class Dot11EltRSN(Dot11Elt):
    """802.11 RSN information element (element ID 48).

    Layout: version, group cipher suite, pairwise cipher suite list, AKM
    suite list, a 16-bit RSN capabilities word and, when the declared
    element length leaves room for it, a trailing PMKID list.
    """
    name = "802.11 RSN information"
    fields_desc = [
        ByteField("ID", 48),
        ByteField("len", None),
        LEShortField("version", 1),
        PacketField("group_cipher_suite", RSNCipherSuite(), RSNCipherSuite),
        # Each count is tied to its list (count_of on build, count_from on
        # dissection).  The defaults are 1, not None, so the count is only
        # re-derived from the list when a caller sets it to None.
        LEFieldLenField("nb_pairwise_cipher_suites", 1,
                        count_of="pairwise_cipher_suites"),
        PacketListField("pairwise_cipher_suites", [RSNCipherSuite()],
                        RSNCipherSuite,
                        count_from=lambda p: p.nb_pairwise_cipher_suites),
        LEFieldLenField("nb_akm_suites", 1, count_of="akm_suites"),
        PacketListField("akm_suites", [AKMSuite()], AKMSuite,
                        count_from=lambda p: p.nb_akm_suites),
        # RSN capabilities.  mfp_* = management frame protection.
        BitField("mfp_capable", 0, 1),
        BitField("mfp_required", 0, 1),
        BitField("gtksa_replay_counter", 0, 2),
        BitField("ptksa_replay_counter", 0, 2),
        BitField("no_pairwise", 0, 1),
        BitField("pre_auth", 0, 1),
        BitField("reserved", 0, 8),
        # The PMKID list is dissected only when len exceeds the fixed part
        # (version 2 + group suite 4 + two counts 2+2 + capabilities 2 = 12)
        # plus 4 bytes per listed suite by at least 18 bytes, i.e. a 2-byte
        # PMKID count plus one 16-byte PMKID.  While building (len is None)
        # the field is never emitted, so a caller that wants PMKIDs on the
        # wire has to set len explicitly.
        ConditionalField(
            PacketField("pmkids", None, PMKIDListPacket),
            lambda pkt: (0 if pkt.len is None else
                         pkt.len - (12 + (pkt.nb_pairwise_cipher_suites * 4) +
                                    (pkt.nb_akm_suites * 4)) >= 18))
    ]
class Dot11EltMicrosoftWPA(Dot11Elt):
    """Vendor-specific element (ID 221) carrying the Microsoft WPA IE.

    Identified by OUI 00-50-F2 and type 0x01.  The body mirrors the RSN
    element (group cipher, pairwise cipher list, AKM list) but has no
    capabilities word and no PMKID list.
    """
    name = "802.11 Microsoft WPA"
    fields_desc = [
        ByteField("ID", 221),
        ByteField("len", None),
        X3BytesField("oui", 0x0050f2),
        XByteField("type", 0x01),
        LEShortField("version", 1),
        PacketField("group_cipher_suite", RSNCipherSuite(), RSNCipherSuite),
        LEFieldLenField(
            "nb_pairwise_cipher_suites", 1,
            count_of="pairwise_cipher_suites"
        ),
        # NOTE(review): the list defaults are a bare RSNCipherSuite() /
        # AKMSuite(), not a one-element list as in Dot11EltRSN -- confirm
        # PacketListField normalises a single packet into a list.
        PacketListField(
            "pairwise_cipher_suites", RSNCipherSuite(), RSNCipherSuite,
            count_from=lambda p: p.nb_pairwise_cipher_suites
        ),
        LEFieldLenField(
            "nb_akm_suites", 1,
            count_of="akm_suites"
        ),
        PacketListField(
            "akm_suites", AKMSuite(), AKMSuite,
            count_from=lambda p: p.nb_akm_suites
        )
    ]
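class Dot11EltRSN(Packet):
    """802.11 RSN information element, standalone variant.

    After dissection the ``enc``, ``cipher`` and ``auth`` attributes contain
    the decoded 'security' details summarised from the suite selectors:
    ``enc`` is 'WPA2' unless the selected cipher is WEP, ``cipher`` is the
    first of CCMP/TKIP/WEP found in the pairwise list (or the group cipher
    when the pairwise list says "use group cipher"), and ``auth`` is the
    label of the first AKM suite.
    """
    name = '802.11 RSN Information Element'
    # 4-byte suite selectors (OUI 00-0F-AC + suite type) -> label.
    # Type 0 means "use the group cipher"; types 1 and 5 are both WEP.
    # NOTE(review): keys are str; under Python 3 Scapy the dissected field
    # values are bytes, so these lookups would miss -- confirm the target
    # Python version before relying on enc/cipher/auth.
    cipher_suites = {
        '\x00\x0f\xac\x00': 'GROUP',
        '\x00\x0f\xac\x01': 'WEP',
        '\x00\x0f\xac\x02': 'TKIP',
        '\x00\x0f\xac\x04': 'CCMP',
        '\x00\x0f\xac\x05': 'WEP'
    }
    auth_suites = {
        '\x00\x0f\xac\x01': 'MGT',
        '\x00\x0f\xac\x02': 'PSK'
    }
    fields_desc = [
        ByteField('ID', 0),
        # NOTE(review): length_of names 'info', which is not a field of this
        # class; building with len=None presumably cannot resolve it, so set
        # len explicitly when constructing.
        FieldLenField("len", None, "info", "B"),
        LEShortField('version', 1),
        StrFixedLenField('group_cipher_suite', '', length=4),
        LEFieldLenField('pairwise_cipher_suite_count', 1,
                        count_of='pairwise_cipher_suite'),
        FieldListField('pairwise_cipher_suite', None,
                       StrFixedLenField('', '', length=4),
                       count_from=lambda pkt: pkt.pairwise_cipher_suite_count),
        LEFieldLenField('auth_cipher_suite_count', 1,
                        count_of='auth_cipher_suite'),
        FieldListField('auth_cipher_suite', None,
                       StrFixedLenField('', '', length=4),
                       count_from=lambda pkt: pkt.auth_cipher_suite_count),
        # RSN capabilities word.
        BitField('rsn_cap_pre_auth', 0, 1),
        BitField('rsn_cap_no_pairwise', 0, 1),
        BitField('rsn_cap_ptksa_replay_counter', 0, 2),
        BitField('rsn_cap_gtksa_replay_counter', 0, 2),
        BitField('rsn_cap_mgmt_frame_protect_required', 0, 1),
        BitField('rsn_cap_mgmt_frame_protect_capable', 0, 1),
        BitField('rsn_cap_reserved_1', 0, 1),
        BitField('rsn_cap_peer_key_enabled', 0, 1),
        BitField('rsn_cap_reserved_2', 0, 6),
    ]

    def post_dissection(self, pkt):
        """Parse cipher suites to determine encryption, cipher, and
        authentication methods, storing them in enc/cipher/auth.

        Args:
            pkt: the packet being dissected (unused; the fields are read
                from ``self``).
        """
        self.enc = 'WPA2'  # Everything is assumed to be WPA
        self.cipher = ''
        self.auth = ''

        pairwise = self.getfieldval('pairwise_cipher_suite') or []
        ciphers = [self.cipher_suites.get(selector) for selector in pairwise]
        if 'GROUP' in ciphers:
            # A pairwise entry of "use group cipher" defers to the group
            # selector, which is one 4-byte string and must be looked up as
            # a whole.  (The previous version iterated over the string, so
            # each single character was looked up against 4-byte keys,
            # never matched, and left cipher empty.)
            group = self.getfieldval('group_cipher_suite')
            ciphers = [self.cipher_suites.get(group, '')]

        # Preference order when several ciphers are listed.
        for candidate in ['CCMP', 'TKIP', 'WEP']:
            if candidate in ciphers:
                self.cipher = candidate
                break
        if self.cipher == 'WEP':
            self.enc = 'WEP'

        # Only the first AKM suite is reported (unchanged behaviour).
        akms = self.getfieldval('auth_cipher_suite') or []
        if akms:
            self.auth = self.auth_suites.get(akms[0], '')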
class Dot11EltRSN(Dot11Elt):
    """802.11 RSN information element (element ID 48).

    Layout: version, group cipher suite, pairwise cipher suite list, AKM
    suite list, a 16-bit RSN capabilities word, then two optional trailers:
    a PMKID list (when the declared length leaves room for it) and a group
    management cipher suite (when mfp_capable is set).
    """
    name = "802.11 RSN information"
    # Take part in Dot11Elt's ID-based subclass dispatch.
    match_subclass = True
    fields_desc = [
        ByteEnumField("ID", 48, _dot11_info_elts_ids),
        ByteField("len", None),
        LEShortField("version", 1),
        PacketField("group_cipher_suite", RSNCipherSuite(), RSNCipherSuite),
        # Counts default to None so they are derived from the lists on build
        # and drive the list lengths on dissection.
        LEFieldLenField(
            "nb_pairwise_cipher_suites", None,
            count_of="pairwise_cipher_suites"
        ),
        PacketListField(
            "pairwise_cipher_suites", [RSNCipherSuite()], RSNCipherSuite,
            count_from=lambda p: p.nb_pairwise_cipher_suites
        ),
        LEFieldLenField(
            "nb_akm_suites", None,
            count_of="akm_suites"
        ),
        PacketListField(
            "akm_suites", [AKMSuite()], AKMSuite,
            count_from=lambda p: p.nb_akm_suites
        ),
        # RSN capabilities.  mfp_* = management frame protection.
        BitField("mfp_capable", 0, 1),
        BitField("mfp_required", 0, 1),
        BitField("gtksa_replay_counter", 0, 2),
        BitField("ptksa_replay_counter", 0, 2),
        BitField("no_pairwise", 0, 1),
        BitField("pre_auth", 0, 1),
        BitField("reserved", 0, 8),
        # PMKID list: the fixed part (version 2 + group suite 4 + two counts
        # 2+2 + capabilities 2 = 12) plus 4 bytes per listed suite must leave
        # at least 2 bytes (the PMKID count) for the trailer to be parsed.
        # While building (len is None) the field is never emitted, so a
        # caller that wants PMKIDs on the wire has to set len explicitly.
        # NOTE(review): with len set while a count is still None the
        # arithmetic below raises TypeError -- confirm counts are filled
        # before len in that path.
        ConditionalField(
            PacketField("pmkids", None, PMKIDListPacket),
            lambda pkt: (
                0 if pkt.len is None else
                pkt.len - (
                    12 + pkt.nb_pairwise_cipher_suites * 4 +
                    pkt.nb_akm_suites * 4
                ) >= 2
            )
        ),
        # Group management cipher suite, default selector 0x6 (presumably
        # BIP -- verify against the 802.11 suite table).  Only decoded when
        # the capabilities advertise MFP support.
        ConditionalField(
            PacketField("group_management_cipher_suite",
                        RSNCipherSuite(cipher=0x6), RSNCipherSuite),
            lambda pkt: pkt.mfp_capable == 1
        )
    ]
class SMBNegotiate_Response_NoSecurity(_SMBNegotiate_Response):
    """SMB_COM_NEGOTIATE response carrying no security blob (CIFS).

    The fields up to ChallengeLength are shared with the Security and
    Extended Security response variants, which slice ``fields_desc[:12]``
    and append their own data block.
    """
    name = "SMB Negotiate No-Security Response (CIFS)"
    fields_desc = [
        ByteField("WordCount", 0x1),
        LEShortField("DialectIndex", 7),
        # Default 0x03 = USER_SECURITY | ENCRYPT_PASSWORDS.  Both signing
        # bits are clear, i.e. the default advertises message signing as
        # neither enabled nor required.
        FlagsField("SecurityMode", 0x03, 8, [
            "USER_SECURITY",
            "ENCRYPT_PASSWORDS",
            "SECURITY_SIGNATURES_ENABLED",
            "SECURITY_SIGNATURES_REQUIRED"
        ]),
        LEShortField("MaxMpxCount", 50),
        LEShortField("MaxNumberVC", 1),
        LEIntField("MaxBufferSize", 16144),
        LEIntField("MaxRawSize", 65536),
        LEIntField("SessionKey", 0x0000),
        # -32: 32 flag bits, little-endian.
        FlagsField("ServerCapabilities", 0xf3f9, -32, _SMB_ServerCapabilities),
        # 64-bit little-endian count of 1e-7 s (100 ns) ticks since
        # 1601-01-01.
        UTCTimeField("ServerTime", None, fmt="<Q",
                     epoch=[1601, 1, 1, 0, 0, 0], custom_scaling=1e7),
        LEShortField("ServerTimeZone", 0x3c),
        ByteField("ChallengeLength", 0),  # aka EncryptionKeyLength
        # ByteCount covers the whole variable tail: the challenge plus the
        # null-terminated domain name.
        LEFieldLenField("ByteCount", None, length_of="DomainName",
                        adjust=lambda pkt, x: x + len(pkt.Challenge)),
        StrLenField(
            "Challenge", b"",  # aka EncryptionKey
            length_from=lambda pkt: pkt.ChallengeLength),
        StrNullField("DomainName", "WORKGROUP")
    ]
class SMBSession_Setup_AndX_Request(Packet):
    """Legacy SMB_COM_SESSION_SETUP_ANDX request, SMB header included, with a
    chained SMB_COM_TREE_CONNECT_ANDX.

    Layout: SMB header (Start .. MID), session-setup parameter words, its
    data block (password, account, domain, OS strings), then the
    tree-connect parameter words and data block.
    """
    name = "Session Setup AndX Request"
    fields_desc = [
        # --- SMB header ---
        StrFixedLenField("Start", b"\xffSMB", 4),
        ByteEnumField("Command", 0x73, {0x73: "SMB_COM_SESSION_SETUP_ANDX"}),
        ByteField("Error_Class", 0),
        ByteField("Reserved", 0),
        LEShortField("Error_Code", 0),
        ByteField("Flags", 0x18),
        LEShortField("Flags2", 0x0001),
        LEShortField("PIDHigh", 0x0000),
        LELongField("Signature", 0x0),
        LEShortField("Unused", 0x0),
        LEShortField("TID", 0),
        LEShortField("PID", 1),
        LEShortField("UID", 0),
        LEShortField("MID", 2),
        # --- SESSION_SETUP_ANDX parameter words ---
        ByteField("WordCount", 13),
        ByteEnumField("AndXCommand", 0x75, {0x75: "SMB_COM_TREE_CONNECT_ANDX"}),
        ByteField("Reserved2", 0),
        LEShortField("AndXOffset", 96),
        LEShortField("MaxBufferS", 2920),
        LEShortField("MaxMPXCount", 50),
        LEShortField("VCNumber", 0),
        LEIntField("SessionKey", 0),
        # Only the ANSI password length is derived; the Unicode length is a
        # fixed 0 and no Unicode password field exists in this layout.
        LEFieldLenField("ANSIPasswordLength", None, "ANSIPassword"),
        LEShortField("UnicodePasswordLength", 0),
        LEIntField("Reserved3", 0),
        LEShortField("ServerCapabilities", 0x05),
        BitField("UnixExtensions", 0, 1),
        BitField("Reserved4", 0, 7),
        BitField("ExtendedSecurity", 0, 1),
        BitField("CompBulk", 0, 2),
        BitField("Reserved5", 0, 5),
        # NOTE(review): ByteCount is a fixed default, not computed from the
        # strings below.  35 is exactly the size of the default data block
        # (4 + 6 + 1 + 12 + 12); it must be set by hand when building with
        # other values.
        LEShortField("ByteCount", 35),
        # --- SESSION_SETUP_ANDX data block ---
        StrLenField("ANSIPassword", "Pass",
                    length_from=lambda x: x.ANSIPasswordLength),
        StrNullField("Account", "GUEST"),
        StrNullField("PrimaryDomain", ""),
        StrNullField("NativeOS", "Windows 4.0"),
        StrNullField("NativeLanManager", "Windows 4.0"),
        # --- chained TREE_CONNECT_ANDX ---
        ByteField("WordCount2", 4),
        ByteEnumField("AndXCommand2", 0xFF, {0xFF: "SMB_COM_NONE"}),
        ByteField("Reserved6", 0),
        LEShortField("AndXOffset2", 0),
        LEShortField("Flags3", 0x2),
        LEShortField("PasswordLength", 0x1),
        # Fixed as well: 18 = 1 (Password) + 13 (Path) + 4 (Service).
        LEShortField("ByteCount2", 18),
        ByteField("Password", 0),
        StrNullField("Path", "\\\\WIN2K\\IPC$"),
        StrNullField("Service", "IPC")
    ]
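class PMKIDListPacket(Packet):
    """Trailing PMKID list of an RSN element: a little-endian 16-bit count
    followed by that many 16-byte PMKIDs.

    The count is tied to ``pmkid_list`` so it can be derived on build when
    a caller sets ``nb_pmkids=None``; on dissection ``nb_pmkids`` entries
    are read.
    """
    name = "PMKIDs"
    fields_desc = [
        # count_of must name the list field below.  The original referred to
        # a non-existent "pmk_id_list", so a count left as None could never
        # be resolved against the actual list.
        LEFieldLenField("nb_pmkids", 0, count_of="pmkid_list"),
        FieldListField("pmkid_list", None,
                       XStrFixedLenField("", "", length=16),
                       count_from=lambda pkt: pkt.nb_pmkids)
    ]

    def extract_padding(self, s):
        """Return (payload, padding): nothing after the list belongs to this
        layer, so every remaining byte is handed back as padding."""
        # bytes rather than str, matching the other extract_padding
        # overrides and Python 3 Scapy.
        return b"", s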
class SMBNegotiate_Request(Packet):
    """SMB_COM_NEGOTIATE request: the list of dialects the client offers."""
    name = "SMB Negotiate Request"
    fields_desc = [
        ByteField("WordCount", 0),
        # NOTE(review): on build ByteCount is len(Dialects) + 1, but on
        # dissection the full ByteCount is fed to the Dialects list, so the
        # two directions differ by one byte -- confirm the +1 is intended.
        LEFieldLenField("ByteCount", None, length_of="Dialects",
                        adjust=lambda pkt, x: x + 1),
        PacketListField("Dialects", [SMB_Dialect()], SMB_Dialect,
                        length_from=lambda pkt: pkt.ByteCount)
    ]
class SMBSession_Setup_AndX_Request(Packet):
    """SMB_COM_SESSION_SETUP_ANDX request body (CIFS), header not included,
    with a chained SMB_COM_TREE_CONNECT_ANDX.

    Layout: session-setup parameter words, its data block (OEM and Unicode
    password responses, account, domain, OS strings), then the
    tree-connect parameter words and data block.
    """
    name = "Session Setup AndX Request (CIFS)"
    fields_desc = [
        # --- SESSION_SETUP_ANDX parameter words ---
        ByteField("WordCount", 13),
        ByteEnumField("AndXCommand", 0x75, SMB_COM),
        ByteField("AndXReserved", 0),
        LEShortField("AndXOffset", 96),
        LEShortField("MaxBufferSize", 2920),
        LEShortField("MaxMPXCount", 50),
        LEShortField("VCNumber", 0),
        LEIntField("SessionKey", 0),
        # Both password lengths are derived from their fields on build.
        LEFieldLenField("OEMPasswordLength", None, length_of="OEMPassword"),
        LEFieldLenField("UnicodePasswordLength", None,
                        length_of="UnicodePassword"),
        LEIntField("Reserved", 0),
        # -32: 32 flag bits, little-endian.
        FlagsField("ServerCapabilities", 0x05, -32, _SMB_ServerCapabilities),
        # NOTE(review): fixed default, not computed from the variable-length
        # fields below; set it explicitly when building with other values.
        LEShortField("ByteCount", 35),
        # --- SESSION_SETUP_ANDX data block ---
        # NOTE(review): both password fields default to "Pass", so a default
        # build sends an OEM and a Unicode password response at once.
        XStrLenField("OEMPassword", "Pass",
                     length_from=lambda x: x.OEMPasswordLength),
        XStrLenField("UnicodePassword", "Pass",
                     length_from=lambda x: x.UnicodePasswordLength),
        # AccountName is 2-byte aligned (padding precedes the field).
        ReversePadField(StrNullField("AccountName", "GUEST"), 2, b"\0"),
        _SMBStrNullField("PrimaryDomain", ""),
        _SMBStrNullField("NativeOS", "Windows 4.0"),
        _SMBStrNullField("NativeLanMan", "Windows 4.0"),  # Off spec?
        # --- chained TREE_CONNECT_ANDX ---
        ByteField("WordCount2", 4),
        ByteEnumField("AndXCommand2", 0xFF, {0xFF: "SMB_COM_NONE"}),
        ByteField("Reserved6", 0),
        LEShortField("AndXOffset2", 0),
        LEShortField("Flags3", 0x2),
        LEShortField("PasswordLength", 0x1),
        # Fixed: 18 = 1 (Password) + 13 (Path) + 4 (Service) for the defaults.
        LEShortField("ByteCount2", 18),
        ByteField("Password", 0),
        StrNullField("Path", "\\\\WIN2K\\IPC$"),
        StrNullField("Service", "IPC")
    ]
class LenStringPacketLE(Packet):
    """Little-endian length-prefixed string.

    NOTE(review): two ConditionalFields share the name 'data'.  When the
    16-bit prefix is 0 the first variant reads ``length + 2`` bytes;
    otherwise the second reads exactly ``length`` bytes.  The wire format
    that motivates the +2 special case is not visible here, and it is not
    clear which of the two 'data' fields the ``length_of`` on ``length``
    resolves to when building -- confirm both against the protocol.
    """
    name = "len string packet"
    fields_desc = [
        LEFieldLenField('length', 0, length_of='data', fmt="<H"),
        ConditionalField(
            StrLenField('data', None, length_from=lambda pkt: pkt.length + 2),
            lambda pkt: pkt.length == 0),
        ConditionalField(
            StrLenField('data', '', length_from=lambda pkt: pkt.length),
            lambda pkt: pkt.length != 0),
    ]

    def extract_padding(self, p):
        """Return (payload, padding): no payload, all remaining bytes are
        handed back as padding."""
        return b"", p
class SMBNegotiate_Response_Extended_Security(_SMBNegotiate_Response):
    """SMB_COM_NEGOTIATE response with extended security.

    Reuses the first 12 fields of the no-security response (WordCount ..
    ChallengeLength) and appends a server GUID plus a GSS-API security blob.
    """
    name = "SMB Negotiate Extended Security Response (SMB)"
    # NOTE(review): this is a class attribute, not the field default -- the
    # sliced WordCount field still defaults to 0x1.  Presumably
    # _SMBNegotiate_Response applies this value on build; verify.
    WordCount = 0x11
    fields_desc = SMBNegotiate_Response_NoSecurity.fields_desc[:12] + [
        # ByteCount = 16 (GUID) + len(SecurityBlob); the blob length is
        # recovered the same way on dissection.
        LEFieldLenField("ByteCount", None, length_of="SecurityBlob",
                        adjust=lambda _, x: x + 16),
        UUIDField("GUID", None, uuid_fmt=UUIDField.FORMAT_LE),
        PacketLenField("SecurityBlob", None, GSSAPI_BLOB,
                       length_from=lambda x: x.ByteCount - 16)
    ]
class SMBNegotiate_Response_Security(_SMBNegotiate_Response):
    """SMB_COM_NEGOTIATE response with non-extended (challenge/response)
    security.

    Reuses the first 12 fields of the no-security response (WordCount ..
    ChallengeLength) and appends the challenge, the domain name and the
    UTF-16 server name.
    """
    name = "SMB Negotiate Non-Extended Security Response (SMB)"
    # NOTE(review): class attribute, not the field default -- the sliced
    # WordCount field still defaults to 0x1.  Presumably
    # _SMBNegotiate_Response applies this value on build; verify.
    WordCount = 0x11
    fields_desc = SMBNegotiate_Response_NoSecurity.fields_desc[:12] + [
        # ByteCount covers the whole data block: challenge + domain name +
        # server name.
        LEFieldLenField("ByteCount", None, length_of="DomainName",
                        adjust=lambda pkt, x: x + len(pkt.Challenge) + len(
                            pkt.ServerName)),
        StrLenField(
            "Challenge", b"",  # aka EncryptionKey
            length_from=lambda pkt: pkt.ChallengeLength),
        StrNullField("DomainName", "WORKGROUP"),
        StrNullFieldUtf16("ServerName", "RMFF1")
    ]
class PCOMBinaryResponse(PCOMBinary):
    """PCOM/Binary response frame.

    Layout: 6-byte STX marker, fixed header (reserved bytes, id, command,
    6 command-specific bytes), 16-bit data length, header checksum, data,
    footer checksum and an ETX byte.
    """
    name = "PCOM/Binary Response"
    fields_desc = [
        StrFixedLenField("stx", "/_OPLC", 6),
        XByteField("reserved1", 0xfe),
        XByteField("id", 0x0),
        XByteField("reserved2", 0x1),
        LEX3BytesField("reserved3", 0x0),
        PCOMBinaryCommandField("command", None),
        XByteField("reserved4", 0x0),
        StrFixedLenField("commandSpecific", '', 6),
        # NOTE(review): default 0 rather than None, so the length is derived
        # from ``data`` only when a caller sets len=None -- confirm this is
        # handled in the (not shown) post_build together with the checksums.
        LEFieldLenField("len", 0, length_of="data"),
        # Checksums default to None; presumably filled in by a post_build
        # that is not visible here.
        XLEShortField("headerChksum", None),
        StrLenField("data", '', length_from=lambda pkt: pkt.len),
        XLEShortField("footerChksum", None),
        XByteField("etx", 0x5c)
    ]
class SMBSession_Setup_AndX_Response_Extended_Security(Packet):
    """SMB_COM_SESSION_SETUP_ANDX response carrying a GSS-API security blob.

    Reuses the first five fields of SMBSession_Setup_AndX_Response (not
    shown here), then the blob length, byte count, blob and OS strings.
    """
    name = "Session Setup AndX Extended Security Response (SMB)"
    # NOTE(review): class attribute rather than a field default; confirm how
    # the enclosing code turns it into the WordCount on the wire.
    WordCount = 7
    fields_desc = SMBSession_Setup_AndX_Response.fields_desc[:5] + [
        LEFieldLenField("SecurityBlobLength", None, length_of="SecurityBlob"),
        # NOTE(review): fixed default, not derived from the blob or the OS
        # strings; set it explicitly when building with other values.
        LEShortField("ByteCount", 25),
        PacketLenField("SecurityBlob", None, GSSAPI_BLOB,
                       length_from=lambda x: x.SecurityBlobLength),
        # NativeOS is 2-byte aligned (padding precedes the field).
        ReversePadField(
            _SMBStrNullField("NativeOS", "Windows 4.0"),
            2, b"\0",
        ),
        _SMBStrNullField("NativeLanMan", "Windows 4.0")
    ]
class OpcDaFackLE(Packet):
    """Little-endian FACK body (fragment acknowledgement, inferred from the
    name): window size, maximum TSDU and fragment sizes, serial number and a
    selective-ack list.
    """
    name = "OpcDaFackLE"
    fields_desc = [
        LEShortField('version', 0),
        ByteField('pad', 0),
        LEShortField('windowSize', 0),
        LEIntField('maxTsdu', 0),
        LEIntField('maxFragSize', 0),
        LEShortField('serialNum', 0),
        LEFieldLenField('selackLen', 0, count_of='selack', fmt="<H"),
        # NOTE(review): PacketListField is handed LEIntField, a Field class,
        # whereas every other PacketListField on this page takes a Packet
        # class.  Dissecting a frame with a non-zero selackLen would try to
        # build the element as LEIntField(<bytes>).  A FieldListField over
        # LEIntField('', 0) looks like the intended shape -- verify, and
        # check FieldListField is imported in this module before changing.
        PacketListField('selack', None, LEIntField,
                        count_from=lambda pkt: pkt.selackLen),
    ]

    def extract_padding(self, p):
        """Return (payload, padding): no payload, all remaining bytes are
        handed back as padding."""
        return b"", p
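class SMBNegociate_Protocol_Response_Advanced_Security(Packet):
    """Legacy SMB_COM_NEGOTIATE response with extended security, SMB header
    included.

    The data block is a 16-byte server GUID followed by the security blob.
    ByteCount counts both, so it is built as len(SecurityBlob) + 16 and the
    blob is dissected as ByteCount - 16 bytes.  (The original had the signs
    reversed: a default build produced ByteCount = -16 for an unsigned
    field, and dissection read 16 bytes past the declared count.)
    """
    name = "SMBNegociate Protocol Response Advanced Security"
    fields_desc = [
        # --- SMB header ---
        StrFixedLenField("Start", b"\xffSMB", 4),
        ByteEnumField("Command", 0x72, {0x72: "SMB_COM_NEGOTIATE"}),
        ByteField("Error_Class", 0),
        ByteField("Reserved", 0),
        LEShortField("Error_Code", 0),
        ByteField("Flags", 0x98),
        LEShortField("Flags2", 0x0000),
        LEShortField("PIDHigh", 0x0000),
        LELongField("Signature", 0x0),
        LEShortField("Unused", 0x0),
        LEShortField("TID", 0),
        LEShortField("PID", 1),
        LEShortField("UID", 0),
        LEShortField("MID", 2),
        # --- NEGOTIATE parameter words ---
        ByteField("WordCount", 17),
        LEShortField("DialectIndex", 7),
        # 0x03: user-level security with encrypted passwords; the signing
        # bits above bit 1 are clear.
        ByteField("SecurityMode", 0x03),
        LEShortField("MaxMpxCount", 50),
        LEShortField("MaxNumberVC", 1),
        LEIntField("MaxBufferSize", 16144),
        LEIntField("MaxRawSize", 65536),
        LEIntField("SessionKey", 0x0000),
        LEShortField("ServerCapabilities", 0xf3f9),
        BitField("UnixExtensions", 0, 1),
        BitField("Reserved2", 0, 7),
        BitField("ExtendedSecurity", 1, 1),
        BitField("CompBulk", 0, 2),
        BitField("Reserved3", 0, 5),
        # There have been 127490112000000000 tenths of micro-seconds between
        # 1st january 1601 and 1st january 2005.
        # 127490112000000000=0x1C4EF94D6228000, so ServerTimeHigh=0xD6228000
        # and ServerTimeLow=0x1C4EF94.
        # NOTE(review): per that arithmetic the field named ServerTimeHigh
        # carries the low dword of the 64-bit value (it is transmitted
        # first) and ServerTimeLow the high dword; the names are kept for
        # compatibility.
        LEIntField("ServerTimeHigh", 0xD6228000),
        LEIntField("ServerTimeLow", 0x1C4EF94),
        LEShortField("ServerTimeZone", 0x3c),
        ByteField("EncryptionKeyLength", 0),
        # --- data block: GUID + security blob ---
        LEFieldLenField("ByteCount", None, length_of="SecurityBlob",
                        adjust=lambda pkt, x: x + 16),
        BitField("GUID", 0, 128),
        StrLenField("SecurityBlob", "",
                    length_from=lambda x: x.ByteCount - 16)
    ]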