Land #10296, a few aux module docs

4.x
William Vu 2018-07-12 22:20:25 -05:00 committed by Metasploit
parent f6a7f19e2b
commit 3ffcc658e6
No known key found for this signature in database
GPG Key ID: CDFB5FA52007B954
4 changed files with 246 additions and 0 deletions


@ -0,0 +1,59 @@
## Description
This module identifies the version of IMAP in use by the server, as well as some of the login options.
Any IMAP sever should return this information.
## Vulnerable Application
### Install Dovecot on Kali Linux:
With this install, we'll only install IMAP for dovecot, as the other protocols are not required. However, this is unrealistic
in a production environment.
1. ```sudo apt-get install dovecot-imapd```
2. ```/etc/init.d/dovecot start```
## Verification Steps
1. Do: `use auxiliary/scanner/imap/imap_version`
2. Do: `set rhosts [ips]`
3. Do: `run`
## Options
**IMAPPASS**
A password for an IMAP account.
**IMAPUSER**
A username for an IMAP account.
## Scenarios
### Dovecot 2.3.2 (582970113) on Kali
```
msf5 > use auxiliary/scanner/imap/imap_version
msf5 auxiliary(scanner/imap/imap_version) > set rhosts 10.168.202.216
rhosts => 10.168.202.216
msf5 auxiliary(scanner/imap/imap_version) > run
[+] 10.168.202.216:143 - 10.168.202.216:143 IMAP * OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ STARTTLS AUTH=PLAIN] Dovecot (Debian) ready.\x0d\x0a
[*] 10.168.202.216:143 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
## Confirming
### [nmap](https://nmap.org/nsedoc/scripts/imap-capabilities.html)
```
# nmap -p 143 -sV -script=imap-capabilities 10.168.202.216
Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-11 18:43 EDT
Nmap scan report for 10.168.202.216
Host is up (0.000044s latency).
PORT STATE SERVICE VERSION
143/tcp open imap Dovecot imapd
|_imap-capabilities: LITERAL+ more AUTH=PLAINA0001 IDLE have LOGIN-REFERRALS ENABLE OK Pre-login listed capabilities post-login ID STARTTLS IMAP4rev1 SASL-IR
```
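Review bot: The Description (`This module identifies the version of IMAP in use by the server`) promises a version, but the greeting captured in the scenario, `* OK [CAPABILITY IMAP4rev1 SASL-IR ... AUTH=PLAIN] Dovecot (Debian) ready.`, carries no version number at all; the `2.3.2` in the scenario heading came from the install, not from the module. Suggest rewording to say the module reports the server greeting, which normally gives the product name and the pre-login CAPABILITY list (here STARTTLS and AUTH=PLAIN), and may or may not include a version. The Options section lists IMAPUSER and IMAPPASS without saying what this module does with them; either state whether a login is attempted when they are set, or drop them if they are only inherited from the IMAP mixin and not used here. Also `sever` -> `server` in `Any IMAP sever should return this information.`, and the nmap line uses single-dash `-script=`; the documented form is `--script=imap-capabilities`.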


@ -0,0 +1,34 @@
## Description
This module identifies the version of POP3 in use by the server based on the server's banner.
Any POP3 sever should return this information.
## Vulnerable Application
### Install Dovecot on Kali Linux:
With this install, we'll only install POP3 for dovecot, as the other protocols are not required. However, this is unrealistic
in a production environment.
1. ```sudo apt-get install dovecot-pop3d```
2. ```/etc/init.d/dovecot start```
## Verification Steps
1. Do: `use auxiliary/scanner/pop3/pop3_version`
2. Do: `set rhosts [ips]`
3. Do: `run`
## Scenarios
### Dovecot 2.3.2 (582970113) on Kali
```
msf5 auxiliary(scanner/pop3/pop3_version) > use auxiliary/scanner/pop3/pop3_version
msf5 auxiliary(scanner/pop3/pop3_version) > set rhosts 10.168.202.216
msf5 auxiliary(scanner/pop3/pop3_version) > run
[+] 10.168.202.216:110 - 10.168.202.216:110 POP3 +OK Dovecot (Debian) ready.\x0d\x0a
[*] 10.168.202.216:110 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
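Review bot: The scenario transcript does not match the other docs: the prompt in front of `use auxiliary/scanner/pop3/pop3_version` already reads `msf5 auxiliary(scanner/pop3/pop3_version) >`, and the `set rhosts 10.168.202.216` line has lost its `rhosts => 10.168.202.216` echo, so the session was pasted out of order or trimmed. Suggest re-capturing it from a bare `msf5 >` prompt as in the IMAP doc. `sever` -> `server` in the Description. This file also lacks the Confirming section the IMAP and rsync docs have; `nmap -p 110 -sV --script=pop3-capabilities` against the same host would give the independent check of the banner.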


@ -0,0 +1,118 @@
## Description
An rsync module is essentially a directory share. These modules can optionally be protected by a password. This module connects to and
negotiates with an rsync server, lists the available modules and, optionally, determines if the module requires a password to access.
## Vulnerable Application
### Configuring rsync on Kali Linux:
Rsync is installed by default on Kali, however we need to configure some modules for the scanner to find. Step three will
create the secrets files which we'll use to test the authentication mechanism. Much of this is based on the guide from
[atlantic.net](https://www.atlantic.net/cloud-hosting/how-to-setup-rsync-daemon-linux-server/).
1. ```mkdir /home/public_rsync2; mkdir /home/public_rsync3; mkdir /home/public_rsync```
2. Create the configuration file:
```
echo -n "[read only files]
path = /home/public_rsync
comment = Files are read only
read only = true
timeout = 300
[writable]
path = /home/public_rsync2
comment = Files can be written to
read only = false
timeout = 300
[authenticated]
path = /home/public_rsync3
comment = Files require authentication
read only = true
timeout = 300
auth users = rsync1,rsync2
secrets file = /etc/rsyncd.secrets
" > /etc/rsyncd.conf
```
3. ```echo -n "rsync1:9$AZv2%5D29S740k
rsync2:Xyb#vbfUQR0og0$6
rsync3:VU&A1We5DEa8M6^8" > /etc/rsyncd.secrets```
4. ```chmod 600 /etc/rsyncd.secrets```
5. ```rsync --daemon```
## Verification Steps
1. Do: `use auxiliary/scanner/rsync/modules_list`
2. Do: `set rhosts [ips]`
3. Do: `run`
## Options
**TEST_AUTHENTICATION**
Connect to each share and test if authentication is required.
**VERBOSE**
When set to `false`, each module will be listed. When set to `true` each module will be listed, then a summary
table will also be printed including if authentication is required, and any module comments. `false` is the default value.
## Scenarios
### rsyncd on Kali (using above config)
With verbose set to `false`:
```
msf5 > use auxiliary/scanner/rsync/modules_list
msf5 auxiliary(scanner/rsync/modules_list) > set rhosts 10.168.202.216
rhosts => 10.168.202.216
msf5 auxiliary(scanner/rsync/modules_list) > run
[+] 10.168.202.216:873 - 3 rsync modules found: read only files, writable, authenticated
```
With verbose set to `true`:
```
msf5 > use auxiliary/scanner/rsync/modules_list
msf5 auxiliary(scanner/rsync/modules_list) > set rhosts 10.168.202.216
rhosts => 10.168.202.216
msf5 auxiliary(scanner/rsync/modules_list) > set verbose true
verbose => true
msf5 auxiliary(scanner/rsync/modules_list) > run
[+] 10.168.202.216:873 - 3 rsync modules found: read only files, writable, authenticated
rsync modules for 10.168.202.216:873
=======================================
Name Comment Authentication
---- ------- --------------
authenticated Files require authentication required
read only files Files are read only not required
writable Files can be written to not required
```
## Confirming
### [nmap](https://nmap.org/nsedoc/scripts/rsync-list-modules.html)
```
# nmap -p 873 -sV -script=rsync-list-modules 10.168.202.216
Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-12 16:32 EDT
Nmap scan report for 10.168.202.216
Host is up (0.000045s latency).
PORT STATE SERVICE VERSION
873/tcp open rsync (protocol version 31)
| rsync-list-modules:
| read only files Files are read only
| writable Files can be written to
|_ authenticated Files require authentication
```
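Review bot: Step 3 of the setup writes the secrets file inside double quotes, so the shell expands `$AZv2` in `rsync1:9$AZv2%5D29S740k` and `$6` in `rsync2:Xyb#vbfUQR0og0$6` to empty strings; the passwords that actually land in /etc/rsyncd.secrets are not the ones printed, and anyone following step 3 to exercise the `authenticated` module with these credentials will get a login failure. Use single quotes around the echo argument, or a heredoc with a quoted delimiter (`cat <<'EOF' > /etc/rsyncd.secrets`), or pick passwords without `$`. Smaller points: the TEST_AUTHENTICATION entry should state its default, since the `Authentication` column of the verbose table depends on it; and the nmap line uses single-dash `-script=`, where `--script=rsync-list-modules` is the documented form.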


@ -0,0 +1,35 @@
## Description
This module grabs the banner from an SMTP server.
## Vulnerable Application
### Postfix on Kali Linux:
This is mainly based on the instructions from [digitalocean.com](https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-postfix-on-ubuntu-16-04).
In this case, we don't need to configure all the users and set up the server fully, just enough to display a banner.
1. ```apt-get install postfix```
1. Select `Internet Site`
2. Select OK, the default is fine
2. ```systemctl restart postfix```
## Verification Steps
1. Do: `use auxiliary/scanner/smtp/smtp_version`
2. Do: `set rhosts [ips]`
3. Do: `run`
## Scenarios
### Postfix 3.3.0-1+b1 (Ubuntu package number) on Kali (using above config)
```
msf5 > use auxiliary/scanner/smtp/smtp_version
msf5 auxiliary(scanner/smtp/smtp_version) > set rhosts 10.168.202.216
rhosts => 10.168.202.216
msf5 auxiliary(scanner/smtp/smtp_version) > run
[+] 10.168.202.216:25 - 10.168.202.216:25 SMTP 220 rageKali.ragegroup ESMTP Postfix (Debian/GNU)\x0d\x0a
```
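Review bot: The scenario heading labels the build `Postfix 3.3.0-1+b1 (Ubuntu package number)`, but the banner two lines below reads `ESMTP Postfix (Debian/GNU)` and `+b1` is Debian's binary-NMU suffix; Kali is Debian-based, so call it the Debian package version. The install steps are numbered `1. 1. 2. 2.`: indent the two `Select` lines so they render as sub-steps of step 1 and renumber `systemctl restart postfix` to step 2. The transcript stops at the banner line without the `Scanned 1 of 1 hosts` and `Auxiliary module execution completed` lines the other docs show, and there is no Confirming section; `nmap -p 25 -sV` against the host would serve.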