scapy.layers.smbserver

SMB 2 Server Automaton

This provides a [MS-SMB2] server that can: - serve files - host a DCE/RPC server

This is a Scapy Automaton that is supposedly easily extendable.

Note

You will find more complete documentation for this layer over at SMB

class scapy.layers.smbserver.SMBShare(name, path='.', type=None, remark='', encryptdata=False)

Bases: object

A class used to define a share, used by SMB_Server

Parameters:

• name – the share name

• path – the path the the folder hosted by the share

• type – (optional) share type per [MS-SRVS] sect 2.2.2.4

• remark – (optional) a description of the share

• encryptdata – (optional) whether encryption should be used for this share. This only applies to SMB 3.1.1.

class scapy.layers.smbserver.SMB_DCERPC_Server(*args, **kwargs)

Bases: DCERPC_Server

DCE/RPC server than handles the minimum RPCs for SMB to work:

dcerpc_commands = {<class 'scapy.layers.msrpce.raw.ms_srvs.NetrServerGetInfo_Request'>: <function SMB_DCERPC_Server.netr_server_getinfo>, <class 'scapy.layers.msrpce.raw.ms_srvs.NetrShareEnum_Request'>: <function SMB_DCERPC_Server.netr_share_enum>, <class 'scapy.layers.msrpce.raw.ms_srvs.NetrShareGetInfo_Request'>: <function SMB_DCERPC_Server.netr_share_getinfo>, <class 'scapy.layers.msrpce.raw.ms_wkst.NetrWkstaGetInfo_Request'>: <function SMB_DCERPC_Server.netr_wksta_getinfo>}

netr_server_getinfo(req)

NetrServerGetInfo [MS-WKST] “retrieves current configuration information for CIFS and SMB Version 1.0 servers.”

netr_share_enum(req)

NetrShareEnum [MS-SRVS] “retrieves information about each shared resource on a server.”

netr_share_getinfo(req)

NetrShareGetInfo [MS-SRVS] “retrieves information about a particular shared resource on a server.”

netr_wksta_getinfo(req)

NetrWkstaGetInfo [MS-SRVS] “returns information about the configuration of a workstation.”

class scapy.layers.smbserver.SMB_Server(self, debug: int = 0, store: int = 0, **kargs: Any)

Bases: Automaton

SMB server automaton

Parameters:

• shares – the shares to serve. By default, share nothing. Note that IPC$ is appended.

• ssp – the SSP to use

All other options (in caps) are optional, and SMB specific:

Parameters:

• ANONYMOUS_LOGIN – mark the clients as anonymous

• GUEST_LOGIN – mark the clients as guest

• REQUIRE_SIGNATURE – set ‘Require Signature’

• REQUIRE_ENCRYPTION – globally require encryption. You could also make it share-specific on 3.1.1.

• MAX_DIALECT – maximum SMB dialect. Defaults to 0x0311 (3.1.1)

• TREE_SHARE_FLAGS – flags to announce on Tree_Connect_Response

• TREE_CAPABILITIES – capabilities to announce on Tree_Connect_Response

• TREE_MAXIMAL_ACCESS – maximal access to announce on Tree_Connect_Response

• FILE_MAXIMAL_ACCESS – maximal access to announce in MxAc Create Context

AUTHENTICATED(*args: ATMT, **kargs: Any) → NewStateRequested

BEGIN(*args: ATMT, **kargs: Any) → NewStateRequested

END(*args: ATMT, **kargs: Any) → NewStateRequested

LAST_HANDLE = <SMB2_FILEID  Persistent=0xffffffffffffffff Volatile=0xffffffffffffffff |>

NEGOTIATED(*args: ATMT, **kargs: Any) → NewStateRequested

NEGO_FAILED(*args: ATMT, **kargs: Any) → NewStateRequested

PIPES_TABLE = {'NETLOGON': <SMB2_FILEID  Persistent=0x4000000014 Volatile=0x4000000003 |>, 'srvsvc': <SMB2_FILEID  Persistent=0x4000000012 Volatile=0x4000000001 |>, 'wkssvc': <SMB2_FILEID  Persistent=0x4000000013 Volatile=0x4000000002 |>}

RECEIVED_SETUP_ANDX_REQUEST(*args: ATMT, **kargs: Any) → NewStateRequested

SERVING(*args: ATMT, **kargs: Any) → NewStateRequested

actions: Dict[str, List[_StateWrapper]] = {'is_smb1_tree': [], 'receive_cancel_request': [<function SMB_Server.send_notify_cancel_response>], 'receive_change_notify_info': [<function SMB_Server.send_change_notify_info_response>], 'receive_close_request': [<function SMB_Server.send_close_response>], 'receive_create_file': [<function SMB_Server.send_create_file_response>], 'receive_echo_request': [<function SMB_Server.send_echo_reply>], 'receive_ioctl': [<function SMB_Server.send_ioctl_response>], 'receive_logoff_request': [<function SMB_Server.send_logoff_response>], 'receive_query_directory_info': [<function SMB_Server.send_query_directory_response>], 'receive_query_info': [<function SMB_Server.send_query_info_response>], 'receive_read_request': [<function SMB_Server.send_read_response>], 'receive_set_info_request': [<function SMB_Server.send_set_info_response>], 'receive_setup_andx_request': [<function SMB_Server.on_setup_andx_request>], 'receive_setup_andx_request_in_serving': [], 'receive_tree_connect': [<function SMB_Server.send_tree_connect_response>], 'receive_tree_disconnect_request': [<function SMB_Server.send_tree_disconnect_response>], 'receive_write_request': [<function SMB_Server.send_write_response>], 'received_negotiate': [<function SMB_Server.on_negotiate>], 'received_negotiate_smb2': [<function SMB_Server.on_negotiate_smb2>], 'received_negotiate_smb2_begin': [<function SMB_Server.on_negotiate_smb2_begin>], 'should_serve': [], 'wait_for_next_request': []}

breakpoints: Set[_StateWrapper]

conditions: Dict[str, List[_StateWrapper]] = {'AUTHENTICATED': [<function SMB_Server.should_serve>], 'BEGIN': [], 'END': [], 'NEGOTIATED': [], 'NEGO_FAILED': [], 'RECEIVED_SETUP_ANDX_REQUEST': [<function SMB_Server.wait_for_next_request>], 'SERVING': []}

current_smb_time()

current_tree()

Return the current tree name

eofs: Dict[str, _StateWrapper] = {}

get_file_id(pkt)

Return the FileId attribute of pkt, accounting for compounded requests.

initial_states: List[_StateWrapper] = [<function ATMT.state.<locals>.deco.<locals>._state_wrapper>]

intercepted_packet: None | Packet

interception_points: Set[_StateWrapper]

ioevents: Dict[str, List[_StateWrapper]] = {'AUTHENTICATED': [], 'BEGIN': [], 'END': [], 'NEGOTIATED': [], 'NEGO_FAILED': [], 'RECEIVED_SETUP_ANDX_REQUEST': [], 'SERVING': []}

ionames: List[str] = []

iosupersockets: List[SuperSocket] = []

is_smb1_tree(pkt)

listen_sock: SuperSocket | None

lookup_file(fname, durable_handle=None, create=False, createOptions=None)

Lookup the file and build it’s SMB2_FILEID

lookup_folder(handle, filter, offset, cls)

Lookup a folder handle

make_file_id(fname)

Generate deterministic FileId based on the fname

on_negotiate(pkt)

on_negotiate_smb2(pkt)

on_negotiate_smb2_begin(pkt)

on_setup_andx_request(pkt, ssp_blob)

packets: PacketList

pkt_cls

alias of DirectTCP

receive_cancel_request(pkt)

receive_change_notify_info(pkt)

receive_close_request(pkt)

receive_create_file(pkt)

receive_echo_request(pkt)

receive_ioctl(pkt)

receive_logoff_request(pkt)

receive_query_directory_info(pkt)

receive_query_info(pkt)

receive_read_request(pkt)

receive_set_info_request(pkt)

receive_setup_andx_request(pkt)

receive_setup_andx_request_in_serving(pkt)

receive_tree_connect(pkt)

receive_tree_disconnect_request(pkt)

receive_write_request(pkt)

received_negotiate(pkt)

received_negotiate_smb2(pkt)

received_negotiate_smb2_begin(pkt)

recv_conditions: Dict[str, List[_StateWrapper]] = {'AUTHENTICATED': [], 'BEGIN': [<function SMB_Server.received_negotiate>, <function SMB_Server.received_negotiate_smb2_begin>], 'END': [], 'NEGOTIATED': [<function SMB_Server.received_negotiate_smb2>, <function SMB_Server.receive_setup_andx_request>], 'NEGO_FAILED': [], 'RECEIVED_SETUP_ANDX_REQUEST': [], 'SERVING': [<function SMB_Server.receive_logoff_request>, <function SMB_Server.receive_setup_andx_request_in_serving>, <function SMB_Server.is_smb1_tree>, <function SMB_Server.receive_tree_connect>, <function SMB_Server.receive_ioctl>, <function SMB_Server.receive_create_file>, <function SMB_Server.receive_change_notify_info>, <function SMB_Server.receive_query_directory_info>, <function SMB_Server.receive_query_info>, <function SMB_Server.receive_set_info_request>, <function SMB_Server.receive_write_request>, <function SMB_Server.receive_read_request>, <function SMB_Server.receive_close_request>, <function SMB_Server.receive_tree_disconnect_request>, <function SMB_Server.receive_cancel_request>, <function SMB_Server.receive_echo_request>]}

root_path()

Return the root path of the current tree

send(pkt)

send_change_notify_info_response(pkt)

send_close_response(pkt)

send_create_file_response(pkt)

Handle CreateFile request

See [MS-SMB2] 3.3.5.9 ()

send_echo_reply(pkt)

send_ioctl_response(pkt)

send_logoff_response(pkt)

send_notify_cancel_response(pkt)

send_query_directory_response(pkt)

send_query_info_response(pkt)

send_read_response(pkt)

send_set_info_response(pkt)

send_sock: SuperSocket | None

send_tree_connect_response(pkt, tree_name)

send_tree_disconnect_response(pkt)

send_write_response(pkt)

property session

set_compounded_handle(handle)

Mark a handle as the current one being compounded.

should_serve()

socketcls

alias of SMBStreamSocket

states: Dict[str, _StateWrapper] = {'AUTHENTICATED': <function ATMT.state.<locals>.deco.<locals>._state_wrapper>, 'BEGIN': <function ATMT.state.<locals>.deco.<locals>._state_wrapper>, 'END': <function ATMT.state.<locals>.deco.<locals>._state_wrapper>, 'NEGOTIATED': <function ATMT.state.<locals>.deco.<locals>._state_wrapper>, 'NEGO_FAILED': <function ATMT.state.<locals>.deco.<locals>._state_wrapper>, 'RECEIVED_SETUP_ANDX_REQUEST': <function ATMT.state.<locals>.deco.<locals>._state_wrapper>, 'SERVING': <function ATMT.state.<locals>.deco.<locals>._state_wrapper>}

stop_state: _StateWrapper | None = None

threadid: int | None

timeout: Dict[str, _TimerList] = {'AUTHENTICATED': [], 'BEGIN': [], 'END': [], 'NEGOTIATED': [], 'NEGO_FAILED': [], 'RECEIVED_SETUP_ANDX_REQUEST': [], 'SERVING': []}

update_smbheader(pkt)

Called when receiving a SMB2 packet to update the current smb_header

vprint(s='')

Verbose print (if enabled)

wait_for_next_request()

class scapy.layers.smbserver.smbserver(shares=None, iface: str = None, port: int = 445, verb: int = 2, readonly: bool = True, ssp=None, **kwargs)

Bases: object

Spawns a simple smbserver

smbserver parameters:

param shares:

the list of shares to announce. Note that IPC$ is appended. By default, a ‘Scapy’ share on ‘./’

param port:

(optional) the port to bind on, default 445

param iface:

(optional) the interface to bind on, default conf.iface

param readonly:

(optional) whether the server is read-only or not. default True

param ssp:

(optional) the SSP to use. See the examples below. Default NTLM with guest

Many more SMB-specific parameters are available in help(SMB_Server)

close()

Close the smbserver if started in background mode (bg=True)