librex 0.0.13 → 0.0.15
Sign up to get free protection for your applications and to get access to all the features.
- data/README.markdown +1 -1
- data/Rakefile +1 -0
- metadata +3 -435
- data/lib/rex/LICENSE +0 -29
- data/lib/rex/arch.rb +0 -103
- data/lib/rex/arch/sparc.rb +0 -75
- data/lib/rex/arch/sparc.rb.ut.rb +0 -18
- data/lib/rex/arch/x86.rb +0 -513
- data/lib/rex/arch/x86.rb.ut.rb +0 -93
- data/lib/rex/assembly/nasm.rb +0 -104
- data/lib/rex/assembly/nasm.rb.ut.rb +0 -22
- data/lib/rex/codepage.map +0 -104
- data/lib/rex/compat.rb +0 -311
- data/lib/rex/constants.rb +0 -113
- data/lib/rex/elfparsey.rb +0 -11
- data/lib/rex/elfparsey/elf.rb +0 -123
- data/lib/rex/elfparsey/elfbase.rb +0 -258
- data/lib/rex/elfparsey/exceptions.rb +0 -27
- data/lib/rex/elfscan.rb +0 -12
- data/lib/rex/elfscan/scanner.rb +0 -207
- data/lib/rex/elfscan/search.rb +0 -46
- data/lib/rex/encoder/alpha2.rb +0 -31
- data/lib/rex/encoder/alpha2/alpha_mixed.rb +0 -68
- data/lib/rex/encoder/alpha2/alpha_upper.rb +0 -79
- data/lib/rex/encoder/alpha2/generic.rb +0 -114
- data/lib/rex/encoder/alpha2/unicode_mixed.rb +0 -117
- data/lib/rex/encoder/alpha2/unicode_upper.rb +0 -129
- data/lib/rex/encoder/ndr.rb +0 -89
- data/lib/rex/encoder/ndr.rb.ut.rb +0 -44
- data/lib/rex/encoder/nonalpha.rb +0 -61
- data/lib/rex/encoder/nonupper.rb +0 -64
- data/lib/rex/encoder/xdr.rb +0 -106
- data/lib/rex/encoder/xdr.rb.ut.rb +0 -29
- data/lib/rex/encoder/xor.rb +0 -69
- data/lib/rex/encoder/xor/dword.rb +0 -13
- data/lib/rex/encoder/xor/dword_additive.rb +0 -13
- data/lib/rex/encoders/xor_dword.rb +0 -35
- data/lib/rex/encoders/xor_dword_additive.rb +0 -53
- data/lib/rex/encoders/xor_dword_additive.rb.ut.rb +0 -12
- data/lib/rex/encoding/xor.rb +0 -20
- data/lib/rex/encoding/xor.rb.ts.rb +0 -14
- data/lib/rex/encoding/xor/byte.rb +0 -15
- data/lib/rex/encoding/xor/byte.rb.ut.rb +0 -21
- data/lib/rex/encoding/xor/dword.rb +0 -21
- data/lib/rex/encoding/xor/dword.rb.ut.rb +0 -15
- data/lib/rex/encoding/xor/dword_additive.rb +0 -92
- data/lib/rex/encoding/xor/dword_additive.rb.ut.rb +0 -15
- data/lib/rex/encoding/xor/exceptions.rb +0 -17
- data/lib/rex/encoding/xor/generic.rb +0 -146
- data/lib/rex/encoding/xor/generic.rb.ut.rb +0 -120
- data/lib/rex/encoding/xor/qword.rb +0 -15
- data/lib/rex/encoding/xor/word.rb +0 -21
- data/lib/rex/encoding/xor/word.rb.ut.rb +0 -13
- data/lib/rex/exceptions.rb +0 -275
- data/lib/rex/exceptions.rb.ut.rb +0 -44
- data/lib/rex/exploitation/cmdstager.rb +0 -9
- data/lib/rex/exploitation/cmdstager/base.rb +0 -175
- data/lib/rex/exploitation/cmdstager/debug_asm.rb +0 -142
- data/lib/rex/exploitation/cmdstager/debug_write.rb +0 -136
- data/lib/rex/exploitation/cmdstager/tftp.rb +0 -63
- data/lib/rex/exploitation/cmdstager/vbs.rb +0 -128
- data/lib/rex/exploitation/egghunter.rb +0 -277
- data/lib/rex/exploitation/egghunter.rb.ut.rb +0 -25
- data/lib/rex/exploitation/encryptjs.rb +0 -77
- data/lib/rex/exploitation/heaplib.js.b64 +0 -331
- data/lib/rex/exploitation/heaplib.rb +0 -94
- data/lib/rex/exploitation/javascriptosdetect.rb +0 -897
- data/lib/rex/exploitation/obfuscatejs.rb +0 -335
- data/lib/rex/exploitation/omelet.rb +0 -320
- data/lib/rex/exploitation/omelet.rb.ut.rb +0 -13
- data/lib/rex/exploitation/opcodedb.rb +0 -818
- data/lib/rex/exploitation/opcodedb.rb.ut.rb +0 -279
- data/lib/rex/exploitation/seh.rb +0 -92
- data/lib/rex/exploitation/seh.rb.ut.rb +0 -19
- data/lib/rex/file.rb +0 -112
- data/lib/rex/file.rb.ut.rb +0 -16
- data/lib/rex/image_source.rb +0 -12
- data/lib/rex/image_source/disk.rb +0 -60
- data/lib/rex/image_source/image_source.rb +0 -46
- data/lib/rex/image_source/memory.rb +0 -37
- data/lib/rex/io/bidirectional_pipe.rb +0 -157
- data/lib/rex/io/datagram_abstraction.rb +0 -35
- data/lib/rex/io/stream.rb +0 -319
- data/lib/rex/io/stream_abstraction.rb +0 -197
- data/lib/rex/io/stream_server.rb +0 -211
- data/lib/rex/job_container.rb +0 -187
- data/lib/rex/logging.rb +0 -4
- data/lib/rex/logging/log_dispatcher.rb +0 -179
- data/lib/rex/logging/log_sink.rb +0 -42
- data/lib/rex/logging/sinks/flatfile.rb +0 -55
- data/lib/rex/logging/sinks/stderr.rb +0 -43
- data/lib/rex/machparsey.rb +0 -9
- data/lib/rex/machparsey/exceptions.rb +0 -34
- data/lib/rex/machparsey/mach.rb +0 -209
- data/lib/rex/machparsey/machbase.rb +0 -408
- data/lib/rex/machscan.rb +0 -9
- data/lib/rex/machscan/scanner.rb +0 -217
- data/lib/rex/mime.rb +0 -9
- data/lib/rex/mime/header.rb +0 -77
- data/lib/rex/mime/message.rb +0 -144
- data/lib/rex/mime/part.rb +0 -20
- data/lib/rex/nop/opty2.rb +0 -108
- data/lib/rex/nop/opty2.rb.ut.rb +0 -23
- data/lib/rex/nop/opty2_tables.rb +0 -300
- data/lib/rex/ole.rb +0 -205
- data/lib/rex/ole/clsid.rb +0 -47
- data/lib/rex/ole/difat.rb +0 -141
- data/lib/rex/ole/directory.rb +0 -231
- data/lib/rex/ole/direntry.rb +0 -240
- data/lib/rex/ole/docs/dependencies.txt +0 -8
- data/lib/rex/ole/docs/references.txt +0 -1
- data/lib/rex/ole/fat.rb +0 -99
- data/lib/rex/ole/header.rb +0 -204
- data/lib/rex/ole/minifat.rb +0 -77
- data/lib/rex/ole/propset.rb +0 -144
- data/lib/rex/ole/samples/create_ole.rb +0 -27
- data/lib/rex/ole/samples/dir.rb +0 -35
- data/lib/rex/ole/samples/dump_stream.rb +0 -34
- data/lib/rex/ole/samples/ole_info.rb +0 -23
- data/lib/rex/ole/storage.rb +0 -395
- data/lib/rex/ole/stream.rb +0 -53
- data/lib/rex/ole/substorage.rb +0 -49
- data/lib/rex/ole/util.rb +0 -157
- data/lib/rex/parser/arguments.rb +0 -97
- data/lib/rex/parser/arguments.rb.ut.rb +0 -67
- data/lib/rex/parser/ini.rb +0 -185
- data/lib/rex/parser/ini.rb.ut.rb +0 -29
- data/lib/rex/parser/ip360_aspl_xml.rb +0 -102
- data/lib/rex/parser/ip360_xml.rb +0 -93
- data/lib/rex/parser/nessus_xml.rb +0 -118
- data/lib/rex/parser/netsparker_xml.rb +0 -94
- data/lib/rex/parser/nexpose_xml.rb +0 -131
- data/lib/rex/parser/nmap_xml.rb +0 -121
- data/lib/rex/parser/retina_xml.rb +0 -109
- data/lib/rex/payloads.rb +0 -1
- data/lib/rex/payloads/win32.rb +0 -2
- data/lib/rex/payloads/win32/common.rb +0 -26
- data/lib/rex/payloads/win32/kernel.rb +0 -53
- data/lib/rex/payloads/win32/kernel/common.rb +0 -54
- data/lib/rex/payloads/win32/kernel/migration.rb +0 -12
- data/lib/rex/payloads/win32/kernel/recovery.rb +0 -50
- data/lib/rex/payloads/win32/kernel/stager.rb +0 -194
- data/lib/rex/peparsey.rb +0 -12
- data/lib/rex/peparsey/exceptions.rb +0 -32
- data/lib/rex/peparsey/pe.rb +0 -212
- data/lib/rex/peparsey/pe_memdump.rb +0 -63
- data/lib/rex/peparsey/pebase.rb +0 -1680
- data/lib/rex/peparsey/section.rb +0 -136
- data/lib/rex/pescan.rb +0 -13
- data/lib/rex/pescan/analyze.rb +0 -309
- data/lib/rex/pescan/scanner.rb +0 -206
- data/lib/rex/pescan/search.rb +0 -56
- data/lib/rex/platforms.rb +0 -1
- data/lib/rex/platforms/windows.rb +0 -51
- data/lib/rex/poly.rb +0 -132
- data/lib/rex/poly/block.rb +0 -477
- data/lib/rex/poly/register.rb +0 -100
- data/lib/rex/poly/register/x86.rb +0 -40
- data/lib/rex/post.rb +0 -8
- data/lib/rex/post/dir.rb +0 -51
- data/lib/rex/post/file.rb +0 -172
- data/lib/rex/post/file_stat.rb +0 -220
- data/lib/rex/post/gen.pl +0 -13
- data/lib/rex/post/io.rb +0 -182
- data/lib/rex/post/meterpreter.rb +0 -4
- data/lib/rex/post/meterpreter/channel.rb +0 -445
- data/lib/rex/post/meterpreter/channel_container.rb +0 -54
- data/lib/rex/post/meterpreter/channels/pool.rb +0 -160
- data/lib/rex/post/meterpreter/channels/pools/file.rb +0 -62
- data/lib/rex/post/meterpreter/channels/pools/stream_pool.rb +0 -103
- data/lib/rex/post/meterpreter/channels/stream.rb +0 -87
- data/lib/rex/post/meterpreter/client.rb +0 -364
- data/lib/rex/post/meterpreter/client_core.rb +0 -274
- data/lib/rex/post/meterpreter/dependencies.rb +0 -3
- data/lib/rex/post/meterpreter/extension.rb +0 -32
- data/lib/rex/post/meterpreter/extensions/espia/espia.rb +0 -58
- data/lib/rex/post/meterpreter/extensions/espia/tlv.rb +0 -16
- data/lib/rex/post/meterpreter/extensions/incognito/incognito.rb +0 -94
- data/lib/rex/post/meterpreter/extensions/incognito/tlv.rb +0 -21
- data/lib/rex/post/meterpreter/extensions/networkpug/networkpug.rb +0 -57
- data/lib/rex/post/meterpreter/extensions/networkpug/tlv.rb +0 -15
- data/lib/rex/post/meterpreter/extensions/priv/fs.rb +0 -118
- data/lib/rex/post/meterpreter/extensions/priv/passwd.rb +0 -61
- data/lib/rex/post/meterpreter/extensions/priv/priv.rb +0 -111
- data/lib/rex/post/meterpreter/extensions/priv/tlv.rb +0 -28
- data/lib/rex/post/meterpreter/extensions/sniffer/sniffer.rb +0 -101
- data/lib/rex/post/meterpreter/extensions/sniffer/tlv.rb +0 -26
- data/lib/rex/post/meterpreter/extensions/stdapi/constants.rb +0 -333
- data/lib/rex/post/meterpreter/extensions/stdapi/fs/dir.rb +0 -282
- data/lib/rex/post/meterpreter/extensions/stdapi/fs/file.rb +0 -266
- data/lib/rex/post/meterpreter/extensions/stdapi/fs/file_stat.rb +0 -103
- data/lib/rex/post/meterpreter/extensions/stdapi/fs/io.rb +0 -48
- data/lib/rex/post/meterpreter/extensions/stdapi/net/config.rb +0 -144
- data/lib/rex/post/meterpreter/extensions/stdapi/net/interface.rb +0 -73
- data/lib/rex/post/meterpreter/extensions/stdapi/net/route.rb +0 -56
- data/lib/rex/post/meterpreter/extensions/stdapi/net/socket.rb +0 -137
- data/lib/rex/post/meterpreter/extensions/stdapi/net/socket_subsystem/tcp_client_channel.rb +0 -180
- data/lib/rex/post/meterpreter/extensions/stdapi/net/socket_subsystem/tcp_server_channel.rb +0 -167
- data/lib/rex/post/meterpreter/extensions/stdapi/net/socket_subsystem/udp_channel.rb +0 -208
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun.rb.ts.rb +0 -6
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/api_constants.rb +0 -38106
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/api_constants.rb.ut.rb +0 -31
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/buffer_item.rb +0 -47
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/buffer_item.rb.ut.rb +0 -36
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_advapi32.rb +0 -1818
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_iphlpapi.rb +0 -96
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_kernel32.rb +0 -3848
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_netapi32.rb +0 -26
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_ntdll.rb +0 -153
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_shell32.rb +0 -21
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_user32.rb +0 -3169
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_ws2_32.rb +0 -599
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/dll.rb +0 -318
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/dll_function.rb +0 -100
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/dll_function.rb.ut.rb +0 -42
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/dll_helper.rb +0 -148
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/dll_helper.rb.ut.rb +0 -127
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/multicall.rb +0 -309
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/railgun.rb +0 -204
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/tlv.rb +0 -51
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/util.rb +0 -630
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/win_const_manager.rb +0 -75
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/win_const_manager.rb.ut.rb +0 -103
- data/lib/rex/post/meterpreter/extensions/stdapi/stdapi.rb +0 -149
- data/lib/rex/post/meterpreter/extensions/stdapi/sys/config.rb +0 -97
- data/lib/rex/post/meterpreter/extensions/stdapi/sys/event_log.rb +0 -192
- data/lib/rex/post/meterpreter/extensions/stdapi/sys/event_log_subsystem/event_record.rb +0 -41
- data/lib/rex/post/meterpreter/extensions/stdapi/sys/power.rb +0 -61
- data/lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb +0 -370
- data/lib/rex/post/meterpreter/extensions/stdapi/sys/process_subsystem/image.rb +0 -129
- data/lib/rex/post/meterpreter/extensions/stdapi/sys/process_subsystem/io.rb +0 -55
- data/lib/rex/post/meterpreter/extensions/stdapi/sys/process_subsystem/memory.rb +0 -336
- data/lib/rex/post/meterpreter/extensions/stdapi/sys/process_subsystem/thread.rb +0 -141
- data/lib/rex/post/meterpreter/extensions/stdapi/sys/registry.rb +0 -279
- data/lib/rex/post/meterpreter/extensions/stdapi/sys/registry_subsystem/registry_key.rb +0 -193
- data/lib/rex/post/meterpreter/extensions/stdapi/sys/registry_subsystem/registry_value.rb +0 -102
- data/lib/rex/post/meterpreter/extensions/stdapi/sys/thread.rb +0 -180
- data/lib/rex/post/meterpreter/extensions/stdapi/tlv.rb +0 -211
- data/lib/rex/post/meterpreter/extensions/stdapi/ui.rb +0 -227
- data/lib/rex/post/meterpreter/extensions/stdapi/webcam/webcam.rb +0 -63
- data/lib/rex/post/meterpreter/inbound_packet_handler.rb +0 -30
- data/lib/rex/post/meterpreter/object_aliases.rb +0 -83
- data/lib/rex/post/meterpreter/packet.rb +0 -688
- data/lib/rex/post/meterpreter/packet_dispatcher.rb +0 -431
- data/lib/rex/post/meterpreter/packet_parser.rb +0 -94
- data/lib/rex/post/meterpreter/packet_response_waiter.rb +0 -83
- data/lib/rex/post/meterpreter/ui/console.rb +0 -137
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher.rb +0 -62
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb +0 -730
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/espia.rb +0 -108
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/incognito.rb +0 -241
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/networkpug.rb +0 -231
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv.rb +0 -61
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/elevate.rb +0 -98
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/passwd.rb +0 -51
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/timestomp.rb +0 -132
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/sniffer.rb +0 -187
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi.rb +0 -65
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/fs.rb +0 -442
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/net.rb +0 -298
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb +0 -486
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/ui.rb +0 -315
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/webcam.rb +0 -157
- data/lib/rex/post/meterpreter/ui/console/interactive_channel.rb +0 -95
- data/lib/rex/post/permission.rb +0 -26
- data/lib/rex/post/process.rb +0 -57
- data/lib/rex/post/thread.rb +0 -57
- data/lib/rex/post/ui.rb +0 -52
- data/lib/rex/proto.rb +0 -13
- data/lib/rex/proto.rb.ts.rb +0 -8
- data/lib/rex/proto/dcerpc.rb +0 -6
- data/lib/rex/proto/dcerpc.rb.ts.rb +0 -9
- data/lib/rex/proto/dcerpc/client.rb +0 -361
- data/lib/rex/proto/dcerpc/client.rb.ut.rb +0 -491
- data/lib/rex/proto/dcerpc/exceptions.rb +0 -150
- data/lib/rex/proto/dcerpc/handle.rb +0 -47
- data/lib/rex/proto/dcerpc/handle.rb.ut.rb +0 -85
- data/lib/rex/proto/dcerpc/ndr.rb +0 -72
- data/lib/rex/proto/dcerpc/ndr.rb.ut.rb +0 -41
- data/lib/rex/proto/dcerpc/packet.rb +0 -253
- data/lib/rex/proto/dcerpc/packet.rb.ut.rb +0 -56
- data/lib/rex/proto/dcerpc/response.rb +0 -187
- data/lib/rex/proto/dcerpc/response.rb.ut.rb +0 -15
- data/lib/rex/proto/dcerpc/uuid.rb +0 -84
- data/lib/rex/proto/dcerpc/uuid.rb.ut.rb +0 -46
- data/lib/rex/proto/dhcp.rb +0 -7
- data/lib/rex/proto/dhcp/constants.rb +0 -33
- data/lib/rex/proto/dhcp/server.rb +0 -292
- data/lib/rex/proto/drda.rb +0 -5
- data/lib/rex/proto/drda.rb.ts.rb +0 -17
- data/lib/rex/proto/drda/constants.rb +0 -49
- data/lib/rex/proto/drda/constants.rb.ut.rb +0 -23
- data/lib/rex/proto/drda/packet.rb +0 -252
- data/lib/rex/proto/drda/packet.rb.ut.rb +0 -109
- data/lib/rex/proto/drda/utils.rb +0 -123
- data/lib/rex/proto/drda/utils.rb.ut.rb +0 -84
- data/lib/rex/proto/http.rb +0 -5
- data/lib/rex/proto/http.rb.ts.rb +0 -12
- data/lib/rex/proto/http/client.rb +0 -821
- data/lib/rex/proto/http/client.rb.ut.rb +0 -95
- data/lib/rex/proto/http/handler.rb +0 -46
- data/lib/rex/proto/http/handler/erb.rb +0 -128
- data/lib/rex/proto/http/handler/erb.rb.ut.rb +0 -21
- data/lib/rex/proto/http/handler/erb.rb.ut.rb.rhtml +0 -1
- data/lib/rex/proto/http/handler/proc.rb +0 -60
- data/lib/rex/proto/http/handler/proc.rb.ut.rb +0 -24
- data/lib/rex/proto/http/header.rb +0 -161
- data/lib/rex/proto/http/header.rb.ut.rb +0 -46
- data/lib/rex/proto/http/packet.rb +0 -407
- data/lib/rex/proto/http/packet.rb.ut.rb +0 -165
- data/lib/rex/proto/http/request.rb +0 -356
- data/lib/rex/proto/http/request.rb.ut.rb +0 -214
- data/lib/rex/proto/http/response.rb +0 -90
- data/lib/rex/proto/http/response.rb.ut.rb +0 -149
- data/lib/rex/proto/http/server.rb +0 -369
- data/lib/rex/proto/http/server.rb.ut.rb +0 -79
- data/lib/rex/proto/ntlm.rb +0 -7
- data/lib/rex/proto/ntlm.rb.ut.rb +0 -177
- data/lib/rex/proto/ntlm/base.rb +0 -326
- data/lib/rex/proto/ntlm/constants.rb +0 -74
- data/lib/rex/proto/ntlm/crypt.rb +0 -415
- data/lib/rex/proto/ntlm/exceptions.rb +0 -9
- data/lib/rex/proto/ntlm/message.rb +0 -533
- data/lib/rex/proto/ntlm/utils.rb +0 -763
- data/lib/rex/proto/proxy/socks4a.rb +0 -440
- data/lib/rex/proto/rfb.rb +0 -19
- data/lib/rex/proto/rfb.rb.ut.rb +0 -37
- data/lib/rex/proto/rfb/cipher.rb +0 -84
- data/lib/rex/proto/rfb/client.rb +0 -207
- data/lib/rex/proto/rfb/constants.rb +0 -52
- data/lib/rex/proto/smb.rb +0 -7
- data/lib/rex/proto/smb.rb.ts.rb +0 -8
- data/lib/rex/proto/smb/client.rb +0 -1952
- data/lib/rex/proto/smb/client.rb.ut.rb +0 -223
- data/lib/rex/proto/smb/constants.rb +0 -1047
- data/lib/rex/proto/smb/constants.rb.ut.rb +0 -18
- data/lib/rex/proto/smb/crypt.rb +0 -36
- data/lib/rex/proto/smb/evasions.rb +0 -66
- data/lib/rex/proto/smb/exceptions.rb +0 -858
- data/lib/rex/proto/smb/simpleclient.rb +0 -306
- data/lib/rex/proto/smb/simpleclient.rb.ut.rb +0 -128
- data/lib/rex/proto/smb/utils.rb +0 -103
- data/lib/rex/proto/smb/utils.rb.ut.rb +0 -20
- data/lib/rex/proto/sunrpc.rb +0 -1
- data/lib/rex/proto/sunrpc/client.rb +0 -195
- data/lib/rex/proto/tftp.rb +0 -12
- data/lib/rex/proto/tftp/constants.rb +0 -39
- data/lib/rex/proto/tftp/server.rb +0 -497
- data/lib/rex/proto/tftp/server.rb.ut.rb +0 -28
- data/lib/rex/script.rb +0 -42
- data/lib/rex/script/base.rb +0 -59
- data/lib/rex/script/meterpreter.rb +0 -15
- data/lib/rex/script/shell.rb +0 -9
- data/lib/rex/service.rb +0 -48
- data/lib/rex/service_manager.rb +0 -141
- data/lib/rex/service_manager.rb.ut.rb +0 -32
- data/lib/rex/services/local_relay.rb +0 -423
- data/lib/rex/socket.rb +0 -684
- data/lib/rex/socket.rb.ut.rb +0 -107
- data/lib/rex/socket/comm.rb +0 -119
- data/lib/rex/socket/comm/local.rb +0 -412
- data/lib/rex/socket/comm/local.rb.ut.rb +0 -75
- data/lib/rex/socket/ip.rb +0 -130
- data/lib/rex/socket/parameters.rb +0 -345
- data/lib/rex/socket/parameters.rb.ut.rb +0 -51
- data/lib/rex/socket/range_walker.rb +0 -346
- data/lib/rex/socket/range_walker.rb.ut.rb +0 -55
- data/lib/rex/socket/ssl_tcp.rb +0 -184
- data/lib/rex/socket/ssl_tcp.rb.ut.rb +0 -39
- data/lib/rex/socket/ssl_tcp_server.rb +0 -122
- data/lib/rex/socket/ssl_tcp_server.rb.ut.rb +0 -61
- data/lib/rex/socket/subnet_walker.rb +0 -75
- data/lib/rex/socket/subnet_walker.rb.ut.rb +0 -28
- data/lib/rex/socket/switch_board.rb +0 -278
- data/lib/rex/socket/switch_board.rb.ut.rb +0 -52
- data/lib/rex/socket/tcp.rb +0 -76
- data/lib/rex/socket/tcp.rb.ut.rb +0 -64
- data/lib/rex/socket/tcp_server.rb +0 -67
- data/lib/rex/socket/tcp_server.rb.ut.rb +0 -44
- data/lib/rex/socket/udp.rb +0 -164
- data/lib/rex/socket/udp.rb.ut.rb +0 -44
- data/lib/rex/struct2.rb +0 -5
- data/lib/rex/struct2/c_struct.rb +0 -181
- data/lib/rex/struct2/c_struct_template.rb +0 -39
- data/lib/rex/struct2/constant.rb +0 -26
- data/lib/rex/struct2/element.rb +0 -44
- data/lib/rex/struct2/generic.rb +0 -73
- data/lib/rex/struct2/restraint.rb +0 -54
- data/lib/rex/struct2/s_string.rb +0 -72
- data/lib/rex/struct2/s_struct.rb +0 -111
- data/lib/rex/sync.rb +0 -6
- data/lib/rex/sync/event.rb +0 -94
- data/lib/rex/sync/read_write_lock.rb +0 -176
- data/lib/rex/sync/ref.rb +0 -57
- data/lib/rex/sync/thread_safe.rb +0 -82
- data/lib/rex/test.rb +0 -35
- data/lib/rex/text.rb +0 -1149
- data/lib/rex/text.rb.ut.rb +0 -190
- data/lib/rex/thread_factory.rb +0 -42
- data/lib/rex/time.rb +0 -65
- data/lib/rex/transformer.rb +0 -115
- data/lib/rex/transformer.rb.ut.rb +0 -38
- data/lib/rex/ui.rb +0 -21
- data/lib/rex/ui/interactive.rb +0 -254
- data/lib/rex/ui/output.rb +0 -78
- data/lib/rex/ui/output/none.rb +0 -18
- data/lib/rex/ui/progress_tracker.rb +0 -96
- data/lib/rex/ui/subscriber.rb +0 -149
- data/lib/rex/ui/text/color.rb +0 -97
- data/lib/rex/ui/text/color.rb.ut.rb +0 -18
- data/lib/rex/ui/text/dispatcher_shell.rb +0 -467
- data/lib/rex/ui/text/input.rb +0 -117
- data/lib/rex/ui/text/input/buffer.rb +0 -75
- data/lib/rex/ui/text/input/readline.rb +0 -129
- data/lib/rex/ui/text/input/socket.rb +0 -95
- data/lib/rex/ui/text/input/stdio.rb +0 -45
- data/lib/rex/ui/text/irb_shell.rb +0 -57
- data/lib/rex/ui/text/output.rb +0 -80
- data/lib/rex/ui/text/output/buffer.rb +0 -61
- data/lib/rex/ui/text/output/file.rb +0 -43
- data/lib/rex/ui/text/output/socket.rb +0 -43
- data/lib/rex/ui/text/output/stdio.rb +0 -40
- data/lib/rex/ui/text/progress_tracker.rb +0 -56
- data/lib/rex/ui/text/progress_tracker.rb.ut.rb +0 -34
- data/lib/rex/ui/text/shell.rb +0 -328
- data/lib/rex/ui/text/table.rb +0 -279
- data/lib/rex/ui/text/table.rb.ut.rb +0 -55
- data/lib/rex/zip.rb +0 -93
- data/lib/rex/zip/archive.rb +0 -184
- data/lib/rex/zip/blocks.rb +0 -182
- data/lib/rex/zip/entry.rb +0 -104
- data/lib/rex/zip/samples/comment.rb +0 -32
- data/lib/rex/zip/samples/mkwar.rb +0 -138
- data/lib/rex/zip/samples/mkzip.rb +0 -19
- data/lib/rex/zip/samples/recursive.rb +0 -58
data/lib/rex/proto/ntlm/utils.rb
DELETED
@@ -1,763 +0,0 @@
|
|
1
|
-
require 'rex/proto/ntlm/constants'
|
2
|
-
require 'rex/proto/ntlm/crypt'
|
3
|
-
|
4
|
-
module Rex
|
5
|
-
module Proto
|
6
|
-
module NTLM
|
7
|
-
class Utils
|
8
|
-
|
9
|
-
CONST = Rex::Proto::NTLM::Constants
|
10
|
-
CRYPT = Rex::Proto::NTLM::Crypt
|
11
|
-
|
12
|
-
#duplicate from lib/rex/proto/smb/utils cause we only need this fonction from Rex::Proto::SMB::Utils
|
13
|
-
# Convert a unix timestamp to a 64-bit signed server time
|
14
|
-
def self.time_unix_to_smb(unix_time)
|
15
|
-
t64 = (unix_time + 11644473600) * 10000000
|
16
|
-
thi = (t64 & 0xffffffff00000000) >> 32
|
17
|
-
tlo = (t64 & 0x00000000ffffffff)
|
18
|
-
return [thi, tlo]
|
19
|
-
end
|
20
|
-
|
21
|
-
# Determine whether the password is a known hash format
|
22
|
-
def self.is_pass_ntlm_hash?(str)
|
23
|
-
str.downcase =~ /^[0-9a-f]{32}:[0-9a-f]{32}$/
|
24
|
-
end
|
25
|
-
|
26
|
-
#
|
27
|
-
# Prepends an ASN1 formatted length field to a piece of data
|
28
|
-
#
|
29
|
-
def self.asn1encode(str = '')
|
30
|
-
res = ''
|
31
|
-
|
32
|
-
# If the high bit of the first byte is 1, it contains the number of
|
33
|
-
# length bytes that follow
|
34
|
-
|
35
|
-
case str.length
|
36
|
-
when 0 .. 0x7F
|
37
|
-
res = [str.length].pack('C') + str
|
38
|
-
when 0x80 .. 0xFF
|
39
|
-
res = [0x81, str.length].pack('CC') + str
|
40
|
-
when 0x100 .. 0xFFFF
|
41
|
-
res = [0x82, str.length].pack('Cn') + str
|
42
|
-
when 0x10000 .. 0xffffff
|
43
|
-
res = [0x83, str.length >> 16, str.length & 0xFFFF].pack('CCn') + str
|
44
|
-
when 0x1000000 .. 0xffffffff
|
45
|
-
res = [0x84, str.length].pack('CN') + str
|
46
|
-
else
|
47
|
-
raise "ASN1 str too long"
|
48
|
-
end
|
49
|
-
return res
|
50
|
-
end
|
51
|
-
|
52
|
-
# GSS functions
|
53
|
-
|
54
|
-
# GSS BLOB usefull for SMB_NEGOCIATE_RESPONSE message
|
55
|
-
# mechTypes: 2 items :
|
56
|
-
# -MechType: 1.3.6.1.4.1.311.2.2.30 (SNMPv2-SMI::enterprises.311.2.2.30)
|
57
|
-
# -MechType: 1.3.6.1.4.1.311.2.2.10 (NTLMSSP - Microsoft NTLM Security Support Provider)
|
58
|
-
#
|
59
|
-
# this is the default on Win7
|
60
|
-
def self.make_simple_negotiate_secblob_resp
|
61
|
-
blob =
|
62
|
-
"\x60" + self.asn1encode(
|
63
|
-
"\x06" + self.asn1encode(
|
64
|
-
"\x2b\x06\x01\x05\x05\x02"
|
65
|
-
) +
|
66
|
-
"\xa0" + self.asn1encode(
|
67
|
-
"\x30" + self.asn1encode(
|
68
|
-
"\xa0" + self.asn1encode(
|
69
|
-
"\x30" + self.asn1encode(
|
70
|
-
"\x06" + self.asn1encode(
|
71
|
-
"\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"
|
72
|
-
)
|
73
|
-
)
|
74
|
-
)
|
75
|
-
)
|
76
|
-
)
|
77
|
-
)
|
78
|
-
|
79
|
-
return blob
|
80
|
-
end
|
81
|
-
|
82
|
-
# GSS BLOB usefull for SMB_NEGOCIATE_RESPONSE message
|
83
|
-
# mechTypes: 4 items :
|
84
|
-
# MechType: 1.2.840.48018.1.2.2 (MS KRB5 - Microsoft Kerberos 5)
|
85
|
-
# MechType: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
|
86
|
-
# MechType: 1.2.840.113554.1.2.2.3 (KRB5 - Kerberos 5 - User to User)
|
87
|
-
# MechType: 1.3.6.1.4.1.311.2.2.10 (NTLMSSP - Microsoft NTLM Security Support Provider)
|
88
|
-
# mechListMIC:
|
89
|
-
# principal: account@domain
|
90
|
-
def self.make_negotiate_secblob_resp(account, domain)
|
91
|
-
blob =
|
92
|
-
"\x60" + self.asn1encode(
|
93
|
-
"\x06" + self.asn1encode(
|
94
|
-
"\x2b\x06\x01\x05\x05\x02"
|
95
|
-
) +
|
96
|
-
"\xa0" + self.asn1encode(
|
97
|
-
"\x30" + self.asn1encode(
|
98
|
-
"\xa0" + self.asn1encode(
|
99
|
-
"\x30" + self.asn1encode(
|
100
|
-
"\x06" + self.asn1encode(
|
101
|
-
"\x2a\x86\x48\x82\xf7\x12\x01\x02\x02"
|
102
|
-
) +
|
103
|
-
"\x06" + self.asn1encode(
|
104
|
-
"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"
|
105
|
-
) +
|
106
|
-
"\x06" + self.asn1encode(
|
107
|
-
"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x03"
|
108
|
-
) +
|
109
|
-
"\x06" + self.asn1encode(
|
110
|
-
"\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"
|
111
|
-
)
|
112
|
-
)
|
113
|
-
) +
|
114
|
-
"\xa3" + self.asn1encode(
|
115
|
-
"\x30" + self.asn1encode(
|
116
|
-
"\xa0" + self.asn1encode(
|
117
|
-
"\x1b" + self.asn1encode(
|
118
|
-
account + '@' + domain
|
119
|
-
)
|
120
|
-
)
|
121
|
-
)
|
122
|
-
)
|
123
|
-
)
|
124
|
-
)
|
125
|
-
)
|
126
|
-
|
127
|
-
return blob
|
128
|
-
end
|
129
|
-
|
130
|
-
# BLOB without GSS usefull for ntlmssp type 1 message
|
131
|
-
def self.make_ntlmssp_blob_init(domain = 'WORKGROUP', name = 'WORKSTATION', flags=0x80201)
|
132
|
-
blob = "NTLMSSP\x00" +
|
133
|
-
[1, flags].pack('VV') +
|
134
|
-
|
135
|
-
[
|
136
|
-
domain.length, #length
|
137
|
-
domain.length, #max length
|
138
|
-
32
|
139
|
-
].pack('vvV') +
|
140
|
-
|
141
|
-
[
|
142
|
-
name.length, #length
|
143
|
-
name.length, #max length
|
144
|
-
domain.length + 32
|
145
|
-
].pack('vvV') +
|
146
|
-
|
147
|
-
domain + name
|
148
|
-
return blob
|
149
|
-
end
|
150
|
-
|
151
|
-
# GSS BLOB usefull for ntlmssp type 1 message
|
152
|
-
def self.make_ntlmssp_secblob_init(domain = 'WORKGROUP', name = 'WORKSTATION', flags=0x80201)
|
153
|
-
blob =
|
154
|
-
"\x60" + self.asn1encode(
|
155
|
-
"\x06" + self.asn1encode(
|
156
|
-
"\x2b\x06\x01\x05\x05\x02"
|
157
|
-
) +
|
158
|
-
"\xa0" + self.asn1encode(
|
159
|
-
"\x30" + self.asn1encode(
|
160
|
-
"\xa0" + self.asn1encode(
|
161
|
-
"\x30" + self.asn1encode(
|
162
|
-
"\x06" + self.asn1encode(
|
163
|
-
"\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"
|
164
|
-
)
|
165
|
-
)
|
166
|
-
) +
|
167
|
-
"\xa2" + self.asn1encode(
|
168
|
-
"\x04" + self.asn1encode(
|
169
|
-
make_ntlmssp_blob_init(domain, name, flags)
|
170
|
-
)
|
171
|
-
)
|
172
|
-
)
|
173
|
-
)
|
174
|
-
)
|
175
|
-
|
176
|
-
return blob
|
177
|
-
end
|
178
|
-
|
179
|
-
|
180
|
-
# BLOB without GSS usefull for ntlm type 2 message
|
181
|
-
def self.make_ntlmssp_blob_chall(win_domain, win_name, dns_domain, dns_name, chall, flags)
|
182
|
-
|
183
|
-
addr_list = ''
|
184
|
-
addr_list << [2, win_domain.length].pack('vv') + win_domain
|
185
|
-
addr_list << [1, win_name.length].pack('vv') + win_name
|
186
|
-
addr_list << [4, dns_domain.length].pack('vv') + dns_domain
|
187
|
-
addr_list << [3, dns_name.length].pack('vv') + dns_name
|
188
|
-
addr_list << [0, 0].pack('vv')
|
189
|
-
|
190
|
-
ptr = 0
|
191
|
-
blob = "NTLMSSP\x00" +
|
192
|
-
[2].pack('V') +
|
193
|
-
[
|
194
|
-
win_domain.length, # length
|
195
|
-
win_domain.length, # max length
|
196
|
-
(ptr += 48) # offset
|
197
|
-
].pack('vvV') +
|
198
|
-
[ flags ].pack('V') +
|
199
|
-
chall +
|
200
|
-
"\x00\x00\x00\x00\x00\x00\x00\x00" +
|
201
|
-
[
|
202
|
-
addr_list.length, # length
|
203
|
-
addr_list.length, # max length
|
204
|
-
(ptr += win_domain.length)
|
205
|
-
].pack('vvV') +
|
206
|
-
win_domain +
|
207
|
-
addr_list
|
208
|
-
return blob
|
209
|
-
end
|
210
|
-
|
211
|
-
# GSS BLOB usefull for ntlmssp type 2 message
|
212
|
-
def self.make_ntlmssp_secblob_chall(win_domain, win_name, dns_domain, dns_name, chall, flags)
|
213
|
-
|
214
|
-
blob =
|
215
|
-
"\xa1" + self.asn1encode(
|
216
|
-
"\x30" + self.asn1encode(
|
217
|
-
"\xa0" + self.asn1encode(
|
218
|
-
"\x0a" + self.asn1encode(
|
219
|
-
"\x01"
|
220
|
-
)
|
221
|
-
) +
|
222
|
-
"\xa1" + self.asn1encode(
|
223
|
-
"\x06" + self.asn1encode(
|
224
|
-
"\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"
|
225
|
-
)
|
226
|
-
) +
|
227
|
-
"\xa2" + self.asn1encode(
|
228
|
-
"\x04" + self.asn1encode(
|
229
|
-
make_ntlmssp_blob_chall(win_domain, win_name, dns_domain, dns_name, chall, flags)
|
230
|
-
)
|
231
|
-
)
|
232
|
-
)
|
233
|
-
)
|
234
|
-
|
235
|
-
return blob
|
236
|
-
end
|
237
|
-
|
238
|
-
# BLOB without GSS Usefull for ntlmssp type 3 message
|
239
|
-
def self.make_ntlmssp_blob_auth(domain, name, user, lm, ntlm, enc_session_key, flags = 0x080201)
|
240
|
-
lm ||= "\x00" * 24
|
241
|
-
ntlm ||= "\x00" * 24
|
242
|
-
|
243
|
-
domain_uni = Rex::Text.to_unicode(domain)
|
244
|
-
user_uni = Rex::Text.to_unicode(user)
|
245
|
-
name_uni = Rex::Text.to_unicode(name)
|
246
|
-
session = enc_session_key
|
247
|
-
|
248
|
-
ptr = 64
|
249
|
-
|
250
|
-
blob = "NTLMSSP\x00" +
|
251
|
-
[ 3 ].pack('V') +
|
252
|
-
|
253
|
-
[ # Lan Manager Response
|
254
|
-
lm.length,
|
255
|
-
lm.length,
|
256
|
-
(ptr)
|
257
|
-
].pack('vvV') +
|
258
|
-
|
259
|
-
[ # NTLM Manager Response
|
260
|
-
ntlm.length,
|
261
|
-
ntlm.length,
|
262
|
-
(ptr += lm.length)
|
263
|
-
].pack('vvV') +
|
264
|
-
|
265
|
-
[ # Domain Name
|
266
|
-
domain_uni.length,
|
267
|
-
domain_uni.length,
|
268
|
-
(ptr += ntlm.length)
|
269
|
-
].pack('vvV') +
|
270
|
-
|
271
|
-
[ # Username
|
272
|
-
user_uni.length,
|
273
|
-
user_uni.length,
|
274
|
-
(ptr += domain_uni.length)
|
275
|
-
].pack('vvV') +
|
276
|
-
|
277
|
-
[ # Hostname
|
278
|
-
name_uni.length,
|
279
|
-
name_uni.length,
|
280
|
-
(ptr += user_uni.length)
|
281
|
-
].pack('vvV') +
|
282
|
-
|
283
|
-
[ # Session Key (none)
|
284
|
-
session.length,
|
285
|
-
session.length,
|
286
|
-
(ptr += name_uni.length)
|
287
|
-
].pack('vvV') +
|
288
|
-
|
289
|
-
[ flags ].pack('V') +
|
290
|
-
|
291
|
-
lm +
|
292
|
-
ntlm +
|
293
|
-
domain_uni +
|
294
|
-
user_uni +
|
295
|
-
name_uni +
|
296
|
-
session + "\x00"
|
297
|
-
return blob
|
298
|
-
|
299
|
-
end
|
300
|
-
|
301
|
-
# GSS BLOB Usefull for ntlmssp type 3 message
|
302
|
-
def self.make_ntlmssp_secblob_auth(domain, name, user, lm, ntlm, enc_session_key, flags = 0x080201)
|
303
|
-
|
304
|
-
blob =
|
305
|
-
"\xa1" + self.asn1encode(
|
306
|
-
"\x30" + self.asn1encode(
|
307
|
-
"\xa2" + self.asn1encode(
|
308
|
-
"\x04" + self.asn1encode(
|
309
|
-
make_ntlmssp_blob_auth(domain, name, user, lm, ntlm, enc_session_key, flags )
|
310
|
-
)
|
311
|
-
)
|
312
|
-
)
|
313
|
-
)
|
314
|
-
return blob
|
315
|
-
end
|
316
|
-
|
317
|
-
|
318
|
-
# GSS BLOB Usefull for SMB Success
|
319
|
-
def self.make_ntlmv2_secblob_success
|
320
|
-
blob =
|
321
|
-
"\xa1" + self.asn1encode(
|
322
|
-
"\x30" + self.asn1encode(
|
323
|
-
"\xa0" + self.asn1encode(
|
324
|
-
"\x0a" + self.asn1encode(
|
325
|
-
"\x00"
|
326
|
-
)
|
327
|
-
)
|
328
|
-
)
|
329
|
-
)
|
330
|
-
return blob
|
331
|
-
end
|
332
|
-
|
333
|
-
# Return the correct ntlmflags upon the configuration
|
334
|
-
def self.make_ntlm_flags(opt = {})
|
335
|
-
|
336
|
-
signing = opt[:signing] != nil ? opt[:signing] : false
|
337
|
-
usentlm2_session = opt[:usentlm2_session] != nil ? opt[:usentlm2_session] : true
|
338
|
-
use_ntlmv2 = opt[:use_ntlmv2] != nil ? opt[:use_ntlmv2] : false
|
339
|
-
send_lm = opt[:send_lm] != nil ? opt[:send_lm] : true
|
340
|
-
send_ntlm = opt[:send_ntlm] != nil ? opt[:send_ntlm] : true
|
341
|
-
use_lanman_key = opt[:use_lanman_key] != nil ? opt[:use_lanman_key] : false
|
342
|
-
|
343
|
-
if signing
|
344
|
-
ntlmssp_flags = 0xe2088215
|
345
|
-
else
|
346
|
-
|
347
|
-
ntlmssp_flags = 0xa2080205
|
348
|
-
end
|
349
|
-
|
350
|
-
if usentlm2_session
|
351
|
-
if use_ntlmv2
|
352
|
-
#set Negotiate Target Info
|
353
|
-
ntlmssp_flags |= CONST::NEGOTIATE_TARGET_INFO
|
354
|
-
end
|
355
|
-
|
356
|
-
else
|
357
|
-
#remove the ntlm2_session flag
|
358
|
-
ntlmssp_flags &= 0xfff7ffff
|
359
|
-
#set lanmanflag only when lm and ntlm are sent
|
360
|
-
if send_lm
|
361
|
-
ntlmssp_flags |= CONST::NEGOTIATE_LMKEY if use_lanman_key
|
362
|
-
end
|
363
|
-
end
|
364
|
-
|
365
|
-
#we can also downgrade ntlm2_session when we send only lmv1
|
366
|
-
ntlmssp_flags &= 0xfff7ffff if usentlm2_session && (not use_ntlmv2) && (not send_ntlm)
|
367
|
-
|
368
|
-
return ntlmssp_flags
|
369
|
-
end
|
370
|
-
|
371
|
-
|
372
|
-
# Parse an ntlm type 2 challenge blob and return usefull data
|
373
|
-
def self.parse_ntlm_type_2_blob(blob)
|
374
|
-
data = {}
|
375
|
-
# Extract the NTLM challenge key the lazy way
|
376
|
-
cidx = blob.index("NTLMSSP\x00\x02\x00\x00\x00")
|
377
|
-
|
378
|
-
if not cidx
|
379
|
-
raise XCEPT::NTLM2MissingChallenge
|
380
|
-
end
|
381
|
-
|
382
|
-
data[:challenge_key] = blob[cidx + 24, 8]
|
383
|
-
|
384
|
-
data[:server_ntlmssp_flags] = blob[cidx + 20, 4].unpack("V")[0]
|
385
|
-
|
386
|
-
# Extract the address list from the blob
|
387
|
-
alist_len,alist_mlen,alist_off = blob[cidx + 40, 8].unpack("vvV")
|
388
|
-
alist_buf = blob[cidx + alist_off, alist_len]
|
389
|
-
|
390
|
-
while(alist_buf.length > 0)
|
391
|
-
atype, alen = alist_buf.slice!(0,4).unpack('vv')
|
392
|
-
break if atype == 0x00
|
393
|
-
addr = alist_buf.slice!(0, alen)
|
394
|
-
case atype
|
395
|
-
when 1
|
396
|
-
#netbios name
|
397
|
-
data[:default_name] = addr.gsub("\x00", '')
|
398
|
-
when 2
|
399
|
-
#netbios domain
|
400
|
-
data[:default_domain] = addr.gsub("\x00", '')
|
401
|
-
when 3
|
402
|
-
#dns name
|
403
|
-
data[:dns_host_name] = addr.gsub("\x00", '')
|
404
|
-
when 4
|
405
|
-
#dns domain
|
406
|
-
data[:dns_domain_name] = addr.gsub("\x00", '')
|
407
|
-
when 5
|
408
|
-
#The FQDN of the forest.
|
409
|
-
when 6
|
410
|
-
#A 32-bit value indicating server or client configuration
|
411
|
-
when 7
|
412
|
-
#Client time
|
413
|
-
data[:chall_MsvAvTimestamp] = addr
|
414
|
-
when 8
|
415
|
-
#A Restriction_Encoding structure
|
416
|
-
when 9
|
417
|
-
#The SPN of the target server.
|
418
|
-
when 10
|
419
|
-
#A channel bindings hash.
|
420
|
-
end
|
421
|
-
end
|
422
|
-
return data
|
423
|
-
end
|
424
|
-
|
425
|
-
# This function return an ntlmv2 client challenge
|
426
|
-
# This is a partial implementation, full description is in [MS-NLMP].pdf around 3.1.5.2.1 :-/
|
427
|
-
def self.make_ntlmv2_clientchallenge(win_domain, win_name, dns_domain, dns_name,
|
428
|
-
client_challenge = nil, chall_MsvAvTimestamp = nil, spnopt = {})
|
429
|
-
|
430
|
-
client_challenge ||= Rex::Text.rand_text(8)
|
431
|
-
# We have to set the timestamps here to the one in the challenge message from server if present
|
432
|
-
# If we don't do that, recent server like Seven/2008 will send a STATUS_INVALID_PARAMETER error packet
|
433
|
-
timestamp = chall_MsvAvTimestamp != '' ? chall_MsvAvTimestamp : self.time_unix_to_smb(Time.now.to_i).reverse.pack("VV")
|
434
|
-
# Make those values unicode as requested
|
435
|
-
win_domain = Rex::Text.to_unicode(win_domain)
|
436
|
-
win_name = Rex::Text.to_unicode(win_name)
|
437
|
-
dns_domain = Rex::Text.to_unicode(dns_domain)
|
438
|
-
dns_name = Rex::Text.to_unicode(dns_name)
|
439
|
-
# Make the AV_PAIRs
|
440
|
-
addr_list = ''
|
441
|
-
addr_list << [2, win_domain.length].pack('vv') + win_domain
|
442
|
-
addr_list << [1, win_name.length].pack('vv') + win_name
|
443
|
-
addr_list << [4, dns_domain.length].pack('vv') + dns_domain
|
444
|
-
addr_list << [3, dns_name.length].pack('vv') + dns_name
|
445
|
-
addr_list << [7, 8].pack('vv') + timestamp
|
446
|
-
|
447
|
-
# Windows Seven / 2008r2 Request this type if in local security policies,
|
448
|
-
# Microsoft network server : Server SPN target name validation level is set to <Required from client>
|
449
|
-
# otherwise it send an STATUS_ACCESS_DENIED packet
|
450
|
-
if spnopt[:use_spn]
|
451
|
-
spn= Rex::Text.to_unicode("cifs/#{spnopt[:name] || 'unknow'}")
|
452
|
-
addr_list << [9, spn.length].pack('vv') + spn
|
453
|
-
end
|
454
|
-
|
455
|
-
# MAY BE USEFUL FOR FUTURE
|
456
|
-
# Seven (client) add at least one more av that is of type MsAvRestrictions (8)
|
457
|
-
# maybe this will be usefull with future windows OSs but has no use at all for the moment afaik
|
458
|
-
# restriction_encoding = [48,0,0,0].pack("VVV") + # Size, Z4, IntegrityLevel, SubjectIntegrityLevel
|
459
|
-
# Rex::Text.rand_text(32) # MachineId generated on startup on win7 and above
|
460
|
-
# addr_list << [8, restriction_encoding.length].pack('vv') + restriction_encoding
|
461
|
-
|
462
|
-
# Seven (client) and maybe others versions also add an av of type MsvChannelBindings (10) but the hash is "\x00" * 16
|
463
|
-
# addr_list << [10, 16].pack('vv') + "\x00" * 16
|
464
|
-
|
465
|
-
|
466
|
-
addr_list << [0, 0].pack('vv')
|
467
|
-
ntlm_clientchallenge = [1,1,0,0].pack("CCvV") + #RespType, HiRespType, Reserved1, Reserved2
|
468
|
-
timestamp + #Timestamp
|
469
|
-
client_challenge + #clientchallenge
|
470
|
-
[0].pack("V") + #Reserved3
|
471
|
-
addr_list + "\x00" * 4
|
472
|
-
|
473
|
-
end
|
474
|
-
|
475
|
-
# create lm/ntlm responses
|
476
|
-
def self.create_lm_ntlm_responses(user, pass, challenge_key, domain = '', default_name = '', default_domain = '',
|
477
|
-
dns_host_name = '', dns_domain_name = '', chall_MsvAvTimestamp = nil, spnopt = {}, opt = {} )
|
478
|
-
|
479
|
-
usentlm2_session = opt[:usentlm2_session] != nil ? opt[:usentlm2_session] : true
|
480
|
-
use_ntlmv2 = opt[:use_ntlmv2] != nil ? opt[:use_ntlmv2] : false
|
481
|
-
send_lm = opt[:send_lm] != nil ? opt[:send_lm] : true
|
482
|
-
send_ntlm = opt[:send_ntlm] != nil ? opt[:send_ntlm] : true
|
483
|
-
|
484
|
-
#calculate the lm/ntlm response
|
485
|
-
resp_lm = "\x00" * 24
|
486
|
-
resp_ntlm = "\x00" * 24
|
487
|
-
|
488
|
-
client_challenge = Rex::Text.rand_text(8)
|
489
|
-
ntlm_cli_challenge = ''
|
490
|
-
if send_ntlm #should be default
|
491
|
-
if usentlm2_session
|
492
|
-
if use_ntlmv2
|
493
|
-
ntlm_cli_challenge = self.make_ntlmv2_clientchallenge(default_domain, default_name, dns_domain_name,
|
494
|
-
dns_host_name,client_challenge ,
|
495
|
-
chall_MsvAvTimestamp, spnopt)
|
496
|
-
if self.is_pass_ntlm_hash?(pass)
|
497
|
-
argntlm = {
|
498
|
-
:ntlmv2_hash => CRYPT::ntlmv2_hash(
|
499
|
-
user,
|
500
|
-
[ pass.upcase()[33,65] ].pack('H32'),
|
501
|
-
domain,{:pass_is_hash => true}
|
502
|
-
),
|
503
|
-
:challenge => challenge_key
|
504
|
-
}
|
505
|
-
else
|
506
|
-
argntlm = {
|
507
|
-
:ntlmv2_hash => CRYPT::ntlmv2_hash(user, pass, domain),
|
508
|
-
:challenge => challenge_key
|
509
|
-
}
|
510
|
-
end
|
511
|
-
|
512
|
-
optntlm = { :nt_client_challenge => ntlm_cli_challenge}
|
513
|
-
ntlmv2_response = CRYPT::ntlmv2_response(argntlm,optntlm)
|
514
|
-
resp_ntlm = ntlmv2_response
|
515
|
-
|
516
|
-
if send_lm
|
517
|
-
if self.is_pass_ntlm_hash?(pass)
|
518
|
-
arglm = {
|
519
|
-
:ntlmv2_hash => CRYPT::ntlmv2_hash(
|
520
|
-
user,
|
521
|
-
[ pass.upcase()[33,65] ].pack('H32'),
|
522
|
-
domain,{:pass_is_hash => true}
|
523
|
-
),
|
524
|
-
:challenge => challenge_key
|
525
|
-
}
|
526
|
-
else
|
527
|
-
arglm = {
|
528
|
-
:ntlmv2_hash => CRYPT::ntlmv2_hash(user,pass, domain),
|
529
|
-
:challenge => challenge_key
|
530
|
-
}
|
531
|
-
end
|
532
|
-
|
533
|
-
optlm = { :client_challenge => client_challenge }
|
534
|
-
resp_lm = CRYPT::lmv2_response(arglm, optlm)
|
535
|
-
else
|
536
|
-
resp_lm = "\x00" * 24
|
537
|
-
end
|
538
|
-
|
539
|
-
else # ntlm2_session
|
540
|
-
if self.is_pass_ntlm_hash?(pass)
|
541
|
-
argntlm = {
|
542
|
-
:ntlm_hash => [ pass.upcase()[33,65] ].pack('H32'),
|
543
|
-
:challenge => challenge_key
|
544
|
-
}
|
545
|
-
else
|
546
|
-
argntlm = {
|
547
|
-
:ntlm_hash => CRYPT::ntlm_hash(pass),
|
548
|
-
:challenge => challenge_key
|
549
|
-
}
|
550
|
-
end
|
551
|
-
|
552
|
-
optntlm = { :client_challenge => client_challenge}
|
553
|
-
resp_ntlm = CRYPT::ntlm2_session(argntlm,optntlm).join[24,24]
|
554
|
-
|
555
|
-
# Generate the fake LANMAN hash
|
556
|
-
resp_lm = client_challenge + ("\x00" * 16)
|
557
|
-
end
|
558
|
-
|
559
|
-
else # we use lmv1/ntlmv1
|
560
|
-
if self.is_pass_ntlm_hash?(pass)
|
561
|
-
argntlm = {
|
562
|
-
:ntlm_hash => [ pass.upcase()[33,65] ].pack('H32'),
|
563
|
-
:challenge => challenge_key
|
564
|
-
}
|
565
|
-
else
|
566
|
-
argntlm = {
|
567
|
-
:ntlm_hash => CRYPT::ntlm_hash(pass),
|
568
|
-
:challenge => challenge_key
|
569
|
-
}
|
570
|
-
end
|
571
|
-
|
572
|
-
resp_ntlm = CRYPT::ntlm_response(argntlm)
|
573
|
-
if send_lm
|
574
|
-
if self.is_pass_ntlm_hash?(pass)
|
575
|
-
arglm = {
|
576
|
-
:lm_hash => [ pass.upcase()[0,32] ].pack('H32'),
|
577
|
-
:challenge => challenge_key
|
578
|
-
}
|
579
|
-
else
|
580
|
-
arglm = {
|
581
|
-
:lm_hash => CRYPT::lm_hash(pass),
|
582
|
-
:challenge => challenge_key
|
583
|
-
}
|
584
|
-
end
|
585
|
-
resp_lm = CRYPT::lm_response(arglm)
|
586
|
-
else
|
587
|
-
#when windows does not send lm in ntlmv1 type response,
|
588
|
-
# it gives lm response the same value as ntlm response
|
589
|
-
resp_lm = resp_ntlm
|
590
|
-
end
|
591
|
-
end
|
592
|
-
else #send_ntlm = false
|
593
|
-
#lmv2
|
594
|
-
if usentlm2_session && use_ntlmv2
|
595
|
-
if self.is_pass_ntlm_hash?(pass)
|
596
|
-
arglm = {
|
597
|
-
:ntlmv2_hash => CRYPT::ntlmv2_hash(
|
598
|
-
user,
|
599
|
-
[ pass.upcase()[33,65] ].pack('H32'),
|
600
|
-
domain,{:pass_is_hash => true}
|
601
|
-
),
|
602
|
-
:challenge => challenge_key
|
603
|
-
}
|
604
|
-
else
|
605
|
-
arglm = {
|
606
|
-
:ntlmv2_hash => CRYPT::ntlmv2_hash(user,pass, domain),
|
607
|
-
:challenge => challenge_key
|
608
|
-
}
|
609
|
-
end
|
610
|
-
optlm = { :client_challenge => client_challenge }
|
611
|
-
resp_lm = CRYPT::lmv2_response(arglm, optlm)
|
612
|
-
else
|
613
|
-
if self.is_pass_ntlm_hash?(pass)
|
614
|
-
arglm = {
|
615
|
-
:lm_hash => [ pass.upcase()[0,32] ].pack('H32'),
|
616
|
-
:challenge => challenge_key
|
617
|
-
}
|
618
|
-
else
|
619
|
-
arglm = {
|
620
|
-
:lm_hash => CRYPT::lm_hash(pass),
|
621
|
-
:challenge => challenge_key
|
622
|
-
}
|
623
|
-
end
|
624
|
-
resp_lm = CRYPT::lm_response(arglm)
|
625
|
-
end
|
626
|
-
resp_ntlm = ""
|
627
|
-
end
|
628
|
-
return resp_lm, resp_ntlm, client_challenge, ntlm_cli_challenge
|
629
|
-
end
|
630
|
-
|
631
|
-
# create the session key
|
632
|
-
def self.create_session_key(server_ntlmssp_flags, user, pass, domain, challenge_key,
|
633
|
-
client_challenge = '', ntlm_cli_challenge = '' , opt = {} )
|
634
|
-
|
635
|
-
usentlm2_session = opt[:usentlm2_session] != nil ? opt[:usentlm2_session] : true
|
636
|
-
use_ntlmv2 = opt[:use_ntlmv2] != nil ? opt[:use_ntlmv2] : false
|
637
|
-
send_lm = opt[:send_lm] != nil ? opt[:send_lm] : true
|
638
|
-
send_ntlm = opt[:send_ntlm] != nil ? opt[:send_ntlm] : true
|
639
|
-
use_lanman_key = opt[:use_lanman_key] != nil ? opt[:use_lanman_key] : false
|
640
|
-
|
641
|
-
# Create the sessionkey (aka signing key, aka mackey) and encrypted session key
|
642
|
-
# Server will decide for key_size and key_exchange
|
643
|
-
enc_session_key = ''
|
644
|
-
signing_key = ''
|
645
|
-
|
646
|
-
# Set default key size and key exchange values
|
647
|
-
key_size = 40
|
648
|
-
key_exchange = false
|
649
|
-
# Remove ntlmssp.negotiate56
|
650
|
-
ntlmssp_flags &= 0x7fffffff
|
651
|
-
# Remove ntlmssp.negotiatekeyexch
|
652
|
-
ntlmssp_flags &= 0xbfffffff
|
653
|
-
# Remove ntlmssp.negotiate128
|
654
|
-
ntlmssp_flags &= 0xdfffffff
|
655
|
-
# Check the keyexchange
|
656
|
-
if server_ntlmssp_flags & CONST::NEGOTIATE_KEY_EXCH != 0 then
|
657
|
-
key_exchange = true
|
658
|
-
ntlmssp_flags |= CONST::NEGOTIATE_KEY_EXCH
|
659
|
-
end
|
660
|
-
# Check 128bits
|
661
|
-
if server_ntlmssp_flags & CONST::NEGOTIATE_128 != 0 then
|
662
|
-
key_size = 128
|
663
|
-
ntlmssp_flags |= CONST::NEGOTIATE_128
|
664
|
-
ntlmssp_flags |= CONST::NEGOTIATE_56
|
665
|
-
# Check 56bits
|
666
|
-
else
|
667
|
-
if server_ntlmssp_flags & CONST::NEGOTIATE_56 != 0 then
|
668
|
-
key_size = 56
|
669
|
-
ntlmssp_flags |= CONST::NEGOTIATE_56
|
670
|
-
end
|
671
|
-
end
|
672
|
-
|
673
|
-
# Generate the user session key
|
674
|
-
lanman_weak = false
|
675
|
-
if send_ntlm # Should be default
|
676
|
-
if usentlm2_session
|
677
|
-
if use_ntlmv2
|
678
|
-
if self.is_pass_ntlm_hash?(pass)
|
679
|
-
user_session_key = CRYPT::ntlmv2_user_session_key(user,
|
680
|
-
[ pass.upcase()[33,65] ].pack('H32'),
|
681
|
-
domain,
|
682
|
-
challenge_key, ntlm_cli_challenge,
|
683
|
-
{:pass_is_hash => true})
|
684
|
-
else
|
685
|
-
user_session_key = CRYPT::ntlmv2_user_session_key(user, pass, domain,
|
686
|
-
challenge_key, ntlm_cli_challenge)
|
687
|
-
end
|
688
|
-
else
|
689
|
-
if self.is_pass_ntlm_hash?(pass)
|
690
|
-
user_session_key = CRYPT::ntlm2_session_user_session_key([ pass.upcase()[33,65] ].pack('H32'),
|
691
|
-
challenge_key,
|
692
|
-
client_challenge,
|
693
|
-
{:pass_is_hash => true})
|
694
|
-
else
|
695
|
-
user_session_key = CRYPT::ntlm2_session_user_session_key(pass, challenge_key,
|
696
|
-
client_challenge)
|
697
|
-
end
|
698
|
-
end
|
699
|
-
else # lmv1/ntlmv1
|
700
|
-
# lanman_key may also be used without ntlm response but it is not so much used
|
701
|
-
# so we don't care about this feature
|
702
|
-
if send_lm && use_lanman_key
|
703
|
-
if self.is_pass_ntlm_hash?(pass)
|
704
|
-
user_session_key = CRYPT::lanman_session_key([ pass.upcase()[0,32] ].pack('H32'),
|
705
|
-
challenge_key,
|
706
|
-
{:pass_is_hash => true})
|
707
|
-
else
|
708
|
-
user_session_key = CRYPT::lanman_session_key(pass, challenge_key)
|
709
|
-
end
|
710
|
-
lanman_weak = true
|
711
|
-
|
712
|
-
|
713
|
-
else
|
714
|
-
if self.is_pass_ntlm_hash?(pass)
|
715
|
-
user_session_key = CRYPT::ntlmv1_user_session_key([ pass.upcase()[33,65] ].pack('H32'),
|
716
|
-
{:pass_is_hash => true})
|
717
|
-
else
|
718
|
-
user_session_key = CRYPT::ntlmv1_user_session_key(pass)
|
719
|
-
end
|
720
|
-
end
|
721
|
-
end
|
722
|
-
else
|
723
|
-
if usentlm2_session && use_ntlmv2
|
724
|
-
if self.is_pass_ntlm_hash?(pass)
|
725
|
-
user_session_key = CRYPT::lmv2_user_session_key(user, [ pass.upcase()[33,65] ].pack('H32'),
|
726
|
-
domain,
|
727
|
-
challenge_key, client_challenge,
|
728
|
-
{:pass_is_hash => true})
|
729
|
-
else
|
730
|
-
user_session_key = CRYPT::lmv2_user_session_key(user, pass, domain,
|
731
|
-
challenge_key, client_challenge)
|
732
|
-
end
|
733
|
-
else
|
734
|
-
if self.is_pass_ntlm_hash?(pass)
|
735
|
-
user_session_key = CRYPT::lmv1_user_session_key([ pass.upcase()[0,32] ].pack('H32'),
|
736
|
-
{:pass_is_hash => true})
|
737
|
-
else
|
738
|
-
user_session_key = CRYPT::lmv1_user_session_key(pass)
|
739
|
-
end
|
740
|
-
end
|
741
|
-
end
|
742
|
-
|
743
|
-
user_session_key = CRYPT::make_weak_sessionkey(user_session_key,key_size, lanman_weak)
|
744
|
-
|
745
|
-
# Sessionkey and encrypted session key
|
746
|
-
if key_exchange
|
747
|
-
signing_key = Rex::Text.rand_text(16)
|
748
|
-
enc_session_key = CRYPT::encrypt_sessionkey(signing_key, user_session_key)
|
749
|
-
else
|
750
|
-
signing_key = user_session_key
|
751
|
-
end
|
752
|
-
|
753
|
-
return signing_key, enc_session_key
|
754
|
-
|
755
|
-
|
756
|
-
end
|
757
|
-
|
758
|
-
|
759
|
-
|
760
|
-
end
|
761
|
-
end
|
762
|
-
end
|
763
|
-
end
|