bugfix in SEALKEY()
NtAlexio2 committed Sep 13, 2024
1 parent db53482 commit d72a96e
Showing 1 changed file with 28 additions and 22 deletions.
50 changes: 28 additions & 22 deletions impacket/ntlm.py
@@ -836,30 +836,36 @@ def SIGNKEY(flags, randomSessionKey, mode = 'Client'):
signKey = None
return signKey

def SEALKEY(flags, randomSessionKey, mode = 'Client'):
if flags & NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY:
if flags & NTLMSSP_NEGOTIATE_128:
sealKey = randomSessionKey
elif flags & NTLMSSP_NEGOTIATE_56:
sealKey = randomSessionKey[:7]
else:
sealKey = randomSessionKey[:5]

if mode == 'Client':
md5 = hashlib.new('md5')
md5.update(sealKey + b'session key to client-to-server sealing key magic constant\x00')
sealKey = md5.digest()
else:
md5 = hashlib.new('md5')
md5.update(sealKey + b'session key to server-to-client sealing key magic constant\x00')
sealKey = md5.digest()
def SEALKEY(flags, randomSessionKey, mode="Client", revision=VERSION.NTLMSSP_REVISION_W2K3):
if flags & NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY:
if flags & NTLMSSP_NEGOTIATE_128:
sealKey = randomSessionKey
elif flags & NTLMSSP_NEGOTIATE_56:
sealKey = randomSessionKey[:7]
else:
sealKey = randomSessionKey[:5]

elif flags & NTLMSSP_NEGOTIATE_56:
sealKey = randomSessionKey[:7] + b'\xa0'
else:
sealKey = randomSessionKey[:5] + b'\xe5\x38\xb0'
if mode == "Client":
md5 = hashlib.new("md5")
md5.update(sealKey + b"session key to client-to-server sealing key magic constant\x00")
sealKey = md5.digest()
else:
md5 = hashlib.new("md5")
md5.update(sealKey + b"session key to server-to-client sealing key magic constant\x00")
sealKey = md5.digest()

elif (flags & NTLMSSP_NEGOTIATE_LM_KEY) or (
flags & NTLMSSP_NEGOTIATE_DATAGRAM
and revision >= VERSION.NTLMSSP_REVISION_W2K3
):
if flags & NTLMSSP_NEGOTIATE_56:
sealKey = randomSessionKey[:7] + b"\xa0"
else:
sealKey = randomSessionKey[:5] + b"\xe5\x38\xb0"
else:
sealKey = randomSessionKey

return sealKey
return sealKey


def generateEncryptedSessionKey(keyExchangeKey, exportedSessionKey):
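Review bot: The new `revision` parameter of `SEALKEY` defaults to `VERSION.NTLMSSP_REVISION_W2K3`, so for any caller that does not pass it the `revision >= VERSION.NTLMSSP_REVISION_W2K3` test in the new `elif` is always true and the datagram branch depends on the flag alone. The callers are outside this hunk, so whether any of them supplies the negotiated revision cannot be confirmed from here. The final `else` now returns the full `randomSessionKey`, where the old code always truncated to 40 or 56 bits when extended session security was off. That changes the derived sealing key for peers that negotiate neither `NTLMSSP_NEGOTIATE_LM_KEY` nor `NTLMSSP_NEGOTIATE_DATAGRAM`, so a known-answer regression test for each branch would be worth adding with this fix. I would also add a docstring such as `"""Derive the NTLM sealing key from the negotiated flags (MS-NLMP 3.4.5.3, SEALKEY)."""` and a short comment that `b"\xa0"` and `b"\xe5\x38\xb0"` are the fixed bytes appended to the truncated 56-bit and 40-bit keys.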