initial push of all stuff :)

[oweals/thc-archive.git] / Tools / THCsmbgetOS.c

/*\r
* This is a little smb OS-detection tool which gets workgroup, smbserver and OS\r
* works for all tested samba versions on different platforms \r
* like: macosx,aix,solaris,linux,bsd and all Windows platforms !\r
* below you can see some sample outputs:\r
* \r
* Windows 2003 gives me:\r
* Remote OS:\r
* ----------\r
* WINDOMAIN1\r
* Windows Server 2003 5.2\r
* Windows Server 2003 3790\r
* \r
* Windows NT gives me:\r
* Remote OS:\r
* ----------\r
* WINDOMAIN2\r
* NT LAN Manager 4.0\r
* Windows NT 4.0\r
* \r
* Windows 2k gives me:\r
* Remote OS:\r
* ----------\r
* WINDOMAIN3\r
* Windows 2000 LAN Manager\r
* Windows 5.0\r
* \r
* Windows XP gives me:\r
* Remote OS:\r
* ----------\r
* WINDOMAIN4\r
* Windows 2000 LAN Manager\r
* Windows 5.1\r
* \r
* Samba gives me:\r
* Remote OS:\r
* ----------\r
* SAMBADOMAIN1\r
* Samba 2.0.7\r
* Unix\r
*\r
* COMPILE:\r
*       cl THCsmbgetOS.c\r
*\r
* RUN:\r
*       C:\ccode\THCsmbgetOS>THCsmbgetOS.exe gnpctx01\r
*\r
* -------------------------------------------------------\r
*  THCsmbgetOS v0.1 - gets group, server and os via SMB\r
*      by Johnny Cyberpunk (jcyberpunk@thc.org)\r
* -------------------------------------------------------\r
*\r
* [*] Connecting Port 139....\r
* [*] Sending session request....\r
* [*] Sending negotiation request....\r
* [*] Sending setup account request....\r
* [*] Successful....\r
*\r
* Remote OS:\r
* ----------\r
* MYNTDOMAIN\r
* Windows Server 2003 5.2\r
* Windows Server 2003 3790\r
*\r
* Enjoy,\r
*\r
* http://www.thc.org\r
*/\r
\r
#include <stdio.h>\r
#include <stdlib.h>\r
#include <string.h>\r
#include <winsock2.h>\r
\r
#pragma comment(lib, "ws2_32.lib")\r
\r
char sessionrequest[] =\r
"\x81\x00\x00\x44\x20\x43\x4b\x46\x44\x45\x4e\x45\x43\x46\x44\x45"\r
"\x46\x46\x43\x46\x47\x45\x46\x46\x43\x43\x41\x43\x41\x43\x41\x43"\r
"\x41\x43\x41\x43\x41\x00\x20\x45\x4b\x45\x44\x46\x45\x45\x49\x45"\r
"\x44\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43"\r
"\x41\x43\x41\x43\x41\x41\x41\x00";\r
\r
char negotiate[] =\r
"\x00\x00\x00\x2f\xff\x53\x4d\x42\x72\x00\x00\x00\x00\x00\x00\x00"\r
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x5c\x02"\r
"\x00\x00\x00\x00\x00\x0c\x00\x02\x4e\x54\x20\x4c\x4d\x20\x30\x2e"\r
"\x31\x32\x00";\r
\r
char setupaccount[] =\r
"\x00\x00\x00\x48\xff\x53\x4d\x42\x73\x00\x00\x00\x00\x00\x00\x00"\r
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x5c\x02"\r
"\x00\x00\x00\x00\x0d\xff\x00\x00\x00\xff\xff\x02\x00\x5c\x02\x00"\r
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x0b"\r
"\x00\x00\x00\x4a\x43\00\x41\x54\x54\x48\x43\x00";\r
\r
int main(int argc, char *argv[])\r
{  \r
  unsigned short smbport=139;\r
  unsigned char *infobuf;\r
  unsigned int sock,addr,i;\r
  int rc;\r
  struct sockaddr_in smbtcp;\r
  struct hostent * hp;\r
  WSADATA wsaData;\r
  unsigned int zeroc=0;\r
\r
  printf("\n-------------------------------------------------------\n");\r
  printf(" THCsmbgetOS v0.1 - gets group, server and os via SMB\n");\r
  printf("       by Johnny Cyberpunk (jcyberpunk@thc.org)\n");\r
  printf("-------------------------------------------------------\n");\r
  \r
  if(argc<2)\r
  {\r
   printf("gimme host or ip\n");\r
   exit(-1);\r
  }\r
 \r
  if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0)\r
  {\r
   printf("WSAStartup failed !\n");\r
   exit(-1);\r
  }\r
  \r
  hp = gethostbyname(argv[1]);\r
\r
  if (!hp){\r
   addr = inet_addr(argv[1]);\r
  }\r
  if ((!hp)  && (addr == INADDR_NONE) )\r
  {\r
   printf("Unable to resolve %s\n",argv[1]);\r
   exit(-1);\r
  }\r
\r
  sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);\r
  if (!sock)\r
  { \r
   printf("socket() error...\n");\r
   exit(-1);\r
  }\r
  \r
  if (hp != NULL)\r
   memcpy(&(smbtcp.sin_addr),hp->h_addr,hp->h_length);\r
  else\r
   smbtcp.sin_addr.s_addr = addr;\r
\r
  if (hp)\r
   smbtcp.sin_family = hp->h_addrtype;\r
  else\r
   smbtcp.sin_family = AF_INET;\r
\r
  smbtcp.sin_port=htons(smbport);\r
 \r
  infobuf=malloc(256);\r
  memset(infobuf,0,256);\r
\r
  printf("\n[*] Connecting Port 139....\n");\r
 \r
  rc=connect(sock, (struct sockaddr *) &smbtcp, sizeof (struct sockaddr_in));\r
  if(rc==0)\r
  {\r
    printf("[*] Sending session request....\n");\r
    send(sock,sessionrequest,sizeof(sessionrequest)-1,0);\r
    Sleep(500);\r
    rc=recv(sock,infobuf,256,0);\r
    if(rc<0)\r
    {\r
        printf("error = %d (rc=%u)\n\n",WSAGetLastError(),rc);\r
        return (-1);\r
    }\r
    memset(infobuf,0,256);\r
    printf("[*] Sending negotiation request....\n");\r
    send(sock,negotiate,sizeof(negotiate)-1,0);\r
    Sleep(500);\r
    rc=recv(sock,infobuf,256,0);\r
    if(rc<0)\r
    {\r
     printf("error = %d (rc=%u)\n\n",WSAGetLastError(),rc);\r
     return (-2);\r
    }\r
    memset(infobuf,0,256);\r
    printf("[*] Sending setup account request....\n");\r
    send(sock,setupaccount,sizeof(setupaccount)-1,0);\r
    Sleep(500);\r
    rc=recv(sock,infobuf,256,0);\r
    if(rc<0)\r
    {\r
     printf("error = %d (rc=%u)\n\n",WSAGetLastError(),rc);\r
     return (-3);\r
    }\r
    else if (rc==0)\r
    {\r
     printf("[*] Successful....\n");    \r
     printf("\nRemote OS:\n");\r
     printf("----------");\r
     printf("\nI got back a null buffer ! WINXP sometimes does it\n");\r
    } \r
    else\r
    {\r
     printf("[*] Successful....\n");    \r
     printf("\nRemote OS:\n");\r
     printf("----------");\r
     i=rc;\r
     while ((--i>0)&&(zeroc<4)) \r
     {\r
      if (infobuf[i]==0x00)\r
      {\r
       printf("%s\n",(char *)&(infobuf[i+1]));\r
       zeroc++;\r
      }\r
     }\r
    }\r
    \r
    printf("\n\n");\r
  }\r
  else\r
   printf("can't connect to smb port 139!\n");\r
  \r
  shutdown(sock,1);\r
  closesocket(sock);\r
  free(infobuf);\r
  exit(0);\r
}\r