infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Large refactor of code, plenty of bugs to iron out

unstable
Meatballs1 2012-07-22 03:55:08 +01:00
parent f9995665dc
commit 3c5651c654
3 changed files with 1214 additions and 1266 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1602
lib/msf/core/exploit/smb.rb
View File

File diff suppressed because it is too large Load Diff

636
lib/rex/proto/smb/simpleclient.rb
View File

@ -1,317 +1,319 @@
# -*- coding: binary -*-
module Rex
module Proto
module SMB
class SimpleClient
require 'rex/text'
require 'rex/struct2'
require 'rex/proto/smb/constants'
require 'rex/proto/smb/exceptions'
require 'rex/proto/smb/evasions'
require 'rex/proto/smb/crypt'
require 'rex/proto/smb/utils'
require 'rex/proto/smb/client'
# Some short-hand class aliases
CONST = Rex::Proto::SMB::Constants
CRYPT = Rex::Proto::SMB::Crypt
UTILS = Rex::Proto::SMB::Utils
XCEPT = Rex::Proto::SMB::Exceptions
EVADE = Rex::Proto::SMB::Evasions
class OpenFile
attr_accessor :name, :tree_id, :file_id, :mode, :client, :chunk_size
def initialize(client, name, tree_id, file_id)
self.client = client
self.name = name
self.tree_id = tree_id
self.file_id = file_id
self.chunk_size = 48000
end
def delete
begin
self.close
rescue
end
self.client.delete(self.name, self.tree_id)
end
# Close this open file
def close
self.client.close(self.file_id, self.tree_id)
end
# Read data from the file
def read(length = nil, offset = 0)
if (length == nil)
data = ''
fptr = offset
ok = self.client.read(self.file_id, fptr, self.chunk_size)
while (ok and ok['Payload'].v['DataLenLow'] > 0)
buff = ok.to_s.slice(
ok['Payload'].v['DataOffset'] + 4,
ok['Payload'].v['DataLenLow']
)
data << buff
if ok['Payload'].v['Remaining'] == 0
break
end
fptr += ok['Payload'].v['DataLenLow']
begin
ok = self.client.read(self.file_id, fptr, self.chunk_size)
rescue XCEPT::ErrorCode => e
case e.error_code
when 0x00050001
# Novell fires off an access denied error on EOF
ok = nil
else
raise e
end
end
end
return data
else
ok = self.client.read(self.file_id, offset, length)
data = ok.to_s.slice(
ok['Payload'].v['DataOffset'] + 4,
ok['Payload'].v['DataLenLow']
)
return data
end
end
def << (data)
self.write(data)
end
# Write data to the file
def write(data, offset = 0)
# Track our offset into the remote file
fptr = offset
# Duplicate the data so we can use slice!
data = data.dup
# Take our first chunk of bytes
chunk = data.slice!(0, self.chunk_size)
# Keep writing data until we run out
while (chunk.length > 0)
ok = self.client.write(self.file_id, fptr, chunk)
cl = ok['Payload'].v['CountLow']
# Partial write, push the failed data back into the queue
if (cl != chunk.length)
data = chunk.slice(cl - 1, chunk.length - cl) + data
end
# Increment our painter and grab the next chunk
fptr += cl
chunk = data.slice!(0, self.chunk_size)
end
end
end
class OpenPipe < OpenFile
# Valid modes are: 'trans' and 'rw'
attr_accessor :mode
def initialize(*args)
super(*args)
self.mode = 'rw'
@buff = ''
end
def read_buffer(length, offset=0)
length ||= @buff.length
@buff.slice!(0, length)
end
def read(length = nil, offset = 0)
case self.mode
when 'trans'
read_buffer(length, offset)
when 'rw'
super(length, offset)
else
raise ArgumentError
end
end
def write(data, offset = 0)
case self.mode
when 'trans'
write_trans(data, offset)
when 'rw'
super(data, offset)
else
raise ArgumentError
end
end
def write_trans(data, offset=0)
ack = self.client.trans_named_pipe(self.file_id, data)
doff = ack['Payload'].v['DataOffset']
dlen = ack['Payload'].v['DataCount']
@buff << ack.to_s[4+doff, dlen]
end
end
# Public accessors
attr_accessor :last_error
# Private accessors
attr_accessor :socket, :client, :direct, :shares, :last_share
# Pass the socket object and a boolean indicating whether the socket is netbios or cifs
def initialize(socket, direct = false)
self.socket = socket
self.direct = direct
self.client = Rex::Proto::SMB::Client.new(socket)
self.shares = { }
end
def login( name = '', user = '', pass = '', domain = '',
verify_signature = false, usentlmv2 = false, usentlm2_session = true,
send_lm = true, use_lanman_key = false, send_ntlm = true,
native_os = 'Windows 2000 2195', native_lm = 'Windows 2000 5.0', spnopt = {})
begin
if (self.direct != true)
self.client.session_request(name)
end
self.client.native_os = native_os
self.client.native_lm = native_lm
self.client.verify_signature = verify_signature
self.client.use_ntlmv2 = usentlmv2
self.client.usentlm2_session = usentlm2_session
self.client.send_lm = send_lm
self.client.use_lanman_key = use_lanman_key
self.client.send_ntlm = send_ntlm
self.client.negotiate
# Disable NTLMv2 Session for Windows 2000 (breaks authentication on some systems)
# XXX: This in turn breaks SMB auth for Windows 2000 configured to enforce NTLMv2
# XXX: Tracked by ticket #4785#4785
if self.client.native_lm =~ /Windows 2000 5\.0/ and usentlm2_session
# self.client.usentlm2_session = false
end
self.client.spnopt = spnopt
ok = self.client.session_setup(user, pass, domain)
rescue ::Interrupt
raise $!
rescue ::Exception => e
n = XCEPT::LoginError.new
n.source = e
if(e.respond_to?('error_code'))
n.error_code = e.error_code
n.error_reason = e.get_error(e.error_code)
end
raise n
end
return true
end
def login_split_start_ntlm1(name = '')
begin
if (self.direct != true)
self.client.session_request(name)
end
# Disable extended security
self.client.negotiate(false)
rescue ::Interrupt
raise $!
rescue ::Exception => e
n = XCEPT::LoginError.new
n.source = e
if(e.respond_to?('error_code'))
n.error_code = e.error_code
n.error_reason = e.get_error(e.error_code)
end
raise n
end
return true
end
def login_split_next_ntlm1(user, domain, hash_lm, hash_nt)
begin
ok = self.client.session_setup_no_ntlmssp_prehash(user, domain, hash_lm, hash_nt)
rescue ::Interrupt
raise $!
rescue ::Exception => e
n = XCEPT::LoginError.new
n.source = e
if(e.respond_to?('error_code'))
n.error_code = e.error_code
n.error_reason = e.get_error(e.error_code)
end
raise n
end
return true
end
def connect(share)
ok = self.client.tree_connect(share)
tree_id = ok['Payload']['SMB'].v['TreeID']
self.shares[share] = tree_id
self.last_share = share
end
def disconnect(share)
ok = self.client.tree_disconnect(self.shares[share])
self.shares.delete(share)
end
def open(path, perm, chunk_size = 48000)
mode = UTILS.open_mode_to_mode(perm)
access = UTILS.open_mode_to_access(perm)
ok = self.client.open(path, mode, access)
file_id = ok['Payload'].v['FileID']
fh = OpenFile.new(self.client, path, self.client.last_tree_id, file_id)
fh.chunk_size = chunk_size
fh
end
def delete(*args)
self.client.delete(*args)
end
def create_pipe(path, perm = 'c')
disposition = UTILS.create_mode_to_disposition(perm)
ok = self.client.create_pipe(path, disposition)
file_id = ok['Payload'].v['FileID']
fh = OpenPipe.new(self.client, path, self.client.last_tree_id, file_id)
end
def trans_pipe(fid, data, no_response = nil)
client.trans_named_pipe(fid, data, no_response)
end
end
end
end
end
# -*- coding: binary -*-
module Rex
module Proto
module SMB
class SimpleClient
require 'rex/text'
require 'rex/struct2'
require 'rex/proto/smb/constants'
require 'rex/proto/smb/exceptions'
require 'rex/proto/smb/evasions'
require 'rex/proto/smb/crypt'
require 'rex/proto/smb/utils'
require 'rex/proto/smb/client'
# Some short-hand class aliases
CONST = Rex::Proto::SMB::Constants
CRYPT = Rex::Proto::SMB::Crypt
UTILS = Rex::Proto::SMB::Utils
XCEPT = Rex::Proto::SMB::Exceptions
EVADE = Rex::Proto::SMB::Evasions
class OpenFile
attr_accessor :name, :tree_id, :file_id, :mode, :client, :chunk_size
def initialize(client, name, tree_id, file_id)
self.client = client
self.name = name
self.tree_id = tree_id
self.file_id = file_id
self.chunk_size = 48000
end
def delete
begin
self.close
rescue
end
self.client.delete(self.name, self.tree_id)
end
# Close this open file
def close
self.client.close(self.file_id, self.tree_id)
end
# Read data from the file
def read(length = nil, offset = 0)
if (length == nil)
data = ''
fptr = offset
ok = self.client.read(self.file_id, fptr, self.chunk_size)
while (ok and ok['Payload'].v['DataLenLow'] > 0)
buff = ok.to_s.slice(
ok['Payload'].v['DataOffset'] + 4,
ok['Payload'].v['DataLenLow']
)
data << buff
if ok['Payload'].v['Remaining'] == 0
break
end
fptr += ok['Payload'].v['DataLenLow']
begin
ok = self.client.read(self.file_id, fptr, self.chunk_size)
rescue XCEPT::ErrorCode => e
case e.error_code
when 0x00050001
# Novell fires off an access denied error on EOF
ok = nil
else
raise e
end
end
end
return data
else
ok = self.client.read(self.file_id, offset, length)
data = ok.to_s.slice(
ok['Payload'].v['DataOffset'] + 4,
ok['Payload'].v['DataLenLow']
)
return data
end
end
def << (data)
self.write(data)
end
# Write data to the file
def write(data, offset = 0)
# Track our offset into the remote file
fptr = offset
# Duplicate the data so we can use slice!
data = data.dup
# Take our first chunk of bytes
chunk = data.slice!(0, self.chunk_size)
# Keep writing data until we run out
while (chunk.length > 0)
ok = self.client.write(self.file_id, fptr, chunk)
cl = ok['Payload'].v['CountLow']
# Partial write, push the failed data back into the queue
if (cl != chunk.length)
data = chunk.slice(cl - 1, chunk.length - cl) + data
end
# Increment our painter and grab the next chunk
fptr += cl
chunk = data.slice!(0, self.chunk_size)
end
end
end
class OpenPipe < OpenFile
# Valid modes are: 'trans' and 'rw'
attr_accessor :mode
def initialize(*args)
super(*args)
self.mode = 'rw'
@buff = ''
end
def read_buffer(length, offset=0)
length ||= @buff.length
@buff.slice!(0, length)
end
def read(length = nil, offset = 0)
case self.mode
when 'trans'
read_buffer(length, offset)
when 'rw'
super(length, offset)
else
raise ArgumentError
end
end
def write(data, offset = 0)
case self.mode
when 'trans'
write_trans(data, offset)
when 'rw'
super(data, offset)
else
raise ArgumentError
end
end
def write_trans(data, offset=0)
ack = self.client.trans_named_pipe(self.file_id, data)
doff = ack['Payload'].v['DataOffset']
dlen = ack['Payload'].v['DataCount']
@buff << ack.to_s[4+doff, dlen]
end
end
# Public accessors
attr_accessor :last_error
# Private accessors
attr_accessor :socket, :client, :direct, :shares, :last_share
# Pass the socket object and a boolean indicating whether the socket is netbios or cifs
def initialize(socket, direct = false)
self.socket = socket
self.direct = direct
self.client = Rex::Proto::SMB::Client.new(socket)
self.shares = { }
end
def login( name = '', user = '', pass = '', domain = '',
verify_signature = false, usentlmv2 = false, usentlm2_session = true,
send_lm = true, use_lanman_key = false, send_ntlm = true,
native_os = 'Windows 2000 2195', native_lm = 'Windows 2000 5.0', spnopt = {})
begin
if (self.direct != true)
self.client.session_request(name)
end
self.client.native_os = native_os
self.client.native_lm = native_lm
self.client.verify_signature = verify_signature
self.client.use_ntlmv2 = usentlmv2
self.client.usentlm2_session = usentlm2_session
self.client.send_lm = send_lm
self.client.use_lanman_key = use_lanman_key
self.client.send_ntlm = send_ntlm
self.client.negotiate
# Disable NTLMv2 Session for Windows 2000 (breaks authentication on some systems)
# XXX: This in turn breaks SMB auth for Windows 2000 configured to enforce NTLMv2
# XXX: Tracked by ticket #4785#4785
if self.client.native_lm =~ /Windows 2000 5\.0/ and usentlm2_session
# self.client.usentlm2_session = false
end
self.client.spnopt = spnopt
if self.client.session_setup(user, pass, domain)['Payload']['SMB'].v['ErrorClass'] == 0
return "STATUS_SUCCESS"
end
rescue ::Interrupt
raise $!
rescue ::Exception => e
n = XCEPT::LoginError.new
n.source = e
if(e.respond_to?('error_code'))
n.error_code = e.error_code
n.error_reason = e.get_error(e.error_code)
end
end
return true
end
def login_split_start_ntlm1(name = '')
begin
if (self.direct != true)
self.client.session_request(name)
end
# Disable extended security
self.client.negotiate(false)
rescue ::Interrupt
raise $!
rescue ::Exception => e
n = XCEPT::LoginError.new
n.source = e
if(e.respond_to?('error_code'))
n.error_code = e.error_code
n.error_reason = e.get_error(e.error_code)
end
raise n
end
return true
end
def login_split_next_ntlm1(user, domain, hash_lm, hash_nt)
begin
ok = self.client.session_setup_no_ntlmssp_prehash(user, domain, hash_lm, hash_nt)
rescue ::Interrupt
raise $!
rescue ::Exception => e
n = XCEPT::LoginError.new
n.source = e
if(e.respond_to?('error_code'))
n.error_code = e.error_code
n.error_reason = e.get_error(e.error_code)
end
raise n
end
return true
end
def connect(share)
ok = self.client.tree_connect(share)
tree_id = ok['Payload']['SMB'].v['TreeID']
self.shares[share] = tree_id
self.last_share = share
end
def disconnect(share)
ok = self.client.tree_disconnect(self.shares[share])
self.shares.delete(share)
end
def open(path, perm, chunk_size = 48000)
mode = UTILS.open_mode_to_mode(perm)
access = UTILS.open_mode_to_access(perm)
ok = self.client.open(path, mode, access)
file_id = ok['Payload'].v['FileID']
fh = OpenFile.new(self.client, path, self.client.last_tree_id, file_id)
fh.chunk_size = chunk_size
fh
end
def delete(*args)
self.client.delete(*args)
end
def create_pipe(path, perm = 'c')
disposition = UTILS.create_mode_to_disposition(perm)
ok = self.client.create_pipe(path, disposition)
file_id = ok['Payload'].v['FileID']
fh = OpenPipe.new(self.client, path, self.client.last_tree_id, file_id)
end
def trans_pipe(fid, data, no_response = nil)
client.trans_named_pipe(fid, data, no_response)
end
end
end
end
end

242
modules/auxiliary/scanner/smb/smb_login.rb
View File

@ -35,7 +35,8 @@ class Metasploit3 < Msf::Auxiliary
'Author' => 'tebo <tebo [at] attackresearch [dot] com>',
'References' =>
[
[ 'CVE', '1999-0506'] # Weak password
[ 'CVE', '1999-0506'], # Weak password
['URL', 'http://msdn.microsoft.com/en-us/library/cc704588(v=prot.10).aspx'] #SMB Login Status Codes
],
'License' => MSF_LICENSE
)
@ -43,6 +44,13 @@ class Metasploit3 < Msf::Auxiliary
@accepts_bogus_domains = []
@accepts_guest_logins = {}
@correct_credentials_status_codes = ["STATUS_INVALID_LOGON_HOURS",
"STATUS_ACCOUNT_LOCKED_OUT",
"STATUS_ACCOUNT_RESTRICTION",
"STATUS_ACCOUNT_EXPIRED",
"STATUS_ACCOUNT_DISABLED",
"STATUS_PASSWORD_EXPIRED",
"STATUS_PASSWORD_MUST_CHANGE"]
# These are normally advanced options, but for this module they have a
# more active role, so make them regular options.
@ -54,6 +62,7 @@ class Metasploit3 < Msf::Auxiliary
OptBool.new('PRESERVE_DOMAINS', [ false, "Respect a username that contains a domain name.", true]),
OptBool.new('RECORD_GUEST', [ false, "Record guest-privileged random logins to the database", false]),
], self.class)
end
def run_host(ip)
@ -66,7 +75,7 @@ class Metasploit3 < Msf::Auxiliary
begin
if accepts_guest_logins?
print_error("#{ip} - This system allows guest sessions with any credentials, these instances will not be reported.")
print_status("#{ip} - This system allows guest sessions with any credentials, these instances will not be reported.")
end
end unless datastore['RECORD_GUEST']
@ -76,40 +85,39 @@ class Metasploit3 < Msf::Auxiliary
begin
each_user_pass do |user, pass|
result = try_user_pass(user, pass)
if result == :next_user
unless user == user.downcase
result = try_user_pass(user.downcase, pass)
if result == :next_user
print_status("Username is case insensitive")
user = user.downcase
end
end
report_creds(user,pass) if @accepts_guest_logins.select{ |g_host, g_creds| g_host == ip and g_creds == [user,pass] }.empty?
end
end
rescue ::Rex::ConnectionError
nil
end
end
def accepts_guest_logins?
guest = false
orig_user,orig_pass = datastore['SMBUser'],datastore['SMBPass']
datastore["SMBUser"] = Rex::Text.rand_text_alpha(8)
datastore["SMBPass"] = Rex::Text.rand_text_alpha(8)
# Connection problems are dealt with at a higher level
def check_login_status(domain, user, pass)
connect()
status_code = ""
begin
smb_login()
status_code = smb_login({:smbdomain => domain, :smbuser => user, :smbpass => pass})
rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e
status_code = e.get_error(e.error_code)
rescue ::Rex::Proto::SMB::Exceptions::LoginError => e
status_code = e.error_reason
ensure
disconnect()
end
return status_code
end
# No idea how this is different to accepts_bogus_logins?
def accepts_guest_logins?
guest = false
user = Rex::Text.rand_text_alpha(8)
pass = Rex::Text.rand_text_alpha(8)
check_login_status(datastore['SMBDomain'], user, pass) # This is better method than checking auth_user? == "STATUS_SUCCESS"
begin
guest = true
@accepts_guest_logins['rhost'] ||=[] unless @accepts_guest_logins.include?(rhost)
@accepts_guest_logins['rhost'] ||=[] unless @accepts_guest_logins.include?(rhost) #'rhost' should be rhost?
report_note(
:host => rhost,
:proto => 'tcp',
@ -119,50 +127,29 @@ class Metasploit3 < Msf::Auxiliary
:data => 'accepts guest login from any account',
:update => :unique_data
)
end unless(simple.client.auth_user)
disconnect()
datastore['SMBUser'],datastore['SMBPass'] = orig_user,orig_pass
end unless(simple.client.auth_user)
#simple.client.auth_user == 'guest'?
return guest
end
def accepts_bogus_logins?
orig_user,orig_pass = datastore['SMBUser'],datastore['SMBPass']
datastore["SMBUser"] = Rex::Text.rand_text_alpha(8)
datastore["SMBPass"] = Rex::Text.rand_text_alpha(8)
# Connection problems are dealt with at a higher level
connect()
begin
smb_login()
rescue ::Rex::Proto::SMB::Exceptions::LoginError => e
end
disconnect()
datastore['SMBUser'],datastore['SMBPass'] = orig_user,orig_pass
return simple.client.auth_user ? true : false
user = Rex::Text.rand_text_alpha(8)
pass = Rex::Text.rand_text_alpha(8)
return check_login_status(datastore['SMBDomain'], user, pass) == "STATUS_SUCCESS"
#simple.client.auth_user == user?
end
def accepts_bogus_domains?(addr)
if @accepts_bogus_domains.include? addr
return true
end
orig_domain = datastore['SMBDomain']
datastore['SMBDomain'] = Rex::Text.rand_text_alpha(8)
domain = Rex::Text.rand_text_alpha(8)
connect()
begin
smb_login()
rescue ::Rex::Proto::SMB::Exceptions::LoginError => e
end
disconnect()
datastore['SMBDomain'] = orig_domain
status = check_login_status(domain, datastore['SMBUser'], datastore['SMBPass'])
if simple.client.auth_user
if status == "STATUS_SUCCESS"
@accepts_bogus_domains << addr
return true
else
@ -171,128 +158,72 @@ class Metasploit3 < Msf::Auxiliary
end
def try_user_pass(user, pass)
# The SMB mixins require the datastores "SMBUser" and
# "SMBPass" to be populated.
datastore["SMBPass"] = pass
orig_domain = datastore["SMBDomain"]
print_status datastore["SMBDomain"]
# Note that unless PRESERVE_DOMAINS is true, we're more
# than happy to pass illegal usernames that contain
# slashes.
if datastore["PRESERVE_DOMAINS"]
d,u = domain_username_split(user)
datastore["SMBUser"] = u.to_s.gsub(/<BLANK>/i,"")
datastore["SMBDomain"] = d if d
user = u.to_s.gsub(/<BLANK>/i,"")
domain = d if d
else
datastore["SMBUser"] = user.to_s.gsub(/<BLANK>/i,"")
user = user.to_s.gsub(/<BLANK>/i,"")
domain = datastore['SMBDomain']
end
status = check_login_status(domain, user, pass)
# Connection problems are dealt with at a higher level
connect()
begin
smb_login()
rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e
if e.get_error(e.error_code) == "STATUS_ACCESS_DENIED"
print_error("#{smbhost} - FAILED LOGIN (#{smb_peer_os}) #{splitname(user)} : #{pass} (#{e.get_error(e.error_code)})")
disconnect()
datastore["SMBDomain"] = orig_domain
return :skip_user
case status
when 'STATUS_SUCCESS'
unless user == user.downcase
lower_status = check_login_status(domain, user.downcase, pass)
if lower_status == 'STATUS_SUCCESS'
print_status("Username is case insensitive")
user = user.downcase
end
end
if(simple.client.auth_user)
print_status("Auth-User: #{simple.client.auth_user.inspect}")
print_good("#{smbhost} - SUCCESSFUL LOGIN (#{smb_peer_os}) '#{user}' : '#{pass}'")
else
raise e
print_status("#{rhost} - GUEST LOGIN (#{smb_peer_os}) #{user} : #{pass}") # Why rhost not smbhost?
@accepts_guest_logins[rhost] = [user, pass] unless datastore['RECORD_GUEST']
end
rescue ::Rex::Proto::SMB::Exceptions::LoginError => e
case e.error_reason
when 'STATUS_LOGON_FAILURE', 'STATUS_ACCESS_DENIED'
# Nothing interesting
vprint_error("#{smbhost} - FAILED LOGIN (#{smb_peer_os}) #{splitname(user)} : #{pass} (#{e.error_reason})")
disconnect()
datastore["SMBDomain"] = orig_domain
return
when 'STATUS_ACCOUNT_DISABLED'
report_note(
:host => rhost,
:proto => 'tcp',
:sname => 'smb',
:port => datastore['RPORT'],
:type => 'smb.account.info',
:data => {:user => user, :status => "disabled"},
:update => :unique_data
)
when 'STATUS_PASSWORD_EXPIRED'
report_note(
:host => rhost,
:proto => 'tcp',
:sname => 'smb',
:port => datastore['RPORT'],
:type => 'smb.account.info',
:data => {:user => user, :status => "expired password"},
:update => :unique_data
)
when 'STATUS_ACCOUNT_LOCKED_OUT'
report_note(
:host => rhost,
:proto => 'tcp',
:sname => 'smb',
:port => datastore['RPORT'],
:type => 'smb.account.info',
:data => {:user => user, :status => "locked out"},
:update => :unique_data
)
end
print_error("#{smbhost} - FAILED LOGIN (#{smb_peer_os}) #{splitname(user)} : #{pass} (#{e.error_reason})")
disconnect()
datastore["SMBDomain"] = orig_domain
return :skip_user # These reasons are sufficient to stop trying.
end
if(simple.client.auth_user)
print_status("Auth-User: #{simple.client.auth_user.inspect}")
print_good("#{smbhost} - SUCCESSFUL LOGIN (#{smb_peer_os}) '#{splitname(user)}' : '#{pass}'")
# SHould this check RECORD GUEST?
report_creds(domain,user,pass) if @accepts_guest_logins.select{ |g_host, g_creds| g_host == rhost and g_creds == [user,pass] }.empty?
when 'STATUS_LOGON_FAILURE', 'STATUS_ACCESS_DENIED'
vprint_error("#{smbhost} - FAILED LOGIN (#{smb_peer_os}) #{splitname(user)} : #{pass} (#{status})")
# These status only return if the correct login details are supplied
when *@correct_credentials_status_codes # not sure what @ is? static var?
note_creds(domain,user,pass,status)
print_good("#{smbhost} - FAILED LOGIN (#{smb_peer_os}) #{splitname(user)} : #{pass} (#{status})")
else
print_status("#{rhost} - GUEST LOGIN (#{smb_peer_os}) #{splitname(user)} : #{pass}")
@accepts_guest_logins[rhost] = [user, pass] unless datastore['RECORD_GUEST']
print_error("#{smbhost} - FAILED LOGIN (#{smb_peer_os}) #{splitname(user)} : #{pass} (#{status})")
end
disconnect()
# If we get here then we've found the password for this user, move on
# to the next one.
datastore["SMBDomain"] = orig_domain
return :next_user
end
def note_creds(domain,user,pass,reason)
report_note(
:host => rhost,
:proto => 'tcp',
:sname => 'smb',
:port => datastore['RPORT'],
:type => 'smb.account.info',
:data => {:user => user, :pass => pass, :status => reason},
:update => :unique_data
)
end
def report_creds(user,pass)
def report_creds(domain,user,pass)
report_hash = {
:host => rhost,
:port => datastore['RPORT'],
:sname => 'smb',
:user => user,
:pass => pass,
:source_type => "user_supplied",
:active => true
}
if accepts_bogus_domains? rhost
if datastore["PRESERVE_DOMAINS"]
d,u = domain_username_split(user)
report_hash[:user] = u
else
report_hash[:user] = "#{datastore["SMBUser"]}"
end
else
if datastore["PRESERVE_DOMAINS"]
d,u = domain_username_split(user)
report_hash[:user] = "#{datastore["SMBDomain"]}/#{u}"
else
report_hash[:user] = "#{datastore["SMBDomain"]}/#{datastore["SMBUser"]}"
end
end
if pass =~ /[0-9a-fA-F]{32}:[0-9a-fA-F]{32}/
report_hash.merge!({:type => 'smb_hash'})
@ -301,5 +232,4 @@ class Metasploit3 < Msf::Auxiliary
end
report_auth_info(report_hash)
end
end