rex 1.0.2 → 2.0.2

data/lib/rex/proto/drda.rb

@@ -0,0 +1,6 @@
+# -*- coding: binary -*-
+require 'rex/proto/drda/constants'
+require 'rex/proto/drda/packet'
+require 'rex/proto/drda/utils'
+
+

data/lib/rex/proto/drda/constants.rb

@@ -0,0 +1,50 @@
+# -*- coding: binary -*-
+require 'rex/proto/drda'
+
+module Rex
+module Proto
+module DRDA
+class Constants
+
+require 'rex/text'
+
+# DRDA Code Points
+
+EXCSAT     = 0x1041 # Exchange Server Attributes
+EXTNAM     = 0x115e # External Name
+MGRLVLLS   = 0x1404 # Manager-Level List
+SRVCLSNM   = 0x1147 # Server Class Name
+SRVNAM     = 0x116d # Server Name
+SRVRLSLV   = 0x115a # Server Product Release Level
+ACCSEC     = 0x106d # Access Security
+SECMEC     = 0x11a2 # Security Mechanism
+RDBNAM     = 0x2110 # Relational Database Name
+SECTKN     = 0x11dc # Security Token
+EXCSATRD   = 0x1443 # Server Attributes Reply Data
+ACCSECRD   = 0x14ac # Access Security Reply Data
+SRVDGN     = 0x1153 # Server Diagnostic Information
+RDBNFNRM   = 0x2211 # Relational Database Not Found
+SECCHK     = 0x106e # Security Check
+USERID     = 0x11a0 # Remote User ID
+PASSWORD   = 0x11a1 # Remote Password
+RDBACCCL   = 0x210f # RDB Access Manager Class
+PRDID      = 0x112e # Product-Specific Identifier
+PRDDTA     = 0x2104 # Product-Specific Data
+TYPEDEFNAM = 0x002f # Data Type Definition Name
+TTPEDEFOVR = 0x0035 # TYPEDEF Overrides
+CRRTKN     = 0x2135 # Correlation Token
+TRGDFTRT   = 0x213b # Target Default Value Return
+SQLCARD    = 0x2408 # SQL Communications Area Reply Data
+SECCHKRM   = 0x1219 # Security Check Response Message
+SRVCOD     = 0x1149 # Severity Code
+SECCHKCD   = 0x11a4 # Security Check Code
+ACCRDBRM   = 0x2201 # Access to RDB Completed
+
+def self.const_values
+  self.constants.map {|x| self.const_get x}
+end
+
+end
+end
+end
+end

data/lib/rex/proto/drda/packet.rb

@@ -0,0 +1,253 @@
+# -*- coding: binary -*-
+require 'rex/proto/drda'
+
+module Rex
+module Proto
+module DRDA
+
+class Error < StandardError; end
+class RespError < Error; end
+
+# See:
+# http://publib.boulder.ibm.com/infocenter/dzichelp/v2r2/index.jsp?topic=/com.ibm.db29.doc.drda/db2z_excsat.htm
+class MGRLVLLS_PARAM < Struct.new(:length, :codepoint, :payload)
+  def initialize(args={})
+    self[:codepoint] = Constants::MGRLVLLS
+    self[:payload] = "\x14\x03\x00\x0a\x24\x07\x00\x0a" +
+      "\x14\x74\x00\x05\x24\x0f\x00\x08" +
+      "\x14\x40\x00\x09\x1c\x08\x04\xb8"
+    self[:length] = self[:payload].to_s.size+4
+  end
+  def to_s
+    self.to_a.pack("nna*")
+  end
+end
+
+# Currently, only takes a MGRLVLLS param. Extend the struct
+# when more parameters are defined.
+class EXCSAT_DDM < Struct.new(:length, :magic, :format, :correlid, :length2,
+   :codepoint, :mgrlvlls)
+
+  def initialize(args={})
+    self[:magic] = 0xd0
+    self[:format] = 0x41
+    self[:correlid] = 1
+    self[:codepoint] = Constants::EXCSAT
+    self[:mgrlvlls] = args[:mgrlvlls] || MGRLVLLS_PARAM.new.to_s
+    self[:length] = (10 + self[:mgrlvlls].to_s.size)
+    self[:length2] = self[:length]-6
+  end
+
+  def to_s
+    packstr = "nCCnnn"
+    packstr += "a*"  # Pack smarter as more params are added.
+    self.to_a.pack(packstr)
+  end
+end
+
+# See http://publib.boulder.ibm.com/infocenter/dzichelp/v2r2/index.jsp?topic=/com.ibm.db29.doc.drda/db2z_accsec.htm
+# for all sorts of info about SECMEC.
+class SECMEC_PARAM < Struct.new(:length, :codepoint, :payload)
+  def initialize(args={})
+    self[:length] = 6
+    self[:codepoint] = Constants::SECMEC
+    self[:payload] = 3 # Plaintext username and password.
+  end
+  def to_s
+    self.to_a.pack("nnn")
+  end
+end
+
+# Relational Database name parameter.
+class RDBNAM_PARAM < Struct.new(:length, :codepoint, :payload)
+  def initialize(args={})
+    self[:length] = 22 # Since the database name is padded out.
+    self[:codepoint] = Constants::RDBNAM
+    self[:payload] = encode(args[:payload].to_s)
+  end
+
+  def encode(str)
+    Rex::Text.to_ebcdic([str].pack("A18"))
+  end
+
+  def payload=(str)
+    self[:payload] = encode(str.to_s)
+  end
+
+  def to_s
+    self.to_a.pack("nna18")
+  end
+
+end
+
+# The ACCSEC DDM is responsible for picking the security mechanism (SECMEC)
+# which, in our case, will always be plain text username and password. It
+# also sets the relational database name (RDBNAM), if specified. You need
+# one to login, but not to probe.
+class ACCSEC_DDM < Struct.new(:length, :magic, :format, :correlid, :length2,
+   :codepoint, :secmec, :rdbnam)
+  def initialize(args={})
+    self[:magic] = 0xd0
+    self[:format] = args[:format] || 0x01
+    self[:correlid] = 2
+    self[:codepoint] = Constants::ACCSEC
+    self[:secmec] = SECMEC_PARAM.new.to_s
+    if args[:dbname] # Include a database name if we're given one.
+      self[:rdbnam] = RDBNAM_PARAM.new(:payload => args[:dbname]).to_s
+    end
+    self[:length] =  10 + self[:secmec].to_s.size + self[:rdbnam].to_s.size
+    self[:length2] = self[:length]-6
+  end
+  def dbname=(str)
+    self[:rdbnam] = RDBNAM_PARAM.new(:payload => args[:dbname]).to_s
+  end
+  def to_s
+    packstr = "nCCnnna6"
+    packstr += "a22" if self[:rdbnam]
+    self.to_a.pack(packstr)
+  end
+end
+
+class DDM_PARAM < Struct.new(:length, :codepoint, :payload)
+
+  def read(str="")
+    raise DRDA::Error, "Input isn't a String." if !str.kind_of? String
+    raise DRDA::RespError, "DDM_PARAM is too short" if str.size < 4
+    (self[:length], self[:codepoint]) =
+      str.unpack("nn")
+    raise DRDA::RespError, "DDM_PARAM Length is too short" if self[:length] < 4
+    rest = str[4,self[:length]-4] # If it's negative or whatever, it'll end up as "".
+    self[:payload] = rest.to_s[0,self[:length]-4]
+    return self
+  end
+
+  def to_s
+    self.to_a.pack("nna*")
+  end
+
+end
+
+class BASIC_DDM < Struct.new(:length, :magic, :format, :correlid,
+  :length2, :codepoint, :payload)
+  def initialize
+    self[:payload] = []
+  end
+
+  def read(str="")
+    self[:payload].clear
+    raise DRDA::Error, "Input isn't a String." if !str.kind_of? String
+    raise DRDA::RespError, "Response is too short." if str.size < 10
+    (self[:length],self[:magic],self[:format],
+     self[:correlid],self[:length2],self[:codepoint]) =
+     str.unpack("nCCnnn")
+    sanity_check
+    rest = str[10,self[:length2]-4]
+    i = 0
+    while (i < rest.size)
+      if self[:codepoint] == Constants::SQLCARD # These aren't DDM's.
+        this_param = rest[i,self[:length]-10]
+      else
+        this_param = DDM_PARAM.new.read(rest[i,rest.size])
+      end
+      self[:payload] << this_param
+      i += this_param.to_s.size
+    end
+    return self
+  end
+
+  # Just a quick test.
+  def sanity_check
+    if self[:length] < 10
+      raise DRDA::RespError, "DDM Length is too short."
+    elsif self[:length2] < 4
+      raise DRDA::RespError, "DDM Length2 is too short."
+    elsif self[:length]-6 != self[:length2]
+      raise DRDA::RespError, "Codepoint: 0x#{self[:codepoint].to_s(16)} DDM Length2 (0x#{self[:length2].to_s(16)}) isn't six less than Length (0x#{self[:length].to_s(16)})"
+    end
+  end
+
+  def to_s
+    self.to_a.pack("nCCnnn") + self[:payload].map {|x| x.to_s}.join
+  end
+
+end
+
+class SERVER_PACKET < Array
+
+  def read(str="")
+    raise DRDA::Error, "Input isn't a String." if !str.kind_of? String
+    self.clear
+    i = 0
+    while(i < str.size)
+      this_ddm = BASIC_DDM.new.read(str[i,str.size])
+      self << this_ddm
+      i += this_ddm.to_s.size
+    end
+    return self
+  end
+
+  def to_s; self.join; end
+  def sz; self.to_s.size; end
+
+end
+
+class PASSWORD_PARAM < Struct.new(:length, :codepoint, :payload)
+  def initialize(args={})
+    self[:codepoint] = Constants::PASSWORD
+    self[:payload] = Rex::Text.to_ebcdic(args[:payload].to_s)
+    self[:length] = self[:payload].size + 4
+  end
+  def encode(str)
+    Rex::Text.to_ebcdic(str)
+  end
+  def to_s
+    self.to_a.pack("nna*")
+  end
+end
+
+class USERID_PARAM < Struct.new(:length, :codepoint, :payload)
+  def initialize(args={})
+    self[:codepoint] = Constants::USERID
+    self[:payload] = Rex::Text.to_ebcdic(args[:payload].to_s)
+    self[:length] = self[:payload].size + 4
+  end
+  def encode(str)
+    Rex::Text.to_ebcdic(str)
+  end
+  def to_s
+    self.to_a.pack("nna*")
+  end
+end
+
+class SECCHK_DDM < Struct.new(:length, :magic, :format, :correlid, :length2,
+  :codepoint, :secmec, :rdbnam, :password, :userid)
+  def initialize(args={}) # Takes :dbname, :dbpass, :dbuser
+    self[:magic] = 0xd0
+    self[:format] = 0x01
+    self[:correlid] = 2
+    self[:codepoint] = Constants::SECCHK
+    self[:secmec] = SECMEC_PARAM.new.to_s
+    if args[:dbname] # Include a database name if we're given one.
+      self[:rdbnam] = RDBNAM_PARAM.new(:payload => args[:dbname]).to_s
+    end
+    self[:password] = PASSWORD_PARAM.new(:payload => args[:dbpass]).to_s
+    self[:userid] = USERID_PARAM.new(:payload => args[:dbuser]).to_s
+    self[:length] = ( 10 + self[:secmec].to_s.size + self[:rdbnam].to_s.size +
+           self[:password].to_s.size + self[:userid].to_s.size )
+    self[:length2] = self[:length]-6
+  end
+  def dbname=(str)
+    self[:rdbnam] = RDBNAM_PARAM.new(:payload => args[:dbname]).to_s
+  end
+  def to_s
+    packstr = "nCCnnna6"
+    packstr += "a22" if self[:rdbnam]
+    packstr += "a*a*" # username and password
+    self.to_a.pack(packstr)
+  end
+end
+
+end
+end
+end
+

data/lib/rex/proto/drda/utils.rb

@@ -0,0 +1,124 @@
+# -*- coding: binary -*-
+require 'rex/proto/drda'
+
+module Rex
+module Proto
+module DRDA
+class Utils
+
+  # Creates a packet with EXCSAT_DDM and an ACCSEC_DDM. This will elicit
+  # a reponse from the target server.
+  def self.client_probe(dbname=nil)
+    pkt = [
+      EXCSAT_DDM.new,
+      ACCSEC_DDM.new(:dbname => dbname)
+    ]
+    pkt.map {|x| x.to_s}.join
+  end
+
+  # Creates a packet with EXCSAT_DDM and an SECCHK_DDM.
+  # In order to ever succeed, you do need a successful probe first.
+  def self.client_auth(args={})
+    dbname = args[:dbname]
+    dbuser = args[:dbuser]
+    dbpass = args[:dbpass]
+    pkt = [
+      ACCSEC_DDM.new(:format => 0x41),
+      SECCHK_DDM.new(:dbname => dbname, :dbuser => dbuser, :dbpass => dbpass)
+    ]
+    pkt.map {|x| x.to_s}.join
+  end
+
+  def self.server_packet_info(obj)
+    info_hash = {}
+    return info_hash unless obj.kind_of? Rex::Proto::DRDA::SERVER_PACKET
+    obj.each do |ddm|
+      case ddm.codepoint
+      when Constants::EXCSATRD
+        info_hash.merge!(_info_excsatrd(ddm))
+      when Constants::ACCSECRD
+        info_hash.merge!(_info_accsecrd(ddm))
+      when Constants::RDBNFNRM
+        info_hash.merge!(_info_rdbnfnrm(ddm))
+      when Constants::SECCHKRM
+        info_hash.merge!(_info_secchkrm(ddm))
+      else
+        next
+      end
+    end
+    return info_hash
+  end
+
+  def self._info_excsatrd(ddm)
+    info_hash = {:excsatrd => true}
+    ddm.payload.each do |param|
+      case param.codepoint
+      when Constants::SRVNAM
+        info_hash[:instance_name] = Rex::Text.from_ebcdic(param.payload)
+      when Constants::SRVCLSNM
+        info_hash[:platform] = Rex::Text.from_ebcdic(param.payload)
+      when Constants::SRVRLSLV
+        info_hash[:version] = Rex::Text.from_ebcdic(param.payload)
+      else
+        next
+      end
+    end
+    return info_hash
+  end
+
+  def self._info_accsecrd(ddm)
+    info_hash = {:accsecrd => true}
+    ddm.payload.each do |param|
+      case param.codepoint
+      when Constants::SECMEC
+        info_hash[:plaintext_auth] = true if param.payload =~ /\x00\x03/n
+      when Constants::SECCHKCD
+        info_hash[:security_check_code] = param.payload.unpack("C").first
+        # A little spurious? This is always nonzero when there's no SECCHKRM DDM.
+        info_hash[:db_login_success] = false unless info_hash[:security_check_code].zero?
+      else
+        next
+      end
+    end
+    return info_hash
+  end
+
+  def self._info_rdbnfnrm(ddm)
+    info_hash = {:rdbnfnrm => true}
+    info_hash[:database_found] = false
+    ddm.payload.each do |param|
+      case param.codepoint
+      when Constants::RDBNAM
+        info_hash[:db_name] = Rex::Text.from_ebcdic(param.payload).unpack("A*").first
+      when Constants::SRVDGN
+        info_hash[:error_message] = Rex::Text.from_ebcdic(param.payload)
+      else
+        next
+      end
+    end
+    return info_hash
+  end
+
+  def self._info_secchkrm(ddm)
+    info_hash = {:secchkrm => true}
+    ddm.payload.each do |param|
+      case param.codepoint
+      when Constants::SRVCOD
+        info_hash[:severity_code] = param.payload.unpack("n").first
+      when Constants::SECCHKCD
+        info_hash[:security_check_code] = param.payload.unpack("C").first
+      else
+        next
+      end
+    end
+    if info_hash[:serverity].to_i.zero? and info_hash[:security_check_code].to_i.zero?
+      info_hash[:db_login_success] = true
+    end
+    return info_hash
+  end
+
+end
+
+end
+end
+end

data/lib/rex/proto/http.rb

@@ -0,0 +1,7 @@
+# -*- coding: binary -*-
+require 'rex/proto/http/packet'
+require 'rex/proto/http/request'
+require 'rex/proto/http/response'
+require 'rex/proto/http/client'
+require 'rex/proto/http/server'
+require 'rex/proto/http/client_request'

data/lib/rex/proto/http/client.rb

@@ -0,0 +1,722 @@
+# -*- coding: binary -*-
+require 'rex/socket'
+require 'rex/proto/http'
+require 'rex/text'
+require 'digest'
+require 'rex/proto/ntlm/crypt'
+require 'rex/proto/ntlm/constants'
+require 'rex/proto/ntlm/utils'
+require 'rex/proto/ntlm/exceptions'
+
+require 'rex/proto/http/client_request'
+
+module Rex
+module Proto
+module Http
+
+###
+#
+# Acts as a client to an HTTP server, sending requests and receiving responses.
+#
+# See the RFC: http://www.w3.org/Protocols/rfc2616/rfc2616.html
+#
+###
+class Client
+
+  DefaultUserAgent = ClientRequest::DefaultUserAgent
+
+  #
+  # Creates a new client instance
+  #
+  def initialize(host, port = 80, context = {}, ssl = nil, ssl_version = nil, proxies = nil, username = '', password = '')
+    self.hostname = host
+    self.port     = port.to_i
+    self.context  = context
+    self.ssl      = ssl
+    self.ssl_version = ssl_version
+    self.proxies  = proxies
+    self.username = username
+    self.password = password
+
+    # Take ClientRequest's defaults, but override with our own
+    self.config = Http::ClientRequest::DefaultConfig.merge({
+      'read_max_data'   => (1024*1024*1),
+      'vhost'           => self.hostname,
+    })
+
+    # XXX: This info should all be controlled by ClientRequest
+    self.config_types = {
+      'uri_encode_mode'        => ['hex-normal', 'hex-all', 'hex-random', 'u-normal', 'u-random', 'u-all'],
+      'uri_encode_count'       => 'integer',
+      'uri_full_url'           => 'bool',
+      'pad_method_uri_count'   => 'integer',
+      'pad_uri_version_count'  => 'integer',
+      'pad_method_uri_type'    => ['space', 'tab', 'apache'],
+      'pad_uri_version_type'   => ['space', 'tab', 'apache'],
+      'method_random_valid'    => 'bool',
+      'method_random_invalid'  => 'bool',
+      'method_random_case'     => 'bool',
+      'version_random_valid'   => 'bool',
+      'version_random_invalid' => 'bool',
+      'version_random_case'    => 'bool',
+      'uri_dir_self_reference' => 'bool',
+      'uri_dir_fake_relative'  => 'bool',
+      'uri_use_backslashes'    => 'bool',
+      'pad_fake_headers'       => 'bool',
+      'pad_fake_headers_count' => 'integer',
+      'pad_get_params'         => 'bool',
+      'pad_get_params_count'   => 'integer',
+      'pad_post_params'        => 'bool',
+      'pad_post_params_count'  => 'integer',
+      'uri_fake_end'           => 'bool',
+      'uri_fake_params_start'  => 'bool',
+      'header_folding'         => 'bool',
+      'chunked_size'           => 'integer'
+    }
+
+
+  end
+
+  #
+  # Set configuration options
+  #
+  def set_config(opts = {})
+    opts.each_pair do |var,val|
+      # Default type is string
+      typ = self.config_types[var] || 'string'
+
+      # These are enum types
+      if(typ.class.to_s == 'Array')
+        if not typ.include?(val)
+          raise RuntimeError, "The specified value for #{var} is not one of the valid choices"
+        end
+      end
+
+      # The caller should have converted these to proper ruby types, but
+      # take care of the case where they didn't before setting the
+      # config.
+
+      if(typ == 'bool')
+        val = (val =~ /^(t|y|1)$/i ? true : false || val === true)
+      end
+
+      if(typ == 'integer')
+        val = val.to_i
+      end
+
+      self.config[var]=val
+    end
+  end
+
+  #
+  # Create an arbitrary HTTP request
+  #
+  # @param opts [Hash]
+  # @option opts 'agent'         [String] User-Agent header value
+  # @option opts 'connection'    [String] Connection header value
+  # @option opts 'cookie'        [String] Cookie header value
+  # @option opts 'data'          [String] HTTP data (only useful with some methods, see rfc2616)
+  # @option opts 'encode'        [Bool]   URI encode the supplied URI, default: false
+  # @option opts 'headers'       [Hash]   HTTP headers, e.g. <code>{ "X-MyHeader" => "value" }</code>
+  # @option opts 'method'        [String] HTTP method to use in the request, not limited to standard methods defined by rfc2616, default: GET
+  # @option opts 'proto'         [String] protocol, default: HTTP
+  # @option opts 'query'         [String] raw query string
+  # @option opts 'raw_headers'   [Hash]   HTTP headers
+  # @option opts 'uri'           [String] the URI to request
+  # @option opts 'version'       [String] version of the protocol, default: 1.1
+  # @option opts 'vhost'         [String] Host header value
+  #
+  # @return [ClientRequest]
+  def request_raw(opts={})
+    opts = self.config.merge(opts)
+
+    opts['ssl']         = self.ssl
+    opts['cgi']         = false
+    opts['port']        = self.port
+
+    req = ClientRequest.new(opts)
+  end
+
+
+  #
+  # Create a CGI compatible request
+  #
+  # @param (see #request_raw)
+  # @option opts (see #request_raw)
+  # @option opts 'ctype'         [String] Content-Type header value, default: +application/x-www-form-urlencoded+
+  # @option opts 'encode_params' [Bool]   URI encode the GET or POST variables (names and values), default: true
+  # @option opts 'vars_get'      [Hash]   GET variables as a hash to be translated into a query string
+  # @option opts 'vars_post'     [Hash]   POST variables as a hash to be translated into POST data
+  #
+  # @return [ClientRequest]
+  def request_cgi(opts={})
+    opts = self.config.merge(opts)
+
+    opts['ctype']       ||= 'application/x-www-form-urlencoded'
+    opts['ssl']         = self.ssl
+    opts['cgi']         = true
+    opts['port']        = self.port
+
+    req = ClientRequest.new(opts)
+    req
+  end
+
+  #
+  # Connects to the remote server if possible.
+  #
+  # @param t [Fixnum] Timeout
+  # @see Rex::Socket::Tcp.create
+  # @return [Rex::Socket::Tcp]
+  def connect(t = -1)
+    # If we already have a connection and we aren't pipelining, close it.
+    if (self.conn)
+      if !pipelining?
+        close
+      else
+        return self.conn
+      end
+    end
+
+    timeout = (t.nil? or t == -1) ? 0 : t
+
+    self.conn = Rex::Socket::Tcp.create(
+      'PeerHost'   => self.hostname,
+      'PeerPort'   => self.port.to_i,
+      'LocalHost'  => self.local_host,
+      'LocalPort'  => self.local_port,
+      'Context'    => self.context,
+      'SSL'        => self.ssl,
+      'SSLVersion' => self.ssl_version,
+      'Proxies'    => self.proxies,
+      'Timeout'    => timeout
+    )
+  end
+
+  #
+  # Closes the connection to the remote server.
+  #
+  def close
+    if (self.conn)
+      self.conn.shutdown
+      self.conn.close unless self.conn.closed?
+    end
+
+    self.conn = nil
+  end
+
+  #
+  # Sends a request and gets a response back
+  #
+  # If the request is a 401, and we have creds, it will attempt to complete
+  # authentication and return the final response
+  #
+  # @return (see #_send_recv)
+  def send_recv(req, t = -1, persist=false)
+    res = _send_recv(req,t,persist)
+    if res and res.code == 401 and res.headers['WWW-Authenticate']
+      res = send_auth(res, req.opts, t, persist)
+    end
+    res
+  end
+
+  #
+  # Transmit an HTTP request and receive the response
+  #
+  # If persist is set, then the request will attempt to reuse an existing
+  # connection.
+  #
+  # Call this directly instead of {#send_recv} if you don't want automatic
+  # authentication handling.
+  #
+  # @return (see #read_response)
+  def _send_recv(req, t = -1, persist=false)
+    @pipeline = persist
+    send_request(req, t)
+    res = read_response(t)
+    res.request = req.to_s if res
+    res
+  end
+
+  #
+  # Send an HTTP request to the server
+  #
+  # @param req [Request,ClientRequest,#to_s] The request to send
+  # @param t (see #connect)
+  #
+  # @return [void]
+  def send_request(req, t = -1)
+    connect(t)
+    conn.put(req.to_s)
+  end
+
+  # Resends an HTTP Request with the propper authentcation headers
+  # set. If we do not support the authentication type the server requires
+  # we return the original response object
+  #
+  # @param res [Response] the HTTP Response object
+  # @param opts [Hash] the options used to generate the original HTTP request
+  # @param t [Fixnum] the timeout for the request in seconds
+  # @param persist [Boolean] whether or not to persist the TCP connection (pipelining)
+  #
+  # @return [Response] the last valid HTTP response object we received
+  def send_auth(res, opts, t, persist)
+    if opts['username'].nil? or opts['username'] == ''
+      if self.username and not (self.username == '')
+        opts['username'] = self.username
+        opts['password'] = self.password
+      else
+        opts['username'] = nil
+        opts['password'] = nil
+      end
+    end
+
+    return res if opts['username'].nil? or opts['username'] == ''
+    supported_auths = res.headers['WWW-Authenticate']
+    if supported_auths.include? 'Basic'
+      opts['headers'] ||= {}
+      opts['headers']['Authorization'] = basic_auth_header(opts['username'],opts['password'] )
+      req = request_cgi(opts)
+      res = _send_recv(req,t,persist)
+      return res
+    elsif  supported_auths.include? "Digest"
+      temp_response = digest_auth(opts)
+      if temp_response.kind_of? Rex::Proto::Http::Response
+        res = temp_response
+      end
+      return res
+    elsif supported_auths.include? "NTLM"
+      opts['provider'] = 'NTLM'
+      temp_response = negotiate_auth(opts)
+      if temp_response.kind_of? Rex::Proto::Http::Response
+        res = temp_response
+      end
+      return res
+    elsif supported_auths.include? "Negotiate"
+      opts['provider'] = 'Negotiate'
+      temp_response = negotiate_auth(opts)
+      if temp_response.kind_of? Rex::Proto::Http::Response
+        res = temp_response
+      end
+      return res
+    end
+    return res
+  end
+
+  # Converts username and password into the HTTP Basic authorization
+  # string.
+  #
+  # @return [String] A value suitable for use as an Authorization header
+  def basic_auth_header(username,password)
+    auth_str = username.to_s + ":" + password.to_s
+    auth_str = "Basic " + Rex::Text.encode_base64(auth_str)
+  end
+
+  # Send a series of requests to complete Digest Authentication
+  #
+  # @param opts [Hash] the options used to build an HTTP request
+  #
+  # @return [Response] the last valid HTTP response we received
+  def digest_auth(opts={})
+    @nonce_count = 0
+
+    to = opts['timeout'] || 20
+
+    digest_user = opts['username'] || ""
+    digest_password =  opts['password'] || ""
+
+    method = opts['method']
+    path = opts['uri']
+    iis = true
+    if (opts['DigestAuthIIS'] == false or self.config['DigestAuthIIS'] == false)
+      iis = false
+    end
+
+    begin
+    @nonce_count += 1
+
+    resp = opts['response']
+
+    if not resp
+      # Get authentication-challenge from server, and read out parameters required
+      r = request_cgi(opts.merge({
+          'uri' => path,
+          'method' => method }))
+      resp = _send_recv(r, to)
+      unless resp.kind_of? Rex::Proto::Http::Response
+        return nil
+      end
+
+      if resp.code != 401
+        return resp
+      end
+      return resp unless resp.headers['WWW-Authenticate']
+    end
+
+    # Don't anchor this regex to the beginning of string because header
+    # folding makes it appear later when the server presents multiple
+    # WWW-Authentication options (such as is the case with IIS configured
+    # for Digest or NTLM).
+    resp['www-authenticate'] =~ /Digest (.*)/
+
+    parameters = {}
+    $1.split(/,[[:space:]]*/).each do |p|
+      k, v = p.split("=", 2)
+      parameters[k] = v.gsub('"', '')
+    end
+
+    qop = parameters['qop']
+
+    if parameters['algorithm'] =~ /(.*?)(-sess)?$/
+      algorithm = case $1
+      when 'MD5' then Digest::MD5
+      when 'SHA1' then Digest::SHA1
+      when 'SHA2' then Digest::SHA2
+      when 'SHA256' then Digest::SHA256
+      when 'SHA384' then Digest::SHA384
+      when 'SHA512' then Digest::SHA512
+      when 'RMD160' then Digest::RMD160
+      else raise Error, "unknown algorithm \"#{$1}\""
+      end
+      algstr = parameters["algorithm"]
+      sess = $2
+    else
+      algorithm = Digest::MD5
+      algstr = "MD5"
+      sess = false
+    end
+
+    a1 = if sess then
+      [
+        algorithm.hexdigest("#{digest_user}:#{parameters['realm']}:#{digest_password}"),
+        parameters['nonce'],
+        @cnonce
+      ].join ':'
+    else
+      "#{digest_user}:#{parameters['realm']}:#{digest_password}"
+    end
+
+    ha1 = algorithm.hexdigest(a1)
+    ha2 = algorithm.hexdigest("#{method}:#{path}")
+
+    request_digest = [ha1, parameters['nonce']]
+    request_digest.push(('%08x' % @nonce_count), @cnonce, qop) if qop
+    request_digest << ha2
+    request_digest = request_digest.join ':'
+
+    # Same order as IE7
+    auth = [
+      "Digest username=\"#{digest_user}\"",
+      "realm=\"#{parameters['realm']}\"",
+      "nonce=\"#{parameters['nonce']}\"",
+      "uri=\"#{path}\"",
+      "cnonce=\"#{@cnonce}\"",
+      "nc=#{'%08x' % @nonce_count}",
+      "algorithm=#{algstr}",
+      "response=\"#{algorithm.hexdigest(request_digest)[0, 32]}\"",
+      # The spec says the qop value shouldn't be enclosed in quotes, but
+      # some versions of IIS require it and Apache accepts it.  Chrome
+      # and Firefox both send it without quotes but IE does it this way.
+      # Use the non-compliant-but-everybody-does-it to be as compatible
+      # as possible by default.  The user can override if they don't like
+      # it.
+      if qop.nil? then
+      elsif iis then
+        "qop=\"#{qop}\""
+      else
+        "qop=#{qop}"
+      end,
+      if parameters.key? 'opaque' then
+        "opaque=\"#{parameters['opaque']}\""
+      end
+    ].compact
+
+    headers ={ 'Authorization' => auth.join(', ') }
+    headers.merge!(opts['headers']) if opts['headers']
+
+    # Send main request with authentication
+    r = request_cgi(opts.merge({
+      'uri' => path,
+      'method' => method,
+      'headers' => headers }))
+    resp = _send_recv(r, to, true)
+    unless resp.kind_of? Rex::Proto::Http::Response
+      return nil
+    end
+
+    return resp
+
+    rescue ::Errno::EPIPE, ::Timeout::Error
+    end
+  end
+
+  #
+  # Builds a series of requests to complete Negotiate Auth. Works essentially
+  # the same way as Digest auth. Same pipelining concerns exist.
+  #
+  # @option opts (see #send_request_cgi)
+  # @option opts provider ["Negotiate","NTLM"] What Negotiate provider to use
+  #
+  # @return [Response] the last valid HTTP response we received
+  def negotiate_auth(opts={})
+    ntlm_options = {
+      :signing          => false,
+      :usentlm2_session => self.config['usentlm2_session'],
+      :use_ntlmv2       => self.config['use_ntlmv2'],
+      :send_lm          => self.config['send_lm'],
+      :send_ntlm        => self.config['send_ntlm']
+    }
+
+    to = opts['timeout'] || 20
+    opts['username'] ||= ''
+    opts['password'] ||= ''
+
+    if opts['provider'] and opts['provider'].include? 'Negotiate'
+      provider = "Negotiate "
+    else
+      provider = 'NTLM '
+    end
+
+    opts['method']||= 'GET'
+    opts['headers']||= {}
+
+    ntlmssp_flags = ::Rex::Proto::NTLM::Utils.make_ntlm_flags(ntlm_options)
+    workstation_name = Rex::Text.rand_text_alpha(rand(8)+6)
+    domain_name = self.config['domain']
+
+    b64_blob = Rex::Text::encode_base64(
+      ::Rex::Proto::NTLM::Utils::make_ntlmssp_blob_init(
+        domain_name,
+        workstation_name,
+        ntlmssp_flags
+    ))
+
+    ntlm_message_1 = provider + b64_blob
+
+    begin
+      # First request to get the challenge
+      opts['headers']['Authorization'] = ntlm_message_1
+      r = request_cgi(opts)
+      resp = _send_recv(r, to)
+      unless resp.kind_of? Rex::Proto::Http::Response
+        return nil
+      end
+
+      return resp unless resp.code == 401 && resp.headers['WWW-Authenticate']
+
+      # Get the challenge and craft the response
+      ntlm_challenge = resp.headers['WWW-Authenticate'].scan(/#{provider}([A-Z0-9\x2b\x2f=]+)/ni).flatten[0]
+      return resp unless ntlm_challenge
+
+      ntlm_message_2 = Rex::Text::decode_base64(ntlm_challenge)
+      blob_data = ::Rex::Proto::NTLM::Utils.parse_ntlm_type_2_blob(ntlm_message_2)
+
+      challenge_key        = blob_data[:challenge_key]
+      server_ntlmssp_flags = blob_data[:server_ntlmssp_flags]       #else should raise an error
+      default_name         = blob_data[:default_name]         || '' #netbios name
+      default_domain       = blob_data[:default_domain]       || '' #netbios domain
+      dns_host_name        = blob_data[:dns_host_name]        || '' #dns name
+      dns_domain_name      = blob_data[:dns_domain_name]      || '' #dns domain
+      chall_MsvAvTimestamp = blob_data[:chall_MsvAvTimestamp] || '' #Client time
+
+      spnopt = {:use_spn => self.config['SendSPN'], :name =>  self.hostname}
+
+      resp_lm, resp_ntlm, client_challenge, ntlm_cli_challenge = ::Rex::Proto::NTLM::Utils.create_lm_ntlm_responses(
+        opts['username'],
+        opts['password'],
+        challenge_key,
+        domain_name,
+        default_name,
+        default_domain,
+        dns_host_name,
+        dns_domain_name,
+        chall_MsvAvTimestamp,
+        spnopt,
+        ntlm_options
+      )
+
+      ntlm_message_3 = ::Rex::Proto::NTLM::Utils.make_ntlmssp_blob_auth(
+        domain_name,
+        workstation_name,
+        opts['username'],
+        resp_lm,
+        resp_ntlm,
+        '',
+        ntlmssp_flags
+      )
+
+      ntlm_message_3 = Rex::Text::encode_base64(ntlm_message_3)
+
+      # Send the response
+      opts['headers']['Authorization'] = "#{provider}#{ntlm_message_3}"
+      r = request_cgi(opts)
+      resp = _send_recv(r, to, true)
+      unless resp.kind_of? Rex::Proto::Http::Response
+        return nil
+      end
+      return resp
+
+    rescue ::Errno::EPIPE, ::Timeout::Error
+      return nil
+    end
+  end
+  #
+  # Read a response from the server
+  #
+  # @return [Response]
+  def read_response(t = -1, opts = {})
+
+    resp = Response.new
+    resp.max_data = config['read_max_data']
+
+    # Wait at most t seconds for the full response to be read in.  We only
+    # do this if t was specified as a negative value indicating an infinite
+    # wait cycle.  If t were specified as nil it would indicate that no
+    # response parsing is required.
+
+    return resp if not t
+
+    Timeout.timeout((t < 0) ? nil : t) do
+
+      rv = nil
+      while (
+               rv != Packet::ParseCode::Completed and
+               rv != Packet::ParseCode::Error
+              )
+
+        begin
+
+          buff = conn.get_once(-1, 1)
+          rv   = resp.parse( buff || '' )
+
+        # Handle unexpected disconnects
+        rescue ::Errno::EPIPE, ::EOFError, ::IOError
+          case resp.state
+          when Packet::ParseState::ProcessingHeader
+            resp = nil
+          when Packet::ParseState::ProcessingBody
+            # truncated request, good enough
+            resp.error = :truncated
+          end
+          break
+        end
+
+        # This is a dirty hack for broken HTTP servers
+        if rv == Packet::ParseCode::Completed
+          rbody = resp.body
+          rbufq = resp.bufq
+
+          rblob = rbody.to_s + rbufq.to_s
+          tries = 0
+          begin
+            # XXX: This doesn't deal with chunked encoding or "Content-type: text/html; charset=..."
+            while tries < 1000 and resp.headers["Content-Type"]== "text/html" and rblob !~ /<\/html>/i
+              buff = conn.get_once(-1, 0.05)
+              break if not buff
+              rblob += buff
+              tries += 1
+            end
+          rescue ::Errno::EPIPE, ::EOFError, ::IOError
+          end
+
+          resp.bufq = ""
+          resp.body = rblob
+        end
+      end
+    end
+
+    return resp if not resp
+
+    # As a last minute hack, we check to see if we're dealing with a 100 Continue here.
+    # Most of the time this is handled by the parser via check_100()
+    if resp.proto == '1.1' and resp.code == 100 and not opts[:skip_100]
+      # Read the real response from the body if we found one
+      # If so, our real response became the body, so we re-parse it.
+      if resp.body.to_s =~ /^HTTP/
+        body = resp.body
+        resp = Response.new
+        resp.max_data = config['read_max_data']
+        rv = resp.parse(body)
+      # We found a 100 Continue but didn't read the real reply yet
+      # Otherwise reread the reply, but don't try this hack again
+      else
+        resp = read_response(t, :skip_100 => true)
+      end
+    end
+
+    resp
+  end
+
+  #
+  # Cleans up any outstanding connections and other resources.
+  #
+  def stop
+    close
+  end
+
+  #
+  # Returns whether or not the conn is valid.
+  #
+  def conn?
+    conn != nil
+  end
+
+  #
+  # Whether or not connections should be pipelined.
+  #
+  def pipelining?
+    pipeline
+  end
+
+  #
+  # The client request configuration
+  #
+  attr_accessor :config
+  #
+  # The client request configuration classes
+  #
+  attr_accessor :config_types
+  #
+  # Whether or not pipelining is in use.
+  #
+  attr_accessor :pipeline
+  #
+  # The local host of the client.
+  #
+  attr_accessor :local_host
+  #
+  # The local port of the client.
+  #
+  attr_accessor :local_port
+  #
+  # The underlying connection.
+  #
+  attr_accessor :conn
+  #
+  # The calling context to pass to the socket
+  #
+  attr_accessor :context
+  #
+  # The proxy list
+  #
+  attr_accessor :proxies
+
+  # Auth
+  attr_accessor :username, :password
+
+  # When parsing the request, thunk off the first response from the server, since junk
+  attr_accessor :junk_pipeline
+
+protected
+
+  # https
+  attr_accessor :ssl, :ssl_version # :nodoc:
+
+  attr_accessor :hostname, :port # :nodoc:
+
+
+end
+
+end
+end
+end
+