private void TestForSMB(SpoofDetectionResult result)
{
SpoofDetectionResult smbTestResult = SMBTester.PerformSMBTest(result.Endpoint.Address, _settings.PreferredIPv4Address);
if (smbTestResult.Detected)
{
_logger.LogMessage(String.Format("Detected service on SMB TCP port at {0}",
smbTestResult.Endpoint.Address)
, EventLogEntryType.Warning, (Int32)LogEvents.SMBTestSucceeded, (Int16)LogCategories.SpoofNotice,
null);
}
else
{
_logger.LogMessage(String.Format("Failed to connect to SMB TCP port at {0} with error {1}",
smbTestResult.Endpoint.Address, smbTestResult.ErrorMessage)
, EventLogEntryType.Information, (Int32)LogEvents.SMBTestFailed,
(Int16)LogCategories.DetectedUnexpectedCondition, null);
}
if (smbTestResult.Confidence > HighestConfidenceLevel)
{
HighestConfidenceLevel = smbTestResult.Confidence;
_logger.LogMessage(String.Format("Spoofing confidence level adjusted to {0}", HighestConfidenceLevel)
, EventLogEntryType.Warning, (Int32)LogEvents.ConfidenceLevelIncreased, (Int16)LogCategories.SpoofNotice,
null);
}
}
private void TestForWPAD(SpoofDetectionResult result)
{
SpoofDetectionResult wpadTestResult = WPADTester.PerformWPADTest(IPAddress.Parse(result.Response), 80, _settings.NTLMUsername,
_settings.NTLMPassword, _settings.NTLMDomain);
if (wpadTestResult.Detected)
{
_logger.LogMessage(String.Format("Detected active WPAD service at {0} claiming {1}",
wpadTestResult.Endpoint.Address, wpadTestResult.Response)
, EventLogEntryType.Warning, (Int32)LogEvents.WPADProxyFound, (Int16)LogCategories.SpoofNotice,
null);
}
else
{
_logger.LogMessage(String.Format("Received HTTP response from WPAD service {0} with error {1}",
wpadTestResult.Endpoint.Address, wpadTestResult.ErrorMessage)
, EventLogEntryType.Information, (Int32)LogEvents.WPADProxyError,
(Int16)LogCategories.DetectedUnexpectedCondition, null);
}
if (wpadTestResult.Confidence > HighestConfidenceLevel)
{
HighestConfidenceLevel = wpadTestResult.Confidence;
_logger.LogMessage(String.Format("Spoofing confidence level adjusted to {0}", HighestConfidenceLevel)
, EventLogEntryType.Warning, (Int32)LogEvents.ConfidenceLevelIncreased, (Int16)LogCategories.SpoofNotice,
null);
}
}
internal SpoofDetectionResult ReceiveAndHandleReply(Socket client, Protocol protocol, Byte[] transactionId, IClientActioner clientActioner)
{
IPEndPoint sender = null;
Byte[] replyBuffer;
try
{
replyBuffer = clientActioner.Receive(client, out sender);
}
catch (SocketException ex)
{
if (ex.ErrorCode == 10060) //Timeout
{
return(null);
}
if (ex.ErrorCode == 10004) //Aborted
{
return(null);
}
throw;
}
if (sender == null || replyBuffer.Length <= 0)
{
return(null);
}
var result = new SpoofDetectionResult
{
Confidence = ConfidenceLevel.FalsePositive,
Detected = false,
Endpoint = null,
ErrorMessage = String.Format("Unable to parse packet sent to port {0}",
((IPEndPoint)client.LocalEndPoint)?.Port)
, Protocol = Protocol.Unknown
};
try
{
result = HandleReply(replyBuffer, sender, transactionId, protocol);
}
catch (Exception)
{
//Omnomnom - There's all sorts of reasons the parser might crash on a packet, we need to handle all of them
//until the parser is able to handle those exceptions itself
}
return(result);
}
private void HandleResponseReceivedResult(SpoofDetectionResult result)
{
if (result == null)
{
return;
}
if (result.Protocol == Protocol.WPAD || result.Protocol == Protocol.SMB)
{
throw new NotImplementedException(String.Format("Tried to handle an {0} response as an NS response", result.Protocol));
}
if (result.Detected)
{
_logger.LogMessage(String.Format("Received {0} response from {1} claiming {2}", result.Protocol, result.Endpoint.Address, result.Response)
, EventLogEntryType.Information, (Int32)LogEvents.SpoofDetected, (Int16)LogCategories.SpoofNotice, null);
if (result.Confidence > HighestConfidenceLevel)
{
HighestConfidenceLevel = result.Confidence;
_logger.LogMessage(String.Format("Spoofing confidence level adjusted to {0}", HighestConfidenceLevel)
, EventLogEntryType.Warning, (Int32)LogEvents.ConfidenceLevelIncreased, (Int16)LogCategories.SpoofNotice, null);
//Console.WriteLine("[+] *** Spoofing confidence level adjusted to " + highestConfidenceLevel + " ***");
}
if (_settings.UseWPADProbes)
{
TestForWPAD(result);
}
if (_settings.UseSMBProbes)
{
TestForSMB(result);
}
}
else
{
_logger.LogMessage(String.Format("Received response from {1} with error {2} (Expected {0})", result.Protocol, result.Endpoint.Address, result.ErrorMessage)
, EventLogEntryType.Information, (Int32)LogEvents.UnexpectedProtocolResponse, (Int16)LogCategories.DetectedUnexpectedCondition, null);
if (result.Confidence > HighestConfidenceLevel)
{
HighestConfidenceLevel = result.Confidence;
_logger.LogMessage(String.Format("Spoofing confidence level adjusted to {0}", HighestConfidenceLevel)
, EventLogEntryType.Warning, (Int32)LogEvents.ConfidenceLevelIncreased, (Int16)LogCategories.SpoofNotice, null);
}
}
}
public static SpoofDetectionResult PerformWPADTest(IPAddress targetAddress, Int32 targetPort, String username, String password, String domain)
{
var targetEndPoint = new IPEndPoint(targetAddress, targetPort);
var req = (HttpWebRequest)WebRequest.Create(String.Format("http://{0}:{1}/wpad.dat", targetEndPoint.Address, targetEndPoint.Port));
req.UnsafeAuthenticatedConnectionSharing = true;
req.Timeout = Timeout;
req.KeepAlive = false;
if (!String.IsNullOrEmpty(username))
{
req.AuthenticationLevel = System.Net.Security.AuthenticationLevel.MutualAuthRequested;
if (domain == null)
{
req.Credentials = new NetworkCredential(username, password ?? "");
}
else
{
req.Credentials = new NetworkCredential(username, password ?? "", domain);
}
}
req.UserAgent = "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.10136";
try
{
using (var resp = (HttpWebResponse)req.GetResponse())
{
return(HandleWebResponse(resp, targetEndPoint));
}
}
catch (WebException ex)
{
if (ex.Status == WebExceptionStatus.ProtocolError)
{
SpoofDetectionResult result = HandleWebResponse((HttpWebResponse)ex.Response, targetEndPoint);
ex.Response.Dispose();
return(result);
}
else
{
return(new SpoofDetectionResult()
{
Detected = false,
Endpoint = targetEndPoint,
ErrorMessage = String.Format("Unknown HTTP error ({0})", ex.Message),
Protocol = Protocol.WPAD,
Confidence = ConfidenceLevel.FalsePositive
});
}
}
catch (Exception ex)
{
return(new SpoofDetectionResult()
{
Detected = false,
Endpoint = targetEndPoint,
ErrorMessage = String.Format("Unable to contact WPAD server ({0})", ex.Message),
Protocol = Protocol.WPAD,
Confidence = ConfidenceLevel.FalsePositive
});
}
}
