Module: Msf::Exploit::Remote::MsSamr

Includes:
SMB::Client::Ipc
Included in:
Account
Defined in:
lib/msf/core/exploit/remote/ms_samr.rb

Defined Under Namespace

Modules: Account Classes: MsSamrAuthenticationError, MsSamrBadConfigError, MsSamrConnectionError, MsSamrError, MsSamrNotFoundError, MsSamrUnexpectedReplyError, MsSamrUnknownError, SamrConnection

Constant Summary

Constants included from SMB::Client

SMB::Client::CONST, SMB::Client::DCERPCClient, SMB::Client::DCERPCPacket, SMB::Client::DCERPCResponse, SMB::Client::DCERPCUUID, SMB::Client::NDR, SMB::Client::SIMPLE, SMB::Client::XCEPT

Instance Attribute Summary

Attributes included from SMB::Client

#simple

Attributes included from Tcp

#sock

Class Method Summary

Methods included from SMB::Client::Ipc

connect_ipc, disconnect_ipc

Methods included from Auxiliary::Report

#active_db?, #create_cracked_credential, #create_credential, #create_credential_and_login, #create_credential_login, #db, #db_warning_given?, #get_client, #get_host, #inside_workspace_boundary?, #invalidate_login, #mytask, #myworkspace, #myworkspace_id, #report_auth_info, #report_client, #report_exploit, #report_host, #report_loot, #report_note, #report_service, #report_vuln, #report_web_form, #report_web_page, #report_web_site, #report_web_vuln, #store_cred, #store_local, #store_loot

Methods included from Metasploit::Framework::Require

optionally, optionally_active_record_railtie, optionally_include_metasploit_credential_creation, #optionally_include_metasploit_credential_creation, optionally_require_metasploit_db_gem_engines

Methods included from SMB::Client::Authenticated

#initialize

Methods included from Kerberos::ServiceAuthenticator::Options

#kerberos_auth_options

Methods included from Kerberos::Ticket::Storage

#initialize, #kerberos_storage_options, #kerberos_ticket_storage, store_ccache

Methods included from SMB::Client

#connect, #domain, #domain_username_split, #initialize, #smb_create, #smb_direct, #smb_enumprinters, #smb_enumprintproviders, #smb_file_exist?, #smb_file_rm, #smb_fingerprint, #smb_fingerprint_windows_lang, #smb_fingerprint_windows_sp, #smb_hostname, #smb_lanman_netshareenumall, #smb_login, #smb_lookup_share_type, #smb_netshareenumall, #smb_netsharegetinfo, #smb_open, #smb_peer_lm, #smb_peer_os, #smb_srvsvc_netshareenumall, #smb_srvsvc_netsharegetinfo, #smbhost, #splitname, #unicode

Methods included from Tcp

#chost, #cleanup, #connect, #connect_timeout, #cport, #disconnect, #handler, #initialize, #lhost, #lport, #peer, #print_prefix, #proxies, #replicant, #rhost, #rport, #set_tcp_evasions, #shutdown, #ssl, #ssl_cipher, #ssl_verify_mode, #ssl_version

Class Method Details

.connect_samr(tree) ⇒ Object


# File 'lib/msf/core/exploit/remote/ms_samr.rb', line 25

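# Opens the SAMR named pipe on the given SMB tree, binds the DCERPC
# interface, connects to the SAM server and opens a handle to one domain.
#
# When the module's +domain+ is blank or '.', the domains enumerated on the
# SAM server are used instead (the 'Builtin' domain is ignored); exactly one
# such domain must exist, otherwise the caller has to specify the target.
#
# @param tree [Object] a connected SMB tree on which the 'samr' pipe can be
#   opened (presumably the IPC$ tree from connect_ipc — confirm against callers)
# @return [SamrConnection] the bound pipe plus server/domain handles and the
#   resolved domain name
# @raise [MsSamrUnexpectedReplyError] on a DCERPC fault while connecting, or on
#   any other DCERPC error later on
# @raise [MsSamrNotFoundError] when the SAM server reports no domain other than
#   'Builtin'
# @raise [MsSamrBadConfigError] when no domain was specified and the SAM server
#   holds more than one
# @raise [MsSamrUnknownError] on any other RubySMB error
def connect_samr(tree)
  begin
    vprint_status('Connecting to Security Account Manager (SAM) Remote Protocol')
    samr = tree.open_file(filename: 'samr', write: true, read: true)

    vprint_status('Binding to \\samr...')
    samr.bind(endpoint: RubySMB::Dcerpc::Samr)
    vprint_good('Bound to \\samr')
    server_handle = samr.samr_connect
  rescue RubySMB::Dcerpc::Error::FaultError => e
    # A fault here carries a DCERPC status that is more useful to the user
    # than the generic message, so it is reported separately from other errors.
    elog(e.message, error: e)
    raise MsSamrUnexpectedReplyError, "Connection failed (DCERPC fault: #{e.status_name})"
  end

  if domain.blank? || domain == '.'
    all_domains = samr.samr_enumerate_domains_in_sam_server(server_handle: server_handle).map(&:to_s).map(&:encode)
    # 'Builtin' exists on every SAM server and is never the target domain.
    all_domains.delete('Builtin')
    if all_domains.empty?
      raise MsSamrNotFoundError, 'No domains were found on the SAM server.'
    elsif all_domains.length > 1
      print_status("Enumerated domains: #{all_domains.join(', ')}")
      raise MsSamrBadConfigError, 'The SAM server has more than one domain, the target must be specified.'
    end

    domain_name = all_domains.first
    print_status("Using automatically identified domain: #{domain_name}")
  else
    domain_name = domain
  end

  domain_sid = samr.samr_lookup_domain(server_handle: server_handle, name: domain_name)
  domain_handle = samr.samr_open_domain(server_handle: server_handle, domain_id: domain_sid)

  SamrConnection.new(samr, server_handle, domain_handle, domain_name)

rescue RubySMB::Dcerpc::Error::DcerpcError => e
  elog(e.message, error: e)
  raise MsSamrUnexpectedReplyError, e.message
rescue RubySMB::Error::RubySMBError => e
  # The exception must be bound here: without `=> e` this clause would read a
  # stale or nil `e` from an earlier rescue and fail with NoMethodError
  # instead of reporting the actual SMB error.
  elog(e.message, error: e)
  raise MsSamrUnknownError, e.message
end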