# -*- coding: binary -*- require 'rex/socket' require 'rex/proto/http' require 'rex/text' require 'digest' require 'rex/proto/ntlm/crypt' require 'rex/proto/ntlm/constants' require 'rex/proto/ntlm/utils' require 'rex/proto/ntlm/exceptions' require 'rex/proto/http/client_request' module Rex module Proto module Http ### # # Acts as a client to an HTTP server, sending requests and receiving responses. # # See the RFC: http://www.w3.org/Protocols/rfc2616/rfc2616.html # ### class Client DefaultUserAgent = ClientRequest::DefaultUserAgent # # Creates a new client instance # def initialize(host, port = 80, context = {}, ssl = nil, ssl_version = nil, proxies = nil, username = '', password = '') self.hostname = host self.port = port.to_i self.context = context self.ssl = ssl self.ssl_version = ssl_version self.proxies = proxies self.username = username self.password = password # Take ClientRequest's defaults, but override with our own self.config = Http::ClientRequest::DefaultConfig.merge({ 'read_max_data' => (1024*1024*1), 'vhost' => self.hostname, }) # XXX: This info should all be controlled by ClientRequest self.config_types = { 'uri_encode_mode' => ['hex-normal', 'hex-all', 'hex-random', 'u-normal', 'u-random', 'u-all'], 'uri_encode_count' => 'integer', 'uri_full_url' => 'bool', 'pad_method_uri_count' => 'integer', 'pad_uri_version_count' => 'integer', 'pad_method_uri_type' => ['space', 'tab', 'apache'], 'pad_uri_version_type' => ['space', 'tab', 'apache'], 'method_random_valid' => 'bool', 'method_random_invalid' => 'bool', 'method_random_case' => 'bool', 'version_random_valid' => 'bool', 'version_random_invalid' => 'bool', 'version_random_case' => 'bool', 'uri_dir_self_reference' => 'bool', 'uri_dir_fake_relative' => 'bool', 'uri_use_backslashes' => 'bool', 'pad_fake_headers' => 'bool', 'pad_fake_headers_count' => 'integer', 'pad_get_params' => 'bool', 'pad_get_params_count' => 'integer', 'pad_post_params' => 'bool', 'pad_post_params_count' => 'integer', 'uri_fake_end' => 'bool', 'uri_fake_params_start' => 'bool', 'header_folding' => 'bool', 'chunked_size' => 'integer' } end # # Set configuration options # def set_config(opts = {}) opts.each_pair do |var,val| # Default type is string typ = self.config_types[var] || 'string' # These are enum types if typ.is_a?(Array) if not typ.include?(val) raise RuntimeError, "The specified value for #{var} is not one of the valid choices" end end # The caller should have converted these to proper ruby types, but # take care of the case where they didn't before setting the # config. if(typ == 'bool') val = (val =~ /^(t|y|1)$/i ? true : false || val === true) end if(typ == 'integer') val = val.to_i end self.config[var]=val end end # # Create an arbitrary HTTP request # # @param opts [Hash] # @option opts 'agent' [String] User-Agent header value # @option opts 'connection' [String] Connection header value # @option opts 'cookie' [String] Cookie header value # @option opts 'data' [String] HTTP data (only useful with some methods, see rfc2616) # @option opts 'encode' [Bool] URI encode the supplied URI, default: false # @option opts 'headers' [Hash] HTTP headers, e.g. { "X-MyHeader" => "value" } # @option opts 'method' [String] HTTP method to use in the request, not limited to standard methods defined by rfc2616, default: GET # @option opts 'proto' [String] protocol, default: HTTP # @option opts 'query' [String] raw query string # @option opts 'raw_headers' [Hash] HTTP headers # @option opts 'uri' [String] the URI to request # @option opts 'version' [String] version of the protocol, default: 1.1 # @option opts 'vhost' [String] Host header value # # @return [ClientRequest] def request_raw(opts={}) opts = self.config.merge(opts) opts['ssl'] = self.ssl opts['cgi'] = false opts['port'] = self.port req = ClientRequest.new(opts) end # # Create a CGI compatible request # # @param (see #request_raw) # @option opts (see #request_raw) # @option opts 'ctype' [String] Content-Type header value, default: +application/x-www-form-urlencoded+ # @option opts 'encode_params' [Bool] URI encode the GET or POST variables (names and values), default: true # @option opts 'vars_get' [Hash] GET variables as a hash to be translated into a query string # @option opts 'vars_post' [Hash] POST variables as a hash to be translated into POST data # # @return [ClientRequest] def request_cgi(opts={}) opts = self.config.merge(opts) opts['ctype'] ||= 'application/x-www-form-urlencoded' opts['ssl'] = self.ssl opts['cgi'] = true opts['port'] = self.port req = ClientRequest.new(opts) req end # # Connects to the remote server if possible. # # @param t [Fixnum] Timeout # @see Rex::Socket::Tcp.create # @return [Rex::Socket::Tcp] def connect(t = -1) # If we already have a connection and we aren't pipelining, close it. if (self.conn) if !pipelining? close else return self.conn end end timeout = (t.nil? or t == -1) ? 0 : t self.conn = Rex::Socket::Tcp.create( 'PeerHost' => self.hostname, 'PeerPort' => self.port.to_i, 'LocalHost' => self.local_host, 'LocalPort' => self.local_port, 'Context' => self.context, 'SSL' => self.ssl, 'SSLVersion' => self.ssl_version, 'Proxies' => self.proxies, 'Timeout' => timeout ) end # # Closes the connection to the remote server. # def close if (self.conn) self.conn.shutdown self.conn.close unless self.conn.closed? end self.conn = nil end # # Sends a request and gets a response back # # If the request is a 401, and we have creds, it will attempt to complete # authentication and return the final response # # @return (see #_send_recv) def send_recv(req, t = -1, persist=false) res = _send_recv(req,t,persist) if res and res.code == 401 and res.headers['WWW-Authenticate'] res = send_auth(res, req.opts, t, persist) end res end # # Transmit an HTTP request and receive the response # # If persist is set, then the request will attempt to reuse an existing # connection. # # Call this directly instead of {#send_recv} if you don't want automatic # authentication handling. # # @return (see #read_response) def _send_recv(req, t = -1, persist=false) @pipeline = persist send_request(req, t) res = read_response(t) res.request = req.to_s if res res end # # Send an HTTP request to the server # # @param req [Request,ClientRequest,#to_s] The request to send # @param t (see #connect) # # @return [void] def send_request(req, t = -1) connect(t) conn.put(req.to_s) end # Resends an HTTP Request with the propper authentcation headers # set. If we do not support the authentication type the server requires # we return the original response object # # @param res [Response] the HTTP Response object # @param opts [Hash] the options used to generate the original HTTP request # @param t [Fixnum] the timeout for the request in seconds # @param persist [Boolean] whether or not to persist the TCP connection (pipelining) # # @return [Response] the last valid HTTP response object we received def send_auth(res, opts, t, persist) if opts['username'].nil? or opts['username'] == '' if self.username and not (self.username == '') opts['username'] = self.username opts['password'] = self.password else opts['username'] = nil opts['password'] = nil end end return res if opts['username'].nil? or opts['username'] == '' supported_auths = res.headers['WWW-Authenticate'] if supported_auths.include? 'Basic' opts['headers'] ||= {} opts['headers']['Authorization'] = basic_auth_header(opts['username'],opts['password'] ) req = request_cgi(opts) res = _send_recv(req,t,persist) return res elsif supported_auths.include? "Digest" temp_response = digest_auth(opts) if temp_response.kind_of? Rex::Proto::Http::Response res = temp_response end return res elsif supported_auths.include? "NTLM" opts['provider'] = 'NTLM' temp_response = negotiate_auth(opts) if temp_response.kind_of? Rex::Proto::Http::Response res = temp_response end return res elsif supported_auths.include? "Negotiate" opts['provider'] = 'Negotiate' temp_response = negotiate_auth(opts) if temp_response.kind_of? Rex::Proto::Http::Response res = temp_response end return res end return res end # Converts username and password into the HTTP Basic authorization # string. # # @return [String] A value suitable for use as an Authorization header def basic_auth_header(username,password) auth_str = username.to_s + ":" + password.to_s auth_str = "Basic " + Rex::Text.encode_base64(auth_str) end # Send a series of requests to complete Digest Authentication # # @param opts [Hash] the options used to build an HTTP request # # @return [Response] the last valid HTTP response we received def digest_auth(opts={}) @nonce_count = 0 to = opts['timeout'] || 20 digest_user = opts['username'] || "" digest_password = opts['password'] || "" method = opts['method'] path = opts['uri'] iis = true if (opts['DigestAuthIIS'] == false or self.config['DigestAuthIIS'] == false) iis = false end begin @nonce_count += 1 resp = opts['response'] if not resp # Get authentication-challenge from server, and read out parameters required r = request_cgi(opts.merge({ 'uri' => path, 'method' => method })) resp = _send_recv(r, to) unless resp.kind_of? Rex::Proto::Http::Response return nil end if resp.code != 401 return resp end return resp unless resp.headers['WWW-Authenticate'] end # Don't anchor this regex to the beginning of string because header # folding makes it appear later when the server presents multiple # WWW-Authentication options (such as is the case with IIS configured # for Digest or NTLM). resp['www-authenticate'] =~ /Digest (.*)/ parameters = {} $1.split(/,[[:space:]]*/).each do |p| k, v = p.split("=", 2) parameters[k] = v.gsub('"', '') end qop = parameters['qop'] if parameters['algorithm'] =~ /(.*?)(-sess)?$/ algorithm = case $1 when 'MD5' then Digest::MD5 when 'SHA1' then Digest::SHA1 when 'SHA2' then Digest::SHA2 when 'SHA256' then Digest::SHA256 when 'SHA384' then Digest::SHA384 when 'SHA512' then Digest::SHA512 when 'RMD160' then Digest::RMD160 else raise Error, "unknown algorithm \"#{$1}\"" end algstr = parameters["algorithm"] sess = $2 else algorithm = Digest::MD5 algstr = "MD5" sess = false end a1 = if sess then [ algorithm.hexdigest("#{digest_user}:#{parameters['realm']}:#{digest_password}"), parameters['nonce'], @cnonce ].join ':' else "#{digest_user}:#{parameters['realm']}:#{digest_password}" end ha1 = algorithm.hexdigest(a1) ha2 = algorithm.hexdigest("#{method}:#{path}") request_digest = [ha1, parameters['nonce']] request_digest.push(('%08x' % @nonce_count), @cnonce, qop) if qop request_digest << ha2 request_digest = request_digest.join ':' # Same order as IE7 auth = [ "Digest username=\"#{digest_user}\"", "realm=\"#{parameters['realm']}\"", "nonce=\"#{parameters['nonce']}\"", "uri=\"#{path}\"", "cnonce=\"#{@cnonce}\"", "nc=#{'%08x' % @nonce_count}", "algorithm=#{algstr}", "response=\"#{algorithm.hexdigest(request_digest)[0, 32]}\"", # The spec says the qop value shouldn't be enclosed in quotes, but # some versions of IIS require it and Apache accepts it. Chrome # and Firefox both send it without quotes but IE does it this way. # Use the non-compliant-but-everybody-does-it to be as compatible # as possible by default. The user can override if they don't like # it. if qop.nil? then elsif iis then "qop=\"#{qop}\"" else "qop=#{qop}" end, if parameters.key? 'opaque' then "opaque=\"#{parameters['opaque']}\"" end ].compact headers ={ 'Authorization' => auth.join(', ') } headers.merge!(opts['headers']) if opts['headers'] # Send main request with authentication r = request_cgi(opts.merge({ 'uri' => path, 'method' => method, 'headers' => headers })) resp = _send_recv(r, to, true) unless resp.kind_of? Rex::Proto::Http::Response return nil end return resp rescue ::Errno::EPIPE, ::Timeout::Error end end # # Builds a series of requests to complete Negotiate Auth. Works essentially # the same way as Digest auth. Same pipelining concerns exist. # # @option opts (see #send_request_cgi) # @option opts provider ["Negotiate","NTLM"] What Negotiate provider to use # # @return [Response] the last valid HTTP response we received def negotiate_auth(opts={}) ntlm_options = { :signing => false, :usentlm2_session => self.config['usentlm2_session'], :use_ntlmv2 => self.config['use_ntlmv2'], :send_lm => self.config['send_lm'], :send_ntlm => self.config['send_ntlm'] } to = opts['timeout'] || 20 opts['username'] ||= '' opts['password'] ||= '' if opts['provider'] and opts['provider'].include? 'Negotiate' provider = "Negotiate " else provider = 'NTLM ' end opts['method']||= 'GET' opts['headers']||= {} ntlmssp_flags = ::Rex::Proto::NTLM::Utils.make_ntlm_flags(ntlm_options) workstation_name = Rex::Text.rand_text_alpha(rand(8)+6) domain_name = self.config['domain'] b64_blob = Rex::Text::encode_base64( ::Rex::Proto::NTLM::Utils::make_ntlmssp_blob_init( domain_name, workstation_name, ntlmssp_flags )) ntlm_message_1 = provider + b64_blob begin # First request to get the challenge opts['headers']['Authorization'] = ntlm_message_1 r = request_cgi(opts) resp = _send_recv(r, to) unless resp.kind_of? Rex::Proto::Http::Response return nil end return resp unless resp.code == 401 && resp.headers['WWW-Authenticate'] # Get the challenge and craft the response ntlm_challenge = resp.headers['WWW-Authenticate'].scan(/#{provider}([A-Z0-9\x2b\x2f=]+)/ni).flatten[0] return resp unless ntlm_challenge ntlm_message_2 = Rex::Text::decode_base64(ntlm_challenge) blob_data = ::Rex::Proto::NTLM::Utils.parse_ntlm_type_2_blob(ntlm_message_2) challenge_key = blob_data[:challenge_key] server_ntlmssp_flags = blob_data[:server_ntlmssp_flags] #else should raise an error default_name = blob_data[:default_name] || '' #netbios name default_domain = blob_data[:default_domain] || '' #netbios domain dns_host_name = blob_data[:dns_host_name] || '' #dns name dns_domain_name = blob_data[:dns_domain_name] || '' #dns domain chall_MsvAvTimestamp = blob_data[:chall_MsvAvTimestamp] || '' #Client time spnopt = {:use_spn => self.config['SendSPN'], :name => self.hostname} resp_lm, resp_ntlm, client_challenge, ntlm_cli_challenge = ::Rex::Proto::NTLM::Utils.create_lm_ntlm_responses( opts['username'], opts['password'], challenge_key, domain_name, default_name, default_domain, dns_host_name, dns_domain_name, chall_MsvAvTimestamp, spnopt, ntlm_options ) ntlm_message_3 = ::Rex::Proto::NTLM::Utils.make_ntlmssp_blob_auth( domain_name, workstation_name, opts['username'], resp_lm, resp_ntlm, '', ntlmssp_flags ) ntlm_message_3 = Rex::Text::encode_base64(ntlm_message_3) # Send the response opts['headers']['Authorization'] = "#{provider}#{ntlm_message_3}" r = request_cgi(opts) resp = _send_recv(r, to, true) unless resp.kind_of? Rex::Proto::Http::Response return nil end return resp rescue ::Errno::EPIPE, ::Timeout::Error return nil end end # # Read a response from the server # # @return [Response] def read_response(t = -1, opts = {}) resp = Response.new resp.max_data = config['read_max_data'] # Wait at most t seconds for the full response to be read in. We only # do this if t was specified as a negative value indicating an infinite # wait cycle. If t were specified as nil it would indicate that no # response parsing is required. return resp if not t Timeout.timeout((t < 0) ? nil : t) do rv = nil while ( rv != Packet::ParseCode::Completed and rv != Packet::ParseCode::Error ) begin buff = conn.get_once(-1, 1) rv = resp.parse( buff || '' ) # Handle unexpected disconnects rescue ::Errno::EPIPE, ::EOFError, ::IOError case resp.state when Packet::ParseState::ProcessingHeader resp = nil when Packet::ParseState::ProcessingBody # truncated request, good enough resp.error = :truncated end break end # This is a dirty hack for broken HTTP servers if rv == Packet::ParseCode::Completed rbody = resp.body rbufq = resp.bufq rblob = rbody.to_s + rbufq.to_s tries = 0 begin # XXX: This doesn't deal with chunked encoding or "Content-type: text/html; charset=..." while tries < 1000 and resp.headers["Content-Type"]== "text/html" and rblob !~ /<\/html>/i buff = conn.get_once(-1, 0.05) break if not buff rblob += buff tries += 1 end rescue ::Errno::EPIPE, ::EOFError, ::IOError end resp.bufq = "" resp.body = rblob end end end return resp if not resp # As a last minute hack, we check to see if we're dealing with a 100 Continue here. # Most of the time this is handled by the parser via check_100() if resp.proto == '1.1' and resp.code == 100 and not opts[:skip_100] # Read the real response from the body if we found one # If so, our real response became the body, so we re-parse it. if resp.body.to_s =~ /^HTTP/ body = resp.body resp = Response.new resp.max_data = config['read_max_data'] rv = resp.parse(body) # We found a 100 Continue but didn't read the real reply yet # Otherwise reread the reply, but don't try this hack again else resp = read_response(t, :skip_100 => true) end end resp end # # Cleans up any outstanding connections and other resources. # def stop close end # # Returns whether or not the conn is valid. # def conn? conn != nil end # # Whether or not connections should be pipelined. # def pipelining? pipeline end # # The client request configuration # attr_accessor :config # # The client request configuration classes # attr_accessor :config_types # # Whether or not pipelining is in use. # attr_accessor :pipeline # # The local host of the client. # attr_accessor :local_host # # The local port of the client. # attr_accessor :local_port # # The underlying connection. # attr_accessor :conn # # The calling context to pass to the socket # attr_accessor :context # # The proxy list # attr_accessor :proxies # Auth attr_accessor :username, :password # When parsing the request, thunk off the first response from the server, since junk attr_accessor :junk_pipeline protected # https attr_accessor :ssl, :ssl_version # :nodoc: attr_accessor :hostname, :port # :nodoc: end end end end