Running against tryhackme's nerdherd room results in no shares output:
use smb_enumshares
run rhosts=10.10.34.174
Example:
msf6 > use smb_enumshares
msf6 auxiliary(scanner/smb/smb_enumshares) > run rhosts=10.10.34.174
[*] 10.10.34.174: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
In case it's useful, version output:
run rhosts=10.10.34.174
[*] 10.10.34.174:445 - SMB Detected (versions:1, 2, 3) (preferred dialect:SMB 3.1.1) (compression capabilities:LZNT1) (encryption capabilities:AES-128-CCM) (signatures:optional) (guid:{6472656e-6568-6472-0000-000000000000}) (authentication domain:NERDHERD)
[*] 10.10.34.174:445 - Host could not be identified: Windows 6.1 (Samba 4.3.11-Ubuntu)
[*] 10.10.34.174: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
There is no output:
msf6 > use smb_enumshares
msf6 auxiliary(scanner/smb/smb_enumshares) > run rhosts=10.10.34.174
[*] 10.10.34.174: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
For some of the other smb modules, there's more obvious logging that something's gone wrong:
msf6 auxiliary(scanner/smb/smb_enumusers) > run rhosts=10.10.34.174
Error: 10.10.34.174 RubySMB::Error::EncryptionError Communication error with the remote host: Socket read returned nil. The server supports encryption but was not able to handle the encrypted request.
Error: 10.10.34.174 RubySMB::Error::EncryptionError Communication error with the remote host: Socket read returned nil. The server supports encryption but was not able to handle the encrypted request.
[*] 10.10.34.174: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
What should happen?
smbclient on kali works as expected:
smbclient -L //10.10.34.174/ -U "anonymous"%" "
        Sharename           Type      Comment
        ---------           ----      -------
        print$              Disk      Printer Drivers
        nerdherd_classified Disk      Samba on Ubuntu
        IPC$                IPC       IPC Service (nerdherd server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available
Interestingly, although smbclient works, cme doesn't work:
docker run --rm -it --entrypoint '' byt3bl33d3r/crackmapexec /bin/bash
cme smb 10.10.34.174 --shares
Output:
root@2d72576240ec:/usr/src/crackmapexec# cme smb 10.10.34.174 --shares
SMB 10.10.34.174 445 NERDHERD [*] Windows 6.1 (name:NERDHERD) (domain:) (signing:False) (SMBv1:True)
Traceback (most recent call last):
File "/usr/local/lib/python3.8/site-packages/impacket/smbconnection.py", line 384, in connectTree
return self._SMBConnection.connect_tree(share)
File "/usr/local/lib/python3.8/site-packages/impacket/smb.py", line 2764, in tree_connect_andx
if smb.isValidAnswer(SMB.SMB_COM_TREE_CONNECT_ANDX):
File "/usr/local/lib/python3.8/site-packages/impacket/smb.py", line 718, in isValidAnswer
raise SessionError("SMB Library Error", self['ErrorClass'] + (self['_reserved'] << 8), self['ErrorCode'], self['Flags2'] & SMB.FLAGS2_NT_STATUS, self)
impacket.smb.SessionError: SMB SessionError: class: ERRSRV, code: ERRbaduid(The UID is not known as a valid ID on this session.)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/local/lib/python3.8/site-packages/cme/protocols/smb.py", line 533, in shares
for share in self.conn.listShares():
File "/usr/local/lib/python3.8/site-packages/impacket/smbconnection.py", line 407, in listShares
dce.connect()
File "/usr/local/lib/python3.8/site-packages/impacket/dcerpc/v5/rpcrt.py", line 800, in connect
return self._transport.connect()
File "/usr/local/lib/python3.8/site-packages/impacket/dcerpc/v5/transport.py", line 411, in connect
self.__tid = self.__smb_connection.connectTree('IPC$')
File "/usr/local/lib/python3.8/site-packages/impacket/smbconnection.py", line 386, in connectTree
raise SessionError(e.get_error_code(), e.get_error_packet())
impacket.smbconnection.SessionError: SMB SessionError: 0x5b
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "src/gevent/greenlet.py", line 854, in gevent._gevent_cgreenlet.Greenlet.run
File "/usr/local/lib/python3.8/site-packages/cme/protocols/smb.py", line 121, in __init__
connection.__init__(self, args, db, host)
File "/usr/local/lib/python3.8/site-packages/cme/connection.py", line 47, in __init__
self.proto_flow()
File "/usr/local/lib/python3.8/site-packages/cme/connection.py", line 86, in proto_flow
self.call_cmd_args()
File "/usr/local/lib/python3.8/site-packages/cme/connection.py", line 93, in call_cmd_args
getattr(self, k)()
File "/usr/local/lib/python3.8/site-packages/cme/protocols/smb.py", line 569, in shares
error, desc = e.getErrorString()
File "/usr/local/lib/python3.8/site-packages/impacket/smbconnection.py", line 1007, in getErrorString
return nt_errors.ERROR_MESSAGES[self.error]
KeyError: 91
2020-11-05T17:06:58Z <Greenlet at 0x7fd3deccc480: smb(Namespace(aesKey=None, clear_obfscripts=False, con, <protocol.database object at 0x7fd3decc5be0>, '10.10.34.174')> failed with KeyError
The following global/module datastore, and database setup was configured before the issue occurred:
[framework/core]
loglevel=3
[framework/database]
default_db=local-https-data-service
[framework/database/local-https-data-service]
url=[Filtered]
cert=[Filtered]
skip_verify=[Filtered]
api_token=[Filtered]
[framework/features]
wrapped_tables=true
RHOST_HTTP_URL=true
[framework/ui/console]
ActiveModule=auxiliary/scanner/smb/smb_enumusers
[scanner/smb/smb_enumusers]
DCERPC::fake_bind_multi=false
WORKSPACE=
VERBOSE=false
RHOSTS=
SSL=false
SSLVersion=Auto
SSLVerifyMode=PEER
SSLCipher=
Proxies=
CPORT=
CHOST=
ConnectTimeout=10
TCP::max_send_size=0
TCP::send_delay=0
NTLM::UseNTLMv2=true
NTLM::UseNTLM2_session=true
NTLM::SendLM=true
NTLM::UseLMKey=false
NTLM::SendNTLM=true
NTLM::SendSPN=true
SMB::pipe_evasion=false
SMB::pipe_write_min_size=1
SMB::pipe_write_max_size=1024
SMB::pipe_read_min_size=1
SMB::pipe_read_max_size=1024
SMB::pad_data_level=0
SMB::pad_file_level=0
SMB::obscure_trans_pipe_level=0
SMBDirect=true
SMBUser=
SMBPass=
SMBDomain=.
SMBName=*SMBSERVER
SMB::VerifySignature=false
SMB::ChunkSize=500
SMB::Native_OS=Windows 2000 2195
SMB::Native_LM=Windows 2000 5.0
SMB::ProtocolVersion=1,2,3
SMB::AlwaysEncrypt=true
DCERPC::max_frag_size=4096
DCERPC::fake_bind_multi_prepend=0
DCERPC::fake_bind_multi_append=0
DCERPC::smb_pipeio=rw
DCERPC::ReadTimeout=10
THREADS=1
ShowProgress=true
ShowProgressPercent=10
DB_ALL_USERS=false
The following commands were run during the session and before this issue occurred:
2914 run rhosts=10.10.34.174
2915 log
2916 run
2917 run rhosts=10.10.34.174
2918 version
2919 use smb_version
2920 run rhosts=10.10.34.174
2921 use smb_enumshares
2922 run rhosts=10.10.34.174
2923 use smb_enumusers
2924 use 0
2925 run rhosts=10.10.34.174
2926 version
2927 debug
The following framework errors occurred before the issue occurred:
[11/05/2020 17:21:04] [e(0)] core: Dependency for windows/encrypted_reverse_tcp is not supported
[11/05/2020 17:21:04] [e(0)] core: Dependency for windows/x64/encrypted_reverse_tcp is not supported
[11/05/2020 17:22:17] [e(0)] core: Dependency for windows/encrypted_shell_reverse_tcp is not supported
[11/05/2020 17:22:17] [e(0)] core: Dependency for windows/x64/encrypted_shell_reverse_tcp is not supported
[11/05/2020 17:22:17] [e(0)] core: Dependency for windows/encrypted_reverse_tcp is not supported
[11/05/2020 17:22:17] [e(0)] core: Dependency for windows/x64/encrypted_reverse_tcp is not supported
[11/05/2020 17:22:47] [e(0)] core: Dependency for windows/encrypted_shell_reverse_tcp is not supported
[11/05/2020 17:22:47] [e(0)] core: Dependency for windows/x64/encrypted_shell_reverse_tcp is not supported
[11/05/2020 17:22:47] [e(0)] core: Dependency for windows/encrypted_reverse_tcp is not supported
[11/05/2020 17:22:47] [e(0)] core: Dependency for windows/x64/encrypted_reverse_tcp is not supported
The following web service errors occurred before the issue occurred:
No matching patterns were found in msf-ws.log.
The following framework logs were recorded before the issue occurred:
[11/05/2020 17:22:47] [d(2)] core: Built staged payload osx/armle/shell/bind_tcp.
[11/05/2020 17:22:47] [d(2)] core: Stager osx/armle/reverse_tcp and stage bsdi/x86/shell have incompatible platforms: ["OSX"] - ["BSDi"]
[11/05/2020 17:22:47] [d(2)] core: Stager osx/armle/reverse_tcp and stage windows/patchupdllinject have incompatible platforms: ["OSX"] - ["Windows"]
[11/05/2020 17:22:47] [d(2)] core: Stager osx/armle/reverse_tcp and stage windows/vncinject have incompatible platforms: ["OSX"] - ["Windows"]
[11/05/2020 17:22:47] [d(2)] core: Stager osx/armle/reverse_tcp and stage windows/shell have incompatible platforms: ["OSX"] - ["Windows"]
[11/05/2020 17:22:47] [d(2)] core: Stager osx/armle/reverse_tcp and stage windows/peinject have incompatible platforms: ["OSX"] - ["Windows"]
[11/05/2020 17:22:47] [d(2)] core: Stager osx/armle/reverse_tcp and stage windows/meterpreter have incompatible platforms: ["OSX"] - ["Windows"]
[11/05/2020 17:22:47] [d(2)] core: Stager osx/armle/reverse_tcp and stage windows/upexec have incompatible platforms: ["OSX"] - ["Windows"]
[11/05/2020 17:22:47] [d(2)] core: Stager osx/armle/reverse_tcp and stage windows/x64/vncinject have incompatible platforms: ["OSX"] - ["Windows"]
[11/05/2020 17:22:47] [d(2)] core: Stager osx/armle/reverse_tcp and stage windows/x64/shell have incompatible platforms: ["OSX"] - ["Windows"]
[11/05/2020 17:22:47] [d(2)] core: Stager osx/armle/reverse_tcp and stage windows/x64/peinject have incompatible platforms: ["OSX"] - ["Windows"]
[11/05/2020 17:22:47] [d(2)] core: Stager osx/armle/reverse_tcp and stage windows/x64/meterpreter have incompatible platforms: ["OSX"] - ["Windows"]
[11/05/2020 17:22:47] [d(2)] core: Stager osx/armle/reverse_tcp and stage windows/patchupmeterpreter have incompatible platforms: ["OSX"] - ["Windows"]
[11/05/2020 17:22:47] [d(2)] core: Stager osx/armle/reverse_tcp and stage windows/dllinject have incompatible platforms: ["OSX"] - ["Windows"]
[11/05/2020 17:22:47] [d(2)] core: Stager osx/armle/reverse_tcp and stage android/shell have incompatible platforms: ["OSX"] - ["Android"]
[11/05/2020 17:22:47] [d(2)] core: Stager osx/armle/reverse_tcp and stage android/meterpreter have incompatible platforms: ["OSX"] - ["Android"]
[11/05/2020 17:22:47] [d(2)] core: Stager osx/armle/reverse_tcp and stage linux/aarch64/shell have incompatible platforms: ["OSX"] - ["Linux"]
[11/05/2020 17:22:47] [d(2)] core: Stager osx/armle/reverse_tcp and stage linux/aarch64/meterpreter have incompatible platforms: ["OSX"] - ["Linux"]
[11/05/2020 17:22:47] [d(2)] core: Stager osx/armle/reverse_tcp and stage linux/x86/shell have incompatible platforms: ["OSX"] - ["Linux"]
[11/05/2020 17:22:47] [d(2)] core: Stager osx/armle/reverse_tcp and stage linux/x86/meterpreter have incompatible platforms: ["OSX"] - ["Linux"]
[11/05/2020 17:22:47] [d(2)] core: Stager osx/armle/reverse_tcp and stage linux/mipsle/shell have incompatible platforms: ["OSX"] - ["Linux"]
[11/05/2020 17:22:47] [d(2)] core: Stager osx/armle/reverse_tcp and stage linux/mipsle/meterpreter have incompatible platforms: ["OSX"] - ["Linux"]
[11/05/2020 17:22:47] [d(2)] core: Stager osx/armle/reverse_tcp and stage linux/x64/shell have incompatible platforms: ["OSX"] - ["Linux"]
[11/05/2020 17:22:47] [d(2)] core: Stager osx/armle/reverse_tcp and stage linux/x64/meterpreter have incompatible platforms: ["OSX"] - ["Linux"]
[11/05/2020 17:22:47] [d(2)] core: Stager osx/armle/reverse_tcp and stage linux/armle/shell have incompatible platforms: ["OSX"] - ["Linux"]
[11/05/2020 17:22:47] [d(2)] core: Stager osx/armle/reverse_tcp and stage linux/armle/meterpreter have incompatible platforms: ["OSX"] - ["Linux"]
[11/05/2020 17:22:47] [d(2)] core: Stager osx/armle/reverse_tcp and stage linux/mipsbe/shell have incompatible platforms: ["OSX"] - ["Linux"]
[11/05/2020 17:22:47] [d(2)] core: Stager osx/armle/reverse_tcp and stage linux/mipsbe/meterpreter have incompatible platforms: ["OSX"] - ["Linux"]
[11/05/2020 17:22:47] [d(2)] core: Stager osx/armle/reverse_tcp and stage php/meterpreter have incompatible platforms: ["OSX"] - ["PHP"]
[11/05/2020 17:22:47] [d(2)] core: Stager osx/armle/reverse_tcp and stage bsd/x86/shell have incompatible platforms: ["OSX"] - ["BSD"]
[11/05/2020 17:22:47] [d(2)] core: Stager osx/armle/reverse_tcp and stage java/shell have incompatible platforms: ["OSX"] - ["Java"]
[11/05/2020 17:22:47] [d(2)] core: Stager osx/armle/reverse_tcp and stage java/meterpreter have incompatible platforms: ["OSX"] - ["Java"]
[11/05/2020 17:22:47] [d(2)] core: Stager osx/armle/reverse_tcp and stage multi/meterpreter have incompatible platforms: ["OSX"] - ["Multi"]
[11/05/2020 17:22:47] [d(2)] core: Stager osx/armle/reverse_tcp and stage netware/shell have incompatible platforms: ["OSX"] - ["Netware"]
[11/05/2020 17:22:47] [d(2)] core: Stager osx/armle/reverse_tcp and stage python/meterpreter have incompatible platforms: ["OSX"] - ["Python"]
[11/05/2020 17:22:47] [d(2)] core: Stager osx/armle/reverse_tcp and stage osx/x86/isight have incompatible architectures: armle - x86
[11/05/2020 17:22:47] [d(2)] core: Stager osx/armle/reverse_tcp and stage osx/x86/bundleinject have incompatible architectures: armle - x86
[11/05/2020 17:22:47] [d(2)] core: Stager osx/armle/reverse_tcp and stage osx/x86/vforkshell have incompatible architectures: armle - x86
[11/05/2020 17:22:47] [d(2)] core: Stager osx/armle/reverse_tcp and stage osx/ppc/shell have incompatible architectures: armle - ppc
[11/05/2020 17:22:47] [d(2)] core: Stager osx/armle/reverse_tcp and stage osx/x64/meterpreter have incompatible architectures: armle - x64
[11/05/2020 17:22:47] [d(2)] core: Stager osx/armle/reverse_tcp and stage osx/x64/dupandexecve have incompatible architectures: armle - x64
[11/05/2020 17:22:47] [d(1)] core: Module is compatible with
[11/05/2020 17:22:47] [d(2)] core: Built staged payload osx/armle/execute/reverse_tcp.
[11/05/2020 17:22:47] [d(1)] core: Module is compatible with
[11/05/2020 17:22:47] [d(2)] core: Built staged payload osx/armle/shell/reverse_tcp.
[11/05/2020 17:22:55] [i(2)] core: Reloading auxiliary module scanner/smb/smb_enumusers. Ambiguous module warnings are safe to ignore
[11/05/2020 17:22:57] [d(0)] core: SMB version(s) to negotiate: [1, 2, 3]
[11/05/2020 17:22:57] [d(0)] core: Negotiated SMB version: SMB3
[11/05/2020 17:22:57] [d(0)] core: SMB version(s) to negotiate: [1, 2, 3]
[11/05/2020 17:22:57] [d(0)] core: Negotiated SMB version: SMB3
The versions and install method of your Metasploit setup:
Framework: 6.0.15-dev-9076f2cc83
Ruby: ruby 2.7.2p137 (2020-10-01 revision 5445e04352) [x86_64-darwin19]
Install Root: /Users/adfoster/Documents/code/metasploit-framework
Session Type: Connected to remote_data_service: (https://localhost:5443). Connection type: http.
Install Method: Git Clone
Also replicated with the thm anonymous room, possibly a regression in behavior:
6.0.2
msf5 > use smb_enumshares
Matching Modules
================

   #  Name                                 Disclosure Date  Rank    Check  Description
   -  ----                                 ---------------  ----    -----  -----------
   0  auxiliary/scanner/smb/smb_enumshares                  normal  No     SMB Share Enumeration
[*] Using auxiliary/scanner/smb/smb_enumshares
msf5 auxiliary(scanner/smb/smb_enumshares) > use 0
msf5 auxiliary(scanner/smb/smb_enumshares) > run rhosts=10.10.4.153
[+] 10.10.4.153:139 - print$ - (DISK) Printer Drivers
[+] 10.10.4.153:139 - pics - (DISK) My SMB Share Directory for Pics
[+] 10.10.4.153:139 - IPC$ - (IPC) IPC Service (anonymous server (Samba
[+] 10.10.4.153:139 - Ubuntu))
[*] 10.10.4.153: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
6.0.3
msf6 auxiliary(scanner/smb/smb_enumshares) > run rhosts=10.10.4.153
[*] 10.10.4.153: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_enumshares) > version
Framework: 6.0.3-dev-07acf7bd37
Console : 6.0.3-dev-07acf7bd37
Seems like an issue with Samba 4.3.11, which you can easily install with Ubuntu 16.04.
I could reproduce the issue against tryhackme's server but I couldn't with the same Samba version (4.3.11) on a local Ubuntu 16.04. Here are my notes:
msf6 auxiliary(scanner/smb/smb_enumshares) > set SMB::AlwaysEncrypt true
SMB::AlwaysEncrypt => true
msf6 auxiliary(scanner/smb/smb_enumshares) > run
[!] 172.16.60.1:139 - peer_native_os is only available with SMB1 (current version: SMB3)
[!] 172.16.60.1:139 - peer_native_lm is only available with SMB1 (current version: SMB3)
[+] 172.16.60.1:139 - temp - (DISK)
[+] 172.16.60.1:139 - IPC$ - (IPC) IPC Service (847f03d07c9d server (Samba
[+] 172.16.60.1:139 - Ubuntu))
[+] 172.16.60.1:139 - smbuser - (DISK) Home directory of smbuser
[*] 172.16.60.1: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_enumshares) > set SMB::AlwaysEncrypt false
SMB::AlwaysEncrypt => false
msf6 auxiliary(scanner/smb/smb_enumshares) > run
[!] 172.16.60.1:139 - peer_native_os is only available with SMB1 (current version: SMB3)
[!] 172.16.60.1:139 - peer_native_lm is only available with SMB1 (current version: SMB3)
[+] 172.16.60.1:139 - temp - (DISK)
[+] 172.16.60.1:139 - IPC$ - (IPC) IPC Service (847f03d07c9d server (Samba
[+] 172.16.60.1:139 - Ubuntu))
[+] 172.16.60.1:139 - smbuser - (DISK) Home directory of smbuser
[*] 172.16.60.1: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
set SMB::AlwaysEncrypt false gets rid of the encryption error:
Error: 10.10.34.174 RubySMB::Error::EncryptionError Communication error with the remote host: Socket read returned nil. The server supports encryption but was not able to handle the encrypted request.
output:
msf6 auxiliary(scanner/smb/smb_enumshares) > set SMB::AlwaysEncrypt false
SMB::AlwaysEncrypt => false
msf6 auxiliary(scanner/smb/smb_enumshares) > run
[-] 10.10.254.193:139 - Error: '10.10.254.193' 'RubySMB::Error::UnexpectedStatusCode' 'The server responded with an unexpected status code: STATUS_ACCESS_DENIED'
[-] 10.10.254.193:445 - Error: '10.10.254.193' 'RubySMB::Error::UnexpectedStatusCode' 'The server responded with an unexpected status code: STATUS_ACCESS_DENIED'
[*] 10.10.254.193: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
TREE_CONNECT returns STATUS_ACCESS_DENIED and I found that disabling signing fixed this. Even if the server sets the Signing enabled flag on the NEGOTIATE response packet (meaning it supports it), it fails verifying the signature on the TREE_CONNECT packet. The fix would be to change the if statement in RubySMB smb3_sign, which forces the client to not always sign the TREE_CONNECT request:
if !session_key.empty? && signing_required
...
output:
msf6 auxiliary(scanner/smb/smb_enumshares) > run
[!] 10.10.254.193:139 - peer_native_os is only available with SMB1 (current version: SMB3)
[!] 10.10.254.193:139 - peer_native_lm is only available with SMB1 (current version: SMB3)
[+] 10.10.254.193:139 - print$ - (DISK) Printer Drivers
[+] 10.10.254.193:139 - nerdherd_classified - (DISK) Samba on Ubuntu
[+] 10.10.254.193:139 - IPC$ - (IPC) IPC Service (nerdherd server (Samba
[+] 10.10.254.193:139 - Ubuntu))
[*] 10.10.254.193: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
However, according to the protocol, SMB3 with 3.1.1 dialect (the one selected by the server) requires the TREE_CONNECT request to always be signed. So, not-signing the TREE_CONNECT request is likely to break on other SMB/Samba servers, since it does not follow the protocol. I don't think it is a good idea.
msf6 auxiliary(scanner/smb/smb_enumshares) > set SMB::AlwaysEncrypt false
SMB::AlwaysEncrypt => false
msf6 auxiliary(scanner/smb/smb_enumshares) > set SMB::ProtocolVersion 1,2
SMB::ProtocolVersion => 1,2
msf6 auxiliary(scanner/smb/smb_enumshares) > run
[!] 10.10.254.193:139 - peer_native_os is only available with SMB1 (current version: SMB2)
[!] 10.10.254.193:139 - peer_native_lm is only available with SMB1 (current version: SMB2)
[+] 10.10.254.193:139 - print$ - (DISK) Printer Drivers
[+] 10.10.254.193:139 - nerdherd_classified - (DISK) Samba on Ubuntu
[+] 10.10.254.193:139 - IPC$ - (IPC) IPC Service (nerdherd server (Samba
[+] 10.10.254.193:139 - Ubuntu))
[*] 10.10.254.193: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
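An added example, written for this page and not taken from RubySMB or Metasploit, that models the signing decision discussed above in Ruby. It implements AES-128-CMAC (RFC 4493) on the stdlib OpenSSL::Cipher rather than the openssl-cmac gem, derives an SMB 3.0.x signing key with the SP800-108 counter-mode KDF from MS-SMB2 3.1.4.2, signs and verifies a constructed TREE_CONNECT request, and encodes the MS-SMB2 3.2.4.1.1 rule that a 3.1.1 TREE_CONNECT request is signed even when signing was negotiated as optional, which is the combination the server above advertises (signatures:optional, preferred dialect SMB 3.1.1). The session key, session id and share path are constructed, and the 3.1.1 pre-auth integrity hash that real 3.1.1 key derivation feeds into is not modelled.

```ruby
require 'openssl'
# Added illustration, not RubySMB or Metasploit code: models the SMB2/SMB3 signing
# decision and MACs discussed above; keys, packet bytes and share path are constructed.
SMB2_HEADER_SIZE  = 64
SMB2_FLAGS_SIGNED = 0x00000008
SMB2_TREE_CONNECT = 0x0003                       # MS-SMB2 2.2.1.2 Command value
DIALECT_0210 = 0x0210
DIALECT_0300 = 0x0300
DIALECT_0311 = 0x0311
# --- AES-128-CMAC (RFC 4493) on stdlib OpenSSL::Cipher, no openssl-cmac gem ---
def aes_ecb_block(key, block)
  c = OpenSSL::Cipher.new('AES-128-ECB')
  c.encrypt; c.padding = 0; c.key = key
  c.update(block) + c.final
end
def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
end
def shift_left_one(bytes)                        # 128-bit big-endian value << 1
  n = (bytes.unpack('H*').first.to_i(16) << 1) & ((1 << 128) - 1)
  [format('%032x', n)].pack('H*')
end
def cmac_subkeys(key)
  rb = "\x00".b * 15 + "\x87".b                  # const_Rb for a 128-bit block
  l  = aes_ecb_block(key, "\x00".b * 16)
  k1 = shift_left_one(l)
  k1 = xor_bytes(k1, rb) if (l.getbyte(0) & 0x80) != 0
  k2 = shift_left_one(k1)
  k2 = xor_bytes(k2, rb) if (k1.getbyte(0) & 0x80) != 0
  [k1, k2]
end
def aes_cmac(key, msg)
  msg = msg.b
  k1, k2 = cmac_subkeys(key)
  if !msg.empty? && msg.bytesize % 16 == 0       # complete final block: XOR K1
    n = msg.bytesize / 16
    last = xor_bytes(msg.byteslice((n - 1) * 16, 16), k1)
  else                                            # 10*-padded final block: XOR K2
    n = msg.bytesize / 16 + 1
    part = msg.byteslice((n - 1) * 16, 16)
    last = xor_bytes(part + "\x80".b + "\x00".b * (15 - part.bytesize), k2)
  end
  x = "\x00".b * 16
  (n - 1).times { |i| x = aes_ecb_block(key, xor_bytes(x, msg.byteslice(i * 16, 16))) }
  aes_ecb_block(key, xor_bytes(x, last))
end

# SMB 3.0.x SigningKey = KDF(SessionKey, "SMB2AESCMAC\0", "SmbSign\0"), SP800-108 counter
# mode (MS-SMB2 3.1.4.2); 3.1.1 uses "SMBSigningKey\0" + pre-auth hash, not modelled here.
def smb3_kdf(session_key, label, context)
  data = [1].pack('N') + label + "\x00".b + context + [128].pack('N')
  OpenSSL::HMAC.digest('SHA256', session_key, data)[0, 16]
end
def mac_for_dialect(dialect, key, msg)           # 3.x: AES-128-CMAC; 2.x: HMAC-SHA256/16
  dialect >= DIALECT_0300 ? aes_cmac(key, msg) : OpenSSL::HMAC.digest('SHA256', key, msg)[0, 16]
end

# MS-SMB2 3.2.4.1.1: sign when the session requires it, and ALWAYS for a
# TREE_CONNECT request on dialect 3.1.1, even if signing was negotiated optional.
def must_sign?(command, dialect, signing_required)
  return true if signing_required
  dialect == DIALECT_0311 && command == SMB2_TREE_CONNECT
end
# 64-byte SMB2 header (MS-SMB2 2.2.1.2): Flags at offset 16, Signature at 48
def build_header(command, session_id)
  [0xFE, 'SMB', 64, 0, 0, command, 1, 0, 0, 1, 0, 0, session_id]
    .pack('Ca3vvVvvVVQ<VVQ<') + "\x00".b * 16
end
# TREE_CONNECT request (MS-SMB2 2.2.9): 8-byte fixed part, then UTF-16LE path
def build_tree_connect(path, session_id)
  buf = path.encode('UTF-16LE').b
  build_header(SMB2_TREE_CONNECT, session_id) +
    [9, 0, SMB2_HEADER_SIZE + 8, buf.bytesize].pack('vvvv') + buf
end
def sign_packet(packet, key, dialect)
  pkt = packet.b.dup
  flags = pkt.byteslice(16, 4).unpack('V').first | SMB2_FLAGS_SIGNED
  pkt[16, 4]  = [flags].pack('V')
  pkt[48, 16] = "\x00".b * 16                     # MAC runs over a zeroed Signature
  pkt[48, 16] = mac_for_dialect(dialect, key, pkt)
  pkt
end
def verify_packet(packet, key, dialect)
  pkt = packet.b.dup
  received = pkt.byteslice(48, 16)
  pkt[48, 16] = "\x00".b * 16
  mac_for_dialect(dialect, key, pkt) == received
end

# Constructed TREE_CONNECT through the decision; returns dialects whose request goes out signed.
def signed_dialects(signing_required: false)
  key = smb3_kdf("\x11".b * 16, "SMB2AESCMAC\x00".b, "SmbSign\x00".b)  # constructed
  req = build_tree_connect('\\\\10.10.34.174\\IPC$', 0x4242)
  [DIALECT_0210, DIALECT_0300, DIALECT_0311].select do |d|
    must_sign?(SMB2_TREE_CONNECT, d, signing_required) &&
      verify_packet(sign_packet(req, key, d), key, d)
  end
end
```

With signing optional, signed_dialects returns only 0x0311: on a 2.x or 3.0.x dialect the TREE_CONNECT goes out unsigned, which is why forcing SMB::ProtocolVersion 1,2 above works against this server, while on 3.1.1 the client must sign it and this Samba 4.3.11 build then rejects the signature with STATUS_ACCESS_DENIED. The aes_cmac helper can be checked against the RFC 4493 section 4 test vectors.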
Just for posterity, I was able to replicate with docker; these are the steps I ran through:
Grabbing ubuntu 16.04 and installing docker:
docker run -it --rm -p 139:139 -p 445:445 ubuntu:16.04 /bin/bash
mkdir -p /tmp/foo
apt update
apt install -y samba
Verifying version is as expected:
$ samba --version
Version 4.3.11-Ubuntu
Adding the share:
cat << EOF >> /etc/samba/smb.conf
[foo_share]
comment = Foo samba share
path = /tmp/foo
read only = no
browsable = yes
EOF
Restart the service:
service smbd restart
Now that docker is set up and bound to the host's ports, I was able to replicate Christophe's and Spencer's findings when scanning with Metasploit:
use scanner/smb/smb_enumusers
run RHOST=127.0.0.1 smb::alwaysencrypt=false
Error: 127.0.0.1 RubySMB::Error::EncryptionError Communication error with the remote host: Socket read returned nil. The server supports encryption but was not able to handle the encrypted request.
Error: 127.0.0.1 RubySMB::Error::EncryptionError Communication error with the remote host: Socket read returned nil. The server supports encryption but was not able to handle the encrypted request.
[*] 127.0.0.1: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Running without encryption:
run RHOST=127.0.0.1 smb::alwaysencrypt=false
Error: 127.0.0.1 RubySMB::Error::UnexpectedStatusCode The server responded with an unexpected status code: STATUS_ACCESS_DENIED
Error: 127.0.0.1 RubySMB::Error::UnexpectedStatusCode The server responded with an unexpected status code: STATUS_ACCESS_DENIED
[*] 127.0.0.1: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Running with protocol version 1,2:
set SMB::ProtocolVersion 1,2
run RHOST=127.0.0.1 smb::alwaysencrypt=false
[!] 127.0.0.1:139 - peer_native_os is only available with SMB1 (current version: SMB2)
[!] 127.0.0.1:139 - peer_native_lm is only available with SMB1 (current version: SMB2)
[+] 127.0.0.1:139 - print$ - (DISK) Printer Drivers
[+] 127.0.0.1:139 - foo_share - (DISK) Samba share
[+] 127.0.0.1:139 - IPC$ - (IPC) IPC Service (2b17d92ee88b server (Samba
[+] 127.0.0.1:139 - Ubuntu))
[*] 127.0.0.1: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Installing smbclient in a separate container and targeting the host machine works:
docker run -it --rm ubuntu:16.04 /bin/bash
apt install -y smbclient
smbclient -L //docker.for.mac.host.internal/ -U "anonymous"%" "
Result:
root@757b88788c6e:/# smbclient -L //docker.for.mac.host.internal/ -U "anonymous"%" "
WARNING: The "syslog" option is deprecated
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]
        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        foo_share       Disk      Samba share
        IPC$            IPC       IPC Service (2b17d92ee88b server (Samba, Ubuntu))
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
I'm assuming smbclient worked because it's not encrypted by default; if I run with smbclient's encryption enabled, it fails:
root@757b88788c6e:/# smbclient -e -L //docker.for.mac.host.internal/ -U "anonymous"%" "
WARNING: The "syslog" option is deprecated
NTLMSSP packet check failed due to short signature (0 bytes)!
NTLMSSP NTLM2 packet check failed due to invalid signature!
session setup failed: NT_STATUS_ACCESS_DENIED
As everything is now pointing to this being an issue with the particular Samba version, I wonder if there's any affordance we can add to Metasploit to help users know the steps they could run through to still try to extract information out of the rhost.
Looks like it's the same result for Ubuntu 20.04 LTS and Samba 4.11.6 (January 28, 2020).
I can confirm I have this same issue with msfconsole 6.0.17-dev. Unfortunately, I do not have 100% verifiable information about the remote machine's exact distro or Samba version, as I am running into this during a challenge.