Land rapid7#8978, Add smb1 scanner

bwatters-r7 · bwatters-r7 · commit 66d6ac418ae6 · 2017-09-26T16:06:41.000-05:00
diff --git a/documentation/modules/auxiliary/scanner/smb/smb1.md b/documentation/modules/auxiliary/scanner/smb/smb1.md
@@ -0,0 +1,55 @@
+# Description
+This module scans for hosts that support the SMBv1 protocol.  It works by sending an SMB_COM_NEGOTATE request to each host specified in RHOSTS and claims that it only supports the following SMB dialects:
+```PC NETWORK PROGRAM 1.0
+LANMAN1.0
+Windows for Workgroups 3.1a
+LM1.2X002
+LANMAN2.1
+NT LM 0.12
+```
+If the SMB server has SMBv1 enabled it will respond to the request with a dialect selected.
+If the SMB server does not support SMBv1 a RST will be sent.
+
+___
+# Usage
+
+The following is an example of its usage, where x.x.x.x allows SMBv1 and y.y.y.y does not.
+
+#### A host that does support SMBv1.
+
+```
+msf auxiliary(smb1) > use auxiliary/scanner/smb/smb1
+msf auxiliary(smb1) > set RHOSTS x.x.x.x
+RHOSTS => x.x.x.x
+msf auxiliary(smb1) > run
+
+[+] x.x.x.x:445        - x.x.x.x supports SMBv1 dialect.
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf auxiliary(smb1) > services -S x.x.x.x
+
+Services
+========
+
+host        port  proto  name  state  info
+----        ----  -----  ----  -----  ----
+x.x.x.x 445   tcp    smb1  open
+```
+
+#### A host that does not support SMBv1
+
+```
+msf auxiliary(smb1) > use auxiliary/scanner/smb/smb1
+msf auxiliary(smb1) > set RHOSTS y.y.y.y
+RHOSTS => y.y.y.y
+msf auxiliary(smb1) > run
+
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+___
+
+
+## Options
+
+The only option is RHOSTS, which can be specified as a single IP, hostname, or an IP range in CIDR notation or range notation.  It can also be set using hosts from the database using ```hosts -R```.
diff --git a/modules/auxiliary/scanner/smb/smb1.rb b/modules/auxiliary/scanner/smb/smb1.rb
@@ -0,0 +1,76 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+  # Exploit mixins should go first
+  include Msf::Exploit::Remote::Tcp
+
+  # Scanner mixin should be near last
+  include Msf::Auxiliary::Scanner
+  include Msf::Auxiliary::Report
+
+  # Aliases for common classes
+  SIMPLE = Rex::Proto::SMB::SimpleClient
+  XCEPT  = Rex::Proto::SMB::Exceptions
+  CONST  = Rex::Proto::SMB::Constants
+
+  def initialize
+    super(
+      'Name'        => 'SMBv1 Protocol Detection',
+      'Description' => 'Detect systems that support the SMBv1 protocol',
+      'Author'      => 'Chance Johnson @loftwing',
+      'License'     => MSF_LICENSE
+    )
+
+    register_options([ Opt::RPORT(445) ])
+  end
+
+  # Modified from smb2 module by @hdm
+  # Fingerprint a single host
+  def run_host(ip)
+    begin
+      connect
+
+      # Only accept NT LM 0.12 dialect and WfW3.0
+      dialects = ['PC NETWORK PROGRAM 1.0',
+                  'LANMAN1.0',
+                  'Windows for Workgroups 3.1a',
+                  'LM1.2X002',
+                  'LANMAN2.1',
+                  'NT LM 0.12']
+      data     = dialects.collect { |dialect| "\x02" + dialect + "\x00" }.join('')
+
+      pkt = Rex::Proto::SMB::Constants::SMB_NEG_PKT.make_struct
+      pkt['Payload']['SMB'].v['Command'] = Rex::Proto::SMB::Constants::SMB_COM_NEGOTIATE
+      pkt['Payload']['SMB'].v['Flags1'] = 0x08
+      pkt['Payload']['SMB'].v['Flags2'] = 0xc801
+      pkt['Payload'].v['Payload']       = data
+
+      pkt['Payload']['SMB'].v['ProcessID']     = rand(0x10000)
+      pkt['Payload']['SMB'].v['MultiplexID']   = rand(0x10000)
+
+      sock.put(pkt.to_s)
+      res = sock.get_once
+      # expecting \xff instead of \xfe
+      if res && res.index("\xffSMB")
+        print_good("#{ip} supports SMBv1 dialect.")
+        report_note(
+          host: ip,
+          proto: 'tcp',
+          sname: 'smb1',
+          port: rport,
+          type: "supports SMB 1"
+        )
+      end
+    rescue ::Rex::ConnectionError
+    rescue EOFError
+    rescue Errno::ECONNRESET
+    rescue ::Exception => e
+      print_error("#{rhost}: #{e.class} #{e} #{e.backtrace}")
+    ensure
+      disconnect
+    end
+  end
+end
