From 9679d6ba1d29a8cfb827f9bde181b16867fdde07 Mon Sep 17 00:00:00 2001
From: Cauan
Date: Tue, 1 Oct 2024 19:46:05 +1000
Subject: [PATCH 1/2] Update httprelayserver.py

- re-encode username and domain utf-16le encode authenticateMessage['domain_name', 'user_name'] when ascii encoded to improve compatibility with other such as outputToJohnFormat which is generating output files with wrong encoding.
---
 .../ntlmrelayx/servers/httprelayserver.py | 26 +++++++++----------
 1 file changed, 13 insertions(+), 13 deletions(-)

diff --git a/impacket/examples/ntlmrelayx/servers/httprelayserver.py b/impacket/examples/ntlmrelayx/servers/httprelayserver.py
index 78f3dd1a12..19c8a4f52a 100644
--- a/impacket/examples/ntlmrelayx/servers/httprelayserver.py
+++ b/impacket/examples/ntlmrelayx/servers/httprelayserver.py
@@ -361,12 +361,12 @@ def do_local_auth(self, messageType, token, proxy):
 authenticateMessage = ntlm.NTLMAuthChallengeResponse()
 authenticateMessage.fromString(token)
 
- if authenticateMessage['flags'] & ntlm.NTLMSSP_NEGOTIATE_UNICODE:
- self.authUser = ('%s/%s' % (authenticateMessage['domain_name'].decode('utf-16le'),
- authenticateMessage['user_name'].decode('utf-16le'))).upper()
- else:
- self.authUser = ('%s/%s' % (authenticateMessage['domain_name'].decode('ascii'),
- authenticateMessage['user_name'].decode('ascii'))).upper()
+ if not (authenticateMessage['flags'] & ntlm.NTLMSSP_NEGOTIATE_UNICODE):
+ authenticateMessage['domain_name'] = authenticateMessage['domain_name'].decode('ascii').encode('utf-16le')
+ authenticateMessage['user_name'] = authenticateMessage['user_name'].decode('ascii').encode('utf-16le')
+
+ self.authUser = ('%s/%s' % (authenticateMessage['domain_name'].decode('utf-16le'),
+ authenticateMessage['user_name'].decode('utf-16le'))).upper()
 
 self.target = self.server.config.target.getTarget(identity = self.authUser)
 if self.target is None:
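Review bot: The two `.decode('ascii')` calls on the added lines raise `UnicodeDecodeError` on any non-ASCII byte in `domain_name` or `user_name`, and those bytes come straight from the client's AUTHENTICATE message; without NTLMSSP_NEGOTIATE_UNICODE NTLM carries the names in the OEM code page, so a name with one high byte is legal on the wire and will unwind this handler. The old code had the same decode in its `else` branch, but the rewrite makes it the only path for non-Unicode clients and it now sits ahead of the `getTarget` lookup, so this is the place to make it defensive rather than let the exception propagate out of `do_local_auth`. Catch `UnicodeDecodeError`, log it with `LOG.error`, and leave the handler the same way the `self.target is None` branch below does; that branch's body is outside the hunk, so the exact bail-out form is not visible here.
```python
            if not (authenticateMessage['flags'] & ntlm.NTLMSSP_NEGOTIATE_UNICODE):
                # Non-Unicode clients send OEM-code-page bytes, which need not be ASCII,
                # so a bad byte in a client-supplied name must not tear down the handler.
                try:
                    authenticateMessage['domain_name'] = authenticateMessage['domain_name'].decode('ascii').encode('utf-16le')
                    authenticateMessage['user_name'] = authenticateMessage['user_name'].decode('ascii').encode('utf-16le')
                except UnicodeDecodeError:
                    LOG.error('Non-ASCII domain/user name in OEM-encoded AUTHENTICATE message, rejecting')
                    # ... bail out the same way the "self.target is None" branch below does ...
            # ... unchanged: self.authUser assignment, getTarget lookup ...
```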
@@ -441,13 +441,13 @@ def do_relay(self, messageType, token, proxy, content = None):
 authenticateMessage.fromString(token)
 
 if self.server.config.disableMulti:
- if authenticateMessage['flags'] & ntlm.NTLMSSP_NEGOTIATE_UNICODE:
- self.authUser = ('%s/%s' % (authenticateMessage['domain_name'].decode('utf-16le'),
- authenticateMessage['user_name'].decode('utf-16le'))).upper()
- else:
- self.authUser = ('%s/%s' % (authenticateMessage['domain_name'].decode('ascii'),
- authenticateMessage['user_name'].decode('ascii'))).upper()
-
+ if not (authenticateMessage['flags'] & ntlm.NTLMSSP_NEGOTIATE_UNICODE):
+ authenticateMessage['domain_name'] = authenticateMessage['domain_name'].decode('ascii').encode('utf-16le')
+ authenticateMessage['user_name'] = authenticateMessage['user_name'].decode('ascii').encode('utf-16le')
+
+ self.authUser = ('%s/%s' % (authenticateMessage['domain_name'].decode('utf-16le'),
+ authenticateMessage['user_name'].decode('utf-16le'))).upper()
+
 target = '%s://%s@%s' % (self.target.scheme, self.authUser.replace("/", '\\'), self.target.netloc)
 
 if not self.do_ntlm_auth(token, authenticateMessage):

From 78ffd7f7ad35abb12f18550f472bc14cf5519702 Mon Sep 17 00:00:00 2001
From: Cauan
Date: Wed, 2 Oct 2024 15:25:59 +1000
Subject: [PATCH 2/2] Update httprelayserver.py

Code fix to work with taget file.
---
 .../ntlmrelayx/servers/httprelayserver.py | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)

diff --git a/impacket/examples/ntlmrelayx/servers/httprelayserver.py b/impacket/examples/ntlmrelayx/servers/httprelayserver.py
index 19c8a4f52a..e58f6c47d1 100644
--- a/impacket/examples/ntlmrelayx/servers/httprelayserver.py
+++ b/impacket/examples/ntlmrelayx/servers/httprelayserver.py
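Review bot: The re-encoded `authenticateMessage` is handed to `self.do_ntlm_auth(token, authenticateMessage)` on the last line of the hunk with its `domain_name`/`user_name` now UTF-16LE but `flags` still without NTLMSSP_NEGOTIATE_UNICODE, so the object no longer describes itself consistently and no longer matches the raw `token` it was parsed from. If `do_ntlm_auth` or anything it calls (outside the hunk) picks the decoding from `flags`, re-serialises the message, or checks the MIC against the struct rather than `token`, a non-Unicode client will now fail or be mis-attributed; that cannot be seen from here and needs confirming before merge. If the downstream code only needs the display form, the lower-risk shape is to leave the struct untouched and hand the re-encoded strings to the hash-output path explicitly; if it really must be mutated, pin the invariant on the re-encode lines with `# NOTE: names are UTF-16LE from here on even though 'flags' lacks NEGOTIATE_UNICODE; decode with 'utf-16le', never from flags` so the old flag-driven decode does not creep back in.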
@@ -366,7 +366,7 @@ def do_local_auth(self, messageType, token, proxy):
 authenticateMessage['user_name'] = authenticateMessage['user_name'].decode('ascii').encode('utf-16le')
 
 self.authUser = ('%s/%s' % (authenticateMessage['domain_name'].decode('utf-16le'),
- authenticateMessage['user_name'].decode('utf-16le'))).upper()
+ authenticateMessage['user_name'].decode('utf-16le'))).upper()
 
 self.target = self.server.config.target.getTarget(identity = self.authUser)
 if self.target is None:
@@ -440,15 +440,14 @@ def do_relay(self, messageType, token, proxy, content = None):
 authenticateMessage = ntlm.NTLMAuthChallengeResponse()
 authenticateMessage.fromString(token)
 
- if self.server.config.disableMulti:
- if not (authenticateMessage['flags'] & ntlm.NTLMSSP_NEGOTIATE_UNICODE):
- authenticateMessage['domain_name'] = authenticateMessage['domain_name'].decode('ascii').encode('utf-16le')
- authenticateMessage['user_name'] = authenticateMessage['user_name'].decode('ascii').encode('utf-16le')
+ if not (authenticateMessage['flags'] & ntlm.NTLMSSP_NEGOTIATE_UNICODE):
+ authenticateMessage['domain_name'] = authenticateMessage['domain_name'].decode('ascii').encode('utf-16le')
+ authenticateMessage['user_name'] = authenticateMessage['user_name'].decode('ascii').encode('utf-16le')
 
- self.authUser = ('%s/%s' % (authenticateMessage['domain_name'].decode('utf-16le'),
- authenticateMessage['user_name'].decode('utf-16le'))).upper()
-
- target = '%s://%s@%s' % (self.target.scheme, self.authUser.replace("/", '\\'), self.target.netloc)
+ self.authUser = ('%s/%s' % (authenticateMessage['domain_name'].decode('utf-16le'),
+ authenticateMessage['user_name'].decode('utf-16le'))).upper()
+
+ target = '%s://%s@%s' % (self.target.scheme, self.authUser.replace("/", '\\'), self.target.netloc)
 
 if not self.do_ntlm_auth(token, authenticateMessage):
 LOG.error("Authenticating against %s://%s as %s FAILED" % (self.target.scheme, self.target.netloc,
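Review bot: The six re-encode/`self.authUser` lines on the new side of the second hunk are now a verbatim copy of the block in `do_local_auth`, and the first commit in this series already let the two copies drift (the whitespace fix in the first hunk of this patch is exactly that drift), so the identity derivation should live in one place. A small `_get_auth_user(authenticateMessage)` method on the class, called as `self.authUser = self._get_auth_user(authenticateMessage)` from both sites, keeps the two paths agreeing on encoding, case-folding and the `/` separator that `target` later rewrites to `\\`. Dropping the `if self.server.config.disableMulti:` guard also means `self.authUser` is now unconditionally overwritten from the AUTHENTICATE message in `do_relay`; that is the value `target` is built from, so it looks right, but if the multi-relay path previously set `self.authUser` somewhere else that is not visible here and worth confirming. `do_relay` continues past the end of the hunk.
```python
    def _get_auth_user(self, authenticateMessage):
        """Return 'DOMAIN/USER' (upper-cased) from a parsed AUTHENTICATE message.

        Names sent without NTLMSSP_NEGOTIATE_UNICODE are re-encoded to UTF-16LE
        in place so later consumers see a single encoding.
        """
        if not (authenticateMessage['flags'] & ntlm.NTLMSSP_NEGOTIATE_UNICODE):
            authenticateMessage['domain_name'] = authenticateMessage['domain_name'].decode('ascii').encode('utf-16le')
            authenticateMessage['user_name'] = authenticateMessage['user_name'].decode('ascii').encode('utf-16le')
        return ('%s/%s' % (authenticateMessage['domain_name'].decode('utf-16le'),
                           authenticateMessage['user_name'].decode('utf-16le'))).upper()

            # ... in do_relay, replacing the six re-encode/authUser lines ...
            self.authUser = self._get_auth_user(authenticateMessage)
            target = '%s://%s@%s' % (self.target.scheme, self.authUser.replace("/", '\\'), self.target.netloc)
```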