167 lines
5.4 KiB
Plaintext
167 lines
5.4 KiB
Plaintext
[ INTRODUCTION ]
|
|
|
|
The msfrpcd daemon uses the xmlrpc plugin to provide a remote
|
|
interface to the Metasploit Framework. By default, this service
|
|
listens on port 55553, uses SSL, and is password protected.
|
|
|
|
The RPC interface allows access to a minimal set of framework
|
|
APIs, covering the core framework, the module set, the job list,
|
|
and the session table. These APIs can be used to enumerate
|
|
modules, execute them, and interact with the resulting sessions
|
|
and jobs.
|
|
|
|
|
|
[ USAGE ]
|
|
|
|
To activate the RPC interface, launch msfrpcd, or load msfconsole
|
|
and load the xmlrpc plugin.
|
|
|
|
$ ./msfrpcd -P s3cr3tp4ss
|
|
- or -
|
|
msf> load xmlrpc Pass=s3cr3tp4ss
|
|
|
|
Once the interface is started, any compatible RPC interface can be used
|
|
to interact with the service. The 'msfrpc' client provides a Ruby
|
|
shell that can be used to talk to the service.
|
|
|
|
$ ./msfrpc -h server_name -P s3cr3tp4ss
|
|
[*] The 'rpc' object holds the RPC client interface
|
|
|
|
>> rpc.call("core.version")
|
|
=> {"version"=>"3.3-dev"}
|
|
|
|
|
|
[ API - AUTH ]
|
|
|
|
Method: auth.login
|
|
Expects: username, password
|
|
Returns: { "result" => "success", "token" => "<token>" }
|
|
Summary: This method is used by rpc.login() to obtain the session key
|
|
(token) which is sent in subsequent requests. This token uniquely
|
|
identifies a particular client and can be used by multiple clients,
|
|
even after the originating TCP session is closed. The RPC client
|
|
object automatically sends this token with all other method calls.
|
|
Inactive tokens are destroyed after five minutes of non-use.
|
|
|
|
|
|
[ API - CORE ]
|
|
|
|
Method: core.version
|
|
Expects: none
|
|
Returns: { "version" => "<framework-version>" }
|
|
|
|
|
|
[ API - MODULE ]
|
|
|
|
Method: module.exploits
|
|
Method: module.auxiliary
|
|
Method: module.payloads
|
|
Method. module.encoders
|
|
Method: module.nops
|
|
Expects: none
|
|
Returns: { "modules" => [ "module1", "module2", ... ] }
|
|
Summary: This method is used to obtain a list of available modules
|
|
of the specified type. The resulting module names can be used in
|
|
other calls within the module service.
|
|
|
|
Method: module.info
|
|
Expects: module_type, module_name
|
|
Returns: { "name" => "<name>", ... }
|
|
Summary: This method returns all shared module fields (name, authors,
|
|
version, description, etc), but also the list of targets and actions
|
|
when appropriate.
|
|
|
|
Method: module.options
|
|
Expects: module_type, module_name
|
|
Returns: { "<option_name>" => { "type" => "integer", ... } }
|
|
Summary: This method returns a list of all options for a given module,
|
|
including advanced and evasion options. The returned hash contains
|
|
detailed information about each option, including its type, its
|
|
default value, whether it is required, and so on.
|
|
|
|
Method: module.compatible_payloads
|
|
Expects: module_name
|
|
Returns: { "payloads" => [ "payload1", "payload2", ... ] }
|
|
Summary: This method only works for exploit modules and returns a
|
|
list of payloads that are compatible with the specified exploit.
|
|
|
|
Method: module.execute
|
|
Expects: module_type, module_name, options_hash
|
|
Returns: { "result" => "success" }
|
|
Summary: This method only works for exploit and auxiliary modules
|
|
and uses the simplified framework API to launch these modules
|
|
with the specified options. Option values should be placed into
|
|
the options_hash argument, including items such as PAYLOAD,
|
|
TARGET, ACTION, and all required options.
|
|
|
|
|
|
|
|
[ API - JOB ]
|
|
|
|
Method: job.list
|
|
Expects: none
|
|
Returns: { "<job_id>" => "<job_name>" }
|
|
Summary: This method returns a list of running jobs, along with
|
|
the name of the job.
|
|
|
|
Method: job.stop
|
|
Expects: job_id
|
|
Returns: { "result" => "success" }
|
|
Summary: This method kills a specific job by ID
|
|
|
|
|
|
|
|
[ API - SESSION ]
|
|
|
|
Method: session.list
|
|
Expects: none
|
|
Returns: { "<session_id>" => { "type" => "shell", ... } }
|
|
Summary: This method returns a list of active sessions, including
|
|
the fields type, tunnel_local, tunnel_peer, via_exploit,
|
|
via_payload, and desc.
|
|
|
|
Method: session.stop
|
|
Expects: session_id
|
|
Returns: { "result" => "success" }
|
|
Summary: This method kills a specific session by ID
|
|
|
|
Method: session.shell_read
|
|
Expects: session_id
|
|
Returns: { "data" => "<shell_data>" }
|
|
Summary: This method reads any pending output from a session. This
|
|
method only works for sessions of type "shell" and does not block.
|
|
|
|
Method: session.shell_write
|
|
Expects: session_id, shell_data
|
|
Returns: { "write_count" => "<number_of_bytes_written>" }
|
|
Summary: This method writes the specified input into the session.
|
|
This method only works for sessions of type "shell" and does not
|
|
block.
|
|
|
|
|
|
[ EXCEPTIONS ]
|
|
|
|
When an error occurs, an exception is thrown on the client side. This
|
|
exception will be of class XMLRPC::FaultException and the faultCode
|
|
and faultString methods of this exception will contain detailed
|
|
information about the problem. Many API calls will raise faultCode
|
|
of 404 when the specified item is not found. An unhandled, server
|
|
exception will result in a faultCode of 500 on the client side.
|
|
|
|
|
|
|
|
[ SECURITY CONSIDERATIONS ]
|
|
|
|
At this time, the SSL certificate used by the service is
|
|
dynamically allocated, making it vulnerable to a man-in-the-middle
|
|
attack. Future versions will address this by allowing a certificate
|
|
to be generated and verified.
|
|
|
|
The current implementation passes the username and password for the
|
|
RPC service as parameters on the command line. This can lead to
|
|
disclosure of the password to other local users on some Unix systems.
|
|
The msfrpc and msfrpcd applications change the displayed arguments
|
|
as soon as they are launched, but there is still a brief window of
|
|
time where another local user may snoop the msfrpcd password. In the
|
|
future, the password will be specified via TTY or file.
|