CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/scripts/resource/smb_checks.rc
Views: 1904
<ruby>

#
# This resource scripts will check common security concerns on SMB for Windows.
# Specifically, this script will check for these things:
#
#   * MS08-067.
#   * MS17-010.
#   * SMB version 1.
#
# For extra validation, you may try the smb_validate.rc script.
#
# Author:
# sinn3r
#

@job_ids = []

def wait_until_jobs_done
    while true
        @job_ids.each do |job_id|
            current_job_ids = framework.jobs.keys.map { |e| e.to_i }
            sleep 1 if current_job_ids.include?(job_id)
        end

        return
    end
end

def check_ms17_010(host, serv)
    print_status("Checking MS17-010 on #{host.address}")
    mod = framework.modules.create('auxiliary/scanner/smb/smb_ms17_010')
    mod.datastore['RHOSTS'] = host.address
    mod.datastore['RPORT'] = serv.port
    mod.run_simple({ 'RunAsJob' => true, 'LocalOutput' => self.output })
    print_status("MS17-010 job ID for target #{host.address} is: #{mod.job_id}")
    @job_ids << mod.job_id
end

def check_ms08_067_netapi(host, serv)
    print_status("Checking MS08-067 on #{host.address}")
    mod = framework.exploits.create('windows/smb/ms08_067_netapi')
    mod.datastore['RHOST'] = host.address
    begin
        check_code = mod.check_simple({ 'RunAsJob' => true, 'LocalOutput' => self.output })
        if mod.job_id
            print_status("MS08-067 job ID for target #{host.address} is: #{mod.job_id}")
            @job_ids << mod.job_id
        end

        if check_code == Msf::Exploit::CheckCode::Vulnerable
            framework.db.report_vuln(
                workspace: mod.workspace,
                host: mod.rhost,
                name: mod.name,
                info: "This was flagged as vulnerable by the explicit check of #{mod.fullname}.",
                refs: mod.references
            )
        end
    rescue ::Exception => e
        print_error(e.message)
    end
end

def check_smbv1(host, serv)
    print_status("Checking SMBv1 on #{host.address}")
    mod = framework.modules.create('auxiliary/scanner/smb/smb1')
    mod.datastore['RHOSTS'] = host.address
    mod.datastore['RPORT'] = serv.port
    mod.run_simple({ 'RunAsJob' => true, 'LocalOutput' => self.output })
    print_status("SMBv1 check job ID for target #{host.address} is: #{mod.job_id}")
    @job_ids << mod.job_id
end

def is_smb?(host, serv)
    return false unless serv.host
    return false if serv.state != Msf::ServiceState::Open
    return false if serv.port != 445
    true
end

def do_checks
    print_status("Number of hosts to check: #{framework.db.workspace.hosts.length}")
    framework.db.workspace.hosts.each do |host|
        host.services.each do |serv|
            next unless is_smb?(host, serv)
            print_status("Checking #{host.address}:#{serv.port} (#{serv.name})")
            check_smbv1(host, serv)
            check_ms17_010(host, serv)
            check_ms08_067_netapi(host, serv)
        end
    end
end

def setup
    run_single("setg verbose true")
end

def main
    print_status('Performing checks...')
    do_checks
    wait_until_jobs_done
end

setup
main

</ruby>