Class: Metasploit::Framework::LoginScanner::SMB

Inherits:
Object
  • Object
Includes:
Base, RexSocket, Tcp::Client
Defined in:
lib/metasploit/framework/login_scanner/smb.rb

Overview

This is the LoginScanner class for the Server Message Block (SMB) protocol. It performs real session setups against the target, so every attempt is visible in the target's authentication log and may count towards account lockout.

Defined Under Namespace

Modules: AccessLevels, StatusCodes

Constant Summary

CAN_GET_SESSION =
true
DEFAULT_REALM =
'WORKSTATION'.freeze
LIKELY_PORTS =
[ 445 ].freeze
LIKELY_SERVICE_NAMES =
[ 'smb' ].freeze
PRIVATE_TYPES =
%i[password ntlm_hash].freeze
REALM_KEY =
Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN

Instance Attribute Summary

Attributes included from Tcp::Client

#max_send_size, #send_delay, #sock

Instance Method Summary

Methods included from Tcp::Client

#chost, #cport, #disconnect, #proxies, #rhost, #rport, #set_tcp_evasions, #ssl, #ssl_version

Instance Attribute Details

#always_encrypt ⇒ Object

Returns the value of attribute always_encrypt.



# File 'lib/metasploit/framework/login_scanner/smb.rb', line 55

# Whether the SMB session must be encrypted (SMB3 encryption). The value is
# passed straight through to RubySMB::Client as +always_encrypt+ in
# #attempt_login, and #set_sane_defaults turns a nil into +true+, so encryption
# is required unless a caller explicitly sets this to +false+. What RubySMB does
# against a server that cannot encrypt is not visible here — presumably the
# session setup fails rather than silently downgrading; confirm in RubySMB.
#
# @return [Boolean, nil]
def always_encrypt
  @always_encrypt
end

#dispatcher ⇒ RubySMB::Dispatcher::Socket

Returns:

  • (RubySMB::Dispatcher::Socket)


# File 'lib/metasploit/framework/login_scanner/smb.rb', line 59

# The RubySMB::Dispatcher::Socket wrapping the current TCP socket. It is created
# by #connect, handed to RubySMB::Client in #attempt_login, and set to nil there
# when #use_client_as_proof transfers the live session to the caller (so this
# scanner no longer tears it down).
#
# @return [RubySMB::Dispatcher::Socket, nil]
def dispatcher
  @dispatcher
end

#kerberos_authenticator_factory ⇒ Func&lt;username, password, realm&gt; : Msf::Exploit::Remote::Kerberos::ServiceAuthenticator::SMB

Returns a factory method for creating a Kerberos authenticator.

Returns:



# File 'lib/metasploit/framework/login_scanner/smb.rb', line 64

# Optional factory for Kerberos authentication. When non-nil, #attempt_login
# extends the RubySMB client with
# Msf::Exploit::Remote::SMB::Client::KerberosAuthentication and assigns
# +kerberos_authenticator_factory.call(username, password, realm)+ as its
# kerberos_authenticator before calling login. When nil, the client built from
# the credential's public/private pair is used as-is.
#
# @return [Proc, nil] callable taking (username, password, realm)
def kerberos_authenticator_factory
  @kerberos_authenticator_factory
end

#use_client_as_proof ⇒ Object

Returns the value of attribute use_client_as_proof.



# File 'lib/metasploit/framework/login_scanner/smb.rb', line 68

# When truthy, a SUCCESSFUL #attempt_login hands the live session to the caller:
# the RubySMB::Client becomes Result#proof, the raw socket becomes
# Result#connection, and #sock/#dispatcher are set to nil so the ensure block
# does not disconnect!. The caller then owns — and must close — that session.
# When nil/false, the client is disconnected before the Result is returned and
# Result#proof is nil or the exception that ended the attempt.
#
# @return [Boolean, nil]
def use_client_as_proof
  @use_client_as_proof
end

#versions ⇒ Object

Returns the value of attribute versions.



# File 'lib/metasploit/framework/login_scanner/smb.rb', line 52

# SMB dialect generations to negotiate, as an Array containing any of 1, 2, 3.
# #attempt_login maps +versions.include?(1|2|3)+ onto the RubySMB::Client
# smb1/smb2/smb3 flags; #set_sane_defaults fills a nil with
# ::Rex::Proto::SMB::SimpleClient::DEFAULT_VERSIONS. Leaving 1 out of the list
# is how a scan avoids offering SMB1 to the target.
#
# @return [Array<Integer>, nil]
def versions
  @versions
end

Instance Method Details

#attempt_bogus_login(domain) ⇒ Result

If the login succeeds and Result#access_level is nil, the server accepts arbitrary credentials. If access_level is AccessLevels::GUEST, arbitrary credentials are accepted but are mapped to guest permissions.

Parameters:

  • domain (String)

    Domain to authenticate against. Use an empty string for local accounts.

Returns:



# File 'lib/metasploit/framework/login_scanner/smb.rb', line 78

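# Probes whether the server accepts credentials that cannot possibly be valid.
#
# A random 8-character alphabetic username and password are sent through
# #attempt_login. If that login is reported successful and Result#access_level
# is nil, the server accepts arbitrary credentials; if it is AccessLevels::GUEST,
# arbitrary credentials are accepted but mapped to guest permissions.
#
# The result is cached per domain, so repeated probes during a scan cost one
# network round trip each. (The previous version cached a single value
# regardless of +domain+, so a probe against a second domain silently returned
# the first domain's result.) The probe is a real, failed logon from the
# target's point of view and will appear in its authentication logs; because
# the username is random it is very unlikely to count against any real
# account's lockout threshold.
#
# @param domain [String] Domain to authenticate against; use an empty string
#   for local accounts.
# @return [Result] the Result of the bogus login attempt
def attempt_bogus_login(domain)
  @attempt_bogus_login ||= {}
  return @attempt_bogus_login[domain] if @attempt_bogus_login.key?(domain)

  cred = Credential.new(
    public: Rex::Text.rand_text_alpha(8),
    private: Rex::Text.rand_text_alpha(8),
    realm: domain
  )
  @attempt_bogus_login[domain] = attempt_login(cred)
end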

#attempt_login(credential) ⇒ Result



# File 'lib/metasploit/framework/login_scanner/smb.rb', line 92

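# Attempts one SMB session setup with +credential+ and classifies the outcome.
#
# Flow:
#   1. #connect opens a fresh TCP socket; a ::Rex::ConnectionError there is
#      returned immediately as UNABLE_TO_CONNECT with the exception as proof.
#   2. A RubySMB::Client is built from the credential (realm/public/private,
#      nil treated as ''), the configured dialects (#versions) and
#      #always_encrypt. When #kerberos_authenticator_factory is set the client
#      is extended for Kerberos and given the factory's authenticator.
#   3. client.login returns an NTSTATUS code. On STATUS_SUCCESS a tree connect
#      to admin$ is also tried (writable => AccessLevels::ADMINISTRATOR), with
#      IPC$ as the fallback, because Samba only rejects bad credentials at tree
#      connect time.
#   4. The status code is mapped to a Metasploit::Model::Login::Status.
#
# Every call is a real logon against the target: failures are visible in its
# audit log and may count towards account lockout, which is why
# STATUS_ACCOUNT_LOCKED_OUT is surfaced as LOCKED_OUT so callers can stop.
#
# When #use_client_as_proof is truthy, a successful result carries the live
# RubySMB::Client as Result#proof and the raw socket as Result#connection; this
# object drops its references (sock/dispatcher set to nil) so it will not close
# them, and the caller becomes responsible for disconnecting.
#
# Fixes relative to the previous version: the catch-all
# RubySMB::Error::RubySMBError clause bound the exception as +_e+ and then
# assigned the (nil) +e+ of an earlier clause, so the error was lost from the
# proof; and a nil Credential#public raised NoMethodError in the guest check.
#
# @param credential [Credential] the public/private/realm to try
# @return [Result] status, proof (exception or client), access_level and
#   connection, plus host/port/protocol/service_name
def attempt_login(credential)
  begin
    connect
  rescue ::Rex::ConnectionError => e
    # No TCP session at all: report unreachable rather than a bad credential.
    result = Result.new(
      credential: credential,
      status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT,
      proof: e,
      host: host,
      port: port,
      protocol: 'tcp',
      service_name: 'smb'
    )
    return result
  end
  proof = nil
  # Ruby would nil these anyway; made explicit because they are only assigned
  # on specific branches below.
  access_level = nil
  connection = nil

  begin
    # RubySMB wants UTF-8 strings; dup first so a frozen credential field is not mutated.
    realm = (credential.realm || '').dup.force_encoding('UTF-8')
    username = (credential.public || '').dup.force_encoding('UTF-8')
    password = (credential.private || '').dup.force_encoding('UTF-8')
    client = RubySMB::Client.new(
       dispatcher,
       username: username,
       password: password,
       domain: realm,
       smb1: versions.include?(1),
       smb2: versions.include?(2),
       smb3: versions.include?(3),
       always_encrypt: always_encrypt
    )

    if kerberos_authenticator_factory
      client.extend(Msf::Exploit::Remote::SMB::Client::KerberosAuthentication)
      client.kerberos_authenticator = kerberos_authenticator_factory.call(username, password, realm)
    end

    status_code = client.login

    if status_code == WindowsError::NTStatus::STATUS_SUCCESS
      # Windows SMB will return an error code during Session
      # Setup, but nix Samba requires a Tree Connect. Try admin$
      # first, since that will tell us if this user has local
      # admin access. Fall back to IPC$ which should be accessible
      # to any user with valid creds.
      begin
        tree = client.tree_connect("\\\\#{host}\\admin$")
        # Check to make sure we can write a file to this dir
        if tree.permissions.add_file == 1
          access_level = AccessLevels::ADMINISTRATOR
        end
      rescue StandardError => _e
        # The admin$ failure is deliberately discarded; a failing IPC$ connect
        # propagates to the outer rescue clauses and classifies the attempt.
        client.tree_connect("\\\\#{host}\\IPC$")
      end
    end

    case status_code
    when WindowsError::NTStatus::STATUS_SUCCESS, WindowsError::NTStatus::STATUS_PASSWORD_MUST_CHANGE, WindowsError::NTStatus::STATUS_PASSWORD_EXPIRED
      # Must-change / expired still prove the credential is correct.
      status = Metasploit::Model::Login::Status::SUCCESSFUL
      # This module no longer owns the socket: return it as proof so the calling context can perform additional operations.
      # Additionally assign values to nil to avoid closing the socket etc automatically.
      if use_client_as_proof
        proof = client
        connection = self.sock
        client = nil
        self.sock = nil
        self.dispatcher = nil
      end
    when WindowsError::NTStatus::STATUS_ACCOUNT_LOCKED_OUT
      status = Metasploit::Model::Login::Status::LOCKED_OUT
    when WindowsError::NTStatus::STATUS_LOGON_FAILURE, WindowsError::NTStatus::STATUS_ACCESS_DENIED
      status = Metasploit::Model::Login::Status::INCORRECT
    when *StatusCodes::CORRECT_CREDENTIAL_STATUS_CODES
      status = Metasploit::Model::Login::Status::DENIED_ACCESS
    else
      # Any other NTSTATUS is treated as a bad credential rather than guessed at.
      status = Metasploit::Model::Login::Status::INCORRECT
    end
  rescue ::Rex::ConnectionError, Errno::EINVAL, RubySMB::Error::NetBiosSessionService, RubySMB::Error::NegotiationFailure, RubySMB::Error::CommunicationError  => e
    status = Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
    proof = e
  rescue RubySMB::Error::UnexpectedStatusCode => _e
    # Typically the IPC$ tree connect rejecting the credential (Samba path).
    status = Metasploit::Model::Login::Status::INCORRECT
  rescue Rex::Proto::Kerberos::Model::Error::KerberosError => e
    # Helper name reconstructed from the framework's Kerberos login scanner — confirm against kerberos.rb.
    status = Metasploit::Framework::LoginScanner::Kerberos.login_status_for_kerberos_error(e)
    proof = e
  rescue RubySMB::Error::RubySMBError => e
    # Bound as +e+ so the exception actually reaches the proof.
    status = Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
    proof = e
  ensure
    # Skipped when the client was handed to the caller (client is nil then).
    client.disconnect! if client
  end

  # A successful session with an empty username is an anonymous/guest logon,
  # unless admin$ was already found writable.
  if status == Metasploit::Model::Login::Status::SUCCESSFUL && credential.public.to_s.empty?
    access_level ||= AccessLevels::GUEST
  end

  result = Result.new(credential: credential,
                      status: status,
                      proof: proof,
                      access_level: access_level,
                      connection: connection)
  result.host = host
  result.port = port
  result.protocol = 'tcp'
  result.service_name = 'smb'
  result
end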

#connect ⇒ RubySMB::Dispatcher::Socket



# File 'lib/metasploit/framework/login_scanner/smb.rb', line 200

# Opens a fresh TCP connection to the target and wraps it for RubySMB.
#
# Any previous connection is torn down first (#disconnect), the raw socket
# returned by Tcp::Client#connect is stored in #sock, and a
# RubySMB::Dispatcher::Socket around it is stored in — and returned as —
# #dispatcher.
#
# @return [RubySMB::Dispatcher::Socket] the dispatcher for the new socket
def connect
  disconnect
  raw_socket = super()
  self.sock = raw_socket
  smb_dispatcher = RubySMB::Dispatcher::Socket.new(sock)
  self.dispatcher = smb_dispatcher
end

#set_sane_defaults ⇒ Object



# File 'lib/metasploit/framework/login_scanner/smb.rb', line 206

# Fills in unset scanner options with conservative defaults.
#
# Only attributes that are nil are touched: an explicit +false+ is preserved,
# which matters for +always_encrypt+ (a caller that deliberately disabled SMB3
# encryption must not have it silently re-enabled — do not rewrite this with
# +||=+). Encryption is therefore on by default, and the dialect list defaults
# to ::Rex::Proto::SMB::SimpleClient::DEFAULT_VERSIONS.
def set_sane_defaults
  # [reader, default] pairs applied only when the reader currently returns nil.
  scalar_defaults = [
    [:connection_timeout, 10],
    [:max_send_size, 0],
    [:send_delay, 0],
    [:always_encrypt, true]
  ]
  scalar_defaults.each do |reader, default|
    send("#{reader}=", default) if send(reader).nil?
  end
  self.versions = ::Rex::Proto::SMB::SimpleClient::DEFAULT_VERSIONS if versions.nil?
end