
GhostSPN SMB module

Open YOLOP0wn opened this issue 3 months ago • 3 comments

Module to scan SMB for GhostSPN vulnerability (CVE-2025-58726) based on build number (code taken from ntlm_reflection module).

I am not sure if there is a more accurate way to scan for it, but for the moment it does the job.

ghostspn

YOLOP0wn avatar Oct 31 '25 03:10 YOLOP0wn

Thanks for the PR!

Perhaps we should combine modules that identify CVEs by querying the version numbers into one module.

NeffIsBack avatar Oct 31 '25 10:10 NeffIsBack

Yes, I think it would be better (to reduce the number of SMB connections). How many modules currently check for version? Only ntlm_reflection and ghostspn?

Btw, I was hesitating between making an LDAP module to search for ghost SPNs instead of this SMB one. But with LDAP, the workflow would have been heavier (dump all SPNs, check for ghost ones, then check the target system version). So I think it’s better to check for the target vulnerability first, and if it’s vulnerable, then check for ghost SPNs.

YOLOP0wn avatar Oct 31 '25 22:10 YOLOP0wn

> Yes, I think it would be better (to reduce the number of SMB connections). How many modules currently check for version? Only ntlm_reflection and ghostspn?

I think so yes.

> Btw, I was hesitating between making an LDAP module to search for ghost SPNs instead of this SMB one. But with LDAP, the workflow would have been heavier (dump all SPNs, check for ghost ones, then check the target system version). So I think it’s better to check for the target vulnerability first, and if it’s vulnerable, then check for ghost SPNs.

Sounds good :) Ghost SPNs without vulnerable systems are not really useful anyways, so probably best to check for the vuln first.

NeffIsBack avatar Nov 02 '25 12:11 NeffIsBack