altered check_dir_file.rb so that it can check for the presence of a lis... #2999

Merged
merged 3 commits into from Aug 4, 2014

4 participants

@j0hnf

Altered modules/auxiliary/admin/smb/check_dir_file.rb so that it can take a list of files/dirs in the RPATH argument, allowing multiple files to be checked for across multiple hosts (basically tweaked so that I can use it to check for indicators of compromise more effectively).

@j0hnf j0hnf altered check_dir_file.rb so that it can check for the presence of a …
…list of files/directories supplied using file:/ format rather than being limited to just the one file, handy for checking for indicators of compromise
4b247e2
@wvu-r7 wvu-r7 commented on an outdated diff Feb 17, 2014
modules/auxiliary/admin/smb/check_dir_file.rb
+ rescue ::Rex::HostUnreachable
+ vprint_error("Host #{rhost} offline.")
+ rescue ::Rex::Proto::SMB::Exceptions::LoginError
+ vprint_error("Host #{rhost} login error.")
+ rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e
+ if e.get_error(e.error_code) == "STATUS_FILE_IS_A_DIRECTORY"
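Review bot: the `rescue ::Rex::HostUnreachable` and `rescue ::Rex::Proto::SMB::Exceptions::LoginError` branches only `vprint_error`, so with VERBOSE off an unreachable host or a rejected login in the RHOSTS range is skipped silently and "indicator not found" becomes indistinguishable from "host never checked"; use `print_error` at least for the login case. As the string compare on `e.get_error(e.error_code)` grows to cover more status codes than `STATUS_FILE_IS_A_DIRECTORY`, turn the chain into a `case` on that value rather than stacked `if`s.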
@wvu-r7
wvu-r7 added a note Feb 17, 2014

Might want to replace all this with a case statement.

@mubix mubix commented on an outdated diff Feb 19, 2014
modules/auxiliary/admin/smb/check_dir_file.rb
@@ -42,7 +43,10 @@ def initialize
register_options([
OptString.new('SMBSHARE', [true, 'The name of an accessible share on the server', 'C$']),
- OptString.new('RPATH', [true, 'The name of the remote file/directory relative to the share'])
+ OptString.new('RPATH', [true, 'The name of the remote file/directory relative to the share']),
+ OptString.new('SMBUser', [false, 'Username to connect with']),
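Review bot: `OptString.new('SMBUser', ...)` duplicates an option that the `Msf::Exploit::Remote::SMB::Authenticated` mixin already registers together with SMBPass and SMBDomain; drop the manual registration and include the mixin instead. The RPATH description on the `+` line is also unchanged and says nothing about the new `file:/path` list form, so `show options` gives no hint that a list is accepted; extend it, e.g. 'The name of the remote file/directory relative to the share, or file:/path to a list of them'.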
@mubix
mubix added a note Feb 19, 2014

These shouldn't be added manually, just include:

include Msf::Exploit::Remote::SMB::Authenticated
@mubix
mubix added a note Feb 19, 2014

After line 13

@mubix

@j0hnf can you provide a sample run? How do you provide a multi-line variable?

@j0hnf

@mubix
multiline file: set RPATH file:/path/to/file.txt
single file: set RPATH boot.ini

not missed something obvious and re-invented the wheel have I?
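How the two RPATH forms in the reply above can be resolved into a list of share-relative paths and the result of each check classified, as an added Ruby illustration that is not the module's own code; the `FAKE_SHARE` contents, the `probe` callable and the status-to-outcome mapping are assumptions standing in for a live SMB session.

```ruby
require 'tempfile'

# Expand an RPATH value as the PR describes: "file:/path" yields one remote
# path per non-blank line of that local list, anything else a single path.
# Added illustration, not the module's own code.
def resolve_rpath(value)
  return [value.strip] unless value.start_with?('file:')
  File.readlines(value.sub(/\Afile:/, ''), chomp: true).map(&:strip).reject(&:empty?)
end

# Map the NT status of an open attempt (nil = opened as a file) to an
# outcome, using the case statement suggested in review.
def classify(status)
  case status
  when nil then :file
  when 'STATUS_FILE_IS_A_DIRECTORY' then :directory
  when 'STATUS_OBJECT_NAME_NOT_FOUND', 'STATUS_OBJECT_PATH_NOT_FOUND' then :missing
  when 'STATUS_ACCESS_DENIED' then :denied
  else :error
  end
end

# probe takes a share-relative path and returns an NT status name or nil;
# the real module opens the object over SMB instead. Results are keyed by
# the UNC path the module prints, e.g. \\10.0.5.40\C$\WINDOWS.
def check_paths(host, share, rpath_value, probe)
  resolve_rpath(rpath_value).each_with_object({}) do |rpath, results|
    results["\\\\#{host}\\#{share}\\#{rpath}"] = classify(probe.call(rpath))
  end
end

# Constructed share contents standing in for a live host (hypothetical).
FAKE_SHARE = {
  'WINDOWS' => 'STATUS_FILE_IS_A_DIRECTORY',
  'boot.ini' => nil,
  'pagefile.sys' => 'STATUS_ACCESS_DENIED'
}.freeze

# Write a constructed indicator list and scan the fake share with it.
def demo_results
  list = Tempfile.new('ioc')
  list.write("WINDOWS\nboot.ini\n\ntools\\evil.exe\npagefile.sys\n")
  list.close
  probe = ->(rpath) { FAKE_SHARE.fetch(rpath, 'STATUS_OBJECT_NAME_NOT_FOUND') }
  check_paths('10.0.5.40', 'C$', "file:#{list.path}", probe)
ensure
  list&.unlink
end
```

An access-denied result is kept separate from "missing" on purpose: an indicator the scanning account cannot open has not been ruled out.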

@j0hnf
msf auxiliary(check_dir_file) > show options

Module options (auxiliary/admin/smb/check_dir_file):

   Name       Current Setting     Required  Description
   ----       ---------------     --------  -----------
   RHOSTS     10.0.5.0/24         yes       The target address range or CIDR identifier
   RPATH      file:/tmp/test.txt  yes       The name of the remote file/directory relative to the share
   RPORT      445                 yes       Set the SMB service port
   SMBDomain  MYDOMAIN            no        The Windows domain to use for authentication
   SMBPass    password            no        The password for the specified username
   SMBUser    Administrator       no        The username to authenticate as
   THREADS    128                 yes       The number of concurrent threads

msf auxiliary(check_dir_file) > exploit

[-] Host 10.0.5.1 unable to connect - connection refused
[+] Directory FOUND: \\10.0.5.40\C$\WINDOWS

[+] File FOUND: \\10.0.5.40\C$\boot.ini

[+] Directory FOUND: \\10.0.5.40\C$\TEMP

[+] File FOUND: \\10.0.5.40\C$\Program Files\Internet Explorer\iexplore.exe

[*] Scanned 080 of 256 hosts (031% complete)
[*] Scanned 109 of 256 hosts (042% complete)
[*] Scanned 128 of 256 hosts (050% complete)
[*] Scanned 187 of 256 hosts (073% complete)
[*] Scanned 188 of 256 hosts (073% complete)
[*] Scanned 199 of 256 hosts (077% complete)
[*] Scanned 200 of 256 hosts (078% complete)
[*] Scanned 207 of 256 hosts (080% complete)
[*] Scanned 255 of 256 hosts (099% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(check_dir_file) >
@mubix

awesome, didn't realize "each_line" would do a file read based on "file:/" and read a straight string.

💥 mind blown

@wchen-r7 wchen-r7 commented on the diff Mar 13, 2014
modules/auxiliary/admin/smb/check_dir_file.rb
@@ -41,8 +43,7 @@ def initialize
)
register_options([
- OptString.new('SMBSHARE', [true, 'The name of an accessible share on the server', 'C$']),
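Review bot: dropping the `SMBSHARE` registration while the module still reads it for the share mount (wchen-r7's point below) leaves the share name empty, which is exactly the STATUS_BAD_NETWORK_NAME raised from `tree_connect` in jvazquez-r7's run further down; keep the option registered with its `C$` default.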

Why did you deregister SMBSHARE when your code is using it??

@j0hnf
j0hnf added a note Jun 16, 2014

Thanks, wchen-r7, have added that back.

@jvazquez-r7

Indeed, SMBSHARE looks like it is used:

msf auxiliary(check_dir_file) > run

[-] Auxiliary failed: Rex::Proto::SMB::Exceptions::ErrorCode The server responded with error: STATUS_BAD_NETWORK_NAME (Command=117 WordCount=0)
[-] Call stack:
[-]   /Users/jvazquez/Projects/Code/metasploit-framework/lib/rex/proto/smb/client.rb:215:in `smb_recv_parse'
[-]   /Users/jvazquez/Projects/Code/metasploit-framework/lib/rex/proto/smb/client.rb:1070:in `tree_connect'
[-]   /Users/jvazquez/Projects/Code/metasploit-framework/lib/rex/proto/smb/simpleclient.rb:131:in `connect'
[-]   /Users/jvazquez/Projects/Code/metasploit-framework/modules/auxiliary/admin/smb/check_dir_file.rb:60:in `run_host'
[-]   /Users/jvazquez/Projects/Code/metasploit-framework/lib/msf/core/auxiliary/scanner.rb:104:in `block (2 levels) in run'
[-]   /Users/jvazquez/Projects/Code/metasploit-framework/lib/msf/core/thread_manager.rb:100:in `call'
[-]   /Users/jvazquez/Projects/Code/metasploit-framework/lib/msf/core/thread_manager.rb:100:in `block in spawn'
[*] Auxiliary module execution completed

@j0hnf do you mind finishing the review? thanks!

@todb-r7 todb-r7 added the module label May 30, 2014
@j0hnf

SMBSHARE has returned (oops, my bad!), hopefully all good, apologies for the delay.

@jvazquez-r7 jvazquez-r7 merged commit 1a82a20 into rapid7:master Aug 4, 2014

1 check passed: continuous-integration/travis-ci (The Travis CI build passed)
@jvazquez-r7 jvazquez-r7 added a commit that referenced this pull request Aug 4, 2014
@jvazquez-r7 jvazquez-r7 Land #2999, @j0hnf's modification to check_dir_file to handle file: ed97751
@jvazquez-r7

Landed, thanks @j0hnf! Did some cleanup, see final landing here: ed97751

Test:

msf auxiliary(check_dir_file) > show options

Module options (auxiliary/admin/smb/check_dir_file):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOSTS     172.16.158.180   yes       The target address range or CIDR identifier
   RPATH      boot.ini         yes       The name of the remote file/directory relative to the share
   RPORT      445              yes       Set the SMB service port
   SMBDomain  WORKGROUP        no        The Windows domain to use for authentication
   SMBPass    test             no        The password for the specified username
   SMBSHARE   C$               yes       The name of an accessible share on the server
   SMBUser    Administrator    no        The username to authenticate as
   THREADS    1                yes       The number of concurrent threads

msf auxiliary(check_dir_file) > reload
[*] Reloading module...
msf auxiliary(check_dir_file) > run

[-] Host 172.16.158.180 unable to connect to share C$
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(check_dir_file) > set SMBSHARE C
SMBSHARE => C
msf auxiliary(check_dir_file) > run

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(check_dir_file) > set VERBOSE true
VERBOSE => true
msf auxiliary(check_dir_file) > run

[*] Connecting to the server...
[*] Mounting the remote share \\172.16.158.180\C'...
[*] Checking for file/folder boot.ini...
[-] Host 172.16.158.180 reports access denied.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(check_dir_file) > set RPATH WINDOWS
RPATH => WINDOWS
msf auxiliary(check_dir_file) > run

[*] Connecting to the server...
[*] Mounting the remote share \\172.16.158.180\C'...
[*] Checking for file/folder WINDOWS...
[+] Directory FOUND: \\172.16.158.180\C\WINDOWS
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(check_dir_file) > set RPATH file:/tmp/test.txt
RPATH => file:/tmp/test.txt
msf auxiliary(check_dir_file) > run

[*] Connecting to the server...
[*] Mounting the remote share \\172.16.158.180\C'...
[*] Checking for file/folder boot.ini
tools
WINDOWS
eula.1036
eula.1036.txt
...
[-] Host 172.16.158.180 reports access denied.
[+] Directory FOUND: \\172.16.158.180\C\tools
[+] Directory FOUND: \\172.16.158.180\C\WINDOWS
[-] Object \\172.16.158.180\C\eula.1036 NOT found!
[+] File FOUND: \\172.16.158.180\C\eula.1036.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed