Determine the AV product by ncacn_np (Python port of EquationGroup - Namedpipetouch)
#!/usr/bin/env python
# -*- coding: utf-8 -*-
""" smb4av.py
smb4av uses NamedPipe calls to determine
the running AntiVirus of the target.
Credits: @EquationGroup @ShadowBrokers
Author: marpie (marpie@a12d404.net)
TODO:
* Symantec Endpoint Protection 14.0
* Symantec Endpoint Protection Cloud 22.14
* McAfee Endpoint Security 10.5
* Trend Micro Office Scan 12.0
* Kaspersky Lab Endpoint Security 11.0
* Kaspersky Lab Small Office Security 5 & 6
* Sophos Endpoint Security and Control 10.8
* F-Secure PSB Computer Protection 18.4 & 18.5
* Carbon Black Defense 3.2
* Avast Antivirus Business 18.2 & 18.4
* Bitdefender Endpoint Security 6.2 & 6.6
* Bitdefender Endpoint Security Elite 6.2 & 6.6
* G Data AntiVirus Business 14.1
* Palo Alto Networks Traps 5.0
* Seqrite Endpoint Security 17.00
Last Update: 20180907
Created: 20180905
"""
import argparse
import json
import sys
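try:
    from impacket.dcerpc.v5 import transport, srvs
    from impacket.smbconnection import *
    from impacket.nt_errors import ERROR_MESSAGES
except ImportError:
    # ImportError is the base class of ModuleNotFoundError (3.6+) and is also
    # defined on interpreters that lack ModuleNotFoundError, so a missing
    # impacket never turns into a NameError inside the except clause.
    sys.stderr.write("[E] Impacket is required!\n")
    sys.exit(1)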
# Version information
__version__ = "0.0.1"
__program__ = "smb4av v{}".format(__version__)
__author__ = "marpie"
__email__ = "marpie+smb4av@a12d404.net"
__license__ = "BSD License"
__copyright__ = "Copyright 2018, a12d404.net"
# One of "Prototype", "Development", "Testing", "Production"
__status__ = "Prototype"
KNOWN_PIPES = (
    # Format:
    # category, pipe_name, description
    #
    # Every entry is probed once by check_host(): the pipe name is opened on
    # the IPC$ share (PipeCheck.check_pipe prepends the leading backslash) and
    # one Result is yielded per entry.  NOTE(review): some names appear more
    # than once (e.g. afwCallbackPipe2, nai_vseconsole01, pavfnlpc), so those
    # are probed and reported twice.
    # Windows Operating System Pipes
    ('os', 'browser', 'OS Pipe: computer browser',),
    ('os', 'lsarpc', 'OS Pipe: lsass rpc',),
    ('os', 'spoolss', 'OS Pipe: print spooler',),
    ('os', 'MsFteWds', 'OS Pipe: Search Indexer',),
    ('os', 'LSM_API_service', 'OS Pipe: Terminal Server Services',),
    ('os', 'netdfs', 'OS Pipe: DFS',),
    ('os', 'winreg', 'OS Pipe: Remote Registry',),
    ('os', 'scerpc', 'OS Pipe: Security Configuration Editor',),
    # AV Products
    # source: Equation Group
    ('av', '360OnAccessGet', '360 Safe',),
    ('av', '360OnAccessSet', '360 Safe',),
    ('av', '__fships_hook_server__', 'FSecure 2010',),
    ('av', '__fships_injector__', 'FSecure 2010',),
    ('av', '_pspuser_3620_AVGIDSMONITOR.EXE_9fde9445-f261-4985-a056-fb033d1a64cd', 'AVG IS 9.0.646',),
    ('av', '_pspuser_780_AVGIDSMONITOR.EXE_9d97da47-8de1-4699-b3da-9eafb262f2a4', 'AVG IS 8.5',),
    ('av', 'acsipc_server', 'Outpost Security Suite Pro',), # does not need to be 2009 v6.5, could also be 8.1, etc.
    ('av', 'afwCallbackPipe2', 'Avast Internet Security 5.0',),
    ('av', 'afwCallbackPipe2', 'Avast Internet Security 5.0',),
    ('av', 'aswUpdSv', 'alwil Avast professional 4.8 Avast Internet Security v5.0',),
    ('av', 'aswUpdSv', 'Avast pro 4.8 or Avast IS v5.0',),
    ('av', 'AveSvc_EngineDienst200705311802', 'avira antivirus personal edition premium v7.06, avira premium security suite v7',),
    ('av', 'AveSvc_EngineService2008', 'Avira premium security suite v8',),
    ('av', 'AVG-CHJW-0B47172B-B945-42f8-AA88-8D4F98F660DB', 'AVG IS 9.0.646',),
    ('av', 'AVG-CHJW-C81C2B71-E0F0-44cb-B6A7-15999D0F539A', 'AVG IS 9.0.646',),
    ('av', 'AVG7B14C58C-E30D-11DB-B553-F88A56D89593', 'AVG IS 8.5',),
    ('av', 'AvgFw.WDCommunicationPipe', 'AVG IS 9.0.646',),
    ('av', 'AvgFw.WDCommunicationPipe1', 'AVG IS 9.0.646',),
    ('av', 'AvgFw.WDCommunicationPipe2', 'AVG IS 9.0.646',),
    ('av', 'AvgFwS8.WDCommunicationPipe', 'AVG IS 8.5-9.0',),
    ('av', 'AvgFwS8.WDCommunicationPipe1', 'AVG IS 8.5',),
    ('av', 'AvgFwS8.WDCommunicationPipe2', 'AVG IS 8.5',),
    ('av', 'AvgTrayPipeName000176', 'AVG IS 8.5',),
    ('av', 'AvgTrayPipeName0001761', 'AVG IS 8.5',),
    ('av', 'AvgTrayPipeName0001762', 'AVG IS 8.5',),
    ('av', 'AvgTrayPipeName000840', 'AVG IS 9.0.646',),
    ('av', 'AvgTrayPipeName0008401', 'AVG IS 9.0.646',),
    ('av', 'AvgTrayPipeName0008402', 'AVG IS 9.0.646',),
    ('av', 'avguard01', 'avira premium sec suite v8',),
    ('av', 'AvgUIPipeName002788', 'AVG IS 9.0.646',),
    ('av', 'AvgUIPipeName0027881', 'AVG IS 9.0.646',),
    ('av', 'AvgUIPipeName0027882', 'AVG IS 9.0.646',),
    ('av', 'AVSCAN_REP_000000000000c883', 'avira premium sec suite v8',),
    ('av', 'AVWebCatServer0', 'avira premium sec suite v8',),
    ('av', 'AVWebGuardServer', 'avira premium sec suite v8',),
    ('av', 'AVWebProtServer0', 'avira premium sec suite v8',),
    ('av', 'bdantiphishing', 'BitDefender 2010 v13',),
    ('av', 'bdantiphishing', 'BitDefender TotalSec 2010 v13.0.11',),
    ('av', 'bdantispam', 'BitDefender TotalSec 2010 v13.0.11',),
    ('av', 'EXTREG', 'BitDefender TotalSec 2010 v13.0.11',),
    ('av', 'Global\\PNMIPC_SH_IPT-WebProxy', 'Panda IS 2010 v15',),
    ('av', 'LIVESRV', 'BitDefender TotalSec 2010 v13.0.11 Bit Defender Total Security 2009',),
    ('av', 'MIDASCOMM_SERVER', 'BitDefender TotalSec 2010 v13.0.11 Bit Defender Total Security 2009',),
    ('av', 'nai_vseconsole01', 'McAfee 8.7i',),
    ('av', 'nai_vseconsole01', 'McAfee 8.7i',),
    ('av', 'NP2970625197SRV', 'TrendMicro IS 2010 v17.50',),
    ('av', 'pavfnlpc', 'Panda IS 2010 v15',),
    ('av', 'pavfnlpc', 'Panda IS 2010 v15',),
    ('av', 'PavTPU\\TPK_Event_1504', 'Panda IS 2010 v15',),
    ('av', 'rcn_18871562230061', 'FSecure 2010',),
    ('av', 'rcn_47843719166', 'FSecure 2010',),
    ('av', 'rcn_49140823412', 'FSecure 2010',),
    ('av', 'rcn_491711751329', 'FSecure 2010',),
    ('av', 'rcn_50406860721', 'FSecure 2010',),
    ('av', 'rcn_507341306237', 'FSecure 2010',),
    ('av', 'rcn_51109653602', 'FSecure 2010',),
    ('av', 'rcn_520781201855', 'FSecure 2010',),
    ('av', 'rcn_520932065562', 'FSecure 2010',),
    ('av', 'rcn_520932267096', 'FSecure 2010',),
    ('av', 'rcn_522811486723', 'FSecure 2010',),
    ('av', 'rcn_530461792332', 'FSecure 2010',),
    ('av', 'rcn_53156781683', 'FSecure 2010',),
    ('av', 'rcn_564531165073', 'FSecure 2010',),
    ('av', 'rcn_580461750377', 'FSecure 2010',),
    ('av', 'rcn_621562061643', 'FSecure 2010',),
    ('av', 'rcn_637501693024', 'FSecure 2010',),
    ('av', 'rcn_63750782962', 'FSecure 2010',),
    ('av', 'rcn_647032361703', 'FSecure 2010',),
    ('av', 'rcn_655781047893', 'FSecure 2010',),
    ('av', 'rcn_655931694327', 'FSecure 2010',),
    ('av', 'rcn_662811357824', 'FSecure 2010',),
    ('av', 'rcn_67953938451', 'FSecure 2010',),
    ('av', 'rcn_682651449794', 'FSecure 2010',),
    ('av', 'rcn_685151921711', 'FSecure 2010',),
    ('av', 'SERVERPIPENAME', 'Avira premium sec suite v8',),
    ('av', 'Sophos@BOPSv3', 'Sophos 9.0',),
    ('av', 'Symantec Core LC', 'Norton IS 2008',),
    ('av', 'Symantec_{586D4B8E-3DBB-4E4O-9A7E-4670F760FAC4}_{0C55C096-0F1D-4F28-AAA2-85EF591126E7}', 'Norton360 v4; Norton IS 2009; Norton IS 2010; Norton 360 v4',),
    ('av', 'Symantec_{EF903280-DA47-4C1B-99F8-EC15E7900956}_{0C55C096-0F1D-4F28-AAA2-85EF591126E7}', 'Norton360 v4',),
    ('av', 'Symantec_{F9698F61-2E57-469B-B29B-1EFB17827356}_{0C55C096-0F1D-4F28-AAA2-85EF591126E7}', 'Norton Internet Security 2010',),
    ('av', 'VSSERV', 'BitDefender TotalSec 2010 v13.0.11 Bit Defender Total Security 2009',),
    # Other products
    ('driver', 'EnhCallerService', 'Synaptics Touchpad',),
    ('pim', 'PBEQOwnNotes', 'QOwnNotes Note Taking Application',),
    ('cloud_storage', 'TresoritGui2', 'Tresorit for Windows',),
    ('dev', 'VSCode Crash Service', 'Visual Studio Code',),
    ('hypervisor', 'vmware-usbarbpipe', 'VMWare Host',),
    ('remote_admin', 'PlughNTCommand', 'Timbuktu Pro',),
    ('security_firewall', 'TinyWallController', 'TinyWall',),
    ('system_management', 'OVSystem', 'HP OpenView Network Node Manager',),
    ('system_management', 'SUPipeServer', 'Lenovo System Update',),
    ('vpn', 'IPEFSYSPCPIPE', 'iPass Mobile Client',),
    ('sandbox', 'cuckoo', 'Cuckoo Sandbox',),
    ('webserver', 'Powershell-Proxy-NamedPipe', 'Microsoft Exchange (IIS Process - MSExchangePowerShellAppPool)',),
)
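class PipeCheck(transport.DCERPCTransport):
    """SMB transport that opens named pipes on IPC$ and reports the NT status.

    Only the SMB session, the IPC$ tree connect and the open/close of a pipe
    are implemented here; no DCE/RPC bind is ever performed.  Usage is
    connect() -> check_pipe(name) for each name -> disconnect().
    """

    def __init__(self, remoteName, dstport=445, username='', password='', domain='', lmhash='', nthash='',
                 aesKey='', TGT=None, TGS=None, remote_host='', doKerberos=False, kdcHost=None):
        """Store the target and credentials; no network traffic happens until connect().

        remote_host: address to connect to when it differs from remoteName
        (applied only when non-empty).  doKerberos selects kerberosLogin()
        with aesKey/TGT/TGS/kdcHost instead of the password/hash login().
        """
        transport.DCERPCTransport.__init__(self, remoteName, dstport)
        self.__tid = 0
        self.set_credentials(username, password, domain, lmhash, nthash, aesKey, TGT, TGS)
        self._doKerberos = doKerberos
        self._kdcHost = kdcHost
        if remote_host != '':
            self.setRemoteHost(remote_host)
        self.__prefDialect = None
        self.__smb_connection = None

    def connect(self):
        """Log in once and connect the IPC$ tree; returns 1 on completion.

        The SMB session is reused if one already exists, but connectTree()
        runs on every call, so the tree id is refreshed each time.
        """
        if not self.__smb_connection:
            self.__smb_connection = SMBConnection(self.getRemoteName(), self.getRemoteHost(), sess_port=self.get_dport(),
                                                  preferredDialect=self.__prefDialect)
            if self._doKerberos is False:
                self.__smb_connection.login(self._username, self._password, self._domain, self._lmhash, self._nthash)
            else:
                self.__smb_connection.kerberosLogin(self._username, self._password, self._domain, self._lmhash,
                                                    self._nthash, self._aesKey, kdcHost=self._kdcHost, TGT=self._TGT,
                                                    TGS=self._TGS)
        self.__tid = self.__smb_connection.connectTree('IPC$')
        return 1

    def check_pipe(self, pipe_name):
        """Try to open *pipe_name* on IPC$ and return the resulting NT status.

        Returns 0 when the open succeeded (the handle is closed again right
        away), otherwise the error code carried by the SessionError.  A
        leading backslash is prepended when missing; an empty name therefore
        becomes '\\' instead of raising IndexError.  Must be called after
        connect().
        """
        if not pipe_name.startswith('\\'):
            pipe_name = '\\' + pipe_name
        try:
            hFile = self.__smb_connection.openFile(self.__tid, pipe_name)
        except SessionError as e:
            return e.getErrorCode()
        # A failure to close propagates to the caller; there is no sensible
        # way to recover from it here.
        if hFile:
            self.__smb_connection.closeFile(self.__tid, hFile)
        return 0

    def disconnect(self):
        """Disconnect IPC$, log off and close the session; no-op if connect() never ran."""
        if self.__smb_connection is None:
            return
        self.__smb_connection.disconnectTree(self.__tid)
        self.__smb_connection.logoff()
        self.__smb_connection.close()
        self.__smb_connection = None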
class Result(object):
    """One probe outcome: which pipe was tried on which host and what NT status came back.

    str() renders the instance as a JSON object built from its attributes,
    so the assignment order in __init__ is also the key order of that JSON.
    """

    # (status code, label) pairs for the codes that get a short label; any
    # other code is resolved through error_to_str().  Kept as a sequence
    # rather than a dict so the comparison semantics stay plain ``==``.
    _STATUS_LABELS = (
        (0xC0000034, "NOT FOUND"),      # STATUS_OBJECT_NAME_NOT_FOUND
        (0x00000000, "FOUND"),          # STATUS_SUCCESS: the open call succeeded
        (0xC0000022, "ACCESS DENIED"),  # STATUS_ACCESS_DENIED
    )

    def __init__(self, hostname, category, pipe, description, status):
        self.hostname = hostname
        self.category = category
        self.pipe = pipe
        self.description = description
        self.status = status
        self.status_text = self.__status_text()

    def __str__(self):
        """Serialize every instance attribute as one JSON object."""
        return json.dumps(vars(self))

    def __status_text(self):
        """Return the label for self.status, falling back to error_to_str()."""
        for code, label in self._STATUS_LABELS:
            if self.status == code:
                return label
        return error_to_str(self.status)
def output(s):
    """Write *s* plus a newline to stderr.

    Status messages go to stderr so that stdout carries nothing but the
    JSON result lines printed by main().
    """
    stream = sys.stderr
    stream.write(s + "\n")
def error_to_str(code):
    """Look up an NT status code in impacket's ERROR_MESSAGES table.

    Returns the table entry when present, otherwise a two-tuple of
    ("UNKNOWN", "Unknown Error Code (0x...)") built from the hex value.
    """
    if code in ERROR_MESSAGES:
        return ERROR_MESSAGES[code]
    return ("UNKNOWN", "Unknown Error Code ({})".format(hex(code)))
def check_host(host, domain, username, password):
    """Probe every KNOWN_PIPES entry on *host* and yield one Result per entry.

    The SMB session is opened before the first yield and torn down in the
    finally clause, so it is released even if the consumer stops iterating
    early.  Errors raised by connect() propagate before anything is yielded.
    """
    probe = PipeCheck(host, domain=domain, username=username, password=password)
    probe.connect()
    try:
        for entry in KNOWN_PIPES:
            category, pipe_name, description = entry
            status = probe.check_pipe(pipe_name)
            yield Result(host, category, pipe_name, description, status)
    finally:
        probe.disconnect()
# Main
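def main(argv):
    """Parse *argv* (argv[0] is the program name) and probe every listed host.

    One JSON line per pipe is printed to stdout; progress goes to stderr via
    output().  An SMB error on one host propagates and ends the run.
    Returns True once all hosts have been processed.
    """
    parser = argparse.ArgumentParser(description='Identify software remotely by NamedPipes.')
    parser.add_argument('hosts', metavar='IP', type=str, nargs='+', help='Host/IP to query.')
    parser.add_argument('--domain', dest='domain', default='', help='Domain')
    parser.add_argument('--username', dest='username', default='', help='Username')
    # NOTE: a password passed on the command line is visible in process
    # listings and shell history; prefer an interactive prompt when possible.
    parser.add_argument('--password', dest='password', default='', help='Password')
    # Parse the argv handed in rather than sys.argv implicitly, so main() can
    # be driven from other code; the __main__ block passes sys.argv.
    args = parser.parse_args(argv[1:])
    for host in args.hosts:
        output("[*] Host: {}".format(host))
        for result in check_host(host, args.domain, args.username, args.password):
            print(str(result))
    return True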
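if __name__ == "__main__":
    # The module docstring serves as the banner; it goes to stderr so stdout
    # carries only the JSON results printed by main().  ``sys`` is already
    # imported at module level.
    output(__doc__)
    # main() returns True on completion, so the process exits with status 0.
    sys.exit(not main(sys.argv))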