Adding IPv6 support to NTLMRelayX (should update after #2023 - utils.get_address() -)

Author: gabrielg5

examples/ntlmrelayx.py

@@ -290,7 +290,7 @@ def stop_servers(threads):
 
     # Interface address specification
     parser.add_argument('-ip','--interface-ip', action='store', metavar='INTERFACE_IP', help='IP address of interface to '
-                  'bind SMB and HTTP servers',default='')
+                  'bind relay servers ("0.0.0.0" or "::" if omitted)',default=argparse.SUPPRESS)
 
     serversoptions = parser.add_argument_group()
     serversoptions.add_argument('--no-smb-server', action='store_true', help='Disables the SMB server')
@@ -331,7 +331,7 @@ def stop_servers(threads):
                                                                    'setting the proxy host to the one supplied.')
     parser.add_argument('-wa','--wpad-auth-num', action='store', type=int, default=1, help='Prompt for authentication N times for clients without MS16-077 installed '
                                                                    'before serving a WPAD file. (default=1)')
-    parser.add_argument('-6','--ipv6', action='store_true',help='Listen on both IPv6 and IPv4')
+    parser.add_argument('-6','--ipv6', action='store_true',help='Listen on IPv6')
     parser.add_argument('--remove-mic', action='store_true',help='Remove MIC (exploit CVE-2019-1040)')
     parser.add_argument('--serve-image', action='store',help='local path of the image that will we returned to clients')
     parser.add_argument('-c', action='store', type=str, required=False, metavar = 'COMMAND', help='Command to execute on '
@@ -529,6 +529,9 @@ def stop_servers(threads):
         socks_thread.start()
         threads.add(socks_thread)
 
+    if 'interface_ip' not in options:
+        options.interface_ip = '::' if options.ipv6 else '0.0.0.0'
+
     c = start_servers(options, threads)
 
     # Log multirelay flag status

impacket/examples/ntlmrelayx/servers/httprelayserver.py

@@ -42,9 +42,13 @@ def __init__(self, server_address, RequestHandlerClass, config):
             self.daemon_threads = True
             if self.config.ipv6:
                 self.address_family = socket.AF_INET6
+                # scope_id (after %) can be present or not - if not, default: 0
+                ip_parts = server_address[0].split('%')
+                scope_id = int(ip_parts[1]) if len(ip_parts) == 2 else 0
+                server_address = server_address + (0, scope_id)
             # Tracks the number of times authentication was prompted for WPAD per client
             self.wpad_counters = {}
-            socketserver.TCPServer.__init__(self,server_address, RequestHandlerClass)
+            socketserver.TCPServer.__init__(self, server_address, RequestHandlerClass)
 
     class HTTPHandler(http.server.SimpleHTTPRequestHandler):
         def __init__(self,request, client_address, server):

impacket/examples/ntlmrelayx/servers/rawrelayserver.py

@@ -43,9 +43,12 @@ class RAWServer(socketserver.ThreadingMixIn, socketserver.TCPServer):
         def __init__(self, server_address, RequestHandlerClass, config):
             self.config = config
             self.daemon_threads = True
-            #if self.config.ipv6:
-            #    self.address_family = socket.AF_INET6
-
+            if self.config.ipv6:
+                self.address_family = socket.AF_INET6
+                # scope_id (after %) can be present or not - if not, default: 0
+                ip_parts = server_address[0].split('%')
+                scope_id = int(ip_parts[1]) if len(ip_parts) == 2 else 0
+                server_address = server_address + (0, scope_id)
             socketserver.TCPServer.__init__(self, server_address, RequestHandlerClass)
 
     class RAWHandler(socketserver.BaseRequestHandler):

impacket/examples/ntlmrelayx/servers/rpcrelayserver.py

@@ -37,6 +37,10 @@ def __init__(self, server_address, RequestHandlerClass, config):
             self.daemon_threads = True
             if self.config.ipv6:
                 self.address_family = socket.AF_INET6
+                # scope_id (after %) can be present or not - if not, default: 0
+                ip_parts = server_address[0].split('%')
+                scope_id = int(ip_parts[1]) if len(ip_parts) == 2 else 0
+                server_address = server_address + (0, scope_id)
             socketserver.TCPServer.allow_reuse_address = True
             socketserver.TCPServer.__init__(self, server_address, RequestHandlerClass)
 

impacket/examples/ntlmrelayx/servers/smbrelayserver.py

@@ -106,17 +106,13 @@ def __init__(self,config):
         smbConfig.set('IPC$','share type','3')
         smbConfig.set('IPC$','path','')
 
-        # Change address_family to IPv6 if this is configured
-        if self.config.ipv6:
-            SMBSERVER.address_family = socket.AF_INET6
-
         # changed to dereference configuration interfaceIp
         if self.config.listeningPort:
             smbport = self.config.listeningPort
         else:
             smbport = 445
 
-        self.server = SMBSERVER((config.interfaceIp,smbport), config_parser = smbConfig)
+        self.server = SMBSERVER((config.interfaceIp,smbport), config_parser=smbConfig, ipv6=self.config.ipv6)
         if not self.config.disableMulti:
             self.server.setAuthCallback(auth_callback)
         logging.getLogger('impacket.smbserver').setLevel(logging.CRITICAL)

impacket/examples/ntlmrelayx/servers/wcfrelayserver.py

@@ -52,6 +52,10 @@ def __init__(self, server_address, request_handler_class, config):
             self.daemon_threads = True
             if self.config.ipv6:
                 self.address_family = socket.AF_INET6
+                # scope_id (after %) can be present or not - if not, default: 0
+                ip_parts = server_address[0].split('%')
+                scope_id = int(ip_parts[1]) if len(ip_parts) == 2 else 0
+                server_address = server_address + (0, scope_id)
             self.wpad_counters = {}
             socketserver.TCPServer.__init__(self, server_address, request_handler_class)