2 * This is a small SMB OS-detection tool which retrieves the workgroup, SMB server and OS strings
\r
3 * It works for all tested Samba versions on different platforms,
\r
4 * such as Mac OS X, AIX, Solaris, Linux, BSD and all Windows platforms!
\r
5 * below you can see some sample outputs:
\r
7 * Windows 2003 gives me:
\r
11 * Windows Server 2003 5.2
\r
12 * Windows Server 2003 3790
\r
14 * Windows NT gives me:
\r
18 * NT LAN Manager 4.0
\r
21 * Windows 2k gives me:
\r
25 * Windows 2000 LAN Manager
\r
28 * Windows XP gives me:
\r
32 * Windows 2000 LAN Manager
\r
46 * C:\ccode\THCsmbgetOS>THCsmbgetOS.exe gnpctx01
\r
48 * -------------------------------------------------------
\r
49 * THCsmbgetOS v0.1 - gets group, server and os via SMB
\r
50 * by Johnny Cyberpunk (jcyberpunk@thc.org)
\r
51 * -------------------------------------------------------
\r
53 * [*] Connecting Port 139....
\r
54 * [*] Sending session request....
\r
55 * [*] Sending negotiation request....
\r
56 * [*] Sending setup account request....
\r
57 * [*] Successful....
\r
62 * Windows Server 2003 5.2
\r
63 * Windows Server 2003 3790
\r
67 * http://www.thc.org
\r
73 #include <winsock2.h>
\r
75 #pragma comment(lib, "ws2_32.lib")
\r
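/*
 * NetBIOS session request, the first packet sent after the TCP connect
 * to port 139.
 *
 * Layout, as read from the bytes themselves:
 *   - 4-byte session header: type 0x81, flags 0x00, length 0x0044 (68)
 *   - called name:  length byte 0x20, 32 encoded bytes, NUL
 *   - calling name: length byte 0x20, 32 encoded bytes, NUL
 *
 * Each name uses NetBIOS first-level encoding (every byte is split into
 * two nibbles and 'A' is added to each). Decoded, the called name is
 * "*SMBSERVER" padded with spaces, and the calling name is "JCTHC" padded
 * with spaces plus a 0x00 suffix byte. Both are fixed strings, so every
 * session request sent from this template carries the same calling name.
 *
 * The array is const because the visible code only passes it to send().
 * The caller sends sizeof(sessionrequest) - 1 bytes, so the implicit
 * terminating NUL of the string literal never goes on the wire.
 */
const char sessionrequest[] =
    /* session header: type, flags, 16-bit big-endian length */
    "\x81\x00\x00\x44"
    /* called name */
    "\x20"
    "\x43\x4b\x46\x44\x45\x4e\x45\x43\x46\x44\x45\x46\x46\x43\x46\x47"
    "\x45\x46\x46\x43\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41"
    "\x00"
    /* calling name */
    "\x20"
    "\x45\x4b\x45\x44\x46\x45\x45\x49\x45\x44\x43\x41\x43\x41\x43\x41"
    "\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x41\x41"
    "\x00";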
\r
85 "\x00\x00\x00\x2f\xff\x53\x4d\x42\x72\x00\x00\x00\x00\x00\x00\x00"
\r
86 "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x5c\x02"
\r
87 "\x00\x00\x00\x00\x00\x0c\x00\x02\x4e\x54\x20\x4c\x4d\x20\x30\x2e"
\r
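/*
 * SMB "setup account" request, the third packet of the exchange; the
 * caller parses the reply to this packet for the strings it prints.
 *
 * Layout, as read from the bytes (field names follow the SMB1
 * Session Setup AndX layout; verify against the protocol reference):
 *   - 4-byte NetBIOS session message header, length 0x48 (72)
 *   - 32-byte SMB header: 0xFF 'S' 'M' 'B', command 0x73, process id 0x025c
 *   - word count 0x0d followed by 13 parameter words; both password
 *     length words are zero, i.e. no credentials are supplied
 *   - byte count 0x000b followed by 11 data bytes: two NULs, then the
 *     NUL-terminated strings "JC" and "ATTHC"
 *
 * Because no credentials are sent, whatever OS / LAN Manager / domain
 * strings the server puts in its reply are disclosed before any
 * authentication. The embedded "JC" and "ATTHC" strings are fixed and
 * therefore identical in every request sent from this template.
 *
 * The original spelled one NUL as the octal escape "\00"; it is written
 * as "\x00" here so every byte uses the same notation (same value).
 * The array is const because the visible code only passes it to send().
 * The caller sends sizeof(setupaccount) - 1 bytes, so the implicit
 * terminating NUL of the string literal never goes on the wire.
 */
const char setupaccount[] =
    /* NetBIOS session message header */
    "\x00\x00\x00\x48"
    /* SMB header (32 bytes) */
    "\xff\x53\x4d\x42\x73\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x5c\x02\x00\x00\x00\x00"
    /* word count, then 13 parameter words (26 bytes) */
    "\x0d"
    "\xff\x00\x00\x00\xff\xff\x02\x00\x5c\x02\x00\x00\x00\x00\x00\x00"
    "\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00"
    /* byte count, then 11 data bytes */
    "\x0b\x00"
    "\x00\x00\x4a\x43\x00\x41\x54\x54\x48\x43\x00";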
\r
97 int main(int argc, char *argv[])
\r
99 unsigned short smbport=139;
\r
100 unsigned char *infobuf;
\r
101 unsigned int sock,addr,i;
\r
103 struct sockaddr_in smbtcp;
\r
104 struct hostent * hp;
\r
106 unsigned int zeroc=0;
\r
108 printf("\n-------------------------------------------------------\n");
\r
109 printf(" THCsmbgetOS v0.1 - gets group, server and os via SMB\n");
\r
110 printf(" by Johnny Cyberpunk (jcyberpunk@thc.org)\n");
\r
111 printf("-------------------------------------------------------\n");
\r
115 printf("gimme host or ip\n");
\r
119 if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0)
\r
121 printf("WSAStartup failed !\n");
\r
125 hp = gethostbyname(argv[1]);
\r
128 addr = inet_addr(argv[1]);
\r
130 if ((!hp) && (addr == INADDR_NONE) )
\r
132 printf("Unable to resolve %s\n",argv[1]);
\r
136 sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
\r
139 printf("socket() error...\n");
\r
144 memcpy(&(smbtcp.sin_addr),hp->h_addr,hp->h_length);
\r
146 smbtcp.sin_addr.s_addr = addr;
\r
149 smbtcp.sin_family = hp->h_addrtype;
\r
151 smbtcp.sin_family = AF_INET;
\r
153 smbtcp.sin_port=htons(smbport);
\r
155 infobuf=malloc(256);
\r
156 memset(infobuf,0,256);
\r
158 printf("\n[*] Connecting Port 139....\n");
\r
160 rc=connect(sock, (struct sockaddr *) &smbtcp, sizeof (struct sockaddr_in));
\r
163 printf("[*] Sending session request....\n");
\r
164 send(sock,sessionrequest,sizeof(sessionrequest)-1,0);
\r
166 rc=recv(sock,infobuf,256,0);
\r
169 printf("error = %d (rc=%u)\n\n",WSAGetLastError(),rc);
\r
172 memset(infobuf,0,256);
\r
173 printf("[*] Sending negotiation request....\n");
\r
174 send(sock,negotiate,sizeof(negotiate)-1,0);
\r
176 rc=recv(sock,infobuf,256,0);
\r
179 printf("error = %d (rc=%u)\n\n",WSAGetLastError(),rc);
\r
182 memset(infobuf,0,256);
\r
183 printf("[*] Sending setup account request....\n");
\r
184 send(sock,setupaccount,sizeof(setupaccount)-1,0);
\r
186 rc=recv(sock,infobuf,256,0);
\r
189 printf("error = %d (rc=%u)\n\n",WSAGetLastError(),rc);
\r
194 printf("[*] Successful....\n");
\r
195 printf("\nRemote OS:\n");
\r
196 printf("----------");
\r
197 printf("\nI got back a null buffer ! WINXP sometimes does it\n");
\r
201 printf("[*] Successful....\n");
\r
202 printf("\nRemote OS:\n");
\r
203 printf("----------");
\r
205 while ((--i>0)&&(zeroc<4))
\r
207 if (infobuf[i]==0x00)
\r
209 printf("%s\n",(char *)&(infobuf[i+1]));
\r
218 printf("can't connect to smb port 139!\n");
\r