[DEV] Mailslot-Ping: NETLOGON and Browser poisoner additions #34

Open
MatrixEditor wants to merge 5 commits into master from feat/mailslot-ping
@MatrixEditor
Owner

Added NETLOGON Mailslot Ping support in netbios.py to the Browser protocol poisoner following MS-ADTS Section 6.3.5 specification. This protocol can be leveraged to further mimic the behavior of a domain controller.

Client                                  Server (DC)
  |                                         |
  |  NETLOGON_SAM_LOGON_REQUEST             |
  |  (via \\MAILSLOT\\NET\\NETLOGON)        |
  |  - Computer name                        |
  |  - User name (optional)                 |
  |  - Domain SID (optional)                |
  |  - NtVersion flags                      |
  |---------------------------------------->|
  |                                         |
  |  (Server validates request)             |
  |  - Check domain SID match               |
  |  - Verify user existence                |
  |  - Check PDC role (if PDC query)        |
  |                                         |
  |  NETLOGON_SAM_LOGON_RESPONSE_*          |
  |  (format depends on NtVersion)          |
  |<----------------------------------------|
  |                                         |

Changes:

  • Add netlogon.py protocol module to build NETLOGON responses ([MS-ADTS])
  • Add mailslot.py protocol module to build SMBMailslot_Write transactions ([MS-MAIL])

Merging is blocked by secdev/scapy#4952, because scapy parses NETLOGON_LOGON_QUERY incorrectly.
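
A defender-side check for the exchange described in the pull request description above, as an added example that is not part of the pull request or the project's code: it reads the opcode (and, for the non-EX SAM responses, the leading UnicodeLogonServer field) from a NETLOGON mailslot payload and flags responses that do not come from an inventoried domain controller. The inventory, the function names and the sample payloads are constructed for illustration; the samples are truncated to the fields the check reads.

```python
import struct

# Response opcodes defined in [MS-ADTS] that this check covers.
RESPONSE_OPCODES = {12: "LOGON_PRIMARY_RESPONSE", 19: "LOGON_SAM_LOGON_RESPONSE",
                    21: "LOGON_SAM_USER_UNKNOWN", 23: "LOGON_SAM_LOGON_RESPONSE_EX",
                    25: "LOGON_SAM_USER_UNKNOWN_EX"}
# Opcodes whose body starts with a null-terminated UTF-16LE UnicodeLogonServer.
NAMED_OPCODES = {19, 21}
# Hypothetical inventory of legitimate domain controllers (IP -> NetBIOS name).
KNOWN_DCS = {"10.0.0.10": "DC01"}


def read_utf16z(buf, off):
    """Read a null-terminated UTF-16LE string starting at byte offset off."""
    end = off
    while end + 1 < len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[off:end].decode("utf-16-le", errors="replace")


def check_response(src_ip, payload, known_dcs=KNOWN_DCS):
    """Return an alert string for a suspicious mailslot response, else None."""
    if len(payload) < 2:
        return None
    (opcode,) = struct.unpack_from("<H", payload, 0)
    name = RESPONSE_OPCODES.get(opcode)
    if name is None:
        return None  # a request, or an opcode this check does not cover
    if src_ip not in known_dcs:
        return f"{name} from non-DC host {src_ip}"
    if opcode in NAMED_OPCODES:
        server = read_utf16z(payload, 2).lstrip("\\").upper()
        if server != known_dcs[src_ip].upper():
            return f"{name} from {src_ip} claims to be {server!r}"
    return None


def sam_response(opcode, server):
    """Constructed, truncated sample: opcode plus logon server name only."""
    return struct.pack("<H", opcode) + (server + "\x00").encode("utf-16-le")


SAMPLES = [  # constructed observations: (source IP, mailslot payload)
    ("10.0.0.10", sam_response(19, "\\\\DC01")),     # real DC, consistent name
    ("10.0.0.66", sam_response(19, "\\\\DC01")),     # unknown host answering
    ("10.0.0.10", sam_response(19, "\\\\FILESRV")),  # name/IP mismatch
    ("10.0.0.23", struct.pack("<H", 18) + b"\x00\x00"),  # a client request
]
ALERTS = [a for a in (check_response(ip, p) for ip, p in SAMPLES) if a]
```
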

…tures [MS-ADTS]

- build_response: create a NETLOGON response for NETLOGON_SAM_LOGON_REQUEST or NETLOGON_LOGON_QUERY
Public API:
- mailslot_write: build a mailslot datagram and convert it to raw bytes
- Current implementation does not work completely out of the box due to scapy issues
- remove domain_guid from netlogon response
@MatrixEditor MatrixEditor self-assigned this Mar 22, 2026
@MatrixEditor MatrixEditor added labels Mar 22, 2026: New Protocol (Issue or Pull Request describing a new protocol); Dependencies (Pull requests / Issues related to dependency updates); Type - Enhancement; Protocol: LLMNR/mDNS/NetBIOS (Errors/Features related to the LLMNR/mDNS/NetBIOS poisoner)
@MatrixEditor MatrixEditor changed the title [DEV[ Mailslot-Ping: NETLOGON and Browser poisoner additions [DEV] Mailslot-Ping: NETLOGON and Browser poisoner additions Mar 22, 2026
- netlogon(NETLOGON_PRIMARY_RESPONSE): Add padding to "UnicodePrimaryDCName" as per [MS-ADTS] § 6.3.1.5
- Add example definitions to Dementor.toml