Python impacket.ntlm.NTOWFv1() Examples
The following are 30
code examples of impacket.ntlm.NTOWFv1().
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example.
You may also want to check out all available functions/classes of the module
impacket.ntlm
, or try the search function
.
Example #1
Source File: samr.py From PiBunny with MIT License | 6 votes |
def hSamrChangePasswordUser(dce, userHandle, oldPassword, newPassword): request = SamrChangePasswordUser() request['UserHandle'] = userHandle from impacket import crypto, ntlm oldPwdHashNT = ntlm.NTOWFv1(oldPassword) newPwdHashNT = ntlm.NTOWFv1(newPassword) newPwdHashLM = ntlm.LMOWFv1(newPassword) request['LmPresent'] = 0 request['OldLmEncryptedWithNewLm'] = NULL request['NewLmEncryptedWithOldLm'] = NULL request['NtPresent'] = 1 request['OldNtEncryptedWithNewNt'] = crypto.SamEncryptNTLMHash(oldPwdHashNT, newPwdHashNT) request['NewNtEncryptedWithOldNt'] = crypto.SamEncryptNTLMHash(newPwdHashNT, oldPwdHashNT) request['NtCrossEncryptionPresent'] = 0 request['NewNtEncryptedWithNewLm'] = NULL request['LmCrossEncryptionPresent'] = 1 request['NewLmEncryptedWithNewNt'] = crypto.SamEncryptNTLMHash(newPwdHashLM, newPwdHashNT) return dce.request(request)
Example #2
Source File: samr.py From CVE-2017-7494 with GNU General Public License v3.0 | 6 votes |
def hSamrChangePasswordUser(dce, userHandle, oldPassword, newPassword): request = SamrChangePasswordUser() request['UserHandle'] = userHandle from impacket import crypto, ntlm oldPwdHashNT = ntlm.NTOWFv1(oldPassword) newPwdHashNT = ntlm.NTOWFv1(newPassword) newPwdHashLM = ntlm.LMOWFv1(newPassword) request['LmPresent'] = 0 request['OldLmEncryptedWithNewLm'] = NULL request['NewLmEncryptedWithOldLm'] = NULL request['NtPresent'] = 1 request['OldNtEncryptedWithNewNt'] = crypto.SamEncryptNTLMHash(oldPwdHashNT, newPwdHashNT) request['NewNtEncryptedWithOldNt'] = crypto.SamEncryptNTLMHash(newPwdHashNT, oldPwdHashNT) request['NtCrossEncryptionPresent'] = 0 request['NewNtEncryptedWithNewLm'] = NULL request['LmCrossEncryptionPresent'] = 1 request['NewLmEncryptedWithNewNt'] = crypto.SamEncryptNTLMHash(newPwdHashLM, newPwdHashNT) return dce.request(request)
Example #3
Source File: nrpc.py From Slackor with GNU General Public License v3.0 | 6 votes |
def ComputeSessionKeyStrongKey(sharedSecret, clientChallenge, serverChallenge, sharedSecretHash = None): # added the ability to receive hashes already if sharedSecretHash is None: M4SS = ntlm.NTOWFv1(sharedSecret) else: M4SS = sharedSecretHash md5 = hashlib.new('md5') md5.update(b'\x00'*4) md5.update(clientChallenge) md5.update(serverChallenge) finalMD5 = md5.digest() hm = hmac.new(M4SS) hm.update(finalMD5) return hm.digest()
Example #4
Source File: nrpc.py From CVE-2017-7494 with GNU General Public License v3.0 | 6 votes |
def ComputeSessionKeyStrongKey(sharedSecret, clientChallenge, serverChallenge, sharedSecretHash = None): # added the ability to receive hashes already if sharedSecretHash is None: M4SS = ntlm.NTOWFv1(sharedSecret) else: M4SS = sharedSecretHash md5 = hashlib.new('md5') md5.update('\x00'*4) md5.update(clientChallenge) md5.update(serverChallenge) finalMD5 = md5.digest() hm = hmac.new(M4SS) hm.update(finalMD5) return hm.digest()
Example #5
Source File: samr.py From Slackor with GNU General Public License v3.0 | 6 votes |
def hSamrChangePasswordUser(dce, userHandle, oldPassword, newPassword): request = SamrChangePasswordUser() request['UserHandle'] = userHandle from impacket import crypto, ntlm oldPwdHashNT = ntlm.NTOWFv1(oldPassword) newPwdHashNT = ntlm.NTOWFv1(newPassword) newPwdHashLM = ntlm.LMOWFv1(newPassword) request['LmPresent'] = 0 request['OldLmEncryptedWithNewLm'] = NULL request['NewLmEncryptedWithOldLm'] = NULL request['NtPresent'] = 1 request['OldNtEncryptedWithNewNt'] = crypto.SamEncryptNTLMHash(oldPwdHashNT, newPwdHashNT) request['NewNtEncryptedWithOldNt'] = crypto.SamEncryptNTLMHash(newPwdHashNT, oldPwdHashNT) request['NtCrossEncryptionPresent'] = 0 request['NewNtEncryptedWithNewLm'] = NULL request['LmCrossEncryptionPresent'] = 1 request['NewLmEncryptedWithNewNt'] = crypto.SamEncryptNTLMHash(newPwdHashLM, newPwdHashNT) return dce.request(request)
Example #6
Source File: nrpc.py From cracke-dit with MIT License | 6 votes |
def ComputeSessionKeyStrongKey(sharedSecret, clientChallenge, serverChallenge, sharedSecretHash = None): # added the ability to receive hashes already if sharedSecretHash is None: M4SS = ntlm.NTOWFv1(sharedSecret) else: M4SS = sharedSecretHash md5 = hashlib.new('md5') md5.update('\x00'*4) md5.update(clientChallenge) md5.update(serverChallenge) finalMD5 = md5.digest() hm = hmac.new(M4SS) hm.update(finalMD5) return hm.digest()
Example #7
Source File: samr.py From cracke-dit with MIT License | 6 votes |
def hSamrChangePasswordUser(dce, userHandle, oldPassword, newPassword): request = SamrChangePasswordUser() request['UserHandle'] = userHandle from impacket import crypto, ntlm oldPwdHashNT = ntlm.NTOWFv1(oldPassword) newPwdHashNT = ntlm.NTOWFv1(newPassword) newPwdHashLM = ntlm.LMOWFv1(newPassword) request['LmPresent'] = 0 request['OldLmEncryptedWithNewLm'] = NULL request['NewLmEncryptedWithOldLm'] = NULL request['NtPresent'] = 1 request['OldNtEncryptedWithNewNt'] = crypto.SamEncryptNTLMHash(oldPwdHashNT, newPwdHashNT) request['NewNtEncryptedWithOldNt'] = crypto.SamEncryptNTLMHash(newPwdHashNT, oldPwdHashNT) request['NtCrossEncryptionPresent'] = 0 request['NewNtEncryptedWithNewLm'] = NULL request['LmCrossEncryptionPresent'] = 1 request['NewLmEncryptedWithNewNt'] = crypto.SamEncryptNTLMHash(newPwdHashLM, newPwdHashNT) return dce.request(request)
Example #8
Source File: test_samr.py From CVE-2017-7494 with GNU General Public License v3.0 | 5 votes |
def test_SamrChangePasswordUser(self): dce, rpctransport, domainHandle = self.connect() request = samr.SamrCreateUser2InDomain() request['DomainHandle'] = domainHandle request['Name'] = 'testAccount' request['AccountType'] = samr.USER_NORMAL_ACCOUNT request['DesiredAccess'] = dtypes.MAXIMUM_ALLOWED | samr.USER_READ_GENERAL | samr.DELETE #request.dump() resp0 = dce.request(request) resp0.dump() oldPwd = '' oldPwdHashNT = ntlm.NTOWFv1(oldPwd) newPwd = 'ADMIN' newPwdHashNT = ntlm.NTOWFv1(newPwd) newPwdHashLM = ntlm.LMOWFv1(newPwd) from impacket import crypto request = samr.SamrChangePasswordUser() request['UserHandle'] = resp0['UserHandle'] request['LmPresent'] = 0 request['OldLmEncryptedWithNewLm'] = NULL request['NewLmEncryptedWithOldLm'] = NULL request['NtPresent'] = 1 request['OldNtEncryptedWithNewNt'] = crypto.SamEncryptNTLMHash(oldPwdHashNT, newPwdHashNT) request['NewNtEncryptedWithOldNt'] = crypto.SamEncryptNTLMHash(newPwdHashNT, oldPwdHashNT) request['NtCrossEncryptionPresent'] = 0 request['NewNtEncryptedWithNewLm'] = NULL request['LmCrossEncryptionPresent'] = 1 request['NewLmEncryptedWithNewNt'] = crypto.SamEncryptNTLMHash(newPwdHashLM, newPwdHashNT) resp = dce.request(request) resp.dump() # Delete the temp user request = samr.SamrDeleteUser() request['UserHandle'] = resp0['UserHandle'] resp = dce.request(request) resp.dump()
Example #9
Source File: nrpc.py From PiBunny with MIT License | 5 votes |
def ComputeSessionKeyAES(sharedSecret, clientChallenge, serverChallenge, sharedSecretHash = None): # added the ability to receive hashes already if sharedSecretHash is None: M4SS = ntlm.NTOWFv1(sharedSecret) else: M4SS = sharedSecretHash hm = hmac.new(key=M4SS, digestmod=hashlib.sha256) hm.update(clientChallenge) hm.update(serverChallenge) sessionKey = hm.digest() return sessionKey[:16] # 3.1.4.3.2 Strong-key Session-Key
Example #10
Source File: test_samr.py From PiBunny with MIT License | 5 votes |
def test_SamrOemChangePasswordUser2(self): dce, rpctransport, domainHandle = self.connect() # As you can guess by now, target machine must have the Administrator account with password admin # NOTE: It's giving me WRONG_PASSWORD 'cause the target test server doesn't hold LM Hashes # further testing is needed to verify this call works oldPwd = 'admin' oldPwdHashLM = ntlm.LMOWFv1(oldPwd) newPwd = 'ADMIN' newPwdHashNT = ntlm.NTOWFv1(newPwd) newPwdHashLM = ntlm.LMOWFv1(newPwd) try: from Crypto.Cipher import ARC4 except Exception: print "Warning: You don't have any crypto installed. You need PyCrypto" print "See http://www.pycrypto.org/" from impacket import crypto request = samr.SamrOemChangePasswordUser2() request['ServerName'] = '' request['UserName'] = 'Administrator' samUser = samr.SAMPR_USER_PASSWORD() samUser['Buffer'] = 'A'*(512-len(newPwd)) + newPwd samUser['Length'] = len(newPwd) pwdBuff = str(samUser) rc4 = ARC4.new(oldPwdHashLM) encBuf = rc4.encrypt(pwdBuff) request['NewPasswordEncryptedWithOldLm']['Buffer'] = encBuf request['OldLmOwfPasswordEncryptedWithNewLm'] = crypto.SamEncryptNTLMHash(oldPwdHashLM, newPwdHashLM) try: resp = dce.request(request) resp.dump() except Exception, e: if str(e).find('STATUS_WRONG_PASSWORD') < 0: raise
Example #11
Source File: test_samr.py From PiBunny with MIT License | 5 votes |
def test_SamrChangePasswordUser(self): dce, rpctransport, domainHandle = self.connect() request = samr.SamrCreateUser2InDomain() request['DomainHandle'] = domainHandle request['Name'] = 'testAccount' request['AccountType'] = samr.USER_NORMAL_ACCOUNT request['DesiredAccess'] = dtypes.MAXIMUM_ALLOWED | samr.USER_READ_GENERAL | samr.DELETE #request.dump() resp0 = dce.request(request) resp0.dump() oldPwd = '' oldPwdHashNT = ntlm.NTOWFv1(oldPwd) newPwd = 'ADMIN' newPwdHashNT = ntlm.NTOWFv1(newPwd) newPwdHashLM = ntlm.LMOWFv1(newPwd) from impacket import crypto request = samr.SamrChangePasswordUser() request['UserHandle'] = resp0['UserHandle'] request['LmPresent'] = 0 request['OldLmEncryptedWithNewLm'] = NULL request['NewLmEncryptedWithOldLm'] = NULL request['NtPresent'] = 1 request['OldNtEncryptedWithNewNt'] = crypto.SamEncryptNTLMHash(oldPwdHashNT, newPwdHashNT) request['NewNtEncryptedWithOldNt'] = crypto.SamEncryptNTLMHash(newPwdHashNT, oldPwdHashNT) request['NtCrossEncryptionPresent'] = 0 request['NewNtEncryptedWithNewLm'] = NULL request['LmCrossEncryptionPresent'] = 1 request['NewLmEncryptedWithNewNt'] = crypto.SamEncryptNTLMHash(newPwdHashLM, newPwdHashNT) resp = dce.request(request) resp.dump() # Delete the temp user request = samr.SamrDeleteUser() request['UserHandle'] = resp0['UserHandle'] resp = dce.request(request) resp.dump()
Example #12
Source File: raiseChild.py From PiBunny with MIT License | 5 votes |
def __decryptHash(self, record, prefixTable=None): logging.debug('Decrypting hash for user: %s' % record['pmsgOut']['V6']['pNC']['StringName'][:-1]) rid = 0 LMHash = None NTHash = None for attr in record['pmsgOut']['V6']['pObjects']['Entinf']['AttrBlock']['pAttr']: try: attId = drsuapi.OidFromAttid(prefixTable, attr['attrTyp']) LOOKUP_TABLE = self.ATTRTYP_TO_ATTID except Exception, e: logging.debug('Failed to execute OidFromAttid with error %s, fallbacking to fixed table' % e) # Fallbacking to fixed table and hope for the best attId = attr['attrTyp'] LOOKUP_TABLE = self.NAME_TO_ATTRTYP if attId == LOOKUP_TABLE['dBCSPwd']: if attr['AttrVal']['valCount'] > 0: encrypteddBCSPwd = ''.join(attr['AttrVal']['pAVal'][0]['pVal']) encryptedLMHash = drsuapi.DecryptAttributeValue(self.__drsr, encrypteddBCSPwd) else: LMHash = LMOWFv1('', '') elif attId == LOOKUP_TABLE['unicodePwd']: if attr['AttrVal']['valCount'] > 0: encryptedUnicodePwd = ''.join(attr['AttrVal']['pAVal'][0]['pVal']) encryptedNTHash = drsuapi.DecryptAttributeValue(self.__drsr, encryptedUnicodePwd) else: NTHash = NTOWFv1('', '') elif attId == LOOKUP_TABLE['objectSid']: if attr['AttrVal']['valCount'] > 0: objectSid = ''.join(attr['AttrVal']['pAVal'][0]['pVal']) rid = unpack('<L', objectSid[-4:])[0] else: raise Exception('Cannot get objectSid for %s' % record['pmsgOut']['V6']['pNC']['StringName'][:-1])
Example #13
Source File: nrpc.py From Slackor with GNU General Public License v3.0 | 5 votes |
def ComputeSessionKeyAES(sharedSecret, clientChallenge, serverChallenge, sharedSecretHash = None): # added the ability to receive hashes already if sharedSecretHash is None: M4SS = ntlm.NTOWFv1(sharedSecret) else: M4SS = sharedSecretHash hm = hmac.new(key=M4SS, digestmod=hashlib.sha256) hm.update(clientChallenge) hm.update(serverChallenge) sessionKey = hm.digest() return sessionKey[:16] # 3.1.4.3.2 Strong-key Session-Key
Example #14
Source File: raiseChild.py From Slackor with GNU General Public License v3.0 | 5 votes |
def __decryptHash(self, record, prefixTable=None): logging.debug('Decrypting hash for user: %s' % record['pmsgOut']['V6']['pNC']['StringName'][:-1]) rid = 0 LMHash = None NTHash = None for attr in record['pmsgOut']['V6']['pObjects']['Entinf']['AttrBlock']['pAttr']: try: attId = drsuapi.OidFromAttid(prefixTable, attr['attrTyp']) LOOKUP_TABLE = self.ATTRTYP_TO_ATTID except Exception as e: logging.debug('Failed to execute OidFromAttid with error %s, fallbacking to fixed table' % e) # Fallbacking to fixed table and hope for the best attId = attr['attrTyp'] LOOKUP_TABLE = self.NAME_TO_ATTRTYP if attId == LOOKUP_TABLE['dBCSPwd']: if attr['AttrVal']['valCount'] > 0: encrypteddBCSPwd = ''.join(attr['AttrVal']['pAVal'][0]['pVal']) encryptedLMHash = drsuapi.DecryptAttributeValue(self.__drsr, encrypteddBCSPwd) else: LMHash = LMOWFv1('', '') elif attId == LOOKUP_TABLE['unicodePwd']: if attr['AttrVal']['valCount'] > 0: encryptedUnicodePwd = b''.join(attr['AttrVal']['pAVal'][0]['pVal']) encryptedNTHash = drsuapi.DecryptAttributeValue(self.__drsr, encryptedUnicodePwd) else: NTHash = NTOWFv1('', '') elif attId == LOOKUP_TABLE['objectSid']: if attr['AttrVal']['valCount'] > 0: objectSid = b''.join(attr['AttrVal']['pAVal'][0]['pVal']) rid = unpack('<L', objectSid[-4:])[0] else: raise Exception('Cannot get objectSid for %s' % record['pmsgOut']['V6']['pNC']['StringName'][:-1]) if LMHash is None: LMHash = drsuapi.removeDESLayer(encryptedLMHash, rid) if NTHash is None: NTHash = drsuapi.removeDESLayer(encryptedNTHash, rid) return rid, hexlify(LMHash), hexlify(NTHash)
Example #15
Source File: nrpc.py From cracke-dit with MIT License | 5 votes |
def ComputeSessionKeyAES(sharedSecret, clientChallenge, serverChallenge, sharedSecretHash = None): # added the ability to receive hashes already if sharedSecretHash is None: M4SS = ntlm.NTOWFv1(sharedSecret) else: M4SS = sharedSecretHash hm = hmac.new(key=M4SS, digestmod=hashlib.sha256) hm.update(clientChallenge) hm.update(serverChallenge) sessionKey = hm.digest() return sessionKey[:16] # 3.1.4.3.2 Strong-key Session-Key
Example #16
Source File: test_nrpc.py From cracke-dit with MIT License | 5 votes |
def test_NetrLogonSamLogonEx(self): dce, rpctransport = self.connect() request = nrpc.NetrLogonSamLogonEx() request['LogonServer'] = '\x00' request['ComputerName'] = self.serverName + '\x00' request['LogonLevel'] = nrpc.NETLOGON_LOGON_INFO_CLASS.NetlogonInteractiveInformation request['LogonInformation']['tag'] = nrpc.NETLOGON_LOGON_INFO_CLASS.NetlogonInteractiveInformation request['LogonInformation']['LogonInteractive']['Identity']['LogonDomainName'] = self.domain request['LogonInformation']['LogonInteractive']['Identity']['ParameterControl'] = 2 + 2**14 + 2**7 + 2**9 + 2**5 + 2**11 request['LogonInformation']['LogonInteractive']['Identity']['UserName'] = self.username request['LogonInformation']['LogonInteractive']['Identity']['Workstation'] = '' if len(self.hashes) > 0: lmhash, nthash = self.hashes.split(':') lmhash = unhexlify(lmhash) nthash = unhexlify(nthash) else: lmhash = ntlm.LMOWFv1(self.password) nthash = ntlm.NTOWFv1(self.password) try: from Crypto.Cipher import ARC4 except Exception: print "Warning: You don't have any crypto installed. You need PyCrypto" print "See http://www.pycrypto.org/" rc4 = ARC4.new(self.sessionKey) lmhash = rc4.encrypt(lmhash) rc4 = ARC4.new(self.sessionKey) nthash = rc4.encrypt(nthash) request['LogonInformation']['LogonInteractive']['LmOwfPassword'] = lmhash request['LogonInformation']['LogonInteractive']['NtOwfPassword'] = nthash request['ValidationLevel'] = nrpc.NETLOGON_VALIDATION_INFO_CLASS.NetlogonValidationSamInfo4 request['ExtraFlags'] = 1 resp = dce.request(request) resp.dump()
Example #17
Source File: test_samr.py From cracke-dit with MIT License | 5 votes |
def test_SamrOemChangePasswordUser2(self): dce, rpctransport, domainHandle = self.connect() # As you can guess by now, target machine must have the Administrator account with password admin # NOTE: It's giving me WRONG_PASSWORD 'cause the target test server doesn't hold LM Hashes # further testing is needed to verify this call works oldPwd = 'admin' oldPwdHashLM = ntlm.LMOWFv1(oldPwd) newPwd = 'ADMIN' newPwdHashNT = ntlm.NTOWFv1(newPwd) newPwdHashLM = ntlm.LMOWFv1(newPwd) try: from Crypto.Cipher import ARC4 except Exception: print "Warning: You don't have any crypto installed. You need PyCrypto" print "See http://www.pycrypto.org/" from impacket import crypto request = samr.SamrOemChangePasswordUser2() request['ServerName'] = '' request['UserName'] = 'Administrator' samUser = samr.SAMPR_USER_PASSWORD() samUser['Buffer'] = 'A'*(512-len(newPwd)) + newPwd samUser['Length'] = len(newPwd) pwdBuff = str(samUser) rc4 = ARC4.new(oldPwdHashLM) encBuf = rc4.encrypt(pwdBuff) request['NewPasswordEncryptedWithOldLm']['Buffer'] = encBuf request['OldLmOwfPasswordEncryptedWithNewLm'] = crypto.SamEncryptNTLMHash(oldPwdHashLM, newPwdHashLM) try: resp = dce.request(request) resp.dump() except Exception, e: if str(e).find('STATUS_WRONG_PASSWORD') < 0: raise
Example #18
Source File: test_samr.py From CVE-2017-7494 with GNU General Public License v3.0 | 5 votes |
def test_SamrOemChangePasswordUser2(self): dce, rpctransport, domainHandle = self.connect() # As you can guess by now, target machine must have the Administrator account with password admin # NOTE: It's giving me WRONG_PASSWORD 'cause the target test server doesn't hold LM Hashes # further testing is needed to verify this call works oldPwd = 'admin' oldPwdHashLM = ntlm.LMOWFv1(oldPwd) newPwd = 'ADMIN' newPwdHashNT = ntlm.NTOWFv1(newPwd) newPwdHashLM = ntlm.LMOWFv1(newPwd) try: from Crypto.Cipher import ARC4 except Exception: print "Warning: You don't have any crypto installed. You need PyCrypto" print "See http://www.pycrypto.org/" from impacket import crypto request = samr.SamrOemChangePasswordUser2() request['ServerName'] = '' request['UserName'] = 'Administrator' samUser = samr.SAMPR_USER_PASSWORD() samUser['Buffer'] = 'A'*(512-len(newPwd)) + newPwd samUser['Length'] = len(newPwd) pwdBuff = str(samUser) rc4 = ARC4.new(oldPwdHashLM) encBuf = rc4.encrypt(pwdBuff) request['NewPasswordEncryptedWithOldLm']['Buffer'] = encBuf request['OldLmOwfPasswordEncryptedWithNewLm'] = crypto.SamEncryptNTLMHash(oldPwdHashLM, newPwdHashLM) try: resp = dce.request(request) resp.dump() except Exception, e: if str(e).find('STATUS_WRONG_PASSWORD') < 0: raise
Example #19
Source File: test_samr.py From cracke-dit with MIT License | 5 votes |
def test_SamrChangePasswordUser(self): dce, rpctransport, domainHandle = self.connect() request = samr.SamrCreateUser2InDomain() request['DomainHandle'] = domainHandle request['Name'] = 'testAccount' request['AccountType'] = samr.USER_NORMAL_ACCOUNT request['DesiredAccess'] = dtypes.MAXIMUM_ALLOWED | samr.USER_READ_GENERAL | samr.DELETE #request.dump() resp0 = dce.request(request) resp0.dump() oldPwd = '' oldPwdHashNT = ntlm.NTOWFv1(oldPwd) newPwd = 'ADMIN' newPwdHashNT = ntlm.NTOWFv1(newPwd) newPwdHashLM = ntlm.LMOWFv1(newPwd) from impacket import crypto request = samr.SamrChangePasswordUser() request['UserHandle'] = resp0['UserHandle'] request['LmPresent'] = 0 request['OldLmEncryptedWithNewLm'] = NULL request['NewLmEncryptedWithOldLm'] = NULL request['NtPresent'] = 1 request['OldNtEncryptedWithNewNt'] = crypto.SamEncryptNTLMHash(oldPwdHashNT, newPwdHashNT) request['NewNtEncryptedWithOldNt'] = crypto.SamEncryptNTLMHash(newPwdHashNT, oldPwdHashNT) request['NtCrossEncryptionPresent'] = 0 request['NewNtEncryptedWithNewLm'] = NULL request['LmCrossEncryptionPresent'] = 1 request['NewLmEncryptedWithNewNt'] = crypto.SamEncryptNTLMHash(newPwdHashLM, newPwdHashNT) resp = dce.request(request) resp.dump() # Delete the temp user request = samr.SamrDeleteUser() request['UserHandle'] = resp0['UserHandle'] resp = dce.request(request) resp.dump()
Example #20
Source File: nrpc.py From CVE-2017-7494 with GNU General Public License v3.0 | 5 votes |
def ComputeSessionKeyAES(sharedSecret, clientChallenge, serverChallenge, sharedSecretHash = None): # added the ability to receive hashes already if sharedSecretHash is None: M4SS = ntlm.NTOWFv1(sharedSecret) else: M4SS = sharedSecretHash hm = hmac.new(key=M4SS, digestmod=hashlib.sha256) hm.update(clientChallenge) hm.update(serverChallenge) sessionKey = hm.digest() return sessionKey[:16] # 3.1.4.3.2 Strong-key Session-Key
Example #21
Source File: test_nrpc.py From CVE-2017-7494 with GNU General Public License v3.0 | 5 votes |
def test_NetrLogonSamLogonEx(self): dce, rpctransport = self.connect() request = nrpc.NetrLogonSamLogonEx() request['LogonServer'] = '\x00' request['ComputerName'] = self.serverName + '\x00' request['LogonLevel'] = nrpc.NETLOGON_LOGON_INFO_CLASS.NetlogonInteractiveInformation request['LogonInformation']['tag'] = nrpc.NETLOGON_LOGON_INFO_CLASS.NetlogonInteractiveInformation request['LogonInformation']['LogonInteractive']['Identity']['LogonDomainName'] = self.domain request['LogonInformation']['LogonInteractive']['Identity']['ParameterControl'] = 2 + 2**14 + 2**7 + 2**9 + 2**5 + 2**11 request['LogonInformation']['LogonInteractive']['Identity']['UserName'] = self.username request['LogonInformation']['LogonInteractive']['Identity']['Workstation'] = '' if len(self.hashes) > 0: lmhash, nthash = self.hashes.split(':') lmhash = unhexlify(lmhash) nthash = unhexlify(nthash) else: lmhash = ntlm.LMOWFv1(self.password) nthash = ntlm.NTOWFv1(self.password) try: from Crypto.Cipher import ARC4 except Exception: print "Warning: You don't have any crypto installed. You need PyCrypto" print "See http://www.pycrypto.org/" rc4 = ARC4.new(self.sessionKey) lmhash = rc4.encrypt(lmhash) rc4 = ARC4.new(self.sessionKey) nthash = rc4.encrypt(nthash) request['LogonInformation']['LogonInteractive']['LmOwfPassword'] = lmhash request['LogonInformation']['LogonInteractive']['NtOwfPassword'] = nthash request['ValidationLevel'] = nrpc.NETLOGON_VALIDATION_INFO_CLASS.NetlogonValidationSamInfo4 request['ExtraFlags'] = 1 resp = dce.request(request) resp.dump()
Example #22
Source File: secretsdump.py From CVE-2017-7494 with GNU General Public License v3.0 | 4 votes |
def dump(self): NTPASSWORD = "NTPASSWORD\0" LMPASSWORD = "LMPASSWORD\0" if self.__samFile is None: # No SAM file provided return LOG.info('Dumping local SAM hashes (uid:rid:lmhash:nthash)') self.getHBootKey() usersKey = 'SAM\\Domains\\Account\\Users' # Enumerate all the RIDs rids = self.enumKey(usersKey) # Remove the Names item try: rids.remove('Names') except: pass for rid in rids: userAccount = USER_ACCOUNT_V(self.getValue(ntpath.join(usersKey,rid,'V'))[1]) rid = int(rid,16) V = userAccount['Data'] userName = V[userAccount['NameOffset']:userAccount['NameOffset']+userAccount['NameLength']].decode('utf-16le') if userAccount['LMHashLength'] == 20: encLMHash = V[userAccount['LMHashOffset']+4:userAccount['LMHashOffset']+userAccount['LMHashLength']] else: encLMHash = '' if userAccount['NTHashLength'] == 20: encNTHash = V[userAccount['NTHashOffset']+4:userAccount['NTHashOffset']+userAccount['NTHashLength']] else: encNTHash = '' lmHash = self.__decryptHash(rid, encLMHash, LMPASSWORD) ntHash = self.__decryptHash(rid, encNTHash, NTPASSWORD) if lmHash == '': lmHash = ntlm.LMOWFv1('','') if ntHash == '': ntHash = ntlm.NTOWFv1('','') answer = "%s:%d:%s:%s:::" % (userName, rid, hexlify(lmHash), hexlify(ntHash)) self.__itemsFound[rid] = answer self.__perSecretCallback(answer)
Example #23
Source File: test_nrpc.py From cracke-dit with MIT License | 4 votes |
def test_NetrLogonSamLogon(self): dce, rpctransport = self.connect() request = nrpc.NetrLogonSamLogon() request['LogonServer'] = '\x00' request['ComputerName'] = self.serverName + '\x00' request['LogonLevel'] = nrpc.NETLOGON_LOGON_INFO_CLASS.NetlogonInteractiveInformation request['LogonInformation']['tag'] = nrpc.NETLOGON_LOGON_INFO_CLASS.NetlogonInteractiveInformation request['LogonInformation']['LogonInteractive']['Identity']['LogonDomainName'] = self.domain request['LogonInformation']['LogonInteractive']['Identity']['ParameterControl'] = 2 request['LogonInformation']['LogonInteractive']['Identity']['UserName'] = self.username request['LogonInformation']['LogonInteractive']['Identity']['Workstation'] = '' if len(self.hashes) > 0: lmhash, nthash = self.hashes.split(':') lmhash = unhexlify(lmhash) nthash = unhexlify(nthash) else: lmhash = ntlm.LMOWFv1(self.password) nthash = ntlm.NTOWFv1(self.password) try: from Crypto.Cipher import ARC4 except Exception: print "Warning: You don't have any crypto installed. You need PyCrypto" print "See http://www.pycrypto.org/" rc4 = ARC4.new(self.sessionKey) lmhash = rc4.encrypt(lmhash) rc4 = ARC4.new(self.sessionKey) nthash = rc4.encrypt(nthash) request['LogonInformation']['LogonInteractive']['LmOwfPassword'] = lmhash request['LogonInformation']['LogonInteractive']['NtOwfPassword'] = nthash request['ValidationLevel'] = nrpc.NETLOGON_VALIDATION_INFO_CLASS.NetlogonValidationSamInfo2 request['Authenticator'] = self.update_authenticator() request['ReturnAuthenticator']['Credential'] = '\x00'*8 request['ReturnAuthenticator']['Timestamp'] = 0 try: resp = dce.request(request) resp.dump() except Exception, e: if str(e).find('STATUS_NO_SUCH_USER') < 0: raise
Example #24
Source File: samr.py From PiBunny with MIT License | 4 votes |
def hSamrUnicodeChangePasswordUser2(dce, serverName='\x00', userName='', oldPassword='', newPassword='', oldPwdHashLM = '', oldPwdHashNT = ''): request = SamrUnicodeChangePasswordUser2() request['ServerName'] = serverName request['UserName'] = userName try: from Crypto.Cipher import ARC4 except Exception: LOG.critical("Warning: You don't have any crypto installed. You need PyCrypto") LOG.critical("See http://www.pycrypto.org/") from impacket import crypto, ntlm if oldPwdHashLM == '' and oldPwdHashNT == '': oldPwdHashLM = ntlm.LMOWFv1(oldPassword) oldPwdHashNT = ntlm.NTOWFv1(oldPassword) else: # Let's convert the hashes to binary form, if not yet try: oldPwdHashLM = unhexlify(oldPwdHashLM) except: pass try: oldPwdHashNT = unhexlify(oldPwdHashNT) except: pass newPwdHashNT = ntlm.NTOWFv1(newPassword) newPwdHashLM = ntlm.LMOWFv1(newPassword) samUser = SAMPR_USER_PASSWORD() try: samUser['Buffer'] = 'A'*(512-len(newPassword)*2) + newPassword.encode('utf-16le') except UnicodeDecodeError: import sys samUser['Buffer'] = 'A'*(512-len(newPassword)*2) + newPassword.decode(sys.getfilesystemencoding()).encode('utf-16le') samUser['Length'] = len(newPassword)*2 pwdBuff = str(samUser) rc4 = ARC4.new(oldPwdHashNT) encBuf = rc4.encrypt(pwdBuff) request['NewPasswordEncryptedWithOldNt']['Buffer'] = encBuf request['OldNtOwfPasswordEncryptedWithNewNt'] = crypto.SamEncryptNTLMHash(oldPwdHashNT, newPwdHashNT) request['LmPresent'] = 0 request['NewPasswordEncryptedWithOldLm'] = NULL request['OldLmOwfPasswordEncryptedWithNewNt'] = NULL return dce.request(request)
Example #25
Source File: test_nrpc.py From PiBunny with MIT License | 4 votes |
def test_NetrLogonSamLogon(self): dce, rpctransport = self.connect() request = nrpc.NetrLogonSamLogon() request['LogonServer'] = '\x00' request['ComputerName'] = self.serverName + '\x00' request['LogonLevel'] = nrpc.NETLOGON_LOGON_INFO_CLASS.NetlogonInteractiveInformation request['LogonInformation']['tag'] = nrpc.NETLOGON_LOGON_INFO_CLASS.NetlogonInteractiveInformation request['LogonInformation']['LogonInteractive']['Identity']['LogonDomainName'] = self.domain request['LogonInformation']['LogonInteractive']['Identity']['ParameterControl'] = 2 request['LogonInformation']['LogonInteractive']['Identity']['UserName'] = self.username request['LogonInformation']['LogonInteractive']['Identity']['Workstation'] = '' if len(self.hashes) > 0: lmhash, nthash = self.hashes.split(':') lmhash = unhexlify(lmhash) nthash = unhexlify(nthash) else: lmhash = ntlm.LMOWFv1(self.password) nthash = ntlm.NTOWFv1(self.password) try: from Crypto.Cipher import ARC4 except Exception: print "Warning: You don't have any crypto installed. You need PyCrypto" print "See http://www.pycrypto.org/" rc4 = ARC4.new(self.sessionKey) lmhash = rc4.encrypt(lmhash) rc4 = ARC4.new(self.sessionKey) nthash = rc4.encrypt(nthash) request['LogonInformation']['LogonInteractive']['LmOwfPassword'] = lmhash request['LogonInformation']['LogonInteractive']['NtOwfPassword'] = nthash request['ValidationLevel'] = nrpc.NETLOGON_VALIDATION_INFO_CLASS.NetlogonValidationSamInfo2 request['Authenticator'] = self.update_authenticator() request['ReturnAuthenticator']['Credential'] = '\x00'*8 request['ReturnAuthenticator']['Timestamp'] = 0 try: resp = dce.request(request) resp.dump() except Exception, e: if str(e).find('STATUS_NO_SUCH_USER') < 0: raise
Example #26
Source File: test_nrpc.py From PiBunny with MIT License | 4 votes |
def test_NetrLogonSamLogonWithFlags(self): dce, rpctransport = self.connect() request = nrpc.NetrLogonSamLogonWithFlags() request['LogonServer'] = '\x00' request['ComputerName'] = self.serverName + '\x00' request['LogonLevel'] = nrpc.NETLOGON_LOGON_INFO_CLASS.NetlogonInteractiveInformation request['LogonInformation']['tag'] = nrpc.NETLOGON_LOGON_INFO_CLASS.NetlogonInteractiveInformation request['LogonInformation']['LogonInteractive']['Identity']['LogonDomainName'] = self.domain request['LogonInformation']['LogonInteractive']['Identity']['ParameterControl'] = 2 + 2**14 + 2**7 + 2**9 + 2**5 + 2**11 request['LogonInformation']['LogonInteractive']['Identity']['UserName'] = self.username request['LogonInformation']['LogonInteractive']['Identity']['Workstation'] = '' if len(self.hashes) > 0: lmhash, nthash = self.hashes.split(':') lmhash = unhexlify(lmhash) nthash = unhexlify(nthash) else: lmhash = ntlm.LMOWFv1(self.password) nthash = ntlm.NTOWFv1(self.password) try: from Crypto.Cipher import ARC4 except Exception: print "Warning: You don't have any crypto installed. You need PyCrypto" print "See http://www.pycrypto.org/" rc4 = ARC4.new(self.sessionKey) lmhash = rc4.encrypt(lmhash) rc4 = ARC4.new(self.sessionKey) nthash = rc4.encrypt(nthash) request['LogonInformation']['LogonInteractive']['LmOwfPassword'] = lmhash request['LogonInformation']['LogonInteractive']['NtOwfPassword'] = nthash request['ValidationLevel'] = nrpc.NETLOGON_VALIDATION_INFO_CLASS.NetlogonValidationSamInfo4 request['Authenticator'] = self.update_authenticator() request['ReturnAuthenticator']['Credential'] = '\x00'*8 request['ReturnAuthenticator']['Timestamp'] = 0 request['ExtraFlags'] = 0 try: resp = dce.request(request) resp.dump() except Exception, e: if str(e).find('STATUS_NO_SUCH_USER') < 0: raise
Example #27
Source File: test_samr.py From PiBunny with MIT License | 4 votes |
def test_hSamrUnicodeChangePasswordUser2(self): dce, rpctransport, domainHandle = self.connect() request = samr.SamrCreateUser2InDomain() request['DomainHandle'] = domainHandle request['Name'] = 'testAccount' request['AccountType'] = samr.USER_NORMAL_ACCOUNT request['DesiredAccess'] = dtypes.MAXIMUM_ALLOWED | samr.USER_READ_GENERAL | samr.DELETE #request.dump() resp0 = dce.request(request) resp0.dump() oldPwd = '' oldPwdHashNT = ntlm.NTOWFv1(oldPwd) newPwd = 'ADMIN' newPwdHashNT = ntlm.NTOWFv1(newPwd) newPwdHashLM = ntlm.LMOWFv1(newPwd) from impacket import crypto request = samr.SamrChangePasswordUser() request['UserHandle'] = resp0['UserHandle'] request['LmPresent'] = 0 request['OldLmEncryptedWithNewLm'] = NULL request['NewLmEncryptedWithOldLm'] = NULL request['NtPresent'] = 1 request['OldNtEncryptedWithNewNt'] = crypto.SamEncryptNTLMHash(oldPwdHashNT, newPwdHashNT) request['NewNtEncryptedWithOldNt'] = crypto.SamEncryptNTLMHash(newPwdHashNT, oldPwdHashNT) request['NtCrossEncryptionPresent'] = 0 request['NewNtEncryptedWithNewLm'] = NULL request['LmCrossEncryptionPresent'] = 1 request['NewLmEncryptedWithNewNt'] = crypto.SamEncryptNTLMHash(newPwdHashLM, newPwdHashNT) resp = dce.request(request) resp.dump() try: resp = samr.hSamrUnicodeChangePasswordUser2(dce, '', 'testAccount', 'ADMIN', 'betus') resp.dump() except Exception, e: if str(e).find('STATUS_PASSWORD_RESTRICTION') < 0: raise # Delete the temp user
Example #28
Source File: test_samr.py From CVE-2017-7494 with GNU General Public License v3.0 | 4 votes |
def test_hSamrUnicodeChangePasswordUser2(self): dce, rpctransport, domainHandle = self.connect() request = samr.SamrCreateUser2InDomain() request['DomainHandle'] = domainHandle request['Name'] = 'testAccount' request['AccountType'] = samr.USER_NORMAL_ACCOUNT request['DesiredAccess'] = dtypes.MAXIMUM_ALLOWED | samr.USER_READ_GENERAL | samr.DELETE #request.dump() resp0 = dce.request(request) resp0.dump() oldPwd = '' oldPwdHashNT = ntlm.NTOWFv1(oldPwd) newPwd = 'ADMIN' newPwdHashNT = ntlm.NTOWFv1(newPwd) newPwdHashLM = ntlm.LMOWFv1(newPwd) from impacket import crypto request = samr.SamrChangePasswordUser() request['UserHandle'] = resp0['UserHandle'] request['LmPresent'] = 0 request['OldLmEncryptedWithNewLm'] = NULL request['NewLmEncryptedWithOldLm'] = NULL request['NtPresent'] = 1 request['OldNtEncryptedWithNewNt'] = crypto.SamEncryptNTLMHash(oldPwdHashNT, newPwdHashNT) request['NewNtEncryptedWithOldNt'] = crypto.SamEncryptNTLMHash(newPwdHashNT, oldPwdHashNT) request['NtCrossEncryptionPresent'] = 0 request['NewNtEncryptedWithNewLm'] = NULL request['LmCrossEncryptionPresent'] = 1 request['NewLmEncryptedWithNewNt'] = crypto.SamEncryptNTLMHash(newPwdHashLM, newPwdHashNT) resp = dce.request(request) resp.dump() try: resp = samr.hSamrUnicodeChangePasswordUser2(dce, '', 'testAccount', 'ADMIN', 'betus') resp.dump() except Exception, e: if str(e).find('STATUS_PASSWORD_RESTRICTION') < 0: raise # Delete the temp user
Example #29
Source File: secretsdump.py From PiBunny with MIT License | 4 votes |
def dump(self): NTPASSWORD = "NTPASSWORD\0" LMPASSWORD = "LMPASSWORD\0" if self.__samFile is None: # No SAM file provided return LOG.info('Dumping local SAM hashes (uid:rid:lmhash:nthash)') self.getHBootKey() usersKey = 'SAM\\Domains\\Account\\Users' # Enumerate all the RIDs rids = self.enumKey(usersKey) # Remove the Names item try: rids.remove('Names') except: pass for rid in rids: userAccount = USER_ACCOUNT_V(self.getValue(ntpath.join(usersKey,rid,'V'))[1]) rid = int(rid,16) V = userAccount['Data'] userName = V[userAccount['NameOffset']:userAccount['NameOffset']+userAccount['NameLength']].decode('utf-16le') if userAccount['LMHashLength'] == 20: encLMHash = V[userAccount['LMHashOffset']+4:userAccount['LMHashOffset']+userAccount['LMHashLength']] else: encLMHash = '' if userAccount['NTHashLength'] == 20: encNTHash = V[userAccount['NTHashOffset']+4:userAccount['NTHashOffset']+userAccount['NTHashLength']] else: encNTHash = '' lmHash = self.__decryptHash(rid, encLMHash, LMPASSWORD) ntHash = self.__decryptHash(rid, encNTHash, NTPASSWORD) if lmHash == '': lmHash = ntlm.LMOWFv1('','') if ntHash == '': ntHash = ntlm.NTOWFv1('','') answer = "%s:%d:%s:%s:::" % (userName, rid, hexlify(lmHash), hexlify(ntHash)) self.__itemsFound[rid] = answer self.__perSecretCallback(answer)
Example #30
Source File: test_nrpc.py From CVE-2017-7494 with GNU General Public License v3.0 | 4 votes |
def test_NetrLogonSamLogon(self): dce, rpctransport = self.connect() request = nrpc.NetrLogonSamLogon() request['LogonServer'] = '\x00' request['ComputerName'] = self.serverName + '\x00' request['LogonLevel'] = nrpc.NETLOGON_LOGON_INFO_CLASS.NetlogonInteractiveInformation request['LogonInformation']['tag'] = nrpc.NETLOGON_LOGON_INFO_CLASS.NetlogonInteractiveInformation request['LogonInformation']['LogonInteractive']['Identity']['LogonDomainName'] = self.domain request['LogonInformation']['LogonInteractive']['Identity']['ParameterControl'] = 2 request['LogonInformation']['LogonInteractive']['Identity']['UserName'] = self.username request['LogonInformation']['LogonInteractive']['Identity']['Workstation'] = '' if len(self.hashes) > 0: lmhash, nthash = self.hashes.split(':') lmhash = unhexlify(lmhash) nthash = unhexlify(nthash) else: lmhash = ntlm.LMOWFv1(self.password) nthash = ntlm.NTOWFv1(self.password) try: from Crypto.Cipher import ARC4 except Exception: print "Warning: You don't have any crypto installed. You need PyCrypto" print "See http://www.pycrypto.org/" rc4 = ARC4.new(self.sessionKey) lmhash = rc4.encrypt(lmhash) rc4 = ARC4.new(self.sessionKey) nthash = rc4.encrypt(nthash) request['LogonInformation']['LogonInteractive']['LmOwfPassword'] = lmhash request['LogonInformation']['LogonInteractive']['NtOwfPassword'] = nthash request['ValidationLevel'] = nrpc.NETLOGON_VALIDATION_INFO_CLASS.NetlogonValidationSamInfo2 request['Authenticator'] = self.update_authenticator() request['ReturnAuthenticator']['Credential'] = '\x00'*8 request['ReturnAuthenticator']['Timestamp'] = 0 try: resp = dce.request(request) resp.dump() except Exception, e: if str(e).find('STATUS_NO_SUCH_USER') < 0: raise