Lucene search
+L

SMB Session Pipe Auditor

🗓️ 17 Jun 2010 14:03:53Reported by hdm <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 28 Views

SMB Session Pipe Auditor module for auditing named pipes accessible over SM

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary

  # Exploit mixins should be called first
  include Msf::Exploit::Remote::SMB::Client
  include Msf::Exploit::Remote::SMB::Client::Authenticated
  include Msf::Exploit::Remote::SMB::Client::PipeAuditor

  # Scanner mixin should be near last
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report

  include Msf::OptionalSession::SMB

  def initialize
    super(
      'Name'        => 'SMB Session Pipe Auditor',
      'Description' => 'Determine what named pipes are accessible over SMB',
      'Author'      => 'hdm',
      'License'     => MSF_LICENSE,
    )
  end

  def connect(*args, **kwargs)
    super(*args, **kwargs, direct: @smb_direct)
  end

  def rport
    @rport
  end

  # Fingerprint a single host
  def run_host(ip)

    pipes = []

    if session
      print_status("Using existing session #{session.sid}")
      @rport = datastore['RPORT'] = session.port
      self.simple = session.simple_client
      self.simple.connect("\\\\#{session.address}\\IPC$")
      report_pipes(ip, check_pipes)
    else
      if datastore['RPORT'].blank? || datastore['RPORT'] == 0
        smb_services = [
          { port: 445, direct: true },
          { port: 139, direct: false }
        ]
      else
        smb_services = [
          { port: datastore['RPORT'], direct: datastore['SMBDirect'] }
        ]
      end

      smb_services.each do |smb_service|
        @rport = smb_service[:port]
        @smb_direct = smb_service[:direct]

        begin
          connect
          smb_login
          pipes += check_pipes
          disconnect
          report_pipes(ip, pipes)
        rescue Rex::Proto::SMB::Exceptions::SimpleClientError, Rex::ConnectionError => e
          vprint_error("SMB client Error with RPORT=#{@rport} SMBDirect=#{@smb_direct}: #{e.to_s}")
        end

      end
    end

  end

  def check_pipes
    pipes = []
    check_named_pipes.each do |pipe_name, _|
      pipes.push(pipe_name)
    end
    pipes
  end

  def report_pipes(ip, pipes)
    if(pipes.length > 0)
      print_good("Pipes: #{pipes.join(", ")}")
      # Add Report
      report_note(
        :host	=> ip,
        :proto => 'tcp',
        :sname	=> 'smb',
        :port	=> rport,
        :type	=> 'Pipes Found',
        :data	=> "Pipes: #{pipes.join(", ")}"
      )
    end
  end

end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

16 Dec 2024 08:52Current
7.4High risk
Vulners AI Score7.4
28