Added --filter-pipe-name to filter on SMB named pipes names, fixes #46

Release 2.4

Author: p0dalirius

README.md

@@ -19,7 +19,7 @@
     + [x] Random UNC paths generation to avoid caching failed attempts (all modes)
     + [x] Configurable delay between attempts with `--delay`
  - Options:
-    + [x] Filter by method name with `--filter-method-name` or by protocol name with `--filter-protocol-name` (all modes) 
+    + [x] Filter by method name with `--filter-method-name`, by protocol name with `--filter-protocol-name` or by pipe name with `--filter-pipe-name`(all modes)
     + [x] Target a single machine `--target` or a list of targets from a file with `--targets-file`
     + [x] Specify IP address OR interface to listen on for incoming authentications. (modes [scan](./documentation/Scan-mode.md) and [fuzz](./documentation/Fuzz-mode.md))
  - Exporting results

coercer/__main__.py

@@ -18,7 +18,7 @@
 from coercer.network.smb import try_login
 
 
-VERSION = "2.3-blackhat-edition"
+VERSION = "2.4-blackhat-edition"
 
 banner = """       ______
       / ____/___  ___  _____________  _____
@@ -48,9 +48,10 @@ def parseArgs():
     mode_scan_advanced_config.add_argument("--smb-port", default=445, type=int, help="SMB port (default: 445)")
     mode_scan_advanced_config.add_argument("--auth-type", default=None, type=str, help="Desired authentication type ('smb' or 'http').")
     # Filters
-    mode_scan_filters = mode_scan.add_argument_group("Filtering methods")
+    mode_scan_filters = mode_scan.add_argument_group("Filtering")
     mode_scan_filters.add_argument("--filter-method-name", default=None, type=str, help="")
     mode_scan_filters.add_argument("--filter-protocol-name", default=None, type=str, help="")
+    mode_scan_filters.add_argument("--filter-pipe-name", default=None, type=str, help="")
     # Credentials
     mode_scan_credentials = mode_scan.add_argument_group("Credentials")
     mode_scan_credentials.add_argument("-u", "--username", default="", help="Username to authenticate to the remote machine.")
@@ -82,9 +83,10 @@ def parseArgs():
     mode_fuzz_advanced_config.add_argument("--smb-port", default=445, type=int, help="SMB port (default: 445)")
     mode_fuzz_advanced_config.add_argument("--auth-type", default=None, type=str, help="Desired authentication type ('smb' or 'http').")
     # Filters
-    mode_fuzz_filters = mode_fuzz.add_argument_group("Filtering methods")
+    mode_fuzz_filters = mode_fuzz.add_argument_group("Filtering")
     mode_fuzz_filters.add_argument("--filter-method-name", default=None, type=str, help="")
     mode_fuzz_filters.add_argument("--filter-protocol-name", default=None, type=str, help="")
+    mode_fuzz_filters.add_argument("--filter-pipe-name", default=None, type=str, help="")
     # Credentials
     mode_fuzz_credentials = mode_fuzz.add_argument_group("Credentials")
     mode_fuzz_credentials.add_argument("--only-known-exploit-paths", action="store_true", default=False, help="Only test known exploit paths for each functions")
@@ -114,9 +116,10 @@ def parseArgs():
     mode_coerce_advanced_config.add_argument("--always-continue", default=False, action="store_true", help="Always continue to coerce")
     mode_coerce_advanced_config.add_argument("--auth-type", default=None, type=str, help="Desired authentication type ('smb' or 'http').")
     # Filters
-    mode_coerce_filters = mode_coerce.add_argument_group("Filtering methods")
+    mode_coerce_filters = mode_coerce.add_argument_group("Filtering")
     mode_coerce_filters.add_argument("--filter-method-name", default=None, type=str, help="")
     mode_coerce_filters.add_argument("--filter-protocol-name", default=None, type=str, help="")
+    mode_coerce_filters.add_argument("--filter-pipe-name", default=None, type=str, help="")
     # Credentials
     mode_coerce_credentials = mode_coerce.add_argument_group("Credentials")
     mode_coerce_credentials.add_argument("-u", "--username", default="", help="Username to authenticate to the machine.")

coercer/core/MethodFilter.py coercer/core/Filter.pycoercer/core/MethodFilter.py renamed to coercer/core/Filter.py

@@ -1,22 +1,23 @@
 #!/usr/bin/env python3
 # -*- coding: utf-8 -*-
-# File name          : MethodFilter.py
+# File name          : Filter.py
 # Author             : Podalirius (@podalirius_)
 # Date created       : 15 Sep 2022
 
-class MethodFilter(object):
+class Filter(object):
     """
-    Documentation for class MethodFilter
+    Documentation for class Filter
     """
 
-    def __init__(self, filter_method_name=None, filter_protocol_name=None):
-        super(MethodFilter, self).__init__()
+    def __init__(self, filter_method_name=None, filter_protocol_name=None, filter_pipe_name=None):
+        super(Filter, self).__init__()
         self.filter_method_name = filter_method_name
         self.filter_protocol_name = filter_protocol_name
+        self.filter_pipe_name = filter_pipe_name
 
-    def matches_filter(self, instance):
+    def method_matches_filter(self, instance):
         """
-        Function matches_filter
+        Function method_matches_filter
 
         Parameters:
             ?:instance
@@ -38,4 +39,22 @@ def matches_filter(self, instance):
             else:
                 outcome = outcome and False
         return outcome
-    
+
+    def pipe_matches_filter(self, pipe_name):
+        """
+        Function pipe_matches_filter
+
+        Parameters:
+            ?:pipe_name
+
+        Return:
+            bool:outcome
+        """
+        outcome = True
+        #
+        if self.filter_pipe_name is not None:
+            if self.filter_pipe_name in pipe_name:
+                outcome = outcome and True
+            else:
+                outcome = outcome and False
+        return outcome

coercer/core/modes/coerce.py

@@ -6,7 +6,7 @@
 
 
 import time
-from coercer.core.MethodFilter import MethodFilter
+from coercer.core.Filter import Filter
 from coercer.core.utils import generate_exploit_path_from_template
 from coercer.network.DCERPCSession import DCERPCSession
 from coercer.structures.TestResult import TestResult
@@ -17,9 +17,10 @@
 def action_coerce(target, available_methods, options, credentials, reporter):
     reporter.verbose = True
 
-    method_filter = MethodFilter(
+    filter = Filter(
         filter_method_name=options.filter_method_name,
-        filter_protocol_name=options.filter_protocol_name
+        filter_protocol_name=options.filter_protocol_name,
+        filter_pipe_name=options.filter_pipe_name
     )
 
     # Preparing tasks ==============================================================================================================
@@ -30,7 +31,7 @@ def action_coerce(target, available_methods, options, credentials, reporter):
             for method in sorted(available_methods[method_type][category].keys()):
                 instance = available_methods[method_type][category][method]["class"]
 
-                if method_filter.matches_filter(instance):
+                if filter.method_matches_filter(instance):
                     for access_type, access_methods in instance.access.items():
                         if access_type not in tasks.keys():
                             tasks[access_type] = {}
@@ -39,17 +40,18 @@ def action_coerce(target, available_methods, options, credentials, reporter):
                         if access_type == "ncan_np":
                             for access_method in access_methods:
                                 namedpipe, uuid, version = access_method["namedpipe"], access_method["uuid"], access_method["version"]
-                                if namedpipe not in tasks[access_type].keys():
-                                    tasks[access_type][namedpipe] = {}
+                                if filter.pipe_matches_filter(namedpipe):
+                                    if namedpipe not in tasks[access_type].keys():
+                                        tasks[access_type][namedpipe] = {}
 
-                                if uuid not in tasks[access_type][namedpipe].keys():
-                                    tasks[access_type][namedpipe][uuid] = {}
+                                    if uuid not in tasks[access_type][namedpipe].keys():
+                                        tasks[access_type][namedpipe][uuid] = {}
 
-                                if version not in tasks[access_type][namedpipe][uuid].keys():
-                                    tasks[access_type][namedpipe][uuid][version] = []
+                                    if version not in tasks[access_type][namedpipe][uuid].keys():
+                                        tasks[access_type][namedpipe][uuid][version] = []
 
-                                if instance not in tasks[access_type][namedpipe][uuid][version]:
-                                    tasks[access_type][namedpipe][uuid][version].append(instance)
+                                    if instance not in tasks[access_type][namedpipe][uuid][version]:
+                                        tasks[access_type][namedpipe][uuid][version].append(instance)
 
     # Executing tasks =======================================================================================================================
 

coercer/core/modes/fuzz.py

@@ -6,7 +6,7 @@
 
 
 import time
-from coercer.core.MethodFilter import MethodFilter
+from coercer.core.Filter import Filter
 from coercer.core.utils import generate_exploit_templates, generate_exploit_path_from_template
 from coercer.network.DCERPCSession import DCERPCSession
 from coercer.structures.TestResult import TestResult
@@ -16,9 +16,10 @@
 
 
 def action_fuzz(target, available_methods, options, credentials, reporter):
-    method_filter = MethodFilter(
+    filter = Filter(
         filter_method_name=options.filter_method_name,
-        filter_protocol_name=options.filter_protocol_name
+        filter_protocol_name=options.filter_protocol_name,
+        filter_pipe_name=options.filter_pipe_name
     )
 
     http_listen_port = 0
@@ -48,9 +49,25 @@ def action_fuzz(target, available_methods, options, credentials, reporter):
             r'\PIPE\W32TIME_ALT',
             r'\PIPE\wkssvc'
         ]
-        # \PIPE\Winsock2\CatalogChangeListener-71c-0
+        if options.verbose:
+            print("[debug] Using integrated list of %d SMB named pipes." % len(named_pipe_of_remote_machine))
     else:
         named_pipe_of_remote_machine = list_remote_pipes(target, credentials)
+        if options.verbose:
+            print("[debug] Found %d SMB named pipes on the remote machine." % len(named_pipe_of_remote_machine))
+
+    kept_pipes_after_filters = []
+    for pipe in named_pipe_of_remote_machine:
+        if filter.pipe_matches_filter(pipe):
+            kept_pipes_after_filters.append(pipe)
+    if len(kept_pipes_after_filters) == 0 and not credentials.is_anonymous():
+        print("[!] No SMB named pipes matching filter --filter-pipe-name '%s' were found on the remote machine." % options.filter_pipe_name)
+        return None
+    elif len(kept_pipes_after_filters) == 0 and credentials.is_anonymous():
+        print("[!] No SMB named pipes matching filter --filter-pipe-name '%s' were found in the list of known named pipes." % options.filter_pipe_name)
+        return None
+    else:
+        named_pipe_of_remote_machine = kept_pipes_after_filters
 
     # Preparing tasks ==============================================================================================================
 
@@ -60,7 +77,7 @@ def action_fuzz(target, available_methods, options, credentials, reporter):
             for method in sorted(available_methods[method_type][category].keys()):
                 instance = available_methods[method_type][category][method]["class"]
 
-                if method_filter.matches_filter(instance):
+                if filter.method_matches_filter(instance):
                     for access_type, access_methods in instance.access.items():
                         if access_type not in tasks.keys():
                             tasks[access_type] = {}
@@ -69,6 +86,7 @@ def action_fuzz(target, available_methods, options, credentials, reporter):
                         if access_type == "ncan_np":
                             for access_method in access_methods:
                                 namedpipe, uuid, version = access_method["namedpipe"], access_method["uuid"], access_method["version"]
+                                # if filter.pipe_matches_filter(namedpipe):
                                 if uuid not in tasks[access_type].keys():
                                     tasks[access_type][uuid] = {}
 
@@ -108,6 +126,7 @@ def action_fuzz(target, available_methods, options, credentials, reporter):
                                     continue
                                 if listener_type == "http":
                                     http_listen_port = get_next_http_listener_port(current_value=http_listen_port, listen_ip=listening_ip, options=options)
+
                                 exploitpath = generate_exploit_path_from_template(
                                     template=exploitpath,
                                     listener=listening_ip,

coercer/core/modes/scan.py

@@ -6,7 +6,7 @@
 
 
 import time
-from coercer.core.MethodFilter import MethodFilter
+from coercer.core.Filter import Filter
 from coercer.core.utils import generate_exploit_path_from_template
 from coercer.network.DCERPCSession import DCERPCSession
 from coercer.structures.TestResult import TestResult
@@ -18,9 +18,10 @@
 def action_scan(target, available_methods, options, credentials, reporter):
     http_listen_port = 0
 
-    method_filter = MethodFilter(
+    filter = Filter(
         filter_method_name=options.filter_method_name,
-        filter_protocol_name=options.filter_protocol_name
+        filter_protocol_name=options.filter_protocol_name,
+        filter_pipe_name=options.filter_pipe_name
     )
 
     # Preparing tasks ==============================================================================================================
@@ -31,7 +32,7 @@ def action_scan(target, available_methods, options, credentials, reporter):
             for method in sorted(available_methods[method_type][category].keys()):
                 instance = available_methods[method_type][category][method]["class"]
 
-                if method_filter.matches_filter(instance):
+                if filter.method_matches_filter(instance):
                     for access_type, access_methods in instance.access.items():
                         if access_type not in tasks.keys():
                             tasks[access_type] = {}
@@ -40,17 +41,18 @@ def action_scan(target, available_methods, options, credentials, reporter):
                         if access_type == "ncan_np":
                             for access_method in access_methods:
                                 namedpipe, uuid, version = access_method["namedpipe"], access_method["uuid"], access_method["version"]
-                                if namedpipe not in tasks[access_type].keys():
-                                    tasks[access_type][namedpipe] = {}
+                                if filter.pipe_matches_filter(namedpipe):
+                                    if namedpipe not in tasks[access_type].keys():
+                                        tasks[access_type][namedpipe] = {}
 
-                                if uuid not in tasks[access_type][namedpipe].keys():
-                                    tasks[access_type][namedpipe][uuid] = {}
+                                    if uuid not in tasks[access_type][namedpipe].keys():
+                                        tasks[access_type][namedpipe][uuid] = {}
 
-                                if version not in tasks[access_type][namedpipe][uuid].keys():
-                                    tasks[access_type][namedpipe][uuid][version] = []
+                                    if version not in tasks[access_type][namedpipe][uuid].keys():
+                                        tasks[access_type][namedpipe][uuid][version] = []
 
-                                if instance not in tasks[access_type][namedpipe][uuid][version]:
-                                    tasks[access_type][namedpipe][uuid][version].append(instance)
+                                    if instance not in tasks[access_type][namedpipe][uuid][version]:
+                                        tasks[access_type][namedpipe][uuid][version].append(instance)
 
     # Executing tasks =======================================================================================================================
 
@@ -78,6 +80,7 @@ def action_scan(target, available_methods, options, credentials, reporter):
                                     continue
                                 if listener_type == "http":
                                     http_listen_port = get_next_http_listener_port(current_value=http_listen_port, listen_ip=listening_ip, options=options)
+
                                 exploitpath = generate_exploit_path_from_template(
                                     template=exploitpath,
                                     listener=listening_ip,

coercer/network/Listener.py

@@ -75,7 +75,7 @@ def start_http(self, control_structure, http_port=80):
                 s.listen(5)
                 conn, address = s.accept()
                 data = conn.recv(2048)
-                print("\n",data,"\n")
+                # print("\n",data,"\n")
                 if b'HTTP' in data:
                     control_structure["result"] = TestResult.HTTP_AUTH_RECEIVED
             except Exception as e:

documentation/coercer/core.html

@@ -29,7 +29,7 @@
 
         <h2>Submodules</h2>
         <ul>
-                <li><a href="core/MethodFilter.html">MethodFilter</a></li>
+                <li><a href="core/Filter.html">Filter</a></li>
                 <li><a href="core/Reporter.html">Reporter</a></li>
                 <li><a href="core/loader.html">loader</a></li>
                 <li><a href="core/modes.html">modes</a></li>