53 lines
1.8 KiB
Python
53 lines
1.8 KiB
Python
#!/usr/bin/env python3
|
|
# -*- coding: utf-8 -*-
|
|
|
|
from nxc.protocols.smb.remotefile import RemoteFile
|
|
from impacket import nt_errors
|
|
from impacket.smb3structs import FILE_READ_DATA
|
|
from impacket.smbconnection import SessionError
|
|
|
|
|
|
class NXCModule:
|
|
"""
|
|
Enumerate whether the WebClient service is running on the target by looking for the
|
|
DAV RPC Service pipe. This technique was first suggested by Lee Christensen (@tifkin_)
|
|
|
|
Module by Tobias Neitzel (@qtc_de)
|
|
"""
|
|
|
|
name = "webdav"
|
|
description = "Checks whether the WebClient service is running on the target"
|
|
supported_protocols = ["smb"]
|
|
opsec_safe = True
|
|
multiple_hosts = True
|
|
|
|
def options(self, context, module_options):
|
|
"""
|
|
MSG Info message when the WebClient service is running. '{}' is replaced by the target.
|
|
"""
|
|
self.output = "WebClient Service enabled on: {}"
|
|
|
|
if "MSG" in module_options:
|
|
self.output = module_options["MSG"]
|
|
|
|
def on_login(self, context, connection):
|
|
"""
|
|
Check whether the 'DAV RPC Service' pipe exists within the 'IPC$' share. This indicates
|
|
that the WebClient service is running on the target.
|
|
"""
|
|
try:
|
|
remote_file = RemoteFile(connection.conn, "DAV RPC Service", "IPC$", access=FILE_READ_DATA)
|
|
|
|
remote_file.open()
|
|
remote_file.close()
|
|
|
|
context.log.highlight(self.output.format(connection.conn.getRemoteHost()))
|
|
|
|
except SessionError as e:
|
|
if e.getErrorCode() == nt_errors.STATUS_OBJECT_NAME_NOT_FOUND:
|
|
pass
|
|
elif e.getErrorCode() in nt_errors.ERROR_MESSAGES:
|
|
context.log.fail(f"Error enumerating WebDAV: {e.getErrorString()[0]}", color="magenta")
|
|
else:
|
|
raise e
|