Add the scanner/smb/impacket/dcomexec module #9816

Merged
merged 1 commit into from May 16, 2018

@zeroSteiner
Contributor

zeroSteiner commented Apr 4, 2018

This adds Impacket's dcomexec as an external module. The basic options were kept and carried over to the module version. One of the settings that's noteworthy is OBJECT: in my testing I had better luck with the MMC20 setting, so that is the default value instead of what the original script used. The different settings are noted in the markdown documentation. This information was carried over from the original tool.

There's an _msf_impacket.py module in the new directory. It adds a RemoteShell class that can be used by future modules (such as wmiexec.py). Additionally there's a pre_run_hook that this module and future modules can use. Currently it only sets up logging, but it could be used in the future to easily shim in new behavior for other impacket modules as well.

Verification

List the steps needed to make sure this thing works

  • Install Impacket v0.9.17 from GitHub. The impacket package must be in Python's module path, so import impacket works from any directory.
  • Install pycrypto v2.7 (the experimental release). Impacket requires this specific version.
  • Start msfconsole
  • Do: use auxiliary/scanner/smb/impacket/dcomexec
  • Set: COMMAND, RHOSTS, SMBUser, SMBPass
  • Do: run, see the command result (if OUTPUT is enabled)

Example Output

metasploit-framework (S:0 J:1) auxiliary(scanner/smb/impacket/dcomexec) > show options 

Module options (auxiliary/scanner/smb/impacket/dcomexec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   COMMAND    ipconfig         yes       The command to execute
   OBJECT     MMC20            yes       The DCOM object to use for execution (Accepted: ShellWindows, ShellBrowserWindow, MMC20)
   OUTPUT     true             yes       Get the output of the executed command
   RHOSTS     192.168.90.11    yes       The target address range or CIDR identifier
   SMBDomain  .                no        The Windows domain to use for authentication
   SMBPass    wakawaka         yes       The password for the specified username
   SMBUser    spencer          yes       The username to authenticate as
   THREADS    1                yes       The number of concurrent threads

metasploit-framework (S:0 J:1) auxiliary(scanner/smb/impacket/dcomexec) > run

[*] [2018.04.04-17:07:51] Running for 192.168.90.11...
[*] [2018.04.04-17:07:51] 192.168.90.11 - SMBv3.0 dialect used
[*] [2018.04.04-17:07:51] 192.168.90.11 - Target system is 192.168.90.11 and isFDQN is False
[*] [2018.04.04-17:07:51] 192.168.90.11 - StringBinding: Windows8VM[55339]
[*] [2018.04.04-17:07:51] 192.168.90.11 - StringBinding: 10.0.3.15[55339]
[*] [2018.04.04-17:07:51] 192.168.90.11 - StringBinding: 192.168.90.11[55339]
[*] [2018.04.04-17:07:51] 192.168.90.11 - StringBinding chosen: ncacn_ip_tcp:192.168.90.11[55339]
[*] [2018.04.04-17:07:52] 
Windows IP Configuration


Ethernet adapter Ethernet 5:

   Connection-specific DNS Suffix  . : foo.lan
   Link-local IPv6 Address . . . . . : fe80::9ceb:820e:7c6b:def9%17
   IPv4 Address. . . . . . . . . . . : 10.0.3.15
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.3.2

Ethernet adapter Local Area Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 

Ethernet adapter Ethernet 3:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 

Ethernet adapter Ethernet 4:

   Connection-specific DNS Suffix  . : 
   IPv4 Address. . . . . . . . . . . : 192.168.90.11
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 

Tunnel adapter isatap.foo.lan:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : foo.lan

Tunnel adapter isatap.{70FE2ED7-E141-40A9-9CAF-E8556F6A4E80}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 

[*] [2018.04.04-17:07:52] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
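An added environment check for the first two verification steps above (this is not code from the PR, from Metasploit or from Impacket): it confirms that the required packages import from the current directory and that their versions match the ones the PR was tested with. The attribute names used to read the versions (impacket.version.VER_MAJOR/VER_MINOR and Crypto.__version__) are assumptions; the importer is injectable so the check can be exercised without the packages installed.

```python
import importlib
import re
from typing import Any, Callable, Dict, Optional, Tuple

# Versions named in the PR's verification steps; pycrypto imports as "Crypto".
REQUIRED = {"impacket": "0.9.17", "Crypto": "2.7"}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '0.9.17' or '2.7a1' into a tuple of the leading numeric components."""
    m = re.match(r"\d+(?:\.\d+)*", text)
    return tuple(int(n) for n in m.group(0).split(".")) if m else ()


def module_version(mod: Any) -> Optional[str]:
    """Best-effort version lookup. Assumption: pycrypto exposes Crypto.__version__,
    impacket exposes impacket.version.VER_MAJOR / VER_MINOR (e.g. '0.9' and '17')."""
    v = getattr(mod, "__version__", None)
    if v:
        return str(v)
    ver = getattr(mod, "version", None)
    major, minor = getattr(ver, "VER_MAJOR", None), getattr(ver, "VER_MINOR", None)
    if major is not None and minor is not None:
        return f"{major}.{minor}"
    return None


def check_dependency(name: str, required: str,
                     importer: Callable[[str], Any] = importlib.import_module) -> Tuple[bool, str]:
    """Return (ok, message). A mismatch on the required prefix (0.9.17, or 2.7 for the
    2.7 pre-release) is reported as a failure rather than a warning, since the PR says
    Impacket needs that specific pycrypto build."""
    try:
        mod = importer(name)
    except ImportError as exc:
        return False, f"{name}: not importable ({exc}); it must be on sys.path from any directory"
    found = module_version(mod)
    if found is None:
        return False, f"{name}: imported, but no version attribute was found"
    want = parse_version(required)
    if parse_version(found)[:len(want)] != want:
        return False, f"{name}: found {found}, PR was verified against {required}"
    return True, f"{name} {found}: ok"


def check_all(required: Dict[str, str] = REQUIRED,
              importer: Callable[[str], Any] = importlib.import_module) -> Dict[str, Tuple[bool, str]]:
    return {name: check_dependency(name, ver, importer) for name, ver in required.items()}


if __name__ == "__main__":
    for _name, (_ok, _msg) in check_all().items():
        print(("PASS " if _ok else "FAIL ") + _msg)
```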

@zeroSteiner zeroSteiner added the module label Apr 4, 2018

@busterb

Contributor

busterb commented Apr 5, 2018

Does it make sense to include 'impacket' in the module path? We don't normally include other libraries that are used in the module path.

@zeroSteiner

Contributor

zeroSteiner commented Apr 5, 2018

I guess the other place that it would make sense to include it would be at lib/msf/core/modules/external/python.

@busterb

Contributor

busterb commented Apr 6, 2018

After some thought, this is OK for now.

#!/usr/bin/env python
# Copyright (c) 2003-2018 CORE Security Technologies
#
# This software is provided under under a slightly modified version

@s0m3gai

s0m3gai Apr 7, 2018

Hmm... just being pedantic, but if it's this license, it appears to be a modified Apache 1.1 license, whose clause 3 might not yet be satisfied...

Also, cool addition!

@sempervictus

Contributor

sempervictus commented Apr 7, 2018

This is a lot neater than the binary wrapper. Thanks boss. Still, imho, we should really have full stack proto support in Rex...

@jrobles-r7 jrobles-r7 merged commit 0a3bcf5 into rapid7:master May 16, 2018

3 checks passed

Metasploit Automation - Sanity Test Execution: Successfully ran sanity checks.
Metasploit Automation - Test Execution: Successfully ran `autoPayloadTest.py`.
continuous-integration/travis-ci/pr: The Travis CI build passed

jrobles-r7 added a commit that referenced this pull request May 16, 2018

@jrobles-r7

Contributor

jrobles-r7 commented May 16, 2018

Verified on Windows 7 and Windows 10.
MMC20 object with OUTPUT enabled works.
ShellWindows and ShellBrowserWindow with OUTPUT disabled work. With OUTPUT enabled the console waits for file retrieval, but the file doesn't appear to exist in these cases.

@jrobles-r7

Contributor

jrobles-r7 commented May 16, 2018

Release Notes

The auxiliary/scanner/smb/impacket/dcomexec module has been added to framework. The module provides code execution capabilities through DCOM.

msjenkins-r7 added a commit that referenced this pull request May 17, 2018
