Disable NTLMv2 Session for Windows 2000 servers
git-svn-id: file:///home/svn/framework3/trunk@12984 4d416f70-5f16-0410-b530-b9f4589650daunstable
HD Moore
parent
846172fa1a
commit
346018c321
|
|
@ -22,7 +22,7 @@ EVADE = Rex::Proto::SMB::Evasions
|
|||
|
||||
class OpenFile
|
||||
attr_accessor :name, :tree_id, :file_id, :mode, :client, :chunk_size
|
||||
|
||||
|
||||
def initialize(client, name, tree_id, file_id)
|
||||
self.client = client
|
||||
self.name = name
|
||||
|
|
@ -30,7 +30,7 @@ EVADE = Rex::Proto::SMB::Evasions
|
|||
self.file_id = file_id
|
||||
self.chunk_size = 48000
|
||||
end
|
||||
|
||||
|
||||
def delete
|
||||
begin
|
||||
self.close
|
||||
|
|
@ -38,14 +38,14 @@ EVADE = Rex::Proto::SMB::Evasions
|
|||
end
|
||||
self.client.delete(self.name, self.tree_id)
|
||||
end
|
||||
|
||||
|
||||
# Close this open file
|
||||
def close
|
||||
self.client.close(self.file_id, self.tree_id)
|
||||
end
|
||||
|
||||
|
||||
# Read data from the file
|
||||
def read(length = nil, offset = 0)
|
||||
def read(length = nil, offset = 0)
|
||||
if (length == nil)
|
||||
data = ''
|
||||
fptr = offset
|
||||
|
|
@ -60,11 +60,11 @@ EVADE = Rex::Proto::SMB::Evasions
|
|||
break
|
||||
end
|
||||
fptr += ok['Payload'].v['DataLenLow']
|
||||
|
||||
|
||||
begin
|
||||
ok = self.client.read(self.file_id, fptr, self.chunk_size)
|
||||
rescue XCEPT::ErrorCode => e
|
||||
case e.error_code
|
||||
case e.error_code
|
||||
when 0x00050001
|
||||
# Novell fires off an access denied error on EOF
|
||||
ok = nil
|
||||
|
|
@ -90,49 +90,49 @@ EVADE = Rex::Proto::SMB::Evasions
|
|||
end
|
||||
|
||||
# Write data to the file
|
||||
def write(data, offset = 0)
|
||||
def write(data, offset = 0)
|
||||
# Track our offset into the remote file
|
||||
fptr = offset
|
||||
|
||||
|
||||
# Duplicate the data so we can use slice!
|
||||
data = data.dup
|
||||
|
||||
|
||||
# Take our first chunk of bytes
|
||||
chunk = data.slice!(0, self.chunk_size)
|
||||
|
||||
|
||||
# Keep writing data until we run out
|
||||
while (chunk.length > 0)
|
||||
ok = self.client.write(self.file_id, fptr, chunk)
|
||||
cl = ok['Payload'].v['CountLow']
|
||||
|
||||
|
||||
# Partial write, push the failed data back into the queue
|
||||
if (cl != chunk.length)
|
||||
data = chunk.slice(cl - 1, chunk.length - cl) + data
|
||||
end
|
||||
|
||||
|
||||
# Increment our painter and grab the next chunk
|
||||
fptr += cl
|
||||
chunk = data.slice!(0, self.chunk_size)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
class OpenPipe < OpenFile
|
||||
|
||||
|
||||
# Valid modes are: 'trans' and 'rw'
|
||||
attr_accessor :mode
|
||||
|
||||
|
||||
def initialize(*args)
|
||||
super(*args)
|
||||
self.mode = 'rw'
|
||||
@buff = ''
|
||||
end
|
||||
|
||||
|
||||
def read_buffer(length, offset=0)
|
||||
length ||= @buff.length
|
||||
@buff.slice!(0, length)
|
||||
end
|
||||
|
||||
|
||||
def read(length = nil, offset = 0)
|
||||
case self.mode
|
||||
when 'trans'
|
||||
|
|
@ -143,10 +143,10 @@ EVADE = Rex::Proto::SMB::Evasions
|
|||
raise ArgumentError
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
def write(data, offset = 0)
|
||||
case self.mode
|
||||
|
||||
|
||||
when 'trans'
|
||||
write_trans(data, offset)
|
||||
when 'rw'
|
||||
|
|
@ -155,7 +155,7 @@ EVADE = Rex::Proto::SMB::Evasions
|
|||
raise ArgumentError
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
def write_trans(data, offset=0)
|
||||
ack = self.client.trans_named_pipe(self.file_id, data)
|
||||
doff = ack['Payload'].v['DataOffset']
|
||||
|
|
@ -163,7 +163,7 @@ EVADE = Rex::Proto::SMB::Evasions
|
|||
@buff << ack.to_s[4+doff, dlen]
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
|
||||
# Public accessors
|
||||
attr_accessor :last_error
|
||||
|
|
@ -178,26 +178,33 @@ attr_accessor :socket, :client, :direct, :shares, :last_share
|
|||
self.client = Rex::Proto::SMB::Client.new(socket)
|
||||
self.shares = { }
|
||||
end
|
||||
|
||||
|
||||
def login( name = '', user = '', pass = '', domain = '',
|
||||
verify_signature = false, usentlmv2 = false, usentlm2_session = true,
|
||||
verify_signature = false, usentlmv2 = false, usentlm2_session = true,
|
||||
send_lm = true, use_lanman_key = false, send_ntlm = true,
|
||||
native_os = 'Windows 2000 2195', native_lm = 'Windows 2000 5.0', spnopt = {})
|
||||
|
||||
begin
|
||||
|
||||
|
||||
if (self.direct != true)
|
||||
self.client.session_request(name)
|
||||
end
|
||||
self.client.native_os = native_os
|
||||
self.client.native_os = native_os
|
||||
self.client.native_lm = native_lm
|
||||
self.client.verify_signature = verify_signature
|
||||
self.client.use_ntlmv2 = usentlmv2
|
||||
self.client.usentlm2_session = usentlm2_session
|
||||
self.client.send_lm = send_lm
|
||||
self.client.use_lanman_key = use_lanman_key
|
||||
self.client.send_ntlm = send_ntlm
|
||||
self.client.send_ntlm = send_ntlm
|
||||
|
||||
self.client.negotiate
|
||||
|
||||
# Disable NTLMv2 Session for Windows 2000 (breaks authentication)
|
||||
if self.client.native_lm =~ /Windows 2000 5\.0/ and usentlm2_session
|
||||
self.client.usentlm2_session = false
|
||||
end
|
||||
|
||||
self.client.spnopt = spnopt
|
||||
|
||||
ok = self.client.session_setup(user, pass, domain)
|
||||
|
|
@ -212,7 +219,7 @@ attr_accessor :socket, :client, :direct, :shares, :last_share
|
|||
end
|
||||
raise n
|
||||
end
|
||||
|
||||
|
||||
return true
|
||||
end
|
||||
|
||||
|
|
@ -220,11 +227,11 @@ attr_accessor :socket, :client, :direct, :shares, :last_share
|
|||
def login_split_start_ntlm1(name = '')
|
||||
|
||||
begin
|
||||
|
||||
|
||||
if (self.direct != true)
|
||||
self.client.session_request(name)
|
||||
end
|
||||
|
||||
|
||||
# Disable extended security
|
||||
self.client.negotiate(false)
|
||||
rescue ::Interrupt
|
||||
|
|
@ -238,11 +245,11 @@ attr_accessor :socket, :client, :direct, :shares, :last_share
|
|||
end
|
||||
raise n
|
||||
end
|
||||
|
||||
|
||||
return true
|
||||
end
|
||||
|
||||
|
||||
|
||||
|
||||
def login_split_next_ntlm1(user, domain, hash_lm, hash_nt)
|
||||
begin
|
||||
ok = self.client.session_setup_no_ntlmssp_prehash(user, domain, hash_lm, hash_nt)
|
||||
|
|
@ -257,34 +264,34 @@ attr_accessor :socket, :client, :direct, :shares, :last_share
|
|||
end
|
||||
raise n
|
||||
end
|
||||
|
||||
return true
|
||||
|
||||
return true
|
||||
end
|
||||
|
||||
|
||||
def connect(share)
|
||||
ok = self.client.tree_connect(share)
|
||||
tree_id = ok['Payload']['SMB'].v['TreeID']
|
||||
self.shares[share] = tree_id
|
||||
self.last_share = share
|
||||
end
|
||||
|
||||
|
||||
def disconnect(share)
|
||||
ok = self.client.tree_disconnect(self.shares[share])
|
||||
self.shares.delete(share)
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
def open(path, perm, chunk_size = 48000)
|
||||
|
||||
def open(path, perm, chunk_size = 48000)
|
||||
mode = UTILS.open_mode_to_mode(perm)
|
||||
access = UTILS.open_mode_to_access(perm)
|
||||
|
||||
|
||||
ok = self.client.open(path, mode, access)
|
||||
file_id = ok['Payload'].v['FileID']
|
||||
fh = OpenFile.new(self.client, path, self.client.last_tree_id, file_id)
|
||||
fh.chunk_size = chunk_size
|
||||
fh
|
||||
end
|
||||
|
||||
|
||||
def delete(*args)
|
||||
self.client.delete(*args)
|
||||
end
|
||||
|
|
@ -292,15 +299,16 @@ attr_accessor :socket, :client, :direct, :shares, :last_share
|
|||
def create_pipe(path, perm = 'c')
|
||||
disposition = UTILS.create_mode_to_disposition(perm)
|
||||
ok = self.client.create_pipe(path, disposition)
|
||||
file_id = ok['Payload'].v['FileID']
|
||||
file_id = ok['Payload'].v['FileID']
|
||||
fh = OpenPipe.new(self.client, path, self.client.last_tree_id, file_id)
|
||||
end
|
||||
|
||||
def trans_pipe(fid, data, no_response = nil)
|
||||
client.trans_named_pipe(fid, data, no_response)
|
||||
end
|
||||
|
||||
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
|
|
|
|||
|
|
@ -31,8 +31,6 @@ class Metasploit3 < Msf::Post
|
|||
end
|
||||
|
||||
def run
|
||||
print_status(datastore.inspect)
|
||||
|
||||
case session.type
|
||||
when "shell"
|
||||
get_env_shell
|
||||
|
|
|
|||
Loading…
Reference in New Issue