Land #10296, a few aux module docs
parent f6a7f19e2b
commit 3ffcc658e6
@ -0,0 +1,59 @@
## Description

This module identifies the version of IMAP in use by the server, as well as some of the login options.
Any IMAP sever should return this information.

## Vulnerable Application

### Install Dovecot on Kali Linux:

With this install, we'll only install IMAP for dovecot, as the other protocols are not required. However, this is unrealistic
in a production environment.

1. ```sudo apt-get install dovecot-imapd```
2. ```/etc/init.d/dovecot start```

## Verification Steps

1. Do: `use auxiliary/scanner/imap/imap_version`
2. Do: `set rhosts [ips]`
3. Do: `run`

## Options

**IMAPPASS**

A password for an IMAP account.

**IMAPUSER**

A username for an IMAP account.

## Scenarios

### Dovecot 2.3.2 (582970113) on Kali

```
msf5 > use auxiliary/scanner/imap/imap_version
msf5 auxiliary(scanner/imap/imap_version) > set rhosts 10.168.202.216
rhosts => 10.168.202.216
msf5 auxiliary(scanner/imap/imap_version) > run

[+] 10.168.202.216:143 - 10.168.202.216:143 IMAP * OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ STARTTLS AUTH=PLAIN] Dovecot (Debian) ready.\x0d\x0a
[*] 10.168.202.216:143 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
## Confirming

### [nmap](https://nmap.org/nsedoc/scripts/imap-capabilities.html)

```
# nmap -p 143 -sV -script=imap-capabilities 10.168.202.216
Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-11 18:43 EDT
Nmap scan report for 10.168.202.216
Host is up (0.000044s latency).

PORT STATE SERVICE VERSION
143/tcp open imap Dovecot imapd
|_imap-capabilities: LITERAL+ more AUTH=PLAINA0001 IDLE have LOGIN-REFERRALS ENABLE OK Pre-login listed capabilities post-login ID STARTTLS IMAP4rev1 SASL-IR
```
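Review bot: the Options section lists IMAPUSER and IMAPPASS but never says what the module does with them; since the Description promises "some of the login options", state whether setting both makes the module attempt a login and what additional output that produces, and give the defaults. "Any IMAP sever" should read "Any IMAP server". Minor consistency points: the smtp doc in this same change starts its service with `systemctl restart postfix`, so `systemctl start dovecot` would match it better than `/etc/init.d/dovecot start`, and the nmap invocation works with the single-dash `-script=` but the documented spelling is `--script=`.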
@ -0,0 +1,34 @@
## Description

This module identifies the version of POP3 in use by the server based on the server's banner.
Any POP3 sever should return this information.

## Vulnerable Application

### Install Dovecot on Kali Linux:

With this install, we'll only install POP3 for dovecot, as the other protocols are not required. However, this is unrealistic
in a production environment.

1. ```sudo apt-get install dovecot-pop3d```
2. ```/etc/init.d/dovecot start```

## Verification Steps

1. Do: `use auxiliary/scanner/pop3/pop3_version`
2. Do: `set rhosts [ips]`
3. Do: `run`

## Scenarios

### Dovecot 2.3.2 (582970113) on Kali

```
msf5 auxiliary(scanner/pop3/pop3_version) > use auxiliary/scanner/pop3/pop3_version
msf5 auxiliary(scanner/pop3/pop3_version) > set rhosts 10.168.202.216
msf5 auxiliary(scanner/pop3/pop3_version) > run

[+] 10.168.202.216:110 - 10.168.202.216:110 POP3 +OK Dovecot (Debian) ready.\x0d\x0a
[*] 10.168.202.216:110 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
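Review bot: the Scenarios transcript looks hand-edited: the first prompt already reads `msf5 auxiliary(scanner/pop3/pop3_version) >` before the `use` command is issued, and the `rhosts => 10.168.202.216` echo that msfconsole prints after `set rhosts` is missing, so please re-capture the session from a clean `msf5 >` prompt the way the imap doc does. "Any POP3 sever" should read "Any POP3 server".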
@ -0,0 +1,118 @@
## Description

An rsync module is essentially a directory share. These modules can optionally be protected by a password. This module connects to and
negotiates with an rsync server, lists the available modules and, optionally, determines if the module requires a password to access.

## Vulnerable Application

### Configuring rsync on Kali Linux:

Rsync is installed by default on Kali, however we need to configure some modules for the scanner to find. Step three will
create the secrets files which we'll use to test the authentication mechanism. Much of this is based on the guide from
[atlantic.net](https://www.atlantic.net/cloud-hosting/how-to-setup-rsync-daemon-linux-server/).

1. ```mkdir /home/public_rsync2; mkdir /home/public_rsync3; mkdir /home/public_rsync```
2. Create the configuration file:

```
echo -n "[read only files]
path = /home/public_rsync
comment = Files are read only
read only = true
timeout = 300

[writable]
path = /home/public_rsync2
comment = Files can be written to
read only = false
timeout = 300

[authenticated]
path = /home/public_rsync3
comment = Files require authentication
read only = true
timeout = 300
auth users = rsync1,rsync2
secrets file = /etc/rsyncd.secrets
" > /etc/rsyncd.conf
```

3. ```echo -n "rsync1:9$AZv2%5D29S740k
rsync2:Xyb#vbfUQR0og0$6
rsync3:VU&A1We5DEa8M6^8" > /etc/rsyncd.secrets```
4. ```chmod 600 /etc/rsyncd.secrets```
5. ```rsync --daemon```

## Verification Steps

1. Do: `use auxiliary/scanner/rsync/modules_list`
2. Do: `set rhosts [ips]`
3. Do: `run`

## Options

**TEST_AUTHENTICATION**

Connect to each share and test if authentication is required.

**VERBOSE**

When set to `false`, each module will be listed. When set to `true` each module will be listed, then a summary
table will also be printed including if authentication is required, and any module comments. `false` is the default value.

## Scenarios

### rsyncd on Kali (using above config)

With verbose set to `false`:

```
msf5 > use auxiliary/scanner/rsync/modules_list
msf5 auxiliary(scanner/rsync/modules_list) > set rhosts 10.168.202.216
rhosts => 10.168.202.216
msf5 auxiliary(scanner/rsync/modules_list) > run

[+] 10.168.202.216:873 - 3 rsync modules found: read only files, writable, authenticated
```

With verbose set to `true`:

```
msf5 > use auxiliary/scanner/rsync/modules_list
msf5 auxiliary(scanner/rsync/modules_list) > set rhosts 10.168.202.216
rhosts => 10.168.202.216
msf5 auxiliary(scanner/rsync/modules_list) > set verbose true
verbose => true
msf5 auxiliary(scanner/rsync/modules_list) > run

[+] 10.168.202.216:873 - 3 rsync modules found: read only files, writable, authenticated

rsync modules for 10.168.202.216:873
=======================================

Name Comment Authentication
---- ------- --------------
authenticated Files require authentication required
read only files Files are read only not required
writable Files can be written to not required

```

## Confirming

### [nmap](https://nmap.org/nsedoc/scripts/rsync-list-modules.html)

```
# nmap -p 873 -sV -script=rsync-list-modules 10.168.202.216
Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-12 16:32 EDT
Nmap scan report for 10.168.202.216
Host is up (0.000045s latency).

PORT STATE SERVICE VERSION
873/tcp open rsync (protocol version 31)
| rsync-list-modules:
| read only files Files are read only
| writable Files can be written to
|_ authenticated Files require authentication

```
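Review bot: step 3 writes the secrets file inside double quotes, so the shell expands `$AZv2` in `rsync1:9$AZv2%5D29S740k` and `$6` in `rsync2:Xyb#vbfUQR0og0$6` (both to empty strings in an ordinary shell), and the passwords that land in /etc/rsyncd.secrets are not the ones shown; use single quotes or a quoted heredoc. Step 3 also wraps a three-line command in inline triple backticks on a list item, which does not render as a code block; give it a fenced block like step 2. Finally, the secrets file defines rsync3 while `auth users = rsync1,rsync2` omits it; if that is deliberate (a user the daemon should reject), say so in the text, otherwise add rsync3 to `auth users`.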
@ -0,0 +1,35 @@
## Description

This module grabs the banner from an SMTP server.

## Vulnerable Application

### Postfix on Kali Linux:

This is mainly based on the instructions from [digitalocean.com](https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-postfix-on-ubuntu-16-04).
In this case, we don't need to configure all the users and set up the server fully, just enough to display a banner.


1. ```apt-get install postfix```
1. Select `Internet Site`
2. Select OK, the default is fine
2. ```systemctl restart postfix```

## Verification Steps

1. Do: `use auxiliary/scanner/smtp/smtp_version`
2. Do: `set rhosts [ips]`
3. Do: `run`

## Scenarios

### Postfix 3.3.0-1+b1 (Ubuntu package number) on Kali (using above config)

```
msf5 > use auxiliary/scanner/smtp/smtp_version
msf5 auxiliary(scanner/smtp/smtp_version) > set rhosts 10.168.202.216
rhosts => 10.168.202.216
msf5 auxiliary(scanner/smtp/smtp_version) > run

[+] 10.168.202.216:25 - 10.168.202.216:25 SMTP 220 rageKali.ragegroup ESMTP Postfix (Debian/GNU)\x0d\x0a
```
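Review bot: the install steps are numbered 1, 1, 2, 2, so the two Postfix dialog choices (`Select Internet Site`, `Select OK, the default is fine`) render as top-level steps rather than sub-steps of `apt-get install postfix`; indent them under step 1 and renumber `systemctl restart postfix` as step 2. The scenario heading calls 3.3.0-1+b1 an "Ubuntu package number" while the banner below reports `Postfix (Debian/GNU)` and the host is Kali; "Debian package version" is what the output supports. The transcript also stops after the banner line, whereas the other docs in this change include the `Scanned 1 of 1 hosts` and `Auxiliary module execution completed` lines; please include the full output for consistency.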