--- /dev/null
+/*\r
+* This is a little smb OS-detection tool which gets workgroup, smbserver and OS\r
+* works for all tested samba versions on different platforms \r
+* like: macosx,aix,solaris,linux,bsd and all Windows platforms !\r
+* below you can see some sample outputs:\r
+* \r
+* Windows 2003 gives me:\r
+* Remote OS:\r
+* ----------\r
+* WINDOMAIN1\r
+* Windows Server 2003 5.2\r
+* Windows Server 2003 3790\r
+* \r
+* Windows NT gives me:\r
+* Remote OS:\r
+* ----------\r
+* WINDOMAIN2\r
+* NT LAN Manager 4.0\r
+* Windows NT 4.0\r
+* \r
+* Windows 2k gives me:\r
+* Remote OS:\r
+* ----------\r
+* WINDOMAIN3\r
+* Windows 2000 LAN Manager\r
+* Windows 5.0\r
+* \r
+* Windows XP gives me:\r
+* Remote OS:\r
+* ----------\r
+* WINDOMAIN4\r
+* Windows 2000 LAN Manager\r
+* Windows 5.1\r
+* \r
+* Samba gives me:\r
+* Remote OS:\r
+* ----------\r
+* SAMBADOMAIN1\r
+* Samba 2.0.7\r
+* Unix\r
+*\r
+* COMPILE:\r
+* cl THCsmbgetOS.c\r
+*\r
+* RUN:\r
+* C:\ccode\THCsmbgetOS>THCsmbgetOS.exe gnpctx01\r
+*\r
+* -------------------------------------------------------\r
+* THCsmbgetOS v0.1 - gets group, server and os via SMB\r
+* by Johnny Cyberpunk (jcyberpunk@thc.org)\r
+* -------------------------------------------------------\r
+*\r
+* [*] Connecting Port 139....\r
+* [*] Sending session request....\r
+* [*] Sending negotiation request....\r
+* [*] Sending setup account request....\r
+* [*] Successful....\r
+*\r
+* Remote OS:\r
+* ----------\r
+* MYNTDOMAIN\r
+* Windows Server 2003 5.2\r
+* Windows Server 2003 3790\r
+*\r
+* Enjoy,\r
+*\r
+* http://www.thc.org\r
+*/\r
+\r
+#include <stdio.h>\r
+#include <stdlib.h>\r
+#include <string.h>\r
+#include <winsock2.h>\r
+\r
+#pragma comment(lib, "ws2_32.lib")\r
+\r
+char sessionrequest[] =\r
+"\x81\x00\x00\x44\x20\x43\x4b\x46\x44\x45\x4e\x45\x43\x46\x44\x45"\r
+"\x46\x46\x43\x46\x47\x45\x46\x46\x43\x43\x41\x43\x41\x43\x41\x43"\r
+"\x41\x43\x41\x43\x41\x00\x20\x45\x4b\x45\x44\x46\x45\x45\x49\x45"\r
+"\x44\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43"\r
+"\x41\x43\x41\x43\x41\x41\x41\x00";\r
+\r
+char negotiate[] =\r
+"\x00\x00\x00\x2f\xff\x53\x4d\x42\x72\x00\x00\x00\x00\x00\x00\x00"\r
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x5c\x02"\r
+"\x00\x00\x00\x00\x00\x0c\x00\x02\x4e\x54\x20\x4c\x4d\x20\x30\x2e"\r
+"\x31\x32\x00";\r
+\r
+char setupaccount[] =\r
+"\x00\x00\x00\x48\xff\x53\x4d\x42\x73\x00\x00\x00\x00\x00\x00\x00"\r
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x5c\x02"\r
+"\x00\x00\x00\x00\x0d\xff\x00\x00\x00\xff\xff\x02\x00\x5c\x02\x00"\r
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x0b"\r
+"\x00\x00\x00\x4a\x43\00\x41\x54\x54\x48\x43\x00";\r
+\r
+int main(int argc, char *argv[])\r
+{ \r
+ unsigned short smbport=139;\r
+ unsigned char *infobuf;\r
+ unsigned int sock,addr,i;\r
+ int rc;\r
+ struct sockaddr_in smbtcp;\r
+ struct hostent * hp;\r
+ WSADATA wsaData;\r
+ unsigned int zeroc=0;\r
+\r
+ printf("\n-------------------------------------------------------\n");\r
+ printf(" THCsmbgetOS v0.1 - gets group, server and os via SMB\n");\r
+ printf(" by Johnny Cyberpunk (jcyberpunk@thc.org)\n");\r
+ printf("-------------------------------------------------------\n");\r
+ \r
+ if(argc<2)\r
+ {\r
+ printf("gimme host or ip\n");\r
+ exit(-1);\r
+ }\r
+ \r
+ if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0)\r
+ {\r
+ printf("WSAStartup failed !\n");\r
+ exit(-1);\r
+ }\r
+ \r
+ hp = gethostbyname(argv[1]);\r
+\r
+ if (!hp){\r
+ addr = inet_addr(argv[1]);\r
+ }\r
+ if ((!hp) && (addr == INADDR_NONE) )\r
+ {\r
+ printf("Unable to resolve %s\n",argv[1]);\r
+ exit(-1);\r
+ }\r
+\r
+ sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);\r
+ if (!sock)\r
+ { \r
+ printf("socket() error...\n");\r
+ exit(-1);\r
+ }\r
+ \r
+ if (hp != NULL)\r
+ memcpy(&(smbtcp.sin_addr),hp->h_addr,hp->h_length);\r
+ else\r
+ smbtcp.sin_addr.s_addr = addr;\r
+\r
+ if (hp)\r
+ smbtcp.sin_family = hp->h_addrtype;\r
+ else\r
+ smbtcp.sin_family = AF_INET;\r
+\r
+ smbtcp.sin_port=htons(smbport);\r
+ \r
+ infobuf=malloc(256);\r
+ memset(infobuf,0,256);\r
+\r
+ printf("\n[*] Connecting Port 139....\n");\r
+ \r
+ rc=connect(sock, (struct sockaddr *) &smbtcp, sizeof (struct sockaddr_in));\r
+ if(rc==0)\r
+ {\r
+ printf("[*] Sending session request....\n");\r
+ send(sock,sessionrequest,sizeof(sessionrequest)-1,0);\r
+ Sleep(500);\r
+ rc=recv(sock,infobuf,256,0);\r
+ if(rc<0)\r
+ {\r
+ printf("error = %d (rc=%u)\n\n",WSAGetLastError(),rc);\r
+ return (-1);\r
+ }\r
+ memset(infobuf,0,256);\r
+ printf("[*] Sending negotiation request....\n");\r
+ send(sock,negotiate,sizeof(negotiate)-1,0);\r
+ Sleep(500);\r
+ rc=recv(sock,infobuf,256,0);\r
+ if(rc<0)\r
+ {\r
+ printf("error = %d (rc=%u)\n\n",WSAGetLastError(),rc);\r
+ return (-2);\r
+ }\r
+ memset(infobuf,0,256);\r
+ printf("[*] Sending setup account request....\n");\r
+ send(sock,setupaccount,sizeof(setupaccount)-1,0);\r
+ Sleep(500);\r
+ rc=recv(sock,infobuf,256,0);\r
+ if(rc<0)\r
+ {\r
+ printf("error = %d (rc=%u)\n\n",WSAGetLastError(),rc);\r
+ return (-3);\r
+ }\r
+ else if (rc==0)\r
+ {\r
+ printf("[*] Successful....\n"); \r
+ printf("\nRemote OS:\n");\r
+ printf("----------");\r
+ printf("\nI got back a null buffer ! WINXP sometimes does it\n");\r
+ } \r
+ else\r
+ {\r
+ printf("[*] Successful....\n"); \r
+ printf("\nRemote OS:\n");\r
+ printf("----------");\r
+ i=rc;\r
+ while ((--i>0)&&(zeroc<4)) \r
+ {\r
+ if (infobuf[i]==0x00)\r
+ {\r
+ printf("%s\n",(char *)&(infobuf[i+1]));\r
+ zeroc++;\r
+ }\r
+ }\r
+ }\r
+ \r
+ printf("\n\n");\r
+ }\r
+ else\r
+ printf("can't connect to smb port 139!\n");\r
+ \r
+ shutdown(sock,1);\r
+ closesocket(sock);\r
+ free(infobuf);\r
+ exit(0);\r
+}\r
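Review bot: The response parser at the end of main prints with `%s` from a buffer that is not guaranteed to be NUL-terminated: `rc=recv(sock,infobuf,256,0)` can fill all 256 bytes, the preceding memset then leaves no terminator, and when the last received byte happens to be zero the loop prints from `infobuf[256]`, one past the malloc(256) allocation, so the remote server decides how far printf reads off the heap. Receiving one byte less, `rc=recv(sock,infobuf,255,0);` on the third receive (and on the two earlier ones for consistency), keeps `infobuf[255]` zero and bounds both the backwards scan and every `%s`. Separately, `if (!sock)` never fires because Winsock's socket() returns INVALID_SOCKET rather than 0 on failure; declare `SOCKET sock;` and test `if (sock == INVALID_SOCKET)`. The send() results and a zero return from the first two recv() calls are also unchecked, so a peer that closes after the session request is still sent the negotiate and setup packets and the stale buffer is parsed as a reply.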