Merge pull request #18 from clee-r7/goliath_cleanup

Goliath Cleanup in preparation for merge to master
GSoC/Meterpreter_Web_Console
Christopher Lee 2018-03-06 13:34:31 -06:00 committed by GitHub
commit a872c13d9f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
11 changed files with 1994 additions and 2075 deletions


@ -3,10 +3,6 @@ source 'https://rubygems.org'
# spec.add_runtime_dependency '<name>', [<version requirements>]
gemspec name: 'metasploit-framework'
gem 'thin'
gem 'sinatra'
# separate from test as simplecov is not run on travis-ci
group :coverage do
# code coverage for tests


@ -62,8 +62,10 @@ PATH
ruby_smb (= 0.0.18)
rubyntlm
rubyzip
sinatra
sqlite3
sshkey
thin
tzinfo
tzinfo-data
windows_error
@ -378,6 +380,7 @@ PLATFORMS
DEPENDENCIES
factory_girl_rails
fivemat
google-protobuf (= 3.5.1)
metasploit-aggregator
metasploit-framework!
octokit
@ -387,8 +390,6 @@ DEPENDENCIES
rspec-rails
rspec-rerun
simplecov
sinatra
thin
timecop
yard


@ -1,60 +0,0 @@
This module tests credentials on OWA 2003, 2007, 2010, 2013, and 2016 servers.
NOTE: This module assumes that login attempts that take a long time (>1 sec) to
return are using a valid domain username. This methodology does not work when
passing a full email address (user@domain.com). Full email addresses will not
be saved as potentially valid usernames unless we get a successful login.
## Verification Steps
1. Do: ```use auxiliary/scanner/http/owa_login```
2. Do: ```set RHOSTS [IP]```
3. Configure a user and password list by setting either `USERNAME`, `PASSWORD`, `USER_FILE`, or `PASS_FILE`.
4. Do: ```run```
## Scenarios
```
msf5 auxiliary(scanner/http/owa_login) > run
[*] webmail.hostingcloudapp.com:443 OWA - Testing version OWA_2013
[+] Found target domain: HOSTINGCLOUDAPP
[*] webmail.hostingcloudapp.com:443 OWA - Trying administrator : password
[*] webmail.hostingcloudapp.com:443 OWA - Resolved hostname 'webmail.hostingcloudapp.com' to address 38.126.136.24
[+] server type: EXCH2016MBX02
[*] webmail.hostingcloudapp.com:443 OWA - FAILED LOGIN, BUT USERNAME IS VALID. 0.267791 'HOSTINGCLOUDAPP\administrator' : 'password': SAVING TO CREDS
[*] webmail.hostingcloudapp.com:443 OWA - Trying administrator : password1
[*] webmail.hostingcloudapp.com:443 OWA - Resolved hostname 'webmail.hostingcloudapp.com' to address 38.126.136.24
[+] server type: EXCH2016MBX02
[*] webmail.hostingcloudapp.com:443 OWA - FAILED LOGIN, BUT USERNAME IS VALID. 0.273841 'HOSTINGCLOUDAPP\administrator' : 'password1': SAVING TO CREDS
[*] webmail.hostingcloudapp.com:443 OWA - Trying administrator : fido
[*] webmail.hostingcloudapp.com:443 OWA - Resolved hostname 'webmail.hostingcloudapp.com' to address 38.126.136.22
[+] server type: EXCH2016MBX01
[*] webmail.hostingcloudapp.com:443 OWA - FAILED LOGIN, BUT USERNAME IS VALID. 0.270796 'HOSTINGCLOUDAPP\administrator' : 'fido': SAVING TO CREDS
[*] webmail.hostingcloudapp.com:443 OWA - Trying johndoe : password
[*] webmail.hostingcloudapp.com:443 OWA - Resolved hostname 'webmail.hostingcloudapp.com' to address 38.126.136.22
[+] server type: EXCH2016MBX01
[-] webmail.hostingcloudapp.com:443 OWA - FAILED LOGIN. 2.046935 'HOSTINGCLOUDAPP\johndoe' : 'password' (HTTP redirect with reason 2)
[*] webmail.hostingcloudapp.com:443 OWA - Trying johndoe : password1
[*] webmail.hostingcloudapp.com:443 OWA - Resolved hostname 'webmail.hostingcloudapp.com' to address 38.126.136.24
[+] server type: EXCH2016MBX02
[-] webmail.hostingcloudapp.com:443 OWA - FAILED LOGIN. 2.073391 'HOSTINGCLOUDAPP\johndoe' : 'password1' (HTTP redirect with reason 2)
[*] webmail.hostingcloudapp.com:443 OWA - Trying johndoe : fido
[*] webmail.hostingcloudapp.com:443 OWA - Resolved hostname 'webmail.hostingcloudapp.com' to address 38.126.136.24
[+] server type: EXCH2016MBX02
[-] webmail.hostingcloudapp.com:443 OWA - FAILED LOGIN. 2.038717 'HOSTINGCLOUDAPP\johndoe' : 'fido' (HTTP redirect with reason 2)
[*] webmail.hostingcloudapp.com:443 OWA - Trying bob : password
[*] webmail.hostingcloudapp.com:443 OWA - Resolved hostname 'webmail.hostingcloudapp.com' to address 38.126.136.24
[+] server type: EXCH2016MBX02
[*] webmail.hostingcloudapp.com:443 OWA - FAILED LOGIN, BUT USERNAME IS VALID. 0.289186 'HOSTINGCLOUDAPP\bob' : 'password': SAVING TO CREDS
[*] webmail.hostingcloudapp.com:443 OWA - Trying bob : password1
[*] webmail.hostingcloudapp.com:443 OWA - Resolved hostname 'webmail.hostingcloudapp.com' to address 38.126.136.24
[+] server type: EXCH2016MBX02
[*] webmail.hostingcloudapp.com:443 OWA - FAILED LOGIN, BUT USERNAME IS VALID. 0.270616 'HOSTINGCLOUDAPP\bob' : 'password1': SAVING TO CREDS
[*] webmail.hostingcloudapp.com:443 OWA - Trying bob : fido
[*] webmail.hostingcloudapp.com:443 OWA - Resolved hostname 'webmail.hostingcloudapp.com' to address 38.126.136.24
[+] server type: EXCH2016MBX02
[*] webmail.hostingcloudapp.com:443 OWA - FAILED LOGIN, BUT USERNAME IS VALID. 0.275251 'HOSTINGCLOUDAPP\bob' : 'fido': SAVING TO CREDS
[*] Auxiliary module execution completed
```


@ -44,11 +44,7 @@ class Metasploit::Framework::Command::Base
#
# @return (see parsed_options)
def self.require_environment!
# TODO: Look into removing Rails.application (save ~20mb)
# return self.parsed_options if ( self.parsed_options.options.database.remote_process)
parsed_options = self.parsed_options
# RAILS_ENV must be set before requiring 'config/application.rb'
parsed_options.environment!
ARGV.replace(parsed_options.positional)
@ -83,9 +79,7 @@ class Metasploit::Framework::Command::Base
def self.start
parsed_options = require_environment!
is_db_remote = false # parsed_options.options.database.remote_process
application = is_db_remote ? nil : Rails.application
new(application: application, parsed_options: parsed_options).start
new(application: Rails.application, parsed_options: parsed_options).start
end
#


@ -12,28 +12,20 @@ module Msf
return
end
#is_remote_db = opts.delete(:is_remote_database)
allowed_module_paths = []
#if (!is_remote_db)
extract_engine_module_paths(Rails.application).each do |path|
allowed_module_paths << path
end
#else
# allowed_module_paths << "/home/chlee/rapid7/metasploit-framework/modules"
#end
extract_engine_module_paths(Rails.application).each do |path|
allowed_module_paths << path
end
if Msf::Config.user_module_directory
allowed_module_paths << Msf::Config.user_module_directory
end
#unless (is_remote_db)
::Rails::Engine.subclasses.map(&:instance).each do |engine|
extract_engine_module_paths(engine).each do |path|
allowed_module_paths << path
end
::Rails::Engine.subclasses.map(&:instance).each do |engine|
extract_engine_module_paths(engine).each do |path|
allowed_module_paths << path
end
# end
end
# If additional module paths have been defined globally, then load them.
# They should be separated by semi-colons.


@ -94,7 +94,6 @@ class Msf::DBManager
include Msf::DBManager::Web
include Msf::DBManager::Workspace
# Provides :framework and other accessors
include Msf::Framework::Offspring


@ -113,16 +113,14 @@ class SessionManager < Hash
last_seen_timer = Time.now.utc
if framework.db.active
::ActiveRecord::Base.connection_pool.with_connection do
values.each do |s|
# Update the database entry on a regular basis, marking alive threads
# as recently seen. This notifies other framework instances that this
# session is being maintained.
if s.db_record
s.db_record.last_seen = Time.now.utc
s.db_record.save
end
::ActiveRecord::Base.connection_pool.with_connection do
values.each do |s|
# Update the database entry on a regular basis, marking alive threads
# as recently seen. This notifies other framework instances that this
# session is being maintained.
if s.db_record
s.db_record.last_seen = Time.now.utc
s.db_record.save
end
end
end



@ -122,7 +122,7 @@ class Driver < Msf::Ui::Driver
enstack_dispatcher(dispatcher)
end
if (framework.db.active)
if framework.db && framework.db.active
require 'msf/ui/console/command_dispatcher/db'
enstack_dispatcher(CommandDispatcher::Db)
require 'msf/ui/console/command_dispatcher/creds'
@ -195,7 +195,7 @@ class Driver < Msf::Ui::Driver
self.framework.init_module_paths(module_paths: opts['ModulePath'])
end
if framework.db.active && framework.db.is_local? && !opts['DeferModuleLoads']
if framework.db && framework.db.active && framework.db.is_local? && !opts['DeferModuleLoads']
framework.threads.spawn("ModuleCacheRebuild", true) do
framework.modules.refresh_cache_from_module_files
end
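Review bot: The nil guard `framework.db && framework.db.active` is now written out twice in this file, and the second site at `if framework.db && framework.db.active && framework.db.is_local? && !opts['DeferModuleLoads']` is getting long enough to be hard to read. If the project's minimum Ruby permits safe navigation, `framework.db&.active` expresses the same check more compactly; otherwise a one-line local such as `db_active = framework.db && framework.db.active` before the second `if` would keep the condition readable. The guard implies `framework.db` can now be nil at driver start, so any other `framework.db.` call in this driver outside these two hunks presumably needs the same treatment, which I cannot confirm from here. Both enclosing methods start and end outside the hunks.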


@ -100,6 +100,9 @@ Gem::Specification.new do |spec|
spec.add_runtime_dependency 'redcarpet'
# Needed for Microsoft patch finding tool (msu_finder)
spec.add_runtime_dependency 'patch_finder'
# Required for msfdb_ws (Metasploit data base as a webservice)
spec.add_runtime_dependency 'thin'
spec.add_runtime_dependency 'sinatra'
# TimeZone info
spec.add_runtime_dependency 'tzinfo-data'
# Gem for dealing with SSHKeys
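Review bot: The new `spec.add_runtime_dependency 'thin'` and `spec.add_runtime_dependency 'sinatra'` lines carry no version constraint, unlike the pinned `google-protobuf (= 3.5.1)` elsewhere in this change; the lockfile pins them for this checkout, but the gemspec is what downstream installs resolve against, so a future major release of either network-facing component would be pulled in silently. I would add a pessimistic constraint matching the line the lockfile resolved, e.g. `spec.add_runtime_dependency 'sinatra', '~> 2.0'` if 2.x is what was locked, and likewise for `thin`. The comment also has a typo; I would write it as `# Required for msfdb_ws (Metasploit database as a web service)`. Whether every framework install should pull in a web server for an optional service is a design question this hunk alone cannot settle.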


@ -254,18 +254,14 @@ class MetasploitModule < Msf::Auxiliary
else
# Login didn't work. no point in going on, however, check if valid domain account by response time.
if elapsed_time <= 1
# This timing trick doesn't work when an email address is passed, only usernames.
# Don't save it as potentially valid in this case.
unless user =~ /@\w+\.\w+/
report_cred(
ip: res.peerinfo['addr'],
port: datastore['RPORT'],
service_name: 'owa',
user: user
)
print_status("#{msg} FAILED LOGIN, BUT USERNAME IS VALID. #{elapsed_time} '#{user}' : '#{pass}': SAVING TO CREDS")
return :Skip_pass
end
report_cred(
ip: res.peerinfo['addr'],
port: datastore['RPORT'],
service_name: 'owa',
user: user
)
print_status("#{msg} FAILED LOGIN, BUT USERNAME IS VALID. #{elapsed_time} '#{user}' : '#{pass}': SAVING TO CREDS")
return :Skip_pass
else
vprint_error("#{msg} FAILED LOGIN. #{elapsed_time} '#{user}' : '#{pass}' (HTTP redirect with reason #{reason})")
return :Skip_pass
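Review bot: On the new side the `elapsed_time <= 1` branch calls `report_cred` and logs "USERNAME IS VALID" for any `user`, including a full e-mail address, whereas the old side skipped reporting when `user =~ /@\w+\.\w+/`, and the module documentation deleted in this same change states that the timing heuristic does not hold for e-mail-form users; as written, a fast rejection of user@domain.com will be stored as a valid account. I would keep the guard around the `report_cred` call, `unless user =~ /@\w+\.\w+/` … `end`, with a comment such as `# Response-time validity check only holds for bare usernames, not e-mail addresses`, or at minimum document in the module's help that e-mail users are reported on timing alone. Note that the guarded path returns `:Skip_pass`, so restoring the guard changes what is returned for e-mail users; the fall-through return and the rest of the enclosing method lie outside this hunk.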