  1. #!/usr/bin/env python
  2. # -*- coding: utf-8 -*-
  3. """ smb4av.py
  4.  
  5. smb4av uses NamedPipe calls to determine
  6. the running AntiVirus of the target.
  7.  
  8. Credits: @EquationGroup @ShadowBrokers
  9.  
  10. Author: marpie (marpie@a12d404.net)
  11.  
  12. TODO:
  13.  
  14. * Symantec Endpoint Protection 14.0
  15. * Symantec Endpoint Protection Cloud 22.14
  16. * McAfee Endpoint Security 10.5
  17. * Trend Micro Office Scan 12.0
  18. * Kaspersky Lab Endpoint Security 11.0
  19. * Kaspersky Lab Small Office Security 5 & 6
  20. * Sophos Endpoint Security and Control 10.8
  21. * F-Secure PSB Computer Protection 18.4 & 18.5
  22. * Carbon Black Defense 3.2
  23. * Avast Antivirus Business 18.2 & 18.4
  24. * Bitdefender Endpoint Security 6.2 & 6.6
  25. * Bitdefender Endpoint Security Elite 6.2 & 6.6
  26. * G Data AntiVirus Business 14.1
  27. * Palo Alto Networks Traps 5.0
  28. * Seqrite Endpoint Security 17.00
  29.  
  30.  
  31. Last Update: 20180907
  32. Created: 20180905
  33.  
  34. """
  35. import argparse
  36. import json
  37. import sys
  38.  
  39. try:
  40. from impacket.dcerpc.v5 import transport, srvs
  41. from impacket.smbconnection import *
  42. from impacket.nt_errors import ERROR_MESSAGES
  43. except ModuleNotFoundError:
  44. sys.stderr.write("[E] Impacket is required!\n")
  45. sys.exit(1)
  46.  
# Version Information
__version__ = "0.0.1"
__program__ = "smb4av v{}".format(__version__)
__author__ = "marpie"
__email__ = "marpie+smb4av@a12d404.net"
__license__ = "BSD License"
__copyright__ = "Copyright 2018, a12d404.net"
# One of "Prototype", "Development", "Testing", "Production".
__status__ = "Prototype"
  55.  
  56. #SCRIPT_PATH = os.path.dirname( os.path.realpath( __file__ ) )
  57.  
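KNOWN_PIPES = (
    # Format:
    #   category, pipe_name, description
    #
    # Every entry is one open attempt on the target's IPC$ share (see
    # PipeCheck.check_pipe), so the table is kept free of exact duplicates:
    # they only repeat the same probe and the same output line. Entries that
    # share a pipe name but carry a different description are kept on purpose.

    # Windows Operating System Pipes
    ('os', 'browser', 'OS Pipe: computer browser',),
    ('os', 'lsarpc', 'OS Pipe: lsass rpc',),
    ('os', 'spoolss', 'OS Pipe: print spooler',),
    ('os', 'MsFteWds', 'OS Pipe: Search Indexer',),
    ('os', 'LSM_API_service', 'OS Pipe: Terminal Server Services',),
    ('os', 'netdfs', 'OS Pipe: DFS',),
    ('os', 'winreg', 'OS Pipe: Remote Registry',),
    ('os', 'scerpc', 'OS Pipe: Security Configuration Editor',),
    # AV Products
    # source: Equation Group
    ('av', '360OnAccessGet', '360 Safe',),
    ('av', '360OnAccessSet', '360 Safe',),
    ('av', '__fships_hook_server__', 'FSecure 2010',),
    ('av', '__fships_injector__', 'FSecure 2010',),
    ('av', '_pspuser_3620_AVGIDSMONITOR.EXE_9fde9445-f261-4985-a056-fb033d1a64cd', 'AVG IS 9.0.646',),
    ('av', '_pspuser_780_AVGIDSMONITOR.EXE_9d97da47-8de1-4699-b3da-9eafb262f2a4', 'AVG IS 8.5',),
    ('av', 'acsipc_server', 'Outpost Security Suite Pro',),  # does not need to be 2009 v6.5, could also be 8.1, etc.
    ('av', 'afwCallbackPipe2', 'Avast Internet Security 5.0',),
    ('av', 'aswUpdSv', 'alwil Avast professional 4.8 Avast Internet Security v5.0',),
    ('av', 'aswUpdSv', 'Avast pro 4.8 or Avast IS v5.0',),
    ('av', 'AveSvc_EngineDienst200705311802', 'avira antivirus personal edition premium v7.06, avira premium security suite v7',),
    ('av', 'AveSvc_EngineService2008', 'Avira premium security suite v8',),
    ('av', 'AVG-CHJW-0B47172B-B945-42f8-AA88-8D4F98F660DB', 'AVG IS 9.0.646',),
    ('av', 'AVG-CHJW-C81C2B71-E0F0-44cb-B6A7-15999D0F539A', 'AVG IS 9.0.646',),
    ('av', 'AVG7B14C58C-E30D-11DB-B553-F88A56D89593', 'AVG IS 8.5',),
    ('av', 'AvgFw.WDCommunicationPipe', 'AVG IS 9.0.646',),
    ('av', 'AvgFw.WDCommunicationPipe1', 'AVG IS 9.0.646',),
    ('av', 'AvgFw.WDCommunicationPipe2', 'AVG IS 9.0.646',),
    ('av', 'AvgFwS8.WDCommunicationPipe', 'AVG IS 8.5-9.0',),
    ('av', 'AvgFwS8.WDCommunicationPipe1', 'AVG IS 8.5',),
    ('av', 'AvgFwS8.WDCommunicationPipe2', 'AVG IS 8.5',),
    ('av', 'AvgTrayPipeName000176', 'AVG IS 8.5',),
    ('av', 'AvgTrayPipeName0001761', 'AVG IS 8.5',),
    ('av', 'AvgTrayPipeName0001762', 'AVG IS 8.5',),
    ('av', 'AvgTrayPipeName000840', 'AVG IS 9.0.646',),
    ('av', 'AvgTrayPipeName0008401', 'AVG IS 9.0.646',),
    ('av', 'AvgTrayPipeName0008402', 'AVG IS 9.0.646',),
    ('av', 'avguard01', 'avira premium sec suite v8',),
    ('av', 'AvgUIPipeName002788', 'AVG IS 9.0.646',),
    ('av', 'AvgUIPipeName0027881', 'AVG IS 9.0.646',),
    ('av', 'AvgUIPipeName0027882', 'AVG IS 9.0.646',),
    ('av', 'AVSCAN_REP_000000000000c883', 'avira premium sec suite v8',),
    ('av', 'AVWebCatServer0', 'avira premium sec suite v8',),
    ('av', 'AVWebGuardServer', 'avira premium sec suite v8',),
    ('av', 'AVWebProtServer0', 'avira premium sec suite v8',),
    ('av', 'bdantiphishing', 'BitDefender 2010 v13',),
    ('av', 'bdantiphishing', 'BitDefender TotalSec 2010 v13.0.11',),
    ('av', 'bdantispam', 'BitDefender TotalSec 2010 v13.0.11',),
    ('av', 'EXTREG', 'BitDefender TotalSec 2010 v13.0.11',),
    ('av', 'Global\\PNMIPC_SH_IPT-WebProxy', 'Panda IS 2010 v15',),
    ('av', 'LIVESRV', 'BitDefender TotalSec 2010 v13.0.11 Bit Defender Total Security 2009',),
    ('av', 'MIDASCOMM_SERVER', 'BitDefender TotalSec 2010 v13.0.11 Bit Defender Total Security 2009',),
    ('av', 'nai_vseconsole01', 'McAfee 8.7i',),
    ('av', 'NP2970625197SRV', 'TrendMicro IS 2010 v17.50',),
    ('av', 'pavfnlpc', 'Panda IS 2010 v15',),
    ('av', 'PavTPU\\TPK_Event_1504', 'Panda IS 2010 v15',),
    ('av', 'rcn_18871562230061', 'FSecure 2010',),
    ('av', 'rcn_47843719166', 'FSecure 2010',),
    ('av', 'rcn_49140823412', 'FSecure 2010',),
    ('av', 'rcn_491711751329', 'FSecure 2010',),
    ('av', 'rcn_50406860721', 'FSecure 2010',),
    ('av', 'rcn_507341306237', 'FSecure 2010',),
    ('av', 'rcn_51109653602', 'FSecure 2010',),
    ('av', 'rcn_520781201855', 'FSecure 2010',),
    ('av', 'rcn_520932065562', 'FSecure 2010',),
    ('av', 'rcn_520932267096', 'FSecure 2010',),
    ('av', 'rcn_522811486723', 'FSecure 2010',),
    ('av', 'rcn_530461792332', 'FSecure 2010',),
    ('av', 'rcn_53156781683', 'FSecure 2010',),
    ('av', 'rcn_564531165073', 'FSecure 2010',),
    ('av', 'rcn_580461750377', 'FSecure 2010',),
    ('av', 'rcn_621562061643', 'FSecure 2010',),
    ('av', 'rcn_637501693024', 'FSecure 2010',),
    ('av', 'rcn_63750782962', 'FSecure 2010',),
    ('av', 'rcn_647032361703', 'FSecure 2010',),
    ('av', 'rcn_655781047893', 'FSecure 2010',),
    ('av', 'rcn_655931694327', 'FSecure 2010',),
    ('av', 'rcn_662811357824', 'FSecure 2010',),
    ('av', 'rcn_67953938451', 'FSecure 2010',),
    ('av', 'rcn_682651449794', 'FSecure 2010',),
    ('av', 'rcn_685151921711', 'FSecure 2010',),
    ('av', 'SERVERPIPENAME', 'Avira premium sec suite v8',),
    ('av', 'Sophos@BOPSv3', 'Sophos 9.0',),
    ('av', 'Symantec Core LC', 'Norton IS 2008',),
    ('av', 'Symantec_{586D4B8E-3DBB-4E4O-9A7E-4670F760FAC4}_{0C55C096-0F1D-4F28-AAA2-85EF591126E7}', 'Norton360 v4; Norton IS 2009; Norton IS 2010; Norton 360 v4',),
    ('av', 'Symantec_{EF903280-DA47-4C1B-99F8-EC15E7900956}_{0C55C096-0F1D-4F28-AAA2-85EF591126E7}', 'Norton360 v4',),
    ('av', 'Symantec_{F9698F61-2E57-469B-B29B-1EFB17827356}_{0C55C096-0F1D-4F28-AAA2-85EF591126E7}', 'Norton Internet Security 2010',),
    ('av', 'VSSERV', 'BitDefender TotalSec 2010 v13.0.11 Bit Defender Total Security 2009',),
    # Other Products
    ('driver', 'EnhCallerService', 'Synaptics Touchpad',),
    ('pim', 'PBEQOwnNotes', 'QOwnNotes Note Taking Application',),
    ('cloud_storage', 'TresoritGui2', 'Tresorit for Windows',),
    ('dev', 'VSCode Crash Service', 'Visual Studio Code',),
    ('hypervisor', 'vmware-usbarbpipe', 'VMWare Host',),
    ('remote_admin', 'PlughNTCommand', 'Timbuktu Pro',),
    ('security_firewall', 'TinyWallController', 'TinyWall',),
    ('system_management', 'OVSystem', 'HP OpenView Network Node Manager',),
    ('system_management', 'SUPipeServer', 'Lenovo System Update',),
    ('vpn', 'IPEFSYSPCPIPE', 'iPass Mobile Client',),
    ('sandbox', 'cuckoo', 'Cuckoo Sandbox',),
    ('webserver', 'Powershell-Proxy-NamedPipe', 'Microsoft Exchange (IIS Process - MSExchangePowerShellAppPool)',),
)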
  168.  
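class PipeCheck(transport.DCERPCTransport):
    """Minimal ncacn_np-style transport used only to open named pipes on IPC$.

    Unlike a real DCE/RPC transport no RPC binding is performed: ``connect()``
    establishes the SMB session and a tree connect to ``IPC$``, and
    ``check_pipe()`` attempts to open one pipe by name and reports the NT
    status of that attempt.
    """

    def __init__(self, remoteName, dstport=445, username='', password='', domain='', lmhash='', nthash='',
                 aesKey='', TGT=None, TGS=None, remote_host='', doKerberos=False, kdcHost=None):
        """Store target and credentials; nothing is sent until ``connect()``.

        Args:
            remoteName: host name (or IP) of the SMB server.
            dstport: SMB port, 445 by default.
            username, password, domain, lmhash, nthash, aesKey, TGT, TGS:
                credential material forwarded to ``set_credentials``.
            remote_host: optional address used for the TCP connection instead
                of ``remoteName``.
            doKerberos: use ``kerberosLogin`` instead of the NTLM ``login``.
            kdcHost: KDC to contact when ``doKerberos`` is set.
        """
        transport.DCERPCTransport.__init__(self, remoteName, dstport)
        self.__tid = 0
        self.set_credentials(username, password, domain, lmhash, nthash, aesKey, TGT, TGS)
        self._doKerberos = doKerberos
        self._kdcHost = kdcHost

        if remote_host != '':
            self.setRemoteHost(remote_host)

        self.__prefDialect = None
        self.__smb_connection = None

    def connect(self):
        """Open the SMB session (once) and connect to the IPC$ tree.

        Returns:
            1, as the original transport contract expects.

        Raises:
            Whatever ``SMBConnection``, ``login``/``kerberosLogin`` or
            ``connectTree`` raise, e.g. ``SessionError`` on bad credentials.
        """
        # Reuse an existing session; only the tree connect is repeated.
        if self.__smb_connection is None:
            self.__smb_connection = SMBConnection(self.getRemoteName(), self.getRemoteHost(),
                                                  sess_port=self.get_dport(),
                                                  preferredDialect=self.__prefDialect)
            if self._doKerberos is False:
                self.__smb_connection.login(self._username, self._password, self._domain,
                                            self._lmhash, self._nthash)
            else:
                self.__smb_connection.kerberosLogin(self._username, self._password, self._domain,
                                                    self._lmhash, self._nthash, self._aesKey,
                                                    kdcHost=self._kdcHost, TGT=self._TGT,
                                                    TGS=self._TGS)
        self.__tid = self.__smb_connection.connectTree('IPC$')
        return 1

    def check_pipe(self, pipe_name):
        """Try to open ``pipe_name`` on IPC$ and return the NT status of the attempt.

        Args:
            pipe_name: pipe name with or without the leading backslash.

        Returns:
            0 when the open succeeded (the pipe exists and could be opened),
            otherwise the NT status code carried by the ``SessionError``
            (e.g. 0xC0000034 STATUS_OBJECT_NAME_NOT_FOUND or 0xC0000022
            STATUS_ACCESS_DENIED; the latter generally means the pipe exists
            but this session may not open it).

        Raises:
            RuntimeError: if ``connect()`` has not been called.
            Any exception other than ``SessionError`` raised by the SMB layer.
        """
        if self.__smb_connection is None:
            raise RuntimeError("connect() must be called before check_pipe()")
        # startswith() also copes with an empty name, where indexing [0] would fail.
        if not pipe_name.startswith('\\'):
            pipe_name = '\\' + pipe_name
        try:
            hFile = self.__smb_connection.openFile(self.__tid, pipe_name)
        except SessionError as e:
            return e.getErrorCode()
        # A successful open holds a handle on the target; release it right away.
        # Errors from closeFile are left to propagate, as before.
        if hFile is not None:
            self.__smb_connection.closeFile(self.__tid, hFile)
        return 0

    def disconnect(self):
        """Disconnect the IPC$ tree, log off and close the SMB connection.

        Safe to call more than once; the connection is dropped even when the
        tree disconnect or logoff fails.
        """
        if self.__smb_connection is None:
            return
        try:
            self.__smb_connection.disconnectTree(self.__tid)
            self.__smb_connection.logoff()
        finally:
            self.__smb_connection.close()
            self.__smb_connection = None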
  222.  
class Result(object):
    """Outcome of probing one named pipe on one host.

    ``status`` is the raw NT status code returned by ``PipeCheck.check_pipe``;
    ``status_text`` is its human-readable rendering, computed once at
    construction. ``str()`` yields all public attributes as one JSON object.
    """

    def __init__(self, hostname, category, pipe, description, status):
        self.hostname = hostname
        self.category = category
        self.pipe = pipe
        self.description = description
        self.status = status
        # Derived from status, so it must be assigned last.
        self.status_text = self.__status_text()

    def __str__(self):
        # vars() is the instance __dict__: every public attribute above.
        return json.dumps(vars(self))

    def __status_text(self):
        """Render ``self.status`` as a short label; unknown codes go through error_to_str()."""
        code = self.status
        if code == 0x00000000:
            # STATUS_SUCCESS: the open succeeded, so the pipe is present.
            return "FOUND"
        if code == 0xC0000034:
            # STATUS_OBJECT_NAME_NOT_FOUND
            return "NOT FOUND"
        if code == 0xC0000022:
            # STATUS_ACCESS_DENIED: the pipe could not be opened with this session.
            return "ACCESS DENIED"
        # Whatever error_to_str() provides: impacket's (NAME, description)
        # pair or its UNKNOWN fallback.
        return error_to_str(code)
  248.  
def output(s):
    """Write ``s`` on its own line to stderr, keeping stdout for the JSON results."""
    line = "".join((s, "\n"))
    sys.stderr.write(line)
  251.  
def error_to_str(code):
    """Look up ``code`` in impacket's ``ERROR_MESSAGES`` table.

    Returns the table's ``(NAME, description)`` entry, or
    ``("UNKNOWN", "Unknown Error Code (0x...)")`` when the code is not listed.
    """
    fallback = ("UNKNOWN", "Unknown Error Code ({})".format(hex(code)))
    return ERROR_MESSAGES.get(code, fallback)
  257.  
def check_host(host, domain, username, password):
    """Probe every KNOWN_PIPES entry on ``host`` and yield one Result per entry.

    A single SMB session is set up before the first probe and torn down in a
    ``finally`` block, so it is released when the generator is exhausted,
    closed early, or aborted by an exception.

    Args:
        host: target host name or IP.
        domain, username, password: credentials for the SMB login.

    Yields:
        Result objects in KNOWN_PIPES order.
    """
    checker = PipeCheck(host, domain=domain, username=username, password=password)
    checker.connect()
    try:
        for entry in KNOWN_PIPES:
            category, pipe_name, description = entry
            status = checker.check_pipe(pipe_name)
            yield Result(host, category, pipe_name, description, status)
    finally:
        checker.disconnect()
  267.  
  268. # Main
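def main(argv):
    """Parse ``argv`` and print one JSON line per probed pipe for every host.

    Args:
        argv: full argument vector including the program name (``sys.argv``).

    Returns:
        True on completion; the caller maps this to exit status 0.
    """
    parser = argparse.ArgumentParser(description='Identify software remotely by NamedPipes.')
    parser.add_argument('hosts', metavar='IP', type=str, nargs='+', help='Host/IP to query.')
    parser.add_argument('--domain', dest='domain', default='', help='Domain')
    parser.add_argument('--username', dest='username', default='', help='Username')
    # NOTE: a password passed on the command line is visible in the process
    # list and shell history of the machine running this script.
    parser.add_argument('--password', dest='password', default='', help='Password')
    # Honour the argv handed in (argv[0] is the program name); the previous
    # parse_args() call ignored the parameter and always read sys.argv.
    args = parser.parse_args(argv[1:])

    for host in args.hosts:
        # Progress goes to stderr so stdout stays pure JSON lines.
        output("[*] Host: {}".format(host))
        for result in check_host(host, args.domain, args.username, args.password):
            print(result)

    return True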
  283.  
  284.  
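if __name__ == "__main__":
    # sys is already imported at module level; the banner goes to stderr via
    # output() so stdout carries only the JSON results. main() returns True on
    # success, which becomes exit status 0.
    output(__doc__)
    sys.exit(not main(sys.argv))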