|
|
@@ -1,7 +1,6 @@
|
|
|
package de.tudarmstadt.informatik.hostage.protocol;
|
|
|
|
|
|
import java.nio.ByteBuffer;
|
|
|
-import java.security.SecureRandom;
|
|
|
import java.util.ArrayList;
|
|
|
import java.util.Calendar;
|
|
|
import java.util.GregorianCalendar;
|
|
|
@@ -186,18 +185,6 @@ public class SMB implements Protocol {
|
|
|
timezoneBytes[0] = (byte) (timezone);
|
|
|
return timezoneBytes;
|
|
|
}
|
|
|
-
|
|
|
- /**
|
|
|
- * Generates a random byte[] of a specified size
|
|
|
- * @param size of the byte[]
|
|
|
- * @return random byte[]
|
|
|
- */
|
|
|
- private static byte[] randomBytes(int size) {
|
|
|
- byte[] bytes = new byte[size];
|
|
|
- SecureRandom rdm = new SecureRandom();
|
|
|
- rdm.nextBytes(bytes);
|
|
|
- return bytes;
|
|
|
- }
|
|
|
|
|
|
/**
|
|
|
* Denotes a SMB packet
|
|
|
@@ -206,7 +193,7 @@ public class SMB implements Protocol {
|
|
|
private static byte[] serverName = ProtocolSettings.getSmbName();
|
|
|
private static String[] serverVersion = ProtocolSettings.getSmbVersion();
|
|
|
private byte[] message = null;
|
|
|
- private static final byte[] serverGUID = randomBytes(16);
|
|
|
+ private static final byte[] serverGUID = HelperUtils.randomBytes(16);
|
|
|
private boolean authenticateNext = false;
|
|
|
//components of a SMB packet
|
|
|
private byte[] serverComp = new byte[4];
|
|
|
@@ -365,7 +352,7 @@ public class SMB implements Protocol {
|
|
|
if(!serverVersion[0].contains("Unix")) {
|
|
|
flags[3] = (byte) (flags[3] | 0x02);
|
|
|
}
|
|
|
- byte[] challenge = randomBytes(8);
|
|
|
+ byte[] challenge = HelperUtils.randomBytes(8);
|
|
|
byte[] reserved2 = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
|
|
|
byte[] targetInfoLength = {0x60, 0x00};
|
|
|
byte[] targetInfoMaxLength = {0x60, 0x00};
|
|
|
@@ -446,7 +433,7 @@ public class SMB implements Protocol {
|
|
|
byte[] andXCommand = {0x00, 0x00};
|
|
|
byte[] response = null;
|
|
|
//TODO
|
|
|
- if(str.contains("IPC$") || str.contains("DOCS")) {
|
|
|
+ if(str.contains("IPC$") || str.contains("C$")) {
|
|
|
wordCount = new byte[] {0x07};
|
|
|
andXCommand = new byte[] {(byte) 0xff};
|
|
|
byte[] reserved = {0x00};
|
|
|
@@ -462,7 +449,7 @@ public class SMB implements Protocol {
|
|
|
|
|
|
response = HelperUtils.concat(wordCount, andXCommand, reserved, andXOffset, optionalSupport, maxShareAccess,
|
|
|
guestMaxShareAccess, byteCount, service, extraParameters);
|
|
|
- } else if(str.contains("C$") || str.contains("ADMIN$")) {
|
|
|
+ } else if(str.contains("ADMIN$")) {
|
|
|
ntStat = new byte[] {0x22, 0x00, 0x00, (byte) 0xc0};
|
|
|
response = HelperUtils.concat(wordCount, andXCommand);
|
|
|
} else {
|
|
|
@@ -534,17 +521,17 @@ public class SMB implements Protocol {
|
|
|
} else if(transSub[0] == 0x00 && transSub[1] == 0x00) { //netShareEnumAll
|
|
|
byte[] wordCount = {0x0a};
|
|
|
byte[] totalParamCount = {0x00, 0x00};
|
|
|
- byte[] totalDataCount = {0x54, 0x01};
|
|
|
+ byte[] totalDataCount = {0x20, 0x01};
|
|
|
byte[] reserved = {0x00, 0x00};
|
|
|
byte[] paramCount = {0x00, 0x00};
|
|
|
byte[] paramOffset = {0x38, 0x00};
|
|
|
byte[] paramDisplace = {0x00, 0x00};
|
|
|
- byte[] dataCount = {0x54, 0x01};
|
|
|
+ byte[] dataCount = {0x20, 0x01};
|
|
|
byte[] dataOffset = {0x38, 0x00};
|
|
|
byte[] dataDisplace = {0x00, 0x00};
|
|
|
byte[] setupCount = {0x00};
|
|
|
byte[] reserved2 = {0x00};
|
|
|
- byte[] byteCount = new byte[2]/*= {0x55, 0x01}*/;
|
|
|
+ byte[] byteCount = new byte[2]/*= {0x21, 0x01}*/;
|
|
|
byte[] padding = {0x00};
|
|
|
|
|
|
byte[] dcerpc = new byte[24];
|
|
|
@@ -552,11 +539,10 @@ public class SMB implements Protocol {
|
|
|
byte[] levelPointer = {0x01, 0x00, 0x00, 0x00};
|
|
|
//TODO
|
|
|
byte[] ctr = {0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00};
|
|
|
- byte[] ctr1 = {0x04, 0x00, 0x00, 0x00, 0x04, 0x00, 0x02, 0x00, 0x04, 0x00, 0x00, 0x00};
|
|
|
+ byte[] ctr1 = {0x03, 0x00, 0x00, 0x00, 0x04, 0x00, 0x02, 0x00, 0x03, 0x00, 0x00, 0x00};
|
|
|
byte[] array1Pointer = {0x08, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, (byte) 0x80, 0x0c, 0x00, 0x02, 0x00};
|
|
|
byte[] array2Pointer = {0x10, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, (byte) 0x80, 0x14, 0x00, 0x02, 0x00};
|
|
|
- byte[] array3Pointer = {0x18, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1c, 0x00, 0x02, 0x00};
|
|
|
- byte[] array4Pointer = {0x20, 0x00, 0x02, 0x00, 0x03, 0x00, 0x00, (byte) 0x80, 0x24, 0x00, 0x02, 0x00};
|
|
|
+ byte[] array3Pointer = {0x18, 0x00, 0x02, 0x00, 0x03, 0x00, 0x00, (byte) 0x80, 0x1c, 0x00, 0x02, 0x00};
|
|
|
byte[] array1 = {0x07, 0x00,0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x41, 0x00, 0x44, 0x00, 0x4d, 0x00,
|
|
|
0x49, 0x00, 0x4e, 0x00, 0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
|
0x00, 0x00, 0x0d, 0x00, 0x00, 0x00, 0x52, 0x00, 0x65, 0x00, 0x6d, 0x00, 0x6f, 0x00, 0x74, 0x00,
|
|
|
@@ -564,21 +550,18 @@ public class SMB implements Protocol {
|
|
|
byte[] array2 = {0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x43, 0x00,
|
|
|
0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0e, 0x00,
|
|
|
0x00, 0x00, 0x44, 0x00, 0x65, 0x00, 0x66, 0x00, 0x61, 0x00, 0x75, 0x00, 0x6c, 0x00, 0x74, 0x00,
|
|
|
- 0x20, 0x00, 0x73, 0x00, 0x68, 0x00, 0x61, 0x00, 0x72, 0x00, 0x65, 0x00, 0x00, 0x00};
|
|
|
- byte[] array3 = {0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x64, 0x00, 0x6f, 0x00, 0x63, 0x00,
|
|
|
- 0x73, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
|
|
|
- 0x00, 0x00, 0x00, 0x00};
|
|
|
- byte[] array4 = {0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x00,
|
|
|
+ 0x20, 0x00, 0x73, 0x00, 0x68, 0x00, 0x61, 0x00, 0x72, 0x00, 0x65, 0x00};
|
|
|
+ byte[] array3 = {0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x00,
|
|
|
0x00, 0x00, 0x49, 0x00, 0x50, 0x00, 0x43, 0x00, 0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0b, 0x00,
|
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x00, 0x00, 0x52, 0x00, 0x65, 0x00, 0x6d, 0x00,
|
|
|
0x6f, 0x00, 0x74, 0x00, 0x65, 0x00, 0x20, 0x00, 0x49, 0x00, 0x50, 0x00, 0x43, 0x00, 0x00, 0x00};
|
|
|
- byte[] totalEntries = {0x00, 0x00, 0x04, 0x00, 0x00, 0x00};
|
|
|
- byte[] referentID = {0x28, 0x00, 0x02, 0x00};
|
|
|
+ byte[] totalEntries = {0x00, 0x00, 0x03, 0x00, 0x00, 0x00};
|
|
|
+ byte[] referentID = {0x20, 0x00, 0x02, 0x00};
|
|
|
byte[] resumeHandle = {0x00, 0x00, 0x00, 0x00};
|
|
|
byte[] windowsError = {0x00, 0x00, 0x00, 0x00};
|
|
|
int tmp = padding.length + dcerpc.length + levelPointer.length + ctr.length + ctr1.length
|
|
|
- + array1Pointer.length + array2Pointer.length + array3Pointer.length + array4Pointer.length + array1.length
|
|
|
- + array2.length + array3.length + array4.length + totalEntries.length + referentID.length + resumeHandle.length
|
|
|
+ + array1Pointer.length + array2Pointer.length + array3Pointer.length + array1.length
|
|
|
+ + array2.length + array3.length + totalEntries.length + referentID.length + resumeHandle.length
|
|
|
+ windowsError.length;
|
|
|
byte[] tmp2 = ByteBuffer.allocate(4).putInt(tmp).array();
|
|
|
byteCount = new byte[] {tmp2[3], tmp2[2]};
|
|
|
@@ -586,8 +569,8 @@ public class SMB implements Protocol {
|
|
|
|
|
|
response = HelperUtils.concat(wordCount, totalParamCount, totalDataCount, reserved, paramCount, paramOffset,
|
|
|
paramDisplace, dataCount, dataOffset, dataDisplace, setupCount, reserved2, byteCount, padding, dcerpc,
|
|
|
- levelPointer, ctr, ctr1, array1Pointer, array2Pointer, array3Pointer, array4Pointer,
|
|
|
- array1, array2, array3, array4, totalEntries, referentID, resumeHandle, windowsError);
|
|
|
+ levelPointer, ctr, ctr1, array1Pointer, array2Pointer, array3Pointer,
|
|
|
+ array1, array2, array3, totalEntries, referentID, resumeHandle, windowsError);
|
|
|
|
|
|
|
|
|
}
|
Wulf Pfeiffer