From 092650e24c221bcfe357fdd379cd34925c14cdd3 Mon Sep 17 00:00:00 2001
From: HD Moore
Date: Sun, 18 Feb 2007 01:17:45 +0000
Subject: [PATCH] ADding some of my DCERPC/SMB tools
git-svn-id: file:///home/svn/framework3/trunk@4421 4d416f70-5f16-0410-b530-b9f4589650da
---
modules/auxiliary/scanner/smb/pipe_auditor.rb | 109 +++++++++
.../scanner/smb/pipe_dcerpc_auditor.rb | 224 ++++++++++++++++++
2 files changed, 333 insertions(+)
create mode 100644 modules/auxiliary/scanner/smb/pipe_auditor.rb
create mode 100644 modules/auxiliary/scanner/smb/pipe_dcerpc_auditor.rb
diff --git a/modules/auxiliary/scanner/smb/pipe_auditor.rb b/modules/auxiliary/scanner/smb/pipe_auditor.rb
new file mode 100644
index 0000000000..f2a1f34947
--- /dev/null
+++ b/modules/auxiliary/scanner/smb/pipe_auditor.rb
@@ -0,0 +1,109 @@
+##
+# $Id:$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/projects/Framework/
+##
+
+
+require 'msf/core'
+
+module Msf
+
+class Auxiliary::Scanner::Smb::Pipe_Auditor < Msf::Auxiliary
+
+ # Exploit mixins should be called first
+ include Exploit::Remote::SMB
+
+ # Scanner mixin should be near last
+ include Auxiliary::Scanner
+
+ def initialize
+ super(
+ 'Name' => 'SMB Session Pipe Auditor',
+ 'Version' => '$Revision: 3624 $',
+ 'Description' => 'Determine what named pipes are accessible over SMB',
+ 'Author' => 'hdm',
+ 'License' => MSF_LICENSE
+ )
+
+ deregister_options('RPORT')
+ end
+
+ @@target_pipes = [
+ 'netlogon',
+ 'lsarpc',
+ 'samr',
+ 'browser',
+ 'atsvc',
+ 'DAV RPC SERVICE',
+ 'epmapper',
+ 'eventlog',
+ 'InitShutdown',
+ 'keysvc',
+ 'lsass',
+ 'LSM_API_service',
+ 'ntsvcs',
+ 'plugplay',
+ 'protected_storage',
+ 'router',
+ 'SapiServerPipeS-1-5-5-0-70123',
+ 'scerpc',
+ 'srvsvc',
+ 'tapsrv',
+ 'trkwks',
+ 'W32TIME_ALT',
+ 'wkssvc',
+ 'PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER'
+ ]
+
+
+ # Overload the RPORT setting
+ def rport
+ @target_port
+ end
+
+ # Fingerprint a single host
+ def run_host(ip)
+
+ pass = []
+
+ [[139, false], [445, true]].each do |info|
+
+ @target_port = info[0]
+ datastore['SMBDirect'] = info[1]
+
+ begin
+ connect()
+ smb_login()
+ @@target_pipes.each do |pipe|
+ begin
+ fid = smb_create("\\#{pipe}")
+ # print_status("Opened pipe \\#{pipe}")
+ pass.push(pipe)
+ rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e
+ # print_error("Could not open \\#{pipe}: Error 0x%.8x" % e.error_code)
+ end
+ end
+
+ disconnect()
+
+ break
+ rescue ::Exception => e
+ print_line($!.to_s)
+ print_line($!.backtrace.join("\n"))
+ end
+ end
+
+ if(pass.length > 0)
+ print_status("Pipes: #{pass.map{|c| "\\#{c}"}.join(", ")}")
+ end
+ end
+
+
+end
+end
diff --git a/modules/auxiliary/scanner/smb/pipe_dcerpc_auditor.rb b/modules/auxiliary/scanner/smb/pipe_dcerpc_auditor.rb
new file mode 100644
index 0000000000..a0b062298b
--- /dev/null
+++ b/modules/auxiliary/scanner/smb/pipe_dcerpc_auditor.rb
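Review bot: `run_host(ip)` in pipe_auditor.rb never uses `ip`, so the closing `print_status("Pipes: ...")` cannot be tied to a host when the module runs over a range; prefix the address, e.g. `print_status("#{ip} - Pipes: #{pass.map{|c| "\\#{c}"}.join(", ")}")`. The same applies to the `print_line("UUID ... OPEN VIA ...")` line in pipe_dcerpc_auditor.rb. The value returned by `smb_create` is stored in `fid` and then neither used nor closed, so each pipe that opens presumably stays open on the server until `disconnect()`; release it right after `pass.push(pipe)` (the exact close call depends on what `smb_create` returns, which this patch does not show). `disconnect()` is also skipped whenever the outer `rescue` fires after a successful `connect()`, so moving it into an `ensure` would avoid leaving a session behind before the port 445 attempt.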
@@ -0,0 +1,224 @@
+##
+# $Id:$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/projects/Framework/
+##
+
+
+require 'msf/core'
+
+module Msf
+
+class Auxiliary::Scanner::Smb::Pipe_DCERPC_Auditor < Msf::Auxiliary
+
+ # Exploit mixins should be called first
+ include Exploit::Remote::SMB
+ include Exploit::Remote::DCERPC
+
+ # Scanner mixin should be near last
+ include Auxiliary::Scanner
+
+ def initialize
+ super(
+ 'Name' => 'SMB Session Pipe DCERPC Auditor',
+ 'Version' => '$Revision: 3624 $',
+ 'Description' => 'Determine what DCERPC services are accessible over a SMB pipe',
+ 'Author' => 'hdm',
+ 'License' => MSF_LICENSE
+ )
+
+ deregister_options('RPORT', 'RHOST')
+ register_options(
+ [
+ OptString.new('SMBPIPE', [ true, "The pipe name to use (BROWSER)", 'BROWSER']),
+ ], self.class)
+ end
+
+
+ @@target_uuids = [
+ [ '00000131-0000-0000-c000-000000000046', '0' ],
+ [ '00000134-0000-0000-c000-000000000046', '0' ],
+ [ '00000143-0000-0000-c000-000000000046', '0' ],
+ [ '06bba54a-be05-49f9-b0a0-30f790261023', '1' ],
+ [ '0767a036-0d22-48aa-ba69-b619480f38cb', '1' ],
+ [ '0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53', '1' ],
+ [ '0b6edbfa-4a24-4fc6-8a23-942b1eca65d1', '1' ],
+ [ '0d72a7d4-6148-11d1-b4aa-00c04fb66ea0', '1' ],
+ [ '0da5a86c-12c2-4943-30ab-7f74a813d853', '1' ],
+ [ '0e4a0156-dd5d-11d2-8c2f-00c04fb6bcde', '1' ],
+ [ '1088a980-eae5-11d0-8d9b-00a02453c337', '1' ],
+ [ '10f24e8e-0fa6-11d2-a910-00c04f990f3b', '1' ],
+ [ '12345678-1234-abcd-ef00-0123456789ab', '1' ],
+ [ '12345778-1234-abcd-ef00-0123456789ac', '1' ],
+ [ '12b81e99-f207-4a4c-85d3-77b42f76fd14', '1' ],
+ [ '12e65dd8-887f-41ef-91bf-8d816c42c2e7', '1' ],
+ [ '1453c42c-0fa6-11d2-a910-00c04f990f3b', '1' ],
+ [ '1544f5e0-613c-11d1-93df-00c04fd7bd09', '1' ],
+ [ '16e0cf3a-a604-11d0-96b1-00a0c91ece30', '1' ],
+ [ '17fdd703-1827-4e34-79d4-24a55c53bb37', '1' ],
+ [ '18f70770-8e64-11cf-9af1-0020af6e72f4', '0' ],
+ [ '1bddb2a6-c0c3-41be-8703-ddbdf4f0e80a', '1' ],
+ [ '1be617c0-31a5-11cf-a7d8-00805f48a135', '3' ],
+ [ '1ff70682-0a51-30e8-076d-740be8cee98b', '1' ],
+ [ '201ef99a-7fa0-444c-9399-19ba84f12a1a', '1' ],
+ [ '2465e9e0-a873-11d0-930b-00a0c90ab17c', '3' ],
+ [ '25952c5d-7976-4aa1-a3cb-c35f7ae79d1b', '1' ],
+ [ '266f33b4-c7c1-4bd1-8f52-ddb8f2214ea9', '1' ],
+ [ '2eb08e3e-639f-4fba-97b1-14f878961076', '1' ],
+ [ '2f59a331-bf7d-48cb-9e5c-7c090d76e8b8', '1' ],
+ [ '2f5f3220-c126-1076-b549-074d078619da', '1.2' ],
+ [ '2f5f6520-ca46-1067-b319-00dd010662da', '1' ],
+ [ '2f5f6521-cb55-1059-b446-00df0bce31db', '1' ],
+ [ '2fb92682-6599-42dc-ae13-bd2ca89bd11c', '1' ],
+ [ '300f3532-38cc-11d0-a3f0-0020af6b0add', '1.2' ],
+ [ '326731e3-c1c0-4a69-ae20-7d9044a4ea5c', '1' ],
+ [ '342cfd40-3c6c-11ce-a893-08002b2e9c6d', '0' ],
+ [ '3473dd4d-2e88-4006-9cba-22570909dd10', '5' ],
+ [ '367abb81-9844-35f1-ad32-98f038001003', '2' ],
+ [ '369ce4f0-0fdc-11d3-bde8-00c04f8eee78', '1' ],
+ [ '378e52b0-c0a9-11cf-822d-00aa0051e40f', '1' ],
+ [ '38a94e72-a9bc-11d2-8faf-00c04fa378ff', '1' ],
+ [ '3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5', '1' ],
+ [ '3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6', '1' ],
+ [ '3f31c91e-2545-4b7b-9311-9529e8bffef6', '1' ],
+ [ '3f99b900-4d87-101b-99b7-aa0004007f07', '1' ],
+ [ '3faf4738-3a21-4307-b46c-fdda9bb8c0d5', '1' ],
+ [ '41208ee0-e970-11d1-9b9e-00e02c064c39', '1' ],
+ [ '45776b01-5956-4485-9f80-f428f7d60129', '2' ],
+ [ '45f52c28-7f9f-101a-b52b-08002b2efabe', '1' ],
+ [ '469d6ec0-0d87-11ce-b13f-00aa003bac6c', '16' ],
+ [ '4a452661-8290-4b36-8fbe-7f4093a94978', '1' ],
+ [ '4b112204-0e19-11d3-b42b-0000f81feb9f', '1' ],
+ [ '4b324fc8-1670-01d3-1278-5a47bf6ee188', '0' ],
+ [ '4da1c422-943d-11d1-acae-00c04fc2aa3f', '1' ],
+ [ '4f82f460-0e21-11cf-909e-00805f48a135', '4' ],
+ [ '4fc742e0-4a10-11cf-8273-00aa004ae673', '3' ],
+ [ '50abc2a4-574d-40b3-9d66-ee4fd5fba076', '5' ],
+ [ '57674cd0-5200-11ce-a897-08002b2e9c6d', '1' ],
+ [ '5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc', '1' ],
+ [ '5b5b3580-b0e0-11d1-b92d-0060081e87f0', '1' ],
+ [ '5b821720-f63b-11d0-aad2-00c04fc324db', '1' ],
+ [ '5ca4a760-ebb1-11cf-8611-00a0245420ed', '1' ],
+ [ '5f54ce7d-5b79-4175-8584-cb65313a0e98', '1' ],
+ [ '621dff68-3c39-4c6c-aae3-e68e2c6503ad', '1' ],
+ [ '629b9f66-556c-11d1-8dd2-00aa004abd5e', '3' ],
+ [ '63fbe424-2029-11d1-8db8-00aa004abd5e', '1' ],
+ [ '654976df-1498-4056-a15e-cb4e87584bd8', '1' ],
+ [ '65a93890-fab9-43a3-b2a5-1e330ac28f11', '2' ],
+ [ '68dcd486-669e-11d1-ab0c-00c04fc2dcd2', '2' ],
+ [ '69510fa1-2f99-4eeb-a4ff-af259f0f9749', '1' ],
+ [ '6bffd098-a112-3610-9833-012892020162', '0' ],
+ [ '6bffd098-a112-3610-9833-46c3f874532d', '1' ],
+ [ '76d12b80-3467-11d3-91ff-0090272f9ea3', '1' ],
+ [ '76f226c3-ec14-4325-8a99-6a46348418af', '1' ],
+ [ '7ea70bcf-48af-4f6a-8968-6a440754d5fa', '1' ],
+ [ '7f9d11bf-7fb9-436b-a812-b2d50c5d4c03', '1' ],
+ [ '811109bf-a4e1-11d1-ab54-00a0c91e9b45', '1' ],
+ [ '8174bb16-571b-4c38-8386-1102b449044a', '1' ],
+ [ '82ad4280-036b-11cf-972c-00aa006887b0', '2' ],
+ [ '83d72bf0-0d89-11ce-b13f-00aa003bac6c', '6' ],
+ [ '83da7c00-e84f-11d2-9807-00c04f8ec850', '2' ],
+ [ '86d35949-83c9-4044-b424-db363231fd0c', '1' ],
+ [ '894de0c0-0d55-11d3-a322-00c04fa321a1', '1' ],
+ [ '89742ace-a9ed-11cf-9c0c-08002be7ae86', '2' ],
+ [ '8c7daf44-b6dc-11d1-9a4c-0020af6e7c57', '1' ],
+ [ '8cfb5d70-31a4-11cf-a7d8-00805f48a135', '3' ],
+ [ '8d0ffe72-d252-11d0-bf8f-00c04fd9126b', '1' ],
+ [ '8f09f000-b7ed-11ce-bbd2-00001a181cad', '0' ],
+ [ '8fb6d884-2388-11d0-8c35-00c04fda2795', '4.1' ],
+ [ '906b0ce0-c70b-1067-b317-00dd010662da', '1' ],
+ [ '91ae6020-9e3c-11cf-8d7c-00aa00c091be', '0' ],
+ [ '93149ca2-973b-11d1-8c39-00c04fb984f9', '0' ],
+ [ '95958c94-a424-4055-b62b-b7f4d5c47770', '1' ],
+ [ '99e64010-b032-11d0-97a4-00c04fd6551d', '3' ],
+ [ '9b8699ae-0e44-47b1-8e7f-86a461d7ecdc', '0' ],
+ [ '9e8ee830-4459-11ce-979b-00aa005ffebe', '2' ],
+ [ 'a002b3a0-c9b7-11d1-ae88-0080c75e4ec1', '1' ],
+ [ 'a00c021c-2be2-11d2-b678-0000f87a8f8e', '1' ],
+ [ 'a2d47257-12f7-4beb-8981-0ebfa935c407', '1' ],
+ [ 'a398e520-d59a-4bdd-aa7a-3c1e0303a511', '1' ],
+ [ 'a4f1db00-ca47-1067-b31e-00dd010662da', '1' ],
+ [ 'a4f1db00-ca47-1067-b31f-00dd010662da', '0' ],
+ [ 'a4f1db00-ca47-1067-b31f-00dd010662da', '0.81' ],
+ [ 'aa411582-9bdf-48fb-b42b-faa1eee33949', '1' ],
+ [ 'ae33069b-a2a8-46ee-a235-ddfd339be281', '1' ],
+ [ 'b58aa02e-2884-4e97-8176-4ee06d794184', '1' ],
+ [ 'c33b9f46-2088-4dbc-97e3-6125f127661c', '1' ],
+ [ 'c681d488-d850-11d0-8c52-00c04fd90f7e', '1' ],
+ [ 'c8cb7687-e6d3-11d2-a958-00c04f682e16', '1' ],
+ [ 'c9378ff1-16f7-11d0-a0b2-00aa0061426a', '1' ],
+ [ 'c9ac6db5-82b7-4e55-ae8a-e464ed7b4277', '1' ],
+ [ 'd049b186-814f-11d1-9a3c-00c04fc9b232', '1.1' ],
+ [ 'd335b8f6-cb31-11d0-b0f9-006097ba4e54', '1.5' ],
+ [ 'd3fbb514-0e3b-11cb-8fad-08002b1d29c3', '1' ],
+ [ 'd6d70ef0-0e3b-11cb-acc3-08002b1d29c3', '1' ],
+ [ 'd6d70ef0-0e3b-11cb-acc3-08002b1d29c4', '1' ],
+ [ 'd95afe70-a6d5-4259-822e-2c84da1ddb0d', '1' ],
+ [ 'dd490425-5325-4565-b774-7e27d6c09c24', '1' ],
+ [ 'e67ab081-9844-3521-9d32-834f038001c0', '1' ],
+ [ 'ea0a3165-4834-11d2-a6f8-00c04fa346cc', '4' ],
+ [ 'ecec0d70-a603-11d0-96b1-00a0c91ece30', '1' ],
+ [ 'f50aac00-c7f3-428e-a022-a6b71bfb9d43', '1' ],
+ [ 'f5cc59b4-4264-101a-8c59-08002b2f8426', '1.1' ],
+ [ 'f5cc5a18-4264-101a-8c59-08002b2f8426', '56' ],
+ [ 'f5cc5a7c-4264-101a-8c59-08002b2f8426', '21' ],
+ [ 'f6beaff7-1e19-4fbb-9f8f-b89e2018337c', '1' ],
+ [ 'f930c514-1215-11d3-99a5-00a0c9b61b04', '1' ],
+ [ 'fd7a0523-dc70-43dd-9b2e-9c5ed48225b1', '1' ],
+ [ 'fdb3a030-065f-11d1-bb9b-00a024ea5525', '1' ]
+]
+
+
+ # Overload the RPORT setting
+ def rport
+ @target_port
+ end
+
+ # Fingerprint a single host
+ def run_host(ip)
+
+ [[139, false], [445, true]].each do |info|
+
+ @target_port = info[0]
+ datastore['SMBDirect'] = info[1]
+
+ begin
+ connect()
+ smb_login()
+
+ @@target_uuids.each do |uuid|
+
+ handle = dcerpc_handle(
+ uuid[0], uuid[1],
+ 'ncacn_np', ["\\#{datastore['SMBPIPE']}"]
+ )
+
+ begin
+ dcerpc_bind(handle)
+ print_line("UUID #{uuid[0]} #{uuid[1].to_f.to_s} OPEN VIA #{datastore['SMBPIPE']}")
+ rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e
+ # print_line("UUID #{uuid[0]} #{uuid[1]} ERROR 0x%.8x" % e.error_code)
+ rescue ::Exception => e
+ # print_line("UUID #{uuid[0]} #{uuid[1]} ERROR #{$!}")
+ end
+ end
+
+ disconnect()
+
+ return
+ rescue ::Exception
+ print_line($!.to_s)
+ print_line($!.backtrace.join("\n"))
+ end
+ end
+ end
+
+
+end
+end
+
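Review bot: The inner `rescue ::Exception => e` around `dcerpc_bind(handle)` in pipe_dcerpc_auditor.rb has an empty body, so a dropped session or a timeout looks exactly like a refused bind and every remaining UUID is silently reported as absent. Keep the quiet path for `::Rex::Proto::SMB::Exceptions::ErrorCode` only and surface everything else, e.g. `print_error("#{ip} UUID #{uuid[0]} #{uuid[1]} ERROR #{e}")` in the catch-all branch, so an auditor can tell "not bindable" from "probe failed". On the success line, `uuid[1].to_f.to_s` renders interface version '16' as `16.0` and '1' as `1.0`; printing `uuid[1]` unchanged keeps the version exactly as listed in `@@target_uuids`.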