Metasploit fails connecting to impacket smbserver #12

Closed
GoogleCodeExporter opened this issue Mar 27, 2015 · 6 comments

Comments

@GoogleCodeExporter

The problem seems to be that Metasploit advertises extended security 
capabilities in the protocol negotiation packet, but not in the session setup 
packet. impacket relies on the negotiation packet to determine capabilities, 
and throws an exception trying to parse the non-existent security blob.

This patch resolves the issue by consulting the setup packet instead of the 
cached negotiation packet:

===================================================================
--- impacket/smbserver.py   (revision 706)
+++ impacket/smbserver.py   (working copy)
@@ -2049,8 +2049,10 @@

         respSMBCommand = smb.SMBCommand(smb.SMB.SMB_COM_SESSION_SETUP_ANDX)

-        if connData['_dialects_parameters']['Capabilities'] & 
smb.SMB.CAP_EXTENDED_SECURITY:
-            # Extended security. Here we deal with all SPNEGO stuff
+        #if connData['_dialects_parameters']['Capabilities'] & 
smb.SMB.CAP_EXTENDED_SECURITY:
+        sessionSetupParameters = 
smb.SMBSessionSetupAndX_Extended_Parameters(SMBCommand['Parameters'])
+        if sessionSetupParameters['Capabilities'] & 
smb.SMB.CAP_EXTENDED_SECURITY:
+        # Extended security. Here we deal with all SPNEGO stuff
             respParameters = smb.SMBSessionSetupAndX_Extended_Response_Parameters()
             respData       = smb.SMBSessionSetupAndX_Extended_Response_Data()
             sessionSetupParameters = smb.SMBSessionSetupAndX_Extended_Parameters(SMBCommand['Parameters'])
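Review bot: the added `sessionSetupParameters = smb.SMBSessionSetupAndX_Extended_Parameters(SMBCommand['Parameters'])` runs before anything has established that the client actually sent the extended-security form of SESSION_SETUP_ANDX, so a client using standard security (whose parameter block has a different length and carries password-length fields where the extended form carries SecurityBlobLength) gets decoded with the wrong layout, and the following `Capabilities` test reads misaligned bytes. The discriminator available at this stage is the extended-security bit in the header Flags2, which is what [MS-SMB] specifies: test that first, and only then construct either the extended or the standard parameters structure. Smaller points: the old condition is left behind as a commented-out `#if ...` line instead of being deleted, the re-added `# Extended security` comment lost its indentation relative to the block it describes, and the original `sessionSetupParameters = ...` assignment inside the branch is now redundant with the one added above it.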

Original issue reported on code.google.com by bryanbu...@gmail.com on 6 Sep 2012 at 12:59

@GoogleCodeExporter

Hey Bryan:

Thanks for the report.. I'll take a look at it.. 

Any specific MSF module you're using for testing this? (I assume all of them 
use the same SMB client library, but just in case..)

cheers,
beto


Original comment by bet...@gmail.com on 6 Sep 2012 at 1:28


@GoogleCodeExporter

Original comment by bet...@gmail.com on 6 Sep 2012 at 3:02

  • Changed state: Accepted

@GoogleCodeExporter

Okay.. I think it's fixed.. please verify...

I tested it with smb_login and smb_enumshares.

Actually Metasploit, as you say, DOES send extended security in the neg packet 
but not on the session_setup one.. Against a Windows 7 MSF does send it in both 
packets. There must be something in my negproto answer that confuses msf 
(or something I'm returning not compliant with the protocol).  

I haven't applied your fix tho.. main problem is you can't cast the data to 
SMBSessionSetupAndX_Extended_Parameters if you're not sure whether or not the 
client sent that. SMBSessionSetupAndX_Extended_Parameters and 
SMBSessionSetupAndX_Parameters have different sizes. That would break clients 
trying to connect with standard security, under some circumstances.

What I did is what [MS-SMB] recommends, which is still reading the Flags2 at 
this stage to decide whether it's extended security or not.

One important note tho.. smbServer still does NOT support NTLMv2 authentication 
under standard security (this is what MSF does); it does under extended 
security, although right now we're granting access to everybody. So if you think 
about checking usernames it won't work yet.  

thanks again for the report Bryan..

cheers,
beto

Original comment by bet...@gmail.com on 6 Sep 2012 at 3:38
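An added example, not impacket's code and not from this thread, showing the dispatch beto describes: pick the SessionSetupAndX parameter layout from the request's own Flags2 extended-security bit and confirm that WordCount matches it, instead of casting the parameters to the extended structure. Field layouts follow [MS-CIFS]/[MS-SMB]; the two packets are constructed samples, and `misparse_as_extended` shows what the cast in the original patch would have read from a standard-security request.

```python
import struct

# Constants from [MS-CIFS]/[MS-SMB]: the command code, the Flags2 bit and the capability bit.
SMB_COM_SESSION_SETUP_ANDX   = 0x73
SMB_FLAGS2_EXTENDED_SECURITY = 0x0800
CAP_EXTENDED_SECURITY        = 0x80000000

# 32-byte SMB header: Protocol, Command, Status, Flags, Flags2, PIDHigh, SecurityFeatures, Reserved, TID, PIDLow, UID, MID.
HEADER = struct.Struct('<4sBIBHH8sHHHHH')
# Standard security, WordCount 13: AndX(3), MaxBufferSize, MaxMpxCount, VcNumber, SessionKey, OEMPasswordLen, UnicodePasswordLen, Reserved, Capabilities.
STD_PARAMS = struct.Struct('<BBHHHHIHHII')
# Extended security, WordCount 12: same prefix up to SessionKey, then SecurityBlobLength, Reserved, Capabilities.
EXT_PARAMS = struct.Struct('<BBHHHHIHII')

def build_session_setup(flags2, params, data):
    """Constructed request: header, WordCount, parameter words, ByteCount, data bytes."""
    hdr = HEADER.pack(b'\xffSMB', SMB_COM_SESSION_SETUP_ANDX, 0, 0x18, flags2,
                      0, b'\x00' * 8, 0, 0, 0xfeff, 0, 1)
    return hdr + bytes([len(params) // 2]) + params + struct.pack('<H', len(data)) + data

def parse_session_setup(packet):
    """Choose the layout from Flags2 of this request, not from the cached negotiate packet."""
    flags2 = HEADER.unpack_from(packet, 0)[4]
    word_count = packet[32]
    params = packet[33:33 + 2 * word_count]
    (byte_count,) = struct.unpack_from('<H', packet, 33 + 2 * word_count)
    data = packet[35 + 2 * word_count:35 + 2 * word_count + byte_count]
    if flags2 & SMB_FLAGS2_EXTENDED_SECURITY:
        if word_count != 12:
            raise ValueError('extended security with WordCount %d' % word_count)
        f = EXT_PARAMS.unpack(params)
        return {'extended': True, 'capabilities': f[9], 'security_blob': data[:f[7]]}
    if word_count != 13:
        raise ValueError('standard security with WordCount %d' % word_count)
    f = STD_PARAMS.unpack(params)
    oem_len, uni_len = f[7], f[8]
    return {'extended': False, 'capabilities': f[10], 'oem_password': data[:oem_len],
            'unicode_password': data[oem_len:oem_len + uni_len]}

def misparse_as_extended(packet):
    """The pitfall from the thread: a 13-word block read through the 12-word layout; returns (SecurityBlobLength, Capabilities) as misread."""
    f = EXT_PARAMS.unpack(packet[33:33 + EXT_PARAMS.size])
    return f[7], f[9]

# Constructed samples. STANDARD mirrors the Metasploit behaviour described above: no Flags2 bit,
# password-length fields and a 1-byte OEM plus 24-byte Unicode password instead of a security blob.
STANDARD = build_session_setup(0x0001, STD_PARAMS.pack(0xff, 0, 0, 4356, 50, 1, 0, 1, 24, 0, 0x14),
                               b'\x00' + b'N' * 24 + b'host\x00')
EXTENDED = build_session_setup(0x0801, EXT_PARAMS.pack(0xff, 0, 0, 4356, 50, 1, 0, 5, 0, 0x80000014),
                               b'\x60\x03\x06\x01\x05' + b'host\x00')
```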

  • Changed state: Fixed

@GoogleCodeExporter

Forgot to say...

fixed in http://code.google.com/p/impacket/source/detail?r=710

Original comment by bet...@gmail.com on 6 Sep 2012 at 3:39


@GoogleCodeExporter

Confirmed it has been fixed, thanks for the quick turnaround!

Original comment by bryanbu...@gmail.com on 6 Sep 2012 at 3:47


@GoogleCodeExporter

Great :)

Check http://code.google.com/p/impacket/source/detail?r=711, I found out what 
was wrong there too.. Now it's more compliant with [MS-SMB] and [MS-CIFS].

Cheers,
beto

Original comment by bet...@gmail.com on 6 Sep 2012 at 4:03
