
Conversation

@gpotter2
Member

@gpotter2 gpotter2 commented Nov 26, 2025

This is a pretty big PR that changes many aspects related to the cryptography of Windows protocols. This removes the Chain helper class, which was pretty much useless, and replaces it with better alternatives. This PR:

  • add CMS signing / check
  • add CSR support
  • big internal refactoring of SPNEGOSSP to make the code easier to read, in addition to enforcing MIC rules (safer). The initial code tried to use a common function for both client and server which was unreadable.
  • bugfix: compounded encrypted SMB packets would crash the state machine.
  • refactor (a lot) scapy/layers/tls/cert.py and add documentation
    • Chain wasn't as useful as it could be. We now have a CertTree class that serves as a certificate store (think like Windows), and properly links certificates against their issuer, to a list of root CAs
    • getchain() allows finding a chain of certificates towards one
    • verify() says if a certificate can be verified against the store
  • support PKINIT in Kerberos
  • Load KRB5CCNAME in SPNEGO.from_cli_arguments
  • much better support of X509_AlgorithmIdentifier
  • fix Kerberos handling in DCE/RPC passive sniffing
  • improve Kerberos handling of the "DELEGATION"-related structures
  • KerberosSSP now supports simply having a TGT, and can also be created from Ticketer using ssp()
  • Improve DCE/RPC context handling (keeps the context IDs when re-binding to the same interface, etc.)
  • Add support for Kerberos secure channels in MS-NRPC
  • Add the ability to choose between WindowsNT, Windows2000 and Windows2003+ variants of NTLM when building packets
  • add an ability to NOT send channel bindings in HTTP
  • add doc regarding some existing Kerberos features (e.g. FAST)
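
The certificate-store behaviour described in the PR summary above (a store that links each certificate to its issuer, a getchain() that walks towards a trusted root, and a verify() that answers yes or no), modelled as an added example. This is not Scapy's CertTree and does not use its API; signatures are stand-ins computed with HMAC-SHA256 keyed by the issuer's "key" so the code runs offline, and every certificate name and key below is constructed. It shows the checks a practitioner wants from such a store: each hop is signature-verified, only explicitly declared roots are trust anchors (a self-signed certificate merely present in the store does not count), and a visited set plus depth bound make cross-signed loops terminate.

```python
"""Model of a certificate store: issuer linking, chain building, verification.
Added example, not Scapy's CertTree.  Signatures are HMAC-SHA256 stand-ins so
it runs offline; all names and keys are constructed."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key: bytes        # stand-in for the subject's public key
    signature: bytes  # issuer's signature over tbs()

    def tbs(self) -> bytes:
        # "to be signed" part: everything except the signature itself
        return f"{self.subject}|{self.issuer}|".encode() + self.key


def make_cert(subject: str, issuer: str, key: bytes, issuer_key: bytes) -> Cert:
    """Build a certificate 'signed' with issuer_key (HMAC stand-in for RSA/ECDSA)."""
    body = f"{subject}|{issuer}|".encode() + key
    return Cert(subject, issuer, key, hmac.new(issuer_key, body, hashlib.sha256).digest())


def signed_by(cert: Cert, issuer: Cert) -> bool:
    """True only if cert names issuer as its issuer AND the signature verifies."""
    if cert.issuer != issuer.subject:
        return False
    expected = hmac.new(issuer.key, cert.tbs(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, cert.signature)


class CertStore:
    """Certificates indexed by subject name.  Only certificates passed as
    roots are trust anchors; a self-signed cert that merely sits in the store
    is not trusted."""

    def __init__(self, roots: Iterable[Cert], intermediates: Iterable[Cert] = ()):
        self.roots: Dict[str, Cert] = {}
        self.by_subject: Dict[str, List[Cert]] = {}
        for c in roots:
            self.roots[c.subject] = c
            self.by_subject.setdefault(c.subject, []).append(c)
        for c in intermediates:
            self.by_subject.setdefault(c.subject, []).append(c)

    def getchain(self, leaf: Cert, max_depth: int = 8) -> Optional[List[Cert]]:
        """Return [leaf, ..., root], or None if no signature-checked path to a
        trusted root exists.  Visited set + depth bound stop cross-signed loops."""
        chain, seen, cur = [leaf], {leaf}, leaf
        for _ in range(max_depth):
            root = self.roots.get(cur.issuer)
            if root is not None and signed_by(cur, root):
                if cur != root:          # a trusted root verifies itself
                    chain.append(root)
                return chain
            nxt = next((c for c in self.by_subject.get(cur.issuer, [])
                        if c not in seen and signed_by(cur, c)), None)
            if nxt is None:
                return None
            chain.append(nxt)
            seen.add(nxt)
            cur = nxt
        return None

    def verify(self, leaf: Cert) -> bool:
        return self.getchain(leaf) is not None


# Constructed sample PKI: root -> issuing CA -> host certificate.
ROOT_KEY, INT_KEY, LEAF_KEY = b"root-key", b"issuing-key", b"host-key"
ROOT = make_cert("Root CA", "Root CA", ROOT_KEY, ROOT_KEY)
INTER = make_cert("Issuing CA", "Root CA", INT_KEY, ROOT_KEY)
LEAF = make_cert("host.corp.local", "Issuing CA", LEAF_KEY, INT_KEY)
STORE = CertStore(roots=[ROOT], intermediates=[INTER])


def demo() -> dict:
    """Happy path plus the three failure modes a store must handle."""
    forged = make_cert("host.corp.local", "Issuing CA", LEAF_KEY, b"attacker-key")
    a = make_cert("A", "B", b"ka", b"kb")   # cross-signed pair, no anchor
    b = make_cert("B", "A", b"kb", b"ka")
    return {
        "chain": [c.subject for c in STORE.getchain(LEAF)],
        "root_self": STORE.getchain(ROOT) == [ROOT],
        "forged": STORE.verify(forged),            # right names, wrong key
        "untrusted_root": CertStore(roots=[], intermediates=[INTER, ROOT]).verify(LEAF),
        "loop": CertStore(roots=[], intermediates=[a, b]).getchain(a),
    }


if __name__ == "__main__":
    print(demo())
```

The "untrusted_root" case is the one most often got wrong in hand-rolled stores: the root certificate is reachable and its signature over the intermediate is valid, but it was never declared a trust anchor, so the chain must not verify.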

@codecov

codecov bot commented Nov 26, 2025

Codecov Report

❌ Patch coverage is 72.07425% with 346 lines in your changes missing coverage. Please review.
✅ Project coverage is 80.85%. Comparing base (e73137e) to head (08c3315).
⚠️ Report is 1 commit behind head on master.

Files with missing lines Patch % Lines
scapy/layers/kerberos.py 28.57% 130 Missing ⚠️
scapy/layers/tls/cert.py 76.83% 79 Missing ⚠️
scapy/layers/msrpce/msnrpc.py 19.60% 41 Missing ⚠️
scapy/layers/ntlm.py 67.92% 34 Missing ⚠️
scapy/layers/spnego.py 87.44% 28 Missing ⚠️
scapy/layers/msrpce/rpcclient.py 50.00% 24 Missing ⚠️
scapy/layers/gssapi.py 87.50% 2 Missing ⚠️
scapy/layers/x509.py 98.50% 2 Missing ⚠️
scapy/libs/rfc3961.py 81.81% 2 Missing ⚠️
scapy/asn1fields.py 88.88% 1 Missing ⚠️
... and 3 more
Additional details and impacted files
@@            Coverage Diff             @@
##           master    #4879      +/-   ##
==========================================
- Coverage   80.86%   80.85%   -0.02%     
==========================================
  Files         368      369       +1     
  Lines       90271    90941     +670     
==========================================
+ Hits        72996    73528     +532     
- Misses      17275    17413     +138     
Files with missing lines Coverage Δ
scapy/asn1/mib.py 91.87% <100.00%> (+0.26%) ⬆️
scapy/layers/dcerpc.py 90.10% <100.00%> (+0.04%) ⬆️
scapy/layers/http.py 83.68% <100.00%> (+0.02%) ⬆️
scapy/layers/ldap.py 67.11% <ø> (+0.12%) ⬆️
scapy/layers/msrpce/rpcserver.py 89.14% <ø> (ø)
scapy/layers/smb.py 76.70% <ø> (-0.36%) ⬇️
scapy/layers/smbclient.py 73.05% <100.00%> (ø)
scapy/layers/smbserver.py 72.78% <ø> (ø)
scapy/layers/tls/handshake_sslv2.py 91.98% <100.00%> (ø)
scapy/modules/ticketer.py 41.64% <100.00%> (+0.49%) ⬆️
... and 13 more

... and 8 files with indirect coverage changes


@gpotter2 gpotter2 force-pushed the begin-pkinit branch 2 times, most recently from e7169e7 to c583fe1 Compare November 26, 2025 19:05
@gpotter2 gpotter2 changed the title Windows: add Kerberos PKINIT, Netlogon's Kerberos secure channel, better NTLM variants Crypto rework: CertTree, Kerberos PKINIT, Netlogon's Kerberos secure channel, better NTLM variants Dec 12, 2025
@gpotter2 gpotter2 changed the title Crypto rework: CertTree, Kerberos PKINIT, Netlogon's Kerberos secure channel, better NTLM variants Windows/Crypto rework: CertTree, Kerberos PKINIT, Netlogon's Kerberos secure channel, better NTLM variants Dec 12, 2025
Contributor

Copilot AI left a comment


Pull request overview

This PR significantly refactors Scapy's Windows cryptography infrastructure with major improvements to certificate handling, Kerberos PKINIT support, and DCE/RPC functionality.

Key Changes:

  • Replaces the Chain helper class with a more sophisticated CertTree class that properly organizes certificates in a tree structure with ROOT CA verification
  • Implements PKINIT (Public Key Cryptography for Initial Authentication in Kerberos) with Diffie-Hellman key exchange
  • Adds support for loading Kerberos credentials from KRB5CCNAME environment variable and ccache files
  • Introduces NTLM variant support (WindowsNT, Windows2000, Windows2003+) for backward compatibility
  • Implements CMS (Cryptographic Message Syntax) signing and verification
  • Adds Kerberos secure channel support in MS-NRPC (Netlogon)
  • Improves DCE/RPC context management and binding

Reviewed changes

Copilot reviewed 23 out of 23 changed files in this pull request and generated 6 comments.

File Description
scapy/layers/tls/cert.py Major refactor: adds CertTree, CertList, CMS_Engine classes; improves certificate verification
scapy/layers/x509.py Enhanced X509_AlgorithmIdentifier with proper RFC compliance and MultipleTypeField handling
scapy/layers/kerberos.py PKINIT implementation, octetstring2key, enhanced KerberosSSP with TGT support
scapy/layers/ntlm.py NTLM_VARIANT system for supporting different Windows versions
scapy/layers/spnego.py KRB5CCNAME support, ccache loading, improved from_cli_arguments
scapy/modules/ticketer.py Enhanced ssp() method to distinguish TGT/ST, added iter_tickets()
scapy/layers/msrpce/rpcclient.py Better context management, endpoint resolution, impersonation level support
scapy/layers/msrpce/msnrpc.py Kerberos secure channel in Netlogon
scapy/libs/rfc3961.py RFC4556 octetstring2key implementation
test files Comprehensive test coverage for new features
Comments suppressed due to low confidence (2)

scapy/layers/smbclient.py:695

            use_ioctl=kwargs.pop("use_ioctl", True),

scapy/layers/smbclient.py:696

            timeout=kwargs.pop("timeout", 3),

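The review above lists PKINIT with Diffie-Hellman key exchange and an RFC 4556 octetstring2key implementation in scapy/libs/rfc3961.py. As an added example (not part of the review and not the PR's own code), this is the reply-key derivation from RFC 4556 section 3.2.3.1 written out in plain Python: the DH shared secret ZZ is encoded with leading zeros preserved so it occupies as many octets as the modulus, the client and server DH nonces (both optional) are appended, and the result is run through K-truncate(SHA1(0x00|x) | SHA1(0x01|x) | ...). random-to-key is the identity for the AES enctypes (RFC 3962), so the truncated string is the key. The DH group, private exponents and nonces are constructed for the example; the 127-bit prime is a toy, not a standard MODP group.

```python
"""PKINIT reply-key derivation (RFC 4556 section 3.2.3.1, octetstring2key).
Added example in plain Python, not Scapy's scapy/libs/rfc3961.py.
The DH group below is a constructed toy group, never use it for real."""
import hashlib


def dh_shared_secret_bytes(peer_public: int, private: int, p: int) -> bytes:
    """ZZ = peer_public^private mod p, big-endian with leading zeros preserved
    so that it occupies as many octets as p (RFC 4556 referencing RFC 2631)."""
    zz = pow(peer_public, private, p)
    return zz.to_bytes((p.bit_length() + 7) // 8, "big")


def octetstring2key(x: bytes, seed_len: int) -> bytes:
    """K-truncate(SHA1(0x00|x) | SHA1(0x01|x) | SHA1(0x02|x) | ...).
    seed_len is the enctype's key-generation seed length in octets: 32 for
    aes256-cts-hmac-sha1-96, 16 for aes128-cts-hmac-sha1-96.  For AES,
    random-to-key is the identity (RFC 3962), so this is the key itself."""
    out = b""
    counter = 0
    while len(out) < seed_len:
        out += hashlib.sha1(bytes([counter]) + x).digest()
        counter += 1
    return out[:seed_len]


def pkinit_reply_key(zz: bytes, client_nonce: bytes = b"",
                     server_nonce: bytes = b"", seed_len: int = 32) -> bytes:
    """x = DHSharedSecret | clientDHNonce | serverDHNonce; a nonce is simply
    absent from x when that side did not send one."""
    return octetstring2key(zz + client_nonce + server_nonce, seed_len)


def demo() -> dict:
    """Client and KDC each derive the AES-256 reply key from their own private
    exponent and the peer's public value; both must end up with the same key."""
    P = (1 << 127) - 1                      # toy prime (constructed, not a MODP group)
    G = 3
    a = 123456789012345678901234567890       # client private exponent (constructed)
    b = 987654321098765432109876543210       # KDC private exponent (constructed)
    pub_client, pub_kdc = pow(G, a, P), pow(G, b, P)
    client_nonce = bytes(range(32))          # constructed clientDHNonce
    server_nonce = bytes(range(32, 64))      # constructed serverDHNonce
    zz_client = dh_shared_secret_bytes(pub_kdc, a, P)
    zz_kdc = dh_shared_secret_bytes(pub_client, b, P)
    return {
        "zz_len": len(zz_client),            # 16 octets for a 127-bit modulus
        "same_zz": zz_client == zz_kdc,
        "client_key": pkinit_reply_key(zz_client, client_nonce, server_nonce),
        "kdc_key": pkinit_reply_key(zz_kdc, client_nonce, server_nonce),
        "no_nonce_key": pkinit_reply_key(zz_client),  # nonces change the key
    }


if __name__ == "__main__":
    r = demo()
    print(r["client_key"].hex(), r["client_key"] == r["kdc_key"])
```

The fixed-width encoding of ZZ matters in practice: an implementation that strips leading zero octets derives a different key from the peer roughly one time in 256, which shows up as intermittent PKINIT failures that are hard to reproduce.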

@gpotter2 gpotter2 force-pushed the begin-pkinit branch 3 times, most recently from 08b201f to 7a63383 Compare December 15, 2025 18:45
@gpotter2 gpotter2 force-pushed the begin-pkinit branch 3 times, most recently from 3f7e501 to b4d10e0 Compare December 22, 2025 01:37
Removed spnego.uts from the cryptography test configurations.
@gpotter2 gpotter2 merged commit 69fdfbf into secdev:master Dec 22, 2025
24 checks passed
@gpotter2 gpotter2 deleted the begin-pkinit branch December 22, 2025 13:25
@gpotter2 gpotter2 added this to the 2.7.0 milestone Dec 22, 2025