# Copyright (c) 2003-2016 CORE Security Technologies
#
# This software is provided under under a slightly modified version
# of the Apache Software License. See the accompanying LICENSE file
# for more information.
#
# Author: Alberto Solino (@agsolino)
#
# Description:
# [MS-SMB2] Protocol Implementation (SMB2 and SMB3)
# As you might see in the code, it's implemented strictly following
# the structures defined in the protocol specification. This may
# not be the most efficient way (e.g. self._Connection is the
# same to self._Session in the context of this library ) but
# it certainly helps following the document way easier.
#
# ToDo:
# [X] Implement SMB2_CHANGE_NOTIFY
# [X] Implement SMB2_QUERY_INFO
# [X] Implement SMB2_SET_INFO
# [ ] Implement SMB2_OPLOCK_BREAK
# [X] Implement SMB3 signing
# [ ] Implement SMB3 encryption
# [ ] Add more backward compatible commands from the smb.py code
# [ ] Fix up all the 'ToDo' comments inside the code
#
import socket
import ntpath
import random
import string
import struct
from binascii import a2b_hex
from contextlib import contextmanager
from impacket import nmb, ntlm, uuid, crypto, LOG
from impacket.smb3structs import *
from impacket.nt_errors import STATUS_SUCCESS, STATUS_MORE_PROCESSING_REQUIRED, STATUS_INVALID_PARAMETER, \
STATUS_NO_MORE_FILES, STATUS_PENDING, STATUS_NOT_IMPLEMENTED, ERROR_MESSAGES
from impacket.spnego import SPNEGO_NegTokenInit, TypesMech, SPNEGO_NegTokenResp
# For signing
import hashlib, hmac, copy
# Structs to be used
TREE_CONNECT = {
'ShareName' : '',
'TreeConnectId' : 0,
'Session' : 0,
'IsDfsShare' : False,
# If the client implements the SMB 3.0 dialect,
# the client MUST also implement the following
'IsCAShare' : False,
'EncryptData' : False,
'IsScaleoutShare' : False,
# Outside the protocol
'NumberOfUses' : 0,
}
FILE = {
'OpenTable' : [],
'LeaseKey' : '',
'LeaseState' : 0,
'LeaseEpoch' : 0,
}
OPEN = {
'FileID' : '',
'TreeConnect' : 0,
'Connection' : 0, # Not Used
'Oplocklevel' : 0,
'Durable' : False,
'FileName' : '',
'ResilientHandle' : False,
'LastDisconnectTime' : 0,
'ResilientTimeout' : 0,
'OperationBuckets' : [],
# If the client implements the SMB 3.0 dialect,
# the client MUST implement the following
'CreateGuid' : '',
'IsPersistent' : False,
'DesiredAccess' : '',
'ShareMode' : 0,
'CreateOption' : '',
'FileAttributes' : '',
'CreateDisposition' : '',
}
REQUEST = {
'CancelID' : '',
'Message' : '',
'Timestamp' : 0,
}
CHANNEL = {
'SigningKey' : '',
'Connection' : 0,
}
class SessionError(Exception):
def __init__( self, error = 0, packet=0):
Exception.__init__(self)
self.error = error
self.packet = packet
def get_error_code( self ):
return self.error
def get_error_packet( self ):
return self.packet
def __str__( self ):
return 'SMB SessionError: %s(%s)' % (ERROR_MESSAGES[self.error])
class SMB3:
def __init__(self, remote_name, remote_host, my_name = None, host_type = nmb.TYPE_SERVER, sess_port = 445, timeout=60, UDP = 0, preferredDialect = None, session = None):
# [MS-SMB2] Section 3
self.RequireMessageSigning = False #
self.ConnectionTable = {}
self.GlobalFileTable = {}
self.ClientGuid = ''.join([random.choice(string.letters) for i in range(16)])
# Only for SMB 3.0
self.EncryptionAlgorithmList = ['AES-CCM']
self.MaxDialect = []
self.RequireSecureNegotiate = False
# Per Transport Connection Data
self._Connection = {
# Indexed by SessionID
#'SessionTable' : {},
# Indexed by MessageID
'OutstandingRequests' : {},
'OutstandingResponses' : {}, #
'SequenceWindow' : 0, #
'GSSNegotiateToken' : '', #
'MaxTransactSize' : 0, #
'MaxReadSize' : 0, #
'MaxWriteSize' : 0, #
'ServerGuid' : '', #
'RequireSigning' : False, #
'ServerName' : '', #
# If the client implements the SMB 2.1 or SMB 3.0 dialects, it MUST
# also implement the following
'Dialect' : '', #
'SupportsFileLeasing' : False, #
'SupportsMultiCredit' : False, #
# If the client implements the SMB 3.0 dialect,
# it MUST also implement the following
'SupportsDirectoryLeasing' : False, #
'SupportsMultiChannel' : False, #
'SupportsPersistentHandles': False, #
'SupportsEncryption' : False, #
'ClientCapabilities' : 0,
'ServerCapabilities' : 0, #
'ClientSecurityMode' : 0, #
'ServerSecurityMode' : 0, #
# Outside the protocol
'ServerIP' : '', #
}
self._Session = {
'SessionID' : 0, #
'TreeConnectTable' : {}, #
'SessionKey' : '', #
'SigningRequired' : False, #
'Connection' : 0, #
'UserCredentials' : '', #
'OpenTable' : {}, #
# If the client implements the SMB 3.0 dialect,
# it MUST also implement the following
'ChannelList' : [],
'ChannelSequence' : 0,
#'EncryptData' : False,
'EncryptData' : True,
'EncryptionKey' : '',
'DecryptionKey' : '',
'SigningKey' : '',
'ApplicationKey' : '',
# Outside the protocol
'SessionFlags' : 0, #
'ServerName' : '', #
'ServerDomain' : '', #
'ServerDNSDomainName' : '', #
'ServerOS' : '', #
'SigningActivated' : False, #
}
self.SMB_PACKET = SMB2Packet
self._timeout = timeout
self._Connection['ServerIP'] = remote_host
self._NetBIOSSession = None
self.__userName = ''
self.__password = ''
self.__domain = ''
self.__lmhash = ''
self.__nthash = ''
self.__kdc = ''
self.__aesKey = ''
self.__TGT = None
self.__TGS = None
if sess_port == 445 and remote_name == '*SMBSERVER':
self._Connection['ServerName'] = remote_host
else:
self._Connection['ServerName'] = remote_name
if session is None:
if not my_name:
my_name = socket.gethostname()
i = string.find(my_name, '.')
if i > -1:
my_name = my_name[:i]
if UDP:
self._NetBIOSSession = nmb.NetBIOSUDPSession(my_name, self._Connection['ServerName'], remote_host, host_type, sess_port, self._timeout)
else:
self._NetBIOSSession = nmb.NetBIOSTCPSession(my_name, self._Connection['ServerName'], remote_host, host_type, sess_port, self._timeout)
self.negotiateSession(preferredDialect)
else:
self._NetBIOSSession = session
# We should increase the SequenceWindow since a packet was already received.
self._Connection['SequenceWindow'] += 1
# Let's negotiate again using the same connection
self.negotiateSession(preferredDialect)
def printStatus(self):
print "CONNECTION"
for i in self._Connection.items():
print "%-40s : %s" % i
print
print "SESSION"
for i in self._Session.items():
print "%-40s : %s" % i
def getServerName(self):
return self._Session['ServerName']
def getServerIP(self):
return self._Connection['ServerIP']
def getServerDomain(self):
return self._Session['ServerDomain']
def getServerDNSDomainName(self):
return self._Session['ServerDNSDomainName']
def getServerOS(self):
return self._Session['ServerOS']
def getServerOSMajor(self):
return self._Session['ServerOSMajor']
def getServerOSMinor(self):
return self._Session['ServerOSMinor']
def getServerOSBuild(self):
return self._Session['ServerOSBuild']
def isGuestSession(self):
return self._Session['SessionFlags'] & SMB2_SESSION_FLAG_IS_GUEST
def setTimeout(self, timeout):
self._timeout = timeout
@contextmanager
def useTimeout(self, timeout):
prev_timeout = self.getTimeout(timeout)
try:
yield
finally:
self.setTimeout(prev_timeout)
def getDialect(self):
return self._Connection['Dialect']
def signSMB(self, packet):
packet['Signature'] = '\x00'*16
if self._Connection['Dialect'] == SMB2_DIALECT_21 or self._Connection['Dialect'] == SMB2_DIALECT_002:
if len(self._Session['SessionKey']) > 0:
signature = hmac.new(self._Session['SessionKey'], str(packet), hashlib.sha256).digest()
packet['Signature'] = signature[:16]
else:
if len(self._Session['SessionKey']) > 0:
p = str(packet)
signature = crypto.AES_CMAC(self._Session['SigningKey'], p, len(p))
packet['Signature'] = signature
def sendSMB(self, packet):
# The idea here is to receive multiple/single commands and create a compound request, and send it
# Should return the MessageID for later retrieval. Implement compounded related requests.
# If Connection.Dialect is equal to "3.000" and if Connection.SupportsMultiChannel or
# Connection.SupportsPersistentHandles is TRUE, the client MUST set ChannelSequence in the
# SMB2 header to Session.ChannelSequence
# Check this is not a CANCEL request. If so, don't consume sequece numbers
if packet['Command'] is not SMB2_CANCEL:
packet['MessageID'] = self._Connection['SequenceWindow']
self._Connection['SequenceWindow'] += 1
packet['SessionID'] = self._Session['SessionID']
# Default the credit charge to 1 unless set by the caller
if packet.fields.has_key('CreditCharge') is False:
packet['CreditCharge'] = 1
# Standard credit request after negotiating protocol
if self._Connection['SequenceWindow'] > 3:
packet['CreditRequestResponse'] = 127
messageId = packet['MessageID']
if self._Session['SigningActivated'] is True and self._Connection['SequenceWindow'] > 2:
if packet['TreeID'] > 0 and self._Session['TreeConnectTable'].has_key(packet['TreeID']) is True:
if self._Session['TreeConnectTable'][packet['TreeID']]['EncryptData'] is False:
packet['Flags'] = SMB2_FLAGS_SIGNED
self.signSMB(packet)
elif packet['TreeID'] == 0:
packet['Flags'] = SMB2_FLAGS_SIGNED
self.signSMB(packet)
if (self._Session['SessionFlags'] & SMB2_SESSION_FLAG_ENCRYPT_DATA) or ( packet['TreeID'] != 0 and self._Session['TreeConnectTable'][packet['TreeID']]['EncryptData'] is True):
plainText = str(packet)
transformHeader = SMB2_TRANSFORM_HEADER()
transformHeader['Nonce'] = ''.join([random.choice(string.letters) for i in range(11)])
transformHeader['OriginalMessageSize'] = len(plainText)
transformHeader['EncryptionAlgorithm'] = SMB2_ENCRYPTION_AES128_CCM
transformHeader['SessionID'] = self._Session['SessionID']
from Crypto.Cipher import AES
try:
AES.MODE_CCM
except:
LOG.critical("Your pycrypto doesn't support AES.MODE_CCM. Currently only pycrypto experimental supports this mode.\nDownload it from https://www.dlitz.net/software/pycrypto ")
raise
cipher = AES.new(self._Session['EncryptionKey'], AES.MODE_CCM, transformHeader['Nonce'])
cipher.update(str(transformHeader)[20:])
cipherText = cipher.encrypt(plainText)
transformHeader['Signature'] = cipher.digest()
packet = str(transformHeader) + cipherText
self._NetBIOSSession.send_packet(str(packet))
return messageId
def recvSMB(self, packetID = None):
# First, verify we don't have the packet already
if self._Connection['OutstandingResponses'].has_key(packetID):
return self._Connection['OutstandingResponses'].pop(packetID)
data = self._NetBIOSSession.recv_packet(self._timeout)
if data.get_trailer().startswith('\xfdSMB'):
# Packet is encrypted
transformHeader = SMB2_TRANSFORM_HEADER(data.get_trailer())
from Crypto.Cipher import AES
try:
AES.MODE_CCM
except:
LOG.critical("Your pycrypto doesn't support AES.MODE_CCM. Currently only pycrypto experimental supports this mode.\nDownload it from https://www.dlitz.net/software/pycrypto ")
raise
cipher = AES.new(self._Session['DecryptionKey'], AES.MODE_CCM, transformHeader['Nonce'][:11])
cipher.update(str(transformHeader)[20:])
plainText = cipher.decrypt(data.get_trailer()[len(SMB2_TRANSFORM_HEADER()):])
#cipher.verify(transformHeader['Signature'])
packet = SMB2Packet(plainText)
else:
# In all SMB dialects for a response this field is interpreted as the Status field.
# This field can be set to any value. For a list of valid status codes,
# see [MS-ERREF] section 2.3.
packet = SMB2Packet(data.get_trailer())
# Loop while we receive pending requests
if packet['Status'] == STATUS_PENDING:
status = STATUS_PENDING
while status == STATUS_PENDING:
data = self._NetBIOSSession.recv_packet(self._timeout)
if data.get_trailer().startswith('\xfeSMB'):
packet = SMB2Packet(data.get_trailer())
else:
# Packet is encrypted
transformHeader = SMB2_TRANSFORM_HEADER(data.get_trailer())
from Crypto.Cipher import AES
try:
AES.MODE_CCM
except:
LOG.critical("Your pycrypto doesn't support AES.MODE_CCM. Currently only pycrypto experimental supports this mode.\nDownload it from https://www.dlitz.net/software/pycrypto ")
raise
cipher = AES.new(self._Session['DecryptionKey'], AES.MODE_CCM, transformHeader['Nonce'][:11])
cipher.update(str(transformHeader)[20:])
plainText = cipher.decrypt(data.get_trailer()[len(SMB2_TRANSFORM_HEADER()):])
#cipher.verify(transformHeader['Signature'])
packet = SMB2Packet(plainText)
status = packet['Status']
if packet['MessageID'] == packetID or packetID is None:
# if self._Session['SigningRequired'] is True:
# self.signSMB(packet)
# Let's update the sequenceWindow based on the CreditsCharged
self._Connection['SequenceWindow'] += (packet['CreditCharge'] - 1)
return packet
else:
self._Connection['OutstandingResponses'][packet['MessageID']] = packet
return self.recvSMB(packetID)
def negotiateSession(self, preferredDialect = None):
packet = self.SMB_PACKET()
packet['Command'] = SMB2_NEGOTIATE
negSession = SMB2Negotiate()
negSession['SecurityMode'] = SMB2_NEGOTIATE_SIGNING_ENABLED
if self.RequireMessageSigning is True:
negSession['SecurityMode'] |= SMB2_NEGOTIATE_SIGNING_REQUIRED
negSession['Capabilities'] = SMB2_GLOBAL_CAP_ENCRYPTION
negSession['ClientGuid'] = self.ClientGuid
if preferredDialect is not None:
negSession['Dialects'] = [preferredDialect]
else:
negSession['Dialects'] = [SMB2_DIALECT_002, SMB2_DIALECT_21, SMB2_DIALECT_30]
negSession['DialectCount'] = len(negSession['Dialects'])
packet['Data'] = negSession
# Storing this data for later use
self._Connection['ClientSecurityMode'] = negSession['SecurityMode']
self._Connection['Capabilities'] = negSession['Capabilities']
packetID = self.sendSMB(packet)
ans = self.recvSMB(packetID)
if ans.isValidAnswer(STATUS_SUCCESS):
# ToDo this:
# If the DialectRevision in the SMB2 NEGOTIATE Response is 0x02FF, the client MUST issue a new
# SMB2 NEGOTIATE request as described in section 3.2.4.2.2.2 with the only exception
# that the client MUST allocate sequence number 1 from Connection.SequenceWindow, and MUST set
# MessageId field of the SMB2 header to 1. Otherwise, the client MUST proceed as follows.
negResp = SMB2Negotiate_Response(ans['Data'])
self._Connection['MaxTransactSize'] = min(0x100000,negResp['MaxTransactSize'])
self._Connection['MaxReadSize'] = min(0x100000,negResp['MaxReadSize'])
self._Connection['MaxWriteSize'] = min(0x100000,negResp['MaxWriteSize'])
self._Connection['ServerGuid'] = negResp['ServerGuid']
self._Connection['GSSNegotiateToken'] = negResp['Buffer']
self._Connection['Dialect'] = negResp['DialectRevision']
if (negResp['SecurityMode'] & SMB2_NEGOTIATE_SIGNING_REQUIRED) == SMB2_NEGOTIATE_SIGNING_REQUIRED:
self._Connection['RequireSigning'] = True
if (negResp['Capabilities'] & SMB2_GLOBAL_CAP_LEASING) == SMB2_GLOBAL_CAP_LEASING:
self._Connection['SupportsFileLeasing'] = True
if (negResp['Capabilities'] & SMB2_GLOBAL_CAP_LARGE_MTU) == SMB2_GLOBAL_CAP_LARGE_MTU:
self._Connection['SupportsMultiCredit'] = True
if self._Connection['Dialect'] == SMB2_DIALECT_30:
# Switching to the right packet format
self.SMB_PACKET = SMB3Packet
if (negResp['Capabilities'] & SMB2_GLOBAL_CAP_DIRECTORY_LEASING) == SMB2_GLOBAL_CAP_DIRECTORY_LEASING:
self._Connection['SupportsDirectoryLeasing'] = True
if (negResp['Capabilities'] & SMB2_GLOBAL_CAP_MULTI_CHANNEL) == SMB2_GLOBAL_CAP_MULTI_CHANNEL:
self._Connection['SupportsMultiChannel'] = True
if (negResp['Capabilities'] & SMB2_GLOBAL_CAP_PERSISTENT_HANDLES) == SMB2_GLOBAL_CAP_PERSISTENT_HANDLES:
self._Connection['SupportsPersistentHandles'] = True
if (negResp['Capabilities'] & SMB2_GLOBAL_CAP_ENCRYPTION) == SMB2_GLOBAL_CAP_ENCRYPTION:
self._Connection['SupportsEncryption'] = True
self._Connection['ServerCapabilities'] = negResp['Capabilities']
self._Connection['ServerSecurityMode'] = negResp['SecurityMode']
def getCredentials(self):
return (
self.__userName,
self.__password,
self.__domain,
self.__lmhash,
self.__nthash,
self.__aesKey,
self.__TGT,
self.__TGS)
def kerberosLogin(self, user, password, domain = '', lmhash = '', nthash = '', aesKey='', kdcHost = '', TGT=None, TGS=None):
# If TGT or TGS are specified, they are in the form of:
# TGS['KDC_REP'] = the response from the server
# TGS['cipher'] = the cipher used
# TGS['sessionKey'] = the sessionKey
# If we have hashes, normalize them
if lmhash != '' or nthash != '':
if len(lmhash) % 2: lmhash = '0%s' % lmhash
if len(nthash) % 2: nthash = '0%s' % nthash
try: # just in case they were converted already
lmhash = a2b_hex(lmhash)
nthash = a2b_hex(nthash)
except:
pass
self.__userName = user
self.__password = password
self.__domain = domain
self.__lmhash = lmhash
self.__nthash = nthash
self.__kdc = kdcHost
self.__aesKey = aesKey
self.__TGT = TGT
self.__TGS = TGS
sessionSetup = SMB2SessionSetup()
if self.RequireMessageSigning is True:
sessionSetup['SecurityMode'] = SMB2_NEGOTIATE_SIGNING_REQUIRED
else:
sessionSetup['SecurityMode'] = SMB2_NEGOTIATE_SIGNING_ENABLED
sessionSetup['Flags'] = 0
#sessionSetup['Capabilities'] = SMB2_GLOBAL_CAP_LARGE_MTU | SMB2_GLOBAL_CAP_LEASING | SMB2_GLOBAL_CAP_DFS
# Importing down here so pyasn1 is not required if kerberos is not used.
from impacket.krb5.asn1 import AP_REQ, Authenticator, TGS_REP, seq_set
from impacket.krb5.kerberosv5 import getKerberosTGT, getKerberosTGS
from impacket.krb5 import constants
from impacket.krb5.types import Principal, KerberosTime, Ticket
from pyasn1.codec.der import decoder, encoder
import datetime
# First of all, we need to get a TGT for the user
userName = Principal(user, type=constants.PrincipalNameType.NT_PRINCIPAL.value)
if TGT is None:
if TGS is None:
tgt, cipher, oldSessionKey, sessionKey = getKerberosTGT(userName, password, domain, lmhash, nthash, aesKey, kdcHost)
else:
tgt = TGT['KDC_REP']
cipher = TGT['cipher']
sessionKey = TGT['sessionKey']
# Save the ticket
# If you want, for debugging purposes
# from impacket.krb5.ccache import CCache
# ccache = CCache()
# try:
# if TGS is None:
# ccache.fromTGT(tgt, oldSessionKey, sessionKey)
# else:
# ccache.fromTGS(TGS['KDC_REP'], TGS['oldSessionKey'], TGS['sessionKey'] )
# ccache.saveFile('/tmp/ticket.bin')
# except Exception, e:
# print e
# pass
# Now that we have the TGT, we should ask for a TGS for cifs
if TGS is None:
serverName = Principal('cifs/%s' % (self._Connection['ServerName']), type=constants.PrincipalNameType.NT_SRV_INST.value)
tgs, cipher, oldSessionKey, sessionKey = getKerberosTGS(serverName, domain, kdcHost, tgt, cipher, sessionKey)
else:
tgs = TGS['KDC_REP']
cipher = TGS['cipher']
sessionKey = TGS['sessionKey']
# Let's build a NegTokenInit with a Kerberos REQ_AP
blob = SPNEGO_NegTokenInit()
# Kerberos
blob['MechTypes'] = [TypesMech['MS KRB5 - Microsoft Kerberos 5']]
# Let's extract the ticket from the TGS
tgs = decoder.decode(tgs, asn1Spec = TGS_REP())[0]
ticket = Ticket()
ticket.from_asn1(tgs['ticket'])
# Now let's build the AP_REQ
apReq = AP_REQ()
apReq['pvno'] = 5
apReq['msg-type'] = int(constants.ApplicationTagNumbers.AP_REQ.value)
opts = list()
apReq['ap-options'] = constants.encodeFlags(opts)
seq_set(apReq,'ticket', ticket.to_asn1)
authenticator = Authenticator()
authenticator['authenticator-vno'] = 5
authenticator['crealm'] = domain
seq_set(authenticator, 'cname', userName.components_to_asn1)
now = datetime.datetime.utcnow()
authenticator['cusec'] = now.microsecond
authenticator['ctime'] = KerberosTime.to_asn1(now)
encodedAuthenticator = encoder.encode(authenticator)
# Key Usage 11
# AP-REQ Authenticator (includes application authenticator
# subkey), encrypted with the application session key
# (Section 5.5.1)
encryptedEncodedAuthenticator = cipher.encrypt(sessionKey, 11, encodedAuthenticator, None)
apReq['authenticator'] = None
apReq['authenticator']['etype'] = cipher.enctype
apReq['authenticator']['cipher'] = encryptedEncodedAuthenticator
blob['MechToken'] = encoder.encode(apReq)
sessionSetup['SecurityBufferLength'] = len(blob)
sessionSetup['Buffer'] = blob.getData()
packet = self.SMB_PACKET()
packet['Command'] = SMB2_SESSION_SETUP
packet['Data'] = sessionSetup
packetID = self.sendSMB(packet)
ans = self.recvSMB(packetID)
if ans.isValidAnswer(STATUS_SUCCESS):
self._Session['SessionID'] = ans['SessionID']
self._Session['SigningRequired'] = self._Connection['RequireSigning']
self._Session['UserCredentials'] = (user, password, domain, lmhash, nthash)
self._Session['Connection'] = self._NetBIOSSession.get_socket()
self._Session['SessionKey'] = sessionKey.contents[:16]
if self._Session['SigningRequired'] is True and self._Connection['Dialect'] == SMB2_DIALECT_30:
self._Session['SigningKey'] = crypto.KDF_CounterMode(self._Session['SessionKey'], "SMB2AESCMAC\x00", "SmbSign\x00", 128)
# Calculate the key derivations for dialect 3.0
if self._Session['SigningRequired'] is True:
self._Session['SigningActivated'] = True
if self._Connection['Dialect'] == SMB2_DIALECT_30:
self._Session['ApplicationKey'] = crypto.KDF_CounterMode(self._Session['SessionKey'], "SMB2APP\x00", "SmbRpc\x00", 128)
self._Session['EncryptionKey'] = crypto.KDF_CounterMode(self._Session['SessionKey'], "SMB2AESCCM\x00", "ServerIn \x00", 128)
self._Session['DecryptionKey'] = crypto.KDF_CounterMode(self._Session['SessionKey'], "SMB2AESCCM\x00", "ServerOut\x00", 128)
return True
else:
# We clean the stuff we used in case we want to authenticate again
# within the same connection
self._Session['UserCredentials'] = ''
self._Session['Connection'] = 0
self._Session['SessionID'] = 0
self._Session['SigningRequired'] = False
self._Session['SigningKey'] = ''
self._Session['SessionKey'] = ''
self._Session['SigningActivated'] = False
raise
def login(self, user, password, domain = '', lmhash = '', nthash = ''):
# If we have hashes, normalize them
if lmhash != '' or nthash != '':
if len(lmhash) % 2: lmhash = '0%s' % lmhash
if len(nthash) % 2: nthash = '0%s' % nthash
try: # just in case they were converted already
lmhash = a2b_hex(lmhash)
nthash = a2b_hex(nthash)
except:
pass
self.__userName = user
self.__password = password
self.__domain = domain
self.__lmhash = lmhash
self.__nthash = nthash
self.__aesKey = ''
self.__TGT = None
self.__TGS = None
sessionSetup = SMB2SessionSetup()
if self.RequireMessageSigning is True:
sessionSetup['SecurityMode'] = SMB2_NEGOTIATE_SIGNING_REQUIRED
else:
sessionSetup['SecurityMode'] = SMB2_NEGOTIATE_SIGNING_ENABLED
sessionSetup['Flags'] = 0
#sessionSetup['Capabilities'] = SMB2_GLOBAL_CAP_LARGE_MTU | SMB2_GLOBAL_CAP_LEASING | SMB2_GLOBAL_CAP_DFS
# Let's build a NegTokenInit with the NTLMSSP
# TODO: In the future we should be able to choose different providers
blob = SPNEGO_NegTokenInit()
# NTLMSSP
blob['MechTypes'] = [TypesMech['NTLMSSP - Microsoft NTLM Security Support Provider']]
auth = ntlm.getNTLMSSPType1('','', self._Connection['RequireSigning'])
blob['MechToken'] = str(auth)
sessionSetup['SecurityBufferLength'] = len(blob)
sessionSetup['Buffer'] = blob.getData()
# ToDo:
# If this authentication is for establishing an alternative channel for an existing Session, as specified
# in section 3.2.4.1.7, the client MUST also set the following values:
# The SessionId field in the SMB2 header MUST be set to the Session.SessionId for the new
# channel being established.
# The SMB2_SESSION_FLAG_BINDING bit MUST be set in the Flags field.
# The PreviousSessionId field MUST be set to zero.
packet = self.SMB_PACKET()
packet['Command'] = SMB2_SESSION_SETUP
packet['Data'] = sessionSetup
packetID = self.sendSMB(packet)
ans = self.recvSMB(packetID)
if ans.isValidAnswer(STATUS_MORE_PROCESSING_REQUIRED):
self._Session['SessionID'] = ans['SessionID']
self._Session['SigningRequired'] = self._Connection['RequireSigning']
self._Session['UserCredentials'] = (user, password, domain, lmhash, nthash)
self._Session['Connection'] = self._NetBIOSSession.get_socket()
sessionSetupResponse = SMB2SessionSetup_Response(ans['Data'])
respToken = SPNEGO_NegTokenResp(sessionSetupResponse['Buffer'])
# Let's parse some data and keep it to ourselves in case it is asked
ntlmChallenge = ntlm.NTLMAuthChallenge(respToken['ResponseToken'])
if ntlmChallenge['TargetInfoFields_len'] > 0:
av_pairs = ntlm.AV_PAIRS(ntlmChallenge['TargetInfoFields'][:ntlmChallenge['TargetInfoFields_len']])
if av_pairs[ntlm.NTLMSSP_AV_HOSTNAME] is not None:
try:
self._Session['ServerName'] = av_pairs[ntlm.NTLMSSP_AV_HOSTNAME][1].decode('utf-16le')
except:
# For some reason, we couldn't decode Unicode here.. silently discard the operation
pass
if av_pairs[ntlm.NTLMSSP_AV_DOMAINNAME] is not None:
try:
if self._Session['ServerName'] != av_pairs[ntlm.NTLMSSP_AV_DOMAINNAME][1].decode('utf-16le'):
self._Session['ServerDomain'] = av_pairs[ntlm.NTLMSSP_AV_DOMAINNAME][1].decode('utf-16le')
except:
# For some reason, we couldn't decode Unicode here.. silently discard the operation
pass
if av_pairs[ntlm.NTLMSSP_AV_DNS_DOMAINNAME] is not None:
try:
self._Session['ServerDNSDomainName'] = av_pairs[ntlm.NTLMSSP_AV_DNS_DOMAINNAME][1].decode('utf-16le')
except:
# For some reason, we couldn't decode Unicode here.. silently discard the operation
pass
# Parse Version to know the target Operating system name. Not provided elsewhere anymore
if ntlmChallenge.fields.has_key('Version'):
version = ntlmChallenge['Version']
if len(version) >= 4:
self._Session['ServerOS'] = "Windows %d.%d Build %d" % (ord(version[0]), ord(version[1]), struct.unpack('<H',version[2:4])[0])
self._Session["ServerOSMajor"] = ord(version[0])
self._Session["ServerOSMinor"] = ord(version[1])
self._Session["ServerOSBuild"] = struct.unpack('<H',version[2:4])[0]
type3, exportedSessionKey = ntlm.getNTLMSSPType3(auth, respToken['ResponseToken'], user, password, domain, lmhash, nthash)
if exportedSessionKey is not None:
self._Session['SessionKey'] = exportedSessionKey
if self._Session['SigningRequired'] is True and self._Connection['Dialect'] == SMB2_DIALECT_30:
self._Session['SigningKey'] = crypto.KDF_CounterMode(exportedSessionKey, "SMB2AESCMAC\x00", "SmbSign\x00", 128)
respToken2 = SPNEGO_NegTokenResp()
respToken2['ResponseToken'] = str(type3)
# Reusing the previous structure
sessionSetup['SecurityBufferLength'] = len(respToken2)
sessionSetup['Buffer'] = respToken2.getData()
packetID = self.sendSMB(packet)
packet = self.recvSMB(packetID)
try:
if packet.isValidAnswer(STATUS_SUCCESS):
sessionSetupResponse = SMB2SessionSetup_Response(packet['Data'])
self._Session['SessionFlags'] = sessionSetupResponse['SessionFlags']
# Calculate the key derivations for dialect 3.0
if self._Session['SigningRequired'] is True:
self._Session['SigningActivated'] = True
if self._Connection['Dialect'] == SMB2_DIALECT_30:
self._Session['ApplicationKey'] = crypto.KDF_CounterMode(exportedSessionKey, "SMB2APP\x00", "SmbRpc\x00", 128)
self._Session['EncryptionKey'] = crypto.KDF_CounterMode(exportedSessionKey, "SMB2AESCCM\x00", "ServerIn \x00", 128)
self._Session['DecryptionKey'] = crypto.KDF_CounterMode(exportedSessionKey, "SMB2AESCCM\x00", "ServerOut\x00", 128)
return True
except:
# We clean the stuff we used in case we want to authenticate again
# within the same connection
self._Session['UserCredentials'] = ''
self._Session['Connection'] = 0
self._Session['SessionID'] = 0
self._Session['SigningRequired'] = False
self._Session['SigningKey'] = ''
self._Session['SessionKey'] = ''
self._Session['SigningActivated'] = False
raise
def connectTree(self, share):
# Just in case this came with the full path (maybe an SMB1 client), let's just leave
# the sharename, we'll take care of the rest
#print self._Session['TreeConnectTable']
share = share.split('\\')[-1]
if self._Session['TreeConnectTable'].has_key(share):
# Already connected, no need to reconnect
treeEntry = self._Session['TreeConnectTable'][share]
treeEntry['NumberOfUses'] += 1
self._Session['TreeConnectTable'][treeEntry['TreeConnectId']]['NumberOfUses'] += 1
return treeEntry['TreeConnectId']
#path = share
try:
_, _, _, _, sockaddr = socket.getaddrinfo(self._Connection['ServerIP'], 80, 0, 0, socket.IPPROTO_TCP)[0]
remoteHost = sockaddr[0]
except:
remoteHost = self._Connection['ServerIP']
path = '\\\\' + remoteHost + '\\' +share
treeConnect = SMB2TreeConnect()
treeConnect['Buffer'] = path.encode('utf-16le')
treeConnect['PathLength'] = len(path)*2
packet = self.SMB_PACKET()
packet['Command'] = SMB2_TREE_CONNECT
packet['Data'] = treeConnect
packetID = self.sendSMB(packet)
packet = self.recvSMB(packetID)
if packet.isValidAnswer(STATUS_SUCCESS):
treeConnectResponse = SMB2TreeConnect_Response(packet['Data'])
treeEntry = copy.deepcopy(TREE_CONNECT)
treeEntry['ShareName'] = share
treeEntry['TreeConnectId'] = packet['TreeID']
treeEntry['Session'] = packet['SessionID']
treeEntry['NumberOfUses'] += 1
if (treeConnectResponse['Capabilities'] & SMB2_SHARE_CAP_DFS) == SMB2_SHARE_CAP_DFS:
treeEntry['IsDfsShare'] = True
if (treeConnectResponse['Capabilities'] & SMB2_SHARE_CAP_CONTINUOUS_AVAILABILITY) == SMB2_SHARE_CAP_CONTINUOUS_AVAILABILITY:
treeEntry['IsCAShare'] = True
if self._Connection['Dialect'] == SMB2_DIALECT_30:
if (self._Connection['SupportsEncryption'] is True) and ((treeConnectResponse['ShareFlags'] & SMB2_SHAREFLAG_ENCRYPT_DATA) == SMB2_SHAREFLAG_ENCRYPT_DATA):
treeEntry['EncryptData'] = True
# ToDo: This and what follows
# If Session.EncryptData is FALSE, the client MUST then generate an encryption key, a
# decryption key as specified in section 3.1.4.2, by providing the following inputs and store
# them in Session.EncryptionKey and Session.DecryptionKey:
if (treeConnectResponse['Capabilities'] & SMB2_SHARE_CAP_SCALEOUT) == SMB2_SHARE_CAP_SCALEOUT:
treeEntry['IsScaleoutShare'] = True
self._Session['TreeConnectTable'][packet['TreeID']] = treeEntry
self._Session['TreeConnectTable'][share] = treeEntry
return packet['TreeID']
def disconnectTree(self, treeId):
if self._Session['TreeConnectTable'].has_key(treeId) is False:
raise SessionError(STATUS_INVALID_PARAMETER)
if self._Session['TreeConnectTable'].has_key(treeId):
# More than 1 use? descrease it and return, if not, send the packet
if self._Session['TreeConnectTable'][treeId]['NumberOfUses'] > 1:
treeEntry = self._Session['TreeConnectTable'][treeId]
treeEntry['NumberOfUses'] -= 1
self._Session['TreeConnectTable'][treeEntry['ShareName']]['NumberOfUses'] -= 1
return True
packet = self.SMB_PACKET()
packet['Command'] = SMB2_TREE_DISCONNECT
packet['TreeID'] = treeId
treeDisconnect = SMB2TreeDisconnect()
packet['Data'] = treeDisconnect
packetID = self.sendSMB(packet)
packet = self.recvSMB(packetID)
if packet.isValidAnswer(STATUS_SUCCESS):
shareName = self._Session['TreeConnectTable'][treeId]['ShareName']
del(self._Session['TreeConnectTable'][shareName])
del(self._Session['TreeConnectTable'][treeId])
return True
def create(self, treeId, fileName, desiredAccess, shareMode, creationOptions, creationDisposition, fileAttributes, impersonationLevel = SMB2_IL_IMPERSONATION, securityFlags = 0, oplockLevel = SMB2_OPLOCK_LEVEL_NONE, createContexts = None):
if self._Session['TreeConnectTable'].has_key(treeId) is False:
raise SessionError(STATUS_INVALID_PARAMETER)
fileName = string.replace(fileName, '/', '\\')
if len(fileName) > 0:
fileName = ntpath.normpath(fileName)
if fileName[0] == '\\':
fileName = fileName[1:]
if self._Session['TreeConnectTable'][treeId]['IsDfsShare'] is True:
pathName = fileName
else:
pathName = '\\\\' + self._Connection['ServerName'] + '\\' + fileName
fileEntry = copy.deepcopy(FILE)
fileEntry['LeaseKey'] = uuid.generate()
fileEntry['LeaseState'] = SMB2_LEASE_NONE
self.GlobalFileTable[pathName] = fileEntry
if self._Connection['Dialect'] == SMB2_DIALECT_30 and self._Connection['SupportsDirectoryLeasing'] is True:
# Is this file NOT on the root directory?
if len(fileName.split('\\')) > 2:
parentDir = ntpath.dirname(pathName)
if self.GlobalFileTable.has_key(parentDir):
LOG.critical("Don't know what to do now! :-o")
raise
else:
parentEntry = copy.deepcopy(FILE)
parentEntry['LeaseKey'] = uuid.generate()
parentEntry['LeaseState'] = SMB2_LEASE_NONE
self.GlobalFileTable[parentDir] = parentEntry
packet = self.SMB_PACKET()
packet['Command'] = SMB2_CREATE
packet['TreeID'] = treeId
if self._Session['TreeConnectTable'][treeId]['IsDfsShare'] is True:
packet['Flags'] = SMB2_FLAGS_DFS_OPERATIONS
smb2Create = SMB2Create()
smb2Create['SecurityFlags'] = 0
smb2Create['RequestedOplockLevel'] = oplockLevel
smb2Create['ImpersonationLevel'] = impersonationLevel
smb2Create['DesiredAccess'] = desiredAccess
smb2Create['FileAttributes'] = fileAttributes
smb2Create['ShareAccess'] = shareMode
smb2Create['CreateDisposition'] = creationDisposition
smb2Create['CreateOptions'] = creationOptions
smb2Create['NameLength'] = len(fileName)*2
if fileName != '':
smb2Create['Buffer'] = fileName.encode('utf-16le')
else:
smb2Create['Buffer'] = '\x00'
if createContexts is not None:
smb2Create['Buffer'] += createContexts
smb2Create['CreateContextsOffset'] = len(SMB2Packet()) + SMB2Create.SIZE + smb2Create['NameLength']
smb2Create['CreateContextsLength'] = len(createContexts)
else:
smb2Create['CreateContextsOffset'] = 0
smb2Create['CreateContextsLength'] = 0
packet['Data'] = smb2Create
packetID = self.sendSMB(packet)
ans = self.recvSMB(packetID)
if ans.isValidAnswer(STATUS_SUCCESS):
createResponse = SMB2Create_Response(ans['Data'])
openFile = copy.deepcopy(OPEN)
openFile['FileID'] = createResponse['FileID']
openFile['TreeConnect'] = treeId
openFile['Oplocklevel'] = oplockLevel
openFile['Durable'] = False
openFile['ResilientHandle'] = False
openFile['LastDisconnectTime'] = 0
openFile['FileName'] = pathName
# ToDo: Complete the OperationBuckets
if self._Connection['Dialect'] == SMB2_DIALECT_30:
openFile['DesiredAccess'] = oplockLevel
openFile['ShareMode'] = oplockLevel
openFile['CreateOptions'] = oplockLevel
openFile['FileAttributes'] = oplockLevel
openFile['CreateDisposition'] = oplockLevel
# ToDo: Process the contexts
self._Session['OpenTable'][str(createResponse['FileID'])] = openFile
# The client MUST generate a handle for the Open, and it MUST
# return success and the generated handle to the calling application.
# In our case, str(FileID)
return str(createResponse['FileID'])
def close(self, treeId, fileId):
if self._Session['TreeConnectTable'].has_key(treeId) is False:
raise SessionError(STATUS_INVALID_PARAMETER)
if self._Session['OpenTable'].has_key(fileId) is False:
raise SessionError(STATUS_INVALID_PARAMETER)
packet = self.SMB_PACKET()
packet['Command'] = SMB2_CLOSE
packet['TreeID'] = treeId
smbClose = SMB2Close()
smbClose['Flags'] = 0
smbClose['FileID'] = fileId
packet['Data'] = smbClose
packetID = self.sendSMB(packet)
ans = self.recvSMB(packetID)
if ans.isValidAnswer(STATUS_SUCCESS):
del(self.GlobalFileTable[self._Session['OpenTable'][fileId]['FileName']])
del(self._Session['OpenTable'][fileId])
# ToDo Remove stuff from GlobalFileTable
return True
def read(self, treeId, fileId, offset = 0, bytesToRead = 0, waitAnswer = True):
# IMPORTANT NOTE: As you can see, this was coded as a recursive function
# Hence, you can exhaust the memory pretty easy ( large bytesToRead )
# This function should NOT be used for reading files directly, but another higher
# level function should be used that will break the read into smaller pieces
if self._Session['TreeConnectTable'].has_key(treeId) is False:
raise SessionError(STATUS_INVALID_PARAMETER)
if self._Session['OpenTable'].has_key(fileId) is False:
raise SessionError(STATUS_INVALID_PARAMETER)
packet = self.SMB_PACKET()
packet['Command'] = SMB2_READ
packet['TreeID'] = treeId
if self._Connection['MaxReadSize'] < bytesToRead:
maxBytesToRead = self._Connection['MaxReadSize']
else:
maxBytesToRead = bytesToRead
if self._Connection['Dialect'] != SMB2_DIALECT_002 and self._Connection['SupportsMultiCredit'] is True:
packet['CreditCharge'] = ( 1 + (maxBytesToRead - 1) / 65536)
else:
maxBytesToRead = min(65536,bytesToRead)
smbRead = SMB2Read()
smbRead['Padding'] = 0x50
smbRead['FileID'] = fileId
smbRead['Length'] = maxBytesToRead
smbRead['Offset'] = offset
packet['Data'] = smbRead
packetID = self.sendSMB(packet)
ans = self.recvSMB(packetID)
if ans.isValidAnswer(STATUS_SUCCESS):
readResponse = SMB2Read_Response(ans['Data'])
retData = readResponse['Buffer']
if readResponse['DataRemaining'] > 0:
retData += self.read(treeId, fileId, offset+len(retData), readResponse['DataRemaining'], waitAnswer)
return retData
def write(self, treeId, fileId, data, offset = 0, bytesToWrite = 0, waitAnswer = True):
# IMPORTANT NOTE: As you can see, this was coded as a recursive function
# Hence, you can exhaust the memory pretty easy ( large bytesToWrite )
# This function should NOT be used for writing directly to files, but another higher
# level function should be used that will break the writes into smaller pieces
if self._Session['TreeConnectTable'].has_key(treeId) is False:
raise SessionError(STATUS_INVALID_PARAMETER)
if self._Session['OpenTable'].has_key(fileId) is False:
raise SessionError(STATUS_INVALID_PARAMETER)
packet = self.SMB_PACKET()
packet['Command'] = SMB2_WRITE
packet['TreeID'] = treeId
if self._Connection['MaxWriteSize'] < bytesToWrite:
maxBytesToWrite = self._Connection['MaxWriteSize']
else:
maxBytesToWrite = bytesToWrite
if self._Connection['Dialect'] != SMB2_DIALECT_002 and self._Connection['SupportsMultiCredit'] is True:
packet['CreditCharge'] = ( 1 + (maxBytesToWrite - 1) / 65536)
else:
maxBytesToWrite = min(65536,bytesToWrite)
smbWrite = SMB2Write()
smbWrite['FileID'] = fileId
smbWrite['Length'] = maxBytesToWrite
smbWrite['Offset'] = offset
smbWrite['WriteChannelInfoOffset'] = 0
smbWrite['Buffer'] = data[:maxBytesToWrite]
packet['Data'] = smbWrite
packetID = self.sendSMB(packet)
if waitAnswer is True:
ans = self.recvSMB(packetID)
else:
return maxBytesToWrite
if ans.isValidAnswer(STATUS_SUCCESS):
writeResponse = SMB2Write_Response(ans['Data'])
bytesWritten = writeResponse['Count']
if bytesWritten < bytesToWrite:
bytesWritten += self.write(treeId, fileId, data[bytesWritten:], offset+bytesWritten, bytesToWrite-bytesWritten, waitAnswer)
return bytesWritten
def queryDirectory(self, treeId, fileId, searchString = '*', resumeIndex = 0, informationClass = FILENAMES_INFORMATION, maxBufferSize = None, enumRestart = False, singleEntry = False):
if self._Session['TreeConnectTable'].has_key(treeId) is False:
raise SessionError(STATUS_INVALID_PARAMETER)
if self._Session['OpenTable'].has_key(fileId) is False:
raise SessionError(STATUS_INVALID_PARAMETER)
packet = self.SMB_PACKET()
packet['Command'] = SMB2_QUERY_DIRECTORY
packet['TreeID'] = treeId
queryDirectory = SMB2QueryDirectory()
queryDirectory['FileInformationClass'] = informationClass
if resumeIndex != 0 :
queryDirectory['Flags'] = SMB2_INDEX_SPECIFIED
queryDirectory['FileIndex'] = resumeIndex
queryDirectory['FileID'] = fileId
if maxBufferSize is None:
maxBufferSize = self._Connection['MaxReadSize']
queryDirectory['OutputBufferLength'] = maxBufferSize
queryDirectory['FileNameLength'] = len(searchString)*2
queryDirectory['Buffer'] = searchString.encode('utf-16le')
packet['Data'] = queryDirectory
if self._Connection['Dialect'] != SMB2_DIALECT_002 and self._Connection['SupportsMultiCredit'] is True:
packet['CreditCharge'] = ( 1 + (maxBufferSize - 1) / 65536)
packetID = self.sendSMB(packet)
ans = self.recvSMB(packetID)
if ans.isValidAnswer(STATUS_SUCCESS):
queryDirectoryResponse = SMB2QueryDirectory_Response(ans['Data'])
return queryDirectoryResponse['Buffer']
def echo(self):
packet = self.SMB_PACKET()
packet['Command'] = SMB2_ECHO
smbEcho = SMB2Echo()
packet['Data'] = smbEcho
packetID = self.sendSMB(packet)
ans = self.recvSMB(packetID)
if ans.isValidAnswer(STATUS_SUCCESS):
return True
def cancel(self, packetID):
packet = self.SMB_PACKET()
packet['Command'] = SMB2_CANCEL
packet['MessageID'] = packetID
smbCancel = SMB2Cancel()
packet['Data'] = smbCancel
self.sendSMB(packet)
def ioctl(self, treeId, fileId = None, ctlCode = -1, flags = 0, inputBlob = '', maxInputResponse = None, maxOutputResponse = None, waitAnswer = 1):
if self._Session['TreeConnectTable'].has_key(treeId) is False:
raise SessionError(STATUS_INVALID_PARAMETER)
if fileId is None:
fileId = '\xff'*16
else:
if self._Session['OpenTable'].has_key(fileId) is False:
raise SessionError(STATUS_INVALID_PARAMETER)
packet = self.SMB_PACKET()
packet['Command'] = SMB2_IOCTL
packet['TreeID'] = treeId
smbIoctl = SMB2Ioctl()
smbIoctl['FileID'] = fileId
smbIoctl['CtlCode'] = ctlCode
smbIoctl['MaxInputResponse'] = maxInputResponse
smbIoctl['MaxOutputResponse'] = maxOutputResponse
smbIoctl['InputCount'] = len(inputBlob)
if len(inputBlob) == 0:
smbIoctl['InputOffset'] = 0
smbIoctl['Buffer'] = '\x00'
else:
smbIoctl['Buffer'] = inputBlob
smbIoctl['OutputOffset'] = 0
smbIoctl['MaxOutputResponse'] = maxOutputResponse
smbIoctl['Flags'] = flags
packet['Data'] = smbIoctl
packetID = self.sendSMB(packet)
if waitAnswer == 0:
return True
ans = self.recvSMB(packetID)
if ans.isValidAnswer(STATUS_SUCCESS):
smbIoctlResponse = SMB2Ioctl_Response(ans['Data'])
return smbIoctlResponse['Buffer']
def flush(self,treeId, fileId):
if self._Session['TreeConnectTable'].has_key(treeId) is False:
raise SessionError(STATUS_INVALID_PARAMETER)
if self._Session['OpenTable'].has_key(fileId) is False:
raise SessionError(STATUS_INVALID_PARAMETER)
packet = self.SMB_PACKET()
packet['Command'] = SMB2_FLUSH
packet['TreeID'] = treeId
smbFlush = SMB2Flush()
smbFlush['FileID'] = fileId
packet['Data'] = smbFlush
packetID = self.sendSMB(packet)
ans = self.recvSMB(packetID)
if ans.isValidAnswer(STATUS_SUCCESS):
return True
def lock(self, treeId, fileId, locks, lockSequence = 0):
if self._Session['TreeConnectTable'].has_key(treeId) is False:
raise SessionError(STATUS_INVALID_PARAMETER)
if self._Session['OpenTable'].has_key(fileId) is False:
raise SessionError(STATUS_INVALID_PARAMETER)
packet = self.SMB_PACKET()
packet['Command'] = SMB2_LOCK
packet['TreeID'] = treeId
smbLock = SMB2Lock()
smbLock['FileID'] = fileId
smbLock['LockCount'] = len(locks)
smbLock['LockSequence'] = lockSequence
smbLock['Locks'] = ''.join(str(x) for x in locks)
packet['Data'] = smbLock
packetID = self.sendSMB(packet)
ans = self.recvSMB(packetID)
if ans.isValidAnswer(STATUS_SUCCESS):
smbFlushResponse = SMB2Lock_Response(ans['Data'])
return True
# ToDo:
# If Open.ResilientHandle is TRUE or Connection.SupportsMultiChannel is TRUE, the client MUST
# do the following:
# The client MUST scan through Open.OperationBuckets and find an element with its Free field
# set to TRUE. If no such element could be found, an implementation-specific error MUST be
# returned to the application.
# Let the zero-based array index of the element chosen above be referred to as BucketIndex, and
# let BucketNumber = BucketIndex +1.
# Set Open.OperationBuckets[BucketIndex].Free = FALSE
# Let the SequenceNumber of the element chosen above be referred to as BucketSequence.
# The LockSequence field of the SMB2 lock request MUST be set to (BucketNumber<< 4) +
# BucketSequence.
# Increment the SequenceNumber of the element chosen above using MOD 16 arithmetic.
def logoff(self):
packet = self.SMB_PACKET()
packet['Command'] = SMB2_LOGOFF
smbLogoff = SMB2Logoff()
packet['Data'] = smbLogoff
packetID = self.sendSMB(packet)
ans = self.recvSMB(packetID)
if ans.isValidAnswer(STATUS_SUCCESS):
# We clean the stuff we used in case we want to authenticate again
# within the same connection
self._Session['UserCredentials'] = ''
self._Session['Connection'] = 0
self._Session['SessionID'] = 0
self._Session['SigningRequired'] = False
self._Session['SigningKey'] = ''
self._Session['SessionKey'] = ''
self._Session['SigningActivated'] = False
return True
def queryInfo(self, treeId, fileId, inputBlob = '', infoType = SMB2_0_INFO_FILE, fileInfoClass = SMB2_FILE_STANDARD_INFO, additionalInformation = 0, flags = 0 ):
if self._Session['TreeConnectTable'].has_key(treeId) is False:
raise SessionError(STATUS_INVALID_PARAMETER)
if self._Session['OpenTable'].has_key(fileId) is False:
raise SessionError(STATUS_INVALID_PARAMETER)
packet = self.SMB_PACKET()
packet['Command'] = SMB2_QUERY_INFO
packet['TreeID'] = treeId
queryInfo = SMB2QueryInfo()
queryInfo['FileID'] = fileId
queryInfo['InfoType'] = SMB2_0_INFO_FILE
queryInfo['FileInfoClass'] = fileInfoClass
queryInfo['OutputBufferLength'] = 65535
queryInfo['AdditionalInformation'] = additionalInformation
if len(inputBlob) == 0:
queryInfo['InputBufferOffset'] = 0
queryInfo['Buffer'] = '\x00'
else:
queryInfo['InputBufferLength'] = len(inputBlob)
queryInfo['Buffer'] = inputBlob
queryInfo['Flags'] = flags
packet['Data'] = queryInfo
packetID = self.sendSMB(packet)
ans = self.recvSMB(packetID)
if ans.isValidAnswer(STATUS_SUCCESS):
queryResponse = SMB2QueryInfo_Response(ans['Data'])
return queryResponse['Buffer']
def setInfo(self, treeId, fileId, inputBlob = '', infoType = SMB2_0_INFO_FILE, fileInfoClass = SMB2_FILE_STANDARD_INFO, additionalInformation = 0 ):
if self._Session['TreeConnectTable'].has_key(treeId) is False:
raise SessionError(STATUS_INVALID_PARAMETER)
if self._Session['OpenTable'].has_key(fileId) is False:
raise SessionError(STATUS_INVALID_PARAMETER)
packet = self.SMB_PACKET()
packet['Command'] = SMB2_SET_INFO
packet['TreeID'] = treeId
setInfo = SMB2SetInfo()
setInfo['InfoType'] = SMB2_0_INFO_FILE
setInfo['FileInfoClass'] = fileInfoClass
setInfo['BufferLength'] = len(inputBlob)
setInfo['AdditionalInformation'] = additionalInformation
setInfo['FileID'] = fileId
setInfo['Buffer'] = inputBlob
packet['Data'] = setInfo
packetID = self.sendSMB(packet)
ans = self.recvSMB(packetID)
if ans.isValidAnswer(STATUS_SUCCESS):
return True
def getSessionKey(self):
if self.getDialect() == SMB2_DIALECT_30:
return self._Session['ApplicationKey']
else:
return self._Session['SessionKey']
def setSessionKey(self, key):
if self.getDialect() == SMB2_DIALECT_30:
self._Session['ApplicationKey'] = key
else:
self._Session['SessionKey'] = key
######################################################################
# Higher level functions
def rename(self, shareName, oldPath, newPath):
oldPath = string.replace(oldPath,'/', '\\')
oldPath = ntpath.normpath(oldPath)
if len(oldPath) > 0 and oldPath[0] == '\\':
oldPath = oldPath[1:]
newPath = string.replace(newPath,'/', '\\')
newPath = ntpath.normpath(newPath)
if len(newPath) > 0 and newPath[0] == '\\':
newPath = newPath[1:]
treeId = self.connectTree(shareName)
fileId = None
try:
fileId = self.create(treeId, oldPath, MAXIMUM_ALLOWED ,FILE_SHARE_READ | FILE_SHARE_WRITE |FILE_SHARE_DELETE, 0x200020, FILE_OPEN, 0)
renameReq = FILE_RENAME_INFORMATION_TYPE_2()
renameReq['ReplaceIfExists'] = 1
renameReq['RootDirectory'] = '\x00'*8
renameReq['FileNameLength'] = len(newPath)*2
renameReq['FileName'] = newPath.encode('utf-16le')
self.setInfo(treeId, fileId, renameReq, infoType = SMB2_0_INFO_FILE, fileInfoClass = SMB2_FILE_RENAME_INFO)
finally:
if fileId is not None:
self.close(treeId, fileId)
self.disconnectTree(treeId)
return True
def writeFile(self, treeId, fileId, data, offset = 0):
finished = False
writeOffset = offset
while not finished:
if len(data) == 0:
break
writeData = data[:self._Connection['MaxWriteSize']]
data = data[self._Connection['MaxWriteSize']:]
written = self.write(treeId, fileId, writeData, writeOffset, len(writeData))
writeOffset += written
return writeOffset - offset
def listPath(self, shareName, path, password = None):
# ToDo: Handle situations where share is password protected
path = string.replace(path,'/', '\\')
path = ntpath.normpath(path)
if len(path) > 0 and path[0] == '\\':
path = path[1:]
treeId = self.connectTree(shareName)
fileId = None
try:
# ToDo, we're assuming it's a directory, we should check what the file type is
fileId = self.create(treeId, ntpath.dirname(path), FILE_READ_ATTRIBUTES | FILE_READ_DATA ,FILE_SHARE_READ | FILE_SHARE_WRITE |FILE_SHARE_DELETE, FILE_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN, 0)
res = ''
files = []
from impacket import smb
while True:
try:
res = self.queryDirectory( treeId, fileId, ntpath.basename(path), maxBufferSize = 65535, informationClass = FILE_FULL_DIRECTORY_INFORMATION )
nextOffset = 1
while nextOffset != 0:
fileInfo = smb.SMBFindFileFullDirectoryInfo(smb.SMB.FLAGS2_UNICODE)
fileInfo.fromString(res)
files.append(smb.SharedFile(fileInfo['CreationTime'],fileInfo['LastAccessTime'],fileInfo['LastChangeTime'],fileInfo['EndOfFile'],fileInfo['AllocationSize'],fileInfo['ExtFileAttributes'],fileInfo['FileName'].decode('utf-16le'), fileInfo['FileName'].decode('utf-16le')))
nextOffset = fileInfo['NextEntryOffset']
res = res[nextOffset:]
except SessionError, e:
if (e.get_error_code()) != STATUS_NO_MORE_FILES:
raise
break
finally:
if fileId is not None:
self.close(treeId, fileId)
self.disconnectTree(treeId)
return files
def mkdir(self, shareName, pathName, password = None):
# ToDo: Handle situations where share is password protected
pathName = string.replace(pathName,'/', '\\')
pathName = ntpath.normpath(pathName)
if len(pathName) > 0 and pathName[0] == '\\':
pathName = pathName[1:]
treeId = self.connectTree(shareName)
fileId = None
try:
fileId = self.create(treeId, pathName,GENERIC_ALL ,FILE_SHARE_READ | FILE_SHARE_WRITE |FILE_SHARE_DELETE, FILE_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT, FILE_CREATE, 0)
finally:
if fileId is not None:
self.close(treeId, fileId)
self.disconnectTree(treeId)
return True
def rmdir(self, shareName, pathName, password = None):
# ToDo: Handle situations where share is password protected
pathName = string.replace(pathName,'/', '\\')
pathName = ntpath.normpath(pathName)
if len(pathName) > 0 and pathName[0] == '\\':
pathName = pathName[1:]
treeId = self.connectTree(shareName)
fileId = None
try:
fileId = self.create(treeId, pathName, DELETE, FILE_SHARE_DELETE, FILE_DIRECTORY_FILE | FILE_DELETE_ON_CLOSE, FILE_OPEN, 0)
finally:
if fileId is not None:
self.close(treeId, fileId)
self.disconnectTree(treeId)
return True
def remove(self, shareName, pathName, password = None):
# ToDo: Handle situations where share is password protected
pathName = string.replace(pathName,'/', '\\')
pathName = ntpath.normpath(pathName)
if len(pathName) > 0 and pathName[0] == '\\':
pathName = pathName[1:]
treeId = self.connectTree(shareName)
fileId = None
try:
fileId = self.create(treeId, pathName,DELETE | FILE_READ_ATTRIBUTES, FILE_SHARE_DELETE, FILE_NON_DIRECTORY_FILE | FILE_DELETE_ON_CLOSE, FILE_OPEN, 0)
finally:
if fileId is not None:
self.close(treeId, fileId)
self.disconnectTree(treeId)
return True
def retrieveFile(self, shareName, path, callback, mode = FILE_OPEN, offset = 0, password = None, shareAccessMode = FILE_SHARE_READ):
# ToDo: Handle situations where share is password protected
path = string.replace(path,'/', '\\')
path = ntpath.normpath(path)
if len(path) > 0 and path[0] == '\\':
path = path[1:]
treeId = self.connectTree(shareName)
fileId = None
from impacket import smb
try:
fileId = self.create(treeId, path, FILE_READ_DATA, shareAccessMode, FILE_NON_DIRECTORY_FILE, mode, 0)
res = self.queryInfo(treeId, fileId)
fileInfo = smb.SMBQueryFileStandardInfo(res)
fileSize = fileInfo['EndOfFile']
if (fileSize-offset) < self._Connection['MaxReadSize']:
# Skip reading 0 bytes files.
if (fileSize-offset) > 0:
data = self.read(treeId, fileId, offset, fileSize-offset)
callback(data)
else:
written = 0
toBeRead = fileSize-offset
while written < toBeRead:
data = self.read(treeId, fileId, offset, self._Connection['MaxReadSize'])
written += len(data)
offset += len(data)
callback(data)
finally:
if fileId is not None:
self.close(treeId, fileId)
self.disconnectTree(treeId)
def storeFile(self, shareName, path, callback, mode = FILE_OVERWRITE_IF, offset = 0, password = None, shareAccessMode = FILE_SHARE_WRITE):
# ToDo: Handle situations where share is password protected
path = string.replace(path,'/', '\\')
path = ntpath.normpath(path)
if len(path) > 0 and path[0] == '\\':
path = path[1:]
treeId = self.connectTree(shareName)
fileId = None
try:
fileId = self.create(treeId, path, FILE_WRITE_DATA, shareAccessMode, FILE_NON_DIRECTORY_FILE, mode, 0)
finished = False
writeOffset = offset
while not finished:
data = callback(self._Connection['MaxWriteSize'])
if len(data) == 0:
break
written = self.write(treeId, fileId, data, writeOffset, len(data))
writeOffset += written
finally:
if fileId is not None:
self.close(treeId, fileId)
self.disconnectTree(treeId)
def waitNamedPipe(self, treeId, pipename, timeout = 5):
pipename = ntpath.basename(pipename)
if self._Session['TreeConnectTable'].has_key(treeId) is False:
raise SessionError(STATUS_INVALID_PARAMETER)
if len(pipename) > 0xffff:
raise SessionError(STATUS_INVALID_PARAMETER)
pipeWait = FSCTL_PIPE_WAIT_STRUCTURE()
pipeWait['Timeout'] = timeout*100000
pipeWait['NameLength'] = len(pipename)*2
pipeWait['TimeoutSpecified'] = 1
pipeWait['Name'] = pipename.encode('utf-16le')
return self.ioctl(treeId, None, FSCTL_PIPE_WAIT,flags=SMB2_0_IOCTL_IS_FSCTL, inputBlob=pipeWait, maxInputResponse = 0, maxOutputResponse=0)
def getIOCapabilities(self):
res = dict()
res['MaxReadSize'] = self._Connection['MaxReadSize']
res['MaxWriteSize'] = self._Connection['MaxWriteSize']
return res
######################################################################
# Backward compatibility functions and alias for SMB1 and DCE Transports
# NOTE: It is strongly recommended not to use these commands
# when implementing new client calls.
get_server_name = getServerName
get_server_domain = getServerDomain
get_server_dns_domain_name = getServerDNSDomainName
get_remote_name = getServerName
get_remote_host = getServerIP
get_server_os = getServerOS
get_server_os_major = getServerOSMajor
get_server_os_minor = getServerOSMinor
get_server_os_build = getServerOSBuild
tree_connect_andx = connectTree
tree_connect = connectTree
connect_tree = connectTree
disconnect_tree = disconnectTree
set_timeout = setTimeout
use_timeout = useTimeout
stor_file = storeFile
retr_file = retrieveFile
list_path = listPath
def __del__(self):
if self._NetBIOSSession:
self._NetBIOSSession.close()
def doesSupportNTLMv2(self):
# Always true :P
return True
def is_login_required(self):
# Always true :P
return True
def is_signing_required(self):
return self._Session["SigningRequired"]
def nt_create_andx(self, treeId, fileName, smb_packet=None, cmd = None):
if len(fileName) > 0 and fileName[0] == '\\':
fileName = fileName[1:]
if cmd is not None:
from impacket import smb
ntCreate = smb.SMBCommand(data = str(cmd))
params = smb.SMBNtCreateAndX_Parameters(ntCreate['Parameters'])
return self.create(treeId, fileName, params['AccessMask'], params['ShareAccess'],
params['CreateOptions'], params['Disposition'], params['FileAttributes'],
params['Impersonation'], params['SecurityFlags'])
else:
return self.create(treeId, fileName,
FILE_READ_DATA | FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_READ_EA |
FILE_WRITE_EA | FILE_WRITE_ATTRIBUTES | FILE_READ_ATTRIBUTES | READ_CONTROL,
FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_NON_DIRECTORY_FILE, FILE_OPEN, 0 )
def get_socket(self):
return self._NetBIOSSession.get_socket()
def write_andx(self,tid,fid,data, offset = 0, wait_answer=1, write_pipe_mode = False, smb_packet=None):
# ToDo: Handle the custom smb_packet situation
return self.write(tid, fid, data, offset, len(data))
def TransactNamedPipe(self, tid, fid, data, noAnswer = 0, waitAnswer = 1, offset = 0):
return self.ioctl(tid, fid, FSCTL_PIPE_TRANSCEIVE, SMB2_0_IOCTL_IS_FSCTL, data, maxOutputResponse = 65535, waitAnswer = noAnswer | waitAnswer)
def TransactNamedPipeRecv(self):
ans = self.recvSMB()
if ans.isValidAnswer(STATUS_SUCCESS):
smbIoctlResponse = SMB2Ioctl_Response(ans['Data'])
return smbIoctlResponse['Buffer']
def read_andx(self, tid, fid, offset=0, max_size = None, wait_answer=1, smb_packet=None):
# ToDo: Handle the custom smb_packet situation
if max_size is None:
max_size = self._Connection['MaxReadSize']
return self.read(tid, fid, offset, max_size, wait_answer)
def list_shared(self):
# In the context of SMB2/3, forget about the old LANMAN, throw NOT IMPLEMENTED
raise SessionError(STATUS_NOT_IMPLEMENTED)
def open_andx(self, tid, fileName, open_mode, desired_access):
# ToDo Return all the attributes of the file
if len(fileName) > 0 and fileName[0] == '\\':
fileName = fileName[1:]
fileId = self.create(tid,fileName,desired_access, open_mode, FILE_NON_DIRECTORY_FILE, open_mode, 0)
return fileId, 0, 0, 0, 0, 0, 0, 0, 0