From 15e534fbbfabcc6f234a4545ae093f56525da01b Mon Sep 17 00:00:00 2001
From: van Hauser
Date: Fri, 7 Jul 2017 18:05:59 +0200
Subject: [PATCH] smbv1 check
---
 CHANGES | 1 +
 hydra-smb.c | 59 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 60 insertions(+)
diff --git a/CHANGES b/CHANGES
index 5dd7266..37f5b4d 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,7 @@ Changelog for hydra
 -------------------
 Release 8.6-dev
+* smb module now checks if SMBv1 is supported by the server
 * http-form module now supports URLs up to 6000 bytes (thanks to petrock6@github for the patch)
 * Fix for SSL connections that failed with error:00000000:lib(0):func(0):reason(0) (thanks gaia@github for reporting)
 * Added new command line option:
diff --git a/hydra-smb.c b/hydra-smb.c
index 48f7d7e..afc8ec6 100644
--- a/hydra-smb.c
+++ b/hydra-smb.c
@@ -1437,7 +1437,66 @@ int32_t service_smb_init(char *ip, int32_t sp, unsigned char options, char *misc
 // return codes:
 // 0 all OK
 // -1 error, hydra will exit, so print a good error message here
+ time_t ctime;
+ int ready = 0, sock = hydra_connect_tcp(ip, port);
+ unsigned char buf[] = {
+ 0x00, 0x00, 0x00, 0xbe, 0xff, 0x53, 0x4d, 0x42,
+ 0x72, 0x00, 0x00, 0x00, 0x00, 0x18, 0x43, 0xc8,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfe, 0xff,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x9b, 0x00, 0x02,
+ 0x50, 0x43, 0x20, 0x4e, 0x45, 0x54, 0x57, 0x4f,
+ 0x52, 0x4b, 0x20, 0x50, 0x52, 0x4f, 0x47, 0x52,
+ 0x41, 0x4d, 0x20, 0x31, 0x2e, 0x30, 0x00, 0x02,
+ 0x4d, 0x49, 0x43, 0x52, 0x4f, 0x53, 0x4f, 0x46,
+ 0x54, 0x20, 0x4e, 0x45, 0x54, 0x57, 0x4f, 0x52,
+ 0x4b, 0x53, 0x20, 0x31, 0x2e, 0x30, 0x33, 0x00,
+ 0x02, 0x4d, 0x49, 0x43, 0x52, 0x4f, 0x53, 0x4f,
+ 0x46, 0x54, 0x20, 0x4e, 0x45, 0x54, 0x57, 0x4f,
+ 0x52, 0x4b, 0x53, 0x20, 0x33, 0x2e, 0x30, 0x00,
+ 0x02, 0x4c, 0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x31,
+ 0x2e, 0x30, 0x00, 0x02, 0x4c, 0x4d, 0x31, 0x2e,
+ 0x32, 0x58, 0x30, 0x30, 0x32, 0x00, 0x02, 0x44,
+ 0x4f, 0x53, 0x20, 0x4c, 0x41, 0x4e, 0x4d, 0x41,
+ 0x4e, 0x32, 0x2e, 0x31, 0x00, 0x02, 0x4c, 0x41,
+ 0x4e, 0x4d, 0x41, 0x4e, 0x32, 0x2e, 0x31, 0x00,
+ 0x02, 0x53, 0x61, 0x6d, 0x62, 0x61, 0x00, 0x02,
+ 0x4e, 0x54, 0x20, 0x4c, 0x41, 0x4e, 0x4d, 0x41,
+ 0x4e, 0x20, 0x31, 0x2e, 0x30, 0x00, 0x02, 0x4e,
+ 0x54, 0x20, 0x4c, 0x4d, 0x20, 0x30, 0x2e, 0x31,
+ 0x32, 0x00 };
+
+ if (sock < 0) {
+ fprintf(stderr, "[ERROR] could not connect to target smb://%s:%d/\n", hostname, port);
+ return -1;
+ }
+
+ if (send(sock, buf, sizeof(buf), 0) < 0) {
+ fprintf(stderr, "[ERROR] unable to send to target smb://%s:%d/\n", hostname, port);
+ return -1;
+ }
+
+ ctime = time(NULL);
+ do {
+ usleepn(300);
+ } while ((ready = hydra_data_ready(sock)) <= 0 && ctime + 5 < time(NULL));
+
+ if (ready <= 0) {
+ fprintf(stderr, "[ERROR] no reply from target smb://%s:%d/\n", hostname, port);
+ return -1;
+ }
+
+ if ((ready = recv(sock, buf, sizeof(buf), 0)) < 40) {
+ fprintf(stderr, "[ERROR] invalid reply from target smb://%s:%d/\n", hostname, port);
+ return -1;
+ }
+
+ if (buf[37] == buf[38] && buf[38] == 0xff) {
+ fprintf(stderr, "[ERROR] target smb://%s:%d/ does not support SMBv1\n", hostname, port);
+ return -1;
+ }
+
 return 0;
 }
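Review bot: The reply wait in the added `do … while` loop runs only once, because `ctime + 5 < time(NULL)` is false until the five seconds have already passed; a server that has not answered after the first `usleepn(300)` falls straight through to the "no reply" error. The deadline test looks inverted and should read `} while ((ready = hydra_data_ready(sock)) <= 0 && time(NULL) < ctime + 5);`. Separately, `sock` is never closed: the four error returns after a successful connect and the final `return 0;` all leave the probe connection open, so each of those paths should release it first (hydra's `hydra_disconnect(sock)`, or one shared cleanup label). The local name `ctime` also hides the libc `ctime()` declaration from `<time.h>`; something like `start` would avoid the shadowing. The body of `service_smb_init` begins before this hunk, so its earlier lines were not reviewed.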