Merged in smb-av-pairs-flags-detector-support (pull request fortra#3)

added a smb login argument for av pairs flags detector usage Approved-by: Dor Green
ArmisSecurity · May 30, 2021 · ac495f5 · ac495f5
2 parents 0c4a1a0 + d166670
commit ac495f5
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 5 deletions.
diff --git a/impacket/ntlm.py b/impacket/ntlm.py
@@ -34,7 +34,11 @@
 
 
 def computeResponse(flags, serverChallenge, clientChallenge, serverName, domain, user, password, lmhash='', nthash='',
-                    use_ntlmv2=USE_NTLMv2):
+                    use_ntlmv2=USE_NTLMv2, av_pair_flags_detector=False):
+    if av_pair_flags_detector:  # trigger the detector malformed flags structure (for ARMIS VMS SMBAvPairsFlagsScan)
+        av_pairs = AV_PAIRS(serverName)
+        av_pairs[NTLMSSP_AV_FLAGS] = 3 * b"\0"  # valid size is 4
+        serverName = av_pairs.getData()
     if use_ntlmv2:
         return computeResponseNTLMv2(flags, serverChallenge, clientChallenge, serverName, domain, user, password,
                                      lmhash, nthash, use_ntlmv2=use_ntlmv2)
@@ -590,7 +594,8 @@ def getNTLMSSPType1(workstation='', domain='', signingRequired = False, use_ntlm
 
     return auth
 
-def getNTLMSSPType3(type1, type2, user, password, domain, lmhash = '', nthash = '', use_ntlmv2 = USE_NTLMv2):
+def getNTLMSSPType3(type1, type2, user, password, domain, lmhash = '', nthash = '', use_ntlmv2 = USE_NTLMv2,
+                    av_pair_flags_detector=False):
 
     # Safety check in case somebody sent password = None.. That's not allowed. Setting it to '' and hope for the best.
     if password is None:
@@ -629,7 +634,7 @@ def getNTLMSSPType3(type1, type2, user, password, domain, lmhash = '', nthash =
 
     ntResponse, lmResponse, sessionBaseKey = computeResponse(ntlmChallenge['flags'], ntlmChallenge['challenge'],
                                                              clientChallenge, serverName, domain, user, password,
-                                                             lmhash, nthash, use_ntlmv2)
+                                                             lmhash, nthash, use_ntlmv2, av_pair_flags_detector)
 
     # Let's check the return flags
     if (ntlmChallenge['flags'] & NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY) == 0:

diff --git a/impacket/smb3.py b/impacket/smb3.py
@@ -857,7 +857,7 @@ def kerberosLogin(self, user, password, domain = '', lmhash = '', nthash = '', a
             raise Exception('Unsuccessful Login')
 
 
-    def login(self, user, password, domain = '', lmhash = '', nthash = ''):
+    def login(self, user, password, domain = '', lmhash = '', nthash = '', av_pair_flags_detector=False):
         # If we have hashes, normalize them
         if lmhash != '' or nthash != '':
             if len(lmhash) % 2:     lmhash = '0%s' % lmhash
@@ -968,7 +968,7 @@ def login(self, user, password, domain = '', lmhash = '', nthash = ''):
                         self._Session["ServerOSMinor"] = indexbytes(version,1)
                         self._Session["ServerOSBuild"] = struct.unpack('<H',version[2:4])[0]
 
-            type3, exportedSessionKey = ntlm.getNTLMSSPType3(auth, respToken['ResponseToken'], user, password, domain, lmhash, nthash)
+            type3, exportedSessionKey = ntlm.getNTLMSSPType3(auth, respToken['ResponseToken'], user, password, domain, lmhash, nthash, av_pair_flags_detector)