private void TestForSMB(SpoofDetectionResult result) { SpoofDetectionResult smbTestResult = SMBTester.PerformSMBTest(result.Endpoint.Address, _settings.PreferredIPv4Address); if (smbTestResult.Detected) { _logger.LogMessage(String.Format("Detected service on SMB TCP port at {0}", smbTestResult.Endpoint.Address) , EventLogEntryType.Warning, (Int32)LogEvents.SMBTestSucceeded, (Int16)LogCategories.SpoofNotice, null); } else { _logger.LogMessage(String.Format("Failed to connect to SMB TCP port at {0} with error {1}", smbTestResult.Endpoint.Address, smbTestResult.ErrorMessage) , EventLogEntryType.Information, (Int32)LogEvents.SMBTestFailed, (Int16)LogCategories.DetectedUnexpectedCondition, null); } if (smbTestResult.Confidence > HighestConfidenceLevel) { HighestConfidenceLevel = smbTestResult.Confidence; _logger.LogMessage(String.Format("Spoofing confidence level adjusted to {0}", HighestConfidenceLevel) , EventLogEntryType.Warning, (Int32)LogEvents.ConfidenceLevelIncreased, (Int16)LogCategories.SpoofNotice, null); } }
private void TestForWPAD(SpoofDetectionResult result) { SpoofDetectionResult wpadTestResult = WPADTester.PerformWPADTest(IPAddress.Parse(result.Response), 80, _settings.NTLMUsername, _settings.NTLMPassword, _settings.NTLMDomain); if (wpadTestResult.Detected) { _logger.LogMessage(String.Format("Detected active WPAD service at {0} claiming {1}", wpadTestResult.Endpoint.Address, wpadTestResult.Response) , EventLogEntryType.Warning, (Int32)LogEvents.WPADProxyFound, (Int16)LogCategories.SpoofNotice, null); } else { _logger.LogMessage(String.Format("Received HTTP response from WPAD service {0} with error {1}", wpadTestResult.Endpoint.Address, wpadTestResult.ErrorMessage) , EventLogEntryType.Information, (Int32)LogEvents.WPADProxyError, (Int16)LogCategories.DetectedUnexpectedCondition, null); } if (wpadTestResult.Confidence > HighestConfidenceLevel) { HighestConfidenceLevel = wpadTestResult.Confidence; _logger.LogMessage(String.Format("Spoofing confidence level adjusted to {0}", HighestConfidenceLevel) , EventLogEntryType.Warning, (Int32)LogEvents.ConfidenceLevelIncreased, (Int16)LogCategories.SpoofNotice, null); } }
internal SpoofDetectionResult ReceiveAndHandleReply(Socket client, Protocol protocol, Byte[] transactionId, IClientActioner clientActioner) { IPEndPoint sender = null; Byte[] replyBuffer; try { replyBuffer = clientActioner.Receive(client, out sender); } catch (SocketException ex) { if (ex.ErrorCode == 10060) //Timeout { return(null); } if (ex.ErrorCode == 10004) //Aborted { return(null); } throw; } if (sender == null || replyBuffer.Length <= 0) { return(null); } var result = new SpoofDetectionResult { Confidence = ConfidenceLevel.FalsePositive, Detected = false, Endpoint = null, ErrorMessage = String.Format("Unable to parse packet sent to port {0}", ((IPEndPoint)client.LocalEndPoint)?.Port) , Protocol = Protocol.Unknown }; try { result = HandleReply(replyBuffer, sender, transactionId, protocol); } catch (Exception) { //Omnomnom - There's all sorts of reasons the parser might crash on a packet, we need to handle all of them //until the parser is able to handle those exceptions itself } return(result); }
private void HandleResponseReceivedResult(SpoofDetectionResult result) { if (result == null) { return; } if (result.Protocol == Protocol.WPAD || result.Protocol == Protocol.SMB) { throw new NotImplementedException(String.Format("Tried to handle an {0} response as an NS response", result.Protocol)); } if (result.Detected) { _logger.LogMessage(String.Format("Received {0} response from {1} claiming {2}", result.Protocol, result.Endpoint.Address, result.Response) , EventLogEntryType.Information, (Int32)LogEvents.SpoofDetected, (Int16)LogCategories.SpoofNotice, null); if (result.Confidence > HighestConfidenceLevel) { HighestConfidenceLevel = result.Confidence; _logger.LogMessage(String.Format("Spoofing confidence level adjusted to {0}", HighestConfidenceLevel) , EventLogEntryType.Warning, (Int32)LogEvents.ConfidenceLevelIncreased, (Int16)LogCategories.SpoofNotice, null); //Console.WriteLine("[+] *** Spoofing confidence level adjusted to " + highestConfidenceLevel + " ***"); } if (_settings.UseWPADProbes) { TestForWPAD(result); } if (_settings.UseSMBProbes) { TestForSMB(result); } } else { _logger.LogMessage(String.Format("Received response from {1} with error {2} (Expected {0})", result.Protocol, result.Endpoint.Address, result.ErrorMessage) , EventLogEntryType.Information, (Int32)LogEvents.UnexpectedProtocolResponse, (Int16)LogCategories.DetectedUnexpectedCondition, null); if (result.Confidence > HighestConfidenceLevel) { HighestConfidenceLevel = result.Confidence; _logger.LogMessage(String.Format("Spoofing confidence level adjusted to {0}", HighestConfidenceLevel) , EventLogEntryType.Warning, (Int32)LogEvents.ConfidenceLevelIncreased, (Int16)LogCategories.SpoofNotice, null); } } }
public static SpoofDetectionResult PerformWPADTest(IPAddress targetAddress, Int32 targetPort, String username, String password, String domain) { var targetEndPoint = new IPEndPoint(targetAddress, targetPort); var req = (HttpWebRequest)WebRequest.Create(String.Format("http://{0}:{1}/wpad.dat", targetEndPoint.Address, targetEndPoint.Port)); req.UnsafeAuthenticatedConnectionSharing = true; req.Timeout = Timeout; req.KeepAlive = false; if (!String.IsNullOrEmpty(username)) { req.AuthenticationLevel = System.Net.Security.AuthenticationLevel.MutualAuthRequested; if (domain == null) { req.Credentials = new NetworkCredential(username, password ?? ""); } else { req.Credentials = new NetworkCredential(username, password ?? "", domain); } } req.UserAgent = "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.10136"; try { using (var resp = (HttpWebResponse)req.GetResponse()) { return(HandleWebResponse(resp, targetEndPoint)); } } catch (WebException ex) { if (ex.Status == WebExceptionStatus.ProtocolError) { SpoofDetectionResult result = HandleWebResponse((HttpWebResponse)ex.Response, targetEndPoint); ex.Response.Dispose(); return(result); } else { return(new SpoofDetectionResult() { Detected = false, Endpoint = targetEndPoint, ErrorMessage = String.Format("Unknown HTTP error ({0})", ex.Message), Protocol = Protocol.WPAD, Confidence = ConfidenceLevel.FalsePositive }); } } catch (Exception ex) { return(new SpoofDetectionResult() { Detected = false, Endpoint = targetEndPoint, ErrorMessage = String.Format("Unable to contact WPAD server ({0})", ex.Message), Protocol = Protocol.WPAD, Confidence = ConfidenceLevel.FalsePositive }); } }