Improve fingerprinting of SMB endpoints via native_lm + recog #8452
Conversation
Anything we should still be holding for here @jhart-r7 ?
@busterb yes -- as mentioned in the current description, there are several modules that rely on the SMB fingerprinting that is being changed here. We need to be sure that these continue to function and that we aren't missing out on any possible improvements to these modules as a side effect of the improved fingerprinting. I believe some of the affected modules are very important from a Pro perspective and am wary of breaking a key module. There are also the necessary updates to metasploit_data_models in rapid7/metasploit_data_models#170
I've had this in my fork for months, hasn't run over my dog or set my house on fire (yet).
Is this still delayed? What needs to happen?
@bwatters-r7 there is a dependent PR rapid7/metasploit_data_models#170 that needs to get reviewed and landed, and then someone needs to review and land this PR.
Sorry @jhart-r7 , looks like we haven't been able to make progress on this. To help our PR queue reflect stuff that is in flight, I am closing this and adding the
This is a WIP for #8451. I have not fully tested it and realize there may be important fingerprinting bits in other modules that may break because of this or the particulars of how this fingerprinting is supposed to work. Posting here to get feedback and get assistance from others.
The idea here is to update `smb_fingerprint` to account for fingerprints first from native_os and then from native_lm, and merge them together, taking what comes from native_os in the event of conflicts. This utilizes the recog native_lm fingerprints (https://github.com/rapid7/recog/blob/master/xml/smb_native_lm.xml) to attempt to obtain more complete/accurate fingerprints when necessary in relevant smb modules:
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smb/smb_enumshares.rb#L157
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smb/smb_uninit_cred.rb#L155
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smb/smb_version.rb#L56
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/brightstor/ca_arcserve_342.rb#L60
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/smb/ms08_067_netapi.rb#L860
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/samba/is_known_pipename.rb#L426
This will require updates to MDM (rapid7/metasploit_data_models#170)
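The merge rule the description lays out (match native_os first, then native_lm, and let native_os win whenever the two disagree on the same attribute) as a small added Ruby example. This is not the PR's code and not recog's matcher: the two fingerprint tables below are constructed stand-ins for the recog XML databases, `match_fingerprint` and `smb_fingerprint_merge` are hypothetical helpers, and the attribute keys are assumed to follow recog's `os.*` / `service.*` naming. The example also reports which keys conflicted, which is useful when reviewing the affected modules for behaviour changes.

```ruby
# Added example (not Metasploit or recog code): merge an SMB fingerprint
# derived from native_os with one derived from native_lm, native_os winning
# on conflict, as described in the PR.

# Constructed stand-in for the smb_native_os fingerprint database. Each entry
# is [regex, builder]; the builder turns a MatchData into attribute pairs.
NATIVE_OS_FINGERPRINTS = [
  [/\AWindows (\d+)\.(\d+)\z/,
   ->(m) { { 'os.vendor' => 'Microsoft', 'os.family' => 'Windows',
             'os.version' => "#{m[1]}.#{m[2]}" } }],
  [/\AUnix\z/,
   ->(_m) { { 'os.family' => 'Unix' } }],
].freeze

# Constructed stand-in for the smb_native_lm fingerprint database. The LAN
# Manager banner alone is a weaker signal, so its version guess is the kind
# of attribute native_os should be allowed to override.
NATIVE_LM_FINGERPRINTS = [
  [/\AWindows 2000 LAN Manager\z/,
   ->(_m) { { 'os.vendor' => 'Microsoft', 'os.family' => 'Windows',
              'os.version' => '5.0' } }],
  [/\ASamba (\d+\.\d+\.\d+)\z/,
   ->(m) { { 'service.vendor' => 'Samba', 'service.product' => 'Samba',
             'service.version' => m[1] } }],
].freeze

# Return the attribute hash for the first matching pattern, or {} if the
# banner is absent or unrecognised (hypothetical helper).
def match_fingerprint(db, banner)
  return {} if banner.nil? || banner.empty?
  db.each do |regex, builder|
    m = regex.match(banner)
    return builder.call(m) if m
  end
  {}
end

# Fingerprint native_os and native_lm separately, then merge. Hash#merge lets
# the right-hand side win, so passing os_fp last implements "native_os wins
# in the event of conflicts". Keys present in both with differing values are
# returned under :conflicts so a caller can log them (hypothetical helper).
def smb_fingerprint_merge(native_os, native_lm)
  os_fp = match_fingerprint(NATIVE_OS_FINGERPRINTS, native_os)
  lm_fp = match_fingerprint(NATIVE_LM_FINGERPRINTS, native_lm)
  conflicts = (os_fp.keys & lm_fp.keys).select { |k| os_fp[k] != lm_fp[k] }
  { fingerprint: lm_fp.merge(os_fp), conflicts: conflicts }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample banners, not captured from a real host.
  [['Windows 5.1', 'Windows 2000 LAN Manager'],
   ['Unix', 'Samba 3.6.3'],
   ['', 'Samba 3.6.3']].each do |os, lm|
    r = smb_fingerprint_merge(os, lm)
    puts "native_os=#{os.inspect} native_lm=#{lm.inspect} -> #{r[:fingerprint]} conflicts=#{r[:conflicts]}"
  end
end
```

The first sample pair shows why the precedence matters: the LM banner's own version guess is overridden by the native_os value, and `os.version` is reported as a conflict. The second pair shows the complementary case, where native_os only yields a family and native_lm fills in the service details without any conflict.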