Esempio n. 1
0
        private void TestForSMB(SpoofDetectionResult result)
        {
            SpoofDetectionResult smbTestResult = SMBTester.PerformSMBTest(result.Endpoint.Address, _settings.PreferredIPv4Address);

            if (smbTestResult.Detected)
            {
                _logger.LogMessage(String.Format("Detected service on SMB TCP port at {0}",
                                                 smbTestResult.Endpoint.Address)
                                   , EventLogEntryType.Warning, (Int32)LogEvents.SMBTestSucceeded, (Int16)LogCategories.SpoofNotice,
                                   null);
            }
            else
            {
                _logger.LogMessage(String.Format("Failed to connect to SMB TCP port at {0} with error {1}",
                                                 smbTestResult.Endpoint.Address, smbTestResult.ErrorMessage)
                                   , EventLogEntryType.Information, (Int32)LogEvents.SMBTestFailed,
                                   (Int16)LogCategories.DetectedUnexpectedCondition, null);
            }
            if (smbTestResult.Confidence > HighestConfidenceLevel)
            {
                HighestConfidenceLevel = smbTestResult.Confidence;
                _logger.LogMessage(String.Format("Spoofing confidence level adjusted to {0}", HighestConfidenceLevel)
                                   , EventLogEntryType.Warning, (Int32)LogEvents.ConfidenceLevelIncreased, (Int16)LogCategories.SpoofNotice,
                                   null);
            }
        }
Esempio n. 2
0
        private void TestForWPAD(SpoofDetectionResult result)
        {
            SpoofDetectionResult wpadTestResult = WPADTester.PerformWPADTest(IPAddress.Parse(result.Response), 80, _settings.NTLMUsername,
                                                                             _settings.NTLMPassword, _settings.NTLMDomain);

            if (wpadTestResult.Detected)
            {
                _logger.LogMessage(String.Format("Detected active WPAD service at {0} claiming {1}",
                                                 wpadTestResult.Endpoint.Address, wpadTestResult.Response)
                                   , EventLogEntryType.Warning, (Int32)LogEvents.WPADProxyFound, (Int16)LogCategories.SpoofNotice,
                                   null);
            }
            else
            {
                _logger.LogMessage(String.Format("Received HTTP response from WPAD service {0} with error {1}",
                                                 wpadTestResult.Endpoint.Address, wpadTestResult.ErrorMessage)
                                   , EventLogEntryType.Information, (Int32)LogEvents.WPADProxyError,
                                   (Int16)LogCategories.DetectedUnexpectedCondition, null);
            }
            if (wpadTestResult.Confidence > HighestConfidenceLevel)
            {
                HighestConfidenceLevel = wpadTestResult.Confidence;
                _logger.LogMessage(String.Format("Spoofing confidence level adjusted to {0}", HighestConfidenceLevel)
                                   , EventLogEntryType.Warning, (Int32)LogEvents.ConfidenceLevelIncreased, (Int16)LogCategories.SpoofNotice,
                                   null);
            }
        }
        internal SpoofDetectionResult ReceiveAndHandleReply(Socket client, Protocol protocol, Byte[] transactionId, IClientActioner clientActioner)
        {
            IPEndPoint sender = null;

            Byte[] replyBuffer;
            try
            {
                replyBuffer = clientActioner.Receive(client, out sender);
            }
            catch (SocketException ex)
            {
                if (ex.ErrorCode == 10060) //Timeout
                {
                    return(null);
                }
                if (ex.ErrorCode == 10004) //Aborted
                {
                    return(null);
                }
                throw;
            }

            if (sender == null || replyBuffer.Length <= 0)
            {
                return(null);
            }

            var result = new SpoofDetectionResult
            {
                Confidence   = ConfidenceLevel.FalsePositive,
                Detected     = false,
                Endpoint     = null,
                ErrorMessage = String.Format("Unable to parse packet sent to port {0}",
                                             ((IPEndPoint)client.LocalEndPoint)?.Port)
                , Protocol = Protocol.Unknown
            };

            try
            {
                result = HandleReply(replyBuffer, sender, transactionId, protocol);
            }
            catch (Exception)
            {
                //Omnomnom - There's all sorts of reasons the parser might crash on a packet, we need to handle all of them
                //until the parser is able to handle those exceptions itself
            }

            return(result);
        }
Esempio n. 4
0
        private void HandleResponseReceivedResult(SpoofDetectionResult result)
        {
            if (result == null)
            {
                return;
            }

            if (result.Protocol == Protocol.WPAD || result.Protocol == Protocol.SMB)
            {
                throw new NotImplementedException(String.Format("Tried to handle an {0} response as an NS response", result.Protocol));
            }

            if (result.Detected)
            {
                _logger.LogMessage(String.Format("Received {0} response from {1} claiming {2}", result.Protocol, result.Endpoint.Address, result.Response)
                                   , EventLogEntryType.Information, (Int32)LogEvents.SpoofDetected, (Int16)LogCategories.SpoofNotice, null);
                if (result.Confidence > HighestConfidenceLevel)
                {
                    HighestConfidenceLevel = result.Confidence;
                    _logger.LogMessage(String.Format("Spoofing confidence level adjusted to {0}", HighestConfidenceLevel)
                                       , EventLogEntryType.Warning, (Int32)LogEvents.ConfidenceLevelIncreased, (Int16)LogCategories.SpoofNotice, null);
                    //Console.WriteLine("[+] *** Spoofing confidence level adjusted to " + highestConfidenceLevel + " ***");
                }

                if (_settings.UseWPADProbes)
                {
                    TestForWPAD(result);
                }
                if (_settings.UseSMBProbes)
                {
                    TestForSMB(result);
                }
            }
            else
            {
                _logger.LogMessage(String.Format("Received response from {1} with error {2} (Expected {0})", result.Protocol, result.Endpoint.Address, result.ErrorMessage)
                                   , EventLogEntryType.Information, (Int32)LogEvents.UnexpectedProtocolResponse, (Int16)LogCategories.DetectedUnexpectedCondition, null);
                if (result.Confidence > HighestConfidenceLevel)
                {
                    HighestConfidenceLevel = result.Confidence;
                    _logger.LogMessage(String.Format("Spoofing confidence level adjusted to {0}", HighestConfidenceLevel)
                                       , EventLogEntryType.Warning, (Int32)LogEvents.ConfidenceLevelIncreased, (Int16)LogCategories.SpoofNotice, null);
                }
            }
        }
Esempio n. 5
0
        public static SpoofDetectionResult PerformWPADTest(IPAddress targetAddress, Int32 targetPort, String username, String password, String domain)
        {
            var targetEndPoint = new IPEndPoint(targetAddress, targetPort);
            var req            = (HttpWebRequest)WebRequest.Create(String.Format("http://{0}:{1}/wpad.dat", targetEndPoint.Address, targetEndPoint.Port));

            req.UnsafeAuthenticatedConnectionSharing = true;
            req.Timeout   = Timeout;
            req.KeepAlive = false;
            if (!String.IsNullOrEmpty(username))
            {
                req.AuthenticationLevel = System.Net.Security.AuthenticationLevel.MutualAuthRequested;
                if (domain == null)
                {
                    req.Credentials = new NetworkCredential(username, password ?? "");
                }
                else
                {
                    req.Credentials = new NetworkCredential(username, password ?? "", domain);
                }
            }

            req.UserAgent = "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.10136";

            try
            {
                using (var resp = (HttpWebResponse)req.GetResponse())
                {
                    return(HandleWebResponse(resp, targetEndPoint));
                }
            }
            catch (WebException ex)
            {
                if (ex.Status == WebExceptionStatus.ProtocolError)
                {
                    SpoofDetectionResult result = HandleWebResponse((HttpWebResponse)ex.Response, targetEndPoint);
                    ex.Response.Dispose();
                    return(result);
                }
                else
                {
                    return(new SpoofDetectionResult()
                    {
                        Detected = false,
                        Endpoint = targetEndPoint,
                        ErrorMessage = String.Format("Unknown HTTP error ({0})", ex.Message),
                        Protocol = Protocol.WPAD,
                        Confidence = ConfidenceLevel.FalsePositive
                    });
                }
            }
            catch (Exception ex)
            {
                return(new SpoofDetectionResult()
                {
                    Detected = false,
                    Endpoint = targetEndPoint,
                    ErrorMessage = String.Format("Unable to contact WPAD server ({0})", ex.Message),
                    Protocol = Protocol.WPAD,
                    Confidence = ConfidenceLevel.FalsePositive
                });
            }
        }