| skipped 133 lines |
134 | 134 | | else: |
135 | 135 | | return True |
136 | 136 | | |
| 137 | + | def ParseCTX1Hash(data): |
| 138 | + | def decrypt(ct): |
| 139 | + | pt = '' |
| 140 | + | last = 0 |
| 141 | + | for i in range(0, len(ct), 4): |
| 142 | + | pc = dec_letter(ct[i:i+4], last) |
| 143 | + | pt += pc |
| 144 | + | last ^= ord(pc) |
| 145 | + | return pt |
| 146 | + | |
| 147 | + | def dec_letter(ct, last=0): |
| 148 | + | c = (ord(ct[2]) - 1) & 0x0f |
| 149 | + | d = (ord(ct[3]) - 1) & 0x0f |
| 150 | + | x = c*16+d |
| 151 | + | pc = chr(x^last) |
| 152 | + | return pc |
| 153 | + | |
| 154 | + | x = re.sub('[^A-P]', '', data.upper()) |
| 155 | + | return str(decrypt(x)) |
| 156 | + | |
137 | 157 | | def ParseNTLMHash(data,Challenge): |
138 | 158 | | PacketLen = len(data) |
139 | 159 | | if PacketLen > 0: |
| skipped 202 lines |
342 | 362 | | NTLMSSP1 = re.findall('NTLMSSP\x00\x01\x00\x00\x00.*[^EOF]*', decoded['data']) |
343 | 363 | | NTLMSSP2 = re.findall('NTLMSSP\x00\x02\x00\x00\x00.*[^EOF]*', decoded['data']) |
344 | 364 | | NTLMSSP3 = re.findall('NTLMSSP\x00\x03\x00\x00\x00.*[^EOF]*', decoded['data'],re.DOTALL) |
| 365 | + | |
| 366 | + | CTX1_USR = re.findall('<UserName>(.*?)</UserName><Password encoding="ctx1">', decoded['data']) |
| 367 | + | CTX1_PWD = re.findall('<Password encoding="ctx1">(.*?)</Password>', decoded['data']) |
| 368 | + | |
| 369 | + | if CTX1_USR and CTX1_PWD: |
| 370 | + | HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort) |
| 371 | + | try: |
| 372 | + | CTX1_USR = CTX1_USR[0] |
| 373 | + | CTX1_PWD = ParseCTX1Hash(CTX1_PWD[0]) |
| 374 | + | CTX1_CREDS = CTX1_USR + ':' + CTX1_PWD |
| 375 | + | Message = 'Found CTX1 encoded password: %s\n'%CTX1_CREDS |
| 376 | + | print HeadMessage + '\n' + Message |
| 377 | + | except: |
| 378 | + | pass |
| 379 | + | |
345 | 380 | | if activate_cc: |
346 | 381 | | CCMatch = re.findall('.{30}[^\d][3456][0-9]{3}[\s-]*[0-9]{4}[\s-]*[0-9]{4}[\s-]*[0-9]{4}[^\d]', decoded['data'],re.DOTALL) |
347 | 382 | | CC = re.findall('[^\d][456][0-9]{3}[\s-]*[0-9]{4}[\s-]*[0-9]{4}[\s-]*[0-9]{4}[^\d]', decoded['data']) |
| skipped 354 lines |
702 | 737 | | except: |
703 | 738 | | raise |
704 | 739 | | |
| 740 | + | |
| 741 | + | |
705 | 742 | | Run() |
706 | 743 | | |
707 | | - | |
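Review bot: The `except: pass` around the CTX1 branch (new lines 377–378) hides every failure from `ParseCTX1Hash`, and one is easy to hit: `decrypt` steps through the filtered string four characters at a time, so when its length is not a multiple of 4 the last slice is short and `ct[2]`/`ct[3]` in `dec_letter` raise IndexError. A truncated or oddly padded `<Password encoding="ctx1">` value is then dropped with no output at all, and under Python 2 the bare clause also catches KeyboardInterrupt. I would narrow the handler to `except IndexError:` and print a short "malformed CTX1 value" line, or have `decrypt` iterate only up to `len(ct) - len(ct) % 4`. Because the function recovers the plaintext rather than hashing anything, a one-line docstring such as `"""Decode a CTX1-encoded password; the encoding is reversible, not a hash."""` would keep the name from misleading readers. The rendering has lost indentation, so I am assuming `decrypt` and `dec_letter` are nested inside `ParseCTX1Hash`.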