Skip to content

Fixes and improvements from MSF code review #156

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 5 commits into from
Jun 19, 2020
Merged

Fixes and improvements from MSF code review #156

merged 5 commits into from
Jun 19, 2020

Conversation

cdelafuente-r7
Copy link
Contributor

This is related to the comments left in rapid7/metasploit-framework#13417:

  • Fix issues with Mac OS X SMB server
    • Set the unicode flag on the Negotiate SMB Header request
    • Check if the Socket is closed before calling IO.select
    • Improve Socket#recv_packet exception handling
  • Improvements related to the Windows 8 errors:
    • Change :encryption_required parameter name to a more meaningful name according
      to the context: :session_encrypt_data and :tree_connect_encrypt_data.
    • #can_be_encrypted? now returns false with SMB1 packet.
    • Improve exception handling in recv_encrypt in case an encryption
      error occurs on the server (this will help in detecting the unpatched Win8 bug).
    • Only enable session encryption if the server supports it. This only applies
      if session_encrypt_data was originally set (forced). If it is not set, session
      encryption will stay disabled even if the server supports encryption.

Verification Steps

Follow the instructions in rapid7/metasploit-framework#13417 to setup the targets.

On Mac OS X, you can enable file sharing in System Preferences > Sharing > File Sharing.

Mac OS X testing with MSF

These changes are needed: rapid7/metasploit-framework#13417
I set up a local share and a new test account for smb file sharing.

set RHOSTS 127.0.0.1
set SMBUser smbtest
set SMBPass 123456
set SMB::ProtocolVersion 1,2,3

msf5 auxiliary(scanner/smb/smb_enumshares) > run

[-] 127.0.0.1:139         - Error: '127.0.0.1' 'Rex::ConnectionRefused' 'The connection was refused by the remote host (127.0.0.1:139).'
[!] 127.0.0.1:445         - peer_native_os is only available with SMB1 (current version: SMB2)
[!] 127.0.0.1:445         - peer_native_lm is only available with SMB1 (current version: SMB2)
[+] 127.0.0.1:445         - Administrators Public Folder - (DISK)
[+] 127.0.0.1:445         - IPC$ - (IPC)
[+] 127.0.0.1:445         - smbtests Public Folder - (DISK)
[+] 127.0.0.1:445         - tmp - (DISK)
[+] 127.0.0.1:445         - smbtest - (DISK)
[*] 127.0.0.1:            - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Windows 8 testing with MSF

These changes are needed: rapid7/metasploit-framework#13417
I set up a local share and a new test account for smb file sharing on a remote unpatched Windows 8 (fresh installation).

set RHOSTS 172.16.60.131
set SMBUser smbtest
set SMBPass 123456
set SMB::ProtocolVersion 1,2,3
set SMB::AlwaysEncrypt true

msf5 auxiliary(scanner/smb/smb_enumshares) > run

[-] 172.16.60.131:139     - Login Failed: Unable to negotiate SMB1 with the remote host: Not a valid SMB packet
[-] 172.16.60.131:445     - Error: '172.16.60.131' 'RubySMB::Error::EncryptionError' 'Communication error with the remote host: An error occurred reading from the Socket Connection reset by peer. The server supports encryption but was not able to handle the encrypted request.'
[*] 172.16.60.131:        - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Make sure the error message is this one:

'RubySMB::Error::EncryptionError' 'Communication error with the remote host: An error occurred reading from the Socket Connection reset by peer. The server supports encryption but was not able to handle the encrypted request.

@cdelafuente-r7 cdelafuente-r7 changed the title Fixes and improvements from code review in MSF Fixes and improvements from MSF code review Jun 17, 2020
@coveralls
Copy link

coveralls commented Jun 17, 2020
edited
Loading

Coverage Status

Coverage decreased (-0.01%) to 97.666% when pulling d12caf8 on cdelafuente-r7:fix_some_bugs into 73cd615 on rapid7:master.

@cdelafuente-r7
Fix issues with Mac OS X SMB server
54865de 
- Set the unicode flag on the Negotiate SMB Header request
- Check if the Socket is closed before calling IO.select
- Improve Socket#recv_packet exception handling
@cdelafuente-r7
Update related to Win8 errors
8c381b1 
- Change :encryption_required parameter name to a more meaningful name according
  to the context: :session_encrypt_data and :tree_connect_encrypt_data.
- #can_be_encrypted? now returns false with SMB1 packet.
- Improve exception handling in #recv_encrypt in case an encryption
  error occurs on the server (this will help in detecting the unpatched Win8 bug).
- Only enable session encryption if the server supports it. This only applies
  if session_encrypt_data was originally set (forced). If it is not set, session
  encryption will stay disabled even if the server supports encryption.
@cdelafuente-r7
Update specs
fec10fc
@cdelafuente-r7 cdelafuente-r7 mentioned this pull request Jun 17, 2020
Merged
@cdelafuente-r7
More fixes
7f099de 
- Remove the `OEM` flag when initializing the `Net::NTLM::Client`.
  Unicode is the default now and `Net::NTLM::Client` does not handle OEM
  string correctly.
- Improve error message when an SMB1 `NtCreateAndxResponse` is received
  without extended information
@cdelafuente-r7
Update specs
d12caf8
@smcintyre-r7 smcintyre-r7 self-assigned this Jun 18, 2020
@smcintyre-r7
Copy link
Contributor

I've finished testing this and I'm going to land it in a moment. I was able to reproduce the original issue and verify the patch for both bugs. Nice work @cdelafuente-r7 !

Windows 8.1

Before 
msf5 auxiliary(scanner/smb/smb_enumshares) > set VERBOSE true
VERBOSE => true
msf5 auxiliary(scanner/smb/smb_enumshares) > run

[-] 192.168.159.38:139    - Login Failed: Unable to negotiate SMB1 with the remote host: Not a valid SMB packet
[-] 192.168.159.38:445    - Error: '192.168.159.38' 'RubySMB::Error::CommunicationError' 'An error occurred reading from the Socket Connection reset by peer'
[*] 192.168.159.38:       - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
After 
msf5 auxiliary(scanner/smb/smb_enumshares) > set VERBOSE true
VERBOSE => true
msf5 auxiliary(scanner/smb/smb_enumshares) > run

[-] 192.168.159.38:139    - Login Failed: Unable to negotiate SMB1 with the remote host: Not a valid SMB packet
[-] 192.168.159.38:445    - Error: '192.168.159.38' 'RubySMB::Error::EncryptionError' 'Communication error with the remote host: An error occurred reading from the Socket Connection reset by peer. The server supports encryption but was not able to handle the encrypted request.'
[*] 192.168.159.38:       - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

OS X 10.14

Note that in addition to enabling file sharing via System Preferences > Sharing > File Sharing, it is necessary to go to navigate to Options and:

  1. Enable "Share files and folders using SMB"
  2. Enable the account you're going to authenticate with under "Window File Sharing"
Before 
msf5 auxiliary(scanner/smb/smb_enumshares) > run

[-] 10.7.9.227:139        - Error: '10.7.9.227' 'Rex::ConnectionRefused' 'The connection was refused by the remote host (10.7.9.227:139).'
[-] 10.7.9.227:445        - Login Failed: NBSS Header is missing
[*] 10.7.9.227:           - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
After 
msf5 auxiliary(scanner/smb/smb_enumshares) > run

[-] 10.7.9.227:139        - Error: '10.7.9.227' 'Rex::ConnectionRefused' 'The connection was refused by the remote host (10.7.9.227:139).'
[!] 10.7.9.227:445        - peer_native_os is only available with SMB1 (current version: SMB3)
[!] 10.7.9.227:445        - peer_native_lm is only available with SMB1 (current version: SMB3)
[+] 10.7.9.227:445        - Admin's Public Folder - (DISK) 
[+] 10.7.9.227:445        - IPC$ - (IPC) 
[+] 10.7.9.227:445        - Macintosh HD - (DISK) 
[+] 10.7.9.227:445        - smbtest - (DISK) 
[+] 10.7.9.227:445        - admin - (DISK) 
[*] 10.7.9.227:           - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

@smcintyre-r7 smcintyre-r7 merged commit 98f58ed into rapid7:master Jun 19, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@smcintyre-r7 smcintyre-r7 smcintyre-r7 approved these changes

Assignees

@smcintyre-r7 smcintyre-r7

Labels
bug enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@cdelafuente-r7 @coveralls @smcintyre-r7