182 lines
6.2 KiB
Gherkin
182 lines
6.2 KiB
Gherkin
@wip
|
|
Feature: MS08-067 netapi
|
|
|
|
Background:
|
|
Given a directory named "home"
|
|
And I cd to "home"
|
|
And a mocked home directory
|
|
Given I run `msfconsole` interactively
|
|
And I wait for stdout to contain "Free Metasploit Pro trial: http://r-7.co/trymsp"
|
|
|
|
Scenario: The MS08-067 Module should have the following options
|
|
When I type "use exploit/windows/smb/ms08_067_netapi"
|
|
And I type "show options"
|
|
And I type "exit"
|
|
Then the output should contain:
|
|
"""
|
|
Module options (exploit/windows/smb/ms08_067_netapi):
|
|
|
|
Name Current Setting Required Description
|
|
---- --------------- -------- -----------
|
|
RHOST yes The target address
|
|
RPORT 445 yes Set the SMB service port
|
|
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
|
|
|
|
|
|
Exploit target:
|
|
|
|
Id Name
|
|
-- ----
|
|
0 Automatic Targeting
|
|
|
|
"""
|
|
|
|
Scenario: The MS08-067 Module should have the following advanced options
|
|
When I type "use exploit/windows/smb/ms08_067_netapi"
|
|
And I type "show advanced"
|
|
And I type "exit"
|
|
Then the output should contain:
|
|
"""
|
|
Module advanced options:
|
|
|
|
Name : CHOST
|
|
Current Setting:
|
|
Description : The local client address
|
|
|
|
Name : CPORT
|
|
Current Setting:
|
|
Description : The local client port
|
|
|
|
Name : ConnectTimeout
|
|
Current Setting: 10
|
|
Description : Maximum number of seconds to establish a TCP connection
|
|
|
|
Name : ContextInformationFile
|
|
Current Setting:
|
|
Description : The information file that contains context information
|
|
|
|
Name : DCERPC::ReadTimeout
|
|
Current Setting: 10
|
|
Description : The number of seconds to wait for DCERPC responses
|
|
|
|
Name : DisablePayloadHandler
|
|
Current Setting: false
|
|
Description : Disable the handler code for the selected payload
|
|
|
|
Name : EnableContextEncoding
|
|
Current Setting: false
|
|
Description : Use transient context when encoding payloads
|
|
|
|
Name : NTLM::SendLM
|
|
Current Setting: true
|
|
Description : Always send the LANMAN response (except when NTLMv2_session is
|
|
specified)
|
|
|
|
Name : NTLM::SendNTLM
|
|
Current Setting: true
|
|
Description : Activate the 'Negotiate NTLM key' flag, indicating the use of
|
|
NTLM responses
|
|
|
|
Name : NTLM::SendSPN
|
|
Current Setting: true
|
|
Description : Send an avp of type SPN in the ntlmv2 client Blob, this allow
|
|
authentification on windows Seven/2008r2 when SPN is required
|
|
|
|
Name : NTLM::UseLMKey
|
|
Current Setting: false
|
|
Description : Activate the 'Negotiate Lan Manager Key' flag, using the LM key
|
|
when the LM response is sent
|
|
|
|
Name : NTLM::UseNTLM2_session
|
|
Current Setting: true
|
|
Description : Activate the 'Negotiate NTLM2 key' flag, forcing the use of a
|
|
NTLMv2_session
|
|
|
|
Name : NTLM::UseNTLMv2
|
|
Current Setting: true
|
|
Description : Use NTLMv2 instead of NTLM2_session when 'Negotiate NTLM2' key
|
|
is true
|
|
|
|
Name : Proxies
|
|
Current Setting:
|
|
Description : Use a proxy chain
|
|
|
|
Name : SMB::ChunkSize
|
|
Current Setting: 500
|
|
Description : The chunk size for SMB segments, bigger values will increase
|
|
speed but break NT 4.0 and SMB signing
|
|
|
|
Name : SMB::Native_LM
|
|
Current Setting: Windows 2000 5.0
|
|
Description : The Native LM to send during authentication
|
|
|
|
Name : SMB::Native_OS
|
|
Current Setting: Windows 2000 2195
|
|
Description : The Native OS to send during authentication
|
|
|
|
Name : SMB::VerifySignature
|
|
Current Setting: false
|
|
Description : Enforces client-side verification of server response signatures
|
|
|
|
Name : SMBDirect
|
|
Current Setting: true
|
|
Description : The target port is a raw SMB service (not NetBIOS)
|
|
|
|
Name : SMBDomain
|
|
Current Setting: .
|
|
Description : The Windows domain to use for authentication
|
|
|
|
Name : SMBName
|
|
Current Setting: *SMBSERVER
|
|
Description : The NetBIOS hostname (required for port 139 connections)
|
|
|
|
Name : SMBPass
|
|
Current Setting:
|
|
Description : The password for the specified username
|
|
|
|
Name : SMBUser
|
|
Current Setting:
|
|
Description : The username to authenticate as
|
|
|
|
Name : SSL
|
|
Current Setting: false
|
|
Description : Negotiate SSL for outgoing connections
|
|
|
|
Name : SSLCipher
|
|
Current Setting:
|
|
Description : String for SSL cipher - "DHE-RSA-AES256-SHA" or "ADH"
|
|
|
|
Name : SSLVerifyMode
|
|
Current Setting: PEER
|
|
Description : SSL verification method (accepted: CLIENT_ONCE,
|
|
FAIL_IF_NO_PEER_CERT, NONE, PEER)
|
|
|
|
Name : SSLVersion
|
|
Current Setting: SSL3
|
|
Description : Specify the version of SSL that should be used (accepted: SSL2,
|
|
SSL3, TLS1)
|
|
|
|
Name : VERBOSE
|
|
Current Setting: false
|
|
Description : Enable detailed status messages
|
|
|
|
Name : WORKSPACE
|
|
Current Setting:
|
|
Description : Specify the workspace for this module
|
|
|
|
Name : WfsDelay
|
|
Current Setting: 0
|
|
Description : Additional delay when waiting for a session
|
|
"""
|
|
|
|
@targets
|
|
Scenario: Show RHOST/etc variable expansion from a config file
|
|
When I type "use exploit/windows/smb/ms08_067_netapi"
|
|
When RHOST is WINDOWS
|
|
And I type "set PAYLOAD windows/meterpreter/bind_tcp"
|
|
And I type "show options"
|
|
And I type "run"
|
|
And I type "exit"
|
|
And I type "exit"
|
|
Then the output should match /spider-wxp/
|