class Dot11EltRSN(Dot11Elt):
    """RSN information element (ID 48) described as a Scapy field layout.

    Carries the group cipher suite, counted lists of pairwise cipher and
    AKM suites, the RSN capability bits and, optionally, a PMKID list.
    When dissecting, every count is read from the frame itself, so the
    decoded lists reflect whatever the sender chose to put on the air.
    """
    name = "802.11 RSN information"
    fields_desc = [
        ByteField("ID", 48),
        ByteField("len", None),
        LEShortField("version", 1),
        PacketField("group_cipher_suite", RSNCipherSuite(), RSNCipherSuite),
        # The count precedes its list; on dissection the list length is taken
        # from this wire value through the count_from lambda below.
        LEFieldLenField("nb_pairwise_cipher_suites",
                        1,
                        count_of="pairwise_cipher_suites"),
        PacketListField("pairwise_cipher_suites", [RSNCipherSuite()],
                        RSNCipherSuite,
                        count_from=lambda p: p.nb_pairwise_cipher_suites),
        LEFieldLenField("nb_akm_suites", 1, count_of="akm_suites"),
        PacketListField("akm_suites", [AKMSuite()],
                        AKMSuite,
                        count_from=lambda p: p.nb_akm_suites),
        # RSN capabilities (16 bits). BitFields are declared from the most
        # significant bit of each octet; mfp_* are the management frame
        # protection bits that an auditor checks for 802.11w support.
        BitField("mfp_capable", 0, 1),
        BitField("mfp_required", 0, 1),
        BitField("gtksa_replay_counter", 0, 2),
        BitField("ptksa_replay_counter", 0, 2),
        BitField("no_pairwise", 0, 1),
        BitField("pre_auth", 0, 1),
        BitField("reserved", 0, 8),
        # The PMKID list is dissected only when `len` leaves at least 18 bytes
        # after the fixed part (counted here as 12 bytes) and the two suite
        # lists (4 bytes per entry). With len unset (building) the condition
        # is 0, i.e. false.
        # NOTE(review): 18 looks like a 2-byte count plus one 16-byte PMKID,
        # so an element with a PMKID count of zero would be left undissected;
        # the later revision of this class on the page tests >= 2 - confirm.
        ConditionalField(
            PacketField("pmkids", None, PMKIDListPacket), lambda pkt:
            (0 if pkt.len is None else pkt.len -
             (12 + (pkt.nb_pairwise_cipher_suites * 4) +
              (pkt.nb_akm_suites * 4)) >= 18))
    ]
Esempio n. 2
class Dot11EltMicrosoftWPA(Dot11Elt):
    """Vendor-specific element (ID 221) carrying Microsoft WPA information.

    Recognised by OUI 00:50:f2 and type 0x01, followed by a version, the
    group cipher suite and counted lists of pairwise cipher and AKM suites.
    """
    name = "802.11 Microsoft WPA"
    fields_desc = [
        ByteField("ID", 221),
        ByteField("len", None),
        X3BytesField("oui", 0x0050f2),
        XByteField("type", 0x01),
        LEShortField("version", 1),
        # NOTE(review): the suite defaults reuse RSNCipherSuite()/AKMSuite();
        # their default OUI is not visible here - verify that built elements
        # carry the selectors expected for WPA rather than for RSN.
        PacketField("group_cipher_suite", RSNCipherSuite(), RSNCipherSuite),
        # Count fields are read from the frame when dissecting and decide how
        # many list entries are parsed.
        LEFieldLenField(
            "nb_pairwise_cipher_suites",
            1,
            count_of="pairwise_cipher_suites"
        ),
        # NOTE(review): the default is a bare packet, not a list as in the RSN
        # element definitions on this page - confirm PacketListField wraps it.
        PacketListField(
            "pairwise_cipher_suites",
            RSNCipherSuite(),
            RSNCipherSuite,
            count_from=lambda p: p.nb_pairwise_cipher_suites
        ),
        LEFieldLenField(
            "nb_akm_suites",
            1,
            count_of="akm_suites"
        ),
        PacketListField(
            "akm_suites",
            AKMSuite(),
            AKMSuite,
            count_from=lambda p: p.nb_akm_suites
        )
    ]
Esempio n. 3
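class Dot11EltRSN(Packet):
	"""802.11 RSN information element with decoded 'security' details.

	After dissection the enc, cipher and auth members hold the encryption
	type, the selected cipher and the authentication method derived from
	the suite selectors found in the element.
	"""

	name = '802.11 RSN Information Element'

	# Suite selectors: OUI 00-0F-AC followed by a one-byte suite type.
	# NOTE(review): the keys are str literals; if the fields yield bytes
	# (Scapy on Python 3) none of these lookups will match - confirm.
	cipher_suites = { '\x00\x0f\xac\x00': 'GROUP',
					  '\x00\x0f\xac\x01': 'WEP',
					  '\x00\x0f\xac\x02': 'TKIP',
					  '\x00\x0f\xac\x04': 'CCMP',
					  '\x00\x0f\xac\x05': 'WEP' }

	auth_suites = { '\x00\x0f\xac\x01': 'MGT',
					'\x00\x0f\xac\x02': 'PSK' }

	fields_desc = [
		ByteField('ID', 0),
		# NOTE(review): length_of names "info", which is not a field of this
		# class; building with len left at None would fail - confirm intent.
		FieldLenField("len", None, "info", "B"),
		LEShortField('version', 1),
		StrFixedLenField('group_cipher_suite', '', length=4),
		# Both counts come from the frame when dissecting and decide how many
		# 4-byte selectors are read into the lists that follow them.
		LEFieldLenField('pairwise_cipher_suite_count', 1, count_of='pairwise_cipher_suite'),
		FieldListField('pairwise_cipher_suite', None, StrFixedLenField('','', length=4), count_from=lambda pkt: pkt.pairwise_cipher_suite_count),
		LEFieldLenField('auth_cipher_suite_count', 1, count_of='auth_cipher_suite'),
		FieldListField('auth_cipher_suite', None, StrFixedLenField('','',length=4), count_from=lambda pkt: pkt.auth_cipher_suite_count),
		# RSN capabilities, first octet. BitFields consume the most significant
		# bit first, so the flags are declared from bit 7 (MFP capable) down to
		# bit 0 (pre-auth); declaring them in bit-number order would swap the
		# pre-auth and management-frame-protection readings.
		BitField('rsn_cap_mgmt_frame_protect_capable', 0, 1),
		BitField('rsn_cap_mgmt_frame_protect_required', 0, 1),
		BitField('rsn_cap_gtksa_replay_counter', 0, 2),
		BitField('rsn_cap_ptksa_replay_counter', 0, 2),
		BitField('rsn_cap_no_pairwise', 0, 1),
		BitField('rsn_cap_pre_auth', 0, 1),
		# Second octet, again most significant bit first: bits 15-10, 9, 8.
		BitField('rsn_cap_reserved_2', 0, 6),
		BitField('rsn_cap_peer_key_enabled', 0, 1),
		BitField('rsn_cap_reserved_1', 0, 1),
	]

	def post_dissection(self, pkt):
		"""Derive enc, cipher and auth from the dissected suite selectors.

		cipher is the strongest of CCMP, TKIP and WEP among the pairwise
		suites, or the group cipher when the pairwise list says "use group".
		auth is taken from the first AKM selector only.
		"""

		self.enc = 'WPA2' # Assumed WPA2 unless a WEP suite is selected below
		self.cipher = ''
		self.auth = ''

		pairwise = self.getfieldval('pairwise_cipher_suite') or []
		ciphers = [self.cipher_suites.get(selector) for selector in pairwise]
		if 'GROUP' in ciphers:
			# group_cipher_suite is a single 4-byte selector, not a list:
			# look it up whole instead of iterating over its characters.
			ciphers = [self.cipher_suites.get(self.getfieldval('group_cipher_suite'), '')]

		# Preference order reports the strongest cipher on offer. A network
		# that also accepts TKIP next to CCMP is therefore reported as CCMP;
		# audit the raw pairwise list when the weakest option matters.
		for cipher in ['CCMP', 'TKIP', 'WEP']:
			if cipher in ciphers:
				self.cipher = cipher
				break

		if 'WEP' == self.cipher:
			self.enc = 'WEP'

		akm_selectors = self.getfieldval('auth_cipher_suite') or []
		if akm_selectors:
			self.auth = self.auth_suites.get(akm_selectors[0], '')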
Esempio n. 4
class Dot11EltRSN(Dot11Elt):
    """RSN information element (ID 48) described as a Scapy field layout.

    Carries the group cipher suite, counted pairwise cipher and AKM suite
    lists, the RSN capability bits, an optional PMKID list and an optional
    group management cipher suite. Counts and `len` are read from the frame
    when dissecting and decide which optional parts are parsed.
    """
    name = "802.11 RSN information"
    match_subclass = True
    fields_desc = [
        ByteEnumField("ID", 48, _dot11_info_elts_ids),
        ByteField("len", None),
        LEShortField("version", 1),
        PacketField("group_cipher_suite", RSNCipherSuite(), RSNCipherSuite),
        # Default None: the count is derived from the list when building.
        LEFieldLenField(
            "nb_pairwise_cipher_suites",
            None,
            count_of="pairwise_cipher_suites"
        ),
        PacketListField(
            "pairwise_cipher_suites",
            [RSNCipherSuite()],
            RSNCipherSuite,
            count_from=lambda p: p.nb_pairwise_cipher_suites
        ),
        LEFieldLenField(
            "nb_akm_suites",
            None,
            count_of="akm_suites"
        ),
        PacketListField(
            "akm_suites",
            [AKMSuite()],
            AKMSuite,
            count_from=lambda p: p.nb_akm_suites
        ),
        # RSN capabilities (16 bits), declared from the most significant bit
        # of each octet. mfp_capable / mfp_required are the management frame
        # protection bits an auditor checks for 802.11w support.
        BitField("mfp_capable", 0, 1),
        BitField("mfp_required", 0, 1),
        BitField("gtksa_replay_counter", 0, 2),
        BitField("ptksa_replay_counter", 0, 2),
        BitField("no_pairwise", 0, 1),
        BitField("pre_auth", 0, 1),
        BitField("reserved", 0, 8),
        # PMKID list: dissected when `len` leaves at least 2 bytes (room for
        # the PMKID count) after the fixed part, counted here as 12 bytes,
        # and the suite lists at 4 bytes per entry. With len unset the
        # condition is 0, i.e. false.
        # NOTE(review): if len is set by hand while the two counts are still
        # None, the multiplication below raises TypeError - confirm callers.
        ConditionalField(
            PacketField("pmkids", None, PMKIDListPacket),
            lambda pkt: (
                0 if pkt.len is None else
                pkt.len - (
                    12 +
                    pkt.nb_pairwise_cipher_suites * 4 +
                    pkt.nb_akm_suites * 4
                ) >= 2
            )
        ),
        # NOTE(review): presence is tied to the mfp_capable bit alone, not to
        # the bytes left in the element; a frame that sets the bit but omits
        # the suite would be parsed from whatever follows - confirm.
        ConditionalField(
            PacketField("group_management_cipher_suite",
                        RSNCipherSuite(cipher=0x6), RSNCipherSuite),
            lambda pkt: pkt.mfp_capable == 1
        )
    ]
Esempio n. 5
File: smb.py Progetto: phretor/scapy
class SMBNegotiate_Response_NoSecurity(_SMBNegotiate_Response):
    """SMB negotiate response body without a security blob.

    Holds the negotiated dialect index, security mode flags, server limits
    and capabilities, server time, an optional challenge and the domain name.
    """
    name = "SMB Negotiate No-Security Response (CIFS)"
    fields_desc = [
        ByteField("WordCount", 0x1),
        LEShortField("DialectIndex", 7),
        # Default 0x03. NOTE(review): assuming flag names map from the least
        # significant bit, this sets USER_SECURITY and ENCRYPT_PASSWORDS and
        # leaves both signing flags clear - worth checking when reading a
        # server's advertised posture from a capture.
        FlagsField("SecurityMode", 0x03, 8, [
            "USER_SECURITY", "ENCRYPT_PASSWORDS",
            "SECURITY_SIGNATURES_ENABLED", "SECURITY_SIGNATURES_REQUIRED"
        ]),
        LEShortField("MaxMpxCount", 50),
        LEShortField("MaxNumberVC", 1),
        LEIntField("MaxBufferSize", 16144),
        LEIntField("MaxRawSize", 65536),
        LEIntField("SessionKey", 0x0000),
        FlagsField("ServerCapabilities", 0xf3f9, -32, _SMB_ServerCapabilities),
        # 64-bit little-endian timestamp counted from 1601-01-01 with a
        # scaling factor of 1e7 ticks per second.
        UTCTimeField("ServerTime",
                     None,
                     fmt="<Q",
                     epoch=[1601, 1, 1, 0, 0, 0],
                     custom_scaling=1e7),
        LEShortField("ServerTimeZone", 0x3c),
        ByteField("ChallengeLength", 0),  # aka EncryptionKeyLength
        # On build: length of DomainName plus the length of Challenge.
        LEFieldLenField("ByteCount",
                        None,
                        length_of="DomainName",
                        adjust=lambda pkt, x: x + len(pkt.Challenge)),
        # Challenge size is taken from ChallengeLength, a wire value.
        StrLenField(
            "Challenge",
            b"",  # aka EncryptionKey
            length_from=lambda pkt: pkt.ChallengeLength),
        StrNullField("DomainName", "WORKGROUP")
    ]
Esempio n. 6
class SMBSession_Setup_AndX_Request(Packet):
    """SMB Session Setup AndX request with a chained Tree Connect AndX.

    The layout starts with the SMB header, continues with the session setup
    parameters and credential strings, and ends with the tree connect
    parameters, path and service. Most lengths are fixed defaults rather
    than computed values.
    """
    name = "Session Setup AndX Request"
    fields_desc = [
        # --- SMB header ---
        StrFixedLenField("Start", b"\xffSMB", 4),
        ByteEnumField("Command", 0x73,
                      {0x73: "SMB_COM_SESSION_SETUP_ANDX"}),  # noqa: E501
        ByteField("Error_Class", 0),
        ByteField("Reserved", 0),
        LEShortField("Error_Code", 0),
        ByteField("Flags", 0x18),
        LEShortField("Flags2", 0x0001),
        LEShortField("PIDHigh", 0x0000),
        LELongField("Signature", 0x0),
        LEShortField("Unused", 0x0),
        LEShortField("TID", 0),
        LEShortField("PID", 1),
        LEShortField("UID", 0),
        LEShortField("MID", 2),
        # --- Session Setup AndX parameters ---
        ByteField("WordCount", 13),
        ByteEnumField("AndXCommand", 0x75,
                      {0x75: "SMB_COM_TREE_CONNECT_ANDX"}),  # noqa: E501
        ByteField("Reserved2", 0),
        LEShortField("AndXOffset", 96),
        LEShortField("MaxBufferS", 2920),
        LEShortField("MaxMPXCount", 50),
        LEShortField("VCNumber", 0),
        LEIntField("SessionKey", 0),
        # Computed from ANSIPassword when building; read from the wire when
        # dissecting, where it sizes the ANSIPassword field below.
        LEFieldLenField("ANSIPasswordLength", None, "ANSIPassword"),
        LEShortField("UnicodePasswordLength", 0),
        LEIntField("Reserved3", 0),
        LEShortField("ServerCapabilities", 0x05),
        BitField("UnixExtensions", 0, 1),
        BitField("Reserved4", 0, 7),
        BitField("ExtendedSecurity", 0, 1),
        BitField("CompBulk", 0, 2),
        BitField("Reserved5", 0, 5),
        # Fixed default, not derived from the strings that follow.
        LEShortField("ByteCount", 35),
        # Credential material as carried in the request. "Pass" and "GUEST"
        # are placeholder defaults; dissected captures hold the real values,
        # so treat decoded packets as sensitive and redact before sharing.
        StrLenField("ANSIPassword",
                    "Pass",
                    length_from=lambda x: x.ANSIPasswordLength),  # noqa: E501
        StrNullField("Account", "GUEST"),
        StrNullField("PrimaryDomain", ""),
        StrNullField("NativeOS", "Windows 4.0"),
        StrNullField("NativeLanManager", "Windows 4.0"),
        # --- chained Tree Connect AndX ---
        ByteField("WordCount2", 4),
        ByteEnumField("AndXCommand2", 0xFF, {0xFF: "SMB_COM_NONE"}),
        ByteField("Reserved6", 0),
        LEShortField("AndXOffset2", 0),
        LEShortField("Flags3", 0x2),
        LEShortField("PasswordLength", 0x1),
        LEShortField("ByteCount2", 18),
        ByteField("Password", 0),
        StrNullField("Path", "\\\\WIN2K\\IPC$"),
        StrNullField("Service", "IPC")
    ]
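class PMKIDListPacket(Packet):
    """Counted list of 16-byte PMKIDs as carried in an RSN element.

    The count is a little-endian length field followed by that many
    fixed-size identifiers. When dissecting, the count comes from the frame.
    """
    name = "PMKIDs"
    fields_desc = [
        # count_of has to name the list field declared below; the previous
        # spelling ("pmk_id_list") matched no field, so asking Scapy to derive
        # the count (nb_pmkids=None) failed on the lookup. The default stays
        # 0, so the count is only derived when a caller sets it to None.
        LEFieldLenField("nb_pmkids", 0, count_of="pmkid_list"),
        FieldListField("pmkid_list",
                       None,
                       XStrFixedLenField("", "", length=16),
                       count_from=lambda pkt: pkt.nb_pmkids)
    ]

    def extract_padding(self, s):
        """Treat every byte after the list as padding for the parent layer.

        Returns an empty payload (bytes, like the other extract_padding
        implementations on this page) and the untouched remainder.
        """
        return b"", s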
Esempio n. 8
File: smb.py Progetto: phretor/scapy
class SMBNegotiate_Request(Packet):
    """SMB negotiate request body: a byte count followed by dialect entries."""
    name = "SMB Negotiate Request"
    fields_desc = [
        ByteField("WordCount", 0),
        # On build: length of Dialects plus one.
        # NOTE(review): dissection below reads exactly ByteCount bytes of
        # dialects, without the extra byte added here - confirm the two
        # directions are meant to differ.
        LEFieldLenField("ByteCount",
                        None,
                        length_of="Dialects",
                        adjust=lambda pkt, x: x + 1),
        # The dialect list is sized by ByteCount, a value taken from the
        # request when dissecting.
        PacketListField("Dialects", [SMB_Dialect()],
                        SMB_Dialect,
                        length_from=lambda pkt: pkt.ByteCount)
    ]
Esempio n. 9
File: smb.py Progetto: phretor/scapy
class SMBSession_Setup_AndX_Request(Packet):
    """SMB Session Setup AndX request body with a chained Tree Connect AndX.

    Carries the session parameters, the OEM and Unicode password fields with
    their lengths, account and host strings, then the tree connect
    parameters, path and service.
    """
    name = "Session Setup AndX Request (CIFS)"
    fields_desc = [
        ByteField("WordCount", 13),
        ByteEnumField("AndXCommand", 0x75, SMB_COM),
        ByteField("AndXReserved", 0),
        LEShortField("AndXOffset", 96),
        LEShortField("MaxBufferSize", 2920),
        LEShortField("MaxMPXCount", 50),
        LEShortField("VCNumber", 0),
        LEIntField("SessionKey", 0),
        # Both lengths are derived from their password fields when building
        # and read from the wire when dissecting, where they size the two
        # XStrLenField entries below.
        LEFieldLenField("OEMPasswordLength", None, length_of="OEMPassword"),
        LEFieldLenField("UnicodePasswordLength",
                        None,
                        length_of="UnicodePassword"),
        LEIntField("Reserved", 0),
        FlagsField("ServerCapabilities", 0x05, -32, _SMB_ServerCapabilities),
        # Fixed default, not derived from the data that follows.
        LEShortField("ByteCount", 35),
        # Credential material as carried in the request. "Pass" and "GUEST"
        # are placeholder defaults; dissected captures hold the real values,
        # so treat decoded packets as sensitive and redact before sharing.
        XStrLenField("OEMPassword",
                     "Pass",
                     length_from=lambda x: x.OEMPasswordLength),
        XStrLenField("UnicodePassword",
                     "Pass",
                     length_from=lambda x: x.UnicodePasswordLength),
        ReversePadField(StrNullField("AccountName", "GUEST"), 2, b"\0"),
        _SMBStrNullField("PrimaryDomain", ""),
        _SMBStrNullField("NativeOS", "Windows 4.0"),
        _SMBStrNullField("NativeLanMan", "Windows 4.0"),
        # Off spec?
        # The fields from here on describe the chained Tree Connect AndX.
        ByteField("WordCount2", 4),
        ByteEnumField("AndXCommand2", 0xFF, {0xFF: "SMB_COM_NONE"}),
        ByteField("Reserved6", 0),
        LEShortField("AndXOffset2", 0),
        LEShortField("Flags3", 0x2),
        LEShortField("PasswordLength", 0x1),
        LEShortField("ByteCount2", 18),
        ByteField("Password", 0),
        StrNullField("Path", "\\\\WIN2K\\IPC$"),
        StrNullField("Service", "IPC")
    ]
Esempio n. 10
class LenStringPacketLE(Packet):
    """Little-endian length-prefixed string.

    Two mutually exclusive definitions of `data` are declared; which one is
    active depends on whether `length` is zero.
    """
    name = "len string packet"
    fields_desc = [
        # 16-bit little-endian length, read from the wire when dissecting.
        LEFieldLenField('length', 0, length_of='data', fmt="<H"),
        # length == 0: `data` still consumes length + 2 bytes, i.e. two bytes.
        # NOTE(review): the reason for the extra two bytes is not visible
        # here - confirm against the protocol description.
        ConditionalField(
            StrLenField('data', None, length_from=lambda pkt: pkt.length + 2),
            lambda pkt: pkt.length == 0),
        # length != 0: `data` consumes exactly `length` bytes.
        ConditionalField(
            StrLenField('data', '', length_from=lambda pkt: pkt.length),
            lambda pkt: pkt.length != 0),
    ]

    def extract_padding(self, p):
        """Return an empty payload and hand all remaining bytes back as padding."""
        return b"", p
Esempio n. 11
File: smb.py Progetto: phretor/scapy
class SMBNegotiate_Response_Extended_Security(_SMBNegotiate_Response):
    """SMB negotiate response carrying a server GUID and a security blob.

    Reuses the first 12 field descriptors of
    SMBNegotiate_Response_NoSecurity and appends ByteCount, GUID and
    SecurityBlob.
    """
    name = "SMB Negotiate Extended Security Response (SMB)"
    # presumably replaces the inherited WordCount default - TODO confirm
    WordCount = 0x11
    fields_desc = SMBNegotiate_Response_NoSecurity.fields_desc[:12] + [
        # On build: blob length plus 16, which matches the 16-byte GUID that
        # precedes the blob.
        LEFieldLenField("ByteCount",
                        None,
                        length_of="SecurityBlob",
                        adjust=lambda _, x: x + 16),
        UUIDField("GUID", None, uuid_fmt=UUIDField.FORMAT_LE),
        # NOTE(review): ByteCount comes from the wire when dissecting; a value
        # below 16 makes this length negative - confirm how PacketLenField
        # treats that before relying on the decoded blob.
        PacketLenField("SecurityBlob",
                       None,
                       GSSAPI_BLOB,
                       length_from=lambda x: x.ByteCount - 16)
    ]
Esempio n. 12
File: smb.py Progetto: phretor/scapy
class SMBNegotiate_Response_Security(_SMBNegotiate_Response):
    """SMB negotiate response with a challenge, domain name and server name.

    Reuses the first 12 field descriptors of
    SMBNegotiate_Response_NoSecurity and appends ByteCount, Challenge,
    DomainName and ServerName.
    """
    name = "SMB Negotiate Non-Extended Security Response (SMB)"
    # presumably replaces the inherited WordCount default - TODO confirm
    WordCount = 0x11
    fields_desc = SMBNegotiate_Response_NoSecurity.fields_desc[:12] + [
        # On build: length of DomainName plus len() of Challenge and of
        # ServerName.
        # NOTE(review): ServerName is a UTF-16 field; len() of its value may
        # not equal its encoded size on the wire - confirm.
        LEFieldLenField("ByteCount",
                        None,
                        length_of="DomainName",
                        adjust=lambda pkt, x: x + len(pkt.Challenge) + len(
                            pkt.ServerName)),
        # Challenge size is taken from ChallengeLength, a wire value.
        StrLenField(
            "Challenge",
            b"",  # aka EncryptionKey
            length_from=lambda pkt: pkt.ChallengeLength),
        StrNullField("DomainName", "WORKGROUP"),
        StrNullFieldUtf16("ServerName", "RMFF1")
    ]
Esempio n. 13
class PCOMBinaryResponse(PCOMBinary):
    """PCOM/Binary response frame: fixed header, sized data and trailer.

    The frame opens with the "/_OPLC" start marker and closes with the 0x5c
    end byte; header and footer checksums bracket the data section.
    """
    name = "PCOM/Binary Response"
    fields_desc = [
        StrFixedLenField("stx", "/_OPLC", 6),
        XByteField("reserved1", 0xfe),
        XByteField("id", 0x0),
        XByteField("reserved2", 0x1),
        LEX3BytesField("reserved3", 0x0),
        PCOMBinaryCommandField("command", None),
        XByteField("reserved4", 0x0),
        StrFixedLenField("commandSpecific", '', 6),
        # Length of `data`; read from the frame when dissecting and used to
        # size the data field below.
        LEFieldLenField("len", 0, length_of="data"),
        # Both checksums default to None.
        # NOTE(review): presumably filled in at build time by code outside
        # this class; nothing here verifies them on dissection - confirm.
        XLEShortField("headerChksum", None),
        StrLenField("data", '', length_from=lambda pkt: pkt.len),
        XLEShortField("footerChksum", None),
        XByteField("etx", 0x5c)
    ]
Esempio n. 14
File: smb.py Progetto: phretor/scapy
class SMBSession_Setup_AndX_Response_Extended_Security(Packet):
    """Session Setup AndX response that carries a security blob.

    Reuses the first five field descriptors of
    SMBSession_Setup_AndX_Response and appends the blob length, ByteCount,
    the blob itself and the two host description strings.
    """
    name = "Session Setup AndX Extended Security Response (SMB)"
    # presumably replaces the WordCount default of the reused fields -
    # TODO confirm
    WordCount = 7
    fields_desc = SMBSession_Setup_AndX_Response.fields_desc[:5] + [
        # Derived from SecurityBlob when building; read from the wire when
        # dissecting, where it sizes the blob below.
        LEFieldLenField("SecurityBlobLength", None, length_of="SecurityBlob"),
        # Fixed default, not derived from the data that follows.
        LEShortField("ByteCount", 25),
        PacketLenField("SecurityBlob",
                       None,
                       GSSAPI_BLOB,
                       length_from=lambda x: x.SecurityBlobLength),
        ReversePadField(
            _SMBStrNullField("NativeOS", "Windows 4.0"),
            2,
            b"\0",
        ),
        _SMBStrNullField("NativeLanMan", "Windows 4.0")
    ]
Esempio n. 15
class OpcDaFackLE(Packet):
    """Little-endian "fack" body: window and size values plus a counted list.

    All multi-byte fields are little-endian; selackLen counts the entries of
    the selack list that follows it.
    """
    name = "OpcDaFackLE"
    fields_desc = [
        LEShortField('version', 0),
        ByteField('pad', 0),
        LEShortField('windowSize', 0),
        LEIntField('maxTsdu', 0),
        LEIntField('maxFragSize', 0),
        LEShortField('serialNum', 0),
        # Entry count; read from the wire when dissecting.
        LEFieldLenField('selackLen', 0, count_of='selack', fmt="<H"),
        # NOTE(review): PacketListField is given LEIntField, a field class,
        # where a packet class is expected; a FieldListField over LEIntField
        # instances may have been intended - confirm before relying on the
        # dissection of non-empty lists.
        PacketListField('selack',
                        None,
                        LEIntField,
                        count_from=lambda pkt: pkt.selackLen),
    ]

    def extract_padding(self, p):
        """Return an empty payload and hand all remaining bytes back as padding."""
        return b"", p
Esempio n. 16
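class SMBNegociate_Protocol_Response_Advanced_Security(Packet):
    """SMB negotiate response with extended security (GUID + security blob).

    The layout holds the SMB header, the negotiate parameters and a data
    section made of a 16-byte GUID followed by the security blob. ByteCount
    covers the whole data section, GUID included.
    """
    name = "SMBNegociate Protocol Response Advanced Security"
    fields_desc = [
        # --- SMB header ---
        StrFixedLenField("Start", b"\xffSMB", 4),
        ByteEnumField("Command", 0x72, {0x72: "SMB_COM_NEGOTIATE"}),
        ByteField("Error_Class", 0),
        ByteField("Reserved", 0),
        LEShortField("Error_Code", 0),
        ByteField("Flags", 0x98),
        LEShortField("Flags2", 0x0000),
        LEShortField("PIDHigh", 0x0000),
        LELongField("Signature", 0x0),
        LEShortField("Unused", 0x0),
        LEShortField("TID", 0),
        LEShortField("PID", 1),
        LEShortField("UID", 0),
        LEShortField("MID", 2),
        # --- negotiate parameters ---
        ByteField("WordCount", 17),
        LEShortField("DialectIndex", 7),
        ByteField("SecurityMode", 0x03),
        LEShortField("MaxMpxCount", 50),
        LEShortField("MaxNumberVC", 1),
        LEIntField("MaxBufferSize", 16144),
        LEIntField("MaxRawSize", 65536),
        LEIntField("SessionKey", 0x0000),
        LEShortField("ServerCapabilities", 0xf3f9),
        BitField("UnixExtensions", 0, 1),
        BitField("Reserved2", 0, 7),
        BitField("ExtendedSecurity", 1, 1),
        BitField("CompBulk", 0, 2),
        BitField("Reserved3", 0, 5),
        # There have been 127490112000000000 tenths of micro-seconds between
        # 1st january 1601 and 1st january 2005.
        # 127490112000000000 = 0x1C4EF94D6228000. The field named
        # ServerTimeHigh is sent first and carries the low 32 bits
        # (0xD6228000); ServerTimeLow carries the high 32 bits (0x1C4EF94).
        LEIntField("ServerTimeHigh", 0xD6228000),
        LEIntField("ServerTimeLow", 0x1C4EF94),
        LEShortField("ServerTimeZone", 0x3c),
        ByteField("EncryptionKeyLength", 0),
        # ByteCount counts the 16-byte GUID plus the blob, so 16 is added to
        # the blob length on build. The earlier "- 16" / "+ 16" pair had the
        # signs swapped, which under-reported the count when building and
        # read 32 bytes too many into the blob when dissecting.
        LEFieldLenField("ByteCount",
                        None,
                        "SecurityBlob",
                        adjust=lambda pkt, x: x + 16),
        BitField("GUID", 0, 128),
        # ByteCount is a wire value when dissecting; clamp at zero so a count
        # smaller than the GUID cannot turn into a negative slice length.
        StrLenField("SecurityBlob", "",
                    length_from=lambda x: max(x.ByteCount - 16, 0))
    ]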