Metasploit mailing list archives
MS08-067 / SMB Version / Language Detection
From: hdm at metasploit.com (H D Moore)
Date: Mon, 3 Nov 2008 04:17:28 -0500
Hello,

First off, thanks to everyone who sent in new exploit targets for the MS08-067 module. I am still behind on integrating them all, but we should be able to support more non-English locales off the bat in the future.

I spent some time on the auxiliary/scanner/smb/version module this weekend. This module is designed to sweep a network (RHOSTS) and tell you the operating system and service pack of every machine with port 139 or 445 open. This is tricky to do without credentials, especially in the case of service pack changes on Windows XP. The latest version of this module can almost always tell the difference between XP SP0/SP1 and XP SP2/SP3, and it does a much better job of detecting SP2 vs SP3 when possible. Additionally, I added matches for all of the new Windows 2008 and Vista versions floating around.

The biggest change, however, is support for remote language pack detection. I finally gave up on my previous idea and implemented the method outlined by Immunity Inc.[1] The good news is that it works really well for 2000 and XP targets; the bad news is that it now needs a lot more testing across a much wider range of languages. Eventually, all of the code in this module will be converted into an API call that SMB exploits can use to autotarget the right OS, SP, and language.

I currently have signatures for the following language packs:

English, Spanish, Italian, French, German, Portuguese - Brazilian, Portuguese, Hungarian, Finnish, Dutch, Swedish, Polish, Turkish, Japanese, Chinese - Traditional, Chinese - Traditional / Taiwan, Korean, Russian

What I need help with is testing -- I am pretty sure the Chinese language packs are mixed up (Chinese - Traditional may be Simplified). When using this module against an XP or 2000 system that is not in the signature array, it will print out a big block of text. This block represents the output of the EnumPrinters() call and, combined with the name of the actual language pack, can be used to write a new signature.

To get started, update your framework. Unix users should 'svn update' inside a checked-out copy of the 3.2-testing tree. Windows users should switch[2] their tree to 3.2-testing and use the Online Update feature. Once updated, open a console (Control+O in MSFGUI, msfconsole on Unix) and run the following commands against any network where you know the language pack of the installed machines and you have the legal right to do security testing against it.

  $ msfconsole
  msf > use auxiliary/scanner/smb/version
  msf auxiliary(version) > set THREADS 256
  msf auxiliary(version) > set RHOSTS A.B.C.0/24
  msf auxiliary(version) > run

If any machines print out a fingerprint block, send them via email to msfdev[at]metasploit.com, along with the known language pack of that machine. Feel free to remove the IP address listed for privacy.

If you are trying to figure out which of the *many* targets to use for MS08-067, this module is also a great way to sort that out. Keep in mind that when the OS is listed as "Windows XP Service Pack 2+", it doesn't know whether it is 2 or 3.

The ms08-067 module has been enhanced with a 'check()' method, so you can now verify that your target is unpatched before running the exploit. A scanner version of this has been added and can be used to sweep your local subnet for unpatched systems. This module is called: auxiliary/scanner/smb/ms08_067_netapi

Credit for the technique used by the scanner module and the check method in the exploit should be given to Bernardo Damele A. G.

Have fun,
-HD

1. http://immunityinc.com/downloads/Remote_Language_Detection_in_Immunity_CANVAS.odt
2. http://metasploit.com/dev/trac/wiki/Metasploit/Windows/Upgrade_to_SVN
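Added example (editor's note): the Ruby helper below is not code from the post above or from the Metasploit project. It writes an msfconsole resource script for the two sweeps the post describes (the smb/version scanner followed by the ms08_067_netapi check scanner) and then correlates their saved output into a target list, keeping the "Service Pack 2+" ambiguity the post warns about visible instead of silently picking SP2 or SP3. The "is running ..." and "VULNERABLE" line formats, and all sample lines, are constructed approximations of the modules' output, not the real format; adjust the two regexes to whatever your framework version prints.

```ruby
# Added example, not part of the original post or the Metasploit code base.
# ASSUMPTION: the output line formats matched below are constructed stand-ins
# for what auxiliary/scanner/smb/version and auxiliary/scanner/smb/ms08_067_netapi
# print; edit VERSION_RE / VULN_RE to match the real console output.

# Resource script that runs both sweeps against one subnet (run with
# `msfconsole -r sweep.rc` and tee the console output to a file).
def build_resource_script(rhosts, threads: 256)
  [
    "use auxiliary/scanner/smb/version",
    "set THREADS #{threads}",
    "set RHOSTS #{rhosts}",
    "run",
    "use auxiliary/scanner/smb/ms08_067_netapi",
    "set THREADS #{threads}",
    "set RHOSTS #{rhosts}",
    "run",
  ].join("\n") + "\n"
end

IPV4 = /\d{1,3}(?:\.\d{1,3}){3}/

# Constructed format: "[*] <ip> is running <os> [(language: <lang>)]"
VERSION_RE = /\A\[\*\] (?<ip>#{IPV4}) is running (?<os>.+?)(?: \(language: (?<lang>[^)]+)\))?\z/

# Constructed format: "[+] <ip> - VULNERABLE"
VULN_RE = /\A\[\+\] (?<ip>#{IPV4}) - VULNERABLE/

# One hash per fingerprinted host. A trailing "+" on the OS string (e.g.
# "Windows XP Service Pack 2+") means the scanner could not separate SP2
# from SP3, so that flag is carried along rather than guessed away.
def parse_version_output(text)
  text.each_line.map do |line|
    m = VERSION_RE.match(line.strip)
    next unless m
    {
      ip: m[:ip],
      os: m[:os],
      lang: m[:lang] || "Unknown",   # unknown language pack: module prints a fingerprint block instead
      sp_ambiguous: m[:os].end_with?("+"),
    }
  end.compact
end

def parse_vulnerable_hosts(text)
  text.each_line.map { |l| (m = VULN_RE.match(l.strip)) && m[:ip] }.compact
end

# Join the two sweeps: only hosts the check() scanner reported as unpatched,
# each with the OS / SP / language needed to pick the MS08-067 target.
def plan_targets(version_text, check_text)
  vulnerable = parse_vulnerable_hosts(check_text)
  parse_version_output(version_text)
    .select { |h| vulnerable.include?(h[:ip]) }
    .sort_by { |h| h[:ip].split(".").map(&:to_i) }
    .map do |h|
      note = h[:sp_ambiguous] ? "SP2 vs SP3 undetermined; confirm before choosing the target" : "single target"
      h.merge(note: note)
    end
end

# Constructed sample output (not captured from a real scan).
SAMPLE_VERSION_OUTPUT = <<~OUT
  [*] 192.168.1.10 is running Windows XP Service Pack 2+ (language: English)
  [*] 192.168.1.11 is running Windows 2000 Service Pack 4 (language: German)
  [*] 192.168.1.12 is running Windows XP Service Pack 3 (language: Japanese)
  [*] 192.168.1.13 is running Windows Vista
  [*] Scanned 256 of 256 hosts (100% complete)
OUT

SAMPLE_CHECK_OUTPUT = <<~OUT
  [+] 192.168.1.10 - VULNERABLE
  [+] 192.168.1.11 - VULNERABLE
  [*] 192.168.1.12 - PATCHED
OUT

if __FILE__ == $0
  puts build_resource_script("192.168.1.0/24")
  plan_targets(SAMPLE_VERSION_OUTPUT, SAMPLE_CHECK_OUTPUT).each do |t|
    puts "#{t[:ip]}  #{t[:os]}  [#{t[:lang]}]  #{t[:note]}"
  end
end
```

With the constructed sample, only 192.168.1.10 and 192.168.1.11 survive the join; the XP SP2+ host keeps its "undetermined" note so the operator knows the version scanner could not resolve SP2 vs SP3, and the Vista host is dropped because the check scanner did not flag it.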
Current thread:
- MS08-067 / SMB Version / Language Detection H D Moore (Nov 03)
- MS08-067 / SMB Version / Language Detection HaJin (Nov 03)
- MS08-067 / SMB Version / Language Detection Thomas Werth (Nov 03)
- MS08-067 / SMB Version / Language Detection MaXe (Nov 03)
- MS08-067 / SMB Version / Language Detection think.pink at gmx.de (Nov 03)
- MS08-067 / SMB Version / Language Detection Thomas Werth (Nov 03)
- MS08-067 / SMB Version / Language Detection Matteo Cantoni (Nov 03)
- MS08-067 / SMB Version / Language Detection think.pink at gmx.de (Nov 03)
- MS08-067 / SMB Version / Language Detection HaJin (Nov 03)