├── README.md
├── examples
    └── capture.pcap.zip
├── requirements.txt
└── winrm_decrypt.py


/README.md:
--------------------------------------------------------------------------------
 1 | # decrypt-winrm
 2 | 
 3 | (use python3)
 4 | 
 5 | modified/forked from this gist https://gist.github.com/jborean93/d6ff5e87f8a9f5cb215cd49826523045/ by @jborean93
 6 | 
 7 | install requirements:
 8 | `pip3 install -r requirements.txt`
 9 | 
10 | example usage:
11 | `python3 winrm_decrypt.py -n 8bb1f8635e5708eb95aedf142054fc95 ./capture.pcap`
12 | 
13 | (you can find the working example pcap inside [examples](examples), capture.pcap from HTB Uni CTF Quals 2021
14 | 
15 | or, use the password
16 | `python3 winrm_decrypt.py -p password123 ./capture.pcap`
17 | 
18 | 


--------------------------------------------------------------------------------
/examples/capture.pcap.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/h4sh5/decrypt-winrm/91fbe5ac084d7c14e07d7fe77a52b29e1025fb0c/examples/capture.pcap.zip


--------------------------------------------------------------------------------
/requirements.txt:
--------------------------------------------------------------------------------
1 | pyshark==0.4.3
2 | cryptography==3.3.2
3 | 


--------------------------------------------------------------------------------
/winrm_decrypt.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python3
  2 | # -*- coding: utf-8 -*-
  3 | # PYTHON_ARGCOMPLETE_OK
  4 | 
  5 | # Copyright: (c) 2020 Jordan Borean (@jborean93) <jborean93@gmail.com>
  6 | # MIT License (see LICENSE or https://opensource.org/licenses/MIT)
  7 | 
  8 | # Fork / modifications by Haoxi Tan (haoxi.tan@gmail.com)
  9 | # MIT License (see LICENSE or https://opensource.org/licenses/MIT)
 10 | 
 11 | """
 12 | Script that can read a Wireshark capture .pcapng for a WinRM exchange and decrypt the messages. Currently only supports
 13 | exchanges that were authenticated with NTLM. This is really a POC, a lot of things are missing like NTLMv1 support,
 14 | shorter signing keys, better error handling, etc.
 15 | """
 16 | 
 17 | from __future__ import (absolute_import, division, print_function)
 18 | __metaclass__ = type
 19 | 
 20 | import argparse
 21 | import base64
 22 | import hashlib
 23 | import hmac
 24 | import os
 25 | import pyshark
 26 | import binascii
 27 | import sys
 28 | import struct
 29 | import xml.dom.minidom
 30 | 
 31 | from cryptography.hazmat.primitives.ciphers import (
 32 |     algorithms,
 33 |     Cipher,
 34 | )
 35 | 
 36 | from cryptography.hazmat.backends import (
 37 |     default_backend,
 38 | )
 39 | 
 40 | try:
 41 |     import argcomplete
 42 | except ImportError:
 43 |     argcomplete = None
 44 | 
 45 | 
 46 | class SecurityContext:
 47 | 
 48 |     def __init__(self, port, nt_hash):
 49 |         self.port = port
 50 |         self.tokens = []
 51 |         self.nt_hash = nt_hash
 52 |         self.complete = False
 53 | 
 54 |         self.key_exch = False
 55 |         self.session_key = None
 56 |         self.sign_key_initiate = None
 57 |         self.sign_key_accept = None
 58 |         self.seal_handle_initiate = None
 59 |         self.seal_handle_accept = None
 60 | 
 61 |         self.__initiate_seq_no = 0
 62 |         self.__accept_seq_no = 0
 63 | 
 64 |     @property
 65 |     def _initiate_seq_no(self):
 66 |         val = self.__initiate_seq_no
 67 |         self.__initiate_seq_no += 1
 68 |         return val
 69 | 
 70 |     @property
 71 |     def _accept_seq_no(self):
 72 |         val = self.__accept_seq_no
 73 |         self.__accept_seq_no += 1
 74 |         return val
 75 | 
 76 |     def add_token(self, token):
 77 |         self.tokens.append(token)
 78 | 
 79 |         if token.startswith(b"NTLMSSP\x00\x03"):
 80 |             # Extract the info required to build the session key
 81 |             nt_challenge = self._get_auth_field(20, token)
 82 |             b_domain = self._get_auth_field(28, token) or b""
 83 |             b_username = self._get_auth_field(36, token) or b""
 84 |             encrypted_random_session_key = self._get_auth_field(52, token)
 85 |             flags = struct.unpack("<I", token[60:64])[0]
 86 | 
 87 |             encoding = 'utf-16-le' if flags & 0x00000001 else 'windows-1252'
 88 |             domain = b_domain.decode(encoding)
 89 |             username = b_username.decode(encoding)
 90 | 
 91 |             # Derive the session key
 92 |             nt_proof_str = nt_challenge[:16]
 93 |             response_key_nt = hmac_md5(self.nt_hash, (username.upper() + domain).encode('utf-16-le'))
 94 |             key_exchange_key = hmac_md5(response_key_nt, nt_proof_str)
 95 |             self.key_exch = bool(flags & 0x40000000)
 96 | 
 97 |             if self.key_exch and (flags & (0x00000020 | 0x00000010)):
 98 |                 self.session_key = rc4k(key_exchange_key, encrypted_random_session_key)
 99 | 
100 |             else:
101 |                 self.session_key = key_exchange_key
102 | 
103 |             # Derive the signing and sealing keys
104 |             self.sign_key_initiate = signkey(self.session_key, 'initiate')
105 |             self.sign_key_accept = signkey(self.session_key, 'accept')
106 |             self.seal_handle_initiate = rc4init(sealkey(self.session_key, 'initiate'))
107 |             self.seal_handle_accept = rc4init(sealkey(self.session_key, 'accept'))
108 |             self.complete = True
109 | 
110 |     def unwrap_initiate(self, data):
111 |         print('unwrap_initiate',file=sys.stderr)
112 |         return self._unwrap(self.seal_handle_initiate, self.sign_key_initiate, self._initiate_seq_no, data)
113 | 
114 |     def unwrap_accept(self, data):
115 |         print('unwrap_accept',file=sys.stderr)
116 |         return self._unwrap(self.seal_handle_accept, self.sign_key_accept, self._accept_seq_no, data)
117 | 
118 |     def _unwrap(self, handle, sign_key, seq_no, data):
119 |         header = data[4:20]
120 |         enc_data = data[20:]
121 |         dec_data = handle.update(enc_data)
122 | 
123 |         b_seq_num = struct.pack("<I", seq_no)
124 | 
125 |         checksum = hmac_md5(sign_key, b_seq_num + dec_data)[:8]
126 |         if self.key_exch:
127 |             checksum = handle.update(checksum)
128 |         actual_header = b"\x01\x00\x00\x00" + checksum + b_seq_num
129 | 
130 |         if header != actual_header:
131 |             # raise Exception("Signature verification failed")
132 |             print("Signature verification failed")
133 |             # meh, continue
134 | 
135 |         return dec_data
136 | 
137 |     def _get_auth_field(self, offset, token):
138 |         field_len = struct.unpack("<H", token[offset:offset + 2])[0]
139 |         if field_len:
140 |             field_offset = struct.unpack("<I", token[offset + 4:offset + 8])[0]
141 |             return token[field_offset:field_offset + field_len]
142 | 
143 | 
144 | def hmac_md5(key, data):
145 |     return hmac.new(key, data, digestmod=hashlib.md5).digest()
146 | 
147 | 
148 | def md4(m):
149 |     return hashlib.new('md4', m).digest()
150 | 
151 | 
152 | def md5(m):
153 |     return hashlib.md5(m).digest()
154 | 
155 | 
156 | def ntowfv1(password):
157 |     return md4(password.encode('utf-16-le'))
158 | 
159 | 
160 | def rc4init(k):
161 |     arc4 = algorithms.ARC4(k)
162 |     return Cipher(arc4, mode=None, backend=default_backend()).encryptor()
163 | 
164 | 
165 | def rc4k(k, d):
166 |     return rc4init(k).update(d)
167 | 
168 | 
169 | def sealkey(session_key, usage):
170 |     direction = b"client-to-server" if usage == 'initiate' else b"server-to-client"
171 |     return md5(session_key + b"session key to %s sealing key magic constant\x00" % direction)
172 | 
173 | 
174 | def signkey(session_key, usage):
175 |     direction = b"client-to-server" if usage == 'initiate' else b"server-to-client"
176 |     return md5(session_key + b"session key to %s signing key magic constant\x00" % direction)
177 | 
178 | 
179 | def unpack_message(data):
180 |     # parts = data.split(b'--Encrypted Boundary\r\n')
181 |     parts = list(filter(None, parts))
182 | 
183 |     messages = []
184 |     for i in range(0, len(parts), 2):
185 |         header = parts[i].strip()
186 |         payload = parts[i + 1]
187 | 
188 |         length = int(header.split(b"Length=")[1])
189 | 
190 |         # remove the end MIME block if it exists
191 |         if payload.endswith(b"--Encrypted Boundary--\r\n"):
192 |             payload = payload[:len(payload) - 24]
193 | 
194 |         wrapped_data = payload.replace(b"Content-Type: application/octet-stream\r\n", b"")
195 | 
196 |         messages.append((length, wrapped_data))
197 | 
198 |     return messages
199 | 
200 | 
201 | def pretty_xml(xml_str):
202 |     dom = xml.dom.minidom.parseString(xml_str)
203 |     return dom.toprettyxml()
204 | 
205 | 
206 | def main():
207 |     """Main program entry point."""
208 |     args = parse_args()
209 | 
210 |     if args.password:
211 |         nt_hash = ntowfv1(args.password)
212 | 
213 |     else:
214 |         nt_hash = base64.b16decode(args.hash.upper())
215 | 
216 |     captures = pyshark.FileCapture(os.path.expanduser(os.path.expandvars(args.path)),
217 |                                    display_filter='http and tcp.port == %d' % args.port)
218 | 
219 |     contexts = []
220 |     for cap in captures:
221 |         try:
222 |             source_port = int(cap.tcp.srcport)
223 |             unique_port = source_port if source_port != args.port else int(cap.tcp.dstport)
224 | 
225 |             auth_token = None
226 |             if hasattr(cap.http, 'authorization'):
227 |                 b64_token = cap.http.authorization.split(' ')[1]
228 |                 auth_token = base64.b64decode(b64_token)
229 | 
230 |             elif hasattr(cap.http, 'www_authenticate'):
231 |                 parts = cap.http.www_authenticate.split(' ')
232 |                 if len(parts) > 1:
233 |                     b64_token = parts[1]
234 |                     try:
235 |                         auth_token = base64.b64decode(b64_token)
236 |                     except Exception:
237 |                         continue
238 |                 else:
239 |                     continue
240 | 
241 |             context = None
242 |             if auth_token:
243 |                 if not auth_token.startswith(b"NTLMSSP\x00"):
244 |                     continue
245 | 
246 |                 if auth_token.startswith(b"NTLMSSP\x00\x01"):
247 |                     context = SecurityContext(unique_port, nt_hash)
248 |                     contexts.append(context)
249 | 
250 |                 else:
251 |                     context = [c for c in contexts if c.port == unique_port][-1]
252 |                     if not context:
253 |                         raise ValueError("Missing exisitng NTLM security context")
254 | 
255 |                 context.add_token(auth_token)
256 | 
257 |             if hasattr(cap.http, 'file_data'):
258 |                 if not context:
259 |                     context = next(c for c in contexts if c.port == unique_port)
260 | 
261 |                 if not context.complete:
262 |                     raise ValueError("Cannot decode message without completed context")
263 | 
264 |                 # file_data = cap.http.file_data #.binary_value
265 |                 # messages = unpack_message(file_data)
266 |                 length = int(cap.mime_multipart.data_len)
267 |                 msgdata = binascii.unhexlify(cap.mime_multipart.data)
268 |                 messages = [(length, msgdata)]
269 | 
270 |                 unwrap_func = context.unwrap_accept if source_port == args.port else context.unwrap_initiate
271 | 
272 |                 dec_msgs = []
273 |                 for length, enc_data in messages:
274 |                     msg = unwrap_func(enc_data)
275 |                     # if len(msg) != length:
276 |                         # raise ValueError("Message decryption failed")
277 |                     # print(f'decrypted msg ({len(msg)}):',msg)
278 |                     try:
279 |                         dec_msgs.append(pretty_xml(msg.decode('utf-8')))
280 |                     except Exception as e:
281 |                         print("Exception: ", e)
282 |                         dec_msgs.append("[bad message]")
283 | 
284 | 
285 |                 dec_msgs = "\n".join(dec_msgs)
286 |                 print("No: %s | Time: %s | Source: %s | Destination: %s\n%s\n"
287 |                       % (cap.number, cap.sniff_time.isoformat(), cap.ip.src_host, cap.ip.dst_host, dec_msgs))
288 | 
289 |         except Exception as e:
290 |             raise Exception("Failed to process frame: %s" % cap.number) from e
291 | 
292 | 
293 | def parse_args():
294 |     """Parse and return args."""
295 |     parser = argparse.ArgumentParser(description='Parse network captures from WireShark and decrypts the WinRM '
296 |                                                  'messages that were exchanged.')
297 | 
298 |     parser.add_argument('path',
299 |                         type=str,
300 |                         help='The path to the .pcapng file to decrypt.')
301 | 
302 |     parser.add_argument('--port',
303 |                         dest='port',
304 |                         default=5985,
305 |                         type=int,
306 |                         help='The port to scan for the WinRM HTTP packets (default: 5985).')
307 | 
308 |     secret = parser.add_mutually_exclusive_group()
309 | 
310 |     secret.add_argument('-p', '--password',
311 |                         dest='password',
312 |                         help='The password for the account that was used in the authentication.')
313 | 
314 |     secret.add_argument('-n', '--hash',
315 |                         dest='hash',
316 |                         help='The NT hash for the account that was used in the authentication.')
317 | 
318 |     if argcomplete:
319 |         argcomplete.autocomplete(parser)
320 | 
321 |     return parser.parse_args()
322 | 
323 | 
324 | if __name__ == '__main__':
325 |     main()
326 | 


--------------------------------------------------------------------------------