Merge pull request rapid7#102 from rapid7/feature/MSP-9707/smb-bruteforce-refactor

Feature/msp 9707/smb bruteforce refactor

MSP-9707 #land

Author: trosen-r7

Gemfile.local.example

@@ -27,8 +27,6 @@ end
 
 # Create a custom group
 group :local do
-  # Use pry to help view and interact with objects in the framework
-  gem 'pry', '~> 0.9'
   # Use pry-debugger to step through code during development
   gem 'pry-debugger', '~> 0.2'
   # Add the lab gem so that the 'lab' plugin will work again

lib/metasploit/framework/login_scanner/smb.rb

@@ -17,6 +17,19 @@ class SMB
         include Metasploit::Framework::LoginScanner::RexSocket
         include Metasploit::Framework::LoginScanner::NTLM
 
+        # Constants to be used in {Result#access_level}
+        module AccessLevels
+          # Administrative access. For SMB, this is defined as being
+          # able to successfully Tree Connect to the `ADMIN$` share.
+          # This definition is not without its problems, but suffices to
+          # conclude that such a user will most likely be able to use
+          # psexec.
+          ADMINISTRATOR = "Administrator"
+          # Guest access means our creds were accepted but the logon
+          # session is not associated with a real user account.
+          GUEST = "Guest"
+        end
+
         CAN_GET_SESSION      = true
         DEFAULT_REALM        = 'WORKSTATION'
         LIKELY_PORTS         = [ 139, 445 ]
@@ -100,6 +113,27 @@ module StatusCodes
                   allow_nil: true
 
 
+        # If login is successul and {Result#access_level} is not set
+        # then arbitrary credentials are accepted. If it is set to
+        # Guest, then arbitrary credentials are accepted, but given
+        # Guest permissions.
+        #
+        # @param domain [String] Domain to authenticate against. Use an
+        #   empty string for local accounts.
+        # @return [Result]
+        def attempt_bogus_login(domain)
+          if defined?(@result_for_bogus)
+            return @result_for_bogus
+          end
+          cred = Credential.new(
+            public: Rex::Text.rand_text_alpha(8),
+            private: Rex::Text.rand_text_alpha(8),
+            realm: domain
+          )
+          @result_for_bogus = attempt_login(cred)
+        end
+
+
         # (see Base#attempt_login)
         def attempt_login(credential)
 
@@ -121,7 +155,7 @@ def attempt_login(credential)
 
           begin
             # TODO: OMG
-            ok = simple.login(
+            simple.login(
               smb_name,
               credential.public,
               credential.private,
@@ -140,16 +174,29 @@ def attempt_login(credential)
               }
             )
 
-            simple.connect("\\\\#{smb_name}\\IPC$")
-            status = ok ? :success : :failed
-          rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e
+            # Windows SMB will return an error code during Session
+            # Setup, but nix Samba requires a Tree Connect. Try admin$
+            # first, since that will tell us if this user has local
+            # admin access. Fall back to IPC$ which should be accessible
+            # to any user with valid creds.
+            begin
+              simple.connect("\\\\#{host}\\admin$")
+              access_level = AccessLevels::ADMINISTRATOR
+              simple.disconnect("\\\\#{host}\\admin$")
+            rescue ::Rex::Proto::SMB::Exceptions::ErrorCode
+              simple.connect("\\\\#{host}\\IPC$")
+            end
+
+            # If we made it this far without raising, we have a valid
+            # login
+            status = :success
+          rescue ::Rex::Proto::SMB::Exceptions::LoginError => e
             status = case e.get_error(e.error_code)
                      when *StatusCodes::CORRECT_CREDENTIAL_STATUS_CODES
                        :correct
                      when 'STATUS_LOGON_FAILURE', 'STATUS_ACCESS_DENIED'
                        :failed
                      else
-                       puts e.backtrace.join
                        :failed
                      end
 
@@ -161,7 +208,11 @@ def attempt_login(credential)
             status = :connection_error
           end
 
-          Result.new(credential: credential, status: status, proof: proof)
+          if status == :success && simple.client.auth_user.nil?
+            access_level ||= AccessLevels::GUEST
+          end
+
+          Result.new(credential: credential, status: status, proof: proof, access_level: access_level)
         end
 
         def connect
@@ -206,6 +257,7 @@ def set_sane_defaults
           self.smb_name = self.host if self.smb_name.nil?
 
         end
+
       end
     end
   end

lib/rex/proto/smb/exceptions.rb

@@ -736,6 +736,10 @@ def initialize(*args)
     super(*args)
   end
 
+  def error_name
+    get_error(error_code)
+  end
+
   # returns an error string if it exists, otherwise just the error code
   def get_error(error)
     string = ''
@@ -807,7 +811,7 @@ def to_s
 class ErrorCode < InvalidPacket
   def to_s
     'The server responded with error: ' +
-    self.get_error(self.error_code) +
+    self.error_name +
     " (Command=#{self.command} WordCount=#{self.word_count})"
   end
 end