The SMB Fuzzer fuzzes the Server Message Block (SMB) protocol, which provides file sharing, printing and inter-process communication (IPC) between Unix and Windows systems.
The SMB Fuzzer requires the rustup toolchain. If it is not already installed, follow the Rust Installation Guide.
Listed here are the current dependencies:
- Rust 1.50.0
- Cargo 1.50.0
- bitflags 1.2.1
- hex 0.4.3
- rand 0.8.3
The current user API is very limited. To execute the SMB Fuzzer, run the following command from the root directory of the project:

```
cargo run -- [message] [strategy] [state]
```

Note that the flags must be given in exactly this order (message, then strategy, then state); this will be changed later.

For example, to run the Predefined fuzzing strategy for the Negotiate message in the Initial state:

```
cargo run -- --negotiate --predefined -init_state
```

The available flags are printed by

```
cargo run -- -h
```

or `cargo run -- --help`.
Note that each message can currently only be fuzzed from certain states. The state is the point in the SMB session the fuzzer drives the connection to before it sends the fuzzed message, so a message is only valid once its prerequisites have been exchanged (Echo is valid in every state). Which messages can be fuzzed in which state is shown below.
State | Messages |
---|---|
Initial | Negotiate, Echo |
Negotiate | Session Setup Negotiate, Echo |
Session Setup Negotiate | Session Setup Authenticate, Echo |
Session Setup Authenticate | Tree Connect, Echo |
Tree Connect | Create, Echo |
Create | Query Info, Close, Echo |
Close | Create, Echo |
All currently available flags are listed below.
Message | Flag |
---|---|
Negotiate | -n / --negotiate / --Negotiate |
Session Setup Negotiate | -sn / --session_setup_neg / --Session_setup_neg |
Session Setup Authenticate | -sa / --session_setup_auth / --Session_setup_auth |
Tree Connect | -t / --tree_connect / --Tree_connect |
Create | -cr / --create / --Create |
Query Info | -q / --query_info / --Query_info |
Close | -cl / --close / --Close |
Echo | -e / --echo / --Echo |
Strategy | Flag |
---|---|
Predefined | -pre / --predefined / --Predefined |
Random Fields | -rf / --random_fields / --Random_fields |
Completely Random | -cran / --completely_random / --Completely_random |
State | Flag |
---|---|
Initial | -init_state |
Negotiate | -neg_state |
Session Setup Negotiate | -session_setup_neg_state |
Session Setup Authenticate | -session_setup_auth_state |
Tree Connect | -tree_state |
Create | -create_state |
Close | -close_state |
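As an added example (not part of the SMB Fuzzer's own code), the Rust below builds the Negotiate request that is sent in the Initial state and applies the three strategies from the table above to it. It assumes the SMB2 wire format, since the message names in the tables match the SMB2 commands of a client session; the header and NEGOTIATE field layouts follow MS-SMB2 sections 2.2.1.2 and 2.2.3, while the field table, the boundary-value list used for the Predefined strategy, the xorshift PRNG and all function names are this example's own assumptions, not the project's API. It needs no crates beyond the standard library.

```rust
// Added example, not the SMB Fuzzer's code: encode an SMB2 NEGOTIATE request
// and mutate it with the Predefined / Random Fields / Completely Random
// strategies. Field layouts follow MS-SMB2; everything else is assumed here.

/// SMB2 packet header, 64 bytes, all integers little-endian.
fn smb2_header(command: u16, message_id: u64) -> Vec<u8> {
    let mut h = Vec::with_capacity(64);
    h.extend_from_slice(&[0xFE, b'S', b'M', b'B']);    // ProtocolId
    h.extend_from_slice(&64u16.to_le_bytes());          // StructureSize, always 64
    h.extend_from_slice(&1u16.to_le_bytes());           // CreditCharge
    h.extend_from_slice(&0u32.to_le_bytes());           // Status / ChannelSequence
    h.extend_from_slice(&command.to_le_bytes());        // Command (NEGOTIATE = 0x0000)
    h.extend_from_slice(&1u16.to_le_bytes());           // CreditRequest
    h.extend_from_slice(&0u32.to_le_bytes());           // Flags
    h.extend_from_slice(&0u32.to_le_bytes());           // NextCommand (no compounding)
    h.extend_from_slice(&message_id.to_le_bytes());     // MessageId
    h.extend_from_slice(&0u32.to_le_bytes());           // Reserved
    h.extend_from_slice(&0u32.to_le_bytes());           // TreeId (none before TREE_CONNECT)
    h.extend_from_slice(&0u64.to_le_bytes());           // SessionId (none before SESSION_SETUP)
    h.extend_from_slice(&[0u8; 16]);                    // Signature (request is unsigned)
    h
}

/// NEGOTIATE request body for dialects below 3.1.1 (no negotiate contexts).
fn negotiate_body(dialects: &[u16], security_mode: u16) -> Vec<u8> {
    let mut b = Vec::with_capacity(36 + 2 * dialects.len());
    b.extend_from_slice(&36u16.to_le_bytes());                    // StructureSize, always 36
    b.extend_from_slice(&(dialects.len() as u16).to_le_bytes()); // DialectCount
    b.extend_from_slice(&security_mode.to_le_bytes());           // SecurityMode (1 = signing enabled)
    b.extend_from_slice(&0u16.to_le_bytes());                    // Reserved
    b.extend_from_slice(&0u32.to_le_bytes());                    // Capabilities
    b.extend_from_slice(&[0u8; 16]);                             // ClientGuid
    b.extend_from_slice(&0u64.to_le_bytes());                    // ClientStartTime
    for d in dialects {
        b.extend_from_slice(&d.to_le_bytes());                   // Dialects[]
    }
    b
}

/// Prefix header + body with the 4-byte NetBIOS session header used on TCP/445
/// (0x00 followed by a 24-bit big-endian length).
fn frame(header: &[u8], body: &[u8]) -> Vec<u8> {
    let len = header.len() + body.len();
    let mut f = vec![0u8, (len >> 16) as u8, (len >> 8) as u8, len as u8];
    f.extend_from_slice(header);
    f.extend_from_slice(body);
    f
}

/// (offset, length) of every fixed-size field in the NEGOTIATE body (assumed table).
const NEGOTIATE_FIELDS: &[(usize, usize)] =
    &[(0, 2), (2, 2), (4, 2), (6, 2), (8, 4), (12, 16), (28, 8)];

/// Small xorshift64 PRNG so the example needs no crates; the seed must be non-zero.
struct XorShift64(u64);
impl XorShift64 {
    fn next(&mut self) -> u64 {
        let mut x = self.0;
        x ^= x << 13; x ^= x >> 7; x ^= x << 17;
        self.0 = x;
        x
    }
}

/// Predefined: boundary values for the length/count fields a server parser must validate.
fn predefined(body: &[u8]) -> Vec<Vec<u8>> {
    let cases: [(usize, u16); 4] = [(0, 0), (0, 0xFFFF), (2, 0), (2, 0xFFFF)];
    cases.iter().map(|&(off, v)| {
        let mut m = body.to_vec();
        m[off..off + 2].copy_from_slice(&v.to_le_bytes());
        m
    }).collect()
}

/// Random Fields: keep the layout, overwrite one whole field with random bytes.
/// Returns the mutated body and the index of the field it touched.
fn random_fields(body: &[u8], rng: &mut XorShift64) -> (Vec<u8>, usize) {
    let idx = (rng.next() % NEGOTIATE_FIELDS.len() as u64) as usize;
    let (off, len) = NEGOTIATE_FIELDS[idx];
    let mut m = body.to_vec();
    for b in &mut m[off..off + len] {
        *b = rng.next() as u8;
    }
    (m, idx)
}

/// Completely Random: ignore the layout, emit 1..=max_len random bytes.
fn completely_random(max_len: usize, rng: &mut XorShift64) -> Vec<u8> {
    let len = 1 + (rng.next() % max_len as u64) as usize;
    (0..len).map(|_| rng.next() as u8).collect()
}

fn main() {
    let header = smb2_header(0x0000, 0);
    let body = negotiate_body(&[0x0202, 0x0210, 0x0300, 0x0302], 0x0001);
    let mut rng = XorShift64(0x9E37_79B9_7F4A_7C15);
    let (mutated, field) = random_fields(&body, &mut rng);
    println!("baseline request: {} bytes", frame(&header, &body).len());
    println!("predefined cases: {}", predefined(&body).len());
    println!("random_fields touched field {} -> {:02x?}", field, &mutated[..8]);
    println!("completely_random: {} bytes", completely_random(512, &mut rng).len());
}
```

Running it only prints sizes; nothing is sent on the wire. The Random Fields variant returns the index of the field it overwrote so a harness can record which field produced a crash or hang, and the Predefined cases target StructureSize and DialectCount because those are the values a server checks before it trusts the rest of the body.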
The target is a Samba server with the following /etc/samba/smb.conf:

```ini
[global]
workgroup = WORKGROUP
lanman auth = no
ntlm auth = no
server role = standalone server
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user

[share]
comment = Pi share folder
path = /share
browseable = yes
writeable = yes
create mask = 0777
directory mask = 0777
public = yes
guest ok = yes
```

This configuration is deliberately permissive: `map to guest = bad user` together with `guest ok = yes` and `writeable = yes` lets an unauthenticated client read and write the share, and `create mask = 0777` makes every created file world-writable. That is convenient for reaching the Tree Connect, Create, Query Info and Close states without credentials, but the target should only run on an isolated lab network. `lanman auth = no` and `ntlm auth = no` leave NTLMv2 as the only password authentication, so the Session Setup Authenticate state has to be reached with NTLMv2.