Removing PyCrypto messages and replacing them with pycryptodomex

fortra · Sep 4, 2018 · 36d57e5 · 36d57e5 · alxchk · Sep 23, 2018
1 parent 6710253
commit 36d57e5
Show file tree

Hide file tree

Showing 13 changed files with 28 additions and 58 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -74,8 +74,6 @@ May 2015: 0.9.13:
       d. Ccache support, compatible with Kerberos utilities (kinit, klist, etc).
       e. Support for RC4, AES128_CTS_HMAC_SHA1_96 and AES256_CTS_HMAC_SHA1_96 ciphers.
       f. Support for RPC_C_AUTHN_LEVEL_PKT_PRIVACY/RPC_C_AUTHN_LEVEL_PKT_INTEGRITY.
-   * SMB3 encryption support. Pycrypto experimental version that supports
-     AES_CCM is required.
    * [MS-SAMR]: Supplemental Credentials support (used by secretsdump.py)
    * SMBSERVER improvements:
       a. SMB2 (2.002) dialect experimental support. 

diff --git a/README.md b/README.md
@@ -48,7 +48,7 @@ Requirements
    1. If you want to run the examples and you have Python < 2.7, you
       will need to install the `argparse` package for them to work.
    2. For Kerberos support you will need `pyasn1` package
-   3. For cryptographic operations you will need `pycrypto` package
+   3. For cryptographic operations you will need `pycryptodomex` package
    4. For some examples you will need `pyOpenSSL` (rdp_check.py) and ldap3 (ntlmrelayx.py)
    5. For ntlmrelayx.py you will also need `ldapdomaindump`, `flask` and `ldap3`
    6. If you're under Windows, you will need `pyReadline`

diff --git a/examples/mimikatz.py b/examples/mimikatz.py
@@ -29,8 +29,8 @@
 try:
     from Cryptodome.Cipher import ARC4
 except Exception:
-    logging.critical("Warning: You don't have any crypto installed. You need PyCrypto")
-    logging.critical("See http://www.pycrypto.org/")
+    logging.critical("Warning: You don't have any crypto installed. You need pycryptodomex")
+    logging.critical("See https://pypi.org/project/pycryptodomex/")
 
 # If you wanna have readline like functionality in Windows, install pyreadline
 try:

diff --git a/examples/smbrelayx.py b/examples/smbrelayx.py
@@ -73,8 +73,8 @@
 try:
  from Cryptodome.Cipher import DES, AES, ARC4
 except Exception:
-    logging.critical("Warning: You don't have any crypto installed. You need PyCrypto")
-    logging.critical("See http://www.pycrypto.org/")
+    logging.critical("Warning: You don't have any crypto installed. You need pycryptodomex")
+    logging.critical("See https://pypi.org/project/pycryptodomex/")
 
 # Global Variables
 # This is the list of hosts that have been attacked already in case -one-shot was chosen

diff --git a/impacket/crypto.py b/impacket/crypto.py
@@ -22,8 +22,8 @@
 try:
     from Cryptodome.Cipher import DES, AES, ARC4
 except Exception:
-    LOG.error("Warning: You don't have any crypto installed. You need PyCrypto")
-    LOG.error("See http://www.pycrypto.org/")
+    LOG.error("Warning: You don't have any crypto installed. You need pycryptodomex")
+    LOG.error("See https://pypi.org/project/pycryptodomex/")
 from struct import pack, unpack
 from impacket.structure import Structure
 import hmac, hashlib

diff --git a/impacket/dcerpc/v5/drsuapi.py b/impacket/dcerpc/v5/drsuapi.py
@@ -36,8 +36,8 @@
 try:
     from Cryptodome.Cipher import ARC4, DES
 except Exception:
-    LOG.critical("Warning: You don't have any crypto installed. You need PyCrypto")
-    LOG.critical("See http://www.pycrypto.org/")
+    LOG.critical("Warning: You don't have any crypto installed. You need pycryptodomex")
+    LOG.critical("See https://pypi.org/project/pycryptodomex/")
 
 MSRPC_UUID_DRSUAPI = uuidtup_to_bin(('E3514235-4B06-11D1-AB04-00C04FC2DCD2','4.0'))
 

diff --git a/impacket/dcerpc/v5/nrpc.py b/impacket/dcerpc/v5/nrpc.py
@@ -35,8 +35,8 @@
 try:
     from Cryptodome.Cipher import DES, AES, ARC4
 except Exception:
-    LOG.critical("Warning: You don't have any crypto installed. You need PyCrypto")
-    LOG.critical("See http://www.pycrypto.org/")
+    LOG.critical("Warning: You don't have any crypto installed. You need pycryptodomex")
+    LOG.critical("See https://pypi.org/project/pycryptodomex/")
 
 MSRPC_UUID_NRPC = uuidtup_to_bin(('12345678-1234-ABCD-EF00-01234567CFFB', '1.0'))
 

diff --git a/impacket/dcerpc/v5/samr.py b/impacket/dcerpc/v5/samr.py
@@ -2756,8 +2756,8 @@ def hSamrUnicodeChangePasswordUser2(dce, serverName='\x00', userName='', oldPass
     try:
         from Cryptodome.Cipher import ARC4
     except Exception:
-        LOG.critical("Warning: You don't have any crypto installed. You need PyCrypto")
-        LOG.critical("See http://www.pycrypto.org/")
+        LOG.critical("Warning: You don't have any crypto installed. You need pycryptodomex")
+        LOG.critical("See https://pypi.org/project/pycryptodomex/")
     from impacket import crypto, ntlm
 
     if oldPwdHashLM == '' and oldPwdHashNT == '':

diff --git a/impacket/examples/secretsdump.py b/impacket/examples/secretsdump.py
@@ -77,8 +77,8 @@
     from Cryptodome.Cipher import DES, ARC4, AES
     from Cryptodome.Hash import HMAC, MD4
 except ImportError:
-    LOG.critical("Warning: You don't have any crypto installed. You need PyCrypto")
-    LOG.critical("See http://www.pycrypto.org/")
+    LOG.critical("Warning: You don't have any crypto installed. You need pycryptodomex")
+    LOG.critical("See https://pypi.org/project/pycryptodomex/")
 
 
 # Structures

diff --git a/impacket/ntlm.py b/impacket/ntlm.py
@@ -43,8 +43,8 @@ def computeResponse(flags, serverChallenge, clientChallenge, serverName, domain,
     from Cryptodome.Cipher import DES
     from Cryptodome.Hash import MD4
 except Exception:
-    LOG.critical("Warning: You don't have any crypto installed. You need PyCrypto")
-    LOG.critical("See http://www.pycrypto.org/")
+    LOG.critical("Warning: You don't have any crypto installed. You need pycryptodomex")
+    LOG.critical("See https://pypi.org/project/pycryptodomex/")
 
 NTLM_AUTH_NONE          = 1
 NTLM_AUTH_CONNECT       = 2

diff --git a/impacket/smb3.py b/impacket/smb3.py
@@ -33,6 +33,7 @@
 from binascii import a2b_hex
 from contextlib import contextmanager
 from pyasn1.type.univ import noValue
+from Cryptodome.Cipher import AES
 
 from impacket import nmb, ntlm, uuid, crypto, LOG
 from impacket.smb3structs import *
@@ -367,12 +368,6 @@ def sendSMB(self, packet):
             transformHeader['OriginalMessageSize'] = len(plainText)
             transformHeader['EncryptionAlgorithm'] = SMB2_ENCRYPTION_AES128_CCM
             transformHeader['SessionID'] = self._Session['SessionID'] 
-            from Cryptodome.Cipher import AES
-            try: 
-                AES.MODE_CCM
-            except:
-                LOG.critical("Your pycrypto doesn't support AES.MODE_CCM. Currently only pycrypto experimental supports this mode.\nDownload it from https://www.dlitz.net/software/pycrypto ")
-                raise
             cipher = AES.new(self._Session['EncryptionKey'], AES.MODE_CCM,  transformHeader['Nonce'])
             cipher.update(str(transformHeader)[20:])
             cipherText = cipher.encrypt(plainText)
@@ -392,12 +387,6 @@ def recvSMB(self, packetID = None):
         if data.get_trailer().startswith('\xfdSMB'):
             # Packet is encrypted
             transformHeader = SMB2_TRANSFORM_HEADER(data.get_trailer())
-            from Cryptodome.Cipher import AES
-            try: 
-                AES.MODE_CCM
-            except:
-                LOG.critical("Your pycrypto doesn't support AES.MODE_CCM. Currently only pycrypto experimental supports this mode.\nDownload it from https://www.dlitz.net/software/pycrypto ")
-                raise 
             cipher = AES.new(self._Session['DecryptionKey'], AES.MODE_CCM,  transformHeader['Nonce'][:11])
             cipher.update(str(transformHeader)[20:])
             plainText = cipher.decrypt(data.get_trailer()[len(SMB2_TRANSFORM_HEADER()):])
@@ -419,12 +408,6 @@ def recvSMB(self, packetID = None):
                 else:
                     # Packet is encrypted
                     transformHeader = SMB2_TRANSFORM_HEADER(data.get_trailer())
-                    from Cryptodome.Cipher import AES
-                    try: 
-                        AES.MODE_CCM
-                    except:
-                        LOG.critical("Your pycrypto doesn't support AES.MODE_CCM. Currently only pycrypto experimental supports this mode.\nDownload it from https://www.dlitz.net/software/pycrypto ")
-                        raise 
                     cipher = AES.new(self._Session['DecryptionKey'], AES.MODE_CCM,  transformHeader['Nonce'][:11])
                     cipher.update(str(transformHeader)[20:])
                     plainText = cipher.decrypt(data.get_trailer()[len(SMB2_TRANSFORM_HEADER()):])
@@ -665,13 +648,7 @@ def kerberosLogin(self, user, password, domain = '', lmhash = '', nthash = '', a
                 self._Session['SigningActivated'] = True
             if self._Connection['Dialect'] == SMB2_DIALECT_30:
                 # SMB 3.0. Encryption should be available. Let's enforce it if we have AES CCM available
-                from Cryptodome.Cipher import AES
-                try:
-                    AES.MODE_CCM
-                    self._Session['SessionFlags'] |= SMB2_SESSION_FLAG_ENCRYPT_DATA
-                except:
-                    LOG.debug(
-                        "Your pycrypto doesn't support AES.MODE_CCM. Currently only pycrypto experimental supports this mode.\nDownload it from https://www.dlitz.net/software/pycrypto")
+                self._Session['SessionFlags'] |= SMB2_SESSION_FLAG_ENCRYPT_DATA
                 self._Session['ApplicationKey']  = crypto.KDF_CounterMode(self._Session['SessionKey'], "SMB2APP\x00", "SmbRpc\x00", 128)
                 self._Session['EncryptionKey']   = crypto.KDF_CounterMode(self._Session['SessionKey'], "SMB2AESCCM\x00", "ServerIn \x00", 128)
                 self._Session['DecryptionKey']   = crypto.KDF_CounterMode(self._Session['SessionKey'], "SMB2AESCCM\x00", "ServerOut\x00", 128)
@@ -815,12 +792,7 @@ def login(self, user, password, domain = '', lmhash = '', nthash = ''):
                         self._Session['SigningActivated'] = True
                     if self._Connection['Dialect'] == SMB2_DIALECT_30:
                         # SMB 3.0. Encryption should be available. Let's enforce it if we have AES CCM available
-                        from Cryptodome.Cipher import AES
-                        try:
-                            AES.MODE_CCM
-                            self._Session['SessionFlags'] |= SMB2_SESSION_FLAG_ENCRYPT_DATA
-                        except:
-                            LOG.debug("Your pycrypto doesn't support AES.MODE_CCM. Currently only pycrypto experimental supports this mode.\nDownload it from https://www.dlitz.net/software/pycrypto")
+                        self._Session['SessionFlags'] |= SMB2_SESSION_FLAG_ENCRYPT_DATA
                         self._Session['ApplicationKey']  = crypto.KDF_CounterMode(exportedSessionKey, "SMB2APP\x00", "SmbRpc\x00", 128)
                         self._Session['EncryptionKey']   = crypto.KDF_CounterMode(exportedSessionKey, "SMB2AESCCM\x00", "ServerIn \x00", 128)
                         self._Session['DecryptionKey']   = crypto.KDF_CounterMode(exportedSessionKey, "SMB2AESCCM\x00", "ServerOut\x00", 128)

diff --git a/tests/SMB_RPC/test_nrpc.py b/tests/SMB_RPC/test_nrpc.py
@@ -561,8 +561,8 @@ def test_NetrLogonSamLogonEx(self):
         try:
             from Cryptodome.Cipher import ARC4
         except Exception:
-            print "Warning: You don't have any crypto installed. You need PyCrypto"
-            print "See http://www.pycrypto.org/"
+            print("Warning: You don't have any crypto installed. You need pycryptodomex")
+            print("See https://pypi.org/project/pycryptodomex/")
 
         rc4 = ARC4.new(self.sessionKey)
         lmhash = rc4.encrypt(lmhash)
@@ -598,8 +598,8 @@ def test_NetrLogonSamLogonWithFlags(self):
         try:
             from Cryptodome.Cipher import ARC4
         except Exception:
-            print "Warning: You don't have any crypto installed. You need PyCrypto"
-            print "See http://www.pycrypto.org/"
+            print("Warning: You don't have any crypto installed. You need pycryptodomex")
+            print("See https://pypi.org/project/pycryptodomex/")
 
         rc4 = ARC4.new(self.sessionKey)
         lmhash = rc4.encrypt(lmhash)

diff --git a/tests/SMB_RPC/test_samr.py b/tests/SMB_RPC/test_samr.py
@@ -2690,8 +2690,8 @@ def test_SamrOemChangePasswordUser2(self):
         try:
             from Cryptodome.Cipher import ARC4
         except Exception:
-            print "Warning: You don't have any crypto installed. You need PyCrypto"
-            print "See http://www.pycrypto.org/"
+            print("Warning: You don't have any crypto installed. You need pycryptodomex")
+            print("See https://pypi.org/project/pycryptodomex/")
 
         from impacket import crypto
         request = samr.SamrOemChangePasswordUser2()
@@ -2757,8 +2757,8 @@ def test_SamrUnicodeChangePasswordUser2(self):
         try:
             from Cryptodome.Cipher import ARC4
         except Exception:
-            print "Warning: You don't have any crypto installed. You need PyCrypto"
-            print "See http://www.pycrypto.org/"
+            print("Warning: You don't have any crypto installed. You need pycryptodomex")
+            print("See https://pypi.org/project/pycryptodomex/")
 
         from impacket import crypto
         request = samr.SamrUnicodeChangePasswordUser2()