(connId, smbServer, recvPacket)
| 3197 | |
| 3198 | @staticmethod |
| 3199 | def smb2SessionSetup(connId, smbServer, recvPacket): |
| 3200 | connData = smbServer.getConnectionData(connId, checkStatus=False) |
| 3201 | |
| 3202 | sessionSetupData = smb2.SMB2SessionSetup(recvPacket['Data']) |
| 3203 | |
| 3204 | connData['Capabilities'] = sessionSetupData['Capabilities'] |
| 3205 | |
| 3206 | securityBlob = sessionSetupData['Buffer'] |
| 3207 | |
| 3208 | rawNTLM = False |
| 3209 | authType = None |
| 3210 | if struct.unpack('B', securityBlob[0:1])[0] == ASN1_AID: |
| 3211 | # NEGOTIATE packet |
| 3212 | blob = SPNEGO_NegTokenInit(securityBlob) |
| 3213 | token = blob['MechToken'] |
| 3214 | if len(blob['MechTypes'][0]) > 0: |
| 3215 | # Is this GSSAPI NTLM or something else we don't support? |
| 3216 | authType = blob['MechTypes'][0] |
| 3217 | supported_mechtypes = [] |
| 3218 | if smbServer.getKerberosSupport() and smbServer.getComputerAccountCredentials()["username"]: |
| 3219 | # if computer account credentials are provided, we can also use kerberos |
| 3220 | supported_mechtypes += [TypesMech['MS KRB5 - Microsoft Kerberos 5'], TypesMech['KRB5 - Kerberos 5'], TypesMech['KRB5 - Kerberos 5 - User to User']] |
| 3221 | if smbServer.getNTLMSupport(): |
| 3222 | supported_mechtypes += [TypesMech['NTLMSSP - Microsoft NTLM Security Support Provider']] |
| 3223 | if authType not in supported_mechtypes: |
| 3224 | # Nope, do we know it? |
| 3225 | if authType in MechTypes: |
| 3226 | mechStr = MechTypes[authType] |
| 3227 | else: |
| 3228 | mechStr = hexlify(authType) |
| 3229 | smbServer.log("Unsupported MechType '%s'" % mechStr, logging.DEBUG, connData=connData) |
| 3230 | |
| 3231 | return [SMB2Commands.generic_negTokenResp()], None, STATUS_MORE_PROCESSING_REQUIRED |
| 3232 | elif struct.unpack('B', securityBlob[0:1])[0] == ASN1_SUPPORTED_MECH: |
| 3233 | # AUTH packet |
| 3234 | blob = SPNEGO_NegTokenResp(securityBlob) |
| 3235 | token = blob['ResponseToken'] |
| 3236 | if b'NTLMSSP\x00' in token and smbServer.getNTLMSupport(): |
| 3237 | authType = TypesMech['NTLMSSP - Microsoft NTLM Security Support Provider'] |
| 3238 | elif smbServer.getKerberosSupport(): |
| 3239 | authType = TypesMech['MS KRB5 - Microsoft Kerberos 5'] |
| 3240 | else: |
| 3241 | return [SMB2Commands.generic_negTokenResp()], None, STATUS_MORE_PROCESSING_REQUIRED |
| 3242 | elif securityBlob.startswith(b'NTLMSSP\x00') and smbServer.getNTLMSupport(): |
| 3243 | # No GSSAPI stuff, raw NTLMSSP |
| 3244 | rawNTLM = True |
| 3245 | token = securityBlob |
| 3246 | authType = TypesMech['NTLMSSP - Microsoft NTLM Security Support Provider'] |
| 3247 | else: |
| 3248 | smbServer.log("Unknown or unsupported security blob type", logging.ERROR, connData=connData) |
| 3249 | return [SMB2Commands.generic_negTokenResp()], None, STATUS_MORE_PROCESSING_REQUIRED |
| 3250 | |
| 3251 | if authType in [TypesMech['MS KRB5 - Microsoft Kerberos 5'], TypesMech['KRB5 - Kerberos 5'], TypesMech['KRB5 - Kerberos 5 - User to User']]: |
| 3252 | respSMBCommand, errorCode = SMB2Commands._kerberos_auth(token, connData, smbServer) |
| 3253 | elif authType == TypesMech['NTLMSSP - Microsoft NTLM Security Support Provider']: |
| 3254 | respSMBCommand, errorCode = SMB2Commands._ntlm_auth(token, connData, smbServer, rawNTLM) |
| 3255 | |
| 3256 | # From now on, the client can ask for other commands |