Revert "run smbv1 scan in runfinger"

2025-07-06 04:51:23 -07:00 · 2022-11-08 09:22:41 -03:00 · 2022-11-08 09:22:41 -03:00 · f39079da77
commit f39079da77
parent 8d25d04f13
1 changed files with 181 additions and 202 deletions
--- a/tools/RunFinger.py
+++ b/tools/RunFinger.py
@ -32,9 +32,7 @@ parser = optparse.OptionParser(usage='python %prog -i 10.10.10.224\nor:\npython

 parser.add_option('-i','--ip', action="store", help="Target IP address or class C", dest="TARGET", metavar="10.10.10.224", default=None)
 parser.add_option('-f','--filename', action="store", help="Target file", dest="Filename", metavar="ips.txt", default=None)
-parser.add_option('-o','--outfile', action="store", help="Output file", dest="OutFilename", metavar="output.txt", default=None)
 parser.add_option('-t','--timeout', action="store", help="Timeout for all connections. Use this option to fine tune Runfinger.", dest="Timeout", type="float", metavar="0.9", default=2)
-parser.add_option('-s','--smbv1', action='store_true', help="Enable smbv1 scan", dest="Smbv1", default=False)

 options, args = parser.parse_args()

@ -46,11 +44,9 @@ if options.TARGET == None and options.Filename == None:
 Timeout = options.Timeout
 Host = options.TARGET
 Filename = options.Filename
-Outputfile = None if options.OutFilename==None else open(options.OutFilename,"w")
 SMB1 = "True"
 SMB2signing = "False"
 DB = os.path.abspath(os.path.join(os.path.dirname(__file__)))+"/RunFinger.db"
-SCAN_SMBV1 = options.Smbv1

 class Packet():
    fields = OrderedDict([
@ -163,17 +159,13 @@ def ParseSMBNTLM2Exchange(data, host, bootime, signing):  #Parse SMB NTLMSSP Res
 	#AvPairs          = SSPIString[AvPairsOffset:AvPairsOffset+AvPairsLen].decode('UTF-16LE')
 	WindowsVers       = WorkstationFingerPrint(data[SSPIStart+48:SSPIStart+50])
 	WindowsBuildVers  = GetOsBuildNumber(data[SSPIStart+50:SSPIStart+52])
-    Hostname, DomainJoined = DomainGrab((host, 445))
+	DomainGrab((host, 445))
 	RDP = IsServiceOn((host,3389))
 	SQL = IsServiceOn((host,1433))
-    outstr = (f"[SMB2]:['{host}', Os:'{WindowsVers}', Hostname:'{Hostname}' Build:'{str(WindowsBuildVers)}', Domain:'{Domain}', Bootime: '{Bootime}', Signing:'{signing}', RDP:'{RDP}', SMB1:'{SMB1}', MSSQL:'{SQL}']")
-    print(outstr)
-    if Outputfile != None:
-       Outputfile.write(outstr+"\n") # save result in file
+	print(("[SMB2]:['{}', Os:'{}', Build:'{}', Domain:'{}', Bootime: '{}', Signing:'{}', RDP:'{}', SMB1:'{}', MSSQL:'{}']".format(host, WindowsVers, str(WindowsBuildVers), Domain, Bootime, signing, RDP,SMB1, SQL)))
 	SaveRunFingerToDb({
 				'Protocol': '[SMB2]',
 				'Host': host, 
-                'Hostname':Hostname,
 				'WindowsVersion': WindowsVers,
 				'OsVer': str(WindowsBuildVers),
 				'DomainJoined': Domain,
@ -336,20 +328,11 @@ def check_smb_null_session(host):
            s.send(NetworkSendBufferPython2or3(buffer0))
            data = s.recv(2048)
        if data[8:10] == b'\x75\x00':
-            h = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",uid=data[32:34].decode('latin-1'),tid=data[28:30].decode('latin-1'),mid="\xc0\x00")
-            n = SMBTransRAPData()
-            n.calculate()
-            packet0 = str(h)+str(n)
-            buffer0 = longueur(packet0)+packet0
-            s.send(NetworkSendBufferPython2or3(buffer0))
-            data = s.recv(2048)
-            if data[9:13] == b"\x05\x02\x00\xc0":
-                return ('True', 'True')
-            return ('True', 'False')
+            return 'True'
        else:
-            return ('False', 'False')
-    except Exception as e:
-        print(f"Test on null session and ms17 fail on {host[0]} Error: {e}", file=sys.stderr)
+            return 'False'
+    except Exception:
+        return False

 ##################
 #SMB2 part:
@ -407,18 +390,14 @@ def handle(data, host):

 ##################
 def ShowSmallResults(Host):
-    ConnectAndChoseSMB((Host,445))
-    if SCAN_SMBV1 and SMB1 == "True":
+	if ConnectAndChoseSMB((Host,445)) == False:
 		try:
 			Hostname, DomainJoined = DomainGrab((Host, 445))
 			Signing, OsVer, LanManClient = SmbFinger((Host, 445))
-            NullSess, ms17_10_ready = check_smb_null_session((Host, 445))
+			NullSess = check_smb_null_session((Host, 445))
 			RDP = IsServiceOn((Host,3389))
 			SQL = IsServiceOn((Host,1433))
-            outstr = f"[SMB1]:['{Host}', Hostname:'{Hostname}', Os:'{OsVer}', Domain:'{DomainJoined}', Null Session: '{NullSess}', Vulnerable to MS17-010: '{ms17_10_ready}', Lanman Client: '{LanManClient}', RDP:'{RDP}', MSSQL:'{SQL}']"
-            print(outstr)
-            if Outputfile != None:
-                Outputfile.write(outstr+"\n") # save result in file
+			print(("[SMB1]:['{}', Os:'{}', Domain:'{}', Signing:'{}', Null Session: '{}', RDP:'{}', MSSQL:'{}']".format(Host, OsVer, DomainJoined, Signing, NullSess,RDP, SQL)))
 			SaveRunFingerToDb({
 				'Protocol': '[SMB1]',
 				'Host': Host,