metasploit-framework/modules/auxiliary/scanner/smb/pipe_auditor.rb

107 lines
2.2 KiB
Ruby

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
# Exploit mixins should be called first
include Msf::Exploit::Remote::SMB::Client
include Msf::Exploit::Remote::SMB::Client::Authenticated
# Scanner mixin should be near last
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
def initialize
super(
'Name' => 'SMB Session Pipe Auditor',
'Description' => 'Determine what named pipes are accessible over SMB',
'Author' => 'hdm',
'License' => MSF_LICENSE
)
deregister_options('RPORT')
end
@@target_pipes = [
'netlogon',
'lsarpc',
'samr',
'browser',
'atsvc',
'DAV RPC SERVICE',
'epmapper',
'eventlog',
'InitShutdown',
'keysvc',
'lsass',
'LSM_API_service',
'ntsvcs',
'plugplay',
'protected_storage',
'router',
'SapiServerPipeS-1-5-5-0-70123',
'scerpc',
'srvsvc',
'tapsrv',
'trkwks',
'W32TIME_ALT',
'wkssvc',
'PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER',
'db2remotecmd'
]
# Fingerprint a single host
def run_host(ip)
pass = []
[[139, false], [445, true]].each do |info|
datastore['RPORT'] = info[0]
datastore['SMBDirect'] = info[1]
begin
connect()
smb_login()
@@target_pipes.each do |pipe|
begin
fid = smb_create("\\#{pipe}")
# print_status("Opened pipe \\#{pipe}")
pass.push(pipe)
rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e
# print_error("Could not open \\#{pipe}: Error 0x%.8x" % e.error_code)
end
end
disconnect()
break
rescue ::Exception => e
# print_line($!.to_s)
# print_line($!.backtrace.join("\n"))
end
end
if(pass.length > 0)
print_status("#{ip} - Pipes: #{pass.map{|c| "\\#{c}"}.join(", ")}")
#Add Report
report_note(
:host => ip,
:proto => 'tcp',
:sname => 'smb',
:port => rport,
:type => 'Pipes Founded',
:data => "Pipes: #{pass.map{|c| "\\#{c}"}.join(", ")}"
)
end
end
end