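# -*- Fundamental -*-
#
# (C) 2006 Tenable Network Security
#
# This script is released under one of the Tenable Script Licenses and may not
# be used from within scripts released under another license without the
# authorization from Tenable Network Security Inc.
#
# See the following licenses for details :
# http://www.nessus.org/plugins/RegisteredFeed.pdf
# http://www.nessus.org/plugins/TenableCommercial.pdf
# http://www.nessus.org/plugins/DirectFeed.pdf
# http://www.nessus.org/plugins/DirectFeedCommercial.pdf
#
#
# @NOGPL@
#
# smb_cifs.inc
# $Revision: 1.6 $
#

#==================================================================#
# Section 3. SMB functions                                         #
#==================================================================#

#---------------------------------------------------------#
# Function    : smb_parameters                            #
# Description : Create SMB parameters structure           #
#---------------------------------------------------------#
#
# Returns raw_byte(WordCount) + data, where WordCount is the
# number of 16-bit words in 'data' (strlen / 2). A NULL or
# empty 'data' yields a WordCount of 0.
#
function smb_parameters (data)
{
 local_var count;

 if ( !data )
   count = 0;
 else
   count = strlen (data) / 2;

 return raw_byte (b:count) + data;
}

#---------------------------------------------------------#
# Function    : smb_data                                  #
# Description : Create SMB data structure                 #
#---------------------------------------------------------#
#
# Returns raw_word(ByteCount) + data, where ByteCount is
# strlen(data) (0 for a NULL 'data').
#
function smb_data (data)
{
 local_var count;

 if ( isnull (data) )
   count = 0;
 else
   count = strlen (data);

 return raw_word (w:count) + data;
}

#---------------------------------------------------------#
# Function    : netbios_header                            #
# Description : Build the 4-byte NetBIOS session header   #
#---------------------------------------------------------#
#
# One type byte followed by 'length' as a 24-bit big-endian
# value; bits above 24 are dropped by the masks. smb_recv
# decodes this field the same way.
#
function netbios_header (type, length)
{
 return raw_byte (b:type) + raw_string ( (length>>16) & 255, (length>>8) & 255, (length) & 255 );
}

#---------------------------------------------------------#
# Function    : netbios_packet                            #
# Description : Convert SMB to netbios packet             #
#---------------------------------------------------------#
#
# BYTE Type;      # 0 = session message
# BYTE Length[3]; # length is on 24bits
#
# When a signing key is set on the session, the 8-byte
# Signature field of the header (offsets 14..21) is replaced
# with the first 8 bytes of MD5(key + header + parameters +
# data); smb_header has already put (sequence number, 0) in
# that field, which is what the MD5 input must contain. The
# MAC is also kept in the global 'previous_hash' (deliberately
# not local_var) so that smb_recv can recognise a server that
# echoes our signature back.
#
#---------------------------------------------------------#
function netbios_packet (header, parameters, data)
{
 local_var length, netbios, head, hash, MAC, key;

 key = session_get_mackey ();
 if (key)
 {
   hash = MD5 (key + header + parameters + data);
   MAC = substr (hash, 0, 7);
   head = substr (header, 0, 13) + MAC + substr (header, 22, 31);
   previous_hash = MAC;   # global, read by smb_recv
 }
 else
   head = header;

 length = strlen (head) + strlen (parameters) + strlen (data);
 netbios = netbios_header (type:0, length:length) + head + parameters + data;

 return netbios;
}

#---------------------------------------------------------#
# Function    : smb_recv                                  #
# Description : Receive network smb packet                #
#---------------------------------------------------------#
#
# Reads one NetBIOS session message from the session socket
# and returns its payload (the SMB message), or NULL on a
# short read, a payload shorter than an SMB header (32 bytes)
# or a signature failure.
#
# Signature check (only when a signing key is set): the
# expected MAC is MD5(key + message with the Signature field
# replaced by (sequence number, 0)), i.e. the message as the
# server signed it. If that fails and the key is 16 bytes, a
# second attempt is made with an all-zero 16-byte key, and the
# session key is left set to that zero key when it matches;
# if the server merely echoed the MAC we sent (previous_hash,
# set by netbios_packet), signing is switched off for the
# session. This fallback tolerates servers that stop signing
# on guest logon; it is NOT a strict signature verification.
#
#---------------------------------------------------------#
function smb_recv ()
{
 local_var header, len, trailer, socket, timeout, tmp, hash, key, sig;

 socket = session_get_socket ();
 timeout = session_get_timeout ();

 header = recv (socket:socket, length:4, min:4, timeout:timeout);
 if (strlen (header) < 4)
   return NULL;

 # 24-bit big-endian length, the inverse of netbios_header:
 # the high byte weighs 65536 (was 65535, which under-read
 # every message above 64 KiB by one byte per 64 KiB and
 # desynchronised the stream)
 len = 65536 * ord (header[1]) + 256 * ord (header[2]) + ord (header[3]);
 if (len < 32)
   return NULL;
 # defensive cap; anything beyond it stays unread on the socket
 if (len > 100000)
   len = 100000;

 trailer = recv (socket:socket, length:len, min:len, timeout:timeout);
 if (strlen (trailer) < len)
   return NULL;

 if (session_get_mackey ())
 {
   key = session_get_mackey ();
   sig = substr (trailer, 14, 21);
   # the message as the server signed it: Signature := seq number, 0
   tmp = substr (trailer, 0, 13) + raw_dword (d:session_get_sequencenumber ()) + raw_dword (d:0) + substr (trailer, 22, strlen (trailer) - 1);
   hash = substr (MD5 (key + tmp), 0, 7);

   # both operands are 8 bytes, so '>!<' amounts to inequality
   if (hash >!< sig)
   {
     if (strlen (key) == 16)
     {
       # retry with the all-zero key used for null sessions
       session_set_mackey (key:crap (data:raw_string (0), length:16));
       hash = substr (MD5 (session_get_mackey () + tmp), 0, 7);

       # guest logon disable smb signing
       if (previous_hash >< sig)
         session_set_mackey (key:NULL);
       # if signature is not correct we stop
       else if (hash >!< sig)
         return NULL;
     }
     else
       return NULL;
   }
 }

 # every signed message received consumes a sequence number
 if (session_get_mackey ())
   session_increase_sequencenumber ();

 return trailer;
}

#---------------------------------------------------------#
# Function    : smb_sendrecv                              #
# Description : Perform a client/server exchange          #
#---------------------------------------------------------#
#
# Sends 'data' (a complete NetBIOS packet) on the session
# socket and returns the reply as read by smb_recv (NULL on
# failure). A signed request consumes one sequence number.
#
#---------------------------------------------------------#
function smb_sendrecv (data)
{
 local_var socket;

 socket = session_get_socket ();
 send (socket:socket, data:data);

 if (session_get_mackey ())
   session_increase_sequencenumber ();

 return smb_recv ();
}

#---------------------------------------------------------#
# Function    : get_header_flags                          #
# Description : Extract Flags                             #
#---------------------------------------------------------#
# Flags is the byte at offset 9 (see the smb_header layout).
function get_header_flags (header)
{
 return get_byte (blob:header, pos:9);
}

#---------------------------------------------------------#
# Function    : get_header_flags2                         #
# Description : Extract Flags2                            #
#---------------------------------------------------------#
# Flags2 is the word at offset 10.
function get_header_flags2 (header)
{
 return get_word (blob:header, pos:10);
}

#---------------------------------------------------------#
# Function    : get_header_dos_error_code                 #
# Description : Extract DOS Error code                    #
#---------------------------------------------------------#
# The DOS 'Error' word sits at offset 7, after ErrorClass (5)
# and Reserved (6).
function get_header_dos_error_code (header)
{
 return get_word (blob:header, pos:7);
}

#---------------------------------------------------------#
# Function    : get_header_nt_error_code                  #
# Description : Extract NT Error code                     #
#---------------------------------------------------------#
# The 32-bit Status dword occupies offsets 5..8.
function get_header_nt_error_code (header)
{
 return get_dword (blob:header, pos:5);
}

#---------------------------------------------------------#
# Function    : get_header_command_code                   #
# Description : Extract Command code                      #
#---------------------------------------------------------#
# Command is the byte at offset 4, right after "\xFFSMB".
function get_header_command_code (header)
{
 return get_byte (blob:header, pos:4);
}

#---------------------------------------------------------#
# Function    : get_header_uid                            #
# Description : Extract User ID                           #
#---------------------------------------------------------#
# Uid is the word at offset 28.
function get_header_uid (header)
{
 return get_word (blob:header, pos:28);
}

#---------------------------------------------------------#
# Function    : get_header_tid                            #
# Description : Extract Tree ID                           #
#---------------------------------------------------------#
# Tid is the word at offset 24.
function get_header_tid (header)
{
 return get_word (blob:header, pos:24);
}

#---------------------------------------------------------#
# Function    : get_header_signature                      #
# Description : Extract Signature                         #
#---------------------------------------------------------#
# The 8-byte Signature field, offsets 14..21 inclusive.
function get_header_signature (header)
{
 return substr (header, 14, 21);
}

#---------------------------------------------------------#
# Function    : get_smb_header                            #
# Description : Extract SMB header from blob              #
#---------------------------------------------------------#
# Returns the first SMB_HDR_SIZE bytes, or NULL if the blob
# is shorter than that.
function get_smb_header (smbblob)
{
 if (strlen (smbblob) < SMB_HDR_SIZE)
   return NULL;

 return substr (smbblob, 0, SMB_HDR_SIZE - 1);
}

#---------------------------------------------------------#
# Function    : get_smb_parameters                        #
# Description : Extract SMB parameters from blob          #
#---------------------------------------------------------#
#
# The parameter block follows the header: one WordCount byte,
# then WordCount 16-bit words. Returns NULL when the blob is
# too short to hold the block it announces.
#
# NOTE(review): substr's end index is inclusive, so the slice
# returned is WordCount*2 + 1 bytes long (it takes in the low
# byte of the following ByteCount); get_smb_data uses '- 1'.
# Left as-is because callers may depend on a non-empty result
# when WordCount is 0.
#
function get_smb_parameters (smbblob)
{
 local_var WordCount;

 if (strlen (smbblob) < SMB_HDR_SIZE + 1)
   return NULL;

 WordCount = get_byte (blob:smbblob, pos:SMB_HDR_SIZE);

 if (strlen (smbblob) < (SMB_HDR_SIZE + 1 + WordCount * 2))
   return NULL;

 return substr (smbblob, SMB_HDR_SIZE + 1, SMB_HDR_SIZE + 1 + WordCount * 2);
}

#---------------------------------------------------------#
# Function    : get_smb_data                              #
# Description : Extract SMB data from blob                #
#---------------------------------------------------------#
#
# The data block follows the parameter block: a 16-bit
# ByteCount, then ByteCount bytes. Every length is checked
# against the blob before it is used; NULL is returned when
# the blob is too short.
#
function get_smb_data (smbblob)
{
 local_var WordCount, ByteCount, pos;

 if (strlen (smbblob) < SMB_HDR_SIZE + 1)
   return NULL;

 WordCount = get_byte (blob:smbblob, pos:SMB_HDR_SIZE);

 # need the whole parameter block plus the ByteCount word
 if (strlen (smbblob) < (SMB_HDR_SIZE + 1 + WordCount * 2 + 2))
   return NULL;

 pos = SMB_HDR_SIZE + 1 + WordCount * 2;
 ByteCount = get_word (blob:smbblob, pos:pos);

 if (strlen (smbblob) < (pos + 2 + ByteCount))
   return NULL;

 return substr (smbblob, pos + 2, pos + 2 + ByteCount - 1);
}

#---------------------------------------------------------#
# Function    : smb_header                                #
# Description : Generate header of SMB packet             #
#---------------------------------------------------------#
#
# SMB header structure
#
# struct {
#   BYTE  Protocol[4];   # "\xFFSMB"
#   BYTE  Command;
#   DWORD Status;        # Or BYTE ErrorClass;
#                        #    BYTE Reserved;
#                        #    WORD Error;
#   BYTE  Flags;
#   WORD  Flags2;
#   WORD  PidHigh;       # 0 like noone know it
#   BYTE  Signature[8];
#   WORD  Reserved;
#   WORD  Tid;           # Tree ID
#   WORD  Pid;           # Process ID
#   WORD  Uid;           # User ID
#   WORD  Mid;           # Multiplex ID
# }
#
# Command : command byte.
# Status  : appended as given (expected to be the 4 raw
#           Status bytes).
# Flags / Flags2 : OR-ed into the session defaults from
#           session_get_flags()/session_get_flags2(); when
#           omitted only the session defaults are used.
# The Signature field is pre-filled with (sequence number, 0);
# netbios_packet overwrites it with the MAC when signing is on.
# Tid/Pid/Uid/Mid come from the session state.
#
#---------------------------------------------------------#
function smb_header (Command, Status, Flags, Flags2)
{
 local_var header, fl, fl2;

 if (!isnull (Flags))
   fl = Flags;
 if (!isnull (Flags2))
   fl2 = Flags2;

 header = '\xFFSMB';
 header += raw_byte (b:Command);
 header += Status;
 header += raw_byte (b:session_get_flags () | fl);
 header += raw_word (w:session_get_flags2 () | fl2);
 header += raw_word (w:0);                                               # PidHigh
 header += raw_dword (d:session_get_sequencenumber ()) + raw_dword (d:0); # Signature
 header += raw_word (w:0);                                               # Reserved
 header += raw_word (w:session_get_tid ());
 header += raw_word (w:session_get_pid ());
 header += raw_word (w:session_get_uid ());
 header += raw_word (w:session_get_mid ());

 return header;
}

function smb_check_success (data)
{
 local_var header, flags2, code;

 # Some checks in the header first
 header = get_smb_header (smbblob:data);
 if (!header)
   return FALSE;

 flags2 = get_header_flags2 (header:header);
 if (flags2 & SMB_FLAGS2_32BIT_STATUS)
 {
   code = get_header_nt_error_code (header:header);
   if (code != STATUS_SUCCESS)
     return FALSE;
 }
 else
 {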