Add a check method to the smb_relay module

zeroSteiner · zeroSteiner · commit 2e4bc2c6d5b1 · 2024-11-12T09:14:51.000-05:00
diff --git a/docs/metasploit-framework.wiki/ad-certificates/Attacking-AD-CS-ESC-Vulnerabilities.md b/docs/metasploit-framework.wiki/ad-certificates/Attacking-AD-CS-ESC-Vulnerabilities.md
@@ -892,7 +892,7 @@ In the following example the AUTO mode is used to issue a certificate for the MS
 authenticated.
 
 ```msf
-msf6 auxiliary(server/relay/esc8) > set RELAY_TARGETS 172.30.239.85
+msf6 auxiliary(server/relay/esc8) > set RHOSTS 172.30.239.85
 msf6 auxiliary(server/relay/esc8) > run
 [*] Auxiliary module running as background job 1.
 msf6 auxiliary(server/relay/esc8) > 
diff --git a/modules/exploits/windows/smb/smb_relay.rb b/modules/exploits/windows/smb/smb_relay.rb
@@ -201,7 +201,7 @@ def run_psexec(relay_connection)
     framework.threads.spawn(thread_name, false, new_mod_instance) do |mod_instance|
       mod_instance.exploit_smb_target
     rescue StandardError => e
-      print_error("Failed running psexec against target #{datastore['RHOST']} - #{e.class} #{e.message}")
+      print_error("Failed running psexec against target #{relay_connection.target.ip} - #{e.class} #{e.message}")
       elog(e)
       # ensure
       #   # Note: Don't cleanup explicitly, as the shared replicant state leads to payload handlers etc getting closed.
@@ -213,12 +213,31 @@ def run_psexec(relay_connection)
   def relay_targets
     Msf::Exploit::Remote::SMB::Relay::TargetList.new(
       :smb,
-      445,
+      rport,
       datastore['RHOSTS'],
       randomize_targets: datastore['RANDOMIZE_TARGETS']
     )
   end
 
+  def check_host(target_ip)
+    generic_message = 'Failed to connect and negotiate an SMB connection.'
+    begin
+      simple = connect(false, direct: true)
+      protocol = simple.client.negotiate
+    rescue Rex::Proto::SMB::Exceptions::Error, RubySMB::Error::RubySMBError, Errno::ECONNRESET
+      return Exploit::CheckCode::Unknown(generic_message)
+    rescue ::Exception => e # rubocop:disable Lint/RescueException
+      elog(generic_message, error: e)
+      return Exploit::CheckCode::Unknown(generic_message)
+    end
+
+    if simple.signing_required
+      return Exploit::CheckCode::Safe('Signing is required by the target server.')
+    end
+
+    Exploit::CheckCode::Vulnerable('Signing is not required by the target server.')
+  end
+
   # Called after a successful connection to a relayed host is opened
   def exploit_smb_target
     # automatically select an SMB share unless one is explicitly specified
@@ -283,4 +302,7 @@ def session_setup(client)
     s
   end
 
+  def rport
+    445
+  end
 end
