
Update smb_version to output host information

Open adfoster-r7 opened this issue 1 year ago • 10 comments

Summary

When we run smb_version with Metasploit against a windows server 2016 domain controller, the output is:

[*] 192.168.123.13:445    - SMB Detected (versions:2, 3) (preferred dialect:SMB 3.1.1) (compression capabilities:) (encryption capabilities:AES-128-GCM) (signatures:required) (uptime:3m 46s) (guid:{3863d7d4-26ca-4913-8ff3-d4e27787e43d}) (authentication domain:ADF3)

This is missing the host information when SMB 1 isn't enabled, which is output by other tools such as cme:

crackmapexec smb 192.168.123.13
SMB         192.168.123.13  445    DC3              [*] Windows 10.0 Build 14393 x64 (name:DC3) (domain:adf3.local) (signing:True) (SMBv1:False)

I would have expected the Windows 10.0 Build 14393 metadata to be present.

I think the information should be extractable from the STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE response

Version 10.0 (Build 14393); NTLM Current Revision 15
    Major Version: 10
    Minor Version: 0
    Build Number: 14393
    NTLM Current Revision: 15

adfoster-r7 avatar Dec 21 '22 00:12 adfoster-r7
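As an added illustration of the parsing this issue proposes (example code written for this thread, not Metasploit's own `smb_version` or Ruby SMB code): the Ruby below decodes an NTLM CHALLENGE_MESSAGE as laid out in MS-NLMP, reads the 8-byte VERSION structure (major, minor, build, NTLM current revision) that is only meaningful when the server set NTLMSSP_NEGOTIATE_VERSION, walks the TargetInfo AV_PAIR list for the NetBIOS and DNS computer/domain names, and renders the cme-style line quoted above. The sample message is constructed inline with the values from this issue (10.0 build 14393, revision 15, ADF3 / DC3 / adf3.local); the server challenge bytes, the function names and the output format are the example's own assumptions.

```ruby
# Added example (not Metasploit's code): parse the NTLM CHALLENGE_MESSAGE
# (NTLMSSP type 2) returned alongside STATUS_MORE_PROCESSING_REQUIRED and
# extract the VERSION structure and the AV_PAIR host/domain names.
# Layout per MS-NLMP 2.2.1.2 (CHALLENGE_MESSAGE), 2.2.2.1 (AV_PAIR), 2.2.2.10 (VERSION).

NTLMSSP_SIGNATURE             = "NTLMSSP\0".b
NTLMSSP_CHALLENGE             = 2
NTLMSSP_NEGOTIATE_TARGET_INFO = 0x00800000
NTLMSSP_NEGOTIATE_VERSION     = 0x02000000

# AvId values of interest; other AV_PAIRs are skipped.
AV_IDS = {
  0x0001 => :nb_computer_name,
  0x0002 => :nb_domain_name,
  0x0003 => :dns_computer_name,
  0x0004 => :dns_domain_name
}.freeze

def utf16le_to_utf8(bytes)
  bytes.dup.force_encoding('UTF-16LE').encode('UTF-8')
end

def parse_ntlm_challenge(raw)
  msg = raw.b
  raise ArgumentError, 'too short for a CHALLENGE_MESSAGE' if msg.bytesize < 48
  raise ArgumentError, 'missing NTLMSSP signature' unless msg[0, 8] == NTLMSSP_SIGNATURE
  raise ArgumentError, 'not a CHALLENGE_MESSAGE' unless msg[8, 4].unpack1('V') == NTLMSSP_CHALLENGE

  tn_len, _tn_max, tn_off = msg[12, 8].unpack('vvV')
  flags                   = msg[20, 4].unpack1('V')
  ti_len, _ti_max, ti_off = msg[40, 8].unpack('vvV')
  if tn_off + tn_len > msg.bytesize || ti_off + ti_len > msg.bytesize
    raise ArgumentError, 'payload offset/length points outside the message'
  end

  info = { flags: flags, target_name: utf16le_to_utf8(msg[tn_off, tn_len]) }

  # VERSION (offset 48) is only present/meaningful with NTLMSSP_NEGOTIATE_VERSION.
  if (flags & NTLMSSP_NEGOTIATE_VERSION) != 0 && msg.bytesize >= 56
    major, minor, build, _r1, _r2, _r3, revision = msg[48, 8].unpack('CCvCCCC')
    info[:os_version] = { major: major, minor: minor, build: build, ntlm_revision: revision }
  end

  # Walk TargetInfo AV_PAIRs until MsvAvEOL (AvId 0) or the end of the buffer.
  if (flags & NTLMSSP_NEGOTIATE_TARGET_INFO) != 0
    pos  = ti_off
    stop = ti_off + ti_len
    while pos + 4 <= stop
      av_id, av_len = msg[pos, 4].unpack('vv')
      pos += 4
      break if av_id == 0 || pos + av_len > stop
      info[AV_IDS[av_id]] = utf16le_to_utf8(msg[pos, av_len]) if AV_IDS.key?(av_id)
      pos += av_len
    end
  end
  info
end

# Render the parsed fields in the cme-style line quoted in the issue.
def format_host_line(info)
  v  = info[:os_version]
  os = v ? "Windows #{v[:major]}.#{v[:minor]} Build #{v[:build]}" : 'Windows (version not advertised)'
  "#{os} (name:#{info[:nb_computer_name]}) (domain:#{info[:dns_domain_name]})"
end

# --- Constructed sample message (built here, not captured from a real host) --
def av_pair(id, value)
  v = value.encode('UTF-16LE').b
  [id, v.bytesize].pack('vv') + v
end

def build_sample_challenge(include_version: true)
  target_name = 'ADF3'.encode('UTF-16LE').b
  target_info = av_pair(0x0002, 'ADF3') + av_pair(0x0001, 'DC3') +
                av_pair(0x0004, 'adf3.local') + av_pair(0x0003, 'DC3.adf3.local') +
                [0, 0].pack('vv') # MsvAvEOL
  flags  = 0x00000004 | 0x00010000 | NTLMSSP_NEGOTIATE_TARGET_INFO # REQUEST_TARGET | TARGET_TYPE_DOMAIN
  flags |= NTLMSSP_NEGOTIATE_VERSION if include_version
  tn_off = 56
  ti_off = tn_off + target_name.bytesize
  msg = NTLMSSP_SIGNATURE.dup
  msg << [NTLMSSP_CHALLENGE].pack('V')
  msg << [target_name.bytesize, target_name.bytesize, tn_off].pack('vvV')
  msg << [flags].pack('V')
  msg << [0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef].pack('C*') # ServerChallenge (made up)
  msg << ("\0" * 8).b                                                # Reserved
  msg << [target_info.bytesize, target_info.bytesize, ti_off].pack('vvV')
  # VERSION: 10.0 build 14393, NTLMRevisionCurrent 15 (values quoted in the issue)
  msg << (include_version ? [10, 0, 14393, 0, 0, 0, 15].pack('CCvCCCC') : ("\0" * 8).b)
  msg << target_name << target_info
end

if __FILE__ == $PROGRAM_NAME
  puts format_host_line(parse_ntlm_challenge(build_sample_challenge))
end
```

Running the file prints `Windows 10.0 Build 14393 (name:DC3) (domain:adf3.local)`. The flag check before reading VERSION matters for the SMBv1-only case discussed later in the thread: a server that does not set NTLMSSP_NEGOTIATE_VERSION leaves those 8 bytes zeroed, and treating them as a real version is how a "Windows 6.1 Build 0" style line comes out.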

This output is somewhat ugly; maybe a table output to avoid all the () or a CSV output could help clean it up as well.

#threadhijack

h00die avatar Dec 21 '22 00:12 h00die

Agreed! 😄 I wanted to keep the issue focused, so I left out the other thoughts I had - but I might as well add them here now 😄

The compression capabilities, encryption capabilities, and preferred dialect ((preferred dialect:SMB 3.1.1) (compression capabilities:) (encryption capabilities:AES-128-GCM)) seem like details that wouldn't be useful to the average user - unless there's a cool exploit that relies on knowing that information? 👀

I also found the color highlighting a bit awkward; my eye gravitates towards the green [+] as being a newly identified host - but it's actually just additional metadata which doesn't always get shown to the user. I think that makes it hard to quickly scan for information

[screenshot attached]

adfoster-r7 avatar Dec 21 '22 00:12 adfoster-r7

Maybe those extra fields could be an optional print like verbose print vs normal?

h00die avatar Dec 21 '22 01:12 h00die

That's a good idea :+1:

Looks like the full details for Kerberos authentication aren't output either.

i.e. metasploit's output only has (authentication domain:ADF3) vs cme (name:DC3) (domain:adf3.local)

adfoster-r7 avatar Dec 21 '22 02:12 adfoster-r7

unless there's a cool exploit that relies on knowing that information?

Those were pretty useful for checking for SMBGhost when that first came out.

smcintyre-r7 avatar Jan 05 '23 20:01 smcintyre-r7

At the moment the code:

simple = connect(false, versions: versions)

Receives an array of versions, and whichever is supported will be used. (REMOVED, as this is not correct: "there is "no way" to know if SMBv1 is enabled if others are supported, as there is a fall-back option in SMB")

A setup that supports only v1 can be created using docker-compose:

version: "3"

services:
  sambav1:
    image: dperson/samba:latest
    container_name: samba
    restart: unless-stopped
    command: '-g "ntlm auth = yes" -g "server min protocol = NT1" -S -s "Files;/mnt/files;yes;yes"'
    ports:
      - 139:139
      - 445:445
    environment:
      - TZ=PST8PDT
    volumes:
      - files:/mnt/files

volumes:
  files:

nrathaus avatar Apr 24 '24 10:04 nrathaus

nmap of the target:

$ nmap -sV 172.24.0.2
Starting Nmap 7.80 ( https://nmap.org ) at 2024-04-24 13:14 IDT
Stats: 0:00:07 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 0.00% done
Nmap scan report for 172.24.0.2
Host is up (0.00018s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE     VERSION
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: MYGROUP)
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: MYGROUP)
Service Info: Host: 2EDCAC7FF253

nrathaus avatar Apr 24 '24 10:04 nrathaus

$ nmap --script "default"  172.24.0.2
Starting Nmap 7.80 ( https://nmap.org ) at 2024-04-24 13:16 IDT
Nmap scan report for 172.24.0.2
Host is up (0.00018s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2024-04-24T10:16:45
|_  start_date: N/A

Nmap done: 1 IP address (1 host up) scanned in 28.41 seconds

nrathaus avatar Apr 24 '24 10:04 nrathaus

Comparing output to CME:

$ python3 cme/crackmapexec.py  smb 172.24.0.2
SMB         172.24.0.2      445    8D00168A1AFD     [*] Windows 6.1 (name:8D00168A1AFD) (domain:) (signing:False) (SMBv1:True)

nrathaus avatar Apr 24 '24 10:04 nrathaus

Running it again with this docker-compose:

version: "3"

services:
  sambav1:
    image: dperson/samba:latest
    container_name: samba
    restart: unless-stopped
    command: '-s "Files;/mnt/files;yes;yes"'
    ports:
      - 139:139
      - 445:445
    environment:
      - TZ=PST8PDT
    volumes:
      - files:/mnt/files

volumes:
  files:

Returns:

$ python3 cme/crackmapexec.py  smb 172.24.0.2
SMB         172.24.0.2      445    15388C8549F5     [*] Windows 6.1 Build 0 (name:15388C8549F5) (domain:) (signing:False) (SMBv1:False)

nrathaus avatar Apr 24 '24 10:04 nrathaus