[SeeRM:#1233] - Upgrade smb_enumshares to show directories & files #2094
[SeeRM:rapid7#1233] - This is an upgrade based on ringt's code in PR rapid7#2017. As a pentester, it's useful to obtain additional information such as device type, access rights, folders, and files, etc. when doing a share enumeration. I have also enhanced exception handling to avoid shutting errors up, which is better for debugging purposes.
Useful information on how to set up an SMB share on Win XP/Vista... requires some manual config:
Target is a Windows 7 SP1 x86 domain-attached English install: master:
This pull request:
Not sure why it's not working, looking into that, but a couple of things:
Login failure? Interesting. Both modules do a connect() and then smb_login()... that's where it fails? The difference is when LoginError is raised, the original one will do a next right away. The new one will make sure to do a disconnect, and then move on to the next port. I'll have to set up a Win 7 box and test this tomorrow.
OK, problem fixed. So it's probably normal to see the LoginError, but the original one will switch to srvsvc_netshareenum, which is how it gets shares on Win 7. The fix is to add back that same behavior.
Processing!
Running a weird test against Win 7 SP1 (no domain, just shared a folder) I get this result:
The Backtrace associated to the exception:
OK... nil res... hmmm.
OK, I'm done committing stuff. Let's go back to testing again.
Incidentally, correct syntax on the commit message is [SeeRM #1233] with or without brackets, and definitely without the colon. That's why your commit didn't show up on Redmine.
I typically do that with FixRM too and it works when the PR is pushed, like this:
On Windows 7 SP1, after switching on all the public access settings xD, I get this (just set rhosts and run). Notice the error: "[-] Login Failed: The server refused our NetBIOS session request"
When using the smb_enumshares from master, no error arises (maybe because it was hidden?):
Sorry for the lack of details, just doing dumb testing.... let me know if you want me to share any information about my test.
Juan, the original one actually hits a LoginError too. However, instead of telling you about it, it quietly runs "next", that's why you're not seeing it. By default, it'll probably always try twice on Win 7 because port 139 will always refuse your session request.
Just finished running against my test network with some Win XPs, Vista, Win 7 and Win2k3. Didn't hit errors. Also tried multiple threads and USE_SRVSVC_ONLY, all worked fine.
Test on Windows XPSP3, guest access allowed:
Test on Windows 7 SP1, guest access allowed:
Test on Windows 2003 SP2, Spanish, Domain, sharing file names with Spanish characters:
and the same, but with Basic information:
Looks good to me; since there have not been other complaints, landing!
So this is supposed to only work < Vista even with good authentication?
I guess it should work also >Vista, shouldn't it?
Starting with Win 7, when the module sends a netshareenum request, Win 7 will throw a STATUS_NOT_SUPPORTED (0xC00000BB) back to you. So the module falls back to SRVSVC to at least get basic info like what shares it has, comments, etc. With bad authentication, you won't get any info except for a STATUS_LOGON_FAILURE error.
All I'm saying is that this:
(With the READ/WRITE status), is incredibly more useful and succinct for me than a listing of files only on "old" systems. Ultimately if I just had:
That second line makes me happy.
Module has been tested on Win XP and Windows Server 2003.