Class: Metasploit::Framework::LoginScanner::SMB

Inherits:
Object
  • Object
show all
Includes:
Base, RexSocket, Tcp::Client
Defined in:
lib/metasploit/framework/login_scanner/smb.rb

Overview

This is the LoginScanner class for dealing with the Server Messaging Block protocol.

Defined Under Namespace

Modules: AccessLevels, StatusCodes

Constant Summary collapse

CAN_GET_SESSION =
true
DEFAULT_REALM =
'WORKSTATION'.freeze
LIKELY_PORTS =
[ 445 ].freeze
LIKELY_SERVICE_NAMES =
[ 'smb' ].freeze
PRIVATE_TYPES =
%i[password ntlm_hash].freeze
REALM_KEY =
Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN

Instance Attribute Summary collapse

Attributes included from Tcp::Client

#max_send_size, #send_delay, #sock

Instance Method Summary collapse

Methods included from Tcp::Client

#chost, #cport, #disconnect, #proxies, #rhost, #rport, #set_tcp_evasions, #ssl, #ssl_version

Instance Attribute Details

#dispatcherRubySMB::Dispatcher::Socket

Returns:

  • (RubySMB::Dispatcher::Socket)


53
54
55
# File 'lib/metasploit/framework/login_scanner/smb.rb', line 53

def dispatcher
  @dispatcher
end

#kerberos_authenticator_factoryFunc<username, password, realm> : Msf::Exploit::Remote::Kerberos::ServiceAuthenticator::SMB

Returns A factory method for creating a kerberos authenticator.

Returns:



58
59
60
# File 'lib/metasploit/framework/login_scanner/smb.rb', line 58

def kerberos_authenticator_factory
  @kerberos_authenticator_factory
end

#use_client_as_proofObject

Returns the value of attribute use_client_as_proof.



62
63
64
# File 'lib/metasploit/framework/login_scanner/smb.rb', line 62

def use_client_as_proof
  @use_client_as_proof
end

Instance Method Details

#attempt_bogus_login(domain) ⇒ Result

If login is successful and Result#access_level is not set then arbitrary credentials are accepted. If it is set to Guest, then arbitrary credentials are accepted, but given Guest permissions.

Parameters:

  • domain (String)

    Domain to authenticate against. Use an empty string for local accounts.

Returns:



72
73
74
75
76
77
78
79
80
81
82
83
# File 'lib/metasploit/framework/login_scanner/smb.rb', line 72

def (domain)
  if defined?(@attempt_bogus_login)
    return @attempt_bogus_login
  end

  cred = Credential.new(
    public: Rex::Text.rand_text_alpha(8),
    private: Rex::Text.rand_text_alpha(8),
    realm: domain
  )
  @attempt_bogus_login = (cred)
end

#attempt_login(credential) ⇒ Object



86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
# File 'lib/metasploit/framework/login_scanner/smb.rb', line 86

def (credential)
  begin
    connect
  rescue ::Rex::ConnectionError => e
    result = Result.new(
      credential: credential,
      status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT,
      proof: e,
      host: host,
      port: port,
      protocol: 'tcp',
      service_name: 'smb'
    )
    return result
  end
  proof = nil

  begin
    realm = (credential.realm || '').dup.force_encoding('UTF-8')
    username = (credential.public || '').dup.force_encoding('UTF-8')
    password = (credential.private || '').dup.force_encoding('UTF-8')
    client = RubySMB::Client.new(dispatcher, username: username, password: password, domain: realm)

    if kerberos_authenticator_factory
      client.extend(Msf::Exploit::Remote::SMB::Client::KerberosAuthentication)
      client.kerberos_authenticator = kerberos_authenticator_factory.call(username, password, realm)
    end

    status_code = client.

    if status_code == WindowsError::NTStatus::STATUS_SUCCESS
      # Windows SMB will return an error code during Session
      # Setup, but nix Samba requires a Tree Connect. Try admin$
      # first, since that will tell us if this user has local
      # admin access. Fall back to IPC$ which should be accessible
      # to any user with valid creds.
      begin
        tree = client.tree_connect("\\\\#{host}\\admin$")
        # Check to make sure we can write a file to this dir
        if tree.permissions.add_file == 1
          access_level = AccessLevels::ADMINISTRATOR
        end
      rescue StandardError => _e
        client.tree_connect("\\\\#{host}\\IPC$")
      end
    end

    case status_code
    when WindowsError::NTStatus::STATUS_SUCCESS, WindowsError::NTStatus::STATUS_PASSWORD_MUST_CHANGE, WindowsError::NTStatus::STATUS_PASSWORD_EXPIRED
      status = Metasploit::Model::Login::Status::SUCCESSFUL
      # This module no long owns the socket, return it as proof so the calling context can perform additional operations
      # Additionally assign values to nil to avoid closing the socket etc automatically
      if use_client_as_proof
        proof = client
        client = nil
        self.sock = nil
        self.dispatcher = nil
      end
    when WindowsError::NTStatus::STATUS_ACCOUNT_LOCKED_OUT
      status = Metasploit::Model::Login::Status::LOCKED_OUT
    when WindowsError::NTStatus::STATUS_LOGON_FAILURE, WindowsError::NTStatus::STATUS_ACCESS_DENIED
      status = Metasploit::Model::Login::Status::INCORRECT
    when *StatusCodes::CORRECT_CREDENTIAL_STATUS_CODES
      status = Metasploit::Model::Login::Status::DENIED_ACCESS
    else
      status = Metasploit::Model::Login::Status::INCORRECT
    end
  rescue ::Rex::ConnectionError, Errno::EINVAL, RubySMB::Error::NetBiosSessionService, RubySMB::Error::NegotiationFailure, RubySMB::Error::CommunicationError  => e
    status = Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
    proof = e
  rescue RubySMB::Error::UnexpectedStatusCode => _e
    status = Metasploit::Model::Login::Status::INCORRECT
  rescue Rex::Proto::Kerberos::Model::Error::KerberosError => e
    status = Metasploit::Framework::LoginScanner::Kerberos.(e)
    proof = e
  rescue RubySMB::Error::RubySMBError => _e
    status = Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
    proof = e
  ensure
    client.disconnect! if client
  end

  if status == Metasploit::Model::Login::Status::SUCCESSFUL && credential.public.empty?
    access_level ||= AccessLevels::GUEST
  end

  result = Result.new(credential: credential, status: status, proof: proof, access_level: access_level)
  result.host = host
  result.port = port
  result.protocol = 'tcp'
  result.service_name = 'smb'
  result
end

#connectObject



180
181
182
183
184
# File 'lib/metasploit/framework/login_scanner/smb.rb', line 180

def connect
  disconnect
  self.sock = super
  self.dispatcher = RubySMB::Dispatcher::Socket.new(sock)
end

#set_sane_defaultsObject



186
187
188
189
190
# File 'lib/metasploit/framework/login_scanner/smb.rb', line 186

def set_sane_defaults
  self.connection_timeout = 10 if connection_timeout.nil?
  self.max_send_size = 0 if max_send_size.nil?
  self.send_delay = 0 if send_delay.nil?
end