本文整理汇总了Python中impacket.ntlm.LMOWFv1方法的典型用法代码示例。如果您正苦于以下问题:Python ntlm.LMOWFv1方法的具体用法?Python ntlm.LMOWFv1怎么用?Python ntlm.LMOWFv1使用的例子?那么恭喜您, 这里精选的方法代码示例或许可以为您提供帮助。您也可以进一步了解该方法所在类impacket.ntlm的用法示例。LMOWFv1 根据明文口令计算 LM(LAN Manager)哈希,这是一种已过时的弱哈希算法。
在下文中一共展示了ntlm.LMOWFv1方法的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。
示例1: hSamrChangePasswordUser
# 需要导入模块: from impacket import ntlm [as 别名]
# 或者: from impacket.ntlm import LMOWFv1 [as 别名]
def hSamrChangePasswordUser(dce, userHandle, oldPassword, newPassword):
    """Build and send a SamrChangePasswordUser request for an open user handle.

    Both cleartext passwords are reduced to one-way-function hashes first; the
    request only carries those hashes encrypted with one another.

    :param dce: DCE/RPC object whose ``request`` method sends the call
    :param userHandle: SAMR user handle the change applies to
    :param oldPassword: current cleartext password
    :param newPassword: replacement cleartext password
    :return: the value returned by ``dce.request``
    """
    from impacket import crypto, ntlm

    ntOld = ntlm.NTOWFv1(oldPassword)
    ntNew = ntlm.NTOWFv1(newPassword)
    # LM OWF is the legacy LAN Manager hash; it is only sent wrapped in the
    # new NT hash (see NewLmEncryptedWithNewNt below).
    lmNew = ntlm.LMOWFv1(newPassword)

    changeReq = SamrChangePasswordUser()
    changeReq['UserHandle'] = userHandle

    # No LM-keyed material: the old LM hash is never computed here.
    changeReq['LmPresent'] = 0
    changeReq['OldLmEncryptedWithNewLm'] = NULL
    changeReq['NewLmEncryptedWithOldLm'] = NULL

    # NT-keyed pair: each NT hash encrypted with the other one.
    changeReq['NtPresent'] = 1
    changeReq['OldNtEncryptedWithNewNt'] = crypto.SamEncryptNTLMHash(ntOld, ntNew)
    changeReq['NewNtEncryptedWithOldNt'] = crypto.SamEncryptNTLMHash(ntNew, ntOld)

    changeReq['NtCrossEncryptionPresent'] = 0
    changeReq['NewNtEncryptedWithNewLm'] = NULL

    changeReq['LmCrossEncryptionPresent'] = 1
    changeReq['NewLmEncryptedWithNewNt'] = crypto.SamEncryptNTLMHash(lmNew, ntNew)

    return dce.request(changeReq)
示例2: test_SamrChangePasswordUser
# 需要导入模块: from impacket import ntlm [as 别名]
# 或者: from impacket.ntlm import LMOWFv1 [as 别名]
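def test_SamrChangePasswordUser(self):
    """Create a temporary account, change its password, then delete it.

    The account ``testAccount`` starts with an empty password and is moved to
    ``'ADMIN'`` through SamrChangePasswordUser. The delete step runs in a
    ``finally`` block so a failed password change does not leave the test
    account behind on the target.
    """
    # Imported up front so a missing module fails before the account exists.
    from impacket import crypto

    dce, rpctransport, domainHandle = self.connect()

    request = samr.SamrCreateUser2InDomain()
    request['DomainHandle'] = domainHandle
    request['Name'] = 'testAccount'
    request['AccountType'] = samr.USER_NORMAL_ACCOUNT
    request['DesiredAccess'] = dtypes.MAXIMUM_ALLOWED | samr.USER_READ_GENERAL | samr.DELETE
    #request.dump()
    resp0 = dce.request(request)
    resp0.dump()

    try:
        oldPwd = ''
        oldPwdHashNT = ntlm.NTOWFv1(oldPwd)
        newPwd = 'ADMIN'
        newPwdHashNT = ntlm.NTOWFv1(newPwd)
        newPwdHashLM = ntlm.LMOWFv1(newPwd)

        request = samr.SamrChangePasswordUser()
        request['UserHandle'] = resp0['UserHandle']
        # LM-keyed fields are left empty; only NT-keyed material is sent.
        request['LmPresent'] = 0
        request['OldLmEncryptedWithNewLm'] = NULL
        request['NewLmEncryptedWithOldLm'] = NULL
        request['NtPresent'] = 1
        request['OldNtEncryptedWithNewNt'] = crypto.SamEncryptNTLMHash(oldPwdHashNT, newPwdHashNT)
        request['NewNtEncryptedWithOldNt'] = crypto.SamEncryptNTLMHash(newPwdHashNT, oldPwdHashNT)
        request['NtCrossEncryptionPresent'] = 0
        request['NewNtEncryptedWithNewLm'] = NULL
        request['LmCrossEncryptionPresent'] = 1
        request['NewLmEncryptedWithNewNt'] = crypto.SamEncryptNTLMHash(newPwdHashLM, newPwdHashNT)
        resp = dce.request(request)
        resp.dump()
    finally:
        # Delete the temp user even when the change request raised, so no
        # account with a known password survives the test run.
        request = samr.SamrDeleteUser()
        request['UserHandle'] = resp0['UserHandle']
        resp = dce.request(request)
        resp.dump()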
示例3: test_SamrOemChangePasswordUser2
# 需要导入模块: from impacket import ntlm [as 别名]
# 或者: from impacket.ntlm import LMOWFv1 [as 别名]
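def test_SamrOemChangePasswordUser2(self):
    """Exercise SamrOemChangePasswordUser2 with LM-hash keyed material.

    The new password buffer is RC4-encrypted with the old LM hash, and the old
    LM hash is sent encrypted with the new one. STATUS_WRONG_PASSWORD is
    tolerated; any other failure propagates.
    """
    try:
        from Crypto.Cipher import ARC4
    except ImportError:
        print("Warning: You don't have any crypto installed. You need PyCrypto")
        print("See http://www.pycrypto.org/")
        # ARC4 is used unconditionally below; stop here instead of hitting a
        # NameError after the connection has been set up.
        raise
    from impacket import crypto

    dce, rpctransport, domainHandle = self.connect()
    # As you can guess by now, target machine must have the Administrator account with password admin
    # NOTE: It's giving me WRONG_PASSWORD 'cause the target test server doesn't hold LM Hashes
    # further testing is needed to verify this call works
    oldPwd = 'admin'
    oldPwdHashLM = ntlm.LMOWFv1(oldPwd)
    newPwd = 'ADMIN'
    newPwdHashLM = ntlm.LMOWFv1(newPwd)

    request = samr.SamrOemChangePasswordUser2()
    request['ServerName'] = ''
    request['UserName'] = 'Administrator'

    # 512-byte buffer: filler first, password at the end, byte length in 'Length'.
    samUser = samr.SAMPR_USER_PASSWORD()
    samUser['Buffer'] = 'A'*(512-len(newPwd)) + newPwd
    samUser['Length'] = len(newPwd)
    pwdBuff = str(samUser)

    rc4 = ARC4.new(oldPwdHashLM)
    encBuf = rc4.encrypt(pwdBuff)
    request['NewPasswordEncryptedWithOldLm']['Buffer'] = encBuf
    request['OldLmOwfPasswordEncryptedWithNewLm'] = crypto.SamEncryptNTLMHash(oldPwdHashLM, newPwdHashLM)
    try:
        resp = dce.request(request)
        resp.dump()
    except Exception as e:
        if 'STATUS_WRONG_PASSWORD' not in str(e):
            raise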
示例4: test_NetrLogonSamLogonEx
# 需要导入模块: from impacket import ntlm [as 别名]
# 或者: from impacket.ntlm import LMOWFv1 [as 别名]
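def test_NetrLogonSamLogonEx(self):
    """Send a NetrLogonSamLogonEx interactive logon and dump the reply.

    The LM and NT one-way-function values come either from ``self.hashes``
    (``lmhash:nthash`` in hex) or are derived from ``self.password``; both are
    RC4-encrypted with ``self.sessionKey`` before they go into the request.
    """
    try:
        from Crypto.Cipher import ARC4
    except ImportError:
        print("Warning: You don't have any crypto installed. You need PyCrypto")
        print("See http://www.pycrypto.org/")
        # Both OWF values are encrypted unconditionally below, so a missing
        # cipher is fatal; fail here rather than with a later NameError.
        raise

    dce, rpctransport = self.connect()
    request = nrpc.NetrLogonSamLogonEx()
    request['LogonServer'] = '\x00'
    request['ComputerName'] = self.serverName + '\x00'
    request['LogonLevel'] = nrpc.NETLOGON_LOGON_INFO_CLASS.NetlogonInteractiveInformation
    request['LogonInformation']['tag'] = nrpc.NETLOGON_LOGON_INFO_CLASS.NetlogonInteractiveInformation
    request['LogonInformation']['LogonInteractive']['Identity']['LogonDomainName'] = self.domain
    # ParameterControl is a bitmask; the individual bits are kept as written upstream.
    request['LogonInformation']['LogonInteractive']['Identity']['ParameterControl'] = 2 + 2**14 + 2**7 + 2**9 + 2**5 + 2**11
    request['LogonInformation']['LogonInteractive']['Identity']['UserName'] = self.username
    request['LogonInformation']['LogonInteractive']['Identity']['Workstation'] = ''

    if len(self.hashes) > 0:
        lmhash, nthash = self.hashes.split(':')
        lmhash = unhexlify(lmhash)
        nthash = unhexlify(nthash)
    else:
        lmhash = ntlm.LMOWFv1(self.password)
        nthash = ntlm.NTOWFv1(self.password)

    # A fresh ARC4 object per value: each one is encrypted from the start of
    # the session-key keystream.
    rc4 = ARC4.new(self.sessionKey)
    lmhash = rc4.encrypt(lmhash)
    rc4 = ARC4.new(self.sessionKey)
    nthash = rc4.encrypt(nthash)

    request['LogonInformation']['LogonInteractive']['LmOwfPassword'] = lmhash
    request['LogonInformation']['LogonInteractive']['NtOwfPassword'] = nthash
    request['ValidationLevel'] = nrpc.NETLOGON_VALIDATION_INFO_CLASS.NetlogonValidationSamInfo4
    request['ExtraFlags'] = 1
    resp = dce.request(request)
    resp.dump()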
示例5: __decryptHash
# 需要导入模块: from impacket import ntlm [as 别名]
# 或者: from impacket.ntlm import LMOWFv1 [as 别名]
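def __decryptHash(self, record, prefixTable=None):
    """Extract the RID and the LM/NT hashes from one replicated object record.

    Walks the record's attribute block, picks out ``dBCSPwd``, ``unicodePwd``
    and ``objectSid``, decrypts the two password attributes and strips their
    DES layer using the RID.

    :param record: reply structure holding the object under ``pmsgOut``/``V6``
    :param prefixTable: prefix table passed to ``drsuapi.OidFromAttid``
    :return: tuple ``(rid, hex LM hash, hex NT hash)``; the hashes are
        password-equivalent and should be handled as secrets by the caller
    :raises Exception: when the objectSid attribute carries no value
    """
    logging.debug('Decrypting hash for user: %s' % record['pmsgOut']['V6']['pNC']['StringName'][:-1])

    rid = 0
    LMHash = None
    NTHash = None
    for attr in record['pmsgOut']['V6']['pObjects']['Entinf']['AttrBlock']['pAttr']:
        try:
            attId = drsuapi.OidFromAttid(prefixTable, attr['attrTyp'])
            LOOKUP_TABLE = self.ATTRTYP_TO_ATTID
        except Exception as e:
            logging.debug('Failed to execute OidFromAttid with error %s, fallbacking to fixed table' % e)
            # Fallbacking to fixed table and hope for the best
            attId = attr['attrTyp']
            LOOKUP_TABLE = self.NAME_TO_ATTRTYP

        if attId == LOOKUP_TABLE['dBCSPwd']:
            if attr['AttrVal']['valCount'] > 0:
                # bytes separator, same as the unicodePwd and objectSid branches:
                # ''.join() over bytes fragments raises TypeError on Python 3.
                encrypteddBCSPwd = b''.join(attr['AttrVal']['pAVal'][0]['pVal'])
                encryptedLMHash = drsuapi.DecryptAttributeValue(self.__drsr, encrypteddBCSPwd)
            else:
                # No stored LM hash: report the LM OWF of the empty password.
                LMHash = LMOWFv1('', '')
        elif attId == LOOKUP_TABLE['unicodePwd']:
            if attr['AttrVal']['valCount'] > 0:
                encryptedUnicodePwd = b''.join(attr['AttrVal']['pAVal'][0]['pVal'])
                encryptedNTHash = drsuapi.DecryptAttributeValue(self.__drsr, encryptedUnicodePwd)
            else:
                # No stored NT hash: report the NT OWF of the empty password.
                NTHash = NTOWFv1('', '')
        elif attId == LOOKUP_TABLE['objectSid']:
            if attr['AttrVal']['valCount'] > 0:
                objectSid = b''.join(attr['AttrVal']['pAVal'][0]['pVal'])
                # The RID is the last 32-bit little-endian word of the SID.
                rid = unpack('<L', objectSid[-4:])[0]
            else:
                raise Exception('Cannot get objectSid for %s' % record['pmsgOut']['V6']['pNC']['StringName'][:-1])

    # NOTE(review): if a record carries no dBCSPwd / unicodePwd attribute at all,
    # encryptedLMHash / encryptedNTHash are never bound and the lines below raise
    # NameError; confirm the caller always requests both attributes.
    if LMHash is None:
        LMHash = drsuapi.removeDESLayer(encryptedLMHash, rid)
    if NTHash is None:
        NTHash = drsuapi.removeDESLayer(encryptedNTHash, rid)
    return rid, hexlify(LMHash), hexlify(NTHash)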
示例6: test_SamrOemChangePasswordUser2
# 需要导入模块: from impacket import ntlm [as 别名]
# 或者: from impacket.ntlm import LMOWFv1 [as 别名]
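def test_SamrOemChangePasswordUser2(self):
    """Exercise SamrOemChangePasswordUser2 with LM-hash keyed material.

    The new password buffer is RC4-encrypted with the old LM hash, and the old
    LM hash is sent encrypted with the new one. STATUS_WRONG_PASSWORD is
    tolerated; any other failure propagates.
    """
    try:
        from Cryptodome.Cipher import ARC4
    except ImportError:
        print("Warning: You don't have any crypto installed. You need pycryptodomex")
        print("See https://pypi.org/project/pycryptodomex/")
        # ARC4 is used unconditionally below; stop here instead of hitting a
        # NameError after the connection has been set up.
        raise
    from impacket import crypto

    dce, rpctransport, domainHandle = self.connect()
    # As you can guess by now, target machine must have the Administrator account with password admin
    # NOTE: It's giving me WRONG_PASSWORD 'cause the target test server doesn't hold LM Hashes
    # further testing is needed to verify this call works
    oldPwd = 'admin'
    oldPwdHashLM = ntlm.LMOWFv1(oldPwd)
    newPwd = 'ADMIN'
    newPwdHashLM = ntlm.LMOWFv1(newPwd)

    request = samr.SamrOemChangePasswordUser2()
    request['ServerName'] = ''
    request['UserName'] = 'Administrator'

    # 512-byte buffer: filler first, password at the end, byte length in 'Length'.
    samUser = samr.SAMPR_USER_PASSWORD()
    samUser['Buffer'] = b'A'*(512-len(newPwd)) + b(newPwd)
    samUser['Length'] = len(newPwd)
    pwdBuff = samUser.getData()

    rc4 = ARC4.new(oldPwdHashLM)
    encBuf = rc4.encrypt(pwdBuff)
    request['NewPasswordEncryptedWithOldLm']['Buffer'] = encBuf
    request['OldLmOwfPasswordEncryptedWithNewLm'] = crypto.SamEncryptNTLMHash(oldPwdHashLM, newPwdHashLM)
    try:
        resp = dce.request(request)
        resp.dump()
    except Exception as e:
        if 'STATUS_WRONG_PASSWORD' not in str(e):
            raise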
示例7: __decryptHash
# 需要导入模块: from impacket import ntlm [as 别名]
# 或者: from impacket.ntlm import LMOWFv1 [as 别名]
def __decryptHash(self, record, prefixTable=None):
    """Collect the RID and the encrypted LM/NT hashes from one object record.

    Scans the record's attribute block for ``dBCSPwd``, ``unicodePwd`` and
    ``objectSid``. Password attributes with a value are decrypted through
    ``drsuapi.DecryptAttributeValue``; empty ones are replaced by the OWF of
    the empty password.

    NOTE(review): the listing stops after the attribute loop, with no return
    statement; the remainder of the method is presumably cut off - confirm
    against the full source.

    :param record: reply structure holding the object under ``pmsgOut``/``V6``
    :param prefixTable: prefix table passed to ``drsuapi.OidFromAttid``
    :raises Exception: when the objectSid attribute carries no value
    """
    userDN = record['pmsgOut']['V6']['pNC']['StringName'][:-1]
    logging.debug('Decrypting hash for user: %s' % userDN)

    rid = 0
    LMHash = None
    NTHash = None

    attributes = record['pmsgOut']['V6']['pObjects']['Entinf']['AttrBlock']['pAttr']
    for attr in attributes:
        try:
            attId = drsuapi.OidFromAttid(prefixTable, attr['attrTyp'])
            table = self.ATTRTYP_TO_ATTID
        except Exception as e:
            logging.debug('Failed to execute OidFromAttid with error %s, fallbacking to fixed table' % e)
            # Fall back to the fixed table and hope for the best
            attId = attr['attrTyp']
            table = self.NAME_TO_ATTRTYP

        if attId == table['dBCSPwd']:
            if attr['AttrVal']['valCount'] > 0:
                rawLM = ''.join(attr['AttrVal']['pAVal'][0]['pVal'])
                encryptedLMHash = drsuapi.DecryptAttributeValue(self.__drsr, rawLM)
            else:
                # No stored LM hash: use the LM OWF of the empty password.
                LMHash = LMOWFv1('', '')
        elif attId == table['unicodePwd']:
            if attr['AttrVal']['valCount'] > 0:
                rawNT = ''.join(attr['AttrVal']['pAVal'][0]['pVal'])
                encryptedNTHash = drsuapi.DecryptAttributeValue(self.__drsr, rawNT)
            else:
                # No stored NT hash: use the NT OWF of the empty password.
                NTHash = NTOWFv1('', '')
        elif attId == table['objectSid']:
            if not attr['AttrVal']['valCount'] > 0:
                raise Exception('Cannot get objectSid for %s' % record['pmsgOut']['V6']['pNC']['StringName'][:-1])
            sidBytes = ''.join(attr['AttrVal']['pAVal'][0]['pVal'])
            # The RID is the last 32-bit little-endian word of the SID.
            rid = unpack('<L', sidBytes[-4:])[0]
示例8: dump
# 需要导入模块: from impacket import ntlm [as 别名]
# 或者: from impacket.ntlm import LMOWFv1 [as 别名]
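def dump(self):
    """Decrypt every local SAM account entry and report it via the callback.

    Each account found under ``SAM\\Domains\\Account\\Users`` yields one line
    of the form ``name:rid:lmhash:nthash:::``, stored in ``self.__itemsFound``
    and passed to ``self.__perSecretCallback``. The lines contain
    password-equivalent hashes, so their destination should be treated as
    secret storage. Returns ``None``; does nothing when no SAM file was given.
    """
    NTPASSWORD = "NTPASSWORD\0"
    LMPASSWORD = "LMPASSWORD\0"

    if self.__samFile is None:
        # No SAM file provided
        return

    LOG.info('Dumping local SAM hashes (uid:rid:lmhash:nthash)')
    self.getHBootKey()

    usersKey = 'SAM\\Domains\\Account\\Users'

    # Enumerate all the RIDs
    rids = self.enumKey(usersKey)
    # Remove the Names item
    try:
        rids.remove('Names')
    except ValueError:
        # 'Names' was not listed; only that case is ignored, so unrelated
        # errors (and KeyboardInterrupt) are no longer swallowed.
        pass

    for rid in rids:
        userAccount = USER_ACCOUNT_V(self.getValue(ntpath.join(usersKey,rid,'V'))[1])
        rid = int(rid,16)

        V = userAccount['Data']

        userName = V[userAccount['NameOffset']:userAccount['NameOffset']+userAccount['NameLength']].decode('utf-16le')

        # A 20-byte entry holds a 4-byte header followed by the encrypted hash;
        # any other length is treated as "no hash stored".
        if userAccount['LMHashLength'] == 20:
            encLMHash = V[userAccount['LMHashOffset']+4:userAccount['LMHashOffset']+userAccount['LMHashLength']]
        else:
            encLMHash = ''

        if userAccount['NTHashLength'] == 20:
            encNTHash = V[userAccount['NTHashOffset']+4:userAccount['NTHashOffset']+userAccount['NTHashLength']]
        else:
            encNTHash = ''

        lmHash = self.__decryptHash(rid, encLMHash, LMPASSWORD)
        ntHash = self.__decryptHash(rid, encNTHash, NTPASSWORD)

        # Missing hashes are reported as the OWF of the empty password.
        if lmHash == '':
            lmHash = ntlm.LMOWFv1('','')
        if ntHash == '':
            ntHash = ntlm.NTOWFv1('','')

        answer = "%s:%d:%s:%s:::" % (userName, rid, hexlify(lmHash), hexlify(ntHash))
        self.__itemsFound[rid] = answer
        self.__perSecretCallback(answer)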
示例9: test_hSamrUnicodeChangePasswordUser2
# 需要导入模块: from impacket import ntlm [as 别名]
# 或者: from impacket.ntlm import LMOWFv1 [as 别名]
def test_hSamrUnicodeChangePasswordUser2(self):
    """Create ``testAccount``, set its password, then change it via the helper.

    The account is first moved from an empty password to ``'ADMIN'`` with
    SamrChangePasswordUser, then ``samr.hSamrUnicodeChangePasswordUser2`` is
    asked to change it to ``'betus'``. STATUS_PASSWORD_RESTRICTION is tolerated.

    NOTE(review): the listing ends at the "Delete the temp user" comment; the
    cleanup code is presumably cut off - confirm against the full source.
    """
    dce, rpctransport, domainHandle = self.connect()

    createReq = samr.SamrCreateUser2InDomain()
    createReq['DomainHandle'] = domainHandle
    createReq['Name'] = 'testAccount'
    createReq['AccountType'] = samr.USER_NORMAL_ACCOUNT
    createReq['DesiredAccess'] = dtypes.MAXIMUM_ALLOWED | samr.USER_READ_GENERAL | samr.DELETE
    #createReq.dump()
    created = dce.request(createReq)
    created.dump()

    emptyPwd = ''
    targetPwd = 'ADMIN'
    ntOld = ntlm.NTOWFv1(emptyPwd)
    ntNew = ntlm.NTOWFv1(targetPwd)
    lmNew = ntlm.LMOWFv1(targetPwd)

    from impacket import crypto

    changeReq = samr.SamrChangePasswordUser()
    changeReq['UserHandle'] = created['UserHandle']
    # LM-keyed fields stay empty; only NT-keyed material is sent.
    changeReq['LmPresent'] = 0
    changeReq['OldLmEncryptedWithNewLm'] = NULL
    changeReq['NewLmEncryptedWithOldLm'] = NULL
    changeReq['NtPresent'] = 1
    changeReq['OldNtEncryptedWithNewNt'] = crypto.SamEncryptNTLMHash(ntOld, ntNew)
    changeReq['NewNtEncryptedWithOldNt'] = crypto.SamEncryptNTLMHash(ntNew, ntOld)
    changeReq['NtCrossEncryptionPresent'] = 0
    changeReq['NewNtEncryptedWithNewLm'] = NULL
    changeReq['LmCrossEncryptionPresent'] = 1
    changeReq['NewLmEncryptedWithNewNt'] = crypto.SamEncryptNTLMHash(lmNew, ntNew)
    changed = dce.request(changeReq)
    changed.dump()

    try:
        changed = samr.hSamrUnicodeChangePasswordUser2(dce, '', 'testAccount', 'ADMIN', 'betus')
        changed.dump()
    except Exception as e:
        # Only a password-policy rejection is an accepted outcome.
        if 'STATUS_PASSWORD_RESTRICTION' not in str(e):
            raise
    # Delete the temp user
示例10: test_NetrLogonSamLogon
# 需要导入模块: from impacket import ntlm [as 别名]
# 或者: from impacket.ntlm import LMOWFv1 [as 别名]
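def test_NetrLogonSamLogon(self):
    """Send a NetrLogonSamLogon interactive logon and dump the reply.

    The LM and NT one-way-function values come either from ``self.hashes``
    (``lmhash:nthash`` in hex) or are derived from ``self.password``; both are
    RC4-encrypted with ``self.sessionKey``. STATUS_NO_SUCH_USER is tolerated;
    any other failure propagates.
    """
    try:
        from Crypto.Cipher import ARC4
    except ImportError:
        print("Warning: You don't have any crypto installed. You need PyCrypto")
        print("See http://www.pycrypto.org/")
        # Both OWF values are encrypted unconditionally below, so a missing
        # cipher is fatal; fail here rather than with a later NameError.
        raise

    dce, rpctransport = self.connect()
    request = nrpc.NetrLogonSamLogon()
    request['LogonServer'] = '\x00'
    request['ComputerName'] = self.serverName + '\x00'
    request['LogonLevel'] = nrpc.NETLOGON_LOGON_INFO_CLASS.NetlogonInteractiveInformation
    request['LogonInformation']['tag'] = nrpc.NETLOGON_LOGON_INFO_CLASS.NetlogonInteractiveInformation
    request['LogonInformation']['LogonInteractive']['Identity']['LogonDomainName'] = self.domain
    request['LogonInformation']['LogonInteractive']['Identity']['ParameterControl'] = 2
    request['LogonInformation']['LogonInteractive']['Identity']['UserName'] = self.username
    request['LogonInformation']['LogonInteractive']['Identity']['Workstation'] = ''

    if len(self.hashes) > 0:
        lmhash, nthash = self.hashes.split(':')
        lmhash = unhexlify(lmhash)
        nthash = unhexlify(nthash)
    else:
        lmhash = ntlm.LMOWFv1(self.password)
        nthash = ntlm.NTOWFv1(self.password)

    # A fresh ARC4 object per value: each one is encrypted from the start of
    # the session-key keystream.
    rc4 = ARC4.new(self.sessionKey)
    lmhash = rc4.encrypt(lmhash)
    rc4 = ARC4.new(self.sessionKey)
    nthash = rc4.encrypt(nthash)

    request['LogonInformation']['LogonInteractive']['LmOwfPassword'] = lmhash
    request['LogonInformation']['LogonInteractive']['NtOwfPassword'] = nthash
    request['ValidationLevel'] = nrpc.NETLOGON_VALIDATION_INFO_CLASS.NetlogonValidationSamInfo2
    request['Authenticator'] = self.update_authenticator()
    request['ReturnAuthenticator']['Credential'] = '\x00'*8
    request['ReturnAuthenticator']['Timestamp'] = 0
    try:
        resp = dce.request(request)
        resp.dump()
    except Exception as e:
        if 'STATUS_NO_SUCH_USER' not in str(e):
            raise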
示例11: hSamrUnicodeChangePasswordUser2
# 需要导入模块: from impacket import ntlm [as 别名]
# 或者: from impacket.ntlm import LMOWFv1 [as 别名]
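def hSamrUnicodeChangePasswordUser2(dce, serverName='\x00', userName='', oldPassword='', newPassword='', oldPwdHashLM = '', oldPwdHashNT = ''):
    """Build and send a SamrUnicodeChangePasswordUser2 request.

    The new password is placed at the end of a 512-byte buffer as UTF-16LE,
    RC4-encrypted with the old NT hash; the old NT hash is sent encrypted with
    the new one. LM-keyed fields are left empty (``LmPresent`` is 0).

    :param dce: DCE/RPC object whose ``request`` method sends the call
    :param serverName: value for the request's ``ServerName`` field
    :param userName: account whose password is changed
    :param oldPassword: current cleartext password, used when no hash is given
    :param newPassword: replacement cleartext password
    :param oldPwdHashLM: current LM hash, hex or binary (optional)
    :param oldPwdHashNT: current NT hash, hex or binary (optional)
    :return: the value returned by ``dce.request``
    :raises ImportError: when the ARC4 cipher module is not installed
    """
    request = SamrUnicodeChangePasswordUser2()
    request['ServerName'] = serverName
    request['UserName'] = userName

    try:
        from Crypto.Cipher import ARC4
    except ImportError:
        LOG.critical("Warning: You don't have any crypto installed. You need PyCrypto")
        LOG.critical("See http://www.pycrypto.org/")
        # ARC4 is required below; re-raise instead of failing later with a
        # NameError that hides the real cause.
        raise
    from impacket import crypto, ntlm

    if oldPwdHashLM == '' and oldPwdHashNT == '':
        oldPwdHashLM = ntlm.LMOWFv1(oldPassword)
        oldPwdHashNT = ntlm.NTOWFv1(oldPassword)
    else:
        # Let's convert the hashes to binary form, if not yet.
        # Best effort on purpose: input that is not valid hex is kept as given.
        try:
            oldPwdHashLM = unhexlify(oldPwdHashLM)
        except Exception:
            pass
        try:
            oldPwdHashNT = unhexlify(oldPwdHashNT)
        except Exception:
            pass

    newPwdHashNT = ntlm.NTOWFv1(newPassword)
    # Computed but not sent: the request below carries no LM-keyed material.
    newPwdHashLM = ntlm.LMOWFv1(newPassword)

    samUser = SAMPR_USER_PASSWORD()
    try:
        encodedPwd = newPassword.encode('utf-16le')
    except UnicodeDecodeError:
        import sys
        encodedPwd = newPassword.decode(sys.getfilesystemencoding()).encode('utf-16le')
    # Size the filler and 'Length' from the encoded bytes: len(newPassword)*2 is
    # wrong for multi-byte byte strings and for characters outside the BMP.
    samUser['Buffer'] = 'A'*(512-len(encodedPwd)) + encodedPwd
    samUser['Length'] = len(encodedPwd)
    pwdBuff = str(samUser)

    rc4 = ARC4.new(oldPwdHashNT)
    encBuf = rc4.encrypt(pwdBuff)
    request['NewPasswordEncryptedWithOldNt']['Buffer'] = encBuf
    request['OldNtOwfPasswordEncryptedWithNewNt'] = crypto.SamEncryptNTLMHash(oldPwdHashNT, newPwdHashNT)
    request['LmPresent'] = 0
    request['NewPasswordEncryptedWithOldLm'] = NULL
    request['OldLmOwfPasswordEncryptedWithNewNt'] = NULL

    return dce.request(request)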
示例12: dump
# 需要导入模块: from impacket import ntlm [as 别名]
# 或者: from impacket.ntlm import LMOWFv1 [as 别名]
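def dump(self):
    """Decrypt every local SAM account entry and report it via the callback.

    Handles both entry layouts seen in the ``V`` value: "old style"
    (``SAM_HASH``) and "new style" (``SAM_HASH_AES``). Each account yields one
    line ``name:rid:lmhash:nthash:::``, stored in ``self.__itemsFound`` and
    passed to ``self.__perSecretCallback``. The lines contain
    password-equivalent hashes, so their destination should be treated as
    secret storage. Returns ``None``; does nothing when no SAM file was given.
    """
    NTPASSWORD = "NTPASSWORD\0"
    LMPASSWORD = "LMPASSWORD\0"

    if self.__samFile is None:
        # No SAM file provided
        return

    LOG.info('Dumping local SAM hashes (uid:rid:lmhash:nthash)')
    self.getHBootKey()

    usersKey = 'SAM\\Domains\\Account\\Users'

    # Enumerate all the RIDs
    rids = self.enumKey(usersKey)
    # Remove the Names item
    try:
        rids.remove('Names')
    except ValueError:
        # 'Names' was not listed; only that case is ignored, so unrelated
        # errors (and KeyboardInterrupt) are no longer swallowed.
        pass

    for rid in rids:
        userAccount = USER_ACCOUNT_V(self.getValue(ntpath.join(usersKey,rid,'V'))[1])
        rid = int(rid,16)

        V = userAccount['Data']

        userName = V[userAccount['NameOffset']:userAccount['NameOffset']+userAccount['NameLength']].decode('utf-16le')

        # The third byte of the NT hash entry selects the layout.
        if V[userAccount['NTHashOffset']:][2] == '\x01':
            # Old Style hashes
            newStyle = False
            if userAccount['LMHashLength'] == 20:
                encLMHash = SAM_HASH(V[userAccount['LMHashOffset']:][:userAccount['LMHashLength']])
            # NOTE(review): when NTHashLength is not 20, encNTHash is not
            # assigned here; the decrypt call below then uses the previous
            # account's value (or raises NameError on the first one) - confirm
            # whether such entries can occur.
            if userAccount['NTHashLength'] == 20:
                encNTHash = SAM_HASH(V[userAccount['NTHashOffset']:][:userAccount['NTHashLength']])
        else:
            # New Style hashes
            newStyle = True
            if userAccount['LMHashLength'] == 24:
                encLMHash = SAM_HASH_AES(V[userAccount['LMHashOffset']:][:userAccount['LMHashLength']])
            encNTHash = SAM_HASH_AES(V[userAccount['NTHashOffset']:][:userAccount['NTHashLength']])

        LOG.debug('NewStyle hashes is: %s' % newStyle)
        if userAccount['LMHashLength'] >= 20:
            lmHash = self.__decryptHash(rid, encLMHash, LMPASSWORD, newStyle)
        else:
            lmHash = ''

        ntHash = self.__decryptHash(rid, encNTHash, NTPASSWORD, newStyle)

        # Missing hashes are reported as the OWF of the empty password.
        if lmHash == '':
            lmHash = ntlm.LMOWFv1('','')
        if ntHash == '':
            ntHash = ntlm.NTOWFv1('','')

        answer = "%s:%d:%s:%s:::" % (userName, rid, hexlify(lmHash), hexlify(ntHash))
        self.__itemsFound[rid] = answer
        self.__perSecretCallback(answer)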
示例13: dump
# 需要导入模块: from impacket import ntlm [as 别名]
# 或者: from impacket.ntlm import LMOWFv1 [as 别名]
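def dump(self):
    """Decrypt every local SAM account entry and print it.

    Each account found under ``SAM\\Domains\\Account\\Users`` yields one line
    of the form ``name:rid:lmhash:nthash:::``, stored in ``self.__itemsFound``
    and written to standard output. The lines contain password-equivalent
    hashes, so captured output should be treated as secret material. Returns
    ``None``; does nothing when no SAM file was given.
    """
    NTPASSWORD = "NTPASSWORD\0"
    LMPASSWORD = "LMPASSWORD\0"

    if self.__samFile is None:
        # No SAM file provided
        return

    logging.info('Dumping local SAM hashes (uid:rid:lmhash:nthash)')
    self.getHBootKey()

    usersKey = 'SAM\\Domains\\Account\\Users'

    # Enumerate all the RIDs
    rids = self.enumKey(usersKey)
    # Remove the Names item
    try:
        rids.remove('Names')
    except ValueError:
        # 'Names' was not listed; only that case is ignored, so unrelated
        # errors (and KeyboardInterrupt) are no longer swallowed.
        pass

    for rid in rids:
        userAccount = USER_ACCOUNT_V(self.getValue(ntpath.join(usersKey,rid,'V'))[1])
        rid = int(rid,16)

        V = userAccount['Data']

        userName = V[userAccount['NameOffset']:userAccount['NameOffset']+userAccount['NameLength']].decode('utf-16le')

        # A 20-byte entry holds a 4-byte header followed by the encrypted hash;
        # any other length is treated as "no hash stored".
        if userAccount['LMHashLength'] == 20:
            encLMHash = V[userAccount['LMHashOffset']+4:userAccount['LMHashOffset']+userAccount['LMHashLength']]
        else:
            encLMHash = ''

        if userAccount['NTHashLength'] == 20:
            encNTHash = V[userAccount['NTHashOffset']+4:userAccount['NTHashOffset']+userAccount['NTHashLength']]
        else:
            encNTHash = ''

        lmHash = self.__decryptHash(rid, encLMHash, LMPASSWORD)
        ntHash = self.__decryptHash(rid, encNTHash, NTPASSWORD)

        # Missing hashes are reported as the OWF of the empty password.
        if lmHash == '':
            lmHash = ntlm.LMOWFv1('','')
        if ntHash == '':
            ntHash = ntlm.NTOWFv1('','')

        answer = "%s:%d:%s:%s:::" % (userName, rid, hexlify(lmHash), hexlify(ntHash))
        self.__itemsFound[rid] = answer
        print(answer)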
示例14: hSamrUnicodeChangePasswordUser2
# 需要导入模块: from impacket import ntlm [as 别名]
# 或者: from impacket.ntlm import LMOWFv1 [as 别名]
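def hSamrUnicodeChangePasswordUser2(dce, serverName='\x00', userName='', oldPassword='', newPassword='', oldPwdHashLM = '', oldPwdHashNT = ''):
    """Build and send a SamrUnicodeChangePasswordUser2 request.

    The new password is placed at the end of a 512-byte buffer as UTF-16LE,
    RC4-encrypted with the old NT hash; the old NT hash is sent encrypted with
    the new one. LM-keyed fields are left empty (``LmPresent`` is 0).

    :param dce: DCE/RPC object whose ``request`` method sends the call
    :param serverName: value for the request's ``ServerName`` field
    :param userName: account whose password is changed
    :param oldPassword: current cleartext password, used when no hash is given
    :param newPassword: replacement cleartext password
    :param oldPwdHashLM: current LM hash, hex or binary (optional)
    :param oldPwdHashNT: current NT hash, hex or binary (optional)
    :return: the value returned by ``dce.request``
    :raises ImportError: when the ARC4 cipher module is not installed
    """
    request = SamrUnicodeChangePasswordUser2()
    request['ServerName'] = serverName
    request['UserName'] = userName

    try:
        from Cryptodome.Cipher import ARC4
    except ImportError:
        LOG.critical("Warning: You don't have any crypto installed. You need pycryptodomex")
        LOG.critical("See https://pypi.org/project/pycryptodomex/")
        # ARC4 is required below; re-raise instead of failing later with a
        # NameError that hides the real cause.
        raise
    from impacket import crypto, ntlm

    if oldPwdHashLM == '' and oldPwdHashNT == '':
        # The LM value is derived alongside the NT one but is not sent below.
        oldPwdHashLM = ntlm.LMOWFv1(oldPassword)
        oldPwdHashNT = ntlm.NTOWFv1(oldPassword)
    else:
        # Let's convert the hashes to binary form, if not yet.
        # Best effort on purpose: input that is not valid hex is kept as given.
        try:
            oldPwdHashLM = unhexlify(oldPwdHashLM)
        except Exception:
            pass
        try:
            oldPwdHashNT = unhexlify(oldPwdHashNT)
        except Exception:
            pass

    newPwdHashNT = ntlm.NTOWFv1(newPassword)

    samUser = SAMPR_USER_PASSWORD()
    try:
        encodedPwd = newPassword.encode('utf-16le')
    except UnicodeDecodeError:
        import sys
        encodedPwd = newPassword.decode(sys.getfilesystemencoding()).encode('utf-16le')
    # Size the filler and 'Length' from the encoded bytes: len(newPassword)*2 is
    # wrong for characters outside the BMP, which take four bytes in UTF-16.
    samUser['Buffer'] = b'A'*(512-len(encodedPwd)) + encodedPwd
    samUser['Length'] = len(encodedPwd)
    pwdBuff = samUser.getData()

    rc4 = ARC4.new(oldPwdHashNT)
    encBuf = rc4.encrypt(pwdBuff)
    request['NewPasswordEncryptedWithOldNt']['Buffer'] = encBuf
    request['OldNtOwfPasswordEncryptedWithNewNt'] = crypto.SamEncryptNTLMHash(oldPwdHashNT, newPwdHashNT)
    request['LmPresent'] = 0
    request['NewPasswordEncryptedWithOldLm'] = NULL
    request['OldLmOwfPasswordEncryptedWithNewNt'] = NULL

    return dce.request(request)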
示例15: test_NetrLogonSamLogonEx
# 需要导入模块: from impacket import ntlm [as 别名]
# 或者: from impacket.ntlm import LMOWFv1 [as 别名]
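def test_NetrLogonSamLogonEx(self):
    """Send a NetrLogonSamLogonEx interactive logon and dump the reply.

    The LM and NT one-way-function values come either from ``self.hashes``
    (``lmhash:nthash`` in hex) or are derived from ``self.password``; both are
    RC4-encrypted with ``self.sessionKey``. STATUS_INTERNAL_ERROR is tolerated;
    any other failure propagates.
    """
    try:
        from Cryptodome.Cipher import ARC4
    except ImportError:
        print("Warning: You don't have any crypto installed. You need pycryptodomex")
        print("See https://pypi.org/project/pycryptodomex/")
        # Both OWF values are encrypted unconditionally below, so a missing
        # cipher is fatal; fail here rather than with a later NameError.
        raise

    dce, rpctransport = self.connect()
    request = nrpc.NetrLogonSamLogonEx()
    request['LogonServer'] = '\x00'
    request['ComputerName'] = self.serverName + '\x00'
    request['LogonLevel'] = nrpc.NETLOGON_LOGON_INFO_CLASS.NetlogonInteractiveInformation
    request['LogonInformation']['tag'] = nrpc.NETLOGON_LOGON_INFO_CLASS.NetlogonInteractiveInformation
    # Only the first label of the domain name is sent.
    request['LogonInformation']['LogonInteractive']['Identity']['LogonDomainName'] = self.domain.split('.')[0]
    # ParameterControl is a bitmask; the individual bits are kept as written upstream.
    request['LogonInformation']['LogonInteractive']['Identity'][
        'ParameterControl'] = 2 + 2 ** 14 + 2 ** 7 + 2 ** 9 + 2 ** 5 + 2 ** 11
    request['LogonInformation']['LogonInteractive']['Identity']['UserName'] = self.username
    request['LogonInformation']['LogonInteractive']['Identity']['Workstation'] = ''

    if len(self.hashes) > 0:
        lmhash, nthash = self.hashes.split(':')
        lmhash = unhexlify(lmhash)
        nthash = unhexlify(nthash)
    else:
        lmhash = ntlm.LMOWFv1(self.password)
        nthash = ntlm.NTOWFv1(self.password)

    # A fresh ARC4 object per value: each one is encrypted from the start of
    # the session-key keystream.
    rc4 = ARC4.new(self.sessionKey)
    lmhash = rc4.encrypt(lmhash)
    rc4 = ARC4.new(self.sessionKey)
    nthash = rc4.encrypt(nthash)

    request['LogonInformation']['LogonInteractive']['LmOwfPassword'] = lmhash
    request['LogonInformation']['LogonInteractive']['NtOwfPassword'] = nthash
    request['ValidationLevel'] = nrpc.NETLOGON_VALIDATION_INFO_CLASS.NetlogonValidationSamInfo4
    request['ExtraFlags'] = 1
    try:
        resp = dce.request(request)
        resp.dump()
    except Exception as e:
        if 'STATUS_INTERNAL_ERROR' not in str(e):
            raise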