Coverage for /pythoncovmergedfiles/medio/medio/usr/local/lib/python3.11/site-packages/scapy/layers/ntlm.py: 35%

1# SPDX-License-Identifier: GPL-2.0-only 

2# This file is part of Scapy 

3# See https://scapy.net/ for more information 

4# Copyright (C) Gabriel Potter 

5 

6""" 

7NTLM 

8 

9This is documented in [MS-NLMP] 

10 

11.. note:: 

12 You will find more complete documentation for this layer over at 

13 `GSSAPI <https://scapy.readthedocs.io/en/latest/layers/gssapi.html#ntlm>`_ 

14""" 

15 

16import copy 

17import time 

18import os 

19import struct 

20 

21from enum import IntEnum 

22 

23from scapy.asn1.asn1 import ASN1_Codecs 

24from scapy.asn1.mib import conf # loads conf.mib 

25from scapy.asn1fields import ( 

26 ASN1F_OID, 

27 ASN1F_PRINTABLE_STRING, 

28 ASN1F_SEQUENCE, 

29 ASN1F_SEQUENCE_OF, 

30) 

31from scapy.asn1packet import ASN1_Packet 

32from scapy.config import crypto_validator 

33from scapy.compat import bytes_base64 

34from scapy.error import log_runtime 

35from scapy.fields import ( 

36 ByteEnumField, 

37 ByteField, 

38 ConditionalField, 

39 Field, 

40 FieldLenField, 

41 FlagsField, 

42 LEIntEnumField, 

43 LEIntField, 

44 LEShortEnumField, 

45 LEShortField, 

46 LEThreeBytesField, 

47 MultipleTypeField, 

48 PacketField, 

49 PacketListField, 

50 StrField, 

51 StrFieldUtf16, 

52 StrFixedLenField, 

53 StrLenFieldUtf16, 

54 UTCTimeField, 

55 XStrField, 

56 XStrFixedLenField, 

57 XStrLenField, 

58 _StrField, 

59) 

60from scapy.packet import Packet 

61from scapy.sessions import StringBuffer 

62 

63from scapy.layers.gssapi import ( 

64 _GSSAPI_OIDS, 

65 _GSSAPI_SIGNATURE_OIDS, 

66 GSS_C_FLAGS, 

67 GSS_C_NO_CHANNEL_BINDINGS, 

68 GSS_S_BAD_BINDINGS, 

69 GSS_S_COMPLETE, 

70 GSS_S_CONTINUE_NEEDED, 

71 GSS_S_DEFECTIVE_CREDENTIAL, 

72 GSS_S_DEFECTIVE_TOKEN, 

73 GSS_S_FLAGS, 

74 GssChannelBindings, 

75 SSP, 

76) 

77 

78# Typing imports 

79from typing import ( 

80 Any, 

81 Callable, 

82 List, 

83 Optional, 

84 Tuple, 

85 Union, 

86) 

87 

88# Crypto imports 

89 

90from scapy.layers.tls.crypto.hash import Hash_MD4, Hash_MD5 

91from scapy.layers.tls.crypto.h_mac import Hmac_MD5 

92 

93########## 

94# Fields # 

95########## 

96 

97 

98# NTLM structures are all in all very complicated. Many fields don't have a fixed 

99# position, but are rather referred to with an offset (from the beginning of the 

100# structure) and a length. In addition to that, there are variants of the structure 

101# with missing fields when running old versions of Windows (sometimes also seen when 

102# talking to products that reimplement NTLM, most notably backup applications). 

103 

104# We add `_NTLMPayloadField` and `_NTLMPayloadPacket` to parse fields that use an 

105# offset, and `_NTLM_post_build` to be able to rebuild those offsets. 

106# In addition, the `NTLM_VARIANT*` allows to select what flavor of NTLM to use 

107# (NT, XP, or Recent). But in real world use only Recent should be used. 

108 

109 

110class _NTLMPayloadField(_StrField[List[Tuple[str, Any]]]): 

111 """Special field used to dissect NTLM payloads. 

112 This isn't trivial because the offsets are variable.""" 

113 

114 __slots__ = [ 

115 "fields", 

116 "fields_map", 

117 "offset", 

118 "length_from", 

119 "force_order", 

120 "offset_name", 

121 ] 

122 islist = True 

123 

124 def __init__( 

125 self, 

126 name, # type: str 

127 offset, # type: Union[int, Callable[[Packet], int]] 

128 fields, # type: List[Field[Any, Any]] 

129 length_from=None, # type: Optional[Callable[[Packet], int]] 

130 force_order=None, # type: Optional[List[str]] 

131 offset_name="BufferOffset", # type: str 

132 ): 

133 # type: (...) -> None 

134 self.offset = offset 

135 self.fields = fields 

136 self.fields_map = {field.name: field for field in fields} 

137 self.length_from = length_from 

138 self.force_order = force_order # whether the order of fields is fixed 

139 self.offset_name = offset_name 

140 super(_NTLMPayloadField, self).__init__( 

141 name, 

142 [ 

143 (field.name, field.default) 

144 for field in fields 

145 if field.default is not None 

146 ], 

147 ) 

148 

149 def _on_payload(self, pkt, x, func): 

150 # type: (Optional[Packet], bytes, str) -> List[Tuple[str, Any]] 

151 if not pkt or not x: 

152 return [] 

153 results = [] 

154 for field_name, value in x: 

155 if field_name not in self.fields_map: 

156 continue 

157 if not isinstance( 

158 self.fields_map[field_name], PacketListField 

159 ) and not isinstance(value, Packet): 

160 value = getattr(self.fields_map[field_name], func)(pkt, value) 

161 results.append((field_name, value)) 

162 return results 

163 

164 def i2h(self, pkt, x): 

165 # type: (Optional[Packet], bytes) -> List[Tuple[str, str]] 

166 return self._on_payload(pkt, x, "i2h") 

167 

168 def h2i(self, pkt, x): 

169 # type: (Optional[Packet], bytes) -> List[Tuple[str, str]] 

170 return self._on_payload(pkt, x, "h2i") 

171 

172 def i2repr(self, pkt, x): 

173 # type: (Optional[Packet], bytes) -> str 

174 return repr(self._on_payload(pkt, x, "i2repr")) 

175 

176 def _o_pkt(self, pkt): 

177 # type: (Optional[Packet]) -> int 

178 if callable(self.offset): 

179 return self.offset(pkt) 

180 return self.offset 

181 

182 def addfield(self, pkt, s, val): 

183 # type: (Optional[Packet], bytes, Optional[List[Tuple[str, str]]]) -> bytes 

184 # Create string buffer 

185 buf = StringBuffer() 

186 buf.append(s, 1) 

187 # Calc relative offset 

188 r_off = self._o_pkt(pkt) - len(s) 

189 if self.force_order: 

190 val.sort(key=lambda x: self.force_order.index(x[0])) 

191 for field_name, value in val: 

192 if field_name not in self.fields_map: 

193 continue 

194 field = self.fields_map[field_name] 

195 offset = pkt.getfieldval(field_name + self.offset_name) 

196 if offset is None: 

197 # No offset specified: calc 

198 offset = len(buf) 

199 else: 

200 # Calc relative offset 

201 offset -= r_off 

202 pad = offset + 1 - len(buf) 

203 # Add padding if necessary 

204 if pad > 0: 

205 buf.append(pad * b"\x00", len(buf)) 

206 buf.append(field.addfield(pkt, bytes(buf), value)[len(buf) :], offset + 1) 

207 return bytes(buf) 

208 

209 def getfield(self, pkt, s): 

210 # type: (Packet, bytes) -> Tuple[bytes, List[Tuple[str, str]]] 

211 if self.length_from is None: 

212 ret, remain = b"", s 

213 else: 

214 len_pkt = self.length_from(pkt) 

215 ret, remain = s[len_pkt:], s[:len_pkt] 

216 if not pkt or not remain: 

217 return s, [] 

218 results = [] 

219 max_offset = 0 

220 o_pkt = self._o_pkt(pkt) 

221 offsets = [ 

222 pkt.getfieldval(x.name + self.offset_name) - o_pkt for x in self.fields 

223 ] 

224 for i, field in enumerate(self.fields): 

225 offset = offsets[i] 

226 try: 

227 length = pkt.getfieldval(field.name + "Len") 

228 except AttributeError: 

229 length = len(remain) - offset 

230 # length can't be greater than the difference with the next offset 

231 try: 

232 length = min(length, min(x - offset for x in offsets if x > offset)) 

233 except ValueError: 

234 pass 

235 if offset < 0: 

236 continue 

237 max_offset = max(offset + length, max_offset) 

238 if remain[offset : offset + length]: 

239 results.append( 

240 ( 

241 offset, 

242 field.name, 

243 field.getfield(pkt, remain[offset : offset + length])[1], 

244 ) 

245 ) 

246 ret += remain[max_offset:] 

247 results.sort(key=lambda x: x[0]) 

248 return ret, [x[1:] for x in results] 

249 

250 

251class _NTLMPayloadPacket(Packet): 

252 _NTLM_PAYLOAD_FIELD_NAME = "Payload" 

253 

254 def __init__( 

255 self, 

256 _pkt=b"", # type: Union[bytes, bytearray] 

257 post_transform=None, # type: Any 

258 _internal=0, # type: int 

259 _underlayer=None, # type: Optional[Packet] 

260 _parent=None, # type: Optional[Packet] 

261 **fields, # type: Any 

262 ): 

263 # pop unknown fields. We can't process them until the packet is initialized 

264 unknown = { 

265 k: fields.pop(k) 

266 for k in list(fields) 

267 if not any(k == f.name for f in self.fields_desc) 

268 } 

269 super(_NTLMPayloadPacket, self).__init__( 

270 _pkt=_pkt, 

271 post_transform=post_transform, 

272 _internal=_internal, 

273 _underlayer=_underlayer, 

274 _parent=_parent, 

275 **fields, 

276 ) 

277 # check unknown fields for implicit ones 

278 local_fields = next( 

279 [y.name for y in x.fields] 

280 for x in self.fields_desc 

281 if x.name == self._NTLM_PAYLOAD_FIELD_NAME 

282 ) 

283 implicit_fields = {k: v for k, v in unknown.items() if k in local_fields} 

284 for k, value in implicit_fields.items(): 

285 self.setfieldval(k, value) 

286 

287 def getfieldval(self, attr): 

288 # Ease compatibility with _NTLMPayloadField 

289 try: 

290 return super(_NTLMPayloadPacket, self).getfieldval(attr) 

291 except AttributeError: 

292 try: 

293 return next( 

294 x[1] 

295 for x in super(_NTLMPayloadPacket, self).getfieldval( 

296 self._NTLM_PAYLOAD_FIELD_NAME 

297 ) 

298 if x[0] == attr 

299 ) 

300 except StopIteration: 

301 raise AttributeError(attr) 

302 

303 def getfield_and_val(self, attr): 

304 # Ease compatibility with _NTLMPayloadField 

305 try: 

306 return super(_NTLMPayloadPacket, self).getfield_and_val(attr) 

307 except ValueError: 

308 PayFields = self.get_field(self._NTLM_PAYLOAD_FIELD_NAME).fields_map 

309 try: 

310 return ( 

311 PayFields[attr], 

312 PayFields[attr].h2i( # cancel out the i2h.. it's dumb i know 

313 self, 

314 next( 

315 x[1] 

316 for x in super(_NTLMPayloadPacket, self).__getattr__( 

317 self._NTLM_PAYLOAD_FIELD_NAME 

318 ) 

319 if x[0] == attr 

320 ), 

321 ), 

322 ) 

323 except (StopIteration, KeyError): 

324 raise ValueError(attr) 

325 

326 def setfieldval(self, attr, val): 

327 # Ease compatibility with _NTLMPayloadField 

328 try: 

329 return super(_NTLMPayloadPacket, self).setfieldval(attr, val) 

330 except AttributeError: 

331 Payload = super(_NTLMPayloadPacket, self).__getattr__( 

332 self._NTLM_PAYLOAD_FIELD_NAME 

333 ) 

334 if attr not in self.get_field(self._NTLM_PAYLOAD_FIELD_NAME).fields_map: 

335 raise AttributeError(attr) 

336 try: 

337 Payload.pop( 

338 next( 

339 i 

340 for i, x in enumerate( 

341 super(_NTLMPayloadPacket, self).__getattr__( 

342 self._NTLM_PAYLOAD_FIELD_NAME 

343 ) 

344 ) 

345 if x[0] == attr 

346 ) 

347 ) 

348 except StopIteration: 

349 pass 

350 Payload.append([attr, val]) 

351 super(_NTLMPayloadPacket, self).setfieldval( 

352 self._NTLM_PAYLOAD_FIELD_NAME, Payload 

353 ) 

354 

355 

356class _NTLM_ENUM(IntEnum): 

357 LEN = 0x0001 

358 MAXLEN = 0x0002 

359 OFFSET = 0x0004 

360 COUNT = 0x0008 

361 PAD8 = 0x1000 

362 

363 

364_NTLM_CONFIG = [ 

365 ("Len", _NTLM_ENUM.LEN), 

366 ("MaxLen", _NTLM_ENUM.MAXLEN), 

367 ("BufferOffset", _NTLM_ENUM.OFFSET), 

368] 

369 

370 

371def _NTLM_post_build(self, p, pay_offset, fields, config=_NTLM_CONFIG): 

372 """Util function to build the offset and populate the lengths""" 

373 for field_name, value in self.fields[self._NTLM_PAYLOAD_FIELD_NAME]: 

374 fld = self.get_field(self._NTLM_PAYLOAD_FIELD_NAME).fields_map[field_name] 

375 length = fld.i2len(self, value) 

376 count = fld.i2count(self, value) 

377 offset = fields[field_name] 

378 i = 0 

379 r = lambda y: {2: "H", 4: "I", 8: "Q"}[y] 

380 for fname, ftype in config: 

381 if isinstance(ftype, dict): 

382 ftype = ftype[field_name] 

383 if ftype & _NTLM_ENUM.LEN: 

384 fval = length 

385 elif ftype & _NTLM_ENUM.OFFSET: 

386 fval = pay_offset 

387 elif ftype & _NTLM_ENUM.MAXLEN: 

388 fval = length 

389 elif ftype & _NTLM_ENUM.COUNT: 

390 fval = count 

391 else: 

392 raise ValueError 

393 if ftype & _NTLM_ENUM.PAD8: 

394 fval += (-fval) % 8 

395 sz = self.get_field(field_name + fname).sz 

396 if self.getfieldval(field_name + fname) is None: 

397 p = ( 

398 p[: offset + i] 

399 + struct.pack("<%s" % r(sz), fval) 

400 + p[offset + i + sz :] 

401 ) 

402 i += sz 

403 pay_offset += length 

404 return p 

405 

406 

407############## 

408# Structures # 

409############## 

410 

411 

412# -- Util: VARIANT class 

413 

414 

415class NTLM_VARIANT(IntEnum): 

416 """ 

417 The message variant to use for NTLM. 

418 """ 

419 

420 NT_OR_2000 = 0 

421 XP_OR_2003 = 1 

422 RECENT = 2 

423 

424 

425class _NTLM_VARIANT_Packet(_NTLMPayloadPacket): 

426 def __init__(self, *args, **kwargs): 

427 self.VARIANT = kwargs.pop("VARIANT", NTLM_VARIANT.RECENT) 

428 super(_NTLM_VARIANT_Packet, self).__init__(*args, **kwargs) 

429 

430 def clone_with(self, *args, **kwargs): 

431 pkt = super(_NTLM_VARIANT_Packet, self).clone_with(*args, **kwargs) 

432 pkt.VARIANT = self.VARIANT 

433 return pkt 

434 

435 def copy(self): 

436 pkt = super(_NTLM_VARIANT_Packet, self).copy() 

437 pkt.VARIANT = self.VARIANT 

438 

439 return pkt 

440 

441 def show2(self, dump=False, indent=3, lvl="", label_lvl=""): 

442 return self.__class__(bytes(self), VARIANT=self.VARIANT).show( 

443 dump, indent, lvl, label_lvl 

444 ) 

445 

446 

447# Sect 2.2 

448 

449 

450class NTLM_Header(Packet): 

451 name = "NTLM Header" 

452 fields_desc = [ 

453 StrFixedLenField("Signature", b"NTLMSSP\0", length=8), 

454 LEIntEnumField( 

455 "MessageType", 

456 3, 

457 { 

458 1: "NEGOTIATE_MESSAGE", 

459 2: "CHALLENGE_MESSAGE", 

460 3: "AUTHENTICATE_MESSAGE", 

461 }, 

462 ), 

463 ] 

464 

465 @classmethod 

466 def dispatch_hook(cls, _pkt=None, *args, **kargs): 

467 if cls is NTLM_Header and _pkt and len(_pkt) >= 10: 

468 MessageType = struct.unpack("<H", _pkt[8:10])[0] 

469 if MessageType == 1: 

470 return NTLM_NEGOTIATE 

471 elif MessageType == 2: 

472 return NTLM_CHALLENGE 

473 elif MessageType == 3: 

474 return NTLM_AUTHENTICATE_V2 

475 return cls 

476 

477 

478# Sect 2.2.2.5 

479_negotiateFlags = [ 

480 "NEGOTIATE_UNICODE", # A 

481 "NEGOTIATE_OEM", # B 

482 "REQUEST_TARGET", # C 

483 "r10", 

484 "NEGOTIATE_SIGN", # D 

485 "NEGOTIATE_SEAL", # E 

486 "NEGOTIATE_DATAGRAM", # F 

487 "NEGOTIATE_LM_KEY", # G 

488 "r9", 

489 "NEGOTIATE_NTLM", # H 

490 "r8", 

491 "J", 

492 "NEGOTIATE_OEM_DOMAIN_SUPPLIED", # K 

493 "NEGOTIATE_OEM_WORKSTATION_SUPPLIED", # L 

494 "NEGOTIATE_LOCAL_CALL", 

495 "NEGOTIATE_ALWAYS_SIGN", # M 

496 "TARGET_TYPE_DOMAIN", # N 

497 "TARGET_TYPE_SERVER", # O 

498 "r6", 

499 "NEGOTIATE_EXTENDED_SESSIONSECURITY", # P 

500 "NEGOTIATE_IDENTIFY", # Q 

501 "r5", 

502 "REQUEST_NON_NT_SESSION_KEY", # R 

503 "NEGOTIATE_TARGET_INFO", # S 

504 "r4", 

505 "NEGOTIATE_VERSION", # T 

506 "r3", 

507 "r2", 

508 "r1", 

509 "NEGOTIATE_128", # U 

510 "NEGOTIATE_KEY_EXCH", # V 

511 "NEGOTIATE_56", # W 

512] 

513 

514 

515def _NTLMStrField(name, default): 

516 return MultipleTypeField( 

517 [ 

518 ( 

519 StrFieldUtf16(name, default), 

520 lambda pkt: pkt.NegotiateFlags.NEGOTIATE_UNICODE, 

521 ) 

522 ], 

523 StrField(name, default), 

524 ) 

525 

526 

527# Sect 2.2.2.10 

528 

529 

530class _NTLM_Version(Packet): 

531 fields_desc = [ 

532 ByteField("ProductMajorVersion", 0), 

533 ByteField("ProductMinorVersion", 0), 

534 LEShortField("ProductBuild", 0), 

535 LEThreeBytesField("res_ver", 0), 

536 ByteEnumField("NTLMRevisionCurrent", 0x0F, {0x0F: "v15"}), 

537 ] 

538 

539 

540# Sect 2.2.1.1 

541 

542 

543class NTLM_NEGOTIATE(_NTLM_VARIANT_Packet, NTLM_Header): 

544 name = "NTLM Negotiate" 

545 __slots__ = ["VARIANT"] 

546 MessageType = 1 

547 OFFSET = lambda pkt: ( 

548 32 

549 if ( 

550 pkt.VARIANT == NTLM_VARIANT.NT_OR_2000 

551 or (pkt.DomainNameBufferOffset or 40) <= 32 

552 ) 

553 else 40 

554 ) 

555 fields_desc = ( 

556 [ 

557 NTLM_Header, 

558 FlagsField("NegotiateFlags", 0, -32, _negotiateFlags), 

559 # DomainNameFields 

560 LEShortField("DomainNameLen", None), 

561 LEShortField("DomainNameMaxLen", None), 

562 LEIntField("DomainNameBufferOffset", None), 

563 # WorkstationFields 

564 LEShortField("WorkstationNameLen", None), 

565 LEShortField("WorkstationNameMaxLen", None), 

566 LEIntField("WorkstationNameBufferOffset", None), 

567 ] 

568 + [ 

569 # VERSION 

570 ConditionalField( 

571 # (not present on some old Windows versions. We use a heuristic) 

572 x, 

573 lambda pkt: pkt.VARIANT >= NTLM_VARIANT.XP_OR_2003 

574 and ( 

575 ( 

576 ( 

577 40 

578 if pkt.DomainNameBufferOffset is None 

579 else pkt.DomainNameBufferOffset or len(pkt.original or b"") 

580 ) 

581 > 32 

582 ) 

583 or pkt.fields.get(x.name, b"") 

584 ), 

585 ) 

586 for x in _NTLM_Version.fields_desc 

587 ] 

588 + [ 

589 # Payload 

590 _NTLMPayloadField( 

591 "Payload", 

592 OFFSET, 

593 [ 

594 # "MUST be encoded using the OEM character set" 

595 StrField("DomainName", b""), 

596 StrField("WorkstationName", b""), 

597 ], 

598 ), 

599 ] 

600 ) 

601 

602 def post_build(self, pkt, pay): 

603 # type: (bytes, bytes) -> bytes 

604 return ( 

605 _NTLM_post_build( 

606 self, 

607 pkt, 

608 self.OFFSET(), 

609 { 

610 "DomainName": 16, 

611 "WorkstationName": 24, 

612 }, 

613 ) 

614 + pay 

615 ) 

616 

617 

618# Challenge 

619 

620 

621class Single_Host_Data(Packet): 

622 fields_desc = [ 

623 LEIntField("Size", None), 

624 LEIntField("Z4", 0), 

625 # "CustomData" guessed using LSAP_TOKEN_INFO_INTEGRITY. 

626 FlagsField( 

627 "Flags", 

628 0, 

629 -32, 

630 { 

631 0x00000001: "UAC-Restricted", 

632 }, 

633 ), 

634 LEIntEnumField( 

635 "TokenIL", 

636 0x00002000, 

637 { 

638 0x00000000: "Untrusted", 

639 0x00001000: "Low", 

640 0x00002000: "Medium", 

641 0x00003000: "High", 

642 0x00004000: "System", 

643 0x00005000: "Protected process", 

644 }, 

645 ), 

646 XStrFixedLenField("MachineID", b"", length=32), 

647 # KB 5068222 - still waiting for [MS-KILE] update (oct. 2025) 

648 ConditionalField( 

649 XStrFixedLenField("PermanentMachineID", None, length=32), 

650 lambda pkt: pkt.Size is None or pkt.Size > 48, 

651 ), 

652 ] 

653 

654 def post_build(self, pkt, pay): 

655 if self.Size is None: 

656 pkt = struct.pack("<I", len(pkt)) + pkt[4:] 

657 return pkt + pay 

658 

659 def default_payload_class(self, payload): 

660 return conf.padding_layer 

661 

662 

663class AV_PAIR(Packet): 

664 name = "NTLM AV Pair" 

665 fields_desc = [ 

666 LEShortEnumField( 

667 "AvId", 

668 0, 

669 { 

670 0x0000: "MsvAvEOL", 

671 0x0001: "MsvAvNbComputerName", 

672 0x0002: "MsvAvNbDomainName", 

673 0x0003: "MsvAvDnsComputerName", 

674 0x0004: "MsvAvDnsDomainName", 

675 0x0005: "MsvAvDnsTreeName", 

676 0x0006: "MsvAvFlags", 

677 0x0007: "MsvAvTimestamp", 

678 0x0008: "MsvAvSingleHost", 

679 0x0009: "MsvAvTargetName", 

680 0x000A: "MsvAvChannelBindings", 

681 }, 

682 ), 

683 FieldLenField("AvLen", None, length_of="Value", fmt="<H"), 

684 MultipleTypeField( 

685 [ 

686 ( 

687 LEIntEnumField( 

688 "Value", 

689 1, 

690 { 

691 0x0001: "constrained", 

692 0x0002: "MIC integrity", 

693 0x0004: "SPN from untrusted source", 

694 }, 

695 ), 

696 lambda pkt: pkt.AvId == 0x0006, 

697 ), 

698 ( 

699 UTCTimeField( 

700 "Value", 

701 None, 

702 epoch=[1601, 1, 1, 0, 0, 0], 

703 custom_scaling=1e7, 

704 fmt="<Q", 

705 ), 

706 lambda pkt: pkt.AvId == 0x0007, 

707 ), 

708 ( 

709 PacketField("Value", Single_Host_Data(), Single_Host_Data), 

710 lambda pkt: pkt.AvId == 0x0008, 

711 ), 

712 ( 

713 XStrLenField("Value", b"", length_from=lambda pkt: pkt.AvLen), 

714 lambda pkt: pkt.AvId == 0x000A, 

715 ), 

716 ], 

717 StrLenFieldUtf16("Value", b"", length_from=lambda pkt: pkt.AvLen), 

718 ), 

719 ] 

720 

721 def default_payload_class(self, payload): 

722 return conf.padding_layer 

723 

724 

725class NTLM_CHALLENGE(_NTLM_VARIANT_Packet, NTLM_Header): 

726 name = "NTLM Challenge" 

727 __slots__ = ["VARIANT"] 

728 MessageType = 2 

729 OFFSET = lambda pkt: ( 

730 48 

731 if ( 

732 pkt.VARIANT == NTLM_VARIANT.NT_OR_2000 

733 or (pkt.TargetInfoBufferOffset or 56) <= 48 

734 ) 

735 else 56 

736 ) 

737 fields_desc = ( 

738 [ 

739 NTLM_Header, 

740 # TargetNameFields 

741 LEShortField("TargetNameLen", None), 

742 LEShortField("TargetNameMaxLen", None), 

743 LEIntField("TargetNameBufferOffset", None), 

744 # 

745 FlagsField("NegotiateFlags", 0, -32, _negotiateFlags), 

746 XStrFixedLenField("ServerChallenge", None, length=8), 

747 XStrFixedLenField("Reserved", None, length=8), 

748 # TargetInfoFields 

749 LEShortField("TargetInfoLen", None), 

750 LEShortField("TargetInfoMaxLen", None), 

751 LEIntField("TargetInfoBufferOffset", None), 

752 ] 

753 + [ 

754 # VERSION 

755 ConditionalField( 

756 # (not present on some old Windows versions. We use a heuristic) 

757 x, 

758 lambda pkt: pkt.VARIANT >= NTLM_VARIANT.XP_OR_2003 

759 and ( 

760 ((pkt.TargetInfoBufferOffset or 56) > 40) 

761 or pkt.fields.get(x.name, b"") 

762 ), 

763 ) 

764 for x in _NTLM_Version.fields_desc 

765 ] 

766 + [ 

767 # Payload 

768 _NTLMPayloadField( 

769 "Payload", 

770 OFFSET, 

771 [ 

772 _NTLMStrField("TargetName", b""), 

773 PacketListField("TargetInfo", [AV_PAIR()], AV_PAIR), 

774 ], 

775 ), 

776 ] 

777 ) 

778 

779 def getAv(self, AvId): 

780 try: 

781 return next(x for x in self.TargetInfo if x.AvId == AvId) 

782 except (StopIteration, AttributeError): 

783 raise IndexError 

784 

785 def post_build(self, pkt, pay): 

786 # type: (bytes, bytes) -> bytes 

787 return ( 

788 _NTLM_post_build( 

789 self, 

790 pkt, 

791 self.OFFSET(), 

792 { 

793 "TargetName": 12, 

794 "TargetInfo": 40, 

795 }, 

796 ) 

797 + pay 

798 ) 

799 

800 

801# Authenticate 

802 

803 

804class LM_RESPONSE(Packet): 

805 fields_desc = [ 

806 StrFixedLenField("Response", b"", length=24), 

807 ] 

808 

809 

810class LMv2_RESPONSE(Packet): 

811 fields_desc = [ 

812 StrFixedLenField("Response", b"", length=16), 

813 StrFixedLenField("ChallengeFromClient", b"", length=8), 

814 ] 

815 

816 

817class NTLM_RESPONSE(Packet): 

818 fields_desc = [ 

819 StrFixedLenField("Response", b"", length=24), 

820 ] 

821 

822 

823class NTLMv2_CLIENT_CHALLENGE(Packet): 

824 fields_desc = [ 

825 ByteField("RespType", 1), 

826 ByteField("HiRespType", 1), 

827 LEShortField("Reserved1", 0), 

828 LEIntField("Reserved2", 0), 

829 UTCTimeField( 

830 "TimeStamp", None, fmt="<Q", epoch=[1601, 1, 1, 0, 0, 0], custom_scaling=1e7 

831 ), 

832 StrFixedLenField("ChallengeFromClient", b"12345678", length=8), 

833 LEIntField("Reserved3", 0), 

834 PacketListField("AvPairs", [AV_PAIR()], AV_PAIR), 

835 ] 

836 

837 def getAv(self, AvId): 

838 try: 

839 return next(x for x in self.AvPairs if x.AvId == AvId) 

840 except StopIteration: 

841 raise IndexError 

842 

843 

844class NTLMv2_RESPONSE(NTLMv2_CLIENT_CHALLENGE): 

845 fields_desc = [ 

846 XStrFixedLenField("NTProofStr", b"", length=16), 

847 NTLMv2_CLIENT_CHALLENGE, 

848 ] 

849 

850 def computeNTProofStr(self, ResponseKeyNT, ServerChallenge): 

851 """ 

852 Set temp to ConcatenationOf(Responserversion, HiResponserversion, 

853 Z(6), Time, ClientChallenge, Z(4), ServerName, Z(4)) 

854 Set NTProofStr to HMAC_MD5(ResponseKeyNT, 

855 ConcatenationOf(CHALLENGE_MESSAGE.ServerChallenge,temp)) 

856 

857 Remember ServerName = AvPairs 

858 """ 

859 Responserversion = b"\x01" 

860 HiResponserversion = b"\x01" 

861 

862 ServerName = b"".join(bytes(x) for x in self.AvPairs) 

863 temp = b"".join( 

864 [ 

865 Responserversion, 

866 HiResponserversion, 

867 b"\x00" * 6, 

868 struct.pack("<Q", self.TimeStamp), 

869 self.ChallengeFromClient, 

870 b"\x00" * 4, 

871 ServerName, 

872 # Final Z(4) is the EOL AvPair 

873 ] 

874 ) 

875 return HMAC_MD5(ResponseKeyNT, ServerChallenge + temp) 

876 

877 

878class NTLM_AUTHENTICATE(_NTLM_VARIANT_Packet, NTLM_Header): 

879 name = "NTLM Authenticate" 

880 __slots__ = ["VARIANT"] 

881 MessageType = 3