Tib3rius / AutoRecon

AutoRecon is a multi-threaded network reconnaissance tool which performs automated enumeration of services.


More of a question than an issue - smb vuln scripts don't all run by default? How can I add it as a preference?

1mut1ny opened this issue

Working on a box recently, AutoRecon's nmap scripts showed the box was vulnerable to the following exploits (excluding a 2009 one):

# Nmap 7.92 scan initiated Fri Jul 22 20:06:20 2022 as: nmap -vv --reason -Pn -T4 -sV -p 445 "--script=banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN /home/kali/Boxes/Internal/results/192.168.248.40/scans/tcp445/tcp_445_smb_nmap.txt -oX /home/kali/Boxes/Internal/results/192.168.248.40/scans/tcp445/xml/tcp_445_smb_nmap.xml 192.168.248.40
Nmap scan report for 192.168.248.40
Host is up, received user-set (0.020s latency).
Scanned at 2022-07-22 20:06:20 UTC for 41s

PORT    STATE SERVICE      REASON          VERSION
445/tcp open  microsoft-ds syn-ack ttl 127 Windows Server (R) 2008 Standard 6001 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
|_smb-enum-services: ERROR: Script execution failed (use -d to debug)
Service Info: Host: INTERNAL; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2

Host script results:
| smb-enum-shares: 
|   note: ERROR: Enumerating shares failed, guessing at common ones (NT_STATUS_ACCESS_DENIED)
|   account_used: <blank>
|   \\192.168.248.40\ADMIN$: 
|     warning: Couldn't get details for share: NT_STATUS_ACCESS_DENIED
|     Anonymous access: <none>
|   \\192.168.248.40\C$: 
|     warning: Couldn't get details for share: NT_STATUS_ACCESS_DENIED
|     Anonymous access: <none>
|   \\192.168.248.40\IPC$: 
|     warning: Couldn't get details for share: NT_STATUS_ACCESS_DENIED
|     Anonymous access: READ
|   \\192.168.248.40\PUBLIC: 
|     warning: Couldn't get details for share: NT_STATUS_ACCESS_DENIED
|_    Anonymous access: <none>
| smb2-security-mode: 
|   2.0.2: 
|_    Message signing enabled but not required
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb-print-text: false
| smb-os-discovery: 
|   OS: Windows Server (R) 2008 Standard 6001 Service Pack 1 (Windows Server (R) 2008 Standard 6.0)
|   OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
|   Computer name: internal
|   NetBIOS computer name: INTERNAL\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2022-07-22T13:06:27-07:00
| nbstat: NetBIOS name: INTERNAL, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:bf:23:d3 (VMware)
| Names:
|   INTERNAL<00>         Flags: <unique><active>
|   WORKGROUP<00>        Flags: <group><active>
|   INTERNAL<20>         Flags: <unique><active>
| Statistics:
|   00 50 56 bf 23 d3 00 00 00 00 00 00 00 00 00 00 00
|   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|_  00 00 00 00 00 00 00 00 00 00 00 00 00 00
| smb-mbenum: 
|_  ERROR: Call to Browser Service failed with status = 2184
| smb2-time: 
|   date: 2022-07-22T20:06:28
|_  start_date: 2021-09-22T02:21:01
| smb-protocols: 
|   dialects: 
|     NT LM 0.12 (SMBv1) [dangerous, but default]
|_    2.0.2
| smb2-capabilities: 
|   2.0.2: 
|_    Distributed File System
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|           
|     Disclosure date: 2017-03-14
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jul 22 20:07:01 2022 -- 1 IP address (1 host up) scanned in 41.23 seconds

Running the nmap script for SMB vulns discovered another one:

Two questions: firstly, would AutoRecon with its standard implementation be expected to capture the second result, and if not, what's the best way to include the second command in my configuration so it gets run in the future? (I'm OK with the risks of DoSing the target.)

  1. AutoRecon in its standard implementation tries to be "safe". If you look at the script argument given to Nmap:
--script=banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)

Any script marked with brute, broadcast, dos, external, or fuzzer is not run. Several of the smb-vuln-* scripts are marked as "dos" since they can crash systems.

  2. If you look at the SMB Vulnerabilities plugin: https://github.com/Tib3rius/AutoRecon/blob/main/autorecon/default-plugins/smb-vuln.py

You'll see that it is tagged as "unsafe" and not "default", so it won't run by default. If you want this specific plugin to run, you will have to specify the following tags argument:

--tags=default,smb-vulnerabilities

This will tell AutoRecon to run all default plugins (as usual), and also the smb-vulnerabilities plugin. Alternatively, if you are using a config file, you can add the following to the top of the file:

tags = 'default,smb-vulnerabilities'
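To see concretely which scripts the "safe" expression keeps and which it drops, here is an added example (not part of the issue thread or of AutoRecon's code) that implements the selection semantics of Nmap's --script argument: comma-separated items are unioned, and/or/not with parentheses are evaluated in the usual precedence, a bare word matches a script name or category, and a word with * is a glob on the script name. The script-to-category table is constructed for illustration from the categories lines of the NSE script headers (an assumption here; confirm with nmap --script-help <name> on your own install).

```python
import fnmatch
import re

# Constructed lookup table: NSE script name -> categories from its header.
# Assumed for illustration; verify locally with `nmap --script-help <name>`.
SCRIPTS = {
    "banner": {"discovery", "safe"},
    "nbstat": {"default", "discovery", "safe"},
    "smb-enum-shares": {"discovery", "intrusive"},
    "smb-os-discovery": {"default", "discovery", "safe"},
    "smb-protocols": {"safe", "discovery"},
    "smb-security-mode": {"default", "discovery", "safe"},
    "smb-vuln-ms17-010": {"vuln", "safe"},
    "smb-vuln-ms10-061": {"vuln", "intrusive"},
    "smb-vuln-ms10-054": {"vuln", "intrusive", "dos"},
    "smb-vuln-cve2009-3103": {"vuln", "intrusive", "dos"},
    "smb-brute": {"brute", "intrusive"},
    "smb-flood": {"intrusive", "dos"},
    "ssl-cert": {"default", "safe", "discovery"},
    "http-title": {"default", "discovery", "safe"},
}

# The expression AutoRecon passes to nmap for the SMB service scan (from the issue).
AUTORECON_EXPR = ("banner,(nbstat or smb* or ssl*) and not "
                  "(brute or broadcast or dos or external or fuzzer)")

# Tokens: parentheses, commas, and words (script names, categories, globs).
TOKEN_RE = re.compile(r"\s*(\(|\)|,|[A-Za-z0-9_*.\-]+)")


def tokenize(expr):
    expr, pos, tokens = expr.strip(), 0, []
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"bad character at {pos}: {expr[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


class Parser:
    """Recursive-descent parser producing a small tuple-based AST.

    Precedence (highest first): parentheses, not, and, or, comma (top-level union).
    """

    def __init__(self, expr):
        self.toks, self.i = tokenize(expr), 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        node = self.parse_or()
        while self.peek() == ",":          # comma-separated items are unioned
            self.take()
            node = ("or", node, self.parse_or())
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def parse_or(self):
        node = self.parse_and()
        while self.peek() == "or":
            self.take()
            node = ("or", node, self.parse_and())
        return node

    def parse_and(self):
        node = self.parse_not()
        while self.peek() == "and":
            self.take()
            node = ("and", node, self.parse_not())
        return node

    def parse_not(self):
        if self.peek() == "not":
            self.take()
            return ("not", self.parse_not())
        return self.parse_atom()

    def parse_atom(self):
        tok = self.take()
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        if tok is None or tok in (")", ",", "and", "or", "not"):
            raise ValueError(f"unexpected token {tok!r}")
        return ("match", tok)


def matches(term, name, categories):
    """A bare word matches a script name or category; a word with '*' is a glob on the name."""
    term = term.lower()
    if "*" in term:
        return fnmatch.fnmatchcase(name, term)
    return term == name or term in categories


def evaluate(node, name, categories):
    kind = node[0]
    if kind == "match":
        return matches(node[1], name, categories)
    if kind == "not":
        return not evaluate(node[1], name, categories)
    left = evaluate(node[1], name, categories)
    right = evaluate(node[2], name, categories)
    return (left and right) if kind == "and" else (left or right)


def select_scripts(expr, scripts=SCRIPTS):
    """Return the sorted script names that the --script expression would run."""
    tree = Parser(expr).parse()
    return sorted(n for n, cats in scripts.items() if evaluate(tree, n, cats))


def dropped_by_safe_filter(scripts=SCRIPTS):
    """smb-vuln-* scripts that a bare `--script=smb-vuln*` runs but AutoRecon's expression skips."""
    everything = set(select_scripts("smb-vuln*", scripts))
    safe = set(select_scripts(AUTORECON_EXPR, scripts))
    return sorted(everything - safe)


if __name__ == "__main__":
    print("AutoRecon default selects:", select_scripts(AUTORECON_EXPR))
    print("Skipped by the dos/brute filter:", dropped_by_safe_filter())
```

Running it shows smb-vuln-ms17-010 surviving the filter (its header lists it as safe) while smb-vuln-cve2009-3103 and smb-vuln-ms10-054 are dropped by `not (... dos ...)`, which is exactly the gap between the AutoRecon output and the manual `--script=smb-vuln*` scan in the thread. Feeding it a different expression is a quick way to check what a tags or config change would actually run before pointing it at a target.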

That's great, thanks for the detailed explanation.

So the solution doesn't seem to be working as I had expected for this. The first line of my config.toml file (the one in my home directory) looks like this:

tags = 'default,smb-vulnerabilities'
# Configure regular AutoRecon options at the top of this file.

And my nmap smb results from autorecon look like this:

# Nmap 7.92 scan initiated Tue Aug 30 14:14:24 2022 as: nmap -vv --reason -Pn -T4 -sV -p 445 "--script=banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN /home/kali/Boxes/Internal/results/192.168.80.40/scans/tcp445/tcp_445_smb_nmap.txt -oX /home/kali/Boxes/Internal/results/192.168.80.40/scans/tcp445/xml/tcp_445_smb_nmap.xml 192.168.80.40
Nmap scan report for 192.168.80.40
Host is up, received user-set (0.080s latency).
Scanned at 2022-08-30 14:14:25 UTC for 91s

PORT    STATE SERVICE      REASON          VERSION
445/tcp open  microsoft-ds syn-ack ttl 127 Windows Server (R) 2008 Standard 6001 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
|_smb-enum-services: ERROR: Script execution failed (use -d to debug)
Service Info: Host: INTERNAL; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2

Host script results:
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|           
|     Disclosure date: 2017-03-14
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
| smb-enum-shares: 
|   note: ERROR: Enumerating shares failed, guessing at common ones (NT_STATUS_ACCESS_DENIED)
|   account_used: <blank>
|   \\192.168.80.40\ADMIN$: 
|     warning: Couldn't get details for share: NT_STATUS_ACCESS_DENIED
|     Anonymous access: <none>
|   \\192.168.80.40\C$: 
|     warning: Couldn't get details for share: NT_STATUS_ACCESS_DENIED
|     Anonymous access: <none>
|   \\192.168.80.40\IPC$: 
|     warning: Couldn't get details for share: NT_STATUS_ACCESS_DENIED
|     Anonymous access: READ
|   \\192.168.80.40\PUBLIC: 
|     warning: Couldn't get details for share: NT_STATUS_ACCESS_DENIED
|_    Anonymous access: <none>
| smb-os-discovery: 
|   OS: Windows Server (R) 2008 Standard 6001 Service Pack 1 (Windows Server (R) 2008 Standard 6.0)
|   OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
|   Computer name: internal
|   NetBIOS computer name: INTERNAL\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2022-08-30T07:14:33-07:00
|_smb-print-text: false
| smb2-security-mode: 
|   2.0.2: 
|_    Message signing enabled but not required
| nbstat: NetBIOS name: INTERNAL, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:ba:0a:70 (VMware)
| Names:
|   INTERNAL<00>         Flags: <unique><active>
|   WORKGROUP<00>        Flags: <group><active>
|   INTERNAL<20>         Flags: <unique><active>
| Statistics:
|   00 50 56 ba 0a 70 00 00 00 00 00 00 00 00 00 00 00
|   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|_  00 00 00 00 00 00 00 00 00 00 00 00 00 00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time: 
|   date: 2022-08-30T14:14:32
|_  start_date: 2022-02-15T16:09:41
| smb2-capabilities: 
|   2.0.2: 
|_    Distributed File System
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
| smb-protocols: 
|   dialects: 
|     NT LM 0.12 (SMBv1) [dangerous, but default]
|_    2.0.2
| smb-mbenum: 
|_  ERROR: Call to Browser Service failed with status = 2184

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Aug 30 14:15:56 2022 -- 1 IP address (1 host up) scanned in 91.71 seconds

This is still missing my 2009 smb vuln which I can pick up by manually scanning:

$ nmap -script=smb-vuln\* -p445 192.168.80.40

Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-30 14:30 UTC
Nmap scan report for 192.168.80.40
Host is up (0.085s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-cve2009-3103: 
|   VULNERABLE:
|   SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2009-3103
|           Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2,
|           Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a
|           denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE
|           PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location,
|           aka "SMBv2 Negotiation Vulnerability."
|           
|     Disclosure date: 2009-09-08
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_      http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: TIMEOUT

Nmap done: 1 IP address (1 host up) scanned in 60.68 seconds

I also wasn't able to locate the smb-vuln.py file locally that you referred to. The closest thing I could find in default-plugins directory was: /usr/local/lib/python3.9/dist-packages/autorecon/default-plugins/smb.py

I think there are multiple things happening here, one of which is an oversight of mine where I don't think the SMB Vuln plugin got updated with newer scripts. It runs the individual checks separately, you see, but having thought about it, it should just run them all in the same scan. I'll issue a patch to the plugin to resolve this.

The other thing is that you seem to be running an outdated version of AutoRecon. The plugin files changed quite a while ago so that every plugin has its own file, rather than grouped files like smb.py. You should upgrade AutoRecon using the instructions in the README. Also, the plugins are actually copied to ~/.config/AutoRecon/plugins when AutoRecon first runs. After updating you should remove the ~/.config/AutoRecon directory manually so plugin files can get updated.

Should be fixed in 406f6cb.