hdZddlZddlZddlZddlZddlZddlZddlmZm Z m Z ddl m Z ddl mZddlmZddlmZddlmZdd lmZmZmZmZmZdd lmZdd lmZmZdd l m!Z!m"Z"m#Z#dd l$m%Z%ddl&m'Z'm(Z(m)Z)ddl*m+Z+m,Z,m-Z-m.Z.ddl/m0Z0m1Z1ddl2m3Z3m4Z4m5Z5m6Z6m7Z7m8Z8m9Z9m:Z:m;Z;mZ>m?Z?m@Z@mAZAmBZBmCZCmDZDmEZEmFZFmGZGmHZHmIZImJZJmKZKmLZLmMZMmNZNmOZOmPZPmQZQmRZRmSZSmTZTmUZUmVZVmWZWmXZXmYZYmZZZm[Z[m\Z\m]Z]m^Z^m_Z_m`Z`maZambZbmcZcmdZdmeZemfZfmgZgmhZhmiZiddljmkZkGdde ZlGddeZmGdde emZnejojpGddeZqerdkrddlmsZseseqdSdS)z SMB 1 / 2 Client Automaton .. note:: You will find more complete documentation for this layer over at `SMB `_ N)ATMT Automaton ObjectPipe)Net)conf)Scapy_Exception) UTCTimeField) SuperSocket)CLIUtil pretty_list human_sizevalid_ip valid_ip6)RandUUID)NDRUnionfind_dcerpc_interface)GSS_S_COMPLETEGSS_S_CONTINUE_NEEDED GSS_C_FLAGS)Net6) KerberosSSPkrb_as_and_tgs _parse_upn)LPSHARE_ENUM_STRUCTNetrShareEnum_RequestNetrShareEnum_ResponseSHARE_INFO_1_CONTAINER)NTLMSSPMD4le) SMBNegotiate_Request'SMBNegotiate_Response_Extended_SecuritySMBNegotiate_Response_SecuritySMBSession_NullSMBSession_Setup_AndX_Request/SMBSession_Setup_AndX_Request_Extended_SecuritySMBSession_Setup_AndX_Response0SMBSession_Setup_AndX_Response_Extended_Security SMB_Dialect SMB_Header), DirectTCPFileAllInformationFileIdBothDirectoryInformation SMB_DIALECTSSMB2_Change_Notify_RequestSMB2_Change_Notify_ResponseSMB2_Close_RequestSMB2_Close_ResponseSMB2_Create_Context%SMB2_CREATE_DURABLE_HANDLE_REQUEST_V2SMB2_CREATE_REQUEST_LEASE_V2SMB2_CREATE_REQUEST_LEASESMB2_Create_RequestSMB2_Create_ResponseSMB2_Encryption_CapabilitiesSMB2_ENCRYPTION_CIPHERSSMB2_Error_Response SMB2_HeaderSMB2_IOCTL_RequestSMB2_IOCTL_ResponseSMB2_Negotiate_ContextSMB2_Negotiate_Protocol_Request SMB2_Negotiate_Protocol_Response!SMB2_Netname_Negotiate_Context_ID#SMB2_Preauth_Integrity_CapabilitiesSMB2_Query_Directory_RequestSMB2_Query_Directory_ResponseSMB2_Query_Info_RequestSMB2_Query_Info_ResponseSMB2_Read_RequestSMB2_Read_ResponseSMB2_Session_Setup_RequestSMB2_Session_Setup_ResponseSMB2_SIGNING_ALGORITHMSSMB2_Signing_CapabilitiesSMB2_Tree_Connect_RequestSMB2_Tree_Connect_ResponseSMB2_Tree_Disconnect_RequestSMB2_Tree_Disconnect_ResponseSMB2_Write_RequestSMB2_Write_ResponseSMBStreamSocketSRVSVC_SHARE_TYPES STATUS_ERREF) SPNEGOSSPc eZdZdZdZeZd(dZedZ e dZ fdZ e jd d Ze jed Ze jed d Ze jedZe jdZe jdZe jedZe jedZe jedZe jd(dZdZe jed dZe jdZe jedZe jedZ e jddZ!e jd(dZ"e je"d dZ#e jdZ$e je$dZ%e jd Z&e je&d!Z'e je'd"Z(e j)e&d#d$%d&Z*e je*d'Z+xZ,S)) SMB_Clienta SMB client automaton :param sock: the SMBStreamSocket to use :param ssp: the SSP to use All other options (in caps) are optional, and SMB specific: :param REQUIRE_SIGNATURE: set 'Require Signature' :param MIN_DIALECT: minimum SMB dialect. Defaults to 0x0202 (2.0.2) :param MAX_DIALECT: maximum SMB dialect. Defaults to 0x0311 (3.1.1) :param DIALECTS: list of supported SMB2 dialects. Constructed from MIN_DIALECT, MAX_DIALECT otherwise. NcP|dd_|dd_|dd_|dd_|dd_|d d _d |vr|d _nR|d d |dd_tfddD_d_ d_ d_ t_d_d_d_d_|t)t+ddg}||d<t-jg|Ri|jrt3j_|j_|djrdnt=t?|j_ jj_!dS)NEXTENDED_SECURITYTUSE_SMB1FREQUIRE_SIGNATURERETRYrSMB2 SERVER_NAMEDIALECTS MIN_DIALECT MAX_DIALECTc6g|]}|k|jk|S)re).0xrcselfs Z/mounts/lovelace/software/anaconda3/lib/python3.11/site-packages/scapy/layers/smbclient.py z'SMB_Client.__init__..s;K''A1A,A,A,A,A,A)rdirf)rrguestrnUPNHASHNTsock SECURITY_MODE)"popr[r\r]r^r_r`rbresortedIsGuest ErrorStatusNegotiateCapabilitiesr_fixGUIDSequenceWindowMaxTransactionSize MaxReadSize MaxWriteSizerVrr__init__is_atmt_socket threadingEventsmb_sock_readysessionsspintbool SecurityModeDialect)rkrurargskwargsrcs` @rlrzSMB_Client.__init__s<!',?!F!F :u55 !',?!G!GZZ++ JJvu-- !::mR88   "JJz22DMM **]F;;K%zz-@@D "EDM %)"JJOO%% $"# ;#"Cv          4"+/"3"3D  $*JJ ' ;AASc^^% %  ! $/ rnc F|jdt|tfi|SN)smblinkrSr*clsrurs rl from_tcpsockzSMB_Client.from_tcpsocks7s{  D) , ,     rnc|jjSr)rurrks rlrzSMB_Client.sessionsy  rnc|jjdkr@t|jtr%t |jj}|t urd|_n|ttttttfvr|tkr |jj}n|tkrt|jj}no|tkr2t#t|jj|jj}n2|tttfvr |jj}nt+dd|dz dzz|_nd|_|jdz|_|jd|_t3t4||S)Nrdrzimpossible casei)rr isinstancepayloadr;typer? CreditChargerGrQr<rCr.rELengthlenDatamaxInputMaxOutputResponseOutputBufferLength RuntimeError CreditRequestrMIDsuperrXsend)rkpkttypr __class__s rlrzSMB_Client.sendsr < & ( (Z [-Q-Q (s{*++C555#$  !"",*' +++ [/FF... !122FF... S[%6!7!79VWWFF0.+ ![;FF&'8999#$ u'<#<  $% # 01 4C %a(Z&&++C000rnr)initialcdSrrhrs rlBEGINzSMB_Client.BEGIN rnc|jr8ttdz |_|dS)N)PID)r_r*r; smb_headerSMB2_NEGOTIATErs rl continue_smb2zSMB_Client.continue_smb2sC 9 ('kkKF,C,C,CCDO%%'' ' ( (rn)prioc*|rSENT_NEGOTIATErs rlsend_negotiatezSMB_Client.send_negotiate!!###rncttdddddz |_|jr|jxjdz c_|jt dgd|jsd d gngzD z }|js|xjdzc_|tjd z d z|t_||dS)NzILONG_NAMES+EAS+NT_STATUS+UNICODE+SMB_SECURITY_SIGNATURE+EXTENDED_SECURITYrr)Flags2TIDPIDLowUIDrr[c.g|]}t|S)) DialectString)r(rirjs rlrmz+SMB_Client.on_negotiate..s3   !,,,   rn)zPC NETWORK PROGRAM 1.0z LANMAN1.0zWindows for Workgroups 3.1az LM1.2X002z LANMAN2.1z NT LM 0.12z SMB 2.002z SMB 2.???)DialectsSMB_SECURITY_SIGNATUREz,SMB_SECURITY_SIGNATURE_REQUIRED+IS_LONG_NAME) r*r)rr[rcopyr r\rrkrs rl on_negotiatezSMB_Client.on_negotiate s#$++ ; ) ) )    ! : O " "&9 9 " "o""$$';  6:]JK--L    ( ( (  % . JJ- -JJ  O "& '< = J #rncdSrrhrs rlrzSMB_Client.SENT_NEGOTIATE1rrncdSrrhrs rlrzSMB_Client.SMB2_NEGOTIATE5rrnc*|rrrs rlsend_negotiate_smb2zSMB_Client.send_negotiate_smb29rrnc|jt|j|jjz }|jdkr |j|_d gd|_ |jdkr(|xj dd gdzz c_ |jdkr|xj dz c_ |jdkrtt|jj g|jj z tt|jjg z tt#|j z tt'|jjg z g|_|j |_|||jt3|t4dS) N)rrro+)DFSLEASING LARGE_MTUrp) MULTI_CHANNELPERSISTENT_HANDLESDIRECTORY_LEASINGz +ENCRYPTIONrf)HashAlgorithmsSalt)Ciphers)NetName)SigningAlgorithms)rrr?rbrrrer~ ClientGUIDjoinr|r>rBPreauthIntegrityHashIdrr8CipherIdrAr`rLSigningAlgorithmIdNegotiateContexts CapabilitiesrcomputeSMBConnectionPreauthbytesr;rs rlon_negotiate_smb2zSMB_Client.on_negotiate_smb2=s o""$$'F]2( ( (    v % %"YCN%(XX   & & "  v % %  & &#11+  & &  v % %  & &- 7 & &  v % %'((5$(L$G#H* '((.!\23 '((3 ,'((+'+|'F&G#%C !. 5 # 00 #k" # #     rnct|vs t|vr |j}n#t$rd}YnwxYwt|vrU|jdzdkrGd|_t tddz |_d|_ | t|vr|j|j _ |j t|t|j|_|j|_|j|_|j j dkrl|jre|jD]]}|jdkr#t*|jd |j _0|jd kr"t0|jd |j _^||||t:|vr||jdS) N)rrrr)rrTrfr)r!r@ SecurityBlobAttributeErrorDialectRevisionrr*r;rr_rrrrrrrrNegotiateContextsCountr ContextTyper9rrrKrrupdate_smbheader NEGOTIATEDr" Challenge)rkrssp_blobngctxs rlreceive_negotiate_responsez%SMB_Client.receive_negotiate_response~s 4s : :/366 +!    1C77'$.$66'-#"+++ A0N0N0N"N  ))+++3s::+.+>DL(L<<c+.//(+D$.1.DD+(+(8D%|+v55#:T5%(%: " "E$0F::8O$)M!$49" 5 5"'!2f!>yIIIrncdSrrhrs rlrz"SMB_Client.SENT_SETUP_ANDX_REQUESTrrncR|\|j_}}|jr|tkrd|_|js|jrq|jr6|jtd|jj z }n,|jtdddz }||_ n.|jtdddd| z }| ||jr4|jt|t dSdS) Nrr)rrzJUNICODE+NT_SMBS+STATUS32+LEVEL_II_OPLOCKS+DYNAMIC_REAUTH+EXTENDED_SECURITYrn)ServerCapabilitiesNativeOS NativeLanManz)UNICODE+NT_SMBS+STATUS32+LEVEL_II_OPLOCKSs)r r r  OEMPasswordUnicodePassword)rrr_rrr[rrrIrr%rr$rcomputeSMBSessionPreauthrr;)rkrtokenrrs rlsend_setup_andx_requestz"SMB_Client.send_setup_andx_requestsa4=1  9 &;;;DN 9 . y o**,,/I!&!%!:000O((**E?"%%(  %C  /&&((+H#N & % ,,,C # 9  L 1 1c+&''       rncFt|vst|vs t|vrt|vr||jdkrl|jdkra|d|_|dtj |d|j r| |t|vs t|vr|j|j_|jdkr6t|vr|jjrd|_||jt*|vr2|jt1|t*||jt|vrdSt2|vr|jjd|j_|js||dd |jz|xjdzc_|dS) Nrl%SMB2_Header.Status%rz0SMB Session Setup Response: %SMB2_Header.Status%)lvlmsgTrz RETRY: %s)r#r'r&rStatussprintfr{debugr color_themeredr_rrJrr SessionFlagsIS_GUESTrz AUTHENTICATEDrr;rrrr:r clifailure SessionPreauthIntegrityHashValuer^ AUTH_FAILEDrs rlreceive_setup_andx_responsez&SMB_Client.receive_setup_andx_responses s " "?3FF-44#%%oo''' :??szZ77"{{+ABBD  JJ$((KK RSS     9 '  ! !# & & & = C C*c11), DO %zQ.#55#:J:S5#'DL(()9:::#%%L99c+.//ooc&6777 = D D D C ' ' L # . . 0 0 0<@DL 9: )&&((( JJ1+ ":J ; ; ; JJ!OJJ//## #( 'rn)finalc8|jdSrrsetrs rlr zSMB_Client.AUTH_FAILEDO !!!!!rnc|jj|jj|\|j_}}|tkrt d|j|jrd|j_dSdSr) rrrrrrcomputeSMBSessionKeyrz SMBSessionKey)rkrrstatuss rlrzSMB_Client.AUTHENTICATEDSs-1\-=-R-R L #X. . * F ^ # #OPP P ))+++ < .)-DL & & & . .rnc*|r) SOCKET_BINDrs rlauthenticated_post_actionsz%SMB_Client.authenticated_post_actionsbs   rnc8|jdSrr$rs rlr,zSMB_Client.SOCKET_BINDhr&rnc*|r)SOCKET_MODE_SMBrs rlstart_smb_socketzSMB_Client.start_smb_socketls""$$$rncdSrrhrs rlr0zSMB_Client.SOCKET_MODE_SMBprrncP||r)r0rrs rlincoming_data_received_smbz%SMB_Client.incoming_data_received_smbts"""$$66s;;;rnc$|tj}t|tr|jdkrdS|jdkrdS|||d|_|jj |dS)Nii r) r;rrr:rrrNTStatusoismbpiper)rkrresps rlreceive_data_smbzSMB_Client.receive_data_smbxs;' d/ 0 0 zZ''zZ'' c""" $:;;  T"""""rnr8r)nameas_supersocketct||r)r0rrecv)rkfds rloutgoing_data_received_smbz%SMB_Client.outgoing_data_received_smbs*""$$66rwwyyAAArncd||j|z dSr)rrr)rkds rl send_datazSMB_Client.send_datas- $/&&((1,-----rnr)-__name__ __module__ __qualname____doc__portr*rr classmethodrpropertyrrrstater conditionrractionrrrrrreceive_conditionrrrrrrr!r rr-r,r1r0r4r:ioeventr@rC __classcell__rs@rlrXrXxs   D C70707070r  [ !!X!*1*1*1*1*1XTZ   T^E((( T^E"""$$#"$T[  ##! #JTZ\\  \ TZ\\  \ T^N##$$$#$T[$%%> > &%> @TN++6161,+61pTZ\\\(   $T^JQ'''JJ('J TZ\\  \ T[/00))10)VT3447$7$547$rTZa"""TZ\\ . . .\ .T^M***!!+*! TZ\\""\"T^K  %%! %TZ\\  \ TO,,<<-,<T[+,, # #-, #T\/ )LLLBBMLBT[+,,..-,.....rnrXceZdZdZddZedZedZdZ dZ d Z d Z d d ggfd Z dZddZddZddZddZdZdS) SMB_SOCKETz Mid-level wrapper over SMB_Client.smblink that provides some basic SMB client functions, such as tree connect, directory query, etc. Trwc||_||_|jjj|st d|jjjr!td|jjjzdS)Ntimeoutz7The SMB handshake timed out ! (enable debug=1 for logs)zSMB Session Setup failed: %s)insrVatmtrwait TimeoutErrorr{rrksmbsock use_ioctlrVs rlrzSMB_SOCKET.__init__s x}+000AA I  8= $ !.1JJ   rnc ||dd|ddtj|fi|S)zu Wraps the tcp socket in a SMB_Client.smblink first, then into the SMB_SOCKET/SMB_RPC_SOCKET r]TrVrw)r]rVr\)rxrXrrs rlrzSMB_SOCKET.from_tcpsocksU sjjd33JJy!,,+D;;F;;    rnc$|jjjSr)rWrXrrs rlrzSMB_SOCKET.sessionsx}$$rnc2||jjj_dS)z[ Set the TID (Tree ID). This can be called before sending a packet NrWrXrr)rkrs rlset_TIDzSMB_SOCKET.set_TIDs (+  $$$rnc.|jjjjS)z@ Get the current TID from the underlying socket rars rlget_TIDzSMB_SOCKET.get_TIDsx}'++rnc |jtdd|jjjd|fgd|j}|stdt|vrtd|j z| S) z, Send a TreeConnect request Pathz\\\BufferFverboserVzTreeConnect timed out !zFailed TreeConnect ! %s) rWsr1rMrrServerHostnamerVrrNr6rd)rkr;r9s rl tree_connectzSMB_SOCKET.tree_connectsx|| %!L3BBB D    L    8677 7 %T 1 16FGG G||~~rnc|jtd|j}|st dt |vrt d|jzdS)z/ Send a TreeDisconnect request FrjzTreeDisconnect timed out !zFailed TreeDisconnect ! %sN)rWrlrOrVrrPr6)rkr9s rltree_disconnectzSMB_SOCKET.tree_disconnectsqx|| ( * *L    ;9:: : ( 4 49DMIJJ J 5 4rnrpipec 6g}g}d|vr,|d|ddgd|vr,|d|ddgd |vr|d g}g} g} d } |d kr+|d | dn|dvrdg} d|vr|gdd|vrd} |dd |vr*|d| d|dkr|dn|rtd|zd} |jjdkrd} n|jjdkr|dkrd} |jjdkr|dvr| t dt t t d!"t d#"t d$tt% gng|jjdkrW|dkrQ| t d$tt% g|r| ||r|||j td&d'|| d'| d'|d'|| | |( d|j)} | std*t | vrtd+| jz| t jS),zv Open a file/pipe by its name :param name: the name of the file or named pipe. e.g. 'srvsvc' rqFILE_SHARE_READFILE_READ_DATAFILE_READ_ATTRIBUTESwFILE_SHARE_WRITEFILE_WRITE_DATAFILE_WRITE_ATTRIBUTESrBFILE_SHARE_DELETE FILE_OPENfolderFILE_ATTRIBUTE_DIRECTORYFILE_DIRECTORY_FILE)filerrFILE_NON_DIRECTORY_FILE) FILE_READ_EA READ_CONTROL SYNCHRONIZEFILE_OVERWRITE_IF FILE_WRITE_EADELETEFILE_DELETE_ON_CLOSErFILE_ATTRIBUTE_NORMALzUnknown type: %srrpSMB2_OPLOCK_LEVEL_LEASEro)rr}sDH2Q) CreateGuid)NamersMxAc)rsQFidsRqLs)LeaseKey Impersonationr) ImpersonationLevel DesiredAccessCreateDisposition CreateOptions ShareAccessFileAttributesCreateContextsRequestedOplockLevelrrjzCreateRequest timed out !zFailed CreateRequest ! %s)appendextendrrrr2r3rr}r4r5rWrlr6rrVr7r6FileId)rkr;moderextra_create_optionsextra_desired_accessrrrrrrrr9s rlcreate_requestzSMB_SOCKET.create_requests8  $;;   0 1 1 1  "24J!K L L L $;;   1 2 2 2  "35L!M N N N $;;   2 3 3 3 ' 8    ! !"< = = =  !6 7 7 7 7 % % %67Md{{$$%T%T%TUUUd{{$7!$$_555d{{$$X...$$%;<<<v~~%%&=>>>  8/$677 7  < 6 ) )#< \ !V + +#< < 6 ) )d6H.H.H  ! !($B'/zz'8'8($($($98::??CTCTUUU#    0\ !V + +  ! !($6 @Q@QRRR     7  !5 6 6 6  7  !5 6 6 6x|| #2!hh}55"3!hh}55HH[11"xx77-%9   L   :899 9 t + +84=HII I()00rnct|}|j|d|j}|st dt |vrt d|jzdS)z" Close the FileId rrrjzCloseRequest timed out !zFailed CloseRequest ! %sN)r0rWrlrVrr1r6rkrrr9s rl close_requestzSMB_SOCKET.close_requestZso!///x||CDL|AA 9788 8 d * *7$-GHH H + *rnrc|jt|||d|j}|st dt |vrt d|jz|jS)z Read request )rrOffsetrrjzReadRequest timed out !zFailed ReadRequest ! %s)rWrlrGrVrrHr6r)rkrrrr9s rl read_requestzSMB_SOCKET.read_requestesx||     L   8677 7 T ) )6FGG Gyrnc|jt|||d|j}|st dt |vrt d|jz|jS)z Write request )rrrrrjzWriteRequest timed out !zFailed WriteRequest ! %s)rWrlrQrVrrRr6Count)rkrrrr9s rl write_requestzSMB_SOCKET.write_requestxsx||     L   9788 8 d * *7$-GHH Hzrn*cfg}d} td|||}|j|d|j}d}|st dt |vrnYt |vrt d|jzt|j }| d |j D|S) z1 Query the Directory with FileId SMB2_RESTART_SCANSTr,)FileInformationClassrFileNamerrrjzQueryDirectory timed out !zFailed QueryDirectory ! %scBg|]}|j|j|j|jfSrhrr EndOfFile LastWriteTimers rlrmz.SMB_SOCKET.query_directory..sA  (  rn) rCrWrlrVrr:rDr6r,Outputrfiles)rkrrresultsrrr9ress rlquery_directoryzSMB_SOCKET.query_directorys$ .%E! C 8<<Q <EEDE ? !=>>>"d**.d:: != !MNNN0==C NN!Y   ! 6rnct||d||}|j|d|j}|st dt |vrt d|jz|jS)z Query the Info r)InfoType FileInfoClassrrAdditionalInformationrrjzQueryInfo timed out !zFailed QueryInfo ! %s)rErWrlrVrrFr6r)rkrrrrrr9s rl query_infozSMB_SOCKET.query_infos&'$"7    x||CDL|AA 6455 5 #4 / /4t}DEE E{rnctdd|d}|j|dd}t|vrt d|jz|jS) z( Register change notify SMB2_WATCH_TREEri)rrrCompletionFilterrT)rkchainCCzFailed ChangeNotify ! %s)r.rWrlr/rr6rrs rl changenotifyzSMB_SOCKET.changenotifysh)#$#    x||CD|99 &d 2 27$-GHH H{rnNTrw)r)r)rDrErFrGrrIrrJrrbrdrnrprrrrrrrrhrnrlrSrSs@       [  %%X%+++,,, 4 K K K"  q1q1q1q1f I I I&&!!!!F$rnrSc<eZdZdZd dZdZdZfdZdZxZ S) SMB_RPC_SOCKETa Extends SMB_SOCKET (which is a wrapper over SMB_Client.smblink) to send DCE/RPC messages (bind, reqs, etc.) This is usable as a normal SuperSocket (sr1, etc.) and performs the wrapping of the DCE/RPC messages into SMB2_Write/Read packets. Trwcx||_tj|dt|||dS)NrrU)r]rrrSr[s rlrzSMB_RPC_SOCKET.__init__s>"D"2333D'7;;;;;rnc@||dd|_dS)Nrwrr)rr)r PipeFileId)rkr;s rl open_pipezSMB_RPC_SOCKET.open_pipes"--dF-KKrncH||jd|_dSr)rrrs rl close_pipezSMB_RPC_SOCKET.close_pipes# 4?+++rnc||jrt|jdd}t||_|j|d}t|vrtd|j zt|j }|j dkrD|jt|jd}||j z }|j dkDtt||d St!|j}t||_ |j|d}t"|vrtd |j z|jt|jd}t$|vrtd |j zt|j }|j dkrD|jt|jd}||j z }|j dkDtt||d S) z/ Internal ObjectPipe function. SMB2_0_IOCTL_IS_FSCTLFSCTL_PIPE_TRANSCEIVE)rrCtlCoder)rkz"Failed reading IOCTL_Response ! %sSTATUS_BUFFER_OVERFLOWrz!Failed sending WriteResponse ! %sz Failed reading ReadResponse ! %sN)r]r<rrrrWrlr=rr6rrGrrrrrQrRrH)rkrjrr9datars rlrzSMB_RPC_SOCKET.sends^ >5 3$-/C aCI8<<Q<//D"$.. !E !UVVV%%D-#;;;x||%# $  !-#;;; .$ ' ' , ,T 2 2 2 2 2%CQxxCH8<<Q<//D"$.. !Dt}!TUUU8<<!?  D "-- !Cdm!STTT##D-#;;;x||%# $  !-#;;; .$ ' ' , ,T 2 2 2 2 2rncbt|tj|dSr)rScloserrs rlrzSMB_RPC_SOCKET.close"s-rnr) rDrErFrGrrrrrrPrQs@rlrrs<<<< LLL:3:3:3:3:3xrnrceZdZdZ d=ded ed ed ed ed ededededefdZdZdZ d>dZ dZ dZ e jdZe jedZe jdZe jedZd?dZd@dZdZe jdd@d Ze jedddd!d"Ze jed#Ze jdd$Ze jed%Zd&Ze jed'Ze jd(Ze jed)Z e jdd*Z!e je!d+Z"e je!d,Z#d-Z$d.Z%d?d/Z&e jdd0dAdd1d2Z'e je'd3Z(e je'd4Z)e jdd0d5Z*e je*d6Z+e je*d7Z,e jdd8Z-e je-d9Z.e jdd:Z/e je/d;Z0e jd<Z1dS)B smbclienta A simple smbclient CLI :param target: can be a hostname, the IPv4 or the IPv6 to connect to :param UPN: the upn to use (DOMAIN/USER, DOMAIN\USER, USER@DOMAIN or USER) :param guest: use guest mode (over NTLM) :param ssp: if provided, use this SSP for auth. :param kerberos: if available, whether to use Kerberos or not :param kerberos_required: require kerberos :param port: the TCP port. default 445 :param password: (string) if provided, used for auth :param HashNt: (bytes) if provided, used for auth (NTLM) :param ST: if provided, the service ticket to use (Kerberos) :param KEY: if provided, the session key associated to the ticket (Kerberos) :param cli: CLI mode (default True). False to use for scripting NFTrYrrtargetrspasswordrqkerberoskerberos_requiredHashNtrHrVrc |r|d}d|vr:tj}t|s|}t t |}n9tj}t|s|}t t|}|s| s |s Jd| |s t|\}}|dkrd}n#t$rd}YnwxYw||| ddl m }|dd }g}|rj|rh| +t|d |z|| }||jj|j} } | r'|t%|| | | n#|rtd n|rtd|s7||t'|}|t)||t+|} nd} tj|tj}|tjtjd|tjtjd|tjtjd|tjtjd|| |||fg|_ | |_!|"d|tGj$|f| | d||_% tM|j%|_'tQj(} |j%j)j*+rn|j%j),sg|j%j)-d}t]|j%j)j/j/dtaj-|tc|tQj(|z | kr(|j%2tgdtQj4dn(#tj$r|j%2wxYwddl6m7}|8|j%dd|_9tutwj-|j'j<j=d|j'j<j=zdt}|j'j<j?|j%j)j@rdnddtjBd|_CtjDdE|_Fd|_Gi|_Hg|_I|r|J| dSdS)!N:z+Either UPN, ssp or guest must be provided !.Fr)promptz Password: T) is_passwordzcifs/%s)upnspnrr)rsSTKEYrz/Kerberos required but target isn't a hostname !zSKerberos required but domain not specified in the UPN, or target isn't a hostname !rrr r`)rrrz with status zThe SMB handshake timed out.g?) DCERPC_Client)ndr64verbzSMB %sz! authentication successful using z as GUESTraz !/)r)K _depchecksocketAF_INET6rstrrAF_INETrrrrprompt_toolkitrrtgsrepticket sessionkeyrrrrrV SOCK_STREAM setsockopt SOL_SOCKET SO_KEEPALIVE IPPROTO_TCP TCP_NODELAY TCP_KEEPIDLE TCP_KEEPINTVL settimeoutconnectrrV setdefaultrXrrurSr\timerXris_set isrunninggetrrKrUhexrrZsleep Exceptionscapy.layers.msrpce.rpcclientr from_smblink rpcclientprintr-rrreprrrzpathlibPureWindowsPathpwdrfresolvelocalpwd current_treels_cachesh_cacheloop)rkrrsrrqrrrrHrVrrrrclirhostnamefamilyrrealmrsspsr9ru_tr*rs rlrzsmbclient.__init__:s&   NN    &==_FV$$ "!f&&FF^FF## "!V%%FQcQUQQ$QQQQ ;0 %)#HAu||#(!%%%$HHH%>h&62:555555%vlEEEHz- # )H 4%-"'      +&*k&8$/B KCBCu$U$U$UVVVV*(M'$7 )A~(*>!&xKKC ? ? ?@@@oo}VV%788 )6+>BBB *F,>BBB *F,?DDD *F,@"EEE     fd^$$$$&! -000+         %di00DLB 9>07799y~//11!Y^//99F)!IN0666(,VS[[AAA9;;#g--IOO%%%&'EFFF 3!     IOO      @?????&33DIUQV3WW  L(0t|3;;T\)4555#y~5= 2==  *3// S))1133     # IIEI " " " " " # #s'C CC-D.P%Qc<d||jzS)Nz smb: \%s> )normalize_pathr rs rlps1z smbclient.ps1st2248<<<> >\\"?@@  E k22Z?I NNMM.1188::&*9i@@MM-007799      rncBtt|dgdS)z. Print the output of 'shares' ) ShareName ShareTypeCommentNrr rkrs rl shares_outputzsmbclient.shares_outputs& k'$I#JKKLLLLLrnc|j||_tjd|_|jdS)z Open a share rN)r\rnr rrr r clearrkr8s rlusez smbclient.use!sH !L55e<<*3// rncDfd|DS)z% Auto-complete 'use' cng|]1}|dr|ddk)|d2S)rzIPC$) startswith)rirjr8s rlrmz*smbclient.use_complete../sE   1Q4??5+A+A FGdfnnAaDnnnrn)r9rCs `rl use_completezsmbclient.use_complete*s6     ++--    rnc^|r tjn tj|}|r tjn tjd}|j}|ds|dr|}d}n.|jr |jjs|r|j}||fS)zG Parse a path. Returns the parent folder and file name rrrgra)rrrfr;endswithparent is_absolute)rkargremoteelteltpareltnames rl _parsepathzsmbclient._parsepath3s C&Bw&&glCHHEVE'))sKK( <<    T 2 2 FGG Z CJO s/@/@ ZFwrncd||\ |}n#t$rgcYSwxYwfd|DS)zN Return a listing of the remote files for completion purposes NcdSNTrh)rs rlz(smbclient._fs_complete..GsTrnrKcg|]t}|dr3|ddvK|d\t|dz uS)rrz..r)lowerrGrrirjcondrQrPs rlrmz*smbclient._fs_complete..Ns   ! '' 88  aD ++D1JJ, 1  ,++rn)rRlsr)rkrMr\rrQrPs ` @@rl _fs_completezsmbclient._fs_completeBs <!>D//#.. GG6G**EE   III           s9 AAc||d}t|dkr'|d|r |ddzgS|S)zN Return a directories of remote files for completion purposes c|jSr)r~rjs rlrVz)smbclient._dir_complete..^s 15rn)r\rrrg)r^rrG)rkrMrs rl _dir_completezsmbclient._dir_completeXsh## 55$   w<<1  !6!6s!;!; AJ%& &rn)spacesc|rdS|j}|||z}||}|jr||jvr |j|S|j|j|j|d|j}|j |}|j |||j|<|S)z List the files in the remote directory -t: sort by timestamp -S: sort by size -r: reverse while sorting Nr}rr) rr rr r\rbr rrrr)rkrKr fileIdrs rlr]z smbclient.lses      Fh   6MC!!#&& = &SDM11=% % T.///,, !%!:-    ,,V44 ""6***" c rn)tSrqctdddgdd|r|d|r|d |r |ddd }fd |D}tt|d gd dS)z* Print the output of 'ls' raNz. !urn)keyc|d S)Nrrhras rlrVz%smbclient.ls_output..rnrnc g|]~}|dddt|ddDt|dd|dfS)rrc3@K|]}|dVdS)FILE_ATTRIBUTE_N)r%)riys rl z1smbclient.ls_output...s/SS"344SSSSSSrnrrNrw)rrsplitr i2repr)rirjflds rlrmz'smbclient.ls_output..s    !SSc!A$iiooc>R>RSSSSS1Q4   41&&     rnr)sortBy)r sortrr )rkrrgrhrqrys @rl ls_outputzsmbclient.ls_outputs  $&;&;&;C     . LL__L - - -  . LL__L - - -  $dddmG         MN        rnc\|drgS||S)z" Auto-complete ls Trrrbrkr}s rl ls_completezsmbclient.ls_complete6   d  + + I!!&)))rnc|rdS|st|jS|xj|zc_||j|_|jdS)z5 Change the remote current directory N)rrr r#r rBrs rlcdz smbclient.cdst      F !tx==  F%%dh// rnc\|drgS||S)z" Auto-complete cd Tr~rrs rl cd_completezsmbclient.cd_completerrnc||d\|jz fddDS)zI Return a listing of local files for completion purposes F)rNcg|]b}|j@|Kt|jz cSrh)r;rZrGrr[s rlrmz+smbclient._lfs_complete..ss    ))'--//::  @DtAww      rnr)rRr r glob)rkrMr\rQrPs `@@rl _lfs_completezsmbclient._lfs_completes{//#e/<<'      ^^%%**3//    rnc,|rt|dSdS)z* Print the output of 'cd' Nrrkresults rl cd_outputzsmbclient.cd_output%   &MMMMM  rncPt|jdS)z7 List the files in the local directory r)listr rrs rlllsz smbclient.llss" DM&&s++,,,rncndd|DD}tt|dgdS)z+ Print the output of 'lls' c g|]K\}}|jt|jtjdtj|jfLS)z%Y-%m-%d %H:%M:%S)r;r st_sizerstrftime localtimest_mtime)rirjstats rlrmz(smbclient.lls_output..s^   4 4<(( 14>$-3P3PQQ    rnc3BK|]}||fVdSr)rrs rlrvz'smbclient.lls_output..s.;;aQM;;;;;;rn)rz File SizezLast Modification TimeNr>r?s rl lls_outputzsmbclient.lls_outputs_   <;7;;;      "U!V W W     rnc|st|jS|xj|zc_|j|_dS)z4 Change the local current directory N)rr r rs rllcdz smbclient.lcdsE  &t}%% %   --// rnc0||dS)z# Auto-complete lcd c*|Sris_dirras rlrVz(smbclient.lcd_complete..sAHHJJrnrrs rl lcd_completezsmbclient.lcd_completes !!&*>*>???rnc,|rt|dSdS)z+ Print the output of 'lcd' Nrrs rl lcd_outputzsmbclient.lcd_outputrrnc(|j|z }|j|j|j||ddg|jz}t|j|dd}|j j }d}|r[t|j j j|}||j|||||z }||z}|[|j||S) z8 Gets the file bytes from a remote host rFILE_SEQUENTIAL_ONLYreSMB2_0_INFO_FILEr+)rrrr)rr)r r\rbr rrrr+rStandardInformationrminrurXrwriterr) rkrr?fpathrfinfolengthoffset lengthReads rl _get_filezsmbclient._get_files> 4 T.///,,    & &&"'"(-  " L # #+2 $    )3 !TY^7@@J HH ))&F)SS    j F j F  ! ""6*** rnc|j|z }|j|j|j||dd|j}d} ||jj j }|sn!||j |||z }H|j ||S)z6 Send the file bytes to a remote host rrwrrrrT)rrr) r r\rbr rrrreadrurXrrr)rkfnamer?rrfrrs rl _send_filezsmbclient._send_file4s 5  T.///,,    & &!%!: -   7749>677D  dl001 F  ""6*** rnc &d}|s|||D]}|ddvr ||dz }||dz } |djr||||z }n||||dz }|rt ||#t$rG}|r;t tj |dt|Yd}~d}~wwxYw|S)z Internal recursive function to get a directory :param directory: the remote directory to get :param _root: locally, the directory to store any found files rrWrYrz->N) existsmkdirr]r~_getrrrrrrrr) rk directory_root_verbsizerjrNlocalexs rlrzsmbclient._getrRs5||~~  KKMMM ** G GAt{""1%FAaDLE GQ407DJJvu555DDDHHVU33A66D"&MMM G G GG$*..v66c"ggFFF G s%AB== D=D  D)rc globsupport)rqc|rdS|r=||\}}||||z |j|z |fSt j|j}| |j|z }|d5}|||} dddn #1swxYwY|| fS)zN Retrieve a file -r: recursively download a directory N)rrwb) rrRrr rrr;openr) rkr_destrrqdirpardirnamerr?rs rlrz smbclient.getqs      F  "ood33OFG mg-$  +D116E} -D!! 0R~~dB// 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0$; sB33B7:B7c btd|ddt|ddS)z+ Print the output of 'get' z Retrieved 'rz ' of size rN)rr )rkrs rl get_outputzsmbclient.get_outputs6 T!WWWja6I6I6IJKKKKKrnc\|drgS||S)z# Auto-complete get Tr~rr^rkrs rl get_completezsmbclient.get_complete6   d  + + I  &&&rnc|rdStj}||||S)z Print a file N)rioBytesIOrgetvalue)rkrbufs rlcatz smbclient.catsJ      Fjll tS!!!||~~rncLt|ddS)z+ Print the output of 'cat' backslashreplace)errorsN)rr6rs rl cat_outputzsmbclient.cat_outputs' fmm#5m6677777rnc\|drgS||S)z# Auto-complete cat Tr~rrs rl cat_completezsmbclient.cat_completerrncz|rdS|j|z }|rtdt j|j}|d5}|||}dddn #1swxYwY|j ||fS)z Upload a file Nzput on dir not implrb) rr rrrrfr;rrr rB)rkr local_filerr?rs rlputz smbclient.puts      F]T)      2233 3L&&+E&& 2"ub11 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 d{s2BBBc0||dS)z# Auto-complete put c,| Srrras rlrVz(smbclient.put_complete..s Nrnrrs rl put_completezsmbclient.put_completes !!&*B*BCCCrnc`|rdS|j|z }|j|j|j||dd|j}|j||j |j S)z Delete a file NrrBr) rr r\rbr rrrrr rBr;)rkrrrfs rlrmz smbclient.rms      F4 T.///,,    & &!%!: -   ""6*** zrnc\|drgS||S)z" Auto-complete rm Tr~rrs rl rm_completezsmbclient.rm_completerrncd|jvr+td|jddStd|jddS)z. Turn on or off backup intent FILE_OPEN_FOR_BACKUP_INTENTzBackup Intent: OffzBackup Intent: OnN)rrremoverrs rlbackupzsmbclient.backupsl )D,E E E & ' ' '  % , ,-J K K K K K % & & &  % , ,-J K K K K Krn) NNFTFNrYrrNNNT)F)TrrU)2rDrErFrGrrrrrrrr#rr addcommandr9 addoutputr@rD addcompleterHrRr^rbr]r|rrrrrrrrrrrrrrrrrrrrrrrrrhrnrlrr's("'    `#`#`#`# `#  `#  `# `#`#`#`#`#`#`#`#D=== JJJ ::: W###JWvMMM WW           ,   Wt$$$%$>Wr&+u     BW***Wt$$$  %$ W***    WrW--- Ws   Wt$$$00%$0W@@@ Ws$$$L<>Wt666U76.WsLLL W'''Wt666  76 Ws888 W'''Wt$$$%$"WDDD Wt$$$%$*W'''W L L L L Lrnr__main__) AutoArgparse)trGrrrrrrscapy.automatonrrrscapy.base_classesr scapy.configr scapy.errorr scapy.fieldsr scapy.supersocketr scapy.utilsr r r rrscapy.volatilerscapy.layers.dcerpcrrscapy.layers.gssapirrrscapy.layers.inet6rscapy.layers.kerberosrrrscapy.layers.msrpce.raw.ms_srvsrrrrscapy.layers.ntlmrrscapy.layers.smbr r!r"r#r$r%r&r'r(r)scapy.layers.smb2r*r+r,r-r.r/r0r1r2r3r4r5r6r7r8r9r:r;r<r=r>r?r@rArBrCrDrErFrGrHrIrJrKrLrMrNrOrPrQrRrSrTrUscapy.layers.spnegorVrXrSrcommandsregisterrrDrrhrnrlrs   7777777777""""""''''''%%%%%%))))))$#####???????? $#####                          --------------------------------------------------------------------------------------------\*)))))U.U.U.U.U.U.U.U.p~~~~~~~~B SSSSSZSSSlO LO LO LO LO LO LO LO Ld z((((((Lrn