class Dot11Auth(Packet):
name = "802.11 Authentication"
fields_desc = [LEShortEnumField("algo", 0, ["open", "sharedkey"]),
LEShortField("seqnum", 0),
LEShortEnumField("status", 0, status_code)]
def answers(self, other):
if self.seqnum == other.seqnum + 1:
return 1
return 0
class ResultElementLE(Packet):
name = "result"
fields_desc = [
LEShortEnumField('resultContextNegotiation', 0, _defResult),
ConditionalField(LEShortEnumField('reason', 0, _defReason),
lambda pkt: pkt.resultContextNegotiation != 0),
PacketField('transferSyntax', '\x00' * 20, SyntaxId),
]
def extract_padding(self, p):
return b"", p
class SMB2_Preauth_Integrity_Capabilities(Packet):
name = "SMB2 Preauth Integrity Capabilities"
fields_desc = [
# According to the spec, this field value must be greater than 0
# (cf Section 2.2.3.1.1 of MS-SMB2.pdf)
FieldLenField("HashAlgorithmCount",
1,
fmt="<H",
count_of="HashAlgorithms"),
FieldLenField("SaltLength", 0, fmt="<H", length_of="Salt"),
FieldListField(
"HashAlgorithms",
[0x0001],
LEShortEnumField(
"",
0x0,
{
# As for today, no other hash algorithm is described by the spec
0x0001: "SHA-512",
}),
count_from=lambda pkt: pkt.HashAlgorithmCount),
XStrLenField("Salt", "", length_from=lambda pkt: pkt.SaltLength),
]
def default_payload_class(self, payload):
return conf.padding_layer
class L2CAP_ConnResp(Packet):
name = "L2CAP Conn Resp"
fields_desc = [
LEShortField("dcid", 0),
LEShortField("scid", 0),
LEShortEnumField("result", 0, [
"success", "pend", "cr_bad_psm", "cr_sec_block", "cr_no_mem",
"reserved", "cr_inval_scid", "cr_scid_in_use"
]), # noqa: E501
LEShortEnumField("status", 0,
["no_info", "authen_pend", "author_pend", "reserved"
]), # noqa: E501
]
def answers(self, other):
return isinstance(other, L2CAP_ConnReq) and self.dcid == other.scid
class SMB2_Negociate_Context(Packet):
name = "SMB2 Negociate Context"
fields_desc = [
LEShortEnumField("ContextType", 0x0, SMB2_NEGOCIATE_CONTEXT_TYPES),
FieldLenField("DataLength", 0x0, fmt="<H", length_of="Data"),
IntField("Reserved", 0),
]
class SMB2_Compression_Capabilities(Packet):
name = "SMB2 Compression Capabilities"
fields_desc = [
FieldLenField(
"CompressionAlgorithmCount", 0,
fmt="<H",
count_of="CompressionAlgorithms"
),
ShortField("Padding", 0x0),
IntEnumField("Flags", 0x0, {
0x00000000: "SMB2_COMPRESSION_CAPABILITIES_FLAG_NONE",
0x00000001: "SMB2_COMPRESSION_CAPABILITIES_FLAG_CHAINED",
}),
FieldListField(
"CompressionAlgorithms",
None,
LEShortEnumField("", 0x0, SMB2_COMPRESSION_ALGORITHMS),
count_from=lambda pkt: pkt.CompressionAlgorithmCount,
),
# Pad the whole packet on 8 bytes
XStrLenField(
"Padding2", "",
length_from=lambda pkt:
(8 - (2 + 2 + 4 + pkt.CompressionAlgorithmCount * 2)) % 8
),
]
class USBpcap(Packet):
name = "USBpcap URB"
fields_desc = [ByteField("headerLen", None),
ByteField("res", 0),
XLELongField("irpId", 0),
LEIntEnumField("usbd_status", 0x0, _usbd_status_codes),
LEShortEnumField("function", 0, _urb_functions),
XByteField("info", 0),
LEShortField("bus", 0),
LEShortField("device", 0),
XByteField("endpoint", 0),
ByteEnumField("transfer", 0, _transfer_types),
LenField("dataLength", None, fmt="<I")]
def post_build(self, p, pay):
if self.headerLen is None:
headerLen = len(p)
if isinstance(self.payload, (USBpcapTransferIsochronous,
USBpcapTransferInterrupt,
USBpcapTransferControl)):
headerLen += len(self.payload) - len(self.payload.payload)
p = chb(headerLen) + p[1:]
return p + pay
def guess_payload_class(self, payload):
if self.headerLen == 27:
# No Transfer layer
return super(USBpcap, self).guess_payload_class(payload)
if self.transfer == 0:
return USBpcapTransferIsochronous
elif self.transfer == 1:
return USBpcapTransferInterrupt
elif self.transfer == 2:
return USBpcapTransferControl
return super(USBpcap, self).guess_payload_class(payload)
class OpcDaHeaderNLE(OpcDaHeaderN):
name = "OpcDaHeaderNextLE"
fields_desc = [
LEShortField('fragLenght', 0),
LEShortEnumField('authLenght', 0, _authentification_protocol),
LEIntField('callID', 0)
]
class LL_VERSION_IND(Packet):
name = "LL_VERSION_IND"
fields_desc = [
ByteEnumField("version", 8, BTLE_Versions),
LEShortEnumField("Company", 0, BTLE_Corp_IDs),
XShortField("subversion", 0)
]
class CtrlPDU(Packet):
name = "CtrlPDU"
fields_desc = [
XByteField("optcode", 0),
ByteEnumField("version", 0, BTLE_Versions),
LEShortEnumField("Company", 0, BTLE_Corp_IDs),
XShortField("subversion", 0)
]
class OpcDaBind_nakLE(Packet):
name = "OpcDaBind_nak"
fields_desc = [
LEShortEnumField("providerRejectReason", 0, _rejectBindNack)
] # To complete
def extract_padding(self, p):
return b"", p
class PPI_Hdr(Packet):
name = 'PPI Header'
fields_desc = [
LEShortEnumField('pfh_type', 0, PPI_TYPES),
LenField('pfh_length', None, fmt='<H'),
]
def mysummary(self):
return self.sprintf('PPI %pfh_type%')
class L2CAP_InfoReq(Packet):
name = "L2CAP Info Req"
fields_desc = [
LEShortEnumField("type", 0, {
1: "CL_MTU",
2: "FEAT_MASK"
}),
StrField("data", "")
]
class L2CAP_InfoResp(Packet):
name = "L2CAP Info Resp"
fields_desc = [
LEShortField("type", 0),
LEShortEnumField("result", 0, ["success", "not_supp"]),
StrField("data", ""),
]
def answers(self, other):
return self.type == other.type
class L2CAP_ConnReq(Packet):
name = "L2CAP Conn Req"
fields_desc = [
LEShortEnumField("psm", 0, {
1: "SDP",
3: "RFCOMM",
5: "telephony control"
}), # noqa: E501
LEShortField("scid", 0),
]
class ItemData(Packet):
"""Common Packet Format"""
name = "Item Data"
fields_desc = [
LEShortEnumField("typeId", 0, _itemID),
LEShortField("length", 0),
XLEStrLenField("data", "", length_from=lambda pkt: pkt.length),
]
def extract_padding(self, s):
return '', s
class PPI_Geotag_Sensor(HCSIPacket):
name = "PPI Sensor"
hcsi_fields = [
LEShortEnumField('SensorType', None, sensor_types),
SignedByteField('ScaleFactor', None),
Fixed6_4Field('Val_X', None),
Fixed6_4Field('Val_Y', None),
Fixed6_4Field('Val_Z', None),
Fixed6_4Field('Val_T', None),
Fixed6_4Field('Val_E', None),
] + _hcsi_null_range(7, 28)
class AttributeNameLE(Packet):
name = "Attribute"
fields_desc = [
LEShortEnumField('attributeItemType', 2, _attribute_type),
LEShortField('attributeItemLen', 0),
StrLenField('attributeItem',
'',
length_from=lambda pkt: pkt.attributeItemLen),
]
def extract_padding(self, p):
return b"", p
class L2CAP_ConfResp(Packet):
name = "L2CAP Conf Resp"
fields_desc = [
LEShortField("scid", 0),
LEShortField("flags", 0),
LEShortEnumField(
"result", 0,
["success", "unaccept", "reject", "unknown"]), # noqa: E501
]
def answers(self, other):
return isinstance(other, L2CAP_ConfReq) and self.scid == other.dcid
class SMB2_Compression_Transform_Header(Packet):
name = "SMB2 Compression Transform Header"
fields_desc = [
StrFixedLenField("Start", b"\xfcSMB", 4),
LEIntField("OriginalCompressedSegmentSize", 0x0),
LEShortEnumField("CompressionAlgorithm", 0,
SMB2_COMPRESSION_ALGORITHMS),
ShortEnumField(
"Flags", 0x0, {
0x0000: "SMB2_COMPRESSION_FLAG_NONE",
0x0001: "SMB2_COMPRESSION_FLAG_CHAINED",
}),
XLEIntField("Offset_or_Length", 0),
]
class SMB2_Negotiate_Protocol_Response(Packet):
name = "SMB2 Negotiate Protocol Response"
fields_desc = [
XLEShortField("StructureSize", 0),
FlagsField("SecurityMode", 0, -16, {
0x1: "Signing Required",
0x2: "Signing Enabled",
}),
LEShortEnumField("DialectRevision", 0x0, SMB_DIALECTS),
FieldLenField("NegotiateCount",
None,
fmt="<H",
count_of="NegotiateContexts"),
UUIDField("ServerGUID", 0x0, uuid_fmt=UUIDField.FORMAT_LE),
# Capabilities
FlagsField("Capabilities", 0, -32, SMB2_CAPABILITIES),
LEIntField("MaxTransactionSize", 0),
LEIntField("MaxReadSize", 0),
LEIntField("MaxWriteSize", 0),
UTCTimeField("SystemTime",
None,
fmt="<Q",
epoch=[1601, 1, 1, 0, 0, 0],
custom_scaling=1e7),
UTCTimeField("ServerStartTime",
None,
fmt="<Q",
epoch=[1601, 1, 1, 0, 0, 0],
custom_scaling=1e7),
XLEShortField("SecurityBlobOffset", 0),
FieldLenField("SecurityBlobLength",
None,
fmt="<H",
length_of="SecurityBlob"),
XLEIntField("NegotiateContextOffset", 0),
PacketLenField("SecurityBlob",
None,
GSSAPI_BLOB,
length_from=lambda x: x.SecurityBlobLength),
# Field only exists if Dialect is 0x0311
# Each negotiate context must be 8-byte aligned
ConditionalField(
FieldListField("NegotiateContexts", [],
ReversePadField(
PacketField("Context", None,
SMB2_Negotiate_Context), 8),
count_from=lambda pkt: pkt.NegotiateCount),
lambda x: x.DialectRevision == 0x0311),
]
class L2CAP_Hdr(Packet):
name = "L2CAP header"
fields_desc = [
LEShortField("len", None),
LEShortEnumField("cid", 0, {
1: "control",
4: "attribute"
}),
] # noqa: E501
def post_build(self, p, pay):
p += pay
if self.len is None:
p = struct.pack("<H", len(pay)) + p[2:]
return p
class ENIPTCP(Packet):
"""Ethernet/IP packet over TCP"""
name = "ENIPTCP"
fields_desc = [
LEShortEnumField("commandId", None, _commandIdList),
LEShortField("length", 0),
XLEIntField("session", 0),
LEIntEnumField("status", None, _statusList),
LELongField("senderContext", 0),
LEIntField("options", 0),
MultipleTypeField(
[
# List Services Reply
(PacketField("commandSpecificData", ENIPListServicesReply,
ENIPListServicesReply),
lambda pkt: pkt.commandId == 0x4),
# List Identity Reply
(PacketField("commandSpecificData", ENIPListIdentityReply,
ENIPListIdentityReply),
lambda pkt: pkt.commandId == 0x63),
# List Interfaces Reply
(PacketField("commandSpecificData", ENIPListInterfacesReply,
ENIPListInterfacesReply),
lambda pkt: pkt.commandId == 0x64),
# Register Session
(PacketField("commandSpecificData", ENIPRegisterSession,
ENIPRegisterSession),
lambda pkt: pkt.commandId == 0x65),
# Send RR Data
(PacketField("commandSpecificData", ENIPSendRRData,
ENIPSendRRData),
lambda pkt: pkt.commandId == 0x6f),
# Send Unit Data
(PacketField("commandSpecificData", ENIPSendUnitData,
ENIPSendUnitData),
lambda pkt: pkt.commandId == 0x70),
],
PacketField(
"commandSpecificData",
None,
CommandSpecificData) # By default
),
]
def post_build(self, pkt, pay):
if self.length is None and pay:
pkt = pkt[:2] + struct.pack("<H", len(pay)) + pkt[4:]
return pkt + pay
class SMB2_Encryption_Capabilities(Packet):
name = "SMB2 Encryption Capabilities"
fields_desc = [
# According to the spec, this field value must be greater than 0
# (cf Section 2.2.3.1.2 of MS-SMB2.pdf)
FieldLenField("CipherCount", 1, fmt="<H", count_of="Ciphers"),
FieldListField("Ciphers", [0x0001], LEShortEnumField("", 0x0, {
0x0001: "AES-128-CCM",
0x0002: "AES-128-GCM",
}), count_from=lambda pkt: pkt.CipherCount),
# Pad the whole packet on 8 bytes
XStrLenField(
"Padding", "",
length_from=lambda pkt: (8 - (2 + pkt.CipherCount * 2)) % 8
),
]
class SMB2_Encryption_Capabilities(Packet):
name = "SMB2 Encryption Capabilities"
fields_desc = [
# According to the spec, this field value must be greater than 0
# (cf Section 2.2.3.1.2 of MS-SMB2.pdf)
FieldLenField("CipherCount", 1, fmt="<H", count_of="Ciphers"),
FieldListField("Ciphers", [0x0001],
LEShortEnumField("", 0x0, {
0x0001: "AES-128-CCM",
0x0002: "AES-128-GCM",
}),
count_from=lambda pkt: pkt.CipherCount),
]
def default_payload_class(self, payload):
return conf.padding_layer
class SMB2_Negociate_Protocol_Response_Header(Packet):
name = "SMB2 Negociate Protocol Response Header"
fields_desc = [
XLEShortField("StructureSize", 0),
FlagsField("SecurityMode", 0, 16, {
0x7: "Signing Required",
0x8: "Signing Enabled",
}),
LEShortEnumField("Dialect", 0x0, SMB_DIALECTS),
FieldLenField(
"NegociateCount", 0x0,
fmt="<H",
count_of="NegociateContexts"
),
UUIDField("ServerGUID", 0x0, uuid_fmt=UUIDField.FORMAT_LE),
# Capabilities
FlagsField("Capabilities", 0, 32, SMB2_CAPABILITIES),
LEIntField("MaxTransactionSize", 0),
LEIntField("MaxReadSize", 0),
LEIntField("MaxWriteSize", 0),
# TODO FIXME
XLongField("SystemTime", 0),
XLongField("ServerStartTime", 0),
XLEShortField("SecurityBufferOffset", 0),
FieldLenField(
"SecurityBufferLength", 0,
fmt="<H",
length_of="SecurityBuffer"
),
XLEIntField("NegociateContextOffset", 0),
# TODO FIXME
XStrLenField(
"SecurityBuffer", None,
length_from=lambda pkt: pkt.SecurityBufferLength
),
PacketListField(
"NegociateContexts", [],
SMB2_Negociate_Context,
count_from=lambda pkt: pkt.NegociateCount
),
]
class SMB2_Negociate_Protocol_Request_Header(Packet):
name = "SMB2 Negociate Protocol Request Header"
fields_desc = [
XLEShortField("StructureSize", 0),
FieldLenField(
"DialectCount", 0,
fmt="<H",
count_of="Dialects"
),
# SecurityMode
FlagsField("SecurityMode", 0, 16, {
0x7: "Signing Required",
0x8: "Signing Enabled",
}),
LEShortField("Reserved", 0),
# Capabilities
FlagsField("Capabilities", 0, 32, SMB2_CAPABILITIES),
UUIDField("ClientGUID", 0x0, uuid_fmt=UUIDField.FORMAT_LE),
XLEIntField("NegociateContextOffset", 0x0),
FieldLenField(
"NegociateCount", 0x0,
fmt="<H",
count_of="NegociateContexts"
),
ShortField("Reserved2", 0),
# Padding the dialects - the whole packet (from the
# beginning) should be aligned on 8 bytes ; so the list of
# dialects should be aligned on 6 bytes (because it starts
# at PKT + 8 * N + 2
PadField(FieldListField(
"Dialects", [0x0202],
LEShortEnumField("", 0x0, SMB_DIALECTS),
count_from=lambda pkt: pkt.DialectCount
), 6),
PacketListField(
"NegociateContexts", [],
SMB2_Negociate_Context,
count_from=lambda pkt: pkt.NegociateCount
),
]
class AV_PAIR(Packet):
name = "NTLM AV Pair"
fields_desc = [
LEShortEnumField(
'AvId', 0, {
0x0000: "MsvAvEOL",
0x0001: "MsvAvNbComputerName",
0x0002: "MsvAvNbDomainName",
0x0003: "MsvAvDnsComputerName",
0x0004: "MsvAvDnsDomainName",
0x0005: "MsvAvDnsTreeName",
0x0006: "MsvAvFlags",
0x0007: "MsvAvTimestamp",
0x0008: "MsvAvSingleHost",
0x0009: "MsvAvTargetName",
0x000A: "MsvAvChannelBindings",
}),
FieldLenField('AvLen', None, length_of="Value", fmt="<H"),
MultipleTypeField([
(LEIntEnumField(
'Value', 1, {
0x0001: "constrained",
0x0002: "MIC integrity",
0x0004: "SPN from untrusted source"
}), lambda pkt: pkt.AvId == 0x0006),
(UTCTimeField("Value",
None,
epoch=[1601, 1, 1, 0, 0, 0],
custom_scaling=1e7,
fmt="<Q"), lambda pkt: pkt.AvId == 0x0007),
(PacketField('Value', Single_Host_Data(),
Single_Host_Data), lambda pkt: pkt.AvId == 0x0008),
(XStrLenField('Value', b"", length_from=lambda pkt: pkt.AvLen),
lambda pkt: pkt.AvId == 0x000A),
], StrLenFieldUtf16('Value', b"", length_from=lambda pkt: pkt.AvLen))
]
def default_payload_class(self, payload):
return conf.padding_layer
class SMB2_Preauth_Integrity_Capabilities(Packet):
name = "SMB2 Preauth Integrity Capabilities"
fields_desc = [
# According to the spec, this field value must be greater than 0
# (cf Section 2.2.3.1.1 of MS-SMB2.pdf)
FieldLenField(
"HashAlgorithmCount", 1,
fmt="<H",
count_of="HashAlgorithms"
),
FieldLenField("SaltLength", 0, fmt="<H", length_of="Salt"),
FieldListField("HashAlgorithms", [0x0001], LEShortEnumField("", 0x0, {
# As for today, no other hash algorithm is described by the spec
0x0001: "SHA-512",
}), count_from=lambda pkt: pkt.HashAlgorithmCount),
XStrLenField("Salt", "", length_from=lambda pkt: pkt.SaltLength),
# Pad the whole packet on 8 bytes
XStrLenField(
"Padding", "",
length_from=lambda pkt:
(8 - (4 + pkt.HashAlgorithmCount * 2 + pkt.SaltLength)) % 8
),
]
class SMB2_Compression_Capabilities(Packet):
name = "SMB2 Compression Capabilities"
fields_desc = [
FieldLenField("CompressionAlgorithmCount",
0,
fmt="<H",
count_of="CompressionAlgorithms"),
ShortField("Padding", 0x0),
IntEnumField(
"Flags", 0x0, {
0x00000000: "SMB2_COMPRESSION_CAPABILITIES_FLAG_NONE",
0x00000001: "SMB2_COMPRESSION_CAPABILITIES_FLAG_CHAINED",
}),
FieldListField(
"CompressionAlgorithms",
None,
LEShortEnumField("", 0x0, SMB2_COMPRESSION_ALGORITHMS),
count_from=lambda pkt: pkt.CompressionAlgorithmCount,
),
]
def default_payload_class(self, payload):
return conf.padding_layer