This article was written by Tan Kean Siong during his gsoc2010 project - improving dionaeas smb stack - I just fixed some typos and formatted it - Markus
The Metasploit Framework is one of the most popular open source penetration testing framework with the world's largest database of public, tested exploits. Metasploit was created in 2003 using the Perl scripting language, lateron the framework was rewritten in the Ruby programming language.
The usage of the framework is user-friendly and the exploitation can be done by the workflow of:
choosing the exploit
configuring the payload
execute the exploit.
This modularity, allowing all combinations of any exploit with any payload is the major advantage of the Framework. It facilitates the tasks of attackers, exploit writers, and payload writers, thus it emerge as the de facto vulnerability development framework in these days.
During the exploitation process, it is often required to know the exact version of the target’s operating system. Often exploits need to be customized to adapt to the particular OS environment, therefore knowing the remote operating system increase success rate of the attack.
Metasploit has includes comprehensive OS fingerprinting support for the Microsoft Windows operating system.
Metasploit can retrieve:
the version of the operating system
version of the service pack
and the installed network services.
Dionaea need to support these fingerprinting method, as malware may adapt this remote version fingerprinting in the future.
Metasploit has its own set of OS fingerprinting method based on SMB protocol. The fingerprinting operation can be found in metasploit /lib/msf/core/exploit/smb.rb.
The smb_fingerprint() function is the most interesting to us.
The OS version fingerprint process can be explained briefly as below:
The target’s operating system can be first observed from the SMB Sesssion Setup AndX Response. The NativeOS
field will indicated the OS
If the target’s OS
is “Windows XP”, “\\SRVSVC”
pipe will be tested Windows XP SP2+ will block the pipe and SP 0/1 will allow it.
If the target’s OS
is “Windows 2000”, “\\LLSRPC”
pipe will be tested. Windows 2000 'Service Pack 4 with MS05-010+' will return error and the 'Service Pack 0 - 4' will react to the pipe.
For Windows XP Service Pack version, the target can be further confirm:
with dcerpc call opnum 0x22 in SRVSVC (NetprNameCanonicalize):
SP 0/1 - will response it correct
SP2+ - dcerpc exception fault will happen
with dcerpc call opnum 0x1c in SRVSVC (NetrRemoteTOD)
SP3 - the first 4 bytes of the StubData is “\x00\x00\x02\x00”
SP2 - the first 4 bytes of the StubData is not ”\x00\x00\x02\x00”
The process can simplified in the figure as below:
The fingerprinting method has studied by refer to smb.rb (Revision 8941).
Further details please refer to lib/msf/core/exploit/smb.rb:142@r8941
To support Metasploit's fingerprinting, Dionaea got support for the dcerpc calls that are needed during the process such as NetprNameCanonicalize and NetrRemoteTOD in SRVSVC, EnumPrinter in SPOOLSS.
Currently, Dionaea can be configured to be a Windows XP SP 0/1, SP 2, or SP3. The language supported is English only. As default, Dionaea has configured as a legitimate Windows XP Service Pack 2, English version.
To set the Service Pack version, simply change the OS_TYPE value to 1, 2 or 3, as each represent:
1 = Windows XP Service Pack 0/1
2 = Windows XP Service Pack 2
3 = Windows XP Service Pack 3