Add RAP fallback to smb_enumshares for legacy SMB hosts #21123

Open
Z6543 wants to merge 1 commit into rapid7:master from Z6543:smb-enumshares-rap-fallback

@Z6543 Z6543 commented Mar 16, 2026

Depends on: rapid7/ruby_smb#294 (must be merged first)

Summary

  • Add RAP (Remote Administration Protocol) fallback to smb_enumshares when SRVSVC share enumeration fails, enabling share enumeration on Windows 95/98/ME and other legacy SMB hosts that don't support DCERPC
  • Map RAP integer share types (0=DISK, 1=PRINTER, etc.) to the string format the module expects, so filtering, spidering, and reporting work unchanged
  • Add direct: false to the SMB1 connect call on port 139 to ensure proper NetBIOS session setup

Verification

  • Against a modern SMB host: SRVSVC succeeds as before, RAP path is never reached
  • Against a legacy Win9x/ME host on port 139: SRVSVC fails with UnexpectedStatusCode/InvalidPacket, module falls back to RAP and enumerates shares successfully
  • Share option filtering works with both SRVSVC and RAP results

Depends on: rapid7/ruby_smb#294 (must be merged first)
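
The summary above maps RAP integer share types to strings. As an added example (not code from this PR or from ruby_smb), here is a parser for a level-1 RAP NetShareEnum reply as laid out in MS-RAP, with bounds checks on server-supplied offsets. The constant and function names, the labels for types 2 and 3, and the sample bytes are assumptions made for this example.

```ruby
# Added example: decode a RAP NetShareEnum level-1 reply (layout per MS-RAP).
# SHARE_TYPE_NAMES and both function names are hypothetical, not ruby_smb's API.
SHARE_TYPE_NAMES = { 0 => 'DISK', 1 => 'PRINTER', 2 => 'DEVICE', 3 => 'IPC' }.freeze
ENTRY_SIZE = 20        # 13-byte name, 1 pad byte, uint16 type, remark pointer (low/high uint16)
ERROR_MORE_DATA = 234  # reply was cut to fit the receive buffer; returned entries are still valid

# params: the 8-byte RAP response parameters; data: the response data buffer.
def parse_rap_share_enum(params, data)
  raise ArgumentError, 'short parameter block' if params.bytesize < 8
  status, converter, returned, _available = params.unpack('v4')
  raise "RAP call failed with status #{status}" unless [0, ERROR_MORE_DATA].include?(status)
  raise ArgumentError, 'entry table truncated' if data.bytesize < returned * ENTRY_SIZE

  Array.new(returned) do |i|
    name, type, remark_ptr = data.byteslice(i * ENTRY_SIZE, ENTRY_SIZE).unpack('Z13xvv')
    # The pointer is server-relative; subtracting the converter gives a buffer offset.
    offset = remark_ptr - converter
    in_bounds = remark_ptr != 0 && offset >= 0 && offset < data.bytesize
    remark = in_bounds ? data.byteslice(offset, data.bytesize).unpack1('Z*') : nil
    { name: name, type: SHARE_TYPE_NAMES.fetch(type, format('UNKNOWN(0x%04x)', type)), remark: remark }
  end
end

# Constructed reply for a three-share host (not captured traffic).
def sample_rap_reply(converter = 0x1000)
  shares = [['PUBLIC', 0, 'Shared docs'], ['HPLASER', 1, ''], ['IPC$', 3, 'Remote IPC']]
  strings = ''.b
  table = shares.map do |name, type, remark|
    ptr = converter + shares.size * ENTRY_SIZE + strings.bytesize
    strings << remark << "\0"
    [name, type, ptr, 0].pack('a13xvvv')
  end.join
  [[0, converter, shares.size, shares.size].pack('v4'), table + strings]
end

if $PROGRAM_NAME == __FILE__
  parse_rap_share_enum(*sample_rap_reply).each do |s|
    puts format('%-12s %-8s %s', s[:name], s[:type], s[:remark])
  end
end
```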

@smcintyre-r7 smcintyre-r7 left a comment

Contributor

This looks like it needs to be updated now that the RubySMB changes have been merged. You'll want to:

  • Adjust the ruby_smb gem to pull in the latest version with your changes; use bundle update --conservative ruby_smb to get the latest version
  • Adjust your code here to use the net_share_enum method that was added; RAP_SHARE_TYPES and formatting the hash yourself shouldn't be necessary.

@github-project-automation github-project-automation Bot moved this from Todo to Waiting on Contributor in Metasploit Kanban May 7, 2026
@smcintyre-r7 smcintyre-r7 added the module, docs, and rn-modules (release notes for new or majorly enhanced modules) labels May 7, 2026
@smcintyre-r7

Contributor

This has conflicts that need to be resolved now that #21347 has been landed.

The smb_enumshares module uses DCERPC/SRVSVC (net_share_enum_all) to
enumerate shares. Windows 95/98/ME and other legacy SMB hosts do not
support DCERPC and cause the module to fail with no results.

Fall back to RAP (Remote Administration Protocol) net_share_enum over
\PIPE\LANMAN when SRVSVC raises UnexpectedStatusCode or InvalidPacket.
RAP is the only share-enumeration method these hosts support. ruby_smb's
net_share_enum returns share types pre-formatted as strings, so share
filtering, spidering, and reporting work unchanged.

Pass direct: false on the SMB1/port-139 connect so NetBIOS session
setup is used for legacy hosts.
@Z6543 Z6543 force-pushed the smb-enumshares-rap-fallback branch from 7737ebf to 88ead91 July 3, 2026 13:43

Z6543 commented Jul 3, 2026

Author

Sorry for dropping the ball on this, should be good now.
