
Update SAMR computer and ICPR cert to support SMB sessions #18908

Conversation

adfoster-r7 (Contributor)

Update SAMR computer and ICPR cert to support SMB sessions

Verification

Open session

msf6 auxiliary(scanner/smb/smb_login) > run 192.168.123.13 username=administrator password=p4$$w0rd8 createsession=true smb::alwaysencrypt=true

[*] 192.168.123.13:445    - 192.168.123.13:445 - Starting SMB login bruteforce
[+] 192.168.123.13:445    - 192.168.123.13:445 - Success: '.\administrator:p4$$w0rd8' Administrator
[!] 192.168.123.13:445    - No active DB -- Credential data will not be saved!
[*] SMB session 1 opened (192.168.123.1:52649 -> 192.168.123.13:445) at 2024-03-01 12:06:45 +0000
[*] 192.168.123.13:445    - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Run SAMR module

msf6 auxiliary(admin/dcerpc/samr_computer) > rerun session=-1 action=LOOKUP_COMPUTER COMPUTER_NAME=DESKTOP-A1N30IDK$
[*] Reloading module...
[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST

[*] Using existing session 1
[*] Connecting to Security Account Manager (SAM) Remote Protocol
[*] Binding to \samr...
[+] Bound to \samr
[*] Using automatically identified domain: ADF3
[+] Found ADF3\DESKTOP-A1N30IDK$ (SID: S-1-5-21-1266190811-2419310613-1856291569-3106)
[*] Auxiliary module execution completed

Run ICPR module

msf6 auxiliary(admin/dcerpc/icpr_cert) > run session=-1 ca=adf3-DC3-CA

[*] Using existing session 3
[*] Connecting to ICertPassage (ICPR) Remote Protocol
[*] Binding to \cert...
[+] Bound to \cert
[*] Requesting a certificate for user  - digest algorithm: SHA256 - template: User
[+] The requested certificate was issued.
[*] Certificate Email: administrator@adf3.local
[*] Certificate UPN: Administrator@adf3.local
[!] No active DB -- Credential data will not be saved!
[*] Certificate stored at: /Users/user/.msf4/loot/20240301124630_default_unknown_windows.ad.cs_667674.pfx
[*] Auxiliary module execution completed

@adfoster-r7 adfoster-r7 force-pushed the update-samr-computer-and-icpr-cert-to-support-smb-sessions branch from 55646b9 to 30b92d1 on March 1, 2024 12:47
@adfoster-r7 adfoster-r7 force-pushed the update-samr-computer-and-icpr-cert-to-support-smb-sessions branch from 30b92d1 to 76166c0 on March 1, 2024 17:54

Review comment from adfoster-r7 (Contributor, Author) on these lines of the diff:

    yield opts
    ensure
    opts[:tree].disconnect! if opts[:tree]

Not a blocker for me, but it looks like the current request_certificate/connect_ipc method doesn't perform IPC cleanup if it opens a new connection.

In ruby_smb's examples there are other places that aren't cleaned up correctly

It also looks like as part of tree_connect there's an array of @tree_connects:

https://github.com/rapid7/ruby_smb/blob/f29b6811854fb6bf20a5d9069c7205c89601983d/lib/ruby_smb/client.rb#L614

But the caching doesn't get cleaned up when you later call tree.disconnect!:

https://github.com/rapid7/ruby_smb/blob/f29b6811854fb6bf20a5d9069c7205c89601983d/lib/ruby_smb/smb1/tree.rb#L43

It also looks like there are two ways to disconnect trees, via the tree instance or via the client instance. Neither cleans up the @tree_connects instance variable:

https://github.com/rapid7/ruby_smb/blob/f29b6811854fb6bf20a5d9069c7205c89601983d/lib/ruby_smb/client/utils.rb#L69-L71

Nothing actionable from this, just documenting my findings
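The two cleanup points raised in the comment above (a helper that opens its own IPC$ tree should disconnect it in an `ensure`, and only when it opened it; and disconnecting a tree should also drop it from the client's `@tree_connects` cache) are shown below in a small self-contained Ruby model. This is an added example, not code from ruby_smb or from this pull request; `ToyTree`, `ToyClient` and `with_ipc_tree` are names assumed for illustration and do not correspond to ruby_smb's API.

```ruby
# Added example, not ruby_smb or Metasploit code. A toy SMB client that shows
# the two cleanup points discussed above: (1) a helper that opens its own tree
# must disconnect it in `ensure`, and only when it opened it; (2) disconnecting
# a tree must also remove it from the client's connection cache.
# Names (ToyTree, ToyClient, with_ipc_tree) are assumptions for illustration.

class ToyTree
  attr_reader :share

  def initialize(client, share)
    @client = client
    @share = share
    @connected = true
  end

  def connected?
    @connected
  end

  # Tear down the tree and remove it from the owning client's cache so the
  # client does not keep a stale reference to a disconnected tree.
  def disconnect!
    @connected = false
    @client.forget_tree(self)
    :disconnected
  end
end

class ToyClient
  attr_reader :tree_connects

  def initialize
    @tree_connects = [] # stand-in for a client-side cache of open trees
  end

  def tree_connect(share)
    tree = ToyTree.new(self, share)
    @tree_connects << tree
    tree
  end

  def forget_tree(tree)
    @tree_connects.delete(tree)
  end
end

# Yield an options hash carrying an IPC$ tree. If the caller passed opts[:tree],
# reuse it and leave its lifetime to the caller. Otherwise open one here and
# disconnect it in `ensure`, so a raise inside the block cannot leak it.
def with_ipc_tree(client, opts = {})
  opts = opts.dup
  opened_here = opts[:tree].nil?
  opts[:tree] ||= client.tree_connect('IPC$')
  yield opts
ensure
  opts[:tree].disconnect! if opened_here && opts[:tree]
end

# Exercise both ownership paths and return what a caller can observe:
# [trees cached after a failing block, caller's own tree still connected?,
#  trees cached at the end]
def demo_tree_cleanup
  client = ToyClient.new

  # Path 1: helper opens the tree, the block raises, the tree must still go away.
  begin
    with_ipc_tree(client) { |_o| raise 'simulated RPC failure' }
  rescue RuntimeError
    # expected: the failure propagates, but the ensure has already run
  end
  cached_after_failure = client.tree_connects.size

  # Path 2: caller owns the tree; the helper must not disconnect it.
  mine = client.tree_connect('IPC$')
  with_ipc_tree(client, tree: mine) { |o| o[:tree].share }
  caller_tree_alive = mine.connected?
  mine.disconnect!

  [cached_after_failure, caller_tree_alive, client.tree_connects.size]
end

puts demo_tree_cleanup.inspect
```

The `opened_here` flag is the part that matters for a module that can run against either an existing SESSION or a fresh RHOST connection: an `ensure` that unconditionally disconnects `opts[:tree]` would tear down a tree the session owner still expects to use, while an `ensure` that never disconnects leaks every tree the helper opened itself.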

@dwelch-r7 dwelch-r7 self-assigned this Mar 4, 2024
@adfoster-r7 adfoster-r7 marked this pull request as ready for review March 4, 2024 11:38
@dwelch-r7 dwelch-r7 merged commit 28a38f3 into rapid7:master Mar 4, 2024
33 of 34 checks passed
dwelch-r7 (Contributor)

Release Notes

Update SAMR computer and ICPR cert to support SMB sessions

@dwelch-r7 dwelch-r7 added the rn-enhancement release notes enhancement label Mar 4, 2024