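## This file is part of Scapy
## See http://www.secdev.org/projects/scapy for more informations
## Copyright (C) Philippe Biondi <phil@secdev.org>
## This program is published under a GPLv2 license

"""
NetBIOS over TCP/IP

[RFC 1001/1002]
"""

import struct
from scapy.packet import *
from scapy.fields import *
from scapy.layers.inet import UDP, TCP
from scapy.layers.l2 import SourceMACField


class NetBIOS_DS(Packet):
    """NetBIOS datagram service header (RFC 1002 section 4.4.1).

    ``len`` defaults to ``None``; :meth:`post_build` then fills it with the
    number of bytes that follow the fixed 14-byte header (source name,
    destination name and user data).  An explicit ``len`` is emitted as
    given and never recomputed.
    """
    name = "NetBIOS datagram service"
    fields_desc = [
        ByteEnumField("type", 17, {17: "direct_group"}),
        ByteField("flags", 0),
        XShortField("id", 0),
        IPField("src", "127.0.0.1"),
        ShortField("sport", 138),
        ShortField("len", None),
        ShortField("ofs", 0),
        NetBIOSNameField("srcname", ""),
        NetBIOSNameField("dstname", ""),
    ]

    def post_build(self, p, pay):
        """Append the payload and patch ``len`` when the user left it unset.

        :param p: bytes built from ``fields_desc``
        :param pay: bytes of the payload layers
        :return: the complete datagram bytes
        :raises struct.error: if the computed length does not fit in 16 bits
        """
        p += pay
        if self.len is None:
            # Fixed header is type(1) flags(1) id(2) src(4) sport(2) len(2)
            # ofs(2) = 14 bytes; ``len`` sits at bytes 10-11 and counts
            # everything after byte 14 (names and user data).
            data_len = len(p) - 14
            p = p[:10] + struct.pack("!H", data_len) + p[12:]
        return p


# NBNS: NetBIOS Name Service (RFC 1002 section 4.2).
#
# The two-byte SUFFIX enums below hold the 16th NetBIOS name byte in
# first-level ("half-ASCII") encoding: each nibble is added to 'A', so
# 0x4141 == "AA" == 0x00 (workstation) and 0x4141 + 0x200 == "CA" == 0x20
# (file server service).  The NetBIOSNameField before it carries the
# first 15 name bytes in the same encoding.


# Name Query Request
# Node Status Request
class NBNSQueryRequest(Packet):
    """NBNS name query / node status request (RFC 1002 sections 4.2.12 and 4.2.17).

    The FLAGS default 0x0110 decodes per RFC 1002 as R=0 (request),
    OPCODE=0 (query), RD and B set, i.e. a broadcast name query.
    QUESTION_TYPE picks a name query (0x20, NB) or a node status request
    (0x21, NBSTAT).
    """
    name = "NBNS query request"
    fields_desc = [
        ShortField("NAME_TRN_ID", 0),
        ShortField("FLAGS", 0x0110),
        ShortField("QDCOUNT", 1),
        ShortField("ANCOUNT", 0),
        ShortField("NSCOUNT", 0),
        ShortField("ARCOUNT", 0),
        NetBIOSNameField("QUESTION_NAME", "windows"),
        ShortEnumField("SUFFIX", 0x4141, {
            0x4141: "workstation",
            0x4141 + 0x03: "messenger service",
            0x4141 + 0x200: "file server service",
            0x4141 + 0x10b: "domain master browser",
            0x4141 + 0x10c: "domain controller",
            0x4141 + 0x10e: "browser election service",
        }),
        # Root label terminating the encoded name.
        ByteField("NULL", 0),
        ShortEnumField("QUESTION_TYPE", 0x20, {0x20: "NB", 0x21: "NBSTAT"}),
        ShortEnumField("QUESTION_CLASS", 1, {1: "INTERNET"}),
    ]


# Name Registration Request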
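# Name Refresh Request
# Name Release Request or Demand
class NBNSRequest(Packet):
    """NBNS name registration request with its additional record (RFC 1002 section 4.2.2).

    The FLAGS default 0x2910 decodes per RFC 1002 as R=0, OPCODE=5
    (registration) with RD and B set; refresh and release requests use the
    same layout and differ only in the OPCODE nibble, so set FLAGS
    accordingly.  RR_NAME 0xC00C is a DNS-style compression pointer
    (0xC0 | offset 12) back to QUESTION_NAME, which starts right after the
    12-byte header.  RDATA is the 2-byte NB_FLAGS word (G, OWNER_NODE_TYPE,
    13 unused bits) followed by NB_ADDRESS; RDLENGTH 6 is that fixed size
    and is not recomputed.
    """
    name = "NBNS request"
    fields_desc = [
        ShortField("NAME_TRN_ID", 0),
        ShortField("FLAGS", 0x2910),
        ShortField("QDCOUNT", 1),
        ShortField("ANCOUNT", 0),
        ShortField("NSCOUNT", 0),
        ShortField("ARCOUNT", 1),
        NetBIOSNameField("QUESTION_NAME", "windows"),
        # 16th name byte, half-ASCII encoded (0x4141 == "AA" == 0x00).
        ShortEnumField("SUFFIX", 0x4141, {
            0x4141: "workstation",
            0x4141 + 0x03: "messenger service",
            0x4141 + 0x200: "file server service",
            0x4141 + 0x10b: "domain master browser",
            0x4141 + 0x10c: "domain controller",
            0x4141 + 0x10e: "browser election service",
        }),
        ByteField("NULL", 0),
        ShortEnumField("QUESTION_TYPE", 0x20, {0x20: "NB", 0x21: "NBSTAT"}),
        ShortEnumField("QUESTION_CLASS", 1, {1: "INTERNET"}),
        ShortEnumField("RR_NAME", 0xC00C, {0xC00C: "Label String Pointer to QUESTION_NAME"}),
        ShortEnumField("RR_TYPE", 0x20, {0x20: "NB", 0x21: "NBSTAT"}),
        ShortEnumField("RR_CLASS", 1, {1: "INTERNET"}),
        IntField("TTL", 0),
        ShortField("RDLENGTH", 6),
        BitEnumField("G", 0, 1, {0: "Unique name", 1: "Group name"}),
        BitEnumField("OWNER_NODE_TYPE", 0, 2, {0: "B node", 1: "P node", 2: "M node", 3: "H node"}),
        BitEnumField("UNUSED", 0, 13, {0: "Unused"}),
        IPField("NB_ADDRESS", "127.0.0.1"),
    ]


# Name Query Response
# Name Registration Response
class NBNSQueryResponse(Packet):
    """Positive NBNS name query / registration response (RFC 1002 sections 4.2.13, 4.2.3).

    The FLAGS default 0x8500 decodes per RFC 1002 as R=1 (response) with
    AA and RD set and RCODE 0.  TTL default 0x493e0 is 300000 seconds.
    RDATA is NB_FLAGS (kept as one raw short here, unlike the bit fields
    of NBNSRequest) followed by NB_ADDRESS; RDLENGTH 6 is fixed.

    NOTE(review): the answer record's type/class are named QUESTION_TYPE /
    QUESTION_CLASS although they describe the RR; kept for compatibility
    with existing callers.
    """
    name = "NBNS query response"
    fields_desc = [
        ShortField("NAME_TRN_ID", 0),
        ShortField("FLAGS", 0x8500),
        ShortField("QDCOUNT", 0),
        ShortField("ANCOUNT", 1),
        ShortField("NSCOUNT", 0),
        ShortField("ARCOUNT", 0),
        NetBIOSNameField("RR_NAME", "windows"),
        ShortEnumField("SUFFIX", 0x4141, {
            0x4141: "workstation",
            0x4141 + 0x03: "messenger service",
            0x4141 + 0x200: "file server service",
            0x4141 + 0x10b: "domain master browser",
            0x4141 + 0x10c: "domain controller",
            0x4141 + 0x10e: "browser election service",
        }),
        ByteField("NULL", 0),
        ShortEnumField("QUESTION_TYPE", 0x20, {0x20: "NB", 0x21: "NBSTAT"}),
        ShortEnumField("QUESTION_CLASS", 1, {1: "INTERNET"}),
        IntField("TTL", 0x493e0),
        ShortField("RDLENGTH", 6),
        ShortField("NB_FLAGS", 0),
        IPField("NB_ADDRESS", "127.0.0.1"),
    ]


# Name Query Response (negative)
# Name Release Response
class NBNSQueryResponseNegative(Packet):
    """Negative NBNS response (RFC 1002 sections 4.2.14, 4.2.10).

    The FLAGS default 0x8506 decodes per RFC 1002 as R=1, AA and RD set,
    RCODE 6 (ACT_ERR, name owned by another node).  NOTE(review): a
    negative *name query* reply normally carries RCODE 3 (NAM_ERR); confirm
    the intended default against the RFC before relying on it.
    RDATA is the NB_FLAGS bit fields followed by NB_ADDRESS; RDLENGTH 6 is
    fixed.
    """
    name = "NBNS query response (negative)"
    fields_desc = [
        ShortField("NAME_TRN_ID", 0),
        ShortField("FLAGS", 0x8506),
        ShortField("QDCOUNT", 0),
        ShortField("ANCOUNT", 1),
        ShortField("NSCOUNT", 0),
        ShortField("ARCOUNT", 0),
        NetBIOSNameField("RR_NAME", "windows"),
        ShortEnumField("SUFFIX", 0x4141, {
            0x4141: "workstation",
            0x4141 + 0x03: "messenger service",
            0x4141 + 0x200: "file server service",
            0x4141 + 0x10b: "domain master browser",
            0x4141 + 0x10c: "domain controller",
            0x4141 + 0x10e: "browser election service",
        }),
        ByteField("NULL", 0),
        ShortEnumField("RR_TYPE", 0x20, {0x20: "NB", 0x21: "NBSTAT"}),
        ShortEnumField("RR_CLASS", 1, {1: "INTERNET"}),
        IntField("TTL", 0),
        ShortField("RDLENGTH", 6),
        BitEnumField("G", 0, 1, {0: "Unique name", 1: "Group name"}),
        BitEnumField("OWNER_NODE_TYPE", 0, 2, {0: "B node", 1: "P node", 2: "M node", 3: "H node"}),
        BitEnumField("UNUSED", 0, 13, {0: "Unused"}),
        IPField("NB_ADDRESS", "127.0.0.1"),
    ]


# Node Status Response
class NBNSNodeStatusResponse(Packet):
    """Header of an NBNS node status response (RFC 1002 section 4.2.18).

    RR_TYPE default 0x21 (NBSTAT).  The RDATA itself is carried by payload
    layers: one NBNSNodeStatusResponseService per name, then
    NBNSNodeStatusResponseEnd with the unit id and statistics.
    NOTE(review): RDLENGTH (83) and NUM_NAMES (1) are fixed defaults and
    are not recomputed from the payload layers actually attached; set them
    by hand when building responses with more than one name.
    """
    name = "NBNS Node Status Response"
    fields_desc = [
        ShortField("NAME_TRN_ID", 0),
        ShortField("FLAGS", 0x8500),
        ShortField("QDCOUNT", 0),
        ShortField("ANCOUNT", 1),
        ShortField("NSCOUNT", 0),
        ShortField("ARCOUNT", 0),
        NetBIOSNameField("RR_NAME", "windows"),
        ShortEnumField("SUFFIX", 0x4141, {
            0x4141: "workstation",
            0x4141 + 0x03: "messenger service",
            0x4141 + 0x200: "file server service",
            0x4141 + 0x10b: "domain master browser",
            0x4141 + 0x10c: "domain controller",
            0x4141 + 0x10e: "browser election service",
        }),
        ByteField("NULL", 0),
        ShortEnumField("RR_TYPE", 0x21, {0x20: "NB", 0x21: "NBSTAT"}),
        ShortEnumField("RR_CLASS", 1, {1: "INTERNET"}),
        IntField("TTL", 0),
        ShortField("RDLENGTH", 83),
        ByteField("NUM_NAMES", 1),
    ]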
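# Service for Node Status Response
class NBNSNodeStatusResponseService(Packet):
    """One NODE_NAME entry of a node status response RDATA (RFC 1002 section 4.2.18).

    Each entry is 18 bytes: the raw (not half-ASCII) 15-byte name padded
    with spaces, the raw suffix byte, and the 16-bit NAME_FLAGS word split
    here into NAME_FLAGS (default 0x04, which per RFC 1002 is the ACT bit:
    name is active) and an UNUSED low byte.
    """
    name = "NBNS Node Status Response Service"
    fields_desc = [
        StrFixedLenField("NETBIOS_NAME", "WINDOWS ", 15),
        ByteEnumField("SUFFIX", 0, {
            0: "workstation",
            0x03: "messenger service",
            0x20: "file server service",
            0x1b: "domain master browser",
            0x1c: "domain controller",
            0x1e: "browser election service",
        }),
        ByteField("NAME_FLAGS", 0x4),
        ByteEnumField("UNUSED", 0, {0: "unused"}),
    ]


# End of Node Status Response packet
class NBNSNodeStatusResponseEnd(Packet):
    """Trailer of a node status response RDATA: UNIT_ID plus statistics.

    MAC_ADDRESS is a SourceMACField, so when left unset Scapy derives it
    from the local interface (assumed from the field type; the file does
    not show the lookup).  STATISTICS is kept as one opaque 57-byte blob
    rather than decoded into the RFC 1002 counters.

    NOTE(review): with one 18-byte name entry, the 6-byte MAC and 57 bytes
    of statistics the RDATA totals 1 + 18 + 6 + 57 = 82 bytes, while
    NBNSNodeStatusResponse defaults RDLENGTH to 83; one of the two sizes
    looks off by one and should be checked against captures.
    """
    name = "NBNS Node Status Response"
    fields_desc = [
        SourceMACField("MAC_ADDRESS"),
        BitField("STATISTICS", 0, 57 * 8),
    ]


# Wait for Acknowledgement Response
class NBNSWackResponse(Packet):
    """NBNS WACK response (RFC 1002 section 4.2.16).

    The FLAGS default 0xBC07 decodes per RFC 1002 as R=1, OPCODE=7 (WACK),
    AA set and RCODE 7.  NOTE(review): the RFC shows RCODE 0 for WACK;
    verify the default before depending on it.  TTL (2) is the number of
    seconds the requester should wait.  RDATA is the 2-byte FLAGS word of
    the request being acknowledged; the default 10512 (0x2910) is exactly
    the FLAGS default of NBNSRequest, i.e. it acknowledges a registration.
    """
    name = "NBNS Wait for Acknowledgement Response"
    fields_desc = [
        ShortField("NAME_TRN_ID", 0),
        ShortField("FLAGS", 0xBC07),
        ShortField("QDCOUNT", 0),
        ShortField("ANCOUNT", 1),
        ShortField("NSCOUNT", 0),
        ShortField("ARCOUNT", 0),
        NetBIOSNameField("RR_NAME", "windows"),
        # 16th name byte, half-ASCII encoded (0x4141 == "AA" == 0x00).
        ShortEnumField("SUFFIX", 0x4141, {
            0x4141: "workstation",
            0x4141 + 0x03: "messenger service",
            0x4141 + 0x200: "file server service",
            0x4141 + 0x10b: "domain master browser",
            0x4141 + 0x10c: "domain controller",
            0x4141 + 0x10e: "browser election service",
        }),
        ByteField("NULL", 0),
        ShortEnumField("RR_TYPE", 0x20, {0x20: "NB", 0x21: "NBSTAT"}),
        ShortEnumField("RR_CLASS", 1, {1: "INTERNET"}),
        IntField("TTL", 2),
        ShortField("RDLENGTH", 2),
        BitField("RDATA", 10512, 16),  # 10512 == 0x2910, the NBNSRequest FLAGS
    ]


class NBTDatagram(Packet):
    """NetBIOS datagram (UDP/138) with both encoded names spelled out.

    Models the same header as NetBIOS_DS: Type default 0x10 is a direct
    unique datagram (0x11, used by NetBIOS_DS, is direct group) and Flags
    0x02 per RFC 1002 section 4.4.1 marks a first, unfragmented datagram
    from a B node.  Unlike NetBIOS_DS this class has no post_build, so
    Length keeps its fixed default (272) regardless of the payload.

    NOTE(review): two fields share the name "NULL" (one after each name);
    attribute access and keyword construction resolve to the first one, so
    the second terminator can only be reached positionally.  Renaming would
    change the field names callers see, so it is left as is.
    """
    name = "NBT Datagram Packet"
    fields_desc = [
        ByteField("Type", 0x10),
        ByteField("Flags", 0x02),
        ShortField("ID", 0),
        IPField("SourceIP", "127.0.0.1"),
        ShortField("SourcePort", 138),
        ShortField("Length", 272),
        ShortField("Offset", 0),
        NetBIOSNameField("SourceName", "windows"),
        ShortEnumField("SUFFIX1", 0x4141, {
            0x4141: "workstation",
            0x4141 + 0x03: "messenger service",
            0x4141 + 0x200: "file server service",
            0x4141 + 0x10b: "domain master browser",
            0x4141 + 0x10c: "domain controller",
            0x4141 + 0x10e: "browser election service",
        }),
        ByteField("NULL", 0),
        NetBIOSNameField("DestinationName", "windows"),
        ShortEnumField("SUFFIX2", 0x4141, {
            0x4141: "workstation",
            0x4141 + 0x03: "messenger service",
            0x4141 + 0x200: "file server service",
            0x4141 + 0x10b: "domain master browser",
            0x4141 + 0x10c: "domain controller",
            0x4141 + 0x10e: "browser election service",
        }),
        ByteField("NULL", 0),
    ]


class NBTSession(Packet):
    """NetBIOS session service header (TCP/139, RFC 1002 section 4.3.1).

    Four bytes: TYPE, then a flags byte (7 reserved bits plus the length
    extension bit) and a 16-bit length.  The extension bit is folded into
    LENGTH here as its 17th (top) bit, so LENGTH holds the full message
    length directly.  LENGTH is a plain default and is not recomputed from
    the payload.
    """
    name = "NBT Session Packet"
    fields_desc = [
        ByteEnumField("TYPE", 0, {
            0x00: "Session Message",
            0x81: "Session Request",
            0x82: "Positive Session Response",
            0x83: "Negative Session Response",
            0x84: "Retarget Session Response",
            0x85: "Session Keepalive",
        }),
        BitField("RESERVED", 0x00, 7),
        BitField("LENGTH", 0, 17),
    ]


# NOTE(review): Scapy tries payload_guess entries in binding order, so when
# dissecting, UDP dport=137 always resolves to NBNSQueryRequest and
# sport=137 to NBNSQueryResponse; the other classes bound to the same
# ports are reached only by explicit construction or dissection.  Likewise
# the unconditional Service -> Service binding comes before Service -> End,
# so a NBNSNodeStatusResponseEnd is never guessed automatically.
bind_layers(UDP, NBNSQueryRequest, dport=137)
bind_layers(UDP, NBNSRequest, dport=137)
bind_layers(UDP, NBNSQueryResponse, sport=137)
bind_layers(UDP, NBNSQueryResponseNegative, sport=137)
bind_layers(UDP, NBNSNodeStatusResponse, sport=137)
bind_layers(NBNSNodeStatusResponse, NBNSNodeStatusResponseService)
bind_layers(NBNSNodeStatusResponseService, NBNSNodeStatusResponseService)
bind_layers(NBNSNodeStatusResponseService, NBNSNodeStatusResponseEnd)
bind_layers(UDP, NBNSWackResponse, sport=137)
bind_layers(UDP, NBTDatagram, dport=138)
bind_layers(TCP, NBTSession, dport=139)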