SMB Login Check Scanner - Metasploit


This page contains detailed information about how to use the auxiliary/scanner/smb/smb_login metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.

Module Overview


Name: SMB Login Check Scanner
Module: auxiliary/scanner/smb/smb_login
Source code: modules/auxiliary/scanner/smb/smb_login.rb
Disclosure date: -
Last modification time: 2021-08-31 17:10:07 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: microsoft-ds, netbios-ssn
Target network port(s): 139, 445
List of CVEs: CVE-1999-0506

This module will test a SMB login on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access.

Module Ranking and Traits


Module Ranking:

  • normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.

Basic Usage


This module is a scanner module, and is capable of testing against multiple hosts.

msf > use auxiliary/scanner/smb/smb_login
msf auxiliary(smb_login) > show options
    ... show and set options ...
msf auxiliary(smb_login) > set RHOSTS ip-range
msf auxiliary(smb_login) > exploit

Other examples of setting the RHOSTS option:

Example 1:

msf auxiliary(smb_login) > set RHOSTS 192.168.1.3-192.168.1.200 

Example 2:

msf auxiliary(smb_login) > set RHOSTS 192.168.1.1/24

Example 3:

msf auxiliary(smb_login) > set RHOSTS file:/tmp/ip_list.txt

Required Options


  • RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'

Knowledge Base


The smb_login module is used to bruteforce SMB remotely. SMB credentials are extra valuable because they are system credentials, and you can probably reuse some of them to log in to more machines.

Vulnerable Application


To use smb_login, make sure you are able to connect to a SMB service that supports SMBv1.

Verification Steps


The following demonstrates a basic scenario of using the built-in wordlists to brute-force SMB:

msf > use auxiliary/scanner/smb/smb_login 
msf auxiliary(smb_login) > set RHOSTS 192.168.1.80
RHOSTS => 192.168.1.80
msf auxiliary(smb_login) > set USER_FILE /Users/wchen/rapid7/msf/data/wordlists/unix_users.txt
USER_FILE => /Users/wchen/rapid7/msf/data/wordlists/unix_users.txt
msf auxiliary(smb_login) > set PASS_FILE /Users/wchen/rapid7/msf/data/wordlists/unix_passwords.txt
PASS_FILE => /Users/wchen/rapid7/msf/data/wordlists/unix_passwords.txt
msf auxiliary(smb_login) > run

[+] 192.168.1.80:445      - 192.168.1.80:445 SMB - Success: '.\root:monkey' Administrator
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(smb_login) > 

If you have a database connected, you should also see this credential logged:

msf auxiliary(smb_login) > creds
Credentials
===========

host          origin        service        public  private  realm  private_type
----          ------        -------        ------  -------  -----  ------------
192.168.1.80  192.168.1.80  445/tcp (smb)  root    monkey          Password

msf auxiliary(smb_login) 

Options


By default, the smb_login module only requires the RHOSTS option to run. But in reality, you will also need to supply user names and passwords. The following options are available to support different credential formats:

The USER_FILE option

If you happen to manage all the found user names in a separate file, then this option would be suitable for that. One per line.

An example of setting USER_FILE:

set USER_FILE [path to file]

The PASS_FILE option

If you happen to manage all the found passwords in a separate file, then this option would be suitable for that. One per line.

set PASS_FILE [path to file]

The USERPASS_FILE option

If each user should be using a specific password in your file, then you can use this option. One username/password per line:

set USERPASS_FILE [path to file]

The DB_ALL_CREDS option

This option allows you to reuse all the user names and passwords collected by the database:

set DB_ALL_CREDS true

The DB_ALL_PASS option

This option allows you to reuse all the passwords collected by the database.

set DB_ALL_PASS true

The DB_ALL_USERS option

This option allows you to reuse all the user names collected by the database.

set DB_ALL_USERS true

The SMBUser option

If you are testing a specific user, use this option.

set SMBUser [user name]

The SMBPass option

If you are testing a specific password, use this option.

set SMBPass [password]

Note: If an account has been successfully brute-forced, that account will not be tried again.

Additionally, if you wish to disable automatic detection of all-access systems, you can change the following option:

The DETECT_ANY_AUTH option

This option enables detection of systems accepting any authentication. A bogus login will be attempted.

set DETECT_ANY_AUTH false

Go back to menu.

Msfconsole Usage


Here is how the scanner/smb/smb_login auxiliary module looks in the msfconsole:

msf6 > use auxiliary/scanner/smb/smb_login

msf6 auxiliary(scanner/smb/smb_login) > show info

       Name: SMB Login Check Scanner
     Module: auxiliary/scanner/smb/smb_login
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  tebo <[email protected]>
  Ben Campbell <[email protected]>
  Brandon McCann "zeknox" <[email protected]>
  Tom Sellers <[email protected]>

Check supported:
  No

Basic options:
  Name               Current Setting  Required  Description
  ----               ---------------  --------  -----------
  ABORT_ON_LOCKOUT   false            yes       Abort the run when an account lockout is detected
  BLANK_PASSWORDS    false            no        Try blank passwords for all users
  BRUTEFORCE_SPEED   5                yes       How fast to bruteforce, from 0 to 5
  DB_ALL_CREDS       false            no        Try each user/password couple stored in the current database
  DB_ALL_PASS        false            no        Add all passwords in the current database to the list
  DB_ALL_USERS       false            no        Add all users in the current database to the list
  DETECT_ANY_AUTH    false            no        Enable detection of systems accepting any authentication
  DETECT_ANY_DOMAIN  false            no        Detect if domain is required for the specified user
  PASS_FILE                           no        File containing passwords, one per line
  PRESERVE_DOMAINS   true             no        Respect a username that contains a domain name.
  Proxies                             no        A proxy chain of format type:host:port[,type:host:port][...]
  RECORD_GUEST       false            no        Record guest-privileged random logins to the database
  RHOSTS                              yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPORT              445              yes       The SMB service port (TCP)
  SMBDomain          .                no        The Windows domain to use for authentication
  SMBPass                             no        The password for the specified username
  SMBUser                             no        The username to authenticate as
  STOP_ON_SUCCESS    false            yes       Stop guessing when a credential works for a host
  THREADS            1                yes       The number of concurrent threads (max one per host)
  USERPASS_FILE                       no        File containing users and passwords separated by space, one pair per line
  USER_AS_PASS       false            no        Try the username as the password for all users
  USER_FILE                           no        File containing usernames, one per line
  VERBOSE            true             yes       Whether to print output for all attempts

Description:
  This module will test a SMB login on a range of machines and report 
  successful logins. If you have loaded a database plugin and 
  connected to a database this module will record successful logins 
  and hosts so you can track your access.

References:
  https://nvd.nist.gov/vuln/detail/CVE-1999-0506

Module Options


This is a complete list of options available in the scanner/smb/smb_login auxiliary module:

msf6 auxiliary(scanner/smb/smb_login) > show options

Module options (auxiliary/scanner/smb/smb_login):

   Name               Current Setting  Required  Description
   ----               ---------------  --------  -----------
   ABORT_ON_LOCKOUT   false            yes       Abort the run when an account lockout is detected
   BLANK_PASSWORDS    false            no        Try blank passwords for all users
   BRUTEFORCE_SPEED   5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS       false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS        false            no        Add all passwords in the current database to the list
   DB_ALL_USERS       false            no        Add all users in the current database to the list
   DETECT_ANY_AUTH    false            no        Enable detection of systems accepting any authentication
   DETECT_ANY_DOMAIN  false            no        Detect if domain is required for the specified user
   PASS_FILE                           no        File containing passwords, one per line
   PRESERVE_DOMAINS   true             no        Respect a username that contains a domain name.
   Proxies                             no        A proxy chain of format type:host:port[,type:host:port][...]
   RECORD_GUEST       false            no        Record guest-privileged random logins to the database
   RHOSTS                              yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT              445              yes       The SMB service port (TCP)
   SMBDomain          .                no        The Windows domain to use for authentication
   SMBPass                             no        The password for the specified username
   SMBUser                             no        The username to authenticate as
   STOP_ON_SUCCESS    false            yes       Stop guessing when a credential works for a host
   THREADS            1                yes       The number of concurrent threads (max one per host)
   USERPASS_FILE                       no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS       false            no        Try the username as the password for all users
   USER_FILE                           no        File containing usernames, one per line
   VERBOSE            true             yes       Whether to print output for all attempts

Advanced Options


Here is a complete list of advanced options supported by the scanner/smb/smb_login auxiliary module:

msf6 auxiliary(scanner/smb/smb_login) > show advanced

Module advanced options (auxiliary/scanner/smb/smb_login):

   Name                    Current Setting    Required  Description
   ----                    ---------------    --------  -----------
   CHOST                                      no        The local client address
   CPORT                                      no        The local client port
   ConnectTimeout          10                 yes       Maximum number of seconds to establish a TCP connection
   DCERPC::ReadTimeout     10                 yes       The number of seconds to wait for DCERPC responses
   MaxGuessesPerService    0                  no        Maximum number of credentials to try per service instance. If set to zero or a non-number, this option will not be used.
   MaxGuessesPerUser       0                  no        Maximum guesses for a particular username for the service instance. Note that users are considered unique among different services, so a user at 10.1.1.1:22 is different from one at 10.2.
                                                        2.2:22, and both will be tried up to the MaxGuessesPerUser limit. If set to zero or a non-number, this option will not be used.
   MaxMinutesPerService    0                  no        Maximum time in minutes to bruteforce the service instance. If set to zero or a non-number, this option will not be used.
   NTLM::SendLM            true               yes       Always send the LANMAN response (except when NTLMv2_session is specified)
   NTLM::SendNTLM          true               yes       Activate the 'Negotiate NTLM key' flag, indicating the use of NTLM responses
   NTLM::SendSPN           true               yes       Send an avp of type SPN in the ntlmv2 client blob, this allows authentication on Windows 7+/Server 2008 R2+ when SPN is required
   NTLM::UseLMKey          false              yes       Activate the 'Negotiate Lan Manager Key' flag, using the LM key when the LM response is sent
   NTLM::UseNTLM2_session  true               yes       Activate the 'Negotiate NTLM2 key' flag, forcing the use of a NTLMv2_session
   NTLM::UseNTLMv2         true               yes       Use NTLMv2 instead of NTLM2_session when 'Negotiate NTLM2' key is true
   REMOVE_PASS_FILE        false              yes       Automatically delete the PASS_FILE on module completion
   REMOVE_USERPASS_FILE    false              yes       Automatically delete the USERPASS_FILE on module completion
   REMOVE_USER_FILE        false              yes       Automatically delete the USER_FILE on module completion
   SMB::AlwaysEncrypt      true               yes       Enforces encryption even if the server does not require it (SMB3.x only). Note that when it is set to false, the SMB client will still encrypt the communication if the server requires it
   SMB::ChunkSize          500                yes       The chunk size for SMB segments, bigger values will increase speed but break NT 4.0 and SMB signing
   SMB::Native_LM          Windows 2000 5.0   yes       The Native LM to send during authentication
   SMB::Native_OS          Windows 2000 2195  yes       The Native OS to send during authentication
   SMB::ProtocolVersion    1,2,3              yes       One or a list of coma-separated SMB protocol versions to negotiate (e.g. "1" or "1,2" or "2,3,1")
   SMB::VerifySignature    false              yes       Enforces client-side verification of server response signatures
   SMBDirect               true               no        The target port is a raw SMB service (not NetBIOS)
   SMBName                 *SMBSERVER         yes       The NetBIOS hostname (required for port 139 connections)
   SSL                     false              no        Negotiate SSL/TLS for outgoing connections
   SSLCipher                                  no        String for SSL cipher - "DHE-RSA-AES256-SHA" or "ADH"
   SSLVerifyMode           PEER               no        SSL verification method (Accepted: CLIENT_ONCE, FAIL_IF_NO_PEER_CERT, NONE, PEER)
   SSLVersion              Auto               yes       Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
   ShowProgress            true               yes       Display progress messages during a scan
   ShowProgressPercent     10                 yes       The interval in percent that progress should be shown
   TRANSITION_DELAY        0                  no        Amount of time (in minutes) to delay before transitioning to the next user in the array (or password when PASSWORD_SPRAY=true)
   WORKSPACE                                  no        Specify the workspace for this module

Auxiliary Actions


This is a list of all auxiliary actions that the scanner/smb/smb_login module can do:

msf6 auxiliary(scanner/smb/smb_login) > show actions

Auxiliary actions:

   Name  Description
   ----  -----------

Evasion Options


Here is the full list of possible evasion options supported by the scanner/smb/smb_login auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):

msf6 auxiliary(scanner/smb/smb_login) > show evasion

Module evasion options:

   Name                             Current Setting  Required  Description
   ----                             ---------------  --------  -----------
   DCERPC::fake_bind_multi          true             no        Use multi-context bind calls
   DCERPC::fake_bind_multi_append   0                no        Set the number of UUIDs to append the target
   DCERPC::fake_bind_multi_prepend  0                no        Set the number of UUIDs to prepend before the target
   DCERPC::max_frag_size            4096             yes       Set the DCERPC packet fragmentation size
   DCERPC::smb_pipeio               rw               no        Use a different delivery method for accessing named pipes (Accepted: rw, trans)
   SMB::obscure_trans_pipe_level    0                yes       Obscure PIPE string in TransNamedPipe (level 0-3)
   SMB::pad_data_level              0                yes       Place extra padding between headers and data (level 0-3)
   SMB::pad_file_level              0                yes       Obscure path names used in open/create (level 0-3)
   SMB::pipe_evasion                false            yes       Enable segmented read/writes for SMB Pipes
   SMB::pipe_read_max_size          1024             yes       Maximum buffer size for pipe reads
   SMB::pipe_read_min_size          1                yes       Minimum buffer size for pipe reads
   SMB::pipe_write_max_size         1024             yes       Maximum buffer size for pipe writes
   SMB::pipe_write_min_size         1                yes       Minimum buffer size for pipe writes
   TCP::max_send_size               0                no        Maxiumum tcp segment size.  (0 = disable)
   TCP::send_delay                  0                no        Delays inserted before every send.  (0 = disable)

Go back to menu.

Error Messages


This module may fail with the following error messages:

Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.

This system accepts authentication with random credentials, brute force is ineffective.


Here is a relevant code snippet related to the "This system accepts authentication with random credentials, brute force is ineffective." error message:

89:	      bogus_result = @scanner.attempt_bogus_login(domain)
90:	      if bogus_result.success?
91:	        if bogus_result.access_level == Metasploit::Framework::LoginScanner::SMB::AccessLevels::GUEST
92:	          print_status("This system allows guest sessions with random credentials")
93:	        else
94:	          print_error("This system accepts authentication with random credentials, brute force is ineffective.")
95:	          return
96:	        end
97:	      else
98:	        vprint_status('This system does not accept authentication with random credentials, proceeding with brute force')
99:	      end

This system does not accept authentication with random credentials, proceeding with brute force


Here is a relevant code snippet related to the "This system does not accept authentication with random credentials, proceeding with brute force" error message:

93:	        else
94:	          print_error("This system accepts authentication with random credentials, brute force is ineffective.")
95:	          return
96:	        end
97:	      else
98:	        vprint_status('This system does not accept authentication with random credentials, proceeding with brute force')
99:	      end
100:	    end
101:	
102:	    cred_collection = build_credential_collection(
103:	      realm: domain,

Account lockout detected on '<RESULT.CREDENTIAL.PUBLIC>', aborting.


Here is a relevant code snippet related to the "Account lockout detected on '<RESULT.CREDENTIAL.PUBLIC>', aborting." error message:

110:	
111:	    @scanner.scan! do |result|
112:	      case result.status
113:	      when Metasploit::Model::Login::Status::LOCKED_OUT
114:	        if datastore['ABORT_ON_LOCKOUT']
115:	          print_error("Account lockout detected on '#{result.credential.public}', aborting.")
116:	          return
117:	        else
118:	          print_error("Account lockout detected on '#{result.credential.public}', skipping this user.")
119:	        end
120:	

Account lockout detected on '<RESULT.CREDENTIAL.PUBLIC>', skipping this user.


Here is a relevant code snippet related to the "Account lockout detected on '<RESULT.CREDENTIAL.PUBLIC>', skipping this user." error message:

113:	      when Metasploit::Model::Login::Status::LOCKED_OUT
114:	        if datastore['ABORT_ON_LOCKOUT']
115:	          print_error("Account lockout detected on '#{result.credential.public}', aborting.")
116:	          return
117:	        else
118:	          print_error("Account lockout detected on '#{result.credential.public}', skipping this user.")
119:	        end
120:	
121:	      when Metasploit::Model::Login::Status::DENIED_ACCESS
122:	        print_brute :level => :status, :ip => ip, :msg => "Correct credentials, but unable to login: '#{result.credential}', #{result.proof}"
123:	        report_creds(ip, rport, result)

Correct credentials, but unable to login: '<RESULT.CREDENTIAL>', <RESULT.PROOF>


Here is a relevant code snippet related to the "Correct credentials, but unable to login: '<RESULT.CREDENTIAL>', <RESULT.PROOF>" error message:

117:	        else
118:	          print_error("Account lockout detected on '#{result.credential.public}', skipping this user.")
119:	        end
120:	
121:	      when Metasploit::Model::Login::Status::DENIED_ACCESS
122:	        print_brute :level => :status, :ip => ip, :msg => "Correct credentials, but unable to login: '#{result.credential}', #{result.proof}"
123:	        report_creds(ip, rport, result)
124:	        :next_user
125:	      when Metasploit::Model::Login::Status::SUCCESSFUL
126:	        print_brute :level => :good, :ip => ip, :msg => "Success: '#{result.credential}' #{result.access_level}"
127:	        report_creds(ip, rport, result)

Could not connect


Here is a relevant code snippet related to the "Could not connect" error message:

126:	        print_brute :level => :good, :ip => ip, :msg => "Success: '#{result.credential}' #{result.access_level}"
127:	        report_creds(ip, rport, result)
128:	        :next_user
129:	      when Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
130:	        if datastore['VERBOSE']
131:	          print_brute :level => :verror, :ip => ip, :msg => "Could not connect"
132:	        end
133:	        invalidate_login(
134:	            address: ip,
135:	            port: rport,
136:	            protocol: 'tcp',

Failed: '<RESULT.CREDENTIAL>', <RESULT.PROOF>


Here is a relevant code snippet related to the "Failed: '<RESULT.CREDENTIAL>', <RESULT.PROOF>" error message:

142:	            status: result.status
143:	        )
144:	        :abort
145:	      when Metasploit::Model::Login::Status::INCORRECT
146:	        if datastore['VERBOSE']
147:	          print_brute :level => :verror, :ip => ip, :msg => "Failed: '#{result.credential}', #{result.proof}"
148:	        end
149:	        invalidate_login(
150:	          address: ip,
151:	          port: rport,
152:	          protocol: 'tcp',

Go back to menu.


References


See Also


Check also the following modules related to this module:

Related Nessus plugins:

Authors


  • tebo <tebo[at]attackresearch.com>
  • Ben Campbell
  • Brandon McCann "zeknox" <bmccann[at]accuvant.com>
  • Tom Sellers <tom[at]fadedcode.net>

Version


This page has been produced using Metasploit Framework version 6.1.28-dev. For more modules, visit the Metasploit Module Library.

Go back to menu.