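--- a/<path-not-shown-on-page>
+++ b/<path-not-shown-on-page>
@@ -0,0 +1,76 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+ # Exploit mixins should go first
+ include Msf::Exploit::Remote::Tcp
+
+ # Scanner mixin should be near last
+ include Msf::Auxiliary::Scanner
+ include Msf::Auxiliary::Report
+
+ # Aliases for common classes
+ SIMPLE = Rex::Proto::SMB::SimpleClient
+ XCEPT = Rex::Proto::SMB::Exceptions
+ CONST = Rex::Proto::SMB::Constants
+
+ def initialize
+ super(
+ 'Name' => 'SMBv1 Protocol Detection',
+ 'Description' => 'Detect systems that support the SMBv1 protocol',
+ 'Author' => 'Chance Johnson @loftwing',
+ 'License' => MSF_LICENSE
+ )
+
+ register_options([ Opt::RPORT(445) ])
+ end
+
+ # Modified from smb2 module by @hdm
+ # Fingerprint a single host
+ def run_host(ip)
+ begin
+ connect
+
+ # Only accept NT LM 0.12 dialect and WfW3.0
+ dialects = ['PC NETWORK PROGRAM 1.0',
+ 'LANMAN1.0',
+ 'Windows for Workgroups 3.1a',
+ 'LM1.2X002',
+ 'LANMAN2.1',
+ 'NT LM 0.12']
+ data = dialects.collect { |dialect| "\x02" + dialect + "\x00" }.join('')
+
+ pkt = Rex::Proto::SMB::Constants::SMB_NEG_PKT.make_struct
+ pkt['Payload']['SMB'].v['Command'] = Rex::Proto::SMB::Constants::SMB_COM_NEGOTIATE
+ pkt['Payload']['SMB'].v['Flags1'] = 0x08
+ pkt['Payload']['SMB'].v['Flags2'] = 0xc801
+ pkt['Payload'].v['Payload'] = data
+
+ pkt['Payload']['SMB'].v['ProcessID'] = rand(0x10000)
+ pkt['Payload']['SMB'].v['MultiplexID'] = rand(0x10000)
+
+ sock.put(pkt.to_s)
+ res = sock.get_once
+ # expecting \xff instead of \xfe
+ if res && res.index("\xffSMB")
+ print_good("#{ip} supports SMBv1 dialect.")
+ report_note(
+ host: ip,
+ proto: 'tcp',
+ sname: 'smb1',
+ port: rport,
+ type: "supports SMB 1"
+ )
+ end
+ rescue ::Rex::ConnectionError
+ rescue EOFError
+ rescue Errno::ECONNRESET
+ rescue ::Exception => e
+ print_error("#{rhost}: #{e.class} #{e} #{e.backtrace}")
+ ensure
+ disconnect
+ end
+ end
+end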
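Review bot: `rescue ::Exception => e` at the bottom of run_host also catches Interrupt and SystemExit, so a Ctrl-C during a scan is reported as a module error on that host instead of stopping the run, and `#{e.backtrace}` interpolates the Array's inspect form into one line; narrow it to `rescue ::StandardError => e` and print `e.backtrace.join("\n")` (or hand the exception to elog) so the message stays readable. The comment `# Only accept NT LM 0.12 dialect and WfW3.0` does not match the list under it, which offers six dialects starting with PC NETWORK PROGRAM 1.0 and LANMAN1.0; `# Offer the standard SMB1 dialect list (PC NETWORK PROGRAM 1.0 through NT LM 0.12)` describes what the code does. The `res.index("\xffSMB")` check depends on the literal and the socket data having compatible encodings: if the module source is evaluated as UTF-8 while get_once returns binary data, String#index raises Encoding::CompatibilityError for two non-ASCII strings, which the broad rescue would then print as an error for every responding host, so `"\xffSMB".b` (or a binary coding magic comment) removes the dependence on how the framework loads the file — worth confirming against the loader. The three empty rescues for connection errors are a reasonable best-effort for a scanner, but a `vprint_error("#{ip}: connection failed")` there would make unreachable hosts visible in verbose mode.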