Remove dependency on pycrypto and use our own implementation of RC4 cipher
Michael Teo
3 years ago
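--- a/PATH-NOT-ON-PAGE-1
+++ b/PATH-NOT-ON-PAGE-1
@@ -0,6 +0,6 @@
 
 import types, hmac, binascii, struct, random, string
-from Crypto.Cipher import ARC4
+from .utils.rc4 import RC4_encrypt
 from utils.pyDes import des
 
 try:
@@ -94,9 +94,8 @@
 # http://grutz.jingojango.net/exploits/davenport-ntlm.html
 session_key = session_signing_key = request_session_key
 if challenge_flags & NTLM_NegotiateKeyExchange:
-cipher = ARC4.new(request_session_key)
 session_signing_key = "".join([ random.choice(string.digits+string.ascii_letters) for _ in range(16) ]).encode('ascii')
-session_key = cipher.encrypt(session_signing_key)
+session_key = RC4_encrypt(request_session_key, session_signing_key)
 
 lm_response_length = len(lm_response)
 lm_response_offset = FORMAT_SIZE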
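Review bot: The value the new `session_key = RC4_encrypt(request_session_key, session_signing_key)` line wraps is still produced on the line above it by `random.choice` over digits and letters, so the exported session key comes from a non-cryptographic generator and carries roughly 95 bits rather than 128; `os.urandom(16)` would give a full-strength key, though `os` is not on the visible import line, and the same line is kept in the Python 3 copy of this module further down the page. In the import hunk, the added `from .utils.rc4 import RC4_encrypt` is an explicit relative import while the untouched next line keeps the implicit `from utils.pyDes import des`, so this Python 2 module now mixes both styles; `from utils.rc4 import RC4_encrypt` would match its neighbour. The function containing the second hunk starts and ends outside the section.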
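--- /dev/null
+++ b/PATH-NOT-ON-PAGE-2
@@ -0,0 +0,22 @@
+
+def RC4_encrypt(key, data):
+S = list(range(256))
+j = 0
+
+key_len = len(key)
+for i in list(range(256)):
+j = (j + S[i] + ord(key[i % key_len])) % 256
+S[i], S[j] = S[j], S[i]
+
+j = 0
+y = 0
+out = []
+
+for char in data:
+j = (j + 1) % 256
+y = (y + S[j]) % 256
+S[j], S[y] = S[y], S[j]
+
+out.append(chr(ord(char) ^ S[(S[j] + S[y]) % 256]))
+
+return ''.join(out)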
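Review bot: `RC4_encrypt` has no guard for an empty key, so the first key-schedule iteration fails at `ord(key[i % key_len])` with a bare `ZeroDivisionError` from `i % 0`; adding `if not key: raise ValueError("RC4 key must not be empty")` before `key_len = len(key)` names the actual problem. The function also has no docstring; it should say that this is a plain RC4 keystream XOR kept only for the NTLM key-exchange path that calls it above, that the same call decrypts, and that in this Python 2 copy `key` and `data` are byte strings because `ord` is applied to each element and `''.join` rebuilds the result. `for i in list(range(256))` wraps what is already a list on Python 2, so `for i in range(256)` is enough. The empty-key guard and the redundant `list()` apply equally to the Python 3 copy of this file at the end of the page.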
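--- a/PATH-NOT-ON-PAGE-3
+++ b/PATH-NOT-ON-PAGE-3
@@ -1904,13 +1904,13 @@
 self.log.info('Performing NTLMv1 authentication (with extended security) with server challenge "%s"', binascii.hexlify(server_challenge))
 nt_challenge_response, lm_challenge_response, session_key = ntlm.generateChallengeResponseV1(self.password, server_challenge, True)
 
-ntlm_data, signing_session_key = ntlm.generateAuthenticateMessage(server_flags,
-nt_challenge_response,
-lm_challenge_response,
-session_key,
-self.username,
-self.domain,
-self.my_name)
+ntlm_data, signing_session_key = ntlm.generateAuthenticateMessage(server_flags,
+nt_challenge_response,
+lm_challenge_response,
+session_key,
+self.username,
+self.domain,
+self.my_name)
 
 if self.log.isEnabledFor(logging.DEBUG):
 self.log.debug('NT challenge response is "%s" (%d bytes)', binascii.hexlify(nt_challenge_response), len(nt_challenge_response))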
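--- a/PATH-NOT-ON-PAGE-4
+++ b/PATH-NOT-ON-PAGE-4
@@ -0,6 +0,6 @@
 
 import types, hmac, binascii, struct, random, string
-from Crypto.Cipher import ARC4
+from .utils.rc4 import RC4_encrypt
 from .utils.pyDes import des
 
 try:
@@ -94,9 +94,8 @@
 # http://grutz.jingojango.net/exploits/davenport-ntlm.html
 session_key = session_signing_key = request_session_key
 if challenge_flags & NTLM_NegotiateKeyExchange:
-cipher = ARC4.new(request_session_key)
 session_signing_key = "".join([ random.choice(string.digits+string.ascii_letters) for _ in range(16) ]).encode('ascii')
-session_key = cipher.encrypt(session_signing_key)
+session_key = RC4_encrypt(request_session_key, session_signing_key)
 
 lm_response_length = len(lm_response)
 lm_response_offset = FORMAT_SIZE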
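--- /dev/null
+++ b/PATH-NOT-ON-PAGE-5
@@ -0,0 +0,22 @@
+
+def RC4_encrypt(key, data):
+S = list(range(256))
+j = 0
+
+key_len = len(key)
+for i in list(range(256)):
+j = (j + S[i] + key[i % key_len]) % 256
+S[i], S[j] = S[j], S[i]
+
+j = 0
+y = 0
+out = []
+
+for char in data:
+j = (j + 1) % 256
+y = (y + S[j]) % 256
+S[j], S[y] = S[y], S[j]
+
+out.append(char ^ S[(S[j] + S[y]) % 256])
+
+return bytes(out)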
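Review bot: This Python 3 `RC4_encrypt` silently requires bytes-like input: `key[i % key_len]` and `char ^ S[...]` both assume integer elements, so a `str` passed for either argument only fails inside the loop with a `TypeError` about `int` and `str`. A one-line docstring, `key and data must be bytes or bytearray; returns bytes`, or an early `if isinstance(key, str) or isinstance(data, str): raise TypeError("RC4_encrypt expects bytes")`, would surface the contract at the key-exchange call site above, where `session_signing_key` is built with `.encode('ascii')` but the type of `request_session_key` is not visible on this page. The empty-key guard and the redundant `list(range(256))` raised on the Python 2 copy apply here too.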