Last active
November 29, 2018 05:59
-
-
Save xax007/18237bffc978d0a5a4c87aa718c5e8c4 to your computer and use it in GitHub Desktop.
Get smb server version via impacket when smbclient or other smb enumerate tools(eg. enum4linux) can not get it.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/env python | |
# Copyright (c) 2003-2018 CORE Security Technologies | |
# | |
# This software is provided under under a slightly modified version | |
# of the Apache Software License. See the accompanying LICENSE file | |
# for more information. | |
# | |
# Description: Mini shell using some of the SMB funcionality of the library | |
# | |
# Author: | |
# Alberto Solino (@agsolino) | |
# | |
# | |
# Reference for: | |
# SMB DCE/RPC | |
# | |
import sys | |
import logging | |
import argparse | |
from impacket.examples import logger | |
from impacket.examples.smbclient import MiniImpacketShell | |
from impacket import version | |
from impacket.smbconnection import SMBConnection | |
def main(): | |
# Init the example's logger theme | |
logger.init() | |
print version.BANNER | |
parser = argparse.ArgumentParser(add_help = True, description = "SMB client implementation.") | |
parser.add_argument('target', action='store', help='[[domain/]username[:password]@]<targetName or address>') | |
parser.add_argument('-file', type=argparse.FileType('r'), help='input file with commands to execute in the mini shell') | |
parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON') | |
group = parser.add_argument_group('authentication') | |
group.add_argument('-hashes', action="store", metavar = "LMHASH:NTHASH", help='NTLM hashes, format is LMHASH:NTHASH') | |
group.add_argument('-no-pass', action="store_true", help='don\'t ask for password (useful for -k)') | |
group.add_argument('-k', action="store_true", help='Use Kerberos authentication. Grabs credentials from ccache file ' | |
'(KRB5CCNAME) based on target parameters. If valid credentials ' | |
'cannot be found, it will use the ones specified in the command ' | |
'line') | |
group.add_argument('-aesKey', action="store", metavar = "hex key", help='AES key to use for Kerberos Authentication ' | |
'(128 or 256 bits)') | |
group = parser.add_argument_group('connection') | |
group.add_argument('-dc-ip', action='store', metavar="ip address", | |
help='IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in ' | |
'the target parameter') | |
group.add_argument('-target-ip', action='store', metavar="ip address", | |
help='IP Address of the target machine. If omitted it will use whatever was specified as target. ' | |
'This is useful when target is the NetBIOS name and you cannot resolve it') | |
group.add_argument('-port', choices=['139', '445'], nargs='?', default='445', metavar="destination port", | |
help='Destination port to connect to SMB Server') | |
if len(sys.argv)==1: | |
parser.print_help() | |
sys.exit(1) | |
options = parser.parse_args() | |
if options.debug is True: | |
logging.getLogger().setLevel(logging.DEBUG) | |
else: | |
logging.getLogger().setLevel(logging.INFO) | |
import re | |
domain, username, password, address = re.compile('(?:(?:([^/@:]*)/)?([^@:]*)(?::([^@]*))?@)?(.*)').match( | |
options.target).groups('') | |
#In case the password contains '@' | |
if '@' in address: | |
password = password + '@' + address.rpartition('@')[0] | |
address = address.rpartition('@')[2] | |
if options.target_ip is None: | |
options.target_ip = address | |
if domain is None: | |
domain = '' | |
if password == '' and username != '' and options.hashes is None and options.no_pass is False and options.aesKey is None: | |
from getpass import getpass | |
password = getpass("Password:") | |
if options.aesKey is not None: | |
options.k = True | |
if options.hashes is not None: | |
lmhash, nthash = options.hashes.split(':') | |
else: | |
lmhash = '' | |
nthash = '' | |
try: | |
smbClient = SMBConnection(address, options.target_ip, sess_port=int(options.port)) | |
if options.k is True: | |
smbClient.kerberosLogin(username, password, domain, lmhash, nthash, options.aesKey, options.dc_ip ) | |
else: | |
smbClient.login(username, password, domain, lmhash, nthash) | |
smb = smbClient.getSMBServer() | |
print "SMB Version:", smb.get_server_lanman() | |
# shell = MiniImpacketShell(smbClient) | |
# if options.file is not None: | |
# logging.info("Executing commands from %s" % options.file.name) | |
# for line in options.file.readlines(): | |
# if line[0] != '#': | |
# print "# %s" % line, | |
# shell.onecmd(line) | |
# else: | |
# print line, | |
# else: | |
# shell.cmdloop() | |
except Exception as e: | |
if logging.getLogger().level == logging.DEBUG: | |
import traceback | |
traceback.print_exc() | |
logging.error(str(e)) | |
if __name__ == "__main__": | |
main() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Usage
python get_smb_version.py <your ip> -p <set 139 if 445 not work>
Output: