smb

package
v0.0.59 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Aug 1, 2025 License: Apache-2.0 Imports: 28 Imported by: 0

Documentation

Overview

Package smb provides SMB penetration testing functionality including secdump operations This file contains utility functions adapted from github.com/jfjallid/go-secdump

Original copyright notice: MIT License Copyright (c) 2023 Jonas Fjällid

Index

Constants

View Source 
const (
	RegNone                     = 0
	RegSZ                       = 1
	RegExpandSZ                 = 2
	RegBinary                   = 3
	RegDword                    = 4
	RegDwordLittleEndian        = 4
	RegDwordBigEndian           = 5
	RegLink                     = 6
	RegMultiSZ                  = 7
	RegResourceList             = 8
	RegFullResourceDescriptor   = 9
	RegResourceRequirementsList = 10
	RegQword                    = 11
	RegQwordLittleEndian        = 11
)

Registry data type constants

View Source 
const (
	WinUnknown      byte = 0x00
	WinXP           byte = 0x05
	WinVista        byte = 0x06
	Win7            byte = 0x07
	Win8            byte = 0x08
	Win81           byte = 0x09
	Win10           byte = 0x0A
	Win11           byte = 0x0B
	WinServer2003   byte = 0x10
	WinServer2008   byte = 0x11
	WinServer2008R2 byte = 0x12
	WinServer2012   byte = 0x13
	WinServer2012R2 byte = 0x14
	WinServer2016   byte = 0x15
	WinServer2019   byte = 0x16
	WinServer2022   byte = 0x17
)

Windows OS version constants (byte values for crypto operations)

Variables

View Source 
var (
	S1         = []byte("!@#$%^&*()qwertyUIOPAzxcvbnmQQQQQQQQQQQQ)(*@&%\x00")
	S2         = []byte("0123456789012345678901234567890123456789\x00")
	S3         = []byte("NTPASSWORD\x00")
	BootKey    []byte
	LSAKey     []byte
	NLKMKey    []byte
	VistaStyle bool
)

Global variables for cryptographic operations

View Source 
var WindowsBuildMapping = map[string]string{

	"20348": "Windows Server 2022",
	"19041": "Windows Server 2022 (Insider)",
	"17763": "Windows Server 2019",
	"14393": "Windows Server 2016",
	"10586": "Windows Server 2016 (Technical Preview)",
	"9600":  "Windows Server 2012 R2",
	"9200":  "Windows Server 2012",
	"7601":  "Windows Server 2008 R2 SP1 / Windows 7 SP1",
	"6002":  "Windows Server 2008 SP2 / Windows Vista SP2",
	"6001":  "Windows Server 2008 SP1 / Windows Vista SP1",
	"6000":  "Windows Server 2008 / Windows Vista",

	"22631": "Windows 11 23H2",
	"22621": "Windows 11 22H2",
	"22000": "Windows 11 21H2",

	"19045": "Windows 10 22H2",
	"19044": "Windows 10 21H2",
	"19043": "Windows 10 21H1",
	"19042": "Windows 10 20H2",
	"18363": "Windows 10 1909",
	"18362": "Windows 10 1903",
	"17134": "Windows 10 1803",
	"16299": "Windows 10 1709",
	"15063": "Windows 10 1703",
	"10240": "Windows 10 RTM",

	"9431": "Windows 8.1 Update 1",

	"7600": "Windows 7 RTM",
}

WindowsBuildMapping maps Windows build numbers to human-readable versions

Functions

func BackupRegistryKey added in v0.0.51 

func BackupRegistryKey(rc *RegistryConnection, key *RegistryKey) ([]byte, error)

BackupRegistryKey creates a backup of a registry key and its subkeys

func BytesToHex added in v0.0.51 

func BytesToHex(data []byte) string

BytesToHex converts bytes to hex string

func BytesToUint32LE added in v0.0.51 

func BytesToUint32LE(data []byte) uint32

BytesToUint32LE converts little-endian bytes to uint32

func BytesToUint64LE added in v0.0.51 

func BytesToUint64LE(data []byte) uint64

BytesToUint64LE converts little-endian bytes to uint64

func CalcMachineAESKeys added in v0.0.51 

func CalcMachineAESKeys(hostname, domain string, hexPass []byte) ([]byte, []byte, error)

CalcMachineAESKeys calculates AES keys for machine account (go-secdump compatible)

func CalculateNTHash added in v0.0.51 

func CalculateNTHash(password string) string

CalculateNTHash calculates NT hash from password

func CheckRegistryKeyAccess added in v0.0.51 

func CheckRegistryKeyAccess(rc *RegistryConnection, key *RegistryKey, accessMask uint32) (bool, error)

CheckRegistryKeyAccess checks if we have specific access to a registry key

func CleanupString added in v0.0.51 

func CleanupString(s string) string

CleanupString removes null bytes and trims whitespace

func CompareBytes added in v0.0.51 

func CompareBytes(a, b []byte) bool

CompareBytes compares two byte slices

func DecryptAES added in v0.0.51 

func DecryptAES(key, ciphertext, iv []byte) ([]byte, error)

DecryptAES decrypts data using AES with CBC mode (go-secdump compatible)

func DecryptAESHash added in v0.0.51 

func DecryptAESHash(data, iv, syskey []byte, rid uint32) ([]byte, error)

DecryptAESHash decrypts AES-encrypted NT hash using go-secdump's exact implementation

func DecryptAESSysKey added in v0.0.51 

func DecryptAESSysKey(bootKey, encSysKey, sysKeyIV []byte) ([]byte, error)

DecryptAESSysKey decrypts system key using AES

func DecryptDES added in v0.0.51 

func DecryptDES(key, ciphertext []byte) ([]byte, error)

DecryptDES decrypts data using DES

func DecryptRC4 added in v0.0.51 

func DecryptRC4(key, ciphertext []byte) ([]byte, error)

DecryptRC4 decrypts data using RC4

func DecryptRC4Hash added in v0.0.51 

func DecryptRC4Hash(data, syskey []byte, rid uint32) ([]byte, error)

DecryptRC4Hash decrypts RC4-encrypted NT hash using go-secdump's exact implementation

func DecryptRC4SysKey added in v0.0.51 

func DecryptRC4SysKey(bootKey, encSysKey, sysKeyIV []byte) ([]byte, error)

DecryptRC4SysKey decrypts system key using RC4

func DumpLSASecrets added in v0.0.51 

func DumpLSASecrets(ctx context.Context, rpccon *msrrp.RPCCon, hKey []byte, modifyDacl bool) ([]*smbfern.LsaSecret, []string, error)

DumpLSASecrets performs LSA secrets dumping from registry

func DumpSAM added in v0.0.51 

func DumpSAM(ctx context.Context, rpccon *msrrp.RPCCon, hKey []byte, modifyDacl bool) ([]*smbfern.SamSecret, []string, error)

DumpSAM performs SAM dumping from registry

func EncryptAES added in v0.0.51 

func EncryptAES(key, plaintext, iv []byte) ([]byte, error)

EncryptAES encrypts data using AES with CBC mode

func EncryptDES added in v0.0.51 

func EncryptDES(key, plaintext []byte) ([]byte, error)

EncryptDES encrypts data using DES

func EncryptRC4 added in v0.0.51 

func EncryptRC4(key, plaintext []byte) ([]byte, error)

EncryptRC4 encrypts data using RC4

func ExtractStringFromRegistryData added in v0.0.51 

func ExtractStringFromRegistryData(data []byte, dataType uint32) (string, error)

ExtractStringFromRegistryData extracts a string from registry data based on type

func ExtractUserRID added in v0.0.51 

func ExtractUserRID(keyName string) (uint32, error)

ExtractUserRID extracts RID from registry key name

func GetBootKey added in v0.0.51 

func GetBootKey(rpccon *msrrp.RPCCon, base []byte) ([]byte, error)

GetBootKey extracts the system boot key from registry

func GetCachedHashes added in v0.0.51 

func GetCachedHashes(rpccon *msrrp.RPCCon, base []byte, modifyDacl bool) (result []string, err error)

func GetHostnameAndDomain added in v0.0.51 

func GetHostnameAndDomain(rpccon *msrrp.RPCCon, base []byte) (hostname, domain string, err error)

func GetLSASecretKey added in v0.0.51 

func GetLSASecretKey(rpccon *msrrp.RPCCon, base []byte, modifyDacl bool) (result []byte, err error)

func GetNetBIOSDomain added in v0.0.51 

func GetNetBIOSDomain(rpccon *msrrp.RPCCon, base []byte) (string, error)

GetNetBIOSDomain retrieves the NetBIOS domain name from registry

func GetOSVersion added in v0.0.51 

func GetOSVersion(currentBuild int, currentVersion float64, server bool) byte

GetOSVersion determines Windows OS version byte constant from build and version info

func GetOSVersionBuild added in v0.0.51 

func GetOSVersionBuild(rpccon *msrrp.RPCCon, base []byte) (build int, version float64, server bool, err error)

GetOSVersionBuild determines Windows OS version and build

func GetRegistryHiveHandle added in v0.0.51 

func GetRegistryHiveHandle(hive string) (interface{}, error)

GetRegistryHiveHandle gets a handle to a registry hive

func GetRegistryKeySecurityDescriptor added in v0.0.51 

func GetRegistryKeySecurityDescriptor(rc *RegistryConnection, key *RegistryKey) ([]byte, error)

GetRegistryKeySecurityDescriptor retrieves security information for a registry key

func GetSysKey added in v0.0.51 

func GetSysKey(rpccon *msrrp.RPCCon, base []byte, modifyDacl bool) ([]byte, error)

GetSysKey extracts the system key from SAM registry

func HexToBytes added in v0.0.51 

func HexToBytes(hexStr string) ([]byte, error)

HexToBytes converts hex string to bytes

func IsPrintableString added in v0.0.51 

func IsPrintableString(data []byte) bool

IsPrintableString checks if a byte array represents a printable string

func IsValidNTHash added in v0.0.51 

func IsValidNTHash(hash string) bool

IsValidNTHash checks if a hash looks like a valid NT hash

func IsValidRegistryKeyName added in v0.0.51 

func IsValidRegistryKeyName(name string) bool

IsValidRegistryKeyName checks if a string is a valid registry key name

func IsValidRegistryValueName added in v0.0.51 

func IsValidRegistryValueName(name string) bool

IsValidRegistryValueName checks if a string is a valid registry value name

func IsWin10After1607 added in v0.0.51 

func IsWin10After1607(build int, version float64) (bool, error)

IsWin10After1607 checks if Windows version is Windows 10 Anniversary Update or later

func MD5Hash added in v0.0.51 

func MD5Hash(data []byte) []byte

MD5Hash calculates MD5 hash

func MapProtocolVersionToEnum added in v0.0.51 

func MapProtocolVersionToEnum(version string) (commonprotocolfern.SmbVersion, bool)

MapProtocolVersionToEnum maps protocol version strings to Fern enum values This function is shared between enumerate and pentest modules

func NormalizeRegistryPath added in v0.0.51 

func NormalizeRegistryPath(path string) string

NormalizeRegistryPath normalizes a registry key path

func PBKDF2Derive added in v0.0.51 

func PBKDF2Derive(password, salt []byte, iterations, keyLength int, hashFunc func() hash.Hash) []byte

PBKDF2Derive derives a key using PBKDF2

func PadPKCS7 added in v0.0.51 

func PadPKCS7(data []byte, blockSize int) []byte

PadPKCS7 adds PKCS#7 padding to data

func ParseRegistryValue added in v0.0.51 

func ParseRegistryValue(data []byte) ([]byte, error)

ParseRegistryValue parses a registry value from raw bytes

func ROL added in v0.0.51 

func ROL(value uint32, shift uint) uint32

ROL performs rotate left operation

func ROR added in v0.0.51 

func ROR(value uint32, shift uint) uint32

ROR performs rotate right operation

func RestoreRegistryKey added in v0.0.51 

func RestoreRegistryKey(rc *RegistryConnection, keyPath string, backupData []byte) error

RestoreRegistryKey restores a registry key from backup data

func SHA1Hash added in v0.0.51 

func SHA1Hash(data []byte) []byte

SHA1Hash calculates SHA-1 hash

func SHA256 added in v0.0.51 

func SHA256(key, value []byte, rounds int) []byte

SHA256 performs SHA-256 hash with multiple rounds

func SHA256Hash added in v0.0.51 

func SHA256Hash(data []byte) []byte

SHA256Hash calculates SHA-256 hash

func SplitRegistryPath added in v0.0.51 

func SplitRegistryPath(path string) (hive, key string)

SplitRegistryPath splits a registry path into hive and key components

func StringToUTF16LE added in v0.0.51 

func StringToUTF16LE(s string) []byte

StringToUTF16LE converts string to UTF-16LE bytes

func StringToUTF16LEBytes added in v0.0.51 

func StringToUTF16LEBytes(s string) []byte

StringToUTF16LEBytes converts string to UTF-16LE bytes

func UTF16LEBytesToString added in v0.0.51 

func UTF16LEBytesToString(data []byte) (string, error)

UTF16LEBytesToString converts UTF-16LE bytes to string

func Uint32LEToBytes added in v0.0.51 

func Uint32LEToBytes(value uint32) []byte

Uint32LEToBytes converts uint32 to little-endian bytes

func Uint64LEToBytes added in v0.0.51 

func Uint64LEToBytes(value uint64) []byte

Uint64LEToBytes converts uint64 to little-endian bytes

func UnpadPKCS7 added in v0.0.51 

func UnpadPKCS7(data []byte) ([]byte, error)

UnpadPKCS7 removes PKCS#7 padding from data

func XORBytes added in v0.0.51 

func XORBytes(a, b []byte) []byte

XORBytes performs XOR operation on two byte slices

Types

type CachedCredential added in v0.0.51 

type CachedCredential struct {
	Domain    string
	Username  string
	Hash      string
	LastLogin string
}

CachedCredential represents a cached domain credential (DCC2)

func GetCachedCredentials added in v0.0.51 

func GetCachedCredentials(ctx context.Context, rpccon *msrrp.RPCCon, base []byte, modifyDacl bool) ([]CachedCredential, error)

GetCachedCredentials extracts cached domain credentials (DCC2) from the SECURITY\Cache registry

type Client 

type Client struct {
	Host           string
	Port           int
	Username       string
	Password       string
	Domain         string
	UseAnonymous   bool
	UseNullSession bool
	Timeout        time.Duration
	// contains filtered or unexported fields
}

Client represents a unified SMB client that provides base functionality for both enumeration and pentest operations

func NewClient 

func NewClient(host string, port int) *Client

NewClient creates a new SMB client with the given configuration

func (*Client) Close 

func (c *Client) Close() error

Close closes the SMB connection

func (*Client) Connect 

func (c *Client) Connect() error

Connect establishes connection to SMB server and performs authentication

func (*Client) ConnectWithContext 

func (c *Client) ConnectWithContext(ctx context.Context) error

ConnectWithContext establishes connection to SMB server and performs authentication with context

func (*Client) EnumerateShares 

func (c *Client) EnumerateShares() ([]*ShareInfo, error)

EnumerateShares lists available shares using TreeConnect testing

func (*Client) EnumerateSharesWithContext 

func (c *Client) EnumerateSharesWithContext(ctx context.Context) ([]*ShareInfo, error)

EnumerateSharesWithContext lists available shares using TreeConnect testing with context

func (*Client) ExtractServerInfoFromChallenge added in v0.0.51 

func (c *Client) ExtractServerInfoFromChallenge(ctx context.Context) (*ServerInfo, error)

ExtractServerInfoFromChallenge attempts to extract server information from NTLM challenge This works even when authentication fails, as the challenge contains server metadata

func (*Client) GetDomainFromServerInfo added in v0.0.51 

func (c *Client) GetDomainFromServerInfo(ctx context.Context) string

GetDomainFromServerInfo extracts domain information from server info for authentication

func (*Client) GetSMBSession added in v0.0.51 

func (c *Client) GetSMBSession() (*gosmb.Connection, error)

GetSMBSession returns the underlying go-smb connection for DCE/RPC operations

func (*Client) GetServerInfo 

func (c *Client) GetServerInfo() *ServerInfo

GetServerInfo returns extracted server information

func (*Client) IsAuthenticated 

func (c *Client) IsAuthenticated() bool

IsAuthenticated returns true if client is authenticated to SMB server

func (*Client) IsConnected 

func (c *Client) IsConnected() bool

IsConnected returns true if client is connected to SMB server

func (*Client) SetAnonymous 

func (c *Client) SetAnonymous()

SetAnonymous configures client for anonymous authentication

func (*Client) SetCredentials 

func (c *Client) SetCredentials(username, password, domain string)

SetCredentials sets username and password for authentication

func (*Client) SetNullSession 

func (c *Client) SetNullSession()

SetNullSession configures client for null session authentication

func (*Client) TestCredentials 

func (c *Client) TestCredentials(username, password, domain string) (bool, string, error)

TestCredentials tests if the provided credentials are valid

type ConnectionResult added in v0.0.51 

type ConnectionResult struct {
	Client     *Client
	ServerInfo *ServerInfo
	Success    bool
	Error      error
}

ConnectionResult holds the result of a connection test

func TestConnectionMethod added in v0.0.51 

func TestConnectionMethod(ctx context.Context, host string, port int, setupFunc func(*Client), methodName, target string) *ConnectionResult

TestConnectionMethod tests a specific SMB connection method and extracts server info This helper reduces duplication in connection testing patterns

type LSASecret added in v0.0.51 

type LSASecret struct {
	Name        string
	Secret      string
	Description string
}

LSASecret represents an LSA secret extracted from the registry

func ExtractLSASecrets added in v0.0.51 

func ExtractLSASecrets(session *gosmb.Connection) ([]LSASecret, error)

ExtractLSASecrets extracts LSA secrets from the SECURITY registry hive

type PrintableLSASecret added in v0.0.51 

type PrintableLSASecret struct {
	// contains filtered or unexported fields
}

func GetLSASecrets added in v0.0.51 

func GetLSASecrets(rpccon *msrrp.RPCCon, base []byte, history, modifyDacl bool) (secrets []PrintableLSASecret, err error)

GetLSASecrets extracts LSA secrets from the Windows registry. Code inspired/partially stolen from Impacket's Secretsdump

type RegistryConnection added in v0.0.51 

type RegistryConnection struct {
	Session *gosmb.Connection
	Handle  interface{} // DCE/RPC handle for registry operations
}

RegistryConnection represents a connection to remote registry service

func ConnectToRegistry added in v0.0.51 

func ConnectToRegistry(session *gosmb.Connection) (*RegistryConnection, error)

ConnectToRegistry establishes a connection to the remote registry service

func (*RegistryConnection) CloseRegistryKey added in v0.0.51 

func (rc *RegistryConnection) CloseRegistryKey(key *RegistryKey) error

CloseRegistryKey closes an open registry key

func (*RegistryConnection) Disconnect added in v0.0.51 

func (rc *RegistryConnection) Disconnect() error

Disconnect closes the registry connection

func (*RegistryConnection) EnumerateSubKeys added in v0.0.51 

func (rc *RegistryConnection) EnumerateSubKeys(key *RegistryKey) ([]string, error)

EnumerateSubKeys lists all subkeys under the given registry key

func (*RegistryConnection) EnumerateValues added in v0.0.51 

func (rc *RegistryConnection) EnumerateValues(key *RegistryKey) ([]RegistryValue, error)

EnumerateValues lists all values under the given registry key

func (*RegistryConnection) OpenRegistryKey added in v0.0.51 

func (rc *RegistryConnection) OpenRegistryKey(keyPath string) (*RegistryKey, error)

OpenRegistryKey opens a registry key for reading

func (*RegistryConnection) ReadRegistryValue added in v0.0.51 

func (rc *RegistryConnection) ReadRegistryValue(key *RegistryKey, valueName string) (*RegistryValue, error)

ReadRegistryValue reads a value from an open registry key

type RegistryKey added in v0.0.51 

type RegistryKey struct {
	Name     string
	SubKeys  []string
	Values   []RegistryValue
	Class    string
	Modified int64
}

RegistryKey represents a registry key with subkeys and values

type RegistryValue added in v0.0.51 

type RegistryValue struct {
	Name string
	Type uint32
	Data []byte
}

RegistryValue represents a registry value with type and data

type SAMAccount added in v0.0.51 

type SAMAccount struct {
	Username string
	RID      uint32
	NTHash   string
	LMHash   string
}

SAMAccount represents a local user account extracted from SAM

type ServerInfo 

type ServerInfo struct {
	ServerName        string
	Domain            string
	NetBIOSDomainName string
	OSVersion         string
	RawOSVersion      string
	ServerType        string
	Capabilities      []string
	SigningRequired   bool
	SupportedVersions []string
}

ServerInfo contains basic server information extracted from SMB connection

type ShareInfo 

type ShareInfo struct {
	Name            string
	Type            string
	Accessible      bool
	Access          string
	AnonymousAccess bool
	GuestAccess     bool
	Hidden          bool
	Comment         string
}

ShareInfo represents SMB share information

type UserCreds added in v0.0.51 

type UserCreds struct {
	Username string
	RID      uint32
	Data     []byte
	IV       []byte
	AES      bool
}

UserCreds represents user credential data from SAM

func GetNTHash added in v0.0.51 

func GetNTHash(rpccon *msrrp.RPCCon, base []byte, rids []string, modifyDacl bool) ([]UserCreds, error)

GetNTHash extracts NT hashes from SAM registry

type WindowsOSInfo added in v0.0.51 

type WindowsOSInfo struct {
	MajorVersion uint32
	MinorVersion uint32
	BuildNumber  uint32
	ProductName  string
}

WindowsOSInfo represents Windows OS version information

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.