SPNEGO: add new from_cli_arguments function, improvements

doc/scapy/layers/smb.rst

@@ -76,7 +76,7 @@ You might be wondering if you can pass the ``HashNT`` of the password of the use
 
 .. code:: python
 
-    >>> smbclient("server1.domain.local", ssp=KerberosSSP(SPN="cifs/server1", UPN="[email protected]", PASSWORD="password"))
+    >>> smbclient("server1.domain.local", ssp=KerberosSSP(UPN="[email protected]", PASSWORD="password"))
 
 **smbclient using a** :class:`~scapy.layers.ntlm.KerberosSSP` **created by** `Ticketer++ <kerberos.html#ticketer>`_:
 
@@ -155,7 +155,6 @@ Let's write a script that connects to a share and list the files in the root fol
         KerberosSSP(
             UPN="[email protected]",
             PASSWORD=password,
-            SPN="cifs/server1",
         )
     ])
     # Connect to the server

scapy/config.py

@@ -599,6 +599,7 @@ class ExtsManager(importlib.abc.MetaPathFinder):
     def __init__(self):
         self.exts: List[ScapyExt] = []
         self.all_specs: Dict[str, ScapyExt.ScapyExtSpec] = {}
+        self._loaded: List[str] = []
         # Add to meta_path as we are an import provider
         if self not in sys.meta_path:
             sys.meta_path.append(self)
@@ -628,6 +629,9 @@ def load(self, extension: str):
 
         :param extension: the name of the extension, as installed.
         """
+        if extension in self._loaded:
+            return
+
         try:
             import importlib.metadata
         except ImportError:
@@ -686,6 +690,7 @@ def load(self, extension: str):
 
         # Add to the extension list
         self.exts.append(ext)
+        self._loaded.append(extension)
 
         # If there are bash autocompletions, add them
         if ext.bash_completions:

scapy/layers/gssapi.py

@@ -455,6 +455,7 @@ def GSS_Init_sec_context(
         self,
         Context: CONTEXT,
         token=None,
+        target_name: Optional[str] = None,
         req_flags: Optional[GSS_C_FLAGS] = None,
         chan_bindings: GssChannelBindings = GSS_C_NO_CHANNEL_BINDINGS,
     ):

scapy/layers/http.py

@@ -942,6 +942,7 @@ def request(
                     self.sspcontext, token, status = self.ssp.GSS_Init_sec_context(
                         self.sspcontext,
                         ssp_blob,
+                        target_name="http/" + host,
                         req_flags=0,
                         chan_bindings=self.chan_bindings,
                     )

scapy/layers/kerberos.py

@@ -143,6 +143,12 @@
 from scapy.layers.smb2 import STATUS_ERREF
 from scapy.layers.x509 import X509_AlgorithmIdentifier
 
+# Redirect exports from RFC3961
+try:
+    from scapy.libs.rfc3961 import *  # noqa: F401,F403
+except ImportError:
+    pass
+
 # Typing imports
 from typing import (
     Optional,
@@ -4008,7 +4014,8 @@ class KerberosSSP(SSP):
 
     :param ST: the service ticket to use for access.
                If not provided, will be retrieved
-    :param SPN: the SPN of the service to use
+    :param SPN: the SPN of the service to use. If not provided, will use the
+                target_name provided in the GSS_Init_sec_context
     :param UPN: The client UPN
     :param DC_IP: (optional) is ST+KEY are not provided, will need to contact
                   the KDC at this IP. If not provided, will perform dc locator.
@@ -4506,6 +4513,7 @@ def GSS_Init_sec_context(
         self,
         Context: CONTEXT,
         token=None,
+        target_name: Optional[str] = None,
         req_flags: Optional[GSS_C_FLAGS] = None,
         chan_bindings: GssChannelBindings = GSS_C_NO_CHANNEL_BINDINGS,
     ):
@@ -4536,8 +4544,8 @@ def GSS_Init_sec_context(
             # Do we have a ST?
             if self.ST is None:
                 # Client sends an AP-req
-                if not self.SPN:
-                    raise ValueError("Missing SPN attribute")
+                if not self.SPN and not target_name:
+                    raise ValueError("Missing SPN/target_name attribute")
                 additional_tickets = []
                 if self.U2U:
                     try:
@@ -4559,7 +4567,7 @@ def GSS_Init_sec_context(
                     # Use TGT
                     res = krb_tgs_req(
                         upn=self.UPN,
-                        spn=self.SPN,
+                        spn=self.SPN or target_name,
                         ip=self.DC_IP,
                         sessionkey=self.KEY,
                         ticket=self.TGT,
@@ -4571,7 +4579,7 @@ def GSS_Init_sec_context(
                     # Ask for TGT then ST
                     res = krb_as_and_tgs(
                         upn=self.UPN,
-                        spn=self.SPN,
+                        spn=self.SPN or target_name,
                         ip=self.DC_IP,
                         key=self.KEY,
                         password=self.PASSWORD,

scapy/layers/ldap.py

@@ -1800,6 +1800,7 @@ def __init__(
         verb=True,
     ):
         self.sock = None
+        self.host = None
         self.verb = verb
         self.ssl = False
         self.sslcontext = None
@@ -1815,7 +1816,7 @@ def __init__(
 
     def connect(
         self,
-        ip,
+        host,
         port=None,
         use_ssl=False,
         sslcontext=None,
@@ -1826,7 +1827,7 @@ def connect(
         """
         Initiate a connection
 
-        :param ip: the IP or hostname to connect to.
+        :param host: the IP or hostname to connect to.
         :param port: the port to connect to. (Default: 389 or 636)
 
         :param use_ssl: whether to use LDAPS or not. (Default: False)
@@ -1844,17 +1845,18 @@ def connect(
                 port = 389
         sock = socket.socket()
         self.timeout = timeout
+        self.host = host
         sock.settimeout(timeout)
         if self.verb:
             print(
                 "\u2503 Connecting to %s on port %s%s..."
                 % (
-                    ip,
+                    host,
                     port,
                     " with SSL" if self.ssl else "",
                 )
             )
-        sock.connect((ip, port))
+        sock.connect((host, port))
         if self.verb:
             print(
                 conf.color_theme.green(
@@ -1872,7 +1874,7 @@ def connect(
                     context = ssl.create_default_context()
             else:
                 context = self.sslcontext
-            sock = context.wrap_socket(sock, server_hostname=sni or ip)
+            sock = context.wrap_socket(sock, server_hostname=sni or host)
         # Wrap the socket in a Scapy socket
         if self.ssl:
             self.sock = SSLStreamSocket(sock, LDAP)
@@ -2042,6 +2044,7 @@ def bind(
             # 2. First exchange: Negotiate
             self.sspcontext, token, status = self.ssp.GSS_Init_sec_context(
                 self.sspcontext,
+                target_name="ldap/" + self.host,
                 req_flags=(
                     GSS_C_FLAGS.GSS_C_REPLAY_FLAG
                     | GSS_C_FLAGS.GSS_C_SEQUENCE_FLAG
@@ -2068,6 +2071,7 @@ def bind(
             self.sspcontext, token, status = self.ssp.GSS_Init_sec_context(
                 self.sspcontext,
                 GSSAPI_BLOB(val),
+                target_name="ldap/" + self.host,
                 chan_bindings=self.chan_bindings,
             )
             resp = self.sr1(
@@ -2090,6 +2094,7 @@ def bind(
             # GSSAPI or SPNEGO
             self.sspcontext, token, status = self.ssp.GSS_Init_sec_context(
                 self.sspcontext,
+                target_name="ldap/" + self.host,
                 req_flags=(
                     # Required flags for GSSAPI: RFC4752 sect 3.1
                     GSS_C_FLAGS.GSS_C_REPLAY_FLAG
@@ -2122,6 +2127,7 @@ def bind(
                 self.sspcontext, token, status = self.ssp.GSS_Init_sec_context(
                     self.sspcontext,
                     GSSAPI_BLOB(val),
+                    target_name="ldap/" + self.host,
                     chan_bindings=self.chan_bindings,
                 )
         else:

scapy/layers/msrpce/msnrpc.py

@@ -475,7 +475,12 @@ def GSS_VerifyMICEx(self, Context, msgs, signature):
         self._unsecure(Context, msgs, signature, False)
 
     def GSS_Init_sec_context(
-        self, Context, token=None, req_flags: Optional[GSS_C_FLAGS] = None
+        self,
+        Context: CONTEXT,
+        token=None,
+        target_name: Optional[str] = None,
+        req_flags: Optional[GSS_C_FLAGS] = None,
+        chan_bindings: bytes = GSS_C_NO_CHANNEL_BINDINGS,
     ):
         if Context is None:
             Context = self.CONTEXT(True, req_flags=req_flags, AES=self.AES)

scapy/layers/msrpce/rpcclient.py

@@ -76,6 +76,7 @@ def __init__(self, transport, ndr64=False, ndrendian="little", verb=True, **kwar
         self.ndr64 = ndr64
         self.ndrendian = ndrendian
         self.verb = verb
+        self.host = None
         self.auth_level = kwargs.pop("auth_level", DCE_C_AUTHN_LEVEL.NONE)
         self.auth_context_id = kwargs.pop("auth_context_id", 0)
         self.ssp = kwargs.pop("ssp", None)  # type: SSP
@@ -100,7 +101,7 @@ def from_smblink(cls, smbcli, smb_kwargs={}, **kwargs):
         )
         return client
 
-    def connect(self, ip, port=None, timeout=5, smb_kwargs={}):
+    def connect(self, host, port=None, timeout=5, smb_kwargs={}):
         """
         Initiate a connection
         """
@@ -113,14 +114,15 @@ def connect(self, ip, port=None, timeout=5, smb_kwargs={}):
                 raise ValueError(
                     "Can't guess the port for transport: %s" % self.transport
                 )
+        self.host = host
         sock = socket.socket()
         sock.settimeout(timeout)
         if self.verb:
             print(
                 "\u2503 Connecting to %s on port %s via %s..."
-                % (ip, port, repr(self.transport))
+                % (host, port, repr(self.transport))
             )
-        sock.connect((ip, port))
+        sock.connect((host, port))
         if self.verb:
             print(
                 conf.color_theme.green(
@@ -313,6 +315,7 @@ def _bind(self, interface, reqcls, respcls):
                         else 0
                     )
                 ),
+                target_name="host/" + self.host,
             )
             if status not in [GSS_S_CONTINUE_NEEDED, GSS_S_COMPLETE]:
                 # Authentication failed.
@@ -349,6 +352,7 @@ def _bind(self, interface, reqcls, respcls):
                 self.sspcontext, token, status = self.ssp.GSS_Init_sec_context(
                     self.sspcontext,
                     token=resp.auth_verifier.auth_value,
+                    target_name="host/" + self.host,
                 )
             if status in [GSS_S_CONTINUE_NEEDED, GSS_S_COMPLETE]:
                 # Authentication should continue, in two ways:
@@ -390,6 +394,7 @@ def _bind(self, interface, reqcls, respcls):
                         self.sspcontext, token, status = self.ssp.GSS_Init_sec_context(
                             self.sspcontext,
                             token=resp.auth_verifier.auth_value,
+                            target_name="host/" + self.host,
                         )
         # Check context acceptance
         if (

scapy/layers/ntlm.py

@@ -1388,6 +1388,7 @@ def GSS_Init_sec_context(
         self,
         Context: CONTEXT,
         token=None,
+        target_name: Optional[str] = None,
         req_flags: Optional[GSS_C_FLAGS] = None,
         chan_bindings: GssChannelBindings = GSS_C_NO_CHANNEL_BINDINGS,
     ):

scapy/layers/smb2.py

@@ -1594,7 +1594,7 @@ def post_build(self, pkt, pay):
                 },
                 config=[
                     ("Offset", _NTLM_ENUM.OFFSET),
-                ]
+                ],
             )
             + pay
         )