Goliath Cleanup in preparation for merge to master
parent
4f6b1de9a3
commit
68d72cbfa7
4
Gemfile
4
Gemfile
|
@ -3,10 +3,6 @@ source 'https://rubygems.org'
|
||||||
# spec.add_runtime_dependency '<name>', [<version requirements>]
|
# spec.add_runtime_dependency '<name>', [<version requirements>]
|
||||||
gemspec name: 'metasploit-framework'
|
gemspec name: 'metasploit-framework'
|
||||||
|
|
||||||
|
|
||||||
gem 'thin'
|
|
||||||
gem 'sinatra'
|
|
||||||
|
|
||||||
# separate from test as simplecov is not run on travis-ci
|
# separate from test as simplecov is not run on travis-ci
|
||||||
group :coverage do
|
group :coverage do
|
||||||
# code coverage for tests
|
# code coverage for tests
|
||||||
|
|
|
@ -62,8 +62,10 @@ PATH
|
||||||
ruby_smb (= 0.0.18)
|
ruby_smb (= 0.0.18)
|
||||||
rubyntlm
|
rubyntlm
|
||||||
rubyzip
|
rubyzip
|
||||||
|
sinatra
|
||||||
sqlite3
|
sqlite3
|
||||||
sshkey
|
sshkey
|
||||||
|
thin
|
||||||
tzinfo
|
tzinfo
|
||||||
tzinfo-data
|
tzinfo-data
|
||||||
windows_error
|
windows_error
|
||||||
|
@ -378,6 +380,7 @@ PLATFORMS
|
||||||
DEPENDENCIES
|
DEPENDENCIES
|
||||||
factory_girl_rails
|
factory_girl_rails
|
||||||
fivemat
|
fivemat
|
||||||
|
google-protobuf (= 3.5.1)
|
||||||
metasploit-aggregator
|
metasploit-aggregator
|
||||||
metasploit-framework!
|
metasploit-framework!
|
||||||
octokit
|
octokit
|
||||||
|
@ -387,8 +390,6 @@ DEPENDENCIES
|
||||||
rspec-rails
|
rspec-rails
|
||||||
rspec-rerun
|
rspec-rerun
|
||||||
simplecov
|
simplecov
|
||||||
sinatra
|
|
||||||
thin
|
|
||||||
timecop
|
timecop
|
||||||
yard
|
yard
|
||||||
|
|
||||||
|
|
|
@ -1,60 +0,0 @@
|
||||||
This module tests credentials on OWA 2003, 2007, 2010, 2013, and 2016 servers.
|
|
||||||
|
|
||||||
NOTE: This module assumes that login attempts that take a long time (>1 sec) to
|
|
||||||
return are using a valid domain username. This methodology does not work when
|
|
||||||
passing a full email address (user@domain.com). Full email addresses will not
|
|
||||||
be saved as potentially valid usernames unless we get a successful login.
|
|
||||||
|
|
||||||
## Verification Steps
|
|
||||||
|
|
||||||
1. Do: ```use auxiliary/scanner/http/owa_login```
|
|
||||||
2. Do: ```set RHOSTS [IP]```
|
|
||||||
3. Configure a user and password list by setting either `USERNAME`, `PASSWORD`, `USER_FILE`, or `PASS_FILE`.
|
|
||||||
4. Do: ```run```
|
|
||||||
|
|
||||||
## Scenarios
|
|
||||||
|
|
||||||
```
|
|
||||||
msf5 auxiliary(scanner/http/owa_login) > run
|
|
||||||
|
|
||||||
[*] webmail.hostingcloudapp.com:443 OWA - Testing version OWA_2013
|
|
||||||
[+] Found target domain: HOSTINGCLOUDAPP
|
|
||||||
[*] webmail.hostingcloudapp.com:443 OWA - Trying administrator : password
|
|
||||||
[*] webmail.hostingcloudapp.com:443 OWA - Resolved hostname 'webmail.hostingcloudapp.com' to address 38.126.136.24
|
|
||||||
[+] server type: EXCH2016MBX02
|
|
||||||
[*] webmail.hostingcloudapp.com:443 OWA - FAILED LOGIN, BUT USERNAME IS VALID. 0.267791 'HOSTINGCLOUDAPP\administrator' : 'password': SAVING TO CREDS
|
|
||||||
[*] webmail.hostingcloudapp.com:443 OWA - Trying administrator : password1
|
|
||||||
[*] webmail.hostingcloudapp.com:443 OWA - Resolved hostname 'webmail.hostingcloudapp.com' to address 38.126.136.24
|
|
||||||
[+] server type: EXCH2016MBX02
|
|
||||||
[*] webmail.hostingcloudapp.com:443 OWA - FAILED LOGIN, BUT USERNAME IS VALID. 0.273841 'HOSTINGCLOUDAPP\administrator' : 'password1': SAVING TO CREDS
|
|
||||||
[*] webmail.hostingcloudapp.com:443 OWA - Trying administrator : fido
|
|
||||||
[*] webmail.hostingcloudapp.com:443 OWA - Resolved hostname 'webmail.hostingcloudapp.com' to address 38.126.136.22
|
|
||||||
[+] server type: EXCH2016MBX01
|
|
||||||
[*] webmail.hostingcloudapp.com:443 OWA - FAILED LOGIN, BUT USERNAME IS VALID. 0.270796 'HOSTINGCLOUDAPP\administrator' : 'fido': SAVING TO CREDS
|
|
||||||
[*] webmail.hostingcloudapp.com:443 OWA - Trying johndoe : password
|
|
||||||
[*] webmail.hostingcloudapp.com:443 OWA - Resolved hostname 'webmail.hostingcloudapp.com' to address 38.126.136.22
|
|
||||||
[+] server type: EXCH2016MBX01
|
|
||||||
[-] webmail.hostingcloudapp.com:443 OWA - FAILED LOGIN. 2.046935 'HOSTINGCLOUDAPP\johndoe' : 'password' (HTTP redirect with reason 2)
|
|
||||||
[*] webmail.hostingcloudapp.com:443 OWA - Trying johndoe : password1
|
|
||||||
[*] webmail.hostingcloudapp.com:443 OWA - Resolved hostname 'webmail.hostingcloudapp.com' to address 38.126.136.24
|
|
||||||
[+] server type: EXCH2016MBX02
|
|
||||||
[-] webmail.hostingcloudapp.com:443 OWA - FAILED LOGIN. 2.073391 'HOSTINGCLOUDAPP\johndoe' : 'password1' (HTTP redirect with reason 2)
|
|
||||||
[*] webmail.hostingcloudapp.com:443 OWA - Trying johndoe : fido
|
|
||||||
[*] webmail.hostingcloudapp.com:443 OWA - Resolved hostname 'webmail.hostingcloudapp.com' to address 38.126.136.24
|
|
||||||
[+] server type: EXCH2016MBX02
|
|
||||||
[-] webmail.hostingcloudapp.com:443 OWA - FAILED LOGIN. 2.038717 'HOSTINGCLOUDAPP\johndoe' : 'fido' (HTTP redirect with reason 2)
|
|
||||||
[*] webmail.hostingcloudapp.com:443 OWA - Trying bob : password
|
|
||||||
[*] webmail.hostingcloudapp.com:443 OWA - Resolved hostname 'webmail.hostingcloudapp.com' to address 38.126.136.24
|
|
||||||
[+] server type: EXCH2016MBX02
|
|
||||||
[*] webmail.hostingcloudapp.com:443 OWA - FAILED LOGIN, BUT USERNAME IS VALID. 0.289186 'HOSTINGCLOUDAPP\bob' : 'password': SAVING TO CREDS
|
|
||||||
[*] webmail.hostingcloudapp.com:443 OWA - Trying bob : password1
|
|
||||||
[*] webmail.hostingcloudapp.com:443 OWA - Resolved hostname 'webmail.hostingcloudapp.com' to address 38.126.136.24
|
|
||||||
[+] server type: EXCH2016MBX02
|
|
||||||
[*] webmail.hostingcloudapp.com:443 OWA - FAILED LOGIN, BUT USERNAME IS VALID. 0.270616 'HOSTINGCLOUDAPP\bob' : 'password1': SAVING TO CREDS
|
|
||||||
[*] webmail.hostingcloudapp.com:443 OWA - Trying bob : fido
|
|
||||||
[*] webmail.hostingcloudapp.com:443 OWA - Resolved hostname 'webmail.hostingcloudapp.com' to address 38.126.136.24
|
|
||||||
[+] server type: EXCH2016MBX02
|
|
||||||
[*] webmail.hostingcloudapp.com:443 OWA - FAILED LOGIN, BUT USERNAME IS VALID. 0.275251 'HOSTINGCLOUDAPP\bob' : 'fido': SAVING TO CREDS
|
|
||||||
[*] Auxiliary module execution completed
|
|
||||||
|
|
||||||
```
|
|
|
@ -44,11 +44,7 @@ class Metasploit::Framework::Command::Base
|
||||||
#
|
#
|
||||||
# @return (see parsed_options)
|
# @return (see parsed_options)
|
||||||
def self.require_environment!
|
def self.require_environment!
|
||||||
# TODO: Look into removing Rails.application (save ~20mb)
|
|
||||||
# return self.parsed_options if ( self.parsed_options.options.database.remote_process)
|
|
||||||
|
|
||||||
parsed_options = self.parsed_options
|
parsed_options = self.parsed_options
|
||||||
|
|
||||||
# RAILS_ENV must be set before requiring 'config/application.rb'
|
# RAILS_ENV must be set before requiring 'config/application.rb'
|
||||||
parsed_options.environment!
|
parsed_options.environment!
|
||||||
ARGV.replace(parsed_options.positional)
|
ARGV.replace(parsed_options.positional)
|
||||||
|
@ -83,9 +79,7 @@ class Metasploit::Framework::Command::Base
|
||||||
|
|
||||||
def self.start
|
def self.start
|
||||||
parsed_options = require_environment!
|
parsed_options = require_environment!
|
||||||
is_db_remote = false # parsed_options.options.database.remote_process
|
new(application: Rails.application, parsed_options: parsed_options).start
|
||||||
application = is_db_remote ? nil : Rails.application
|
|
||||||
new(application: application, parsed_options: parsed_options).start
|
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
#
|
||||||
|
|
|
@ -12,28 +12,20 @@ module Msf
|
||||||
return
|
return
|
||||||
end
|
end
|
||||||
|
|
||||||
#is_remote_db = opts.delete(:is_remote_database)
|
|
||||||
allowed_module_paths = []
|
allowed_module_paths = []
|
||||||
|
extract_engine_module_paths(Rails.application).each do |path|
|
||||||
#if (!is_remote_db)
|
allowed_module_paths << path
|
||||||
extract_engine_module_paths(Rails.application).each do |path|
|
end
|
||||||
allowed_module_paths << path
|
|
||||||
end
|
|
||||||
#else
|
|
||||||
# allowed_module_paths << "/home/chlee/rapid7/metasploit-framework/modules"
|
|
||||||
#end
|
|
||||||
|
|
||||||
if Msf::Config.user_module_directory
|
if Msf::Config.user_module_directory
|
||||||
allowed_module_paths << Msf::Config.user_module_directory
|
allowed_module_paths << Msf::Config.user_module_directory
|
||||||
end
|
end
|
||||||
|
|
||||||
#unless (is_remote_db)
|
::Rails::Engine.subclasses.map(&:instance).each do |engine|
|
||||||
::Rails::Engine.subclasses.map(&:instance).each do |engine|
|
extract_engine_module_paths(engine).each do |path|
|
||||||
extract_engine_module_paths(engine).each do |path|
|
allowed_module_paths << path
|
||||||
allowed_module_paths << path
|
|
||||||
end
|
|
||||||
end
|
end
|
||||||
# end
|
end
|
||||||
|
|
||||||
# If additional module paths have been defined globally, then load them.
|
# If additional module paths have been defined globally, then load them.
|
||||||
# They should be separated by semi-colons.
|
# They should be separated by semi-colons.
|
||||||
|
|
|
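Review bot: The two accumulation loops on the new side, `extract_engine_module_paths(Rails.application).each do |path| ... allowed_module_paths << path end` and the nested `::Rails::Engine.subclasses.map(&:instance).each do |engine| ... end` loop, hand-roll what `Array#concat` expresses in one line each; this is a style point only. The same result reads as `allowed_module_paths.concat(extract_engine_module_paths(Rails.application))` and `::Rails::Engine.subclasses.map(&:instance).each { |engine| allowed_module_paths.concat(extract_engine_module_paths(engine)) }`, which also makes it obvious that the array is only ever appended to. The enclosing method starts before this hunk.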
@ -94,7 +94,6 @@ class Msf::DBManager
|
||||||
include Msf::DBManager::Web
|
include Msf::DBManager::Web
|
||||||
include Msf::DBManager::Workspace
|
include Msf::DBManager::Workspace
|
||||||
|
|
||||||
|
|
||||||
# Provides :framework and other accessors
|
# Provides :framework and other accessors
|
||||||
include Msf::Framework::Offspring
|
include Msf::Framework::Offspring
|
||||||
|
|
||||||
|
|
|
@ -20,7 +20,7 @@ class SessionManager < Hash
|
||||||
|
|
||||||
include Framework::Offspring
|
include Framework::Offspring
|
||||||
|
|
||||||
LAST_SEEN_INTERVAL = 60 * 2.5
|
LAST_SEEN_INTERVAL = 60 * 2.5
|
||||||
SCHEDULER_THREAD_COUNT = 5
|
SCHEDULER_THREAD_COUNT = 5
|
||||||
|
|
||||||
def initialize(framework)
|
def initialize(framework)
|
||||||
|
@ -113,16 +113,14 @@ class SessionManager < Hash
|
||||||
|
|
||||||
last_seen_timer = Time.now.utc
|
last_seen_timer = Time.now.utc
|
||||||
|
|
||||||
if framework.db.active
|
::ActiveRecord::Base.connection_pool.with_connection do
|
||||||
::ActiveRecord::Base.connection_pool.with_connection do
|
values.each do |s|
|
||||||
values.each do |s|
|
# Update the database entry on a regular basis, marking alive threads
|
||||||
# Update the database entry on a regular basis, marking alive threads
|
# as recently seen. This notifies other framework instances that this
|
||||||
# as recently seen. This notifies other framework instances that this
|
# session is being maintained.
|
||||||
# session is being maintained.
|
if s.db_record
|
||||||
if s.db_record
|
s.db_record.last_seen = Time.now.utc
|
||||||
s.db_record.last_seen = Time.now.utc
|
s.db_record.save
|
||||||
s.db_record.save
|
|
||||||
end
|
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
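Review bot: The `if framework.db.active` guard around `::ActiveRecord::Base.connection_pool.with_connection do` is gone on the new side, so the last_seen heartbeat now runs even when no database connection has been established, and in that state the connection pool call will most likely raise inside this scheduler thread instead of being skipped. Since the comment in the hunk says this update is how other framework instances learn that a session is still maintained, a heartbeat thread that dies on a console run without a database would make live sessions look stale elsewhere. Unless an earlier check in this method (outside the hunk) already bails out when the database is absent, keep a guard in the nil-safe form this commit uses in the console driver, `if framework.db && framework.db.active`, around the `with_connection` block. The enclosing method starts and ends outside the hunk.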
|
@ -122,7 +122,7 @@ class Driver < Msf::Ui::Driver
|
||||||
enstack_dispatcher(dispatcher)
|
enstack_dispatcher(dispatcher)
|
||||||
end
|
end
|
||||||
|
|
||||||
if (framework.db.active)
|
if framework.db && framework.db.active
|
||||||
require 'msf/ui/console/command_dispatcher/db'
|
require 'msf/ui/console/command_dispatcher/db'
|
||||||
enstack_dispatcher(CommandDispatcher::Db)
|
enstack_dispatcher(CommandDispatcher::Db)
|
||||||
require 'msf/ui/console/command_dispatcher/creds'
|
require 'msf/ui/console/command_dispatcher/creds'
|
||||||
|
@ -195,7 +195,7 @@ class Driver < Msf::Ui::Driver
|
||||||
self.framework.init_module_paths(module_paths: opts['ModulePath'])
|
self.framework.init_module_paths(module_paths: opts['ModulePath'])
|
||||||
end
|
end
|
||||||
|
|
||||||
if framework.db.active && framework.db.is_local? && !opts['DeferModuleLoads']
|
if framework.db && framework.db.active && framework.db.is_local? && !opts['DeferModuleLoads']
|
||||||
framework.threads.spawn("ModuleCacheRebuild", true) do
|
framework.threads.spawn("ModuleCacheRebuild", true) do
|
||||||
framework.modules.refresh_cache_from_module_files
|
framework.modules.refresh_cache_from_module_files
|
||||||
end
|
end
|
||||||
|
|
|
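Review bot: The new conditions `if framework.db && framework.db.active` (first hunk) and `if framework.db && framework.db.active && framework.db.is_local? && !opts['DeferModuleLoads']` (second hunk) spell out the nil check by hand; if the framework's minimum Ruby is 2.3 or later, the safe-navigation form `if framework.db&.active` and `if framework.db&.active && framework.db.is_local? && !opts['DeferModuleLoads']` says the same thing more idiomatically. A short comment at the first of these, `# framework.db is nil when no database backend was configured`, would also record why the nil check became necessary, since the old code assumed `framework.db` was always present. Both enclosing methods extend beyond their hunks.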
@ -100,6 +100,9 @@ Gem::Specification.new do |spec|
|
||||||
spec.add_runtime_dependency 'redcarpet'
|
spec.add_runtime_dependency 'redcarpet'
|
||||||
# Needed for Microsoft patch finding tool (msu_finder)
|
# Needed for Microsoft patch finding tool (msu_finder)
|
||||||
spec.add_runtime_dependency 'patch_finder'
|
spec.add_runtime_dependency 'patch_finder'
|
||||||
|
# Required for msfdb_ws (Metasploit data base as a webservice)
|
||||||
|
spec.add_runtime_dependency 'thin'
|
||||||
|
spec.add_runtime_dependency 'sinatra'
|
||||||
# TimeZone info
|
# TimeZone info
|
||||||
spec.add_runtime_dependency 'tzinfo-data'
|
spec.add_runtime_dependency 'tzinfo-data'
|
||||||
# Gem for dealing with SSHKeys
|
# Gem for dealing with SSHKeys
|
||||||
|
|
|
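Review bot: `spec.add_runtime_dependency 'thin'` and `spec.add_runtime_dependency 'sinatra'` are added without any version constraint, so an install driven by the gemspec rather than the lock can silently pick up a future major release of the stack that, per the new comment, serves the Metasploit database as a web service. The neighbouring entries in this file are unconstrained too, so this follows the file's convention, but for the two gems that front the database over HTTP a pessimistic constraint is cheap, e.g. `spec.add_runtime_dependency 'sinatra', '~> <MAJOR.MINOR>'` and likewise for `thin`, using the versions the lock currently resolves in place of the placeholder.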
@ -254,18 +254,14 @@ class MetasploitModule < Msf::Auxiliary
|
||||||
else
|
else
|
||||||
# Login didn't work. no point in going on, however, check if valid domain account by response time.
|
# Login didn't work. no point in going on, however, check if valid domain account by response time.
|
||||||
if elapsed_time <= 1
|
if elapsed_time <= 1
|
||||||
# This timing trick doesn't work when an email address is passed, only usernames.
|
report_cred(
|
||||||
# Don't save it as potentially valid in this case.
|
ip: res.peerinfo['addr'],
|
||||||
unless user =~ /@\w+\.\w+/
|
port: datastore['RPORT'],
|
||||||
report_cred(
|
service_name: 'owa',
|
||||||
ip: res.peerinfo['addr'],
|
user: user
|
||||||
port: datastore['RPORT'],
|
)
|
||||||
service_name: 'owa',
|
print_status("#{msg} FAILED LOGIN, BUT USERNAME IS VALID. #{elapsed_time} '#{user}' : '#{pass}': SAVING TO CREDS")
|
||||||
user: user
|
return :Skip_pass
|
||||||
)
|
|
||||||
print_status("#{msg} FAILED LOGIN, BUT USERNAME IS VALID. #{elapsed_time} '#{user}' : '#{pass}': SAVING TO CREDS")
|
|
||||||
return :Skip_pass
|
|
||||||
end
|
|
||||||
else
|
else
|
||||||
vprint_error("#{msg} FAILED LOGIN. #{elapsed_time} '#{user}' : '#{pass}' (HTTP redirect with reason #{reason})")
|
vprint_error("#{msg} FAILED LOGIN. #{elapsed_time} '#{user}' : '#{pass}' (HTTP redirect with reason #{reason})")
|
||||||
return :Skip_pass
|
return :Skip_pass
|
||||||
|
|
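Review bot: The `unless user =~ /@\w+\.\w+/` guard in front of `report_cred(` is removed on the new side, so a sub-second failed login for an email-form user (user@domain) is now reported as a valid username and saved to creds, even though the documentation file deleted earlier in this commit states the timing heuristic does not work for full email addresses. That turns a known blind spot of the `elapsed_time <= 1` check into false-positive credentials in the database. If dropping the guard is deliberate, record why with a comment at the `if elapsed_time <= 1` line; otherwise restore `unless user =~ /@\w+\.\w+/` with its matching `end` around the `report_cred` call, the `print_status` and the `return :Skip_pass`. The enclosing method starts and ends outside the hunk.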