From 83ae5cb14dd2121412a72a3eeb14cd51c9b724f6 Mon Sep 17 00:00:00 2001
From: h00die
Date: Sun, 22 Jul 2018 20:50:22 -0400
Subject: [PATCH 1/2] fix backup_file.rb and add a few docs
---
.../auxiliary/scanner/h323/h323_version.md | 16 ++
.../auxiliary/scanner/http/backup_file.md | 45 ++++++
.../auxiliary/scanner/http/enum_wayback.md | 31 ++++
.../auxiliary/scanner/http/joomla_pages.md | 26 ++++
.../auxiliary/scanner/http/joomla_plugins.md | 143 ++++++++++++++++++
.../auxiliary/scanner/http/joomla_version.md | 41 +++++
modules/auxiliary/scanner/http/backup_file.rb | 6 +-
7 files changed, 305 insertions(+), 3 deletions(-)
create mode 100644 documentation/modules/auxiliary/scanner/h323/h323_version.md
create mode 100644 documentation/modules/auxiliary/scanner/http/backup_file.md
create mode 100644 documentation/modules/auxiliary/scanner/http/enum_wayback.md
create mode 100644 documentation/modules/auxiliary/scanner/http/joomla_pages.md
create mode 100644 documentation/modules/auxiliary/scanner/http/joomla_plugins.md
create mode 100644 documentation/modules/auxiliary/scanner/http/joomla_version.md
diff --git a/documentation/modules/auxiliary/scanner/h323/h323_version.md b/documentation/modules/auxiliary/scanner/h323/h323_version.md
new file mode 100644
index 0000000000..4bb89f6fb8
--- /dev/null
+++ b/documentation/modules/auxiliary/scanner/h323/h323_version.md
@@ -0,0 +1,16 @@
+## Intro
+
+This module scans for h.323 servers and determines the version and information about the server.
+
+## Usage
+
+```
+msf5 auxiliary(scanner/sip/options) > use auxiliary/scanner/h323/h323_version
+msf5 auxiliary(scanner/h323/h323_version) > set rhosts 1.1.1.1
+rhosts => 1.1.1.1
+msf5 auxiliary(scanner/h323/h323_version) > run
+
+[+] 1.1.1.1:1720 - 1.1.1.1:1720 Protocol: 3 VendorID: 0x6100023c VersionID: v.5.4 ProductID: Gateway
+[*] 1.1.1.1:1720 - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
diff --git a/documentation/modules/auxiliary/scanner/http/backup_file.md b/documentation/modules/auxiliary/scanner/http/backup_file.md
new file mode 100644
index 0000000000..340b2beb53
--- /dev/null
+++ b/documentation/modules/auxiliary/scanner/http/backup_file.md
@@ -0,0 +1,45 @@
+## Intro
+
+This module scans a web server for a file name with various backup type extensions.
+The list of extensions are:
+
+1. .backup
+2. .bak
+3. .copy
+4. .copia
+5. .old
+6. .orig
+7. .temp
+8. .txt
+9. ~
+
+## Usage
+
+In the basic config, you'll search for the extensions on `/index.asp`, which may not be very useful.
+In this scenario, we look for `/backup` instead. On the web server, we've created the files `backup.old`,
+`backup.orig`, and `backup~`.
+
+```
+msf5 > use auxiliary/scanner/http/backup_file
+msf5 auxiliary(scanner/http/backup_file) > set verbose true
+verbose => true
+msf5 auxiliary(scanner/http/backup_file) > set path /backup
+path => /backup
+msf5 auxiliary(scanner/http/backup_file) > set rhosts 192.168.2.39
+rhosts => 192.168.2.39
+msf5 auxiliary(scanner/http/backup_file) > run
+
+[*] NOT Found http://192.168.2.39:80/backup.backup
+[*] NOT Found http://192.168.2.39:80/backup.bak
+[*] NOT Found http://192.168.2.39:80/backup.copy
+[*] NOT Found http://192.168.2.39:80/backup.copia
+[+] Found http://192.168.2.39:80/backup.old
+[+] Found http://192.168.2.39:80/backup.orig
+[*] NOT Found http://192.168.2.39:80/backup.temp
+[*] NOT Found http://192.168.2.39:80/backup.txt
+[+] Found http://192.168.2.39:80/backup~
+[*] NOT Found http://192.168.2.39:80/.backup.swp
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+
+```
\ No newline at end of file
diff --git a/documentation/modules/auxiliary/scanner/http/enum_wayback.md b/documentation/modules/auxiliary/scanner/http/enum_wayback.md
new file mode 100644
index 0000000000..dca8b6ae8b
--- /dev/null
+++ b/documentation/modules/auxiliary/scanner/http/enum_wayback.md
@@ -0,0 +1,31 @@
+## Intro
+
+This module pulls and parses the URLs stored by Archive.org for the purpose of replaying
+during a web assessment. Finding unlinked and old pages. This module utilizes
+[Archive.org's Wayback Machine](https://archive.org/web/)'s [API](https://archive.org/help/wayback_api.php).
+
+## Usage
+
+```
+msf5 > use auxiliary/scanner/http/enum_wayback
+msf5 auxiliary(scanner/http/enum_wayback) > set domain rapid7.com
+domain => rapid7.com
+msf5 auxiliary(scanner/http/enum_wayback) > run
+
+[*] Pulling urls from Archive.org
+[*] Located 43656 addresses for rapid7.com
+http://mailto:info@rapid7.com/
+http://mailto:sales@rapid7.com/
+http://mailto:sales@rapid7.com/robots.txt
+http://rapid7.com
+http://rapid7.com/
+http://rapid7.com/GlobalStyleSheet.css
+http://rapid7.com/WebResources/images/Background2.gif
+http://rapid7.com/WebResources/images/GlobalNavigation/Downloads_u.gif
+http://rapid7.com/WebResources/images/GlobalNavigation/Home_d.gif
+http://rapid7.com/WebResources/images/GlobalNavigation/NeXpose_d.gif
+http://rapid7.com/WebResources/images/GlobalNavigation/NeXpose_u.gif
+http://rapid7.com/WebResources/images/GlobalNavigation/Support_d.gif
+http://rapid7.com/WebResources/images/GlobalNavigation/Support_u.gif
+...snip...
+```
\ No newline at end of file
diff --git a/documentation/modules/auxiliary/scanner/http/joomla_pages.md b/documentation/modules/auxiliary/scanner/http/joomla_pages.md
new file mode 100644
index 0000000000..5332dbb734
--- /dev/null
+++ b/documentation/modules/auxiliary/scanner/http/joomla_pages.md
@@ -0,0 +1,26 @@
+## Intro
+
+This module scans for Joomla Content Management System running on a web server for the following pages:
+
+ 1. `robots.txt`
+ 2. `administrator/index.php`
+ 3. `admin/`
+ 4. `index.php/using-joomla/extensions/components/users-component/registration-form`
+ 5. `index.php/component/users/?view=registration`
+ 6. `htaccess.txt`
+
+
+## Usage
+
+```
+msf5 > use auxiliary/scanner/http/joomla_pages
+msf5 auxiliary(scanner/http/joomla_pages) > set rhosts 192.168.2.39
+rhosts => 192.168.2.39
+msf5 auxiliary(scanner/http/joomla_pages) > run
+
+[+] Page Found: /robots.txt
+[+] Page Found: /administrator/index.php
+[+] Page Found: /htaccess.txt
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
diff --git a/documentation/modules/auxiliary/scanner/http/joomla_plugins.md b/documentation/modules/auxiliary/scanner/http/joomla_plugins.md
new file mode 100644
index 0000000000..17dcc67c11
--- /dev/null
+++ b/documentation/modules/auxiliary/scanner/http/joomla_plugins.md
@@ -0,0 +1,143 @@
+## Intro
+
+This module scans for Joomla Content Management System running on a web server for components/plugins.
+The list can be found in [data/wordlists/joomla.txt](https://github.com/rapid7/metasploit-framework/blob/master/data/wordlists/joomla.txt).
+
+## Usage
+
+```
+msf5 > use auxiliary/scanner/http/joomla_plugins
+msf5 auxiliary(scanner/http/joomla_plugins) > set rhosts 192.168.2.39
+rhosts => 192.168.2.39
+msf5 auxiliary(scanner/http/joomla_plugins) > run
+
+[+] Plugin: /?1.5.10-x
+[+] Plugin: /?1.5.11-x-http_ref
+[+] Plugin: /?1.5.11-x-php-s3lf
+[+] Plugin: /?1.5.3-path-disclose
+[+] Plugin: /?1.5.3-spam
+[+] Plugin: /?1.5.8-x
+[+] Plugin: /?1.5.9-x
+[+] Plugin: /?j1012-fixate-session
+[+] Plugin: /administrator/
+[+] Plugin: /administrator/components/
+[+] Plugin: /administrator/components/com_admin/
+[+] Plugin: /administrator/index.php?option=com_djartgallery&task=editItem&cid[]=1'+and+1=1+--+
+[+] Plugin: /administrator/index.php?option=com_searchlog&act=log
+[+] Plugin: /components/com_banners/
+[+] Plugin: /components/com_content/
+[+] Page: /index.php?option=com_content
+[+] Plugin: /components/com_mailto/
+[+] Plugin: /components/com_search/
+[+] Page: /index.php?option=com_search
+[+] Plugin: /components/com_users/
+[+] Page: /index.php?option=com_users
+[+] Plugin: /index.php?file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd&jat3action=gzip&type=css&v=1
+[+] Vulnerability: Potential LFI
+[+] Plugin: /index.php?option=com_newsfeeds&view=categories&feedid=-1%20union%20select%201,concat%28username,char%2858%29,password%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30%20from%20jos_users--
+[+] Page: /index.php?option=com_newsfeeds&view=categories&feedid=-1%20union%20select%201,concat%28username,char%2858%29,password%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30%20from%20jos
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+## Confirming using Joomscan
+
+The `-ec` flag is used to enumerate components/plugins.
+
+```
+# joomscan -u 192.168.2.39 -ec
+ ____ _____ _____ __ __ ___ ___ __ _ _
+ (_ _)( _ )( _ )( \/ )/ __) / __) /__\ ( \( )
+ .-_)( )(_)( )(_)( ) ( \__ \( (__ /(__)\ ) (
+ \____) (_____)(_____)(_/\/\_)(___/ \___)(__)(__)(_)\_)
+ (1337.today)
+
+ --=[OWASP JoomScan
+ +---++---==[Version : 0.0.5
+ +---++---==[Update Date : [2018/03/13]
+ +---++---==[Authors : Mohammad Reza Espargham , Ali Razmjoo
+ --=[Code name : KLOT
+ @OWASP_JoomScan , @rezesp , @Ali_Razmjo0 , @OWASP
+
+Processing http://192.168.2.39 ...
+
+...snip...
+
+[+] Enumeration component (com_ajax)
+[++] Name: com_ajax
+Location : http://192.168.2.39/components/com_ajax/
+Directory listing is enabled : http://192.168.2.39/components/com_ajax/
+
+
+[+] Enumeration component (com_banners)
+[++] Name: com_banners
+Location : http://192.168.2.39/components/com_banners/
+Directory listing is enabled : http://192.168.2.39/components/com_banners/
+
+
+[+] Enumeration component (com_contact)
+[++] Name: com_contact
+Location : http://192.168.2.39/components/com_contact/
+Directory listing is enabled : http://192.168.2.39/components/com_contact/
+
+
+[+] Enumeration component (com_content)
+[++] Name: com_content
+Location : http://192.168.2.39/components/com_content/
+Directory listing is enabled : http://192.168.2.39/components/com_content/
+
+
+[+] Enumeration component (com_contenthistory)
+[++] Name: com_contenthistory
+Location : http://192.168.2.39/components/com_contenthistory/
+Directory listing is enabled : http://192.168.2.39/components/com_contenthistory/
+
+
+[+] Enumeration component (com_fields)
+[++] Name: com_fields
+Location : http://192.168.2.39/components/com_fields/
+Directory listing is enabled : http://192.168.2.39/components/com_fields/
+
+
+[+] Enumeration component (com_finder)
+[++] Name: com_finder
+Location : http://192.168.2.39/components/com_finder/
+Directory listing is enabled : http://192.168.2.39/components/com_finder/
+
+
+[+] Enumeration component (com_mailto)
+[++] Name: com_mailto
+Location : http://192.168.2.39/components/com_mailto/
+Directory listing is enabled : http://192.168.2.39/components/com_mailto/
+Installed version : 3.1
+
+
+[+] Enumeration component (com_media)
+[++] Name: com_media
+Location : http://192.168.2.39/components/com_media/
+Directory listing is enabled : http://192.168.2.39/components/com_media/
+
+
+[+] Enumeration component (com_newsfeeds)
+[++] Name: com_newsfeeds
+Location : http://192.168.2.39/components/com_newsfeeds/
+Directory listing is enabled : http://192.168.2.39/components/com_newsfeeds/
+
+
+[+] Enumeration component (com_search)
+[++] Name: com_search
+Location : http://192.168.2.39/components/com_search/
+Directory listing is enabled : http://192.168.2.39/components/com_search/
+
+
+[+] Enumeration component (com_users)
+[++] Name: com_users
+Location : http://192.168.2.39/components/com_users/
+Directory listing is enabled : http://192.168.2.39/components/com_users/
+
+
+[+] Enumeration component (com_wrapper)
+[++] Name: com_wrapper
+Location : http://192.168.2.39/components/com_wrapper/
+Directory listing is enabled : http://192.168.2.39/components/com_wrapper/
+Installed version : 3.1
+```
\ No newline at end of file
diff --git a/documentation/modules/auxiliary/scanner/http/joomla_version.md b/documentation/modules/auxiliary/scanner/http/joomla_version.md
new file mode 100644
index 0000000000..7cae4ba1ad
--- /dev/null
+++ b/documentation/modules/auxiliary/scanner/http/joomla_version.md
@@ -0,0 +1,41 @@
+## Intro
+
+This module scans for Joomla Content Management System running on a web server.
+
+## Usage
+
+```
+msf5 > use auxiliary/scanner/http/joomla_version
+msf5 auxiliary(scanner/http/joomla_version) > set rhosts 192.168.2.39
+rhosts => 192.168.2.39
+msf5 auxiliary(scanner/http/joomla_version) > run
+
+[*] Server: Apache/2.4.29 (Ubuntu)
+[+] Joomla version: 3.8.2
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+## Confirming using Joomscan
+
+```
+# joomscan -u 192.168.2.39
+ ____ _____ _____ __ __ ___ ___ __ _ _
+ (_ _)( _ )( _ )( \/ )/ __) / __) /__\ ( \( )
+ .-_)( )(_)( )(_)( ) ( \__ \( (__ /(__)\ ) (
+ \____) (_____)(_____)(_/\/\_)(___/ \___)(__)(__)(_)\_)
+ (1337.today)
+
+ --=[OWASP JoomScan
+ +---++---==[Version : 0.0.5
+ +---++---==[Update Date : [2018/03/13]
+ +---++---==[Authors : Mohammad Reza Espargham , Ali Razmjoo
+ --=[Code name : KLOT
+ @OWASP_JoomScan , @rezesp , @Ali_Razmjo0 , @OWASP
+
+Processing http://192.168.2.39 ...
+
+[+] Detecting Joomla Version
+[++] Joomla 3.8.2
+...snip...
+```
\ No newline at end of file
diff --git a/modules/auxiliary/scanner/http/backup_file.rb b/modules/auxiliary/scanner/http/backup_file.rb
index 5aab8d5101..6383acdadd 100644
--- a/modules/auxiliary/scanner/http/backup_file.rb
+++ b/modules/auxiliary/scanner/http/backup_file.rb
@@ -43,14 +43,14 @@ class MetasploitModule < Msf::Auxiliary
 bakextensions.each do |ext|
 file = normalize_uri(datastore['PATH'])+ext
- check_for_file(file)
+ check_for_file(file, ip)
 end
 if datastore['PATH'] =~ %r#(.*)(/.+$)#
 file = $1 + $2.sub('/', '/.') + '.swp'
- check_for_file(file)
+ check_for_file(file, ip)
 end
 end
 
- def check_for_file(file)
+ def check_for_file(file, ip)
 begin
 res = send_request_cgi({
 'uri' => file,
From e1100572ace9d7fc7cdaf8989f7add28a395ab9c Mon Sep 17 00:00:00 2001
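Review bot: The new `ip` parameter of `check_for_file` is threaded through both call sites, but the method body runs past the end of the hunk, so the hunk does not show where `ip` is consumed; presumably it feeds a report call that previously referenced an `ip` that was not in scope inside `check_for_file`, and a one-line comment above `def check_for_file(file, ip)` such as `# ip: the host being scanned; passed in because check_for_file has no access to the caller's ip` would make the reason for the extra argument visible to the next reader. The backup_file.md added earlier in this same patch lists nine extensions but says nothing about the Vim swap-file probe that the `if datastore['PATH'] =~ %r#(.*)(/.+$)#` branch in this hunk performs, even though the doc's own sample output shows the `/.backup.swp` request; adding an item along the lines of `10. .swp (requested as /.<name>.swp, the Vim swap-file form)` to that list would keep the documentation consistent with the module's behaviour. The enclosing method that defines `ip` starts before the hunk, so whether it is the scanner's per-host entry point cannot be confirmed from here.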
From: h00die
Date: Sun, 22 Jul 2018 20:56:52 -0400
Subject: [PATCH 2/2] add afp docs
---
.../auxiliary/scanner/afp/afp_server_info.md | 62 +++++++++++++++++++
1 file changed, 62 insertions(+)
create mode 100644 documentation/modules/auxiliary/scanner/afp/afp_server_info.md
diff --git a/documentation/modules/auxiliary/scanner/afp/afp_server_info.md b/documentation/modules/auxiliary/scanner/afp/afp_server_info.md
new file mode 100644
index 0000000000..d7ca835042
--- /dev/null
+++ b/documentation/modules/auxiliary/scanner/afp/afp_server_info.md
@@ -0,0 +1,62 @@
+## Vulnerable Application
+
+Apple Filing Protocol (AFP) is Apple's file sharing protocol similar to SMB, and NFS. This module will gather information about the service.
+Netatalk is a Linux implementation of AFP.
+
+The following was done on Ubuntu 16.04, and is largely base on [missingreadme.wordpress.com](https://missingreadme.wordpress.com/2010/05/08/how-to-set-up-afp-filesharing-on-ubuntu/):
+
+ 1. `sudo apt-get install netatalk`
+ 2. edit `/etc/default/netatalk` and add the following lines:
+ ```
+ ATALKD_RUN=no
+ PAPD_RUN=no
+ CNID_METAD_RUN=yes
+ AFPD_RUN=yes
+ TIMELORD_RUN=no
+ A2BOOT_RUN=no
+ ```
+ 3. Restart the service: `sudo /etc/init.d/netatalk restart`
+
+## Verification Steps
+
+ 1. Install and configure afp (or netatalk in a Linux environment)
+ 2. Start msfconsole
+ 3. Do: `auxiliary/scanner/afp/afp_server_info`
+ 4. Do: `run`
+
+## Scenarios
+
+ A run against the configuration from these docs
+
+ ```
+ msf5 auxiliary(scanner/acpp/login) > use auxiliary/scanner/afp/afp_server_info
+ msf5 auxiliary(scanner/afp/afp_server_info) > set rhosts 1.1.1.1
+ rhosts => 1.1.1.1
+ msf5 auxiliary(scanner/afp/afp_server_info) > run
+
+ [*] 1.1.1.1:548 - AFP 1.1.1.1 Scanning...
+ [*] 1.1.1.1:548 - AFP 1.1.1.1:548:548 AFP:
+ [*] 1.1.1.1:548 - AFP 1.1.1.1:548 Server Name: ubuntu
+ [*] 1.1.1.1:548 - AFP 1.1.1.1:548 Server Flags:
+ [*] 1.1.1.1:548 - AFP 1.1.1.1:548 * Super Client: true
+ [*] 1.1.1.1:548 - AFP 1.1.1.1:548 * UUIDs: true
+ [*] 1.1.1.1:548 - AFP 1.1.1.1:548 * UTF8 Server Name: true
+ [*] 1.1.1.1:548 - AFP 1.1.1.1:548 * Open Directory: true
+ [*] 1.1.1.1:548 - AFP 1.1.1.1:548 * Reconnect: false
+ [*] 1.1.1.1:548 - AFP 1.1.1.1:548 * Server Notifications: true
+ [*] 1.1.1.1:548 - AFP 1.1.1.1:548 * TCP/IP: true
+ [*] 1.1.1.1:548 - AFP 1.1.1.1:548 * Server Signature: true
+ [*] 1.1.1.1:548 - AFP 1.1.1.1:548 * Server Messages: true
+ [*] 1.1.1.1:548 - AFP 1.1.1.1:548 * Password Saving Prohibited: false
+ [*] 1.1.1.1:548 - AFP 1.1.1.1:548 * Password Changing: false
+ [*] 1.1.1.1:548 - AFP 1.1.1.1:548 * Copy File: true
+ [*] 1.1.1.1:548 - AFP 1.1.1.1:548 Machine Type: Netatalk2.2.5
+ [*] 1.1.1.1:548 - AFP 1.1.1.1:548 AFP Versions: AFP2.2, AFPX03, AFP3.1, AFP3.2, AFP3.3
+ [*] 1.1.1.1:548 - AFP 1.1.1.1:548 UAMs: Cleartxt Passwrd, DHX2
+ [*] 1.1.1.1:548 - AFP 1.1.1.1:548 Server Signature: 975394e16633312406281959287fcbd9
+ [*] 1.1.1.1:548 - AFP 1.1.1.1:548 Server Network Address:
+ [*] 1.1.1.1:548 - AFP 1.1.1.1:548 * 1.1.1.1
+ [*] 1.1.1.1:548 - AFP 1.1.1.1:548 UTF8 Server Name: ubuntu
+ [*] 1.1.1.1:548 - Scanned 1 of 1 hosts (100% complete)
+ [*] Auxiliary module execution completed
+ ```