Pipe auditing mixin now ensures named pipes start with a backslash #11860
…eck named pipes enumeration
Co-Authored-By: bcoles <bcoles@gmail.com>
I'm actually really curious why we didn't need this before, so I'll investigate that in a bit, but I intend to land this regardless. Thanks!
Can you post your output and Windows version? It is working for me on
Are you sure the target has SMBv1 enabled? I don't think this code was updated to use RubySMB yet, so SMBv2 does not work.
I'm still inclined to land your PR, but if it's broken in the pipe auditing mixin, it could be broken in many other places.
Master still does not work on my target, but with the fix it does. I have no idea why because I am currently taking the PWK course and still have not rooted the machine (I'm a noob). Below I reproduce both scenarios and include all of the logs (and if it helps I post the complete nmap scan on the target as well). My guess is the issue is related to the target running Linux.

Without Fix
SMBProtocol Nmap Scan of Target (see Complete Nmap Scan)

With Fix

Complete Nmap Scan
Oddly enough, it does work on a Windows target using both the master and my fix. I guess a duplicate backslash does not deter the name detection but a lack thereof can be unpredictable:

On master

On my branch fix
Damn, sounds like you found a bug in our implementation when interacting with Samba. I'll test against Samba and report back, hopefully with a reason why it fails.
Testing Samba 4.x, not your 3.x as supposedly identified by Nmap:
Metasploitable 2's Samba 3.0.20 tested:
So it's probably not OffSec trying to mess with you for using Metasploit. ;) This appears to be a Samba 3.x issue. I'll dig deeper in a bit.
Working with patch:
That's very strange. I wonder why Samba 3.x is different from all of the other versions. 🤔 Also thanks for showing me more into the process of documenting and making pull requests. This is my very first one actually.
Any style preference on using single vs double quoted strings? I'm referring specifically to lines 45 and 46 of lib/msf/core/exploit/smb/client/pipe_auditor.rb
I used to prefer double-quoted strings all the time, but then I switched to single-quoted strings if I didn't need interpolation. It's more predictable. But the most important thing is to be consistent. https://github.com/rubocop-hq/ruby-style-guide#consistent-string-literals

You can see how backslash handling between 3.x and 4.x is different. 3.x is more stringent, and 4.x does more normalization.

That's why I asked. I am the same way; I only use double quotes if absolutely necessary. Thanks for the references, too.

Release Notes
This adds normalization to the

@NoodleOfDeath: Awesome collab. Thanks for this!
The named_pipes.txt wordlist provided by the metasploit framework contains pipe names that are not prefixed with a backslash. The auxiliary/scanner/smb/pipe_auditor module does not seem to work properly for some Samba protocol versions (namely protocol 3) unless each pipe name is prefixed with a backslash. I updated lib/exploit/smb/client/pipe_auditor.rb to check for the missing backslash and to prepend it if missing.

Verifications

List the steps needed to make sure this thing works:
msfconsole
use auxiliary/scanner/smb/pipe_auditor
Running with default named_pipes.txt does not work without fix and does with fix
Fixes #9618 and fixes #11870.
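The normalization the PR describes, written out as an added example that is not the PR's diff or Metasploit's own code. It assumes a wordlist in the same shape as named_pipes.txt (one pipe name per line, some already prefixed with a backslash) and produces names with exactly one leading backslash, which is what the thread observed works on both Windows (tolerant of a doubled backslash) and Samba 3.x (strict about a missing one). The wordlist content is constructed and the function names are this example's own, not the mixin's.

```ruby
# Added example, not Metasploit's code. Normalizes SMB named-pipe names so each
# has exactly one leading backslash before it is handed to a pipe auditor.

# Constructed wordlist in the style of named_pipes.txt: a mix of unprefixed
# names, one already-prefixed name, one doubled backslash, a blank line and a
# duplicate that only differs in its prefix.
CONSTRUCTED_WORDLIST = <<~'LIST'
  netlogon
  \lsarpc
  \\samr
  srvsvc

  \srvsvc
  spoolss
LIST

# Return +name+ with exactly one leading backslash, or nil for a blank line.
# Any existing run of leading backslashes is collapsed so a wordlist entry that
# is already prefixed (or over-prefixed) is not doubled up.
def normalize_pipe_name(name)
  stripped = name.strip
  return nil if stripped.empty?

  "\\" + stripped.sub(/\A\\+/, '')
end

# Parse wordlist text into unique, normalized pipe names in file order.
# Deduplication happens after normalization, so "srvsvc" and "\srvsvc" collapse
# into a single entry instead of being probed twice.
def load_pipe_names(text)
  text.each_line.map { |line| normalize_pipe_name(line) }.compact.uniq
end

if __FILE__ == $PROGRAM_NAME
  load_pipe_names(CONSTRUCTED_WORDLIST).each { |pipe| puts pipe }
end
```

Run as a script it prints the six normalized names; in a module you would feed the result of load_pipe_names to whatever performs the pipe checks, so the wordlist format no longer decides whether a Samba 3.x target responds.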