Class: Metasploit::Framework::LoginScanner::SMB

Inherits:
Object
Includes:
Base, RexSocket, Tcp::Client
Defined in:
lib/metasploit/framework/login_scanner/smb.rb

Overview

This is the LoginScanner class for the Server Message Block (SMB) protocol. It validates username/password or username/NTLM-hash pairs (see PRIVATE_TYPES) against a target's SMB service (TCP 445 by default) and, for a successful login, records in Result#access_level whether the credential yields administrator (writable ADMIN$) or guest (empty username) access.

Defined Under Namespace

Modules: AccessLevels, StatusCodes

Constant Summary

CAN_GET_SESSION =
true
DEFAULT_REALM =
'WORKSTATION'.freeze
LIKELY_PORTS =
[ 445 ].freeze
LIKELY_SERVICE_NAMES =
[ 'smb' ].freeze
PRIVATE_TYPES =
%i[password ntlm_hash].freeze
REALM_KEY =
Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN

Instance Attribute Summary

Attributes included from Tcp::Client

#max_send_size, #send_delay, #sock

Instance Method Summary

Methods included from Tcp::Client

#chost, #cport, #disconnect, #proxies, #rhost, #rport, #set_tcp_evasions, #ssl, #ssl_version

Instance Attribute Details

#dispatcher ⇒ RubySMB::Dispatcher::Socket

Returns:

  • (RubySMB::Dispatcher::Socket)


# File 'lib/metasploit/framework/login_scanner/smb.rb', line 53

# The RubySMB socket dispatcher wrapping the current TCP connection.
# It is created by #connect (a fresh one per connection) and is nil until
# #connect has been called; #attempt_login passes it to RubySMB::Client.new.
#
# @return [RubySMB::Dispatcher::Socket, nil]
def dispatcher
  @dispatcher
end

#kerberos_authenticator_factory ⇒ Func<username, password, realm> : Msf::Exploit::Remote::Kerberos::ServiceAuthenticator::SMB

Returns a factory (a callable taking username, password and realm) that builds a Kerberos authenticator. When it is set, #attempt_login extends each RubySMB client with Kerberos authentication and uses the returned authenticator for the session setup; when it is nil the client's own authentication flow is used unchanged.

Returns:



# File 'lib/metasploit/framework/login_scanner/smb.rb', line 58

# Optional factory for Kerberos authentication. When set, #attempt_login
# extends each RubySMB client with
# Msf::Exploit::Remote::SMB::Client::KerberosAuthentication and assigns
# factory.call(username, password, realm) as its kerberos_authenticator.
# When nil, the client's own authentication flow is used unchanged.
#
# @return [#call, nil] callable taking (username, password, realm) and
#   returning an Msf::Exploit::Remote::Kerberos::ServiceAuthenticator::SMB
def kerberos_authenticator_factory
  @kerberos_authenticator_factory
end

Instance Method Details

#attempt_bogus_login(domain) ⇒ Result

If the login is successful and Result#access_level is not set, the target accepts arbitrary credentials (for example an anonymous/guest fallback), so SUCCESSFUL results from a real scan against that host do not prove a credential is valid. If access_level is set to Guest, arbitrary credentials are accepted but mapped to Guest permissions. The result is cached after the first call and reused for later calls regardless of the domain passed.

Parameters:

  • domain (String)

    Domain to authenticate against. Use an empty string for local accounts.

Returns:

  • (Result) — outcome of a login with a random username and password; read access_level as described above



# File 'lib/metasploit/framework/login_scanner/smb.rb', line 68

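# Probe whether the target accepts arbitrary credentials (anonymous/guest
# fallback or an otherwise open SMB service) by logging in with a random
# 8-character alphabetic username and password.
#
# Read the Result as follows: SUCCESSFUL with a nil access_level means the
# host accepts any credential and SUCCESSFUL results from a real scan
# against it prove nothing; GUEST means arbitrary credentials are accepted
# but mapped to Guest permissions.
#
# NOTE(review): #attempt_login assigns AccessLevels::GUEST only when the
# username is empty (a random 8-character one never is), so from this probe
# access_level is nil or ADMINISTRATOR -- confirm the GUEST case is still
# reachable.
#
# NOTE(review): the result is memoised in @attempt_bogus_login on first use
# without regard to +domain+; a later call with a different domain returns
# the cached Result rather than probing again. Use a new scanner per domain
# if that matters.
#
# @param domain [String] domain to authenticate against; '' for local accounts
# @return [Result] outcome of the bogus login attempt
def attempt_bogus_login(domain)
  return @attempt_bogus_login if defined?(@attempt_bogus_login)

  # Random public/private so a hit cannot be a real account.
  bogus = Credential.new(
    public: Rex::Text.rand_text_alpha(8),
    private: Rex::Text.rand_text_alpha(8),
    realm: domain
  )
  @attempt_bogus_login = attempt_login(bogus)
end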

#attempt_login(credential) ⇒ Result



# File 'lib/metasploit/framework/login_scanner/smb.rb', line 82

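# Attempt one SMB session setup with +credential+ and classify the outcome.
#
# Flow: open a fresh TCP connection (#connect), build a RubySMB client
# (extended with Kerberos authentication when #kerberos_authenticator_factory
# is set), log in, and map the returned NTSTATUS to a
# Metasploit::Model::Login::Status. On STATUS_SUCCESS the method also tree
# connects to ADMIN$ -- write permission there is reported as
# AccessLevels::ADMINISTRATOR -- and otherwise falls back to IPC$, because
# Samba only rejects bad credentials at tree-connect time whereas Windows
# rejects them during session setup.
#
# Points a consumer of the Result should know:
# * STATUS_PASSWORD_MUST_CHANGE and STATUS_PASSWORD_EXPIRED are reported as
#   SUCCESSFUL: the secret is correct even though the account may need a
#   password change before it is usable.
# * A SUCCESSFUL login with an empty username is marked AccessLevels::GUEST
#   unless ADMIN$ was writable; use #attempt_bogus_login to detect hosts that
#   accept arbitrary credentials, where SUCCESSFUL proves nothing.
# * Every call is a real authentication attempt and counts against the
#   target's lockout policy; STATUS_ACCOUNT_LOCKED_OUT maps to LOCKED_OUT.
# * Any NTSTATUS not handled explicitly is reported as INCORRECT, so an
#   unknown code never yields a false SUCCESSFUL.
#
# @param credential [Metasploit::Framework::Credential] public (username),
#   private (password or NTLM hash, see PRIVATE_TYPES) and realm (domain);
#   nil parts are treated as empty strings
# @return [Result] status, proof (the exception raised, if any),
#   access_level, host, port, protocol and service_name populated
def attempt_login(credential)
  begin
    connect
  rescue ::Rex::ConnectionError => e
    # No TCP connection at all: report without touching SMB.
    return Result.new(
      credential: credential,
      status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT,
      proof: e,
      host: host,
      port: port,
      protocol: 'tcp',
      service_name: 'smb'
    )
  end

  proof = nil
  access_level = nil

  begin
    # Normalise to UTF-8 so RubySMB sees consistent encodings whatever the
    # credential was loaded with; dup because the source strings may be frozen.
    realm = (credential.realm || '').dup.force_encoding('UTF-8')
    username = (credential.public || '').dup.force_encoding('UTF-8')
    password = (credential.private || '').dup.force_encoding('UTF-8')
    client = RubySMB::Client.new(dispatcher, username: username, password: password, domain: realm)

    if kerberos_authenticator_factory
      client.extend(Msf::Exploit::Remote::SMB::Client::KerberosAuthentication)
      client.kerberos_authenticator = kerberos_authenticator_factory.call(username, password, realm)
    end

    status_code = client.login

    if status_code == WindowsError::NTStatus::STATUS_SUCCESS
      begin
        tree = client.tree_connect("\\\\#{host}\\admin$")
        # Being able to add a file to ADMIN$ means local administrator.
        access_level = AccessLevels::ADMINISTRATOR if tree.permissions.add_file == 1
      rescue StandardError => _e
        # ADMIN$ unavailable: IPC$ should be reachable with any valid
        # credential. A failure here propagates to the rescues below.
        client.tree_connect("\\\\#{host}\\IPC$")
      end
    end

    status = case status_code
             when WindowsError::NTStatus::STATUS_SUCCESS,
                  WindowsError::NTStatus::STATUS_PASSWORD_MUST_CHANGE,
                  WindowsError::NTStatus::STATUS_PASSWORD_EXPIRED
               Metasploit::Model::Login::Status::SUCCESSFUL
             when WindowsError::NTStatus::STATUS_ACCOUNT_LOCKED_OUT
               Metasploit::Model::Login::Status::LOCKED_OUT
             when WindowsError::NTStatus::STATUS_LOGON_FAILURE,
                  WindowsError::NTStatus::STATUS_ACCESS_DENIED
               Metasploit::Model::Login::Status::INCORRECT
             when *StatusCodes::CORRECT_CREDENTIAL_STATUS_CODES
               # Right secret, but the account is not allowed to log on.
               Metasploit::Model::Login::Status::DENIED_ACCESS
             else
               Metasploit::Model::Login::Status::INCORRECT
             end
  rescue ::Rex::ConnectionError, Errno::EINVAL, RubySMB::Error::NetBiosSessionService,
         RubySMB::Error::NegotiationFailure, RubySMB::Error::CommunicationError => e
    status = Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
    proof = e
  rescue RubySMB::Error::UnexpectedStatusCode => _e
    # Typically the IPC$ tree connect being refused after session setup
    # (the Samba case); treated as a bad credential.
    status = Metasploit::Model::Login::Status::INCORRECT
  rescue Rex::Proto::Kerberos::Model::Error::KerberosError => e
    # NOTE(review): the method name was dropped by the doc renderer and is
    # restored here as the Kerberos scanner's status mapper -- confirm
    # against login_scanner/kerberos.rb.
    status = Metasploit::Framework::LoginScanner::Kerberos.login_status_for_kerberos_error(e)
    proof = e
  rescue RubySMB::Error::RubySMBError => e
    # Fix: the original bound this exception as +_e+ and then assigned
    # +proof = e+, so proof was always nil for this class of failure.
    status = Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
    proof = e
  ensure
    client.disconnect! if client
  end

  # An empty username that still authenticated is the anonymous/guest case,
  # unless ADMIN$ proved otherwise. to_s guards against a nil public.
  if status == Metasploit::Model::Login::Status::SUCCESSFUL && credential.public.to_s.empty?
    access_level ||= AccessLevels::GUEST
  end

  Result.new(credential: credential, status: status, proof: proof, access_level: access_level).tap do |result|
    result.host = host
    result.port = port
    result.protocol = 'tcp'
    result.service_name = 'smb'
  end
end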

#connect ⇒ RubySMB::Dispatcher::Socket



# File 'lib/metasploit/framework/login_scanner/smb.rb', line 168

# Open a fresh TCP connection to the target and wrap it in a RubySMB
# dispatcher. Any existing socket is torn down first, so each login attempt
# starts from a clean connection rather than reusing an earlier SMB session.
#
# +super+ resolves to an included module's connect (presumably Tcp::Client's,
# which owns #sock -- confirm); which options it honours (proxies, ssl,
# connection_timeout) is not visible here.
#
# @return [RubySMB::Dispatcher::Socket] the new dispatcher, also stored in
#   #dispatcher (the value of the final assignment expression)
def connect
  disconnect
  self.sock = super
  self.dispatcher = RubySMB::Dispatcher::Socket.new(sock)
end

#set_sane_defaults ⇒ Object



# File 'lib/metasploit/framework/login_scanner/smb.rb', line 174

# Fill in a default for each connection tuning attribute the caller left
# nil: connection_timeout 10 (unit not shown here, presumably seconds),
# max_send_size 0 and send_delay 0. Only nil is replaced; an explicit 0 or
# false supplied by the caller is kept.
#
# @return [Integer, nil] the value assigned to send_delay, or nil if it was
#   already set (the last expression's value, as in the original)
def set_sane_defaults
  if connection_timeout.nil?
    self.connection_timeout = 10
  end
  if max_send_size.nil?
    self.max_send_size = 0
  end
  if send_delay.nil?
    self.send_delay = 0
  end
end