Question

The Background

I'm writing a Windows OS detection script using scapy. While I could use other tools like p0f, nmap with the SMB script, etc., this part of functionality is only one small piece of the whole, and so I am committed to the scapy route.

The Problem

Being quite the novice with scapy, I am having some trouble figuring out the best practice for using the SMB decoder. So far I have:

from scapy.all import IP, Raw, sniff
from scapy.layers.smb import SMBSession_Setup_AndX_Request

def disp(pkt):
    # print the sender, then try to read NativeOS out of the undissected TCP payload
    print(pkt.getlayer(IP).src)
    if pkt.haslayer(Raw):
        # feed the Raw payload to the SMB class and read its NativeOS field
        print(SMBSession_Setup_AndX_Request(pkt.getlayer(Raw).load).NativeOS)

foo = sniff(prn=disp, filter="port 445", count=10)

As you can see, I am simply stuffing the 'Raw' layer through the SMBSession_Setup_AndX_Request() class, in the hope it'll do The Right Thing with the 'Raw' payload.

This does appear to be functional, but returns the "default" class setting for the NativeOS attribute of "Windows 4.0" (well, it is on my version of scapy's smb.py), and sometimes treats me to a stack trace, depending on whether a Mac is on the network, doing CIFS. My blind assumption that I can just grab NativeOS and be done with it is surely ill-conceived.

The Question

If my methodology is just plain wrong, what would be the correct approach to custom protocol decoding using scapy's sniff() method?

Many thanks for any advice,

sc.


Solution

Short answer is Scapy's implementation of SMB layers does not handle SMB "directly" over TCP (basically TCP/445) but only SMB over NetBios over TCP (basically TCP/139).

I don't think it would be really hard to change that, but you would have to dive into layers/smb.py for that (for example, to decide which SMB* layer has to be used, Scapy uses values from fields of the underlying NBTSession layer, which no longer exists in SMB over TCP).

Another option if you want to identify OS from Scapy without relying on SMB would be to use the p0f module. To try it:

>>> load_module('p0f')
>>> sniff(prn=prnp0f, store=False)
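An added example to go with the answer above (it is neither the asker's script nor Scapy's own SMB layers): a small pure-Python dissector that strips the 4-byte framing in front of the SMB header itself, so it works on TCP/445 (direct hosting) as well as TCP/139 (NetBIOS session), then walks the SMB1 header and the Session Setup AndX parameter and data blocks to pull out NativeOS. Field layouts follow MS-CIFS. The build_session_setup helper, the SAMPLE_RESPONSE and SAMPLE_REQUEST messages and every string in them ("Windows 5.1", "Samba", "WORKGROUP", "user") are constructed here for the example, not captured traffic.

```python
# Added example (not the asker's script, not Scapy's own SMB layers): a pure-Python
# dissector for SMB1 Session Setup AndX that works on TCP/445 as well as TCP/139.
import struct

SMB_COM_SESSION_SETUP_ANDX = 0x73
SMB_FLAGS_REPLY, SMB_FLAGS2_UNICODE = 0x80, 0x8000   # Flags bit 7 (response), Flags2 bit 15 (UTF-16LE)
SMB1_MAGIC, SMB2_MAGIC = b"\xffSMB", b"\xfeSMB"
HDR = 32                                             # SMB1 header length

def strip_transport(payload):
    """Drop the 4-byte framing and return the SMB message.  TCP/445 uses 0x00 plus a
    24-bit big-endian length; TCP/139 (NBSS) uses type, flags, 16-bit length, and for a
    Session Message (type 0x00) the flags byte only holds length bit 16, so both are
    byte-identical.  Other NBSS types (0x81 Session Request, ...) carry no SMB."""
    if len(payload) < 4 or payload[0] != 0x00:
        return None
    length = int.from_bytes(payload[1:4], "big")
    return payload[4:4 + length] if len(payload) >= 4 + length else None  # short: needs TCP reassembly

def _read_strings(buf, pos, end, unicode, count):
    """Read NUL-terminated strings from buf[pos:end]; Unicode ones are UTF-16LE and
    2-byte aligned relative to the SMB header, which sits at offset 0 of buf."""
    nul, step, enc = (b"\x00\x00", 2, "utf-16-le") if unicode else (b"\x00", 1, "ascii")
    out = []
    for _ in range(count):
        pos += (pos & 1) * (step - 1)       # skip the Pad byte before a Unicode string
        j = pos
        while j + step <= end and buf[j:j + step] != nul:
            j += step
        if j + step > end:
            return None                     # unterminated string: malformed or truncated
        out.append(buf[pos:j].decode(enc, "replace"))  # "ascii" stands in for the OEM code page
        pos = j + step
    return out

def parse_session_setup(smb):
    """Dict for a Session Setup AndX request/response, else None.  SMB2 is reported
    as such because it has no NativeOS field at all."""
    if smb[:4] == SMB2_MAGIC:
        return {"dialect": "SMB2"}
    if len(smb) < HDR + 3 or smb[:4] != SMB1_MAGIC or smb[4] != SMB_COM_SESSION_SETUP_ANDX:
        return None
    reply = bool(smb[9] & SMB_FLAGS_REPLY)
    unicode = bool(struct.unpack_from("<H", smb, 10)[0] & SMB_FLAGS2_UNICODE)
    wc = smb[HDR]                            # WordCount: 16-bit parameter words follow
    bc_off = HDR + 1 + 2 * wc                # then ByteCount and the data block
    if bc_off + 2 > len(smb):
        return None
    words, data_off = smb[HDR + 1:bc_off], bc_off + 2
    data_end = data_off + struct.unpack_from("<H", smb, bc_off)[0]
    if data_end > len(smb):
        return None
    # The strings sit behind variable-length blobs whose sizes are in the parameter
    # words; WordCount tells the four message variants apart.
    if reply and wc == 3:                    # response, NTLM
        skip, names = 0, ("NativeOS", "NativeLanMan", "PrimaryDomain")
    elif reply and wc == 4:                  # response, extended security (blob first)
        skip, names = struct.unpack_from("<H", words, 6)[0], ("NativeOS", "NativeLanMan")
    elif not reply and wc == 13:             # request, NTLM (OEM + Unicode password first)
        skip = sum(struct.unpack_from("<HH", words, 14))
        names = ("AccountName", "PrimaryDomain", "NativeOS", "NativeLanMan")
    elif not reply and wc == 12:             # request, extended security (blob first)
        skip, names = struct.unpack_from("<H", words, 14)[0], ("NativeOS", "NativeLanMan")
    else:
        return None
    strings = _read_strings(smb, data_off + skip, data_end, unicode, len(names))
    if strings is None:
        return None
    return dict(zip(names, strings), dialect="SMB1", reply=reply, unicode=unicode)

def native_os_from_payload(payload):
    """Raw TCP payload from port 139/445 -> NativeOS string, or None."""
    smb = strip_transport(payload)
    info = parse_session_setup(smb) if smb else None
    return info.get("NativeOS") if info else None

def build_session_setup(reply, strings, unicode=True, password=b""):
    """Construct a minimal NTLM-variant Session Setup AndX with direct-TCP framing.
    Only here to make sample input for the parser; all values are made up."""
    header = (SMB1_MAGIC + bytes([SMB_COM_SESSION_SETUP_ANDX, 0, 0, 0, 0])
              + bytes([SMB_FLAGS_REPLY if reply else 0])
              + struct.pack("<H", SMB_FLAGS2_UNICODE if unicode else 0) + b"\x00" * 20)
    if reply:   # AndXCommand=0xFF (none), AndXReserved, AndXOffset, Action
        words = b"\xff\x00" + struct.pack("<HH", 0, 0)
    else:       # ..., MaxBufferSize, MaxMpxCount, VcNumber, SessionKey, OEMPasswordLen,
                # UnicodePasswordLen, Reserved, Capabilities
        words = b"\xff\x00" + struct.pack("<HHHHIHHII", 0, 0xFFFF, 2, 0, 0, len(password), 0, 0, 0)
    params = bytes([len(words) // 2]) + words
    data = password
    if unicode and (HDR + len(params) + 2 + len(data)) & 1:
        data += b"\x00"                      # Pad so the first string is 2-byte aligned
    for s in strings:
        data += s.encode("utf-16-le") + b"\x00\x00" if unicode else s.encode("ascii") + b"\x00"
    smb = header + params + struct.pack("<H", len(data)) + data
    return b"\x00" + len(smb).to_bytes(3, "big") + smb

SAMPLE_RESPONSE = build_session_setup(True, ["Windows 5.1", "Windows 2000 LAN Manager", "WORKGROUP"])
SAMPLE_REQUEST = build_session_setup(False, ["user", "WORKGROUP", "Unix", "Samba"], password=b"\x00" * 24)
```

From a sniff() callback, hand it bytes(pkt[TCP].payload) (TCP from scapy.all) and use the filter "tcp port 445 or tcp port 139"; the server's response is the message that names the server OS, the request names the client's. The parser looks at a single TCP segment and only at the first SMB message in it: a Session Setup split across segments, or chained behind another AndX command, comes back as None rather than something half-decoded. An SMB2 negotiation, which Windows prefers whenever both ends support it, is reported as {"dialect": "SMB2"} because SMB2 carries no NativeOS field at all.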
Licensed under: CC-BY-SA with attribution