Join GitHub today
GitHub is home to over 40 million developers working together to host and review code, manage projects, and build software together.Sign up
Squirtle the Browser-based NTLM Attack Toolkit
Fetching latest commit…
Cannot retrieve the latest commit at this time.
|Type||Name||Latest commit message||Commit time|
|Failed to load latest commit information.|
SQUIRTLE - The NTLM Single Sign-On Controller version 1.1 - ToorCon release (September, 2008) The purpose of this little doodad is to help you prove to your employer, your client, your best friend, your dog, or God that NTLM is truly dead. It does this by taking control of any browser that comes into contact with it and making it perform NTLM authentication at will. By using a set of API calls you can embed Squirtle into existing penetration toolkits, proxies or other fun tools at your disposal. Requirements ------------ o Ruby language interpreter (1.8.6 tested) o ActiveRecord RubyGem (sudo gem install activerecord) o Ruby GEMs for SQL server of choice (sqlite3, mysql, postgres) o JSON RubyGem (sudo gem install json) - http://json.rubyforge.org/ o INSIDE a corporate network Why Inside? ----------- NTLM Authentication from web browsers occurs when a user connects to a URL that the browser believes is within a trusted internet zone (for Internet Explorer). Mozilla FireFox can be configured to deliver NTLM authentication based upon hostnames or masks. While there have been methods of forcing the browser to believe it's connected to a lower-security zone using Flash objects or Java applets they typically revolve around deficiencies within the languages and are eventually patched. Using Squirtle -------------- Running Squirtle is easy: Step 1: Modify squirtle.yaml to fit your configuration Step 2: "ruby squirtle.rb" Step 3: Point browsers towards http://yourserver:8080/ What to do after that depends upon you. Option 1: Crack the LM or NTLM hashes with static nonce Option 2: Use Rainbowtables on the LM hashes with static nonce Option 3: Combine Squirtle with your own proxy code using the Squirtle API Option 4: Make cookies! Redirecting Console Output -------------------------- Webrick spits a lot of crap out in STDERR. Until we complete the console commands you can redirect STDERR to a log file or /dev/null. $ ./squirtle 2>/dev/null This will help for devices that have slow screens (mobile devices mostly) Success Stories --------------- Well this is a proof of concept/borderline munition tool so I don't think many stories will come out of it being used "successfully". However I can say that the tool works in my lab and in limited enterprise testing on the following: Squirtle Boxes: Apple Macintosh OS X 10.5.4 - ruby 1.8.6 (2007-03-13 patchlevel 0) [i686-darwin8.10.1] Gentoo Linux - ruby 1.8.6 (2008-03-03 patchlevel 114) [i686-linux] Victims: Windows XP SP2, IE 6.0.2900.2180.xpsp2_rtm.040803-2158 Windows XP SP2, IE 6.0.2900.2180.xp_sp2_qfe.070227-2300CO Evil Agents: NTLMAPS modified for Squirtle - http://code.google.com/p/squirtle/source/browse/ntlmaps-squirtle WARNING! ACHTUNG! ----------------- Like most security tools, this can be used for good or evil. If you try to use it within your enterprise without approval from your management, you may have created a "resume generating" event for yourself. Get the approval you need before treading further. Support and Enhancements ------------------------ This is free software and will be supported and enhanced as I have time. Any patches submitted will be graciously reviewed and applied if applicable. Kurt Grutzmacher grutz [at] jingojango dot net