Random Session Key calculator based on data from a packet capture
#!/usr/bin/env python3 | |
import argparse
import binascii
import hashlib
import hmac
import logging
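# stolen from impacket. Thank you all for your wonderful contributions to the community
LOG = logging.getLogger(__name__)
try:
    from Cryptodome.Cipher import ARC4
    from Cryptodome.Cipher import DES
    from Cryptodome.Hash import MD4
except ImportError:
    # Best-effort warning only: the script keeps going, and any later step that
    # needs one of these names fails with a NameError if the package really is
    # absent. (The original called LOG.critical without ever defining LOG, so a
    # missing pycryptodomex surfaced as a NameError instead of this message.)
    LOG.critical("Warning: You don't have any crypto installed. You need pycryptodomex")
    LOG.critical("See https://pypi.org/project/pycryptodomex/")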
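def _rc4(key, data):
    """Pure-Python RC4 (key-scheduling + keystream), used only when pycryptodomex is absent.

    Args:
        key: 1..256 key bytes (NTLM uses a 16-byte KeyExchangeKey).
        data: bytes to XOR with the keystream.

    Returns:
        ``bytes`` of the same length as *data*.

    Raises:
        ValueError: if *key* is empty.
    """
    if not key:
        raise ValueError("RC4 key must not be empty")
    state = list(range(256))
    key_len = len(key)
    j = 0
    for i in range(256):
        j = (j + state[i] + key[i % key_len]) & 0xFF
        state[i], state[j] = state[j], state[i]
    out = bytearray(len(data))
    i = j = 0
    for pos, byte in enumerate(data):
        i = (i + 1) & 0xFF
        j = (j + state[i]) & 0xFF
        state[i], state[j] = state[j], state[i]
        out[pos] = byte ^ state[(state[i] + state[j]) & 0xFF]
    return bytes(out)


def generateEncryptedSessionKey(keyExchangeKey, exportedSessionKey):
    """Apply RC4 keyed with *keyExchangeKey* to *exportedSessionKey*.

    RC4 is symmetric, so the same operation both produces the
    EncryptedRandomSessionKey from the ExportedSessionKey and, as this script
    uses it, recovers the ExportedSessionKey from the value seen on the wire.

    Args:
        keyExchangeKey: RC4 key bytes (the NTLM KeyExchangeKey).
        exportedSessionKey: bytes to transform.

    Returns:
        The RC4 output as ``bytes``.

    Raises:
        ValueError: if *keyExchangeKey* has an unusable length.
    """
    try:
        cipher = ARC4.new(keyExchangeKey)
    except NameError:
        # pycryptodomex is not installed (the import block above only logs a
        # warning); the pure-Python RC4 keeps the script usable.
        return _rc4(keyExchangeKey, exportedSessionKey)
    return cipher.encrypt(exportedSessionKey)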
###
# Command-line interface. Every value is either known to the analyst
# (credentials) or copied from the capture as a hex stream.
parser = argparse.ArgumentParser(
    description="Calculate the Random Session Key based on data from a PCAP (maybe)."
)
_REQUIRED_OPTIONS = (
    ("-u", "--user", "User name"),
    ("-d", "--domain", "Domain name"),
    ("-p", "--password", "Password of User"),
    ("-n", "--ntproofstr", "NTProofStr. This can be found in PCAP (provide Hex Stream)"),
    ("-k", "--key", "Encrypted Session Key. This can be found in PCAP (provide Hex Stream)"),
)
for short_flag, long_flag, help_text in _REQUIRED_OPTIONS:
    parser.add_argument(short_flag, long_flag, required=True, help=help_text)
parser.add_argument("-v", "--verbose", action="store_true", help="increase output verbosity")
args = parser.parse_args()
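# Upper-case user and domain, encoded UTF-16LE as NTOWFv2 hashes them.
# NOTE(review): MS-NLMP's NTOWFv2 upper-cases only the user name; the domain
# is hashed exactly as it appears in the AUTHENTICATE message. That value is
# usually already upper-case, so this works in practice -- if the derived key
# does not match, retry with the domain string verbatim from the capture.
user = args.user.upper().encode('utf-16le')
domain = args.domain.upper().encode('utf-16le')


def _nt_hash(plaintext):
    """Return the NT hash (MD4 over the UTF-16LE password) as bytes.

    hashlib only exposes MD4 when the underlying OpenSSL build provides it
    (OpenSSL 3 moved it to the optional "legacy" provider, so ``hashlib.new``
    raises ValueError there); fall back to the pycryptodomex MD4 that the
    import block at the top tries to load.
    """
    data = plaintext.encode('utf-16le')
    try:
        return hashlib.new('md4', data).digest()
    except ValueError:
        # A NameError here means pycryptodomex is missing as well.
        return MD4.new(data).digest()


def _hex_arg(value, name):
    """Decode a hex-stream CLI argument, turning bad input into a usage error."""
    try:
        return binascii.unhexlify(value)
    except binascii.Error as exc:
        parser.error("%s: expected a hex stream (%s)" % (name, exc))


# Create the 'NTLM' (NT) hash of the password.
password = _nt_hash(args.password)
# ResponseKeyNT = HMAC-MD5(NT hash, UPPER(user) + domain).
respNTKey = hmac.new(password, user + domain, hashlib.md5).digest()
# For NTLMv2 the session base key HMAC-MD5(ResponseKeyNT, NTProofStr) is also
# the Key Exchange Key.
NTproofStr = _hex_arg(args.ntproofstr, "--ntproofstr")
KeyExchKey = hmac.new(respNTKey, NTproofStr, hashlib.md5).digest()
# Recover the Random Session Key: RC4 is symmetric, so "encrypting" the
# Encrypted Session Key from the capture with the Key Exchange Key yields it.
RsessKey = generateEncryptedSessionKey(KeyExchKey, _hex_arg(args.key, "--key"))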
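if args.verbose:
    # user/domain are UTF-16LE bytes; decode with the same codec (the original
    # decoded them as UTF-8, which interleaved NUL bytes into the output).
    # Verbose output includes the NT hash, so treat saved console output as
    # credential material.
    print("USER+DOMAIN: " + user.decode('utf-16le') + domain.decode('utf-16le'))
    print("PASS HASH: " + password.hex())
    print("RESP NT: " + respNTKey.hex())
    print("NT PROOF: " + NTproofStr.hex())
    print("KeyExKey: " + KeyExchKey.hex())
# The recovered key is the script's actual result, printed regardless of -v.
print('Random SK:', RsessKey.hex())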