From 792b451f40a6a4160b44f48916c109c927a66248 Mon Sep 17 00:00:00 2001
From: h00die
Date: Thu, 8 Nov 2018 21:23:27 -0500
Subject: [PATCH] capture server docs and updates

---
 .../modules/auxiliary/server/capture/ftp.md | 2 +-
 .../modules/auxiliary/server/capture/imap.rb | 174 ++++++++++++++++++
 .../modules/auxiliary/server/capture/mysql.md | 72 ++++++++
 .../auxiliary/server/capture/http_basic.rb | 2 +-
 modules/auxiliary/server/capture/imap.rb | 7 +-
 modules/auxiliary/server/capture/mysql.rb | 2 +-
 6 files changed, 253 insertions(+), 6 deletions(-)
 create mode 100644 documentation/modules/auxiliary/server/capture/imap.rb
 create mode 100644 documentation/modules/auxiliary/server/capture/mysql.md

diff --git a/documentation/modules/auxiliary/server/capture/ftp.md b/documentation/modules/auxiliary/server/capture/ftp.md
index ad4c144457..901110dfc2 100644
--- a/documentation/modules/auxiliary/server/capture/ftp.md
+++ b/documentation/modules/auxiliary/server/capture/ftp.md
@@ -1,4 +1,4 @@
-This module creates a mock FTP server which accepts and credentials before throwing a `500` error.
+This module creates a mock FTP server which accepts credentials before throwing a `500` error.
 
 ## Verification Steps
 
diff --git a/documentation/modules/auxiliary/server/capture/imap.rb b/documentation/modules/auxiliary/server/capture/imap.rb
new file mode 100644
index 0000000000..f4aeb5483d
--- /dev/null
+++ b/documentation/modules/auxiliary/server/capture/imap.rb
@@ -0,0 +1,174 @@
+This module creates a mock IMAP server which accepts credentials.
+
+## Verification Steps
+
+ 1. Start msfconsole
+ 2. Do: ```use auxiliary/server/capture/imap```
+ 3. Do: ```run```
+
+## Options
+
+ **BANNER**
+
+ The Banner which should be displayed. Default is `IMAP4`.
+ Some notable banners to emulate:
+
+ * `Dovecot ready.`
+ * `IMAP 4 Server (IMail 9.23)`
+ * `mailserver Cyrus IMAP4 v2.2.13-Debian-2.2.13-19 server ready`
+ * `Welcome to Binc IMAP v1.3.4 Copyright (C) 2002-2005 Andreas Aardal Hanssen at 2018-11-08 11:17:35 +1100`
+ * `The Microsoft Exchange IMAP4 service is ready.`
+ * `Microsoft Exchange Server 2003 IMAP4rev1 server versino 6.5.7638.1 (domain.local) ready.`
+
+ **SSL**
+
+ Boolean if SSL should be used, making this Secure IMAP. Secure IMAP is typically run on port 993. If `SSLCert` is not set, a certificate
+ will be automatically generated. Default is `False`.
+
+ **SSLCert**
+
+ File path to a combined Private Key and Certificate file. If not provided, a certificate will be automatically
+ generated. Default is ``.
+
+## Scenarios
+
+### IMAP Emulating Microsoft Exchange with Telnet Client
+
+Server:
+
+```
+msf5 > use auxiliary/server/capture/imap
+msf5 auxiliary(server/capture/imap) > set banner "The Microsoft Exchange IMAP4 service is ready."
+banner => The Microsoft Exchange IMAP4 service is ready.
+msf5 auxiliary(server/capture/imap) > run
+[*] Auxiliary module running as background job 0.
+msf5 auxiliary(server/capture/imap) >
+[*] Started service listener on 0.0.0.0:143
+[*] Server started.
+[*] IMAP LOGIN 127.0.0.1:42972 metasploit@documentation.com / rapid7#1
+```
+
+Client:
+
+```
+root@kali:~# telnet 127.0.0.1 143
+Trying 127.0.0.1...
+Connected to 127.0.0.1.
+Escape character is '^]'.
+* OK The Microsoft Exchange IMAP4 service is ready.
+01 LOGIN metasploit@documentation.com rapid7#1
+quit
+Connection closed by foreign host.
+``` + +### Secure IMAP with Self-Signed Certificate and Alpine client + +Server: + +``` +msf5 > openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem +[*] exec: openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem + +Generating a RSA private key +.................................................................................................+++++ +...................+++++ +writing new private key to 'key.pem' +----- +You are about to be asked to enter information that will be incorporated +into your certificate request. +What you are about to enter is what is called a Distinguished Name or a DN. +There are quite a few fields but you can leave some blank +For some fields there will be a default value, +If you enter '.', the field will be left blank. +----- +Country Name (2 letter code) [AU]: +State or Province Name (full name) [Some-State]: +Locality Name (eg, city) []: +Organization Name (eg, company) [Internet Widgits Pty Ltd]: +Organizational Unit Name (eg, section) []: +Common Name (e.g. 
server FQDN or YOUR name) []: +Email Address []: +msf5 > cat key.pem certificate.pem > selfsigned.pem +[*] exec: cat key.pem certificate.pem > selfsigned.pem + +msf5 > cat /root/metasploit-framework/selfsigned.pem +[*] exec: cat /root/metasploit-framework/selfsigned.pem + +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDAXME8r2vEUH7B +Kelkt9iC4tTozOq0wJAjsACLCDcNoD4hUH16wy4Uf4SD3ZsEaL0YA0GU2ZgOo2ud +USBpOo8h9FEGtRrAAeSl7Z3XaBnuB7UmVMrnUVZxlaYi84JcopcTOs6KZ5VXddia +PEkE5G3jaCwOIqHk+c8Qk5b43HQbkj2jr4051gHeWP0UgBEy1TVPKtoywtyK1b5H +QhX7MYVNge8lQL/xJnBrjMDqIQqc41lCI73EPCuGZ7zB06xBsgyW/DTgQkprX+Qe +DVKtz8ZChLSqSwmz/5yFttRyZlDuXA7Kozhdj8obRAjzK/gKj89WsX/s2KUbq2GY +pdMpLh7/AgMBAAECggEBALCtQKpdMCzqBdGijgP8u3ZToluDwlprtregco8/51iz +gf0VMXqsg8k96dc3laZyEKNackSlqfxf6npeRdeAenAkNrtjYYNS+c/Qs7Vhntc5 +6w6euJHG6g9+9E2LvIMarolx7LvAMbFXwq6+ig5dQ/Sm/DerZWiqbJ18ASDnUhjz +G1Y8/Idy4WutPZD/0JEQ+5VnHb+Mt3a7yYKhDsmUEzVh5xoWJab9dwfwCnoOb32T +oLOLLsqUbAK8ZiQ4MwkbGJ5kw8H24wVmI+7BbuRacW2tIIt6Z+vEoLdof0TsuJWo +87ZbCYYeTysIgBIdLNRiGGxz43SOqBBGh8sreyyACdECgYEA6Ubs1Klw3TViABke +1JqkWelZi6mtsyUHJt/eChjMzgg5vGVuYB/sCc+BObjETbfnvuV0Ub4cxbUCF3wL +qvrJNTd+yU7JJ7IP63B2lS3aNlAsLRb59SkjDYyym1OeUAHKkGp8oICSq96X3Xtu +KUZnDdh2UuoMzmEoAHoDoc+SC/cCgYEA0xmQ+qDJ4l3JRH/IPMPe9XD90WFJFhvF +GzGSM8qqpg6N2xhlzQiM6+I4EEh9iNnCOYmvw9leGNRpIjFjAhv5ntlG3LudAEpd +Ml/hhrfRB7KOopiqzK7oVCUv5f5rmvYdL4c2FC+VGxnhWUP6MARUHag/1DgszMs7 +wSlwcbKi8zkCgYBMvRc1khPdwSze6WSZ/dEo/rmFVykb8Idcw3Iwkh31fQE5N4jK +uFWWmJtjGKQDCQeEZckRBuBCLZxli1nvQhakmf/sSy2jEFFqWxG3W2EYUuFlZ9SM +UJ8GWw16SVSf7ybqwQ0EY6dcQJpmsq73hwBprpamCfZygcV9+qVtOnJJ2wKBgBKY +ZPH+6em70zfqfawEoQZD3sfr5vFAnvtHQZa4WpHoJEzReF44S5mXwtKEYDKG5BoH +a+k3o5dSVrSBXzRXXITGpPxatnjJFC6UzZv9YzdnXjMqeZkwKx0GbZK396id13JR +Wc0rZ9oMTJJ9b3N9Xh+Cq6S5EhE0Md5RFSuezcXZAoGBAJOMfjbwobOCYm6K8PyV +p89gbnDOj7FHCg2JPa9/dii6pBRHXeUfORp00GfN0oAjjJo14SmOw58zh1mF1VcA +BQhTK9TO4GXIEZDiYt9EmiH1VO58I8vUecBcbelirumGOP+dBiBy/C8YzFJRhAis +eAGSi8F+qcJaS3VDRGEC9zcK +-----END PRIVATE 
KEY----- +-----BEGIN CERTIFICATE----- +MIIDazCCAlOgAwIBAgIUMlkpAG2tXodgLSrIf/xOuA9z8PwwDQYJKoZIhvcNAQEL +BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM +GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0xODExMDkwMTI3MTRaFw0xOTEx +MDkwMTI3MTRaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw +HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQDAXME8r2vEUH7BKelkt9iC4tTozOq0wJAjsACLCDcN +oD4hUH16wy4Uf4SD3ZsEaL0YA0GU2ZgOo2udUSBpOo8h9FEGtRrAAeSl7Z3XaBnu +B7UmVMrnUVZxlaYi84JcopcTOs6KZ5VXddiaPEkE5G3jaCwOIqHk+c8Qk5b43HQb +kj2jr4051gHeWP0UgBEy1TVPKtoywtyK1b5HQhX7MYVNge8lQL/xJnBrjMDqIQqc +41lCI73EPCuGZ7zB06xBsgyW/DTgQkprX+QeDVKtz8ZChLSqSwmz/5yFttRyZlDu +XA7Kozhdj8obRAjzK/gKj89WsX/s2KUbq2GYpdMpLh7/AgMBAAGjUzBRMB0GA1Ud +DgQWBBRezbFZBumaJ/MViZqqbllYrPomMzAfBgNVHSMEGDAWgBRezbFZBumaJ/MV +iZqqbllYrPomMzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAd +Smkooa2nhdDdu3/uHX8vhDC0ns5qotgd0YKGkj/QyzNP+ruP1cyq/q67zand/Eq8 +gF+lHk+pX8GM0WvI7ypgrK956YCdmh3DULBFDu5RxVABFWrGedfNy6TKLTps0PXR +9mdB/HK0Msr6Mh/o5PkUhb1fx0T3NUwF1EFte7Nsq10Mq+hYVnEqDeEGMlb73frJ +729tCjNpFoLGdlgEcAEFelAujV0w4oj35CE2Fh3b+4wupDiulfgg9E7FtvS9xK0P +l/m7Kka0n7lXnKo+IFSJ0dTooBvwaV7+4tEGuHxWJsNO+2aex9qFCuDUdBFxyWyK +uBVlsY6F7EjTfWpxwyVP +-----END CERTIFICATE----- +msf5 > use auxiliary/server/capture/imap +msf5 auxiliary(server/capture/imap) > set ssl true +ssl => true +msf5 auxiliary(server/capture/imap) > set sslcert /root/metasploit-framework/selfsigned.pem +sslcert => /root/metasploit-framework/selfsigned.pem +msf5 auxiliary(server/capture/imap) > set srvport 993 +srvport => 993 +msf5 auxiliary(server/capture/imap) > run +[*] Auxiliary module running as background job 0. +msf5 auxiliary(server/capture/imap) > +[*] Started service listener on 0.0.0.0:993 +[*] Server started. 
+[+] IMAP LOGIN 127.0.0.1:59024 "johndoe" / "p455w0rd"
+```
+
+Clients:
+
+```
+root@kali:~# cat ~/.muttrc
+set spoolfile="imaps://johndoe:p455w0rd@127.0.0.1/INBOX"
+set folder="imaps://127.0.0.1/INBOX"
+set record="=Sent"
+set postponed="=Drafts"
+
+root@kali:~# mutt
+```
+
+The user is prompted about the invalid certificate, and the client gets stuck at "Logging in...", however
+it doesn't matter since the credentials have already been sent.
diff --git a/documentation/modules/auxiliary/server/capture/mysql.md b/documentation/modules/auxiliary/server/capture/mysql.md
new file mode 100644
index 0000000000..2ccf3e942f
--- /dev/null
+++ b/documentation/modules/auxiliary/server/capture/mysql.md
@@ -0,0 +1,72 @@
+This module creates a mock MySQL server which accepts credentials. Upon receiving a login attempt, an `ERROR 1045 (2800): Access denied` error is thrown.
+
+## Verification Steps
+
+ 1. Start msfconsole
+ 2. Do: ```use auxiliary/server/capture/mysql```
+ 3. Do: ```run```
+
+## Options
+
+ **CHALLENGE**
+
+ The MySQL 16 byte challenge used in the authentication. Default is `112233445566778899AABBCCDDEEFF1122334455`.
+
+ **JOHNPWFILE**
+
+ Write a file containing a John the Ripper format for cracking the credentials. Default is ``.
+
+ **CAINPWFILE**
+
+ Write a file containing a Cain & Abel format for cracking the credentials. Default is ``.
+
+ **SRVVERSION**
+
+ The MySQL version to print in the login banner. Default is `5.5.16`.
+
+ **SSL**
+
+ Boolean if SSL should be used. Default is `False`.
+
+ **SSLCert**
+
+ File path to a combined Private Key and Certificate file. If not provided, a certificate will be automatically
+ generated. Default is ``.
+
+## Scenarios
+
+### MySQL with MySQL Client and JTR Cracking
+
+Server:
+
+```
+msf5 > use auxiliary/server/capture/mysql
+msf5 auxiliary(server/capture/mysql) > set johnpwfile /tmp/mysql.logins
+johnpwfile => /tmp/mysql.logins
+msf5 auxiliary(server/capture/mysql) > run
+[*] Auxiliary module running as background job 0.
+msf5 auxiliary(server/capture/mysql) >
+[*] Started service listener on 0.0.0.0:3306
+[*] Server started.
+[+] 127.0.0.1:59604 - User: admin; Challenge: 112233445566778899aabbccddeeff1122334455; Response: 46677c2d9cac93da328c4321060c125db759925e
+```
+
+Client:
+
+```
+root@kali:~# mysql -u admin -ppassword1 -h 127.0.0.1
+ERROR 1045 (28000): Access denied for user 'admin'@'127.0.0.1' (using password: YES)
+```
+
+JTR:
+
+```
+root@kali:~# john /tmp/mysql.logins_mysqlna
+Using default input encoding: UTF-8
+Loaded 1 password hashes with no different salts (mysqlna, MySQL Network Authentication [SHA1 32/64])
+Press 'q' or Ctrl-C to abort, almost any other key for status
+password1 (admin)
+1g 0:00:00:00 DONE 2/3 (2018-11-08 21:05) 20.00g/s 16800p/s 16800c/s 16800C/s password1
+Use the "--show" option to display all of the cracked passwords reliably
+Session completed
+```
diff --git a/modules/auxiliary/server/capture/http_basic.rb b/modules/auxiliary/server/capture/http_basic.rb
index e8d40c56f3..c19c421274 100644
--- a/modules/auxiliary/server/capture/http_basic.rb
+++ b/modules/auxiliary/server/capture/http_basic.rb
@@ -94,7 +94,7 @@ class MetasploitModule < Msf::Auxiliary
       proof: req['Authorization']
     )
 
-    print_good("#{cli.peerhost} - Credential collected: \"#{user}:#{pass}\" => #{req.resource}")
+    print_good("HTTP Basic Auth LOGIN #{cli.peerhost} \"#{user}:#{pass}\" / #{req.resource}")
     if datastore['RedirectURL']
       print_status("Redirecting client #{cli.peerhost} to #{datastore['RedirectURL']}")
       send_redirect(cli, datastore['RedirectURL'])
diff --git a/modules/auxiliary/server/capture/imap.rb b/modules/auxiliary/server/capture/imap.rb
index c8be382267..d11a86c695 100644
--- a/modules/auxiliary/server/capture/imap.rb
+++ b/modules/auxiliary/server/capture/imap.rb
@@ -29,7 +29,8 @@ class MetasploitModule < Msf::Auxiliary
 
     register_options(
       [
-        OptPort.new('SRVPORT', [ true, "The local port to listen on.", 143 ])
+        OptPort.new('SRVPORT', [ true, "The local port to listen on.", 143 ]),
+        OptString.new('BANNER', [ true, "The server banner", 'IMAP4'])
       ])
   end
 
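Review bot: The new print_good line in http_basic.rb is not parallel to the IMAP line this same patch rewrites: in `IMAP LOGIN <peer> <user> / <pass>` the slash separates user from password, whereas here `"user:pass" / resource` puts the slash between the credential pair and the requested resource, so anyone parsing the console log for a uniform `<PROTO> LOGIN` line gets different fields per module. If a common format is the intent, consider `print_good("HTTP Basic Auth LOGIN #{cli.peerhost} #{user} / #{pass} (#{req.resource})")`. The enclosing method starts and ends outside the hunk.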
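Review bot: The description `"The server banner"` on the new BANNER option does not say where the value ends up; the next hunk interpolates it verbatim after `* OK` in the greeting, so the operator should be told not to include the `* OK` prefix (the documentation added in this patch already lists banners without it, e.g. `Dovecot ready.`). Suggest `OptString.new('BANNER', [ true, "The server banner sent after '* OK' in the greeting", 'IMAP4' ])`, which also restores the ` ]` spacing used on the SRVPORT line above. Separately, the documentation file this patch creates for this module is `documentation/modules/auxiliary/server/capture/imap.rb`; it should presumably be `imap.md` like the sibling `mysql.md` and `ftp.md`, otherwise the framework's documentation lookup is unlikely to find it. The method containing this register_options call starts outside the hunk.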
@@ -44,7 +45,7 @@ class MetasploitModule < Msf::Auxiliary
 
   def on_client_connect(c)
     @state[c] = {:name => "#{c.peerhost}:#{c.peerport}", :ip => c.peerhost, :port => c.peerport, :user => nil, :pass => nil}
-    c.put "* OK IMAP4\r\n"
+    c.put "* OK #{datastore['BANNER']}\r\n"
   end
 
   def on_client_data(c)
@@ -76,7 +77,7 @@ class MetasploitModule < Msf::Auxiliary
       @state[c][:user], @state[c][:pass] = arg.split(/\s+/, 2)
 
       register_creds(@state[c][:ip], @state[c][:user], @state[c][:pass], 'imap')
-      print_status("IMAP LOGIN #{@state[c][:name]} #{@state[c][:user]} / #{@state[c][:pass]}")
+      print_good("IMAP LOGIN #{@state[c][:name]} #{@state[c][:user]} / #{@state[c][:pass]}")
       return
     end
 
diff --git a/modules/auxiliary/server/capture/mysql.rb b/modules/auxiliary/server/capture/mysql.rb
index d047d967fc..e0b43351f8 100644
--- a/modules/auxiliary/server/capture/mysql.rb
+++ b/modules/auxiliary/server/capture/mysql.rb
@@ -58,7 +58,7 @@ class MetasploitModule < Msf::Auxiliary
   end
 
   def mysql_send_greeting(c)
-    # http://forge.mysql.com/wiki/MySQL_Internals_ClientServer_Protocol#Handshake_Initialization_Packet
+    # https://dev.mysql.com/doc/internals/en/connection-phase-packets.html
     length = 68 + @version.length
     packetno = 0
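Review bot: `c.put "* OK #{datastore['BANNER']}\r\n"` writes the operator-supplied banner into the greeting without normalising it, so a value containing CR or LF (easy to end up with when a multi-line banner is pasted in) splits the greeting into extra untagged lines, and a client may stall or disconnect before it ever sends LOGIN. Strip line terminators once at send time, `c.put "* OK #{datastore['BANNER'].to_s.delete("\r\n")}\r\n"`, and mention in a comment that the option is expected to hold only the text after `* OK`. `on_client_connect` is entirely within the hunk.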
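Review bot: The values printed by the new print_good line, and passed to `register_creds` just above it, still carry IMAP quoting: `arg.split(/\s+/, 2)` leaves the surrounding double quotes on a quoted-string LOGIN, which is exactly what the patch's own documentation shows (`"johndoe" / "p455w0rd"` from mutt versus the unquoted `metasploit@documentation.com / rapid7#1` from telnet), so the stored credential differs from what the client actually sent. Unquote each argument before registering it, e.g. `user, pass = arg.split(/\s+/, 2).map { |v| v.to_s.sub(/\A"(.*)"\z/, '\1') }` and assign those to `@state[c][:user]` / `@state[c][:pass]`; escaped characters inside quoted strings and IMAP literal syntax (`{n}`) would still be unhandled and deserve a comment. The enclosing `on_client_data` starts and ends outside the hunk.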