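#********************************************************************************
#*                               Dionaea
#*                           - catches bugs -
#*
#*
#*
#* Copyright (C) 2009  Paul Baecher & Markus Koetter & Mark Schloesser & Tan Kean Siong
#*
#* This program is free software; you can redistribute it and/or
#* modify it under the terms of the GNU General Public License
#* as published by the Free Software Foundation; either version 2
#* of the License, or (at your option) any later version.
#*
#* This program is distributed in the hope that it will be useful,
#* but WITHOUT ANY WARRANTY; without even the implied warranty of
#* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#* GNU General Public License for more details.
#*
#* You should have received a copy of the GNU General Public License
#* along with this program; if not, write to the Free Software
#* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
#*
#*
#*             contact nepenthesdev@gmail.com
#*
#*******************************************************************************/

"""SMB/CIFS (NT LM 0.12 dialect) constants and packet layouts.

Wire values and their descriptions are taken from the SNIA CIFS Technical
Reference, http://www.snia.org/tech_activities/CIFS/CIFS-TR-1p00_FINAL.pdf.
The ``SMB_*`` dictionaries map a wire value to the symbolic name that the
enum/flags fields show when a packet is displayed.  None of these tables
validates anything: every value they decode arrives from the peer and is
only interpreted for dissection (for example ``SMB_FLAGS2_UNICODE`` selects
the string decoder used by ``SMBNullField``).
"""

import datetime
from uuid import UUID

from .packet import *
from .fieldtypes import *


# ---------------------------------------------------------------------------
# SMB_COM_NEGOTIATE response: Capabilities
# ---------------------------------------------------------------------------
CAP_RAW_MODE          = 0x0001      # The server supports SMB_COM_READ_ANDX_RAW and SMB_COM_WRITE_RAW (obsolescent)
CAP_MPX_MODE          = 0x0002      # The server supports SMB_COM_READ_MPX and SMB_COM_WRITE_MPX (obsolescent)
CAP_UNICODE           = 0x0004      # The server supports UNICODE strings
CAP_LARGE_FILES       = 0x0008      # The server supports large files with 64 bit offsets
CAP_NT_SMBS           = 0x0010      # The server supports the SMBs particular to the NT LM 0.12 dialect. Implies CAP_NT_FIND.
CAP_RPC_REMOTE_APIS   = 0x0020      # The server supports remote admin API requests via DCE RPC
CAP_STATUS32          = 0x0040      # The server can respond with 32 bit status codes in Status.Status
CAP_LEVEL_II_OPLOCKS  = 0x0080      # The server supports level 2 oplocks
CAP_LOCK_AND_READ     = 0x0100      # The server supports the SMB,SMB_COM_LOCK_AND_READ
CAP_NT_FIND           = 0x0200      # Reserved
CAP_DFS               = 0x1000      # The server is DFS aware
CAP_INFOLEVEL_PASSTHRU = 0x2000     # The server supports NT information level requests passing through
CAP_LARGE_READX       = 0x4000      # The server supports large SMB_COM_READ_ANDX (up to 64k)
CAP_LARGE_WRITEX      = 0x8000      # The server supports large SMB_COM_WRITE_ANDX (up to 64k)
CAP_UNIX              = 0x00800000  # The server supports CIFS Extensions for UNIX. (See Appendix D for more detail)
CAP_RESERVED          = 0x02000000  # Reserved for future use
CAP_BULK_TRANSFER     = 0x20000000  # The server supports SMB_BULK_READ, SMB_BULK_WRITE (should be 0, no known implementations)
CAP_COMPRESSED_DATA   = 0x40000000  # The server supports compressed data transfer (BULK_TRANSFER capability is required to support compressed data transfer).
CAP_EXTENDED_SECURITY = 0x80000000  # The server supports extended security exchanges

# Capability bit -> display name.
SMB_Negotiate_Capabilities = {
    CAP_RAW_MODE:           'RAW_MODE',
    CAP_MPX_MODE:           'MPX_MODE',
    CAP_UNICODE:            'UNICODE',
    CAP_LARGE_FILES:        'LARGE_FILES',
    CAP_NT_SMBS:            'NT_SMBS',
    CAP_RPC_REMOTE_APIS:    'RPC_REMOTE_APIS',
    CAP_STATUS32:           'STATUS32',
    CAP_LEVEL_II_OPLOCKS:   'LEVEL_II_OPLOCKS',
    CAP_LOCK_AND_READ:      'LOCK_AND_READ',
    CAP_NT_FIND:            'NT_FIND',
    CAP_DFS:                'DFS',
    CAP_INFOLEVEL_PASSTHRU: 'INFOLEVEL_PASSTHRU',
    CAP_LARGE_READX:        'LARGE_READX',
    CAP_LARGE_WRITEX:       'LARGE_WRITEX',
    CAP_UNIX:               'UNIX',
    CAP_RESERVED:           'RESERVED',
    CAP_BULK_TRANSFER:      'BULK_TRANSFER',
    CAP_COMPRESSED_DATA:    'COMPRESSED_DATA',
    CAP_EXTENDED_SECURITY:  'EXTENDED_SECURITY',
}


# ---------------------------------------------------------------------------
# SMB_Header.Flags (8 bits)
# ---------------------------------------------------------------------------
SMB_FLAGS_LOCK_AND_READ         = (1 << 0)  # Reserved for obsolescent requests LOCK_AND_READ, WRITE_AND_CLOSE. LANMAN1.0
SMB_FLAGS_RECEIVE_BUFFER_POSTED = (1 << 1)  # (no description in the reference)
# Bit 2 is not assigned in the reference.
SMB_FLAGS_CASES_ENSITIVITY      = (1 << 3)  # When on, all pathnames in this SMB must be treated as case-less.
                                            # When off, the pathnames are case sensitive. LANMAN1.0
SMB_FLAGS_CANONICAL_PATHNAMES   = (1 << 4)  # Obsolescent - client case maps (canonicalizes) file and directory
                                            # names; servers must ignore this flag.
SMB_FLAGS_OPLOCKS               = (1 << 5)  # Reserved for obsolescent requests - oplocks supported for SMB_COM_OPEN,
                                            # SMB_COM_CREATE and SMB_COM_CREATE_NEW. Servers must ignore when
                                            # processing all other SMB commands. LANMAN1.0
SMB_FLAGS_NOTIFY                = (1 << 6)  # (no description in the reference)
SMB_FLAGS_REQUEST_RESPONSE      = (1 << 7)  # When on, this SMB is being sent from the server in response to a
                                            # client request. The Command field usually contains the same value in
                                            # a protocol request from the client to the server as in the matching
                                            # response from the server to the client. This bit unambiguously
                                            # distinguishes the command request from the command response.

# Correctly spelled alias for the bit-3 flag; the historical misspelled name
# above is kept because existing callers may reference it.
SMB_FLAGS_CASE_INSENSITIVE = SMB_FLAGS_CASES_ENSITIVITY

# Flags bit -> display name.
SMB_Header_Flags = {
    SMB_FLAGS_LOCK_AND_READ:         "LOCK_AND_READ",
    SMB_FLAGS_RECEIVE_BUFFER_POSTED: "RECEIVE_BUFFER_POSTED",
    SMB_FLAGS_CASES_ENSITIVITY:      "CASES_ENSITIVITY",
    SMB_FLAGS_CANONICAL_PATHNAMES:   "CANONICAL_PATHNAMES",
    SMB_FLAGS_OPLOCKS:               "OPLOCKS",
    SMB_FLAGS_NOTIFY:                "NOTIFY",
    SMB_FLAGS_REQUEST_RESPONSE:      "REQUEST_RESPONSE",
}


# ---------------------------------------------------------------------------
# SMB_Header.Flags2 (16 bits, little endian on the wire)
# ---------------------------------------------------------------------------
SMB_FLAGS2_KNOWS_LONG_NAMES   = (1 << 0)   # If set in a request, the server may return long components in path
                                           # names in the response. LM1.2X002
SMB_FLAGS2_KNOWS_EAS          = (1 << 1)   # If set, the client is aware of extended attributes (EAs).
SMB_FLAGS2_SECURITY_SIGNATURE = (1 << 2)   # If set, the SMB is integrity checked (the header Signature field is
                                           # meaningful). Nothing in this module verifies that signature.
SMB_FLAGS2_RESERVED1          = (1 << 3)   # Reserved for future use
SMB_FLAGS2_IS_LONG_NAME       = (1 << 6)   # If set, any path name in the request is a long name.
SMB_FLAGS2_EXT_SEC            = (1 << 11)  # If set, the client is aware of Extended Security negotiation. NT LM 0.12
SMB_FLAGS2_DFS                = (1 << 12)  # If set, any request pathnames in this SMB should be resolved in the
                                           # Distributed File System. NT LM 0.12
SMB_FLAGS2_PAGING_IO          = (1 << 13)  # If set, indicates that a read will be permitted if the client does not
                                           # have read permission but does have execute permission. This flag is
                                           # only useful on a read request.
SMB_FLAGS2_ERR_STATUS         = (1 << 14)  # If set, specifies that the returned error code is a 32 bit error code
                                           # in Status.Status. Otherwise the Status.DosError.ErrorClass and
                                           # Status.DosError.Error fields contain the DOS-style error information.
                                           # When passing NT status codes is negotiated, this flag should be set
                                           # for every SMB. NT LM 0.12
SMB_FLAGS2_UNICODE            = (1 << 15)  # If set, any fields of datatype STRING in this SMB message are encoded
                                           # as UNICODE. Otherwise, they are in ASCII. The character encoding for
                                           # Unicode fields SHOULD be UTF-16 (little endian). NT LM 0.12
                                           # SMBNullField reads this bit to pick its string decoder, so a peer
                                           # chooses which decoder runs on its own bytes.

# Flags2 bit -> display name.
SMB_Header_Flags2 = {
    SMB_FLAGS2_KNOWS_LONG_NAMES:   'KNOWS_LONG_NAMES',
    SMB_FLAGS2_KNOWS_EAS:          'KNOWS_EAS',
    SMB_FLAGS2_SECURITY_SIGNATURE: 'SECURITY_SIGNATURE',
    SMB_FLAGS2_RESERVED1:          'RESERVED1',
    SMB_FLAGS2_IS_LONG_NAME:       'IS_LONG_NAME',
    SMB_FLAGS2_EXT_SEC:            'EXT_SEC',
    SMB_FLAGS2_DFS:                'DFS',
    SMB_FLAGS2_PAGING_IO:          'PAGING_IO',
    SMB_FLAGS2_ERR_STATUS:         'ERR_STATUS',
    SMB_FLAGS2_UNICODE:            'UNICODE',
}


# ---------------------------------------------------------------------------
# SMB_Header.Command (first part; the list continues below and is collected
# into SMB_Commands)
# ---------------------------------------------------------------------------
SMB_COM_CREATE_DIRECTORY       = 0x00
SMB_COM_DELETE_DIRECTORY       = 0x01
SMB_COM_OPEN                   = 0x02
SMB_COM_CREATE                 = 0x03
SMB_COM_CLOSE                  = 0x04
SMB_COM_FLUSH                  = 0x05
SMB_COM_DELETE                 = 0x06
SMB_COM_RENAME                 = 0x07
SMB_COM_QUERY_INFORMATION      = 0x08
SMB_COM_SET_INFORMATION        = 0x09
SMB_COM_READ                   = 0x0A
SMB_COM_WRITE                  = 0x0B
SMB_COM_LOCK_BYTE_RANGE        = 0x0C
SMB_COM_UNLOCK_BYTE_RANGE      = 0x0D
SMB_COM_CREATE_TEMPORARY       = 0x0E
SMB_COM_CREATE_NEW             = 0x0F
SMB_COM_CHECK_DIRECTORY        = 0x10
SMB_COM_PROCESS_EXIT           = 0x11
SMB_COM_SEEK                   = 0x12
SMB_COM_LOCK_AND_READ          = 0x13
SMB_COM_WRITE_AND_UNLOCK       = 0x14
SMB_COM_READ_RAW               = 0x1A
SMB_COM_READ_MPX               = 0x1B
SMB_COM_READ_MPX_SECONDARY     = 0x1C
SMB_COM_WRITE_RAW              = 0x1D
SMB_COM_WRITE_MPX              = 0x1E
SMB_COM_WRITE_MPX_SECONDARY    = 0x1F
SMB_COM_WRITE_COMPLETE         = 0x20
SMB_COM_QUERY_SERVER           = 0x21
SMB_COM_SET_INFORMATION2       = 0x22
SMB_COM_QUERY_INFORMATION2     = 0x23
SMB_COM_LOCKING_ANDX           = 0x24
SMB_COM_TRANSACTION            = 0x25
SMB_COM_TRANSACTION_SECONDARY  = 0x26
SMB_COM_IOCTL                  = 0x27
SMB_COM_IOCTL_SECONDARY        = 0x28
SMB_COM_COPY                   = 0x29
SMB_COM_MOVE                   = 0x2A
SMB_COM_ECHO                   = 0x2B
SMB_COM_WRITE_AND_CLOSE        = 0x2C
SMB_COM_OPEN_ANDX              = 0x2D
SMB_COM_READ_ANDX              = 0x2E
SMB_COM_WRITE_ANDX             = 0x2F
SMB_COM_NEW_FILE_SIZE          = 0x30
SMB_COM_CLOSE_AND_TREE_DISC    = 0x31
SMB_COM_TRANSACTION2           = 0x32
SMB_COM_TRANSACTION2_SECONDARY = 0x33
SMB_COM_FIND_CLOSE2            = 0x34
SMB_COM_FIND_NOTIFY_CLOSE      = 0x35
SMB_COM_TREE_CONNECT           = 0x70
SMB_COM_TREE_DISCONNECT        = 0x71
SMB_COM_NEGOTIATE              = 0x72
SMB_COM_SESSION_SETUP_ANDX     = 0x73
SMB_COM_LOGOFF_ANDX            = 0x74
SMB_COM_TREE_CONNECT_ANDX      = 0x75
SMB_COM_QUERY_INFORMATION_DISK = 0x80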
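SMB_COM_SEARCH                 = 0x81
SMB_COM_FIND                   = 0x82
SMB_COM_FIND_UNIQUE            = 0x83
SMB_COM_FIND_CLOSE             = 0x84
SMB_COM_NT_TRANSACT            = 0xA0
SMB_COM_NT_TRANSACT_SECONDARY  = 0xA1
SMB_COM_NT_CREATE_ANDX         = 0xA2
SMB_COM_NT_CANCEL              = 0xA4
SMB_COM_NT_RENAME              = 0xA5
SMB_COM_OPEN_PRINT_FILE        = 0xC0
SMB_COM_WRITE_PRINT_FILE       = 0xC1
SMB_COM_CLOSE_PRINT_FILE       = 0xC2
SMB_COM_GET_PRINT_QUEUE        = 0xC3
SMB_COM_READ_BULK              = 0xD8
SMB_COM_WRITE_BULK             = 0xD9
SMB_COM_WRITE_BULK_DATA        = 0xDA
SMB_COM_NONE                   = 0xFF   # "no further command" marker in AndX chains

# Command byte -> display name (SMB_Header.Command).  Values absent from this
# table are shown numerically by the enum field; they are not rejected.
SMB_Commands = {
    SMB_COM_CREATE_DIRECTORY:       "SMB_COM_CREATE_DIRECTORY",
    SMB_COM_DELETE_DIRECTORY:       "SMB_COM_DELETE_DIRECTORY",
    SMB_COM_OPEN:                   "SMB_COM_OPEN",
    SMB_COM_CREATE:                 "SMB_COM_CREATE",
    SMB_COM_CLOSE:                  "SMB_COM_CLOSE",
    SMB_COM_FLUSH:                  "SMB_COM_FLUSH",
    SMB_COM_DELETE:                 "SMB_COM_DELETE",
    SMB_COM_RENAME:                 "SMB_COM_RENAME",
    SMB_COM_QUERY_INFORMATION:      "SMB_COM_QUERY_INFORMATION",
    SMB_COM_SET_INFORMATION:        "SMB_COM_SET_INFORMATION",
    SMB_COM_READ:                   "SMB_COM_READ",
    SMB_COM_WRITE:                  "SMB_COM_WRITE",
    SMB_COM_LOCK_BYTE_RANGE:        "SMB_COM_LOCK_BYTE_RANGE",
    SMB_COM_UNLOCK_BYTE_RANGE:      "SMB_COM_UNLOCK_BYTE_RANGE",
    SMB_COM_CREATE_TEMPORARY:       "SMB_COM_CREATE_TEMPORARY",
    SMB_COM_CREATE_NEW:             "SMB_COM_CREATE_NEW",
    SMB_COM_CHECK_DIRECTORY:        "SMB_COM_CHECK_DIRECTORY",
    SMB_COM_PROCESS_EXIT:           "SMB_COM_PROCESS_EXIT",
    SMB_COM_SEEK:                   "SMB_COM_SEEK",
    SMB_COM_LOCK_AND_READ:          "SMB_COM_LOCK_AND_READ",
    SMB_COM_WRITE_AND_UNLOCK:       "SMB_COM_WRITE_AND_UNLOCK",
    SMB_COM_READ_RAW:               "SMB_COM_READ_RAW",
    SMB_COM_READ_MPX:               "SMB_COM_READ_MPX",
    SMB_COM_READ_MPX_SECONDARY:     "SMB_COM_READ_MPX_SECONDARY",
    SMB_COM_WRITE_RAW:              "SMB_COM_WRITE_RAW",
    SMB_COM_WRITE_MPX:              "SMB_COM_WRITE_MPX",
    SMB_COM_WRITE_MPX_SECONDARY:    "SMB_COM_WRITE_MPX_SECONDARY",
    SMB_COM_WRITE_COMPLETE:         "SMB_COM_WRITE_COMPLETE",
    SMB_COM_QUERY_SERVER:           "SMB_COM_QUERY_SERVER",
    SMB_COM_SET_INFORMATION2:       "SMB_COM_SET_INFORMATION2",
    SMB_COM_QUERY_INFORMATION2:     "SMB_COM_QUERY_INFORMATION2",
    SMB_COM_LOCKING_ANDX:           "SMB_COM_LOCKING_ANDX",
    SMB_COM_TRANSACTION:            "SMB_COM_TRANSACTION",
    SMB_COM_TRANSACTION_SECONDARY:  "SMB_COM_TRANSACTION_SECONDARY",
    SMB_COM_IOCTL:                  "SMB_COM_IOCTL",
    SMB_COM_IOCTL_SECONDARY:        "SMB_COM_IOCTL_SECONDARY",
    SMB_COM_COPY:                   "SMB_COM_COPY",
    SMB_COM_MOVE:                   "SMB_COM_MOVE",
    SMB_COM_ECHO:                   "SMB_COM_ECHO",
    SMB_COM_WRITE_AND_CLOSE:        "SMB_COM_WRITE_AND_CLOSE",
    SMB_COM_OPEN_ANDX:              "SMB_COM_OPEN_ANDX",
    SMB_COM_READ_ANDX:              "SMB_COM_READ_ANDX",
    SMB_COM_WRITE_ANDX:             "SMB_COM_WRITE_ANDX",
    SMB_COM_NEW_FILE_SIZE:          "SMB_COM_NEW_FILE_SIZE",
    SMB_COM_CLOSE_AND_TREE_DISC:    "SMB_COM_CLOSE_AND_TREE_DISC",
    SMB_COM_TRANSACTION2:           "SMB_COM_TRANSACTION2",
    SMB_COM_TRANSACTION2_SECONDARY: "SMB_COM_TRANSACTION2_SECONDARY",
    SMB_COM_FIND_CLOSE2:            "SMB_COM_FIND_CLOSE2",
    SMB_COM_FIND_NOTIFY_CLOSE:      "SMB_COM_FIND_NOTIFY_CLOSE",
    SMB_COM_TREE_CONNECT:           "SMB_COM_TREE_CONNECT",
    SMB_COM_TREE_DISCONNECT:        "SMB_COM_TREE_DISCONNECT",
    SMB_COM_NEGOTIATE:              "SMB_COM_NEGOTIATE",
    SMB_COM_SESSION_SETUP_ANDX:     "SMB_COM_SESSION_SETUP_ANDX",
    SMB_COM_LOGOFF_ANDX:            "SMB_COM_LOGOFF_ANDX",
    SMB_COM_TREE_CONNECT_ANDX:      "SMB_COM_TREE_CONNECT_ANDX",
    SMB_COM_QUERY_INFORMATION_DISK: "SMB_COM_QUERY_INFORMATION_DISK",
    SMB_COM_SEARCH:                 "SMB_COM_SEARCH",
    SMB_COM_FIND:                   "SMB_COM_FIND",
    SMB_COM_FIND_UNIQUE:            "SMB_COM_FIND_UNIQUE",
    SMB_COM_FIND_CLOSE:             "SMB_COM_FIND_CLOSE",
    SMB_COM_NT_TRANSACT:            "SMB_COM_NT_TRANSACT",
    SMB_COM_NT_TRANSACT_SECONDARY:  "SMB_COM_NT_TRANSACT_SECONDARY",
    SMB_COM_NT_CREATE_ANDX:         "SMB_COM_NT_CREATE_ANDX",
    SMB_COM_NT_CANCEL:              "SMB_COM_NT_CANCEL",
    SMB_COM_NT_RENAME:              "SMB_COM_NT_RENAME",
    SMB_COM_OPEN_PRINT_FILE:        "SMB_COM_OPEN_PRINT_FILE",
    SMB_COM_WRITE_PRINT_FILE:       "SMB_COM_WRITE_PRINT_FILE",
    SMB_COM_CLOSE_PRINT_FILE:       "SMB_COM_CLOSE_PRINT_FILE",
    SMB_COM_GET_PRINT_QUEUE:        "SMB_COM_GET_PRINT_QUEUE",
    SMB_COM_READ_BULK:              "SMB_COM_READ_BULK",
    SMB_COM_WRITE_BULK:             "SMB_COM_WRITE_BULK",
    SMB_COM_WRITE_BULK_DATA:        "SMB_COM_WRITE_BULK_DATA",
    SMB_COM_NONE:                   "SMB_COM_NONE",
}


# ---------------------------------------------------------------------------
# SMB_COM_TRANSACTION2 sub-commands (Setup[0])
# ---------------------------------------------------------------------------
SMB_TRANS2_OPEN2                  = 0x00  # Create file with extended attributes
SMB_TRANS2_FIND_FIRST2            = 0x01  # Begin search for files
SMB_TRANS2_FIND_NEXT2             = 0x02  # Resume search for files
SMB_TRANS2_QUERY_FS_INFORMATION   = 0x03  # Get file system information
SMB_TRANS_SET_FS_INFORMATION      = 0x04  # Reserved (?)
SMB_TRANS2_QUERY_PATH_INFORMATION = 0x05  # Get information about a named file or directory
SMB_TRANS2_SET_PATH_INFORMATION   = 0x06  # Set information about a named file or directory
SMB_TRANS2_QUERY_FILE_INFORMATION = 0x07  # Get information about a handle
SMB_TRANS2_SET_FILE_INFORMATION   = 0x08  # Set information by handle
SMB_TRANS2_FSCTL                  = 0x09  # Not implemented by NT server
SMB_TRANS2_IOCTL2                 = 0x0A  # Not implemented by NT server
SMB_TRANS2_FIND_NOTIFY_FIRST      = 0x0B  # Not implemented by NT server
SMB_TRANS2_FIND_NOTIFY_NEXT       = 0x0C  # Not implemented by NT server
SMB_TRANS2_CREATE_DIRECTORY       = 0x0D  # Create directory with extended attributes
SMB_TRANS2_SESSION_SETUP          = 0x0E  # Session setup with extended security information

# Consistently named alias for the 0x04 sub-command; the original name lacks
# the "2" and is kept for existing callers.
SMB_TRANS2_SET_FS_INFORMATION = SMB_TRANS_SET_FS_INFORMATION

# TRANS2 sub-command -> display name.
SMB_Trans2_Commands = {
    SMB_TRANS2_OPEN2:                  "TRANS2_OPEN2",
    SMB_TRANS2_FIND_FIRST2:            "TRANS2_FIND_FIRST2",
    SMB_TRANS2_FIND_NEXT2:             "TRANS2_FIND_NEXT2",
    SMB_TRANS2_QUERY_FS_INFORMATION:   "TRANS2_QUERY_FS_INFORMATION",
    SMB_TRANS_SET_FS_INFORMATION:      "TRANS2_SET_FS_INFORMATION",
    SMB_TRANS2_QUERY_PATH_INFORMATION: "TRANS2_QUERY_PATH_INFORMATION",
    SMB_TRANS2_SET_PATH_INFORMATION:   "TRANS2_SET_PATH_INFORMATION",
    SMB_TRANS2_QUERY_FILE_INFORMATION: "TRANS2_QUERY_FILE_INFORMATION",
    SMB_TRANS2_SET_FILE_INFORMATION:   "TRANS2_SET_FILE_INFORMATION",
    SMB_TRANS2_FSCTL:                  "TRANS2_FSCTL",
    SMB_TRANS2_IOCTL2:                 "TRANS2_IOCTL2",
    SMB_TRANS2_FIND_NOTIFY_FIRST:      "TRANS2_FIND_NOTIFY_FIRST",
    SMB_TRANS2_FIND_NOTIFY_NEXT:       "TRANS2_FIND_NOTIFY_NEXT",
    SMB_TRANS2_CREATE_DIRECTORY:       "TRANS2_CREATE_DIRECTORY",
    SMB_TRANS2_SESSION_SETUP:          "TRANS2_SESSION_SETUP",
}

# DCE/RPC PDU type -> display name.  Only the three PDU types this module
# cares about are listed; any other type is displayed as a number.
DCERPC_PacketTypes = {
    11: "Bind",
    12: "Bind Ack",
    0:  "Request",
}


# ---------------------------------------------------------------------------
# NT Create AndX Flags (reference page 76)
# ---------------------------------------------------------------------------
SMB_CF_NONE             = 0x00
SMB_CF_REQ_OPLOCK       = 0x02  # Request an oplock
SMB_CF_REQ_BATCH_OPLOCK = 0x04  # Request a batch oplock
SMB_CF_TARGET_DIRECTORY = 0x08  # Target of open must be directory

# NOTE(review): this table is rebound further down in the module under the
# same name with the SMB_CREATEFL_* values, which place the oplock/directory
# bits one position higher than the SMB_CF_* values here.  Only the later
# binding is in effect at import time; verify which set matches the
# NT_CREATE_ANDX request layout before relying on either for logging.
SMB_CreateFlags = {
    SMB_CF_NONE:             'NONE',
    SMB_CF_REQ_OPLOCK:       'REQ_OPLOCK',
    SMB_CF_REQ_BATCH_OPLOCK: 'REQ_BATCH_OPLOCK',
    SMB_CF_TARGET_DIRECTORY: 'TARGET_DIRECTORY',
}


# ---------------------------------------------------------------------------
# File Attribute Encoding
# ---------------------------------------------------------------------------
SMB_FA_READONLY  = 0x0001  # Read only file
SMB_FA_HIDDEN    = 0x0002  # Hidden file
SMB_FA_SYSTEM    = 0x0004  # System file
SMB_FA_VOLUME    = 0x0008  # Volume
SMB_FA_DIRECTORY = 0x0010  # Directory
SMB_FA_ARCHIVE   = 0x0020  # Archive file
SMB_FA_DEVICE    = 0x0040  # Device
SMB_FA_NORMAL    = 0x0080  # Normal
SMB_FA_TEMP      = 0x0100  # Temporary
SMB_FA_SPARSE    = 0x0200  # Sparse
SMB_FA_REPARSE   = 0x0400  # Reparse
SMB_FA_COMPRESS  = 0x0800  # Compressed
SMB_FA_OFFLINE   = 0x1000  # Offline
SMB_FA_INDEX     = 0x2000  # Indexed
SMB_FA_ENCRYPTED = 0x4000  # Encrypted

# Attribute bit -> display name.
SMB_FileAttributes = {
    SMB_FA_READONLY:  "READONLY",
    SMB_FA_HIDDEN:    "HIDDEN",
    SMB_FA_SYSTEM:    "SYSTEM",
    SMB_FA_VOLUME:    "VOLUME",
    SMB_FA_DIRECTORY: "DIRECTORY",
    SMB_FA_ARCHIVE:   "ARCHIVE",
    SMB_FA_DEVICE:    "DEVICE",
    SMB_FA_NORMAL:    "NORMAL",
    SMB_FA_TEMP:      "TEMP",
    SMB_FA_SPARSE:    "SPARSE",
    SMB_FA_REPARSE:   "REPARSE",
    SMB_FA_COMPRESS:  "COMPRESS",
    SMB_FA_OFFLINE:   "OFFLINE",
    SMB_FA_INDEX:     "INDEX",
    SMB_FA_ENCRYPTED: "ENCRYPTED",
}


# ---------------------------------------------------------------------------
# Share Access
# ---------------------------------------------------------------------------
SMB_FILE_NO_SHARE    = 0x00000000  # Prevents the file from being shared.
SMB_FILE_SHARE_READ  = 0x00000001  # Other open operations can be performed on the file for read access.
SMB_FILE_SHARE_WRITE = 0x00000002  # Other open operations can be performed on the file for write access.
SMB_FILE_SHARE_DELET = 0x00000004  # Other open operations can be performed on the file for delete access.

# Correctly spelled alias; the truncated name is kept for existing callers.
SMB_FILE_SHARE_DELETE = SMB_FILE_SHARE_DELET

# Share-access value -> display name.
SMB_ShareAccess = {
    SMB_FILE_NO_SHARE:    "NO_SHARE",
    SMB_FILE_SHARE_READ:  "READ",
    SMB_FILE_SHARE_WRITE: "WRITE",
    SMB_FILE_SHARE_DELET: "DELETE",
}


# ---------------------------------------------------------------------------
# CreateOptions (NT_CREATE_ANDX)
# ---------------------------------------------------------------------------
SMB_CREATOPT_NONE                 = (0)
SMB_CREATOPT_DIRECTORY            = (1 << 0)
SMB_CREATOPT_WRITETHROUGH         = (1 << 1)
SMB_CREATOPT_SEQONLY              = (1 << 2)
SMB_CREATOPT_INTERMBUF            = (1 << 3)
SMB_CREATOPT_SYNCIOALERT          = (1 << 4)
SMB_CREATOPT_SYNCIONOALERT        = (1 << 5)
SMB_CREATOPT_NONDIRECTORY         = (1 << 6)
SMB_CREATOPT_CREATETREECONN       = (1 << 7)
SMB_CREATOPT_COMPLETEIFOPLOCK     = (1 << 8)
SMB_CREATOPT_NOEAKNOWLEDGE        = (1 << 9)
SMB_CREATOPT_LONG_FILENAMES       = (1 << 10)
SMB_CREATOPT_RANDOMACCESS         = (1 << 11)
SMB_CREATOPT_DELETE_ON_CLOSE      = (1 << 12)
SMB_CREATOPT_OPEN_BY_ID           = (1 << 13)
SMB_CREATOPT_BACKUP_INTENT        = (1 << 14)
SMB_CREATOPT_NOCOMPRESSION        = (1 << 15)
SMB_CREATOPT_RESERVE_OPFILTER     = (1 << 20)
SMB_CREATOPT_OPEN_REPARSE_POINT   = (1 << 21)
SMB_CREATOPT_OPEN_NO_RECALL       = (1 << 22)
SMB_CREATOPT_OPEN_FOR_SPACE_QUERY = (1 << 23)

# CreateOptions bit -> display name.
SMB_CreateOptions = {
    SMB_CREATOPT_NONE:                 "NONE",
    SMB_CREATOPT_DIRECTORY:            "DIRECTORY",
    SMB_CREATOPT_WRITETHROUGH:         "WRITETHROUGH",
    SMB_CREATOPT_SEQONLY:              "SEQONLY",
    SMB_CREATOPT_INTERMBUF:            "INTERMBUF",
    SMB_CREATOPT_SYNCIOALERT:          "SYNCIOALERT",
    SMB_CREATOPT_SYNCIONOALERT:        "SYNCIONOALERT",
    SMB_CREATOPT_NONDIRECTORY:         "NONDIRECTORY",
    SMB_CREATOPT_CREATETREECONN:       "CREATETREECONN",
    SMB_CREATOPT_COMPLETEIFOPLOCK:     "COMPLETEIFOPLOCK",
    SMB_CREATOPT_NOEAKNOWLEDGE:        "NOEAKNOWLEDGE",
    SMB_CREATOPT_LONG_FILENAMES:       "LONG_FILENAMES",
    SMB_CREATOPT_RANDOMACCESS:         "RANDOMACCESS",
    SMB_CREATOPT_DELETE_ON_CLOSE:      "DELETE_ON_CLOSE",
    SMB_CREATOPT_OPEN_BY_ID:           "OPEN_BY_ID",
    SMB_CREATOPT_BACKUP_INTENT:        "BACKUP_INTENT",
    SMB_CREATOPT_NOCOMPRESSION:        "NOCOMPRESSION",
    SMB_CREATOPT_RESERVE_OPFILTER:     "RESERVE_OPFILTER",
    SMB_CREATOPT_OPEN_REPARSE_POINT:   "OPEN_REPARSE_POINT",
    SMB_CREATOPT_OPEN_NO_RECALL:       "OPEN_NO_RECALL",
    SMB_CREATOPT_OPEN_FOR_SPACE_QUERY: "OPEN_FOR_SPACE_QUERY",
}


# ---------------------------------------------------------------------------
# CreateFlags (second, effective table; continues below)
# ---------------------------------------------------------------------------
SMB_CREATEFL_NONE             = (0)
SMB_CREATEFL_EXCL_OPLOCK      = (1 << 2)
SMB_CREATEFL_BATCH_OPLOCK     = (1 << 3)
SMB_CREATEFL_CREATE_DIRECTORY = (1 << 4)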
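SMB_CREATEFL_EXT_RESP         = (1 << 5)

# NOTE(review): this rebinds the SMB_CreateFlags table defined earlier in the
# module from the SMB_CF_* constants.  The two constant sets disagree on bit
# positions (e.g. SMB_CF_REQ_OPLOCK is 0x02 while SMB_CREATEFL_EXCL_OPLOCK is
# 0x04); this later binding is the one in effect.  Confirm against the
# NT_CREATE_ANDX request definition before trusting the decoded names.
SMB_CreateFlags = {
    SMB_CREATEFL_NONE:             "NONE",
    SMB_CREATEFL_EXCL_OPLOCK:      "EXCL_OPLOCK",
    SMB_CREATEFL_BATCH_OPLOCK:     "BATCH_OPLOCK",
    SMB_CREATEFL_CREATE_DIRECTORY: "CREATE_DIRECTORY",
    SMB_CREATEFL_EXT_RESP:         "EXT_RESP",
}


# ---------------------------------------------------------------------------
# Access Mask Flags (NT ACCESS_MASK layout: specific rights in the low 16
# bits, standard rights at 16-20, MAXIMUM_ALLOWED/generic rights at the top)
# ---------------------------------------------------------------------------
SMB_AM_NONE            = (0)
SMB_AM_READ            = (1 << 0)
SMB_AM_WRITE           = (1 << 1)
SMB_AM_APPEND          = (1 << 2)
SMB_AM_READ_EA         = (1 << 3)
SMB_AM_WRITE_EA        = (1 << 4)
SMB_AM_EXECUTE         = (1 << 5)
SMB_AM_DELETE_CHILD    = (1 << 6)
SMB_AM_READ_ATTR       = (1 << 7)
SMB_AM_WRITE_ATTR      = (1 << 8)
SMB_AM_DELETE          = (1 << 16)
SMB_AM_READ_CTRL       = (1 << 17)
SMB_AM_WRITE_DAC       = (1 << 18)  # right to change the DACL
SMB_AM_WRITE_OWNER     = (1 << 19)
SMB_AM_SYNC            = (1 << 20)
SMB_AM_MAX_SEC         = (1 << 24)
SMB_AM_MAX_ALLOWED     = (1 << 25)
SMB_AM_GENERIC_ALL     = (1 << 28)
SMB_AM_GENERIC_EXECUTE = (1 << 29)
SMB_AM_GENERIC_WRITE   = (1 << 30)
SMB_AM_GENERIC_READ    = (1 << 31)

# Access-mask bit -> display name.
SMB_AccessMask = {
    SMB_AM_NONE:            "NONE",
    SMB_AM_READ:            "READ",
    SMB_AM_WRITE:           "WRITE",
    SMB_AM_APPEND:          "APPEND",
    SMB_AM_READ_EA:         "READ_EA",
    SMB_AM_WRITE_EA:        "WRITE_EA",
    SMB_AM_EXECUTE:         "EXECUTE",
    SMB_AM_DELETE_CHILD:    "DELETE_CHILD",
    SMB_AM_READ_ATTR:       "READ_ATTR",
    SMB_AM_WRITE_ATTR:      "WRITE_ATTR",
    SMB_AM_DELETE:          "DELETE",
    SMB_AM_READ_CTRL:       "READ_CTRL",
    SMB_AM_WRITE_DAC:       "WRITE_DAC",
    SMB_AM_WRITE_OWNER:     "WRITE_OWNER",
    SMB_AM_SYNC:            "SYNC",
    SMB_AM_MAX_SEC:         "MAX_SEC",
    SMB_AM_MAX_ALLOWED:     "MAX_ALLOWED",
    SMB_AM_GENERIC_ALL:     "GENERIC_ALL",
    SMB_AM_GENERIC_EXECUTE: "GENERIC_EXECUTE",
    SMB_AM_GENERIC_WRITE:   "GENERIC_WRITE",
    SMB_AM_GENERIC_READ:    "GENERIC_READ",
}


# ---------------------------------------------------------------------------
# Security Flags (NT_CREATE_ANDX SecurityFlags byte)
# ---------------------------------------------------------------------------
SMB_SECFLAGS_CTX_TRACKING   = (1 << 0)
SMB_SECFLAGS_EFFECTIVE_ONLY = (1 << 1)

SMB_SecurityFlags = {
    SMB_SECFLAGS_CTX_TRACKING:   "CTX_TRACKING",
    SMB_SECFLAGS_EFFECTIVE_ONLY: "EFFECTIVE_ONLY",
}


# ---------------------------------------------------------------------------
# Write Mode (SMB_COM_WRITE_ANDX / WRITE_RAW)
# ---------------------------------------------------------------------------
SMB_WM_WRITETHROUGH    = 0x001
SMB_WM_RETURNREMAINING = 0x002
SMB_WM_WRITERAW        = 0x004
SMB_WM_MSGSTART        = 0x008

SMB_WriteMode = {
    SMB_WM_WRITETHROUGH:    "WRITETHROUGH",
    SMB_WM_RETURNREMAINING: "RETURNREMAINING",
    SMB_WM_WRITERAW:        "WRITERAW",
    SMB_WM_MSGSTART:        "MSGSTART",
}


class SMBNullField(StrField):
    """NUL-terminated SMB string whose encoding is dictated by the SMB header.

    The encoding is not fixed when the field is declared.  Every accessor
    walks ``underlayer`` links up to the nearest enclosing ``SMB_Header`` and
    delegates to ``UnicodeNullField`` (UTF-16) when that header's ``Flags2``
    has ``SMB_FLAGS2_UNICODE`` set, otherwise to ``StrNullField`` (ASCII).
    A field with no ``SMB_Header`` above it is handled as ASCII.

    The ``utf16`` constructor argument only selects which base ``__init__``
    prepares the default value; it does not influence the runtime choice.

    Since ``Flags2`` is read from the wire, the peer decides which decoder
    runs on its own bytes; both base decoders should therefore be expected to
    see arbitrary input.
    """

    def __init__(self, name, default, fmt="H", remain=0, utf16=True):
        if utf16:
            UnicodeNullField.__init__(self, name, default, fmt, remain)
        else:
            StrNullField.__init__(self, name, default, fmt, remain)

    @staticmethod
    def _header_is_unicode(pkt):
        """Return True if the nearest enclosing SMB_Header has the UNICODE bit.

        Shared by all accessors so that building and dissecting can never
        disagree about the encoding.  Returns False when *pkt* is not inside
        any ``SMB_Header``.
        """
        layer = pkt
        while layer is not None and not isinstance(layer, SMB_Header):
            layer = layer.underlayer
        if layer is None:
            return False
        return bool(layer.Flags2 & SMB_FLAGS2_UNICODE)

    def addfield(self, pkt, s, val):
        # Formerly used pkt.firstlayer().getlayer(SMB_Header).Flags2, which
        # raised AttributeError when the chain had no SMB_Header; the other
        # accessors already walked underlayer, so do the same here and fall
        # back to ASCII in that case.
        if self._header_is_unicode(pkt):
            return UnicodeNullField.addfield(self, pkt, s, val)
        return StrNullField.addfield(self, pkt, s, val)

    def getfield(self, pkt, s):
        if self._header_is_unicode(pkt):
            return UnicodeNullField.getfield(self, pkt, s)
        return StrNullField.getfield(self, pkt, s)

    def i2m(self, pkt, s):
        if self._header_is_unicode(pkt):
            return UnicodeNullField.i2m(self, pkt, s)
        return StrNullField.i2m(self, pkt, s)

    def i2repr(self, pkt, s):
        if self._header_is_unicode(pkt):
            return UnicodeNullField.i2repr(self, pkt, s)
        return StrNullField.i2repr(self, pkt, s)

    def size(self, pkt, s):
        if self._header_is_unicode(pkt):
            return UnicodeNullField.size(self, pkt, s)
        return StrNullField.size(self, pkt, s)


class UUIDField(StrFixedLenField):
    """Fixed 16-byte UUID stored in Microsoft little-endian (GUID) byte order."""

    def __init__(self, name, default):
        StrFixedLenField.__init__(self, name, default, 16)

    def i2repr(self, pkt, v):
        """Render the value as a canonical UUID string.

        ``UUID(bytes_le=...)`` raises when *v* is not exactly 16 bytes (a
        truncated or padded field) or is not bytes at all.  ``i2repr`` is the
        display path and runs on whatever the peer sent, so a malformed value
        falls back to ``repr(v)`` instead of aborting packet display.
        """
        try:
            return str(UUID(bytes_le=v))
        except (ValueError, TypeError):
            return repr(v)


class NBTSession(Packet):
    """NetBIOS session service header: TYPE, 7 reserved bits, 17-bit LENGTH.

    The 16-bit length and its extension bit are modelled as one 17-bit
    ``LENGTH`` field, which therefore caps the payload at 0x1FFFF bytes.
    """
    name = "NBT Session Packet"
    fields_desc = [
        ByteEnumField("TYPE", 0, {
            0x00: "Session Message",
            0x81: "Session Request",
            0x82: "Positive Session Response",
            0x83: "Negative Session Response",
            0x84: "Retarget Session Response",
            0x85: "Session Keepalive",
        }),
        BitField("RESERVED", 0x00, 7),
        BitField("LENGTH", 0, 17),
    ]

    # Maximum value representable in the 17-bit LENGTH field.
    _MAX_LENGTH = (1 << 17) - 1

    def post_build(self, p, pay):
        """Fill LENGTH from the real payload size, then rebuild the header.

        Raises ``ValueError`` when the payload does not fit the 17-bit field;
        emitting a header with a wrapped length would mis-frame the session
        stream for the peer, which is worse than failing loudly.
        """
        payload_len = len(pay)
        if payload_len > self._MAX_LENGTH:
            raise ValueError(
                "NBT session payload of %d bytes exceeds the 17-bit LENGTH field"
                % payload_len)
        self.LENGTH = payload_len
        p = self.do_build()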
return p+pay class NBTSession_Request(Packet): name="NBT Session Request" fields_desc= [ StrNullField("CalledName","ALICE"), StrNullField("CallingName","BOB"), ] class SMB_Header(Packet): name="SMB Header" fields_desc = [ StrFixedLenField("Start",b'\xffSMB',4), XByteEnumField("Command",SMB_COM_NEGOTIATE,SMB_Commands), LEIntField("Status",0), # XByteField("Flags",0x98), FlagsField("Flags", 0x98, 8, SMB_Header_Flags), # XLEShortField("Flags2",SMB_FLAGS2_KNOWS_LONG_NAMES|SMB_FLAGS2_UNICODE), FlagsField("Flags2", SMB_FLAGS2_KNOWS_LONG_NAMES|SMB_FLAGS2_UNICODE, -16, SMB_Header_Flags2), LEShortField("PIDHigh",0x0000), LELongField("Signature",0x0), LEShortField("Unused",0x0), LEShortField("TID",0xffff), LEShortField("PID",0), LEShortField("UID",0), LEShortField("MID",0), ] class SMB_Parameters(Packet): name="SMB Parameters" fields_desc = [ FieldLenField('Wordcount', None, fmt='B', length_of="Words"), StrLenField('Words', '', length_from = lambda pkt: pkt.Wordcount*2), ] class SMB_Data(Packet): name="SMB Data" fields_desc = [ FieldLenField('ByteCount', None, fmt='