Commit Graph

4651 Commits (1963318e70d1c436d0b39241a53f1fce48a1ef0a)

Author SHA1 Message Date
Jon Hart 06e45e8253 Clean up TLS fragment building 2014-06-09 08:39:30 -07:00
Christian Mehlmauer 099003708c
Land #3422, SAP Bruterforcer datastore cleanup 2014-06-08 08:42:27 +02:00
Brandon Perry 4367e8ef0c Update mongodb_js_inject_collection_enum.rb
Fix some logic bugs that caused incorrect results.
2014-06-07 21:03:28 -05:00
Brandon Perry dc89621d5c Update mongodb_js_inject_collection_enum.rb
No need to make extra requests. Off by one.
2014-06-07 20:09:00 -05:00
Brandon Perry 2663af986b Update mongodb_js_inject_collection_enum.rb
This adds a bit more error handling, and better decision making in regards to false responses.
2014-06-07 19:58:12 -05:00
Jon Hart a7a1a2bf3b Move dtls_fragment_overflow.rb under ssl where it belongs 2014-06-07 12:56:34 -07:00
Brandon Perry 4071fb332b Create mongodb_js_inject_collection_enum.rb
This module was tested against a small php application I wrote interfacing with MongoDB 2.2.7

https://gist.github.com/brandonprry/c2de8ac2be825007c4de
2014-06-07 11:20:34 -05:00
Jon Hart 8637a1fff1 OpenSSL DTLS CVE-2014-0195 POC 2014-06-06 19:24:47 -07:00
Meatballs fe20e6e1c4
Merge remote-tracking branch 'upstream/master' into soap_brute_fix
Conflicts:
	modules/auxiliary/scanner/sap/sap_soap_rfc_brute_login.rb
2014-06-07 02:44:16 +01:00
Meatballs 8624ddfc3e
Clean up SAP SOAP RFC Brute Login
Honour the user supplied settings
Abort a host on connection error
Check a 200 response for some appropriate data
Let datastore validation handle things like options being present
Be more verbose if needed
Use the HTTPClient more appropriately
2014-06-07 02:34:49 +01:00
Meatballs b997c2ac1f
Further tidies 2014-06-07 02:00:35 +01:00
Meatballs 0e3549ebc4
mc brute tidy 2014-06-03 17:27:46 +01:00
Tod Beardsley b7dc89f569
I prefer "bruteforce" to "brute force" for search
Just makes it easier to search for, since it's an industry term of art.
2014-06-02 13:09:46 -05:00
William Vu 8bd4e8d30a
Land #3406, indeces_enum -> indices_enum 2014-06-02 11:06:33 -05:00
RageLtMan 74400549a1 Resolve undefined method `get_cookies'
Anemone::Page is not a Rex HTTP request/response, and uses the
:cookies method to return an array of cookies.
This resolves the method naming error, though it does break with
Rex naming convention since Anemone still uses a lot non-Rex
methods for working with pages/traffic.
2014-05-30 14:39:51 -04:00
jvazquez-r7 4a1fea7abb
Land #2948, @juushya's PocketPAD login bruteforce module 2014-05-30 11:47:16 -05:00
jvazquez-r7 b0bdfa7680 Clean up code 2014-05-30 11:44:42 -05:00
jvazquez-r7 fb59221189
Land #2494, @juushya's etherpadduo login module 2014-05-30 11:35:28 -05:00
jvazquez-r7 d92a7adc68 change module filename 2014-05-30 11:31:49 -05:00
jvazquez-r7 40a103967e Minor code cleanup 2014-05-30 11:28:37 -05:00
jvazquez-r7 6f330ea190 Add deprecation information 2014-05-29 17:38:01 -05:00
jvazquez-r7 aea0379451 Fix typos 2014-05-29 12:37:51 -05:00
William Vu 53ab2aefaa
Land #3386, a few datastore msftidy error fixes 2014-05-29 10:44:37 -05:00
William Vu 8a2236ecbb
Fix the last of the Set-Cookie msftidy warnings 2014-05-29 04:42:49 -05:00
William Vu 3f86aebabf
Land #3398, CAPWAP DoS description cleanup 2014-05-28 14:55:22 -05:00
William Vu 785b53820e
Land #3399, print_error instead of print_status 2014-05-28 14:53:00 -05:00
joev c89cd24621 Rewire some snmp modules to use print_error instead of print_status. 2014-05-28 13:31:00 -05:00
Tod Beardsley 4b5c62ba8d
Dress up CAPWAP DoS desc a little. 2014-05-28 12:19:17 -05:00
jvazquez-r7 55ef5dd484
Land #3115, @silascutler's module for elasticsearch indeces enumeration 2014-05-27 11:28:34 -05:00
jvazquez-r7 2271afc1a5 Change module filename 2014-05-27 11:25:39 -05:00
jvazquez-r7 3de8beb5fd Clean code 2014-05-27 11:22:40 -05:00
jvazquez-r7 69e8286838 Fix title 2014-05-27 10:29:32 -05:00
jvazquez-r7 1316365c2f Fix description 2014-05-27 10:22:39 -05:00
jvazquez-r7 abe1d6ffc7
Land #3190, @Karmanovskii's module to fingerprint MyBB database 2014-05-27 10:20:24 -05:00
jvazquez-r7 86221de10e Fix message 2014-05-27 10:18:27 -05:00
jvazquez-r7 b96c2dd0ca Change module filename 2014-05-27 10:15:39 -05:00
jvazquez-r7 1d8c46155b Do last code cleaning 2014-05-27 10:14:55 -05:00
William Vu 352e14c21a
Land #3391, all vars_get msftidy warning fixes 2014-05-26 23:41:46 -05:00
Karmanovskii eacf70af83 Update mybb_get_type_db.rb
26.05.2014  23:26
I deleted mimicking IE11
2014-05-26 23:26:28 +04:00
jvazquez-r7 217a14e4d7
Land #3366, @jholgui's module for CVE-2013-4074 2014-05-25 18:53:30 -05:00
jvazquez-r7 33ba134147 Clean msftidy warnings and metadata 2014-05-25 18:52:01 -05:00
jvazquez-r7 d3c17d8e3e Delete wireshark_capwap_dos 2014-05-25 18:39:53 -05:00
Christian Mehlmauer da0a9f66ea
Resolved all msftidy vars_get warnings 2014-05-25 19:29:39 +02:00
JoseMi 9f166b87f6 Changed the description 2014-05-24 18:58:36 +01:00
JoseMi 71e2d19040 Adapted to auxiliary modules structure 2014-05-24 18:53:10 +01:00
Tod Beardsley 1aee0f3305
Warn if it's not UPPERCASE method (@wchen-r7)
See the discussion on f7bfab5a26, PR #3386
2014-05-23 17:10:27 -05:00
Tod Beardsley 9f78bec457
Use normalize_uri (@wchen-r7)
Instead of editing the datastore['PATH'], use normalize_uri.

Since the purpose of this module is quite fuzz-like, I didn't want to
apply the normalize_uri to the whole uri -- the original code merely
applied to datastore['PATH'] (which seems like it should be
datastore['URI'] really) and then added on a bunch of other stuff to
test for traversals.
2014-05-23 15:43:50 -05:00
Tod Beardsley f7bfab5a26
HTTP traversal shouldnt upcase METHOD (@wchen-r7)
If the user wants to use downcased or mixed case HTTP methods, heck,
more power to them. If it doesn't work, it doesn't work. No other HTTP
module makes this call.
2014-05-23 15:32:04 -05:00
Tod Beardsley 7f59cf5035
Ora XID HTTP needn't edit DBUSER (@cellabosm)
Looks like copypasta artifacts. DBUSER and DBPASS aren't ever set as
options in the module, and the module doesn't include MC's
Exploit::ORACLE mixin. It's also from four years ago and doesn't
report_auth or anything useful like that, but that's out of scope for
this branch.
2014-05-23 15:20:46 -05:00
Tod Beardsley f189033e8a
OWA bruteforce shouldnt edit datastore (@wchen-r7)
This module was written in an era where the defaults for bruteforcing
included a lot of lock-inducing behavior, thus, it was quite serious
about setting datastore options directly. Also, there was apparently a
bug in USER_AS_PASS that this module attempted to avoid by setting the
datastore directly, rather than fixing the bug directly. As far as I
know, this bug has been long since resolved.
2014-05-23 15:08:19 -05:00
Tod Beardsley fa353e6bd9
Add CVE, IBM ref for SameTime modules 2014-05-22 11:34:04 -05:00
jvazquez-r7 8a9c005f13 Add URL 2014-05-20 17:43:07 -05:00
Karmanovskii e26dee5e22 Update mybb_get_type_db.rb
19/05/2014
I deleted      -     #return Exploit::CheckCode::Unknown  # necessary ????
2014-05-19 21:32:30 +04:00
William Vu a30d6b1f2d
Quick cleanup for sap_icm_urlscan 2014-05-19 09:21:26 -05:00
William Vu dc0e649a10
Clean up case statement 2014-05-19 09:21:07 -05:00
William Vu bc64e47698
Land #3370, cleanup for sap_icm_urlscan 2014-05-19 09:16:18 -05:00
Tod Beardsley 0ef2e07012
Minor desc and status updates, cosmetic 2014-05-19 08:59:54 -05:00
Meatballs 6b1e4c3a9d
Show loot and error code 2014-05-19 11:17:58 +01:00
Meatballs 848227e18a
401 should be a valid url 2014-05-19 10:59:38 +01:00
Meatballs 5d96f54410
Be verbose about 307 2014-05-19 10:52:06 +01:00
Meatballs 88b7dc3def
re-add content length 2014-05-19 10:46:47 +01:00
Meatballs e59f104195
Use unless 2014-05-19 10:41:01 +01:00
William Vu a97d9ed54f
Land #3148, check_urlprefixes for sap_icm_urlscan 2014-05-17 16:10:52 -05:00
sappirate dd1a47f31f Modified sap_icm_urlscan to check for authentication of custom URLs
Fixed ruby coding style
2014-05-17 22:47:49 +02:00
Karmanovskii 06912ac2b6 Update mybb_get_type_db.rb
1.Changed "Rex::Proto::Http::Client" to "Msf::Exploit::Remote::HttpClient"
2.changed the name of the variable "_Version_server".
2014-05-17 16:30:29 +04:00
JoseMi 21cf0a162c Added module to crash capwap dissector in wireshark tool 2014-05-17 11:31:43 +01:00
Christian Mehlmauer 488c3e6b93
Land #3358, @jvazquez-r7 Advantech WebAccess 7.1 SQLI module 2014-05-16 21:26:41 +02:00
jvazquez-r7 2012d41b3d Add origin of the user, and mark web users 2014-05-16 13:51:42 -05:00
jvazquez-r7 4143474da9 Add support for web databases 2014-05-16 11:47:01 -05:00
jvazquez-r7 883d2f14b5 delete debug print_status 2014-05-16 11:13:03 -05:00
jvazquez-r7 ea38a2c6e5 Handle ISO-8859-1 special chars 2014-05-16 11:11:58 -05:00
jvazquez-r7 c9465a8922 Rescue when the recovered info is in a format we can't understand 2014-05-16 08:57:59 -05:00
Tod Beardsley 3c1363b990
Add new SNMP enumeration modules 2014-05-16 08:32:46 -05:00
jvazquez-r7 7ec85c9d3a Delete blank lines 2014-05-16 01:03:04 -05:00
jvazquez-r7 9091ce443a Add suport to decode passwords 2014-05-16 00:59:27 -05:00
William Vu f9982752f3
Land #3362, ax rank for aux/dos mods 2014-05-14 15:20:07 -05:00
Tod Beardsley dc57e31be1
Aux modules don't respect Rank anyway 2014-05-14 15:03:10 -05:00
jvazquez-r7 5b3bb8fb3b Fix @FireFart's review 2014-05-14 09:00:52 -05:00
Karmanovskii cbb84e854c Update mybb_get_type_db.rb
14.05.2014
Eliminated notes jvazquez-r7
2014-05-14 14:56:40 +04:00
William Vu de49241195
Land #3185, regex option validation 2014-05-14 01:27:18 -05:00
Christian Mehlmauer df4b832019
Resolved some more Set-Cookie warnings 2014-05-13 22:56:12 +02:00
jvazquez-r7 a7075c7e08 Add module for ZDI-14-077 2014-05-13 14:17:59 -05:00
Christian Mehlmauer 3f3283ba06
Resolved some msftidy warnings (Set-Cookie) 2014-05-12 21:23:30 +02:00
William Vu 92a9519fd9
Remove EOL spaces 2014-05-09 18:34:12 -05:00
jvazquez-r7 8c55858eae
Land #3309, @arnaudsoullie's changes for modblusclient 2014-05-08 10:45:19 -05:00
jvazquez-r7 25f13eac37 Clean a little response parsing 2014-05-08 10:44:53 -05:00
Arnaud SOULLIE 1f3466a3a3 Added Modbus error handling.
It now checks for error and displays the appropriate error message.
The only error simulated was "ILLEGAL ADDRESS", don't know how
to test for others.
2014-05-05 23:21:54 +02:00
William Vu e8bc89af30
Land #3337, release fixes 2014-05-05 14:03:48 -05:00
jvazquez-r7 b81f94a229
Land #3336, @todb-r7's CVEs addition 2014-05-05 13:43:04 -05:00
Tod Beardsley c6affcd6d3
Fix caps, description on F5 module
The product name isn't "Load Balancer" as far as I can tell.
2014-05-05 13:38:53 -05:00
William Vu 353a50cdd0
Land #3316, Content-Length fix for http_ntlmrelay 2014-05-05 13:38:36 -05:00
Tod Beardsley 3072c2f08a
Update CVEs for RootedCon Yokogawa modules
Noticed they were nicely documented at

http://chemical-facility-security-news.blogspot.com/2014/03/ics-cert-publishes-yokogawa-advisory.html

We apparently never updated with CVE numbers.
2014-05-05 13:25:55 -05:00
William Vu a8915f0ed8
Land #3310, OpenSSH timing attack improvements 2014-05-04 19:47:51 -05:00
Tom Sellers a47b883083 Remove redundant simple.connect
Remove redundant simple.connect. Thanks @jlee-r7
2014-05-02 12:46:50 -05:00
Tom Sellers b2eeaef475 Add admin check to smb_login
The attached updates changes smb_login to detect if the newly discovered user is an administrator.  It is based on code from Brandon McCann "zeknox" submitted in PR #1373, the associated changes, and the newer PR #2656.
The changes should correct a few issues with PR #1373 and #2656 and address Redmine bug #8773.

Specifically it:

 - Fixes the admin detection code by using simple.disconnect(<share>) instead of disconnect()
 - Adds support for detecting if the remote host will allow connects using any domain name when one of the new status codes is returned
 - Dealt with the issue in PR #2656 where the username was prefixed with a '\'


Verification

Be connected to a database
Run this against a machine with a known user and admin user
See that the admin user is reported correctly
See that the non-admin user is reported correctly
Check the output of creds
Select a target that requires a domain in order to authenticate
In the stored credentials, with CHECK_ADMIN enabled, see that the domain name is, in fact, preserved in the reporting

To validate that the remote domain ignores domain value use the following command from a windows system:

net use \\<hostip>\admin$ /user:<random_value>\<username>   <password>
2014-05-02 06:16:21 -05:00
Christian Mehlmauer f7d8a5e3a3 rework the openssl_heartbleed module 2014-05-01 21:43:58 +02:00
jvazquez-r7 d3045814a2 Add print_status messages 2014-05-01 11:05:55 -05:00
jvazquez-r7 cc2e680724 Refactor 2014-05-01 11:04:29 -05:00
jvazquez-r7 28e9057113 Refactor make_payload 2014-05-01 10:23:33 -05:00
jvazquez-r7 bd124c85cb Use metadata format for actions 2014-05-01 09:52:55 -05:00
William Vu 7777202045
Deconflict #3310 and correct the description 2014-04-30 12:02:57 -05:00
jvazquez-r7 9cd6c5ef2b
Land #3297, @Th4nat0s's F6 backends disclosure module 2014-04-30 09:31:37 -05:00
jvazquez-r7 4e80e1c239 Clean up pull request code 2014-04-30 09:31:07 -05:00
Tod Beardsley a5983b5f57
Light touchup on FP checker 2014-04-29 16:14:41 +01:00
Tod Beardsley 88efeea378
Add a false positive check 2014-04-29 16:07:42 +01:00
Arnaud SOULLIE e386855e0e Add ACTIONS descriptions 2014-04-29 16:55:05 +02:00
Tod Beardsley 4d76128937
Merge upstream and deconflict #3310 whitespace 2014-04-29 15:32:32 +01:00
Arnaud SOULLIE 04f2632972 Implement jvazquez-r7 comments 2014-04-29 16:09:47 +02:00
Rich Lundeen 60b9f855b4 Bug with HTTP POST requests (content type sent twice) 2014-04-28 18:44:02 -07:00
jvazquez-r7 4caf03b92f
Land #3301, @nodeofgithub's patch for sercomm module 2014-04-28 17:19:47 -05:00
Thanat0s 70314494ca test nil of port & host 2014-04-28 23:33:01 +02:00
Thanat0s fe3f7fd76a Obey to reviewer.. code fix 2014-04-28 23:26:29 +02:00
Tod Beardsley a6edd94c7f
Just fix refs and desc for release 2014-04-28 19:47:15 +01:00
Tod Beardsley a7e110be9e
Add a peer method, elaborate desc and prints 2014-04-28 19:41:44 +01:00
sinn3r 829b9ff4ff
Land #3308 - Fix smb_login using error_reason 2014-04-28 12:33:24 -05:00
Arnaud SOULLIE a0add34a7d Removed warning message and changed default unit number to 1 2014-04-28 15:47:10 +02:00
Pedro Laguna ab913a533e Update oracle_demantra_file_retrieval.rb
Fixed typo
2014-04-28 14:36:48 +01:00
Arnaud SOULLIE a2ccbf9833 Add read/write capabilities to modbusclient 2014-04-28 15:29:55 +02:00
Zinterax fb39e422aa Fix smb_login calling nonexistent method
When a Rex::Proto::SMB::Exceptions::InvalidWordCount exception is thrown by this module, it attempts to call the nonexistent method error_reason and throws a NoMethodError:

Auxiliary failed: NoMethodError undefined method `error_reason' for #<Rex::Proto::SMB::Exceptions::InvalidWordCount:0x007f48fcda0e48>

This changes uses the built in method get_error to return an error code.

[-] x.x.x.x:445 SMB - [1/1] - \\Domain - FAILED LOGIN (xxxxxxxx) xxxx : xxxxx [STATUS_WAIT_0]
2014-04-28 09:28:29 -04:00
Thanat0s 2396d497d8 move scanner to gather 2014-04-28 12:57:54 +02:00
Thanat0s 3bfa8ea707 Pass msftidy 2014-04-28 12:53:49 +02:00
Thanat0s f34cfefb8f Change hash to array 2014-04-28 12:52:46 +02:00
Thanat0s 6610977e86 add cookie.match and alway return 2014-04-28 12:39:32 +02:00
Thanat0s d5fe8471ed unless id 2014-04-28 12:16:49 +02:00
Thanat0s 328acc44fa Start cleaning as requested 2014-04-28 11:32:46 +02:00
nodeofgithub b80d366bb7 Add filter to output WPA-PSK password on Netgear DG834GT 2014-04-26 15:52:31 +02:00
William Vu c2bb26590c
Land #3250, version handling for Heartbleed server 2014-04-25 00:17:26 -05:00
Ramon de C Valle fd232b1acd Use the protocol version from the handshake
I used the protocol version from the record layer thinking I was using
the protocol version from the handshake. This commit fix this and uses
the protocol version from the handshake instead of from the record layer
as in https://gist.github.com/rcvalle/10335282, which is how it should
have been initially.

Thanks to @wvu-r7 for finding this out!
2014-04-25 01:48:17 -03:00
Christian Mehlmauer ef815ca992
Land #3288, Postgres support for Heartbleed scanner 2014-04-24 18:03:13 +02:00
Spencer McIntyre 9ccb9397e3
Land #3264, throttl and csv output support for module 2014-04-23 19:00:28 -04:00
Spencer McIntyre e2b92a824f Change white space for authors in dns_reverse_lookup 2014-04-23 18:56:27 -04:00
William Vu 15bd92dd50
Fix OpenSSH timing attack module 2014-04-23 10:10:37 -05:00
William Vu 0a108acea3
Fix missing comma
Commas will be the death of me.
2014-04-23 10:10:12 -05:00
William Vu 6d7fde4302
Land #3157, OpenSSH user enumeration timing attack 2014-04-23 10:01:10 -05:00
William Vu 1a2899d57b
Fix up whitespace 'n' stuff 2014-04-23 10:00:34 -05:00
Thanat0s 457c48b89b Error on sleep 2014-04-23 11:38:23 +02:00
Jonathan Claudius d70aa4cdbb Fix MSFTidy complaints 2014-04-22 22:07:25 -04:00
Jonathan Claudius b3cabaaa28 Clean up some formatting concerns 2014-04-22 21:58:14 -04:00
Jonathan Claudius f71ad111da Change return values from nil to false 2014-04-22 21:48:16 -04:00
Jonathan Claudius 3d793fc6f1 Add default VPN group fall back 2014-04-22 21:45:04 -04:00
Jonathan Claudius 4d9ece2f9a Add hyphens and digits to group regex 2014-04-22 21:34:08 -04:00
kenkeiras 96f042110f return is not needed when it's the last lifunction line 2014-04-22 22:33:47 +02:00
kenkeiras c9d8da991a Use Rex.sleep instead of select 2014-04-22 22:33:19 +02:00
kenkeiras d2a558dc85 Removed unused code 2014-04-22 22:33:02 +02:00
Wiesław Kielas 8f6567967d Heartbleed PostgreSQL TLS support improvements 2014-04-22 17:36:06 +02:00
Wiesław Kielas fbe392a896 Add PostgreSQL TLS support to the Heartbleed scanner 2014-04-21 23:27:40 +02:00
Tod Beardsley e514ff3607
Description and print_status fixes for release
@cdoughty-r7, I choose you! Or @wvu-r7.
2014-04-21 14:00:03 -05:00
William Vu 1faf069130
Land #3284, deprecated module cleanup 2014-04-20 23:10:55 -05:00
James Lee ee413ac385
Remove previously deprecated modules 2014-04-20 22:15:44 -05:00
kenkeiras b8e0187647 Use OptPath for file path options 2014-04-18 21:56:17 +02:00
kenkeiras fb0af8a799 Remove unnecesary ssh_socket variable 2014-04-18 21:50:54 +02:00
kenkeiras c875bdadf5 Change THRESHOLD into a datastore option 2014-04-18 21:18:48 +02:00
kenkeiras 8a3329c891 Password made pseudo-random instead of a bunnch of A's 2014-04-18 21:10:34 +02:00
kenkeiras 47ff820a83 Remove unnecesary 'RHOST' deregister 2014-04-18 21:06:46 +02:00
kenkeiras cc2d4f9ed7 Remove unnecesary @good_credentials 2014-04-18 21:03:22 +02:00
William Vu 7d801e3acc
Land #3200, goodbye LORCON modules :( 2014-04-18 12:32:22 -05:00
jvazquez-r7 c4d4af031c
Land #3276, @todb-r7's "make msftidy happy"'s fix 2014-04-18 09:54:52 -05:00
jvazquez-r7 5083143971
Land #3238, @Zinterax's timeout addition in openssl_heartbleed 2014-04-18 09:28:04 -05:00
Tod Beardsley 2a729c84f6
Fix disclosure date 2014-04-18 09:27:41 -05:00
jvazquez-r7 8a011ec9f6
Land #3197, @0x3fcoma's module for CVE-2013-5795 and CVE-2013-5880 2014-04-18 08:58:54 -05:00
jvazquez-r7 f3299e3ced Do minor code cleanup 2014-04-18 08:58:11 -05:00
jvazquez-r7 2366f77226 Clean timeout handling code 2014-04-18 08:16:28 -05:00
Zinterax e38f4cbfa0 Apply response_timeout to get_once, code cleanup
Add response_timeout to get_once

Change timeout output in establish_connect()

Add disconnect ater timeout output

Made establish_connect timeout check more readable
2014-04-18 07:57:33 -04:00
Zinterax fab091ca88 Fix Action => DUMP
Fix for when Action is set to DUMP. Modifed the check to use action.name.

Console output:

msf auxiliary(openssl_heartbleed) > set action DUMP
action => DUMP
msf auxiliary(openssl_heartbleed) > run

[*] 192.168.1.3:443 - Sending Client Hello...
[*] 192.168.1.3:443 - Sending Heartbeat...
[*] 192.168.1.3:443 - Heartbeat response, 17403 bytes
[+] 192.168.1.3:443 - Heartbeat response with leak
[*] 192.168.1.3:443 - Heartbeat data stored in /root/.msf4/loot/20140418070745_default_192.168.1.3_openssl.heartble_135938.bin
[*] 192.168.1.3:443 - Printable info leaked: STUFF STUFF STUFF
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
2014-04-18 07:08:12 -04:00
Zinterax 1cf1616341 Rebase. Add timeout option support
Rebase to account for the KEYS merge.

Modify bleed() to work with timeout option.

Modify establish_connect() to work with timeout option.

Modify loot_and_report() to work with timeout option.

---Test Console Output---

Client Hello Timeout:

msf auxiliary(openssl_heartbleed) > run

[*] 127.0.0.1:443 - Sending Client Hello...
[-] 127.0.0.1:443 - No Client Hello response after 10 seconds...
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Patched Apache:

msf auxiliary(openssl_heartbleed) > run

[*] 127.0.0.1:443 - Sending Client Hello...
[*] 127.0.0.1:443 - Sending Heartbeat...
[-] 127.0.0.1:443 - No Heartbeat response...
[-] 127.0.0.1:443 - Looks like there isn't leaked information...
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Vulnerable Server:

msf auxiliary(openssl_heartbleed) > run

[*] 192.168.1.3:443 - Sending Client Hello...
[*] 192.168.1.3:443 - Sending Heartbeat...
[*] 192.168.1.3:443 - Heartbeat response, 17403 bytes
[+] 192.168.1.3:443 - Heartbeat response with leak
[*] 192.168.1.3:443 - Printable info leaked: STUFF STUFF STUFF
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
2014-04-18 07:04:05 -04:00
Zinterax 021ac53911 remove me 2014-04-18 07:03:36 -04:00
Jonathan Claudius 01d843f78f Handle certificate auth nuances 2014-04-17 20:24:19 -04:00
Jonathan Claudius 6daae961cb Add parameterized requests for detection/enumeration 2014-04-17 19:40:27 -04:00
Tod Beardsley 845108acf6
Looks like an autocorrect ran wild on TLS_CALLBACK
Whoops.
2014-04-17 17:47:47 -05:00
Tod Beardsley 2aa2cb17f3
Reimplement a check. 2014-04-17 17:10:54 -05:00
Tod Beardsley d40ab039e4
Clean up whitespace. Protip: use commit hooks 2014-04-17 16:28:07 -05:00
Tod Beardsley c34d548e50
First, undo #3252. Sorry about that.
undo #3252 completely. This means a reimplementation of @dchan's work,
but his intent was simply to implement a check_host() that doesn't
actually pull memory, so that should be pretty straight forward with the
new structure of the module.
2014-04-17 16:25:15 -05:00
Jeff Jarmoc e3daf6daf7 Singular 'TLS_CALLBACK' option 2014-04-17 15:51:37 -05:00
Jeff Jarmoc 6c832e22d6 rename scan to loot_and_report 2014-04-17 15:47:57 -05:00
Jeff Jarmoc c12eae66b3 Error and return if public key wasn't retrieved. 2014-04-17 15:44:40 -05:00
Jeff Jarmoc 578002e016 KEYS action gets it's own function 2014-04-17 15:39:05 -05:00
Tod Beardsley 5b0b5d9476
Land #3252, check() functionality for Heartbleed 2014-04-17 15:34:35 -05:00
Tod Beardsley a2d6c58374
Changing << to + per @jlee-r7 2014-04-17 15:34:13 -05:00
Jeff Jarmoc 9f30976b83 Heartbleed RSA Keydump
Flattened, merge conflicts resolved, etc.
2014-04-17 14:30:47 -05:00
Jonathan Claudius 7ddd93cf5d Add redirect support to #is_app_ssl_vpn? 2014-04-17 12:06:29 -04:00
Jonathan Claudius 0c5fb8c0c2 Fix bug in group enumeration regex 2014-04-17 10:31:05 -04:00
Christian Mehlmauer 71a650fe6e
Land #3259, XMPP Hostname autodetect by @TomSellers 2014-04-17 08:54:15 +02:00
Tom Sellers 1f452aab48 Code cleanup
Changes requested by wvu-R7
2014-04-17 12:46:25 -05:00
Tom Sellers 9e2285619e Additional cleanup
Whitespace cleanup
2014-04-17 10:46:33 -05:00
Jonathan Claudius f53e7f84b8 Adds Cisco SSL VPN Bruteforce Aux Mod 2014-04-16 22:47:58 -04:00
Tom Sellers ee0d30a1f3 Whitespace fix
Removing extra line feeds
2014-04-16 17:27:39 -05:00
Tom Sellers 92eab6c54b Attribution addition
Per comment from Firefart
2014-04-16 17:26:09 -05:00
Tom Sellers 1f3ec46b8a Heartbleed - Add autodetection of XMPP hostname (round 2)
Add the ability to scrape the hostname from the XMPP error message when connecting to an XMPP (Jabber) server. This allows the connection to get far enough to negotiate a TLS tunnel with STARTTLS. The manually specified domain, if present, will be used first and then the hostname autodetection will kick in if that fails.

This version addresses issues that FireFart (Thanks!) brought up about code quality and connection reliability.
2014-04-16 08:49:45 -05:00
sinn3r 7a4e12976c
First little bit at Bug 8498
[FixRM #8489] rhost/rport modification
2014-04-15 18:20:16 -05:00
sinn3r d7513b0eb2 Handle nil properly when no results are found 2014-04-15 18:19:29 -05:00
Tod Beardsley 9db01770ec
Add custom rhost/rport, remove editorializing desc
Verification:

````
resource (./a.rc)> run
[*] Connecting to FTP server ....
[*] FTP recv: "220 ProFTPD 1.3.3a Server (My FTP server)
[*] Connected to target FTP server.
[*] Authenticating as anonymous with password mozilla@example.com...
[*] FTP send: "USER anonymous\r\n"
[*] FTP recv: "331 Anonymous login ok, send your complete email address
as your password\r\n"
````

...etc.
2014-04-14 21:46:05 -05:00
Tod Beardsley 40a359f312 Include a vhost for Shodan or else it complains
Works now. The rhost option was not keeping the custom vhost option.

````
msf auxiliary(shodan_search) > rexploit
[*] Reloading module...

[*] Total: 13443 on 269 pages. Showing: 1
[*] Country Statistics:
[*] United States (US): 2006
[*] Germany (DE): 1787
[*] Korea, Republic of (KR): 1061
[*]     Italy (IT): 916
[*] Hungary (HU): 604
[*] Collecting data, please WaitUntilAuthEmptyt...

IP Results
==========
````
2014-04-14 21:23:27 -05:00
Tod Beardsley 1436f68955
Fix shodan to not muck with datastore 2014-04-14 21:21:11 -05:00
Tod Beardsley 9035d1523d
Update wol.rb to specify rhost/rport directly
- [ ] Fire up tcpdump on the listening interface
 - [ ] Run the module and see the pcap:

listening on vmnet8, link-type EN10MB (Ethernet), capture size 65535
bytes
20:56:02.592331 IP 192.168.145.1.41547 > 255.255.255.255.9: UDP, length
102
2014-04-14 20:57:20 -05:00
Tom Sellers 0360d1177f Heartbleed - Add autodetection of XMPP hostname
Add the ability to scrape the hostname from the XMPP error message when connecting to an XMPP (Jabber) server.  This allows the connection to get far enough to negotiate a TLS tunnel with STARTTLS.  The manually specified domain, if present, will be used first and then the hostname autodetection will kick in if that fails.
2014-04-14 20:09:21 -05:00
Thanat0s 07ed8d832a Update db 2014-04-15 02:48:55 +02:00
David Chan 1a73206034 Add detection for GnuTLS with with multiple records 2014-04-14 17:09:25 -07:00
Thanat0s fecdbd1781 F5 bigip cookie module 2014-04-15 01:11:17 +02:00
Thanat0s 176204d62d With implemented remarks 2014-04-14 21:11:04 +02:00
Tom Sellers 634a03a852 Update to openssl_heartbleed to deal with SMTP RFC
Added CR character in order to have the commands match SMTP RFC 5321 2.3.8 for line termination. Some SMTP services, such as the Symantec Mail Gateway, require strict compliance or the connection will be dropped with the response  '550 esmtp: protocol deviation'

Reference:
   http://www.symantec.com/business/support/index?page=content&id=TECH96829
   http://tools.ietf.org/html/rfc5321#section-2.3.8
2014-04-14 13:27:33 -05:00