Allow settings the RPORT option for pipe_dcerpc_auditor #19529

Open: wants to merge 2 commits into master
99 changes: 58 additions & 41 deletions modules/auxiliary/scanner/smb/pipe_dcerpc_auditor.rb
@@ -24,13 +24,20 @@ def initialize
'License' => MSF_LICENSE,
)

deregister_options('RPORT')
register_options(
[
OptString.new('SMBPIPE', [ true, "The pipe name to use (BROWSER)", 'BROWSER']),
])
end

def connect(*args, **kwargs)
super(*args, **kwargs, direct: @smb_direct)
end

def rport
@rport
end

@@target_uuids = [
[ '00000131-0000-0000-c000-000000000046', '0.0' ],
[ '00000134-0000-0000-c000-000000000046', '0.0' ],
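Review bot: the new `connect` override passes `direct: @smb_direct`, and the new `rport` accessor returns `@rport`, but neither instance variable is initialised in `initialize`, so both are nil until `run_host` assigns them; anything that calls `connect` or reads `rport` before that (for example framework code that reports the port) gets nil instead of the datastore value. Initialise both in `initialize`, or make the accessor fall back, e.g. `@rport || datastore['RPORT']`. With `deregister_options('RPORT')` dropped, the module now relies on the mixin's registered RPORT, and that behaviour change (RPORT is honoured again) deserves a line in the module description or notes.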
@@ -253,59 +260,69 @@ def initialize

# Fingerprint a single host
def run_host(ip)
ports = [139, 445]

if session
print_status("Using existing session #{session.sid}")
client = session.client
@rport = datastore['RPORT'] = session.port
self.simple = ::Rex::Proto::SMB::SimpleClient.new(client.dispatcher.tcp_socket, client: client)
ports = [simple.port]
self.simple.connect("\\\\#{simple.address}\\IPC$") # smb_login connects to this share for some reason and it doesn't work unless we do too
end

ports.each do |port|
datastore['RPORT'] = port
check_uuids(ip)
else
if datastore['RPORT'].blank? || datastore['RPORT'] == 0
Contributor:
The RPORT is not registered here, so it could have a default already?

Contributor Author:

Yes, it has a default value, as you can see below, which is 445:


msf6 > use auxiliary/scanner/smb/pipe_dcerpc_auditor
[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
msf6 auxiliary(scanner/smb/pipe_dcerpc_auditor) > options

Module options (auxiliary/scanner/smb/pipe_dcerpc_auditor):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER)


   Used when connecting via an existing SESSION:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   no        The session to run this module on


   Used when making a new connection via RHOSTS:

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOSTS                      no        The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      445              no        The target port (TCP)
   SMBDomain  .                no        The Windows domain to use for authentication
   SMBPass                     no        The password for the specified username
   SMBUser                     no        The username to authenticate as
   THREADS    1                yes       The number of concurrent threads (max one per host)


View the full module info with the info, or info -d command.

smb_services = [
{ port: 445, direct: true },
{ port: 139, direct: false }
]
else
smb_services = [
{ port: datastore['RPORT'], direct: datastore['SMBDirect'] }
]
end

begin
unless session
connect()
smb_login()
smb_services.each do |smb_service|
@rport = smb_service[:port]
@smb_direct = smb_service[:direct]

begin
connect
smb_login
check_uuids(ip)
disconnect
rescue ::Exception
print_line($!.to_s)
end

@@target_uuids.each do |uuid|

handle = dcerpc_handle_target(
uuid[0], uuid[1],
'ncacn_np', ["\\#{datastore['SMBPIPE']}"], self.simple.address
)
end
end

begin
dcerpc_bind(handle)
print_line("UUID #{uuid[0]} #{uuid[1]} OPEN VIA #{datastore['SMBPIPE']}")
# Add Report
report_note(
:host => ip,
:proto => 'tcp',
:sname => 'smb',
:port => rport,
:type => "UUID #{uuid[0]} #{uuid[1]}",
:data => "UUID #{uuid[0]} #{uuid[1]} OPEN VIA #{datastore['SMBPIPE']}"
)
rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e
print_line("UUID #{uuid[0]} #{uuid[1]} ERROR 0x%.8x" % e.error_code)
rescue StandardError => e
print_line("UUID #{uuid[0]} #{uuid[1]} ERROR #{$!}")
end
end
end

disconnect()
def check_uuids(ip)
@@target_uuids.each do |uuid|

handle = dcerpc_handle_target(
uuid[0], uuid[1],
'ncacn_np', ["\\#{datastore['SMBPIPE']}"], self.simple.address
)

return
rescue ::Exception
print_line($!.to_s)
begin
dcerpc_bind(handle)
print_line("UUID #{uuid[0]} #{uuid[1]} OPEN VIA #{datastore['SMBPIPE']}")
# Add Report
report_note(
:host => ip,
:proto => 'tcp',
:sname => 'smb',
:port => rport,
:type => "UUID #{uuid[0]} #{uuid[1]}",
:data => "UUID #{uuid[0]} #{uuid[1]} OPEN VIA #{datastore['SMBPIPE']}"
)
rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e
print_line("UUID #{uuid[0]} #{uuid[1]} ERROR 0x%.8x" % e.error_code)
rescue StandardError => e
print_line("UUID #{uuid[0]} #{uuid[1]} ERROR #{$!}")
end
end
end


end
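Review bot: the `return` that followed `disconnect()` in the removed `ports.each` loop has no counterpart in the new `smb_services.each` block, so in the blank-RPORT case a host that answers on 445 is probed again on 139, repeating every `print_line` and `report_note` for the same host. Add `break` (or `return`) after the successful `disconnect` to keep the old stop-at-first-working-port behaviour. Two smaller points: `@rport = datastore['RPORT'] = session.port` in the session branch writes the session's port back into the datastore, where it persists into later runs, and with the new `rport` accessor the datastore write is no longer needed for reporting, so `@rport = session.port` is enough; and since RPORT keeps the mixin's default of 445 (see the options output in the thread above), the `blank? || == 0` branch that tries 445 then 139 is only reached when the user explicitly clears RPORT, so either register RPORT here as not required with no default, or document that unsetting RPORT is how to scan both ports.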