class Dot11Auth(Packet): name = "802.11 Authentication" fields_desc = [LEShortEnumField("algo", 0, ["open", "sharedkey"]), LEShortField("seqnum", 0), LEShortEnumField("status", 0, status_code)] def answers(self, other): if self.seqnum == other.seqnum + 1: return 1 return 0
class ResultElementLE(Packet): name = "result" fields_desc = [ LEShortEnumField('resultContextNegotiation', 0, _defResult), ConditionalField(LEShortEnumField('reason', 0, _defReason), lambda pkt: pkt.resultContextNegotiation != 0), PacketField('transferSyntax', '\x00' * 20, SyntaxId), ] def extract_padding(self, p): return b"", p
class SMB2_Preauth_Integrity_Capabilities(Packet): name = "SMB2 Preauth Integrity Capabilities" fields_desc = [ # According to the spec, this field value must be greater than 0 # (cf Section 2.2.3.1.1 of MS-SMB2.pdf) FieldLenField("HashAlgorithmCount", 1, fmt="<H", count_of="HashAlgorithms"), FieldLenField("SaltLength", 0, fmt="<H", length_of="Salt"), FieldListField( "HashAlgorithms", [0x0001], LEShortEnumField( "", 0x0, { # As for today, no other hash algorithm is described by the spec 0x0001: "SHA-512", }), count_from=lambda pkt: pkt.HashAlgorithmCount), XStrLenField("Salt", "", length_from=lambda pkt: pkt.SaltLength), ] def default_payload_class(self, payload): return conf.padding_layer
class L2CAP_ConnResp(Packet): name = "L2CAP Conn Resp" fields_desc = [ LEShortField("dcid", 0), LEShortField("scid", 0), LEShortEnumField("result", 0, [ "success", "pend", "cr_bad_psm", "cr_sec_block", "cr_no_mem", "reserved", "cr_inval_scid", "cr_scid_in_use" ]), # noqa: E501 LEShortEnumField("status", 0, ["no_info", "authen_pend", "author_pend", "reserved" ]), # noqa: E501 ] def answers(self, other): return isinstance(other, L2CAP_ConnReq) and self.dcid == other.scid
class SMB2_Negociate_Context(Packet): name = "SMB2 Negociate Context" fields_desc = [ LEShortEnumField("ContextType", 0x0, SMB2_NEGOCIATE_CONTEXT_TYPES), FieldLenField("DataLength", 0x0, fmt="<H", length_of="Data"), IntField("Reserved", 0), ]
class SMB2_Compression_Capabilities(Packet): name = "SMB2 Compression Capabilities" fields_desc = [ FieldLenField( "CompressionAlgorithmCount", 0, fmt="<H", count_of="CompressionAlgorithms" ), ShortField("Padding", 0x0), IntEnumField("Flags", 0x0, { 0x00000000: "SMB2_COMPRESSION_CAPABILITIES_FLAG_NONE", 0x00000001: "SMB2_COMPRESSION_CAPABILITIES_FLAG_CHAINED", }), FieldListField( "CompressionAlgorithms", None, LEShortEnumField("", 0x0, SMB2_COMPRESSION_ALGORITHMS), count_from=lambda pkt: pkt.CompressionAlgorithmCount, ), # Pad the whole packet on 8 bytes XStrLenField( "Padding2", "", length_from=lambda pkt: (8 - (2 + 2 + 4 + pkt.CompressionAlgorithmCount * 2)) % 8 ), ]
class USBpcap(Packet): name = "USBpcap URB" fields_desc = [ByteField("headerLen", None), ByteField("res", 0), XLELongField("irpId", 0), LEIntEnumField("usbd_status", 0x0, _usbd_status_codes), LEShortEnumField("function", 0, _urb_functions), XByteField("info", 0), LEShortField("bus", 0), LEShortField("device", 0), XByteField("endpoint", 0), ByteEnumField("transfer", 0, _transfer_types), LenField("dataLength", None, fmt="<I")] def post_build(self, p, pay): if self.headerLen is None: headerLen = len(p) if isinstance(self.payload, (USBpcapTransferIsochronous, USBpcapTransferInterrupt, USBpcapTransferControl)): headerLen += len(self.payload) - len(self.payload.payload) p = chb(headerLen) + p[1:] return p + pay def guess_payload_class(self, payload): if self.headerLen == 27: # No Transfer layer return super(USBpcap, self).guess_payload_class(payload) if self.transfer == 0: return USBpcapTransferIsochronous elif self.transfer == 1: return USBpcapTransferInterrupt elif self.transfer == 2: return USBpcapTransferControl return super(USBpcap, self).guess_payload_class(payload)
class OpcDaHeaderNLE(OpcDaHeaderN): name = "OpcDaHeaderNextLE" fields_desc = [ LEShortField('fragLenght', 0), LEShortEnumField('authLenght', 0, _authentification_protocol), LEIntField('callID', 0) ]
class LL_VERSION_IND(Packet): name = "LL_VERSION_IND" fields_desc = [ ByteEnumField("version", 8, BTLE_Versions), LEShortEnumField("Company", 0, BTLE_Corp_IDs), XShortField("subversion", 0) ]
class CtrlPDU(Packet): name = "CtrlPDU" fields_desc = [ XByteField("optcode", 0), ByteEnumField("version", 0, BTLE_Versions), LEShortEnumField("Company", 0, BTLE_Corp_IDs), XShortField("subversion", 0) ]
class OpcDaBind_nakLE(Packet): name = "OpcDaBind_nak" fields_desc = [ LEShortEnumField("providerRejectReason", 0, _rejectBindNack) ] # To complete def extract_padding(self, p): return b"", p
class PPI_Hdr(Packet): name = 'PPI Header' fields_desc = [ LEShortEnumField('pfh_type', 0, PPI_TYPES), LenField('pfh_length', None, fmt='<H'), ] def mysummary(self): return self.sprintf('PPI %pfh_type%')
class L2CAP_InfoReq(Packet): name = "L2CAP Info Req" fields_desc = [ LEShortEnumField("type", 0, { 1: "CL_MTU", 2: "FEAT_MASK" }), StrField("data", "") ]
class L2CAP_InfoResp(Packet): name = "L2CAP Info Resp" fields_desc = [ LEShortField("type", 0), LEShortEnumField("result", 0, ["success", "not_supp"]), StrField("data", ""), ] def answers(self, other): return self.type == other.type
class L2CAP_ConnReq(Packet): name = "L2CAP Conn Req" fields_desc = [ LEShortEnumField("psm", 0, { 1: "SDP", 3: "RFCOMM", 5: "telephony control" }), # noqa: E501 LEShortField("scid", 0), ]
class ItemData(Packet): """Common Packet Format""" name = "Item Data" fields_desc = [ LEShortEnumField("typeId", 0, _itemID), LEShortField("length", 0), XLEStrLenField("data", "", length_from=lambda pkt: pkt.length), ] def extract_padding(self, s): return '', s
class PPI_Geotag_Sensor(HCSIPacket): name = "PPI Sensor" hcsi_fields = [ LEShortEnumField('SensorType', None, sensor_types), SignedByteField('ScaleFactor', None), Fixed6_4Field('Val_X', None), Fixed6_4Field('Val_Y', None), Fixed6_4Field('Val_Z', None), Fixed6_4Field('Val_T', None), Fixed6_4Field('Val_E', None), ] + _hcsi_null_range(7, 28)
class AttributeNameLE(Packet): name = "Attribute" fields_desc = [ LEShortEnumField('attributeItemType', 2, _attribute_type), LEShortField('attributeItemLen', 0), StrLenField('attributeItem', '', length_from=lambda pkt: pkt.attributeItemLen), ] def extract_padding(self, p): return b"", p
class L2CAP_ConfResp(Packet): name = "L2CAP Conf Resp" fields_desc = [ LEShortField("scid", 0), LEShortField("flags", 0), LEShortEnumField( "result", 0, ["success", "unaccept", "reject", "unknown"]), # noqa: E501 ] def answers(self, other): return isinstance(other, L2CAP_ConfReq) and self.scid == other.dcid
class SMB2_Compression_Transform_Header(Packet): name = "SMB2 Compression Transform Header" fields_desc = [ StrFixedLenField("Start", b"\xfcSMB", 4), LEIntField("OriginalCompressedSegmentSize", 0x0), LEShortEnumField("CompressionAlgorithm", 0, SMB2_COMPRESSION_ALGORITHMS), ShortEnumField( "Flags", 0x0, { 0x0000: "SMB2_COMPRESSION_FLAG_NONE", 0x0001: "SMB2_COMPRESSION_FLAG_CHAINED", }), XLEIntField("Offset_or_Length", 0), ]
class SMB2_Negotiate_Protocol_Response(Packet): name = "SMB2 Negotiate Protocol Response" fields_desc = [ XLEShortField("StructureSize", 0), FlagsField("SecurityMode", 0, -16, { 0x1: "Signing Required", 0x2: "Signing Enabled", }), LEShortEnumField("DialectRevision", 0x0, SMB_DIALECTS), FieldLenField("NegotiateCount", None, fmt="<H", count_of="NegotiateContexts"), UUIDField("ServerGUID", 0x0, uuid_fmt=UUIDField.FORMAT_LE), # Capabilities FlagsField("Capabilities", 0, -32, SMB2_CAPABILITIES), LEIntField("MaxTransactionSize", 0), LEIntField("MaxReadSize", 0), LEIntField("MaxWriteSize", 0), UTCTimeField("SystemTime", None, fmt="<Q", epoch=[1601, 1, 1, 0, 0, 0], custom_scaling=1e7), UTCTimeField("ServerStartTime", None, fmt="<Q", epoch=[1601, 1, 1, 0, 0, 0], custom_scaling=1e7), XLEShortField("SecurityBlobOffset", 0), FieldLenField("SecurityBlobLength", None, fmt="<H", length_of="SecurityBlob"), XLEIntField("NegotiateContextOffset", 0), PacketLenField("SecurityBlob", None, GSSAPI_BLOB, length_from=lambda x: x.SecurityBlobLength), # Field only exists if Dialect is 0x0311 # Each negotiate context must be 8-byte aligned ConditionalField( FieldListField("NegotiateContexts", [], ReversePadField( PacketField("Context", None, SMB2_Negotiate_Context), 8), count_from=lambda pkt: pkt.NegotiateCount), lambda x: x.DialectRevision == 0x0311), ]
class L2CAP_Hdr(Packet): name = "L2CAP header" fields_desc = [ LEShortField("len", None), LEShortEnumField("cid", 0, { 1: "control", 4: "attribute" }), ] # noqa: E501 def post_build(self, p, pay): p += pay if self.len is None: p = struct.pack("<H", len(pay)) + p[2:] return p
class ENIPTCP(Packet): """Ethernet/IP packet over TCP""" name = "ENIPTCP" fields_desc = [ LEShortEnumField("commandId", None, _commandIdList), LEShortField("length", 0), XLEIntField("session", 0), LEIntEnumField("status", None, _statusList), LELongField("senderContext", 0), LEIntField("options", 0), MultipleTypeField( [ # List Services Reply (PacketField("commandSpecificData", ENIPListServicesReply, ENIPListServicesReply), lambda pkt: pkt.commandId == 0x4), # List Identity Reply (PacketField("commandSpecificData", ENIPListIdentityReply, ENIPListIdentityReply), lambda pkt: pkt.commandId == 0x63), # List Interfaces Reply (PacketField("commandSpecificData", ENIPListInterfacesReply, ENIPListInterfacesReply), lambda pkt: pkt.commandId == 0x64), # Register Session (PacketField("commandSpecificData", ENIPRegisterSession, ENIPRegisterSession), lambda pkt: pkt.commandId == 0x65), # Send RR Data (PacketField("commandSpecificData", ENIPSendRRData, ENIPSendRRData), lambda pkt: pkt.commandId == 0x6f), # Send Unit Data (PacketField("commandSpecificData", ENIPSendUnitData, ENIPSendUnitData), lambda pkt: pkt.commandId == 0x70), ], PacketField( "commandSpecificData", None, CommandSpecificData) # By default ), ] def post_build(self, pkt, pay): if self.length is None and pay: pkt = pkt[:2] + struct.pack("<H", len(pay)) + pkt[4:] return pkt + pay
class SMB2_Encryption_Capabilities(Packet): name = "SMB2 Encryption Capabilities" fields_desc = [ # According to the spec, this field value must be greater than 0 # (cf Section 2.2.3.1.2 of MS-SMB2.pdf) FieldLenField("CipherCount", 1, fmt="<H", count_of="Ciphers"), FieldListField("Ciphers", [0x0001], LEShortEnumField("", 0x0, { 0x0001: "AES-128-CCM", 0x0002: "AES-128-GCM", }), count_from=lambda pkt: pkt.CipherCount), # Pad the whole packet on 8 bytes XStrLenField( "Padding", "", length_from=lambda pkt: (8 - (2 + pkt.CipherCount * 2)) % 8 ), ]
class SMB2_Encryption_Capabilities(Packet): name = "SMB2 Encryption Capabilities" fields_desc = [ # According to the spec, this field value must be greater than 0 # (cf Section 2.2.3.1.2 of MS-SMB2.pdf) FieldLenField("CipherCount", 1, fmt="<H", count_of="Ciphers"), FieldListField("Ciphers", [0x0001], LEShortEnumField("", 0x0, { 0x0001: "AES-128-CCM", 0x0002: "AES-128-GCM", }), count_from=lambda pkt: pkt.CipherCount), ] def default_payload_class(self, payload): return conf.padding_layer
class SMB2_Negociate_Protocol_Response_Header(Packet): name = "SMB2 Negociate Protocol Response Header" fields_desc = [ XLEShortField("StructureSize", 0), FlagsField("SecurityMode", 0, 16, { 0x7: "Signing Required", 0x8: "Signing Enabled", }), LEShortEnumField("Dialect", 0x0, SMB_DIALECTS), FieldLenField( "NegociateCount", 0x0, fmt="<H", count_of="NegociateContexts" ), UUIDField("ServerGUID", 0x0, uuid_fmt=UUIDField.FORMAT_LE), # Capabilities FlagsField("Capabilities", 0, 32, SMB2_CAPABILITIES), LEIntField("MaxTransactionSize", 0), LEIntField("MaxReadSize", 0), LEIntField("MaxWriteSize", 0), # TODO FIXME XLongField("SystemTime", 0), XLongField("ServerStartTime", 0), XLEShortField("SecurityBufferOffset", 0), FieldLenField( "SecurityBufferLength", 0, fmt="<H", length_of="SecurityBuffer" ), XLEIntField("NegociateContextOffset", 0), # TODO FIXME XStrLenField( "SecurityBuffer", None, length_from=lambda pkt: pkt.SecurityBufferLength ), PacketListField( "NegociateContexts", [], SMB2_Negociate_Context, count_from=lambda pkt: pkt.NegociateCount ), ]
class SMB2_Negociate_Protocol_Request_Header(Packet): name = "SMB2 Negociate Protocol Request Header" fields_desc = [ XLEShortField("StructureSize", 0), FieldLenField( "DialectCount", 0, fmt="<H", count_of="Dialects" ), # SecurityMode FlagsField("SecurityMode", 0, 16, { 0x7: "Signing Required", 0x8: "Signing Enabled", }), LEShortField("Reserved", 0), # Capabilities FlagsField("Capabilities", 0, 32, SMB2_CAPABILITIES), UUIDField("ClientGUID", 0x0, uuid_fmt=UUIDField.FORMAT_LE), XLEIntField("NegociateContextOffset", 0x0), FieldLenField( "NegociateCount", 0x0, fmt="<H", count_of="NegociateContexts" ), ShortField("Reserved2", 0), # Padding the dialects - the whole packet (from the # beginning) should be aligned on 8 bytes ; so the list of # dialects should be aligned on 6 bytes (because it starts # at PKT + 8 * N + 2 PadField(FieldListField( "Dialects", [0x0202], LEShortEnumField("", 0x0, SMB_DIALECTS), count_from=lambda pkt: pkt.DialectCount ), 6), PacketListField( "NegociateContexts", [], SMB2_Negociate_Context, count_from=lambda pkt: pkt.NegociateCount ), ]
class AV_PAIR(Packet): name = "NTLM AV Pair" fields_desc = [ LEShortEnumField( 'AvId', 0, { 0x0000: "MsvAvEOL", 0x0001: "MsvAvNbComputerName", 0x0002: "MsvAvNbDomainName", 0x0003: "MsvAvDnsComputerName", 0x0004: "MsvAvDnsDomainName", 0x0005: "MsvAvDnsTreeName", 0x0006: "MsvAvFlags", 0x0007: "MsvAvTimestamp", 0x0008: "MsvAvSingleHost", 0x0009: "MsvAvTargetName", 0x000A: "MsvAvChannelBindings", }), FieldLenField('AvLen', None, length_of="Value", fmt="<H"), MultipleTypeField([ (LEIntEnumField( 'Value', 1, { 0x0001: "constrained", 0x0002: "MIC integrity", 0x0004: "SPN from untrusted source" }), lambda pkt: pkt.AvId == 0x0006), (UTCTimeField("Value", None, epoch=[1601, 1, 1, 0, 0, 0], custom_scaling=1e7, fmt="<Q"), lambda pkt: pkt.AvId == 0x0007), (PacketField('Value', Single_Host_Data(), Single_Host_Data), lambda pkt: pkt.AvId == 0x0008), (XStrLenField('Value', b"", length_from=lambda pkt: pkt.AvLen), lambda pkt: pkt.AvId == 0x000A), ], StrLenFieldUtf16('Value', b"", length_from=lambda pkt: pkt.AvLen)) ] def default_payload_class(self, payload): return conf.padding_layer
class SMB2_Preauth_Integrity_Capabilities(Packet): name = "SMB2 Preauth Integrity Capabilities" fields_desc = [ # According to the spec, this field value must be greater than 0 # (cf Section 2.2.3.1.1 of MS-SMB2.pdf) FieldLenField( "HashAlgorithmCount", 1, fmt="<H", count_of="HashAlgorithms" ), FieldLenField("SaltLength", 0, fmt="<H", length_of="Salt"), FieldListField("HashAlgorithms", [0x0001], LEShortEnumField("", 0x0, { # As for today, no other hash algorithm is described by the spec 0x0001: "SHA-512", }), count_from=lambda pkt: pkt.HashAlgorithmCount), XStrLenField("Salt", "", length_from=lambda pkt: pkt.SaltLength), # Pad the whole packet on 8 bytes XStrLenField( "Padding", "", length_from=lambda pkt: (8 - (4 + pkt.HashAlgorithmCount * 2 + pkt.SaltLength)) % 8 ), ]
class SMB2_Compression_Capabilities(Packet): name = "SMB2 Compression Capabilities" fields_desc = [ FieldLenField("CompressionAlgorithmCount", 0, fmt="<H", count_of="CompressionAlgorithms"), ShortField("Padding", 0x0), IntEnumField( "Flags", 0x0, { 0x00000000: "SMB2_COMPRESSION_CAPABILITIES_FLAG_NONE", 0x00000001: "SMB2_COMPRESSION_CAPABILITIES_FLAG_CHAINED", }), FieldListField( "CompressionAlgorithms", None, LEShortEnumField("", 0x0, SMB2_COMPRESSION_ALGORITHMS), count_from=lambda pkt: pkt.CompressionAlgorithmCount, ), ] def default_payload_class(self, payload): return conf.padding_layer