From 7b47c8fe4edcb53b035465985d92500b96fb1a84 Mon Sep 17 00:00:00 2001
From: ThePirateWhoSmellsOfSunflowers
 <ThePirateWhoSmellsOfSunflowers@users.noreply.github.com>
Date: Tue, 13 Oct 2020 11:47:33 +0200
Subject: [PATCH 1/6] fix custom challenge in python3

---
 settings.py | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/settings.py b/settings.py
index 1314f11..8176a63 100644
--- a/settings.py
+++ b/settings.py
@@ -210,12 +210,16 @@ class Settings:
 			print(utils.color("[!] The challenge must be exactly 16 chars long.\nExample: 1122334455667788", 1))
 			sys.exit(-1)
 
-		self.Challenge = ""
+		self.Challenge = b''
 		if self.NumChal.lower() == 'random':
 			pass
-		else: 
-			for i in range(0, len(self.NumChal),2):
-				self.Challenge += self.NumChal[i:i+2].decode("hex")
+		else:
+			if self.PY2OR3 == 'PY2':
+				for i in range(0, len(self.NumChal),2):
+					self.Challenge += self.NumChal[i:i+2].decode("hex")
+			else:
+					self.Challenge += bytes.fromhex(self.NumChal)
+
 
 		# Set up logging
 		logging.basicConfig(filename=self.SessionLogFile, level=logging.INFO, format='%(asctime)s - %(message)s', datefmt='%m/%d/%Y %I:%M:%S %p')

From f581d4dd0e7aa709367636c17b32e7956d6909b5 Mon Sep 17 00:00:00 2001
From: ThePirateWhoSmellsOfSunflowers
 <ThePirateWhoSmellsOfSunflowers@users.noreply.github.com>
Date: Tue, 13 Oct 2020 13:08:45 +0200
Subject: [PATCH 2/6] small fix

---
 settings.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/settings.py b/settings.py
index 8176a63..03457fc 100644
--- a/settings.py
+++ b/settings.py
@@ -218,7 +218,7 @@ class Settings:
 				for i in range(0, len(self.NumChal),2):
 					self.Challenge += self.NumChal[i:i+2].decode("hex")
 			else:
-					self.Challenge += bytes.fromhex(self.NumChal)
+					self.Challenge = bytes.fromhex(self.NumChal)
 
 
 		# Set up logging

From d2e5642d58a70a182fa319f9245a3c32442b1f72 Mon Sep 17 00:00:00 2001
From: lgandx <laurent.gaffie@gmail.com>
Date: Thu, 31 Dec 2020 01:13:27 -0300
Subject: [PATCH 3/6] Added SMB2 support for RunFinger and various other
 checks.

---
 tools/RunFinger.py        | 221 ++++++++++++++++++++++++++++----------
 tools/RunFingerPackets.py | 206 +++++++++++++++++++++++++++++++++++
 2 files changed, 371 insertions(+), 56 deletions(-)

diff --git a/tools/RunFinger.py b/tools/RunFinger.py
index 33669f9..d13dabb 100755
--- a/tools/RunFinger.py
+++ b/tools/RunFinger.py
@@ -19,14 +19,16 @@ import datetime
 import multiprocessing
 from socket import *
 from odict import OrderedDict
+import errno
 import optparse
 from RunFingerPackets import *
-__version__ = "1.0"
+__version__ = "1.2"
 
 parser = optparse.OptionParser(usage='python %prog -i 10.10.10.224\nor:\npython %prog -i 10.10.10.0/24', version=__version__, prog=sys.argv[0])
 
 parser.add_option('-i','--ip', action="store", help="Target IP address or class C", dest="TARGET", metavar="10.10.10.224", default=None)
-parser.add_option('-g','--grep', action="store_true", dest="grep_output", default=False, help="Output in grepable format")
+#Way better to have grepable output by default...
+#parser.add_option('-g','--grep', action="store_true", dest="grep_output", default=False, help="Output in grepable format")
 options, args = parser.parse_args()
 
 if options.TARGET is None:
@@ -36,6 +38,7 @@ if options.TARGET is None:
 
 Timeout = 2
 Host = options.TARGET
+SMB1 = "Enabled"
 
 class Packet():
     fields = OrderedDict([
@@ -80,14 +83,67 @@ def longueur(payload):
     length = StructWithLenPython2or3(">i", len(''.join(payload)))
     return length
 
+def ParseNegotiateSMB2Ans(data):
+	if data[4:8] == b"\xfeSMB":
+		return True
+	else:
+		return False 
+
+def WorkstationFingerPrint(data):
+	return {
+ 		b"\x04\x00"    :"Windows 95",
+		b"\x04\x0A"    :"Windows 98",
+		b"\x04\x5A"    :"Windows ME",
+ 		b"\x05\x00"    :"Windows 2000",
+ 		b"\x05\x01"    :"Windows XP",
+ 		b"\x05\x02"    :"Windows XP(64-Bit)/Windows 2003",
+ 		b"\x06\x00"    :"Windows Vista/Server 2008",
+ 		b"\x06\x01"    :"Windows 7/Server 2008R2",
+ 		b"\x06\x02"    :"Windows 8/Server 2012",
+ 		b"\x06\x03"    :"Windows 8.1/Server 2012R2",
+		b"\x0A\x00"    :"Windows 10/Server 2016/2019 (check build)",
+ 	}.get(data, 'Other than Microsoft')
+
+def GetOsBuildNumber(data):
+	ProductBuild =  struct.unpack("<h",data)[0]
+	return ProductBuild 
+
+def ParseSMBNTLM2Exchange(data, host, bootime):  #Parse SMB NTLMSSP Response
+	data = data.encode('latin-1')
+	SSPIStart  = data.find(b'NTLMSSP')
+	SSPIString = data[SSPIStart:]
+	TargetNameLen = struct.unpack('<H',data[SSPIStart+12:SSPIStart+14])[0]
+	TargetNameOffset = struct.unpack('<L',data[SSPIStart+16:SSPIStart+20])[0]
+	Domain       = SSPIString[TargetNameOffset:TargetNameOffset+TargetNameLen].decode('UTF-16LE')
+
+	AvPairsLen        = struct.unpack('<H',data[SSPIStart+40:SSPIStart+42])[0]
+	AvPairsOffset     = struct.unpack('<L',data[SSPIStart+44:SSPIStart+48])[0]
+	#AvPairs          = SSPIString[AvPairsOffset:AvPairsOffset+AvPairsLen].decode('UTF-16LE')
+	WindowsVers       = WorkstationFingerPrint(data[SSPIStart+48:SSPIStart+50])
+	WindowsBuildVers  = GetOsBuildNumber(data[SSPIStart+50:SSPIStart+52])
+	DomainGrab((host, 445))
+	print(("[SMB2]:['{}', Os:'{}', Build:'{}', Domain:'{}', Bootime: '{}', RDP:'{}', SMB1:'{}']".format(host, WindowsVers, str(WindowsBuildVers), Domain, Bootime, IsRDPOn((host,3389)),SMB1)))
+
 def GetBootTime(data):
-    try:
-        Filetime = int(struct.unpack('<q',data)[0])
-        t = divmod(Filetime - 116444736000000000, 10000000)
-        time = datetime.datetime.fromtimestamp(t[0])
-        return time, time.strftime('%Y-%m-%d %H:%M:%S')
-    except:
-        pass
+	data = data.encode('latin-1')
+	Filetime = int(struct.unpack('<q',data)[0])
+	if Filetime == 0:  # server may not disclose this info
+		return 0, "Unknown"
+	t = divmod(Filetime - 116444736000000000, 10000000)
+	time = datetime.datetime.fromtimestamp(t[0])
+	return time, time.strftime('%Y-%m-%d %H:%M:%S')
+
+
+def IsDCVuln(t, host):
+	if t[0] == 0:
+		return ("Unknown")
+	Date = datetime.datetime(2014, 11, 17, 0, 30)
+	if t[0] < Date:
+		return("This system may be vulnerable to MS14-068")
+	Date = datetime.datetime(2017, 3, 14, 0, 30)
+	if t[0] < Date:
+		return("This system may be vulnerable to MS17-010")
+	return("Last restart: "+t[1])
 
 #####################
 
@@ -117,36 +173,38 @@ def OsNameClientVersion(data):
 
 def GetHostnameAndDomainName(data):
     try:
-        Time = GetBootTime(data[60:68])
         data = NetworkRecvBufferPython2or3(data)
         DomainJoined, Hostname = tuple([e.replace("\x00", "") for e in data[81:].split('\x00\x00\x00')[:2]])
         #If max length domain name, there won't be a \x00\x00\x00 delineator to split on
         if Hostname == '':
             DomainJoined = data[81:110].decode('latin-1')
             Hostname = data[113:].decode('latin-1')
-        return Hostname, DomainJoined, Time
+        return Hostname, DomainJoined
     except:
+        pass
         return "Could not get Hostname.", "Could not get Domain joined"
 
 def DomainGrab(Host):
-    s = socket(AF_INET, SOCK_STREAM)
-    try:
-        s.settimeout(Timeout)
-        s.connect(Host)
-    except:
-        pass
-    try:
-        h = SMBHeaderLanMan(cmd="\x72",mid="\x01\x00",flag1="\x00", flag2="\x00\x00")
-        n = SMBNegoDataLanMan()
-        packet0 = str(h)+str(n)
-        buffer0 = longueur(packet0)+packet0
-        s.send(NetworkSendBufferPython2or3(buffer0))
-        data = s.recv(2048)
-        s.close()
-        if data[8:10] == b'\x72\x00':
-            return GetHostnameAndDomainName(data)
-    except:
-        pass
+	global SMB1
+	try:
+		s = socket(AF_INET, SOCK_STREAM)
+		s.settimeout(0.7)
+		s.connect(Host)
+		h = SMBHeaderLanMan(cmd="\x72",mid="\x01\x00",flag1="\x00", flag2="\x00\x00")
+		n = SMBNegoDataLanMan()
+		packet0 = str(h)+str(n)
+		buffer0 = longueur(packet0)+packet0
+		s.send(NetworkSendBufferPython2or3(buffer0))
+		data = s.recv(2048)
+		s.close()
+		if data[8:10] == b'\x72\x00':
+			return GetHostnameAndDomainName(data)
+	except IOError as e:
+		if e.errno == errno.ECONNRESET:
+			SMB1 = "Disabled"
+			return False
+		else:
+			return False
 
 def SmbFinger(Host):
     s = socket(AF_INET, SOCK_STREAM)
@@ -218,41 +276,89 @@ def check_smb_null_session(host):
         else:
             return False
     except Exception:
-        pass
         return False
 
+##################
+#SMB2 part:
+
+def ConnectAndChoseSMB(host):
+	try:
+		s = socket(AF_INET, SOCK_STREAM)
+		s.settimeout(0.7)
+		s.connect(host)
+	except:
+		return None
+	h = SMBHeader(cmd="\x72",flag1="\x00")
+	n = SMBNego(Data = SMB2NegoData())
+	n.calculate()
+	packet0 = str(h)+str(n)
+	buffer0 = longueur(packet0)+packet0
+	s.send(NetworkSendBufferPython2or3(buffer0))
+	data = s.recv(4096)
+	if ParseNegotiateSMB2Ans(data):
+		try:
+			while True:
+				s.send(NetworkSendBufferPython2or3(handle(data.decode('latin-1'), host)))
+				data = s.recv(4096)
+				if not data:
+					break
+		except Exception:
+			pass
+	else:
+		return False
+
+def handle(data, host):
+	if data[28] == "\x00":
+		a =  SMBv2Head()
+		a.calculate()
+		b = SMBv2Negotiate()
+		b.calculate()
+		packet0 =str(a)+str(b)
+		buffer0 = longueur(packet0)+packet0
+		return buffer0
+
+	if data[28] == "\x01":
+		global Bootime
+		Bootime = IsDCVuln(GetBootTime(data[116:124]), host[0])
+		a =  SMBv2Head(SMBv2Command="\x01\x00",CommandSequence= "\x02\x00\x00\x00\x00\x00\x00\x00")
+		a.calculate()
+		b = SMBv2Session1()
+		b.calculate()
+		packet0 =str(a)+str(b)
+		buffer0 = longueur(packet0)+packet0
+		return buffer0
+
+	if data[28] == "\x02":
+		ParseSMBNTLM2Exchange(data, host[0], Bootime) 
+
 ##################
 #run it
 def ShowResults(Host):
-    try:
-        Hostname, DomainJoined, Time = DomainGrab((Host, 445))
-        Signing, OsVer, LanManClient = SmbFinger((Host, 445))
-        NullSess = check_smb_null_session((Host, 445))
-        print(("Retrieving information for %s..."%(Host)))
-        print(("SMB signing: %s"%(Signing)))
-        print(("Null Sessions Allowed: %s"%(NullSess)))
-        print(("Server Time: %s"%(Time[1])))
-        print(("OS version: '%s'\nLanman Client: '%s'"%(OsVer, LanManClient)))
-        print(("Machine Hostname: '%s'\nThis machine is part of the '%s' domain"%(Hostname, DomainJoined)))
-        print(("RDP port open: '%s'\n"%(IsRDPOn((Host,3389)))))
-    except:
-        pass
+	if ConnectAndChoseSMB((Host,445)) == False:
+		try:
+			Hostname, DomainJoined = DomainGrab((Host, 445))
+			Signing, OsVer, LanManClient = SmbFinger((Host, 445))
+			NullSess = check_smb_null_session((Host, 445))
+			print(("Retrieving information for %s..."%(Host)))
+			print(("SMB signing: %s"%(Signing)))
+			print(("Null Sessions Allowed: %s"%(NullSess)))
+			print(("OS version: '%s'\nLanman Client: '%s'"%(OsVer, LanManClient)))
+			print(("Machine Hostname: '%s'\nThis machine is part of the '%s' domain"%(Hostname, DomainJoined)))
+			print(("RDP port open: '%s'\n"%(IsRDPOn((Host,3389)))))
+		except:
+			return False
+
 
 def ShowSmallResults(Host):
-    s = socket(AF_INET, SOCK_STREAM)
-    try:
-        s.settimeout(Timeout)
-        s.connect((Host, 445))
-    except:
-        return False
+	if ConnectAndChoseSMB((Host,445)) == False:
+		try:
+			Hostname, DomainJoined = DomainGrab((Host, 445))
+			Signing, OsVer, LanManClient = SmbFinger((Host, 445))
+			NullSess = check_smb_null_session((Host, 445))
+			print(("[SMB1]:['{}', Os:'{}', Domain:'{}', Signing:'{}', Null Session: '{}', RDP:'{}']".format(Host, OsVer, DomainJoined, Signing, NullSess,IsRDPOn((Host,3389)))))
+		except:
+			return False
 
-    try:
-        Hostname, DomainJoined, Time = DomainGrab((Host, 445))
-        Signing, OsVer, LanManClient = SmbFinger((Host, 445))
-        NullSess = check_smb_null_session((Host, 445))
-        print(("['{}', Os:'{}', Domain:'{}', Signing:'{}', Time:'{}', Null Session: '{}', RDP:'{}']".format(Host, OsVer, DomainJoined, Signing, Time[1],NullSess,IsRDPOn((Host,3389)))))
-    except Exception as err:
-        pass
 
 def IsRDPOn(Host):
     s = socket(AF_INET, SOCK_STREAM)
@@ -274,10 +380,13 @@ def RunFinger(Host):
         mask = int(mask)
         net = atod(net)
         threads = []
+        """
         if options.grep_output:
             func = ShowSmallResults
         else:
             func = ShowResults
+        """
+        func = ShowSmallResults
         for host in (dtoa(net+n) for n in range(0, 1<<32-mask)):
             p = multiprocessing.Process(target=func, args=((host),))
             threads.append(p)
diff --git a/tools/RunFingerPackets.py b/tools/RunFingerPackets.py
index e5ce645..a112ef6 100644
--- a/tools/RunFingerPackets.py
+++ b/tools/RunFingerPackets.py
@@ -16,6 +16,20 @@ def StructWithLenPython2or3(endian,data):
     #Python3...
     else:
         return struct.pack(endian, data).decode('latin-1')
+
+
+def NetworkSendBufferPython2or3(data):
+	if PY2OR3 == "PY2":
+		return str(data)
+	else:
+		return bytes(str(data), 'latin-1')
+
+def NetworkRecvBufferPython2or3(data):
+	if PY2OR3 == "PY2":
+		return str(data)
+	else:
+		return str(data.decode('latin-1'))
+
 class Packet():
     fields = OrderedDict([
     ])
@@ -416,3 +430,195 @@ class SMBTransRAPData(Packet):
         ##Bcc Buff Len
         BccComplete    = str(self.fields["Terminator"])+str(self.fields["PipeName"])+str(self.fields["PipeTerminator"])+str(self.fields["Data"])
         self.fields["Bcc"] = StructWithLenPython2or3("<i", len(BccComplete))[:2]
+
+######################FindSMBTime.py##########################
+class SMBHeaderReq(Packet):
+    fields = OrderedDict([
+        ("Proto", "\xff\x53\x4d\x42"),
+        ("Cmd", "\x72"),
+        ("Error-Code", "\x00\x00\x00\x00" ),
+        ("Flag1", "\x10"),
+        ("Flag2", "\x00\x00"),
+        ("Pidhigh", "\x00\x00"),
+        ("Signature", "\x00\x00\x00\x00\x00\x00\x00\x00"),
+        ("Reserved", "\x00\x00"),
+        ("TID", "\x00\x00"),
+        ("PID", "\xff\xfe"),
+        ("UID", "\x00\x00"),
+        ("MID", "\x00\x00"),
+    ])
+
+class SMB2NegoReq(Packet):
+    fields = OrderedDict([
+        ("Wordcount", "\x00"),
+        ("Bcc", "\x62\x00"),
+        ("Data", "")
+    ])
+    
+    def calculate(self):
+        self.fields["Bcc"] = StructWithLenPython2or3("<H",len(str(self.fields["Data"])))
+
+class SMB2NegoDataReq(Packet):
+    fields = OrderedDict([
+        ("StrType","\x02" ),
+        ("dialect", "NT LM 0.12\x00"),
+        ("StrType1","\x02"),
+        ("dialect1", "SMB 2.002\x00"),
+        ("StrType2","\x02"),
+        ("dialect2", "SMB 2.???\x00"),
+    ])
+
+##################################################################
+# SMB2 Finger                                                    #
+##################################################################
+
+class SMB2NegoData(Packet):
+    fields = OrderedDict([
+        ("separator1","\x02" ),
+        ("dialect1", "\x50\x43\x20\x4e\x45\x54\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31\x2e\x30\x00"),
+        ("separator2","\x02"),
+        ("dialect2", "\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"),
+        ("separator3","\x02"),
+        ("dialect3", "\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61\x00"),
+        ("separator4","\x02"),
+        ("dialect4", "\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00"),
+        ("separator5","\x02"),
+        ("dialect5", "\x4c\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00"),
+        ("separator6","\x02"),
+        ("dialect6", "\x4e\x54\x20\x4c\x4d\x20\x30\x2e\x31\x32\x00"),
+        ("separator7","\x02"),
+        ("dialect7", "\x53\x4d\x42\x20\x32\x2e\x30\x30\x32\x00"),
+        ("separator8","\x02"),
+        ("dialect8", "\x53\x4d\x42\x20\x32\x2e\x3f\x3f\x3f\x00"),
+    ])
+
+
+class SMBv2Head(Packet):
+    fields = OrderedDict([
+        ("Server", "\xfe\x53\x4d\x42"),
+        ("HeadLen", "\x40\x00"), 
+        ("CreditCharge", "\x00\x00"),
+        ("NTStatus","\x00\x00\x00\x00"),
+        ("SMBv2Command","\x00\x00"),
+        ("CreditRequested","\x00\x00"),
+        ("Flags","\x00\x00\x00\x00"),
+        ("ChainOffset","\x00\x00\x00\x00"),
+        ("CommandSequence","\x01\x00\x00\x00\x00\x00\x00\x00"),
+        ("ProcessID","\xff\xfe\x00\x00"),
+        ("TreeID","\x00\x00\x00\x00"),
+        ("SessionID","\x00\x00\x00\x00\x00\x00\x00\x00"),
+        ("Signature","\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"),
+        ])
+
+    def calculate(self): 
+        data1 = str(self.fields["Server"])+str(self.fields["HeadLen"])+str(self.fields["CreditCharge"])+str(self.fields["NTStatus"])+str(self.fields["SMBv2Command"])+str(self.fields["CreditRequested"])+str(self.fields["Flags"])+str(self.fields["ChainOffset"])+str(self.fields["CommandSequence"])+str(self.fields["ProcessID"])+str(self.fields["TreeID"])+str(self.fields["SessionID"])+str(self.fields["Signature"])
+
+        self.fields["HeadLen"] = StructWithLenPython2or3("<h", len(data1))
+
+class SMBv2Negotiate(Packet):
+    fields = OrderedDict([
+        ("Len", "\x24\x00"), 
+        ("DialectCount", "\x02\x00"), 
+        ("SecurityMode", "\x01\x00"),
+        ("Reserved","\x00\x00"),
+        ("Capabilities","\x00\x00\x00\x00"),
+        ("ClientGUID","\xd5\xa1\x5f\x6e\x9a\x75\xe1\x11\x87\x82\x00\x01\x4a\xf1\x18\xee"),
+        ("ClientStartTime","\x00\x00\x00\x00\x00\x00\x00\x00"),
+        ("Dialect1","\x02\x02"),
+        ("Dialect2","\x10\x02"),
+        ])
+
+    def calculate(self): 
+        data1 = str(self.fields["Len"])+str(self.fields["DialectCount"])+str(self.fields["SecurityMode"])+str(self.fields["Reserved"])+str(self.fields["Capabilities"])+str(self.fields["ClientGUID"])+str(self.fields["ClientStartTime"])
+
+        self.fields["Len"] = StructWithLenPython2or3("<h", len(data1))
+
+class SMBv2Session1(Packet):
+    fields = OrderedDict([
+        ("Len", "\x19\x00"),
+        ("VCNumber", "\x00"), 
+        ("SecurityMode", "\x01"),
+        ("Capabilities","\x01\x00\x00\x00"),
+        ("Channel","\x00\x00\x00\x00"),
+        ("SecurityBufferOffset","\x58\x00"),
+        ("SecurityBufferLen","\x4a\x00"),
+        ("PreviousSessionId","\x00\x00\x00\x00\x00\x00\x00\x00"),
+
+        ("ApplicationHeaderTag","\x60"),
+        ("ApplicationHeaderLen","\x48"),
+        ("AsnSecMechType","\x06"),
+        ("AsnSecMechLen","\x06"),
+        ("AsnSecMechStr","\x2b\x06\x01\x05\x05\x02"),
+        ("ChoosedTag","\xa0"),
+        ("ChoosedTagStrLen","\x3e"),
+        ("NegTokenInitSeqHeadTag","\x30"),
+        ("NegTokenInitSeqHeadLen","\x3c"),
+        ("NegTokenInitSeqHeadTag1","\xA0"),
+        ("NegTokenInitSeqHeadLen1","\x0e"),
+        ("NegTokenInitSeqNLMPTag","\x30"),
+        ("NegTokenInitSeqNLMPLen","\x0c"),
+        ("NegTokenInitSeqNLMPTag1","\x06"),
+        ("NegTokenInitSeqNLMPTag1Len","\x0a"),
+        ("NegTokenInitSeqNLMPTag1Str","\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"),
+        ("NegTokenInitSeqNLMPTag2","\xa2"),
+        ("NegTokenInitSeqNLMPTag2Len","\xa2"),
+        ("NegTokenInitSeqNLMPTag2Octet","\x04"),
+        ("NegTokenInitSeqNLMPTag2OctetLen","\x28"),
+        ("NegTokenInitSeqMechSignature","\x4E\x54\x4c\x4d\x53\x53\x50\x00"),
+        ("NegTokenInitSeqMechMessageType","\x01\x00\x00\x00"), 
+        ("NegTokenInitSeqMechMessageFlags","\x97\x82\x08\xe2"), 
+        ("NegTokenInitSeqMechMessageDomainNameLen","\x00\x00"),
+        ("NegTokenInitSeqMechMessageDomainNameMaxLen","\x00\x00"),
+        ("NegTokenInitSeqMechMessageDomainNameBuffOffset","\x00\x00\x00\x00"),
+        ("NegTokenInitSeqMechMessageWorkstationNameLen","\x00\x00"),
+        ("NegTokenInitSeqMechMessageWorkstationNameMaxLen","\x00\x00"),
+        ("NegTokenInitSeqMechMessageWorkstationNameBuffOffset","\x00\x00\x00\x00"),
+
+        ("NegTokenInitSeqMechMessageVersionHigh","\x06"),
+        ("NegTokenInitSeqMechMessageVersionLow","\x01"),
+        ("NegTokenInitSeqMechMessageVersionBuilt","\xB1\x1D"),
+        ("NegTokenInitSeqMechMessageVersionReserved","\x00\x00\x00"),
+        ("NegTokenInitSeqMechMessageVersionNTLMType","\x0f"),
+        ])
+
+    def calculate(self): 
+        
+
+        data1 = str(self.fields["Len"])+str(self.fields["VCNumber"])+str(self.fields["SecurityMode"])+str(self.fields["Capabilities"])+str(self.fields["Channel"])+str(self.fields["SecurityBufferOffset"])+str(self.fields["SecurityBufferLen"])+str(self.fields["PreviousSessionId"])
+
+        data2 = str(self.fields["ApplicationHeaderTag"])+str(self.fields["ApplicationHeaderLen"])+str(self.fields["AsnSecMechType"])+str(self.fields["AsnSecMechLen"])+str(self.fields["AsnSecMechStr"])+str(self.fields["ChoosedTag"])+str(self.fields["ChoosedTagStrLen"])+str(self.fields["NegTokenInitSeqHeadTag"])+str(self.fields["NegTokenInitSeqHeadLen"])+str(self.fields["NegTokenInitSeqHeadTag1"])+str(self.fields["NegTokenInitSeqHeadLen1"])+str(self.fields["NegTokenInitSeqNLMPTag"])+str(self.fields["NegTokenInitSeqNLMPLen"])+str(self.fields["NegTokenInitSeqNLMPTag1"])+str(self.fields["NegTokenInitSeqNLMPTag1Len"])+str(self.fields["NegTokenInitSeqNLMPTag1Str"])+str(self.fields["NegTokenInitSeqNLMPTag2"])+str(self.fields["NegTokenInitSeqNLMPTag2Len"])+str(self.fields["NegTokenInitSeqNLMPTag2Octet"])+str(self.fields["NegTokenInitSeqNLMPTag2OctetLen"])+str(self.fields["NegTokenInitSeqMechSignature"])+str(self.fields["NegTokenInitSeqMechMessageType"])+str(self.fields["NegTokenInitSeqMechMessageFlags"])+str(self.fields["NegTokenInitSeqMechMessageDomainNameLen"])+str(self.fields["NegTokenInitSeqMechMessageDomainNameMaxLen"])+str(self.fields["NegTokenInitSeqMechMessageDomainNameBuffOffset"])+str(self.fields["NegTokenInitSeqMechMessageWorkstationNameLen"])+str(self.fields["NegTokenInitSeqMechMessageWorkstationNameMaxLen"])+str(self.fields["NegTokenInitSeqMechMessageWorkstationNameBuffOffset"])+str(self.fields["NegTokenInitSeqMechMessageVersionHigh"])+str(self.fields["NegTokenInitSeqMechMessageVersionLow"])+str(self.fields["NegTokenInitSeqMechMessageVersionBuilt"])+str(self.fields["NegTokenInitSeqMechMessageVersionReserved"])+str(self.fields["NegTokenInitSeqMechMessageVersionNTLMType"])
+
+        data3 = str(self.fields["AsnSecMechType"])+str(self.fields["AsnSecMechLen"])+str(self.fields["AsnSecMechStr"])+str(self.fields["ChoosedTag"])+str(self.fields["ChoosedTagStrLen"])+str(self.fields["NegTokenInitSeqHeadTag"])+str(self.fields["NegTokenInitSeqHeadLen"])+str(self.fields["NegTokenInitSeqHeadTag1"])+str(self.fields["NegTokenInitSeqHeadLen1"])+str(self.fields["NegTokenInitSeqNLMPTag"])+str(self.fields["NegTokenInitSeqNLMPLen"])+str(self.fields["NegTokenInitSeqNLMPTag1"])+str(self.fields["NegTokenInitSeqNLMPTag1Len"])+str(self.fields["NegTokenInitSeqNLMPTag1Str"])+str(self.fields["NegTokenInitSeqNLMPTag2"])+str(self.fields["NegTokenInitSeqNLMPTag2Len"])+str(self.fields["NegTokenInitSeqNLMPTag2Octet"])+str(self.fields["NegTokenInitSeqNLMPTag2OctetLen"])+str(self.fields["NegTokenInitSeqMechSignature"])+str(self.fields["NegTokenInitSeqMechMessageType"])+str(self.fields["NegTokenInitSeqMechMessageFlags"])+str(self.fields["NegTokenInitSeqMechMessageDomainNameLen"])+str(self.fields["NegTokenInitSeqMechMessageDomainNameMaxLen"])+str(self.fields["NegTokenInitSeqMechMessageDomainNameBuffOffset"])+str(self.fields["NegTokenInitSeqMechMessageWorkstationNameLen"])+str(self.fields["NegTokenInitSeqMechMessageWorkstationNameMaxLen"])+str(self.fields["NegTokenInitSeqMechMessageWorkstationNameBuffOffset"])+str(self.fields["NegTokenInitSeqMechMessageVersionHigh"])+str(self.fields["NegTokenInitSeqMechMessageVersionLow"])+str(self.fields["NegTokenInitSeqMechMessageVersionBuilt"])+str(self.fields["NegTokenInitSeqMechMessageVersionReserved"])+str(self.fields["NegTokenInitSeqMechMessageVersionNTLMType"])
+
+        data4 = str(self.fields["NegTokenInitSeqHeadTag"])+str(self.fields["NegTokenInitSeqHeadLen"])+str(self.fields["NegTokenInitSeqHeadTag1"])+str(self.fields["NegTokenInitSeqHeadLen1"])+str(self.fields["NegTokenInitSeqNLMPTag"])+str(self.fields["NegTokenInitSeqNLMPLen"])+str(self.fields["NegTokenInitSeqNLMPTag1"])+str(self.fields["NegTokenInitSeqNLMPTag1Len"])+str(self.fields["NegTokenInitSeqNLMPTag1Str"])+str(self.fields["NegTokenInitSeqNLMPTag2"])+str(self.fields["NegTokenInitSeqNLMPTag2Len"])+str(self.fields["NegTokenInitSeqNLMPTag2Octet"])+str(self.fields["NegTokenInitSeqNLMPTag2OctetLen"])+str(self.fields["NegTokenInitSeqMechSignature"])+str(self.fields["NegTokenInitSeqMechMessageType"])+str(self.fields["NegTokenInitSeqMechMessageFlags"])+str(self.fields["NegTokenInitSeqMechMessageDomainNameLen"])+str(self.fields["NegTokenInitSeqMechMessageDomainNameMaxLen"])+str(self.fields["NegTokenInitSeqMechMessageDomainNameBuffOffset"])+str(self.fields["NegTokenInitSeqMechMessageWorkstationNameLen"])+str(self.fields["NegTokenInitSeqMechMessageWorkstationNameMaxLen"])+str(self.fields["NegTokenInitSeqMechMessageWorkstationNameBuffOffset"])+str(self.fields["NegTokenInitSeqMechMessageVersionHigh"])+str(self.fields["NegTokenInitSeqMechMessageVersionLow"])+str(self.fields["NegTokenInitSeqMechMessageVersionBuilt"])+str(self.fields["NegTokenInitSeqMechMessageVersionReserved"])+str(self.fields["NegTokenInitSeqMechMessageVersionNTLMType"])
+
+        data5 = str(self.fields["NegTokenInitSeqHeadTag1"])+str(self.fields["NegTokenInitSeqHeadLen1"])+str(self.fields["NegTokenInitSeqNLMPTag"])+str(self.fields["NegTokenInitSeqNLMPLen"])+str(self.fields["NegTokenInitSeqNLMPTag1"])+str(self.fields["NegTokenInitSeqNLMPTag1Len"])+str(self.fields["NegTokenInitSeqNLMPTag1Str"])+str(self.fields["NegTokenInitSeqNLMPTag2"])+str(self.fields["NegTokenInitSeqNLMPTag2Len"])+str(self.fields["NegTokenInitSeqNLMPTag2Octet"])+str(self.fields["NegTokenInitSeqNLMPTag2OctetLen"])+str(self.fields["NegTokenInitSeqMechSignature"])+str(self.fields["NegTokenInitSeqMechMessageType"])+str(self.fields["NegTokenInitSeqMechMessageFlags"])+str(self.fields["NegTokenInitSeqMechMessageDomainNameLen"])+str(self.fields["NegTokenInitSeqMechMessageDomainNameMaxLen"])+str(self.fields["NegTokenInitSeqMechMessageDomainNameBuffOffset"])+str(self.fields["NegTokenInitSeqMechMessageWorkstationNameLen"])+str(self.fields["NegTokenInitSeqMechMessageWorkstationNameMaxLen"])+str(self.fields["NegTokenInitSeqMechMessageWorkstationNameBuffOffset"])+str(self.fields["NegTokenInitSeqMechMessageVersionHigh"])+str(self.fields["NegTokenInitSeqMechMessageVersionLow"])+str(self.fields["NegTokenInitSeqMechMessageVersionBuilt"])+str(self.fields["NegTokenInitSeqMechMessageVersionReserved"])+str(self.fields["NegTokenInitSeqMechMessageVersionNTLMType"])
+
+        data6 = str(self.fields["NegTokenInitSeqNLMPTag"])+str(self.fields["NegTokenInitSeqNLMPLen"])+str(self.fields["NegTokenInitSeqNLMPTag1"])+str(self.fields["NegTokenInitSeqNLMPTag1Len"])+str(self.fields["NegTokenInitSeqNLMPTag1Str"])+str(self.fields["NegTokenInitSeqNLMPTag2"])+str(self.fields["NegTokenInitSeqNLMPTag2Len"])+str(self.fields["NegTokenInitSeqNLMPTag2Octet"])+str(self.fields["NegTokenInitSeqNLMPTag2OctetLen"])+str(self.fields["NegTokenInitSeqMechSignature"])+str(self.fields["NegTokenInitSeqMechMessageType"])+str(self.fields["NegTokenInitSeqMechMessageFlags"])+str(self.fields["NegTokenInitSeqMechMessageDomainNameLen"])+str(self.fields["NegTokenInitSeqMechMessageDomainNameMaxLen"])+str(self.fields["NegTokenInitSeqMechMessageDomainNameBuffOffset"])+str(self.fields["NegTokenInitSeqMechMessageWorkstationNameLen"])+str(self.fields["NegTokenInitSeqMechMessageWorkstationNameMaxLen"])+str(self.fields["NegTokenInitSeqMechMessageWorkstationNameBuffOffset"])+str(self.fields["NegTokenInitSeqMechMessageVersionHigh"])+str(self.fields["NegTokenInitSeqMechMessageVersionLow"])+str(self.fields["NegTokenInitSeqMechMessageVersionBuilt"])+str(self.fields["NegTokenInitSeqMechMessageVersionReserved"])+str(self.fields["NegTokenInitSeqMechMessageVersionNTLMType"])
+
+        data7 = str(self.fields["NegTokenInitSeqNLMPTag2Octet"])+str(self.fields["NegTokenInitSeqNLMPTag2OctetLen"])+str(self.fields["NegTokenInitSeqMechSignature"])+str(self.fields["NegTokenInitSeqMechMessageType"])+str(self.fields["NegTokenInitSeqMechMessageFlags"])+str(self.fields["NegTokenInitSeqMechMessageDomainNameLen"])+str(self.fields["NegTokenInitSeqMechMessageDomainNameMaxLen"])+str(self.fields["NegTokenInitSeqMechMessageDomainNameBuffOffset"])+str(self.fields["NegTokenInitSeqMechMessageWorkstationNameLen"])+str(self.fields["NegTokenInitSeqMechMessageWorkstationNameMaxLen"])+str(self.fields["NegTokenInitSeqMechMessageWorkstationNameBuffOffset"])+str(self.fields["NegTokenInitSeqMechMessageVersionHigh"])+str(self.fields["NegTokenInitSeqMechMessageVersionLow"])+str(self.fields["NegTokenInitSeqMechMessageVersionBuilt"])+str(self.fields["NegTokenInitSeqMechMessageVersionReserved"])+str(self.fields["NegTokenInitSeqMechMessageVersionNTLMType"])
+
+        data8 = str(self.fields["NegTokenInitSeqMechSignature"])+str(self.fields["NegTokenInitSeqMechMessageType"])+str(self.fields["NegTokenInitSeqMechMessageFlags"])+str(self.fields["NegTokenInitSeqMechMessageDomainNameLen"])+str(self.fields["NegTokenInitSeqMechMessageDomainNameMaxLen"])+str(self.fields["NegTokenInitSeqMechMessageDomainNameBuffOffset"])+str(self.fields["NegTokenInitSeqMechMessageWorkstationNameLen"])+str(self.fields["NegTokenInitSeqMechMessageWorkstationNameMaxLen"])+str(self.fields["NegTokenInitSeqMechMessageWorkstationNameBuffOffset"])+str(self.fields["NegTokenInitSeqMechMessageVersionHigh"])+str(self.fields["NegTokenInitSeqMechMessageVersionLow"])+str(self.fields["NegTokenInitSeqMechMessageVersionBuilt"])+str(self.fields["NegTokenInitSeqMechMessageVersionReserved"])+str(self.fields["NegTokenInitSeqMechMessageVersionNTLMType"])
+
+        #Buff Offset
+        self.fields["SecurityBufferOffset"] = StructWithLenPython2or3("<h", len(data1)+64)
+        ##Buff Len
+        self.fields["SecurityBufferLen"] = StructWithLenPython2or3("<h", len(data2))
+        ##App Header
+        self.fields["ApplicationHeaderLen"] = StructWithLenPython2or3("<B", len(data3))
+        ##Asn Field 1
+        self.fields["AsnSecMechLen"] = StructWithLenPython2or3("<B", len(str(self.fields["AsnSecMechStr"])))
+        ##Asn Field 1
+        self.fields["ChoosedTagStrLen"] = StructWithLenPython2or3("<B", len(data4))
+        ##SpNegoTokenLen
+        self.fields["NegTokenInitSeqHeadLen"] = StructWithLenPython2or3("<B", len(data5))
+        ##NegoTokenInitcodecs.decode(RandomStr,'hex')
+        self.fields["NegTokenInitSeqHeadLen1"] = StructWithLenPython2or3("<B", len(str(self.fields["NegTokenInitSeqNLMPTag"])+str(self.fields["NegTokenInitSeqNLMPLen"])+str(self.fields["NegTokenInitSeqNLMPTag1"])+str(self.fields["NegTokenInitSeqNLMPTag1Len"])+str(self.fields["NegTokenInitSeqNLMPTag1Str"]))) 
+        ## Tag0 Len
+        self.fields["NegTokenInitSeqNLMPLen"] = StructWithLenPython2or3("<B", len(str(self.fields["NegTokenInitSeqNLMPTag1"])+str(self.fields["NegTokenInitSeqNLMPTag1Len"])+str(self.fields["NegTokenInitSeqNLMPTag1Str"])))
+        ## Tag0 Str Len
+        self.fields["NegTokenInitSeqNLMPTag1Len"] = StructWithLenPython2or3("<B", len(str(self.fields["NegTokenInitSeqNLMPTag1Str"])))
+        ## Tag2 Len
+        self.fields["NegTokenInitSeqNLMPTag2Len"] = StructWithLenPython2or3("<B", len(data7))
+        ## Tag3 Len
+        self.fields["NegTokenInitSeqNLMPTag2OctetLen"] = StructWithLenPython2or3("<B", len(data8))

From e24792d7743dbf3a5c5ffac92113e36e5d682e42 Mon Sep 17 00:00:00 2001
From: lgandx <laurent.gaffie@gmail.com>
Date: Thu, 31 Dec 2020 01:27:43 -0300
Subject: [PATCH 4/6] Added SMB2 support for RunFinger and various other
 checks.

---
 packets.py                | 36 ------------------------------------
 tools/RunFingerPackets.py |  2 +-
 2 files changed, 1 insertion(+), 37 deletions(-)

diff --git a/packets.py b/packets.py
index f27bc4a..9939af0 100644
--- a/packets.py
+++ b/packets.py
@@ -1611,42 +1611,6 @@ class SMB2Session2Data(Packet):
     ])
 
 
-######################FindSMBTime.py##########################
-class SMBHeaderReq(Packet):
-    fields = OrderedDict([
-        ("Proto", "\xff\x53\x4d\x42"),
-        ("Cmd", "\x72"),
-        ("Error-Code", "\x00\x00\x00\x00" ),
-        ("Flag1", "\x10"),
-        ("Flag2", "\x00\x00"),
-        ("Pidhigh", "\x00\x00"),
-        ("Signature", "\x00\x00\x00\x00\x00\x00\x00\x00"),
-        ("Reserved", "\x00\x00"),
-        ("TID", "\x00\x00"),
-        ("PID", "\xff\xfe"),
-        ("UID", "\x00\x00"),
-        ("MID", "\x00\x00"),
-    ])
-
-class SMB2NegoReq(Packet):
-    fields = OrderedDict([
-        ("Wordcount", "\x00"),
-        ("Bcc", "\x62\x00"),
-        ("Data", "")
-    ])
-    
-    def calculate(self):
-        self.fields["Bcc"] = StructWithLenPython2or3("<H",len(str(self.fields["Data"])))
-
-class SMB2NegoDataReq(Packet):
-    fields = OrderedDict([
-        ("StrType","\x02" ),
-        ("dialect", "NT LM 0.12\x00"),
-        ("StrType1","\x02"),
-        ("dialect1", "SMB 2.002\x00"),
-        ("StrType2","\x02"),
-        ("dialect2", "SMB 2.???\x00"),
-    ])
 ###################RDP Packets################################
 class TPKT(Packet):
     fields = OrderedDict([
diff --git a/tools/RunFingerPackets.py b/tools/RunFingerPackets.py
index 651849b..a112ef6 100644
--- a/tools/RunFingerPackets.py
+++ b/tools/RunFingerPackets.py
@@ -11,7 +11,7 @@ else:
 
 def StructWithLenPython2or3(endian,data):
     #Python2...
-    if PY2OR3 == "PY2":
+    if PY2OR3 is "PY2":
         return struct.pack(endian, data)
     #Python3...
     else:

From a78dfdf3c7c0bb6f023c7b77291aecef4a6495ba Mon Sep 17 00:00:00 2001
From: lgandx <laurent.gaffie@gmail.com>
Date: Thu, 31 Dec 2020 08:52:18 -0300
Subject: [PATCH 5/6] minor bugfix

---
 tools/RunFinger.py | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/tools/RunFinger.py b/tools/RunFinger.py
index d13dabb..e7897e8 100755
--- a/tools/RunFinger.py
+++ b/tools/RunFinger.py
@@ -392,9 +392,7 @@ def RunFinger(Host):
             threads.append(p)
             p.start()
     else:
-        if options.grep_output:
-            ShowSmallResults(Host)
-        else:
-            ShowResults(Host)
+        ShowSmallResults(Host)
+
 
 RunFinger(Host)

From 24e7b7c667c3c9feb1cd3a25b16bd8d9c2df5ec6 Mon Sep 17 00:00:00 2001
From: lgandx <laurent.gaffie@gmail.com>
Date: Thu, 31 Dec 2020 09:39:15 -0300
Subject: [PATCH 6/6] Added support for SMB2 signing

---
 tools/RunFinger.py | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/tools/RunFinger.py b/tools/RunFinger.py
index e7897e8..745f2f0 100755
--- a/tools/RunFinger.py
+++ b/tools/RunFinger.py
@@ -39,6 +39,7 @@ if options.TARGET is None:
 Timeout = 2
 Host = options.TARGET
 SMB1 = "Enabled"
+SMB2signing = "False"
 
 class Packet():
     fields = OrderedDict([
@@ -89,6 +90,13 @@ def ParseNegotiateSMB2Ans(data):
 	else:
 		return False 
 
+def SMB2SigningMandatory(data):
+	global SMB2signing
+	if data[70] == "\x03":
+		SMB2signing = "True"
+	else:
+		SMB2signing = "False"
+
 def WorkstationFingerPrint(data):
 	return {
  		b"\x04\x00"    :"Windows 95",
@@ -108,7 +116,7 @@ def GetOsBuildNumber(data):
 	ProductBuild =  struct.unpack("<h",data)[0]
 	return ProductBuild 
 
-def ParseSMBNTLM2Exchange(data, host, bootime):  #Parse SMB NTLMSSP Response
+def ParseSMBNTLM2Exchange(data, host, bootime, signing):  #Parse SMB NTLMSSP Response
 	data = data.encode('latin-1')
 	SSPIStart  = data.find(b'NTLMSSP')
 	SSPIString = data[SSPIStart:]
@@ -122,7 +130,7 @@ def ParseSMBNTLM2Exchange(data, host, bootime):  #Parse SMB NTLMSSP Response
 	WindowsVers       = WorkstationFingerPrint(data[SSPIStart+48:SSPIStart+50])
 	WindowsBuildVers  = GetOsBuildNumber(data[SSPIStart+50:SSPIStart+52])
 	DomainGrab((host, 445))
-	print(("[SMB2]:['{}', Os:'{}', Build:'{}', Domain:'{}', Bootime: '{}', RDP:'{}', SMB1:'{}']".format(host, WindowsVers, str(WindowsBuildVers), Domain, Bootime, IsRDPOn((host,3389)),SMB1)))
+	print(("[SMB2]:['{}', Os:'{}', Build:'{}', Domain:'{}', Bootime: '{}', Signing:'{}', RDP:'{}', SMB1:'{}']".format(host, WindowsVers, str(WindowsBuildVers), Domain, Bootime, signing, IsRDPOn((host,3389)),SMB1)))
 
 def GetBootTime(data):
 	data = data.encode('latin-1')
@@ -319,6 +327,7 @@ def handle(data, host):
 
 	if data[28] == "\x01":
 		global Bootime
+		SMB2SigningMandatory(data)
 		Bootime = IsDCVuln(GetBootTime(data[116:124]), host[0])
 		a =  SMBv2Head(SMBv2Command="\x01\x00",CommandSequence= "\x02\x00\x00\x00\x00\x00\x00\x00")
 		a.calculate()
@@ -329,7 +338,7 @@ def handle(data, host):
 		return buffer0
 
 	if data[28] == "\x02":
-		ParseSMBNTLM2Exchange(data, host[0], Bootime) 
+		ParseSMBNTLM2Exchange(data, host[0], Bootime, SMB2signing) 
 
 ##################
 #run it