
Pipe auditing mixin now ensures named pipes start with a backslash #11860

Merged (8 commits), May 23, 2019

Conversation

NoodleOfDeath
Contributor

@NoodleOfDeath NoodleOfDeath commented May 20, 2019

The named_pipes.txt wordlist provided by the metasploit framework contains pipe names that are not prefixed with a backslash. The auxiliary/scanner/smb/pipe_auditor module does not seem to work properly for some Samba protocol versions (namely protocol 3) unless each pipe name is prefixed with a backslash. I updated lib/exploit/smb/client/pipe_auditor.rb to check for the missing backslash and to prepend it if missing.

Verifications

List the steps needed to make sure this thing works

  • Start msfconsole
  • use auxiliary/scanner/smb/pipe_auditor
  • Verify the thing does what it should
    Running with default named_pipes.txt does not work without fix and does with fix
  • Document (nothing to document or no existing documents to add to)

Fixes #9618 and fixes #11870.
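The normalisation the description above asks for, as an added Ruby example (not the PR's own change to `lib/exploit/smb/client/pipe_auditor.rb` and not Metasploit code). It prepends the backslash only when one is missing and is idempotent, so a caller that prints names with its own leading backslash cannot produce the doubled `\\netlogon` seen in the summary lines posted later in this thread. The function names and the sample wordlist are assumptions made for this example.

```ruby
# Added example, not from the PR or from Metasploit. Normalises SMB named-pipe
# names so that each carries exactly one leading backslash, however the
# wordlist spelled it. Function names and sample data are constructed.

# Returns the pipe name with exactly one leading backslash. Leading and
# trailing whitespace from the wordlist line is dropped; an empty or
# all-whitespace line yields nil so callers can skip it. Idempotent:
# applying it to an already-prefixed name does not add a second backslash.
def normalize_pipe_name(name)
  return nil if name.nil?
  stripped = name.strip
  return nil if stripped.empty?
  # Collapse any run of leading backslashes (or forward slashes) to one.
  "\\" + stripped.sub(/\A[\\\/]+/, '')
end

# Reads wordlist text (one pipe name per line, '#' comments allowed) and
# returns the unique normalised names in their original order.
def load_pipe_wordlist(text)
  text.each_line
      .map { |line| line.sub(/#.*/, '') }      # drop trailing comments
      .map { |line| normalize_pipe_name(line) }
      .compact
      .uniq
end

# Builds a summary string the way a scanner might print its accessible
# pipes; because normalisation is idempotent it never doubles the prefix.
def summarize_pipes(names)
  names.map { |n| normalize_pipe_name(n) }.join(', ')
end

# Constructed sample wordlist mixing bare, prefixed and doubly-prefixed
# names, an internal backslash, a comment and a duplicate.
SAMPLE_WORDLIST = <<~LIST
  netlogon
  \\lsarpc
  \\\\samr
  DAV RPC SERVICE
  PIPE_EVENTROOT\\CIMV2SCM EVENT PROVIDER
  # a comment line
  netlogon

LIST

if __FILE__ == $PROGRAM_NAME
  puts load_pipe_wordlist(SAMPLE_WORDLIST)
  puts summarize_pipes(load_pipe_wordlist(SAMPLE_WORDLIST))
end
```

Internal backslashes (as in `PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER`) are left untouched; only the leading run is collapsed.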

@NoodleOfDeath NoodleOfDeath changed the title smb client now prepends named pipes with missing backslash during ch… smb client now prepends named pipes with missing backslash May 20, 2019
Co-Authored-By: bcoles <bcoles@gmail.com>
@wvu
Contributor

wvu commented May 20, 2019

I'm actually really curious why we didn't need this before, so I'll investigate that in a bit, but I intend to land this regardless. Thanks!

@wvu
Contributor

wvu commented May 21, 2019

Can you post your output and Windows version?

It is working for me on master against Windows Server 2008 R2:

msf5 auxiliary(scanner/smb/pipe_auditor) > git status
[*] exec: git status

On branch master
Your branch is up to date with 'upstream/master'.

nothing to commit, working tree clean
msf5 auxiliary(scanner/smb/pipe_auditor) > options

Module options (auxiliary/scanner/smb/pipe_auditor):

   Name         Current Setting                                              Required  Description
   ----         ---------------                                              --------  -----------
   NAMED_PIPES  /rapid7/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
   RHOSTS       192.168.56.103                                               yes       The target address range or CIDR identifier
   SMBDomain    .                                                            no        The Windows domain to use for authentication
   SMBPass      trustno1!                                                    no        The password for the specified username
   SMBUser      Administrator                                                no        The username to authenticate as
   THREADS      1                                                            yes       The number of concurrent threads

msf5 auxiliary(scanner/smb/pipe_auditor) > cat /rapid7/metasploit-framework/data/wordlists/named_pipes.txt
[*] exec: cat /rapid7/metasploit-framework/data/wordlists/named_pipes.txt

netlogon
lsarpc
samr
browser
atsvc
DAV RPC SERVICE
epmapper
eventlog
InitShutdown
keysvc
lsass
LSM_API_service
ntsvcs
plugplay
protected_storage
router
SapiServerPipeS-1-5-5-0-70123
scerpc
srvsvc
tapsrv
trkwks
W32TIME_ALT
wkssvc
PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER
db2remotecmd
msf5 auxiliary(scanner/smb/pipe_auditor) > run

[*] 192.168.56.103:445    - Connected to named pipe: netlogon
[*] 192.168.56.103:445    - Connected to named pipe: lsarpc
[*] 192.168.56.103:445    - Connected to named pipe: samr
[-] 192.168.56.103:445    - Inaccessible named pipe: browser - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[*] 192.168.56.103:445    - Connected to named pipe: atsvc
[-] 192.168.56.103:445    - Inaccessible named pipe: DAV RPC SERVICE - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[*] 192.168.56.103:445    - Connected to named pipe: epmapper
[*] 192.168.56.103:445    - Connected to named pipe: eventlog
[*] 192.168.56.103:445    - Connected to named pipe: InitShutdown
[*] 192.168.56.103:445    - Connected to named pipe: keysvc
[*] 192.168.56.103:445    - Connected to named pipe: lsass
[*] 192.168.56.103:445    - Connected to named pipe: LSM_API_service
[*] 192.168.56.103:445    - Connected to named pipe: ntsvcs
[*] 192.168.56.103:445    - Connected to named pipe: plugplay
[*] 192.168.56.103:445    - Connected to named pipe: protected_storage
[-] 192.168.56.103:445    - Inaccessible named pipe: router - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 192.168.56.103:445    - Inaccessible named pipe: SapiServerPipeS-1-5-5-0-70123 - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[*] 192.168.56.103:445    - Connected to named pipe: scerpc
[*] 192.168.56.103:445    - Connected to named pipe: srvsvc
[-] 192.168.56.103:445    - Inaccessible named pipe: tapsrv - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[*] 192.168.56.103:445    - Connected to named pipe: trkwks
[*] 192.168.56.103:445    - Connected to named pipe: W32TIME_ALT
[*] 192.168.56.103:445    - Connected to named pipe: wkssvc
[-] 192.168.56.103:445    - Inaccessible named pipe: PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 192.168.56.103:445    - Inaccessible named pipe: db2remotecmd - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[+] 192.168.56.103:445    - Pipes: \netlogon, \lsarpc, \samr, \atsvc, \epmapper, \eventlog, \InitShutdown, \keysvc, \lsass, \LSM_API_service, \ntsvcs, \plugplay, \protected_storage, \scerpc, \srvsvc, \trkwks, \W32TIME_ALT, \wkssvc
[*] 192.168.56.103:       - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/smb/pipe_auditor) >

Are you sure the target has SMBv1 enabled? I don't think this code was updated to use RubySMB yet, so SMBv2 does not work.

msf5 auxiliary(scanner/smb/pipe_auditor) > set rhosts 192.168.56.101
rhosts => 192.168.56.101
msf5 auxiliary(scanner/smb/pipe_auditor) > run

[*] 192.168.56.101:       - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/smb/pipe_auditor) >
wvu@kharak:~$ nmap -Pn -n -v -p 445 --script smb-protocols 192.168.56.101,103
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-21 14:30 CDT
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 14:30
Completed NSE at 14:30, 0.00s elapsed
Initiating Connect Scan at 14:30
Scanning 2 hosts [1 port/host]
Discovered open port 445/tcp on 192.168.56.103
Discovered open port 445/tcp on 192.168.56.101
Completed Connect Scan at 14:30, 0.00s elapsed (2 total ports)
NSE: Script scanning 2 hosts.
Initiating NSE at 14:30
Completed NSE at 14:30, 0.05s elapsed
Nmap scan report for 192.168.56.101
Host is up (0.0012s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-protocols:
|   dialects:
|     2.02
|     2.10
|     3.00
|     3.02
|_    3.11

Nmap scan report for 192.168.56.103
Host is up (0.00042s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-protocols:
|   dialects:
|     NT LM 0.12 (SMBv1) [dangerous, but default]
|     2.02
|_    2.10

NSE: Script Post-scanning.
Initiating NSE at 14:30
Completed NSE at 14:30, 0.00s elapsed
Read data files from: /usr/local/bin/../share/nmap
Nmap done: 2 IP addresses (2 hosts up) scanned in 0.27 seconds
wvu@kharak:~$

I'm still inclined to land your PR, but if it's broken in the pipe auditing mixin, it could be broken in many other places.
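The SMBv1 check made above with nmap's `smb-protocols` script, as an added Ruby example (not from the PR, Metasploit or nmap): it parses the host-script block of nmap's normal output, lists each host's dialects and flags any host still offering `NT LM 0.12`, the only dialect this pre-RubySMB code path can use. Function names and the sample report are constructed for this example and mirror the shape of the nmap 7.70 output shown in the comment above.

```ruby
# Added example, not from the PR, Metasploit or nmap. Parses the
# `smb-protocols` host-script block of nmap normal output and reports which
# hosts still advertise SMBv1. Function names and sample data are constructed.

# Returns the dialect strings nmap listed under "smb-protocols:" for one
# host's report text, or [] when the block is absent or empty.
def parse_smb_dialects(report)
  dialects = []
  in_block = false
  report.each_line do |line|
    unless in_block
      next unless line =~ /\A\|_?\s*smb-protocols:/
      in_block = true
      break if line.start_with?('|_')   # one-line block: nothing listed
      next
    end
    # Lines inside a script block start with "|"; "|_" marks the last one.
    m = line.match(/\A\|(_?)\s*(.*?)\s*\z/)
    break unless m                      # left the script block
    last = !m[1].empty?
    entry = m[2]
    dialects << entry unless entry.empty? || entry == 'dialects:'
    break if last
  end
  dialects
end

# True when the host negotiates the SMBv1 dialect (nmap prints it as
# "NT LM 0.12 (SMBv1) [dangerous, but default]").
def smbv1_offered?(dialects)
  dialects.any? { |d| d.include?('NT LM 0.12') || d.include?('SMBv1') }
end

# Splits a multi-host report at "Nmap scan report for <addr>" lines and
# returns { addr => [dialects] }.
def smb_dialects_by_host(report)
  result = {}
  current = nil
  buffer = +''
  report.each_line do |line|
    if (m = line.match(/\ANmap scan report for (\S+)/))
      result[current] = parse_smb_dialects(buffer) if current
      current = m[1]
      buffer = +''
    else
      buffer << line
    end
  end
  result[current] = parse_smb_dialects(buffer) if current
  result
end

# Constructed two-host report in the layout nmap 7.70 uses.
SAMPLE_NMAP = <<~NMAP
  Nmap scan report for 192.0.2.10
  Host is up (0.0012s latency).

  PORT    STATE SERVICE
  445/tcp open  microsoft-ds

  Host script results:
  | smb-protocols:
  |   dialects:
  |     2.02
  |     2.10
  |_    3.11

  Nmap scan report for 192.0.2.11
  Host is up (0.00042s latency).

  PORT    STATE SERVICE
  445/tcp open  microsoft-ds

  Host script results:
  | smb-protocols:
  |   dialects:
  |     NT LM 0.12 (SMBv1) [dangerous, but default]
  |     2.02
  |_    2.10
NMAP

if __FILE__ == $PROGRAM_NAME
  smb_dialects_by_host(SAMPLE_NMAP).each do |host, dialects|
    verdict = smbv1_offered?(dialects) ? 'SMBv1 offered' : 'SMBv2+ only'
    puts "#{host}: #{verdict} (#{dialects.join(', ')})"
  end
end
```

A host that reports only 2.x/3.x dialects will show no pipes from this module regardless of the backslash fix, which is the distinction the comment above draws.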

@wvu wvu changed the title smb client now prepends named pipes with missing backslash Pipe auditing mixin now ensures named pipes start with a backslash May 21, 2019
@NoodleOfDeath
Contributor Author

NoodleOfDeath commented May 22, 2019

Master still does not work on my target, but with the fix it does. I have no idea why because I am currently taking the PWK course and still have not rooted the machine (I'm a noob). Below I reproduce both scenarios and include all of the logs (and if it helps I post the complete nmap scan on the target as well). My guess is that the issue is related to the target running Linux.

Without Fix

msf5 > git status
[*] exec: git status

On branch master
Your branch is up to date with 'origin/master'.

nothing to commit, working tree clean
msf5 > use auxiliary/scanner/smb/pipe_auditor
msf5 auxiliary(scanner/smb/pipe_auditor) > options

Module options (auxiliary/scanner/smb/pipe_auditor):

   Name         Current Setting                                                         Required  Description
   ----         ---------------                                                         --------  -----------
   NAMED_PIPES  /root/OneDrive/git/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
   RHOSTS                                                                               yes       The target address range or CIDR identifier
   SMBDomain    .                                                                       no        The Windows domain to use for authentication
   SMBPass                                                                              no        The password for the specified username
   SMBUser                                                                              no        The username to authenticate as
   THREADS      1                                                                       yes       The number of concurrent threads

msf5 auxiliary(scanner/smb/pipe_auditor) > cat /root/OneDrive/git/metasploit-framework/data/wordlists/named_pipes.txt
[*] exec: cat /root/OneDrive/git/metasploit-framework/data/wordlists/named_pipes.txt

netlogon
lsarpc
samr
browser
atsvc
DAV RPC SERVICE
epmapper
eventlog
InitShutdown
keysvc
lsass
LSM_API_service
ntsvcs
plugplay
protected_storage
router
SapiServerPipeS-1-5-5-0-70123
scerpc
srvsvc
tapsrv
trkwks
W32TIME_ALT
wkssvc
PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER
db2remotecmd
msf5 auxiliary(scanner/smb/pipe_auditor) > setg RHOSTS 10.11.1.136
RHOSTS => 10.11.1.136
msf5 auxiliary(scanner/smb/pipe_auditor) > setg VERBOSE true
VERBOSE => true
msf5 auxiliary(scanner/smb/pipe_auditor) > run

[-] 10.11.1.136:139       - Inaccessible named pipe: netlogon - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 10.11.1.136:139       - Inaccessible named pipe: lsarpc - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 10.11.1.136:139       - Inaccessible named pipe: samr - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 10.11.1.136:139       - Inaccessible named pipe: browser - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 10.11.1.136:139       - Inaccessible named pipe: atsvc - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 10.11.1.136:139       - Inaccessible named pipe: DAV RPC SERVICE - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 10.11.1.136:139       - Inaccessible named pipe: epmapper - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 10.11.1.136:139       - Inaccessible named pipe: eventlog - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 10.11.1.136:139       - Inaccessible named pipe: InitShutdown - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 10.11.1.136:139       - Inaccessible named pipe: keysvc - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 10.11.1.136:139       - Inaccessible named pipe: lsass - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 10.11.1.136:139       - Inaccessible named pipe: LSM_API_service - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 10.11.1.136:139       - Inaccessible named pipe: ntsvcs - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 10.11.1.136:139       - Inaccessible named pipe: plugplay - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 10.11.1.136:139       - Inaccessible named pipe: protected_storage - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 10.11.1.136:139       - Inaccessible named pipe: router - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 10.11.1.136:139       - Inaccessible named pipe: SapiServerPipeS-1-5-5-0-70123 - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 10.11.1.136:139       - Inaccessible named pipe: scerpc - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 10.11.1.136:139       - Inaccessible named pipe: srvsvc - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 10.11.1.136:139       - Inaccessible named pipe: tapsrv - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 10.11.1.136:445       - Inaccessible named pipe: netlogon - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 10.11.1.136:445       - Inaccessible named pipe: lsarpc - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 10.11.1.136:445       - Inaccessible named pipe: samr - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 10.11.1.136:445       - Inaccessible named pipe: browser - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 10.11.1.136:445       - Inaccessible named pipe: atsvc - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 10.11.1.136:445       - Inaccessible named pipe: DAV RPC SERVICE - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 10.11.1.136:445       - Inaccessible named pipe: epmapper - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 10.11.1.136:445       - Inaccessible named pipe: eventlog - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 10.11.1.136:445       - Inaccessible named pipe: InitShutdown - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 10.11.1.136:445       - Inaccessible named pipe: keysvc - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 10.11.1.136:445       - Inaccessible named pipe: lsass - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 10.11.1.136:445       - Inaccessible named pipe: LSM_API_service - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 10.11.1.136:445       - Inaccessible named pipe: ntsvcs - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 10.11.1.136:445       - Inaccessible named pipe: plugplay - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 10.11.1.136:445       - Inaccessible named pipe: protected_storage - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 10.11.1.136:445       - Inaccessible named pipe: router - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 10.11.1.136:445       - Inaccessible named pipe: SapiServerPipeS-1-5-5-0-70123 - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 10.11.1.136:445       - Inaccessible named pipe: scerpc - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 10.11.1.136:445       - Inaccessible named pipe: srvsvc - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 10.11.1.136:445       - Inaccessible named pipe: tapsrv - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 10.11.1.136:445       - Inaccessible named pipe: trkwks - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 10.11.1.136:445       - Inaccessible named pipe: W32TIME_ALT - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 10.11.1.136:445       - Inaccessible named pipe: wkssvc - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 10.11.1.136:445       - Inaccessible named pipe: PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 10.11.1.136:445       - Inaccessible named pipe: db2remotecmd - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[*] 10.11.1.136:          - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

SMBProtocol Nmap Scan of Target (see Complete Nmap Scan)

root@KaliNoodle:~/labs/133# nmap -Pn -n -v -p 445 --script smb-protocols 10.11.1.136
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-22 13:14 EDT
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 13:14
Completed NSE at 13:14, 0.00s elapsed
Initiating ARP Ping Scan at 13:14
Scanning 10.11.1.136 [1 port]
Completed ARP Ping Scan at 13:14, 0.15s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 13:14
Scanning 10.11.1.136 [1 port]
Discovered open port 445/tcp on 10.11.1.136
Completed SYN Stealth Scan at 13:14, 0.27s elapsed (1 total ports)
NSE: Script scanning 10.11.1.136.
Initiating NSE at 13:14
Completed NSE at 13:14, 3.95s elapsed
Nmap scan report for 10.11.1.136
Host is up (0.12s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds
MAC Address: 00:50:56:93:37:2B (VMware)

Host script results:
| smb-protocols: 
|   dialects: 
|_    NT LM 0.12 (SMBv1) [dangerous, but default]

NSE: Script Post-scanning.
Initiating NSE at 13:14
Completed NSE at 13:14, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 4.63 seconds
           Raw packets sent: 2 (72B) | Rcvd: 2 (72B)

With Fix

msf5 auxiliary(scanner/smb/pipe_auditor) > git checkout smb/client/pipe_auditor
[*] exec: git checkout smb/client/pipe_auditor

Switched to branch 'smb/client/pipe_auditor'
Your branch is up to date with 'origin/smb/client/pipe_auditor'.
msf5 auxiliary(scanner/smb/pipe_auditor) > 
[2]+  Stopped                 ./msfconsole
root@KaliNoodle:~/git/metasploit-framework# ./msfconsole
msf5 > use auxiliary/scanner/smb/pipe_auditor
msf5 auxiliary(scanner/smb/pipe_auditor) > setg RHOSTS 10.11.1.136
RHOSTS => 10.11.1.136
msf5 auxiliary(scanner/smb/pipe_auditor) > setg VERBOSE true
VERBOSE => true
msf5 auxiliary(scanner/smb/pipe_auditor) > run

[*] 10.11.1.136:139       - Connected to named pipe: \netlogon
[*] 10.11.1.136:139       - Connected to named pipe: \lsarpc
[*] 10.11.1.136:139       - Connected to named pipe: \samr
[-] 10.11.1.136:139       - Inaccessible named pipe: \browser - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 10.11.1.136:139       - Inaccessible named pipe: \atsvc - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 10.11.1.136:139       - Inaccessible named pipe: \DAV RPC SERVICE - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 10.11.1.136:139       - Inaccessible named pipe: \epmapper - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[*] 10.11.1.136:139       - Connected to named pipe: \eventlog
[-] 10.11.1.136:139       - Inaccessible named pipe: \InitShutdown - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 10.11.1.136:139       - Inaccessible named pipe: \keysvc - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[*] 10.11.1.136:139       - Connected to named pipe: \lsass
[-] 10.11.1.136:139       - Inaccessible named pipe: \LSM_API_service - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[*] 10.11.1.136:139       - Connected to named pipe: \ntsvcs
[-] 10.11.1.136:139       - Inaccessible named pipe: \plugplay - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 10.11.1.136:139       - Inaccessible named pipe: \protected_storage - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 10.11.1.136:139       - Inaccessible named pipe: \router - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 10.11.1.136:139       - Inaccessible named pipe: \SapiServerPipeS-1-5-5-0-70123 - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 10.11.1.136:139       - Inaccessible named pipe: \scerpc - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[*] 10.11.1.136:139       - Connected to named pipe: \srvsvc
[-] 10.11.1.136:139       - Inaccessible named pipe: \tapsrv - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 10.11.1.136:139       - Inaccessible named pipe: \trkwks - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 10.11.1.136:139       - Inaccessible named pipe: \W32TIME_ALT - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[*] 10.11.1.136:139       - Connected to named pipe: \wkssvc
[-] 10.11.1.136:139       - Inaccessible named pipe: \PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 10.11.1.136:139       - Inaccessible named pipe: \db2remotecmd - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[+] 10.11.1.136:139       - Pipes: \\netlogon, \\lsarpc, \\samr, \\eventlog, \\lsass, \\ntsvcs, \\srvsvc, \\wkssvc
[*] 10.11.1.136:          - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/smb/pipe_auditor) > 

Complete Nmap Scan

root@KaliNoodle:~/labs/133# nmap -vv -A 10.11.1.136
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-22 12:02 EDT
NSE: Loaded 148 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 12:02
Completed NSE at 12:02, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 12:02
Completed NSE at 12:02, 0.00s elapsed
Initiating ARP Ping Scan at 12:02
Scanning 10.11.1.136 [1 port]
Completed ARP Ping Scan at 12:02, 0.25s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 12:02
Completed Parallel DNS resolution of 1 host. at 12:02, 0.13s elapsed
Initiating SYN Stealth Scan at 12:02
Scanning 10.11.1.136 [1000 ports]
Discovered open port 22/tcp on 10.11.1.136
Discovered open port 139/tcp on 10.11.1.136
Discovered open port 113/tcp on 10.11.1.136
Discovered open port 445/tcp on 10.11.1.136
Completed SYN Stealth Scan at 12:02, 1.76s elapsed (1000 total ports)
Initiating Service scan at 12:02
Scanning 4 services on 10.11.1.136
Completed Service scan at 12:02, 11.45s elapsed (4 services on 1 host)
Initiating OS detection (try #1) against 10.11.1.136
Retrying OS detection (try #2) against 10.11.1.136
Retrying OS detection (try #3) against 10.11.1.136
Retrying OS detection (try #4) against 10.11.1.136
Retrying OS detection (try #5) against 10.11.1.136
NSE: Script scanning 10.11.1.136.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 12:02
Completed NSE at 12:02, 4.70s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 12:02
Completed NSE at 12:02, 0.00s elapsed
Nmap scan report for 10.11.1.136
Host is up, received arp-response (0.092s latency).
Scanned at 2019-03-22 12:02:18 EDT for 33s
Not shown: 996 closed ports
Reason: 996 resets
PORT    STATE SERVICE     REASON         VERSION
22/tcp  open  ssh         syn-ack ttl 64 OpenSSH 4.3p2 Debian 9 (protocol 2.0)
|_auth-owners: root
| ssh-hostkey: 
|   1024 88:23:98:0d:9d:8a:20:59:35:b8:14:12:14:d5:d0:44 (DSA)
| ssh-dss [DSA host key elided]
|   2048 6b:5d:04:71:76:78:56:96:56:92:a8:02:30:73:ee:fa (RSA)
|_ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA10OWcx61a5eqZIopAJGgzTYwysjjNFbLKDEypxIIb80V5O7M5bmNWYvm39VTMYsjUT4yRFF0IV5BhuMUtd4jqsSewJPGh6JWyE0NjuVLIeSxH7cmvn4EtLoSY4GA1CDzRs+0eMCIKYWpGyFRn1bDxRYJQYutVaG7af7dg0fItkgn0JUdpxMSlPXrffcL2CMwufsxCx6iJwmw8TzJYPaREzM69AfRXjoyQmjUVyEKbLpCLq/yYCjSJ2CEENnZCqWEiPhtZwOCwpGl9ZYerQ1PF3xmqKKGisYLxtFeeDVQyyqEM5mOVkBLY9GVHZVkRClkCcI2phrslp4gRKHl6Diqxw==
113/tcp open  ident       syn-ack ttl 64
|_auth-owners: identd
139/tcp open  netbios-ssn syn-ack ttl 64 Samba smbd 3.X - 4.X (workgroup: LOCAL)
|_auth-owners: root
445/tcp open  netbios-ssn syn-ack ttl 64 Samba smbd 3.0.24 (workgroup: LOCAL)
|_auth-owners: root
MAC Address: 00:50:56:93:37:2B (VMware)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.70%E=4%D=3/22%OT=22%CT=1%CU=35384%PV=Y%DS=1%DC=D%G=Y%M=005056%T
OS:M=5C95072B%P=x86_64-pc-linux-gnu)SEQ(SP=CB%GCD=1%ISR=CE%TI=Z%II=I%TS=8)O
OS:PS(O1=M529ST11NW6%O2=M529ST11NW6%O3=M529NNT11NW6%O4=M529ST11NW6%O5=M529S
OS:T11NW6%O6=M529ST11)WIN(W1=16A0%W2=16A0%W3=16A0%W4=16A0%W5=16A0%W6=16A0)E
OS:CN(R=Y%DF=Y%T=40%W=16D0%O=M529NNSNW6%CC=N%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F
OS:=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=N)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%R
OS:D=0%Q=)T6(R=N)T7(R=N)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%
OS:RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Uptime guess: 0.043 days (since Fri Mar 22 11:00:49 2019)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=202 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h59m59s, deviation: 2h49m42s, median: 0s
| nbstat: NetBIOS name: SUFFERANCE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   SUFFERANCE<00>       Flags: <unique><active>
|   SUFFERANCE<03>       Flags: <unique><active>
|   SUFFERANCE<20>       Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|   THINC.LOCAL<1d>      Flags: <unique><active>
|   THINC.LOCAL<1e>      Flags: <group><active>
|   THINC.LOCAL<00>      Flags: <group><active>
| Statistics:
|   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|_  00 00 00 00 00 00 00 00 00 00 00 00 00 00
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 63352/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 4396/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 18594/udp): CLEAN (Failed to receive data)
|   Check 4 (port 37051/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.24)
|   NetBIOS computer name: 
|   Workgroup: THINC.LOCAL\x00
|_  System time: 2019-03-22T12:02:46-04:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: share (dangerous)
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-security-mode: Couldn't establish a SMBv2 connection.
|_smb2-time: Protocol negotiation failed (SMB2)

TRACEROUTE
HOP RTT      ADDRESS
1   91.60 ms 10.11.1.136

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 12:02
Completed NSE at 12:02, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 12:02
Completed NSE at 12:02, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 32.81 seconds
           Raw packets sent: 1294 (61.770KB) | Rcvd: 1066 (46.234KB)

@NoodleOfDeath
Contributor Author

NoodleOfDeath commented May 22, 2019

Oddly enough, it does work on a Windows target using both the master and my fix. I guess a duplicate backslash does not deter the name detection but a lack thereof can be unpredictable:

On master

root@KaliNoodle:~/git/metasploit-framework# git checkout master
Switched to branch 'master'
Your branch is up to date with 'origin/master'.
root@KaliNoodle:~/git/metasploit-framework# ./msfconsole
msf5 > setg RHOSTS 10.11.1.5
RHOSTS => 10.11.1.5
msf5 > use auxiliary/scanner/smb/pipe_auditor
msf5 auxiliary(scanner/smb/pipe_auditor) > run
[+] 10.11.1.5:445         - Pipes: \netlogon, \lsarpc, \samr, \browser, \epmapper, \srvsvc, \trkwks, \wkssvc
[*] 10.11.1.5:            - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

On my branch fix

root@KaliNoodle:~/git/metasploit-framework#  git checkout smb/client/pipe_auditor
Switched to branch 'smb/client/pipe_auditor'
Your branch is up to date with 'origin/smb/client/pipe_auditor'
root@KaliNoodle:~/git/metasploit-framework# ./msfconsole
msf5 > use auxiliary/scanner/smb/pipe_auditor
msf5 auxiliary(scanner/smb/pipe_auditor) > setg RHOSTS 10.11.1.5
RHOSTS => 10.11.1.5
msf5 auxiliary(scanner/smb/pipe_auditor) > run
[+] 10.11.1.5:445         - Pipes: \\netlogon, \\lsarpc, \\samr, \\browser, \\epmapper, \\srvsvc, \\trkwks, \\wkssvc
[*] 10.11.1.5:            - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

@wvu
Contributor

wvu commented May 22, 2019

Damn, sounds like you found a bug in our implementation when interacting with Samba. I'll test against Samba and report back, hopefully with a reason why it fails.

@wvu
Contributor

wvu commented May 22, 2019

Testing Samba 4.x, not your 3.x as supposedly identified by Nmap:

msf5 auxiliary(scanner/smb/pipe_auditor) > run

[*] 172.28.128.3:139      - Connected to named pipe: netlogon
[*] 172.28.128.3:139      - Connected to named pipe: lsarpc
[*] 172.28.128.3:139      - Connected to named pipe: samr
[-] 172.28.128.3:139      - Inaccessible named pipe: browser - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 172.28.128.3:139      - Inaccessible named pipe: atsvc - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 172.28.128.3:139      - Inaccessible named pipe: DAV RPC SERVICE - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 172.28.128.3:139      - Inaccessible named pipe: epmapper - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[*] 172.28.128.3:139      - Connected to named pipe: eventlog
[*] 172.28.128.3:139      - Connected to named pipe: InitShutdown
[-] 172.28.128.3:139      - Inaccessible named pipe: keysvc - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 172.28.128.3:139      - Inaccessible named pipe: lsass - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 172.28.128.3:139      - Inaccessible named pipe: LSM_API_service - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[*] 172.28.128.3:139      - Connected to named pipe: ntsvcs
[-] 172.28.128.3:139      - Inaccessible named pipe: plugplay - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 172.28.128.3:139      - Inaccessible named pipe: protected_storage - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 172.28.128.3:139      - Inaccessible named pipe: router - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 172.28.128.3:139      - Inaccessible named pipe: SapiServerPipeS-1-5-5-0-70123 - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 172.28.128.3:139      - Inaccessible named pipe: scerpc - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[*] 172.28.128.3:139      - Connected to named pipe: srvsvc
[-] 172.28.128.3:139      - Inaccessible named pipe: tapsrv - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 172.28.128.3:139      - Inaccessible named pipe: trkwks - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 172.28.128.3:139      - Inaccessible named pipe: W32TIME_ALT - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[*] 172.28.128.3:139      - Connected to named pipe: wkssvc
[-] 172.28.128.3:139      - Inaccessible named pipe: PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 172.28.128.3:139      - Inaccessible named pipe: db2remotecmd - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[+] 172.28.128.3:139      - Pipes: netlogon, lsarpc, samr, eventlog, InitShutdown, ntsvcs, srvsvc, wkssvc
[*] 172.28.128.3:         - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/smb/pipe_auditor) > previous
msf5 auxiliary(scanner/smb/smb_version) > run

[*] 172.28.128.3:445      - Host could not be identified: Windows 6.1 (Samba 4.3.11-Ubuntu)
[*] 172.28.128.3:445      - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/smb/smb_version) >

@wvu

wvu commented May 22, 2019

Metasploitable 2's Samba 3.0.20 tested:

msf5 auxiliary(scanner/smb/pipe_auditor) > run

[-] 192.168.56.104:139    - Inaccessible named pipe: netlogon - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 192.168.56.104:139    - Inaccessible named pipe: lsarpc - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 192.168.56.104:139    - Inaccessible named pipe: samr - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 192.168.56.104:139    - Inaccessible named pipe: browser - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 192.168.56.104:139    - Inaccessible named pipe: atsvc - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 192.168.56.104:139    - Inaccessible named pipe: DAV RPC SERVICE - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 192.168.56.104:139    - Inaccessible named pipe: epmapper - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 192.168.56.104:139    - Inaccessible named pipe: eventlog - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 192.168.56.104:139    - Inaccessible named pipe: InitShutdown - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 192.168.56.104:139    - Inaccessible named pipe: keysvc - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 192.168.56.104:139    - Inaccessible named pipe: lsass - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 192.168.56.104:139    - Inaccessible named pipe: LSM_API_service - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 192.168.56.104:139    - Inaccessible named pipe: ntsvcs - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 192.168.56.104:139    - Inaccessible named pipe: plugplay - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 192.168.56.104:139    - Inaccessible named pipe: protected_storage - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 192.168.56.104:139    - Inaccessible named pipe: router - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 192.168.56.104:139    - Inaccessible named pipe: SapiServerPipeS-1-5-5-0-70123 - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 192.168.56.104:139    - Inaccessible named pipe: scerpc - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 192.168.56.104:139    - Inaccessible named pipe: srvsvc - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 192.168.56.104:139    - Inaccessible named pipe: tapsrv - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 192.168.56.104:139    - Inaccessible named pipe: trkwks - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 192.168.56.104:139    - Inaccessible named pipe: W32TIME_ALT - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 192.168.56.104:139    - Inaccessible named pipe: wkssvc - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 192.168.56.104:139    - Inaccessible named pipe: PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 192.168.56.104:139    - Inaccessible named pipe: db2remotecmd - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[*] 192.168.56.104:       - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/smb/pipe_auditor) > previous
msf5 auxiliary(scanner/smb/smb_version) > run

[*] 192.168.56.104:445    - Host could not be identified: Unix (Samba 3.0.20-Debian)
[*] 192.168.56.104:445    - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/smb/smb_version) >

@wvu

wvu commented May 22, 2019

So it's probably not OffSec trying to mess with you for using Metasploit. ;)

This appears to be a Samba 3.x issue. I'll dig deeper in a bit.

@wvu

wvu commented May 22, 2019

Working with patch:

msf5 auxiliary(scanner/smb/pipe_auditor) > run

[*] 192.168.56.104:139    - Connected to named pipe: \netlogon
[*] 192.168.56.104:139    - Connected to named pipe: \lsarpc
[*] 192.168.56.104:139    - Connected to named pipe: \samr
[-] 192.168.56.104:139    - Inaccessible named pipe: \browser - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 192.168.56.104:139    - Inaccessible named pipe: \atsvc - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 192.168.56.104:139    - Inaccessible named pipe: \DAV RPC SERVICE - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 192.168.56.104:139    - Inaccessible named pipe: \epmapper - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[*] 192.168.56.104:139    - Connected to named pipe: \eventlog
[-] 192.168.56.104:139    - Inaccessible named pipe: \InitShutdown - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 192.168.56.104:139    - Inaccessible named pipe: \keysvc - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[*] 192.168.56.104:139    - Connected to named pipe: \lsass
[-] 192.168.56.104:139    - Inaccessible named pipe: \LSM_API_service - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[*] 192.168.56.104:139    - Connected to named pipe: \ntsvcs
[-] 192.168.56.104:139    - Inaccessible named pipe: \plugplay - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 192.168.56.104:139    - Inaccessible named pipe: \protected_storage - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 192.168.56.104:139    - Inaccessible named pipe: \router - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 192.168.56.104:139    - Inaccessible named pipe: \SapiServerPipeS-1-5-5-0-70123 - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 192.168.56.104:139    - Inaccessible named pipe: \scerpc - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[*] 192.168.56.104:139    - Connected to named pipe: \srvsvc
[-] 192.168.56.104:139    - Inaccessible named pipe: \tapsrv - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 192.168.56.104:139    - Inaccessible named pipe: \trkwks - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 192.168.56.104:139    - Inaccessible named pipe: \W32TIME_ALT - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[*] 192.168.56.104:139    - Connected to named pipe: \wkssvc
[-] 192.168.56.104:139    - Inaccessible named pipe: \PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[-] 192.168.56.104:139    - Inaccessible named pipe: \db2remotecmd - The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[+] 192.168.56.104:139    - Pipes: \netlogon, \lsarpc, \samr, \eventlog, \lsass, \ntsvcs, \srvsvc, \wkssvc
[*] 192.168.56.104:       - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/smb/pipe_auditor) >

@NoodleOfDeath

That’s very strange. I wonder why Samba 3.x is different from all of the other versions. 🤔

Also thanks for showing me more into the process of documenting and making pull requests. This is my very first one actually.


@NoodleOfDeath NoodleOfDeath left a comment


Any style preference on using single vs double quoted strings? I’m referring specifically to lines 45 and 46 of lib/msg/core/exploit/smb/client/pipe_auditor.rb

@wvu

wvu commented May 23, 2019

I used to prefer double-quoted strings all the time, but then I switched to single-quoted strings if I didn't need interpolation. It's more predictable. But the most important thing is to be consistent.

https://github.com/rubocop-hq/ruby-style-guide#consistent-string-literals

@wvu

wvu commented May 23, 2019

@NoodleOfDeath:

https://github.com/samba-team/samba/blob/samba-4.3.11/source3/smbd/pipes.c#L85-L166

@wvu

wvu commented May 23, 2019

You can see how backslash handling between 3.x and 4.x is different. 3.x is more stringent, and 4.x does more normalization.

@NoodleOfDeath

That’s why I asked. I am the same way; I only use double quotes if absolutely necessary. Thanks for the references, too.

@wvu

wvu commented May 23, 2019

@NoodleOfDeath:

samba-team/samba@abf566c

💥

@wvu wvu merged commit 0febc73 into rapid7:master May 23, 2019
wvu added a commit that referenced this pull request May 23, 2019
@wvu

wvu commented May 23, 2019

Release Notes

This adds normalization to the pipe_auditor mixin (used by the module) to prefix named pipe names with a backslash. Samba 3.x doesn't perform any normalization on the pipe name, thus requiring the backslash. Samba 4.x and Windows are unaffected.
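As an added illustration of the two points made above (the release note's backslash normalization in the mixin, and the strict-versus-normalizing server behaviour wvu describes for Samba 3.x and 4.x), here is a small Ruby model. It is example code written for this page, not Metasploit's mixin or Samba's `pipes.c`; the `StrictPipeServer` and `NormalizingPipeServer` classes are deliberately simplified stand-ins for the observed behaviour, and the wordlist and server pipe list are constructed for the example.

```ruby
# Example code, not from the Metasploit repository.

# Normalize one pipe name the way the fix does: guarantee a single leading
# backslash. Names that already start with one are left alone, and an internal
# backslash (e.g. PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER) is not touched.
# Returns nil for blank lines so a wordlist can be mapped straight through.
def normalize_pipe_name(name)
  name = name.strip
  return nil if name.empty?
  name.start_with?('\\') ? name : "\\#{name}"
end

# Normalize a whole wordlist in the named_pipes.txt style (one name per line),
# dropping blanks and entries that collapse to the same normalized name.
def normalize_pipe_list(text)
  text.each_line.map { |line| normalize_pipe_name(line) }.compact.uniq
end

# Simplified model of a server that does no normalization of the requested
# name (the Samba 3.x behaviour seen in the thread): only an exact match opens.
class StrictPipeServer
  def initialize(pipes)
    @pipes = pipes
  end

  def open(name)
    @pipes.include?(name) ? :STATUS_SUCCESS : :STATUS_OBJECT_NAME_NOT_FOUND
  end
end

# Simplified model of a server that normalizes the client's name first
# (the Samba 4.x / Windows behaviour): the unprefixed name still opens.
class NormalizingPipeServer < StrictPipeServer
  def open(name)
    super(normalize_pipe_name(name))
  end
end

# Audit a list of names against a server model and return those that opened,
# mirroring the "Pipes:" summary line the module prints.
def accessible_pipes(server, names)
  names.select { |n| server.open(n) == :STATUS_SUCCESS }
end

# Constructed wordlist: mixes prefixed, unprefixed, duplicate and blank entries.
CONSTRUCTED_WORDLIST = <<~'LIST'
  netlogon
  lsarpc
  samr
  \samr

  srvsvc
  PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER
LIST

# Constructed set of pipes the modelled server exposes (leading backslash form).
SERVER_PIPES = ['\netlogon', '\lsarpc', '\samr', '\srvsvc'].freeze

if __FILE__ == $0
  raw  = %w[netlogon lsarpc samr browser]
  list = normalize_pipe_list(CONSTRUCTED_WORDLIST)
  puts "normalized wordlist: #{list.inspect}"
  puts "strict server, raw names:        #{accessible_pipes(StrictPipeServer.new(SERVER_PIPES), raw).inspect}"
  puts "strict server, normalized names: #{accessible_pipes(StrictPipeServer.new(SERVER_PIPES), raw.map { |n| normalize_pipe_name(n) }).inspect}"
  puts "normalizing server, raw names:   #{accessible_pipes(NormalizingPipeServer.new(SERVER_PIPES), raw).inspect}"
end
```

Run stand-alone, the strict model reports nothing accessible for the raw wordlist and the expected pipes once the names are prefixed, which is the before/after pattern in the Samba 3.0.20 output above; the normalizing model accepts either form, matching the Samba 4.3.11 and Windows runs.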

@wvu

wvu commented May 23, 2019

@NoodleOfDeath: Awesome collab. Thanks for this!

wvu added a commit to wvu/metasploit-framework that referenced this pull request May 23, 2019
@NoodleOfDeath NoodleOfDeath deleted the smb/client/pipe_auditor branch May 23, 2019 12:45
@NoodleOfDeath NoodleOfDeath restored the smb/client/pipe_auditor branch May 23, 2019 12:45
@NoodleOfDeath NoodleOfDeath deleted the smb/client/pipe_auditor branch May 23, 2019 12:46
@gdavidson-r7 gdavidson-r7 added the rn-fix release notes fix label May 29, 2019
Labels
bug library rn-fix release notes fix
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Opening named pipes against Samba 3.x requires a prefixed backslash
4 participants