author | Kevin Robertson <robertsonk@gmail.com> | 2018-05-02 22:41:15 -0400 |
committer | Kevin Robertson <robertsonk@gmail.com> | 2018-05-02 22:41:15 -0400 |
commit | 3b7fea570f89541d6c8faeeb2f0242cb5c05fca6 (patch) | |
tree | dc3de00eb8d35b26f1fc672ac9da3d99f6562d7d | |
parent | 93b5687e40025eec2d14efb2f45cfb4c0227c720 (diff) | |
download | Inveigh-3b7fea570f89541d6c8faeeb2f0242cb5c05fca6.tar.gz Inveigh-3b7fea570f89541d6c8faeeb2f0242cb5c05fca6.zip |
Inveigh-Relay and Invoke-SMBEnum group membership updates
Added the ability for Inveigh-Relay and Invoke-SMBEnum to distinguish groups from
users when enumerating group memberships.
-rw-r--r-- | Inveigh-Relay.ps1 | 37 | ||||
-rw-r--r-- | Invoke-SMBEnum.ps1 | 47 |
2 files changed, 65 insertions, 19 deletions
diff --git a/Inveigh-Relay.ps1 b/Inveigh-Relay.ps1
index 91f589b..767d4af 100644
--- a/Inveigh-Relay.ps1
+++ b/Inveigh-Relay.ps1
@@ -1998,24 +1998,15 @@ $SMB_relay_functions_scriptblock =
 
  function New-RelayEnumObject
  {
- param ($IP,$Targeted,$Sessions,$Administrators,$Shares,$NetSessions,$LocalUsers,$SMB2,$Signing,$SMBServer,$LastActivity)
-
- if(!$Sessions)
- {
- #$Sessions = New-Object System.Collections.ArrayList
- }
-
- if(!$Administrators)
- {
- #$Administrators = New-Object System.Collections.ArrayList
- }
+ param ($IP,$Targeted,$Sessions,$AdministratorUsers,$AdministratorGroups,$Shares,$NetSessions,$LocalUsers,$SMB2,$Signing,$SMBServer,$LastActivity)
 
  $relay_object = New-Object PSObject
  Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Index" $inveigh.enumeration_list.Count
  Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "IP" $IP
  Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Targeted" $Targeted
  Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Sessions" $Sessions
- Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Administrators" $Administrators
+ Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Administrator Users" $AdministratorUsers
+ Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Administrator Groups" $AdministratorGroups
  Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Shares" $Shares
  Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "NetSessions" $NetSessions
  Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Local Users" $LocalUsers
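Review bot: `New-RelayEnumObject` now exposes two note properties whose names contain spaces (`"Administrator Users"`, `"Administrator Groups"`), so every reader must use the quoted member form, as the `-2056` hunk does with `$_."Administrator Users"`; an unquoted `.AdministratorUsers` would not error but quietly return $null. Nothing in the function says what these two fields hold, and the split between them happens far away in the `-3600` hunk of this file. A short header comment would close that gap, e.g. `# Administrator Users / Administrator Groups: DOMAIN\name strings (built in the group-membership parsing below) split by the type byte read from the lookup response.` The function body continues past the end of this hunk.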
@@ -2056,7 +2047,7 @@ $SMB_relay_functions_scriptblock =
 
  ForEach($session in $initiator_sessions)
  {
- $targets = $inveigh.enumeration_list | Where-Object {$_.Administrators -contains $session} | Select-Object -expand IP
+ $targets = $inveigh.enumeration_list | Where-Object {$_."Administrator Users" -contains $session} | Select-Object -expand IP
  $targets = Compare-Object -ReferenceObject $targets -DifferenceObject $targets_filtered -IncludeEqual -ExcludeDifferent -PassThru
 
  if($targets)
@@ -3531,7 +3522,8 @@ $SMB_relay_functions_scriptblock =
  $response_domain_start = $response_domain_count * 12 + 172
  $response_domain_end = $response_domain_start
  $response_domain_length_start = 160
- $enumerate_group_list = New-Object System.Collections.ArrayList
+ $enumerate_group_user_list = New-Object System.Collections.ArrayList
+ $enumerate_group_group_list = New-Object System.Collections.ArrayList
  $response_domain_list = @()
  $i = 0
 
@@ -3572,7 +3564,8 @@ $SMB_relay_functions_scriptblock =
 
  while($i -lt $response_user_count)
  {
- $response_user_object = New-Object PSObject
+ #$response_user_object = New-Object PSObject
+ [Byte[]]$response_user_type_bytes = $client_receive[($response_user_length_start - 4)]
  [Byte[]]$response_user_length_bytes = $client_receive[$response_user_length_start..($response_user_length_start + 1)]
  $response_user_length = [System.BitConverter]::ToInt16($response_user_length_bytes,0)
  $response_SID_index_start = $response_user_length_start + 8
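Review bot: In the `-3572` hunk, `[Byte[]]$response_user_type_bytes = $client_receive[($response_user_length_start - 4)]` reads a single byte at a hard-coded offset from the server's response and wraps it in a one-element `[Byte[]]`, which only makes the later `-eq 1` test (in the `-3600` hunk) work by accident, since comparing an array with a scalar yields a filtered array rather than a boolean; `$response_user_type = $client_receive[$response_user_length_start - 4]` followed by `if($response_user_type -eq 1)` says what is meant. Invoke-SMBEnum's `-2183` hunk decodes what looks like the same field from a four-byte slice with `ToInt16`, so the two scripts disagree on the field's width; pick one decoding and reuse it. Nothing checks that the index lies inside `$client_receive`, so a short or malformed response (the remote server controls this buffer) yields $null here and the entry lands silently in the group list. The `#$response_user_object = New-Object PSObject` line should be deleted rather than left commented out. Invoke-SMBEnum's `-2246` hunk adds the same one-byte read and has the same points.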
@@ -3600,7 +3593,16 @@ $SMB_relay_functions_scriptblock =
  #Add-Member -InputObject $response_user_object -MemberType NoteProperty -Name Domain $response_domain_list[$response_SID_index]
  $response_user_length_start = $response_user_length_start + 16
  $response_administrator = $response_domain_list[$response_SID_index] + "\" + $response_user
- $enumerate_group_list.Add($response_administrator) > $null
+
+ if($response_user_type_bytes -eq 1)
+ {
+ $enumerate_group_user_list.Add($response_administrator) > $null
+ }
+ else
+ {
+ $enumerate_group_group_list.Add($response_administrator) > $null
+ }
+
  $i++
  }
 
@@ -4469,7 +4471,8 @@ $SMB_relay_functions_scriptblock =
 
  #$inveigh.enumeration_list | Where-Object {$_.IP -eq $target} | ForEach-Object {$_.Administrators = $response_group_list} {$_.Users = $response_user_list} {$_.Shares = $response_share_list} {$_.NetSessions = $response_netsession_list}
  $target_index = $inveigh.enumeration_list | Where-Object {$_.IP -eq $target} | Select-Object -expand Index
- $inveigh.enumeration_list[$target_index].Administrators = $enumerate_group_list
+ $inveigh.enumeration_list[$target_index]."Administrator Users" = $enumerate_group_user_list
+ $inveigh.enumeration_list[$target_index]."Administrator Groups" = $enumerate_group_group_list
  $inveigh.enumeration_list[$target_index]."Local Users" = $enumerate_user_list
  $inveigh.enumeration_list[$target_index].Shares = $enumerate_share_list
  $inveigh.enumeration_list[$target_index].NetSessions = $enumerate_netsession_list
diff --git a/Invoke-SMBEnum.ps1 b/Invoke-SMBEnum.ps1
index f911b2e..669aa41 100644
--- a/Invoke-SMBEnum.ps1
+++ b/Invoke-SMBEnum.ps1
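Review bot: In the `-3600` hunk, `if($response_user_type_bytes -eq 1)` files every value other than 1 under groups; if this byte is the SID_NAME_USE value of the lookup response (the hunk does not say what it is), 1 is SidTypeUser and 2 SidTypeGroup, while aliases, well-known groups, deleted and unknown SIDs carry other values and would all be reported as groups. A `switch` on the value with an explicit default, or at least a comment such as `# anything that is not a user account is recorded as a group`, would make the output honest about that. The comparison also runs against a `[Byte[]]`, so it is an array filter rather than a boolean and works only because the array has exactly one element. The same else-is-group shape appears in Invoke-SMBEnum's `-2183` and `-2265` hunks. The enclosing `while` loop starts outside this hunk.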
@@ -2158,11 +2158,12 @@ if($client.Connected -or (!$startup_error -and $inveigh.session_socket_table[$se
  $response_user_end = $response_user_start
  $response_user_length_start = 152
  $response_user_list = @()
+ $response_username_list = @()
+ $response_user_type_list = @()
  $i = 0
 
  while($i -lt $response_user_count)
  {
- $response_user_object = New-Object PSObject
  [Byte[]]$response_user_length_bytes = $client_receive[$response_user_length_start..($response_user_length_start + 1)]
  $response_user_length = [System.BitConverter]::ToInt16($response_user_length_bytes,0)
  $response_user_end = $response_user_start + $response_user_length
@@ -2183,8 +2184,38 @@ if($client.Connected -or (!$startup_error -and $inveigh.session_socket_table[$se
  $response_user = $response_user -replace "-00",""
  $response_user = $response_user.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
  $response_user = New-Object System.String ($response_user,0,$response_user.Length)
- Add-Member -InputObject $response_user_object -MemberType NoteProperty -Name Username $response_user
+ $response_username_list += $response_user
  $response_user_length_start = $response_user_length_start + 8
+ $i++
+ }
+
+ $response_user_type_array_bytes = $client_receive[($response_user_end + 14)..($response_user_end + 13 + ($response_user_count * 4))]
+ $response_user_type_start = 0
+
+ for($i = 0; $i -lt $response_user_count; $i++)
+ {
+ $response_user_type_bytes = $response_user_type_array_bytes[($response_user_type_start..($response_user_type_start + 3))]
+ $response_user_type_start += 4
+ $response_user_type = [System.BitConverter]::ToInt16($response_user_type_bytes,0)
+
+ if($response_user_type -eq 1)
+ {
+ $response_user_type_list += "user"
+ }
+ else
+ {
+ $response_user_type_list += "group"
+ }
+
+ }
+
+ $i = 0
+
+ ForEach($user in $response_username_list)
+ {
+ $response_user_object = New-Object PSObject
+ Add-Member -InputObject $response_user_object -MemberType NoteProperty -Name Username $user
+ Add-Member -InputObject $response_user_object -MemberType NoteProperty -Name Type $response_user_type_list[$i]
  $response_user_list += $response_user_object
  $i++
  }
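Review bot: `$response_user_type_array_bytes = $client_receive[($response_user_end + 14)..($response_user_end + 13 + ($response_user_count * 4))]` slices a server-controlled buffer at hard-coded offsets with no length check; a PowerShell index range that runs past the end of the array returns $null elements instead of failing, so a truncated response appears to fall through to `ToInt16` on nulls and each such entry is labelled "group" with no sign that parsing went wrong. A guard before the slice, e.g. `if($client_receive.Length -lt ($response_user_end + 14 + $response_user_count * 4)) { throw "truncated lookup response" }`, would surface that instead. `[System.BitConverter]::ToInt16` reads only the first two of the four bytes taken per entry, so `ToInt32` would match the slice width (and Inveigh-Relay's `-3572` hunk reads a single byte for what looks like the same field, so the decoding is inconsistent between the two scripts). The three parallel arrays `$response_username_list`, `$response_user_type_list` and `$response_user_list` grow with `+=`, which copies the array on every append; building the object inside the `for` loop with `$response_username_list[$i]`, now that the type is known there, would remove the third pass and the reused `$i` counter. The enclosing `while` loop starts outside this hunk.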
@@ -2246,6 +2277,7 @@ if($client.Connected -or (!$startup_error -and $inveigh.session_socket_table[$se
  while($i -lt $response_user_count)
  {
  $response_user_object = New-Object PSObject
+ [Byte[]]$response_user_type_bytes = $client_receive[($response_user_length_start - 4)]
  [Byte[]]$response_user_length_bytes = $client_receive[$response_user_length_start..($response_user_length_start + 1)]
  $response_user_length = [System.BitConverter]::ToInt16($response_user_length_bytes,0)
  $response_SID_index_start = $response_user_length_start + 8
@@ -2265,12 +2297,23 @@ if($client.Connected -or (!$startup_error -and $inveigh.session_socket_table[$se
  $response_user_start += $response_user_length + 12
  }
 
+ if($response_user_type_bytes -eq 1)
+ {
+ $response_user_type = "user"
+ }
+ else
+ {
+ $response_user_type = "group"
+ }
+
+
  $response_user = [System.BitConverter]::ToString($response_user_bytes)
  $response_user = $response_user -replace "-00",""
  $response_user = $response_user.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
  $response_user = New-Object System.String ($response_user,0,$response_user.Length)
  Add-Member -InputObject $response_user_object -MemberType NoteProperty -Name Username $response_user
  Add-Member -InputObject $response_user_object -MemberType NoteProperty -Name Domain $response_domain_list[$response_SID_index]
+ Add-Member -InputObject $response_user_object -MemberType NoteProperty -Name Type $response_user_type
  $response_user_length_start = $response_user_length_start + 16
  $response_user_list += $response_user_object
  $i++
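Review bot: In the `-2265` hunk the added `if`/`else` that maps the type byte to "user"/"group" is followed by two consecutive blank lines before `$response_user = [System.BitConverter]::ToString($response_user_bytes)`; one blank line matches the rest of the file. This mapping is also the third copy of the same `-eq 1` → "user", otherwise "group" logic in this commit (the `-2183` hunk above and Inveigh-Relay's `-3600` hunk), so a small shared helper, e.g. `function Get-MemberTypeName($type) { if($type -eq 1) { "user" } else { "group" } }`, would keep the three in step when more types are handled. The enclosing `while` loop starts outside this hunk.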