From d72a96e14aad7919afdb0c7aa8148917fece2560 Mon Sep 17 00:00:00 2001
From: NtAlexio2
Date: Fri, 13 Sep 2024 19:05:48 -0400
Subject: [PATCH] bugfix in SEALKEY()

---
 impacket/ntlm.py | 50 +++++++++++++++++++++++++++---------------------
 1 file changed, 28 insertions(+), 22 deletions(-)

diff --git a/impacket/ntlm.py b/impacket/ntlm.py
index 94f2e458b6..4769dc6146 100644
--- a/impacket/ntlm.py
+++ b/impacket/ntlm.py
@@ -836,30 +836,36 @@ def SIGNKEY(flags, randomSessionKey, mode = 'Client'):
 signKey = None
 return signKey
 
-def SEALKEY(flags, randomSessionKey, mode = 'Client'):
- if flags & NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY:
- if flags & NTLMSSP_NEGOTIATE_128:
- sealKey = randomSessionKey
- elif flags & NTLMSSP_NEGOTIATE_56:
- sealKey = randomSessionKey[:7]
- else:
- sealKey = randomSessionKey[:5]
-
- if mode == 'Client':
- md5 = hashlib.new('md5')
- md5.update(sealKey + b'session key to client-to-server sealing key magic constant\x00')
- sealKey = md5.digest()
- else:
- md5 = hashlib.new('md5')
- md5.update(sealKey + b'session key to server-to-client sealing key magic constant\x00')
- sealKey = md5.digest()
+def SEALKEY(flags, randomSessionKey, mode="Client", revision=VERSION.NTLMSSP_REVISION_W2K3):
+ if flags & NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY:
+ if flags & NTLMSSP_NEGOTIATE_128:
+ sealKey = randomSessionKey
+ elif flags & NTLMSSP_NEGOTIATE_56:
+ sealKey = randomSessionKey[:7]
+ else:
+ sealKey = randomSessionKey[:5]
 
- elif flags & NTLMSSP_NEGOTIATE_56:
- sealKey = randomSessionKey[:7] + b'\xa0'
- else:
- sealKey = randomSessionKey[:5] + b'\xe5\x38\xb0'
+ if mode == "Client":
+ md5 = hashlib.new("md5")
+ md5.update(sealKey + b"session key to client-to-server sealing key magic constant\x00")
+ sealKey = md5.digest()
+ else:
+ md5 = hashlib.new("md5")
+ md5.update(sealKey + b"session key to server-to-client sealing key magic constant\x00")
+ sealKey = md5.digest()
+
+ elif (flags & NTLMSSP_NEGOTIATE_LM_KEY) or (
+ flags & NTLMSSP_NEGOTIATE_DATAGRAM
+ and revision >= VERSION.NTLMSSP_REVISION_W2K3
+ ):
+ if flags & NTLMSSP_NEGOTIATE_56:
+ sealKey = randomSessionKey[:7] + b"\xa0"
+ else:
+ sealKey = randomSessionKey[:5] + b"\xe5\x38\xb0"
+ else:
+ sealKey = randomSessionKey
 
- return sealKey
+ return sealKey
 
 
 def generateEncryptedSessionKey(keyExchangeKey, exportedSessionKey):
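Review bot: The new `revision` parameter defaults to `VERSION.NTLMSSP_REVISION_W2K3`, which is also the threshold in `revision >= VERSION.NTLMSSP_REVISION_W2K3`, so for any caller that does not pass it the comparison is always true and the `elif` reduces to "LM_KEY or DATAGRAM". This patch shows only this one hunk, so no call site appears to supply the negotiated revision; either pass it from the callers or say so at the signature, e.g. `# revision: NTLM revision in use; the default already satisfies the W2K3 check, pass the negotiated value for older peers`. The final `else` also changes what existing callers get: with none of extended session security, LM_KEY or DATAGRAM negotiated, the function now returns the full `randomSessionKey` where it previously returned the padded 40- or 56-bit key, so a test pinning the seal key for each flag combination would guard this derivation against regressions. The quote-style rewrite of the otherwise unchanged first branch makes the functional change harder to isolate; keeping it in a separate commit would make the key-derivation fix easier to audit.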