
add option to statically configure SSP challenge #418

Merged
merged 1 commit into from
Nov 16, 2022

Conversation

@spameier (Contributor) commented Nov 6, 2022

@obilodeau, is that what you mean in #405? If yes, this fixes #405.

@obilodeau (Collaborator) left a comment


This looks great! Thanks!

Two minor suggestions, otherwise it seems good to go!

Did you test it? I'm wondering by how much this is really going to improve cracking speed. Eager to try it out.

"""
Create a new NLA Handler.
sink: layer to forward packets to.
state: NTLMSSPState that is shared between both the client-facing handler and the server-facing handler.
"""
print("init calld")
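Review bot: the docstring in this hunk documents sink and state but not the statically configured challenge this PR introduces (the self.challenge attribute used further down); add a line to the docstring describing that option so the handler's constructor is fully documented.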
Collaborator:

Suggestion to remove the debugging statement

Suggested change
print("init calld")

"""
challenge = b'%016x' % secrets.randbits(16 * 4)
if self.challenge == None:
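Review bot: in this hunk the random value is drawn with secrets.randbits(16 * 4) before the self.challenge check, so it is computed and thrown away whenever a static challenge is configured; moving the draw into the branch that runs when self.challenge is None, and writing the width as secrets.randbits(64) with a comment that the NTLM server challenge is 8 bytes (the 16 hex digits that %016x formats), would make the intent of the 16 * 4 obvious to the next reader.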
Collaborator:

I believe this None check should use is

Suggested change
if self.challenge == None:
if self.challenge is None:

@obilodeau obilodeau added the enhancement New feature or request label Nov 15, 2022
@obilodeau obilodeau added this to the v1.2.0 milestone Nov 15, 2022
@spameier (Contributor, Author)

Sure thing. This cannot work when I overwrite the raw challenge with the PDU and then try to use it later again (it worked before renaming randomChallenge). Now it works:

bin/pyrdp-mitm.py:15: DeprecationWarning: There is no current event loop
  asyncioreactor.install(asyncio.get_event_loop())
[2022-11-16 07:35:45,707] - INFO - GLOBAL - pyrdp.mitm - Target: 192.168.254.12:3389
[2022-11-16 07:35:45,708] - INFO - GLOBAL - pyrdp.mitm - Output directory: /home/user/pyrdp-ssp/pyrdp_output
[2022-11-16 07:35:45,712] - INFO - GLOBAL - pyrdp - MITM Server listening on 0.0.0.0:3389
[2022-11-16 07:35:51,642] - INFO - Emma428026 - pyrdp.mitm.connections.tcp - New client connected from 192.168.254.107:4898
[2022-11-16 07:35:51,646] - INFO - Emma428026 - pyrdp.mitm.connections.x224 - Cookie: mstshash=PYRDP-CLI
[2022-11-16 07:35:51,652] - INFO - Emma428026 - pyrdp.mitm.connections.tcp - Server connected
[2022-11-16 07:35:51,669] - INFO - Emma428026 - pyrdp.mitm.connections.x224 - Server requires CredSSP/NLA and we are not configured to support it. Attempting to capture client's NTLM hashes.
[2022-11-16 07:35:51,687] - INFO - Emma428026 - pyrdp.mitm.connections.x224 - Cookie: mstshash=PYRDP-CLI
[2022-11-16 07:35:51,702] - INFO - Emma428026 - pyrdp.mitm.connections.tcp - Server connected
[2022-11-16 07:35:52,726] - INFO - Emma428026 - pyrdp.mitm.connections.cert - Using cached certificate for pyrdp-server.pyrdp.local
CLIENT_RANDOM 637484cb603ffffd2bb18ed2d7978e675836a6aba355a55120199eb18d59d8ef 5f52c26db3deb6259d9cf90b79d2e082ebb3daa8bd4470aa213d39a69ab4465bd80321c28897199fec03d300fa714bce
[2022-11-16 07:35:55,190] - INFO - Emma428026 - pyrdp.mitm.connections.ntlmssp - [!] NTLMSSP Hash: Administrator::PYRDP-CLIENT:1122334455667788:ab409a03ba70669655136d4272f6c09b:0101000000000000d974f1ad85f9d8019f279d48aca5656d0000000002000a00570049004e004e00540001000a00570049004e004e00540004000a00570049004e004e00540003000a00570049004e004e00540005000a00570049004e004e00540008003000300000000000000000000000002000003ff85b2c9f7f9d79d32a0e2655fb0a431cb6fdd1b225feb60e1cd9253d0c57320a00100000000000000000000000000000000000090034005400450052004d005300520056002f00700079007200640070002d007300650072007600650072002e006c006f00630061006c000000000000000000
[2022-11-16 07:35:55,194] - INFO - Emma428026 - pyrdp.mitm.connections.tcp - Client connection closed. Connection to the other side was lost in a non-clean fashion: Connection lost.
[2022-11-16 07:35:55,195] - INFO - Emma428026 - pyrdp.mitm.connections.tcp - Connection report: report: 1.0, connectionTime: 3.551517963409424, totalInput: 0, totalOutput: 0, replayFilename: rdp_replay_20221116_07-35-51_639_Emma428026.pyrdp
[2022-11-16 07:35:58,860] - INFO - Peggy600554 - pyrdp.mitm.connections.tcp - New client connected from 192.168.254.107:4899
[2022-11-16 07:35:58,862] - INFO - Peggy600554 - pyrdp.mitm.connections.x224 - Cookie: mstshash=PYRDP-CLI
[2022-11-16 07:35:58,865] - INFO - Peggy600554 - pyrdp.mitm.connections.tcp - Server connected
[2022-11-16 07:35:58,876] - INFO - Peggy600554 - pyrdp.mitm.connections.x224 - Server requires CredSSP/NLA and we are not configured to support it. Attempting to capture client's NTLM hashes.
[2022-11-16 07:35:58,877] - INFO - Peggy600554 - pyrdp.mitm.connections.x224 - Cookie: mstshash=PYRDP-CLI
[2022-11-16 07:35:58,883] - INFO - Peggy600554 - pyrdp.mitm.connections.tcp - Server connected
[2022-11-16 07:35:59,902] - INFO - Peggy600554 - pyrdp.mitm.connections.cert - Using cached certificate for pyrdp-server.pyrdp.local
CLIENT_RANDOM 637484cf90ed6495e2c0aa1d42d9fe3ce03d42f8c95181b2df4b497a9a584aa7 fc16d4f90f2a807ced4357c39c4f1cbe5facb82a84bc65682f0c133fd08c4adbfc3d6a1de982f337fa0ba56f7c38f0e6
[2022-11-16 07:35:59,923] - INFO - Peggy600554 - pyrdp.mitm.connections.ntlmssp - [!] NTLMSSP Hash: Administrator::PYRDP-CLIENT:1122334455667788:fdf2a977cd0d200e165a8f763299a9bf:010100000000000027dcc3b085f9d801688bc78ec2a7128d0000000002000a00570049004e004e00540001000a00570049004e004e00540004000a00570049004e004e00540003000a00570049004e004e00540005000a00570049004e004e00540008003000300000000000000000000000002000003ff85b2c9f7f9d79d32a0e2655fb0a431cb6fdd1b225feb60e1cd9253d0c57320a00100000000000000000000000000000000000090034005400450052004d005300520056002f00700079007200640070002d007300650072007600650072002e006c006f00630061006c000000000000000000
[2022-11-16 07:35:59,927] - INFO - Peggy600554 - pyrdp.mitm.connections.tcp - Client connection closed. Connection to the other side was lost in a non-clean fashion: Connection lost.
[2022-11-16 07:35:59,928] - INFO - Peggy600554 - pyrdp.mitm.connections.tcp - Connection report: report: 1.0, connectionTime: 1.0668704509735107, totalInput: 0, totalOutput: 0, replayFilename: rdp_replay_20221116_07-35-58_860_Peggy600554.pyrdp
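A defender-side companion to the test output above, added here as an example (it is not PyRDP's code): it reads the two "NTLMSSP Hash:" lines from that run, decodes the NTLMv2 response blob (timestamp, client challenge and the AV_PAIR list, so the SPN the client believed it was authenticating to becomes visible), and flags captures whose server challenge is a known fixed value or recurs across sessions, something a genuine server's fresh 64-bit random challenge is vanishingly unlikely to do. The hashcat-style `user::domain:challenge:proof:blob` layout is taken from the log lines themselves; `KNOWN_STATIC_CHALLENGES`, `analyse` and the other names are this example's own, and the known-challenge set is seeded only with the value from the run above.

```python
"""
Spot a static NetNTLMv2 server challenge in captured "NTLMSSP Hash:" log lines.

Added example for this PR's discussion; it is not PyRDP code. A genuine server
draws a fresh random 8-byte challenge per authentication, so the same server
challenge appearing in two sessions, or a well-known fixed value, is a strong
sign that a capture tool sat in the middle of the RDP connection.
"""
import re
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone

# Sample input: the two NTLMSSP hash lines from the test run in the PR comment.
SAMPLE_LOG = """\
[2022-11-16 07:35:55,190] - INFO - Emma428026 - pyrdp.mitm.connections.ntlmssp - [!] NTLMSSP Hash: Administrator::PYRDP-CLIENT:1122334455667788:ab409a03ba70669655136d4272f6c09b:0101000000000000d974f1ad85f9d8019f279d48aca5656d0000000002000a00570049004e004e00540001000a00570049004e004e00540004000a00570049004e004e00540003000a00570049004e004e00540005000a00570049004e004e00540008003000300000000000000000000000002000003ff85b2c9f7f9d79d32a0e2655fb0a431cb6fdd1b225feb60e1cd9253d0c57320a00100000000000000000000000000000000000090034005400450052004d005300520056002f00700079007200640070002d007300650072007600650072002e006c006f00630061006c000000000000000000
[2022-11-16 07:35:59,923] - INFO - Peggy600554 - pyrdp.mitm.connections.ntlmssp - [!] NTLMSSP Hash: Administrator::PYRDP-CLIENT:1122334455667788:fdf2a977cd0d200e165a8f763299a9bf:010100000000000027dcc3b085f9d801688bc78ec2a7128d0000000002000a00570049004e004e00540001000a00570049004e004e00540004000a00570049004e004e00540003000a00570049004e004e00540005000a00570049004e004e00540008003000300000000000000000000000002000003ff85b2c9f7f9d79d32a0e2655fb0a431cb6fdd1b225feb60e1cd9253d0c57320a00100000000000000000000000000000000000090034005400450052004d005300520056002f00700079007200640070002d007300650072007600650072002e006c006f00630061006c000000000000000000
"""

HASH_RE = re.compile(r"NTLMSSP Hash: (\S+)")

# Fixed challenges known from capture tooling; seeded with the value from the run
# above (example set, extend it from your own observations).
KNOWN_STATIC_CHALLENGES = {"1122334455667788"}

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# MS-NLMP AV_PAIR ids; the string-valued ones are UTF-16LE.
AV_NAMES = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName",
            4: "DnsDomainName", 5: "DnsTreeName", 6: "Flags", 7: "Timestamp",
            8: "SingleHost", 9: "TargetName", 10: "ChannelBindings"}
AV_STRINGS = {1, 2, 3, 4, 5, 9}


def parse_av_pairs(data: bytes) -> dict:
    """Walk the AV_PAIR list (AvId u16 LE, AvLen u16 LE, value) up to MsvAvEOL."""
    pairs, off = {}, 0
    while off + 4 <= len(data):
        av_id, av_len = struct.unpack_from("<HH", data, off)
        off += 4
        if av_id == 0:  # MsvAvEOL terminates the list
            break
        value = data[off:off + av_len]
        off += av_len
        name = AV_NAMES.get(av_id, f"Av{av_id}")
        pairs[name] = (value.decode("utf-16-le", errors="replace")
                       if av_id in AV_STRINGS else value.hex())
    return pairs


def parse_netntlmv2(hashline: str) -> dict:
    """Split user::domain:serverchallenge:ntproofstr:blob and decode the blob."""
    user, _, domain, server_challenge, nt_proof, blob_hex = hashline.split(":")
    blob = bytes.fromhex(blob_hex)
    if blob[:2] != b"\x01\x01":  # NTLMv2_CLIENT_CHALLENGE RespType / HiRespType
        raise ValueError("not an NTLMv2 response blob")
    # Offsets: 8 = TimeStamp (FILETIME, 100 ns units), 16 = ChallengeFromClient,
    # 24 = 4 reserved bytes, 28 = start of the AV_PAIR list.
    filetime, client_challenge = struct.unpack_from("<Q8s", blob, 8)
    return {
        "user": user,
        "domain": domain,
        "server_challenge": server_challenge.lower(),
        "nt_proof": nt_proof,
        "timestamp": FILETIME_EPOCH + timedelta(microseconds=filetime // 10),
        "client_challenge": client_challenge.hex(),
        "av_pairs": parse_av_pairs(blob[28:]),
    }


def analyse(log_text: str) -> list:
    """Return one finding per captured hash, with the reasons it looks staged."""
    records = [parse_netntlmv2(m.group(1)) for m in HASH_RE.finditer(log_text)]
    seen = Counter(r["server_challenge"] for r in records)
    findings = []
    for r in records:
        reasons = []
        if r["server_challenge"] in KNOWN_STATIC_CHALLENGES:
            reasons.append("known static challenge")
        if seen[r["server_challenge"]] > 1:
            reasons.append("server challenge reused across sessions")
        findings.append({**r, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f['domain']}\\{f['user']} challenge={f['server_challenge']} "
              f"at {f['timestamp']:%Y-%m-%d %H:%M:%S}Z "
              f"spn={f['av_pairs'].get('TargetName')} flags={f['reasons']}")
```

Running the file prints one line per capture; `analyse` returns the same records, so the check can be wired into a log pipeline instead. The decoded `TargetName` pair holds the SPN the client was targeting (here TERMSRV/pyrdp-server.local), which is worth comparing against the host the session actually reached, and both captures above are flagged twice: once for the known fixed value and once because the challenge repeats between the two sessions.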

@obilodeau obilodeau merged commit ce8ce7e into GoSecure:master Nov 16, 2022
@obilodeau (Collaborator)

Thanks for your contribution!

@spameier spameier deleted the ssp-challenge branch November 18, 2022 17:20
Successfully merging this pull request may close these issues.

Allow the configuration of a hardcoded NetNTLM challenge