fix: NTLM 和 RPC 接口漏报问题

NTLM 和 RPC 接口漏报问题
X1r0z · Aug 8, 2023 · 464d8a6 · 464d8a6
1 parent 1893e56
commit 464d8a6
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 18 deletions.
diff --git a/README.md b/README.md
@@ -74,7 +74,6 @@ $ ./EBurstGo -url https://192.168.30.11 -domain hack-my.com -user users.txt -pas
 ```
 
 已知 bug:
-- 当协程数量过大时, 部分利用 NTLM 进行身份认证的接口可能出现漏报
 - 在使用 ActiveSync 接口进行爆破时, 如果凭据正确, 服务器会在大约 20s 之后响应, 期间会阻塞当前协程 (不过好像是 ActiveSync 本身的特性)
-- `/rpc` 和 `/oab` 接口存在问题, 待解决
+- `/oab` 接口存在问题, 待解决
 - `/powershell` 接口 (Kerberos 认证) 待支持
diff --git a/lib/ntlmbrute.go b/lib/ntlmbrute.go
@@ -1,6 +1,8 @@
 package lib
 
 import (
+	"crypto/tls"
+	"github.com/Azure/go-ntlmssp"
 	"net/http"
 	"time"
 )
@@ -10,9 +12,24 @@ func NtlmBruteWorker(info *TaskInfo) {
 	for data := range info.task {
 		username, password := data[0], data[1]
 		Log.Debug("[*] 尝试: %v:%v", username, password)
+
+		client := &http.Client{
+			Transport: ntlmssp.Negotiator{
+				RoundTripper: &http.Transport{
+					TLSClientConfig: &tls.Config{
+						InsecureSkipVerify: true,
+						Renegotiation:      tls.RenegotiateOnceAsClient,
+					},
+				},
+			},
+			CheckRedirect: func(req *http.Request, via []*http.Request) error {
+				return http.ErrUseLastResponse
+			},
+		}
 		req, _ := http.NewRequest("GET", info.u, nil)
 		req.SetBasicAuth(info.domain+"\\"+username, password)
-		res, _ := NtlmClient.Do(req)
+		res, _ := client.Do(req)
+
 		if res.StatusCode == 403 {
 			Log.Failed("[*] 403 错误")
 		} else if res.StatusCode != 401 && res.StatusCode != 408 && res.StatusCode != 504 {

diff --git a/lib/util.go b/lib/util.go
@@ -2,7 +2,6 @@ package lib
 
 import (
 	"crypto/tls"
-	"github.com/Azure/go-ntlmssp"
 	"net/http"
 )
 
@@ -30,18 +29,4 @@ var Client = &http.Client{
 	},
 }
 
-var NtlmClient = &http.Client{
-	Transport: ntlmssp.Negotiator{
-		RoundTripper: &http.Transport{
-			TLSClientConfig: &tls.Config{
-				InsecureSkipVerify: true,
-				Renegotiation:      tls.RenegotiateOnceAsClient,
-			},
-		},
-	},
-	CheckRedirect: func(req *http.Request, via []*http.Request) error {
-		return http.ErrUseLastResponse
-	},
-}
-
 var Log *Logging