Python 2 parse ntlm message
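def parseNtlmMsg(msg):
    """Return the name AV pairs from the TargetInfo block of an NTLM message.

    The TargetInfo descriptor is read from bytes 40..47 of ``msg``: a 2-byte
    length at +0 and a 4-byte buffer offset at +4, both little-endian.
    NOTE(review): that position matches the TargetInfoFields of an NTLM
    CHALLENGE (type 2) message; the signature and message type are not
    checked here, so the caller has to make sure it passes that message type.

    ``msg`` is normally supplied by a remote peer, so every length and offset
    in it is untrusted. Inconsistent values are rejected instead of being
    parsed into partial results.

    Args:
        msg: the raw message as a byte string (``str`` on Python 2).

    Returns:
        An ``OrderedDict`` keyed by 'MsvAvNbComputerName', 'MsvAvNbDomainName',
        'MsvAvDnsComputerName' and 'MsvAvDnsDomainName' (only those present),
        in the order they occur. Each value is the raw AV value with NUL bytes
        removed.

    Raises:
        ValueError: if the message is too short to hold the descriptor, the
            TargetInfo buffer lies outside the message, or an AV pair is
            truncated.
    """
    # The listing shows no module-level import for OrderedDict; importing it
    # here keeps the function usable on its own.
    from collections import OrderedDict

    def decode_int(byte_string):
        # Little-endian unsigned integer. bytearray() yields ints for both a
        # Python 2 str and a Python 3 bytes object.
        value = 0
        for octet in reversed(bytearray(byte_string)):
            value = (value << 8) | octet
        return value

    def decode_string(byte_string):
        # NOTE(review): the values are presumably UTF-16LE; dropping NUL bytes
        # only recovers names made of ASCII characters. Confirm before relying
        # on this for non-ASCII host or domain names.
        return byte_string.replace(b'\x00', b'')

    if len(msg) < 48:
        raise ValueError('NTLM message too short to contain TargetInfo fields')

    target_info_fields = msg[40:48]
    target_info_len = decode_int(target_info_fields[0:2])
    target_info_offset = decode_int(target_info_fields[4:8])
    # A slice past the end would silently come back shorter than declared.
    if target_info_offset + target_info_len > len(msg):
        raise ValueError('TargetInfo buffer extends past the end of the message')
    target_info_bytes = msg[target_info_offset:target_info_offset + target_info_len]

    MsvAvEOL = 0x0000
    av_names = {
        0x0001: 'MsvAvNbComputerName',
        0x0002: 'MsvAvNbDomainName',
        0x0003: 'MsvAvDnsComputerName',
        0x0004: 'MsvAvDnsDomainName',
    }

    target_info = OrderedDict()
    total = len(target_info_bytes)
    info_offset = 0
    while info_offset < total:
        if total - info_offset < 4:
            raise ValueError('truncated AV pair header in TargetInfo')
        av_id = decode_int(target_info_bytes[info_offset:info_offset + 2])
        av_len = decode_int(target_info_bytes[info_offset + 2:info_offset + 4])
        if av_id == MsvAvEOL:
            # End-of-list terminator: anything after it is not an AV pair and
            # must not be interpreted as one.
            break
        value_start = info_offset + 4
        value_end = value_start + av_len
        if value_end > total:
            raise ValueError('AV pair length exceeds the TargetInfo buffer')
        name = av_names.get(av_id)
        if name is not None:
            target_info[name] = decode_string(target_info_bytes[value_start:value_end])
        # Unknown AV ids are skipped using their declared length.
        info_offset = value_end
    return target_info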