Changed the complete LDAP parsing hash algo (ntlmv2 bug).

2025-08-19 21:03:33 -07:00 · 2017-09-04 23:15:27 -03:00 · 2017-09-04 23:15:27 -03:00 · 679cf65cff
commit 679cf65cff
parent be26b504b5
1 changed files with 42 additions and 26 deletions
--- a/servers/LDAP.py
+++ b/servers/LDAP.py
@ -27,37 +27,53 @@ def ParseSearch(data):
 	elif re.search(r'(?i)(objectClass0*.*supportedSASLMechanisms)', data):
 		return str(LDAPSearchSupportedMechanismsPacket(MessageIDASNStr=data[8:9],MessageIDASN2Str=data[8:9]))
-def ParseLDAPHash(data, client, Challenge):
+def ParseLDAPHash(data,client, Challenge):  #Parse LDAP NTLMSSP v1/v2
-	SSPIStart = data[42:]
+        SSPIStart  = data.find('NTLMSSP')
-	LMhashLen = struct.unpack('<H',data[54:56])[0]
+        SSPIString = data[SSPIStart:]
 	LMhashLen    = struct.unpack('<H',data[SSPIStart+14:SSPIStart+16])[0]
 	LMhashOffset = struct.unpack('<H',data[SSPIStart+16:SSPIStart+18])[0]
 	LMHash       = SSPIString[LMhashOffset:LMhashOffset+LMhashLen].encode("hex").upper()
 	NthashLen    = struct.unpack('<H',data[SSPIStart+20:SSPIStart+22])[0]
 	NthashOffset = struct.unpack('<H',data[SSPIStart+24:SSPIStart+26])[0]
-	if LMhashLen > 10:
+	if NthashLen == 24:
-		LMhashOffset = struct.unpack('<H',data[58:60])[0]
+		SMBHash      = SSPIString[NthashOffset:NthashOffset+NthashLen].encode("hex").upper()
-		LMHash       = SSPIStart[LMhashOffset:LMhashOffset+LMhashLen].encode("hex").upper()
+		DomainLen    = struct.unpack('<H',SSPIString[30:32])[0]
-		
+		DomainOffset = struct.unpack('<H',SSPIString[32:34])[0]
-		NthashLen    = struct.unpack('<H',data[64:66])[0]
+		Domain       = SSPIString[DomainOffset:DomainOffset+DomainLen].decode('UTF-16LE')
-		NthashOffset = struct.unpack('<H',data[66:68])[0]
+		UserLen      = struct.unpack('<H',SSPIString[38:40])[0]
-		NtHash       = SSPIStart[NthashOffset:NthashOffset+NthashLen].encode("hex").upper()
+		UserOffset   = struct.unpack('<H',SSPIString[40:42])[0]
-		
+		Username     = SSPIString[UserOffset:UserOffset+UserLen].decode('UTF-16LE')
-		DomainLen    = struct.unpack('<H',data[72:74])[0]
+		WriteHash    = '%s::%s:%s:%s:%s' % (Username, Domain, LMHash, SMBHash, Challenge.encode('hex'))
 		DomainOffset = struct.unpack('<H',data[74:76])[0]
 		Domain       = SSPIStart[DomainOffset:DomainOffset+DomainLen].replace('\x00','')
 		UserLen      = struct.unpack('<H',data[80:82])[0]
 		UserOffset   = struct.unpack('<H',data[82:84])[0]
 		User         = SSPIStart[UserOffset:UserOffset+UserLen].replace('\x00','')
 		WriteHash    = User + "::" + Domain + ":" + LMHash + ":" + NtHash + ":" + Challenge.encode('hex')
 		SaveToDb({
-			'module': 'LDAP',
+			'module': 'LDAP', 
-			'type': 'NTLMv1',
+			'type': 'NTLMv1-SSP', 
-			'client': client,
+			'client': client, 
-			'user': Domain+'\\'+User,
+			'user': Domain+'\\'+Username, 
-			'hash': NtHash,
+			'hash': SMBHash, 
 			'fullhash': WriteHash,
 		})
-	
+
 	if NthashLen > 60:
 		SMBHash      = SSPIString[NthashOffset:NthashOffset+NthashLen].encode("hex").upper()
 		DomainLen    = struct.unpack('<H',SSPIString[30:32])[0]
 		DomainOffset = struct.unpack('<H',SSPIString[32:34])[0]
 		Domain       = SSPIString[DomainOffset:DomainOffset+DomainLen].decode('UTF-16LE')
 		UserLen      = struct.unpack('<H',SSPIString[38:40])[0]
 		UserOffset   = struct.unpack('<H',SSPIString[40:42])[0]
 		Username     = SSPIString[UserOffset:UserOffset+UserLen].decode('UTF-16LE')
 		WriteHash    = '%s::%s:%s:%s:%s' % (Username, Domain, Challenge.encode('hex'), SMBHash[:32], SMBHash[32:])
 		SaveToDb({
 			'module': 'LDAP', 
 			'type': 'NTLMv2', 
 			'client': client, 
 			'user': Domain+'\\'+Username, 
 			'hash': SMBHash, 
 			'fullhash': WriteHash,
 		})
 	if LMhashLen < 2 and settings.Config.Verbose:
 		print text("[LDAP] Ignoring anonymous NTLM authentication")