No clue. In my notes, need to test.

Need to switch to single database connection instead of one/thread

After a rule executes, determine way to keep a thread of that connection open and perform additional actions against it. Long dev cycle ahead on this one....

PoC written. Need to implement. more issues to come as it builds

Not currently supported. add dns support and detection if target is an ip or DNS entry.

Needs DB structure. Also detect if auth was successful, but just didn't have enough permissions.

In environments with multiple DC trees, need to work on which server has which and follow referrals

Workaround for now is an IPTables rule ;)

Not sure what to include in the CLI, but basic options that don't require full on http access. Such as:

• Currently Authenticated Users
• Create a rule
• View Rules
• Generate Payload

Instead of just offering html file for download, host the HTML file in /$folder/

Instances such as a vuln scanner or *nix system that won't respect the smb reauth and automatically perform it. Need to

• Detect if user doesn't support reauth command
• If IP is in the "internal range" (config option in future?) then mark that source IP as not supporting reauth
• Use the auth from the detection that it doesnt work to say "this source IP is this user"

Needs further investigation. Placeholder for now

Instances where client won't auto-auth (i.e. *nix/mac systems), provide a wpad.dat or other payload.

HTTP(s) Proxy with keep-alive to use only one auth and provide access to a website.

Need to detect and prevent the following occurrences.

• relaying back to original targeted client
• targeted service does not support relaying due to signing enabled

Need to dig back in old code as to how to respond to reject null users and get actual auth.

Upon connection, info on client (i.e. the client sid and hostname) is obtained. Should store this in a db for further info beyond just rdns

for some reason CHANGEME in Ews_id_query is not being subed. Not sure issue.

For tracking of SE campaigns, logging should include the path requested for both HTTP and SMB servers!

Not sure what this is, but it was in my notes. Needs further investigatoin

Left bar does not remove users after they go away. SMB shouldn't be hard, http might have minor issues with keep-alive being preserved.

Allow different ports for clients to connect to and flag if target is ssl.

Payload for when access to sql is obtained or sqli is present to determine the connect to smb with the system account hosting the DB, write to a file (desktop.inis etc.)

Known issue. Need to create menu options and pages.

Current guess is SID is not using local sid and odd WCTs of IP addys require extra \x00\x00

Create javascript payload for injection either MITM or persistent XSS. Provide for download or locally hosted.

Add the following:

• add email rules to fwd a copy to someone else
• view / modify calendar
• Send as user
• pull contacts
• access other folders other than their own

New issues to be created basd on which one of these get finished in time for derby

Either meta-refresh of iframe, ajax-ify, flash of window, or something to notify user that a wild new user has appeared!

to be added to payload page

Fake server connection that always has the response since the hash is known. Requires further ntlm library dev for challenge generation.

Show if rule was executed, what time, what user, and response - provide ability to retry again.

Instead of dumping straight to xml file, should it go into a different file format for opening up in outlook/thunderbird/other or stay in xml file format and make a searchable/gui front end webmail?

Currently API is only "wait for" with a timeout. Generate second API page to pass back a request ID and third to take requestid as param and spit back status. Should include another api request for deleting the requestid from actionlist.

'nuff said.

Not sure how to integrate into rules. Possibly just rely on http proxy development.

Create rule logic to allow any user. Needs to do the following

1. Perform API Actions First, then Other Rules, then rules.
2. user domain == $DOMAIN
3. User has not failed connecting to $TARGET before, else find another user.

Needs much more investigation. For some reason SMB -> LDAP does not work. Auth goes ok but subsequent transmission fails. Current theory is NTLMv2 signing flag is setting LDAP signing.

Testing in API reveals that some messages containing \x0a are getting the bytes removed as gsub is picking them up as \n.

Very Low on feature request list. Add option to respond with a valid wpad.dat and mitm all their http traffic (ssl untampered) or relay to another mitm toolset for http traffic.

Add ability to specify priority for Rules and Subactions.