New relay servers, fix error with SMB

examples/ntlmrelayx.py

@@ -50,10 +50,16 @@
 import json
 from time import sleep
 from threading import Thread
+from pathlib import Path
 
 from impacket import version
 from impacket.examples import logger
-from impacket.examples.ntlmrelayx.servers import SMBRelayServer, HTTPRelayServer, WCFRelayServer, RAWRelayServer, RPCRelayServer, WinRMRelayServer, WinRMSRelayServer, MSSQLRelayServer, RDPRelayServer 
+from impacket.examples.ntlmrelayx.servers import (SMBRelayServer, HTTPRelayServer,
+                                                  WCFRelayServer, RAWRelayServer,
+                                                  RPCRelayServer, WinRMRelayServer,
+                                                  WinRMSRelayServer, MSSQLRelayServer,
+                                                  RDPRelayServer, SMTPRelayServer,
+                                                  IMAPRelayServer, POP3RelayServer) 
 from impacket.examples.ntlmrelayx.utils.config import NTLMRelayxConfig, parse_listening_ports
 from impacket.examples.ntlmrelayx.utils.targetsutils import TargetsProcessor, TargetsFileWatcher
 from impacket.examples.ntlmrelayx.servers.socksserver import SOCKS
@@ -253,6 +259,21 @@ def start_servers(options, threads):
                 c.setMSSQLDb(options.mssql_db)
         elif server is RDPRelayServer:
             c.setListeningPort(options.rdp_port)
+        elif server is SMTPRelayServer:
+            c.setListeningPort(options.smtp_port)
+            if options.smtp_server_cert and options.smtp_server_key:
+                c.set_smtp_server_cert(options.smtp_server_cert)
+                c.set_smtp_server_key(options.smtp_server_key)
+        elif server is IMAPRelayServer:
+            c.setListeningPort(options.imap_port)
+            if options.imap_server_cert and options.imap_server_key:
+                c.set_imap_server_cert(options.imap_server_cert)
+                c.set_imap_server_key(options.imap_server_key)
+        elif server is POP3RelayServer:
+            c.setListeningPort(options.pop3_port)
+            if options.pop3_server_cert and options.pop3_server_key:
+                c.set_pop3_server_cert(options.pop3_server_cert)
+                c.set_pop3_server_key(options.pop3_server_key)
 
         s = server(c)
         s.start()
@@ -308,6 +329,9 @@ def stop_servers(threads):
     serversoptions.add_argument('--no-winrm-server', action='store_true', help='Disables the WinRM server')
     serversoptions.add_argument('--no-mssql-server', action='store_true', help='Disables the MSSQL server')
     serversoptions.add_argument('--no-rdp-server', action='store_true', help='Disables the RDP server')
+    serversoptions.add_argument('--no-smtp-server', action='store_true', help="Disables the SMTP server")
+    serversoptions.add_argument('--no-imap-server', action='store_true', help="Disables the IMAP server")
+    serversoptions.add_argument('--no-pop3-server', action='store_true', help="Disables the POP3 server")
 
     parser.add_argument('--smb-port', type=int, help='Port to listen on smb server', default=445)
     parser.add_argument('--http-port', help='Port(s) to listen on HTTP server. Can specify multiple ports by separating them with `,`, and ranges with `-`. Ex: `80,8000-8010`', default="80")
@@ -316,6 +340,9 @@ def stop_servers(threads):
     parser.add_argument('--rpc-port', type=int, help='Port to listen on rpc server', default=135)
     parser.add_argument('--mssql-port', type=int, help='Port to listen on mssql server', default=1433)
     parser.add_argument('--rdp-port', type=int, help='Port to listen on rdp server', default=3389)
+    parser.add_argument('--smtp-port', type=int, help='Port to listen on smtp server', default=25)
+    parser.add_argument('--imap-port', type=int, help='Port to listen on imap server', default=143)
+    parser.add_argument('--pop3-port', type=int, help='Port to listen on pop3 server', default=110)
 
     parser.add_argument('--no-multirelay', action="store_true", required=False, help='If set, disable multi-host relay (SMB and HTTP servers)')
     parser.add_argument('--keep-relaying', action="store_true", required=False, help='If set, keeps relaying to a target even after a successful connection on it')
@@ -443,6 +470,14 @@ def stop_servers(threads):
     sccmdpoptions.add_argument('--sccm-dp-extensions', action='store', required=False, help='A custom list of extensions to look for when downloading files from the SCCM Distribution Point. If not provided, defaults to .ps1,.bat,.xml,.txt,.pfx')
     sccmdpoptions.add_argument('--sccm-dp-files', action='store', required=False, help='The path to a file containing a list of specific URLs to download from the Distribution Point, instead of downloading by extensions. Providing this argument will skip file indexing')
 
+    # MAIL options
+    mailoptions = parser.add_argument_group("MAIL Servers options")
+    mailoptions.add_argument('--smtp-server-cert', required=False, type=Path, help="Path to SMTP Server certificate (in PEM format)")
+    mailoptions.add_argument('--smtp-server-key', required=False, type=Path, help="Path to SMTP Server private key (in PEM format)")
+    mailoptions.add_argument('--imap-server-cert', required=False, type=Path, help="Path to IMAP Server certificate (in PEM format)")
+    mailoptions.add_argument('--imap-server-key', required=False, type=Path, help="Path to IMAP Server private key (in PEM format)")
+    mailoptions.add_argument('--pop3-server-cert', required=False, type=Path, help="Path to POP3 Server certificate (in PEM format)")
+    mailoptions.add_argument('--pop3-server-key', required=False, type=Path, help="Path to POP3 Server private key (in PEM format)")
     try:
        options = parser.parse_args()
     except Exception as e:
@@ -536,6 +571,16 @@ def stop_servers(threads):
 
     if not options.no_rdp_server:
         RELAY_SERVERS.append(RDPRelayServer)
+
+    if not options.no_smtp_server:
+        RELAY_SERVERS.append(SMTPRelayServer)
+
+    if not options.no_imap_server:
+        RELAY_SERVERS.append(IMAPRelayServer)
+
+    if not options.no_pop3_server:
+        RELAY_SERVERS.append(POP3RelayServer)
+
 
     if targetSystem is not None and options.w:
         watchthread = TargetsFileWatcher(targetSystem)

impacket/examples/ntlmrelayx/clients/smbrelayclient.py

@@ -431,6 +431,7 @@ def sendStandardSecurityAuth(self, sessionSetupData):
         flags2 = v1client.get_flags()[1]
         v1client.set_flags(flags2=flags2 & (~SMB.FLAGS2_EXTENDED_SECURITY))
         if sessionSetupData['Account'] != '':
+            LOG.debug("(SMB) sessionnSetupData Account is not empty. Send them to server")
             smb = NewSMBPacket()
             smb['Flags1'] = 8
 
@@ -440,7 +441,7 @@ def sendStandardSecurityAuth(self, sessionSetupData):
 
             sessionSetup['Parameters']['MaxBuffer'] = 65535
             sessionSetup['Parameters']['MaxMpxCount'] = 2
-            sessionSetup['Parameters']['VCNumber'] = os.getpid()
+            sessionSetup['Parameters']['VCNumber'] = os.getpid() & 0xFFFF
             sessionSetup['Parameters']['SessionKey'] = v1client._dialects_parameters['SessionKey']
             sessionSetup['Parameters']['AnsiPwdLength'] = len(sessionSetupData['AnsiPwd'])
             sessionSetup['Parameters']['UnicodePwdLength'] = len(sessionSetupData['UnicodePwd'])
@@ -466,6 +467,7 @@ def sendStandardSecurityAuth(self, sessionSetupData):
                 return smb, STATUS_SUCCESS
         else:
             # Anonymous login, send STATUS_ACCESS_DENIED so we force the client to send his credentials
+            LOG.debug("(SMB1) Anonymous login, send STATUS_ACCESS_DENIED")
             clientResponse = None
             errorCode = STATUS_ACCESS_DENIED
 

impacket/examples/ntlmrelayx/servers/__init__.py

@@ -17,3 +17,6 @@
 from impacket.examples.ntlmrelayx.servers.winrmsrelayserver import WinRMSRelayServer
 from impacket.examples.ntlmrelayx.servers.rdprelayserver import RDPRelayServer
 from impacket.examples.ntlmrelayx.servers.mssqlrelayserver import MSSQLRelayServer
+from impacket.examples.ntlmrelayx.servers.smtprelayserver import SMTPRelayServer
+from impacket.examples.ntlmrelayx.servers.imaprelayserver import IMAPRelayServer
+from impacket.examples.ntlmrelayx.servers.pop3relayserver import POP3RelayServer