infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Land #8372, rservice documentation

bug/bundler_fix
Brent Cook 2017-05-14 19:31:55 -05:00
parent f39e378496 fb236df18f
commit 8be51bb56b
No known key found for this signature in database
GPG Key ID: 1FFAA0B24B708F96
3 changed files with 187 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

62
documentation/modules/auxiliary/scanner/rservices/rexec_login.md Normal file
View File

@ -0,0 +1,62 @@
## Vulnerable Application
The R Services (rexecd, rlogind, and rshd) are a suite of unencrypted remote command/login services developed in the 1980s.
These services are all but unused in modern computing, as they have been replace by telnet and ssh.
The following was done on Kali linux:
1. `apt-get install rsh-server` which includes: `rexecd`, `rlogind` and `rshd`.
2. Start the service: `service openbsd-inetd start`
## Verification Steps
1. Install and configure rexec
2. Start msfconsole
3. Do: `use auxiliary/scanner/rservices/rexec_login`
4. Do: `set rhosts`
5. Set any other credentials that will need to be set
6. Do: `run`
## Scenarios
A run against the configuration from these docs
```
msf > use auxiliary/scanner/rservices/rexec_login
msf auxiliary(rexec_login) > set username test
username => test
msf auxiliary(rexec_login) > set password 'test'
password => test
msf auxiliary(rexec_login) > run
[*] 127.0.0.1:512 - 127.0.0.1:512 - Starting rexec sweep
[+] 127.0.0.1:512 - 127.0.0.1:512, rexec 'test' : 'test'
[!] 127.0.0.1:512 - *** auxiliary/scanner/rservices/rexec_login is still calling the deprecated report_auth_info method! This needs to be updated!
[!] 127.0.0.1:512 - *** For detailed information about LoginScanners and the Credentials objects see:
[!] 127.0.0.1:512 - https://github.com/rapid7/metasploit-framework/wiki/Creating-Metasploit-Framework-LoginScanners
[!] 127.0.0.1:512 - https://github.com/rapid7/metasploit-framework/wiki/How-to-write-a-HTTP-LoginScanner-Module
[!] 127.0.0.1:512 - *** For examples of modules converted to just report credentials without report_auth_info, see:
[!] 127.0.0.1:512 - https://github.com/rapid7/metasploit-framework/pull/5376
[!] 127.0.0.1:512 - https://github.com/rapid7/metasploit-framework/pull/5377
[*] Command shell session 2 opened (127.0.0.1:37489 -> 127.0.0.1:512) at 2017-04-27 20:56:54 -0400
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
## Confirming using NMAP
Utilizing [rexec-brute](https://nmap.org/nsedoc/scripts/rexec-brute.html)
```
nmap -p 512 --script rexec-brute 127.0.0.1
Starting Nmap 7.40 ( https://nmap.org ) at 2017-04-27 21:23 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000037s latency).
PORT STATE SERVICE
512/tcp open exec
| rexec-brute:
| Accounts:
| test:test - Valid credentials
|_ Statistics: Performed 7085940 guesses in 629 seconds, average tps: 9231.6
```

68
documentation/modules/auxiliary/scanner/rservices/rlogin_login.md Normal file
View File

@ -0,0 +1,68 @@
## Vulnerable Application
The R Services (rexecd, rlogind, and rshd) are a suite of unencrypted remote command/login services developed in the 1980s.
These services are all but unused in modern computing, as they have been replace by telnet and ssh.
The following was done on Kali linux:
1. `apt-get install rsh-server` which includes: `rexecd`, `rlogind` and `rshd`.
2. Start the service: `service openbsd-inetd start`
## Verification Steps
1. Install and configure rexec
2. Start msfconsole
3. Do: `use auxiliary/scanner/rservices/rlogin_login`
4. Do: `set rhosts`
5. Set any other credentials that will need to be set
6. Do: `run`
## Scenarios
A run against the configuration from these docs
```
msf > use auxiliary/scanner/rservices/rlogin_login
msf auxiliary(rlogin_login) > set rhosts 10.1.2.3
rhosts => 10.1.2.3
msf auxiliary(rlogin_login) > set password test
password => test
msf auxiliary(rlogin_login) > set username test
username => test
msf auxiliary(rlogin_login) > run
[*] 10.1.2.3:513 - 10.1.2.3:513 - Starting rlogin sweep
[*] 10.1.2.3:513 - 10.1.2.3:513 - Attempting: 'test':"test" from 'root'
[*] 10.1.2.3:513 - 10.1.2.3:513 - Prompt: Password:
[*] 10.1.2.3:513 - 10.1.2.3:513 - Result: The programs included with the Kali GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.
[+] 10.1.2.3:513 - 10.1.2.3:513, rlogin 'test' successful with password "test"
[!] 10.1.2.3:513 - *** auxiliary/scanner/rservices/rlogin_login is still calling the deprecated report_auth_info method! This needs to be updated!
[!] 10.1.2.3:513 - *** For detailed information about LoginScanners and the Credentials objects see:
[!] 10.1.2.3:513 - https://github.com/rapid7/metasploit-framework/wiki/Creating-Metasploit-Framework-LoginScanners
[!] 10.1.2.3:513 - https://github.com/rapid7/metasploit-framework/wiki/How-to-write-a-HTTP-LoginScanner-Module
[!] 10.1.2.3:513 - *** For examples of modules converted to just report credentials without report_auth_info, see:
[!] 10.1.2.3:513 - https://github.com/rapid7/metasploit-framework/pull/5376
[!] 10.1.2.3:513 - https://github.com/rapid7/metasploit-framework/pull/5377
[*] Command shell session 1 opened (10.1.2.3:1023 -> 10.1.2.3:513) at 2017-05-11 20:04:24 -0400
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
## Confirming using NMAP
Utilizing [rlogin-brute](https://nmap.org/nsedoc/scripts/rlogin-brute.html)
```
nmap -p 513 --script rlogin-brute 10.1.2.3
Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-11 20:07 EDT
Nmap scan report for test (10.1.2.3)
Host is up (0.000039s latency).
PORT STATE SERVICE
513/tcp open login
| rlogin-brute:
| Accounts: No valid accounts found
|_ Statistics: Performed 6662201 guesses in 609 seconds, average tps: 10491.0
Nmap done: 1 IP address (1 host up) scanned in 608.75 seconds
```

57
documentation/modules/auxiliary/scanner/rservices/rsh_login.md Normal file
View File

@ -0,0 +1,57 @@
## Vulnerable Application
The R Services (rexecd, rlogind, and rshd) are a suite of unencrypted remote command/login services developed in the 1980s.
These services are all but unused in modern computing, as they have been replace by telnet and ssh.
`rsh` relies on host names as a security mechanism. Utilizing `+` can wildcard so any computer can connect. In the following
config, we'll utilize that wildcarded setting to simplify our exploitation. **This is a glaring security issue!!!**
However, there are exceptions to this in proprietary Unix systems which may include other mechanisms such as Kerberos
([AIX](https://www.ibm.com/support/knowledgecenter/en/ssw_aix_71/com.ibm.aix.cmds4/rsh.htm))
If you encounter `Host address mismatch for `..., you may need to adjust your `/etc/hosts` file accordingly.
The following was done on Kali linux:
1. `apt-get install rsh-server` which includes: `rexecd`, `rlogind` and `rshd`.
2. ```echo "+" > ~/.rhosts```
3. Start the service: `service openbsd-inetd start`
## Verification Steps
1. Install and configure rexec
2. Start msfconsole
3. Do: `use auxiliary/scanner/rservices/rsh_login`
4. Do: `set rhosts`
5. Set any other credentials that will need to be set
6. Do: `run`
## Scenarios
A run against the configuration from these docs
```
msf > use auxiliary/scanner/rservices/rsh_login
msf auxiliary(rsh_login) > set rhosts 10.1.2.3
rhosts => 10.1.2.3
msf auxiliary(rsh_login) > set username root
username => root
msf auxiliary(rsh_login) > run
[*] 10.1.2.3:514 - 10.1.2.3:514 - Starting rsh sweep
[*] 10.1.2.3:514 - 10.1.2.3:514 - Attempting rsh with username 'root' from 'root'
[+] 10.1.2.3:514 - 10.1.2.3:514, rsh 'root' from 'root' with no password.
[!] 10.1.2.3:514 - *** auxiliary/scanner/rservices/rsh_login is still calling the deprecated report_auth_info method! This needs to be updated!
[!] 10.1.2.3:514 - *** For detailed information about LoginScanners and the Credentials objects see:
[!] 10.1.2.3:514 - https://github.com/rapid7/metasploit-framework/wiki/Creating-Metasploit-Framework-LoginScanners
[!] 10.1.2.3:514 - https://github.com/rapid7/metasploit-framework/wiki/How-to-write-a-HTTP-LoginScanner-Module
[!] 10.1.2.3:514 - *** For examples of modules converted to just report credentials without report_auth_info, see:
[!] 10.1.2.3:514 - https://github.com/rapid7/metasploit-framework/pull/5376
[!] 10.1.2.3:514 - https://github.com/rapid7/metasploit-framework/pull/5377
[*] Command shell session 1 opened (10.1.2.3:1023 -> 10.1.2.3:514) at 2017-05-11 19:56:46 -0400
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
## Confirming
At the time of writing this, there was no `nmap` script equivalent. Most modern systems have also replaced `rsh` with `ssh`.