(token, connData, smbServer, rawNTLM)
| 2982 | |
| 2983 | @staticmethod |
| 2984 | def _ntlm_auth(token, connData, smbServer, rawNTLM): |
| 2985 | # Here we only handle NTLMSSP, depending on what stage of the |
| 2986 | # authentication we are, we act on it |
| 2987 | messageType = struct.unpack('<L', token[len('NTLMSSP\x00'):len('NTLMSSP\x00') + 4])[0] |
| 2988 | respSMBCommand = smb2.SMB2SessionSetup_Response() |
| 2989 | |
| 2990 | if messageType == 0x01: |
| 2991 | # NEGOTIATE_MESSAGE |
| 2992 | negotiateMessage = ntlm.NTLMAuthNegotiate() |
| 2993 | negotiateMessage.fromString(token) |
| 2994 | # Let's store it in the connection data |
| 2995 | connData['NEGOTIATE_MESSAGE'] = negotiateMessage |
| 2996 | # Let's build the answer flags |
| 2997 | # TODO: Parse all the flags. With this we're leaving some clients out |
| 2998 | |
| 2999 | ansFlags = 0 |
| 3000 | |
| 3001 | if negotiateMessage['flags'] & ntlm.NTLMSSP_NEGOTIATE_56: |
| 3002 | ansFlags |= ntlm.NTLMSSP_NEGOTIATE_56 |
| 3003 | if negotiateMessage['flags'] & ntlm.NTLMSSP_NEGOTIATE_128: |
| 3004 | ansFlags |= ntlm.NTLMSSP_NEGOTIATE_128 |
| 3005 | if negotiateMessage['flags'] & ntlm.NTLMSSP_NEGOTIATE_KEY_EXCH: |
| 3006 | ansFlags |= ntlm.NTLMSSP_NEGOTIATE_KEY_EXCH |
| 3007 | if negotiateMessage['flags'] & ntlm.NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY: |
| 3008 | ansFlags |= ntlm.NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY |
| 3009 | if negotiateMessage['flags'] & ntlm.NTLMSSP_NEGOTIATE_UNICODE: |
| 3010 | ansFlags |= ntlm.NTLMSSP_NEGOTIATE_UNICODE |
| 3011 | if negotiateMessage['flags'] & ntlm.NTLM_NEGOTIATE_OEM: |
| 3012 | ansFlags |= ntlm.NTLM_NEGOTIATE_OEM |
| 3013 | if negotiateMessage['flags'] & ntlm.NTLMSSP_NEGOTIATE_SIGN: |
| 3014 | ansFlags |= ntlm.NTLMSSP_NEGOTIATE_SIGN |
| 3015 | |
| 3016 | ansFlags |= ntlm.NTLMSSP_NEGOTIATE_VERSION | ntlm.NTLMSSP_NEGOTIATE_TARGET_INFO | ntlm.NTLMSSP_TARGET_TYPE_SERVER | ntlm.NTLMSSP_NEGOTIATE_NTLM | ntlm.NTLMSSP_REQUEST_TARGET |
| 3017 | |
| 3018 | if smbServer._SMBSERVER__dropSSP: |
| 3019 | ansFlags = (ntlm.NTLMSSP_DROP_SSP_STATIC | 0) |
| 3020 | # Generate the AV_PAIRS |
| 3021 | av_pairs = ntlm.AV_PAIRS() |
| 3022 | # important for signing support, as NetrLogonSamLogonWithFlags checks these! |
| 3023 | if "." in smbServer.getServerDomain(): |
| 3024 | av_pairs[ntlm.NTLMSSP_AV_DOMAINNAME] = smbServer.getServerDomain().split(".")[0].upper().encode('utf-16le') |
| 3025 | av_pairs[ntlm.NTLMSSP_AV_DNS_DOMAINNAME] = smbServer.getServerDomain().encode('utf-16le') |
| 3026 | else: |
| 3027 | av_pairs[ntlm.NTLMSSP_AV_DOMAINNAME] = av_pairs[ntlm.NTLMSSP_AV_DNS_DOMAINNAME] = smbServer.getServerDomain().upper().encode('utf-16le') |
| 3028 | |
| 3029 | av_pairs[ntlm.NTLMSSP_AV_HOSTNAME] = av_pairs[ntlm.NTLMSSP_AV_DNS_HOSTNAME] = smbServer.getServerName().upper().encode('utf-16le') |
| 3030 | av_pairs[ntlm.NTLMSSP_AV_TIME] = struct.pack('<q', ( |
| 3031 | 116444736000000000 + calendar.timegm(time.gmtime()) * 10000000)) |
| 3032 | |
| 3033 | challengeMessage = ntlm.NTLMAuthChallenge() |
| 3034 | challengeMessage['flags'] = ansFlags |
| 3035 | challengeMessage['domain_len'] = len(smbServer.getServerDomain().encode('utf-16le')) |
| 3036 | challengeMessage['domain_max_len'] = challengeMessage['domain_len'] |
| 3037 | challengeMessage['domain_offset'] = 40 + 16 |
| 3038 | challengeMessage['challenge'] = smbServer.getSMBChallenge() |
| 3039 | challengeMessage['domain_name'] = smbServer.getServerDomain().encode('utf-16le') |
| 3040 | challengeMessage['TargetInfoFields_len'] = len(av_pairs) |
| 3041 | challengeMessage['TargetInfoFields_max_len'] = len(av_pairs) |