metasploit-framework/modules/auxiliary/scanner/smb/pipe_auditor.rb

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##


require 'msf/core'


class Metasploit3 < Msf::Auxiliary

  # Exploit mixins should be called first
  include Msf::Exploit::Remote::SMB::Client
  include Msf::Exploit::Remote::SMB::Client::Authenticated

  # Scanner mixin should be near last
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report

  def initialize
    super(
      'Name'        => 'SMB Session Pipe Auditor',
      'Description' => 'Determine what named pipes are accessible over SMB',
      'Author'      => 'hdm',
      'License'     => MSF_LICENSE
    )

    deregister_options('RPORT')
  end

  @@target_pipes = [
    'netlogon',
    'lsarpc',
    'samr',
    'browser',
    'atsvc',
    'DAV RPC SERVICE',
    'epmapper',
    'eventlog',
    'InitShutdown',
    'keysvc',
    'lsass',
    'LSM_API_service',
    'ntsvcs',
    'plugplay',
    'protected_storage',
    'router',
    'SapiServerPipeS-1-5-5-0-70123',
    'scerpc',
    'srvsvc',
    'tapsrv',
    'trkwks',
    'W32TIME_ALT',
    'wkssvc',
    'PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER',
    'db2remotecmd'
  ]

  # Fingerprint a single host
  def run_host(ip)

    pass = []

    [[139, false], [445, true]].each do |info|

    datastore['RPORT'] = info[0]
    datastore['SMBDirect'] = info[1]

    begin
      connect()
      smb_login()
      @@target_pipes.each do |pipe|
        begin
          fid = smb_create("\\#{pipe}")
          #print_status("Opened pipe \\#{pipe}")
          pass.push(pipe)
        rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e
          #print_error("Could not open \\#{pipe}: Error 0x%.8x" % e.error_code)
        end
      end

      disconnect()

      break
    rescue ::Exception => e
      #print_line($!.to_s)
      #print_line($!.backtrace.join("\n"))
    end
    end

    if(pass.length > 0)
      print_status("#{ip} - Pipes: #{pass.map{|c| "\\#{c}"}.join(", ")}")
      # Add Report
      report_note(
        :host	=> ip,
        :proto => 'tcp',
        :sname	=> 'smb',
        :port	=> rport,
        :type	=> 'Pipes Founded',
        :data	=> "Pipes: #{pass.map{|c| "\\#{c}"}.join(", ")}"
      )
    end
  end


end