smb_enumshares: Allow for SMB1 ruby_smb#21345
Conversation
71d2d8e to
694570f
Compare
ec26a5c to
0ca161b
Compare
|
FYI I also had a similar PR about this issue |
56b0104 to
4a0e361
Compare
87ea25f to
dde64fc
Compare
There was a problem hiding this comment.
I think with the overlap in changes to RubySMB, we just need the gem bumped. If the original issue was that the module wouldn't work when targeting metasploitable2, I'm able to reproduce that with commit 57fee32 from yesterday / RubySMB 3.3.17. It fails with Invalid packet received when trying to enumerate shares - The response seems to be an SMB1 NtCreateAndxResponse but an error occurs while parsing it....
Bumping RubySMB to 3.3.19 locally though allows the module with the exact same options to work.
msf auxiliary(scanner/smb/smb_enumshares) > show options
Module options (auxiliary/scanner/smb/smb_enumshares):
Name Current Setting Required Description
---- --------------- -------- -----------
HIGHLIGHT_NAME_PATTERN username|password|user|pass|Groups.xml yes PCRE regex of resource names to highlight
LogSpider 3 no 0 = disabled, 1 = CSV, 2 = table (txt), 3 = one liner (txt) (Accepted: 0, 1, 2, 3)
MaxDepth 999 yes Max number of subdirectories to spider
Share no Show only the specified share
ShowFiles false yes Show detailed information when spidering
SpiderProfiles true no Spider only user profiles when share is a disk share
SpiderShares false no Spider shares recursively
Used when connecting via an existing SESSION:
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION no The session to run this module on
Used when making a new connection via RHOSTS:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 192.168.159.136 no The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
THREADS 1 yes The number of concurrent threads (max one per host)
View the full module info with the info, or info -d command.
msf auxiliary(scanner/smb/smb_enumshares) > run
[*] 192.168.159.136:139 - Unix (Unknown)
[+] 192.168.159.136:139 - print$ - (DISK) Printer Drivers
[+] 192.168.159.136:139 - tmp - (DISK) oh noes!
[+] 192.168.159.136:139 - opt - (DISK)
[+] 192.168.159.136:139 - IPC$ - (IPC) IPC Service (metasploitable server (Samba 3.0.20-Debian))
[+] 192.168.159.136:139 - ADMIN$ - (IPC) IPC Service (metasploitable server (Samba 3.0.20-Debian))
[*] 192.168.159.136: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/smb/smb_enumshares) > pry
[*] Starting Pry shell...
[*] You are in the "auxiliary/scanner/smb/smb_enumshares" module object
[1] pry(#<Msf::Modules::Auxiliary__Scanner__Smb__Smb_enumshares::MetasploitModule>)> RubySMB::VERSION
=> "3.3.20"
[2] pry(#<Msf::Modules::Auxiliary__Scanner__Smb__Smb_enumshares::MetasploitModule>)>
You'll notice it says 3.3.20 which hasn't been released. That's just because I pointed the Gemfile to my local changes. Should get the same results bumping it from 3.3.17->3.3.19 which is published.
I went back to test this based on the comment here and here.
@g0tmi1k if you can confirm that we just need the gem bumped to resolve the issue you previously noticed, then we should be able to turn this into a simple change from bundle update --conservative ruby_smb.
|
Hey @smcintyre-r7 - thanks for getting back to me. Hers my results: Git Master && ruby_smb 3.3.17Fails $ git status
On branch master
Your branch is up to date with 'origin/master'.
nothing to commit, working tree clean
$ gem list | grep ruby_smb
ruby_smb (3.3.17)
$ ./msfconsole -q -x 'db_status; workspace -D;
setg VERBOSE true; setg RHOSTS 10.0.0.10; setg LHOST tap0;
use smb_enumshares;
run'
[...]
[*] Using auxiliary/scanner/smb/smb_enumshares
[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
[*] 10.0.0.10: - Connecting to the server...
[-] 10.0.0.10: - Invalid packet received when trying to enumerate shares - The response seems to be an SMB1 NtCreateAndxResponse but an error occurs while parsing it. It is probably missing the required extended information.
[*] 10.0.0.10: - Connecting to the server...
[-] 10.0.0.10: - Invalid packet received when trying to enumerate shares - The response seems to be an SMB1 NtCreateAndxResponse but an error occurs while parsing it. It is probably missing the required extended information.
[*] 10.0.0.10: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/smb/smb_enumshares) >Git Master && ruby_smb 3.3.19Works! $ vim metasploit-framework.gemspec
$ git diff
diff --git a/metasploit-framework.gemspec b/metasploit-framework.gemspec
index 219b877157..03e3924dc4 100644
--- a/metasploit-framework.gemspec
+++ b/metasploit-framework.gemspec
@@ -151,7 +151,7 @@ Gem::Specification.new do |spec|
spec.add_runtime_dependency 'net-ssh'
spec.add_runtime_dependency 'ed25519' # Adds ed25519 keys for net-ssh
spec.add_runtime_dependency 'bcrypt_pbkdf'
- spec.add_runtime_dependency 'ruby_smb', '~> 3.3.17'
+ spec.add_runtime_dependency 'ruby_smb', '~> 3.3.19'
spec.add_runtime_dependency 'net-imap' # Used in Postgres auth for its SASL stringprep implementation
spec.add_runtime_dependency 'date', '3.4.1' # Temporarily pinned until 3.5 can be tested
spec.add_runtime_dependency 'net-ldap'
$ bundle update ruby_smb
[...]
Installing ruby_smb 3.3.19 (was 3.3.17)
[...]
$ ./msfconsole -q -x 'db_status; workspace -D;
setg VERBOSE true; setg RHOSTS 10.0.0.10; setg LHOST tap0;
use smb_enumshares;
run'
[...]
[*] Using auxiliary/scanner/smb/smb_enumshares
[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
[*] 10.0.0.10: - Connecting to the server...
[*] 10.0.0.10: - Unix (Unknown)
[+] 10.0.0.10: - print$ - (DISK) Printer Drivers
[+] 10.0.0.10: - tmp - (DISK) oh noes!
[+] 10.0.0.10: - opt - (DISK)
[+] 10.0.0.10: - IPC$ - (IPC) IPC Service (metasploitable server (Samba 3.0.20-Debian))
[+] 10.0.0.10: - ADMIN$ - (IPC) IPC Service (metasploitable server (Samba 3.0.20-Debian))
[*] 10.0.0.10: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/smb/smb_enumshares) >I did a force push - drop all the rex items, and left in all the verbose stuff. |
b661986 to
7432648
Compare
smcintyre-r7
left a comment
There was a problem hiding this comment.
I amended the last commit to fix the gem bump. With that in place, the tests are passing.
In this example 192.168.159.136 is metasploit2 (the original fail condition) and 192.168.159.10 (Server 2019 with SMB1/2/3)
msf auxiliary(scanner/smb/smb_enumshares) > run RHOSTS=192.168.159.136 SMBUser= SMBPass=
[*] 192.168.159.136:139 - Unix (Unknown)
[+] 192.168.159.136:139 - print$ - (DISK) Printer Drivers
[+] 192.168.159.136:139 - tmp - (DISK) oh noes!
[+] 192.168.159.136:139 - opt - (DISK)
[+] 192.168.159.136:139 - IPC$ - (IPC) IPC Service (metasploitable server (Samba 3.0.20-Debian))
[+] 192.168.159.136:139 - ADMIN$ - (IPC) IPC Service (metasploitable server (Samba 3.0.20-Debian))
[*] 192.168.159.136: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/smb/smb_enumshares) > run RHOSTS=192.168.159.10 SMBUser= SMBPass=
[-] 192.168.159.10:139 - Login Failed: Unable to negotiate SMB1 with the remote host: Not a valid SMB packet
[-] 192.168.159.10:445 - Error when trying to enumerate shares - STATUS_ACCESS_DENIED
[*] 192.168.159.10: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/smb/smb_enumshares) > run RHOSTS=192.168.159.10 SMBUser=aliddle SMBPass=Password1!
[-] 192.168.159.10:139 - Login Failed: Unable to negotiate SMB1 with the remote host: Not a valid SMB packet
[!] 192.168.159.10:445 - peer_native_os is only available with SMB1 (current version: SMB3)
[!] 192.168.159.10:445 - peer_native_lm is only available with SMB1 (current version: SMB3)
[+] 192.168.159.10:445 - ADMIN$ - (DISK|SPECIAL) Remote Admin
[+] 192.168.159.10:445 - C$ - (DISK|SPECIAL) Default share
[+] 192.168.159.10:445 - CertEnroll - (DISK) Active Directory Certificate Services share
[+] 192.168.159.10:445 - IPC$ - (IPC|SPECIAL) Remote IPC
[+] 192.168.159.10:445 - NETLOGON - (DISK) Logon server share
[+] 192.168.159.10:445 - Public - (DISK)
[+] 192.168.159.10:445 - SYSVOL - (DISK) Logon server share
[+] 192.168.159.10:445 - Users - (DISK)
[*] 192.168.159.10: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/smb/smb_enumshares) >
Release NotesThis fixes an issue in the |
|
Thanks @smcintyre-r7 ! |
Target is metasploitable 2 VM.
This PR covers:
Before
After