Commit c70d50acec2fa171ed89540641514ca620a20ca8 - pysmb

Move the RC4-encrypted session key generation from base.py to ntlm.py. The RC4-encrypted session key generated is only used when "Negotiate Key Exchange" flag is set. Michael Teo 3 years ago

2 changed file(s) with 15 addition(s) and 15 deletion(s). Raw diff Collapse all Expand all

-13

python3/smb/base.py less more

8	8	from nmb.base import NMBSession
9	9	from .utils import convertFILETIMEtoEpoch
10	10	from . import ntlm, securityblob
11		from six import b
12		import random
13		import string
14		from Crypto.Cipher import ARC4
15	11
16	12	try:
17	13	import hashlib

374	370	self.log.info('Performing NTLMv1 authentication (on SMB2) with server challenge "%s"', binascii.hexlify(server_challenge))
375	371	nt_challenge_response, lm_challenge_response, session_key = ntlm.generateChallengeResponseV1(self.password, server_challenge, True)
376	372
377		session_base_key = session_key
378		session_sign_key = b("".join([random.choice(string.digits+string.ascii_letters) for _ in range(16)]))
379		cipher = ARC4.new(session_key)
380		cipher_encrypt = cipher.encrypt
381		session_encrypted_key = cipher_encrypt(session_sign_key)
382		self.log.info("SMB keys = %s:%s:%s", session_encrypted_key.hex(), session_base_key.hex(), session_sign_key.hex())
383	373	ntlm_data = ntlm.generateAuthenticateMessage(server_flags,
384	374	nt_challenge_response,
385	375	lm_challenge_response,
386		session_encrypted_key,
	376	session_key,
387	377	self.username,
388	378	self.domain,
389	379	self.my_name)

406	396
407	397	if self.is_signing_active:
408	398	self.log.info("SMB signing activated. All SMB messages will be signed.")
409		self.signing_session_key = session_sign_key
410		self.log.info("SMB signing key = %s", self.signing_session_key.hex())
	399	self.signing_session_key = session_key
	400	if self.log.isEnabledFor(logging.DEBUG):
	401	self.log.info("SMB signing key is %s", binascii.hexlify(self.signing_session_key))
	402
411	403	if self.capabilities & CAP_EXTENDED_SECURITY:
412	404	self.signing_challenge_response = None
413	405	else:

+10

-2

python3/smb/ntlm.py less more

0	0
1		import types, hmac, binascii, struct, random
	1	import types, hmac, binascii, struct, random, string
	2	from Crypto.Cipher import ARC4
2	3	from .utils.pyDes import des
3	4
4	5	try:

80	81	return s
81	82
82	83
83		def generateAuthenticateMessage(challenge_flags, nt_response, lm_response, session_key, user, domain = 'WORKGROUP', workstation = 'LOCALHOST'):
	84	def generateAuthenticateMessage(challenge_flags, nt_response, lm_response, request_session_key, user, domain = 'WORKGROUP', workstation = 'LOCALHOST'):
84	85	"""
85	86	References:
86	87	===========

88	89	"""
89	90	FORMAT = '<8sIHHIHHIHHIHHIHHIHHII'
90	91	FORMAT_SIZE = struct.calcsize(FORMAT)
	92
	93	# [MS-NLMP]: 3.1.5.1.2
	94	# http://grutz.jingojango.net/exploits/davenport-ntlm.html
	95	session_key = request_session_key
	96	if challenge_flags & NTLM_NegotiateKeyExchange:
	97	cipher = ARC4.new(request_session_key)
	98	session_key = cipher.encrypt("".join([ random.choice(string.digits+string.ascii_letters) for _ in range(16) ]).encode('ascii'))
91	99
92	100	lm_response_length = len(lm_response)
93	101	lm_response_offset = FORMAT_SIZE