rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

smb_enumshares returns no results in comparison to smbclient #14355

Closed adfoster-r7 closed 9 months ago

adfoster-r7 commented 3 years ago

Steps to reproduce

Running against tryhackme's nerdherd room results in no shares output:

use smb_enumshares
run rhosts=10.10.34.174

Example:

msf6 > use smb_enumshares
msf6 auxiliary(scanner/smb/smb_enumshares) > run rhosts=10.10.34.174

[*] 10.10.34.174:         - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

In case it's useful, version output:

run rhosts=10.10.34.174

[*] 10.10.34.174:445      - SMB Detected (versions:1, 2, 3) (preferred dialect:SMB 3.1.1) (compression capabilities:LZNT1) (encryption capabilities:AES-128-CCM) (signatures:optional) (guid:{6472656e-6568-6472-0000-000000000000}) (authentication domain:NERDHERD)
[*] 10.10.34.174:445      -   Host could not be identified: Windows 6.1 (Samba 4.3.11-Ubuntu)
[*] 10.10.34.174:         - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Current behavior

There is no output:

msf6 > use smb_enumshares
msf6 auxiliary(scanner/smb/smb_enumshares) > run rhosts=10.10.34.174

[*] 10.10.34.174:         - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

For some of the other smb modules, there's more obvious logging that something's gone wrong:

msf6 auxiliary(scanner/smb/smb_enumusers) > run rhosts=10.10.34.174

Error: 10.10.34.174 RubySMB::Error::EncryptionError Communication error with the remote host: Socket read returned nil. The server supports encryption but was not able to handle the encrypted request.
Error: 10.10.34.174 RubySMB::Error::EncryptionError Communication error with the remote host: Socket read returned nil. The server supports encryption but was not able to handle the encrypted request.
[*] 10.10.34.174:         - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Expected behavior

What should happen?

smbclient on kali works as expected:

smbclient -L //10.10.34.174/ -U "anonymous"%" "

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        nerdherd_classified Disk      Samba on Ubuntu
        IPC$            IPC       IPC Service (nerdherd server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available

Interestingly, although smbclient works, cme doesn't work:

docker run --rm -it --entrypoint '' byt3bl33d3r/crackmapexec /bin/bash
cme smb 10.10.34.174 --shares

Output:

root@2d72576240ec:/usr/src/crackmapexec# cme smb 10.10.34.174 --shares
SMB         10.10.34.174    445    NERDHERD         [*] Windows 6.1 (name:NERDHERD) (domain:) (signing:False) (SMBv1:True)
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/impacket/smbconnection.py", line 384, in connectTree
    return self._SMBConnection.connect_tree(share)
  File "/usr/local/lib/python3.8/site-packages/impacket/smb.py", line 2764, in tree_connect_andx
    if smb.isValidAnswer(SMB.SMB_COM_TREE_CONNECT_ANDX):
  File "/usr/local/lib/python3.8/site-packages/impacket/smb.py", line 718, in isValidAnswer
    raise SessionError("SMB Library Error", self['ErrorClass'] + (self['_reserved'] << 8), self['ErrorCode'], self['Flags2'] & SMB.FLAGS2_NT_STATUS, self)
impacket.smb.SessionError: SMB SessionError: class: ERRSRV, code: ERRbaduid(The UID is not known as a valid ID on this session.)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/cme/protocols/smb.py", line 533, in shares
    for share in self.conn.listShares():
  File "/usr/local/lib/python3.8/site-packages/impacket/smbconnection.py", line 407, in listShares
    dce.connect()
  File "/usr/local/lib/python3.8/site-packages/impacket/dcerpc/v5/rpcrt.py", line 800, in connect
    return self._transport.connect()
  File "/usr/local/lib/python3.8/site-packages/impacket/dcerpc/v5/transport.py", line 411, in connect
    self.__tid = self.__smb_connection.connectTree('IPC$')
  File "/usr/local/lib/python3.8/site-packages/impacket/smbconnection.py", line 386, in connectTree
    raise SessionError(e.get_error_code(), e.get_error_packet())
impacket.smbconnection.SessionError: SMB SessionError: 0x5b

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "src/gevent/greenlet.py", line 854, in gevent._gevent_cgreenlet.Greenlet.run
  File "/usr/local/lib/python3.8/site-packages/cme/protocols/smb.py", line 121, in __init__
    connection.__init__(self, args, db, host)
  File "/usr/local/lib/python3.8/site-packages/cme/connection.py", line 47, in __init__
    self.proto_flow()
  File "/usr/local/lib/python3.8/site-packages/cme/connection.py", line 86, in proto_flow
    self.call_cmd_args()
  File "/usr/local/lib/python3.8/site-packages/cme/connection.py", line 93, in call_cmd_args
    getattr(self, k)()
  File "/usr/local/lib/python3.8/site-packages/cme/protocols/smb.py", line 569, in shares
    error, desc = e.getErrorString()
  File "/usr/local/lib/python3.8/site-packages/impacket/smbconnection.py", line 1007, in getErrorString
    return nt_errors.ERROR_MESSAGES[self.error]
KeyError: 91
2020-11-05T17:06:58Z <Greenlet at 0x7fd3deccc480: smb(Namespace(aesKey=None, clear_obfscripts=False, con, <protocol.database object at 0x7fd3decc5be0>, '10.10.34.174')> failed with KeyError

Metasploit version

Get this with the version command in msfconsole (or git log -1 --pretty=oneline for a source install).

Module/Datastore

The following global/module datastore, and database setup was configured before the issue occurred:

```
[framework/core]
loglevel=3
[framework/database]
default_db=local-https-data-service
[framework/database/local-https-data-service]
url=[Filtered]
cert=[Filtered]
skip_verify=[Filtered]
api_token=[Filtered]
[framework/features]
wrapped_tables=true
RHOST_HTTP_URL=true
[framework/ui/console]
ActiveModule=auxiliary/scanner/smb/smb_enumusers
[scanner/smb/smb_enumusers]
DCERPC::fake_bind_multi=false
WORKSPACE=
VERBOSE=false
RHOSTS=
SSL=false
SSLVersion=Auto
SSLVerifyMode=PEER
SSLCipher=
Proxies=
CPORT=
CHOST=
ConnectTimeout=10
TCP::max_send_size=0
TCP::send_delay=0
NTLM::UseNTLMv2=true
NTLM::UseNTLM2_session=true
NTLM::SendLM=true
NTLM::UseLMKey=false
NTLM::SendNTLM=true
NTLM::SendSPN=true
SMB::pipe_evasion=false
SMB::pipe_write_min_size=1
SMB::pipe_write_max_size=1024
SMB::pipe_read_min_size=1
SMB::pipe_read_max_size=1024
SMB::pad_data_level=0
SMB::pad_file_level=0
SMB::obscure_trans_pipe_level=0
SMBDirect=true
SMBUser=
SMBPass=
SMBDomain=.
SMBName=*SMBSERVER
SMB::VerifySignature=false
SMB::ChunkSize=500
SMB::Native_OS=Windows 2000 2195
SMB::Native_LM=Windows 2000 5.0
SMB::ProtocolVersion=1,2,3
SMB::AlwaysEncrypt=true
DCERPC::max_frag_size=4096
DCERPC::fake_bind_multi_prepend=0
DCERPC::fake_bind_multi_append=0
DCERPC::smb_pipeio=rw
DCERPC::ReadTimeout=10
THREADS=1
ShowProgress=true
ShowProgressPercent=10
DB_ALL_USERS=false
```

History

The following commands were ran during the session and before this issue occurred:

```
2914 run rhosts=10.10.34.174
2915 log
2916 run
2917 run rhosts=10.10.34.174
2918 version
2919 use smb_version
2920 run rhosts=10.10.34.174
2921 use smb_enumshares
2922 run rhosts=10.10.34.174
2923 use smb_enumusers
2924 use 0
2925 run rhosts=10.10.34.174
2926 version
2927 debug
```

Framework Errors

The following framework errors occurred before the issue occurred:


Web Service Errors

The following web service errors occurred before the issue occurred:

```
No matching patterns were found in msf-ws.log.
```

Framework Logs

The following framework logs were recorded before the issue occurred:



Version/Install

The versions and install method of your Metasploit setup:

```
Framework: 6.0.15-dev-9076f2cc83
Ruby: ruby 2.7.2p137 (2020-10-01 revision 5445e04352) [x86_64-darwin19]
Install Root: /Users/adfoster/Documents/code/metasploit-framework
Session Type: Connected to remote_data_service: (https://localhost:5443). Connection type: http.
Install Method: Git Clone
```

adfoster-r7 commented 3 years ago

Also replicated with the thm anonymous room, possibly a regression in behavior:

6.0.2

msf5 > use smb_enumshares

Matching Modules
================

   #  Name                                  Disclosure Date  Rank    Check  Description
   -  ----                                  ---------------  ----    -----  -----------
   0  auxiliary/scanner/smb/smb_enumshares                   normal  No     SMB Share Enumeration

[*] Using auxiliary/scanner/smb/smb_enumshares
msf5 auxiliary(scanner/smb/smb_enumshares) > use 0
msf5 auxiliary(scanner/smb/smb_enumshares) > run rhosts=10.10.4.153

[+] 10.10.4.153:139       - print$ - (DISK) Printer Drivers
[+] 10.10.4.153:139       - pics - (DISK) My SMB Share Directory for Pics
[+] 10.10.4.153:139       - IPC$ - (IPC) IPC Service (anonymous server (Samba
[+] 10.10.4.153:139       - Ubuntu))
[*] 10.10.4.153:          - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

6.0.3

msf6 auxiliary(scanner/smb/smb_enumshares) > run rhosts=10.10.4.153

[*] 10.10.4.153:          - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_enumshares) > version
Framework: 6.0.3-dev-07acf7bd37
Console  : 6.0.3-dev-07acf7bd37
smcintyre-r7 commented 3 years ago

Seems like an issue with Samba 4.3.11 which you can easily install with Ubuntu 16.04.

cdelafuente-r7 commented 3 years ago

I could reproduce the issue against tryhackme's server but I couldn't with the same Samba version (4.3.11) on a local Ubuntu 16.04. Here are my notes:

Ubuntu 16.04

[!] 172.16.60.1:139 - peer_native_os is only available with SMB1 (current version: SMB3)
[!] 172.16.60.1:139 - peer_native_lm is only available with SMB1 (current version: SMB3)
[+] 172.16.60.1:139 - temp - (DISK)
[+] 172.16.60.1:139 - IPC$ - (IPC) IPC Service (847f03d07c9d server (Samba
[+] 172.16.60.1:139 - Ubuntu))
[+] 172.16.60.1:139 - smbuser - (DISK) Home directory of smbuser
[*] 172.16.60.1: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_enumshares) > set SMB::AlwaysEncrypt false
SMB::AlwaysEncrypt => false
msf6 auxiliary(scanner/smb/smb_enumshares) > run

[!] 172.16.60.1:139 - peer_native_os is only available with SMB1 (current version: SMB3)
[!] 172.16.60.1:139 - peer_native_lm is only available with SMB1 (current version: SMB3)
[+] 172.16.60.1:139 - temp - (DISK)
[+] 172.16.60.1:139 - IPC$ - (IPC) IPC Service (847f03d07c9d server (Samba
[+] 172.16.60.1:139 - Ubuntu))
[+] 172.16.60.1:139 - smbuser - (DISK) Home directory of smbuser
[*] 172.16.60.1: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed


## TryHackMe
- Encryption seems to be broken on this Samba server and disabling it with `set SMB::AlwaysEncrypt false` gets rid of the encryption error:

Error: 10.10.34.174 RubySMB::Error::EncryptionError Communication error with the remote host: Socket read returned nil. The server supports encryption but was not able to handle the encrypted request.

output:

msf6 auxiliary(scanner/smb/smb_enumshares) > set SMB::AlwaysEncrypt false
SMB::AlwaysEncrypt => false
msf6 auxiliary(scanner/smb/smb_enumshares) > run
[-] 10.10.254.193:139 - Error: '10.10.254.193' 'RubySMB::Error::UnexpectedStatusCode' 'The server responded with an unexpected status code: STATUS_ACCESS_DENIED'
[-] 10.10.254.193:445 - Error: '10.10.254.193' 'RubySMB::Error::UnexpectedStatusCode' 'The server responded with an unexpected status code: STATUS_ACCESS_DENIED'
[*] 10.10.254.193: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

- The issue is now `TREE_CONNECT` returns `STATUS_ACCESS_DENIED` and I found that disabling signing fixed this. Even if the server sets the `Signing enabled` flag on the `NEGOTIATE` response packet (meaning it supports it), it fails verifying the signature on the `TREE_CONNECT` packet. The fix would be to change the `if` statement in RubySMB [smb3_sign](https://github.com/rapid7/ruby_smb/blob/master/lib/ruby_smb/client/signing.rb#L45), which forces the client to not always sign the `TREE_CONNECT` request:

if !session_key.empty? && signing_required ...

output:

msf6 auxiliary(scanner/smb/smb_enumshares) > run

[!] 10.10.254.193:139 - peer_native_os is only available with SMB1 (current version: SMB3)
[!] 10.10.254.193:139 - peer_native_lm is only available with SMB1 (current version: SMB3)
[+] 10.10.254.193:139 - print$ - (DISK) Printer Drivers
[+] 10.10.254.193:139 - nerdherd_classified - (DISK) Samba on Ubuntu
[+] 10.10.254.193:139 - IPC$ - (IPC) IPC Service (nerdherd server (Samba
[+] 10.10.254.193:139 - Ubuntu))
[*] 10.10.254.193: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

However, according to the [protocol](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/973630a8-8aa1-4398-89a8-13cf830f194d), SMB3 with 3.1.1 dialect (the one selected by the server) requires the `TREE_CONNECT` request to **always** be signed. So, not-signing the `TREE_CONNECT` request is likely to break on other SMB/Samba servers, since it does not follow the protocol. I don't think it is a good idea.
- A workaround would be to disable SMB3, since it looks like it is broken on this server:

msf6 auxiliary(scanner/smb/smb_enumshares) > set SMB::AlwaysEncrypt false
SMB::AlwaysEncrypt => false
msf6 auxiliary(scanner/smb/smb_enumshares) > set SMB::ProtocolVersion 1,2
SMB::ProtocolVersion => 1,2
msf6 auxiliary(scanner/smb/smb_enumshares) > run

[!] 10.10.254.193:139 - peer_native_os is only available with SMB1 (current version: SMB2)
[!] 10.10.254.193:139 - peer_native_lm is only available with SMB1 (current version: SMB2)
[+] 10.10.254.193:139 - print$ - (DISK) Printer Drivers
[+] 10.10.254.193:139 - nerdherd_classified - (DISK) Samba on Ubuntu
[+] 10.10.254.193:139 - IPC$ - (IPC) IPC Service (nerdherd server (Samba
[+] 10.10.254.193:139 - Ubuntu))
[*] 10.10.254.193: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

adfoster-r7 commented 3 years ago

Just for posterity, I was able to replicate with docker, these are the steps I ran through:

Docker setup

Grabbing ubuntu 16.04 and installing docker:

docker run -it --rm -p 139:139 -p 445:445 ubuntu:16.04 /bin/bash
mkdir -p /tmp/foo
apt update
apt install -y samba

Verifying version is as expected:

$ samba --version
Version 4.3.11-Ubuntu

Adding the share:

cat << EOF >> /etc/samba/smb.conf
[foo_share]
    comment = Foo samba share
    path = /tmp/foo
    read only = no
    browsable = yes
EOF

Restart the service:

service smbd restart

Scanning with Metasploit

Now that docker is set up, and bound to the host's ports - I was able to replicate Christophe's and Spencer's findings when scanning with Metasploit:

use scanner/smb/smb_enumusers
run RHOST=127.0.0.1 smb::alwaysencrypt=false

Error: 127.0.0.1 RubySMB::Error::EncryptionError Communication error with the remote host: Socket read returned nil. The server supports encryption but was not able to handle the encrypted request.
Error: 127.0.0.1 RubySMB::Error::EncryptionError Communication error with the remote host: Socket read returned nil. The server supports encryption but was not able to handle the encrypted request.
[*] 127.0.0.1:            - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Running without encryption:

run RHOST=127.0.0.1 smb::alwaysencrypt=false

Error: 127.0.0.1 RubySMB::Error::UnexpectedStatusCode The server responded with an unexpected status code: STATUS_ACCESS_DENIED
Error: 127.0.0.1 RubySMB::Error::UnexpectedStatusCode The server responded with an unexpected status code: STATUS_ACCESS_DENIED
[*] 127.0.0.1:            - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Running with protocol version 1,2:

set SMB::ProtocolVersion 1,2
run RHOST=127.0.0.1 smb::alwaysencrypt=false

[!] 127.0.0.1:139         - peer_native_os is only available with SMB1 (current version: SMB2)
[!] 127.0.0.1:139         - peer_native_lm is only available with SMB1 (current version: SMB2)
[+] 127.0.0.1:139         - print$ - (DISK) Printer Drivers
[+] 127.0.0.1:139         - foo_share - (DISK) Samba share
[+] 127.0.0.1:139         - IPC$ - (IPC) IPC Service (2b17d92ee88b server (Samba
[+] 127.0.0.1:139         - Ubuntu))
[*] 127.0.0.1:            - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Using smbclient

Installing smbclient on a separate container works and targeting the host machine:

docker run -it --rm  ubuntu:16.04 /bin/bash
apt install -y smbclient
smbclient -L //docker.for.mac.host.internal/ -U "anonymous"%" "

Result:

root@757b88788c6e:/# smbclient -L //docker.for.mac.host.internal/ -U "anonymous"%" "
WARNING: The "syslog" option is deprecated
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]

    Sharename       Type      Comment
    ---------       ----      -------
    print$          Disk      Printer Drivers
    foo_share       Disk      Samba share
    IPC$            IPC       IPC Service (2b17d92ee88b server (Samba, Ubuntu))
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]

    Server               Comment
    ---------            -------

    Workgroup            Master
    ---------            -------

I'm assuming smbclient worked as it's not encrypted by default, as if I run with smbclient's encryption enabled it fails:

root@757b88788c6e:/# smbclient -e -L //docker.for.mac.host.internal/ -U "anonymous"%" "
WARNING: The "syslog" option is deprecated
NTLMSSP packet check failed due to short signature (0 bytes)!
NTLMSSP NTLM2 packet check failed due to invalid signature!
session setup failed: NT_STATUS_ACCESS_DENIED

As everything is now pointing to this being an issue with the particular Samba version, I wonder if there's any affordance we can add to Metasploit to help users know the steps they could run through to still try to extract information out of the rhost.

adfoster-r7 commented 3 years ago

Looks like it's the same results for ubuntu 20.04 LTS and samba 4.11.6 - January 28, 2020

gdynamics commented 3 years ago

I can confirm I have this same issue with msfconsole 6.0.17-dev. Unfortunately, I do not have 100% verifiable information about the remote machine's exact distro or Samba version, as I am running into this during a challenge.

cdelafuente-r7 commented 3 years ago

I spent some time debugging the smbd server and found what might cause this error. It turns out packet signing with an anonymous user is not accepted/supported. The Samba server generates the signing key based on an empty session key, whereas RubySMB uses a properly calculated session key. At this point, I'm not sure who is wrong. Signing might be disabled for anonymous users, but I need to confirm that. I was able to make it work with any Samba version by using an authenticated session (with proper credentials). Signing works in this case.
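
An added example, not RubySMB's or Metasploit's own code, that works through the key derivation behind the mismatch described above: SMB 3.x derives the signing key from the session key with the SP800-108 counter-mode KDF (MS-SMB2 3.1.4.2), so a peer starting from an empty session key and one starting from a calculated session key end up with different signing keys and can never verify each other's signatures. The session key and preauth integrity hash are constructed values, and the AES-CMAC signature step over the packet is left out.

```ruby
# Added example, not RubySMB or Metasploit code. Derives the SMB 3.x signing
# key the way MS-SMB2 3.1.4.2 specifies (SP800-108 KDF in counter mode with
# HMAC-SHA256) and shows why an anonymous session in which one peer starts
# from an empty session key and the other from a calculated one can never
# verify a signature: the two sides hold different signing keys.
require 'digest'

module SmbKdf
  SHA256_BLOCK = 64

  # HMAC-SHA256 written out in full (RFC 2104) so the example depends only on
  # Ruby's stdlib Digest; an empty key is legal and is padded to the block size.
  def self.hmac_sha256(key, data)
    key = Digest::SHA256.digest(key) if key.bytesize > SHA256_BLOCK
    key = key.b.ljust(SHA256_BLOCK, "\x00".b)
    ipad = key.bytes.map { |byte| byte ^ 0x36 }.pack('C*')
    opad = key.bytes.map { |byte| byte ^ 0x5c }.pack('C*')
    Digest::SHA256.digest(opad + Digest::SHA256.digest(ipad + data))
  end

  # SP800-108 counter mode:
  #   K(i) = PRF(KI, [i]_32 || Label || 0x00 || Context || [L]_32)
  # with a 32-bit big-endian counter starting at 1 and L = 128 bits. One HMAC
  # output already covers the 16 bytes SMB keeps.
  def self.derive(session_key, label, context, length_bits = 128)
    key_len = length_bits / 8
    out = ''.b
    i = 1
    while out.bytesize < key_len
      fixed = [i].pack('N') + label + "\x00".b + context + [length_bits].pack('N')
      out << hmac_sha256(session_key, fixed)
      i += 1
    end
    out[0, key_len]
  end

  # SMB 3.0 / 3.0.2: Label "SMB2AESCMAC\0", Context "SmbSign\0".
  def self.signing_key_smb30(session_key)
    derive(session_key, "SMB2AESCMAC\x00".b, "SmbSign\x00".b)
  end

  # SMB 3.1.1 (the dialect the Samba server in this issue selects): Label
  # "SMBSigningKey\0", Context = the 64-byte preauth integrity hash built up
  # over the NEGOTIATE and SESSION_SETUP exchange.
  def self.signing_key_smb311(session_key, preauth_hash)
    derive(session_key, "SMBSigningKey\x00".b, preauth_hash)
  end
end

# The client-side condition quoted earlier in the thread: only sign when a
# session key exists and the negotiation requires signing.
def client_will_sign?(session_key, signing_required)
  !session_key.empty? && signing_required
end

# Constructed sample values, not captured from a real session: the 16-byte
# session key a client calculates for an anonymous NTLM logon, the empty key
# the Samba side is described as using, and a dummy preauth integrity hash.
CALCULATED_SESSION_KEY = "\x11".b * 16
EMPTY_SESSION_KEY = ''.b
PREAUTH_HASH = "\xAB".b * 64

# Derive both sides' SMB 3.1.1 signing keys and report whether they could
# ever agree on a signature.
def compare_signing_keys
  client_key = SmbKdf.signing_key_smb311(CALCULATED_SESSION_KEY, PREAUTH_HASH)
  server_key = SmbKdf.signing_key_smb311(EMPTY_SESSION_KEY, PREAUTH_HASH)
  {
    client_key: client_key.unpack1('H*'),
    server_key: server_key.unpack1('H*'),
    keys_match: client_key == server_key,
    client_signs: client_will_sign?(CALCULATED_SESSION_KEY, true),
    anonymous_client_signs: client_will_sign?(EMPTY_SESSION_KEY, true)
  }
end

if __FILE__ == $PROGRAM_NAME
  compare_signing_keys.each { |k, v| puts "#{k}: #{v}" }
end
```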

cdelafuente-r7 commented 3 years ago

I did more tests with RubySMB directly, forcing SMBv3 with anonymous access.

ruby examples/net_share_enum_all.rb <ip> '' '' 3

Here are my findings:

Samba 4.11.6

| Session Key | Encryption | Result |
| --- | --- | --- |
| Calculated | Enabled | Failure (no response - connection closed) |
| Calculated | Disabled | Failure (STATUS_ACCESS_DENIED) |
| Empty | Enabled | Success |
| Empty | Disabled | Success |

Windows 10 version 1909

| Session Key | Encryption | Result |
| --- | --- | --- |
| Calculated | Enabled | Success |
| Calculated | Disabled | Success |
| Empty | Enabled | Failure (no response - connection closed) |
| Empty | Disabled | Success |

As we can see, the behavior is different. An empty session key will work with Samba, but it will fail with Windows if encryption is enabled.

cdelafuente-r7 commented 3 years ago

We can still force an empty session key when encryption is disabled, which will work with both platforms. But, with encryption enabled, it is another story.

pich4ya commented 3 years ago

workaround:

set SMB::AlwaysEncrypt false
set SMB::ProtocolVersion 1
gwillcox-r7 commented 3 years ago

Ran into this issue myself when I accidentally tested the PrintNightmare module against a Samba SMB server on an Ubuntu 20.04 LTS host running Samba 4.6.2. Just in case this helps anyone, error logs follow:

msf6 auxiliary(admin/dcerpc/cve_2021_1675_printnightmare) > check
[-] 192.168.224.128:445 - Auxiliary failed: RubySMB::Error::EncryptionError Communication error with the remote host: Socket read returned nil. The server supports encryption but was not able to handle the encrypted request.
[-] 192.168.224.128:445 - Call stack:
[-] 192.168.224.128:445 -   /home/gwillcox/.rvm/gems/ruby-2.7.2@metasploit-framework/gems/ruby_smb-2.0.10/lib/ruby_smb/client.rb:535:in `rescue in recv_packet'
[-] 192.168.224.128:445 -   /home/gwillcox/.rvm/gems/ruby-2.7.2@metasploit-framework/gems/ruby_smb-2.0.10/lib/ruby_smb/client.rb:531:in `recv_packet'
[-] 192.168.224.128:445 -   /home/gwillcox/.rvm/gems/ruby-2.7.2@metasploit-framework/gems/ruby_smb-2.0.10/lib/ruby_smb/client.rb:459:in `send_recv'
[-] 192.168.224.128:445 -   /home/gwillcox/.rvm/gems/ruby-2.7.2@metasploit-framework/gems/ruby_smb-2.0.10/lib/ruby_smb/client/tree_connect.rb:58:in `smb2_tree_connect'
[-] 192.168.224.128:445 -   /home/gwillcox/.rvm/gems/ruby-2.7.2@metasploit-framework/gems/ruby_smb-2.0.10/lib/ruby_smb/client.rb:564:in `tree_connect'
[-] 192.168.224.128:445 -   /home/gwillcox/git/metasploit-framework/lib/rex/proto/smb/simple_client.rb:168:in `connect'
[-] 192.168.224.128:445 -   /home/gwillcox/git/metasploit-framework/lib/msf/core/exploit/remote/smb/client.rb:168:in `smb_login'
[-] 192.168.224.128:445 -   /home/gwillcox/git/metasploit-framework/modules/auxiliary/admin/dcerpc/cve_2021_1675_printnightmare.rb:298:in `check'
[-] 192.168.224.128:445 - Check failed: The state could not be determined.
smcintyre-r7 commented 9 months ago

I had completely forgotten about this but it turns out it's been fixed since 6.1.30 released on February 17th, 2022. More specifically it was fixed in commit bd0aba3cca929a476b07a57e33f6d7d8ed975409 which bumps RubySMB from 3.0.2 to 3.0.3. This bump included the changes from two PRs: rapid7/ruby_smb#190 and rapid7/ruby_smb#193.

Old and broken:

msf6 auxiliary(scanner/smb/smb_enumshares) > run

[*] 127.0.0.1:139         - Starting module
[*] 127.0.0.1:445         - Starting module
[-] 127.0.0.1:445         - RubySMB encountered an error: Communication error with the remote host: Socket read returned nil. The server supports encryption but was not able to handle the encrypted request.
[*] 127.0.0.1:            - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

New and fixed:

[*] 127.0.0.1:139         - Starting module
[*] 127.0.0.1:445         - Starting module
[!] 127.0.0.1:445         - peer_native_os is only available with SMB1 (current version: SMB3)
[!] 127.0.0.1:445         - peer_native_lm is only available with SMB1 (current version: SMB3)
[+] 127.0.0.1:445         - print$ - (DISK) Printer Drivers
[+] 127.0.0.1:445         - foo_share - (DISK) Foo samba share
[+] 127.0.0.1:445         - IPC$ - (IPC|SPECIAL) IPC Service (1d9536797547 server (Samba, Ubuntu))
[*] 127.0.0.1:            - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution complete
adfoster-r7 commented 9 months ago

Can confirm broken on previous versions, and working on the latest release now - thanks! :+1: