5iddlZddlZddlZddlZddlZddlmZddlmZddl Tddl m Z ddl m Z ddlmZddlmZmZdd lmZdd lmZdd lmZdd lmZmZmZdd lmZmZm Z m!Z!m"Z"m#Z#m$Z$m%Z%m&Z&m'Z'ddl(Tddl)Tddl*Tddl+Tddl,Tddl-m.Z.ddl/m0Z0ddl1m2Z2ddl3m4Z4ddl5m6Z6ddl7Tddl8m9Z9ddl8m:Z:ddl;mZ>ddl?m@Z@ddlAmBZBddlCmDZEddlCmFZGddlHmIZIGddejJZKGddZLGdd ZMGd!d"ZNGd#d$ZOd%ZPeQd&krCdd'lRmSZSejTd(d)ZUeSjVeUZWejXePeWdSdS)*N) Coroutine)logger)*)NetBIOSPacketizer) SMBCommand)NTStatus) SMBHeaderSMBHeaderFlags2Enum) SMBMessage)SMBSecurityMode)SMB_COM_NEGOTIATE_REQ) SMB2Message SMB2TransformSMB2Compression) SMB2ContextType SMB2PreauthIntegrityCapabilitiesSMB2HashAlgorithm SMB2CipherSMB2CompressionTypeSMB2CompressionFlagsSMB2EncryptionCapabilitiesSMB2CompressionCapabilitiesSMB2SigningAlgorithmSMB2SigningCapabilities) FileInfoClass) FileFullDirectoryInformationList)FileAttributes)SECURITY_DESCRIPTOR)SE_OBJECT_TYPE)hmac)hashlib)AESMODE_CCMMODE_GCM)AES_CMAC)KDF_CounterMode)compress) decompress) UniClientceZdZdZdZdZdZdS)SMBConnectionStatus NEGOTIATING SESSIONSETUPRUNNINGCLOSEDN)__name__ __module__ __qualname__r,r-r.r/G/home/kali/Ninja/venv/lib/python3.11/site-packages/aiosmb/connection.pyr+r+-s"  r4r+c*eZdZdZedZdS) TreeEntrycd|_d|_d|_d|_d|_d|_d|_d|_d|_dSN) share_nametree_id session_idnumber_of_usersis_DFSis_CA is_scaleoutencryptmaximal_accessselfs r5__init__zTreeEntry.__init__4sJ$/$,$/$$+$*$$,$r4ct}||_|jj|_|jj|_d|_tj |j j v|_ tj |j j v|_tj|j j v|_t"j|j jv|_|j j|_|SN)r7r:headerTreeIdr; SessionIdr<r=TreeCapabilitiesSMB2_SHARE_CAP_DFScommand Capabilitiesr>&SMB2_SHARE_CAP_CONTINUOUS_AVAILABILITYr?SMB2_SHARE_CAP_SCALEOUTr@ ShareFlagsSMB2_SHAREFLAG_ENCRYPT_DATArA MaximalAccessrB)replyr:tes r5from_tree_replyzTreeEntry.from_tree_reply?s{{""-|""*,("-"1U]5OO")  D Hb b"(#;u}?YY".59QQ"*m1" )r4N)r0r1r2rE staticmethodrWr3r4r5r7r73s>      ,    r4r7c*eZdZdZedZdS) FileHandlecd|_d|_d|_d|_d|_d|_d|_tjd|_ dSrG) file_idr; oplock_level is_durable is_resilientlast_disconnect_time file_nameasyncio SemaphoreoplockrCs r5rEzFileHandle.__init__NsL$,$,$$/$"$$.!!$$$+++r4ct}|jj|_||_||_d|_d|_d|_||_ |S)NFr) rZrNFileIdr\r;r]r^r_r`ra)rUr;rar]fhs r5from_create_replyzFileHandle.from_create_replyXsG||"}#"*"* "/"-"/"", )r4N)r0r1r2rErXrhr3r4r5rZrZMs>%%%   ,    r4rZc4eZdZd dZdZdZdZdZdZd S) SMBPendingMsgdcZ||_||_||_||_||_d|_dSr9) message_id max_renewaltimeoutOutstandingResponsesOutstandingResponsesEvent pending_task)rDrnrqrrrpros r5rEzSMBPendingMsg.__init__es6$/ $$,2$#<$ $r4cKtjdd{V|td{VdS)Nrk)rbsleep_SMBPendingMsg__destroy_messageSMBPendingTimeoutrCs r5__pending_waiterzSMBPendingMsg.__pending_waiterms[ d 02233333333333r4cKd|f|j|j<|j|jvr$|j|jdSr9)rqrnrrset)rDproblems r5__destroy_messagezSMBPendingMsg.__destroy_messageqsJ04g$DO, _666!$/266888&r4c2K|j|j|jB|xjdzc_|jdkr'|t d{Vt j||_dS)NrHr)rscancelrorvSMBPendingMaxRenewalrb create_task_SMBPendingMsg__pending_waiterrCs r5updatezSMBPendingMsg.updatews " !q !  !5!7!7 8 88888888)$*?*?*A*ABB$r4c`Ktj||_dSr9)rbrrrsrCs r5runzSMBPendingMsg.runs+)$*?*?*A*ABB$r4cNK|j|jdSdSr9)rsr~rCs r5stopzSMBPendingMsg.stops2 "#"r4N)rkrl) r0r1r2rErrvrrrr3r4r5rjrjdsy444   C C CCCCr4rjceZdZdZd5dededefdZdZd Zd Z d Z d Z d Z dZ dZdZdZdZdefdZd6dZd6dZdeeeeffdZdefdZdedefdZdefdZd7defdZde fd Z!e"j#e$j%ddfd!e&d"e"fd#Z'd8d%Z(d9d&Z)e*j+e,j-d$d$d'fd(Z.d)d$e,j/dd$fd*Z0de1j2d+fd,Z3e4j5fd-Z6d.Z7d/Z8d0Z9d1Z:d2Z;d3Zt~j@|_Ad|_Bd|_Cd|_Dd|_E tjGg|_Ed|_HtjJg|_Kd|_LtjN|_Od|_PdS)NTFris@)Qrgssapioriginal_gssapicopydeepcopyrpreferred_dialectssupported_dialectssettingsnetwork_connectionnetbios_transport incoming_taskkeepalive_taskkeepalive_timeoutconnection_closed_evtlogin_oksupress_keepalive activity_atselected_dialectsigning_requiredencryption_requiredr+r,statusrrOutstandingRequestsrq pending_tablemessageIdToOplockTreeConnectTable_idTreeConnectTable_shareFileHandleTableSequenceWindowMaxTransactSize MaxReadSize MaxWriteSize ServerGuidRequireSigning ServerNameGUIDrandom ClientGUIDSupportsFileLeasingSupportsMultiCreditSupportsDirectoryLeasingSupportsMultiChannelSupportsPersistentHandlesSupportsEncryptionClientCapabilitiesServerCapabilitiesNegotiateSecurityModeNONEClientSecurityModeSMB2_NEGOTIATE_SIGNING_ENABLEDSMB2_NEGOTIATE_SIGNING_REQUIREDServerSecurityModerK SessionKey SigningKeyApplicationKey EncryptionKey DecryptionKeyCompressAllRequestsrSHA_512PreauthIntegrityHashIdPreauthIntegrityHashValue CompressionIdCipherIdCompressionIdsrLZNT1SupportsChainedCompressionr AES_128_CCMsupported_encryptionssupported_signaturesr!sha512 preauth_ctxsession_closed)rDrrrrs r5rEzSMBConnection.__init__s$+$+$-//4$+ !K:$$- $$$$$#$$- $$$$"$#/$+#%$ $ $$$ $ "$$$8< 8S8_44em$04 0G0ST[,,Ya$26+2J2Vdk..\d$$/$$/KKMM$/#$"$"'$#$#($ !$$$16$ u__2QTiUJJ4$$.$/$/$$$#$!2 9$#-$ $$-$5-344$)$! * 67$"$^$ $r4c K|Sr9r3rCs r5 __aenter__zSMBConnection.__aenter__s +r4cfKtj|dd{VdS)Nrp)rbwait_for terminate)rDexc_typeexc tracebacks r5 __aexit__zSMBConnection.__aexit__s>))Q777777777777r4cr|jtjtjtjfvr|jS|jSr9)rNegotiateDialectsSMB300SMB302SMB311rrrCs r5get_session_keyzSMBConnection.get_session_keys4 07:K:RUfUmnnn   r4c |j}||}n#tjd}YnxYw|j(|t j|jvt j|jvdSdS)N) ntlm_datasigning_enabledr) rget_extra_infoto_dictr print_excrrrr)rDrs r5rzSMBConnection.get_extra_infos{))++9!!##I 999 (-LPTPgg.NRVRii   s /2A cZ K |j23d{V}tj|_|/t |j|jnd|ddkrtd|dz|ddkrtj |}|j j tjkr^t|jt"|j jddd }||j|d d |j j}n|j j tjkr\t|jt.|j jdd }||j|d d |j j}ntd |j j z|ddkrt1j |}|j jt4jkr|j j|jkrt=jd|j jt@j!krE|jd|j j"}|tG|j|j j"dz }|}n0td|j jj$ztd|ddkrtKj |}|ddkrtMj |}|j j'tPj)kr|j j*|j+vr)|j+|j j*,t[|j j*|j.|j/|jj0|jj1|j2|j j*<|j2|j j*3d{V|j j*|j2vrA|j2|j j*4d{V|j2|j j*=||f|j.|j j*<|j j*|j/vr+|j/|j j*5Y[6n#tlj7$rYt=jdtdz|j/D]:}dtdf|j.|<|j/|5;|8d{VdSt=j9dYnxYwt=jdtdz|j/D]:}dtdf|j.|<|j/|5;|8d{VdS#t=jdtdz|j/D]:}dtdf|j.|<|j/|5;|8d{VwxYw)z Waits from SMB message bytes from the transport in_queue, and fills the connection table. This function started automatically when calling connect. Pls don't touch it. NzUnknown targetrzUnknown SMB packet type %s  segment_size4 z7Common encryption algo is %s but it is not implemented!zFServer is using a different compression algo than whats agreed upon...z5Server used %s compression, but it is not implementedz=Server sent chained compression, but its not implemented here)rproz1__handle_smb_in got error from transport layer %szConnection closed__handle_smb_in):rreaddatetimeutcnowrSMBConnectionTerminatedrget_hostname_or_ip Exceptionr from_bytesrIEncryptionAlgorithmrrr"rr#Noncedecryptdata Signature AES_128_GCMr$rFlagsrrCompressionAlgorithmrrdebugrrOffsetlznt1_decompressnamerr StatusrPENDING MessageIdrreleaserjrqrrPendingTimeoutPendingMaxRenewalrrrrzrbCancelledErrorr exception)rDmsg_datamsgctxuncompressed_datamids r5rzSMBConnection.__handle_smb_insM T05577FFFFFFFX(//11D "t{G^4;#A#A#C#C#Cdt u uu{S 1HQK? @ @@{d  #H - -S &**@@@ "Hcj.>ss.CRT U U UcSXx2 8LMMhh * (J,B B B "Hcj.>ss.C D DcSXx2 8LMMhh ORUR\Rpp q qq{d  %h / /S 0555  (D,> > > |\]]]  (,?,E E E8$6SZ%6$67,SXcj6G6H6H-IJJJ#xx NQTQ[QpQuu v vv U V VV{d  !( + +S{d   * *S  zH,,,  666 SZ12::<<<0=cj>RTXTmospNZ^ZeZtBFBMB_1`1`1`T ,-  cj2 3 7 7 9 99999999  zt111  cj2 3 8 8 : :::::::: CJ0 17:HoDcj23 zt=== #CJ$89==????M87P       <CiPcFdFddeee,..s&*I6I,J,J%KDc""3'++----   ' %&&&&& <CiPcFdFddeee,..s&*I6I,J,J%KDc""3'++----     <CiPcFdFddeee,..s&*I6I,J,J%KDc""3'++----   s5Q:Q8QQ:9V(:T# V( T#!V((BX*cK |d{V\}}|||d{V\}}|||d{V\}}||tj||_d|_dS#t$r(}| d{Vd|fcYd}~Sd}~wwxYw)a This is the normal starting function. Performs establishment of the TCP connection, then the negotiation and finally the session setup. If this function returns without an exception, then I'm happy. Also it means that you have a working and active session to the server. NTTNF) connect negotiate session_setuprbr keepaliverrr disconnectrD_erres r5loginzSMBConnection.logints,,.. 61c o I.."" " " " " " "61c o I$$&& & & & & & &61c o I ,T^^-=-=>>44= *     (??????sBB C %CC C cK d|jjvrtd|d{V\}}|||d{V\}}|||dd{V\}}|||jdf|d{VS#t$r(}d|fcYd}~|d{VSd}~wwxYw#|d{VwxYw)Nz2NTLMSSP - Microsoft NTLM Security Support Providerz6Fake authentication is only supported via NTLM packageT) fake_auth)rauthentication_contextsrrrrrrrs r5 fake_loginzSMBConnection.fake_logins{:$+Beee L M MM,,.. 61c o I.."" " " " " " "61c o I$$$66 6 6 6 6 6 661c o I + $ $ & & ,     '>>>>>      s0BB;; C-C(C- C0(C--C00D cK ||_|d{V\}}||d}d}|dd{V\}}}t|tr1t j|jjv}t j |jjv}nEt|tr0tj |jjv}tj |jjv}||||||df|d{VS#t$r+}dddd|fcYd}~|d{VSd}~wwxYw#|d{VwxYw)z Checks if the remote end supports a given protocol. On success it returns True and the reply from the server (for checking SMB3 capabilities) NT) protocol_testF)rrr isinstancerrrrN SecurityModerr r %NEGOTIATE_SECURITY_SIGNATURES_ENABLED&NEGOTIATE_SECURITY_SIGNATURES_REQUIREDrr) rDprotocolr r!sign_ensign_reqresrplyr"s r5r)zSMBConnection.protocol_tests %4,,.. 61c o I 78...>>>>>>>>>3c{##c#BdlF__G$D HaaHH4$$cCt|G``GEIbbH o I w$ ,    %%% tT1 $$$$$$   %   s0C!D D5 D0D5D80D55D88EcK tj|_t|j}t |j|}|d{V|_tj | |_ dS#t$r(}| d{Vd|fcYd}~Sd}~wwxYw)zh Establishes socket connection to the remote endpoint. Also starts the internal reading procedures. NrF)rbEventrrrr)rrrr_SMBConnection__handle_smb_inrrr)rD packetizerclientr"s r5rzSMBConnection.connects  ' 4!$"233: dk: . .6#)>>#3#33333334+D,@,@,B,BCC4 *     (??????sB B CB>8C>Cc^K|jtjkrdStj|_|j|j|j9|jd{Vtjdd{V|j |j dSdS)z Tears down the socket connecting as well as the reading cycle. Doesn't do any cleanup! For proper cleanup call the terminate function. Nr) rr+r/rr~rcloserbrurrCs r5rzSMBConnection.disconnects  ['... 6#*$+ # ( & & ( (((((((( q   $%$r4cFK d}|jjdkrdS|jjdkrt|jjdz |} tj|d{Vt j|jz j|kr<|j dur3tj | |j d{V#tj $rYdSt$r9}tjd|d{VYd}~dSd}~wwxYw) zR Sends an echo message every X seconds to the server to keep the channel open rNrHTFrz/Keepalive failed! Server probably disconnected!)rrpmaxrbrurrrsecondsrrechorrrrrr)rD sleep_timer"s r5rzSMBConnection.keepalivese: kA F aT[(1,j99JK - # ########  ""T%55>KKPTPfjoPoPo  DIIKK43I J J JJJJJJJJK      66  <ABBB   s#C B4C D  D '.DD rctj}||j|z||_dSr9)r!rrrdigest)rDrrs r5update_integrityzSMBConnection.update_integritys?#**T +h 6777#&::<<$   r4c K d}tj|jvr>t}tj|_tj|_ d|_ tj |_ t}|dur dg|_n ddg|_t!||}||d{V\}}||||d{V\}}}||t'|t r-|dur|jjdkrd|dfSd|dfSt-d |jj tjkrt-d |jtj=t1}|j|_d|_|j|_d |jD|_t=d |jDrt>j |_tj!|jvr|j"#tIj%|j&g|j'K|xjt>j zc_|j"#tQj)|j'|j*1|j"#tWj)|j*|j,7|j"#t[j.|j,|j/ta}tbj2|_d|_3ti||}||d{V\}}||||d{V\}}}||t'|t rt-d |5||jj tjkrR|jj tj6krt-d |jj zt-d|jj z|jj7|jvrtq|jj7|_9|jj|_:tvj<|jjv|_=|j>durd|_=t>j |jjvrd|_?tjA|_B|jj"D]W} | jCtjEkrd|_?| jFd|_B| jCtjGkr| jHd|_IXtjKdd|j9zt|jM|jjM|_Mt|jN|jjN|_Nt|jO|jjO|_O|jjP|_Pt>jQ|jjv|_Rt>jS|jjv|_Tt>jU|jjv|_V|jj|_W|jj|_XtjZ|_[|jN|j\j]_^|durd|dfSdS#t,$r} |durYd} ~ dSd| fcYd} ~ Sd} ~ wwxYw)zj Initiates protocol negotiation. First we send an SMB_COM_NEGOTIATE_REQ with our supported dialects NrTz NT LM 0.12z SMB 2.???z SMB 2.002Fz7Server replied with SMBv1 message, doesnt support SMBv2zz+SMBConnection.negotiate..2sMMM'gMMMr4c3(K|] }|tvVdSr9)SMB2_NEGOTIATE_DIALTECTS_3rFs r5 z*SMBConnection.negotiate..6s( W WG'/ / W W W W W Wr4zDnegotiate_1 dialect probably not suppported by the server. reply: %sznegotiate_1 reply: %srHzServer selected dialect: %sr)FNN)_rWILDCARDrr rSMB_COM_NEGOTIATECommandrSUCCESSr rr SMB_FLAGS2_UNICODEFlags2r Dialectsr sendSMBrecvSMBr*rN DialectIndexrrI NEGOTIATE_REQrr+rOr ClientGuidallNegotiateCapabilities ENCRYPTIONrNegotiateContextListappendr constructrrr from_enc_listrrrrfrom_comp_listrSMB2Header_SYNC SMB2Command NEGOTIATE CreditReqrrB NOT_SUPPORTEDDialectRevisionSMBUnsupportedDialectSelectedrrrrrrrrrr ContextTyperENCRYPTION_CAPABILITIESCiphersCOMPRESSION_CAPABILITIESCompressionAlgorithmsrrlogminrrrr MULTI_CHANNELrLEASINGr LARGE_MTUrrrr+r-rrr6 buffer_size) rDr)r2rIrNrrnr! rply_datanegctxr"s r5rzSMBConnection.negotiatesl _ 4 D$;;; [[F 2FN&FMFL)G$"999  ''%/ "#  !- 2== !(( . !   , !((+   & !((!0  &   6 *6>6 VW % %3<<,,,,,,,,?:s o I $ Z 8 88888884C o Iz""O M N NN### kH,,, {X333 [^b^i^pp q qq ,t{/AA B BB l"$*AAA ' ) ))<74!\640OSWS_Sll4 kT!D&$,*CCC#D*DM2::v _DDD $T^A&T] _EEE 6q9T :a.1FFGGGd2DL4PQQ4$*DL,DEE44,dl.GHH4\,4?4BdlF__43;t|?XX43=AZZ4!\64!\64$14;484D4%1t t  * t       (??????s1DY YT/Y Y" YYY"Y"c0 K d}tj}d}|tjkrD|dkr=t} |j||j|jd{V\|_}}|||dkr|jj|jjj dSnV#t$rI}t| ddkrtt||d}~wwxYwd|_tj|_|jdurtj|_d|_d|_d|_t/} t0j| _d| _t9| |} || d{V\} }|||| d{V\} } }|||jdkr| j j|_| j j!tj"tjfvrnc| j j!tj"kr|#| | j$j}| j j!}|dz}|tjkr|dk=| j j!tj"kr|j||j d{V\|_}}|||j%durd |_&|j'dd |_(|j&r5|j)tTj+tTj,tTj-fvr |j)tTj-krt]|j(d |j/d |_0t]|j(d|j/d |_1t]|j(d|j/d |_2t]|j(d|j/d |_3npt]|j(ddd |_0t]|j(ddd |_1t]|j(ddd |_2t]|j(ddd |_3thj5|_6ntod| j j!dS#t$r}d |fcYd}~Sd}~wwxYw)Nrr)spnrTrPreauthrH)rvFrsSMBSigningKeys SMBAppKeysSMBC2SCipherKeysSMBS2CCipherKeys SMB2AESCMACsSmbSignsSMB2APPsSmbRpcs SMB2AESCCMs ServerIn s ServerOutz.session_setup (authentication probably failed))8rMORE_PROCESSING_REQUIREDSESSION_SETUP_REQr authenticaterto_target_stringBufferselected_authentication_context ntlmChallengerstrfindSMBKerberosPreauthFailedrrrr+rrrOChannelPreviousSessionIdrarb SESSION_SETUPrOrdr rTrUrKrIr rPrBrNis_guestrrrrrrrrr&rrrrrr+r.r SMBException)rDr%authdatarmaxiterrNr1r!r"rIrrnr2rss r5rzSMBConnection.session_setupsZ8  -6 7 84 4 41!!G '+{'?'?dkNjNjNlNluyvA'?(B(B"B"B"B"B"B"BW^S#  iT  4 @T[EpE~FKj  A I"$$ $SVV , ,, g GM0OG {d16WGGO#$G   F!/FNF VW % %C LL--------OJ  Y!%j!9!9999999D)S  Y ~k+T^ {("2H4U!VVV  {X--- 9%%%|"H [ F qLGe 84 4 41h kH,,,&*k&>&>xT[MiMiMkMk&>&l&l l l l l l lGNC  Y {%%"Tk1133CRC8DO  h!6;L;SVgVnrCrJ;K"K"K !2!999,T_>RTXTrtwxxdo,T_>NPTPnpsttd,T_>TVZVtvyzzd,T_>TVZVtvyzzd,T_>PR`beffdo,T_nm]`aad,T_>OQacfggd,T_>OQacfggd%-DKK GI[ \ \\ *  (??????sC6Q=A/B-,Q=- D7AC;;DM;Q== RR RRreturnc K ||jvr%|j|d{V|j|\}}|||jt jkr2|jtj kr|xj |j j dz z c_ |j j tjkr||jvr|j|=n|j|||dfS#t"$r}dd|fcYd}~Sd}~wwxYw)zo Returns an SMB message from the outstandingresponse dict, OR waits until the expected message_id appears. NrH)rqrrwaitpoprr+r,rrSMB202rrI CreditCharger rr clearr)rDrnrrr"s r5rUzSMBConnection.recvSMBs8111  ( 4 9 9 ; ;;;;;;;;,00<<=3 k N k(444  1 888 SZ4q89 j8+++T333 ' 3":.44666 x   a-sC%C** D4C>8D>Drc|jtjtjfvr|jr|jjtjz |j_tj |j| tj }|dd|j_dSdS|jrE| }t#|j|t%|}||j_dSdS)Nr)rrrSMB210rrIrSMB2HeaderFlagSMB2_FLAGS_SIGNEDr newto_bytesr!sha256rArrr%len)rDrrAr signatures r5 sign_messagezSMBConnection.sign_message!s 079J9QRRR o'z'.*JJCJ Xdos||~~w~ F F M M O OF!#2#;CJ''  o%||~~H(CMMBBI$CJ%%r4c@|jtjkrtd}t }|dz|_t||_|j|_ |j |_ t|j t|d}|||dd\}|_n|jtjkrtd}t }|dz|_t||_|j|_ |j |_ t|j t$|}|||dd\}|_t'||S) Nrsrrrrrs)rrrosurandomSMB2Header_TRANSFORMrrOriginalMessageSizerrKr"rr#rArrrr$r)rDrnoncehdrrenc_datas r5encrypt_messagezSMBConnection.encrypt_message5sI ]j,,, ::b>>5   3 $39 ]]3!]3>3= T 5r B B B3 [[3<<>>"R%3HII8S]] } ... ::b>>5   3 $39 ]]3!]3>3= T 5 1 13 [[3<<>>"R%3HII8S] sH % %%r4c|}|jdur|jtjkr|}n<|jtjkrt |}ntd|jzt}t||_ |j|_ tj|_ d|_t||Std)NFz6Common compression type is %s but its not implemented!rz$Chained compression not implemented!)rrrrrrlznt1_compressr SMB2Header_COMPRESSION_TRANSFORMrOriginalCompressedSegmentSizerrrrr)rDrrcompressed_datacomp_hdrs r5compress_messagezSMBConnection.compress_message_s \\^^( $-- /444OO 1777$X..OO LtOaa b bb.008,/MM8)#'#58 (-8>8? (O 4 44 9 : ::r4NcK tj|_|jtjkrt |trd}|xjdz c_ngd|j _ d|j _ |j|j _ |j}|xjdz c_| |tj|j|<|j|d{V|dfS|j jt*jur!|j|j _ |xjdz c_|j|j _|j j s d|j _ |jtjkr d|j _ |j j }||j|j|<|j|j||}|jdur|||j dur/|j(|!|}n'| |tj|j|<|j|d{V|dfS#tD$r}d|fcYd}~Sd}~wwxYw)zp Sends an SMB message to teh remote endpoint. msg: SMB2Message or SMBMessage Returns: MessageId integer rrHNT)#rrrrr+r,r*r rrIrrdr rBrrbr4rrrwriterOrbCANCELrKr-rdrrrrrrrrr)rDrrgrnr"s r5rTzSMBConnection.sendSMBts 6'..004 k(444#z"" +Z A SZSZ /SZ%Z A 3<<>>***18D":.  ! ' '  7 77777777 t  j 222.CJ1.3: * ! CJ k(555CJ $:n)+D:& $);)G    $ $C t##c $&&4+=+I   s||~~ . .CC #,,..)))07 4!*- & &s||~~ 6 66666666 d   '>>>>>>s%DJ-FJ-- K7K:KKr:cK |jdks|jtjkrt |t dt }||_d|_t}tj |_ t||}||d{V\}}||||d{V\}}}|||jjt$jkr=t(||} | |j|jj<| |j|<| dfS|jjt$jkrt5|jjt$jkr!d|_t9dt$jt9d|jj#t $r} d| fcYd} ~ Sd} ~ wwxYw)ze share_name MUST be in "\\server\share" format! Server can be NetBIOS name OR IP4 OR IP6 OR FQDN TNzShare name is None!rzsession delted)rrr+r/rrTREE_CONNECT_REQPathrrarb TREE_CONNECTrOr rTrUrIr rrPr7rWrrJrBAD_NETWORK_NAMESMBIncorrectShareNameUSER_SESSION_DELETEDr) rDr:rNrIrrnr!r2r rVr"s r5 tree_connectzSMBConnection.tree_connects) T!!T[4G4N%N%N ! # ## ) * **   77<7=   6 -6> FG $ $3<<,,,,,,,,?:s o I Z00000000<4C o I kH,,,  " "4 4 4B35DT[/0.0D + t8O h777  ! !! h;;;D ')F G GG r4;- . ..  '>>>>>>s%D%F'*A=F'' F?1F:4F?:F? file_attrsimpresonation_levelc @K |jdks|jtjkrt ||jvrt d|zt} | | _|| _ || _ || _ || _ || _ || _|| _| | _t#} t$j| _|| _t-| | }||d{V\}}||||d{V\}}}|||jjt6jkrTt:|||| }||j|j <| dkr|j!j"|j!dfS|j!j"dfS|jjt6j#kr,tId|jjj%z|jjtId|jjj%z|jj#t $r}| dkr dd|fcYd}~Sd|fcYd}~Sd}~wwxYw)NTUnknown Tree ID! %s%s)&rrr+r/rrr CREATE_REQRequestedOplockLevelImpersonationLevel DesiredAccessr ShareAccessCreateDisposition CreateOptionsName CreateContextrarbCREATErOrJr rTrUrIr rrPrZrhrr\rNrf ACCESS_DENIEDrr )rDr; file_pathdesired_access share_modecreate_optionscreate_dispositionrrr]create_contexts return_replyrNrIrrnr!r2r rgr"s r5createzSMBConnection.createsQ1 T!!T[4G4N%N%N ! # ## T--- )G3 4 44 \\7#/7!47,7 *7(7%77"077<*7   6 '6>6= FG $ $3<<,,,,,,,,?:s o I Z00000000<4C o I kH,,,  % %dGY M MB')D$t L t 33 <  $$ h444 tdk055t{7I J JJ tdk055t{7I J JJ d q= '>>>>>>s7E0G55 G5A2G55 H? H HHHHrcK |jdks|jtjkrt ||jvrt d|z||jvrt d|z|j|j4d{Vt}tj |_ ||_ |jtjkr|jdkrd|dz dzz|_nt'd|}t)}||_||_||_d|_d|_t5||}|||j|d{V\}} | | ||d{V\} } } | | | jjt>j kr+| j!j"| j!j#dfcdddd{VS| jjt>j$kr dddd{Vd S| jjt>j%kr!| j!j"ddfcdddd{VStMd | jj#1d{VswxYwYdS#t $r} dd| fcYd} ~ Sd} ~ wwxYw) a Will issue one read command only then waits for reply. To read a whole file you must use a filereader logic! returns the data bytes and the remaining data length IMPORTANT: remaning data length is dependent on the length of the requested chunk (length param) not on the actual file length. to get the remaining length for the actual file you must set the length parameter to the correct file size! If and EOF happens the function returns an empty byte array and the remaining data is set to 0 TrUnknown File ID! %sNrHrrg)r4rNzSMB READ Error!)'rrr+r/rrrrrdrarbREADrOrJrrrrrrnREAD_REQLengthrrf MinimumCountRemainingBytesr rTrUrIr rrPrNr~ DataRemaining END_OF_FILEBUFFER_OVERFLOWr) rDr;r\offsetlengthrIrNrrnr!r2r r"s r5rzSMBConnection.reads4 T!!T[4G4N%N%N ! # ## T--- )G3 4 44 T))) )G3 4 44"7+2(?(?(?(?(?(?(?(?   F!&FNFM   1 888T=UY]=]=]&1*!66V%VjjGGNGNGNGG VW % %C LL43G3PLQQQQQQQQOJ  Yj11111111LD!S  Y {X--- L !;T A=(?(?(?(?(?(?(?(?(?(?(?(?(?(?@  x3 3 3 C(?(?(?(?(?(?(?(?(?(?(?(?(?(?F  x7 7 7 L D (K(?(?(?(?(?(?(?(?(?(?(?(?(?(?P )4;+= > >>Q(?(?(?(?(?(?(?(?(?(?(?(?(?(?(?(?T  a-saA>>>>>sIAI I rc|K |jdks|jtjkrt ||jvrt d|z||jvrt d|zt}||_ ||_ ||_ ||_ ||_ ||_t} t j| _|| _t)| |} || d{V\} } | | || d{V\} }} | | | jjt2jkr|t6jkr,t;j| jjt@j!dfS|t6j"kr>|tj#kr tIj| jjdfS| jjdfS|t6j%kr| jjdfS|t6j&kr| jjdfS| jjdfStOd| jj#t $r}d|fcYd}~Sd}~wwxYw)a Queires the file or directory for specific information. The information returned is depending on the input parameters, check the documentation on msdn for a better understanding. The resturned data can by raw bytes or an actual object, depending on wther your info is implemented in the library. Sorry there are a TON of classes to deal with :( IMPORTANT: in case you are requesting big amounts of data, the result will arrive in chunks. You will need to invoke this function until None is returned to get the full data!!! TrrN) object_typer)(rrr+r/rrrrQUERY_INFO_REQInfoTyperAdditionalInformationrrfrrarb QUERY_INFOrOrJr rTrUrIr rrP QueryInfoTypeSECURITYrrrNrSE_FILE_OBJECTFILEFileFullDirectoryInformationr FILESYSTEMQUOTAr)rDr;r\ info_typeinformation_classadditional_informationflagsdata_inrNrIrrnr!r2r r"s r5 query_infozSMBConnection.query_infose: T!!T[4G4N%N%N ! # ## T--- )G3 4 44 T))) )G3 4 44   77,7#97 7=7>7<   6 +6>6= FG $ $3<<,,,,,,,,?:s o I Z00000000<4C o I kH,,,M***  *4<+<.Jg h h hjn nn m( ( (]GGG - 89J K KT QQ\  $$ m. . . L t ## m) ) ) L t ## L t ## r4;- . ..  '>>>>>>sBE,H#1?H#1 H#?H#H#; H# H## H;-H60H;6H;rcK |jdks|jtjkrt ||jvrt d|z||jvrt d|zt}||_ d|_ |dkr|xj tj zc_ ||_ ||_||_t!} t"j| _|| _t+| |} || d{V\} } | | || d{V\} }} | | | jjt4jkr>|t8jkr t=j| j j!dfS| j j!dfS| jjt4j"krdSt d| jjz#t $r}d|fcYd}~Sd}~wwxYw)z IMPORTANT: in case you are requesting big amounts of data, the result will arrive in chunks. You will need to invoke this function until None is returned to get the full data!!! TrrrN)NNzquery_directory reply: %s)#rrr+r/rrrrQUERY_DIRECTORY_REQFileInformationClassrQueryDirectoryFlagSMB2_INDEX_SPECIFIED FileIndexrfFileNamerarbQUERY_DIRECTORYrOrJrrTrUrIr rrPrrrrrNr NO_MORE_FILES)rDr;r\search_pattern resume_indexr maxBufferSizerrNrIrrnr!r2r r"s r5query_directoryzSMBConnection.query_directorys  - T!!T[4G4N%N%N ! # ## T--- )G3 4 44 T))) )G3 4 44! " "7#477=a MM'<$7   6 06>6= VW % %3<<,,,,,,,,?:s o I Z00000000<4C o I kH,,,MFFF , 7 8I J JD PP L t ## h444 : /$+2DD E EE  '>>>>>>s0E9G> G G(G GGGGrDcK |jdks|jtjkrt t }||_||_||_||_ ||_ t}tj |_||_t!||} || d{V\} } | | || d{V\} } } | | | jj dfS#t($r}d|fcYd}~Sd}~wwxYw)NT)rrr+r/r IOCTL_REQCtlCoderfrr~MaxOutputResponserarbIOCTLrOrJrrTrUrNr)rDr;r\ctlcoderrrrNrIrrnr!r2r r"s r5ioctlzSMBConnection.ioctls3 T!!T[4G4N%N%N ! # ## [[77?7>7=7>07   6 &6>6= VW % %3<<,,,,,,,,?:s o I Z00000000<4C o I , t ##  '>>>>>>sC'C,, D6C?9D?Dc"K |jdks|jtjkrt t }||_||_t}tj |_ ||_ t||}||d{V\}}||||d{V\} } }||| jjt$jkr||jvr|j|=dS#t*$r} d| fcYd} ~ Sd} ~ wwxYw)z{ Closes the file/directory/pipe/whatever based on file_id. It will automatically remove all traces of the file handle. TNr)rrr+r/r CLOSE_REQrrfrarbCLOSErOrJrrTrUrIr rrPrr) rDr;r\rrNrIrrnr!r2r r"s r5r9zSMBConnection.close"s@ T!!T[4G4N%N%N ! # ## [[77=7>   6 &6>6= VW % %3<<,,,,,,,,?:s o I Z00000000<4C o I kH,,,$&&& g & *  '>>>>>>sC0C66 DD D DcK |jdks|jtjkrt t }||_t}tj |_ ||_ t||}| |d{V\}}||||d{V\}} }||dS#t$r} d| fcYd} ~ Sd} ~ wwxYw)zK Flushes all cached data that may be on the server for the given file. TNr)rrr+r/r FLUSH_REQrfrarbFLUSHrOrJrrTrUr) rDr;r\rNrIrrnr!r2r r"s r5flushzSMBConnection.flushBs  T!!T[4G4N%N%N ! # ## [[77>   6 &6>6= VW % %3<<,,,,,,,,?:s o I Z00000000<4C o I *  '>>>>>>sB>C CCCCcK |jdks|jtjkrt t }t }tj|_ t||}| |d{V\}}||| |d{V\}}}||dS#t$r}d|fcYd}~Sd}~wwxYw)z Logs off from the server, effectively terminates the session. The underlying connection will still be active, so please either clean it up manually or dont touch this function For proper closing of the connection use the terminate function TNr)rrr+r/r LOGOFF_REQrarbLOGOFFrOrrTrUr rDrNrIrrnr!r2r r"s r5logoffzSMBConnection.logoff\s  T!!T[4G4N%N%N ! # ## \\7   6 '6> VW % %3<<,,,,,,,,?:s o I Z00000000<4C o I *  '>>>>>>sB0B66 CC C Cc2K |jdks|jtjkrt t }t }tj|_ t||}| |d{V\}}||| |d{V\}}}|||j jtjkrdSdt#d|j jjz|j jfS#t&$r}d|fcYd}~Sd}~wwxYw)zi Issues an ECHO request to the server. Server will reply with and ECHO response, if it's still alive TNrr)rrr+r/rECHO_REQrarbECHOrOrrTrUrIr rrPrr rrs r5r>zSMBConnection.echovs7 T!!T[4G4N%N%N ! # ## ZZ7   6 %6> VW % %3<<,,,,,,,,?:s o I Z00000000<4C o I kH,,, : dT[%7%<PQQ QQ  '>>>>>>s$C C>-C>> DD DDcK |jdks|jtjkrt t }t }tj|_ ||_ t||}| |d{V\}}||| |d{V\}}}|||jjt jkrvg} |j|j} |jD]=} |j| j|kr%| |j| j>| D] } |j| = |j|=|j| =dS#t2$r} d| fcYd} ~ Sd} ~ wwxYw)zL Disconnects from tree, removes all file entries associated to the tree TNr)rrr+r/rTREE_DISCONNECT_REQrarbTREE_DISCONNECTrOrJrrTrUrIr rrPrr:rr;r]r\rr)rDr;rNrIrrnr!r2r  del_file_idsr:fer\r"s r5tree_disconnectzSMBConnection.tree_disconnects! T!!T[4G4N%N%N ! # ## " "7   6 06>6= VW % %3<<,,,,,,,,?:s o I Z00000000<4C o I kH,,,L)'2=J"<< R (G33$.r2:;;;'' g & &  ) #J/ *  '>>>>>>sEE E%E E% E%cK |jdks|jtjkrt t }t }tj|_ t||}||j _ | |d{V\}}||||d{V\}}}||dS#t$r}d|fcYd}~Sd}~wwxYw)z6 Issues a CANCEL command for the given message_id TNr)rrr+r/r CANCEL_REQrarbrrOrrIr rTrUr) rDrnrNrIrr!r2r r"s r5r~zSMBConnection.cancels T!!T[4G4N%N%N ! # ## \\7   6 '6> VW % %3$3:<<,,,,,,,,?:s o I Z00000000<4C o I *  '>>>>>>sB.compress_callbacksp llnn8#H--?.008,/MM8)#6#<8 (-8>8? (O 4 44r4z[################################### TESTING compression ###################################zY################################### SPLOIT SPLOIT SPLOIT ################################)compression_cbg?rF) rr'r>rrarbrrOrrTrbrrU)rDr(rNrIrrnr!r2s r5ghostingzSMBConnection.ghostings$ 5 5 5efff cddd JJ'   &$&.FG$$#,,s=N,OOOOOOOO/*c j!9!9SIII I I I I I I4 $ %%s #/CC)TF)Fr9)rr)r)>r0r1r2__doc__ SMBTargetboolrErrrrr5r#r'r)rrrbytesrBrrrrrrUrrrrrrTrrr Impersonation OplockLevelSMB2_OPLOCK_LEVEL_NONErrrrrrrFileStandardInformationrrr IOCTLREQFlagsIS_IOCTLr  CloseFlagrr9rrr>rr~rr*r3r4r5rrsee9edeRVeeeeN888 (ZZZz8(:      .*0U0000 ddddL[[[[| +ui2O(P8 %K % % % %('&E'&m'&'&'&'&T;O;;;;*<<[<<<<~-----^qCqQbmbDX\mr22xF2\n2222h>>>>B3333j;H:LbocHcdno{}BBBBHEHXYo|pZlpz{2222h:>}G]qv<2;@446%%%P2%%%B%%%%%r4rcfK|}|d{VdSr9)get_connectionr#)cuconns r5ctestr:s=  zz||r4__main__)SMBConnectionFactoryz5smb+ntlm-password://TEST\victim:Passw0rd!1@10.10.10.2)Yenumrbrrrtypingraiosmbraiosmb.commons.exceptionsaiosmb.transport.netbiosr!aiosmb.protocol.smb.command_codesraiosmb.wintypes.ntstatusraiosmb.protocol.smb.headerr r aiosmb.protocol.smb.messager aiosmb.protocol.smb.commonsr aiosmb.protocol.smb.commandsr aiosmb.protocol.smb2.messagerrr'aiosmb.protocol.smb2.commands.negotiaterrrrrrrrrraiosmb.protocol.smb2.commandsaiosmb.protocol.smb2.headers"aiosmb.protocol.smb2.command_codesaiosmb.protocol.common.aiosmb.wintypes.dtyp.constrcuted_security.guid-aiosmb.wintypes.fscc.structures.fileinfoclassrras/  ''''666666888888------EEEEEEEE222222777777>>>>>>TTTTTTTTTTLLLLLLLLLLLLLLLLLLLLLLLL,+++****0000$$$$<<<<GGGGGGiiiiii>>>>>>??????555555....7777777777######))))))HHHHHHLLLLLL------$)         4        .''''''''RKKKKKKKK\, zCCCCCC?$#C(( UU2YYr4