If the probe for SMB2 fails, close the connection and then try probing
for SMB1 as a backup.
Since there are more SMB2 servers in the wild, that is the first
attempt.
Send SMB1 header, and Negotiation Request message for SMB1.
This brings the zgrab2 smb1 scanner to parity with the zgrab smb1
scanner, with presence detection via smbv1_support.
We check the ProtocolID in the raw data response, for two reasons:
1. Even if the full unmarshal fails for the message, we will log
that it is an smbv1 server
2. We need to add more response types structs, because the format
is different for various SMB1 dialects.
The negotiation response v1 structure is for the SMB1 "NT LM 0.12"
dialect, and is essentially a placeholder for now for future parsing.
TODO: Unmarshal into the appropriate message struct based on
SMB1 dialect, and parse dialect and capabilities, and return those
results.
These two functions are largely duplicates, and only differ in the
boolean option passed to LoggedNegotiateProtocol(). Combine the
functions, and just take that option in as an argument to pass along.
The smb library bounds checks for a message size that is too large, but
does not check for a message size that is way too small. Error out if
the message size is not at least as large as the ProtocolID 4-byte
preamble.
This fixes slice out-of-bounds panics when checking the buffer for the
protID string for certain hosts.
Signed-off-by: Jeff Cody <jcody@censys.io>
This parses the capabilities flags for the server, masking off invalid
flags based on dialect.
While both the NegotiationLogs and SessionSetupLog contain capabilities
flags, we extract the flags from the NegotiationLogs to represent the
server, as it is explicitly stated in [MS-SMB2] that those are the ones
that represent the capabilities of the server.
This parses the SMB Version response, and the dialect, to determine the
full SMB version. This is done in accordance with "[MS-SMB2] - v20190430"
from Microsoft, Section 2.2.4.
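The three commits above (the minimum-size check for the ProtocolID preamble, the dialect-based masking of capabilities flags, and the dialect-to-version mapping from [MS-SMB2] 2.2.4) describe one parsing path. The following is an added example, written for this page and not zgrab2's or the smb library's own code, that walks that path over a constructed negotiate response. It assumes the SMB2 header is 64 bytes with DialectRevision at body offset 4 and Capabilities at body offset 24 (per [MS-SMB2] 2.2.4), and it goes beyond the commit text by spelling out the per-dialect capability sets as read from [MS-SMB2] 3.3.5.4; the sample buffers are constructed, not captured from any host.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

// First four bytes of an SMB message: 0xFF 'S' 'M' 'B' for SMB1, 0xFE 'S' 'M' 'B' for SMB2.
var (
	smb1ProtocolID = []byte{0xFF, 'S', 'M', 'B'}
	smb2ProtocolID = []byte{0xFE, 'S', 'M', 'B'}
)

const smb2HeaderLen = 64 // fixed SMB2 packet header size ([MS-SMB2] 2.2.1)

// DialectRevision values from [MS-SMB2] 2.2.4 mapped to dotted versions.
var smb2Dialects = map[uint16]string{
	0x0202: "2.0.2", 0x0210: "2.1", 0x0300: "3.0", 0x0302: "3.0.2", 0x0311: "3.1.1",
}

// Capabilities bits from [MS-SMB2] 2.2.4.
const (
	capDFS               uint32 = 0x01
	capLeasing           uint32 = 0x02
	capLargeMTU          uint32 = 0x04
	capMultiChannel      uint32 = 0x08
	capPersistentHandles uint32 = 0x10
	capDirectoryLeasing  uint32 = 0x20
	capEncryption        uint32 = 0x40
)

// NegotiateInfo is what a scanner would log for one negotiate response.
type NegotiateInfo struct {
	Protocol     string // "smb1", "smb2" or "unknown"
	Version      string // SMB2 dialect as a dotted version, when parsed
	Capabilities uint32 // capabilities after masking for the dialect
}

// validCapsForDialect returns the capability bits a server may advertise for a
// dialect (assumption: taken from [MS-SMB2] 3.3.5.4). Bits outside the set are
// dropped, so a malformed response cannot claim e.g. encryption on a 2.0.2 server.
func validCapsForDialect(dialect uint16) uint32 {
	switch {
	case dialect == 0x0202:
		return capDFS
	case dialect == 0x0210:
		return capDFS | capLeasing | capLargeMTU
	case dialect >= 0x0300:
		return capDFS | capLeasing | capLargeMTU | capMultiChannel |
			capPersistentHandles | capDirectoryLeasing | capEncryption
	}
	return 0
}

// ParseNegotiateResponse classifies a raw negotiate response. The length check
// runs before buf[:4] is touched, which is the out-of-bounds case the commit fixes.
func ParseNegotiateResponse(buf []byte) (NegotiateInfo, error) {
	if len(buf) < len(smb1ProtocolID) {
		return NegotiateInfo{}, fmt.Errorf("message too short: %d bytes, need at least 4", len(buf))
	}
	switch {
	case bytes.Equal(buf[:4], smb1ProtocolID):
		// SMB1 presence is recorded even when the dialect-specific body is not parsed.
		return NegotiateInfo{Protocol: "smb1"}, nil
	case bytes.Equal(buf[:4], smb2ProtocolID):
		// Need the header plus the negotiate body up to and including Capabilities.
		if len(buf) < smb2HeaderLen+28 {
			return NegotiateInfo{Protocol: "smb2"}, errors.New("smb2 negotiate body truncated")
		}
		body := buf[smb2HeaderLen:]
		dialect := binary.LittleEndian.Uint16(body[4:6])   // DialectRevision
		rawCaps := binary.LittleEndian.Uint32(body[24:28]) // Capabilities
		version, ok := smb2Dialects[dialect]
		if !ok {
			version = fmt.Sprintf("unknown-dialect-0x%04x", dialect)
		}
		return NegotiateInfo{Protocol: "smb2", Version: version,
			Capabilities: rawCaps & validCapsForDialect(dialect)}, nil
	}
	return NegotiateInfo{Protocol: "unknown"}, nil
}

// sampleSMB2Response builds a constructed SMB2 NEGOTIATE response: dialect 2.1
// with Capabilities 0x47 (DFS|LEASING|LARGE_MTU plus an ENCRYPTION bit that is
// invalid for 2.1 and must be masked off).
func sampleSMB2Response() []byte {
	buf := make([]byte, smb2HeaderLen+64)
	copy(buf, smb2ProtocolID)
	binary.LittleEndian.PutUint16(buf[4:6], 64) // header StructureSize
	body := buf[smb2HeaderLen:]
	binary.LittleEndian.PutUint16(body[0:2], 65) // negotiate StructureSize
	binary.LittleEndian.PutUint16(body[4:6], 0x0210)
	binary.LittleEndian.PutUint32(body[24:28], 0x47)
	return buf
}

func main() {
	for _, in := range [][]byte{sampleSMB2Response(), {0xFF, 'S', 'M', 'B', 0x72}, {0xFF, 'S'}} {
		info, err := ParseNegotiateResponse(in)
		fmt.Printf("%+v err=%v\n", info, err)
	}
}
```

The two-byte input exercises the path that used to panic: it now returns an error instead of slicing past the buffer, and the 2.1 sample shows the invalid encryption bit being stripped while the three legitimate bits survive.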
Previous addition of GetTLSConfigForTarget (811eb38) did not modify
HTTP module to use SNI. This led to the very cryptic unknown-error:
remote error: internal error. Some servers give Fatal alerts when
they don't get an SNI extension. Discovered on a `Pagely-ARES/1.3.21`
Server
Some protocols may require more data than others. To accommodate those,
allow the BytesReadLimit to be changed by means of BaseFlags.
By setting BaseFlags.BytesReadLimit prior to calling .Open(), scanners
can override the default limit to one that is appropriate for the data
collected.