For the SMB2 overflow, Metasploit actually ships two scanners that can be used. Their effect is similar; the difference is that one gives a more detailed verdict while the other gives only a rough one.
Welcome to the Metasploit Web console!

       =[ metasploit v3.4.2-dev [core:3.4 api:1.0]
+ -- --=[ 566 exploits - 283 auxiliary
+ -- --=[ payloads - 27 encoders - 8 nops
       =[ svn r9834 updated 329 days ago (2010.07.14)

Warning: This copy of the Metasploit Framework was last updated 329 days ago.
         We recommend the framework at least every.
         For information in updating your copy of Metasploit, please see:
             http://www.metasploit.com/redmine/projects/framework/wiki/updating

>> search SMB
[*] Searching loaded modules for pattern 'SMB'...

Auxiliary
=========

   Name                                              Rank    Description
   ----                                              ----    -----------
   admin/oracle/ora_ntlm_stealer                     normal  Oracle SMB Relay Code Execution
   admin/smb/samba_symlink_traversal                 normal  Samba Symlink Directory Traversal
   dos/windows/smb/ms05_047_pnp                      normal  Microsoft Plug and Play Service Registry Overflow
   dos/windows/smb/ms06_035_mailslot                 normal  Microsoft SRV.SYS Mailslot Write Corruption
   dos/windows/smb/ms06_063_trans                    normal  Microsoft SRV.SYS Pipe Transaction No Null
   dos/windows/smb/ms09_001_write                    normal  Microsoft SRV.SYS WriteAndX Invalid DataOffset
   dos/windows/smb/ms09_050_smb2_negotiate_pidhigh   normal  Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
   dos/windows/smb/ms09_050_smb2_session_logoff      normal  Microsoft SRV2.SYS SMB2 Logoff Remote Kernel NULL Pointer Dereference
   dos/windows/smb/ms10_006_negotiate_response_loop  normal  Microsoft Windows 7/Server R2 SMB Client Infinite Loop
   dos/windows/smb/rras_vls_null_deref               normal  Microsoft RRAS InterfaceAdjustVLSPointers NULL Dereference
   dos/windows/smb/vista_negotiate_stop              normal  Microsoft Vista SP0 SMB Negotiate Protocol DoS
   fuzzers/smb/smb2_negotiate_corrupt                normal  SMB Negotiate SMB2 Dialect Corruption
   fuzzers/smb/smb_create_pipe                       normal  SMB Create Pipe Request Fuzzer
   fuzzers/smb/smb_create_pipe_corrupt               normal  SMB Create Pipe Request Corruption
   fuzzers/smb/smb_negotiate_corrupt                 normal  SMB Negotiate Dialect Corruption
   fuzzers/smb/smb_ntlm1_login_corrupt               normal  SMB NTLMv1 Login Request Corruption
   fuzzers/smb/smb_tree_connect                      normal  SMB Tree Connect Request Fuzzer
   fuzzers/smb/smb_tree_connect_corrupt              normal  SMB Tree Connect Request Corruption
   scanner/smb/pipe_auditor                          normal  SMB Session Pipe Auditor
   scanner/smb/pipe_dcerpc_auditor                   normal  SMB Session Pipe DCERPC Auditor
   scanner/smb/smb2                                  normal  SMB 2.0 Protocol Detection
   scanner/smb/smb_enumshares                        normal  SMB Share Enumeration
   scanner/smb/smb_enumusers                         normal  SMB User Enumeration (SAM EnumUsers)
   scanner/smb/smb_login                             normal  SMB Login Check Scanner
   scanner/smb/smb_lookupsid                         normal  SMB Local User Enumeration (LookupSid)
   scanner/smb/smb_version                           normal  SMB Version Detection
   server/capture/smb                                normal  Authentication Capture: SMB

Exploits
========

   Name                                            Rank       Description
   ----                                            ----       -----------
   netware/smb/lsass_cifs                          average    Novell NetWare LSASS CIFS.NLM Driver Stack Buffer Overflow
   windows/browser/java_ws_arginject_altjvm        excellent  Sun Java Web Start Plugin Command Line Argument Injection
   windows/browser/ms10_022_ie_vbscript_winhlp32   great      Internet Explorer Winhlp32.exe MsgBox Code Execution
   windows/fileformat/ursoft_w32dasm               good       URSoft W32Dasm Disassembler Function Buffer Overflow
   windows/fileformat/vlc_smb_uri                  great      VideoLAN Client (VLC) Win32 smb:// URI Buffer Overflow
   windows/smb/ms03_049_netapi                     good       Microsoft Workstation Service NetAddAlternateComputerName Overflow
   windows/smb/ms04_007_killbill                   low        Microsoft ASN.1 Library Bitstring Heap Overflow
   windows/smb/ms04_011_lsass                      good       Microsoft LSASS Service DsRolerUpgradeDownlevelServer Overflow
   windows/smb/ms04_031_netdde                     good       Microsoft NetDDE Service Overflow
   windows/smb/ms05_039_pnp                        good       Microsoft Plug and Play Service Overflow
   windows/smb/ms06_025_rasmans_reg                good       Microsoft RRAS Service RASMAN Registry Overflow
   windows/smb/ms06_025_rras                       average    Microsoft RRAS Service Overflow
   windows/smb/ms06_040_netapi                     great      Microsoft Server Service NetpwPathCanonicalize Overflow
   windows/smb/ms06_066_nwapi                      good       Microsoft Services MS06-066 nwapi32.dll
   windows/smb/ms06_066_nwwks                      good       Microsoft Services MS06-066 nwwks.dll
   windows/smb/ms06_070_wkssvc                     normal     Microsoft Workstation Service NetpManageIPCConnect Overflow
   windows/smb/ms08_067_netapi                     great      Microsoft Server Service Relative Path Stack Corruption
   windows/smb/ms09_050_smb2_negotiate_func_index  good       Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
   windows/smb/msdns_zonename                      great      Microsoft DNS RPC Service extractQuotedChar() Overflow (SMB)
   windows/smb/netidentity_xtierrpcpipe            great      Novell NetIdentity Agent XTIERRPCPIPE Named Pipe Buffer Overflow
   windows/smb/psexec                              excellent  Microsoft Windows Authenticated User Code Execution
   windows/smb/smb_relay                           excellent  Microsoft Windows SMB Relay Code Execution
   windows/smb/timbuktu_plughntcommand_bof         great      Timbuktu <= 8.6.6 PlughNTCommand Named Pipe Buffer Overflow

>> use auxiliary/scanner/smb/smb2
>> info

       Name: SMB 2.0 Protocol Detection
    Version: 9550
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  hdm <hdm@metasploit.com>

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  RHOSTS                    yes       The target address range or CIDR identifier
  RPORT    445              yes       The target port
  THREADS  1                yes       The number of concurrent threads

Description:
  Detect systems that support the SMB 2.0 protocol

>> set RHOSTS 172.16.1.0/24
RHOSTS => 172.16.1.0/24
>> set THREADS
THREADS =>
>> info

       Name: SMB 2.0 Protocol Detection
    Version: 9550
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  hdm <hdm@metasploit.com>

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  RHOSTS   172.16.1.0/24    yes       The target address range or CIDR identifier
  RPORT    445              yes       The target port
  THREADS                   yes       The number of concurrent threads

Description:
  Detect systems that support the SMB 2.0 protocol

>> run
[*] 172.16.1.102 supports SMB 2 [dialect 255.2] and has been online for hours
[*] 172.16.1.107 supports SMB 2 [dialect 255.2] and has been online for 2 hours
[*] 172.16.1.110 supports SMB 2 [dialect 255.2] and has been online for 6 hours
[*] Scanned 042 of the (016% complete)
[*] Scanned 055 of the 040 hosts (021% complete)
[*] Scanned 084 of the (032% complete)
[*] Scanned 104 of the (% complete)
[*] Scanned (050% complete)
[*] Scanned 155 of the (060% complete)
[*] Scanned 184 of 2 (071% complete)
[*] Scanned 205 of the (080% complete)
[*] Scanned 235 of the (091% complete)
[*] Scanned (100% complete)
[*] Auxiliary module execution completed

>> back
>> use auxiliary/scanner/smb/smb_version
>> info

       Name: SMB Version Detection
    Version: 9827
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  hdm <hdm@metasploit.com>

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  RHOSTS                    yes       The target address range or CIDR identifier
  THREADS  1                yes       The number of concurrent threads

Description:
  Display version information about each system

>> set RHOSTS 172.16.1.0/24
RHOSTS => 172.16.1.0/24
>> set THREADS
THREADS => 1 XX
>> info

       Name: SMB Version Detection
    Version: 9827
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  hdm <hdm@metasploit.com>

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  RHOSTS   172.16.1.0/24    yes       The target address range or CIDR identifier
  THREADS                   yes       The number of concurrent threads

Description:
  Display version information about each system

>> run
[*] Scanned 026 of the (010% complete)
[*] Scanned 061 of the (023% complete)
[*] Scanned 087 of the (033% complete)
[*] 172.16.1.107 is running Windows 7 Ultimate (Build 7600) (language: Unknown) (name:PC) (domain:WORKGROUP)
[*] 172.16.1.110 is running Windows 7 Ultimate (Build 7600) (language: Unknown) (name:YANG*-PC) (domain:WORKGROUP)
[*] 172.16.1.102 is running Windows 7 Ultimate (Build 7600) (language: Unknown) (name:wang*) (domain:YANGYANGWO)
[*] 172.16.1.111 is running Windows XP Service Pack 3 (language: Chinese-Traditional) (name:www-95a235b5556) (domain:WORKGROUP)
[*] Scanned (043% complete)
[*] Scanned 133 of the (051% complete)
[*] Scanned 168 of the (065% complete)
[*] Scanned 181 of the (070% complete)
[*] Scanned 208 of the (081% complete)
[*] Scanned 232 of the (090% complete)
[*] Scanned (100% complete)
[*] Auxiliary module execution completed
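The smb2 scanner output above ("supports SMB 2 [dialect 255.2] and has been online for N hours") comes straight from the fields of an SMB2 NEGOTIATE response. The following script is an added example, not code from the original post and not the Metasploit module's own source: it builds the classic detection probe (an SMB1 NEGOTIATE request that advertises only SMB2 dialect strings, so that only an SMB2-capable server answers with the SMB2 magic), parses a reply into the dialect, uptime and signing-required flag, and includes a constructed sample response so the parser can be exercised with no network at all. Field offsets follow MS-SMB2; the "255.2" rendering of the 0x02FF wildcard dialect is read byte by byte, which is why the scan output shows "255.2" rather than "2.255". The `probe_host` helper, the sample builder and all sample values are assumptions made for this example.

```python
"""Minimal SMB 2.0 detection in the style of auxiliary/scanner/smb/smb2.

Added example for this page; not the Metasploit module's code. Offsets are
from MS-SMB2. The sample reply below is constructed, not a real capture.
"""
import socket
import struct
from datetime import datetime, timedelta

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
FILETIME_EPOCH = datetime(1601, 1, 1)  # FILETIME counts 100 ns ticks from this instant
TICKS_PER_HOUR = 3600 * 10_000_000


def build_smb1_negotiate(dialects=(b"SMB 2.002", b"SMB 2.???")):
    """SMB1 NEGOTIATE request that advertises only SMB2 dialect strings.

    An SMB2-capable server answers with an SMB2 header; an SMB1-only server
    cannot match any dialect and answers with SMB1 (or drops the connection).
    """
    header = struct.pack(
        "<4sBIBHH8sHHHHH",
        SMB1_MAGIC, SMB_COM_NEGOTIATE,
        0,             # NT status
        0x18,          # Flags: case-insensitive, canonicalised paths
        0xC853,        # Flags2: Unicode, NT status codes, long names, extended security
        0,             # PIDHigh
        b"\x00" * 8,   # SecurityFeatures
        0, 0,          # Reserved, TID
        0xFEFF,        # PIDLow
        0, 0,          # UID, MID
    )
    data = b"".join(b"\x02" + d + b"\x00" for d in dialects)  # dialect buffer entries
    body = struct.pack("<BH", 0, len(data)) + data             # WordCount = 0, ByteCount
    smb = header + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb         # NetBIOS session message


def parse_negotiate_response(resp):
    """Interpret a raw reply (NetBIOS header included).

    Returns None unless the reply carries an SMB2 NEGOTIATE response; otherwise
    a dict with the fields the scanner output is built from.
    """
    if len(resp) < 4 + 64 + 64 or resp[4:8] != SMB2_MAGIC:
        return None
    body = resp[4 + 64:]  # skip NetBIOS header (4) and SMB2 header (64)
    struct_size, security_mode, dialect = struct.unpack_from("<HHH", body, 0)
    system_time, start_time = struct.unpack_from("<QQ", body, 40)
    return {
        "dialect_revision": dialect,              # 0x0202 = SMB 2.002, 0x02FF = "2.???" wildcard
        "dialect": "%d.%d" % (body[4], body[5]),  # byte-wise, as the scan output prints it
        "signing_required": bool(security_mode & 0x02),
        "system_time": (FILETIME_EPOCH + timedelta(microseconds=system_time // 10)).isoformat(),
        # ServerStartTime may be 0 on non-Windows servers; then uptime is unknown
        "uptime_hours": (system_time - start_time) // TICKS_PER_HOUR if start_time else None,
    }


def build_sample_smb2_response(dialect=0x02FF, uptime_hours=6,
                               now=datetime(2010, 7, 14, 12, 0), start_known=True):
    """Constructed reply (not a real capture) shaped like an SMB2 NEGOTIATE response."""
    system_time = ((now - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    start_time = system_time - uptime_hours * TICKS_PER_HOUR if start_known else 0
    header = struct.pack("<4sHHIHHIIQIIQ16s", SMB2_MAGIC, 64, 0, 0, 0, 1,
                         1, 0, 0, 0, 0, 0, b"\x00" * 16)  # Flags = SERVER_TO_REDIR
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, 0x01, dialect, 0, b"\x11" * 16,
                       0, 0x10000, 0x10000, 0x10000, system_time, start_time, 128, 0, 0)
    smb = header + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def probe_host(host, port=445, timeout=3.0):
    """Send the probe to one host and parse the reply; None on timeout, refusal or SMB1-only."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_smb1_negotiate())
            resp = sock.recv(4096)
    except OSError:
        return None
    return parse_negotiate_response(resp)


if __name__ == "__main__":
    # Offline demonstration against the constructed reply
    print(parse_negotiate_response(build_sample_smb2_response()))
```

As a defender, the two fields worth keeping from such a probe are `signing_required` (SMB signing not enforced is a prerequisite for the relay-style attacks listed in the module search above) and `uptime_hours`, which reveals when a host last rebooted and therefore whether a kernel patch such as the SRV2.SYS fixes has actually taken effect.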
Penetration notes, 2013-07-13: on the SMB version scan