0ef2e07012
Minor desc and status updates, cosmetic
2014-05-19 08:59:54 -05:00
6b1e4c3a9d
Show loot and error code
2014-05-19 11:17:58 +01:00
848227e18a
401 should be a valid url
2014-05-19 10:59:38 +01:00
5d96f54410
Be verbose about 307
2014-05-19 10:52:06 +01:00
88b7dc3def
re-add content length
2014-05-19 10:46:47 +01:00
e59f104195
Use unless
2014-05-19 10:41:01 +01:00
a97d9ed54f
Land #3148 , check_urlprefixes for sap_icm_urlscan
2014-05-17 16:10:52 -05:00
dd1a47f31f
Modified sap_icm_urlscan to check for authentication of custom URLs
...
Fixed ruby coding style
2014-05-17 22:47:49 +02:00
3c1363b990
Add new SNMP enumeration modules
2014-05-16 08:32:46 -05:00
df4b832019
Resolved some more Set-Cookie warnings
2014-05-13 22:56:12 +02:00
3f3283ba06
Resolved some msftidy warnings (Set-Cookie)
2014-05-12 21:23:30 +02:00
92a9519fd9
Remove EOL spaces
2014-05-09 18:34:12 -05:00
8c55858eae
Land #3309 , @arnaudsoullie's changes for modblusclient
2014-05-08 10:45:19 -05:00
25f13eac37
Clean a little response parsing
2014-05-08 10:44:53 -05:00
1f3466a3a3
Added Modbus error handling.
...
It now checks for error and displays the appropriate error message.
The only error simulated was "ILLEGAL ADDRESS", don't know how
to test for others.
2014-05-05 23:21:54 +02:00
a47b883083
Remove redundant simple.connect
...
Remove redundant simple.connect. Thanks @jlee-r7
2014-05-02 12:46:50 -05:00
b2eeaef475
Add admin check to smb_login
...
The attached updates changes smb_login to detect if the newly discovered user is an administrator. It is based on code from Brandon McCann "zeknox" submitted in PR #1373 , the associated changes, and the newer PR #2656 .
The changes should correct a few issues with PR #1373 and #2656 and address Redmine bug #8773 .
Specifically it:
- Fixes the admin detection code by using simple.disconnect(<share>) instead of disconnect()
- Adds support for detecting if the remote host will allow connects using any domain name when one of the new status codes is returned
- Dealt with the issue in PR #2656 where the username was prefixed with a '\'
Verification
Be connected to a database
Run this against a machine with a known user and admin user
See that the admin user is reported correctly
See that the non-admin user is reported correctly
Check the output of creds
Select a target that requires a domain in order to authenticate
In the stored credentials, with CHECK_ADMIN enabled, see that the domain name is, in fact, preserved in the reporting
To validate that the remote domain ignores domain value use the following command from a windows system:
net use \\<hostip>\admin$ /user:<random_value>\<username> <password>
2014-05-02 06:16:21 -05:00
f7d8a5e3a3
rework the openssl_heartbleed module
2014-05-01 21:43:58 +02:00
d3045814a2
Add print_status messages
2014-05-01 11:05:55 -05:00
cc2e680724
Refactor
2014-05-01 11:04:29 -05:00
28e9057113
Refactor make_payload
2014-05-01 10:23:33 -05:00
bd124c85cb
Use metadata format for actions
2014-05-01 09:52:55 -05:00
7777202045
Deconflict #3310 and correct the description
2014-04-30 12:02:57 -05:00
a5983b5f57
Light touchup on FP checker
2014-04-29 16:14:41 +01:00
88efeea378
Add a false positive check
2014-04-29 16:07:42 +01:00
e386855e0e
Add ACTIONS descriptions
2014-04-29 16:55:05 +02:00
4d76128937
Merge upstream and deconflict #3310 whitespace
2014-04-29 15:32:32 +01:00
04f2632972
Implement jvazquez-r7 comments
2014-04-29 16:09:47 +02:00
a6edd94c7f
Just fix refs and desc for release
2014-04-28 19:47:15 +01:00
a7e110be9e
Add a peer method, elaborate desc and prints
2014-04-28 19:41:44 +01:00
829b9ff4ff
Land #3308 - Fix smb_login using error_reason
2014-04-28 12:33:24 -05:00
a0add34a7d
Removed warning message and changed default unit number to 1
2014-04-28 15:47:10 +02:00
ab913a533e
Update oracle_demantra_file_retrieval.rb
...
Fixed typo
2014-04-28 14:36:48 +01:00
a2ccbf9833
Add read/write capabilities to modbusclient
2014-04-28 15:29:55 +02:00
fb39e422aa
Fix smb_login calling nonexistent method
...
When a Rex::Proto::SMB::Exceptions::InvalidWordCount exception is thrown by this module, it attempts to call the nonexistent method error_reason and throws a NoMethodError:
Auxiliary failed: NoMethodError undefined method `error_reason' for #<Rex::Proto::SMB::Exceptions::InvalidWordCount:0x007f48fcda0e48>
This changes uses the built in method get_error to return an error code.
[-] x.x.x.x:445 SMB - [1/1] - \\Domain - FAILED LOGIN (xxxxxxxx) xxxx : xxxxx [STATUS_WAIT_0]
2014-04-28 09:28:29 -04:00
ef815ca992
Land #3288 , Postgres support for Heartbleed scanner
2014-04-24 18:03:13 +02:00
15bd92dd50
Fix OpenSSH timing attack module
2014-04-23 10:10:37 -05:00
0a108acea3
Fix missing comma
...
Commas will be the death of me.
2014-04-23 10:10:12 -05:00
6d7fde4302
Land #3157 , OpenSSH user enumeration timing attack
2014-04-23 10:01:10 -05:00
1a2899d57b
Fix up whitespace 'n' stuff
2014-04-23 10:00:34 -05:00
d70aa4cdbb
Fix MSFTidy complaints
2014-04-22 22:07:25 -04:00
b3cabaaa28
Clean up some formatting concerns
2014-04-22 21:58:14 -04:00
f71ad111da
Change return values from nil to false
2014-04-22 21:48:16 -04:00
3d793fc6f1
Add default VPN group fall back
2014-04-22 21:45:04 -04:00
4d9ece2f9a
Add hyphens and digits to group regex
2014-04-22 21:34:08 -04:00
96f042110f
return is not needed when it's the last lifunction line
2014-04-22 22:33:47 +02:00
c9d8da991a
Use Rex.sleep instead of select
2014-04-22 22:33:19 +02:00
d2a558dc85
Removed unused code
2014-04-22 22:33:02 +02:00
8f6567967d
Heartbleed PostgreSQL TLS support improvements
2014-04-22 17:36:06 +02:00
fbe392a896
Add PostgreSQL TLS support to the Heartbleed scanner
2014-04-21 23:27:40 +02:00
e514ff3607
Description and print_status fixes for release
...
@cdoughty-r7, I choose you! Or @wvu-r7.
2014-04-21 14:00:03 -05:00
1faf069130
Land #3284 , deprecated module cleanup
2014-04-20 23:10:55 -05:00
ee413ac385
Remove previously deprecated modules
2014-04-20 22:15:44 -05:00
b8e0187647
Use OptPath for file path options
2014-04-18 21:56:17 +02:00
fb0af8a799
Remove unnecesary ssh_socket variable
2014-04-18 21:50:54 +02:00
c875bdadf5
Change THRESHOLD into a datastore option
2014-04-18 21:18:48 +02:00
8a3329c891
Password made pseudo-random instead of a bunnch of A's
2014-04-18 21:10:34 +02:00
47ff820a83
Remove unnecesary 'RHOST' deregister
2014-04-18 21:06:46 +02:00
cc2d4f9ed7
Remove unnecesary @good_credentials
2014-04-18 21:03:22 +02:00
c4d4af031c
Land #3276 , @todb-r7's "make msftidy happy"'s fix
2014-04-18 09:54:52 -05:00
5083143971
Land #3238 , @Zinterax's timeout addition in openssl_heartbleed
2014-04-18 09:28:04 -05:00
2a729c84f6
Fix disclosure date
2014-04-18 09:27:41 -05:00
8a011ec9f6
Land #3197 , @0x3fcoma's module for CVE-2013-5795 and CVE-2013-5880
2014-04-18 08:58:54 -05:00
f3299e3ced
Do minor code cleanup
2014-04-18 08:58:11 -05:00
2366f77226
Clean timeout handling code
2014-04-18 08:16:28 -05:00
e38f4cbfa0
Apply response_timeout to get_once, code cleanup
...
Add response_timeout to get_once
Change timeout output in establish_connect()
Add disconnect ater timeout output
Made establish_connect timeout check more readable
2014-04-18 07:57:33 -04:00
fab091ca88
Fix Action => DUMP
...
Fix for when Action is set to DUMP. Modifed the check to use action.name.
Console output:
msf auxiliary(openssl_heartbleed) > set action DUMP
action => DUMP
msf auxiliary(openssl_heartbleed) > run
[*] 192.168.1.3:443 - Sending Client Hello...
[*] 192.168.1.3:443 - Sending Heartbeat...
[*] 192.168.1.3:443 - Heartbeat response, 17403 bytes
[+] 192.168.1.3:443 - Heartbeat response with leak
[*] 192.168.1.3:443 - Heartbeat data stored in /root/.msf4/loot/20140418070745_default_192.168.1.3_openssl.heartble_135938.bin
[*] 192.168.1.3:443 - Printable info leaked: STUFF STUFF STUFF
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
2014-04-18 07:08:12 -04:00
1cf1616341
Rebase. Add timeout option support
...
Rebase to account for the KEYS merge.
Modify bleed() to work with timeout option.
Modify establish_connect() to work with timeout option.
Modify loot_and_report() to work with timeout option.
---Test Console Output---
Client Hello Timeout:
msf auxiliary(openssl_heartbleed) > run
[*] 127.0.0.1:443 - Sending Client Hello...
[-] 127.0.0.1:443 - No Client Hello response after 10 seconds...
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Patched Apache:
msf auxiliary(openssl_heartbleed) > run
[*] 127.0.0.1:443 - Sending Client Hello...
[*] 127.0.0.1:443 - Sending Heartbeat...
[-] 127.0.0.1:443 - No Heartbeat response...
[-] 127.0.0.1:443 - Looks like there isn't leaked information...
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Vulnerable Server:
msf auxiliary(openssl_heartbleed) > run
[*] 192.168.1.3:443 - Sending Client Hello...
[*] 192.168.1.3:443 - Sending Heartbeat...
[*] 192.168.1.3:443 - Heartbeat response, 17403 bytes
[+] 192.168.1.3:443 - Heartbeat response with leak
[*] 192.168.1.3:443 - Printable info leaked: STUFF STUFF STUFF
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
2014-04-18 07:04:05 -04:00
021ac53911
remove me
2014-04-18 07:03:36 -04:00
01d843f78f
Handle certificate auth nuances
2014-04-17 20:24:19 -04:00
6daae961cb
Add parameterized requests for detection/enumeration
2014-04-17 19:40:27 -04:00
845108acf6
Looks like an autocorrect ran wild on TLS_CALLBACK
...
Whoops.
2014-04-17 17:47:47 -05:00
2aa2cb17f3
Reimplement a check.
2014-04-17 17:10:54 -05:00
d40ab039e4
Clean up whitespace. Protip: use commit hooks
2014-04-17 16:28:07 -05:00
c34d548e50
First, undo #3252 . Sorry about that.
...
undo #3252 completely. This means a reimplementation of @dchan's work,
but his intent was simply to implement a check_host() that doesn't
actually pull memory, so that should be pretty straight forward with the
new structure of the module.
2014-04-17 16:25:15 -05:00
e3daf6daf7
Singular 'TLS_CALLBACK' option
2014-04-17 15:51:37 -05:00
6c832e22d6
rename scan to loot_and_report
2014-04-17 15:47:57 -05:00
c12eae66b3
Error and return if public key wasn't retrieved.
2014-04-17 15:44:40 -05:00
578002e016
KEYS action gets it's own function
2014-04-17 15:39:05 -05:00
5b0b5d9476
Land #3252 , check() functionality for Heartbleed
2014-04-17 15:34:35 -05:00
a2d6c58374
Changing << to + per @jlee-r7
2014-04-17 15:34:13 -05:00
9f30976b83
Heartbleed RSA Keydump
...
Flattened, merge conflicts resolved, etc.
2014-04-17 14:30:47 -05:00
7ddd93cf5d
Add redirect support to #is_app_ssl_vpn?
2014-04-17 12:06:29 -04:00
0c5fb8c0c2
Fix bug in group enumeration regex
2014-04-17 10:31:05 -04:00
71a650fe6e
Land #3259 , XMPP Hostname autodetect by @TomSellers
2014-04-17 08:54:15 +02:00
1f452aab48
Code cleanup
...
Changes requested by wvu-R7
2014-04-17 12:46:25 -05:00
9e2285619e
Additional cleanup
...
Whitespace cleanup
2014-04-17 10:46:33 -05:00
f53e7f84b8
Adds Cisco SSL VPN Bruteforce Aux Mod
2014-04-16 22:47:58 -04:00
ee0d30a1f3
Whitespace fix
...
Removing extra line feeds
2014-04-16 17:27:39 -05:00
92eab6c54b
Attribution addition
...
Per comment from Firefart
2014-04-16 17:26:09 -05:00
1f3ec46b8a
Heartbleed - Add autodetection of XMPP hostname (round 2)
...
Add the ability to scrape the hostname from the XMPP error message when connecting to an XMPP (Jabber) server. This allows the connection to get far enough to negotiate a TLS tunnel with STARTTLS. The manually specified domain, if present, will be used first and then the hostname autodetection will kick in if that fails.
This version addresses issues that FireFart (Thanks!) brought up about code quality and connection reliability.
2014-04-16 08:49:45 -05:00
7a4e12976c
First little bit at Bug 8498
...
[FixRM #8489 ] rhost/rport modification
2014-04-15 18:20:16 -05:00
9db01770ec
Add custom rhost/rport, remove editorializing desc
...
Verification:
````
resource (./a.rc)> run
[*] Connecting to FTP server ....
[*] FTP recv: "220 ProFTPD 1.3.3a Server (My FTP server)
[*] Connected to target FTP server.
[*] Authenticating as anonymous with password mozilla@example.com...
[*] FTP send: "USER anonymous\r\n"
[*] FTP recv: "331 Anonymous login ok, send your complete email address
as your password\r\n"
````
...etc.
2014-04-14 21:46:05 -05:00
0360d1177f
Heartbleed - Add autodetection of XMPP hostname
...
Add the ability to scrape the hostname from the XMPP error message when connecting to an XMPP (Jabber) server. This allows the connection to get far enough to negotiate a TLS tunnel with STARTTLS. The manually specified domain, if present, will be used first and then the hostname autodetection will kick in if that fails.
2014-04-14 20:09:21 -05:00
1a73206034
Add detection for GnuTLS with with multiple records
2014-04-14 17:09:25 -07:00
634a03a852
Update to openssl_heartbleed to deal with SMTP RFC
...
Added CR character in order to have the commands match SMTP RFC 5321 2.3.8 for line termination. Some SMTP services, such as the Symantec Mail Gateway, require strict compliance or the connection will be dropped with the response '550 esmtp: protocol deviation'
Reference:
http://www.symantec.com/business/support/index?page=content&id=TECH96829
http://tools.ietf.org/html/rfc5321#section-2.3.8
2014-04-14 13:27:33 -05:00
6fafc10184
Add HeartBleed check functionality
2014-04-12 00:07:00 -07:00
a63f020a68
Fixing coding style
2014-04-11 19:39:57 +02:00
4acacb005d
Fixed a bug...referring to wrong variable after filtering with regexp
2014-04-11 19:33:23 +02:00
83fe1cec65
Cleaned up Array.join call
2014-04-11 19:24:32 +02:00
Tod Beardsley
Meatballs
William Vu
sappirate
Christian Mehlmauer
jvazquez-r7
Arnaud SOULLIE
Tom Sellers
sinn3r
Pedro Laguna
Zinterax
Jonathan Claudius
kenkeiras
Wiesław Kielas
James Lee
kenkeiras
Jeff Jarmoc
David Chan
David Chan
Sebastiano Di Paola