scapy.layers.smbclient

SMB 1 / 2 Client Automaton

Note

You will find more complete documentation for this layer over at SMB

class scapy.layers.smbclient.SMB_Client(self, debug: int = 0, store: int = 0, session: Any = None, **kargs: Any)

Bases: Automaton

SMB client automaton

Parameters:

• sock – the SMBStreamSocket to use

• ssp – the SSP to use

All other options (in caps) are optional, and SMB specific:

Parameters:

• REQUIRE_SIGNATURE – set ‘Require Signature’

• REQUIRE_ENCRYPTION – set ‘Requite Encryption’

• MIN_DIALECT – minimum SMB dialect. Defaults to 0x0202 (2.0.2)

• MAX_DIALECT – maximum SMB dialect. Defaults to 0x0311 (3.1.1)

• DIALECTS – list of supported SMB2 dialects. Constructed from MIN_DIALECT, MAX_DIALECT otherwise.

AUTHENTICATED(*args: ATMT, **kargs: Any) → NewStateRequested

AUTH_FAILED(*args: ATMT, **kargs: Any) → NewStateRequested

BEGIN(*args: ATMT, **kargs: Any) → NewStateRequested

NEGOTIATED(*args: ATMT, **kargs: Any) → NewStateRequested

NEGO_FAILED(*args: ATMT, **kargs: Any) → NewStateRequested

SENT_NEGOTIATE(*args: ATMT, **kargs: Any) → NewStateRequested

SENT_SESSION_REQUEST(*args: ATMT, **kargs: Any) → NewStateRequested

SMB2_NEGOTIATE(*args: ATMT, **kargs: Any) → NewStateRequested

SOCKET_BIND(*args: ATMT, **kargs: Any) → NewStateRequested

SOCKET_MODE_SMB(*args: ATMT, **kargs: Any) → NewStateRequested

actions: Dict[str, List[_StateWrapper]] = {'authenticated_post_actions': [], 'continue_smb2': [], 'incoming_data_received_smb': [<function SMB_Client.receive_data_smb>], 'outgoing_data_received_smb': [<function SMB_Client.send_data>], 'receive_negotiate_response': [], 'receive_session_setup_response': [], 'send_negotiate': [<function SMB_Client.on_negotiate>], 'send_negotiate_smb2': [<function SMB_Client.on_negotiate_smb2>], 'should_retry_without_blob': [], 'should_send_session_setup_request': [<function SMB_Client.send_setup_session_request>], 'start_smb_socket': []}

authenticated_post_actions()

cls

alias of DirectTCP

conditions: Dict[str, List[_StateWrapper]] = {'AUTHENTICATED': [<function SMB_Client.authenticated_post_actions>], 'AUTH_FAILED': [], 'BEGIN': [<function SMB_Client.continue_smb2>, <function SMB_Client.send_negotiate>], 'NEGOTIATED': [<function SMB_Client.should_retry_without_blob>, <function SMB_Client.should_send_session_setup_request>], 'NEGO_FAILED': [], 'SENT_NEGOTIATE': [], 'SENT_SESSION_REQUEST': [], 'SMB2_NEGOTIATE': [<function SMB_Client.send_negotiate_smb2>], 'SOCKET_BIND': [<function SMB_Client.start_smb_socket>], 'SOCKET_MODE_SMB': []}

continue_smb2()

eofs: Dict[str, _StateWrapper] = {}

classmethod from_tcpsock(sock, **kwargs)

incoming_data_received_smb(pkt)

initial_states: List[_StateWrapper] = [<function ATMT.state.<locals>.deco.<locals>._state_wrapper>]

ioevents: Dict[str, List[_StateWrapper]] = {'AUTHENTICATED': [], 'AUTH_FAILED': [], 'BEGIN': [], 'NEGOTIATED': [], 'NEGO_FAILED': [], 'SENT_NEGOTIATE': [], 'SENT_SESSION_REQUEST': [], 'SMB2_NEGOTIATE': [], 'SOCKET_BIND': [], 'SOCKET_MODE_SMB': [<function SMB_Client.outgoing_data_received_smb>]}

ionames: List[str] = ['smbpipe']

iosupersockets: List[SuperSocket] = [<function SMB_Client.outgoing_data_received_smb>]

on_negotiate()

on_negotiate_smb2()

outgoing_data_received_smb(fd)

port = 445

receive_data_smb(pkt)

receive_negotiate_response(pkt)

receive_session_setup_response(pkt)

recv_conditions: Dict[str, List[_StateWrapper]] = {'AUTHENTICATED': [], 'AUTH_FAILED': [], 'BEGIN': [], 'NEGOTIATED': [], 'NEGO_FAILED': [], 'SENT_NEGOTIATE': [<function SMB_Client.receive_negotiate_response>], 'SENT_SESSION_REQUEST': [<function SMB_Client.receive_session_setup_response>], 'SMB2_NEGOTIATE': [], 'SOCKET_BIND': [], 'SOCKET_MODE_SMB': [<function SMB_Client.incoming_data_received_smb>]}

send(pkt)

send_data(d)

send_negotiate()

send_negotiate_smb2()

send_setup_session_request(ssp_tuple)

property session

should_retry_without_blob(ssp_tuple)

should_send_session_setup_request(ssp_tuple)

smblink = <scapy.automaton._ATMT_to_supersocket object>

start_smb_socket()

states: Dict[str, _StateWrapper] = {'AUTHENTICATED': <function ATMT.state.<locals>.deco.<locals>._state_wrapper>, 'AUTH_FAILED': <function ATMT.state.<locals>.deco.<locals>._state_wrapper>, 'BEGIN': <function ATMT.state.<locals>.deco.<locals>._state_wrapper>, 'NEGOTIATED': <function ATMT.state.<locals>.deco.<locals>._state_wrapper>, 'NEGO_FAILED': <function ATMT.state.<locals>.deco.<locals>._state_wrapper>, 'SENT_NEGOTIATE': <function ATMT.state.<locals>.deco.<locals>._state_wrapper>, 'SENT_SESSION_REQUEST': <function ATMT.state.<locals>.deco.<locals>._state_wrapper>, 'SMB2_NEGOTIATE': <function ATMT.state.<locals>.deco.<locals>._state_wrapper>, 'SOCKET_BIND': <function ATMT.state.<locals>.deco.<locals>._state_wrapper>, 'SOCKET_MODE_SMB': <function ATMT.state.<locals>.deco.<locals>._state_wrapper>}

stop_state: _StateWrapper | None = None

timeout: Dict[str, _TimerList] = {'AUTHENTICATED': [], 'AUTH_FAILED': [], 'BEGIN': [], 'NEGOTIATED': [], 'NEGO_FAILED': [], 'SENT_NEGOTIATE': [], 'SENT_SESSION_REQUEST': [], 'SMB2_NEGOTIATE': [], 'SOCKET_BIND': [], 'SOCKET_MODE_SMB': []}

update_smbheader(pkt)

Called when receiving a SMB2 packet to update the current smb_header

class scapy.layers.smbclient.SMB_RPC_SOCKET(smbsock, use_ioctl=True, timeout=3)

Bases: ObjectPipe, SMB_SOCKET

Extends SMB_SOCKET (which is a wrapper over SMB_Client.smblink) to send DCE/RPC messages (bind, reqs, etc.)

This is usable as a normal SuperSocket (sr1, etc.) and performs the wrapping of the DCE/RPC messages into SMB2_Write/Read packets.

close()

close_pipe()

open_pipe(name)

send(x, is_sr1=True)

class scapy.layers.smbclient.SMB_SOCKET(smbsock, use_ioctl=True, timeout=3)

Bases: SuperSocket

Mid-level wrapper over SMB_Client.smblink that provides some basic SMB client functions, such as tree connect, directory query, etc.

changenotify(FileId)

Register change notify

close_request(FileId)

Close the FileId

create_request(name, mode='r', type='pipe', extra_create_options=[], extra_desired_access=[])

Open a file/pipe by its name

Parameters:

name – the name of the file or named pipe. e.g. ‘srvsvc’

classmethod from_tcpsock(sock, **kwargs)

Wraps the tcp socket in a SMB_Client.smblink first, then into the SMB_SOCKET/SMB_RPC_SOCKET

get_TID()

Get the current TID from the underlying socket

ioctl(CtlCode, Flags='SMB2_0_IOCTL_IS_FSCTL', Input=None)

Perform an IOCTL

query_directory(FileId, FileName='*')

Query the Directory with FileId

query_info(FileId, InfoType, FileInfoClass, AdditionalInformation=0)

Query the Info

read_request(FileId, Length, Offset=0)

Read request

property session

set_TID(TID)

Set the TID (Tree ID). This can be called before sending a packet

tree_connect(name)

Send a TreeConnect request

tree_disconnect()

Send a TreeDisconnect request

write_request(Data, FileId, Offset=0)

Write request

class scapy.layers.smbclient.smbclient(target: str, UPN: str = None, password: str = None, guest: bool = False, kerberos_required: bool = False, HashNt: bytes = None, HashAes256Sha96: bytes = None, HashAes128Sha96: bytes = None, use_krb5ccname: bool = False, use_winssp: bool = False, port: int = 445, timeout: int = 5, debug: int = 0, ssp=None, ST=None, KEY=None, cli=True, REQUIRE_ENCRYPTION=False, **kwargs)

Bases: CLIUtil

A simple SMB client CLI powered by Scapy

Parameters:

• target – can be a hostname, the IPv4 or the IPv6 to connect to

• UPN – the upn to use (DOMAIN/USER, DOMAINUSER, USER@DOMAIN or USER)

• guest – use guest mode (over NTLM)

• ssp – if provided, use this SSP for auth.

• kerberos_required – require kerberos

• port – the TCP port. default 445

• password – if provided, used for auth

• HashNt – if provided, used for auth (NTLM)

• HashAes256Sha96 – if provided, used for auth (Kerberos)

• HashAes128Sha96 – if provided, used for auth (Kerberos)

• use_krb5ccname – (bool) if true, the KRB5CCNAME environment variable will be used if available.

• use_winssp – (bool) (only works on Windows). Use implicit authentication through WinSSP.

• ST – if provided, the service ticket to use (Kerberos)

• KEY – if provided, the session key associated to the ticket (Kerberos)

• cli – CLI mode (default True). False to use for scripting

Some additional SMB parameters are available under help(SMB_Client). Some of them include the following:

Parameters:

REQUIRE_ENCRYPTION – requires encryption.

backup()

Turn on or off backup intent

cat(file)

Print a file

cat_complete(file)

Auto-complete cat

cat_output(result)

Print the output of ‘cat’

cd(folder)

Change the remote current directory

cd_complete(folder)

Auto-complete cd

cd_output(result)

Print the output of ‘cd’

close()

collapse_path(path)

commands: Dict[str, Callable[[...], Any]] = {'backup': <function smbclient.backup>, 'cat': <function smbclient.cat>, 'cd': <function smbclient.cd>, 'get': <function smbclient.get>, 'getsd': <function smbclient.getsd>, 'lcd': <function smbclient.lcd>, 'lls': <function smbclient.lls>, 'ls': <function smbclient.ls>, 'put': <function smbclient.put>, 'rm': <function smbclient.rm>, 'server': <function smbclient.server>, 'shares': <function smbclient.shares>, 'tree': <function smbclient.tree>, 'use': <function smbclient.use>, 'watch': <function smbclient.watch>}

commands_complete: Dict[str, Callable[[...], List[str]]] = {'cat': <function smbclient.cat_complete>, 'cd': <function smbclient.cd_complete>, 'get': <function smbclient.get_complete>, 'getsd': <function smbclient.getsd_complete>, 'lcd': <function smbclient.lcd_complete>, 'ls': <function smbclient.ls_complete>, 'put': <function smbclient.put_complete>, 'rm': <function smbclient.rm_complete>, 'server': <function smbclient.server_complete>, 'use': <function smbclient.use_complete>}

commands_output: Dict[str, Callable[[...], str]] = {'cat': <function smbclient.cat_output>, 'cd': <function smbclient.cd_output>, 'get': <function smbclient.get_output>, 'getsd': <function smbclient.getsd_output>, 'lcd': <function smbclient.lcd_output>, 'lls': <function smbclient.lls_output>, 'ls': <function smbclient.ls_output>, 'server': <function smbclient.server_output>, 'shares': <function smbclient.shares_output>, 'tree': <function smbclient.tree_output>}

get(file, _dest=None, _verb=True, *, r=False)

Retrieve a file -r: recursively download a directory

get_complete(file)

Auto-complete get

get_output(info)

Print the output of ‘get’

getsd(file)

Get the Security Descriptor

getsd_complete(file)

Auto-complete getsd

getsd_output(results)

Print the output of ‘getsd’

lcd(folder)

Change the local current directory

lcd_complete(folder)

Auto-complete lcd

lcd_output(result)

Print the output of ‘lcd’

lls()

List the files in the local directory

lls_output(results)

Print the output of ‘lls’

ls(parent=None)

List the files in the remote directory -t: sort by timestamp -S: sort by size -r: reverse while sorting

ls_complete(folder)

Auto-complete ls

ls_output(results, *, t=False, S=False, r=False)

Print the output of ‘ls’

normalize_path(path)

Normalize path for CIFS usage

ps1()

put(file)

Upload a file

put_complete(folder)

Auto-complete put

rm(file)

Delete a file

rm_complete(file)

Auto-complete rm

server(command)

Get information about the remote server

server_complete(line)

Auto-complete server

server_output(result)

Print the output of ‘server’

shares()

List the shares available

shares_output(results)

Print the output of ‘shares’

tree(regx: str = None, max_depth=None)

Show the tree of files from the current directory

tree_output(result)

Print the output of ‘tree’

use(share)

Open a share

use_complete(share)

Auto-complete ‘use’

watch(folder)

Watch file changes in folder (recursively)