Module: Msf::Exploit::Remote::MsSamr

Includes:
SMB::Client::Ipc
Included in:
Account
Defined in:
lib/msf/core/exploit/remote/ms_samr.rb

Defined Under Namespace

Modules: Account Classes: MsSamrAuthenticationError, MsSamrBadConfigError, MsSamrConnectionError, MsSamrError, MsSamrNotFoundError, MsSamrUnexpectedReplyError, MsSamrUnknownError, SamrConnection

Constant Summary

Constants included from SMB::Client

SMB::Client::CONST, SMB::Client::DCERPCClient, SMB::Client::DCERPCPacket, SMB::Client::DCERPCResponse, SMB::Client::DCERPCUUID, SMB::Client::NDR, SMB::Client::SIMPLE, SMB::Client::XCEPT

Instance Attribute Summary

Attributes included from SMB::Client

#simple

Attributes included from Tcp

#sock

Class Method Summary

Methods included from SMB::Client::Ipc

connect_ipc, disconnect_ipc

Methods included from Auxiliary::Report

#active_db?, #create_cracked_credential, #create_credential, #create_credential_and_login, #create_credential_login, #db, #db_warning_given?, #get_client, #get_host, #inside_workspace_boundary?, #invalidate_login, #mytask, #myworkspace, #myworkspace_id, #report_auth_info, #report_client, #report_exploit, #report_host, #report_loot, #report_note, #report_service, #report_vuln, #report_web_form, #report_web_page, #report_web_site, #report_web_vuln, #store_cred, #store_local, #store_loot

Methods included from Metasploit::Framework::Require

optionally, optionally_active_record_railtie, optionally_include_metasploit_credential_creation, #optionally_include_metasploit_credential_creation, optionally_require_metasploit_db_gem_engines

Methods included from SMB::Client::Authenticated

#initialize

Methods included from Kerberos::ServiceAuthenticator::Options

#kerberos_auth_options

Methods included from Kerberos::Ticket::Storage

#initialize, #kerberos_storage_options, #kerberos_ticket_storage, store_ccache

Methods included from SMB::Client

#connect, #domain, #domain_username_split, #initialize, #smb_create, #smb_direct, #smb_enumprinters, #smb_enumprintproviders, #smb_file_exist?, #smb_file_rm, #smb_fingerprint, #smb_fingerprint_windows_lang, #smb_fingerprint_windows_sp, #smb_hostname, #smb_lanman_netshareenumall, #smb_login, #smb_lookup_share_type, #smb_netshareenumall, #smb_netsharegetinfo, #smb_open, #smb_peer_lm, #smb_peer_os, #smb_srvsvc_netshareenumall, #smb_srvsvc_netsharegetinfo, #smbhost, #splitname, #unicode

Methods included from Tcp

#chost, #cleanup, #connect, #connect_timeout, #cport, #disconnect, #handler, #initialize, #lhost, #lport, #peer, #print_prefix, #proxies, #rhost, #rport, #set_tcp_evasions, #shutdown, #ssl, #ssl_cipher, #ssl_verify_mode, #ssl_version

Class Method Details

.connect_samr(tree) ⇒ Object



# File 'lib/msf/core/exploit/remote/ms_samr.rb', line 25

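# Open the `samr` named pipe on the given SMB tree, bind to the MS-SAMR
# interface, resolve the target domain and return a ready-to-use
# `SamrConnection` (pipe, server handle, domain handle and domain name).
#
# When the module's `domain` option is blank or `'.'`, the domain is
# auto-detected by enumerating the SAM server's domains; the `Builtin`
# pseudo-domain is ignored and exactly one remaining domain must exist.
#
# @param tree [Object] an open SMB tree that responds to `#open_file`
#   (presumably the IPC$ share — confirm against the caller).
# @return [SamrConnection] the bound pipe and handles.
# @raise [MsSamrUnexpectedReplyError] on a DCERPC fault while opening or
#   binding the pipe, or on any other DCERPC error.
# @raise [MsSamrNotFoundError] when no usable domain is found on the server.
# @raise [MsSamrBadConfigError] when the server exposes several domains and
#   none was specified.
# @raise [MsSamrUnknownError] on any other RubySMB error.
def connect_samr(tree)
  begin
    vprint_status('Connecting to Security Account Manager (SAM) Remote Protocol')
    samr = tree.open_file(filename: 'samr', write: true, read: true)

    vprint_status('Binding to \\samr...')
    samr.bind(endpoint: RubySMB::Dcerpc::Samr)
    vprint_good('Bound to \\samr')
    server_handle = samr.samr_connect
  rescue RubySMB::Dcerpc::Error::FaultError => e
    # A fault here means the server rejected the pipe open / bind itself.
    elog(e.message, error: e)
    raise MsSamrUnexpectedReplyError, "Connection failed (DCERPC fault: #{e.status_name})"
  end

  if domain.blank? || domain == '.'
    all_domains = samr.samr_enumerate_domains_in_sam_server(server_handle: server_handle).map(&:to_s).map(&:encode)
    # 'Builtin' is always present and is never the account domain we want.
    all_domains.delete('Builtin')
    if all_domains.empty?
      raise MsSamrNotFoundError, 'No domains were found on the SAM server.'
    elsif all_domains.length > 1
      # Refuse to guess: the operator must name the domain explicitly.
      print_status("Enumerated domains: #{all_domains.join(', ')}")
      raise MsSamrBadConfigError, 'The SAM server has more than one domain, the target must be specified.'
    end

    domain_name = all_domains.first
    print_status("Using automatically identified domain: #{domain_name}")
  else
    domain_name = domain
  end

  domain_sid = samr.samr_lookup_domain(server_handle: server_handle, name: domain_name)
  domain_handle = samr.samr_open_domain(server_handle: server_handle, domain_id: domain_sid)

  SamrConnection.new(samr, server_handle, domain_handle, domain_name)

rescue RubySMB::Dcerpc::Error::DcerpcError => e
  elog(e.message, error: e)
  raise MsSamrUnexpectedReplyError, e.message
# The exception must be bound here: without `=> e` this clause reads the
# stale local `e` (nil unless an earlier rescue ran) and fails with
# NoMethodError instead of reporting the real RubySMB error.
rescue RubySMB::Error::RubySMBError => e
  elog(e.message, error: e)
  raise MsSamrUnknownError, e.message
end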