If target server supports SMB >= 3, encrypt packets by default.

* Unless pycrypto experimental is not installed :(
fortra · Mar 21, 2017 · f62fc5c · f62fc5c
1 parent b7c35ec
commit f62fc5c
Showing 1 changed file with 16 additions and 1 deletion.
diff --git a/impacket/smb3.py b/impacket/smb3.py
@@ -364,7 +364,7 @@ def sendSMB(self, packet):
                 AES.MODE_CCM
             except:
                 LOG.critical("Your pycrypto doesn't support AES.MODE_CCM. Currently only pycrypto experimental supports this mode.\nDownload it from https://www.dlitz.net/software/pycrypto ")
-                raise 
+                raise
             cipher = AES.new(self._Session['EncryptionKey'], AES.MODE_CCM,  transformHeader['Nonce'])
             cipher.update(str(transformHeader)[20:])
             cipherText = cipher.encrypt(plainText)
@@ -656,6 +656,14 @@ def kerberosLogin(self, user, password, domain = '', lmhash = '', nthash = '', a
             if self._Session['SigningRequired'] is True:
                 self._Session['SigningActivated'] = True
             if self._Connection['Dialect'] == SMB2_DIALECT_30:
+                # SMB 3.0. Encryption should be available. Let's enforce it if we have AES CCM available
+                from Crypto.Cipher import AES
+                try:
+                    AES.MODE_CCM
+                    self._Session['SessionFlags'] |= SMB2_SESSION_FLAG_ENCRYPT_DATA
+                except:
+                    LOG.debug(
+                        "Your pycrypto doesn't support AES.MODE_CCM. Currently only pycrypto experimental supports this mode.\nDownload it from https://www.dlitz.net/software/pycrypto")
                 self._Session['ApplicationKey']  = crypto.KDF_CounterMode(self._Session['SessionKey'], "SMB2APP\x00", "SmbRpc\x00", 128)
                 self._Session['EncryptionKey']   = crypto.KDF_CounterMode(self._Session['SessionKey'], "SMB2AESCCM\x00", "ServerIn \x00", 128)
                 self._Session['DecryptionKey']   = crypto.KDF_CounterMode(self._Session['SessionKey'], "SMB2AESCCM\x00", "ServerOut\x00", 128)
@@ -797,6 +805,13 @@ def login(self, user, password, domain = '', lmhash = '', nthash = ''):
                     if self._Session['SigningRequired'] is True:
                         self._Session['SigningActivated'] = True
                     if self._Connection['Dialect'] == SMB2_DIALECT_30:
+                        # SMB 3.0. Encryption should be available. Let's enforce it if we have AES CCM available
+                        from Crypto.Cipher import AES
+                        try:
+                            AES.MODE_CCM
+                            self._Session['SessionFlags'] |= SMB2_SESSION_FLAG_ENCRYPT_DATA
+                        except:
+                            LOG.debug("Your pycrypto doesn't support AES.MODE_CCM. Currently only pycrypto experimental supports this mode.\nDownload it from https://www.dlitz.net/software/pycrypto")
                         self._Session['ApplicationKey']  = crypto.KDF_CounterMode(exportedSessionKey, "SMB2APP\x00", "SmbRpc\x00", 128)
                         self._Session['EncryptionKey']   = crypto.KDF_CounterMode(exportedSessionKey, "SMB2AESCCM\x00", "ServerIn \x00", 128)
                         self._Session['DecryptionKey']   = crypto.KDF_CounterMode(exportedSessionKey, "SMB2AESCCM\x00", "ServerOut\x00", 128)