RFC: SMB3 Server Support #14494
Replies: 3 comments 4 replies
-
Just noting a passing comment that was made: this might be useful to implement fully standalone within ruby_smb directly, so that it can be used in isolation without needing Metasploit.
-
There's an old PR I started way back which implemented pieces of NTLMSSPV3 and authenticated DCERPC handles in general, which might have some handy bits for this. Its client code is mostly superseded by rubysmb, but the cracked-out RC4 key embedded into the signature thing is written out there (IIRC with comments) for reuse. Definitely want to see more protocol support, especially the binary ones which are harder to write clients and servers for than some HTTPAPI "protocol" :).
-
It's worth mentioning that this work has begun in earnest with the initial implementation providing negotiation and session setup support for SMB versions 1 through 3.1.1. Nothing works after that, but the plumbing is sufficient for authentication-related attacks like capturing challenge-response pairs as well as relaying (I hope 🤞 ). |
-
Problem
Metasploit version 6 introduced SMB v3 support for client connections. This notably leaves a gap in the server support for this newer version of the protocol.
Solution
Expand on Metasploit Framework SMB Server support to enable presenting SMBv2 and SMBv3 services.
The exploit/windows/smb/smb_relay module should be updated as necessary to support version 3.
Further Considerations
Most modules leveraging SMB connections in the framework are initiating client connections to SMB servers to perform various tasks such as PSExec, brute-forcing accounts, etc. For the value of a version 3 compatible SMB server to be fully realized, Metasploit would likely need to expand on its relaying capability. Using SMB relay attacks is a reliable vector on modern networks as the vulnerability is not easily remediated.
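As an added example of the negotiation plumbing the RFC refers to (this is illustrative code written for this page, not ruby_smb or Metasploit code), the snippet below parses an SMB2 NEGOTIATE request as laid out in MS-SMB2 (a 64-byte header followed by a 36-byte NEGOTIATE body and a dialect array), lists the dialects a client offers from 2.0.2 through 3.1.1, and applies the server-side rule from MS-SMB2 3.3.5.4 that a session must be signed when either the client sets SIGNING_REQUIRED or the server itself requires signing. Message signing is the property that decides whether a relayed authentication can be used against a server, so a server implementation that gets this decision right is also the main mitigation for the relay scenario discussed above. The `build_sample_negotiate` helper and the sample packets are constructed for the example.

```ruby
# Illustrative SMB2 NEGOTIATE parser (not ruby_smb code). Field layout follows
# MS-SMB2 2.2.1.2 (SMB2 header) and 2.2.3 (NEGOTIATE request).

SMB2_PROTOCOL_ID = [0xFE, 0x53, 0x4D, 0x42].pack('C*').freeze # "\xFESMB"
SMB2_HEADER_SIZE = 64
SMB2_NEGOTIATE_BODY_SIZE = 36
SMB2_COM_NEGOTIATE = 0x0000
SMB2_NEGOTIATE_SIGNING_ENABLED  = 0x0001
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x0002

DIALECT_NAMES = {
  0x0202 => 'SMB 2.0.2',
  0x0210 => 'SMB 2.1',
  0x0300 => 'SMB 3.0',
  0x0302 => 'SMB 3.0.2',
  0x0311 => 'SMB 3.1.1'
}.freeze

# Parse an SMB2 NEGOTIATE request and return the dialects offered plus the
# client's signing flags. Raises ArgumentError on anything malformed.
def parse_smb2_negotiate(packet)
  packet = packet.b
  min_len = SMB2_HEADER_SIZE + SMB2_NEGOTIATE_BODY_SIZE
  raise ArgumentError, 'packet too short' if packet.bytesize < min_len

  # Header: ProtocolId, StructureSize, CreditCharge, Status, Command (the
  # remaining header fields are not needed to classify the request).
  protocol_id, header_size, _credit_charge, _status, command = packet.unpack('a4 v v V v')
  raise ArgumentError, 'not an SMB2 message' unless protocol_id == SMB2_PROTOCOL_ID
  raise ArgumentError, 'bad header StructureSize' unless header_size == SMB2_HEADER_SIZE
  raise ArgumentError, 'not a NEGOTIATE request' unless command == SMB2_COM_NEGOTIATE

  body = packet.byteslice(SMB2_HEADER_SIZE..-1)
  struct_size, dialect_count, security_mode = body.unpack('v v v')
  raise ArgumentError, 'bad NEGOTIATE StructureSize' unless struct_size == SMB2_NEGOTIATE_BODY_SIZE

  # Dialects array starts right after the fixed 36-byte body, 2 bytes each.
  dialect_bytes = body.byteslice(SMB2_NEGOTIATE_BODY_SIZE, dialect_count * 2)
  if dialect_bytes.nil? || dialect_bytes.bytesize < dialect_count * 2
    raise ArgumentError, 'truncated dialect array'
  end
  dialects = dialect_bytes.unpack('v*')

  {
    dialects: dialects,
    dialect_names: dialects.map { |d| DIALECT_NAMES.fetch(d) { format('unknown 0x%04x', d) } },
    signing_enabled: (security_mode & SMB2_NEGOTIATE_SIGNING_ENABLED) != 0,
    signing_required: (security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED) != 0
  }
end

# MS-SMB2 3.3.5.4: the connection must sign if the client set SIGNING_REQUIRED
# or the server's RequireMessageSigning policy is enabled. A server that
# enforces this cannot be driven by relayed credentials, because the relaying
# party never holds the session key needed to sign.
def session_must_sign?(negotiate_info, server_requires_signing)
  negotiate_info[:signing_required] || server_requires_signing
end

# Build a constructed NEGOTIATE request for the example (sample data, not a capture).
def build_sample_negotiate(dialects, security_mode)
  zero16 = "\x00".b * 16
  header = [SMB2_PROTOCOL_ID, SMB2_HEADER_SIZE, 0, 0, SMB2_COM_NEGOTIATE,
            0, 0, 0, 0, 0, 0, 0, zero16].pack('a4 v v V v v V V Q< V V Q< a16')
  body = [SMB2_NEGOTIATE_BODY_SIZE, dialects.size, security_mode, 0, 0, zero16, 0]
         .pack('v v v v V a16 Q<')
  header + body + dialects.pack('v*')
end

if __FILE__ == $PROGRAM_NAME
  pkt = build_sample_negotiate([0x0202, 0x0210, 0x0300, 0x0302, 0x0311],
                               SMB2_NEGOTIATE_SIGNING_ENABLED)
  info = parse_smb2_negotiate(pkt)
  puts "client offers: #{info[:dialect_names].join(', ')}"
  puts "client requires signing: #{info[:signing_required]}"
  puts "session signed with server policy off: #{session_must_sign?(info, false)}"
  puts "session signed with server policy on:  #{session_must_sign?(info, true)}"
end
```

The same parse step is what a server needs before choosing a dialect and answering with its own SecurityMode; the point of keeping the signing decision in one function is that a test suite can pin it down independently of the transport code.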