i SrSSKrSSKrSSKrSSKrSSKrSSKrSSKrSSK r SSK J r J r J r SSKJr SSKJrJrJrJr SSKJrJrJrJr SSKJrJrJrJrJrJ r J!r!J"r" SSK#J$r$J%r%J&r&J'r' SS K(J)r) SS K*J+r+J,r,J-r-J.r.J/r/J0r0J1r1J2r2J3r3J4r4J5r5J6r6J7r7J8r8 S r9SSK:r:S r9S r<SS K=J>r> S r text_valuesinfoav_id raw_valuevalues r;_parse_ntlm_target_infor[bsE       K D'--/ DHH E  !E djj  *E dnn $ NE d&& &!ll$..y/D/DELLN#--i.B.BCJJL E$$Y/668E Z.?@)0, Kr=datac  UR5n[UR[S9[R "SUSS5S[R "SUSS5S[R "SUSS5SS .[R "SUSS 5S[R "SUS S 5S[R "SUS S 5SS .[ UR5URURS .S.nU$)N enum_typeqA ==vb}5a8mmD&B-8;"MM$r" >qA 't||4**++  C& Jr=c UR5n[R"SUSS5S[R"SUSS5S[R"SUSS5SS.[UR[ S 9[ R"US S 5R5[ R"US S 5R5[R"SUS S 5S[R"SUS S5S[R"SUSS5SS.[UR5UR[UR5S.S.nU$)Nr` rrardrcrfr^rerl(*,0) TargetNamer)TargetNameFieldsrServerChallenger1TargetInfoFieldsrrq)rrrsrtr rMrr6r7r9r<r+rJr[r>rws r;_parse_ntlm_challengers1 YY[F==vb}5a8mmD&B-8;"MM$r" >qA &djjNK!++F2bM:AAC$$VBr]3::<==vb}5a8mmD&B-8;"MM$r" >qA 't||4**1$2B2BC  C* Jr=passwordc~ UR5n[R"SUSS5S[R"SUSS5S[R"SUSS5SS.[R"SUSS 5S[R"SUS S 5S[R"SUS S 5SS.[R"SUS S 5S[R"SUS S 5S[R"SUS S5SS.[R"SUSS5S[R"SUSS5S[R"SUSS5SS.[R"SUSS5S[R"SUSS5S[R"SUSS5SS.[R"SUSS5S[R"SUSS5S[R"SUSS5SS.[UR[ S9[ UR5UR(a.[R"UR5R5OSSSURURURSS.S. nSnURnUR nU(aSSS.nU(a[#U5S :Xa-SUS'[R"U5R5US'OYSUS'[R"USS5R5US'[R"USS5R5US 'XsS!S"'U(GaSSS#.n[#U5S :Xa.S$US'[R"U5R5US%'GOdUSSn S&US'[R"U 5R5US%'[$R"USS5n USSn U R&U R([R"SU S'S(5S[R"SU S(S)5S[+U R,5[R"U R.5R5[R"SU S S 5S[1U R25[R"SU S*S5SS+. US,'U(a-[5US!S-[7U5US!S.5n [9X5nXS!S/'UR:(a4[R"UR:5R5US!S0'UR[ R<-(a}UR[ R>-(d"UR[ R@-(a9Sn U(a/[CU[DRF"[HUR:55n OUn U (a$[R"U 5R5OS1US2'U$)3Nr`r|r}rrardrcrfrerkrl$&r~r.r468<r^)LmChallengeResponseNtChallengeResponsermUserNamernEncryptedRandomSessionKey) LmChallengeResponseFieldsNtChallengeResponseFieldsroUserNameFieldsrpEncryptedRandomSessionKeyFieldsrrMICrq) ResponseType LMProofStrLMv1rrLMv2ChallengeFromClientrqr)r NTProofStrNTLMv1rNTLMv2) RespType HiRespType Reserved1 Reserved2 TimeStampr Reserved3AvPairs Reserved4ClientChallengerrmrrzFailed to derive SessionKey)%rrrsrtr rMrr<r+micr6r7r9ru user_namervlm_challenge_responsent_challenge_responselenr resp_type hi_resp_typerO time_stampchallenge_from_clientr[av_pairsr r r encrypted_random_session_keykey_exchsignsealrtypingcastbytes)r\rrxrykey_exchange_keylm_response_datant_response_data lm_response nt_response nt_proof_str challenge b_challengeresponse_key_nt session_keys r;_parse_ntlm_authenticaters YY[F==vb}5a8mmD&B-8;"MM$r" >qA& ==vb}5a8mmD&B-8;"MM$r" >qA& ==vb}5a8mmD&B-8;"MM$r" >qA ==vb}5a8mmD&B-8;"MM$r" >qA ==vb}5a8mmD&B-8;"MM$r" >qA ==vb}5a8mmD&B-8;"MM$r" >qA, &djjNK&t||46:hhv)002D#'#'**++)-  E*)CX1111 5  3'7#8B#>*0K '(.(8(89I(J(Q(Q(SK %+1K '(.(8(89I#29N(O(V(V(XK %171A1ABRSUSVBW1X1_1_1aK- .0;I,- 5  B &*2K '(.(8(89I(J(Q(Q(SK %,CR0L*2K '(.(8(8(F(M(M(OK %+223CBC3HII*23/K&//'44#]]4Qq1AB1E#]]4Qq1AB1E !5!56'-'7'7 8W8W'X'_'_'a#]]4R1CDQG293E3EF#]]4RS1AB1E .K) *")#i.*DghFWY\]fYghtYu"v#+O#J 0;I,- ((6<6F6FtGhGh6i6p6p6rI23 zzN+++n>Q>Q1QUYU_U_bpbubuUu /UDDeDe1fgK' BM((5<<>SeC  Jr=secretencodingcUR(a)URVs/sHn[U[S9PM snOSnSnUR(a[ URXS9nU=(d SnUUR b[ UR 5OSUURb.[R"UR5R5OSS.nUR(dUR(a`UR(aURRU5OSUR(aURRU5OSS.US'U$s snf)Nr^rrutf-8) mechTypesreqFlags mechToken mechListMIC)hintName hintAddressnegHints) mech_typesrr mech_token parse_token req_flagsr mech_list_micr6r7r9 hint_name hint_address)r\rrmrrrys r;_parse_spnego_initr>s  QUP_P_DOOLOq*Q'2OLeiJJ  S "7H 37>>3MK/SWHLHZHZHfv''(:(:;BBDlp  C ~~**<@>>--h7tAEARAR4,,33H=X\ J J-MsEcrUR(a[UR[S9OSnSnUR(a[ URXS9nUR b[UR 5OSUUUR b.[R"UR 5R5OSS.nU$)Nr^r)negState supportedMech responseTokenr) supported_mechrrresponse_tokenr neg_staterr6r7r9)r\rrrrrys r;_parse_spnego_respr\s LPK^K^Z 3 3wGdhNN $T%8%8[37..2LJt~~.RV''HLHZHZHfv''(:(:;BBDlp  C Jr=viewc[[R"SUSS5S5nUSSnUSSnUSSn[R"SUSS5SnUSSnUSUnXSn[R"SUSS5SnUSSnUSUnXSn/nU(a_[[R"SUSS5S5nUR UR SUR S35 USSnU(aM_[R"SUSS5Sn USSnUSU n X Sn/n U (aN[[R"SU SS5S5n U R [U 55 U SSn U (aMN[R"SUSS5Sn USSnUSU nX Sn[US 5n[U5[R"U5R5[R"U5R5UU US .$) N>HrrrlB - 0x04XT)ProtocolVersionRandom SessionID CipherSuitesCompressionMethods Extensions) r%rsrtrrUnamerZrr_parse_tls_extensionsr6r7r9)rprotocol_versionrandomsession_id_len session_idcipher_suites_lencipher_suites_view cipher_suitescscompression_methods_lencompression_methods_viewcompression_methodscmextensions_lenextensions_view extensionss r;!_parse_tls_handshake_client_hellorpsQ*&--d2Ah*G*JK 8D #2YF 9D]]3Ra1!4N 8Do~&J  D dD!H5a8 8D001 " #DM  FMM$0B2A0FGJ Kybhhs^<=/3   %mmCbq:1= 8D#$<%<= ( )D " !&--5Mbq5Q"RST"U V"":b>2#;AB#?  # " ]]4bq215N 8D?N+O  D&=J&&67""6*113%%j188:%1  r=c[[R"SUSS5S5nUSSnUSSnUSSn[R"SUSS5SnUSSnUSUnXSn[[R"SUSS5S5nUSSn[ [R"SUSS5S5nUSSn[R"SUSS5SnUSSnUSUnXSn[ US5n [ U5[R"U5R5[R"U5R5URSURS 3[ U5U S .$) NrrrrlrrFrr)rrr CipherSuiteCompressionMethodr) r%rsrtrrrrr6r7r9rrZ) rrrrr cipher_suitecompression_methodrrrs r;!_parse_tls_handshake_server_hellors*&--d2Ah*G*JK 8D #2YF 9D]]3Ra1!4N 8Do~&J  D!&--d2Ah"?"BCL 8D-fmmCbq.J1.MN 8D]]4bq215N 8D?N+O  D&>J&&67""6*113%%j188:&++,E,2D2DS1IJ'(:;  r=c*[R"SUSS5SnUSSnUSUnXSn/nU(aN[[R"SUSS5S5nUR[ U55 USSnU(aMN[R"SUSS5SnUSSnUSUnXSn/nU(aN[ [R"SUSS5S5nUR[ U55 USSnU(aMN[R"SUSS5Sn USSnUSU n X Sn/n U (a[R"SU SS5Sn U SSn U SU n XSn [ U 5Hn[ U5Hn[UR5Sn[ U5unn[[U55nU R[ U5URR5RS5S.5 M M U (aMUUU S.$) Nrrrrrr)OIDrD)CertificateTypesSignatureAlgorithmsCertificateAuthorities) rsrtrrUrr(rrrxrrtobytesr9)rcert_types_lencert_types_view cert_typesct sig_algos_lensig_algos_view sig_algosalgodn_lendn_viewdns entry_len entry_viewdn_entrydn_setdn_datadn_oiddn_stroids r;(_parse_tls_handshake_certificate_requestr(s9]]3Ra1!4N 8D?N+O  DJ  %fmmC!9L&Ma&P Q*R.))!"- / MM$Ra1!4M 8D.=)N  DI !&--nRa6H"I!"LMD)*'+ . ]]4bq *1 -F 8D7FmG =D C MM$ 4Q7 !"+Zi( *%,Z8H.x8%fmm4Q7!5g!>+,I&,QR )#!'!6!6!8!?!?!H 99 '('("% r=rc[[R"SUSS5S5nUSSn[[R"SUSS5S5nUSSn[R"SUSS5SnUSSnUSUR 5nXSnSnU[ R :a+[[R"SUSS5S5nUSSn[R"SUSS5SnUSSnUSUR 5n[U5[U5[R"U5R5U(a [U5OS[R"U5R5S.$)Nrrrrr) CurveTypeCurve PublicKeySignatureAlgorithm Signature) r!rsrtr)rr%tls1_2r(rr6r7r9) rr curve_typecurve pubkey_lenpubkeysignature_algo signature_len signatures r;(_parse_tls_handshake_server_key_exchanger7sp  c48 ?E 8DsD!H-a0J 8D +:  & & (F  DN-444+FMM$Ra,I!,LMABxMM$Ra1!4M 8D^m$,,.I +E"%%f-446[[+[R"SUSS5S55nGO U[R,:Xa|[R"SUSS5SnUSSU-n/nU(aLUR[[/[R"SUSS5S555 USSnU(aMLGO}U[R0:XGahU(a[R"SUSS5SnUSSU-n/nU(a[[R"SUSS5S5n[R"SUSS 5SnUS S U-R 5nUR[U5[ R""U5R 5S .5 US U-SnU(aMO[[R"SUSS5S5n[R"SUSS 5SnUS S U-R 5n[U5[ R""U5R 5S .nS [U50nUbUUS 'UcU(a'[ R""U5R 5US 'URU5 U(aGMU$s sn f)Nrrrrrr)TypeNamer)GroupKey ExtensionTypeDataRawData)r#rsrt server_namer'rr9rUrec_point_formatslistr"supported_groupsr)&application_layer_protocol_negotiationsession_ticketr6r7signature_algorithmsr(supported_versionsr%psk_key_exchange_modesr& key_share)rr8rext_typeext_lenext_datar\data_len data_view name_typename_lenrbalpn_lenkey_share_groupkey_exchange_len key_exchange formated_datas r;rr&sJ #FMM$Ra$A!$DEABx--d2Ah/2ABx>H~ a<D )55 5}}T8BQ<8;H Q\2ID-fmmC2A.OPQ.RS !==y1~>qA Q\2::<CCGL *9 5 $ &a(ln5 )):: :}}S(2A,7:H Q\2I=A)_M_J/23_DMD ):: :}}T8BQ<8;H Q\2ID J'8tYWYXY]9[\]9^'_`a%abM ))PP P}}T8BQ<8;H Q\2ID!==im>@D )>> >}}T8BQ<8;H Q\2ID J'9&--iXZYZm:\]^:_'`ab%abM ))<< <!==hrl;A>$QX6 KK +=fmmDR[\^]^R_>`ab>c+d ef )!" I i ""4V]]4RTST5VWX5Y"Z[ )@@ @}}S(2A,7:H Q\2ID J''J1'M$#,Q5E1E#F#N#N#PLKK%/%@#)#3#3L#A#H#H#J !*!.>*>*@ AI i#4FMM$QSRS 4UVW4X"Y#)==x!}#Ea#H 'A0@,@AIIK '8!++L9@@B Z1   $(M& !  x'-'7'7'A'H'H'JM) $-(k $n mNs [2argscF[U5nUR(a[UR5nOUR(a[R R [R R[R RUR555n[U5n[R RU5(d[SU-5e[USS9nUR5nSSS5 O([RRR5n[ R""SW5(aH[$R&"[ R("SSUR+5R-555n[ R""SU5(a$[$R."UR+55n[ R""S U5(a [1U5nO[3X!R4UR6S 9nUR8S :XaH[:(a=[<R>"5nS Ul URCU[RD5 g[G[HRJ"US S95 g!,(df  GNp=f)zMain program entry point.zCannot find file at path '%s'rb)modeNs^[a-fA-F0-9\s]+$s[\s]r=s<^([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)?$s[||||][||]rr*Fr)indent)& parse_argstokenrfileospathabspath expanduser expandvarsexists ValueErroropenreadsysstdinbufferrematchr6 b16decodesubstripupper b64decodeparse_tls_tokenrrr output_formatHAS_YAMLr*YAMLdefault_flow_styledumpstdoutprintjsondumps)rY parsed_argsrx file_path b_file_pathfd token_infoys r;mainrsT"K+++,   (:(:277;M;MkN^N^;_(`aI"9-K77>>+.. !@9!LMMk-.-YY%%**,F xx$f--!!"&&3 8L8L8N"OP xxOQWXX!!&,,.1 xxA6JJ$V,  0B0B[MaMab   F*xx IIK$ z3::& djjA.//.-s .J J c [R"SS9nUR5nURSSSSS9 URSS S S S S 9 URSSSS9 URSSSS/SSSSS9 URSSSSSS9 [(a[ R "U5 URU5nURS:Xa[(d [S5eU$) zParse and return args.zCParse Microsoft authentication tokens into a human readable format.) descriptionz-tz--tokenr_zBRaw base64 encoded or hex string token as a command line argument.)desthelpz-fz--filer`zPath to file that contains raw bytes, base64, or hex string of token to parse, Defaults to reading from stdin if neither -t or -f is specified.)defaultrrz --encodingrzThe encoding to use when trying to decode text fields from bytes in tokens that don't have a negotiated encoding. This defaults to 'windows-1252' for NTLM tokens and 'utf-8' for Kerberos/SPNEGO tokens.z--formatz--output-formatr|r*ruc"UR5$)N)lower)ss r;parse_args..s qwwyr=zSet the output format of the token, default is (json). Using yaml requires the ruamel.yaml Python library to be installed pip install pyspnego[yaml].)choicesrrtyperz--secretz --passwordrNzOptional info that is the secret information for a protocol that can be used to decrypt encrypted fields and/or derive the unique session key in the exchange. This is currently only supported by NTLM tokens to generate the session key.)rrrz6Cannot output as yaml as ruamel.yaml is not installed.) argparseArgumentParseradd_mutually_exclusive_group add_argumentHAS_ARGCOMPLETE argcomplete autocompleter^rurvrg)rYparserr\r~s r;r^r^s%  $ $1v wF  . . 0D ig,p   2   l    >   .   (##D)K  F*88QRR r=rxmechc&SnU(a+[U[5(d[R"U5n[XSUS9nSnSn[U[5(a<S n[UR[S 9[URURXS 9S .nGO [U[5(a[XQU5nS U;aSnOSnO[U[ 5(aSn[#XQU5nO[U[$[&[(45(ac[UR*5n[U[$5(a [-U5nOc[U[&5(a [/U5nOB[1XQ5nO6[U[25(a![UR*5n[5XQU5nUU[ R"U5R5S.$![a>nSS[ U5-[ R"U5R5S.sSnA$SnAff=f)a :param b_data: A byte string of the token to parse. This can be a NTLM or GSSAPI (SPNEGO/Kerberos) token. :param secret: The secret data used to decrypt fields and/or derive session keys. :param encoding: The encoding to use for token fields that represent text. This is only used for fields where there is no negotiation for the encoding of that particular field. Defaults to 'windows-1252' for NTLM and 'utf-8' for Kerberos. :return: A dict containing the parsed token data. NT)runwraprz4Unknown - Failed to parse see Data for more details.zFailed to parse token: %s) MessageTyper@rAUnknownz5Failed to parse SPNEGO token due to unknown mech typezSPNEGO InitialContextTokenr^)rrr)thisMechinnerContextTokenrzSPNEGO NegTokenInit2zSPNEGO NegTokenInitzSPNEGO NegTokenResp) isinstancerfrom_oidr ExceptionrOr6r7r9rr this_mechrinner_context_tokenrrrrrrr MESSAGE_TYPErzrrrr ) rxrrrgss_mechr_emsg_typer\s r;rrs*.H JtW--##D) V4(SHLrz>I Certificater, HandshakeTyper@rA) ContentTyper) memoryviewr rsrtr% handshaker$ client_hellor server_hellor certificater6r7rr9certificate_requestr(server_key_exchanger7client_key_exchangerrU)rxrres content_typer token_length token_viewr\handshake_type message_lenhandshake_viewhandshake_datacert_lenkey_lenformatted_handshake_dataformatted_datas r;rtrtTs/ f D C %fmmCbq&B1&EF -fmmD$q).LQ.OP}}T4!95a8 !a,./ KO >33 3D!8sJWYXYN9[\]9^!_$mmD'JqO2KLQO !+AK!@PT!%<%I%II%F~%VN#'>'K'KK%F~%VN#'>'J'JJ%}}T7^BQ=O3OPQRSH%v'7'7q1x<8X8`8`8b'c'j'j'l&N$'>'R'RR%Mn%]N#'>'R'RR%Mn%oN#'>'R'RR$mmC1CDQGG#V%5%5nQW6U6]6]6_%`%g%g%i&N $Z%?J("-7EV46<6F6FzRcTUXcTcGdGlGlGn6o6v6v6x(3 45'K(9: K*P&l3)*:;8   %)6 "$*$4$4T:LA "A $&'w $z Jr=__main__r)NN)NNN)\__doc__rr6r|os.pathrarmrsrjr spnego._asn1rrrspnego._contextrspnego._kerberosrrr r spnego._ntlm_raw.cryptor r r rspnego._ntlm_raw.messagesrrrrrrrrspnego._spnegorrrr spnego._textrspnego._tls_structrrrrr r!r"r#r$r%r&r'r(r)rr ImportErrorrvruamelr*OptionalDictrOUnionintr<ListAnyr[rzrrrrrrrr(r7boolrr Namespacer^rrrt__name__argvr=r;rsq    $ ED   YX!" O  H  __W %  __V[[fll38& &,& __V[[S&**_!=>?&R fkk#vzz/.J2 fkk#vzz/.J6|<|6??3;O|TZT_T_`cekeoeo`oTp|B$(%)  OOC ooc" [[fjj! @$(%)  OOC ooc" [[fjj! (2 2 [[fjj!2j" " [[fjj!"J6 6 [[fjj!6r   (  [[fjj! F} }} [[S&**_-.}@$0v{{3$0D$0N7V[[%7(*<*<7x$(%)8< J J OOC Jooc"J //&,,sG|4 5 J  [[fjj! JZG G [[S&**_-.GT z!"q    s$O O OOO#"O#