Commit Graph

4681 Commits (35bc8e905e0102227c8307593730b1a43e767bc6)

Author SHA1 Message Date
christopher lee 68d72cbfa7 Goliath Cleanup in preparation for merge to master 2018-03-06 10:21:22 -06:00
James Barnett 08f10d7da1
Comments 2018-02-22 14:51:17 -06:00
James Barnett 1cee532526 Merge branch 'rapid7/master' into goliath 2018-02-22 14:49:45 -06:00
James Barnett e396dbabcd
Dont save email addresses as valid users
Also add initial module doc for owa_login
2018-02-22 14:48:35 -06:00
James Barnett e531dbc976
Fix bug causing all logins to appear valid
The headers we were looking for were a little too loose
and were incorrectly identifying all responses as successful
login attempts
2018-02-22 11:25:35 -06:00
Jacob Robles 738d6ab33a
Land #9604, Fix logged errors when running without Python 3.6 / gmpy2 2018-02-22 08:11:30 -06:00
Brent Cook 7e665ab287 check for extra libraries explicitly, fail gracefully 2018-02-21 21:54:58 -06:00
William Vu 3880f6a65e Finally fix "Unknown admin user ''" after 2yrs
The failed password auth was necessary after all. I misread the PoC. :'(

Apparently the password auth sets the username, while the backdoored
keyboard-interactive auth sets the password.
2018-02-21 20:44:35 -06:00
William Vu cc2495dd9c Explain fortinet-backdoor -> FortinetBackdoor 2018-02-21 17:05:30 -06:00
William Vu a5d78b82d4 Add require for Net::SSH::CommandStream 2018-02-21 15:51:53 -06:00
William Vu 854ac67b8e Use start_session in fortinet_backdoor
Still get "Unknown admin user ''" from a shell channel request,
@busterb's more complete implementation notwithstanding.

Hoping we fix this in a subsequent commit or related PR.

Please see #6612 and #9524.
2018-02-21 15:33:34 -06:00
Brent Cook 78822fd799
Land #9524, prefer 'shell' channels over 'exec' channels for ssh CommandStream 2018-02-21 06:59:09 -06:00
William Vu 9cbc55ce40
Land #9593, finger_users regex fix 2018-02-21 01:27:40 -06:00
James Lee d6206dc046
Better regex in finger_users 2018-02-20 15:48:00 -06:00
Brent Cook 56c00a8cb6 initial OWA 2016 support 2018-02-19 21:43:49 -06:00
Brent Cook c4c864f391
Land #9558, Fix #9417, map timeout exp to a var for telnet_encrypt_overflow 2018-02-15 15:54:23 -06:00
Wei Chen ef948ccc38 Fix #9417, map timeout exp to a var for telnet_encrypt_overflow
Fix #9417
2018-02-14 09:19:28 -06:00
HD Moore 7cfc17860d udp_probe is necessary for pivot scans 2018-02-14 08:45:46 -06:00
HD Moore 234f5a316b Revert "Remove old deprecated modules"
This reverts commit a2c5cc0ffb.
2018-02-14 08:42:44 -06:00
Wei Chen fbeba8bfd2 Fix #9513, Add private_type to be able to store password for Tomcat
If there is no :private_type, the create_credential method in
Metasploit::Credential::Creation will quietly skip the password,
which makes it look like a bug when the user is trying to view
the password from the creds command.

Fix #9513
2018-02-13 14:31:56 -06:00
follower ecb5fffb0b
Typo fix: "withint" --> "within" 2018-02-13 06:20:57 +13:00
Brent Cook 44b08feeb0
Land #9525, Update mysql_hashdump for MySQL 5.7 and above 2018-02-08 13:56:26 -06:00
Brent Cook 1bb5499fce fix whitespace 2018-02-08 13:55:40 -06:00
Osanda Malith Jayathissa 00ead05237
Update for MySQL 5.7 and above
Starting from MySQL 5.7 the password column was changed to authentication_string. I've added a check to determine the version. Tested on both MySQL 5.6 and 5.7.
2018-02-08 13:40:35 +00:00
Brent Cook b1d0529161 prefer 'shell' channels over 'exec' channels for ssh
If a command is not specified to CommandStream, request a "shell"
session rather than running exec. This allows targets that do not have a
true "shell" which supports exec to instead return a raw shell session.
2018-02-08 02:21:16 -06:00
Adam Cammack 51e098da35
Add scanner for Bleichenbacher oracle (ROBOT) 2018-02-02 16:29:07 -06:00
Matthew Kienow 6caba521d3
Land #9424, Add SharknAT&To external scanner 2018-01-24 12:40:29 -05:00
Pearce Barry eb572a3ef5
Land #8632, colorado ftp fixes 2018-01-23 17:45:07 -06:00
Adam Cammack be08af5404
More Python style fixes 2018-01-23 09:17:22 -06:00
Brent Cook 10fde42adc
Land #9431, Fix owa_login to handle inserting credentials for a hostname 2018-01-22 16:46:39 -06:00
Brent Cook b12953fa85
Land #9404, update module author 2018-01-22 16:41:50 -06:00
Wei Chen 394c31c1e3 Remove NoMethod Rescue for cerberus_sftp_enumusers
Please see reasons in #9436
2018-01-22 11:10:23 -06:00
Wei Chen 38d056b930
Land #9436 - Fix cerberus_sftp_enumusers undefined method start for nil
Land #9436

Thanks Steve!
2018-01-22 11:07:23 -06:00
Wei Chen 85d018096b Pass password_prompt and non_interactive to fix #8970
Fix #8970
2018-01-22 11:06:12 -06:00
Pearce Barry 2a6b3671bf
Add connection addr+port info to http response object.
Update owa_login to use this instead of doing lookups on its own.
2018-01-19 13:37:33 -06:00
Steve Embling 8f75d3a46b Possible fix to changes in net::ssh usage 2018-01-19 15:10:14 +00:00
Pearce Barry e9ce2374e5
Auto-resolve target if it's a hostname (owa_login).
Ensures the module does save the creds which it claims to be saving.  See MS-2968.
2018-01-17 16:47:21 -06:00
Adam Cammack 0f0b116751
Rename scanner bits to avoid confusion 2018-01-17 14:46:31 -06:00
Adam Cammack c7894f1d74
Split long lines and add comments 2018-01-17 12:04:12 -06:00
Adam Cammack 37bf68869f
Add scanner for the open proxy from 'SharknAT&To' 2018-01-16 21:05:19 -06:00
Brendan Coles d172259f5d
umlaut 2018-01-13 16:06:11 +11:00
William Vu eb8429cbd3
Revert "umlaut"
This reverts commit ffd7073420.
2018-01-12 22:57:22 -06:00
Brendan Coles ffd7073420
umlaut 2018-01-13 15:48:45 +11:00
Wei Chen dd737c3bc8
Land #9317, remove multiple deprecated modules
Land #9317

The following modules are replaced by the following:

auxiliary/scanner/discovery/udp_probe
is replaced by:
auxiliary/scanner/discovery/udp_sweep

exploit/unix/webapp/wp_ninja_forms_unauthenticated_file_upload
is replaced by:
exploit/multi/http/wp_ninja_forms_unauthenticated_file_upload

exploit/windows/misc/regsvr32_applocker_bypass_server
is replaced by:
exploits/multi/script/web_delivery
2018-01-10 15:47:20 -06:00
jgor 51e5fb450f Detect and return on bad VNC negotiations 2018-01-05 10:12:13 -06:00
Aaron Soto 7849155347
Land #9359, Improve DCE/RPC fault handling 2018-01-03 20:42:17 -06:00
Adam Cammack a98de2d9a3
Land #9358, Support password protected key files 2018-01-03 15:12:28 -06:00
bka-dev 086f657c56
Fix early termination of auxiliary/scanner/dcerpc/hidden
This commit fixes an issue, where auxiliary/scanner/dcerpc/hidden terminates directly, once an endpoint can't be reached or access is denied. Instead the next endpoint in list should be checked, instead of terminating directly.
2017-12-31 14:41:33 +01:00
RageLtMan f2a8d68a1f Permit encrypted SSH keys for login scanner
Net::SSH::KeyFactory permits loading keys using a passphrase.
The Framework SSH modules were implemented back when we had a fork
of net-ssh in our tree, and can now use functionality provided by
the upstream gem.
Update the ssh key login scanner to add a KEY_PASS datastore
OptString which is then passed to the KeyCollection class and used
in the updated :read_key method which now calls the KeyFactory to
read data and give us the appropriate String representation of the
key in the KeyCollection's cache.
A bit of cleanup performed as well, removing legacy code paths no
longer hit by the module. Shamelessly added self to authors, fair
amount of blood and sweat in the SSH subsystem over the years, hope
nobody objects.

Testing:
  None yet
2017-12-31 02:53:06 -05:00
Brent Cook 8de760f1f7
Land #9348, Only use basic auth in couchdb_enum when credentials are provided 2017-12-28 21:24:45 -06:00