Python impacket.spnego.TypesMech() Examples
The following are 15
code examples of impacket.spnego.TypesMech().
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example.
You may also want to check out all available functions/classes of the module
impacket.spnego
, or try the search function
.
.
Example #1
| Source File: SMB2_Lib.py From SMBetray with GNU General Public License v3.0 | 6 votes |
|
def negotiateResp_authDowngrade(self, packet):
try:
# Try to downgrade them to NTLM
resp = SMB2Negotiate_Response(packet['Data'])
securityBlob = SPNEGO_NegTokenInit(data = resp['Buffer'])
if TypesMech['NTLMSSP - Microsoft NTLM Security Support Provider'] not in securityBlob['MechTypes']:
self.logger.info("Server does not support NTLM - auth mechanism downgrade will not work")
return packet
self.logger.info("Server supports NTLM auth - Attempting to downgrade....")
securityBlob['MechTypes'] = [TypesMech['NEGOEX - SPNEGO Extended Negotiation Security Mechanism'], TypesMech['NTLMSSP - Microsoft NTLM Security Support Provider']]
resp['Buffer'] = securityBlob.getData()
resp['SecurityBufferLength'] = len(resp['Buffer'])
packet['Data'] = str(resp)
except:
pass
return packet
# <NTLMV2 AUTHENTICATION CAPTURE>#
# NTLM Negotiate
Example #2
| Source File: smbrelayclient.py From GhostPotato with MIT License | 5 votes |
|
def sendNegotiatev2(self, negotiateMessage):
v2client = self.session.getSMBServer()
sessionSetup = SMB2SessionSetup()
sessionSetup['Flags'] = 0
# Let's build a NegTokenInit with the NTLMSSP
blob = SPNEGO_NegTokenInit()
# NTLMSSP
blob['MechTypes'] = [TypesMech['NTLMSSP - Microsoft NTLM Security Support Provider']]
blob['MechToken'] = negotiateMessage
sessionSetup['SecurityBufferLength'] = len(blob)
sessionSetup['Buffer'] = blob.getData()
packet = v2client.SMB_PACKET()
packet['Command'] = SMB2_SESSION_SETUP
packet['Data'] = sessionSetup
packetID = v2client.sendSMB(packet)
ans = v2client.recvSMB(packetID)
if ans.isValidAnswer(STATUS_MORE_PROCESSING_REQUIRED):
v2client._Session['SessionID'] = ans['SessionID']
sessionSetupResponse = SMB2SessionSetup_Response(ans['Data'])
respToken = SPNEGO_NegTokenResp(sessionSetupResponse['Buffer'])
return respToken['ResponseToken']
return False
Example #3
| Source File: SMB2_Lib.py From SMBetray with GNU General Public License v3.0 | 5 votes |
|
def negotiateResp_track(self, packet): resp = SMB2Negotiate_Response(packet['Data']) # https://msdn.microsoft.com/en-us/library/cc246563.aspx if(resp['SecurityMode'] == 1): self.SERVER_INFO.SIGNATURES_ENABLED = True self.SERVER_INFO.SIGNATURES_REQUIRED = False if(resp['SecurityMode'] == 2): self.SERVER_INFO.SIGNATURES_ENABLED = False self.SERVER_INFO.SIGNATURES_REQUIRED = True if(resp['SecurityMode'] == 3): self.SERVER_INFO.SIGNATURES_ENABLED = True self.SERVER_INFO.SIGNATURES_REQUIRED = True # Server decides dialect self.SESSION_DIALECT = resp['DialectRevision'] # NTLM_SUPPORTED resp = SMB2Negotiate_Response(packet['Data']) securityBlob = SPNEGO_NegTokenInit(data = resp['Buffer']) if TypesMech['NTLMSSP - Microsoft NTLM Security Support Provider'] not in securityBlob['MechTypes']: self.SERVER_INFO.NTLM_SUPPORTED = False else: self.SERVER_INFO.NTLM_SUPPORTED = True # Encryption (If client and server put the 'support' flag, encryption will be used) if (resp['Capabilities'] & SMB2_GLOBAL_CAP_ENCRYPTION) == SMB2_GLOBAL_CAP_ENCRYPTION: self.SERVER_INFO.ENCRYPTION_ENABLED = True else: self.SERVER_INFO.ENCRYPTION_ENABLED = False
Example #4
| Source File: SMB2_Lib.py From SMBetray with GNU General Public License v3.0 | 5 votes |
|
def sessionSetupReq_NTLMv2_Neg(self, packet):
try:
req = SMB2SessionSetup(packet['Data'])
securityBlob = SPNEGO_NegTokenInit(data = req['Buffer'])
if TypesMech['NTLMSSP - Microsoft NTLM Security Support Provider'] not in securityBlob['MechTypes']:
return
newHash = NTLMV2_Struct()
newHash.NEGOTIATE_INFO.fromString(securityBlob['Payload'][securityBlob['Payload'].find("NTLMSSP"):])
self.NTLMV2_DATASTORE.append(newHash)
except:
pass
return packet
# NTLM Challenge
Example #5
| Source File: smbrelayclient.py From Exchange2domain with MIT License | 5 votes |
|
def sendNegotiatev2(self, negotiateMessage):
v2client = self.session.getSMBServer()
sessionSetup = SMB2SessionSetup()
sessionSetup['Flags'] = 0
# Let's build a NegTokenInit with the NTLMSSP
blob = SPNEGO_NegTokenInit()
# NTLMSSP
blob['MechTypes'] = [TypesMech['NTLMSSP - Microsoft NTLM Security Support Provider']]
blob['MechToken'] = str(negotiateMessage)
sessionSetup['SecurityBufferLength'] = len(blob)
sessionSetup['Buffer'] = blob.getData()
packet = v2client.SMB_PACKET()
packet['Command'] = SMB2_SESSION_SETUP
packet['Data'] = sessionSetup
packetID = v2client.sendSMB(packet)
ans = v2client.recvSMB(packetID)
if ans.isValidAnswer(STATUS_MORE_PROCESSING_REQUIRED):
v2client._Session['SessionID'] = ans['SessionID']
sessionSetupResponse = SMB2SessionSetup_Response(ans['Data'])
respToken = SPNEGO_NegTokenResp(sessionSetupResponse['Buffer'])
return respToken['ResponseToken']
return False
Example #6
| Source File: kerberos.py From krbrelayx with MIT License | 5 votes |
|
def ldap_kerberos(domain, kdc, tgt, username, ldapconnection, hostname):
# Hackery to authenticate with ldap3 using impacket Kerberos stack
# I originally wrote this for BloodHound.py, but it works fine (tm) here too
username = Principal(username, type=constants.PrincipalNameType.NT_PRINCIPAL.value)
servername = Principal('ldap/%s' % hostname, type=constants.PrincipalNameType.NT_SRV_INST.value)
tgs, cipher, _, sessionkey = getKerberosTGS(servername, domain, kdc,
tgt['KDC_REP'], tgt['cipher'], tgt['sessionKey'])
# Let's build a NegTokenInit with a Kerberos AP_REQ
blob = SPNEGO_NegTokenInit()
# Kerberos
blob['MechTypes'] = [TypesMech['MS KRB5 - Microsoft Kerberos 5']]
# Let's extract the ticket from the TGS
tgs = decoder.decode(tgs, asn1Spec=TGS_REP())[0]
ticket = Ticket()
ticket.from_asn1(tgs['ticket'])
# Now let's build the AP_REQ
apReq = AP_REQ()
apReq['pvno'] = 5
apReq['msg-type'] = int(constants.ApplicationTagNumbers.AP_REQ.value)
opts = []
apReq['ap-options'] = constants.encodeFlags(opts)
seq_set(apReq, 'ticket', ticket.to_asn1)
authenticator = Authenticator()
authenticator['authenticator-vno'] = 5
authenticator['crealm'] = domain
seq_set(authenticator, 'cname', username.components_to_asn1)
now = datetime.datetime.utcnow()
authenticator['cusec'] = now.microsecond
authenticator['ctime'] = KerberosTime.to_asn1(now)
encodedAuthenticator = encoder.encode(authenticator)
# Key Usage 11
# AP-REQ Authenticator (includes application authenticator
# subkey), encrypted with the application session key
# (Section 5.5.1)
encryptedEncodedAuthenticator = cipher.encrypt(sessionkey, 11, encodedAuthenticator, None)
apReq['authenticator'] = noValue
apReq['authenticator']['etype'] = cipher.enctype
apReq['authenticator']['cipher'] = encryptedEncodedAuthenticator
blob['MechToken'] = encoder.encode(apReq)
# From here back to ldap3
ldapconnection.open(read_server_info=False)
request = bind_operation(ldapconnection.version, SASL, None, None, ldapconnection.sasl_mechanism, blob.getData())
response = ldapconnection.post_send_single_response(ldapconnection.send('bindRequest', request, None))[0]
ldapconnection.result = response
if response['result'] == 0:
ldapconnection.bound = True
ldapconnection.refresh_server_info()
return response['result'] == 0
Example #7
| Source File: smbrelayclient.py From krbrelayx with MIT License | 5 votes |
|
def sendNegotiatev2(self, negotiateMessage):
v2client = self.session.getSMBServer()
sessionSetup = SMB2SessionSetup()
sessionSetup['Flags'] = 0
# Let's build a NegTokenInit with the NTLMSSP
blob = SPNEGO_NegTokenInit()
# NTLMSSP
blob['MechTypes'] = [TypesMech['NTLMSSP - Microsoft NTLM Security Support Provider']]
blob['MechToken'] = str(negotiateMessage)
sessionSetup['SecurityBufferLength'] = len(blob)
sessionSetup['Buffer'] = blob.getData()
packet = v2client.SMB_PACKET()
packet['Command'] = SMB2_SESSION_SETUP
packet['Data'] = sessionSetup
packetID = v2client.sendSMB(packet)
ans = v2client.recvSMB(packetID)
if ans.isValidAnswer(STATUS_MORE_PROCESSING_REQUIRED):
v2client._Session['SessionID'] = ans['SessionID']
sessionSetupResponse = SMB2SessionSetup_Response(ans['Data'])
respToken = SPNEGO_NegTokenResp(sessionSetupResponse['Buffer'])
return respToken['ResponseToken']
return False
Example #8
| Source File: smbrelayclient.py From Slackor with GNU General Public License v3.0 | 5 votes |
|
def sendNegotiatev2(self, negotiateMessage):
v2client = self.session.getSMBServer()
sessionSetup = SMB2SessionSetup()
sessionSetup['Flags'] = 0
# Let's build a NegTokenInit with the NTLMSSP
blob = SPNEGO_NegTokenInit()
# NTLMSSP
blob['MechTypes'] = [TypesMech['NTLMSSP - Microsoft NTLM Security Support Provider']]
blob['MechToken'] = negotiateMessage
sessionSetup['SecurityBufferLength'] = len(blob)
sessionSetup['Buffer'] = blob.getData()
packet = v2client.SMB_PACKET()
packet['Command'] = SMB2_SESSION_SETUP
packet['Data'] = sessionSetup
packetID = v2client.sendSMB(packet)
ans = v2client.recvSMB(packetID)
if ans.isValidAnswer(STATUS_MORE_PROCESSING_REQUIRED):
v2client._Session['SessionID'] = ans['SessionID']
sessionSetupResponse = SMB2SessionSetup_Response(ans['Data'])
respToken = SPNEGO_NegTokenResp(sessionSetupResponse['Buffer'])
return respToken['ResponseToken']
return False
Example #9
| Source File: smbrelayclient.py From CVE-2019-1040 with MIT License | 5 votes |
|
def sendNegotiatev2(self, negotiateMessage):
v2client = self.session.getSMBServer()
sessionSetup = SMB2SessionSetup()
sessionSetup['Flags'] = 0
# Let's build a NegTokenInit with the NTLMSSP
blob = SPNEGO_NegTokenInit()
# NTLMSSP
blob['MechTypes'] = [TypesMech['NTLMSSP - Microsoft NTLM Security Support Provider']]
blob['MechToken'] = negotiateMessage
sessionSetup['SecurityBufferLength'] = len(blob)
sessionSetup['Buffer'] = blob.getData()
packet = v2client.SMB_PACKET()
packet['Command'] = SMB2_SESSION_SETUP
packet['Data'] = sessionSetup
packetID = v2client.sendSMB(packet)
ans = v2client.recvSMB(packetID)
if ans.isValidAnswer(STATUS_MORE_PROCESSING_REQUIRED):
v2client._Session['SessionID'] = ans['SessionID']
sessionSetupResponse = SMB2SessionSetup_Response(ans['Data'])
respToken = SPNEGO_NegTokenResp(sessionSetupResponse['Buffer'])
return respToken['ResponseToken']
return False
Example #10
| Source File: smbrelayclient.py From CVE-2017-7494 with GNU General Public License v3.0 | 4 votes |
|
def sendNegotiate(self, negotiateMessage):
smb = NewSMBPacket()
smb['Flags1'] = SMB.FLAGS1_PATHCASELESS
smb['Flags2'] = SMB.FLAGS2_EXTENDED_SECURITY
# Are we required to sign SMB? If so we do it, if not we skip it
if self._SignatureRequired:
smb['Flags2'] |= SMB.FLAGS2_SMB_SECURITY_SIGNATURE
sessionSetup = SMBCommand(SMB.SMB_COM_SESSION_SETUP_ANDX)
sessionSetup['Parameters'] = SMBSessionSetupAndX_Extended_Parameters()
sessionSetup['Data'] = SMBSessionSetupAndX_Extended_Data()
sessionSetup['Parameters']['MaxBufferSize'] = 65535
sessionSetup['Parameters']['MaxMpxCount'] = 2
sessionSetup['Parameters']['VcNumber'] = 1
sessionSetup['Parameters']['SessionKey'] = 0
sessionSetup['Parameters']['Capabilities'] = SMB.CAP_EXTENDED_SECURITY | SMB.CAP_USE_NT_ERRORS | SMB.CAP_UNICODE
# Let's build a NegTokenInit with the NTLMSSP
# TODO: In the future we should be able to choose different providers
blob = SPNEGO_NegTokenInit()
# NTLMSSP
blob['MechTypes'] = [TypesMech['NTLMSSP - Microsoft NTLM Security Support Provider']]
blob['MechToken'] = str(negotiateMessage)
sessionSetup['Parameters']['SecurityBlobLength'] = len(blob)
sessionSetup['Parameters'].getData()
sessionSetup['Data']['SecurityBlob'] = blob.getData()
# Fake Data here, don't want to get us fingerprinted
sessionSetup['Data']['NativeOS'] = 'Unix'
sessionSetup['Data']['NativeLanMan'] = 'Samba'
smb.addCommand(sessionSetup)
self.sendSMB(smb)
smb = self.recvSMB()
try:
smb.isValidAnswer(SMB.SMB_COM_SESSION_SETUP_ANDX)
except Exception:
logging.error("SessionSetup Error!")
raise
else:
# We will need to use this uid field for all future requests/responses
self._uid = smb['Uid']
# Now we have to extract the blob to continue the auth process
sessionResponse = SMBCommand(smb['Data'][0])
sessionParameters = SMBSessionSetupAndX_Extended_Response_Parameters(sessionResponse['Parameters'])
sessionData = SMBSessionSetupAndX_Extended_Response_Data(flags = smb['Flags2'])
sessionData['SecurityBlobLength'] = sessionParameters['SecurityBlobLength']
sessionData.fromString(sessionResponse['Data'])
respToken = SPNEGO_NegTokenResp(sessionData['SecurityBlob'])
return respToken['ResponseToken']
Example #11
| Source File: smbrelayclient.py From cracke-dit with MIT License | 4 votes |
|
def sendNegotiate(self, negotiateMessage):
smb = NewSMBPacket()
smb['Flags1'] = SMB.FLAGS1_PATHCASELESS
smb['Flags2'] = SMB.FLAGS2_EXTENDED_SECURITY
# Are we required to sign SMB? If so we do it, if not we skip it
if self._SignatureRequired:
smb['Flags2'] |= SMB.FLAGS2_SMB_SECURITY_SIGNATURE
sessionSetup = SMBCommand(SMB.SMB_COM_SESSION_SETUP_ANDX)
sessionSetup['Parameters'] = SMBSessionSetupAndX_Extended_Parameters()
sessionSetup['Data'] = SMBSessionSetupAndX_Extended_Data()
sessionSetup['Parameters']['MaxBufferSize'] = 65535
sessionSetup['Parameters']['MaxMpxCount'] = 2
sessionSetup['Parameters']['VcNumber'] = 1
sessionSetup['Parameters']['SessionKey'] = 0
sessionSetup['Parameters']['Capabilities'] = SMB.CAP_EXTENDED_SECURITY | SMB.CAP_USE_NT_ERRORS | SMB.CAP_UNICODE
# Let's build a NegTokenInit with the NTLMSSP
# TODO: In the future we should be able to choose different providers
blob = SPNEGO_NegTokenInit()
# NTLMSSP
blob['MechTypes'] = [TypesMech['NTLMSSP - Microsoft NTLM Security Support Provider']]
blob['MechToken'] = str(negotiateMessage)
sessionSetup['Parameters']['SecurityBlobLength'] = len(blob)
sessionSetup['Parameters'].getData()
sessionSetup['Data']['SecurityBlob'] = blob.getData()
# Fake Data here, don't want to get us fingerprinted
sessionSetup['Data']['NativeOS'] = 'Unix'
sessionSetup['Data']['NativeLanMan'] = 'Samba'
smb.addCommand(sessionSetup)
self.sendSMB(smb)
smb = self.recvSMB()
try:
smb.isValidAnswer(SMB.SMB_COM_SESSION_SETUP_ANDX)
except Exception:
logging.error("SessionSetup Error!")
raise
else:
# We will need to use this uid field for all future requests/responses
self._uid = smb['Uid']
# Now we have to extract the blob to continue the auth process
sessionResponse = SMBCommand(smb['Data'][0])
sessionParameters = SMBSessionSetupAndX_Extended_Response_Parameters(sessionResponse['Parameters'])
sessionData = SMBSessionSetupAndX_Extended_Response_Data(flags = smb['Flags2'])
sessionData['SecurityBlobLength'] = sessionParameters['SecurityBlobLength']
sessionData.fromString(sessionResponse['Data'])
respToken = SPNEGO_NegTokenResp(sessionData['SecurityBlob'])
return respToken['ResponseToken']
Example #12
| Source File: smb.py From cracke-dit with MIT License | 4 votes |
|
def getNegoAnswer(recvPacket):
smbCommand = SMBCommand(recvPacket['Data'][0])
respSMBCommand = SMBCommand(SMB.SMB_COM_NEGOTIATE)
resp = NewSMBPacket()
resp['Flags1'] = SMB.FLAGS1_REPLY
resp['Pid'] = recvPacket['Pid']
resp['Tid'] = recvPacket['Tid']
resp['Mid'] = recvPacket['Mid']
dialects = smbCommand['Data'].split('\x02')
index = dialects.index('NT LM 0.12\x00') - 1
# Let's fill the data for NTLM
if recvPacket['Flags2'] & SMB.FLAGS2_EXTENDED_SECURITY:
resp['Flags2'] = SMB.FLAGS2_EXTENDED_SECURITY | SMB.FLAGS2_NT_STATUS | SMB.FLAGS2_UNICODE
_dialects_data = SMBExtended_Security_Data()
_dialects_data['ServerGUID'] = 'A' * 16
blob = SPNEGO_NegTokenInit()
blob['MechTypes'] = [TypesMech['NTLMSSP - Microsoft NTLM Security Support Provider']]
_dialects_data['SecurityBlob'] = blob.getData()
_dialects_parameters = SMBExtended_Security_Parameters()
_dialects_parameters[
'Capabilities'] = SMB.CAP_EXTENDED_SECURITY | SMB.CAP_USE_NT_ERRORS | SMB.CAP_NT_SMBS | SMB.CAP_UNICODE
_dialects_parameters['ChallengeLength'] = 0
else:
resp['Flags2'] = SMB.FLAGS2_NT_STATUS | SMB.FLAGS2_UNICODE
_dialects_parameters = SMBNTLMDialect_Parameters()
_dialects_data = SMBNTLMDialect_Data()
_dialects_data['Payload'] = ''
_dialects_data['Challenge'] = '\x11\x22\x33\x44\x55\x66\x77\x88'
_dialects_parameters['ChallengeLength'] = 8
_dialects_parameters['Capabilities'] = SMB.CAP_USE_NT_ERRORS | SMB.CAP_NT_SMBS
_dialects_parameters['Capabilities'] |= SMB.CAP_RPC_REMOTE_APIS
_dialects_parameters['DialectIndex'] = index
_dialects_parameters['SecurityMode'] = SMB.SECURITY_AUTH_ENCRYPTED | SMB.SECURITY_SHARE_USER
_dialects_parameters['MaxMpxCount'] = 1
_dialects_parameters['MaxNumberVcs'] = 1
_dialects_parameters['MaxBufferSize'] = 64000
_dialects_parameters['MaxRawSize'] = 65536
_dialects_parameters['SessionKey'] = 0
_dialects_parameters['LowDateTime'] = 0
_dialects_parameters['HighDateTime'] = 0
_dialects_parameters['ServerTimeZone'] = 0
respSMBCommand['Data'] = _dialects_data
respSMBCommand['Parameters'] = _dialects_parameters
resp.addCommand(respSMBCommand)
return resp
Example #13
| Source File: smbrelayclient.py From Exchange2domain with MIT License | 4 votes |
|
def sendNegotiatev1(self, negotiateMessage):
v1client = self.session.getSMBServer()
smb = NewSMBPacket()
smb['Flags1'] = SMB.FLAGS1_PATHCASELESS
smb['Flags2'] = SMB.FLAGS2_EXTENDED_SECURITY
# Are we required to sign SMB? If so we do it, if not we skip it
if v1client.is_signing_required():
smb['Flags2'] |= SMB.FLAGS2_SMB_SECURITY_SIGNATURE
sessionSetup = SMBCommand(SMB.SMB_COM_SESSION_SETUP_ANDX)
sessionSetup['Parameters'] = SMBSessionSetupAndX_Extended_Parameters()
sessionSetup['Data'] = SMBSessionSetupAndX_Extended_Data()
sessionSetup['Parameters']['MaxBufferSize'] = 65535
sessionSetup['Parameters']['MaxMpxCount'] = 2
sessionSetup['Parameters']['VcNumber'] = 1
sessionSetup['Parameters']['SessionKey'] = 0
sessionSetup['Parameters']['Capabilities'] = SMB.CAP_EXTENDED_SECURITY | SMB.CAP_USE_NT_ERRORS | SMB.CAP_UNICODE
# Let's build a NegTokenInit with the NTLMSSP
# TODO: In the future we should be able to choose different providers
blob = SPNEGO_NegTokenInit()
# NTLMSSP
blob['MechTypes'] = [TypesMech['NTLMSSP - Microsoft NTLM Security Support Provider']]
blob['MechToken'] = str(negotiateMessage)
sessionSetup['Parameters']['SecurityBlobLength'] = len(blob)
sessionSetup['Parameters'].getData()
sessionSetup['Data']['SecurityBlob'] = blob.getData()
# Fake Data here, don't want to get us fingerprinted
sessionSetup['Data']['NativeOS'] = 'Unix'
sessionSetup['Data']['NativeLanMan'] = 'Samba'
smb.addCommand(sessionSetup)
v1client.sendSMB(smb)
smb = v1client.recvSMB()
try:
smb.isValidAnswer(SMB.SMB_COM_SESSION_SETUP_ANDX)
except Exception:
LOG.error("SessionSetup Error!")
raise
else:
# We will need to use this uid field for all future requests/responses
v1client.set_uid(smb['Uid'])
# Now we have to extract the blob to continue the auth process
sessionResponse = SMBCommand(smb['Data'][0])
sessionParameters = SMBSessionSetupAndX_Extended_Response_Parameters(sessionResponse['Parameters'])
sessionData = SMBSessionSetupAndX_Extended_Response_Data(flags = smb['Flags2'])
sessionData['SecurityBlobLength'] = sessionParameters['SecurityBlobLength']
sessionData.fromString(sessionResponse['Data'])
respToken = SPNEGO_NegTokenResp(sessionData['SecurityBlob'])
return respToken['ResponseToken']
Example #14
| Source File: smbrelayclient.py From krbrelayx with MIT License | 4 votes |
|
def sendNegotiatev1(self, negotiateMessage):
v1client = self.session.getSMBServer()
smb = NewSMBPacket()
smb['Flags1'] = SMB.FLAGS1_PATHCASELESS
smb['Flags2'] = SMB.FLAGS2_EXTENDED_SECURITY
# Are we required to sign SMB? If so we do it, if not we skip it
if v1client.is_signing_required():
smb['Flags2'] |= SMB.FLAGS2_SMB_SECURITY_SIGNATURE
sessionSetup = SMBCommand(SMB.SMB_COM_SESSION_SETUP_ANDX)
sessionSetup['Parameters'] = SMBSessionSetupAndX_Extended_Parameters()
sessionSetup['Data'] = SMBSessionSetupAndX_Extended_Data()
sessionSetup['Parameters']['MaxBufferSize'] = 65535
sessionSetup['Parameters']['MaxMpxCount'] = 2
sessionSetup['Parameters']['VcNumber'] = 1
sessionSetup['Parameters']['SessionKey'] = 0
sessionSetup['Parameters']['Capabilities'] = SMB.CAP_EXTENDED_SECURITY | SMB.CAP_USE_NT_ERRORS | SMB.CAP_UNICODE
# Let's build a NegTokenInit with the NTLMSSP
# TODO: In the future we should be able to choose different providers
blob = SPNEGO_NegTokenInit()
# NTLMSSP
blob['MechTypes'] = [TypesMech['NTLMSSP - Microsoft NTLM Security Support Provider']]
blob['MechToken'] = str(negotiateMessage)
sessionSetup['Parameters']['SecurityBlobLength'] = len(blob)
sessionSetup['Parameters'].getData()
sessionSetup['Data']['SecurityBlob'] = blob.getData()
# Fake Data here, don't want to get us fingerprinted
sessionSetup['Data']['NativeOS'] = 'Unix'
sessionSetup['Data']['NativeLanMan'] = 'Samba'
smb.addCommand(sessionSetup)
v1client.sendSMB(smb)
smb = v1client.recvSMB()
try:
smb.isValidAnswer(SMB.SMB_COM_SESSION_SETUP_ANDX)
except Exception:
LOG.error("SessionSetup Error!")
raise
else:
# We will need to use this uid field for all future requests/responses
v1client.set_uid(smb['Uid'])
# Now we have to extract the blob to continue the auth process
sessionResponse = SMBCommand(smb['Data'][0])
sessionParameters = SMBSessionSetupAndX_Extended_Response_Parameters(sessionResponse['Parameters'])
sessionData = SMBSessionSetupAndX_Extended_Response_Data(flags = smb['Flags2'])
sessionData['SecurityBlobLength'] = sessionParameters['SecurityBlobLength']
sessionData.fromString(sessionResponse['Data'])
respToken = SPNEGO_NegTokenResp(sessionData['SecurityBlob'])
return respToken['ResponseToken']
Example #15
| Source File: smbrelayclient.py From PiBunny with MIT License | 4 votes |
|
def sendNegotiate(self, negotiateMessage):
smb = NewSMBPacket()
smb['Flags1'] = SMB.FLAGS1_PATHCASELESS
smb['Flags2'] = SMB.FLAGS2_EXTENDED_SECURITY
# Are we required to sign SMB? If so we do it, if not we skip it
if self._SignatureRequired:
smb['Flags2'] |= SMB.FLAGS2_SMB_SECURITY_SIGNATURE
sessionSetup = SMBCommand(SMB.SMB_COM_SESSION_SETUP_ANDX)
sessionSetup['Parameters'] = SMBSessionSetupAndX_Extended_Parameters()
sessionSetup['Data'] = SMBSessionSetupAndX_Extended_Data()
sessionSetup['Parameters']['MaxBufferSize'] = 65535
sessionSetup['Parameters']['MaxMpxCount'] = 2
sessionSetup['Parameters']['VcNumber'] = 1
sessionSetup['Parameters']['SessionKey'] = 0
sessionSetup['Parameters']['Capabilities'] = SMB.CAP_EXTENDED_SECURITY | SMB.CAP_USE_NT_ERRORS | SMB.CAP_UNICODE
# Let's build a NegTokenInit with the NTLMSSP
# TODO: In the future we should be able to choose different providers
blob = SPNEGO_NegTokenInit()
# NTLMSSP
blob['MechTypes'] = [TypesMech['NTLMSSP - Microsoft NTLM Security Support Provider']]
blob['MechToken'] = str(negotiateMessage)
sessionSetup['Parameters']['SecurityBlobLength'] = len(blob)
sessionSetup['Parameters'].getData()
sessionSetup['Data']['SecurityBlob'] = blob.getData()
# Fake Data here, don't want to get us fingerprinted
sessionSetup['Data']['NativeOS'] = 'Unix'
sessionSetup['Data']['NativeLanMan'] = 'Samba'
smb.addCommand(sessionSetup)
self.sendSMB(smb)
smb = self.recvSMB()
try:
smb.isValidAnswer(SMB.SMB_COM_SESSION_SETUP_ANDX)
except Exception:
logging.error("SessionSetup Error!")
raise
else:
# We will need to use this uid field for all future requests/responses
self._uid = smb['Uid']
# Now we have to extract the blob to continue the auth process
sessionResponse = SMBCommand(smb['Data'][0])
sessionParameters = SMBSessionSetupAndX_Extended_Response_Parameters(sessionResponse['Parameters'])
sessionData = SMBSessionSetupAndX_Extended_Response_Data(flags = smb['Flags2'])
sessionData['SecurityBlobLength'] = sessionParameters['SecurityBlobLength']
sessionData.fromString(sessionResponse['Data'])
respToken = SPNEGO_NegTokenResp(sessionData['SecurityBlob'])
return respToken['ResponseToken']
