[+] 修复 socket 请求中的异常处理

RcoIl · RcoIl · commit eb51e62dab86 · 2021-05-11T11:22:53.000+08:00
diff --git a/SharpDetectionNTLMSSP/FunModule/MSSQL.cs b/SharpDetectionNTLMSSP/FunModule/MSSQL.cs
@@ -4,12 +4,12 @@ class MSSQL : ModuleScan
     {
         public override TriageNTLMSSPKey StartScan(SocketStream socketMessage, TriageNTLMSSPKey _TriageNTLMSSPKey)
         {
-            var response = new byte[1024];
             socketMessage.SendMessage(NTLMSSPBuffer.mssql_buffer_v1);
-            response = socketMessage.ReceiveMessage();
+            var response = socketMessage.ReceiveMessage();
             socketMessage.SendMessage(NTLMSSPBuffer.mssql_buffer_v2);
             response = socketMessage.ReceiveMessage();
 
+            if (response.Length == 0) return null;
             _TriageNTLMSSPKey = ParsingResponse.ParsingSocketStremResponse(response, _TriageNTLMSSPKey, ref response);
 
             return _TriageNTLMSSPKey;
diff --git a/SharpDetectionNTLMSSP/FunModule/SMB.cs b/SharpDetectionNTLMSSP/FunModule/SMB.cs
@@ -7,12 +7,12 @@ class SMB : ModuleScan
     {
         public override TriageNTLMSSPKey StartScan(SocketStream socketMessage, TriageNTLMSSPKey _TriageNTLMSSPKey)
         {
-            var response = new byte[1024];
             socketMessage.SendMessage(NTLMSSPBuffer.smb_buffer_v1);
-            response = socketMessage.ReceiveMessage();
+            var response = socketMessage.ReceiveMessage();
             socketMessage.SendMessage(NTLMSSPBuffer.smb_buffer_v2);
             response = socketMessage.ReceiveMessage();
-            
+            if (response.Length == 0) return null;
+
             _TriageNTLMSSPKey = ParsingResponse.ParsingSocketStremResponse(response, _TriageNTLMSSPKey, ref response);
 
             var veraw = Encoding.Default.GetString(response).Split(new String[] { "\0\0\0" }, StringSplitOptions.RemoveEmptyEntries);
diff --git a/SharpDetectionNTLMSSP/FunModule/WMI.cs b/SharpDetectionNTLMSSP/FunModule/WMI.cs
@@ -7,13 +7,12 @@ class WMI : ModuleScan
     {
         public override TriageNTLMSSPKey StartScan(SocketStream socketMessage, TriageNTLMSSPKey _TriageNTLMSSPKey)
         {
-            var response = new byte[1024];
-            response = NDR64SyntaxtScan(_TriageNTLMSSPKey);
+            var response = NDR64SyntaxtScan(_TriageNTLMSSPKey);
             _TriageNTLMSSPKey.NDR64Syntax = ParsingNDR64Syntax(response);
 
             socketMessage.SendMessage(NTLMSSPBuffer.dcerpc_buffer_v1);
             response = socketMessage.ReceiveMessage();
-
+            if (response.Length == 0) return null;
             _TriageNTLMSSPKey = ParsingResponse.ParsingSocketStremResponse(response, _TriageNTLMSSPKey, ref response);
             return _TriageNTLMSSPKey;
         }
@@ -22,18 +21,25 @@ public byte[] NDR64SyntaxtScan(TriageNTLMSSPKey _TriageNTLMSSPKey)
         {
             var response = new byte[1024];
 
-            var socket = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);
-            socket.Connect(_TriageNTLMSSPKey.Target, _TriageNTLMSSPKey.Port);
-            socket.Send(NTLMSSPBuffer.dcerpc_buffer_v2);
-            socket.Receive(response);
-
+            try
+            {
+                var socket = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);
+                socket.Connect(_TriageNTLMSSPKey.Target, _TriageNTLMSSPKey.Port);
+                socket.Send(NTLMSSPBuffer.dcerpc_buffer_v2);
+                socket.Receive(response);
+            }
+            catch
+            {
+                return new byte[] { };
+            }
             return response;
         }
 
         private int ParsingNDR64Syntax(Byte[] responseBuffer)
         {
+            if (responseBuffer.Length == 0) return 0;
             var NDR64SyntaxStr = BitConverter.ToString(responseBuffer).Replace("-", "");
-            return NDR64SyntaxStr.Contains("33057171BABE37498319B5DBEF9CCC36") ? 64 : 32;
+            return NDR64SyntaxStr.Contains("33057171BABE37498319B5DBEF9CCC36") ? 64 : 86;
         }
     }
 }
diff --git a/SharpDetectionNTLMSSP/Networking/SocketStream.cs b/SharpDetectionNTLMSSP/Networking/SocketStream.cs
@@ -1,27 +1,26 @@
 ﻿using System;
-using System.Collections.Generic;
-using System.Linq;
 using System.Net.Sockets;
-using System.Text;
+using System.Threading;
 
 namespace SharpDetectionNTLMSSP
 {
     class SocketStream
     {
         public Boolean OK = false;
         public Socket socket = null;
+
         public SocketStream(String ip, int port)
         {
             try
             {
                 this.socket = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);
                 socket.Connect(ip, port);
                 OK = true;
-            } 
-            catch 
+            }
+            catch
             {
                 OK = false;
-                return; 
+                return;
             }
         }
 
@@ -31,9 +30,9 @@ public void SendMessage(Byte[] buffer)
             {
                 socket.Send(buffer);
             }
-            catch (Exception ex)
+            catch
             {
-                Console.WriteLine($"[!] Socket Error, during sending: {ex.Message}");
+                return;
             }
         }
 
@@ -44,10 +43,11 @@ public byte[] ReceiveMessage()
             {
                 socket.Receive(response);
             }
-            catch (Exception ex)
+            catch
             {
-                Console.WriteLine($"[!] Socket Error, during receive: {ex.Message}");
+                return new byte[] { };
             }
+
             return response;
         }
     }
diff --git a/SharpDetectionNTLMSSP/Program.cs b/SharpDetectionNTLMSSP/Program.cs
@@ -8,6 +8,7 @@ namespace SharpDetectionNTLMSSP
 {
     class Program
     {
+        private static int count = 0;
         static void ParsingTriageNTLMSSPKey(TriageNTLMSSPKey _TriageNTLMSSPKey)
         {
             var result = String.Empty;
@@ -28,14 +29,15 @@ static void ParsingTriageNTLMSSPKey(TriageNTLMSSPKey _TriageNTLMSSPKey)
             result += String.Format("  [>] NetBIOS computer name: {0}\r\n", _TriageNTLMSSPKey.NbtComputerName);
             result += String.Format("  [>] DNS computer name    : {0}\r\n", _TriageNTLMSSPKey.DnsComputerName);
             result += String.Format("  [>] Time stamp           : {0}\r\n", _TriageNTLMSSPKey.TimeStamp.ToString("yyyy-MM-dd HH-mm-ss ddd"));
-
+            count += 1;
             Console.WriteLine(result);
         }
 
         static void StartDoStuff(string target, int port, string typeKey)
         {
             var socketMessage = new SocketStream(target, port);
             if (!socketMessage.OK) return;
+
             var _TriageNTLMSSPKey = new TriageNTLMSSPKey();
             _TriageNTLMSSPKey.Target = target;
             _TriageNTLMSSPKey.Port = port;
@@ -48,6 +50,7 @@ static void StartDoStuff(string target, int port, string typeKey)
                 _ModuleScan = (ModuleScan)Activator.CreateInstance(type);
             }
             _TriageNTLMSSPKey = _ModuleScan.StartScan(socketMessage, _TriageNTLMSSPKey);
+            if (_TriageNTLMSSPKey == null) return;
             ParsingTriageNTLMSSPKey(_TriageNTLMSSPKey);
         }
 
@@ -120,7 +123,8 @@ static void Main(string[] args)
 
             stopwatch.Stop();
             TimeSpan timespan = stopwatch.Elapsed;
-            Console.WriteLine("[*] Time taken: {0}s", timespan.TotalSeconds);
+            
+            Console.WriteLine("[*] Count: {0}, Time taken: {1}s", count, timespan.TotalSeconds);
         }
     }
 }
diff --git a/SharpDetectionNTLMSSP/lib/ParsingResponse.cs b/SharpDetectionNTLMSSP/lib/ParsingResponse.cs
@@ -43,28 +43,30 @@ private static TriageNTLMSSPKey ParseTargetInfo(byte[] records, TriageNTLMSSPKey
 
         public static TriageNTLMSSPKey ParsingSocketStremResponse(byte[] responseBuffer, TriageNTLMSSPKey _TriageNTLMSSPKey, ref byte[] otherResponseBuffer)
         {
-            var responseBuffer_String = BitConverter.ToString(responseBuffer).Replace("-", "");
-            var NTLMSSP_Bytes_Index = responseBuffer_String.IndexOf("4E544C4D53535000") / 2;
+            try {
+                var responseBuffer_String = BitConverter.ToString(responseBuffer).Replace("-", "");
+                var NTLMSSP_Bytes_Index = responseBuffer_String.IndexOf("4E544C4D53535000") / 2;
 
-            var len = responseBuffer.Length - NTLMSSP_Bytes_Index;
-            var challengeResult = new Byte[len];
-            Array.Copy(responseBuffer, NTLMSSP_Bytes_Index, challengeResult, 0, len);
+                var len = responseBuffer.Length - NTLMSSP_Bytes_Index;
+                var challengeResult = new Byte[len];
+                Array.Copy(responseBuffer, NTLMSSP_Bytes_Index, challengeResult, 0, len);
 
-            NTLM_CHALLENGE_MESSAGE typeMessage = ChallengeFromBytes(challengeResult);
+                NTLM_CHALLENGE_MESSAGE typeMessage = ChallengeFromBytes(challengeResult);
 
-            _TriageNTLMSSPKey.OsBuildNumber = typeMessage.Build;
-            _TriageNTLMSSPKey.OsMajor = typeMessage.Major;
-            _TriageNTLMSSPKey.OsMinor = typeMessage.Minor;
+                _TriageNTLMSSPKey.OsBuildNumber = typeMessage.Build;
+                _TriageNTLMSSPKey.OsMajor = typeMessage.Major;
+                _TriageNTLMSSPKey.OsMinor = typeMessage.Minor;
 
-            var TargetInfo = challengeResult.Skip(typeMessage.TargetInfoBufferOffset).ToArray().Take(typeMessage.TargetInfoLen).ToArray();
-            _TriageNTLMSSPKey = ParseTargetInfo(TargetInfo, _TriageNTLMSSPKey);
-
-            var otherOffset = typeMessage.TargetInfoBufferOffset + typeMessage.TargetInfoLen;
-            len = len - otherOffset;
-            var otherByteResult = new Byte[len];
-            Array.Copy(challengeResult, otherOffset, otherByteResult, 0, len);
-            otherResponseBuffer = otherByteResult;
+                var TargetInfo = challengeResult.Skip(typeMessage.TargetInfoBufferOffset).ToArray().Take(typeMessage.TargetInfoLen).ToArray();
+                _TriageNTLMSSPKey = ParseTargetInfo(TargetInfo, _TriageNTLMSSPKey);
 
+                var otherOffset = typeMessage.TargetInfoBufferOffset + typeMessage.TargetInfoLen;
+                len = len - otherOffset;
+                var otherByteResult = new Byte[len];
+                Array.Copy(challengeResult, otherOffset, otherByteResult, 0, len);
+                otherResponseBuffer = otherByteResult;
+            }
+            catch {}
             return _TriageNTLMSSPKey;
         }
     }

Original file line number	Diff line number	Diff line change
`@@ -4,12 +4,12 @@ class MSSQL : ModuleScan`
`4`	`4`	`{`
`5`	`5`	`public override TriageNTLMSSPKey StartScan(SocketStream socketMessage, TriageNTLMSSPKey _TriageNTLMSSPKey)`
`6`	`6`	`{`
`7`		`- var response = new byte[1024];`
`8`	`7`	`socketMessage.SendMessage(NTLMSSPBuffer.mssql_buffer_v1);`
`9`		`- response = socketMessage.ReceiveMessage();`
	`8`	`+ var response = socketMessage.ReceiveMessage();`
`10`	`9`	`socketMessage.SendMessage(NTLMSSPBuffer.mssql_buffer_v2);`
`11`	`10`	`response = socketMessage.ReceiveMessage();`
`12`	`11`
	`12`	`+ if (response.Length == 0) return null;`
`13`	`13`	`_TriageNTLMSSPKey = ParsingResponse.ParsingSocketStremResponse(response, _TriageNTLMSSPKey, ref response);`
`14`	`14`
`15`	`15`	`return _TriageNTLMSSPKey;`
Original file line number	Diff line number	Diff line change
`@@ -7,13 +7,12 @@ class WMI : ModuleScan`
`7`	`7`	`{`
`8`	`8`	`public override TriageNTLMSSPKey StartScan(SocketStream socketMessage, TriageNTLMSSPKey _TriageNTLMSSPKey)`
`9`	`9`	`{`
`10`		`- var response = new byte[1024];`
`11`		`- response = NDR64SyntaxtScan(_TriageNTLMSSPKey);`
	`10`	`+ var response = NDR64SyntaxtScan(_TriageNTLMSSPKey);`
`12`	`11`	`_TriageNTLMSSPKey.NDR64Syntax = ParsingNDR64Syntax(response);`
`13`	`12`
`14`	`13`	`socketMessage.SendMessage(NTLMSSPBuffer.dcerpc_buffer_v1);`
`15`	`14`	`response = socketMessage.ReceiveMessage();`
`16`		`-`
	`15`	`+ if (response.Length == 0) return null;`
`17`	`16`	`_TriageNTLMSSPKey = ParsingResponse.ParsingSocketStremResponse(response, _TriageNTLMSSPKey, ref response);`
`18`	`17`	`return _TriageNTLMSSPKey;`
`19`	`18`	`}`
`@@ -22,18 +21,25 @@ public byte[] NDR64SyntaxtScan(TriageNTLMSSPKey _TriageNTLMSSPKey)`
`22`	`21`	`{`
`23`	`22`	`var response = new byte[1024];`
`24`	`23`
`25`		`- var socket = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);`
`26`		`- socket.Connect(_TriageNTLMSSPKey.Target, _TriageNTLMSSPKey.Port);`
`27`		`- socket.Send(NTLMSSPBuffer.dcerpc_buffer_v2);`
`28`		`- socket.Receive(response);`
`29`		`-`
	`24`	`+ try`
	`25`	`+ {`
	`26`	`+ var socket = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);`
	`27`	`+ socket.Connect(_TriageNTLMSSPKey.Target, _TriageNTLMSSPKey.Port);`
	`28`	`+ socket.Send(NTLMSSPBuffer.dcerpc_buffer_v2);`
	`29`	`+ socket.Receive(response);`
	`30`	`+ }`
	`31`	`+ catch`
	`32`	`+ {`
	`33`	`+ return new byte[] { };`
	`34`	`+ }`
`30`	`35`	`return response;`
`31`	`36`	`}`
`32`	`37`
`33`	`38`	`private int ParsingNDR64Syntax(Byte[] responseBuffer)`
`34`	`39`	`{`
	`40`	`+ if (responseBuffer.Length == 0) return 0;`
`35`	`41`	`var NDR64SyntaxStr = BitConverter.ToString(responseBuffer).Replace("-", "");`
`36`		`- return NDR64SyntaxStr.Contains("33057171BABE37498319B5DBEF9CCC36") ? 64 : 32;`
	`42`	`+ return NDR64SyntaxStr.Contains("33057171BABE37498319B5DBEF9CCC36") ? 64 : 86;`
`37`	`43`	`}`
`38`	`44`	`}`
`39`	`45`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1,27 +1,26 @@`
`1`	`1`	`using System;`
`2`		`-using System.Collections.Generic;`
`3`		`-using System.Linq;`
`4`	`2`	`using System.Net.Sockets;`
`5`		`-using System.Text;`
	`3`	`+using System.Threading;`
`6`	`4`
`7`	`5`	`namespace SharpDetectionNTLMSSP`
`8`	`6`	`{`
`9`	`7`	`class SocketStream`
`10`	`8`	`{`
`11`	`9`	`public Boolean OK = false;`
`12`	`10`	`public Socket socket = null;`
	`11`	`+`
`13`	`12`	`public SocketStream(String ip, int port)`
`14`	`13`	`{`
`15`	`14`	`try`
`16`	`15`	`{`
`17`	`16`	`this.socket = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);`
`18`	`17`	`socket.Connect(ip, port);`
`19`	`18`	`OK = true;`
`20`		`- }`
`21`		`- catch`
	`19`	`+ }`
	`20`	`+ catch`
`22`	`21`	`{`
`23`	`22`	`OK = false;`
`24`		`- return;`
	`23`	`+ return;`
`25`	`24`	`}`
`26`	`25`	`}`
`27`	`26`
`@@ -31,9 +30,9 @@ public void SendMessage(Byte[] buffer)`
`31`	`30`	`{`
`32`	`31`	`socket.Send(buffer);`
`33`	`32`	`}`
`34`		`- catch (Exception ex)`
	`33`	`+ catch`
`35`	`34`	`{`
`36`		`- Console.WriteLine($"[!] Socket Error, during sending: {ex.Message}");`
	`35`	`+ return;`
`37`	`36`	`}`
`38`	`37`	`}`
`39`	`38`
`@@ -44,10 +43,11 @@ public byte[] ReceiveMessage()`
`44`	`43`	`{`
`45`	`44`	`socket.Receive(response);`
`46`	`45`	`}`
`47`		`- catch (Exception ex)`
	`46`	`+ catch`
`48`	`47`	`{`
`49`		`- Console.WriteLine($"[!] Socket Error, during receive: {ex.Message}");`
	`48`	`+ return new byte[] { };`
`50`	`49`	`}`
	`50`	`+`
`51`	`51`	`return response;`
`52`	`52`	`}`
`53`	`53`	`}`
Original file line number	Diff line number	Diff line change
`@@ -8,6 +8,7 @@ namespace SharpDetectionNTLMSSP`
`8`	`8`	`{`
`9`	`9`	`class Program`
`10`	`10`	`{`
	`11`	`+ private static int count = 0;`
`11`	`12`	`static void ParsingTriageNTLMSSPKey(TriageNTLMSSPKey _TriageNTLMSSPKey)`
`12`	`13`	`{`
`13`	`14`	`var result = String.Empty;`
`@@ -28,14 +29,15 @@ static void ParsingTriageNTLMSSPKey(TriageNTLMSSPKey _TriageNTLMSSPKey)`
`28`	`29`	`result += String.Format(" [>] NetBIOS computer name: {0}\r\n", _TriageNTLMSSPKey.NbtComputerName);`
`29`	`30`	`result += String.Format(" [>] DNS computer name : {0}\r\n", _TriageNTLMSSPKey.DnsComputerName);`
`30`	`31`	`result += String.Format(" [>] Time stamp : {0}\r\n", _TriageNTLMSSPKey.TimeStamp.ToString("yyyy-MM-dd HH-mm-ss ddd"));`
`31`		`-`
	`32`	`+ count += 1;`
`32`	`33`	`Console.WriteLine(result);`
`33`	`34`	`}`
`34`	`35`
`35`	`36`	`static void StartDoStuff(string target, int port, string typeKey)`
`36`	`37`	`{`
`37`	`38`	`var socketMessage = new SocketStream(target, port);`
`38`	`39`	`if (!socketMessage.OK) return;`
	`40`	`+`
`39`	`41`	`var _TriageNTLMSSPKey = new TriageNTLMSSPKey();`
`40`	`42`	`_TriageNTLMSSPKey.Target = target;`
`41`	`43`	`_TriageNTLMSSPKey.Port = port;`
`@@ -48,6 +50,7 @@ static void StartDoStuff(string target, int port, string typeKey)`
`48`	`50`	`_ModuleScan = (ModuleScan)Activator.CreateInstance(type);`
`49`	`51`	`}`
`50`	`52`	`_TriageNTLMSSPKey = _ModuleScan.StartScan(socketMessage, _TriageNTLMSSPKey);`
	`53`	`+ if (_TriageNTLMSSPKey == null) return;`
`51`	`54`	`ParsingTriageNTLMSSPKey(_TriageNTLMSSPKey);`
`52`	`55`	`}`
`53`	`56`
`@@ -120,7 +123,8 @@ static void Main(string[] args)`
`120`	`123`
`121`	`124`	`stopwatch.Stop();`
`122`	`125`	`TimeSpan timespan = stopwatch.Elapsed;`
`123`		`- Console.WriteLine("[*] Time taken: {0}s", timespan.TotalSeconds);`
	`126`	`+`
	`127`	`+ Console.WriteLine("[*] Count: {0}, Time taken: {1}s", count, timespan.TotalSeconds);`
`124`	`128`	`}`
`125`	`129`	`}`
`126`	`130`	`}`