#!/usr/bin/env python # Impacket - Collection of Python classes for working with network protocols. # # SECUREAUTH LABS. Copyright (C) 2021 SecureAuth Corporation. All rights reserved. # # This software is provided under a slightly modified version # of the Apache Software License. See the accompanying LICENSE file # for more information. # # Description: # [MS-RDPBCGR] and [MS-CREDSSP] partial implementation # just to reach CredSSP auth. This example test whether # an account is valid on the target host. # # Author: # Alberto Solino (@agsolino) # # ToDo: # [x] Manage to grab the server's SSL key so we can finalize the whole # authentication process (check [MS-CSSP] section 3.1.5) # from struct import pack, unpack from impacket.examples import logger from impacket.examples.utils import parse_target from impacket.structure import Structure from impacket.spnego import GSSAPI, ASN1_SEQUENCE, ASN1_OCTET_STRING, asn1decode, asn1encode TDPU_CONNECTION_REQUEST = 0xe0 TPDU_CONNECTION_CONFIRM = 0xd0 TDPU_DATA = 0xf0 TPDU_REJECT = 0x50 TPDU_DATA_ACK = 0x60 # RDP_NEG_REQ constants TYPE_RDP_NEG_REQ = 1 PROTOCOL_RDP = 0 PROTOCOL_SSL = 1 PROTOCOL_HYBRID = 2 # RDP_NEG_RSP constants TYPE_RDP_NEG_RSP = 2 EXTENDED_CLIENT_DATA_SUPPORTED = 1 DYNVC_GFX_PROTOCOL_SUPPORTED = 2 # RDP_NEG_FAILURE constants TYPE_RDP_NEG_FAILURE = 3 SSL_REQUIRED_BY_SERVER = 1 SSL_NOT_ALLOWED_BY_SERVER = 2 SSL_CERT_NOT_ON_SERVER = 3 INCONSISTENT_FLAGS = 4 HYBRID_REQUIRED_BY_SERVER = 5 SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER = 6 class TPKT(Structure): commonHdr = ( ('Version','B=3'), ('Reserved','B=0'), ('Length','>H=len(TPDU)+4'), ('_TPDU','_-TPDU','self["Length"]-4'), ('TPDU',':=""'), ) class TPDU(Structure): commonHdr = ( ('LengthIndicator','B=len(VariablePart)+1'), ('Code','B=0'), ('VariablePart',':=""'), ) def __init__(self, data = None): Structure.__init__(self,data) self['VariablePart']='' class CR_TPDU(Structure): commonHdr = ( ('DST-REF',' # # Note During this phase of the protocol, the OPTIONAL authInfo field is omitted # from the TSRequest structure by the client and server; the OPTIONAL pubKeyAuth # field is omitted by the client unless the client is sending the last SPNEGO token. # If the client is sending the last SPNEGO token, the TSRequest structure MUST have # both the negoToken and the pubKeyAuth fields filled in. # NTLMSSP stuff auth = ntlm.getNTLMSSPType1('','',True, use_ntlmv2 = True) ts_request = TSRequest() ts_request['NegoData'] = auth.getData() tls.send(ts_request.getData()) buff = tls.recv(4096) ts_request.fromString(buff) # 3. The client encrypts the public key it received from the server (contained # in the X.509 certificate) in the TLS handshake from step 1, by using the # confidentiality support of SPNEGO. The public key that is encrypted is the # ASN.1-encoded SubjectPublicKey sub-field of SubjectPublicKeyInfo from the X.509 # certificate, as specified in [RFC3280] section 4.1. The encrypted key is # encapsulated in the pubKeyAuth field of the TSRequest structure and is sent over # the TLS channel to the server. # # Note During this phase of the protocol, the OPTIONAL authInfo field is omitted # from the TSRequest structure; the client MUST send its last SPNEGO token to the # server in the negoTokens field (see step 2) along with the encrypted public key # in the pubKeyAuth field. # Last SPNEGO token calculation #ntlmChallenge = ntlm.NTLMAuthChallenge(ts_request['NegoData']) type3, exportedSessionKey = ntlm.getNTLMSSPType3(auth, ts_request['NegoData'], username, password, domain, lmhash, nthash, use_ntlmv2 = True) # Get server public key server_cert = tls.get_peer_certificate() pkey = server_cert.get_pubkey() dump = crypto.dump_publickey(crypto.FILETYPE_ASN1, pkey) # Parsing the key from ASN1 encoded dump = dump[24:] cipher = SPNEGOCipher(type3['flags'], exportedSessionKey) signature, cripted_key = cipher.encrypt(dump) ts_request['NegoData'] = type3.getData() ts_request['pubKeyAuth'] = signature.getData() + cripted_key try: # Sending the Type 3 NTLM blob tls.send(ts_request.getData()) # The other end is waiting for the pubKeyAuth field, but looks like it's # not needed to check whether authentication worked. # If auth is unsuccessful, it throws an exception with the previous send(). # If auth is successful, the server waits for the pubKeyAuth and doesn't answer # anything. So, I'm sending garbage so the server returns an error. # Luckily, it's a different error so we can determine whether or not auth worked ;) buff = tls.recv(1024) except Exception as err: if str(err).find("denied") > 0: logging.error("Access Denied") else: logging.error(err) return # 4. After the server receives the public key in step 3, it first verifies that # it has the same public key that it used as part of the TLS handshake in step 1. # The server then adds 1 to the first byte representing the public key (the ASN.1 # structure corresponding to the SubjectPublicKey field, as described in step 3) # and encrypts the binary result by using the SPNEGO encryption services. # Due to the addition of 1 to the binary data, and encryption of the data as a binary # structure, the resulting value may not be valid ASN.1-encoded values. # The encrypted binary data is encapsulated in the pubKeyAuth field of the TSRequest # structure and is sent over the encrypted TLS channel to the client. # The addition of 1 to the first byte of the public key is performed so that the # client-generated pubKeyAuth message cannot be replayed back to the client by an # attacker. # # Note During this phase of the protocol, the OPTIONAL authInfo and negoTokens # fields are omitted from the TSRequest structure. ts_request = TSRequest(buff) # Now we're decrypting the certificate + 1 sent by the server. Not worth checking ;) signature, plain_text = cipher.decrypt(ts_request['pubKeyAuth'][16:]) # 5. After the client successfully verifies server authenticity by performing a # binary comparison of the data from step 4 to that of the data representing # the public key from the server's X.509 certificate (as specified in [RFC3280], # section 4.1), it encrypts the user's credentials (either password or smart card # PIN) by using the SPNEGO encryption services. The resulting value is # encapsulated in the authInfo field of the TSRequest structure and sent over # the encrypted TLS channel to the server. # The TSCredentials structure within the authInfo field of the TSRequest # structure MAY contain either a TSPasswordCreds or a TSSmartCardCreds structure, # but MUST NOT contain both. # # Note During this phase of the protocol, the OPTIONAL pubKeyAuth and negoTokens # fields are omitted from the TSRequest structure. tsp = TSPasswordCreds() tsp['domainName'] = domain tsp['userName'] = username tsp['password'] = password tsc = TSCredentials() tsc['credType'] = 1 # TSPasswordCreds tsc['credentials'] = tsp.getData() signature, cripted_creds = cipher.encrypt(tsc.getData()) ts_request = TSRequest() ts_request['authInfo'] = signature.getData() + cripted_creds tls.send(ts_request.getData()) tls.close() logging.info("Access Granted") # Init the example's logger theme logger.init() print(version.BANNER) parser = argparse.ArgumentParser(add_help = True, description = "Test whether an account is valid on the target " "host using the RDP protocol.") parser.add_argument('target', action='store', help='[[domain/]username[:password]@]') group = parser.add_argument_group('authentication') group.add_argument('-hashes', action="store", metavar = "LMHASH:NTHASH", help='NTLM hashes, format is LMHASH:NTHASH') if len(sys.argv)==1: parser.print_help() sys.exit(1) options = parser.parse_args() domain, username, password, address = parse_target(options.target) if domain is None: domain = '' if password == '' and username != '' and options.hashes is None: from getpass import getpass password = getpass("Password:") check_rdp(address, username, password, domain, options.hashes)