Added anonymous session handling in httprelayserver.py

It should fix #1132
fortra · Oct 14, 2021 · bbdabd8 · bbdabd8
1 parent ff7c521
commit bbdabd8
Showing 1 changed file with 36 additions and 18 deletions.
diff --git a/impacket/examples/ntlmrelayx/servers/httprelayserver.py b/impacket/examples/ntlmrelayx/servers/httprelayserver.py
@@ -166,24 +166,42 @@ def do_PROPFIND(self):
             elif messageType == 3:
                 authenticateMessage = ntlm.NTLMAuthChallengeResponse()
                 authenticateMessage.fromString(token)
-                if authenticateMessage['flags'] & ntlm.NTLMSSP_NEGOTIATE_UNICODE:
-                    LOG.info("Authenticating against %s://%s as %s\\%s SUCCEED" % (
-                        self.target.scheme, self.target.netloc, authenticateMessage['domain_name'].decode('utf-16le'),
-                        authenticateMessage['user_name'].decode('utf-16le')))
-                else:
-                    LOG.info("Authenticating against %s://%s as %s\\%s SUCCEED" % (
-                        self.target.scheme, self.target.netloc, authenticateMessage['domain_name'].decode('ascii'),
-                        authenticateMessage['user_name'].decode('ascii')))
-                self.do_ntlm_auth(token, authenticateMessage)
-                self.do_attack()
 
+                if not self.do_ntlm_auth(token,authenticateMessage):
+                    if authenticateMessage['flags'] & ntlm.NTLMSSP_NEGOTIATE_UNICODE:
+                        LOG.info("Authenticating against %s://%s as %s\\%s FAILED" % (
+                            self.target.scheme, self.target.netloc, authenticateMessage['domain_name'].decode('utf-16le'),
+                            authenticateMessage['user_name'].decode('utf-16le')))
+                    else:
+                        LOG.info("Authenticating against %s://%s as %s\\%s FAILED" % (
+                            self.target.scheme, self.target.netloc, authenticateMessage['domain_name'].decode('ascii'),
+                            authenticateMessage['user_name'].decode('ascii')))
+                    # Only skip to next if the login actually failed, not if it was just anonymous login or a system account
+                    # which we don't want
+                    if authenticateMessage['user_name'] != b'':
+                        self.server.config.target.logTarget(self.target)
+                        # No anonymous login, go to next host and avoid triggering a popup
+                        self.do_REDIRECT()
+                    else:
+                        #If it was an anonymous login, send 401
+                        self.do_AUTHHEAD(b'NTLM', proxy=proxy)
+                else:
+                    if authenticateMessage['flags'] & ntlm.NTLMSSP_NEGOTIATE_UNICODE:
+                        LOG.info("Authenticating against %s://%s as %s\\%s SUCCEED" % (
+                            self.target.scheme, self.target.netloc, authenticateMessage['domain_name'].decode('utf-16le'),
+                            authenticateMessage['user_name'].decode('utf-16le')))
+                    else:
+                        LOG.info("Authenticating against %s://%s as %s\\%s SUCCEED" % (
+                            self.target.scheme, self.target.netloc, authenticateMessage['domain_name'].decode('ascii'),
+                            authenticateMessage['user_name'].decode('ascii')))
 
-                self.send_response(207, "Multi-Status")
-                self.send_header('Content-Type', 'application/xml')
-                self.send_header('Content-Length', str(len(content)))
-                self.end_headers()
-                self.wfile.write(content)
-                return
+                    self.do_attack()
+                    self.send_response(207, "Multi-Status")
+                    self.send_header('Content-Type', 'application/xml')
+                    self.send_header('Content-Length', str(len(content)))
+                    self.end_headers()
+                    self.wfile.write(content)
+            return
 
         def do_AUTHHEAD(self, message = b'', proxy=False):
             if proxy:
@@ -302,7 +320,7 @@ def do_GET(self):
 
                     # Only skip to next if the login actually failed, not if it was just anonymous login or a system account
                     # which we don't want
-                    if authenticateMessage['user_name'] != '': # and authenticateMessage['user_name'][-1] != '$':
+                    if authenticateMessage['user_name'] != b'': # and authenticateMessage['user_name'][-1] != '$':
                         self.server.config.target.logTarget(self.target)
                         # No anonymous login, go to next host and avoid triggering a popup
                         self.do_REDIRECT()
@@ -383,7 +401,7 @@ def do_ntlm_auth(self,token,authenticateMessage):
                 self.authUser = ('%s/%s' % (authenticateMessage['domain_name'].decode('ascii'),
                                             authenticateMessage['user_name'].decode('ascii'))).upper()
 
-            if authenticateMessage['user_name'] != '' or self.target.hostname == '127.0.0.1':
+            if authenticateMessage['user_name'] != b'' or self.target.hostname == '127.0.0.1':
                 clientResponse, errorCode = self.client.sendAuth(token)
             else:
                 # Anonymous login, send STATUS_ACCESS_DENIED so we force the client to send his credentials, except