Adding http_ntlmrelay module #589

Merged
merged 7 commits into from Aug 21, 2012

@webstersprodigy
Contributor

webstersprodigy commented Jul 10, 2012

This is a general-purpose NTLM relaying module. It acts as an HTTP server, and relays the credentials forwarded by the browser to other protocols (currently SMB and HTTP). It supports multiple HTTP/SMB operations, it supports NTLMv2, and it also supports attack chaining, so the result of one attack can be used in future attacks.

I have a few test configurations available here: http://sdrv.ms/MemcNN. Here are the contents from the README:

Test Setup

In every case, there are at least two external machines involved, domain_client and domain_victim. Both are assumed to be domain joined, and have users with permission.

The attack scenario is this:

After running the module with configured options, domain_client will visit the URI and negotiate windows creds. These credentials will relay to domain_victim, performing the configured action.

These scenarios have been tested on actual sites. However, the name details have sometimes been modified, both to avoid disclosure and to make the testing scenarios easier to understand. In terms of config, I've tested this on default win server 2008r2 and win server 2003 active directories with NTLM enabled IE8/9, Firefox, and Chrome connecting to the HTTP server.

In each demo directory, there are resource.rc files that contain info regarding a scenario. In order of usability complexity, these are:

  1. fileopts (relays to an smb server to list contents, write a file, read a file, remove a file, psexec)
  2. corpcard (relays to an internal website and extracts information)
  3. email_parking (relays to a different internal website and extracts information)
  4. csrf_wiki (obtains a CSRF token and cookie, and uses these in a second request to perform an operation on mediawiki)
  5. super_pwn (obtains computernames from an internal website, scans these for 445, and then relays to these for a meterpreter shell)
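
As an added example (not part of this PR or the module), here is a Ruby parser for the browser side of the exchange the module relays: it reads an HTTP "Authorization: NTLM ..." value, reports the account a Type 3 message carries, and tells whether the response is NTLMv2 and whether signing was negotiated, which is what a defender logging or alerting on NTLM over HTTP wants to know. The layout follows MS-NLMP; the Type 3 message it parses is constructed inline, not captured traffic.

```ruby
require 'base64'
# NTLMSSP constants from MS-NLMP; only the flags this check looks at.
NTLM_SIGNATURE = "NTLMSSP\x00".b
NTLMSSP_NEGOTIATE_UNICODE     = 0x00000001
NTLMSSP_NEGOTIATE_SIGN        = 0x00000010
NTLMSSP_NEGOTIATE_ALWAYS_SIGN = 0x00008000

# A (Len, MaxLen, BufferOffset) descriptor at +pos+ points into the payload.
def ntlm_field(msg, pos)
  len, _max, off = msg[pos, 8].unpack('vvV')
  msg[off, len] || ''.b
end

# Parses an "Authorization: NTLM <base64>" value: nil when the scheme is not NTLM,
# only the message type for Type 1/2, identity plus NTLMv2/signing info for Type 3.
def parse_ntlm_authorization(value)
  scheme, b64 = value.to_s.split(' ', 2)
  return nil unless b64 && scheme.casecmp('NTLM').zero?
  msg = Base64.decode64(b64).b
  return nil unless msg.bytesize >= 12 && msg.start_with?(NTLM_SIGNATURE)
  type = msg[8, 4].unpack('V')[0]
  return { type: type } unless type == 3
  return nil if msg.bytesize < 64
  flags = msg[60, 4].unpack('V')[0]
  enc = (flags & NTLMSSP_NEGOTIATE_UNICODE) != 0 ? 'UTF-16LE' : 'US-ASCII'
  str = ->(pos) { ntlm_field(msg, pos).force_encoding(enc).encode('UTF-8', invalid: :replace, undef: :replace) }
  { type: 3, domain: str.call(28), user: str.call(36), workstation: str.call(44),
    ntlmv2: ntlm_field(msg, 20).bytesize > 24, # an NTLMv1 NtChallengeResponse is exactly 24 bytes
    signing: (flags & (NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_ALWAYS_SIGN)) != 0 }
end

# Builds a minimal Type 3 message (no Version or MIC) so the parser can be run
# offline; constructed sample data, not a captured logon.
def build_type3(domain, user, workstation, nt_response, flags)
  blobs = ["\x00".b * 24, nt_response.b]                       # LM and NT responses
  blobs += [domain, user, workstation].map { |s| s.encode('UTF-16LE').b }
  blobs << ''.b                                                 # no session key
  fields = ''.b
  payload = ''.b
  blobs.each do |blob|   # descriptors fill bytes 12..59, payload begins at 64
    fields << [blob.bytesize, blob.bytesize, 64 + payload.bytesize].pack('vvV')
    payload << blob
  end
  NTLM_SIGNATURE + [3].pack('V') + fields + [flags | NTLMSSP_NEGOTIATE_UNICODE].pack('V') + payload
end

# Constructed header value as a browser would send it in the exchange the module relays.
def sample_header
  'NTLM ' + Base64.strict_encode64(build_type3('CORP', 'alice', 'WS01', "\x01".b * 48, NTLMSSP_NEGOTIATE_SIGN))
end
```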

webstersprodigy added some commits Jul 10, 2012

Improved smb_put reliability
The .write function was having issues with large files, the
connection would close or sometimes there would be errors.
I changed the function to act more like smb_relay and it works better.
+
+ Complicated custom attacks requiring multiple requests that depend on each
+ other can be written using the SYNC* options. For example, a typical CSRF
+ typical CSRF style attack might look like:
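
Review bot: the last two lines of this hunk repeat "typical CSRF" across the line break, so the sentence reads "a typical CSRF typical CSRF style attack"; drop one occurrence. The opening "Complicated custom attacks requiring multiple requests that depend on each other" would also read more clearly as "Multi-step attacks whose requests depend on each other".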

@jlee-r7

jlee-r7 Jul 20, 2012

Contributor

"typical CSRF" doubled.

+
+ register_options([
+ OptBool.new('RSSL', [true, "SSL on the remote connection ", false]),
+ OptString.new('RTYPE', [true,
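
Review bot: RTYPE declared as an OptString accepts any text, so a mistyped operation name is only discovered when the module runs; an OptEnum carrying the list of supported operations rejects it at set time and lets `show options` list the choices. Minor: the RSSL description string has a trailing space before the closing quote.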

@jlee-r7

jlee-r7 Jul 20, 2012

Contributor

You seem to be using this option in a manner equivalent to the meaning of Actions.

@webstersprodigy

webstersprodigy Jul 21, 2012

Contributor

I might need some direction on this one. I need the module to always have the 'WebServer' action, and then exactly one of the 'RTYPE' actions/options. (e.g. it wouldn't be as straightforward as other modules I've looked at, like tftp_transfer_util or http_put)

@todb-r7

todb-r7 Aug 20, 2012

Contributor

Looks like OptEnum is the way to go on this. There's a decent OptEnum usage example in MSSQL Payload

lib/rex/proto/smb/client.rb
@@ -962,7 +962,7 @@ def session_setup_with_ntlmssp_blob(blob = '', do_recv = true)
ret = self.smb_send(pkt.to_s)
return ret if not do_recv
- self.smb_recv_parse(CONST::SMB_COM_SESSION_SETUP_ANDX, false)
+ self.smb_recv_parse(CONST::SMB_COM_SESSION_SETUP_ANDX, true)
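
Review bot: this flips the second argument of smb_recv_parse inside shared library code, so every existing caller of session_setup_with_ntlmssp_blob changes behaviour, not only the new module; unless all of them have been re-tested, keep the library default and have the module pass do_recv = false and call smb_recv_parse itself with the argument it wants.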

@jlee-r7

jlee-r7 Jul 20, 2012

Contributor

Changing this in the library code is pretty dangerous. Will require some serious testing of other users of this method.

Since this method doesn't do anything else before or after the do_recv check, better would be to pass do_recv=false and call smb_recv_parse yourself.

@webstersprodigy

webstersprodigy Jul 20, 2012

Contributor

Great idea. I knew this was bad, but was debating on the right way to do it.

+ theaders['Content-Length'] = (datastore['FINALPUTDATA'].length + 4).to_s()
+ end
+
+ # HTTP_HEADERFILE is how thie module supports cookies, multipart forms, etc
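
Review bot: Content-Length must be a byte count, but String#length returns characters, so a FINALPUTDATA value containing multibyte characters yields a header that is too short; use bytesize. The `+ 4` is an unexplained magic number and deserves a comment saying which four bytes it accounts for, and `.to_s()` is idiomatically `.to_s`.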

@jlee-r7

jlee-r7 Jul 20, 2012

Contributor

typo: "thie" -> "this"

+
+ # HTTP_HEADERFILE is how thie module supports cookies, multipart forms, etc
+ if datastore['HTTP_HEADERFILE'] != nil
+ print_status("Including extra headers from: #{datastore['SYNCFILE']}")
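
Review bot: the condition tests HTTP_HEADERFILE but the status line interpolates datastore['SYNCFILE'], so the log names the wrong file (or prints nothing when SYNCFILE is unset); use the same key in both places. Also "thie" in the comment should be "this", and `!= nil` is usually written `unless datastore['HTTP_HEADERFILE'].nil?`.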

@jlee-r7

jlee-r7 Jul 20, 2012

Contributor

Should SYNCFILE be HTTP_HEADERFILE here?

+ print_status("Including extra headers from: #{datastore['SYNCFILE']}")
+ #previous request might create the file, so error thrown at runtime
+ if not ::File.readable?(datastore['HTTP_HEADERFILE'])
+ print_error("SYNCFILE unreadable, aborting")
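
Review bot: the error message says SYNCFILE although the check is on HTTP_HEADERFILE, which sends the user off to fix the wrong option; since the comment notes the file may only be produced by an earlier request, the message should name the option and the path that was tried. `if not ::File.readable?(...)` reads more naturally as `unless`.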

@jlee-r7

jlee-r7 Jul 20, 2012

Contributor

SYNCFILE -> HTTP_HEADERFILE

+ end
+ #if verbose, print the response
+ if datastore['VERBOSE']
+ print_status(resp)
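
Review bot: vprint_status already consults datastore['VERBOSE'], so the surrounding `if` and its `end` can go in favour of `vprint_status(resp.to_s)`, which also matches the verbose-output convention used by other modules.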

@jlee-r7

jlee-r7 Jul 20, 2012

Contributor

use vprint_status instead of this

+ arg = get_hash_info(hash)
+ dhash = Rex::Text.decode_base64(hash)
+
+ blob =
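
Review bot: the blob assembled from this point on is built from bare numeric constants; a comment naming the NTLMSSP message field each offset and value corresponds to (or named constants in place of the literals) would let a reviewer verify the layout without re-deriving it from the spec.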

@jlee-r7

jlee-r7 Jul 20, 2012

Contributor

A comment documenting these constants would be nice.

+ ser_sock.client.open("\\" << path, 0x1)
+ resp = ser_sock.client.read()
+ print_status("Reading #{resp['Payload'].v['ByteCount']} bytes from #{datastore['RHOST']}")
+ if datastore["VERBOSE"]
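
Review bot: `0x1` as the second argument to client.open is a magic value for the open mode; name it or comment it. There is also no check that `resp` and `resp['Payload']` are non-nil before `['ByteCount']` is read, so a failed open or read surfaces as a NoMethodError instead of a print_error naming the path and host. `if datastore["VERBOSE"]` should become vprint_status, and `"\\" << path` is clearer as `"\\#{path}"`.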

@jlee-r7

jlee-r7 Jul 20, 2012

Contributor

vprint_status

+
+ type = datastore['RESPPAGE'].split('.')[-1].downcase
+ #images can be especially useful (e.g. in email signatures)
+ if type == 'png' or type == 'gif' or type == 'jpg' or type == 'jpeg'
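
Review bot: `File.extname(datastore['RESPPAGE'])` gives the extension directly (with its leading dot), and a RESPPAGE name with no dot currently yields the whole filename as `type`; combined with a `case type when '.png', '.gif', '.jpg', '.jpeg'` this replaces the chained `or`s.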

@jlee-r7

jlee-r7 Jul 20, 2012

Contributor

I think this construct is a little less awkward like so:

case type
when 'png', 'gif', 'jpg', 'jpeg'
    ...
end
+ 'uri' => datastore['RURIPATH'],
+ 'method' => method,
+ 'version' => '1.1',
+ 'headers' => theaders,
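
Review bot: if theaders is populated from HTTP_HEADERFILE above, a Content-Length line in that file would replace the value computed for FINALPUTDATA earlier; either drop such keys before merging or document that the file must not contain them. Passing the file contents through 'raw_headers' instead, as jlee-r7 suggests, would sidestep the parsing entirely.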

@jlee-r7

jlee-r7 Jul 20, 2012

Contributor

There is also a 'raw_headers' option which would save you the effort of parsing above

@ghost ghost assigned jlee-r7 Aug 20, 2012

@todb-r7

todb-r7 Aug 20, 2012

Contributor

Added a suggestion to use OptEnum instead of OptString -- other than that, looks okay to me; @jlee-r7 can you test and merge?

@webstersprodigy

webstersprodigy Aug 21, 2012

Contributor

@todb-r7 Thanks for the suggestion, OptEnum is a better fit. Updated in the latest commit.

@todb-r7

todb-r7 Aug 21, 2012

Contributor

The change to the SMB library looks like it impacts only one other module, and that one depends on the defaults anyway.

Thanks for the quick update, @webstersprodigy , testing now.

@todb-r7 todb-r7 merged commit 65b29d1 into rapid7:master Aug 21, 2012

@todb-r7

todb-r7 Aug 21, 2012

Contributor

FWIW, @webstersprodigy here's my commit of your module.

http://git.io/gwc0kg

Just eyeballing, there are many places to make the code more robust to exception raises, if you're inclined, but I didn't see any show stoppers in there.
