metasploit-framework/modules/auxiliary/scanner/dcerpc/management.rb

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##


require 'msf/core'


class MetasploitModule < Msf::Auxiliary

  # Exploit mixins should be called first
  include Msf::Exploit::Remote::DCERPC

  include Msf::Auxiliary::Report

  # Scanner mixin should be near last
  include Msf::Auxiliary::Scanner

  def initialize
    super(
      'Name'        => 'Remote Management Interface Discovery',
      'Description' => %q{
        This module can be used to obtain information from the Remote
        Management Interface DCERPC service.
      },
      'Author'      => 'hdm',
      'License'     => MSF_LICENSE
    )

    deregister_options('RHOST')

    register_options(
      [
        Opt::RPORT(135)
      ], self.class)
  end

  # Obtain information about a single host
  def run_host(ip)
    begin

      ids = dcerpc_mgmt_inq_if_ids(rport)
      return if not ids
      ids.each do |id|
        print_status("UUID #{id[0]} v#{id[1]}")

        reportdata = ""

        stats = dcerpc_mgmt_inq_if_stats(rport)
        if stats
          print_status("\t stats: " + stats.map{|i| "0x%.8x" % i}.join(", "))
          reportdata << "stats: " + stats.map{|i| "0x%.8x" % i}.join(", ") + " "
        end

        live  = dcerpc_mgmt_is_server_listening(rport)
        if live
          print_status("\t listening: %.8x" % live)
          #reportdata << "listening: %.8x" % live + " "
        end

        dead  = dcerpc_mgmt_stop_server_listening(rport)
        if dead
          print_status("\t killed: %.8x" % dead)
          #reportdata << "killed: %.8x" % dead + " "
        end

        princ = dcerpc_mgmt_inq_princ_name(rport)
        if princ
          print_status("\t name: #{princ.unpack("H*")[0]}")
          #reportdata << "name: #{princ.unpack("H*")[0]}"
        end

        # Add Report
        report_note(
          :host   => ip,
          :proto  => 'tcp',
          :port   => datastore['RPORT'],
          :type   => "DCERPC UUID #{id[0]} v#{id[1]}",
          :data   => reportdata
        )

      end

    rescue ::Interrupt
      raise $!
    rescue ::Exception => e
      print_error("Error: #{e}")
    end
  end

end