Win10 doesn't support SMB1 functionality in lib/rex/proto/smb/simpleclient.rb
#9890
Closed
Windows 10 appears to completely ignore our attempts to connect with our existing Rex::Proto::SMB login() method. In fact, it will immediately respond with a TCP RST if we try to use something like the windows/x64/meterpreter_bind_named_pipe payload. This problem is likely present in other new versions of Windows, but I have not tested it.
Steps to reproduce

1. meterpreter_bind_named_pipe payload:
2. Deploy the above payload on a Windows 10 x64 target (fully patched, in my case).
3. Configure a handler for meterpreter_bind_named_pipe:

Expected behavior
The payload should connect successfully, or at least progress past SMB Session Negotiation.
Current behavior
The SMB session is aborted by the target when it realizes that SMB2 isn't possible. Surprisingly, there is no response packet indicating an error. The TCP connection is just forcibly reset.
See below for a side-by-side comparison of current vs expected behavior. Left is Metasploit's simpleclient::login(). Right is a known-good OS X SMB implementation:

We get a traceback in the case of either error, but because of over-zealous exception handling, we get back a 'login failed' error, but not enough information to know why:
Modifying metasploit-framework/lib/msf/core/handler/bind_named_pipe.rb:317 to not catch every exception gives us a more helpful traceback:

System stuff
Metasploit version
I installed Metasploit with:
OS
Mac OS X 10.13.4 (fully patched) against a Windows 10 x64 target.
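The negotiation the issue turns on, as an added example (not code from metasploit-framework or from the reporter): a small Ruby builder and parser for SMB NEGOTIATE requests that classifies whether a client advertises only SMB1 dialects, which is the client population a server with SMB1 disabled will refuse. Packet layouts follow the SMB1 (MS-CIFS) and SMB2 (MS-SMB2) specifications; the sample packets are constructed here, and offsets assume the 4-byte NetBIOS session header has already been stripped.

```ruby
# Added example (not metasploit-framework code): build and classify SMB
# NEGOTIATE requests so a defender can tell whether a client advertises only
# SMB1 dialects. Layouts follow MS-CIFS (SMB1) and MS-SMB2; the sample packets
# at the bottom are constructed. Offsets assume the 4-byte NetBIOS session
# header has already been removed.

SMB1_MAGIC        = "\xFFSMB".b
SMB2_MAGIC        = "\xFESMB".b
SMB_COM_NEGOTIATE = 0x72     # SMB1 command byte
SMB2_NEGOTIATE    = 0x0000   # SMB2 command code

# SMB2 dialect revision codes carried in an SMB2 NEGOTIATE request
SMB2_DIALECTS = {
  0x0202 => 'SMB 2.0.2', 0x0210 => 'SMB 2.1', 0x0300 => 'SMB 3.0',
  0x0302 => 'SMB 3.0.2', 0x0311 => 'SMB 3.1.1'
}.freeze

# SMB1 NEGOTIATE: 32-byte header, WordCount 0, ByteCount, then one
# 0x02-prefixed NUL-terminated string per dialect.
def build_smb1_negotiate(dialects)
  header = SMB1_MAGIC + [SMB_COM_NEGOTIATE].pack('C') + ("\x00" * 27).b
  body   = dialects.map { |d| "\x02".b + d.b + "\x00".b }.join
  header + [0].pack('C') + [body.bytesize].pack('v') + body
end

# SMB2 NEGOTIATE: 64-byte header, 36-byte request body (StructureSize,
# DialectCount, SecurityMode, Reserved, Capabilities, ClientGuid,
# ClientStartTime) followed by 16-bit dialect codes.
def build_smb2_negotiate(dialect_codes)
  header = SMB2_MAGIC +
           [64, 0, 0, SMB2_NEGOTIATE, 0, 0, 0, 0, 0, 0, 0].pack('vvVvvVVQ<VVQ<') +
           ("\x00" * 16).b                       # Signature
  body   = [36, dialect_codes.size, 1, 0, 0].pack('vvvvV') +
           ("\x00" * 16).b +                     # ClientGuid
           ("\x00" * 8).b +                      # ClientStartTime
           dialect_codes.pack('v*')
  header + body
end

# Returns {version:, dialects:, offers_smb2:} for a NEGOTIATE request.
def parse_smb_negotiate(pkt)
  pkt = pkt.b
  raise ArgumentError, 'packet too short' if pkt.bytesize < 36

  if pkt.start_with?(SMB1_MAGIC)
    raise ArgumentError, 'not an SMB1 NEGOTIATE' unless pkt.getbyte(4) == SMB_COM_NEGOTIATE
    word_count = pkt.getbyte(32)
    bc_offset  = 33 + word_count * 2            # ByteCount follows the parameter words
    byte_count = pkt[bc_offset, 2].unpack1('v')
    raise ArgumentError, 'truncated SMB1 NEGOTIATE' if pkt.bytesize < bc_offset + 2 + byte_count
    data       = pkt[bc_offset + 2, byte_count]
    dialects   = data.split("\x00".b).map do |d|
      d.getbyte(0) == 0x02 ? d.byteslice(1, d.bytesize - 1) : d
    end
    # Windows-style clients list "SMB 2.002" / "SMB 2.???" here so the server
    # can answer with SMB2; an SMB1-only client lists "NT LM 0.12" and older.
    { version: :smb1, dialects: dialects,
      offers_smb2: dialects.any? { |d| d.start_with?('SMB 2.'.b) } }
  elsif pkt.start_with?(SMB2_MAGIC)
    raise ArgumentError, 'not an SMB2 NEGOTIATE' unless pkt[12, 2].unpack1('v') == SMB2_NEGOTIATE
    count = pkt[66, 2].unpack1('v')             # DialectCount at header(64) + 2
    raise ArgumentError, 'truncated SMB2 NEGOTIATE' if pkt.bytesize < 100 + count * 2
    codes = pkt[100, count * 2].unpack('v*')    # Dialects at 64 + 36
    names = codes.map { |c| SMB2_DIALECTS.fetch(c) { format('0x%04x', c) } }
    { version: :smb2, dialects: names, offers_smb2: true }
  else
    raise ArgumentError, 'not an SMB packet'
  end
end

# True when the client can only end up on SMB1, i.e. the population a server
# with SMB1 disabled will refuse.
def smb1_only?(pkt)
  !parse_smb_negotiate(pkt)[:offers_smb2]
end

if $PROGRAM_NAME == __FILE__
  # Constructed samples: an SMB1-only client, a multi-protocol SMB1 negotiate
  # that allows an upgrade to SMB2, and a native SMB2 negotiate.
  samples = {
    'legacy SMB1 client' => build_smb1_negotiate(['NT LM 0.12']),
    'multi-protocol'     => build_smb1_negotiate(['NT LM 0.12', 'SMB 2.002', 'SMB 2.???']),
    'native SMB2 client' => build_smb2_negotiate([0x0202, 0x0210, 0x0311])
  }
  samples.each do |name, pkt|
    info = parse_smb_negotiate(pkt)
    puts "#{name}: #{info[:version]} dialects=#{info[:dialects].inspect} smb1_only=#{smb1_only?(pkt)}"
  end
end
```

Run over a capture's first client-to-server SMB message, smb1_only? flags the clients that a server with SMB1 disabled will drop at negotiation, which is the same boundary the reporter hit: a negotiate carrying only "NT LM 0.12" gives the server no SMB2 dialect to answer with.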