Python impacket.ntlm.LMOWFv1() Examples
The following are 30
code examples of impacket.ntlm.LMOWFv1().
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example.
You may also want to check out all available functions/classes of the module
impacket.ntlm
, or try the search function
.
.
Example #1
| Source File: samr.py From Slackor with GNU General Public License v3.0 | 6 votes |
|
def hSamrChangePasswordUser(dce, userHandle, oldPassword, newPassword):
request = SamrChangePasswordUser()
request['UserHandle'] = userHandle
from impacket import crypto, ntlm
oldPwdHashNT = ntlm.NTOWFv1(oldPassword)
newPwdHashNT = ntlm.NTOWFv1(newPassword)
newPwdHashLM = ntlm.LMOWFv1(newPassword)
request['LmPresent'] = 0
request['OldLmEncryptedWithNewLm'] = NULL
request['NewLmEncryptedWithOldLm'] = NULL
request['NtPresent'] = 1
request['OldNtEncryptedWithNewNt'] = crypto.SamEncryptNTLMHash(oldPwdHashNT, newPwdHashNT)
request['NewNtEncryptedWithOldNt'] = crypto.SamEncryptNTLMHash(newPwdHashNT, oldPwdHashNT)
request['NtCrossEncryptionPresent'] = 0
request['NewNtEncryptedWithNewLm'] = NULL
request['LmCrossEncryptionPresent'] = 1
request['NewLmEncryptedWithNewNt'] = crypto.SamEncryptNTLMHash(newPwdHashLM, newPwdHashNT)
return dce.request(request)
Example #2
| Source File: samr.py From PiBunny with MIT License | 6 votes |
|
def hSamrChangePasswordUser(dce, userHandle, oldPassword, newPassword):
request = SamrChangePasswordUser()
request['UserHandle'] = userHandle
from impacket import crypto, ntlm
oldPwdHashNT = ntlm.NTOWFv1(oldPassword)
newPwdHashNT = ntlm.NTOWFv1(newPassword)
newPwdHashLM = ntlm.LMOWFv1(newPassword)
request['LmPresent'] = 0
request['OldLmEncryptedWithNewLm'] = NULL
request['NewLmEncryptedWithOldLm'] = NULL
request['NtPresent'] = 1
request['OldNtEncryptedWithNewNt'] = crypto.SamEncryptNTLMHash(oldPwdHashNT, newPwdHashNT)
request['NewNtEncryptedWithOldNt'] = crypto.SamEncryptNTLMHash(newPwdHashNT, oldPwdHashNT)
request['NtCrossEncryptionPresent'] = 0
request['NewNtEncryptedWithNewLm'] = NULL
request['LmCrossEncryptionPresent'] = 1
request['NewLmEncryptedWithNewNt'] = crypto.SamEncryptNTLMHash(newPwdHashLM, newPwdHashNT)
return dce.request(request)
Example #3
| Source File: samr.py From CVE-2017-7494 with GNU General Public License v3.0 | 6 votes |
|
def hSamrChangePasswordUser(dce, userHandle, oldPassword, newPassword):
request = SamrChangePasswordUser()
request['UserHandle'] = userHandle
from impacket import crypto, ntlm
oldPwdHashNT = ntlm.NTOWFv1(oldPassword)
newPwdHashNT = ntlm.NTOWFv1(newPassword)
newPwdHashLM = ntlm.LMOWFv1(newPassword)
request['LmPresent'] = 0
request['OldLmEncryptedWithNewLm'] = NULL
request['NewLmEncryptedWithOldLm'] = NULL
request['NtPresent'] = 1
request['OldNtEncryptedWithNewNt'] = crypto.SamEncryptNTLMHash(oldPwdHashNT, newPwdHashNT)
request['NewNtEncryptedWithOldNt'] = crypto.SamEncryptNTLMHash(newPwdHashNT, oldPwdHashNT)
request['NtCrossEncryptionPresent'] = 0
request['NewNtEncryptedWithNewLm'] = NULL
request['LmCrossEncryptionPresent'] = 1
request['NewLmEncryptedWithNewNt'] = crypto.SamEncryptNTLMHash(newPwdHashLM, newPwdHashNT)
return dce.request(request)
Example #4
| Source File: samr.py From cracke-dit with MIT License | 6 votes |
|
def hSamrChangePasswordUser(dce, userHandle, oldPassword, newPassword):
request = SamrChangePasswordUser()
request['UserHandle'] = userHandle
from impacket import crypto, ntlm
oldPwdHashNT = ntlm.NTOWFv1(oldPassword)
newPwdHashNT = ntlm.NTOWFv1(newPassword)
newPwdHashLM = ntlm.LMOWFv1(newPassword)
request['LmPresent'] = 0
request['OldLmEncryptedWithNewLm'] = NULL
request['NewLmEncryptedWithOldLm'] = NULL
request['NtPresent'] = 1
request['OldNtEncryptedWithNewNt'] = crypto.SamEncryptNTLMHash(oldPwdHashNT, newPwdHashNT)
request['NewNtEncryptedWithOldNt'] = crypto.SamEncryptNTLMHash(newPwdHashNT, oldPwdHashNT)
request['NtCrossEncryptionPresent'] = 0
request['NewNtEncryptedWithNewLm'] = NULL
request['LmCrossEncryptionPresent'] = 1
request['NewLmEncryptedWithNewNt'] = crypto.SamEncryptNTLMHash(newPwdHashLM, newPwdHashNT)
return dce.request(request)
Example #5
| Source File: test_samr.py From CVE-2017-7494 with GNU General Public License v3.0 | 5 votes |
|
def test_SamrChangePasswordUser(self):
dce, rpctransport, domainHandle = self.connect()
request = samr.SamrCreateUser2InDomain()
request['DomainHandle'] = domainHandle
request['Name'] = 'testAccount'
request['AccountType'] = samr.USER_NORMAL_ACCOUNT
request['DesiredAccess'] = dtypes.MAXIMUM_ALLOWED | samr.USER_READ_GENERAL | samr.DELETE
#request.dump()
resp0 = dce.request(request)
resp0.dump()
oldPwd = ''
oldPwdHashNT = ntlm.NTOWFv1(oldPwd)
newPwd = 'ADMIN'
newPwdHashNT = ntlm.NTOWFv1(newPwd)
newPwdHashLM = ntlm.LMOWFv1(newPwd)
from impacket import crypto
request = samr.SamrChangePasswordUser()
request['UserHandle'] = resp0['UserHandle']
request['LmPresent'] = 0
request['OldLmEncryptedWithNewLm'] = NULL
request['NewLmEncryptedWithOldLm'] = NULL
request['NtPresent'] = 1
request['OldNtEncryptedWithNewNt'] = crypto.SamEncryptNTLMHash(oldPwdHashNT, newPwdHashNT)
request['NewNtEncryptedWithOldNt'] = crypto.SamEncryptNTLMHash(newPwdHashNT, oldPwdHashNT)
request['NtCrossEncryptionPresent'] = 0
request['NewNtEncryptedWithNewLm'] = NULL
request['LmCrossEncryptionPresent'] = 1
request['NewLmEncryptedWithNewNt'] = crypto.SamEncryptNTLMHash(newPwdHashLM, newPwdHashNT)
resp = dce.request(request)
resp.dump()
# Delete the temp user
request = samr.SamrDeleteUser()
request['UserHandle'] = resp0['UserHandle']
resp = dce.request(request)
resp.dump()
Example #6
| Source File: test_samr.py From Slackor with GNU General Public License v3.0 | 5 votes |
|
def test_SamrOemChangePasswordUser2(self):
dce, rpctransport, domainHandle = self.connect()
# As you can guess by now, target machine must have the Administrator account with password admin
# NOTE: It's giving me WRONG_PASSWORD 'cause the target test server doesn't hold LM Hashes
# further testing is needed to verify this call works
oldPwd = 'admin'
oldPwdHashLM = ntlm.LMOWFv1(oldPwd)
newPwd = 'ADMIN'
newPwdHashLM = ntlm.LMOWFv1(newPwd)
try:
from Cryptodome.Cipher import ARC4
except Exception:
print("Warning: You don't have any crypto installed. You need pycryptodomex")
print("See https://pypi.org/project/pycryptodomex/")
from impacket import crypto
request = samr.SamrOemChangePasswordUser2()
request['ServerName'] = ''
request['UserName'] = 'Administrator'
samUser = samr.SAMPR_USER_PASSWORD()
samUser['Buffer'] = b'A'*(512-len(newPwd)) + b(newPwd)
samUser['Length'] = len(newPwd)
pwdBuff = samUser.getData()
rc4 = ARC4.new(oldPwdHashLM)
encBuf = rc4.encrypt(pwdBuff)
request['NewPasswordEncryptedWithOldLm']['Buffer'] = encBuf
request['OldLmOwfPasswordEncryptedWithNewLm'] = crypto.SamEncryptNTLMHash(oldPwdHashLM, newPwdHashLM)
try:
resp = dce.request(request)
resp.dump()
except Exception as e:
if str(e).find('STATUS_WRONG_PASSWORD') < 0:
raise
Example #7
| Source File: test_samr.py From Slackor with GNU General Public License v3.0 | 5 votes |
|
def test_SamrChangePasswordUser(self):
dce, rpctransport, domainHandle = self.connect()
request = samr.SamrCreateUser2InDomain()
request['DomainHandle'] = domainHandle
request['Name'] = 'testAccount'
request['AccountType'] = samr.USER_NORMAL_ACCOUNT
request['DesiredAccess'] = dtypes.MAXIMUM_ALLOWED | samr.USER_READ_GENERAL | samr.DELETE
#request.dump()
resp0 = dce.request(request)
resp0.dump()
oldPwd = ''
oldPwdHashNT = ntlm.NTOWFv1(oldPwd)
newPwd = 'ADMIN'
newPwdHashNT = ntlm.NTOWFv1(newPwd)
newPwdHashLM = ntlm.LMOWFv1(newPwd)
from impacket import crypto
request = samr.SamrChangePasswordUser()
request['UserHandle'] = resp0['UserHandle']
request['LmPresent'] = 0
request['OldLmEncryptedWithNewLm'] = NULL
request['NewLmEncryptedWithOldLm'] = NULL
request['NtPresent'] = 1
request['OldNtEncryptedWithNewNt'] = crypto.SamEncryptNTLMHash(oldPwdHashNT, newPwdHashNT)
request['NewNtEncryptedWithOldNt'] = crypto.SamEncryptNTLMHash(newPwdHashNT, oldPwdHashNT)
request['NtCrossEncryptionPresent'] = 0
request['NewNtEncryptedWithNewLm'] = NULL
request['LmCrossEncryptionPresent'] = 1
request['NewLmEncryptedWithNewNt'] = crypto.SamEncryptNTLMHash(newPwdHashLM, newPwdHashNT)
resp = dce.request(request)
resp.dump()
# Delete the temp user
request = samr.SamrDeleteUser()
request['UserHandle'] = resp0['UserHandle']
resp = dce.request(request)
resp.dump()
Example #8
| Source File: raiseChild.py From Slackor with GNU General Public License v3.0 | 5 votes |
|
def __decryptHash(self, record, prefixTable=None):
logging.debug('Decrypting hash for user: %s' % record['pmsgOut']['V6']['pNC']['StringName'][:-1])
rid = 0
LMHash = None
NTHash = None
for attr in record['pmsgOut']['V6']['pObjects']['Entinf']['AttrBlock']['pAttr']:
try:
attId = drsuapi.OidFromAttid(prefixTable, attr['attrTyp'])
LOOKUP_TABLE = self.ATTRTYP_TO_ATTID
except Exception as e:
logging.debug('Failed to execute OidFromAttid with error %s, fallbacking to fixed table' % e)
# Fallbacking to fixed table and hope for the best
attId = attr['attrTyp']
LOOKUP_TABLE = self.NAME_TO_ATTRTYP
if attId == LOOKUP_TABLE['dBCSPwd']:
if attr['AttrVal']['valCount'] > 0:
encrypteddBCSPwd = ''.join(attr['AttrVal']['pAVal'][0]['pVal'])
encryptedLMHash = drsuapi.DecryptAttributeValue(self.__drsr, encrypteddBCSPwd)
else:
LMHash = LMOWFv1('', '')
elif attId == LOOKUP_TABLE['unicodePwd']:
if attr['AttrVal']['valCount'] > 0:
encryptedUnicodePwd = b''.join(attr['AttrVal']['pAVal'][0]['pVal'])
encryptedNTHash = drsuapi.DecryptAttributeValue(self.__drsr, encryptedUnicodePwd)
else:
NTHash = NTOWFv1('', '')
elif attId == LOOKUP_TABLE['objectSid']:
if attr['AttrVal']['valCount'] > 0:
objectSid = b''.join(attr['AttrVal']['pAVal'][0]['pVal'])
rid = unpack('<L', objectSid[-4:])[0]
else:
raise Exception('Cannot get objectSid for %s' % record['pmsgOut']['V6']['pNC']['StringName'][:-1])
if LMHash is None:
LMHash = drsuapi.removeDESLayer(encryptedLMHash, rid)
if NTHash is None:
NTHash = drsuapi.removeDESLayer(encryptedNTHash, rid)
return rid, hexlify(LMHash), hexlify(NTHash)
Example #9
| Source File: raiseChild.py From PiBunny with MIT License | 5 votes |
|
def __decryptHash(self, record, prefixTable=None):
logging.debug('Decrypting hash for user: %s' % record['pmsgOut']['V6']['pNC']['StringName'][:-1])
rid = 0
LMHash = None
NTHash = None
for attr in record['pmsgOut']['V6']['pObjects']['Entinf']['AttrBlock']['pAttr']:
try:
attId = drsuapi.OidFromAttid(prefixTable, attr['attrTyp'])
LOOKUP_TABLE = self.ATTRTYP_TO_ATTID
except Exception, e:
logging.debug('Failed to execute OidFromAttid with error %s, fallbacking to fixed table' % e)
# Fallbacking to fixed table and hope for the best
attId = attr['attrTyp']
LOOKUP_TABLE = self.NAME_TO_ATTRTYP
if attId == LOOKUP_TABLE['dBCSPwd']:
if attr['AttrVal']['valCount'] > 0:
encrypteddBCSPwd = ''.join(attr['AttrVal']['pAVal'][0]['pVal'])
encryptedLMHash = drsuapi.DecryptAttributeValue(self.__drsr, encrypteddBCSPwd)
else:
LMHash = LMOWFv1('', '')
elif attId == LOOKUP_TABLE['unicodePwd']:
if attr['AttrVal']['valCount'] > 0:
encryptedUnicodePwd = ''.join(attr['AttrVal']['pAVal'][0]['pVal'])
encryptedNTHash = drsuapi.DecryptAttributeValue(self.__drsr, encryptedUnicodePwd)
else:
NTHash = NTOWFv1('', '')
elif attId == LOOKUP_TABLE['objectSid']:
if attr['AttrVal']['valCount'] > 0:
objectSid = ''.join(attr['AttrVal']['pAVal'][0]['pVal'])
rid = unpack('<L', objectSid[-4:])[0]
else:
raise Exception('Cannot get objectSid for %s' % record['pmsgOut']['V6']['pNC']['StringName'][:-1])
Example #10
| Source File: test_samr.py From PiBunny with MIT License | 5 votes |
|
def test_SamrChangePasswordUser(self):
dce, rpctransport, domainHandle = self.connect()
request = samr.SamrCreateUser2InDomain()
request['DomainHandle'] = domainHandle
request['Name'] = 'testAccount'
request['AccountType'] = samr.USER_NORMAL_ACCOUNT
request['DesiredAccess'] = dtypes.MAXIMUM_ALLOWED | samr.USER_READ_GENERAL | samr.DELETE
#request.dump()
resp0 = dce.request(request)
resp0.dump()
oldPwd = ''
oldPwdHashNT = ntlm.NTOWFv1(oldPwd)
newPwd = 'ADMIN'
newPwdHashNT = ntlm.NTOWFv1(newPwd)
newPwdHashLM = ntlm.LMOWFv1(newPwd)
from impacket import crypto
request = samr.SamrChangePasswordUser()
request['UserHandle'] = resp0['UserHandle']
request['LmPresent'] = 0
request['OldLmEncryptedWithNewLm'] = NULL
request['NewLmEncryptedWithOldLm'] = NULL
request['NtPresent'] = 1
request['OldNtEncryptedWithNewNt'] = crypto.SamEncryptNTLMHash(oldPwdHashNT, newPwdHashNT)
request['NewNtEncryptedWithOldNt'] = crypto.SamEncryptNTLMHash(newPwdHashNT, oldPwdHashNT)
request['NtCrossEncryptionPresent'] = 0
request['NewNtEncryptedWithNewLm'] = NULL
request['LmCrossEncryptionPresent'] = 1
request['NewLmEncryptedWithNewNt'] = crypto.SamEncryptNTLMHash(newPwdHashLM, newPwdHashNT)
resp = dce.request(request)
resp.dump()
# Delete the temp user
request = samr.SamrDeleteUser()
request['UserHandle'] = resp0['UserHandle']
resp = dce.request(request)
resp.dump()
Example #11
| Source File: test_samr.py From PiBunny with MIT License | 5 votes |
|
def test_SamrOemChangePasswordUser2(self):
dce, rpctransport, domainHandle = self.connect()
# As you can guess by now, target machine must have the Administrator account with password admin
# NOTE: It's giving me WRONG_PASSWORD 'cause the target test server doesn't hold LM Hashes
# further testing is needed to verify this call works
oldPwd = 'admin'
oldPwdHashLM = ntlm.LMOWFv1(oldPwd)
newPwd = 'ADMIN'
newPwdHashNT = ntlm.NTOWFv1(newPwd)
newPwdHashLM = ntlm.LMOWFv1(newPwd)
try:
from Crypto.Cipher import ARC4
except Exception:
print "Warning: You don't have any crypto installed. You need PyCrypto"
print "See http://www.pycrypto.org/"
from impacket import crypto
request = samr.SamrOemChangePasswordUser2()
request['ServerName'] = ''
request['UserName'] = 'Administrator'
samUser = samr.SAMPR_USER_PASSWORD()
samUser['Buffer'] = 'A'*(512-len(newPwd)) + newPwd
samUser['Length'] = len(newPwd)
pwdBuff = str(samUser)
rc4 = ARC4.new(oldPwdHashLM)
encBuf = rc4.encrypt(pwdBuff)
request['NewPasswordEncryptedWithOldLm']['Buffer'] = encBuf
request['OldLmOwfPasswordEncryptedWithNewLm'] = crypto.SamEncryptNTLMHash(oldPwdHashLM, newPwdHashLM)
try:
resp = dce.request(request)
resp.dump()
except Exception, e:
if str(e).find('STATUS_WRONG_PASSWORD') < 0:
raise
Example #12
| Source File: test_nrpc.py From cracke-dit with MIT License | 5 votes |
|
def test_NetrLogonSamLogonEx(self):
dce, rpctransport = self.connect()
request = nrpc.NetrLogonSamLogonEx()
request['LogonServer'] = '\x00'
request['ComputerName'] = self.serverName + '\x00'
request['LogonLevel'] = nrpc.NETLOGON_LOGON_INFO_CLASS.NetlogonInteractiveInformation
request['LogonInformation']['tag'] = nrpc.NETLOGON_LOGON_INFO_CLASS.NetlogonInteractiveInformation
request['LogonInformation']['LogonInteractive']['Identity']['LogonDomainName'] = self.domain
request['LogonInformation']['LogonInteractive']['Identity']['ParameterControl'] = 2 + 2**14 + 2**7 + 2**9 + 2**5 + 2**11
request['LogonInformation']['LogonInteractive']['Identity']['UserName'] = self.username
request['LogonInformation']['LogonInteractive']['Identity']['Workstation'] = ''
if len(self.hashes) > 0:
lmhash, nthash = self.hashes.split(':')
lmhash = unhexlify(lmhash)
nthash = unhexlify(nthash)
else:
lmhash = ntlm.LMOWFv1(self.password)
nthash = ntlm.NTOWFv1(self.password)
try:
from Crypto.Cipher import ARC4
except Exception:
print "Warning: You don't have any crypto installed. You need PyCrypto"
print "See http://www.pycrypto.org/"
rc4 = ARC4.new(self.sessionKey)
lmhash = rc4.encrypt(lmhash)
rc4 = ARC4.new(self.sessionKey)
nthash = rc4.encrypt(nthash)
request['LogonInformation']['LogonInteractive']['LmOwfPassword'] = lmhash
request['LogonInformation']['LogonInteractive']['NtOwfPassword'] = nthash
request['ValidationLevel'] = nrpc.NETLOGON_VALIDATION_INFO_CLASS.NetlogonValidationSamInfo4
request['ExtraFlags'] = 1
resp = dce.request(request)
resp.dump()
Example #13
| Source File: test_samr.py From cracke-dit with MIT License | 5 votes |
|
def test_SamrOemChangePasswordUser2(self):
dce, rpctransport, domainHandle = self.connect()
# As you can guess by now, target machine must have the Administrator account with password admin
# NOTE: It's giving me WRONG_PASSWORD 'cause the target test server doesn't hold LM Hashes
# further testing is needed to verify this call works
oldPwd = 'admin'
oldPwdHashLM = ntlm.LMOWFv1(oldPwd)
newPwd = 'ADMIN'
newPwdHashNT = ntlm.NTOWFv1(newPwd)
newPwdHashLM = ntlm.LMOWFv1(newPwd)
try:
from Crypto.Cipher import ARC4
except Exception:
print "Warning: You don't have any crypto installed. You need PyCrypto"
print "See http://www.pycrypto.org/"
from impacket import crypto
request = samr.SamrOemChangePasswordUser2()
request['ServerName'] = ''
request['UserName'] = 'Administrator'
samUser = samr.SAMPR_USER_PASSWORD()
samUser['Buffer'] = 'A'*(512-len(newPwd)) + newPwd
samUser['Length'] = len(newPwd)
pwdBuff = str(samUser)
rc4 = ARC4.new(oldPwdHashLM)
encBuf = rc4.encrypt(pwdBuff)
request['NewPasswordEncryptedWithOldLm']['Buffer'] = encBuf
request['OldLmOwfPasswordEncryptedWithNewLm'] = crypto.SamEncryptNTLMHash(oldPwdHashLM, newPwdHashLM)
try:
resp = dce.request(request)
resp.dump()
except Exception, e:
if str(e).find('STATUS_WRONG_PASSWORD') < 0:
raise
Example #14
| Source File: test_samr.py From cracke-dit with MIT License | 5 votes |
|
def test_SamrChangePasswordUser(self):
dce, rpctransport, domainHandle = self.connect()
request = samr.SamrCreateUser2InDomain()
request['DomainHandle'] = domainHandle
request['Name'] = 'testAccount'
request['AccountType'] = samr.USER_NORMAL_ACCOUNT
request['DesiredAccess'] = dtypes.MAXIMUM_ALLOWED | samr.USER_READ_GENERAL | samr.DELETE
#request.dump()
resp0 = dce.request(request)
resp0.dump()
oldPwd = ''
oldPwdHashNT = ntlm.NTOWFv1(oldPwd)
newPwd = 'ADMIN'
newPwdHashNT = ntlm.NTOWFv1(newPwd)
newPwdHashLM = ntlm.LMOWFv1(newPwd)
from impacket import crypto
request = samr.SamrChangePasswordUser()
request['UserHandle'] = resp0['UserHandle']
request['LmPresent'] = 0
request['OldLmEncryptedWithNewLm'] = NULL
request['NewLmEncryptedWithOldLm'] = NULL
request['NtPresent'] = 1
request['OldNtEncryptedWithNewNt'] = crypto.SamEncryptNTLMHash(oldPwdHashNT, newPwdHashNT)
request['NewNtEncryptedWithOldNt'] = crypto.SamEncryptNTLMHash(newPwdHashNT, oldPwdHashNT)
request['NtCrossEncryptionPresent'] = 0
request['NewNtEncryptedWithNewLm'] = NULL
request['LmCrossEncryptionPresent'] = 1
request['NewLmEncryptedWithNewNt'] = crypto.SamEncryptNTLMHash(newPwdHashLM, newPwdHashNT)
resp = dce.request(request)
resp.dump()
# Delete the temp user
request = samr.SamrDeleteUser()
request['UserHandle'] = resp0['UserHandle']
resp = dce.request(request)
resp.dump()
Example #15
| Source File: test_nrpc.py From CVE-2017-7494 with GNU General Public License v3.0 | 5 votes |
|
def test_NetrLogonSamLogonEx(self):
dce, rpctransport = self.connect()
request = nrpc.NetrLogonSamLogonEx()
request['LogonServer'] = '\x00'
request['ComputerName'] = self.serverName + '\x00'
request['LogonLevel'] = nrpc.NETLOGON_LOGON_INFO_CLASS.NetlogonInteractiveInformation
request['LogonInformation']['tag'] = nrpc.NETLOGON_LOGON_INFO_CLASS.NetlogonInteractiveInformation
request['LogonInformation']['LogonInteractive']['Identity']['LogonDomainName'] = self.domain
request['LogonInformation']['LogonInteractive']['Identity']['ParameterControl'] = 2 + 2**14 + 2**7 + 2**9 + 2**5 + 2**11
request['LogonInformation']['LogonInteractive']['Identity']['UserName'] = self.username
request['LogonInformation']['LogonInteractive']['Identity']['Workstation'] = ''
if len(self.hashes) > 0:
lmhash, nthash = self.hashes.split(':')
lmhash = unhexlify(lmhash)
nthash = unhexlify(nthash)
else:
lmhash = ntlm.LMOWFv1(self.password)
nthash = ntlm.NTOWFv1(self.password)
try:
from Crypto.Cipher import ARC4
except Exception:
print "Warning: You don't have any crypto installed. You need PyCrypto"
print "See http://www.pycrypto.org/"
rc4 = ARC4.new(self.sessionKey)
lmhash = rc4.encrypt(lmhash)
rc4 = ARC4.new(self.sessionKey)
nthash = rc4.encrypt(nthash)
request['LogonInformation']['LogonInteractive']['LmOwfPassword'] = lmhash
request['LogonInformation']['LogonInteractive']['NtOwfPassword'] = nthash
request['ValidationLevel'] = nrpc.NETLOGON_VALIDATION_INFO_CLASS.NetlogonValidationSamInfo4
request['ExtraFlags'] = 1
resp = dce.request(request)
resp.dump()
Example #16
| Source File: test_samr.py From CVE-2017-7494 with GNU General Public License v3.0 | 5 votes |
|
def test_SamrOemChangePasswordUser2(self):
dce, rpctransport, domainHandle = self.connect()
# As you can guess by now, target machine must have the Administrator account with password admin
# NOTE: It's giving me WRONG_PASSWORD 'cause the target test server doesn't hold LM Hashes
# further testing is needed to verify this call works
oldPwd = 'admin'
oldPwdHashLM = ntlm.LMOWFv1(oldPwd)
newPwd = 'ADMIN'
newPwdHashNT = ntlm.NTOWFv1(newPwd)
newPwdHashLM = ntlm.LMOWFv1(newPwd)
try:
from Crypto.Cipher import ARC4
except Exception:
print "Warning: You don't have any crypto installed. You need PyCrypto"
print "See http://www.pycrypto.org/"
from impacket import crypto
request = samr.SamrOemChangePasswordUser2()
request['ServerName'] = ''
request['UserName'] = 'Administrator'
samUser = samr.SAMPR_USER_PASSWORD()
samUser['Buffer'] = 'A'*(512-len(newPwd)) + newPwd
samUser['Length'] = len(newPwd)
pwdBuff = str(samUser)
rc4 = ARC4.new(oldPwdHashLM)
encBuf = rc4.encrypt(pwdBuff)
request['NewPasswordEncryptedWithOldLm']['Buffer'] = encBuf
request['OldLmOwfPasswordEncryptedWithNewLm'] = crypto.SamEncryptNTLMHash(oldPwdHashLM, newPwdHashLM)
try:
resp = dce.request(request)
resp.dump()
except Exception, e:
if str(e).find('STATUS_WRONG_PASSWORD') < 0:
raise
Example #17
| Source File: test_samr.py From PiBunny with MIT License | 4 votes |
|
def test_hSamrUnicodeChangePasswordUser2(self):
dce, rpctransport, domainHandle = self.connect()
request = samr.SamrCreateUser2InDomain()
request['DomainHandle'] = domainHandle
request['Name'] = 'testAccount'
request['AccountType'] = samr.USER_NORMAL_ACCOUNT
request['DesiredAccess'] = dtypes.MAXIMUM_ALLOWED | samr.USER_READ_GENERAL | samr.DELETE
#request.dump()
resp0 = dce.request(request)
resp0.dump()
oldPwd = ''
oldPwdHashNT = ntlm.NTOWFv1(oldPwd)
newPwd = 'ADMIN'
newPwdHashNT = ntlm.NTOWFv1(newPwd)
newPwdHashLM = ntlm.LMOWFv1(newPwd)
from impacket import crypto
request = samr.SamrChangePasswordUser()
request['UserHandle'] = resp0['UserHandle']
request['LmPresent'] = 0
request['OldLmEncryptedWithNewLm'] = NULL
request['NewLmEncryptedWithOldLm'] = NULL
request['NtPresent'] = 1
request['OldNtEncryptedWithNewNt'] = crypto.SamEncryptNTLMHash(oldPwdHashNT, newPwdHashNT)
request['NewNtEncryptedWithOldNt'] = crypto.SamEncryptNTLMHash(newPwdHashNT, oldPwdHashNT)
request['NtCrossEncryptionPresent'] = 0
request['NewNtEncryptedWithNewLm'] = NULL
request['LmCrossEncryptionPresent'] = 1
request['NewLmEncryptedWithNewNt'] = crypto.SamEncryptNTLMHash(newPwdHashLM, newPwdHashNT)
resp = dce.request(request)
resp.dump()
try:
resp = samr.hSamrUnicodeChangePasswordUser2(dce, '', 'testAccount', 'ADMIN', 'betus')
resp.dump()
except Exception, e:
if str(e).find('STATUS_PASSWORD_RESTRICTION') < 0:
raise
# Delete the temp user
Example #18
| Source File: test_nrpc.py From PiBunny with MIT License | 4 votes |
|
def test_NetrLogonSamLogonWithFlags(self):
dce, rpctransport = self.connect()
request = nrpc.NetrLogonSamLogonWithFlags()
request['LogonServer'] = '\x00'
request['ComputerName'] = self.serverName + '\x00'
request['LogonLevel'] = nrpc.NETLOGON_LOGON_INFO_CLASS.NetlogonInteractiveInformation
request['LogonInformation']['tag'] = nrpc.NETLOGON_LOGON_INFO_CLASS.NetlogonInteractiveInformation
request['LogonInformation']['LogonInteractive']['Identity']['LogonDomainName'] = self.domain
request['LogonInformation']['LogonInteractive']['Identity']['ParameterControl'] = 2 + 2**14 + 2**7 + 2**9 + 2**5 + 2**11
request['LogonInformation']['LogonInteractive']['Identity']['UserName'] = self.username
request['LogonInformation']['LogonInteractive']['Identity']['Workstation'] = ''
if len(self.hashes) > 0:
lmhash, nthash = self.hashes.split(':')
lmhash = unhexlify(lmhash)
nthash = unhexlify(nthash)
else:
lmhash = ntlm.LMOWFv1(self.password)
nthash = ntlm.NTOWFv1(self.password)
try:
from Crypto.Cipher import ARC4
except Exception:
print "Warning: You don't have any crypto installed. You need PyCrypto"
print "See http://www.pycrypto.org/"
rc4 = ARC4.new(self.sessionKey)
lmhash = rc4.encrypt(lmhash)
rc4 = ARC4.new(self.sessionKey)
nthash = rc4.encrypt(nthash)
request['LogonInformation']['LogonInteractive']['LmOwfPassword'] = lmhash
request['LogonInformation']['LogonInteractive']['NtOwfPassword'] = nthash
request['ValidationLevel'] = nrpc.NETLOGON_VALIDATION_INFO_CLASS.NetlogonValidationSamInfo4
request['Authenticator'] = self.update_authenticator()
request['ReturnAuthenticator']['Credential'] = '\x00'*8
request['ReturnAuthenticator']['Timestamp'] = 0
request['ExtraFlags'] = 0
try:
resp = dce.request(request)
resp.dump()
except Exception, e:
if str(e).find('STATUS_NO_SUCH_USER') < 0:
raise
Example #19
| Source File: secretsdump.py From PiBunny with MIT License | 4 votes |
|
def dump(self):
NTPASSWORD = "NTPASSWORD\0"
LMPASSWORD = "LMPASSWORD\0"
if self.__samFile is None:
# No SAM file provided
return
LOG.info('Dumping local SAM hashes (uid:rid:lmhash:nthash)')
self.getHBootKey()
usersKey = 'SAM\\Domains\\Account\\Users'
# Enumerate all the RIDs
rids = self.enumKey(usersKey)
# Remove the Names item
try:
rids.remove('Names')
except:
pass
for rid in rids:
userAccount = USER_ACCOUNT_V(self.getValue(ntpath.join(usersKey,rid,'V'))[1])
rid = int(rid,16)
V = userAccount['Data']
userName = V[userAccount['NameOffset']:userAccount['NameOffset']+userAccount['NameLength']].decode('utf-16le')
if userAccount['LMHashLength'] == 20:
encLMHash = V[userAccount['LMHashOffset']+4:userAccount['LMHashOffset']+userAccount['LMHashLength']]
else:
encLMHash = ''
if userAccount['NTHashLength'] == 20:
encNTHash = V[userAccount['NTHashOffset']+4:userAccount['NTHashOffset']+userAccount['NTHashLength']]
else:
encNTHash = ''
lmHash = self.__decryptHash(rid, encLMHash, LMPASSWORD)
ntHash = self.__decryptHash(rid, encNTHash, NTPASSWORD)
if lmHash == '':
lmHash = ntlm.LMOWFv1('','')
if ntHash == '':
ntHash = ntlm.NTOWFv1('','')
answer = "%s:%d:%s:%s:::" % (userName, rid, hexlify(lmHash), hexlify(ntHash))
self.__itemsFound[rid] = answer
self.__perSecretCallback(answer)
Example #20
| Source File: test_nrpc.py From PiBunny with MIT License | 4 votes |
|
def test_NetrLogonSamLogon(self):
dce, rpctransport = self.connect()
request = nrpc.NetrLogonSamLogon()
request['LogonServer'] = '\x00'
request['ComputerName'] = self.serverName + '\x00'
request['LogonLevel'] = nrpc.NETLOGON_LOGON_INFO_CLASS.NetlogonInteractiveInformation
request['LogonInformation']['tag'] = nrpc.NETLOGON_LOGON_INFO_CLASS.NetlogonInteractiveInformation
request['LogonInformation']['LogonInteractive']['Identity']['LogonDomainName'] = self.domain
request['LogonInformation']['LogonInteractive']['Identity']['ParameterControl'] = 2
request['LogonInformation']['LogonInteractive']['Identity']['UserName'] = self.username
request['LogonInformation']['LogonInteractive']['Identity']['Workstation'] = ''
if len(self.hashes) > 0:
lmhash, nthash = self.hashes.split(':')
lmhash = unhexlify(lmhash)
nthash = unhexlify(nthash)
else:
lmhash = ntlm.LMOWFv1(self.password)
nthash = ntlm.NTOWFv1(self.password)
try:
from Crypto.Cipher import ARC4
except Exception:
print "Warning: You don't have any crypto installed. You need PyCrypto"
print "See http://www.pycrypto.org/"
rc4 = ARC4.new(self.sessionKey)
lmhash = rc4.encrypt(lmhash)
rc4 = ARC4.new(self.sessionKey)
nthash = rc4.encrypt(nthash)
request['LogonInformation']['LogonInteractive']['LmOwfPassword'] = lmhash
request['LogonInformation']['LogonInteractive']['NtOwfPassword'] = nthash
request['ValidationLevel'] = nrpc.NETLOGON_VALIDATION_INFO_CLASS.NetlogonValidationSamInfo2
request['Authenticator'] = self.update_authenticator()
request['ReturnAuthenticator']['Credential'] = '\x00'*8
request['ReturnAuthenticator']['Timestamp'] = 0
try:
resp = dce.request(request)
resp.dump()
except Exception, e:
if str(e).find('STATUS_NO_SUCH_USER') < 0:
raise
Example #21
| Source File: secretsdump.py From CVE-2017-7494 with GNU General Public License v3.0 | 4 votes |
|
def dump(self):
NTPASSWORD = "NTPASSWORD\0"
LMPASSWORD = "LMPASSWORD\0"
if self.__samFile is None:
# No SAM file provided
return
LOG.info('Dumping local SAM hashes (uid:rid:lmhash:nthash)')
self.getHBootKey()
usersKey = 'SAM\\Domains\\Account\\Users'
# Enumerate all the RIDs
rids = self.enumKey(usersKey)
# Remove the Names item
try:
rids.remove('Names')
except:
pass
for rid in rids:
userAccount = USER_ACCOUNT_V(self.getValue(ntpath.join(usersKey,rid,'V'))[1])
rid = int(rid,16)
V = userAccount['Data']
userName = V[userAccount['NameOffset']:userAccount['NameOffset']+userAccount['NameLength']].decode('utf-16le')
if userAccount['LMHashLength'] == 20:
encLMHash = V[userAccount['LMHashOffset']+4:userAccount['LMHashOffset']+userAccount['LMHashLength']]
else:
encLMHash = ''
if userAccount['NTHashLength'] == 20:
encNTHash = V[userAccount['NTHashOffset']+4:userAccount['NTHashOffset']+userAccount['NTHashLength']]
else:
encNTHash = ''
lmHash = self.__decryptHash(rid, encLMHash, LMPASSWORD)
ntHash = self.__decryptHash(rid, encNTHash, NTPASSWORD)
if lmHash == '':
lmHash = ntlm.LMOWFv1('','')
if ntHash == '':
ntHash = ntlm.NTOWFv1('','')
answer = "%s:%d:%s:%s:::" % (userName, rid, hexlify(lmHash), hexlify(ntHash))
self.__itemsFound[rid] = answer
self.__perSecretCallback(answer)
Example #22
| Source File: test_nrpc.py From Slackor with GNU General Public License v3.0 | 4 votes |
|
def test_NetrLogonSamLogon(self):
dce, rpctransport = self.connect()
request = nrpc.NetrLogonSamLogon()
request['LogonServer'] = '\x00'
request['ComputerName'] = self.serverName + '\x00'
request['LogonLevel'] = nrpc.NETLOGON_LOGON_INFO_CLASS.NetlogonInteractiveInformation
request['LogonInformation']['tag'] = nrpc.NETLOGON_LOGON_INFO_CLASS.NetlogonInteractiveInformation
request['LogonInformation']['LogonInteractive']['Identity']['LogonDomainName'] = self.domain
request['LogonInformation']['LogonInteractive']['Identity']['ParameterControl'] = 2
request['LogonInformation']['LogonInteractive']['Identity']['UserName'] = self.username
request['LogonInformation']['LogonInteractive']['Identity']['Workstation'] = ''
if len(self.hashes) > 0:
lmhash, nthash = self.hashes.split(':')
lmhash = unhexlify(lmhash)
nthash = unhexlify(nthash)
else:
lmhash = ntlm.LMOWFv1(self.password)
nthash = ntlm.NTOWFv1(self.password)
try:
from Cryptodome.Cipher import ARC4
except Exception:
print("Warning: You don't have any crypto installed. You need PyCrypto")
print("See http://www.pycrypto.org/")
rc4 = ARC4.new(self.sessionKey)
lmhash = rc4.encrypt(lmhash)
rc4 = ARC4.new(self.sessionKey)
nthash = rc4.encrypt(nthash)
request['LogonInformation']['LogonInteractive']['LmOwfPassword'] = lmhash
request['LogonInformation']['LogonInteractive']['NtOwfPassword'] = nthash
request['ValidationLevel'] = nrpc.NETLOGON_VALIDATION_INFO_CLASS.NetlogonValidationSamInfo2
request['Authenticator'] = self.update_authenticator()
request['ReturnAuthenticator']['Credential'] = b'\x00' * 8
request['ReturnAuthenticator']['Timestamp'] = 0
try:
resp = dce.request(request)
resp.dump()
except Exception as e:
if str(e).find('STATUS_NO_SUCH_USER') < 0:
raise
Example #23
| Source File: samr.py From PiBunny with MIT License | 4 votes |
|
def hSamrUnicodeChangePasswordUser2(dce, serverName='\x00', userName='', oldPassword='', newPassword='', oldPwdHashLM = '', oldPwdHashNT = ''):
request = SamrUnicodeChangePasswordUser2()
request['ServerName'] = serverName
request['UserName'] = userName
try:
from Crypto.Cipher import ARC4
except Exception:
LOG.critical("Warning: You don't have any crypto installed. You need PyCrypto")
LOG.critical("See http://www.pycrypto.org/")
from impacket import crypto, ntlm
if oldPwdHashLM == '' and oldPwdHashNT == '':
oldPwdHashLM = ntlm.LMOWFv1(oldPassword)
oldPwdHashNT = ntlm.NTOWFv1(oldPassword)
else:
# Let's convert the hashes to binary form, if not yet
try:
oldPwdHashLM = unhexlify(oldPwdHashLM)
except:
pass
try:
oldPwdHashNT = unhexlify(oldPwdHashNT)
except:
pass
newPwdHashNT = ntlm.NTOWFv1(newPassword)
newPwdHashLM = ntlm.LMOWFv1(newPassword)
samUser = SAMPR_USER_PASSWORD()
try:
samUser['Buffer'] = 'A'*(512-len(newPassword)*2) + newPassword.encode('utf-16le')
except UnicodeDecodeError:
import sys
samUser['Buffer'] = 'A'*(512-len(newPassword)*2) + newPassword.decode(sys.getfilesystemencoding()).encode('utf-16le')
samUser['Length'] = len(newPassword)*2
pwdBuff = str(samUser)
rc4 = ARC4.new(oldPwdHashNT)
encBuf = rc4.encrypt(pwdBuff)
request['NewPasswordEncryptedWithOldNt']['Buffer'] = encBuf
request['OldNtOwfPasswordEncryptedWithNewNt'] = crypto.SamEncryptNTLMHash(oldPwdHashNT, newPwdHashNT)
request['LmPresent'] = 0
request['NewPasswordEncryptedWithOldLm'] = NULL
request['OldLmOwfPasswordEncryptedWithNewNt'] = NULL
return dce.request(request)
Example #24
| Source File: test_nrpc.py From Slackor with GNU General Public License v3.0 | 4 votes |
|
def test_NetrLogonSamLogonWithFlags(self):
dce, rpctransport = self.connect()
request = nrpc.NetrLogonSamLogonWithFlags()
request['LogonServer'] = '\x00'
request['ComputerName'] = self.serverName + '\x00'
request['LogonLevel'] = nrpc.NETLOGON_LOGON_INFO_CLASS.NetlogonInteractiveInformation
request['LogonInformation']['tag'] = nrpc.NETLOGON_LOGON_INFO_CLASS.NetlogonInteractiveInformation
request['LogonInformation']['LogonInteractive']['Identity']['LogonDomainName'] = self.domain
request['LogonInformation']['LogonInteractive']['Identity'][
'ParameterControl'] = 2 + 2 ** 14 + 2 ** 7 + 2 ** 9 + 2 ** 5 + 2 ** 11
request['LogonInformation']['LogonInteractive']['Identity']['UserName'] = self.username
request['LogonInformation']['LogonInteractive']['Identity']['Workstation'] = ''
if len(self.hashes) > 0:
lmhash, nthash = self.hashes.split(':')
lmhash = unhexlify(lmhash)
nthash = unhexlify(nthash)
else:
lmhash = ntlm.LMOWFv1(self.password)
nthash = ntlm.NTOWFv1(self.password)
try:
from Cryptodome.Cipher import ARC4
except Exception:
print("Warning: You don't have any crypto installed. You need pycryptodomex")
print("See https://pypi.org/project/pycryptodomex/")
rc4 = ARC4.new(self.sessionKey)
lmhash = rc4.encrypt(lmhash)
rc4 = ARC4.new(self.sessionKey)
nthash = rc4.encrypt(nthash)
request['LogonInformation']['LogonInteractive']['LmOwfPassword'] = lmhash
request['LogonInformation']['LogonInteractive']['NtOwfPassword'] = nthash
request['ValidationLevel'] = nrpc.NETLOGON_VALIDATION_INFO_CLASS.NetlogonValidationSamInfo4
request['Authenticator'] = self.update_authenticator()
request['ReturnAuthenticator']['Credential'] = b'\x00' * 8
request['ReturnAuthenticator']['Timestamp'] = 0
request['ExtraFlags'] = 0
try:
resp = dce.request(request)
resp.dump()
except Exception as e:
if str(e).find('STATUS_NO_SUCH_USER') < 0:
raise
Example #25
| Source File: test_nrpc.py From Slackor with GNU General Public License v3.0 | 4 votes |
|
def test_NetrLogonSamLogonEx(self):
dce, rpctransport = self.connect()
request = nrpc.NetrLogonSamLogonEx()
request['LogonServer'] = '\x00'
request['ComputerName'] = self.serverName + '\x00'
request['LogonLevel'] = nrpc.NETLOGON_LOGON_INFO_CLASS.NetlogonInteractiveInformation
request['LogonInformation']['tag'] = nrpc.NETLOGON_LOGON_INFO_CLASS.NetlogonInteractiveInformation
request['LogonInformation']['LogonInteractive']['Identity']['LogonDomainName'] = self.domain.split('.')[0]
request['LogonInformation']['LogonInteractive']['Identity'][
'ParameterControl'] = 2 + 2 ** 14 + 2 ** 7 + 2 ** 9 + 2 ** 5 + 2 ** 11
request['LogonInformation']['LogonInteractive']['Identity']['UserName'] = self.username
request['LogonInformation']['LogonInteractive']['Identity']['Workstation'] = ''
if len(self.hashes) > 0:
lmhash, nthash = self.hashes.split(':')
lmhash = unhexlify(lmhash)
nthash = unhexlify(nthash)
else:
lmhash = ntlm.LMOWFv1(self.password)
nthash = ntlm.NTOWFv1(self.password)
try:
from Cryptodome.Cipher import ARC4
except Exception:
print("Warning: You don't have any crypto installed. You need pycryptodomex")
print("See https://pypi.org/project/pycryptodomex/")
rc4 = ARC4.new(self.sessionKey)
lmhash = rc4.encrypt(lmhash)
rc4 = ARC4.new(self.sessionKey)
nthash = rc4.encrypt(nthash)
request['LogonInformation']['LogonInteractive']['LmOwfPassword'] = lmhash
request['LogonInformation']['LogonInteractive']['NtOwfPassword'] = nthash
request['ValidationLevel'] = nrpc.NETLOGON_VALIDATION_INFO_CLASS.NetlogonValidationSamInfo4
request['ExtraFlags'] = 1
try:
resp = dce.request(request)
resp.dump()
except Exception as e:
if str(e).find('STATUS_INTERNAL_ERROR') < 0:
raise
Example #26
| Source File: samr.py From Slackor with GNU General Public License v3.0 | 4 votes |
|
def hSamrUnicodeChangePasswordUser2(dce, serverName='\x00', userName='', oldPassword='', newPassword='', oldPwdHashLM = '', oldPwdHashNT = ''):
request = SamrUnicodeChangePasswordUser2()
request['ServerName'] = serverName
request['UserName'] = userName
try:
from Cryptodome.Cipher import ARC4
except Exception:
LOG.critical("Warning: You don't have any crypto installed. You need pycryptodomex")
LOG.critical("See https://pypi.org/project/pycryptodomex/")
from impacket import crypto, ntlm
if oldPwdHashLM == '' and oldPwdHashNT == '':
oldPwdHashLM = ntlm.LMOWFv1(oldPassword)
oldPwdHashNT = ntlm.NTOWFv1(oldPassword)
else:
# Let's convert the hashes to binary form, if not yet
try:
oldPwdHashLM = unhexlify(oldPwdHashLM)
except:
pass
try:
oldPwdHashNT = unhexlify(oldPwdHashNT)
except:
pass
newPwdHashNT = ntlm.NTOWFv1(newPassword)
samUser = SAMPR_USER_PASSWORD()
try:
samUser['Buffer'] = b'A'*(512-len(newPassword)*2) + newPassword.encode('utf-16le')
except UnicodeDecodeError:
import sys
samUser['Buffer'] = b'A'*(512-len(newPassword)*2) + newPassword.decode(sys.getfilesystemencoding()).encode('utf-16le')
samUser['Length'] = len(newPassword)*2
pwdBuff = samUser.getData()
rc4 = ARC4.new(oldPwdHashNT)
encBuf = rc4.encrypt(pwdBuff)
request['NewPasswordEncryptedWithOldNt']['Buffer'] = encBuf
request['OldNtOwfPasswordEncryptedWithNewNt'] = crypto.SamEncryptNTLMHash(oldPwdHashNT, newPwdHashNT)
request['LmPresent'] = 0
request['NewPasswordEncryptedWithOldLm'] = NULL
request['OldLmOwfPasswordEncryptedWithNewNt'] = NULL
return dce.request(request)
Example #27
| Source File: secretsdump.py From smbwrapper with GNU General Public License v3.0 | 4 votes |
|
def dump(self):
NTPASSWORD = "NTPASSWORD\0"
LMPASSWORD = "LMPASSWORD\0"
if self.__samFile is None:
# No SAM file provided
return
logging.info('Dumping local SAM hashes (uid:rid:lmhash:nthash)')
self.getHBootKey()
usersKey = 'SAM\\Domains\\Account\\Users'
# Enumerate all the RIDs
rids = self.enumKey(usersKey)
# Remove the Names item
try:
rids.remove('Names')
except:
pass
for rid in rids:
userAccount = USER_ACCOUNT_V(self.getValue(ntpath.join(usersKey,rid,'V'))[1])
rid = int(rid,16)
V = userAccount['Data']
userName = V[userAccount['NameOffset']:userAccount['NameOffset']+userAccount['NameLength']].decode('utf-16le')
if userAccount['LMHashLength'] == 20:
encLMHash = V[userAccount['LMHashOffset']+4:userAccount['LMHashOffset']+userAccount['LMHashLength']]
else:
encLMHash = ''
if userAccount['NTHashLength'] == 20:
encNTHash = V[userAccount['NTHashOffset']+4:userAccount['NTHashOffset']+userAccount['NTHashLength']]
else:
encNTHash = ''
lmHash = self.__decryptHash(rid, encLMHash, LMPASSWORD)
ntHash = self.__decryptHash(rid, encNTHash, NTPASSWORD)
if lmHash == '':
lmHash = ntlm.LMOWFv1('','')
if ntHash == '':
ntHash = ntlm.NTOWFv1('','')
answer = "%s:%d:%s:%s:::" % (userName, rid, hexlify(lmHash), hexlify(ntHash))
self.__itemsFound[rid] = answer
print answer
Example #28
| Source File: dump.py From Exchange2domain with MIT License | 4 votes |
|
def dump(self):
NTPASSWORD = "NTPASSWORD\0"
LMPASSWORD = "LMPASSWORD\0"
if self.__samFile is None:
# No SAM file provided
return
LOG.info('Dumping local SAM hashes (uid:rid:lmhash:nthash)')
self.getHBootKey()
usersKey = 'SAM\\Domains\\Account\\Users'
# Enumerate all the RIDs
rids = self.enumKey(usersKey)
# Remove the Names item
try:
rids.remove('Names')
except:
pass
for rid in rids:
userAccount = USER_ACCOUNT_V(self.getValue(ntpath.join(usersKey,rid,'V'))[1])
rid = int(rid,16)
V = userAccount['Data']
userName = V[userAccount['NameOffset']:userAccount['NameOffset']+userAccount['NameLength']].decode('utf-16le')
if V[userAccount['NTHashOffset']:][2] == '\x01':
# Old Style hashes
newStyle = False
if userAccount['LMHashLength'] == 20:
encLMHash = SAM_HASH(V[userAccount['LMHashOffset']:][:userAccount['LMHashLength']])
if userAccount['NTHashLength'] == 20:
encNTHash = SAM_HASH(V[userAccount['NTHashOffset']:][:userAccount['NTHashLength']])
else:
# New Style hashes
newStyle = True
if userAccount['LMHashLength'] == 24:
encLMHash = SAM_HASH_AES(V[userAccount['LMHashOffset']:][:userAccount['LMHashLength']])
encNTHash = SAM_HASH_AES(V[userAccount['NTHashOffset']:][:userAccount['NTHashLength']])
LOG.debug('NewStyle hashes is: %s' % newStyle)
if userAccount['LMHashLength'] >= 20:
lmHash = self.__decryptHash(rid, encLMHash, LMPASSWORD, newStyle)
else:
lmHash = ''
ntHash = self.__decryptHash(rid, encNTHash, NTPASSWORD, newStyle)
if lmHash == '':
lmHash = ntlm.LMOWFv1('','')
if ntHash == '':
ntHash = ntlm.NTOWFv1('','')
answer = "%s:%d:%s:%s:::" % (userName, rid, hexlify(lmHash), hexlify(ntHash))
self.__itemsFound[rid] = answer
self.__perSecretCallback(answer)
Example #29
| Source File: samr.py From cracke-dit with MIT License | 4 votes |
|
def hSamrUnicodeChangePasswordUser2(dce, serverName='\x00', userName='', oldPassword='', newPassword='', oldPwdHashLM = '', oldPwdHashNT = ''):
request = SamrUnicodeChangePasswordUser2()
request['ServerName'] = serverName
request['UserName'] = userName
try:
from Crypto.Cipher import ARC4
except Exception:
LOG.critical("Warning: You don't have any crypto installed. You need PyCrypto")
LOG.critical("See http://www.pycrypto.org/")
from impacket import crypto, ntlm
if oldPwdHashLM == '' and oldPwdHashNT == '':
oldPwdHashLM = ntlm.LMOWFv1(oldPassword)
oldPwdHashNT = ntlm.NTOWFv1(oldPassword)
else:
# Let's convert the hashes to binary form, if not yet
try:
oldPwdHashLM = unhexlify(oldPwdHashLM)
except:
pass
try:
oldPwdHashNT = unhexlify(oldPwdHashNT)
except:
pass
newPwdHashNT = ntlm.NTOWFv1(newPassword)
newPwdHashLM = ntlm.LMOWFv1(newPassword)
samUser = SAMPR_USER_PASSWORD()
try:
samUser['Buffer'] = 'A'*(512-len(newPassword)*2) + newPassword.encode('utf-16le')
except UnicodeDecodeError:
import sys
samUser['Buffer'] = 'A'*(512-len(newPassword)*2) + newPassword.decode(sys.getfilesystemencoding()).encode('utf-16le')
samUser['Length'] = len(newPassword)*2
pwdBuff = str(samUser)
rc4 = ARC4.new(oldPwdHashNT)
encBuf = rc4.encrypt(pwdBuff)
request['NewPasswordEncryptedWithOldNt']['Buffer'] = encBuf
request['OldNtOwfPasswordEncryptedWithNewNt'] = crypto.SamEncryptNTLMHash(oldPwdHashNT, newPwdHashNT)
request['LmPresent'] = 0
request['NewPasswordEncryptedWithOldLm'] = NULL
request['OldLmOwfPasswordEncryptedWithNewNt'] = NULL
return dce.request(request)
Example #30
| Source File: test_nrpc.py From cracke-dit with MIT License | 4 votes |
|
def test_NetrLogonSamLogon(self):
dce, rpctransport = self.connect()
request = nrpc.NetrLogonSamLogon()
request['LogonServer'] = '\x00'
request['ComputerName'] = self.serverName + '\x00'
request['LogonLevel'] = nrpc.NETLOGON_LOGON_INFO_CLASS.NetlogonInteractiveInformation
request['LogonInformation']['tag'] = nrpc.NETLOGON_LOGON_INFO_CLASS.NetlogonInteractiveInformation
request['LogonInformation']['LogonInteractive']['Identity']['LogonDomainName'] = self.domain
request['LogonInformation']['LogonInteractive']['Identity']['ParameterControl'] = 2
request['LogonInformation']['LogonInteractive']['Identity']['UserName'] = self.username
request['LogonInformation']['LogonInteractive']['Identity']['Workstation'] = ''
if len(self.hashes) > 0:
lmhash, nthash = self.hashes.split(':')
lmhash = unhexlify(lmhash)
nthash = unhexlify(nthash)
else:
lmhash = ntlm.LMOWFv1(self.password)
nthash = ntlm.NTOWFv1(self.password)
try:
from Crypto.Cipher import ARC4
except Exception:
print "Warning: You don't have any crypto installed. You need PyCrypto"
print "See http://www.pycrypto.org/"
rc4 = ARC4.new(self.sessionKey)
lmhash = rc4.encrypt(lmhash)
rc4 = ARC4.new(self.sessionKey)
nthash = rc4.encrypt(nthash)
request['LogonInformation']['LogonInteractive']['LmOwfPassword'] = lmhash
request['LogonInformation']['LogonInteractive']['NtOwfPassword'] = nthash
request['ValidationLevel'] = nrpc.NETLOGON_VALIDATION_INFO_CLASS.NetlogonValidationSamInfo2
request['Authenticator'] = self.update_authenticator()
request['ReturnAuthenticator']['Credential'] = '\x00'*8
request['ReturnAuthenticator']['Timestamp'] = 0
try:
resp = dce.request(request)
resp.dump()
except Exception, e:
if str(e).find('STATUS_NO_SUCH_USER') < 0:
raise
