Smb login update #636

Merged
merged 2 commits into from Nov 14, 2012

5 participants

@Meatballs1
Collaborator

Fixed unset SMBDomain which caused false negatives with valid credentials (domain was being passed as Nil rather than "")

The module now responds with a print_status rather than an error if valid credentials are used but it is unable to log in. This provides testers valuable feedback as to correct username/password combinations. If physical access or RDP is available they may be able to utilise these credentials. They are stored in creds as inactive:
"STATUS_INVALID_LOGON_HOURS",
"STATUS_ACCOUNT_RESTRICTION",
"STATUS_ACCOUNT_EXPIRED",
"STATUS_ACCOUNT_DISABLED",
"STATUS_PASSWORD_EXPIRED",
"STATUS_PASSWORD_MUST_CHANGE"

Changed the bogus domain check to run per user rather than per host: local accounts in Windows do not require the domain to be correct, but domain logins do, so it did not make sense to set this per host.

Moved away from smb_login to simple.login to allow parameters to be specified.
Removed the simple.connect() method which did not appear to be needed to check logins.

A lot of refactoring to stop datastore[] munging that was currently in place.

I still don't quite fathom the difference between bogus logins and guest logins, and I'm not sure how to configure a test environment to replicate these, so I have (mostly) left them alone.

I have only tested on a limited scenario of a Win2k12 DC; it would definitely need verification against earlier LM and Linux services.

@jlee-r7 jlee-r7 and 1 other commented on an outdated diff Aug 1, 2012
modules/auxiliary/scanner/smb/smb_login.rb
- disconnect()
- datastore["SMBDomain"] = orig_domain
- return :skip_user # These reasons are sufficient to stop trying.
+ report_creds(domain,user,pass,true) if @accepts_guest_logins.select{ |g_host, g_creds| g_host == rhost and g_creds == [user,pass] }.empty?
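Review bot: dropping `return :skip_user` together with the `disconnect()` and `datastore["SMBDomain"] = orig_domain` lines changes control flow: once a guest session is detected for this user the loop now continues through the remaining passwords for that user instead of moving on, and nothing in this hunk closes the connection any more. If that is intended (the guest check now applies per credential pair rather than per user), say so in a comment and confirm the disconnect happens elsewhere. The added `@accepts_guest_logins.select{ ... }.empty?` reads more clearly as `@accepts_guest_logins.none? { |g_host, g_creds| g_host == rhost and g_creds == [user, pass] }`, and wrapping `report_creds(domain, user, pass, true)` in an `if`/`end` block instead of a postfix conditional keeps the line short.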
@jlee-r7
jlee-r7 Aug 1, 2012

I would break this line up. Postfix conditionals are difficult to read, especially on long lines.

Also, i think array.select{...}.empty? is better written as array.find{...} which returns the first element for which the block is true (instead of all of them), or nil if none.

@Meatballs1
Meatballs1 Aug 1, 2012 collaborator

Original code, I might have time tomorrow or sometime next week, if not I've added you as a collaborator feel free to change it as you wish :)

@Meatballs1
Collaborator

Is the record_guest option desired anymore? I can't see any good reason why you would wish to record random logins in the database.

@todb-r7
Collaborator
todb-r7 commented Sep 12, 2012

As @Meatballs1 says, this needs to be tested on a variety of platforms before we can commit. I'll wrangle up some targets for that as soon as I can, because these bug fixes look worthwhile.

@Meatballs1
Collaborator

I'd also like to look at adding some methods to auth_brute to count positive results and print the number of positives, rather than just 'completed', at the end if the inheriting module wants to.

@todb-r7
Collaborator
todb-r7 commented Sep 21, 2012

Sorry for the delay, still trying to herd my SMB cats here. I do worry about this module more than most because I know that it's one of the most heavily used and relied-upon first steps for a lot of engagements.

I'd love to see tests with screens and/or pcaps against major versions of Samba (whatever shipped with major versions of Ubuntu and RedHat, to start), and major versions of Windows from XP (pre/post SP2) through Windows 8. On these, we'd need to know that known good domain/username:password logins still succeed, known bad ones fail, and ideally, we'd have tests for all the new conditions that @Meatballs1 is now accounting for (STATUS_ACCOUNT_EXPIRED, _DISABLED, etc.). Also the whole bogus_domain check needs to be revalidated across platforms.

I'm bugging Rapid7's QA folks to throw in on this as well to stand up some test systems, but in the meantime, I wonder if there's a way to distribute this kind of target testing? In fact, here we go:

https://github.com/rapid7/metasploit-pcaps

That's off the top of my head, not a lot of planning. Other ideas for confirming workingness are appreciated, since these tests aren't terribly repeatable, won't spot regressions, etc.

@dlee-r7 dlee-r7 was assigned Sep 21, 2012
@todb-r7
Collaborator
todb-r7 commented Sep 21, 2012

And, for what it's worth, commit 873782 over in metasploit-pcaps shows that w2k3, sp2, direct auth has no regressions.

@wchen-r7
Collaborator

No answers from QA after 23 days. I'm taking this.

@wchen-r7
Collaborator

msftidy Check:

$ tools/msftidy.rb modules/auxiliary/scanner/smb/smb_login.rb 
smb_login.rb:113 - [WARNING] Carriage return EOL
smb_login.rb:114 - [WARNING] Carriage return EOL
smb_login.rb:208 - [WARNING] Spaces at EOL

Test boxes deployed (Name of box - IP - Expected behavior)

Windows Server 2008 ....... 10.0.1.77 (Firewalled)
Windows Vista SP2 ......... 10.0.1.79 ('sinn3r' enabled)
Windows 7 ................. 10.0.1.7  (Administrator disabled)
Windows XP SP2 ............ 10.0.1.55 (Guest)
Windows XP SP3 ............ 10.0.1.6  (Guest)
Windows Server 2003 SP2 ... 10.0.1.8  (Administrator enabled)
Windows 2000 SP4 .......... 10.0.1.38 (Administrator enabled)
Ubuntu 11.04 .............. 10.0.1.5  (Guest)

Test Results:

[*] 10.0.1.5 - This system allows guest sessions with any credentials, these instances will not be reported.
[*] 10.0.1.5:445| - GUEST LOGIN (Unix) Administrator :  [STATUS_SUCCESS]
[*] 10.0.1.5:445| - GUEST LOGIN (Unix) lab :  [STATUS_SUCCESS]
[*] 10.0.1.5:445| - GUEST LOGIN (Unix) Administrator : Administrator [STATUS_SUCCESS]
[*] 10.0.1.5:445| - GUEST LOGIN (Unix) lab : lab [STATUS_SUCCESS]
[*] 10.0.1.5:445| - GUEST LOGIN (Unix) Administrator : blah123 [STATUS_SUCCESS]
[*] 10.0.1.5:445| - GUEST LOGIN (Unix) lab : blah123 [STATUS_SUCCESS]
[*] 10.0.1.6 - This system allows guest sessions with any credentials, these instances will not be reported.
[*] 10.0.1.6:445| - GUEST LOGIN (Windows 5.1) Administrator :  [STATUS_SUCCESS]
[*] 10.0.1.6:445| - GUEST LOGIN (Windows 5.1) lab :  [STATUS_SUCCESS]
[*] 10.0.1.6:445| - GUEST LOGIN (Windows 5.1) sinn3r :  [STATUS_SUCCESS]
[*] 10.0.1.6:445| - GUEST LOGIN (Windows 5.1) Administrator : Administrator [STATUS_SUCCESS]
[*] 10.0.1.6:445| - GUEST LOGIN (Windows 5.1) lab : lab [STATUS_SUCCESS]
[*] 10.0.1.6:445| - GUEST LOGIN (Windows 5.1) sinn3r : sinn3r [STATUS_SUCCESS]
[*] 10.0.1.6:445| - GUEST LOGIN (Windows 5.1) Administrator : blah123 [STATUS_SUCCESS]
[*] 10.0.1.6:445| - GUEST LOGIN (Windows 5.1) lab : blah123 [STATUS_SUCCESS]
[*] 10.0.1.6:445| - GUEST LOGIN (Windows 5.1) sinn3r : blah123 [STATUS_SUCCESS]
[*] 10.0.1.7 - This system allows guest sessions with any credentials, these instances will not be reported.
[*] 10.0.1.7:445| - FAILED LOGIN, VALID CREDENTIALS (Windows 7 Ultimate 7600) Administrator :  [STATUS_ACCOUNT_DISABLED]
[+] 10.0.1.7:445| - SUCCESSFUL LOGIN (Windows 7 Ultimate 7600) sinn3r : blah123 [STATUS_SUCCESS]
[*] 10.0.1.8 - This system allows guest sessions with any credentials, these instances will not be reported.
[+] 10.0.1.8:445| - SUCCESSFUL LOGIN (Windows Server 2003 3790 Service Pack 2) Administrator : blah123 [STATUS_SUCCESS]
[*] Scanned 026 of 256 hosts (010% complete)
[*] 10.0.1.38 - This system allows guest sessions with any credentials, these instances will not be reported.
[+] 10.0.1.38:445| - SUCCESSFUL LOGIN (Windows 5.0) Administrator : blah123 [STATUS_SUCCESS]
[*] Scanned 052 of 256 hosts (020% complete)
[*] 10.0.1.55 - This system allows guest sessions with any credentials, these instances will not be reported.
[*] Scanned 077 of 256 hosts (030% complete)
[*] 10.0.1.79 - This system allows guest sessions with any credentials, these instances will not be reported.
[*] 10.0.1.79:445| - FAILED LOGIN, VALID CREDENTIALS (Windows Vista (TM) Business 6002 Service Pack 2) Administrator :  [STATUS_ACCOUNT_DISABLED]
[+] 10.0.1.79:445| - SUCCESSFUL LOGIN (Windows Vista (TM) Business 6002 Service Pack 2) sinn3r : blah123 [STATUS_SUCCESS]
[*] Scanned 103 of 256 hosts (040% complete)
...
[*] Auxiliary module execution completed

Test STATUS_ACCOUNT_DISABLED on Win 2k3:

msf  auxiliary(smb_login) > run

[*] 10.0.1.8 - This system allows guest sessions with any credentials, these instances will not be reported.
[*] 10.0.1.8:445| - FAILED LOGIN, VALID CREDENTIALS (Windows Server 2003 3790 Service Pack 2) lab : blah123 [STATUS_ACCOUNT_DISABLED]
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Test STATUS_PASSWORD_MUST_CHANGE:

msf  auxiliary(smb_login) > rerun
[*] Reloading module...

[*] 10.0.1.8 - This system allows guest sessions with any credentials, these instances will not be reported.
[*] 10.0.1.8:445| - FAILED LOGIN, VALID CREDENTIALS (Windows Server 2003 3790 Service Pack 2) lab : blah123 [STATUS_PASSWORD_MUST_CHANGE]
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
@wchen-r7
Collaborator

Overall, I didn't find anything bad except for some minor mistakes caught by msftidy.

@wchen-r7
Collaborator

Still needs testing for Ubuntu 8, 10, 11, 12, and maybe Samba on older OSXs.

@todb-r7
Collaborator
todb-r7 commented Oct 15, 2012

Thanks for covering this @wchen-r7. I'm way more confident that these changes won't screw over existing users of smb_login (which is nearly everyone on Metasploit Pro and Armitage).

@wchen-r7
Collaborator

Linux distros deployed:

Debian Linux 6.0 ... 10.0.1.12 ('root' open)
Fedora 14 .......... 10.0.1.89 (default)
Metasploitable2 .... 10.0.1.78 (default)
Ubuntu 12 .......... 10.0.1.88 (default)
Ubuntu 11.04 ....... Already tested

Note: Metasploitable2 is Ubuntu 8.04

Test Results:

msf  auxiliary(smb_login) > run

[*] 10.0.1.12 - This system allows guest sessions with any credentials, these instances will not be reported.
[+] 10.0.1.12:445| - SUCCESSFUL LOGIN (Unix) root : blah123 [STATUS_SUCCESS]
[*] Scanned 026 of 256 hosts (010% complete)
[*] Scanned 052 of 256 hosts (020% complete)
[*] Scanned 077 of 256 hosts (030% complete)
[*] 10.0.1.78 - This system allows guest sessions with any credentials, these instances will not be reported.
[*] 10.0.1.88 - This system allows guest sessions with any credentials, these instances will not be reported.
[*] 10.0.1.88:445| - GUEST LOGIN (Unix) root :  [STATUS_SUCCESS]
[*] 10.0.1.88:445| - GUEST LOGIN (Unix) msfadmin :  [STATUS_SUCCESS]
[*] 10.0.1.88:445| - GUEST LOGIN (Unix) root : root [STATUS_SUCCESS]
[*] 10.0.1.88:445| - GUEST LOGIN (Unix) msfadmin : msfadmin [STATUS_SUCCESS]
[*] 10.0.1.88:445| - GUEST LOGIN (Unix) root : blah123 [STATUS_SUCCESS]
[*] 10.0.1.88:445| - GUEST LOGIN (Unix) root : msfadmin [STATUS_SUCCESS]
[*] 10.0.1.88:445| - GUEST LOGIN (Unix) msfadmin : blah123 [STATUS_SUCCESS]
[*] Scanned 103 of 256 hosts (040% complete)
...
[*] Auxiliary module execution completed

Another example of attempting to login with a disabled account:

msf  auxiliary(smb_login) > run

[*] 10.0.1.12 - This system allows guest sessions with any credentials, these instances will not be reported.
[*] 10.0.1.12:445| - FAILED LOGIN, VALID CREDENTIALS (Unix) root : blah123 [STATUS_ACCOUNT_DISABLED]
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
@wchen-r7
Collaborator

False Positive Bug Caught

So against my Ubuntu 10.10 box, the original smb_login.rb (that's currently in the framework) returns the following results while trying to login as root:

msf  auxiliary(smb_login) > run

[*] 10.0.1.13:445 SMB - Starting SMB login bruteforce
[-] Auxiliary failed: Rex::Proto::SMB::Exceptions::ErrorCode The server responded with error: STATUS_ACCESS_DENIED (Command=117 WordCount=0)
[-] Call stack:
[-]   /msf/lib/rex/proto/smb/client.rb:215:in `smb_recv_parse'
[-]   /msf/lib/rex/proto/smb/client.rb:1069:in `tree_connect'
[-]   /msf/lib/rex/proto/smb/simpleclient.rb:275:in `connect'
[-]   /msf/lib/msf/core/exploit/smb.rb:152:in `smb_login'
[-]   /msf/modules/auxiliary/scanner/smb/smb_login.rb:137:in `accepts_bogus_logins?'
[-]   /msf/modules/auxiliary/scanner/smb/smb_login.rb:62:in `run_host'
[-]   /msf/lib/msf/core/auxiliary/scanner.rb:94:in `block in run'
[-]   /msf/lib/msf/core/thread_manager.rb:100:in `call'
[-]   /msf/lib/msf/core/thread_manager.rb:100:in `block in spawn'
[*] Auxiliary module execution completed

However, Meatballs1's smb_login.rb returns the following:

msf  auxiliary(smb_login) > run

[*] 10.0.1.13:445 SMB - Starting SMB login bruteforce
[*] 10.0.1.13 - This system allows guest sessions with any credentials, these instances will not be reported.
[*] 10.0.1.13:445| - GUEST LOGIN (Unix) root :  [STATUS_SUCCESS]
[*] Username is case insensitive
[*] 10.0.1.13:445| - GUEST LOGIN (Unix) root : root [STATUS_SUCCESS]
[*] Username is case insensitive
[*] 10.0.1.13:445| - GUEST LOGIN (Unix) root : notavalidpass [STATUS_SUCCESS]
[*] Username is case insensitive
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

I double-checked the login with smbclient:

$ smbclient \\\\10.0.1.13\\IPC$ -U root
Password: 
Domain=[UBUNTU] OS=[Unix] Server=[Samba 3.5.4]
tree connect failed: NT_STATUS_ACCESS_DENIED

And I'm sure that smb_login.rb shouldn't be able to login with a random password for 'root', so I think there's a bug somewhere... and probably a big one.

When I try to login with other users, however, I don't seem to have this problem.

My Ubuntu 10.10 smb.conf has the following settings:

  • restrict anonymous = 2 in global

  • all "guest ok" options are set to "no"

    $ pdbedit -L
    nobody:65534:nobody
    sinn3r:1000:sinn3r
    root@ubuntu:/home/sinn3r#

Please investigate.... this issue is currently a blocker.

@wchen-r7
Collaborator

The problem with the unnecessary exception with the original module is being addressed here:
#913

Note when that fix is merged, it might break this pull request. So please remember to merge and push again.

@Meatballs1
Collaborator

I tried not to fiddle with the 'guest' account checking much. I wonder if the following line is required for nix:

simple.connect("\\\\#{datastore['RHOST']}\\IPC$")

I commented it out because it appeared to make no difference for windows - it will return an error code in the login.

@Meatballs1
Collaborator

With regards to #913 I believe all of that exception checking is correctly refactored into check_login_status().

@Meatballs1
Collaborator

Without the simple.connect() call, simple.login does not receive an error code from samba in nix. I had a sneaking suspicion that this may have been the case when I took it out (hence the comment at the time). Windows rejects invalid credentials during the Session Setup and does not need the Tree Connect to verify credentials.

Also my logic for accepts_guest_logins() and accept_bogus_logins() was incorrect - should now report these correctly although I'm not sure how to configure a test scenario for bogus_logins.

smb client reports guest logins a bit weirdly:

    self.auth_user_id = ack['Payload']['SMB'].v['UserID']

    # Action == 1 marks a guest session; auth_user is only set for a real login
    if (ack['Payload'].v['Action'] != 1 and user.length > 0)
        self.auth_user = user
    end

Where Action 0 = NOT GUEST LOGIN and 1 = GUEST LOGIN

So in my opinion it should just set something like 'guest_login' to true/false instead of inferring if it sets the auth_user or not. That change can wait for a future time!
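The status list from the PR description (valid credentials that cannot currently log in, stored as inactive) and the Session Setup Action flag explained in this comment, combined into one added Ruby example. This is not code from the pull request or from Metasploit: SmbLoginReporter, Result and record are names assumed for the example, the guest bookkeeping mirrors the @accepts_guest_logins list from the diff (using find, as suggested in review, rather than select.empty?), and the hosts and credentials are constructed.

```ruby
# Added example: not code from this pull request or from Metasploit itself.
# Models the reporting decisions described in the thread. Inputs per attempt:
# the NT status name from the Session Setup, the response's Action flag
# (0 = normal login, 1 = guest login, as in the client code quoted above),
# and the host/user/password tried. SmbLoginReporter, Result and record
# are names assumed for this example; host addresses are constructed.

# Status values listed in the PR description: the password is right but the
# account cannot log in right now, so the credential is kept but flagged inactive.
VALID_BUT_INACTIVE = %w[
  STATUS_INVALID_LOGON_HOURS
  STATUS_ACCOUNT_RESTRICTION
  STATUS_ACCOUNT_EXPIRED
  STATUS_ACCOUNT_DISABLED
  STATUS_PASSWORD_EXPIRED
  STATUS_PASSWORD_MUST_CHANGE
].freeze

class SmbLoginReporter
  Result = Struct.new(:verdict, :message)

  attr_reader :creds

  def initialize
    @accepts_guest_logins = [] # [host, [user, pass]] pairs that yielded guest sessions
    @creds = []                # credentials that would be written to the database
  end

  # Classify one login attempt and record a credential where appropriate.
  def record(host, user, pass, status, action)
    label = "#{host}:445 #{user} : #{pass} [#{status}]"
    if status == 'STATUS_SUCCESS'
      if action == 1
        # Guest session: remember the pair so it is never reported as a valid login.
        @accepts_guest_logins << [host, [user, pass]]
        return Result.new(:guest, "GUEST LOGIN #{label}")
      end
      # find returns the first match or nil (the refactor suggested in review)
      # instead of select { ... }.empty?, which builds a whole array first.
      seen_as_guest = @accepts_guest_logins.find do |g_host, g_creds|
        g_host == host && g_creds == [user, pass]
      end
      return Result.new(:guest, "GUEST LOGIN #{label}") if seen_as_guest

      @creds << { host: host, user: user, pass: pass, active: true }
      Result.new(:success, "SUCCESSFUL LOGIN #{label}")
    elsif VALID_BUT_INACTIVE.include?(status)
      # Right password, unusable account: keep it, flagged inactive.
      @creds << { host: host, user: user, pass: pass, active: false }
      Result.new(:valid_inactive, "FAILED LOGIN, VALID CREDENTIALS #{label}")
    else
      Result.new(:failure, "FAILED LOGIN #{label}")
    end
  end
end

# Constructed sample run (192.0.2.0/24 is a documentation range): a Samba host
# that grants guest sessions and a Windows host with a disabled Administrator.
def demo
  reporter = SmbLoginReporter.new
  results = [
    reporter.record('192.0.2.5', 'root', 'blah123', 'STATUS_SUCCESS', 1),
    reporter.record('192.0.2.7', 'Administrator', '', 'STATUS_ACCOUNT_DISABLED', 0),
    reporter.record('192.0.2.7', 'sinn3r', 'blah123', 'STATUS_SUCCESS', 0),
    reporter.record('192.0.2.7', 'sinn3r', 'wrong', 'STATUS_LOGON_FAILURE', 0)
  ]
  [reporter, results]
end

if __FILE__ == $PROGRAM_NAME
  reporter, results = demo
  results.each { |r| puts "[#{r.verdict}] #{r.message}" }
  reporter.creds.each { |c| puts "stored #{c[:user]} on #{c[:host]} active=#{c[:active]}" }
end
```

The point of keeping the inactive flag separate from the verdict is the one the PR makes: a disabled or expired account with the right password is still a finding worth storing, just not a login a scanner can use, so it must never be confused with a guest session that accepts any password.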

@todb-r7 todb-r7 referenced this pull request in Meatballs1/metasploit-framework Nov 9, 2012
Merged

Merge and un-conflict #1

@Meatballs1
Collaborator

Loads and runs fine with merge - not done full testing

@wchen-r7
Collaborator

Target Machine: Windows Server 2003 SP2
Scenarios tested:

  • Login with a valid credential - pass
  • Login with a bad credential - pass
  • Option "User must change password at next logon" - pass
  • Option "Account is disabled" - pass

Log:

Note: "Old" means the original module that's currently in master. "New" means Meatballs1's version.

Login with a valid credential:

Old:

msf  auxiliary(smb_login) > rerun
[*] Reloading module...

[*] 10.0.1.56:445 SMB - Starting SMB login bruteforce
[-] 10.0.1.56 - This system allows guest sessions with any credentials, these instances will not be reported.
[-] 10.0.1.56:445 SMB - [1/3] - |WORKGROUP - FAILED LOGIN (Windows Server 2003 3790 Service Pack 2) Administrator :  (STATUS_LOGON_FAILURE)
[-] 10.0.1.56:445 SMB - [2/3] - |WORKGROUP - FAILED LOGIN (Windows Server 2003 3790 Service Pack 2) Administrator : Administrator (STATUS_LOGON_FAILURE)
[*] Auth-User: "Administrator"
[+] 10.0.1.56:445|WORKGROUP - SUCCESSFUL LOGIN (Windows Server 2003 3790 Service Pack 2) 'Administrator' : 'goodpass'
[*] Auth-User: "administrator"
[+] 10.0.1.56:445|WORKGROUP - SUCCESSFUL LOGIN (Windows Server 2003 3790 Service Pack 2) 'administrator' : 'goodpass'
[*] Username is case insensitive
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

New:

msf  auxiliary(smb_login) > rerun
[*] Reloading module...

[*] 10.0.1.56:445 SMB - Starting SMB login bruteforce
[-] 10.0.1.56:445 SMB - [1/3] - |WORKGROUP - FAILED LOGIN (Windows Server 2003 3790 Service Pack 2) Administrator :  [STATUS_LOGON_FAILURE]
[-] 10.0.1.56:445 SMB - [2/3] - |WORKGROUP - FAILED LOGIN (Windows Server 2003 3790 Service Pack 2) Administrator : Administrator [STATUS_LOGON_FAILURE]
[+] 10.0.1.56:445|WORKGROUP - SUCCESSFUL LOGIN (Windows Server 2003 3790 Service Pack 2) Administrator : goodpass [STATUS_SUCCESS]
[*] Username is case insensitive
[*] Domain is ignored
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Login with a bad credential:

Old:

msf  auxiliary(smb_login) > rerun
[*] Reloading module...

[*] 10.0.1.56:445 SMB - Starting SMB login bruteforce
[-] 10.0.1.56 - This system allows guest sessions with any credentials, these instances will not be reported.
[-] 10.0.1.56:445 SMB - [1/3] - |WORKGROUP - FAILED LOGIN (Windows Server 2003 3790 Service Pack 2) Administrator :  (STATUS_LOGON_FAILURE)
[-] 10.0.1.56:445 SMB - [2/3] - |WORKGROUP - FAILED LOGIN (Windows Server 2003 3790 Service Pack 2) Administrator : Administrator (STATUS_LOGON_FAILURE)
[-] 10.0.1.56:445 SMB - [3/3] - |WORKGROUP - FAILED LOGIN (Windows Server 2003 3790 Service Pack 2) Administrator : bad (STATUS_LOGON_FAILURE)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

New:

[*] Reloading module...

[*] 10.0.1.56:445 SMB - Starting SMB login bruteforce
[-] 10.0.1.56:445 SMB - [1/3] - |WORKGROUP - FAILED LOGIN (Windows Server 2003 3790 Service Pack 2) Administrator :  [STATUS_LOGON_FAILURE]
[-] 10.0.1.56:445 SMB - [2/3] - |WORKGROUP - FAILED LOGIN (Windows Server 2003 3790 Service Pack 2) Administrator : Administrator [STATUS_LOGON_FAILURE]
[-] 10.0.1.56:445 SMB - [3/3] - |WORKGROUP - FAILED LOGIN (Windows Server 2003 3790 Service Pack 2) Administrator : bad [STATUS_LOGON_FAILURE]
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Option "User must change password at next logon" enabled:

msf  auxiliary(smb_login) > rerun
[*] Reloading module...

[*] 10.0.1.56:445 SMB - Starting SMB login bruteforce
[-] 10.0.1.56:445 SMB - [1/3] - |WORKGROUP - FAILED LOGIN (Windows Server 2003 3790 Service Pack 2) sinn3r :  [STATUS_LOGON_FAILURE]
[-] 10.0.1.56:445 SMB - [2/3] - |WORKGROUP - FAILED LOGIN (Windows Server 2003 3790 Service Pack 2) sinn3r : sinn3r [STATUS_LOGON_FAILURE]
[*] 10.0.1.56:445|WORKGROUP - FAILED LOGIN, VALID CREDENTIALS (Windows Server 2003 3790 Service Pack 2) sinn3r : goodpass [STATUS_PASSWORD_MUST_CHANGE]
[*] Domain is ignored
[*] Username is case insensitive
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Option "Account is disabled":

msf  auxiliary(smb_login) > rerun
[*] Reloading module...

[*] 10.0.1.56:445 SMB - Starting SMB login bruteforce
[-] 10.0.1.56:445 SMB - [1/3] - |WORKGROUP - FAILED LOGIN (Windows Server 2003 3790 Service Pack 2) sinn3r :  [STATUS_LOGON_FAILURE]
[-] 10.0.1.56:445 SMB - [2/3] - |WORKGROUP - FAILED LOGIN (Windows Server 2003 3790 Service Pack 2) sinn3r : sinn3r [STATUS_LOGON_FAILURE]
[*] 10.0.1.56:445|WORKGROUP - FAILED LOGIN, VALID CREDENTIALS (Windows Server 2003 3790 Service Pack 2) sinn3r : goodpass [STATUS_ACCOUNT_DISABLED]
[*] Domain is ignored
[*] Username is case insensitive
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
@todb-r7
Collaborator
todb-r7 commented Nov 12, 2012

So on both old and new on a default MetasploitableV2 installation:

[*] 192.168.145.152:445 is running Unix Samba 3.0.28a (language: Unknown) (name:METASPLOITABLE) (domain:METASPLOITABLE)
[*] 192.168.145.152:445 SMB - Starting SMB login bruteforce
[-] 192.168.145.152:445|WORKGROUP - This system accepts authentication with any credentials, brute force is ineffective.

So, metasploitablev2 is pretty useless for testing Samba out of the box. :)

@todb-r7
Collaborator
todb-r7 commented Nov 12, 2012

Here's my tested SMB version:

[*] 192.168.145.233:445 is running Unix Samba 3.6.3 (language: Unknown) (name:MSBUILDER) (domain:MSBUILDER)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

@Meatballs1's fixes:

resource (/home/todb/rc/smb_test.rc)> use auxiliary/scanner/smb/smb_login
resource (/home/todb/rc/smb_test.rc)> setg BLANK_PASSWORDS false
BLANK_PASSWORDS => false
resource (/home/todb/rc/smb_test.rc)> setg USER_AS_PASS false
USER_AS_PASS => false
resource (/home/todb/rc/smb_test.rc)> set SMBUser gooduser
SMBUser => gooduser
resource (/home/todb/rc/smb_test.rc)> set SMBPass goodpass
SMBPass => goodpass
resource (/home/todb/rc/smb_test.rc)> run
[*] 192.168.145.233:445 SMB - Starting SMB login bruteforce
[+] 192.168.145.233:445| - SUCCESSFUL LOGIN (Unix) gooduser : goodpass [STATUS_SUCCESS]
[*] Username is case insensitive
[*] Domain is ignored
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
resource (/home/todb/rc/smb_test.rc)> set SMBUser baduser
SMBUser => baduser
resource (/home/todb/rc/smb_test.rc)> set SMBPass nonsense
SMBPass => nonsense
resource (/home/todb/rc/smb_test.rc)> run
[*] 192.168.145.233:445 SMB - Starting SMB login bruteforce
[-] 192.168.145.233:445 SMB - [1/1] - | - FAILED LOGIN (Unix) baduser : nonsense [STATUS_LOGON_FAILURE]
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
resource (/home/todb/rc/smb_test.rc)> set SMBUser nouser
SMBUser => nouser
resource (/home/todb/rc/smb_test.rc)> set SMBPass nonsense
SMBPass => nonsense
resource (/home/todb/rc/smb_test.rc)> run
[*] 192.168.145.233:445 SMB - Starting SMB login bruteforce
[-] 192.168.145.233:445 SMB - [1/1] - | - FAILED LOGIN (Unix) nouser : nonsense [STATUS_ACCESS_DENIED]
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf  auxiliary(smb_login) > exit

Current (rapid7/master) version:

[*] 192.168.145.233:445 SMB - Starting SMB login bruteforce
[-] 192.168.145.233 - This system allows guest sessions with any credentials, these instances will not be reported.
[*] Auth-User: "gooduser"
[+] 192.168.145.233:445|WORKGROUP - SUCCESSFUL LOGIN (Unix) 'gooduser' : 'goodpass'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
resource (/home/todb/rc/smb_test.rc)> set SMBUser baduser
SMBUser => baduser
resource (/home/todb/rc/smb_test.rc)> set SMBPass nonsense
SMBPass => nonsense
resource (/home/todb/rc/smb_test.rc)> run
[*] 192.168.145.233:445 SMB - Starting SMB login bruteforce
[-] 192.168.145.233 - This system allows guest sessions with any credentials, these instances will not be reported.
[-] 192.168.145.233:445 SMB - [1/1] - |WORKGROUP - FAILED LOGIN (Unix) baduser : nonsense (STATUS_LOGON_FAILURE)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
resource (/home/todb/rc/smb_test.rc)> set SMBUser nouser
SMBUser => nouser
resource (/home/todb/rc/smb_test.rc)> set SMBPass nonsense
SMBPass => nonsense
resource (/home/todb/rc/smb_test.rc)> run
[*] 192.168.145.233:445 SMB - Starting SMB login bruteforce
[-] 192.168.145.233 - This system allows guest sessions with any credentials, these instances will not be reported.
[-] 192.168.145.233:445|WORKGROUP - FAILED LOGIN (Unix) nouser : nonsense (STATUS_ACCESS_DENIED)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

The only thing that jumps out at me is that I believe WORKGROUP should still be the default domain. People are likely counting on that right now, and if they want to change it, they can change it.

@todb-r7
Collaborator
todb-r7 commented Nov 12, 2012

Testing material:

setg rhosts 192.168.145.233
use auxiliary/scanner/smb/smb_version
run

use auxiliary/scanner/smb/smb_login
setg BLANK_PASSWORDS false
setg USER_AS_PASS false
set SMBUser gooduser
set SMBPass goodpass
run
set SMBUser baduser
set SMBPass nonsense
run
set SMBUser nouser
set SMBPass nonsense
run

The target is Ubuntu 12.04 64-bit with samba installed. smb.conf is default except for the changes mentioned earlier on this PR (guest ok = no, restrict anonymous = 2, users configured appropriately via pdbedit).

@todb-r7
Collaborator
todb-r7 commented Nov 12, 2012

Oh, in case it's not obvious, the Linux test shows that everything's cool for run-of-the-mill Samba, results-wise. The only worrisome thing I see now is the difference between current and new:

[-] 192.168.145.233:445|WORKGROUP - FAILED LOGIN (Unix) nouser : nonsense (STATUS_ACCESS_DENIED)
[-] 192.168.145.233:445 SMB - [1/1] - | - FAILED LOGIN (Unix) nouser : nonsense [STATUS_ACCESS_DENIED]

I see that @Meatballs1's version correctly says SMB, but incorrectly is not displaying the SMBDomain name, and is displaying some mysterious - | - bit.

@Meatballs1
Collaborator

I set the output format on line 192 to keep it declared in one place and just pass in a variable for %s in the case statement.

output_message = "#{smbhost} - %s (#{smb_peer_os}) #{user} : #{pass} [#{status}]"

Differences in smbhost.to_s should only come from the difference between using smb_login() and simple.login()/simple.connect(). I believe it is probably due to calling:

ensure
disconnect()
end

Before declaring the output_message, whereas in smb_login no disconnect is called.

@todb-r7
Collaborator
todb-r7 commented Nov 12, 2012

So I think there are two things going on here:

  1. The status message is getting mangled by some mixin.
  2. The domains may or may not actually get tested in both old and new.

@Meatballs1's last comment on output_message deals with (1). I will verify (2) one way or another after setting up some domain-specific creds to test. The use case, btw, is when USERPASS_FILE is set and contains entries like:

FOO/user1 pass1
BAR/user1 pass1

...and the expectation is that first should pass and the second should fail.
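The USERPASS_FILE entries above, parsed into (domain, user, password) triples in an added Ruby example. This is not the module's own parser: parse_userpass_line, parse_userpass_lines and Credential are assumed names, the default-domain fallback is a parameter (WORKGROUP here, matching the earlier comment that it should stay the default), and the sample file is constructed.

```ruby
# Added example, not code from the pull request or from Metasploit: parses
# USERPASS_FILE-style lines where an entry may carry a domain as DOMAIN/user.
# Function and struct names are assumptions made for this example.

Credential = Struct.new(:domain, :user, :pass)

# Parse one "[DOMAIN/]user password" line; returns nil for a blank line.
def parse_userpass_line(line, default_domain)
  text = line.strip
  return nil if text.empty?

  # Split only at the first run of whitespace so a password containing
  # spaces survives intact.
  account, pass = text.split(/\s+/, 2)
  pass ||= '' # a bare username means "blank password"

  # DOMAIN/user selects a domain login; anything else falls back to the default.
  domain, user = if account.include?('/')
                   account.split('/', 2)
                 else
                   [default_domain, account]
                 end
  Credential.new(domain, user, pass)
end

def parse_userpass_lines(lines, default_domain: 'WORKGROUP')
  lines.map { |l| parse_userpass_line(l, default_domain) }.compact
end

# Constructed sample mirroring the entries discussed in the thread, plus the
# edge cases a real file tends to contain (blank line, spaces in a password,
# username with no password).
SAMPLE = <<~EOS
  FOO/user1 pass1
  BAR/user1 pass1
  user2 pass with spaces

  localonly
EOS

def demo_userpass
  parse_userpass_lines(SAMPLE.lines)
end

if __FILE__ == $PROGRAM_NAME
  demo_userpass.each { |c| puts "#{c.domain}\\#{c.user} : #{c.pass.inspect}" }
end
```

Entries without a domain get the default rather than an empty string, which is the behaviour the thread argues existing users rely on; passing default_domain: '' reproduces the PR's original choice if that is wanted instead.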

@todb-r7 todb-r7 referenced this pull request in Meatballs1/metasploit-framework Nov 12, 2012
Merged

Make domain part less stupid looking #2

@Meatballs1 Meatballs1 Merge pull request #2 from todb-r7/smb_login_update
Make domain part less stupid looking
cfd49fc
@todb-r7
Collaborator
todb-r7 commented Nov 12, 2012

The only thing remaining now is to test the domain savvy between old and new. If they are both equally broken or equally functional, then this should be landed.

@wchen-r7
Collaborator

Tested on Samba 3.5.11; seems to function properly comparing old vs new.

@todb-r7
Collaborator
todb-r7 commented Nov 13, 2012

Looking very good!

New style

[*] 192.168.145.155:445 SMB - Starting SMB login bruteforce
[-] 192.168.145.155:445 SMB - [1/3] - \\FOODOMAIN - FAILED LOGIN (Windows 7 Enterprise 7601 Service Pack 1) gooduser : goodpass [STATUS_LOGON_FAILURE]
[+] 192.168.145.155:445 \\GOODDOMAIN - SUCCESSFUL LOGIN (Windows 7 Enterprise 7601 Service Pack 1) gooduser : goodpass [STATUS_SUCCESS]
[*] Username is case insensitive
[-] 192.168.145.155:445 SMB - [3/3] - \\BARDOMAIN - FAILED LOGIN (Windows 7 Enterprise 7601 Service Pack 1) gooduser : goodpass [STATUS_LOGON_FAILURE]
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Old style

msf  auxiliary(smb_login) > reload
[*] Reloading module...
rmsf  auxiliary(smb_login) > run

[*] 192.168.145.155:445 SMB - Starting SMB login bruteforce
[-] 192.168.145.155 - This system allows guest sessions with any credentials, these instances will not be reported.
[-] 192.168.145.155:445 SMB - [1/3] - |FOODOMAIN - FAILED LOGIN (Windows 7 Enterprise 7601 Service Pack 1) gooduser : goodpass (STATUS_LOGON_FAILURE)
[*] Auth-User: "gooduser"
[+] 192.168.145.155:445|GOODDOMAIN - SUCCESSFUL LOGIN (Windows 7 Enterprise 7601 Service Pack 1) 'gooduser' : 'goodpass'
[*] Auth-User: "gooduser"
[+] 192.168.145.155:445|gooddomain - SUCCESSFUL LOGIN (Windows 7 Enterprise 7601 Service Pack 1) 'gooduser' : 'goodpass'
[*] Username is case insensitive
[-] 192.168.145.155:445 SMB - [3/3] - |BARDOMAIN - FAILED LOGIN (Windows 7 Enterprise 7601 Service Pack 1) gooduser : goodpass (STATUS_LOGON_FAILURE)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
@todb-r7
Collaborator
todb-r7 commented Nov 14, 2012

There's still a screwup with the done over left ratio there (good hits don't display properly) but that's common to both schemes. I'm not going to cry too much.

@todb-r7 todb-r7 merged commit 5c10bc1 into rapid7:master Nov 14, 2012

1 check passed: the Travis build passed.