Commit Graph

4842 Commits (2f87c880dfdd585319f3f828f38095562907dde8)

Author SHA1 Message Date
Jon Hart 28bf9f8d50 Correct order of mixins so RHOSTS works properly 2014-06-16 10:02:27 -07:00
Jon Hart 9e5281d0c6 Mixin Msf::Auxiliary::Scanner, switch to run_host to fix DNS lookup issues 2014-06-16 09:58:20 -07:00
Tod Beardsley 2aa26fa290
Minor spacing and word choice fixups 2014-06-16 11:40:21 -05:00
Jon Hart c7c0528e44 Fuzz NTP private messages too 2014-06-15 20:23:33 -07:00
scriptjunkie 5fe8814af6
Land #3330 adding admin check to smb_login 2014-06-15 14:42:26 -05:00
Samuel Huckins fa8c9bc4f3 Merge pull request #75 from rapid7/feature/MSP-9692/afp_login
MSP-9692 #land
2014-06-13 10:51:26 -05:00
Samuel Huckins f452652f54 Merge pull request #61 from rapid7/feature/MSP-9708/ssh-bruteforce
Functional steps updated and passing, along with specs. Proof being maintained seemed off, but it's not persisted, just used for setting platform.

MSP-9708 #land
2014-06-12 18:37:44 -05:00
Samuel Huckins d215b8e5b2 Merge pull request #47 from rapid7/feature/MSP-9712/winrm-bruteforce
45 merged, steps passing.

MSP-9712 #land
2014-06-12 16:04:17 -05:00
Samuel Huckins 52d63f51bb Merge pull request #50 from rapid7/feature/MSP-9705/postgres_login
Verily verified.

MSP-9705 #land
2014-06-12 15:49:39 -05:00
David Maloney 539f30e720
refactor afp_login 2014-06-12 14:16:05 -05:00
Tod Beardsley 1ab379a0fe
Land #3448, ident =! indent 2014-06-12 14:15:06 -05:00
Tod Beardsley e9783200f2
Land #3447, fix variable typo 2014-06-12 14:07:34 -05:00
David Maloney 96e492f572
Merge branch 'master' into staging/electro-release 2014-06-12 14:02:27 -05:00
William Vu cb91b2b094
Fix broken table indent (s/Ident/Indent/ hash key) 2014-06-12 13:41:44 -05:00
Jon Cave a647246148 Use correct variable name 2014-06-12 19:38:41 +01:00
William Vu 62a4991508
Land #3446, some code cleanup from @todb-r7 2014-06-12 13:35:36 -05:00
Tod Beardsley 3f5e50d18f
Aux modules don't have ranking.
msftidy should have defintely caught this. That it didn't catch on
Travis-CI concerns me. Need to research this.
2014-06-12 13:21:59 -05:00
Tod Beardsley 1aa029dbed
Avoid double quotes in the initialize/elewhere
There is no need to have double quotes there for uninterpolated strings,
and every other module uses single quotes.
2014-06-12 13:20:59 -05:00
Samuel Huckins fe33444858 Merge pull request #58 from rapid7/feature/MSP-9693/db2_auth
Errors resolved, cred created

MSP-9693 #land
2014-06-12 12:49:54 -05:00
jvazquez-r7 e85f829ee4 modules living inside scanner should include the Scanner mixin 2014-06-12 12:20:44 -05:00
HD Moore fa4e835804 Fix up scanner mixin usage, actual test/bug fix 2014-06-12 11:52:34 -05:00
Samuel Huckins 430b3d181e Merge pull request #67 from rapid7/feature/MSP-9695/ftp_login
Access level string clarified, specs passing, valid looking cores with proper info

MSP-9695 #land
2014-06-12 11:33:18 -05:00
Samuel Huckins 71a4f1ab33
Clarified RW access level
MSP-9695
2014-06-12 11:32:20 -05:00
jvazquez-r7 67d4097e1d
Land #3271, @claudijd's Cisco ASA SSL VPN Bruteforce Aux Module 2014-06-12 11:27:23 -05:00
HD Moore 487bf219f0 Rename to match the title 2014-06-12 11:23:34 -05:00
jvazquez-r7 7650067b41 Fix metadata 2014-06-12 11:22:52 -05:00
jvazquez-r7 e76c85c5d1 Fix usage of print_* 2014-06-12 11:13:45 -05:00
David Maloney e4ff07dfa8
Merge branch 'staging/electro-release' into feature/MSP-9693/db2_auth 2014-06-12 10:52:06 -05:00
David Maloney 88f8b585a3
Merge branch 'staging/electro-release' into feature/MSP-9705/postgres_login
Conflicts:
	Gemfile
	Gemfile.lock
2014-06-12 10:47:02 -05:00
Samuel Huckins a5d88fd2ab
Space in arg list, because I don't hate feedom. 2014-06-12 10:29:14 -05:00
joev 6bc37cca0c
Land #3430, @brandonprry's generic MongoDB injection enum. 2014-06-11 21:41:23 -05:00
William Vu 23f7fe45ed
Add Chromecast wifi enumeration module 2014-06-11 21:00:47 -05:00
David Maloney c074ebda7b
refactor telnet_login 2014-06-11 17:46:42 -05:00
dmaloney-r7 85bee6ea12 Update ftp_login.rb 2014-06-11 17:29:23 -05:00
Brandon Perry cca91dd7c5 Update mongodb_js_inject_collection_enum.rb
some @jvennix-r7 fixes
2014-06-11 17:07:57 -05:00
David Maloney 83a2dc250d
make ftp guest attempts optional 2014-06-11 16:37:59 -05:00
James Lee c8e1fab6ec
Merge branch 'staging/electro-release' into feature/MSP-9708/ssh-bruteforce
Conflicts:
	lib/metasploit/framework/credential.rb
2014-06-11 16:28:01 -05:00
James Lee b756395eaa
Merge branch 'staging/electro-release' into feature/MSP-9712/winrm-bruteforce
Conflicts:
	lib/metasploit/framework/credential_collection.rb
	spec/lib/metasploit/framework/credential_collection_spec.rb
2014-06-11 16:21:59 -05:00
David Maloney 1164cf5363
refactor ftp_login
uses new cred goodness
2014-06-11 16:21:55 -05:00
Jon Hart 7ce9114a1e Initial commit of an NTP fuzzer 2014-06-11 13:46:08 -07:00
Trevor Rosen 87a9ee9a69 Merge pull request #59 from rapid7/feature/MSP-9697/tomcat_login
Feature/msp 9697/tomcat login

MSP-9697 #land
2014-06-11 15:35:09 -05:00
HD Moore 81019ed850 Supermicro work 2014-06-11 15:03:54 -05:00
Trevor Rosen 6c0d668f0a Merge pull request #55 from rapid7/feature/MSP-9701/msssql_login
Feature/msp 9701/msssql login

MSP-9701 #land
2014-06-11 13:48:59 -05:00
Samuel Huckins 84aa0d42ed Merge pull request #57 from rapid7/bug/MSP-10004/rubyzip
Trevor added a 0.4.1 tag right before this PR landed, making this unmergable. Pulled in staging/electro-release, specs passing.
2014-06-11 13:48:03 -05:00
Samuel Huckins 1903542683
Merge branch 'staging/electro-release' into bug/MSP-10004/rubyzip
Conflicts:
	Gemfile
	Gemfile.lock
2014-06-11 13:42:26 -05:00
Trevor Rosen e8752f9c56 Point to correct creds version 2014-06-11 13:38:35 -05:00
Trevor Rosen 651871bd7a Resolve upstream conflict 2014-06-11 13:34:45 -05:00
David Maloney 9593422f9c
Merge branch 'master' into staging/electro-release 2014-06-11 10:23:56 -05:00
William Vu 6ca5cf6c26
Add Chromecast YouTube remote control 2014-06-11 00:08:08 -05:00
James Lee fb8c1f4c4b
Refactor ssh_login to use LoginScanner stuffs
Also, Metasploit::Credential::Creation stuffs.
2014-06-10 17:30:06 -05:00
David Maloney c06fd21fb1
refactor tomcat_mgr_login
uses the new Metasploit::Credential magic now
2014-06-10 15:59:00 -05:00
David Maloney 693c4aae66
make sure we capture realms
need to account for the possability of
realms in mssql_login
2014-06-10 14:41:45 -05:00
Luke Imhoff b05e7fb9ac
Fix require
MSP-10004

Change 'zip/zip' to 'zip' to match >= 1.0.0 rubyzip API.
2014-06-10 13:58:07 -05:00
David Maloney 74d376e387
refactor db2_auth module
you know what it is
2014-06-10 13:43:07 -05:00
Luke Imhoff 4d923a4809
Update to Rubyzip 1.X API
MSP-10004

`require 'zip'` instead of `'zip/zip'` and rename all classes to remove
redundant Zip prefix inside the Zip namespace.
2014-06-10 13:41:42 -05:00
Tod Beardsley 44540e6d00
Land #3437, CSS Injection MITM scanner 2014-06-10 13:36:35 -05:00
jvazquez-r7 4aa1fee398 Land #3326, @FireFart's Heartbleed - server response parsing 2014-06-10 13:27:28 -05:00
David Maloney 0c89d6cdce
refactor mssql_login
now uses all the Metasploit::Credential goodness
2014-06-10 11:49:08 -05:00
David Maloney 15ceb1e826
put calls in right place it helps 2014-06-10 11:17:19 -05:00
David Maloney 63ec83ea90
missing public
missing the public in the invalidate_login call
now fixed
2014-06-10 11:12:17 -05:00
David Maloney 6362eac0b0
add invalidate_login call 2014-06-10 11:11:22 -05:00
David Maloney e9d9806408
invalidate_login
added invalidate_login call
also made to_s on credential drop the @
if there is no realm present
2014-06-10 11:07:15 -05:00
David Maloney dc590008a7
add invalidate_login call
add the new invalidate login call to make sure
we update the status on failed logins appropriately
2014-06-10 10:58:27 -05:00
Tod Beardsley 521284253f
Be more clear about the vuln and impact 2014-06-10 10:29:23 -05:00
jvazquez-r7 9b55f5143a Add module for CVE-2014-0224 2014-06-09 17:38:11 -05:00
James Lee e629fdb47d
Report the realm, too
derp
2014-06-09 17:06:56 -05:00
David Maloney 32f87b985c
refactor mysql_login
refactor mysql_login to use the new
Metasploit::Credential apradigm
2014-06-09 14:20:58 -05:00
David Maloney 61fd962331
refactor vnc_login
refactor for new credential usage
2014-06-09 13:55:24 -05:00
Tod Beardsley 4103f2295b
Missing comma 2014-06-09 13:44:46 -05:00
Tod Beardsley 0e14d77dba
Minor fixup on DTLS module 2014-06-09 13:42:30 -05:00
jvazquez-r7 0e611b5d64
Land #3429, @jhart-r7's auxiliary module for CVE-2014-0195 2014-06-09 13:34:38 -05:00
jvazquez-r7 ed5d83a41b Add vulnerability discoverer 2014-06-09 13:25:33 -05:00
jvazquez-r7 daf662b3c0 Do minor cleanup 2014-06-09 13:23:56 -05:00
David Maloney a4e96d8f59
Merge branch 'master' into staging/electro-release 2014-06-09 13:07:22 -05:00
David Maloney f8f5691eee
refactor postgres_login module
postgres_login now uses all the new components
such as Metasploit::Credential and the LoginScanner
class
2014-06-09 12:59:05 -05:00
jvazquez-r7 1f33566033
Land #3432, @Meatballs1 sap_soap_rfc_brute_login's clean up 2014-06-09 11:39:52 -05:00
jvazquez-r7 b39b41e29f
Land #3371, @Meatballs1 fix for sap_mgmt_con_getprocessparameter 2014-06-09 11:25:01 -05:00
Jon Hart 06e45e8253 Clean up TLS fragment building 2014-06-09 08:39:30 -07:00
David Maloney 482aa2ea08
Merge branch 'master' into staging/electro-release 2014-06-09 10:27:22 -05:00
Christian Mehlmauer 099003708c
Land #3422, SAP Bruterforcer datastore cleanup 2014-06-08 08:42:27 +02:00
Brandon Perry 4367e8ef0c Update mongodb_js_inject_collection_enum.rb
Fix some logic bugs that caused incorrect results.
2014-06-07 21:03:28 -05:00
Brandon Perry dc89621d5c Update mongodb_js_inject_collection_enum.rb
No need to make extra requests. Off by one.
2014-06-07 20:09:00 -05:00
Brandon Perry 2663af986b Update mongodb_js_inject_collection_enum.rb
This adds a bit more error handling, and better decision making in regards to false responses.
2014-06-07 19:58:12 -05:00
Jon Hart a7a1a2bf3b Move dtls_fragment_overflow.rb under ssl where it belongs 2014-06-07 12:56:34 -07:00
Brandon Perry 4071fb332b Create mongodb_js_inject_collection_enum.rb
This module was tested against a small php application I wrote interfacing with MongoDB 2.2.7

https://gist.github.com/brandonprry/c2de8ac2be825007c4de
2014-06-07 11:20:34 -05:00
Jon Hart 8637a1fff1 OpenSSL DTLS CVE-2014-0195 POC 2014-06-06 19:24:47 -07:00
Meatballs fe20e6e1c4
Merge remote-tracking branch 'upstream/master' into soap_brute_fix
Conflicts:
	modules/auxiliary/scanner/sap/sap_soap_rfc_brute_login.rb
2014-06-07 02:44:16 +01:00
Meatballs 8624ddfc3e
Clean up SAP SOAP RFC Brute Login
Honour the user supplied settings
Abort a host on connection error
Check a 200 response for some appropriate data
Let datastore validation handle things like options being present
Be more verbose if needed
Use the HTTPClient more appropriately
2014-06-07 02:34:49 +01:00
Meatballs b997c2ac1f
Further tidies 2014-06-07 02:00:35 +01:00
dmaloney-r7 ff8e6d2c50 Merge pull request #45 from rapid7/feature/MSP-9988/credential-collection
Add a CredCollection class and refactor WinRM bruteforce module
2014-06-06 11:53:28 -05:00
James Lee 2ee408e9db
Refactor winrm_login with Credentials 2014-06-05 14:26:29 -05:00
James Lee 8b6e188ba8
Add support for realm in CredentialCollection
MSP-9988
2014-06-04 17:03:52 -05:00
David Maloney 4960503a59
fix jtr_format
use raw-md5 as that sort of works
2014-06-04 14:10:28 -05:00
David Maloney 30c35907bf
refactor psotgres_hashdump
refactor psotgres_hashdump to now save
hashes as Metasploit::Credential objects
2014-06-04 12:21:49 -05:00
David Maloney d1f7f93e4b
refactor mysql_hashdump
mysql_hashdump now uses Metasploit::Credential to
save hashes.
2014-06-04 11:59:47 -05:00
David Maloney 201e6e9866
Merge branch 'feature/MSP-9750/MSSQL_hashdump' into feature/MSP-9751/mysql_hashdump 2014-06-04 11:58:58 -05:00
David Maloney 28bf29980e
Merge branch 'master' into staging/electro-release 2014-06-04 10:21:08 -05:00
David Maloney d3949b3d6c
refactor mssql_hashdump
refactor mssql_hashdump to use Metasploit:Credential
2014-06-03 15:02:59 -05:00
Meatballs 0e3549ebc4
mc brute tidy 2014-06-03 17:27:46 +01:00
Tod Beardsley b7dc89f569
I prefer "bruteforce" to "brute force" for search
Just makes it easier to search for, since it's an industry term of art.
2014-06-02 13:09:46 -05:00
David Maloney 34004908bb
Merge branch 'master' into staging/electro-release
Conflicts:
	.ruby-version
2014-06-02 11:10:33 -05:00
William Vu 8bd4e8d30a
Land #3406, indeces_enum -> indices_enum 2014-06-02 11:06:33 -05:00
RageLtMan 74400549a1 Resolve undefined method `get_cookies'
Anemone::Page is not a Rex HTTP request/response, and uses the
:cookies method to return an array of cookies.
This resolves the method naming error, though it does break with
Rex naming convention since Anemone still uses a lot non-Rex
methods for working with pages/traffic.
2014-05-30 14:39:51 -04:00
jvazquez-r7 4a1fea7abb
Land #2948, @juushya's PocketPAD login bruteforce module 2014-05-30 11:47:16 -05:00
jvazquez-r7 b0bdfa7680 Clean up code 2014-05-30 11:44:42 -05:00
jvazquez-r7 fb59221189
Land #2494, @juushya's etherpadduo login module 2014-05-30 11:35:28 -05:00
jvazquez-r7 d92a7adc68 change module filename 2014-05-30 11:31:49 -05:00
jvazquez-r7 40a103967e Minor code cleanup 2014-05-30 11:28:37 -05:00
jvazquez-r7 6f330ea190 Add deprecation information 2014-05-29 17:38:01 -05:00
jvazquez-r7 aea0379451 Fix typos 2014-05-29 12:37:51 -05:00
David Maloney 696d2b7e6b
Merge branch 'master' into staging/electro-release 2014-05-29 12:30:32 -05:00
dmaloney-r7 e669324366 Merge pull request #25 from rapid7/feature/MSP-9673/axis2-login-scanner
Add axis2 login scanner
2014-05-29 11:22:22 -05:00
William Vu 53ab2aefaa
Land #3386, a few datastore msftidy error fixes 2014-05-29 10:44:37 -05:00
William Vu 8a2236ecbb
Fix the last of the Set-Cookie msftidy warnings 2014-05-29 04:42:49 -05:00
William Vu 3f86aebabf
Land #3398, CAPWAP DoS description cleanup 2014-05-28 14:55:22 -05:00
William Vu 785b53820e
Land #3399, print_error instead of print_status 2014-05-28 14:53:00 -05:00
James Lee 05e24326a6
Style compliance 2014-05-28 14:31:34 -05:00
joev c89cd24621 Rewire some snmp modules to use print_error instead of print_status. 2014-05-28 13:31:00 -05:00
Tod Beardsley 4b5c62ba8d
Dress up CAPWAP DoS desc a little. 2014-05-28 12:19:17 -05:00
jvazquez-r7 55ef5dd484
Land #3115, @silascutler's module for elasticsearch indeces enumeration 2014-05-27 11:28:34 -05:00
jvazquez-r7 2271afc1a5 Change module filename 2014-05-27 11:25:39 -05:00
jvazquez-r7 3de8beb5fd Clean code 2014-05-27 11:22:40 -05:00
jvazquez-r7 69e8286838 Fix title 2014-05-27 10:29:32 -05:00
jvazquez-r7 1316365c2f Fix description 2014-05-27 10:22:39 -05:00
jvazquez-r7 abe1d6ffc7
Land #3190, @Karmanovskii's module to fingerprint MyBB database 2014-05-27 10:20:24 -05:00
jvazquez-r7 86221de10e Fix message 2014-05-27 10:18:27 -05:00
jvazquez-r7 b96c2dd0ca Change module filename 2014-05-27 10:15:39 -05:00
jvazquez-r7 1d8c46155b Do last code cleaning 2014-05-27 10:14:55 -05:00
William Vu 352e14c21a
Land #3391, all vars_get msftidy warning fixes 2014-05-26 23:41:46 -05:00
Karmanovskii eacf70af83 Update mybb_get_type_db.rb
26.05.2014  23:26
I deleted mimicking IE11
2014-05-26 23:26:28 +04:00
jvazquez-r7 217a14e4d7
Land #3366, @jholgui's module for CVE-2013-4074 2014-05-25 18:53:30 -05:00
jvazquez-r7 33ba134147 Clean msftidy warnings and metadata 2014-05-25 18:52:01 -05:00
jvazquez-r7 d3c17d8e3e Delete wireshark_capwap_dos 2014-05-25 18:39:53 -05:00
Christian Mehlmauer da0a9f66ea
Resolved all msftidy vars_get warnings 2014-05-25 19:29:39 +02:00
JoseMi 9f166b87f6 Changed the description 2014-05-24 18:58:36 +01:00
JoseMi 71e2d19040 Adapted to auxiliary modules structure 2014-05-24 18:53:10 +01:00
Tod Beardsley 1aee0f3305
Warn if it's not UPPERCASE method (@wchen-r7)
See the discussion on f7bfab5a26, PR #3386
2014-05-23 17:10:27 -05:00
Tod Beardsley 9f78bec457
Use normalize_uri (@wchen-r7)
Instead of editing the datastore['PATH'], use normalize_uri.

Since the purpose of this module is quite fuzz-like, I didn't want to
apply the normalize_uri to the whole uri -- the original code merely
applied to datastore['PATH'] (which seems like it should be
datastore['URI'] really) and then added on a bunch of other stuff to
test for traversals.
2014-05-23 15:43:50 -05:00
Tod Beardsley f7bfab5a26
HTTP traversal shouldnt upcase METHOD (@wchen-r7)
If the user wants to use downcased or mixed case HTTP methods, heck,
more power to them. If it doesn't work, it doesn't work. No other HTTP
module makes this call.
2014-05-23 15:32:04 -05:00
Tod Beardsley 7f59cf5035
Ora XID HTTP needn't edit DBUSER (@cellabosm)
Looks like copypasta artifacts. DBUSER and DBPASS aren't ever set as
options in the module, and the module doesn't include MC's
Exploit::ORACLE mixin. It's also from four years ago and doesn't
report_auth or anything useful like that, but that's out of scope for
this branch.
2014-05-23 15:20:46 -05:00
Tod Beardsley f189033e8a
OWA bruteforce shouldnt edit datastore (@wchen-r7)
This module was written in an era where the defaults for bruteforcing
included a lot of lock-inducing behavior, thus, it was quite serious
about setting datastore options directly. Also, there was apparently a
bug in USER_AS_PASS that this module attempted to avoid by setting the
datastore directly, rather than fixing the bug directly. As far as I
know, this bug has been long since resolved.
2014-05-23 15:08:19 -05:00
Tod Beardsley fa353e6bd9
Add CVE, IBM ref for SameTime modules 2014-05-22 11:34:04 -05:00
jvazquez-r7 8a9c005f13 Add URL 2014-05-20 17:43:07 -05:00
Karmanovskii e26dee5e22 Update mybb_get_type_db.rb
19/05/2014
I deleted      -     #return Exploit::CheckCode::Unknown  # necessary ????
2014-05-19 21:32:30 +04:00
William Vu a30d6b1f2d
Quick cleanup for sap_icm_urlscan 2014-05-19 09:21:26 -05:00
William Vu dc0e649a10
Clean up case statement 2014-05-19 09:21:07 -05:00
William Vu bc64e47698
Land #3370, cleanup for sap_icm_urlscan 2014-05-19 09:16:18 -05:00
Tod Beardsley 0ef2e07012
Minor desc and status updates, cosmetic 2014-05-19 08:59:54 -05:00
Meatballs 6b1e4c3a9d
Show loot and error code 2014-05-19 11:17:58 +01:00
Meatballs 848227e18a
401 should be a valid url 2014-05-19 10:59:38 +01:00
Meatballs 5d96f54410
Be verbose about 307 2014-05-19 10:52:06 +01:00
Meatballs 88b7dc3def
re-add content length 2014-05-19 10:46:47 +01:00
Meatballs e59f104195
Use unless 2014-05-19 10:41:01 +01:00
William Vu a97d9ed54f
Land #3148, check_urlprefixes for sap_icm_urlscan 2014-05-17 16:10:52 -05:00
sappirate dd1a47f31f Modified sap_icm_urlscan to check for authentication of custom URLs
Fixed ruby coding style
2014-05-17 22:47:49 +02:00
Karmanovskii 06912ac2b6 Update mybb_get_type_db.rb
1.Changed "Rex::Proto::Http::Client" to "Msf::Exploit::Remote::HttpClient"
2.changed the name of the variable "_Version_server".
2014-05-17 16:30:29 +04:00
JoseMi 21cf0a162c Added module to crash capwap dissector in wireshark tool 2014-05-17 11:31:43 +01:00
Christian Mehlmauer 488c3e6b93
Land #3358, @jvazquez-r7 Advantech WebAccess 7.1 SQLI module 2014-05-16 21:26:41 +02:00
jvazquez-r7 2012d41b3d Add origin of the user, and mark web users 2014-05-16 13:51:42 -05:00
jvazquez-r7 4143474da9 Add support for web databases 2014-05-16 11:47:01 -05:00
jvazquez-r7 883d2f14b5 delete debug print_status 2014-05-16 11:13:03 -05:00
jvazquez-r7 ea38a2c6e5 Handle ISO-8859-1 special chars 2014-05-16 11:11:58 -05:00
jvazquez-r7 c9465a8922 Rescue when the recovered info is in a format we can't understand 2014-05-16 08:57:59 -05:00
Tod Beardsley 3c1363b990
Add new SNMP enumeration modules 2014-05-16 08:32:46 -05:00
jvazquez-r7 7ec85c9d3a Delete blank lines 2014-05-16 01:03:04 -05:00
jvazquez-r7 9091ce443a Add suport to decode passwords 2014-05-16 00:59:27 -05:00
William Vu f9982752f3
Land #3362, ax rank for aux/dos mods 2014-05-14 15:20:07 -05:00
Tod Beardsley dc57e31be1
Aux modules don't respect Rank anyway 2014-05-14 15:03:10 -05:00
jvazquez-r7 5b3bb8fb3b Fix @FireFart's review 2014-05-14 09:00:52 -05:00
Karmanovskii cbb84e854c Update mybb_get_type_db.rb
14.05.2014
Eliminated notes jvazquez-r7
2014-05-14 14:56:40 +04:00
William Vu de49241195
Land #3185, regex option validation 2014-05-14 01:27:18 -05:00
Christian Mehlmauer df4b832019
Resolved some more Set-Cookie warnings 2014-05-13 22:56:12 +02:00
jvazquez-r7 a7075c7e08 Add module for ZDI-14-077 2014-05-13 14:17:59 -05:00
Christian Mehlmauer 3f3283ba06
Resolved some msftidy warnings (Set-Cookie) 2014-05-12 21:23:30 +02:00
William Vu 92a9519fd9
Remove EOL spaces 2014-05-09 18:34:12 -05:00
jvazquez-r7 8c55858eae
Land #3309, @arnaudsoullie's changes for modblusclient 2014-05-08 10:45:19 -05:00
jvazquez-r7 25f13eac37 Clean a little response parsing 2014-05-08 10:44:53 -05:00
Arnaud SOULLIE 1f3466a3a3 Added Modbus error handling.
It now checks for error and displays the appropriate error message.
The only error simulated was "ILLEGAL ADDRESS", don't know how
to test for others.
2014-05-05 23:21:54 +02:00
William Vu e8bc89af30
Land #3337, release fixes 2014-05-05 14:03:48 -05:00
jvazquez-r7 b81f94a229
Land #3336, @todb-r7's CVEs addition 2014-05-05 13:43:04 -05:00
Tod Beardsley c6affcd6d3
Fix caps, description on F5 module
The product name isn't "Load Balancer" as far as I can tell.
2014-05-05 13:38:53 -05:00
William Vu 353a50cdd0
Land #3316, Content-Length fix for http_ntlmrelay 2014-05-05 13:38:36 -05:00
Tod Beardsley 3072c2f08a
Update CVEs for RootedCon Yokogawa modules
Noticed they were nicely documented at

http://chemical-facility-security-news.blogspot.com/2014/03/ics-cert-publishes-yokogawa-advisory.html

We apparently never updated with CVE numbers.
2014-05-05 13:25:55 -05:00
William Vu a8915f0ed8
Land #3310, OpenSSH timing attack improvements 2014-05-04 19:47:51 -05:00
Tom Sellers a47b883083 Remove redundant simple.connect
Remove redundant simple.connect. Thanks @jlee-r7
2014-05-02 12:46:50 -05:00
Tom Sellers b2eeaef475 Add admin check to smb_login
The attached updates changes smb_login to detect if the newly discovered user is an administrator.  It is based on code from Brandon McCann "zeknox" submitted in PR #1373, the associated changes, and the newer PR #2656.
The changes should correct a few issues with PR #1373 and #2656 and address Redmine bug #8773.

Specifically it:

 - Fixes the admin detection code by using simple.disconnect(<share>) instead of disconnect()
 - Adds support for detecting if the remote host will allow connects using any domain name when one of the new status codes is returned
 - Dealt with the issue in PR #2656 where the username was prefixed with a '\'


Verification

Be connected to a database
Run this against a machine with a known user and admin user
See that the admin user is reported correctly
See that the non-admin user is reported correctly
Check the output of creds
Select a target that requires a domain in order to authenticate
In the stored credentials, with CHECK_ADMIN enabled, see that the domain name is, in fact, preserved in the reporting

To validate that the remote domain ignores domain value use the following command from a windows system:

net use \\<hostip>\admin$ /user:<random_value>\<username>   <password>
2014-05-02 06:16:21 -05:00
Christian Mehlmauer f7d8a5e3a3 rework the openssl_heartbleed module 2014-05-01 21:43:58 +02:00
jvazquez-r7 d3045814a2 Add print_status messages 2014-05-01 11:05:55 -05:00
jvazquez-r7 cc2e680724 Refactor 2014-05-01 11:04:29 -05:00
jvazquez-r7 28e9057113 Refactor make_payload 2014-05-01 10:23:33 -05:00
jvazquez-r7 bd124c85cb Use metadata format for actions 2014-05-01 09:52:55 -05:00
William Vu 7777202045
Deconflict #3310 and correct the description 2014-04-30 12:02:57 -05:00
jvazquez-r7 9cd6c5ef2b
Land #3297, @Th4nat0s's F6 backends disclosure module 2014-04-30 09:31:37 -05:00
jvazquez-r7 4e80e1c239 Clean up pull request code 2014-04-30 09:31:07 -05:00
Tod Beardsley a5983b5f57
Light touchup on FP checker 2014-04-29 16:14:41 +01:00
Tod Beardsley 88efeea378
Add a false positive check 2014-04-29 16:07:42 +01:00
Arnaud SOULLIE e386855e0e Add ACTIONS descriptions 2014-04-29 16:55:05 +02:00
Tod Beardsley 4d76128937
Merge upstream and deconflict #3310 whitespace 2014-04-29 15:32:32 +01:00
Arnaud SOULLIE 04f2632972 Implement jvazquez-r7 comments 2014-04-29 16:09:47 +02:00
Rich Lundeen 60b9f855b4 Bug with HTTP POST requests (content type sent twice) 2014-04-28 18:44:02 -07:00
jvazquez-r7 4caf03b92f
Land #3301, @nodeofgithub's patch for sercomm module 2014-04-28 17:19:47 -05:00
Thanat0s 70314494ca test nil of port & host 2014-04-28 23:33:01 +02:00
Thanat0s fe3f7fd76a Obey to reviewer.. code fix 2014-04-28 23:26:29 +02:00
Tod Beardsley a6edd94c7f
Just fix refs and desc for release 2014-04-28 19:47:15 +01:00
Tod Beardsley a7e110be9e
Add a peer method, elaborate desc and prints 2014-04-28 19:41:44 +01:00
sinn3r 829b9ff4ff
Land #3308 - Fix smb_login using error_reason 2014-04-28 12:33:24 -05:00
Arnaud SOULLIE a0add34a7d Removed warning message and changed default unit number to 1 2014-04-28 15:47:10 +02:00
Pedro Laguna ab913a533e Update oracle_demantra_file_retrieval.rb
Fixed typo
2014-04-28 14:36:48 +01:00
Arnaud SOULLIE a2ccbf9833 Add read/write capabilities to modbusclient 2014-04-28 15:29:55 +02:00
Zinterax fb39e422aa Fix smb_login calling nonexistent method
When a Rex::Proto::SMB::Exceptions::InvalidWordCount exception is thrown by this module, it attempts to call the nonexistent method error_reason and throws a NoMethodError:

Auxiliary failed: NoMethodError undefined method `error_reason' for #<Rex::Proto::SMB::Exceptions::InvalidWordCount:0x007f48fcda0e48>

This changes uses the built in method get_error to return an error code.

[-] x.x.x.x:445 SMB - [1/1] - \\Domain - FAILED LOGIN (xxxxxxxx) xxxx : xxxxx [STATUS_WAIT_0]
2014-04-28 09:28:29 -04:00
Thanat0s 2396d497d8 move scanner to gather 2014-04-28 12:57:54 +02:00
Thanat0s 3bfa8ea707 Pass msftidy 2014-04-28 12:53:49 +02:00
Thanat0s f34cfefb8f Change hash to array 2014-04-28 12:52:46 +02:00
Thanat0s 6610977e86 add cookie.match and alway return 2014-04-28 12:39:32 +02:00
Thanat0s d5fe8471ed unless id 2014-04-28 12:16:49 +02:00
Thanat0s 328acc44fa Start cleaning as requested 2014-04-28 11:32:46 +02:00
nodeofgithub b80d366bb7 Add filter to output WPA-PSK password on Netgear DG834GT 2014-04-26 15:52:31 +02:00
William Vu c2bb26590c
Land #3250, version handling for Heartbleed server 2014-04-25 00:17:26 -05:00
Ramon de C Valle fd232b1acd Use the protocol version from the handshake
I used the protocol version from the record layer thinking I was using
the protocol version from the handshake. This commit fix this and uses
the protocol version from the handshake instead of from the record layer
as in https://gist.github.com/rcvalle/10335282, which is how it should
have been initially.

Thanks to @wvu-r7 for finding this out!
2014-04-25 01:48:17 -03:00
Christian Mehlmauer ef815ca992
Land #3288, Postgres support for Heartbleed scanner 2014-04-24 18:03:13 +02:00
Spencer McIntyre 9ccb9397e3
Land #3264, throttl and csv output support for module 2014-04-23 19:00:28 -04:00
Spencer McIntyre e2b92a824f Change white space for authors in dns_reverse_lookup 2014-04-23 18:56:27 -04:00
William Vu 15bd92dd50
Fix OpenSSH timing attack module 2014-04-23 10:10:37 -05:00
William Vu 0a108acea3
Fix missing comma
Commas will be the death of me.
2014-04-23 10:10:12 -05:00
William Vu 6d7fde4302
Land #3157, OpenSSH user enumeration timing attack 2014-04-23 10:01:10 -05:00
William Vu 1a2899d57b
Fix up whitespace 'n' stuff 2014-04-23 10:00:34 -05:00
Thanat0s 457c48b89b Error on sleep 2014-04-23 11:38:23 +02:00
Jonathan Claudius d70aa4cdbb Fix MSFTidy complaints 2014-04-22 22:07:25 -04:00
Jonathan Claudius b3cabaaa28 Clean up some formatting concerns 2014-04-22 21:58:14 -04:00
Jonathan Claudius f71ad111da Change return values from nil to false 2014-04-22 21:48:16 -04:00
Jonathan Claudius 3d793fc6f1 Add default VPN group fall back 2014-04-22 21:45:04 -04:00
Jonathan Claudius 4d9ece2f9a Add hyphens and digits to group regex 2014-04-22 21:34:08 -04:00
kenkeiras 96f042110f return is not needed when it's the last lifunction line 2014-04-22 22:33:47 +02:00
kenkeiras c9d8da991a Use Rex.sleep instead of select 2014-04-22 22:33:19 +02:00
kenkeiras d2a558dc85 Removed unused code 2014-04-22 22:33:02 +02:00
Wiesław Kielas 8f6567967d Heartbleed PostgreSQL TLS support improvements 2014-04-22 17:36:06 +02:00
Wiesław Kielas fbe392a896 Add PostgreSQL TLS support to the Heartbleed scanner 2014-04-21 23:27:40 +02:00
Tod Beardsley e514ff3607
Description and print_status fixes for release
@cdoughty-r7, I choose you! Or @wvu-r7.
2014-04-21 14:00:03 -05:00
William Vu 1faf069130
Land #3284, deprecated module cleanup 2014-04-20 23:10:55 -05:00
James Lee ee413ac385
Remove previously deprecated modules 2014-04-20 22:15:44 -05:00
kenkeiras b8e0187647 Use OptPath for file path options 2014-04-18 21:56:17 +02:00
kenkeiras fb0af8a799 Remove unnecesary ssh_socket variable 2014-04-18 21:50:54 +02:00
kenkeiras c875bdadf5 Change THRESHOLD into a datastore option 2014-04-18 21:18:48 +02:00
kenkeiras 8a3329c891 Password made pseudo-random instead of a bunnch of A's 2014-04-18 21:10:34 +02:00
kenkeiras 47ff820a83 Remove unnecesary 'RHOST' deregister 2014-04-18 21:06:46 +02:00
kenkeiras cc2d4f9ed7 Remove unnecesary @good_credentials 2014-04-18 21:03:22 +02:00
William Vu 7d801e3acc
Land #3200, goodbye LORCON modules :( 2014-04-18 12:32:22 -05:00
jvazquez-r7 c4d4af031c
Land #3276, @todb-r7's "make msftidy happy"'s fix 2014-04-18 09:54:52 -05:00
jvazquez-r7 5083143971
Land #3238, @Zinterax's timeout addition in openssl_heartbleed 2014-04-18 09:28:04 -05:00
Tod Beardsley 2a729c84f6
Fix disclosure date 2014-04-18 09:27:41 -05:00
jvazquez-r7 8a011ec9f6
Land #3197, @0x3fcoma's module for CVE-2013-5795 and CVE-2013-5880 2014-04-18 08:58:54 -05:00
jvazquez-r7 f3299e3ced Do minor code cleanup 2014-04-18 08:58:11 -05:00
jvazquez-r7 2366f77226 Clean timeout handling code 2014-04-18 08:16:28 -05:00
Zinterax e38f4cbfa0 Apply response_timeout to get_once, code cleanup
Add response_timeout to get_once

Change timeout output in establish_connect()

Add disconnect ater timeout output

Made establish_connect timeout check more readable
2014-04-18 07:57:33 -04:00
Zinterax fab091ca88 Fix Action => DUMP
Fix for when Action is set to DUMP. Modifed the check to use action.name.

Console output:

msf auxiliary(openssl_heartbleed) > set action DUMP
action => DUMP
msf auxiliary(openssl_heartbleed) > run

[*] 192.168.1.3:443 - Sending Client Hello...
[*] 192.168.1.3:443 - Sending Heartbeat...
[*] 192.168.1.3:443 - Heartbeat response, 17403 bytes
[+] 192.168.1.3:443 - Heartbeat response with leak
[*] 192.168.1.3:443 - Heartbeat data stored in /root/.msf4/loot/20140418070745_default_192.168.1.3_openssl.heartble_135938.bin
[*] 192.168.1.3:443 - Printable info leaked: STUFF STUFF STUFF
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
2014-04-18 07:08:12 -04:00
Zinterax 1cf1616341 Rebase. Add timeout option support
Rebase to account for the KEYS merge.

Modify bleed() to work with timeout option.

Modify establish_connect() to work with timeout option.

Modify loot_and_report() to work with timeout option.

---Test Console Output---

Client Hello Timeout:

msf auxiliary(openssl_heartbleed) > run

[*] 127.0.0.1:443 - Sending Client Hello...
[-] 127.0.0.1:443 - No Client Hello response after 10 seconds...
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Patched Apache:

msf auxiliary(openssl_heartbleed) > run

[*] 127.0.0.1:443 - Sending Client Hello...
[*] 127.0.0.1:443 - Sending Heartbeat...
[-] 127.0.0.1:443 - No Heartbeat response...
[-] 127.0.0.1:443 - Looks like there isn't leaked information...
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Vulnerable Server:

msf auxiliary(openssl_heartbleed) > run

[*] 192.168.1.3:443 - Sending Client Hello...
[*] 192.168.1.3:443 - Sending Heartbeat...
[*] 192.168.1.3:443 - Heartbeat response, 17403 bytes
[+] 192.168.1.3:443 - Heartbeat response with leak
[*] 192.168.1.3:443 - Printable info leaked: STUFF STUFF STUFF
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
2014-04-18 07:04:05 -04:00
Zinterax 021ac53911 remove me 2014-04-18 07:03:36 -04:00
Jonathan Claudius 01d843f78f Handle certificate auth nuances 2014-04-17 20:24:19 -04:00
Jonathan Claudius 6daae961cb Add parameterized requests for detection/enumeration 2014-04-17 19:40:27 -04:00
Tod Beardsley 845108acf6
Looks like an autocorrect ran wild on TLS_CALLBACK
Whoops.
2014-04-17 17:47:47 -05:00
Tod Beardsley 2aa2cb17f3
Reimplement a check. 2014-04-17 17:10:54 -05:00
Tod Beardsley d40ab039e4
Clean up whitespace. Protip: use commit hooks 2014-04-17 16:28:07 -05:00
Tod Beardsley c34d548e50
First, undo #3252. Sorry about that.
undo #3252 completely. This means a reimplementation of @dchan's work,
but his intent was simply to implement a check_host() that doesn't
actually pull memory, so that should be pretty straight forward with the
new structure of the module.
2014-04-17 16:25:15 -05:00
Jeff Jarmoc e3daf6daf7 Singular 'TLS_CALLBACK' option 2014-04-17 15:51:37 -05:00
Jeff Jarmoc 6c832e22d6 rename scan to loot_and_report 2014-04-17 15:47:57 -05:00
Jeff Jarmoc c12eae66b3 Error and return if public key wasn't retrieved. 2014-04-17 15:44:40 -05:00
Jeff Jarmoc 578002e016 KEYS action gets it's own function 2014-04-17 15:39:05 -05:00
Tod Beardsley 5b0b5d9476
Land #3252, check() functionality for Heartbleed 2014-04-17 15:34:35 -05:00
Tod Beardsley a2d6c58374
Changing << to + per @jlee-r7 2014-04-17 15:34:13 -05:00
Jeff Jarmoc 9f30976b83 Heartbleed RSA Keydump
Flattened, merge conflicts resolved, etc.
2014-04-17 14:30:47 -05:00
Jonathan Claudius 7ddd93cf5d Add redirect support to #is_app_ssl_vpn? 2014-04-17 12:06:29 -04:00
Jonathan Claudius 0c5fb8c0c2 Fix bug in group enumeration regex 2014-04-17 10:31:05 -04:00
Christian Mehlmauer 71a650fe6e
Land #3259, XMPP Hostname autodetect by @TomSellers 2014-04-17 08:54:15 +02:00
Tom Sellers 1f452aab48 Code cleanup
Changes requested by wvu-R7
2014-04-17 12:46:25 -05:00
Tom Sellers 9e2285619e Additional cleanup
Whitespace cleanup
2014-04-17 10:46:33 -05:00
Jonathan Claudius f53e7f84b8 Adds Cisco SSL VPN Bruteforce Aux Mod 2014-04-16 22:47:58 -04:00
Tom Sellers ee0d30a1f3 Whitespace fix
Removing extra line feeds
2014-04-16 17:27:39 -05:00
Tom Sellers 92eab6c54b Attribution addition
Per comment from Firefart
2014-04-16 17:26:09 -05:00
Tom Sellers 1f3ec46b8a Heartbleed - Add autodetection of XMPP hostname (round 2)
Add the ability to scrape the hostname from the XMPP error message when connecting to an XMPP (Jabber) server. This allows the connection to get far enough to negotiate a TLS tunnel with STARTTLS. The manually specified domain, if present, will be used first and then the hostname autodetection will kick in if that fails.

This version addresses issues that FireFart (Thanks!) brought up about code quality and connection reliability.
2014-04-16 08:49:45 -05:00
sinn3r 7a4e12976c
First little bit at Bug 8498
[FixRM #8489] rhost/rport modification
2014-04-15 18:20:16 -05:00
sinn3r d7513b0eb2 Handle nil properly when no results are found 2014-04-15 18:19:29 -05:00
Tod Beardsley 9db01770ec
Add custom rhost/rport, remove editorializing desc
Verification:

````
resource (./a.rc)> run
[*] Connecting to FTP server ....
[*] FTP recv: "220 ProFTPD 1.3.3a Server (My FTP server)
[*] Connected to target FTP server.
[*] Authenticating as anonymous with password mozilla@example.com...
[*] FTP send: "USER anonymous\r\n"
[*] FTP recv: "331 Anonymous login ok, send your complete email address
as your password\r\n"
````

...etc.
2014-04-14 21:46:05 -05:00
Tod Beardsley 40a359f312 Include a vhost for Shodan or else it complains
Works now. The rhost option was not keeping the custom vhost option.

````
msf auxiliary(shodan_search) > rexploit
[*] Reloading module...

[*] Total: 13443 on 269 pages. Showing: 1
[*] Country Statistics:
[*] United States (US): 2006
[*] Germany (DE): 1787
[*] Korea, Republic of (KR): 1061
[*]     Italy (IT): 916
[*] Hungary (HU): 604
[*] Collecting data, please WaitUntilAuthEmptyt...

IP Results
==========
````
2014-04-14 21:23:27 -05:00
Tod Beardsley 1436f68955
Fix shodan to not muck with datastore 2014-04-14 21:21:11 -05:00
Tod Beardsley 9035d1523d
Update wol.rb to specify rhost/rport directly
- [ ] Fire up tcpdump on the listening interface
 - [ ] Run the module and see the pcap:

listening on vmnet8, link-type EN10MB (Ethernet), capture size 65535
bytes
20:56:02.592331 IP 192.168.145.1.41547 > 255.255.255.255.9: UDP, length
102
2014-04-14 20:57:20 -05:00
Tom Sellers 0360d1177f Heartbleed - Add autodetection of XMPP hostname
Add the ability to scrape the hostname from the XMPP error message when connecting to an XMPP (Jabber) server.  This allows the connection to get far enough to negotiate a TLS tunnel with STARTTLS.  The manually specified domain, if present, will be used first and then the hostname autodetection will kick in if that fails.
2014-04-14 20:09:21 -05:00
Thanat0s 07ed8d832a Update db 2014-04-15 02:48:55 +02:00
David Chan 1a73206034 Add detection for GnuTLS with with multiple records 2014-04-14 17:09:25 -07:00
Thanat0s fecdbd1781 F5 bigip cookie module 2014-04-15 01:11:17 +02:00
Thanat0s 176204d62d With implemented remarks 2014-04-14 21:11:04 +02:00
Tom Sellers 634a03a852 Update to openssl_heartbleed to deal with SMTP RFC
Added CR character in order to have the commands match SMTP RFC 5321 2.3.8 for line termination. Some SMTP services, such as the Symantec Mail Gateway, require strict compliance or the connection will be dropped with the response  '550 esmtp: protocol deviation'

Reference:
   http://www.symantec.com/business/support/index?page=content&id=TECH96829
   http://tools.ietf.org/html/rfc5321#section-2.3.8
2014-04-14 13:27:33 -05:00
David Maloney c537aebf0f
Land #3228, JtR colon Seperation 2014-04-14 11:19:16 -05:00
Thanat0s dd7bceee56 fix threaded issues 2014-04-12 17:43:39 +02:00
Thanat0s d493c48cc6 add thottling,notes insert and output to dns_rev_lookup 2014-04-12 16:36:18 +02:00
Ramon de C Valle 039946e8d1 Use the first cipher suite sent by the client
If encrypted, use the TLS_RSA_WITH_AES_128_CBC_SHA; otherwise, use the
first cipher suite sent by the client. This complements the last commit
and makes this module work with SSLv3, TLSv1.0, TLSv1.1, and TLSv1.2
when NEGOTIATE_TLS is not enabled (see
https://gist.github.com/rcvalle/10335282).
2014-04-12 05:05:14 -03:00
Ramon de C Valle b95fcb9610 Use the protocol version sent by the client
Use the protocol version sent by the client. This should be the latest
version supported by the client, which may also be the only acceptable.
This makes this module work with SSLv3, TLSv1.0, TLSv1.1, and TLSv1.2
when NEGOTIATE_TLS is not enabled (see
https://gist.github.com/rcvalle/10335282).
2014-04-12 04:21:35 -03:00
David Chan 6fafc10184 Add HeartBleed check functionality 2014-04-12 00:07:00 -07:00
Sebastiano Di Paola a63f020a68 Fixing coding style 2014-04-11 19:39:57 +02:00
Sebastiano Di Paola 4acacb005d Fixed a bug...referring to wrong variable after filtering with regexp 2014-04-11 19:33:23 +02:00
Sebastiano Di Paola 83fe1cec65 Cleaned up Array.join call 2014-04-11 19:24:32 +02:00