From e7f9d789eb4f9575de6a9ba304a7442aa2ff6290 Mon Sep 17 00:00:00 2001 From: Jon Hart Date: Wed, 28 Mar 2018 09:25:51 -0700 Subject: [PATCH 1/4] Add docker docs for etcd --- .../scanner/etcd/open_key_scanner.md | 48 ++++++++++++++++++- 1 file changed, 46 insertions(+), 2 deletions(-) diff --git a/documentation/modules/auxiliary/scanner/etcd/open_key_scanner.md b/documentation/modules/auxiliary/scanner/etcd/open_key_scanner.md index a5811b0834..6dfdff6434 100644 --- a/documentation/modules/auxiliary/scanner/etcd/open_key_scanner.md +++ b/documentation/modules/auxiliary/scanner/etcd/open_key_scanner.md @@ -11,6 +11,10 @@ unauthenticated users access to the data stored via HTTP API. 4. On Centos 7.1 you need to mod (or disable) the firewall: `systemctl stop firewalld` 5. Lastly, lets add a key-value for interest: `curl http://[IP]:2379/v2/keys/supersecret -XPUT -d value="password!"` +### Docker + + 1. `docker run -p 2379:2379 miguelgrinberg/easy-etcd` + ## Verification Steps 1. Install the application @@ -25,12 +29,12 @@ unauthenticated users access to the data stored via HTTP API. ### etcd 3.2.15 on CentOS 7.1 ``` -msf5 > use auxiliary/scanner/etcd/open_key_scanner +msf5 > use auxiliary/scanner/etcd/open_key_scanner msf5 auxiliary(scanner/etcd/open_key_scanner) > set rhosts 2.2.2.2 rhosts => 2.2.2.2 msf5 auxiliary(scanner/etcd/open_key_scanner) > run -[+] 2.2.2.2:2379 +[+] 2.2.2.2:2379 Version: {"etcdserver":"3.2.15","etcdcluster":"3.2.0"} Data: { "action": "get", 
@@ -62,3 +66,43 @@ host port proto name state info ---- ---- ----- ---- ----- ---- 2.2.2.2 2379 tcp etcd open {"etcdserver":"3.2.15","etcdcluster":"3.2.0"} ``` + +### etcd in Docker + +``` +msf5 > use auxiliary/scanner/etcd/open_key_scanner +msf5 auxiliary(scanner/etcd/open_key_scanner) > set RHOSTS 127.0.0.1 +RHOSTS => 127.0.0.1 +msf5 auxiliary(scanner/etcd/open_key_scanner) > run + +[*] Scanned 1 of 1 hosts (100% complete) +[*] Auxiliary module execution completed +msf5 auxiliary(scanner/etcd/open_key_scanner) > run + +[+] 127.0.0.1:2379 +Version: {"etcdserver":"3.1.3","etcdcluster":"3.1.0"} +Data: { + "action": "get", + "node": { + "dir": true + } +} +[*] Scanned 1 of 1 hosts (100% complete) +[*] Auxiliary module execution completed +msf5 auxiliary(scanner/etcd/open_key_scanner) > loot + +Loot +==== + +host service type name content info path +---- ------- ---- ---- ------- ---- ---- +127.0.0.1 etcd.data etcd.keys text/json etcd keys /Users/jhart/.msf4/loot/20180328092245_default_127.0.0.1_etcd.data_260058.txt + +msf5 auxiliary(scanner/etcd/open_key_scanner) > services +Services +======== + +host port proto name state info +---- ---- ----- ---- ----- ---- +127.0.0.1 2379 tcp etcd open {"etcdserver":"3.1.3","etcdcluster":"3.1.0"} +``` From 7767505678d5a9bcd007a5d5dcff6b6bf773fefa Mon Sep 17 00:00:00 2001 From: Jon Hart Date: Wed, 28 Mar 2018 09:31:50 -0700 Subject: [PATCH 2/4] Fix some style issues --- .../scanner/etcd/open_key_scanner.rb | 46 ++++++++++--------- 1 file changed, 24 insertions(+), 22 deletions(-) diff --git a/modules/auxiliary/scanner/etcd/open_key_scanner.rb b/modules/auxiliary/scanner/etcd/open_key_scanner.rb index 39ca1dac7f..7c24d1e7c3 100644 --- a/modules/auxiliary/scanner/etcd/open_key_scanner.rb +++ b/modules/auxiliary/scanner/etcd/open_key_scanner.rb 
@@ -11,34 +11,36 @@ class MetasploitModule < Msf::Auxiliary def initialize super( 'Name' => 'Etcd Keys API Information Gathering', - 'Description' => %q{ + 'Description' => %q( This module queries the etcd API to recursively retrieve all of the stored key value pairs. Etcd by default does not utilize authentication. - }, + ), 'References' => [ - ['URL', 'https://elweb.co/the-security-footgun-in-etcd'] - ], + ['URL', 'https://elweb.co/the-security-footgun-in-etcd'] + ], 'Author' => [ - 'Giovanni Collazo ', # discovery - 'h00die' # msf module - ], + 'Giovanni Collazo ', # discovery + 'h00die' # msf module + ], 'License' => MSF_LICENSE ) - register_options([ - Opt::RPORT(2379), - OptString.new('TARGETURI', [ true, 'URI of the vulnerable service', '/']) - ]) + register_options( + [ + Opt::RPORT(2379), + OptString.new('TARGETURI', [true, 'URI of the vulnerable service', '/']) + ] + ) end def run_host(target_host) path = normalize_uri(target_uri.to_s, 'v2/keys/?recursive=true') vprint_status("#{peer} - Collecting data through #{path}...") - res = send_request_raw({ + res = send_request_raw( 'uri' => path, 'method' => 'GET' - }) + ) # parse the json if we got a good request back if res && res.code == 200 @@ -47,22 +49,22 @@ class MetasploitModule < Msf::Auxiliary store_loot('etcd.data', 'text/json', rhost, response, 'etcd.keys', 'etcd keys') # since we know its vulnerable, go ahead and pull the version information - res = send_request_raw({ + res = send_request_raw( 'uri' => normalize_uri(target_uri.to_s, 'version'), 'method' => 'GET' - }) + ) banner = '' if res && res.code == 200 banner = res.body end - report_service({ - :host => rhost, - :port => rport, - :name => 'etcd', - :proto => 'tcp', - :info => banner - }) + report_service( + host: rhost, + port: rport, + name: 'etcd', + proto: 'tcp', + info: banner + ) rescue JSON::ParserError => e print_error("Failed to read JSON: #{e.class} - #{e.message}}") return 
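Review bot: The query string is folded into the path on the first line of `run_host` — `normalize_uri(target_uri.to_s, 'v2/keys/?recursive=true')` — so a helper intended for joining path segments is handed a `?recursive=true` suffix, and whether it passes that part through untouched cannot be confirmed from the hunk. Keeping path and parameters apart, `send_request_cgi('uri' => normalize_uri(target_uri.to_s, 'v2/keys/'), 'vars_get' => { 'recursive' => 'true' }, 'method' => 'GET')`, lets the HTTP client build and encode the query itself; the `vprint_status` line would then need to mention the parameter separately if operators are expected to see the full request. The `res && res.code == 200` guard at the end of the hunk is the right shape, but `run_host` continues past the hunk, so the body it protects is not visible here.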
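Review bot: The error message in the `rescue JSON::ParserError` branch at the end of the second hunk has a stray closing brace — `#{e.message}}` — so every parse failure prints a literal `}` after the exception text; the commit reformats the surrounding calls but leaves it, and it should read `print_error("Failed to read JSON: #{e.class} - #{e.message}")`. The `return` that follows appears to be the last statement before the enclosing blocks close, in which case it is redundant, though the `begin`/`if` this `rescue` belongs to opens and closes outside the hunk. The `banner = ''` plus `if res && res.code == 200 / banner = res.body / end` sequence above `report_service` would read more directly as `banner = res && res.code == 200 ? res.body : ''`. Note that `banner` is the raw `/version` body from the scanned host and is recorded as the service `info` without any check that it is the small JSON object the docs show; a length cap or a `JSON.parse` inside the same rescue would keep unexpected responses from landing in the database verbatim.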
From 5cdfadd0df29722f91a8daf7b59a7904df318359 Mon Sep 17 00:00:00 2001 From: Jon Hart Date: Wed, 28 Mar 2018 09:38:02 -0700 Subject: [PATCH 3/4] Fix more style issues --- modules/auxiliary/scanner/etcd/open_key_scanner.rb | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/modules/auxiliary/scanner/etcd/open_key_scanner.rb b/modules/auxiliary/scanner/etcd/open_key_scanner.rb index 7c24d1e7c3..898a8e7207 100644 --- a/modules/auxiliary/scanner/etcd/open_key_scanner.rb +++ b/modules/auxiliary/scanner/etcd/open_key_scanner.rb @@ -10,19 +10,19 @@ class MetasploitModule < Msf::Auxiliary def initialize super( - 'Name' => 'Etcd Keys API Information Gathering', + 'Name' => 'Etcd Keys API Information Gathering', 'Description' => %q( This module queries the etcd API to recursively retrieve all of the stored key value pairs. Etcd by default does not utilize authentication. ), - 'References' => [ + 'References' => [ ['URL', 'https://elweb.co/the-security-footgun-in-etcd'] ], - 'Author' => [ + 'Author' => [ 'Giovanni Collazo ', # discovery 'h00die' # msf module ], - 'License' => MSF_LICENSE + 'License' => MSF_LICENSE ) register_options( @@ -33,7 +33,7 @@ class MetasploitModule < Msf::Auxiliary ) end - def run_host(target_host) + def run_host(_target_host) path = normalize_uri(target_uri.to_s, 'v2/keys/?recursive=true') vprint_status("#{peer} - Collecting data through #{path}...") From e01679d3740d7f105c72ad7ea2c57fa88b51c0cb Mon Sep 17 00:00:00 2001 From: Jon Hart Date: Wed, 28 Mar 2018 09:55:05 -0700 Subject: [PATCH 4/4] Use common path in etcd docs --- .../modules/auxiliary/scanner/etcd/open_key_scanner.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/documentation/modules/auxiliary/scanner/etcd/open_key_scanner.md b/documentation/modules/auxiliary/scanner/etcd/open_key_scanner.md index 6dfdff6434..e2955483de 100644 --- a/documentation/modules/auxiliary/scanner/etcd/open_key_scanner.md 
+++ b/documentation/modules/auxiliary/scanner/etcd/open_key_scanner.md @@ -96,7 +96,7 @@ Loot host service type name content info path ---- ------- ---- ---- ------- ---- ---- -127.0.0.1 etcd.data etcd.keys text/json etcd keys /Users/jhart/.msf4/loot/20180328092245_default_127.0.0.1_etcd.data_260058.txt +127.0.0.1 etcd.data etcd.keys text/json etcd keys /root/.msf4/loot/20180328092245_default_127.0.0.1_etcd.data_260058.txt msf5 auxiliary(scanner/etcd/open_key_scanner) > services Services