| ## This file is part of Scapy |
| ## See http://www.secdev.org/projects/scapy for more informations |
| ## Copyright (C) Philippe Biondi <phil@secdev.org> |
| ## This program is published under a GPLv2 license |
| |
| """ |
| SMB (Server Message Block), also known as CIFS. |
| """ |
| |
| from scapy.packet import * |
| from scapy.fields import * |
| from scapy.layers.netbios import NBTSession |
| |
| |
| # SMB NetLogon Response Header |
| class SMBNetlogon_Protocol_Response_Header(Packet): |
| name="SMBNetlogon Protocol Response Header" |
| fields_desc = [StrFixedLenField("Start",b"\xffSMB",4), |
| ByteEnumField("Command",0x25,{0x25:"Trans"}), |
| ByteField("Error_Class",0x02), |
| ByteField("Reserved",0), |
| LEShortField("Error_code",4), |
| ByteField("Flags",0), |
| LEShortField("Flags2",0x0000), |
| LEShortField("PIDHigh",0x0000), |
| LELongField("Signature",0x0), |
| LEShortField("Unused",0x0), |
| LEShortField("TID",0), |
| LEShortField("PID",0), |
| LEShortField("UID",0), |
| LEShortField("MID",0), |
| ByteField("WordCount",17), |
| LEShortField("TotalParamCount",0), |
| LEShortField("TotalDataCount",112), |
| LEShortField("MaxParamCount",0), |
| LEShortField("MaxDataCount",0), |
| ByteField("MaxSetupCount",0), |
| ByteField("unused2",0), |
| LEShortField("Flags3",0), |
| ByteField("TimeOut1",0xe8), |
| ByteField("TimeOut2",0x03), |
| LEShortField("unused3",0), |
| LEShortField("unused4",0), |
| LEShortField("ParamCount2",0), |
| LEShortField("ParamOffset",0), |
| LEShortField("DataCount",112), |
| LEShortField("DataOffset",92), |
| ByteField("SetupCount", 3), |
| ByteField("unused5", 0)] |
| |
| # SMB MailSlot Protocol |
| class SMBMailSlot(Packet): |
| name = "SMB Mail Slot Protocol" |
| fields_desc = [LEShortField("opcode", 1), |
| LEShortField("priority", 1), |
| LEShortField("class", 2), |
| LEShortField("size", 135), |
| StrNullField("name","\\MAILSLOT\\NET\\GETDC660")] |
| |
| # SMB NetLogon Protocol Response Tail SAM |
| class SMBNetlogon_Protocol_Response_Tail_SAM(Packet): |
| name = "SMB Netlogon Protocol Response Tail SAM" |
| fields_desc = [ByteEnumField("Command", 0x17, {0x12:"SAM logon request", 0x17:"SAM Active directory Response"}), |
| ByteField("unused", 0), |
| ShortField("Data1", 0), |
| ShortField("Data2", 0xfd01), |
| ShortField("Data3", 0), |
| ShortField("Data4", 0xacde), |
| ShortField("Data5", 0x0fe5), |
| ShortField("Data6", 0xd10a), |
| ShortField("Data7", 0x374c), |
| ShortField("Data8", 0x83e2), |
| ShortField("Data9", 0x7dd9), |
| ShortField("Data10", 0x3a16), |
| ShortField("Data11", 0x73ff), |
| ByteField("Data12", 0x04), |
| StrFixedLenField("Data13", "rmff", 4), |
| ByteField("Data14", 0x0), |
| ShortField("Data16", 0xc018), |
| ByteField("Data18", 0x0a), |
| StrFixedLenField("Data20", "rmff-win2k", 10), |
| ByteField("Data21", 0xc0), |
| ShortField("Data22", 0x18c0), |
| ShortField("Data23", 0x180a), |
| StrFixedLenField("Data24", "RMFF-WIN2K", 10), |
| ShortField("Data25", 0), |
| ByteField("Data26", 0x17), |
| StrFixedLenField("Data27", "Default-First-Site-Name", 23), |
| ShortField("Data28", 0x00c0), |
| ShortField("Data29", 0x3c10), |
| ShortField("Data30", 0x00c0), |
| ShortField("Data31", 0x0200), |
| ShortField("Data32", 0x0), |
| ShortField("Data33", 0xac14), |
| ShortField("Data34", 0x0064), |
| ShortField("Data35", 0x0), |
| ShortField("Data36", 0x0), |
| ShortField("Data37", 0x0), |
| ShortField("Data38", 0x0), |
| ShortField("Data39", 0x0d00), |
| ShortField("Data40", 0x0), |
| ShortField("Data41", 0xffff)] |
| |
| # SMB NetLogon Protocol Response Tail LM2.0 |
| class SMBNetlogon_Protocol_Response_Tail_LM20(Packet): |
| name = "SMB Netlogon Protocol Response Tail LM20" |
| fields_desc = [ByteEnumField("Command",0x06,{0x06:"LM 2.0 Response to logon request"}), |
| ByteField("unused", 0), |
| StrFixedLenField("DblSlash", "\\\\", 2), |
| StrNullField("ServerName","WIN"), |
| LEShortField("LM20Token", 0xffff)] |
| |
| # SMBNegociate Protocol Request Header |
| class SMBNegociate_Protocol_Request_Header(Packet): |
| name="SMBNegociate Protocol Request Header" |
| fields_desc = [StrFixedLenField("Start",b"\xffSMB",4), |
| ByteEnumField("Command",0x72,{0x72:"SMB_COM_NEGOTIATE"}), |
| ByteField("Error_Class",0), |
| ByteField("Reserved",0), |
| LEShortField("Error_code",0), |
| ByteField("Flags",0x18), |
| LEShortField("Flags2",0x0000), |
| LEShortField("PIDHigh",0x0000), |
| LELongField("Signature",0x0), |
| LEShortField("Unused",0x0), |
| LEShortField("TID",0), |
| LEShortField("PID",1), |
| LEShortField("UID",0), |
| LEShortField("MID",2), |
| ByteField("WordCount",0), |
| LEShortField("ByteCount",12)] |
| |
| # SMB Negociate Protocol Request Tail |
| class SMBNegociate_Protocol_Request_Tail(Packet): |
| name="SMB Negociate Protocol Request Tail" |
| fields_desc=[ByteField("BufferFormat",0x02), |
| StrNullField("BufferData","NT LM 0.12")] |
| |
| # SMBNegociate Protocol Response Advanced Security |
| class SMBNegociate_Protocol_Response_Advanced_Security(Packet): |
| name="SMBNegociate Protocol Response Advanced Security" |
| fields_desc = [StrFixedLenField("Start",b"\xffSMB",4), |
| ByteEnumField("Command",0x72,{0x72:"SMB_COM_NEGOTIATE"}), |
| ByteField("Error_Class",0), |
| ByteField("Reserved",0), |
| LEShortField("Error_Code",0), |
| ByteField("Flags",0x98), |
| LEShortField("Flags2",0x0000), |
| LEShortField("PIDHigh",0x0000), |
| LELongField("Signature",0x0), |
| LEShortField("Unused",0x0), |
| LEShortField("TID",0), |
| LEShortField("PID",1), |
| LEShortField("UID",0), |
| LEShortField("MID",2), |
| ByteField("WordCount",17), |
| LEShortField("DialectIndex",7), |
| ByteField("SecurityMode",0x03), |
| LEShortField("MaxMpxCount",50), |
| LEShortField("MaxNumberVC",1), |
| LEIntField("MaxBufferSize",16144), |
| LEIntField("MaxRawSize",65536), |
| LEIntField("SessionKey",0x0000), |
| LEShortField("ServerCapabilities",0xf3f9), |
| BitField("UnixExtensions",0,1), |
| BitField("Reserved2",0,7), |
| BitField("ExtendedSecurity",1,1), |
| BitField("CompBulk",0,2), |
| BitField("Reserved3",0,5), |
| # There have been 127490112000000000 tenths of micro-seconds between 1st january 1601 and 1st january 2005. 127490112000000000=0x1C4EF94D6228000, so ServerTimeHigh=0xD6228000 and ServerTimeLow=0x1C4EF94. |
| LEIntField("ServerTimeHigh",0xD6228000), |
| LEIntField("ServerTimeLow",0x1C4EF94), |
| LEShortField("ServerTimeZone",0x3c), |
| ByteField("EncryptionKeyLength",0), |
| LEFieldLenField("ByteCount", None, "SecurityBlob", adjust=lambda pkt,x:x-16), |
| BitField("GUID",0,128), |
| StrLenField("SecurityBlob", "", length_from=lambda x:x.ByteCount+16)] |
| |
| # SMBNegociate Protocol Response No Security |
| # When using no security, with EncryptionKeyLength=8, you must have an EncryptionKey before the DomainName |
| class SMBNegociate_Protocol_Response_No_Security(Packet): |
| name="SMBNegociate Protocol Response No Security" |
| fields_desc = [StrFixedLenField("Start",b"\xffSMB",4), |
| ByteEnumField("Command",0x72,{0x72:"SMB_COM_NEGOTIATE"}), |
| ByteField("Error_Class",0), |
| ByteField("Reserved",0), |
| LEShortField("Error_Code",0), |
| ByteField("Flags",0x98), |
| LEShortField("Flags2",0x0000), |
| LEShortField("PIDHigh",0x0000), |
| LELongField("Signature",0x0), |
| LEShortField("Unused",0x0), |
| LEShortField("TID",0), |
| LEShortField("PID",1), |
| LEShortField("UID",0), |
| LEShortField("MID",2), |
| ByteField("WordCount",17), |
| LEShortField("DialectIndex",7), |
| ByteField("SecurityMode",0x03), |
| LEShortField("MaxMpxCount",50), |
| LEShortField("MaxNumberVC",1), |
| LEIntField("MaxBufferSize",16144), |
| LEIntField("MaxRawSize",65536), |
| LEIntField("SessionKey",0x0000), |
| LEShortField("ServerCapabilities",0xf3f9), |
| BitField("UnixExtensions",0,1), |
| BitField("Reserved2",0,7), |
| BitField("ExtendedSecurity",0,1), |
| FlagsField("CompBulk",0,2,"CB"), |
| BitField("Reserved3",0,5), |
| # There have been 127490112000000000 tenths of micro-seconds between 1st january 1601 and 1st january 2005. 127490112000000000=0x1C4EF94D6228000, so ServerTimeHigh=0xD6228000 and ServerTimeLow=0x1C4EF94. |
| LEIntField("ServerTimeHigh",0xD6228000), |
| LEIntField("ServerTimeLow",0x1C4EF94), |
| LEShortField("ServerTimeZone",0x3c), |
| ByteField("EncryptionKeyLength",8), |
| LEShortField("ByteCount",24), |
| BitField("EncryptionKey",0,64), |
| StrNullField("DomainName","WORKGROUP"), |
| StrNullField("ServerName","RMFF1")] |
| |
| # SMBNegociate Protocol Response No Security No Key |
| class SMBNegociate_Protocol_Response_No_Security_No_Key(Packet): |
| namez="SMBNegociate Protocol Response No Security No Key" |
| fields_desc = [StrFixedLenField("Start",b"\xffSMB",4), |
| ByteEnumField("Command",0x72,{0x72:"SMB_COM_NEGOTIATE"}), |
| ByteField("Error_Class",0), |
| ByteField("Reserved",0), |
| LEShortField("Error_Code",0), |
| ByteField("Flags",0x98), |
| LEShortField("Flags2",0x0000), |
| LEShortField("PIDHigh",0x0000), |
| LELongField("Signature",0x0), |
| LEShortField("Unused",0x0), |
| LEShortField("TID",0), |
| LEShortField("PID",1), |
| LEShortField("UID",0), |
| LEShortField("MID",2), |
| ByteField("WordCount",17), |
| LEShortField("DialectIndex",7), |
| ByteField("SecurityMode",0x03), |
| LEShortField("MaxMpxCount",50), |
| LEShortField("MaxNumberVC",1), |
| LEIntField("MaxBufferSize",16144), |
| LEIntField("MaxRawSize",65536), |
| LEIntField("SessionKey",0x0000), |
| LEShortField("ServerCapabilities",0xf3f9), |
| BitField("UnixExtensions",0,1), |
| BitField("Reserved2",0,7), |
| BitField("ExtendedSecurity",0,1), |
| FlagsField("CompBulk",0,2,"CB"), |
| BitField("Reserved3",0,5), |
| # There have been 127490112000000000 tenths of micro-seconds between 1st january 1601 and 1st january 2005. 127490112000000000=0x1C4EF94D6228000, so ServerTimeHigh=0xD6228000 and ServerTimeLow=0x1C4EF94. |
| LEIntField("ServerTimeHigh",0xD6228000), |
| LEIntField("ServerTimeLow",0x1C4EF94), |
| LEShortField("ServerTimeZone",0x3c), |
| ByteField("EncryptionKeyLength",0), |
| LEShortField("ByteCount",16), |
| StrNullField("DomainName","WORKGROUP"), |
| StrNullField("ServerName","RMFF1")] |
| |
| # Session Setup AndX Request |
| class SMBSession_Setup_AndX_Request(Packet): |
| name="Session Setup AndX Request" |
| fields_desc=[StrFixedLenField("Start",b"\xffSMB",4), |
| ByteEnumField("Command",0x73,{0x73:"SMB_COM_SESSION_SETUP_ANDX"}), |
| ByteField("Error_Class",0), |
| ByteField("Reserved",0), |
| LEShortField("Error_Code",0), |
| ByteField("Flags",0x18), |
| LEShortField("Flags2",0x0001), |
| LEShortField("PIDHigh",0x0000), |
| LELongField("Signature",0x0), |
| LEShortField("Unused",0x0), |
| LEShortField("TID",0), |
| LEShortField("PID",1), |
| LEShortField("UID",0), |
| LEShortField("MID",2), |
| ByteField("WordCount",13), |
| ByteEnumField("AndXCommand",0x75,{0x75:"SMB_COM_TREE_CONNECT_ANDX"}), |
| ByteField("Reserved2",0), |
| LEShortField("AndXOffset",96), |
| LEShortField("MaxBufferS",2920), |
| LEShortField("MaxMPXCount",50), |
| LEShortField("VCNumber",0), |
| LEIntField("SessionKey",0), |
| LEFieldLenField("ANSIPasswordLength",None,"ANSIPassword"), |
| LEShortField("UnicodePasswordLength",0), |
| LEIntField("Reserved3",0), |
| LEShortField("ServerCapabilities",0x05), |
| BitField("UnixExtensions",0,1), |
| BitField("Reserved4",0,7), |
| BitField("ExtendedSecurity",0,1), |
| BitField("CompBulk",0,2), |
| BitField("Reserved5",0,5), |
| LEShortField("ByteCount",35), |
| StrLenField("ANSIPassword", "Pass",length_from=lambda x:x.ANSIPasswordLength), |
| StrNullField("Account","GUEST"), |
| StrNullField("PrimaryDomain", ""), |
| StrNullField("NativeOS","Windows 4.0"), |
| StrNullField("NativeLanManager","Windows 4.0"), |
| ByteField("WordCount2",4), |
| ByteEnumField("AndXCommand2",0xFF,{0xFF:"SMB_COM_NONE"}), |
| ByteField("Reserved6",0), |
| LEShortField("AndXOffset2",0), |
| LEShortField("Flags3",0x2), |
| LEShortField("PasswordLength",0x1), |
| LEShortField("ByteCount2",18), |
| ByteField("Password",0), |
| StrNullField("Path","\\\\WIN2K\\IPC$"), |
| StrNullField("Service","IPC")] |
| |
| # Session Setup AndX Response |
| class SMBSession_Setup_AndX_Response(Packet): |
| name="Session Setup AndX Response" |
| fields_desc=[StrFixedLenField("Start",b"\xffSMB",4), |
| ByteEnumField("Command",0x73,{0x73:"SMB_COM_SESSION_SETUP_ANDX"}), |
| ByteField("Error_Class",0), |
| ByteField("Reserved",0), |
| LEShortField("Error_Code",0), |
| ByteField("Flags",0x90), |
| LEShortField("Flags2",0x1001), |
| LEShortField("PIDHigh",0x0000), |
| LELongField("Signature",0x0), |
| LEShortField("Unused",0x0), |
| LEShortField("TID",0), |
| LEShortField("PID",1), |
| LEShortField("UID",0), |
| LEShortField("MID",2), |
| ByteField("WordCount",3), |
| ByteEnumField("AndXCommand",0x75,{0x75:"SMB_COM_TREE_CONNECT_ANDX"}), |
| ByteField("Reserved2",0), |
| LEShortField("AndXOffset",66), |
| LEShortField("Action",0), |
| LEShortField("ByteCount",25), |
| StrNullField("NativeOS","Windows 4.0"), |
| StrNullField("NativeLanManager","Windows 4.0"), |
| StrNullField("PrimaryDomain",""), |
| ByteField("WordCount2",3), |
| ByteEnumField("AndXCommand2",0xFF,{0xFF:"SMB_COM_NONE"}), |
| ByteField("Reserved3",0), |
| LEShortField("AndXOffset2",80), |
| LEShortField("OptionalSupport",0x01), |
| LEShortField("ByteCount2",5), |
| StrNullField("Service","IPC"), |
| StrNullField("NativeFileSystem","")] |
| |
| bind_layers( NBTSession, SMBNegociate_Protocol_Request_Header, ) |
| bind_layers( NBTSession, SMBNegociate_Protocol_Response_Advanced_Security, ExtendedSecurity=1) |
| bind_layers( NBTSession, SMBNegociate_Protocol_Response_No_Security, ExtendedSecurity=0, EncryptionKeyLength=8) |
| bind_layers( NBTSession, SMBNegociate_Protocol_Response_No_Security_No_Key, ExtendedSecurity=0, EncryptionKeyLength=0) |
| bind_layers( NBTSession, SMBSession_Setup_AndX_Request, ) |
| bind_layers( NBTSession, SMBSession_Setup_AndX_Response, ) |
| bind_layers( SMBNegociate_Protocol_Request_Header, SMBNegociate_Protocol_Request_Tail, ) |
| bind_layers( SMBNegociate_Protocol_Request_Tail, SMBNegociate_Protocol_Request_Tail, ) |