Last active
November 2, 2024 11:55
-
-
Save khr0x40sh/747de1195bbe19f752e5f02dc22fce01 to your computer and use it in GitHub Desktop.
Random Session Key calculator based off of data from a packet capture
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
import hashlib | |
import hmac | |
import argparse | |
#stolen from impacket. Thank you all for your wonderful contributions to the community | |
try: | |
from Cryptodome.Cipher import ARC4 | |
from Cryptodome.Cipher import DES | |
from Cryptodome.Hash import MD4 | |
except Exception: | |
LOG.critical("Warning: You don't have any crypto installed. You need pycryptodomex") | |
LOG.critical("See https://pypi.org/project/pycryptodomex/") | |
def generateEncryptedSessionKey(keyExchangeKey, exportedSessionKey): | |
cipher = ARC4.new(keyExchangeKey) | |
cipher_encrypt = cipher.encrypt | |
sessionKey = cipher_encrypt(exportedSessionKey) | |
return sessionKey | |
### | |
parser = argparse.ArgumentParser(description="Calculate the Random Session Key based on data from a PCAP (maybe).") | |
parser.add_argument("-u","--user",required=True,help="User name") | |
parser.add_argument("-d","--domain",required=True, help="Domain name") | |
parser.add_argument("-p","--password",required=True,help="Password of User") | |
parser.add_argument("-n","--ntproofstr",required=True,help="NTProofStr. This can be found in PCAP (provide Hex Stream)") | |
parser.add_argument("-k","--key",required=True,help="Encrypted Session Key. This can be found in PCAP (provide Hex Stream)") | |
parser.add_argument("-v", "--verbose", action="store_true", help="increase output verbosity") | |
args = parser.parse_args() | |
#Upper Case User and Domain | |
user = str(args.user).upper().encode('utf-16le') | |
domain = str(args.domain).upper().encode('utf-16le') | |
#Create 'NTLM' Hash of password | |
passw = args.password.encode('utf-16le') | |
hash1 = hashlib.new('md4', passw) | |
password = hash1.digest() | |
#Calculate the ResponseNTKey | |
h = hmac.new(password, digestmod=hashlib.md5) | |
h.update(user+domain) | |
respNTKey = h.digest() | |
#Use NTProofSTR and ResponseNTKey to calculate Key Excahnge Key | |
NTproofStr = args.ntproofstr.decode('hex') | |
h = hmac.new(respNTKey, digestmod=hashlib.md5) | |
h.update(NTproofStr) | |
KeyExchKey = h.digest() | |
#Calculate the Random Session Key by decrypting Encrypted Session Key with Key Exchange Key via RC4 | |
RsessKey = generateEncryptedSessionKey(KeyExchKey,args.key.decode('hex')) | |
if args.verbose: | |
print "USER WORK: " + user + "" + domain | |
print "PASS HASH: " + password.encode('hex') | |
print "RESP NT: " + respNTKey.encode('hex') | |
print "NT PROOF: " + NTproofStr.encode('hex') | |
print "KeyExKey: " + KeyExchKey.encode('hex') | |
print "Random SK: " + RsessKey.encode('hex') |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Thank you for this! I'm throwing my hat in the ring.
I've made a fork of this for Python3 which is interactive; if you don't specify the parameters, it should ask you for the values.
My forked version will check to see if pycryptodomex is installed, and if not, it will install it.
It will also accept NTML hashes directly as well as passwords.
Please feel free to check it out!
https://gist.github.com/cicero343/b8eac1a5e5ac46d15ac8dee805388fc4