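## This file is part of Scapy
## See http://www.secdev.org/projects/scapy for more informations
## Copyright (C) Philippe Biondi
## This program is published under a GPLv2 license

"""
SMB (Server Message Block), also known as CIFS.

Legacy SMB1 layouts. Most field defaults below are the values of one
captured exchange (a host calling itself "RMFF1"/"WIN2K" in workgroup
"WORKGROUP"), kept so that a bare ``Packet()`` builds a plausible
sample; they are templates, not protocol constants, except where a
field comment says otherwise.
"""

from scapy.packet import *
from scapy.fields import *
from scapy.layers.netbios import NBTSession


# SMB NetLogon Response Header
class SMBNetlogon_Protocol_Response_Header(Packet):
    """SMB header + Transaction (0x25) parameter block of a NetLogon reply.

    The 32 bytes from ``Start`` to ``MID`` are the common SMB1 header;
    ``Signature`` is the 8-byte message-signing slot (0 = unsigned).
    The rest is the TRANS parameter block, with ``DataCount``/
    ``DataOffset`` pre-set for the 112-byte mailslot payload that
    ``SMBMailSlot`` and the ``*_Tail_*`` layers describe.
    """
    name = "SMBNetlogon Protocol Response Header"
    fields_desc = [
        StrFixedLenField("Start", b"\xffSMB", 4),
        ByteEnumField("Command", 0x25, {0x25: "Trans"}),
        ByteField("Error_Class", 0x02),
        ByteField("Reserved", 0),
        LEShortField("Error_code", 4),
        ByteField("Flags", 0),
        LEShortField("Flags2", 0x0000),
        LEShortField("PIDHigh", 0x0000),
        LELongField("Signature", 0x0),
        LEShortField("Unused", 0x0),
        LEShortField("TID", 0),
        LEShortField("PID", 0),
        LEShortField("UID", 0),
        LEShortField("MID", 0),
        ByteField("WordCount", 17),
        LEShortField("TotalParamCount", 0),
        LEShortField("TotalDataCount", 112),
        LEShortField("MaxParamCount", 0),
        LEShortField("MaxDataCount", 0),
        ByteField("MaxSetupCount", 0),
        ByteField("unused2", 0),
        LEShortField("Flags3", 0),
        # Transaction timeout, little-endian 0x03e8 = 1000 ms split in bytes.
        ByteField("TimeOut1", 0xe8),
        ByteField("TimeOut2", 0x03),
        LEShortField("unused3", 0),
        LEShortField("unused4", 0),
        LEShortField("ParamCount2", 0),
        LEShortField("ParamOffset", 0),
        # Static counts/offsets: they are NOT recomputed from the payload.
        LEShortField("DataCount", 112),
        LEShortField("DataOffset", 92),
        ByteField("SetupCount", 3),
        ByteField("unused5", 0),
    ]


# SMB MailSlot Protocol
class SMBMailSlot(Packet):
    """Mailslot write request carried in the SMB TRANS setup words.

    ``name`` is the NUL-terminated mailslot path; the default is the
    NetLogon "find a DC" mailslot used by the NetLogon layers below.
    """
    name = "SMB Mail Slot Protocol"
    fields_desc = [
        LEShortField("opcode", 1),
        LEShortField("priority", 1),
        LEShortField("class", 2),
        # Static; not derived from the mailslot payload length.
        LEShortField("size", 135),
        StrNullField("name", "\\MAILSLOT\\NET\\GETDC660"),
    ]


# SMB NetLogon Protocol Response Tail SAM
class SMBNetlogon_Protocol_Response_Tail_SAM(Packet):
    """NetLogon SAM logon reply body (``Command`` 0x17).

    ``Data1``..``Data41`` are the raw bytes of a captured Active
    Directory SAM response, exposed field by field without decoding.
    The ``rmff`` / ``Default-First-Site-Name`` strings are the
    computer, domain and site names of that capture. All ``ShortField``
    values are big-endian as written (no ``LE`` prefix), which is how the
    capture was transcribed; confirm against a live trace before relying
    on individual ``DataN`` semantics.
    """
    name = "SMB Netlogon Protocol Response Tail SAM"
    fields_desc = [
        ByteEnumField("Command", 0x17, {0x12: "SAM logon request",
                                        0x17: "SAM Active directory Response"}),
        ByteField("unused", 0),
        ShortField("Data1", 0),
        ShortField("Data2", 0xfd01),
        ShortField("Data3", 0),
        ShortField("Data4", 0xacde),
        ShortField("Data5", 0x0fe5),
        ShortField("Data6", 0xd10a),
        ShortField("Data7", 0x374c),
        ShortField("Data8", 0x83e2),
        ShortField("Data9", 0x7dd9),
        ShortField("Data10", 0x3a16),
        ShortField("Data11", 0x73ff),
        ByteField("Data12", 0x04),
        StrFixedLenField("Data13", "rmff", 4),
        ByteField("Data14", 0x0),
        ShortField("Data16", 0xc018),
        ByteField("Data18", 0x0a),
        StrFixedLenField("Data20", "rmff-win2k", 10),
        ByteField("Data21", 0xc0),
        ShortField("Data22", 0x18c0),
        ShortField("Data23", 0x180a),
        StrFixedLenField("Data24", "RMFF-WIN2K", 10),
        ShortField("Data25", 0),
        ByteField("Data26", 0x17),
        StrFixedLenField("Data27", "Default-First-Site-Name", 23),
        ShortField("Data28", 0x00c0),
        ShortField("Data29", 0x3c10),
        ShortField("Data30", 0x00c0),
        ShortField("Data31", 0x0200),
        ShortField("Data32", 0x0),
        ShortField("Data33", 0xac14),
        ShortField("Data34", 0x0064),
        ShortField("Data35", 0x0),
        ShortField("Data36", 0x0),
        ShortField("Data37", 0x0),
        ShortField("Data38", 0x0),
        ShortField("Data39", 0x0d00),
        ShortField("Data40", 0x0),
        ShortField("Data41", 0xffff),
    ]


# SMB NetLogon Protocol Response Tail LM2.0
class SMBNetlogon_Protocol_Response_Tail_LM20(Packet):
    """NetLogon LAN Manager 2.0 logon reply body (``Command`` 0x06).

    The server name is sent as ``\\\\`` + NUL-terminated ``ServerName``;
    ``LM20Token`` 0xffff is the value seen in the captured reply.
    """
    name = "SMB Netlogon Protocol Response Tail LM20"
    fields_desc = [
        ByteEnumField("Command", 0x06, {0x06: "LM 2.0 Response to logon request"}),
        ByteField("unused", 0),
        StrFixedLenField("DblSlash", "\\\\", 2),
        StrNullField("ServerName", "WIN"),
        LEShortField("LM20Token", 0xffff),
    ]


# SMBNegociate Protocol Request Header
class SMBNegociate_Protocol_Request_Header(Packet):
    """SMB1 header of a SMB_COM_NEGOTIATE (0x72) request.

    ``WordCount`` is 0 for this command; ``ByteCount`` is static (12 =
    one ``SMBNegociate_Protocol_Request_Tail`` carrying "NT LM 0.12")
    and is not recomputed when more dialect tails are appended.
    """
    name = "SMBNegociate Protocol Request Header"
    fields_desc = [
        StrFixedLenField("Start", b"\xffSMB", 4),
        ByteEnumField("Command", 0x72, {0x72: "SMB_COM_NEGOTIATE"}),
        ByteField("Error_Class", 0),
        ByteField("Reserved", 0),
        LEShortField("Error_code", 0),
        ByteField("Flags", 0x18),
        LEShortField("Flags2", 0x0000),
        LEShortField("PIDHigh", 0x0000),
        LELongField("Signature", 0x0),
        LEShortField("Unused", 0x0),
        LEShortField("TID", 0),
        LEShortField("PID", 1),
        LEShortField("UID", 0),
        LEShortField("MID", 2),
        ByteField("WordCount", 0),
        LEShortField("ByteCount", 12),
    ]


# SMB Negociate Protocol Request Tail
class SMBNegociate_Protocol_Request_Tail(Packet):
    """One dialect entry of a NEGOTIATE request.

    ``BufferFormat`` 0x02 marks a dialect string; ``BufferData`` is the
    NUL-terminated dialect name. A request lists several of these back to
    back, hence the self-binding at the bottom of this module.
    """
    name = "SMB Negociate Protocol Request Tail"
    fields_desc = [
        ByteField("BufferFormat", 0x02),
        StrNullField("BufferData", "NT LM 0.12"),
    ]


# Shared note for the three NEGOTIATE responses below:
# 127490112000000000 tenths of micro-seconds elapsed between 1st January
# 1601 and 1st January 2005; 127490112000000000 = 0x1C4EF94D6228000.
# On the wire the low dword (0xD6228000) comes first, so the field named
# "ServerTimeHigh" actually holds the LOW dword and "ServerTimeLow" the
# HIGH dword (0x1C4EF94). The names are kept for compatibility.

# SMBNegociate Protocol Response Advanced Security
class SMBNegociate_Protocol_Response_Advanced_Security(Packet):
    """NEGOTIATE response with extended security (``ExtendedSecurity`` = 1).

    After the fixed words, the data area is a 16-byte server GUID followed
    by the SPNEGO/NTLM ``SecurityBlob``. ``ByteCount`` covers both: it is
    built as ``len(SecurityBlob) + 16`` and, on dissection, the blob
    length is ``ByteCount - 16`` (clamped at 0 so a truncated or hostile
    ``ByteCount`` below 16 cannot produce a negative length).
    """
    name = "SMBNegociate Protocol Response Advanced Security"
    fields_desc = [
        StrFixedLenField("Start", b"\xffSMB", 4),
        ByteEnumField("Command", 0x72, {0x72: "SMB_COM_NEGOTIATE"}),
        ByteField("Error_Class", 0),
        ByteField("Reserved", 0),
        LEShortField("Error_Code", 0),
        ByteField("Flags", 0x98),
        LEShortField("Flags2", 0x0000),
        LEShortField("PIDHigh", 0x0000),
        LELongField("Signature", 0x0),
        LEShortField("Unused", 0x0),
        LEShortField("TID", 0),
        LEShortField("PID", 1),
        LEShortField("UID", 0),
        LEShortField("MID", 2),
        ByteField("WordCount", 17),
        LEShortField("DialectIndex", 7),
        # 0x03 = user-level security + challenge/response; bits 2/3
        # (signing enabled/required) are clear in this template.
        ByteField("SecurityMode", 0x03),
        LEShortField("MaxMpxCount", 50),
        LEShortField("MaxNumberVC", 1),
        LEIntField("MaxBufferSize", 16144),
        LEIntField("MaxRawSize", 65536),
        LEIntField("SessionKey", 0x0000),
        LEShortField("ServerCapabilities", 0xf3f9),
        BitField("UnixExtensions", 0, 1),
        BitField("Reserved2", 0, 7),
        BitField("ExtendedSecurity", 1, 1),
        BitField("CompBulk", 0, 2),
        BitField("Reserved3", 0, 5),
        # See the FILETIME note above this class.
        LEIntField("ServerTimeHigh", 0xD6228000),
        LEIntField("ServerTimeLow", 0x1C4EF94),
        LEShortField("ServerTimeZone", 0x3c),
        ByteField("EncryptionKeyLength", 0),
        # ByteCount = GUID (16) + SecurityBlob.
        LEFieldLenField("ByteCount", None, "SecurityBlob",
                        adjust=lambda pkt, x: x + 16),
        BitField("GUID", 0, 128),
        StrLenField("SecurityBlob", "",
                    length_from=lambda x: max(x.ByteCount - 16, 0)),
    ]


# SMBNegociate Protocol Response No Security
# When using no security, with EncryptionKeyLength=8, you must have an
# EncryptionKey before the DomainName
class SMBNegociate_Protocol_Response_No_Security(Packet):
    """NEGOTIATE response without extended security, with an 8-byte challenge.

    ``EncryptionKey`` is the server challenge for LM/NTLM
    challenge/response; ``ByteCount`` (24) is static and matches the
    default ``DomainName``/``ServerName`` only.
    """
    name = "SMBNegociate Protocol Response No Security"
    fields_desc = [
        StrFixedLenField("Start", b"\xffSMB", 4),
        ByteEnumField("Command", 0x72, {0x72: "SMB_COM_NEGOTIATE"}),
        ByteField("Error_Class", 0),
        ByteField("Reserved", 0),
        LEShortField("Error_Code", 0),
        ByteField("Flags", 0x98),
        LEShortField("Flags2", 0x0000),
        LEShortField("PIDHigh", 0x0000),
        LELongField("Signature", 0x0),
        LEShortField("Unused", 0x0),
        LEShortField("TID", 0),
        LEShortField("PID", 1),
        LEShortField("UID", 0),
        LEShortField("MID", 2),
        ByteField("WordCount", 17),
        LEShortField("DialectIndex", 7),
        ByteField("SecurityMode", 0x03),
        LEShortField("MaxMpxCount", 50),
        LEShortField("MaxNumberVC", 1),
        LEIntField("MaxBufferSize", 16144),
        LEIntField("MaxRawSize", 65536),
        LEIntField("SessionKey", 0x0000),
        LEShortField("ServerCapabilities", 0xf3f9),
        BitField("UnixExtensions", 0, 1),
        BitField("Reserved2", 0, 7),
        BitField("ExtendedSecurity", 0, 1),
        FlagsField("CompBulk", 0, 2, "CB"),
        BitField("Reserved3", 0, 5),
        # See the FILETIME note above SMBNegociate_Protocol_Response_Advanced_Security.
        LEIntField("ServerTimeHigh", 0xD6228000),
        LEIntField("ServerTimeLow", 0x1C4EF94),
        LEShortField("ServerTimeZone", 0x3c),
        ByteField("EncryptionKeyLength", 8),
        LEShortField("ByteCount", 24),
        BitField("EncryptionKey", 0, 64),
        StrNullField("DomainName", "WORKGROUP"),
        StrNullField("ServerName", "RMFF1"),
    ]


# SMBNegociate Protocol Response No Security No Key
class SMBNegociate_Protocol_Response_No_Security_No_Key(Packet):
    """NEGOTIATE response without extended security and without a challenge.

    Same layout as ``SMBNegociate_Protocol_Response_No_Security`` with
    ``EncryptionKeyLength`` 0 and no ``EncryptionKey`` field; ``ByteCount``
    (16) is static.
    """
    # The original spelled this attribute "namez", so the class silently
    # fell back to Packet's default display name.
    name = "SMBNegociate Protocol Response No Security No Key"
    fields_desc = [
        StrFixedLenField("Start", b"\xffSMB", 4),
        ByteEnumField("Command", 0x72, {0x72: "SMB_COM_NEGOTIATE"}),
        ByteField("Error_Class", 0),
        ByteField("Reserved", 0),
        LEShortField("Error_Code", 0),
        ByteField("Flags", 0x98),
        LEShortField("Flags2", 0x0000),
        LEShortField("PIDHigh", 0x0000),
        LELongField("Signature", 0x0),
        LEShortField("Unused", 0x0),
        LEShortField("TID", 0),
        LEShortField("PID", 1),
        LEShortField("UID", 0),
        LEShortField("MID", 2),
        ByteField("WordCount", 17),
        LEShortField("DialectIndex", 7),
        ByteField("SecurityMode", 0x03),
        LEShortField("MaxMpxCount", 50),
        LEShortField("MaxNumberVC", 1),
        LEIntField("MaxBufferSize", 16144),
        LEIntField("MaxRawSize", 65536),
        LEIntField("SessionKey", 0x0000),
        LEShortField("ServerCapabilities", 0xf3f9),
        BitField("UnixExtensions", 0, 1),
        BitField("Reserved2", 0, 7),
        BitField("ExtendedSecurity", 0, 1),
        FlagsField("CompBulk", 0, 2, "CB"),
        BitField("Reserved3", 0, 5),
        # See the FILETIME note above SMBNegociate_Protocol_Response_Advanced_Security.
        LEIntField("ServerTimeHigh", 0xD6228000),
        LEIntField("ServerTimeLow", 0x1C4EF94),
        LEShortField("ServerTimeZone", 0x3c),
        ByteField("EncryptionKeyLength", 0),
        LEShortField("ByteCount", 16),
        StrNullField("DomainName", "WORKGROUP"),
        StrNullField("ServerName", "RMFF1"),
    ]


# Session Setup AndX Request
class SMBSession_Setup_AndX_Request(Packet):
    """SMB_COM_SESSION_SETUP_ANDX request chained with a TREE_CONNECT_ANDX.

    Only ``ANSIPasswordLength`` is derived from its field; every other
    count/offset (``AndXOffset``, ``ByteCount``, ``ByteCount2``,
    ``PasswordLength``) is a static value from the sample exchange and is
    not recomputed when strings change. The default credentials are the
    sample's ``GUEST``/``Pass`` pair; the chained tree connect targets
    the ``IPC$`` share of ``WIN2K``.
    """
    name = "Session Setup AndX Request"
    fields_desc = [
        StrFixedLenField("Start", b"\xffSMB", 4),
        ByteEnumField("Command", 0x73, {0x73: "SMB_COM_SESSION_SETUP_ANDX"}),
        ByteField("Error_Class", 0),
        ByteField("Reserved", 0),
        LEShortField("Error_Code", 0),
        ByteField("Flags", 0x18),
        LEShortField("Flags2", 0x0001),
        LEShortField("PIDHigh", 0x0000),
        LELongField("Signature", 0x0),
        LEShortField("Unused", 0x0),
        LEShortField("TID", 0),
        LEShortField("PID", 1),
        LEShortField("UID", 0),
        LEShortField("MID", 2),
        ByteField("WordCount", 13),
        ByteEnumField("AndXCommand", 0x75, {0x75: "SMB_COM_TREE_CONNECT_ANDX"}),
        ByteField("Reserved2", 0),
        LEShortField("AndXOffset", 96),
        LEShortField("MaxBufferS", 2920),
        LEShortField("MaxMPXCount", 50),
        LEShortField("VCNumber", 0),
        LEIntField("SessionKey", 0),
        LEFieldLenField("ANSIPasswordLength", None, "ANSIPassword"),
        LEShortField("UnicodePasswordLength", 0),
        LEIntField("Reserved3", 0),
        LEShortField("ServerCapabilities", 0x05),
        BitField("UnixExtensions", 0, 1),
        BitField("Reserved4", 0, 7),
        BitField("ExtendedSecurity", 0, 1),
        BitField("CompBulk", 0, 2),
        BitField("Reserved5", 0, 5),
        LEShortField("ByteCount", 35),
        # Length comes from the wire; StrLenField bounds it by the bytes
        # actually available, so an oversized value cannot over-read.
        StrLenField("ANSIPassword", "Pass",
                    length_from=lambda x: x.ANSIPasswordLength),
        StrNullField("Account", "GUEST"),
        StrNullField("PrimaryDomain", ""),
        StrNullField("NativeOS", "Windows 4.0"),
        StrNullField("NativeLanManager", "Windows 4.0"),
        # --- chained SMB_COM_TREE_CONNECT_ANDX ---
        ByteField("WordCount2", 4),
        ByteEnumField("AndXCommand2", 0xFF, {0xFF: "SMB_COM_NONE"}),
        ByteField("Reserved6", 0),
        LEShortField("AndXOffset2", 0),
        LEShortField("Flags3", 0x2),
        LEShortField("PasswordLength", 0x1),
        LEShortField("ByteCount2", 18),
        ByteField("Password", 0),
        StrNullField("Path", "\\\\WIN2K\\IPC$"),
        StrNullField("Service", "IPC"),
    ]


# Session Setup AndX Response
class SMBSession_Setup_AndX_Response(Packet):
    """SMB_COM_SESSION_SETUP_ANDX response chained with a TREE_CONNECT_ANDX.

    ``Action`` bit 0 set would mean the server logged the user on as guest;
    the default 0 reports a normal logon. All counts/offsets are static
    sample values.
    """
    name = "Session Setup AndX Response"
    fields_desc = [
        StrFixedLenField("Start", b"\xffSMB", 4),
        ByteEnumField("Command", 0x73, {0x73: "SMB_COM_SESSION_SETUP_ANDX"}),
        ByteField("Error_Class", 0),
        ByteField("Reserved", 0),
        LEShortField("Error_Code", 0),
        ByteField("Flags", 0x90),
        LEShortField("Flags2", 0x1001),
        LEShortField("PIDHigh", 0x0000),
        LELongField("Signature", 0x0),
        LEShortField("Unused", 0x0),
        LEShortField("TID", 0),
        LEShortField("PID", 1),
        LEShortField("UID", 0),
        LEShortField("MID", 2),
        ByteField("WordCount", 3),
        ByteEnumField("AndXCommand", 0x75, {0x75: "SMB_COM_TREE_CONNECT_ANDX"}),
        ByteField("Reserved2", 0),
        LEShortField("AndXOffset", 66),
        LEShortField("Action", 0),
        LEShortField("ByteCount", 25),
        StrNullField("NativeOS", "Windows 4.0"),
        StrNullField("NativeLanManager", "Windows 4.0"),
        StrNullField("PrimaryDomain", ""),
        # --- chained SMB_COM_TREE_CONNECT_ANDX ---
        ByteField("WordCount2", 3),
        ByteEnumField("AndXCommand2", 0xFF, {0xFF: "SMB_COM_NONE"}),
        ByteField("Reserved3", 0),
        LEShortField("AndXOffset2", 80),
        LEShortField("OptionalSupport", 0x01),
        LEShortField("ByteCount2", 5),
        StrNullField("Service", "IPC"),
        StrNullField("NativeFileSystem", ""),
    ]


# Layer bindings.
# NOTE(review): the ExtendedSecurity/EncryptionKeyLength conditions name
# fields of the SMB layer, not of NBTSession, so they presumably only
# steer building, not dissection; which SMB class a dissected NBTSession
# payload lands in should be confirmed with a real trace rather than
# assumed from these bindings.
bind_layers(NBTSession, SMBNegociate_Protocol_Request_Header, )
bind_layers(NBTSession, SMBNegociate_Protocol_Response_Advanced_Security,
            ExtendedSecurity=1)
bind_layers(NBTSession, SMBNegociate_Protocol_Response_No_Security,
            ExtendedSecurity=0, EncryptionKeyLength=8)
bind_layers(NBTSession, SMBNegociate_Protocol_Response_No_Security_No_Key,
            ExtendedSecurity=0, EncryptionKeyLength=0)
bind_layers(NBTSession, SMBSession_Setup_AndX_Request, )
bind_layers(NBTSession, SMBSession_Setup_AndX_Response, )
bind_layers(SMBNegociate_Protocol_Request_Header,
            SMBNegociate_Protocol_Request_Tail, )
# A NEGOTIATE request carries one tail per offered dialect, so a tail may
# be followed by another tail.
bind_layers(SMBNegociate_Protocol_Request_Tail,
            SMBNegociate_Protocol_Request_Tail, )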