Skip to content
/ aiosmb Public

Fully asynchronous SMB library written in pure python

License

Notifications You must be signed in to change notification settings

skelsec/aiosmb

Repository files navigation

Supported Python versions Twitter

🚩 Sponsors

If you like this project, consider purchasing licenses of OctoPwn, our full pentesting suite that runs in your browser!
For notifications on new builds/releases and other info, hop on to our Discord

aiosmb

Fully asynchronous SMB library written in pure python. Python 3.8+ ONLY

🚩 Runs in the browser

This project, alongside with many other pentester tools runs in the browser with the power of OctoPwn!
Check out the community version at OctoPwn - Live

Features

Too many to list here, please check the examples.

Authentication

Kerberos

Kirbi CCACHE AES/RC4/DES keys NT hash Password Certificate Certificate (PFX/PEM) Certstore (Windows)
Supported Y Y Y Y Y Y Y Y

NTLM

LM hash NT hash Password
Supported N Y Y

SSPI

Only on Windows.
This auth method uses the current user context. If you are NT/SYSTEM then it will use the machine account credentials.

NTLM Kerberos
Supported Y Y

NEGOEX

Certificate (PFX) Certstore (Windows)
Supported Y Y (using current user)

Connection

This library also supports QUIC connection to Azure hosts

Protocol Supproted
UDP N
TCP Y
QUIC Y

Proxy

Supports Socks4 and Socks5 natively. Socks5 currently not supporting authentication.
Bear in mind, that proxy support doesnt always play well with all auth methods, see this table below.

SOCKS4 SOCKS4A SOCKS5
NTLM Y Y Y
Kerberos N (incompatible) Y Y
SSPI Y (only local users) Y (only local users) Y (only local users)
NEGOEX Y Y Y

Connection url

I managed to condense all information needed to specify an SMB connection into an URL format.
It looks like this:

dialect-network+authmethod://user:secret@target:port/?param1=value1&param2=value2

dialect fomat: smbX/smbXXX
Where version: 2 for any SBM2 3 for any SMB3 dialects, or specific 3 character code like 200 or 201 or 300...

network format: tcp or quic (leave empty for TCP)

authmethod format: auth-type
Where auth: ntlm or kerberos or sspi or negext Where type: password or nt or aes or rc4 or kirbi ...

user format: DOMAIN\username
Where DOMAIN: your domain
Where username: your username

secret format: Depends on the authmethod's type value
target format: IP address or hostname of the target
port format: integer describing the port

Example

The following parameters are used (the user victim is trying to log in to the domain controller): Username: victim
Domain: TEST
Passowrd: Passw0rd!1
DC IP address: 10.10.10.2
DC hostname: win2019ad
Socks4 proxy serer: 127.0.0.1 Socks4 proxy port : 9050

Example 1 - NTLM with password

smb+ntlm-password://TEST\victim:Passw0rd!1@10.10.10.2

Example 2 - NTLM with NT hash

smb+ntlm-nt://TEST\victim:f8963568a1ec62a3161d9d6449baba93@10.10.10.2

Example 3 - NTLM using the SSPI in Windows

smb+sspi-ntlm://10.10.10.2

Example 4 - KERBEROS with password

smb+kerberos-password://TEST\victim:Passw0rd!1@10.10.10.2/?dc=10.10.10.2

Example 5 - KERBEROS with NT hash

smb+kerberos-nt://TEST\victim:f8963568a1ec62a3161d9d6449baba93@win2019ad.test.corp/?dc=10.10.10.2

Example 6 - KERBEROS with PFX certificate

smb2+kerberos-pfx://user.pfx:password@win2019ad.test.corp/?dc=10.10.10.2

Example 7 - KERBEROS with PEM certificate

smb2+kerberos-pem://cert.pem:key.pem@win2019ad.test.corp/?dc=10.10.10.2

Example 7 - KERBEROS with certificate from windows certificate store

smb2+kerberos-pem://cert.pem:key.pem@win2019ad.test.corp/?dc=10.10.10.2

Example 8 - KERBEROS using the SSPI in Windows

smb+sspi-kerberos://win2019ad.test.corp

Example 9 - Socks proxy and NTLM with password

smb+ntlm-password://TEST\victim:Passw0rd!1@10.10.10.2/?proxyhost=127.0.0.1&proxyport=9050

Example 10 - NTLM with password with timeout higher than normal (60s)

smb+ntlm-password://TEST\victim:Passw0rd!1@10.10.10.2/?timeout=60

Example 11 - Negoex certificate auth using PFX file. (eg. Azure P2P auth)

smb+negoex-pfx://certificate.pfx:certpass@10.10.10.2/

Example 12 - Negoex certstore auth using certificate from the current user's certstore (Windows only). (eg. Azure P2P auth)

smb+negoex-certstore://<subject CN of the certificate to use>@10.10.10.2/

TODO

  • DCERPC: in progress, lot of features working already
  • VSS mountpoint operations
  • a lot of other things

Kudos

This project is heavily based on the Impacket orignally by @agsolino.
The DCERPC strucutre definitions and DCERPC parsing in this project is almost identical to the Impacket project.
NEGOEX protocol implementation was based on AzureADJoinedMachinePTC created by @rubin_mor
Certificate request functionality was based on certi created by @zer1t0

About

Fully asynchronous SMB library written in pure python

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages