See #RM8838. Handle null domain_sid properly

HD Moore · HD Moore · commit 3bc8d1fee972 · 2014-08-02T14:25:17.000-05:00
This switches to the local sid if the domain sid is null, even if
the ACTION is set to DOMAIN. This solves the issue identified in

```
[*] 192.168.0.4 PIPE(LSARPC) LOCAL(NAS - 5-21-2272853860-1115691317-1341221697) DOMAIN(WORKGROUP - )
[-] 192.168.0.4 No domain SID identified, falling back to the local SID...
[*] 192.168.0.4 USER=guest RID=501
[*] 192.168.0.4 GROUP=None RID=513
```
diff --git a/modules/auxiliary/scanner/smb/smb_lookupsid.rb b/modules/auxiliary/scanner/smb/smb_lookupsid.rb
@@ -21,14 +21,16 @@ class Metasploit3 < Msf::Auxiliary
 
   def initialize
     super(
-      'Name'        => 'SMB Local User Enumeration (LookupSid)',
+      'Name'        => 'SMB SID User Enumeration (LookupSid)',
       'Description' => 'Determine what users exist via brute force SID lookups.
         This module can enumerate both local and domain accounts by setting
         ACTION to either LOCAL or DOMAIN',
       'Author'      => 'hdm',
       'License'     => MSF_LICENSE,
       'DefaultOptions' =>
         {
+          # Samba doesn't like this option, so we disable so we are compatible with
+          # both Windows and Samba for enumeration.
           'DCERPC::fake_bind_multi' => false
         },
       'Actions'     =>
@@ -49,6 +51,10 @@ def initialize
     deregister_options('RPORT', 'RHOST')
   end
 
+  # Constants used by this module
+  LSA_UUID     = '12345778-1234-abcd-ef00-0123456789ab'
+  LSA_VERS     = '0.0'
+  LSA_PIPES    = %W{ LSARPC NETLOGON SAMR BROWSER SRVSVC }
 
   # Locate an available SMB PIPE for the specified service
   def smb_find_dcerpc_pipe(uuid, vers, pipes)
@@ -128,11 +134,6 @@ def smb_parse_sid_lookup(data)
     [ uinfo[3], name ]
   end
 
-
-  @@lsa_uuid     = '12345778-1234-abcd-ef00-0123456789ab'
-  @@lsa_vers     = '0.0'
-  @@lsa_pipes    = %W{ LSARPC NETLOGON SAMR BROWSER SRVSVC }
-
   # Fingerprint a single host
   def run_host(ip)
 
@@ -145,7 +146,7 @@ def run_host(ip)
     lsa_handle = nil
     begin
       # find the lsarpc pipe
-      lsa_pipe = smb_find_dcerpc_pipe(@@lsa_uuid, @@lsa_vers, @@lsa_pipes)
+      lsa_pipe = smb_find_dcerpc_pipe(LSA_UUID, LSA_VERS, LSA_PIPES)
       break if not lsa_pipe
 
       # OpenPolicy2()
@@ -201,20 +202,27 @@ def run_host(ip)
       resp = dcerpc.last_response ? dcerpc.last_response.stub_data : nil
       domain_sid, domain_name = smb_parse_sid(resp)
 
-
       # Store SID, local domain name, joined domain name
       print_status("#{ip} PIPE(#{lsa_pipe}) LOCAL(#{host_name} - #{host_sid}) DOMAIN(#{domain_name} - #{domain_sid})")
 
-
       domain = {
         :name    => host_name,
         :txt_sid => host_sid,
         :users   => {},
         :groups  => {}
       }
 
-      target_sid = host_sid if action.name =~ /LOCAL/i
-      target_sid = domain_sid if action.name =~ /DOMAIN/i
+      target_sid = case action.name.upcase
+      when 'LOCAL'
+        host_sid
+      when 'DOMAIN'
+        # Fallthrough to the host SID if no domain SID was returned
+        unless domain_sid
+          print_error("#{ip} No domain SID identified, falling back to the local SID...")
+        end
+        domain_sid || host_sid
+      end
+
       # Brute force through a common RID range
       500.upto(datastore['MaxRID'].to_i) do |rid|
 
@@ -269,10 +277,9 @@ def run_host(ip)
       )
 
       print_status("#{ip} #{domain[:name].upcase} [#{domain[:users].keys.map{|k| domain[:users][k]}.join(", ")} ]")
-
-      # cleanup
       disconnect
       return
+
     rescue ::Timeout::Error
     rescue ::Interrupt
       raise $!
