If you like this project, consider sponsoring it on GitHub! Sponsors
Fully asynchronous SMB library written in pure python. Python 3.7+ ONLY
Too many to list here, please check the examples.
| Kirbi | CCACHE | AES/RC4/DES keys | NT hash | Password | Certificate | Certificate (PFX/PEM) | Certstore (Windows) | |
|---|---|---|---|---|---|---|---|---|
| Supported | Y | Y | Y | Y | Y | Y | Y | Y |
| LM hash | NT hash | Password | |
|---|---|---|---|
| Supported | N | Y | Y |
Only on Windows.
This auth method uses the current user context. If you are NT/SYSTEM then it will use the machine account credentials.
| NTLM | Kerberos | |
|---|---|---|
| Supported | Y | Y |
| Certificate (PFX) | Certstore (Windows) | |
|---|---|---|
| Supported | Y | Y (using current user) |
This library also supports QUIC connection to Azure hosts
| Protocol | Supproted |
|---|---|
| UDP | N |
| TCP | Y |
| QUIC | Y |
Supports Socks4 and Socks5 natively. Socks5 currently not supporting authentication.
Bear in mind, that proxy support doesnt always play well with all auth methods, see this table below.
| SOCKS4 | SOCKS4A | SOCKS5 | |
|---|---|---|---|
| NTLM | Y | Y | Y |
| Kerberos | N (incompatible) | Y | Y |
| SSPI | Y (only local users) | Y (only local users) | Y (only local users) |
| NEGOEX | Y | Y | Y |
I managed to condense all information needed to specify an SMB connection into an URL format.
It looks like this:
dialect-network+authmethod://user:secret@target:port/?param1=value1¶m2=value2
dialect fomat: smbX/smbXXX
Where version: 2 for any SBM2 3 for any SMB3 dialects, or specific 3 character code like 200 or 201 or 300...
network format: tcp or quic (leave empty for TCP)
authmethod format: auth-type
Where auth: ntlm or kerberos or sspi or negext
Where type: password or nt or aes or rc4 or kirbi ...
user format: DOMAIN\username
Where DOMAIN: your domain
Where username: your username
secret format: Depends on the authmethod's type value
target format: IP address or hostname of the target
port format: integer describing the port
The following parameters are used (the user victim is trying to log in to the domain controller):
Username: victim
Domain: TEST
Passowrd: Passw0rd!1
DC IP address: 10.10.10.2
DC hostname: win2019ad
Socks4 proxy serer: 127.0.0.1
Socks4 proxy port : 9050
smb+ntlm-password://TEST\victim:[email protected]
smb+ntlm-nt://TEST\victim:[email protected]
smb+sspi-ntlm://10.10.10.2
smb+kerberos-password://TEST\victim:[email protected]/?dc=10.10.10.2
smb+kerberos-nt://TEST\victim:[email protected]/?dc=10.10.10.2
smb2+kerberos-pfx://user.pfx:[email protected]/?dc=10.10.10.2
smb2+kerberos-pem://cert.pem:[email protected]/?dc=10.10.10.2
smb2+kerberos-pem://cert.pem:[email protected]/?dc=10.10.10.2
smb+sspi-kerberos://win2019ad.test.corp
smb+ntlm-password://TEST\victim:[email protected]/?proxyhost=127.0.0.1&proxyport=9050
smb+ntlm-password://TEST\victim:[email protected]/?timeout=60
smb+negoex-pfx://certificate.pfx:[email protected]/
Example 12 - Negoex certstore auth using certificate from the current user's certstore (Windows only). (eg. Azure P2P auth)
smb+negoex-certstore://<subject CN of the certificate to use>@10.10.10.2/
- DCERPC: in progress, lot of features working already
- VSS mountpoint operations
- a lot of other things
This project is heavily based on the Impacket orignally by @agsolino.
The DCERPC strucutre definitions and DCERPC parsing in this project is almost identical to the Impacket project.
NEGOEX protocol implementation was based on AzureADJoinedMachinePTC created by @rubin_mor
Certificate request functionality was based on certi created by @zer1t0
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent