield8s ! b5Ls3;''((  A+a.CZ"s3;'7'7"77!;F P +#q(("Nc9--E*&6C,<#<<=#CC #a#2B)B BCDDC>S((,#dn2E2JKKKCdn-8C> ()<===&&(((OOC((( P P P(6FS=M4M+M)NOO P MM#    F{sDE44.F%$F%N)rNrOrPrnrrRrMrKrr0s2---rMrceZdZdZeddddeddedeged ed gdgZ dS) PACTYPEz PACTYPE - PACcBuffersNrr)count_ofrrrc|jSrG)rrfs rKr_zPACTYPE.cs3<rMrr) rNrOrPnamerr rr4rrQrRrMrKrrZs D j$EEE 9j))  _    //    R.. KKKrMr)c__doc__r scapy.configr scapy.errorr scapy.fieldsrrrrr r r r r rrrrrrrrr scapy.packetrscapy.layers.kerberosrrscapy.layers.dcerpcrrrrrrr r!r"r#r$r%r&r'r(r)r*r+r,r-r.r/scapy.layers.ntlmr0r1scapy.layers.smb2r2r4rrTroruryrrrrrrrrrrrenumr ImportErrorobjectrrr!r'r-r2r7r;rSrYrdrur|rrrrrrrrRrMrKrsM   ######( 0(''''' """""f"""<  &VVVVVyVVV OOOOOyOOO ;;;;;9;;;VVVVVyVVV<<<<<9<<<''''')'''0i<<<<<9<<<~$ ! &$# ! f! # *" ! ! ! $ $$ $ )(    S S S S S %S S S l #GGG'''''''' ''''''''     y        y   y&     y   44444)444n9"0m%D4)8YYYYYYYYY f+IcN i"&&&&&i&&&R! # &(& $ F  $ o2''''''''T     f   ")#sFFF