authorKevin Robertson <robertsonk@gmail.com>2018-03-26 22:54:30 -0400
committerKevin Robertson <robertsonk@gmail.com>2018-03-26 22:54:30 -0400
commitac5f0e258448772c6b414ccbc8b925e6f8224f00 (patch)
tree0219220843db7adaebcd05d0ea7c446b11030324
parentfc57371c8e82d5aa6af90a9b39d892aefcf809c3 (diff)
downloadInveigh-ac5f0e258448772c6b414ccbc8b925e6f8224f00.tar.gz
Inveigh-ac5f0e258448772c6b414ccbc8b925e6f8224f00.zip
Updated Invoke-SMBEnum
-rw-r--r--Invoke-SMBEnum.ps13099
1 files changed, 2096 insertions, 1003 deletions
diff --git a/Invoke-SMBEnum.ps1 b/Invoke-SMBEnum.ps1
index 8ee4534..c683ee1 100644
--- a/Invoke-SMBEnum.ps1
+++ b/Invoke-SMBEnum.ps1
@@ -22,7 +22,10 @@ username.
NTLM password hash for authentication. This module will accept either LM:NTLM or NTLM format.
.PARAMETER Action
-(NetSession,Share,User) Default = Share
+(All,Group,NetSession,Share,User) Default = Share: Enumeration action to perform.
+
+.PARAMETER Group
+Default = Administrators: Group to enumerate.
.PARAMETER Sleep
Default = 150 Milliseconds: Sets the function's Start-Sleep values in milliseconds. You can try tweaking this
@@ -60,9 +63,10 @@ param
[parameter(ParameterSetName='Default',Mandatory=$true)][String]$Target,
[parameter(ParameterSetName='Default',Mandatory=$true)][String]$Username,
[parameter(ParameterSetName='Default',Mandatory=$false)][String]$Domain,
- [parameter(Mandatory=$false)][ValidateSet("NetSession","Share","User")][String]$Action = "Share",
+ [parameter(Mandatory=$false)][ValidateSet("All","NetSession","Share","User","Group")][String]$Action = "All",
[parameter(ParameterSetName='Default',Mandatory=$true)][ValidateScript({$_.Length -eq 32 -or $_.Length -eq 65})][String]$Hash,
[parameter(Mandatory=$false)][String]$Service,
+ [parameter(Mandatory=$false)][String]$Group = "Administrators",
[parameter(ParameterSetName='Default',Mandatory=$false)][Switch]$SigningCheck,
[parameter(ParameterSetName='Session',Mandatory=$false)][Int]$Session,
[parameter(ParameterSetName='Session',Mandatory=$false)][Switch]$Logoff,
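Review bot: The new default `$Action = "All"` contradicts the help text this same commit adds for the parameter (`(All,Group,NetSession,Share,User) Default = Share: Enumeration action to perform.`), so one of the two needs to change. Because "All" presumably runs every enumeration action (Group, NetSession, Share, User) against the target in one go, it is the noisier choice for an operator who just wants a quick look; I would keep `[String]$Action = "Share"` to match the documented default, or, if the broader default is intended, change the help text to `Default = All`. The added `$Group` parameter has no ParameterSetName, so it is also accepted in the Session parameter set; that mirrors `$Action` and `$Service` and looks intentional, but worth confirming. The param block starts before and ends after this hunk.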
@@ -72,9 +76,9 @@ param
function ConvertFrom-PacketOrderedDictionary
{
- param($packet_ordered_dictionary)
+ param($OrderedDictionary)
- ForEach($field in $packet_ordered_dictionary.Values)
+ ForEach($field in $OrderedDictionary.Values)
{
$byte_array += $field
}
@@ -86,700 +90,824 @@ function ConvertFrom-PacketOrderedDictionary
function New-PacketNetBIOSSessionService
{
- param([Int]$packet_header_length,[Int]$packet_data_length)
+ param([Int]$HeaderLength,[Int]$DataLength)
- [Byte[]]$packet_netbios_session_service_length = [System.BitConverter]::GetBytes($packet_header_length + $packet_data_length)
- $packet_NetBIOS_session_service_length = $packet_netbios_session_service_length[2..0]
+ [Byte[]]$length = ([System.BitConverter]::GetBytes($HeaderLength + $DataLength))[2..0]
- $packet_NetBIOSSessionService = New-Object System.Collections.Specialized.OrderedDictionary
- $packet_NetBIOSSessionService.Add("Message_Type",[Byte[]](0x00))
- $packet_NetBIOSSessionService.Add("Length",[Byte[]]($packet_netbios_session_service_length))
+ $NetBIOSSessionService = New-Object System.Collections.Specialized.OrderedDictionary
+ $NetBIOSSessionService.Add("MessageType",[Byte[]](0x00))
+ $NetBIOSSessionService.Add("Length",[Byte[]]($length))
- return $packet_NetBIOSSessionService
+ return $NetBIOSSessionService
}
#SMB1
function New-PacketSMBHeader
{
- param([Byte[]]$packet_command,[Byte[]]$packet_flags,[Byte[]]$packet_flags2,[Byte[]]$packet_tree_ID,[Byte[]]$packet_process_ID,[Byte[]]$packet_user_ID)
-
- $packet_process_ID = $packet_process_ID[0,1]
-
- $packet_SMBHeader = New-Object System.Collections.Specialized.OrderedDictionary
- $packet_SMBHeader.Add("Protocol",[Byte[]](0xff,0x53,0x4d,0x42))
- $packet_SMBHeader.Add("Command",$packet_command)
- $packet_SMBHeader.Add("ErrorClass",[Byte[]](0x00))
- $packet_SMBHeader.Add("Reserved",[Byte[]](0x00))
- $packet_SMBHeader.Add("ErrorCode",[Byte[]](0x00,0x00))
- $packet_SMBHeader.Add("Flags",$packet_flags)
- $packet_SMBHeader.Add("Flags2",$packet_flags2)
- $packet_SMBHeader.Add("ProcessIDHigh",[Byte[]](0x00,0x00))
- $packet_SMBHeader.Add("Signature",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
- $packet_SMBHeader.Add("Reserved2",[Byte[]](0x00,0x00))
- $packet_SMBHeader.Add("TreeID",$packet_tree_ID)
- $packet_SMBHeader.Add("ProcessID",$packet_process_ID)
- $packet_SMBHeader.Add("UserID",$packet_user_ID)
- $packet_SMBHeader.Add("MultiplexID",[Byte[]](0x00,0x00))
-
- return $packet_SMBHeader
+ param([Byte[]]$Command,[Byte[]]$Flags,[Byte[]]$Flags2,[Byte[]]$TreeID,[Byte[]]$ProcessID,[Byte[]]$UserID)
+
+ $ProcessID = $ProcessID[0,1]
+
+ $SMBHeader = New-Object System.Collections.Specialized.OrderedDictionary
+ $SMBHeader.Add("Protocol",[Byte[]](0xff,0x53,0x4d,0x42))
+ $SMBHeader.Add("Command",$Command)
+ $SMBHeader.Add("ErrorClass",[Byte[]](0x00))
+ $SMBHeader.Add("Reserved",[Byte[]](0x00))
+ $SMBHeader.Add("ErrorCode",[Byte[]](0x00,0x00))
+ $SMBHeader.Add("Flags",$Flags)
+ $SMBHeader.Add("Flags2",$Flags2)
+ $SMBHeader.Add("ProcessIDHigh",[Byte[]](0x00,0x00))
+ $SMBHeader.Add("Signature",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+ $SMBHeader.Add("Reserved2",[Byte[]](0x00,0x00))
+ $SMBHeader.Add("TreeID",$TreeID)
+ $SMBHeader.Add("ProcessID",$ProcessID)
+ $SMBHeader.Add("UserID",$UserID)
+ $SMBHeader.Add("MultiplexID",[Byte[]](0x00,0x00))
+
+ return $SMBHeader
}
function New-PacketSMBNegotiateProtocolRequest
{
- param([String]$packet_version)
+ param([String]$Version)
- if($packet_version -eq 'SMB1')
+ if($Version -eq 'SMB1')
{
- [Byte[]]$packet_byte_count = 0x0c,0x00
+ [Byte[]]$byte_count = 0x0c,0x00
}
else
{
- [Byte[]]$packet_byte_count = 0x22,0x00
+ [Byte[]]$byte_count = 0x22,0x00
}
- $packet_SMBNegotiateProtocolRequest = New-Object System.Collections.Specialized.OrderedDictionary
- $packet_SMBNegotiateProtocolRequest.Add("WordCount",[Byte[]](0x00))
- $packet_SMBNegotiateProtocolRequest.Add("ByteCount",$packet_byte_count)
- $packet_SMBNegotiateProtocolRequest.Add("RequestedDialects_Dialect_BufferFormat",[Byte[]](0x02))
- $packet_SMBNegotiateProtocolRequest.Add("RequestedDialects_Dialect_Name",[Byte[]](0x4e,0x54,0x20,0x4c,0x4d,0x20,0x30,0x2e,0x31,0x32,0x00))
+ $SMBNegotiateProtocolRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $SMBNegotiateProtocolRequest.Add("WordCount",[Byte[]](0x00))
+ $SMBNegotiateProtocolRequest.Add("ByteCount",$byte_count)
+ $SMBNegotiateProtocolRequest.Add("RequestedDialects_Dialect_BufferFormat",[Byte[]](0x02))
+ $SMBNegotiateProtocolRequest.Add("RequestedDialects_Dialect_Name",[Byte[]](0x4e,0x54,0x20,0x4c,0x4d,0x20,0x30,0x2e,0x31,0x32,0x00))
- if($packet_version -ne 'SMB1')
+ if($version -ne 'SMB1')
{
- $packet_SMBNegotiateProtocolRequest.Add("RequestedDialects_Dialect_BufferFormat2",[Byte[]](0x02))
- $packet_SMBNegotiateProtocolRequest.Add("RequestedDialects_Dialect_Name2",[Byte[]](0x53,0x4d,0x42,0x20,0x32,0x2e,0x30,0x30,0x32,0x00))
- $packet_SMBNegotiateProtocolRequest.Add("RequestedDialects_Dialect_BufferFormat3",[Byte[]](0x02))
- $packet_SMBNegotiateProtocolRequest.Add("RequestedDialects_Dialect_Name3",[Byte[]](0x53,0x4d,0x42,0x20,0x32,0x2e,0x3f,0x3f,0x3f,0x00))
+ $SMBNegotiateProtocolRequest.Add("RequestedDialects_Dialect_BufferFormat2",[Byte[]](0x02))
+ $SMBNegotiateProtocolRequest.Add("RequestedDialects_Dialect_Name2",[Byte[]](0x53,0x4d,0x42,0x20,0x32,0x2e,0x30,0x30,0x32,0x00))
+ $SMBNegotiateProtocolRequest.Add("RequestedDialects_Dialect_BufferFormat3",[Byte[]](0x02))
+ $SMBNegotiateProtocolRequest.Add("RequestedDialects_Dialect_Name3",[Byte[]](0x53,0x4d,0x42,0x20,0x32,0x2e,0x3f,0x3f,0x3f,0x00))
}
- return $packet_SMBNegotiateProtocolRequest
+ return $SMBNegotiateProtocolRequest
}
#SMB2
function New-PacketSMB2Header
{
- param([Byte[]]$packet_command,[Byte[]]$packet_credit_request,[Int]$packet_message_ID,[Byte[]]$packet_process_ID,[Byte[]]$packet_tree_ID,[Byte[]]$packet_session_ID)
-
- [Byte[]]$packet_message_ID = [System.BitConverter]::GetBytes($packet_message_ID) + 0x00,0x00,0x00,0x00
-
- $packet_SMB2Header = New-Object System.Collections.Specialized.OrderedDictionary
- $packet_SMB2Header.Add("ProtocolID",[Byte[]](0xfe,0x53,0x4d,0x42))
- $packet_SMB2Header.Add("StructureSize",[Byte[]](0x40,0x00))
- $packet_SMB2Header.Add("CreditCharge",[Byte[]](0x01,0x00))
- $packet_SMB2Header.Add("ChannelSequence",[Byte[]](0x00,0x00))
- $packet_SMB2Header.Add("Reserved",[Byte[]](0x00,0x00))
- $packet_SMB2Header.Add("Command",$packet_command)
- $packet_SMB2Header.Add("CreditRequest",$packet_credit_request)
- $packet_SMB2Header.Add("Flags",[Byte[]](0x00,0x00,0x00,0x00))
- $packet_SMB2Header.Add("NextCommand",[Byte[]](0x00,0x00,0x00,0x00))
- $packet_SMB2Header.Add("MessageID",$packet_message_ID)
- $packet_SMB2Header.Add("ProcessID",$packet_process_ID)
- $packet_SMB2Header.Add("TreeID",$packet_tree_ID)
- $packet_SMB2Header.Add("SessionID",$packet_session_ID)
- $packet_SMB2Header.Add("Signature",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
-
- return $packet_SMB2Header
+ param([Byte[]]$Command,[Byte[]]$CreditRequest,[Int]$MessageID,[Byte[]]$ProcessID,[Byte[]]$TreeID,[Byte[]]$SessionID)
+
+ [Byte[]]$message_ID = [System.BitConverter]::GetBytes($MessageID)
+
+ if($message_ID.Length -eq 4)
+ {
+ $message_ID += 0x00,0x00,0x00,0x00
+ }
+
+ $SMB2Header = New-Object System.Collections.Specialized.OrderedDictionary
+ $SMB2Header.Add("ProtocolID",[Byte[]](0xfe,0x53,0x4d,0x42))
+ $SMB2Header.Add("StructureSize",[Byte[]](0x40,0x00))
+ $SMB2Header.Add("CreditCharge",[Byte[]](0x01,0x00))
+ $SMB2Header.Add("ChannelSequence",[Byte[]](0x00,0x00))
+ $SMB2Header.Add("Reserved",[Byte[]](0x00,0x00))
+ $SMB2Header.Add("Command",$Command)
+ $SMB2Header.Add("CreditRequest",$CreditRequest)
+ $SMB2Header.Add("Flags",[Byte[]](0x00,0x00,0x00,0x00))
+ $SMB2Header.Add("NextCommand",[Byte[]](0x00,0x00,0x00,0x00))
+ $SMB2Header.Add("MessageID",$message_ID)
+ $SMB2Header.Add("ProcessID",$ProcessID)
+ $SMB2Header.Add("TreeID",$TreeID)
+ $SMB2Header.Add("SessionID",$SessionID)
+ $SMB2Header.Add("Signature",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+
+ return $SMB2Header
}
function New-PacketSMB2NegotiateProtocolRequest
{
- $packet_SMB2NegotiateProtocolRequest = New-Object System.Collections.Specialized.OrderedDictionary
- $packet_SMB2NegotiateProtocolRequest.Add("StructureSize",[Byte[]](0x24,0x00))
- $packet_SMB2NegotiateProtocolRequest.Add("DialectCount",[Byte[]](0x02,0x00))
- $packet_SMB2NegotiateProtocolRequest.Add("SecurityMode",[Byte[]](0x01,0x00))
- $packet_SMB2NegotiateProtocolRequest.Add("Reserved",[Byte[]](0x00,0x00))
- $packet_SMB2NegotiateProtocolRequest.Add("Capabilities",[Byte[]](0x40,0x00,0x00,0x00))
- $packet_SMB2NegotiateProtocolRequest.Add("ClientGUID",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
- $packet_SMB2NegotiateProtocolRequest.Add("NegotiateContextOffset",[Byte[]](0x00,0x00,0x00,0x00))
- $packet_SMB2NegotiateProtocolRequest.Add("NegotiateContextCount",[Byte[]](0x00,0x00))
- $packet_SMB2NegotiateProtocolRequest.Add("Reserved2",[Byte[]](0x00,0x00))
- $packet_SMB2NegotiateProtocolRequest.Add("Dialect",[Byte[]](0x02,0x02))
- $packet_SMB2NegotiateProtocolRequest.Add("Dialect2",[Byte[]](0x10,0x02))
-
- return $packet_SMB2NegotiateProtocolRequest
+ $SMB2NegotiateProtocolRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $SMB2NegotiateProtocolRequest.Add("StructureSize",[Byte[]](0x24,0x00))
+ $SMB2NegotiateProtocolRequest.Add("DialectCount",[Byte[]](0x02,0x00))
+ $SMB2NegotiateProtocolRequest.Add("SecurityMode",[Byte[]](0x01,0x00))
+ $SMB2NegotiateProtocolRequest.Add("Reserved",[Byte[]](0x00,0x00))
+ $SMB2NegotiateProtocolRequest.Add("Capabilities",[Byte[]](0x40,0x00,0x00,0x00))
+ $SMB2NegotiateProtocolRequest.Add("ClientGUID",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+ $SMB2NegotiateProtocolRequest.Add("NegotiateContextOffset",[Byte[]](0x00,0x00,0x00,0x00))
+ $SMB2NegotiateProtocolRequest.Add("NegotiateContextCount",[Byte[]](0x00,0x00))
+ $SMB2NegotiateProtocolRequest.Add("Reserved2",[Byte[]](0x00,0x00))
+ $SMB2NegotiateProtocolRequest.Add("Dialect",[Byte[]](0x02,0x02))
+ $SMB2NegotiateProtocolRequest.Add("Dialect2",[Byte[]](0x10,0x02))
+
+ return $SMB2NegotiateProtocolRequest
}
function New-PacketSMB2SessionSetupRequest
{
- param([Byte[]]$packet_security_blob)
-
- [Byte[]]$packet_security_blob_length = [System.BitConverter]::GetBytes($packet_security_blob.Length)
- $packet_security_blob_length = $packet_security_blob_length[0,1]
-
- $packet_SMB2SessionSetupRequest = New-Object System.Collections.Specialized.OrderedDictionary
- $packet_SMB2SessionSetupRequest.Add("StructureSize",[Byte[]](0x19,0x00))
- $packet_SMB2SessionSetupRequest.Add("Flags",[Byte[]](0x00))
- $packet_SMB2SessionSetupRequest.Add("SecurityMode",[Byte[]](0x01))
- $packet_SMB2SessionSetupRequest.Add("Capabilities",[Byte[]](0x00,0x00,0x00,0x00))
- $packet_SMB2SessionSetupRequest.Add("Channel",[Byte[]](0x00,0x00,0x00,0x00))
- $packet_SMB2SessionSetupRequest.Add("SecurityBufferOffset",[Byte[]](0x58,0x00))
- $packet_SMB2SessionSetupRequest.Add("SecurityBufferLength",$packet_security_blob_length)
- $packet_SMB2SessionSetupRequest.Add("PreviousSessionID",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
- $packet_SMB2SessionSetupRequest.Add("Buffer",$packet_security_blob)
-
- return $packet_SMB2SessionSetupRequest
+ param([Byte[]]$SecurityBlob)
+
+ [Byte[]]$security_buffer_length = ([System.BitConverter]::GetBytes($SecurityBlob.Length))[0,1]
+
+ $SMB2SessionSetupRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $SMB2SessionSetupRequest.Add("StructureSize",[Byte[]](0x19,0x00))
+ $SMB2SessionSetupRequest.Add("Flags",[Byte[]](0x00))
+ $SMB2SessionSetupRequest.Add("SecurityMode",[Byte[]](0x01))
+ $SMB2SessionSetupRequest.Add("Capabilities",[Byte[]](0x00,0x00,0x00,0x00))
+ $SMB2SessionSetupRequest.Add("Channel",[Byte[]](0x00,0x00,0x00,0x00))
+ $SMB2SessionSetupRequest.Add("SecurityBufferOffset",[Byte[]](0x58,0x00))
+ $SMB2SessionSetupRequest.Add("SecurityBufferLength",$security_buffer_length)
+ $SMB2SessionSetupRequest.Add("PreviousSessionID",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+ $SMB2SessionSetupRequest.Add("Buffer",$SecurityBlob)
+
+ return $SMB2SessionSetupRequest
}
function New-PacketSMB2TreeConnectRequest
{
- param([Byte[]]$packet_path)
+ param([Byte[]]$Buffer)
- [Byte[]]$packet_path_length = [System.BitConverter]::GetBytes($packet_path.Length)
- $packet_path_length = $packet_path_length[0,1]
+ [Byte[]]$path_length = ([System.BitConverter]::GetBytes($Buffer.Length))[0,1]
- $packet_SMB2TreeConnectRequest = New-Object System.Collections.Specialized.OrderedDictionary
- $packet_SMB2TreeConnectRequest.Add("StructureSize",[Byte[]](0x09,0x00))
- $packet_SMB2TreeConnectRequest.Add("Reserved",[Byte[]](0x00,0x00))
- $packet_SMB2TreeConnectRequest.Add("PathOffset",[Byte[]](0x48,0x00))
- $packet_SMB2TreeConnectRequest.Add("PathLength",$packet_path_length)
- $packet_SMB2TreeConnectRequest.Add("Buffer",$packet_path)
+ $SMB2TreeConnectRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $SMB2TreeConnectRequest.Add("StructureSize",[Byte[]](0x09,0x00))
+ $SMB2TreeConnectRequest.Add("Reserved",[Byte[]](0x00,0x00))
+ $SMB2TreeConnectRequest.Add("PathOffset",[Byte[]](0x48,0x00))
+ $SMB2TreeConnectRequest.Add("PathLength",$path_length)
+ $SMB2TreeConnectRequest.Add("Buffer",$Buffer)
- return $packet_SMB2TreeConnectRequest
+ return $SMB2TreeConnectRequest
}
function New-PacketSMB2CreateRequestFile
{
- param([Byte[]]$packet_named_pipe)
-
- $packet_named_pipe_length = [System.BitConverter]::GetBytes($packet_named_pipe.Length)
- $packet_named_pipe_length = $packet_named_pipe_length[0,1]
-
- $packet_SMB2CreateRequestFile = New-Object System.Collections.Specialized.OrderedDictionary
- $packet_SMB2CreateRequestFile.Add("StructureSize",[Byte[]](0x39,0x00))
- $packet_SMB2CreateRequestFile.Add("Flags",[Byte[]](0x00))
- $packet_SMB2CreateRequestFile.Add("RequestedOplockLevel",[Byte[]](0x00))
- $packet_SMB2CreateRequestFile.Add("Impersonation",[Byte[]](0x02,0x00,0x00,0x00))
- $packet_SMB2CreateRequestFile.Add("SMBCreateFlags",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
- $packet_SMB2CreateRequestFile.Add("Reserved",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
- $packet_SMB2CreateRequestFile.Add("DesiredAccess",[Byte[]](0x03,0x00,0x00,0x00))
- $packet_SMB2CreateRequestFile.Add("FileAttributes",[Byte[]](0x80,0x00,0x00,0x00))
- $packet_SMB2CreateRequestFile.Add("ShareAccess",[Byte[]](0x01,0x00,0x00,0x00))
- $packet_SMB2CreateRequestFile.Add("CreateDisposition",[Byte[]](0x01,0x00,0x00,0x00))
- $packet_SMB2CreateRequestFile.Add("CreateOptions",[Byte[]](0x40,0x00,0x00,0x00))
- $packet_SMB2CreateRequestFile.Add("NameOffset",[Byte[]](0x78,0x00))
- $packet_SMB2CreateRequestFile.Add("NameLength",$packet_named_pipe_length)
- $packet_SMB2CreateRequestFile.Add("CreateContextsOffset",[Byte[]](0x00,0x00,0x00,0x00))
- $packet_SMB2CreateRequestFile.Add("CreateContextsLength",[Byte[]](0x00,0x00,0x00,0x00))
- $packet_SMB2CreateRequestFile.Add("Buffer",$packet_named_pipe)
-
- return $packet_SMB2CreateRequestFile
+ param([Byte[]]$NamedPipe)
+
+ $name_length = ([System.BitConverter]::GetBytes($NamedPipe.Length))[0,1]
+
+ $SMB2CreateRequestFile = New-Object System.Collections.Specialized.OrderedDictionary
+ $SMB2CreateRequestFile.Add("StructureSize",[Byte[]](0x39,0x00))
+ $SMB2CreateRequestFile.Add("Flags",[Byte[]](0x00))
+ $SMB2CreateRequestFile.Add("RequestedOplockLevel",[Byte[]](0x00))
+ $SMB2CreateRequestFile.Add("Impersonation",[Byte[]](0x02,0x00,0x00,0x00))
+ $SMB2CreateRequestFile.Add("SMBCreateFlags",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+ $SMB2CreateRequestFile.Add("Reserved",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+ $SMB2CreateRequestFile.Add("DesiredAccess",[Byte[]](0x03,0x00,0x00,0x00))
+ $SMB2CreateRequestFile.Add("FileAttributes",[Byte[]](0x80,0x00,0x00,0x00))
+ $SMB2CreateRequestFile.Add("ShareAccess",[Byte[]](0x01,0x00,0x00,0x00))
+ $SMB2CreateRequestFile.Add("CreateDisposition",[Byte[]](0x01,0x00,0x00,0x00))
+ $SMB2CreateRequestFile.Add("CreateOptions",[Byte[]](0x40,0x00,0x00,0x00))
+ $SMB2CreateRequestFile.Add("NameOffset",[Byte[]](0x78,0x00))
+ $SMB2CreateRequestFile.Add("NameLength",$name_length)
+ $SMB2CreateRequestFile.Add("CreateContextsOffset",[Byte[]](0x00,0x00,0x00,0x00))
+ $SMB2CreateRequestFile.Add("CreateContextsLength",[Byte[]](0x00,0x00,0x00,0x00))
+ $SMB2CreateRequestFile.Add("Buffer",$NamedPipe)
+
+ return $SMB2CreateRequestFile
}
function New-PacketSMB2QueryInfoRequest
{
- param ([Byte[]]$packet_info_type,[Byte[]]$packet_file_info_class,[Byte[]]$packet_output_buffer_length,[Byte[]]$packet_input_buffer_offset,[Byte[]]$packet_file_ID,[Int]$packet_buffer)
-
- [Byte[]]$packet_buffer_bytes = ,0x00 * $packet_buffer
-
- $packet_SMB2QueryInfoRequest = New-Object System.Collections.Specialized.OrderedDictionary
- $packet_SMB2QueryInfoRequest.Add("StructureSize",[Byte[]](0x29,0x00))
- $packet_SMB2QueryInfoRequest.Add("InfoType",$packet_info_type)
- $packet_SMB2QueryInfoRequest.Add("FileInfoClass",$packet_file_info_class)
- $packet_SMB2QueryInfoRequest.Add("OutputBufferLength",$packet_output_buffer_length)
- $packet_SMB2QueryInfoRequest.Add("InputBufferOffset",$packet_input_buffer_offset)
- $packet_SMB2QueryInfoRequest.Add("Reserved",[Byte[]](0x00,0x00))
- $packet_SMB2QueryInfoRequest.Add("InputBufferLength",[Byte[]](0x00,0x00,0x00,0x00))
- $packet_SMB2QueryInfoRequest.Add("AdditionalInformation",[Byte[]](0x00,0x00,0x00,0x00))
- $packet_SMB2QueryInfoRequest.Add("Flags",[Byte[]](0x00,0x00,0x00,0x00))
- $packet_SMB2QueryInfoRequest.Add("FileID",$packet_file_ID)
-
- if($packet_buffer -gt 0)
+ param ([Byte[]]$InfoType,[Byte[]]$FileInfoClass,[Byte[]]$OutputBufferLength,[Byte[]]$InputBufferOffset,[Byte[]]$FileID,[Int]$Buffer)
+
+ [Byte[]]$buffer_bytes = ,0x00 * $Buffer
+
+ $SMB2QueryInfoRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $SMB2QueryInfoRequest.Add("StructureSize",[Byte[]](0x29,0x00))
+ $SMB2QueryInfoRequest.Add("InfoType",$InfoType)
+ $SMB2QueryInfoRequest.Add("FileInfoClass",$FileInfoClass)
+ $SMB2QueryInfoRequest.Add("OutputBufferLength",$OutputBufferLength)
+ $SMB2QueryInfoRequest.Add("InputBufferOffset",$InputBufferOffset)
+ $SMB2QueryInfoRequest.Add("Reserved",[Byte[]](0x00,0x00))
+ $SMB2QueryInfoRequest.Add("InputBufferLength",[Byte[]](0x00,0x00,0x00,0x00))
+ $SMB2QueryInfoRequest.Add("AdditionalInformation",[Byte[]](0x00,0x00,0x00,0x00))
+ $SMB2QueryInfoRequest.Add("Flags",[Byte[]](0x00,0x00,0x00,0x00))
+ $SMB2QueryInfoRequest.Add("FileID",$FileID)
+
+ if($Buffer -gt 0)
{
- $packet_SMB2QueryInfoRequest.Add("Buffer",$packet_buffer_bytes)
+ $SMB2QueryInfoRequest.Add("Buffer",$buffer_bytes)
}
- return $packet_SMB2QueryInfoRequest
+ return $SMB2QueryInfoRequest
}
function New-PacketSMB2ReadRequest
{
- param ([Byte[]]$packet_file_ID)
-
- $packet_SMB2ReadRequest = New-Object System.Collections.Specialized.OrderedDictionary
- $packet_SMB2ReadRequest.Add("StructureSize",[Byte[]](0x31,0x00))
- $packet_SMB2ReadRequest.Add("Padding",[Byte[]](0x50))
- $packet_SMB2ReadRequest.Add("Flags",[Byte[]](0x00))
- $packet_SMB2ReadRequest.Add("Length",[Byte[]](0x00,0x00,0x10,0x00))
- $packet_SMB2ReadRequest.Add("Offset",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
- $packet_SMB2ReadRequest.Add("FileID",$packet_file_ID)
- $packet_SMB2ReadRequest.Add("MinimumCount",[Byte[]](0x00,0x00,0x00,0x00))
- $packet_SMB2ReadRequest.Add("Channel",[Byte[]](0x00,0x00,0x00,0x00))
- $packet_SMB2ReadRequest.Add("RemainingBytes",[Byte[]](0x00,0x00,0x00,0x00))
- $packet_SMB2ReadRequest.Add("ReadChannelInfoOffset",[Byte[]](0x00,0x00))
- $packet_SMB2ReadRequest.Add("ReadChannelInfoLength",[Byte[]](0x00,0x00))
- $packet_SMB2ReadRequest.Add("Buffer",[Byte[]](0x30))
-
- return $packet_SMB2ReadRequest
+ param ([Byte[]]$FileID)
+
+ $SMB2ReadRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $SMB2ReadRequest.Add("StructureSize",[Byte[]](0x31,0x00))
+ $SMB2ReadRequest.Add("Padding",[Byte[]](0x50))
+ $SMB2ReadRequest.Add("Flags",[Byte[]](0x00))
+ $SMB2ReadRequest.Add("Length",[Byte[]](0x00,0x00,0x10,0x00))
+ $SMB2ReadRequest.Add("Offset",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+ $SMB2ReadRequest.Add("FileID",$FileID)
+ $SMB2ReadRequest.Add("MinimumCount",[Byte[]](0x00,0x00,0x00,0x00))
+ $SMB2ReadRequest.Add("Channel",[Byte[]](0x00,0x00,0x00,0x00))
+ $SMB2ReadRequest.Add("RemainingBytes",[Byte[]](0x00,0x00,0x00,0x00))
+ $SMB2ReadRequest.Add("ReadChannelInfoOffset",[Byte[]](0x00,0x00))
+ $SMB2ReadRequest.Add("ReadChannelInfoLength",[Byte[]](0x00,0x00))
+ $SMB2ReadRequest.Add("Buffer",[Byte[]](0x30))
+
+ return $SMB2ReadRequest
}
function New-PacketSMB2WriteRequest
{
- param([Byte[]]$packet_file_ID,[Int]$packet_RPC_length)
-
- [Byte[]]$packet_write_length = [System.BitConverter]::GetBytes($packet_RPC_length)
-
- $packet_SMB2WriteRequest = New-Object System.Collections.Specialized.OrderedDictionary
- $packet_SMB2WriteRequest.Add("StructureSize",[Byte[]](0x31,0x00))
- $packet_SMB2WriteRequest.Add("DataOffset",[Byte[]](0x70,0x00))
- $packet_SMB2WriteRequest.Add("Length",$packet_write_length)
- $packet_SMB2WriteRequest.Add("Offset",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
- $packet_SMB2WriteRequest.Add("FileID",$packet_file_ID)
- $packet_SMB2WriteRequest.Add("Channel",[Byte[]](0x00,0x00,0x00,0x00))
- $packet_SMB2WriteRequest.Add("RemainingBytes",[Byte[]](0x00,0x00,0x00,0x00))
- $packet_SMB2WriteRequest.Add("WriteChannelInfoOffset",[Byte[]](0x00,0x00))
- $packet_SMB2WriteRequest.Add("WriteChannelInfoLength",[Byte[]](0x00,0x00))
- $packet_SMB2WriteRequest.Add("Flags",[Byte[]](0x00,0x00,0x00,0x00))
-
- return $packet_SMB2WriteRequest
+ param([Byte[]]$FileID,[Int]$RPCLength)
+
+ [Byte[]]$write_length = [System.BitConverter]::GetBytes($RPCLength)
+
+ $SMB2WriteRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $SMB2WriteRequest.Add("StructureSize",[Byte[]](0x31,0x00))
+ $SMB2WriteRequest.Add("DataOffset",[Byte[]](0x70,0x00))
+ $SMB2WriteRequest.Add("Length",$write_length)
+ $SMB2WriteRequest.Add("Offset",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+ $SMB2WriteRequest.Add("FileID",$FileID)
+ $SMB2WriteRequest.Add("Channel",[Byte[]](0x00,0x00,0x00,0x00))
+ $SMB2WriteRequest.Add("RemainingBytes",[Byte[]](0x00,0x00,0x00,0x00))
+ $SMB2WriteRequest.Add("WriteChannelInfoOffset",[Byte[]](0x00,0x00))
+ $SMB2WriteRequest.Add("WriteChannelInfoLength",[Byte[]](0x00,0x00))
+ $SMB2WriteRequest.Add("Flags",[Byte[]](0x00,0x00,0x00,0x00))
+
+ return $SMB2WriteRequest
}
function New-PacketSMB2CloseRequest
{
- param ([Byte[]]$packet_file_ID)
+ param ([Byte[]]$FileID)
- $packet_SMB2CloseRequest = New-Object System.Collections.Specialized.OrderedDictionary
- $packet_SMB2CloseRequest.Add("StructureSize",[Byte[]](0x18,0x00))
- $packet_SMB2CloseRequest.Add("Flags",[Byte[]](0x00,0x00))
- $packet_SMB2CloseRequest.Add("Reserved",[Byte[]](0x00,0x00,0x00,0x00))
- $packet_SMB2CloseRequest.Add("FileID",$packet_file_ID)
+ $SMB2CloseRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $SMB2CloseRequest.Add("StructureSize",[Byte[]](0x18,0x00))
+ $SMB2CloseRequest.Add("Flags",[Byte[]](0x00,0x00))
+ $SMB2CloseRequest.Add("Reserved",[Byte[]](0x00,0x00,0x00,0x00))
+ $SMB2CloseRequest.Add("FileID",$FileID)
- return $packet_SMB2CloseRequest
+ return $SMB2CloseRequest
}
function New-PacketSMB2TreeDisconnectRequest
{
- $packet_SMB2TreeDisconnectRequest = New-Object System.Collections.Specialized.OrderedDictionary
- $packet_SMB2TreeDisconnectRequest.Add("StructureSize",[Byte[]](0x04,0x00))
- $packet_SMB2TreeDisconnectRequest.Add("Reserved",[Byte[]](0x00,0x00))
+ $SMB2TreeDisconnectRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $SMB2TreeDisconnectRequest.Add("StructureSize",[Byte[]](0x04,0x00))
+ $SMB2TreeDisconnectRequest.Add("Reserved",[Byte[]](0x00,0x00))
- return $packet_SMB2TreeDisconnectRequest
+ return $SMB2TreeDisconnectRequest
}
function New-PacketSMB2SessionLogoffRequest
{
- $packet_SMB2SessionLogoffRequest = New-Object System.Collections.Specialized.OrderedDictionary
- $packet_SMB2SessionLogoffRequest.Add("StructureSize",[Byte[]](0x04,0x00))
- $packet_SMB2SessionLogoffRequest.Add("Reserved",[Byte[]](0x00,0x00))
+ $SMB2SessionLogoffRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $SMB2SessionLogoffRequest.Add("StructureSize",[Byte[]](0x04,0x00))
+ $SMB2SessionLogoffRequest.Add("Reserved",[Byte[]](0x00,0x00))
- return $packet_SMB2SessionLogoffRequest
+ return $SMB2SessionLogoffRequest
}
function New-PacketSMB2IoctlRequest
{
- param([Byte[]]$packet_function,[Byte[]]$packet_file_name,[Int]$packet_length,[Int]$packet_out_size)
-
- [Byte[]]$packet_length_bytes = [System.BitConverter]::GetBytes($packet_length + 24)
- [Byte[]]$packet_out_size_bytes = [System.BitConverter]::GetBytes($packet_out_size)
-
- $packet_SMB2IoctlRequest = New-Object System.Collections.Specialized.OrderedDictionary
- $packet_SMB2IoctlRequest.Add("StructureSize",[Byte[]](0x39,0x00))
- $packet_SMB2IoctlRequest.Add("Reserved",[Byte[]](0x00,0x00))
- $packet_SMB2IoctlRequest.Add("Function",$packet_function)
- $packet_SMB2IoctlRequest.Add("GUIDHandle",$packet_file_name)
- $packet_SMB2IoctlRequest.Add("InData_Offset",[Byte[]](0x78,0x00,0x00,0x00))
- $packet_SMB2IoctlRequest.Add("InData_Length",$packet_length_bytes)
- $packet_SMB2IoctlRequest.Add("MaxIoctlInSize",[Byte[]](0x00,0x00,0x00,0x00))
- $packet_SMB2IoctlRequest.Add("OutData_Offset",[Byte[]](0x78,0x00,0x00,0x00))
- $packet_SMB2IoctlRequest.Add("OutData_Length",[Byte[]](0x00,0x00,0x00,0x00))
- $packet_SMB2IoctlRequest.Add("MaxIoctlOutSize",$packet_out_size_bytes)
- $packet_SMB2IoctlRequest.Add("Flags",[Byte[]](0x01,0x00,0x00,0x00))
- $packet_SMB2IoctlRequest.Add("Reserved2",[Byte[]](0x00,0x00,0x00,0x00))
-
- if($packet_out_size -eq 40)
+ param([Byte[]]$Function,[Byte[]]$FileName,[Int]$Length,[Int]$OutSize)
+
+ [Byte[]]$indata_length = [System.BitConverter]::GetBytes($Length + 24)
+ [Byte[]]$out_size = [System.BitConverter]::GetBytes($OutSize)
+
+ $SMB2IoctlRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $SMB2IoctlRequest.Add("StructureSize",[Byte[]](0x39,0x00))
+ $SMB2IoctlRequest.Add("Reserved",[Byte[]](0x00,0x00))
+ $SMB2IoctlRequest.Add("Function",$Function)
+ $SMB2IoctlRequest.Add("GUIDHandle",$FileName)
+ $SMB2IoctlRequest.Add("InData_Offset",[Byte[]](0x78,0x00,0x00,0x00))
+ $SMB2IoctlRequest.Add("InData_Length",$indata_length)
+ $SMB2IoctlRequest.Add("MaxIoctlInSize",[Byte[]](0x00,0x00,0x00,0x00))
+ $SMB2IoctlRequest.Add("OutData_Offset",[Byte[]](0x78,0x00,0x00,0x00))
+ $SMB2IoctlRequest.Add("OutData_Length",[Byte[]](0x00,0x00,0x00,0x00))
+ $SMB2IoctlRequest.Add("MaxIoctlOutSize",$out_size)
+ $SMB2IoctlRequest.Add("Flags",[Byte[]](0x01,0x00,0x00,0x00))
+ $SMB2IoctlRequest.Add("Reserved2",[Byte[]](0x00,0x00,0x00,0x00))
+
+ if($out_size -eq 40)
{
- $packet_SMB2IoctlRequest.Add("InData_Capabilities",[Byte[]](0x7f,0x00,0x00,0x00))
- $packet_SMB2IoctlRequest.Add("InData_ClientGUID",[Byte[]](0xc7,0x11,0x73,0x1e,0xa5,0x7d,0x39,0x47,0xaf,0x92,0x2d,0x88,0xc0,0x44,0xb1,0x1e))
- $packet_SMB2IoctlRequest.Add("InData_SecurityMode",[Byte[]](0x01))
- $packet_SMB2IoctlRequest.Add("InData_Unknown",[Byte[]](0x00))
- $packet_SMB2IoctlRequest.Add("InData_DialectCount",[Byte[]](0x02,0x00))
- $packet_SMB2IoctlRequest.Add("InData_Dialect",[Byte[]](0x02,0x02))
- $packet_SMB2IoctlRequest.Add("InData_Dialect2",[Byte[]](0x10,0x02))
+ $SMB2IoctlRequest.Add("InData_Capabilities",[Byte[]](0x7f,0x00,0x00,0x00))
+ $SMB2IoctlRequest.Add("InData_ClientGUID",[Byte[]](0xc7,0x11,0x73,0x1e,0xa5,0x7d,0x39,0x47,0xaf,0x92,0x2d,0x88,0xc0,0x44,0xb1,0x1e))
+ $SMB2IoctlRequest.Add("InData_SecurityMode",[Byte[]](0x01))
+ $SMB2IoctlRequest.Add("InData_Unknown",[Byte[]](0x00))
+ $SMB2IoctlRequest.Add("InData_DialectCount",[Byte[]](0x02,0x00))
+ $SMB2IoctlRequest.Add("InData_Dialect",[Byte[]](0x02,0x02))
+ $SMB2IoctlRequest.Add("InData_Dialect2",[Byte[]](0x10,0x02))
}
- return $packet_SMB2IoctlRequest
+ return $SMB2IoctlRequest
}
#NTLM
function New-PacketNTLMSSPNegotiate
{
- param([Byte[]]$packet_negotiate_flags,[Byte[]]$packet_version)
-
- [Byte[]]$packet_NTLMSSP_length = [System.BitConverter]::GetBytes(32 + $packet_version.Length)
- $packet_NTLMSSP_length = $packet_NTLMSSP_length[0]
- [Byte[]]$packet_ASN_length_1 = $packet_NTLMSSP_length[0] + 32
- [Byte[]]$packet_ASN_length_2 = $packet_NTLMSSP_length[0] + 22
- [Byte[]]$packet_ASN_length_3 = $packet_NTLMSSP_length[0] + 20
- [Byte[]]$packet_ASN_length_4 = $packet_NTLMSSP_length[0] + 2
-
- $packet_NTLMSSPNegotiate = New-Object System.Collections.Specialized.OrderedDictionary
- $packet_NTLMSSPNegotiate.Add("InitialContextTokenID",[Byte[]](0x60))
- $packet_NTLMSSPNegotiate.Add("InitialcontextTokenLength",$packet_ASN_length_1)
- $packet_NTLMSSPNegotiate.Add("ThisMechID",[Byte[]](0x06))
- $packet_NTLMSSPNegotiate.Add("ThisMechLength",[Byte[]](0x06))
- $packet_NTLMSSPNegotiate.Add("OID",[Byte[]](0x2b,0x06,0x01,0x05,0x05,0x02))
- $packet_NTLMSSPNegotiate.Add("InnerContextTokenID",[Byte[]](0xa0))
- $packet_NTLMSSPNegotiate.Add("InnerContextTokenLength",$packet_ASN_length_2)
- $packet_NTLMSSPNegotiate.Add("InnerContextTokenID2",[Byte[]](0x30))
- $packet_NTLMSSPNegotiate.Add("InnerContextTokenLength2",$packet_ASN_length_3)
- $packet_NTLMSSPNegotiate.Add("MechTypesID",[Byte[]](0xa0))
- $packet_NTLMSSPNegotiate.Add("MechTypesLength",[Byte[]](0x0e))
- $packet_NTLMSSPNegotiate.Add("MechTypesID2",[Byte[]](0x30))
- $packet_NTLMSSPNegotiate.Add("MechTypesLength2",[Byte[]](0x0c))
- $packet_NTLMSSPNegotiate.Add("MechTypesID3",[Byte[]](0x06))
- $packet_NTLMSSPNegotiate.Add("MechTypesLength3",[Byte[]](0x0a))
- $packet_NTLMSSPNegotiate.Add("MechType",[Byte[]](0x2b,0x06,0x01,0x04,0x01,0x82,0x37,0x02,0x02,0x0a))
- $packet_NTLMSSPNegotiate.Add("MechTokenID",[Byte[]](0xa2))
- $packet_NTLMSSPNegotiate.Add("MechTokenLength",$packet_ASN_length_4)
- $packet_NTLMSSPNegotiate.Add("NTLMSSPID",[Byte[]](0x04))
- $packet_NTLMSSPNegotiate.Add("NTLMSSPLength",$packet_NTLMSSP_length)
- $packet_NTLMSSPNegotiate.Add("Identifier",[Byte[]](0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00))
- $packet_NTLMSSPNegotiate.Add("MessageType",[Byte[]](0x01,0x00,0x00,0x00))
- $packet_NTLMSSPNegotiate.Add("NegotiateFlags",$packet_negotiate_flags)
- $packet_NTLMSSPNegotiate.Add("CallingWorkstationDomain",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
- $packet_NTLMSSPNegotiate.Add("CallingWorkstationName",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
-
- if($packet_version)
+ param([Byte[]]$NegotiateFlags,[Byte[]]$Version)
+
+ [Byte[]]$NTLMSSP_length = ([System.BitConverter]::GetBytes($Version.Length + 32))[0]
+ [Byte[]]$ASN_length_1 = $NTLMSSP_length[0] + 32
+ [Byte[]]$ASN_length_2 = $NTLMSSP_length[0] + 22
+ [Byte[]]$ASN_length_3 = $NTLMSSP_length[0] + 20
+ [Byte[]]$ASN_length_4 = $NTLMSSP_length[0] + 2
+
+ $NTLMSSPNegotiate = New-Object System.Collections.Specialized.OrderedDictionary
+ $NTLMSSPNegotiate.Add("InitialContextTokenID",[Byte[]](0x60))
+ $NTLMSSPNegotiate.Add("InitialcontextTokenLength",$ASN_length_1)
+ $NTLMSSPNegotiate.Add("ThisMechID",[Byte[]](0x06))
+ $NTLMSSPNegotiate.Add("ThisMechLength",[Byte[]](0x06))
+ $NTLMSSPNegotiate.Add("OID",[Byte[]](0x2b,0x06,0x01,0x05,0x05,0x02))
+ $NTLMSSPNegotiate.Add("InnerContextTokenID",[Byte[]](0xa0))
+ $NTLMSSPNegotiate.Add("InnerContextTokenLength",$ASN_length_2)
+ $NTLMSSPNegotiate.Add("InnerContextTokenID2",[Byte[]](0x30))
+ $NTLMSSPNegotiate.Add("InnerContextTokenLength2",$ASN_length_3)
+ $NTLMSSPNegotiate.Add("MechTypesID",[Byte[]](0xa0))
+ $NTLMSSPNegotiate.Add("MechTypesLength",[Byte[]](0x0e))
+ $NTLMSSPNegotiate.Add("MechTypesID2",[Byte[]](0x30))
+ $NTLMSSPNegotiate.Add("MechTypesLength2",[Byte[]](0x0c))
+ $NTLMSSPNegotiate.Add("MechTypesID3",[Byte[]](0x06))
+ $NTLMSSPNegotiate.Add("MechTypesLength3",[Byte[]](0x0a))
+ $NTLMSSPNegotiate.Add("MechType",[Byte[]](0x2b,0x06,0x01,0x04,0x01,0x82,0x37,0x02,0x02,0x0a))
+ $NTLMSSPNegotiate.Add("MechTokenID",[Byte[]](0xa2))
+ $NTLMSSPNegotiate.Add("MechTokenLength",$ASN_length_4)
+ $NTLMSSPNegotiate.Add("NTLMSSPID",[Byte[]](0x04))
+ $NTLMSSPNegotiate.Add("NTLMSSPLength",$NTLMSSP_length)
+ $NTLMSSPNegotiate.Add("Identifier",[Byte[]](0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00))
+ $NTLMSSPNegotiate.Add("MessageType",[Byte[]](0x01,0x00,0x00,0x00))
+ $NTLMSSPNegotiate.Add("NegotiateFlags",$NegotiateFlags)
+ $NTLMSSPNegotiate.Add("CallingWorkstationDomain",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+ $NTLMSSPNegotiate.Add("CallingWorkstationName",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+
+ if($Version)
{
- $packet_NTLMSSPNegotiate.Add("Version",$packet_version)
+ $NTLMSSPNegotiate.Add("Version",$Version)
}
- return $packet_NTLMSSPNegotiate
+ return $NTLMSSPNegotiate
}
function New-PacketNTLMSSPAuth
{
- param([Byte[]]$packet_NTLM_response)
-
- [Byte[]]$packet_NTLMSSP_length = [System.BitConverter]::GetBytes($packet_NTLM_response.Length)
- $packet_NTLMSSP_length = $packet_NTLMSSP_length[1,0]
- [Byte[]]$packet_ASN_length_1 = [System.BitConverter]::GetBytes($packet_NTLM_response.Length + 12)
- $packet_ASN_length_1 = $packet_ASN_length_1[1,0]
- [Byte[]]$packet_ASN_length_2 = [System.BitConverter]::GetBytes($packet_NTLM_response.Length + 8)
- $packet_ASN_length_2 = $packet_ASN_length_2[1,0]
- [Byte[]]$packet_ASN_length_3 = [System.BitConverter]::GetBytes($packet_NTLM_response.Length + 4)
- $packet_ASN_length_3 = $packet_ASN_length_3[1,0]
-
- $packet_NTLMSSPAuth = New-Object System.Collections.Specialized.OrderedDictionary
- $packet_NTLMSSPAuth.Add("ASNID",[Byte[]](0xa1,0x82))
- $packet_NTLMSSPAuth.Add("ASNLength",$packet_ASN_length_1)
- $packet_NTLMSSPAuth.Add("ASNID2",[Byte[]](0x30,0x82))
- $packet_NTLMSSPAuth.Add("ASNLength2",$packet_ASN_length_2)
- $packet_NTLMSSPAuth.Add("ASNID3",[Byte[]](0xa2,0x82))
- $packet_NTLMSSPAuth.Add("ASNLength3",$packet_ASN_length_3)
- $packet_NTLMSSPAuth.Add("NTLMSSPID",[Byte[]](0x04,0x82))
- $packet_NTLMSSPAuth.Add("NTLMSSPLength",$packet_NTLMSSP_length)
- $packet_NTLMSSPAuth.Add("NTLMResponse",$packet_NTLM_response)
-
- return $packet_NTLMSSPAuth
+ param([Byte[]]$NTLMResponse)
+
+ [Byte[]]$NTLMSSP_length = ([System.BitConverter]::GetBytes($NTLMResponse.Length))[1,0]
+ [Byte[]]$ASN_length_1 = ([System.BitConverter]::GetBytes($NTLMResponse.Length + 12))[1,0]
+ [Byte[]]$ASN_length_2 = ([System.BitConverter]::GetBytes($NTLMResponse.Length + 8))[1,0]
+ [Byte[]]$ASN_length_3 = ([System.BitConverter]::GetBytes($NTLMResponse.Length + 4))[1,0]
+
+ $NTLMSSPAuth = New-Object System.Collections.Specialized.OrderedDictionary
+ $NTLMSSPAuth.Add("ASNID",[Byte[]](0xa1,0x82))
+ $NTLMSSPAuth.Add("ASNLength",$ASN_length_1)
+ $NTLMSSPAuth.Add("ASNID2",[Byte[]](0x30,0x82))
+ $NTLMSSPAuth.Add("ASNLength2",$ASN_length_2)
+ $NTLMSSPAuth.Add("ASNID3",[Byte[]](0xa2,0x82))
+ $NTLMSSPAuth.Add("ASNLength3",$ASN_length_3)
+ $NTLMSSPAuth.Add("NTLMSSPID",[Byte[]](0x04,0x82))
+ $NTLMSSPAuth.Add("NTLMSSPLength",$NTLMSSP_length)
+ $NTLMSSPAuth.Add("NTLMResponse",$NTLMResponse)
+
+ return $NTLMSSPAuth
}
#RPC
function New-PacketRPCBind
{
- param([Byte[]]$packet_frag_length,[Int]$packet_call_ID,[Byte[]]$packet_num_ctx_items,[Byte[]]$packet_context_ID,[Byte[]]$packet_UUID,[Byte[]]$packet_UUID_version)
-
- [Byte[]]$packet_call_ID_bytes = [System.BitConverter]::GetBytes($packet_call_ID)
-
- $packet_RPCBind = New-Object System.Collections.Specialized.OrderedDictionary
- $packet_RPCBind.Add("Version",[Byte[]](0x05))
- $packet_RPCBind.Add("VersionMinor",[Byte[]](0x00))
- $packet_RPCBind.Add("PacketType",[Byte[]](0x0b))
- $packet_RPCBind.Add("PacketFlags",[Byte[]](0x03))
- $packet_RPCBind.Add("DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00))
- $packet_RPCBind.Add("FragLength",$packet_frag_length)
- $packet_RPCBind.Add("AuthLength",[Byte[]](0x00,0x00))
- $packet_RPCBind.Add("CallID",$packet_call_ID_bytes)
- $packet_RPCBind.Add("MaxXmitFrag",[Byte[]](0xb8,0x10))
- $packet_RPCBind.Add("MaxRecvFrag",[Byte[]](0xb8,0x10))
- $packet_RPCBind.Add("AssocGroup",[Byte[]](0x00,0x00,0x00,0x00))
- $packet_RPCBind.Add("NumCtxItems",$packet_num_ctx_items)
- $packet_RPCBind.Add("Unknown",[Byte[]](0x00,0x00,0x00))
- $packet_RPCBind.Add("ContextID",$packet_context_ID)
- $packet_RPCBind.Add("NumTransItems",[Byte[]](0x01))
- $packet_RPCBind.Add("Unknown2",[Byte[]](0x00))
- $packet_RPCBind.Add("Interface",$packet_UUID)
- $packet_RPCBind.Add("InterfaceVer",$packet_UUID_version)
- $packet_RPCBind.Add("InterfaceVerMinor",[Byte[]](0x00,0x00))
- $packet_RPCBind.Add("TransferSyntax",[Byte[]](0x04,0x5d,0x88,0x8a,0xeb,0x1c,0xc9,0x11,0x9f,0xe8,0x08,0x00,0x2b,0x10,0x48,0x60))
- $packet_RPCBind.Add("TransferSyntaxVer",[Byte[]](0x02,0x00,0x00,0x00))
-
- if($packet_num_ctx_items[0] -eq 2)
+ param([Byte[]]$FragLength,[Int]$CallID,[Byte[]]$NumCtxItems,[Byte[]]$ContextID,[Byte[]]$UUID,[Byte[]]$UUIDVersion)
+
+ [Byte[]]$call_ID = [System.BitConverter]::GetBytes($CallID)
+
+ $RPCBind = New-Object System.Collections.Specialized.OrderedDictionary
+ $RPCBind.Add("Version",[Byte[]](0x05))
+ $RPCBind.Add("VersionMinor",[Byte[]](0x00))
+ $RPCBind.Add("PacketType",[Byte[]](0x0b))
+ $RPCBind.Add("PacketFlags",[Byte[]](0x03))
+ $RPCBind.Add("DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00))
+ $RPCBind.Add("FragLength",$FragLength)
+ $RPCBind.Add("AuthLength",[Byte[]](0x00,0x00))
+ $RPCBind.Add("CallID",$call_ID)
+ $RPCBind.Add("MaxXmitFrag",[Byte[]](0xb8,0x10))
+ $RPCBind.Add("MaxRecvFrag",[Byte[]](0xb8,0x10))
+ $RPCBind.Add("AssocGroup",[Byte[]](0x00,0x00,0x00,0x00))
+ $RPCBind.Add("NumCtxItems",$NumCtxItems)
+ $RPCBind.Add("Unknown",[Byte[]](0x00,0x00,0x00))
+ $RPCBind.Add("ContextID",$ContextID)
+ $RPCBind.Add("NumTransItems",[Byte[]](0x01))
+ $RPCBind.Add("Unknown2",[Byte[]](0x00))
+ $RPCBind.Add("Interface",$UUID)
+ $RPCBind.Add("InterfaceVer",$UUIDVersion)
+ $RPCBind.Add("InterfaceVerMinor",[Byte[]](0x00,0x00))
+ $RPCBind.Add("TransferSyntax",[Byte[]](0x04,0x5d,0x88,0x8a,0xeb,0x1c,0xc9,0x11,0x9f,0xe8,0x08,0x00,0x2b,0x10,0x48,0x60))
+ $RPCBind.Add("TransferSyntaxVer",[Byte[]](0x02,0x00,0x00,0x00))
+
+ if($NumCtxItems[0] -eq 2)
{
- $packet_RPCBind.Add("ContextID2",[Byte[]](0x01,0x00))
- $packet_RPCBind.Add("NumTransItems2",[Byte[]](0x01))
- $packet_RPCBind.Add("Unknown3",[Byte[]](0x00))
- $packet_RPCBind.Add("Interface2",$packet_UUID)
- $packet_RPCBind.Add("InterfaceVer2",$packet_UUID_version)
- $packet_RPCBind.Add("InterfaceVerMinor2",[Byte[]](0x00,0x00))
- $packet_RPCBind.Add("TransferSyntax2",[Byte[]](0x2c,0x1c,0xb7,0x6c,0x12,0x98,0x40,0x45,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
- $packet_RPCBind.Add("TransferSyntaxVer2",[Byte[]](0x01,0x00,0x00,0x00))
+ $RPCBind.Add("ContextID2",[Byte[]](0x01,0x00))
+ $RPCBind.Add("NumTransItems2",[Byte[]](0x01))
+ $RPCBind.Add("Unknown3",[Byte[]](0x00))
+ $RPCBind.Add("Interface2",$UUID)
+ $RPCBind.Add("InterfaceVer2",$UUIDVersion)
+ $RPCBind.Add("InterfaceVerMinor2",[Byte[]](0x00,0x00))
+ $RPCBind.Add("TransferSyntax2",[Byte[]](0x2c,0x1c,0xb7,0x6c,0x12,0x98,0x40,0x45,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+ $RPCBind.Add("TransferSyntaxVer2",[Byte[]](0x01,0x00,0x00,0x00))
}
- elseif($packet_num_ctx_items[0] -eq 3)
+ elseif($NumCtxItems[0] -eq 3)
{
- $packet_RPCBind.Add("ContextID2",[Byte[]](0x01,0x00))
- $packet_RPCBind.Add("NumTransItems2",[Byte[]](0x01))
- $packet_RPCBind.Add("Unknown3",[Byte[]](0x00))
- $packet_RPCBind.Add("Interface2",$packet_UUID)
- $packet_RPCBind.Add("InterfaceVer2",$packet_UUID_version)
- $packet_RPCBind.Add("InterfaceVerMinor2",[Byte[]](0x00,0x00))
- $packet_RPCBind.Add("TransferSyntax2",[Byte[]](0x33,0x05,0x71,0x71,0xba,0xbe,0x37,0x49,0x83,0x19,0xb5,0xdb,0xef,0x9c,0xcc,0x36))
- $packet_RPCBind.Add("TransferSyntaxVer2",[Byte[]](0x01,0x00,0x00,0x00))
- $packet_RPCBind.Add("ContextID3",[Byte[]](0x02,0x00))
- $packet_RPCBind.Add("NumTransItems3",[Byte[]](0x01))
- $packet_RPCBind.Add("Unknown4",[Byte[]](0x00))
- $packet_RPCBind.Add("Interface3",$packet_UUID)
- $packet_RPCBind.Add("InterfaceVer3",$packet_UUID_version)
- $packet_RPCBind.Add("InterfaceVerMinor3",[Byte[]](0x00,0x00))
- $packet_RPCBind.Add("TransferSyntax3",[Byte[]](0x2c,0x1c,0xb7,0x6c,0x12,0x98,0x40,0x45,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
- $packet_RPCBind.Add("TransferSyntaxVer3",[Byte[]](0x01,0x00,0x00,0x00))
+ $RPCBind.Add("ContextID2",[Byte[]](0x01,0x00))
+ $RPCBind.Add("NumTransItems2",[Byte[]](0x01))
+ $RPCBind.Add("Unknown3",[Byte[]](0x00))
+ $RPCBind.Add("Interface2",$UUID)
+ $RPCBind.Add("InterfaceVer2",$UUIDVersion)
+ $RPCBind.Add("InterfaceVerMinor2",[Byte[]](0x00,0x00))
+ $RPCBind.Add("TransferSyntax2",[Byte[]](0x33,0x05,0x71,0x71,0xba,0xbe,0x37,0x49,0x83,0x19,0xb5,0xdb,0xef,0x9c,0xcc,0x36))
+ $RPCBind.Add("TransferSyntaxVer2",[Byte[]](0x01,0x00,0x00,0x00))
+ $RPCBind.Add("ContextID3",[Byte[]](0x02,0x00))
+ $RPCBind.Add("NumTransItems3",[Byte[]](0x01))
+ $RPCBind.Add("Unknown4",[Byte[]](0x00))
+ $RPCBind.Add("Interface3",$UUID)
+ $RPCBind.Add("InterfaceVer3",$UUIDVersion)
+ $RPCBind.Add("InterfaceVerMinor3",[Byte[]](0x00,0x00))
+ $RPCBind.Add("TransferSyntax3",[Byte[]](0x2c,0x1c,0xb7,0x6c,0x12,0x98,0x40,0x45,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+ $RPCBind.Add("TransferSyntaxVer3",[Byte[]](0x01,0x00,0x00,0x00))
}
- if($packet_call_ID -eq 3)
+ if($call_ID -eq 3)
{
- $packet_RPCBind.Add("AuthType",[Byte[]](0x0a))
- $packet_RPCBind.Add("AuthLevel",[Byte[]](0x02))
- $packet_RPCBind.Add("AuthPadLength",[Byte[]](0x00))
- $packet_RPCBind.Add("AuthReserved",[Byte[]](0x00))
- $packet_RPCBind.Add("ContextID3",[Byte[]](0x00,0x00,0x00,0x00))
- $packet_RPCBind.Add("Identifier",[Byte[]](0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00))
- $packet_RPCBind.Add("MessageType",[Byte[]](0x01,0x00,0x00,0x00))
- $packet_RPCBind.Add("NegotiateFlags",[Byte[]](0x97,0x82,0x08,0xe2))
- $packet_RPCBind.Add("CallingWorkstationDomain",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
- $packet_RPCBind.Add("CallingWorkstationName",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
- $packet_RPCBind.Add("OSVersion",[Byte[]](0x06,0x01,0xb1,0x1d,0x00,0x00,0x00,0x0f))
+ $RPCBind.Add("AuthType",[Byte[]](0x0a))
+ $RPCBind.Add("AuthLevel",[Byte[]](0x02))
+ $RPCBind.Add("AuthPadLength",[Byte[]](0x00))
+ $RPCBind.Add("AuthReserved",[Byte[]](0x00))
+ $RPCBind.Add("ContextID3",[Byte[]](0x00,0x00,0x00,0x00))
+ $RPCBind.Add("Identifier",[Byte[]](0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00))
+ $RPCBind.Add("MessageType",[Byte[]](0x01,0x00,0x00,0x00))
+ $RPCBind.Add("NegotiateFlags",[Byte[]](0x97,0x82,0x08,0xe2))
+ $RPCBind.Add("CallingWorkstationDomain",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+ $RPCBind.Add("CallingWorkstationName",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+ $RPCBind.Add("OSVersion",[Byte[]](0x06,0x01,0xb1,0x1d,0x00,0x00,0x00,0x0f))
}
- return $packet_RPCBind
+ return $RPCBind
}
function New-PacketRPCRequest
{
- param([Byte[]]$packet_flags,[Int]$packet_service_length,[Int]$packet_auth_length,[Int]$packet_auth_padding,[Byte[]]$packet_call_ID,[Byte[]]$packet_context_ID,[Byte[]]$packet_opnum,[Byte[]]$packet_data)
+ param([Byte[]]$Flags,[Int]$ServiceLength,[Int]$AuthLength,[Int]$AuthPadding,[Byte[]]$CallID,[Byte[]]$ContextID,[Byte[]]$Opnum,[Byte[]]$Data)
- if($packet_auth_length -gt 0)
+ if($AuthLength -gt 0)
{
- $packet_full_auth_length = $packet_auth_length + $packet_auth_padding + 8
+ $full_auth_length = $AuthLength + $AuthPadding + 8
}
- [Byte[]]$packet_write_length = [System.BitConverter]::GetBytes($packet_service_length + 24 + $packet_full_auth_length + $packet_data.Length)
- [Byte[]]$packet_frag_length = $packet_write_length[0,1]
- [Byte[]]$packet_alloc_hint = [System.BitConverter]::GetBytes($packet_service_length + $packet_data.Length)
- [Byte[]]$packet_auth_length = [System.BitConverter]::GetBytes($packet_auth_length)
- $packet_auth_length = $packet_auth_length[0,1]
-
- $packet_RPCRequest = New-Object System.Collections.Specialized.OrderedDictionary
- $packet_RPCRequest.Add("Version",[Byte[]](0x05))
- $packet_RPCRequest.Add("VersionMinor",[Byte[]](0x00))
- $packet_RPCRequest.Add("PacketType",[Byte[]](0x00))
- $packet_RPCRequest.Add("PacketFlags",$packet_flags)
- $packet_RPCRequest.Add("DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00))
- $packet_RPCRequest.Add("FragLength",$packet_frag_length)
- $packet_RPCRequest.Add("AuthLength",$packet_auth_length)
- $packet_RPCRequest.Add("CallID",$packet_call_ID)
- $packet_RPCRequest.Add("AllocHint",$packet_alloc_hint)
- $packet_RPCRequest.Add("ContextID",$packet_context_ID)
- $packet_RPCRequest.Add("Opnum",$packet_opnum)
-
- if($packet_data.Length)
+ [Byte[]]$write_length = [System.BitConverter]::GetBytes($ServiceLength + 24 + $full_auth_length + $Data.Length)
+ [Byte[]]$frag_length = $write_length[0,1]
+ [Byte[]]$alloc_hint = [System.BitConverter]::GetBytes($ServiceLength + $Data.Length)
+ [Byte[]]$auth_length = ([System.BitConverter]::GetBytes($AuthLength))[0,1]
+
+ $RPCRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $RPCRequest.Add("Version",[Byte[]](0x05))
+ $RPCRequest.Add("VersionMinor",[Byte[]](0x00))
+ $RPCRequest.Add("PacketType",[Byte[]](0x00))
+ $RPCRequest.Add("PacketFlags",$Flags)
+ $RPCRequest.Add("DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00))
+ $RPCRequest.Add("FragLength",$frag_length)
+ $RPCRequest.Add("AuthLength",$auth_length)
+ $RPCRequest.Add("CallID",$CallID)
+ $RPCRequest.Add("AllocHint",$alloc_hint)
+ $RPCRequest.Add("ContextID",$ContextID)
+ $RPCRequest.Add("Opnum",$Opnum)
+
+ if($data.Length)
{
- $packet_RPCRequest.Add("Data",$packet_data)
+ $RPCRequest.Add("Data",$Data)
}
- return $packet_RPCRequest
+ return $RPCRequest
}
function New-PacketSRVSVCNetSessEnum
{
- param([String]$packet_target)
+ param([String]$ServerUNC)
- [Byte[]]$packet_server_UNC = [System.Text.Encoding]::Unicode.GetBytes($packet_target)
-
- [String]$packet_server_UNC_padding_check = $packet_target.Length / 4
+ [Byte[]]$server_UNC = [System.Text.Encoding]::Unicode.GetBytes($ServerUNC)
+ [Byte[]]$max_count = [System.BitConverter]::GetBytes($ServerUNC.Length + 1)
- if($packet_target.Length % 2)
+ if($ServerUNC.Length % 2)
{
- $packet_server_UNC += 0x00,0x00
+ $server_UNC += 0x00,0x00
}
else
{
- $packet_server_UNC += 0x00,0x00,0x00,0x00
+ $server_UNC += 0x00,0x00,0x00,0x00
}
- [Byte[]]$packet_MaxCount = [System.BitConverter]::GetBytes($packet_target.Length + 1)
-
- $packet_SRVSVCNetSessEnum = New-Object System.Collections.Specialized.OrderedDictionary
- $packet_SRVSVCNetSessEnum.Add("PointerToServerUNC_ReferentID",[Byte[]](0x00,0x00,0x02,0x00))
- $packet_SRVSVCNetSessEnum.Add("PointerToServerUNC_MaxCount",$packet_MaxCount)
- $packet_SRVSVCNetSessEnum.Add("PointerToServerUNC_Offset",[Byte[]](0x00,0x00,0x00,0x00))
- $packet_SRVSVCNetSessEnum.Add("PointerToServerUNC_ActualCount",$packet_MaxCount)
- $packet_SRVSVCNetSessEnum.Add("PointerToServerUNC_ServerUNC",$packet_server_UNC)
- $packet_SRVSVCNetSessEnum.Add("PointerToClient_ReferentID",[Byte[]](0x04,0x00,0x02,0x00))
- $packet_SRVSVCNetSessEnum.Add("PointerToClient_MaxCount",[Byte[]](0x01,0x00,0x00,0x00))
- $packet_SRVSVCNetSessEnum.Add("PointerToClient_Offset",[Byte[]](0x00,0x00,0x00,0x00))
- $packet_SRVSVCNetSessEnum.Add("PointerToClient_ActualCount",[Byte[]](0x01,0x00,0x00,0x00))
- $packet_SRVSVCNetSessEnum.Add("PointerToClient_Client",[Byte[]](0x00,0x00))
- $packet_SRVSVCNetSessEnum.Add("PointerToUser",[Byte[]](0x00,0x00))
- $packet_SRVSVCNetSessEnum.Add("PointerToUser_ReferentID",[Byte[]](0x08,0x00,0x02,0x00))
- $packet_SRVSVCNetSessEnum.Add("PointerToUser_MaxCount",[Byte[]](0x01,0x00,0x00,0x00))
- $packet_SRVSVCNetSessEnum.Add("PointerToUser_Offset",[Byte[]](0x00,0x00,0x00,0x00))
- $packet_SRVSVCNetSessEnum.Add("PointerToUser_ActualCount",[Byte[]](0x01,0x00,0x00,0x00))
- $packet_SRVSVCNetSessEnum.Add("PointerToUser_User",[Byte[]](0x00,0x00))
- $packet_SRVSVCNetSessEnum.Add("PointerToLevel",[Byte[]](0x00,0x00))
- $packet_SRVSVCNetSessEnum.Add("PointerToLevel_Level",[Byte[]](0x0a,0x00,0x00,0x00))
- $packet_SRVSVCNetSessEnum.Add("PointerToCtr_NetSessCtr_Ctr",[Byte[]](0x0a,0x00,0x00,0x00))
- $packet_SRVSVCNetSessEnum.Add("PointerToCtr_NetSessCtr_PointerToCtr10_ReferentID",[Byte[]](0x0c,0x00,0x02,0x00))
- $packet_SRVSVCNetSessEnum.Add("PointerToCtr_NetSessCtr_PointerToCtr10_Ctr10_Count",[Byte[]](0x00,0x00,0x00,0x00))
- $packet_SRVSVCNetSessEnum.Add("PointerToCtr_NetSessCtr_PointerToCtr10_Ctr10_NullPointer",[Byte[]](0x00,0x00,0x00,0x00))
- $packet_SRVSVCNetSessEnum.Add("MaxBuffer",[Byte[]](0xff,0xff,0xff,0xff))
- $packet_SRVSVCNetSessEnum.Add("PointerToResumeHandle_ReferentID",[Byte[]](0x10,0x00,0x02,0x00))
- $packet_SRVSVCNetSessEnum.Add("PointerToResumeHandle_ResumeHandle",[Byte[]](0x00,0x00,0x00,0x00))
-
- return $packet_SRVSVCNetSessEnum
+ $SRVSVCNetSessEnum = New-Object System.Collections.Specialized.OrderedDictionary
+ $SRVSVCNetSessEnum.Add("PointerToServerUNC_ReferentID",[Byte[]](0x00,0x00,0x02,0x00))
+ $SRVSVCNetSessEnum.Add("PointerToServerUNC_MaxCount",$max_count)
+ $SRVSVCNetSessEnum.Add("PointerToServerUNC_Offset",[Byte[]](0x00,0x00,0x00,0x00))
+ $SRVSVCNetSessEnum.Add("PointerToServerUNC_ActualCount",$max_count)
+ $SRVSVCNetSessEnum.Add("PointerToServerUNC_ServerUNC",$server_UNC)
+ $SRVSVCNetSessEnum.Add("PointerToClient_ReferentID",[Byte[]](0x04,0x00,0x02,0x00))
+ $SRVSVCNetSessEnum.Add("PointerToClient_MaxCount",[Byte[]](0x01,0x00,0x00,0x00))
+ $SRVSVCNetSessEnum.Add("PointerToClient_Offset",[Byte[]](0x00,0x00,0x00,0x00))
+ $SRVSVCNetSessEnum.Add("PointerToClient_ActualCount",[Byte[]](0x01,0x00,0x00,0x00))
+ $SRVSVCNetSessEnum.Add("PointerToClient_Client",[Byte[]](0x00,0x00))
+ $SRVSVCNetSessEnum.Add("PointerToUser",[Byte[]](0x00,0x00))
+ $SRVSVCNetSessEnum.Add("PointerToUser_ReferentID",[Byte[]](0x08,0x00,0x02,0x00))
+ $SRVSVCNetSessEnum.Add("PointerToUser_MaxCount",[Byte[]](0x01,0x00,0x00,0x00))
+ $SRVSVCNetSessEnum.Add("PointerToUser_Offset",[Byte[]](0x00,0x00,0x00,0x00))
+ $SRVSVCNetSessEnum.Add("PointerToUser_ActualCount",[Byte[]](0x01,0x00,0x00,0x00))
+ $SRVSVCNetSessEnum.Add("PointerToUser_User",[Byte[]](0x00,0x00))
+ $SRVSVCNetSessEnum.Add("PointerToLevel",[Byte[]](0x00,0x00))
+ $SRVSVCNetSessEnum.Add("PointerToLevel_Level",[Byte[]](0x0a,0x00,0x00,0x00))
+ $SRVSVCNetSessEnum.Add("PointerToCtr_NetSessCtr_Ctr",[Byte[]](0x0a,0x00,0x00,0x00))
+ $SRVSVCNetSessEnum.Add("PointerToCtr_NetSessCtr_PointerToCtr10_ReferentID",[Byte[]](0x0c,0x00,0x02,0x00))
+ $SRVSVCNetSessEnum.Add("PointerToCtr_NetSessCtr_PointerToCtr10_Ctr10_Count",[Byte[]](0x00,0x00,0x00,0x00))
+ $SRVSVCNetSessEnum.Add("PointerToCtr_NetSessCtr_PointerToCtr10_Ctr10_NullPointer",[Byte[]](0x00,0x00,0x00,0x00))
+ $SRVSVCNetSessEnum.Add("MaxBuffer",[Byte[]](0xff,0xff,0xff,0xff))
+ $SRVSVCNetSessEnum.Add("PointerToResumeHandle_ReferentID",[Byte[]](0x10,0x00,0x02,0x00))
+ $SRVSVCNetSessEnum.Add("PointerToResumeHandle_ResumeHandle",[Byte[]](0x00,0x00,0x00,0x00))
+
+ return $SRVSVCNetSessEnum
}
# LSA
function New-PacketLSAOpenPolicy
{
- param([String]$packet_target)
-
- $packet_LSAOpenPolicy = New-Object System.Collections.Specialized.OrderedDictionary
- $packet_LSAOpenPolicy.Add("PointerToSystemName_ReferentID",[Byte[]](0x00,0x00,0x02,0x00))
- $packet_LSAOpenPolicy.Add("PointerToSystemName_System",[Byte[]](0x5c,0x00))
- $packet_LSAOpenPolicy.Add("PointerToSystemName_Unknown",[Byte[]](0x00,0x00))
- $packet_LSAOpenPolicy.Add("PointerToAttr_Attr_Len",[Byte[]](0x18,0x00,0x00,0x00))
- $packet_LSAOpenPolicy.Add("PointerToAttr_Attr_NullPointer",[Byte[]](0x00,0x00,0x00,0x00))
- $packet_LSAOpenPolicy.Add("PointerToAttr_Attr_NullPointer2",[Byte[]](0x00,0x00,0x00,0x00))
- $packet_LSAOpenPolicy.Add("PointerToAttr_Attr_Attributes",[Byte[]](0x00,0x00,0x00,0x00))
- $packet_LSAOpenPolicy.Add("PointerToAttr_Attr_NullPointer3",[Byte[]](0x00,0x00,0x00,0x00))
- $packet_LSAOpenPolicy.Add("PointerToAttr_Attr_PointerToSecQos_ReferentID",[Byte[]](0x04,0x00,0x02,0x00))
- $packet_LSAOpenPolicy.Add("PointerToAttr_Attr_PointerToSecQos_Qos_Len",[Byte[]](0x0c,0x00,0x00,0x00))
- $packet_LSAOpenPolicy.Add("PointerToAttr_Attr_PointerToSecQos_ImpersonationLevel",[Byte[]](0x02,0x00))
- $packet_LSAOpenPolicy.Add("PointerToAttr_Attr_PointerToSecQos_ContextMode",[Byte[]](0x01))
- $packet_LSAOpenPolicy.Add("PointerToAttr_Attr_PointerToSecQos_EffectiveOnly",[Byte[]](0x00))
- $packet_LSAOpenPolicy.Add("AccessMask",[Byte[]](0x00,0x00,0x00,0x02))
-
- return $packet_LSAOpenPolicy
+ $LSAOpenPolicy = New-Object System.Collections.Specialized.OrderedDictionary
+ $LSAOpenPolicy.Add("PointerToSystemName_ReferentID",[Byte[]](0x00,0x00,0x02,0x00))
+ $LSAOpenPolicy.Add("PointerToSystemName_System",[Byte[]](0x5c,0x00))
+ $LSAOpenPolicy.Add("PointerToSystemName_Unknown",[Byte[]](0x00,0x00))
+ $LSAOpenPolicy.Add("PointerToAttr_Attr_Len",[Byte[]](0x18,0x00,0x00,0x00))
+ $LSAOpenPolicy.Add("PointerToAttr_Attr_NullPointer",[Byte[]](0x00,0x00,0x00,0x00))
+ $LSAOpenPolicy.Add("PointerToAttr_Attr_NullPointer2",[Byte[]](0x00,0x00,0x00,0x00))
+ $LSAOpenPolicy.Add("PointerToAttr_Attr_Attributes",[Byte[]](0x00,0x00,0x00,0x00))
+ $LSAOpenPolicy.Add("PointerToAttr_Attr_NullPointer3",[Byte[]](0x00,0x00,0x00,0x00))
+ $LSAOpenPolicy.Add("PointerToAttr_Attr_PointerToSecQos_ReferentID",[Byte[]](0x04,0x00,0x02,0x00))
+ $LSAOpenPolicy.Add("PointerToAttr_Attr_PointerToSecQos_Qos_Len",[Byte[]](0x0c,0x00,0x00,0x00))
+ $LSAOpenPolicy.Add("PointerToAttr_Attr_PointerToSecQos_ImpersonationLevel",[Byte[]](0x02,0x00))
+ $LSAOpenPolicy.Add("PointerToAttr_Attr_PointerToSecQos_ContextMode",[Byte[]](0x01))
+ $LSAOpenPolicy.Add("PointerToAttr_Attr_PointerToSecQos_EffectiveOnly",[Byte[]](0x00))
+ $LSAOpenPolicy.Add("AccessMask",[Byte[]](0x00,0x00,0x00,0x02))
+
+ return $LSAOpenPolicy
}
function New-PacketLSAQueryInfoPolicy
{
- param([Byte[]]$packet_policy_handle)
+ param([Byte[]]$Handle)
- $packet_LSAQueryInfoPolicy = New-Object System.Collections.Specialized.OrderedDictionary
- $packet_LSAQueryInfoPolicy.Add("PointerToHandle",$packet_policy_handle)
- $packet_LSAQueryInfoPolicy.Add("Level",[Byte[]](0x05,0x00))
+ $LSAQueryInfoPolicy = New-Object System.Collections.Specialized.OrderedDictionary
+ $LSAQueryInfoPolicy.Add("PointerToHandle",$Handle)
+ $LSAQueryInfoPolicy.Add("Level",[Byte[]](0x05,0x00))
- return $packet_LSAQueryInfoPolicy
+ return $LSAQueryInfoPolicy
}
function New-PacketLSAClose
{
- param([Byte[]]$packet_policy_handle)
+ param([Byte[]]$Handle)
- $packet_LSAClose = New-Object System.Collections.Specialized.OrderedDictionary
- $packet_LSAClose.Add("PointerToHandle",$packet_policy_handle)
+ $LSAClose = New-Object System.Collections.Specialized.OrderedDictionary
+ $LSAClose.Add("PointerToHandle",$Handle)
- return $packet_LSAClose
+ return $LSAClose
+}
+
+function New-PacketLSALookupSids
+{
+ param([Byte[]]$Handle,[Byte[]]$SIDArray)
+
+ $LSALookupSids = New-Object System.Collections.Specialized.OrderedDictionary
+ $LSALookupSids.Add("PointerToHandle",$Handle)
+ $LSALookupSids.Add("PointerToSIDs_SIDArray",$SIDArray)
+ $LSALookupSids.Add("PointerToNames_count",[Byte[]](0x00,0x00,0x00,0x00))
+ $LSALookupSids.Add("PointerToNames_NULL_pointer",[Byte[]](0x00,0x00,0x00,0x00))
+ $LSALookupSids.Add("PointerToNames_level",[Byte[]](0x01,0x00))
+ $LSALookupSids.Add("PointerToCount",[Byte[]](0x00,0x00))
+ $LSALookupSids.Add("PointerToCount_count",[Byte[]](0x00,0x00,0x00,0x00))
+
+ return $LSALookupSids
}
# SAMR
+function New-PacketSAMRConnect2
+{
+ param([String]$SystemName)
+
+ [Byte[]]$system_name = [System.Text.Encoding]::Unicode.GetBytes($SystemName)
+ [Byte[]]$max_count = [System.BitConverter]::GetBytes($SystemName.Length + 1)
+
+ if($SystemName.Length % 2)
+ {
+ $system_name += 0x00,0x00
+ }
+ else
+ {
+ $system_name += 0x00,0x00,0x00,0x00
+ }
+
+ $SAMRConnect2 = New-Object System.Collections.Specialized.OrderedDictionary
+ $SAMRConnect2.Add("PointerToSystemName_ReferentID",[Byte[]](0x00,0x00,0x02,0x00))
+ $SAMRConnect2.Add("PointerToSystemName_MaxCount",$max_count)
+ $SAMRConnect2.Add("PointerToSystemName_Offset",[Byte[]](0x00,0x00,0x00,0x00))
+ $SAMRConnect2.Add("PointerToSystemName_ActualCount",$max_count)
+ $SAMRConnect2.Add("PointerToSystemName_SystemName",$system_name)
+ $SAMRConnect2.Add("AccessMask",[Byte[]](0x00,0x00,0x00,0x02))
+
+ return $SAMRConnect2
+}
+
function New-PacketSAMRConnect5
{
- param([String]$packet_target)
+ param([String]$SystemName)
- $SMB_path = "\\" + $packet_target
- [Byte[]]$packet_system_name = [System.Text.Encoding]::Unicode.GetBytes($SMB_path)
- [Byte[]]$packet_max_count = [System.BitConverter]::GetBytes($SMB_path.Length + 1)
+ $SystemName = "\\" + $SystemName
+ [Byte[]]$system_name = [System.Text.Encoding]::Unicode.GetBytes($SystemName)
+ [Byte[]]$max_count = [System.BitConverter]::GetBytes($SystemName.Length + 1)
- if($SMB_path.Length % 2)
+ if($SystemName.Length % 2)
{
- $packet_system_name += 0x00,0x00
+ $system_name += 0x00,0x00
}
else
{
- $packet_system_name += 0x00,0x00,0x00,0x00
+ $system_name += 0x00,0x00,0x00,0x00
}
- $packet_SAMRConnect5 = New-Object System.Collections.Specialized.OrderedDictionary
- $packet_SAMRConnect5.Add("PointerToSystemName_ReferentID",[Byte[]](0x00,0x00,0x02,0x00))
- $packet_SAMRConnect5.Add("PointerToSystemName_MaxCount",$packet_max_count)
- $packet_SAMRConnect5.Add("PointerToSystemName_Offset",[Byte[]](0x00,0x00,0x00,0x00))
- $packet_SAMRConnect5.Add("PointerToSystemName_ActualCount",$packet_max_count)
- $packet_SAMRConnect5.Add("PointerToSystemName_SystemName",$packet_system_name)
- $packet_SAMRConnect5.Add("AccessMask",[Byte[]](0x00,0x00,0x00,0x02))
- $packet_SAMRConnect5.Add("LevelIn",[Byte[]](0x01,0x00,0x00,0x00))
- $packet_SAMRConnect5.Add("PointerToInfoIn_SAMRConnectInfo_InfoIn",[Byte[]](0x01,0x00,0x00,0x00))
- $packet_SAMRConnect5.Add("PointerToInfoIn_SAMRConnectInfo_InfoIn1_ClientVersion",[Byte[]](0x02,0x00,0x00,0x00))
- $packet_SAMRConnect5.Add("PointerToInfoIn_SAMRConnectInfo_InfoIn1_Unknown",[Byte[]](0x00,0x00,0x00,0x00))
-
- return $packet_SAMRConnect5
+ $SAMRConnect5 = New-Object System.Collections.Specialized.OrderedDictionary
+ $SAMRConnect5.Add("PointerToSystemName_ReferentID",[Byte[]](0x00,0x00,0x02,0x00))
+ $SAMRConnect5.Add("PointerToSystemName_MaxCount",$max_count)
+ $SAMRConnect5.Add("PointerToSystemName_Offset",[Byte[]](0x00,0x00,0x00,0x00))
+ $SAMRConnect5.Add("PointerToSystemName_ActualCount",$max_count)
+ $SAMRConnect5.Add("PointerToSystemName_SystemName",$system_name)
+ $SAMRConnect5.Add("AccessMask",[Byte[]](0x00,0x00,0x00,0x02))
+ $SAMRConnect5.Add("LevelIn",[Byte[]](0x01,0x00,0x00,0x00))
+ $SAMRConnect5.Add("PointerToInfoIn_SAMRConnectInfo_InfoIn",[Byte[]](0x01,0x00,0x00,0x00))
+ $SAMRConnect5.Add("PointerToInfoIn_SAMRConnectInfo_InfoIn1_ClientVersion",[Byte[]](0x02,0x00,0x00,0x00))
+ $SAMRConnect5.Add("PointerToInfoIn_SAMRConnectInfo_InfoIn1_Unknown",[Byte[]](0x00,0x00,0x00,0x00))
+
+ return $SAMRConnect5
}
+function New-PacketSAMRGetMembersInAlias
+{
+ param([Byte[]]$Handle)
+
+ $SAMRGetMembersInAlias = New-Object System.Collections.Specialized.OrderedDictionary
+ $SAMRGetMembersInAlias.Add("PointerToConnectHandle",$Handle)
+
+ return $SAMRGetMembersInAlias
+}
+
+function New-PacketSAMRClose
+{
+ param([Byte[]]$Handle)
+
+ $SAMRClose = New-Object System.Collections.Specialized.OrderedDictionary
+ $SAMRClose.Add("PointerToConnectHandle",$Handle)
+
+ return $SAMRClose
+}
+
+function New-PacketSAMROpenAlias
+{
+ param([Byte[]]$Handle,[Byte[]]$RID)
+
+ $SAMROpenAlias = New-Object System.Collections.Specialized.OrderedDictionary
+ $SAMROpenAlias.Add("PointerToConnectHandle",$Handle)
+ $SAMROpenAlias.Add("AccessMask",[Byte[]](0x00,0x00,0x00,0x02))
+ $SAMROpenAlias.Add("RID",$RID)
+
+ return $SAMROpenAlias
+}
+
+function New-PacketSAMROpenGroup
+{
+ param([Byte[]]$Handle,[Byte[]]$RID)
+
+ $SAMROpenGroup = New-Object System.Collections.Specialized.OrderedDictionary
+ $SAMROpenGroup.Add("PointerToConnectHandle",$Handle)
+ $SAMROpenGroup.Add("AccessMask",[Byte[]](0x00,0x00,0x00,0x02))
+ $SAMROpenGroup.Add("RID",$RID)
+
+ return $SAMROpenGroup
+}
+
+function New-PacketSAMRQueryGroupMember
+{
+ param([Byte[]]$Handle)
+
+ $SAMRQueryGroupMember = New-Object System.Collections.Specialized.OrderedDictionary
+ $SAMRQueryGroupMember.Add("PointerToGroupHandle",$Handle)
+
+ return $SAMRQueryGroupMember
+}
function New-PacketSAMROpenDomain
{
- param([Byte[]]$packet_connect_handle,[Byte[]]$packet_sid)
+ param([Byte[]]$Handle,[Byte[]]$SIDCount,[Byte[]]$SID)
- $packet_SAMROpenDomain = New-Object System.Collections.Specialized.OrderedDictionary
- $packet_SAMROpenDomain.Add("PointerToConnectHandle",$packet_connect_handle)
- $packet_SAMROpenDomain.Add("AccessMask",[Byte[]](0x00,0x00,0x00,0x02))
- $packet_SAMROpenDomain.Add("PointerToSid_Count",[Byte[]](0x04,0x00,0x00,0x00))
- $packet_SAMROpenDomain.Add("PointerToSid_Sid",$packet_sid)
+ $SAMROpenDomain = New-Object System.Collections.Specialized.OrderedDictionary
+ $SAMROpenDomain.Add("PointerToConnectHandle",$Handle)
+ $SAMROpenDomain.Add("AccessMask",[Byte[]](0x00,0x00,0x00,0x02))
+ $SAMROpenDomain.Add("PointerToSid_Count",$SIDCount)
+ $SAMROpenDomain.Add("PointerToSid_Sid",$SID)
- return $packet_SAMROpenDomain
+ return $SAMROpenDomain
}
function New-PacketSAMREnumDomainUsers
{
- param([Byte[]]$packet_domain_handle)
+ param([Byte[]]$Handle)
+
+ $SAMREnumDomainUsers = New-Object System.Collections.Specialized.OrderedDictionary
+ $SAMREnumDomainUsers.Add("PointerToDomainHandle",$Handle)
+ $SAMREnumDomainUsers.Add("PointerToResumeHandle",[Byte[]](0x00,0x00,0x00,0x00))
+ $SAMREnumDomainUsers.Add("AcctFlags",[Byte[]](0x10,0x00,0x00,0x00))
+ $SAMREnumDomainUsers.Add("MaxSize",[Byte[]](0xff,0xff,0x00,0x00))
- $packet_SAMROpenDomain = New-Object System.Collections.Specialized.OrderedDictionary
- $packet_SAMROpenDomain.Add("PointerToDomainHandle",$packet_domain_handle)
- $packet_SAMROpenDomain.Add("PointerToResumeHandle",[Byte[]](0x00,0x00,0x00,0x00))
- $packet_SAMROpenDomain.Add("AcctFlags",[Byte[]](0x10,0x00,0x00,0x00))
- $packet_SAMROpenDomain.Add("MaxSize",[Byte[]](0xff,0xff,0x00,0x00))
+ return $SAMREnumDomainUsers
+}
- return $packet_SAMROpenDomain
+function New-PacketSAMRLookupNames
+{
+ param([Byte[]]$Handle,[String]$Names)
+
+ [Byte[]]$names_bytes = [System.Text.Encoding]::Unicode.GetBytes($Names)
+ [Byte[]]$name_len = ([System.BitConverter]::GetBytes($names_bytes.Length))[0,1]
+ [Byte[]]$max_count = [System.BitConverter]::GetBytes($Names.Length)
+
+ $SAMRLookupNames = New-Object System.Collections.Specialized.OrderedDictionary
+ $SAMRLookupNames.Add("PointerToDomainHandle",$Handle)
+ $SAMRLookupNames.Add("NumNames",[Byte[]](0x01,0x00,0x00,0x00))
+ $SAMRLookupNames.Add("PointerToNames_MaxCount",[Byte[]](0xe8,0x03,0x00,0x00))
+ $SAMRLookupNames.Add("PointerToNames_Offset",[Byte[]](0x00,0x00,0x00,0x00))
+ $SAMRLookupNames.Add("PointerToNames_ActualCount",[Byte[]](0x01,0x00,0x00,0x00))
+ $SAMRLookupNames.Add("PointerToNames_Names_NameLen",$name_len)
+ $SAMRLookupNames.Add("PointerToNames_Names_NameSize",$name_len)
+ $SAMRLookupNames.Add("PointerToNames_Names_Name_ReferentID",[Byte[]](0x00,0x00,0x02,0x00))
+ $SAMRLookupNames.Add("PointerToNames_Names_Name_MaxCount",$max_count)
+ $SAMRLookupNames.Add("PointerToNames_Names_Name_Offset",[Byte[]](0x00,0x00,0x00,0x00))
+ $SAMRLookupNames.Add("PointerToNames_Names_Name_ActualCount",$max_count)
+ $SAMRLookupNames.Add("PointerToNames_Names_Name_Names",$names_bytes)
+
+ return $SAMRLookupNames
+}
+
+function New-PacketSAMRLookupRids
+{
+ param([Byte[]]$Handle,[Byte[]]$RIDCount,[Byte[]]$Rids)
+
+ $SAMRLookupRIDS = New-Object System.Collections.Specialized.OrderedDictionary
+ $SAMRLookupRIDS.Add("PointerToDomainHandle",$Handle)
+ $SAMRLookupRIDS.Add("NumRids",$RIDCount)
+ $SAMRLookupRIDS.Add("Unknown",[Byte[]](0xe8,0x03,0x00,0x00,0x00,0x00,0x00,0x00))
+ $SAMRLookupRIDS.Add("NumRids2",$RIDCount)
+ $SAMRLookupRIDS.Add("Rids",$Rids)
+
+ return $SAMRLookupRIDS
}
function New-PacketSRVSVCNetShareEnumAll
{
- param([String]$packet_target)
+ param([String]$ServerUNC)
- $SMB_path = "\\" + $packet_target
- [Byte[]]$packet_server_UNC = [System.Text.Encoding]::Unicode.GetBytes($packet_target)
+ $ServerUNC = "\\" + $ServerUNC
+ [Byte[]]$server_UNC = [System.Text.Encoding]::Unicode.GetBytes($ServerUNC)
+ [Byte[]]$max_count = [System.BitConverter]::GetBytes($ServerUNC.Length + 1)
- if($SMB_path.Length % 2)
+ if($ServerUNC.Length % 2)
{
- $packet_server_UNC += 0x00,0x00
+ $server_UNC += 0x00,0x00
}
else
{
- $packet_server_UNC += 0x00,0x00,0x00,0x00
+ $server_UNC += 0x00,0x00,0x00,0x00
}
- [Byte[]]$packet_max_count = [System.BitConverter]::GetBytes($packet_target.Length + 1)
-
- $packet_SRVSVCNetShareEnum = New-Object System.Collections.Specialized.OrderedDictionary
- $packet_SRVSVCNetShareEnum.Add("PointerToServerUNC_ReferentID",[Byte[]](0x00,0x00,0x02,0x00))
- $packet_SRVSVCNetShareEnum.Add("PointerToServerUNC_MaxCount",$packet_max_count)
- $packet_SRVSVCNetShareEnum.Add("PointerToServerUNC_Offset",[Byte[]](0x00,0x00,0x00,0x00))
- $packet_SRVSVCNetShareEnum.Add("PointerToServerUNC_ActualCount",$packet_max_count)
- $packet_SRVSVCNetShareEnum.Add("PointerToServerUNC_ServerUNC",$packet_server_UNC)
- $packet_SRVSVCNetShareEnum.Add("PointerToLevel_Level",[Byte[]](0x01,0x00,0x00,0x00))
- $packet_SRVSVCNetShareEnum.Add("PointerToCtr_NetShareCtr_Ctr",[Byte[]](0x01,0x00,0x00,0x00))
- $packet_SRVSVCNetShareEnum.Add("PointerToCtr_NetShareCtr_Pointer_ReferentID",[Byte[]](0x04,0x00,0x02,0x00))
- $packet_SRVSVCNetShareEnum.Add("PointerToCtr_NetShareCtr_Pointer_Ctr1_Count",[Byte[]](0x00,0x00,0x00,0x00))
- $packet_SRVSVCNetShareEnum.Add("PointerToCtr_NetShareCtr_Pointer_NullPointer",[Byte[]](0x00,0x00,0x00,0x00))
- $packet_SRVSVCNetShareEnum.Add("MaxBuffer",[Byte[]](0xff,0xff,0xff,0xff))
- $packet_SRVSVCNetShareEnum.Add("ReferentID",[Byte[]](0x08,0x00,0x02,0x00))
- $packet_SRVSVCNetShareEnum.Add("ResumeHandle",[Byte[]](0x00,0x00,0x00,0x00))
-
- return $packet_SRVSVCNetShareEnum
+ $SRVSVCNetShareEnum = New-Object System.Collections.Specialized.OrderedDictionary
+ $SRVSVCNetShareEnum.Add("PointerToServerUNC_ReferentID",[Byte[]](0x00,0x00,0x02,0x00))
+ $SRVSVCNetShareEnum.Add("PointerToServerUNC_MaxCount",$max_count)
+ $SRVSVCNetShareEnum.Add("PointerToServerUNC_Offset",[Byte[]](0x00,0x00,0x00,0x00))
+ $SRVSVCNetShareEnum.Add("PointerToServerUNC_ActualCount",$max_count)
+ $SRVSVCNetShareEnum.Add("PointerToServerUNC_ServerUNC",$server_UNC)
+ $SRVSVCNetShareEnum.Add("PointerToLevel_Level",[Byte[]](0x01,0x00,0x00,0x00))
+ $SRVSVCNetShareEnum.Add("PointerToCtr_NetShareCtr_Ctr",[Byte[]](0x01,0x00,0x00,0x00))
+ $SRVSVCNetShareEnum.Add("PointerToCtr_NetShareCtr_Pointer_ReferentID",[Byte[]](0x04,0x00,0x02,0x00))
+ $SRVSVCNetShareEnum.Add("PointerToCtr_NetShareCtr_Pointer_Ctr1_Count",[Byte[]](0x00,0x00,0x00,0x00))
+ $SRVSVCNetShareEnum.Add("PointerToCtr_NetShareCtr_Pointer_NullPointer",[Byte[]](0x00,0x00,0x00,0x00))
+ $SRVSVCNetShareEnum.Add("MaxBuffer",[Byte[]](0xff,0xff,0xff,0xff))
+ $SRVSVCNetShareEnum.Add("ReferentID",[Byte[]](0x08,0x00,0x02,0x00))
+ $SRVSVCNetShareEnum.Add("ResumeHandle",[Byte[]](0x00,0x00,0x00,0x00))
+
+ return $SRVSVCNetShareEnum
}
function DataLength2
@@ -829,12 +957,12 @@ if($PSBoundParameters.ContainsKey('Session'))
$process_ID = [System.Diagnostics.Process]::GetCurrentProcess() | Select-Object -expand id
$process_ID = [System.BitConverter]::ToString([System.BitConverter]::GetBytes($process_ID))
-[Byte[]]$process_ID_bytes = $process_ID.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+[Byte[]]$process_ID = $process_ID.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
if(!$inveigh_session)
{
- $SMB_client = New-Object System.Net.Sockets.TCPClient
- $SMB_client.Client.ReceiveTimeout = 5000
+ $client = New-Object System.Net.Sockets.TCPClient
+ $client.Client.ReceiveTimeout = 5000
}
if(!$startup_error -and !$inveigh_session)
@@ -842,7 +970,7 @@ if(!$startup_error -and !$inveigh_session)
try
{
- $SMB_client.Connect($Target,"445")
+ $client.Connect($Target,"445")
}
catch
{
@@ -851,46 +979,55 @@ if(!$startup_error -and !$inveigh_session)
}
-if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table[$session].Connected))
+if($client.Connected -or (!$startup_error -and $inveigh.session_socket_table[$session].Connected))
{
- $SMB_client_receive = New-Object System.Byte[] 81920
+ $client_receive = New-Object System.Byte[] 81920
if(!$inveigh_session)
{
- $SMB_client_stream = $SMB_client.GetStream()
- $SMB_client_stage = 'NegotiateSMB'
+ $client_stream = $client.GetStream()
+ $stage = 'NegotiateSMB'
- while($SMB_client_stage -ne 'exit')
+ while($stage -ne 'Exit')
{
- switch ($SMB_client_stage)
+ switch ($stage)
{
'NegotiateSMB'
{
- $packet_SMB_header = New-PacketSMBHeader 0x72 0x18 0x01,0x48 0xff,0xff $process_ID_bytes 0x00,0x00
+ $packet_SMB_header = New-PacketSMBHeader 0x72 0x18 0x01,0x48 0xff,0xff $process_ID 0x00,0x00
$packet_SMB_data = New-PacketSMBNegotiateProtocolRequest $SMB_version
$SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
$SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
$packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length
$NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
- $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
- $SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $client_send = $NetBIOS_session_service + $SMB_header + $SMB_data
+
+ try
+ {
+ $client_stream.Write($client_send,0,$client_send.Length) > $null
+ $client_stream.Flush()
+ $client_stream.Read($client_receive,0,$client_receive.Length) > $null
+ }
+ catch
+ {
+ Write-Output "[-] Something went wrong"
+ throw
+ }
- if([System.BitConverter]::ToString($SMB_client_receive[4..7]) -eq 'ff-53-4d-42')
+ if([System.BitConverter]::ToString($client_receive[4..7]) -eq 'ff-53-4d-42')
{
$SMB_version = 'SMB1'
- $SMB_client_stage = 'NTLMSSPNegotiate'
+ $stage = 'NTLMSSPNegotiate'
- if([System.BitConverter]::ToString($SMB_client_receive[39]) -eq '0f')
+ if([System.BitConverter]::ToString($client_receive[39]) -eq '0f')
{
if($SigningCheck)
{
Write-Output "[+] SMB signing is required"
- $SMB_client_stage = 'exit'
+ $stage = 'exit'
}
else
{
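Review bot: The return value of `$client_stream.Read(...)` is still discarded (`> $null`) inside the new try block, so a zero-byte read — the peer closing the socket without raising an exception — leaves `$client_receive` holding stale data and the `ff-53-4d-42` check at `$client_receive[4..7]` runs on it. The try/catch only covers a thrown exception, not this case; capture the count and fail on zero, e.g. `$bytes_read = $client_stream.Read($client_receive,0,$client_receive.Length)` followed by `if($bytes_read -eq 0) { throw "[-] Connection closed by $Target" }`. The same discarded read appears in the `@@ -963,20 +1100,30 @@`, `@@ -998,26 +1145,36 @@` and `@@ -1136,54 +1293,63 @@` hunks. Separately, the loop condition became `-ne 'Exit'` while the stage assignments in this hunk still write `'exit'`; `-ne` is case-insensitive so it works, but one spelling would be clearer. The enclosing `if($client.Connected ...)` block continues outside the hunk.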
@@ -907,7 +1044,7 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
if($SigningCheck)
{
Write-Output "[+] SMB signing is not required"
- $SMB_client_stage = 'exit'
+ $stage = 'exit'
}
else
{
@@ -921,15 +1058,15 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
}
else
{
- $SMB_client_stage = 'NegotiateSMB2'
+ $stage = 'NegotiateSMB2'
- if([System.BitConverter]::ToString($SMB_client_receive[70]) -eq '03')
+ if([System.BitConverter]::ToString($client_receive[70]) -eq '03')
{
if($SigningCheck)
{
Write-Output "[+] SMB signing is required"
- $SMB_client_stage = 'exit'
+ $stage = 'exit'
}
else
{
@@ -946,7 +1083,7 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
if($SigningCheck)
{
Write-Output "[+] SMB signing is not required"
- $SMB_client_stage = 'exit'
+ $stage = 'exit'
}
else
{
@@ -963,20 +1100,30 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
'NegotiateSMB2'
{
- $SMB2_tree_ID = 0x00,0x00,0x00,0x00
- $SMB_session_ID = 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
- $SMB2_message_ID = 1
- $packet_SMB2_header = New-PacketSMB2Header 0x00,0x00 0x00,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
- $packet_SMB2_data = New-PacketSMB2NegotiateProtocolRequest
- $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
- $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
- $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
+ $tree_ID = 0x00,0x00,0x00,0x00
+ $session_ID = 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
+ $message_ID = 1
+ $packet_SMB_header = New-PacketSMB2Header 0x00,0x00 0x00,0x00 $message_ID $process_ID $tree_ID $session_ID
+ $packet_SMB_data = New-PacketSMB2NegotiateProtocolRequest
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length
$NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
- $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
- $SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
- $SMB_client_stage = 'NTLMSSPNegotiate'
+ $client_send = $NetBIOS_session_service + $SMB_header + $SMB_data
+
+ try
+ {
+ $client_stream.Write($client_send,0,$client_send.Length) > $null
+ $client_stream.Flush()
+ $client_stream.Read($client_receive,0,$client_receive.Length) > $null
+ $stage = 'NTLMSSPNegotiate'
+ }
+ catch
+ {
+ Write-Output "[-] Something went wrong"
+ throw
+ }
+
}
'NTLMSSPNegotiate'
@@ -984,7 +1131,7 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
if($SMB_version -eq 'SMB1')
{
- $packet_SMB_header = New-PacketSMBHeader 0x73 0x18 0x07,0xc8 0xff,0xff $process_ID_bytes 0x00,0x00
+ $packet_SMB_header = New-PacketSMBHeader 0x73 0x18 0x07,0xc8 0xff,0xff $process_ID 0x00,0x00
if($SMB_signing)
{
@@ -998,26 +1145,36 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
$SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
$packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length
$NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
- $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data
+ $client_send = $NetBIOS_session_service + $SMB_header + $SMB_data
}
else
{
- $SMB2_message_ID++
- $packet_SMB2_header = New-PacketSMB2Header 0x01,0x00 0x1f,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
+ $message_ID++
+ $packet_SMB_header = New-PacketSMB2Header 0x01,0x00 0x1f,0x00 $message_ID $process_ID $tree_ID $session_ID
$packet_NTLMSSP_negotiate = New-PacketNTLMSSPNegotiate $SMB_negotiate_flags 0x06,0x01,0xb1,0x1d,0x00,0x00,0x00,0x0f
- $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
$NTLMSSP_negotiate = ConvertFrom-PacketOrderedDictionary $packet_NTLMSSP_negotiate
- $packet_SMB2_data = New-PacketSMB2SessionSetupRequest $NTLMSSP_negotiate
- $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
- $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
+ $packet_SMB_data = New-PacketSMB2SessionSetupRequest $NTLMSSP_negotiate
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length
$NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
- $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data
+ $client_send = $NetBIOS_session_service + $SMB_header + $SMB_data
}
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
- $SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
- $SMB_client_stage = 'exit'
+ try
+ {
+ $client_stream.Write($client_send,0,$client_send.Length) > $null
+ $client_stream.Flush()
+ $client_stream.Read($client_receive,0,$client_receive.Length) > $null
+ $stage = 'exit'
+
+ }
+ catch
+ {
+ Write-Output "[-] Something went wrong"
+ throw
+ }
+
}
}
@@ -1026,15 +1183,15 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
if(!$SigningCheck)
{
- $SMB_NTLMSSP = [System.BitConverter]::ToString($SMB_client_receive)
+ $SMB_NTLMSSP = [System.BitConverter]::ToString($client_receive)
$SMB_NTLMSSP = $SMB_NTLMSSP -replace "-",""
$SMB_NTLMSSP_index = $SMB_NTLMSSP.IndexOf("4E544C4D53535000")
$SMB_NTLMSSP_bytes_index = $SMB_NTLMSSP_index / 2
- $SMB_domain_length = DataLength2 ($SMB_NTLMSSP_bytes_index + 12) $SMB_client_receive
- $SMB_target_length = DataLength2 ($SMB_NTLMSSP_bytes_index + 40) $SMB_client_receive
- $SMB_session_ID = $SMB_client_receive[44..51]
- $SMB_NTLM_challenge = $SMB_client_receive[($SMB_NTLMSSP_bytes_index + 24)..($SMB_NTLMSSP_bytes_index + 31)]
- $SMB_target_details = $SMB_client_receive[($SMB_NTLMSSP_bytes_index + 56 + $SMB_domain_length)..($SMB_NTLMSSP_bytes_index + 55 + $SMB_domain_length + $SMB_target_length)]
+ $SMB_domain_length = DataLength2 ($SMB_NTLMSSP_bytes_index + 12) $client_receive
+ $SMB_target_length = DataLength2 ($SMB_NTLMSSP_bytes_index + 40) $client_receive
+ $session_ID = $client_receive[44..51]
+ $SMB_NTLM_challenge = $client_receive[($SMB_NTLMSSP_bytes_index + 24)..($SMB_NTLMSSP_bytes_index + 31)]
+ $SMB_target_details = $client_receive[($SMB_NTLMSSP_bytes_index + 56 + $SMB_domain_length)..($SMB_NTLMSSP_bytes_index + 55 + $SMB_domain_length + $SMB_target_length)]
$SMB_target_time_bytes = $SMB_target_details[($SMB_target_details.Length - 12)..($SMB_target_details.Length - 5)]
$NTLM_hash_bytes = (&{for ($i = 0;$i -lt $hash.Length;$i += 2){$hash.SubString($i,2)}}) -join "-"
$NTLM_hash_bytes = $NTLM_hash_bytes.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
@@ -1120,8 +1277,8 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
if($SMB_version -eq 'SMB1')
{
- $SMB_user_ID = $SMB_client_receive[32,33]
- $packet_SMB_header = New-PacketSMBHeader 0x73 0x18 0x07,0xc8 0xff,0xff $process_ID_bytes $SMB_user_ID
+ $SMB_user_ID = $client_receive[32,33]
+ $packet_SMB_header = New-PacketSMBHeader 0x73 0x18 0x07,0xc8 0xff,0xff $process_ID $SMB_user_ID
if($SMB_signing)
{
@@ -1136,54 +1293,63 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
$SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
$packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length
$NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
- $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data
+ $client_send = $NetBIOS_session_service + $SMB_header + $SMB_data
}
else
{
- $SMB2_message_ID++
- $packet_SMB2_header = New-PacketSMB2Header 0x01,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
+ $message_ID++
+ $packet_SMB_header = New-PacketSMB2Header 0x01,0x00 0x01,0x00 $message_ID $process_ID $tree_ID $session_ID
$packet_NTLMSSP_auth = New-PacketNTLMSSPAuth $NTLMSSP_response
- $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
$NTLMSSP_auth = ConvertFrom-PacketOrderedDictionary $packet_NTLMSSP_auth
- $packet_SMB2_data = New-PacketSMB2SessionSetupRequest $NTLMSSP_auth
- $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
- $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
+ $packet_SMB_data = New-PacketSMB2SessionSetupRequest $NTLMSSP_auth
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length
$NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
- $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data
+ $client_send = $NetBIOS_session_service + $SMB_header + $SMB_data
}
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
- $SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
-
- if($SMB_version -eq 'SMB1')
+ try
{
+ $client_stream.Write($client_send,0,$client_send.Length) > $null
+ $client_stream.Flush()
+ $client_stream.Read($client_receive,0,$client_receive.Length) > $null
- if([System.BitConverter]::ToString($SMB_client_receive[9..12]) -eq '00-00-00-00')
+ if($SMB_version -eq 'SMB1')
{
- Write-Verbose "[+] $output_username successfully authenticated on $Target"
- $login_successful = $true
+
+ if([System.BitConverter]::ToString($client_receive[9..12]) -eq '00-00-00-00')
+ {
+ Write-Verbose "[+] $output_username successfully authenticated on $Target"
+ $login_successful = $true
+ }
+ else
+ {
+ Write-Output "[-] $output_username failed to authenticate on $Target"
+ $login_successful = $false
+ }
+
}
else
{
- Write-Output "[-] $output_username failed to authenticate on $Target"
- $login_successful = $false
+ if([System.BitConverter]::ToString($client_receive[12..15]) -eq '00-00-00-00')
+ {
+ Write-Verbose "[+] $output_username successfully authenticated on $Target"
+ $login_successful = $true
+ }
+ else
+ {
+ Write-Output "[-] $output_username failed to authenticate on $Target"
+ $login_successful = $false
+ }
+
}
}
- else
+ catch
{
- if([System.BitConverter]::ToString($SMB_client_receive[12..15]) -eq '00-00-00-00')
- {
- Write-Verbose "[+] $output_username successfully authenticated on $Target"
- $login_successful = $true
- }
- else
- {
- Write-Output "[-] $output_username failed to authenticate on $Target"
- $login_successful = $false
- }
-
+ Write-Output "[-] Something went wrong"
+ $login_successful = $false
}
}
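Review bot: The catch added around the session-setup send swallows the error: it prints `[-] Something went wrong` and sets `$login_successful = $false` without rethrowing or including `$_`, so a transport failure (timeout, reset) is reported the same way as a bad credential and the cause is lost. The negotiate stages earlier in this commit `throw` after the same message; this block should do likewise or at least surface the detail, e.g. `Write-Output "[-] Something went wrong: $($_.Exception.Message)"`. The enclosing stage block starts outside the hunk.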
@@ -1203,25 +1369,26 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
}
$inveigh.session_lock_table[$session] = 'locked'
- $SMB_client = $inveigh.session_socket_table[$session]
- $SMB_client_stream = $SMB_client.GetStream()
- $SMB_session_ID = $inveigh.session_table[$session]
- $SMB2_message_ID = $inveigh.session_message_ID_table[$session]
- $SMB2_tree_ID = 0x00,0x00,0x00,0x00
+ $client = $inveigh.session_socket_table[$session]
+ $client_stream = $client.GetStream()
+ $session_ID = $inveigh.session_table[$session]
+ $message_ID = $inveigh.session_message_ID_table[$session]
+ $tree_ID = 0x00,0x00,0x00,0x00
}
- $SMB_path = "\\" + $Target + "\IPC$"
- $SMB_path_bytes = [System.Text.Encoding]::Unicode.GetBytes($SMB_path)
-
- if($Action -eq 'Share' -or $Action -eq 'NetSession')
+ if($Action -eq 'All')
{
- $SMB_named_pipe_UUID = 0xc8,0x4f,0x32,0x4b,0x70,0x16,0xd3,0x01,0x12,0x78,0x5a,0x47,0xbf,0x6e,0xe1,0x88
+ $action_stage = 'group'
}
- elseif($Action -eq 'User')
+ else
{
- $SMB_named_pipe_UUID = 0x78,0x57,0x34,0x12,0x34,0x12,0xcd,0xab,0xef,0x00,0x01,0x23,0x45,0x67,0x89,0xab
+ $action_stage = $Action
}
-
+
+ $SMB_path = "\\" + $Target + "\IPC$"
+ $SMB_path_bytes = [System.Text.Encoding]::Unicode.GetBytes($SMB_path)
+ $j = 0
+
if($SMB_version -eq 'SMB1')
{
Write-Output "[-] SMB1 is not supported"
@@ -1229,53 +1396,94 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
}
else
{
- $SMB_client_stage = 'TreeConnect'
+ $stage = 'TreeConnect'
- :SMB_execute_loop while ($SMB_client_stage -ne 'exit')
+ :SMB_execute_loop while ($stage -ne 'exit')
{
- switch ($SMB_client_stage)
+ switch ($stage)
{
'TreeConnect'
{
- $SMB2_message_ID++
- $packet_SMB2_header = New-PacketSMB2Header 0x03,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
+ $message_ID++
+
+ if($share_list.Count -gt 0)
+ {
+
+ if($share_list[$j] -eq 'IPC$')
+ {
+ $j++
+ }
+
+ $SMB_path = "\\" + $Target + "\" + $share_list[$j]
+ $SMB_path_bytes = [System.Text.Encoding]::Unicode.GetBytes($SMB_path)
+
+ }
+
+ $packet_SMB_header = New-PacketSMB2Header 0x03,0x00 0x01,0x00 $message_ID $process_ID $tree_ID $session_ID
if($SMB_signing)
{
- $packet_SMB2_header["Flags"] = 0x08,0x00,0x00,0x00
+ $packet_SMB_header["Flags"] = 0x08,0x00,0x00,0x00
}
- $packet_SMB2_data = New-PacketSMB2TreeConnectRequest $SMB_path_bytes
- $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
- $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
- $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
+ $packet_SMB_data = New-PacketSMB2TreeConnectRequest $SMB_path_bytes
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length
$NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
if($SMB_signing)
{
- $SMB2_sign = $SMB2_header + $SMB2_data
- $SMB2_signature = $HMAC_SHA256.ComputeHash($SMB2_sign)
- $SMB2_signature = $SMB2_signature[0..15]
- $packet_SMB2_header["Signature"] = $SMB2_signature
- $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB_sign = $SMB_header + $SMB_data
+ $SMB_signature = $HMAC_SHA256.ComputeHash($SMB_sign)
+ $SMB_signature = $SMB_signature[0..15]
+ $packet_SMB_header["Signature"] = $SMB_signature
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
}
- $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data
+ $client_send = $NetBIOS_session_service + $SMB_header + $SMB_data
try
{
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
- $SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
- $SMB2_tree_ID = $SMB_client_receive[40..43]
- $SMB_client_stage = 'CreateRequest'
+ $client_stream.Write($client_send,0,$client_send.Length) > $null
+ $client_stream.Flush()
+ $client_stream.Read($client_receive,0,$client_receive.Length) > $null
+ $tree_ID = $client_receive[40..43]
+ $access_mask = $null
+
+ if($client_receive[76] -eq 92)
+ {
+ $tree_access_mask = 0x00,0x00,0x00,0x00
+ }
+ else
+ {
+ $tree_access_mask = $client_receive[80..83]
+ }
+
+ if($share_list.Count -gt 0)
+ {
+
+ ForEach($byte in $tree_access_mask)
+ {
+ $access_mask = [System.Convert]::ToString($byte,2).PadLeft(8,'0') + $access_mask
+ }
+
+ $response_object_list | Where-Object {$_.Share -eq $share_list[$j]} | ForEach-Object {$_."Access Mask"=$access_mask}
+ $stage = 'TreeDisconnect'
+ }
+ else
+ {
+ $tree_IPC = $tree_ID
+ $stage = 'CreateRequest'
+ }
+
}
catch
{
Write-Output "[-] Session connection is closed"
- $SMB_client_stage = 'Exit'
+ $stage = 'Exit'
}
}
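Review bot: The new share branch stores `$tree_access_mask` from `$client_receive[80..83]` without checking the SMB2 status of the TREE_CONNECT response, so a share that cannot be opened still gets a tree ID and an access mask written into `$response_object_list`; the authentication step in this file already tests `$client_receive[12..15]` against `'00-00-00-00'`, and that check belongs here before `$tree_ID` and the mask are read, with a non-zero status recording an empty mask for that share instead (how `$j` advances is outside the hunk, so the exact branch to take should be confirmed). The `IPC$` skip `if($share_list[$j] -eq 'IPC$') { $j++ }` has no bounds check: when `IPC$` is the last entry, `$share_list[$j]` is `$null` and the request goes out for `\\$Target\`. `if($client_receive[76] -eq 92)` is a bare magic value; a comment such as `# TODO: document which TREE_CONNECT response field byte 76 is and why 92 (0x5c) means no access mask` stating the field's meaning would save the next reader a packet capture.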
@@ -1283,309 +1491,419 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
'CreateRequest'
{
- if($Action -eq 'Share' -or $action -eq 'NetSession')
+ if($action_stage -eq 'Share' -or $action_stage -eq 'NetSession')
{
- $SMB_named_pipe_bytes = 0x73,0x00,0x72,0x00,0x76,0x00,0x73,0x00,0x76,0x00,0x63,0x00 # srvsvc
+ $named_pipe = 0x73,0x00,0x72,0x00,0x76,0x00,0x73,0x00,0x76,0x00,0x63,0x00 # srvsvc
}
- elseif($SAMR_step -eq 2)
+ elseif($step -eq 1)
{
- $SMB_named_pipe_bytes = 0x73,0x00,0x61,0x00,0x6d,0x00,0x72,0x00 # samr
+ $named_pipe = 0x73,0x00,0x61,0x00,0x6d,0x00,0x72,0x00 # samr
}
else
{
- $SMB_named_pipe_bytes = 0x6c,0x00,0x73,0x00,0x61,0x00,0x72,0x00,0x70,0x00,0x63,0x00 # lsarpc
+ $named_pipe = 0x6c,0x00,0x73,0x00,0x61,0x00,0x72,0x00,0x70,0x00,0x63,0x00 # lsarpc
}
- $SMB2_message_ID++
- $packet_SMB2_header = New-PacketSMB2Header 0x05,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
+ $message_ID++
+ $packet_SMB_header = New-PacketSMB2Header 0x05,0x00 0x01,0x00 $message_ID $process_ID $tree_ID $session_ID
if($SMB_signing)
{
- $packet_SMB2_header["Flags"] = 0x08,0x00,0x00,0x00
+ $packet_SMB_header["Flags"] = 0x08,0x00,0x00,0x00
}
- $packet_SMB2_data = New-PacketSMB2CreateRequestFile $SMB_named_pipe_bytes
- $packet_SMB2_data["DesiredAccess"] = 0x9f,0x01,0x12,0x00
- $packet_SMB2_data["FileAttributes"] = 0x00,0x00,0x00,0x00
- $packet_SMB2_data["ShareAccess"] = 0x07,0x00,0x00,0x00
- $packet_SMB2_data["CreateOptions"] = 0x00,0x00,0x00,0x00
- $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
- $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
- $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
+ $packet_SMB_data = New-PacketSMB2CreateRequestFile $named_pipe
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length
$NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
if($SMB_signing)
{
- $SMB2_sign = $SMB2_header + $SMB2_data
- $SMB2_signature = $HMAC_SHA256.ComputeHash($SMB2_sign)
- $SMB2_signature = $SMB2_signature[0..15]
- $packet_SMB2_header["Signature"] = $SMB2_signature
- $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB_sign = $SMB_header + $SMB_data
+ $SMB_signature = $HMAC_SHA256.ComputeHash($SMB_sign)
+ $SMB_signature = $SMB_signature[0..15]
+ $packet_SMB_header["Signature"] = $SMB_signature
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
}
- $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data
+ $client_send = $NetBIOS_session_service + $SMB_header + $SMB_data
try
{
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
- $SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $client_stream.Write($client_send,0,$client_send.Length) > $null
+ $client_stream.Flush()
+ $client_stream.Read($client_receive,0,$client_receive.Length) > $null
+ $file_ID = $client_receive[132..147]
}
catch
{
Write-Output "[-] Session connection is closed"
- $SMB_client_stage = 'Exit'
+ $stage = 'Exit'
}
- if($Refresh -and $SMB_client_stage -ne 'Exit')
+ if($Refresh -and $stage -ne 'Exit')
{
Write-Output "[+] Session refreshed"
- $SMB_client_stage = 'Exit'
+ $stage = 'Exit'
}
- elseif($SAMR_step -eq 2)
+ elseif($step -ge 2)
{
- $SMB_file_GUID = $SMB_client_receive[132..147]
- $SMB_client_stage = 'RPCBind'
+ $stage = 'RPCBind'
}
- elseif($SMB_client_stage -ne 'Exit')
+ elseif($stage -ne 'Exit')
{
- $SMB_file_GUID = $SMB_client_receive[132..147]
- $SMB_client_stage = 'QueryInfoRequest'
+ $stage = 'QueryInfoRequest'
}
}
'QueryInfoRequest'
- {
- $SMB_file_ID = $SMB_client_receive[132..147]
- $SMB2_message_ID++
- $packet_SMB2_header = New-PacketSMB2Header 0x10,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
+ {
+ $message_ID++
+ $packet_SMB_header = New-PacketSMB2Header 0x10,0x00 0x01,0x00 $message_ID $process_ID $tree_ID $session_ID
if($SMB_signing)
{
- $packet_SMB2_header["Flags"] = 0x08,0x00,0x00,0x00
+ $packet_SMB_header["Flags"] = 0x08,0x00,0x00,0x00
}
- $packet_SMB2_data = New-PacketSMB2QueryInfoRequest 0x01 0x05 0x18,0x00,0x00,0x00 0x68,0x00 $SMB_file_ID
- $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
- $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
- $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
+ $packet_SMB_data = New-PacketSMB2QueryInfoRequest 0x01 0x05 0x18,0x00,0x00,0x00 0x68,0x00 $file_ID
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length
$NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
if($SMB_signing)
{
- $SMB2_sign = $SMB2_header + $SMB2_data
- $SMB2_signature = $HMAC_SHA256.ComputeHash($SMB2_sign)
- $SMB2_signature = $SMB2_signature[0..15]
- $packet_SMB2_header["Signature"] = $SMB2_signature
- $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB_sign = $SMB_header + $SMB_data
+ $SMB_signature = $HMAC_SHA256.ComputeHash($SMB_sign)
+ $SMB_signature = $SMB_signature[0..15]
+ $packet_SMB_header["Signature"] = $SMB_signature
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ }
+
+ $client_send = $NetBIOS_session_service + $SMB_header + $SMB_data
+
+ try
+ {
+ $client_stream.Write($client_send,0,$client_send.Length) > $null
+ $client_stream.Flush()
+ $client_stream.Read($client_receive,0,$client_receive.Length) > $null
+ $file_ID = $client_receive[132..147]
+ $stage = 'RPCBind'
+ }
+ catch
+ {
+ Write-Output "[-] Something went wrong"
+ $stage = 'Exit'
}
- $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
- $SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
- $SMB_client_stage = 'RPCBind'
}
'RPCBind'
{
- $SMB_named_pipe_bytes = 0x73,0x00,0x72,0x00,0x76,0x00,0x73,0x00,0x76,0x00,0x63,0x00 # srvsvc
- $SMB2_message_ID++
- $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
+ $named_pipe = 0x73,0x00,0x72,0x00,0x76,0x00,0x73,0x00,0x76,0x00,0x63,0x00 # srvsvc
+ $message_ID++
+ $packet_SMB_header = New-PacketSMB2Header 0x09,0x00 0x01,0x00 $message_ID $process_ID $tree_ID $session_ID
if($SMB_signing)
{
- $packet_SMB2_header["Flags"] = 0x08,0x00,0x00,0x00
+ $packet_SMB_header["Flags"] = 0x08,0x00,0x00,0x00
}
- if($Action -eq 'Share')
+ if($action_stage -eq 'Share')
{
- $SMB_named_pipe_UUID = 0xc8,0x4f,0x32,0x4b,0x70,0x16,0xd3,0x01,0x12,0x78,0x5a,0x47,0xbf,0x6e,0xe1,0x88
- $packet_RPC_data = New-PacketRPCBind 0x48,0x00 2 0x01 0x00,0x00 $SMB_named_pipe_UUID 0x03,0x00
- $SMB_client_stage_next = 'NetShareEnumAll'
+ $named_pipe_UUID = 0xc8,0x4f,0x32,0x4b,0x70,0x16,0xd3,0x01,0x12,0x78,0x5a,0x47,0xbf,0x6e,0xe1,0x88
+ $packet_RPC_data = New-PacketRPCBind 0x48,0x00 2 0x01 0x00,0x00 $named_pipe_UUID 0x03,0x00
+ $stage_next = 'NetShareEnumAll'
}
- elseif($Action -eq 'NetSession')
+ elseif($action_stage -eq 'NetSession')
{
- $packet_RPC_data = New-PacketRPCBind 0x74,0x00 2 0x02 0x00,0x00 $SMB_named_pipe_UUID 0x03,0x00
- $SMB_client_stage_next = 'NetSessEnum'
+ $named_pipe_UUID = 0xc8,0x4f,0x32,0x4b,0x70,0x16,0xd3,0x01,0x12,0x78,0x5a,0x47,0xbf,0x6e,0xe1,0x88
+ $packet_RPC_data = New-PacketRPCBind 0x74,0x00 2 0x02 0x00,0x00 $named_pipe_UUID 0x03,0x00
+ $stage_next = 'NetSessEnum'
}
- elseif($SAMR_step -eq 2)
+ elseif($step -eq 1)
{
- $SMB_named_pipe_UUID = 0x78,0x57,0x34,0x12,0x34,0x12,0xcd,0xab,0xef,0x00,0x01,0x23,0x45,0x67,0x89,0xac
- $packet_RPC_data = New-PacketRPCBind 0x48,0x00 5 0x01 0x00,0x00 $SMB_named_pipe_UUID 0x01,0x00
- $SMB_file_ID = $SMB_file_GUID
- $SMB_client_stage_next = 'Connect5'
+ $named_pipe_UUID = 0x78,0x57,0x34,0x12,0x34,0x12,0xcd,0xab,0xef,0x00,0x01,0x23,0x45,0x67,0x89,0xac
+ $packet_RPC_data = New-PacketRPCBind 0x48,0x00 5 0x01 0x00,0x00 $named_pipe_UUID 0x01,0x00
+
+ if($action_stage -eq 'User')
+ {
+ $stage_next = 'Connect5'
+ }
+ else
+ {
+ $stage_next = 'Connect2'
+ }
+
+ }
+ elseif($step -gt 2)
+ {
+ $named_pipe_UUID = 0x78,0x57,0x34,0x12,0x34,0x12,0xcd,0xab,0xef,0x00,0x01,0x23,0x45,0x67,0x89,0xab
+ $named_pipe = 0x78,0x57,0x34,0x12,0x34,0x12,0xcd,0xab,0x76,0x00,0x63,0x00
+ $packet_RPC_data = New-PacketRPCBind 0x48,0x00 14 0x01 0x00,0x00 $named_pipe_UUID 0x00,0x00
+ $stage_next = 'LSAOpenPolicy'
}
else
{
- $SMB_named_pipe_bytes = 0x78,0x57,0x34,0x12,0x34,0x12,0xcd,0xab,0x76,0x00,0x63,0x00
- $packet_RPC_data = New-PacketRPCBind 0x48,0x00 1 0x01 0x00,0x00 $SMB_named_pipe_UUID 0x00,0x00
- $SMB_client_stage_next = 'LSAOpenPolicy'
+ $named_pipe_UUID = 0x78,0x57,0x34,0x12,0x34,0x12,0xcd,0xab,0xef,0x00,0x01,0x23,0x45,0x67,0x89,0xab
+ $named_pipe = 0x78,0x57,0x34,0x12,0x34,0x12,0xcd,0xab,0x76,0x00,0x63,0x00
+ $packet_RPC_data = New-PacketRPCBind 0x48,0x00 1 0x01 0x00,0x00 $named_pipe_UUID 0x00,0x00
+ $stage_next = 'LSAOpenPolicy'
}
$RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
- $packet_SMB2_data = New-PacketSMB2WriteRequest $SMB_file_ID $RPC_data.Length
- $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
- $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
- $RPC_data_length = $SMB2_data.Length + $RPC_data.Length
- $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $RPC_data_length
+ $packet_SMB_data = New-PacketSMB2WriteRequest $file_ID $RPC_data.Length
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $RPC_data_length = $SMB_data.Length + $RPC_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length
$NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
if($SMB_signing)
{
- $SMB2_sign = $SMB2_header + $SMB2_data + $RPC_data
- $SMB2_signature = $HMAC_SHA256.ComputeHash($SMB2_sign)
- $SMB2_signature = $SMB2_signature[0..15]
- $packet_SMB2_header["Signature"] = $SMB2_signature
- $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB_sign = $SMB_header + $SMB_data + $RPC_data
+ $SMB_signature = $HMAC_SHA256.ComputeHash($SMB_sign)
+ $SMB_signature = $SMB_signature[0..15]
+ $packet_SMB_header["Signature"] = $SMB_signature
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
}
- $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $RPC_data
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
- $SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
- $SMB_client_stage = 'ReadRequest'
-
+ try
+ {
+ $client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data
+ $client_stream.Write($client_send,0,$client_send.Length) > $null
+ $client_stream.Flush()
+ $client_stream.Read($client_receive,0,$client_receive.Length) > $null
+ $stage = 'ReadRequest'
+ }
+ catch
+ {
+ Write-Output "[-] Something went wrong"
+ $stage = 'Exit'
+ }
}
'ReadRequest'
{
Start-Sleep -m $Sleep
- $SMB2_message_ID++
- $packet_SMB2_header = New-PacketSMB2Header 0x08,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
+ $message_ID++
+ $packet_SMB_header = New-PacketSMB2Header 0x08,0x00 0x01,0x00 $message_ID $process_ID $tree_ID $session_ID
if($SMB_signing)
{
- $packet_SMB2_header["Flags"] = 0x08,0x00,0x00,0x00
+ $packet_SMB_header["Flags"] = 0x08,0x00,0x00,0x00
}
- $packet_SMB2_data = New-PacketSMB2ReadRequest $SMB_file_ID
- $packet_SMB2_data["Length"] = 0x00,0x04,0x00,0x00
- $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
- $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
- $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
+ $packet_SMB_data = New-PacketSMB2ReadRequest $file_ID
+ $packet_SMB_data["Length"] = 0x00,0x04,0x00,0x00
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length
$NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
if($SMB_signing)
{
- $SMB2_sign = $SMB2_header + $SMB2_data
- $SMB2_signature = $HMAC_SHA256.ComputeHash($SMB2_sign)
- $SMB2_signature = $SMB2_signature[0..15]
- $packet_SMB2_header["Signature"] = $SMB2_signature
- $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB_sign = $SMB_header + $SMB_data
+ $SMB_signature = $HMAC_SHA256.ComputeHash($SMB_sign)
+ $SMB_signature = $SMB_signature[0..15]
+ $packet_SMB_header["Signature"] = $SMB_signature
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
}
- $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
- $SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
-
- if([System.BitConverter]::ToString($SMB_client_receive[12..15]) -ne '03-01-00-00')
+ try
{
- $SMB_client_stage = $SMB_client_stage_next
+ $client_send = $NetBIOS_session_service + $SMB_header + $SMB_data
+ $client_stream.Write($client_send,0,$client_send.Length) > $null
+ $client_stream.Flush()
+ $client_stream.Read($client_receive,0,$client_receive.Length) > $null
+
+ if([System.BitConverter]::ToString($client_receive[12..15]) -ne '03-01-00-00')
+ {
+ $stage = $stage_next
+ }
+ else
+ {
+ $stage = 'StatusPending'
+ }
+
}
- else
+ catch
{
- $SMB_client_stage = 'StatusPending'
+ Write-Output "[-] Something went wrong"
+ $stage = 'Exit'
}
}
'StatusPending'
{
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $client_stream.Read($client_receive,0,$client_receive.Length) > $null
- if([System.BitConverter]::ToString($SMB_client_receive[12..15]) -ne '03-01-00-00')
+ if([System.BitConverter]::ToString($client_receive[12..15]) -ne '03-01-00-00')
{
- $SMB_client_stage = $SMB_client_stage_next
+ $stage = $stage_next
}
}
'LSAOpenPolicy'
{
- $SMB2_message_ID++
- $packet_SMB2_header = New-PacketSMB2Header 0x0b,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
+ $message_ID++
+ $packet_SMB_header = New-PacketSMB2Header 0x0b,0x00 0x01,0x00 $message_ID $process_ID $tree_ID $session_ID
if($SMB_signing)
{
- $packet_SMB2_header["Flags"] = 0x08,0x00,0x00,0x00
+ $packet_SMB_header["Flags"] = 0x08,0x00,0x00,0x00
}
$packet_LSARPC_data = New-PacketLSAOpenPolicy
$LSARPC_data = ConvertFrom-PacketOrderedDictionary $packet_LSARPC_data
- $packet_SMB2_data = New-PacketSMB2IoctlRequest 0x17,0xc0,0x11,0x00 $SMB_file_GUID $LSARPC_data.Length 4280
+ $packet_SMB_data = New-PacketSMB2IoctlRequest 0x17,0xc0,0x11,0x00 $file_ID $LSARPC_data.Length 4280
$packet_RPC_data = New-PacketRPCRequest 0x03 $LSARPC_data.Length 0 0 0x02,0x00,0x00,0x00 0x00,0x00 0x06,0x00
$RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
- $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
- $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
- $RPC_data_length = $SMB2_data.Length + $RPC_data.Length + $LSARPC_data.Length
- $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $RPC_data_length
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $RPC_data_length = $SMB_data.Length + $RPC_data.Length + $LSARPC_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+
+ if($SMB_signing)
+ {
+ $SMB_sign = $SMB_header + $SMB_data + $RPC_data + $LSARPC_data
+ $SMB_signature = $HMAC_SHA256.ComputeHash($SMB_sign)
+ $SMB_signature = $SMB_signature[0..15]
+ $packet_SMB_header["Signature"] = $SMB_signature
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ }
+
+ try
+ {
+ $client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data + $LSARPC_data
+ $client_stream.Write($client_send,0,$client_send.Length) > $null
+ $client_stream.Flush()
+ $client_stream.Read($client_receive,0,$client_receive.Length) > $null
+ [Byte[]]$policy_handle = $client_receive[140..159]
+
+ if($step -gt 2)
+ {
+ $stage = 'LSALookupSids'
+ }
+ else
+ {
+ $stage = 'LSAQueryInfoPolicy'
+ }
+
+ }
+ catch
+ {
+ Write-Output "[-] Something went wrong"
+ $stage = 'Exit'
+ }
+
+ }
+
+ 'LSALookupSids'
+ {
+ $message_ID++
+ $packet_SMB_header = New-PacketSMB2Header 0x0b,0x00 0x01,0x00 $message_ID $process_ID $tree_ID $session_ID
+
+ if($SMB_signing)
+ {
+ $packet_SMB_header["Flags"] = 0x08,0x00,0x00,0x00
+ }
+
+ $packet_LSARPC_data = New-PacketLSALookupSids $policy_handle $SID_array
+ $LSARPC_data = ConvertFrom-PacketOrderedDictionary $packet_LSARPC_data
+ $packet_SMB_data = New-PacketSMB2IoctlRequest 0x17,0xc0,0x11,0x00 $file_ID $LSARPC_data.Length 4280
+ $packet_RPC_data = New-PacketRPCRequest 0x03 $LSARPC_data.Length 0 0 0x10,0x00,0x00,0x00 0x00,0x00 0x0f,0x00
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $RPC_data_length = $SMB_data.Length + $RPC_data.Length + $LSARPC_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length
$NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
if($SMB_signing)
{
- $SMB2_sign = $SMB2_header + $SMB2_data + $RPC_data + $LSARPC_data
- $SMB2_signature = $HMAC_SHA256.ComputeHash($SMB2_sign)
- $SMB2_signature = $SMB2_signature[0..15]
- $packet_SMB2_header["Signature"] = $SMB2_signature
- $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB_sign = $SMB_header + $SMB_data + $RPC_data + $LSARPC_data
+ $SMB_signature = $HMAC_SHA256.ComputeHash($SMB_sign)
+ $SMB_signature = $SMB_signature[0..15]
+ $packet_SMB_header["Signature"] = $SMB_signature
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
}
- $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $RPC_data + $LSARPC_data
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
- $SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
- $SMB_client_stage = 'LSAQueryInfoPolicy'
- $SMB_client_stage_next = 'CheckAccess'
+ try
+ {
+ $client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data + $LSARPC_data
+ $client_stream.Write($client_send,0,$client_send.Length) > $null
+ $client_stream.Flush()
+ $client_stream.Read($client_receive,0,$client_receive.Length) > $null
+ $stage = 'ParseLookupSids'
+ }
+ catch
+ {
+ Write-Output "[-] Something went wrong"
+ $stage = 'Exit'
+ }
+
}
'LSAQueryInfoPolicy'
{
- [Byte[]]$SMB_policy_handle = $SMB_client_receive[140..159]
- $SMB2_message_ID++
- $packet_SMB2_header = New-PacketSMB2Header 0x0b,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
+ [Byte[]]$policy_handle = $client_receive[140..159]
+ $message_ID++
+ $packet_SMB_header = New-PacketSMB2Header 0x0b,0x00 0x01,0x00 $message_ID $process_ID $tree_ID $session_ID
if($SMB_signing)
{
- $packet_SMB2_header["Flags"] = 0x08,0x00,0x00,0x00
+ $packet_SMB_header["Flags"] = 0x08,0x00,0x00,0x00
}
- $packet_LSARPC_data = New-PacketLSAQueryInfoPolicy $SMB_policy_handle
+ $packet_LSARPC_data = New-PacketLSAQueryInfoPolicy $policy_handle
$LSARPC_data = ConvertFrom-PacketOrderedDictionary $packet_LSARPC_data
- $packet_SMB2_data = New-PacketSMB2IoctlRequest 0x17,0xc0,0x11,0x00 $SMB_file_GUID $LSARPC_data.Length 4280
+ $packet_SMB_data = New-PacketSMB2IoctlRequest 0x17,0xc0,0x11,0x00 $file_ID $LSARPC_data.Length 4280
$packet_RPC_data = New-PacketRPCRequest 0x03 $LSARPC_data.Length 0 0 0x03,0x00,0x00,0x00 0x00,0x00 0x07,0x00
$RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
- $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
- $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
- $RPC_data_length = $SMB2_data.Length + $RPC_data.Length + $LSARPC_data.Length
- $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $RPC_data_length
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $RPC_data_length = $SMB_data.Length + $RPC_data.Length + $LSARPC_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length
$NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
if($SMB_signing)
{
- $SMB2_sign = $SMB2_header + $SMB2_data + $RPC_data + $LSARPC_data
- $SMB2_signature = $HMAC_SHA256.ComputeHash($SMB2_sign)
- $SMB2_signature = $SMB2_signature[0..15]
- $packet_SMB2_header["Signature"] = $SMB2_signature
- $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB_sign = $SMB_header + $SMB_data + $RPC_data + $LSARPC_data
+ $SMB_signature = $HMAC_SHA256.ComputeHash($SMB_sign)
+ $SMB_signature = $SMB_signature[0..15]
+ $packet_SMB_header["Signature"] = $SMB_signature
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ }
+
+ try
+ {
+ $client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data + $LSARPC_data
+ $client_stream.Write($client_send,0,$client_send.Length) > $null
+ $client_stream.Flush()
+ $client_stream.Read($client_receive,0,$client_receive.Length) > $null
+ $stage = 'LSAClose'
+ }
+ catch
+ {
+ Write-Output "[-] Something went wrong"
+ $stage = 'Exit'
}
- $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $RPC_data + $LSARPC_data
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
- $SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
- $SMB_client_stage = 'LSAClose'
- $SMB_client_stage_next = 'CheckAccess'
}
'LSAClose'
{
- [Byte[]]$LSA_domain_length_bytes = $SMB_client_receive[148..149]
+ [Byte[]]$LSA_domain_length_bytes = $client_receive[148..149]
$LSA_domain_length = [System.BitConverter]::ToInt16($LSA_domain_length_bytes,0)
- [Byte[]]$LSA_domain_actual_count_bytes = $SMB_client_receive[168..171]
+ [Byte[]]$LSA_domain_actual_count_bytes = $client_receive[168..171]
$LSA_domain_actual_count = [System.BitConverter]::ToInt32($LSA_domain_actual_count_bytes,0)
if($LSA_domain_actual_count % 2)
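Review bot: The byte count returned by `$client_stream.Read($client_receive,0,$client_receive.Length)` is discarded (`> $null`) in every stage of this hunk (CreateRequest, QueryInfoRequest, RPCBind, ReadRequest, LSAOpenPolicy, LSALookupSids, LSAQueryInfoPolicy), yet the response is immediately sliced at fixed offsets such as `$file_ID = $client_receive[132..147]` and `[Byte[]]$policy_handle = $client_receive[140..159]`; a zero-length read (peer closed the connection) or a short read leaves those offsets pointing at stale bytes from the previous response in the reused `$client_receive` buffer, so the next stage is built on a bogus file ID or policy handle and no error is ever raised. Capture the count and fail the stage when it is smaller than the highest offset that stage consumes, e.g. `$bytes_read = $client_stream.Read($client_receive,0,$client_receive.Length)` followed by `if($bytes_read -lt 160) { throw "Short SMB response: $bytes_read bytes" }` inside the existing `try`, so the `catch` path already present handles it (160 is the example for the policy-handle slice; use the per-stage value). The bare read in `StatusPending` has the same problem and, unlike the other stages, is not inside a `try` at all, so a stream exception there escapes the state machine. Presumably the `catch` blocks would also be more useful with the exception text, `Write-Output "[-] Something went wrong: $($_.Exception.Message)"`, since the current message hides whether it was a timeout, a reset or a signing failure. The enclosing `switch` on `$stage` starts before this hunk.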
@@ -1593,175 +1911,653 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
$LSA_domain_length += 2
}
- [Byte[]]$LSA_domain_SID = $SMB_client_receive[(176 + $LSA_domain_length)..(199 + $LSA_domain_length)]
- $SMB2_message_ID++
- $packet_SMB2_header = New-PacketSMB2Header 0x0b,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
+ [Byte[]]$LSA_domain_SID = $client_receive[(176 + $LSA_domain_length)..(199 + $LSA_domain_length)]
+ $message_ID++
+ $packet_SMB_header = New-PacketSMB2Header 0x0b,0x00 0x01,0x00 $message_ID $process_ID $tree_ID $session_ID
if($SMB_signing)
{
- $packet_SMB2_header["Flags"] = 0x08,0x00,0x00,0x00
+ $packet_SMB_header["Flags"] = 0x08,0x00,0x00,0x00
}
- $packet_LSARPC_data = New-PacketLSAClose $SMB_policy_handle
+ $packet_LSARPC_data = New-PacketLSAClose $policy_handle
$LSARPC_data = ConvertFrom-PacketOrderedDictionary $packet_LSARPC_data
- $packet_SMB2_data = New-PacketSMB2IoctlRequest 0x17,0xc0,0x11,0x00 $SMB_file_GUID $LSARPC_data.Length 4280
+ $packet_SMB_data = New-PacketSMB2IoctlRequest 0x17,0xc0,0x11,0x00 $file_ID $LSARPC_data.Length 4280
$packet_RPC_data = New-PacketRPCRequest 0x03 $LSARPC_data.Length 0 0 0x04,0x00,0x00,0x00 0x00,0x00 0x00,0x00
$RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
- $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
- $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
- $RPC_data_length = $SMB2_data.Length + $RPC_data.Length + $LSARPC_data.Length
- $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $RPC_data_length
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $RPC_data_length = $SMB_data.Length + $RPC_data.Length + $LSARPC_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length
$NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
if($SMB_signing)
{
- $SMB2_sign = $SMB2_header + $SMB2_data + $RPC_data + $LSARPC_data
- $SMB2_signature = $HMAC_SHA256.ComputeHash($SMB2_sign)
- $SMB2_signature = $SMB2_signature[0..15]
- $packet_SMB2_header["Signature"] = $SMB2_signature
- $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB_sign = $SMB_header + $SMB_data + $RPC_data + $LSARPC_data
+ $SMB_signature = $HMAC_SHA256.ComputeHash($SMB_sign)
+ $SMB_signature = $SMB_signature[0..15]
+ $packet_SMB_header["Signature"] = $SMB_signature
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ }
+
+ try
+ {
+ $client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data + $LSARPC_data
+ $client_stream.Write($client_send,0,$client_send.Length) > $null
+ $client_stream.Flush()
+ $client_stream.Read($client_receive,0,$client_receive.Length) > $null
+ $stage = 'CloseRequest'
+ $step++
+ }
+ catch
+ {
+ Write-Output "[-] Something went wrong"
+ $stage = 'Exit'
+ }
+
+ }
+
+ 'Connect2'
+ {
+ $message_ID++
+ $packet_SMB_header = New-PacketSMB2Header 0x0b,0x00 0x01,0x00 $message_ID $process_ID $tree_ID $session_ID
+
+ if($SMB_signing)
+ {
+ $packet_SMB_header["Flags"] = 0x08,0x00,0x00,0x00
+ }
+
+ $packet_SAMR_data = New-PacketSAMRConnect2 $Target
+ $SAMR_data = ConvertFrom-PacketOrderedDictionary $packet_SAMR_data
+ $packet_SMB_data = New-PacketSMB2IoctlRequest 0x17,0xc0,0x11,0x00 $file_ID $SAMR_data.Length 4280
+ $packet_RPC_data = New-PacketRPCRequest 0x03 $SAMR_data.Length 0 0 0x06,0x00,0x00,0x00 0x00,0x00 0x39,0x00
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $RPC_data_length = $SMB_data.Length + $RPC_data.Length + $SAMR_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+
+ if($SMB_signing)
+ {
+ $SMB_sign = $SMB_header + $SMB_data + $RPC_data + $SAMR_data
+ $SMB_signature = $HMAC_SHA256.ComputeHash($SMB_sign)
+ $SMB_signature = $SMB_signature[0..15]
+ $packet_SMB_header["Signature"] = $SMB_signature
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ }
+
+ try
+ {
+ $client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data + $SAMR_data
+ $client_stream.Write($client_send,0,$client_send.Length) > $null
+ $client_stream.Flush()
+ $client_stream.Read($client_receive,0,$client_receive.Length) > $null
+ $stage = 'OpenDomain'
+ $step++
+ }
+ catch
+ {
+ Write-Output "[-] Something went wrong"
+ $stage = 'Exit'
}
- $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $RPC_data + $LSARPC_data
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
- $SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
- $SMB_client_stage = 'CloseRequest'
- $SAMR_step = 2
- $SMB_client_stage_next = 'CheckAccess'
}
'Connect5'
{
- $SMB2_message_ID++
- $packet_SMB2_header = New-PacketSMB2Header 0x0b,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
+ $message_ID++
+ $packet_SMB_header = New-PacketSMB2Header 0x0b,0x00 0x01,0x00 $message_ID $process_ID $tree_ID $session_ID
if($SMB_signing)
{
- $packet_SMB2_header["Flags"] = 0x08,0x00,0x00,0x00
+ $packet_SMB_header["Flags"] = 0x08,0x00,0x00,0x00
}
$packet_SAMR_data = New-PacketSAMRConnect5 $Target
$SAMR_data = ConvertFrom-PacketOrderedDictionary $packet_SAMR_data
- $packet_SMB2_data = New-PacketSMB2IoctlRequest 0x17,0xc0,0x11,0x00 $SMB_file_GUID $SAMR_data.Length 4280
+ $packet_SMB_data = New-PacketSMB2IoctlRequest 0x17,0xc0,0x11,0x00 $file_ID $SAMR_data.Length 4280
$packet_RPC_data = New-PacketRPCRequest 0x03 $SAMR_data.Length 0 0 0x06,0x00,0x00,0x00 0x00,0x00 0x40,0x00
$RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
- $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
- $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
- $RPC_data_length = $SMB2_data.Length + $RPC_data.Length + $SAMR_data.Length
- $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $RPC_data_length
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $RPC_data_length = $SMB_data.Length + $RPC_data.Length + $SAMR_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length
$NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
if($SMB_signing)
{
- $SMB2_sign = $SMB2_header + $SMB2_data + $RPC_data + $SAMR_data
- $SMB2_signature = $HMAC_SHA256.ComputeHash($SMB2_sign)
- $SMB2_signature = $SMB2_signature[0..15]
- $packet_SMB2_header["Signature"] = $SMB2_signature
- $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB_sign = $SMB_header + $SMB_data + $RPC_data + $SAMR_data
+ $SMB_signature = $HMAC_SHA256.ComputeHash($SMB_sign)
+ $SMB_signature = $SMB_signature[0..15]
+ $packet_SMB_header["Signature"] = $SMB_signature
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ }
+
+ try
+ {
+ $client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data + $SAMR_data
+ $client_stream.Write($client_send,0,$client_send.Length) > $null
+ $client_stream.Flush()
+ $client_stream.Read($client_receive,0,$client_receive.Length) > $null
+ $stage = 'OpenDomain'
+ $step++
+ }
+ catch
+ {
+ Write-Output "[-] Something went wrong"
+ $stage = 'Exit'
}
- $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $RPC_data + $SAMR_data
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
- $SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
- $SMB_client_stage = 'OpenDomain'
- $SAMR_step = 3
- $SMB_client_stage_next = 'CheckAccess'
}
'OpenDomain'
{
- [Byte[]]$SAMR_connect_handle = $SMB_client_receive[156..175]
- $SMB2_message_ID++
- $packet_SMB2_header = New-PacketSMB2Header 0x0b,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
+
+ if($step -eq 5 -and $action_stage -eq 'Group')
+ {
+ $LSA_domain_SID = 0x01,0x01,0x00,0x00,0x00,0x00,0x00,0x05,0x20,0x00,0x00,0x00
+ $SID_count = 0x01,0x00,0x00,0x00
+ }
+ elseif($action_stage -eq 'Group')
+ {
+ $SID_count = 0x04,0x00,0x00,0x00
+ [Byte[]]$SAMR_connect_handle = $client_receive[140..159]
+ }
+ else
+ {
+ $SID_count = 0x04,0x00,0x00,0x00
+ [Byte[]]$SAMR_connect_handle = $client_receive[156..175]
+ }
+
+ $message_ID++
+ $packet_SMB_header = New-PacketSMB2Header 0x0b,0x00 0x01,0x00 $message_ID $process_ID $tree_ID $session_ID
if($SMB_signing)
{
- $packet_SMB2_header["Flags"] = 0x08,0x00,0x00,0x00
+ $packet_SMB_header["Flags"] = 0x08,0x00,0x00,0x00
}
- $packet_SAMR_data = New-PacketSAMROpenDomain $SAMR_connect_handle $LSA_domain_SID
+ $packet_SAMR_data = New-PacketSAMROpenDomain $SAMR_connect_handle $SID_count $LSA_domain_SID
$SAMR_data = ConvertFrom-PacketOrderedDictionary $packet_SAMR_data
- $packet_SMB2_data = New-PacketSMB2IoctlRequest 0x17,0xc0,0x11,0x00 $SMB_file_GUID $SAMR_data.Length 4280
+ $packet_SMB_data = New-PacketSMB2IoctlRequest 0x17,0xc0,0x11,0x00 $file_ID $SAMR_data.Length 4280
$packet_RPC_data = New-PacketRPCRequest 0x03 $SAMR_data.Length 0 0 0x07,0x00,0x00,0x00 0x00,0x00 0x07,0x00
$RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
- $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
- $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
- $RPC_data_length = $SMB2_data.Length + $RPC_data.Length + $SAMR_data.Length
- $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $RPC_data_length
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $RPC_data_length = $SMB_data.Length + $RPC_data.Length + $SAMR_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+
+ if($SMB_signing)
+ {
+ $SMB_sign = $SMB_header + $SMB_data + $RPC_data + $SAMR_data
+ $SMB_signature = $HMAC_SHA256.ComputeHash($SMB_sign)
+ $SMB_signature = $SMB_signature[0..15]
+ $packet_SMB_header["Signature"] = $SMB_signature
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ }
+
+ try
+ {
+ $client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data + $SAMR_data
+ $client_stream.Write($client_send,0,$client_send.Length) > $null
+ $client_stream.Flush()
+ $client_stream.Read($client_receive,0,$client_receive.Length) > $null
+ [Byte[]]$SAMR_domain_handle = $client_receive[140..159]
+ $step++
+
+ if($action_stage -eq 'User')
+ {
+ $stage = 'EnumDomainUsers'
+ }
+ else
+ {
+ $stage = 'LookupNames'
+ }
+
+ }
+ catch
+ {
+ Write-Output "[-] Something went wrong"
+ $stage = 'Exit'
+ }
+
+ }
+
+ 'LookupNames'
+ {
+ $message_ID++
+ $packet_SMB_header = New-PacketSMB2Header 0x0b,0x00 0x01,0x00 $message_ID $process_ID $tree_ID $session_ID
+
+ if($SMB_signing)
+ {
+ $packet_SMB_header["Flags"] = 0x08,0x00,0x00,0x00
+ }
+
+ $packet_SAMR_data = New-PacketSAMRLookupNames $SAMR_domain_handle $Group
+ $SAMR_data = ConvertFrom-PacketOrderedDictionary $packet_SAMR_data
+ $packet_RPC_data = New-PacketRPCRequest 0x03 $SAMR_data.Length 0 0 0x08,0x00,0x00,0x00 0x00,0x00 0x11,0x00
+ $packet_SMB_data = New-PacketSMB2IoctlRequest 0x17,0xc0,0x11,0x00 $file_ID $SAMR_data.Length 4280
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $RPC_data_length = $SMB_data.Length + $RPC_data.Length + $SAMR_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+
+ if($SMB_signing)
+ {
+ $SMB_sign = $SMB_header + $SMB_data + $RPC_data + $SAMR_data
+ $SMB_signature = $HMAC_SHA256.ComputeHash($SMB_sign)
+ $SMB_signature = $SMB_signature[0..15]
+ $packet_SMB_header["Signature"] = $SMB_signature
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ }
+
+ try
+ {
+ $client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data + $SAMR_data
+ $client_stream.Write($client_send,0,$client_send.Length) > $null
+ $client_stream.Flush()
+ $client_stream.Read($client_receive,0,$client_receive.Length) > $null
+ [Byte[]]$SAMR_RID = $client_receive[152..155]
+ $step++
+
+ if([System.BitConverter]::ToString($client_receive[156..159]) -eq '73-00-00-c0')
+ {
+ $stage = 'SAMRCloseRequest'
+ }
+ else
+ {
+
+ if($step -eq 4)
+ {
+ $stage = 'OpenGroup'
+ }
+ else
+ {
+ $stage = 'OpenAlias'
+ }
+
+ }
+
+ }
+ catch
+ {
+ Write-Output "[-] Something went wrong"
+ $stage = 'Exit'
+ }
+
+ }
+
+ 'OpenAlias'
+ {
+ $message_ID++
+ $packet_SMB_header = New-PacketSMB2Header 0x0b,0x00 0x01,0x00 $message_ID $process_ID $tree_ID $session_ID
+
+ if($SMB_signing)
+ {
+ $packet_SMB_header["Flags"] = 0x08,0x00,0x00,0x00
+ }
+
+ $packet_SAMR_data = New-PacketSAMROpenAlias $SAMR_domain_handle $SAMR_RID
+ $SAMR_data = ConvertFrom-PacketOrderedDictionary $packet_SAMR_data
+ $packet_RPC_data = New-PacketRPCRequest 0x03 $SAMR_data.Length 0 0 0x0c,0x00,0x00,0x00 0x00,0x00 0x1b,0x00
+ $packet_SMB_data = New-PacketSMB2IoctlRequest 0x17,0xc0,0x11,0x00 $file_ID $SAMR_data.Length 4280
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $RPC_data_length = $SMB_data.Length + $RPC_data.Length + $SAMR_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+
+ if($SMB_signing)
+ {
+ $SMB_sign = $SMB_header + $SMB_data + $RPC_data + $SAMR_data
+ $SMB_signature = $HMAC_SHA256.ComputeHash($SMB_sign)
+ $SMB_signature = $SMB_signature[0..15]
+ $packet_SMB_header["Signature"] = $SMB_signature
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ }
+
+ try
+ {
+ $client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data + $SAMR_data
+ $client_stream.Write($client_send,0,$client_send.Length) > $null
+ $client_stream.Flush()
+ $client_stream.Read($client_receive,0,$client_receive.Length) > $null
+ $step++
+
+ if([System.BitConverter]::ToString($client_receive[156..159]) -eq '73-00-00-c0')
+ {
+ $stage = 'SAMRCloseRequest'
+ }
+ else
+ {
+ $stage = 'GetMembersInAlias'
+ }
+
+ }
+ catch
+ {
+ Write-Output "[-] Something went wrong"
+ $stage = 'Exit'
+ }
+
+ }
+
+ 'OpenGroup'
+ {
+ $message_ID++
+ $packet_SMB_header = New-PacketSMB2Header 0x0b,0x00 0x01,0x00 $message_ID $process_ID $tree_ID $session_ID
+
+ if($SMB_signing)
+ {
+ $packet_SMB_header["Flags"] = 0x08,0x00,0x00,0x00
+ }
+
+ $packet_SAMR_data = New-PacketSAMROpenGroup $SAMR_domain_handle $SAMR_RID
+ $SAMR_data = ConvertFrom-PacketOrderedDictionary $packet_SAMR_data
+ $packet_RPC_data = New-PacketRPCRequest 0x03 $SAMR_data.Length 0 0 0x09,0x00,0x00,0x00 0x00,0x00 0x13,0x00
+ $packet_SMB_data = New-PacketSMB2IoctlRequest 0x17,0xc0,0x11,0x00 $file_ID $SAMR_data.Length 4280
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $RPC_data_length = $SMB_data.Length + $RPC_data.Length + $SAMR_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+
+ if($SMB_signing)
+ {
+ $SMB_sign = $SMB_header + $SMB_data + $RPC_data + $SAMR_data
+ $SMB_signature = $HMAC_SHA256.ComputeHash($SMB_sign)
+ $SMB_signature = $SMB_signature[0..15]
+ $packet_SMB_header["Signature"] = $SMB_signature
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ }
+
+ try
+ {
+ $client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data + $SAMR_data
+ $client_stream.Write($client_send,0,$client_send.Length) > $null
+ $client_stream.Flush()
+ $client_stream.Read($client_receive,0,$client_receive.Length) > $null
+ [Byte[]]$group_handle = $client_receive[140..159]
+ $step++
+ $stage = 'QueryGroupMember'
+ }
+ catch
+ {
+ Write-Output "[-] Something went wrong"
+ $stage = 'Exit'
+ }
+
+ }
+
+ 'QueryGroupMember'
+ {
+ $message_ID++
+ $packet_SMB_header = New-PacketSMB2Header 0x0b,0x00 0x01,0x00 $message_ID $process_ID $tree_ID $session_ID
+
+ if($SMB_signing)
+ {
+ $packet_SMB_header["Flags"] = 0x08,0x00,0x00,0x00
+ }
+
+ $packet_SAMR_data = New-PacketSAMRQueryGroupMember $group_handle
+ $SAMR_data = ConvertFrom-PacketOrderedDictionary $packet_SAMR_data
+ $packet_RPC_data = New-PacketRPCRequest 0x03 $SAMR_data.Length 0 0 0x10,0x00,0x00,0x00 0x00,0x00 0x19,0x00
+ $packet_SMB_data = New-PacketSMB2IoctlRequest 0x17,0xc0,0x11,0x00 $file_ID $SAMR_data.Length 4280
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $RPC_data_length = $SMB_data.Length + $RPC_data.Length + $SAMR_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+
+ if($SMB_signing)
+ {
+ $SMB_sign = $SMB_header + $SMB_data + $RPC_data + $SAMR_data
+ $SMB_signature = $HMAC_SHA256.ComputeHash($SMB_sign)
+ $SMB_signature = $SMB_signature[0..15]
+ $packet_SMB_header["Signature"] = $SMB_signature
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ }
+
+ try
+ {
+ $client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data + $SAMR_data
+ $client_stream.Write($client_send,0,$client_send.Length) > $null
+ $client_stream.Flush()
+ $client_stream.Read($client_receive,0,$client_receive.Length) > $null
+ [Byte[]]$RID_count_bytes = $client_receive[144..147]
+ $RID_count = [System.BitConverter]::ToInt16($RID_count_bytes,0)
+ [Byte[]]$RID_list = $client_receive[160..(159 + ($RID_count * 4))]
+ $step++
+ $stage = 'LookupRids'
+ }
+ catch
+ {
+ Write-Output "[-] Something went wrong"
+ $stage = 'Exit'
+ }
+
+ }
+
+ 'LookupRids'
+ {
+ $message_ID++
+ $packet_SMB_header = New-PacketSMB2Header 0x0b,0x00 0x01,0x00 $message_ID $process_ID $tree_ID $session_ID
+
+ if($SMB_signing)
+ {
+ $packet_SMB_header["Flags"] = 0x08,0x00,0x00,0x00
+ }
+
+ $packet_SAMR_data = New-PacketSAMRLookupRids $SAMR_domain_handle $RID_count_bytes $RID_list
+ $SAMR_data = ConvertFrom-PacketOrderedDictionary $packet_SAMR_data
+ $packet_RPC_data = New-PacketRPCRequest 0x03 $SAMR_data.Length 0 0 0x0b,0x00,0x00,0x00 0x00,0x00 0x12,0x00
+ $packet_SMB_data = New-PacketSMB2IoctlRequest 0x17,0xc0,0x11,0x00 $file_ID $SAMR_data.Length 4280
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $RPC_data_length = $SMB_data.Length + $RPC_data.Length + $SAMR_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+
+ if($SMB_signing)
+ {
+ $SMB_sign = $SMB_header + $SMB_data + $RPC_data + $SAMR_data
+ $SMB_signature = $HMAC_SHA256.ComputeHash($SMB_sign)
+ $SMB_signature = $SMB_signature[0..15]
+ $packet_SMB_header["Signature"] = $SMB_signature
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ }
+
+ try
+ {
+ $client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data + $SAMR_data
+ $client_stream.Write($client_send,0,$client_send.Length) > $null
+ $client_stream.Flush()
+ $client_stream.Read($client_receive,0,$client_receive.Length) > $null
+ $step++
+ $stage = 'ParseLookupRids'
+ }
+ catch
+ {
+ Write-Output "[-] Something went wrong"
+ $stage = 'Exit'
+ }
+
+ }
+
+ 'GetMembersInAlias'
+ {
+ [Byte[]]$SAMR_policy_handle = $client_receive[140..159]
+ $message_ID++
+ $packet_SMB_header = New-PacketSMB2Header 0x0b,0x00 0x01,0x00 $message_ID $process_ID $tree_ID $session_ID
+
+ if($SMB_signing)
+ {
+ $packet_SMB_header["Flags"] = 0x08,0x00,0x00,0x00
+ }
+
+ $packet_SAMR_data = New-PacketSAMRGetMembersInAlias $SAMR_policy_handle
+ $SAMR_data = ConvertFrom-PacketOrderedDictionary $packet_SAMR_data
+ $packet_RPC_data = New-PacketRPCRequest 0x03 $SAMR_data.Length 0 0 0x0d,0x00,0x00,0x00 0x00,0x00 0x21,0x00
+ $packet_SMB_data = New-PacketSMB2IoctlRequest 0x17,0xc0,0x11,0x00 $file_ID $SAMR_data.Length 4280
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $RPC_data_length = $SMB_data.Length + $RPC_data.Length + $SAMR_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length
$NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+
+ if($SMB_signing)
+ {
+ $SMB_sign = $SMB_header + $SMB_data + $RPC_data + $SAMR_data
+ $SMB_signature = $HMAC_SHA256.ComputeHash($SMB_sign)
+ $SMB_signature = $SMB_signature[0..15]
+ $packet_SMB_header["Signature"] = $SMB_signature
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ }
+
+ try
+ {
+ $client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data + $SAMR_data
+ $client_stream.Write($client_send,0,$client_send.Length) > $null
+ $client_stream.Flush()
+ $client_stream.Read($client_receive,0,$client_receive.Length) > $null
+ [Byte[]]$SID_array = $client_receive[140..([System.BitConverter]::ToInt16($client_receive[3..1],0) - 1)]
+ $step++
+
+ if([System.BitConverter]::ToString($client_receive[156..159]) -eq '73-00-00-c0')
+ {
+ $stage = 'SAMRCloseRequest'
+ }
+ else
+ {
+ $stage = 'CreateRequest'
+ }
+
+ }
+ catch
+ {
+ Write-Output "[-] Something went wrong"
+ $stage = 'Exit'
+ }
+
+ }
+
+ 'SAMRCloseRequest'
+ {
+ $message_ID++
+ $packet_SMB_header = New-PacketSMB2Header 0x0b,0x00 0x01,0x00 $message_ID $process_ID $tree_ID $session_ID
+
+ if($SMB_signing)
+ {
+ $packet_SMB_header["Flags"] = 0x08,0x00,0x00,0x00
+ }
+ $packet_SAMR_data = New-PacketSAMRClose $SAMR_domain_handle
+ $SAMR_data = ConvertFrom-PacketOrderedDictionary $packet_SAMR_data
+ $packet_RPC_data = New-PacketRPCRequest 0x03 $SAMR_data.Length 0 0 0x09,0x00,0x00,0x00 0x00,0x00 0x01,0x00
+ $packet_SMB_data = New-PacketSMB2IoctlRequest 0x17,0xc0,0x11,0x00 $file_ID $SAMR_data.Length 4280
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $RPC_data_length = $SMB_data.Length + $RPC_data.Length + $SAMR_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+
if($SMB_signing)
{
- $SMB2_sign = $SMB2_header + $SMB2_data + $RPC_data + $SAMR_data
- $SMB2_signature = $HMAC_SHA256.ComputeHash($SMB2_sign)
- $SMB2_signature = $SMB2_signature[0..15]
- $packet_SMB2_header["Signature"] = $SMB2_signature
- $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB_sign = $SMB_header + $SMB_data + $RPC_data + $SAMR_data
+ $SMB_signature = $HMAC_SHA256.ComputeHash($SMB_sign)
+ $SMB_signature = $SMB_signature[0..15]
+ $packet_SMB_header["Signature"] = $SMB_signature
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ }
+
+ try
+ {
+ $client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data + $SAMR_data
+ $client_stream.Write($client_send,0,$client_send.Length) > $null
+ $client_stream.Flush()
+ $client_stream.Read($client_receive,0,$client_receive.Length) > $null
+ $step++
+
+ if($step -eq 8)
+ {
+ Write-Output "[-] $Group group not found"
+ $stage = 'TreeDisconnect'
+ }
+ else
+ {
+ $stage = 'OpenDomain'
+ }
+
+ }
+ catch
+ {
+ Write-Output "[-] Something went wrong"
+ $stage = 'Exit'
}
- $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $RPC_data + $SAMR_data
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
- $SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
- $SMB_client_stage = 'EnumDomainUsers'
- $SAMR_step = 3
- $SMB_client_stage_next = 'CheckAccess'
}
'EnumDomainUsers'
{
- [Byte[]]$SAMR_domain_handle = $SMB_client_receive[140..159]
- $SMB2_message_ID++
- $packet_SMB2_header = New-PacketSMB2Header 0x0b,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
+ [Byte[]]$SAMR_domain_handle = $client_receive[140..159]
+ $message_ID++
+ $packet_SMB_header = New-PacketSMB2Header 0x0b,0x00 0x01,0x00 $message_ID $process_ID $tree_ID $session_ID
if($SMB_signing)
{
- $packet_SMB2_header["Flags"] = 0x08,0x00,0x00,0x00
+ $packet_SMB_header["Flags"] = 0x08,0x00,0x00,0x00
}
$packet_SAMR_data = New-PacketSAMREnumDomainUsers $SAMR_domain_handle
$SAMR_data = ConvertFrom-PacketOrderedDictionary $packet_SAMR_data
$packet_RPC_data = New-PacketRPCRequest 0x03 $SAMR_data.Length 0 0 0x08,0x00,0x00,0x00 0x00,0x00 0x0d,0x00
- $packet_SMB2_data = New-PacketSMB2IoctlRequest 0x17,0xc0,0x11,0x00 $SMB_file_GUID $SAMR_data.Length 4280
+ $packet_SMB_data = New-PacketSMB2IoctlRequest 0x17,0xc0,0x11,0x00 $file_ID $SAMR_data.Length 4280
$RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
- $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
- $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
- $RPC_data_length = $SMB2_data.Length + $RPC_data.Length + $SAMR_data.Length
- $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $RPC_data_length
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $RPC_data_length = $SMB_data.Length + $RPC_data.Length + $SAMR_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length
$NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
if($SMB_signing)
{
- $SMB2_sign = $SMB2_header + $SMB2_data + $RPC_data + $SAMR_data
- $SMB2_signature = $HMAC_SHA256.ComputeHash($SMB2_sign)
- $SMB2_signature = $SMB2_signature[0..15]
- $packet_SMB2_header["Signature"] = $SMB2_signature
- $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB_sign = $SMB_header + $SMB_data + $RPC_data + $SAMR_data
+ $SMB_signature = $HMAC_SHA256.ComputeHash($SMB_sign)
+ $SMB_signature = $SMB_signature[0..15]
+ $packet_SMB_header["Signature"] = $SMB_signature
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
}
- $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $RPC_data + $SAMR_data
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
- $SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
- $SAMR_step = 3
- $SMB_client_stage_next = 'ParseUsers'
-
- if([System.BitConverter]::ToString($SMB_client_receive[12..15]) -ne '03-01-00-00')
+ try
{
- $SMB_client_stage = $SMB_client_stage_next
+ $client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data + $SAMR_data
+ $client_stream.Write($client_send,0,$client_send.Length) > $null
+ $client_stream.Flush()
+ $client_stream.Read($client_receive,0,$client_receive.Length) > $null
+ $step++
+ $stage = 'ParseUsers'
}
- else
+ catch
{
- $SMB_client_stage = 'StatusPending'
+ Write-Output "[-] Something went wrong"
+ $stage = 'Exit'
}
}
'ParseUsers'
{
- [Byte[]]$response_user_count_bytes = $SMB_client_receive[148..151]
+ [Byte[]]$response_user_count_bytes = $client_receive[148..151]
$response_user_count = [System.BitConverter]::ToInt16($response_user_count_bytes,0)
$response_user_start = $response_user_count * 12 + 172
$response_user_end = $response_user_start
@@ -1773,14 +2569,14 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
while($i -lt $response_user_count)
{
$response_user_object = New-Object PSObject
- [Byte[]]$response_user_length_bytes = $SMB_client_receive[$response_user_length_start..($response_user_length_start + 1)]
+ [Byte[]]$response_user_length_bytes = $client_receive[$response_user_length_start..($response_user_length_start + 1)]
$response_user_length = [System.BitConverter]::ToInt16($response_user_length_bytes,0)
- [Byte[]]$response_RID_bytes = $SMB_client_receive[$response_RID_start..($response_RID_start + 3)]
+ [Byte[]]$response_RID_bytes = $client_receive[$response_RID_start..($response_RID_start + 3)]
$response_RID = [System.BitConverter]::ToInt16($response_RID_bytes,0)
$response_user_end = $response_user_start + $response_user_length
- [Byte[]]$response_actual_count_bytes = $SMB_client_receive[($response_user_start - 4)..($response_user_start - 1)]
+ [Byte[]]$response_actual_count_bytes = $client_receive[($response_user_start - 4)..($response_user_start - 1)]
$response_actual_count = [System.BitConverter]::ToInt16($response_actual_count_bytes,0)
- [Byte[]]$response_user_bytes = $SMB_client_receive[$response_user_start..($response_user_end - 1)]
+ [Byte[]]$response_user_bytes = $client_receive[$response_user_start..($response_user_end - 1)]
if($response_actual_count % 2)
{
@@ -1803,53 +2599,202 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
$i++
}
+ if($Action -eq 'All')
+ {
+ Write-Output "Local Users:"
+ }
+
Write-Output $response_user_list | Sort-Object -property Username |Format-Table -AutoSize
- $SMB_client_stage = 'CloseRequest'
+ $stage = 'CloseRequest'
+ }
+
+ 'ParseLookupRids'
+ {
+ [Byte[]]$response_user_count_bytes = $client_receive[140..143]
+ $response_user_count = [System.BitConverter]::ToInt16($response_user_count_bytes,0)
+ $response_user_start = $response_user_count * 8 + 164
+ $response_user_end = $response_user_start
+ $response_user_length_start = 152
+ $response_user_list = @()
+ $i = 0
+
+ while($i -lt $response_user_count)
+ {
+ $response_user_object = New-Object PSObject
+ [Byte[]]$response_user_length_bytes = $client_receive[$response_user_length_start..($response_user_length_start + 1)]
+ $response_user_length = [System.BitConverter]::ToInt16($response_user_length_bytes,0)
+ $response_user_end = $response_user_start + $response_user_length
+ [Byte[]]$response_actual_count_bytes = $client_receive[($response_user_start - 4)..($response_user_start - 1)]
+ $response_actual_count = [System.BitConverter]::ToInt16($response_actual_count_bytes,0)
+ [Byte[]]$response_user_bytes = $client_receive[$response_user_start..($response_user_end - 1)]
+
+ if($response_actual_count % 2)
+ {
+ $response_user_start += $response_user_length + 14
+ }
+ else
+ {
+ $response_user_start += $response_user_length + 12
+ }
+
+ $response_user = [System.BitConverter]::ToString($response_user_bytes)
+ $response_user = $response_user -replace "-00",""
+ $response_user = $response_user.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+ $response_user = New-Object System.String ($response_user,0,$response_user.Length)
+ Add-Member -InputObject $response_user_object -MemberType NoteProperty -Name Username $response_user
+ $response_user_length_start = $response_user_length_start + 8
+ $response_user_list += $response_user_object
+ $i++
+ }
+
+ if($Action -eq 'All')
+ {
+ Write-Output "$Group Users:"
+ }
+
+ Write-Output $response_user_list | Sort-Object -property Username |Format-Table -AutoSize
+ $stage = 'CloseRequest'
+ }
+
+ 'ParseLookupSids'
+ {
+ [Byte[]]$response_domain_count_bytes = $client_receive[144..147]
+ $response_domain_count = [System.BitConverter]::ToInt16($response_domain_count_bytes,0)
+ $response_domain_start = $response_domain_count * 12 + 172
+ $response_domain_end = $response_domain_start
+ $response_domain_length_start = 160
+ $response_domain_list = @()
+ $i = 0
+
+ while($i -lt $response_domain_count)
+ {
+ [Byte[]]$response_domain_length_bytes = $client_receive[$response_domain_length_start..($response_domain_length_start + 1)]
+ $response_domain_length = [System.BitConverter]::ToInt16($response_domain_length_bytes,0)
+ $response_domain_end = $response_domain_start + $response_domain_length
+ [Byte[]]$response_actual_count_bytes = $client_receive[($response_domain_start - 4)..($response_domain_start - 1)]
+ $response_actual_count = [System.BitConverter]::ToInt16($response_actual_count_bytes,0)
+ [Byte[]]$response_domain_bytes = $client_receive[$response_domain_start..($response_domain_end - 1)]
+
+ if($response_actual_count % 2)
+ {
+ $response_domain_start += $response_domain_length + 42
+ }
+ else
+ {
+ $response_domain_start += $response_domain_length + 40
+ }
+
+ $response_domain = [System.BitConverter]::ToString($response_domain_bytes)
+ $response_domain = $response_domain -replace "-00",""
+ $response_domain = $response_domain.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+ $response_domain = New-Object System.String ($response_domain,0,$response_domain.Length)
+ $response_domain_list += $response_domain
+ $response_domain_length_start = $response_domain_length_start + 12
+ $i++
+ }
+
+ [Byte[]]$response_user_count_bytes = $client_receive[($response_domain_start - 4)..($response_domain_start - 1)]
+ $response_user_count = [System.BitConverter]::ToInt16($response_user_count_bytes,0)
+ $response_user_start = $response_user_count * 16 + $response_domain_start + 12
+ $response_user_end = $response_user_start
+ $response_user_length_start = $response_domain_start + 4
+ $response_user_list = @()
+ $i = 0
+
+ while($i -lt $response_user_count)
+ {
+ $response_user_object = New-Object PSObject
+ [Byte[]]$response_user_length_bytes = $client_receive[$response_user_length_start..($response_user_length_start + 1)]
+ $response_user_length = [System.BitConverter]::ToInt16($response_user_length_bytes,0)
+ $response_SID_index_start = $response_user_length_start + 8
+ [Byte[]]$response_SID_index_bytes = $client_receive[$response_SID_index_start..($response_SID_index_start + 3)]
+ $response_SID_index = [System.BitConverter]::ToInt16($response_SID_index_bytes,0)
+ $response_user_end = $response_user_start + $response_user_length
+ [Byte[]]$response_actual_count_bytes = $client_receive[($response_user_start - 4)..($response_user_start - 1)]
+ $response_actual_count = [System.BitConverter]::ToInt16($response_actual_count_bytes,0)
+ [Byte[]]$response_user_bytes = $client_receive[$response_user_start..($response_user_end - 1)]
+
+ if($response_actual_count % 2)
+ {
+ $response_user_start += $response_user_length + 14
+ }
+ else
+ {
+ $response_user_start += $response_user_length + 12
+ }
+
+ $response_user = [System.BitConverter]::ToString($response_user_bytes)
+ $response_user = $response_user -replace "-00",""
+ $response_user = $response_user.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+ $response_user = New-Object System.String ($response_user,0,$response_user.Length)
+ Add-Member -InputObject $response_user_object -MemberType NoteProperty -Name Username $response_user
+ Add-Member -InputObject $response_user_object -MemberType NoteProperty -Name Domain $response_domain_list[$response_SID_index]
+ $response_user_length_start = $response_user_length_start + 16
+ $response_user_list += $response_user_object
+ $i++
+ }
+
+ if($Action -eq 'All')
+ {
+ Write-Output "$Group Group Members:"
+ }
+
+ Write-Output $response_user_list | Sort-Object -property Username |Format-Table -AutoSize
+ $stage = 'CloseRequest'
}
'NetShareEnumAll'
{
- $SMB2_message_ID++
- $packet_SMB2_header = New-PacketSMB2Header 0x0b,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
+ $message_ID++
+ $packet_SMB_header = New-PacketSMB2Header 0x0b,0x00 0x01,0x00 $message_ID $process_ID $tree_ID $session_ID
if($SMB_signing)
{
- $packet_SMB2_header["Flags"] = 0x08,0x00,0x00,0x00
+ $packet_SMB_header["Flags"] = 0x08,0x00,0x00,0x00
}
$packet_SRVSVC_data = New-PacketSRVSVCNetShareEnumAll $Target
$SRVSVC_data = ConvertFrom-PacketOrderedDictionary $packet_SRVSVC_data
- $packet_SMB2_data = New-PacketSMB2IoctlRequest 0x17,0xc0,0x11,0x00 $SMB_file_GUID $SRVSVC_data.Length 4280
+ $packet_SMB_data = New-PacketSMB2IoctlRequest 0x17,0xc0,0x11,0x00 $file_ID $SRVSVC_data.Length 4280
$packet_RPC_data = New-PacketRPCRequest 0x03 $SRVSVC_data.Length 0 0 0x02,0x00,0x00,0x00 0x00,0x00 0x0f,0x00
$RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
- $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
- $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
- $RPC_data_length = $SMB2_data.Length + $RPC_data.Length + $SRVSVC_data.Length
- $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $RPC_data_length
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $RPC_data_length = $SMB_data.Length + $RPC_data.Length + $SRVSVC_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length
$NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
if($SMB_signing)
{
- $SMB2_sign = $SMB2_header + $SMB2_data + $RPC_data + $SRVSVC_data
- $SMB2_signature = $HMAC_SHA256.ComputeHash($SMB2_sign)
- $SMB2_signature = $SMB2_signature[0..15]
- $packet_SMB2_header["Signature"] = $SMB2_signature
- $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB_sign = $SMB_header + $SMB_data + $RPC_data + $SRVSVC_data
+ $SMB_signature = $HMAC_SHA256.ComputeHash($SMB_sign)
+ $SMB_signature = $SMB_signature[0..15]
+ $packet_SMB_header["Signature"] = $SMB_signature
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
}
- $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $RPC_data + $SRVSVC_data
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
- $SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
- $SMB_client_stage_next = 'ParseSRVSVC'
-
- if([System.BitConverter]::ToString($SMB_client_receive[12..15]) -ne '03-01-00-00')
+ try
{
- $SMB_client_stage = $SMB_client_stage_next
+ $client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data + $SRVSVC_data
+ $client_stream.Write($client_send,0,$client_send.Length) > $null
+ $client_stream.Flush()
+ $client_stream.Read($client_receive,0,$client_receive.Length) > $null
+ $stage_next = 'ParseSRVSVC'
+
+ if([System.BitConverter]::ToString($client_receive[12..15]) -ne '03-01-00-00')
+ {
+ $stage = $stage_next
+ }
+ else
+ {
+ $stage = 'StatusPending'
+ }
+
}
- else
+ catch
{
- $SMB_client_stage = 'StatusPending'
+ Write-Output "[-] Something went wrong"
+ $stage = 'Exit'
}
}
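Review bot: The wide-string decode in the new ParseLookupRids and ParseLookupSids stages (`-replace "-00",""` followed by a per-byte `[Char]` cast at L3100–L3103, L3147–L3150 and L3186–L3189) is only correct for code units below U+0100: a name containing Cyrillic, CJK or any character whose UTF-16 high byte is non-zero is split into two bogus characters, and a unit whose low byte is 0x00 loses a byte, so member and domain names from a non-Latin domain print mangled. Each four-line conversion can be replaced by `$response_user = [System.Text.Encoding]::Unicode.GetString($response_user_bytes)` (and the same for `$response_domain_bytes`), which decodes every code unit and also avoids the exception the current chain would likely raise on an empty slice. The count and length fields are taken from the remote response and read with `ToInt16` on four-byte fields, which matches the existing ParseUsers code but turns any value above 0x7FFF negative, so `ToInt32` looks like the intended width. The `catch` in NetShareEnumAll (L3271–L3276) discards the exception; `Write-Output "[-] Something went wrong: $($_.Exception.Message)"` keeps the reason without changing the flow. The enclosing `switch` and the `if($SMB_client.Connected ...)` block begin and end outside this hunk.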
@@ -1857,7 +2802,8 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
'ParseSRVSVC'
{
$response_object_list = @()
- [Byte[]]$response_count_bytes = $SMB_client_receive[152..155]
+ $share_list = @()
+ [Byte[]]$response_count_bytes = $client_receive[152..155]
$response_count = [System.BitConverter]::ToInt32($response_count_bytes,0)
$response_item_index = 164
$i = 0
@@ -1881,7 +2827,7 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
else
{
- if($action -eq 'Share')
+ if($action_stage -eq 'Share')
{
$response_item_index += $response_count * 12
}
@@ -1893,10 +2839,10 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
}
$response_item_object = New-Object PSObject
- [Byte[]]$response_item_length_bytes = $SMB_client_receive[$response_item_index..($response_item_index + 3)]
+ [Byte[]]$response_item_length_bytes = $client_receive[$response_item_index..($response_item_index + 3)]
$response_item_length = [System.BitConverter]::ToInt32($response_item_length_bytes,0)
$response_item_index += 12
- [Byte[]]$response_item_bytes = $SMB_client_receive[($response_item_index)..($response_item_index + ($response_item_length * 2 - 1))]
+ [Byte[]]$response_item_bytes = $client_receive[($response_item_index)..($response_item_index + ($response_item_length * 2 - 1))]
$response_item = [System.BitConverter]::ToString($response_item_bytes)
$response_item = $response_item -replace "-00",""
$response_item = $response_item.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
@@ -1911,21 +2857,36 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
$response_item_index += $response_item_length * 2
}
- [Byte[]]$response_item_length_bytes = $SMB_client_receive[$response_item_index..($response_item_index + 3)]
+ [Byte[]]$response_item_length_bytes = $client_receive[$response_item_index..($response_item_index + 3)]
$response_item_length = [System.BitConverter]::ToInt32($response_item_length_bytes,0)
$response_item_index += 12
- [Byte[]]$response_item_2_bytes = $SMB_client_receive[($response_item_index)..($response_item_index + ($response_item_length * 2 - 1))]
+ [Byte[]]$response_item_2_bytes = $client_receive[($response_item_index)..($response_item_index + ($response_item_length * 2 - 1))]
$response_item_2 = [System.BitConverter]::ToString($response_item_2_bytes)
$response_item_2 = $response_item_2 -replace "-00",""
$response_item_2 = $response_item_2.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
$response_item_2 = New-Object System.String ($response_item_2,0,$response_item_2.Length)
- $response_object_list += $response_item_object
- $i++
- if($action -eq 'Share')
+ if($action_stage -eq 'Share')
{
+ $share_list += $response_item
Add-Member -InputObject $response_item_object -MemberType NoteProperty -Name Share $response_item
Add-Member -InputObject $response_item_object -MemberType NoteProperty -Name Description $response_item_2
+
+ if($response_item -eq 'IPC$')
+ {
+
+ ForEach($byte in $tree_access_mask)
+ {
+ $access_mask = [System.Convert]::ToString($byte,2).PadLeft(8,'0') + $access_mask
+ }
+
+ Add-Member -InputObject $response_item_object -MemberType NoteProperty -Name "Access Mask" $access_mask
+ }
+ else
+ {
+ Add-Member -InputObject $response_item_object -MemberType NoteProperty -Name "Access Mask" ""
+ }
+
}
else
{
@@ -1933,178 +2894,310 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
Add-Member -InputObject $response_item_object -MemberType NoteProperty -Name Source $response_item
}
+ $response_object_list += $response_item_object
+ $i++
+ }
+
+ if($Action -eq 'All' -and $action_stage -eq 'Share')
+ {
+ Write-Output "Shares:"
+ }
+ elseif($Action -eq 'All' -and $action_stage -eq 'NetSession')
+ {
+ Write-Output "NetSessions:"
+ $response_object_list | Sort-Object -property Share |Format-Table -AutoSize
+ }
+
+ if($Action -eq 'NetSession')
+ {
+ $response_object_list | Sort-Object -property Share |Format-Table -AutoSize
}
- Write-Output $response_object_list | Sort-Object -property Share |Format-Table -AutoSize
- $SMB_client_stage = 'CloseRequest'
+ $stage = 'CloseRequest'
}
'NetSessEnum'
{
- $SMB2_message_ID++
- $packet_SMB2_header = New-PacketSMB2Header 0x0b,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
+ $message_ID++
+ $packet_SMB_header = New-PacketSMB2Header 0x0b,0x00 0x01,0x00 $message_ID $process_ID $tree_ID $session_ID
if($SMB_signing)
{
- $packet_SMB2_header["Flags"] = 0x08,0x00,0x00,0x00
+ $packet_SMB_header["Flags"] = 0x08,0x00,0x00,0x00
}
$packet_SRVSVC_data = New-PacketSRVSVCNetSessEnum $Target
$SRVSVC_data = ConvertFrom-PacketOrderedDictionary $packet_SRVSVC_data
- $packet_SMB2_data = New-PacketSMB2IoctlRequest 0x17,0xc0,0x11,0x00 $SMB_file_GUID $SRVSVC_data.Length 1024
+ $packet_SMB_data = New-PacketSMB2IoctlRequest 0x17,0xc0,0x11,0x00 $file_ID $SRVSVC_data.Length 1024
$packet_RPC_data = New-PacketRPCRequest 0x03 $SRVSVC_data.Length 0 0 0x02,0x00,0x00,0x00 0x00,0x00 0x0c,0x00
$RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
- $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
- $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
- $RPC_data_length = $SMB2_data.Length + $RPC_data.Length + $SRVSVC_data.Length
- $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $RPC_data_length
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $RPC_data_length = $SMB_data.Length + $RPC_data.Length + $SRVSVC_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length
$NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
if($SMB_signing)
{
- $SMB2_sign = $SMB2_header + $SMB2_data + $RPC_data + $SRVSVC_data
- $SMB2_signature = $HMAC_SHA256.ComputeHash($SMB2_sign)
- $SMB2_signature = $SMB2_signature[0..15]
- $packet_SMB2_header["Signature"] = $SMB2_signature
- $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB_sign = $SMB_header + $SMB_data + $RPC_data + $SRVSVC_data
+ $SMB_signature = $HMAC_SHA256.ComputeHash($SMB_sign)
+ $SMB_signature = $SMB_signature[0..15]
+ $packet_SMB_header["Signature"] = $SMB_signature
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
}
- $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $RPC_data + $SRVSVC_data
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
- $SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
- $SMB_client_stage_next = 'ParseSRVSVC'
-
- if([System.BitConverter]::ToString($SMB_client_receive[12..15]) -ne '03-01-00-00')
+ try
{
- $SMB_client_stage = $SMB_client_stage_next
+ $client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data + $SRVSVC_data
+ $client_stream.Write($client_send,0,$client_send.Length) > $null
+ $client_stream.Flush()
+ $client_stream.Read($client_receive,0,$client_receive.Length) > $null
+ $stage_next = 'ParseSRVSVC'
+
+ if([System.BitConverter]::ToString($client_receive[12..15]) -ne '03-01-00-00')
+ {
+ $stage = $stage_next
+ }
+ else
+ {
+ $stage = 'StatusPending'
+ }
+
}
- else
+ catch
{
- $SMB_client_stage = 'StatusPending'
- }
+ Write-Output "[-] Something went wrong"
+ $stage = 'Exit'
+ }
+
}
'CloseRequest'
{
- $SMB2_message_ID++
- $packet_SMB2_header = New-PacketSMB2Header 0x06,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
+ $message_ID++
+ $packet_SMB_header = New-PacketSMB2Header 0x06,0x00 0x01,0x00 $message_ID $process_ID $tree_ID $session_ID
if($SMB_signing)
{
- $packet_SMB2_header["Flags"] = 0x08,0x00,0x00,0x00
+ $packet_SMB_header["Flags"] = 0x08,0x00,0x00,0x00
}
- $packet_SMB2_data = New-PacketSMB2CloseRequest $SMB_file_ID
- $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
- $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
- $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
+ $packet_SMB_data = New-PacketSMB2CloseRequest $file_ID
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length
$NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
if($SMB_signing)
{
- $SMB2_sign = $SMB2_header + $SMB2_data
- $SMB2_signature = $HMAC_SHA256.ComputeHash($SMB2_sign)
- $SMB2_signature = $SMB2_signature[0..15]
- $packet_SMB2_header["Signature"] = $SMB2_signature
- $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB_sign = $SMB_header + $SMB_data
+ $SMB_signature = $HMAC_SHA256.ComputeHash($SMB_sign)
+ $SMB_signature = $SMB_signature[0..15]
+ $packet_SMB_header["Signature"] = $SMB_signature
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
}
- $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
- $SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
-
- if($SAMR_step -eq 2)
+ try
{
- $SMB_client_stage = 'CreateRequest'
+ $client_send = $NetBIOS_session_service + $SMB_header + $SMB_data
+ $client_stream.Write($client_send,0,$client_send.Length) > $null
+ $client_stream.Flush()
+ $client_stream.Read($client_receive,0,$client_receive.Length) > $null
+
+ if($step -eq 1)
+ {
+ $stage = 'CreateRequest'
+ }
+ elseif($action_stage -eq 'Share' -and $share_list.Count -gt 0)
+ {
+ $stage = 'TreeConnect'
+ }
+ else
+ {
+ $stage = 'TreeDisconnect'
+ }
+
}
- else
+ catch
{
- $SMB_client_stage = 'TreeDisconnect'
+ Write-Output "[-] Something went wrong"
+ $stage = 'Exit'
}
}
'TreeDisconnect'
{
- $SMB2_message_ID++
- $packet_SMB2_header = New-PacketSMB2Header 0x04,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
+ $message_ID++
+ $packet_SMB_header = New-PacketSMB2Header 0x04,0x00 0x01,0x00 $message_ID $process_ID $tree_ID $session_ID
if($SMB_signing)
{
- $packet_SMB2_header["Flags"] = 0x08,0x00,0x00,0x00
+ $packet_SMB_header["Flags"] = 0x08,0x00,0x00,0x00
}
- $packet_SMB2_data = New-PacketSMB2TreeDisconnectRequest
- $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
- $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
- $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
+ $packet_SMB_data = New-PacketSMB2TreeDisconnectRequest
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length
$NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
if($SMB_signing)
{
- $SMB2_sign = $SMB2_header + $SMB2_data
- $SMB2_signature = $HMAC_SHA256.ComputeHash($SMB2_sign)
- $SMB2_signature = $SMB2_signature[0..15]
- $packet_SMB2_header["Signature"] = $SMB2_signature
- $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB_sign = $SMB_header + $SMB_data
+ $SMB_signature = $HMAC_SHA256.ComputeHash($SMB_sign)
+ $SMB_signature = $SMB_signature[0..15]
+ $packet_SMB_header["Signature"] = $SMB_signature
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
}
- $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
- $SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
-
- if($inveigh_session -and !$Logoff)
+ try
{
- $SMB_client_stage = 'Exit'
+ $client_send = $NetBIOS_session_service + $SMB_header + $SMB_data
+ $client_stream.Write($client_send,0,$client_send.Length) > $null
+ $client_stream.Flush()
+ $client_stream.Read($client_receive,0,$client_receive.Length) > $null
+
+ if($Action -eq 'All')
+ {
+
+ switch ($action_stage)
+ {
+
+ 'group'
+ {
+ $action_stage = "user"
+ $stage = "treeconnect"
+ $step = 0
+ }
+
+ 'user'
+ {
+ $action_stage = "netsession"
+ $stage = "treeconnect"
+ }
+
+ 'netsession'
+ {
+ $action_stage = "share"
+ $stage = "treeconnect"
+ }
+
+ 'share'
+ {
+
+ if($share_list.Count -gt 0 -and $j -lt $share_list.Count - 1)
+ {
+ $stage = 'TreeConnect'
+ $j++
+ }
+ elseif($share_list.Count -gt 0 -and $j -eq $share_list.Count - 1)
+ {
+ $response_object_list | Sort-Object -property Share |Format-Table -AutoSize
+ $tree_ID = $tree_IPC
+ $stage = 'TreeDisconnect'
+ $j++
+ }
+ else
+ {
+
+ if($inveigh_session -and !$Logoff)
+ {
+ $stage = 'Exit'
+ }
+ else
+ {
+ $stage = 'Logoff'
+ }
+
+ }
+
+ }
+
+ }
+
+ }
+ else
+ {
+
+ if($action_stage -eq 'Share' -and $share_list.Count -gt 0 -and $j -lt $share_list.Count - 1)
+ {
+ $stage = 'TreeConnect'
+ $j++
+ }
+ elseif($action_stage -eq 'Share' -and $share_list.Count -gt 0 -and $j -eq $share_list.Count - 1)
+ {
+ $response_object_list | Sort-Object -property Share |Format-Table -AutoSize
+ $tree_ID = $tree_IPC
+ $stage = 'TreeDisconnect'
+ $j++
+ }
+ else
+ {
+
+ if($inveigh_session -and !$Logoff)
+ {
+ $stage = 'Exit'
+ }
+ else
+ {
+ $stage = 'Logoff'
+ }
+
+ }
+
+ }
+
}
- else
+ catch
{
- $SMB_client_stage = 'Logoff'
+ Write-Output "[-] Something went wrong"
+ $stage = 'Exit'
}
}
'Logoff'
{
- $SMB2_message_ID++
- $packet_SMB2_header = New-PacketSMB2Header 0x02,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
+ $message_ID++
+ $packet_SMB_header = New-PacketSMB2Header 0x02,0x00 0x01,0x00 $message_ID $process_ID $tree_ID $session_ID
if($SMB_signing)
{
- $packet_SMB2_header["Flags"] = 0x08,0x00,0x00,0x00
+ $packet_SMB_header["Flags"] = 0x08,0x00,0x00,0x00
}
- $packet_SMB2_data = New-PacketSMB2SessionLogoffRequest
- $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
- $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
- $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
+ $packet_SMB_data = New-PacketSMB2SessionLogoffRequest
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length
$NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
if($SMB_signing)
{
- $SMB2_sign = $SMB2_header + $SMB2_data
- $SMB2_signature = $HMAC_SHA256.ComputeHash($SMB2_sign)
- $SMB2_signature = $SMB2_signature[0..15]
- $packet_SMB2_header["Signature"] = $SMB2_signature
- $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB_sign = $SMB_header + $SMB_data
+ $SMB_signature = $HMAC_SHA256.ComputeHash($SMB_sign)
+ $SMB_signature = $SMB_signature[0..15]
+ $packet_SMB_header["Signature"] = $SMB_signature
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
}
- $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
- $SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
- $SMB_client_stage = 'Exit'
+ try
+ {
+ $client_send = $NetBIOS_session_service + $SMB_header + $SMB_data
+ $client_stream.Write($client_send,0,$client_send.Length) > $null
+ $client_stream.Flush()
+ $client_stream.Read($client_receive,0,$client_receive.Length) > $null
+ }
+ catch
+ {
+ Write-Output "[-] Something went wrong"
+ }
+
+ $stage = 'Exit'
}
}
-
- if($SMBExec_failed)
- {
- BREAK SMB_execute_loop
- }
}
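Review bot: The `catch` blocks added to the CloseRequest, TreeDisconnect and Logoff stages (and the NetSessEnum one earlier in this hunk) discard the caught exception, so a reset connection, a read timeout and a signing-related failure all surface as the identical `[-] Something went wrong` line with no way to tell them apart from the output; `Write-Output "[-] Something went wrong: $($_.Exception.Message)"` keeps the behaviour and preserves the diagnostic. On the same lines, only the Logoff catch leaves `$stage` unchanged — that is fine because `$stage = 'Exit'` follows unconditionally, but a short `# Logoff failure is not fatal; exit regardless` comment would stop the next reader from treating it as an omission. As a point of style, the `'share'` case inside `switch ($action_stage)` and the `else` branch below it carry the same three-way `$j` / `$share_list.Count` logic verbatim, and the new transitions assign lowercase stage names (`"treeconnect"`, `"user"`) where the rest of the file uses `'TreeConnect'` and `'Share'`; both work only because PowerShell's `switch` and `-eq` are case-insensitive, so consolidating the duplicated branch and matching the existing casing would make the state machine easier to follow. The enclosing `while`/`switch ($stage)` loop starts outside this hunk.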
@@ -2115,14 +3208,14 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
if($inveigh_session -and $Inveigh)
{
$inveigh.session_lock_table[$session] = 'open'
- $inveigh.session_message_ID_table[$session] = $SMB2_message_ID
+ $inveigh.session_message_ID_table[$session] = $message_ID
$inveigh.session_list[$session] | Where-Object {$_."Last Activity" = Get-Date -format s}
}
if(!$inveigh_session -or $Logoff)
{
- $SMB_client.Close()
- $SMB_client_stream.Close()
+ $client.Close()
+ $client_stream.Close()
}
}