diff --git a/Guidelines-for-Writing-Modules-with-SMB.md b/Guidelines-for-Writing-Modules-with-SMB.md index a2e1886378..ef0605de10 100644 --- a/Guidelines-for-Writing-Modules-with-SMB.md +++ b/Guidelines-for-Writing-Modules-with-SMB.md 
@@ -87,8 +87,9 @@ connect(versions: [1]) 2. **NetBIOS session, negotiation and authentication** -The actual negotiation and authentication are handled by `smb_login`. This retrieves the NetBIOS name, user name, password and domain from the `SMBName`, `SMBUser`, `SMBPass` and `SMBDomain` options set by the operator, respectively. Other options can be set and are defined in [MSF SMB client](https://github.com/rapid7/metasploit-framework/blob/6.x/lib/msf/core/exploit/smb/client.rb#L32). Under the hood, `smb_login` establishes the NetBIOS session (if needed), negotiates the protocol version/dialect and sets the SMB Session up using NTLM challenge-response authentication protocol. -If, for whatever reason, the authentication options cannot be retrieved from the user options, it is still possible to provide them manually by calling `simple.login()` directly (see [SimpleClient#login](https://github.com/rapid7/metasploit-framework/blob/6.x/lib/rex/proto/smb/simpleclient.rb#L63)) +The actual negotiation and authentication are handled by `smb_login`. This retrieves the NetBIOS name, user name, password and domain from the `SMBName`, `SMBUser`, `SMBPass` and `SMBDomain` options set by the operator, respectively. Other options can be set and are defined in [MSF SMB client](https://github.com/rapid7/metasploit-framework/blob/a7d255bbe5537822c614ede71933fdc6597dd369/lib/msf/core/exploit/remote/smb/client.rb). Under the hood, `smb_login` establishes the NetBIOS session (if needed), negotiates the protocol version/dialect and sets the SMB Session up using NTLM challenge-response authentication protocol. + +If, for whatever reason, the authentication options cannot be retrieved from the user options, it is still possible to provide them manually by calling `simple.login()` directly (see [SimpleClient#login](https://github.com/rapid7/metasploit-framework/blob/a7d255bbe5537822c614ede71933fdc6597dd369/lib/rex/proto/smb/simple_client.rb#L55)) ```ruby simple.login(name, user, pass) ``` 
@@ -111,7 +112,7 @@ file = smb_open(file_path, 'o') print_status("File content: #{file.read}") file.close ``` -See [SimpleClient#open](https://github.com/rapid7/metasploit-framework/blob/6.x/lib/rex/proto/smb/simpleclient.rb#L197) and [RubySMB::Dispositions](https://github.com/rapid7/ruby_smb/blob/master/lib/ruby_smb/dispositions.rb) for details about the `smb_open` mode argument. +See [SimpleClient#open](https://github.com/rapid7/metasploit-framework/blob/a7d255bbe5537822c614ede71933fdc6597dd369/lib/rex/proto/smb/simple_client.rb#L189) and [RubySMB::Dispositions](https://github.com/rapid7/ruby_smb/blob/a8af935d1f4b5fb57fc7c13490ca75bdacf032b9/lib/ruby_smb/dispositions.rb) for details about the `smb_open` mode argument. * write to a file ```ruby @@ -159,7 +160,7 @@ Following the same workflow described above: dispatcher = RubySMB::Dispatcher::Socket.new(sock) ``` * initialize the client -SMB versions 1, 2 and 3 will be negotiated by default. Use `smb1`, `smb2` and `smb3` keyword arguments to disable a version (`false` value). See [RubySMB::Client#initialize](https://github.com/rapid7/ruby_smb/blob/master/lib/ruby_smb/client.rb#L265) for more initialization options +SMB versions 1, 2 and 3 will be negotiated by default. Use `smb1`, `smb2` and `smb3` keyword arguments to disable a version (`false` value). See [RubySMB::Client#initialize](https://github.com/rapid7/ruby_smb/blob/a8af935d1f4b5fb57fc7c13490ca75bdacf032b9/lib/ruby_smb/client.rb#L281) for more initialization options ```ruby client = RubySMB::Client.new(dispatcher, username: datastore['SMBUser'], password: datastore['SMBPass'], domain: datastore['SMBDomain']) ``` 
@@ -188,7 +189,7 @@ tree = client.tree_connect(\\\\\\) file_path = 'file/path/relative/to/the/share/root' ``` -* read a file (see [RubySMB::SMB1::Tree](https://github.com/rapid7/ruby_smb/blob/master/lib/ruby_smb/smb1/tree.rb#L76) and [RubySMB::SMB2::Tree](https://github.com/rapid7/ruby_smb/blob/master/lib/ruby_smb/smb2/tree.rb#L60) for details) +* read a file (see [RubySMB::SMB1::Tree](https://github.com/rapid7/ruby_smb/blob/a8af935d1f4b5fb57fc7c13490ca75bdacf032b9/lib/ruby_smb/smb1/tree.rb#L83) and [RubySMB::SMB2::Tree](https://github.com/rapid7/ruby_smb/blob/a8af935d1f4b5fb57fc7c13490ca75bdacf032b9/lib/ruby_smb/smb2/tree.rb#L67) for details) ```ruby file = tree.open_file(filename: file_path) data = file.read diff --git a/How-to-obfuscate-JavaScript-in-Metasploit.md b/How-to-obfuscate-JavaScript-in-Metasploit.md index 62659b766f..02072955f5 100644 --- a/How-to-obfuscate-JavaScript-in-Metasploit.md +++ b/How-to-obfuscate-JavaScript-in-Metasploit.md 
@@ -8,7 +8,7 @@ arrr[0]["src"] = "a"; To avoid getting flagged, there are some common evasive tricks we can try. For example, you can manually modify the code a little bit to make it not recognizable by any signatures. Or if the antivirus relies on cached webpages to scan for exploits, it is possible to make the browser not cache your exploit so you stay undetected. Or in this case, you can obfuscate your code, which is what this writeup will focus on. -In Metasploit, there are three common ways to obfuscate your JavaScript. The first one is simply by using the ```rand_text_alpha``` method (in [Rex](https://github.com/rapid7/metasploit-framework/blob/master/lib/rex/text.rb#L1223)) to randomize your variables. The second one is by using the [ObfuscateJS](https://github.com/rapid7/metasploit-framework/blob/master/lib/rex/exploitation/obfuscatejs.rb) class. And the third option is the [JSObfu](https://github.com/rapid7/metasploit-framework/blob/master/lib/rex/exploitation/jsobfu.rb) class. +In Metasploit, there are three common ways to obfuscate your JavaScript. The first one is simply by using the ```rand_text_alpha``` method (in [Rex](https://github.com/rapid7/rex-text/blob/3bb11cb5c9997096a82a4e160fcb31c152385a9a/lib/rex/text/rand.rb#L127-L132)) to randomize your variables. The second one is by using the [ObfuscateJS](https://github.com/rapid7/rex-exploitation/blob/f3058a0737ba89fd116f99a8381a409bba6a53fa/lib/rex/exploitation/obfuscatejs.rb) class. And the third option is the [JSObfu](https://github.com/rapid7/rex-exploitation/blob/f3058a0737ba89fd116f99a8381a409bba6a53fa/lib/rex/exploitation/jsobfu.rb) class. ## The rand_text_alpha trick 
@@ -60,7 +60,7 @@ arrr[0]["src"] = "a"; obfu = ::Rex::Exploitation::ObfuscateJS.new(js) ``` -```obfu``` should return a [Rex::Exploitation::ObfuscateJS](https://github.com/rapid7/metasploit-framework/blob/master/lib/rex/exploitation/obfuscatejs.rb) object. It allows you to do a lot of things, you can really just call ```methods```, or look at the source to see what methods are available (with additional API documentation). But for demo purposes, we'll showcase the most common one: the ```obfuscate``` method. +```obfu``` should return a [Rex::Exploitation::ObfuscateJS](https://github.com/rapid7/rex-exploitation/blob/f3058a0737ba89fd116f99a8381a409bba6a53fa/lib/rex/exploitation/obfuscatejs.rb) object. It allows you to do a lot of things, you can really just call ```methods```, or look at the source to see what methods are available (with additional API documentation). But for demo purposes, we'll showcase the most common one: the ```obfuscate``` method. To actually obfuscate, you need to call the ```obfuscate``` method. This method accepts a symbols argument that allows you to manually specify what symbol names (variables, methods, classes, etc) to obfuscate, it should be in a hash like this: 
@@ -191,7 +191,7 @@ And finally, let's try to obfuscate a few times to see how that goes: **Using JSObfu for module development** -When you are writing a module, you should not call Rex directly like the above examples. Instead, you should be using the ```#js_obfuscate``` method found in [JSObfu mixin](https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/exploit/jsobfu.rb). When you're using JavaScript in your module, always do write it like this: +When you are writing a module, you should not call Rex directly like the above examples. Instead, you should be using the ```#js_obfuscate``` method found in [JSObfu mixin](https://github.com/rapid7/rex-exploitation/blob/f3058a0737ba89fd116f99a8381a409bba6a53fa/lib/rex/exploitation/jsobfu.rb). When you're using JavaScript in your module, always do write it like this: ```ruby # This returns a Rex::Exploitation::JSObfu object diff --git a/How-to-write-a-browser-exploit-using-BrowserExploitServer.md b/How-to-write-a-browser-exploit-using-BrowserExploitServer.md index 9e5f16f1ae..0a840b7b20 100644 --- a/How-to-write-a-browser-exploit-using-BrowserExploitServer.md +++ b/How-to-write-a-browser-exploit-using-BrowserExploitServer.md 
@@ -2,7 +2,7 @@ The Metasploit Framework provides different mixins you can use to develop a brow * **[Msf::Exploit::Remote::HttpServer](https://github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-HttpServer)** - The most basic form of a HTTP server. * **[Msf::Exploit::Remote::HttpServer::HTML](https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/exploit/remote/http_server/html.rb)** - which provides Javascript functions that the module can use when crafting HTML contents. -* **[Msf::Exploit::Remote::BrowserExploitServer](https://github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer)** - which includes features from both HttpServer and HttpServer::HTML, but with even more goodies. This writeup covers the [BrowserExploitServer](https://rapid7.github.io/metasploit-framework/Msf/Exploit/Remote/BrowserExploitServer.html) mixin. +* **[Msf::Exploit::Remote::BrowserExploitServer](https://github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer)** - which includes features from both HttpServer and HttpServer::HTML, but with even more goodies. This writeup covers the [BrowserExploitServer](https://github.com/rapid7/metasploit-framework/blob/a7d255bbe5537822c614ede71933fdc6597dd369/lib/msf/core/exploit/remote/browser_exploit_server.rb) mixin. ### The Automatic Exploitation Procedure diff --git a/Meterpreter-Configuration.md b/Meterpreter-Configuration.md index 23e608a3c2..24ded90d29 100644 --- a/Meterpreter-Configuration.md +++ b/Meterpreter-Configuration.md 
@@ -28,7 +28,7 @@ In the past, Meterpreter has required that the stager (or stage0 as some like to ### Loading configuration in Windows Meterpreter -Stage 1 of loading Windows Meterpreter now utilises a new loader, called `meterpreter_loader` ([Win x86](https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/payload/windows/meterpreter_loader.rb), [Win x64](https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/payload/windows/x64/meterpreter_loader.rb)), which does the following: +Stage 1 of loading Windows Meterpreter now utilises a new loader, called `meterpreter_loader` ([Win x86](https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/payload/windows/meterpreter_loader.rb), [Win x64](https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/payload/windows/x64/meterpreter_loader_x64.rb)), which does the following: * Loads the `metsrv` DLL from disk. * Patches the DOS header of the DLL so that it contains executable shellcode that correctly initializes `metsrv` and calculates the location that points to the end of `metsrv` in memory. It also takes any existing socket value (found in `edi` or `rdi` depending on the architecture) and writes that directly to the configuration (more on this later). diff --git a/git/Git-Reference-Sites.md b/git/Git-Reference-Sites.md index 207c078d9f..619fd212b1 100644 --- a/git/Git-Reference-Sites.md +++ b/git/Git-Reference-Sites.md 
@@ -9,11 +9,9 @@ The following sites are great references for Git padawans and jedi alike: * [The Git Community Book](http://book.git-scm.com): A free book put together by the Git community for those new to Git. * [Git Magic](http://www-cs-students.stanford.edu/~blynn/gitmagic/): Another free Git book put together by a Stanford CS student. * [Git Ready](http://gitready.com): A collection of Git tips and tricks. -* [Why Git is Better Than X](http://whygitisbetterthanx.com): In case you still need convincing, this site breaks down Git vs. other popular SCM packages. * [The Git Parable](http://tom.preston-werner.com/2009/05/19/the-git-parable.html): A story by GitHub founder Tom Preston-Werner that reveals the underlying principles behind Git's construction. A great starting point for understanding the nature of Git. * [Git is Easier Than You Think](http://nfarina.com/post/9868516270/git-is-simpler): A nice tutorial that breaks down one Git user's experience switching from Subversion. * [PeepCode: Git](http://peepcode.com/products/git): A one-hour (not-free) screencast covering Git basics. Well-made and easy to follow. -* [Git - The Simple Guide](http://rogerdudler.github.com/git-guide/): A simple introductory guide to getting up and running with Git. * [GitHub Flow](http://scottchacon.com/2011/08/31/github-flow.html): Another great post from Scott Chacon describing a GitHub-based workflow for projects. * [Getting Started with GitHub](http://pragprog.com/screencasts/v-scgithub/insider-guide-to-github): Also from GitHub's own Scott Chacon, this two-part screencast (one free and one paid) will walk you through the basics of using GitHub.
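Review bot: In the Guidelines-for-Writing-Modules-with-SMB.md hunk at `@@ -87,8 +87,9 @@`, the new "MSF SMB client" link drops the `#L32` anchor the old `6.x` link carried, so the sentence "Other options can be set and are defined in ..." now points at the top of `lib/msf/core/exploit/remote/smb/client.rb` instead of at the option definitions it refers to. The link is pinned to commit a7d255bbe5537822c614ede71933fdc6597dd369, so a line anchor is stable there; please add the line or range where `SMBName`, `SMBUser`, `SMBPass` and `SMBDomain` are registered. In the same hunk, `simple_client.rb#L55` replaces `simpleclient.rb#L63` after a file rename, so it is worth confirming the new anchor actually lands on `SimpleClient#login` at that commit.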
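Review bot: In the hunk at `@@ -159,7 +160,7 @@`, the ruby_smb links are pinned to a8af935d1f4b5fb57fc7c13490ca75bdacf032b9 while the framework links elsewhere in this patch are pinned to a7d255bbe5537822c614ede71933fdc6597dd369, and nothing ties the two together. The text documents the keyword arguments of `RubySMB::Client#initialize` (`smb1`, `smb2`, `smb3`), which can differ between ruby_smb releases, so the ruby_smb pin should be the version the framework commit actually locks in its Gemfile.lock; otherwise a module author reading the pinned framework docs may be shown an API that their vendored ruby_smb does not expose. Minor: the sentence "for more initialization options" still ends without a full stop.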
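Review bot: In the hunk at `@@ -188,7 +189,7 @@`, the unchanged context line `tree = client.tree_connect(\\\\\\)` has lost its share path, most likely the `\\\\host\\share` placeholder being eaten by markdown escaping, so the example as rendered calls `tree_connect` with a string of backslashes. Since this PR already touches this section to repin the `RubySMB::SMB1::Tree` and `RubySMB::SMB2::Tree` links (now `tree.rb#L83` and `tree.rb#L67`), please restore a readable placeholder such as a double-escaped UNC path in the same change.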
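Review bot: In the How-to-obfuscate-JavaScript-in-Metasploit.md hunk at `@@ -191,7 +191,7 @@`, the new link for "JSObfu mixin" points at `rex-exploitation/.../lib/rex/exploitation/jsobfu.rb`, which is the `Rex::Exploitation::JSObfu` class, not the mixin. The surrounding sentence says "you should not call Rex directly ... Instead, you should be using the `#js_obfuscate` method found in JSObfu mixin", and `#js_obfuscate` lives in the framework mixin the old link named, `lib/msf/core/exploit/jsobfu.rb`. As changed, the link contradicts the advice it supports; it should be repinned to that mixin file at commit a7d255bbe5537822c614ede71933fdc6597dd369 rather than redirected to the Rex class (which the `@@ -8,7 +8,7 @@` hunk already links correctly as the third option).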
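Review bot: In the How-to-write-a-browser-exploit-using-BrowserExploitServer.md hunk at `@@ -2,7 +2,7 @@`, the `BrowserExploitServer` link is pinned to a7d255bbe5537822c614ede71933fdc6597dd369, but the unchanged bullet just above still links `Msf::Exploit::Remote::HttpServer::HTML` via `blob/master/lib/msf/core/exploit/remote/http_server/html.rb`. Since the point of this patch is to replace floating `master` references with pinned ones, that sibling link should be pinned in the same hunk for consistency.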
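Review bot: In the Meterpreter-Configuration.md hunk at `@@ -28,7 +28,7 @@`, the x64 path is corrected to `lib/msf/core/payload/windows/x64/meterpreter_loader_x64.rb`, but both the x86 and x64 links stay on `blob/master/`, unlike every other hunk in this patch, which pins to a commit. A `master` link to a file that has just been found to have moved is exactly the case that goes stale again; please pin both loader links to a7d255bbe5537822c614ede71933fdc6597dd369 as done elsewhere.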
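Review bot: In the git/Git-Reference-Sites.md hunk at `@@ -9,11 +9,9 @@`, "Git - The Simple Guide" is removed outright, but that guide is still published; only the host changed from `rogerdudler.github.com` to `rogerdudler.github.io`. Updating the URL would keep a useful beginner reference rather than dropping it. Removing "Why Git is Better Than X" is reasonable if the domain no longer resolves, but the commit message should state which links were verified dead so the deletions are reviewable.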