
Adding http_ntlmrelay module #589

Merged
merged 7 commits into from Aug 21, 2012

3 participants
@webstersprodigy
Contributor

webstersprodigy commented Jul 10, 2012

This is a generic purpose NTLM relaying module. It acts as an HTTP server, and relays the credentials forwarded by the browser to other protocols (currently SMB and HTTP). It supports multiple HTTP/SMB operations, it supports NTLMv2, and it also supports attack chaining, so the result of one attack can be used in future attacks.

I have a few test configurations available here: http://sdrv.ms/MemcNN. Here are the contents from the README:

Test Setup

In every case, there are at least two external machines involved, domain_client and domain_victim. Both are assumed to be domain joined, and have users with permission.

The attack scenario is this:

After running the module with configured options, domain_client will visit the URI and negotiate Windows creds. These credentials will relay to domain_victim, performing the configured action.

These scenarios have been tested on actual sites. However, the name details have sometimes been modified, both to avoid disclosure and to make the testing scenarios easier to understand. In terms of config, I've tested this on default Win Server 2008 R2 and Win Server 2003 Active Directories with NTLM enabled, with IE8/9, Firefox, and Chrome connecting to the HTTP server.

In each demo directory, there are resource.rc files that contain info regarding a scenario. In order of usability complexity, these are:

  1. fileopts (relays to an smb server to list contents, write a file, read a file, remove a file, psexec)
  2. corpcard (relays to an internal website and extracts information)
  3. email_parking (relays to a different internal website and extracts information)
  4. csrf_wiki (obtains a CSRF token and cookie, and uses these in a second request to perform an operation on mediawiki)
  5. super_pwn (obtains computernames from an internal website, scans these for 445, and then relays to these for a meterpreter shell)
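To make concrete what the module's HTTP server receives from the browser, and what a defender can log about it, here is an added example that is not part of this pull request or of Metasploit's own code. It decodes the value of an `Authorization: NTLM <base64>` header according to the MS-NLMP layout, reporting the message type, the negotiate flags that determine whether the session can be signed (the property that decides whether a relayed session is accepted by a signing-enforcing target), and the domain, user and workstation from an AUTHENTICATE message; the `build_sample_authenticate` helper and the sample values (`CORP`, `alice`, `WS01`) are constructed for offline testing, not captured traffic.

```ruby
require 'base64'

# NTLMSSP NegotiateFlags (MS-NLMP 2.2.2.5) that matter when assessing relay exposure
NTLM_FLAGS = {
  0x00000010 => 'NEGOTIATE_SIGN',
  0x00000020 => 'NEGOTIATE_SEAL',
  0x00008000 => 'NEGOTIATE_ALWAYS_SIGN',
  0x00080000 => 'NEGOTIATE_EXTENDED_SESSIONSECURITY',
  0x40000000 => 'NEGOTIATE_KEY_EXCH'
}.freeze

# Read a (Len, MaxLen, Offset) descriptor at +pos+ and return the bytes it points to.
def ntlm_field(msg, pos)
  len, _max, off = msg[pos, 8].unpack('vvV')
  msg[off, len] || ''.b
end

# Decode an "Authorization: NTLM <base64>" header value as the web server sees it; returns the
# message type, flag names set, whether signing was asked for, and (type 3) domain/user/workstation.
def parse_ntlm_header(header)
  msg = Base64.strict_decode64(header.sub(/\A\s*NTLM\s+/i, ''))
  raise ArgumentError, 'not an NTLMSSP message' unless msg[0, 8] == "NTLMSSP\0"
  type = msg[8, 4].unpack1('V')
  flag_off = { 1 => 12, 2 => 20, 3 => 60 }.fetch(type) { raise ArgumentError, "unknown type #{type}" }
  flags = msg[flag_off, 4].unpack1('V')
  info = { type: type,
           flags: NTLM_FLAGS.select { |bit, _| (flags & bit) != 0 }.values,
           signing_requested: (flags & 0x8010) != 0 } # SIGN or ALWAYS_SIGN
  if type == 3
    enc = (flags & 0x1) != 0 ? Encoding::UTF_16LE : Encoding::ASCII_8BIT # UNICODE vs OEM strings
    %i[domain user workstation].each_with_index do |key, i|
      raw = ntlm_field(msg, 28 + 8 * i) # DomainName, UserName, Workstation descriptors
      info[key] = raw.force_encoding(enc).encode('UTF-8', invalid: :replace, undef: :replace)
    end
  end
  info
end

# Constructed AUTHENTICATE message for offline testing (not a real capture; responses are zeroed).
def build_sample_authenticate(domain, user, workstation, flags)
  strs = [domain, user, workstation].map { |s| s.encode('UTF-16LE').b }
  values = [''.b, ("\x00" * 24).b, *strs, ''.b] # LM resp, NT resp, domain, user, workstation, session key
  payload = ''.b
  descs = values.map do |v|
    d = [v.bytesize, v.bytesize, 64 + payload.bytesize].pack('vvV')
    payload << v
    d
  end
  "NTLMSSP\0".b + [3].pack('V') + descs.join + [flags].pack('V') + payload
end
```

Logging the decoded user and workstation against the requesting client address is a cheap way to spot a browser that silently handed NTLM credentials to a host that should never have asked for them.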

webstersprodigy added some commits Jul 10, 2012

Improved smb_put reliability
The .write function was having issues with large files, the
connection would close or sometimes there would be errors.
I changed the function to act more like smb_relay and it works better.

@ghost ghost assigned jlee-r7 Aug 20, 2012

Contributor

todb-r7 commented Aug 20, 2012

Added a suggestion to use OptEnum instead of OptString -- other than that, looks okay to me; @jlee-r7 can you test and merge?

Contributor

webstersprodigy commented Aug 21, 2012

@todb-r7 Thanks for the suggestion, OptEnum is a better fit. Updated in the latest commit.

Contributor

todb-r7 commented Aug 21, 2012

The change to the SMB library looks like it impacts only one other module, and that one depends on the defaults anyway.

Thanks for the quick update, @webstersprodigy , testing now.

@todb-r7 todb-r7 merged commit 65b29d1 into rapid7:master Aug 21, 2012

Contributor

todb-r7 commented Aug 21, 2012

FWIW, @webstersprodigy here's my commit of your module.

http://git.io/gwc0kg

Just eyeballing, there are many places to make the code more robust to exception raises, if you're inclined, but I didn't see any show stoppers in there.
