shadowbrokers-exploits/windows/Resources/Ep/Commands/CommandLine/PidGuesser_Command.xml

<?xml version='1.0' ?>

<Plugin id='31394'>

 <Command id='16' name='PidGuesser'>

  <Help>guesses ipid values for EnergyVampire</Help>

  <Input optionprefix='-'>

   <Option name='ip' optional='false'>
    <Argument name='addr' data='ip' optional='false' />
    <Help>target machine</Help>
   </Option>

   <Option name='protocol' optional='false'>
    <Argument name='type' optional='false'>
     <Value string='rpc_nbt'>
	<Set data='protocoltype' value='1' />
     </Value>
     <Value string='rpc_smb'>
	<Set data='protocoltype' value='2' />
     </Value>
    </Argument>
    <Help>protocol type</Help>
   </Option>

   <Option name='redirectionport' optional='true'>
    <Argument name='port' data='redirectionport' optional='false' />
    <Help>port for redirector</Help>
   </Option>

   <Option name='packetlimit' optional='true'>
    <Argument name='number' optional='true' >
	<Value string='unlimited'>
	  <Set data='packetnumber' value='2147483647' />
	  <Set data='refIndexMaxOffset' value='16' />
	</Value>
	<Value string='40000'>
	  <Set data='packetnumber' value='40000' />
	  <Set data='refIndexMaxOffset' value='16' />
	</Value>
	<Value string='20000'>
	  <Set data='packetnumber' value='20000' />
	  <Set data='refIndexMaxOffset' value='16' />
	</Value>
	<Value string='15000'>
	  <Set data='packetnumber' value='15000' />
	  <Set data='refIndexMaxOffset' value='16' />
	</Value>
	<Value string='13000'>
	  <Set data='packetnumber' value='13000' />
	  <Set data='refIndexMaxOffset' value='13' />
	</Value>
	<Value string='5500'>
	  <Set data='packetnumber' value='5500' />
	  <Set data='refIndexMaxOffset' value='5' />
	</Value>
	<Value string='4000'>
	  <Set data='packetnumber' value='4000' />
	  <Set data='refIndexMaxOffset' value='4' />
	</Value>
		
    </Argument>
    <Help>Maximum number of packets to send [DEFAULT: unlimited]</Help>
    <Help>unlimited packets,     100% success rate</Help>
    <Help>40000     packets,     95% success rate</Help>
    <Help>20000     packets,     90% success rate</Help>
    <Help>15000     packets,     85% success rate</Help>
    <Help>13000     packets,     80% success rate</Help>
    <Help>5500      packets,     70% success rate</Help>
    <Help>4000      packets,     60% success rate</Help>
   </Option>


   <Option name='rpcip' optional='true'>
    <Argument name='addr' data='rpcip' optional='false' />
    <Help>RPC Server IP Address> (if different than Socket IP Address)</Help>
   </Option>


   <Option name='rpcendpoint' optional='true'>
    <Argument name='endpoint' data='rpcendpoint' optional='false' />
    <Help>RPC Endpoint [DEFAULT: \pipe\browser]</Help>
   </Option>


   <Option name='destNetbiosName' optional='true'>
    <Argument name='dNetName' data='destNetbiosName' optional='false' />
    <Help>Destination NETBIOS Name (15 characters or less)</Help>
    <Help>[DEFAULT: *SMBSERVER]</Help>
   </Option>


   <Option name='srcNetbiosName' optional='true'>
    <Argument name='sNetName' data='srcNetbiosName' optional='false' />
    <Help>Source NETBIOS Name (15 characters or less)</Help>
    <Help>[DEFAULT: *SMBCLIENT]</Help>
   </Option>


   <Option name='timeout' optional='true'>
    <Argument name='timevalue' data='timeout' optional='false' />
    <Help>Time in seconds to wait for reply [DEFAULT: 30 sec]</Help>
   </Option>



   

  </Input>

  <Output>
	<Data name='ip' type='ipv4addr'/>
	<Data name='protocoltype' type='uint8_t' />
   	<Data name='redirectionport' type='uint32_t'/>
   	<Data name='rpcip' type='ipv4addr'/>
   	<Data name='packetnumber' type='uint32_t' default='2147483647' />
   	<Data name='refIndexMaxOffset' type='uint32_t' default='16' />
   	<Data name='rpcendpoint' type='string' default='\pipe\browser'/>
	<Data name='destNetbiosName' type='string' default='*SMBSERVER'/>
	<Data name='srcNetbiosName' type='string' default='*SMBCLIENT'/>
	<Data name='timeout' type='uint32_t' default='30'/>
  </Output>

 </Command>

</Plugin>