Skip to content

smb_enumshares: Allow for SMB1 ruby_smb#21345

Merged
smcintyre-r7 merged 2 commits into
rapid7:masterfrom
g0tmi1k:smb_enumshares
May 14, 2026
Merged

smb_enumshares: Allow for SMB1 ruby_smb#21345
smcintyre-r7 merged 2 commits into
rapid7:masterfrom
g0tmi1k:smb_enumshares

Conversation

@g0tmi1k

@g0tmi1k g0tmi1k commented Apr 21, 2026

Copy link
Copy Markdown
Contributor

Target is metasploitable 2 VM.

This PR covers:

  • SMB1_PORT (139/TCP) - Default to using RubySMB, then fall back to Rex
    • Work was done on RubySMB, but isn't fully there to remove Rex completely
  • Disable Rex doing SMB2_3_PORT (445/TCP), as its not supported (@smcintyre-r7 request)
  • Be more verbose
  • Add Rex logic support

Before

msf auxiliary(scanner/smb/smb_enumshares) > options

Module options (auxiliary/scanner/smb/smb_enumshares):

   Name                    Current Setting                         Required  Description
   ----                    ---------------                         --------  -----------
   HIGHLIGHT_NAME_PATTERN  username|password|user|pass|Groups.xml  yes       PCRE regex of resource names to highlight
   LogSpider               3                                       no        0 = disabled, 1 = CSV, 2 = table (txt), 3 = one liner (txt) (Accepted: 0, 1, 2, 3)
   MaxDepth                999                                     yes       Max number of subdirectories to spider
   Share                                                           no        Show only the specified share
   ShowFiles               false                                   yes       Show detailed information when spidering
   SpiderProfiles          true                                    no        Spider only user profiles when share is a disk share
   SpiderShares            true                                    no        Spider shares recursively


   Used when connecting via an existing SESSION:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   no        The session to run this module on


   Used when making a new connection via RHOSTS:

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOSTS     10.0.0.10        no        The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   SMBDomain  .                no        The Windows domain to use for authentication
   SMBPass                     no        The password for the specified username
   SMBUser                     no        The username to authenticate as
   THREADS    1                yes       The number of concurrent threads (max one per host)


View the full module info with the info, or info -d command.

msf auxiliary(scanner/smb/smb_enumshares) >
msf auxiliary(scanner/smb/smb_enumshares) > run
[*] 10.0.0.10: - Connecting to the server...
[-] 10.0.0.10: - Invalid packet received when trying to enumerate shares - The response seems to be an SMB1 NtCreateAndxResponse but an error occurs while parsing it. It is probably missing the required extended information.
[-] 10.0.0.10: - Error: '10.0.0.10' 'NoMethodError' 'undefined method `empty?' for nil'
[*] 10.0.0.10: - Connecting to the server...
[-] 10.0.0.10: - Invalid packet received when trying to enumerate shares - The response seems to be an SMB1 NtCreateAndxResponse but an error occurs while parsing it. It is probably missing the required extended information.
[-] 10.0.0.10: - Error: '10.0.0.10' 'NoMethodError' 'undefined method `empty?' for nil'
[*] 10.0.0.10: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/smb/smb_enumshares) >

After

msf auxiliary(scanner/smb/smb_enumshares) > reload
[*] Reloading module...
[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
msf auxiliary(scanner/smb/smb_enumshares) >
msf auxiliary(scanner/smb/smb_enumshares) > run
[*] 10.0.0.10:139 - Connecting using SMB v1 via ruby_smb
[-] 10.0.0.10:139 - Invalid packet received when trying to enumerate shares - The response seems to be an SMB1 NtCreateAndxResponse but an error occurs while parsing it. It is probably missing the required extended information.
[*] 10.0.0.10:445 - Connecting using SMB v1/2/3 via rex
[+] 10.0.0.10:445 - print$ - (DISK) Printer Drivers
[+] 10.0.0.10:445 - tmp - (DISK) oh noes!
[+] 10.0.0.10:445 - opt - (DISK)
[+] 10.0.0.10:445 - IPC$ - (IPC) IPC Service (metasploitable server (Samba 3.0.20-Debian))
[+] 10.0.0.10:445 - ADMIN$ - (IPC) IPC Service (metasploitable server (Samba 3.0.20-Debian))
[!] 10.0.0.10:445 - This is not available for this server (unable to use RubySMB)
[*] 10.0.0.10: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/smb/smb_enumshares) >

Comment thread modules/auxiliary/scanner/smb/smb_enumshares.rb Outdated
@g0tmi1k g0tmi1k force-pushed the smb_enumshares branch 5 times, most recently from 71d2d8e to 694570f Compare April 23, 2026 12:00
Comment thread modules/auxiliary/scanner/smb/smb_enumshares.rb Outdated
@github-project-automation github-project-automation Bot moved this from Todo to Waiting on Contributor in Metasploit Kanban Apr 23, 2026
@g0tmi1k g0tmi1k force-pushed the smb_enumshares branch 3 times, most recently from ec26a5c to 0ca161b Compare April 23, 2026 17:32
@g0tmi1k g0tmi1k requested a review from smcintyre-r7 April 23, 2026 17:32
@Z6543

Z6543 commented Apr 25, 2026

Copy link
Copy Markdown

FYI I also had a similar PR about this issue
#21123

@g0tmi1k g0tmi1k force-pushed the smb_enumshares branch 2 times, most recently from 56b0104 to 4a0e361 Compare April 30, 2026 11:57
Comment thread modules/auxiliary/scanner/smb/smb_enumshares.rb Outdated
@g0tmi1k g0tmi1k requested a review from bwatters-r7 May 4, 2026 11:12
@g0tmi1k g0tmi1k force-pushed the smb_enumshares branch 2 times, most recently from 87ea25f to dde64fc Compare May 6, 2026 16:30
@smcintyre-r7 smcintyre-r7 self-assigned this May 7, 2026

@smcintyre-r7 smcintyre-r7 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think with the overlap in changes to RubySMB, we just need the gem bumped. If the original issue was that the module wouldn't work when targeting metasploitable2, I'm able to reproduce that with commit 57fee32 from yesterday / RubySMB 3.3.17. It fails with Invalid packet received when trying to enumerate shares - The response seems to be an SMB1 NtCreateAndxResponse but an error occurs while parsing it....

Bumping RubySMB to 3.3.19 locally though allows the module with the exact same options to work.

msf auxiliary(scanner/smb/smb_enumshares) > show options

Module options (auxiliary/scanner/smb/smb_enumshares):

   Name                    Current Setting                         Required  Description
   ----                    ---------------                         --------  -----------
   HIGHLIGHT_NAME_PATTERN  username|password|user|pass|Groups.xml  yes       PCRE regex of resource names to highlight
   LogSpider               3                                       no        0 = disabled, 1 = CSV, 2 = table (txt), 3 = one liner (txt) (Accepted: 0, 1, 2, 3)
   MaxDepth                999                                     yes       Max number of subdirectories to spider
   Share                                                           no        Show only the specified share
   ShowFiles               false                                   yes       Show detailed information when spidering
   SpiderProfiles          true                                    no        Spider only user profiles when share is a disk share
   SpiderShares            false                                   no        Spider shares recursively


   Used when connecting via an existing SESSION:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   no        The session to run this module on


   Used when making a new connection via RHOSTS:

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOSTS     192.168.159.136  no        The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   SMBDomain  .                no        The Windows domain to use for authentication
   SMBPass                     no        The password for the specified username
   SMBUser                     no        The username to authenticate as
   THREADS    1                yes       The number of concurrent threads (max one per host)


View the full module info with the info, or info -d command.

msf auxiliary(scanner/smb/smb_enumshares) > run
[*] 192.168.159.136:139 - Unix  (Unknown)
[+] 192.168.159.136:139 - print$ - (DISK) Printer Drivers
[+] 192.168.159.136:139 - tmp - (DISK) oh noes!
[+] 192.168.159.136:139 - opt - (DISK)
[+] 192.168.159.136:139 - IPC$ - (IPC) IPC Service (metasploitable server (Samba 3.0.20-Debian))
[+] 192.168.159.136:139 - ADMIN$ - (IPC) IPC Service (metasploitable server (Samba 3.0.20-Debian))
[*] 192.168.159.136: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/smb/smb_enumshares) > pry
[*] Starting Pry shell...
[*] You are in the "auxiliary/scanner/smb/smb_enumshares" module object

[1] pry(#<Msf::Modules::Auxiliary__Scanner__Smb__Smb_enumshares::MetasploitModule>)> RubySMB::VERSION
=> "3.3.20"
[2] pry(#<Msf::Modules::Auxiliary__Scanner__Smb__Smb_enumshares::MetasploitModule>)>

You'll notice it says 3.3.20 which hasn't been released. That's just because I pointed the Gemfile to my local changes. Should get the same results bumping it from 3.3.17->3.3.19 which is published.

I went back to test this based on the comment here and here.

@g0tmi1k if you can confirm that we just need the gem bumped to resolve the issue you previously noticed, then we should be able to turn this into a simple change from bundle update --conservative ruby_smb.

@g0tmi1k

g0tmi1k commented May 14, 2026

Copy link
Copy Markdown
Contributor Author

Hey @smcintyre-r7 - thanks for getting back to me.

Hers my results:

Git Master && ruby_smb 3.3.17

Fails

$ git status
On branch master
Your branch is up to date with 'origin/master'.

nothing to commit, working tree clean
$ gem list | grep ruby_smb
ruby_smb (3.3.17)
$ ./msfconsole -q -x 'db_status; workspace -D;
setg VERBOSE true; setg RHOSTS 10.0.0.10; setg LHOST tap0;
use smb_enumshares;
run'
[...]
[*] Using auxiliary/scanner/smb/smb_enumshares
[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
[*] 10.0.0.10: - Connecting to the server...
[-] 10.0.0.10: - Invalid packet received when trying to enumerate shares - The response seems to be an SMB1 NtCreateAndxResponse but an error occurs while parsing it. It is probably missing the required extended information.
[*] 10.0.0.10: - Connecting to the server...
[-] 10.0.0.10: - Invalid packet received when trying to enumerate shares - The response seems to be an SMB1 NtCreateAndxResponse but an error occurs while parsing it. It is probably missing the required extended information.
[*] 10.0.0.10: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/smb/smb_enumshares) >

Git Master && ruby_smb 3.3.19

Works!

$ vim metasploit-framework.gemspec
$ git diff
diff --git a/metasploit-framework.gemspec b/metasploit-framework.gemspec
index 219b877157..03e3924dc4 100644
--- a/metasploit-framework.gemspec
+++ b/metasploit-framework.gemspec
@@ -151,7 +151,7 @@ Gem::Specification.new do |spec|
   spec.add_runtime_dependency 'net-ssh'
   spec.add_runtime_dependency 'ed25519' # Adds ed25519 keys for net-ssh
   spec.add_runtime_dependency 'bcrypt_pbkdf'
-  spec.add_runtime_dependency 'ruby_smb', '~> 3.3.17'
+  spec.add_runtime_dependency 'ruby_smb', '~> 3.3.19'
   spec.add_runtime_dependency 'net-imap' # Used in Postgres auth for its SASL stringprep implementation
   spec.add_runtime_dependency 'date', '3.4.1' # Temporarily pinned until 3.5 can be tested
   spec.add_runtime_dependency 'net-ldap'
$ bundle update ruby_smb
[...]
Installing ruby_smb 3.3.19 (was 3.3.17)
[...]
$ ./msfconsole -q -x 'db_status; workspace -D;
setg VERBOSE true; setg RHOSTS 10.0.0.10; setg LHOST tap0;
use smb_enumshares;
run'
[...]
[*] Using auxiliary/scanner/smb/smb_enumshares
[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
[*] 10.0.0.10: - Connecting to the server...
[*] 10.0.0.10: - Unix  (Unknown)
[+] 10.0.0.10: - print$ - (DISK) Printer Drivers
[+] 10.0.0.10: - tmp - (DISK) oh noes!
[+] 10.0.0.10: - opt - (DISK)
[+] 10.0.0.10: - IPC$ - (IPC) IPC Service (metasploitable server (Samba 3.0.20-Debian))
[+] 10.0.0.10: - ADMIN$ - (IPC) IPC Service (metasploitable server (Samba 3.0.20-Debian))
[*] 10.0.0.10: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/smb/smb_enumshares) >

I did a force push - drop all the rex items, and left in all the verbose stuff.
I had a go at trying to bump the gems too.

@g0tmi1k g0tmi1k requested a review from smcintyre-r7 May 14, 2026 12:52
@g0tmi1k g0tmi1k changed the title smb_enumshares: Allow for SMB1 ruby_smb & rex backends smb_enumshares: Allow for SMB1 ruby_smb May 14, 2026
Comment thread modules/auxiliary/scanner/smb/smb_enumshares.rb Outdated
@g0tmi1k g0tmi1k requested a review from smcintyre-r7 May 14, 2026 16:53

@smcintyre-r7 smcintyre-r7 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I amended the last commit to fix the gem bump. With that in place, the tests are passing.

In this example 192.168.159.136 is metasploit2 (the original fail condition) and 192.168.159.10 (Server 2019 with SMB1/2/3)

msf auxiliary(scanner/smb/smb_enumshares) > run RHOSTS=192.168.159.136 SMBUser= SMBPass=
[*] 192.168.159.136:139 - Unix  (Unknown)
[+] 192.168.159.136:139 - print$ - (DISK) Printer Drivers
[+] 192.168.159.136:139 - tmp - (DISK) oh noes!
[+] 192.168.159.136:139 - opt - (DISK) 
[+] 192.168.159.136:139 - IPC$ - (IPC) IPC Service (metasploitable server (Samba 3.0.20-Debian))
[+] 192.168.159.136:139 - ADMIN$ - (IPC) IPC Service (metasploitable server (Samba 3.0.20-Debian))
[*] 192.168.159.136: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/smb/smb_enumshares) > run RHOSTS=192.168.159.10 SMBUser= SMBPass=
[-] 192.168.159.10:139 - Login Failed: Unable to negotiate SMB1 with the remote host: Not a valid SMB packet
[-] 192.168.159.10:445 - Error when trying to enumerate shares - STATUS_ACCESS_DENIED
[*] 192.168.159.10: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/smb/smb_enumshares) > run RHOSTS=192.168.159.10 SMBUser=aliddle SMBPass=Password1!
[-] 192.168.159.10:139 - Login Failed: Unable to negotiate SMB1 with the remote host: Not a valid SMB packet
[!] 192.168.159.10:445 - peer_native_os is only available with SMB1 (current version: SMB3)
[!] 192.168.159.10:445 - peer_native_lm is only available with SMB1 (current version: SMB3)
[+] 192.168.159.10:445 - ADMIN$ - (DISK|SPECIAL) Remote Admin
[+] 192.168.159.10:445 - C$ - (DISK|SPECIAL) Default share
[+] 192.168.159.10:445 - CertEnroll - (DISK) Active Directory Certificate Services share
[+] 192.168.159.10:445 - IPC$ - (IPC|SPECIAL) Remote IPC
[+] 192.168.159.10:445 - NETLOGON - (DISK) Logon server share 
[+] 192.168.159.10:445 - Public - (DISK) 
[+] 192.168.159.10:445 - SYSVOL - (DISK) Logon server share 
[+] 192.168.159.10:445 - Users - (DISK) 
[*] 192.168.159.10: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/smb/smb_enumshares) > 

@github-project-automation github-project-automation Bot moved this from Waiting on Contributor to In Progress in Metasploit Kanban May 14, 2026
@smcintyre-r7 smcintyre-r7 merged commit 02e90eb into rapid7:master May 14, 2026
61 checks passed
@github-project-automation github-project-automation Bot moved this from In Progress to Done in Metasploit Kanban May 14, 2026
@smcintyre-r7

Copy link
Copy Markdown
Contributor

Release Notes

This fixes an issue in the smb_enumshares module that prevented it from working against certain SMB 1 targets such as Metasploitable 2.

@smcintyre-r7 smcintyre-r7 added module bug rn-fix release notes fix labels May 14, 2026
@g0tmi1k g0tmi1k deleted the smb_enumshares branch May 14, 2026 18:17
@g0tmi1k

g0tmi1k commented May 14, 2026

Copy link
Copy Markdown
Contributor Author

Thanks @smcintyre-r7 !

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

bug module rn-fix release notes fix

Projects

Archived in project

Development

Successfully merging this pull request may close these issues.

4 participants