Added RDP Gateway bruteforce support.

Had to suppress certain exceptions in pycurl due to RDP Gateway not closing HTTP connection.
7 years ago · 05f42839c3
parent 02783fb3d0
commit 05f42839c3
1 changed files with 41 additions and 3 deletions
--- a/patator.py
+++ b/patator.py
@ -3644,7 +3644,14 @@ class HTTP_fuzz(TCP_Cache):
      host = '%s:%s' % (host, port)

    url = urlunparse((scheme, host, path, params, query, fragment))
-    perform_fp(fp, method, url, header, body)
+    try:
+      perform_fp(fp, method, url, header, body)
+    except pycurl.error as e:
+      if e[0]!=28:
+        raise
+      match=re.compile('^Operation timed out after \d+ milliseconds with (\d+) bytes received$').match(e[1])
+      if not match or match.group(1)=='0':
+        raise

    target = {}
    target['ip'] = fp.getinfo(pycurl.PRIMARY_IP)
@ -3673,6 +3680,35 @@ class HTTP_fuzz(TCP_Cache):

 # }}}

+# RDP_gateway {{{
+try:
+  import uuid
+except ImportError:
+  notfound.append('uuid')
+
+class RDP_gateway(HTTP_fuzz):
+  '''Brute-force RDP Gateway'''
+
+  # Make sure to set reasonably small timeout. If authentication is successful Gateway server does not set Content-length header nor closes connection and we have to wait until a connection is killed.
+  usage_hints = (
+      """%prog rdp_gateway url='https://example.com/remoteDesktopGateway/' user_pass=COMBO00:COMBO01 0=logins -x ignore:code=401 timeout=1""",
+    )
+
+  def execute(self, *args, **kwargs):
+
+    if 'method' not in kwargs:
+      kwargs['method']='RDG_OUT_DATA'
+
+    rdg_connection_id="RDG-Connection-Id: {" + str(uuid.uuid4()) + '}'
+    if 'header' not in kwargs:
+      kwargs['header'] = rdg_connection_id
+    else:
+      kwargs['header'] = rdg_connection_id + "\n" + kwargs['header']
+
+    return HTTP_fuzz.execute(self, *args, **kwargs)
+
+# }}}
+
 # AJP {{{
 try:
  from ajpy.ajp import AjpForwardRequest
@ -4691,6 +4727,7 @@ modules = [
  ('smtp_vrfy', (Controller, SMTP_vrfy)),
  ('smtp_rcpt', (Controller, SMTP_rcpt)),
  ('finger_lookup', (Controller_Finger, Finger_lookup)),
+  ('rdp_gateway', (Controller_HTTP, RDP_gateway)),
  ('http_fuzz', (Controller_HTTP, HTTP_fuzz)),
  ('ajp_fuzz', (Controller, AJP_fuzz)),
  ('pop_login', (Controller, POP_login)),
@ -4724,8 +4761,9 @@ modules = [

 dependencies = {
  'paramiko': [('ssh_login',), 'http://www.lag.net/paramiko/', '1.7.7.1'],
-  'pycurl': [('http_fuzz',), 'http://pycurl.sourceforge.net/', '7.19.3'],
-  'libcurl': [('http_fuzz',), 'https://curl.haxx.se/', '7.21.0'],
+  'pycurl': [('http_fuzz', 'rdp_gateway',), 'http://pycurl.sourceforge.net/', '7.19.3'],
+  'libcurl': [('http_fuzz', 'rdp_gateway',), 'https://curl.haxx.se/', '7.21.0'],
+  'uuid': [('rdp_gateway',), '', ''],
  'ajpy': [('ajp_fuzz',), 'https://github.com/hypn0s/AJPy/', '0.0.1'],
  'openldap': [('ldap_login',), 'http://www.openldap.org/', '2.4.24'],
  'impacket': [('smb_login','smb_lookupsid','mssql_login'), 'https://github.com/CoreSecurity/impacket', '0.9.12'],