From 2c9273eb2ca8d5080ff81273f602547fe649c259 Mon Sep 17 00:00:00 2001
From: lgandx <lgandx@github.com>
Date: Wed, 5 Feb 2014 22:09:50 -0500
Subject: [PATCH] Added: Analyze mode; Lanman Domain/SQL/Workstation passive
 discovery.

---
 RAPLANMANPackets.py | 160 +++++++++++++++++++++++++++++++++++
 Responder.py        | 202 +++++++++++++++++++++++++++++++++++---------
 2 files changed, 321 insertions(+), 41 deletions(-)
 create mode 100644 RAPLANMANPackets.py

diff --git a/RAPLANMANPackets.py b/RAPLANMANPackets.py
new file mode 100644
index 0000000..c0fb385
--- /dev/null
+++ b/RAPLANMANPackets.py
@@ -0,0 +1,160 @@
+import struct
+from odict import OrderedDict
+
+def longueur(payload):
+    length = struct.pack(">i", len(''.join(payload)))
+    return length
+
+class Packet():
+    fields = OrderedDict([
+        ("data", ""),
+    ])
+    def __init__(self, **kw):
+        self.fields = OrderedDict(self.__class__.fields)
+        for k,v in kw.items():
+            if callable(v):
+                self.fields[k] = v(self.fields[k])
+            else:
+                self.fields[k] = v
+    def __str__(self):
+        return "".join(map(str, self.fields.values()))
+
+
+class SMBHeader(Packet):
+    fields = OrderedDict([
+        ("proto", "\xff\x53\x4d\x42"),
+        ("cmd", "\x72"),
+        ("error-code", "\x00\x00\x00\x00" ),
+        ("flag1", "\x08"),
+        ("flag2", "\x01\x00"),
+        ("pidhigh", "\x00\x00"),
+        ("signature", "\x00\x00\x00\x00\x00\x00\x00\x00"),
+        ("reserved", "\x00\x00"),
+        ("tid", "\x00\x00"),
+        ("pid", "\x3c\x1b"),
+        ("uid", "\x00\x00"),
+        ("mid", "\x00\x00"),
+    ])
+
+class SMBNegoData(Packet):
+    fields = OrderedDict([
+        ("wordcount", "\x00"),
+        ("bcc", "\x54\x00"),
+        ("separator1","\x02" ),
+        ("dialect1", "\x50\x43\x20\x4e\x45\x54\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31\x2e\x30\x00"),
+        ("separator2","\x02"),
+        ("dialect2", "\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"),
+    ])
+    def calculate(self):
+        CalculateBCC = str(self.fields["separator1"])+str(self.fields["dialect1"])+str(self.fields["separator2"])+str(self.fields["dialect2"])
+        self.fields["bcc"] = struct.pack("<h",len(CalculateBCC))
+
+class SMBSessionData(Packet):
+    fields = OrderedDict([
+        ("wordcount", "\x0a"),
+        ("AndXCommand", "\xff"),
+        ("reserved","\x00"),
+        ("andxoffset", "\x00\x00"),
+        ("maxbuff","\xff\xff"),
+        ("maxmpx", "\x02\x00"),
+        ("vcnum","\x01\x00"),
+        ("sessionkey", "\x00\x00\x00\x00"),
+        ("PasswordLen","\x18\x00"),
+        ("reserved2","\x00\x00\x00\x00"),
+        ("bcc","\x3b\x00"),
+        ("AccountPassword",""),
+        ("AccountName",""),
+        ("AccountNameTerminator","\x00"),
+        ("PrimaryDomain","WORKGROUP"),
+        ("PrimaryDomainTerminator","\x00"),
+        ("NativeOs","Unix"),
+        ("NativeOsTerminator","\x00"),
+        ("NativeLanman","Samba"),
+        ("NativeLanmanTerminator","\x00"),
+
+    ])
+    def calculate(self): 
+        CompleteBCC = str(self.fields["AccountPassword"])+str(self.fields["AccountName"])+str(self.fields["AccountNameTerminator"])+str(self.fields["PrimaryDomain"])+str(self.fields["PrimaryDomainTerminator"])+str(self.fields["NativeOs"])+str(self.fields["NativeOsTerminator"])+str(self.fields["NativeLanman"])+str(self.fields["NativeLanmanTerminator"])
+        self.fields["bcc"] = struct.pack("<h", len(CompleteBCC))
+        self.fields["PasswordLen"] = struct.pack("<h", len(str(self.fields["AccountPassword"])))
+
+class SMBTreeConnectData(Packet):
+    fields = OrderedDict([
+        ("Wordcount", "\x04"),
+        ("AndXCommand", "\xff"),
+        ("Reserved","\x00" ),
+        ("Andxoffset", "\x00\x00"),
+        ("Flags","\x08\x00"),
+        ("PasswdLen", "\x01\x00"),
+        ("Bcc","\x1b\x00"),
+        ("Passwd", "\x00"),
+        ("Path",""),
+        ("PathTerminator","\x00"),
+        ("Service","?????"),
+        ("Terminator", "\x00"),
+
+    ])
+    def calculate(self): 
+        self.fields["PasswdLen"] = struct.pack("<h", len(str(self.fields["Passwd"])))[:2]
+        BccComplete = str(self.fields["Passwd"])+str(self.fields["Path"])+str(self.fields["PathTerminator"])+str(self.fields["Service"])+str(self.fields["Terminator"])
+        self.fields["Bcc"] = struct.pack("<h", len(BccComplete))
+
+class RAPNetServerEnum3Data(Packet):
+    fields = OrderedDict([
+        ("Command", "\xd7\x00"),
+        ("ParamDescriptor", "WrLehDzz"),
+        ("ParamDescriptorTerminator", "\x00"),
+        ("ReturnDescriptor","B16BBDz"),
+        ("ReturnDescriptorTerminator", "\x00"),
+        ("DetailLevel", "\x01\x00"),
+        ("RecvBuff","\xff\xff"),
+        ("ServerType", "\x00\x00\x00\x80"),
+        ("TargetDomain","SMB"),
+        ("RapTerminator","\x00"),
+        ("TargetName","ABCD"),
+        ("RapTerminator2","\x00"),
+    ])
+
+class SMBTransRAPData(Packet):
+    fields = OrderedDict([
+        ("Wordcount", "\x0e"),
+        ("TotalParamCount", "\x24\x00"),
+        ("TotalDataCount","\x00\x00" ),
+        ("MaxParamCount", "\x08\x00"),
+        ("MaxDataCount","\xff\xff"),
+        ("MaxSetupCount", "\x00"),
+        ("Reserved","\x00\x00"),
+        ("Flags", "\x00"),
+        ("Timeout","\x00\x00\x00\x00"),
+        ("Reserved1","\x00\x00"),
+        ("ParamCount","\x24\x00"),
+        ("ParamOffset", "\x5a\x00"),
+        ("DataCount", "\x00\x00"),
+        ("DataOffset", "\x7e\x00"),
+        ("SetupCount", "\x00"),
+        ("Reserved2", "\x00"),
+        ("Bcc", "\x3f\x00"),
+        ("Terminator", "\x00"),
+        ("PipeName", "\\PIPE\\LANMAN"),
+        ("PipeTerminator","\x00\x00"),
+        ("Data", ""),
+
+    ])
+    def calculate(self):
+        #Padding
+        if len(str(self.fields["Data"]))%2==0:
+           self.fields["PipeTerminator"] = "\x00\x00\x00\x00"
+        else:
+           self.fields["PipeTerminator"] = "\x00\x00\x00"
+        ##Convert Path to Unicode first before any Len calc.
+        self.fields["PipeName"] = self.fields["PipeName"].encode('utf-16le')
+        ##Data Len
+        self.fields["TotalParamCount"] = struct.pack("<i", len(str(self.fields["Data"])))[:2]
+        self.fields["ParamCount"] = struct.pack("<i", len(str(self.fields["Data"])))[:2]
+        ##Packet len
+        FindRAPOffset = str(self.fields["Wordcount"])+str(self.fields["TotalParamCount"])+str(self.fields["TotalDataCount"])+str(self.fields["MaxParamCount"])+str(self.fields["MaxDataCount"])+str(self.fields["MaxSetupCount"])+str(self.fields["Reserved"])+str(self.fields["Flags"])+str(self.fields["Timeout"])+str(self.fields["Reserved1"])+str(self.fields["ParamCount"])+str(self.fields["ParamOffset"])+str(self.fields["DataCount"])+str(self.fields["DataOffset"])+str(self.fields["SetupCount"])+str(self.fields["Reserved2"])+str(self.fields["Bcc"])+str(self.fields["Terminator"])+str(self.fields["PipeName"])+str(self.fields["PipeTerminator"])
+
+        self.fields["ParamOffset"] = struct.pack("<i", len(FindRAPOffset)+32)[:2]
+        ##Bcc Buff Len
+        BccComplete    = str(self.fields["Terminator"])+str(self.fields["PipeName"])+str(self.fields["PipeTerminator"])+str(self.fields["Data"])
+        self.fields["Bcc"] = struct.pack("<i", len(BccComplete))[:2]
diff --git a/Responder.py b/Responder.py
index 4dd1fb7..b9e243c 100755
--- a/Responder.py
+++ b/Responder.py
@@ -265,13 +265,13 @@ class NBT_Ans(Packet):
 
 def NBT_NS_Role(data):
     Role = {
-        "\x41\x41\x00":"Workstation/Redirector Service",
-        "\x42\x4c\x00":"Domain Master Browser. This name is likely a domain controller if any, according to MSFT specs.)",
+        "\x41\x41\x00":"Workstation/Redirector Service.",
+        "\x42\x4c\x00":"Domain Master Browser. This name is likely a domain controller or a homegroup.)",
         "\x42\x4d\x00":"Domain controller service. This name is a domain controller.",
-        "\x42\x4e\x00":"Local Master Browser",
+        "\x42\x4e\x00":"Local Master Browser.",
         "\x42\x4f\x00":"Browser Election Service.",
-        "\x43\x41\x00":"File Server Service",
-        "\x41\x42\x00":"Browser Service",
+        "\x43\x41\x00":"File Server Service.",
+        "\x41\x42\x00":"Browser Service.",
     }
 
     if data in Role:
@@ -283,10 +283,10 @@ def NBT_NS_Role(data):
 def Validate_NBT_NS(data,Wredirect):
     if Analyze(AnalyzeMode):
        return False
-    if NBT_NS_Role(data[43:46]) == "File Server Service":
+    if NBT_NS_Role(data[43:46]) == "File Server Service.":
        return True
     if Wredirect == "ON":
-       if NBT_NS_Role(data[43:46]) == "Workstation/Redirector Service":
+       if NBT_NS_Role(data[43:46]) == "Workstation/Redirector Service.":
           return True
     else:
        return False
@@ -380,45 +380,165 @@ class NB(BaseRequestHandler):
                        pass
 
 ##################################################################################
-#Browser Listener
+#Browser Listener and Lanman Finger
 ##################################################################################
-def BecomeBackup(data,Client):
-    DataOffset = struct.unpack('<H',data[139:141])[0]
-    BrowserPacket = data[82+DataOffset:]
-    if BrowserPacket[0] == "\x0b":
-       ServerName = BrowserPacket[1:]
-       if Is_Finger_On(Finger_On_Off):
-          try:
-              Finger = RunSmbFinger((self.client_address[0],445))
-              Message = "[Analyze mode: Browser]Datagram Request from IP: %s hostname: %s via the: %s wants to become a backup browser (Local Master Browser backup) on this domain: %s.\nOs Version is: %s Client Version is: %s"%(Client, Decode_Name(data[15:47]),NBT_NS_Role(data[45:48]),Decode_Name(data[49:81]),Finger[0],Finger[1])
-              logger3.warning(Message)
-          except Exception:
-              Message = "[Analyze mode: Browser]Datagram Request from IP: %s hostname: %s via the: %s wants to become a backup browser (Local Master Browser backup) on this domain: %s."%(Client, Decode_Name(data[15:47]),NBT_NS_Role(data[45:48]),Decode_Name(data[49:81]))
-              logger3.warning(Message)
-       else:
-           Message = "[Analyze mode: Browser]Datagram Request from IP: %s hostname: %s via the: %s wants to become a backup browser (Local Master Browser backup) on this domain: %s."%(Client, Decode_Name(data[15:47]),NBT_NS_Role(data[45:48]),Decode_Name(data[49:81]))
-           if PrintLLMNRNBTNS(AnalyzeFilename,Message):
-              print Message
-           logger3.warning(Message)
+from RAPLANMANPackets import *
+
+def WorkstationFingerPrint(data):
+    Role = {
+        "\x04\x00"    :"Windows 95",
+        "\x04\x10"    :"Windows 98",
+        "\x04\x90"    :"Windows ME",
+        "\x05\x00"    :"Windows 2000",
+        "\x05\x00"    :"Windows XP",
+        "\x05\x02"    :"Windows 2003",
+        "\x06\x00"    :"Windows Vista/Server 2008",
+        "\x06\x01"    :"Windows 7/Server 2008R2",
+    }
+
+    if data in Role:
+        return Role[data]
     else:
+        return False
+
+def PrintServerName(data, entries):
+    if entries == 0:
+       pass
+    else:
+       entrieslen = 26*entries
+       chunks, chunk_size = len(data[:entrieslen]), entrieslen/entries 
+       ServerName = [data[i:i+chunk_size] for i in range(0, chunks, chunk_size) ]
+       l =[]
+       for x in ServerName:
+          if WorkstationFingerPrint(x[16:18]):
+             l.append(x[:16].replace('\x00', '')+'\n       [-]Os version is:%s'%(WorkstationFingerPrint(x[16:18])))
+          else:
+             l.append(x[:16].replace('\x00', ''))
+       
+       return l
+
+def ParsePacket(Payload):
+    PayloadOffset = struct.unpack('<H',Payload[51:53])[0]
+    StatusCode = Payload[PayloadOffset-4:PayloadOffset-2]
+    if StatusCode == "\x00\x00":
+       EntriesNum = struct.unpack('<H',Payload[PayloadOffset:PayloadOffset+2])[0]
+       ParsedNames = PrintServerName(Payload[PayloadOffset+4:], EntriesNum)
+       return ParsedNames
+    else:
+       return None
+
+def RAPThisDomain(Client,Domain):
+    try:
+       l =[]
+       for x in range(1):
+          PDC = RapFinger(Client,Domain,"\x00\x00\x00\x80")
+          if PDC is not None:
+             l.append('[Analyze mode LANMAN]:')
+             l.append('[!]Domain detected on this network:')
+             for x in PDC:
+                 l.append('   -'+x)
+          SQL = RapFinger(Client,Domain,"\x04\x00\x00\x00")
+          if SQL is not None:
+             l.append('[!]SQL Server detected on Domain %s:'%(Domain))
+             for x in SQL:
+                 l.append('   -'+x)
+          WKST = RapFinger(Client,Domain,"\xff\xff\xff\xff")
+          if WKST is not None:
+             l.append('[!]Workstation Server detected on Domain %s:'%(Domain))
+             for x in WKST:
+                 l.append('   -'+x)
+          else:
+             pass
+          return '\n'.join(l)
+    except:
+       pass
+
+def RapFinger(Host,Domain, Type):
+    try:
+       s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+       s.connect((Host,445))  
+       s.settimeout(0.3) 
+       h = SMBHeader(cmd="\x72",mid="\x01\x00")
+       n = SMBNegoData()
+       n.calculate()
+       packet0 = str(h)+str(n)
+       buffer0 = longueur(packet0)+packet0
+       s.send(buffer0)
+       data = s.recv(1024) 
+       ##Session Setup AndX Request, Anonymous.
+       if data[8:10] == "\x72\x00":
+          head = SMBHeader(cmd="\x73",mid="\x02\x00")
+          t = SMBSessionData()
+          t.calculate()
+          final = t 
+          packet1 = str(head)+str(t)
+          buffer1 = longueur(packet1)+packet1  
+          s.send(buffer1)
+          data = s.recv(1024) 
+          ##Tree Connect IPC$.
+          if data[8:10] == "\x73\x00":
+             head = SMBHeader(cmd="\x75",flag1="\x08", flag2="\x01\x00",uid=data[32:34],mid="\x03\x00")
+             t = SMBTreeConnectData(Path="\\\\"+Host+"\\IPC$")
+             t.calculate()
+             packet1 = str(head)+str(t)
+             buffer1 = longueur(packet1)+packet1  
+             s.send(buffer1)
+             data = s.recv(1024)
+             ##Rap ServerEnum, domain forests and PDC
+             if data[8:10] == "\x75\x00":
+                head = SMBHeader(cmd="\x25",flag1="\x08", flag2="\x01\xc8",uid=data[32:34],tid=data[28:30],pid=data[30:32],mid="\x04\x00")
+                t = SMBTransRAPData(Data=RAPNetServerEnum3Data(ServerType=Type,DetailLevel="\x01\x00",TargetDomain=Domain))
+                t.calculate() 
+                packet1 = str(head)+str(t)
+                buffer1 = longueur(packet1)+packet1  
+                s.send(buffer1)
+                data = s.recv(1024)
+                ##Rap ServerEnum, SQL servers
+                if data[8:10] == "\x25\x00":
+                   s.close()
+                   return ParsePacket(data)
+    except:
+       return None
+
+def BecomeBackup(data,Client):
+    try:
+       DataOffset = struct.unpack('<H',data[139:141])[0]
+       BrowserPacket = data[82+DataOffset:]
+       if BrowserPacket[0] == "\x0b":
+          ServerName = BrowserPacket[1:]
+          Domain = Decode_Name(data[49:81])
+          Name = Decode_Name(data[15:47])
+          Role = NBT_NS_Role(data[45:48])
+          Message = "[Analyze mode: Browser]Datagram Request from IP: %s hostname: %s via the: %s wants to become a Local Master Browser Backup on this domain: %s."%(Client, Name,Role,Domain)
+          if PrintLLMNRNBTNS(AnalyzeFilename,Message):
+             print Message
+          if AnalyzeMode:
+             Message1=RAPThisDomain(Client,Domain)
+             if PrintLLMNRNBTNS(AnalyzeFilename,Message1):
+                print Message1
+                logger3.warning(Message1)
+          logger3.warning(Message)
+    except:
        pass
 
 def ParseDatagramNBTNames(data,Client):
-    if Is_Finger_On(Finger_On_Off):
-       try:
-          Finger = RunSmbFinger((Client,445))
-          Message = '[Analyze mode: Browser]Datagram Request from IP: %s hostname: %s via the: %s to: %s. Service: %s\nOs Version is: %s Client Version is: %s'%(Client, Decode_Name(data[15:47]),NBT_NS_Role(data[45:48]),Decode_Name(data[49:81]), NBT_NS_Role(data[79:82]),Finger[0],Finger[1])
+    try:
+       Domain = Decode_Name(data[49:81])
+       Name = Decode_Name(data[15:47])
+       Role1 = NBT_NS_Role(data[45:48])
+       Role2 = NBT_NS_Role(data[79:82])
+       Message = '[Analyze mode: Browser]Datagram Request from IP: %s hostname: %s via the: %s to: %s. Service: %s'%(Client, Name, Role1, Domain, Role2)
+       if Role2 == "Domain controller service. This name is a domain controller." or Role2 == "Browser Election Service." or Role2 == "Local Master Browser.":
+          if PrintLLMNRNBTNS(AnalyzeFilename,Message):
+             print Message
+          if AnalyzeMode:
+             Message1=RAPThisDomain(Client,Domain)
+             if PrintLLMNRNBTNS(AnalyzeFilename,Message1):
+                print Message1
+                logger3.warning(Message1)
           logger3.warning(Message)
-       except Exception:
-          Message = '[Analyze mode: Browser]Datagram Request from IP: %s hostname: %s via the: %s to: %s. Service: %s'%(Client, Decode_Name(data[15:47]),NBT_NS_Role(data[45:48]),Decode_Name(data[49:81]), NBT_NS_Role(data[79:82]))
-          logger3.warning(Message)
-       if PrintLLMNRNBTNS(AnalyzeFilename,Message):
-          print Message
-    else:
-       Message = '[Analyze mode: Browser]Datagram Request from IP: %s hostname: %s via the: %s to: %s. Service: %s'%(Client, Decode_Name(data[15:47]),NBT_NS_Role(data[45:48]),Decode_Name(data[49:81]), NBT_NS_Role(data[79:82]))
-       logger3.warning(Message)
-       if PrintLLMNRNBTNS(AnalyzeFilename,Message):
-          print Message
+    except:
+       pass
 
 class Browser(BaseRequestHandler):
 
@@ -430,7 +550,7 @@ class Browser(BaseRequestHandler):
               BecomeBackup(request,self.client_address[0])
            BecomeBackup(request,self.client_address[0])
         except Exception:
-           raise
+           pass
 ##################################################################################
 #SMB Server
 ##################################################################################