SMB Login Check Scanner - Metasploit
This page contains detailed information about how to use the auxiliary/scanner/smb/smb_login Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: SMB Login Check Scanner
Module: auxiliary/scanner/smb/smb_login
Source code: modules/auxiliary/scanner/smb/smb_login.rb
Disclosure date: -
Last modification time: 2021-08-31 17:10:07 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: microsoft-ds, netbios-ssn
Target network port(s): 139, 445
List of CVEs: CVE-1999-0506
This module will test an SMB login on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database, this module will record successful logins and hosts so you can track your access.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
This module is a scanner module, and is capable of testing against multiple hosts.
msf > use auxiliary/scanner/smb/smb_login
msf auxiliary(smb_login) > show options
... show and set options ...
msf auxiliary(smb_login) > set RHOSTS ip-range
msf auxiliary(smb_login) > exploit
Other examples of setting the RHOSTS option:
Example 1:
msf auxiliary(smb_login) > set RHOSTS 192.168.1.3-192.168.1.200
Example 2:
msf auxiliary(smb_login) > set RHOSTS 192.168.1.1/24
Example 3:
msf auxiliary(smb_login) > set RHOSTS file:/tmp/ip_list.txt
Required Options
- RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
Knowledge Base
The smb_login module is used to brute-force SMB logins remotely. SMB credentials are especially valuable because they are system credentials, and some of them can usually be reused to log in to further machines.
Vulnerable Application
To use smb_login, make sure you are able to connect to an SMB service that supports SMBv1.
Verification Steps
The following demonstrates a basic scenario of using the built-in wordlists to brute-force SMB:
msf > use auxiliary/scanner/smb/smb_login
msf auxiliary(smb_login) > set RHOSTS 192.168.1.80
RHOSTS => 192.168.1.80
msf auxiliary(smb_login) > set USER_FILE /Users/wchen/rapid7/msf/data/wordlists/unix_users.txt
USER_FILE => /Users/wchen/rapid7/msf/data/wordlists/unix_users.txt
msf auxiliary(smb_login) > set PASS_FILE /Users/wchen/rapid7/msf/data/wordlists/unix_passwords.txt
PASS_FILE => /Users/wchen/rapid7/msf/data/wordlists/unix_passwords.txt
msf auxiliary(smb_login) > run
[+] 192.168.1.80:445 - 192.168.1.80:445 SMB - Success: '.\root:monkey' Administrator
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(smb_login) >
If you have a database connected, you should also see this credential logged:
msf auxiliary(smb_login) > creds
Credentials
===========

host          origin        service        public  private  realm  private_type
----          ------        -------        ------  -------  -----  ------------
192.168.1.80  192.168.1.80  445/tcp (smb)  root    monkey          Password
msf auxiliary(smb_login)
Options
By default, the smb_login module only requires the RHOSTS option to run. But in reality, you will also need to supply user names and passwords. The following options are available to support different credential formats:
The USER_FILE option
If you keep all the user names you have collected in a separate file, this option reads them from that file, one per line.
An example of setting USER_FILE:
set USER_FILE [path to file]
The PASS_FILE option
If you keep all the passwords you have collected in a separate file, this option reads them from that file, one per line.
set PASS_FILE [path to file]
The USERPASS_FILE option
If each user should be tried with a specific password, use this option. The file holds one username/password pair per line, separated by a space:
set USERPASS_FILE [path to file]
The DB_ALL_CREDS option
This option allows you to reuse all the user names and passwords collected by the database:
set DB_ALL_CREDS true
The DB_ALL_PASS option
This option allows you to reuse all the passwords collected by the database.
set DB_ALL_PASS true
The DB_ALL_USERS option
This option allows you to reuse all the user names collected by the database.
set DB_ALL_USERS true
The SMBUser option
If you are testing a specific user, use this option.
set SMBUser [user name]
The SMBPass option
If you are testing a specific password, use this option.
set SMBPass [password]
Note: If an account has been successfully brute-forced, that account will not be tried again.
Additionally, if you wish to disable automatic detection of all-access systems, you can change the following option:
The DETECT_ANY_AUTH option
This option enables detection of systems accepting any authentication. A bogus login will be attempted.
set DETECT_ANY_AUTH false
Msfconsole Usage
Here is how the scanner/smb/smb_login auxiliary module looks in the msfconsole:
msf6 > use auxiliary/scanner/smb/smb_login
msf6 auxiliary(scanner/smb/smb_login) > show info
       Name: SMB Login Check Scanner
     Module: auxiliary/scanner/smb/smb_login
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  tebo <[email protected]>
  Ben Campbell <[email protected]>
  Brandon McCann "zeknox" <[email protected]>
  Tom Sellers <[email protected]>

Check supported:
  No

Basic options:
  Name               Current Setting  Required  Description
  ----               ---------------  --------  -----------
  ABORT_ON_LOCKOUT   false            yes       Abort the run when an account lockout is detected
  BLANK_PASSWORDS    false            no        Try blank passwords for all users
  BRUTEFORCE_SPEED   5                yes       How fast to bruteforce, from 0 to 5
  DB_ALL_CREDS       false            no        Try each user/password couple stored in the current database
  DB_ALL_PASS        false            no        Add all passwords in the current database to the list
  DB_ALL_USERS       false            no        Add all users in the current database to the list
  DETECT_ANY_AUTH    false            no        Enable detection of systems accepting any authentication
  DETECT_ANY_DOMAIN  false            no        Detect if domain is required for the specified user
  PASS_FILE                           no        File containing passwords, one per line
  PRESERVE_DOMAINS   true             no        Respect a username that contains a domain name.
  Proxies                             no        A proxy chain of format type:host:port[,type:host:port][...]
  RECORD_GUEST       false            no        Record guest-privileged random logins to the database
  RHOSTS                              yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPORT              445              yes       The SMB service port (TCP)
  SMBDomain          .                no        The Windows domain to use for authentication
  SMBPass                             no        The password for the specified username
  SMBUser                             no        The username to authenticate as
  STOP_ON_SUCCESS    false            yes       Stop guessing when a credential works for a host
  THREADS            1                yes       The number of concurrent threads (max one per host)
  USERPASS_FILE                       no        File containing users and passwords separated by space, one pair per line
  USER_AS_PASS       false            no        Try the username as the password for all users
  USER_FILE                           no        File containing usernames, one per line
  VERBOSE            true             yes       Whether to print output for all attempts

Description:
  This module will test a SMB login on a range of machines and report
  successful logins. If you have loaded a database plugin and
  connected to a database this module will record successful logins
  and hosts so you can track your access.

References:
  https://nvd.nist.gov/vuln/detail/CVE-1999-0506
Module Options
This is a complete list of options available in the scanner/smb/smb_login auxiliary module:
msf6 auxiliary(scanner/smb/smb_login) > show options
Module options (auxiliary/scanner/smb/smb_login):

   Name               Current Setting  Required  Description
   ----               ---------------  --------  -----------
   ABORT_ON_LOCKOUT   false            yes       Abort the run when an account lockout is detected
   BLANK_PASSWORDS    false            no        Try blank passwords for all users
   BRUTEFORCE_SPEED   5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS       false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS        false            no        Add all passwords in the current database to the list
   DB_ALL_USERS       false            no        Add all users in the current database to the list
   DETECT_ANY_AUTH    false            no        Enable detection of systems accepting any authentication
   DETECT_ANY_DOMAIN  false            no        Detect if domain is required for the specified user
   PASS_FILE                           no        File containing passwords, one per line
   PRESERVE_DOMAINS   true             no        Respect a username that contains a domain name.
   Proxies                             no        A proxy chain of format type:host:port[,type:host:port][...]
   RECORD_GUEST       false            no        Record guest-privileged random logins to the database
   RHOSTS                              yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT              445              yes       The SMB service port (TCP)
   SMBDomain          .                no        The Windows domain to use for authentication
   SMBPass                             no        The password for the specified username
   SMBUser                             no        The username to authenticate as
   STOP_ON_SUCCESS    false            yes       Stop guessing when a credential works for a host
   THREADS            1                yes       The number of concurrent threads (max one per host)
   USERPASS_FILE                       no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS       false            no        Try the username as the password for all users
   USER_FILE                           no        File containing usernames, one per line
   VERBOSE            true             yes       Whether to print output for all attempts
Advanced Options
Here is a complete list of advanced options supported by the scanner/smb/smb_login auxiliary module:
msf6 auxiliary(scanner/smb/smb_login) > show advanced
Module advanced options (auxiliary/scanner/smb/smb_login):

   Name                    Current Setting    Required  Description
   ----                    ---------------    --------  -----------
   CHOST                                      no        The local client address
   CPORT                                      no        The local client port
   ConnectTimeout          10                 yes       Maximum number of seconds to establish a TCP connection
   DCERPC::ReadTimeout     10                 yes       The number of seconds to wait for DCERPC responses
   MaxGuessesPerService    0                  no        Maximum number of credentials to try per service instance. If set to zero or a non-number, this option will not be used.
   MaxGuessesPerUser       0                  no        Maximum guesses for a particular username for the service instance. Note that users are considered unique among different services, so a user at 10.1.1.1:22 is different from one at 10.2.2.2:22, and both will be tried up to the MaxGuessesPerUser limit. If set to zero or a non-number, this option will not be used.
   MaxMinutesPerService    0                  no        Maximum time in minutes to bruteforce the service instance. If set to zero or a non-number, this option will not be used.
   NTLM::SendLM            true               yes       Always send the LANMAN response (except when NTLMv2_session is specified)
   NTLM::SendNTLM          true               yes       Activate the 'Negotiate NTLM key' flag, indicating the use of NTLM responses
   NTLM::SendSPN           true               yes       Send an avp of type SPN in the ntlmv2 client blob, this allows authentication on Windows 7+/Server 2008 R2+ when SPN is required
   NTLM::UseLMKey          false              yes       Activate the 'Negotiate Lan Manager Key' flag, using the LM key when the LM response is sent
   NTLM::UseNTLM2_session  true               yes       Activate the 'Negotiate NTLM2 key' flag, forcing the use of a NTLMv2_session
   NTLM::UseNTLMv2         true               yes       Use NTLMv2 instead of NTLM2_session when 'Negotiate NTLM2' key is true
   REMOVE_PASS_FILE        false              yes       Automatically delete the PASS_FILE on module completion
   REMOVE_USERPASS_FILE    false              yes       Automatically delete the USERPASS_FILE on module completion
   REMOVE_USER_FILE        false              yes       Automatically delete the USER_FILE on module completion
   SMB::AlwaysEncrypt      true               yes       Enforces encryption even if the server does not require it (SMB3.x only). Note that when it is set to false, the SMB client will still encrypt the communication if the server requires it
   SMB::ChunkSize          500                yes       The chunk size for SMB segments, bigger values will increase speed but break NT 4.0 and SMB signing
   SMB::Native_LM          Windows 2000 5.0   yes       The Native LM to send during authentication
   SMB::Native_OS          Windows 2000 2195  yes       The Native OS to send during authentication
   SMB::ProtocolVersion    1,2,3              yes       One or a list of coma-separated SMB protocol versions to negotiate (e.g. "1" or "1,2" or "2,3,1")
   SMB::VerifySignature    false              yes       Enforces client-side verification of server response signatures
   SMBDirect               true               no        The target port is a raw SMB service (not NetBIOS)
   SMBName                 *SMBSERVER         yes       The NetBIOS hostname (required for port 139 connections)
   SSL                     false              no        Negotiate SSL/TLS for outgoing connections
   SSLCipher                                  no        String for SSL cipher - "DHE-RSA-AES256-SHA" or "ADH"
   SSLVerifyMode           PEER               no        SSL verification method (Accepted: CLIENT_ONCE, FAIL_IF_NO_PEER_CERT, NONE, PEER)
   SSLVersion              Auto               yes       Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
   ShowProgress            true               yes       Display progress messages during a scan
   ShowProgressPercent     10                 yes       The interval in percent that progress should be shown
   TRANSITION_DELAY        0                  no        Amount of time (in minutes) to delay before transitioning to the next user in the array (or password when PASSWORD_SPRAY=true)
   WORKSPACE                                  no        Specify the workspace for this module
Auxiliary Actions
This is a list of all auxiliary actions that the scanner/smb/smb_login module can do:
msf6 auxiliary(scanner/smb/smb_login) > show actions
Auxiliary actions:

   Name  Description
   ----  -----------
Evasion Options
Here is the full list of possible evasion options supported by the scanner/smb/smb_login auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 auxiliary(scanner/smb/smb_login) > show evasion
Module evasion options:

   Name                             Current Setting  Required  Description
   ----                             ---------------  --------  -----------
   DCERPC::fake_bind_multi          true             no        Use multi-context bind calls
   DCERPC::fake_bind_multi_append   0                no        Set the number of UUIDs to append the target
   DCERPC::fake_bind_multi_prepend  0                no        Set the number of UUIDs to prepend before the target
   DCERPC::max_frag_size            4096             yes       Set the DCERPC packet fragmentation size
   DCERPC::smb_pipeio               rw               no        Use a different delivery method for accessing named pipes (Accepted: rw, trans)
   SMB::obscure_trans_pipe_level    0                yes       Obscure PIPE string in TransNamedPipe (level 0-3)
   SMB::pad_data_level              0                yes       Place extra padding between headers and data (level 0-3)
   SMB::pad_file_level              0                yes       Obscure path names used in open/create (level 0-3)
   SMB::pipe_evasion                false            yes       Enable segmented read/writes for SMB Pipes
   SMB::pipe_read_max_size          1024             yes       Maximum buffer size for pipe reads
   SMB::pipe_read_min_size          1                yes       Minimum buffer size for pipe reads
   SMB::pipe_write_max_size         1024             yes       Maximum buffer size for pipe writes
   SMB::pipe_write_min_size         1                yes       Minimum buffer size for pipe writes
   TCP::max_send_size               0                no        Maxiumum tcp segment size. (0 = disable)
   TCP::send_delay                  0                no        Delays inserted before every send. (0 = disable)
Error Messages
This module may fail with the following error messages:
- This system accepts authentication with random credentials, brute force is ineffective.
- This system does not accept authentication with random credentials, proceeding with brute force
- Account lockout detected on '<RESULT.CREDENTIAL.PUBLIC>', aborting.
- Account lockout detected on '<RESULT.CREDENTIAL.PUBLIC>', skipping this user.
- Correct credentials, but unable to login: '<RESULT.CREDENTIAL>', <RESULT.PROOF>
- Could not connect
- Failed: '<RESULT.CREDENTIAL>', <RESULT.PROOF>
Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.
This system accepts authentication with random credentials, brute force is ineffective.
Here is a relevant code snippet related to the "This system accepts authentication with random credentials, brute force is ineffective." error message:
  bogus_result = @scanner.attempt_bogus_login(domain)
  if bogus_result.success?
    if bogus_result.access_level == Metasploit::Framework::LoginScanner::SMB::AccessLevels::GUEST
      print_status("This system allows guest sessions with random credentials")
    else
      print_error("This system accepts authentication with random credentials, brute force is ineffective.")
      return
    end
  else
    vprint_status('This system does not accept authentication with random credentials, proceeding with brute force')
  end
This system does not accept authentication with random credentials, proceeding with brute force
Here is a relevant code snippet related to the "This system does not accept authentication with random credentials, proceeding with brute force" error message:
    else
      print_error("This system accepts authentication with random credentials, brute force is ineffective.")
      return
    end
  else
    vprint_status('This system does not accept authentication with random credentials, proceeding with brute force')
  end
end

cred_collection = build_credential_collection(
  realm: domain,
Account lockout detected on '<RESULT.CREDENTIAL.PUBLIC>', aborting.
Here is a relevant code snippet related to the "Account lockout detected on '<RESULT.CREDENTIAL.PUBLIC>', aborting." error message:

@scanner.scan! do |result|
  case result.status
  when Metasploit::Model::Login::Status::LOCKED_OUT
    if datastore['ABORT_ON_LOCKOUT']
      print_error("Account lockout detected on '#{result.credential.public}', aborting.")
      return
    else
      print_error("Account lockout detected on '#{result.credential.public}', skipping this user.")
    end

Account lockout detected on '<RESULT.CREDENTIAL.PUBLIC>', skipping this user.
Here is a relevant code snippet related to the "Account lockout detected on '<RESULT.CREDENTIAL.PUBLIC>', skipping this user." error message:
  when Metasploit::Model::Login::Status::LOCKED_OUT
    if datastore['ABORT_ON_LOCKOUT']
      print_error("Account lockout detected on '#{result.credential.public}', aborting.")
      return
    else
      print_error("Account lockout detected on '#{result.credential.public}', skipping this user.")
    end

  when Metasploit::Model::Login::Status::DENIED_ACCESS
    print_brute :level => :status, :ip => ip, :msg => "Correct credentials, but unable to login: '#{result.credential}', #{result.proof}"
    report_creds(ip, rport, result)
Correct credentials, but unable to login: '<RESULT.CREDENTIAL>', <RESULT.PROOF>
Here is a relevant code snippet related to the "Correct credentials, but unable to login: '<RESULT.CREDENTIAL>', <RESULT.PROOF>" error message:
    else
      print_error("Account lockout detected on '#{result.credential.public}', skipping this user.")
    end

  when Metasploit::Model::Login::Status::DENIED_ACCESS
    print_brute :level => :status, :ip => ip, :msg => "Correct credentials, but unable to login: '#{result.credential}', #{result.proof}"
    report_creds(ip, rport, result)
    :next_user
  when Metasploit::Model::Login::Status::SUCCESSFUL
    print_brute :level => :good, :ip => ip, :msg => "Success: '#{result.credential}' #{result.access_level}"
    report_creds(ip, rport, result)
Could not connect
Here is a relevant code snippet related to the "Could not connect" error message:
    print_brute :level => :good, :ip => ip, :msg => "Success: '#{result.credential}' #{result.access_level}"
    report_creds(ip, rport, result)
    :next_user
  when Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
    if datastore['VERBOSE']
      print_brute :level => :verror, :ip => ip, :msg => "Could not connect"
    end
    invalidate_login(
      address: ip,
      port: rport,
      protocol: 'tcp',
Failed: '<RESULT.CREDENTIAL>', <RESULT.PROOF>
Here is a relevant code snippet related to the "Failed: '<RESULT.CREDENTIAL>', <RESULT.PROOF>" error message:
      status: result.status
    )
    :abort
  when Metasploit::Model::Login::Status::INCORRECT
    if datastore['VERBOSE']
      print_brute :level => :verror, :ip => ip, :msg => "Failed: '#{result.credential}', #{result.proof}"
    end
    invalidate_login(
      address: ip,
      port: rport,
      protocol: 'tcp',
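The snippets above dispatch on result.status, and the ABORT_ON_LOCKOUT and STOP_ON_SUCCESS options from the Options section decide what the run does next. As an added example that is not the module's own code, the Ruby below replays a constructed sequence of login results through a simplified model of that dispatch (Result, Status and replay_scan are names invented here) and returns the actions taken plus the number of guesses each account absorbed, which is what someone reviewing a test run or tuning lockout thresholds wants to see.

```ruby
# Added example, not code from the smb_login module: an offline model of the
# scan! dispatch shown in the snippets above. Result, Status and replay_scan are
# names invented here; the status handling mirrors the module's case statement.
Result = Struct.new(:user, :pass, :status, :proof)

module Status
  SUCCESSFUL        = :successful
  INCORRECT         = :incorrect
  LOCKED_OUT        = :locked_out
  DENIED_ACCESS     = :denied_access
  UNABLE_TO_CONNECT = :unable_to_connect
end

# Replays results for one host. Returns the actions taken (:failed, :report,
# :skip_user, :abort, :stop_host) and how many guesses each account received.
def replay_scan(results, abort_on_lockout: false, stop_on_success: false)
  log = []
  guesses = Hash.new(0)
  done = {}                          # users the module moved past (:next_user / skip)
  results.each do |r|
    next if done[r.user]
    guesses[r.user] += 1
    case r.status
    when Status::LOCKED_OUT
      if abort_on_lockout            # ABORT_ON_LOCKOUT=true: the whole run stops here
        log << [:abort, r.user]
        break
      end
      log << [:skip_user, r.user]    # default (false): only this user is skipped
      done[r.user] = true
    when Status::DENIED_ACCESS       # valid credential but no session: still recorded
      log << [:report, r.user, r.pass]
      done[r.user] = true
    when Status::SUCCESSFUL
      log << [:report, r.user, r.pass]
      done[r.user] = true
      if stop_on_success             # STOP_ON_SUCCESS=true: stop guessing this host
        log << [:stop_host]
        break
      end
    when Status::UNABLE_TO_CONNECT   # connection lost: the host is abandoned
      log << [:abort, :host]
      break
    when Status::INCORRECT
      log << [:failed, r.user, r.pass]
    end
  end
  { log: log, guesses: guesses }
end

# Constructed sample run: "svc" locks out on its third guess, then "root" succeeds.
SAMPLE = [
  Result.new("svc",  "a",      Status::INCORRECT,  "STATUS_LOGON_FAILURE"),
  Result.new("svc",  "b",      Status::INCORRECT,  "STATUS_LOGON_FAILURE"),
  Result.new("svc",  "c",      Status::LOCKED_OUT, "STATUS_ACCOUNT_LOCKED_OUT"),
  Result.new("svc",  "d",      Status::INCORRECT,  "STATUS_LOGON_FAILURE"),
  Result.new("root", "monkey", Status::SUCCESSFUL, ""),
  Result.new("root", "other",  Status::INCORRECT,  "STATUS_LOGON_FAILURE"),
].freeze

if __FILE__ == $PROGRAM_NAME
  [false, true].each do |abort|
    out = replay_scan(SAMPLE, abort_on_lockout: abort)
    puts "ABORT_ON_LOCKOUT=#{abort}: #{out[:log].inspect} guesses=#{out[:guesses].inspect}"
  end
end
```

With the default ABORT_ON_LOCKOUT=false the locked-out account is skipped and the run carries on to the next user; with it set to true the run ends at the first lockout and later accounts receive no guesses at all.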
Related Pull Requests
- #13015 Merged Pull Request: Enable usage of usernames in cred collections
- #12022 Merged Pull Request: Deregister PASSWORD_SPRAY option for LoginScanner modules
- #11941 Merged Pull Request: Add module aliases
- #11523 Merged Pull Request: MSF5: Remove unneeded RHOST deregister in scanners
- #10925 Merged Pull Request: smb_login error/status message
- #10375 Merged Pull Request: Modify options for smb_login
- #9058 Merged Pull Request: Make smb_login scanner proxy-aware again
- #8716 Merged Pull Request: Print_Status -> Print_Good (And OCD bits 'n bobs)
- #8338 Merged Pull Request: Fix msf/core and self.class msftidy warnings
- #8238 Merged Pull Request: Feature/ms 2636/smb2 login permissions check
- #7672 Merged Pull Request: Fix #7671, support LOCKED_OUT and DISABLED login status
- #7665 Merged Pull Request: prevent further lockouts in smb_login
- #7251 Merged Pull Request: Added code to assign CPORT value to the parent scanner object
- #7238 Merged Pull Request: Add DETECT_ANY_AUTH to smb_login
- #6950 Merged Pull Request: Fix #6948, avoid printing rhost:rport twice when using Msf::Exploit::Remote::SMB::Client
- #6655 Merged Pull Request: use MetasploitModule as a class name
- #6648 Merged Pull Request: Change metasploit class names
- #6216 Merged Pull Request: Resolve 'duplicate key' warning for some modules
- #5995 Merged Pull Request: Use datastore advanced options on Metasploit::Framework::LoginScanner::SMB
- #4768 Merged Pull Request: Reorganize SMB mixins
- #4737 Merged Pull Request: Preserve Context in LoginScanner socket calls, fixes #4723
- #4364 Merged Pull Request: Modules should respect bruteforce_speed again
- #4057 Merged Pull Request: Re-eneable tcp evasions in some LoginScanners
See Also
Check also the following modules related to this module:
- auxiliary/scanner/mssql/mssql_login
- auxiliary/scanner/vnc/vnc_login
- auxiliary/scanner/smb/smb_enum_gpp
- auxiliary/scanner/smb/smb_enumshares
- auxiliary/scanner/smb/smb_enumusers
- auxiliary/scanner/smb/smb_enumusers_domain
- auxiliary/scanner/smb/smb_lookupsid
- auxiliary/scanner/smb/smb_ms17_010
- auxiliary/scanner/smb/smb_uninit_cred
- auxiliary/scanner/smb/smb_version
- auxiliary/scanner/smb/impacket/dcomexec
- auxiliary/scanner/smb/impacket/secretsdump
- auxiliary/scanner/smb/impacket/wmiexec
- auxiliary/scanner/smb/pipe_auditor
- auxiliary/scanner/smb/pipe_dcerpc_auditor
- auxiliary/scanner/smb/psexec_loggedin_users
- auxiliary/dos/smb/smb_loris
- auxiliary/fuzzers/smb/smb_create_pipe
- auxiliary/fuzzers/smb/smb_create_pipe_corrupt
- auxiliary/fuzzers/smb/smb_negotiate_corrupt
- auxiliary/fuzzers/smb/smb_ntlm1_login_corrupt
- auxiliary/fuzzers/smb/smb_tree_connect
- auxiliary/fuzzers/smb/smb_tree_connect_corrupt
- exploit/windows/smb/smb_delivery
- exploit/windows/smb/smb_doublepulsar_rce
- exploit/windows/smb/smb_relay
- exploit/windows/smb/smb_rras_erraticgopher
- exploit/windows/smb/smb_shadow
- post/linux/busybox/smb_share_root
- auxiliary/scanner/sap/sap_smb_relay
- exploit/dialup/multi/login/manyargs
Authors
- tebo <tebo[at]attackresearch.com>
- Ben Campbell
- Brandon McCann "zeknox" <bmccann[at]accuvant.com>
- Tom Sellers <tom[at]fadedcode.net>
Version
This page has been produced using Metasploit Framework version 6.1.28-dev. For more modules, visit the Metasploit Module Library.