Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
SMBv2 and v3 Client for Python.
SMB is a network file sharing protocol and has numerous iterations over the years. This library implements the SMBv2 and SMBv3 protocol based on the MS-SMB2 document.
This is definitely not feature complete as SMB is quite a complex protocol, see backlog for features that would be nice to have in this library.
To use Kerberos authentication on Linux, further dependencies are required, to install these dependencies run
# for Debian/Ubuntu/etc:
sudo apt-get install gcc python-dev libkrb5-dev
pip install smbprotocol[kerberos]
# for RHEL/CentOS/etc:
sudo yum install gcc python-devel krb5-devel krb5-workstation python-devel
pip install smbprotocol[kerberos]
Kerberos auth with Windows should just work out of the box with the pyspnego
library but on Linux, the
python-gssapi
library must be installed and smbprotocol
requires a particular GSSAPI extension to be available to
work. This extension should be installed on the majority of MIT or Heimdal Kerberos installs but that is not a
guarantee. To verify that Kerberos is available on Linux you can run the following check in a Python console:
try:
from gssapi.raw import inquire_sec_context_by_oid
print("python-gssapi extension is available")
except ImportError as exc:
print(f"python-gssapi extension is not available: {exc}")
If it isn't available, then either a newer version of the system's gssapi implementation needs to be setup and python-gssapi compiled against that newer version. In the absence of this extension, only NTLM auth is used.
To install smbprotocol, simply run
pip install smbprotocol
# To install with Kerberos support
pip install smbprotocol[kerberos]
This will download the required packages that are used in this package and get your Python environment ready to go.
One of the first steps as part of the SMB protocol is to negotiate the dialect used and other features that are available. Currently smbprotocol supports the following dialects;
2.0.0
: Added with Server 2008/Windows Vista2.1.0
: Added with Server 2008 R2/Windows 73.0.0
: Added with Server 2012/Windows 83.0.2
: Added with Server 2012 R2/Windows 8.13.1.1
: Added with Server 2016/Windows10Each dialect adds in more features to the protocol where some are minor but some are major. One major changes is in Dialect 3.x where it added message encryption. Message encryption is set to True by default and needs to be overridden when creating a Session object for the older dialects.
By default, the negotiation process will use the latest dialect that is supported by the server but this can be overridden if required. When this is done by the following code
import uuid
from smbprotocol.connection import Connection, Dialects
connection = Connection(uuid.uuid4(), "server", 445)
connection.connect(Dialects.SMB_3_0_2)
While you shouldn't want to downgrade to an earlier version, this does allow you to set a minimum dialect version if required.
There are 2 different APIs you can use with this library.
smbprotocol
: Low level interface that can do whatever you want but quite verbosesmbclient
: Higher level interface that implements the builtin os
and os.path
file system functions but for SMB supportThe examples
folder contains some examples of both the high and low level
interface but for everyday user's it is recommended to use smbclient
as it
is a lot simpler.
The higher level interface smbclient
is designed to make this library easier
for people to use for simple and common use cases. It is designed to replicate
the builtin os
and os.path
filesystem functions like os.open()
,
os.stat()
, and os.path.exists()
. It is also designed to handle connections
to a DFS target unlike smbprotocol
.
A connection made by smbclient
is kept in a pool and re-used for future
requests to the same server until the Python process exists. This makes
authentication simple and only required for the first call to the server. Any
DFS referrals are also cached in that Python process. This optimises any
future requests to that same DFS namespace.
The functions in smbclient
have a global config object that can be used to
set any connection defaults to use for any future connections. It can also be
used to specify any domain based DFS settings for more advanced setups. It is
recommended to use ClientConfig()
to set any global credentials like so:
import smbclient
smbclient.ClientConfig(username='user', password='password')
The ClientConfig
is a singleton and any future instanciations of that
object will just update the keys being set. You can set the following keys on
the ClientConfig
:
client_guid
: The client GUID to identify the client to the server on a new connectionusername
: The default username to use when creating a new SMB session if explicit credentials weren't setpassword
: The default password to use for authenticationdomain_controller
: The domain controller hostname. This is useful for environments with DFS servers as it is used to identify the DFS domain information automaticallyskip_dfs
: Whether to skip doing any DFS resolution, useful if there is a bug or you don't want to waste any roundtrip requesting referralsauth_protocol
: The authentication protocol to use; negotiate
(default), kerberos
, or ntlm
require_secure_negotiate
: Control whether the client validates the negotiation info when connecting to a share (default: True
).
As well as setting the default credentials on the ClientConfig
you can also
specify the credentials and other connection parameters on each smbclient
function or when registering a new server. These functions accept the
following kwargs:
username
: The username used to connect to the sharepassword
: The password used to connect to the shareport
: Override the default port (445
) to connect toencrypt
: Whether to force encryption on the connection, requires SMBv3 or newer on the remote server (default: False
)connection_timeout
: Override the connection timeout in seconds (default: 60
)If using Kerberos authentication and a Kerberos ticket has already set by
kinit
then smbclient
will automatically use those credentials without
having to be explicitly set. If no ticket has been retrieved or you wish to use
different credentials then set the default credentials on the ClientConfig
or specify username
and password
on the first request to the server.
For example I only need to set the credentials on the first request to create the directory and not for the subsequent file creation in that dir.
import smbclient
# Optional - specify the default credentials to use on the global config object
smbclient.ClientConfig(username='user', password='pass')
# Optional - register the credentials with a server (overrides ClientConfig for that server)
smbclient.register_session("server", username="user", password="pass")
smbclient.mkdir(r"\\server\share\directory", username="user", password="pass")
with smbclient.open_file(r"\\server\share\directory\file.txt", mode="w") as fd:
fd.write(u"file contents")
If you wish to reset the cache you can either start a new Python process or
call smbclient.reset_connection_cache()
to close all the connections that
have been cached by the client.
This library makes use of the builtin Python logging facilities. Log messages
are logged to the smbprotocol
named logger as well as smbprotocol.*
where
*
is each python script in the smbprotocol
directory.
These logs are really useful when debugging issues as they give you a more step by step snapshot of what it is doing and what may be going wrong. The debug side will also print out a human readable string of each SMB packet that is sent out from the client so it can get very verbose.
To this module, you need to install some pre-requisites first. This can be done by running;
# Install in current environment.
# Recommend to have virtual environment installed at .venv path.
pip install -r requirements-dev.txt
pip install -e .
From there to run the basic tests run;
python -m pytest -v --cov smbprotocol --cov-report term-missing
Before sending the code for review, besides making sure all the test pass, check that the code complies with the coding standards:
source ./build_helpers/lib.sh
lib::sanity::run
There are extra tests that only run when certain environment variables are set. To run these tests set the following variables;
SMB_USER
: The username to authenticate withSMB_PASSWORD
: The password to authenticate withSMB_SERVER
: The IP or hostname of the server to authenticate withSMB_PORT
: The port the SMB server is listening on, default is 445
SMB_SHARE
: The name of the share to connect to, a share with this name must exist as well as a share with the name$SMB_SHARE-encrypted
must also exist that forces encryptionFrom here running pytest
with these environment variables set will
activate the integration tests.
This requires either Windows 10 or Server 2016 as they support Dialect 3.1.1 which is required by the tests.
If you don't have access to a Windows host, you can use Docker to setup a Samba container and use that as part of the tests. To do so run the following bash commands;
source ./build_helpers/lib.sh
lib::setup::smb_server
This command will also set the required SMB_*
env vars used in testing.
Here is a list of features that I would like to incorporate, PRs are welcome if you want to implement them yourself;
FAQs
Interact with a server using the SMB 2/3 Protocol
We found that smbprotocol demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.