48 lines
1.6 KiB
Python
48 lines
1.6 KiB
Python
|
from cme.protocols.smb.remotefile import RemoteFile
|
||
|
|
from impacket import nt_errors
|
||
|
|
from impacket.smb3structs import FILE_READ_DATA
|
||
|
|
from impacket.smbconnection import SessionError
|
||
|
|
|
||
|
|
class CMEModule:
|
||
|
|
'''
|
||
|
|
Enumerate whether the WebClient service is running on the target host by looking for the
|
||
|
|
DAV RPC Service pipe. This technique was first suggested by Lee Christensen (@tifkin_)
|
||
|
|
|
||
|
|
Module by Tobias Neitzel (@qtc_de)
|
||
|
|
'''
|
||
|
|
name = 'webdav'
|
||
|
|
description = 'Checks whether the WebClient service is running on the target host'
|
||
|
|
supported_protocols = ['smb']
|
||
|
|
opsec_safe= True
|
||
|
|
multiple_hosts = True
|
||
|
|
|
||
|
|
def options(self, context, module_options):
|
||
|
|
'''
|
||
|
|
MSG Info message to use when a host is vulnerable. '{}' is replaced by the target.
|
||
|
|
'''
|
||
|
|
self.output = 'WebClient Service enabled on: {}'
|
||
|
|
|
||
|
|
if 'MSG' in module_options:
|
||
|
|
self.output = module_options['MSG']
|
||
|
|
|
||
|
|
def on_login(self, context, connection):
|
||
|
|
'''
|
||
|
|
Check whether the 'DAV RPC Service' pipe exists within the 'IPC$' share. This indicates
|
||
|
|
that the WebClient service is running on the target host.
|
||
|
|
'''
|
||
|
|
try:
|
||
|
|
remote_file = RemoteFile(connection.conn, 'DAV RPC Service', 'IPC$', access=FILE_READ_DATA)
|
||
|
|
|
||
|
|
remote_file.open()
|
||
|
|
remote_file.close()
|
||
|
|
|
||
|
|
context.log.highlight(self.output.format(connection.conn.getRemoteHost()))
|
||
|
|
|
||
|
|
except SessionError as e:
|
||
|
|
|
||
|
|
if e.getErrorCode() == nt_errors.STATUS_OBJECT_NAME_NOT_FOUND:
|
||
|
|
pass
|
||
|
|
|
||
|
|
else:
|
||
|
|
raise e
|