Attachment 7493 Details for Bug 40745 – get-ad-nthash.py

get-ad-nthash.py

get-ad-nthash.py (text/x-python), 5.21 KB, created by Felix Botner on 2016-02-22 15:13:20 CET

(hide)

Description:

Filename:

MIME Type:

Creator: Felix Botner

Created: 2016-02-22 15:13:20 CET

Size: 5.21 KB

patch

obsolete

># https://github.com/CoreSecurity/impacket/blob/master/examples/secretsdump.py
># https://github.com/byt3bl33d3r/CrackMapExec
>
>from samba.credentials import Credentials, DONT_USE_KERBEROS
>from samba import gensec, Ldb, drs_utils
>from samba.param import LoadParm
>from samba.dcerpc import drsuapi, misc, drsblobs, security
>from binascii import unhexlify, hexlify
>import hashlib
>from Crypto.Cipher import ARC4, DES
>from struct import pack
>import samba.dcerpc.security
>import Crypto.Cipher.ARC4
>from samba.ndr import ndr_pack, ndr_unpack, ndr_print
>import binascii
>
>from samba.samdb import SamDB
>from samba.auth import system_session
>import ldb
>
>
># rpcclient  -U administrator%Univention.98  10.200.7.132
># setuserinfo win1 18 univention
>
>samname = "Administrator"
>acct_pass = "Univention.98"
>domain = "w2k12"
>user = "win4"
>#user = "Administrator"
>server = "10.200.7.132"
>
>lp = LoadParm()
>
>repl_creds = Credentials()
>repl_creds.guess(lp)
>repl_creds.set_kerberos_state(DONT_USE_KERBEROS)
>repl_creds.set_username(samname)
>repl_creds.set_password(acct_pass)
>
>
>binding_options = "seal,print"
>drs, drsuapi_handle, bind_supported_extensions = drs_utils.drsuapi_connect(server, lp, repl_creds)
>
>
>
>
>def decrypt(key, data, rid):
>	salt = data[0:16]
>	check_sum = data[16:]
>	md5 = hashlib.new('md5')
>	md5.update(key)
>	md5.update(salt)
>	finalMD5 = md5.digest()
>	cipher = ARC4.new(finalMD5)
>	plainText = cipher.decrypt(data[16:])
>	hash = removeDESLayer(plainText[4:], rid)
>	return hexlify(hash)
>
>def transformKey(InputKey):
>	# Section 2.2.11.1.2 Encrypting a 64-Bit Block with a 7-Byte Key
>	OutputKey = []
>	OutputKey.append( chr(ord(InputKey[0]) >> 0x01) )
>	OutputKey.append( chr(((ord(InputKey[0])&0x01)<<6) | (ord(InputKey[1])>>2)) )
>	OutputKey.append( chr(((ord(InputKey[1])&0x03)<<5) | (ord(InputKey[2])>>3)) )
>	OutputKey.append( chr(((ord(InputKey[2])&0x07)<<4) | (ord(InputKey[3])>>4)) )
>	OutputKey.append( chr(((ord(InputKey[3])&0x0F)<<3) | (ord(InputKey[4])>>5)) )
>	OutputKey.append( chr(((ord(InputKey[4])&0x1F)<<2) | (ord(InputKey[5])>>6)) )
>	OutputKey.append( chr(((ord(InputKey[5])&0x3F)<<1) | (ord(InputKey[6])>>7)) )
>	OutputKey.append( chr(ord(InputKey[6]) & 0x7F) )
>	
>	for i in range(8):
>	    OutputKey[i] = chr((ord(OutputKey[i]) << 1) & 0xfe)
>	
>	return "".join(OutputKey)
>
>def deriveKey(baseKey):
>	# 2.2.11.1.3 Deriving Key1 and Key2 from a Little-Endian, Unsigned Integer Key
>	# Let I be the little-endian, unsigned integer.
>	# Let I[X] be the Xth byte of I, where I is interpreted as a zero-base-index array of bytes.
>	# Note that because I is in little-endian byte order, I[0] is the least significant byte.
>	# Key1 is a concatenation of the following values: I[0], I[1], I[2], I[3], I[0], I[1], I[2].
>	# Key2 is a concatenation of the following values: I[3], I[0], I[1], I[2], I[3], I[0], I[1]
>	key = pack('<L',baseKey)
>	key1 = key[0] + key[1] + key[2] + key[3] + key[0] + key[1] + key[2]
>	key2 = key[3] + key[0] + key[1] + key[2] + key[3] + key[0] + key[1]
>	return transformKey(key1),transformKey(key2)
>
>def removeDESLayer(cryptedHash, rid):
>	Key1,Key2 = deriveKey(rid)
>	Crypt1 = DES.new(Key1, DES.MODE_ECB)
>	Crypt2 = DES.new(Key2, DES.MODE_ECB)
>	decryptedHash = Crypt1.decrypt(cryptedHash[:8]) + Crypt2.decrypt(cryptedHash[8:])
>	return decryptedHash
>
>dcinfo = drsuapi.DsGetDCInfoRequest1()
>dcinfo.level = 1
>dcinfo.domain_name = domain
>i, o = drs.DsGetDomainControllerInfo(drsuapi_handle, 1, dcinfo)
>computer_dn = o.array[0].computer_dn
>
>req = drsuapi.DsNameRequest1()
>names = drsuapi.DsNameString()
>names.str = '%s\%s' % (domain, user)
>req.format_offered = drsuapi.DRSUAPI_DS_NAME_FORMAT_NT4_ACCOUNT
>req.format_desired = drsuapi.DRSUAPI_DS_NAME_FORMAT_FQDN_1779
>req.count = 1
>req.names = [names]
>i, o = drs.DsCrackNames(drsuapi_handle, 1, req)
>user_dn = o.array[0].result_name
>
>req = drsuapi.DsNameRequest1()
>names = drsuapi.DsNameString()
>names.str = computer_dn
>req.format_offered = drsuapi.DRSUAPI_DS_NAME_FORMAT_FQDN_1779
>req.format_desired = drsuapi.DRSUAPI_DS_NAME_FORMAT_GUID
>req.count = 1
>req.names = [names]
>i, o = drs.DsCrackNames(drsuapi_handle, 1, req)
>source_dsa_guid = o.array[0].result_name
>guid = source_dsa_guid.replace('{', '').replace('}', '').encode('utf8')
>
>#guid = "e121f416-5309-4b2a-83ee-2f04593951d5"
>#user_dn = "CN=win1,CN=Users,DC=w2k12,DC=test"
>
>req8 = drsuapi.DsGetNCChangesRequest8()
>req8.destination_dsa_guid = misc.GUID(guid)
>req8.source_dsa_invocation_id = misc.GUID(guid)
>req8.naming_context = drsuapi.DsReplicaObjectIdentifier()
>req8.naming_context.dn = user_dn
>req8.replica_flags = 0
>req8.max_object_count = 402
>req8.max_ndr_size = 402116
>req8.extended_op = drsuapi.DRSUAPI_EXOP_REPL_SECRET
>req8.fsmo_info = 0
>
>while True:
>	(level, ctr) = drs.DsGetNCChanges(drsuapi_handle, 8, req8)
>	rid = None
>	unicode_blob = None
>	if ctr.first_object is None:
>		break
>	for i in ctr.first_object.object.attribute_ctr.attributes:
>		if str(i.attid) == "589970":
>		# DRSUAPI_ATTID_objectSid
>			if i.value_ctr.values:
>				for j in i.value_ctr.values:
>					sid = ndr_unpack(security.dom_sid, j.blob)
>					_tmp, rid = sid.split()
>		if str(i.attid) == "589914":
>		# DRSUAPI_ATTID_unicodePwd
>			if i.value_ctr.values:
>				for j in i.value_ctr.values:
>					unicode_blob = j.blob
>	if rid and unicode_blob:
>		nt_hash = decrypt(drs.user_session_key, unicode_blob, rid)
>		print nt_hash
>
>	if ctr.more_data == 0:
>		break

Actions: View

Attachments on bug 40745: 7493 | 7494