def do_smb_connect_share(self, target, user, password, share):
    """Log in to *target* over SMB and attach to one of its shares.

    The session object is kept on ``self.remote`` and the value returned by
    the tree connect is kept on ``self.tid``. Nothing is returned, and no
    exception raised by the ``smb`` module is handled here.
    """
    self.remote = smb.SMB("*SMBSERVER", target)
    # Third positional argument is passed straight through to login();
    # presumably the domain/workstation name -- confirm against smb.SMB.login.
    self.remote.login(user, password, "LOCALHOST")

    # UNC path of the share, with host and share name upper-cased.
    unc_path = "".join(("\\\\", target.upper(), "\\", share.upper()))

    # NOTE(review): _SMB__connect_tree is the name-mangled form of a private
    # method of smb.SMB; this call depends on library internals and can break
    # when the smb module is upgraded.
    self.tid = self.remote._SMB__connect_tree(unc_path, smb.SERVICE_ANY, None)
# connect(self): (re)establish the SMB session to self.dest_name.
#
# NOTE(review): this listing is collapsed onto one line and the two prompt
# calls contain a masked span ('...'******'...'), so the statement nesting and
# the masked arguments cannot be recovered from here. The code below is left
# untouched; restore it from the original file before reuse.
#
# What the visible statements do, in order:
#   * when self.error_retry > 3, a new access point is chosen with
#     socket.select_access_point() and stored on self.apn;
#   * self.netbios, self.addrs and self.remote are deleted under a bare
#     "except: pass" -- the first missing attribute ends the remaining
#     deletions silently;
#   * a NetBIOS object is created with apn=self.apn, self.dest_name is
#     resolved, and smb.SMB is opened to the first address returned
#     (the lookup result is held in a local, not on self.addrs);
#   * if the server requires a login, self.username / self.password are
#     prompted for when unset (get_text / get_pass, result encoded as UTF-8)
#     and passed to self.remote.login();
#   * self.config.add_host() receives the host name, username and password,
#     followed by self.config.write_config().
#
# NOTE(review): the password is handed to the config object and written out;
# how it is stored is not visible here -- confirm it is not kept in clear text
# or in a file readable by other users.
def connect(self): if self.error_retry > 3: self.apn = socket.select_access_point() try: del self.netbios del self.addrs del self.remote except: pass self.netbios = nmb.NetBIOS(apn=self.apn) self.dprint(5) addrs = self.netbios.gethostbyname(self.dest_name) self.dprint(6) self.remote = smb.SMB(self.dest_name, addrs[0].get_ip()) if self.remote.is_login_required(): if not self.username: self.username = self.get_text( 'Enter Username:'******'Username is required').encode('utf-8') if not self.password: self.password = self.get_pass( 'Enter Password:'******'Password is required').encode('utf-8') self.remote.login(self.username, self.password) self.config.add_host(self.dest_name, self.username, self.password) self.config.write_config() self.dprint(7)
def connect(server_name, user, password):
    """Open an SMB session to *server_name* and return it.

    The name is resolved through NetBIOS and only the first address returned
    is used. ``login`` is called only when the server reports that a login is
    required; an empty *user* is replaced by a fallback account name first.
    Errors raised by the ``smb`` / ``nmb`` modules are not handled here.
    """
    import smb
    import nmb

    logger.info("[samba.py] Crea netbios...")
    resolver = nmb.NetBIOS()

    logger.info("[samba.py] Averigua IP...")
    server_ip = resolver.gethostbyname(server_name)[0].get_ip()
    logger.info("[samba.py] server_ip=" + server_ip)

    logger.info("[samba.py] Crea smb...")
    session = smb.SMB(server_name, server_ip)
    logger.info("ok")

    # Servers that accept unauthenticated sessions are returned as-is.
    if not session.is_login_required():
        logger.info("[samba.py] Login no requerido")
        return session

    logger.info("[samba.py] Login...")
    if user == "":
        logger.info("[samba.py] User vacio, se asume 'guest'")
        # NOTE(review): the literal below looks masked in this listing; the
        # log line above says 'guest' is assumed -- confirm against the
        # original file. The caller's password is still sent with the
        # fallback account.
        user = "******"
    session.login(user, password)
    return session
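def scan(host):
    """Probe the SMB service on *host* (TCP/445) and print one status line.

    An anonymous session (empty user and password) is opened to the IPC$
    tree, a fixed probe is sent on the session socket and the 32-bit status
    field of the reply (bytes 9..12) decides the verdict:

    * 0xc0000205 -> "system is vulnerable"; a second probe is then sent and a
      reply code of 0x51 is reported as a DoublePulsar infection, together
      with the values derived from the two signature fields;
    * 0xc0000008 or 0xc0000022 -> "system is not vulnerable";
    * anything else, or a reply too short to hold the status field ->
      "can not detect vulnerable status".

    Any error (unreachable host, refused anonymous login, socket timeout, ...)
    ends the scan of this host without output, so a missing line must not be
    read as "not vulnerable". ``timeout``, ``smb``, ``get_arch`` and
    ``xor_key`` come from the enclosing module.
    """
    try:
        # Reachability check only. create_connection() raises on failure, so
        # the socket is closed at once rather than kept open next to the SMB
        # session for the rest of the scan.
        precheck = socket.create_connection((host, 445), timeout=timeout)
        precheck.close()

        cs = smb.SMB('*SMBSERVER', host, sess_port=445, timeout=timeout)
        cs.login('', '')
        tid = cs.tree_connect_andx(r'\\\\IPC$', '')

        # Raw probes: fixed bytes with the tree id and user id of this
        # session packed in as little-endian 16-bit values.
        base_probe = (
            '\x00\x00\x00\x4a\xff\x53\x4d\x42\x25\x00\x00\x00\x00\x18\x01\x28'
            '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' + struct.pack('<H', tid)
            + '\xb9\x1b' + struct.pack('<H', cs._uid)
            + '\xb1\xb6\x10\x00\x00\x00\x00\xff\xff\xff\xff\x00\x00\x00'
            '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x4a\x00\x00\x00\x4a\x00\x02'
            '\x00\x23\x00\x00\x00\x07\x00\x5c\x50\x49\x50\x45\x5c\x00')
        doublepulsar_probe = (
            '\x00\x00\x00\x4f\xff\x53\x4d\x42\x32\x00\x00\x00\x00\x18\x07\xc0'
            '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' + struct.pack('<H', tid)
            + '\x4a\x3d' + struct.pack('<H', cs._uid)
            + '\x41\x00\x0f\x0c\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00'
            '\x00\xa6\xd9\xa4\x00\x00\x00\x0c\x00\x42\x00\x00\x00\x4e\x00\x01'
            '\x00\x0e\x00\x00\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
            '\x00\x00\x00')

        cs._sess._sock.send(base_probe)
        res = cs._sess._sock.recv(1024)
        if len(res) < 13:
            # Too short to contain the status field: report it as
            # inconclusive instead of dropping the host silently.
            print('%s - can not detect vulnerable status' % host)
            return
        status = struct.unpack('<L', res[9:13])[0]

        if status == 0xc0000205:  # STATUS_INSUFF_SERVER_RESOURCES
            double_infection = False
            try:
                cs._sess._sock.send(doublepulsar_probe)
                res = cs._sess._sock.recv(1024)
                code = struct.unpack('<L', res[34:38])[0]
                sig1 = struct.unpack('<L', res[18:22])[0]
                sig2 = struct.unpack('<L', res[22:26])[0]
                if code == 0x51:
                    double_infection = True
            except Exception:
                # The second probe is best-effort; the first verdict stands.
                pass
            if double_infection:
                print('%s - system is vulnerable, DoublePulsar infection - Arch: %s Key:0x%x ' %
                      (host, get_arch(sig2), xor_key(sig1)))
            else:
                print('%s - system is vulnerable' % host)
        elif status == 0xc0000008 or status == 0xc0000022:
            # STATUS_INVALID_HANDLE or STATUS_ACCESS_DENIED
            print('%s - system is not vulnerable' % host)
        else:
            print('%s - can not detect vulnerable status' % host)
    except Exception:
        # Best-effort per host, but no longer a bare except: KeyboardInterrupt
        # and SystemExit now propagate, so a long scan can be stopped.
        pass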
def do_smb_connect(self, target, user, password):
    """Log in to *target* over SMB and attach to its IPC$ tree.

    The session object is kept on ``self.remote`` and the value returned by
    the tree connect is kept on ``self.tid``. Nothing is returned, and no
    exception raised by the ``smb`` module is handled here.
    """
    self.remote = smb.SMB("*SMBSERVER", target)
    self.remote.login(user, password)

    # UNC path of the IPC$ share, with the host name upper-cased.
    ipc_path = "".join(("\\\\", target.upper(), "\\IPC$"))

    # NOTE(review): _SMB__connect_tree is the name-mangled form of a private
    # method of smb.SMB; this call depends on library internals and can break
    # when the smb module is upgraded.
    self.tid = self.remote._SMB__connect_tree(ipc_path, smb.SERVICE_ANY, None)