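## This file is part of Scapy
## See http://www.secdev.org/projects/scapy for more information
## Copyright (C) Philippe Biondi <phil (at] secdev.org>
## This program is published under a GPLv2 license

"""
SMB (Server Message Block), also known as CIFS.

Legacy SMB1 layers: a NetLogon/mailslot response, the SMB_COM_NEGOTIATE
request and its response variants, and SMB_COM_SESSION_SETUP_ANDX.

Each layer is a flat template: its field defaults describe one sample
packet (host names such as "RMFF1"/"WIN2K", a fixed 2005 server time, a
zero Signature, a guest logon with password "Pass").  Override whatever
you need when building.  On dissection nothing here checks the 0xFF "SMB"
magic, the Command byte or the Signature field, so a layer being present
in a dissected packet is not evidence that the bytes were a valid SMB
message of that type.
"""

from scapy.packet import *
from scapy.fields import *
from scapy.layers.netbios import NBTSession


# SMB NetLogon Response Header
class SMBNetlogon_Protocol_Response_Header(Packet):
    """SMB_COM_TRANSACTION (0x25) header as used for a NetLogon response.

    Defaults describe one sample response: WordCount 17, 112 data bytes at
    offset 92, three setup words.  The error field is spelled ``Error_code``
    here but ``Error_Code`` in the Negotiate/SessionSetup layers; both
    spellings are kept because callers address fields by name.
    """
    name = "SMBNetlogon Protocol Response Header"
    fields_desc = [
        StrFixedLenField("Start", b"\xffSMB", 4),
        ByteEnumField("Command", 0x25, {0x25: "Trans"}),
        ByteField("Error_Class", 0x02),
        ByteField("Reserved", 0),
        LEShortField("Error_code", 4),
        ByteField("Flags", 0),
        LEShortField("Flags2", 0x0000),
        LEShortField("PIDHigh", 0x0000),
        # 8-byte security-signature slot; 0 by default and never verified
        # on dissection.
        LELongField("Signature", 0x0),
        LEShortField("Unused", 0x0),
        LEShortField("TID", 0),
        LEShortField("PID", 0),
        LEShortField("UID", 0),
        LEShortField("MID", 0),
        ByteField("WordCount", 17),
        LEShortField("TotalParamCount", 0),
        LEShortField("TotalDataCount", 112),
        LEShortField("MaxParamCount", 0),
        LEShortField("MaxDataCount", 0),
        ByteField("MaxSetupCount", 0),
        ByteField("unused2", 0),
        LEShortField("Flags3", 0),
        ByteField("TimeOut1", 0xe8),
        ByteField("TimeOut2", 0x03),
        LEShortField("unused3", 0),
        LEShortField("unused4", 0),
        LEShortField("ParamCount2", 0),
        LEShortField("ParamOffset", 0),
        LEShortField("DataCount", 112),
        LEShortField("DataOffset", 92),
        ByteField("SetupCount", 3),
        ByteField("unused5", 0),
    ]


# SMB MailSlot Protocol
class SMBMailSlot(Packet):
    """Mailslot transaction payload (``\\MAILSLOT\\NET\\GETDC660`` by default).

    The field named ``class`` shadows a Python keyword, so read it with
    ``pkt.getfieldval("class")`` rather than attribute access.
    """
    name = "SMB Mail Slot Protocol"
    fields_desc = [
        LEShortField("opcode", 1),
        LEShortField("priority", 1),
        LEShortField("class", 2),
        LEShortField("size", 135),
        StrNullField("name", "\\MAILSLOT\\NET\\GETDC660"),
    ]


# SMB NetLogon Protocol Response Tail SAM
class SMBNetlogon_Protocol_Response_Tail_SAM(Packet):
    """SAM logon response body following the NetLogon header.

    The ``DataN`` fields are raw, undecoded words (big-endian ``ShortField``,
    unlike the little-endian SMB header) captured from one sample response
    for the host "rmff-win2k" in site "Default-First-Site-Name"; their
    individual meanings are not modelled here.
    """
    name = "SMB Netlogon Protocol Response Tail SAM"
    fields_desc = [
        ByteEnumField("Command", 0x17, {0x12: "SAM logon request",
                                        0x17: "SAM Active directory Response"}),
        ByteField("unused", 0),
        ShortField("Data1", 0),
        ShortField("Data2", 0xfd01),
        ShortField("Data3", 0),
        ShortField("Data4", 0xacde),
        ShortField("Data5", 0x0fe5),
        ShortField("Data6", 0xd10a),
        ShortField("Data7", 0x374c),
        ShortField("Data8", 0x83e2),
        ShortField("Data9", 0x7dd9),
        ShortField("Data10", 0x3a16),
        ShortField("Data11", 0x73ff),
        ByteField("Data12", 0x04),
        StrFixedLenField("Data13", "rmff", 4),
        ByteField("Data14", 0x0),
        ShortField("Data16", 0xc018),
        ByteField("Data18", 0x0a),
        StrFixedLenField("Data20", "rmff-win2k", 10),
        ByteField("Data21", 0xc0),
        ShortField("Data22", 0x18c0),
        ShortField("Data23", 0x180a),
        StrFixedLenField("Data24", "RMFF-WIN2K", 10),
        ShortField("Data25", 0),
        ByteField("Data26", 0x17),
        StrFixedLenField("Data27", "Default-First-Site-Name", 23),
        ShortField("Data28", 0x00c0),
        ShortField("Data29", 0x3c10),
        ShortField("Data30", 0x00c0),
        ShortField("Data31", 0x0200),
        ShortField("Data32", 0x0),
        ShortField("Data33", 0xac14),
        ShortField("Data34", 0x0064),
        ShortField("Data35", 0x0),
        ShortField("Data36", 0x0),
        ShortField("Data37", 0x0),
        ShortField("Data38", 0x0),
        ShortField("Data39", 0x0d00),
        ShortField("Data40", 0x0),
        ShortField("Data41", 0xffff),
    ]


# SMB NetLogon Protocol Response Tail LM2.0
class SMBNetlogon_Protocol_Response_Tail_LM20(Packet):
    """LAN Manager 2.0 response to a logon request: ``\\\\<ServerName>``
    followed by the LM20 token (0xffff by default)."""
    name = "SMB Netlogon Protocol Response Tail LM20"
    fields_desc = [
        ByteEnumField("Command", 0x06, {0x06: "LM 2.0 Response to logon request"}),
        ByteField("unused", 0),
        StrFixedLenField("DblSlash", "\\\\", 2),
        StrNullField("ServerName", "WIN"),
        LEShortField("LM20Token", 0xffff),
    ]


# SMBNegociate Protocol Request Header
class SMBNegociate_Protocol_Request_Header(Packet):
    """SMB_COM_NEGOTIATE (0x72) request header.

    ByteCount defaults to 12, which matches one default
    SMBNegociate_Protocol_Request_Tail ("NT LM 0.12" plus format byte and
    terminator); it is a plain field, so adjust it yourself when chaining
    more dialect tails.
    """
    name = "SMBNegociate Protocol Request Header"
    fields_desc = [
        StrFixedLenField("Start", b"\xffSMB", 4),
        ByteEnumField("Command", 0x72, {0x72: "SMB_COM_NEGOTIATE"}),
        ByteField("Error_Class", 0),
        ByteField("Reserved", 0),
        LEShortField("Error_code", 0),
        ByteField("Flags", 0x18),
        LEShortField("Flags2", 0x0000),
        LEShortField("PIDHigh", 0x0000),
        LELongField("Signature", 0x0),
        LEShortField("Unused", 0x0),
        LEShortField("TID", 0),
        LEShortField("PID", 1),
        LEShortField("UID", 0),
        LEShortField("MID", 2),
        ByteField("WordCount", 0),
        LEShortField("ByteCount", 12),
    ]


# SMB Negociate Protocol Request Tail
class SMBNegociate_Protocol_Request_Tail(Packet):
    """One dialect entry of a negotiate request: format byte 0x02 followed by
    a NUL-terminated dialect string.  Tails are bound to themselves below so
    several entries dissect as a chain."""
    name = "SMB Negociate Protocol Request Tail"
    fields_desc = [
        ByteField("BufferFormat", 0x02),
        StrNullField("BufferData", "NT LM 0.12"),
    ]


# SMBNegociate Protocol Response Advanced Security
class SMBNegociate_Protocol_Response_Advanced_Security(Packet):
    """SMB_COM_NEGOTIATE response with ExtendedSecurity=1: the data block is
    a 16-byte server GUID followed by a security blob.

    ByteCount is computed from the blob on build and the blob length is
    derived from ByteCount on dissection; the 16-byte GUID is included in
    ByteCount in both directions (an earlier revision had the sign of that
    16 inverted, which yielded a negative ByteCount for an empty blob).
    """
    name = "SMBNegociate Protocol Response Advanced Security"
    fields_desc = [
        StrFixedLenField("Start", b"\xffSMB", 4),
        ByteEnumField("Command", 0x72, {0x72: "SMB_COM_NEGOTIATE"}),
        ByteField("Error_Class", 0),
        ByteField("Reserved", 0),
        LEShortField("Error_Code", 0),
        ByteField("Flags", 0x98),
        LEShortField("Flags2", 0x0000),
        LEShortField("PIDHigh", 0x0000),
        LELongField("Signature", 0x0),
        LEShortField("Unused", 0x0),
        LEShortField("TID", 0),
        LEShortField("PID", 1),
        LEShortField("UID", 0),
        LEShortField("MID", 2),
        ByteField("WordCount", 17),
        LEShortField("DialectIndex", 7),
        ByteField("SecurityMode", 0x03),
        LEShortField("MaxMpxCount", 50),
        LEShortField("MaxNumberVC", 1),
        LEIntField("MaxBufferSize", 16144),
        LEIntField("MaxRawSize", 65536),
        LEIntField("SessionKey", 0x0000),
        LEShortField("ServerCapabilities", 0xf3f9),
        BitField("UnixExtensions", 0, 1),
        BitField("Reserved2", 0, 7),
        BitField("ExtendedSecurity", 1, 1),
        BitField("CompBulk", 0, 2),
        BitField("Reserved3", 0, 5),
        # There have been 127490112000000000 tenths of micro-seconds between
        # 1st January 1601 and 1st January 2005.
        # 127490112000000000 = 0x1C4EF94D6228000, so ServerTimeHigh=0xD6228000
        # and ServerTimeLow=0x1C4EF94.  Note the naming: the dword sent first
        # ("ServerTimeHigh") holds the low-order half of that 64-bit value.
        LEIntField("ServerTimeHigh", 0xD6228000),
        LEIntField("ServerTimeLow", 0x1C4EF94),
        LEShortField("ServerTimeZone", 0x3c),
        ByteField("EncryptionKeyLength", 0),
        # ByteCount = len(GUID) + len(SecurityBlob) = 16 + len(SecurityBlob).
        LEFieldLenField("ByteCount", None, "SecurityBlob",
                        adjust=lambda pkt, x: x + 16),
        BitField("GUID", 0, 128),
        # Clamp at 0 so a malformed ByteCount below 16 cannot produce a
        # negative blob length.
        StrLenField("SecurityBlob", "",
                    length_from=lambda pkt: max(pkt.ByteCount - 16, 0)),
    ]


# SMBNegociate Protocol Response No Security
# When using no security, with EncryptionKeyLength=8, you must have an EncryptionKey before the DomainName
class SMBNegociate_Protocol_Response_No_Security(Packet):
    """SMB_COM_NEGOTIATE response with ExtendedSecurity=0 and an 8-byte
    challenge: EncryptionKey precedes DomainName/ServerName.

    ByteCount is a plain field defaulting to 24 (8-byte key + "WORKGROUP\\0"
    + "RMFF1\\0"); it is not recomputed when the strings change.
    """
    name = "SMBNegociate Protocol Response No Security"
    fields_desc = [
        StrFixedLenField("Start", b"\xffSMB", 4),
        ByteEnumField("Command", 0x72, {0x72: "SMB_COM_NEGOTIATE"}),
        ByteField("Error_Class", 0),
        ByteField("Reserved", 0),
        LEShortField("Error_Code", 0),
        ByteField("Flags", 0x98),
        LEShortField("Flags2", 0x0000),
        LEShortField("PIDHigh", 0x0000),
        LELongField("Signature", 0x0),
        LEShortField("Unused", 0x0),
        LEShortField("TID", 0),
        LEShortField("PID", 1),
        LEShortField("UID", 0),
        LEShortField("MID", 2),
        ByteField("WordCount", 17),
        LEShortField("DialectIndex", 7),
        ByteField("SecurityMode", 0x03),
        LEShortField("MaxMpxCount", 50),
        LEShortField("MaxNumberVC", 1),
        LEIntField("MaxBufferSize", 16144),
        LEIntField("MaxRawSize", 65536),
        LEIntField("SessionKey", 0x0000),
        LEShortField("ServerCapabilities", 0xf3f9),
        BitField("UnixExtensions", 0, 1),
        BitField("Reserved2", 0, 7),
        BitField("ExtendedSecurity", 0, 1),
        # Same two bits as the BitField "CompBulk" of the other variants,
        # only displayed as flags "C"/"B".
        FlagsField("CompBulk", 0, 2, "CB"),
        BitField("Reserved3", 0, 5),
        # There have been 127490112000000000 tenths of micro-seconds between
        # 1st January 1601 and 1st January 2005.
        # 127490112000000000 = 0x1C4EF94D6228000, so ServerTimeHigh=0xD6228000
        # and ServerTimeLow=0x1C4EF94.
        LEIntField("ServerTimeHigh", 0xD6228000),
        LEIntField("ServerTimeLow", 0x1C4EF94),
        LEShortField("ServerTimeZone", 0x3c),
        ByteField("EncryptionKeyLength", 8),
        LEShortField("ByteCount", 24),
        BitField("EncryptionKey", 0, 64),
        StrNullField("DomainName", "WORKGROUP"),
        StrNullField("ServerName", "RMFF1"),
    ]


# SMBNegociate Protocol Response No Security No Key
class SMBNegociate_Protocol_Response_No_Security_No_Key(Packet):
    """SMB_COM_NEGOTIATE response with ExtendedSecurity=0 and no challenge
    (EncryptionKeyLength=0); ByteCount defaults to 16 for the two default
    NUL-terminated strings and is not recomputed."""
    # Was misspelled "namez", leaving the layer with no display name.
    name = "SMBNegociate Protocol Response No Security No Key"
    fields_desc = [
        StrFixedLenField("Start", b"\xffSMB", 4),
        ByteEnumField("Command", 0x72, {0x72: "SMB_COM_NEGOTIATE"}),
        ByteField("Error_Class", 0),
        ByteField("Reserved", 0),
        LEShortField("Error_Code", 0),
        ByteField("Flags", 0x98),
        LEShortField("Flags2", 0x0000),
        LEShortField("PIDHigh", 0x0000),
        LELongField("Signature", 0x0),
        LEShortField("Unused", 0x0),
        LEShortField("TID", 0),
        LEShortField("PID", 1),
        LEShortField("UID", 0),
        LEShortField("MID", 2),
        ByteField("WordCount", 17),
        LEShortField("DialectIndex", 7),
        ByteField("SecurityMode", 0x03),
        LEShortField("MaxMpxCount", 50),
        LEShortField("MaxNumberVC", 1),
        LEIntField("MaxBufferSize", 16144),
        LEIntField("MaxRawSize", 65536),
        LEIntField("SessionKey", 0x0000),
        LEShortField("ServerCapabilities", 0xf3f9),
        BitField("UnixExtensions", 0, 1),
        BitField("Reserved2", 0, 7),
        BitField("ExtendedSecurity", 0, 1),
        FlagsField("CompBulk", 0, 2, "CB"),
        BitField("Reserved3", 0, 5),
        # There have been 127490112000000000 tenths of micro-seconds between
        # 1st January 1601 and 1st January 2005.
        # 127490112000000000 = 0x1C4EF94D6228000, so ServerTimeHigh=0xD6228000
        # and ServerTimeLow=0x1C4EF94.
        LEIntField("ServerTimeHigh", 0xD6228000),
        LEIntField("ServerTimeLow", 0x1C4EF94),
        LEShortField("ServerTimeZone", 0x3c),
        ByteField("EncryptionKeyLength", 0),
        LEShortField("ByteCount", 16),
        StrNullField("DomainName", "WORKGROUP"),
        StrNullField("ServerName", "RMFF1"),
    ]


# Session Setup AndX Request
class SMBSession_Setup_AndX_Request(Packet):
    """SMB_COM_SESSION_SETUP_ANDX (0x73) request chained with
    SMB_COM_TREE_CONNECT_ANDX (0x75).

    Only ANSIPasswordLength is derived from its string (ANSIPassword);
    AndXOffset, ByteCount, ByteCount2 and AndXOffset2 are plain fields whose
    defaults (96, 35, 18, 0) match the default strings and must be adjusted
    by the caller when those strings change.  Defaults describe a guest
    logon ("GUEST"/"Pass") to ``\\\\WIN2K\\IPC$``.
    """
    name = "Session Setup AndX Request"
    fields_desc = [
        StrFixedLenField("Start", b"\xffSMB", 4),
        ByteEnumField("Command", 0x73, {0x73: "SMB_COM_SESSION_SETUP_ANDX"}),
        ByteField("Error_Class", 0),
        ByteField("Reserved", 0),
        LEShortField("Error_Code", 0),
        ByteField("Flags", 0x18),
        LEShortField("Flags2", 0x0001),
        LEShortField("PIDHigh", 0x0000),
        LELongField("Signature", 0x0),
        LEShortField("Unused", 0x0),
        LEShortField("TID", 0),
        LEShortField("PID", 1),
        LEShortField("UID", 0),
        LEShortField("MID", 2),
        ByteField("WordCount", 13),
        ByteEnumField("AndXCommand", 0x75, {0x75: "SMB_COM_TREE_CONNECT_ANDX"}),
        ByteField("Reserved2", 0),
        LEShortField("AndXOffset", 96),
        LEShortField("MaxBufferS", 2920),
        LEShortField("MaxMPXCount", 50),
        LEShortField("VCNumber", 0),
        LEIntField("SessionKey", 0),
        LEFieldLenField("ANSIPasswordLength", None, "ANSIPassword"),
        LEShortField("UnicodePasswordLength", 0),
        LEIntField("Reserved3", 0),
        LEShortField("ServerCapabilities", 0x05),
        BitField("UnixExtensions", 0, 1),
        BitField("Reserved4", 0, 7),
        BitField("ExtendedSecurity", 0, 1),
        BitField("CompBulk", 0, 2),
        BitField("Reserved5", 0, 5),
        LEShortField("ByteCount", 35),
        StrLenField("ANSIPassword", "Pass",
                    length_from=lambda x: x.ANSIPasswordLength),
        StrNullField("Account", "GUEST"),
        StrNullField("PrimaryDomain", ""),
        StrNullField("NativeOS", "Windows 4.0"),
        StrNullField("NativeLanManager", "Windows 4.0"),
        # --- chained SMB_COM_TREE_CONNECT_ANDX ---
        ByteField("WordCount2", 4),
        ByteEnumField("AndXCommand2", 0xFF, {0xFF: "SMB_COM_NONE"}),
        ByteField("Reserved6", 0),
        LEShortField("AndXOffset2", 0),
        LEShortField("Flags3", 0x2),
        LEShortField("PasswordLength", 0x1),
        LEShortField("ByteCount2", 18),
        ByteField("Password", 0),
        StrNullField("Path", "\\\\WIN2K\\IPC$"),
        StrNullField("Service", "IPC"),
    ]


# Session Setup AndX Response
class SMBSession_Setup_AndX_Response(Packet):
    """SMB_COM_SESSION_SETUP_ANDX response chained with the
    SMB_COM_TREE_CONNECT_ANDX response.

    AndXOffset (66), ByteCount (25), AndXOffset2 (80) and ByteCount2 (5) are
    plain fields matching the default strings; adjust them when the strings
    change.
    """
    name = "Session Setup AndX Response"
    fields_desc = [
        StrFixedLenField("Start", b"\xffSMB", 4),
        ByteEnumField("Command", 0x73, {0x73: "SMB_COM_SESSION_SETUP_ANDX"}),
        ByteField("Error_Class", 0),
        ByteField("Reserved", 0),
        LEShortField("Error_Code", 0),
        ByteField("Flags", 0x90),
        LEShortField("Flags2", 0x1001),
        LEShortField("PIDHigh", 0x0000),
        LELongField("Signature", 0x0),
        LEShortField("Unused", 0x0),
        LEShortField("TID", 0),
        LEShortField("PID", 1),
        LEShortField("UID", 0),
        LEShortField("MID", 2),
        ByteField("WordCount", 3),
        ByteEnumField("AndXCommand", 0x75, {0x75: "SMB_COM_TREE_CONNECT_ANDX"}),
        ByteField("Reserved2", 0),
        LEShortField("AndXOffset", 66),
        LEShortField("Action", 0),
        LEShortField("ByteCount", 25),
        StrNullField("NativeOS", "Windows 4.0"),
        StrNullField("NativeLanManager", "Windows 4.0"),
        StrNullField("PrimaryDomain", ""),
        # --- chained SMB_COM_TREE_CONNECT_ANDX response ---
        ByteField("WordCount2", 3),
        ByteEnumField("AndXCommand2", 0xFF, {0xFF: "SMB_COM_NONE"}),
        ByteField("Reserved3", 0),
        LEShortField("AndXOffset2", 80),
        LEShortField("OptionalSupport", 0x01),
        LEShortField("ByteCount2", 5),
        StrNullField("Service", "IPC"),
        StrNullField("NativeFileSystem", ""),
    ]


# Layer bindings.  The ExtendedSecurity/EncryptionKeyLength conditions name
# fields of the SMB layers, not of NBTSession, so they presumably never
# select a class while dissecting an NBTSession payload; of the three
# unconditional NBTSession bindings, Scapy appears to try the first one
# registered (SMBNegociate_Protocol_Request_Header) first.  No binding checks
# the 0xFF "SMB" magic or the Command byte -- confirm the dissected type
# against pkt.Command before trusting it.
bind_layers(NBTSession, SMBNegociate_Protocol_Request_Header, )
bind_layers(NBTSession, SMBNegociate_Protocol_Response_Advanced_Security, ExtendedSecurity=1)
bind_layers(NBTSession, SMBNegociate_Protocol_Response_No_Security, ExtendedSecurity=0, EncryptionKeyLength=8)
bind_layers(NBTSession, SMBNegociate_Protocol_Response_No_Security_No_Key, ExtendedSecurity=0, EncryptionKeyLength=0)
bind_layers(NBTSession, SMBSession_Setup_AndX_Request, )
bind_layers(NBTSession, SMBSession_Setup_AndX_Response, )
bind_layers(SMBNegociate_Protocol_Request_Header, SMBNegociate_Protocol_Request_Tail, )
# A tail may be followed by another tail: one entry per offered dialect.
bind_layers(SMBNegociate_Protocol_Request_Tail, SMBNegociate_Protocol_Request_Tail, )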