librex 0.0.12 → 0.0.13

data/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb

@@ -63,6 +63,7 @@ class Console::CommandDispatcher::Core
 			"migrate"    => "Migrate the server to another process",
 			"use"        => "Load a one or more meterpreter extensions",
 			"quit"       => "Terminate the meterpreter session",
+			"resource"   => "Run the commands stored in a file",
 			"read"       => "Reads data from a channel",
 			"run"        => "Executes a meterpreter script or Post module",
 			"bgrun"      => "Executes a meterpreter script as a background thread",
@@ -598,6 +599,49 @@ class Console::CommandDispatcher::Core
 		return true
 	end
 
+	def cmd_resource_tabs(str, words)
+		return [] if words.length > 1
+
+		tab_complete_filenames(str, words)
+	end
+	
+	def cmd_resource(*args)
+		if args.empty?
+			print(
+				"Usage: resource path1 path2" +
+				  "Run the commands stored in the supplied files.\n")
+			return false
+		end
+		args.each do |glob|
+			files = ::Dir.glob(::File.expand_path(glob))
+			if files.empty?
+				print_error("No such file #{glob}")
+				next
+			end
+			files.each do |filename|
+				print_status("Reading #{filename}")
+				if (not ::File.readable?(filename))
+					print_error("Could not read file #{filename}")
+					next
+				else
+					::File.open(filename, "r").each_line do |line|
+						next if line.strip.length < 1
+						next if line[0,1] == "#"
+						begin
+							print_status("Running #{line}")
+							client.console.run_single(line)
+						rescue ::Exception => e
+							print_error("Error Running Command #{line}: #{e.class} #{e}")
+						end
+
+					end
+				end
+			end
+		end
+	end
+
+
+
 	@@client_extension_search_paths = [ ::File.join(Rex::Root, "post", "meterpreter", "ui", "console", "command_dispatcher") ]
 
 	def self.add_client_extension_search_path(path)

data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb

@@ -457,8 +457,8 @@ class Console::CommandDispatcher::Stdapi::Sys
 	#
 	def cmd_sysinfo(*args)
 		info = client.sys.config.sysinfo
-		width = 0
-		info.keys.each { |k| width = k.length if k.length > width }
+		width = "Meterpreter".length
+		info.keys.each { |k| width = k.length if k.length > width and info[k] }
 
 		info.each_pair do |key, value|
 			print_line("#{key.ljust(width+1)}: #{value}") if value

data/lib/rex/proto/dhcp/server.rb

@@ -1,4 +1,4 @@
-# $Id: server.rb 11745 2011-02-12 22:25:02Z jduck $
+# $Id: server.rb 12030 2011-03-20 00:33:02Z scriptjunkie $
 
 require 'rex/socket'
 require 'rex/proto/dhcp'
@@ -236,11 +236,12 @@ protected
 		pkt << buf[1..7] #hwtype, hwlen, hops, txid
 		pkt << "\x00\x00\x00\x00"  #elapsed, flags
 		pkt << clientip
-
-		# give next ip address (not super reliable high volume but it should work for a basic server)
-		self.current_ip += 1
-		if self.current_ip > self.end_ip
-			self.current_ip = self.start_ip
+		if messageType == DHCPDiscover
+			# give next ip address (not super reliable high volume but it should work for a basic server)
+			self.current_ip += 1
+			if self.current_ip > self.end_ip
+				self.current_ip = self.start_ip
+			end
 		end
 		pkt << Rex::Socket.addr_iton(self.current_ip)
 		pkt << self.ipstring #next server ip

data/lib/rex/proto/ntlm/utils.rb

@@ -1,8 +1,14 @@
+require 'rex/proto/ntlm/constants'
+require 'rex/proto/ntlm/crypt'
+
 module Rex
 module Proto
 module NTLM
 class Utils
 
+	CONST = Rex::Proto::NTLM::Constants
+	CRYPT = Rex::Proto::NTLM::Crypt
+
   	#duplicate from lib/rex/proto/smb/utils cause we only need this fonction from Rex::Proto::SMB::Utils
 	# Convert a unix timestamp to a 64-bit signed server time
 	def self.time_unix_to_smb(unix_time)
@@ -12,6 +18,11 @@ class Utils
 		return [thi, tlo]
 	end
 
+	# Determine whether the password is a known hash format
+	def self.is_pass_ntlm_hash?(str)
+		str.downcase =~ /^[0-9a-f]{32}:[0-9a-f]{32}$/
+	end
+
 	#
 	# Prepends an ASN1 formatted length field to a piece of data
 	#
@@ -116,6 +127,26 @@ class Utils
 		return blob	
 	end	
 
+	# BLOB without GSS usefull for ntlmssp type 1 message
+	def self.make_ntlmssp_blob_init(domain = 'WORKGROUP', name = 'WORKSTATION', flags=0x80201)
+		blob =	"NTLMSSP\x00" +
+			[1, flags].pack('VV') +
+
+			[
+				domain.length,  #length
+				domain.length,  #max length
+				32
+			].pack('vvV') +
+
+			[
+				name.length,	#length
+				name.length, 	#max length
+				domain.length + 32
+			].pack('vvV') +	
+
+			domain + name
+		return blob
+	end
 
 	# GSS BLOB usefull for ntlmssp type 1 message
 	def self.make_ntlmssp_secblob_init(domain = 'WORKGROUP', name = 'WORKSTATION', flags=0x80201)
@@ -135,22 +166,7 @@ class Utils
 					) +
 					"\xa2" + self.asn1encode(
 						"\x04" + self.asn1encode(
-							"NTLMSSP\x00" +
-							[1, flags].pack('VV') +
-
-							[
-								domain.length,  #length
-								domain.length,  #max length
-								32
-							].pack('vvV') +
-
-							[
-								name.length,	#length
-								name.length, 	#max length
-								domain.length + 32
-							].pack('vvV') +	
-
-							domain + name
+							make_ntlmssp_blob_init(domain, name, flags)
 						)
 					)
 				)
@@ -161,33 +177,6 @@ class Utils
 	end
 
 
-	# GSS BLOB usefull for ntlmssp type 2 message
-	def self.make_ntlmssp_secblob_chall(win_domain, win_name, dns_domain, dns_name, chall, flags)
-		
-		blob =
-			"\xa1" + self.asn1encode(
-				"\x30" + self.asn1encode(
-					"\xa0" + self.asn1encode(
-						"\x0a" + self.asn1encode(
-							"\x01"
-						)
-					) +
-					"\xa1" + self.asn1encode(
-						"\x06" + self.asn1encode(
-							"\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"
-						)
-					) +
-					"\xa2" + self.asn1encode(
-						"\x04" + self.asn1encode(
-							make_ntlmssp_blob_chall(win_domain, win_name, dns_domain, dns_name, chall, flags)
-						)
-					)
-				)	
-			)
-
-		return blob
-	end
-
 	# BLOB without GSS usefull for ntlm type 2 message 
 	def self.make_ntlmssp_blob_chall(win_domain, win_name, dns_domain, dns_name, chall, flags)
 
@@ -219,10 +208,35 @@ class Utils
 		return blob
 	end
 
+	# GSS BLOB usefull for ntlmssp type 2 message
+	def self.make_ntlmssp_secblob_chall(win_domain, win_name, dns_domain, dns_name, chall, flags)
+		
+		blob =
+			"\xa1" + self.asn1encode(
+				"\x30" + self.asn1encode(
+					"\xa0" + self.asn1encode(
+						"\x0a" + self.asn1encode(
+							"\x01"
+						)
+					) +
+					"\xa1" + self.asn1encode(
+						"\x06" + self.asn1encode(
+							"\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"
+						)
+					) +
+					"\xa2" + self.asn1encode(
+						"\x04" + self.asn1encode(
+							make_ntlmssp_blob_chall(win_domain, win_name, dns_domain, dns_name, chall, flags)
+						)
+					)
+				)	
+			)
 
-	# GSS BLOB Usefull for ntlmssp type 3 message
-	def self.make_ntlmssp_secblob_auth(domain, name, user, lm, ntlm, enc_session_key, flags = 0x080201)
+		return blob
+	end
 
+	# BLOB without GSS Usefull for ntlmssp type 3 message
+	def self.make_ntlmssp_blob_auth(domain, name, user, lm, ntlm, enc_session_key, flags = 0x080201)
 		lm ||= "\x00" * 24
 		ntlm ||= "\x00" * 24		
 	
@@ -232,59 +246,67 @@ class Utils
 		session    = enc_session_key
 
 		ptr  = 64 
+
+		blob = "NTLMSSP\x00" +
+			[ 3 ].pack('V') +
+		
+			[	# Lan Manager Response
+				lm.length,
+				lm.length,
+				(ptr)
+			].pack('vvV') +
+		
+			[	# NTLM Manager Response
+				ntlm.length,
+				ntlm.length,
+				(ptr += lm.length)
+			].pack('vvV') +		
+				
+			[	# Domain Name
+				domain_uni.length,
+				domain_uni.length,
+				(ptr += ntlm.length)
+			].pack('vvV') +		
+
+			[	# Username
+				user_uni.length,
+				user_uni.length,
+				(ptr += domain_uni.length)
+			].pack('vvV') +		
+
+			[	# Hostname
+				name_uni.length,
+				name_uni.length,
+				(ptr += user_uni.length)
+			].pack('vvV') +		
+		
+			[	# Session Key (none)
+				session.length,
+				session.length,
+				(ptr += name_uni.length)
+			].pack('vvV') +		
+
+			[ flags ].pack('V') +
+
+			lm +
+			ntlm +
+			domain_uni +
+			user_uni +
+			name_uni + 
+			session + "\x00" 
+		return blob
+
+	end
+
+	# GSS BLOB Usefull for ntlmssp type 3 message
+	def self.make_ntlmssp_secblob_auth(domain, name, user, lm, ntlm, enc_session_key, flags = 0x080201)
+
 		blob =
 			"\xa1" + self.asn1encode(
 				"\x30" + self.asn1encode(
 					"\xa2" + self.asn1encode(
 						"\x04" + self.asn1encode(
-					
-							"NTLMSSP\x00" +
-							[ 3 ].pack('V') +
-							
-							[	# Lan Manager Response
-								lm.length,
-								lm.length,
-								(ptr)
-							].pack('vvV') +
-							
-							[	# NTLM Manager Response
-								ntlm.length,
-								ntlm.length,
-								(ptr += lm.length)
-							].pack('vvV') +		
-									
-							[	# Domain Name
-								domain_uni.length,
-								domain_uni.length,
-								(ptr += ntlm.length)
-							].pack('vvV') +		
-			
-							[	# Username
-								user_uni.length,
-								user_uni.length,
-								(ptr += domain_uni.length)
-							].pack('vvV') +		
-			
-							[	# Hostname
-								name_uni.length,
-								name_uni.length,
-								(ptr += user_uni.length)
-							].pack('vvV') +		
-							
-							[	# Session Key (none)
-								session.length,
-								session.length,
-								(ptr += name_uni.length)
-							].pack('vvV') +		
-			
-							[ flags ].pack('V') +
-				
-							lm +
-							ntlm +
-							domain_uni +
-							user_uni +
-							name_uni + 
-							session + "\x00" 
+						make_ntlmssp_blob_auth(domain, name, user, lm, ntlm, enc_session_key, flags )
 					)
 				)
 			)
@@ -308,13 +330,107 @@ class Utils
 		return blob
 	end
 
+	# Return the correct ntlmflags upon the configuration
+	def self.make_ntlm_flags(opt = {})
+
+		signing 		= opt[:signing] 		!= nil ? opt[:signing] : false
+		usentlm2_session 	= opt[:usentlm2_session]	!= nil ? opt[:usentlm2_session] : true
+		use_ntlmv2 		= opt[:use_ntlmv2] 		!= nil ? opt[:use_ntlmv2] : false
+		send_lm 		= opt[:send_lm] 		!= nil ? opt[:send_lm] : true
+		send_ntlm 		= opt[:send_ntlm] 		!= nil ? opt[:send_ntlm] : true
+		use_lanman_key 		= opt[:use_lanman_key] 		!= nil ? opt[:use_lanman_key] : false
+
+		if signing 
+			ntlmssp_flags = 0xe2088215
+		else
+
+			ntlmssp_flags = 0xa2080205
+		end
+
+		if usentlm2_session
+			if use_ntlmv2
+				#set Negotiate Target Info
+				ntlmssp_flags |= CONST::NEGOTIATE_TARGET_INFO	
+			end
+
+		else
+			#remove the ntlm2_session flag
+			ntlmssp_flags &= 0xfff7ffff
+			#set lanmanflag only when lm and ntlm are sent
+			if send_lm
+				ntlmssp_flags |= CONST::NEGOTIATE_LMKEY if use_lanman_key
+			end
+		end
+	
+		#we can also downgrade ntlm2_session when we send only lmv1
+		ntlmssp_flags &= 0xfff7ffff if usentlm2_session && (not use_ntlmv2) && (not send_ntlm)
+
+		return ntlmssp_flags
+	end
+
+
+	# Parse an ntlm type 2 challenge blob and return usefull data
+	def self.parse_ntlm_type_2_blob(blob)
+		data = {}
+		# Extract the NTLM challenge key the lazy way
+		cidx = blob.index("NTLMSSP\x00\x02\x00\x00\x00")
+
+		if not cidx
+			raise XCEPT::NTLM2MissingChallenge
+		end
+
+		data[:challenge_key] = blob[cidx + 24, 8]
+
+		data[:server_ntlmssp_flags] = blob[cidx + 20, 4].unpack("V")[0]
+
+		# Extract the address list from the blob
+		alist_len,alist_mlen,alist_off = blob[cidx + 40, 8].unpack("vvV")
+		alist_buf = blob[cidx + alist_off, alist_len]
+
+		while(alist_buf.length > 0)
+			atype, alen = alist_buf.slice!(0,4).unpack('vv')
+			break if atype == 0x00
+			addr = alist_buf.slice!(0, alen)
+			case atype
+			when 1
+				#netbios name
+				data[:default_name] =  addr.gsub("\x00", '')
+			when 2
+				#netbios domain
+				data[:default_domain] = addr.gsub("\x00", '')
+			when 3
+				#dns name
+				data[:dns_host_name] =  addr.gsub("\x00", '')
+			when 4
+				#dns domain
+				data[:dns_domain_name] =  addr.gsub("\x00", '')
+			when 5
+				#The FQDN of the forest.
+			when 6
+				#A 32-bit value indicating server or client configuration
+			when 7
+				#Client time
+				data[:chall_MsvAvTimestamp] = addr
+			when 8
+				#A Restriction_Encoding structure 
+			when 9
+				#The SPN of the target server. 
+			when 10
+				#A channel bindings hash.
+			end
+		end
+		return data
+	end
+
 	# This function return an ntlmv2 client challenge
-	def self.make_ntlmv2_clientchallenge(win_domain, win_name, dns_domain, dns_name, client_challenge = nil, chall_MsvAvTimestamp = nil)
+	# This is a partial implementation, full description is in [MS-NLMP].pdf around 3.1.5.2.1 :-/
+	def self.make_ntlmv2_clientchallenge(win_domain, win_name, dns_domain, dns_name, 
+						client_challenge = nil, chall_MsvAvTimestamp = nil, spnopt = {})
 		
 		client_challenge ||= Rex::Text.rand_text(8)
 		# We have to set the timestamps here to the one in the challenge message from server if present
-		# If we don't do that, recent server like seven will send a STATUS_INVALID_PARAMETER error packet
-		timestamp = chall_MsvAvTimestamp != nil ? chall_MsvAvTimestamp : self.time_unix_to_smb(Time.now.to_i).reverse.pack("VV")
+		# If we don't do that, recent server like Seven/2008 will send a STATUS_INVALID_PARAMETER error packet
+		timestamp = chall_MsvAvTimestamp != '' ? chall_MsvAvTimestamp : self.time_unix_to_smb(Time.now.to_i).reverse.pack("VV")
 		# Make those values unicode as requested
 		win_domain = Rex::Text.to_unicode(win_domain)
 		win_name = Rex::Text.to_unicode(win_name)
@@ -328,6 +444,14 @@ class Utils
 		addr_list  << [3, dns_name.length].pack('vv') + dns_name
 		addr_list  << [7, 8].pack('vv') + timestamp
 
+		# Windows Seven / 2008r2 Request this type if in local security policies,
+		# Microsoft network server : Server SPN target name validation level is set to <Required from client>
+		# otherwise it send an STATUS_ACCESS_DENIED packet 
+		if spnopt[:use_spn]
+			spn= Rex::Text.to_unicode("cifs/#{spnopt[:name] || 'unknow'}")
+			addr_list  << [9, spn.length].pack('vv') + spn
+		end
+		
 		# MAY BE USEFUL FOR FUTURE
 		# Seven (client) add at least one more av that is of type MsAvRestrictions (8)	
 		# maybe this will be usefull with future windows OSs but has no use at all for the moment afaik		
@@ -338,10 +462,6 @@ class Utils
 		# Seven (client) and maybe others versions also add an av of type MsvChannelBindings (10) but the hash is "\x00" * 16
 		# addr_list  << [10, 16].pack('vv') + "\x00" * 16
 		
-		# Seven and maybe other versions also add an av of type MsvAvTargetName(9) with value cifs/target(_ip)
-		# implementing it will necessary require knowing the target here, todo... :-/
-		# spn= Rex::Text.to_unicode("cifs/RHOST")
-		# addr_list  << [9, spn.length].pack('vv') + spn
 
 		addr_list  << [0, 0].pack('vv')
 		ntlm_clientchallenge = 	[1,1,0,0].pack("CCvV") + #RespType, HiRespType, Reserved1, Reserved2
@@ -352,6 +472,291 @@ class Utils
 
 	end
 
+	# create lm/ntlm responses
+	def self.create_lm_ntlm_responses(user, pass, challenge_key, domain = '', default_name = '', default_domain = '',
+					dns_host_name = '', dns_domain_name = '', chall_MsvAvTimestamp = nil, spnopt = {}, opt = {} )
+
+		usentlm2_session 	= opt[:usentlm2_session]	!= nil ? opt[:usentlm2_session] : true
+		use_ntlmv2 		= opt[:use_ntlmv2] 		!= nil ? opt[:use_ntlmv2] : false
+		send_lm 		= opt[:send_lm] 		!= nil ? opt[:send_lm] : true
+		send_ntlm 		= opt[:send_ntlm] 		!= nil ? opt[:send_ntlm] : true
+
+		#calculate the lm/ntlm response
+		resp_lm = "\x00" * 24
+		resp_ntlm = "\x00" * 24
+
+		client_challenge = Rex::Text.rand_text(8)
+		ntlm_cli_challenge = ''
+		if send_ntlm  #should be default
+			if usentlm2_session
+				if use_ntlmv2
+					ntlm_cli_challenge = self.make_ntlmv2_clientchallenge(default_domain, default_name, dns_domain_name, 
+												dns_host_name,client_challenge , 
+												chall_MsvAvTimestamp, spnopt)
+					if self.is_pass_ntlm_hash?(pass)
+						argntlm = { 	
+							:ntlmv2_hash =>  CRYPT::ntlmv2_hash(
+												user, 
+												[ pass.upcase()[33,65] ].pack('H32'), 
+												domain,{:pass_is_hash => true}
+											),
+							:challenge   => challenge_key 
+						}
+					else
+						argntlm = {
+							:ntlmv2_hash =>  CRYPT::ntlmv2_hash(user, pass, domain),
+							:challenge   =>  challenge_key 
+						}
+					end
+
+					optntlm = { :nt_client_challenge => ntlm_cli_challenge}
+					ntlmv2_response = CRYPT::ntlmv2_response(argntlm,optntlm)
+					resp_ntlm = ntlmv2_response 
+					
+					if send_lm
+						if self.is_pass_ntlm_hash?(pass)
+							arglm = {
+								:ntlmv2_hash =>  CRYPT::ntlmv2_hash(
+													user, 								
+													[ pass.upcase()[33,65] ].pack('H32'), 
+													domain,{:pass_is_hash => true}
+												),
+								:challenge   => challenge_key 
+							}
+						else
+							arglm = {
+								:ntlmv2_hash =>  CRYPT::ntlmv2_hash(user,pass, domain),
+								:challenge   => challenge_key 
+							}
+						end
+						
+						optlm = { :client_challenge => client_challenge }
+						resp_lm = CRYPT::lmv2_response(arglm, optlm)
+					else
+						resp_lm = "\x00" * 24
+					end
+
+				else # ntlm2_session
+					if self.is_pass_ntlm_hash?(pass)
+						argntlm = { 
+							:ntlm_hash =>  [ pass.upcase()[33,65] ].pack('H32'), 
+							:challenge => challenge_key 
+						}
+					else
+						argntlm = {
+							:ntlm_hash =>  CRYPT::ntlm_hash(pass), 
+							:challenge => challenge_key 
+						}
+					end
+					
+					optntlm = {	:client_challenge => client_challenge}
+					resp_ntlm = CRYPT::ntlm2_session(argntlm,optntlm).join[24,24]
+					
+					# Generate the fake LANMAN hash
+					resp_lm = client_challenge + ("\x00" * 16)
+				end
+
+			else # we use lmv1/ntlmv1
+				if self.is_pass_ntlm_hash?(pass)
+					argntlm = {
+						:ntlm_hash =>  [ pass.upcase()[33,65] ].pack('H32'), 
+						:challenge =>  challenge_key 
+					}
+				else
+					argntlm = {
+						:ntlm_hash =>  CRYPT::ntlm_hash(pass), 
+						:challenge =>  challenge_key 
+					}
+				end
+				
+				resp_ntlm = CRYPT::ntlm_response(argntlm)
+				if send_lm
+					if self.is_pass_ntlm_hash?(pass)
+						arglm = {
+							:lm_hash => [ pass.upcase()[0,32] ].pack('H32'),
+							:challenge =>  challenge_key 
+						}
+					else
+						arglm = {
+							:lm_hash => CRYPT::lm_hash(pass),
+							:challenge =>  challenge_key 
+						}
+					end
+					resp_lm = CRYPT::lm_response(arglm)
+				else
+					#when windows does not send lm in ntlmv1 type response,
+					# it gives lm response the same value as ntlm response
+					resp_lm  = resp_ntlm
+				end
+			end
+		else #send_ntlm = false 
+			#lmv2
+			if usentlm2_session && use_ntlmv2
+				if self.is_pass_ntlm_hash?(pass)
+					arglm = {
+						:ntlmv2_hash =>  CRYPT::ntlmv2_hash(
+											user, 
+											[ pass.upcase()[33,65] ].pack('H32'), 
+											domain,{:pass_is_hash => true}
+										),
+						:challenge => challenge_key 
+					}
+				else
+					arglm = {
+						:ntlmv2_hash =>  CRYPT::ntlmv2_hash(user,pass, domain),
+						:challenge => challenge_key 
+					}
+				end
+				optlm = { :client_challenge => client_challenge }
+				resp_lm = CRYPT::lmv2_response(arglm, optlm)
+			else
+				if self.is_pass_ntlm_hash?(pass)
+					arglm = {
+						:lm_hash => [ pass.upcase()[0,32] ].pack('H32'),
+						:challenge =>  challenge_key 
+					}
+				else
+					arglm = {
+						:lm_hash => CRYPT::lm_hash(pass),
+						:challenge =>  challenge_key 
+					}
+				end
+				resp_lm = CRYPT::lm_response(arglm)
+			end
+			resp_ntlm = ""
+		end
+		return resp_lm, resp_ntlm, client_challenge, ntlm_cli_challenge
+	end
+
+	# create the session key
+	def self.create_session_key(server_ntlmssp_flags, user, pass, domain, challenge_key,
+					client_challenge = '', ntlm_cli_challenge = '' , opt = {} )
+
+		usentlm2_session 	= opt[:usentlm2_session]	!= nil ? opt[:usentlm2_session] : true
+		use_ntlmv2 		= opt[:use_ntlmv2] 		!= nil ? opt[:use_ntlmv2] : false
+		send_lm 		= opt[:send_lm] 		!= nil ? opt[:send_lm] : true
+		send_ntlm 		= opt[:send_ntlm] 		!= nil ? opt[:send_ntlm] : true
+		use_lanman_key 		= opt[:use_lanman_key] 		!= nil ? opt[:use_lanman_key] : false
+
+		# Create the sessionkey (aka signing key, aka mackey) and encrypted session key
+		# Server will decide for key_size and key_exchange
+		enc_session_key = ''
+		signing_key = ''
+
+		# Set default key size and key exchange values
+		key_size = 40
+		key_exchange = false
+		# Remove ntlmssp.negotiate56
+		ntlmssp_flags &= 0x7fffffff
+		# Remove ntlmssp.negotiatekeyexch
+		ntlmssp_flags &= 0xbfffffff
+		# Remove ntlmssp.negotiate128
+		ntlmssp_flags &= 0xdfffffff
+		# Check the keyexchange
+		if server_ntlmssp_flags & CONST::NEGOTIATE_KEY_EXCH != 0 then
+			key_exchange = true
+			ntlmssp_flags |= CONST::NEGOTIATE_KEY_EXCH
+		end
+		# Check 128bits
+		if server_ntlmssp_flags & CONST::NEGOTIATE_128 != 0 then
+			key_size = 128
+			ntlmssp_flags |= CONST::NEGOTIATE_128
+			ntlmssp_flags |= CONST::NEGOTIATE_56
+		# Check 56bits
+		else
+			if server_ntlmssp_flags & CONST::NEGOTIATE_56 != 0 then
+				key_size = 56
+				ntlmssp_flags |= CONST::NEGOTIATE_56
+			end
+		end
+
+		# Generate the user session key
+		lanman_weak = false
+		if send_ntlm  # Should be default
+			if usentlm2_session
+				if use_ntlmv2
+					if self.is_pass_ntlm_hash?(pass)
+						user_session_key = CRYPT::ntlmv2_user_session_key(user, 
+												[ pass.upcase()[33,65] ].pack('H32'),
+										 		domain, 
+												challenge_key, ntlm_cli_challenge, 
+												{:pass_is_hash => true})
+					else
+						user_session_key = CRYPT::ntlmv2_user_session_key(user, pass, domain, 
+											challenge_key, ntlm_cli_challenge)
+					end
+				else
+					if self.is_pass_ntlm_hash?(pass)
+						user_session_key = CRYPT::ntlm2_session_user_session_key([ pass.upcase()[33,65] ].pack('H32'), 
+														challenge_key, 
+														client_challenge, 
+														{:pass_is_hash => true})
+					else
+						user_session_key = CRYPT::ntlm2_session_user_session_key(pass, challenge_key, 
+														client_challenge)
+					end
+				end
+			else # lmv1/ntlmv1
+				# lanman_key may also be used without ntlm response but it is not so much used
+				# so we don't care about this feature 
+				if send_lm && use_lanman_key
+					if self.is_pass_ntlm_hash?(pass)
+						user_session_key = CRYPT::lanman_session_key([ pass.upcase()[0,32] ].pack('H32'), 
+												challenge_key, 
+												{:pass_is_hash => true})
+					else
+						user_session_key = CRYPT::lanman_session_key(pass, challenge_key)
+					end
+					lanman_weak = true
+				
+
+				else
+					if self.is_pass_ntlm_hash?(pass)
+						user_session_key = CRYPT::ntlmv1_user_session_key([ pass.upcase()[33,65] ].pack('H32'),
+													{:pass_is_hash => true})
+					else
+						user_session_key = CRYPT::ntlmv1_user_session_key(pass)
+					end
+				end
+			end
+		else
+				if usentlm2_session && use_ntlmv2
+					if self.is_pass_ntlm_hash?(pass)
+						user_session_key = CRYPT::lmv2_user_session_key(user, [ pass.upcase()[33,65] ].pack('H32'), 
+												domain, 
+												challenge_key, client_challenge, 
+												{:pass_is_hash => true})
+					else
+						user_session_key = CRYPT::lmv2_user_session_key(user, pass, domain, 
+												challenge_key, client_challenge)
+					end
+				else
+					if self.is_pass_ntlm_hash?(pass)
+						user_session_key = CRYPT::lmv1_user_session_key([ pass.upcase()[0,32] ].pack('H32'), 
+													{:pass_is_hash => true})
+					else
+						user_session_key = CRYPT::lmv1_user_session_key(pass)
+					end
+				end
+		end
+
+		user_session_key = CRYPT::make_weak_sessionkey(user_session_key,key_size, lanman_weak)			
+
+		# Sessionkey and encrypted session key
+		if key_exchange
+			signing_key = Rex::Text.rand_text(16)
+			enc_session_key = CRYPT::encrypt_sessionkey(signing_key, user_session_key)
+		else
+			signing_key = user_session_key
+		end
+		
+		return signing_key, enc_session_key
+	
+		
+	end
+	
+
+
 end
 end
 end