SPNEGO: add new from_cli_arguments function, improvements

Author: gpotter2

scapy/layers/kerberos.py

@@ -143,6 +143,12 @@
 from scapy.layers.smb2 import STATUS_ERREF
 from scapy.layers.x509 import X509_AlgorithmIdentifier
 
+# Redirect exports from RFC3961
+try:
+    from scapy.libs.rfc3961 import *  # noqa: F401,F403
+except ImportError:
+    pass
+
 # Typing imports
 from typing import (
     Optional,

scapy/layers/smbclient.py

@@ -20,7 +20,6 @@
 import threading
 
 from scapy.automaton import ATMT, Automaton, ObjectPipe
-from scapy.base_classes import Net
 from scapy.config import conf
 from scapy.error import Scapy_Exception
 from scapy.fields import UTCTimeField
@@ -29,8 +28,6 @@
     CLIUtil,
     pretty_list,
     human_size,
-    valid_ip,
-    valid_ip6,
 )
 from scapy.volatile import RandUUID
 
@@ -40,12 +37,6 @@
     GSS_S_CONTINUE_NEEDED,
     GSS_C_FLAGS,
 )
-from scapy.layers.inet6 import Net6
-from scapy.layers.kerberos import (
-    KerberosSSP,
-    krb_as_and_tgs,
-    _parse_upn,
-)
 from scapy.layers.msrpce.raw.ms_srvs import (
     LPSHARE_ENUM_STRUCT,
     NetrShareEnum_Request,
@@ -54,7 +45,6 @@
 )
 from scapy.layers.ntlm import (
     NTLMSSP,
-    MD4le,
 )
 from scapy.layers.smb import (
     SMBNegotiate_Request,
@@ -1104,11 +1094,12 @@ class smbclient(CLIUtil):
     :param UPN: the upn to use (DOMAIN/USER, DOMAIN\USER, USER@DOMAIN or USER)
     :param guest: use guest mode (over NTLM)
     :param ssp: if provided, use this SSP for auth.
-    :param kerberos: if available, whether to use Kerberos or not
     :param kerberos_required: require kerberos
     :param port: the TCP port. default 445
     :param password: (string) if provided, used for auth
     :param HashNt: (bytes) if provided, used for auth (NTLM)
+    :param HashAes256Sha96: (bytes) if provided, used for auth (Kerberos)
+    :param HashAes128Sha96: (bytes) if provided, used for auth (Kerberos)
     :param ST: if provided, the service ticket to use (Kerberos)
     :param KEY: if provided, the session key associated to the ticket (Kerberos)
     :param cli: CLI mode (default True). False to use for scripting
@@ -1125,9 +1116,10 @@ def __init__(
         UPN: str = None,
         password: str = None,
         guest: bool = False,
-        kerberos: bool = True,
         kerberos_required: bool = False,
-        HashNt: str = None,
+        HashNt: bytes = None,
+        HashAes256Sha96: bytes = None,
+        HashAes128Sha96: bytes = None,
         port: int = 445,
         timeout: int = 2,
         debug: int = 0,
@@ -1141,71 +1133,30 @@ def __init__(
     ):
         if cli:
             self._depcheck()
-        hostname = None
-        # Check if target is a hostname / Check IP
-        if ":" in target:
-            family = socket.AF_INET6
-            if not valid_ip6(target):
-                hostname = target
-            target = str(Net6(target))
-        else:
-            family = socket.AF_INET
-            if not valid_ip(target):
-                hostname = target
-            target = str(Net(target))
         assert UPN or ssp or guest, "Either UPN, ssp or guest must be provided !"
         # Do we need to build a SSP?
         if ssp is None:
             # Create the SSP (only if not guest mode)
             if not guest:
-                # Check UPN
-                try:
-                    _, realm = _parse_upn(UPN)
-                    if realm == ".":
-                        # Local
-                        kerberos = False
-                except ValueError:
-                    # not a UPN: NTLM
-                    kerberos = False
-                # Do we need to ask the password?
-                if HashNt is None and password is None and ST is None:
-                    # yes.
-                    from prompt_toolkit import prompt
-
-                    password = prompt("Password: ", is_password=True)
-                ssps = []
-                # Kerberos
-                if kerberos and hostname:
-                    if ST is None:
-                        resp = krb_as_and_tgs(
-                            upn=UPN,
-                            spn="cifs/%s" % hostname,
-                            password=password,
-                            debug=debug,
-                        )
-                        if resp is not None:
-                            ST, KEY = resp.tgsrep.ticket, resp.sessionkey
-                    if ST:
-                        ssps.append(KerberosSSP(UPN=UPN, ST=ST, KEY=KEY, debug=debug))
-                    elif kerberos_required:
-                        raise ValueError(
-                            "Kerberos required but target isn't a hostname !"
-                        )
-                elif kerberos_required:
-                    raise ValueError(
-                        "Kerberos required but domain not specified in the UPN, "
-                        "or target isn't a hostname !"
-                    )
-                # NTLM
-                if not kerberos_required:
-                    if HashNt is None and password is not None:
-                        HashNt = MD4le(password)
-                    ssps.append(NTLMSSP(UPN=UPN, HASHNT=HashNt))
-                # Build the SSP
-                ssp = SPNEGOSSP(ssps)
+                ssp = SPNEGOSSP.from_cli_arguments(
+                    UPN=UPN,
+                    target=target,
+                    password=password,
+                    HashNt=HashNt,
+                    HashAes256Sha96=HashAes256Sha96,
+                    HashAes128Sha96=HashAes128Sha96,
+                    ST=ST,
+                    KEY=KEY,
+                    kerberos_required=kerberos_required,
+                )
             else:
                 # Guest mode
                 ssp = None
+        # Check if target is IPv4 or IPv6
+        if ":" in target:
+            family = socket.AF_INET6
+        else:
+            family = socket.AF_INET
         # Open socket
         sock = socket.socket(family, socket.SOCK_STREAM)
         # Configure socket for SMB:

scapy/layers/spnego.py

@@ -38,6 +38,7 @@
     ASN1F_optional,
 )
 from scapy.asn1packet import ASN1_Packet
+from scapy.base_classes import Net
 from scapy.fields import (
     FieldListField,
     LEIntEnumField,
@@ -56,7 +57,12 @@
     XStrLenField,
 )
 from scapy.packet import Packet, bind_layers
+from scapy.utils import (
+    valid_ip,
+    valid_ip6,
+)
 
+from scapy.layers.inet6 import Net6
 from scapy.layers.gssapi import (
     GSSAPI_BLOB,
     GSSAPI_BLOB_SIGNATURE,
@@ -75,8 +81,13 @@
 # SSP Providers
 from scapy.layers.kerberos import (
     Kerberos,
+    KerberosSSP,
+    krb_as_and_tgs,
+    _parse_upn,
 )
 from scapy.layers.ntlm import (
+    NTLMSSP,
+    MD4le,
     NEGOEX_EXCHANGE_NTLM,
     NTLM_Header,
     _NTLMPayloadField,
@@ -619,6 +630,112 @@ def __init__(self, ssps, **kwargs):
         self.force_supported_mechtypes = kwargs.pop("force_supported_mechtypes", None)
         super(SPNEGOSSP, self).__init__(**kwargs)
 
+    @classmethod
+    def from_cli_arguments(
+        cls,
+        UPN: str,
+        target: str,
+        password: str = None,
+        HashNt: bytes = None,
+        HashAes256Sha96: bytes = None,
+        HashAes128Sha96: bytes = None,
+        kerberos_required: bool = False,
+        ST=None,
+        KEY=None,
+        debug: int = 0,
+    ):
+        """
+        Initialize a SPNEGOSSP from a list of many arguments.
+        This is useful in a CLI, with NTLM and Kerberos supported by default.
+
+        :param UPN: the UPN of the user to use.
+        :param target: the target IP/hostname entered by the user.
+        :param kerberos_required: require kerberos
+        :param password: (string) if provided, used for auth
+        :param HashNt: (bytes) if provided, used for auth (NTLM)
+        :param HashAes256Sha96: (bytes) if provided, used for auth (Kerberos)
+        :param HashAes128Sha96: (bytes) if provided, used for auth (Kerberos)
+        :param ST: if provided, the service ticket to use (Kerberos)
+        :param KEY: if ST provided, the session key associated to the ticket (Kerberos).
+                    Else, the user secret key.
+        """
+        kerberos = True
+        hostname = None
+        # Check if target is a hostname / Check IP
+        if ":" in target:
+            if not valid_ip6(target):
+                hostname = target
+            target = str(Net6(target))
+        else:
+            if not valid_ip(target):
+                hostname = target
+            target = str(Net(target))
+        # Check UPN
+        try:
+            _, realm = _parse_upn(UPN)
+            if realm == ".":
+                # Local
+                kerberos = False
+        except ValueError:
+            # not a UPN: NTLM only
+            kerberos = False
+        # Do we need to ask the password?
+        if HashNt is None and password is None and ST is None:
+            # yes.
+            from prompt_toolkit import prompt
+
+            password = prompt("Password: ", is_password=True)
+        ssps = []
+        # Kerberos
+        if kerberos and hostname:
+            # Get ticket if we don't already have one.
+            if ST is None:
+                # In this case, KEY is supposed to be the user's key.
+                from scapy.libs.rfc3961 import Key, EncryptionType
+                if KEY is None and HashAes256Sha96:
+                    KEY = Key(
+                        EncryptionType.AES256_CTS_HMAC_SHA1_96,
+                        HashAes256Sha96,
+                    )
+                elif KEY is None and HashAes128Sha96:
+                    KEY = Key(
+                        EncryptionType.AES128_CTS_HMAC_SHA1_96,
+                        HashAes128Sha96,
+                    )
+                elif KEY is None and HashNt:
+                    KEY = Key(
+                        EncryptionType.RC4_HMAC,
+                        HashNt,
+                    )
+                # Get the ticket.
+                resp = krb_as_and_tgs(
+                    upn=UPN,
+                    key=KEY,
+                    spn="cifs/%s" % hostname,
+                    password=password,
+                    debug=debug,
+                )
+                if resp is not None:
+                    ST, KEY = resp.tgsrep.ticket, resp.sessionkey
+            if ST:
+                ssps.append(KerberosSSP(UPN=UPN, ST=ST, KEY=KEY, debug=debug))
+            elif kerberos_required:
+                raise ValueError(
+                    "Kerberos required but target isn't a hostname !"
+                )
+        elif kerberos_required:
+            raise ValueError(
+                "Kerberos required but domain not specified in the UPN, "
+                "or target isn't a hostname !"
+            )
+        # NTLM
+        if not kerberos_required:
+            if HashNt is None and password is not None:
+                HashNt = MD4le(password)
+            ssps.append(NTLMSSP(UPN=UPN, HASHNT=HashNt))
+        # Build the SSP
+        return cls(ssps)
+
     def _extract_gssapi(self, Context, x):
         status, otherMIC, rawToken = None, None, False
         # Extract values from GSSAPI

scapy/libs/rfc3961.py

@@ -22,10 +22,12 @@
 # TODO: support cipher states...
 
 __all__ = [
-    "EncryptionType",
     "ChecksumType",
-    "Key",
+    "EncryptionType",
     "InvalidChecksum",
+    "KRB_FX_CF2",
+    "Key",
+    "SP800108_KDFCTR",
     "_rfc1964pad",
 ]