SMBServer & NTLMRelayx with IPv6 support

examples/ntlmrelayx.py

@@ -290,7 +290,7 @@ def stop_servers(threads):
 
     # Interface address specification
     parser.add_argument('-ip','--interface-ip', action='store', metavar='INTERFACE_IP', help='IP address of interface to '
-                  'bind SMB and HTTP servers',default='')
+                  'bind relay servers ("0.0.0.0" or "::" if omitted)',default=argparse.SUPPRESS)
 
     serversoptions = parser.add_argument_group()
     serversoptions.add_argument('--no-smb-server', action='store_true', help='Disables the SMB server')
@@ -331,7 +331,7 @@ def stop_servers(threads):
                                                                    'setting the proxy host to the one supplied.')
     parser.add_argument('-wa','--wpad-auth-num', action='store', type=int, default=1, help='Prompt for authentication N times for clients without MS16-077 installed '
                                                                    'before serving a WPAD file. (default=1)')
-    parser.add_argument('-6','--ipv6', action='store_true',help='Listen on both IPv6 and IPv4')
+    parser.add_argument('-6','--ipv6', action='store_true',help='Listen on IPv6')
     parser.add_argument('--remove-mic', action='store_true',help='Remove MIC (exploit CVE-2019-1040)')
     parser.add_argument('--serve-image', action='store',help='local path of the image that will we returned to clients')
     parser.add_argument('-c', action='store', type=str, required=False, metavar = 'COMMAND', help='Command to execute on '
@@ -529,6 +529,9 @@ def stop_servers(threads):
         socks_thread.start()
         threads.add(socks_thread)
 
+    if 'interface_ip' not in options:
+        options.interface_ip = '::' if options.ipv6 else '0.0.0.0'
+
     c = start_servers(options, threads)
 
     # Log multirelay flag status

examples/smbserver.py

@@ -42,8 +42,9 @@
     parser.add_argument('-hashes', action="store", metavar = "LMHASH:NTHASH", help='NTLM hashes for the Username, format is LMHASH:NTHASH')
     parser.add_argument('-ts', action='store_true', help='Adds timestamp to every logging output')
     parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')
-    parser.add_argument('-ip', '--interface-address', action='store', default='0.0.0.0', help='ip address of listening interface')
+    parser.add_argument('-ip', '--interface-address', action='store', default=argparse.SUPPRESS, help='ip address of listening interface ("0.0.0.0" or "::" if omitted)')
     parser.add_argument('-port', action='store', default='445', help='TCP port for listening incoming connections (default 445)')
+    parser.add_argument('-6','--ipv6', action='store_true',help='Listen on IPv6')
     parser.add_argument('-smb2support', action='store_true', default=False, help='SMB2 Support (experimental!)')
     parser.add_argument('-outputfile', action='store', default=None, help='Output file to log smbserver output messages')
 
@@ -64,7 +65,10 @@
     else:
         comment = options.comment
 
-    server = smbserver.SimpleSMBServer(listenAddress=options.interface_address, listenPort=int(options.port))
+    if 'interface_address' not in options:
+        options.interface_address = '::' if options.ipv6 else '0.0.0.0'
+
+    server = smbserver.SimpleSMBServer(listenAddress=options.interface_address, listenPort=int(options.port), ipv6=options.ipv6)
 
     if options.outputfile:
         logging.info('Switching output to file %s' % options.outputfile)

impacket/examples/ntlmrelayx/servers/httprelayserver.py

@@ -42,9 +42,13 @@ def __init__(self, server_address, RequestHandlerClass, config):
             self.daemon_threads = True
             if self.config.ipv6:
                 self.address_family = socket.AF_INET6
+                # scope_id (after %) can be present or not - if not, default: 0
+                ip_parts = server_address[0].split('%')
+                scope_id = int(ip_parts[1]) if len(ip_parts) == 2 else 0
+                server_address = server_address + (0, scope_id)
             # Tracks the number of times authentication was prompted for WPAD per client
             self.wpad_counters = {}
-            socketserver.TCPServer.__init__(self,server_address, RequestHandlerClass)
+            socketserver.TCPServer.__init__(self, server_address, RequestHandlerClass)
 
     class HTTPHandler(http.server.SimpleHTTPRequestHandler):
         def __init__(self,request, client_address, server):

impacket/examples/ntlmrelayx/servers/rawrelayserver.py

@@ -43,9 +43,12 @@ class RAWServer(socketserver.ThreadingMixIn, socketserver.TCPServer):
         def __init__(self, server_address, RequestHandlerClass, config):
             self.config = config
             self.daemon_threads = True
-            #if self.config.ipv6:
-            #    self.address_family = socket.AF_INET6
-
+            if self.config.ipv6:
+                self.address_family = socket.AF_INET6
+                # scope_id (after %) can be present or not - if not, default: 0
+                ip_parts = server_address[0].split('%')
+                scope_id = int(ip_parts[1]) if len(ip_parts) == 2 else 0
+                server_address = server_address + (0, scope_id)
             socketserver.TCPServer.__init__(self, server_address, RequestHandlerClass)
 
     class RAWHandler(socketserver.BaseRequestHandler):

impacket/examples/ntlmrelayx/servers/rpcrelayserver.py

@@ -37,6 +37,10 @@ def __init__(self, server_address, RequestHandlerClass, config):
             self.daemon_threads = True
             if self.config.ipv6:
                 self.address_family = socket.AF_INET6
+                # scope_id (after %) can be present or not - if not, default: 0
+                ip_parts = server_address[0].split('%')
+                scope_id = int(ip_parts[1]) if len(ip_parts) == 2 else 0
+                server_address = server_address + (0, scope_id)
             socketserver.TCPServer.allow_reuse_address = True
             socketserver.TCPServer.__init__(self, server_address, RequestHandlerClass)
 

impacket/examples/ntlmrelayx/servers/smbrelayserver.py

@@ -106,17 +106,13 @@ def __init__(self,config):
         smbConfig.set('IPC$','share type','3')
         smbConfig.set('IPC$','path','')
 
-        # Change address_family to IPv6 if this is configured
-        if self.config.ipv6:
-            SMBSERVER.address_family = socket.AF_INET6
-
         # changed to dereference configuration interfaceIp
         if self.config.listeningPort:
             smbport = self.config.listeningPort
         else:
             smbport = 445
 
-        self.server = SMBSERVER((config.interfaceIp,smbport), config_parser = smbConfig)
+        self.server = SMBSERVER((config.interfaceIp,smbport), config_parser=smbConfig, ipv6=self.config.ipv6)
         if not self.config.disableMulti:
             self.server.setAuthCallback(auth_callback)
         logging.getLogger('impacket.smbserver').setLevel(logging.CRITICAL)

impacket/examples/ntlmrelayx/servers/wcfrelayserver.py

@@ -52,6 +52,10 @@ def __init__(self, server_address, request_handler_class, config):
             self.daemon_threads = True
             if self.config.ipv6:
                 self.address_family = socket.AF_INET6
+                # scope_id (after %) can be present or not - if not, default: 0
+                ip_parts = server_address[0].split('%')
+                scope_id = int(ip_parts[1]) if len(ip_parts) == 2 else 0
+                server_address = server_address + (0, scope_id)
             self.wpad_counters = {}
             socketserver.TCPServer.__init__(self, server_address, request_handler_class)
 

impacket/smbserver.py

@@ -3987,7 +3987,14 @@ def finish(self):
 
 class SMBSERVER(socketserver.ThreadingMixIn, socketserver.TCPServer):
     # class SMBSERVER(socketserver.ForkingMixIn, socketserver.TCPServer):
-    def __init__(self, server_address, handler_class=SMBSERVERHandler, config_parser=None):
+    def __init__(self, server_address, handler_class=SMBSERVERHandler, config_parser=None, ipv6=False):
+        if ipv6:
+            self.address_family = socket.AF_INET6
+            # scope_id (after %) can be present or not - if not, default: 0
+            ip_parts = server_address[0].split('%')
+            scope_id = ip_parts[1] if len(ip_parts) == 2 else 0
+            server_address = server_address + (0, scope_id)
+
         socketserver.TCPServer.allow_reuse_address = True
         socketserver.TCPServer.__init__(self, server_address, handler_class)
 
@@ -4871,10 +4878,9 @@ class SimpleSMBServer:
     :param string configFile: a file with all the servers' configuration. If no file specified, this class will create the basic parameters needed to run. You will need to add your shares manually tho. See addShare() method
     """
 
-    def __init__(self, listenAddress='0.0.0.0', listenPort=445, configFile='', smbserverclass=SMBSERVER):
+    def __init__(self, listenAddress='0.0.0.0', listenPort=445, configFile='', smbserverclass=SMBSERVER, ipv6=False):
         if configFile != '':
-            #self.__server = SMBSERVER((listenAddress, listenPort))
-            self.__server = smbserverclass((listenAddress, listenPort))
+            self.__server = smbserverclass((listenAddress, listenPort), ipv6=ipv6)
             self.__server.processConfigFile(configFile)
             self.__smbConfig = None
         else:
@@ -4899,7 +4905,7 @@ def __init__(self, listenAddress='0.0.0.0', listenPort=445, configFile='', smbse
             self.__smbConfig.set('IPC$', 'read only', 'yes')
             self.__smbConfig.set('IPC$', 'share type', '3')
             self.__smbConfig.set('IPC$', 'path', '')
-            self.__server = smbserverclass((listenAddress, listenPort), config_parser=self.__smbConfig)
+            self.__server = smbserverclass((listenAddress, listenPort), config_parser=self.__smbConfig, ipv6=ipv6)
             self.__server.processConfigFile()
 
         # Now we have to register the MS-SRVS server. This specially important for