Minor SMB/Kerberos improvements (#4749)

Author: gpotter2

scapy/fields.py

@@ -2783,6 +2783,12 @@ def __init__(self, name, default, enum):
         super(LEIntEnumField, self).__init__(name, default, enum, "<I")
 
 
+class XLEIntEnumField(LEIntEnumField):
+    def _i2repr(self, pkt, x):
+        # type: (Optional[Packet], Any) -> str
+        return lhex(x)
+
+
 class XShortEnumField(ShortEnumField):
     def _i2repr(self, pkt, x):
         # type: (Optional[Packet], Any) -> str

scapy/layers/kerberos.py

@@ -111,6 +111,7 @@
     StrFixedLenEnumField,
     XByteField,
     XLEIntField,
+    XLEIntEnumField,
     XLEShortField,
     XStrFixedLenField,
     XStrLenField,
@@ -139,6 +140,7 @@
 )
 from scapy.layers.inet import TCP, UDP
 from scapy.layers.smb import _NV_VERSION
+from scapy.layers.smb2 import STATUS_ERREF
 from scapy.layers.x509 import X509_AlgorithmIdentifier
 
 # Typing imports
@@ -1874,7 +1876,7 @@ def m2i(self, pkt, s):
             try:
                 return KERB_ERROR_DATA(val[0].val, _underlayer=pkt), val[1]
             except BER_Decoding_Error:
-                if pkt.errorCode.val in [18]:
+                if pkt.errorCode.val in [18, 12]:
                     # Some types can also happen in FAST sessions
                     # 18: KDC_ERR_CLIENT_REVOKED
                     return MethodData(val[0].val, _underlayer=pkt), val[1]
@@ -2015,7 +2017,7 @@ def getSPN(self):
 
 class KERB_EXT_ERROR(Packet):
     fields_desc = [
-        XLEIntField("status", 0),
+        XLEIntEnumField("status", 0, STATUS_ERREF),
         XLEIntField("reserved", 0),
         XLEIntField("flags", 0x00000001),
     ]

scapy/layers/smb2.py

@@ -120,6 +120,7 @@
     0xC0000064: "STATUS_NO_SUCH_USER",
     0xC000006D: "STATUS_LOGON_FAILURE",
     0xC000006E: "STATUS_ACCOUNT_RESTRICTION",
+    0xC0000070: "STATUS_INVALID_WORKSTATION",
     0xC0000071: "STATUS_PASSWORD_EXPIRED",
     0xC0000072: "STATUS_ACCOUNT_DISABLED",
     0xC000009A: "STATUS_INSUFFICIENT_RESOURCES",

scapy/layers/smbclient.py

@@ -72,15 +72,15 @@
     DirectTCP,
     FileAllInformation,
     FileIdBothDirectoryInformation,
-    SMB_DIALECTS,
+    SECURITY_DESCRIPTOR,
+    SMB2_CREATE_DURABLE_HANDLE_REQUEST_V2,
+    SMB2_CREATE_REQUEST_LEASE,
+    SMB2_CREATE_REQUEST_LEASE_V2,
     SMB2_Change_Notify_Request,
     SMB2_Change_Notify_Response,
     SMB2_Close_Request,
     SMB2_Close_Response,
     SMB2_Create_Context,
-    SMB2_CREATE_DURABLE_HANDLE_REQUEST_V2,
-    SMB2_CREATE_REQUEST_LEASE_V2,
-    SMB2_CREATE_REQUEST_LEASE,
     SMB2_Create_Request,
     SMB2_Create_Response,
     SMB2_ENCRYPTION_CIPHERS,
@@ -111,6 +111,7 @@
     SMB2_Write_Request,
     SMB2_Write_Response,
     SMBStreamSocket,
+    SMB_DIALECTS,
     SRVSVC_SHARE_TYPES,
     STATUS_ERREF,
 )
@@ -1822,6 +1823,96 @@ def backup(self):
             print("Backup Intent: On")
             self.extra_create_options.append("FILE_OPEN_FOR_BACKUP_INTENT")
 
+    @CLIUtil.addcommand(spaces=True)
+    def watch(self, folder):
+        """
+        Watch file changes in folder (recursively)
+        """
+        if self._require_share():
+            return
+        # Get pwd of the ls
+        fpath = self.pwd / folder
+        self.smbsock.set_TID(self.current_tree)
+        # Open file
+        fileId = self.smbsock.create_request(
+            self.normalize_path(fpath),
+            type="folder",
+            extra_create_options=self.extra_create_options,
+        )
+        print("Watching '%s'" % fpath)
+        # Watch for changes
+        try:
+            while True:
+                changes = self.smbsock.changenotify(fileId)
+                for chg in changes:
+                    print(chg.sprintf("%.time%: %Action% %FileName%"))
+        except KeyboardInterrupt:
+            pass
+        # Close the file
+        self.smbsock.close_request(fileId)
+        print("Cancelled.")
+
+    @CLIUtil.addcommand(spaces=True)
+    def getsd(self, file):
+        """
+        Get the Security Descriptor
+        """
+        if self._require_share():
+            return
+        fpath = self.pwd / file
+        self.smbsock.set_TID(self.current_tree)
+        # Open file
+        fileId = self.smbsock.create_request(
+            self.normalize_path(fpath),
+            type="",
+            mode="",
+            extra_desired_access=["READ_CONTROL", "ACCESS_SYSTEM_SECURITY"],
+        )
+        # Get the file size
+        info = self.smbsock.query_info(
+            FileId=fileId,
+            InfoType="SMB2_0_INFO_SECURITY",
+            FileInfoClass=0,
+            AdditionalInformation=(
+                0x00000001
+                | 0x00000002
+                | 0x00000004
+                | 0x00000008
+                | 0x00000010
+                | 0x00000020
+                | 0x00000040
+                | 0x00010000
+            ),
+        )
+        self.smbsock.close_request(fileId)
+        return info
+
+    @CLIUtil.addcomplete(getsd)
+    def getsd_complete(self, file):
+        """
+        Auto-complete getsd
+        """
+        if self._require_share(silent=True):
+            return []
+        return self._fs_complete(file)
+
+    @CLIUtil.addoutput(getsd)
+    def getsd_output(self, results):
+        """
+        Print the output of 'getsd'
+        """
+        sd = SECURITY_DESCRIPTOR(results)
+        print("Owner:", sd.OwnerSid.summary())
+        print("Group:", sd.GroupSid.summary())
+        if getattr(sd, "DACL", None):
+            print("DACL:")
+            for ace in sd.DACL.Aces:
+                print(" - ", ace.toSDDL())
+        if getattr(sd, "SACL", None):
+            print("SACL:")
+            for ace in sd.SACL.Aces:
+                print(" - ", ace.toSDDL())
+
 
 if __name__ == "__main__":
     from scapy.utils import AutoArgparse