dissect.target.loaders.smb

Module Contents

Classes

SmbLoader	Use remote SMB servers as targets.
SmbRegistry	Provides registry access for Windows targets.
SmbRegistryHive	Base class for registry hives.
SmbRegistryKey	Base class for registry keys.
SmbRegistryValue	Base class for registry values.

Attributes

HAS_IMPACKET

dissect.target.loaders.smb.HAS_IMPACKET = True

class dissect.target.loaders.smb.SmbLoader(path: pathlib.Path, parsed_path: urllib.parse.ParseResult | None = None)

Bases: dissect.target.loader.Loader

Use remote SMB servers as targets.

This loader maps SMB shares from a remote SMB server as filesystems. It makes use of Impacket’s SMBConnection class to connect to the remote server and enumerate all available shares. The shares are then mapped as filesystems in the target. You can use the following examples to connect to a guest.

Connect as guest (you’re probably not going to get very far with this one):

smb://10.10.128.3

Connect as administrator using NTLM password authentication:

smb://administrator:Dissect123!@10.10.128.3

Connect as administrator using NTLM pass-the-hash authentication:

smb://administrator@10.10.128.3?hash=3c19c73ccd2bbcb84c592321caa4b1be

Connect using a Kerberos authentication:

smb://administrator@infected.dissect.lab?kerberos=true&ip=10.10.128.3&ticket=administrator.ccache&dc=dc01.dissect.lab&dc-ip=10.10.10.10

You can also use the following environment variables instead:

• SMB_TARGET_IP

• SMB_TARGET_HOST

• SMB_DOMAIN

• SMB_USERNAME

• SMB_PASSWORD

• SMB_KERBEROS_TICKET (or KRB5CCNAME)

• SMB_KERBEROS_DC

• SMB_KERBEROS_DC_IP

• SMB_KERBEROS_AES_KEY

When using environment variables, you can invoke this loader using an empty smb:// URI.

MACHINE_NAME = 'DISSECT-TARGET'

EMPTY_NT = '31d6cfe0d16ae931b73c59d7e0c089c0'

EMPTY_LM = 'aad3b435b51404eeaad3b435b51404ee'

static detect(path: pathlib.Path) → bool

This loader can only be activated with the URI-scheme smb://<ip>.

map(target: dissect.target.target.Target) → None

Map all target filesystems (network shares) from the SMB connection.

class dissect.target.loaders.smb.SmbRegistry(target: dissect.target.target.Target, conn: impacket.smbconnection.SMBConnection)

Bases: dissect.target.plugins.os.windows.registry.RegistryPlugin

Provides registry access for Windows targets.

Acts much the same to how the registry works on a live Windows machine. Hives are correctly mapped under e.g. HKLMSOFTWARE.

Internal functions only.

__register__ = False

Determines whether this plugin will be registered.

conn

check_compatible() → bool

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

__del__() → None

class dissect.target.loaders.smb.SmbRegistryHive(winreg: impacket.dcerpc.v5.rpcrt.DCERPC_v5, name: str, handle: int)

Bases: dissect.target.helpers.regutil.RegistryHive

Base class for registry hives.

winreg

name

handle

key(key: str) → SmbRegistryKey

Retrieve a registry key from a specific path.

Parameters:

key – A path to a registry key within this hive.

Raises:

RegistryKeyNotFoundError – If the registry key could not be found.

class dissect.target.loaders.smb.SmbRegistryKey(hive: SmbRegistryHive, path: str)

Bases: dissect.target.helpers.regutil.RegistryKey

Base class for registry keys.

Parameters:

hive – The registry hive to which this registry key belongs.

hive: SmbRegistryHive

property handle: int

property name: str

Returns the name of this key.

property path: str

Returns the path of this key.

property timestamp: datetime.datetime

Returns the last modified timestamp of this key.

subkey(subkey: str) → SmbRegistryKey

Returns a specific subkey from this key.

Parameters:

subkey – The name of the subkey to retrieve.

Raises:

RegistryKeyNotFoundError – If this key has no subkey with the requested name.

subkeys() → list[SmbRegistryKey]

Returns a list of subkeys from this key.

values() → list[SmbRegistryValue]

Returns a list of all the values from this key.

class dissect.target.loaders.smb.SmbRegistryValue(hive: str, name: str, data: bytes, type: int)

Bases: dissect.target.helpers.regutil.RegistryValue

Base class for registry values.

Parameters:

hive – The registry hive to which this registry value belongs.

property name: str

Returns the name of this value.

property value: dissect.target.helpers.regutil.ValueType

Returns the value of this value.

property type: str

Returns the type of this value.

Reference:

• https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-value-types