Smb fingerprinter fix

This commit is contained in:
VakarisZ 2019-10-25 13:18:48 +03:00
parent 5ea4dc3d1b
commit 2a7d196cb7
1 changed files with 53 additions and 52 deletions


@ -12,7 +12,7 @@ SMB_SERVICE = 'tcp-445'
LOG = logging.getLogger(__name__) LOG = logging.getLogger(__name__)
class Packet(object): class Packet:
fields = odict([ fields = odict([
("data", ""), ("data", ""),
]) ])
@ -25,78 +25,79 @@ class Packet(object):
else: else:
self.fields[k] = v self.fields[k] = v
def __str__(self): def to_byte_string(self):
return "".join(map(str, list(self.fields.values()))) content_list = [(x.to_byte_string() if hasattr(x, "to_byte_string") else x) for x in self.fields.values()]
return b"".join(content_list)
##### SMB Packets ##### ##### SMB Packets #####
class SMBHeader(Packet): class SMBHeader(Packet):
fields = odict([ fields = odict([
("proto", "\xff\x53\x4d\x42"), ("proto", b"\xff\x53\x4d\x42"),
("cmd", "\x72"), ("cmd", b"\x72"),
("errorcode", "\x00\x00\x00\x00"), ("errorcode", b"\x00\x00\x00\x00"),
("flag1", "\x00"), ("flag1", b"\x00"),
("flag2", "\x00\x00"), ("flag2", b"\x00\x00"),
("pidhigh", "\x00\x00"), ("pidhigh", b"\x00\x00"),
("signature", "\x00\x00\x00\x00\x00\x00\x00\x00"), ("signature", b"\x00\x00\x00\x00\x00\x00\x00\x00"),
("reserved", "\x00\x00"), ("reserved", b"\x00\x00"),
("tid", "\x00\x00"), ("tid", b"\x00\x00"),
("pid", "\x00\x00"), ("pid", b"\x00\x00"),
("uid", "\x00\x00"), ("uid", b"\x00\x00"),
("mid", "\x00\x00"), ("mid", b"\x00\x00"),
]) ])
class SMBNego(Packet): class SMBNego(Packet):
fields = odict([ fields = odict([
("wordcount", "\x00"), ("wordcount", b"\x00"),
("bcc", "\x62\x00"), ("bcc", b"\x62\x00"),
("data", "") ("data", "")
]) ])
def calculate(self): def calculate(self):
self.fields["bcc"] = struct.pack("<h", len(str(self.fields["data"]))) self.fields["bcc"] = struct.pack("<h", len(self.fields["data"].to_byte_string()))
class SMBNegoFingerData(Packet): class SMBNegoFingerData(Packet):
fields = odict([ fields = odict([
("separator1", "\x02"), ("separator1", b"\x02"),
("dialect1", "\x50\x43\x20\x4e\x45\x54\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31\x2e\x30\x00"), ("dialect1", b"\x50\x43\x20\x4e\x45\x54\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31\x2e\x30\x00"),
("separator2", "\x02"), ("separator2", b"\x02"),
("dialect2", "\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"), ("dialect2", b"\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"),
("separator3", "\x02"), ("separator3", b"\x02"),
("dialect3", ("dialect3",
"\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61\x00"), b"\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61\x00"),
("separator4", "\x02"), ("separator4", b"\x02"),
("dialect4", "\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00"), ("dialect4", b"\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00"),
("separator5", "\x02"), ("separator5", b"\x02"),
("dialect5", "\x4c\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00"), ("dialect5", b"\x4c\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00"),
("separator6", "\x02"), ("separator6", b"\x02"),
("dialect6", "\x4e\x54\x20\x4c\x4d\x20\x30\x2e\x31\x32\x00"), ("dialect6", b"\x4e\x54\x20\x4c\x4d\x20\x30\x2e\x31\x32\x00"),
]) ])
class SMBSessionFingerData(Packet): class SMBSessionFingerData(Packet):
fields = odict([ fields = odict([
("wordcount", "\x0c"), ("wordcount", b"\x0c"),
("AndXCommand", "\xff"), ("AndXCommand", b"\xff"),
("reserved", "\x00"), ("reserved", b"\x00"),
("andxoffset", "\x00\x00"), ("andxoffset", b"\x00\x00"),
("maxbuff", "\x04\x11"), ("maxbuff", b"\x04\x11"),
("maxmpx", "\x32\x00"), ("maxmpx", b"\x32\x00"),
("vcnum", "\x00\x00"), ("vcnum", b"\x00\x00"),
("sessionkey", "\x00\x00\x00\x00"), ("sessionkey", b"\x00\x00\x00\x00"),
("securitybloblength", "\x4a\x00"), ("securitybloblength", b"\x4a\x00"),
("reserved2", "\x00\x00\x00\x00"), ("reserved2", b"\x00\x00\x00\x00"),
("capabilities", "\xd4\x00\x00\xa0"), ("capabilities", b"\xd4\x00\x00\xa0"),
("bcc1", ""), ("bcc1", ""),
("Data", ("Data",
"\x60\x48\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x3e\x30\x3c\xa0\x0e\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a\xa2\x2a\x04\x28\x4e\x54\x4c\x4d\x53\x53\x50\x00\x01\x00\x00\x00\x07\x82\x08\xa2\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x01\x28\x0a\x00\x00\x00\x0f\x00\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x32\x00\x20\x00\x53\x00\x65\x00\x72\x00\x76\x00\x69\x00\x63\x00\x65\x00\x20\x00\x50\x00\x61\x00\x63\x00\x6b\x00\x20\x00\x33\x00\x20\x00\x32\x00\x36\x00\x30\x00\x30\x00\x00\x00\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x32\x00\x20\x00\x35\x00\x2e\x00\x31\x00\x00\x00\x00\x00"), b"\x60\x48\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x3e\x30\x3c\xa0\x0e\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a\xa2\x2a\x04\x28\x4e\x54\x4c\x4d\x53\x53\x50\x00\x01\x00\x00\x00\x07\x82\x08\xa2\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x01\x28\x0a\x00\x00\x00\x0f\x00\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x32\x00\x20\x00\x53\x00\x65\x00\x72\x00\x76\x00\x69\x00\x63\x00\x65\x00\x20\x00\x50\x00\x61\x00\x63\x00\x6b\x00\x20\x00\x33\x00\x20\x00\x32\x00\x36\x00\x30\x00\x30\x00\x00\x00\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x32\x00\x20\x00\x35\x00\x2e\x00\x31\x00\x00\x00\x00\x00"),
]) ])
def calculate(self): def calculate(self):
self.fields["bcc1"] = struct.pack("<i", len(str(self.fields["Data"])))[:2] self.fields["bcc1"] = struct.pack("<i", len(self.fields["Data"]))[:2]
class SMBFinger(HostFinger): class SMBFinger(HostFinger):
@ -116,30 +117,30 @@ class SMBFinger(HostFinger):
self.init_service(host.services, SMB_SERVICE, SMB_PORT) self.init_service(host.services, SMB_SERVICE, SMB_PORT)
h = SMBHeader(cmd="\x72", flag1="\x18", flag2="\x53\xc8") h = SMBHeader(cmd=b"\x72", flag1=b"\x18", flag2=b"\x53\xc8")
n = SMBNego(data=SMBNegoFingerData()) n = SMBNego(data=SMBNegoFingerData())
n.calculate() n.calculate()
packet_ = str(h) + str(n) packet_ = h.to_byte_string() + n.to_byte_string()
buffer = struct.pack(">i", len(packet_)) + packet_.encode() buffer = struct.pack(">i", len(packet_)) + packet_
s.send(buffer) s.send(buffer)
data = s.recv(2048) data = s.recv(2048)
if data[8:10] == "\x72\x00": if data[8:10] == b"\x72\x00":
header = SMBHeader(cmd="\x73", flag1="\x18", flag2="\x17\xc8", uid="\x00\x00") header = SMBHeader(cmd=b"\x73", flag1=b"\x18", flag2=b"\x17\xc8", uid=b"\x00\x00")
body = SMBSessionFingerData() body = SMBSessionFingerData()
body.calculate() body.calculate()
packet_ = str(header) + str(body) packet_ = header.to_byte_string() + body.to_byte_string()
buffer = struct.pack(">i", len(packet_)) + packet_.encode() buffer = struct.pack(">i", len(packet_)) + packet_
s.send(buffer) s.send(buffer)
data = s.recv(2048) data = s.recv(2048)
if data[8:10] == "\x73\x16": if data[8:10] == b"\x73\x16":
length = struct.unpack('<H', data[43:45])[0] length = struct.unpack('<H', data[43:45])[0]
os_version, service_client = tuple( os_version, service_client = tuple(
[e.replace(b'\x00', b'') for e in data[47 + length:].split(b'\x00\x00\x00')[:2]]) [e.replace(b'\x00', b'').decode() for e in data[47 + length:].split(b'\x00\x00\x00')[:2]])
if os_version.lower() != 'unix': if os_version.lower() != 'unix':
host.os['type'] = 'windows' host.os['type'] = 'windows'
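Review bot: The `.decode()` added in the third hunk on the `os_version, service_client = tuple(...)` line decodes bytes taken straight from the peer's reply with the strict default, so a non-UTF-8 or truncated response raises UnicodeDecodeError (and `struct.unpack('<H', data[43:45])` two lines above raises struct.error on a reply shorter than 45 bytes) instead of simply yielding no fingerprint; `e.replace(b'\x00', b'').decode(errors='replace')` keeps the later `os_version.lower() != 'unix'` comparison working while tolerating arbitrary server data. The enclosing method starts outside the hunk, so whether a surrounding `try` already catches these cannot be seen here. Separately, in the second hunk the `data` default of SMBNego and the `bcc1` default of SMBSessionFingerData are left as `""` while `Packet.to_byte_string` now does `b"".join(...)`, so serializing a packet with either default untouched raises TypeError; `b""` would match the rest of the bytes conversion.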