smb

package
v0.9.0 Latest Latest
Published: Apr 9, 2026 License: BSD-3-Clause, GPL-3.0 Imports: 21 Imported by: 0

Documentation


Constants

// Header signatures that identify the SMB dialect family. Both are four
// bytes: a marker byte followed by the ASCII letters "SMB". They are the
// only evidence Decoder.CanDecode uses to claim a TCP conversation, so a
// buffer that merely contains either sequence is treated as SMB.
const (
	// SMB1Signature opens every SMB1 (CIFS) header: 0xFF then "SMB".
	SMB1Signature = "\xFFSMB"
	// SMB2Signature opens every SMB2/SMB3 header: 0xFE then "SMB".
	SMB2Signature = "\xFESMB"
)

SMB protocol header signatures

// SMB1 (CIFS) command codes, as carried in the one-byte Command field of
// the SMB1 header. The table is kept explicit rather than iota-based on
// purpose: the numbering has gaps (reserved or never-assigned opcodes), and
// an accidental insertion must not silently shift every later value. The
// _ANDX names are the chained ("AndX") forms that can carry a follow-on
// command in the same message. SMB1 is a legacy dialect; a decoder seeing
// SMB1_COM_NEGOTIATE on a monitored network is observing something most
// current deployments have disabled, which is worth surfacing as a finding
// rather than just parsing.
const (
	SMB1_COM_CREATE_DIRECTORY       = 0x00
	SMB1_COM_DELETE_DIRECTORY       = 0x01
	SMB1_COM_OPEN                   = 0x02
	SMB1_COM_CREATE                 = 0x03
	SMB1_COM_CLOSE                  = 0x04
	SMB1_COM_FLUSH                  = 0x05
	SMB1_COM_DELETE                 = 0x06
	SMB1_COM_RENAME                 = 0x07
	SMB1_COM_QUERY_INFORMATION      = 0x08
	SMB1_COM_SET_INFORMATION        = 0x09
	SMB1_COM_READ                   = 0x0A
	SMB1_COM_WRITE                  = 0x0B
	SMB1_COM_LOCK_BYTE_RANGE        = 0x0C
	SMB1_COM_UNLOCK_BYTE_RANGE      = 0x0D
	SMB1_COM_CREATE_TEMPORARY       = 0x0E
	SMB1_COM_CREATE_NEW             = 0x0F
	SMB1_COM_CHECK_DIRECTORY        = 0x10
	SMB1_COM_PROCESS_EXIT           = 0x11
	SMB1_COM_SEEK                   = 0x12
	SMB1_COM_LOCK_AND_READ          = 0x13
	SMB1_COM_WRITE_AND_UNLOCK       = 0x14
	SMB1_COM_READ_RAW               = 0x1A
	SMB1_COM_READ_MPX               = 0x1B
	SMB1_COM_READ_MPX_SECONDARY     = 0x1C
	SMB1_COM_WRITE_RAW              = 0x1D
	SMB1_COM_WRITE_MPX              = 0x1E
	SMB1_COM_WRITE_MPX_SECONDARY    = 0x1F
	SMB1_COM_WRITE_COMPLETE         = 0x20
	SMB1_COM_QUERY_SERVER           = 0x21
	SMB1_COM_SET_INFORMATION2       = 0x22
	SMB1_COM_QUERY_INFORMATION2     = 0x23
	SMB1_COM_LOCKING_ANDX           = 0x24
	SMB1_COM_TRANSACTION            = 0x25
	SMB1_COM_TRANSACTION_SECONDARY  = 0x26
	SMB1_COM_IOCTL                  = 0x27
	SMB1_COM_IOCTL_SECONDARY        = 0x28
	SMB1_COM_COPY                   = 0x29
	SMB1_COM_MOVE                   = 0x2A
	SMB1_COM_ECHO                   = 0x2B
	SMB1_COM_WRITE_AND_CLOSE        = 0x2C
	SMB1_COM_OPEN_ANDX              = 0x2D
	SMB1_COM_READ_ANDX              = 0x2E
	SMB1_COM_WRITE_ANDX             = 0x2F
	SMB1_COM_NEW_FILE_SIZE          = 0x30
	SMB1_COM_CLOSE_AND_TREE_DISC    = 0x31
	SMB1_COM_TRANSACTION2           = 0x32
	SMB1_COM_TRANSACTION2_SECONDARY = 0x33
	SMB1_COM_FIND_CLOSE2            = 0x34
	SMB1_COM_FIND_NOTIFY_CLOSE      = 0x35
	SMB1_COM_TREE_CONNECT           = 0x70
	SMB1_COM_TREE_DISCONNECT        = 0x71
	SMB1_COM_NEGOTIATE              = 0x72
	SMB1_COM_SESSION_SETUP_ANDX     = 0x73
	SMB1_COM_LOGOFF_ANDX            = 0x74
	SMB1_COM_TREE_CONNECT_ANDX      = 0x75
	SMB1_COM_SECURITY_PACKAGE_ANDX  = 0x7E
	SMB1_COM_QUERY_INFORMATION_DISK = 0x80
	SMB1_COM_SEARCH                 = 0x81
	SMB1_COM_FIND                   = 0x82
	SMB1_COM_FIND_UNIQUE            = 0x83
	SMB1_COM_FIND_CLOSE             = 0x84
	SMB1_COM_NT_TRANSACT            = 0xA0
	SMB1_COM_NT_TRANSACT_SECONDARY  = 0xA1
	SMB1_COM_NT_CREATE_ANDX         = 0xA2
	SMB1_COM_NT_CANCEL              = 0xA4
	SMB1_COM_NT_RENAME              = 0xA5
	SMB1_COM_OPEN_PRINT_FILE        = 0xC0
	SMB1_COM_WRITE_PRINT_FILE       = 0xC1
	SMB1_COM_CLOSE_PRINT_FILE       = 0xC2
	SMB1_COM_GET_PRINT_QUEUE        = 0xC3
	SMB1_COM_READ_BULK              = 0xD8
	SMB1_COM_WRITE_BULK             = 0xD9
	SMB1_COM_WRITE_BULK_DATA        = 0xDA
)

SMB1 command codes

// SMB2/SMB3 command codes, as carried in the 16-bit Command field of the
// SMB2 header. The values are contiguous from 0x0000 to 0x0012; they are
// still written out explicitly so the table reads directly against the
// wire and cannot be shifted by an edit in the middle. SMB2_CREATE and
// SMB2_CLOSE bracket the lifetime of the handles that SMBFileTracker
// records and removes.
const (
	SMB2_NEGOTIATE       = 0x0000
	SMB2_SESSION_SETUP   = 0x0001
	SMB2_LOGOFF          = 0x0002
	SMB2_TREE_CONNECT    = 0x0003
	SMB2_TREE_DISCONNECT = 0x0004
	SMB2_CREATE          = 0x0005
	SMB2_CLOSE           = 0x0006
	SMB2_FLUSH           = 0x0007
	SMB2_READ            = 0x0008
	SMB2_WRITE           = 0x0009
	SMB2_LOCK            = 0x000A
	SMB2_IOCTL           = 0x000B
	SMB2_CANCEL          = 0x000C
	SMB2_ECHO            = 0x000D
	SMB2_QUERY_DIRECTORY = 0x000E
	SMB2_CHANGE_NOTIFY   = 0x000F
	SMB2_QUERY_INFO      = 0x0010
	SMB2_SET_INFO        = 0x0011
	SMB2_OPLOCK_BREAK    = 0x0012
)

SMB2 command codes

// Bits of the 32-bit Flags field of the SMB2 header, written as shifts so
// the bit position of each flag is visible. SMB2_FLAGS_SIGNED is the one a
// defender cares about most: when it is clear on a session that should be
// signed, the header Signature field carries nothing worth verifying.
const (
	SMB2_FLAGS_SERVER_TO_REDIR    = 1 << 0   // Response flag: message travels server -> client
	SMB2_FLAGS_ASYNC_COMMAND      = 1 << 1   // header uses the async (AsyncId) form
	SMB2_FLAGS_RELATED_OPERATIONS = 1 << 2   // compounded request related to the previous one
	SMB2_FLAGS_SIGNED             = 1 << 3   // Signature field is populated
	SMB2_FLAGS_PRIORITY_MASK      = 0x7 << 4 // three-bit priority value, bits 4-6
	SMB2_FLAGS_DFS_OPERATIONS     = 1 << 28  // path should be resolved through DFS
	SMB2_FLAGS_REPLAY_OPERATION   = 1 << 29  // replayed request (SMB3 channel recovery)
)

SMB2 flags

// AvId values for the NTLM AV_PAIR entries that make up the TargetInfo
// block of a CHALLENGE_MESSAGE (and that the client echoes back inside the
// NTLMv2 response). MsvAvEOL terminates the list. MsvAvTimestamp,
// MsvAvTargetName and MsvAvChannelBindings are the entries that bind a
// response to a specific server, service and TLS channel; whether they are
// present in captured authentications is what matters when assessing
// NTLM relay exposure, so a decoder should surface them rather than skip
// over unknown-looking pairs.
const (
	MsvAvEOL             = 0x0000
	MsvAvNbComputerName  = 0x0001
	MsvAvNbDomainName    = 0x0002
	MsvAvDnsComputerName = 0x0003
	MsvAvDnsDomainName   = 0x0004
	MsvAvDnsTreeName     = 0x0005
	MsvAvFlags           = 0x0006
	MsvAvTimestamp       = 0x0007
	MsvAvSingleHost      = 0x0008
	MsvAvTargetName      = 0x0009
	MsvAvChannelBindings = 0x000A
)

NTLMTargetInfo attribute types (AV_PAIR)

Variables

// Decoder registers the SMB stream decoder for TCP conversations.
//
// PostInit creates the package logger and starts the background handle
// cleanup; DeInit flushes that logger. CanDecode is a deliberately loose
// heuristic: it claims the conversation as soon as either direction's
// buffer contains the SMB1 or SMB2 header signature anywhere in it.
// NOTE(review): because the match is bytes.Contains rather than a check at
// the header offset, any other protocol whose payload happens to carry
// "\xFFSMB" or "\xFESMB" (for example a file transfer of an SMB capture)
// will also be routed to this decoder; callers should treat a positive
// CanDecode as a hint, not as proof that the stream is SMB.
var Decoder = &decoder.StreamDecoder{
	Type:        types.Type_NC_SMB,
	Name:        "SMB",
	Description: "Server Message Block protocol - Windows file sharing",
	PostInit: func(sd *decoder.StreamDecoder) error {
		var err error
		// The package-level logger is assigned before the error check so
		// that smbLog holds whatever InitZapLogger returned, even on failure.
		if smbLog, _, err = logging.InitZapLogger(
			decoderconfig.Instance.Out,
			"smb",
			decoderconfig.Instance.Debug,
		); err != nil {
			return err
		}
		startSMBCleanup()
		return nil
	},
	CanDecode: func(client, server []byte) bool {
		signatures := []string{SMB1Signature, SMB2Signature}
		// Server-side bytes are examined first, then client-side bytes.
		for _, buf := range [][]byte{server, client} {
			for _, sig := range signatures {
				if bytes.Contains(buf, []byte(sig)) {
					return true
				}
			}
		}
		return false
	},
	DeInit: func(sd *decoder.StreamDecoder) error {
		// Flush buffered log entries; the error is the decoder's DeInit result.
		return smbLog.Sync()
	},
	Factory: &smbReader{},
	Typ:     core.TCP,
}

Decoder for SMB protocol analysis

Functions

This section is empty.

Types

type SMBFileExtractor

// SMBFileExtractor implements file extraction for SMB file-share operations.
// It is an empty struct and carries no state of its own; every method takes
// the conversation or handle it operates on as an argument.
type SMBFileExtractor struct{}

SMBFileExtractor implements file extraction for SMB file share operations

func (*SMBFileExtractor) DescribeFile

func (s *SMBFileExtractor) DescribeFile(handle *file.FileHandle) string

DescribeFile returns a human-readable description of the SMB file transfer

func (*SMBFileExtractor) ExtractFile

func (s *SMBFileExtractor) ExtractFile(conv *core.ConversationInfo, data []byte, metadata file.FileMetadata) error

ExtractFile performs SMB file extraction

func (*SMBFileExtractor) GetFileHandle

func (s *SMBFileExtractor) GetFileHandle(conv *core.ConversationInfo, isOrigin bool, depth int) string

GetFileHandle generates a unique identifier for an SMB file transfer

func (*SMBFileExtractor) ProtocolName

func (s *SMBFileExtractor) ProtocolName() string

ProtocolName returns the protocol name

type SMBFileHandle

// SMBFileHandle is the decoder's record of an open file handle inside an
// SMB session. Entries are created by SMBFileTracker.TrackFileHandle,
// looked up by GetFileHandle, and dropped by RemoveFileHandle (on CLOSE)
// or by CleanupExpiredHandles. Only FileID, Filename, ShareName, SessionID
// and TreeID are supplied through TrackFileHandle's parameters; how the
// remaining fields are populated is not visible here.
type SMBFileHandle struct {
	// FileID is the lookup key used by SMBFileTracker.
	// NOTE(review): an SMB2 FileId on the wire is 16 bytes (persistent +
	// volatile halves); confirm which half, or what folding, produces this
	// 64-bit value, since collisions here would merge two files' data.
	FileID uint64
	// Filename is the name recorded for the handle; presumably the path
	// from the CREATE request — verify against the caller.
	Filename string
	// ShareName is the share the handle belongs to.
	ShareName string
	// SessionID and TreeID scope the handle to an SMB session and tree
	// connect; the same FileID value can legitimately recur across sessions.
	SessionID uint64
	TreeID    uint32
	// CreatedAt is the time the handle was recorded; presumably what
	// CleanupExpiredHandles ages entries against — confirm.
	CreatedAt time.Time
	// AccessMask is the requested/granted access bits for the handle.
	AccessMask uint32
	// IsDirectory marks handles opened on a directory rather than a file.
	IsDirectory bool
}

SMBFileHandle tracks open file handles in SMB sessions

type SMBFileTracker

// SMBFileTracker tracks file handles across SMB sessions, keyed by FileID.
// Its fields are unexported; the rendered documentation does not show
// whether access is guarded by a mutex, which matters because
// CleanupExpiredHandles is started from Decoder.PostInit (via
// startSMBCleanup) while TrackFileHandle/RemoveFileHandle run on the
// decoding path — TODO confirm the locking before relying on it.
type SMBFileTracker struct {
	// contains filtered or unexported fields
}

SMBFileTracker tracks file handles across SMB sessions

func (*SMBFileTracker) CleanupExpiredHandles

func (t *SMBFileTracker) CleanupExpiredHandles()

CleanupExpiredHandles removes stale file handles

func (*SMBFileTracker) GetFileHandle

func (t *SMBFileTracker) GetFileHandle(fileID uint64) (*SMBFileHandle, bool)

GetFileHandle retrieves file information by fileID

func (*SMBFileTracker) RemoveFileHandle

func (t *SMBFileTracker) RemoveFileHandle(fileID uint64)

RemoveFileHandle removes a file handle (on CLOSE)

func (*SMBFileTracker) TrackFileHandle

func (t *SMBFileTracker) TrackFileHandle(fileID uint64, filename, shareName string, sessionID uint64, treeID uint32)

TrackFileHandle records a file handle from SMB CREATE response
