infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
metasploit-framework/documentation/modules/auxiliary/scanner/etcd/open_key_scanner.md

105 lines
2.9 KiB
Markdown
Raw Normal View History

updated docs
2018-03-25 18:53:30 +00:00
## Vulnerable Application
etcd is a distributed reliable key-value store, which when used in an open and default configuration gives
unauthenticated users access to the data stored via HTTP API.
### Centos 7.1
1. `yum install etcd`
2. `vi /etc/etcd/etcd.conf` replace (and uncomment) items with `localhost` for your IP.
3. `systemctl start etcd; systemctl enable etcd`
4. On Centos 7.1 you need to mod (or disable) the firewall: `systemctl stop firewalld`
5. Lastly, lets add a key-value for interest: `curl http://[IP]:2379/v2/keys/supersecret -XPUT -d value="password!"`
Add docker docs for etcd
2018-03-28 16:25:51 +00:00
### Docker
1. `docker run -p 2379:2379 miguelgrinberg/easy-etcd`
updated docs
2018-03-25 18:53:30 +00:00
## Verification Steps
1. Install the application
2. Start msfconsole
3. Do: ```use auxiliary/scanner/etcd/open_key_scanner```
4. Do: ```set rhosts [IPs]```
5. Do: ```run```
6. You should get a JSON response, and the data saved to `loot`.
## Scenarios
### etcd 3.2.15 on CentOS 7.1
```
Add docker docs for etcd
2018-03-28 16:25:51 +00:00
msf5 > use auxiliary/scanner/etcd/open_key_scanner
jhart suggestions
2018-03-27 22:46:31 +00:00
msf5 auxiliary(scanner/etcd/open_key_scanner) > set rhosts 2.2.2.2
rhosts => 2.2.2.2
updated docs
2018-03-25 18:53:30 +00:00
msf5 auxiliary(scanner/etcd/open_key_scanner) > run
Add docker docs for etcd
2018-03-28 16:25:51 +00:00
[+] 2.2.2.2:2379
jhart suggestions
2018-03-27 22:46:31 +00:00
Version: {"etcdserver":"3.2.15","etcdcluster":"3.2.0"}
Data: {
updated docs
2018-03-25 18:53:30 +00:00
"action": "get",
"node": {
"dir": true,
"nodes": [
{
"key": "/supersecret",
"value": "password",
"modifiedIndex": 6,
"createdIndex": 6
}
]
}
}
Loot
====
host service type name content info path
---- ------- ---- ---- ------- ---- ----
jhart suggestions
2018-03-27 22:46:31 +00:00
2.2.2.2 etcd.data etcd.keys text/plain etcd keys /root/.msf4/loot/20180325144351_default_2.2.2.2_etcd.data_425280.txt
updated docs
2018-03-25 18:53:30 +00:00
msf5 auxiliary(scanner/etcd/open_key_scanner) > services
Services
========
host port proto name state info
---- ---- ----- ---- ----- ----
jhart suggestions
2018-03-27 22:46:31 +00:00
2.2.2.2 2379 tcp etcd open {"etcdserver":"3.2.15","etcdcluster":"3.2.0"}
updated docs
2018-03-25 18:53:30 +00:00
```
Add docker docs for etcd
2018-03-28 16:25:51 +00:00
### etcd in Docker
```
msf5 > use auxiliary/scanner/etcd/open_key_scanner
msf5 auxiliary(scanner/etcd/open_key_scanner) > set RHOSTS 127.0.0.1
RHOSTS => 127.0.0.1
msf5 auxiliary(scanner/etcd/open_key_scanner) > run
[+] 127.0.0.1:2379
Version: {"etcdserver":"3.1.3","etcdcluster":"3.1.0"}
Data: {
"action": "get",
"node": {
"dir": true
}
}
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/etcd/open_key_scanner) > loot
Loot
====
host service type name content info path
---- ------- ---- ---- ------- ---- ----
Use common path in etcd docs
2018-03-28 16:55:05 +00:00
127.0.0.1 etcd.data etcd.keys text/json etcd keys /root/.msf4/loot/20180328092245_default_127.0.0.1_etcd.data_260058.txt
Add docker docs for etcd
2018-03-28 16:25:51 +00:00
msf5 auxiliary(scanner/etcd/open_key_scanner) > services
Services
========
host port proto name state info
---- ---- ----- ---- ----- ----
127.0.0.1 2379 tcp etcd open {"etcdserver":"3.1.3","etcdcluster":"3.1.0"}
```