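# The lines down to the first closing brace are the tail of a function whose
# header lies above this excerpt. They mirror check_gssapi_token (bottom of
# this file) but decrypt with `principal:name`; they are kept as they were.
  if (ord(kid[0]) != 2) # TOK_ID 02 00 = KRB_AP_REP
    return NULL;

  aprep = der_parse_data (tag:0x6F, data:list[3]);   # [APPLICATION 15] AP-REP
  if (isnull (aprep))
    return NULL;

  seq = der_parse_sequence (seq:aprep, num:4, list:FALSE);
  if (isnull (seq))
    return NULL;

  pvno = der_parse_int (i:seq[0]);
  if (isnull (pvno) || (pvno != 5))
    return NULL;

  msg_type = der_parse_int (i:seq[1]);
  if (isnull (msg_type) || (msg_type != 15)) # KRB_AP_REP
    return NULL;

  enc_part = der_parse_sequence (seq:seq[2], num:3, list:NULL);   # EncryptedData
  if (isnull (enc_part))
    return NULL;

  enc_type = der_parse_int (i:enc_part[0]);
  if (isnull (enc_type) || (supported_encryption_type(type:enc_type) == FALSE))
    return NULL;

  encrypted = der_parse_octet_string (string:enc_part[2]);
  if (isnull (encrypted))
    return NULL;

  # key usage 12 = AP-REP encrypted part (RFC 4120 section 7.5.1)
  decrypted = kerberos_decrypt (key:key, type:raw_dword(d:12), data:encrypted, real_key:TRUE, enc_type:enc_type, realm:realm, principal:name);
  if (isnull (decrypted))
    return NULL;

  # we need to extract the subkey if present for SMB Signing
  enc_part = der_parse_data (tag:0x7b, data:decrypted);   # [APPLICATION 27] EncAPRepPart
  if (isnull (enc_part))
    return NULL;

  seq = der_parse_sequence (seq:enc_part, num:4, list:NULL);
  if (isnull (seq))
    return NULL;

  ret = NULL;
  ret[0] = 0;   # no subkey

  if (seq[2] != NULL)   # subkey [2] OPTIONAL
  {
    seq = der_parse_sequence (seq:seq[2], num:2, list:NULL);   # EncryptionKey
    if (isnull (seq))
      return NULL;

    enc_type = der_parse_int (i:seq[0]);
    if (isnull (enc_type) || (supported_encryption_type(type:enc_type) == FALSE))
      return NULL;

    enc_key = der_parse_octet_string (string:seq[1]);
    if (isnull (enc_key))
      return NULL;

    ret[0] = 1;
    ret[1] = enc_key;
  }

  return ret;
}

#---------------------------------------------------------#
# Function : raw_ntlmssp_negotiate                        #
# Description : generate NTLMSSP_NEGOTIATE blob           #
#               (raw NEGOTIATE_MESSAGE, not SPNEGO-wrapped)#
#---------------------------------------------------------#
function raw_ntlmssp_negotiate ()
{
  local_var ntlmssp;

  ntlmssp = "NTLMSSP" + raw_string (0x00);   # signature
  ntlmssp += raw_dword (d:1);                # NTLMSSP_NEGOTIATE
  ntlmssp += raw_dword (d:NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_REQUEST_TARGET | NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_NTLM2); # Flags

  # domain and workstation fields are both sent empty
  ntlmssp += ntlmssp_data (data:NULL, offset:0);
  ntlmssp += ntlmssp_data (data:NULL, offset:0);

  # Version field: major 5, minor 1, build 2600, three reserved bytes,
  # NTLMSSP revision 0x0F
  ntlmssp += raw_byte (b:5) + raw_byte (b:1);
  ntlmssp += raw_word (w:2600);
  ntlmssp += raw_string (0x00,0x00,0x00,0x0F);

  return ntlmssp;
}

#---------------------------------------------------------#
# Function : ntlmssp_negotiate_securityblob               #
# Description : Return NTLMSSP_NEGOTIATE blob wrapped in  #
#               a SPNEGO negTokenInit                     #
#---------------------------------------------------------#
function ntlmssp_negotiate_securityblob ()
{
  local_var mechtypes, mechtoken;

  # mechTypes holds a single entry: the NTLMSSP OID
  mechtypes = der_encode (tag:0x30, data:der_encode_oid (oid:"1.3.6.1.4.1.311.2.2.10"));
  mechtoken = der_encode_octet_string (string:raw_ntlmssp_negotiate ());

  return der_encode_negtokeninit (mechtypes:mechtypes, reqflags:NULL, mechtoken:mechtoken, mechlistmic:NULL);
}

#---------------------------------------------------------#
# Function : raw_ntlmssp_parse_challenge                  #
# Description : Parse a raw NTLM CHALLENGE_MESSAGE        #
# Returns NULL on a malformed message, else an array:     #
#   [0] 8-byte server challenge                           #
#   [1] target name                                       #
#   [2] target info (AV_PAIR list)                        #
#---------------------------------------------------------#
function raw_ntlmssp_parse_challenge (data)
{
  local_var init, msg, d_len, offset, domain, challenge, addr_list, ret;

  ret = NULL;

  # Fixed part of a CHALLENGE_MESSAGE: signature(8) type(4) TargetName fields(8)
  # flags(4) ServerChallenge(8) reserved(8) TargetInfo fields(8) = 48 bytes.
  # The data comes from the remote server, so check before indexing into it.
  if (strlen(data) < 48)
    return NULL;

  init = substr (data, 0, 7);
  if ("NTLMSSP" >!< init)
    return NULL;

  msg = substr (data, 8, 11);
  if ("02000000" >!< hexstr(msg)) # NTLMSSP_CHALLENGE
    return NULL;

  # TargetName: Len at 12, BufferOffset (dword) at 16
  d_len = get_word (blob:data, pos:12);
  offset = get_dword (blob:data, pos:16);
  if (d_len > 0 && (offset + d_len > strlen(data)))
    return NULL;   # descriptor points past the end of the message
  domain = substr (data, offset, offset+d_len-1);

  challenge = substr (data, 24, 31);

  # TargetInfo: Len at 40, BufferOffset at 44 - a dword like the one at 16
  # (it was read as a word before, which only worked for offsets below 64K)
  d_len = get_word (blob:data, pos:40);
  offset = get_dword (blob:data, pos:44);
  if (d_len > 0 && (offset + d_len > strlen(data)))
    return NULL;
  addr_list = substr (data, offset, offset+d_len-1);

  ret[0] = challenge;
  ret[1] = domain;
  ret[2] = addr_list;

  return ret;
}

#---------------------------------------------------------#
# Function : ntlmssp_parse_challenge                      #
# Description : Extract the NTLM CHALLENGE_MESSAGE from a #
#               SPNEGO negTokenResp and parse it; see     #
#               raw_ntlmssp_parse_challenge for the result#
#---------------------------------------------------------#
function ntlmssp_parse_challenge (data)
{
  local_var negtokentarg, negresult, supportedmech, responsetoken;

  negtokentarg = der_parse_spnego_resp (sdata:data);
  if (isnull (negtokentarg))
    return NULL;

  negresult = negtokentarg[0];
  if (negresult != 1) # accept-incomplete
    return NULL;

  supportedmech = negtokentarg[1];
  if ("1.3.6.1.4.1.311.2.2.10" >!< supportedmech) # NTLMSSP
    return NULL;

  responsetoken = negtokentarg[2];
  if (!responsetoken)
    return NULL;
  if (strlen(responsetoken) < 40)
    return NULL;

  # the inline copy of the parser that used to follow this return was unreachable
  return raw_ntlmssp_parse_challenge (data:responsetoken);
}

#---------------------------------------------------------#
# Function : ntlmssp_parse_response                       #
# Description : Return the negResult of a SPNEGO          #
#               negTokenResp (NULL if it does not parse)  #
#---------------------------------------------------------#
function ntlmssp_parse_response (data)
{
  local_var negtokentarg;

  negtokentarg = der_parse_spnego_resp (sdata:data);
  if (isnull (negtokentarg))
    return NULL;

  return negtokentarg[0];
}

#---------------------------------------------------------#
# Function : ntlmssp_data                                 #
# Description : Build an NTLM field descriptor            #
#   word  Len                                             #
#   word  MaxLen (same as Len)                            #
#   dword BufferOffset                                    #
#---------------------------------------------------------#
function ntlmssp_data (data, offset)
{
  local_var len;

  len = strlen (data);
  return raw_word (w:len) + raw_word (w:len) + raw_dword (d:offset);
}

#---------------------------------------------------------#
# Function : raw_ntlmssp_auth_securityblob                #
# Description : Return NTLMSSP_AUTH blob                  #
# Returns an array: [0] raw AUTHENTICATE_MESSAGE,         #
#   [1] key material from LMv2_Response (NULL when no     #
#   login is given)                                       #
#---------------------------------------------------------#
function raw_ntlmssp_auth_securityblob (password, login, hash, domain, challenge)
{
  local_var ntlmssp, nt, response;
  local_var hostname, sessionkey, lm, offset, key, ret;

  sessionkey = lm = nt = NULL;
  hostname = domain;   # the workstation field is filled with the domain string

  # Systems with Extended Security Authentication support NTLMv2 so NTLMv1 is useless here (?)
  if (login)
  {
    response = LMv2_Response (password:password, login:login, hash:hash, domain:domain, challenge:challenge);
    lm = response[0];
    key = response[1];
  }
  else
  {
    lm = raw_string (0x00);   # anonymous: one-byte LM response, key stays NULL
  }

  # The NTLM response field is left empty: nt stays NULL, so its descriptor
  # carries length 0 and nothing is appended to the payload.
  #response = NTLM_Response (password:password, hash:hash, challenge:challenge);
  #nt = response[0];

  # Payload starts right after the 0x48-byte fixed header (signature, type,
  # six field descriptors, flags, version).
  offset = 0x48;

  ntlmssp = "NTLMSSP" + raw_string (0x00);
  ntlmssp += raw_dword (d:3);   # NTLMSSP_AUTH

  ntlmssp += ntlmssp_data (data:lm, offset:offset);          # LM / LMv2 response
  offset += strlen (lm);
  ntlmssp += ntlmssp_data (data:nt, offset:offset);          # NTLM response (empty)
  offset += strlen (nt);
  ntlmssp += ntlmssp_data (data:domain, offset:offset);      # domain name
  offset += strlen (domain);
  ntlmssp += ntlmssp_data (data:login, offset:offset);       # user name
  offset += strlen (login);
  ntlmssp += ntlmssp_data (data:hostname, offset:offset);    # workstation name
  offset += strlen (hostname);
  ntlmssp += ntlmssp_data (data:sessionkey, offset:offset);  # encrypted session key (empty)
  offset += strlen (sessionkey);

  ntlmssp += raw_dword (d:NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_REQUEST_TARGET | NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_NTLM2); # Flags

  # Version field: 1.0 build 0, three reserved bytes, NTLMSSP revision 0x0F
  ntlmssp += raw_byte (b:1) + raw_byte (b:0);
  ntlmssp += raw_word (w:0);
  ntlmssp += raw_string (0x00,0x00,0x00,0x0F);

  # payload, in the same order as the descriptors above
  ntlmssp += lm + nt + domain + login + hostname + sessionkey;

  ret = NULL;
  ret[0] = ntlmssp;
  ret[1] = key;

  return ret;
}

#---------------------------------------------------------#
# Function : ntlmssp_auth_securityblob                    #
# Description : Return NTLMSSP_AUTH blob wrapped in a     #
#               SPNEGO negTokenResp                       #
# Returns an array: [0] key from the raw blob,            #
#   [1] the DER-encoded negTokenResp                      #
#---------------------------------------------------------#
function ntlmssp_auth_securityblob (password, login, hash, domain, challenge)
{
  local_var ntlmssp, responsetoken, ret;

  ret = raw_ntlmssp_auth_securityblob (password:password, login:login, hash:hash, domain:domain, challenge:challenge);

  # negTokenResp ::= [1] SEQUENCE { [2] responseToken OCTET STRING }
  ntlmssp = der_encode_octet_string (string:ret[0]);
  responsetoken = der_encode (tag:0xA2, data:ntlmssp);
  responsetoken = der_encode_list (list:responsetoken);

  # reuse the array: the key moves to [0], the token goes to [1]
  ret[0] = ret[1];
  ret[1] = der_encode (tag:0xA1, data:responsetoken);

  return ret;
}

#---------------------------------------------------------#
# Function : kerberos_ssh                                 #
# Description : Run the AS and TGS exchanges against the  #
#               KDC and build the initial GSS-API context #
#               token (krb5 mech) for the host service    #
# Returns NULL on any failure, else an array:             #
#   [0] session[1] from der_decode_tgsrep (presumably the #
#       service ticket session key - verify there)        #
#   [1] the [APPLICATION 0] InitialContextToken           #
#---------------------------------------------------------#
function kerberos_ssh (login, password, realm, host, seqnum)
{
  local_var ret, soc2, resp, rep, req, cksum, checksum, apreq, innercontexttoken, initialcontexttoken, session;

  soc2 = open_sock_kdc ();
  if (isnull (soc2))
    return NULL;

  # AS exchange. enctype 3 is des-cbc-md5 (single DES): weak, and refused by
  # default on current KDCs, so this path only works against legacy realms.
  req = der_encode_asreq (principal:login, realm:realm, password:password, enc_type:3);
  send (socket:soc2, data:req);
  resp = recv (socket:soc2, length:4096);
  if (!resp)
  {
    close (soc2);
    return NULL;
  }

  # Check the decoded reply, not the raw bytes already tested above; otherwise a
  # failed AS-REP decode carries a NULL session into the TGS request.
  rep = der_decode_asrep (password:password, data:resp);
  if (isnull (rep))
  {
    close (soc2);
    return NULL;
  }
  session = rep;

  # TGS exchange for the host service ticket
  req = der_encode_tgsreq (session:session, name:host);
  send (socket:soc2, data:req);
  resp = recv (socket:soc2, length:4096);
  close (soc2);
  if (!resp)
    return NULL;

  rep = der_decode_tgsrep (session:session, data:resp);
  if (isnull (rep))
    return NULL;
  session = rep;

  # GSS-API checksum (RFC 1964 1.1.1): Lgth = 16, 16 zero bytes of channel
  # binding, Flags = GSS_C_INTEG_FLAG (32) | GSS_C_MUTUAL_FLAG (2).
  # The expression must end here: a trailing '+' would swallow the next assignment.
  cksum = raw_dword (d:16) +
          crap (data:raw_string(0), length:16) +
          raw_dword (d:32|2);

  checksum = NULL;
  checksum[0] = der_encode_int32 (i:0x8003);   # cksumtype 0x8003 = GSS-API
  checksum[1] = der_encode (tag:0x04, data:cksum);

  apreq = der_encode_apreq (session:session, type:11, _checksum:der_encode_sequence (seq:checksum), _seqnum:seqnum);

  # TOK_ID 01 00 = KRB_AP_REQ, preceded by the krb5 mechanism OID
  innercontexttoken = raw_string (0x01,0x00) + apreq;
  initialcontexttoken = der_encode_oid (oid:"1.2.840.113554.1.2.2") + innercontexttoken;

  ret = NULL;
  ret[0] = session[1];
  ret[1] = der_encode (tag:0x60, data:initialcontexttoken);

  return ret;
}

#---------------------------------------------------------#
# Function : gssapi_ssh_get_mic                           #
# Description : Return a GSS-API MIC token (RFC 1964,     #
#               DES MAC MD5) over `data`                  #
#   key    : DES session key                              #
#   seqnum : sequence number to protect                   #
#---------------------------------------------------------#
function gssapi_ssh_get_mic (data, key, seqnum)
{
  local_var hdr, hash, des_cksum, seq_num, crypted;

  # MIC token header: TOK_ID 01 01, SGN_ALG 00 00 (DES MAC MD5), filler FF FF FF FF
  hdr = raw_string (0x01,0x01,0x00,0x00,0xFF,0xFF,0xFF,0xFF);

  # SGN_CKSUM = DES-CBC-MAC with a zero IV over MD5(header || data)
  hash = MD5 (hdr + data);
  des_cksum = des_cbc_checksum (key:key, data:hash, iv:raw_string(0,0,0,0,0,0,0,0));

  # SND_SEQ = sequence number plus 4-byte direction indicator (0 = initiator),
  # DES-CBC encrypted with the checksum as IV
  seq_num = raw_dword (d:seqnum) + raw_dword (d:0);
  crypted = des_cbc_encrypt (data:seq_num, key:key, iv:des_cksum, encrypt:1);

  return der_encode (tag:0x60, data:der_encode_oid (oid:"1.2.840.113554.1.2.2") + hdr + crypted + des_cksum);
}

#---------------------------------------------------------#
# Function : check_gssapi_token                           #
# Description : Validate the server's GSS-API reply token #
#               (must be a KRB_AP_REP that decrypts with  #
#               `key`) and pull out the subkey if present #
# Returns NULL if the token is malformed or does not      #
#   decrypt, else an array: [0] 1 if a subkey was found   #
#   (then [1] holds it), 0 otherwise                      #
#---------------------------------------------------------#
function check_gssapi_token (data, key, realm, principal)
{
  local_var list, oid, seq, kid, aprep, pvno, msg_type, enc_part, enc_type, encrypted, decrypted, enc_key, kerberosblob, ret;

  # strip the [APPLICATION 0] wrapper; need OID (11 bytes) + TOK_ID (2) + at least one byte
  kerberosblob = der_parse_data (tag:0x60, data:data);
  if (isnull (kerberosblob) || (strlen(kerberosblob) < 14))
    return NULL;

  list = NULL;
  list[1] = substr (kerberosblob, 0, 10);
  list[2] = substr (kerberosblob, 11, 12);
  list[3] = substr (kerberosblob, 13, strlen(kerberosblob)-1);

  oid = der_parse_oid (oid:list[1]);
  if (!oid || ("1.2.840.113554.1.2.2" >!< oid)) # krb5 mechanism
    return NULL;

  kid = list[2];
  if (ord(kid[0]) != 2) # TOK_ID 02 00 = KRB_AP_REP
    return NULL;

  aprep = der_parse_data (tag:0x6F, data:list[3]);   # [APPLICATION 15] AP-REP
  if (isnull (aprep))
    return NULL;

  seq = der_parse_sequence (seq:aprep, num:4, list:FALSE);
  if (isnull (seq))
    return NULL;

  pvno = der_parse_int (i:seq[0]);
  if (isnull (pvno) || (pvno != 5))
    return NULL;

  msg_type = der_parse_int (i:seq[1]);
  if (isnull (msg_type) || (msg_type != 15)) # KRB_AP_REP
    return NULL;

  enc_part = der_parse_sequence (seq:seq[2], num:3, list:NULL);   # EncryptedData
  if (isnull (enc_part))
    return NULL;

  enc_type = der_parse_int (i:enc_part[0]);
  if (isnull (enc_type) || (supported_encryption_type(type:enc_type) == FALSE))
    return NULL;

  encrypted = der_parse_octet_string (string:enc_part[2]);
  if (isnull (encrypted))
    return NULL;

  # key usage 12 = AP-REP encrypted part (RFC 4120 section 7.5.1)
  decrypted = kerberos_decrypt (key:key, type:raw_dword(d:12), data:encrypted, real_key:TRUE, enc_type:enc_type, realm:realm, principal:principal);
  if (isnull (decrypted))
    return NULL;

  # we need to extract the subkey if present for SMB Signing
  enc_part = der_parse_data (tag:0x7b, data:decrypted);   # [APPLICATION 27] EncAPRepPart
  if (isnull (enc_part))
    return NULL;

  seq = der_parse_sequence (seq:enc_part, num:4, list:NULL);
  if (isnull (seq))
    return NULL;

  ret = NULL;
  ret[0] = 0;   # no subkey

  if (seq[2] != NULL)   # subkey [2] OPTIONAL
  {
    seq = der_parse_sequence (seq:seq[2], num:2, list:NULL);   # EncryptionKey
    if (isnull (seq))
      return NULL;

    enc_type = der_parse_int (i:seq[0]);
    if (isnull (enc_type) || (supported_encryption_type(type:enc_type) == FALSE))
      return NULL;

    enc_key = der_parse_octet_string (string:seq[1]);
    if (isnull (enc_key))
      return NULL;

    ret[0] = 1;
    ret[1] = enc_key;
  }

  return ret;
}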