# encoding: UTF-8
=begin

BETTERCAP

Author : Simone 'evilsocket' Margaritelli
Email  : evilsocket@gmail.com
Blog   : https://www.evilsocket.net/

This project is released under the GPL 3 license.

=end

module BetterCap
module Network
module Protos
module NTLM

# https://msdn.microsoft.com/en-us/library/ee441774.aspx
# https://developer.gnome.org/evolution-exchange/stable/ximian-connector-ntlm.html
#
# Fixed-layout description of an NTLMSSP message embedded in an SMB packet:
# a NetBIOS session header, the SMB header, a run of parameter words whose
# names match the SMB_COM_SESSION_SETUP_ANDX request, and finally the NTLMSSP
# structure itself. Fields are declared through the DSL inherited from
# Network::Protos::Base, so the order of the declarations below is the layout;
# do not reorder them.
#
# Every length and offset field here is read from the packet being parsed and
# is therefore untrusted input.
# NOTE(review): what happens when a :size exceeds the remaining data, or when
# a :check value does not match, is decided by Network::Protos::Base, which is
# not visible here - confirm it fails closed rather than reading short.
class Packet < Network::Protos::Base
  # NetBIOS session header: one type byte followed by a 3-byte length.
  uint8  :netbios_message_type
  bytes  :netbios_length, :size => 3

  # SMB header. :check carries the expected magic value for the field
  # (presumably Base rejects the packet on mismatch - confirm).
  string :smb_protocol, :size => 4, :check => "\xFFSMB"
  uint8  :smb_command
  uint32 :smb_status
  uint8  :smb_flags
  uint16 :smb_flags2
  uint16 :smb_pid_high
  bytes  :smb_signature, :size => 8
  uint16 :smb_reserved
  uint16 :smb_tid
  uint16 :smb_pid_low
  uint16 :smb_uid
  uint16 :smb_mid

  # Session-setup parameter block.
  # NOTE(review): smb_command and word_count are parsed but not validated in
  # this class, so the layout is applied to whatever SMB command arrives.
  uint8  :word_count
  uint8  :and_x_command
  uint8  :reserved
  uint16 :and_x_offset
  uint16 :max_buffer
  uint16 :max_mpx_count
  uint16 :vc_number
  uint32 :session_key
  uint16 :security_blob_length
  uint32 :reserved_2
  uint32 :capabilities
  uint16 :byte_count

  # Twelve bytes skipped between byte_count and the NTLMSSP signature.
  # NOTE(review): purpose is not shown here; presumably the security-blob
  # wrapper that precedes the NTLMSSP message. That wrapper is not fixed-size
  # in general, so a constant 12 would only match some senders - confirm.
  bytes  :dummy, :size => 12

  # NTLMSSP signature and message type (see is_auth? for the type checked).
  string :protocol, :size => 8, :check => "NTLMSSP\x00"
  uint32 :type

  # Six buffer descriptors, each a (length, max length, offset) triple, for
  # the LM response, NT response, domain, user, host and session key.
  # NOTE(review): the *_off values are parsed but nothing in this class reads
  # them; the payload fields further down are located by declaration order
  # instead. NTLM locates each buffer by its offset, so a message whose
  # payload is laid out in a different order would presumably be mis-decoded.
  uint16 :lm_resp_len
  uint16 :lm_resp_max_len
  uint32 :lm_resp_off

  uint16 :nt_resp_len
  uint16 :nt_resp_max_len
  uint32 :nt_resp_off

  uint16 :dom_resp_len
  uint16 :dom_resp_max_len
  uint32 :dom_resp_off

  uint16 :user_resp_len
  uint16 :user_resp_max_len
  uint32 :user_resp_off

  uint16 :host_resp_len
  uint16 :host_resp_max_len
  uint32 :host_resp_off

  uint16 :session_resp_len
  uint16 :session_resp_max_len
  uint32 :session_resp_off

  uint32 :flags

  # Variable-length payload. Each :size names one of the *_len fields parsed
  # above (presumably Base resolves the symbol to that field's value), so
  # these sizes are sender-controlled.
  bytes  :lm_response,      :size => :lm_resp_len
  bytes  :ntlm_response,    :size => :nt_resp_len
  string :domain_name,      :size => :dom_resp_len
  string :user_name,        :size => :user_resp_len
  string :host_name,        :size => :host_resp_len
  bytes  :session_key_resp, :size => :session_resp_len

  # True when the parsed NTLMSSP message type is 3 (the authenticate message,
  # the one that carries the user name and the challenge responses).
  def is_auth?
    self.type == 0x03 # NTLMSSP_AUTH
  end
end

end
end
end
end