sensepost · randomwalksp · Feb 7, 2019
diff --git a/cmd/root.go b/cmd/root.go
@@ -8,8 +8,10 @@ import (
 	"os"
 	"strings"
 	"time"
-
+	"net"
+	"context"
 	"github.com/sensepost/godoh/dnsclient"
+	"github.com/sensepost/godoh/utils"
 
 	log "github.com/sirupsen/logrus"
 
@@ -23,6 +25,9 @@ var dnsDomain string
 var dnsProviderName string
 var dnsProvider dnsclient.Client
 var validateSSL bool
+var proxyAddr string
+var proxyUsername string
+var proxyPassword string
 
 // rootCmd represents the base command when called without any subcommands
 var rootCmd = &cobra.Command{
@@ -54,6 +59,7 @@ func init() {
 	cobra.OnInitialize(validateDNSDomain)
 	cobra.OnInitialize(seedRand)
 	cobra.OnInitialize(configureSSLValidation)
+	cobra.OnInitialize(configureProxy)
 
 	// if the DNS domain was configured at compile time, remove the flag
 	if dnsDomain == "" {
@@ -66,8 +72,12 @@ func init() {
 		"Preferred DNS provider to use. [possible: googlefront, google, cloudflare, quad9, raw]")
 	rootCmd.PersistentFlags().BoolVarP(&validateSSL,
 		"validate-certificate", "K", false, "Validate DoH provider SSL certificates")
+        rootCmd.PersistentFlags().StringVarP(&proxyAddr, "proxy", "", "", "Use NTLM proxy, i.e hostname:port")
+        rootCmd.PersistentFlags().StringVarP(&proxyUsername, "proxy-username", "", "", "NTLM proxy username to use (blank: attempt to use running user's credentials) ")
+        rootCmd.PersistentFlags().StringVarP(&proxyPassword, "proxy-password", "", "", "NTLM proxy password to use (blank: attempt to use running user's credentials) ")
 }
 
+
 func seedRand() {
 	rand.Seed(time.Now().UTC().UnixNano())
 }
@@ -108,6 +118,42 @@ func validateDNSProvider() {
 	log.Infof("Using `%s` as preferred provider\n", dnsProviderName)
 }
 
+func configureProxy() {
+
+	if proxyAddr!="" {
+
+		if ( (proxyUsername =="" && proxyPassword !="")||(proxyUsername !="" && proxyPassword =="") ) {
+			log.Fatalf("Proxy username or password were not provided")
+		}
+
+		dialContext := (&net.Dialer{
+					KeepAlive: 30 * time.Second,
+					Timeout:   30 * time.Second,
+				}).DialContext
+
+		ntlmDialContext := func(ctx context.Context, network, address string) (net.Conn, error) {
+					conn, err := dialContext(ctx, network, proxyAddr)
+					if err != nil {
+						return conn, err
+					}
+					log.Infof("Attempting to inject NTLM authentication")
+	                                err = utils.ProxySetup(conn, address, proxyUsername,proxyPassword)
+					if err != nil {
+						log.Fatalf("Failed to inject NTLM authentication: %v.", err)
+						return conn, err
+					}
+					return conn, err
+	        }
+		http.DefaultTransport.(*http.Transport).Proxy=nil
+		http.DefaultTransport.(*http.Transport).DialContext=ntlmDialContext
+
+	} else {
+		if (proxyUsername !="" || proxyPassword !="") {
+			log.Fatalf("Proxy address not set, however proxy credentials were provided")
+		}
+	}
+}
+
 func configureSSLValidation() {
 	if !validateSSL {
 		http.DefaultTransport.(*http.Transport).TLSClientConfig = &tls.Config{InsecureSkipVerify: true}

diff --git a/utils/go-ntlm-auth/LICENSE.txt b/utils/go-ntlm-auth/LICENSE.txt
@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2016 G-Research
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
diff --git a/utils/go-ntlm-auth/README.md b/utils/go-ntlm-auth/README.md
@@ -0,0 +1,16 @@
+# go-ntlm-auth
+
+This is an implementation of NTLM for Go that was implemented using Windows SSPI
+(Security Support Provider Interface). It differs from other implemenations of
+NTLM as it uses the default credentials of the account that the application is
+running with, meaning the username and password does not have to be provided in
+plain text.
+
+## Usage Notes
+
+This is currently only implemented for Windows.
+
+### References
+https://github.com/G-Research/go-ntlm-auth - original author
+https://github.com/denisenkom/go-mssqldb - sspi_windows.go used as ntlm_windows.go to perform Win32 calls to SSPI
+https://github.com/github/git-lfs/blob/master/lfs/ntlm.go - git-lfs used as basis for NTLM authentication logic
diff --git a/utils/go-ntlm-auth/ntlm/ntlm.go b/utils/go-ntlm-auth/ntlm/ntlm.go
@@ -0,0 +1,21 @@
+package ntlm
+
+import (
+	"encoding/base64"
+	"fmt"
+)
+
+func ParseChallengeResponse(header string) ([]byte, error) {
+	if len(header) < 6 {
+		return nil, fmt.Errorf("Invalid NTLM challenge response: %q", header)
+	}
+
+	//parse out the "NTLM " at the beginning of the response
+	challenge := header[5:]
+	val, err := base64.StdEncoding.DecodeString(challenge)
+
+	if err != nil {
+		return nil, err
+	}
+	return []byte(val), nil
+}
diff --git a/utils/go-ntlm-auth/ntlm/ntlmAuthenticator.go b/utils/go-ntlm-auth/ntlm/ntlmAuthenticator.go
@@ -0,0 +1,8 @@
+package ntlm
+
+// NtlmAuthenticator defines interface to provide methods to get byte arrays required for NTLM authentication
+type NtlmAuthenticator interface {
+	GetNegotiateBytes() ([]byte, error)
+	GetResponseBytes([]byte) ([]byte, error)
+	ReleaseContext()
+}
diff --git a/utils/go-ntlm-auth/ntlm/ntlm_other.go b/utils/go-ntlm-auth/ntlm/ntlm_other.go
@@ -0,0 +1,13 @@
+// +build !windows
+
+package ntlm
+
+// NTLM authentication is only currently implemented on Windows
+func GetDefaultCredentialsAuth() (NtlmAuthenticator, bool) {
+	return nil, false
+}
+
+func GetAuth(user, password, service, workstation string) (NtlmAuthenticator, bool) {
+	return nil, false
+}
+
diff --git a/utils/go-ntlm-auth/ntlm/ntlm_test.go b/utils/go-ntlm-auth/ntlm/ntlm_test.go
@@ -0,0 +1,42 @@
+package ntlm
+
+import (
+	"encoding/base64"
+	"strings"
+	"testing"
+)
+
+func TestNtlmHeaderParseValid(t *testing.T) {
+	header := "NTLM " + base64.StdEncoding.EncodeToString([]byte("Some data"))
+	bytes, err := ParseChallengeResponse(header)
+
+	if err != nil {
+		t.Fatalf("Unexpected exception!")
+	}
+
+	// Check NTLM has been stripped from response
+	if strings.HasPrefix(string(bytes), "NTLM") {
+		t.Fatalf("Response contains NTLM prefix!")
+	}
+}
+
+func TestNtlmHeaderParseInvalidLength(t *testing.T) {
+	header := "NTL"
+	ret, err := ParseChallengeResponse(header)
+	if ret != nil {
+		t.Errorf("Unexpected challenge response: %v", ret)
+	}
+
+	if err == nil {
+		t.Errorf("Expected error, got none!")
+	}
+}
+
+func TestNtlmHeaderParseInvalid(t *testing.T) {
+	header := base64.StdEncoding.EncodeToString([]byte("NTLM I am a moose"))
+	_, err := ParseChallengeResponse(header)
+
+	if err == nil {
+		t.Fatalf("Expected error, got none!")
+	}
+}