57c4ed51e9
fix mssql incremental modes
2014-06-23 15:37:37 -05:00
1cbc324774
fix up incremental modes
...
those incrmenetal rules don't exist
in all versions. All and Alnum are too long
for a 'fast-mode' crack. We wwill do Digits though
which does all digits 0-8 and gets us blank passwords
for free.
2014-06-23 15:36:17 -05:00
520c82d7fc
deal with blank password in ntlm
2014-06-23 15:32:50 -05:00
c5f2efda18
fixed up casing
2014-06-23 15:26:12 -05:00
b246e66eb8
successfully cracking ntlm hashes
...
still need to handle casing for lm
2014-06-23 14:40:32 -05:00
050091d0dd
Fuzz all 255 possible mode 7 request codes
2014-06-23 11:38:30 -07:00
57cc390681
fix how we save mssql hashes
...
since the 0x prefix is neccisary, just save the hash that way in the first place
2014-06-23 12:38:36 -05:00
c61f59d8a9
make sure to report the realm
2014-06-23 12:08:49 -05:00
dadd959c6a
refactor postgres hash cracking
...
refactored postgres_hashdump to report the creds
it logged in with. added a new jtr module for
dealing with postgres hashes instead of the
crappy old md5 one we had before
2014-06-23 12:02:39 -05:00
a0aca251f5
Land #3472 , releae fixes
2014-06-23 11:41:35 -05:00
0219c4974a
Release fixups, word choice, refs, etc.
2014-06-23 11:17:00 -05:00
40d1ec551e
Add WEP, PSK, and MGT
2014-06-21 23:15:20 -05:00
61f4c769eb
Land #3461 , Chromecast factory reset module
2014-06-21 17:43:31 -04:00
79bf80e6bf
Add generic error handling
...
Just in case a factory reset happens to fail.
2014-06-21 15:35:03 -05:00
469fae7058
Land #3465 , @hmoore-r7's module for SMC IPMI Port 49152 file exposure vulnerability
2014-06-20 17:22:28 -05:00
252d917bbb
Fix msftidy and favor && over and
2014-06-20 17:21:10 -05:00
8cfba5770a
missing require
2014-06-20 15:22:37 -05:00
d80f4d9e67
refactor jtr_mysql_fast and mysql_hashdump
...
have mysql_hashdump report the cred it logged in with
refactor jtr_mysql to use the new jtr cracker
2014-06-20 15:21:35 -05:00
669779defb
SMB cred creation refactor
2014-06-20 15:17:40 -05:00
35c0ef0c68
Merge branch 'feature/MSP-9716/mssql_crack' into staging/electro-release
2014-06-20 12:39:07 -05:00
a929a55404
fix show command parsing
...
this ius better than a regex and handles special charachters
in usernames and passwords far better than the previous way
2014-06-20 10:48:42 -05:00
93da4dc561
account for mssql12 format
...
mssql2012 and later uses a new format. some versions
of john support this and some do not yet
2014-06-19 16:11:14 -05:00
4453dcdc8e
some minor fixes
2014-06-19 15:45:24 -05:00
fa5fc724eb
Fix the disclosure date
2014-06-19 15:36:17 -05:00
f7fd17106a
Add the final cari.net URL
2014-06-19 15:33:06 -05:00
aca532b994
making egypt happy
...
it's a full time job
2014-06-19 15:07:33 -05:00
9421beedb3
Refactor http_login
2014-06-19 14:12:21 -05:00
6f03f6657f
Support only fuzzing specific mode 6 operations
2014-06-19 11:10:11 -07:00
0ff8708e6d
some minor fixes
2014-06-19 13:08:43 -05:00
53352924d2
Merge branch 'staging/electro-release' into feature/MSP-9716/mssql_crack
...
Conflicts:
Gemfile
2014-06-19 12:45:53 -05:00
20f7cde9cc
add incremental and single modes
...
make sure we run single mode and incremnetal modes
during our runs through these hashes.
2014-06-19 12:38:01 -05:00
bb120fd1e2
report access level on mssql_hashdump
...
if we know we have admin access on mssql hashdumop
we should report that on the Login object.
2014-06-19 12:20:42 -05:00
d3c77b345c
report cracked credentials
...
also makes mssql_hashdump report the credentials it logged in with
2014-06-19 12:16:49 -05:00
62f4054858
startring refactor on jtr_mssql
...
started work on the mssql hash cracker
fixed some minor bugs with the underlying mixin
crackers now runs. still have to have the cred objects created
2014-06-18 14:50:08 -05:00
190923e9a7
Merge pull request #79 from rapid7/feature/MSP-9699/axis2-refactor
...
Refactor axis_login
2014-06-18 11:43:23 -05:00
4c3cc793ba
fix missing .present?
2014-06-18 10:52:27 -05:00
58b016202b
Merge branch 'staging/electro-release' into feature/MSP-9709/ssh-pubkey
2014-06-18 10:50:29 -05:00
2b0bb608b1
Merge branch 'master' into staging/electro-release
2014-06-18 10:49:58 -05:00
075eec39e1
Add Chromecast factory reset module
2014-06-18 10:04:17 -05:00
c685e0d06e
Land #3444 , chromecast wifi enumeration
2014-06-17 22:09:58 -04:00
5f176a56cb
Fix typo
2014-06-17 17:16:46 -05:00
d114dd1da2
Fix bugs. :fail != :failed
2014-06-17 17:12:50 -05:00
d6de0da5a7
Refactor axis_login
2014-06-17 17:07:53 -05:00
1394ad1431
Break my double quote habit
...
Doesn't it feel better? C doesn't love me anymore.
2014-06-17 14:22:55 -05:00
8e1949f3c8
Added newline at EOF
2014-06-17 21:03:18 +02:00
8376b4aa2b
Map constants to readable values
...
Thanks, @zeroSteiner and @kernelsmith. :)
2014-06-17 13:10:08 -05:00
6237d56398
Refactor ssh_login_pubkey
...
* Fix a bug in LoginScanner::SSHKey (which was copy-pasted from SSH)
where the ssh_socket accessor was not being set because of a
shadowing local var
* Fix a bug in the db command dispatcher where an extra column was
added to the table, causing an unhandled exception when running the
creds command
* Add a big, ugly, untested class for imitating
Metasploit::Framework::CredentialCollection for ssh keys. This class
continues the current behavoir of silently ignoring files that are a)
encrypted or b) not private keys.
* Remove unnecessary proof gathering in the module (it's already
handled by the LoginScanner class)
2014-06-16 18:38:20 -05:00
1a82a20c09
re-added incorrectly removed SMBSHARE option
2014-06-16 20:10:11 +01:00
8fa81de3bb
Fuzz mode 7 more correctly. Cleanup.
...
Provide empty 188-byte payload for mode 7 messages, otherwise nothing
seems to response. Provide more useful defaults for versions/modes.
Allow control over what mode 7 stuff is fuzzed.
2014-06-16 11:56:27 -07:00
0352a5305c
When fuzzing mode 6 (control) and 7 (private) messages, print out each version tested since these tend to take a long time
2014-06-16 10:31:08 -07:00
28bf9f8d50
Correct order of mixins so RHOSTS works properly
2014-06-16 10:02:27 -07:00
9e5281d0c6
Mixin Msf::Auxiliary::Scanner, switch to run_host to fix DNS lookup issues
2014-06-16 09:58:20 -07:00
2aa26fa290
Minor spacing and word choice fixups
2014-06-16 11:40:21 -05:00
c7c0528e44
Fuzz NTP private messages too
2014-06-15 20:23:33 -07:00
5fe8814af6
Land #3330 adding admin check to smb_login
2014-06-15 14:42:26 -05:00
fa8c9bc4f3
Merge pull request #75 from rapid7/feature/MSP-9692/afp_login
...
MSP-9692 #land
2014-06-13 10:51:26 -05:00
f452652f54
Merge pull request #61 from rapid7/feature/MSP-9708/ssh-bruteforce
...
Functional steps updated and passing, along with specs. Proof being maintained seemed off, but it's not persisted, just used for setting platform.
MSP-9708 #land
2014-06-12 18:37:44 -05:00
d215b8e5b2
Merge pull request #47 from rapid7/feature/MSP-9712/winrm-bruteforce
...
45 merged, steps passing.
MSP-9712 #land
2014-06-12 16:04:17 -05:00
52d63f51bb
Merge pull request #50 from rapid7/feature/MSP-9705/postgres_login
...
Verily verified.
MSP-9705 #land
2014-06-12 15:49:39 -05:00
539f30e720
refactor afp_login
2014-06-12 14:16:05 -05:00
1ab379a0fe
Land #3448 , ident =! indent
2014-06-12 14:15:06 -05:00
e9783200f2
Land #3447 , fix variable typo
2014-06-12 14:07:34 -05:00
96e492f572
Merge branch 'master' into staging/electro-release
2014-06-12 14:02:27 -05:00
cb91b2b094
Fix broken table indent (s/Ident/Indent/ hash key)
2014-06-12 13:41:44 -05:00
a647246148
Use correct variable name
2014-06-12 19:38:41 +01:00
62a4991508
Land #3446 , some code cleanup from @todb-r7
2014-06-12 13:35:36 -05:00
3f5e50d18f
Aux modules don't have ranking.
...
msftidy should have defintely caught this. That it didn't catch on
Travis-CI concerns me. Need to research this.
2014-06-12 13:21:59 -05:00
1aa029dbed
Avoid double quotes in the initialize/elewhere
...
There is no need to have double quotes there for uninterpolated strings,
and every other module uses single quotes.
2014-06-12 13:20:59 -05:00
fe33444858
Merge pull request #58 from rapid7/feature/MSP-9693/db2_auth
...
Errors resolved, cred created
MSP-9693 #land
2014-06-12 12:49:54 -05:00
e85f829ee4
modules living inside scanner should include the Scanner mixin
2014-06-12 12:20:44 -05:00
fa4e835804
Fix up scanner mixin usage, actual test/bug fix
2014-06-12 11:52:34 -05:00
430b3d181e
Merge pull request #67 from rapid7/feature/MSP-9695/ftp_login
...
Access level string clarified, specs passing, valid looking cores with proper info
MSP-9695 #land
2014-06-12 11:33:18 -05:00
71a4f1ab33
Clarified RW access level
...
MSP-9695
2014-06-12 11:32:20 -05:00
67d4097e1d
Land #3271 , @claudijd's Cisco ASA SSL VPN Bruteforce Aux Module
2014-06-12 11:27:23 -05:00
487bf219f0
Rename to match the title
2014-06-12 11:23:34 -05:00
7650067b41
Fix metadata
2014-06-12 11:22:52 -05:00
e76c85c5d1
Fix usage of print_*
2014-06-12 11:13:45 -05:00
e4ff07dfa8
Merge branch 'staging/electro-release' into feature/MSP-9693/db2_auth
2014-06-12 10:52:06 -05:00
88f8b585a3
Merge branch 'staging/electro-release' into feature/MSP-9705/postgres_login
...
Conflicts:
Gemfile
Gemfile.lock
2014-06-12 10:47:02 -05:00
a5d88fd2ab
Space in arg list, because I don't hate feedom.
2014-06-12 10:29:14 -05:00
6bc37cca0c
Land #3430 , @brandonprry's generic MongoDB injection enum.
2014-06-11 21:41:23 -05:00
23f7fe45ed
Add Chromecast wifi enumeration module
2014-06-11 21:00:47 -05:00
c074ebda7b
refactor telnet_login
2014-06-11 17:46:42 -05:00
85bee6ea12
Update ftp_login.rb
2014-06-11 17:29:23 -05:00
cca91dd7c5
Update mongodb_js_inject_collection_enum.rb
...
some @jvennix-r7 fixes
2014-06-11 17:07:57 -05:00
83a2dc250d
make ftp guest attempts optional
2014-06-11 16:37:59 -05:00
c8e1fab6ec
Merge branch 'staging/electro-release' into feature/MSP-9708/ssh-bruteforce
...
Conflicts:
lib/metasploit/framework/credential.rb
2014-06-11 16:28:01 -05:00
b756395eaa
Merge branch 'staging/electro-release' into feature/MSP-9712/winrm-bruteforce
...
Conflicts:
lib/metasploit/framework/credential_collection.rb
spec/lib/metasploit/framework/credential_collection_spec.rb
2014-06-11 16:21:59 -05:00
1164cf5363
refactor ftp_login
...
uses new cred goodness
2014-06-11 16:21:55 -05:00
7ce9114a1e
Initial commit of an NTP fuzzer
2014-06-11 13:46:08 -07:00
87a9ee9a69
Merge pull request #59 from rapid7/feature/MSP-9697/tomcat_login
...
Feature/msp 9697/tomcat login
MSP-9697 #land
2014-06-11 15:35:09 -05:00
81019ed850
Supermicro work
2014-06-11 15:03:54 -05:00
6c0d668f0a
Merge pull request #55 from rapid7/feature/MSP-9701/msssql_login
...
Feature/msp 9701/msssql login
MSP-9701 #land
2014-06-11 13:48:59 -05:00
84aa0d42ed
Merge pull request #57 from rapid7/bug/MSP-10004/rubyzip
...
Trevor added a 0.4.1 tag right before this PR landed, making this unmergable. Pulled in staging/electro-release, specs passing.
2014-06-11 13:48:03 -05:00
1903542683
Merge branch 'staging/electro-release' into bug/MSP-10004/rubyzip
...
Conflicts:
Gemfile
Gemfile.lock
2014-06-11 13:42:26 -05:00
e8752f9c56
Point to correct creds version
2014-06-11 13:38:35 -05:00
651871bd7a
Resolve upstream conflict
2014-06-11 13:34:45 -05:00
9593422f9c
Merge branch 'master' into staging/electro-release
2014-06-11 10:23:56 -05:00
6ca5cf6c26
Add Chromecast YouTube remote control
2014-06-11 00:08:08 -05:00
fb8c1f4c4b
Refactor ssh_login to use LoginScanner stuffs
...
Also, Metasploit::Credential::Creation stuffs.
2014-06-10 17:30:06 -05:00
c06fd21fb1
refactor tomcat_mgr_login
...
uses the new Metasploit::Credential magic now
2014-06-10 15:59:00 -05:00
693c4aae66
make sure we capture realms
...
need to account for the possability of
realms in mssql_login
2014-06-10 14:41:45 -05:00
b05e7fb9ac
Fix require
...
MSP-10004
Change 'zip/zip' to 'zip' to match >= 1.0.0 rubyzip API.
2014-06-10 13:58:07 -05:00
74d376e387
refactor db2_auth module
...
you know what it is
2014-06-10 13:43:07 -05:00
4d923a4809
Update to Rubyzip 1.X API
...
MSP-10004
`require 'zip'` instead of `'zip/zip'` and rename all classes to remove
redundant Zip prefix inside the Zip namespace.
2014-06-10 13:41:42 -05:00
44540e6d00
Land #3437 , CSS Injection MITM scanner
2014-06-10 13:36:35 -05:00
4aa1fee398
Land #3326 , @FireFart's Heartbleed - server response parsing
2014-06-10 13:27:28 -05:00
0c89d6cdce
refactor mssql_login
...
now uses all the Metasploit::Credential goodness
2014-06-10 11:49:08 -05:00
15ceb1e826
put calls in right place it helps
2014-06-10 11:17:19 -05:00
63ec83ea90
missing public
...
missing the public in the invalidate_login call
now fixed
2014-06-10 11:12:17 -05:00
6362eac0b0
add invalidate_login call
2014-06-10 11:11:22 -05:00
e9d9806408
invalidate_login
...
added invalidate_login call
also made to_s on credential drop the @
if there is no realm present
2014-06-10 11:07:15 -05:00
dc590008a7
add invalidate_login call
...
add the new invalidate login call to make sure
we update the status on failed logins appropriately
2014-06-10 10:58:27 -05:00
521284253f
Be more clear about the vuln and impact
2014-06-10 10:29:23 -05:00
9b55f5143a
Add module for CVE-2014-0224
2014-06-09 17:38:11 -05:00
e629fdb47d
Report the realm, too
...
derp
2014-06-09 17:06:56 -05:00
32f87b985c
refactor mysql_login
...
refactor mysql_login to use the new
Metasploit::Credential apradigm
2014-06-09 14:20:58 -05:00
61fd962331
refactor vnc_login
...
refactor for new credential usage
2014-06-09 13:55:24 -05:00
4103f2295b
Missing comma
2014-06-09 13:44:46 -05:00
0e14d77dba
Minor fixup on DTLS module
2014-06-09 13:42:30 -05:00
0e611b5d64
Land #3429 , @jhart-r7's auxiliary module for CVE-2014-0195
2014-06-09 13:34:38 -05:00
ed5d83a41b
Add vulnerability discoverer
2014-06-09 13:25:33 -05:00
daf662b3c0
Do minor cleanup
2014-06-09 13:23:56 -05:00
a4e96d8f59
Merge branch 'master' into staging/electro-release
2014-06-09 13:07:22 -05:00
f8f5691eee
refactor postgres_login module
...
postgres_login now uses all the new components
such as Metasploit::Credential and the LoginScanner
class
2014-06-09 12:59:05 -05:00
1f33566033
Land #3432 , @Meatballs1 sap_soap_rfc_brute_login's clean up
2014-06-09 11:39:52 -05:00
b39b41e29f
Land #3371 , @Meatballs1 fix for sap_mgmt_con_getprocessparameter
2014-06-09 11:25:01 -05:00
06e45e8253
Clean up TLS fragment building
2014-06-09 08:39:30 -07:00
482aa2ea08
Merge branch 'master' into staging/electro-release
2014-06-09 10:27:22 -05:00
099003708c
Land #3422 , SAP Bruterforcer datastore cleanup
2014-06-08 08:42:27 +02:00
4367e8ef0c
Update mongodb_js_inject_collection_enum.rb
...
Fix some logic bugs that caused incorrect results.
2014-06-07 21:03:28 -05:00
dc89621d5c
Update mongodb_js_inject_collection_enum.rb
...
No need to make extra requests. Off by one.
2014-06-07 20:09:00 -05:00
2663af986b
Update mongodb_js_inject_collection_enum.rb
...
This adds a bit more error handling, and better decision making in regards to false responses.
2014-06-07 19:58:12 -05:00
a7a1a2bf3b
Move dtls_fragment_overflow.rb under ssl where it belongs
2014-06-07 12:56:34 -07:00
4071fb332b
Create mongodb_js_inject_collection_enum.rb
...
This module was tested against a small php application I wrote interfacing with MongoDB 2.2.7
https://gist.github.com/brandonprry/c2de8ac2be825007c4de
2014-06-07 11:20:34 -05:00
8637a1fff1
OpenSSL DTLS CVE-2014-0195 POC
2014-06-06 19:24:47 -07:00
fe20e6e1c4
Merge remote-tracking branch 'upstream/master' into soap_brute_fix
...
Conflicts:
modules/auxiliary/scanner/sap/sap_soap_rfc_brute_login.rb
2014-06-07 02:44:16 +01:00
8624ddfc3e
Clean up SAP SOAP RFC Brute Login
...
Honour the user supplied settings
Abort a host on connection error
Check a 200 response for some appropriate data
Let datastore validation handle things like options being present
Be more verbose if needed
Use the HTTPClient more appropriately
2014-06-07 02:34:49 +01:00
b997c2ac1f
Further tidies
2014-06-07 02:00:35 +01:00
ff8e6d2c50
Merge pull request #45 from rapid7/feature/MSP-9988/credential-collection
...
Add a CredCollection class and refactor WinRM bruteforce module
2014-06-06 11:53:28 -05:00
2ee408e9db
Refactor winrm_login with Credentials
2014-06-05 14:26:29 -05:00
8b6e188ba8
Add support for realm in CredentialCollection
...
MSP-9988
2014-06-04 17:03:52 -05:00
4960503a59
fix jtr_format
...
use raw-md5 as that sort of works
2014-06-04 14:10:28 -05:00
30c35907bf
refactor psotgres_hashdump
...
refactor psotgres_hashdump to now save
hashes as Metasploit::Credential objects
2014-06-04 12:21:49 -05:00
d1f7f93e4b
refactor mysql_hashdump
...
mysql_hashdump now uses Metasploit::Credential to
save hashes.
2014-06-04 11:59:47 -05:00
201e6e9866
Merge branch 'feature/MSP-9750/MSSQL_hashdump' into feature/MSP-9751/mysql_hashdump
2014-06-04 11:58:58 -05:00
28bf29980e
Merge branch 'master' into staging/electro-release
2014-06-04 10:21:08 -05:00
d3949b3d6c
refactor mssql_hashdump
...
refactor mssql_hashdump to use Metasploit:Credential
2014-06-03 15:02:59 -05:00
0e3549ebc4
mc brute tidy
2014-06-03 17:27:46 +01:00
b7dc89f569
I prefer "bruteforce" to "brute force" for search
...
Just makes it easier to search for, since it's an industry term of art.
2014-06-02 13:09:46 -05:00
34004908bb
Merge branch 'master' into staging/electro-release
...
Conflicts:
.ruby-version
2014-06-02 11:10:33 -05:00
8bd4e8d30a
Land #3406 , indeces_enum -> indices_enum
2014-06-02 11:06:33 -05:00
74400549a1
Resolve undefined method `get_cookies'
...
Anemone::Page is not a Rex HTTP request/response, and uses the
:cookies method to return an array of cookies.
This resolves the method naming error, though it does break with
Rex naming convention since Anemone still uses a lot non-Rex
methods for working with pages/traffic.
2014-05-30 14:39:51 -04:00
4a1fea7abb
Land #2948 , @juushya's PocketPAD login bruteforce module
2014-05-30 11:47:16 -05:00
b0bdfa7680
Clean up code
2014-05-30 11:44:42 -05:00
fb59221189
Land #2494 , @juushya's etherpadduo login module
2014-05-30 11:35:28 -05:00
d92a7adc68
change module filename
2014-05-30 11:31:49 -05:00
40a103967e
Minor code cleanup
2014-05-30 11:28:37 -05:00
6f330ea190
Add deprecation information
2014-05-29 17:38:01 -05:00
aea0379451
Fix typos
2014-05-29 12:37:51 -05:00
696d2b7e6b
Merge branch 'master' into staging/electro-release
2014-05-29 12:30:32 -05:00
e669324366
Merge pull request #25 from rapid7/feature/MSP-9673/axis2-login-scanner
...
Add axis2 login scanner
2014-05-29 11:22:22 -05:00
53ab2aefaa
Land #3386 , a few datastore msftidy error fixes
2014-05-29 10:44:37 -05:00
8a2236ecbb
Fix the last of the Set-Cookie msftidy warnings
2014-05-29 04:42:49 -05:00
3f86aebabf
Land #3398 , CAPWAP DoS description cleanup
2014-05-28 14:55:22 -05:00
785b53820e
Land #3399 , print_error instead of print_status
2014-05-28 14:53:00 -05:00
05e24326a6
Style compliance
2014-05-28 14:31:34 -05:00
c89cd24621
Rewire some snmp modules to use print_error instead of print_status.
2014-05-28 13:31:00 -05:00
4b5c62ba8d
Dress up CAPWAP DoS desc a little.
2014-05-28 12:19:17 -05:00
55ef5dd484
Land #3115 , @silascutler's module for elasticsearch indeces enumeration
2014-05-27 11:28:34 -05:00
2271afc1a5
Change module filename
2014-05-27 11:25:39 -05:00
3de8beb5fd
Clean code
2014-05-27 11:22:40 -05:00
69e8286838
Fix title
2014-05-27 10:29:32 -05:00
1316365c2f
Fix description
2014-05-27 10:22:39 -05:00
abe1d6ffc7
Land #3190 , @Karmanovskii's module to fingerprint MyBB database
2014-05-27 10:20:24 -05:00
86221de10e
Fix message
2014-05-27 10:18:27 -05:00
b96c2dd0ca
Change module filename
2014-05-27 10:15:39 -05:00
1d8c46155b
Do last code cleaning
2014-05-27 10:14:55 -05:00
352e14c21a
Land #3391 , all vars_get msftidy warning fixes
2014-05-26 23:41:46 -05:00
eacf70af83
Update mybb_get_type_db.rb
...
26.05.2014 23:26
I deleted mimicking IE11
2014-05-26 23:26:28 +04:00
217a14e4d7
Land #3366 , @jholgui's module for CVE-2013-4074
2014-05-25 18:53:30 -05:00
33ba134147
Clean msftidy warnings and metadata
2014-05-25 18:52:01 -05:00
d3c17d8e3e
Delete wireshark_capwap_dos
2014-05-25 18:39:53 -05:00
da0a9f66ea
Resolved all msftidy vars_get warnings
2014-05-25 19:29:39 +02:00
9f166b87f6
Changed the description
2014-05-24 18:58:36 +01:00
71e2d19040
Adapted to auxiliary modules structure
2014-05-24 18:53:10 +01:00
1aee0f3305
Warn if it's not UPPERCASE method (@wchen-r7)
...
See the discussion on f7bfab5a26#3386
2014-05-23 17:10:27 -05:00
9f78bec457
Use normalize_uri (@wchen-r7)
...
Instead of editing the datastore['PATH'], use normalize_uri.
Since the purpose of this module is quite fuzz-like, I didn't want to
apply the normalize_uri to the whole uri -- the original code merely
applied to datastore['PATH'] (which seems like it should be
datastore['URI'] really) and then added on a bunch of other stuff to
test for traversals.
2014-05-23 15:43:50 -05:00
f7bfab5a26
HTTP traversal shouldnt upcase METHOD (@wchen-r7)
...
If the user wants to use downcased or mixed case HTTP methods, heck,
more power to them. If it doesn't work, it doesn't work. No other HTTP
module makes this call.
2014-05-23 15:32:04 -05:00
7f59cf5035
Ora XID HTTP needn't edit DBUSER (@cellabosm)
...
Looks like copypasta artifacts. DBUSER and DBPASS aren't ever set as
options in the module, and the module doesn't include MC's
Exploit::ORACLE mixin. It's also from four years ago and doesn't
report_auth or anything useful like that, but that's out of scope for
this branch.
2014-05-23 15:20:46 -05:00
f189033e8a
OWA bruteforce shouldnt edit datastore (@wchen-r7)
...
This module was written in an era where the defaults for bruteforcing
included a lot of lock-inducing behavior, thus, it was quite serious
about setting datastore options directly. Also, there was apparently a
bug in USER_AS_PASS that this module attempted to avoid by setting the
datastore directly, rather than fixing the bug directly. As far as I
know, this bug has been long since resolved.
2014-05-23 15:08:19 -05:00
fa353e6bd9
Add CVE, IBM ref for SameTime modules
2014-05-22 11:34:04 -05:00
8a9c005f13
Add URL
2014-05-20 17:43:07 -05:00
e26dee5e22
Update mybb_get_type_db.rb
...
19/05/2014
I deleted - #return Exploit::CheckCode::Unknown # necessary ????
2014-05-19 21:32:30 +04:00
a30d6b1f2d
Quick cleanup for sap_icm_urlscan
2014-05-19 09:21:26 -05:00
dc0e649a10
Clean up case statement
2014-05-19 09:21:07 -05:00
bc64e47698
Land #3370 , cleanup for sap_icm_urlscan
2014-05-19 09:16:18 -05:00
0ef2e07012
Minor desc and status updates, cosmetic
2014-05-19 08:59:54 -05:00
6b1e4c3a9d
Show loot and error code
2014-05-19 11:17:58 +01:00
848227e18a
401 should be a valid url
2014-05-19 10:59:38 +01:00
5d96f54410
Be verbose about 307
2014-05-19 10:52:06 +01:00
88b7dc3def
re-add content length
2014-05-19 10:46:47 +01:00
e59f104195
Use unless
2014-05-19 10:41:01 +01:00
a97d9ed54f
Land #3148 , check_urlprefixes for sap_icm_urlscan
2014-05-17 16:10:52 -05:00
dd1a47f31f
Modified sap_icm_urlscan to check for authentication of custom URLs
...
Fixed ruby coding style
2014-05-17 22:47:49 +02:00
06912ac2b6
Update mybb_get_type_db.rb
...
1.Changed "Rex::Proto::Http::Client" to "Msf::Exploit::Remote::HttpClient"
2.changed the name of the variable "_Version_server".
2014-05-17 16:30:29 +04:00
21cf0a162c
Added module to crash capwap dissector in wireshark tool
2014-05-17 11:31:43 +01:00
488c3e6b93
Land #3358 , @jvazquez-r7 Advantech WebAccess 7.1 SQLI module
2014-05-16 21:26:41 +02:00
2012d41b3d
Add origin of the user, and mark web users
2014-05-16 13:51:42 -05:00
4143474da9
Add support for web databases
2014-05-16 11:47:01 -05:00
883d2f14b5
delete debug print_status
2014-05-16 11:13:03 -05:00
ea38a2c6e5
Handle ISO-8859-1 special chars
2014-05-16 11:11:58 -05:00
c9465a8922
Rescue when the recovered info is in a format we can't understand
2014-05-16 08:57:59 -05:00
3c1363b990
Add new SNMP enumeration modules
2014-05-16 08:32:46 -05:00
7ec85c9d3a
Delete blank lines
2014-05-16 01:03:04 -05:00
9091ce443a
Add suport to decode passwords
2014-05-16 00:59:27 -05:00
f9982752f3
Land #3362 , ax rank for aux/dos mods
2014-05-14 15:20:07 -05:00
dc57e31be1
Aux modules don't respect Rank anyway
2014-05-14 15:03:10 -05:00
5b3bb8fb3b
Fix @FireFart's review
2014-05-14 09:00:52 -05:00
cbb84e854c
Update mybb_get_type_db.rb
...
14.05.2014
Eliminated notes jvazquez-r7
2014-05-14 14:56:40 +04:00
de49241195
Land #3185 , regex option validation
2014-05-14 01:27:18 -05:00
df4b832019
Resolved some more Set-Cookie warnings
2014-05-13 22:56:12 +02:00
a7075c7e08
Add module for ZDI-14-077
2014-05-13 14:17:59 -05:00
3f3283ba06
Resolved some msftidy warnings (Set-Cookie)
2014-05-12 21:23:30 +02:00
92a9519fd9
Remove EOL spaces
2014-05-09 18:34:12 -05:00
8c55858eae
Land #3309 , @arnaudsoullie's changes for modblusclient
2014-05-08 10:45:19 -05:00
25f13eac37
Clean a little response parsing
2014-05-08 10:44:53 -05:00
1f3466a3a3
Added Modbus error handling.
...
It now checks for error and displays the appropriate error message.
The only error simulated was "ILLEGAL ADDRESS", don't know how
to test for others.
2014-05-05 23:21:54 +02:00
e8bc89af30
Land #3337 , release fixes
2014-05-05 14:03:48 -05:00
b81f94a229
Land #3336 , @todb-r7's CVEs addition
2014-05-05 13:43:04 -05:00
c6affcd6d3
Fix caps, description on F5 module
...
The product name isn't "Load Balancer" as far as I can tell.
2014-05-05 13:38:53 -05:00
353a50cdd0
Land #3316 , Content-Length fix for http_ntlmrelay
2014-05-05 13:38:36 -05:00
3072c2f08a
Update CVEs for RootedCon Yokogawa modules
...
Noticed they were nicely documented at
http://chemical-facility-security-news.blogspot.com/2014/03/ics-cert-publishes-yokogawa-advisory.html
We apparently never updated with CVE numbers.
2014-05-05 13:25:55 -05:00
a8915f0ed8
Land #3310 , OpenSSH timing attack improvements
2014-05-04 19:47:51 -05:00
a47b883083
Remove redundant simple.connect
...
Remove redundant simple.connect. Thanks @jlee-r7
2014-05-02 12:46:50 -05:00
b2eeaef475
Add admin check to smb_login
...
The attached updates changes smb_login to detect if the newly discovered user is an administrator. It is based on code from Brandon McCann "zeknox" submitted in PR #1373 , the associated changes, and the newer PR #2656 .
The changes should correct a few issues with PR #1373 and #2656 and address Redmine bug #8773 .
Specifically it:
- Fixes the admin detection code by using simple.disconnect(<share>) instead of disconnect()
- Adds support for detecting if the remote host will allow connects using any domain name when one of the new status codes is returned
- Dealt with the issue in PR #2656 where the username was prefixed with a '\'
Verification
Be connected to a database
Run this against a machine with a known user and admin user
See that the admin user is reported correctly
See that the non-admin user is reported correctly
Check the output of creds
Select a target that requires a domain in order to authenticate
In the stored credentials, with CHECK_ADMIN enabled, see that the domain name is, in fact, preserved in the reporting
To validate that the remote domain ignores domain value use the following command from a windows system:
net use \\<hostip>\admin$ /user:<random_value>\<username> <password>
2014-05-02 06:16:21 -05:00
f7d8a5e3a3
rework the openssl_heartbleed module
2014-05-01 21:43:58 +02:00
d3045814a2
Add print_status messages
2014-05-01 11:05:55 -05:00
cc2e680724
Refactor
2014-05-01 11:04:29 -05:00
28e9057113
Refactor make_payload
2014-05-01 10:23:33 -05:00
bd124c85cb
Use metadata format for actions
2014-05-01 09:52:55 -05:00
7777202045
Deconflict #3310 and correct the description
2014-04-30 12:02:57 -05:00
9cd6c5ef2b
Land #3297 , @Th4nat0s's F6 backends disclosure module
2014-04-30 09:31:37 -05:00
4e80e1c239
Clean up pull request code
2014-04-30 09:31:07 -05:00
a5983b5f57
Light touchup on FP checker
2014-04-29 16:14:41 +01:00
88efeea378
Add a false positive check
2014-04-29 16:07:42 +01:00
e386855e0e
Add ACTIONS descriptions
2014-04-29 16:55:05 +02:00
4d76128937
Merge upstream and deconflict #3310 whitespace
2014-04-29 15:32:32 +01:00
04f2632972
Implement jvazquez-r7 comments
2014-04-29 16:09:47 +02:00
60b9f855b4
Bug with HTTP POST requests (content type sent twice)
2014-04-28 18:44:02 -07:00
David Maloney
Jon Hart
William Vu
Tod Beardsley
Spencer McIntyre
jvazquez-r7
James Lee
HD Moore
Christian Mehlmauer
j0hnf
scriptjunkie
Samuel Huckins
Jon Cave
joev
Brandon Perry
Trevor Rosen
Luke Imhoff
Meatballs
RageLtMan
Karmanovskii
JoseMi
sappirate
Arnaud SOULLIE
Tom Sellers
Rich Lundeen