
Windows Deployment Services Scanner #1420

Merged
merged 6 commits into from Oct 11, 2013

5 participants
Meatballs1 commented Jan 31, 2013

Windows Deployment Services can be configured with domain credentials for PXEBoot clients to perform unattended installation. These are not visible during a PXE deployment, (but can be observed in clear text by monitoring network traffic). They are exposed by a DCERPC service on the Windows Deployment Server and can be retrieved even when the Service is configured not to deploy to any hosts.

[*] Binding to 1A927394-352E-4553-AE3F-7CF4AAFCA620:1.0:71710533-beba-4937-8319-b5dbef9ccc36:1@ncacn_ip_tcp:192.168.5.1[5040] ...
[+] Bound to 1A927394-352E-4553-AE3F-7CF4AAFCA620:1.0:71710533-beba-4937-8319-b5dbef9ccc36:1@ncacn_ip_tcp:192.168.5.1[5040]
[*] Sending X64 Client Unattend request ...
[*] Raw version of X64 saved as: C:/Documents and Settings/user/.msf4/loot/20121213104745_default_192.168.5.1_windows.unattend_399005.txt
[+] Retrived wds credentials for X64
[*] Sending X86 Client Unattend request ...
[*] Sending IA64 Client Unattend request ...

Windows Deployment Services
===========================

 Architecture  Type  Domain        Username  Password
 ------------  ----  ------        --------  --------
 X64           wds   Fabrikam.com  username  my_password

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

This module adds:

  1. Scanner Module
  2. Windows Deployment Services DCERPC Protocol REX Library

I have had to make some small changes to the DCERPC library to get the correct requests.
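The table above is produced by pulling the WDS client unattend file over DCERPC and lifting the domain credentials out of it. From the defender's side the same parsing is useful for auditing the unattend files kept under WdsClientUnattend before a scanner finds them. The Ruby below is an added example written for this page, not code from the pull request or from Metasploit: it parses the WindowsDeploymentServices/Login/Credentials block of the Unattend.xml schema with REXML and reports each finding without echoing the secret. Both XML samples are constructed, the credential values are made up, and the function names (`wds_credentials`, `report_line`, `component_architecture`) are this example's own.

```ruby
require 'rexml/document'

# Namespace declared by Windows Unattend.xml files.
UNATTEND_NS = 'urn:schemas-microsoft-com:unattend'.freeze

# Constructed sample of a WDS client unattend file, modelled on the
# WindowsDeploymentServices/Login/Credentials block of the Unattend.xml
# schema. Domain, user and password values are made up for this example.
SAMPLE_WITH_CREDS = <<~XML
  <?xml version="1.0" encoding="utf-8"?>
  <unattend xmlns="urn:schemas-microsoft-com:unattend">
    <settings pass="windowsPE">
      <component name="Microsoft-Windows-Setup" processorArchitecture="amd64"
                 publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
        <WindowsDeploymentServices>
          <Login>
            <WillShowUI>OnError</WillShowUI>
            <Credentials>
              <Domain>Fabrikam.com</Domain>
              <Username>username</Username>
              <Password>my_password</Password>
            </Credentials>
          </Login>
        </WindowsDeploymentServices>
      </component>
    </settings>
  </unattend>
XML

# Constructed sample that enables the WDS login step but embeds no credentials,
# so the client is prompted instead. This is the shape an audit wants to see.
SAMPLE_NO_CREDS = <<~XML
  <?xml version="1.0" encoding="utf-8"?>
  <unattend xmlns="urn:schemas-microsoft-com:unattend">
    <settings pass="windowsPE">
      <component name="Microsoft-Windows-Setup" processorArchitecture="x86"
                 publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
        <WindowsDeploymentServices>
          <Login>
            <WillShowUI>Always</WillShowUI>
          </Login>
        </WindowsDeploymentServices>
      </component>
    </settings>
  </unattend>
XML

# Walk up from a node to its enclosing <component> and return the
# processorArchitecture attribute (amd64, x86 or ia64), or nil if absent.
def component_architecture(node)
  until node.nil? || (node.is_a?(REXML::Element) && node.name == 'component')
    node = node.parent
  end
  node ? node.attributes['processorArchitecture'] : nil
end

# Parse an unattend file and return one hash per WDS <Credentials> block.
# An empty array means the file carries no embedded WDS login credentials.
def wds_credentials(xml)
  doc  = REXML::Document.new(xml)
  ns   = { 'u' => UNATTEND_NS }
  path = '//u:WindowsDeploymentServices/u:Login/u:Credentials'
  REXML::XPath.match(doc, path, ns).map do |cred|
    {
      architecture: component_architecture(cred),
      domain:       REXML::XPath.first(cred, 'u:Domain', ns)&.text,
      username:     REXML::XPath.first(cred, 'u:Username', ns)&.text,
      password:     REXML::XPath.first(cred, 'u:Password', ns)&.text
    }
  end
end

# Audit line that records the finding without writing the secret to a log.
def report_line(finding)
  pw = finding[:password]
  pw_note = pw ? "password present, #{pw.length} chars" : 'no password element'
  "#{finding[:architecture]}: #{finding[:domain]}\\#{finding[:username]} (#{pw_note})"
end

if __FILE__ == $PROGRAM_NAME
  { 'with-creds' => SAMPLE_WITH_CREDS, 'no-creds' => SAMPLE_NO_CREDS }.each do |label, xml|
    findings = wds_credentials(xml)
    summary  = findings.empty? ? 'clean' : findings.map { |f| report_line(f) }.join('; ')
    puts "#{label}: #{summary}"
  end
end
```

Point `wds_credentials` at each file in the WdsClientUnattend directory; any non-empty result is a domain credential that the PR shows can be retrieved remotely, so it is a candidate for removal or for a least-privilege join account that is rotated.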

Meatballs1 commented Feb 22, 2013

To test:

Windows 2008.

Add Role Windows Deployment Services
Select Windows Deployment Services in Server Manager

Servers
ServerName
Right click configure server
Skip through default settings in configuration (next next next)
Untick add images and finish.

Download and save first example Unattend.xml file to c:\RemoteInstall\WdsClientUnattend from
http://technet.microsoft.com/en-us/library/cc732280(v=ws.10).aspx#ex1

Right click on server

Properties
Client Tab
Enable unattended installation

Add unattend file to an architecture (or all 3):

Hit OK.

Fire up module, run! :)

Outdated review comments on lib/rex/proto/dcerpc/client.rb and lib/rex/proto/dcerpc/wdscp/packet.rb

todb-r7 referenced this pull request Sep 5, 2013: Retab/pr/1420 #25 (merged)

todb-r7 commented Oct 3, 2013

/me prods @jlee-r7 what's up with this now?

todb-r7 commented Oct 10, 2013

So, I think this has languished because: a) you're making changes to the DCERPC protocol library, and there isn't a particularly good way to validate any of that today, and b) nobody knows how to set up WDS quickly and easily.

I've tackled a) now by reading the code and nodding along sagely, as well as testing several modules in auxiliary/scanner/dcerpc, auxiliary/admin/smb, and auxiliary/scanner/smb, all of which use the DCERPC libraries. I'm satisfied that existing functionality isn't broken.

On to (b) and learning how to set up a WDS server.

Note to future self: Remember when we had to learn and remember all this IT foo to test individual modules? Isn't it great now that we have Chef scripts to build out targets for us, all supplied by module writers who considerately package up chef scripts to demonstrate their mad awesome modules? Yeah, these were dark times where modules hung around in a queue for 6 months...

Meatballs1 commented Oct 10, 2013

@todb-r7 b) See my second comment!

todb commented Oct 10, 2013

Duh. I'll have this landed tomorrow, then. Thanks!

Meatballs1 commented Oct 10, 2013

How about a Metasploit Test Cloud?

I will have to look into Chef one day...

todb-r7 commented Oct 11, 2013

Okay, I promised I would get this today, and I'm ready to land, BUT...

I'm running into a problem with 32-bit Windows 2003 WDS. Your 64bit NDR transfer syntax is not cool there, obviously (71710533-beba-4937-8319-b5dbef9ccc36), but strangely, neither is the regular 32-bit NDR transfer encoding, 8a885d04-1ceb-11c9-9fe8-08002b104860.

I'm chasing this around now. Any hints?

If I can't get it to work for 32-bit, I'll note it in the description, and maybe some kind soul will fix up later.

todb-r7 commented Oct 11, 2013

Ultimately, I just need a pcap of WDS actually delivering an unattended.xml from a 32-bit machine and i can extract the transfer encoding from there.

todb-r7 referenced this pull request Oct 11, 2013: Add RPORT to the list of DCERPC ports to check #2507 (merged)

todb-r7 added a commit that referenced this pull request Oct 11, 2013

todb-r7 merged commit 5dcb48a into rapid7:master Oct 11, 2013

1 check passed: The Travis CI build passed
todb-r7 commented Oct 11, 2013

As threatened, this is landed without the 32-bit support. Feel free to PR something to enhance.

Meatballs1 deleted the Meatballs1:wds_scanner_repull branch Oct 12, 2013
