mirror of
https://github.com/shadow1ng/fscan.git
synced 2025-09-14 05:56:46 +08:00
8f54702c02
经Linus式架构审计,发现并修复插件系统中的具体问题: ## 核心修复 ### 1. 消除local插件GetPorts()方法冗余 - 删除21个local插件中无意义的GetPorts()方法 - 简化local.Plugin接口:移除端口概念 - 理由:本地插件不涉及网络,端口概念完全多余 ### 2. 消除web插件GetPorts()方法冗余 - 删除2个web插件中无用的GetPorts()方法 - 简化web.WebPlugin接口:专注智能HTTP检测 - 理由:Web插件使用动态HTTP检测,预定义端口无价值 ### 3. 统一插件命名规范 - 统一所有插件接口使用Name()方法(符合Go惯例) - 消除GetName()与Name()不一致问题 - 简化适配器:不再需要方法名转换 ## 技术改进 接口精简: - local插件:GetName() + GetPorts() → Name() - web插件:GetName() + GetPorts() → Name() - services插件:GetName() → Name()(保留GetPorts(),业务必需) 代码减少: - 删除23个无用GetPorts()方法 - 重命名52个Name()方法 - 简化3个插件接口定义 ## 影响范围 修改文件:55个插件文件 代码变更:-155行 +61行(净减少94行) 功能影响:零破坏性,保持所有业务逻辑不变 这是基于业务需求分析的精准重构,消除真正多余的部分, 保持系统架构合理性和向后兼容性。
609 lines
17 KiB
Go
609 lines
17 KiB
Go
package services
|
|
|
|
import (
|
|
"bytes"
|
|
"context"
|
|
"encoding/hex"
|
|
"fmt"
|
|
"net"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/shadow1ng/fscan/common"
|
|
)
|
|
|
|
// SMBInfoPlugin SMB协议信息收集插件 - 收集操作系统和NTLM信息
|
|
type SMBInfoPlugin struct {
|
|
name string
|
|
ports []int
|
|
}
|
|
|
|
// NewSMBInfoPlugin 创建SMBInfo插件
|
|
func NewSMBInfoPlugin() *SMBInfoPlugin {
|
|
return &SMBInfoPlugin{
|
|
name: "smbinfo",
|
|
ports: []int{139, 445}, // SMB端口
|
|
}
|
|
}
|
|
|
|
// GetName 实现Plugin接口
|
|
func (p *SMBInfoPlugin) Name() string {
|
|
return p.name
|
|
}
|
|
|
|
// GetPorts 实现Plugin接口
|
|
func (p *SMBInfoPlugin) GetPorts() []int {
|
|
return p.ports
|
|
}
|
|
|
|
// Scan 执行SMBInfo扫描 - SMB信息收集
|
|
func (p *SMBInfoPlugin) Scan(ctx context.Context, info *common.HostInfo) *ScanResult {
|
|
target := fmt.Sprintf("%s:%s", info.Host, info.Ports)
|
|
|
|
// 检查端口
|
|
if info.Ports != "445" && info.Ports != "139" {
|
|
return &ScanResult{
|
|
Success: false,
|
|
Service: "smbinfo",
|
|
Error: fmt.Errorf("SMBInfo插件仅支持139和445端口"),
|
|
}
|
|
}
|
|
|
|
// 建立连接
|
|
conn, err := net.DialTimeout("tcp", target, time.Duration(common.Timeout)*time.Second)
|
|
if err != nil {
|
|
return &ScanResult{
|
|
Success: false,
|
|
Service: "smbinfo",
|
|
Error: fmt.Errorf("连接失败: %v", err),
|
|
}
|
|
}
|
|
defer conn.Close()
|
|
|
|
conn.SetDeadline(time.Now().Add(time.Duration(common.Timeout) * time.Second))
|
|
|
|
// 执行SMB信息收集
|
|
smbInfo, err := p.collectSMBInfo(conn, target)
|
|
if err != nil {
|
|
return &ScanResult{
|
|
Success: false,
|
|
Service: "smbinfo",
|
|
Error: err,
|
|
}
|
|
}
|
|
|
|
// 记录SMB信息发现
|
|
if smbInfo.Valid {
|
|
msg := fmt.Sprintf("SMBInfo %s", target)
|
|
if smbInfo.OSVersion != "" {
|
|
msg += fmt.Sprintf(" [%s]", smbInfo.OSVersion)
|
|
}
|
|
if smbInfo.ComputerName != "" {
|
|
msg += fmt.Sprintf(" %s", smbInfo.ComputerName)
|
|
}
|
|
msg += fmt.Sprintf(" %s", smbInfo.Protocol)
|
|
common.LogSuccess(msg)
|
|
}
|
|
|
|
return &ScanResult{
|
|
Success: smbInfo.Valid,
|
|
Service: "smbinfo",
|
|
Banner: smbInfo.Summary(),
|
|
}
|
|
}
|
|
|
|
|
|
// SMBInfo SMB信息结构
|
|
type SMBInfo struct {
|
|
Valid bool
|
|
Protocol string // SMB1 或 SMB2
|
|
ComputerName string
|
|
DomainName string
|
|
OSVersion string
|
|
NativeOS string
|
|
NativeLM string
|
|
NTLMFlags []string
|
|
}
|
|
|
|
// Summary 返回SMB信息摘要
|
|
func (si *SMBInfo) Summary() string {
|
|
if !si.Valid {
|
|
return "SMB信息收集失败"
|
|
}
|
|
|
|
var parts []string
|
|
parts = append(parts, si.Protocol)
|
|
|
|
if si.OSVersion != "" {
|
|
parts = append(parts, si.OSVersion)
|
|
}
|
|
|
|
if si.ComputerName != "" {
|
|
parts = append(parts, si.ComputerName)
|
|
}
|
|
|
|
return strings.Join(parts, " ")
|
|
}
|
|
|
|
// SMB协议数据包定义
|
|
var (
|
|
smbv1Negotiate1 = []byte{
|
|
0x00, 0x00, 0x00, 0x85, 0xFF, 0x53, 0x4D, 0x42, 0x72, 0x00, 0x00, 0x00, 0x00, 0x18, 0x53, 0xC8,
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFE,
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x62, 0x00, 0x02, 0x50, 0x43, 0x20, 0x4E, 0x45, 0x54, 0x57, 0x4F,
|
|
0x52, 0x4B, 0x20, 0x50, 0x52, 0x4F, 0x47, 0x52, 0x41, 0x4D, 0x20, 0x31, 0x2E, 0x30, 0x00, 0x02,
|
|
0x4C, 0x41, 0x4E, 0x4D, 0x41, 0x4E, 0x31, 0x2E, 0x30, 0x00, 0x02, 0x57, 0x69, 0x6E, 0x64, 0x6F,
|
|
0x77, 0x73, 0x20, 0x66, 0x6F, 0x72, 0x20, 0x57, 0x6F, 0x72, 0x6B, 0x67, 0x72, 0x6F, 0x75, 0x70,
|
|
0x73, 0x20, 0x33, 0x2E, 0x31, 0x61, 0x00, 0x02, 0x4C, 0x4D, 0x31, 0x2E, 0x32, 0x58, 0x30, 0x30,
|
|
0x32, 0x00, 0x02, 0x4C, 0x41, 0x4E, 0x4D, 0x41, 0x4E, 0x32, 0x2E, 0x31, 0x00, 0x02, 0x4E, 0x54,
|
|
0x20, 0x4C, 0x4D, 0x20, 0x30, 0x2E, 0x31, 0x32, 0x00,
|
|
}
|
|
|
|
smbv1SessionSetup = []byte{
|
|
0x00, 0x00, 0x01, 0x0A, 0xFF, 0x53, 0x4D, 0x42, 0x73, 0x00, 0x00, 0x00, 0x00, 0x18, 0x07, 0xC8,
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFE,
|
|
0x00, 0x00, 0x40, 0x00, 0x0C, 0xFF, 0x00, 0x0A, 0x01, 0x04, 0x41, 0x32, 0x00, 0x00, 0x00, 0x00,
|
|
0x00, 0x00, 0x00, 0x4A, 0x00, 0x00, 0x00, 0x00, 0x00, 0xD4, 0x00, 0x00, 0xA0, 0xCF, 0x00, 0x60,
|
|
0x48, 0x06, 0x06, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x02, 0xA0, 0x3E, 0x30, 0x3C, 0xA0, 0x0E, 0x30,
|
|
0x0C, 0x06, 0x0A, 0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x02, 0x0A, 0xA2, 0x2A, 0x04,
|
|
0x28, 0x4E, 0x54, 0x4C, 0x4D, 0x53, 0x53, 0x50, 0x00, 0x01, 0x00, 0x00, 0x00, 0x07, 0x82, 0x08,
|
|
0xA2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
0x00, 0x05, 0x02, 0xCE, 0x0E, 0x00, 0x00, 0x00, 0x0F, 0x00, 0x57, 0x00, 0x69, 0x00, 0x6E, 0x00,
|
|
0x64, 0x00, 0x6F, 0x00, 0x77, 0x00, 0x73, 0x00, 0x20, 0x00, 0x53, 0x00, 0x65, 0x00, 0x72, 0x00,
|
|
0x76, 0x00, 0x65, 0x00, 0x72, 0x00, 0x20, 0x00, 0x32, 0x00, 0x30, 0x00, 0x30, 0x00, 0x33, 0x00,
|
|
0x20, 0x00, 0x33, 0x00, 0x37, 0x00, 0x39, 0x00, 0x30, 0x00, 0x20, 0x00, 0x53, 0x00, 0x65, 0x00,
|
|
0x72, 0x00, 0x76, 0x00, 0x69, 0x00, 0x63, 0x00, 0x65, 0x00, 0x20, 0x00, 0x50, 0x00, 0x61, 0x00,
|
|
0x63, 0x00, 0x6B, 0x00, 0x20, 0x00, 0x32, 0x00, 0x00, 0x00, 0x00, 0x00, 0x57, 0x00, 0x69, 0x00,
|
|
0x6E, 0x00, 0x64, 0x00, 0x6F, 0x00, 0x77, 0x00, 0x73, 0x00, 0x20, 0x00, 0x53, 0x00, 0x65, 0x00,
|
|
0x72, 0x00, 0x76, 0x00, 0x65, 0x00, 0x72, 0x00, 0x20, 0x00, 0x32, 0x00, 0x30, 0x00, 0x30, 0x00,
|
|
0x33, 0x00, 0x20, 0x00, 0x35, 0x00, 0x2E, 0x00, 0x32, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
}
|
|
|
|
smbv2Negotiate1 = []byte{
|
|
0x00, 0x00, 0x00, 0x45, 0xFF, 0x53, 0x4D, 0x42, 0x72, 0x00,
|
|
0x00, 0x00, 0x00, 0x18, 0x01, 0x48, 0x00, 0x00, 0x00, 0x00,
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF,
|
|
0xAC, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x22, 0x00, 0x02,
|
|
0x4E, 0x54, 0x20, 0x4C, 0x4D, 0x20, 0x30, 0x2E, 0x31, 0x32,
|
|
0x00, 0x02, 0x53, 0x4D, 0x42, 0x20, 0x32, 0x2E, 0x30, 0x30,
|
|
0x32, 0x00, 0x02, 0x53, 0x4D, 0x42, 0x20, 0x32, 0x2E, 0x3F,
|
|
0x3F, 0x3F, 0x00,
|
|
}
|
|
|
|
smbv2SessionSetup1 = []byte{
|
|
0x00, 0x00, 0x00, 0x68, 0xFE, 0x53, 0x4D, 0x42, 0x40, 0x00,
|
|
0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x24, 0x00,
|
|
0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00,
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
0x00, 0x00, 0x00, 0x00, 0x02, 0x02, 0x10, 0x02,
|
|
}
|
|
)
|
|
|
|
// collectSMBInfo 收集SMB信息
|
|
func (p *SMBInfoPlugin) collectSMBInfo(conn net.Conn, target string) (*SMBInfo, error) {
|
|
// 首先尝试SMBv1协商
|
|
_, err := conn.Write(smbv1Negotiate1)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("发送SMBv1协商包失败: %v", err)
|
|
}
|
|
|
|
// 读取SMBv1协商响应
|
|
r1, err := p.readBytes(conn)
|
|
if err != nil {
|
|
common.LogDebug(fmt.Sprintf("读取SMBv1协商响应失败: %v", err))
|
|
}
|
|
|
|
// 检查是否支持SMBv1
|
|
if len(r1) > 0 {
|
|
// SMBv1路径
|
|
return p.handleSMBv1(conn, target)
|
|
} else {
|
|
// SMBv2路径
|
|
return p.handleSMBv2(target)
|
|
}
|
|
}
|
|
|
|
// handleSMBv1 处理SMBv1协议信息收集
|
|
func (p *SMBInfoPlugin) handleSMBv1(conn net.Conn, target string) (*SMBInfo, error) {
|
|
// 发送Session Setup请求
|
|
_, err := conn.Write(smbv1SessionSetup)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("发送SMBv1 Session Setup失败: %v", err)
|
|
}
|
|
|
|
ret, err := p.readBytes(conn)
|
|
if err != nil || len(ret) < 45 {
|
|
return nil, fmt.Errorf("读取SMBv1 Session Setup响应失败: %v", err)
|
|
}
|
|
|
|
info := &SMBInfo{
|
|
Valid: true,
|
|
Protocol: "SMBv1",
|
|
}
|
|
|
|
// 解析blob信息
|
|
blobLength := p.bytesToUint16(ret[43:45])
|
|
blobCount := p.bytesToUint16(ret[45:47])
|
|
|
|
if int(blobCount) > len(ret) {
|
|
return info, nil
|
|
}
|
|
|
|
gssNative := ret[47:]
|
|
offNTLM := bytes.Index(gssNative, []byte("NTLMSSP"))
|
|
if offNTLM == -1 {
|
|
return info, nil
|
|
}
|
|
|
|
// 提取native OS和LM信息
|
|
native := gssNative[int(blobLength):blobCount]
|
|
ss := strings.Split(string(native), "\x00\x00")
|
|
|
|
if len(ss) > 0 {
|
|
info.NativeOS = p.trimName(ss[0])
|
|
}
|
|
if len(ss) > 1 {
|
|
info.NativeLM = p.trimName(ss[1])
|
|
}
|
|
|
|
// 解析NTLM信息
|
|
bs := gssNative[offNTLM:blobLength]
|
|
p.parseNTLMChallenge(bs, info)
|
|
|
|
return info, nil
|
|
}
|
|
|
|
// handleSMBv2 处理SMBv2协议信息收集
|
|
func (p *SMBInfoPlugin) handleSMBv2(target string) (*SMBInfo, error) {
|
|
// 重新建立连接处理SMBv2
|
|
conn2, err := net.DialTimeout("tcp", target, time.Duration(common.Timeout)*time.Second)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("SMBv2连接失败: %v", err)
|
|
}
|
|
defer conn2.Close()
|
|
|
|
conn2.SetDeadline(time.Now().Add(time.Duration(common.Timeout) * time.Second))
|
|
|
|
// 发送SMBv2协商包
|
|
_, err = conn2.Write(smbv2Negotiate1)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("发送SMBv2协商包失败: %v", err)
|
|
}
|
|
|
|
r2, err := p.readBytes(conn2)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("读取SMBv2协商响应失败: %v", err)
|
|
}
|
|
|
|
// 构建NTLM数据包
|
|
var ntlmData []byte
|
|
if len(r2) > 70 && hex.EncodeToString(r2[70:71]) == "03" {
|
|
flags := []byte{0x15, 0x82, 0x08, 0xa0}
|
|
ntlmData = p.getNTLMSSPData(flags)
|
|
} else {
|
|
flags := []byte{0x05, 0x80, 0x08, 0xa0}
|
|
ntlmData = p.getNTLMSSPData(flags)
|
|
}
|
|
|
|
// 发送Session Setup
|
|
_, err = conn2.Write(smbv2SessionSetup1)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("发送SMBv2 Session Setup失败: %v", err)
|
|
}
|
|
|
|
_, err = p.readBytes(conn2)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("读取SMBv2 Session Setup响应失败: %v", err)
|
|
}
|
|
|
|
// 发送NTLM协商包
|
|
_, err = conn2.Write(ntlmData)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("发送SMBv2 NTLM包失败: %v", err)
|
|
}
|
|
|
|
ret, err := p.readBytes(conn2)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("读取SMBv2 NTLM响应失败: %v", err)
|
|
}
|
|
|
|
ntlmOff := bytes.Index(ret, []byte("NTLMSSP"))
|
|
if ntlmOff == -1 {
|
|
return &SMBInfo{Valid: true, Protocol: "SMBv2"}, nil
|
|
}
|
|
|
|
info := &SMBInfo{
|
|
Valid: true,
|
|
Protocol: "SMBv2",
|
|
}
|
|
|
|
p.parseNTLMChallenge(ret[ntlmOff:], info)
|
|
return info, nil
|
|
}
|
|
|
|
// readBytes 从连接读取NetBIOS消息
|
|
func (p *SMBInfoPlugin) readBytes(conn net.Conn) ([]byte, error) {
|
|
// 读取NetBIOS头部(4字节)
|
|
headerBuf := make([]byte, 4)
|
|
n, err := conn.Read(headerBuf)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if n != 4 {
|
|
return nil, fmt.Errorf("NetBIOS头部长度不足: %d", n)
|
|
}
|
|
|
|
// 解析消息长度(大端序)
|
|
messageLength := int(headerBuf[0])<<24 | int(headerBuf[1])<<16 | int(headerBuf[2])<<8 | int(headerBuf[3])
|
|
|
|
// 防止过大的消息
|
|
if messageLength > 1024*1024 {
|
|
return nil, fmt.Errorf("消息长度过大: %d", messageLength)
|
|
}
|
|
|
|
if messageLength == 0 {
|
|
return headerBuf, nil
|
|
}
|
|
|
|
// 读取消息体
|
|
messageBuf := make([]byte, messageLength)
|
|
totalRead := 0
|
|
for totalRead < messageLength {
|
|
n, err := conn.Read(messageBuf[totalRead:])
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
totalRead += n
|
|
}
|
|
|
|
// 返回完整消息
|
|
result := make([]byte, 0, 4+messageLength)
|
|
result = append(result, headerBuf...)
|
|
result = append(result, messageBuf...)
|
|
|
|
return result, nil
|
|
}
|
|
|
|
// parseNTLMChallenge 解析NTLM Challenge消息
|
|
func (p *SMBInfoPlugin) parseNTLMChallenge(data []byte, info *SMBInfo) {
|
|
if len(data) < 32 {
|
|
return
|
|
}
|
|
|
|
// 检查NTLM签名
|
|
if !bytes.Equal(data[0:8], []byte("NTLMSSP\x00")) {
|
|
return
|
|
}
|
|
|
|
// 检查消息类型
|
|
if len(data) < 12 {
|
|
return
|
|
}
|
|
messageType := p.bytesToUint32(data[8:12])
|
|
if messageType != 2 {
|
|
return
|
|
}
|
|
|
|
// 解析Target Name
|
|
if len(data) >= 20 {
|
|
targetLength := p.bytesToUint16(data[12:14])
|
|
targetOffset := p.bytesToUint32(data[16:20])
|
|
|
|
if targetLength > 0 && int(targetOffset) < len(data) && int(targetOffset+uint32(targetLength)) <= len(data) {
|
|
targetName := p.parseUnicodeString(data[targetOffset : targetOffset+uint32(targetLength)])
|
|
if targetName != "" {
|
|
info.DomainName = targetName
|
|
}
|
|
}
|
|
}
|
|
|
|
// 解析Flags
|
|
if len(data) >= 24 {
|
|
flags := p.bytesToUint32(data[20:24])
|
|
info.NTLMFlags = p.parseNTLMFlags(flags)
|
|
}
|
|
|
|
// 解析Target Info (AV_PAIR结构)
|
|
if len(data) >= 52 {
|
|
targetInfoLength := p.bytesToUint16(data[40:42])
|
|
targetInfoOffset := p.bytesToUint32(data[44:48])
|
|
|
|
if targetInfoLength > 0 && int(targetInfoOffset) < len(data) &&
|
|
int(targetInfoOffset+uint32(targetInfoLength)) <= len(data) {
|
|
targetInfoData := data[targetInfoOffset : targetInfoOffset+uint32(targetInfoLength)]
|
|
p.parseTargetInfo(targetInfoData, info)
|
|
}
|
|
}
|
|
|
|
// 解析OS版本信息
|
|
if len(data) >= 56 {
|
|
flags := p.bytesToUint32(data[20:24])
|
|
// NTLMSSP_NEGOTIATE_VERSION = 0x02000000
|
|
if flags&0x02000000 != 0 && len(data) >= 56 {
|
|
p.parseOSVersion(data[48:56], info)
|
|
}
|
|
}
|
|
}
|
|
|
|
// parseTargetInfo 解析Target Information
|
|
func (p *SMBInfoPlugin) parseTargetInfo(data []byte, info *SMBInfo) {
|
|
offset := 0
|
|
|
|
for offset+4 <= len(data) {
|
|
avId := p.bytesToUint16(data[offset : offset+2])
|
|
avLen := p.bytesToUint16(data[offset+2 : offset+4])
|
|
|
|
if avId == 0x0000 { // MsvAvEOL
|
|
break
|
|
}
|
|
|
|
if offset+4+int(avLen) > len(data) {
|
|
break
|
|
}
|
|
|
|
value := data[offset+4 : offset+4+int(avLen)]
|
|
|
|
switch avId {
|
|
case 0x0001: // MsvAvNbComputerName
|
|
computerName := p.parseUnicodeString(value)
|
|
if computerName != "" {
|
|
info.ComputerName = computerName
|
|
}
|
|
case 0x0002: // MsvAvNbDomainName
|
|
if info.DomainName == "" {
|
|
domainName := p.parseUnicodeString(value)
|
|
if domainName != "" {
|
|
info.DomainName = domainName
|
|
}
|
|
}
|
|
case 0x0003: // MsvAvDnsComputerName
|
|
if info.ComputerName == "" {
|
|
dnsComputerName := p.parseUnicodeString(value)
|
|
if dnsComputerName != "" {
|
|
info.ComputerName = dnsComputerName
|
|
}
|
|
}
|
|
}
|
|
|
|
offset += 4 + int(avLen)
|
|
}
|
|
}
|
|
|
|
// parseOSVersion 解析操作系统版本
|
|
func (p *SMBInfoPlugin) parseOSVersion(data []byte, info *SMBInfo) {
|
|
if len(data) < 8 {
|
|
return
|
|
}
|
|
|
|
majorVersion := data[0]
|
|
minorVersion := data[1]
|
|
buildNumber := p.bytesToUint16(data[2:4])
|
|
|
|
// Windows版本映射
|
|
var osName string
|
|
switch {
|
|
case majorVersion == 10 && minorVersion == 0:
|
|
if buildNumber >= 22000 {
|
|
osName = "Windows 11"
|
|
} else {
|
|
osName = "Windows 10"
|
|
}
|
|
case majorVersion == 6 && minorVersion == 3:
|
|
osName = "Windows 8.1/Server 2012 R2"
|
|
case majorVersion == 6 && minorVersion == 2:
|
|
osName = "Windows 8/Server 2012"
|
|
case majorVersion == 6 && minorVersion == 1:
|
|
osName = "Windows 7/Server 2008 R2"
|
|
case majorVersion == 6 && minorVersion == 0:
|
|
osName = "Windows Vista/Server 2008"
|
|
case majorVersion == 5 && minorVersion == 2:
|
|
osName = "Windows XP x64/Server 2003"
|
|
case majorVersion == 5 && minorVersion == 1:
|
|
osName = "Windows XP"
|
|
case majorVersion == 5 && minorVersion == 0:
|
|
osName = "Windows 2000"
|
|
default:
|
|
osName = fmt.Sprintf("Windows %d.%d", majorVersion, minorVersion)
|
|
}
|
|
|
|
info.OSVersion = fmt.Sprintf("%s (Build %d)", osName, buildNumber)
|
|
}
|
|
|
|
// 辅助函数
|
|
func (p *SMBInfoPlugin) bytesToUint16(b []byte) uint16 {
|
|
if len(b) < 2 {
|
|
return 0
|
|
}
|
|
return uint16(b[0]) | uint16(b[1])<<8
|
|
}
|
|
|
|
func (p *SMBInfoPlugin) bytesToUint32(b []byte) uint32 {
|
|
if len(b) < 4 {
|
|
return 0
|
|
}
|
|
return uint32(b[0]) | uint32(b[1])<<8 | uint32(b[2])<<16 | uint32(b[3])<<24
|
|
}
|
|
|
|
func (p *SMBInfoPlugin) trimName(s string) string {
|
|
return strings.Trim(strings.TrimSpace(s), "\x00")
|
|
}
|
|
|
|
func (p *SMBInfoPlugin) parseUnicodeString(data []byte) string {
|
|
if len(data)%2 != 0 {
|
|
return ""
|
|
}
|
|
|
|
var runes []rune
|
|
for i := 0; i < len(data); i += 2 {
|
|
if i+1 >= len(data) {
|
|
break
|
|
}
|
|
// UTF-16LE: 低字节在前
|
|
r := uint16(data[i]) | uint16(data[i+1])<<8
|
|
if r == 0 {
|
|
break
|
|
}
|
|
runes = append(runes, rune(r))
|
|
}
|
|
return string(runes)
|
|
}
|
|
|
|
func (p *SMBInfoPlugin) parseNTLMFlags(flags uint32) []string {
|
|
flagNames := map[uint32]string{
|
|
0x00000001: "NEGOTIATE_UNICODE",
|
|
0x00000002: "NEGOTIATE_OEM",
|
|
0x00000004: "REQUEST_TARGET",
|
|
0x00000010: "NEGOTIATE_SIGN",
|
|
0x00000020: "NEGOTIATE_SEAL",
|
|
0x00000200: "NEGOTIATE_NTLM",
|
|
0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
|
|
0x02000000: "NEGOTIATE_VERSION",
|
|
0x20000000: "NEGOTIATE_128",
|
|
0x80000000: "NEGOTIATE_56",
|
|
}
|
|
|
|
var activeFlags []string
|
|
for flag, name := range flagNames {
|
|
if flags&flag != 0 {
|
|
activeFlags = append(activeFlags, name)
|
|
}
|
|
}
|
|
|
|
return activeFlags
|
|
}
|
|
|
|
func (p *SMBInfoPlugin) getNTLMSSPData(flags []byte) []byte {
|
|
return []byte{
|
|
0x00, 0x00, 0x00, 0x9A, 0xFE, 0x53, 0x4D, 0x42, 0x40, 0x00,
|
|
0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x19, 0x00,
|
|
0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
0x58, 0x00, 0x42, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
0x00, 0x00, 0x60, 0x40, 0x06, 0x06, 0x2B, 0x06, 0x01, 0x05,
|
|
0x05, 0x02, 0xA0, 0x36, 0x30, 0x34, 0xA0, 0x0E, 0x30, 0x0C,
|
|
0x06, 0x0A, 0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02,
|
|
0x02, 0x0A, 0xA2, 0x22, 0x04, 0x20, 0x4E, 0x54, 0x4C, 0x4D,
|
|
0x53, 0x53, 0x50, 0x00, 0x01, 0x00, 0x00, 0x00,
|
|
flags[0], flags[1], flags[2], flags[3],
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
}
|
|
}
|
|
|
|
// init 自动注册插件
|
|
func init() {
|
|
// 使用高效注册方式:直接传递端口信息,避免实例创建
|
|
RegisterPluginWithPorts("smbinfo", func() Plugin {
|
|
return NewSMBInfoPlugin()
|
|
}, []int{139, 445})
|
|
} |