diff --git a/documentation/modules/auxiliary/scanner/imap/imap_version.md b/documentation/modules/auxiliary/scanner/imap/imap_version.md new file mode 100644 index 0000000000..e8848616f2 --- /dev/null +++ b/documentation/modules/auxiliary/scanner/imap/imap_version.md 
@@ -0,0 +1,59 @@ +## Description + +This module identifies the version of IMAP in use by the server, as well as some of the login options. +Any IMAP sever should return this information. + +## Vulnerable Application + +### Install Dovecot on Kali Linux: + +With this install, we'll only install IMAP for dovecot, as the other protocols are not required. However, this is unrealistic +in a production environment. + +1. ```sudo apt-get install dovecot-imapd``` +2. ```/etc/init.d/dovecot start``` + +## Verification Steps + + 1. Do: `use auxiliary/scanner/imap/imap_version` + 2. Do: `set rhosts [ips]` + 3. Do: `run` + +## Options + + **IMAPPASS** + + A password for an IMAP account. + + **IMAPUSER** + + A username for an IMAP account. + +## Scenarios + +### Dovecot 2.3.2 (582970113) on Kali + + ``` + msf5 > use auxiliary/scanner/imap/imap_version + msf5 auxiliary(scanner/imap/imap_version) > set rhosts 10.168.202.216 + rhosts => 10.168.202.216 + msf5 auxiliary(scanner/imap/imap_version) > run + + [+] 10.168.202.216:143 - 10.168.202.216:143 IMAP * OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ STARTTLS AUTH=PLAIN] Dovecot (Debian) ready.\x0d\x0a + [*] 10.168.202.216:143 - Scanned 1 of 1 hosts (100% complete) + [*] Auxiliary module execution completed + ``` +## Confirming + +### [nmap](https://nmap.org/nsedoc/scripts/imap-capabilities.html) + +``` +# nmap -p 143 -sV -script=imap-capabilities 10.168.202.216 +Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-11 18:43 EDT +Nmap scan report for 10.168.202.216 +Host is up (0.000044s latency). + +PORT STATE SERVICE VERSION +143/tcp open imap Dovecot imapd +|_imap-capabilities: LITERAL+ more AUTH=PLAINA0001 IDLE have LOGIN-REFERRALS ENABLE OK Pre-login listed capabilities post-login ID STARTTLS IMAP4rev1 SASL-IR +``` diff --git a/documentation/modules/auxiliary/scanner/pop3/pop3_version.md b/documentation/modules/auxiliary/scanner/pop3/pop3_version.md new file mode 100644 index 0000000000..1283ff5e9c 
--- /dev/null +++ b/documentation/modules/auxiliary/scanner/pop3/pop3_version.md @@ -0,0 +1,34 @@ +## Description + +This module identifies the version of POP3 in use by the server based on the server's banner. +Any POP3 sever should return this information. + +## Vulnerable Application + +### Install Dovecot on Kali Linux: + +With this install, we'll only install POP3 for dovecot, as the other protocols are not required. However, this is unrealistic +in a production environment. + +1. ```sudo apt-get install dovecot-pop3d``` +2. ```/etc/init.d/dovecot start``` + +## Verification Steps + + 1. Do: `use auxiliary/scanner/pop3/pop3_version` + 2. Do: `set rhosts [ips]` + 3. Do: `run` + +## Scenarios + +### Dovecot 2.3.2 (582970113) on Kali + + ``` + msf5 auxiliary(scanner/pop3/pop3_version) > use auxiliary/scanner/pop3/pop3_version + msf5 auxiliary(scanner/pop3/pop3_version) > set rhosts 10.168.202.216 + msf5 auxiliary(scanner/pop3/pop3_version) > run + + [+] 10.168.202.216:110 - 10.168.202.216:110 POP3 +OK Dovecot (Debian) ready.\x0d\x0a + [*] 10.168.202.216:110 - Scanned 1 of 1 hosts (100% complete) + [*] Auxiliary module execution completed + ``` diff --git a/documentation/modules/auxiliary/scanner/rsync/modules_list.md b/documentation/modules/auxiliary/scanner/rsync/modules_list.md new file mode 100644 index 0000000000..6ab23df945 --- /dev/null +++ b/documentation/modules/auxiliary/scanner/rsync/modules_list.md 
@@ -0,0 +1,118 @@ +## Description + +An rsync module is essentially a directory share. These modules can optionally be protected by a password. This module connects to and +negotiates with an rsync server, lists the available modules and, optionally, determines if the module requires a password to access. + +## Vulnerable Application + +### Configuring rsync on Kali Linux: + +Rsync is installed by default on Kali, however we need to configure some modules for the scanner to find. Step three will +create the secrets files which we'll use to test the authentication mechanism. Much of this is based on the guide from +[atlantic.net](https://www.atlantic.net/cloud-hosting/how-to-setup-rsync-daemon-linux-server/). + +1. ```mkdir /home/public_rsync2; mkdir /home/public_rsync3; mkdir /home/public_rsync``` +2. Create the configuration file: + + ``` + echo -n "[read only files] + path = /home/public_rsync + comment = Files are read only + read only = true + timeout = 300 + + [writable] + path = /home/public_rsync2 + comment = Files can be written to + read only = false + timeout = 300 + + [authenticated] + path = /home/public_rsync3 + comment = Files require authentication + read only = true + timeout = 300 + auth users = rsync1,rsync2 + secrets file = /etc/rsyncd.secrets + " > /etc/rsyncd.conf + ``` + +3. ```echo -n "rsync1:9$AZv2%5D29S740k +rsync2:Xyb#vbfUQR0og0$6 +rsync3:VU&A1We5DEa8M6^8" > /etc/rsyncd.secrets``` +4. ```chmod 600 /etc/rsyncd.secrets``` +5. ```rsync --daemon``` + +## Verification Steps + + 1. Do: `use auxiliary/scanner/rsync/modules_list` + 2. Do: `set rhosts [ips]` + 3. Do: `run` + +## Options + + **TEST_AUTHENTICATION** + + Connect to each share and test if authentication is required. + + **VERBOSE** + + When set to `false`, each module will be listed. When set to `true` each module will be listed, then a summary + table will also be printed including if authentication is required, and any module comments. `false` is the default value. 
+ +## Scenarios + +### rsyncd on Kali (using above config) + +With verbose set to `false`: + + ``` + msf5 > use auxiliary/scanner/rsync/modules_list + msf5 auxiliary(scanner/rsync/modules_list) > set rhosts 10.168.202.216 + rhosts => 10.168.202.216 + msf5 auxiliary(scanner/rsync/modules_list) > run + + [+] 10.168.202.216:873 - 3 rsync modules found: read only files, writable, authenticated + ``` + +With verbose set to `true`: + + ``` + msf5 > use auxiliary/scanner/rsync/modules_list + msf5 auxiliary(scanner/rsync/modules_list) > set rhosts 10.168.202.216 + rhosts => 10.168.202.216 + msf5 auxiliary(scanner/rsync/modules_list) > set verbose true + verbose => true + msf5 auxiliary(scanner/rsync/modules_list) > run + + [+] 10.168.202.216:873 - 3 rsync modules found: read only files, writable, authenticated + + rsync modules for 10.168.202.216:873 + ======================================= + + Name Comment Authentication + ---- ------- -------------- + authenticated Files require authentication required + read only files Files are read only not required + writable Files can be written to not required + + ``` + +## Confirming + +### [nmap](https://nmap.org/nsedoc/scripts/rsync-list-modules.html) + +``` +# nmap -p 873 -sV -script=rsync-list-modules 10.168.202.216 +Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-12 16:32 EDT +Nmap scan report for 10.168.202.216 +Host is up (0.000045s latency). + +PORT STATE SERVICE VERSION +873/tcp open rsync (protocol version 31) +| rsync-list-modules: +| read only files Files are read only +| writable Files can be written to +|_ authenticated Files require authentication + +``` diff --git a/documentation/modules/auxiliary/scanner/smtp/smtp_version.md b/documentation/modules/auxiliary/scanner/smtp/smtp_version.md new file mode 100644 index 0000000000..f20d26d2e8 --- /dev/null +++ b/documentation/modules/auxiliary/scanner/smtp/smtp_version.md 
@@ -0,0 +1,35 @@ +## Description + +This module grabs the banner from an SMTP server. + +## Vulnerable Application + +### Postfix on Kali Linux: + +This is mainly based on the instructions from [digitalocean.com](https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-postfix-on-ubuntu-16-04). +In this case, we don't need to configure all the users and set up the server fully, just enough to display a banner. + + +1. ```apt-get install postfix``` + 1. Select `Internet Site` + 2. Select OK, the default is fine +2. ```systemctl restart postfix``` + +## Verification Steps + + 1. Do: `use auxiliary/scanner/smtp/smtp_version` + 2. Do: `set rhosts [ips]` + 3. Do: `run` + +## Scenarios + +### Postfix 3.3.0-1+b1 (Ubuntu package number) on Kali (using above config) + + ``` + msf5 > use auxiliary/scanner/smtp/smtp_version + msf5 auxiliary(scanner/smtp/smtp_version) > set rhosts 10.168.202.216 + rhosts => 10.168.202.216 + msf5 auxiliary(scanner/smtp/smtp_version) > run + + [+] 10.168.202.216:25 - 10.168.202.216:25 SMTP 220 rageKali.ragegroup ESMTP Postfix (Debian/GNU)\x0d\x0a + ```
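Review bot: In the imap_version.md hunk, "Any IMAP sever should return this information." has a typo ("sever" should be "server"), and the nmap confirmation command uses a single-dash long option, `-script=imap-capabilities`; Nmap's documented form is `--script=imap-capabilities`, and the single-dash spelling is easy to misread as a short option. The Options section lists **IMAPPASS** and **IMAPUSER** but nothing says whether they are optional or what changes when they are set, so a reader following the Verification Steps (which never set them) cannot tell whether the scan is complete without them; one sentence stating that they are optional and what the module does with them would close that gap. Finally the install steps mix `sudo apt-get install dovecot-imapd` with an unprefixed `/etc/init.d/dovecot start`, while the smtp_version.md doc in the same patch uses `systemctl restart`; pick one privilege prefix and one service-management command for all four docs.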
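Review bot: In the pop3_version.md hunk, the same "sever" typo appears in "Any POP3 sever should return this information.", and the Scenarios transcript looks hand-edited rather than captured: its first prompt is already `msf5 auxiliary(scanner/pop3/pop3_version) >` before the `use auxiliary/scanner/pop3/pop3_version` command has been issued, and the `rhosts => 10.168.202.216` echo that follows `set rhosts` in the other three docs is missing. Suggest re-capturing the session so it starts from `msf5 >` and includes the echo line, matching the imap, rsync and smtp scenarios.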
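Review bot: In the modules_list.md hunk, step 3 writes the secrets file from a double-quoted string, so the shell expands `$AZv2` (an unset variable, empty) and `$6` (a positional parameter, empty) before `echo` runs; `/etc/rsyncd.secrets` ends up containing `rsync1:9%5D29S740k` and `rsync2:Xyb#vbfUQR0og0`, not the passwords the doc shows, and anyone testing the `authenticated` module with the documented credentials will be refused. Use single quotes, `echo -n 'rsync1:9$AZv2%5D29S740k` … `rsync3:VU&A1We5DEa8M6^8' > /etc/rsyncd.secrets`, or a heredoc with a quoted delimiter (`<<'EOF'`), so the string is written literally. As in the imap doc, the nmap command should read `--script=rsync-list-modules` rather than `-script=`. The prose also says "Step three will create the secrets files" while step 3 creates one file; "the secrets file" is the accurate wording.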
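Review bot: In the smtp_version.md hunk, the scenario heading "Postfix 3.3.0-1+b1 (Ubuntu package number) on Kali" mislabels the version: the install is on Kali, the banner in the same transcript reads `ESMTP Postfix (Debian/GNU)`, and the `+b1` suffix is Debian's binary-NMU marker, so this is a Debian/Kali package version, not an Ubuntu one. The install step `apt-get install postfix` lacks the `sudo` prefix used by the imap doc in this patch, and the scenario output stops after the `[+] 10.168.202.216:25 - ...` line without the `Scanned 1 of 1 hosts (100% complete)` and `Auxiliary module execution completed` lines every other scenario in the patch shows, which reads as a truncated capture; suggest re-running and pasting the full output.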