SMBv1 (SMBv2 not yet done)

99cbcd76 · Robert David Graham · dd57883e · 99cbcd76 · 99cbcd76 · 99cbcd76
Commit 99cbcd76 authored 6 years ago by Robert David Graham
--- a/src/masscan-app.c
+++ b/src/masscan-app.c
@@ -21,6 +21,7 @@ masscan_app_to_string(enum ApplicationProtocol proto)
    case PROTO_SNMP: return "snmp";
    case PROTO_NBTSTAT: return "nbtstat";
    case PROTO_SSL3:    return "ssl";
+    case PROTO_SMB:     return "smb";
    case PROTO_SMTP:    return "smtp";
    case PROTO_POP3:    return "pop";
    case PROTO_IMAP4:   return "imap";
@@ -61,6 +62,7 @@ masscan_string_to_app(const char *str)
        {"ssh2",    PROTO_SSH2},
        {"nbtstat", PROTO_NBTSTAT},
        {"ssl",     PROTO_SSL3},
+        {"smb",     PROTO_SMB},
        {"pop",     PROTO_POP3},
        {"imap",    PROTO_IMAP4},
        {"x509",    PROTO_X509_CERT},

--- a/src/masscan-app.h
+++ b/src/masscan-app.h
@@ -16,6 +16,7 @@ enum ApplicationProtocol {
    PROTO_SNMP,             /* simple network management protocol, udp/161 */
    PROTO_NBTSTAT,          /* netbios, udp/137 */
    PROTO_SSL3,
+    PROTO_SMB,              /* SMB tcp/139 and tcp/445 */
    PROTO_SMTP,
    PROTO_POP3,
    PROTO_IMAP4,

--- a/src/proto-banner1.c
+++ b/src/proto-banner1.c
@@ -8,6 +8,7 @@
 #include "proto-banner1.h"
 #include "proto-http.h"
 #include "proto-ssl.h"
+#include "proto-smb.h"
 #include "proto-ssh.h"
 #include "proto-ftp.h"
 #include "proto-smtp.h"
@@ -24,6 +25,16 @@


 struct Patterns patterns[] = {
+    {"\x00\x00" "**" "\xff" "SMB", 8, PROTO_SMB, SMACK_ANCHOR_BEGIN | SMACK_WILDCARDS},
+    {"\x00\x00" "**" "\xfe" "SMB", 8, PROTO_SMB, SMACK_ANCHOR_BEGIN | SMACK_WILDCARDS},
+    
+    {"\x83\x00\x00\x01\x80", 5, PROTO_SMB, SMACK_ANCHOR_BEGIN}, /* Not listening on called name */
+    {"\x83\x00\x00\x01\x81", 5, PROTO_SMB, SMACK_ANCHOR_BEGIN}, /* Not listening for calling name */
+    {"\x83\x00\x00\x01\x82", 5, PROTO_SMB, SMACK_ANCHOR_BEGIN}, /* Called name not present */
+    {"\x83\x00\x00\x01\x83", 5, PROTO_SMB, SMACK_ANCHOR_BEGIN}, /* Called name present, but insufficient resources */
+    {"\x83\x00\x00\x01\x8f", 5, PROTO_SMB, SMACK_ANCHOR_BEGIN}, /* Unspecified error */
+
+    /* ...the remainder can be in any order */
    {"SSH-1.",      6, PROTO_SSH1, SMACK_ANCHOR_BEGIN},
    {"SSH-2.",      6, PROTO_SSH2, SMACK_ANCHOR_BEGIN},
    {"HTTP/1.",     7, PROTO_HTTP, SMACK_ANCHOR_BEGIN},
@@ -31,6 +42,7 @@ struct Patterns patterns[] = {
    {"220 ",        4, PROTO_FTP, SMACK_ANCHOR_BEGIN, 1},
    {"+OK ",        4, PROTO_POP3, SMACK_ANCHOR_BEGIN},
    {"* OK ",       5, PROTO_IMAP4, SMACK_ANCHOR_BEGIN},
+    {"521 ",        4, PROTO_SMTP, SMACK_ANCHOR_BEGIN},
    {"\x16\x03\x00",3, PROTO_SSL3, SMACK_ANCHOR_BEGIN},
    {"\x16\x03\x01",3, PROTO_SSL3, SMACK_ANCHOR_BEGIN},
    {"\x16\x03\x02",3, PROTO_SSL3, SMACK_ANCHOR_BEGIN},
@@ -197,6 +209,15 @@ banner1_parse(
                        banout,
                        more);
        break;
+    case PROTO_SMB:
+        banner_smb1.parse(
+                        banner1,
+                        banner1->http_fields,
+                        tcb_state,
+                        px, length,
+                        banout,
+                        more);
+        break;
    case PROTO_VNC_RFB:
        banner_vnc.parse(    banner1,
                             banner1->http_fields,
@@ -265,10 +286,14 @@ banner1_create(void)
    banner_smtp.init(b);
    banner_ssh.init(b);
    banner_ssl.init(b);
+    banner_smb0.init(b);
+    banner_smb1.init(b);
    banner_vnc.init(b);

    b->tcp_payloads[80] = &banner_http;
    b->tcp_payloads[8080] = &banner_http;
+    b->tcp_payloads[139] = (void*)&banner_smb0;
+    b->tcp_payloads[445] = (void*)&banner_smb1;
    
    b->tcp_payloads[443] = (void*)&banner_ssl;   /* HTTP/s */
    b->tcp_payloads[465] = (void*)&banner_ssl;   /* SMTP/s */
@@ -450,6 +475,12 @@ banner1_selftest()
            return 1;
        }
        
+        x = banner_smb1.selftest();
+        if (x) {
+            fprintf(stderr, "SMB banner: selftest failed\n");
+            return 1;
+        }
+        
        x = banner_http.selftest();
        if (x) {
            fprintf(stderr, "HTTP banner: selftest failed\n");

--- a/src/proto-banner1.h
+++ b/src/proto-banner1.h
@@ -135,6 +135,48 @@ struct MEMCACHEDSTUFF {
    unsigned match;
 };

+struct Smb72_Negotiate {
+    uint16_t DialectIndex;
+    uint16_t SecurityMode;
+    uint64_t SystemTime;
+    uint32_t Capabilities;
+    uint16_t ServerTimeZone;
+    uint8_t  ChallengeLength;
+    uint8_t  ChallengeOffset;
+};
+
+struct SMBSTUFF {
+    unsigned char nbt_type;
+    unsigned char nbt_flags;
+    unsigned length;
+    unsigned nbt_err;
+    
+    struct {
+        unsigned char   command;
+        unsigned        status;
+        unsigned char   flags1;
+        unsigned short  flags2;
+        unsigned        pid;
+        unsigned char   signature[8];
+        unsigned short  tid;
+        unsigned short  uid;
+        unsigned short  mid;
+        unsigned short  param_length;
+        unsigned short  param_offset;
+        unsigned short  byte_count;
+        unsigned short  byte_offset;
+        unsigned short  byte_state;
+        unsigned short  unicode_char;
+    } smb1;
+    union {
+        struct Smb72_Negotiate negotiate;
+    } parms1;
+    
+    union {
+        
+    } pkt;
+};
+
 struct ProtocolState {
    unsigned state;
    unsigned remaining;
@@ -151,6 +193,7 @@ struct ProtocolState {
        struct SMTPSTUFF smtp;
        struct POP3STUFF pop3;
        struct MEMCACHEDSTUFF memcached;
+        struct SMBSTUFF smb;
    } sub;
 };


--- a/src/proto-smb.c
+++ b/src/proto-smb.c
--- a/src/proto-smb.h
+++ b/src/proto-smb.h
+#ifndef PROTO_SMB_H
+#define PROTO_SMB_H
+#include "proto-banner1.h"
+
+extern struct ProtocolParserStream banner_smb0;
+extern struct ProtocolParserStream banner_smb1;
+
+#endif
--- a/xcode4/masscan.xcodeproj/project.pbxproj
+++ b/xcode4/masscan.xcodeproj/project.pbxproj
@@ -89,6 +89,7 @@
 		11C936C31EDCE77F0023D32E /* in-filter.c in Sources */ = {isa = PBXBuildFile; fileRef = 11C936BF1EDCE77F0023D32E /* in-filter.c */; };
 		11C936C41EDCE77F0023D32E /* in-report.c in Sources */ = {isa = PBXBuildFile; fileRef = 11C936C11EDCE77F0023D32E /* in-report.c */; };
 		11C936C71EDCE8B40023D32E /* rawsock-pcap.c in Sources */ = {isa = PBXBuildFile; fileRef = 11C936C51EDCE8B40023D32E /* rawsock-pcap.c */; };
+		11DE129620ABC2650041135D /* proto-smb.c in Sources */ = {isa = PBXBuildFile; fileRef = 11DE129520ABC2650041135D /* proto-smb.c */; };
 		11E76DB41889BC5200061F45 /* pixie-backtrace.c in Sources */ = {isa = PBXBuildFile; fileRef = 11E76DB21889BC5200061F45 /* pixie-backtrace.c */; };
 		11F9375419F1A54200C1947F /* script-sslv3.c in Sources */ = {isa = PBXBuildFile; fileRef = 11F9375319F1A54200C1947F /* script-sslv3.c */; };
 		11F9375719F1AD5000C1947F /* script-heartbleed.c in Sources */ = {isa = PBXBuildFile; fileRef = 11F9375619F1AD5000C1947F /* script-heartbleed.c */; };
@@ -261,6 +262,8 @@
 		11C936C21EDCE77F0023D32E /* in-report.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "in-report.h"; sourceTree = "<group>"; };
 		11C936C51EDCE8B40023D32E /* rawsock-pcap.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "rawsock-pcap.c"; sourceTree = "<group>"; };
 		11C936C61EDCE8B40023D32E /* rawsock-pcap.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "rawsock-pcap.h"; sourceTree = "<group>"; };
+		11DE129420ABC2650041135D /* proto-smb.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "proto-smb.h"; sourceTree = "<group>"; };
+		11DE129520ABC2650041135D /* proto-smb.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "proto-smb.c"; sourceTree = "<group>"; };
 		11E76DB21889BC5200061F45 /* pixie-backtrace.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "pixie-backtrace.c"; sourceTree = "<group>"; };
 		11E76DB31889BC5200061F45 /* pixie-backtrace.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "pixie-backtrace.h"; sourceTree = "<group>"; };
 		11F9375319F1A54200C1947F /* script-sslv3.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "script-sslv3.c"; sourceTree = "<group>"; };
@@ -388,6 +391,8 @@
 		11B360CA1F9016C00020F3A3 /* proto */ = {
 			isa = PBXGroup;
 			children = (
+				11DE129420ABC2650041135D /* proto-smb.h */,
+				11DE129520ABC2650041135D /* proto-smb.c */,
 				119AB2042051FFED008E4DDD /* proto-memcached.c */,
 				119AB2052051FFED008E4DDD /* proto-memcached.h */,
 				11A921AC17DBCC7E00DDFD32 /* proto-arp.c */,
@@ -604,6 +609,7 @@
 				11A921F817DBCC7E00DDFD32 /* syn-cookie.c in Sources */,
 				11A921F917DBCC7E00DDFD32 /* templ-pkt.c in Sources */,
 				11A921FA17DBCC7E00DDFD32 /* xring.c in Sources */,
+				11DE129620ABC2650041135D /* proto-smb.c in Sources */,
 				11B2DD9E17DE4DD8007FC363 /* templ-payloads.c in Sources */,
 				11AC80ED17E0DAD4001BCE3A /* proto-http.c in Sources */,
 				11AC80EE17E0DAD4001BCE3A /* proto-icmp.c in Sources */,