| 20 | self.output = "NTLMv1 allowed on: {} - LmCompatibilityLevel = {}" |
| 21 | |
| 22 | def on_admin_login(self, context, connection): |
| 23 | try: |
| 24 | remote_ops = RemoteOperations(connection.conn, False) |
| 25 | remote_ops.enableRegistry() |
| 26 | |
| 27 | if remote_ops._RemoteOperations__rrp: |
| 28 | ans = rrp.hOpenLocalMachine(remote_ops._RemoteOperations__rrp) |
| 29 | reg_handle = ans["phKey"] |
| 30 | ans = rrp.hBaseRegOpenKey( |
| 31 | remote_ops._RemoteOperations__rrp, |
| 32 | reg_handle, |
| 33 | "SYSTEM\\CurrentControlSet\\Control\\Lsa", |
| 34 | ) |
| 35 | key_handle = ans["phkResult"] |
| 36 | rtype = data = None |
| 37 | try: |
| 38 | rtype, data = rrp.hBaseRegQueryValue( |
| 39 | remote_ops._RemoteOperations__rrp, |
| 40 | key_handle, |
| 41 | "lmcompatibilitylevel\x00", |
| 42 | ) |
| 43 | |
| 44 | except rrp.DCERPCSessionError: |
| 45 | context.log.debug("Unable to reference lmcompatabilitylevel, which probably means ntlmv1 is not set") |
| 46 | |
| 47 | # Changed by Defte |
| 48 | # Unless this keys is set to 3 or higher, NTLMv1 can be used |
| 49 | if data in [0, 1, 2]: |
| 50 | context.log.highlight(self.output.format(connection.conn.getRemoteHost(), data)) |
| 51 | |
| 52 | except DCERPCSessionError as e: |
| 53 | context.log.debug(f"Error connecting to RemoteRegistry: {e}") |
| 54 | finally: |
| 55 | remote_ops.finish() |