Added nt_hash and parse_lm_nt_hashes functions in sectools.windows.cr…

…ypto
p0dalirius · Jul 31, 2022 · 506a29e · 506a29e
1 parent e0bf18a
commit 506a29e
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 24 deletions.
diff --git a/sectools/windows/crypto.py b/sectools/windows/crypto.py
@@ -4,12 +4,32 @@
 # Author             : Podalirius (@podalirius_)
 # Date created       : 30 Jul 2022
 
+import re
+import hashlib
+
+
 def parse_lm_nt_hashes(lm_nt_hashes_string):
-    lm_hash = ""
-    nt_hash = ""
-    if hashes is not None:
-        if ":" in hashes:
-            lm_hash = hashes.split(":")[0]
-            nt_hash = hashes.split(":")[1]
-        else:
-            nt_hash = hashes
+    lm_hash_value, nt_hash_value = "", ""
+    matched = re.match("([0-9a-f]{32})?(:)?([0-9a-f]{32})?", lm_nt_hashes_string.strip().lower())
+
+    m_lm_hash, m_sep, m_nt_hash = matched.groups()
+    print(m_lm_hash, m_sep, m_nt_hash)
+    if m_lm_hash is None and m_sep is None and m_nt_hash is None:
+        lm_hash_value, nt_hash_value = "", ""
+    elif m_lm_hash is None and m_nt_hash is not None:
+        lm_hash_value = "aad3b435b51404eeaad3b435b51404ee"
+        nt_hash_value = m_nt_hash
+    elif m_lm_hash is not None and m_nt_hash is None:
+        lm_hash_value = m_lm_hash
+        nt_hash_value = nt_hash("")
+    return lm_hash_value, nt_hash_value
+
+
+def nt_hash(data):
+    if type(data) == str:
+        data = bytes(data, 'utf-16-le')
+
+    ctx = hashlib.new('md4', data)
+    nt_hash_value = ctx.hexdigest()
+
+    return nt_hash_value
diff --git a/sectools/windows/ldap.py b/sectools/windows/ldap.py
@@ -5,28 +5,14 @@
 # Date created       : 30 Jul 2022
 
 
+from sectools.windows.crypto import parse_lm_nt_hashes
 import binascii
 import ldap3
 import logging
 import os
 import ssl
 
 
-def get_machine_name(auth_domain, auth_dc_ip):
-    if auth_dc_ip is not None:
-        s = SMBConnection(auth_dc_ip, auth_dc_ip)
-    else:
-        s = SMBConnection(auth_domain, auth_domain)
-    try:
-        s.login('', '')
-    except Exception:
-        if s.getServerName() == '':
-            raise Exception('Error while anonymous logging into %s' % auth_domain)
-    else:
-        s.logoff()
-    return s.getServerName()
-
-
 def __init_ldap_connection(target, tls_version, dc_ip, domain, username, password, lmhash, nthash, use_ldaps=False, auth_key=None):
     user = '%s\\%s' % (domain, username)
     if tls_version is not None:
@@ -90,14 +76,15 @@ def init_ldap_session(auth_domain, auth_dc_ip, auth_username, auth_password, aut
 
 def get_computers_from_domain(auth_domain, auth_dc_ip, auth_username, auth_password, auth_hashes):
 
+    auth_lm_hash, auth_nt_hash = parse_lm_nt_hashes(auth_hashes)
+
     ldap_server, ldap_session = init_ldap_session(
         auth_domain=auth_domain,
         auth_dc_ip=auth_dc_ip,
         auth_username=auth_username,
         auth_password=auth_password,
         auth_lm_hash=auth_lm_hash,
         auth_nt_hash=auth_nt_hash,
-        use_kerberos=False,
         use_ldaps=False
     )