MS-CIFS 2.2.4.64.2 vs MS-SMB 2.2.4.9.2 (WC: 34, 42 & 50) #295

Merged: smcintyre-r7 merged 1 commit into rapid7:master from g0tmi1k:wc on Apr 22, 2026

@g0tmi1k
Contributor

@g0tmi1k g0tmi1k commented Apr 21, 2026

This came about due to https://github.com/rapid7/metasploit-framework/pull/21345/changes/BASE..e6ae2314cec27286542a830eb813877d1b88c4cc#r3118623808

As a result, no longer have to use rex on smb1 (target is Metasploitable 2)

Before

msf > use auxiliary/scanner/smb/smb_enumshares
[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
msf auxiliary(scanner/smb/smb_enumshares) > run
[*] 10.0.0.10:139 - Connecting using SMB v1 via ruby_smb
[-] 10.0.0.10:139 - Invalid packet received when trying to enumerate shares - The response seems to be an SMB1 NtCreateAndxResponse but an error occurs while parsing it. It is probably missing the required extended information.
[*] 10.0.0.10:445 - Connecting using SMB v1/2/3 via rex
[+] 10.0.0.10:445 - print$ - (DISK) Printer Drivers
[+] 10.0.0.10:445 - tmp - (DISK) oh noes!
[+] 10.0.0.10:445 - opt - (DISK)
[+] 10.0.0.10:445 - IPC$ - (IPC) IPC Service (metasploitable server (Samba 3.0.20-Debian))
[+] 10.0.0.10:445 - ADMIN$ - (IPC) IPC Service (metasploitable server (Samba 3.0.20-Debian))
[*] 10.0.0.10: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/smb/smb_enumshares) >

After

msf > use auxiliary/scanner/smb/smb_enumshares
[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
msf auxiliary(scanner/smb/smb_enumshares) > options

Module options (auxiliary/scanner/smb/smb_enumshares):

   Name                    Current Setting                         Required  Description
   ----                    ---------------                         --------  -----------
   HIGHLIGHT_NAME_PATTERN  username|password|user|pass|Groups.xml  yes       PCRE regex of resource names to highlight
   LogSpider               3                                       no        0 = disabled, 1 = CSV, 2 = table (txt), 3 = one liner (txt) (Accepted: 0, 1, 2, 3)
   MaxDepth                999                                     yes       Max number of subdirectories to spider
   Share                                                           no        Show only the specified share
   ShowFiles               false                                   yes       Show detailed information when spidering
   SpiderProfiles          true                                    no        Spider only user profiles when share is a disk share
   SpiderShares            false                                   no        Spider shares recursively


   Used when connecting via an existing SESSION:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   no        The session to run this module on


   Used when making a new connection via RHOSTS:

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOSTS     10.0.0.10        no        The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   SMBDomain  .                no        The Windows domain to use for authentication
   SMBPass                     no        The password for the specified username
   SMBUser                     no        The username to authenticate as
   THREADS    1                yes       The number of concurrent threads (max one per host)


View the full module info with the info, or info -d command.

msf auxiliary(scanner/smb/smb_enumshares) > run
[*] 10.0.0.10:139 - Connecting using SMB v1 via ruby_smb
[+] 10.0.0.10:139 - print$ - (DISK) Printer Drivers
[+] 10.0.0.10:139 - tmp - (DISK) oh noes!
[+] 10.0.0.10:139 - opt - (DISK)
[+] 10.0.0.10:139 - IPC$ - (IPC) IPC Service (metasploitable server (Samba 3.0.20-Debian))
[+] 10.0.0.10:139 - ADMIN$ - (IPC) IPC Service (metasploitable server (Samba 3.0.20-Debian))
[*] 10.0.0.10: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/smb/smb_enumshares) >

@smcintyre-r7
Contributor

Changes look good to me, thanks for making them. I'll give this a test tomorrow. One question though: in the before/after of the PR description, I see you're running the module against metasploitable and that with these changes the error about a bad packet should be omitted. My question is, when I test this, are these the only changes I need, or do I need to load your changes from 21345 in framework too?

@g0tmi1k
Contributor Author

g0tmi1k commented Apr 22, 2026

The above test was with both PRs in place - below is JUST this PR.

[*] Connected to the database specified in the YAML file
[*] Connected to msf. Connection type: postgresql. Connection name: OYGIkFxA.
[*] Deleted workspace: default
[*] Recreated the default workspace
VERBOSE => true
RHOSTS => 10.0.0.10
LHOST => tap0
msf > git branch -v
[*] exec: git branch -v

* master         9efc727462 automatic module_metadata_base.json update
  smb_enumshares e6ae2314ce smb_enumshares: Allow for SMB1 ruby_smb & rex backends
msf >
msf > use auxiliary/scanner/smb/smb_enumshares
[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
msf auxiliary(scanner/smb/smb_enumshares) >
msf auxiliary(scanner/smb/smb_enumshares) > options

Module options (auxiliary/scanner/smb/smb_enumshares):

   Name                    Current Setting                         Required  Description
   ----                    ---------------                         --------  -----------
   HIGHLIGHT_NAME_PATTERN  username|password|user|pass|Groups.xml  yes       PCRE regex of resource names to highlight
   LogSpider               3                                       no        0 = disabled, 1 = CSV, 2 = table (txt), 3 = one liner (txt) (Accepted: 0, 1, 2, 3)
   MaxDepth                999                                     yes       Max number of subdirectories to spider
   Share                                                           no        Show only the specified share
   ShowFiles               false                                   yes       Show detailed information when spidering
   SpiderProfiles          true                                    no        Spider only user profiles when share is a disk share
   SpiderShares            false                                   no        Spider shares recursively


   Used when connecting via an existing SESSION:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   no        The session to run this module on


   Used when making a new connection via RHOSTS:

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOSTS     10.0.0.10        no        The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   SMBDomain  .                no        The Windows domain to use for authentication
   SMBPass                     no        The password for the specified username
   SMBUser                     no        The username to authenticate as
   THREADS    1                yes       The number of concurrent threads (max one per host)


View the full module info with the info, or info -d command.

msf auxiliary(scanner/smb/smb_enumshares) >
msf auxiliary(scanner/smb/smb_enumshares) > run
[*] 10.0.0.10: - Connecting to the server...
[+] 10.0.0.10: - print$ - (DISK) Printer Drivers
[+] 10.0.0.10: - tmp - (DISK) oh noes!
[+] 10.0.0.10: - opt - (DISK)
[+] 10.0.0.10: - IPC$ - (IPC) IPC Service (metasploitable server (Samba 3.0.20-Debian))
[+] 10.0.0.10: - ADMIN$ - (IPC) IPC Service (metasploitable server (Samba 3.0.20-Debian))
[*] 10.0.0.10: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/smb/smb_enumshares) >

@smcintyre-r7
Contributor

I gave this a test without the framework changes. With a metasploitable 2 target, it fixes the error in the smb_enumshares module. With a Windows 2019 server target that has SMB1 enabled, the module fails both before and after the change.

I'll go ahead and merge this because it at least fixes the metasploitable 2 target.

@github-project-automation github-project-automation Bot moved this from Todo to In Progress in Metasploit Kanban Apr 22, 2026
@smcintyre-r7 smcintyre-r7 merged commit 11401ab into rapid7:master Apr 22, 2026
14 checks passed
@github-project-automation github-project-automation Bot moved this from In Progress to Done in Metasploit Kanban Apr 22, 2026
@g0tmi1k g0tmi1k deleted the wc branch April 22, 2026 18:24
@g0tmi1k
Contributor Author

g0tmi1k commented Apr 22, 2026

Thanks @smcintyre-r7!
It's on my todo list to re-build my (Windows) test lab at some point ;)
