Squirtle the Browser-based NTLM Attack Toolkit
kurt.grutzmacher Update for msf 3.2-trunk.
Latest commit 0603083 Nov 17, 2008

README

SQUIRTLE - The NTLM Single Sign-On Controller
version 1.1 - ToorCon release (September, 2008)

The purpose of this little doodad is to help you prove to your employer, your
client, your best friend, your dog, or God that NTLM is truly dead. It does
this by taking control of any browser that comes into contact with it and
making it perform NTLM authentication at will. By using a set of API calls
you can embed Squirtle into existing penetration toolkits, proxies or other
fun tools at your disposal.

Requirements
------------

  o  Ruby language interpreter (1.8.6 tested)
  o  ActiveRecord RubyGem (sudo gem install activerecord)
  o  Ruby GEMs for SQL server of choice (sqlite3, mysql, postgres)
  o  JSON RubyGem (sudo gem install json) - http://json.rubyforge.org/
  o  INSIDE a corporate network

Why Inside?
-----------

NTLM authentication from web browsers occurs when a user connects to a
URL that the browser believes is within a trusted internet zone (for
Internet Explorer). Mozilla Firefox can be configured to deliver NTLM
authentication based upon hostnames or masks.

While there have been methods of forcing the browser to believe it's
connected to a lower-security zone using Flash objects or Java applets,
they typically revolve around deficiencies within those runtimes and are
eventually patched.

Using Squirtle
--------------

Running Squirtle is easy:

 Step 1: Modify squirtle.yaml to fit your configuration
 Step 2: "ruby squirtle.rb"
 Step 3: Point browsers towards http://yourserver:8080/

What to do after that depends upon you.

 Option 1: Crack the LM or NTLM hashes captured with a static nonce
 Option 2: Use rainbow tables on the LM hashes captured with a static nonce
 Option 3: Combine Squirtle with your own proxy code using the Squirtle API
 Option 4: Make cookies!
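The "static nonce" in Options 1 and 2 is the 8-byte server challenge inside the NTLM Type 2 message; a server that hands out the same challenge every time is what makes the captured Type 3 responses crackable offline, and it is also what a defender can look for. The following is an added example, not part of Squirtle, that decodes the NTLMSSP messages carried in NTLM authentication headers (field offsets per the public NTLMSSP message layout) and flags a challenge that repeats across Type 2 messages; the fixture it builds is constructed, not captured traffic.

```ruby
# Added example (not Squirtle's own code): decode the NTLMSSP message carried in
# an "Authorization: NTLM <base64>" or "WWW-Authenticate: NTLM <base64>" header
# value. Layout per the public NTLMSSP format: 8-byte signature, u32 type, then
# "security buffers" (u16 len, u16 maxlen, u32 offset) that point into the payload.
SIGNATURE = "NTLMSSP\0".b
FLAG_UNICODE = 0x00000001   # strings are UTF-16LE when set, OEM otherwise

def read_buffer(msg, at)
  len, _max, off = msg[at, 8].unpack('vvV')
  msg[off, len] || ''.b
end

def decode_string(raw, flags)
  (flags & FLAG_UNICODE) != 0 ? raw.force_encoding('UTF-16LE').encode('UTF-8') : raw.b
end

def decode_ntlm_header(value)
  msg = value.sub(/\ANTLM\s+/i, '').unpack1('m0')   # strict base64 decode
  raise ArgumentError, 'not an NTLMSSP message' unless msg[0, 8] == SIGNATURE
  type = msg[8, 4].unpack1('V')
  case type
  when 2   # server challenge: target name buffer @12, flags @20, 8-byte nonce @24
    flags = msg[20, 4].unpack1('V')
    { type: 2, challenge: msg[24, 8].unpack1('H*'),
      target: decode_string(read_buffer(msg, 12), flags) }
  when 3   # client response: LM @12, NTLM @20, domain @28, user @36, flags @60
    flags = msg.bytesize >= 64 ? msg[60, 4].unpack1('V') : 0   # old short form: OEM
    { type: 3, domain: decode_string(read_buffer(msg, 28), flags),
      user: decode_string(read_buffer(msg, 36), flags),
      lm_response: read_buffer(msg, 12).unpack1('H*'),
      ntlm_response: read_buffer(msg, 20).unpack1('H*') }
  else
    { type: type }
  end
end

# A legitimate server issues a fresh challenge per authentication; the same
# nonce recurring across Type 2 messages is the "static nonce" described above
# and is worth alerting on in proxy or IDS logs.
def static_challenges(type2_headers)
  seen = Hash.new(0)
  type2_headers.each { |h| seen[decode_ntlm_header(h)[:challenge]] += 1 }
  seen.select { |_, n| n > 1 }.keys
end

# Constructed fixture (not captured traffic): a minimal Type 2 message whose
# target name "LAB" sits right after the 32-byte fixed header.
def build_type2_fixture(challenge)
  target = 'LAB'.encode('UTF-16LE').b
  hdr = SIGNATURE + [2].pack('V') + [target.bytesize, target.bytesize, 32].pack('vvV') +
        [FLAG_UNICODE].pack('V') + challenge.b
  'NTLM ' + [hdr + target].pack('m0')
end
```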

Redirecting Console Output
--------------------------

Webrick spits a lot of crap out in STDERR. Until we complete the console
commands you can redirect STDERR to a log file or /dev/null.

  $ ruby squirtle.rb 2>/dev/null

This will help for devices that have slow screens (mobile devices mostly).

Success Stories
---------------

Well this is a proof of concept/borderline munition tool so I don't think many
stories will come out of it being used "successfully". However I can say that
the tool works in my lab and in limited enterprise testing on the following:

 Squirtle Boxes:
	Apple Macintosh OS X 10.5.4 - ruby 1.8.6 (2007-03-13 patchlevel 0) [i686-darwin8.10.1]
	Gentoo Linux - ruby 1.8.6 (2008-03-03 patchlevel 114) [i686-linux]
	
 Victims:
	Windows XP SP2, IE 6.0.2900.2180.xpsp2_rtm.040803-2158
	Windows XP SP2, IE 6.0.2900.2180.xp_sp2_qfe.070227-2300CO
	
 Evil Agents:
	NTLMAPS modified for Squirtle - http://code.google.com/p/squirtle/source/browse/ntlmaps-squirtle

WARNING! ACHTUNG!
-----------------

Like most security tools, this can be used for good or evil. If you try to use
it within your enterprise without approval from your management, you may have
created a "resume generating" event for yourself. Get the approval you need
before treading further.

Support and Enhancements
------------------------

This is free software and will be supported and enhanced as I have time. Any
patches submitted will be graciously reviewed and applied if applicable.


Kurt Grutzmacher
grutz [at] jingojango dot net