有朋友需要单exe版的smb_version,造了个轮子,在Win7和03上通过。
测试用的小工具,支持139和445端口。
有需求的自行二次修改吧~NTLMSSP challenge数据提取部分在很多地方都挺常用的。
代码:
using System; using System.Data; using System.Text; using System.Text.RegularExpressions; using System.Collections; using System.Collections.Generic; using System.Threading; using System.Diagnostics; using System.IO; using System.Security.Cryptography; using System.Net; using System.Net.Sockets; using System.Reflection; using System.Runtime; using System.Runtime.InteropServices; namespace Zcg.Tests { class smbver { static byte[] d1 ={ 0x00, 0x00, 0x00, 0x85, 0xFF, 0x53, 0x4D, 0x42, 0x72, 0x00, 0x00, 0x00, 0x00, 0x18, 0x53, 0xC8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0x00, 0x00, 0x00, 0x00, 0x00, 0x62, 0x00, 0x02, 0x50, 0x43, 0x20, 0x4E, 0x45, 0x54, 0x57, 0x4F, 0x52, 0x4B, 0x20, 0x50, 0x52, 0x4F, 0x47, 0x52, 0x41, 0x4D, 0x20, 0x31, 0x2E, 0x30, 0x00, 0x02, 0x4C, 0x41, 0x4E, 0x4D, 0x41, 0x4E, 0x31, 0x2E, 0x30, 0x00, 0x02, 0x57, 0x69, 0x6E, 0x64, 0x6F, 0x77, 0x73, 0x20, 0x66, 0x6F, 0x72, 0x20, 0x57, 0x6F, 0x72, 0x6B, 0x67, 0x72, 0x6F, 0x75, 0x70, 0x73, 0x20, 0x33, 0x2E, 0x31, 0x61, 0x00, 0x02, 0x4C, 0x4D, 0x31, 0x2E, 0x32, 0x58, 0x30, 0x30, 0x32, 0x00, 0x02, 0x4C, 0x41, 0x4E, 0x4D, 0x41, 0x4E, 0x32, 0x2E, 0x31, 0x00, 0x02, 0x4E, 0x54, 0x20, 0x4C, 0x4D, 0x20, 0x30, 0x2E, 0x31, 0x32, 0x00 }; static byte[] d2 ={ 0x00, 0x00, 0x01, 0x0A, 0xFF, 0x53, 0x4D, 0x42, 0x73, 0x00, 0x00, 0x00, 0x00, 0x18, 0x07, 0xC8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0x00, 0x00, 0x40, 0x00, 0x0C, 0xFF, 0x00, 0x0A, 0x01, 0x04, 0x41, 0x32, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4A, 0x00, 0x00, 0x00, 0x00, 0x00, 0xD4, 0x00, 0x00, 0xA0, 0xCF, 0x00, 0x60, 0x48, 0x06, 0x06, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x02, 0xA0, 0x3E, 0x30, 0x3C, 0xA0, 0x0E, 0x30, 0x0C, 0x06, 0x0A, 0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x02, 0x0A, 0xA2, 0x2A, 0x04, 0x28, 0x4E, 0x54, 0x4C, 0x4D, 0x53, 0x53, 0x50, 0x00, 0x01, 0x00, 0x00, 0x00, 0x07, 0x82, 0x08, 0xA2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x02, 0xCE, 0x0E, 0x00, 0x00, 0x00, 0x0F, 0x00, 0x57, 0x00, 0x69, 0x00, 0x6E, 0x00, 0x64, 0x00, 0x6F, 0x00, 0x77, 0x00, 0x73, 0x00, 0x20, 0x00, 0x53, 0x00, 0x65, 0x00, 0x72, 0x00, 0x76, 0x00, 0x65, 0x00, 0x72, 0x00, 0x20, 0x00, 0x32, 0x00, 0x30, 0x00, 0x30, 0x00, 0x33, 0x00, 0x20, 0x00, 0x33, 0x00, 0x37, 0x00, 0x39, 0x00, 0x30, 0x00, 0x20, 0x00, 0x53, 0x00, 0x65, 0x00, 0x72, 0x00, 0x76, 0x00, 0x69, 0x00, 0x63, 0x00, 0x65, 0x00, 0x20, 0x00, 0x50, 0x00, 0x61, 0x00, 0x63, 0x00, 0x6B, 0x00, 0x20, 0x00, 0x32, 0x00, 0x00, 0x00, 0x00, 0x00, 0x57, 0x00, 0x69, 0x00, 0x6E, 0x00, 0x64, 0x00, 0x6F, 0x00, 0x77, 0x00, 0x73, 0x00, 0x20, 0x00, 0x53, 0x00, 0x65, 0x00, 0x72, 0x00, 0x76, 0x00, 0x65, 0x00, 0x72, 0x00, 0x20, 0x00, 0x32, 0x00, 0x30, 0x00, 0x30, 0x00, 0x33, 0x00, 0x20, 0x00, 0x35, 0x00, 0x2E, 0x00, 0x32, 0x00, 0x00, 0x00, 0x00, 0x00 }; static byte[] d3={ 0x81,0x00,0x00,0x44,0x20,0x43,0x4b,0x46,0x44,0x45,0x4e,0x45,0x43,0x46,0x44,0x45 ,0x46,0x46,0x43,0x46,0x47,0x45,0x46,0x46,0x43,0x43,0x41,0x43,0x41,0x43,0x41,0x43 ,0x41,0x43,0x41,0x43,0x41,0x00,0x20,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43 ,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43 ,0x41,0x43,0x41,0x43,0x41,0x41,0x41,0x00 }; static void Main(string[] args) { Console.WriteLine("SMB Version Detection tool 0.1"); Console.WriteLine("Part of GMH's fuck Tools, Code By zcgonvh.\r\n"); if (args.Length < 1) { Console.WriteLine("usage: smbver host [port]"); return; } string host = args[0]; int port = 445; try { port = int.Parse(args[1]); } catch { } try { byte[] buf = new byte[1024]; Socket sock = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp); sock.Connect(host, port); if(port==139) { sock.Send(d3); sock.Receive(buf); } sock.Send(d1); sock.Receive(buf); sock.Send(d2); sock.Receive(buf); int len = BitConverter.ToInt16(buf, 43); string[] ss = Encoding.Unicode.GetString(buf, len + 47, buf.Length - len - 47).Split('\0'); Console.WriteLine("native os: " + ss[0]); Console.WriteLine("native lan manager: " + ss[1]); int off = 0; for (int i = 47; i < len - 7; i++) { if (buf[i] == 'N' && buf[i + 1] == 'T' && buf[i + 2] == 'L' && buf[i + 3] == 'M' && buf[i + 4] == 'S' && buf[i + 5] == 'S' && buf[i + 6] == 'P') { off = i; break; } } byte[] ntlm = new byte[len]; Array.Copy(buf, off, ntlm, 0, len); len = BitConverter.ToInt16(ntlm, 0xc); off = BitConverter.ToInt16(ntlm, 0x10); Console.WriteLine("negotiate target: " + Encoding.Unicode.GetString(ntlm, off, len)); Console.WriteLine("os major version: " + ntlm[off - 8]); Console.WriteLine("os minor version: " + ntlm[off - 7]); Console.WriteLine("os build number: " + BitConverter.ToInt16(ntlm, off - 6)); Console.WriteLine("ntlm current revision: " + ntlm[off - 1]); off += len; int type = BitConverter.ToInt16(ntlm, off); while (type != 0) { off += 2; len = BitConverter.ToInt16(ntlm, off); off += 2; switch (type) { case 1: { Console.WriteLine("NetBIOS computer name: " + Encoding.Unicode.GetString(ntlm, off, len)); break; } case 2: { Console.WriteLine("NetBIOS domain name: " + Encoding.Unicode.GetString(ntlm, off, len)); break; } case 3: { Console.WriteLine("DNS computer name: " + Encoding.Unicode.GetString(ntlm, off, len)); break; } case 4: { Console.WriteLine("DNS domain name: " + Encoding.Unicode.GetString(ntlm, off, len)); break; } case 5: { Console.WriteLine("DNS tree name: " + Encoding.Unicode.GetString(ntlm, off, len)); break; } case 7: { Console.WriteLine("time stamp: {0:o}", DateTime.FromFileTime(BitConverter.ToInt64(ntlm, off))); break; } default: { Console.Write("Unknown type {0}, data: ", type); for (int i = 0; i < len; i++) { Console.Write(ntlm[i + off].ToString("X2")); } Console.WriteLine(); break; } } off += len; type = BitConverter.ToInt16(ntlm, off); } } catch (Exception ex) { Console.WriteLine("err: " + ex); } } } }