class CRX1New(Packet):
    """CRX1 frame whose length-field width is selected by the start marker.

    A start marker of 0x7878 enables the one-byte length and its content
    field; 0x7979 enables the two-byte length and its content field. Any
    other marker leaves all four conditional fields absent.
    """
    name = "CRX1 New"
    fields_desc = [
        XShortField('start_bit', 0x7878),
        # Length prefix: one byte for 0x7878 frames, two bytes for 0x7979.
        ConditionalField(
            ByteField('default_packet_length', None),
            lambda frame: frame.start_bit == 0x7878,
        ),
        ConditionalField(
            ShortField('extended_packet_length', None),
            lambda frame: frame.start_bit == 0x7979,
        ),
        # Content is sliced using the length value exactly as read from the
        # packet; nothing in this class checks it against the bytes present.
        ConditionalField(
            PacketLenField(
                'default_packet_content', None, CRX1NewPacketContent,
                length_from=lambda frame: frame.default_packet_length,
            ),
            lambda frame: frame.start_bit == 0x7878,
        ),
        ConditionalField(
            PacketLenField(
                'extended_packet_content', None, CRX1NewPacketContent,
                length_from=lambda frame: frame.extended_packet_length,
            ),
            lambda frame: frame.start_bit == 0x7979,
        ),
        XShortField('end_bit', 0x0d0a),
    ]
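class IKEv2_payload_Proposal(IKEv2_class):
    """IKEv2 Proposal substructure: 8-byte header, optional SPI, transforms.

    ``length`` covers the 8 header bytes, the SPI and the transforms, so the
    transform area is ``length - 8 - SPIsize`` bytes long when dissecting.
    """
    name = "IKEv2 Proposal"
    fields_desc = [
        ByteEnumField("next_payload", None, {0: "last", 2: "Proposal"}),
        ByteField("res", 0),
        # When SPIsize is left to be auto-computed (None) the SPI bytes are
        # still emitted, so they must be counted from the SPI value itself;
        # otherwise the built length is short by len(SPI).
        FieldLenField(
            "length", None, "trans", "H",
            adjust=lambda pkt, x: x + 8 + (
                pkt.SPIsize if pkt.SPIsize is not None
                else len(pkt.SPI or b"")
            ),
        ),
        ByteField("proposal", 1),
        ByteEnumField("proto", 1, {1: "IKEv2", 2: "AH", 3: "ESP"}),
        FieldLenField("SPIsize", None, "SPI", "B"),
        ByteField("trans_nb", None),
        StrLenField("SPI", "", length_from=lambda pkt: pkt.SPIsize),
        # Both operands come from the wire. A declared length smaller than
        # 8 + SPIsize would give a negative slice bound (which Python treats
        # as "all but the last N bytes"), so clamp it to zero.
        PacketLenField(
            "trans", conf.raw_layer(), IKEv2_payload_Transform,
            length_from=lambda pkt: max(0, pkt.length - 8 - pkt.SPIsize),
        ),
    ]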
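class ICMPv6NDOptCGA(_ICMPv6NDGuessPayload, Packet):
    """ICMPv6 Neighbor Discovery CGA option (type 11).

    ``len`` is expressed in units of 8 bytes and covers the 4-byte option
    header, the CGA parameters and the padding.
    """
    name = "ICMPv6NDOptCGA"
    fields_desc = [
        ByteField("type", 11),
        FieldLenField("len", None, length_of="CGA_PARAMS", fmt="B",
                      adjust=lambda pkt, x: (x + pkt.padlength + 4) // 8),
        FieldLenField("padlength", 0, length_of="padding", fmt="B"),
        ByteField("reserved", 0),
        # len and padlength are read from the packet; an option announcing
        # len == 0 or a padlength larger than the body would make this
        # negative and turn the slice into "all but the last N bytes".
        PacketLenField(
            "CGA_PARAMS", "", CGA_Params,
            length_from=lambda pkt: max(0, pkt.len * 8 - pkt.padlength - 4),
        ),
        StrLenField("padding", "", length_from=lambda pkt: pkt.padlength),
    ]

    def post_build(self, p, pay):
        """Rewrite the len/padlength bytes and pad the option to 8 bytes.

        The built bytes are cut after the CGA parameters, bytes 1 and 2 are
        replaced with the recomputed length (in 8-byte units) and pad
        length, and zero padding is appended before the payload.
        """
        l_ = len(self.CGA_PARAMS)
        tmp_len = -(4 + l_) % 8  # Pad to 8 bytes
        p = p[:1] + chb((4 + l_ + tmp_len) // 8) + chb(tmp_len) + p[3:4 + l_]
        p += b"\x00" * tmp_len + pay
        return p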
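class IKEv2_payload_CERT_CRL(IKEv2_payload_CERT):
    """IKEv2 Certificate payload whose body is parsed as an X.509 CRL.

    The fields before the CRL (next_payload, res, length, cert_type) take
    5 bytes, so ``length`` is the encoded CRL size plus 5.
    """
    name = "IKEv2 Certificate"
    fields_desc = [
        ByteEnumField("next_payload", None, IKEv2_payload_type),
        ByteField("res", 0),
        # ``x`` is already the length of x509CRL (it is the length_of
        # target); adding len(pkt.x509CRL) again would count the CRL twice
        # and disagree with the ``length - 5`` used when dissecting.
        FieldLenField("length", None, "x509CRL", "H",
                      adjust=lambda pkt, x: x + 5),
        ByteEnumField("cert_type", 7, IKEv2CertificateEncodings),
        # length is peer-supplied; clamp so a value below 5 cannot become a
        # negative slice bound.
        PacketLenField("x509CRL", X509_CRL(''), X509_CRL,
                       length_from=lambda x: max(0, x.length - 5)),
    ]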
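class IKEv2_payload_SA(IKEv2_class):
    """IKEv2 Security Association payload: 4-byte header plus proposals."""
    name = "IKEv2 SA"
    overload_fields = {IKEv2: {"next_payload": 33}}
    fields_desc = [
        ByteEnumField("next_payload", None, IKEv2_payload_type),
        ByteField("res", 0),
        FieldLenField("length", None, "prop", "H",
                      adjust=lambda pkt, x: x + 4),
        # length is read from the packet; a value below the 4-byte header
        # would yield a negative slice bound, so clamp it to zero.
        PacketLenField("prop", conf.raw_layer(), IKEv2_payload_Proposal,
                       length_from=lambda x: max(0, x.length - 4)),
    ]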
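class ISAKMP_payload_SA(ISAKMP_class):
    """ISAKMP Security Association payload.

    The fields before the proposals (next_payload, res, length, DOI,
    situation) take 12 bytes, so ``length`` is the proposal size plus 12.
    """
    name = "ISAKMP SA"
    fields_desc = [
        ByteEnumField("next_payload", None, ISAKMP_payload_type),
        ByteField("res", 0),
        FieldLenField("length", None, "prop", "H",
                      adjust=lambda pkt, x: x + 12),
        IntEnumField("DOI", 1, {1: "IPSEC"}),
        IntEnumField("situation", 1, {1: "identity"}),
        # length is peer-supplied; clamp so a value below 12 cannot become
        # a negative slice bound during dissection.
        PacketLenField("prop", conf.raw_layer(), ISAKMP_payload_Proposal,
                       length_from=lambda x: max(0, x.length - 12)),
    ]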
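class SMBNegotiate_Response_Extended_Security(_SMBNegotiate_Response):
    """SMB Negotiate response variant carrying a GSSAPI security blob.

    Reuses the first 12 fields of the no-security response and appends
    ByteCount, the 16-byte server GUID and the security blob. ByteCount
    counts the GUID plus the blob.
    """
    name = "SMB Negotiate Extended Security Response (SMB)"
    WordCount = 0x11
    fields_desc = SMBNegotiate_Response_NoSecurity.fields_desc[:12] + [
        LEFieldLenField("ByteCount", None, length_of="SecurityBlob",
                        adjust=lambda _, x: x + 16),
        UUIDField("GUID", None, uuid_fmt=UUIDField.FORMAT_LE),
        # ByteCount comes from the server response; a value below 16 would
        # otherwise produce a negative slice bound for the blob.
        PacketLenField("SecurityBlob", None, GSSAPI_BLOB,
                       length_from=lambda x: max(0, x.ByteCount - 16)),
    ]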
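class ISAKMP_payload_Proposal(ISAKMP_class):
    """ISAKMP Proposal payload: 8-byte header, optional SPI, transforms.

    The payload length covers the whole proposal, i.e. the 8 header bytes,
    the SPI and the transforms, so the SPI size has to be taken into
    account both when building ``length`` and when slicing ``trans``.
    """
    name = "IKE proposal"
    # ISAKMP_payload_type = 0
    fields_desc = [
        ByteEnumField("next_payload", None, ISAKMP_payload_type),
        ByteField("res", 0),
        # Count the SPI bytes as well; with an auto-computed SPIsize (None)
        # the size is taken from the SPI value itself.
        FieldLenField(
            "length", None, "trans", "H",
            adjust=lambda pkt, x: x + 8 + (
                pkt.SPIsize if pkt.SPIsize is not None
                else len(pkt.SPI or b"")
            ),
        ),
        ByteField("proposal", 1),
        ByteEnumField("proto", 1, {1: "ISAKMP"}),
        FieldLenField("SPIsize", None, "SPI", "B"),
        ByteField("trans_nb", None),
        StrLenField("SPI", "", length_from=lambda x: x.SPIsize),
        # The SPI has already been consumed by the previous field, so it is
        # subtracted here; the clamp keeps a too-small peer-supplied length
        # from turning into a negative slice bound.
        PacketLenField(
            "trans", conf.raw_layer(), ISAKMP_payload_Transform,
            length_from=lambda x: max(0, x.length - 8 - x.SPIsize),
        ),
    ]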
class SMB2_Negotiate_Protocol_Response(Packet):
    """SMB2 NEGOTIATE response body.

    The security blob is dissected immediately after NegotiateContextOffset
    using SecurityBlobLength; the two offset fields are carried as plain
    values and are not used by this class to locate data.
    """
    name = "SMB2 Negotiate Protocol Response"
    fields_desc = [
        XLEShortField("StructureSize", 0),
        FlagsField(
            "SecurityMode", 0, -16,
            {
                0x1: "Signing Required",
                0x2: "Signing Enabled",
            },
        ),
        LEShortEnumField("DialectRevision", 0x0, SMB_DIALECTS),
        FieldLenField(
            "NegotiateCount", None,
            fmt="<H",
            count_of="NegotiateContexts",
        ),
        UUIDField("ServerGUID", 0x0, uuid_fmt=UUIDField.FORMAT_LE),
        # Capabilities
        FlagsField("Capabilities", 0, -32, SMB2_CAPABILITIES),
        LEIntField("MaxTransactionSize", 0),
        LEIntField("MaxReadSize", 0),
        LEIntField("MaxWriteSize", 0),
        # Both timestamps: 64-bit little-endian, epoch 1601-01-01,
        # scaled by 1e7.
        UTCTimeField(
            "SystemTime", None,
            fmt="<Q",
            epoch=[1601, 1, 1, 0, 0, 0],
            custom_scaling=1e7,
        ),
        UTCTimeField(
            "ServerStartTime", None,
            fmt="<Q",
            epoch=[1601, 1, 1, 0, 0, 0],
            custom_scaling=1e7,
        ),
        XLEShortField("SecurityBlobOffset", 0),
        FieldLenField(
            "SecurityBlobLength", None,
            fmt="<H",
            length_of="SecurityBlob",
        ),
        XLEIntField("NegotiateContextOffset", 0),
        # Blob size is the server-declared SecurityBlobLength, used as-is.
        PacketLenField(
            "SecurityBlob", None, GSSAPI_BLOB,
            length_from=lambda resp: resp.SecurityBlobLength,
        ),
        # Field only exists if Dialect is 0x0311
        # Each negotiate context must be 8-byte aligned
        ConditionalField(
            FieldListField(
                "NegotiateContexts", [],
                ReversePadField(
                    PacketField("Context", None, SMB2_Negotiate_Context),
                    8,
                ),
                count_from=lambda resp: resp.NegotiateCount,
            ),
            lambda resp: resp.DialectRevision == 0x0311,
        ),
    ]
class OpcDaRequestLE(Packet):
    """Little-endian OPC DA request body.

    Header values (allocHint, contextId, opNum, uuid) are followed by the
    request sub-data and an authentication trailer.
    """
    name = "OpcDaRequest"
    fields_desc = [
        LEIntField('allocHint', 0),
        LEShortField('contextId', 0),
        LEShortField('opNum', 0),
        UUIDField('uuid', str('0001' * 8), uuid_fmt=UUIDField.FORMAT_LE),
        # The sub-data size is the allocHint value exactly as it appears in
        # the packet; this class applies no further bound to it.
        PacketLenField(
            'subData', None, RequestSubDataLE,
            length_from=lambda req: req.allocHint,
        ),
        PacketField('authentication', None, AuthentificationProtocol),
    ]

    def extract_padding(self, p):
        """Treat every remaining byte as padding, leaving no payload."""
        remaining = p
        return b"", remaining
class SMBSession_Setup_AndX_Response_Extended_Security(Packet):
    """Session Setup AndX response variant carrying a GSSAPI security blob.

    Reuses the first 5 fields of the plain Session Setup AndX response and
    appends the blob length, ByteCount, the blob and the two native
    strings.
    """
    name = "Session Setup AndX Extended Security Response (SMB)"
    WordCount = 7
    fields_desc = SMBSession_Setup_AndX_Response.fields_desc[:5] + [
        LEFieldLenField(
            "SecurityBlobLength", None,
            length_of="SecurityBlob",
        ),
        # ByteCount is a plain field with a fixed default; it is not
        # derived from the blob or the strings that follow.
        LEShortField("ByteCount", 25),
        # Blob size is the SecurityBlobLength value read from the packet.
        PacketLenField(
            "SecurityBlob", None, GSSAPI_BLOB,
            length_from=lambda resp: resp.SecurityBlobLength,
        ),
        # NativeOS is aligned on 2 bytes, padded with NUL.
        ReversePadField(
            _SMBStrNullField("NativeOS", "Windows 4.0"),
            2,
            b"\0",
        ),
        _SMBStrNullField("NativeLanMan", "Windows 4.0"),
    ]
class OpcDaRequest(Packet):
    """Big-endian OPC DA request body.

    The object UUID is present only when the first layer contains an
    OpcDaHeaderMessage whose pfc_flags has 'objectUuid' set.
    """
    # DCE 1.1 RPC - 12.6.4.9
    name = "OpcDaRequest"
    fields_desc = [
        IntField('allocHint', 0),
        ShortField('contextId', 0),
        ShortField('opNum', 0),
        ConditionalField(
            UUIDField(
                'uuid', str('0001' * 8),
                uuid_fmt=UUIDField.FORMAT_BE,
            ),
            lambda req: (
                OpcDaHeaderMessage in req.firstlayer() and
                req.firstlayer()[OpcDaHeaderMessage].pfc_flags & 'objectUuid'
            ),
        ),
        # Stub-data size is delegated to the module helper
        # _opc_stubdata_length, looked up at dissection time.
        PacketLenField(
            'stubData', None, RequestStubData,
            length_from=lambda req: _opc_stubdata_length(req),
        ),
        PacketField('authentication', None, AuthentificationProtocol),
    ]

    def extract_padding(self, p):
        """Treat every remaining byte as padding, leaving no payload."""
        remaining = p
        return b"", remaining
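class SAPMS(Packet):
    """SAP Message Server packet

    This packet is used for the Message Server protocol.

    The fixed header (eyecatcher through fromname) is followed by groups of
    conditional fields; which groups are present is decided by the iflag,
    flag, opcode, opcode_version, opcode_charset and dp_version values.
    """
    name = "SAP Message Server"
    fields_desc = [
        StrFixedLenField("eyecatcher", "**MESSAGE**\x00", 12),
        ByteField("version", 0x04),
        ByteEnumKeysField("errorno", 0x00, ms_errorno_values),
        StrFixedLenField("toname", "-" + " " * 39, 40),
        FlagsField("msgtype", 0, 8, ["DIA", "UPD", "ENQ", "BTC", "SPO", "UP2", "ATP", "ICM"]),
        ByteField("reserved", 0x00),
        ByteEnumKeysField("domain", 0x00, ms_domain_values),
        ByteField("reserved", 0x00),
        StrFixedLenField("key", "\x00" * 8, 8),
        ByteEnumKeysField("flag", 0x01, ms_flag_values),
        ByteEnumKeysField("iflag", 0x01, ms_iflag_values),
        StrFixedLenField("fromname", "-" + " " * 39, 40),
        ConditionalField(ShortField("diag_port", 3200), lambda pkt:pkt.iflag == 0x08 and pkt.flag == 0x02),  # for MS_REQUEST+MS_LOGIN_2 it's the diag port
        ConditionalField(ShortField("padd", 0x0000), lambda pkt:pkt.iflag != 0x08 or pkt.flag != 0x02),

        # OpCode fields
        ConditionalField(ByteEnumKeysField("opcode", 0x01, ms_opcode_values), lambda pkt:pkt.iflag in [0x00, 0x01, 0x02, 0x07]),  # extending all those fields with MS_SEND_TYPE and MS_SEND_TYPE_ONCE packets
        ConditionalField(ByteEnumKeysField("opcode_error", 0x00, ms_opcode_error_values), lambda pkt:pkt.iflag in [0x00, 0x01, 0x02, 0x7]),
        ConditionalField(ByteField("opcode_version", 0x01), lambda pkt:pkt.iflag in [0x00, 0x01, 0x02, 0x07]),
        ConditionalField(ByteField("opcode_charset", 0x03), lambda pkt:pkt.iflag in [0x00, 0x01, 0x02, 0x07]),
        # opcode_value / opcode_trailer are catch-alls for opcodes that have
        # no dedicated fields below. Note the two exclusion lists differ:
        # only the trailer list contains 0x1e.
        ConditionalField(StrField("opcode_value", ""), lambda pkt:pkt.iflag in [0x00, 0x01] and pkt.opcode not in [0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x11, 0x1c, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2f, 0x43, 0x44, 0x45, 0x46, 0x47, 0x4a]),
        ConditionalField(StrField("opcode_trailer", ""), lambda pkt:pkt.iflag in [0x00, 0x01] and pkt.opcode not in [0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x11, 0x1c, 0x1e, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2f, 0x43, 0x44, 0x45, 0x46, 0x47, 0x4a]),

        # Dispatcher info
        ConditionalField(ByteField("dp_version", 0x0), lambda pkt:pkt.opcode == 0x0 or (pkt.opcode_version == 0x00 and pkt.opcode_charset == 0x00)),
        ConditionalField(PacketLenField("dp_info1", SAPDPInfo1(), SAPDPInfo1, length_from=lambda x: 507), lambda pkt:(pkt.opcode == 0x0 or (pkt.opcode_version == 0x00 and pkt.opcode_charset == 0x00)) and pkt.dp_version == 0x0d),  # 745 kernel
        ConditionalField(PacketLenField("dp_info2", SAPDPInfo2(), SAPDPInfo2, length_from=lambda x: 203), lambda pkt:(pkt.opcode == 0x0 or (pkt.opcode_version == 0x00 and pkt.opcode_charset == 0x00)) and pkt.dp_version == 0x0b),  # 720 kernel
        ConditionalField(PacketLenField("dp_info3", SAPDPInfo3(), SAPDPInfo3, length_from=lambda x: 179), lambda pkt:(pkt.opcode == 0x0 or (pkt.opcode_version == 0x00 and pkt.opcode_charset == 0x00)) and pkt.dp_version == 0x0e),  # 749 kernel

        # MS ADM layer
        ConditionalField(StrFixedLenField("adm_eyecatcher", "AD-EYECATCH\x00", 12), lambda pkt: pkt.iflag in [0x00, 0x02, 0x05, 0x07] or pkt.opcode == 0x0),
        ConditionalField(ByteField("adm_version", 0x01), lambda pkt:pkt.iflag in [0x00, 0x02, 0x05, 0x07] or pkt.opcode == 0x0),
        ConditionalField(ByteEnumKeysField("adm_type", 0x01, ms_adm_type_values), lambda pkt:pkt.iflag in [0x00, 0x02, 0x05, 0x07] or pkt.opcode == 0x0),
        ConditionalField(IntToStrField("adm_recsize", 104, 11), lambda pkt:pkt.iflag in [0x00, 0x02, 0x05, 0x07] or pkt.opcode == 0x0),
        ConditionalField(IntToStrField("adm_recno", 1, 11), lambda pkt:pkt.iflag in [0x00, 0x02, 0x05, 0x07] or pkt.opcode == 0x0),
        ConditionalField(PacketListField("adm_records", None, SAPMSAdmRecord), lambda pkt:pkt.iflag in [0x00, 0x02, 0x05, 0x07] or pkt.opcode == 0x0),

        # Server List fields
        ConditionalField(PacketListField("clients", None, SAPMSClient1), lambda pkt:pkt.opcode in [0x02, 0x03, 0x04, 0x05] and pkt.opcode_version == 0x01),
        ConditionalField(PacketListField("clients", None, SAPMSClient2), lambda pkt:pkt.opcode in [0x02, 0x03, 0x04, 0x05] and pkt.opcode_version == 0x02),
        ConditionalField(PacketListField("clients", None, SAPMSClient3), lambda pkt:pkt.opcode in [0x02, 0x03, 0x04, 0x05] and pkt.opcode_version == 0x03),
        ConditionalField(PacketListField("clients", None, SAPMSClient4), lambda pkt:pkt.opcode in [0x02, 0x03, 0x04, 0x05] and pkt.opcode_version == 0x04),

        # Change IP fields
        ConditionalField(IPField("change_ip_addressv4", "0.0.0.0"), lambda pkt:pkt.opcode == 0x06),
        ConditionalField(IP6Field("change_ip_addressv6", "::"), lambda pkt:pkt.opcode == 0x06 and pkt.opcode_version == 0x02),

        # Get/Set Text fields
        ConditionalField(StrFixedLenField("text_name", "", 40), lambda pkt:pkt.opcode in [0x22, 0x23]),
        ConditionalField(FieldLenField("text_length", None, length_of="text_value", fmt="!I"), lambda pkt:pkt.opcode in [0x22, 0x23]),
        ConditionalField(StrFixedLenField("text_value", "", length_from=lambda pkt:pkt.text_length or 80), lambda pkt:pkt.opcode in [0x22, 0x23]),

        # Counter fields
        ConditionalField(PacketField("counter", None, SAPMSCounter), lambda pkt:pkt.opcode in [0x24, 0x25, 0x26, 0x27, 0x28, 0x29]),
        ConditionalField(PacketListField("counters", None, SAPMSCounter), lambda pkt:pkt.opcode in [0x2a]),

        # Security Key 1 fields
        ConditionalField(StrFixedLenField("security_name", None, 40), lambda pkt:pkt.opcode in [0x07, 0x08]),
        ConditionalField(StrFixedLenField("security_key", None, 256), lambda pkt:pkt.opcode in [0x07, 0x08]),

        # Security Key 2 fields
        ConditionalField(IPField("security2_addressv4", "0.0.0.0"), lambda pkt:pkt.opcode == 0x09),
        ConditionalField(ShortField("security2_port", 0), lambda pkt:pkt.opcode == 0x09),
        ConditionalField(StrFixedLenField("security2_key", None, 256), lambda pkt:pkt.opcode == 0x09),
        ConditionalField(IP6Field("security2_addressv6", "::"), lambda pkt:pkt.opcode == 0x09),

        # Hardware ID field
        ConditionalField(StrNullFixedLenField("hwid", "", length=99), lambda pkt:pkt.opcode == 0x0a),

        # Statistics
        ConditionalField(PacketField("stats", None, SAPMSStat3), lambda pkt:pkt.opcode == 0x11 and pkt.flag == 0x03),

        # Codepage
        ConditionalField(IntField("codepage", 0), lambda pkt:pkt.opcode == 0x1c and pkt.flag == 0x03),

        # Dump Info Request fields
        ConditionalField(ByteField("dump_dest", 0x02), lambda pkt:pkt.opcode == 0x1E and pkt.flag == 0x02),
        ConditionalField(StrFixedLenField("dump_filler", "\x00\x00\x00", 3), lambda pkt:pkt.opcode == 0x1E and pkt.flag == 0x02),
        ConditionalField(ShortField("dump_index", 0x00), lambda pkt:pkt.opcode == 0x1E and pkt.flag == 0x02),
        ConditionalField(ShortEnumKeysField("dump_command", 0x01, ms_dump_command_values), lambda pkt:pkt.opcode == 0x1E and pkt.flag == 0x02),
        ConditionalField(StrFixedLenField("dump_name", "\x00" * 40, 40), lambda pkt:pkt.opcode == 0x1E and pkt.flag == 0x02),

        # File Reload fields
        ConditionalField(ByteEnumKeysField("file_reload", 0, ms_file_reload_values), lambda pkt:pkt.opcode == 0x1f),
        ConditionalField(StrFixedLenField("file_padding", "\x00\x00", 2), lambda pkt:pkt.opcode == 0x1f),

        # Get/Set/Del Logon fields
        ConditionalField(PacketField("logon", None, SAPMSLogon), lambda pkt:pkt.opcode in [0x2b, 0x2c, 0x2d]),

        # Server Disconnect/Shutdown fields
        ConditionalField(PacketField("shutdown_client", None, SAPMSClient3), lambda pkt:pkt.opcode in [0x2e, 0x2f, 0x30, 0x4a]),
        ConditionalField(FieldLenField("shutdown_reason_length", None, length_of="shutdown_reason", fmt="!H"), lambda pkt:pkt.opcode in [0x2e, 0x2f, 0x30, 0x4a]),
        ConditionalField(StrLenField("shutdown_reason", "", length_from=lambda pkt:pkt.shutdown_reason_length), lambda pkt:pkt.opcode in [0x2e, 0x2f, 0x30, 0x4a]),

        # Get/Set Property fields
        ConditionalField(PacketField("property", None, SAPMSProperty), lambda pkt:pkt.opcode in [0x43, 0x44, 0x45]),

        # IP/Port to name fields
        ConditionalField(IPField("ip_to_name_address4", "0.0.0.0"), lambda pkt:pkt.opcode == 0x46 and pkt.opcode_version == 0x01),
        ConditionalField(IP6Field("ip_to_name_address6", "::"), lambda pkt:pkt.opcode == 0x46 and pkt.opcode_version == 0x02),
        ConditionalField(ShortField("ip_to_name_port", 0), lambda pkt:pkt.opcode == 0x46),
        ConditionalField(FieldLenField("ip_to_name_length", None, length_of="ip_to_name", fmt="!I"), lambda pkt:pkt.opcode == 0x46),
        # The name is sized by the ip_to_name_length field that precedes it.
        # This class declares no logonname_length field, so reading that
        # attribute here would fail whenever an opcode 0x46 packet is
        # dissected.
        ConditionalField(StrLenField("ip_to_name", "", length_from=lambda pkt:pkt.ip_to_name_length), lambda pkt:pkt.opcode == 0x46),

        # Check ACL fields
        ConditionalField(ShortField("error_code", 0), lambda pkt:pkt.opcode == 0x47),
        ConditionalField(StrFixedLenField("acl", "", 46), lambda pkt:pkt.opcode == 0x47),
    ]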