- #!/usr/bin/env python
- # -*- coding: utf-8 -*-
- """ smb4av.py
- smb4av uses NamedPipe calls to determine
- the running AntiVirus of the target.
- Credits: @EquationGroup @ShadowBrokers
- Author: marpie (marpie@a12d404.net)
- TODO:
- * Symantec Endpoint Protection 14.0
- * Symantec Endpoint Protection Cloud 22.14
- * McAfee Endpoint Security 10.5
- * Trend Micro Office Scan 12.0
- * Kaspersky Lab Endpoint Security 11.0
- * Kaspersky Lab Small Office Security 5 & 6
- * Sophos Endpoint Security and Control 10.8
- * F-Secure PSB Computer Protection 18.4 & 18.5
- * Carbon Black Defense 3.2
- * Avast Antivirus Business 18.2 & 18.4
- * Bitdefender Endpoint Security 6.2 & 6.6
- * Bitdefender Endpoint Security Elite 6.2 & 6.6
- * G Data AntiVirus Business 14.1
- * Palo Alto Networks Traps 5.0
- * Seqrite Endpoint Security 17.00
- Last Update: 20180907
- Created: 20180905
- """
- import argparse
- import json
- import sys
# Impacket supplies everything network-facing: `transport` (DCERPCTransport,
# the base class of PipeCheck), the star import (which brings SMBConnection
# and SessionError into scope) and ERROR_MESSAGES, the NTSTATUS table used by
# error_to_str(). `srvs` is not referenced anywhere else in this file.
try:
    from impacket.dcerpc.v5 import transport, srvs
    from impacket.smbconnection import *
    from impacket.nt_errors import ERROR_MESSAGES
except ModuleNotFoundError:
    # ModuleNotFoundError exists from Python 3.6 on; an older interpreter never
    # reaches this handler and shows the raw ImportError instead.
    sys.stderr.write("[E] Impacket is required!\n")
    sys.exit(1)
# Version Information
__version__ = "0.0.1"
__program__ = "smb4av v{}".format(__version__)
__author__ = "marpie"
__email__ = "marpie+smb4av@a12d404.net"
__license__ = "BSD License"
__copyright__ = "Copyright 2018, a12d404.net"
# One of "Prototype", "Development", "Testing", "Production".
__status__ = "Prototype"
# Pipe signatures probed by check_host(), in this order, one Result per entry.
# check_pipe() prepends a leading backslash when the name lacks one; embedded
# backslashes (the Panda 'Global\\...' and 'PavTPU\\...' names) are kept as-is.
# NOTE(review): several names are listed twice (afwCallbackPipe2, aswUpdSv,
# bdantiphishing, nai_vseconsole01, pavfnlpc), so those pipes are probed twice
# and reported twice per host.
KNOWN_PIPES = (
    # Format:
    # category, pipe_name, description
    # Windows Operating System Pipes
    ('os', 'browser', 'OS Pipe: computer browser',),
    ('os', 'lsarpc', 'OS Pipe: lsass rpc',),
    ('os', 'spoolss', 'OS Pipe: print spooler',),
    ('os', 'MsFteWds', 'OS Pipe: Search Indexer',),
    ('os', 'LSM_API_service', 'OS Pipe: Terminal Server Services',),
    ('os', 'netdfs', 'OS Pipe: DFS',),
    ('os', 'winreg', 'OS Pipe: Remote Registry',),
    ('os', 'scerpc', 'OS Pipe: Security Configuration Editor',),
    # AV Products
    # source: Equation Group
    ('av', '360OnAccessGet', '360 Safe',),
    ('av', '360OnAccessSet', '360 Safe',),
    ('av', '__fships_hook_server__', 'FSecure 2010',),
    ('av', '__fships_injector__', 'FSecure 2010',),
    ('av', '_pspuser_3620_AVGIDSMONITOR.EXE_9fde9445-f261-4985-a056-fb033d1a64cd', 'AVG IS 9.0.646',),
    ('av', '_pspuser_780_AVGIDSMONITOR.EXE_9d97da47-8de1-4699-b3da-9eafb262f2a4', 'AVG IS 8.5',),
    ('av', 'acsipc_server', 'Outpost Security Suite Pro',), # does not need to be 2009 v6.5, could also be 8.1, etc.
    ('av', 'afwCallbackPipe2', 'Avast Internet Security 5.0',),
    ('av', 'afwCallbackPipe2', 'Avast Internet Security 5.0',),
    ('av', 'aswUpdSv', 'alwil Avast professional 4.8 Avast Internet Security v5.0',),
    ('av', 'aswUpdSv', 'Avast pro 4.8 or Avast IS v5.0',),
    ('av', 'AveSvc_EngineDienst200705311802', 'avira antivirus personal edition premium v7.06, avira premium security suite v7',),
    ('av', 'AveSvc_EngineService2008', 'Avira premium security suite v8',),
    ('av', 'AVG-CHJW-0B47172B-B945-42f8-AA88-8D4F98F660DB', 'AVG IS 9.0.646',),
    ('av', 'AVG-CHJW-C81C2B71-E0F0-44cb-B6A7-15999D0F539A', 'AVG IS 9.0.646',),
    ('av', 'AVG7B14C58C-E30D-11DB-B553-F88A56D89593', 'AVG IS 8.5',),
    ('av', 'AvgFw.WDCommunicationPipe', 'AVG IS 9.0.646',),
    ('av', 'AvgFw.WDCommunicationPipe1', 'AVG IS 9.0.646',),
    ('av', 'AvgFw.WDCommunicationPipe2', 'AVG IS 9.0.646',),
    ('av', 'AvgFwS8.WDCommunicationPipe', 'AVG IS 8.5-9.0',),
    ('av', 'AvgFwS8.WDCommunicationPipe1', 'AVG IS 8.5',),
    ('av', 'AvgFwS8.WDCommunicationPipe2', 'AVG IS 8.5',),
    ('av', 'AvgTrayPipeName000176', 'AVG IS 8.5',),
    ('av', 'AvgTrayPipeName0001761', 'AVG IS 8.5',),
    ('av', 'AvgTrayPipeName0001762', 'AVG IS 8.5',),
    ('av', 'AvgTrayPipeName000840', 'AVG IS 9.0.646',),
    ('av', 'AvgTrayPipeName0008401', 'AVG IS 9.0.646',),
    ('av', 'AvgTrayPipeName0008402', 'AVG IS 9.0.646',),
    ('av', 'avguard01', 'avira premium sec suite v8',),
    ('av', 'AvgUIPipeName002788', 'AVG IS 9.0.646',),
    ('av', 'AvgUIPipeName0027881', 'AVG IS 9.0.646',),
    ('av', 'AvgUIPipeName0027882', 'AVG IS 9.0.646',),
    ('av', 'AVSCAN_REP_000000000000c883', 'avira premium sec suite v8',),
    ('av', 'AVWebCatServer0', 'avira premium sec suite v8',),
    ('av', 'AVWebGuardServer', 'avira premium sec suite v8',),
    ('av', 'AVWebProtServer0', 'avira premium sec suite v8',),
    ('av', 'bdantiphishing', 'BitDefender 2010 v13',),
    ('av', 'bdantiphishing', 'BitDefender TotalSec 2010 v13.0.11',),
    ('av', 'bdantispam', 'BitDefender TotalSec 2010 v13.0.11',),
    ('av', 'EXTREG', 'BitDefender TotalSec 2010 v13.0.11',),
    ('av', 'Global\\PNMIPC_SH_IPT-WebProxy', 'Panda IS 2010 v15',),
    ('av', 'LIVESRV', 'BitDefender TotalSec 2010 v13.0.11 Bit Defender Total Security 2009',),
    ('av', 'MIDASCOMM_SERVER', 'BitDefender TotalSec 2010 v13.0.11 Bit Defender Total Security 2009',),
    ('av', 'nai_vseconsole01', 'McAfee 8.7i',),
    ('av', 'nai_vseconsole01', 'McAfee 8.7i',),
    ('av', 'NP2970625197SRV', 'TrendMicro IS 2010 v17.50',),
    ('av', 'pavfnlpc', 'Panda IS 2010 v15',),
    ('av', 'pavfnlpc', 'Panda IS 2010 v15',),
    ('av', 'PavTPU\\TPK_Event_1504', 'Panda IS 2010 v15',),
    ('av', 'rcn_18871562230061', 'FSecure 2010',),
    ('av', 'rcn_47843719166', 'FSecure 2010',),
    ('av', 'rcn_49140823412', 'FSecure 2010',),
    ('av', 'rcn_491711751329', 'FSecure 2010',),
    ('av', 'rcn_50406860721', 'FSecure 2010',),
    ('av', 'rcn_507341306237', 'FSecure 2010',),
    ('av', 'rcn_51109653602', 'FSecure 2010',),
    ('av', 'rcn_520781201855', 'FSecure 2010',),
    ('av', 'rcn_520932065562', 'FSecure 2010',),
    ('av', 'rcn_520932267096', 'FSecure 2010',),
    ('av', 'rcn_522811486723', 'FSecure 2010',),
    ('av', 'rcn_530461792332', 'FSecure 2010',),
    ('av', 'rcn_53156781683', 'FSecure 2010',),
    ('av', 'rcn_564531165073', 'FSecure 2010',),
    ('av', 'rcn_580461750377', 'FSecure 2010',),
    ('av', 'rcn_621562061643', 'FSecure 2010',),
    ('av', 'rcn_637501693024', 'FSecure 2010',),
    ('av', 'rcn_63750782962', 'FSecure 2010',),
    ('av', 'rcn_647032361703', 'FSecure 2010',),
    ('av', 'rcn_655781047893', 'FSecure 2010',),
    ('av', 'rcn_655931694327', 'FSecure 2010',),
    ('av', 'rcn_662811357824', 'FSecure 2010',),
    ('av', 'rcn_67953938451', 'FSecure 2010',),
    ('av', 'rcn_682651449794', 'FSecure 2010',),
    ('av', 'rcn_685151921711', 'FSecure 2010',),
    ('av', 'SERVERPIPENAME', 'Avira premium sec suite v8',),
    ('av', 'Sophos@BOPSv3', 'Sophos 9.0',),
    ('av', 'Symantec Core LC', 'Norton IS 2008',),
    # NOTE(review): the first GUID below contains '4E4O' (letter O) where a hex
    # digit is expected - verify the name against the original list.
    ('av', 'Symantec_{586D4B8E-3DBB-4E4O-9A7E-4670F760FAC4}_{0C55C096-0F1D-4F28-AAA2-85EF591126E7}', 'Norton360 v4; Norton IS 2009; Norton IS 2010; Norton 360 v4',),
    ('av', 'Symantec_{EF903280-DA47-4C1B-99F8-EC15E7900956}_{0C55C096-0F1D-4F28-AAA2-85EF591126E7}', 'Norton360 v4',),
    ('av', 'Symantec_{F9698F61-2E57-469B-B29B-1EFB17827356}_{0C55C096-0F1D-4F28-AAA2-85EF591126E7}', 'Norton Internet Security 2010',),
    ('av', 'VSSERV', 'BitDefender TotalSec 2010 v13.0.11 Bit Defender Total Security 2009',),
    # Other Products
    ('driver', 'EnhCallerService', 'Synaptics Touchpad',),
    ('pim', 'PBEQOwnNotes', 'QOwnNotes Note Taking Application',),
    ('cloud_storage', 'TresoritGui2', 'Tresorit for Windows',),
    ('dev', 'VSCode Crash Service', 'Visual Studio Code',),
    ('hypervisor', 'vmware-usbarbpipe', 'VMWare Host',),
    ('remote_admin', 'PlughNTCommand', 'Timbuktu Pro',),
    ('security_firewall', 'TinyWallController', 'TinyWall',),
    ('system_management', 'OVSystem', 'HP OpenView Network Node Manager',),
    ('system_management', 'SUPipeServer', 'Lenovo System Update',),
    ('vpn', 'IPEFSYSPCPIPE', 'iPass Mobile Client',),
    ('sandbox', 'cuckoo', 'Cuckoo Sandbox',),
    ('webserver', 'Powershell-Proxy-NamedPipe', 'Microsoft Exchange (IIS Process - MSExchangePowerShellAppPool)',),
)
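class PipeCheck(transport.DCERPCTransport):
    """SMB transport that opens named pipes on IPC$ and reports the resulting NTSTATUS.

    Shaped like an impacket ncacn_np transport, but this script only ever uses
    connect(), check_pipe() and disconnect(): no RPC interface is bound, a pipe
    is opened purely to observe the status the server answers with.

    Credentials and the remote host are handed to the base class
    (set_credentials() / setRemoteHost()); the ``_username``, ``_password``,
    ``_domain``, ``_lmhash``, ``_nthash``, ``_aesKey``, ``_TGT`` and ``_TGS``
    attributes read in connect() are the ones DCERPCTransport populates in the
    impacket version this was written against - confirm after an upgrade.
    """

    def __init__(self, remoteName, dstport=445, username='', password='', domain='', lmhash='', nthash='',
                 aesKey='', TGT=None, TGS=None, remote_host='', doKerberos=False, kdcHost=None):
        transport.DCERPCTransport.__init__(self, remoteName, dstport)
        self.__tid = 0  # tree id of IPC$, set by connect()
        self.set_credentials(username, password, domain, lmhash, nthash, aesKey, TGT, TGS)
        self._doKerberos = doKerberos
        self._kdcHost = kdcHost
        if remote_host != '':
            self.setRemoteHost(remote_host)
        self.__prefDialect = None  # None lets SMBConnection negotiate the dialect
        self.__smb_connection = None

    def connect(self):
        """Log in over SMB (once) and connect the IPC$ tree.

        A second call reuses the existing session but connects the tree again.

        Returns:
            1, for parity with impacket transports. Login and tree-connect
            failures propagate as impacket SessionError / socket errors.
        """
        # Check if we have a smb connection already setup
        if not self.__smb_connection:
            self.__smb_connection = SMBConnection(self.getRemoteName(), self.getRemoteHost(), sess_port=self.get_dport(),
                                                  preferredDialect=self.__prefDialect)
            if self._doKerberos is False:
                self.__smb_connection.login(self._username, self._password, self._domain, self._lmhash, self._nthash)
            else:
                self.__smb_connection.kerberosLogin(self._username, self._password, self._domain, self._lmhash,
                                                    self._nthash, self._aesKey, kdcHost=self._kdcHost, TGT=self._TGT,
                                                    TGS=self._TGS)
        self.__tid = self.__smb_connection.connectTree('IPC$')
        return 1

    def check_pipe(self, pipe_name):
        """Try to open ``pipe_name`` on IPC$ and return the server's NTSTATUS.

        Args:
            pipe_name: pipe name, with or without the leading backslash.

        Returns:
            0 when the open succeeded (the handle is closed again at once),
            otherwise the NTSTATUS code carried by the SessionError, e.g.
            0xC0000034 (object name not found) or 0xC0000022 (access denied).

        Raises:
            ValueError: if ``pipe_name`` is empty (previously an IndexError
                from indexing the empty string).
            RuntimeError: if connect() has not been called yet.
        """
        if not pipe_name:
            raise ValueError("pipe_name must not be empty")
        if self.__smb_connection is None:
            raise RuntimeError("connect() must be called before check_pipe()")
        if not pipe_name.startswith('\\'):
            pipe_name = '\\' + pipe_name
        try:
            hFile = self.__smb_connection.openFile(self.__tid, pipe_name)
        except SessionError as e:
            return e.getErrorCode()
        # The open succeeded: release the handle so the probe leaves nothing open
        # on the server. A failing close is unexpected and propagates as-is (the
        # previous bare ``except: raise`` did exactly that).
        if hFile:
            self.__smb_connection.closeFile(self.__tid, hFile)
        return 0

    def disconnect(self):
        """Disconnect IPC$, log off and close the session; a no-op when not connected."""
        if self.__smb_connection is None:
            return
        self.__smb_connection.disconnectTree(self.__tid)
        self.__smb_connection.logoff()
        self.__smb_connection.close()
        self.__smb_connection = None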
class Result(object):
    """One probe outcome: which pipe was tried on which host and how the server answered.

    ``status`` is the NTSTATUS returned by PipeCheck.check_pipe() (0 when the
    pipe could be opened); ``status_text`` is derived from it once, in
    __init__. str() renders the instance as a JSON object of its fields.
    """

    # NTSTATUS codes with a fixed label. Only 0 is STATUS_SUCCESS;
    # STATUS_ACCESS_DENIED is the separate value 0xC0000022.
    _LABELS = {
        0xC0000034: "NOT FOUND",      # STATUS_OBJECT_NAME_NOT_FOUND
        0x00000000: "FOUND",          # STATUS_SUCCESS
        0xC0000022: "ACCESS DENIED",  # STATUS_ACCESS_DENIED
    }

    def __init__(self, hostname, category, pipe, description, status):
        self.hostname = hostname
        self.category = category
        self.pipe = pipe
        self.description = description
        self.status = status
        self.status_text = self.__status_text()

    def __str__(self):
        # Assignment order in __init__ fixes the JSON key order:
        # hostname, category, pipe, description, status, status_text.
        return json.dumps(self.__dict__)

    def __status_text(self):
        """Label ``self.status``.

        Codes outside _LABELS fall back to error_to_str(), which returns the
        (name, description) pair from impacket's table rather than a plain
        string - so status_text serializes as a JSON list in that case.
        """
        try:
            return self._LABELS[self.status]
        except KeyError:
            return error_to_str(self.status)
def output(s):
    """Write ``s`` plus a newline to stderr (stdout is kept for the JSON results)."""
    stream = sys.stderr
    stream.write(s)
    stream.write("\n")
def error_to_str(code):
    """Look up an NTSTATUS ``code`` in impacket's ERROR_MESSAGES table.

    Returns the table entry - a (name, description) pair - or a synthesized
    ("UNKNOWN", "Unknown Error Code (0x...)") pair for codes not in the table.
    """
    if code in ERROR_MESSAGES:
        return ERROR_MESSAGES[code]
    return ("UNKNOWN", "Unknown Error Code ({})".format(hex(code)))
def check_host(host, domain, username, password):
    """Probe every KNOWN_PIPES entry on ``host`` and yield one Result per entry.

    Logs in with the given credentials over SMB (PipeCheck's Kerberos path is
    never enabled here) and walks the table in order. A failed connect()
    raises before any Result is produced; once connected, the session is torn
    down in the finally block when the generator is exhausted or closed.
    """
    checker = PipeCheck(host, domain=domain, username=username, password=password)
    checker.connect()
    try:
        for category, pipe_name, description in KNOWN_PIPES:
            status = checker.check_pipe(pipe_name)
            yield Result(host, category, pipe_name, description, status)
    finally:
        checker.disconnect()
- # Main
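def main(argv):
    """Parse ``argv`` (argv[0] is the program name) and print one JSON line per probe.

    Progress lines go to stderr via output(); results go to stdout so they can
    be piped elsewhere. ``--password`` is read from the command line, where it
    is visible in process listings and shell history.

    Returns:
        True once every host has been processed. Connection and authentication
        errors raised by check_host() are not caught and abort the run.
    """
    parser = argparse.ArgumentParser(description='Identify software remotely by NamedPipes.')
    parser.add_argument('hosts', metavar='IP', type=str, nargs='+', help='Host/IP to query.')
    parser.add_argument('--domain', dest='domain', default='', help='Domain')
    parser.add_argument('--username', dest='username', default='', help='Username')
    parser.add_argument('--password', dest='password', default='', help='Password')
    # Parse the vector that was passed in instead of sys.argv, so a caller that
    # hands main() its own argv gets what it asked for (identical for sys.argv).
    args = parser.parse_args(argv[1:])
    for host in args.hosts:
        output("[*] Host: {}".format(host))
        for result in check_host(host, args.domain, args.username, args.password):
            print(result)
    return True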
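if __name__ == "__main__":
    # `sys` is already imported at module level; the former local re-import
    # was redundant. The module docstring (including its TODO list) is echoed
    # to stderr on every run.
    output(__doc__)
    # main() returns True on completion, so the exit status is 0.
    sys.exit(not main(sys.argv))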