Backport changes to RC4-encrypted session key generation from python3 to python2.
Michael Teo
3 years ago
| 401 | 401 |
|
| 402 | 402 |
if self.is_signing_active:
|
| 403 | 403 |
self.log.info("SMB signing activated. All SMB messages will be signed.")
|
| 404 | |
self.signing_session_key = (session_key + '\0'*16)[:16]
|
|
404 |
self.signing_session_key = session_key
|
|
405 |
if self.log.isEnabledFor(logging.DEBUG):
|
|
406 |
self.log.info("SMB signing key is %s", binascii.hexlify(self.signing_session_key))
|
|
407 |
|
| 405 | 408 |
if self.capabilities & CAP_EXTENDED_SECURITY:
|
| 406 | 409 |
self.signing_challenge_response = None
|
| 407 | 410 |
else:
|
| 0 | 0 |
|
| 1 | |
import types, hmac, binascii, struct, random
|
|
1 |
import types, hmac, binascii, struct, random, string
|
|
2 |
from Crypto.Cipher import ARC4
|
| 2 | 3 |
from utils.pyDes import des
|
| 3 | 4 |
|
| 4 | 5 |
try:
|
|
| 80 | 81 |
return s
|
| 81 | 82 |
|
| 82 | 83 |
|
| 83 | |
def generateAuthenticateMessage(challenge_flags, nt_response, lm_response, session_key, user, domain = 'WORKGROUP', workstation = 'LOCALHOST'):
|
|
84 |
def generateAuthenticateMessage(challenge_flags, nt_response, lm_response, request_session_key, user, domain = 'WORKGROUP', workstation = 'LOCALHOST'):
|
| 84 | 85 |
"""
|
| 85 | 86 |
References:
|
| 86 | 87 |
===========
|
|
| 88 | 89 |
"""
|
| 89 | 90 |
FORMAT = '<8sIHHIHHIHHIHHIHHIHHII'
|
| 90 | 91 |
FORMAT_SIZE = struct.calcsize(FORMAT)
|
|
92 |
|
|
93 |
# [MS-NLMP]: 3.1.5.1.2
|
|
94 |
# http://grutz.jingojango.net/exploits/davenport-ntlm.html
|
|
95 |
session_key = request_session_key
|
|
96 |
if challenge_flags & NTLM_NegotiateKeyExchange:
|
|
97 |
cipher = ARC4.new(request_session_key)
|
|
98 |
session_key = cipher.encrypt("".join([ random.choice(string.digits+string.ascii_letters) for _ in range(16) ]).encode('ascii'))
|
| 91 | 99 |
|
| 92 | 100 |
lm_response_length = len(lm_response)
|
| 93 | 101 |
lm_response_offset = FORMAT_SIZE
|