infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Check for accessible named pipe on vuln targets 

```
msf5 auxiliary(scanner/smb/smb_ms17_010) > run

[+] 192.168.0.2:445       - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.0.2:445       - Checking for accessible named pipes
[+] 192.168.0.2:445       - Found accessible named pipe: netlogon
[+] 192.168.0.2:445       - Found accessible named pipe: lsarpc
[+] 192.168.0.2:445       - Found accessible named pipe: samr
[+] 192.168.0.2:445       - Found accessible named pipe: browser
[+] 192.168.0.2:445       - Found accessible named pipe: atsvc
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
GSoC/Meterpreter_Web_Console
Auxilus 2018-02-24 03:20:34 +05:30 committed by GitHub
parent 2e568aa660
commit 9bae6246b2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 37 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
modules/auxiliary/scanner/smb/smb_ms17_010.rb
View File

@ -90,6 +90,43 @@ class MetasploitModule < Msf::Auxiliary
end end
print_good("Host is likely VULNERABLE to MS17-010! - #{os}") print_good("Host is likely VULNERABLE to MS17-010! - #{os}")
# Detect accessible named pipes
print_status("Checking for accessible named pipes")
target_pipes = [
'netlogon',
'lsarpc',
'samr',
'browser',
'atsvc',
'DAV RPC SERVICE',
'epmapper',
'eventlog',
'InitShutdown',
'keysvc',
'lsass',
'LSM_API_service',
'ntsvcs',
'plugplay',
'protected_storage',
'router',
'SapiServerPipeS-1-5-5-0-70123',
'scerpc',
'srvsvc',
'tapsrv',
'trkwks',
'W32TIME_ALT',
'wkssvc',
'PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER',
'db2remotecmd'
]
target_pipes.each do |pipe|
pipe_name = "#{pipe}"
pipe_handle = self.simple.create_pipe(pipe_name, 'o')
print_good("Found accessible named pipe: #{pipe}")
end
report_vuln( report_vuln(
host: ip, host: ip,
name: self.name, name: self.name,