Module: Msf::Exploit::Remote::SMB

Includes:
Exploit::Remote::NTLM::Client, Tcp
Included in:
Authenticated
Defined in:
lib/msf/core/exploit/smb.rb

Overview

This mixin provides utility methods for interacting with a SMB/CIFS service on a remote machine. These methods may generally be useful in the context of exploitation. This mixin extends the Tcp exploit mixin. Only one SMB service can be accessed at a time using this class.

Defined Under Namespace

Modules: Authenticated, Psexec

Constant Summary collapse

SIMPLE =
Rex::Proto::SMB::SimpleClient
XCEPT =
Rex::Proto::SMB::Exceptions
CONST =
Rex::Proto::SMB::Constants
DCERPCPacket =

Alias over the Rex DCERPC protocol modules

Rex::Proto::DCERPC::Packet
DCERPCClient =
Rex::Proto::DCERPC::Client
DCERPCResponse =
Rex::Proto::DCERPC::Response
DCERPCUUID =
Rex::Proto::DCERPC::UUID
NDR =
Rex::Encoder::NDR

Instance Attribute Summary collapse

Instance Method Summary collapse

Methods included from Tcp

#chost, #cleanup, #connect_timeout, #cport, #disconnect, #handler, #lhost, #lport, #proxies, #rhost, #rport, #set_tcp_evasions, #ssl, #ssl_version

Instance Attribute Details

#simpleRex::Proto::SMB::SimpleClient


675
676
677
# File 'lib/msf/core/exploit/smb.rb', line 675

def simple
  @simple
end

Instance Method Details

#connect(global = true) ⇒ Object

Override Tcp#connect to setup an SMB connection and configure evasion options

Also populates #simple.


85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
# File 'lib/msf/core/exploit/smb.rb', line 85

def connect(global=true)

  disconnect() if global

  s = super(global)
  self.sock = s if global

  # Disable direct SMB when SMBDirect has not been set
  # and the destination port is configured as 139
  direct = smb_direct
  if(datastore.default?('SMBDirect') and rport.to_i == 139)
    direct = false
  end

  c = SIMPLE.new(s, direct)

  # setup pipe evasion foo
  if datastore['SMB::pipe_evasion']
    # XXX - insert code to change the instance of the read/write functions to do segmentation
  end

  if (datastore['SMB::pad_data_level'])
    c.client.evasion_opts['pad_data'] = datastore['SMB::pad_data_level']
  end

  if (datastore['SMB::pad_file_level'])
    c.client.evasion_opts['pad_file'] = datastore['SMB::pad_file_level']
  end

  if (datastore['SMB::obscure_trans_pipe_level'])
    c.client.evasion_opts['obscure_trans_pipe'] = datastore['SMB::obscure_trans_pipe_level']
  end

  self.simple = c if global
  c
end

#domainObject


183
184
185
# File 'lib/msf/core/exploit/smb.rb', line 183

def domain
  datastore['SMBDomain']
end

#domain_username_split(user) ⇒ Object

If the username contains a / slash, then split it as a domain/username. NOTE: this is predicated on forward slashes, and not Microsoft's backwards slash convention.


199
200
201
202
203
204
205
206
# File 'lib/msf/core/exploit/smb.rb', line 199

def domain_username_split(user)
  return user if(user.nil? || user.empty?)
  if !user[/\//] # Only /, not \!
    return [nil,user]
  else
    return user.split("/",2)
  end
end

#initialize(info = {}) ⇒ Object


35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
# File 'lib/msf/core/exploit/smb.rb', line 35

def initialize(info = {})
  super

  register_evasion_options(
  [
    OptBool.new('SMB::pipe_evasion',     [ true, 'Enable segmented read/writes for SMB Pipes', false]),
    OptInt.new('SMB::pipe_write_min_size', [ true, 'Minimum buffer size for pipe writes',  1]),
    OptInt.new('SMB::pipe_write_max_size', [ true, 'Maximum buffer size for pipe writes', 1024]),
    OptInt.new('SMB::pipe_read_min_size',  [ true, 'Minimum buffer size for pipe reads',  1]),
    OptInt.new('SMB::pipe_read_max_size',  [ true, 'Maximum buffer size for pipe reads', 1024]),
    OptInt.new('SMB::pad_data_level',  [ true, 'Place extra padding between headers and data (level 0-3)', 0]),
    OptInt.new('SMB::pad_file_level',  [ true, 'Obscure path names used in open/create (level 0-3)', 0]),
    OptInt.new('SMB::obscure_trans_pipe_level',  [ true, 'Obscure PIPE string in TransNamedPipe (level 0-3)', 0]),

  ], Msf::Exploit::Remote::SMB)

  register_advanced_options(
  [
    OptBool.new('SMBDirect', [ true, 'The target port is a raw SMB service (not NetBIOS)', true ]),
    OptString.new('SMBUser', [ false, 'The username to authenticate as', '']),
    OptString.new('SMBPass', [ false, 'The password for the specified username', '']),
    OptString.new('SMBDomain',  [ false, 'The Windows domain to use for authentication', '.']),
    OptString.new('SMBName', [ true, 'The NetBIOS hostname (required for port 139 connections)', '*SMBSERVER']),
    OptBool.new('SMB::VerifySignature', [ true, "Enforces client-side verification of server response signatures", false]),
    OptInt.new('SMB::ChunkSize', [ true, 'The chunk size for SMB segments, bigger values will increase speed but break NT 4.0 and SMB signing', 500]),
    #
    # Control the identified operating system of the client
    #
    OptString.new('SMB::Native_OS', [ true, 'The Native OS to send during authentication', 'Windows 2000 2195']),
    OptString.new('SMB::Native_LM', [ true, 'The Native LM to send during authentication', 'Windows 2000 5.0']),

  ], Msf::Exploit::Remote::SMB)

  register_options(
  [
    Opt::RHOST,
    OptInt.new('RPORT', [ true, 'Set the SMB service port', 445])
  ], Msf::Exploit::Remote::SMB)

  register_autofilter_ports([ 139, 445])
  register_autofilter_services(%W{ netbios-ssn microsoft-ds })
end

#smb_create(pipe) ⇒ Object

This method opens a handle to an IPC pipe


164
165
166
# File 'lib/msf/core/exploit/smb.rb', line 164

def smb_create(pipe)
  self.simple.create_pipe(pipe)
end

#smb_directObject


179
180
181
# File 'lib/msf/core/exploit/smb.rb', line 179

def smb_direct
  datastore['SMBDirect']
end

#smb_enumprinters(flags, name, level, blen) ⇒ Object

Calls the EnumPrinters() function of the spooler service


266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
# File 'lib/msf/core/exploit/smb.rb', line 266

def smb_enumprinters(flags, name, level, blen)
  stub =
    NDR.long(flags) +
    (name ? NDR.uwstring(name) : NDR.long(0)) +
    NDR.long(level) +
    NDR.long(rand(0xffffffff)+1)+
    NDR.long(blen) +
    "\x00" * blen +
    NDR.long(blen)

  handle = dcerpc_handle(
    '12345678-1234-abcd-ef00-0123456789ab', '1.0',
    'ncacn_np', ["\\SPOOLSS"]
  )

  begin
    dcerpc_bind(handle)
    dcerpc.call(0x00, stub)
    return dcerpc.last_response.stub_data
  rescue ::Interrupt
    raise $!
  rescue ::Exception => e
    return nil
  end
end

#smb_enumprintprovidersObject

This method dumps the print provider strings from the spooler


293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
# File 'lib/msf/core/exploit/smb.rb', line 293

def smb_enumprintproviders
  resp = smb_enumprinters(8, nil, 1, 0)
  return nil if not resp
  rptr, tmp, blen = resp.unpack("V*")

  resp = smb_enumprinters(8, nil, 1, blen)
  return nil if not resp

  bcnt,pcnt,stat = resp[-12, 12].unpack("VVV")
  return nil if stat != 0
  return nil if pcnt == 0
  return nil if bcnt > blen
  return nil if pcnt < 3

  #
  # The correct way, which leads to invalid offsets :-(
  #
  #providers = []
  #
  #0.upto(pcnt-1) do |i|
  #	flags,desc_o,name_o,comm_o = resp[8 + (i*16), 16].unpack("VVVV")
  #
  #	#desc = read_unicode(resp,8+desc_o).gsub("\x00", '')
  #	#name = read_unicode(resp,8+name_o).gsub("\x00", '')
  #	#comm = read_unicode(resp,8+comm_o).gsub("\x00", '')
  #	#providers << [flags,desc,name,comm]
  #end
  #
  #providers

  return resp

end

#smb_file_exist?(file) ⇒ Boolean

Whether a remote file exists

Parameters:

  • file (String)

    Path to a file to remove, relative to the most-recently connected share

Returns:

  • (Boolean)

Raises:


222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
# File 'lib/msf/core/exploit/smb.rb', line 222

def smb_file_exist?(file)
  begin
    fd = simple.open(file, 'ro')
  rescue XCEPT::ErrorCode => e
    # If attempting to open the file results in a "*_NOT_FOUND" error,
    # then we can be sure the file is not there.
    #
    # Copy-pasted from smb/exceptions.rb to avoid the gymnastics
    # required to pull them out of a giant inverted hash
    #
    # 0xC0000034 => "STATUS_OBJECT_NAME_NOT_FOUND",
    # 0xC000003A => "STATUS_OBJECT_PATH_NOT_FOUND",
    # 0xC0000225 => "STATUS_NOT_FOUND",
    error_is_not_found = [ 0xC0000034, 0xC000003A, 0xC0000225 ].include?(e.error_code)
    # If the server returns some other error, then there was a
    # permissions problem or some other difficulty that we can't
    # really account for and hope the caller can deal with it.
    raise e unless error_is_not_found
    found = !error_is_not_found
  else
    # There was no exception, so we know the file is openable
    fd.close
    found = true
  end

  found
end

#smb_file_rm(file) ⇒ void

This method returns an undefined value.

Remove remote file

Parameters:

  • file (String)

    Path to a file to remove, relative to the most-recently connected share


254
255
256
257
# File 'lib/msf/core/exploit/smb.rb', line 254

def smb_file_rm(file)
  fd = smb_open(file, 'ro')
  fd.delete
end

#smb_fingerprintObject

This method performs an extensive set of fingerprinting operations


328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
# File 'lib/msf/core/exploit/smb.rb', line 328

def smb_fingerprint
  fprint = {}

  # Connect to the server if needed
  if(not self.simple)
    connect()
    ()
  end



  os = 'Unknown'
  sp = ''

  case smb_peer_os()
    when 'Windows NT 4.0'
      os = 'Windows NT 4.0'

    when 'Windows 5.0'
      os = 'Windows 2000'

    when 'Windows 5.1'
      os = 'Windows XP'

    when /Windows XP (\d+) Service Pack (\d+)/
      os = 'Windows XP'
      sp = 'Service Pack ' + $2

    when /Windows Server 2003 (\d+)$/
      os = 'Windows 2003'
      sp = 'No Service Pack'

    when /Windows Server 2003 (\d+) Service Pack (\d+)/
      os = 'Windows 2003'
      sp = 'Service Pack ' + $2

    when /Windows Server 2003 R2 (\d+) Service Pack (\d+)/
      os = 'Windows 2003 R2'
      sp = 'Service Pack ' + $2

    when /Windows Vista \(TM\) (\w+|\w+ \w+) (\d+) Service Pack (\d+)/
      os = 'Windows Vista ' + $1
      sp = 'Service Pack ' + $3

    when /Windows Vista \(TM\) (\w+|\w+ \w+) (\d+)/
      os = 'Windows Vista ' + $1
      sp = '(Build ' + $2 + ')'

    when /Windows Server \(R\) 2008 (([\-\w]+ ){1,4})(\d+) Service Pack (\d+)/
      os = 'Windows 2008 ' + $1.strip
      sp = 'Service Pack ' + $4

    when /Windows Server \(R\) 2008 (([\-\w]+ ){1,4})(\d+)/
      os = 'Windows 2008 ' + $1.strip
      sp = '(Build ' + $3 + ')'

    when /Windows \(R\) Storage Server 2008 (([\-\w]+ ){1,4})(\d+) Service Pack (\d+)/
      os = 'Windows 2008 Storage Server ' + $1.strip
      sp = 'Service Pack ' + $4

    when /Windows \(R\) Storage Server 2008 (([\-\w]+ ){1,4})(\d+)/
      os = 'Windows 2008 Storage Server ' + $1.strip
      sp = '(Build ' + $3 + ')'

    when /Windows 7 (([\-\w]+ ){1,4})(\d+)/
      os = 'Windows 7 ' + $1.strip
      sp = '(Build ' + $3 + ')'

    when /^(Windows.*) Service Pack (\d+)/
      os = $1.strip
      sp = 'Service Pack ' + $2

    when /^(Windows.*) (\d+)/
      os = $1.strip
      sp = '(Build ' + $2 + ')'

    when 'VxWorks'
      os = 'VxWorks'
      sp = smb_peer_lm()

    when 'Unix'
      os = 'Unix'
      sv = smb_peer_lm()
      case sv
        when /Samba\s+(.*)/i
          sp = 'Samba ' + $1
      end
  end


  if (os == 'Windows XP' and sp.length == 0)
    # SRVSVC was blocked in SP2
    begin
      smb_create("\\SRVSVC")
      sp = 'Service Pack 0 / 1'
    rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e
      if (e.error_code == 0xc0000022)
        sp = 'Service Pack 2+'
      end
    end
  end

  if (os == 'Windows 2000' and sp.length == 0)
    # LLSRPC was blocked in a post-SP4 update
    begin
      smb_create("\\LLSRPC")
      sp = 'Service Pack 0 - 4'
    rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e
      if (e.error_code == 0xc0000022)
        sp = 'Service Pack 4 with MS05-010+'
      end
    end
  end

  #
  # Perform granular XP SP checks if LSARPC is exposed
  #
  if (os == 'Windows XP')

    #
    # Service Pack 2 added a range(0,64000) to opnum 0x22 in SRVSVC
    # Credit to spoonm for first use of unbounded [out] buffers
    #
    handle = dcerpc_handle(
      '4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0',
      'ncacn_np', ["\\BROWSER"]
    )

    begin
      dcerpc_bind(handle)

      stub =
        NDR.uwstring(Rex::Text.rand_text_alpha(rand(10)+1)) +
        NDR.wstring(Rex::Text.rand_text_alpha(rand(10)+1))  +
        NDR.long(64001) +
        NDR.long(0) +
        NDR.long(0)

      dcerpc.call(0x22, stub)
      sp = "Service Pack 0 / 1"

    rescue ::Interrupt
      raise $!
    rescue ::Rex::Proto::SMB::Exceptions::ErrorCode
    rescue ::Rex::Proto::SMB::Exceptions::ReadPacket
    rescue ::Rex::Proto::DCERPC::Exceptions::Fault
      sp = "Service Pack 2+"
    rescue ::Exception
    end


    #
    # Service Pack 3 fixed information leaks via [unique][out] pointers
    # Call SRVSVC::NetRemoteTOD() to return [out] [ref] [unique]
    # Credit:
    #   Pointer leak is well known, but Immunity also covered in a paper
    #   Silent fix of pointer leak in SP3 and detection method by Rhys Kidd
    #
    handle = dcerpc_handle(
      '4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0',
      'ncacn_np', ["\\BROWSER"]
    )

    begin
      dcerpc_bind(handle)

      stub = NDR.uwstring(Rex::Text.rand_text_alpha(rand(8)+1))
      resp = dcerpc.call(0x1c, stub)

      if(resp and resp[0,4] == "\x00\x00\x02\x00")
        sp = "Service Pack 3"
      else
        if(resp and sp =~ /Service Pack 2\+/)
          sp = "Service Pack 2"
        end
      end

    rescue ::Interrupt
      raise $!
    rescue ::Rex::Proto::SMB::Exceptions::ErrorCode
    rescue ::Rex::Proto::SMB::Exceptions::ReadPacket
    rescue ::Exception
    end
  end


  #
  # Remote language detection via Print Providers
  # Credit: http://immunityinc.com/downloads/Remote_Language_Detection_in_Immunity_CANVAS.odt
  #

  lang = 'Unknown'

  sigs =
  {
    'English' =>
      [
        Rex::Text.to_unicode('Windows NT Remote Printers'),
        Rex::Text.to_unicode('LanMan Print Services')
      ],
    'Spanish' =>
      [
        Rex::Text.to_unicode('Impresoras remotas Windows NT'),
        Rex::Text.to_unicode('Impresoras remotas de Windows NT')
      ],
    'Italian' =>
      [
        Rex::Text.to_unicode('Stampanti remote di Windows NT'),
        Rex::Text.to_unicode('Servizi di stampa LanMan')
      ],
    'French' =>
      [
        Rex::Text.to_unicode('Imprimantes distantes NT'),
        Rex::Text.to_unicode('Imprimantes distantes pour Windows NT'),
        Rex::Text.to_unicode("Services d'impression LanMan")
      ],
    'German' =>
      [
        Rex::Text.to_unicode('Remotedrucker')
      ],
    'Portuguese - Brazilian' =>
      [
        Rex::Text.to_unicode('Impr. remotas Windows NT'),
        Rex::Text.to_unicode('Impressoras remotas do Windows NT')
      ],
    'Portuguese' =>
      [
        Rex::Text.to_unicode('Imp. remotas do Windows NT')
      ],
    'Hungarian' =>
      [
        Rex::Text.to_unicode("\x54\xe1\x76\x6f\x6c\x69\x20\x6e\x79\x6f\x6d\x74\x61\x74\xf3\x6b")
      ],
    'Finnish' =>
      [
        Rex::Text.to_unicode("\x45\x74\xe4\x74\x75\x6c\x6f\x73\x74\x69\x6d\x65\x74")
      ],
    'Dutch' =>
      [
        Rex::Text.to_unicode('Externe printers voor NT')
      ],
    'Danish' =>
      [
        Rex::Text.to_unicode('Fjernprintere')
      ],
    'Swedish' =>
      [
        Rex::Text.to_unicode("\x46\x6a\xe4\x72\x72\x73\x6b\x72\x69\x76\x61\x72\x65")
      ],
    'Polish' =>
      [
        Rex::Text.to_unicode('Zdalne drukarki')
      ],
    'Czech'   =>
      [
        Rex::Text.to_unicode("\x56\x7a\x64\xe1\x6c\x65\x6e\xe9\x20\x74\x69\x73\x6b\xe1\x72\x6e\x79")
      ],
    'Turkish' =>
      [
        "\x59\x00\x61\x00\x7a\x00\x31\x01\x63\x00\x31\x01\x6c\x00\x61\x00\x72\x00"
      ],
    'Japanese' =>
      [
        "\xea\x30\xe2\x30\xfc\x30\xc8\x30\x20\x00\xd7\x30\xea\x30\xf3\x30\xbf\x30"
      ],
    'Chinese - Traditional' =>
      [
        "\xdc\x8f\x0b\x7a\x53\x62\x70\x53\x3a\x67"
      ],
    'Chinese - Traditional / Taiwan' =>
      [
        "\x60\x90\xef\x7a\x70\x53\x68\x88\x5f\x6a",
      ],
    'Korean' =>
      [
        "\xd0\xc6\xa9\xac\x20\x00\x04\xd5\xb0\xb9\x30\xd1",
      ],
    'Russian' =>
      [
        "\x1f\x04\x40\x04\x38\x04\x3d\x04\x42\x04\x35\x04\x40\x04\x4b\x04\x20\x00\x43\x04\x34\x04\x30\x04\x3b\x04\x35\x04\x3d\x04\x3d\x04\x3e\x04\x33\x04\x3e\x04\x20\x00\x34\x04\x3e\x04\x41\x04\x42\x04\x43\x04\x3f\x04\x30\x04",
      ],

  }

  begin
    prov = smb_enumprintproviders()
    if(prov)
      sigs.each_key do |k|
        sigs[k].each do |s|
          if(prov.index(s))
            lang = k
            break
          end
          break if lang != 'Unknown'
        end
        break if lang != 'Unknown'
      end

      if(lang == 'Unknown')

        @fpcache ||= {}
        mhash = ::Digest::MD5.hexdigest(prov[4,prov.length-4])

        if(not @fpcache[mhash])

          buff = "\n"
          buff << "*** NEW FINGERPRINT: PLEASE SEND TO [ msfdev[at]metasploit.com ]\n"
          buff << " VERS: $Revision$\n"
          buff << " HOST: #{rhost}\n"
          buff << "   OS: #{os}\n"
          buff << "   SP: #{sp}\n"

          prov.unpack("H*")[0].scan(/.{64}|.*/).each do |line|
            next if line.length == 0
            buff << "   FP: #{line}\n"
          end

          prov.split(/\x00\x00+/n).each do |line|
            line.gsub!("\x00",'')
            line.strip!
            next if line.length < 6

            buff <<  "  TXT: #{line}\n"
          end

          buff << "*** END FINGERPRINT\n"

          print_line(buff)

          @fpcache[mhash] = true
        end

      end
    end
  rescue ::Interrupt
    raise $!
  rescue ::Rex::Proto::SMB::Exceptions::ErrorCode
  end

  fprint['os']   = os
  fprint['sp']   = sp
  fprint['lang'] = lang

  fprint
end

#smb_hostnameObject


175
176
177
# File 'lib/msf/core/exploit/smb.rb', line 175

def smb_hostname
  datastore['SMBName'] || '*SMBSERVER'
end

#smb_loginvoid

This method returns an undefined value.

Establishes an SMB session over the default socket and connects to the IPC$ share.

You should call #connect before calling this


133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
# File 'lib/msf/core/exploit/smb.rb', line 133

def 
  simple.(
    datastore['SMBName'],
    datastore['SMBUser'],
    datastore['SMBPass'],
    datastore['SMBDomain'],
    datastore['SMB::VerifySignature'],
    datastore['NTLM::UseNTLMv2'],
    datastore['NTLM::UseNTLM2_session'],
    datastore['NTLM::SendLM'],
    datastore['NTLM::UseLMKey'],
    datastore['NTLM::SendNTLM'],
    datastore['SMB::Native_OS'],
    datastore['SMB::Native_LM'],
    {:use_spn => datastore['NTLM::SendSPN'], :name =>  self.rhost}
  )
  simple.connect("\\\\#{datastore['RHOST']}\\IPC$")
end

#smb_open(path, perm) ⇒ Object

the default chunk size of 48000 for OpenFile is not compatible when signing is enabled (and with some nt4 implementations) cause it looks like MS windows refuse to sign big packet and send STATUS_ACCESS_DENIED fd.chunk_size = 500 is better


171
172
173
# File 'lib/msf/core/exploit/smb.rb', line 171

def smb_open(path, perm)
  self.simple.open(path, perm, datastore['SMB::ChunkSize'])
end

#smb_peer_lmObject

This method returns the native lanman version of the peer


159
160
161
# File 'lib/msf/core/exploit/smb.rb', line 159

def smb_peer_lm
  self.simple.client.peer_native_lm
end

#smb_peer_osObject

This method returns the native operating system of the peer


154
155
156
# File 'lib/msf/core/exploit/smb.rb', line 154

def smb_peer_os
  self.simple.client.peer_native_os
end

#smbhostObject


187
188
189
190
191
192
193
# File 'lib/msf/core/exploit/smb.rb', line 187

def smbhost
  if domain == "."
    "#{rhost}:#{rport}"
  else
    "#{rhost}:#{rport}|#{domain}"
  end
end

#splitname(uname) ⇒ Object


208
209
210
211
212
213
214
215
# File 'lib/msf/core/exploit/smb.rb', line 208

def splitname(uname)
  if datastore["PRESERVE_DOMAINS"]
    d,u = domain_username_split(uname)
    return u
  else
    return uname
  end
end

#unicode(str) ⇒ Object

Convert a standard ASCII string to 16-bit Unicode


123
124
125
# File 'lib/msf/core/exploit/smb.rb', line 123

def unicode(str)
  Rex::Text.to_unicode(str)
end